Message-ID: <4F2BC2B7.1090206@intruded.net>
Date: Fri, 03 Feb 2012 12:19:19 +0100
From: bashrc <bashrc@...ruded.net>
To: Joshua Thomas <rappercrazzy@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Tricky Shellcode
Hello Joshua,
your shellcode is basically decrypting some string using 8-bit XOR with
the key 0x41.
You can use ndisasm for analysing it. The code is easy to understand if
you know assembler.
Regards,
bashrc
$ ndisasm -b 32 SC
00000000 31C0 xor eax,eax
00000002 50 push eax ;push 0
00000003 6870797178 push dword 0x78717970 ; push string
00000008 6872772771 push dword 0x71277772
0000000D 6877797474 push dword 0x74747977
00000012 6825722524 push dword 0x24257225
00000017 6824242024 push dword 0x24202424
0000001C 6875787678 push dword 0x78767875
00000021 6873797579 push dword 0x79757973
00000026 6823767471 push dword 0x71747623
0000002B 6825717073 push dword 0x73707125
00000030 6870757475 push dword 0x75747570
00000035 6875247873 push dword 0x73782475
0000003A 6825777671 push dword 0x71767725
0000003F 6822727323 push dword 0x23737222
00000044 6824762777 push dword 0x77277624
00000049 6873757679 push dword 0x79767573
0000004E 6820797025 push dword 0x25707920
00000053 6873727577 push dword 0x77757273
00000058 6827777124 push dword 0x24717727
0000005D 6827227573 push dword 0x73752227
00000062 6823797076 push dword 0x76707923
00000067 6875752470 push dword 0x70247575
0000006C 6822237127 push dword 0x27712322
00000071 6825797122 push dword 0x22717925
00000076 6822722725 push dword 0x25277222
0000007B 6875232277 push dword 0x77222375
00000080 6822247576 push dword 0x76752422
00000085 6827252024 push dword 0x24202527
0000008A 6875702773 push dword 0x73277075
0000008F 6877207924 push dword 0x24792077
00000094 6872737023 push dword 0x23707372
00000099 6870787023 push dword 0x23707870
0000009E 6878247171 push dword 0x71712478
000000A3 54 push esp ; esp is pointing to the string on stack
000000A4 5E pop esi ; esi is pointing to the string
000000A5 8BFE mov edi,esi ; edi is pointing to the string
000000A7 8BD7 mov edx,edi ; edx is pointing to the string
000000A9 FC cld
000000AA B980000000 mov ecx,0x80 ;size = 128
000000AF BB41000000 mov ebx,0x41 ;xorbyte = 0x41
000000B4 31C0 xor eax,eax
000000B6 50 push eax
;loop begin
000000B7 AC lodsb ;load byte where esi is pointing
000000B8 33C3 xor eax,ebx ;xor loadedbyte with 0x41
000000BA AA stosb ;store result where edi is pointing
000000BB E2FA loop 0xb7 ;loop 128 times
000000BD 54 push esp
000000BE 5E pop esi ;esi containing the decrypted string
000000BF CC int3
On 01.02.2012 21:57, Joshua Thomas wrote:
> Can anyone help in solving what this shellcode does?
>
> \x31\xC0\x50\x68\x70\x79\x71\x78\x68\x72\x77\x27\x71\x68\x77\x79\x74\x74\x68\x25\x72\x25\x24\x68\x24\x24\x20\x24\x68\x75\x78\x76\x78\x68\x73\x79\x75\x79\x68\x23\x76\x74\x71\x68\x25\x71\x70\x73\x68\x70\x75\x74\x75\x68\x75\x24\x78\x73\x68\x25\x77\x76\x71\x68\x22\x72\x73\x23\x68\x24\x76\x27\x77\x68\x73\x75\x76\x79\x68\x20\x79\x70\x25\x68\x73\x72\x75\x77\x68\x27\x77\x71\x24\x68\x27\x22\x75\x73\x68\x23\x79\x70\x76\x68\x75\x75\x24\x70\x68\x22\x23\x71\x27\x68\x25\x79\x71\x22\x68\x22\x72\x27\x25\x68\x75\x23\x22\x77\x68\x22\x24\x75\x76\x68\x27\x25\x20\x24\x68\x75\x70\x27\x73\x68\x77\x20\x79\x24\x68\x72\x73\x70\x23\x68\x70\x78\x70\x23\x68\x78\x24\x71\x71\x54\x5E\x8B\xFE\x8B\xD7\xFC\xB9\x80\x00\x00\x00\xBB\x41\x00\x00\x00\x31\xC0\x50\xAC\x33\xC3\xAA\xE2\xFA\x54\x5E\xCC
>
> Thanks
> JT
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
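The decoding bashrc describes, written out as an added static-analysis helper that is not part of the thread: it takes the bytes from Joshua's message, collects the `push dword imm32` immediates, rebuilds the buffer in stack order, reads the loop count and XOR byte from the `mov ecx` / `mov ebx` instructions, and applies the XOR, all without executing the shellcode. The opcode walk is a heuristic written for this particular stub, not a general disassembler, and the function names are my own.

```python
# Added analysis helper, not part of the thread. It statically reconstructs the
# string the posted shellcode builds on the stack and undoes its XOR, without
# executing any of the bytes. The opcode walk is a minimal heuristic written
# for this particular stub (assumption: no general disassembly is attempted).

# Shellcode bytes exactly as posted in the thread.
SHELLCODE = bytes.fromhex(
    "31c050"                                             # xor eax,eax ; push eax (NUL terminator)
    "6870797178" "6872772771" "6877797474" "6825722524"  # 32 x push dword imm32
    "6824242024" "6875787678" "6873797579" "6823767471"
    "6825717073" "6870757475" "6875247873" "6825777671"
    "6822727323" "6824762777" "6873757679" "6820797025"
    "6873727577" "6827777124" "6827227573" "6823797076"
    "6875752470" "6822237127" "6825797122" "6822722725"
    "6875232277" "6822247576" "6827252024" "6875702773"
    "6877207924" "6872737023" "6870787023" "6878247171"
    "545e8bfe8bd7fcb980000000bb4100000031c050ac33c3aae2fa545ecc"  # decoder loop, int3
)


def stack_string(code: bytes) -> bytes:
    """Rebuild the buffer left on the stack by the run of `push dword imm32`.

    The first push ends up at the highest address and the last push at esp, so
    the in-memory buffer is the immediates in reverse push order. Each dword is
    stored little-endian, i.e. in the same byte order as in the instruction
    encoding, so the four bytes after each 0x68 are copied as-is.
    """
    i = code.find(b"\x68")
    pushes = []
    while 0 <= i < len(code) and code[i] == 0x68:
        pushes.append(code[i + 1:i + 5])
        i += 5
    return b"".join(reversed(pushes))


def decoder_parameters(code: bytes):
    """Read the loop count and XOR byte from the decoder stub.

    Assumes the stub after the pushes starts with `push esp ; pop esi` (54 5E)
    and loads ecx and ebx with `mov r32, imm32` (B9 / BB), as in the listing.
    Returns (length, key), or (None, None) if the stub is not recognised.
    """
    i = code.find(b"\x54\x5e")
    if i < 0:
        return None, None
    length = key = None
    while i < len(code):
        op = code[i]
        if op == 0xB9:      # mov ecx, imm32
            length = int.from_bytes(code[i + 1:i + 5], "little")
            i += 5
        elif op == 0xBB:    # mov ebx, imm32
            key = int.from_bytes(code[i + 1:i + 5], "little")
            i += 5
        else:
            i += 1
    return length, key


def xor_decode(buf: bytes, key: int) -> bytes:
    """Apply the same single-byte XOR the lodsb / xor eax,ebx / stosb loop applies."""
    return bytes(b ^ key for b in buf)


def decode_shellcode(code: bytes) -> str:
    """Return the decoded stack string as text."""
    buf = stack_string(code)
    length, key = decoder_parameters(code)
    if length is None or key is None:
        raise ValueError("decoder stub not recognised")
    return xor_decode(buf[:length], key & 0xFF).decode("ascii", errors="replace")


if __name__ == "__main__":
    length, key = decoder_parameters(SHELLCODE)
    print(f"loop count {length}, xor key {key:#x}")
    print(decode_shellcode(SHELLCODE))
```

Running it reports a loop count of 128 and a key of 0x41, matching the listing, and prints a 128-character string made up only of hexadecimal digits; the thread does not say what that value represents, so the helper stops there.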