Alphanumeric Shellcode Ensuring Jumps

I'm trying to write some shellcode that will eventually be in the form of an English paragraph. This means that I'm mostly limited to instructions that have opcodes that evaluate to alphanumeric characters or punctuation. This actually leaves me with many different jump instructions including: jo, jno, jb, jae, je, jne, jbe, ja, js, jns, and jp (which correspond to letters p-z). Each of these jumps performs a test before it decides to jump or not. In most cases I can combine a jump plus its inverse to ensure a jump will take place in the shellcode (e.g. using jo then jno, or je then jne), but I cannot do this in the case of jb. The test for jb is CF=1.

My question is, is there any series of alphanumeric instructions that is functionally a NOP, but also ensures that CF=1? CF is the carry flag, so any operations that are guaranteed to set the carry flag would suffice.

Also, to ensure a jae, is there any way to ensure that CF=0?

cytinus asked May 17 '12 14:05


1 Answer

You can use "4444" to set CF to 0.

"44" is XOR AL, 0x34.

Two XORs with the same value result in no change to AL.

It should be noted, though, that XOR affects almost all arithmetic flags (effect on AF is undefined). So, it's not completely "NOP".

In 32-bit mode you can use "PhohohX7X" to set CF to 1.

"P" is PUSH EAX.
"hohoh" is PUSH 0x686F686F.
"X" is POP EAX.
"7" is AAA.
"X" is POP EAX.

There's a caveat with AAA, too. Its effect on most of the arithmetic flags is undefined (CF and AF excepted, they become equal). So, it's not completely "NOP" either.

Alexey Frunze answered Sep 27 '22 16:09
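As an added example (not code from the answer or the original post), here is a minimal Python model of only the five opcodes the two sequences use, enough to confirm the flag claims: 0x34 ib (XOR AL, imm8), 0x50 (PUSH EAX), 0x68 imm32 (PUSH imm32), 0x58 (POP EAX) and 0x37 (AAA). The starting EAX values, the incoming CF/AF state and the stack list are constructed for the demonstration.

```python
import struct

class Cpu:
    """Just enough 32-bit x86 state to trace "4444" and "PhohohX7X"."""
    def __init__(self, eax, cf, af):
        self.eax, self.cf, self.af = eax, cf, af
        self.stack = []            # constructed stand-in for the real stack

    def run(self, code: bytes):
        pc = 0
        while pc < len(code):
            op = code[pc]
            if op == 0x34:                       # XOR AL, imm8 ("4" + byte)
                al = (self.eax & 0xFF) ^ code[pc + 1]
                self.eax = (self.eax & 0xFFFFFF00) | al
                self.cf = 0                      # XOR always clears CF (and OF)
                pc += 2                          # AF is undefined: left as-is
            elif op == 0x50:                     # PUSH EAX ("P")
                self.stack.append(self.eax)
                pc += 1
            elif op == 0x68:                     # PUSH imm32 ("h" + 4 bytes)
                self.stack.append(struct.unpack_from("<I", code, pc + 1)[0])
                pc += 5
            elif op == 0x58:                     # POP EAX ("X")
                self.eax = self.stack.pop()
                pc += 1
            elif op == 0x37:                     # AAA ("7"), Intel SDM semantics
                ax = self.eax & 0xFFFF
                if (ax & 0x0F) > 9 or self.af:
                    ax = (ax + 0x106) & 0xFFFF
                    self.cf = self.af = 1        # CF and AF always end up equal
                else:
                    self.cf = self.af = 0
                ax &= 0xFF0F                     # AL <- AL AND 0Fh, AH kept
                self.eax = (self.eax & 0xFFFF0000) | ax
                pc += 1
            else:
                raise ValueError(f"opcode {op:#x} not modelled")
        return self

def flags_after(text: str, eax: int, cf: int = 0, af: int = 0):
    """Run an ASCII instruction sequence; return (EAX, CF) afterwards."""
    cpu = Cpu(eax, cf, af).run(text.encode("ascii"))
    return cpu.eax, cpu.cf

if __name__ == "__main__":
    print(hex(flags_after("4444", 0xDEADBEEF, cf=1)[0]), flags_after("4444", 0xDEADBEEF, cf=1)[1])
    print(flags_after("PhohohX7X", 0x12345678, cf=0, af=0))
```

Because PUSH imm32 is little-endian, "hohoh" loads EAX with 0x686F686F, so AL is 0x6F and its low nibble 0xF exceeds 9, which is why AAA sets CF regardless of the incoming AF. EAX is restored by the final POP, so only the flags are disturbed.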