Teaching noobs shady shit lol


Teaching noobs shady shit lol

Post by MadM0use on Fri Feb 13, 2015 9:39 am

I have been busy recently writing an assembler called Plasm, and haven't had time to write tutorials for you guys the past two weeks. So I put together a quick teaser.


#include <unistd.h>

typedef unsigned char BYTE;

/*
 * emo: position-independent x86-64 machine code using the Linux syscall ABI,
 * called from main() as  void emo(const char *path)  with path = argv[0].
 * The bytes are the "EMO" listing in the comment block at the bottom of this
 * file, i.e.:
 *   open(path, O_WRONLY=1)                -> fd kept in r8, path kept in r14
 *   0x19001 times: write(fd, "LOLO...", 24); lseek(fd, 1, SEEK_CUR=1)
 *   close(fd); unlink(path); rax = rdi = 0; ret
 * The trailing 24-byte "LOLO..." run is the data the loop writes; the call
 * just before it pushes the string's address so it can be popped into r10.
 *
 * NOTE(review): the open() result in rax is used as the fd with no error
 * check.  On Linux, opening the currently executing binary for writing
 * normally fails with ETXTBSY, so the write/lseek loop is probably running
 * against an invalid fd; the unlink(path) still runs.  For a responder, a
 * process whose binary was unlinked shows "(deleted)" on /proc/<pid>/exe
 * while its code is still mapped in memory.
 * NOTE(review): executing a const array as code requires the page holding
 * it to be mapped executable; with NX / W^X data segments this faults.
 */
const BYTE emo[] = \
"\x6a\x02\x58\x6a\x01\x5e\x0f\x05\x49\x89"
"\xc0\x49\x89\xfe\xeb\x44\x41\x5a\x68\x01"
"\x90\x01\x00\x41\x5f\x6a\x01\x58\x4c\x89"
"\xc7\x4c\x89\xd6\x6a\x18\x5a\x0f\x05\x6a"
"\x08\x58\x4c\x89\xc7\x6a\x01\x5e\x48\x89"
"\xf2\x0f\x05\x49\xff\xcf\x4d\x85\xff\x75"
"\xdc\x6a\x03\x58\x4c\x89\xc7\x0f\x05\x6a"
"\x57\x58\x4c\x89\xf7\x0f\x05\x48\x31\xc0"
"\x48\x31\xff\xc3\xe8\xb7\xff\xff\xff\x4c"
"\x4f\x4c\x4f\x4c\x4f\x4c\x4f\x4c\x4f\x4c"
"\x4f\x4c\x4f\x4c\x4f\x4c\x4f\x4c\x4f\x4c"
"\x4f\x4c\x4f";

/*
 * spoofy: x86-64 bytes for  void spoofy(void *dst, const void *src, unsigned n)
 * (the "good ol'e spoofy" listing below): copies rdx=n bytes from rsi to rdi
 * one byte at a time with the loop instruction, then zeroes rax/rdi and
 * returns.  main() uses it to overwrite argv[0] in place.
 *
 * NOTE(review): the copy is bounded only by n, never by the destination.
 * argv strings are normally laid out back-to-back on the initial stack, so
 * if argv[0] is shorter than n the tail of the copy lands in whatever
 * follows it.
 * NOTE(review): n == 0 is not handled; loop decrements rcx before testing
 * it, so a zero count wraps and the copy runs for 2^64 bytes.
 * Rewriting argv[0] changes what /proc/<pid>/cmdline (and therefore ps)
 * displays; /proc/<pid>/comm and /proc/<pid>/exe are unaffected, which is
 * how a responder can tell the real program apart from the spoofed name.
 */
const BYTE spoofy[] = \
"\x48\x89\xd1\x48\x31\xc0\x8a\x06\x88\x07"
"\x48\xff\xc6\x48\xff\xc7\xe2\xf4\x48\x31"
"\xc0\x48\x31\xff\xc3";

/*
 * breaky: x86-64 bytes for  int breaky(const void *p, unsigned n)
 * (the "breakpoints huh?" listing below): walks n bytes starting at p and
 * returns 1 (mov al, 1 after xor rax, rax) as soon as a 0xCC byte is seen,
 * otherwise 0.  0xCC is the one-byte int3 opcode a debugger writes to plant
 * a software breakpoint, so main() uses this as a crude self-check.
 *
 * NOTE(review): the encoding of the  cmp byte [rsi], 0xCC  instruction
 * itself contains a 0xCC byte (visible in the second string below), so
 * breaky must never be pointed at its own bytes or it always reports a hit.
 * NOTE(review): same loop-instruction caveat as spoofy: n == 0 wraps.
 * For analysts: only in-memory int3 patches trip this check; hardware
 * breakpoints and single-stepping leave the scanned bytes unchanged.
 */
const BYTE breaky[] = \
"\x48\x89\xf1\x48\x89\xfe\x48\x31\xc0\x48"
"\x31\xff\x80\x3e\xcc\x74\x09\x48\xff\xc6"
"\xe2\xf6\x48\x31\xff\xc3\x48\x31\xff\xb0"
"\x01\xc3";


/*
 * Entry point.  Forks, lets the parent return, and in the child:
 *   1. calls emo(argv[0]) to scribble over and unlink its own executable,
 *   2. scans the spoofy bytes for int3 and complains if one is found,
 *   3. overwrites argv[0] with a fake process name via spoofy,
 *   4. spins forever re-scanning the first 105 bytes of main for int3.
 * All three "functions" are the const byte arrays above cast to function
 * pointers.  The implicit int return type and the bare `return;` are
 * pre-C99 forms; puts() is called without <stdio.h> being included.
 */
main(int count, char** argv)
{
   if(fork()>0)return;            // daemonize
   // NOTE(review): only the parent leaves; there is no setsid()/chdir()/fd
   // cleanup, so the child stays in the caller's session and process group.
   ((void(*)(void*))emo)(argv[0]);   // erase ourselves, overkill style
   // NOTE(review): jumping into .rodata needs that page to be executable
   // (faults under NX data segments).  After the unlink, /proc/<pid>/exe
   // of the running process reports the path as "(deleted)".
   
   // scan spoofy for breakpoints
   // sizeof(spoofy) counts the string's terminating NUL, so one byte past
   // the final ret is scanned as well.
   if(((int(*)(void*,unsigned))breaky)((void*)spoofy,sizeof(spoofy)))
      puts("NO KITTY, THATS MY POT PIE!!!!!");
      
   // change our name to something more suspicious (you may want to do the opposite)
   // 23 = the 22 characters of "Hey Mom, Look at me :D" plus the NUL.  The
   // copy does not check that argv[0] is at least 23 bytes long.
   ((void(*)(void*,void*,unsigned))spoofy)(argv[0],"Hey Mom, Look at me :D",23);
   
   // waste CPU so that we can get to the top of the
   // process listing for easy preview lol
   // 105 is the compiled size of main read off objdump (see the post); it is
   // tied to this exact build and goes stale if main or the compiler flags
   // change.
   while(1)
      if(((int(*)(void*,unsigned))breaky)((void*)main,105))
         puts("YOU'Z BAD MR. KITEH< YOU IZ BAYAAD!!!");
}

/*

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; good ol'e spoofy
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
   mov rcx, rdx
   xor rax, rax
loop:
   mov al, byte [rsi]
   mov byte [rdi], al
   inc rsi
   inc rdi
loop loop   
   xor rax, rax
   xor rdi, rdi
   ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; breakpoints huh?
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;   mov rcx, rsi
;   mov rsi, rdi
;   xor rax, rax
;   xor rdi, rdi
;scan:
;   cmp byte [rsi], 0xCC
;   je fuck_you
;   inc rsi
;loop scan
;   xor rdi, rdi
;   ret
;fuck_you:
;   xor rdi, rdi
;   mov al, 1
;   ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; EMO
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; open our file
   push 2
   pop rax
   push 1
   pop rsi
   syscall
   mov r8, rax
   mov r14, rdi
   jmp lol
laugh:
   pop r10
   push 0x19001
   pop r15
do:
; write garbage
   push 1
   pop rax
   mov rdi, r8
   mov rsi, r10
   push 24
   pop rdx
   syscall
; seek file
   push 8
   pop rax
   mov rdi, r8
   push 1
   pop rsi
   mov rdx, rsi
   syscall
   dec r15
   test r15, r15
jnz do

; close fd
   push 3
   pop rax
   mov rdi, r8
   syscall   
; unlink file   
   push 87
   pop rax
   mov rdi, r14
   syscall   
   xor rax, rax
   xor rdi, rdi
   ret
lol:
   call laugh
   db "LOLOLOLOLOLOLOLOLOLOLOLO"

*/



How do you calculate the length to plug into breaky, you ask?
Simply take the address at the start of the objdump output for main (in this case it's 0x400c86) and subtract it from the last one.
0x400cef - 0x400c86 = 0x69 = 105 in decimal. (Note that the listing below was built with 0xdead in %esi as the length argument rather than 105.)

0000000000400c86 <main>:
  400c86:   55                      push   %rbp
  400c87:   53                      push   %rbx
  400c88:   48 89 f5                mov    %rsi,%rbp
  400c8b:   52                      push   %rdx
  400c8c:   e8 cf 29 03 00          callq  433660 <__libc_fork>
  400c91:   85 c0                   test   %eax,%eax
  400c93:   7f 57                   jg     400cec <main+0x66>
  400c95:   48 8b 7d 00             mov    0x0(%rbp),%rdi
  400c99:   bb 80 3e 49 00          mov    $0x493e80,%ebx
  400c9e:   e8 5d 32 09 00          callq  493f00 <emo>
  400ca3:   be 1a 00 00 00          mov    $0x1a,%esi
  400ca8:   bf b0 3e 49 00          mov    $0x493eb0,%edi
  400cad:   ff d3                   callq  *%rbx
  400caf:   85 c0                   test   %eax,%eax
  400cb1:   74 0a                   je     400cbd <main+0x37>
  400cb3:   bf 04 3e 49 00          mov    $0x493e04,%edi
  400cb8:   e8 73 79 00 00          callq  408630 <_IO_puts>
  400cbd:   48 8b 7d 00             mov    0x0(%rbp),%rdi
  400cc1:   ba 17 00 00 00          mov    $0x17,%edx
  400cc6:   be 24 3e 49 00          mov    $0x493e24,%esi
  400ccb:   e8 e0 31 09 00          callq  493eb0 <spoofy>
  400cd0:   be ad de 00 00          mov    $0xdead,%esi
  400cd5:   bf 86 0c 40 00          mov    $0x400c86,%edi
  400cda:   ff d3                   callq  *%rbx
  400cdc:   85 c0                   test   %eax,%eax
  400cde:   74 f0                   je     400cd0 <main+0x4a>
  400ce0:   bf 3b 3e 49 00          mov    $0x493e3b,%edi
  400ce5:   e8 46 79 00 00          callq  408630 <_IO_puts>
  400cea:   eb e4                   jmp    400cd0 <main+0x4a>
  400cec:   58                      pop    %rax
  400ced:   5b                      pop    %rbx
  400cee:   5d                      pop    %rbp
  400cef:   c3                      retq   



I will be sure to get something much nicer and more satisfying together as soon as I am finished writing my assembler :D
const char main[]="\xeb\xfe -> A fully functional program in C";

<@MadMouse> i am forgot what i was doing today but i had motivation and a distinct plan when i woke up stoned right now

http://pastebin.com/FnwUG5KS
Books:
http://goo.gl/muPm3d


Re: Teaching noobs shady shit lol

Post by tgoe on Fri Feb 20, 2015 8:47 pm

Any chance that there is a public Plasm repo somewhere? :)


Re: Teaching noobs shady shit lol

Post by MadM0use on Sat Feb 21, 2015 8:46 am

tgoe wrote:Any chance that there is a public Plasm repo somewhere? :)



not yet, but it will be on my github shortly lol
const char main[]="\xeb\xfe -> A fully functional program in C";

<@MadMouse> i am forgot what i was doing today but i had motivation and a distinct plan when i woke up stoned right now

http://pastebin.com/FnwUG5KS
Books:
http://goo.gl/muPm3d


