Tuesday, November 29, 2022

Fundamentals of XORing


In a recent tutorial, I showed you how to use shikata_ga_nai to change the signature of a payload in order to evade detection by security devices (firewalls, IDS, etc.) and AV software.

Shikata_ga_nai is an encoding module in Metasploit that XORs the payload over a number of iterations (the number of iterations is up to you), thereby changing the payload's signature. It prepends a small decoder stub to the encoded payload; once the payload has slipped past the security devices and the AV software, that stub reverses the XORing at run time and the payload executes normally on the victim's system. Bear in mind that the decoder stub itself is well known to AV vendors, so encoding alone is rarely enough against current products.

From the questions and comments I received on that guide, it became apparent that not all of you are familiar with the concept of XOR. This guide is dedicated to those of you who are not yet familiar with this ubiquitous technique in information technology, and serves as a refresher for those who are.

What Is XOR?

XOR stands for eXclusive OR. In logic and in everyday language, an OR is inclusive: the combined statement is true if either part is true or if both are. So, if I say, "The sky is cloudy OR the sky is blue," it evaluates to true if either statement is true, and also if the sky is both cloudy AND blue.

The exclusive OR makes a distinction between these two cases and is true only when exactly one of the two statements is true. It is used throughout computing for numerous purposes, including the encoding of a payload by shikata_ga_nai, error checking, and computing the parity bits of a RAID, among many other things.

As you know, computers operate with enormous numbers of on/off switches. Modern computers use transistors as those switches, but of course early computers used vacuum tubes, and any on/off switch would suffice.

Each of these switches is represented by a single bit. That bit can be on or off. If it is off, it is represented by a 0 (zero), and if it is on, by a 1 (one). Furthermore, the 0 represents false and the 1 represents true. It may help you remember this by thinking of the question, "Is the switch on?" The answer is true if it is on (1) and false if it is off (0).

Boolean Algebra

Boolean algebra is the algebra of statements that evaluate to either true or false. This is useful in computing because we can represent those two states with a single bit: when a statement is false it is represented by a zero (off), and when it is true by a one (on).

Truth Table

In logic and computing, we often use what are known as truth tables. A truth table lists every possible combination of inputs and whether each evaluates to true or false, hence the name. In the case of XOR, there are only four possible cases, as the table below shows.

A    B    A XOR B
0    0    0
0    1    1
1    0    1
1    1    0

Note that whenever the two inputs are the same (00, 11), XOR evaluates to false (0), and whenever the two inputs are different (01, 10), it evaluates to true (1). To summarize: same is 0, different is 1.

XOR Cipher

The XOR cipher is a very simple cipher that encrypts the input by XORing it with a key to produce the output; XORing the output with the same key gives the input back. For example, XORing the plaintext byte 01100001 with the key byte 00111010 gives 01011011, and XORing 01011011 with 00111010 again returns 01100001.

One of the advantages of the XOR cipher is that it is simple and fast. In addition, it doesn't need a separate algorithm to decipher it, since every system can XOR: a few instructions in front of the payload are enough to undo the encoding at run time. That is why it works so well in Metasploit's shikata_ga_nai encoding. Keep in mind, though, that this is obfuscation rather than real encryption: the decoder and its key travel with the payload, and anyone who holds a stretch of plaintext together with the matching ciphertext recovers the key simply by XORing the two.

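To make the cipher concrete, here is an added Python example (my own illustration, not code from the original article or from Metasploit). It implements the repeating-key XOR cipher, shows that decryption is the same operation as encryption, shows that several single-byte XOR passes collapse into a single pass, and runs the known-plaintext key recovery described above. The key `K3y` and the message `attack at dawn` are constructed for the demonstration, and `recover_key` assumes the known plaintext sits at the start of the message.

```python
# Added example (not from the original article): a minimal repeating-key
# XOR cipher and the checks a practitioner should run against it.
# Key and plaintext below are constructed for illustration.

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, repeating the key as needed."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)


def xor_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    # XOR is its own inverse: applying the same key again restores the input.
    return xor_bytes(ciphertext, key)


def iterated_xor(data: bytes, keys: list) -> bytes:
    """Apply several single-byte XOR passes in sequence (an encoder running
    N iterations). XOR is associative, so N passes with single-byte keys
    collapse to one pass with the XOR of those keys: the iteration count
    adds no strength on its own."""
    out = data
    for k in keys:
        out = xor_bytes(out, bytes([k]))
    return out


def recover_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: with key_len bytes of plaintext at the start
    of the message and the matching ciphertext, the key is just
    plaintext XOR ciphertext."""
    if len(plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_bytes(plaintext[:key_len], ciphertext[:key_len])


if __name__ == "__main__":
    key = b"K3y"                      # constructed key
    msg = b"attack at dawn"           # constructed plaintext
    ct = xor_encrypt(msg, key)
    print("ciphertext   :", ct.hex())
    print("decrypted    :", xor_decrypt(ct, key))
    # Three passes with keys 0x11, 0x22, 0x44 equal one pass with 0x77.
    print("passes fold  :", iterated_xor(msg, [0x11, 0x22, 0x44]) == xor_bytes(msg, b"\x77"))
    # Knowing just the first three plaintext bytes recovers the whole key.
    print("recovered key:", recover_key(msg, ct, len(key)))
```

Run it as a script to see the round trip and the key recovery; the point to take away is that the same three bytes that decode the payload for the victim also decode it for anyone who captures it and guesses a few bytes of plaintext.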
XOR in RAIDs

XOR is used in RAID levels 3, 4, 5 and 6 for creating parity information (RAID 6 adds a second, differently computed parity block so that it can survive two simultaneous drive failures). RAID 1 mirrors the hard drive, which means we need twice as many drives (and twice the cost) to get fault tolerance. Parity information, on the other hand, ensures that if one drive fails, the original data can be recovered. In this way, the RAID has fault tolerance without a huge additional expense.

For example, a RAID can guarantee the recovery of the bytes 10011100 and 01101100, stored on two different hard drives, by XORing them, which yields 11110000, and writing that parity byte to another drive. In a RAID 3 arrangement this is a dedicated parity drive. In a RAID 5 arrangement the parity blocks are distributed across all of the drives.

Under this scheme, if any one of the hard drives is lost, the missing byte can be recreated by XORing the corresponding bytes from the remaining drives. For instance, if the drive containing 01101100 is lost, 10011100 and 11110000 can be XORed to recover it (10011100 XOR 11110000 = 01101100). The same holds with more data drives: parity is the XOR of all of them, and any single missing member is the XOR of everything that survives. A single parity block can only recover one lost drive, though; lose a second one before the rebuild finishes and the XOR no longer has enough information.

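The parity scheme above, generalised to any number of data drives, as an added Python example (not from the original article). The single-byte drive contents reproduce the article's 10011100 / 01101100 / 11110000 case; the four two-byte "drives" further down are constructed for the demonstration.

```python
# Added example (not from the original article): XOR parity across N data
# drives and rebuilding whichever single drive is lost. Drive contents are
# constructed; the one-byte case matches the article's worked example.

from functools import reduce


def xor_blocks(blocks):
    """XOR a list of equal-length byte strings together."""
    if not blocks:
        raise ValueError("need at least one block")
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("all blocks must have the same length")
    return reduce(lambda x, y: bytes(a ^ b for a, b in zip(x, y)), blocks)


def compute_parity(data_drives):
    """Parity = XOR of the corresponding block on every data drive."""
    return xor_blocks(data_drives)


def rebuild_lost_drive(surviving, parity=None):
    """Rebuild one missing drive from the survivors.

    Lost a data drive: pass the remaining data drives plus the parity block;
    the lost block is XOR(survivors) ^ parity.
    Lost the parity drive: pass parity=None and the data drives; parity is
    simply recomputed. Either way, only ONE missing member is recoverable.
    """
    blocks = list(surviving) + ([parity] if parity is not None else [])
    return xor_blocks(blocks)


if __name__ == "__main__":
    drive_a = bytes([0b10011100])
    drive_b = bytes([0b01101100])
    parity = compute_parity([drive_a, drive_b])
    print(f"parity    : {parity[0]:08b}")          # 11110000

    # Lose drive_b: XOR the survivor with parity to get it back.
    recovered = rebuild_lost_drive([drive_a], parity)
    print(f"recovered : {recovered[0]:08b}", recovered == drive_b)

    # Same scheme with four data drives (constructed): any one loss is fine.
    drives = [b"\x01\x02", b"\x10\x20", b"\xaa\x55", b"\x0f\xf0"]
    p = compute_parity(drives)
    for lost in range(len(drives)):
        survivors = drives[:lost] + drives[lost + 1:]
        print(f"drive {lost} rebuilt:", rebuild_lost_drive(survivors, p) == drives[lost])
```

Note what the code cannot do: with two blocks missing there is one equation and two unknowns, which is why RAID 6 stores a second parity that is not just another XOR of the same data.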
XOR in Error Checking

XORing is also the heart of CRC, or cyclic redundancy check, a common technique in computing for detecting whether unintended errors have crept into data. CRC is used for error checking on Ethernet frames, hard drives, mobile phones, and nearly every other kind of data transmission (TCP itself uses a simpler ones' complement checksum). Although the mathematics are beyond the scope of this tutorial, suffice it to say that a CRC is computed as a long division in which every subtraction step is an XOR. Because of that, a CRC is linear: it reliably catches accidental corruption, but an attacker who can change the data can also recompute or patch the CRC, so it is not a substitute for a MAC or a digital signature when tampering is the threat.

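As an added Python example (not from the original article), here is a bit-serial CRC-32 of the kind used for Ethernet frames and by zlib, built from nothing but shifts and XORs and checked against Python's `zlib.crc32`. It also carries two checks: that a single flipped bit always changes the CRC, and that the CRC is linear under XOR, which is exactly the property that lets an attacker patch a CRC after tampering. The sample messages are constructed.

```python
# Added example (not from the original article): CRC-32 (IEEE 802.3 / zlib
# variant) computed one bit at a time, showing that the "division" is just
# a chain of XORs, plus the error-detection and linearity checks.

import zlib

POLY = 0xEDB88320  # reflected form of the CRC-32 polynomial 0x04C11DB7


def crc32(data: bytes) -> int:
    """Bit-serial CRC-32: init 0xFFFFFFFF, reflected, final XOR 0xFFFFFFFF."""
    crc = 0xFFFFFFFF                     # initial register value
    for byte in data:
        crc ^= byte                      # fold the next byte into the register
        for _ in range(8):
            if crc & 1:                  # low bit set: "subtract" the polynomial (XOR)
                crc = (crc >> 1) ^ POLY
            else:
                crc >>= 1
    return crc ^ 0xFFFFFFFF              # final inversion


def matches_zlib(data: bytes) -> bool:
    """Sanity check against the C implementation in zlib."""
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def detects_bit_flip(data: bytes, bit: int) -> bool:
    """A single flipped bit anywhere in the data always changes the CRC."""
    flipped = bytearray(data)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return crc32(bytes(flipped)) != crc32(data)


def crc_is_linear(a: bytes, b: bytes) -> bool:
    """For equal-length inputs: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros).
    This is why a CRC is not an integrity check against an adversary: knowing
    the difference between two messages is enough to fix up the CRC."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    a_xor_b = bytes(x ^ y for x, y in zip(a, b))
    zeros = bytes(len(a))
    return crc32(a_xor_b) == crc32(a) ^ crc32(b) ^ crc32(zeros)


if __name__ == "__main__":
    check = b"123456789"                 # standard CRC check string
    print(f"crc32(check) = {crc32(check):08x}")   # cbf43926
    print("matches zlib :", matches_zlib(check))
    print("flip detected:", detects_bit_flip(check, 13))
    print("linear       :", crc_is_linear(b"GET /index.html", b"GET /admin.html"))
```

The linearity check is the one to remember: the same arithmetic that makes CRCs cheap to compute makes them useless against a deliberate change, so use a keyed MAC or a signature wherever an attacker, not a noisy wire, is the threat.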
I hope this short tutorial on XOR is helpful and enlightening to my novice hackers, as XOR is used throughout IT and hacking. It is especially important in exploit and payload obfuscation to avoid detection by security devices and AV software.
