Full Disclosure mailing list archives
Re: Tricky Shellcode
From: bashrc <bashrc () intruded net>
Date: Fri, 03 Feb 2012 12:19:19 +0100
Hello Joshua,

Your shellcode is basically decrypting some string using 8-bit XOR with the key 0x41. You can use ndisasm for analysing it. The code is easy to understand if you know assembler.
Regards, bashrc

$ ndisasm -b 32 SC
00000000  31C0              xor eax,eax
00000002  50                push eax               ; push 0
00000003  6870797178        push dword 0x78717970  ; push string
00000008  6872772771        push dword 0x71277772
0000000D  6877797474        push dword 0x74747977
00000012  6825722524        push dword 0x24257225
00000017  6824242024        push dword 0x24202424
0000001C  6875787678        push dword 0x78767875
00000021  6873797579        push dword 0x79757973
00000026  6823767471        push dword 0x71747623
0000002B  6825717073        push dword 0x73707125
00000030  6870757475        push dword 0x75747570
00000035  6875247873        push dword 0x73782475
0000003A  6825777671        push dword 0x71767725
0000003F  6822727323        push dword 0x23737222
00000044  6824762777        push dword 0x77277624
00000049  6873757679        push dword 0x79767573
0000004E  6820797025        push dword 0x25707920
00000053  6873727577        push dword 0x77757273
00000058  6827777124        push dword 0x24717727
0000005D  6827227573        push dword 0x73752227
00000062  6823797076        push dword 0x76707923
00000067  6875752470        push dword 0x70247575
0000006C  6822237127        push dword 0x27712322
00000071  6825797122        push dword 0x22717925
00000076  6822722725        push dword 0x25277222
0000007B  6875232277        push dword 0x77222375
00000080  6822247576        push dword 0x76752422
00000085  6827252024        push dword 0x24202527
0000008A  6875702773        push dword 0x73277075
0000008F  6877207924        push dword 0x24792077
00000094  6872737023        push dword 0x23707372
00000099  6870787023        push dword 0x23707870
0000009E  6878247171        push dword 0x71712478
000000A3  54                push esp               ; esp is pointing to the string on stack
000000A4  5E                pop esi                ; esi is pointing to the string
000000A5  8BFE              mov edi,esi            ; edi is pointing to the string
000000A7  8BD7              mov edx,edi            ; edx is pointing to the string
000000A9  FC                cld
000000AA  B980000000        mov ecx,0x80           ; size = 128
000000AF  BB41000000        mov ebx,0x41           ; xorbyte = 0x41
000000B4  31C0              xor eax,eax
000000B6  50                push eax
                                                   ; loop begin
000000B7  AC                lodsb                  ; load byte where esi is pointing
000000B8  33C3              xor eax,ebx            ; xor loaded byte with 0x41
000000BA  AA                stosb                  ; store result where edi is pointing
000000BB  E2FA              loop 0xb7              ; loop 128 times
000000BD  54                push esp
000000BE  5E                pop esi                ; esi containing the decrypted string
000000BF  CC                int3

On 01.02.2012 21:57, Joshua Thomas wrote:
Can anyone help in solving what this shellcode does?

\x31\xC0\x50\x68\x70\x79\x71\x78\x68\x72\x77\x27\x71\x68\x77\x79\x74\x74\x68\x25\x72\x25\x24\x68\x24\x24\x20\x24\x68\x75\x78\x76\x78\x68\x73\x79\x75\x79\x68\x23\x76\x74\x71\x68\x25\x71\x70\x73\x68\x70\x75\x74\x75\x68\x75\x24\x78\x73\x68\x25\x77\x76\x71\x68\x22\x72\x73\x23\x68\x24\x76\x27\x77\x68\x73\x75\x76\x79\x68\x20\x79\x70\x25\x68\x73\x72\x75\x77\x68\x27\x77\x71\x24\x68\x27\x22\x75\x73\x68\x23\x79\x70\x76\x68\x75\x75\x24\x70\x68\x22\x23\x71\x27\x68\x25\x79\x71\x22\x68\x22\x72\x27\x25\x68\x75\x23\x22\x77\x68\x22\x24\x75\x76\x68\x27\x25\x20\x24\x68\x75\x70\x27\x73\x68\x77\x20\x79\x24\x68\x72\x73\x70\x23\x68\x70\x78\x70\x23\x68\x78\x24\x71\x71\x54\x5E\x8B\xFE\x8B\xD7\xFC\xB9\x80\x00\x00\x00\xBB\x41\x00\x00\x00\x31\xC0\x50\xAC\x33\xC3\xAA\xE2\xFA\x54\x5E\xCC

Thanks
JT

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
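The decode loop bashrc walks through above can be reproduced without ever executing the shellcode: the 32 `push dword` immediates are the encrypted string laid out in stack order, and the `mov ecx` / `mov ebx` immediates give the byte count and the XOR key. The following C program is an added example (not code from either post in this thread) that does exactly that. It models only the opcodes this shellcode executes before `lodsb` (push imm32, push eax, push esp / pop esi, register-to-register mov, mov ecx/ebx,imm32, xor eax,eax, cld), rebuilds the stack image on a 4 KiB emulated stack, and then applies the XOR loop; it fails closed on any other instruction and is not a general x86 emulator. The function names, the emulated stack size and the 256-byte output buffer are this example's own choices.

```c
/*
 * Static decoder for the push-string-then-XOR shellcode in this thread.
 * Added example, not code from the thread. It models only the opcodes this
 * shellcode executes before lodsb and returns 0 on anything else; it is not
 * a general x86 emulator. All names below are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE 4096   /* emulated stack; sized arbitrarily for the example */

/* Shellcode bytes exactly as posted by Joshua Thomas (192 bytes). */
static const unsigned char posted_shellcode[] = {
    0x31,0xC0,0x50,
    0x68,0x70,0x79,0x71,0x78, 0x68,0x72,0x77,0x27,0x71, 0x68,0x77,0x79,0x74,0x74,
    0x68,0x25,0x72,0x25,0x24, 0x68,0x24,0x24,0x20,0x24, 0x68,0x75,0x78,0x76,0x78,
    0x68,0x73,0x79,0x75,0x79, 0x68,0x23,0x76,0x74,0x71, 0x68,0x25,0x71,0x70,0x73,
    0x68,0x70,0x75,0x74,0x75, 0x68,0x75,0x24,0x78,0x73, 0x68,0x25,0x77,0x76,0x71,
    0x68,0x22,0x72,0x73,0x23, 0x68,0x24,0x76,0x27,0x77, 0x68,0x73,0x75,0x76,0x79,
    0x68,0x20,0x79,0x70,0x25, 0x68,0x73,0x72,0x75,0x77, 0x68,0x27,0x77,0x71,0x24,
    0x68,0x27,0x22,0x75,0x73, 0x68,0x23,0x79,0x70,0x76, 0x68,0x75,0x75,0x24,0x70,
    0x68,0x22,0x23,0x71,0x27, 0x68,0x25,0x79,0x71,0x22, 0x68,0x22,0x72,0x27,0x25,
    0x68,0x75,0x23,0x22,0x77, 0x68,0x22,0x24,0x75,0x76, 0x68,0x27,0x25,0x20,0x24,
    0x68,0x75,0x70,0x27,0x73, 0x68,0x77,0x20,0x79,0x24, 0x68,0x72,0x73,0x70,0x23,
    0x68,0x70,0x78,0x70,0x23, 0x68,0x78,0x24,0x71,0x71,
    0x54,0x5E,0x8B,0xFE,0x8B,0xD7,0xFC,0xB9,0x80,0x00,0x00,0x00,
    0xBB,0x41,0x00,0x00,0x00,0x31,0xC0,0x50,0xAC,0x33,0xC3,0xAA,0xE2,0xFA,0x54,0x5E,0xCC
};

/* Little-endian 32-bit load/store, independent of the host's byte order. */
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* Walk `code` up to the first lodsb, rebuilding the stack, then decode.
 * Returns the number of bytes written to `out` (NUL-terminated), or 0 if the
 * stream leaves the modelled subset or the sizes do not add up. */
size_t decode_stack_string(const unsigned char *code, size_t len, char *out, size_t outsz)
{
    unsigned char stack[STACK_SIZE];
    uint32_t sp = STACK_SIZE, eax = 0, esi = 0, ecx = 0, ebx = 0;  /* sp/esi are offsets into stack[] */
    size_t ip = 0;

    for (;;) {
        if (ip >= len) return 0;                       /* ran off the end before reaching the loop */
        unsigned char op = code[ip];
        if (op == 0xAC) break;                         /* lodsb: the decode loop starts, stack image is complete */
        if (op == 0x31 && ip + 1 < len && code[ip + 1] == 0xC0) { eax = 0; ip += 2; }            /* xor eax,eax */
        else if (op == 0x8B && ip + 1 < len && code[ip + 1] >= 0xC0) { ip += 2; }               /* mov reg,reg: edi/edx copies, unused here */
        else if (op == 0xFC) { ip += 1; }                                                       /* cld: forward lodsb/stosb, assumed below */
        else if (op == 0xB9 && ip + 5 <= len) { ecx = rd32(code + ip + 1); ip += 5; }         /* mov ecx,imm32: byte count */
        else if (op == 0xBB && ip + 5 <= len) { ebx = rd32(code + ip + 1); ip += 5; }         /* mov ebx,imm32: XOR key */
        else if (op == 0x50 && sp >= 4) { sp -= 4; wr32(stack + sp, eax); ip += 1; }          /* push eax */
        else if (op == 0x54 && sp >= 4) { uint32_t v = sp; sp -= 4; wr32(stack + sp, v); ip += 1; } /* push esp: pushes the pre-decrement value */
        else if (op == 0x5E && sp + 4 <= STACK_SIZE) { esi = rd32(stack + sp); sp += 4; ip += 1; } /* pop esi */
        else if (op == 0x68 && ip + 5 <= len && sp >= 4) {                                      /* push imm32 */
            /* The immediate is little-endian in the instruction and little-endian on the
             * stack, so its four bytes land in memory in the order they appear in the code. */
            sp -= 4; memcpy(stack + sp, code + ip + 1, 4); ip += 5;
        }
        else return 0;                                 /* unmodelled instruction or stack exhausted */
    }

    if (ecx == 0 || esi >= STACK_SIZE || ecx > STACK_SIZE - esi || ecx >= outsz) return 0;

    /* lodsb / xor eax,ebx / stosb / loop: only al is loaded and stored, so only the
     * low byte of ebx ever affects the result. Decode into `out` instead of in place. */
    unsigned char key = (unsigned char)ebx;
    for (uint32_t i = 0; i < ecx; i++) out[i] = (char)(stack[esi + i] ^ key);
    out[ecx] = '\0';
    return ecx;
}

/* Convenience wrapper for the posted sample: decoded string, or NULL on failure. */
const char *decode_posted_shellcode(void)
{
    static char decoded[256];
    return decode_stack_string(posted_shellcode, sizeof posted_shellcode, decoded, sizeof decoded) ? decoded : NULL;
}

int main(void)
{
    const char *s = decode_posted_shellcode();
    if (!s) { fputs("decode failed\n", stderr); return 1; }
    printf("%zu bytes decoded: %s\n", strlen(s), s);
    return 0;
}
```

Build with `cc -std=c99 -Wall decode.c -o decode` and run it; the decoded buffer is 128 ASCII hex digits (0-9, a-f). Two details from the listing are worth noting when reusing this: the first `push eax` at 0x02 leaves a zero dword directly after the 128 bytes, so on the real stack the decoded string is already NUL-terminated; and the second `push eax` at 0xB6 lowers esp by 4 before the loop, so the final `push esp` / `pop esi` at 0xBD yields a pointer to that zero dword, 4 bytes below the first decoded byte. The decoder therefore takes esi from the earlier `push esp` / `pop esi` at 0xA3, which is the pointer the loop itself reads from.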
Current thread:
- Tricky Shellcode Joshua Thomas (Feb 01)
- Re: Tricky Shellcode Grandma Eubanks (Feb 01)
- Re: Tricky Shellcode InterN0T Advisories (Feb 01)
- Re: Tricky Shellcode bashrc (Feb 05)