We'll this is going to be a very short blog post. magic_mz_x86 and magic_mz_x64 are two malleable profile values one can set in since cobalt strike 2.4.3 . I haven't seen anyone talk about it and what are the possible values. I have searched internet to find anyone using different set of values. No one has ever published this. So here, I'll publish some details about it.
magic_mz_x86 and magic_mz_x64 malleable options are available in "Stage" block of Cobaltstrike malleable profile. They are responsible to change the MZ PE header in the shellcode you generate from CobaltStrike (staged or stageless). There is basic information provided on cobaltstrike blog post on how to change these values. One can change these values by providing a set of 2 (for x64) or 4(for x86) assembly instructions. The condition for the assembly instructions is that the resultant should be a no operation. For eg
inc eaxdec eax
Above instructions combined together result in a no operation
Default values as provided in the blog from cobalt strike are as follows
To change these values here is a generic approach
For x86 we have to write 4 instructions (resulting to NOP) to fill up MZRE space. You can use any 4 x86 instructions which can fill 4 byte space and result in a resultant NO-OPERATION . This is how MZRE is created
bits 32section .textglobal _start_start:dec abppop edxpush edxinc ebp
So if you'll compile the above asm, and do a hexdump of this you'll see MZRE.
now to modify, change these 4 instructions to any instructions of 4 byte total length. For example
bits 32section .textglobal _start_start:dec eaxinc eaxdec ebxinc ebx
As mentioned above , now you can change magic_mz_x86 to "[email protected]"
Similarly, for x64, now you need two instructions to fill up the 4 byte space. You can use something
bits 64section .textglobal _start_start:pop r9push r9
Compiling the same will result as following
Now AYAQ can be used as a value in magic_mz_x64
The difference is actually seen when you dump the stageless raw shellcode . You can see you MZ header change which helps evade EDR
With Default profile as below
Following is the dump of stageless payload
Now if we change profile values to custom values you can see the difference
Thanks to @vysecurity for guidance and motivation