NOP equivalent instructions used by snort

NOP Equivalent opcodes for shellcodes – Canonical List

Used by snort:spp_fnord.c nop sled detector – www.snort.org
v1.0 – 2002 Feb 26

Arch  Code (hex, 00=wild)       Opcode
—-  —————–         ———————
HPPA   08 21 02 9a               xor %r1,%r1,%r26
HPPA   08 41 02 83               xor %r1,%r2,%r3
HPPA   08 a4 02 46               or  %r4,%r5,%r6
HPPA   09 04 06 8f               shladd %r4,2,%r8,%r15
HPPA   09 09 04 07               sub %r9,%r8,%r7
HPPA   09 6a 02 8c               xor %r10,%r11,%12
HPPA   09 cd 06 0f               add %r13,%r14,%r15
Sprc   20 bf bf 00               bn -random
IA32   27                        daa                           ‘
IA32   2f                        das                           /
IA32   33 c0                     xor %eax,%eax
IA32   37                        aaa                           7
IA32   3f                        aas                           ?
IA32   40                        inc %eax                      @
IA32   41                        inc %ecx                      A
IA32   42                        inc %edx                      B
IA32   43                        inc %ebx                      C
IA32   44                        inc %esp                      D
IA32   45                        inc %ebp                      E
IA32   46                        inc %esi                      F
IA32   47                        inc %edi                      G
IA32   48                        dec %eax,                     H
IA32   4a                        dec %edx                      J
IA32   4b                        dec %ebx                      K
IA32   4c                        dec %esp                      L
IA32   4d                        dec %ebp,                     M
IA32   4e                        dec %esi                      N
IA32   4f                        dec %edi                      O
IA32   50                        push %eax                     P
IA32   51                        push %ecx                     Q
IA32   52                        push %edx                     R
IA32   53                        push %ebx                     S
IA32   54                        push %dsp                     T
IA32   55                        push %ebp                     U
IA32   56                        push %esi                     V
IA32   57                        push %edi                     W
IA32   58                        pop %eax                      X
IA32   59                        pop %ecx                      Y
IA32   5a                        pop %edx                      Z
IA32   5b                        pop %ebx                      [
IA32   5d                        pop %ebp                      ]
IA32   5e                        pop %esi                      ^
IA32   5f                        pop %edi                      _
IA32   60                        pusha                         `
IA32   6b c0 00                  imul N,%eax
Sprc   81 d0 20 00               tn random
IA32   83 e0 00                  and N,%eax
IA32   83 c8 00                  or  N,%eax
IA32   83 e8 00                  sub N,%eax
IA32   83 f0 00                  xor N,%eax
IA32   83 f8 00                  cmp N,%eax
IA32   83 f9 00                  cmp N,%ecx
IA32   83 fa 00                  cmp N,%edx
IA32   83 fb 00                  cmp N,%ebx
IA32   83 c0 00                  add N,%eax
IA32   85 c0                     test %eax,%eax
IA32   87 d2                     xchg %edx,%edx
IA32   87 db                     xchg %ebx,%ebx
IA32   87 c9                     xchg %ecx,%ecx
Sprc   89 a5 08 22               fadds %f20,%f2,%f4
IA32   8c c0                     m

NOP Equivalent opcodes for shellcodes – Canonical List

Used by snort:spp_fnord.c nop sled detector – www.snort.org
v1.0 – 2002 Feb 26

Arch  Code (hex, 00=wild)       Opcode
—-  —————–         ———————
HPPA   08 21 02 9a               xor %r1,%r1,%r26
HPPA   08 41 02 83               xor %r1,%r2,%r3
HPPA   08 a4 02 46               or  %r4,%r5,%r6
HPPA   09 04 06 8f               shladd %r4,2,%r8,%r15
HPPA   09 09 04 07               sub %r9,%r8,%r7
HPPA   09 6a 02 8c               xor %r10,%r11,%12
HPPA   09 cd 06 0f               add %r13,%r14,%r15
Sprc   20 bf bf 00               bn -random
IA32   27                        daa                           ‘
IA32   2f                        das                           /
IA32   33 c0                     xor %eax,%eax
IA32   37                        aaa                           7
IA32   3f                        aas                           ?
IA32   40                        inc %eax                      @
IA32   41                        inc %ecx                      A
IA32   42                        inc %edx                      B
IA32   43                        inc %ebx                      C
IA32   44                        inc %esp                      D
IA32   45                        inc %ebp                      E
IA32   46                        inc %esi                      F
IA32   47                        inc %edi                      G
IA32   48                        dec %eax,                     H
IA32   4a                        dec %edx                      J
IA32   4b                        dec %ebx                      K
IA32   4c                        dec %esp                      L
IA32   4d                        dec %ebp,                     M
IA32   4e                        dec %esi                      N
IA32   4f                        dec %edi                      O
IA32   50                        push %eax                     P
IA32   51                        push %ecx                     Q
IA32   52                        push %edx                     R
IA32   53                        push %ebx                     S
IA32   54                        push %dsp                     T
IA32   55                        push %ebp                     U
IA32   56                        push %esi                     V
IA32   57                        push %edi                     W
IA32   58                        pop %eax                      X
IA32   59                        pop %ecx                      Y
IA32   5a                        pop %edx                      Z
IA32   5b                        pop %ebx                      [
IA32   5d                        pop %ebp                      ]
IA32   5e                        pop %esi                      ^
IA32   5f                        pop %edi                      _
IA32   60                        pusha                         `
IA32   6b c0 00                  imul N,%eax
Sprc   81 d0 20 00               tn random
IA32   83 e0 00                  and N,%eax
IA32   83 c8 00                  or  N,%eax
IA32   83 e8 00                  sub N,%eax
IA32   83 f0 00                  xor N,%eax
IA32   83 f8 00                  cmp N,%eax
IA32   83 f9 00                  cmp N,%ecx
IA32   83 fa 00                  cmp N,%edx
IA32   83 fb 00                  cmp N,%ebx
IA32   83 c0 00                  add N,%eax
IA32   85 c0                     test %eax,%eax
IA32   87 d2                     xchg %edx,%edx
IA32   87 db                     xchg %ebx,%ebx
IA32   87 c9                     xchg %ecx,%ecx
Sprc   89 a5 08 22               fadds %f20,%f2,%f4
IA32   8c c0                     mov %es,%eax
IA32   8c e0                     mov %fs,%eax
IA32   8c e8                     mov %gs,%eax
IA32   90                        regular NOP
IA32   91                        xchg %eax,%ecx
IA32   92                        xchg %eax,%edx
IA32   93                        xchg %eax,%ebx
HPPA   94 6c e0 84               subi,OD  42,%r3,%r12
IA32   95                        xchg %eax,%ebp
IA32   96                        xchg %eax,%esi
Sprc   96 23 60 00               sub %o5, 42,%o3
Sprc   96 24 80 12               sub %l2,%l2,%o3
IA32   97                        xchg %eax,%edi
IA32   98                        cwtl
Sprc   98 3e 80 12               xnor %i2,%l2,%o4
IA32   99                        cltd
IA32   9b                        fwait
IA32   9c                        pushf
IA32   9e                        safh
IA32   9f                        lahf
Sprc   a0 26 e0 00               sub %i3, 42,%l0
Sprc   a2 03 40 12               add %o5,%l2,%l1
Sprc   a2 0e 80 13               and %i2,%l3,%l1
Sprc   a2 1a 40 0a               xor %o1,%o2,%l1
Sprc   a2 1c 80 12               xor %l2,%l2,%l1
Sprc   a4 04 e0 00               add %l3, 42,%l2
Sprc   a4 27 40 12               sub %i5,%l2,%l2
Sprc   a4 32 a0 00               orn %o2, 42,%l2
IA32   b0 00                     mov N,%eax
Sprc   b2 03 60 00               add %o5, 42,%i1
Sprc   b2 26 80 19               sub %i2,%i1,%i1
HPPA   b5 03 e0 00               addi,OD  42,%r8,%r3
HPPA   b5 4b e0 00               addi,OD  42,%r10,%r11
Sprc   b6 06 40 1a               add %i1,%i2,%i3
Sprc   b6 16 40 1a               or  %i1,%i2,%i3
Sprc   b6 04 80 12               add %l2,%l2,%i3
Sprc   b6 03 60 00               add %o5, 42,%i3
Sprc   ba 56 a0 00               umul %i2, 42,%i5
IA32   c1 c0 00                  rol N,%eax
IA32   c1 c8 00                  ror N,%eax
IA32   c1 e8 00                  shr N,%eax
HPPA   d0 e8 0a e9               shrpw %r8,%r7,8,%r9
IA32   f5                        cmc
IA32   f7 d0                     not %eax
IA32   f8                        clc
IA32   f9                        stc
IA32   fc                        cld
ov %es,%eax
IA32   8c e0                     mov %fs,%eax
IA32   8c e8                     mov %gs,%eax
IA32   90                        regular NOP
IA32   91                        xchg %eax,%ecx
IA32   92                        xchg %eax,%edx
IA32   93                        xchg %eax,%ebx
HPPA   94 6c e0 84               subi,OD  42,%r3,%r12
IA32   95                        xchg %eax,%ebp
IA32   96                        xchg %eax,%esi
Sprc   96 23 60 00               sub %o5, 42,%o3
Sprc   96 24 80 12               sub %l2,%l2,%o3
IA32   97                        xchg %eax,%edi
IA32   98                        cwtl
Sprc   98 3e 80 12               xnor %i2,%l2,%o4
IA32   99                        cltd
IA32   9b                        fwait
IA32   9c                        pushf
IA32   9e                        safh
IA32   9f                        lahf
Sprc   a0 26 e0 00               sub %i3, 42,%l0
Sprc   a2 03 40 12               add %o5,%l2,%l1
Sprc   a2 0e 80 13               and %i2,%l3,%l1
Sprc   a2 1a 40 0a               xor %o1,%o2,%l1
Sprc   a2 1c 80 12               xor %l2,%l2,%l1
Sprc   a4 04 e0 00               add %l3, 42,%l2
Sprc   a4 27 40 12               sub %i5,%l2,%l2
Sprc   a4 32 a0 00               orn %o2, 42,%l2
IA32   b0 00                     mov N,%eax
Sprc   b2 03 60 00               add %o5, 42,%i1
Sprc   b2 26 80 19               sub %i2,%i1,%i1
HPPA   b5 03 e0 00               addi,OD  42,%r8,%r3
HPPA   b5 4b e0 00               addi,OD  42,%r10,%r11
Sprc   b6 06 40 1a               add %i1,%i2,%i3
Sprc   b6 16 40 1a               or  %i1,%i2,%i3
Sprc   b6 04 80 12               add %l2,%l2,%i3
Sprc   b6 03 60 00               add %o5, 42,%i3
Sprc   ba 56 a0 00               umul %i2, 42,%i5
IA32   c1 c0 00                  rol N,%eax
IA32   c1 c8 00                  ror N,%eax
IA32   c1 e8 00                  shr N,%eax
HPPA   d0 e8 0a e9               shrpw %r8,%r7,8,%r9
IA32   f5                        cmc
IA32   f7 d0                     not %eax
IA32   f8                        clc
IA32   f9                        stc
IA32   fc                        cld

Leave a Reply