gpoulios / ROPInjector

Patching ROP-encoded shellcodes into PEs
GNU General Public License v2.0

Use other shellcode #2

Open CalvinJH opened 6 years ago

CalvinJH commented 6 years ago

Hello, I am trying to use other shellcode, but it shows 'Can't handle code ambiguity. Aborting...' and cmd.exe stops responding. Is shellcode limited to the two provided? Or what are the special requirements for shellcode?

gpoulios commented 6 years ago

In this case, the linear disassembly (i.e. the instructions decoded by sequentially traversing the code) and the recursive traversal (i.e. the instructions decoded by following the branches) do not result in the same code.

This is indeed a common trick by shellcode authors to break disassemblers (and who knows, potentially also AVs) and apparently it is even more common nowadays (the two provided were taken directly from msf some 3+ years ago whereas the updated equivalent payloads use anti-disassembling tricks).

The tool can’t handle them as it is not just a matter of displaying a disassembly, but rather interpreting it correctly into something that actually runs. However, since the purpose of ropinjector itself is to obfuscate, there is no point in using shellcode with anti-disassembling tricks, and doing so would not make its outcome any better.

Bottom line: I guess you can't use most of the popular shellcode any more, although I haven't tried myself (they were fine a few years ago).

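The disagreement described in the comment above, as an added example that is not ROPInjector's own code: a toy decoder for a handful of 32-bit x86 opcodes, run once as a linear sweep and once as a recursive traversal over a constructed stub, reporting the offsets where the two decodings disagree. The opcode subset, the function names and the sample bytes are assumptions made for illustration.

```python
# Added example, not ROPInjector's code: a toy 32-bit x86 decoder for a few
# opcodes, enough to show a linear sweep and a recursive traversal disagreeing.
REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
def _imm(code, off, size):        # little-endian signed immediate at `off`
    if off + size > len(code):
        raise ValueError(f"truncated instruction at 0x{off:x}")
    return int.from_bytes(code[off:off + size], "little", signed=True)

def decode(code, off):
    """Decode one instruction at `off`: (text, length, successor offsets)."""
    op = code[off]
    if op == 0x90:
        return "nop", 1, [off + 1]
    if op == 0xC3:
        return "ret", 1, []                               # no fall-through
    if op == 0x31 and off + 1 < len(code) and code[off + 1] >> 6 == 3:
        m = code[off + 1]                                 # xor r32, r32
        return f"xor {REG[m & 7]}, {REG[(m >> 3) & 7]}", 2, [off + 2]
    if op == 0xEB:                                        # jmp rel8
        tgt = off + 2 + _imm(code, off + 1, 1)
        return f"jmp 0x{tgt:x}", 2, [tgt]
    if op == 0xE8:                                        # call rel32
        tgt = (off + 5 + _imm(code, off + 1, 4)) & 0xFFFFFFFF
        return f"call 0x{tgt:x}", 5, [off + 5, tgt]
    raise ValueError(f"unsupported opcode 0x{op:02x} at 0x{off:x}")

def linear_sweep(code):           # decode sequentially; {offset: text}
    starts, off = {}, 0
    while off < len(code):
        text, n, _ = decode(code, off)
        starts[off] = text
        off += n
    return starts

def recursive_traversal(code, entry=0):   # follow control flow; {offset: text}
    starts, work = {}, [entry]
    while work:
        off = work.pop()
        if off in starts or not 0 <= off < len(code):
            continue                  # already decoded, or outside the blob
        text, n, succ = decode(code, off)
        starts[off] = text
        work.extend(succ)
    return starts

def ambiguous_offsets(code):      # reachable starts the sweep never saw
    lin = linear_sweep(code)
    return sorted(o for o in recursive_traversal(code) if o not in lin)

# Constructed stub: "jmp +1" skips a stray 0xE8 that the sweep reads as a call.
STUB = bytes([0xEB, 0x01, 0xE8, 0x31, 0xC0, 0xC3, 0x90, 0x90])
```

For the constructed stub the sweep sees instruction starts at 0, 2 and 7 while the traversal sees 0, 3 and 5, so the xor and the ret that actually execute are reported as ambiguous; a jump over a plain nop, by contrast, leaves the two decodings in agreement.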

op7ic commented 5 years ago

I quite like this tool, so I've been trying to get some old payloads to work, from the MSF2 framework (when it was still Perl: https://github.com/metasploit/framework2). No luck with a payload generated like this: ./msfpayload win32_exec cmd=calc.exe R > payload.msf2.raw