minor updates

exam4/HOWTO

@@ -1,6 +0,0 @@
-Compile and run
-nasm -f elf32 -o helloworld.o helloworld.nasm && ld -m elf_i386 -o helloworld helloworld.o && ./helloworld ; echo $?
-
-Get shellcode
-for i in $(objdump -d helloworld -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
-

exam4/decoder.nasm

@@ -0,0 +1,67 @@
+;    This program is free software: you can redistribute it and/or modify
+;    it under the terms of the GNU General Public License as published by
+;    the Free Software Foundation, either version 3 of the License, or
+;    (at your option) any later version.
+;
+;    This program is distributed in the hope that it will be useful,
+;    but WITHOUT ANY WARRANTY; without even the implied warranty of
+;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;    GNU General Public License for more details.
+;
+;    You should have received a copy of the GNU General Public License
+;    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+;
+;
+; Filename: decoder.nasm
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 April
+;
+;
+
+section .text
+global _start
+
+_start:
+	jmp short _down		; JMP-CALL-POP technique
+_up:
+	pop esi			; get the last address of this program, 
+				; which will be a start of our encoded shellcode
+
+	xor ecx, ecx		; zero the counter, will be used below
+
+_decoder:
+	mov al, byte [esi]	; preparing to compare the first byte of the encoded shellcode
+	inc esi			; going for the next byte
+
+	;
+	; Checking for markers
+	;
+	cmp al, 0x37
+	je short _decoder	; if current byte is a gargabe, then we skip it and check the next byte
+
+	cmp al, 0xFA
+	je short _decoder	; if current byte is a gargabe, then we skip it and check the next byte
+
+	cmp al, 0xD6
+	je short _decoder	; if current byte is a gargabe, then we skip it and check the next byte
+
+	cmp al, 0x3F
+	je short _decoder	; if current byte is a gargabe, then we skip it and check the next byte
+
+	cmp al, 0xAF
+	je short _runshellcode	; if we reach the exit marker, then we run the shellcode
+
+	;
+	; Collecting decoded shellcode in the EDX address
+	;
+	mov byte [edx+ecx], al	; moving good byte to EDX
+	inc ecx			; increase the counter
+
+	jmp short _decoder	; continuing
+
+
+_runshellcode:
+	call edx
+
+_down:
+	call _up		; ESP now has and address that points to the next instruction, however we are going UP

exam4/encoder.sh

@@ -1,13 +0,0 @@
-#!/usr/bin/env sh
-
-echo "Original shellcode"
-for i in $(objdump -d helloworld -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo
-
-echo ""
-
-
-echo "Encoded shellcode"
-Y=2; for i in $(objdump -d helloworld -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; if [[ $Y -gt 1 ]];then echo -n '\xAA'; Y=$[Y-1]; else Y=$[Y+1]; fi; done; echo
-
-echo ""
-

exam4/helloworld.nasm

@@ -1,25 +0,0 @@
-; helloworld.nasm
-; 2013 April
-;
-
-section .text
-global _start
-
-_start:
-	xor eax,eax
-	xor ebx,ebx
-	xor edx,edx
-
-	; write('hi there')
-	mov al,4		; write
-	mov bl,1		; stdout
-	push 0x0a657265		; 'ere\n' in reverse
-	push 0x68546948		; 'HiTh' in reverse
-	mov ecx, esp		; ecx is a pointer to stack
-	mov dl, 8		; length of message
-	int 0x80
-
-	; exit(0)
-	xor ebx,ebx
-	mov al,1		; exit
-	int 0x80