I have the disassembled code of a shellcode:
shellex: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: b0 46 mov $0x46,%al
8048064: 31 db xor %ebx,%ebx
8048066: 31 c9 xor %ecx,%ecx
8048068: cd 80 int $0x80
804806a: eb 16 jmp 8048082 <ender>
0804806c <starter>:
804806c: 5b pop %ebx
804806d: 31 c0 xor %eax,%eax
804806f: 88 43 07 mov %al,0x7(%ebx)
8048072: 89 5b 08 mov %ebx,0x8(%ebx)
8048075: 89 43 0c mov %eax,0xc(%ebx)
8048078: b0 0b mov $0xb,%al
804807a: 8d 4b 08 lea 0x8(%ebx),%ecx
804807d: 8d 53 0c lea 0xc(%ebx),%edx
8048080: cd 80 int $0x80
08048082 <ender>:
8048082: e8 e5 ff ff ff call 804806c <starter>
8048087: 2f das
8048088: 62 69 6e bound %ebp,0x6e(%ecx)
804808b: 2f das
804808c: 73 68 jae 80480f6 <ender+0x74>
804808e: 4e dec %esi
804808f: 58 pop %eax
8048090: 58 pop %eax
8048091: 58 pop %eax
8048092: 58 pop %eax
8048093: 59 pop %ecx
8048094: 59 pop %ecx
8048095: 59 pop %ecx
8048096: 59 pop %ecx
And I want to extract it like this:
\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\
x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x
69\x6e\x2f\x73\x68\x4e\x58\x58\x58\x58\x59\x59\x59\x59
This is as far as I have got, but I don't know how to continue. It is important to note that between the first line and the second one there is no blank space. This is what I have done so far:
objdump -d shell | sed 's/^ //g' | grep ^[0-9].*[0-9a-z]: | tr -s " " | cut -d \t -f1 | sed 's/[a-z]{3}//g'
And I have got to this point:
8048060: 31 c0 xor %eax,%eax
8048062: b0 46 mov $0x46,%al
8048064: 31 db xor %ebx,%ebx
8048066: 31 c9 xor %ecx,%ecx
8048068: cd 80 in
804806a: eb 16 jmp 0x8048082
804806c: 5b pop %ebx
804806d: 31 c0 xor %eax,%eax
804806f: 88 43 07 mov %al,0x7(%ebx)
8048072: 89 5b 08 mov %ebx,0x8(%ebx)
8048075: 89 43 0c mov %eax,0xc(%ebx)
8048078: b0 0b mov $0xb,%al
804807a: 8d 4b 08 lea 0x8(%ebx),%ecx
804807d: 8d 53 0c lea 0xc(%ebx),%edx
8048080: cd 80 in
8048082: e8 e5 ff ff ff call 0x804806c
8048087: 2f das
8048088: 62 69 6e bound %ebp,0x6e(%ecx)
804808b: 2f das
804808c: 73 68 jae 0x80480f6
804808e: 4e dec %esi
804808f: 58 pop %eax
8048090: 58 pop %eax
8048091: 58 pop %eax
8048092: 58 pop %eax
8048093: 59 pop %ecx
8048094: 59 pop %ecx
8048095: 59 pop %ecx
8048096: 59 pop %ecx
Still very far from the solution.
Thank you in advance
I think you are missing a point here. Just use a HEX editor (free one here). You will find the opcodes that represent what you are after. If you want to view it as "\x", just prepend \x to every byte.
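As an added example that is not part of the question or of the answer above: a POSIX shell script that does the extraction the question asks for directly from `objdump -d` output, using objdump's tab-separated columns (address, bytes, mnemonic) rather than the hex-editor route. The `sample_objdump` function is a constructed stand-in for `objdump -d shell`, the listing from the question re-typed with objdump's real tab layout, so the script runs offline; pass a binary path as the first argument to run it against a real file. It also counts the bytes and checks for NUL bytes, which is the first thing to verify before the string is used as shellcode.

```shell
#!/bin/sh
# Added example (not from the original post): turn `objdump -d` output into
# a "\x.." byte string, then sanity-check it.
# Usage:  sh extract.sh            (runs on the constructed sample below)
#         sh extract.sh ./shell    (runs objdump -d on a real binary)

# Read `objdump -d` output on stdin, print the bytes as \x.. on stdout.
# objdump separates address, byte column and mnemonic with tabs, so we keep
# lines whose first tab-separated field is "<hex address>:" (this skips the
# "file format", "Disassembly of section" and "<symbol>:" lines) and take the
# byte column only. Continuation lines of long instructions carry bytes but
# no mnemonic; they still match and are kept.
extract_shellcode() {
    awk -F'\t' '$1 ~ /^ *[0-9a-f]+:$/ && NF >= 2 { print $2 }' \
        | tr -d ' \n' \
        | sed 's/[0-9a-f]\{2\}/\\x&/g'
}

# Number of bytes in a \x.. string (every "\x" starts one byte).
shellcode_len() {
    printf '%s' "$1" | sed 's/\\x/ /g' | wc -w | tr -d ' '
}

# Succeeds (exit 0) if the string contains a NUL byte, which would cut the
# shellcode short when it is delivered through a C string (strcpy & co).
has_nul_byte() {
    printf '%s' "$1" | grep -q '\\x00'
}

# One instruction line in objdump's layout: " <addr>:<TAB><bytes><TAB><asm>".
ins() { printf ' %s:\t%s   \t%s\n' "$1" "$2" "$3"; }

# Constructed stand-in for `objdump -d shell` (the listing from the question).
sample_objdump() {
    printf '%s\n' '' 'shellex:     file format elf32-i386' '' \
        'Disassembly of section .text:' '' '08048060 <_start>:'
    ins 8048060 '31 c0' 'xor    %eax,%eax'
    ins 8048062 'b0 46' 'mov    $0x46,%al'
    ins 8048064 '31 db' 'xor    %ebx,%ebx'
    ins 8048066 '31 c9' 'xor    %ecx,%ecx'
    ins 8048068 'cd 80' 'int    $0x80'
    ins 804806a 'eb 16' 'jmp    8048082 <ender>'
    printf '%s\n' '' '0804806c <starter>:'
    ins 804806c '5b' 'pop    %ebx'
    ins 804806d '31 c0' 'xor    %eax,%eax'
    ins 804806f '88 43 07' 'mov    %al,0x7(%ebx)'
    ins 8048072 '89 5b 08' 'mov    %ebx,0x8(%ebx)'
    ins 8048075 '89 43 0c' 'mov    %eax,0xc(%ebx)'
    ins 8048078 'b0 0b' 'mov    $0xb,%al'
    ins 804807a '8d 4b 08' 'lea    0x8(%ebx),%ecx'
    ins 804807d '8d 53 0c' 'lea    0xc(%ebx),%edx'
    ins 8048080 'cd 80' 'int    $0x80'
    printf '%s\n' '' '08048082 <ender>:'
    ins 8048082 'e8 e5 ff ff ff' 'call   804806c <starter>'
    ins 8048087 '2f' 'das'
    ins 8048088 '62 69 6e' 'bound  %ebp,0x6e(%ecx)'
    ins 804808b '2f' 'das'
    ins 804808c '73 68' 'jae    80480f6 <ender+0x74>'
    ins 804808e '4e' 'dec    %esi'
    ins 804808f '58' 'pop    %eax'
    ins 8048090 '58' 'pop    %eax'
    ins 8048091 '58' 'pop    %eax'
    ins 8048092 '58' 'pop    %eax'
    ins 8048093 '59' 'pop    %ecx'
    ins 8048094 '59' 'pop    %ecx'
    ins 8048095 '59' 'pop    %ecx'
    ins 8048096 '59' 'pop    %ecx'
}

if [ "$#" -eq 0 ]; then
    sc=$(sample_objdump | extract_shellcode)
else
    sc=$(objdump -d "$1" | extract_shellcode)
fi
printf '%s\n' "$sc"
printf '%s bytes\n' "$(shellcode_len "$sc")"
if has_nul_byte "$sc"; then
    echo 'warning: shellcode contains NUL bytes'
fi
```

The `awk` filter is what the question's `grep`/`cut` pipeline was trying to do: `cut -d \t` passes a literal `t` as the delimiter to `cut` (the shell strips the backslash), which is why `int` came out as `in`, and `sed 's/[a-z]{3}//g'` is a no-op because `{3}` is not an interval in basic regular expressions. Selecting the second tab-separated field avoids both problems, and a byte count of 55 (0x8048097 - 0x8048060) confirms nothing was dropped.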