Who can decrypt this code?

Here are some examples of the weird code that I see in our access logs. Can anyone decode this?

For instance:

\xb3\xe1\xdd=H\t\xd5\xd2\xf0ml\xf1\x10\xee/\xa0$\xeaY\xa5\xe7\x81d \xd5\x1f\xd9 QI\xd9\'\xfb4I\xb8\xf3\x1d0:\xb5i\x18Q\x02\xa5\x10$\xdd\xcf\xfa\xc2\xfa\x15\xd0\xa8\xa5\xfc\xb2\xda\xb9\x9bA_\x89\xc4~\x0e\x0ebg*>\x18\x12\x9aniA\xf6\xfc\x85%]\x1d\xa6\x16\xfe\x96\x13\xe1\xd8\xb2\xf3i~\xde\xec6\xdbgW\xc3c\xac2\x7f\x9f&\xa5\xce\x14B8~8\xbe\xff1\xa8\xe6\x9a\x9d\xf7 \x14\x10\x9d\xce\xda\x06\x93r\xe7\x86\x98\xa1\x85^\xfa\x93\xf1\x94G\x95\xc0\x1b\xc9\x81\xcb<\x04/\x836E\x85\xbd\xae%\x07D\xe9j\x80\x7f=\xccWW\x04.\xbe\x0f\xb6\x8c 

Now, if we leave out all unreadable characters, we get:

 =H\tml/$Yd QI'4I0:iQ$A_~bg*>niA%]i~6gWc2&B8~81 r^G</6E%Dj=WW. 

The "H\tml" part at the beginning may suggest that the above code contains some HTML code, or could it just be a coincidence?

Here are some more examples:

 \xbdl\x1cq\x1e\xf65\ xe3@3 \xd8E\xa8\xf7\xc0e\x10\xfe\x15\xbfzhap\xff\xe6i\x9cq\xe3bGm\x81DWQ\xf5\x94\xbav~\\\xaa\xd0\xed\xdfl\x028\x1d\xcds\x07H\x02\x04\xf2\x8fU\xe0\xd6x,\x9f\x98)\xe8\x1c \xc7\xdd\xd7\xea\xd0\x12h^\xb4\xd0\x85G\xdb\xe4 \xe6\xabYM\xf36\"<\xb6\x1e\xeak]\x93\xc2D\xfa\xc4\xe9\xa93,b\xf5\x80\x15\x92L5\x02\xc3GY\xa7k\x7f\xa2\xfd}\xa2%+\x14\xf5\xe8\x95\x1f\xe2\xef\xd41 st|]%Y\xbf\xeaj\xe9<z\xbb\xfb\xe76\xbbf>\xe9\x1dU{\xaf\x97\x1b\x9e\xf3&\x9b\x87t{\xf3O0\x8c`TQ\xdc\xbd.\xee\xff\x9cEG\xabU\xc5 \xfc[\xe0\x0f\xa5jK\x85\x92\xb2\x90\x96E\xba\x9c\x9c\xa5\xccA`\v\xa0\xd7>3\t\x89u\x11\x817\xa5\xb2\x83\xfa\x89A\x14\x07\xe1\xc4>\"\xb4\x02m\xe4\x9eZ\x9b>\xb0\xe5\x9c\x15\xa0p\xado:\xb4\x1d\x1a\xb7\xb1\x1c\x0f\xa3\xadz-\xdc\xb5q\xb9\xfc\xb95g\xb8\xa8 \xd2t\xa3\x90\xe7N\xa7e \x15I\xe6\x1b\xdbNB5\xfa3\xed\xfdG\t\x19(\xe1\x9f wo\x01\xb9\x98\xa6q.\x0c&\xba\x1dnXN\xce\xb7\xd3\x99\xfd\x12>*\xa5\x89\xc9\xb2 lQ\x89\xcc\x9f\x113+\xb5\xc4\x86\xb6g\x97\x15]\x98g\xc1\xa1\xa8\xfeK\x03\xb5w\xe4\xf8&\xc8`1\x8c\x1c\x88\x82\xc2]\x8d&\xbc\x8cU&4\xc5[jS \xb0\xed\xf7m{\x95i \xbdl\x1cq\x1e\xf65\ xe3@3 \xd8E\xa8\xf7\xc0e\x10\xfe\x15\xbfzhap\xff\xe6i\x9cq\xe3bGm\x81DWQ\xf5\x94\xbav~\\\xaa\xd0\xed\xdfl\x028\x1d\xcds\x07H\x02\x04\xf2\x8fU\xe0\xd6x,\x9f\x98)\xe8\x1c \xc7\xdd\xd7\xea\xd0\x12h^\xb4\xd0\x85G\xdb\xe4 \xe6\xabYM\xf36\"<\xb6\x1e\xeak]\x93\xc2D\xfa\xc4\xe9\xa93,b\xf5\x80\x15\x92L5\x02\xc3GY\xa7k\x7f\xa2\xfd}\xa2%+\x14\xf5\xe8\x95\x1f\xe2\xef\xd41 

We often see such codes in our logs, like millions of times a day. I am very interested in their contents :))

More code is also available at http://pastebin.com/ZcXM5NHs

+6
security encoding character-encoding
5 answers

This certainly looks like an attempt to exploit a suspected buffer overflow vulnerability on your server. I think this is x86 code. You can decode it in PHP, for example:

 <?php echo("\xbdl\x1cq\x1e\xf65\ xe3@3... ");

If you put the output in a file, you can open it in a disassembler and see the assembler instructions, although I do not think you will get any valuable information from looking at them.

These are scanning attacks; there is a chance that someone will deliberately target your server.

+6

This is for decoding back to binary. (Note: the backslash escape list may not be complete; I just typed in the usual suspects.)

#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or 0 if the character is not a hex digit. */
static unsigned hexval(int ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return 10 + (ch - 'a');
    if (ch >= 'A' && ch <= 'F') return 10 + (ch - 'A');
    return 0;
}

int main(void)
{
    char buff[2000];
    size_t len, pos;
    int ch;
    unsigned val;

    while (fgets(buff, sizeof buff, stdin)) {
        len = strlen(buff);
        while (len && buff[len-1] == '\n') buff[--len] = 0;   /* strip trailing newline */
        for (pos = 0; pos < len; pos++) {
            ch = buff[pos];
            if (ch != '\\') { putc(ch, stdout); continue; }   /* ordinary character */
            switch (ch = buff[++pos]) {                        /* character after the backslash */
            case '\\': case '\'': case '"': putc(ch, stdout); break;
            case 't': putc('\t', stdout); break;
            case 'n': putc('\n', stdout); break;
            case 'r': putc('\r', stdout); break;
            case 'a': putc('\a', stdout); break;
            case 'v': putc('\v', stdout); break;
            case 'b': putc('\b', stdout); break;
            case ' ': putc(' ', stdout); break;                /* "\ " as it appears in the pasted samples */
            case 'x':                                          /* \xNN: two hex digits give one byte */
                if (pos + 2 >= len) break;                     /* truncated \x escape at end of line */
                val = hexval(buff[++pos]) << 4;
                val |= hexval(buff[++pos]);
                putc(val, stdout);
                break;
            default: putc(ch, stdout); break;                  /* unknown escape: keep the character */
            }
        }
    }
    return 0;
}

The bad news: the unescaped strings don't seem to give valid x86 code. Perhaps it is encrypted, with a decryptor/bootstrap at the end, next to the overflow part. Disclaimer: I am not an expert in assembly.

+3
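As an added example (not code from any of the answers above), here is the same unescaping step in Python, applied to a constructed sample line in the question's \xNN / \t style, together with the "drop the unreadable characters" view from the question and a small byte-statistics triage that shows why such a payload reads as binary rather than text. SAMPLE, TEXT and the function names are my own assumptions.

```python
import math
import re

# Constructed sample in the question's \xNN / \t repr style (not the poster's exact bytes), plus a plain HTTP request as control.
SAMPLE = r"\xb3\xe1\xdd=H\t\xd5\xd2\xf0ml\xf1\x10\xee/\xa0$\xeaY\xa5\xe7\x81d \xd5\x1f"
TEXT = r"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"

SIMPLE_ESCAPES = {"t": 9, "n": 10, "r": 13, "a": 7, "v": 11, "b": 8, "f": 12,
                  "\\": 92, "'": 39, '"': 34, " ": 32}
# One token per match: a \xNN hex escape, a backslash + any char, or a plain char.
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\(.)|(.)", re.S)

def unescape(text: str) -> bytes:
    """Turn an escaped log line (\\xNN, \\t, \\', ...) back into the raw bytes it describes."""
    out = bytearray()
    for hexpair, esc, plain in ESCAPE_RE.findall(text):
        if hexpair:
            out.append(int(hexpair, 16))
        elif esc:
            out.append(SIMPLE_ESCAPES.get(esc, ord(esc)))  # unknown escape: keep the char
        else:
            out += plain.encode("latin-1", "replace")
    return bytes(out)

def printable_view(data: bytes) -> str:
    """The 'drop all unreadable characters' view the question applied by hand."""
    return "".join(chr(b) for b in data if 32 <= b < 127)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 would be perfectly random)."""
    n = len(data)
    if not n:
        return 0.0
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)

def triage(line: str) -> dict:
    """Decode a log line and report whether the payload looks like text or binary."""
    raw = unescape(line)
    n = len(raw) or 1
    printable = sum(32 <= b < 127 for b in raw)
    high = sum(b >= 0x80 for b in raw)
    return {
        "printable_ratio": printable / n,
        "high_byte_ratio": high / n,
        "entropy": round(entropy(raw), 2),
        # Text protocols contain essentially no bytes >= 0x80; binary blobs have roughly half.
        "looks_binary": high / n > 0.25 or printable / n < 0.6,
    }
```

Feed each log line through triage() and the high-byte ratio alone separates ordinary requests from the binary payloads the question shows; the printable view reproduces the "=Hml/$Yd" fragment the poster extracted by hand.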

Let's look at the first part:

 \xb3\xe1\xdd=H\t\xd5\xd2\xf0ml\xf1\x10 

Escape codes of the form \xb3 are hexadecimal codes for 8-bit integers. In this case, it is the code for 179.

The escape code \t is a tab character.

"H\t" is simply H (= 72) followed by a tab character (= 9). It is not Ht and is not related to HTML.

I suspect someone is sending data to your web server trying to exploit a vulnerability. You must ensure that your web server is fully updated to prevent the exploit from working.

+2

My first assumption is that \x starts an escape sequence using two hexadecimal characters. Therefore, try replacing \xAB with the character corresponding to hex AB.

\t is a tab, and \' is an escaped '

0

Trying to reverse-engineer a binary is a very painful process that is almost impossible if you don't know what should be in it in the first place. This is because such files often contain headers that tell the program that reads the logs how to decode them: for example, the exact bit where the data begins, which bit represents what data, whether the data is a float, double or int, and in which endianness the data is stored.

You probably need to take the time to work out which program wrote the log and use it to convert the log to ASCII, or find the binary log format described in some documentation.

0
