010 Editor is one of few commercial applications that I use daily. It's a powerful binary editor with scripting and templates.

.class file: extend a string inside that class. Before going the route of decompiling / editing / recompiling, I tried with 010 Editor. Here is the file opened inside the editor:

When opening the file, 010 Editor recognized the .class extension and installed and ran the template for .class files. That's what I wanted to know: is there a template for .class files? And this is how the template results look:

Here is how you can apply a template manually, in case the file extension is not the original extension:

Under the hex/ascii dump, the template results are displayed: a set of nested fields that match the internal structure of .class files. For example, the first field I selected here, u4 magic, is the magic header of a .class file.

Into something like “1.2 (20210922a)”. Doing so will make the string longer, thus I need to add a byte to the file (trivial), but I also need to make sure that the binary structure of .java files remains valid: for example, if there is something in that structure like a field length, I need to change the field length too.

I'm not familiar with the internal structure of .class files, that's why I'm using 010 Editor's .class template, hoping that the template will make it clear to me what needs to be changed.

To find the template result field I need to modify, I position my cursor on the string I want to modify inside the ASCII dump, I right-click and select “Jump To Template Variable”:

Which selects the corresponding template variable:

So my cursor was on the 10th byte (bytes) of the string, which is part of template variable cp_info constant_pool. From that I gather that the string I want to modify is inside a pool of constants. And here I can see which bytes inside the .class file belong to it: it's not only the string, but also bytes that represent the tag and length.

The length is 14, that's indeed the length of the string I want to extend. Since I want to add 1 character, I change the length from 14 to 15. I can do that inside the template results by double-clicking the value 14, I don't need to make that change inside the hexdump:

Next I need to add a character to the string. I have to make sure that the editor is in insert mode (INS), so that when I type characters, they are inserted at the cursor, instead of overwriting existing bytes:

So I have changed the constant string I wanted to change. Maybe there are more changes to make to the internal structure of this .class file, like other length fields … I don't know.

But what I do as an extra check is: save the modified file and run the template again. It runs without errors, and the result looks good. So I guess there are no more changes to make, and I decide to try out my modified .class file and see what happens: it works, so there are no other changes to make.

I released an update to my 010 Editor script XORSelection.1sc. 010 Editor is a binary editor with a scripting engine. XORSelection.1sc is a script I wrote years ago, that will XOR-encode a (partial) file open in the editor.

The first version just accepted a printable, arbitrary-length string as XOR-key. Later versions accepted a hexadecimal key too, and introduced various options.

With version 6.0, I add support for a dynamic XOR-key. That is a key that changes while it is being used. It can change, one byte at a time, before or after each byte-level XOR operation is executed. Hence option cb means change before, and ca means change after.

Watch this video to understand exactly how the key changes (if you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation).

I made this update to my XORSelection script, because I had to “manually” decode a Cobalt Strike beacon that was XOR-encoded with a changing XOR key (it is part of a WebLogic server attack). Later I included this decoding in my Cobalt Strike beacon analysis tool 1768.py.

The decoding shellcode is in the first 62 bytes (0x3E) of the file:

After the shellcode comes the XOR-key, the size and the beacon:

We can decode the beacon size, that is XOR-encoded with key 0x3F0882FB, as follows. Then we launch 010 Editor script XORSelection.1sc:

Provide the XOR key (prefix 0x is to indicate that the key is provided as hexadecimal byte values):

And then, after pressing OK, the bytes that contain the beacon size are decoded by XOR-ing them with the provided key:
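The constant-pool edit from the .class post above (change the CONSTANT_Utf8 entry's u2 length, then insert the extra byte, then re-check that the structure still parses) done programmatically, as an added example that is not code from the post or from 010 Editor. The 14-byte string "1.2 (20210922)" and the surrounding file bytes are a constructed sample, chosen to match the length 14 the post reports; the tail after the pool is an opaque stand-in for the rest of a real .class file.

```python
import struct

# Payload size in bytes for the fixed-size cp_info tags (JVM spec section 4.4).
# Tag 1 (CONSTANT_Utf8) is variable-length: u1 tag, u2 length, then `length` bytes.
CP_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_constant_pool(data):
    """Walk the constant pool; return ([(index, tag, payload_offset, payload_len)], end_offset)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a .class file (bad u4 magic)")
    entries, offset, index = [], 10, 1          # pool entries are numbered from 1
    while index < count:
        tag = data[offset]
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, offset + 1)
            entries.append((index, tag, offset + 3, length))
            offset += 3 + length
        else:
            size = CP_FIXED_SIZE[tag]           # KeyError here means a corrupt or unknown tag
            entries.append((index, tag, offset + 1, size))
            offset += 1 + size
        index += 2 if tag in (5, 6) else 1      # Long and Double occupy two pool slots
    return entries, offset

def extend_utf8(data, old, new):
    """Replace the first CONSTANT_Utf8 entry whose bytes equal `old`, rewriting its u2 length."""
    entries, _ = parse_constant_pool(data)
    for _index, tag, off, length in entries:
        if tag == 1 and data[off:off + length] == old:
            new_bytes = new.encode("utf-8")     # same as the JVM's modified UTF-8 for ASCII text
            return data[:off - 2] + struct.pack(">H", len(new_bytes)) + new_bytes + data[off + length:]
    raise ValueError("string not found in constant pool")

# Constructed sample: header (magic, minor, major, constant_pool_count=3), a 2-entry pool
# (Utf8 of length 14, then a Class entry pointing at it), then an opaque 6-byte tail.
SAMPLE = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 3)
          + b"\x01" + struct.pack(">H", 14) + b"1.2 (20210922)"
          + b"\x07" + struct.pack(">H", 1)
          + b"\x00\x21\x00\x02\x00\x00")

if __name__ == "__main__":
    patched = extend_utf8(SAMPLE, b"1.2 (20210922)", "1.2 (20210922a)")
    # The same check the post does by re-running the template: the pool must still parse
    # cleanly and the bytes after it must be untouched (only shifted by one).
    entries, end = parse_constant_pool(patched)
    print(entries, len(SAMPLE), len(patched), patched[end:] == SAMPLE[30:])
```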