Davhack Posted November 22, 2022 Share Posted November 22, 2022 Greetings, I test the new USB Rubber Ducky and I have two questions: Q1 Where is the source file (aka payload.txt) of the inject.bin standing in the root of the new USB Rubber Ducky to check what it does ? Q2) How to convert back to payload.txt any inject.bin compiled payload ? Any help will be greatly appreciated. Thx by now for your time and help. Dav Link to comment Share on other sites More sharing options...
dark_pyrro Posted November 22, 2022 Share Posted November 22, 2022 31 minutes ago, Davhack said: Q1 Where is the source file (aka payload.txt) of the inject.bin standing in the root of the new USB Rubber Ducky to check what it does ? Not really sure what you mean here. There is no relation between the payload.txt and inject.bin files other than the fact that the text based payload file is used to encode the inject.bin file (if loaded into PayloadStudio). I.e. you don't need any payload.txt file on the Ducky to make it run a payload as long as the desired inject.bin is stored in the root of the Ducky Micro SD card. 36 minutes ago, Davhack said: Q2) How to convert back to payload.txt any inject.bin compiled payload ? There is no official utility to do that. There has been some, but just partly converting payloads back, i.e. not getting the full text based payload file as the output from the tools. In Ducky Script 3.0, I haven't seen any such tool yet to "reverse engineer" already encoded payload bin files. Link to comment Share on other sites More sharing options...
Davhack Posted November 22, 2022 Author Share Posted November 22, 2022 Greetings dark_pyrro, Thanks for your quick reply. Much appreciated. For Q1), I am simply looking for the source code of the inject.bin file standing in the root of the new USB Rubber Ducky when you buy it. Do you have it ? For Q2), I understand and I hope some day we will see an update of the old package I found on Github @ https://github.com/midnitesnake/usb-rubber-ducky Have a nice and safe day. Dav Link to comment Share on other sites More sharing options...
Davhack Posted November 22, 2022 Author Share Posted November 22, 2022 Update: inject.bin in the root of a new USB Rubber Ducky contains 4 x bytes, i.e.: F2F2F2F2. What does it mean ? Some address for NSA's backdoor code ? 🙂 Thx. Link to comment Share on other sites More sharing options...
dark_pyrro Posted November 22, 2022 Share Posted November 22, 2022 I don't think I still have the original payload saved somewhere. It should just be a simple ATTACKMODE STORAGE script Regarding F2F2F2F2; create a payload in PayloadStudio containing ATTACKMODE STORAGE only and see what you get in hex..... Creating a reverse payload utility will be some amount of work to do considering all the possible variants of Ducky Script 3.0. Anyone is of course free to create it though Link to comment Share on other sites More sharing options...
Davhack Posted November 22, 2022 Author Share Posted November 22, 2022 Thx. You got it and "ATTACKMODE STORAGE" gives F2F2F2F2 in default inject.bin coming with the new USB Rubber Ducky. As far as the reverse payload utility is concerned, is the source code of the payload compiler available ? Link to comment Share on other sites More sharing options...
dark_pyrro Posted November 22, 2022 Share Posted November 22, 2022 You could download PayloadStudio offline and browse the code and see if you get anything relevant from it. Link to comment Share on other sites More sharing options...
Davhack Posted November 23, 2022 Author Share Posted November 23, 2022 Hello, I downloaded Payload Studio but if I "grep -i F2F2F2F2 *", I even do not get a match ... I can see that mode-hak5duckyscript.js is defining all the Advanced DuckyScript language commands but no more. Here are the files I got from the download: -rw-r--r-- 1 dav users 9.5K Nov 22 09:26 1_product-tour.css -rw-r--r-- 1 dav users 16K Nov 22 09:26 1_sliding-panels.css -rw-r--r-- 1 dav users 4.0K Nov 22 09:26 1_tooltip.css -rw-r--r-- 1 dav users 9.4K Nov 22 09:26 _1_tooltip.js -rw-r--r-- 1 dav users 5.0K Nov 22 09:26 1_tree.css -rw-r--r-- 1 dav users 11K Nov 22 09:26 _1_tree.js -rw-r--r-- 1 dav users 704K Nov 22 09:26 ace.js -rw-r--r-- 1 dav users 6.7K Nov 22 09:26 alert.css -rw-r--r-- 1 dav users 526 Nov 22 09:26 alert.js -rw-r--r-- 1 dav users 3.9K Nov 22 09:26 bunny_logo.svg -rw-r--r-- 1 dav users 126K Nov 22 09:26 bunny.png -rw-r--r-- 1 dav users 261K Nov 22 09:26 ch.css -rw-r--r-- 1 dav users 8.4K Nov 22 09:26 ch_util.js -rw-r--r-- 1 dav users 7.0K Nov 22 09:26 croc_logo.svg -rw-r--r-- 1 dav users 156K Nov 22 09:26 croc.png -rw-r--r-- 1 dav users 16K Nov 22 09:26 croc.svg -rw-r--r-- 1 dav users 12K Nov 22 09:26 dialog.css -rw-r--r-- 1 dav users 5.6K Nov 22 09:26 dialog.js -rw-r--r-- 1 dav users 14K Nov 22 09:26 downloadlist.css -rw-r--r-- 1 dav users 5.4K Nov 22 09:26 duck_logo.svg -rw-r--r-- 1 dav users 138K Nov 22 09:26 duck.png -rw-r--r-- 1 dav users 76K Nov 22 09:26 ext-language_tools.js -rw-r--r-- 1 dav users 5.5K Nov 22 09:26 flash.css -rw-r--r-- 1 dav users 3.4K Nov 22 09:26 flash.js -rw-r--r-- 1 dav users 9.7K Nov 22 09:26 header.css -rw-r--r-- 1 dav users 3.4K Nov 22 09:26 header.js -rw-r--r-- 1 dav users 85K Nov 22 09:26 jquery.min.js -rw-r--r-- 1 dav users 5.6K Nov 22 09:26 menubar.css -rw-r--r-- 1 dav users 8.6K Nov 22 09:26 menubar.js -rw-r--r-- 1 dav users 6.6K Nov 22 09:26 menu.css -rw-r--r-- 1 dav users 9.1K Nov 22 09:26 menu.js -rw-r--r-- 1 dav users 9.7K Nov 22 09:26 modalform.css -rw-r--r-- 1 dav users 20K Nov 22 09:26 modalwindow.css -rw-r--r-- 1 dav users 9.2K Nov 22 09:26 modalwindow.js -rw-r--r-- 1 dav users 16K Nov 22 09:26 mode-hak5duckyscript.js -rw-r--r-- 1 dav users 7.9K Nov 22 09:26 newbunny.svg -rw-r--r-- 1 dav users 27K Nov 22 09:26 newduck.svg -rw-r--r-- 1 dav users 4.6K Nov 22 09:26 numberpicker.css -rw-r--r-- 1 dav users 2.9K Nov 22 09:26 numberpicker.js -rw-r--r-- 1 dav users 11K Nov 22 09:26 payloadstudio_large_color.png -rw-r--r-- 1 dav users 80K Nov 22 09:26 payloadstudio_main.css -rw-r--r-- 1 dav users 11K Nov 22 09:26 payloadstudiopro_large.svg -rw-r--r-- 1 dav users 7.1K Nov 22 09:26 popover.css -rw-r--r-- 1 dav users 13K Nov 22 09:26 popover.js -rw-r--r-- 1 dav users 2.2K Nov 22 09:26 pro_feature.svg -rw-r--r-- 1 dav users 3.7K Nov 22 09:26 shark_logo.svg -rw-r--r-- 1 dav users 82K Nov 22 09:26 shark.png -rw-r--r-- 1 dav users 16K Nov 22 09:26 shark.svg -rw-r--r-- 1 dav users 5.3K Nov 22 09:26 splitbutton.css -rw-r--r-- 1 dav users 622 Nov 22 09:26 splitbutton.js -rw-r--r-- 1 dav users 3.6K Nov 22 09:26 squirrel_logo.svg -rw-r--r-- 1 dav users 198K Nov 22 09:26 squirrel.png -rw-r--r-- 1 dav users 14K Nov 22 09:26 squirrel.svg -rw-r--r-- 1 dav users 28K Nov 22 09:26 theme-ambiance.js -rw-r--r-- 1 dav users 13K Nov 22 09:26 toast.css -rw-r--r-- 1 dav users 8.5K Nov 22 09:26 toast.js -rw-r--r-- 1 dav users 3.7K Nov 22 09:26 turtle_logo.svg -rw-r--r-- 1 dav users 199K Nov 22 09:26 turtle.png -rw-r--r-- 1 dav users 13K Nov 22 09:26 turtle.svg Have a nice and safe day. Dav Link to comment Share on other sites More sharing options...
dark_pyrro Posted November 23, 2022 Share Posted November 23, 2022 In the file "Hak5 PayloadStudio.html", the "Generate Payload" button calls the "Compile" function which in turn calls the "doDuckyEncode" function (starting on line 7686). I would probably start drilling there to get the logic behind the encoding. To grep for "F2F2F2F2" will not ever end up in something relevant since that is a result of the encoding procedure (and is dynamic depending on what the text payload contains), not something static that can be found in the source code. Link to comment Share on other sites More sharing options...
Davhack Posted November 24, 2022 Author Share Posted November 24, 2022 Well done. I forgot to check "Hak5 PayloadStudio.html" and you are right since the part I was looking for stands in this file. Advanced DuckyScript language commands seems to be defined by only 2 bytes in the html source code and hence the reason why I had to look for 0xf2f2 for "ATTACKMODE STORAGE" and not 0xf2f2f2f2 that appears in the binary inject.bin 🙂 That said, I would have to understand why "ATTACKMODE STORAGE" is coded on 4 bytes in inject.bin when I see that "LED_OFF" command is coded on only 2 bytes in inject.bin (i.e.: 0xeaed) ... Looks like not everything is coded on 4 bytes in inject.bin 😞 I can see that Little Endian storage is used in inject.bin but I do not catch why some commands are coded on 2 bytes and others on 4 bytes. Do you ? Have a nice and safe day. Link to comment Share on other sites More sharing options...
Korben Posted December 14, 2022 Share Posted December 14, 2022 As you've discovered - the default payload is simply ATTACKMODE STORAGE. DuckyScript 1.0 was "encoded" - one could fairly trivially reverse an inject.bin back into a payload.txt that made sense and was 1:1 as it was simply only ever injection or delay. This is not the case with 3.0. DuckyScript 3.0 is compiled more similarly to a "real" language. There are many calculations done during "encoding" that make (decompiling) going backwards from an inject.bin to a useful payload.txt not easy if at all possible - for a number of complex reasons due to the design. The details of the byte format is not intended to be required for users to understand; PayloadStudio is the only official compiler and takes care of compilation so you don't have to. However, regarding your original ask -Â PayloadStudio will in the future provide ways to mark and identify your compiled inject.bins for easier correlation back to the specific payload source that generated it; until then it will be easier to treat inject.bins as disposable and simply recompile when needed. (or keep them organized via a naming / folder structure of your choice elsewhere) Link to comment Share on other sites More sharing options...
Davhack Posted December 15, 2022 Author Share Posted December 15, 2022 Greetings Korben, Thanks for your answer. I now know that this is not that easy at least. Conclusion for the time being is that you do not have to run some unknown inject.bin since you will never know what it is going to do ... Have a nice and safe day. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.