An instruction that pushes potentially non-DWORD-aligned strings to the stack can cause SP to become a value not divisible by 4. Aside from the serious performance hit from a misaligned stack, NT Kernel calls rightfully fail to execute in non-apparent ways.
i.e. running "MoveFileA" after misaligning the stack fails with GetErrorCode ERROR_NOACCESS = 998 (0x3E6), which deceptively is unrelated to file permissions/access.
I'm a bit past capacity right this second to properly review, commit and PR this, but my workaround for pushing non-aligned strings, which would otherwise introduce a NULL byte into the payload, is the following:
On the 3rd else (for when the string chunk is neither 2- nor 4-byte aligned), I pad it with NULLs to become 4 bytes, then store it XOR'd against 0xFFFFFFFF and XOR it back again just before pushing the full EAX DWORD:
```python
# Sample inputs so the snippet runs stand-alone: target_bytes is the hex of a
# sub-DWORD chunk (here the 2-byte tail "mp"); first_instructions collects asm.
target_bytes = "6d70"
first_instructions = []
chunk = bytearray.fromhex(target_bytes.ljust(8, "0"))       # NULL-pad to a full DWORD
xored = bytearray([x ^ 0xFF for x in chunk[::-1]]).hex()    # little-endian, NULL-free encoding
print(xored)
first_instructions.append(f"mov eax, 0x{xored};\n")
first_instructions.append(f"xor eax, 0xFFFFFFFF;\n")        # restore the DWORD before push eax
```
Referenced code: osed-scripts/shellcoder.py, line 73 in 0f4a395
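The following is an added example, not code from the issue or from the osed-scripts project: a small model of the x86-32 stack that checks the two claims above, namely that a sub-DWORD push leaves ESP misaligned and that the NULL-padded, XOR-0xFFFFFFFF form keeps ESP 4-byte aligned while writing the same string. It assumes ESP starts 16-byte aligned, that the generator pushes a zero DWORD terminator first (the issue does not say; it is what a NUL-terminated ANSI API argument needs), and it also flags the chunk case the XOR trick cannot encode (a 0xFF byte XORs to 0x00). The sample path is constructed.

```python
def encode_dword_chunk(chunk: bytes) -> tuple[str, bytes]:
    """NULL-pad a 1..3 byte chunk to a DWORD and build the NULL-free
    `mov eax, imm; xor eax, 0xFFFFFFFF` pair from the issue.
    Returns the assembly text and the 4 bytes that `push eax` then writes."""
    assert 0 < len(chunk) < 4, "only sub-DWORD chunks take this path"
    dword = chunk.ljust(4, b"\x00")           # the NULL padding that keeps ESP aligned
    imm = int.from_bytes(dword, "little") ^ 0xFFFFFFFF
    if 0 in imm.to_bytes(4, "little"):        # a 0xFF byte in the chunk XORs back to 0x00
        raise ValueError("XOR-0xFF encoding of this chunk still contains a NULL byte")
    asm = f"mov eax, 0x{imm:08x}; xor eax, 0xFFFFFFFF; push eax"
    return asm, dword


def simulate_pushes(s: bytes, esp: int = 0xBFFFF000, pad_tail: bool = True):
    """Model pushing s onto an x86-32 stack last chunk first, after a zero
    DWORD terminator (assumed; the ANSI API needs a NUL-terminated string).
    With pad_tail=False a short final chunk moves ESP by only len(chunk)
    (e.g. `push ax` for 2 bytes): the misalignment the issue describes.
    Returns (final esp, bytes readable forward from esp)."""
    esp -= 4
    mem = b"\x00" * 4
    for chunk in reversed([s[i:i + 4] for i in range(0, len(s), 4)]):
        if len(chunk) < 4 and not pad_tail:
            esp -= len(chunk)                 # sub-DWORD push: ESP % 4 != 0 from here on
            mem = chunk + mem
        else:
            dword = encode_dword_chunk(chunk)[1] if len(chunk) < 4 else chunk
            esp -= 4                          # push eax always moves ESP by 4
            mem = dword + mem
    return esp, mem


def alignment_report(s: bytes) -> dict:
    """Compare both strategies: ESP alignment at the call and the string a
    callee such as MoveFileA would read through the pointer."""
    report = {}
    for name, pad in (("unpadded", False), ("padded", True)):
        esp, mem = simulate_pushes(s, pad_tail=pad)
        report[name] = {"esp_mod_4": esp % 4,
                        "string": mem.split(b"\x00", 1)[0].decode()}
    return report


if __name__ == "__main__":
    # constructed sample path: 6 bytes, so the tail chunk is 2 bytes
    print(alignment_report(b"C:\\tmp"))
    print(encode_dword_chunk(b"mp")[0])       # mov eax, 0xffff8f92; xor eax, 0xFFFFFFFF; push eax
```

The `mp` chunk reproduces the issue snippet's `0xffff8f92` immediate; the `ValueError` path shows the one input class (a 0xFF byte) where the XOR trick needs a different encoding.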