Polymorphic ByteSwapper (Win64)
Description
The shellcode to be appended must be at most 255 bytes in size, because its length is passed to the decoder in the CL register (a single byte). Using CL rather than a wider register avoids null bytes in the length operand. This limit will change in a future release.
The polymorphic ByteSwapper works as follows:
- The payload is encrypted following the pattern described below
- The encrypted bytes are appended to the ByteSwapper decoder
- The length of the shellcode is adjusted in the decoder at offset 10
- Your XOR key is adjusted in the decoder at offset 36
- The finalized shellcode is saved as a file
ByteSwapper works according to this scheme (bytes are processed in pairs; each odd byte is XORed with the encrypted even byte immediately before it):
\(EncryptedByte(even) = Byte(even) \oplus Key\)
\(EncryptedByte(odd) = Byte(odd) \oplus EncryptedByte(even)\)
An example with an XOR key of 20 (hexadecimal):
| | Byte 1 | Byte 2 | Byte 3 | Byte 4 |
|---|---|---|---|---|
| plain | 01 | F4 | 85 | CF |
| XOR value | 20 | 21 | 20 | A5 |
| encrypted | 21 | D5 | A5 | 6A |
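The scheme and the table above, reproduced in a short reference implementation. This is an added example, not shencode's own code: the function names are this example's own, the input bytes are the four bytes from the table, and the checks mirror the constraints the page states (length must fit in CL, the result should contain no null bytes).

```python
# Added example (not shencode's own code): reference encoder/decoder for the
# ByteSwapper scheme, checked against the table with key 0x20.

MAX_PAYLOAD = 255  # the length is passed to the decoder in CL, a single byte


def byteswap_encode(payload: bytes, key: int) -> bytes:
    """Even positions are XORed with the key; odd positions are XORed with the
    encrypted even byte immediately before them. Positions are 0-based, so
    'Byte 1' in the table is the even byte at index 0."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(
            f"payload is {len(payload)} bytes; the decoder takes the length in CL (max {MAX_PAYLOAD})"
        )
    out = bytearray()
    for i, b in enumerate(payload):
        if i % 2 == 0:
            out.append(b ^ key)
        else:
            out.append(b ^ out[i - 1])  # XOR value is the previous *encrypted* byte
    return bytes(out)


def byteswap_decode(encrypted: bytes, key: int) -> bytes:
    """Invert the scheme. The odd byte's XOR value is the encrypted even byte,
    which the decoder still has in the buffer, so no extra state is needed."""
    out = bytearray()
    for i, c in enumerate(encrypted):
        if i % 2 == 0:
            out.append(c ^ key)
        else:
            out.append(c ^ encrypted[i - 1])
    return bytes(out)


def xor_values(payload: bytes, key: int) -> bytes:
    """The per-byte XOR values (the table's middle row): the key for even
    bytes, the preceding encrypted byte for odd bytes."""
    enc = byteswap_encode(payload, key)
    return bytes(key if i % 2 == 0 else enc[i - 1] for i in range(len(payload)))


def contains_null(data: bytes) -> bool:
    return b"\x00" in data


def find_null_free_keys(payload: bytes) -> list:
    """Keys whose encrypted output has no 0x00 byte. A key equal to an
    even-position plaintext byte yields a null there, so not every key suits
    every payload. Key 0 is skipped: it would leave even bytes unchanged and
    place a 0x00 in the decoder where the key is patched in."""
    return [k for k in range(1, 256) if not contains_null(byteswap_encode(payload, k))]


if __name__ == "__main__":
    # Constructed input: the four bytes from the table above.
    plain = bytes.fromhex("01F485CF")
    enc = byteswap_encode(plain, 0x20)
    print("plain     ", plain.hex(" ").upper())
    print("XOR value ", xor_values(plain, 0x20).hex(" ").upper())
    print("encrypted ", enc.hex(" ").upper())
    assert byteswap_decode(enc, 0x20) == plain
    print("null-free keys for this input:", len(find_null_free_keys(plain)))
```

Running the block prints the three rows of the table (01 F4 85 CF, 20 21 20 A5, 21 D5 A5 6A) and confirms the round trip. An odd-length payload is handled naturally: the trailing even byte is simply XORed with the key and has no partner.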
Command
shencode encoder byteswap [-h] [-i INPUT] [-o OUTPUT] [-k KEY]

options:
  -h, --help                  show this help message and exit
  -i INPUT, --input INPUT     input file to use with the byteswap stub
  -o OUTPUT, --output OUTPUT  output file for the byteswap stub
  -k KEY, --key KEY           the XOR key to use
Example output
shencode encoder byteswap --input dev\calc.raw --output dev\temp.bs --key 171
[+] [XOR-SWAP] File exists
[i] [XOR-SWAP] File: dev\calc.raw
[i] [XOR-SWAP] Hash: 7c1bb19fe6606cfe29e750326db2972c4743e623
[*] Header loaded, size of shellcode 54 bytes
[i] Source Shellcode size 251 bytes
[*] XORed payload added, size of shellcode 305 bytes
[+] XOR encoded shellcode created in dev\temp.bs
[+] [XOR-SWAP] File created
[i] [XOR-SWAP] File: dev\temp.bs
[i] [XOR-SWAP] Hash: 7cb34a5bf0d9780b7d2d9a43946fe69eef5b21d9