Add shellcode for RC4 decoding

Provided as a block to be included into stagers and/or decoder stubs.
Also included is a test shellcode that can be used for verifying that the
algorithm is compatible to Ruby's OpenSSL RC4 algorithm.

Author: schierlm

external/source/shellcode/windows/x86/src/block/block_rc4.asm

@@ -0,0 +1,51 @@
+;-----------------------------------------------------------------------------;
+; Author: Michael Schierl (schierlm[at]gmx[dot]de)
+; Version: 1.0 (29 December 2012)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP - Data to decode
+;        ECX - Data length
+;        ESI - Key (16 bytes for simplicity)
+;        EDI - pointer to 0x100 bytes scratch space for S-box
+; Direction flag has to be cleared
+; Output: None. Data is decoded in place.
+; Clobbers: EAX, EBX, ECX, EDX, ESI, EBP (stack is not used)
+
+  ; Initialize S-box
+  xor eax, eax           ; Start with 0
+init:
+  stosb                  ; Store next S-Box byte S[i] = i
+  inc al                 ; increase byte to write (EDI is increased automatically)
+  jnz init               ; loop until we wrap around
+  sub edi, 0x100         ; restore EDI
+  
+  ; permute S-box according to key
+  xor ebx, ebx           ; Clear EBX (EAX is already cleared)
+permute:
+  add bl, [edi+eax]      ; BL += S[AL] + KEY[AL % 16]
+  mov edx, eax
+  and dl, 0xF
+  add bl, [esi+edx]
+  mov dl, [edi+eax]      ; swap S[AL] and S[BL]
+  xchg dl, [edi+ebx]
+  mov [edi+eax], dl
+  inc al                 ; AL += 1 until we wrap around
+  jnz permute
+  
+  
+  ; decryption loop
+  xor ebx, ebx           ; Clear EBX and EDX (EAX is already cleared)
+  xor edx, edx
+decrypt:
+  inc al                 ; AL += 1
+  add bl, [edi+eax]      ; BL += S[AL]
+  mov dl, [edi+eax]      ; swap S[AL] and S[BL]
+  xchg dl, [edi+ebx]
+  mov [edi+eax], dl
+  add dl, [edi+ebx]      ; DL = S[AL]+S[BL]
+  mov dl, [edi+edx]      ; DL = S[DL]
+  xor [ebp], dl          ; [EBP] ^= DL
+  inc ebp                ; advance data pointer
+  dec ecx                ; reduce counter
+  jnz decrypt            ; until finished

external/source/shellcode/windows/x86/src/test_rc4.asm

@@ -0,0 +1,43 @@
+;-----------------------------------------------------------------------------;
+; Author: Michael Schierl (schierlm[at]gmx[dot]de)
+; Version: 1.0 (29 December 2012)
+;-----------------------------------------------------------------------------;
+
+;
+; c1 = OpenSSL::Cipher::Cipher.new('RC4')
+; c1.encrypt
+; c1.key="Hello, my world!"
+; c1.update("This is some magic data you may want to have encoded and decoded again").unpack("H*")
+; 
+; => "882353c5de0f5e6b10bf0d25c432c5d16424dc797e895f37f261c893b31d577e7e69f77e07aa576d58c7f757164e7d74988feb10f972b28dcfa1e3a2b1cc0b0fa1a8b116294b"
+;
+; c1 = OpenSSL::Cipher::Cipher.new('RC4')
+; c1.decrypt
+; c1.key="Hello, my world!"
+; c1.update(["882353c5de0f5e6b10bf0d25c432c5d16424dc797e895f37f261c893b31d577e7e69f77e07aa576d58c7f757164e7d74988feb10f972b28dcfa1e3a2b1cc0b0fa1a8b116294b"].pack("H*"))
+;
+; => "This is some magic data you may want to have encoded and decoded again"
+;
+
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call pushkey           ; push the address of the key onto the stack
+  db "Hello, my world!"
+pushkey:
+  pop esi                ; and store it into ESI
+  call pushdata          ; push the address of the encrypted data on the stack
+  db 0x88, 0x23, 0x53, 0xc5, 0xde, 0x0f, 0x5e, 0x6b, 0x10, 0xbf, 0x0d, 0x25, 0xc4, 0x32, 0xc5, 0xd1, 0x64, 0x24, 0xdc, 0x79, 0x7e, 0x89, 0x5f, 0x37, 0xf2, 0x61, 0xc8, 0x93, 0xb3, 0x1d, 0x57, 0x7e, 0x7e, 0x69, 0xf7, 0x7e, 0x07, 0xaa, 0x57, 0x6d, 0x58, 0xc7, 0xf7, 0x57, 0x16, 0x4e, 0x7d, 0x74, 0x98, 0x8f, 0xeb, 0x10, 0xf9, 0x72, 0xb2, 0x8d, 0xcf, 0xa1, 0xe3, 0xa2, 0xb1, 0xcc, 0x0b, 0x0f, 0xa1, 0xa8, 0xb1, 0x16, 0x29, 0x4b
+pushdata:
+  pop ebp                ; and store it into EBP
+  mov ecx, 70            ; store data length into ECX
+  sub esp, 0x100         ; make space on stack for S-Box
+  mov edi, esp           ; and store address into EDI
+  nop
+  nop
+  nop
+  int 3                  ; for stepping through the code
+                         ; let's run the RC4 decoder
+%include "./src/block/block_rc4.asm"
+  int 3                  ; EBP should point to decoded data now