1

This is my first post on here, so please excuse me if I have made any mistakes.

So, I was browsing around on the Metasploit page, and I found these strange types of codes. I tried searching for it on Google and on here, but couldn't find any other questions and answers like I had. I also noticed that Elliot used the method in "Mr. Robot" while programming in Python. I can see that the code is usually used in viruses, but I need to know why. This is the code that I found using this method:

```python
buf += "\x5b\x4d\x6f\x76\x69\x65\x50\x6c\x61\x79\x5d\x0d\x0a\x46\x69\x6c\x65\x4e\x61\x6d\x65\x30\x3d\x43\x3a\x5c"
```

  • Possible duplicate of [What does a leading `\x` mean in a Python string `\xaa`](https://stackoverflow.com/questions/2672326/what-does-a-leading-x-mean-in-a-python-string-xaa) – ikkuh Jan 31 '18 at 15:45
  • Also might be something along the lines of [obfuscation](https://stackoverflow.com/questions/261638/how-do-i-protect-python-code) – Patrick Artner Jan 31 '18 at 15:51

3 Answers

3

The code is a sequence of ASCII characters encoded in hex. It can be printed directly.

```python
print('\x5b\x4d\x6f\x76\x69\x65\x50\x6c\x61\x79\x5d\x0d\x0a\x46\x69\x6c\x65\x4e\x61\x6d\x65\x30\x3d\x43\x3a\x5c')
```

The result is:

```
[MoviePlay]
FileName0=C:\
```

Aaron
  • I have no idea whether this piece of code is malicious. Film makers usually make use of some kind of encoding to make their films mysterious (to the general public) – Aaron Jan 31 '18 at 16:04
  • I just took this piece of code from google as an example, but I think it was this one: https://www.exploit-db.com/exploits/16153/ – Märten Reinaas Jan 31 '18 at 16:08
  • This kind of code obfuscation may protect it from detection by anti-virus. However, I think anti-virus can detect the problem when it is decoded. – Aaron Jan 31 '18 at 16:15
3

It's a string, just as any other string like "Hello World!". However, it's written in a different way. In computers, each character corresponds to a number, called a code-point, according to an encoding. One such encoding that you might have heard of is ASCII, another is UTF-8. To give an example, in both encodings, the letter H corresponds to the number 72. In Python, one usually specifies a string using the matching letters, like "Hello World!". However, it is also possible to use the code-points. In Python, this can be denoted with \xab, where ab is replaced with the hexadecimal form of the code-point. So H would become '\x48', because 48 is the hexadecimal notation for 72, the code-point for the letter H. In this notation, "Hello World!" becomes "\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21".

The string you specify consists of the hexadecimal code-point 5b (decimal 91, the code-point for the character [), followed by the code-point 4d (M), etc., leading to the full string [MoviePlay]\r\nFileName0=C:\\. Here \r and \n are special characters together representing a line-break, so one could also read it as:

```
[MoviePlay]
FileName0=C:\\
```

In principle this notation is not necessarily found in viruses, but that kind of programming often requires very specific manipulation of numbers in memory without a lot of regard for the actual characters represented by those numbers, so that could explain why you'd see it arise there.

Lennaert Bel
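Added example, not part of any answer here or of the exploit the question links to: a static decoder for the kind of `\xNN` literal shown in the question. It reads the escapes from source text without executing anything and reports whether the bytes are mostly printable text or binary. The function names, the 0.9 threshold and the second sample are assumptions made for illustration.

```python
import re

# The literal from the question, kept as raw source text (backslashes are real characters).
SAMPLE = r'buf += "\x5b\x4d\x6f\x76\x69\x65\x50\x6c\x61\x79\x5d\x0d\x0a\x46\x69\x6c\x65\x4e\x61\x6d\x65\x30\x3d\x43\x3a\x5c"'

# Constructed sample: arbitrary non-text bytes, not taken from any real payload.
BINARY_SAMPLE = r'buf = "\x00\x01\xfe\xff\x80\x41"'

# Assumption: the literal consists only of \xNN escapes, as in the question.
HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')


def extract_bytes(source_line: str) -> bytes:
    """Collect every \\xNN escape in a line of source text without running it."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(source_line))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or tab, CR, LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def render(data: bytes) -> str:
    """Show printable bytes as characters and leave the rest as \\xNN."""
    return ''.join(chr(b) if 0x20 <= b <= 0x7E else f'\\x{b:02x}' for b in data)


def classify(source_line: str, threshold: float = 0.9):
    """Return ('text' | 'binary', rendered bytes) for one source line."""
    data = extract_bytes(source_line)
    kind = 'text' if printable_ratio(data) >= threshold else 'binary'
    return kind, render(data)


if __name__ == '__main__':
    for line in (SAMPLE, BINARY_SAMPLE):
        print(classify(line))
```

A `text` result, as for the string in the question, means the escapes spell out readable content (here the start of a configuration-style file); a `binary` result means the bytes are not text and need a hex dump or disassembler to interpret.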
-1

They use Metasploit, msfvenom to be more specific, to create or generate shellcode specially for crafted or exploited files such as documents (docs, ppt, xls, etc.) with different encodings.

Llallum