1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Encoder::Xor
7

8
  def initialize
9
    super(
10
      'Name' => 'Call+4 Dword XOR Encoder',
11
      'Description' => 'Call+4 Dword XOR Encoder',
12
      'Author' => [ 'hdm', 'spoonm' ],
13
      'Arch' => ARCH_X86,
14
      'License' => MSF_LICENSE,
15
      'Decoder' => {
16
        'KeySize' => 4,
17
        'BlockSize' => 4
18
      })
19
  end
20

21
  #
22
  # Returns the decoder stub that is adjusted for the size of
23
  # the buffer being encoded
24
  #
25
  def decoder_stub(state)
26
    # Sanity check that saved_registers doesn't overlap with modified_registers
27
    if !(modified_registers & saved_registers).empty?
28
      raise BadGenerateError
29
    end
30

31
    decoder =
32
      Rex::Arch::X86.sub(-(((state.buf.length - 1) / 4) + 1), Rex::Arch::X86::ECX,
33
                         state.badchars) +
34
      "\xe8\xff\xff\xff" + # call $+4
35
      "\xff\xc0" + # inc eax
36
      "\x5e" + # pop esi
37
      "\x81\x76\x0eXORK" + # xor [esi + 0xe], xork
38
      "\x83\xee\xfc" + # sub esi, -4
39
      "\xe2\xf4" # loop xor
40

41
    # Calculate the offset to the XOR key
42
    state.decoder_key_offset = decoder.index('XORK')
43

44
    return decoder
45
  end
46

47
  # Indicate that this module can preserve some registers
48
  def can_preserve_registers?
49
    true
50
  end
51

52
  # A list of registers always touched by this encoder
53
  def modified_registers
54
    [ Rex::Arch::X86::ECX, Rex::Arch::X86::EAX, Rex::Arch::X86::ESI ]
55
  end
56

57
  # Convert the SaveRegisters to an array of x86 register constants
58
  def saved_registers
59
    Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])
60
  end
61
end
62

63