Metasm

Metasm is a cross-architecture assembler, disassembler, linker, and debugger.
It is written in such a way that it is easy to add support for new architectures.
For now, the following architectures are in:

  • Intel Ia32 (16 and 32 bits)
  • Intel X86_64 (aka Ia32 64 bits, X64, AMD64)
  • MIPS
  • PowerPC
  • Sh4

Low- and high-level debugging is supported (Ia32 only for now) under Windows, Linux and remotely (via a gdbserver). Metasm is included in Metasploit by default.

  • Install the Metasm gem:

      gem install metasm

    More about installation here.

Converting Assembly to Op-code - metasm-shell.rb

You can find metasm-shell in the RubyGems default path after installation. In my case, it's located in /var/lib/gems/2.1.0/gems/metasm-1.0.2/samples

  • Run it:

      $ ruby metasm-shell.rb
      type "exit" or "quit" to quit
      use ";" for newline
      asm>

As you can see, you are now at the shell's prompt.

  • Find assembly op-codes:

      asm> nop nop
      "\x90\x90"
      asm> call [eax]
      "\xff\x10"
      asm> push esp
      "\x54"
      asm> pop eax
      "\x58"
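The same assemble step that metasm-shell.rb performs, plus the reverse direction (raw bytes back to a listing, useful when reading code pulled from a memory dump), as an added example in Ruby that is not part of the original page or of the Metasm project. It assumes the metasm gem is installed (`gem install metasm`, as above) and uses the gem's `Metasm::Shellcode.assemble`, `encode_string`, `Metasm::Shellcode.decode` and `disassemble` calls; the helper names `assemble_to_bytes`, `disassemble_bytes` and `bytes_to_escaped` are this example's own. The ";"-as-newline convention from the shell is reproduced explicitly, and a 64-bit CPU object (`Metasm::X86_64`) is shown next to the 32-bit one:

```ruby
# Added example (not from the Metasm project or the original page).
# Assumes the metasm gem is installed; the require is guarded so the
# pure-Ruby helper below still loads without it.
begin
  require 'metasm'
  METASM_AVAILABLE = true
rescue LoadError
  METASM_AVAILABLE = false
  warn 'metasm gem not found; run: gem install metasm'
end

# Render raw bytes the way metasm-shell prints them, e.g. "\x90\x90".
# Every byte gets a two-digit hex escape so output is unambiguous
# (String#inspect would print 0x54 as the literal "T").
def bytes_to_escaped(bytes)
  '"' + bytes.each_byte.map { |b| format('\\x%02x', b) }.join + '"'
end

# Assemble a source string into machine-code bytes for the given CPU.
# ';' is treated as a newline, matching the shell's "use ';' for newline".
def assemble_to_bytes(src, cpu = Metasm::Ia32.new)
  sc = Metasm::Shellcode.assemble(cpu, src.gsub(';', "\n"))
  sc.encode_string.b
end

# Disassemble raw bytes into a list of instruction strings, so bytes from
# a capture or memory dump can be read as assembly (hypothetical helper).
def disassemble_bytes(bytes, cpu = Metasm::Ia32.new, base = 0)
  sc = Metasm::Shellcode.decode(bytes, cpu)
  sc.base_addr = base
  dasm = sc.disassemble(base)
  dasm.decoded.sort.map { |_addr, di| di.instruction.to_s }
end

if __FILE__ == $PROGRAM_NAME && METASM_AVAILABLE
  # Same inputs as the shell session above; prints the same escaped bytes.
  ['nop; nop', 'call [eax]', 'push esp', 'pop eax'].each do |src|
    puts "#{src.ljust(12)} => #{bytes_to_escaped(assemble_to_bytes(src))}"
  end
  # 64-bit code needs a different CPU object.
  puts bytes_to_escaped(assemble_to_bytes('push rsp; pop rax', Metasm::X86_64.new))
  # Reverse direction: constructed sample bytes (push esp; pop eax).
  p disassemble_bytes("\x54\x58".b)
end
```

Run it as a script to print the table; the functions can also be required from another script. Passing the CPU object explicitly matters because the same mnemonic encodes differently between Ia32 and X86_64, so always assemble and disassemble with the CPU of the target being analysed.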

More usage examples will be added for this awesome library.
