# r2pipe script using ESIL to decode the msfvenom jmp_call_additive XOR encoder.
# The encoded payload is emulated under ESIL, never executed natively; the
# decoded bytes are written to ./out.bin and are raw shellcode -- treat that
# file as malicious and do not run it.
import r2pipe | |
import sys | |
def dump(addr):
    """Placeholder hook for dumping memory at ``addr``; currently a no-op.

    Nothing in this script calls it; it is kept so the original interface
    (one positional ``addr`` argument, returns None) is preserved.
    """
    return None
def startEsil():
    """Prepare the module-level r2pipe handle ``r`` for ESIL emulation.

    Sets io.cache=true (so the decoder's self-modifying writes go to
    radare2's in-memory cache rather than the file on disk -- r2 semantics,
    confirm against your r2 version), forces 32-bit x86 decoding, then
    initialises the ESIL VM (``aei``) and maps a 0x2000-byte stack at
    0xffffd000 for it (``aeim``).  The ``e`` settings are order-independent;
    ``aei`` must precede ``aeim``.
    """
    for setting in ('io.cache=true', 'asm.bits=32', 'asm.arch=x86'):
        r.cmd('e %s' % setting)
    # VM first, then the stack it will run on.
    for vm_cmd in ('aei', 'aeim 0xffffd000 0x2000 stack'):
        r.cmd(vm_cmd)
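def emulate(r2=None, out_path='./out.bin'):
    """Run the jmp_call_additive decoder stub under ESIL and dump the decoded payload.

    The stub is assumed to end at the first ``call`` among the first 100
    instructions from the current seek (that call hands control to the decoded
    body, which starts right after it).  Emulation continues (``aecu``) until
    PC reaches that address, by which point the decoder has rewritten the
    payload in place (writes land in io.cache when startEsil() was run).  The
    bytes from there to the end of the open file are disassembled to stdout
    and written to ``out_path`` in binary mode.

    The sample is only emulated, never executed natively -- but the output
    file is raw, decoded shellcode: treat it as malicious and never run it.

    :param r2: r2pipe handle; defaults to the module-level ``r``.
    :param out_path: path the decoded bytes are written to (binary mode).
    :raises RuntimeError: if no ``call`` is found in the first 100
        instructions -- the input does not look like a jmp_call_additive stub
        (previously this surfaced as an unhelpful NameError).
    """
    if r2 is None:
        r2 = r
    # Current seek is where the encoder stub begins.
    base = r2.cmdj('pdj 1')[0]['offset']
    print("Base address: %x" % base)
    # Size of the open file == end of the encoded payload.
    end = r2.cmdj('oj')[0]['size']
    print("Size of payload: %x" % end)

    # The CALL marks the end of the decoder; the decoded body starts just past it.
    decoded = None
    for insn in r2.cmdj('pdj 100'):
        if insn['opcode'].startswith('call'):
            # Use the real instruction length when r2 reports it; the original
            # hard-coded 5, i.e. a near call with a rel32 operand.
            decoded = insn['offset'] + insn.get('size', 5)
            break
    if decoded is None:
        raise RuntimeError(
            'no call found in the first 100 instructions; '
            'not a jmp_call_additive stub?')
    decoder_len = decoded - base
    print("Length of Decoder: %d bytes" % decoder_len)

    # Emulate until execution reaches the decoded body.
    r2.cmd('aecu %d' % decoded)
    body_len = end - decoder_len
    print(r2.cmd('pD %d @ %d' % (body_len, decoded)))
    raw = r2.cmdj('p8j %d @ %d' % (body_len, decoded))
    # Binary mode: text mode would newline-translate (Windows) or, on
    # Python 3, UTF-8-encode bytes >= 0x80 and corrupt the shellcode.
    with open(out_path, 'wb') as f:
        f.write(bytearray(raw))
    print("Raw code is now in %s" % out_path)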
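# Script entry: usage check first so a missing argument gives a clear message
# instead of an IndexError traceback.
if len(sys.argv) < 2:
    sys.stderr.write('usage: %s <msfvenom jmp_call_additive payload>\n' % sys.argv[0])
    sys.exit(1)
# Module-level handle shared by startEsil() and emulate().
r = r2pipe.open(sys.argv[1])
# Keep the pD dump plain: no comments, lines or flags.
for setting in ('asm.comments=false', 'asm.lines=false', 'asm.flags=false'):
    r.cmd('e %s' % setting)
startEsil()
emulate()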