Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
# r2pipe script using ESIL to decode the msfvenom x86/alpha_mixed encoder
import r2pipe
import sys
def dump(addr):
pass
def startEsil():
r.cmd('e io.cache=true')
r.cmd('e asm.bits=32')
r.cmd('e asm.arch=x86')
r.cmd('aei')
r.cmd('aeip')
r.cmd('aeim 0xffffd000 0x2000 stack')
def emulate():
# First we need to find our current address
cmd = r.cmdj('pdj 1')
base = cmd[0]['offset']
print "Base address: %x" % (base)
# Now we grab the size of the payload
cmd = r.cmdj('oj')
end = cmd[0]['size']
print "Size of payload: %x" % (end)
lastfpu = 0
# We need to fudge the FPU call, as Radare doesn't support this yet
for i in range(10000):
# Get reg values
regs = r.cmdj('aerj')
# Retrieve current EIP value
cmd = r.cmdj('pdj 1 @ ' + str(regs['eip']))[0]
if cmd['family'] == 'fpu':
if cmd['opcode'].startswith('fnstenv'):
# If we have our FPU instruction, we dump the location of the last FPU instruction (mock)
r.cmd('wv %d @ %d' % (lastfpu, regs['esp']))
else:
lastfpu = cmd['offset']
# The 'jne' call is the final call before our payload
if cmd['opcode'].startswith('jne'):
decoded = cmd['offset'] + cmd['size']
# We can ask the emulator to break after the jne call, which will be our decoded payload
r.cmd('aecu ' + str(decoded))
# Finally, we extract the original payload
print r.cmd('pD %d @ %d' % (end - (decoded - base), base + (decoded - base)))
raw = r.cmdj('p8j %d @ %d' % (end - (decoded - base), decoded))
with open('out.bin', 'w') as f:
f.write(''.join(map(chr, raw)))
print "Raw code is now in ./out.bin"
quit(0)
r.cmd('aes')
r = r2pipe.open(sys.argv[1])
r.cmd('e asm.comments=false');
r.cmd('e asm.lines=false');
r.cmd('e asm.flags=false');
startEsil()
emulate()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.