diff --git a/external/source/shellcode/windows/x86/src/block/block_rc4.asm b/external/source/shellcode/windows/x86/src/block/block_rc4.asm
new file mode 100644
index 0000000000..13a31803c9
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_rc4.asm
@@ -0,0 +1,51 @@
+;-----------------------------------------------------------------------------;
+; Author: Michael Schierl (schierlm[at]gmx[dot]de)
+; Version: 1.0 (29 December 2012)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP - Data to decode
+; ECX - Data length
+; ESI - Key (16 bytes for simplicity)
+; EDI - pointer to 0x100 bytes scratch space for S-box
+; Direction flag has to be cleared
+; Output: None. Data is decoded in place.
+; Clobbers: EAX, EBX, ECX, EDX, ESI, EBP (stack is not used)
+
+ ; Initialize S-box
+ xor eax, eax ; Start with 0
+init:
+ stosb ; Store next S-Box byte S[i] = i
+ inc al ; increase byte to write (EDI is increased automatically)
+ jnz init ; loop until we wrap around
+ sub edi, 0x100 ; restore EDI
+
+ ; permute S-box according to key
+ xor ebx, ebx ; Clear EBX (EAX is already cleared)
+permute:
+ add bl, [edi+eax] ; BL += S[AL] + KEY[AL % 16]
+ mov edx, eax
+ and dl, 0xF
+ add bl, [esi+edx]
+ mov dl, [edi+eax] ; swap S[AL] and S[BL]
+ xchg dl, [edi+ebx]
+ mov [edi+eax], dl
+ inc al ; AL += 1 until we wrap around
+ jnz permute
+
+
+ ; decryption loop
+ xor ebx, ebx ; Clear EBX and EDX (EAX is already cleared)
+ xor edx, edx
+decrypt:
+ inc al ; AL += 1
+ add bl, [edi+eax] ; BL += S[AL]
+ mov dl, [edi+eax] ; swap S[AL] and S[BL]
+ xchg dl, [edi+ebx]
+ mov [edi+eax], dl
+ add dl, [edi+ebx] ; DL = S[AL]+S[BL]
+ mov dl, [edi+edx] ; DL = S[DL]
+ xor [ebp], dl ; [EBP] ^= DL
+ inc ebp ; advance data pointer
+ dec ecx ; reduce counter
+ jnz decrypt ; until finished
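Review bot: The decryption loop at the end of the hunk does not handle a data length of zero: `dec ecx` / `jnz decrypt` only tests after the first iteration, so with ECX = 0 on entry the counter wraps and the loop keeps XOR-ing past the end of the buffer for 2^32 bytes. Either state the precondition in the header, `; ECX - Data length (must be non-zero)`, or guard the loop with `jecxz done` just before `decrypt:` and a `done:` label after `jnz decrypt`. The clobber list in the header should also name the flags, and could say that EDI is handed back unchanged since `sub edi, 0x100` undoes the `stosb` advance. The key length is fixed to 16 bytes by `and dl, 0xF` in the permute loop, which the header already states; a key of any other length is silently truncated or wrapped, so that line deserves a comment saying so.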
diff --git a/external/source/shellcode/windows/x86/src/test_rc4.asm b/external/source/shellcode/windows/x86/src/test_rc4.asm
new file mode 100644
index 0000000000..5762389f73
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/test_rc4.asm
@@ -0,0 +1,43 @@
+;-----------------------------------------------------------------------------;
+; Author: Michael Schierl (schierlm[at]gmx[dot]de)
+; Version: 1.0 (29 December 2012)
+;-----------------------------------------------------------------------------;
+
+;
+; c1 = OpenSSL::Cipher::Cipher.new('RC4')
+; c1.encrypt
+; c1.key="Hello, my world!"
+; c1.update("This is some magic data you may want to have encoded and decoded again").unpack("H*")
+;
+; => "882353c5de0f5e6b10bf0d25c432c5d16424dc797e895f37f261c893b31d577e7e69f77e07aa576d58c7f757164e7d74988feb10f972b28dcfa1e3a2b1cc0b0fa1a8b116294b"
+;
+; c1 = OpenSSL::Cipher::Cipher.new('RC4')
+; c1.decrypt
+; c1.key="Hello, my world!"
+; c1.update(["882353c5de0f5e6b10bf0d25c432c5d16424dc797e895f37f261c893b31d577e7e69f77e07aa576d58c7f757164e7d74988feb10f972b28dcfa1e3a2b1cc0b0fa1a8b116294b"].pack("H*"))
+;
+; => "This is some magic data you may want to have encoded and decoded again"
+;
+
+[BITS 32]
+[ORG 0]
+
+ cld ; Clear the direction flag.
+ call pushkey ; push the address of the key onto the stack
+ db "Hello, my world!"
+pushkey:
+ pop esi ; and store it into ESI
+ call pushdata ; push the address of the encrypted data on the stack
+ db 0x88, 0x23, 0x53, 0xc5, 0xde, 0x0f, 0x5e, 0x6b, 0x10, 0xbf, 0x0d, 0x25, 0xc4, 0x32, 0xc5, 0xd1, 0x64, 0x24, 0xdc, 0x79, 0x7e, 0x89, 0x5f, 0x37, 0xf2, 0x61, 0xc8, 0x93, 0xb3, 0x1d, 0x57, 0x7e, 0x7e, 0x69, 0xf7, 0x7e, 0x07, 0xaa, 0x57, 0x6d, 0x58, 0xc7, 0xf7, 0x57, 0x16, 0x4e, 0x7d, 0x74, 0x98, 0x8f, 0xeb, 0x10, 0xf9, 0x72, 0xb2, 0x8d, 0xcf, 0xa1, 0xe3, 0xa2, 0xb1, 0xcc, 0x0b, 0x0f, 0xa1, 0xa8, 0xb1, 0x16, 0x29, 0x4b
+pushdata:
+ pop ebp ; and store it into EBP
+ mov ecx, 70 ; store data length into ECX
+ sub esp, 0x100 ; make space on stack for S-Box
+ mov edi, esp ; and store address into EDI
+ nop
+ nop
+ nop
+ int 3 ; for stepping through the code
+ ; let's run the RC4 decoder
+%include "./src/block/block_rc4.asm"
+ int 3 ; EBP should point to decoded data now
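Review bot: The data length in `mov ecx, 70` is maintained by hand and has to match the byte count of the `db 0x88, …` line above `pushdata:`; putting a label such as `encdata:` on the line before that `db` and writing `mov ecx, pushdata - encdata` lets the assembler compute it, so the harness cannot drift from its test vector when the ciphertext is changed. The test ends at `int 3` with no automatic comparison against the expected plaintext quoted in the header comment, so a wrong result is only visible to someone stepping through in a debugger; a comment stating that expectation at the final `int 3`, `; EBP should point to decoded data now (compare against the plaintext in the header)`, would at least make the manual check explicit. The key and ciphertext are emitted inline in the code stream and decoded in place, which presumes the harness runs from writable memory; that assumption is worth a comment near `[ORG 0]`.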