Polygo

Polymorphic Linux x86 shellcode engine

Introduction

Polygo is a polymorphic shellcode engine written in Go.

💡 Features

  • Polymorphism
  • No NULL bytes
  • Shellcode x86
  • Cross-platform engine
  • Multiple obfuscation methods
  • Multi-layer encapsulation
  • Crazy mode

Functioning

🌑 Obfuscation methods

Polygo uses predefined assembly stubs (decoders) for each obfuscation method (ADD, SUB, XOR, SWAP).

  • ADD

The engine subtracts a random byte from each byte of the shellcode. At runtime, the decoder adds the same byte back to recover the original shellcode and passes execution to it.

  • SUB

The engine adds a random byte to each byte of the shellcode. At runtime, the decoder subtracts the same byte to recover the original shellcode and passes execution to it.

  • XOR

The engine XORs each byte of the shellcode with a random byte. At runtime, the decoder XORs it again to recover the original shellcode and passes execution to it.

  • SWAP

The engine swaps byte pairs in place across the entire shellcode. If the number of bytes is odd, the engine appends a NOP byte. At runtime, the decoder swaps the pairs back and passes execution to the shellcode.
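Seen from the analysis side, all four transforms are single-byte and reversible, so one layer can be undone by trying every method and key and searching the result for a byte pattern expected in the plaintext. The Go sketch below is an added example, not part of Polygo; `Finding`, `undo`, `Scan` and the sample buffer are constructed for illustration, and it handles a single layer without a decoder stub in front.

```go
package main

import "bytes"
import "fmt"

// Finding records which inverse transform and key exposed the marker.
type Finding struct { Method string; Key byte; Offset int }

// undo applies the decoder-side operation of one method to a copy of buf.
func undo(method string, key byte, buf []byte) []byte {
	out := append([]byte(nil), buf...)
	for i := range out {
		switch method {
		case "ADD": // engine subtracted key, decoder adds it back
			out[i] += key
		case "SUB": // engine added key, decoder subtracts it
			out[i] -= key
		case "XOR":
			out[i] ^= key
		case "SWAP": // swap each byte pair back; a trailing odd byte is left alone
			if i%2 == 1 {
				out[i-1], out[i] = out[i], out[i-1]
			}
		}
	}
	return out
}

// Scan tries every method/key pair and reports those whose output contains marker.
func Scan(buf, marker []byte) []Finding {
	var hits []Finding
	for _, m := range []string{"ADD", "SUB", "XOR", "SWAP"} {
		for k := 0; k < 256; k++ {
			if off := bytes.Index(undo(m, byte(k), buf), marker); off >= 0 {
				hits = append(hits, Finding{m, byte(k), off})
			}
			if m == "SWAP" {
				break // SWAP takes no key
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample: harmless ASCII XORed with 0x5a, not real shellcode.
	sample := undo("XOR", 0x5a, []byte("AAAA/bin/shBBBB"))
	fmt.Println(Scan(sample, []byte("/bin/sh")))
}
```

Because byte arithmetic wraps modulo 256, ADD with key k and SUB with key 256-k are the same transform, so a buffer encoded with either method produces one finding under each name.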

Multi-layer encapsulation

Polygo can chain multiple obfuscation methods. For example, you can decide to chain SUB, XOR and ADD. In this case, the shellcode will first be obfuscated using the ADD method, then the newly generated shellcode will be obfuscated using the XOR method, and finally this last shellcode will be obfuscated using the ADD method, producing the final shellcode.

Usage

Compilation

go build polygo.go

ℹī¸ Help

Usage of ./polygo:
  -add
        Use add ofuscation
  -brainless uint
        Specify the number of recursive encapsulated obfuscation methods (default: 5)
  -crazy
        Recursively obfuscate the shellcode with all methods
  -f string
        File with the shellcode
  -random
        Use random ofuscation
  -sub
        Use sub ofuscation
  -swap
        Use swap ofuscation
  -xor
        Use xor ofuscation

Example:

./polygo -f shellcode.bin -xor

Options

  • -add/sub/xor/swap : use a single specified obfuscation method
  • -random : use a single random obfuscation method
  • -crazy : use each method in a random order
  • -brainless N : Number of encapsulations with random methods

⚠ī¸ Be careful with -brainless option's parameter, it might get your shellcode much longer.

Raw shellcode

In order to get a raw shellcode, you first need to compile your ASM file to an object file (.o).

nasm -f elf32 revshell.asm

Then you need to retrieve opcodes from the object file using objdump.

for i in $(objdump -d revshell.o |grep "^ " |cut -f2); do echo -En '\x'$i; done;

Finally, use echo to write shellcode to file as raw bytes.

echo -n -e '<objdump output>' > shellcode.bin

⚠ī¸ You must use single quotes when echoing shellcode to file.

Made with ♥ by Leco & Atsika
