From Shellcode to Assembly
It is common to have a really interesting shellcode but not its corresponding assembly instructions. This is definitely not a new problem. Of course you can retrieve the assembly code as long as you know which platform the shellcode was designed for.
So, let’s assume that you have a really simple shellcode such as this:
\x31\xc0\x40\x89\xc3\xcd\x80
Yeah, this is a simple exit() system call for Linux / x86 platforms. Since this is valid machine code, you can write the bytes to a file and you have a file containing nothing but correct machine code, which a disassembler can read directly:
sh-3.2$ perl -e 'print "\x31\xc0\x40\x89\xc3\xcd\x80"' > shellcode
sh-3.2$ ndisasm -b 32 shellcode
00000000  31C0              xor eax,eax
00000002  40                inc eax
00000003  89C3              mov ebx,eax
00000005  CD80              int 0x80
sh-3.2$
The -b option specifies the mode, which in this case is 32-bit. Of course, this is a simple match of machine code instructions to equivalent assembly mnemonics, but this is what we want :P If you wonder what the original shellcode source was (you shouldn't, since you saw the output of ndisasm), here it is:
.globl _start
_start:
    xorl %eax, %eax
    inc %eax
    movl %eax, %ebx
    int $0x80
I incorporated it in my ruby bag of tricks :-)
Once again, nice one :-)
thanasisk
May 26, 2009 at 15:21
How can I pass from nasm to hex (e.g. “\x31\xc0\x40\x89\xc3\xcd\x80”)?
axjslack
October 8, 2009 at 09:29
@axjslack: There is a very simple, yet beautiful piece of C code that typo of TESO wrote a few years ago that simply iterates through the object file bytes and prints them out, which you can find here:
http://packetstormsecurity.org/groups/teso/outp.c
Or you could simply do something like this in bash shell:
You could write a simple shell script that does something like the above and additionally, iterate in a loop through each character and add \x on every second iteration.
xorl
October 13, 2009 at 21:27
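The two directions discussed on this page (shellcode string to a raw file for ndisasm in the post, and raw bytes back to the "\xNN" form in the comment thread) as an added Python example; this is not code from the post, from xorl, or from the TESO outp.c tool. It also includes a tiny table-driven decoder for exactly the four opcode forms in the exit() stub (xor r/m32,r32; mov r/m32,r32; inc r32; int imm8) to show what "matching machine code to mnemonics" means; a real disassembler such as ndisasm handles the full instruction set, and the script only shells out to it when it is installed.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Constructed sample: the exit() shellcode from the post, in C/Perl string form.
EXIT_SHELLCODE = r"\x31\xc0\x40\x89\xc3\xcd\x80"

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def escaped_to_bytes(s: str) -> bytes:
    """Parse a "\\xNN\\xNN..." string into raw bytes, rejecting anything else."""
    s = s.strip().strip('"')
    if re.fullmatch(r"(\\x[0-9a-fA-F]{2})+", s) is None:
        raise ValueError("expected a string made only of \\xNN escapes")
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))


def bytes_to_escaped(data: bytes) -> str:
    """Inverse direction (the question in the comments): raw bytes to "\\xNN" form."""
    return "".join(f"\\x{b:02x}" for b in data)


def hexdump_to_bytes(text: str) -> bytes:
    """Accept hex-pairs-only dumps, e.g. output of 'xxd -p' or 'od -An -tx1 -v'
    (whitespace anywhere, no offsets), and return the raw bytes."""
    hexdigits = re.sub(r"\s+", "", text)
    if not hexdigits or len(hexdigits) % 2 or re.fullmatch(r"[0-9a-fA-F]+", hexdigits) is None:
        raise ValueError("expected whitespace-separated hex byte pairs")
    return bytes.fromhex(hexdigits)


def write_raw_file(path: Path, data: bytes) -> int:
    """Write the bytes as-is (what the perl one-liner in the post does); return the size."""
    path.write_bytes(data)
    return len(data)


def decode_subset(data: bytes) -> list:
    """Toy 32-bit decoder covering only the encodings in the post's exit() stub:
    31 /r (xor r/m32,r32), 89 /r (mov r/m32,r32), 40+r (inc r32), CD ib (int imm8).
    Only register-direct ModRM (mod == 3) is supported; anything else raises."""
    out, i = [], 0
    while i < len(data):
        op = data[i]
        if op in (0x31, 0x89):
            modrm = data[i + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 3:
                raise ValueError(f"memory operand at offset {i} not supported by this toy decoder")
            mnemonic = "xor" if op == 0x31 else "mov"
            # Intel syntax as ndisasm prints it: destination (r/m) first, source (reg) second.
            out.append(f"{mnemonic} {REGS32[rm]},{REGS32[reg]}")
            i += 2
        elif 0x40 <= op <= 0x47:
            out.append(f"inc {REGS32[op - 0x40]}")
            i += 1
        elif op == 0xCD:
            out.append(f"int 0x{data[i + 1]:x}")
            i += 2
        else:
            raise ValueError(f"opcode {op:#04x} at offset {i} is outside this toy subset")
    return out


def ndisasm_if_available(path: Path):
    """Run 'ndisasm -b 32' on the file when nasm's ndisasm is installed, else return None."""
    if shutil.which("ndisasm") is None:
        return None
    result = subprocess.run(["ndisasm", "-b", "32", str(path)],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    raw = escaped_to_bytes(EXIT_SHELLCODE)
    target = Path("shellcode.bin")  # assumed scratch file name
    print(f"wrote {write_raw_file(target, raw)} bytes to {target}")
    print("round trip:", bytes_to_escaped(raw))
    for line in decode_subset(raw):
        print("  ", line)
    listing = ndisasm_if_available(target)
    print(listing if listing else "ndisasm not found; skipped the real disassembly")
```

Running it writes the seven bytes to shellcode.bin, prints the "\x" string back (so the two conversions are inverses), lists the four instructions from the toy decoder, and, when ndisasm is on the PATH, prints the same listing that appears in the post.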