MOTHER FUCK

git-svn-id: file:///home/svn/incoming/trunk@2617 4d416f70-5f16-0410-b530-b9f4589650da

lib/rex/encoders/xor_dword_additive.rb

@@ -0,0 +1,41 @@
+#!/usr/bin/ruby
+
+require 'Rex/Encoder/Xor/DWordAdditive'
+
+#
+# Jmp/Call DWord Additive Feedback Encoder
+# Author: skape
+# Arch:   x86
+#
+
+module Rex
+module Encoders
+
+class XorDWordAdditive < Rex::Encoder::Xor::DWordAdditive
+	module Backend
+
+		def _unencoded_transform(data)
+			# pad to a dword boundary so we can append our key aligned
+			data = data + ("\x00" * ((4 - data.length & 3) & 3)) + "\x00\x00\x00\x00"
+		end
+
+		def _prepend
+			"\xfc"                + # cld
+			"\xbb" + key          + # mov ebx, key
+			"\xeb\x0c"            + # jmp short 0x14
+			"\x5e"                + # pop esi
+			"\x56"                + # push esi
+			"\x31\x1e"            + # xor [esi], ebx
+			"\xad"                + # lodsd
+			"\x01\xc3"            + # add ebx, eax
+			"\x85\xc0"            + # test eax, eax
+			"\x75\xf7"            + # jnz 0xa
+			"\xc3"                + # ret
+			"\xe8\xef\xff\xff\xff"  # call 0x8
+		end
+	end
+
+	include Backend
+end
+
+end end

lib/rex/encoding/xor/dword_additive.rb

@@ -36,7 +36,7 @@ class DWordAdditive < Generic
 			# add the last len bytes (in this case 4) with the key,
 			# dropping off any overflow
 			key = pack_key(
-			  unpack_key(key) + unpack_key(buf[-len, len]) &
+			  unpack_key(key) + unpack_key(buf[pos - (len - 1), len]) &
 			    (1 << (len << 3)) - 1
 			)
 		end

lib/rex/encoding/xor/generic.rb

@@ -121,7 +121,7 @@ class Generic
 
 		while pos < buf.length
 			encoded += (buf[pos] ^ key[pos % len]).chr
-			key = _encode_mutate_key(encoded, key, pos, len)
+			key = _encode_mutate_key(buf, key, pos, len)
 			pos += 1
 		end