From 24afc2aec6adc7b734e3dc567211e9dc5808e871 Mon Sep 17 00:00:00 2001
From: arno01
Date: Thu, 11 Apr 2013 13:44:15 +0200
Subject: [PATCH] minor updates
---
 exam4/HOWTO | 6 ----
 exam4/decoder.nasm | 67 ++++++++++++++++++++++++++++++++++++++++++
 exam4/encoder.sh | 13 --------
 exam4/helloworld | Bin 524 -> 0 bytes
 exam4/helloworld.nasm | 25 ----------------
 exam4/helloworld.o | Bin 448 -> 0 bytes
 6 files changed, 67 insertions(+), 44 deletions(-)
 delete mode 100644 exam4/HOWTO
 delete mode 100755 exam4/encoder.sh
 delete mode 100755 exam4/helloworld
 delete mode 100644 exam4/helloworld.nasm
 delete mode 100644 exam4/helloworld.o
diff --git a/exam4/HOWTO b/exam4/HOWTO
deleted file mode 100644
index 048796c..0000000
--- a/exam4/HOWTO
+++ /dev/null
@@ -1,6 +0,0 @@
-Compile and run
-nasm -f elf32 -o helloworld.o helloworld.nasm && ld -m elf_i386 -o helloworld helloworld.o && ./helloworld ; echo $?
-
-Get shellcode
-for i in $(objdump -d helloworld -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
-
diff --git a/exam4/decoder.nasm b/exam4/decoder.nasm
index e69de29..bce620f 100644
--- a/exam4/decoder.nasm
+++ b/exam4/decoder.nasm
@@ -0,0 +1,67 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+;
+;
+; Filename: decoder.nasm
+; Author: Andrey Arapov
+; 2013 April
+;
+;
+
+section .text
+global _start
+
+_start:
+ jmp short _down ; JMP-CALL-POP technique
+_up:
+ pop esi ; get the last address of this program,
+ ; which will be a start of our encoded shellcode
+
+ xor ecx, ecx ; zero the counter, will be used below
+
+_decoder:
+ mov al, byte [esi] ; preparing to compare the first byte of the encoded shellcode
+ inc esi ; going for the next byte
+
+ ;
+ ; Checking for markers
+ ;
+ cmp al, 0x37
+ je short _decoder ; if current byte is a gargabe, then we skip it and check the next byte
+
+ cmp al, 0xFA
+ je short _decoder ; if current byte is a gargabe, then we skip it and check the next byte
+
+ cmp al, 0xD6
+ je short _decoder ; if current byte is a gargabe, then we skip it and check the next byte
+
+ cmp al, 0x3F
+ je short _decoder ; if current byte is a gargabe, then we skip it and check the next byte
+
+ cmp al, 0xAF
+ je short _runshellcode ; if we reach the exit marker, then we run the shellcode
+
+ ;
+ ; Collecting decoded shellcode in the EDX address
+ ;
+ mov byte [edx+ecx], al ; moving good byte to EDX
+ inc ecx ; increase the counter
+
+ jmp short _decoder ; continuing
+
+
+_runshellcode:
+ call edx
+
+_down:
+ call _up ; ESP now has and address that points to the next instruction, however we are going UP
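Review bot: `mov byte [edx+ecx], al` uses edx as the destination base, but nothing in this file ever sets edx and the header comments do not say who is expected to provide it, so the store depends on whatever edx holds at process entry. The hunk also ends at `call _up` with no data after it, so the first read at `mov al, byte [esi]` starts one byte past the last instruction, and since only the 0xAF marker leaves the loop, a missing marker lets `inc esi` and `inc ecx` run without any bound. Both preconditions belong in the header block, e.g. `; Pre: edx = writable buffer large enough for the decoded bytes` and `; Pre: input placed after _down ends with marker 0xAF`. As a point of style, the five marker bytes (0x37, 0xFA, 0xD6, 0x3F, 0xAF) are repeated literals that read more clearly as `equ` constants (`MARK_END equ 0xAF`), and the four identical comments misspell "garbage" as "gargabe".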
diff --git a/exam4/encoder.sh b/exam4/encoder.sh
deleted file mode 100755
index 11af6fe..0000000
--- a/exam4/encoder.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/usr/bin/env sh
-
-echo "Original shellcode"
-for i in $(objdump -d helloworld -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo
-
-echo ""
-
-
-echo "Encoded shellcode"
-Y=2; for i in $(objdump -d helloworld -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; if [[ $Y -gt 1 ]];then echo -n '\xAA'; Y=$[Y-1]; else Y=$[Y+1]; fi; done; echo
-
-echo ""
-
diff --git a/exam4/helloworld b/exam4/helloworld
deleted file mode 100755
index 6a6efad5e44f0349d67885a1f6d0626fee0e23cf..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 524
zcmb<-^>JflWMqH=CI)5(5HF#Dg~J3$FM&#!Fem`UH5gbKn85O2VW1iYAZ`G1K$sPX z83aHC0vH}Jylr@C1IuQ{jMSo3t_+XNkc`fUn>fxk7~bB%c(#E-uedU|Bryp{mlQ$h z3>d2}%LHa>7$V^TsA4q}09iTb`7zaqh%tI1_GePbIaX_Jttd51@L%S$ZIWr!~>Nh~U1h>uSyE{3sFQxZ!O K8RAp(QWyXf=|YGA
diff --git a/exam4/helloworld.nasm b/exam4/helloworld.nasm
deleted file mode 100644
index 0e205e9..0000000
--- a/exam4/helloworld.nasm
+++ /dev/null
@@ -1,25 +0,0 @@
-; helloworld.nasm
-; 2013 April
-;
-
-section .text
-global _start
-
-_start:
- xor eax,eax
- xor ebx,ebx
- xor edx,edx
-
- ; write('hi there')
- mov al,4 ; write
- mov bl,1 ; stdout
- push 0x0a657265 ; 'ere\n' in reverse
- push 0x68546948 ; 'HiTh' in reverse
- mov ecx, esp ; ecx is a pointer to stack
- mov dl, 8 ; length of message
- int 0x80
-
- ; exit(0)
- xor ebx,ebx
- mov al,1 ; exit
- int 0x80
diff --git a/exam4/helloworld.o b/exam4/helloworld.o
deleted file mode 100644
index f4d170bd097f9b053ccd8c0b2f998e2b447795de..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 448
zcmb<-^>JflWMqH=Mh0dE1doBi0V-hvrZpH?8JJ*7Nuoh!f-oCYmjIBX0A+(H0Vtat zNHas(Aj$x!P7#R@TBApIa3WTqsP52V0g0Z^R;j02=$=D~yv z4;bDyytIL3Gh;?-Q7Tu4M`lPy=fh1LXB!M}Z(uyzz@S%>T2aEFSDaB?QdE+d1Y}j_ zLTCsdW)Kb<**+GAkN=UCfkGbSFBlL2xh^9$Cnvu=zbGd~FE6n;mm$8mB(bOjri1|i DT-PXk