Posts

Showing posts with the label kit

RIG Exploit Kit Shellcode analysis

Brad published a traffic analysis exercise which I had a quick look at, and I felt that I wanted to take it to the next level, so I started looking at how to decode the payload delivered by the exploit kit. I get the shellcode from the Flash exploit, as it's provided as a hex-encoded string starting with "90909090" (NOP):

An easy way to go is to create an executable from the shellcode using Shellcode2Exe, so that it can be stepped through in OllyDbg.

Taking the step into shellcode

Loading it up in Olly, it will start with a loop which decodes the payload URL using XOR, as seen below. The key can be found by inspecting ESI when first hitting the loop, and the encoded data can be found by inspecting EDI. After decoding:

The decoding loop will continue until the decoded byte is "!" (0x21); the reason will be explained later in the post under "Multiple payloads". The shellcode uses URLDownloadToCacheFileA to download the payload. Shou...