Is there a difference between MASM shellcode and NASM shellcode
I am new to StackOverflow. Recently, I began studying assembly and am fairly new to assembly, completely new to shellcode. I am using RadAsm to compile using the MASM assembler, and I tried studying shellcode from this website: Shellcoding for Linux and Windows.

I am using RadAsm on Windows 64-bit. The code I used is almost the same, except that I use the absolute name of the function rather than the address of the function in the DLL. The shellcode is supposed to use the sleep function with the parameter 5000.

This is the code that I am using in MASM.

.386
.model flat, stdcall
option casemap:none

include kernel32.inc
includelib kernel32.lib

.code
_start:
    xor eax, eax    ; zero out eax
    mov ebx, Sleep  ; function sleep goes in ebx
    mov ax, 5000    ; parameter goes in ax
    push eax        ; parameter on stack
    call ebx        ; call Sleep
end _start
end

This assembles with no errors in MASM.

The shellcode generated has null values and is slightly different from the website. It is as follows.

I used objdump -d nameofexecutable.exe to get the disassembly.

Disassembly of section .text:
 00401000 <.text>:
  401000:       33 c0                   xor    %eax,%eax
  401002:       bb 0e 10 40 00          mov    $0x40100e,%ebx
  401007:       66 b8 88 13             mov    $0x1388,%ax
  40100b:       50                      push   %eax
  40100c:       ff d3                   call   *%ebx
  40100e:       ff 25 00 20 40 00       jmp    *0x402000

But in the website, there are no 00 hex codes.

Disassembly of section .text:

08048080 <_start>:
 8048080:       31 c0                   xor    %eax,%eax
 8048082:       bb ea 1b e6 77          mov    $0x77e61bea,%ebx
 8048087:       66 b8 88 13             mov    $0x1388,%ax
 804808b:       50                      push   %eax
 804808c:       ff d3                   call   *%ebx

Could it be because I am using x64 to compile or because I am calling the function indirectly?

Any help would be appreciated, thank you.

Winnie answered 28/8, 2014 at 6:48 Comment(1)
It also could be due to a version difference of MASM/NASM. – Edacity

The simple answer is that MASM sucks!!

Cited from here: "In the past I had developed 32-bit shellcode using the free and open-source Netwide Assembler (NASM), but when going through the exercise of learning the 64-bit variety I figured I would try it out with the Microsoft Assembler (MASM) instead. One problem quickly became apparent: MASM offers no way (that I know of) to generate raw binary machine code as opposed to an .exe file! All is not lost though, the code bytes can be extracted from the .exe file easily enough (but in the future I might go back to NASM)." So it's harder to create shellcode.

I used NASM to create the shellcode for a program that says "hey" from the link you provided, on Windows x64. This is the result that I achieved: no null bytes. It turns out the example for Sleep may not work correctly, but the second example is fully functional.

"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x2f\x59\x88\x51\x0a"
"\xbb\x82\xf8\x60\x77\x51\xff\xd3\xeb\x31\x59\x31\xd2"
"\x88\x51\x0b\x51\x50\xbb\xe6\x4d\x61\x77\x59\x31\xd2"
"\x88\x51\x03\x31\xd2\x52\x51\x51\x52\x31\x32\xd2\x50"
"\xb8\xca\x3a\x61\x77\xe8\xcc\xff\xff\xff\x75\x73\x65"
"\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xca\xff\xff\xff"
"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8"
"\xc6\xff\xff\xff\x48\x65\x79\x4e"

NOTE: use nameofexecutable.o with objdump,

i.e. objdump -o nameofexecutable.o to get the shellcode, and not nameofexecutable.exe.

Adrianaadriane answered 28/8, 2014 at 16:44 Comment(0)

Your code is assembled to run at 0x00401000, so the highest byte of all addresses ends up being 0x00. Their code is assembled to run at 0x08048080, so the highest byte of all their addresses ends up being 0x08.

This is where all of your zeros come from.

Ochlocracy answered 28/8, 2014 at 7:4 Comment(6)
I found how you got the hex code and where it's running, but is there any way to fix the NULL values? – Winnie
@Winnie what do you mean "fix"? They are not causing a problem, are they? – Corpora
Well, according to the answer, they are starting at 0x00 and they are causing the NULL bytes to occur, so how can I eliminate the NULL bytes? @Corpora – Winnie
Why would you want to eliminate all the "NULL" bytes? Any non-trivial program will have them. – Corned
@RossRidge, I was trying to make shellcode and it shouldn't have NULL bytes. – Winnie
It'll work with NUL bytes if you copy it into the shellcodetest.c program used to do the testing, because you're not actually injecting it anywhere. Well, it would if you hadn't changed the example. The example on the website used the constant 0x77e61bea as the address of Sleep as determined by the program arwin. You used the symbol Sleep, which uses an address specific to your program, and so won't work in shellcodetest.c or anywhere else. – Corned
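To make the point of this answer (and of the question above it) concrete, here is an added analysis script; it is not code from the question, the answers, or the linked tutorial. It parses the two objdump listings quoted on this page (embedded here as sample input, copied from the question), reports the offset of every zero byte in the resulting blob, and decodes the `mov ebx, imm32` immediate to show that the 0x00 in the MASM build is simply the high byte of the little-endian address 0x0040100e, while the tutorial's 0x77e61bea has no zero byte. The regular expression for objdump's line layout is an assumption about the format as it appears on this page.

```python
import re

# objdump -d output quoted in the question (MASM build, image base 0x00400000)
# and from the referenced tutorial (NASM build at 0x08048080). Sample input
# constructed from the page; whitespace may differ from real objdump output.
MASM_LISTING = """\
  401000:       33 c0                   xor    %eax,%eax
  401002:       bb 0e 10 40 00          mov    $0x40100e,%ebx
  401007:       66 b8 88 13             mov    $0x1388,%ax
  40100b:       50                      push   %eax
  40100c:       ff d3                   call   *%ebx
  40100e:       ff 25 00 20 40 00       jmp    *0x402000
"""

NASM_LISTING = """\
 8048080:       31 c0                   xor    %eax,%eax
 8048082:       bb ea 1b e6 77          mov    $0x77e61bea,%ebx
 8048087:       66 b8 88 13             mov    $0x1388,%ax
 804808b:       50                      push   %eax
 804808c:       ff d3                   call   *%ebx
"""

# address ':' hex byte pairs ... mnemonic (assumed objdump layout)
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s+)+)\s*(\S.*)$")


def parse_listing(text):
    """Return a list of (address, encoded bytes, instruction text) tuples."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip section headers and symbol lines
        addr = int(m.group(1), 16)
        code = bytes.fromhex(m.group(2).replace(" ", ""))
        insns.append((addr, code, m.group(3).strip()))
    return insns


def blob(insns):
    """Concatenate the encoded instructions into the raw byte string."""
    return b"".join(code for _, code, _ in insns)


def null_report(insns):
    """Every zero byte, with its offset in the blob and the instruction it belongs to."""
    report = []
    offset = 0
    for addr, code, text in insns:
        for i, b in enumerate(code):
            if b == 0:
                report.append({"offset": offset + i, "addr": addr, "insn": text})
        offset += len(code)
    return report


def mov_ebx_imm32(insns):
    """Decode the little-endian immediate of the first 'bb imm32' (mov ebx, imm32)."""
    for _, code, _ in insns:
        if len(code) == 5 and code[0] == 0xBB:
            return int.from_bytes(code[1:], "little")
    return None


if __name__ == "__main__":
    for name, listing in (("MASM", MASM_LISTING), ("NASM", NASM_LISTING)):
        insns = parse_listing(listing)
        imm = mov_ebx_imm32(insns)
        print(f"{name}: {len(blob(insns))} bytes, mov ebx imm32 = {imm:#010x}, "
              f"high byte = {imm >> 24:#04x}")
        for entry in null_report(insns):
            print(f"  zero byte at offset {entry['offset']} in '{entry['insn']}'")
```

Run as is, the script attributes the three zero bytes in the MASM blob to two instructions: one is the top byte of the Sleep thunk address loaded into ebx, and the other two sit in the import-table `jmp *0x402000` that the symbol `Sleep` resolved to. That matches the answer's explanation: the zeros come from the image's load address, not from the assembler.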