flat assembler
Message board for the users of flat assembler.

Index > Windows > Please Help me to convert fasm code to C ShellCode

Author
Thread Post new topic Reply to topic
tigo



Joined: 17 Dec 2011
Posts: 3
Location: FAR
tigo 18 Dec 2011, 16:59
This is RC4 encryption, i tried several times but i failed to execute from Visual C,

Actual Code from in this board
Code:
include 'win32ax.inc'
.data 
cBuffer db 'Hello world',0 
cPassword db 'Password',0 
s db 257 dup(0)

section '.text' code readable executable

start: 
stdcall Len,cPassword 
mov ebx,eax 
stdcall Len,cBuffer 

stdcall RC4,cBuffer,cPassword,eax,ebx 
invoke MessageBox,0,cBuffer,0,0 

invoke ExitProcess,0 

proc RC4,pBuffer,pPassword,pTam?oBuffer,pTamPass 
pushad 
dec [pTam?oBuffer] 
;   For i = 0 To 255 
 ; DoEvents 
 ; s(i) = i 
 ;   Next i 
 mov eax,s 
mov byte[eax],0 
inc eax 
mov ecx,256 
.bucle1_: 
mov bl,byte[eax-1] 
inc bl 
mov  byte[eax] ,bl 
inc eax 
loop .bucle1_ 

;    For i = 0 To 255 
;        DoEvents 
;        j = (j + s(i) + Key(i Mod Len(sKey))) Mod 256 
;        tmp = s(i) 
;        s(i) = s(j) 
;        s(j) = tmp 
;    Next i 
;j = ebx 
;ja = esi 
;I = edi 
xor ebx,ebx 
mov edi,-1 
.bucle2_: 
inc edi 
xor esi,esi 
mov esi,ebx 
movzx eax,byte[s+edi] 
add esi,eax 
stdcall lMod,edi,[pTamPass] 
mov ecx,[pPassword] 
movzx eax,byte[ecx+eax] 
add esi,eax 
stdcall lMod,esi,256 
mov ebx, eax 
mov eax,s 
mov cl,byte[eax+ebx] ; s(j) 
mov ch,byte[eax+edi] ; s(i) 
mov byte[eax+edi],cl 
mov byte[eax+ebx],ch 
cmp edi,255 
jne .bucle2_ 
inc edi 


 ;   For l = 0 To UBound(Buffer) 
 ;       DoEvents 
 ;       i = (i + 1) Mod 256 
 ;       j = (j + s(i)) Mod 256 
 ;       tmp = s(i) 
 ;       s(i) = s(j) 
 ;       s(j) = tmp 
 ;       Buffer(l) = Buffer(l) Xor (s((s(i) + s(j)) Mod 256)) 
 ;   Next l 
xor esi,esi  ;esi = l 
dec esi ; esi = -1 
.bucle3_: 
inc esi 
mov eax,edi 
inc eax 
stdcall lMod,eax,256 
mov edi,eax 
mov eax,ebx 
xor ecx,ecx 
movzx ecx,byte[s+edi] 
add eax,ecx 
stdcall lMod,eax,256 
mov ebx,eax 
mov eax,s 
mov cl,byte[eax+ebx] ; s(j) 
mov ch,byte[eax+edi] ; s(i) 
mov byte[eax+edi],cl 
mov byte[eax+ebx],ch 
mov eax,[pBuffer] 
add cl,ch 
movzx eax,cl 
add eax,s 
movzx eax,byte[eax] 
stdcall lMod,eax,256 

mov edx,[pBuffer] 
xor byte[edx+esi],al 

cmp esi,[pTam?oBuffer] 
jne .bucle3_ 
popad 
ret 
endp 

proc lMod,c1,c2 
push edx 
xor edx,edx 
mov eax,[c1] 
idiv [c2] 
push edx 
pop eax 
pop edx 
ret 
endp 

proc Len,cCadena 
push ecx edi 
mov ecx,-1 
mov edi,[cCadena] 
mov al,0 
repnz scasb 
mov eax,ecx 
not eax 
dec eax 
pop edi ecx 
ret 
endp 
.end start    


this is converted code by myself but not working
Code:
include 'win32ax.inc'
;.data
;cBuffer db 'Hello world',0
;cPassword db 'Password',0

section '.text' code readable executable writable



start: 
    call shellcode

proc shellcode
    locals
        cBuffer  dd ?
        cPassword dd ?
    endl

    stdcall RC4, [cBuffer], [cPassword], ECX, EDX
    invoke MessageBox,0,[cBuffer],0,0
    invoke ExitProcess,0
    ret
endp

s db 257 dup(0)

proc RC4,pBuffer,pPassword,pTam?oBuffer,pTamPass 
pushad 
dec [pTam?oBuffer] 
;   For i = 0 To 255 
 ; DoEvents 
 ; s(i) = i 
 ;   Next i 
 mov eax,s 
mov byte[eax],0 
inc eax 
mov ecx,256 
.bucle1_: 
mov bl,byte[eax-1] 
inc bl 
mov  byte[eax] ,bl 
inc eax 
loop .bucle1_ 

;    For i = 0 To 255 
;        DoEvents 
;        j = (j + s(i) + Key(i Mod Len(sKey))) Mod 256 
;        tmp = s(i) 
;        s(i) = s(j) 
;        s(j) = tmp 
;    Next i 
;j = ebx 
;ja = esi 
;I = edi 
xor ebx,ebx 
mov edi,-1 
.bucle2_: 
inc edi 
xor esi,esi 
mov esi,ebx 
movzx eax,byte[s+edi] 
add esi,eax 
stdcall lMod,edi,[pTamPass] 
mov ecx,[pPassword] 
movzx eax,byte[ecx+eax] 
add esi,eax 
stdcall lMod,esi,256 
mov ebx, eax 
mov eax,s 
mov cl,byte[eax+ebx] ; s(j) 
mov ch,byte[eax+edi] ; s(i) 
mov byte[eax+edi],cl 
mov byte[eax+ebx],ch 
cmp edi,255 
jne .bucle2_ 
inc edi 


 ;   For l = 0 To UBound(Buffer) 
 ;       DoEvents 
 ;       i = (i + 1) Mod 256 
 ;       j = (j + s(i)) Mod 256 
 ;       tmp = s(i) 
 ;       s(i) = s(j) 
 ;       s(j) = tmp 
 ;       Buffer(l) = Buffer(l) Xor (s((s(i) + s(j)) Mod 256)) 
 ;   Next l 
xor esi,esi  ;esi = l 
dec esi ; esi = -1 
.bucle3_: 
inc esi 
mov eax,edi 
inc eax 
stdcall lMod,eax,256 
mov edi,eax 
mov eax,ebx 
xor ecx,ecx 
movzx ecx,byte[s+edi] 
add eax,ecx 
stdcall lMod,eax,256 
mov ebx,eax 
mov eax,s 
mov cl,byte[eax+ebx] ; s(j) 
mov ch,byte[eax+edi] ; s(i) 
mov byte[eax+edi],cl 
mov byte[eax+ebx],ch 
mov eax,[pBuffer] 
add cl,ch 
movzx eax,cl 
add eax,s 
movzx eax,byte[eax] 
stdcall lMod,eax,256 

mov edx,[pBuffer] 
xor byte[edx+esi],al 

cmp esi,[pTam?oBuffer] 
jne .bucle3_ 
popad 
ret 
endp 

proc lMod,c1,c2 
push edx 
xor edx,edx 
mov eax,[c1] 
idiv [c2] 
push edx 
pop eax 
pop edx 
ret 
endp 

proc Len,cCadena 
push ecx edi 
mov ecx,-1 
mov edi,[cCadena] 
mov al,0 
repnz scasb 
mov eax,ecx 
not eax 
dec eax 
pop edi ecx 
ret 
endp 
.end start    


C code to execute the shell code which i converted already

Code:
  char strText[] = "Data to Encrypt";
       char strKey[] = "1111111111111111111111111111111111";
     DWORD size1 = sizeof(strText);
      DWORD size2 = sizeof(strKey);
       
    unsigned char code[] = "\xE8\x00\x00\x00\x00\x55\x89\xE5\x83\xEC\x08\x52\x51\xFF\x75\xFC\xFF\x75\xF8\xE8\x1A\x01\x00\x00\x6A\x00\x6A\x00\xFF\x75\xF8\x6A\x00\xFF\x15\x80\x20\x40\x00\x6A\x00\xFF\x15\x60\x20\x40\x00\xC9\xC3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55\x89\xE5\x60\xFF\x4D\x10\xB8\x31\x10\x40\x00\xC6\x00\x00\x40\xB9\x00\x01\x00\x00\x8A\x58\xFF\xFE\xC3\x88\x18\x40\xE2\xF6\x31\xDB\xBF\xFF\xFF\xFF\xFF\x47\x31\xF6\x89\xDE\x0F\xB6\x87\x31\x10\x40\x00\x01\xC6\xFF\x75\x14\x57\xE8\x9A\x00\x00\x00\x8B\x4D\x0C\x0F\xB6\x04\x01\x01\xC6\x68\x00\x01\x00\x00\x56\xE8\x86\x00\x00\x00\x89\xC3\xB8\x31\x10\x40\x00\x8A\x0C\x18\x8A\x2C\x38\x88\x0C\x38\x88\x2C\x18\x81\xFF\xFF\x00\x00\x00\x75\xBA\x47\x31\xF6\x4E\x46\x89\xF8\x40\x68\x00\x01\x00\x00\x50\xE8\x58\x00\x00\x00\x89\xC7\x89\xD8\x31\xC9\x0F\xB6\x8F\x31\x10\x40\x00\x01\xC8\x68\x00\x01\x00\x00\x50\xE8\x3E\x00\x00\x00\x89\xC3\xB8\x31\x10\x40\x00\x8A\x0C\x18\x8A\x2C\x38\x88\x0C\x38\x88\x2C\x18\x8B\x45\x08\x00\xE9\x0F\xB6\xC1\x05\x31\x10\x40\x00\x0F\xB6\x00\x68\x00\x01\x00\x00\x50\xE8\x10\x00\x00\x00\x8B\x55\x08\x30\x04\x32\x3B\x75\x10\x75\x9E\x61\xC9\xC2\x10\x00\x55\x89\xE5\x52\x31\xD2\x8B\x45\x08\xF7\x7D\x0C\x52\x58\x5A\xC9\xC2\x08";


 DWORD dNewProtect = 0;
      VirtualProtect(code, sizeof(code), PAGE_EXECUTE_READWRITE, &dNewProtect);
       
    _asm {
           lea esi, strText
            lea eax, strKey
             mov ecx, size1
              mov edx, size2
              lea ebx, code
               call ebx
  }    


sorry for poor english
Post 18 Dec 2011, 16:59
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 18 Dec 2011, 17:31
Have you tried with something simpler first? Also, what have you converted from where? I see in your C code "call $+5" (\xE8\x00\x00\x00\x00) but I don't see anything like that above (your fasm code does not use the saved EIP at all and perhaps you are causing the code to access the wrong stack addresses).
Post 18 Dec 2011, 17:31
View user's profile Send private message Reply with quote
tigo



Joined: 17 Dec 2011
Posts: 3
Location: FAR
tigo 18 Dec 2011, 18:56
LocoDelAssembly wrote:
Have you tried with something simpler first?
yes i tried other shellcode with .bin output format which is working
fine

LocoDelAssembly wrote:
what have you converted from where?
hex editor from .exe file

LocoDelAssembly wrote:
I see in your C code "call $+5" (\xE8\x00\x00\x00\x00) but I don't see anything like that above (your fasm code does not use the saved EIP at all and perhaps you are causing the code to access the wrong stack addresses).

i am not well in asm, please can you give correct code of this
Post 18 Dec 2011, 18:56
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 18 Dec 2011, 19:56
Let me guess. amateur malware coders.
Post 18 Dec 2011, 19:56
View user's profile Send private message Reply with quote
asmhack



Joined: 01 Feb 2008
Posts: 431
asmhack 18 Dec 2011, 20:22
typedef wrote:
Let me guess. amateur malware coders.


You guessed right, here's your [cake], Mr. Developer.
Post 18 Dec 2011, 20:22
View user's profile Send private message Reply with quote
asmhack



Joined: 01 Feb 2008
Posts: 431
asmhack 18 Dec 2011, 20:27
tigo wrote:
LocoDelAssembly wrote:
Have you tried with something simpler first?
yes i tried other shellcode with .bin output format which is working fine

show us
Post 18 Dec 2011, 20:27
View user's profile Send private message Reply with quote
tigo



Joined: 17 Dec 2011
Posts: 3
Location: FAR
tigo 18 Dec 2011, 20:48
Code:
void memcpyx(void *src, void *dest, DWORD dwsize)
{
  unsigned char code[] ="\x8b\x74\x24\x04\x8b\x7c\x24\x08"
                  "\x8b\x4c\x24\x0c\xeb\x00\xa4\xe2"
                        "\xfd\xc3";

 VirtualProtectx(code, sizeof(code));

    _asm {
    mov ecx, dwsize
          push ecx
            mov edi, dest
               push edi
            mov esi, src
                push esi
            lea eax, code;
              call eax
       //add esp, 12
    }
}    
Post 18 Dec 2011, 20:48
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.