Vulnerability Development mailing list archives

Re: Shellcode from ASCII


From: Gerardo Richarte <gera () corest com>
Date: Thu, 26 Jun 2003 11:39:18 -0300

martin rakhmanoff wrote:

Usually when coding exploits one needs to escape null bytes in shellcode. To do this XOR is often used. My question is: is it possible to escape not only null bytes but also non-ascii bytes? In other words is it possible to have shellcode (for Windows 2000/XP/2003) that consists of bytes with codes 0x21-0x7e?

        Here I'm sending our solution to the problem, we came to
it after starting a small challenge to have some fun with some
friends. This solution will somehow be enough for you. One of
the other guys in the challenge (we were 4 total, if not 3) made
a much better solution, without using anything but numbers and
letters (I think).

TY```T]Q\%GERA%(*).P^HPYQFFFF3Dw:+Dw:+Dw:+Dw:3E\3Dw61D76QXgeraBOO@T||lJAB@XXXXDABNLTTPE@@NXHXXEFIL\\L\GDBL\\X\LEEA@DDDEAAO@@@@

        This code (also attached) assumes %edi is pointing to its
first byte, and after that, it's a generic decoder (pretty much like
an xor decoder) with the benefit of only using "ascii" characters,
both in the decoding routine and the encoded part.
        Now, the encoder and reversing of it I both leave as exercise
to the reader and hope to see discussed in this list :-) and, erm...
be careful with the encoder, it was what consumed most of my time
when we wrote it.

        On the next email I'll be starting a different challenge, for
which I still have no good answer, and furthermore, I think there is
no generic answer, if there is one at all... (sounds challenging, eh?!)

        gera
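The question above asks whether shellcode can be built from bytes 0x21-0x7e only, and Gera's reply describes the decoder as "pretty much like an xor decoder" restricted to that range. The following is an added example, not code from Gera's post or from Core: it checks the posted decoder string against the byte-range constraint, and computes which byte values a single XOR of two in-range bytes can produce at all. The names `allowed`, `offending_bytes`, `printable_only`, `xor_reachable` and `summarize` are the example's own.

```python
# Added example: byte-range check for the 0x21-0x7e constraint from the
# question, plus a feasibility count showing what XOR of two in-range bytes
# can and cannot produce. Not part of the original post.

LOW, HIGH = 0x21, 0x7E  # printable range named in the question, space excluded

# The decoder string from Gera's post, copied verbatim as a raw bytes literal.
GERA_DECODER = rb"TY```T]Q\%GERA%(*).P^HPYQFFFF3Dw:+Dw:+Dw:+Dw:3E\3Dw61D76QXgeraBOO@T||lJAB@XXXXDABNLTTPE@@NXHXXEFIL\\L\GDBL\\X\LEEA@DDDEAAO@@@@"


def allowed(b: int) -> bool:
    """True if the byte value b lies in the permitted printable range."""
    return LOW <= b <= HIGH


def offending_bytes(blob: bytes) -> list:
    """Return (offset, value) pairs for every byte outside the range."""
    return [(i, b) for i, b in enumerate(blob) if not allowed(b)]


def printable_only(blob: bytes) -> bool:
    """True when every byte of blob satisfies the constraint."""
    return not offending_bytes(blob)


def xor_reachable() -> set:
    """Set of byte values expressible as a ^ b with both a and b allowed.

    Both operands have the high bit clear, so the XOR always has it clear
    too: no value 0x80-0xFF is reachable this way, which is why a decoder
    limited to this byte range cannot be a plain single-XOR loop.
    """
    allowed_vals = range(LOW, HIGH + 1)
    return {a ^ b for a in allowed_vals for b in allowed_vals}


def summarize() -> dict:
    """Collect the checks into one report dictionary."""
    reach = xor_reachable()
    return {
        "decoder_is_printable": printable_only(GERA_DECODER),
        "decoder_length": len(GERA_DECODER),
        "xor_reachable_count": len(reach),
        "high_bit_reachable": any(v >= 0x80 for v in reach),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Running it confirms the posted decoder contains only bytes in 0x21-0x7e, and that XOR of two such bytes reaches exactly the 128 values 0x00-0x7f and never a byte with the high bit set. That arithmetic limit is the whole reason the encoder is the hard part of the exercise Gera leaves to the reader: a decoder confined to this range must rebuild high bytes through some operation other than a single XOR.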
