Thursday February 6, 2025 1:00pm - 1:50pm MST
In this talk, Mike will cover two highly effective techniques for obfuscating shellcode in your payloads.

Jargon is a shellcode obfuscation method that substitutes dictionary words in place of shellcode bytes and uses each word's position in a dictionary array to resolve the shellcode bytes at runtime. This provides two benefits: your loader doesn't have any shellcode, and the use of dictionary words reduces the entropy of your loader, sidestepping entropy detections built into some AV & EDR. We've found Jargon to be highly effective in evading detection.

Jigsaw is a shellcode obfuscation routine designed to hide your shellcode without requiring encryption. Jigsaw uses Python’s shuffle function to create a randomized array of shellcode and then reconstructs the original shellcode at runtime. This eliminates possible signatures related to including encryption libraries in your payload while also avoiding significant increases in entropy. Our research indicates that very few AV/EDR are aware of this technique. This technique could be an effective part of your shellcode loader arsenal.
Speakers
Mike Saunders

Mike Saunders is Red Siege Information Security’s Principal Consultant. Mike has over 25 years of IT and security expertise, having worked in the ISP, banking, insurance, and agriculture businesses. Mike gained knowledge in a range of roles throughout his career, including system...
Colorado Ballroom
