
Convert back inject.bin to payload.txt


Davhack


Greetings,
I am testing the new USB Rubber Ducky and I have two questions:

Q1) Where is the source file (aka payload.txt) of the inject.bin that stands in the root of the new USB Rubber Ducky, so I can check what it does?

Q2) How can any compiled inject.bin payload be converted back to payload.txt?

Any help will be greatly appreciated.
Thanks in advance for your time and help.
Dav


31 minutes ago, Davhack said:

Q1) Where is the source file (aka payload.txt) of the inject.bin that stands in the root of the new USB Rubber Ducky, so I can check what it does?

Not really sure what you mean here. There is no relation between the payload.txt and inject.bin files other than the fact that the text based payload file is used to encode the inject.bin file (if loaded into PayloadStudio). I.e. you don't need any payload.txt file on the Ducky to make it run a payload as long as the desired inject.bin is stored in the root of the Ducky Micro SD card.

36 minutes ago, Davhack said:

Q2) How can any compiled inject.bin payload be converted back to payload.txt?

There is no official utility to do that. There have been some, but they only partly convert payloads back, i.e. they don't produce the full text-based payload file as output. For Ducky Script 3.0, I haven't seen any such tool yet that "reverse engineers" already encoded payload bin files.


Greetings dark_pyrro,

Thanks for your quick reply. Much appreciated.

For Q1), I am simply looking for the source code of the inject.bin file that stands in the root of the new USB Rubber Ducky when you buy it. Do you have it?

For Q2), I understand, and I hope some day we will see an update of the old package I found on GitHub @ https://github.com/midnitesnake/usb-rubber-ducky

Have a nice and safe day.

Dav


I don't think I still have the original payload saved somewhere. It should just be a simple ATTACKMODE STORAGE script.

Regarding F2F2F2F2: create a payload in PayloadStudio containing ATTACKMODE STORAGE only and see what you get in hex.

Creating a reverse payload utility will be some amount of work considering all the possible variants of Ducky Script 3.0. Anyone is of course free to create it though.


Hello,

I downloaded Payload Studio, but if I run "grep -i F2F2F2F2 *" I do not even get a match ...

I can see that mode-hak5duckyscript.js defines all the Advanced DuckyScript language commands, but nothing more.

Here are the files I got from the download:

-rw-r--r-- 1 dav users 9.5K Nov 22 09:26 1_product-tour.css
-rw-r--r-- 1 dav users  16K Nov 22 09:26 1_sliding-panels.css
-rw-r--r-- 1 dav users 4.0K Nov 22 09:26 1_tooltip.css
-rw-r--r-- 1 dav users 9.4K Nov 22 09:26 _1_tooltip.js
-rw-r--r-- 1 dav users 5.0K Nov 22 09:26 1_tree.css
-rw-r--r-- 1 dav users  11K Nov 22 09:26 _1_tree.js
-rw-r--r-- 1 dav users 704K Nov 22 09:26 ace.js
-rw-r--r-- 1 dav users 6.7K Nov 22 09:26 alert.css
-rw-r--r-- 1 dav users  526 Nov 22 09:26 alert.js
-rw-r--r-- 1 dav users 3.9K Nov 22 09:26 bunny_logo.svg
-rw-r--r-- 1 dav users 126K Nov 22 09:26 bunny.png
-rw-r--r-- 1 dav users 261K Nov 22 09:26 ch.css
-rw-r--r-- 1 dav users 8.4K Nov 22 09:26 ch_util.js
-rw-r--r-- 1 dav users 7.0K Nov 22 09:26 croc_logo.svg
-rw-r--r-- 1 dav users 156K Nov 22 09:26 croc.png
-rw-r--r-- 1 dav users  16K Nov 22 09:26 croc.svg
-rw-r--r-- 1 dav users  12K Nov 22 09:26 dialog.css
-rw-r--r-- 1 dav users 5.6K Nov 22 09:26 dialog.js
-rw-r--r-- 1 dav users  14K Nov 22 09:26 downloadlist.css
-rw-r--r-- 1 dav users 5.4K Nov 22 09:26 duck_logo.svg
-rw-r--r-- 1 dav users 138K Nov 22 09:26 duck.png
-rw-r--r-- 1 dav users  76K Nov 22 09:26 ext-language_tools.js
-rw-r--r-- 1 dav users 5.5K Nov 22 09:26 flash.css
-rw-r--r-- 1 dav users 3.4K Nov 22 09:26 flash.js
-rw-r--r-- 1 dav users 9.7K Nov 22 09:26 header.css
-rw-r--r-- 1 dav users 3.4K Nov 22 09:26 header.js
-rw-r--r-- 1 dav users  85K Nov 22 09:26 jquery.min.js
-rw-r--r-- 1 dav users 5.6K Nov 22 09:26 menubar.css
-rw-r--r-- 1 dav users 8.6K Nov 22 09:26 menubar.js
-rw-r--r-- 1 dav users 6.6K Nov 22 09:26 menu.css
-rw-r--r-- 1 dav users 9.1K Nov 22 09:26 menu.js
-rw-r--r-- 1 dav users 9.7K Nov 22 09:26 modalform.css
-rw-r--r-- 1 dav users  20K Nov 22 09:26 modalwindow.css
-rw-r--r-- 1 dav users 9.2K Nov 22 09:26 modalwindow.js
-rw-r--r-- 1 dav users  16K Nov 22 09:26 mode-hak5duckyscript.js
-rw-r--r-- 1 dav users 7.9K Nov 22 09:26 newbunny.svg
-rw-r--r-- 1 dav users  27K Nov 22 09:26 newduck.svg
-rw-r--r-- 1 dav users 4.6K Nov 22 09:26 numberpicker.css
-rw-r--r-- 1 dav users 2.9K Nov 22 09:26 numberpicker.js
-rw-r--r-- 1 dav users  11K Nov 22 09:26 payloadstudio_large_color.png
-rw-r--r-- 1 dav users  80K Nov 22 09:26 payloadstudio_main.css
-rw-r--r-- 1 dav users  11K Nov 22 09:26 payloadstudiopro_large.svg
-rw-r--r-- 1 dav users 7.1K Nov 22 09:26 popover.css
-rw-r--r-- 1 dav users  13K Nov 22 09:26 popover.js
-rw-r--r-- 1 dav users 2.2K Nov 22 09:26 pro_feature.svg
-rw-r--r-- 1 dav users 3.7K Nov 22 09:26 shark_logo.svg
-rw-r--r-- 1 dav users  82K Nov 22 09:26 shark.png
-rw-r--r-- 1 dav users  16K Nov 22 09:26 shark.svg
-rw-r--r-- 1 dav users 5.3K Nov 22 09:26 splitbutton.css
-rw-r--r-- 1 dav users  622 Nov 22 09:26 splitbutton.js
-rw-r--r-- 1 dav users 3.6K Nov 22 09:26 squirrel_logo.svg
-rw-r--r-- 1 dav users 198K Nov 22 09:26 squirrel.png
-rw-r--r-- 1 dav users  14K Nov 22 09:26 squirrel.svg
-rw-r--r-- 1 dav users  28K Nov 22 09:26 theme-ambiance.js
-rw-r--r-- 1 dav users  13K Nov 22 09:26 toast.css
-rw-r--r-- 1 dav users 8.5K Nov 22 09:26 toast.js
-rw-r--r-- 1 dav users 3.7K Nov 22 09:26 turtle_logo.svg
-rw-r--r-- 1 dav users 199K Nov 22 09:26 turtle.png
-rw-r--r-- 1 dav users  13K Nov 22 09:26 turtle.svg

Have a nice and safe day.

Dav


In the file "Hak5 PayloadStudio.html", the "Generate Payload" button calls the "Compile" function which in turn calls the "doDuckyEncode" function (starting on line 7686). I would probably start drilling there to get the logic behind the encoding.

Grepping for "F2F2F2F2" will never turn up anything relevant, since that is a result of the encoding procedure (and is dynamic, depending on what the text payload contains), not something static that can be found in the source code.


Well done. I forgot to check "Hak5 PayloadStudio.html", and you are right: the part I was looking for is in this file.

Advanced DuckyScript language commands seem to be defined by only 2 bytes in the HTML source code, hence the reason why I had to look for 0xf2f2 for "ATTACKMODE STORAGE" and not the 0xf2f2f2f2 that appears in the binary inject.bin 🙂 That said, I would have to understand why "ATTACKMODE STORAGE" is coded on 4 bytes in inject.bin when I see that the "LED_OFF" command is coded on only 2 bytes in inject.bin (i.e. 0xeaed) ... Looks like not everything is coded on 4 bytes in inject.bin 😞

I can see that little-endian storage is used in inject.bin, but I do not understand why some commands are coded on 2 bytes and others on 4 bytes.

Do you ?

Have a nice and safe day.


  • 3 weeks later...

As you've discovered, the default payload is simply ATTACKMODE STORAGE.

DuckyScript 1.0 was "encoded": one could fairly trivially reverse an inject.bin back into a payload.txt that made sense and was 1:1, as it was only ever injection or delay. This is not the case with 3.0.

DuckyScript 3.0 is compiled more similarly to a "real" language. There are many calculations done during "encoding" that make going backwards (decompiling) from an inject.bin to a useful payload.txt not easy, if at all possible, for a number of complex reasons due to the design. The details of the byte format are not intended to be required for users to understand; PayloadStudio is the only official compiler and takes care of compilation so you don't have to.

However, regarding your original ask:
PayloadStudio will in the future provide ways to mark and identify your compiled inject.bins for easier correlation back to the specific payload source that generated it; until then it will be easier to treat inject.bins as disposable and simply recompile when needed (or keep them organized via a naming / folder structure of your choice elsewhere).

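The 1.0 encoding Korben describes as trivially reversible can be illustrated with a small decoder, which is the kind of tool that lets you inspect an unknown legacy inject.bin before deciding whether to run it. This is an added example, not code from the thread, from Hak5 or from the midnitesnake repository. It assumes the classic two-byte instruction layout of the original Duck encoder as I understand it (a HID usage code followed by a modifier byte, and DELAY as 0x00 followed by a duration byte, split into 0xFF chunks when the delay exceeds 255); the DELAY unit, the partial US keymap and the sample bytes are all assumptions or constructed for the example, and the result is an approximation of the source rather than the exact original payload.txt.

```python
"""Decode a classic DuckyScript 1.0 inject.bin into readable payload.txt lines.

Assumed format (from my reading of the original Duck encoder, not verified
against firmware):
  - every instruction is two bytes
  - 0x00 <n>    : DELAY n (the encoder splits longer delays into 0xFF chunks)
  - <key> <mod> : press HID usage <key> with modifier bitmask <mod>
Only a partial US keymap is included; unknown keys are shown as KEY_0x..
"""
from typing import List

# HID usage codes for a subset of the US layout: a-z, 0-9 and space.
KEYMAP = {i + 4: chr(ord("a") + i) for i in range(26)}      # 0x04..0x1D -> a..z
KEYMAP.update({30 + i: str(i + 1) for i in range(9)})         # 0x1E..0x26 -> 1..9
KEYMAP[39] = "0"                                              # 0x27 -> 0
KEYMAP[44] = " "                                              # 0x2C -> space
SPECIAL = {40: "ENTER", 41: "ESCAPE", 42: "BACKSPACE", 43: "TAB", 44: "SPACE"}
# Modifier bitmask as defined by the USB HID boot keyboard report (left-hand keys).
MODIFIERS = [(0x01, "CTRL"), (0x02, "SHIFT"), (0x04, "ALT"), (0x08, "GUI")]


def decode(blob: bytes) -> List[str]:
    """Return payload.txt-style lines reconstructed from a 1.0 inject.bin."""
    if len(blob) % 2:
        raise ValueError("inject.bin length must be even (2-byte instructions)")
    lines: List[str] = []
    text = ""    # printable characters being merged into one STRING line
    delay = 0    # accumulated DELAY chunks (merges the encoder's 0xFF splits)

    def flush_text() -> None:
        nonlocal text
        if text:
            lines.append("STRING " + text)
            text = ""

    def flush_delay() -> None:
        nonlocal delay
        if delay:
            lines.append(f"DELAY {delay}")
            delay = 0

    for i in range(0, len(blob), 2):
        key, mod = blob[i], blob[i + 1]
        if key == 0x00:                       # delay instruction
            flush_text()
            delay += mod
            continue
        flush_delay()
        ch = KEYMAP.get(key)
        # Unmodified printable keys, and SHIFT on letters, merge into a STRING.
        if ch is not None and (mod == 0x00 or (mod == 0x02 and ch.isalpha())):
            text += ch.upper() if mod == 0x02 else ch
            continue
        flush_text()                          # anything else is a key combo
        names = [name for bit, name in MODIFIERS if mod & bit]
        names.append(SPECIAL.get(key) or ch or f"KEY_0x{key:02X}")
        lines.append(" ".join(names))
    flush_text()
    flush_delay()
    return lines


# Constructed sample bytes (hypothetical, not from a real device):
# DELAY 300 (255 + 45), STRING "Hi there", ENTER, CTRL ALT t
SAMPLE = bytes([
    0x00, 0xFF, 0x00, 0x2D,                                   # DELAY 255, DELAY 45
    0x0B, 0x02, 0x0C, 0x00, 0x2C, 0x00,                       # H i <space>
    0x17, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x15, 0x00, 0x08, 0x00,  # t h e r e
    0x28, 0x00,                                               # ENTER
    0x17, 0x05,                                               # CTRL ALT t
])

if __name__ == "__main__":
    print("\n".join(decode(SAMPLE)))
```

To inspect a real legacy file, read it with `open(path, "rb").read()` and pass the bytes to `decode`. Because the decoder only knows a subset of the keymap and guesses where STRING boundaries are, treat its output as a reading aid, not a faithful reconstruction; as the thread notes, nothing comparable exists for the 3.0 compiled format.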

Greetings Korben,

Thanks for your answer. I now know that this is not that easy, at least.

Conclusion for the time being is that you do not have to run some unknown inject.bin, since you will never know what it is going to do ...

Have a nice and safe day.
