How to disassemble a shellcode into assembly instruction?
Is there some tool to disassemble a raw hex into assembly instructions? for example: lets say we have \xeb\x1d that disassemble into jmp 0x1f according to this online disassembler. So is there some offline tool? I have tried ndisasm its not giving me the right output.
ndisam -b32 foo gives me:
OUTPUT:
00000000 5C pop esp<br>
00000001 7833 js 0x36<br>
00000003 315C7865 xor [eax+edi*2+0x65],ebx<br>
00000007 620A bound ecx,[edx]
It should be jmp 0x1f. I have also tried objdump like:
objdump -D -b binary -mi386 -M intel foo
OUTPUT:
00000000 <.data>:<br>
0: 5c pop esp <br>
1: 78 33 js 0x36 <br>
3: 31 5c 78 65 xor DWORD PTR [eax+edi*2+0x65],ebx<br>
7: 62 0a bound ecx,QWORD PTR [edx]<br>
SO can you tell me some tool that will disassemble raw hex codes into assembly language.
I have also tried gdb but I want something more flexible.
Answer
As the comments have suggested, your issue is that you have output the string \xeb\x1d as ASCII into the file you are trying to disassemble. You may have done something like:
echo '\xeb\x1d' >foo
You can do this but you will want to tell echo to interpret the escape character \. This can be done with the -e option.
You'll want it to not append a newline on the end using the -n option. This is documented in the ECHO manual page:
-n do not output the trailing newline -e enable interpretation of backslash escapes
This may work:
echo -ne '\xeb\x1d' >foo
Using NDISASM to disassemble the bytes:
ndisasm -b32 foo
Should now produce:
00000000 EB1D jmp short 0x1f
Without using an intermediate file (like foo) you can pipe ECHO output into NDISASM and disassemble it that way. This line would take a shell code string and output the disassembly as well:
echo -ne '\xeb\x1d' | ndisasm -b32 -
The - on the end is needed to tell NDISASM to disassemble input from standard input rather than an explicit file.
We have now revolutionized the IT industry! ;-)