Editing Shellcode (section)
===Null-free shellcode===
Most shellcodes are written without the use of [[Null character|null]] bytes because they are intended to be injected into a target process through [[null-terminated string]]s. When a null-terminated string is copied, it will be copied up to and including the first null but subsequent bytes of the shellcode will not be processed. When shellcode that contains nulls is injected in this way, only part of the shellcode would be injected, making it incapable of running successfully.

To produce null-free shellcode from shellcode that contains [[Null character|null]] bytes, one can substitute machine instructions that contain zeroes with instructions that have the same effect but are free of nulls. For example, on the [[IA-32]] architecture one could replace this instruction:
 B8 01000000    [[MOV (x86 instruction)|MOV]] EAX,1          // Set the register EAX to 0x00000001
which contains zeroes as part of the literal (<code>1</code> expands to <code>0x00000001</code>) with these instructions:
 33C0           [[XOR (x86 instruction)|XOR]] EAX,EAX        // Set the register EAX to 0x00000000
 40             [[INC (x86 instruction)|INC]] EAX            // Increase EAX to 0x00000001
which have the same effect but take fewer bytes to encode and are free of nulls.
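The truncation described above can be observed directly. The following C program is an added example, not part of the original article: it passes the two encodings from the text through a null-terminated string copy and reports where the first null sits and how many bytes survive. The function names and the 64-byte staging buffers are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Instruction encodings quoted in the text above (IA-32). */
static const unsigned char MOV_EAX_1[] = { 0xB8, 0x01, 0x00, 0x00, 0x00 }; /* MOV EAX,1 */
static const unsigned char XOR_INC[]   = { 0x33, 0xC0, 0x40 };  /* XOR EAX,EAX ; INC EAX */

/* Offset of the first 0x00 byte in buf, or -1 if the buffer is null-free. */
long first_null_offset(const unsigned char *buf, size_t len)
{
    const unsigned char *p = memchr(buf, 0x00, len);
    return p ? (long)(p - buf) : -1;
}

/* Number of bytes (terminator excluded) that a null-terminated string copy
 * transfers. The input is staged in a zero-filled buffer so the copy always
 * finds a terminator inside the buffer, even for null-free input. */
size_t bytes_surviving_string_copy(const unsigned char *buf, size_t len)
{
    unsigned char staged[64] = {0};
    char dst[64] = {0};

    if (len >= sizeof staged)
        return 0;                      /* illustration handles short inputs only */
    memcpy(staged, buf, len);          /* staged[len] stays 0x00 */
    strcpy(dst, (const char *)staged); /* stops at the first 0x00 */
    return strlen(dst);
}

static void report(const char *name, const unsigned char *buf, size_t len)
{
    printf("%-22s length=%zu first_null=%ld copied=%zu\n", name, len,
           first_null_offset(buf, len), bytes_surviving_string_copy(buf, len));
}

int main(void)
{
    report("MOV EAX,1", MOV_EAX_1, sizeof MOV_EAX_1);
    report("XOR EAX,EAX; INC EAX", XOR_INC, sizeof XOR_INC);
    return 0;
}
```

The five-byte <code>MOV</code> encoding is cut after two bytes, while the three-byte replacement is copied whole.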