fugu Posted December 4, 2015 Share Posted December 4, 2015 (edited) I've been messing with machine <-> asm back and forth, and I have a script to create compilable asm from machine code (in hex format) s="90909041484A"; echo "section .bss"; echo; echo "section .data"; echo; echo "section .text"; echo " global _start"; echo " _start:"; COUNT=0; for i in $(echo -n "$s" | xxd -ps -r | ndisasm -b 32 - | awk '{ORS="";print " ";for(i=3; i<NF+2; i++) print $i" "; print "; "$1" "$2"\n"}' | tr ' ' '\377'); do CHAR_TEMP="$(echo "$i" | tr '\377' ' ' | sed 's/^\([^;]*\);.*$/\1/g' | wc -c)"; CHAR_WC=$(($CHAR_TEMP / 8 )); if [ "$((CHAR_TEMP % 8))" = "0" ]; then CHAR_WC=$(($CHAR_WC-1)); fi; echo "$i" | tr '\377' ' ' | sed 's/^\([^;]*\);.*$/\1/g' | tr -d '\n'; for j in $(seq 0 $((8-$CHAR_WC))); do echo -ne "\t"; done; echo "$i" | tr '\377' ' ' | sed 's/^[^;]*\(;.*\)$/\1/g' | tr -d '\n'; echo; COUNT=$(($COUNT+1)); done maybe is might be helpful to someone Edited December 4, 2015 by fugu Quote Link to comment Share on other sites More sharing options...
cooper Posted December 5, 2015 Share Posted December 5, 2015 Now it's only a one-liner when there's no semicolon in there... What do you call machine code? The .o file? Quote Link to comment Share on other sites More sharing options...
fugu Posted December 5, 2015 Author Share Posted December 5, 2015 (edited) Yeah I guess thats right. I wish I knew how to make it a true oneliner, but its so complicated it's probably not possible. I should relabel this post "script" for clarity. Just piping in the .o/.obj file probably won't work, I've been diving into those files to pull out just the executable part of it. I'm mainly using it for analysing shellcodes and such. I've found that tools like objdump/ndisasm are great for disassembly, but the format they leave the code in can't be compiled. I made this script to convert the ndisasm output into something that can be directly compiled again. So, for instance, you can do $ msfpayload windows/exec CMD=dir R | xxd -ps | tr -d '\n'; echo and this could be the machine code used in the script. Edited December 5, 2015 by fugu Quote Link to comment Share on other sites More sharing options...
i8igmac Posted December 5, 2015 Share Posted December 5, 2015 Very cool. Quote Link to comment Share on other sites More sharing options...
fugu Posted December 6, 2015 Author Share Posted December 6, 2015 (edited) So I guess there is already a tool to do this in: /usr/share/metasploit-framework/lib/metasm/samples/disassemble.rb But for the life of me I can't get it to work. I know I've seen it work before and it does something my script doesn't, which is using relative names for the jmp and loop points. ndisasm uses static/absolute addresses for each jmp and loop it makes, which is fine, but if you want to add your own asm code, these values might change. I'll will make a new script to fix this (and release/update it here), and I will also try to figure out how to get the metasm program working too. UPDATE: Heres a tutorial on how to get metasm working: https://www.pentestgeek.com/penetration-testing/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/ His tutorial seems to be broken for kali-2.0's version of metasploit, but instead of all the copying of files, I've found a way to get it to run: $ cd /usr/share/metasploit-framework/lib/metasm/samples/ $ msfvenom -p windows/shell/bind_tcp -f raw > raw_binary $ ruby -I.. disassemble.rb raw_binary > test.asm $ ruby -I.. peencode.rb test.asm -o test.exe I have not been having luck getting msf's shellcode to execute though. It works fine when I use their builtin compiler, but the shellcode alone doesn't seem to want to work. I don't know... Edited December 8, 2015 by fugu Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.