lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4F2BC2B7.1090206@intruded.net>
Date: Fri, 03 Feb 2012 12:19:19 +0100
From: bashrc <bashrc@...ruded.net>
To: Joshua Thomas <rappercrazzy@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Tricky Shellcode

Hello Joshua,

your shellcode is basically decrypting some string using 8-bit XOR with 
the key 0x41.
You can use ndisasm for analysing it. The code is easy to understand if 
you know assembler.

Regards,
bashrc

$ ndisasm -b 32 SC
00000000  31C0              xor eax,eax
00000002  50                push eax        ;push 0
00000003  6870797178        push dword 0x78717970    ; push string
00000008  6872772771        push dword 0x71277772
0000000D  6877797474        push dword 0x74747977
00000012  6825722524        push dword 0x24257225
00000017  6824242024        push dword 0x24202424
0000001C  6875787678        push dword 0x78767875
00000021  6873797579        push dword 0x79757973
00000026  6823767471        push dword 0x71747623
0000002B  6825717073        push dword 0x73707125
00000030  6870757475        push dword 0x75747570
00000035  6875247873        push dword 0x73782475
0000003A  6825777671        push dword 0x71767725
0000003F  6822727323        push dword 0x23737222
00000044  6824762777        push dword 0x77277624
00000049  6873757679        push dword 0x79767573
0000004E  6820797025        push dword 0x25707920
00000053  6873727577        push dword 0x77757273
00000058  6827777124        push dword 0x24717727
0000005D  6827227573        push dword 0x73752227
00000062  6823797076        push dword 0x76707923
00000067  6875752470        push dword 0x70247575
0000006C  6822237127        push dword 0x27712322
00000071  6825797122        push dword 0x22717925
00000076  6822722725        push dword 0x25277222
0000007B  6875232277        push dword 0x77222375
00000080  6822247576        push dword 0x76752422
00000085  6827252024        push dword 0x24202527
0000008A  6875702773        push dword 0x73277075
0000008F  6877207924        push dword 0x24792077
00000094  6872737023        push dword 0x23707372
00000099  6870787023        push dword 0x23707870
0000009E  6878247171        push dword 0x71712478
000000A3  54                push esp ; esp is pointing to the string on 
stack
000000A4  5E                pop esi    ; esi is pointing to the string
000000A5  8BFE              mov edi,esi ; edi is pointing to the string
000000A7  8BD7              mov edx,edi ; edx is pointing to the string
000000A9  FC                cld
000000AA  B980000000        mov ecx,0x80    ;size = 128
000000AF  BB41000000        mov ebx,0x41    ;xorbyte = 0x41
000000B4  31C0              xor eax,eax
000000B6  50                push eax
;loop begin
000000B7  AC                lodsb                            ;load byte 
where esi is pointing
000000B8  33C3              xor eax,ebx                ;xor loadedbyte 
with 0x41
000000BA  AA                stosb                            ;store 
result where edi is pointing
000000BB  E2FA              loop 0xb7
;loop 128 times
000000BD  54                push esp
000000BE  5E                pop esi                        ;esi 
containing the decrypted string
000000BF  CC                int3




Am 01.02.2012 21:57, schrieb Joshua Thomas:
> Can anyone help in solving what this shellcode does?
>
> \x31\xC0\x50\x68\x70\x79\x71\x78\x68\x72\x77\x27\x71\x68\x77\x79\x74\x74\x68\x25\x72\x25\x24\x68\x24\x24\x20\x24\x68\x75\x78\x76\x78\x68\x73\x79\x75\x79\x68\x23\x76\x74\x71\x68\x25\x71\x70\x73\x68\x70\x75\x74\x75\x68\x75\x24\x78\x73\x68\x25\x77\x76\x71\x68\x22\x72\x73\x23\x68\x24\x76\x27\x77\x68\x73\x75\x76\x79\x68\x20\x79\x70\x25\x68\x73\x72\x75\x77\x68\x27\x77\x71\x24\x68\x27\x22\x75\x73\x68\x23\x79\x70\x76\x68\x75\x75\x24\x70\x68\x22\x23\x71\x27\x68\x25\x79\x71\x22\x68\x22\x72\x27\x25\x68\x75\x23\x22\x77\x68\x22\x24\x75\x76\x68\x27\x25\x20\x24\x68\x75\x70\x27\x73\x68\x77\x20\x79\x24\x68\x72\x73\x70\x23\x68\x70\x78\x70\x23\x68\x78\x24\x71\x71\x54\x5E\x8B\xFE\x8B\xD7\xFC\xB9\x80\x00\x00\x00\xBB\x41\x00\x00\x00\x31\xC0\x50\xAC\x33\xC3\xAA\xE2\xFA\x54\x5E\xCC
>
> Thanks
> JT
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ