Sub-Encoding

Let’s use the EAX register to perform all the stack placements and calculations.

1) We start by zero’ing out EAX
AND EAX, 554E4D4A
ADD EAX, 2A313235

-	How does this work? Take the values and convert them to binary. Add them together they all turn to 0000000000….


2) Now, we need to locate our position in the stack.
  -	This will hold the address of ESP in EAX. This will allow us to make relative memory calculations for expanding our encoded payload.
    o	Push ESP onto the stack.  (PUSH ESP)
    o	POP it back into EAX      (POP EAX)

3) We now want to get the stack aligned with the position of where we want to decode our shellcode.
  -	Estimate where our encoded shellcode ends, this can be kept for last.
      o	In this case, we know that our encoded shellcode will take up around 253 bytes.
      o	ALSO remember, give a few extra bytes for safety.

Where is ESP now?                 (A)
Where do you want ESP to be?      (B) (Where you want your carved normal shellcode to END)
Subtract (A) - (B).
Take the resuld and subencode it.
SUB EAX, 
SUB EAX,
SUB EAX,

Now, move the stack pointer to that address as we start carving out our shellcode in memory and placing it on thestack.
-	Push the value of eax on the stack.   (PUSH EAX)
-	Pop it back into ESP.                 (POP ESP)



Now we are free to write our decoding shellcode. 
Take the original 32 byte egghunter shellcode and break it down to 8 sets of 4 bytes.
Carve these bytes into the EAX register and push them onto the stack.

Remember, down to up! The first 4 bytes we will right will be the last 4 bytes of the egghunter shellcode. (x75\xe7\xff\xe7)
We need to put these bytes into a register (we will use EAX), then push them onto the stack.

Proceed to do this with each line until the shellcode is fully formed on the stack.

ZERO out eax, subtract the following values from it. Then push the value that is stored in EAX onto the stack.

AND EAX,
AND EAX,
SUB EAX,
SUB EAX,
SUB EAX,
PUSH EAX