This forum is in archive mode. You will not be able to post new content.

Author Topic: [NASM] Useless, but kicked boredom away  (Read 2558 times)

0 Members and 1 Guest are viewing this topic.

Offline ca0s

  • VIP
  • Sir
  • *
  • Posts: 432
  • Cookies: 53
    • View Profile
    • ka0labs #
[NASM] Useless, but kicked boredom away
« on: September 02, 2011, 12:24:13 PM »
Code: [Select]
BITS 64
segment .text
global main
main:
jmp +6
mov rbx, 0x9090906e69622f68
jmp +6
mov rbx, 0x900000000cc48148
jmp +6
mov rbx, 0x9090900068732f68
jmp +6
mov rbx, 0x9000000004ec8148
jmp +6
mov rbx, 0x9090909090e78948
jmp +6
mov rbx, 0x9090909090f63148
jmp +6
mov rbx, 0x9090c03148d23148
jmp +6
mov rbx, 0x90050f0000003bb8
jmp +6
mov rbx, 0x9000000008c48148
xor rax, rax
ret

Offline xzid

  • Knight
  • **
  • Posts: 329
  • Cookies: 41
    • View Profile
Re: [NASM] Useless, but kicked boredom away
« Reply #1 on: September 02, 2011, 09:38:14 PM »
Well that was an awful lot of fun to decode.

Code: [Select]
xg@localhost ~ $ cat test.asm
BITS 64
segment .text
global main
main:
jmp +6
mov rbx, 0x9090906e69622f68
jmp +6
mov rbx, 0x900000000cc48148
jmp +6
mov rbx, 0x9090900068732f68
jmp +6
mov rbx, 0x9000000004ec8148
jmp +6
mov rbx, 0x9090909090e78948
jmp +6
mov rbx, 0x9090909090f63148
jmp +6
mov rbx, 0x9090c03148d23148
jmp +6
mov rbx, 0x90050f0000003bb8
jmp +6
mov rbx, 0x9000000008c48148
xor rax, rax
ret
xg@localhost ~ $ nasm -f elf64 test.asm
xg@localhost ~ $ objdump -j .text -xd test.o
0000000000000000 <main>:
   0:   e9 02 00 00 00          jmpq   7 <main+0x7>
   5:   48 bb 68 2f 62 69 6e    movabs $0x9090906e69622f68,%rbx
   c:   90 90 90
   f:   e9 02 00 00 00          jmpq   16 <main+0x16>
  14:   48 bb 48 81 c4 0c 00    movabs $0x900000000cc48148,%rbx
  1b:   00 00 90
  1e:   e9 02 00 00 00          jmpq   25 <main+0x25>
  23:   48 bb 68 2f 73 68 00    movabs $0x9090900068732f68,%rbx
  2a:   90 90 90
  2d:   e9 02 00 00 00          jmpq   34 <main+0x34>
  32:   48 bb 48 81 ec 04 00    movabs $0x9000000004ec8148,%rbx
  39:   00 00 90
  3c:   e9 02 00 00 00          jmpq   43 <main+0x43>
  41:   48 bb 48 89 e7 90 90    movabs $0x9090909090e78948,%rbx
  48:   90 90 90
  4b:   e9 02 00 00 00          jmpq   52 <main+0x52>
  50:   48 bb 48 31 f6 90 90    movabs $0x9090909090f63148,%rbx
  57:   90 90 90
  5a:   e9 02 00 00 00          jmpq   61 <main+0x61>
  5f:   48 bb 48 31 d2 48 31    movabs $0x9090c03148d23148,%rbx
  66:   c0 90 90
  69:   e9 02 00 00 00          jmpq   70 <main+0x70>
  6e:   48 bb b8 3b 00 00 00    movabs $0x90050f0000003bb8,%rbx
  75:   0f 05 90
  78:   e9 02 00 00 00          jmpq   7f <main+0x7f>
  7d:   48 bb 48 81 c4 08 00    movabs $0x9000000008c48148,%rbx
  84:   00 00 90
  87:   48 31 c0                xor    %rax,%rax
  8a:   c3                      retq
xg@localhost ~ $ printf "BITS 64\nsegment .text\nglobal main\nmain: db " > test2.asm
xg@localhost ~ $ objdump -j .text -xd test.o | perl -e 'while(<>) {
> chomp;
> next if(!m/ +[0-9a-f]*:/);
> next if(m/(jmp|xor|ret)/);
> s/ +[0-9a-f]*:\t//;
> s/\tmov.*//;
> s/^48 bb //;
> s/([a-f0-9]{2})/0$1h,/g;
> print "$_\\\n";
> }' >> test2.asm
xg@localhost ~ $ echo "48h, 31h, 0c0h, 0c3h" >> test2.asm
xg@localhost ~ $ cat test2.asm
BITS 64
segment .text
global main
main: db 068h, 02fh, 062h, 069h, 06eh, \
090h, 090h, 090h, \
048h, 081h, 0c4h, 00ch, 000h, \
000h, 000h, 090h, \
068h, 02fh, 073h, 068h, 000h, \
090h, 090h, 090h, \
048h, 081h, 0ech, 004h, 000h, \
000h, 000h, 090h, \
048h, 089h, 0e7h, 090h, 090h, \
090h, 090h, 090h, \
048h, 031h, 0f6h, 090h, 090h, \
090h, 090h, 090h, \
048h, 031h, 0d2h, 048h, 031h, \
0c0h, 090h, 090h, \
0b8h, 03bh, 000h, 000h, 000h, \
00fh, 005h, 090h, \
048h, 081h, 0c4h, 008h, 000h, \
000h, 000h, 090h, \
48h, 31h, 0c0h, 0c3h
xg@localhost ~ $ nasm -f elf64 test2.asm
xg@localhost ~ $ objdump -j .text -xd test2.o
0000000000000000 <main>:
   0:   68 2f 62 69 6e          pushq  $0x6e69622f
   5:   90                      nop
   6:   90                      nop
   7:   90                      nop
   8:   48 81 c4 0c 00 00 00    add    $0xc,%rsp
   f:   90                      nop
  10:   68 2f 73 68 00          pushq  $0x68732f
  15:   90                      nop
  16:   90                      nop
  17:   90                      nop
  18:   48 81 ec 04 00 00 00    sub    $0x4,%rsp
  1f:   90                      nop
  20:   48 89 e7                mov    %rsp,%rdi
  23:   90                      nop
  24:   90                      nop
  25:   90                      nop
  26:   90                      nop
  27:   90                      nop
  28:   48 31 f6                xor    %rsi,%rsi
  2b:   90                      nop
  2c:   90                      nop
  2d:   90                      nop
  2e:   90                      nop
  2f:   90                      nop
  30:   48 31 d2                xor    %rdx,%rdx
  33:   48 31 c0                xor    %rax,%rax
  36:   90                      nop
  37:   90                      nop
  38:   b8 3b 00 00 00          mov    $0x3b,%eax
  3d:   0f 05                   syscall
  3f:   90                      nop
  40:   48 81 c4 08 00 00 00    add    $0x8,%rsp
  47:   90                      nop
  48:   48 31 c0                xor    %rax,%rax
  4b:   c3                      retq   
xg@localhost ~ $ cat /usr/include/asm/unistd_64.h | grep `perl -e 'printf("%d",0x3b)'`
#define __NR_execve                             59
#define __NR_adjtimex                           159
#define __NR_mknodat                            259
xg@localhost ~ $ perl -e 'foreach (unpack("(A2)*", "6e69622f68732f")) {print chr hex;}'; echo
nib/hs/

I guess I should of run it beforehand, or traced it. Coulda been malicious for all I knew, wouldn't of mattered though. Well that's 20 minutes of my life I'll never get back, although I do enjoy writting perl.

edit: Looking back there was a much faster way to do it.
« Last Edit: September 02, 2011, 09:38:39 PM by xzid »

Offline ca0s

  • VIP
  • Sir
  • *
  • Posts: 432
  • Cookies: 53
    • View Profile
    • ka0labs #
Re: [NASM] Useless, but kicked boredom away
« Reply #2 on: September 02, 2011, 09:40:19 PM »
Nice analysis xzid :)
I did that code a boring evening some weeks ago, as a try to confuse AV's or debugers or something. Then I opened it with IDA and saw that it was futile. But it was nice to write.

Offline xzid

  • Knight
  • **
  • Posts: 329
  • Cookies: 41
    • View Profile
Re: [NASM] Useless, but kicked boredom away
« Reply #3 on: September 02, 2011, 09:42:59 PM »
Yeah but I made a grave error, I changed everything to bytes when I could have run a much shorter script and used "DQ" instead directly on your code... not the disasm.

 



Want to be here? Contact Ande, Factionwars or Kulverstukas on the forum or at IRC.