
I'm trying to perform an XOR encryption on a BYTE (unsigned char) by trying to pass it directly into the function without defining it first.

XOR function:

```c
void xor(BYTE input[], BYTE output[]) {
    BYTE key[] = { 'T', 'A', 'M' }; //Can be any chars, and any size array

    int i;
    for (i = 0; i < sizeof(input); i++) {
        output[i] = input[i] ^ key[i % (sizeof(key) / sizeof(BYTE))];
    }
}
```

BYTE array example:

```c
BYTE Shellcode[] =
{
    0x48, 0x83, 0xEC, 0x08,
};
```

The problem is that I don't want to save the BYTE array without encrypting it because it will be exposed in memory then.

How could I directly pass the BYTE array into the function without defining it first?

With a simple char array that contains strings it would of course be easy, but I can't find out how to pass the byte array with integer values instead of string literals.

Junos
  • It has to be exposed in memory if you can pass it as in input to the function. It will also be exposed in memory (and in the executable file) if you use a string literal. – interjay Oct 18 '17 at 13:23
  • `sizeof(input)` is the size of a pointer, not of the array. – mch Oct 18 '17 at 13:23
  • Your function is broken: you cannot use `sizeof` inside a function to determine the length of an array passed to that function as an argument. That's mainly because you *can't* pass an array -- wherever you think that's what you're doing, you are in fact passing a pointer to the first array element instead. Such a pointer does not carry information about the number of elements in the array. – John Bollinger Oct 18 '17 at 13:27
  • Makes sense, thanks! Guess I will be hardcoding the input length then! – Junos Oct 18 '17 at 13:37
  • To me this is unclear. Are you asking how to avoid that data is stored in memory but still can get into the CPU and be processed? If so... There is no general way to do that. But on some systems it may be possible depending on HW architecture. Also you may have to write assembly code instead of C. BTW - where do you get the input from? – Support Ukraine Oct 18 '17 at 13:54
  • I think you want to hardcode `"MYSECRET"` but you are concerned people will see it with hex editor? There is not much you can do except obfuscate. You could encrypt the secret with another secret to make it harder to crack. – Barmak Shemirani Oct 20 '17 at 08:23

1 Answer


> The problem is that I don't want to save the BYTE array without encrypting it because it will be exposed in memory then.
>
> How could I directly pass the BYTE array into the function without defining it first?

You cannot do so. It doesn't even make sense. Passing the bytes depends on having them in memory already, and so does performing the encryption operation on them.

Moreover, if the program is supposed to provide the plaintext itself, then there is no avoiding that plaintext being stored, in some form, in the program image. On the other hand, if the plaintext bytes are obtained from an external source then you could consider encrypting them at the point where you input them. Depending on the details, that might avoid having all the plaintext in memory at the same time.

You could also consider wiping the input array after encrypting its contents, instead of avoiding ever having such an array in the first place. Just overwrite it with 0 or with random bytes. That's really only useful for the case of plaintext coming from an external source, however; data provided by the program itself are accessible without even running the program.

John Bollinger
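An added example, not code from the question or the answer: the XOR routine with the length passed explicitly (as the comments note, `sizeof(input)` inside the function is the size of a pointer), followed by wiping the plaintext buffer once it has been encrypted, which the answer suggests for data coming from an external source. The names `xor_buf`, `wipe`, `encrypt_and_wipe` and `demo`, and the sample input, are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
typedef unsigned char BYTE;

/* XOR len bytes with a repeating key. The length is an explicit parameter:
 * an array argument decays to a pointer, so sizeof(input) cannot give it. */
void xor_buf(const BYTE *input, BYTE *output, size_t len,
             const BYTE *key, size_t key_len)
{
    for (size_t i = 0; i < len; i++)
        output[i] = input[i] ^ key[i % key_len];
}

/* Zero a buffer via a volatile pointer so the stores are not optimized away. */
void wipe(void *buf, size_t len)
{
    volatile BYTE *p = buf;
    while (len--)
        *p++ = 0;
}

/* Encrypt caller-supplied plaintext, then wipe it. Returns 0, or -1 on bad arguments. */
int encrypt_and_wipe(BYTE *plain, BYTE *cipher, size_t len,
                     const BYTE *key, size_t key_len)
{
    if (!plain || !cipher || !key || key_len == 0)
        return -1;
    xor_buf(plain, cipher, len, key, key_len);
    wipe(plain, len);
    return 0;
}

/* Constructed demo: returns 1 if plaintext is wiped and the ciphertext decrypts. */
int demo(void)
{
    const BYTE key[] = { 'T', 'A', 'M' };
    BYTE plain[] = "constructed sample input";   /* stands in for external input */
    BYTE saved[sizeof plain], cipher[sizeof plain], back[sizeof plain];
    size_t n = sizeof plain;
    memcpy(saved, plain, n);                     /* kept only to verify the demo */
    if (encrypt_and_wipe(plain, cipher, n, key, sizeof key) != 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (plain[i] != 0)
            return 0;                            /* plaintext was not wiped */
    xor_buf(cipher, back, n, key, sizeof key);   /* XOR is its own inverse */
    return memcmp(back, saved, n) == 0 && memcmp(cipher, saved, n) != 0;
}
```

The caller computes the length with `sizeof` where the array is still an array (as `demo` does) or tracks it alongside the buffer.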