AE64

AE64 is a tool that transforms any amd64 shellcode into pure alphanumeric shellcode. It relies on self-modifying code, so the page the shellcode runs from must be writable.

Install

git clone https://github.com/veritas501/ae64.git --depth 1
cd ae64
sudo python3 setup.py install

Usage

For usage examples, see the example folder.

Quickstart

from ae64 import AE64
from pwn import *
context.arch='amd64'

# get bytes format shellcode
shellcode = asm(shellcraft.sh())

# get alphanumeric shellcode
enc_shellcode = AE64().encode(shellcode)
print(enc_shellcode.decode('latin-1'))
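A sanity check to pair with the quickstart, added here as an example that is not part of ae64 itself: it verifies that a payload contains only the letters and digits the encoder promises, measures the size expansion reported in the benchmark below, and, from the defender's side, flags long alphanumeric runs in a captured buffer. The sample bytes are constructed, not real encoder output.

```python
import string

# Byte values AE64 promises in its output: ASCII letters and digits only.
ALNUM = frozenset(string.ascii_letters.encode() + string.digits.encode())


def check_alphanumeric(payload: bytes, allowed=ALNUM):
    """Return (offset, byte) pairs for every byte outside `allowed`.

    An empty list means the payload would pass an alphanumeric-only filter.
    """
    return [(i, b) for i, b in enumerate(payload) if b not in allowed]


def expansion_ratio(original: bytes, encoded: bytes) -> float:
    """Size of the encoded payload relative to the original shellcode."""
    if not original:
        raise ValueError("original shellcode is empty")
    return len(encoded) / len(original)


def alnum_runs(data: bytes, min_len: int = 64, allowed=ALNUM):
    """Locate runs of at least `min_len` consecutive allowed bytes in `data`.

    Returns (start, length) pairs. A long letters-and-digits run inside an
    otherwise binary buffer is one indicator worth inspecting when hunting
    for alphanumeric-encoded payloads in memory or traffic captures.
    """
    runs = []
    start = None
    for i, b in enumerate(data):
        if b in allowed:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data) - start))
    return runs


if __name__ == "__main__":
    # Constructed sample bytes, not output of AE64.
    good = b"Ab12Cd34"
    bad = b"Ab\x00Cd\xff"
    print(check_alphanumeric(good))   # []
    print(check_alphanumeric(bad))    # [(2, 0), (5, 255)]
    blob = b"\x00\x01" + b"A" * 70 + b"\xff" + b"B" * 10
    print(alnum_runs(blob))           # [(2, 70)]
```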

About defaults

enc_shellcode = AE64().encode(shellcode)
# equal to
enc_shellcode = AE64().encode(shellcode, 'rax', 0, 'fast')

The signature of encode:

def encode(self, shellcode: bytes, register: str = 'rax', offset: int = 0, strategy: str = 'fast') -> bytes:
    """
    encode the given shellcode into alphanumeric shellcode (amd64 only)
    @param shellcode: shellcode as bytes
    @param register: the register that holds the shellcode pointer (may point at the shellcode plus an offset) (default=rax)
    @param offset: the offset of the shellcode from that register (default=0)
    @param strategy: encode strategy, either "fast" or "small" (default=fast)
    @return: encoded shellcode
    """

About encode strategy

I wrote two encode strategies, fast and small.

The fast strategy is the default. It generates alphanumeric shellcode very quickly, but the output is somewhat long.

The small strategy generates shellcode with the help of z3-solver, so it is slower, but when encoding large shellcode it produces much smaller output.

Benchmark

Functionality compared between ae64 and alpha3:

- Encode x32 alphanumeric shellcode
- Encode x64 alphanumeric shellcode
- Original shellcode can contain zero bytes
- Base address register can contain offset

Length (in bytes):

| Origin length | ae64 (fast) | ae64 (small) | alpha3 |
|---|---|---|---|
| 2 | 76 | 119 | 65 |
| 48 | 237 | 185 | 157 |
| 192 | 749 | 401 | 445 |
| 576 | 2074 | 977 | 1213 |

P.S.

length 2 shellcode: "lbl : jmp lbl"

length 48 shellcode: shellcraft.sh()

length 192 shellcode: shellcraft.sh()*4

length 576 shellcode: shellcraft.sh()*12

Old story

For the older version, which I wrote for the HCTF2018 christmas pwn challenge, go to the old_archive branch.

https://github.com/veritas501/ae64/tree/old_archive

ver1 details: https://github.com/veritas501/hctf2018#pwn---christmas4-solves