Presentation & example of our ASM ripper

Published on 2012-05-29 14:00:00.

We are currently working on an ASM ripper written in Ruby. Its purpose is to execute ASM code extracted directly from a binary, without reimplementing it (useful for decoder/decrypter routines found in malware).

To do this we use metasm, a cross-architecture assembler, disassembler, compiler, linker and debugger written in Ruby.

The source code of our ripper is available here.


To show how the ripper works we will use the string decoder of the herpesnet binary.

Each encoded string is submitted to a decoder function (at 0x403034):


The pointer to the encoded string is passed in ecx. The function used to decode a string:


So we do not try to understand the ASM code, we only execute it. The script that drives the ripper (decode.rb):

#!/usr/bin/env ruby
# include the magic ripper
require "ripper.rb"
# ARGV[0] is the binary to rip
src = File.new(ARGV[0], 'rb')
# file offset of each encoded string (each one is 0x20 bytes long)
[ 0x1AE88, 0x1AEF0, 0x1AF54, 0x1AF88, 0x1AFEC, 0x1B020, 0x1B084, 0x1B0B8, 0x1B0EC, 0x1B120, 0x1B184 ].each do |off|
  src.sysseek(off, IO::SEEK_SET)
  string = src.sysread(0x20)
  # 0x403034 is the address of the function used to decode a string
  # "unsigned int decode();" is the prototype of the function decode()
  # the four [] are not used in this example
  # string contains the encoded string and must be stored in ecx
  # (the class names Spec and Ripper are assumed: the original listing lost them)
  specs = [Spec.new(ARGV[0], 0x403034, "unsigned int decode();", [], [], [], [], string)]
  worker = Ripper.new(specs)
  # the ripped code decodes the buffer in place, so string now holds the clear text
  puts string
end
src.close

You can add a 1 to the call to get a vi on the ripped ASM and edit it manually ;)
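One thing the script above glosses over: 0x403034 is a virtual address (where the decoder lives once the PE is mapped), while 0x1AE88 and the other values are raw file offsets (what sysseek expects). When the string offsets come from a disassembler rather than a hex editor, they have to be converted first. The helper below does that with the PE section table and no dependency on metasm. It is an added example, not code from the original post or from the ripper; the sample PE it builds is constructed here and its section layout is invented, not the layout of the herpesnet binary.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post or the ripper): convert between
# virtual addresses and file offsets using the PE section table.

# Parse the PE/COFF headers we need: ImageBase and the section table.
def parse_pe(data)
  data = data.b                                   # work on raw bytes
  e_lfanew = data[0x3c, 4].unpack('V')[0]
  raise 'not a PE file' unless data[e_lfanew, 4] == "PE\0\0"
  coff = e_lfanew + 4
  nsect = data[coff + 2, 2].unpack('v')[0]        # NumberOfSections
  opt_size = data[coff + 16, 2].unpack('v')[0]    # SizeOfOptionalHeader
  opt = coff + 20
  magic = data[opt, 2].unpack('v')[0]
  # ImageBase is at +28 (4 bytes) in a PE32 optional header, +24 (8 bytes) in PE32+
  image_base = if magic == 0x20b
                 data[opt + 24, 8].unpack('Q<')[0]
               else
                 data[opt + 28, 4].unpack('V')[0]
               end
  sections = (0...nsect).map do |i|
    hdr = data[opt + opt_size + i * 40, 40]       # section headers are 40 bytes each
    name, vsize, va, rsize, roff = hdr.unpack('a8VVVV')
    { name: name.delete("\0"), va: va, vsize: vsize, roff: roff, rsize: rsize }
  end
  { image_base: image_base, sections: sections }
end

# Virtual address -> file offset, or nil when the VA is not backed by bytes on disk.
def va_to_off(pe, va)
  rva = va - pe[:image_base]
  sec = pe[:sections].find do |s|
    rva >= s[:va] && rva < s[:va] + [s[:vsize], s[:rsize]].max
  end
  return nil unless sec
  off = rva - sec[:va] + sec[:roff]
  # Past SizeOfRawData the section is zero-filled at load time: nothing to rip there.
  off < sec[:roff] + sec[:rsize] ? off : nil
end

# File offset -> virtual address, or nil for bytes outside every section (e.g. headers).
def off_to_va(pe, off)
  sec = pe[:sections].find { |s| off >= s[:roff] && off < s[:roff] + s[:rsize] }
  sec && pe[:image_base] + sec[:va] + (off - sec[:roff])
end

# Constructed sample: a PE32 header with two sections and ImageBase 0x400000.
# The layout is invented for this example, it is not the herpesnet binary.
def build_sample_pe
  dos = 'MZ'.ljust(0x3c, "\0") + [0x80].pack('V') + "\0" * 0x40   # e_lfanew = 0x80
  coff = [0x14c, 2, 0, 0, 0, 0xE0, 0x102].pack('vvVVVvv')        # i386, 2 sections
  opt = ([0x10b].pack('v') + "\0" * 26 + [0x400000].pack('V')).ljust(0xE0, "\0")
  sect = ->(name, vsize, va, rsize, roff, flags) {
    [name, vsize, va, rsize, roff, 0, 0, 0, 0, flags].pack('a8VVVVVVvvV')
  }
  dos + "PE\0\0" + coff + opt +
    sect.call('.text', 0x19000, 0x1000, 0x19000, 0x400, 0x60000020) +
    sect.call('.rdata', 0x2000, 0x1A000, 0x2000, 0x19400, 0x40000040)
end

if __FILE__ == $0
  # With a path argument the real binary is parsed, otherwise the constructed sample.
  pe = parse_pe(ARGV[0] ? File.binread(ARGV[0]) : build_sample_pe)
  off = va_to_off(pe, 0x403034)
  puts "decoder VA 0x403034 -> file offset #{off ? '0x%x' % off : 'not on disk'}"
  va = off_to_va(pe, 0x1AE88)
  puts "string at file offset 0x1AE88 -> VA #{va ? '0x%x' % va : 'outside sections'}"
end
```

Run it without arguments to see the conversion on the constructed header, or with the path to a PE to map real addresses. The two nil cases matter in practice: a VA inside a section's virtual size but past its raw data has no bytes in the file, and a file offset inside the headers belongs to no section at all.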

So you rip & execute an ASM function in 3 lines of Ruby!!!

$ ./decode.rb db6779d497cb5e22697106e26eebfaa8