Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
# r2pipe script using ESIL to decode the msfvenom jmp_call_additive XOR encoder
import r2pipe
import sys
def dump(addr):
pass
def startEsil():
r.cmd('e io.cache=true')
r.cmd('e asm.bits=32')
r.cmd('e asm.arch=x86')
r.cmd('aei')
r.cmd('aeim 0xffffd000 0x2000 stack')
def emulate():
# First we need to find our current address
cmd = r.cmdj('pdj 1')
base = cmd[0]['offset']
print "Base address: %x" % (base)
cmd = r.cmdj('oj')
end = cmd[0]['size']
print "Size of payload: %x" % (end)
# Next we need to find the CALL opcode which marks the end of the encoder
cmd = r.cmdj('pdj 100')
for c in cmd:
if c['opcode'].startswith('call'):
decoded = c['offset'] + 5
break
print "Length of Decoder: %d bytes" % (decoded - base)
# Now we emulate until we are beyond the call and the orig payload has been decoded
r.cmd('aecu %d' % (base + (decoded - base)))
print r.cmd('pD %d @ %d' % (end - (decoded - base), base + (decoded - base)))
raw = r.cmdj('p8j %d @ %d' % (end - (decoded - base), decoded))
with open('out.bin', 'w') as f:
f.write(''.join(map(chr, raw)))
print "Raw code is now in ./out.bin"
r = r2pipe.open(sys.argv[1])
r.cmd('e asm.comments=false');
r.cmd('e asm.lines=false');
r.cmd('e asm.flags=false');
startEsil()
emulate()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.