010 editor error
010 Editor is one of few commercial applications that I use daily. It’s a powerful binary editor with scripting and templates. I needed to modify a .class file: extend a string inside that class. Before going the route of decompiling / editing / recompiling, I tried with 010 Editor. Here is the file opened inside the editor: When opening the file, 010 Editor recognized the .class extension and installed and ran the template for .class files. That’s what I wanted to know: is there a template for .class files? Here is how you can apply a template manually, in case the file extension is not the original extension: And this is how the template results look like: Under the hex/ascii dump, the template results are displayed: a set of nested fields that match the internal structure of .class files. For example, the first field I selected here, u4 magic, is the magic header of a .class file. The string is to be changed into something like “1.2 (20210922a)”. Doing so will make the string longer, thus I need to add a byte to the file (trivial), but I also need to make sure that the binary structure of the .class file remains valid: for example, if there is something in that structure like a field length, I need to change the field length too.

I’m not familiar with the internal structure of .class files, that’s why I’m using 010 Editor’s .class template, hoping that the template will make it clear to me what needs to be changed. To find the template result field I need to modify, I position my cursor on the string I want to modify inside the ASCII dump, I right-click and select “Jump To Template Variable”: Which selects the corresponding template variable: So my cursor was on the 10th byte of the string, which is part of template variable cp_info constant_pool. From that I gather that the string I want to modify is inside a pool of constants. And here I can see which bytes inside the .class file make up this constant: It’s not only the string, but also bytes that represent the tag and length. The length is 14, that’s indeed the length of the string I want to extend. Since I want to add 1 character, I change the length from 14 to 15: I can do that inside the template results by double-clicking the value 14, I don’t need to make that change inside the hexdump: Next I need to add a character to the string. I have to make sure that the editor is in insert mode (INS), so that when I type characters, they are inserted at the cursor, instead of overwriting existing bytes: So I have changed the constant string I wanted to change. Maybe there are more changes to make to the internal structure of this .class file, like other length fields … I don’t know. But what I do as an extra check is: save the modified file and run the template again. It runs without errors, and the result looks good. So I guess there are no more changes to make, and I decide to try out my modified .class file and see what happens: it works, so there are no other changes to make.

I released an update to my 010 Editor script XORSelection.1sc. 010 is a binary editor with a scripting engine. XORSelection.1sc is a script I wrote years ago, that will XOR-encode a (partial) file open in the editor. The first version just accepted a printable, arbitrary-length string as XOR-key. Later versions accepted a hexadecimal key too, and introduced various options. With version 6.0, I add support for a dynamic XOR-key. That is a key that changes while it is being used. It can change, one byte at a time, before or after each byte-level XOR operation is executed. Hence option cb means change before, and ca means change after.

I made this update to my XORSelection script, because I had to “manually” decode a Cobalt Strike beacon that was XOR-encoded with a changing XOR key (it is part of a WebLogic server attack). Watch this video to understand exactly how the key changes (if you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation).

The decoding shellcode is in the first 62 bytes (0x3E) of the file: After the shellcode comes the XOR-key, the size and the beacon: We can decode the beacon size, that is XOR-encoded with key 0x3F0882FB, as follows. Then we launch 010 Editor script XORSelection.1sc: Provide the XOR key (prefix 0x is to indicate that the key is provided as hexadecimal byte values): And then, after pressing OK, the bytes that contain the beacon size are decoded by XOR-ing them with the provided key: This beacon size (bytes 00 14 04 00) is a little-endian, 32-bit integer: 0x041400. To decode the beacon, we select the encoded beacon and launch script XORSelection.1sc again: This time, we need to provide an option to change the XOR-decoding process. Later I included this decoding in my Cobalt Strike beacon analysis tool 1768.py.
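As an added example (not code from the post, from XORSelection.1sc or from 1768.py), here is a Python sketch of what the XORSelection post above describes: the 62-byte decoder stub, the 4-byte key, the XOR-encoded little-endian size, and a byte-level XOR whose key changes before (cb) or after (ca) each operation. The key-change rule rotate_left and the sample blob built by build_sample are constructed for this demo; the rule the real beacon uses is the one explained in the video, not this one.

```python
import struct

SHELLCODE_LEN = 0x3E  # the decoder stub occupies the first 62 bytes (from the post)
KEY = bytes.fromhex("3F0882FB")  # the XOR key quoted in the post

def parse_stager(blob: bytes):
    """Split a blob into (shellcode, key, encoded size, encoded beacon),
    following the layout the post describes: 62-byte decoder, 4-byte
    XOR key, 4-byte XOR-encoded size, then the XOR-encoded beacon."""
    if len(blob) < SHELLCODE_LEN + 8:
        raise ValueError("blob too short for the stager layout")
    shellcode = blob[:SHELLCODE_LEN]
    key = blob[SHELLCODE_LEN:SHELLCODE_LEN + 4]
    enc_size = blob[SHELLCODE_LEN + 4:SHELLCODE_LEN + 8]
    return shellcode, key, enc_size, blob[SHELLCODE_LEN + 8:]

def xor_static(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, as XORSelection.1sc does with a fixed key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_size(enc_size: bytes, key: bytes) -> int:
    """Size field: XOR-encoded with the key, stored as little-endian 32-bit."""
    return struct.unpack("<I", xor_static(enc_size, key))[0]

def rotate_left(key: bytearray) -> None:
    """Constructed key-change rule for this demo only (NOT the beacon's rule):
    rotate the key one byte to the left, in place."""
    key[:] = key[1:] + key[:1]

def xor_dynamic(data: bytes, key: bytes, mode: str, update=rotate_left) -> bytes:
    """Byte-level XOR with a key that changes while it is used.
    'cb' = change before: update() runs before each byte is XORed;
    'ca' = change after: update() runs after each byte is XORed.
    update() depends only on the key, so the same call decodes what it encoded."""
    if mode not in ("cb", "ca"):
        raise ValueError("mode must be 'cb' or 'ca'")
    k, out = bytearray(key), bytearray()
    for i, b in enumerate(data):
        if mode == "cb":
            update(k)
        out.append(b ^ k[i % len(k)])
        if mode == "ca":
            update(k)
    return bytes(out)

def build_sample(beacon: bytes, mode: str = "ca") -> bytes:
    """Constructed stager blob: NOP placeholder stub, key, encoded size, beacon."""
    stub = b"\x90" * SHELLCODE_LEN
    enc_size = xor_static(struct.pack("<I", len(beacon)), KEY)
    return stub + KEY + enc_size + xor_dynamic(beacon, KEY, mode)
```

Decoding the constructed sample with the wrong option (cb instead of ca) yields garbage, which is the check to make when the chosen option does not give a valid beacon.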