ShenCode - ByteSwap
Polymorphic ByteSwapper (Win64)
Description
The shellcode to be appended must be a maximum of 255 bytes in size, as the value is passed to the CL register. This is done to avoid null bytes. This will change in a future release.
The polymorphic ByteSwapper:
- The payload is encrypted following the pattern described below
- The encrypted bytes are appended to the ByteSwapper decoder
- The length of the shellcode is adjusted in the decoder at offset 10
- Your XOR key is adjusted in the decoder at offset 36
- The finalized shellcode is saved as a file
ByteSwapper works according to this scheme:
\(EncryptedByte(even) = Byte(even) \wedge Key(XOR)\) \(EncryptedByte(odd) = Byte(odd) \wedge EncryptedByte(even)\)
An example with an XOR key of 20 (hexadecimal):
| Byte 1 | Byte 2 | Byte 3 | Byte 4 | |
|---|---|---|---|---|
| plain | 01 |
F4 |
85 |
CF |
| XOR Value | 20 |
21 |
20 |
A5 |
| encrypted | 21 |
D5 |
A5 |
6A |
Command
python shencode.py byteswap --input payload.raw --output output.raw ---key 63