Posted (edited)

I've been messing with machine code <-> asm back and forth, and I have a script to create compilable asm from machine code (in hex format):

#!/bin/bash
# Turns machine code (a hex string) into NASM source that can be assembled again.
# Needs xxd and ndisasm; ndisasm's address and opcode columns end up in a trailing comment.
s="90909041484A"

echo "section .bss"; echo
echo "section .data"; echo
echo "section .text"
echo "   global _start"
echo "      _start:"

# ndisasm prints "<addr>  <bytes>  <instruction>"; awk moves columns 1-2 behind a ';'
# so each line becomes "    nop ; 00000000 90"
echo -n "$s" | xxd -ps -r | ndisasm -b 32 - \
  | awk '{ORS=""; print "    "; for(i=3; i<=NF; i++) print $i" "; print "; "$1" "$2"\n"}' \
  | while IFS= read -r line; do
      insn="${line%%;*}"        # text before the first ';' (the instruction)
      comment=";${line#*;}"     # the ';' and everything after it (address + opcode)
      # pad with tabs (8-column stops) so the comments line up in one column
      char_temp=$(( ${#insn} + 1 ))
      char_wc=$(( char_temp / 8 ))
      [ $(( char_temp % 8 )) -eq 0 ] && char_wc=$(( char_wc - 1 ))
      printf '%s' "$insn"
      for j in $(seq 0 $(( 8 - char_wc ))); do printf '\t'; done
      printf '%s\n' "$comment"
    done
Maybe it might be helpful to someone. Edited by fugu
Posted

Now it's only a one-liner when there's no semicolon in there... :smile:

What do you call machine code? The .o file?

Posted (edited)

Yeah, I guess that's right. I wish I knew how to make it a true one-liner, but it's so complicated it's probably not possible. I should relabel this post "script" for clarity. Just piping in the .o/.obj file probably won't work; I've been diving into those files to pull out just the executable part of it. I'm mainly using it for analysing shellcodes and such. I've found that tools like objdump/ndisasm are great for disassembly, but the format they leave the code in can't be compiled. I made this script to convert the ndisasm output into something that can be directly compiled again.

So, for instance, you can do:

$ msfpayload windows/exec CMD=dir R | xxd -ps | tr -d '\n'; echo
and this could be the machine code used in the script. Edited by fugu
Posted (edited)

So I guess there is already a tool to do this in:

/usr/share/metasploit-framework/lib/metasm/samples/disassemble.rb
But for the life of me I can't get it to work. I know I've seen it work before, and it does something my script doesn't, which is using relative names for the jmp and loop points. ndisasm uses static/absolute addresses for each jmp and loop it makes, which is fine, but if you want to add your own asm code, these values might change. I'll make a new script to fix this (and release/update it here), and I will also try to figure out how to get the metasm program working too.

UPDATE:

Here's a tutorial on how to get metasm working:

https://www.pentestgeek.com/penetration-testing/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/
His tutorial seems to be broken for Kali 2.0's version of Metasploit, but instead of all the copying of files, I've found a way to get it to run:

$ cd /usr/share/metasploit-framework/lib/metasm/samples/
$ msfvenom -p windows/shell/bind_tcp -f raw > raw_binary
$ ruby -I.. disassemble.rb raw_binary > test.asm
$ ruby -I.. peencode.rb test.asm -o test.exe
I have not been having luck getting msf's shellcode to execute, though. It works fine when I use their built-in compiler, but the shellcode alone doesn't seem to want to work. I don't know... Edited by fugu
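An added example, not fugu's script and not part of metasm: a Python script that does what the bash script in the first post does (ndisasm output to NASM source with the address and opcode bytes kept as a trailing comment) and also addresses the point raised above about absolute jmp/loop/call targets. It parses `ndisasm -b 32` output, gives every branch target that lands on an instruction inside the dump a `loc_<addr>` label, and rewrites the branch operand to that label (keeping ndisasm's `short`/`near` hint so the re-assembled encoding matches). A target that falls outside the dump is left absolute and flagged in the comment; that is the usual sign that ndisasm started decoding at the wrong offset or that the code computes its destination at runtime. The ndisasm sample is constructed for this example, and the function and label names are my own.

```python
import re

# Constructed sample in the shape of `ndisasm -b 32` output (made up for this example,
# not captured output): a tiny loop with a forward jz and a backward short jmp.
SAMPLE_NDISASM = """\
00000000  31C0              xor eax,eax
00000002  40                inc eax
00000003  7402              jz 0x7
00000005  EBFC              jmp short 0x3
00000007  90                nop
00000008  C3                ret
"""

# address, opcode bytes, mnemonic, operands (operands are optional, e.g. "nop")
LINE_RE = re.compile(r'^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.*?))?\s*$')
# an absolute branch target as ndisasm prints it, with an optional size hint
TARGET_RE = re.compile(r'^((?:short|near|dword)\s+)?0x([0-9A-Fa-f]+)$')


def is_branch(mnemonic):
    """jmp, call, every jcc (j*), jcxz/jecxz and loop/loope/loopne."""
    m = mnemonic.lower()
    return m in ('jmp', 'call') or m.startswith('j') or m.startswith('loop')


def parse_ndisasm(text):
    """Return a list of (address, hexbytes, mnemonic, operands) tuples."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # non-matching lines (ndisasm's "-" continuation lines for long opcodes) are skipped
            addr, hexbytes, mnem, ops = m.groups()
            insns.append((int(addr, 16), hexbytes, mnem, ops or ''))
    return insns


def branch_target(mnem, ops):
    """(size_hint, target_address) for a direct branch, else None."""
    if not is_branch(mnem):
        return None
    t = TARGET_RE.match(ops)
    if not t:
        return None  # indirect branch such as "jmp eax" or "call [ebx]"
    return (t.group(1) or '', int(t.group(2), 16))


def relabel(text, prefix='loc_'):
    """Rewrite ndisasm output as NASM source with labels instead of absolute targets."""
    insns = parse_ndisasm(text)
    known = {addr for addr, _, _, _ in insns}
    # only targets that land on an instruction boundary inside the dump get labels
    targets = set()
    for _, _, mnem, ops in insns:
        bt = branch_target(mnem, ops)
        if bt and bt[1] in known:
            targets.add(bt[1])

    out = ['section .text', '    global _start', '_start:']
    for addr, hexbytes, mnem, ops in insns:
        if addr in targets:
            out.append(f'{prefix}{addr:x}:')
        note = ''
        bt = branch_target(mnem, ops)
        if bt:
            hint, target = bt
            if target in targets:
                # keep the short/near hint so the re-assembled encoding matches the original
                ops = f'{hint}{prefix}{target:x}'
            else:
                note = ' (target outside the disassembled range, left absolute)'
        insn = f'{mnem} {ops}'.rstrip()
        out.append(f'    {insn:<24}; {addr:08x} {hexbytes}{note}')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(relabel(SAMPLE_NDISASM))
```

Feed it real output with `ndisasm -b 32 raw_binary | python3 relabel.py` after changing the `__main__` block to read from stdin; the labelled source then assembles with `nasm -f bin` and can be diffed byte for byte against the original to confirm nothing moved before you start inserting your own instructions.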
