AE64

AE64 is a tool that transforms any amd64 shellcode into pure alphanumeric shellcode (every output byte is in 0-9, A-Z, a-z). The generated shellcode is self-modifying: a decoder stub rewrites the original shellcode in place before jumping to it, so the memory page holding it must be writable as well as executable.

Deps

python3 -m pip install keystone-engine
python3 -m pip install z3-solver

Usage

For usage examples, see the example folder.

Quickstart

from ae64 import AE64
from pwn import *
context.arch='amd64'

# get bytes format shellcode
shellcode = asm(shellcraft.sh())

# get alphanumeric shellcode
enc_shellcode = AE64().encode(shellcode)
print(enc_shellcode.decode('latin-1'))

About the defaults

enc_shellcode = AE64().encode(shellcode)
# equal to 
enc_shellcode = AE64().encode(shellcode, 'rax', 0, 'fast')

'''
def encode(self, shellcode: bytes, register: str = 'rax', offset: int = 0, strategy: str = 'fast') -> bytes:
"""
encode the given shellcode into alphanumeric shellcode (amd64 only)
@param shellcode: the shellcode as bytes
@param register: the register that holds the pointer to the shellcode, optionally with an offset (default=rax)
@param offset: the offset between the register value and the start of the shellcode (default=0)
@param strategy: encoding strategy, either "fast" or "small" (default=fast)
@return: the encoded shellcode
"""
'''

About encode strategy

I wrote two encoding strategies, fast and small.

Fast is the default strategy. It generates alphanumeric shellcode very quickly, but the output is somewhat longer.

Small generates shellcode with the help of z3-solver, so it is slower, but when encoding large shellcode it produces much smaller output. For tiny inputs the opposite holds: in the benchmark below, the 2-byte shellcode encodes to 76 bytes with fast and 119 bytes with small.
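The harness below is an added example and is not part of ae64 or its example folder. It assumes the encoded bytes were written out from the quickstart with open('enc_shellcode.bin', 'wb').write(enc_shellcode) (no trailing newline) and that encode() was called with its defaults (register='rax', offset=0), so the blob expects RAX to hold its own address. It checks the encoder's contract (every byte alphanumeric), maps the blob into a page that is writable as well as executable, because the decoder stub modifies itself, and then calls into it with RAX set. The file name and function names are mine.

```c
/*
 * Added harness (not ae64's own code): run an ae64-encoded blob that was
 * produced with the default register='rax', offset=0.
 *
 * Build: gcc -O1 -o runsc runsc.c
 * Use:   ./runsc enc_shellcode.bin
 * The input file is assumed to contain exactly the bytes returned by
 * AE64().encode(), written with open(..., 'wb') and no trailing newline.
 */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* The encoder's contract: every output byte is in [0-9A-Za-z].
 * Returns 1 if the blob is non-empty and purely alphanumeric, else 0.
 * A stray newline or a NUL from a sloppy copy/paste fails this check. */
int is_alphanumeric_shellcode(const unsigned char *sc, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        /* isalnum() on bytes above 0x7f is locale dependent; reject them outright */
        if (sc[i] > 0x7f || !isalnum(sc[i]))
            return 0;
    }
    return 1;
}

/* Map the blob into a page that is writable AND executable. The decoder
 * stub that ae64 prepends rewrites its own bytes in place, so a read+exec
 * mapping would fault on the first self-modifying store. */
unsigned char *map_rwx(const unsigned char *sc, size_t len)
{
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return NULL;
    memcpy(page, sc, len);
    return page;
}

/* Jump to the blob with RAX = its address (ae64's default base register).
 * The "a" constraint pins the operand to RAX, so the call goes through RAX
 * and the decoder stub finds its own base pointer there. */
void run_with_rax(unsigned char *page)
{
#if defined(__x86_64__)
    __asm__ volatile("call *%0"
                     : /* no outputs */
                     : "a"(page)
                     : "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11",
                       "memory", "cc");
#else
    (void)page;
    fprintf(stderr, "ae64 output is amd64-only; run this harness on x86_64\n");
#endif
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <encoded shellcode file>\n", argv[0]);
        return 1;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        perror("fopen");
        return 1;
    }
    static unsigned char buf[65536];
    size_t len = fread(buf, 1, sizeof buf, f);
    fclose(f);

    if (!is_alphanumeric_shellcode(buf, len)) {
        fprintf(stderr, "input is empty or not pure alphanumeric; refusing to run\n");
        return 1;
    }
    unsigned char *page = map_rwx(buf, len);
    if (!page) {
        perror("mmap");
        return 1;
    }
    run_with_rax(page);   /* shellcraft.sh() never returns; other payloads may */
    return 0;
}
```

If the blob is dropped into a target whose RWX region is reached through a different register, or through a register that points some bytes before the shellcode, re-encode with the matching register and offset rather than adjusting the harness: the decoder stub is specialised to those two parameters at encode time.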

Benchmark

Functionality compared (ae64 vs. alpha3):

  • Encode x32 alphanumeric shellcode
  • Encode x64 alphanumeric shellcode
  • Original shellcode can contain zero bytes
  • Base address register can contain offset

Length (in bytes):

Original length   ae64 (fast)   ae64 (small)   alpha3
2                 76            119            65
48                237           185            157
192               749           401            445
576               2074          977            1213

P.S. The inputs used for the length table:

length 2 shellcode: "lbl: jmp lbl"

length 48 shellcode: shellcraft.sh()

length 192 shellcode: shellcraft.sh()*4

length 576 shellcode: shellcraft.sh()*12

Old story

For the older version, which I wrote for the HCTF2018 christmas pwn challenge, go to the old_archive branch:

https://github.com/veritas501/ae64/tree/old_archive

ver1 details: https://github.com/veritas501/hctf2018#pwn---christmas4-solves

Contributors

veritas501
