Skip to content
shellcodes

Blog

Articles, guides, and shellcode research.

Leaving msfvenom on the jump box: a browser-native workflow
A migration path from team-server shellcode habits to in-browser generation without losing reproducibility or OPSEC discipline.
workflowwasmtooling
Bad-character filters: presets are a start, not the contract
How null and alphanumeric presets map to real injection channels, and when you must build a custom bad-char list.
bad-charsencodersbuilder
What the hex viewer tells you before you copy shellcode
Using a hex view to catch alignment issues, obvious bad chars, and length mistakes before shellcode hits an exploit script.
hex-vieweranalysisquality-control
Repeatable shellcode runbooks for authorized testing
How to document encoder chains, network parameters, and export formats so retests do not turn into archaeology.
runbookscollectionscompliance
Linux exec vs reverse TCP: pick the payload that matches the primitive
When to use exec-style shellcode versus reverse TCP in authorized labs, and why the flashy option is often the wrong one.
linuxpayload-typesred-team
Importing shellcode without corrupting a single byte
Common paste formats, whitespace traps, and how to round-trip external shellcode through a browser builder without silent truncation.
converterhexworkflow
Encoder pipeline order: why your second pass breaks the first
How stacked encoders change size, decoders, and bad-char profiles, plus a sane order for lab iterations before exploit integration.
encodersbad-charsexport-formats
Client-side shellcode generation: a threat model that is not marketing
What stays local in a browser-native shellcode builder, what still leaks, and how to run authorized tests without polluting your ticket trail.
privacybrowser-securitypentest-ops
Null bytes in shellcode still ruin exploits in 2026
Why 0x00 breaks strcpy-style delivery, how nulls sneak into reverse TCP structs, and what to do when your encoder pass lies to you.
bad-charsexploit-developmentlinux