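"""macho_shellcode_extractor: extract shellcode from a nasm-compiled Mach-O binary.

Created by malwareunicorn.

To compile a Mach-O from C:
    gcc mymacho.c -o mymacho.macho -fno-stack-protector -fno-builtin
To compile from asm:
    nasm -f macho64 cipher.asm -o cipher.o && ld -o cipher.macho -macosx_version_min 10.7 -e start cipher.o && ./cipher.macho

The extractor reads ``SRC_DIR/<name>.macho``, locates the first section of
each segment whose name contains "text" or "data", and dumps the text section
followed by the data section into ``SRC_DIR/<name>_shellcode.bin``.
"""
import os
import subprocess

try:
    from macholib.MachO import MachO
except ImportError:
    # macholib is a third-party dependency; only extract_shellcode() needs it,
    # so defer the failure to that call with a clear message.
    MachO = None

# ----------------------------------
# CONFIGURATION OPTIONS
# ----------------------------------
DIST_DIR = "dist"  # where generate_downloader_macho() writes compiled binaries
SRC_DIR = "src"    # where the gen_*.c sources and the .macho to extract from live


def generate_downloader_macho(filename):
    """Compile ``SRC_DIR/gen_<filename>.c`` into ``DIST_DIR/<filename>.macho``.

    Returns gcc's exit status (0 on success), exactly as ``subprocess.call``
    reports it. The command is passed as an argument list instead of a
    ``shell=True`` string so that ``filename`` is never interpreted by the
    shell (spaces, ``;``, ``$(...)`` and similar would otherwise be executed).
    """
    src = os.path.join(SRC_DIR, "gen_%s.c" % filename)
    out = os.path.join(DIST_DIR, "%s.macho" % filename)
    cmd = ["gcc", src, "-o", out, "-fno-stack-protector", "-fno-builtin"]
    return subprocess.call(cmd)


def _section_name(section):
    """Return ``section.sectname`` as ``str`` with NUL padding stripped.

    macholib hands back ``bytes`` on Python 3 (the original ``rstrip('\\0')``
    raised ``TypeError`` there); a ``str`` name is accepted unchanged.
    """
    name = getattr(section, "sectname", b"")
    if isinstance(name, bytes):
        name = name.decode("ascii", "replace")
    return name.rstrip("\0")


def find_shellcode_span(commands):
    """Locate the byte range to dump from a Mach-O header's load commands.

    ``commands`` is an iterable of ``(load_cmd, cmd, data)`` triples as found in
    ``MachO(path).headers[i].commands``. Only the first section of each segment
    (``data[0]``) is examined, which matches a nasm-built binary with a single
    ``section .text`` and ``section .data``; load commands whose ``data`` is
    empty or carries no section (e.g. LC_UUID) are skipped.

    Returns ``(file_offset, size)``: the file offset of the text section and
    the combined size of the text and data sections. The caller reads ``size``
    bytes starting at ``file_offset``, so this assumes the data section
    immediately follows the text section in the file -- NOTE(review): that
    adjacency is not verified; a gcc-built binary with extra __TEXT sections
    will yield the wrong bytes.

    Raises ``ValueError`` when no text section is found, instead of silently
    producing an empty or mis-aligned dump.
    """
    fileoffset = None
    shellcodesize = 0
    for _load_cmd, _cmd, data in commands:
        if not data or not hasattr(data[0], "sectname"):
            continue
        section = data[0]
        name = _section_name(section)
        if "text" in name:
            fileoffset = section.offset
            shellcodesize += section.size
        if "data" in name:
            shellcodesize += section.size
    if fileoffset is None:
        raise ValueError("no text section found in Mach-O load commands")
    return fileoffset, shellcodesize


def extract_shellcode(filename):
    """Dump the text+data bytes of ``SRC_DIR/<stem>.macho`` to ``SRC_DIR/<stem>_shellcode.bin``.

    ``filename`` may carry any extension; only its stem is used, so
    ``"mymacho.macho"`` and ``"mymacho"`` both refer to ``src/mymacho.macho``.
    Only the first Mach-O header (``headers[0]``) is consulted, so a fat binary
    is read for its first architecture only.

    Returns the extracted bytes (the same bytes written to the .bin file).

    Raises ``RuntimeError`` if macholib is not installed and ``ValueError`` if
    the binary has no text section.
    """
    if MachO is None:
        raise RuntimeError("macholib is required for extract_shellcode(): pip install macholib")
    stem = os.path.splitext(filename)[0]
    macho_filename = os.path.join(SRC_DIR, "%s.macho" % stem)
    shellcode_filename = os.path.join(SRC_DIR, "%s_shellcode.bin" % stem)

    commands = MachO(macho_filename).headers[0].commands
    fileoffset, shellcodesize = find_shellcode_span(commands)

    with open(macho_filename, "rb") as f:
        # The original seeked with whence=1 (relative to the current position);
        # that only worked because the position was 0. Seek from the start explicitly.
        f.seek(fileoffset, os.SEEK_SET)
        shellcode_bytes = f.read(shellcodesize)
    with open(shellcode_filename, "wb") as sf:
        sf.write(shellcode_bytes)
    return shellcode_bytes


def main():
    """Extract the shellcode of the sample target ``src/mymacho.macho`` and report its size."""
    xor_shellcode = extract_shellcode("mymacho.macho")
    print("extracted %d bytes of shellcode" % len(xor_shellcode))


if __name__ == "__main__":
    main()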