For the seventh assignment of the SLAE32 course we were required to create a custom cryptor and decryptor.
Online I found many examples for RC4, AES, DES and other common encryptors, so I decided to do something different.
Creating a Custom Cryptor
For my cryptor I decided to create somewhat of a Cesaer Chipher.
- The cryptor takes a key, and for every byte of the shellcode adds to it the corresponding byte of the key.
- When the key length is exceeded, the key repeats itself.
- the example key is
key = "HelloFriend"
- Instead of
XOR‘ing I chose to use the bitwise
- Since I have used
XORquite a bit in the SLAE32 course.
- Since I have used
Using the Cryptor Smartly
In the example, the strength of this cryptor is quite terrible. Although it can be used in a way that makes it good.
If the key is the same length of the shellcode, then this works as a One-Time Pad (OTP).
- The key or “pad” should not be words, or even letters, of the english language.
- Each byte of the key should be a randomly generated hex value, ranging from
This encryption method is not typically seen in production because the key lengths are huge, non-memerable strings, and the key is needed both at the cryptor and decryptor sides.
Obviously adding a byte from the shellcode and the key together is likely to exceed the maximum value of the result space.
- If this happens, the cryptor will subtract
1 byte) from the result, and store the remainder in the encrypted byte.
Example Overflow while Encrypting
if decrypted_byte + key_byte > 255 encrypted_byte = decrypted_byte + key_byte - 256 else encrypted_byte = decrypted_byte + key_byte
When decrypting, it will simply check to see if a byte was subtracted, and add a byte back.
Example Underflow while Decrypting
if encrypted_byte - key_byte < 0 decrypted_byte = encrypted_byte - key_byte + 256 else decrypted_byte = encrypted_byte - key_byte
Since my example uses a small, repeated key, I added that the byte be rotated to the left once when encrypting. Then rotate the byte to the right once when decrypting.
ADD Rotate-Left Cryptor
#!/usr/bin/python shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e" shellcode += "\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" key = "HelloFriend" encrypted = "" keyArray = bytearray(key) keyLength = len(bytearray(key)) # count will be used to make the key the same length as the shellcode count = 0 for x in bytearray(shellcode) : # If their are no more letters in the key, reuse the key from the start if count == keyLength : count = 0 # Add the first byte of shellcode and key together x = x + keyArray[count] if x > 255 : # if the key is greater than a byte value, remove the extra byte x -= 256 if x > 127: x = x - 128 # Remove the left-most bit x = x << 1 # Shift to the left 1 x += 1 # Add 1, to complete the rotate encrypted += '\\x' encrypted += '%02x' %x # Add the rotated left hex to string else: encrypted += '\\x' # No leftmost bit, just rotate encrypted += '%02x' %(x << 1) count += 1 print encrypted
SUB Rotate-Right Decryptor
#!/usr/bin/python encrypted = "\xf2\x4a\x79\xa9\x3d\xea\xcb\xa3\x9b\x3b\x8d\x63\xa7" encrypted += "\xeb\x9e\x7f\x9f\xa8\x79\xdd\x9e\x28\xa6\x64\xd9" key = "HelloFriend" decrypted = "" keyArray = bytearray(key) keyLength = len(bytearray(key)) count = 0 for x in bytearray(encrypted) : if count == keyLength : count = 0 oddEven = x % 2 if oddEven == 1: x = x >> 1 x = x + 128 else: x = x >> 1 x = x - keyArray[count] if x < 0 : x += 256 decrypted += '\\x' decrypted += '%02x' %x # Add the rotated left hex to string count += 1 print decrypted
SLAE32 Blog Proof
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ - Now at: https://www.pentesteracademy.com/course?id=3 SLAE/Student ID: PA-10913