scdbg updates


Author: David Zimmer
Date: 07.14.13 - 1:16pm



just a quick note on some scdbg updates.

The -f load file option can now accept %u, %xx, \x, and raw hex blobs as input, as well as the traditional raw binary blobs. The converters ignore leading white space and common separator characters such as plus signs, quotes, tabs, commas, new lines, spaces, and semicolons. If you want to double check the converted buffer, you can use -conv to dump it to disk as binary data, -dump to view a hexdump of it, or you can examine it in memory from the debug shell.

-findsc mode has been enhanced: if it can't locate any shellcode on the first pass, it will now -bswap (byte swap) the input buffer and try again; if that fails, it will -eswap (endian swap) the original buffer and try one more time. Reliability of -findsc mode has also been increased; there was previously a strange bug that could crop up because the libemu environment was not being reset enough in between runs. (I should port this fix back to the *nix build eventually.)
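To make the two paragraphs above concrete, here is an added example (my own code, not scdbg's converter or its findsc implementation) that decodes the text encodings the -f loader now accepts, falls back to treating the input as raw binary when it is not text, and produces the three buffers in the order -findsc tries them. The %u decoding (16-bit unit stored little-endian), the separator set, and the exact meaning of -bswap (swap adjacent byte pairs) and -eswap (reverse each 4-byte dword) are my assumptions about the tool's behaviour; the sample input is constructed.

```python
import re
import struct

# Separator characters the converter ignores before tokenizing: whitespace
# (spaces, tabs, newlines), plus signs, quotes, commas and semicolons.
_SEPARATORS = re.compile(r'[\s+"\',;]+')

# One alternative per encoding the post lists.  Each match consumes exactly
# one encoded unit; anything that matches none of them is an error.
_TOKEN = re.compile(
    r'%u([0-9a-fA-F]{4})'     # %uXXXX  -> 16-bit unit, stored little-endian
    r'|%([0-9a-fA-F]{2})'     # %XX     -> one byte
    r'|\\x([0-9a-fA-F]{2})'   # \xXX    -> one byte
    r'|([0-9a-fA-F]{2})'      # XX      -> raw hex pair, one byte
)


def text_to_bytes(text):
    """Convert %u / %xx / \\x / raw-hex text into a binary buffer.

    Raises ValueError at the first character that belongs to none of the
    four encodings, so a caller can fall back to treating the input as raw.
    """
    s = _SEPARATORS.sub('', text)
    out = bytearray()
    pos = 0
    while pos < len(s):
        m = _TOKEN.match(s, pos)
        if m is None:
            raise ValueError('unrecognized input at offset %d: %r' % (pos, s[pos:pos + 8]))
        u16, pct, esc, raw = m.groups()
        if u16 is not None:
            # %u escapes are UTF-16 code units; a heap spray lays them out
            # little-endian in memory, so %u4142 becomes the bytes 42 41.
            out += struct.pack('<H', int(u16, 16))
        else:
            out.append(int(pct or esc or raw, 16))
        pos = m.end()
    return bytes(out)


# Bytes that can appear in a text-encoded blob: printable ASCII plus tab/CR/LF.
_TEXT_BYTES = frozenset(range(0x20, 0x7f)) | frozenset((0x09, 0x0a, 0x0d))


def load_buffer(data):
    """Emulate the -f loader: decode text encodings, else keep the raw binary.

    Caveat: a raw binary whose bytes all happen to be hex digits would be
    mis-decoded as text; this is exactly the case -conv / -dump let you check.
    """
    if all(b in _TEXT_BYTES for b in data):
        try:
            return text_to_bytes(data.decode('ascii'))
        except ValueError:
            pass
    return bytes(data)


def bswap(buf):
    """Swap each pair of adjacent bytes: 01 02 03 04 05 -> 02 01 04 03 05.
    Assumed reading of -bswap; a trailing odd byte is left in place."""
    out = bytearray(buf)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def eswap(buf):
    """Reverse each 4-byte dword: 01 02 03 04 05 -> 04 03 02 01 05.
    Assumed reading of -eswap; trailing bytes short of a dword are left as-is."""
    whole = len(buf) - len(buf) % 4
    out = bytearray()
    for i in range(0, whole, 4):
        out += buf[i:i + 4][::-1]
    out += buf[whole:]
    return bytes(out)


def findsc_attempts(buf):
    """Buffers in the order -findsc tries them: the original, the byte-swapped
    original, then the endian-swapped *original* (not the byte-swapped copy)."""
    return [('original', buf), ('bswap', bswap(buf)), ('eswap', eswap(buf))]


if __name__ == '__main__':
    # Constructed sample: a heap-spray style %u string wrapped in the kind of
    # quote/plus/semicolon soup you get when pasting out of a JavaScript file.
    sample = b'"%u9090%u9090" + "%uCC90";\n'
    for label, candidate in findsc_attempts(load_buffer(sample)):
        print('%-8s %s' % (label, candidate.hex()))
```

Note the order of the regex alternatives: a `%u` unit is tried before `%xx`, and raw hex pairs come last so they never swallow the `%` or `\` of an escape. An odd trailing hex digit or a stray non-hex character raises rather than being silently dropped, which is the behaviour you want when the converted buffer is about to be executed.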

When experimenting with handling ROP shellcodes, I added the -rop, -raw, -wint, and -wstr commands. -raw is like -path except it loads raw file data into memory; -wint and -wstr are both handy for manually patching up shellcode just before execution. You can even run data just entered with any of these by adding -nofile to the command line. -dllmap has also been added to the main command line (previously an undocumented command from the debug shell prompt); it now also shows the dll version, which is useful if you are playing with rop chains.

In addition to the existing -d directory mode (or dropping a folder on the scdbg icon), it can now also process .scmd files. These are basically just a listing of command line options in a flat text file, but they can include comments and new lines for easy reading and modification.

Currently we are up to 199 implemented APIs across 12 dlls, with 244 opcodes supported. These stats, along with the specific APIs supported, are available through the -hooks command line option.

That's all that's coming to mind. Cutting edge binaries are always available on github, with the latest stable build in the main download package.

In other news, shellcode_2_exe has also received some updates. The new Detect Type option will auto detect shell scripts, javascript, perl, text, flash, executables, and low entropy data, and display them appropriately. The hexdump option has also been enhanced with some more tools, such as the capability to perform various byte swaps, a signature scanner, an xor scanner, an entry point scanner, and a web disassembler. Several x64 husks are also provided should you need them.
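The post does not say how Detect Type or the xor scanner decide anything, so the following is an added example of my own, not shellcode_2_exe code: a minimal type detector for the categories listed (magic bytes for executables and flash, shebangs and a few assumed keyword heuristics for scripts, a Shannon-entropy threshold for "low entropy") plus a single-byte XOR key scanner of the kind an analyst uses to spot an XOR-encoded PE inside a blob. The entropy threshold, the keyword heuristics, the needle strings and the sample data are all assumptions I constructed for illustration.

```python
import math
import re

# Magic-byte signatures for the listed types that have well-known headers.
_MAGIC = [
    (b'MZ', 'executable'),
    (b'FWS', 'flash'),   # uncompressed SWF
    (b'CWS', 'flash'),   # zlib-compressed SWF
    (b'ZWS', 'flash'),   # LZMA-compressed SWF
]

# Keyword heuristics (assumed, not the tool's): enough to tell a typical
# exploit-page script from plain text, not a real parser.
_JS_TOKENS = ('unescape(', 'eval(', 'document.write', 'String.fromCharCode')
_PERL_RE = re.compile(r'^\s*(?:use strict;|my \$\w+|sub \w+\s*\{)', re.M)


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_type(data, low_entropy=1.0):
    """Classify a blob into one of the categories the post lists.

    Order matters: magic bytes first (an MZ header is an executable even if the
    rest is padding), then the entropy floor (assumed at 1.0 bits/byte), then
    text-only classification.  Anything non-text with no magic is 'binary'.
    """
    for magic, name in _MAGIC:
        if data.startswith(magic):
            return name
    if shannon_entropy(data) < low_entropy:
        return 'low entropy'
    try:
        text = data.decode('ascii')
    except UnicodeDecodeError:
        return 'binary'
    if not all(ch.isprintable() or ch in '\t\r\n' for ch in text):
        return 'binary'
    head = text.lstrip().split('\n', 1)[0]
    if head.startswith('#!'):
        return 'perl' if 'perl' in head else 'shell script'
    if any(tok in text for tok in _JS_TOKENS):
        return 'javascript'
    if _PERL_RE.search(text):
        return 'perl'
    return 'text'


# Strings that survive inside any normal PE: the DOS stub header and message.
_PE_NEEDLES = (b'MZ\x90\x00', b'This program', b'PE\x00\x00')


def xor_scan(data, needles=_PE_NEEDLES, max_len=0x10000):
    """Brute-force single-byte XOR keys over the first max_len bytes.

    Returns {key: [(offset, needle), ...]} for every key under which at least
    one needle appears in the decoded data.  Key 0 is the plaintext and is
    skipped; a detect_type() of 'executable' already covers that case.
    """
    sample = data[:max_len]
    hits = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in sample)
        found = []
        for needle in needles:
            off = decoded.find(needle)
            while off != -1:
                found.append((off, needle))
                off = decoded.find(needle, off + 1)
        if found:
            hits[key] = sorted(found)
    return hits


def sample_xored_pe(key=0x5a):
    """Constructed sample: a fake DOS stub plus high-entropy filler, XORed
    with a single-byte key as a dropper might store its payload."""
    stub = (b'MZ\x90\x00' + b'\x00' * 60
            + b'This program cannot be run in DOS mode.\r\n'
            + bytes(range(256)))
    return bytes(b ^ key for b in stub)


if __name__ == '__main__':
    blob = sample_xored_pe()
    print('detect_type:', detect_type(blob))          # no MZ magic once encoded
    for key, found in xor_scan(blob).items():
        print('key 0x%02x ->' % key, found)
```

The detector reports the XOR-encoded sample as plain binary because the MZ magic is gone, which is exactly when you reach for the xor scanner; requiring a needle longer than two bytes (the DOS stub message, or MZ followed by its usual `90 00`) keeps the 255-key brute force from drowning you in chance two-byte matches.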
