NirvanaOn/NOW

GitHub: NirvanaOn/NOW

NØW is a shellcode encoding and obfuscation tool written in C. It converts a raw shellcode byte stream into text that reads like natural English prose, as a form of disguise.

Stars: 37 | Forks: 4

# 📝 NØW
### Natural Output Words
*When shellcode becomes prose.*

![Version](https://img.shields.io/badge/version-2.2-blue) ![Language](https://img.shields.io/badge/language-C-success) ![Platform](https://img.shields.io/badge/platform-Windows-informational) ![Cipher](https://img.shields.io/badge/cipher-RC4%20%7C%20AES--256--CTR-orange) ![Word Pool](https://img.shields.io/badge/word%20pool-256%20Words-purple) ![Output](https://img.shields.io/badge/output-Natural%20Prose-brightgreen) ![Status](https://img.shields.io/badge/status-Active%20Research-red)
![Input](https://img.shields.io/badge/input-Hex%20%7C%20BIN-blue) ![Output Formats](https://img.shields.io/badge/output-TXT%20%7C%20BIN%20%7C%20HEX-yellow) ![Architecture](https://img.shields.io/badge/architecture-x64-lightgrey) ![Compiler](https://img.shields.io/badge/compiler-MSVC-success)

# NØW — Word-Based Shellcode Encoder

## What is NØW?

**NØW** (Natural Output Words) is a C tool that converts raw shellcode bytes into human-readable English text: either a plain list of codewords, or fluent natural prose with sentences and paragraphs. The output looks like ordinary writing rather than a hex dump or a base64 blob.

Each byte value (0x00–0xFF) maps to a unique word generated from a **secret sentence** you supply. A stream cipher (RC4 or AES-256-CTR) shuffles the byte-to-word mapping according to a **password**. Without both the sentence and the password, the encoded text is just meaningless noise.
## How it works

```
Shellcode bytes
      │
      ▼
Stream cipher (RC4 or AES-256-CTR) shuffles byte→word table
      │
      ▼
Each byte → one codeword from your secret sentence (padded to 256 unique words)
      │
      ▼
Optional: wrap in natural prose with connectors, punctuation, paragraph breaks
      │
      ▼
Output text file (looks like an essay or paragraph)
```

Decryption is the reverse of this process: it reads the text, strips punctuation and connector words, and maps each codeword back to its byte value.

## Example 1

In the image above, we encrypted a piece of shellcode with the **NØW word-based shellcode tool**. The raw shellcode is first encrypted with the chosen stream cipher (here **RC4**) and the password **"nirvana"**. After encryption, every encrypted byte is mapped to a word from the predefined word pool, producing natural-looking text instead of obvious shellcode bytes.

The resulting output appears as ordinary prose containing words such as *hope*, *bottle*, *spiral*, *fog*, *ink* and *snow*. The text does not, however, read as a meaningful paragraph: each word stands for one encrypted byte value, and the sequence of words carries the encrypted shellcode data.

During decryption the tool performs the reverse:

1. Convert the words back to their byte values.
2. Rebuild the encrypted shellcode byte stream.
3. Decrypt the data with the same password and stream cipher settings (**RC4**).
4. Recover the original pre-encryption shellcode exactly.

This technique turns shellcode into human-readable text, so the payload looks less suspicious than a raw hex byte array, while still allowing the original shellcode to be rebuilt when the correct password and cipher settings are supplied.

### Encrypted text

```
Probably, laughed hope polishing, how most perhaps sleep would bottle, additionally, somewhere bottle, immediately bottle me spiral me time fog. Immediately, spiral animal certainly hope all by, previously do elsewhere hope perhaps ink fog, also hope ink, consequently fog? Door hope ink, meanwhile fog equally snow hope ink, recently room time hope get then immediately house, importantly house. Written all window hope all would, eventually vanished fire notably one he, elsewhere than? Accordingly, roof snow me waves window, somewhere into me obviously now waves great, particularly ago fog. Nonetheless, me spiral hope ink, regardless fog snow consequently ink shore, fire moreover hope now birds, indirectly ink. Probably, peace floor bottle, everywhere bottle, everywhere bottle hope never would earth, white hope. Now birds time, ink hope door black, ink faded consequently snow. About now birds moon animal, hope us window however me, currently ink similarly leaving floor. Regardless, hope now map written all window, hope all would vanished me waves?
Probably, window into me furthermore now waves calm, there bucket basically horse ceiling star ceiling, dying. Furthermore, which evening pig because, bucket even word black ink! Additionally, faded dying about now, however birds specifically used me, ink revolver hope, black ink originally faded, equally see. About now consequently birds certainly me ink two, floor particularly hope obviously now birds me. Word me word, my packed bag, me word me otherwise packed me, bag hope. Polishing father snow, me fog us, there word me packed, immediately bag hope everywhere ink. Particularly, happy flower your, us, equally us, likewise us partly years about meanwhile fresh make, indirectly cat therefore just. Namely, not we just bottle, chiefly bottle me animal, about subsequently stone moreover to hope fish? Basically, father dawn nevertheless now, bottle, although bottle about stone prank, about but than, regardless bottle? Now home would lighthouse, immediately now go namely me until, similarly about indirectly stone. Additionally, how ceiling stone horse, additionally me they ceiling make, its. Equally, fear us yellow chiefly ceiling stone a, old eventually now notably, whereas now eventually bottle, mainly bottle packed me. They mouse originally peace for, bottle us yellow, time, furthermore time written nowhere all window, written likewise all! Would hope us would hope stone, her hope. Us would hope stone, alternatively waves me probably they moreover a, consequently get want there us, particularly yellow hope. Stone every currently something, notably or me word ceiling stone, great however hope stone, human me they indirectly angry. Prayer earth mostly one, nevertheless us yellow accordingly hope fish, staircase equally faded than bottle, obviously bottle about thinking leather? Buried bird bottle, chiefly bottle mainly, accordingly bottle, partly bottle, anywhere bottle moreover me perhaps time, me. 
Time hope certainly stone, somewhere great your whereas, obviously your, originally your written all would. Something into packed me, time great partly laughed, regardless used every black, nonetheless dying until moreover now, somewhere now hope. Another black dying, similarly door previously stopped additionally bottle old, indeed hope stone. To animal time me time, particularly me time me. Time about originally us, particularly would me time about, everywhere us dream meanwhile written initially stone, eventually waves ceiling meanwhile stone. Waves me they, chiefly sea whereas rocky washed leaf us, somewhere yellow hope. Mainly, all by hope us, containing ink dog, otherwise me they which. Rolled duck also, chiefly us yellow home most constant, war animal me, they found. Long who what us yellow, hope polishing nowhere staircase? Look fire wall, indirectly he garden peace, differently waters there additionally bucket coming. Nevertheless, home ice notably have whereas room, sky something bottle packed, me stone cloud us. Importantly, yellow. 
```

#### Decrypting the words back to shellcode

The encrypted text is supplied to the tool together with the correct password (nirvana) and stream cipher (RC4). The tool strips punctuation and formatting, converts each word back to its byte value, rebuilds the encrypted byte stream, and decrypts it to recover the original shellcode.

Process: Shellcode → encrypted bytes → words → words → encrypted bytes → original shellcode

**Note**: the password and the cipher must match the values used during encryption. Any mismatch results in incorrect or failed decryption.

## Features

- **256-word codebook** built from any sentence you supply, automatically padded with common English words
- **Two stream ciphers** for byte-to-word shuffling:
  - `RC4` — cross-platform, compatible with RC4ENC/RC4DEC
  - `AES-256-CTR` — Windows only (via CryptoAPI), compatible with AESENC/AESDEC
- **Four output styles:**

| Level | Description |
|-------|-------------|
| 0 — Plain | Raw word list, no punctuation |
| 1 — Light prose | Longer sentences, minimal filler |
| 2 — Medium prose | Balanced paragraphs (default) |
| 3 — Heavy prose | Frequent connectors and paragraph breaks |

- **Round-trip self-check** — automatically verifies that encode→decode yields byte-identical output before saving
- **Multiple input formats** — paste hex bytes directly or load a `.bin` file
- **Multiple output formats on decrypt** — saved as `.bin`, `.c` (C array) and `.hex`
- **Optional shellcode execution** (Windows only) — runs the decoded shellcode in memory via `VirtualAlloc` + `CreateThread`

## Project structure

```
├── main.c            # Entry point, main menu loop
├── menu.c / menu.h   # Interactive CLI actions (encrypt, decrypt, help)
├── encrypt.c / .h    # Shellcode → word encoding (plain + natural prose)
├── decrypt.c / .h    # Word text → shellcode decoding
├── word_mapping.c/.h # Builds the 256-word codebook and byte↔word lookup tables
├── rc4.c / .h        # RC4 stream cipher implementation
├── io.c / .h         # File I/O, hex parsing, multi-line input
├── platform.c / .h   # Platform-specific shellcode execution (Windows)
├── util.c / .h       # String helpers (trim, clean tokens, etc.)
└── common.h          # Shared constants, macros, and type definitions
```

## Build

1. Open the project in **Visual Studio 2022**.
2. Add all `.c` and `.h` files to the project.
3. Select **x64** and **Release**.
4. Build the solution (`Ctrl + Shift + B`).

**Requirements:**
- Visual Studio 2022
- Windows SDK

## Usage

Run the binary and follow the interactive menu:

```
NØW v2.2 - Word-Based Shellcode Tool
RC4 or AES stream | Natural prose output

Main menu:
1. Encrypt shellcode -> words
2. Decrypt words -> shellcode
3. Help
4. Exit
```

### Encrypt

1. Choose **option 1**
2. Enter your **secret sentence** (any phrase; more unique words = a better codebook)
3. Enter the **password** (at least 4 characters)
4. Choose the stream cipher (`RC4` or `AES-256-CTR`)
5. Choose the output style (0 = plain, 1–3 = natural prose)
6. Paste the shellcode as **hex bytes** or load a `.bin` file
7. The output is saved to a `.txt` file

### Decrypt

1. Choose **option 2**
2. Enter the **same secret sentence and password** used for encryption
3. Choose the **same stream cipher**
4. Paste the encoded text or load the file
5. The output is saved as `.bin`, `.c` and `.hex`

## Security notes

- The security of the encoding depends entirely on keeping the **sentence and password secret**
- The word codebook is deterministic: the same sentence + password + cipher always produces the same mapping
- This tool is intended only for **security research, CTF challenges and red-team payload obfuscation**
- Shellcode execution (`platform.c`) is Windows-only and requires explicit user confirmation at runtime

Medium: https://medium.com/@0xnirsec
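A defensive counterpart to the encoding described above, added here as an example and not part of the NØW project: a triage heuristic that scores a text file for the statistical fingerprint this kind of word encoding leaves behind. The README explains that every byte becomes one codeword and that prose mode pads the stream with connector words and punctuation; ordinary English, by contrast, is dominated by a handful of function words ("the", "of", "and", ...) that a codeword stream almost never contains. The function-word list and the thresholds are assumptions chosen for illustration; the encoded sample is an excerpt of the README's own example output, and the control paragraph is constructed.

```python
"""Triage heuristic for text that may be a NØW-style word-encoded byte stream.

Added example, not part of the NØW project. The signal used is the near
absence of common English function words (codebook words are mostly nouns,
and prose padding is mostly adverbs) plus the density of "-ly" connectors.
"""
import re
from collections import Counter

# Twenty very common English function words (assumption: any similar list works).
FUNCTION_WORDS = frozenset(
    "the of and to a in is it that was for on with as at this be are from or".split()
)

# Excerpt of the README's own example output (RC4, password "nirvana").
SAMPLE_ENCODED = (
    "Probably, laughed hope polishing, how most perhaps sleep would bottle, "
    "additionally, somewhere bottle, immediately bottle me spiral me time fog. "
    "Immediately, spiral animal certainly hope all by, previously do elsewhere "
    "hope perhaps ink fog, also hope ink, consequently fog? Door hope ink, "
    "meanwhile fog equally snow hope ink, recently room time hope get then "
    "immediately house, importantly house. Written all window hope all would, "
    "eventually vanished fire notably one he, elsewhere than? Accordingly, roof "
    "snow me waves window, somewhere into me obviously now waves great, "
    "particularly ago fog. Nonetheless, me spiral hope ink, regardless fog snow "
    "consequently ink shore, fire moreover hope now birds, indirectly ink. "
    "Probably, peace floor bottle, everywhere bottle, everywhere bottle hope "
    "never would earth, white hope. Now birds time, ink hope door black, ink "
    "faded consequently snow. About now birds moon animal, hope us window "
    "however me, currently ink similarly leaving floor. Regardless, hope now map "
    "written all window, hope all would vanished me waves?"
)

# Constructed ordinary-English control text for comparison.
SAMPLE_PROSE = (
    "The incident response team reviewed the logs from the web server and found "
    "that a single account had logged in from two countries within an hour. The "
    "analyst opened a ticket, preserved the relevant records, and asked the "
    "identity team to reset the password for the account. In the meantime, the "
    "firewall rules were updated so that traffic from the suspicious address was "
    "blocked at the edge of the network. A summary of the findings was sent to "
    "the on-call manager before the end of the shift."
)


def tokenize(text):
    """Lower-case alphabetic tokens; punctuation is dropped, as the decoder does."""
    return re.findall(r"[a-z']+", text.lower())


def text_metrics(text):
    """Compute the per-text statistics the triage decision is based on."""
    tokens = tokenize(text)
    counts = Counter(tokens)
    total = len(tokens) or 1  # avoid division by zero on empty input
    function_hits = sum(counts[w] for w in FUNCTION_WORDS)
    connectors = sum(1 for t in tokens if len(t) > 4 and t.endswith("ly"))
    top_word, top_count = counts.most_common(1)[0] if counts else ("", 0)
    return {
        "tokens": len(tokens),
        "types": len(counts),            # a level-0 stream never exceeds 256 types
        "function_word_ratio": function_hits / total,
        "connector_ratio": connectors / total,
        "top_word": top_word,
        "top_word_ratio": top_count / total,
    }


def assess(text, min_tokens=60):
    """Return (suspicious, metrics, reasons). Short texts are never flagged."""
    m = text_metrics(text)
    reasons = []
    if m["tokens"] < min_tokens:
        return False, m, [f"only {m['tokens']} tokens; below triage minimum"]
    if m["function_word_ratio"] < 0.05:
        reasons.append(
            f"function-word ratio {m['function_word_ratio']:.3f} is far below "
            "ordinary English (roughly 0.25 or more)")
    if m["connector_ratio"] > 0.08:
        reasons.append(
            f"connector-adverb ratio {m['connector_ratio']:.3f} suggests prose-mode padding")
    # The function-word gap is the primary signal; connectors only corroborate it.
    return m["function_word_ratio"] < 0.05, m, reasons


if __name__ == "__main__":
    for label, sample in (("encoded", SAMPLE_ENCODED), ("prose", SAMPLE_PROSE)):
        flagged, metrics, why = assess(sample)
        print(f"{label}: suspicious={flagged} tokens={metrics['tokens']} "
              f"types={metrics['types']} top={metrics['top_word']!r}")
        for line in why:
            print("  -", line)
```

Run it against any `.txt` produced by the tool, or feed `assess()` a file's contents from a mail or web gateway pipeline. The heuristic is deliberately coarse: it will not decode anything (that needs the sentence and password), but it separates codeword streams from real prose on the readily available English statistics, which is the property an analyst wants when triaging text blobs at scale.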
Tags: DNS reverse lookup, Shellcode, code obfuscation, security awareness training, client-side encryption, technical research