In our last installment of the Shellcode Signature Series for security practitioners, we walked through the Metasploit shellcode encoder, Shikata Ga Nai. In this article, we’ll explore the x86 Countdown Encoder, which is not as complicated as Shikata Ga Nai, but incorporates several techniques that will be useful when analyzing the additional signatures in this series. There is no polymorphism or randomization when this shellcode is constructed, so it should result in a simple signature.
The "core" logic of the x86 Countdown Encoder is hardcoded within a single function, decoder_stub. At the beginning of the stub, ECX is cleared and then loaded with the length of the shellcode minus 1; this counter is what gives the encoder its name, since the rest of the stub counts it down while it decodes.
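To see what that counter does to the payload, here is an added Python model of the countdown loop (example code, not from the article and not Metasploit's own implementation). It assumes the rest of the stub XORs each payload byte with CL and steps ECX down with a LOOP-style decrement until it reaches zero; the ECX start value (the article's length minus 1, or any value an analyst wants to try) is a parameter, and because only CL is used, the key wraps at 8 bits for payloads longer than 255 bytes.

```python
# Added example: model of a countdown XOR decoder loop (not Metasploit's code).
# Assumptions: the stub XORs the byte at [base + ECX] with CL, then executes
# LOOP (ECX -= 1; continue while ECX != 0). XOR is its own inverse, so the
# same routine both "encodes" a sample for the demo and decodes it.

def countdown_xor(buf: bytes, ecx: int) -> bytes:
    """Return buf after running the countdown loop with ECX = ecx.

    The loop touches the last `ecx` bytes, last byte first, using the
    current ECX value (truncated to CL, i.e. 8 bits) as the XOR key.
    """
    out = bytearray(buf)
    # Choose base so that the first iteration hits the final byte of buf.
    base = len(out) - ecx - 1
    while ecx > 0:
        out[base + ecx] ^= ecx & 0xFF   # xor [base+ecx], cl
        ecx -= 1                        # loop: dec ecx, jnz
    return bytes(out)


def key_for_offset(offset: int, length: int, ecx: int) -> int:
    """Key an analyst should expect at a given payload offset.

    Offsets the loop never reaches (those before len - ecx) get key 0.
    """
    touched_from = length - ecx
    if offset < touched_from:
        return 0
    return (offset - touched_from + 1) & 0xFF


def roundtrip_demo() -> bool:
    """Constructed sample: encode then decode with ECX = len and ECX = len-1."""
    payload = bytes(range(0x41, 0x49))          # constructed 8-byte sample
    for start in (len(payload), len(payload) - 1):
        encoded = countdown_xor(payload, start)
        if countdown_xor(encoded, start) != payload:
            return False
        # Every byte must differ from the original by exactly its key.
        for i, (p, e) in enumerate(zip(payload, encoded)):
            if p ^ e != key_for_offset(i, len(payload), start):
                return False
    return True


if __name__ == "__main__":
    print("round trip ok:", roundtrip_demo())
```

Running it with ECX = length minus 1 shows that the first payload byte is never touched, which is the kind of detail that matters when deciding where a signature on the decoded payload can start.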