.Hex to .Bin

Topic created on: January 31, 2013 05:21 CST by legola .

Hi guys, I have a problem. I'm analyzing a malware that exploits Office vulnerabilities to execute a backdoor on the target. The payload is embedded in the document as an XORed, hex-encoded ASCII string. I have retrieved the key to de-XOR this XORed hex ASCII and I can successfully view the magic "MZ" of the original trojan payload as an ASCII string (I can also save it in pure hex). The problem is that the structure I retrieved is not recognized as a valid PE format. Can someone give me a hand? Is there some tool to generate a valid PE/exe from pure hex or from the ASCII? Where am I wrong? Thanks

  codeinject     January 31, 2013 05:49.20 CST
I'd use either a hex editor or NASM.
010 Editor is really good for this kind of stuff.

If you drop the hex data you've got, I would like to help you.

  legola     January 31, 2013 07:09.27 CST
codeinject, if you give me a contact, I will send you the hex data.

  legola     January 31, 2013 09:16.22 CST
Hi. It's possible now to download the hex data here:

http://www.4shared.com/rar/7axoz3_e/output.html (psw: infected)

If you translate it to ASCII text, you will see a PE-like structure, but it's not recognized as valid. Thanks for the help.

  legola     January 31, 2013 12:53.03 CST
Is there someone who will help? Anyone else? It is important to me. It's been three days that I've been shaking my head :(

  legola     January 31, 2013 15:07.34 CST
Hi guys, if you have problems with the link above, you can download the hex data from here if you want:

http://www.2shared.com/complete/zbyVWXUB/output.html (pwd: infected)

Thanks for the help.

  gN3mes1s     February 1, 2013 02:45.55 CST
Hi legola, attached is a valid PE file extracted.

ompldr.org/vaGIwNA

As usual, passwd: infected

  codeinject     February 1, 2013 02:56.53 CST
> legola: codeinject, if you give me a contact, a will send you hex data.

Next time, check my profile it contains my email addr.

  cod     February 1, 2013 03:01.03 CST
Your hex dump is a valid PE exe after the filename ...


PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               5 number of sections
        509B8C9A time date stamp Thu Nov 08 11:42:34 2012
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             10E characteristics
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            5.12 linker version
           19E00 size of code
           68A00 size of initialized data
               0 size of uninitialized data
           118A4 entry point (004118A4)
            1000 base of code
           1B000 base of data
          400000 image base (00400000 to 00484FFF)
            1000 section alignment
             200 file alignment
            4.00 operating system version
            0.00 image version
            4.00 subsystem version
               0 Win32 version
           85000 size of image
             400 size of headers
               0 checksum
               2 subsystem (Windows GUI)
               0 DLL characteristics
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
           1A60C [      3C] RVA [size] of Import Directory
               0 [       0] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
           20000 [    3460] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
            1000 [     120] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory


SECTION HEADER #1
   .text name
   19C78 virtual size
    1000 virtual address (00401000 to 0041AC77)
   19E00 size of raw data
     400 file pointer to raw data (00000400 to 0001A1FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000020 flags
         Code
         Read Write

SECTION HEADER #2
   .data name
    3AA8 virtual size
   1B000 virtual address (0041B000 to 0041EAA7)
    2000 size of raw data
   1A200 file pointer to raw data (0001A200 to 0001C1FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

SECTION HEADER #3
.sxdata name
      A4 virtual size
   1F000 virtual address (0041F000 to 0041F0A3)
     200 size of raw data
   1C200 file pointer to raw data (0001C200 to 0001C3FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000240 flags
         Initialized Data
         Info
         Read Write

SECTION HEADER #4
  .reloc name
    3B6E virtual size
   20000 virtual address (00420000 to 00423B6D)
    3C00 size of raw data
   1C400 file pointer to raw data (0001C400 to 0001FFFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         Read Only

SECTION HEADER #5
  .idata name
   61000 virtual size
   24000 virtual address (00424000 to 00484FFF)
   60600 size of raw data
   20000 file pointer to raw data (00020000 to 000805FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

  Summary

        4000 .data
       61000 .idata
        4000 .reloc
        1000 .sxdata
       1A000 .text

  legola     February 1, 2013 04:22.35 CST
Hi guys, there is something that I can't understand. What was the process that you performed to retrieve the executable? From the hex, I tried to retrieve a valid PE (converting to ASCII), but software like CFF (and others) fails to recognize a valid PE. Why? What process have you adopted?

  gN3mes1s     February 1, 2013 04:54.11 CST
> legola: Hi guys, there is something that I can't understand. What was the process that you performed to retrieve the executable? From the hex, I tried to retrieve a valid PE (converting to ASCII), but software like CFF (and others) fails to recognize a valid PE. Why? What process have you adopted?

I've used Python binascii and http://hooked-on-mnemonics.blogspot.it/2013/01/pe-carvpy.html

  legola     February 1, 2013 07:08.02 CST
Hi gN3mes1s, have you used binascii and pe-carv starting from my hex data? If I understand...

Hex -> ASCII -> PE-CARV -> EXE

Correct ?

  legola     February 1, 2013 07:56.16 CST
Nothing to do. This file seems cursed to me. gN3mes1s, I tried to save the file in ASCII and use pe-carv.py, but it does not work (it cannot save the exe... it says nothing. On other bins it works). At this point, could you offer the two lines of Python code that you used to generate the file to submit to pe-carv.py? Thank you very much.

  anonymouse     February 1, 2013 15:07.39 CST
That output.txt is a valid PE file; it just has its filename msmx21.exe prepended to it:

00401000 >6D 73 6D 78 32 31 2E 65 78 65 00 4D 5A 90 00 03  msmx21.exe.MZ...
00401010  00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00  ................
00401020  00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
00401030  00

Delete the name, append a marker to the end, and copy-paste it as binary into a dummy debuggee that is big enough to hold the bytes inside OllyDbg.
Select the bytes from start to marker, then right click -> Backup -> Save data to file.

you got your exe

To make a big dummy exe:


.386
.model flat, stdcall
option casemap:none

.code
start:
db 1100800 dup (0)      ; 1,100,800 zero bytes at 401000: room to paste the binary into
end start


Use MASM to compile and link it, then load dummy.exe in OllyDbg:
copy output1.txt
paste as binary at 401000
select the bytes till the marker
right click -> Backup -> Save data to file

  gN3mes1s     February 2, 2013 02:17.32 CST
> legola: Nothing to do. This file seems cursed to me. gN3mes1s, I tried to save the file in ASCII and use pe-carv.py, but it does not work (it cannot save the exe... it says nothing. On other bins it works). At this point, could you offer the two lines of Python code that you used to generate the file to submit to pe-carv.py? Thank you very much.

Sure, here it is (python2 shell; outputhex is your hex stream, outputascii.txt is the result):

>>> import binascii
>>> f = open("outputhex", "r")                  # the hex-encoded text stream
>>> hx = "".join(f.read().split())              # drop newlines/spaces: a2b_hex needs an even run of hex digits only
>>> f.close()
>>> ascii = binascii.a2b_hex(hx)                # decode the hex text back to raw bytes
>>> outascii = open("outputascii.txt", "wb")    # "wb": create the file as binary ("r+" fails if it does not exist yet)
>>> outascii.write(ascii)
>>> outascii.close()                            # flush so pecarve.py sees the whole file

and now in your terminal:
$ python2 pecarve.py outputascii.txt
      * exe found at offset 0xb

$ ls -la 1.exe
-rw-r--r-- 1 nemesis users 525824  2 feb 09.13 1.exe

$ file 1.exe
1.exe: PE32 executable (GUI) Intel 80386, for MS Windows

PS: It seems you've dropped a file from the Red October campaign ;)

  legola     February 5, 2013 05:34.59 CST
Hi gN3mes1s, I'm using pe-carve.py under Windows. It runs without errors, but fails to retrieve a valid exe (it gives me nothing, only a file named "pefile.pyc"). I also used your instructions. Nothing to do. I don't understand very well the actions suggested in the post above by 'anonymouse'. Is there another way, or can somebody explain it to me better, please?

  gN3mes1s     February 5, 2013 12:56.50 CST
OK, just delete the file name in your outputascii.txt, as anonymouse said (that output.txt is a valid PE file; it just has its filename msmx21.exe prepended to it:

00401000 >6D 73 6D 78 32 31 2E 65 78 65 00 4D 5A 90 00 03  msmx21.exe.MZ...

) and save the file.

  anonymouse     February 6, 2013 04:26.16 CST
I don't know what you can't understand in my post.
It is simple: create a dummy exe, load it in OllyDbg,
copy-paste the output.txt as binary and save it :(

There are probably n number of ways to do it; heck, you could have coded an asciitohex in an hour, including debugging it for errors.

Take this and compile it.
Put the output.txt in the same folder as the compiled exe and run it; you should get an output.exe, all automatic.


#include <stdio.h>
#include <stdlib.h>     // malloc, free, strtol, exit
#include <string.h>     // memset
#include <Windows.h>    // ULONG, errno_t (MSVC)
int main(void)
{
    FILE *  fp          = NULL;
    FILE *  fpout       = NULL;
    errno_t err         = 0;
    ULONG   filesize    = 0;
    ULONG   outsize     = 0;
    ULONG   i           = 0;
    int     c           = 0;
    char *  Buff        = NULL;
    char *  temp        = NULL;
    long    e           = 0;
    char    hex[8]      = {'0','x',0,0,0,0,0,0};   // "0xHH" plus terminating zeros for strtol
    int     exenamelen  = 2*sizeof("msmx21.exe");  // "msmx21.exe\0" is 11 bytes = 22 hex chars
    if (( err = fopen_s(&fp,"output.txt" , "rb")) != 0)
    {
        printf("cannot open file\n");
        exit (EXIT_FAILURE);
    }
    printf("opened output.txt convert to output.exe\n");
    fseek(fp,0,SEEK_END);
    filesize = ftell(fp);
    if (filesize <= (ULONG)exenamelen)
    {
        printf("file too small to hold the name and a PE\n");
        fclose(fp);
        exit(EXIT_FAILURE);
    }
    outsize = (filesize-exenamelen)/2;              // two hex chars become one output byte
    if (( Buff = (char *)malloc(outsize) ) == 0)
    {
        printf("cannot allocate memory\n");
        fclose(fp);
        exit(EXIT_FAILURE);
    }
    temp = Buff;                                    // save the start address for fwrite/free
    memset(Buff,0,outsize);
    fseek(fp,exenamelen,SEEK_SET);                  // skip the exe name, 22 bytes
    for (i = 0; i < outsize; i++)                   // convert rest of file, one pair per byte
    {
        if ((c = fgetc(fp)) == EOF) break;          // stop cleanly on a truncated file
        hex[2] = (char)c;                           // most significant nibble
        if ((c = fgetc(fp)) == EOF) break;
        hex[3] = (char)c;                           // least significant nibble
        e = strtol(hex,NULL,16);                    // take a pair of hex chars
        *Buff++ = (char)e;                          // convert and save
    }
    if (fopen_s(&fpout,"output.exe","wb") != 0)
    {
        printf("cannot create output.exe\n");
        fclose(fp);
        free(temp);
        exit(EXIT_FAILURE);
    }
    fwrite(temp,1,i,fpout);                         // write from the saved start address,
    fclose(fpout);                                  // as Buff itself was advanced in the loop;
    fclose(fp);                                     // i is the number of bytes actually decoded
    free(temp);
    printf("Success converted output.txt to output.exe\n");
    return 0;
}

  gN3mes1s     February 6, 2013 10:10.31 CST
Hahaha, poor anonymouse, nice work :D
Anyway, another method is:

>dd bs=11 skip=1 if=outputascii.txt of=trimmed.exe

There are dozens of methods to trim the first 11 bytes.

  anonymouse     February 6, 2013 14:49.45 CST
> gN3mes1s:
> >dd bs=11 skip=1 if=outputascii.txt of=trimmed.exe

That won't work: dd will take 11 as 11 decimal, which would be wrong; you would need 22, and dd will still make the output ASCII, not hex. You need to take a pair and put it as a single character;
you may need awk strtonum or something like that.

  anonymouse     February 7, 2013 06:57.41 CST
Yes, like I posted, dd won't do it,
but sed and awk will.



:\>type convert.bat
asciitohex
sed s/......................// output.txt | sed s/../"& "/g | gawk -v BINMODE=2 "{for(i=1;i<=NF;i++) printf \"%%c\", strtonum(\"0x\"$i)}" > output1.exe
fc output.exe output1.exe
:\>convert.bat

:\>asciitohex
opened output.txt for converting to output.exe
Success converted output.txt to output.exe

:\>sed s/......................// output.txt   | sed s/../"& "/g   | gawk -v BINMODE=2 "{for(i=1;i<=NF;i++) printf \"%c\", strtonum(\"0x\"$i)}"  1>output1.exe

:\>fc output.exe output1.exe
Comparing files output.exe and OUTPUT1.EXE
FC: no differences encountered


:\>


The first sed deletes 22 bytes from the beginning of output.txt.
The second sed splits the stream after every two bytes and inserts a space in between,

so 4D5A will become 4D 5A and so on,

so that we can use gawk on each record,

and gawk takes each pair of bytes and converts it into a single character, i.e. 4D 5A will become MZ.

We need gawk and its BINMODE switch; plain awk will turn every 0A into 0D0A, i.e. \LF into \CR\LF.

Done, fc encounters no difference :)
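As an added example (not code from any poster in this thread), here is a python3 script that does in one place what gN3mes1s's binascii step plus pecarve.py did, and what the sed/gawk pipeline above does: decode the hex text to bytes, then find the real PE start by validating that the DOS header's e_lfanew points at "PE\0\0" instead of trusting the first "MZ" or a hard-coded 22-character skip. The sample input is constructed here to mimic the msmx21.exe prefix and is not the real dump; the function names are this example's own.

```python
import binascii
import struct

def hex_text_to_bytes(text):
    """Decode a hex-encoded ASCII dump (whitespace and newlines tolerated) to raw bytes."""
    digits = "".join(text.split())
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: dump is truncated or not pure hex")
    return binascii.unhexlify(digits)

def find_pe_offset(data):
    """Offset of the first 'MZ' whose e_lfanew (DOS header +0x3C) points at 'PE\\0\\0',
    or None. A bare 'MZ' match is not enough; validate through the DOS header."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None

def carve_pe(data):
    """Return the bytes from the validated PE start to the end of the buffer."""
    off = find_pe_offset(data)
    if off is None:
        raise ValueError("no PE header found")
    return data[off:]

# Constructed sample (not the real dump): the file name "msmx21.exe\0" (11 bytes)
# prepended to a minimal DOS header whose e_lfanew points at a PE signature at 0x40,
# followed by the IMAGE_FILE_HEADER machine field 0x14C (x86).
_dos = bytearray(0x40)
_dos[0:2] = b"MZ"
struct.pack_into("<I", _dos, 0x3C, 0x40)
SAMPLE_BIN = b"msmx21.exe\x00" + bytes(_dos) + b"PE\x00\x00" + b"\x4c\x01"
SAMPLE_HEX = binascii.hexlify(SAMPLE_BIN).decode() + "\n"   # as it would sit in output.txt

if __name__ == "__main__":
    raw = hex_text_to_bytes(SAMPLE_HEX)
    print("exe found at offset 0x%x" % find_pe_offset(raw))   # 0xb, as pecarve.py reported
    with open("carved.exe", "wb") as fh:
        fh.write(carve_pe(raw))
```

Run against the real output.txt, replace SAMPLE_HEX with the file's contents; the validation step is what tells a genuine header apart from the lowercase "mz" or stray "MZ" pairs that a filename or data section can contain.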

  legola     February 7, 2013 12:30.48 CST
Sorry guys. Finally done. Sorry, but I often lose myself in a glass of water. I'm just at the beginning of rem; this may happen, I think :( Sorry again for the disturbance.
