When analyzing javascript that contain shellcode, I really need a UCS2 to Hex converter before running the shellcode via libemu's sctest because the shellcode are in UCS2 format when directly convert the hex into ascii, it means nothing, for example:
UCS2 : %u3341
if i remove the %u and directly convert the 3341 to ascii, it will produce 3A in ascii. But this may bring a false meaning if we run the shellcode. Because the real hex is 4133. So, before we convert the ucs2 into hex, we need to remove the %u and swap the 33 and 41. To make our life easier, we a have python code that automate our job:
def ucs2hex(self, match):
s = match.group()
return "".join([s[4]+s[5],s[2]+s[3]]) # swap the 4th and 5th char with 2nd and 3rd char
def find_word(self,data):
p = re.compile(r'\%u(\w{4})') #regular expression to search for %u and 4 char after it
return p.sub(self.ucs2hex, data)
ucs2_string = "%u3341"
hex_string = self.find_word(ucs2_string)
print hex_string
this code will simply sear the string for %u and 4 chars after it, swap the char no 4 and 5 with char no 2 and 3.
Wednesday, January 21, 2009
Subscribe to:
Post Comments (Atom)
4 comments:
Just curious for this article, u did not showed how to convert ucs2 to hex. Somemore the function very confusing. you can try to demonstrate the usage in easier way rather than just copy-and-paste
u don't know how to code in Python?
and anyways this code won't convert a text from ucs2 to hex.....
this function really implemented in my project for analyzing malicious shellcode in pdf.. anyway, if you dont understand shellcode and you did not need my code, just leave where it was.. or I'm very pleasure to invite you to show me the way it should look like and i can repair my code..
Hey,
nice functions. Spared me some time. Thx.
I think I'll use your code quite a lot!
Keep on the good work :)
*addToMyRssReader*
Regards
Post a Comment