The seventh and final assignment of the SLAE64 exam states:

  • Create a custom crypto like the one shown in the “crypters” video
  • Free to use any existing encryption schema
  • Can use any programming language

Initially I wanted to use the Tiny Encryption Algorithm but decided against it and instead chose the ChaCha20 stream cipher. The reason is that while TEA is an interesting exercise is simplicity, ChaCha20 is much more relevant today.

For this assignment I chose to use Python and the PyCryptodome library and added the code to the compile.py I wrote earlier in the course in the new Crypter class.

Note, if you get the following error when running the code:

Traceback (most recent call last):
  File "compile.py", line 24, in <module>
    from Crypto.Cipher import ChaCha20
ImportError: cannot import name 'ChaCha20'

You may want to use the provided requirements.txt in a virtualenv as your distribution’s pycrypto is not pycryptodome and lacks support for ChaCha20.

The way this crypter works is it takes a NASM source file, e.g. Execve.nasm and uses the original Compiler class to get the bytecode. It then generates a random key and encrypts the bytecode before writing it to Execve.enc.

[*] Switching to crypter mode
[*] Assembling Execve.nasm
[*] Linking Execve.o
[*] Extracting and analyzing byte code
[+] No NULL bytes found
[*] Shellcode length: 32
[*] Generated key (base64 encoded): h0Wm2K8eN33TQ96pR5i4ZB1pgKwSNuQSckKd1gA6cok=
[*] Nonce (base64 encoded): +nFn9N8cmbs=
[*] Saved encrypted bytecode to Execve.enc

In order to decrypt Execve.enc one needs the key and nonce which are displayed during encryption. It then re-uses the C shellcode wrapper to insert the decrypted bytecode and compiles it to Execve.bin.

[*] Switching to crypter mode
[*] Compiling shellcode-Execve.enc.c
[*] Decrypted shellcode compiled to Execve.bin

Simple and straightforward!

asciicast

I also added an --autorun flag which will directly execute the new shellcode too:

[*] Switching to crypter mode
[*] Compiling shellcode-Execve.enc.c
[*] Decrypted shellcode compiled to Execve.bin
[*] Invoking ./Execve.bin
$

Wrapping up

I have uploaded the new compile.py code to jasperla/slae64 on GitHub:

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification. Student ID: SLAE64-1614