Re: [Dailydave] add %ebx, (%esi)

From: Bee Binger (bbinger123@yahoo.com)
Date: Fri Jul 20 2007 - 10:21:31 CDT


Interesting replies... I also didn't realize this was mostly for generating "shellcode", but with a little thought I could have probably figured this out.

"Berend-Jan Wever (SKYLINED)" <bjwever@microsoft.com> wrote:
>> The number of variations of achieving the same thing is actually very
>> large. It would be nice to be able to determine how many variations
>> there are in total. I'm only interested in variations that don't use "nop"
>> instructions that don't do anything useful. There must be a way to do
>> it and prove that you've got all of them.

>>Cheers,

>>SkyLined

Do you actually think it's possible to find *every* combination? I have thought about it a bit since reading your email, and if there are no size/performance/opcode restrictions then I think you could have an unlimited number of combinations (assuming we are using your last example about extending one instruction into multiple). It would somewhat depend on what exactly you consider a nop instruction too.

Also, if you move away from the basic instruction set into the "extended ones" (I do not know the real name for all the multimedia and floating point ones), then you would have extreme problems trying to match them all.

Dave Aitel <dave@immunityinc.com> wrote:
>> Which so far hasn't hurt us, since our shellcode doesn't use it. This
>> is very much a shellcode/proglet assembler.

I should have realized this point before, but it went right past me.

>> I added bt this morning, so that should work nicely for you now. For bonus
>> credit I added bswap. :>.

gracias

>> We have been using a similar (though much slower) assembler for a few
>> years now in all of our exploits (which is why I can finish an assembler in a
>> week, rather than a month or two).

I was wondering this exact thing

>> Once the C parser is rewritten, I'll release it all as LGPL and you can fix it :>.

/me hides

>> I really like the idea of a web service for shellcode decoder creation. This was
>> part of the original idea for the CANVAS World Service (which we're still going
>> to do some day).

This would be amazing, especially if some of SkyLined's ideas (multiple instructions, setting fixed offsets to introduce a lot of math instructions to break patterns) would be incorporated.

>> - -dave
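The two questions raised in this thread, whether the set of "variations" of one instruction is finite and what counts as a nop, both come down to which machine state you observe. The following Python is an added example, not code from either poster or from the assembler being discussed: it models a constructed 4-bit toy ISA (three registers plus one memory cell at [esi]) and decides instruction-sequence equivalence by exhaustive enumeration of that small state space. It shows that the rewrite of `add %ebx, (%esi)` through a scratch register is equivalent only if the scratch register is excluded from the observed state, that "nop-ness" is relative to the same choice, and that padding with a cancelling pair keeps equivalence, which is why the count is unbounded without a size limit. On real 32-bit state the domain is far too large to enumerate, so this proves things only about the toy; the general question needs a symbolic or SMT-based equivalence check.

```python
from itertools import product

# Constructed toy machine: 4-bit values so that the full state space
# (3 registers + 1 memory cell = 16**4 states) can be enumerated exhaustively.
MASK = 0xF
REGS = ("eax", "ebx", "ecx")
CELLS = REGS + ("mem",)          # "mem" stands for the single cell at [esi]


def step(state, ins):
    """Apply one toy instruction in place. Operands are register names,
    the pseudo-register 'mem', or immediates."""
    op, dst = ins[0], ins[1]
    src = ins[2] if len(ins) > 2 else None
    val = state[src] if isinstance(src, str) else src
    if op == "mov":
        state[dst] = val & MASK
    elif op == "add":
        state[dst] = (state[dst] + val) & MASK
    elif op == "sub":
        state[dst] = (state[dst] - val) & MASK
    elif op == "xor":
        state[dst] = (state[dst] ^ val) & MASK
    elif op == "inc":
        state[dst] = (state[dst] + 1) & MASK
    elif op == "dec":
        state[dst] = (state[dst] - 1) & MASK
    else:
        raise ValueError("unknown toy instruction: %r" % (op,))


def run(seq, state):
    """Run a sequence on a copy of the state and return the final state."""
    out = dict(state)
    for ins in seq:
        step(out, ins)
    return out


def all_states():
    """Every initial state of the toy machine."""
    for vals in product(range(MASK + 1), repeat=len(CELLS)):
        yield dict(zip(CELLS, vals))


def equivalent(seq_a, seq_b, observed):
    """True iff both sequences leave the *observed* cells identical on every
    initial state. Cells outside `observed` may be clobbered freely."""
    for s in all_states():
        fa, fb = run(seq_a, s), run(seq_b, s)
        if any(fa[c] != fb[c] for c in observed):
            return False
    return True


def is_semantic_nop(seq, observed):
    """A sequence is a nop relative to `observed` iff it equals the empty sequence."""
    return equivalent(seq, [], observed)


# The instruction from the thread's subject line and some rewrites of it.
ADD_MEM = [("add", "ebx", "mem")]
VIA_EAX = [("mov", "eax", "mem"), ("add", "ebx", "eax")]
VIA_SUB = [("mov", "eax", 0), ("sub", "eax", "mem"), ("sub", "ebx", "eax")]
PADDED = [("inc", "ecx")] + ADD_MEM + [("dec", "ecx")]

if __name__ == "__main__":
    print("via eax, observing ebx+mem :", equivalent(ADD_MEM, VIA_EAX, ("ebx", "mem")))
    print("via eax, observing eax too :", equivalent(ADD_MEM, VIA_EAX, ("eax", "ebx")))
    print("via sub, observing ebx     :", equivalent(ADD_MEM, VIA_SUB, ("ebx",)))
    print("inc/dec pair is a nop      :", is_semantic_nop([("inc", "ecx"), ("dec", "ecx")], CELLS))
    print("inc ecx is a nop wrt ebx   :", is_semantic_nop([("inc", "ecx")], ("ebx",)))
    print("padded form still equal    :", equivalent(ADD_MEM, PADDED, CELLS))
```

The `observed` tuple is the whole decision: the same `inc ecx` is a nop relative to `ebx` and not a nop relative to `ecx`, and the scratch-register rewrite passes or fails depending on whether `eax` is in the set. Because any sequence can be wrapped in a cancelling pair that is a nop relative to the observed cells, the equivalence class is infinite unless a length bound is imposed, which is the size restriction the reply above points at.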


_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave