SLAE32 Assignment 7 - Add-Rotate Cryptor

5 minute read

Overview

For the seventh assignment of the SLAE32 course we were required to create a custom cryptor and decryptor.

Online I found many examples for RC4, AES, DES and other common encryptors, so I decided to do something different.

Creating a Custom Cryptor

For my cryptor I decided to create somewhat of a Cesaer Chipher.

  • The cryptor takes a key, and for every byte of the shellcode adds to it the corresponding byte of the key.
  • When the key length is exceeded, the key repeats itself.
  • the example key is key = "HelloFriend"
  • Instead of XOR‘ing I chose to use the bitwise AND operation
    • Since I have used XOR quite a bit in the SLAE32 course.

Using the Cryptor Smartly

In the example, the strength of this cryptor is quite terrible. Although it can be used in a way that makes it good.
If the key is the same length of the shellcode, then this works as a One-Time Pad (OTP).

  • The key or “pad” should not be words, or even letters, of the english language.
  • Each byte of the key should be a randomly generated hex value, ranging from \x00 to \xff.

This encryption method is not typically seen in production because the key lengths are huge, non-memerable strings, and the key is needed both at the cryptor and decryptor sides.

Obviously adding a byte from the shellcode and the key together is likely to exceed the maximum value of the result space.

  • If this happens, the cryptor will subtract 256 (1 byte) from the result, and store the remainder in the encrypted byte.

    Example Overflow while Encrypting

    if decrypted_byte + key_byte > 255
      encrypted_byte = decrypted_byte + key_byte - 256
    else 
      encrypted_byte = decrypted_byte + key_byte
    

When decrypting, it will simply check to see if a byte was subtracted, and add a byte back.

Example Underflow while Decrypting

if encrypted_byte - key_byte < 0
	decrypted_byte = encrypted_byte - key_byte + 256
else
	decrypted_byte = encrypted_byte - key_byte

Since my example uses a small, repeated key, I added that the byte be rotated to the left once when encrypting. Then rotate the byte to the right once when decrypting.

ADD Rotate-Left Cryptor

#!/usr/bin/python
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
shellcode += "\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
key = "HelloFriend"
encrypted = ""
keyArray = bytearray(key)
keyLength = len(bytearray(key))
# count will be used to make the key the same length as the shellcode
count = 0				
for x in bytearray(shellcode) : 
	# If their are no more letters in the key, reuse the key from the start
	if count == keyLength :		
		count = 0
	# Add the first byte of shellcode and key together
	x = x + keyArray[count]		
	if x > 255 :
		# if the key is greater than a byte value, remove the extra byte
		x -= 256		
	if x > 127:
        	x = x - 128             # Remove the left-most bit
        	x = x << 1              # Shift to the left 1
        	x += 1                  # Add 1, to complete the rotate
        	encrypted += '\\x'
        	encrypted += '%02x' %x	# Add the rotated left hex to string 
	else:
        	encrypted += '\\x'       # No leftmost bit, just rotate
        	encrypted += '%02x' %(x << 1)
	count += 1

print encrypted

SUB Rotate-Right Decryptor

#!/usr/bin/python
encrypted = "\xf2\x4a\x79\xa9\x3d\xea\xcb\xa3\x9b\x3b\x8d\x63\xa7"
encrypted += "\xeb\x9e\x7f\x9f\xa8\x79\xdd\x9e\x28\xa6\x64\xd9"
key = "HelloFriend"
decrypted = ""

keyArray = bytearray(key)
keyLength = len(bytearray(key))
count = 0
for x in bytearray(encrypted) : 
	if count == keyLength :
		count = 0
	oddEven = x % 2
	if oddEven == 1:
		x = x >> 1
		x = x + 128
	else:
		x = x >> 1
	x = x - keyArray[count]
	if x < 0 :
		x += 256
	decrypted += '\\x'
	decrypted += '%02x' %x	# Add the rotated left hex to string 
	count += 1

print decrypted

SLAE32 Blog Proof

This blog post has been created for completing the requirements
 of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
	- Now at: https://www.pentesteracademy.com/course?id=3
SLAE/Student ID: PA-10913

Updated: