modules/encoders/x86/jmp_call_additive.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Encoder::XorAdditiveFeedback
# Uncomment when we get the poly stuff working again.
#Rank = GreatRanking
def initialize
super(
'Name' => 'Jump/Call XOR Additive Feedback Encoder',
'Description' => 'Jump/Call XOR Additive Feedback',
'Author' => 'skape',
'Arch' => ARCH_X86,
'License' => MSF_LICENSE,
'Decoder' =>
{
'Stub' =>
"\xfc" + # cld
"\xbbXORK" + # mov ebx, key
"\xeb\x0c" + # jmp short 0x14
"\x5e" + # pop esi
"\x56" + # push esi
"\x31\x1e" + # xor [esi], ebx
"\xad" + # lodsd
"\x01\xc3" + # add ebx, eax
"\x85\xc0" + # test eax, eax
"\x75\xf7" + # jnz 0xa
"\xc3" + # ret
"\xe8\xef\xff\xff\xff", # call 0x8
'KeyOffset' => 2,
'KeySize' => 4,
'BlockSize' => 4,
})
end
#
# Append the termination block.
#
def encode_end(state)
state.encoded += [ state.key ].pack(state.decoder_key_pack)
end
end