{"id":50800120,"url":"https://github.com/mirralis/x64-calc-popper-shellcode","last_synced_at":"2026-06-12T19:00:36.547Z","repository":{"id":354717587,"uuid":"1224869108","full_name":"MirraLis/x64-calc-popper-shellcode","owner":"MirraLis","description":"x64 Windows PEB walker in NASM. Resolves exports by hash comparison without importing any APIs. Features a custom salted hash function and XOR-obfuscated payload string.","archived":false,"fork":false,"pushed_at":"2026-04-29T20:04:28.000Z","size":27,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-29T20:04:50.731Z","etag":null,"topics":["apihashing","assembly","calc-popper","obfuscation","pebwalking","shellcode","windows","x64","x86-64"],"latest_commit_sha":null,"homepage":"","language":"Assembly","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MirraLis.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-29T17:59:12.000Z","updated_at":"2026-04-29T20:04:32.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/MirraLis/x64-calc-popper-shellcode","commit_stats":null,"previous_names":["mirralis/x64-calc-popper-shellcode"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/MirraLis/x64-calc-popper-shellcode","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MirraLis%2Fx64-calc-popper-shellcode","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MirraLis%2Fx64-calc-popper-shellcode/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MirraLis%2Fx64-calc-popper-shellcode/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MirraLis%2Fx64-calc-popper-shellcode/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MirraLis","download_url":"https://codeload.github.com/MirraLis/x64-calc-popper-shellcode/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MirraLis%2Fx64-calc-popper-shellcode/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34258372,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apihashing","assembly","calc-popper","obfuscation","pebwalking","shellcode","windows","x64","x86-64"],"created_at":"2026-06-12T19:00:17.584Z","updated_at":"2026-06-12T19:00:36.514Z","avatar_url":"https://github.com/MirraLis.png","language":"Assembly","funding_links":[],"categories":[],"sub_categories":[],"readme":"# x64-calc-popper-shellcode — NASM Shellcode Demo\n\nA position-independent x64 Windows shellcode implementation demonstrating \nPEB walking, custom hash-based API resolution, and XOR string obfuscation.\nWritten in NASM as a learning exercise to understand what happens below \nthe C abstraction layer.\n\n## What it does\n\nResolves `WinExec` from `kernel32.dll` at runtime without using the Windows \nImport Address Table, then executes a XOR-encoded command string.\n\n## Techniques demonstrated\n\n**PEB Walking**  \nTraverses the Process Environment Block's `InMemoryOrderModuleList` to locate \nloaded modules without calling `LoadLibrary` or `GetProcAddress`. Handles the \n`LDR_DATA_TABLE_ENTRY` offset arithmetic manually to recover module base addresses.\n\n**Custom Hash-based API Resolution**  \nInstead of storing plaintext API names, a custom salted hash function identifies \ntarget functions by comparing computed hashes against stored constants. Supports \nboth ASCII and wide string inputs for handling module names (wide) and export \nnames (ASCII).\n\nHash algorithm: `hash = char + (SALT ^ SALT_2 ^ i) + (hash \u003c\u003c 6) + (hash \u003c\u003c 16) - hash`  \nFinal XOR step applied to the result for additional obfuscation.\nIts basically a sdbm derivative.\n\n**XOR String Obfuscation**  \nTarget command string is stored XOR-encoded in the `.text` section and decoded \nat runtime onto the stack, avoiding plaintext strings in the binary.\n\n**PE Export Directory Parsing**  \nManually walks the PE export directory structures (`AddressOfNames`, \n`AddressOfFunctions`, `AddressOfNameOrdinals`) to resolve function addresses \nfrom the export table RVAs.\n\n## Build\n\n## As an executable\n```nasm\nnasm -f win64 calc_peb.nasm -o calc_peb.obj\ngcc calc_peb.obj -o calc_peb.exe -nostartfiles\n```\n\n## As shellcode\n```nasm\nnasm -f bin calc_peb.nasm -o calc_peb.bin\n```\n\nYou can also used the compiled calc_peb.bin in the Releases if you like.\n\n## Notes\n\n- Written as a learning exercise — payload target is calc.exe\n- Hash constants and XOR key are visible in source by design for educational clarity\n\n## Closing Note\nI left my comments in there. They show my thought process while i was making it. I hope it helps in understanding the code if analyse it.\n\nThis binary is for educational security research only. Do not run it on any system you do not own.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmirralis%2Fx64-calc-popper-shellcode","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmirralis%2Fx64-calc-popper-shellcode","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmirralis%2Fx64-calc-popper-shellcode/lists"}