

Topic created on: June 27, 2005 20:32 CDT by ryanlrussell.
As a learning exercise, I was writing some Windows x86 shellcode by hand. This ended up being extraordinarily slow, mostly because I don't have a good reference for what the hex values for various instructions will be.
Does anyone have a good reference for this, or (ideally) a mini-assembler?
For example, I'd like to be able to put in:
mov [EBP], AL
and have it spit out the appropriate hex values, or tell me that's not a valid instruction. By "mini-assembler", I mean something that can do a quick conversion like this, with no context, and not trying to produce a working collection of code.
I have (of course) IDA Pro and Ollydbg, if there's such a function built into those, or maybe a plugin, and I just don't know it.
If I can't have such a util, does anyone have a good reference or cheat sheet that can be used to look up hex values by mnemonic? I have a few Intel assembly books, but I find those to be unsuitably terse for this purpose.
Well, within OllyDbg you could just attach to any process, hit the assemble command (space bar) and start entering instructions. It would be nice to have a quick reference for this though, so perhaps I'll build a small web app around the ever-so-excellent libdasm disassembler and put it in the reference library.
Regarding a good reference, I find myself constantly referring to this Windows .hlp reference:
Intel Hex Opcodes and Mnemonics
|
Ah, both great, thanks!
The .hlp file is handy, and the Assemble function in Ollydbg is just about perfect.
|
I ran into a similar need when developing quick patches and found this along the way:
http://sandsprite.com/CodeStuff/cavewriter.jpg
Lets you assemble small bits of code for whatever VA you enter,
and use the target's existing IAT for API calls.
http://sandsprite.com/CodeStuff/cavewriter.zip
|
Impressive tool, quig! Took me a few minutes to figure out the UI. I had to actually read the instructions. :)
That's a nice way to assemble up a quick bit of code, and using the imports from the target is a useful feature as well.
|
Ryan,
I know your question was x86 specific, but there are tons of other systems out there. A person you may want to ask is Fyodor (of Snort fame, rather than Fyodor of Nmap fame). I know he did some work generating shellcode for a vast number of archs. If you need a contact address for him, send me an email.
Also, if you want to build your own tool, the GNU assembler sources should have the opcode-to-mnemonic mappings you need.
|
Hi
HIEW would probably work, but there's also a handy little util that is suitable just for this purpose, RTA by Squidge
http://www.wasm.ru/baixado.php?mode=tool&id=181
Regards,
Kayaker
|
JCR: Yup, I just figured such a beast was most likely to exist for x86 if anything, and that happened to be the task at hand. Such a tool that did various architectures would be cool as well, of course.
I might look into some of the various shellcode generators, as you mentioned. Spoonm also gave an interesting presentation along those lines at REcon, and I believe some of Dave Aitel's tools will compile shellcode as well.
Since I was writing shellcode, I did have some minor restrictions on the characters I could use. In particular, the overflow was passed as a command-line argument, so any kind of whitespace or line terminator (and of course NULL) couldn't be used.
I suppose if one wanted to build the ideal shellcode calculator applet, you would have a radio button for the processor, and have a set of settings for what characters were not allowed. Then you would type in some assembly or maybe some pseudo code or slightly higher-level language, and the calculator would spit out the assembly and hex. One could make it smart enough to be able to suggest an alternate expression with the same effect, designed to fit in your character restrictions, or maybe to optimize for size.
If I'm going to keep a wishlist, I might as well do it right. :)
|
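To make the wishlist in the post above concrete, here is an added example (not code from this thread, nor from RTA, OllyDbg, nasm or MOSDEF): a small Python mini-assembler for the instruction forms the thread uses (mov, xor, push, jmp reg, inc/dec, int, nop), a bad-byte check for the command-line-argument case, and a rewrite step for the commonest fix. BAD_CMDLINE is an assumed set (NUL plus the ASCII whitespace bytes), and the names assemble, bad_bytes and suggest are the example's own.

```python
"""Mini x86-32 assembler for a handful of instruction forms, with the
bad-character check asked for in the thread.  Added example: not code from
the original post nor from RTA, OllyDbg, nasm or MOSDEF.  Encodings follow
the Intel SDM ModRM/SIB rules (Intel syntax, nasm-style 0x numbers).
BAD_CMDLINE is an assumption: NUL plus the whitespace bytes Ryan mentions."""
import re

R32 = {r: i for i, r in enumerate("eax ecx edx ebx esp ebp esi edi".split())}
R8 = {r: i for i, r in enumerate("al cl dl bl ah ch dh bh".split())}
MEM = re.compile(r"\[(e[a-d]x|e[sb]p|e[sd]i)(?:\s*([+-])\s*(0x[0-9a-f]+|\d+))?\]")
BAD_CMDLINE = {0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20}


def modrm(mod, reg, rm):
    return bytes([(mod << 6) | (reg << 3) | rm])


def imm(val, size):
    """Little-endian immediate of `size` bytes, two's complement for negatives."""
    return (val & ((1 << (8 * size)) - 1)).to_bytes(size, "little")


def mem(reg_field, base, disp):
    """[base+disp] operand: ModRM, SIB if base is esp, then displacement.
    mod=00/rm=101 means "disp32, no base", so [ebp] must be encoded as
    [ebp+disp8 0]; that is where the trailing 00 in 'mov [ebp],al' comes from."""
    rm = R32[base]
    sib = b"\x24" if base == "esp" else b""
    if disp == 0 and base != "ebp":
        return modrm(0, reg_field, rm) + sib
    if -128 <= disp <= 127:
        return modrm(1, reg_field, rm) + sib + imm(disp, 1)
    return modrm(2, reg_field, rm) + sib + imm(disp, 4)


def assemble(line):
    """Bytes for one Intel-syntax instruction, or ValueError if unsupported."""
    parts = line.strip().lower().split(None, 1)
    if not parts:
        raise ValueError("empty line")
    op = parts[0]
    args = [a.strip() for a in parts[1].split(",")] if len(parts) > 1 else []
    num = lambda s: int(s, 0)                      # "8", "0x80"; no MASM-style 80h
    if op == "nop" and not args:
        return b"\x90"
    if op == "int" and len(args) == 1:
        return b"\xcd" + imm(num(args[0]), 1)
    if op in ("inc", "dec") and len(args) == 1 and args[0] in R32:
        return bytes([(0x40 if op == "inc" else 0x48) + R32[args[0]]])
    if op == "push" and len(args) == 1:
        if args[0] in R32:
            return bytes([0x50 + R32[args[0]]])
        v = num(args[0])
        return b"\x6a" + imm(v, 1) if -128 <= v <= 127 else b"\x68" + imm(v, 4)
    if op == "jmp" and len(args) == 1 and args[0] in R32:
        return b"\xff" + modrm(3, 4, R32[args[0]])                   # FF /4
    if op == "xor" and len(args) == 2 and args[0] in R32:
        if args[1] in R32:                                          # 31 /r
            return b"\x31" + modrm(3, R32[args[1]], R32[args[0]])
        return b"\x81" + modrm(3, 6, R32[args[0]]) + imm(num(args[1]), 4)  # 81 /6 id
    if op == "mov" and len(args) == 2:
        dst, src = args
        m = MEM.fullmatch(dst)
        if m:                                                       # 89 /r, 88 /r
            base, sign, d = m.groups()
            disp = num(d) * (-1 if sign == "-" else 1) if d else 0
            if src in R32:
                return b"\x89" + mem(R32[src], base, disp)
            if src in R8:
                return b"\x88" + mem(R8[src], base, disp)
        elif dst in R32 and src in R32:                             # 89 /r
            return b"\x89" + modrm(3, R32[src], R32[dst])
        elif dst in R32:                                            # B8+r id
            return bytes([0xb8 + R32[dst]]) + imm(num(src), 4)
    raise ValueError("not an instruction form this mini-assembler knows: " + line)


def bad_bytes(code, bad=BAD_CMDLINE):
    """Offsets of bytes the delivery channel would mangle."""
    return [i for i, b in enumerate(code) if b in bad]


def suggest(line, bad=BAD_CMDLINE):
    """(asm lines, bytes) with the same effect and none of `bad`, or None.
    Handles the two rewrites reached for first: mov r32,0 -> xor r32,r32 and
    mov r32,imm -> mov r32,imm^K ; xor r32,K with a key K that hides the bad bytes."""
    code = assemble(line)
    if not bad_bytes(code, bad):
        return [line], code
    m = re.fullmatch(r"mov\s+(e[a-d]x|e[sb]p|e[sd]i)\s*,\s*(0x[0-9a-f]+|\d+)",
                     line.strip().lower())
    if not m:
        return None
    reg, val = m.group(1), int(m.group(2), 0) & 0xffffffff
    if val == 0:
        alt = ["xor %s, %s" % (reg, reg)]
    else:
        for b in range(1, 256):              # K = b repeated in all four bytes
            if b not in bad and all((vb ^ b) not in bad for vb in val.to_bytes(4, "little")):
                alt = ["mov %s, 0x%x" % (reg, val ^ (b * 0x01010101)),
                       "xor %s, 0x%x" % (reg, b * 0x01010101)]
                break
        else:
            return None
    code = b"".join(assemble(a) for a in alt)
    return (alt, code) if not bad_bytes(code, bad) else None


if __name__ == "__main__":
    for text in ["mov [EBP], AL", "mov [ebp],eax", "jmp eax", "xor ecx,ecx",
                 "mov ecx, 0", "mov ecx, 8"]:
        code = assemble(text)
        print("%-16s %-24s bad at %s" % (text, code.hex(" "), bad_bytes(code)))
        if bad_bytes(code):
            print("    try:", " ; ".join(suggest(text)[0]))
```

It encodes `mov [ebp], al` as 88 45 00 and flags offset 2; for `mov ecx, 0` it proposes `xor ecx, ecx` (31 C9), and for `mov ecx, 8` it searches for a key whose bytes stay out of the bad set, rejecting K=0x01010101 because 8^1 is a TAB and settling on K=0x06060606. The xor r32,imm32 form is always emitted as 81 /6, even for eax, where nasm would pick the shorter 35 id; both are valid encodings.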
Kayaker: RTA is pretty much exactly what I wanted, thanks!
HIEW doesn't seem to want to run on my machine.
|
I personally use RTA myself. It is pretty handy.
Else, when I need big chunks of assembly, I have done a little TASM project where I write whatever I need to assemble. I assemble and link it, then execute it, and a simple CreateFileA/WriteFile extracts the shellcode or whatever piece of code I have there into a .bin file.
Then it would take a few minutes to write a utility to create C, assembly, Delphi, or whatever-language arrays, ready to be placed into your sploit, for instance.
While this is not the best way to do it (I don't use nasm much), if you have big code to write, i.e. longer than usual shellcodes, it is pretty handy.
|
Well, some time back I did kind of what nico suggested, using MASM. Maybe it's useful.
I created a .bat file with this content:
[code]
@echo off
ml /c /coff /nologo whatever.asm
dumpbin /rawdata:bytes whatever.obj /out:shellcode.txt
edit shellcode.txt
[/code]
Now if I have an .asm file named whatever.asm like this:
[code]
.386
.model flat, stdcall
option casemap:none
bamba PROTO
gimba PROTO :DWORD
.code
start:
push 0
push 401020    ; decimal (MASM wants 401020h for hex): pushes 0x61E7C, as the dump shows
push 401040
push 0
call bamba
invoke gimba,9
bamba proc
nop
nop
nop
nop
nop
nop
nop
nop
ret
bamba endp
gimba proc handle
push handle
push 0
nop
nop
push 87h
ret
gimba endp
end start
[/code]
and run the .bat, you will get a shellcode.txt like this:
[code]
Dump of file t.obj
File Type: COFF OBJECT
RAW DATA #1
00000000: 6A 00 68 7C 1E 06 00 68 90 1E 06 00 6A 00 E8 07 j.h|...h....j.
[/code]
|
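As an added example (not from the post above, nor from MASM or dumpbin) of the extraction step nico and the previous poster describe, here is a Python parser for the text that dumpbin /rawdata:bytes writes, emitting the bytes of a chosen section as a C array ready to paste into an exploit. SAMPLE is constructed: its first row is the one shown in the post, while the second row and RAW DATA #2 are made up to exercise a short final row and a second section; parse_rawdata, to_c_array and shellcode_from_dumpbin are the example's own names.

```python
"""Turn the text dumpbin /rawdata:bytes writes into shellcode bytes and a C
array.  Added example, not from the original post or from MASM/dumpbin.
SAMPLE is constructed: its first row is the one shown in the post, the
second row and RAW DATA #2 are made up to exercise a short final row and a
second section."""
import re

# One dump row: 8-digit hex offset, a colon, then 1..16 byte columns each
# preceded by exactly one space.  The ASCII column is preceded by two or
# more spaces, so the regex never runs into it even if it looks hex-like.
ROW = re.compile(r"^\s*([0-9A-Fa-f]{8}):((?: [0-9A-Fa-f]{2}){1,16})")
SECTION = re.compile(r"^\s*RAW DATA #(\d+)")

SAMPLE = """\
Dump of file whatever.obj
File Type: COFF OBJECT
RAW DATA #1
  00000000: 6A 00 68 7C 1E 06 00 68 90 1E 06 00 6A 00 E8 07  j.h|...h....j...
  00000010: 00 00 00 C3                                      ....
RAW DATA #2
  00000000: 41 42 43 44                                      ABCD
"""


def parse_rawdata(text):
    """Map section number -> bytes, checking that rows are contiguous so a
    truncated or hand-edited dump is caught instead of silently shifted."""
    sections, current = {}, None
    for line in text.splitlines():
        s = SECTION.match(line)
        if s:
            current = int(s.group(1))
            sections[current] = bytearray()
            continue
        r = ROW.match(line)
        if r and current is not None:
            offset = int(r.group(1), 16)
            if offset != len(sections[current]):
                raise ValueError("row at %#x does not follow the previous row" % offset)
            sections[current] += bytes.fromhex(r.group(2))   # fromhex skips the spaces
    return {k: bytes(v) for k, v in sections.items()}


def to_c_array(code, name="shellcode", per_line=12):
    """C source for the bytes, with the length as a #define so the exploit
    never has to rely on strlen() over a buffer that may contain NULs."""
    lines = [", ".join("0x%02x" % b for b in code[i:i + per_line])
             for i in range(0, len(code), per_line)]
    return ("#define %s_LEN %d\nunsigned char %s[%s_LEN] = {\n    %s\n};\n"
            % (name.upper(), len(code), name, name.upper(), ",\n    ".join(lines)))


def shellcode_from_dumpbin(text, section=1):
    """The code section is RAW DATA #1 for a single-.code object like the one above."""
    return parse_rawdata(text)[section]


if __name__ == "__main__":
    print(to_c_array(shellcode_from_dumpbin(SAMPLE)))
```

Run it on the real shellcode.txt with `python thisfile.py < shellcode.txt` after swapping SAMPLE for `sys.stdin.read()`; the contiguity check is what tells you when `dumpbin` wrapped a section across a page boundary or you pasted only part of the dump.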
BTW Pedram, as Hoglund suggests, a way to edit posts would be fine too :)
I wanted to add this saved link to my post but I am forced to create a new one.
A nice article about creating shellcode:
http://www.linuxgazette.com/node/9166
|
mnemonix.exe is in the MASM32 package, www.movsd.com. Maybe you can get it separately. It is a listbox of mnemonics.
|
As far as I know (haven't had a look at the most recent version), it is not a very complete list.
|
MOSDEF is one solution. For example, CANVAS_ME/MOSDEF/mosdef.py -a "mov %al, (%ebp)" will tell you the answer to your question. :> If you're having a really good time, you can call assembleEx(code,arch) and have it tell you a long list of meta-data attached to each bit. Assembling jmps is harder than it seems...
Should I make MOSDEF's assembler a web service? :>
|
I haven't actually gotten around to looking at MOSDEF yet; I should. But yes, if it can be used as a library easily, then it might be quite suitable. It could be especially nice because of the multi-platform support.
|
If you have Cygwin and nasm installed, you could try the following:
#!/bin/sh
while read; do
    rm -f /tmp/assemble.bin         # clear the last result so a failed assemble does not reprint it
    echo "USE32" > /tmp/assemble
    echo "$REPLY" >> /tmp/assemble  # quoted, or the shell may expand [ebp] as a glob
    nasm -f bin -o /tmp/assemble.bin /tmp/assemble
    if [ -f /tmp/assemble.bin ]; then
        od -A x -t x1 /tmp/assemble.bin | head -n 1 | cut -c 8-
    fi
done
rm -f /tmp/assemble
rm -f /tmp/assemble.bin
Which is interactive and looks like this when run:
# ./assemble.sh
mov [ebp],eax
89 45 00
mov [ebp],al
88 45 00
jmp eax
ff e0
xor ecx,ecx
31 c9
nop
90
Alternatively you could use cat to pipe a larger file through it, though you might as well use nasm directly on the file in that case.
Chris
|
Apologies for replying to myself. Pedram let me know of a cross platform problem and I think the following is a bit better:
#!/bin/sh
# Cygwin users probably need /usr/bin/sh above
while read x; do
    rm -f /tmp/assemble.bin     # clear the last result so a failed assemble does not reprint it
    echo "USE32" > /tmp/assemble
    echo "$x" >> /tmp/assemble  # quoted, or the shell may expand [ebp] as a glob
    nasm -f bin -o /tmp/assemble.bin /tmp/assemble
    if [ -f /tmp/assemble.bin ]; then
        od -A x -t x1 /tmp/assemble.bin | head -n 1 | cut -c 8-
    fi
done
rm -f /tmp/assemble
rm -f /tmp/assemble.bin
Chris
|