EgeBalci / deoptimizer

Evasion by machine code de-optimization.
MIT License
297 stars, 20 forks

Not working for Havoc shellcode #1

Closed. JBalanza closed this 1 week ago.

JBalanza commented 3 weeks ago

Hi,

I'm trying to use it to transform Havoc's Demon shellcode output into something stealthier. However, after trying with different parameters (varying --syntax and --allow-invalid) I cannot make it work. It doesn't work with donut shellcode either. Any insight into why?


Best regards

EgeBalci commented 3 weeks ago

Hi,

This project is designed for de-optimizing machine "code". Many shellcodes contain strings and other static data (non-code) parts in them. As described in the usage examples, you need to specify those offsets with "--skip-offsets" parameter to preserve the strings and other static data.


In your case, Havoc shellcodes are full DLL files with a PE loader. So you need to skip lots of offsets because of strings and PE headers :) I'm aware this is a common struggle among users, so the next version of the tool will include an "auto skip" feature for automatically detecting and skipping necessary offsets. I'll try to push the next version in 1-2 weeks. Until then you can try to skip string offsets manually.

jdivincuit commented 2 weeks ago

Incredible work and incredible response. I can't wait for the auto skip version. I will try in the meantime to do the manual skips. Thanks for everything!

Edit: I think it will be problematic to do it automatically with the Havoc Demon, since the configuration (C2 host/port etc.) is stored in a raw bytes format within the agent (and not as a string).

EgeBalci commented 1 week ago

New version released :tada: Check the examples: https://github.com/EgeBalci/deoptimizer?tab=readme-ov-file#examples