Shikata-ga-nai_x64
# Nasm code for the stub.
# ________
#
# global start
#
#
# section .text
#
# start:
# mov rax, 0x0123456789ABCDEF ; set the key.
# fcmovbe st0, st3 ; ?
# ; fnstenv [rsp-0xc] ; place floating env on the stack. Align EIP to RSP.
# fnstenv [rsp] ; place floating env on the stack.
# xor rbx,rbx ; make sure rbx is 0
# ; mov [rsp+0x4], ebx ; place 4 bytes
# mov ebx, [rsp+0xc] ; grab EIP from the stack
# xor rcx,rcx
# mov cl, 0x7
# Decode:
# ;xor [rbx+0x28], rax
# ;add rax, [rbx+0x28]
# xor [rbx+0x1f], rax
# add rax, [rbx+0x1f]
# add rbx, 0x8
# loop Decode
#
# section .data
#
# Payload: db `\xde\xff\x98\xbdRs\x149aB\x9c\xf9\xd9=\x1dq5\x07qV\xab\x8f1\x11`
# .len: equ $ - Payload
import ctypes
import struct
import hexdump
# Width of one encoder block in bytes; the stub works on 64-bit (QWORD) units,
# so derive it from the same "<Q" format the pack/unpack calls use.
QWORD_SIZE = struct.calcsize("<Q")
# Initial 64-bit key, the value the stub loads with `mov rax, 0x0123456789ABCDEF`.
IV = 0x0123456789ABCDEF
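def pad_message(message):
    """Pad *message* with NOP bytes (0x90) up to a whole number of QWORDs.

    The encoder consumes its input in QWORD_SIZE-byte blocks, so anything
    that is not block-aligned is extended to the next boundary. An empty
    message yields one full block of padding (the original "shorter than a
    block" rule, kept so existing callers see the same output).

    Args:
        message: raw bytes (a Python 2 ``str``) to pad.

    Returns:
        ``message`` followed by 0..QWORD_SIZE NOP bytes.
    """
    if not message:
        # Shorter-than-a-block inputs are padded to a full block; for an
        # empty input that means eight NOPs rather than none.
        pad = QWORD_SIZE
    else:
        # (-len) % size is 0 when already aligned, else the gap to the boundary.
        pad = (-len(message)) % QWORD_SIZE
    # A bytes literal keeps this valid on Python 3 as well, where a text
    # "\x90" cannot be concatenated to a bytes message.
    return message + b"\x90" * pad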
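def encode(message, key=None):
    """Encode *message* with the rolling-XOR scheme the x64 stub above undoes.

    Each 8-byte little-endian block is XORed with a 64-bit running key; the
    key is then advanced by adding the *plaintext* block modulo 2**64. That is
    the mirror image of the stub's Decode loop (``xor [rbx+0x1f], rax`` then
    ``add rax, [rbx+0x1f]``), so both sides stay in lock-step block by block.
    Note this is an obfuscation layer, not encryption: the initial key is
    embedded in the stub itself (``mov rax, 0x0123456789ABCDEF``).

    Args:
        message: bytes whose length is a multiple of 8 (see pad_message).
        key: initial 64-bit key; defaults to IV, the value the stub loads
            into rax. Passing it explicitly lets a sample built with a
            different key be reproduced or analysed.

    Returns:
        The encoded bytes, same length as ``message``.

    Raises:
        struct.error: if ``len(message)`` is not a multiple of 8.
    """
    if key is None:
        key = IV
    # Pre-compiled format: size and byte order stay coupled to the same spec.
    qword = struct.Struct("<Q")
    out = []
    for offset in range(0, len(message), qword.size):
        (plain_value,) = qword.unpack(message[offset:offset + qword.size])
        out.append(qword.pack(plain_value ^ key))
        # Keep the key within 64 bits, as the stub's `add rax` wraps silently.
        key = (plain_value + key) & 0xFFFFFFFFFFFFFFFF
    # b"".join works on both Python 2 (str) and Python 3 (bytes); the original
    # "" += accumulation and xrange() fail under Python 3.
    return b"".join(out)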
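def decode(ct_message, key=None):
    """Decode *ct_message* the way the x64 stub's Decode loop does.

    Each 8-byte little-endian block is XORed with a 64-bit running key to
    recover the plaintext block; the key is then advanced by adding that
    *recovered* block modulo 2**64, exactly like ``xor [rbx+0x1f], rax``
    followed by ``add rax, [rbx+0x1f]`` in the stub. Because the key schedule
    depends only on the decoded data, a sample can be decoded offline once
    the initial key (the immediate in the stub's ``mov rax``) is known.

    Args:
        ct_message: encoded bytes whose length is a multiple of 8.
        key: initial 64-bit key; defaults to IV. Pass the value read from a
            sample's stub to decode a payload built with a different key.

    Returns:
        The decoded bytes, same length as ``ct_message``.

    Raises:
        struct.error: if ``len(ct_message)`` is not a multiple of 8.
    """
    if key is None:
        key = IV
    # Pre-compiled format: size and byte order stay coupled to the same spec.
    qword = struct.Struct("<Q")
    out = []
    for offset in range(0, len(ct_message), qword.size):
        (enc_value,) = qword.unpack(ct_message[offset:offset + qword.size])
        plain_value = enc_value ^ key
        out.append(qword.pack(plain_value))
        # Advance with the recovered block, wrapping at 64 bits like `add rax`.
        key = (plain_value + key) & 0xFFFFFFFFFFFFFFFF
    # b"".join works on both Python 2 (str) and Python 3 (bytes); the original
    # "" += accumulation and xrange() fail under Python 3.
    return b"".join(out)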
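# Demo: pad a sample, encode it, dump the padded input, then show that
# decode() restores it. print(...) with a single argument behaves the same
# on Python 2 and 3, whereas the `print repr(m)` statement form is a syntax
# error on Python 3; the bytes literal likewise keeps the input type stable.
m = pad_message(b"12345678ABCDEFGHTESTIN")
print(repr(m))
ct = encode(m)
hexdump.hexdump(m)
print(repr(ct))
m = decode(ct)
print(repr(m))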