I am trying to convert an assembly program I wrote into NULL-free shellcode.
However, I am unsure how to go about this for certain instructions.
Some of them (in Intel syntax) include:
    push 0x1000
and
    mov BYTE [eax],0x31
I want to avoid using thousands of inc eax instructions. I was thinking maybe something creative with xor-ing values, and for the second, maybe if there was a flag to set to make it take a constant of only 8 bits.
push 0x1000
If you can spare a register (and you don't mind clobbering the flags), how about something like:
    xor eax, eax
    inc eax
    shl eax, 12
    push eax
mov BYTE [eax],0x31
The zero here does not come from the constant, but from the addressing mode. Try:
    xchg eax, ecx
    mov BYTE [ecx],0x31
    xchg eax, ecx
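As an added illustration (not part of the answer above), a small Python script that hand-encodes the instructions discussed here with their standard 32-bit encodings and shows exactly where each zero byte comes from: the imm32 of push, and the ModRM byte that encodes [eax]. The helper names are this example's own.

```python
# Added example: hand-encoded IA-32 machine code for the instructions
# discussed above. Encodings are the standard 32-bit ones (Intel SDM vol. 2),
# written out by hand here, so no assembler is needed to run this.

# (mnemonic, machine code) pairs for the original instructions.
ORIGINAL = [
    ("push 0x1000",         bytes.fromhex("6800100000")),  # 68 imm32: zeros in imm
    ("mov BYTE [eax],0x31", bytes.fromhex("c60031")),      # C6 /0 ib: ModRM is 00
]
# The two rewrites suggested in the answer.
REWRITE_PUSH = [
    ("xor eax, eax", bytes.fromhex("31c0")),
    ("inc eax",      bytes.fromhex("40")),
    ("shl eax, 12",  bytes.fromhex("c1e00c")),
    ("push eax",     bytes.fromhex("50")),
]
REWRITE_MOV = [
    ("xchg eax, ecx",       bytes.fromhex("91")),
    ("mov BYTE [ecx],0x31", bytes.fromhex("c60131")),      # ModRM 01 = [ecx]
    ("xchg eax, ecx",       bytes.fromhex("91")),
]

def decode_modrm(b):
    """Split a ModRM byte into its (mod, reg, rm) fields."""
    return (b >> 6) & 3, (b >> 3) & 7, b & 7

def null_offsets(code):
    """List (mnemonic, byte offset) for every 0x00 byte in a sequence."""
    return [(m, i) for m, enc in code for i, byte in enumerate(enc) if byte == 0]

def is_null_free(code):
    return not null_offsets(code)

def shl_value(shift):
    """Value left in eax by xor/inc/shl, with 32-bit wraparound."""
    return (1 << shift) & 0xFFFFFFFF

if __name__ == "__main__":
    for name, seq in [("original", ORIGINAL), ("push rewrite", REWRITE_PUSH),
                      ("mov rewrite", REWRITE_MOV)]:
        print(f"{name}: zero bytes at {null_offsets(seq)}")
    # mod=00 reg=000 rm=000 is [eax] with no displacement, hence the 0x00 byte.
    print("ModRM [eax]:", decode_modrm(0x00), "ModRM [ecx]:", decode_modrm(0x01))
    print("shl eax, 12 leaves", hex(shl_value(12)))
```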