xorl %eax, %eax

From Shellcode to Assembly

with 3 comments

It is common to have a really interesting shellcode but not its corresponding assembly instructions. This is definitely not a new problem. Of course you can retrieve the assembly code as long as you know for what platform was this shellcode being designed.

So, let’s assume that you have a really simple shellcode such as this:

\x31\xc0\x40\x89\xc3\xcd\x80

Yeah, this is a simple exit() system call for Linux / x86 platforms. Since this is valid machine code you can print it in a file and there you have a 100% correct object code file, so:

sh-3.2$ perl -e 'print "\x31\xc0\x40\x89\xc3\xcd\x80"' > shellcode
sh-3.2$ ndisasm -b 32 shellcode
00000000  31C0                     xor eax,eax
00000002  40                       inc eax
00000003  89C3                     mov ebx,eax
00000005  CD80                     int 0x80
sh-3.2$

The -b option specifies the mode, which in this case is 32bit. Of course, this is a simple match of machine code instructions to equivalent assembly mnemonics, but this is what we want :P If you wonder what was the original shellcode (you shouldn’t be since you saw the output of ndisasm) then, here it is:

.globl _start
_start:

 xorl   %eax, %eax
 inc    %eax
 movl   %eax, %ebx
 int    $0x80

Written by xorl

January 4, 2009 at 02:40

Posted in tips

3 Responses

Subscribe to comments with RSS.

  1. I incorporated in my ruby bag of tricks :-)
    Once again, nice one :-)

    thanasisk

    May 26, 2009 at 15:21

  2. How can I pass from nasm to hex (ex. “\x31\xc0\x40\x89\xc3\xcd\x80”)

    axjslack

    October 8, 2009 at 09:29

  3. @axjslack: There is a very simple, yet beautiful C code that typo of TESO wrote a few years ago that simply iterates through the object file bytes and prints them out which you can find here:
    http://packetstormsecurity.org/groups/teso/outp.c
    Or you could simply do something like this in bash shell:

    xorl:~$ ndisasm -b 32 shellcode.o | awk '{printf "%s", $2}' && echo -ne '\n'
    31C04089C3CD80
    xorl:~$
    

    You could write a simple shell script that does something like the above and additionally, iterate in a loop through each character and add \x on every second iteration.

    xorl

    October 13, 2009 at 21:27


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s