# scdbgc
# Shellcode emulator — analyze shellcode behavior through API-level emulation
# FOR610 Labs: 3.4, 3.5, 4.6 | Sections: 3, 4
# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/shellcode

% shellcode, emulation, api-calls

# Basic usage
scdbgc /f shellcode.bin /s -1

# Alternative usage
scdbgc /f shellcode.bin /foff 0x3B /fopen qa.doc

# Alternative usage
scdbgc /f shellcode.bin /s -1 /norw


# --- Recipes (multi-tool chains) ---

# >> Full Office Macro Decode Chain
# Step 1: List streams and extract VBA
oledump.py <document>
oledump.py <document> -s <macro_stream> -v
# Step 2: Extract Base64 from data stream
oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > stage1.ps1
# Step 3: Decode second Base64 layer + decompress
base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1
# Step 4: XOR decode the shellcode
base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin
# Step 5: Emulate the shellcode
scdbgc /f shellcode.bin /s -1

# >> Extract Shellcode from RTF Document
# Scan RTF structure — look for groups with lots of hex data
rtfdump.py <document.rtf>
# Extract the hex-heavy group as binary
rtfdump.py <document.rtf> -s <group_num> -H -d > extracted.bin
# Scan for shellcode patterns (even XOR-encoded)
XORSearch -W -d 3 extracted.bin
# Emulate shellcode at found offset
scdbgc /f extracted.bin /foff <offset> /s -1

# >> Emulate Shellcode at Specific Offset
# Emulate from file start
scdbgc /f <shellcode.bin> /s -1
# Emulate from specific offset (hex)
scdbgc /f <shellcode.bin> /foff <hex_offset> /s -1
# Emulate with a file handle pre-opened (for exploits)
scdbgc /f <shellcode.bin> /foff <offset> /fopen <carrier.doc> /s -1