Hacking/Shellcode/Alphanumeric/IMUL 0x30 encoding

From Skypher

Alphanumeric shellcode decoders based on IMUL 0x30 encoding use an IMUL instruction to decode alphanumeric data. The instruction multiplies one alphanumeric data byte by 0x30 (the character '0'), which gives control over the most significant 4 bits of the decoded byte. The result is combined with a second data byte, which gives control over the least significant 4 bits, so any byte can be generated from two alphanumeric bytes. The multiplication works because only the low nibble of the multiplied byte reaches the result: a data byte with high nibble h and low nibble a gives A * 0x30 = 0x300 * h + 0x30 * a, and 0x300 * h is a multiple of 0x100, so the low byte of the product is (0x30 * a) mod 0x100. Its low nibble is always 0 and its high nibble is (3 * a) mod 16, which takes each value 0..F exactly once as a runs through 0..F because 3 is odd.

Improvement over IMUL 0x10

Previous alphanumeric decoders multiplied the data byte by 0x10 (equivalent to a shift left by 4 bits). Because 0x10 is not an alphanumeric byte, an IMUL with that immediate cannot appear in the shellcode as written, so the decoder had to "patch" the immediate into place at run time before the loop starts. Decoders that use 0x30 rather than 0x10 need no such patch, and 0x30 still gives complete control over the most significant 4 bits of a byte. As a result, decoders that use IMUL 0x30 encoding can be made smaller than those that use IMUL 0x10.

Credits

The idea for IMUL 0x30 was inspired by the article "An improvement on mixed case alphanumeric shellcode decoder" written by tms320 of the Ph4nt0m security team. In that article tms320 argues that two IMUL 0x44 instructions are equivalent to IMUL 0x1210, which is similar enough to IMUL 0x10 for the decoder to use. Even though this requires two multiplications, it is a size improvement over IMUL 0x10, because the code that patches the 0x10 into place is bigger than the code for the second IMUL. IMUL 0x30 removes the patching code as well and needs no second IMUL, so it is smaller still.

Manual encoding

Many decoders end with a backward jump that completes the decoding loop. The jump offset byte is encoded in the first two data bytes. Because the data value is multiplied by 0x30 rather than 0x10, it is not always obvious how to encode a given byte by hand. The table below gives, for each target nibble (the high nibble of the low byte of the product), the value to multiply, i.e. the low nibble the first data byte must have; the high nibble of that data byte does not matter, since 0x30 * 0x10 = 0x300 contributes nothing to the low byte of the product, and the low nibble of the product is always 0:

Nibble   Encoded   Math (hex)
 0 (0)    0 (0)    0 * 30 =  00
 1 (1)   11 (B)    B * 30 = 210
 2 (2)    6 (6)    6 * 30 = 120
 3 (3)    1 (1)    1 * 30 =  30
 4 (4)   12 (C)    C * 30 = 240
 5 (5)    7 (7)    7 * 30 = 150
 6 (6)    2 (2)    2 * 30 =  60
 7 (7)   13 (D)    D * 30 = 270
 8 (8)    8 (8)    8 * 30 = 180
 9 (9)    3 (3)    3 * 30 =  90
10 (A)   14 (E)    E * 30 = 2A0
11 (B)    9 (9)    9 * 30 = 1B0
12 (C)    4 (4)    4 * 30 =  C0
13 (D)   15 (F)    F * 30 = 2D0
14 (E)   10 (A)    A * 30 = 1E0
15 (F)    5 (5)    5 * 30 =  F0
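
The following Python is an added example, not code from this page or from ALPHA3. It models the IMUL 0x30 arithmetic described at the top of the page, derives the manual-encoding table above from that arithmetic instead of typing it in, and encodes arbitrary bytes into alphanumeric pairs so the round trip can be checked for every value 0x00..0xFF. It assumes one thing the page does not state: that the decoder combines the product with the second data byte by XOR, i.e. it computes ((A * 0x30) & 0xFF) ^ B. The table itself does not depend on that choice; only the adjustment for the second byte's high nibble in encode_byte() does.

```python
# Added example, not code from the Skypher page or from ALPHA3.  It models the
# arithmetic of an IMUL 0x30 decoder, builds the manual-encoding table from
# that arithmetic, and encodes/decodes arbitrary bytes so the round trip can
# be checked for every value 0x00..0xFF.
#
# Assumption (the page does not say how the two bytes are combined): the
# decoder computes ((A * 0x30) & 0xFF) ^ B for consecutive alphanumeric data
# bytes A, B.  The table does not depend on this; only encode_byte()'s
# adjustment for B's high nibble does.
import string

ALNUM = (string.digits + string.ascii_uppercase + string.ascii_lowercase).encode()


def product_high_nibble(a: int) -> int:
    """High nibble of the low byte of a * 0x30.

    Only the low nibble of a matters: a = 0x10*h + l gives
    a * 0x30 = 0x300*h + 0x30*l, and 0x300*h is a multiple of 0x100.
    The low nibble of the low byte is always 0.
    """
    return ((a * 0x30) & 0xFF) >> 4


# The page's "Nibble -> Encoded" table, derived rather than typed in:
# ENCODE_TABLE[n] is the low nibble the first data byte needs so that the
# product's low byte has high nibble n.  (3*l) mod 16 is a permutation of
# 0..15 because 3 is odd, so every n gets exactly one entry.
ENCODE_TABLE = {product_high_nibble(l): l for l in range(16)}


def alnum_with_low_nibble(n: int) -> int:
    """First alphanumeric byte whose low nibble is n ('0'..'9', then 'J'..'O')."""
    for c in ALNUM:
        if c & 0x0F == n:
            return c
    raise ValueError(f"no alphanumeric byte has low nibble {n:#x}")


def decode_byte(a: int, b: int) -> int:
    """Model of one decoder step: 8-bit IMUL by 0x30, then XOR with the next byte."""
    return ((a * 0x30) & 0xFF) ^ b


def encode_byte(value: int) -> tuple[int, int]:
    """Two alphanumeric bytes (a, b) with decode_byte(a, b) == value."""
    if not 0 <= value <= 0xFF:
        raise ValueError("value must be a byte")
    # B supplies the low nibble; its own high nibble (0x3..0x7) is XORed into
    # the high nibble of the result, so fold it into the nibble A must produce.
    b = alnum_with_low_nibble(value & 0x0F)
    wanted_from_a = ((value >> 4) ^ (b >> 4)) & 0x0F
    a = alnum_with_low_nibble(ENCODE_TABLE[wanted_from_a])
    return a, b


def encode(data: bytes) -> bytes:
    out = bytearray()
    for v in data:
        out.extend(encode_byte(v))
    return bytes(out)


def decode(encoded: bytes) -> bytes:
    if len(encoded) % 2:
        raise ValueError("encoded data must come in pairs")
    return bytes(decode_byte(encoded[i], encoded[i + 1])
                 for i in range(0, len(encoded), 2))


def is_alnum(data: bytes) -> bool:
    return all(c in ALNUM for c in data)


def table_rows() -> list[str]:
    """The manual-encoding table in the page's layout: nibble, encoded, math."""
    rows = []
    for n in range(16):
        l = ENCODE_TABLE[n]
        math = f"{l * 0x30:02X}".rjust(3)
        rows.append(f"{n:2d} ({n:X})  {l:2d} ({l:X})  {l:X} * 30 = {math}")
    return rows


if __name__ == "__main__":
    print("\n".join(table_rows()))
    # Constructed sample: a short backward 'jmp rel8' (EB F0) plus two int3 bytes.
    sample = bytes([0xEB, 0xF0, 0xCC, 0xCC])
    enc = encode(sample)
    print(enc.decode("ascii"), decode(enc).hex())
```

Running the script prints the same sixteen rows as the table above and an alphanumeric string that decodes back to the constructed sample. The encoder always takes the first alphanumeric character with the required low nibble, so digits are used where possible and 'J'..'O' supply the nibbles A..F; a real encoder can pick any other character with the same low nibble to vary the output.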