(no subject)
Патьков прислал баг-репорт на YAD, сегодня поисправлял ошибки:
; 1) db 0x67,0xc7,0x44,0x10,0x55,0x00,0x00,0x00 ;mov dword [si+0x10],0x000000010 ; 2) db 0x9a,0x00,0x00,0xff,0xff,0xff,0xff db 0x66,0x9a,0x00,0x01,0x10,0x00 ; 3) db 0xFE,0x0e db 0x67,0xFE,0x0C ; 4) db 0xd6 ; 5) fwait ; 6) db 0x82,0x5A,0x79,0x66 ; sbb byte [edx+0x79],0x066 ; 7) db 0xD2,0xF4 ; sal ah,cl db 0xC1,0x32,0xF7 ; sal dword [edx],-9 db 0xC1,0x70,0xC5,0xFC ; sal dword [eax-0x3B],-4 db 0xD1,0x75,0x27 ; sal dword [ebp+0x27],1 db 0xD0,0xB3,0x59,0x68,0xF5,0x69 ; sal byte [ebx+0x69F56859],1 db 0xD1,0x30 ; sal dword [eax],1 db 0xD3,0x71,0x25 ; sal dword [ecx+0x25],cl db 0xC0,0xF3,0xD6 ; sal bl,0x0FFFFFFD6 ; 8) cmp byte [ebp+0x0D960AFFD],0x041 db 0x82,0xBD,0xFD,0xAF,0x60,0xD9,0x41 ; 9) sub byte [ecx+0x0CC07D311],0x010 db 0x82,0xA9,0x11,0xD3,0x07,0xCC,0x10 ; 10) xor byte [esi+0x5C21255E],0x0BA db 0x82,0xB6,0x5E,0x25,0x21,0x5C,0xBA Зря я выбрал qemu. Ж-) Для начала пофиксил по быстрому, потом наверное буду дальше сверять таблицу (а то и заново её перебью), хотя бы ради SSE2+.
Я довольно часто слышал одну глупость (и даже сам её повторял), что мол “не хватает хороших идей”. Большинство же идей сидят в своем идеальном мирке и поглядывают от туда в наш мир, и ждут чей бы еще мозг зохавать. Ж-) Это я к чему. Случайно наткнулся на статью: Binary obfuscation using signals, и вспомнилось мне такое вот извращение:
.model tiny .code org 100h start: mov ax, 3506h int 21h mov 2 ptr [oldint6+2],es mov 2 ptr [oldint6 ],bx sub ah, 10h mov dx, offset int6hnd int 21h db 0feh, 10h db 0feh, 11h db 0feh, 12h db 0feh, 13h db 0feh, 14h db 0feh, 15h db 0feh, 16h mov ax, 2506h lds dx, [oldint6] int 21h ret int6hnd: push ds si ax bp mov bp, sp lds si, [bp+8] lodsw mov 2 ptr cs:[offset j2_addr ], si mov 2 ptr cs:[offset j2_addr+2], ds xchg al, ah cbw sub al, 10h shl ax, 1 xchg bp, ax mov ax, cs:[bp+offset cmd_table] mov cs:[offset j1_addr], ax jmp $+2 pop bp ax si ds add sp, 4 popf db 0e9h ; jmp xxxx j1_addr dw ? cmd0: push 0b800h jmp ret_back cmd1: pop es jmp ret_back cmd2: mov ax, 0fdbh jmp ret_back cmd3: mov cx, 4000 jmp ret_back cmd4: rep stosw jmp ret_back cmd5: xor ax, ax jmp ret_back cmd6: int 16h ret_back: db 0eah j2_addr dd ? cmd_table dw 0, offset cmd1-offset cmd0 dw offset cmd2-offset cmd0 dw offset cmd3-offset cmd0 dw offset cmd4-offset cmd0 dw offset cmd5-offset cmd0 dw offset cmd6-offset cmd0 oldint6 dd ? end start Не помню работает ли этот пример, да это и не важно. Решил немного поиграться с сигналами. Тут, я вижу две возможности:
< /bin/uname: формат файла elf32-i386 --- > ./uname: формат файла elf32-i386 220c220,221 < 8048c5d: 74 02 je 8048c61 --- > 8048c5d: 90 nop > 8048c5e: cc int3 231c232,233 < 8048c75: 75 29 jne 8048ca0 --- > 8048c75: 90 nop > 8048c76: cc int3 235c237,238 < 8048c80: 74 17 je 8048c99 --- > 8048c80: 90 nop > 8048c81: cc int3 243c246,247 < 8048c97: 75 eb jne 8048c84 --- > 8048c97: 90 nop > 8048c98: cc int3 gdb и strace просто в восторге от такой замены:
(gdb) handle SIGTRAP nostop noprint pass SIGTRAP is used by the debugger. Are you sure you want to change it? (y or n) y Signal Stop Print Pass to program Description SIGTRAP No No Yes Trace/breakpoint trap (gdb) run Starting program: .../uname [1]+ Stopped gdb ./uname # fg %1 gdb ./uname Reading symbols from shared object read from target memory...(no debugging symbols found)...done. Loaded system supplied DSO at 0x4bf000 (no debugging symbols found)...(no debugging symbols found)... Program terminated with signal SIGTRAP, Trace/breakpoint trap. The program no longer exists. # strace ./uname execve("./uname", ["./uname"], [/* 41 vars */]) = 0 ... mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0) = 0xb7f58000 sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) .................................... и собственно izvr.c, который все это делает. (прога очень сырая, signal/sigaction не перехватываются и еще есть какие-то глюки, доделаю попозже...)
/* izvr.c */ #include #include #include #include #include #define VL(x) (*(volatile long *)x) #define set_bit(nr, addr) asm("btsl %1,%0":"=m"VL(addr):"Ir" (nr)) #define clr_bit(nr, addr) asm("btrl %1,%0":"=m"VL(addr):"Ir" (nr)) #define tst_bit(nr, addr) ({\ int b; asm("btl %2,%1\nsbbl %0,%0":"=r" (b):"m"VL(addr),"Ir"(nr)); b; }) unsigned char lde[343]={ 0x60, 0x8b, 0x74, 0x24, 0x24, 0x6a, 0x0f, 0x59, 0x6a, 0x08, 0x5a, 0xe8, 0x8d, 0x00, 0x00, 0x00, 0x54, 0x11, 0xa1, 0x02, 0x54, 0x11, 0xa1, 0x01, 0x41, 0x54, 0x11, 0xa1, 0x02, 0x54, 0x11, 0xa1, 0x02, 0x54, 0x11, 0xa1, 0x41, 0x01, 0x54, 0x11, 0xa1, 0x41, 0x01, 0x54, 0x11, 0xa1, 0x41, 0x01, 0x54, 0x11, 0xa1, 0x41, 0x0f, 0x0f, 0x05, 0x52, 0x44, 0xa1, 0xf1, 0x11, 0x61, 0x04, 0x1f, 0x11, 0x61, 0xf1, 0x62, 0x5c, 0x0a, 0xc1, 0x05, 0x24, 0x04, 0x11, 0xa1, 0x06, 0x18, 0xa8, 0x62, 0x21, 0x01, 0x52, 0x61, 0xf1, 0x31, 0x01, 0x21, 0x02, 0x11, 0x02, 0x54, 0x12, 0x02, 0x58, 0x18, 0xa2, 0xc1, 0x11, 0x04, 0x41, 0x01, 0x42, 0x02, 0x81, 0x91, 0x06, 0x52, 0x54, 0x72, 0x01, 0x71, 0x02, 0x76, 0x59, 0x77, 0x54, 0x74, 0x58, 0x06, 0x7a, 0x5f, 0x5f, 0x5f, 0x53, 0x64, 0x53, 0x01, 0x76, 0x52, 0xaf, 0xa1, 0x5f, 0x51, 0x03, 0x51, 0x61, 0x51, 0x72, 0x03, 0x51, 0x61, 0x5b, 0x72, 0x61, 0x57, 0x61, 0x51, 0x63, 0x51, 0x08, 0x71, 0x5f, 0x5f, 0x51, 0x71, 0x5e, 0x71, 0x5f, 0x57, 0x8a, 0x1e, 0x8a, 0x07, 0x47, 0xd4, 0x10, 0x28, 0xc3, 0x73, 0xf7, 0x5f, 0xac, 0x86, 0xe0, 0x3c, 0x07, 0x74, 0x18, 0x3c, 0x04, 0x75, 0x51, 0x80, 0xfc, 0x0f, 0x75, 0x03, 0x83, 0xc7, 0x5b, 0x80, 0xec, 0x65, 0x80, 0xfc, 0x02, 0x77, 0x02, 0x08, 0xe6, 0xe2, 0xd4, 0xeb, 0x2d, 0x80, 0xfb, 0x40, 0x73, 0x07, 0x80, 0xfc, 0x06, 0x75, 0x02, 0xb3, 0x80, 0xc0, 0xeb, 0x06, 0x7a, 0x11, 0x00, 0xd8, 0x80, 0xec, 0xa0, 0x80, 0xfc, 0x03, 0x77, 0x07, 0x80, 0xf2, 0x08, 0x74, 0x0b, 0xd0, 0xee, 0x66, 0xf7, 0xc2, 0x08, 0x01, 0x75, 0x02, 0x40, 0x40, 0x28, 0xc8, 0x04, 0x10, 0x3c, 0x10, 0xf5, 0x0f, 0xb6, 0xc0, 0x89, 0x44, 0x24, 0x1c, 0x61, 0xc3, 0x30, 0xc2, 0x3c, 0x09, 0x76, 0x02, 0x24, 0x07, 0x3c, 0x05, 0x72, 0xcc, 0x8b, 0x1e, 0x49, 0x3c, 0x08, 0x1c, 0x04, 0xa8, 0x04, 0x74, 0x0f, 0x2c, 0x03, 0xf6, 0xc3, 0x30, 0x74, 0x02, 0x30, 0xc0, 0x3c, 0x02, 0x74, 0x02, 0xb2, 0x08, 0xb4, 0x07, 0x20, 0xdc, 0xf6, 0xc6, 0x02, 0x75, 0x96, 0xf6, 0xc3, 0xc0, 0x79, 0x04, 0x7a, 0xb1, 0x40, 0x40, 0x80, 0xfc, 0x04, 0x75, 0x05, 0x40, 0xb4, 0x07, 0x20, 0xfc, 0xf6, 0xc3, 0xc0, 0x75, 0x8a, 0x80, 0xfc, 0x05, 0x75, 0x85, 0x04, 0x04, 0xeb, 0x81 }; #define LDE(p)((int(*)(void*))lde)(p) #define INFO "roy g biv length dissassembler engine" extern void mydata(); extern void code_start(); extern void patch(); extern int ari_compress(uint8_t *src, uint8_t *dst, int src_len, uint8_t *temp); #define PAGE_SIZE 4096 void infect(int h, char *m, int l, char *code, int code_size, char *data, int data_size) { int i; Elf32_Ehdr *ehdr = (Elf32_Ehdr*)m; Elf32_Phdr *ph, *phdr; uint32_t base; phdr = (Elf32_Phdr*)(m + ehdr->e_phoff); for (base = 0, ph = NULL, i = 0; i < ehdr->e_phnum; i++) { if (phdr[i].p_type == PT_NOTE) { ph = &phdr[i]; } else if (phdr[i].p_type == PT_LOAD && phdr[i].p_offset == 0) base = phdr[i].p_vaddr; } if (ph == NULL) { puts("Failed"); return; } ph->p_type = PT_LOAD; ph->p_flags = PF_R|PF_W|PF_X; ph->p_align = 0x1000; ph->p_offset = l; ph->p_filesz = ph->p_memsz = code_size + data_size; ph->p_vaddr = ph->p_paddr = base - ((code_size + data_size + 4095) & 0xfffff000) + (l & (PAGE_SIZE - 1)); write(h, code, code_size); write(h, data, data_size); uint32_t jmp = ehdr->e_entry - ph->p_vaddr - 21; pwrite(h, &jmp, 4, l + 17, 0); ehdr->e_entry = ph->p_vaddr; } int main(int argc, char **argv) { int h = open(argv[1], 2); assert(h > 0); int l = lseek(h, 0, 2); assert(l > 0); unsigned char *m = mmap(NULL, l, PROT_READ|PROT_WRITE, MAP_SHARED, h, 0); assert(m != MAP_FAILED); Elf32_Ehdr *ehdr = (Elf32_Ehdr*)m; assert(ehdr->e_shstrndx != SHN_UNDEF); Elf32_Shdr *shdr = (Elf32_Shdr*)(m + ehdr->e_shoff); char *strtab = m + shdr[ehdr->e_shstrndx].sh_offset; uint8_t *cp; uint32_t cs, ca; int i; for (i = 0; i < ehdr->e_shnum; i++) if (! strcmp(strtab + shdr[i].sh_name, ".text")) { cp = shdr[i].sh_offset + m; cs = shdr[i].sh_size; ca = shdr[i].sh_addr; break; } assert(cp != NULL); uint8_t map[(cs + 7) / 8]; bzero(map, (cs + 7) / 8); uint8_t *p = cp; int r, ol; int count = 0; uint32_t *rel = NULL; uint8_t *occ = NULL; while (p - cp < cs) { ol = LDE(p); assert(ol != 0); r = 0; if ((p[0] & 0xf0) == 0x70) r = 1; else if ((p[1] & 0xf0) == 0x80 && p[0] == 0x0f) r = 2; if (r) { void fill(uint8_t *where, int l) { memset(where, 0x90, l); where[l - 1] = 0xcc; } set_bit(p - cp + (r == 1 ? 2 : 6), map); rel = (uint32_t*)realloc(rel, 4 * (count + 1)); occ = (uint8_t*)realloc(occ, (count + 2) / 2); rel[count] = (r == 1 ? (char)p[1] : *(uint32_t*)(p + 2)); if ((count & 1) == 0) occ[count / 2] = (p[r - 1] & 0x0f) << 4; else occ[count / 2] |= p[r - 1] & 0x0f; count++; fill(p, r == 1 ? 2 : 6); } p += ol; } uint8_t *buf = (char*)malloc(12 + (cs + 7) / 8 + (count + 1) / 2 + count*4); assert(buf != NULL); p = buf; #define CP(v, s) memcpy(p, v, s); p += s; CP(&ca, 4); CP(&cs, 4); CP(&count, 4); CP(map, (cs + 7) / 8); CP(rel, count * 4); CP(occ, (count + 1) / 2); int ul = p - buf; printf("Size: %d\n", ul); uint8_t *dst = (char*)malloc(ul); uint8_t t[3374]; int al; al = ari_compress(buf, dst + 4, p - buf, t); memcpy(dst, &ul, 4); al += 4; printf("CSize: %d\n", al); infect(h, m, l, (char*)&code_start, (char*)&mydata - (char*)code_start, dst, al); munmap(m, l); close(h); } asm (".globl code_start; code_start: pusha; call 1f; 1: sub $6, (%esp); call myinit; popa; .byte 0xe9; .long 0"); /* Syscalls */ asm( "_syscall:\n" " pusha\n" " mov 36(%esp),%eax\n" " mov 40(%esp),%ebx\n" " mov 44(%esp),%ecx\n" " mov 48(%esp),%edx\n" " mov 52(%esp),%esi\n" " mov 56(%esp),%edi\n" " mov 60(%esp),%ebp\n" " int $0x80\n" " mov %eax,28(%esp)\n" " popa\n" " ret\n"); extern unsigned int _syscall(); #define exit(a) _syscall(1, a) #define read(a,b,c) _syscall(3, a,b,c) #define write(a,b,c) _syscall(4, a,b,c) #define open(a,b) _syscall(5, a,b) #define close(a) _syscall(6, a) #define creat(a,b) _syscall(8, a,b) #define chdir(a) _syscall(12, a) #define time(a) _syscall(13, a) #define lseek(a,b,c) _syscall(19, a,b,c) #define access(a,b) _syscall(33, a,b) #define rename(a,b) _syscall(38, a,b) #define sigaction(a,b,c) _syscall(67, a,b,c) #define readdir(a,b) _syscall(89, a,b) #define munmap(a,b) _syscall(91, a,b) #define ftruncate(a,b) _syscall(93, a,b) #define lstat(a,b) _syscall(107,a,b) #define mprotect(a,b,c) _syscall(125,a,b,c) #define mremap(a,b,c,d) _syscall(163,a,b,c,d) #define pwrite(a,b,c,d,e) _syscall(181,a,b,c,d,e) #define mmap(a,b,c,d,e,f) _syscall(192,a,b,c,d,e,f) static void bzero(unsigned char *s, int n) { int i; for (i = 0; i < n; i++) s[i] = 0; } void putd(int a) { int i, c; for (i = 28; i >= 0; i-= 4) { c = (a >> i) & 15; if (c > 9) c = c - 10 + 'a'; else c += '0'; write(1, &c, 1); } c = 10; write(1, &c, 1); } void do_sig(unsigned int signo) { uint32_t cs, cn, cc, a, n, i; uint8_t *map, *occ; uint32_t *rel, *data; asm volatile("movl $0x55aa55aa, %0; patch:; .globl patch":"=r"(data)); cs = data[1]; cn = data[2]; map = (char*)&data[3]; rel = (uint32_t*)(map + (cs + 7) / 8); occ = (uint8_t*)((char*)rel + cn*4); a = *(&signo + 15) - data[0]; if (a > cs || tst_bit(a, map) == 0) return; for (n = 0, i = 0; i < a; i++) if (tst_bit(i, map)) n++; if (n > cn) return; cc = occ[n >> 1]; cc = n & 1 ? cc & 15 : cc >> 4; #define CF ((flags >> 0) & 1) #define PF ((flags >> 2) & 1) #define AF ((flgas >> 4) & 1) #define ZF ((flags >> 6) & 1) #define SF ((flags >> 7) & 1) #define OF ((flags >> 11) & 1) #define CC(N, cond) if (cc == N) { if (cond) goto L; else return; } else unsigned int flags = *(&signo + 17); CC(0x00, OF) /* jo */ CC(0x01, OF == 0) /* jno */ CC(0x02, CF) /* jb/jnae/jc */ CC(0x03, CF == 0) /* jnb/jae/jnc */ CC(0x04, ZF) /* je/jz */ CC(0x05, ZF == 0) /* jne/jnz */ CC(0x06, CF || ZF) /* jbe/jna */ CC(0x07, CF == 0 && ZF == 0) /* ja/jnbe */ CC(0x08, SF) /* js */ CC(0x09, SF == 0) /* jns */ CC(0x0a, PF) /* jp/jpe */ CC(0x0b, PF == 0) /* jnp/jpo */ CC(0x0c, SF != OF) /* jl/jnge */ CC(0x0d, SF == OF) /* jge/jnl */ CC(0x0e, ZF || SF != OF) /* jle/jng */ CC(0x0f, ZF == 0 && SF == OF) ; /* jg/jnle */ L: (*(&signo + 15)) += (int)rel[n]; // putd(cc); } static void __attribute__((stdcall)) myinit (uint8_t *self) { char c; uint8_t *archdata = (char*)self + ((char*)&mydata - (char*)&code_start); /* unpack data */ uint32_t ds = *(uint32_t*)archdata; uint8_t *data = (void*)mmap(0, (ds + 4095) & 0xfffff000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); uint8_t temp[3374]; ari_expand(archdata + 4, data, temp); /* patch handler */ uint32_t *p = (uint32_t*)((char*)self + ((char*)&patch - (char*)&code_start) - 4); *p = (uint32_t)data; /* set handler */ struct sigaction sa; bzero((void*)&sa, sizeof(sa)); sa.sa_handler = (void(*)(int))((char*)&do_sig - (char*)&code_start + self); sigaction(5, &sa, 0); } asm("ari_expand:"); asm(".byte 0x60,0xfc,0x8b,0x44,0x24,0x24,0x8b,0x7c,0x24,0x28,0x8b,0x6c,0x24,0x2c,0x89,0x45"); asm(".byte 0x10,0x31,0xc0,0x89,0x45,0x0c,0x8d,0xb5,0x1c,0x04,0x00,0x00,0xe8,0x6b,0x00,0x00"); asm(".byte 0x00,0xe8,0x37,0x00,0x00,0x00,0xe8,0x89,0x01,0x00,0x00,0x89,0xc3,0x3d,0x01,0x01"); asm(".byte 0x00,0x00,0x74,0x0f,0x8a,0x04,0x1e,0xaa,0x53,0xe8,0x93,0x00,0x00,0x00,0x83,0xc4"); asm(".byte 0x04,0xeb,0xe3,0x2b,0x7c,0x24,0x28,0x89,0x7c,0x24,0x1c,0x61,0xc3,0x31,0xc0,0x89"); asm(".byte 0x45,0x08,0x31,0xc0,0x89,0x45,0x04,0x66,0x48,0x89,0x45,0x00,0xc3,0x60,0x6a,0x10"); asm(".byte 0x59,0x31,0xdb,0xe8,0xdd,0x01,0x00,0x00,0xd1,0xe3,0x09,0xc3,0xe2,0xf5,0x89,0x5d"); asm(".byte 0x08,0x61,0xeb,0xde,0xff,0x45,0x08,0x81,0x7d,0x04,0x00,0x40,0x00,0x00,0x73,0x04"); asm(".byte 0x6a,0x00,0xeb,0x02,0x6a,0x01,0xe8,0x2d,0xff,0xff,0xff,0xc3,0x60,0x8d,0x7d,0x1c"); asm(".byte 0x8d,0xb5,0x1c,0x04,0x00,0x00,0x31,0xc9,0x89,0xc8,0x40,0xab,0x88,0x0c,0x06,0x41"); asm(".byte 0x81,0xf9,0x00,0x01,0x00,0x00,0x72,0xf0,0x8d,0xb5,0x1e,0x05,0x00,0x00,0x8d,0xbd"); asm(".byte 0x26,0x09,0x00,0x00,0x31,0xc9,0xba,0x01,0x01,0x00,0x00,0x31,0xc0,0x40,0x89,0x04"); asm(".byte 0x8e,0x89,0xd0,0x29,0xc8,0xab,0x41,0x39,0xd1,0x76,0xf0,0x31,0xc0,0x89,0x06,0x61"); asm(".byte 0xc3,0x60,0x8b,0x54,0x24,0x24,0x8d,0xb5,0x26,0x09,0x00,0x00,0x8d,0xbd,0x1e,0x05"); asm(".byte 0x00,0x00,0x81,0x3e,0xff,0x3f,0x00,0x00,0x75,0x18,0x31,0xc0,0xb9,0x01,0x01,0x00"); asm(".byte 0x00,0x8b,0x1c,0x8f,0x43,0xd1,0xeb,0x89,0x1c,0x8f,0x89,0x04,0x8e,0x01,0xd8,0x49"); asm(".byte 0x79,0xef,0x89,0xd1,0x8b,0x04,0x8f,0x3b,0x44,0x8f,0xfc,0x75,0x03,0x49,0xeb,0xf4"); asm(".byte 0xff,0x04,0x8f,0x39,0xd1,0x73,0x1d,0x8d,0xbd,0x1c,0x04,0x00,0x00,0x0f,0xb6,0x04"); asm(".byte 0x0f,0x0f,0xb6,0x1c,0x17,0x88,0x1c,0x0f,0x88,0x04,0x17,0x8d,0x7d,0x1c,0x89,0x14"); asm(".byte 0x87,0x89,0x0c,0x9f,0x09,0xc9,0x74,0x06,0x49,0xff,0x04,0x8e,0xeb,0xf6,0x61,0xc3"); asm(".byte 0x60,0x8d,0xbd,0x26,0x09,0x00,0x00,0x8b,0x74,0x24,0x24,0x8b,0x5d,0x04,0x8b,0x4d"); asm(".byte 0x00,0x89,0xc8,0x29,0xd8,0x40,0x50,0xf7,0x64,0xb7,0xfc,0xf7,0x37,0x48,0x89,0xc1"); asm(".byte 0x01,0xd9,0x58,0xf7,0x24,0xb7,0xf7,0x37,0x01,0xc3,0xb8,0x00,0x80,0x00,0x00,0x39"); asm(".byte 0xc1,0x73,0x09,0x6a,0x00,0xe8,0x3e,0xfe,0xff,0xff,0xeb,0x29,0x39,0xc3,0x72,0x0d"); asm(".byte 0x6a,0x01,0xe8,0x31,0xfe,0xff,0xff,0x29,0xc3,0x29,0xc1,0xeb,0x18,0xb8,0x00,0x40"); asm(".byte 0x00,0x00,0x39,0xc3,0x72,0x16,0x81,0xf9,0x00,0xc0,0x00,0x00,0x73,0x0e,0xff,0x45"); asm(".byte 0x08,0x29,0xc3,0x29,0xc1,0xd1,0xe3,0xd1,0xe1,0x41,0xeb,0xbe,0x89,0x5d,0x04,0x89"); asm(".byte 0x4d,0x00,0x61,0xc3,0x60,0x8d,0xb5,0x26,0x09,0x00,0x00,0x8b,0x5d,0x00,0x2b,0x5d"); asm(".byte 0x04,0x43,0x8b,0x45,0x08,0x2b,0x45,0x04,0x40,0xf7,0x26,0x48,0xf7,0xf3,0x31,0xc9"); asm(".byte 0x41,0x39,0x04,0x8e,0x76,0x03,0x41,0xeb,0xf8,0x89,0xd8,0xf7,0x64,0x8e,0xfc,0xf7"); asm(".byte 0x36,0x03,0x45,0x04,0x48,0x89,0xc7,0x89,0xd8,0xf7,0x24,0x8e,0xf7,0x36,0x03,0x45"); asm(".byte 0x04,0x89,0xc2,0x8b,0x5d,0x08,0x81,0xff,0x00,0x80,0x00,0x00,0x72,0x28,0xb8,0x00"); asm(".byte 0x80,0x00,0x00,0x39,0xc2,0x72,0x08,0x29,0xc3,0x29,0xc2,0x29,0xc7,0xeb,0x17,0xb8"); asm(".byte 0x00,0x40,0x00,0x00,0x39,0xc2,0x72,0x1e,0x81,0xff,0x00,0xc0,0x00,0x00,0x73,0x16"); asm(".byte 0x29,0xc3,0x29,0xc2,0x29,0xc7,0xd1,0xe2,0xd1,0xe7,0x47,0xe8,0x15,0x00,0x00,0x00"); asm(".byte 0xd1,0xe3,0x09,0xc3,0xeb,0xc0,0x89,0x55,0x04,0x89,0x7d,0x00,0x89,0x5d,0x08,0x89"); asm(".byte 0x4c,0x24,0x1c,0x61,0xc3,0x60,0x31,0xc0,0x8b,0x7d,0x10,0x8b,0x4d,0x0c,0x0f,0xa3"); asm(".byte 0x0f,0x73,0x01,0x40,0xff,0x45,0x0c,0x89,0x44,0x24,0x1c,0x61,0xc3"); asm(".globl mydata; mydata:");
; 1) db 0x67,0xc7,0x44,0x10,0x55,0x00,0x00,0x00 ;mov dword [si+0x10],0x000000010 ; 2) db 0x9a,0x00,0x00,0xff,0xff,0xff,0xff db 0x66,0x9a,0x00,0x01,0x10,0x00 ; 3) db 0xFE,0x0e db 0x67,0xFE,0x0C ; 4) db 0xd6 ; 5) fwait ; 6) db 0x82,0x5A,0x79,0x66 ; sbb byte [edx+0x79],0x066 ; 7) db 0xD2,0xF4 ; sal ah,cl db 0xC1,0x32,0xF7 ; sal dword [edx],-9 db 0xC1,0x70,0xC5,0xFC ; sal dword [eax-0x3B],-4 db 0xD1,0x75,0x27 ; sal dword [ebp+0x27],1 db 0xD0,0xB3,0x59,0x68,0xF5,0x69 ; sal byte [ebx+0x69F56859],1 db 0xD1,0x30 ; sal dword [eax],1 db 0xD3,0x71,0x25 ; sal dword [ecx+0x25],cl db 0xC0,0xF3,0xD6 ; sal bl,0x0FFFFFFD6 ; 8) cmp byte [ebp+0x0D960AFFD],0x041 db 0x82,0xBD,0xFD,0xAF,0x60,0xD9,0x41 ; 9) sub byte [ecx+0x0CC07D311],0x010 db 0x82,0xA9,0x11,0xD3,0x07,0xCC,0x10 ; 10) xor byte [esi+0x5C21255E],0x0BA db 0x82,0xB6,0x5E,0x25,0x21,0x5C,0xBA Зря я выбрал qemu. Ж-) Для начала пофиксил по быстрому, потом наверное буду дальше сверять таблицу (а то и заново её перебью), хотя бы ради SSE2+.
Я довольно часто слышал одну глупость (и даже сам её повторял), что мол “не хватает хороших идей”. Большинство же идей сидят в своем идеальном мирке и поглядывают от туда в наш мир, и ждут чей бы еще мозг зохавать. Ж-) Это я к чему. Случайно наткнулся на статью: Binary obfuscation using signals, и вспомнилось мне такое вот извращение:
.model tiny .code org 100h start: mov ax, 3506h int 21h mov 2 ptr [oldint6+2],es mov 2 ptr [oldint6 ],bx sub ah, 10h mov dx, offset int6hnd int 21h db 0feh, 10h db 0feh, 11h db 0feh, 12h db 0feh, 13h db 0feh, 14h db 0feh, 15h db 0feh, 16h mov ax, 2506h lds dx, [oldint6] int 21h ret int6hnd: push ds si ax bp mov bp, sp lds si, [bp+8] lodsw mov 2 ptr cs:[offset j2_addr ], si mov 2 ptr cs:[offset j2_addr+2], ds xchg al, ah cbw sub al, 10h shl ax, 1 xchg bp, ax mov ax, cs:[bp+offset cmd_table] mov cs:[offset j1_addr], ax jmp $+2 pop bp ax si ds add sp, 4 popf db 0e9h ; jmp xxxx j1_addr dw ? cmd0: push 0b800h jmp ret_back cmd1: pop es jmp ret_back cmd2: mov ax, 0fdbh jmp ret_back cmd3: mov cx, 4000 jmp ret_back cmd4: rep stosw jmp ret_back cmd5: xor ax, ax jmp ret_back cmd6: int 16h ret_back: db 0eah j2_addr dd ? cmd_table dw 0, offset cmd1-offset cmd0 dw offset cmd2-offset cmd0 dw offset cmd3-offset cmd0 dw offset cmd4-offset cmd0 dw offset cmd5-offset cmd0 dw offset cmd6-offset cmd0 oldint6 dd ? end start Не помню работает ли этот пример, да это и не важно. Решил немного поиграться с сигналами. Тут, я вижу две возможности:
- Перенос кода в обработчик сигнала (требует анализа кода)
- Эмуляция кода обработчиком
< /bin/uname: формат файла elf32-i386 --- > ./uname: формат файла elf32-i386 220c220,221 < 8048c5d: 74 02 je 8048c61 --- > 8048c5d: 90 nop > 8048c5e: cc int3 231c232,233 < 8048c75: 75 29 jne 8048ca0 --- > 8048c75: 90 nop > 8048c76: cc int3 235c237,238 < 8048c80: 74 17 je 8048c99 --- > 8048c80: 90 nop > 8048c81: cc int3 243c246,247 < 8048c97: 75 eb jne 8048c84 --- > 8048c97: 90 nop > 8048c98: cc int3 gdb и strace просто в восторге от такой замены:
(gdb) handle SIGTRAP nostop noprint pass SIGTRAP is used by the debugger. Are you sure you want to change it? (y or n) y Signal Stop Print Pass to program Description SIGTRAP No No Yes Trace/breakpoint trap (gdb) run Starting program: .../uname [1]+ Stopped gdb ./uname # fg %1 gdb ./uname Reading symbols from shared object read from target memory...(no debugging symbols found)...done. Loaded system supplied DSO at 0x4bf000 (no debugging symbols found)...(no debugging symbols found)... Program terminated with signal SIGTRAP, Trace/breakpoint trap. The program no longer exists. # strace ./uname execve("./uname", ["./uname"], [/* 41 vars */]) = 0 ... mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0) = 0xb7f58000 sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) sigaction(SIGTRAP, {0x80474b9, [], 0}, NULL, 0x804e37c) = ? ERESTARTNOINTR (To be restarted) .................................... и собственно izvr.c, который все это делает. (прога очень сырая, signal/sigaction не перехватываются и еще есть какие-то глюки, доделаю попозже...)
/* izvr.c */ #include #include #include #include #include #define VL(x) (*(volatile long *)x) #define set_bit(nr, addr) asm("btsl %1,%0":"=m"VL(addr):"Ir" (nr)) #define clr_bit(nr, addr) asm("btrl %1,%0":"=m"VL(addr):"Ir" (nr)) #define tst_bit(nr, addr) ({\ int b; asm("btl %2,%1\nsbbl %0,%0":"=r" (b):"m"VL(addr),"Ir"(nr)); b; }) unsigned char lde[343]={ 0x60, 0x8b, 0x74, 0x24, 0x24, 0x6a, 0x0f, 0x59, 0x6a, 0x08, 0x5a, 0xe8, 0x8d, 0x00, 0x00, 0x00, 0x54, 0x11, 0xa1, 0x02, 0x54, 0x11, 0xa1, 0x01, 0x41, 0x54, 0x11, 0xa1, 0x02, 0x54, 0x11, 0xa1, 0x02, 0x54, 0x11, 0xa1, 0x41, 0x01, 0x54, 0x11, 0xa1, 0x41, 0x01, 0x54, 0x11, 0xa1, 0x41, 0x01, 0x54, 0x11, 0xa1, 0x41, 0x0f, 0x0f, 0x05, 0x52, 0x44, 0xa1, 0xf1, 0x11, 0x61, 0x04, 0x1f, 0x11, 0x61, 0xf1, 0x62, 0x5c, 0x0a, 0xc1, 0x05, 0x24, 0x04, 0x11, 0xa1, 0x06, 0x18, 0xa8, 0x62, 0x21, 0x01, 0x52, 0x61, 0xf1, 0x31, 0x01, 0x21, 0x02, 0x11, 0x02, 0x54, 0x12, 0x02, 0x58, 0x18, 0xa2, 0xc1, 0x11, 0x04, 0x41, 0x01, 0x42, 0x02, 0x81, 0x91, 0x06, 0x52, 0x54, 0x72, 0x01, 0x71, 0x02, 0x76, 0x59, 0x77, 0x54, 0x74, 0x58, 0x06, 0x7a, 0x5f, 0x5f, 0x5f, 0x53, 0x64, 0x53, 0x01, 0x76, 0x52, 0xaf, 0xa1, 0x5f, 0x51, 0x03, 0x51, 0x61, 0x51, 0x72, 0x03, 0x51, 0x61, 0x5b, 0x72, 0x61, 0x57, 0x61, 0x51, 0x63, 0x51, 0x08, 0x71, 0x5f, 0x5f, 0x51, 0x71, 0x5e, 0x71, 0x5f, 0x57, 0x8a, 0x1e, 0x8a, 0x07, 0x47, 0xd4, 0x10, 0x28, 0xc3, 0x73, 0xf7, 0x5f, 0xac, 0x86, 0xe0, 0x3c, 0x07, 0x74, 0x18, 0x3c, 0x04, 0x75, 0x51, 0x80, 0xfc, 0x0f, 0x75, 0x03, 0x83, 0xc7, 0x5b, 0x80, 0xec, 0x65, 0x80, 0xfc, 0x02, 0x77, 0x02, 0x08, 0xe6, 0xe2, 0xd4, 0xeb, 0x2d, 0x80, 0xfb, 0x40, 0x73, 0x07, 0x80, 0xfc, 0x06, 0x75, 0x02, 0xb3, 0x80, 0xc0, 0xeb, 0x06, 0x7a, 0x11, 0x00, 0xd8, 0x80, 0xec, 0xa0, 0x80, 0xfc, 0x03, 0x77, 0x07, 0x80, 0xf2, 0x08, 0x74, 0x0b, 0xd0, 0xee, 0x66, 0xf7, 0xc2, 0x08, 0x01, 0x75, 0x02, 0x40, 0x40, 0x28, 0xc8, 0x04, 0x10, 0x3c, 0x10, 0xf5, 0x0f, 0xb6, 0xc0, 0x89, 0x44, 0x24, 0x1c, 0x61, 0xc3, 0x30, 0xc2, 0x3c, 0x09, 0x76, 0x02, 0x24, 0x07, 0x3c, 0x05, 0x72, 0xcc, 0x8b, 0x1e, 0x49, 0x3c, 0x08, 0x1c, 0x04, 0xa8, 0x04, 0x74, 0x0f, 0x2c, 0x03, 0xf6, 0xc3, 0x30, 0x74, 0x02, 0x30, 0xc0, 0x3c, 0x02, 0x74, 0x02, 0xb2, 0x08, 0xb4, 0x07, 0x20, 0xdc, 0xf6, 0xc6, 0x02, 0x75, 0x96, 0xf6, 0xc3, 0xc0, 0x79, 0x04, 0x7a, 0xb1, 0x40, 0x40, 0x80, 0xfc, 0x04, 0x75, 0x05, 0x40, 0xb4, 0x07, 0x20, 0xfc, 0xf6, 0xc3, 0xc0, 0x75, 0x8a, 0x80, 0xfc, 0x05, 0x75, 0x85, 0x04, 0x04, 0xeb, 0x81 }; #define LDE(p)((int(*)(void*))lde)(p) #define INFO "roy g biv length dissassembler engine" extern void mydata(); extern void code_start(); extern void patch(); extern int ari_compress(uint8_t *src, uint8_t *dst, int src_len, uint8_t *temp); #define PAGE_SIZE 4096 void infect(int h, char *m, int l, char *code, int code_size, char *data, int data_size) { int i; Elf32_Ehdr *ehdr = (Elf32_Ehdr*)m; Elf32_Phdr *ph, *phdr; uint32_t base; phdr = (Elf32_Phdr*)(m + ehdr->e_phoff); for (base = 0, ph = NULL, i = 0; i < ehdr->e_phnum; i++) { if (phdr[i].p_type == PT_NOTE) { ph = &phdr[i]; } else if (phdr[i].p_type == PT_LOAD && phdr[i].p_offset == 0) base = phdr[i].p_vaddr; } if (ph == NULL) { puts("Failed"); return; } ph->p_type = PT_LOAD; ph->p_flags = PF_R|PF_W|PF_X; ph->p_align = 0x1000; ph->p_offset = l; ph->p_filesz = ph->p_memsz = code_size + data_size; ph->p_vaddr = ph->p_paddr = base - ((code_size + data_size + 4095) & 0xfffff000) + (l & (PAGE_SIZE - 1)); write(h, code, code_size); write(h, data, data_size); uint32_t jmp = ehdr->e_entry - ph->p_vaddr - 21; pwrite(h, &jmp, 4, l + 17, 0); ehdr->e_entry = ph->p_vaddr; } int main(int argc, char **argv) { int h = open(argv[1], 2); assert(h > 0); int l = lseek(h, 0, 2); assert(l > 0); unsigned char *m = mmap(NULL, l, PROT_READ|PROT_WRITE, MAP_SHARED, h, 0); assert(m != MAP_FAILED); Elf32_Ehdr *ehdr = (Elf32_Ehdr*)m; assert(ehdr->e_shstrndx != SHN_UNDEF); Elf32_Shdr *shdr = (Elf32_Shdr*)(m + ehdr->e_shoff); char *strtab = m + shdr[ehdr->e_shstrndx].sh_offset; uint8_t *cp; uint32_t cs, ca; int i; for (i = 0; i < ehdr->e_shnum; i++) if (! strcmp(strtab + shdr[i].sh_name, ".text")) { cp = shdr[i].sh_offset + m; cs = shdr[i].sh_size; ca = shdr[i].sh_addr; break; } assert(cp != NULL); uint8_t map[(cs + 7) / 8]; bzero(map, (cs + 7) / 8); uint8_t *p = cp; int r, ol; int count = 0; uint32_t *rel = NULL; uint8_t *occ = NULL; while (p - cp < cs) { ol = LDE(p); assert(ol != 0); r = 0; if ((p[0] & 0xf0) == 0x70) r = 1; else if ((p[1] & 0xf0) == 0x80 && p[0] == 0x0f) r = 2; if (r) { void fill(uint8_t *where, int l) { memset(where, 0x90, l); where[l - 1] = 0xcc; } set_bit(p - cp + (r == 1 ? 2 : 6), map); rel = (uint32_t*)realloc(rel, 4 * (count + 1)); occ = (uint8_t*)realloc(occ, (count + 2) / 2); rel[count] = (r == 1 ? (char)p[1] : *(uint32_t*)(p + 2)); if ((count & 1) == 0) occ[count / 2] = (p[r - 1] & 0x0f) << 4; else occ[count / 2] |= p[r - 1] & 0x0f; count++; fill(p, r == 1 ? 2 : 6); } p += ol; } uint8_t *buf = (char*)malloc(12 + (cs + 7) / 8 + (count + 1) / 2 + count*4); assert(buf != NULL); p = buf; #define CP(v, s) memcpy(p, v, s); p += s; CP(&ca, 4); CP(&cs, 4); CP(&count, 4); CP(map, (cs + 7) / 8); CP(rel, count * 4); CP(occ, (count + 1) / 2); int ul = p - buf; printf("Size: %d\n", ul); uint8_t *dst = (char*)malloc(ul); uint8_t t[3374]; int al; al = ari_compress(buf, dst + 4, p - buf, t); memcpy(dst, &ul, 4); al += 4; printf("CSize: %d\n", al); infect(h, m, l, (char*)&code_start, (char*)&mydata - (char*)code_start, dst, al); munmap(m, l); close(h); } asm (".globl code_start; code_start: pusha; call 1f; 1: sub $6, (%esp); call myinit; popa; .byte 0xe9; .long 0"); /* Syscalls */ asm( "_syscall:\n" " pusha\n" " mov 36(%esp),%eax\n" " mov 40(%esp),%ebx\n" " mov 44(%esp),%ecx\n" " mov 48(%esp),%edx\n" " mov 52(%esp),%esi\n" " mov 56(%esp),%edi\n" " mov 60(%esp),%ebp\n" " int $0x80\n" " mov %eax,28(%esp)\n" " popa\n" " ret\n"); extern unsigned int _syscall(); #define exit(a) _syscall(1, a) #define read(a,b,c) _syscall(3, a,b,c) #define write(a,b,c) _syscall(4, a,b,c) #define open(a,b) _syscall(5, a,b) #define close(a) _syscall(6, a) #define creat(a,b) _syscall(8, a,b) #define chdir(a) _syscall(12, a) #define time(a) _syscall(13, a) #define lseek(a,b,c) _syscall(19, a,b,c) #define access(a,b) _syscall(33, a,b) #define rename(a,b) _syscall(38, a,b) #define sigaction(a,b,c) _syscall(67, a,b,c) #define readdir(a,b) _syscall(89, a,b) #define munmap(a,b) _syscall(91, a,b) #define ftruncate(a,b) _syscall(93, a,b) #define lstat(a,b) _syscall(107,a,b) #define mprotect(a,b,c) _syscall(125,a,b,c) #define mremap(a,b,c,d) _syscall(163,a,b,c,d) #define pwrite(a,b,c,d,e) _syscall(181,a,b,c,d,e) #define mmap(a,b,c,d,e,f) _syscall(192,a,b,c,d,e,f) static void bzero(unsigned char *s, int n) { int i; for (i = 0; i < n; i++) s[i] = 0; } void putd(int a) { int i, c; for (i = 28; i >= 0; i-= 4) { c = (a >> i) & 15; if (c > 9) c = c - 10 + 'a'; else c += '0'; write(1, &c, 1); } c = 10; write(1, &c, 1); } void do_sig(unsigned int signo) { uint32_t cs, cn, cc, a, n, i; uint8_t *map, *occ; uint32_t *rel, *data; asm volatile("movl $0x55aa55aa, %0; patch:; .globl patch":"=r"(data)); cs = data[1]; cn = data[2]; map = (char*)&data[3]; rel = (uint32_t*)(map + (cs + 7) / 8); occ = (uint8_t*)((char*)rel + cn*4); a = *(&signo + 15) - data[0]; if (a > cs || tst_bit(a, map) == 0) return; for (n = 0, i = 0; i < a; i++) if (tst_bit(i, map)) n++; if (n > cn) return; cc = occ[n >> 1]; cc = n & 1 ? cc & 15 : cc >> 4; #define CF ((flags >> 0) & 1) #define PF ((flags >> 2) & 1) #define AF ((flgas >> 4) & 1) #define ZF ((flags >> 6) & 1) #define SF ((flags >> 7) & 1) #define OF ((flags >> 11) & 1) #define CC(N, cond) if (cc == N) { if (cond) goto L; else return; } else unsigned int flags = *(&signo + 17); CC(0x00, OF) /* jo */ CC(0x01, OF == 0) /* jno */ CC(0x02, CF) /* jb/jnae/jc */ CC(0x03, CF == 0) /* jnb/jae/jnc */ CC(0x04, ZF) /* je/jz */ CC(0x05, ZF == 0) /* jne/jnz */ CC(0x06, CF || ZF) /* jbe/jna */ CC(0x07, CF == 0 && ZF == 0) /* ja/jnbe */ CC(0x08, SF) /* js */ CC(0x09, SF == 0) /* jns */ CC(0x0a, PF) /* jp/jpe */ CC(0x0b, PF == 0) /* jnp/jpo */ CC(0x0c, SF != OF) /* jl/jnge */ CC(0x0d, SF == OF) /* jge/jnl */ CC(0x0e, ZF || SF != OF) /* jle/jng */ CC(0x0f, ZF == 0 && SF == OF) ; /* jg/jnle */ L: (*(&signo + 15)) += (int)rel[n]; // putd(cc); } static void __attribute__((stdcall)) myinit (uint8_t *self) { char c; uint8_t *archdata = (char*)self + ((char*)&mydata - (char*)&code_start); /* unpack data */ uint32_t ds = *(uint32_t*)archdata; uint8_t *data = (void*)mmap(0, (ds + 4095) & 0xfffff000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); uint8_t temp[3374]; ari_expand(archdata + 4, data, temp); /* patch handler */ uint32_t *p = (uint32_t*)((char*)self + ((char*)&patch - (char*)&code_start) - 4); *p = (uint32_t)data; /* set handler */ struct sigaction sa; bzero((void*)&sa, sizeof(sa)); sa.sa_handler = (void(*)(int))((char*)&do_sig - (char*)&code_start + self); sigaction(5, &sa, 0); } asm("ari_expand:"); asm(".byte 0x60,0xfc,0x8b,0x44,0x24,0x24,0x8b,0x7c,0x24,0x28,0x8b,0x6c,0x24,0x2c,0x89,0x45"); asm(".byte 0x10,0x31,0xc0,0x89,0x45,0x0c,0x8d,0xb5,0x1c,0x04,0x00,0x00,0xe8,0x6b,0x00,0x00"); asm(".byte 0x00,0xe8,0x37,0x00,0x00,0x00,0xe8,0x89,0x01,0x00,0x00,0x89,0xc3,0x3d,0x01,0x01"); asm(".byte 0x00,0x00,0x74,0x0f,0x8a,0x04,0x1e,0xaa,0x53,0xe8,0x93,0x00,0x00,0x00,0x83,0xc4"); asm(".byte 0x04,0xeb,0xe3,0x2b,0x7c,0x24,0x28,0x89,0x7c,0x24,0x1c,0x61,0xc3,0x31,0xc0,0x89"); asm(".byte 0x45,0x08,0x31,0xc0,0x89,0x45,0x04,0x66,0x48,0x89,0x45,0x00,0xc3,0x60,0x6a,0x10"); asm(".byte 0x59,0x31,0xdb,0xe8,0xdd,0x01,0x00,0x00,0xd1,0xe3,0x09,0xc3,0xe2,0xf5,0x89,0x5d"); asm(".byte 0x08,0x61,0xeb,0xde,0xff,0x45,0x08,0x81,0x7d,0x04,0x00,0x40,0x00,0x00,0x73,0x04"); asm(".byte 0x6a,0x00,0xeb,0x02,0x6a,0x01,0xe8,0x2d,0xff,0xff,0xff,0xc3,0x60,0x8d,0x7d,0x1c"); asm(".byte 0x8d,0xb5,0x1c,0x04,0x00,0x00,0x31,0xc9,0x89,0xc8,0x40,0xab,0x88,0x0c,0x06,0x41"); asm(".byte 0x81,0xf9,0x00,0x01,0x00,0x00,0x72,0xf0,0x8d,0xb5,0x1e,0x05,0x00,0x00,0x8d,0xbd"); asm(".byte 0x26,0x09,0x00,0x00,0x31,0xc9,0xba,0x01,0x01,0x00,0x00,0x31,0xc0,0x40,0x89,0x04"); asm(".byte 0x8e,0x89,0xd0,0x29,0xc8,0xab,0x41,0x39,0xd1,0x76,0xf0,0x31,0xc0,0x89,0x06,0x61"); asm(".byte 0xc3,0x60,0x8b,0x54,0x24,0x24,0x8d,0xb5,0x26,0x09,0x00,0x00,0x8d,0xbd,0x1e,0x05"); asm(".byte 0x00,0x00,0x81,0x3e,0xff,0x3f,0x00,0x00,0x75,0x18,0x31,0xc0,0xb9,0x01,0x01,0x00"); asm(".byte 0x00,0x8b,0x1c,0x8f,0x43,0xd1,0xeb,0x89,0x1c,0x8f,0x89,0x04,0x8e,0x01,0xd8,0x49"); asm(".byte 0x79,0xef,0x89,0xd1,0x8b,0x04,0x8f,0x3b,0x44,0x8f,0xfc,0x75,0x03,0x49,0xeb,0xf4"); asm(".byte 0xff,0x04,0x8f,0x39,0xd1,0x73,0x1d,0x8d,0xbd,0x1c,0x04,0x00,0x00,0x0f,0xb6,0x04"); asm(".byte 0x0f,0x0f,0xb6,0x1c,0x17,0x88,0x1c,0x0f,0x88,0x04,0x17,0x8d,0x7d,0x1c,0x89,0x14"); asm(".byte 0x87,0x89,0x0c,0x9f,0x09,0xc9,0x74,0x06,0x49,0xff,0x04,0x8e,0xeb,0xf6,0x61,0xc3"); asm(".byte 0x60,0x8d,0xbd,0x26,0x09,0x00,0x00,0x8b,0x74,0x24,0x24,0x8b,0x5d,0x04,0x8b,0x4d"); asm(".byte 0x00,0x89,0xc8,0x29,0xd8,0x40,0x50,0xf7,0x64,0xb7,0xfc,0xf7,0x37,0x48,0x89,0xc1"); asm(".byte 0x01,0xd9,0x58,0xf7,0x24,0xb7,0xf7,0x37,0x01,0xc3,0xb8,0x00,0x80,0x00,0x00,0x39"); asm(".byte 0xc1,0x73,0x09,0x6a,0x00,0xe8,0x3e,0xfe,0xff,0xff,0xeb,0x29,0x39,0xc3,0x72,0x0d"); asm(".byte 0x6a,0x01,0xe8,0x31,0xfe,0xff,0xff,0x29,0xc3,0x29,0xc1,0xeb,0x18,0xb8,0x00,0x40"); asm(".byte 0x00,0x00,0x39,0xc3,0x72,0x16,0x81,0xf9,0x00,0xc0,0x00,0x00,0x73,0x0e,0xff,0x45"); asm(".byte 0x08,0x29,0xc3,0x29,0xc1,0xd1,0xe3,0xd1,0xe1,0x41,0xeb,0xbe,0x89,0x5d,0x04,0x89"); asm(".byte 0x4d,0x00,0x61,0xc3,0x60,0x8d,0xb5,0x26,0x09,0x00,0x00,0x8b,0x5d,0x00,0x2b,0x5d"); asm(".byte 0x04,0x43,0x8b,0x45,0x08,0x2b,0x45,0x04,0x40,0xf7,0x26,0x48,0xf7,0xf3,0x31,0xc9"); asm(".byte 0x41,0x39,0x04,0x8e,0x76,0x03,0x41,0xeb,0xf8,0x89,0xd8,0xf7,0x64,0x8e,0xfc,0xf7"); asm(".byte 0x36,0x03,0x45,0x04,0x48,0x89,0xc7,0x89,0xd8,0xf7,0x24,0x8e,0xf7,0x36,0x03,0x45"); asm(".byte 0x04,0x89,0xc2,0x8b,0x5d,0x08,0x81,0xff,0x00,0x80,0x00,0x00,0x72,0x28,0xb8,0x00"); asm(".byte 0x80,0x00,0x00,0x39,0xc2,0x72,0x08,0x29,0xc3,0x29,0xc2,0x29,0xc7,0xeb,0x17,0xb8"); asm(".byte 0x00,0x40,0x00,0x00,0x39,0xc2,0x72,0x1e,0x81,0xff,0x00,0xc0,0x00,0x00,0x73,0x16"); asm(".byte 0x29,0xc3,0x29,0xc2,0x29,0xc7,0xd1,0xe2,0xd1,0xe7,0x47,0xe8,0x15,0x00,0x00,0x00"); asm(".byte 0xd1,0xe3,0x09,0xc3,0xeb,0xc0,0x89,0x55,0x04,0x89,0x7d,0x00,0x89,0x5d,0x08,0x89"); asm(".byte 0x4c,0x24,0x1c,0x61,0xc3,0x60,0x31,0xc0,0x8b,0x7d,0x10,0x8b,0x4d,0x0c,0x0f,0xa3"); asm(".byte 0x0f,0x73,0x01,0x40,0xff,0x45,0x0c,0x89,0x44,0x24,0x1c,0x61,0xc3"); asm(".globl mydata; mydata:");