Tips for Converting Shellcode to x86 Assembly

Security analysts might encounter shellcode when examining exploits that they detect on the network, observe inside malicious document files, or find on compromised systems. This note recommends two tools for converting shellcode into x86 assembly instructions that the analyst can read to understand the exploit and its payload: ConvertShellcode.exe and


The ConvertShellcode.exe tool for Windows parses the supplied shellcode string and immediately disassembles it, converting the string into corresponding x86 assembly instructions. This tool was written by Alain Rioux.


ConvertShellcode.exe shellcode

The “shellcode” string can follow any of the following formats:

  • "\xEB\x08\xBA\x4D\x11\x86\x7C\xFF\xD2\xCC"
  • "%ud9eb%ud9ee%u2474%u5bf4%u7381%u1313%u2989"
  • "%40%6E%40%6E%40%6E%40%6E%40%6E%40%6E"
  • "%u9090"
  • "\u9090"
  • "&#x9090"
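
Added example, not part of the original article and not ConvertShellcode's own code: a Python decoder that normalizes the string forms listed above into raw bytes, the step that has to happen before any disassembly. It assumes the backslash-prefixed `\x` and `\u` spellings and that 16-bit `%u`, `\u` and `&#x` units are laid out little-endian, as they are in memory on x86; the function name is hypothetical.

```python
import re

# One alternation covering the escaped forms listed in the article.
_TOKEN = re.compile(
    r"%u([0-9A-Fa-f]{4})"       # %uXXXX   16-bit unit (JavaScript unescape style)
    r"|\\u([0-9A-Fa-f]{4})"     # \uXXXX   16-bit unit
    r"|&#x([0-9A-Fa-f]{4});?"   # &#xXXXX  16-bit unit (HTML numeric reference)
    r"|\\x([0-9A-Fa-f]{2})"     # \xXX     single byte
    r"|%([0-9A-Fa-f]{2})"       # %XX      single byte
)

# Characters tolerated between tokens (quotes and string concatenation).
_SEPARATORS = " \t\r\n\"'+,"


def decode_shellcode_string(text):
    """Return the raw bytes represented by an escaped shellcode string.

    Raises ValueError when something other than a recognized token or a
    separator is present, so a truncated or mixed-up sample is not
    silently decoded into the wrong bytes.
    """
    out = bytearray()
    pos = 0
    for match in _TOKEN.finditer(text):
        gap = text[pos:match.start()]
        if gap.strip(_SEPARATORS):
            raise ValueError("unrecognized text at offset %d: %r" % (pos, gap))
        unit16 = match.group(1) or match.group(2) or match.group(3)
        if unit16:
            # Assumption: the 16-bit unit is stored low byte first,
            # so %ud9eb becomes the bytes EB D9.
            out += int(unit16, 16).to_bytes(2, "little")
        else:
            out.append(int(match.group(4) or match.group(5), 16))
        pos = match.end()
    tail = text[pos:]
    if tail.strip(_SEPARATORS):
        raise ValueError("unrecognized text at offset %d: %r" % (pos, tail))
    return bytes(out)


if __name__ == "__main__":
    # Sample strings taken from the list above.
    for sample in (r'"\xEB\x08\xBA\x4D\x11\x86\x7C\xFF\xD2\xCC"',
                   '"%ud9eb%ud9ee%u2474%u5bf4%u7381%u1313%u2989"',
                   '"%40%6E%40%6E%40%6E%40%6E%40%6E%40%6E"'):
        print(decode_shellcode_string(sample).hex(" "))
```

The returned bytes can be written to a file and loaded into a disassembler or hex editor of your choice.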

You can download ConvertShellcode.exe as a zip archive from its author’s website. You can also get this tool as a Perl script from the author’s GitHub repository.

The script accepts shellcode encoded as a string or as raw binary data, and produces an executable that can run that shellcode. You load the resulting executable file into a debugger to examine its. This approach is useful for analyzing shellcode that’s difficult to understand without stepping through it with a debugger. This script was written by Mario Vilas, and was later tweaked by Anand Sastry to accept not only shellcode in binary form, but also shellcode encoded using “\x” strings via the “-s” parameter. The script was further updated by Patrick Copeland to accept as input shellcode encoded using “%u” strings via the “-u” parameter.

You can download the latest script, written in Python, from the author’s GitHub repository. This tool relies on the InlineEgg library by Core Security. That library doesn’t work well on a 64-bit OS, though it has been patched on the REMnux distro to allow on REMnux to work properly.


About the Author

Lenny Zeltser is a seasoned business and tech leader with extensive cybersecurity experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. Beforehand, he was responsible for security product management at NCR Corp. Lenny also trains incident response and digital forensics professionals at SANS Institute. An engaging presenter, he speaks at industry events, writes articles and has co-authored books. Lenny has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
