# magic\_mz\_x86 and magic\_mz\_x64

### Background

Well, this is going to be a very short blog post. magic\_mz\_x86 and magic\_mz\_x64 are two Malleable C2 profile values that one has been able to set since Cobalt Strike 2.4.3. I haven't seen anyone talk about them or about what the possible values are. I have searched the internet for anyone using a different set of values, and no one has ever published this, so here I'll publish some details about it.

### Why Change these values?

The magic\_mz\_x86 and magic\_mz\_x64 options live in the "stage" block of a Cobalt Strike Malleable C2 profile. They change the MZ header bytes at the start of the shellcode you generate from Cobalt Strike (staged or stageless). The Cobalt Strike blog post gives basic information on how to change these values: you supply a value that encodes a set of 2 (for x64) or 4 (for x86) assembly instructions, under the condition that the instructions together amount to a no-operation. For example:

```
inc eax    ; 0x40
dec eax    ; 0x48
```

The two instructions above, taken together, result in a no-operation.

### How to change values?

The default values, as given in the Cobalt Strike blog post, are as follows:

![https://www.cobaltstrike.com/help-malleable-postex](/files/-MhSOPFc38WaQa6HQB80)

To change these values, here is a generic approach.

#### For x86 - magic\_mz\_x86

For x86 we have to write 4 single-byte instructions (whose net effect is a NOP) to fill the 4-byte MZRE space. You can use any 4 x86 instructions that occupy 4 bytes in total and together amount to a no-operation. This is how the default MZRE is produced:

{% tabs %}
{% tab title="x86-orig.asm" %}

```
bits 32
section .text
global _start
_start:
    dec ebp    ; 0x4D  'M'
    pop edx    ; 0x5A  'Z'
    push edx   ; 0x52  'R'
    inc ebp    ; 0x45  'E'
```

{% endtab %}
{% endtabs %}

If you assemble the above and hexdump the output, you'll see MZRE.

![](/files/-Mhg5Ia8aFTSqM47zuSZ)

Now, to modify it, change these 4 instructions to any instructions with a total length of 4 bytes. For example:

{% tabs %}
{% tab title="x86-modif.asm" %}

```
bits 32
section .text
global _start
_start:
    dec eax    ; 0x48  'H'
    inc eax    ; 0x40  '@'
    dec ebx    ; 0x4B  'K'
    inc ebx    ; 0x43  'C'
```

{% endtab %}
{% endtabs %}

![](/files/-Mhg62Mv_1Jinlbdf2Im)

As mentioned above, you can now set magic\_mz\_x86 to "H\@KC".

#### For x64 - magic\_mz\_x64

Similarly, for x64 you need two instructions to fill the 4-byte space. You can use something like:

{% tabs %}
{% tab title="x64-modif.asm" %}

```
bits 64
section .text
global _start
_start:
    pop r9     ; 41 59  'AY' (REX.B prefix selects r9)
    push r9    ; 41 51  'AQ'
```

{% endtab %}
{% endtabs %}

Assembling this results in the following:

![](/files/-Mhg7edySlbxKWtue6j5)

Now AYAQ can be used as the value of magic\_mz\_x64.

### What is the actual difference now

The difference is actually visible when you dump the stageless raw shellcode: you can see the MZ header change, which helps evade EDR.
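As an added example that is not part of the original post (and not Cobalt Strike's own code), here is a small triage script a defender can run over the header of a raw payload. It decodes the first four bytes as the single-byte inc/dec/push/pop forms used above and symbolically checks whether they are net-neutral, which is exactly the property the MZRE, H@KC and AYAQ values share; a blob whose header is not "MZ" but still passes that check deserves a closer look. All function names and verdict strings are my own, and the sample blobs at the bottom are constructed.

```python
"""Triage helper (example code, not from the original post or Cobalt Strike).
Decodes the first four bytes of a blob as single-byte x86 / x64 inc, dec,
push and pop instructions and checks symbolically whether the sequence is
net-neutral, the property a magic_mz_x86 / magic_mz_x64 value must have."""

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def decode_x86(data):
    """32-bit mode: 0x40-0x4F are one-byte inc/dec r32, 0x50-0x5F push/pop r32."""
    ops = []
    for b in data:
        if 0x40 <= b <= 0x47:
            ops.append(("inc", REGS32[b - 0x40]))
        elif 0x48 <= b <= 0x4F:
            ops.append(("dec", REGS32[b - 0x48]))
        elif 0x50 <= b <= 0x57:
            ops.append(("push", REGS32[b - 0x50]))
        elif 0x58 <= b <= 0x5F:
            ops.append(("pop", REGS32[b - 0x58]))
        else:
            return None  # anything else is not one of the single-byte forms
    return ops


def decode_x64(data):
    """64-bit mode: 0x40-0x4F are REX prefixes (so there is no one-byte inc/dec);
    push/pop take an optional REX whose B bit selects r8-r15, e.g. 41 59 = pop r9."""
    ops, i = [], 0
    while i < len(data):
        b, high = data[i], 0
        if 0x40 <= b <= 0x4F:
            high = (b & 1) * 8
            i += 1
            if i >= len(data):
                return None  # dangling REX prefix
            b = data[i]
        if 0x50 <= b <= 0x57:
            ops.append(("push", REGS64[b - 0x50 + high]))
        elif 0x58 <= b <= 0x5F:
            ops.append(("pop", REGS64[b - 0x58 + high]))
        else:
            return None
        i += 1
    return ops


def simulate(ops):
    """Symbolic run. A value is (kind, ident, delta): ("reg", r, k) is the entry
    value of register r plus k; ("slot", i, k) is the entry contents of stack
    slot i (0 = entry top of stack, positive = above it) plus k."""
    regs, mem, depth = {}, {}, 0
    for op, r in ops:
        if op in ("inc", "dec"):
            kind, ident, k = regs.get(r, ("reg", r, 0))
            regs[r] = (kind, ident, k + (1 if op == "inc" else -1))
        elif op == "push":
            depth -= 1
            mem[depth] = regs.get(r, ("reg", r, 0))
        else:  # pop
            regs[r] = mem.get(depth, ("slot", depth, 0))
            depth += 1
    return regs, mem, depth


def classify(head, arch):
    """Verdict for a 4-byte header decoded as x86 or x64 code."""
    ops = (decode_x86 if arch == "x86" else decode_x64)(bytes(head))
    if ops is None:
        return "not-a-nop-sequence"
    regs, mem, depth = simulate(ops)
    if depth != 0:
        return "unbalanced-stack"
    # Slots at or above the entry top must be restored; writes below it land in
    # unused stack space and are treated as harmless scratch.
    if any(v != ("slot", i, 0) for i, v in mem.items() if i >= 0):
        return "stack-modified"
    clobbered = sorted(r for r, v in regs.items() if v != ("reg", r, 0))
    if not clobbered:
        return "strict-nop"
    # pop/push pairs (the default MZRE and AYAQ) leave a copy of the stack top in
    # a register; the post treats that as a NOP, so report it separately.
    if all(regs[r][0] == "slot" and regs[r][2] == 0 for r in clobbered):
        return "nop-clobbers:" + ",".join(clobbered)
    return "not-a-nop-sequence"


def triage(blob):
    """Check the first four bytes of a blob as both an x86 and an x64 header."""
    return {arch: classify(blob[:4], arch) for arch in ("x86", "x64")}


if __name__ == "__main__":
    # Constructed samples: the post's default and custom values plus an ordinary PE header.
    for name, blob in [("default x86", b"MZRE"), ("custom x86", b"H@KC"),
                       ("custom x64", b"AYAQ"), ("normal PE", b"MZ\x90\x00")]:
        print(name, triage(blob))
```

Note that the default MZRE and AYAQ are only loosely NOPs: the pop/push pair leaves a copy of the stack top in edx or r9, which is why the script reports them as nop-clobbers rather than strict-nop. An ordinary PE header ("MZ" followed by 0x90 0x00) fails the decode outright, so the check does not fire on legitimate executables, while a header of four bytes that all decode to balanced inc/dec/push/pop is rare enough in benign data to be worth a second look.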

With the **default** profile, as below:

![Profile with default magic\_mz values](/files/-Mhg8uPYs69XMUeyCIjy)

The following is the dump of the stageless payload:

![Exporting Raw shellcode of unmodified profile](/files/-Mhg9j7cYFSczQYdYo1O)

![Hexdump of default stageless x86 shellcode](/files/-MhgB5vx2ThlZuJhxB0b)

![Hexdump of default stageless x64 shellcode](/files/-MhgBnug2YLtIcySq6fI)

**Now, if we change the profile values to custom values, you can see the difference:**

![Changing default values of magic\_mz](/files/-MhgCSuEHwezsmQZj7V8)

![Exporting Raw Shellcode after modifying the profile](/files/-MhgCpgoxxvYofai8sEd)

![Hexdump of modified stageless x64 shellcode](/files/-MhgDDsN3v_83CDTMmdq)

![Hexdump of modified stageless x86 shellcode](/files/-MhgDU6tCM7c5FXUKjGt)

### Thanks

Thanks to [@vysecurity](https://twitter.com/vysecurity/) for guidance and motivation.

### References

<https://www.cobaltstrike.com/help-malleable-postex>

