We currently work on a ASM ripper in ruby. The purpose is to execute directly ASM code extract from a binary (usefull for decoder/decrypter)
To perform this work we decided to use metasm that is a cross-architecture assembler, disassembler, compiler, linker and debugger write in Ruby : http://code.google.com/p/metasm/
The code source of our ripper is available here
To show how the ripper works we will use the herpesnet decoder.
The encoded strings are submited to a decoder function (0x403034):
The encoded strings are stored in ecx. The function uses to decode string:
So we do not try to understand the ASM code but only use it… The code source of the ripper:
#!/usr/bin/env ruby # include the magic ripper require "ripper.rb" # a loop to get each encoded string for a in [ 0x1AE88, 0x1AEF0, 0x1AF54, 0x1AF88, 0x1AFEC, 0x1B020, 0x1B084, 0x1B0B8, 0x1B0EC, 0x1B120, 0x1B184 ] srcFile = File.open(ARGV, 'r') srcFile.seek(a, IO::SEEK_SET) string = srcFile.sysread(0x20) # ARGV in the binary to rip # 0x403034 is the adress of the function use to decode string # "unsigned int decode();" is the prototype of the function decode() # each , , ,  are not used in this example # string contain the encoded string and must be store in ecx specs = [Spec.new(ARGV, 0x403034,"unsigned int decode();", , , , , string)] worker = Ripper.new(specs) worker.runner.decode() puts string end
You can add a 1 to the Ripper.new() to get a vi on the ASM and manualy edit it ;)
So you rip & execute an ASM function in 3 lines of ruby !!!
email@example.com$ ./decode.rb db6779d497cb5e22697106e26eebfaa8 gpresultl http://dd.zeroxcode.net/herpnet/ 74978b6ecc6c19836a17a3c2cd0840b0 http://www.zeroxcode.net/herpnet ftp.zeroxcode.net http://frk7.mine.nu/herpnet/ firstname.lastname@example.org uppit hwfqfqooatstwuuhhtstshwq esstttubbb Nfusheapfzk