SLAE Assignment #4 | Custom Shellcode Encoder

9. October 2017

Hey ho, it’s time for some low-level shellcode encoding. After going through the encoder examples of the SLAE material I built a custom one, which you can find here.

At first I wrote a little Python script which takes every single byte of a given shellcode and subtracts a random integer from it. In the end it prints the “encoded” shellcode, its length and the random integer used.

The following assembly code uses the jump-call-pop method to save the address of the shellcode into the esi register. After cleaning up the ecx register and setting up the counter (the length of the encoded shellcode), the decoding process starts. The random integer is added to every single byte of the shellcode (addressed via esi) until the counter (ecx) reaches 0. Finally, the execution flow jumps to the decoded shellcode.

Again I just used a helloWorldPayload to demonstrate the functionality:

This encoder is not efficient, but it does its job.
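Because the same integer is applied to every byte, the differences between neighbouring bytes survive the encoding, which is what an analyst can match on. The Python sketch below is an added example, not the encoder script from this post: it models the scheme on constructed ASCII data, assumes byte arithmetic wraps modulo 256, and uses hypothetical function names to show how the key is recovered and a known string located whatever key was chosen.

```python
"""Added example: analyst-side view of a single-key subtractive byte encoding.
All sample data below is constructed ASCII text, not shellcode."""

def sub_encode(data: bytes, key: int) -> bytes:
    # Model of the encoding step: subtract the same key from every byte.
    # Assumption: arithmetic wraps modulo 256.
    return bytes((b - key) & 0xFF for b in data)

def add_decode(data: bytes, key: int) -> bytes:
    # Model of the decoder loop: add the key back to every byte.
    return bytes((b + key) & 0xFF for b in data)

def recover_keys(blob: bytes, marker: bytes) -> list:
    # Only 256 keys exist, so try them all and keep those that reveal marker.
    return [k for k in range(256) if marker in add_decode(blob, k)]

def deltas(data: bytes) -> bytes:
    # Differences between neighbouring bytes; the key cancels out:
    # (b[i+1] - k) - (b[i] - k) == b[i+1] - b[i]  (mod 256)
    return bytes((b - a) & 0xFF for a, b in zip(data, data[1:]))

def locate_any_key(blob: bytes, marker: bytes):
    # Key-independent match: compare delta sequences instead of raw bytes.
    # Returns (offset, key) or None. marker must be at least 2 bytes long.
    if len(marker) < 2:
        raise ValueError("marker needs at least two bytes")
    off = deltas(blob).find(deltas(marker))
    if off < 0:
        return None
    return off, (marker[0] - blob[off]) & 0xFF

# Constructed sample: low and high bytes force wrap-around during encoding.
SAMPLE = b"\x01\x02\xfeHello World!\n\x00\xff"
KEY = 13  # constructed key standing in for the script's random integer
ENCODED = sub_encode(SAMPLE, KEY)

if __name__ == "__main__":
    print("encoded :", ENCODED.hex())
    print("keys    :", recover_keys(ENCODED, b"Hello World"))
    print("located :", locate_any_key(ENCODED, b"Hello World"))
```

A static signature on the raw bytes misses the encoded blob, while the delta comparison finds the string in a single pass without trying any key.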


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE-1036
