This document provides an overview of shellcode mastering techniques. It discusses the basics of shellcode including features, types, and development tasks. It covers basic shellcode techniques like call/ret algorithms and delta offset approaches. Optimization techniques are explored like instruction format, opcode maps, and common rules. Examples of optimized shellcode from a past competition are analyzed to extract the optimization changes between versions. Practice tasks are provided to write shellcode that performs a reverse connect and executes a second stage payload. Questions from attendees are solicited at the end.

1. Shellcode Mastering
by Anton Dorfman

2. About me
• Fan of & Fun with Assembly language
• Reverser
• Teach Reverse Engineering since 2001
• Candidate of technical science

3. Hands-on Lab structure
• Basics of shellcode
• Basic shellcode techniques
• Shellcode optimization techniques
• Optimization example analysis
• Practice

4. Required tools
• Windows XP virtual machine
• Windows 7 virtual machine
• Olly Debugger
• Masm32 by hutch v11
• RadASM
• Hview
• Total Commander

5. Basics of shellcode

6. Shellcode features
• Base independent
• Small size of code
• Written in Assembly Language
• Used as payload in the exploitation of
vulnerabilities

7. Types of shellcode
• Local
• Remote
• Download and execute
• Staged
• Null-free shelcode

8. Shellcode development tasks
• Find yourself in memory (delta offset, value of
the EIP register – program counter)
• Addressing shellcode variables
• Work with strings

9. Windows specific shellcode tasks
• Find kernel32.dll base address
• Find entry points of needed Win32 API

10. Basic shellcode techniques

11. Usual program

12. Call and Ret algorithms

13. Delta offset
• call next (or call $+5)
• next:
• pop ebp
• sub ebp,offset next
• Open Delta.asm
• Compile and debug it
• Add bytes before start and check

14. Zero-null delta offset variant
• call $+4
• ret
• pop ebp
• Open DeltaNoNull.asm
• Compile and debug it
• Check instruction overlap

15. Addressing shellcode variables
• First – find delta offset of our code
• Commonly used [reg+offset of instruction]
• We can use any registers
• Create VarUsing.asm
• Write in it base-independent (shellcode-like)
variant of “Usual program” example
• Compile and debug it

16. Addressing shellcode variables
through code blocks structure
• call next
• Var dd 12345678h
• next:
• pop esi – now points to Var
• Create VarUsingBlocks.asm
• Modify VarUsing.asm to use this tecnique
• Compile and debug it

17. Types of strings in shellcodes
• Come parameters
• Names of dll libraries
• Names of Win32 API

18. Using strings in stack
• push ‘yt’
• push ‘rewq’
• mov esi,esp - esi now points to string ‘qwerty’
• Create StringUsingStack.asm with using this
technique and string you prefer
• Create StringUsingBlock.asm with the using code
blocks structure technique
• Compile and debug it

19. Hashes are less then strings
• One hash – 4 bytes
• Hash procedure – x bytes
• Total size of Win32 API names- y bytes
• If (x+4) less then we must use hashes

20. Restricted but weak hashes
• We can check API namespace of the dll
libraries used in our shellcode for 2-byte or
even 1 byte hashes

21. Few symbols less then hash
• We can check API namespace of the dll
libraries used in our shellcode for unique
symbols in different positions of the API name
• If we find such “unique positions” we can use
them for checking needed APIs

22. Find entry points of needed Win32 API
• Using hardcoded addresses of API
• Scan for GetProcAddress
• Find API from Export

23. Using hardcoded addresses of API
• Find addresses of needed API in OS similar to
target
• Harcode them into shellcode
• For example:
• call 7c801d7bh – kernel32.LoadLibraryA

24. Ways to find kernel32.dll Base Address
• Hardcoded address
• PEB based (Process Environment Block)
• SEH based (Structured Exception Handler)
• From TOP of the STACK

25. Kernel32.dll Base from PEB

26. Kernel32.dll Base from PEB

27. Kernel32.dll Base from SEH

28. Kernel32.dll Base from TOP STACK

29. Scan for GetProcAddress

30. Find API from Export

31. Shellcode optimization
techniques

32. Shellcode optimization techniques
• Structural optimization
• Less action – value reusing optimization
• Local optimization

33. Instruction format

34. Types of Opcode byte

35. ModR/M

36. SIB

37. Opcode map - 00h-77h

38. Opcode map - 08h-7Fh

39. Opcode map - 80h-F7h

40. Opcode map - 88h-FFh

41. Opcode in ModR/M

42. Common optimization rules
• Relative addresses, offsets and immediate
values are less in instruction if they between -
128: +127 (00h-0FFh)
• Some instructions with eax/ax/al are less for 1
byte
• 1 byte instructions: push reg, pop reg, inc reg,
dec reg, xchg eax,reg
• Chained instructions are best

43. Zeroing register
• mov eax,00000000h – 5 bytes
• xor eax,eax – 2 bytes
• sub eax,eax – 2 bytes

44. Assign “-1” to register
• mov eax,0FFFFFFFFh (-1)
• xor eax,eax (sub eax,eax) – 2 bytes
• dec eax – 1 byte
• or eax,-1 – 3 bytes

45. Check register for zero
• cmp eax,00000000h – 5 bytes
• jz eax_is_zero – 2 bytes
• test eax,eax (or eax,eax) – 2 bytes
• jz eax_is_zero – 2 bytes
• xchg eax,ecx – 1 byte
• jecxz eax_is_zero – 2 bytes

46. Check register for “-1”
• cmp eax,0FFFFFFFFh – 5 bytes
• jz eax_is_minus_1 – 2 bytes
• inc eax – 1 byte
• jz eax_is_minus_1 – 2 bytes
• dec eax – 1 byte

47. Assign 8bit value to register
• mov eax,000000FFh – 5 bytes
• xor eax,eax – 2 bytes
• mov al,0FFh – 2 bytes
• push 0FFh – 2 bytes
• pop eax – 1 byte

48. Отказ от стека

49. Optimization example analysis

50. Prehistory
• In 3-th January 2009 guy with nickname “sl0n”
made a proposal for “New Year competition of
smallest download and execute shellcode”
• Link:
http://wasm.ru/forum/viewtopic.php?pid=28
8731
• Participants: sl0n, takerZ cencored, freeman,
researcher (me)

51. Branches of code optimization
• Sl0n_185 - censored_170 - freeman_163
• researcher_160 - researcher_149 NULL-FREE
branch
• takerZ_160 - takerZ_160_148 -
researcher_153 - takerZ_150 - researcher_141
- takerZ_138 - researcher_137 -
researcher_134

52. Sl0n_185
• Check the file 1_sl0n_185.asm
• Analyze it structure and actions

53. censored_170
• Check the file 3_censored_170.asm
• Analyze it structure and actions

54. freeman_163
• Check the file 4_freeman_163.asm
• Analyze it structure and actions
• Compare with previous
• Extract optimization changes

55. takerZ_160
• Check the file 2_takerZ_160.asm
• Compile and debug
• Analyze it structure and actions
• Compare with previous
• Extract optimization changes

56. takerZ_160_148
• Check the file 21_takerZ_160_148.asm
• Compile and debug
• Analyze it structure and actions
• Compare with previous
• Extract optimization changes

57. researcher_160
• Check the file 5_researcher_160.asm
• Compile and debug
• Analyze it structure and actions
• Compare with previous - 2_takerZ_160.asm
• Extract optimization changes
• Notify the Null-Free feature

58. researcher_153
• Check the file 6_researcher_153.asm
• Compile and debug
• Analyze it structure and actions
• Compare with previous - 2_takerZ_160.asm
• Extract optimization changes

59. takerZ_150
• Check the file 7_takerZ_150.asm
• Compile and debug
• Analyze it structure and actions
• Compare with previous
• Extract optimization changes

60. researcher_149
• Check the file 81_researcher_149.asm
• Compile and debug
• Analyze it structure and actions
• Compare with previous
• Extract optimization changes
• Notify the Null-Free feature

61. researcher_141
• Check the file 8_researcher_141.asm
• Compile and debug
• Analyze it structure and actions
• Compare with previous
• Extract optimization changes

62. takerZ_138
• Check the file 9_takerZ_138.asm
• Compile and debug
• Analyze it structure and actions
• Compare with previous
• Extract optimization changes

63. researcher_137
• Check the file A_researcher_137.asm
• Compile and debug
• Analyze it structure and actions
• Compare with previous
• Extract optimization changes

64. researcher_134
• Check the file B_researcher_134.asm
• Compile and debug
• Analyze it structure and actions
• Compare with previous
• Extract optimization changes

65. Task for Practice – VolgaCTF 2013
Quals – PPC 400
• You have some information about a remote vulnerability in a
service of our enemies. This service is based on sockets. You have
already developed an exploit and the second stage shellcode.
• You should write x86 first stage shellcode. Its size should be no
more than XXX bytes. Null bytes are allowed.
• Hardcoded entrypoint addresses of API and image base addresses
of dlls are not allowed. Possible OS platform - Windows, except for
Windows 7.
• Shellcode must do reverse connect to address 127.0.0.1, port 20480
(5000h), receive exactly 512 bytes (our second stage) to buffer and
jump to it (first byte).
• The guy who will check your shellcode is a lazy bastard, so you need
to wait some time before he will answer.

66. Questions ?