This is simply another technique to obfuscate the payload while simultaneously lowering its entropy. Using the OffsetArrayBuilder program, one can create an array of DWORD values, where each element in this array represents the offset at which a payload byte is located in a dummy file specified by the user. For example, going to offset 0x30A (778 in decimal) in the dummygif.gif file, we find the first byte of our payload (0xFC).
The PoC reads the dummygif.gif file and searches it for bytes matching the payload, saving the index of each match in an array. In the execution implementation, you only need the offset array and the same dummy file.
Instead of storing the payload in your implementation, you store the generated offset array, whose size is sizeof(payload) * sizeof(DWORD), i.e. four times the size of the payload. In addition to this, you need the dummy file used by OffsetArrayBuilder.exe. To solve the latter issue, one can use a built-in Windows file as the dummy file instead of shipping one's own.
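As an added example (Python, not the OffsetArrayBuilder PoC or the page's own code), the script below reproduces the round trip on a constructed payload and dummy buffer: build the offset array, pack it as DWORDs, rebuild the payload by reading the dummy at each offset, and compare byte entropy and size before and after. PAYLOAD, DUMMY and the function names are assumptions; beyond the text, it shows the failure mode when the dummy file lacks a byte value and the numbers behind the "lower entropy, four times the size" trade-off.

```python
import math
import struct
from collections import Counter

# Constructed sample data (not a real payload or GIF): the "payload" holds every
# byte value once (8.0 bits/byte); the dummy buffer is a GIF-like header followed
# by a byte sequence that contains all 256 values.
PAYLOAD = bytes(range(256))
DUMMY = b"GIF89a" + bytes((i * 37) % 256 for i in range(1024))

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def build_offset_array(payload: bytes, dummy: bytes) -> list[int]:
    """One DWORD offset per payload byte (the OffsetArrayBuilder step).

    First occurrence wins; a byte value absent from the dummy cannot be encoded."""
    first_hit = {}
    for idx, b in enumerate(dummy):
        first_hit.setdefault(b, idx)
    offsets = []
    for b in payload:
        if b not in first_hit:
            raise ValueError(f"byte 0x{b:02X} does not occur in the dummy file")
        if first_hit[b] > 0xFFFFFFFF:
            raise ValueError("offset does not fit in a DWORD")
        offsets.append(first_hit[b])
    return offsets

def serialize_offsets(offsets: list[int]) -> bytes:
    """Pack the array as little-endian DWORDs: 4 bytes per payload byte."""
    return struct.pack(f"<{len(offsets)}I", *offsets)

def rebuild_payload(offsets: list[int], dummy: bytes) -> bytes:
    """What the execution stub does: read the byte at each offset of the dummy."""
    return bytes(dummy[o] for o in offsets)

if __name__ == "__main__":
    offs = build_offset_array(PAYLOAD, DUMMY)
    blob = serialize_offsets(offs)
    assert rebuild_payload(offs, DUMMY) == PAYLOAD
    print(f"payload: {len(PAYLOAD)} bytes, {shannon_entropy(PAYLOAD):.2f} bits/byte")
    print(f"offsets: {len(blob)} bytes, {shannon_entropy(blob):.2f} bits/byte")
```

Because a single dummy file yields the same offset for every repeated byte value, the packed array is itself a low-entropy, highly regular blob; that regularity, plus the dependency on a specific on-disk file, is what an analyst can key on.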