From 0cbe7fef38d35310895da849d064432c1802ff1c Mon Sep 17 00:00:00 2001 From: pbonilla Date: Mon, 19 Feb 2024 11:35:40 +0100 Subject: [PATCH 01/20] chaos --- .vscode/settings.json | 6 +++ Makefile | 2 +- includes/woody.h | 7 ++- payload | Bin 0 -> 42 bytes print | Bin 0 -> 4704 bytes print.s | 27 ++++++++++ shell_test | Bin 0 -> 15824 bytes shellcode_test.c | 26 ++++++++++ srcs/main.c | 25 +++++---- srcs/utils.c | 2 +- srcs/woody.c | 115 ++++++++++++++++++++++++++++++++++-------- 11 files changed, 173 insertions(+), 37 deletions(-) create mode 100644 .vscode/settings.json create mode 100644 payload create mode 100755 print create mode 100644 print.s create mode 100755 shell_test create mode 100644 shellcode_test.c diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..2386c0c --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,6 @@ +{ + "files.associations": { + "stdio.h": "c", + "mman.h": "c" + } +} \ No newline at end of file diff --git a/Makefile b/Makefile index 1cd28f8..59ab4ab 100644 --- a/Makefile +++ b/Makefile @@ -37,4 +37,4 @@ fclean: re: fclean make all -.PHONY : all clean fclean re +.PHONY : all clean fclean re \ No newline at end of file diff --git a/includes/woody.h b/includes/woody.h index c86a04a..7fc6f23 100644 --- a/includes/woody.h +++ b/includes/woody.h @@ -2,6 +2,7 @@ # define WOODY_H #include "../ft_printf/includes/ft_printf.h" +#include #include #include #include 
@@ -17,15 +18,17 @@ typedef struct efl_content long unsigned int file_size; char *file_path; char *file; + Elf64_Ehdr *Ehdr; + Elf64_Phdr *Phdr; char *extra_data; } t_efl_content; // utils.c -void *secure_access(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size); +void *secure_jump(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size); int ft_put_error(char *str); // woody.c -int woody(t_efl_content *file_content); +int inject(t_efl_content *woody); #endif \ No newline at end of file diff --git a/payload b/payload new file mode 100644 index 0000000000000000000000000000000000000000..34879f8ac9ac77b81acde8357cc6b9c522b94b98 GIT binary patch literal 42 ycmXp!Fmn^v{{x-JJ$g+A7#JA%SvP4J9{7LY+oR6oh6ngr_4LC1{aqsU^tb?s1Q3w` literal 0 HcmV?d00001 diff --git a/print b/print new file mode 100755 index 0000000000000000000000000000000000000000..5f1691355d4c1278dcdd35bafcf14c2a8ee383a0 GIT binary patch literal 4704 zcmb<-^>JfjWMqH=CI&kOFi*e%ECeAL7!(9yDi|0X7%Ui=fFvse3s@}+LJG)&>44B1 zpmH#pK>#8EvV#@Ggz_1n_Q7Z^h%yEk4Oa&hAEib^U^E0qLtr!nMnhmU1V%$(Gz3ON zU^E0qLtr!nMnhmU1c(m-!vixnas5BgdEBGd6x0>xXWgV_c;NqmZ;v{U8y?_i)zb_2 z_jifZ)8oQ#Ca6Ep!tn7wx++ev03(9}tbY$xAOxfZK%)m};=C|%1qY}~2qlR_TmgqT zLqSnyUWr~YLvC?8LwtNvadCWcNn%k6LwssVVo4&9%1dEj&?~OYElErQ(j`R@Is?Wk zNv$Y>SWOWr4b%+^8#b6JF#kfwJ>cUTPoXAu7HX$18ETEfbu1v kG${N*;^^Q8RKF^k1js&Q02=nervEQgzap|?ARApj0JJPO2mk;8 literal 0 HcmV?d00001 diff --git a/print.s b/print.s new file mode 100644 index 0000000..3759956 --- /dev/null +++ b/print.s 
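Review bot: The prototype is renamed from `secure_access` to `secure_jump` here (and the definition in the srcs/utils.c hunk of this same patch follows), but every caller in srcs/woody.c — `find_cave` and `inject` in the large woody.c hunk — still calls `secure_access`, so the tree no longer builds (implicit declaration, then an undefined reference at link time). Either keep `void *secure_access(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size);` or rename the call sites in the same commit; the old name also says what the helper does (bounds-check an offset into the mapping), which `secure_jump` does not. The new `Elf64_Ehdr *Ehdr;` / `Elf64_Phdr *Phdr;` members point into the mmap'd `file` buffer and are only meaningful after `inject` and `find_cave` assign them, which deserves a one-line comment on the struct, e.g. `// views into file, set by inject()/find_cave(); valid only while file is mapped`.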
@@ -0,0 +1,27 @@
+bits 64
+default rel
+global _start
+
+; rdi rsi rdx
+; v v v
+;write(fd, msg, len);
+
+_start:
+ xor eax, eax
+ cdq
+ mov dl, 10 ;3eme argument (rdx)
+ inc eax ;eax = 1 (syscall)
+ mov edi, eax ;1er argument rdi = 1
+ lea rsi, [rel msg] ;2eme arg
+ syscall
+ mov dl, 42 ;petit registre pour enregistrer 42 sans 0x00
+ xor eax, eax
+ inc eax
+ mul dl ;multiplier 42 * rax (rax = 1), resultat dans rax
+ mov edi, eax ;bouger la valeur 42 de rax à rdi
+ xor eax, eax
+ syscall
+
+msg db "..WOODY..",10
+
+
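Review bot: The final `xor eax, eax` / `syscall` pair invokes syscall 0 (read), not exit (60): the comments say 42 is prepared as the exit status, but the syscall number is never loaded, so after the write the stub calls read(42, msg, 10), gets EBADF, and execution falls through into the `msg` bytes. Load the number before the second `syscall`, e.g. `mov al, 60` (no NUL byte; the shellcode_test.c hunk already encodes exactly this as `\xb0\x3c`). `CODE_MACRO` in the srcs/woody.c hunk has the same omission (`...\x89\xc7\x31\xc0\x0f\x05...`), and because `msg` is addressed with a rel displacement in `lea rsi, [rel msg]`, the displacement in that byte string must be recomputed once the two bytes are inserted.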
diff --git a/shell_test b/shell_test new file mode 100755 index 0000000000000000000000000000000000000000..15ec415a5e362e2036ebf2435a95193c15653010 GIT binary patch literal 15824 zcmeHOZEPGz8J;`m!=;JsBn|nbS(OHA8gK3#+X@9Y=h)}0!AVMDgMh-a_O0!c?!(;e zwRVBxDtuXKM37M72S`Aft|}?ezUN zbx>^~dsD#a@{9&5)#-Y2J+=zpLdbD@Inx9WYMNTm2|Z-wxQ){CW?ceQavdBO6p0NU zn3o2C;2Z53(qaUk6&e_hV{MkZw8L`$dh8TkQi6zMljD@B{b@LK60A!i= zGm0sx1{jT-k+>)hNgR;d;B@{KFZbWHcb~*Nv4QqKNI(vQ9KqhJ2lFJIX8+n3rq-gLb#sZT2?u$9j}KGIrX|xfORhU-jI|*y+JSx#W&H z69ukrx>znrb+&eG>c|Qvf`59X5@d6KF<)x?^S7|-JpY*c@mC%rnUnOy(+T%6?jK`^ z=2ztY2EQZ~wq|rWc-YrZXr9NAHA7ko@!@g55#lk&IA%G-^ZY?t3GqB%;uI?oD-bIX zD-bIXD-bIXD-bKd3jC%0_J3LzUTw85ZvORArL51_y`=x5b>Z38X99uz-Y1Cuvw!$o z1nq|cf3kiWSVKBK{l}5TYah23U$!p%e)+z!Y`UI)&brk9JXPTDu9D|pr_A<4p9|_E z{(Hn&mo{^~*1K1{-PH64IZsXB;xDxyT42X#1j&Cs@b9fKbgo*9%huC>I$=G%(qbj9 zSl3p)+o*!WQbDV~G}V5H`h|GDzJ-31idF6IaqB{VlC#$0E8aHiV*eI0Zgl#-eX%>h{dcg#(AMA= zusbQ+L!YOJ4~Vvo;kLc+Yrplu)&+H9|2^+Ic4zQ&A;)vOkHe4hoVZSpK95j8QcPsq zI=+w`+`eU+8fH6Au>!FIu>!FIu>!FIu>!FIu>!FIu>!FIO%=d?MeI++-b3u!+=eLG zzqnoO`(>ZwKC!V6@_^WQ7uzp3_Cxaf8z+?iZPhQc{iJMS#NNaie)*)N_p~Z?UCQ60 zY4s(+TLt$D?iK_{n5xVE$E{M3l7`Tay708wGf1fKcCq32hOhfeItA3K*uf@T@}*yf zgX@8g^qLyj%W^&c5F7oH>i>6u{o!x2M(j&X|0Z33GI4c5of;gx$GB^JqE_;1MmlBo znyIdIEils$cXykqo=&0vW6P||CiS`>bzjeE|MDlxf!g zjjoG#3nXYqcHKY?YuK!wD}g`F`pCGy5QOben~b%1&b>^ZgnDb^en9C8Wt!~+-%WxT za0+22;P)t%36Ydd6W^isH1tI2apHF-+ZCQ0;O`axXg%)_>W9}FeuVfP$vq156D8Bk zQ_ITGjNESO0pdGoe2ok|H4YKKlg2S4^Cb8`Dk}Pv_+vgG>WkvvDbKx>6g)~i_a|Ea z*NHa}9Ks(Fe@Dnh_A2o^lk_x;%-dfOzk~Gb$Y@VIpVaxuikCLawA0<0$lIPXt%#_4 zwW%p{QmyTZx4oi0$@}7~I8PxV%O+26oojW*EfglpIoI~wsz*Ju?cs9+r?YnU%#cm{ z@`pZrX5jS5AklQd!OmJzY7L!J_NmdcCkICDv%|yZvt#zyz{$}pMMTdDWN|C{M&p4$VpCcGKOJ2Er$*xu1oFW0}%buuKB{n#zVB2)| z09V9^5}KYgSbyN5(QQ7|5a>oDk#p&sPj$ZNITM6lMdJ)|`4Sy-m{n$}?78N2sb
)R`I62bAb0ct{ajG-Q%*~gm35{MwmptHBs`+whoncd1#Vt4- zpiCZFWzH7#mpNUgjOWhLH%|}pEC=$M?u<-`nHsODR4k7mkmf zr{ez)4<|gg!13Rwa6JA#0u49{M&mz3{NHKKf&OEi1w{K;XGQz(P&}`(5RY{j@Upba zePo>xkM&cYIR2B4c&zJy{C6{)xQ=l8BpJM>LOj+{K&(&EfA|3(rg&bX!Nxibi062; z|LDUd%CM%0$GQ<%7e}-oz5cIJIbRdX8_#!n&SSkS)dX!J&-hLHgyRi~1B%%Qfem~j z5}%R+ApB4PY~c4J@fj%q?u!f<;!xiYBk}nA55)Tf{G;>tClcRSn;7CL81;t@{F%gK z{IDJZ^0}^XLL9iOl;KN6e9F)zz^`hv@s05Z@hi%-(Ff~&tPgSiFzOE*_&bVi55;3W zy3$1?CHQG;%?AG(74Y0c`;B#?oF}cz`0@PbggA`jw~1pH#N$1xew4kH$^_qQUx)|t zx-uN!2uSG|yg#A_#KB&r40C87>#}_kkAA~nE(fM+A%Zz^Z}5n}yTRxT;=_os54&1Y x;U}bHd>`{1MgQ^q +#include +#include +#include + +// Define the shellcode +char code[] = "\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x12\x00\x00\x00\x0f\x05\xb2\x2a\x31\xc0\xff\xc0\xf6\xe2\x89\xc7\x31\xc0\xb0\x3c\x0f\x05\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a"; + +// Declare a function pointer with no arguments and no return value +typedef void (*ShellcodeFunc)(); + +int main() { + // Create a function pointer of the appropriate type and point it to the shellcode + ShellcodeFunc func = (ShellcodeFunc)code; + + // Make the memory containing the shellcode executable + // Using a reasonable default page size + size_t pagesize = 4096; // 4KB, a common page size + uintptr_t page_start = (uintptr_t)code & ~(pagesize - 1); + mprotect((void *)page_start, pagesize, PROT_READ | PROT_EXEC); + + // Call the shellcode + func(); + + return 0; +} diff --git a/srcs/main.c b/srcs/main.c index a5d84b1..3fd7078 100644 --- a/srcs/main.c +++ b/srcs/main.c 
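Review bot: The return value of `mprotect((void *)page_start, pagesize, PROT_READ | PROT_EXEC)` is ignored, so when it fails (non-page-aligned or unsupported range, or a platform that refuses PROT_EXEC on a data page) `func()` still runs and the process faults with no diagnostic; check it: `if (mprotect((void *)page_start, pagesize, PROT_READ | PROT_EXEC) != 0) { perror("mprotect"); return 1; }`. The hard-coded `size_t pagesize = 4096;` should come from `sysconf(_SC_PAGESIZE)`, and the range should be computed from `code` up to `code + sizeof code` rather than one page, since the 44-byte array is not guaranteed to sit inside a single page. The hunk header for this file is not visible in the patch as rendered here.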
@@ -1,29 +1,29 @@
 #include "../includes/woody.h"
-int get_elf_file(t_efl_content *file_content)
+int get_elf_file(t_efl_content *woody)
 {
 int fd;
 off_t off;
- fd = open(file_content->file_path, O_RDONLY);
+ fd = open(woody->file_path, O_RDONLY);
 if (fd < 0)
 {
- ft_printf("Error: Failed to open \'%s\'\n", file_content->file_path);
+ ft_printf("Error: Failed to open \'%s\'\n", woody->file_path);
 return EXIT_FAILURE;
 }
 off = lseek(fd, 0, SEEK_END);
 if (off == -1)
 {
 close(fd);
- ft_printf("Error: Failed to read file offset \'%s\'\n", file_content->file_path);
+ ft_printf("Error: Failed to read file offset \'%s\'\n", woody->file_path);
 return EXIT_FAILURE;
 }
- file_content->file_size = off;
- file_content->file = mmap(NULL, file_content->file_size, PROT_READ, MAP_PRIVATE, fd, 0);
- if (file_content->file == MAP_FAILED)
+ woody->file_size = off;
+ woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+ if (woody->file == MAP_FAILED)
 {
 close(fd);
- ft_printf("Error: Failed to map file \'%s\'\n", file_content->file_path);
+ ft_printf("Error: Failed to map file \'%s\'\n", woody->file_path);
 return EXIT_FAILURE;
 }
 close(fd);
@@ -32,15 +32,14 @@ int get_elf_file(t_efl_content *file_content)
 int main(int ac, char **av)
 {
- t_efl_content file_content;
+ t_efl_content woody;
 if (ac != 2)
 {
 return ft_put_error("Woody_woodpacker take 1 argument\n");
 }
- file_content.file_path = av[1];
- int ret = get_elf_file(&file_content);
+ woody.file_path = av[1];
+ int ret = get_elf_file(&woody);
 if (ret == EXIT_FAILURE)
 return ret;
-
- return woody(&file_content);
+ return inject(&woody);
 }
\ No newline at end of file
diff --git a/srcs/utils.c b/srcs/utils.c
index 81a6e3c..84ca99a 100644
--- a/srcs/utils.c
+++ b/srcs/utils.c
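Review bot: `t_efl_content woody;` in main is left uninitialized while the struct just gained the `Ehdr` and `Phdr` pointers (next to the existing `extra_data`), so any member read before `inject` assigns it is a garbage pointer; `t_efl_content woody = {0};` makes the state deterministic at no cost. The mmap in get_elf_file now requests `PROT_READ | PROT_WRITE` with `MAP_PRIVATE`, which means the in-place patching done later in find_cave lands in this process's copy-on-write copy and never touches the input file — correct, but easy to misread, so a comment on that line such as `// private writable copy: patches are applied here, the input file is never modified` would help the next reader.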
@@ -1,6 +1,6 @@
 #include "../includes/woody.h"
-void *secure_access(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size)
+void *secure_jump(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size)
 {
 if (file_size > offset_to_data && file_size >= (offset_to_data + supposed_data_size))
 return (file + offset_to_data);
diff --git a/srcs/woody.c b/srcs/woody.c
index 7435bc1..a3ebdec 100644
--- a/srcs/woody.c
+++ b/srcs/woody.c
@@ -1,5 +1,7 @@
 #include "../includes/woody.h"
+#define CODE_MACRO "\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x10\x00\x00\x00\x0f\x05\xb2\x2a\x31\xc0\xff\xc0\xf6\xe2\x89\xc7\x31\xc0\x0f\x05\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a"
+
 int elf_magic_numbers(char *str)
 {
 return (!ft_strncmp(str, ELFMAG, SELFMAG));
@@ -36,49 +38,122 @@ int save_elf(char *path, char *file, unsigned long int size)
 return EXIT_SUCCESS;
 }
-int woody(t_efl_content *file_content)
+int get_load_segment(t_efl_content *woody, int start, bool executable)
 {
- Elf64_Ehdr *Ehdr = (Elf64_Ehdr *)secure_access(file_content->file, file_content->file_size, 0, sizeof(Elf64_Ehdr));
-
- if (!Ehdr || !elf_magic_numbers(file_content->file) || Ehdr->e_ident[EI_CLASS] != 2)
+ for (int i = start; i < woody->Ehdr->e_phnum; i++)
 {
- ft_printf("Error: \'%s\' is not a valid 64-bit ELF file\n", file_content->file_path);
+ if (woody->Phdr[i].p_type == PT_LOAD)
+ {
+ if (executable)
+ {
+ if (woody->Phdr[i].p_flags & PF_X)
+ return i;
+ }
+ else
+ return i;
+ }
+ }
+ return -1;
+}
+
+void find_cave(t_efl_content *woody)
+{
+ woody->Phdr = (Elf64_Phdr *)secure_access(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr));
+
+ int i = get_load_segment(woody, 0, true);
+ int j = get_load_segment(woody, i + 1, false);
+
+ printf("%d %ld\n", i, woody->Phdr[i].p_align);
+ printf("%d %ld\n", j, woody->Phdr[j].p_align);
+ printf("code_cave_start = %lx, virtual adress = %lx\n", woody->Phdr[i].p_offset, woody->Phdr[i].p_vaddr);
+ printf("code_cave_size = %lx\n", woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz));
+
+
+// static void inject(t_woody64 *woody, const t_patch *patch) {
+// char payload[] = PAYLOAD;
+
+ Elf64_Off payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz;
+
+// ft_memcpy((void *)woody->file + payload_off, payload, PAYLOAD_SIZE);
+// ft_memcpy(
+// (void *)woody->file + payload_off + (PAYLOAD_SIZE - sizeof(t_patch)),
+// patch, sizeof(t_patch));
+
+// woody->file->e_entry = woody->load_seg->p_vaddr + woody->load_seg->p_filesz;
+// woody->load_seg->p_filesz += PAYLOAD_SIZE;
+// woody->load_seg->p_memsz += PAYLOAD_SIZE;
+// }
+
+ size_t len = sizeof(CODE_MACRO) - 1;
+ ft_memcpy(woody->file + payload_off, CODE_MACRO, len);
+
+ woody->Ehdr->e_entry =
woody->Phdr[i].p_vaddr + woody->Phdr[i].p_filesz;
+ woody->Phdr[i].p_filesz += len;
+ woody->Phdr[i].p_memsz += len;
+}
+
+
+int inject(t_efl_content *woody)
+{
+ woody->Ehdr = (Elf64_Ehdr *)secure_access(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr));
+ if (!woody->Ehdr || !elf_magic_numbers(woody->file) || woody->Ehdr->e_ident[EI_CLASS] != 2)
+ {
+ ft_printf("Error: \'%s\' is not a valid 64-bit ELF file\n", woody->file_path);
 return EXIT_FAILURE;
 }
- Elf64_Shdr *Shdr = (Elf64_Shdr *)secure_access(file_content->file, file_content->file_size, Ehdr->e_shoff, sizeof(Elf64_Shdr));
- if (Shdr == NULL || !secure_access(file_content->file, file_content->file_size, Ehdr->e_shoff, Ehdr->e_shnum * sizeof(Elf64_Shdr)))
+ printf("entry point = %ld\n", woody->Ehdr->e_entry);
+ Elf64_Shdr *Shdr = (Elf64_Shdr *)secure_access(woody->file, woody->file_size, woody->Ehdr->e_shoff, sizeof(Elf64_Shdr));
+ if (Shdr == NULL || !secure_access(woody->file, woody->file_size, woody->Ehdr->e_shoff, woody->Ehdr->e_shnum * sizeof(Elf64_Shdr)))
 {
 return ft_put_error("Corrupted file");
 }
- if (file_content->file_size > Ehdr->e_shoff + Ehdr->e_shnum * sizeof(Elf64_Shdr))
+ if (woody->file_size > woody->Ehdr->e_shoff + woody->Ehdr->e_shnum * sizeof(Elf64_Shdr))
 {
- printf("extra_data !\n"); // save it in file_content->extra_data and append it to the end of the woody file ? Could be dangerous
+ printf("extra_data !\n"); // save it in woody->extra_data and append it to the end of the woody file ? 
Could be dangerous } Elf64_Shdr *symbols_table = NULL; - for (int i = 0; i < Ehdr->e_shnum; i++) { + for (int i = 0; i < woody->Ehdr->e_shnum; i++) { if (Shdr[i].sh_type == SHT_SYMTAB) { - symbols_table = secure_access(file_content->file, file_content->file_size, Ehdr->e_shoff + (i * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr)); + symbols_table = secure_access(woody->file, woody->file_size, woody->Ehdr->e_shoff + (i * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr)); } } if (symbols_table == NULL) + return ft_put_error("No symbols"); + + if (!secure_access(woody->file, woody->file_size, woody->Ehdr->e_shoff + (woody->Ehdr->e_shstrndx * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr))) return ft_put_error("Corrupted file"); - Elf64_Shdr *strtab_header = (Elf64_Shdr *)secure_access(file_content->file, file_content->file_size, Ehdr->e_shoff + (symbols_table->sh_link * Ehdr->e_shentsize), sizeof(Elf64_Shdr)); + char *Sshstrtab = (char *)secure_access(woody->file, woody->file_size, Shdr[woody->Ehdr->e_shstrndx].sh_offset, 0); + if (Sshstrtab == NULL) + return ft_put_error("Corrupted file"); + + for (int i = 0; i < woody->Ehdr->e_shnum; i++) { + char *section_name = Sshstrtab + Shdr[i].sh_name; + printf("%s : Offset: %lx | Size: %lx | Virtual adress: %lx\n", section_name, Shdr[i].sh_offset, Shdr[i].sh_size, Shdr[i].sh_addr); + } + + // useless for now + Elf64_Shdr *strtab_header = (Elf64_Shdr *)secure_access(woody->file, woody->file_size, woody->Ehdr->e_shoff + (symbols_table->sh_link * woody->Ehdr->e_shentsize), sizeof(Elf64_Shdr)); if (!strtab_header) return ft_put_error("Corrupted file"); + char *strtab = secure_access(woody->file, woody->file_size, strtab_header->sh_offset, 0); + if (strtab == NULL) + return ft_put_error("Corrupted file"); + Elf64_Sym *symbols = (Elf64_Sym *)secure_access(woody->file, woody->file_size, symbols_table->sh_offset, sizeof(Elf64_Sym)); + if (symbols == NULL) + return ft_put_error("Corrupted file"); + // end useless woody->Ehdr->e_entry = - if 
(strtab_header->sh_offset + strtab_header->sh_size > file_content->file_size) - { - return ft_put_error("Encrypt after the end of the file"); - } + find_cave(woody); - char *woody = malloc(file_content->file_size); - ft_memcpy(woody, file_content->file, file_content->file_size); + char *woody_file = malloc(woody->file_size); - encrypt_zone(woody, strtab_header->sh_offset , strtab_header->sh_size); + ft_memcpy(woody_file, woody->file, woody->file_size); + + encrypt_zone(woody_file, strtab_header->sh_offset , strtab_header->sh_size); - return save_elf("woody", woody, file_content->file_size); + return save_elf("woody", woody_file, woody->file_size); } \ No newline at end of file From c7862e27816182722385b771b49069645bfacc90 Mon Sep 17 00:00:00 2001 From: pbonilla Date: Mon, 19 Feb 2024 16:49:40 +0100 Subject: [PATCH 02/20] je suis plus ou jen suis --- a.out | Bin 0 -> 16056 bytes diff.txt | 4 + p_memsz | 0 p_offset | 0 payload | Bin 42 -> 40 bytes print | Bin 4704 -> 4696 bytes print.s | 34 ++- sample | 825 +++++++++++++++++++++++++++++++++++++++++++++++++++ sample.txt | 825 +++++++++++++++++++++++++++++++++++++++++++++++++++ srcs/woody.c | 42 ++- woody.txt | 825 +++++++++++++++++++++++++++++++++++++++++++++++++++ 11 files changed, 2515 insertions(+), 40 deletions(-) create mode 100755 a.out create mode 100644 diff.txt create mode 100644 p_memsz create mode 100644 p_offset create mode 100644 sample create mode 100644 sample.txt create mode 100644 woody.txt 
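Review bot: find_cave copies `len` bytes of `CODE_MACRO` to `woody->file + payload_off` without checking that they fit: the cave size it prints (`Phdr[j].p_offset - (Phdr[i].p_offset + Phdr[i].p_filesz)`) is never compared with `len`, `payload_off + len` is never compared with `file_size`, and `i`/`j` are used as indices even though get_load_segment returns -1 when no matching PT_LOAD exists, so an input with no gap after its executable segment makes ft_memcpy write into the next segment or past the mapping. The `secure_access` call that sets `woody->Phdr` also validates a single `Elf64_Phdr` although `e_phnum` entries are indexed afterwards. I would make find_cave return an int, validate the table, the indices and the cave before writing, and have inject check it (`if (find_cave(woody) != EXIT_SUCCESS) return EXIT_FAILURE;`). Two smaller points in the same hunk: the commented-out `inject`/`PAYLOAD` block pasted into find_cave should be deleted rather than kept, and `printf("entry point = %ld\n", ...)` formats an unsigned `Elf64_Addr` with `%ld` where `%lx` would match the other debug lines.
```c
int find_cave(t_efl_content *woody)
{
    // Every entry of the program-header table is indexed below, so validate all of them, not just the first.
    woody->Phdr = (Elf64_Phdr *)secure_access(woody->file, woody->file_size, woody->Ehdr->e_phoff,
                                             (unsigned long)woody->Ehdr->e_phnum * sizeof(Elf64_Phdr));
    if (!woody->Phdr)
        return ft_put_error("Corrupted file");

    int i = get_load_segment(woody, 0, true);
    if (i < 0)
        return ft_put_error("No executable PT_LOAD segment");
    int j = get_load_segment(woody, i + 1, false);
    if (j < 0)
        return ft_put_error("No PT_LOAD segment after the executable one");

    Elf64_Off payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz;
    size_t len = sizeof(CODE_MACRO) - 1;
    // The cave is the file gap between the end of segment i and the start of segment j;
    // refuse to write when the stub does not fit there or would run past the mapping.
    if (woody->Phdr[j].p_offset < payload_off
        || woody->Phdr[j].p_offset - payload_off < len
        || payload_off + len > woody->file_size)
        return ft_put_error("Code cave too small");

    /* … unchanged: debug printfs, ft_memcpy of CODE_MACRO, e_entry / p_filesz / p_memsz update … */
    return EXIT_SUCCESS;
}
```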
diff --git a/a.out b/a.out new file mode 100755 index 0000000000000000000000000000000000000000..9c336ffb10a06c00d205eda9400c80cb8946baf9 GIT binary patch literal 16056 zcmeHOYit}>6~4QP6E{s_Cv9lrgk}f@^&wBZiEX8iH0#GE<6-e_L*3NdlRM5A0)l<7P95kkO?LMGT zOqFyTMirm*Whswrx3Zo56B`y?`{DNvZpyCvw(TAsOO91^%$$|UE0U=LI@PZJzV04#i@rtgsO7h|E3qFHG)pxxbRDd_$G*W6>+tHzs|%=taJ`!`D+EQ|u&N3h0C5VmhFg zF-V-5fZlulaY3^Iy+4k8!+F-zy+-3PN>K!&2t*NxA`nF&ia->BC<6aq5%_b{?f)>2 z{Grh}+VJbmN*SN8I&t^BapdL3m%IygJH8I}HTOf`05ok>e`#XbzS!a$*{iQ zS$madhg=TIiMRSH7d~NBE*nSQnAtm+N>mfC8ppT)9HqEx_QUfpBYM-u&w2Ghe+C-k zc*ALeduN?BXj&)b(X^Y~OHCUm$?+vd_*Xptj?WU@b=|1U7%%>Dhw(e1y7Fue}fIi1GoY(oqD zVvm74kN@Uj7^$EG;31eATK_VbMkO_EoJ-Bn%Y$(=HDmnkqEY!Nj3>$Xf%CA>LXTr$ z=0`L+H!80gm2=Zm*Im~*dSH4AD&_vlgICcVRE5`9wca6zC`A#7A`nF&ia->BC<0Lg zq6kD0h$0Y0Ac{Z~fg494Mqj(uFS@@CuJj7JVa9dSzz2ZGfc?Pl03QX?H^S6a*Znb& zzGYI1J+V*4#+zg7moIHRfe%%rr*HO+@c%G5^e**2o!x;febYVlC)d@0YGw1zm1`er zy7_S9q}tJP-`!j9@IDU`|4|&z!B4)qkvr)f9N!A*sV-{gQ>f1Zs?^HnFT{IREQx;% zEh0sfq6kD0h$0Y0Ac{Z~fhYn|1fmE;5r`u2za0TtS19WUWsM-MRiw1shuXr$6)Zo` z>kerhC?#31xZW3)yfU@0EbA8OJ&Tgq|9agmkbH_48_L?k$;G6dTaS8??aO?%dWP|4 z#%SF`=^EX#Fp@&7fD_2A(G+k!96VdKA%W!-7mB~ks_ z>1A%Ua?Uv3LF;{+8cyGxsJhj+FIUbbs;3@kYS8tE_w4C?MAw(8T|GVbX?GqND(9WD zmT1#E^tRSS*%K2_ZrP%@wco|+a5XiV;<;E|b!!UFP=Cc>ImQ9iSbqz!o(38I(!aE_@KHIVdW>2F${9aHa9a)0<%r9O=em0!C*+3-cre@*Rv z6aSOQ)NB7j*F}o~V)!@Yk|rh0VZCzBdj7Ym@Ob&9N4rHW*5>$>yNn~I*4FMjvCbk> zZ@u>#1Vj_3046;>o-)aR64?aw&1zjOo?_hw{p$ECCC?|(Kgj;!az5gfFJ5!_ap+gY z*QxM$9wj|pf#&=2V@f>^eKY!ZZ*r~-%Jo9O8kU1RPQ3rJp#K#6%Xkph)9l~J&sU2L z$2`4w&Ed1qQ#-@;z5u;8=T^&|gML#@n#){|tR;P4-cEvz8^c8> zp%<_q-Wtl7jy0;FC^_Yk5q((AEuJ@>oHw8lz?Qy)0yX58nd(6;X>Lr9lPY9 zWv01vU)Mm&OzrM9v3$Sxk=6aX=ANB9_ooKU!LIK9 z6d2*{1WDOMaHEX_cG_|*IsGPwDm`s{gUEO`HG+;dUF{?DD^z=j?Rru%> zeaqu^v6Ly~=LsfkMLTN|fpdqlj?%rh>d5M&1&EX>*~3bA>~V-Rg5X{7dO)|wc+8BY zQJP488UEn$8Ing;RxX3Wd^&=!bd1^@2IJiQ^Imf_U&1YhXT6`o``Bc@#AeS|@`NA6 zL30%0FSK8ad@0Gi#Fvz!?RY_cc;6QN-yTfzyb~S$t_At>yDF%OBV(BVF!XO@jw9`t 
zd7z-w&(pDYwci4t=77SNd7|KRTrahe;w;xM^R*0gG!+p3BsWk{=9zHu5|t55pM*ej zIN{5@O>iYUOZ&x7@JZNdPAIa>3kBPlA8tRZ)p2B~$-?iYH zL5UObDIexP3mwHo%CG%?@b8Gc55UDs;r{<7v_Zbcyc#l3Kz^PCPlotOHVBH}Li|%9 z{$3^s-iUuD#6QRc!G}TvCS2Z6LVTIG2+I4Gv_BlbpE18Sr_$JyG3+n0;4hdj<45Lk zg6&+Kfbc~AO^Clu^DTnUizB0qA5mXHhVBu0zmfMy*=HH{7g_KsxJ?1R%%iJ3Q4v45 zcu8czcc7)QEA`9#R`$)x{#d&IC<#yc@w?Db7YkqBGp9C_Ha0$pkzDlxd zn~wuErk~M5@^X-=EU91SlLO2bz0jzxU|PlXvwO`XeEAf25w>($qeJtEYsMHL-NFlu?75SnUE6#dA)8u;m*J)!VQp*ka{{mI~2?hWF literal 0 HcmV?d00001 diff --git a/diff.txt b/diff.txt new file mode 100644 index 0000000..e4f2717 --- /dev/null +++ b/diff.txt @@ -0,0 +1,4 @@ +2c2 +< resources/sample64: file format elf64-x86-64 +--- +> woody: file format elf64-x86-64 diff --git a/p_memsz b/p_memsz new file mode 100644 index 0000000..e69de29 diff --git a/p_offset b/p_offset new file mode 100644 index 0000000..e69de29 diff --git a/payload b/payload index 34879f8ac9ac77b81acde8357cc6b9c522b94b98..fe0bf4eeebc875e56df6ae84757fb018be02028c 100644 GIT binary patch literal 40 wcmWFt4+{!5JTP+;*Z%{Z$31#YIT;uj_*tW(qvGNt4(sWK`}?~@>gjO-05Zo7S^xk5 literal 42 ycmXp!Fmn^v{{x-JJ$g+A7#JA%SvP4J9{7LY+oR6oh6ngr_4LC1{aqsU^tb?s1Q3w` 
diff --git a/print b/print index 5f1691355d4c1278dcdd35bafcf14c2a8ee383a0..c4d460bc1a25e44ab6e64179e45f7b70344b92c9 100755 GIT binary patch delta 107 zcmaE$azkZ;2BXA8&3sM`1_;pDxG)=r!d8%JQ>DMMuTO zM;xB4AfPmPfgsCd9|0Lgxy_jZ;*5+MlN$xif#gm>d&Ucse+t@jeieY2s5qHXNFD&4 ClO4SP delta 114 zcmcbi@<3&R2BX46&3sNR1_;pFxG: + 318: 2f (bad) + 319: 6c insb (%dx),%es:(%rdi) + 31a: 69 62 36 34 2f 6c 64 imul $0x646c2f34,0x36(%rdx),%esp + 321: 2d 6c 69 6e 75 sub $0x756e696c,%eax + 326: 78 2d js 355 <__abi_tag-0x37> + 328: 78 38 js 362 <__abi_tag-0x2a> + 32a: 36 2d 36 34 2e 73 ss sub $0x732e3436,%eax + 330: 6f outsl %ds:(%rsi),(%dx) + 331: 2e 32 00 cs xor (%rax),%al + +Disassembly of section .note.gnu.property: + +0000000000000338 <.note.gnu.property>: + 338: 04 00 add $0x0,%al + 33a: 00 00 add %al,(%rax) + 33c: 20 00 and %al,(%rax) + 33e: 00 00 add %al,(%rax) + 340: 05 00 00 00 47 add $0x47000000,%eax + 345: 4e 55 rex.WRX push %rbp + 347: 00 02 add %al,(%rdx) + 349: 00 00 add %al,(%rax) + 34b: c0 04 00 00 rolb $0x0,(%rax,%rax,1) + 34f: 00 03 add %al,(%rbx) + 351: 00 00 add %al,(%rax) + 353: 00 00 add %al,(%rax) + 355: 00 00 add %al,(%rax) + 357: 00 02 add %al,(%rdx) + 359: 80 00 c0 addb $0xc0,(%rax) + 35c: 04 00 add $0x0,%al + 35e: 00 00 add %al,(%rax) + 360: 01 00 add %eax,(%rax) + 362: 00 00 add %al,(%rax) + 364: 00 00 add %al,(%rax) + ... 
+ +Disassembly of section .note.gnu.build-id: + +0000000000000368 <.note.gnu.build-id>: + 368: 04 00 add $0x0,%al + 36a: 00 00 add %al,(%rax) + 36c: 14 00 adc $0x0,%al + 36e: 00 00 add %al,(%rax) + 370: 03 00 add (%rax),%eax + 372: 00 00 add %al,(%rax) + 374: 47 rex.RXB + 375: 4e 55 rex.WRX push %rbp + 377: 00 aa 0d f4 0f 29 add %ch,0x290ff40d(%rdx) + 37d: 9d popf + 37e: 21 c9 and %ecx,%ecx + 380: 16 (bad) + 381: 1e (bad) + 382: 8a 34 ce mov (%rsi,%rcx,8),%dh + 385: 99 cltd + 386: 69 cc 15 8d 7d 01 imul $0x17d8d15,%esp,%ecx + +Disassembly of section .note.ABI-tag: + +000000000000038c <__abi_tag>: + 38c: 04 00 add $0x0,%al + 38e: 00 00 add %al,(%rax) + 390: 10 00 adc %al,(%rax) + 392: 00 00 add %al,(%rax) + 394: 01 00 add %eax,(%rax) + 396: 00 00 add %al,(%rax) + 398: 47 rex.RXB + 399: 4e 55 rex.WRX push %rbp + 39b: 00 00 add %al,(%rax) + 39d: 00 00 add %al,(%rax) + 39f: 00 03 add %al,(%rbx) + 3a1: 00 00 add %al,(%rax) + 3a3: 00 02 add %al,(%rdx) + 3a5: 00 00 add %al,(%rax) + 3a7: 00 00 add %al,(%rax) + 3a9: 00 00 add %al,(%rax) + ... + +Disassembly of section .gnu.hash: + +00000000000003b0 <.gnu.hash>: + 3b0: 02 00 add (%rax),%al + 3b2: 00 00 add %al,(%rax) + 3b4: 06 (bad) + 3b5: 00 00 add %al,(%rax) + 3b7: 00 01 add %al,(%rcx) + 3b9: 00 00 add %al,(%rax) + 3bb: 00 06 add %al,(%rsi) + 3bd: 00 00 add %al,(%rax) + 3bf: 00 00 add %al,(%rax) + 3c1: 00 81 00 00 00 00 add %al,0x0(%rcx) + 3c7: 00 06 add %al,(%rsi) + 3c9: 00 00 add %al,(%rax) + 3cb: 00 00 add %al,(%rax) + 3cd: 00 00 add %al,(%rax) + 3cf: 00 d1 add %dl,%cl + 3d1: 65 ce gs (bad) + 3d3: 6d insl (%dx),%es:(%rdi) + +Disassembly of section .dynsym: + +00000000000003d8 <.dynsym>: + ... + 3f0: 10 00 adc %al,(%rax) + 3f2: 00 00 add %al,(%rax) + 3f4: 12 00 adc (%rax),%al + ... + 406: 00 00 add %al,(%rax) + 408: 48 00 00 rex.W add %al,(%rax) + 40b: 00 20 add %ah,(%rax) + ... + 41d: 00 00 add %al,(%rax) + 41f: 00 22 add %ah,(%rdx) + 421: 00 00 add %al,(%rax) + 423: 00 12 add %dl,(%rdx) + ... 
+ 435: 00 00 add %al,(%rax) + 437: 00 64 00 00 add %ah,0x0(%rax,%rax,1) + 43b: 00 20 add %ah,(%rax) + ... + 44d: 00 00 add %al,(%rax) + 44f: 00 73 00 add %dh,0x0(%rbx) + 452: 00 00 add %al,(%rax) + 454: 20 00 and %al,(%rax) + ... + 466: 00 00 add %al,(%rax) + 468: 01 00 add %eax,(%rax) + 46a: 00 00 add %al,(%rax) + 46c: 22 00 and (%rax),%al + ... + +Disassembly of section .dynstr: + +0000000000000480 <.dynstr>: + 480: 00 5f 5f add %bl,0x5f(%rdi) + 483: 63 78 61 movsxd 0x61(%rax),%edi + 486: 5f pop %rdi + 487: 66 69 6e 61 6c 69 imul $0x696c,0x61(%rsi),%bp + 48d: 7a 65 jp 4f4 <__abi_tag+0x168> + 48f: 00 5f 5f add %bl,0x5f(%rdi) + 492: 6c insb (%dx),%es:(%rdi) + 493: 69 62 63 5f 73 74 61 imul $0x6174735f,0x63(%rdx),%esp + 49a: 72 74 jb 510 <__abi_tag+0x184> + 49c: 5f pop %rdi + 49d: 6d insl (%dx),%es:(%rdi) + 49e: 61 (bad) + 49f: 69 6e 00 70 75 74 73 imul $0x73747570,0x0(%rsi),%ebp + 4a6: 00 6c 69 62 add %ch,0x62(%rcx,%rbp,2) + 4aa: 63 2e movsxd (%rsi),%ebp + 4ac: 73 6f jae 51d <__abi_tag+0x191> + 4ae: 2e 36 00 47 4c cs ss add %al,0x4c(%rdi) + 4b3: 49 rex.WB + 4b4: 42 rex.X + 4b5: 43 5f rex.XB pop %r15 + 4b7: 32 2e xor (%rsi),%ch + 4b9: 32 2e xor (%rsi),%ch + 4bb: 35 00 47 4c 49 xor $0x494c4700,%eax + 4c0: 42 rex.X + 4c1: 43 5f rex.XB pop %r15 + 4c3: 32 2e xor (%rsi),%ch + 4c5: 33 34 00 xor (%rax,%rax,1),%esi + 4c8: 5f pop %rdi + 4c9: 49 54 rex.WB push %r12 + 4cb: 4d 5f rex.WRB pop %r15 + 4cd: 64 65 72 65 fs gs jb 536 <__abi_tag+0x1aa> + 4d1: 67 69 73 74 65 72 54 imul $0x4d547265,0x74(%ebx),%esi + 4d8: 4d + 4d9: 43 6c rex.XB insb (%dx),%es:(%rdi) + 4db: 6f outsl %ds:(%rsi),(%dx) + 4dc: 6e outsb %ds:(%rsi),(%dx) + 4dd: 65 54 gs push %rsp + 4df: 61 (bad) + 4e0: 62 (bad) + 4e1: 6c insb (%dx),%es:(%rdi) + 4e2: 65 00 5f 5f add %bl,%gs:0x5f(%rdi) + 4e6: 67 6d insl (%dx),%es:(%edi) + 4e8: 6f outsl %ds:(%rsi),(%dx) + 4e9: 6e outsb %ds:(%rsi),(%dx) + 4ea: 5f pop %rdi + 4eb: 73 74 jae 561 <__abi_tag+0x1d5> + 4ed: 61 (bad) + 4ee: 72 74 jb 564 <__abi_tag+0x1d8> + 4f0: 5f pop %rdi 
+ 4f1: 5f pop %rdi + 4f2: 00 5f 49 add %bl,0x49(%rdi) + 4f5: 54 push %rsp + 4f6: 4d 5f rex.WRB pop %r15 + 4f8: 72 65 jb 55f <__abi_tag+0x1d3> + 4fa: 67 69 73 74 65 72 54 imul $0x4d547265,0x74(%ebx),%esi + 501: 4d + 502: 43 6c rex.XB insb (%dx),%es:(%rdi) + 504: 6f outsl %ds:(%rsi),(%dx) + 505: 6e outsb %ds:(%rsi),(%dx) + 506: 65 54 gs push %rsp + 508: 61 (bad) + 509: 62 .byte 0x62 + 50a: 6c insb (%dx),%es:(%rdi) + 50b: 65 gs + ... + +Disassembly of section .gnu.version: + +000000000000050e <.gnu.version>: + 50e: 00 00 add %al,(%rax) + 510: 02 00 add (%rax),%al + 512: 01 00 add %eax,(%rax) + 514: 03 00 add (%rax),%eax + 516: 01 00 add %eax,(%rax) + 518: 01 00 add %eax,(%rax) + 51a: 03 00 add (%rax),%eax + +Disassembly of section .gnu.version_r: + +0000000000000520 <.gnu.version_r>: + 520: 01 00 add %eax,(%rax) + 522: 02 00 add (%rax),%al + 524: 27 (bad) + 525: 00 00 add %al,(%rax) + 527: 00 10 add %dl,(%rax) + 529: 00 00 add %al,(%rax) + 52b: 00 00 add %al,(%rax) + 52d: 00 00 add %al,(%rax) + 52f: 00 75 1a add %dh,0x1a(%rbp) + 532: 69 09 00 00 03 00 imul $0x30000,(%rcx),%ecx + 538: 31 00 xor %eax,(%rax) + 53a: 00 00 add %al,(%rax) + 53c: 10 00 adc %al,(%rax) + 53e: 00 00 add %al,(%rax) + 540: b4 91 mov $0x91,%ah + 542: 96 xchg %eax,%esi + 543: 06 (bad) + 544: 00 00 add %al,(%rax) + 546: 02 00 add (%rax),%al + 548: 3d 00 00 00 00 cmp $0x0,%eax + 54d: 00 00 add %al,(%rax) + ... + +Disassembly of section .rela.dyn: + +0000000000000550 <.rela.dyn>: + 550: b8 3d 00 00 00 mov $0x3d,%eax + 555: 00 00 add %al,(%rax) + 557: 00 08 add %cl,(%rax) + 559: 00 00 add %al,(%rax) + 55b: 00 00 add %al,(%rax) + 55d: 00 00 add %al,(%rax) + 55f: 00 40 11 add %al,0x11(%rax) + 562: 00 00 add %al,(%rax) + 564: 00 00 add %al,(%rax) + 566: 00 00 add %al,(%rax) + 568: c0 3d 00 00 00 00 00 sarb $0x0,0x0(%rip) # 56f <__abi_tag+0x1e3> + 56f: 00 08 add %cl,(%rax) + ... 
+ 579: 11 00 adc %eax,(%rax) + 57b: 00 00 add %al,(%rax) + 57d: 00 00 add %al,(%rax) + 57f: 00 08 add %cl,(%rax) + 581: 40 00 00 rex add %al,(%rax) + 584: 00 00 add %al,(%rax) + 586: 00 00 add %al,(%rax) + 588: 08 00 or %al,(%rax) + 58a: 00 00 add %al,(%rax) + 58c: 00 00 add %al,(%rax) + 58e: 00 00 add %al,(%rax) + 590: 08 40 00 or %al,0x0(%rax) + 593: 00 00 add %al,(%rax) + 595: 00 00 add %al,(%rax) + 597: 00 d8 add %bl,%al + 599: 3f (bad) + 59a: 00 00 add %al,(%rax) + 59c: 00 00 add %al,(%rax) + 59e: 00 00 add %al,(%rax) + 5a0: 06 (bad) + 5a1: 00 00 add %al,(%rax) + 5a3: 00 01 add %al,(%rcx) + ... + 5ad: 00 00 add %al,(%rax) + 5af: 00 e0 add %ah,%al + 5b1: 3f (bad) + 5b2: 00 00 add %al,(%rax) + 5b4: 00 00 add %al,(%rax) + 5b6: 00 00 add %al,(%rax) + 5b8: 06 (bad) + 5b9: 00 00 add %al,(%rax) + 5bb: 00 02 add %al,(%rdx) + ... + 5c5: 00 00 add %al,(%rax) + 5c7: 00 e8 add %ch,%al + 5c9: 3f (bad) + 5ca: 00 00 add %al,(%rax) + 5cc: 00 00 add %al,(%rax) + 5ce: 00 00 add %al,(%rax) + 5d0: 06 (bad) + 5d1: 00 00 add %al,(%rax) + 5d3: 00 04 00 add %al,(%rax,%rax,1) + ... + 5de: 00 00 add %al,(%rax) + 5e0: f0 3f lock (bad) + 5e2: 00 00 add %al,(%rax) + 5e4: 00 00 add %al,(%rax) + 5e6: 00 00 add %al,(%rax) + 5e8: 06 (bad) + 5e9: 00 00 add %al,(%rax) + 5eb: 00 05 00 00 00 00 add %al,0x0(%rip) # 5f1 <__abi_tag+0x265> + 5f1: 00 00 add %al,(%rax) + 5f3: 00 00 add %al,(%rax) + 5f5: 00 00 add %al,(%rax) + 5f7: 00 f8 add %bh,%al + 5f9: 3f (bad) + 5fa: 00 00 add %al,(%rax) + 5fc: 00 00 add %al,(%rax) + 5fe: 00 00 add %al,(%rax) + 600: 06 (bad) + 601: 00 00 add %al,(%rax) + 603: 00 06 add %al,(%rsi) + ... + +Disassembly of section .rela.plt: + +0000000000000610 <.rela.plt>: + 610: d0 3f sarb (%rdi) + 612: 00 00 add %al,(%rax) + 614: 00 00 add %al,(%rax) + 616: 00 00 add %al,(%rax) + 618: 07 (bad) + 619: 00 00 add %al,(%rax) + 61b: 00 03 add %al,(%rbx) + ... 
+ +Disassembly of section .init: + +0000000000001000 <_init>: + 1000: f3 0f 1e fa endbr64 + 1004: 48 83 ec 08 sub $0x8,%rsp + 1008: 48 8b 05 d9 2f 00 00 mov 0x2fd9(%rip),%rax # 3fe8 <__gmon_start__@Base> + 100f: 48 85 c0 test %rax,%rax + 1012: 74 02 je 1016 <_init+0x16> + 1014: ff d0 call *%rax + 1016: 48 83 c4 08 add $0x8,%rsp + 101a: c3 ret + +Disassembly of section .plt: + +0000000000001020 <.plt>: + 1020: ff 35 9a 2f 00 00 push 0x2f9a(%rip) # 3fc0 <_GLOBAL_OFFSET_TABLE_+0x8> + 1026: f2 ff 25 9b 2f 00 00 bnd jmp *0x2f9b(%rip) # 3fc8 <_GLOBAL_OFFSET_TABLE_+0x10> + 102d: 0f 1f 00 nopl (%rax) + 1030: f3 0f 1e fa endbr64 + 1034: 68 00 00 00 00 push $0x0 + 1039: f2 e9 e1 ff ff ff bnd jmp 1020 <_init+0x20> + 103f: 90 nop + +Disassembly of section .plt.got: + +0000000000001040 <__cxa_finalize@plt>: + 1040: f3 0f 1e fa endbr64 + 1044: f2 ff 25 ad 2f 00 00 bnd jmp *0x2fad(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5> + 104b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) + +Disassembly of section .plt.sec: + +0000000000001050 : + 1050: f3 0f 1e fa endbr64 + 1054: f2 ff 25 75 2f 00 00 bnd jmp *0x2f75(%rip) # 3fd0 + 105b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) + +Disassembly of section .text: + +0000000000001060 <_start>: + 1060: f3 0f 1e fa endbr64 + 1064: 31 ed xor %ebp,%ebp + 1066: 49 89 d1 mov %rdx,%r9 + 1069: 5e pop %rsi + 106a: 48 89 e2 mov %rsp,%rdx + 106d: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp + 1071: 50 push %rax + 1072: 54 push %rsp + 1073: 45 31 c0 xor %r8d,%r8d + 1076: 31 c9 xor %ecx,%ecx + 1078: 48 8d 3d ca 00 00 00 lea 0xca(%rip),%rdi # 1149
+ 107f: ff 15 53 2f 00 00 call *0x2f53(%rip) # 3fd8 <__libc_start_main@GLIBC_2.34> + 1085: f4 hlt + 1086: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) + 108d: 00 00 00 + +0000000000001090 : + 1090: 48 8d 3d 79 2f 00 00 lea 0x2f79(%rip),%rdi # 4010 <__TMC_END__> + 1097: 48 8d 05 72 2f 00 00 lea 0x2f72(%rip),%rax # 4010 <__TMC_END__> + 109e: 48 39 f8 cmp %rdi,%rax + 10a1: 74 15 je 10b8 + 10a3: 48 8b 05 36 2f 00 00 mov 0x2f36(%rip),%rax # 3fe0 <_ITM_deregisterTMCloneTable@Base> + 10aa: 48 85 c0 test %rax,%rax + 10ad: 74 09 je 10b8 + 10af: ff e0 jmp *%rax + 10b1: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) + 10b8: c3 ret + 10b9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) + +00000000000010c0 : + 10c0: 48 8d 3d 49 2f 00 00 lea 0x2f49(%rip),%rdi # 4010 <__TMC_END__> + 10c7: 48 8d 35 42 2f 00 00 lea 0x2f42(%rip),%rsi # 4010 <__TMC_END__> + 10ce: 48 29 fe sub %rdi,%rsi + 10d1: 48 89 f0 mov %rsi,%rax + 10d4: 48 c1 ee 3f shr $0x3f,%rsi + 10d8: 48 c1 f8 03 sar $0x3,%rax + 10dc: 48 01 c6 add %rax,%rsi + 10df: 48 d1 fe sar %rsi + 10e2: 74 14 je 10f8 + 10e4: 48 8b 05 05 2f 00 00 mov 0x2f05(%rip),%rax # 3ff0 <_ITM_registerTMCloneTable@Base> + 10eb: 48 85 c0 test %rax,%rax + 10ee: 74 08 je 10f8 + 10f0: ff e0 jmp *%rax + 10f2: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) + 10f8: c3 ret + 10f9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) + +0000000000001100 <__do_global_dtors_aux>: + 1100: f3 0f 1e fa endbr64 + 1104: 80 3d 05 2f 00 00 00 cmpb $0x0,0x2f05(%rip) # 4010 <__TMC_END__> + 110b: 75 2b jne 1138 <__do_global_dtors_aux+0x38> + 110d: 55 push %rbp + 110e: 48 83 3d e2 2e 00 00 cmpq $0x0,0x2ee2(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5> + 1115: 00 + 1116: 48 89 e5 mov %rsp,%rbp + 1119: 74 0c je 1127 <__do_global_dtors_aux+0x27> + 111b: 48 8b 3d e6 2e 00 00 mov 0x2ee6(%rip),%rdi # 4008 <__dso_handle> + 1122: e8 19 ff ff ff call 1040 <__cxa_finalize@plt> + 1127: e8 64 ff ff ff call 1090 + 112c: c6 05 dd 2e 00 00 01 movb $0x1,0x2edd(%rip) # 4010 <__TMC_END__> + 1133: 5d pop %rbp + 1134: c3 ret + 1135: 0f 1f 00 
nopl (%rax) + 1138: c3 ret + 1139: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) + +0000000000001140 : + 1140: f3 0f 1e fa endbr64 + 1144: e9 77 ff ff ff jmp 10c0 + +0000000000001149
: + 1149: f3 0f 1e fa endbr64 + 114d: 55 push %rbp + 114e: 48 89 e5 mov %rsp,%rbp + 1151: 48 8d 3d ac 0e 00 00 lea 0xeac(%rip),%rdi # 2004 <_IO_stdin_used+0x4> + 1158: e8 f3 fe ff ff call 1050 + 115d: b8 00 00 00 00 mov $0x0,%eax + 1162: 5d pop %rbp + 1163: c3 ret + +Disassembly of section .fini: + +0000000000001164 <_fini>: + 1164: f3 0f 1e fa endbr64 + 1168: 48 83 ec 08 sub $0x8,%rsp + 116c: 48 83 c4 08 add $0x8,%rsp + 1170: c3 ret + +Disassembly of section .rodata: + +0000000000002000 <_IO_stdin_used>: + 2000: 01 00 add %eax,(%rax) + 2002: 02 00 add (%rax),%al + 2004: 48 rex.W + 2005: 65 6c gs insb (%dx),%es:(%rdi) + 2007: 6c insb (%dx),%es:(%rdi) + 2008: 6f outsl %ds:(%rsi),(%dx) + 2009: 2c 20 sub $0x20,%al + 200b: 57 push %rdi + 200c: 6f outsl %ds:(%rsi),(%dx) + 200d: 72 6c jb 207b <__GNU_EH_FRAME_HDR+0x67> + 200f: 64 21 00 and %eax,%fs:(%rax) + +Disassembly of section .eh_frame_hdr: + +0000000000002014 <__GNU_EH_FRAME_HDR>: + 2014: 01 1b add %ebx,(%rbx) + 2016: 03 3b add (%rbx),%edi + 2018: 30 00 xor %al,(%rax) + 201a: 00 00 add %al,(%rax) + 201c: 05 00 00 00 0c add $0xc000000,%eax + 2021: f0 ff lock (bad) + 2023: ff 64 00 00 jmp *0x0(%rax,%rax,1) + 2027: 00 2c f0 add %ch,(%rax,%rsi,8) + 202a: ff (bad) + 202b: ff 8c 00 00 00 3c f0 decl -0xfc40000(%rax,%rax,1) + 2032: ff (bad) + 2033: ff a4 00 00 00 4c f0 jmp *-0xfb40000(%rax,%rax,1) + 203a: ff (bad) + 203b: ff 4c 00 00 decl 0x0(%rax,%rax,1) + 203f: 00 35 f1 ff ff bc add %dh,-0x4300000f(%rip) # ffffffffbd002036 <_end+0xffffffffbcffe01e> + 2045: 00 00 add %al,(%rax) + ... 
+ +Disassembly of section .eh_frame: + +0000000000002048 <__FRAME_END__-0xa8>: + 2048: 14 00 adc $0x0,%al + 204a: 00 00 add %al,(%rax) + 204c: 00 00 add %al,(%rax) + 204e: 00 00 add %al,(%rax) + 2050: 01 7a 52 add %edi,0x52(%rdx) + 2053: 00 01 add %al,(%rcx) + 2055: 78 10 js 2067 <__GNU_EH_FRAME_HDR+0x53> + 2057: 01 1b add %ebx,(%rbx) + 2059: 0c 07 or $0x7,%al + 205b: 08 90 01 00 00 14 or %dl,0x14000001(%rax) + 2061: 00 00 add %al,(%rax) + 2063: 00 1c 00 add %bl,(%rax,%rax,1) + 2066: 00 00 add %al,(%rax) + 2068: f8 clc + 2069: ef out %eax,(%dx) + 206a: ff (bad) + 206b: ff 26 jmp *(%rsi) + 206d: 00 00 add %al,(%rax) + 206f: 00 00 add %al,(%rax) + 2071: 44 07 rex.R (bad) + 2073: 10 00 adc %al,(%rax) + 2075: 00 00 add %al,(%rax) + 2077: 00 24 00 add %ah,(%rax,%rax,1) + 207a: 00 00 add %al,(%rax) + 207c: 34 00 xor $0x0,%al + 207e: 00 00 add %al,(%rax) + 2080: a0 ef ff ff 20 00 00 movabs 0x20ffffef,%al + 2087: 00 00 + 2089: 0e (bad) + 208a: 10 46 0e adc %al,0xe(%rsi) + 208d: 18 4a 0f sbb %cl,0xf(%rdx) + 2090: 0b 77 08 or 0x8(%rdi),%esi + 2093: 80 00 3f addb $0x3f,(%rax) + 2096: 1a 3a sbb (%rdx),%bh + 2098: 2a 33 sub (%rbx),%dh + 209a: 24 22 and $0x22,%al + 209c: 00 00 add %al,(%rax) + 209e: 00 00 add %al,(%rax) + 20a0: 14 00 adc $0x0,%al + 20a2: 00 00 add %al,(%rax) + 20a4: 5c pop %rsp + 20a5: 00 00 add %al,(%rax) + 20a7: 00 98 ef ff ff 10 add %bl,0x10ffffef(%rax) + ... + 20b5: 00 00 add %al,(%rax) + 20b7: 00 14 00 add %dl,(%rax,%rax,1) + 20ba: 00 00 add %al,(%rax) + 20bc: 74 00 je 20be <__GNU_EH_FRAME_HDR+0xaa> + 20be: 00 00 add %al,(%rax) + 20c0: 90 nop + 20c1: ef out %eax,(%dx) + 20c2: ff (bad) + 20c3: ff 10 call *(%rax) + ... 
+ 20cd: 00 00 add %al,(%rax) + 20cf: 00 1c 00 add %bl,(%rax,%rax,1) + 20d2: 00 00 add %al,(%rax) + 20d4: 8c 00 mov %es,(%rax) + 20d6: 00 00 add %al,(%rax) + 20d8: 71 f0 jno 20ca <__GNU_EH_FRAME_HDR+0xb6> + 20da: ff (bad) + 20db: ff 1b lcall *(%rbx) + 20dd: 00 00 add %al,(%rax) + 20df: 00 00 add %al,(%rax) + 20e1: 45 0e rex.RB (bad) + 20e3: 10 86 02 43 0d 06 adc %al,0x60d4302(%rsi) + 20e9: 52 push %rdx + 20ea: 0c 07 or $0x7,%al + 20ec: 08 00 or %al,(%rax) + ... + +00000000000020f0 <__FRAME_END__>: + 20f0: 00 00 add %al,(%rax) + ... + +Disassembly of section .init_array: + +0000000000003db8 <__frame_dummy_init_array_entry>: + 3db8: 40 11 00 rex adc %eax,(%rax) + 3dbb: 00 00 add %al,(%rax) + 3dbd: 00 00 add %al,(%rax) + ... + +Disassembly of section .fini_array: + +0000000000003dc0 <__do_global_dtors_aux_fini_array_entry>: + 3dc0: 00 11 add %dl,(%rcx) + 3dc2: 00 00 add %al,(%rax) + 3dc4: 00 00 add %al,(%rax) + ... + +Disassembly of section .dynamic: + +0000000000003dc8 <_DYNAMIC>: + 3dc8: 01 00 add %eax,(%rax) + 3dca: 00 00 add %al,(%rax) + 3dcc: 00 00 add %al,(%rax) + 3dce: 00 00 add %al,(%rax) + 3dd0: 27 (bad) + 3dd1: 00 00 add %al,(%rax) + 3dd3: 00 00 add %al,(%rax) + 3dd5: 00 00 add %al,(%rax) + 3dd7: 00 0c 00 add %cl,(%rax,%rax,1) + 3dda: 00 00 add %al,(%rax) + 3ddc: 00 00 add %al,(%rax) + 3dde: 00 00 add %al,(%rax) + 3de0: 00 10 add %dl,(%rax) + 3de2: 00 00 add %al,(%rax) + 3de4: 00 00 add %al,(%rax) + 3de6: 00 00 add %al,(%rax) + 3de8: 0d 00 00 00 00 or $0x0,%eax + 3ded: 00 00 add %al,(%rax) + 3def: 00 64 11 00 add %ah,0x0(%rcx,%rdx,1) + 3df3: 00 00 add %al,(%rax) + 3df5: 00 00 add %al,(%rax) + 3df7: 00 19 add %bl,(%rcx) + 3df9: 00 00 add %al,(%rax) + 3dfb: 00 00 add %al,(%rax) + 3dfd: 00 00 add %al,(%rax) + 3dff: 00 b8 3d 00 00 00 add %bh,0x3d(%rax) + 3e05: 00 00 add %al,(%rax) + 3e07: 00 1b add %bl,(%rbx) + 3e09: 00 00 add %al,(%rax) + 3e0b: 00 00 add %al,(%rax) + 3e0d: 00 00 add %al,(%rax) + 3e0f: 00 08 add %cl,(%rax) + 3e11: 00 00 add %al,(%rax) + 3e13: 00 
00 add %al,(%rax) + 3e15: 00 00 add %al,(%rax) + 3e17: 00 1a add %bl,(%rdx) + 3e19: 00 00 add %al,(%rax) + 3e1b: 00 00 add %al,(%rax) + 3e1d: 00 00 add %al,(%rax) + 3e1f: 00 c0 add %al,%al + 3e21: 3d 00 00 00 00 cmp $0x0,%eax + 3e26: 00 00 add %al,(%rax) + 3e28: 1c 00 sbb $0x0,%al + 3e2a: 00 00 add %al,(%rax) + 3e2c: 00 00 add %al,(%rax) + 3e2e: 00 00 add %al,(%rax) + 3e30: 08 00 or %al,(%rax) + 3e32: 00 00 add %al,(%rax) + 3e34: 00 00 add %al,(%rax) + 3e36: 00 00 add %al,(%rax) + 3e38: f5 cmc + 3e39: fe (bad) + 3e3a: ff 6f 00 ljmp *0x0(%rdi) + 3e3d: 00 00 add %al,(%rax) + 3e3f: 00 b0 03 00 00 00 add %dh,0x3(%rax) + 3e45: 00 00 add %al,(%rax) + 3e47: 00 05 00 00 00 00 add %al,0x0(%rip) # 3e4d <_DYNAMIC+0x85> + 3e4d: 00 00 add %al,(%rax) + 3e4f: 00 80 04 00 00 00 add %al,0x4(%rax) + 3e55: 00 00 add %al,(%rax) + 3e57: 00 06 add %al,(%rsi) + 3e59: 00 00 add %al,(%rax) + 3e5b: 00 00 add %al,(%rax) + 3e5d: 00 00 add %al,(%rax) + 3e5f: 00 d8 add %bl,%al + 3e61: 03 00 add (%rax),%eax + 3e63: 00 00 add %al,(%rax) + 3e65: 00 00 add %al,(%rax) + 3e67: 00 0a add %cl,(%rdx) + 3e69: 00 00 add %al,(%rax) + 3e6b: 00 00 add %al,(%rax) + 3e6d: 00 00 add %al,(%rax) + 3e6f: 00 8d 00 00 00 00 add %cl,0x0(%rbp) + 3e75: 00 00 add %al,(%rax) + 3e77: 00 0b add %cl,(%rbx) + 3e79: 00 00 add %al,(%rax) + 3e7b: 00 00 add %al,(%rax) + 3e7d: 00 00 add %al,(%rax) + 3e7f: 00 18 add %bl,(%rax) + 3e81: 00 00 add %al,(%rax) + 3e83: 00 00 add %al,(%rax) + 3e85: 00 00 add %al,(%rax) + 3e87: 00 15 00 00 00 00 add %dl,0x0(%rip) # 3e8d <_DYNAMIC+0xc5> + ... 
+ 3e95: 00 00 add %al,(%rax) + 3e97: 00 03 add %al,(%rbx) + 3e99: 00 00 add %al,(%rax) + 3e9b: 00 00 add %al,(%rax) + 3e9d: 00 00 add %al,(%rax) + 3e9f: 00 b8 3f 00 00 00 add %bh,0x3f(%rax) + 3ea5: 00 00 add %al,(%rax) + 3ea7: 00 02 add %al,(%rdx) + 3ea9: 00 00 add %al,(%rax) + 3eab: 00 00 add %al,(%rax) + 3ead: 00 00 add %al,(%rax) + 3eaf: 00 18 add %bl,(%rax) + 3eb1: 00 00 add %al,(%rax) + 3eb3: 00 00 add %al,(%rax) + 3eb5: 00 00 add %al,(%rax) + 3eb7: 00 14 00 add %dl,(%rax,%rax,1) + 3eba: 00 00 add %al,(%rax) + 3ebc: 00 00 add %al,(%rax) + 3ebe: 00 00 add %al,(%rax) + 3ec0: 07 (bad) + 3ec1: 00 00 add %al,(%rax) + 3ec3: 00 00 add %al,(%rax) + 3ec5: 00 00 add %al,(%rax) + 3ec7: 00 17 add %dl,(%rdi) + 3ec9: 00 00 add %al,(%rax) + 3ecb: 00 00 add %al,(%rax) + 3ecd: 00 00 add %al,(%rax) + 3ecf: 00 10 add %dl,(%rax) + 3ed1: 06 (bad) + 3ed2: 00 00 add %al,(%rax) + 3ed4: 00 00 add %al,(%rax) + 3ed6: 00 00 add %al,(%rax) + 3ed8: 07 (bad) + 3ed9: 00 00 add %al,(%rax) + 3edb: 00 00 add %al,(%rax) + 3edd: 00 00 add %al,(%rax) + 3edf: 00 50 05 add %dl,0x5(%rax) + 3ee2: 00 00 add %al,(%rax) + 3ee4: 00 00 add %al,(%rax) + 3ee6: 00 00 add %al,(%rax) + 3ee8: 08 00 or %al,(%rax) + 3eea: 00 00 add %al,(%rax) + 3eec: 00 00 add %al,(%rax) + 3eee: 00 00 add %al,(%rax) + 3ef0: c0 00 00 rolb $0x0,(%rax) + 3ef3: 00 00 add %al,(%rax) + 3ef5: 00 00 add %al,(%rax) + 3ef7: 00 09 add %cl,(%rcx) + 3ef9: 00 00 add %al,(%rax) + 3efb: 00 00 add %al,(%rax) + 3efd: 00 00 add %al,(%rax) + 3eff: 00 18 add %bl,(%rax) + 3f01: 00 00 add %al,(%rax) + 3f03: 00 00 add %al,(%rax) + 3f05: 00 00 add %al,(%rax) + 3f07: 00 1e add %bl,(%rsi) + 3f09: 00 00 add %al,(%rax) + 3f0b: 00 00 add %al,(%rax) + 3f0d: 00 00 add %al,(%rax) + 3f0f: 00 08 add %cl,(%rax) + 3f11: 00 00 add %al,(%rax) + 3f13: 00 00 add %al,(%rax) + 3f15: 00 00 add %al,(%rax) + 3f17: 00 fb add %bh,%bl + 3f19: ff (bad) + 3f1a: ff 6f 00 ljmp *0x0(%rdi) + 3f1d: 00 00 add %al,(%rax) + 3f1f: 00 01 add %al,(%rcx) + 3f21: 00 00 add %al,(%rax) + 3f23: 
08 00 or %al,(%rax) + 3f25: 00 00 add %al,(%rax) + 3f27: 00 fe add %bh,%dh + 3f29: ff (bad) + 3f2a: ff 6f 00 ljmp *0x0(%rdi) + 3f2d: 00 00 add %al,(%rax) + 3f2f: 00 20 add %ah,(%rax) + 3f31: 05 00 00 00 00 add $0x0,%eax + 3f36: 00 00 add %al,(%rax) + 3f38: ff (bad) + 3f39: ff (bad) + 3f3a: ff 6f 00 ljmp *0x0(%rdi) + 3f3d: 00 00 add %al,(%rax) + 3f3f: 00 01 add %al,(%rcx) + 3f41: 00 00 add %al,(%rax) + 3f43: 00 00 add %al,(%rax) + 3f45: 00 00 add %al,(%rax) + 3f47: 00 f0 add %dh,%al + 3f49: ff (bad) + 3f4a: ff 6f 00 ljmp *0x0(%rdi) + 3f4d: 00 00 add %al,(%rax) + 3f4f: 00 0e add %cl,(%rsi) + 3f51: 05 00 00 00 00 add $0x0,%eax + 3f56: 00 00 add %al,(%rax) + 3f58: f9 stc + 3f59: ff (bad) + 3f5a: ff 6f 00 ljmp *0x0(%rdi) + 3f5d: 00 00 add %al,(%rax) + 3f5f: 00 03 add %al,(%rbx) + ... + +Disassembly of section .got: + +0000000000003fb8 <_GLOBAL_OFFSET_TABLE_>: + 3fb8: c8 3d 00 00 enter $0x3d,$0x0 + ... + 3fd0: 30 10 xor %dl,(%rax) + ... + +Disassembly of section .data: + +0000000000004000 <__data_start>: + ... + +0000000000004008 <__dso_handle>: + 4008: 08 40 00 or %al,0x0(%rax) + 400b: 00 00 add %al,(%rax) + 400d: 00 00 add %al,(%rax) + ... + +Disassembly of section .bss: + +0000000000004010 : + ... + +Disassembly of section .comment: + +0000000000000000 <.comment>: + 0: 47 rex.RXB + 1: 43 rex.XB + 2: 43 3a 20 rex.XB cmp (%r8),%spl + 5: 28 55 62 sub %dl,0x62(%rbp) + 8: 75 6e jne 78 <__abi_tag-0x314> + a: 74 75 je 81 <__abi_tag-0x30b> + c: 20 31 and %dh,(%rcx) + e: 30 2e xor %ch,(%rsi) + 10: 35 2e 30 2d 31 xor $0x312d302e,%eax + 15: 75 62 jne 79 <__abi_tag-0x313> + 17: 75 6e jne 87 <__abi_tag-0x305> + 19: 74 75 je 90 <__abi_tag-0x2fc> + 1b: 31 7e 32 xor %edi,0x32(%rsi) + 1e: 32 2e xor (%rsi),%ch + 20: 30 34 29 xor %dh,(%rcx,%rbp,1) + 23: 20 31 and %dh,(%rcx) + 25: 30 2e xor %ch,(%rsi) + 27: 35 .byte 0x35 + 28: 2e 30 00 cs xor %al,(%rax) diff --git a/sample.txt b/sample.txt new file mode 100644 index 0000000..e8f30c0 --- /dev/null +++ b/sample.txt 
@@ -0,0 +1,825 @@ + +resources/sample64: file format elf64-x86-64 + + +Disassembly of section .interp: + +0000000000000318 <.interp>: + 318: 2f (bad) + 319: 6c insb (%dx),%es:(%rdi) + 31a: 69 62 36 34 2f 6c 64 imul $0x646c2f34,0x36(%rdx),%esp + 321: 2d 6c 69 6e 75 sub $0x756e696c,%eax + 326: 78 2d js 355 <__abi_tag-0x37> + 328: 78 38 js 362 <__abi_tag-0x2a> + 32a: 36 2d 36 34 2e 73 ss sub $0x732e3436,%eax + 330: 6f outsl %ds:(%rsi),(%dx) + 331: 2e 32 00 cs xor (%rax),%al + +Disassembly of section .note.gnu.property: + +0000000000000338 <.note.gnu.property>: + 338: 04 00 add $0x0,%al + 33a: 00 00 add %al,(%rax) + 33c: 20 00 and %al,(%rax) + 33e: 00 00 add %al,(%rax) + 340: 05 00 00 00 47 add $0x47000000,%eax + 345: 4e 55 rex.WRX push %rbp + 347: 00 02 add %al,(%rdx) + 349: 00 00 add %al,(%rax) + 34b: c0 04 00 00 rolb $0x0,(%rax,%rax,1) + 34f: 00 03 add %al,(%rbx) + 351: 00 00 add %al,(%rax) + 353: 00 00 add %al,(%rax) + 355: 00 00 add %al,(%rax) + 357: 00 02 add %al,(%rdx) + 359: 80 00 c0 addb $0xc0,(%rax) + 35c: 04 00 add $0x0,%al + 35e: 00 00 add %al,(%rax) + 360: 01 00 add %eax,(%rax) + 362: 00 00 add %al,(%rax) + 364: 00 00 add %al,(%rax) + ... 
+ +Disassembly of section .note.gnu.build-id: + +0000000000000368 <.note.gnu.build-id>: + 368: 04 00 add $0x0,%al + 36a: 00 00 add %al,(%rax) + 36c: 14 00 adc $0x0,%al + 36e: 00 00 add %al,(%rax) + 370: 03 00 add (%rax),%eax + 372: 00 00 add %al,(%rax) + 374: 47 rex.RXB + 375: 4e 55 rex.WRX push %rbp + 377: 00 aa 0d f4 0f 29 add %ch,0x290ff40d(%rdx) + 37d: 9d popf + 37e: 21 c9 and %ecx,%ecx + 380: 16 (bad) + 381: 1e (bad) + 382: 8a 34 ce mov (%rsi,%rcx,8),%dh + 385: 99 cltd + 386: 69 cc 15 8d 7d 01 imul $0x17d8d15,%esp,%ecx + +Disassembly of section .note.ABI-tag: + +000000000000038c <__abi_tag>: + 38c: 04 00 add $0x0,%al + 38e: 00 00 add %al,(%rax) + 390: 10 00 adc %al,(%rax) + 392: 00 00 add %al,(%rax) + 394: 01 00 add %eax,(%rax) + 396: 00 00 add %al,(%rax) + 398: 47 rex.RXB + 399: 4e 55 rex.WRX push %rbp + 39b: 00 00 add %al,(%rax) + 39d: 00 00 add %al,(%rax) + 39f: 00 03 add %al,(%rbx) + 3a1: 00 00 add %al,(%rax) + 3a3: 00 02 add %al,(%rdx) + 3a5: 00 00 add %al,(%rax) + 3a7: 00 00 add %al,(%rax) + 3a9: 00 00 add %al,(%rax) + ... + +Disassembly of section .gnu.hash: + +00000000000003b0 <.gnu.hash>: + 3b0: 02 00 add (%rax),%al + 3b2: 00 00 add %al,(%rax) + 3b4: 06 (bad) + 3b5: 00 00 add %al,(%rax) + 3b7: 00 01 add %al,(%rcx) + 3b9: 00 00 add %al,(%rax) + 3bb: 00 06 add %al,(%rsi) + 3bd: 00 00 add %al,(%rax) + 3bf: 00 00 add %al,(%rax) + 3c1: 00 81 00 00 00 00 add %al,0x0(%rcx) + 3c7: 00 06 add %al,(%rsi) + 3c9: 00 00 add %al,(%rax) + 3cb: 00 00 add %al,(%rax) + 3cd: 00 00 add %al,(%rax) + 3cf: 00 d1 add %dl,%cl + 3d1: 65 ce gs (bad) + 3d3: 6d insl (%dx),%es:(%rdi) + +Disassembly of section .dynsym: + +00000000000003d8 <.dynsym>: + ... + 3f0: 10 00 adc %al,(%rax) + 3f2: 00 00 add %al,(%rax) + 3f4: 12 00 adc (%rax),%al + ... + 406: 00 00 add %al,(%rax) + 408: 48 00 00 rex.W add %al,(%rax) + 40b: 00 20 add %ah,(%rax) + ... + 41d: 00 00 add %al,(%rax) + 41f: 00 22 add %ah,(%rdx) + 421: 00 00 add %al,(%rax) + 423: 00 12 add %dl,(%rdx) + ... 
+ 435: 00 00 add %al,(%rax) + 437: 00 64 00 00 add %ah,0x0(%rax,%rax,1) + 43b: 00 20 add %ah,(%rax) + ... + 44d: 00 00 add %al,(%rax) + 44f: 00 73 00 add %dh,0x0(%rbx) + 452: 00 00 add %al,(%rax) + 454: 20 00 and %al,(%rax) + ... + 466: 00 00 add %al,(%rax) + 468: 01 00 add %eax,(%rax) + 46a: 00 00 add %al,(%rax) + 46c: 22 00 and (%rax),%al + ... + +Disassembly of section .dynstr: + +0000000000000480 <.dynstr>: + 480: 00 5f 5f add %bl,0x5f(%rdi) + 483: 63 78 61 movsxd 0x61(%rax),%edi + 486: 5f pop %rdi + 487: 66 69 6e 61 6c 69 imul $0x696c,0x61(%rsi),%bp + 48d: 7a 65 jp 4f4 <__abi_tag+0x168> + 48f: 00 5f 5f add %bl,0x5f(%rdi) + 492: 6c insb (%dx),%es:(%rdi) + 493: 69 62 63 5f 73 74 61 imul $0x6174735f,0x63(%rdx),%esp + 49a: 72 74 jb 510 <__abi_tag+0x184> + 49c: 5f pop %rdi + 49d: 6d insl (%dx),%es:(%rdi) + 49e: 61 (bad) + 49f: 69 6e 00 70 75 74 73 imul $0x73747570,0x0(%rsi),%ebp + 4a6: 00 6c 69 62 add %ch,0x62(%rcx,%rbp,2) + 4aa: 63 2e movsxd (%rsi),%ebp + 4ac: 73 6f jae 51d <__abi_tag+0x191> + 4ae: 2e 36 00 47 4c cs ss add %al,0x4c(%rdi) + 4b3: 49 rex.WB + 4b4: 42 rex.X + 4b5: 43 5f rex.XB pop %r15 + 4b7: 32 2e xor (%rsi),%ch + 4b9: 32 2e xor (%rsi),%ch + 4bb: 35 00 47 4c 49 xor $0x494c4700,%eax + 4c0: 42 rex.X + 4c1: 43 5f rex.XB pop %r15 + 4c3: 32 2e xor (%rsi),%ch + 4c5: 33 34 00 xor (%rax,%rax,1),%esi + 4c8: 5f pop %rdi + 4c9: 49 54 rex.WB push %r12 + 4cb: 4d 5f rex.WRB pop %r15 + 4cd: 64 65 72 65 fs gs jb 536 <__abi_tag+0x1aa> + 4d1: 67 69 73 74 65 72 54 imul $0x4d547265,0x74(%ebx),%esi + 4d8: 4d + 4d9: 43 6c rex.XB insb (%dx),%es:(%rdi) + 4db: 6f outsl %ds:(%rsi),(%dx) + 4dc: 6e outsb %ds:(%rsi),(%dx) + 4dd: 65 54 gs push %rsp + 4df: 61 (bad) + 4e0: 62 (bad) + 4e1: 6c insb (%dx),%es:(%rdi) + 4e2: 65 00 5f 5f add %bl,%gs:0x5f(%rdi) + 4e6: 67 6d insl (%dx),%es:(%edi) + 4e8: 6f outsl %ds:(%rsi),(%dx) + 4e9: 6e outsb %ds:(%rsi),(%dx) + 4ea: 5f pop %rdi + 4eb: 73 74 jae 561 <__abi_tag+0x1d5> + 4ed: 61 (bad) + 4ee: 72 74 jb 564 <__abi_tag+0x1d8> + 4f0: 5f pop %rdi 
+ 4f1: 5f pop %rdi + 4f2: 00 5f 49 add %bl,0x49(%rdi) + 4f5: 54 push %rsp + 4f6: 4d 5f rex.WRB pop %r15 + 4f8: 72 65 jb 55f <__abi_tag+0x1d3> + 4fa: 67 69 73 74 65 72 54 imul $0x4d547265,0x74(%ebx),%esi + 501: 4d + 502: 43 6c rex.XB insb (%dx),%es:(%rdi) + 504: 6f outsl %ds:(%rsi),(%dx) + 505: 6e outsb %ds:(%rsi),(%dx) + 506: 65 54 gs push %rsp + 508: 61 (bad) + 509: 62 .byte 0x62 + 50a: 6c insb (%dx),%es:(%rdi) + 50b: 65 gs + ... + +Disassembly of section .gnu.version: + +000000000000050e <.gnu.version>: + 50e: 00 00 add %al,(%rax) + 510: 02 00 add (%rax),%al + 512: 01 00 add %eax,(%rax) + 514: 03 00 add (%rax),%eax + 516: 01 00 add %eax,(%rax) + 518: 01 00 add %eax,(%rax) + 51a: 03 00 add (%rax),%eax + +Disassembly of section .gnu.version_r: + +0000000000000520 <.gnu.version_r>: + 520: 01 00 add %eax,(%rax) + 522: 02 00 add (%rax),%al + 524: 27 (bad) + 525: 00 00 add %al,(%rax) + 527: 00 10 add %dl,(%rax) + 529: 00 00 add %al,(%rax) + 52b: 00 00 add %al,(%rax) + 52d: 00 00 add %al,(%rax) + 52f: 00 75 1a add %dh,0x1a(%rbp) + 532: 69 09 00 00 03 00 imul $0x30000,(%rcx),%ecx + 538: 31 00 xor %eax,(%rax) + 53a: 00 00 add %al,(%rax) + 53c: 10 00 adc %al,(%rax) + 53e: 00 00 add %al,(%rax) + 540: b4 91 mov $0x91,%ah + 542: 96 xchg %eax,%esi + 543: 06 (bad) + 544: 00 00 add %al,(%rax) + 546: 02 00 add (%rax),%al + 548: 3d 00 00 00 00 cmp $0x0,%eax + 54d: 00 00 add %al,(%rax) + ... + +Disassembly of section .rela.dyn: + +0000000000000550 <.rela.dyn>: + 550: b8 3d 00 00 00 mov $0x3d,%eax + 555: 00 00 add %al,(%rax) + 557: 00 08 add %cl,(%rax) + 559: 00 00 add %al,(%rax) + 55b: 00 00 add %al,(%rax) + 55d: 00 00 add %al,(%rax) + 55f: 00 40 11 add %al,0x11(%rax) + 562: 00 00 add %al,(%rax) + 564: 00 00 add %al,(%rax) + 566: 00 00 add %al,(%rax) + 568: c0 3d 00 00 00 00 00 sarb $0x0,0x0(%rip) # 56f <__abi_tag+0x1e3> + 56f: 00 08 add %cl,(%rax) + ... 
+ 579: 11 00 adc %eax,(%rax) + 57b: 00 00 add %al,(%rax) + 57d: 00 00 add %al,(%rax) + 57f: 00 08 add %cl,(%rax) + 581: 40 00 00 rex add %al,(%rax) + 584: 00 00 add %al,(%rax) + 586: 00 00 add %al,(%rax) + 588: 08 00 or %al,(%rax) + 58a: 00 00 add %al,(%rax) + 58c: 00 00 add %al,(%rax) + 58e: 00 00 add %al,(%rax) + 590: 08 40 00 or %al,0x0(%rax) + 593: 00 00 add %al,(%rax) + 595: 00 00 add %al,(%rax) + 597: 00 d8 add %bl,%al + 599: 3f (bad) + 59a: 00 00 add %al,(%rax) + 59c: 00 00 add %al,(%rax) + 59e: 00 00 add %al,(%rax) + 5a0: 06 (bad) + 5a1: 00 00 add %al,(%rax) + 5a3: 00 01 add %al,(%rcx) + ... + 5ad: 00 00 add %al,(%rax) + 5af: 00 e0 add %ah,%al + 5b1: 3f (bad) + 5b2: 00 00 add %al,(%rax) + 5b4: 00 00 add %al,(%rax) + 5b6: 00 00 add %al,(%rax) + 5b8: 06 (bad) + 5b9: 00 00 add %al,(%rax) + 5bb: 00 02 add %al,(%rdx) + ... + 5c5: 00 00 add %al,(%rax) + 5c7: 00 e8 add %ch,%al + 5c9: 3f (bad) + 5ca: 00 00 add %al,(%rax) + 5cc: 00 00 add %al,(%rax) + 5ce: 00 00 add %al,(%rax) + 5d0: 06 (bad) + 5d1: 00 00 add %al,(%rax) + 5d3: 00 04 00 add %al,(%rax,%rax,1) + ... + 5de: 00 00 add %al,(%rax) + 5e0: f0 3f lock (bad) + 5e2: 00 00 add %al,(%rax) + 5e4: 00 00 add %al,(%rax) + 5e6: 00 00 add %al,(%rax) + 5e8: 06 (bad) + 5e9: 00 00 add %al,(%rax) + 5eb: 00 05 00 00 00 00 add %al,0x0(%rip) # 5f1 <__abi_tag+0x265> + 5f1: 00 00 add %al,(%rax) + 5f3: 00 00 add %al,(%rax) + 5f5: 00 00 add %al,(%rax) + 5f7: 00 f8 add %bh,%al + 5f9: 3f (bad) + 5fa: 00 00 add %al,(%rax) + 5fc: 00 00 add %al,(%rax) + 5fe: 00 00 add %al,(%rax) + 600: 06 (bad) + 601: 00 00 add %al,(%rax) + 603: 00 06 add %al,(%rsi) + ... + +Disassembly of section .rela.plt: + +0000000000000610 <.rela.plt>: + 610: d0 3f sarb (%rdi) + 612: 00 00 add %al,(%rax) + 614: 00 00 add %al,(%rax) + 616: 00 00 add %al,(%rax) + 618: 07 (bad) + 619: 00 00 add %al,(%rax) + 61b: 00 03 add %al,(%rbx) + ... 
+ +Disassembly of section .init: + +0000000000001000 <_init>: + 1000: f3 0f 1e fa endbr64 + 1004: 48 83 ec 08 sub $0x8,%rsp + 1008: 48 8b 05 d9 2f 00 00 mov 0x2fd9(%rip),%rax # 3fe8 <__gmon_start__@Base> + 100f: 48 85 c0 test %rax,%rax + 1012: 74 02 je 1016 <_init+0x16> + 1014: ff d0 call *%rax + 1016: 48 83 c4 08 add $0x8,%rsp + 101a: c3 ret + +Disassembly of section .plt: + +0000000000001020 <.plt>: + 1020: ff 35 9a 2f 00 00 push 0x2f9a(%rip) # 3fc0 <_GLOBAL_OFFSET_TABLE_+0x8> + 1026: f2 ff 25 9b 2f 00 00 bnd jmp *0x2f9b(%rip) # 3fc8 <_GLOBAL_OFFSET_TABLE_+0x10> + 102d: 0f 1f 00 nopl (%rax) + 1030: f3 0f 1e fa endbr64 + 1034: 68 00 00 00 00 push $0x0 + 1039: f2 e9 e1 ff ff ff bnd jmp 1020 <_init+0x20> + 103f: 90 nop + +Disassembly of section .plt.got: + +0000000000001040 <__cxa_finalize@plt>: + 1040: f3 0f 1e fa endbr64 + 1044: f2 ff 25 ad 2f 00 00 bnd jmp *0x2fad(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5> + 104b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) + +Disassembly of section .plt.sec: + +0000000000001050 : + 1050: f3 0f 1e fa endbr64 + 1054: f2 ff 25 75 2f 00 00 bnd jmp *0x2f75(%rip) # 3fd0 + 105b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) + +Disassembly of section .text: + +0000000000001060 <_start>: + 1060: f3 0f 1e fa endbr64 + 1064: 31 ed xor %ebp,%ebp + 1066: 49 89 d1 mov %rdx,%r9 + 1069: 5e pop %rsi + 106a: 48 89 e2 mov %rsp,%rdx + 106d: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp + 1071: 50 push %rax + 1072: 54 push %rsp + 1073: 45 31 c0 xor %r8d,%r8d + 1076: 31 c9 xor %ecx,%ecx + 1078: 48 8d 3d ca 00 00 00 lea 0xca(%rip),%rdi # 1149
+ 107f: ff 15 53 2f 00 00 call *0x2f53(%rip) # 3fd8 <__libc_start_main@GLIBC_2.34> + 1085: f4 hlt + 1086: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) + 108d: 00 00 00 + +0000000000001090 : + 1090: 48 8d 3d 79 2f 00 00 lea 0x2f79(%rip),%rdi # 4010 <__TMC_END__> + 1097: 48 8d 05 72 2f 00 00 lea 0x2f72(%rip),%rax # 4010 <__TMC_END__> + 109e: 48 39 f8 cmp %rdi,%rax + 10a1: 74 15 je 10b8 + 10a3: 48 8b 05 36 2f 00 00 mov 0x2f36(%rip),%rax # 3fe0 <_ITM_deregisterTMCloneTable@Base> + 10aa: 48 85 c0 test %rax,%rax + 10ad: 74 09 je 10b8 + 10af: ff e0 jmp *%rax + 10b1: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) + 10b8: c3 ret + 10b9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) + +00000000000010c0 : + 10c0: 48 8d 3d 49 2f 00 00 lea 0x2f49(%rip),%rdi # 4010 <__TMC_END__> + 10c7: 48 8d 35 42 2f 00 00 lea 0x2f42(%rip),%rsi # 4010 <__TMC_END__> + 10ce: 48 29 fe sub %rdi,%rsi + 10d1: 48 89 f0 mov %rsi,%rax + 10d4: 48 c1 ee 3f shr $0x3f,%rsi + 10d8: 48 c1 f8 03 sar $0x3,%rax + 10dc: 48 01 c6 add %rax,%rsi + 10df: 48 d1 fe sar %rsi + 10e2: 74 14 je 10f8 + 10e4: 48 8b 05 05 2f 00 00 mov 0x2f05(%rip),%rax # 3ff0 <_ITM_registerTMCloneTable@Base> + 10eb: 48 85 c0 test %rax,%rax + 10ee: 74 08 je 10f8 + 10f0: ff e0 jmp *%rax + 10f2: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) + 10f8: c3 ret + 10f9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) + +0000000000001100 <__do_global_dtors_aux>: + 1100: f3 0f 1e fa endbr64 + 1104: 80 3d 05 2f 00 00 00 cmpb $0x0,0x2f05(%rip) # 4010 <__TMC_END__> + 110b: 75 2b jne 1138 <__do_global_dtors_aux+0x38> + 110d: 55 push %rbp + 110e: 48 83 3d e2 2e 00 00 cmpq $0x0,0x2ee2(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5> + 1115: 00 + 1116: 48 89 e5 mov %rsp,%rbp + 1119: 74 0c je 1127 <__do_global_dtors_aux+0x27> + 111b: 48 8b 3d e6 2e 00 00 mov 0x2ee6(%rip),%rdi # 4008 <__dso_handle> + 1122: e8 19 ff ff ff call 1040 <__cxa_finalize@plt> + 1127: e8 64 ff ff ff call 1090 + 112c: c6 05 dd 2e 00 00 01 movb $0x1,0x2edd(%rip) # 4010 <__TMC_END__> + 1133: 5d pop %rbp + 1134: c3 ret + 1135: 0f 1f 00 
nopl (%rax) + 1138: c3 ret + 1139: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) + +0000000000001140 : + 1140: f3 0f 1e fa endbr64 + 1144: e9 77 ff ff ff jmp 10c0 + +0000000000001149
: + 1149: f3 0f 1e fa endbr64 + 114d: 55 push %rbp + 114e: 48 89 e5 mov %rsp,%rbp + 1151: 48 8d 3d ac 0e 00 00 lea 0xeac(%rip),%rdi # 2004 <_IO_stdin_used+0x4> + 1158: e8 f3 fe ff ff call 1050 + 115d: b8 00 00 00 00 mov $0x0,%eax + 1162: 5d pop %rbp + 1163: c3 ret + +Disassembly of section .fini: + +0000000000001164 <_fini>: + 1164: f3 0f 1e fa endbr64 + 1168: 48 83 ec 08 sub $0x8,%rsp + 116c: 48 83 c4 08 add $0x8,%rsp + 1170: c3 ret + +Disassembly of section .rodata: + +0000000000002000 <_IO_stdin_used>: + 2000: 01 00 add %eax,(%rax) + 2002: 02 00 add (%rax),%al + 2004: 48 rex.W + 2005: 65 6c gs insb (%dx),%es:(%rdi) + 2007: 6c insb (%dx),%es:(%rdi) + 2008: 6f outsl %ds:(%rsi),(%dx) + 2009: 2c 20 sub $0x20,%al + 200b: 57 push %rdi + 200c: 6f outsl %ds:(%rsi),(%dx) + 200d: 72 6c jb 207b <__GNU_EH_FRAME_HDR+0x67> + 200f: 64 21 00 and %eax,%fs:(%rax) + +Disassembly of section .eh_frame_hdr: + +0000000000002014 <__GNU_EH_FRAME_HDR>: + 2014: 01 1b add %ebx,(%rbx) + 2016: 03 3b add (%rbx),%edi + 2018: 30 00 xor %al,(%rax) + 201a: 00 00 add %al,(%rax) + 201c: 05 00 00 00 0c add $0xc000000,%eax + 2021: f0 ff lock (bad) + 2023: ff 64 00 00 jmp *0x0(%rax,%rax,1) + 2027: 00 2c f0 add %ch,(%rax,%rsi,8) + 202a: ff (bad) + 202b: ff 8c 00 00 00 3c f0 decl -0xfc40000(%rax,%rax,1) + 2032: ff (bad) + 2033: ff a4 00 00 00 4c f0 jmp *-0xfb40000(%rax,%rax,1) + 203a: ff (bad) + 203b: ff 4c 00 00 decl 0x0(%rax,%rax,1) + 203f: 00 35 f1 ff ff bc add %dh,-0x4300000f(%rip) # ffffffffbd002036 <_end+0xffffffffbcffe01e> + 2045: 00 00 add %al,(%rax) + ... 
+ +Disassembly of section .eh_frame: + +0000000000002048 <__FRAME_END__-0xa8>: + 2048: 14 00 adc $0x0,%al + 204a: 00 00 add %al,(%rax) + 204c: 00 00 add %al,(%rax) + 204e: 00 00 add %al,(%rax) + 2050: 01 7a 52 add %edi,0x52(%rdx) + 2053: 00 01 add %al,(%rcx) + 2055: 78 10 js 2067 <__GNU_EH_FRAME_HDR+0x53> + 2057: 01 1b add %ebx,(%rbx) + 2059: 0c 07 or $0x7,%al + 205b: 08 90 01 00 00 14 or %dl,0x14000001(%rax) + 2061: 00 00 add %al,(%rax) + 2063: 00 1c 00 add %bl,(%rax,%rax,1) + 2066: 00 00 add %al,(%rax) + 2068: f8 clc + 2069: ef out %eax,(%dx) + 206a: ff (bad) + 206b: ff 26 jmp *(%rsi) + 206d: 00 00 add %al,(%rax) + 206f: 00 00 add %al,(%rax) + 2071: 44 07 rex.R (bad) + 2073: 10 00 adc %al,(%rax) + 2075: 00 00 add %al,(%rax) + 2077: 00 24 00 add %ah,(%rax,%rax,1) + 207a: 00 00 add %al,(%rax) + 207c: 34 00 xor $0x0,%al + 207e: 00 00 add %al,(%rax) + 2080: a0 ef ff ff 20 00 00 movabs 0x20ffffef,%al + 2087: 00 00 + 2089: 0e (bad) + 208a: 10 46 0e adc %al,0xe(%rsi) + 208d: 18 4a 0f sbb %cl,0xf(%rdx) + 2090: 0b 77 08 or 0x8(%rdi),%esi + 2093: 80 00 3f addb $0x3f,(%rax) + 2096: 1a 3a sbb (%rdx),%bh + 2098: 2a 33 sub (%rbx),%dh + 209a: 24 22 and $0x22,%al + 209c: 00 00 add %al,(%rax) + 209e: 00 00 add %al,(%rax) + 20a0: 14 00 adc $0x0,%al + 20a2: 00 00 add %al,(%rax) + 20a4: 5c pop %rsp + 20a5: 00 00 add %al,(%rax) + 20a7: 00 98 ef ff ff 10 add %bl,0x10ffffef(%rax) + ... + 20b5: 00 00 add %al,(%rax) + 20b7: 00 14 00 add %dl,(%rax,%rax,1) + 20ba: 00 00 add %al,(%rax) + 20bc: 74 00 je 20be <__GNU_EH_FRAME_HDR+0xaa> + 20be: 00 00 add %al,(%rax) + 20c0: 90 nop + 20c1: ef out %eax,(%dx) + 20c2: ff (bad) + 20c3: ff 10 call *(%rax) + ... 
+ 20cd: 00 00 add %al,(%rax) + 20cf: 00 1c 00 add %bl,(%rax,%rax,1) + 20d2: 00 00 add %al,(%rax) + 20d4: 8c 00 mov %es,(%rax) + 20d6: 00 00 add %al,(%rax) + 20d8: 71 f0 jno 20ca <__GNU_EH_FRAME_HDR+0xb6> + 20da: ff (bad) + 20db: ff 1b lcall *(%rbx) + 20dd: 00 00 add %al,(%rax) + 20df: 00 00 add %al,(%rax) + 20e1: 45 0e rex.RB (bad) + 20e3: 10 86 02 43 0d 06 adc %al,0x60d4302(%rsi) + 20e9: 52 push %rdx + 20ea: 0c 07 or $0x7,%al + 20ec: 08 00 or %al,(%rax) + ... + +00000000000020f0 <__FRAME_END__>: + 20f0: 00 00 add %al,(%rax) + ... + +Disassembly of section .init_array: + +0000000000003db8 <__frame_dummy_init_array_entry>: + 3db8: 40 11 00 rex adc %eax,(%rax) + 3dbb: 00 00 add %al,(%rax) + 3dbd: 00 00 add %al,(%rax) + ... + +Disassembly of section .fini_array: + +0000000000003dc0 <__do_global_dtors_aux_fini_array_entry>: + 3dc0: 00 11 add %dl,(%rcx) + 3dc2: 00 00 add %al,(%rax) + 3dc4: 00 00 add %al,(%rax) + ... + +Disassembly of section .dynamic: + +0000000000003dc8 <_DYNAMIC>: + 3dc8: 01 00 add %eax,(%rax) + 3dca: 00 00 add %al,(%rax) + 3dcc: 00 00 add %al,(%rax) + 3dce: 00 00 add %al,(%rax) + 3dd0: 27 (bad) + 3dd1: 00 00 add %al,(%rax) + 3dd3: 00 00 add %al,(%rax) + 3dd5: 00 00 add %al,(%rax) + 3dd7: 00 0c 00 add %cl,(%rax,%rax,1) + 3dda: 00 00 add %al,(%rax) + 3ddc: 00 00 add %al,(%rax) + 3dde: 00 00 add %al,(%rax) + 3de0: 00 10 add %dl,(%rax) + 3de2: 00 00 add %al,(%rax) + 3de4: 00 00 add %al,(%rax) + 3de6: 00 00 add %al,(%rax) + 3de8: 0d 00 00 00 00 or $0x0,%eax + 3ded: 00 00 add %al,(%rax) + 3def: 00 64 11 00 add %ah,0x0(%rcx,%rdx,1) + 3df3: 00 00 add %al,(%rax) + 3df5: 00 00 add %al,(%rax) + 3df7: 00 19 add %bl,(%rcx) + 3df9: 00 00 add %al,(%rax) + 3dfb: 00 00 add %al,(%rax) + 3dfd: 00 00 add %al,(%rax) + 3dff: 00 b8 3d 00 00 00 add %bh,0x3d(%rax) + 3e05: 00 00 add %al,(%rax) + 3e07: 00 1b add %bl,(%rbx) + 3e09: 00 00 add %al,(%rax) + 3e0b: 00 00 add %al,(%rax) + 3e0d: 00 00 add %al,(%rax) + 3e0f: 00 08 add %cl,(%rax) + 3e11: 00 00 add %al,(%rax) + 3e13: 00 
00 add %al,(%rax) + 3e15: 00 00 add %al,(%rax) + 3e17: 00 1a add %bl,(%rdx) + 3e19: 00 00 add %al,(%rax) + 3e1b: 00 00 add %al,(%rax) + 3e1d: 00 00 add %al,(%rax) + 3e1f: 00 c0 add %al,%al + 3e21: 3d 00 00 00 00 cmp $0x0,%eax + 3e26: 00 00 add %al,(%rax) + 3e28: 1c 00 sbb $0x0,%al + 3e2a: 00 00 add %al,(%rax) + 3e2c: 00 00 add %al,(%rax) + 3e2e: 00 00 add %al,(%rax) + 3e30: 08 00 or %al,(%rax) + 3e32: 00 00 add %al,(%rax) + 3e34: 00 00 add %al,(%rax) + 3e36: 00 00 add %al,(%rax) + 3e38: f5 cmc + 3e39: fe (bad) + 3e3a: ff 6f 00 ljmp *0x0(%rdi) + 3e3d: 00 00 add %al,(%rax) + 3e3f: 00 b0 03 00 00 00 add %dh,0x3(%rax) + 3e45: 00 00 add %al,(%rax) + 3e47: 00 05 00 00 00 00 add %al,0x0(%rip) # 3e4d <_DYNAMIC+0x85> + 3e4d: 00 00 add %al,(%rax) + 3e4f: 00 80 04 00 00 00 add %al,0x4(%rax) + 3e55: 00 00 add %al,(%rax) + 3e57: 00 06 add %al,(%rsi) + 3e59: 00 00 add %al,(%rax) + 3e5b: 00 00 add %al,(%rax) + 3e5d: 00 00 add %al,(%rax) + 3e5f: 00 d8 add %bl,%al + 3e61: 03 00 add (%rax),%eax + 3e63: 00 00 add %al,(%rax) + 3e65: 00 00 add %al,(%rax) + 3e67: 00 0a add %cl,(%rdx) + 3e69: 00 00 add %al,(%rax) + 3e6b: 00 00 add %al,(%rax) + 3e6d: 00 00 add %al,(%rax) + 3e6f: 00 8d 00 00 00 00 add %cl,0x0(%rbp) + 3e75: 00 00 add %al,(%rax) + 3e77: 00 0b add %cl,(%rbx) + 3e79: 00 00 add %al,(%rax) + 3e7b: 00 00 add %al,(%rax) + 3e7d: 00 00 add %al,(%rax) + 3e7f: 00 18 add %bl,(%rax) + 3e81: 00 00 add %al,(%rax) + 3e83: 00 00 add %al,(%rax) + 3e85: 00 00 add %al,(%rax) + 3e87: 00 15 00 00 00 00 add %dl,0x0(%rip) # 3e8d <_DYNAMIC+0xc5> + ... 
+ 3e95: 00 00 add %al,(%rax) + 3e97: 00 03 add %al,(%rbx) + 3e99: 00 00 add %al,(%rax) + 3e9b: 00 00 add %al,(%rax) + 3e9d: 00 00 add %al,(%rax) + 3e9f: 00 b8 3f 00 00 00 add %bh,0x3f(%rax) + 3ea5: 00 00 add %al,(%rax) + 3ea7: 00 02 add %al,(%rdx) + 3ea9: 00 00 add %al,(%rax) + 3eab: 00 00 add %al,(%rax) + 3ead: 00 00 add %al,(%rax) + 3eaf: 00 18 add %bl,(%rax) + 3eb1: 00 00 add %al,(%rax) + 3eb3: 00 00 add %al,(%rax) + 3eb5: 00 00 add %al,(%rax) + 3eb7: 00 14 00 add %dl,(%rax,%rax,1) + 3eba: 00 00 add %al,(%rax) + 3ebc: 00 00 add %al,(%rax) + 3ebe: 00 00 add %al,(%rax) + 3ec0: 07 (bad) + 3ec1: 00 00 add %al,(%rax) + 3ec3: 00 00 add %al,(%rax) + 3ec5: 00 00 add %al,(%rax) + 3ec7: 00 17 add %dl,(%rdi) + 3ec9: 00 00 add %al,(%rax) + 3ecb: 00 00 add %al,(%rax) + 3ecd: 00 00 add %al,(%rax) + 3ecf: 00 10 add %dl,(%rax) + 3ed1: 06 (bad) + 3ed2: 00 00 add %al,(%rax) + 3ed4: 00 00 add %al,(%rax) + 3ed6: 00 00 add %al,(%rax) + 3ed8: 07 (bad) + 3ed9: 00 00 add %al,(%rax) + 3edb: 00 00 add %al,(%rax) + 3edd: 00 00 add %al,(%rax) + 3edf: 00 50 05 add %dl,0x5(%rax) + 3ee2: 00 00 add %al,(%rax) + 3ee4: 00 00 add %al,(%rax) + 3ee6: 00 00 add %al,(%rax) + 3ee8: 08 00 or %al,(%rax) + 3eea: 00 00 add %al,(%rax) + 3eec: 00 00 add %al,(%rax) + 3eee: 00 00 add %al,(%rax) + 3ef0: c0 00 00 rolb $0x0,(%rax) + 3ef3: 00 00 add %al,(%rax) + 3ef5: 00 00 add %al,(%rax) + 3ef7: 00 09 add %cl,(%rcx) + 3ef9: 00 00 add %al,(%rax) + 3efb: 00 00 add %al,(%rax) + 3efd: 00 00 add %al,(%rax) + 3eff: 00 18 add %bl,(%rax) + 3f01: 00 00 add %al,(%rax) + 3f03: 00 00 add %al,(%rax) + 3f05: 00 00 add %al,(%rax) + 3f07: 00 1e add %bl,(%rsi) + 3f09: 00 00 add %al,(%rax) + 3f0b: 00 00 add %al,(%rax) + 3f0d: 00 00 add %al,(%rax) + 3f0f: 00 08 add %cl,(%rax) + 3f11: 00 00 add %al,(%rax) + 3f13: 00 00 add %al,(%rax) + 3f15: 00 00 add %al,(%rax) + 3f17: 00 fb add %bh,%bl + 3f19: ff (bad) + 3f1a: ff 6f 00 ljmp *0x0(%rdi) + 3f1d: 00 00 add %al,(%rax) + 3f1f: 00 01 add %al,(%rcx) + 3f21: 00 00 add %al,(%rax) + 3f23: 
08 00 or %al,(%rax) + 3f25: 00 00 add %al,(%rax) + 3f27: 00 fe add %bh,%dh + 3f29: ff (bad) + 3f2a: ff 6f 00 ljmp *0x0(%rdi) + 3f2d: 00 00 add %al,(%rax) + 3f2f: 00 20 add %ah,(%rax) + 3f31: 05 00 00 00 00 add $0x0,%eax + 3f36: 00 00 add %al,(%rax) + 3f38: ff (bad) + 3f39: ff (bad) + 3f3a: ff 6f 00 ljmp *0x0(%rdi) + 3f3d: 00 00 add %al,(%rax) + 3f3f: 00 01 add %al,(%rcx) + 3f41: 00 00 add %al,(%rax) + 3f43: 00 00 add %al,(%rax) + 3f45: 00 00 add %al,(%rax) + 3f47: 00 f0 add %dh,%al + 3f49: ff (bad) + 3f4a: ff 6f 00 ljmp *0x0(%rdi) + 3f4d: 00 00 add %al,(%rax) + 3f4f: 00 0e add %cl,(%rsi) + 3f51: 05 00 00 00 00 add $0x0,%eax + 3f56: 00 00 add %al,(%rax) + 3f58: f9 stc + 3f59: ff (bad) + 3f5a: ff 6f 00 ljmp *0x0(%rdi) + 3f5d: 00 00 add %al,(%rax) + 3f5f: 00 03 add %al,(%rbx) + ... + +Disassembly of section .got: + +0000000000003fb8 <_GLOBAL_OFFSET_TABLE_>: + 3fb8: c8 3d 00 00 enter $0x3d,$0x0 + ... + 3fd0: 30 10 xor %dl,(%rax) + ... + +Disassembly of section .data: + +0000000000004000 <__data_start>: + ... + +0000000000004008 <__dso_handle>: + 4008: 08 40 00 or %al,0x0(%rax) + 400b: 00 00 add %al,(%rax) + 400d: 00 00 add %al,(%rax) + ... + +Disassembly of section .bss: + +0000000000004010 : + ... + +Disassembly of section .comment: + +0000000000000000 <.comment>: + 0: 47 rex.RXB + 1: 43 rex.XB + 2: 43 3a 20 rex.XB cmp (%r8),%spl + 5: 28 55 62 sub %dl,0x62(%rbp) + 8: 75 6e jne 78 <__abi_tag-0x314> + a: 74 75 je 81 <__abi_tag-0x30b> + c: 20 31 and %dh,(%rcx) + e: 30 2e xor %ch,(%rsi) + 10: 35 2e 30 2d 31 xor $0x312d302e,%eax + 15: 75 62 jne 79 <__abi_tag-0x313> + 17: 75 6e jne 87 <__abi_tag-0x305> + 19: 74 75 je 90 <__abi_tag-0x2fc> + 1b: 31 7e 32 xor %edi,0x32(%rsi) + 1e: 32 2e xor (%rsi),%ch + 20: 30 34 29 xor %dh,(%rcx,%rbp,1) + 23: 20 31 and %dh,(%rcx) + 25: 30 2e xor %ch,(%rsi) + 27: 35 .byte 0x35 + 28: 2e 30 00 cs xor %al,(%rax) diff --git a/srcs/woody.c b/srcs/woody.c index a3ebdec..17cabd9 100644 --- a/srcs/woody.c +++ b/srcs/woody.c 
@@ -1,6 +1,7 @@ #include "../includes/woody.h" -#define CODE_MACRO "\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x10\x00\x00\x00\x0f\x05\xb2\x2a\x31\xc0\xff\xc0\xf6\xe2\x89\xc7\x31\xc0\x0f\x05\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a" +#define CODE_MACRO "\x50\x57\x56\x52\x53\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x09\x00\x00\x00\x0f\x05\x5a\x5b\x5a\x5e\x5f\x58\xc3\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a" +char jmp[] = "\xe9\x00\x00\x00\x00"; int elf_magic_numbers(char *str) { @@ -58,7 +59,7 @@ int get_load_segment(t_efl_content *woody, int start, bool executable) void find_cave(t_efl_content *woody) { - woody->Phdr = (Elf64_Phdr *)secure_access(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr)); + woody->Phdr = (Elf64_Phdr *)secure_jump(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr)); int i = get_load_segment(woody, 0, true); int j = get_load_segment(woody, i + 1, false); 
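Review bot: The new CODE_MACRO pushes five registers (`\x50\x57\x56\x52\x53` = rax, rdi, rsi, rdx, rbx) but pops six (`\x5a\x5b\x5a\x5e\x5f\x58` = rdx, rbx, rdx, rsi, rdi, rax) before `\xc3`, so every restored register is off by one slot and rsp ends 8 bytes above where it started; and once find_cave makes this stub the ELF entry point there is no return address for `ret` to consume anyway — at `_start` the top of the stack is argc, as the `pop %rsi` in the objdump listing further down this page shows. The print.s hunk of the later patch on this page removes the two extra pops and swaps `ret` for a rel32 `jmp`, which is the right direction. Until that displacement is actually written in, `char jmp[] = "\xe9\x00\x00\x00\x00";` added here is never referenced; if it stays it should be `static const unsigned char jmp_stub[] = ...` with a comment such as `/* rel32 placeholder, patched at inject time */` so it is neither an exported mutable global nor mistaken for a finished instruction. Worth a comment as well: `syscall` clobbers rcx and r11, which this stub does not save — harmless at process entry, not if the stub is ever reused from elsewhere.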
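Review bot: `secure_jump(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr))` only proves that the first program header lies inside the file, yet `woody->Phdr[i]` and `woody->Phdr[j]` are then indexed by whatever `get_load_segment` returns, so a crafted e_phnum/e_phoff lets find_cave read past the mapping. Bound the whole table the way inject already bounds the section table: `if (!secure_jump(woody->file, woody->file_size, woody->Ehdr->e_phoff, (size_t)woody->Ehdr->e_phnum * sizeof(Elf64_Phdr))) return;`, and reject `e_phentsize != sizeof(Elf64_Phdr)` since that stride, not the struct size, is what the loader walks. `get_load_segment` returns -1 when no matching segment exists (its tail is visible in the later woody.c hunk on this page) and neither `i` nor `j` is checked here before being used as an index. find_cave's body continues in the next hunk, and because it returns void none of these failures can reach inject.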
@@ -69,33 +70,26 @@ void find_cave(t_efl_content *woody) printf("code_cave_size = %lx\n", woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz)); -// static void inject(t_woody64 *woody, const t_patch *patch) { -// char payload[] = PAYLOAD; - Elf64_Off payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz; -// ft_memcpy((void *)woody->file + payload_off, payload, PAYLOAD_SIZE); -// ft_memcpy( -// (void *)woody->file + payload_off + (PAYLOAD_SIZE - sizeof(t_patch)), -// patch, sizeof(t_patch)); - -// woody->file->e_entry = woody->load_seg->p_vaddr + woody->load_seg->p_filesz; -// woody->load_seg->p_filesz += PAYLOAD_SIZE; -// woody->load_seg->p_memsz += PAYLOAD_SIZE; -// } size_t len = sizeof(CODE_MACRO) - 1; ft_memcpy(woody->file + payload_off, CODE_MACRO, len); + printf("old entry : %lx\n", woody->Ehdr->e_entry); woody->Ehdr->e_entry = woody->Phdr[i].p_vaddr + woody->Phdr[i].p_filesz; woody->Phdr[i].p_filesz += len; woody->Phdr[i].p_memsz += len; + + printf("e_entry = %lx\n", woody->Ehdr->e_entry); + printf("p_filesz = %lx\n", woody->Phdr[i].p_filesz); + printf("p_memsz = %lx\n", woody->Phdr[i].p_memsz); } int inject(t_efl_content *woody) { - woody->Ehdr = (Elf64_Ehdr *)secure_access(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr)); + woody->Ehdr = (Elf64_Ehdr *)secure_jump(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr)); if (!woody->Ehdr || !elf_magic_numbers(woody->file) || woody->Ehdr->e_ident[EI_CLASS] != 2) { ft_printf("Error: \'%s\' is not a valid 64-bit ELF file\n", woody->file_path); 
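Review bot: `ft_memcpy(woody->file + payload_off, CODE_MACRO, len)` writes `len` bytes at the end of the executable segment without ever comparing `len` with the cave size the line above computes and prints (`Phdr[j].p_offset - (Phdr[i].p_offset + Phdr[i].p_filesz)`), so a target whose segments are tightly packed gets the start of its next segment overwritten, and if `j` is -1 that subtraction reads `Phdr[-1]`. Guard before the copy: `if (i < 0 || j < 0 || len > woody->Phdr[j].p_offset - payload_off) { ft_put_error("payload does not fit in code cave"); return; }` — and since find_cave returns void the caller cannot learn this happened, so making it return int like inject would let the refusal propagate to save_elf. The old entry point is printed but not kept anywhere the stub could use to resume the original program; presumably that is the next step, and a comment saying so would stop a reader from taking the `printf` as the plan. The debug printfs of e_entry/p_filesz/p_memsz read as scaffolding that should go behind a verbose flag before this lands. find_cave's signature is in the previous hunk and the hunk ends inside inject.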
@@ -103,8 +97,8 @@ int inject(t_efl_content *woody) } printf("entry point = %ld\n", woody->Ehdr->e_entry); - Elf64_Shdr *Shdr = (Elf64_Shdr *)secure_access(woody->file, woody->file_size, woody->Ehdr->e_shoff, sizeof(Elf64_Shdr)); - if (Shdr == NULL || !secure_access(woody->file, woody->file_size, woody->Ehdr->e_shoff, woody->Ehdr->e_shnum * sizeof(Elf64_Shdr))) + Elf64_Shdr *Shdr = (Elf64_Shdr *)secure_jump(woody->file, woody->file_size, woody->Ehdr->e_shoff, sizeof(Elf64_Shdr)); + if (Shdr == NULL || !secure_jump(woody->file, woody->file_size, woody->Ehdr->e_shoff, woody->Ehdr->e_shnum * sizeof(Elf64_Shdr))) { return ft_put_error("Corrupted file"); } @@ -116,16 +110,16 @@ int inject(t_efl_content *woody) Elf64_Shdr *symbols_table = NULL; for (int i = 0; i < woody->Ehdr->e_shnum; i++) { if (Shdr[i].sh_type == SHT_SYMTAB) { - symbols_table = secure_access(woody->file, woody->file_size, woody->Ehdr->e_shoff + (i * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr)); + symbols_table = secure_jump(woody->file, woody->file_size, woody->Ehdr->e_shoff + (i * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr)); } } if (symbols_table == NULL) return ft_put_error("No symbols"); - if (!secure_access(woody->file, woody->file_size, woody->Ehdr->e_shoff + (woody->Ehdr->e_shstrndx * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr))) + if (!secure_jump(woody->file, woody->file_size, woody->Ehdr->e_shoff + (woody->Ehdr->e_shstrndx * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr))) return ft_put_error("Corrupted file"); - char *Sshstrtab = (char *)secure_access(woody->file, woody->file_size, Shdr[woody->Ehdr->e_shstrndx].sh_offset, 0); + char *Sshstrtab = (char *)secure_jump(woody->file, woody->file_size, Shdr[woody->Ehdr->e_shstrndx].sh_offset, 0); if (Sshstrtab == NULL) return ft_put_error("Corrupted file"); 
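Review bot: `secure_jump(woody->file, woody->file_size, Shdr[woody->Ehdr->e_shstrndx].sh_offset, 0)` passes a supposed size of 0, so the helper can only show that the string table starts inside the file, not that any byte later read through `Sshstrtab` does; pass `Shdr[woody->Ehdr->e_shstrndx].sh_size` and treat a section name that is not NUL-terminated inside that range as "Corrupted file". The index is also not validated as an index: the preceding secure_jump proves the header slot lies in the file, not in the table, so add `woody->Ehdr->e_shstrndx < woody->Ehdr->e_shnum` (and `!= SHN_UNDEF`) before `Shdr[e_shstrndx]` is dereferenced. In the hunk just above, `e_shnum * sizeof(Elf64_Shdr)` assumes the on-disk stride equals the struct size; checking `e_shentsize == sizeof(Elf64_Shdr)` makes that explicit. inject continues past the end of this hunk.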
@@ -135,14 +129,14 @@ int inject(t_efl_content *woody) } // useless for now - Elf64_Shdr *strtab_header = (Elf64_Shdr *)secure_access(woody->file, woody->file_size, woody->Ehdr->e_shoff + (symbols_table->sh_link * woody->Ehdr->e_shentsize), sizeof(Elf64_Shdr)); + Elf64_Shdr *strtab_header = (Elf64_Shdr *)secure_jump(woody->file, woody->file_size, woody->Ehdr->e_shoff + (symbols_table->sh_link * woody->Ehdr->e_shentsize), sizeof(Elf64_Shdr)); if (!strtab_header) return ft_put_error("Corrupted file"); - char *strtab = secure_access(woody->file, woody->file_size, strtab_header->sh_offset, 0); + char *strtab = secure_jump(woody->file, woody->file_size, strtab_header->sh_offset, 0); if (strtab == NULL) return ft_put_error("Corrupted file"); - Elf64_Sym *symbols = (Elf64_Sym *)secure_access(woody->file, woody->file_size, symbols_table->sh_offset, sizeof(Elf64_Sym)); + Elf64_Sym *symbols = (Elf64_Sym *)secure_jump(woody->file, woody->file_size, symbols_table->sh_offset, sizeof(Elf64_Sym)); if (symbols == NULL) return ft_put_error("Corrupted file"); // end useless woody->Ehdr->e_entry = @@ -153,7 +147,7 @@ int inject(t_efl_content *woody) ft_memcpy(woody_file, woody->file, woody->file_size); - encrypt_zone(woody_file, strtab_header->sh_offset , strtab_header->sh_size); + // encrypt_zone(woody_file, strtab_header->sh_offset , strtab_header->sh_size); return save_elf("woody", woody_file, woody->file_size); } \ No newline at end of file diff --git a/woody.txt b/woody.txt new file mode 100644 index 0000000..dc5f9d3 --- /dev/null +++ b/woody.txt 
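Review bot: `// encrypt_zone(woody_file, strtab_header->sh_offset , strtab_header->sh_size);` parks the call rather than removing it, so the file written by save_elf now has no encryption applied and nothing in the code says whether that is the intended state of this step; delete the line (history keeps it) or, if encryption is still planned, leave a comment stating what the stub is expected to decrypt and where the key will live. With that call gone, the `strtab_header`/`strtab`/`symbols` lookups in the previous hunk survive only for their bounds checks, which the `// useless for now` marker should say outright: `/* validated only; not consumed until encrypt_zone is re-enabled */`. inject starts before this hunk.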
@@ -0,0 +1,825 @@ + +woody: file format elf64-x86-64 + + +Disassembly of section .interp: + +0000000000000318 <.interp>: + 318: 2f (bad) + 319: 6c insb (%dx),%es:(%rdi) + 31a: 69 62 36 34 2f 6c 64 imul $0x646c2f34,0x36(%rdx),%esp + 321: 2d 6c 69 6e 75 sub $0x756e696c,%eax + 326: 78 2d js 355 <__abi_tag-0x37> + 328: 78 38 js 362 <__abi_tag-0x2a> + 32a: 36 2d 36 34 2e 73 ss sub $0x732e3436,%eax + 330: 6f outsl %ds:(%rsi),(%dx) + 331: 2e 32 00 cs xor (%rax),%al + +Disassembly of section .note.gnu.property: + +0000000000000338 <.note.gnu.property>: + 338: 04 00 add $0x0,%al + 33a: 00 00 add %al,(%rax) + 33c: 20 00 and %al,(%rax) + 33e: 00 00 add %al,(%rax) + 340: 05 00 00 00 47 add $0x47000000,%eax + 345: 4e 55 rex.WRX push %rbp + 347: 00 02 add %al,(%rdx) + 349: 00 00 add %al,(%rax) + 34b: c0 04 00 00 rolb $0x0,(%rax,%rax,1) + 34f: 00 03 add %al,(%rbx) + 351: 00 00 add %al,(%rax) + 353: 00 00 add %al,(%rax) + 355: 00 00 add %al,(%rax) + 357: 00 02 add %al,(%rdx) + 359: 80 00 c0 addb $0xc0,(%rax) + 35c: 04 00 add $0x0,%al + 35e: 00 00 add %al,(%rax) + 360: 01 00 add %eax,(%rax) + 362: 00 00 add %al,(%rax) + 364: 00 00 add %al,(%rax) + ... 
+ +Disassembly of section .note.gnu.build-id: + +0000000000000368 <.note.gnu.build-id>: + 368: 04 00 add $0x0,%al + 36a: 00 00 add %al,(%rax) + 36c: 14 00 adc $0x0,%al + 36e: 00 00 add %al,(%rax) + 370: 03 00 add (%rax),%eax + 372: 00 00 add %al,(%rax) + 374: 47 rex.RXB + 375: 4e 55 rex.WRX push %rbp + 377: 00 aa 0d f4 0f 29 add %ch,0x290ff40d(%rdx) + 37d: 9d popf + 37e: 21 c9 and %ecx,%ecx + 380: 16 (bad) + 381: 1e (bad) + 382: 8a 34 ce mov (%rsi,%rcx,8),%dh + 385: 99 cltd + 386: 69 cc 15 8d 7d 01 imul $0x17d8d15,%esp,%ecx + +Disassembly of section .note.ABI-tag: + +000000000000038c <__abi_tag>: + 38c: 04 00 add $0x0,%al + 38e: 00 00 add %al,(%rax) + 390: 10 00 adc %al,(%rax) + 392: 00 00 add %al,(%rax) + 394: 01 00 add %eax,(%rax) + 396: 00 00 add %al,(%rax) + 398: 47 rex.RXB + 399: 4e 55 rex.WRX push %rbp + 39b: 00 00 add %al,(%rax) + 39d: 00 00 add %al,(%rax) + 39f: 00 03 add %al,(%rbx) + 3a1: 00 00 add %al,(%rax) + 3a3: 00 02 add %al,(%rdx) + 3a5: 00 00 add %al,(%rax) + 3a7: 00 00 add %al,(%rax) + 3a9: 00 00 add %al,(%rax) + ... + +Disassembly of section .gnu.hash: + +00000000000003b0 <.gnu.hash>: + 3b0: 02 00 add (%rax),%al + 3b2: 00 00 add %al,(%rax) + 3b4: 06 (bad) + 3b5: 00 00 add %al,(%rax) + 3b7: 00 01 add %al,(%rcx) + 3b9: 00 00 add %al,(%rax) + 3bb: 00 06 add %al,(%rsi) + 3bd: 00 00 add %al,(%rax) + 3bf: 00 00 add %al,(%rax) + 3c1: 00 81 00 00 00 00 add %al,0x0(%rcx) + 3c7: 00 06 add %al,(%rsi) + 3c9: 00 00 add %al,(%rax) + 3cb: 00 00 add %al,(%rax) + 3cd: 00 00 add %al,(%rax) + 3cf: 00 d1 add %dl,%cl + 3d1: 65 ce gs (bad) + 3d3: 6d insl (%dx),%es:(%rdi) + +Disassembly of section .dynsym: + +00000000000003d8 <.dynsym>: + ... + 3f0: 10 00 adc %al,(%rax) + 3f2: 00 00 add %al,(%rax) + 3f4: 12 00 adc (%rax),%al + ... + 406: 00 00 add %al,(%rax) + 408: 48 00 00 rex.W add %al,(%rax) + 40b: 00 20 add %ah,(%rax) + ... + 41d: 00 00 add %al,(%rax) + 41f: 00 22 add %ah,(%rdx) + 421: 00 00 add %al,(%rax) + 423: 00 12 add %dl,(%rdx) + ... 
+ 435: 00 00 add %al,(%rax) + 437: 00 64 00 00 add %ah,0x0(%rax,%rax,1) + 43b: 00 20 add %ah,(%rax) + ... + 44d: 00 00 add %al,(%rax) + 44f: 00 73 00 add %dh,0x0(%rbx) + 452: 00 00 add %al,(%rax) + 454: 20 00 and %al,(%rax) + ... + 466: 00 00 add %al,(%rax) + 468: 01 00 add %eax,(%rax) + 46a: 00 00 add %al,(%rax) + 46c: 22 00 and (%rax),%al + ... + +Disassembly of section .dynstr: + +0000000000000480 <.dynstr>: + 480: 00 5f 5f add %bl,0x5f(%rdi) + 483: 63 78 61 movsxd 0x61(%rax),%edi + 486: 5f pop %rdi + 487: 66 69 6e 61 6c 69 imul $0x696c,0x61(%rsi),%bp + 48d: 7a 65 jp 4f4 <__abi_tag+0x168> + 48f: 00 5f 5f add %bl,0x5f(%rdi) + 492: 6c insb (%dx),%es:(%rdi) + 493: 69 62 63 5f 73 74 61 imul $0x6174735f,0x63(%rdx),%esp + 49a: 72 74 jb 510 <__abi_tag+0x184> + 49c: 5f pop %rdi + 49d: 6d insl (%dx),%es:(%rdi) + 49e: 61 (bad) + 49f: 69 6e 00 70 75 74 73 imul $0x73747570,0x0(%rsi),%ebp + 4a6: 00 6c 69 62 add %ch,0x62(%rcx,%rbp,2) + 4aa: 63 2e movsxd (%rsi),%ebp + 4ac: 73 6f jae 51d <__abi_tag+0x191> + 4ae: 2e 36 00 47 4c cs ss add %al,0x4c(%rdi) + 4b3: 49 rex.WB + 4b4: 42 rex.X + 4b5: 43 5f rex.XB pop %r15 + 4b7: 32 2e xor (%rsi),%ch + 4b9: 32 2e xor (%rsi),%ch + 4bb: 35 00 47 4c 49 xor $0x494c4700,%eax + 4c0: 42 rex.X + 4c1: 43 5f rex.XB pop %r15 + 4c3: 32 2e xor (%rsi),%ch + 4c5: 33 34 00 xor (%rax,%rax,1),%esi + 4c8: 5f pop %rdi + 4c9: 49 54 rex.WB push %r12 + 4cb: 4d 5f rex.WRB pop %r15 + 4cd: 64 65 72 65 fs gs jb 536 <__abi_tag+0x1aa> + 4d1: 67 69 73 74 65 72 54 imul $0x4d547265,0x74(%ebx),%esi + 4d8: 4d + 4d9: 43 6c rex.XB insb (%dx),%es:(%rdi) + 4db: 6f outsl %ds:(%rsi),(%dx) + 4dc: 6e outsb %ds:(%rsi),(%dx) + 4dd: 65 54 gs push %rsp + 4df: 61 (bad) + 4e0: 62 (bad) + 4e1: 6c insb (%dx),%es:(%rdi) + 4e2: 65 00 5f 5f add %bl,%gs:0x5f(%rdi) + 4e6: 67 6d insl (%dx),%es:(%edi) + 4e8: 6f outsl %ds:(%rsi),(%dx) + 4e9: 6e outsb %ds:(%rsi),(%dx) + 4ea: 5f pop %rdi + 4eb: 73 74 jae 561 <__abi_tag+0x1d5> + 4ed: 61 (bad) + 4ee: 72 74 jb 564 <__abi_tag+0x1d8> + 4f0: 5f pop %rdi 
+ 4f1: 5f pop %rdi + 4f2: 00 5f 49 add %bl,0x49(%rdi) + 4f5: 54 push %rsp + 4f6: 4d 5f rex.WRB pop %r15 + 4f8: 72 65 jb 55f <__abi_tag+0x1d3> + 4fa: 67 69 73 74 65 72 54 imul $0x4d547265,0x74(%ebx),%esi + 501: 4d + 502: 43 6c rex.XB insb (%dx),%es:(%rdi) + 504: 6f outsl %ds:(%rsi),(%dx) + 505: 6e outsb %ds:(%rsi),(%dx) + 506: 65 54 gs push %rsp + 508: 61 (bad) + 509: 62 .byte 0x62 + 50a: 6c insb (%dx),%es:(%rdi) + 50b: 65 gs + ... + +Disassembly of section .gnu.version: + +000000000000050e <.gnu.version>: + 50e: 00 00 add %al,(%rax) + 510: 02 00 add (%rax),%al + 512: 01 00 add %eax,(%rax) + 514: 03 00 add (%rax),%eax + 516: 01 00 add %eax,(%rax) + 518: 01 00 add %eax,(%rax) + 51a: 03 00 add (%rax),%eax + +Disassembly of section .gnu.version_r: + +0000000000000520 <.gnu.version_r>: + 520: 01 00 add %eax,(%rax) + 522: 02 00 add (%rax),%al + 524: 27 (bad) + 525: 00 00 add %al,(%rax) + 527: 00 10 add %dl,(%rax) + 529: 00 00 add %al,(%rax) + 52b: 00 00 add %al,(%rax) + 52d: 00 00 add %al,(%rax) + 52f: 00 75 1a add %dh,0x1a(%rbp) + 532: 69 09 00 00 03 00 imul $0x30000,(%rcx),%ecx + 538: 31 00 xor %eax,(%rax) + 53a: 00 00 add %al,(%rax) + 53c: 10 00 adc %al,(%rax) + 53e: 00 00 add %al,(%rax) + 540: b4 91 mov $0x91,%ah + 542: 96 xchg %eax,%esi + 543: 06 (bad) + 544: 00 00 add %al,(%rax) + 546: 02 00 add (%rax),%al + 548: 3d 00 00 00 00 cmp $0x0,%eax + 54d: 00 00 add %al,(%rax) + ... + +Disassembly of section .rela.dyn: + +0000000000000550 <.rela.dyn>: + 550: b8 3d 00 00 00 mov $0x3d,%eax + 555: 00 00 add %al,(%rax) + 557: 00 08 add %cl,(%rax) + 559: 00 00 add %al,(%rax) + 55b: 00 00 add %al,(%rax) + 55d: 00 00 add %al,(%rax) + 55f: 00 40 11 add %al,0x11(%rax) + 562: 00 00 add %al,(%rax) + 564: 00 00 add %al,(%rax) + 566: 00 00 add %al,(%rax) + 568: c0 3d 00 00 00 00 00 sarb $0x0,0x0(%rip) # 56f <__abi_tag+0x1e3> + 56f: 00 08 add %cl,(%rax) + ... 
+ 579: 11 00 adc %eax,(%rax) + 57b: 00 00 add %al,(%rax) + 57d: 00 00 add %al,(%rax) + 57f: 00 08 add %cl,(%rax) + 581: 40 00 00 rex add %al,(%rax) + 584: 00 00 add %al,(%rax) + 586: 00 00 add %al,(%rax) + 588: 08 00 or %al,(%rax) + 58a: 00 00 add %al,(%rax) + 58c: 00 00 add %al,(%rax) + 58e: 00 00 add %al,(%rax) + 590: 08 40 00 or %al,0x0(%rax) + 593: 00 00 add %al,(%rax) + 595: 00 00 add %al,(%rax) + 597: 00 d8 add %bl,%al + 599: 3f (bad) + 59a: 00 00 add %al,(%rax) + 59c: 00 00 add %al,(%rax) + 59e: 00 00 add %al,(%rax) + 5a0: 06 (bad) + 5a1: 00 00 add %al,(%rax) + 5a3: 00 01 add %al,(%rcx) + ... + 5ad: 00 00 add %al,(%rax) + 5af: 00 e0 add %ah,%al + 5b1: 3f (bad) + 5b2: 00 00 add %al,(%rax) + 5b4: 00 00 add %al,(%rax) + 5b6: 00 00 add %al,(%rax) + 5b8: 06 (bad) + 5b9: 00 00 add %al,(%rax) + 5bb: 00 02 add %al,(%rdx) + ... + 5c5: 00 00 add %al,(%rax) + 5c7: 00 e8 add %ch,%al + 5c9: 3f (bad) + 5ca: 00 00 add %al,(%rax) + 5cc: 00 00 add %al,(%rax) + 5ce: 00 00 add %al,(%rax) + 5d0: 06 (bad) + 5d1: 00 00 add %al,(%rax) + 5d3: 00 04 00 add %al,(%rax,%rax,1) + ... + 5de: 00 00 add %al,(%rax) + 5e0: f0 3f lock (bad) + 5e2: 00 00 add %al,(%rax) + 5e4: 00 00 add %al,(%rax) + 5e6: 00 00 add %al,(%rax) + 5e8: 06 (bad) + 5e9: 00 00 add %al,(%rax) + 5eb: 00 05 00 00 00 00 add %al,0x0(%rip) # 5f1 <__abi_tag+0x265> + 5f1: 00 00 add %al,(%rax) + 5f3: 00 00 add %al,(%rax) + 5f5: 00 00 add %al,(%rax) + 5f7: 00 f8 add %bh,%al + 5f9: 3f (bad) + 5fa: 00 00 add %al,(%rax) + 5fc: 00 00 add %al,(%rax) + 5fe: 00 00 add %al,(%rax) + 600: 06 (bad) + 601: 00 00 add %al,(%rax) + 603: 00 06 add %al,(%rsi) + ... + +Disassembly of section .rela.plt: + +0000000000000610 <.rela.plt>: + 610: d0 3f sarb (%rdi) + 612: 00 00 add %al,(%rax) + 614: 00 00 add %al,(%rax) + 616: 00 00 add %al,(%rax) + 618: 07 (bad) + 619: 00 00 add %al,(%rax) + 61b: 00 03 add %al,(%rbx) + ... 
+ +Disassembly of section .init: + +0000000000001000 <_init>: + 1000: f3 0f 1e fa endbr64 + 1004: 48 83 ec 08 sub $0x8,%rsp + 1008: 48 8b 05 d9 2f 00 00 mov 0x2fd9(%rip),%rax # 3fe8 <__gmon_start__@Base> + 100f: 48 85 c0 test %rax,%rax + 1012: 74 02 je 1016 <_init+0x16> + 1014: ff d0 call *%rax + 1016: 48 83 c4 08 add $0x8,%rsp + 101a: c3 ret + +Disassembly of section .plt: + +0000000000001020 <.plt>: + 1020: ff 35 9a 2f 00 00 push 0x2f9a(%rip) # 3fc0 <_GLOBAL_OFFSET_TABLE_+0x8> + 1026: f2 ff 25 9b 2f 00 00 bnd jmp *0x2f9b(%rip) # 3fc8 <_GLOBAL_OFFSET_TABLE_+0x10> + 102d: 0f 1f 00 nopl (%rax) + 1030: f3 0f 1e fa endbr64 + 1034: 68 00 00 00 00 push $0x0 + 1039: f2 e9 e1 ff ff ff bnd jmp 1020 <_init+0x20> + 103f: 90 nop + +Disassembly of section .plt.got: + +0000000000001040 <__cxa_finalize@plt>: + 1040: f3 0f 1e fa endbr64 + 1044: f2 ff 25 ad 2f 00 00 bnd jmp *0x2fad(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5> + 104b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) + +Disassembly of section .plt.sec: + +0000000000001050 : + 1050: f3 0f 1e fa endbr64 + 1054: f2 ff 25 75 2f 00 00 bnd jmp *0x2f75(%rip) # 3fd0 + 105b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) + +Disassembly of section .text: + +0000000000001060 <_start>: + 1060: f3 0f 1e fa endbr64 + 1064: 31 ed xor %ebp,%ebp + 1066: 49 89 d1 mov %rdx,%r9 + 1069: 5e pop %rsi + 106a: 48 89 e2 mov %rsp,%rdx + 106d: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp + 1071: 50 push %rax + 1072: 54 push %rsp + 1073: 45 31 c0 xor %r8d,%r8d + 1076: 31 c9 xor %ecx,%ecx + 1078: 48 8d 3d ca 00 00 00 lea 0xca(%rip),%rdi # 1149
+ 107f: ff 15 53 2f 00 00 call *0x2f53(%rip) # 3fd8 <__libc_start_main@GLIBC_2.34> + 1085: f4 hlt + 1086: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) + 108d: 00 00 00 + +0000000000001090 : + 1090: 48 8d 3d 79 2f 00 00 lea 0x2f79(%rip),%rdi # 4010 <__TMC_END__> + 1097: 48 8d 05 72 2f 00 00 lea 0x2f72(%rip),%rax # 4010 <__TMC_END__> + 109e: 48 39 f8 cmp %rdi,%rax + 10a1: 74 15 je 10b8 + 10a3: 48 8b 05 36 2f 00 00 mov 0x2f36(%rip),%rax # 3fe0 <_ITM_deregisterTMCloneTable@Base> + 10aa: 48 85 c0 test %rax,%rax + 10ad: 74 09 je 10b8 + 10af: ff e0 jmp *%rax + 10b1: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) + 10b8: c3 ret + 10b9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) + +00000000000010c0 : + 10c0: 48 8d 3d 49 2f 00 00 lea 0x2f49(%rip),%rdi # 4010 <__TMC_END__> + 10c7: 48 8d 35 42 2f 00 00 lea 0x2f42(%rip),%rsi # 4010 <__TMC_END__> + 10ce: 48 29 fe sub %rdi,%rsi + 10d1: 48 89 f0 mov %rsi,%rax + 10d4: 48 c1 ee 3f shr $0x3f,%rsi + 10d8: 48 c1 f8 03 sar $0x3,%rax + 10dc: 48 01 c6 add %rax,%rsi + 10df: 48 d1 fe sar %rsi + 10e2: 74 14 je 10f8 + 10e4: 48 8b 05 05 2f 00 00 mov 0x2f05(%rip),%rax # 3ff0 <_ITM_registerTMCloneTable@Base> + 10eb: 48 85 c0 test %rax,%rax + 10ee: 74 08 je 10f8 + 10f0: ff e0 jmp *%rax + 10f2: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) + 10f8: c3 ret + 10f9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) + +0000000000001100 <__do_global_dtors_aux>: + 1100: f3 0f 1e fa endbr64 + 1104: 80 3d 05 2f 00 00 00 cmpb $0x0,0x2f05(%rip) # 4010 <__TMC_END__> + 110b: 75 2b jne 1138 <__do_global_dtors_aux+0x38> + 110d: 55 push %rbp + 110e: 48 83 3d e2 2e 00 00 cmpq $0x0,0x2ee2(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5> + 1115: 00 + 1116: 48 89 e5 mov %rsp,%rbp + 1119: 74 0c je 1127 <__do_global_dtors_aux+0x27> + 111b: 48 8b 3d e6 2e 00 00 mov 0x2ee6(%rip),%rdi # 4008 <__dso_handle> + 1122: e8 19 ff ff ff call 1040 <__cxa_finalize@plt> + 1127: e8 64 ff ff ff call 1090 + 112c: c6 05 dd 2e 00 00 01 movb $0x1,0x2edd(%rip) # 4010 <__TMC_END__> + 1133: 5d pop %rbp + 1134: c3 ret + 1135: 0f 1f 00 
nopl (%rax) + 1138: c3 ret + 1139: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) + +0000000000001140 : + 1140: f3 0f 1e fa endbr64 + 1144: e9 77 ff ff ff jmp 10c0 + +0000000000001149
: + 1149: f3 0f 1e fa endbr64 + 114d: 55 push %rbp + 114e: 48 89 e5 mov %rsp,%rbp + 1151: 48 8d 3d ac 0e 00 00 lea 0xeac(%rip),%rdi # 2004 <_IO_stdin_used+0x4> + 1158: e8 f3 fe ff ff call 1050 + 115d: b8 00 00 00 00 mov $0x0,%eax + 1162: 5d pop %rbp + 1163: c3 ret + +Disassembly of section .fini: + +0000000000001164 <_fini>: + 1164: f3 0f 1e fa endbr64 + 1168: 48 83 ec 08 sub $0x8,%rsp + 116c: 48 83 c4 08 add $0x8,%rsp + 1170: c3 ret + +Disassembly of section .rodata: + +0000000000002000 <_IO_stdin_used>: + 2000: 01 00 add %eax,(%rax) + 2002: 02 00 add (%rax),%al + 2004: 48 rex.W + 2005: 65 6c gs insb (%dx),%es:(%rdi) + 2007: 6c insb (%dx),%es:(%rdi) + 2008: 6f outsl %ds:(%rsi),(%dx) + 2009: 2c 20 sub $0x20,%al + 200b: 57 push %rdi + 200c: 6f outsl %ds:(%rsi),(%dx) + 200d: 72 6c jb 207b <__GNU_EH_FRAME_HDR+0x67> + 200f: 64 21 00 and %eax,%fs:(%rax) + +Disassembly of section .eh_frame_hdr: + +0000000000002014 <__GNU_EH_FRAME_HDR>: + 2014: 01 1b add %ebx,(%rbx) + 2016: 03 3b add (%rbx),%edi + 2018: 30 00 xor %al,(%rax) + 201a: 00 00 add %al,(%rax) + 201c: 05 00 00 00 0c add $0xc000000,%eax + 2021: f0 ff lock (bad) + 2023: ff 64 00 00 jmp *0x0(%rax,%rax,1) + 2027: 00 2c f0 add %ch,(%rax,%rsi,8) + 202a: ff (bad) + 202b: ff 8c 00 00 00 3c f0 decl -0xfc40000(%rax,%rax,1) + 2032: ff (bad) + 2033: ff a4 00 00 00 4c f0 jmp *-0xfb40000(%rax,%rax,1) + 203a: ff (bad) + 203b: ff 4c 00 00 decl 0x0(%rax,%rax,1) + 203f: 00 35 f1 ff ff bc add %dh,-0x4300000f(%rip) # ffffffffbd002036 <_end+0xffffffffbcffe01e> + 2045: 00 00 add %al,(%rax) + ... 
+ +Disassembly of section .eh_frame: + +0000000000002048 <__FRAME_END__-0xa8>: + 2048: 14 00 adc $0x0,%al + 204a: 00 00 add %al,(%rax) + 204c: 00 00 add %al,(%rax) + 204e: 00 00 add %al,(%rax) + 2050: 01 7a 52 add %edi,0x52(%rdx) + 2053: 00 01 add %al,(%rcx) + 2055: 78 10 js 2067 <__GNU_EH_FRAME_HDR+0x53> + 2057: 01 1b add %ebx,(%rbx) + 2059: 0c 07 or $0x7,%al + 205b: 08 90 01 00 00 14 or %dl,0x14000001(%rax) + 2061: 00 00 add %al,(%rax) + 2063: 00 1c 00 add %bl,(%rax,%rax,1) + 2066: 00 00 add %al,(%rax) + 2068: f8 clc + 2069: ef out %eax,(%dx) + 206a: ff (bad) + 206b: ff 26 jmp *(%rsi) + 206d: 00 00 add %al,(%rax) + 206f: 00 00 add %al,(%rax) + 2071: 44 07 rex.R (bad) + 2073: 10 00 adc %al,(%rax) + 2075: 00 00 add %al,(%rax) + 2077: 00 24 00 add %ah,(%rax,%rax,1) + 207a: 00 00 add %al,(%rax) + 207c: 34 00 xor $0x0,%al + 207e: 00 00 add %al,(%rax) + 2080: a0 ef ff ff 20 00 00 movabs 0x20ffffef,%al + 2087: 00 00 + 2089: 0e (bad) + 208a: 10 46 0e adc %al,0xe(%rsi) + 208d: 18 4a 0f sbb %cl,0xf(%rdx) + 2090: 0b 77 08 or 0x8(%rdi),%esi + 2093: 80 00 3f addb $0x3f,(%rax) + 2096: 1a 3a sbb (%rdx),%bh + 2098: 2a 33 sub (%rbx),%dh + 209a: 24 22 and $0x22,%al + 209c: 00 00 add %al,(%rax) + 209e: 00 00 add %al,(%rax) + 20a0: 14 00 adc $0x0,%al + 20a2: 00 00 add %al,(%rax) + 20a4: 5c pop %rsp + 20a5: 00 00 add %al,(%rax) + 20a7: 00 98 ef ff ff 10 add %bl,0x10ffffef(%rax) + ... + 20b5: 00 00 add %al,(%rax) + 20b7: 00 14 00 add %dl,(%rax,%rax,1) + 20ba: 00 00 add %al,(%rax) + 20bc: 74 00 je 20be <__GNU_EH_FRAME_HDR+0xaa> + 20be: 00 00 add %al,(%rax) + 20c0: 90 nop + 20c1: ef out %eax,(%dx) + 20c2: ff (bad) + 20c3: ff 10 call *(%rax) + ... 
+ 20cd: 00 00 add %al,(%rax) + 20cf: 00 1c 00 add %bl,(%rax,%rax,1) + 20d2: 00 00 add %al,(%rax) + 20d4: 8c 00 mov %es,(%rax) + 20d6: 00 00 add %al,(%rax) + 20d8: 71 f0 jno 20ca <__GNU_EH_FRAME_HDR+0xb6> + 20da: ff (bad) + 20db: ff 1b lcall *(%rbx) + 20dd: 00 00 add %al,(%rax) + 20df: 00 00 add %al,(%rax) + 20e1: 45 0e rex.RB (bad) + 20e3: 10 86 02 43 0d 06 adc %al,0x60d4302(%rsi) + 20e9: 52 push %rdx + 20ea: 0c 07 or $0x7,%al + 20ec: 08 00 or %al,(%rax) + ... + +00000000000020f0 <__FRAME_END__>: + 20f0: 00 00 add %al,(%rax) + ... + +Disassembly of section .init_array: + +0000000000003db8 <__frame_dummy_init_array_entry>: + 3db8: 40 11 00 rex adc %eax,(%rax) + 3dbb: 00 00 add %al,(%rax) + 3dbd: 00 00 add %al,(%rax) + ... + +Disassembly of section .fini_array: + +0000000000003dc0 <__do_global_dtors_aux_fini_array_entry>: + 3dc0: 00 11 add %dl,(%rcx) + 3dc2: 00 00 add %al,(%rax) + 3dc4: 00 00 add %al,(%rax) + ... + +Disassembly of section .dynamic: + +0000000000003dc8 <_DYNAMIC>: + 3dc8: 01 00 add %eax,(%rax) + 3dca: 00 00 add %al,(%rax) + 3dcc: 00 00 add %al,(%rax) + 3dce: 00 00 add %al,(%rax) + 3dd0: 27 (bad) + 3dd1: 00 00 add %al,(%rax) + 3dd3: 00 00 add %al,(%rax) + 3dd5: 00 00 add %al,(%rax) + 3dd7: 00 0c 00 add %cl,(%rax,%rax,1) + 3dda: 00 00 add %al,(%rax) + 3ddc: 00 00 add %al,(%rax) + 3dde: 00 00 add %al,(%rax) + 3de0: 00 10 add %dl,(%rax) + 3de2: 00 00 add %al,(%rax) + 3de4: 00 00 add %al,(%rax) + 3de6: 00 00 add %al,(%rax) + 3de8: 0d 00 00 00 00 or $0x0,%eax + 3ded: 00 00 add %al,(%rax) + 3def: 00 64 11 00 add %ah,0x0(%rcx,%rdx,1) + 3df3: 00 00 add %al,(%rax) + 3df5: 00 00 add %al,(%rax) + 3df7: 00 19 add %bl,(%rcx) + 3df9: 00 00 add %al,(%rax) + 3dfb: 00 00 add %al,(%rax) + 3dfd: 00 00 add %al,(%rax) + 3dff: 00 b8 3d 00 00 00 add %bh,0x3d(%rax) + 3e05: 00 00 add %al,(%rax) + 3e07: 00 1b add %bl,(%rbx) + 3e09: 00 00 add %al,(%rax) + 3e0b: 00 00 add %al,(%rax) + 3e0d: 00 00 add %al,(%rax) + 3e0f: 00 08 add %cl,(%rax) + 3e11: 00 00 add %al,(%rax) + 3e13: 00 
00 add %al,(%rax) + 3e15: 00 00 add %al,(%rax) + 3e17: 00 1a add %bl,(%rdx) + 3e19: 00 00 add %al,(%rax) + 3e1b: 00 00 add %al,(%rax) + 3e1d: 00 00 add %al,(%rax) + 3e1f: 00 c0 add %al,%al + 3e21: 3d 00 00 00 00 cmp $0x0,%eax + 3e26: 00 00 add %al,(%rax) + 3e28: 1c 00 sbb $0x0,%al + 3e2a: 00 00 add %al,(%rax) + 3e2c: 00 00 add %al,(%rax) + 3e2e: 00 00 add %al,(%rax) + 3e30: 08 00 or %al,(%rax) + 3e32: 00 00 add %al,(%rax) + 3e34: 00 00 add %al,(%rax) + 3e36: 00 00 add %al,(%rax) + 3e38: f5 cmc + 3e39: fe (bad) + 3e3a: ff 6f 00 ljmp *0x0(%rdi) + 3e3d: 00 00 add %al,(%rax) + 3e3f: 00 b0 03 00 00 00 add %dh,0x3(%rax) + 3e45: 00 00 add %al,(%rax) + 3e47: 00 05 00 00 00 00 add %al,0x0(%rip) # 3e4d <_DYNAMIC+0x85> + 3e4d: 00 00 add %al,(%rax) + 3e4f: 00 80 04 00 00 00 add %al,0x4(%rax) + 3e55: 00 00 add %al,(%rax) + 3e57: 00 06 add %al,(%rsi) + 3e59: 00 00 add %al,(%rax) + 3e5b: 00 00 add %al,(%rax) + 3e5d: 00 00 add %al,(%rax) + 3e5f: 00 d8 add %bl,%al + 3e61: 03 00 add (%rax),%eax + 3e63: 00 00 add %al,(%rax) + 3e65: 00 00 add %al,(%rax) + 3e67: 00 0a add %cl,(%rdx) + 3e69: 00 00 add %al,(%rax) + 3e6b: 00 00 add %al,(%rax) + 3e6d: 00 00 add %al,(%rax) + 3e6f: 00 8d 00 00 00 00 add %cl,0x0(%rbp) + 3e75: 00 00 add %al,(%rax) + 3e77: 00 0b add %cl,(%rbx) + 3e79: 00 00 add %al,(%rax) + 3e7b: 00 00 add %al,(%rax) + 3e7d: 00 00 add %al,(%rax) + 3e7f: 00 18 add %bl,(%rax) + 3e81: 00 00 add %al,(%rax) + 3e83: 00 00 add %al,(%rax) + 3e85: 00 00 add %al,(%rax) + 3e87: 00 15 00 00 00 00 add %dl,0x0(%rip) # 3e8d <_DYNAMIC+0xc5> + ... 
+ 3e95: 00 00 add %al,(%rax) + 3e97: 00 03 add %al,(%rbx) + 3e99: 00 00 add %al,(%rax) + 3e9b: 00 00 add %al,(%rax) + 3e9d: 00 00 add %al,(%rax) + 3e9f: 00 b8 3f 00 00 00 add %bh,0x3f(%rax) + 3ea5: 00 00 add %al,(%rax) + 3ea7: 00 02 add %al,(%rdx) + 3ea9: 00 00 add %al,(%rax) + 3eab: 00 00 add %al,(%rax) + 3ead: 00 00 add %al,(%rax) + 3eaf: 00 18 add %bl,(%rax) + 3eb1: 00 00 add %al,(%rax) + 3eb3: 00 00 add %al,(%rax) + 3eb5: 00 00 add %al,(%rax) + 3eb7: 00 14 00 add %dl,(%rax,%rax,1) + 3eba: 00 00 add %al,(%rax) + 3ebc: 00 00 add %al,(%rax) + 3ebe: 00 00 add %al,(%rax) + 3ec0: 07 (bad) + 3ec1: 00 00 add %al,(%rax) + 3ec3: 00 00 add %al,(%rax) + 3ec5: 00 00 add %al,(%rax) + 3ec7: 00 17 add %dl,(%rdi) + 3ec9: 00 00 add %al,(%rax) + 3ecb: 00 00 add %al,(%rax) + 3ecd: 00 00 add %al,(%rax) + 3ecf: 00 10 add %dl,(%rax) + 3ed1: 06 (bad) + 3ed2: 00 00 add %al,(%rax) + 3ed4: 00 00 add %al,(%rax) + 3ed6: 00 00 add %al,(%rax) + 3ed8: 07 (bad) + 3ed9: 00 00 add %al,(%rax) + 3edb: 00 00 add %al,(%rax) + 3edd: 00 00 add %al,(%rax) + 3edf: 00 50 05 add %dl,0x5(%rax) + 3ee2: 00 00 add %al,(%rax) + 3ee4: 00 00 add %al,(%rax) + 3ee6: 00 00 add %al,(%rax) + 3ee8: 08 00 or %al,(%rax) + 3eea: 00 00 add %al,(%rax) + 3eec: 00 00 add %al,(%rax) + 3eee: 00 00 add %al,(%rax) + 3ef0: c0 00 00 rolb $0x0,(%rax) + 3ef3: 00 00 add %al,(%rax) + 3ef5: 00 00 add %al,(%rax) + 3ef7: 00 09 add %cl,(%rcx) + 3ef9: 00 00 add %al,(%rax) + 3efb: 00 00 add %al,(%rax) + 3efd: 00 00 add %al,(%rax) + 3eff: 00 18 add %bl,(%rax) + 3f01: 00 00 add %al,(%rax) + 3f03: 00 00 add %al,(%rax) + 3f05: 00 00 add %al,(%rax) + 3f07: 00 1e add %bl,(%rsi) + 3f09: 00 00 add %al,(%rax) + 3f0b: 00 00 add %al,(%rax) + 3f0d: 00 00 add %al,(%rax) + 3f0f: 00 08 add %cl,(%rax) + 3f11: 00 00 add %al,(%rax) + 3f13: 00 00 add %al,(%rax) + 3f15: 00 00 add %al,(%rax) + 3f17: 00 fb add %bh,%bl + 3f19: ff (bad) + 3f1a: ff 6f 00 ljmp *0x0(%rdi) + 3f1d: 00 00 add %al,(%rax) + 3f1f: 00 01 add %al,(%rcx) + 3f21: 00 00 add %al,(%rax) + 3f23: 
08 00 or %al,(%rax) + 3f25: 00 00 add %al,(%rax) + 3f27: 00 fe add %bh,%dh + 3f29: ff (bad) + 3f2a: ff 6f 00 ljmp *0x0(%rdi) + 3f2d: 00 00 add %al,(%rax) + 3f2f: 00 20 add %ah,(%rax) + 3f31: 05 00 00 00 00 add $0x0,%eax + 3f36: 00 00 add %al,(%rax) + 3f38: ff (bad) + 3f39: ff (bad) + 3f3a: ff 6f 00 ljmp *0x0(%rdi) + 3f3d: 00 00 add %al,(%rax) + 3f3f: 00 01 add %al,(%rcx) + 3f41: 00 00 add %al,(%rax) + 3f43: 00 00 add %al,(%rax) + 3f45: 00 00 add %al,(%rax) + 3f47: 00 f0 add %dh,%al + 3f49: ff (bad) + 3f4a: ff 6f 00 ljmp *0x0(%rdi) + 3f4d: 00 00 add %al,(%rax) + 3f4f: 00 0e add %cl,(%rsi) + 3f51: 05 00 00 00 00 add $0x0,%eax + 3f56: 00 00 add %al,(%rax) + 3f58: f9 stc + 3f59: ff (bad) + 3f5a: ff 6f 00 ljmp *0x0(%rdi) + 3f5d: 00 00 add %al,(%rax) + 3f5f: 00 03 add %al,(%rbx) + ... + +Disassembly of section .got: + +0000000000003fb8 <_GLOBAL_OFFSET_TABLE_>: + 3fb8: c8 3d 00 00 enter $0x3d,$0x0 + ... + 3fd0: 30 10 xor %dl,(%rax) + ... + +Disassembly of section .data: + +0000000000004000 <__data_start>: + ... + +0000000000004008 <__dso_handle>: + 4008: 08 40 00 or %al,0x0(%rax) + 400b: 00 00 add %al,(%rax) + 400d: 00 00 add %al,(%rax) + ... + +Disassembly of section .bss: + +0000000000004010 : + ... + +Disassembly of section .comment: + +0000000000000000 <.comment>: + 0: 47 rex.RXB + 1: 43 rex.XB + 2: 43 3a 20 rex.XB cmp (%r8),%spl + 5: 28 55 62 sub %dl,0x62(%rbp) + 8: 75 6e jne 78 <__abi_tag-0x314> + a: 74 75 je 81 <__abi_tag-0x30b> + c: 20 31 and %dh,(%rcx) + e: 30 2e xor %ch,(%rsi) + 10: 35 2e 30 2d 31 xor $0x312d302e,%eax + 15: 75 62 jne 79 <__abi_tag-0x313> + 17: 75 6e jne 87 <__abi_tag-0x305> + 19: 74 75 je 90 <__abi_tag-0x2fc> + 1b: 31 7e 32 xor %edi,0x32(%rsi) + 1e: 32 2e xor (%rsi),%ch + 20: 30 34 29 xor %dh,(%rcx,%rbp,1) + 23: 20 31 and %dh,(%rcx) + 25: 30 2e xor %ch,(%rsi) + 27: 35 .byte 0x35 + 28: 2e 30 00 cs xor %al,(%rax) From e9e29568fc9e9b18e3e24eff0e15f653b0eb019f Mon Sep 17 00:00:00 2001 
From: pbonilla Date: Wed, 21 Feb 2024 13:13:17 +0100 Subject: [PATCH 03/20] it works time to clean up --- .vscode/settings.json | 3 +- a.out | Bin 16056 -> 0 bytes ft_printf/libft/Makefile | 1 + ft_printf/libft/ft_strnstr_nullterminated.c | 17 +++++++++ ft_printf/libft/libft.h | 2 ++ includes/woody.h | 4 +++ payload | Bin 40 -> 43 bytes print | Bin 4696 -> 4704 bytes print.s | 5 ++- srcs/woody.c | 37 +++++++++++++++----- 10 files changed, 57 insertions(+), 12 deletions(-) delete mode 100755 a.out create mode 100644 ft_printf/libft/ft_strnstr_nullterminated.c diff --git a/.vscode/settings.json b/.vscode/settings.json index 2386c0c..258e317 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,6 +1,7 @@ { "files.associations": { "stdio.h": "c", - "mman.h": "c" + "mman.h": "c", + "stdint.h": "c" } } \ No newline at end of file 
diff --git a/a.out b/a.out deleted file mode 100755 index 9c336ffb10a06c00d205eda9400c80cb8946baf9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16056 zcmeHOYit}>6~4QP6E{s_Cv9lrgk}f@^&wBZiEX8iH0#GE<6-e_L*3NdlRM5A0)l<7P95kkO?LMGT zOqFyTMirm*Whswrx3Zo56B`y?`{DNvZpyCvw(TAsOO91^%$$|UE0U=LI@PZJzV04#i@rtgsO7h|E3qFHG)pxxbRDd_$G*W6>+tHzs|%=taJ`!`D+EQ|u&N3h0C5VmhFg zF-V-5fZlulaY3^Iy+4k8!+F-zy+-3PN>K!&2t*NxA`nF&ia->BC<6aq5%_b{?f)>2 z{Grh}+VJbmN*SN8I&t^BapdL3m%IygJH8I}HTOf`05ok>e`#XbzS!a$*{iQ zS$madhg=TIiMRSH7d~NBE*nSQnAtm+N>mfC8ppT)9HqEx_QUfpBYM-u&w2Ghe+C-k zc*ALeduN?BXj&)b(X^Y~OHCUm$?+vd_*Xptj?WU@b=|1U7%%>Dhw(e1y7Fue}fIi1GoY(oqD zVvm74kN@Uj7^$EG;31eATK_VbMkO_EoJ-Bn%Y$(=HDmnkqEY!Nj3>$Xf%CA>LXTr$ z=0`L+H!80gm2=Zm*Im~*dSH4AD&_vlgICcVRE5`9wca6zC`A#7A`nF&ia->BC<0Lg zq6kD0h$0Y0Ac{Z~fg494Mqj(uFS@@CuJj7JVa9dSzz2ZGfc?Pl03QX?H^S6a*Znb& zzGYI1J+V*4#+zg7moIHRfe%%rr*HO+@c%G5^e**2o!x;febYVlC)d@0YGw1zm1`er zy7_S9q}tJP-`!j9@IDU`|4|&z!B4)qkvr)f9N!A*sV-{gQ>f1Zs?^HnFT{IREQx;% zEh0sfq6kD0h$0Y0Ac{Z~fhYn|1fmE;5r`u2za0TtS19WUWsM-MRiw1shuXr$6)Zo` z>kerhC?#31xZW3)yfU@0EbA8OJ&Tgq|9agmkbH_48_L?k$;G6dTaS8??aO?%dWP|4 z#%SF`=^EX#Fp@&7fD_2A(G+k!96VdKA%W!-7mB~ks_ z>1A%Ua?Uv3LF;{+8cyGxsJhj+FIUbbs;3@kYS8tE_w4C?MAw(8T|GVbX?GqND(9WD zmT1#E^tRSS*%K2_ZrP%@wco|+a5XiV;<;E|b!!UFP=Cc>ImQ9iSbqz!o(38I(!aE_@KHIVdW>2F${9aHa9a)0<%r9O=em0!C*+3-cre@*Rv z6aSOQ)NB7j*F}o~V)!@Yk|rh0VZCzBdj7Ym@Ob&9N4rHW*5>$>yNn~I*4FMjvCbk> zZ@u>#1Vj_3046;>o-)aR64?aw&1zjOo?_hw{p$ECCC?|(Kgj;!az5gfFJ5!_ap+gY z*QxM$9wj|pf#&=2V@f>^eKY!ZZ*r~-%Jo9O8kU1RPQ3rJp#K#6%Xkph)9l~J&sU2L z$2`4w&Ed1qQ#-@;z5u;8=T^&|gML#@n#){|tR;P4-cEvz8^c8> zp%<_q-Wtl7jy0;FC^_Yk5q((AEuJ@>oHw8lz?Qy)0yX58nd(6;X>Lr9lPY9 zWv01vU)Mm&OzrM9v3$Sxk=6aX=ANB9_ooKU!LIK9 z6d2*{1WDOMaHEX_cG_|*IsGPwDm`s{gUEO`HG+;dUF{?DD^z=j?Rru%> zeaqu^v6Ly~=LsfkMLTN|fpdqlj?%rh>d5M&1&EX>*~3bA>~V-Rg5X{7dO)|wc+8BY zQJP488UEn$8Ing;RxX3Wd^&=!bd1^@2IJiQ^Imf_U&1YhXT6`o``Bc@#AeS|@`NA6 zL30%0FSK8ad@0Gi#Fvz!?RY_cc;6QN-yTfzyb~S$t_At>yDF%OBV(BVF!XO@jw9`t 
zd7z-w&(pDYwci4t=77SNd7|KRTrahe;w;xM^R*0gG!+p3BsWk{=9zHu5|t55pM*ej zIN{5@O>iYUOZ&x7@JZNdPAIa>3kBPlA8tRZ)p2B~$-?iYH zL5UObDIexP3mwHo%CG%?@b8Gc55UDs;r{<7v_Zbcyc#l3Kz^PCPlotOHVBH}Li|%9 z{$3^s-iUuD#6QRc!G}TvCS2Z6LVTIG2+I4Gv_BlbpE18Sr_$JyG3+n0;4hdj<45Lk zg6&+Kfbc~AO^Clu^DTnUizB0qA5mXHhVBu0zmfMy*=HH{7g_KsxJ?1R%%iJ3Q4v45 zcu8czcc7)QEA`9#R`$)x{#d&IC<#yc@w?Db7YkqBGp9C_Ha0$pkzDlxd zn~wuErk~M5@^X-=EU91SlLO2bz0jzxU|PlXvwO`XeEAf25w>($qeJtEYsMHL-NFlu?75SnUE6#dA)8u;m*J)!VQp*ka{{mI~2?hWF diff --git a/ft_printf/libft/Makefile b/ft_printf/libft/Makefile index 0ff9c4e..9bfb217 100644 --- a/ft_printf/libft/Makefile +++ b/ft_printf/libft/Makefile @@ -41,6 +41,7 @@ SRCS = $(SRCS_PATH)ft_atoi.c \ $(SRCS_PATH)ft_bzero.c \ $(SRCS_PATH)ft_strdup.c \ $(SRCS_PATH)ft_strnstr.c \ + $(SRCS_PATH)ft_strnstr_nullterminated.c \ $(SRCS_PATH)ft_calloc.c \ $(SRCS_PATH)ft_substr.c \ $(SRCS_PATH)ft_strjoin.c \ diff --git a/ft_printf/libft/ft_strnstr_nullterminated.c b/ft_printf/libft/ft_strnstr_nullterminated.c new file mode 100644 index 0000000..3f13db2 --- /dev/null +++ b/ft_printf/libft/ft_strnstr_nullterminated.c @@ -0,0 +1,17 @@ +#include "libft.h" + +char *ft_strnstr_nullterminated(const char *big, const char *little, size_t len) +{ + size_t len_l; + + if (*little == 0) + return ((char *)big); + len_l = ft_strlen(little); + while (len-- >= len_l) + { + if (*big == *little && ft_strncmp(big, little, len_l) == 0) + return ((char *)big); + big++; + } + return (NULL); +} \ No newline at end of file diff --git a/ft_printf/libft/libft.h b/ft_printf/libft/libft.h index 93441d3..fd6ed1d 100644 --- a/ft_printf/libft/libft.h +++ b/ft_printf/libft/libft.h 
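Review bot: `ft_strncmp(big, little, len_l)` stops at the first NUL it meets and `ft_strlen(little)` measures the needle only up to its first NUL, so this helper is binary-safe on the haystack side only — the later woody.c hunk on this page uses it to scan raw machine code for a 5-byte jmp pattern, which works today because `"\xe9\xdf\xff\xff\xff"` has no zero byte, but a placeholder like `\xe9\x00\x00\x00\x00` would silently be searched as one byte. Compare with `ft_memcmp` and take the needle length as a parameter, or at minimum state the contract in a header comment: `/* haystack may contain NUL bytes; needle must not, its length is taken with ft_strlen */`. `while (len-- >= len_l)` also post-decrements a size_t past zero on the final failing test; harmless because the loop exits, but `for (; len >= len_l; len--, big++)` expresses the same bound without the wrap.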
@@ -37,6 +37,7 @@ int ft_strncmp(const char *s1, const char *s2, size_t n); size_t ft_strlcpy(char *dst, const char *src, size_t size); size_t ft_strlcat(char *dst, const char *src, size_t size); char *ft_strnstr(const char *big, const char *little, size_t len); +char *ft_strnstr_nullterminated(const char *big, const char *little, size_t len); int ft_atoi(const char *nptr); char *ft_substr(char const *s, unsigned int start, size_t len); char *ft_strjoin(char const *s1, char const *s2); @@ -55,6 +56,7 @@ void *ft_calloc(size_t nmemb, size_t size); char *ft_convert_base(char *nbr, char *base_from, char *base_to); char *ft_u_convert(char *nbr, char *base_from, char *base_to); void ft_rev_int_tab(char *tab, int size); + typedef struct s_list { void *content; diff --git a/includes/woody.h b/includes/woody.h index 7fc6f23..c5f23e3 100644 --- a/includes/woody.h +++ b/includes/woody.h @@ -12,6 +12,10 @@ #include #include #include +#include + +#define PAYLOAD "\x50\x57\x56\x52\x53\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x0c\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xdf\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a" +#define JUMP "\xe9\xdf\xff\xff\xff"; typedef struct efl_content { diff --git a/payload b/payload index fe0bf4eeebc875e56df6ae84757fb018be02028c..37d7f4523531c0171bf85412fd665df6ee7ba4a2 100644 GIT binary patch literal 43 zcmWFt4+{!5JTP+;*Z%{Z$31#Yc^DWN_*tW);^HG--v9sqzn)&WzrRbQo*owff%Fjt literal 40 wcmWFt4+{!5JTP+;*Z%{Z$31#YIT;uj_*tW(qvGNt4(sWK`}?~@>gjO-05Zo7S^xk5 diff --git a/print b/print index c4d460bc1a25e44ab6e64179e45f7b70344b92c9..f16118f5abef9cc1096627e208402957e30fefa5 100755 GIT binary patch delta 98 zcmcbi@<3&R2BX46&3sO61_;pJxUhg>!}P qsJJ;%K%9{SreWej37{~`GK_MY kGX=yM88s$13Yr7Sor3m^7bgD{wCDUP05L#uGNX_@0P!jny#N3J diff --git a/print.s b/print.s index 1fb08fe..6b75ec4 100644 --- a/print.s +++ b/print.s @@ -8,6 +8,7 @@ _start: push rsi push rdx push rbx + xor eax, eax cdq mov dl, 10 
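Review bot: `#define JUMP "\xe9\xdf\xff\xff\xff";` carries its trailing semicolon into every expansion, so `char *jump = JUMP;` becomes two statements and the macro cannot be used inside an expression such as `sizeof(JUMP) - 1` the way PAYLOAD is; drop it: `#define JUMP "\xe9\xdf\xff\xff\xff"`. The same semicolon survives the redefinition of JUMP in the woody.h hunk of PATCH 04 below. PAYLOAD is a hand-pasted byte string that has to stay in sync with print.s, and the only place that says how it was produced is the README added in PATCH 04; a one-line comment above the define, e.g. `/* raw bytes of print.s (nasm -f bin); the rel32 after the 0xe9 is patched at inject time */`, would spare the next reader a disassembly.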
@@ -15,14 +16,12 @@ _start: mov edi, eax lea rsi, [rel msg] syscall - pop rdx - pop rbx pop rdx pop rsi pop rdi pop rax - ret + jmp 0x00000000 msg db "..WOODY..",10 diff --git a/srcs/woody.c b/srcs/woody.c index 17cabd9..8a44c50 100644 --- a/srcs/woody.c +++ b/srcs/woody.c @@ -1,7 +1,5 @@ #include "../includes/woody.h" -#define CODE_MACRO "\x50\x57\x56\x52\x53\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x09\x00\x00\x00\x0f\x05\x5a\x5b\x5a\x5e\x5f\x58\xc3\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a" -char jmp[] = "\xe9\x00\x00\x00\x00"; int elf_magic_numbers(char *str) { @@ -57,6 +55,18 @@ int get_load_segment(t_efl_content *woody, int start, bool executable) return -1; } + +int32_t find_jmp(char *code, size_t len) +{ + char *jump = JUMP; + char *ptr = ft_strnstr_nullterminated(code, jump, len); + if (ptr) + { + return ptr - code; + } + return 0; +} + void find_cave(t_efl_content *woody) { woody->Phdr = (Elf64_Phdr *)secure_jump(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr)); 
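Review bot: `return 0;` in find_jmp when the signature is not found is indistinguishable from a match at offset 0, and find_cave (next hunk) patches `payload[jmp + 1]` unconditionally, so a payload without the signature gets its second byte silently overwritten instead of being rejected. Return a sentinel the caller can test, e.g. `return -1;`, and have find_cave bail out on a negative result before the memcpy. `return ptr - code;` also narrows a ptrdiff_t to int32_t without a check; harmless for a 43-byte payload, but a comment such as `// byte offset of the jmp opcode inside the payload; payload length is far below INT32_MAX` would record the assumption. The search relies on the first JUMP match being the real instruction, so keep the full 5-byte signature rather than the opcode alone.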
@@ -69,21 +79,32 @@ void find_cave(t_efl_content *woody) printf("code_cave_start = %lx, virtual adress = %lx\n", woody->Phdr[i].p_offset, woody->Phdr[i].p_vaddr); printf("code_cave_size = %lx\n", woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz)); + Elf64_Off payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz; - Elf64_Off payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz; + size_t len = sizeof(PAYLOAD) - 1; + char payload[] = PAYLOAD; + int32_t jmp = find_jmp(payload, len); + printf("%ld\n", (long int)payload[jmp + 1]); + int32_t test = ((payload_off + len) - woody->Ehdr->e_entry) * -1; - size_t len = sizeof(CODE_MACRO) - 1; - ft_memcpy(woody->file + payload_off, CODE_MACRO, len); + ft_memcpy(&payload[jmp + 1], &test, sizeof(test)); + + ft_memcpy(woody->file + payload_off, payload, len); printf("old entry : %lx\n", woody->Ehdr->e_entry); - woody->Ehdr->e_entry = woody->Phdr[i].p_vaddr + woody->Phdr[i].p_filesz; + printf("backward offset = %ld\n", (payload_off + len) - woody->Ehdr->e_entry); + woody->Ehdr->e_entry = payload_off; woody->Phdr[i].p_filesz += len; woody->Phdr[i].p_memsz += len; + + + printf("new entry = %lx\n", woody->Ehdr->e_entry); - printf("e_entry = %lx\n", woody->Ehdr->e_entry); printf("p_filesz = %lx\n", woody->Phdr[i].p_filesz); printf("p_memsz = %lx\n", woody->Phdr[i].p_memsz); + woody->file_size += len; + } @@ -148,6 +169,6 @@ int inject(t_efl_content *woody) ft_memcpy(woody_file, woody->file, woody->file_size); // encrypt_zone(woody_file, strtab_header->sh_offset , strtab_header->sh_size); - + munmap(woody_file, woody->file_size); return save_elf("woody", woody_file, woody->file_size); } \ No newline at end of file From 086bda76420fedf921dadea411d097c0e2aa986c Mon Sep 17 00:00:00 2001 
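Review bot: The jump displacement and the new entry point mix file offsets with virtual addresses: `woody->Ehdr->e_entry = payload_off;` stores a file offset where ELF expects a virtual address, and `test` is computed from `payload_off + len`, which is both the wrong address space and the wrong base — a rel32 is relative to the byte after the displacement (`payload + jmp + 5`), not to the end of the payload, so even where the two spaces coincide the jump lands 10 bytes before the old entry. The rewrite below derives the payload's vaddr from the segment's `p_vaddr - p_offset` delta, saves the old entry before overwriting it, and uses the correct base. Two further points: `payload_off` is now built from `p_memsz` rather than `p_filesz`, which lands past the segment's file bytes whenever the two differ, and nothing checks that `payload_off + len` fits in the cave (or in `file_size`) before `ft_memcpy` writes there, while `woody->file_size += len;` still grows the size even though the bytes went into an existing cave, so the later copy in inject reads `len` bytes past the mapping. find_cave's body starts outside the hunk.
```c
// … unchanged: cave prints, payload_off / len / payload / jmp …
// virtual address of the payload: same distance from the segment start as its file offset
Elf64_Addr payload_vaddr = woody->Phdr[i].p_vaddr + (payload_off - woody->Phdr[i].p_offset);
Elf64_Addr old_entry = woody->Ehdr->e_entry;
// rel32 is relative to the byte after the 5-byte jmp (1 opcode + 4 displacement), not to the end of the payload
int32_t rel = (int32_t)(old_entry - (payload_vaddr + jmp + 5));
ft_memcpy(&payload[jmp + 1], &rel, sizeof(rel));
ft_memcpy(woody->file + payload_off, payload, len);
woody->Ehdr->e_entry = payload_vaddr;
// … unchanged: p_filesz / p_memsz bump and prints …
```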
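Review bot: `munmap(woody_file, woody->file_size);` is inserted immediately before `return save_elf("woody", woody_file, woody->file_size);`, so save_elf is handed a buffer that has just been unmapped — a use-after-unmap that will fault (or write garbage) as soon as save_elf touches it. Unmap after the save: `int ret = save_elf("woody", woody_file, woody->file_size);` / `munmap(woody_file, woody->file_size);` / `return ret;`. munmap's return value is also ignored; on this path a failure only merits a diagnostic, but it should not be silent. inject's body starts outside the hunk.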
From: pbonilla Date: Wed, 21 Feb 2024 13:54:33 +0100 Subject: [PATCH 04/20] a little cleanup --- Makefile | 3 +- README | 5 + includes/woody.h | 9 +- p_memsz | 0 p_offset | 0 payload | Bin 43 -> 0 bytes print | Bin 4704 -> 0 bytes sample | 825 ----------------------------------------------- sample.txt | 825 ----------------------------------------------- shell_test | Bin 15824 -> 0 bytes shellcode_test.c | 9 - srcs/encrypt.c | 11 + srcs/main.c | 2 +- srcs/utils.c | 2 +- srcs/woody.c | 116 +++---- woody.txt | 825 ----------------------------------------------- 16 files changed, 76 insertions(+), 2556 deletions(-) create mode 100644 README delete mode 100644 p_memsz delete mode 100644 p_offset delete mode 100644 payload delete mode 100755 print delete mode 100644 sample delete mode 100644 sample.txt delete mode 100755 shell_test create mode 100644 srcs/encrypt.c delete mode 100644 woody.txt diff --git a/Makefile b/Makefile index 59ab4ab..c441a74 100644 --- a/Makefile +++ b/Makefile @@ -4,7 +4,8 @@ SRCS_PATH = srcs/ SRCS = $(SRCS_PATH)main.c \ $(SRCS_PATH)utils.c \ - $(SRCS_PATH)woody.c + $(SRCS_PATH)woody.c \ + $(SRCS_PATH)encrypt.c OBJS = ${SRCS:.c=.o} diff --git a/README b/README new file mode 100644 index 0000000..ff6b199 --- /dev/null +++ b/README @@ -0,0 +1,5 @@ +Transform payload code in hexa : + +nasm -f elf64 -o print.o print.s && ld -o print print.o && nasm -f bin -o payload print.s && hexdump -v -e '"\\\x\" 1/1 "%02x"' payload + +Append : | xclip -sel clip to directly get it in clipboard \ No newline at end of file diff --git a/includes/woody.h b/includes/woody.h index c5f23e3..64bb890 100644 --- a/includes/woody.h +++ b/includes/woody.h 
@@ -15,7 +15,7 @@ #include #define PAYLOAD "\x50\x57\x56\x52\x53\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x0c\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xdf\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a" -#define JUMP "\xe9\xdf\xff\xff\xff"; +#define JUMP "\xe9";//\xdf\xff\xff\xff"; typedef struct efl_content { @@ -29,10 +29,13 @@ typedef struct efl_content // utils.c -void *secure_jump(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size); +void *fetch(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size); int ft_put_error(char *str); // woody.c -int inject(t_efl_content *woody); +int prepare_injection(t_efl_content *woody); + +// encrypt.c +void encrypt(char *file, unsigned long int offset, unsigned long int size); #endif \ No newline at end of file diff --git a/p_memsz b/p_memsz deleted file mode 100644 index e69de29..0000000 diff --git a/p_offset b/p_offset deleted file mode 100644 index e69de29..0000000 diff --git a/payload b/payload deleted file mode 100644 index 37d7f4523531c0171bf85412fd665df6ee7ba4a2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 43 zcmWFt4+{!5JTP+;*Z%{Z$31#Yc^DWN_*tW);^HG--v9sqzn)&WzrRbQo*owff%Fjt diff --git a/print b/print deleted file mode 100755 index f16118f5abef9cc1096627e208402957e30fefa5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4704 zcmb<-^>JfjWMqH=CI&kOFi*e%ECeAL7!(9yDi|0X7%Ui=fFvse3s@}+LJG)&>44B1 zpmH#pK>#8EvV#@Ggz_1n_Q7avh%yEk4Oa&hAEib^U^E0qLtr!nMnhmU1V%$(Gz3ON zU^E0qLtr!nMnhmU1c(oTfbg)OV8a75H*x(x(0SaW*OUjSm!CB{DlR_a<)8om|Lf_6 z`}?~@>gjReH5AmJXJPpGA6*eASb&j15!SzlDi8wF0-(_YG;v;-xPk*zC4`d1A+CT! zoS~p7Gp|Iim?5_~ogqFxskk`4xFoTtgdsjPC9xzCNadw4Fz6Lm=9VNT0qK$=2%Q0A zm84dbK&+;Slm_Ysg$*0b6qtXZ;~wzw4X8Y9I0U8~q?ZZCL81+y3RghIn1M71b3pkL lP#P5eAaQhX1FByYO#);eG5`(xVAKB>s$UUVF_4X}9{>fUH=O_g 
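Review bot: Shrinking JUMP to the bare opcode `"\xe9"` makes find_jmp match the first 0xe9 byte anywhere in the payload, including inside an immediate or displacement of an earlier instruction, so a future payload edit can move the patch point to the wrong byte without any error. Either keep the full instruction bytes as the signature or record the offset explicitly when the payload is regenerated, and document the invariant next to the macro: `/* must be the only 0xe9 byte in PAYLOAD up to the jmp */`. The trailing `;` kept on the new line is still part of every expansion and should go, as should the commented-out tail on the same line.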
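Review bot: `void encrypt(char *file, unsigned long int offset, unsigned long int size);` reuses the name of the POSIX `encrypt()` that glibc declares in unistd.h; the `#include` targets are stripped in this rendering so I cannot confirm unistd.h is included, but if it is the conflicting prototype is a compile error, and if it is not the definition still interposes on a libc symbol. A project-prefixed name, e.g. `void woody_encrypt(char *file, unsigned long int offset, unsigned long int size);`, avoids both. The renamed `fetch` and `prepare_injection` prototypes would also benefit from a one-line comment each stating what they return on failure, since `prepare_injection` returns an int that callers presumably test.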
diff --git a/sample b/sample deleted file mode 100644 index e8f30c0..0000000 --- a/sample +++ /dev/null 
@@ -1,825 +0,0 @@ - -resources/sample64: file format elf64-x86-64 - - -Disassembly of section .interp: - -0000000000000318 <.interp>: - 318: 2f (bad) - 319: 6c insb (%dx),%es:(%rdi) - 31a: 69 62 36 34 2f 6c 64 imul $0x646c2f34,0x36(%rdx),%esp - 321: 2d 6c 69 6e 75 sub $0x756e696c,%eax - 326: 78 2d js 355 <__abi_tag-0x37> - 328: 78 38 js 362 <__abi_tag-0x2a> - 32a: 36 2d 36 34 2e 73 ss sub $0x732e3436,%eax - 330: 6f outsl %ds:(%rsi),(%dx) - 331: 2e 32 00 cs xor (%rax),%al - -Disassembly of section .note.gnu.property: - -0000000000000338 <.note.gnu.property>: - 338: 04 00 add $0x0,%al - 33a: 00 00 add %al,(%rax) - 33c: 20 00 and %al,(%rax) - 33e: 00 00 add %al,(%rax) - 340: 05 00 00 00 47 add $0x47000000,%eax - 345: 4e 55 rex.WRX push %rbp - 347: 00 02 add %al,(%rdx) - 349: 00 00 add %al,(%rax) - 34b: c0 04 00 00 rolb $0x0,(%rax,%rax,1) - 34f: 00 03 add %al,(%rbx) - 351: 00 00 add %al,(%rax) - 353: 00 00 add %al,(%rax) - 355: 00 00 add %al,(%rax) - 357: 00 02 add %al,(%rdx) - 359: 80 00 c0 addb $0xc0,(%rax) - 35c: 04 00 add $0x0,%al - 35e: 00 00 add %al,(%rax) - 360: 01 00 add %eax,(%rax) - 362: 00 00 add %al,(%rax) - 364: 00 00 add %al,(%rax) - ... 
- -Disassembly of section .note.gnu.build-id: - -0000000000000368 <.note.gnu.build-id>: - 368: 04 00 add $0x0,%al - 36a: 00 00 add %al,(%rax) - 36c: 14 00 adc $0x0,%al - 36e: 00 00 add %al,(%rax) - 370: 03 00 add (%rax),%eax - 372: 00 00 add %al,(%rax) - 374: 47 rex.RXB - 375: 4e 55 rex.WRX push %rbp - 377: 00 aa 0d f4 0f 29 add %ch,0x290ff40d(%rdx) - 37d: 9d popf - 37e: 21 c9 and %ecx,%ecx - 380: 16 (bad) - 381: 1e (bad) - 382: 8a 34 ce mov (%rsi,%rcx,8),%dh - 385: 99 cltd - 386: 69 cc 15 8d 7d 01 imul $0x17d8d15,%esp,%ecx - -Disassembly of section .note.ABI-tag: - -000000000000038c <__abi_tag>: - 38c: 04 00 add $0x0,%al - 38e: 00 00 add %al,(%rax) - 390: 10 00 adc %al,(%rax) - 392: 00 00 add %al,(%rax) - 394: 01 00 add %eax,(%rax) - 396: 00 00 add %al,(%rax) - 398: 47 rex.RXB - 399: 4e 55 rex.WRX push %rbp - 39b: 00 00 add %al,(%rax) - 39d: 00 00 add %al,(%rax) - 39f: 00 03 add %al,(%rbx) - 3a1: 00 00 add %al,(%rax) - 3a3: 00 02 add %al,(%rdx) - 3a5: 00 00 add %al,(%rax) - 3a7: 00 00 add %al,(%rax) - 3a9: 00 00 add %al,(%rax) - ... - -Disassembly of section .gnu.hash: - -00000000000003b0 <.gnu.hash>: - 3b0: 02 00 add (%rax),%al - 3b2: 00 00 add %al,(%rax) - 3b4: 06 (bad) - 3b5: 00 00 add %al,(%rax) - 3b7: 00 01 add %al,(%rcx) - 3b9: 00 00 add %al,(%rax) - 3bb: 00 06 add %al,(%rsi) - 3bd: 00 00 add %al,(%rax) - 3bf: 00 00 add %al,(%rax) - 3c1: 00 81 00 00 00 00 add %al,0x0(%rcx) - 3c7: 00 06 add %al,(%rsi) - 3c9: 00 00 add %al,(%rax) - 3cb: 00 00 add %al,(%rax) - 3cd: 00 00 add %al,(%rax) - 3cf: 00 d1 add %dl,%cl - 3d1: 65 ce gs (bad) - 3d3: 6d insl (%dx),%es:(%rdi) - -Disassembly of section .dynsym: - -00000000000003d8 <.dynsym>: - ... - 3f0: 10 00 adc %al,(%rax) - 3f2: 00 00 add %al,(%rax) - 3f4: 12 00 adc (%rax),%al - ... - 406: 00 00 add %al,(%rax) - 408: 48 00 00 rex.W add %al,(%rax) - 40b: 00 20 add %ah,(%rax) - ... - 41d: 00 00 add %al,(%rax) - 41f: 00 22 add %ah,(%rdx) - 421: 00 00 add %al,(%rax) - 423: 00 12 add %dl,(%rdx) - ... 
- 435: 00 00 add %al,(%rax) - 437: 00 64 00 00 add %ah,0x0(%rax,%rax,1) - 43b: 00 20 add %ah,(%rax) - ... - 44d: 00 00 add %al,(%rax) - 44f: 00 73 00 add %dh,0x0(%rbx) - 452: 00 00 add %al,(%rax) - 454: 20 00 and %al,(%rax) - ... - 466: 00 00 add %al,(%rax) - 468: 01 00 add %eax,(%rax) - 46a: 00 00 add %al,(%rax) - 46c: 22 00 and (%rax),%al - ... - -Disassembly of section .dynstr: - -0000000000000480 <.dynstr>: - 480: 00 5f 5f add %bl,0x5f(%rdi) - 483: 63 78 61 movsxd 0x61(%rax),%edi - 486: 5f pop %rdi - 487: 66 69 6e 61 6c 69 imul $0x696c,0x61(%rsi),%bp - 48d: 7a 65 jp 4f4 <__abi_tag+0x168> - 48f: 00 5f 5f add %bl,0x5f(%rdi) - 492: 6c insb (%dx),%es:(%rdi) - 493: 69 62 63 5f 73 74 61 imul $0x6174735f,0x63(%rdx),%esp - 49a: 72 74 jb 510 <__abi_tag+0x184> - 49c: 5f pop %rdi - 49d: 6d insl (%dx),%es:(%rdi) - 49e: 61 (bad) - 49f: 69 6e 00 70 75 74 73 imul $0x73747570,0x0(%rsi),%ebp - 4a6: 00 6c 69 62 add %ch,0x62(%rcx,%rbp,2) - 4aa: 63 2e movsxd (%rsi),%ebp - 4ac: 73 6f jae 51d <__abi_tag+0x191> - 4ae: 2e 36 00 47 4c cs ss add %al,0x4c(%rdi) - 4b3: 49 rex.WB - 4b4: 42 rex.X - 4b5: 43 5f rex.XB pop %r15 - 4b7: 32 2e xor (%rsi),%ch - 4b9: 32 2e xor (%rsi),%ch - 4bb: 35 00 47 4c 49 xor $0x494c4700,%eax - 4c0: 42 rex.X - 4c1: 43 5f rex.XB pop %r15 - 4c3: 32 2e xor (%rsi),%ch - 4c5: 33 34 00 xor (%rax,%rax,1),%esi - 4c8: 5f pop %rdi - 4c9: 49 54 rex.WB push %r12 - 4cb: 4d 5f rex.WRB pop %r15 - 4cd: 64 65 72 65 fs gs jb 536 <__abi_tag+0x1aa> - 4d1: 67 69 73 74 65 72 54 imul $0x4d547265,0x74(%ebx),%esi - 4d8: 4d - 4d9: 43 6c rex.XB insb (%dx),%es:(%rdi) - 4db: 6f outsl %ds:(%rsi),(%dx) - 4dc: 6e outsb %ds:(%rsi),(%dx) - 4dd: 65 54 gs push %rsp - 4df: 61 (bad) - 4e0: 62 (bad) - 4e1: 6c insb (%dx),%es:(%rdi) - 4e2: 65 00 5f 5f add %bl,%gs:0x5f(%rdi) - 4e6: 67 6d insl (%dx),%es:(%edi) - 4e8: 6f outsl %ds:(%rsi),(%dx) - 4e9: 6e outsb %ds:(%rsi),(%dx) - 4ea: 5f pop %rdi - 4eb: 73 74 jae 561 <__abi_tag+0x1d5> - 4ed: 61 (bad) - 4ee: 72 74 jb 564 <__abi_tag+0x1d8> - 4f0: 5f pop %rdi 
- 4f1: 5f pop %rdi - 4f2: 00 5f 49 add %bl,0x49(%rdi) - 4f5: 54 push %rsp - 4f6: 4d 5f rex.WRB pop %r15 - 4f8: 72 65 jb 55f <__abi_tag+0x1d3> - 4fa: 67 69 73 74 65 72 54 imul $0x4d547265,0x74(%ebx),%esi - 501: 4d - 502: 43 6c rex.XB insb (%dx),%es:(%rdi) - 504: 6f outsl %ds:(%rsi),(%dx) - 505: 6e outsb %ds:(%rsi),(%dx) - 506: 65 54 gs push %rsp - 508: 61 (bad) - 509: 62 .byte 0x62 - 50a: 6c insb (%dx),%es:(%rdi) - 50b: 65 gs - ... - -Disassembly of section .gnu.version: - -000000000000050e <.gnu.version>: - 50e: 00 00 add %al,(%rax) - 510: 02 00 add (%rax),%al - 512: 01 00 add %eax,(%rax) - 514: 03 00 add (%rax),%eax - 516: 01 00 add %eax,(%rax) - 518: 01 00 add %eax,(%rax) - 51a: 03 00 add (%rax),%eax - -Disassembly of section .gnu.version_r: - -0000000000000520 <.gnu.version_r>: - 520: 01 00 add %eax,(%rax) - 522: 02 00 add (%rax),%al - 524: 27 (bad) - 525: 00 00 add %al,(%rax) - 527: 00 10 add %dl,(%rax) - 529: 00 00 add %al,(%rax) - 52b: 00 00 add %al,(%rax) - 52d: 00 00 add %al,(%rax) - 52f: 00 75 1a add %dh,0x1a(%rbp) - 532: 69 09 00 00 03 00 imul $0x30000,(%rcx),%ecx - 538: 31 00 xor %eax,(%rax) - 53a: 00 00 add %al,(%rax) - 53c: 10 00 adc %al,(%rax) - 53e: 00 00 add %al,(%rax) - 540: b4 91 mov $0x91,%ah - 542: 96 xchg %eax,%esi - 543: 06 (bad) - 544: 00 00 add %al,(%rax) - 546: 02 00 add (%rax),%al - 548: 3d 00 00 00 00 cmp $0x0,%eax - 54d: 00 00 add %al,(%rax) - ... - -Disassembly of section .rela.dyn: - -0000000000000550 <.rela.dyn>: - 550: b8 3d 00 00 00 mov $0x3d,%eax - 555: 00 00 add %al,(%rax) - 557: 00 08 add %cl,(%rax) - 559: 00 00 add %al,(%rax) - 55b: 00 00 add %al,(%rax) - 55d: 00 00 add %al,(%rax) - 55f: 00 40 11 add %al,0x11(%rax) - 562: 00 00 add %al,(%rax) - 564: 00 00 add %al,(%rax) - 566: 00 00 add %al,(%rax) - 568: c0 3d 00 00 00 00 00 sarb $0x0,0x0(%rip) # 56f <__abi_tag+0x1e3> - 56f: 00 08 add %cl,(%rax) - ... 
- 579: 11 00 adc %eax,(%rax) - 57b: 00 00 add %al,(%rax) - 57d: 00 00 add %al,(%rax) - 57f: 00 08 add %cl,(%rax) - 581: 40 00 00 rex add %al,(%rax) - 584: 00 00 add %al,(%rax) - 586: 00 00 add %al,(%rax) - 588: 08 00 or %al,(%rax) - 58a: 00 00 add %al,(%rax) - 58c: 00 00 add %al,(%rax) - 58e: 00 00 add %al,(%rax) - 590: 08 40 00 or %al,0x0(%rax) - 593: 00 00 add %al,(%rax) - 595: 00 00 add %al,(%rax) - 597: 00 d8 add %bl,%al - 599: 3f (bad) - 59a: 00 00 add %al,(%rax) - 59c: 00 00 add %al,(%rax) - 59e: 00 00 add %al,(%rax) - 5a0: 06 (bad) - 5a1: 00 00 add %al,(%rax) - 5a3: 00 01 add %al,(%rcx) - ... - 5ad: 00 00 add %al,(%rax) - 5af: 00 e0 add %ah,%al - 5b1: 3f (bad) - 5b2: 00 00 add %al,(%rax) - 5b4: 00 00 add %al,(%rax) - 5b6: 00 00 add %al,(%rax) - 5b8: 06 (bad) - 5b9: 00 00 add %al,(%rax) - 5bb: 00 02 add %al,(%rdx) - ... - 5c5: 00 00 add %al,(%rax) - 5c7: 00 e8 add %ch,%al - 5c9: 3f (bad) - 5ca: 00 00 add %al,(%rax) - 5cc: 00 00 add %al,(%rax) - 5ce: 00 00 add %al,(%rax) - 5d0: 06 (bad) - 5d1: 00 00 add %al,(%rax) - 5d3: 00 04 00 add %al,(%rax,%rax,1) - ... - 5de: 00 00 add %al,(%rax) - 5e0: f0 3f lock (bad) - 5e2: 00 00 add %al,(%rax) - 5e4: 00 00 add %al,(%rax) - 5e6: 00 00 add %al,(%rax) - 5e8: 06 (bad) - 5e9: 00 00 add %al,(%rax) - 5eb: 00 05 00 00 00 00 add %al,0x0(%rip) # 5f1 <__abi_tag+0x265> - 5f1: 00 00 add %al,(%rax) - 5f3: 00 00 add %al,(%rax) - 5f5: 00 00 add %al,(%rax) - 5f7: 00 f8 add %bh,%al - 5f9: 3f (bad) - 5fa: 00 00 add %al,(%rax) - 5fc: 00 00 add %al,(%rax) - 5fe: 00 00 add %al,(%rax) - 600: 06 (bad) - 601: 00 00 add %al,(%rax) - 603: 00 06 add %al,(%rsi) - ... - -Disassembly of section .rela.plt: - -0000000000000610 <.rela.plt>: - 610: d0 3f sarb (%rdi) - 612: 00 00 add %al,(%rax) - 614: 00 00 add %al,(%rax) - 616: 00 00 add %al,(%rax) - 618: 07 (bad) - 619: 00 00 add %al,(%rax) - 61b: 00 03 add %al,(%rbx) - ... 
- -Disassembly of section .init: - -0000000000001000 <_init>: - 1000: f3 0f 1e fa endbr64 - 1004: 48 83 ec 08 sub $0x8,%rsp - 1008: 48 8b 05 d9 2f 00 00 mov 0x2fd9(%rip),%rax # 3fe8 <__gmon_start__@Base> - 100f: 48 85 c0 test %rax,%rax - 1012: 74 02 je 1016 <_init+0x16> - 1014: ff d0 call *%rax - 1016: 48 83 c4 08 add $0x8,%rsp - 101a: c3 ret - -Disassembly of section .plt: - -0000000000001020 <.plt>: - 1020: ff 35 9a 2f 00 00 push 0x2f9a(%rip) # 3fc0 <_GLOBAL_OFFSET_TABLE_+0x8> - 1026: f2 ff 25 9b 2f 00 00 bnd jmp *0x2f9b(%rip) # 3fc8 <_GLOBAL_OFFSET_TABLE_+0x10> - 102d: 0f 1f 00 nopl (%rax) - 1030: f3 0f 1e fa endbr64 - 1034: 68 00 00 00 00 push $0x0 - 1039: f2 e9 e1 ff ff ff bnd jmp 1020 <_init+0x20> - 103f: 90 nop - -Disassembly of section .plt.got: - -0000000000001040 <__cxa_finalize@plt>: - 1040: f3 0f 1e fa endbr64 - 1044: f2 ff 25 ad 2f 00 00 bnd jmp *0x2fad(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5> - 104b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) - -Disassembly of section .plt.sec: - -0000000000001050 : - 1050: f3 0f 1e fa endbr64 - 1054: f2 ff 25 75 2f 00 00 bnd jmp *0x2f75(%rip) # 3fd0 - 105b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) - -Disassembly of section .text: - -0000000000001060 <_start>: - 1060: f3 0f 1e fa endbr64 - 1064: 31 ed xor %ebp,%ebp - 1066: 49 89 d1 mov %rdx,%r9 - 1069: 5e pop %rsi - 106a: 48 89 e2 mov %rsp,%rdx - 106d: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp - 1071: 50 push %rax - 1072: 54 push %rsp - 1073: 45 31 c0 xor %r8d,%r8d - 1076: 31 c9 xor %ecx,%ecx - 1078: 48 8d 3d ca 00 00 00 lea 0xca(%rip),%rdi # 1149
- 107f: ff 15 53 2f 00 00 call *0x2f53(%rip) # 3fd8 <__libc_start_main@GLIBC_2.34> - 1085: f4 hlt - 1086: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) - 108d: 00 00 00 - -0000000000001090 : - 1090: 48 8d 3d 79 2f 00 00 lea 0x2f79(%rip),%rdi # 4010 <__TMC_END__> - 1097: 48 8d 05 72 2f 00 00 lea 0x2f72(%rip),%rax # 4010 <__TMC_END__> - 109e: 48 39 f8 cmp %rdi,%rax - 10a1: 74 15 je 10b8 - 10a3: 48 8b 05 36 2f 00 00 mov 0x2f36(%rip),%rax # 3fe0 <_ITM_deregisterTMCloneTable@Base> - 10aa: 48 85 c0 test %rax,%rax - 10ad: 74 09 je 10b8 - 10af: ff e0 jmp *%rax - 10b1: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) - 10b8: c3 ret - 10b9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) - -00000000000010c0 : - 10c0: 48 8d 3d 49 2f 00 00 lea 0x2f49(%rip),%rdi # 4010 <__TMC_END__> - 10c7: 48 8d 35 42 2f 00 00 lea 0x2f42(%rip),%rsi # 4010 <__TMC_END__> - 10ce: 48 29 fe sub %rdi,%rsi - 10d1: 48 89 f0 mov %rsi,%rax - 10d4: 48 c1 ee 3f shr $0x3f,%rsi - 10d8: 48 c1 f8 03 sar $0x3,%rax - 10dc: 48 01 c6 add %rax,%rsi - 10df: 48 d1 fe sar %rsi - 10e2: 74 14 je 10f8 - 10e4: 48 8b 05 05 2f 00 00 mov 0x2f05(%rip),%rax # 3ff0 <_ITM_registerTMCloneTable@Base> - 10eb: 48 85 c0 test %rax,%rax - 10ee: 74 08 je 10f8 - 10f0: ff e0 jmp *%rax - 10f2: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) - 10f8: c3 ret - 10f9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) - -0000000000001100 <__do_global_dtors_aux>: - 1100: f3 0f 1e fa endbr64 - 1104: 80 3d 05 2f 00 00 00 cmpb $0x0,0x2f05(%rip) # 4010 <__TMC_END__> - 110b: 75 2b jne 1138 <__do_global_dtors_aux+0x38> - 110d: 55 push %rbp - 110e: 48 83 3d e2 2e 00 00 cmpq $0x0,0x2ee2(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5> - 1115: 00 - 1116: 48 89 e5 mov %rsp,%rbp - 1119: 74 0c je 1127 <__do_global_dtors_aux+0x27> - 111b: 48 8b 3d e6 2e 00 00 mov 0x2ee6(%rip),%rdi # 4008 <__dso_handle> - 1122: e8 19 ff ff ff call 1040 <__cxa_finalize@plt> - 1127: e8 64 ff ff ff call 1090 - 112c: c6 05 dd 2e 00 00 01 movb $0x1,0x2edd(%rip) # 4010 <__TMC_END__> - 1133: 5d pop %rbp - 1134: c3 ret - 1135: 0f 1f 00 
nopl (%rax) - 1138: c3 ret - 1139: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) - -0000000000001140 : - 1140: f3 0f 1e fa endbr64 - 1144: e9 77 ff ff ff jmp 10c0 - -0000000000001149
: - 1149: f3 0f 1e fa endbr64 - 114d: 55 push %rbp - 114e: 48 89 e5 mov %rsp,%rbp - 1151: 48 8d 3d ac 0e 00 00 lea 0xeac(%rip),%rdi # 2004 <_IO_stdin_used+0x4> - 1158: e8 f3 fe ff ff call 1050 - 115d: b8 00 00 00 00 mov $0x0,%eax - 1162: 5d pop %rbp - 1163: c3 ret - -Disassembly of section .fini: - -0000000000001164 <_fini>: - 1164: f3 0f 1e fa endbr64 - 1168: 48 83 ec 08 sub $0x8,%rsp - 116c: 48 83 c4 08 add $0x8,%rsp - 1170: c3 ret - -Disassembly of section .rodata: - -0000000000002000 <_IO_stdin_used>: - 2000: 01 00 add %eax,(%rax) - 2002: 02 00 add (%rax),%al - 2004: 48 rex.W - 2005: 65 6c gs insb (%dx),%es:(%rdi) - 2007: 6c insb (%dx),%es:(%rdi) - 2008: 6f outsl %ds:(%rsi),(%dx) - 2009: 2c 20 sub $0x20,%al - 200b: 57 push %rdi - 200c: 6f outsl %ds:(%rsi),(%dx) - 200d: 72 6c jb 207b <__GNU_EH_FRAME_HDR+0x67> - 200f: 64 21 00 and %eax,%fs:(%rax) - -Disassembly of section .eh_frame_hdr: - -0000000000002014 <__GNU_EH_FRAME_HDR>: - 2014: 01 1b add %ebx,(%rbx) - 2016: 03 3b add (%rbx),%edi - 2018: 30 00 xor %al,(%rax) - 201a: 00 00 add %al,(%rax) - 201c: 05 00 00 00 0c add $0xc000000,%eax - 2021: f0 ff lock (bad) - 2023: ff 64 00 00 jmp *0x0(%rax,%rax,1) - 2027: 00 2c f0 add %ch,(%rax,%rsi,8) - 202a: ff (bad) - 202b: ff 8c 00 00 00 3c f0 decl -0xfc40000(%rax,%rax,1) - 2032: ff (bad) - 2033: ff a4 00 00 00 4c f0 jmp *-0xfb40000(%rax,%rax,1) - 203a: ff (bad) - 203b: ff 4c 00 00 decl 0x0(%rax,%rax,1) - 203f: 00 35 f1 ff ff bc add %dh,-0x4300000f(%rip) # ffffffffbd002036 <_end+0xffffffffbcffe01e> - 2045: 00 00 add %al,(%rax) - ... 
- -Disassembly of section .eh_frame: - -0000000000002048 <__FRAME_END__-0xa8>: - 2048: 14 00 adc $0x0,%al - 204a: 00 00 add %al,(%rax) - 204c: 00 00 add %al,(%rax) - 204e: 00 00 add %al,(%rax) - 2050: 01 7a 52 add %edi,0x52(%rdx) - 2053: 00 01 add %al,(%rcx) - 2055: 78 10 js 2067 <__GNU_EH_FRAME_HDR+0x53> - 2057: 01 1b add %ebx,(%rbx) - 2059: 0c 07 or $0x7,%al - 205b: 08 90 01 00 00 14 or %dl,0x14000001(%rax) - 2061: 00 00 add %al,(%rax) - 2063: 00 1c 00 add %bl,(%rax,%rax,1) - 2066: 00 00 add %al,(%rax) - 2068: f8 clc - 2069: ef out %eax,(%dx) - 206a: ff (bad) - 206b: ff 26 jmp *(%rsi) - 206d: 00 00 add %al,(%rax) - 206f: 00 00 add %al,(%rax) - 2071: 44 07 rex.R (bad) - 2073: 10 00 adc %al,(%rax) - 2075: 00 00 add %al,(%rax) - 2077: 00 24 00 add %ah,(%rax,%rax,1) - 207a: 00 00 add %al,(%rax) - 207c: 34 00 xor $0x0,%al - 207e: 00 00 add %al,(%rax) - 2080: a0 ef ff ff 20 00 00 movabs 0x20ffffef,%al - 2087: 00 00 - 2089: 0e (bad) - 208a: 10 46 0e adc %al,0xe(%rsi) - 208d: 18 4a 0f sbb %cl,0xf(%rdx) - 2090: 0b 77 08 or 0x8(%rdi),%esi - 2093: 80 00 3f addb $0x3f,(%rax) - 2096: 1a 3a sbb (%rdx),%bh - 2098: 2a 33 sub (%rbx),%dh - 209a: 24 22 and $0x22,%al - 209c: 00 00 add %al,(%rax) - 209e: 00 00 add %al,(%rax) - 20a0: 14 00 adc $0x0,%al - 20a2: 00 00 add %al,(%rax) - 20a4: 5c pop %rsp - 20a5: 00 00 add %al,(%rax) - 20a7: 00 98 ef ff ff 10 add %bl,0x10ffffef(%rax) - ... - 20b5: 00 00 add %al,(%rax) - 20b7: 00 14 00 add %dl,(%rax,%rax,1) - 20ba: 00 00 add %al,(%rax) - 20bc: 74 00 je 20be <__GNU_EH_FRAME_HDR+0xaa> - 20be: 00 00 add %al,(%rax) - 20c0: 90 nop - 20c1: ef out %eax,(%dx) - 20c2: ff (bad) - 20c3: ff 10 call *(%rax) - ... 
- 20cd: 00 00 add %al,(%rax) - 20cf: 00 1c 00 add %bl,(%rax,%rax,1) - 20d2: 00 00 add %al,(%rax) - 20d4: 8c 00 mov %es,(%rax) - 20d6: 00 00 add %al,(%rax) - 20d8: 71 f0 jno 20ca <__GNU_EH_FRAME_HDR+0xb6> - 20da: ff (bad) - 20db: ff 1b lcall *(%rbx) - 20dd: 00 00 add %al,(%rax) - 20df: 00 00 add %al,(%rax) - 20e1: 45 0e rex.RB (bad) - 20e3: 10 86 02 43 0d 06 adc %al,0x60d4302(%rsi) - 20e9: 52 push %rdx - 20ea: 0c 07 or $0x7,%al - 20ec: 08 00 or %al,(%rax) - ... - -00000000000020f0 <__FRAME_END__>: - 20f0: 00 00 add %al,(%rax) - ... - -Disassembly of section .init_array: - -0000000000003db8 <__frame_dummy_init_array_entry>: - 3db8: 40 11 00 rex adc %eax,(%rax) - 3dbb: 00 00 add %al,(%rax) - 3dbd: 00 00 add %al,(%rax) - ... - -Disassembly of section .fini_array: - -0000000000003dc0 <__do_global_dtors_aux_fini_array_entry>: - 3dc0: 00 11 add %dl,(%rcx) - 3dc2: 00 00 add %al,(%rax) - 3dc4: 00 00 add %al,(%rax) - ... - -Disassembly of section .dynamic: - -0000000000003dc8 <_DYNAMIC>: - 3dc8: 01 00 add %eax,(%rax) - 3dca: 00 00 add %al,(%rax) - 3dcc: 00 00 add %al,(%rax) - 3dce: 00 00 add %al,(%rax) - 3dd0: 27 (bad) - 3dd1: 00 00 add %al,(%rax) - 3dd3: 00 00 add %al,(%rax) - 3dd5: 00 00 add %al,(%rax) - 3dd7: 00 0c 00 add %cl,(%rax,%rax,1) - 3dda: 00 00 add %al,(%rax) - 3ddc: 00 00 add %al,(%rax) - 3dde: 00 00 add %al,(%rax) - 3de0: 00 10 add %dl,(%rax) - 3de2: 00 00 add %al,(%rax) - 3de4: 00 00 add %al,(%rax) - 3de6: 00 00 add %al,(%rax) - 3de8: 0d 00 00 00 00 or $0x0,%eax - 3ded: 00 00 add %al,(%rax) - 3def: 00 64 11 00 add %ah,0x0(%rcx,%rdx,1) - 3df3: 00 00 add %al,(%rax) - 3df5: 00 00 add %al,(%rax) - 3df7: 00 19 add %bl,(%rcx) - 3df9: 00 00 add %al,(%rax) - 3dfb: 00 00 add %al,(%rax) - 3dfd: 00 00 add %al,(%rax) - 3dff: 00 b8 3d 00 00 00 add %bh,0x3d(%rax) - 3e05: 00 00 add %al,(%rax) - 3e07: 00 1b add %bl,(%rbx) - 3e09: 00 00 add %al,(%rax) - 3e0b: 00 00 add %al,(%rax) - 3e0d: 00 00 add %al,(%rax) - 3e0f: 00 08 add %cl,(%rax) - 3e11: 00 00 add %al,(%rax) - 3e13: 00 
00 add %al,(%rax) - 3e15: 00 00 add %al,(%rax) - 3e17: 00 1a add %bl,(%rdx) - 3e19: 00 00 add %al,(%rax) - 3e1b: 00 00 add %al,(%rax) - 3e1d: 00 00 add %al,(%rax) - 3e1f: 00 c0 add %al,%al - 3e21: 3d 00 00 00 00 cmp $0x0,%eax - 3e26: 00 00 add %al,(%rax) - 3e28: 1c 00 sbb $0x0,%al - 3e2a: 00 00 add %al,(%rax) - 3e2c: 00 00 add %al,(%rax) - 3e2e: 00 00 add %al,(%rax) - 3e30: 08 00 or %al,(%rax) - 3e32: 00 00 add %al,(%rax) - 3e34: 00 00 add %al,(%rax) - 3e36: 00 00 add %al,(%rax) - 3e38: f5 cmc - 3e39: fe (bad) - 3e3a: ff 6f 00 ljmp *0x0(%rdi) - 3e3d: 00 00 add %al,(%rax) - 3e3f: 00 b0 03 00 00 00 add %dh,0x3(%rax) - 3e45: 00 00 add %al,(%rax) - 3e47: 00 05 00 00 00 00 add %al,0x0(%rip) # 3e4d <_DYNAMIC+0x85> - 3e4d: 00 00 add %al,(%rax) - 3e4f: 00 80 04 00 00 00 add %al,0x4(%rax) - 3e55: 00 00 add %al,(%rax) - 3e57: 00 06 add %al,(%rsi) - 3e59: 00 00 add %al,(%rax) - 3e5b: 00 00 add %al,(%rax) - 3e5d: 00 00 add %al,(%rax) - 3e5f: 00 d8 add %bl,%al - 3e61: 03 00 add (%rax),%eax - 3e63: 00 00 add %al,(%rax) - 3e65: 00 00 add %al,(%rax) - 3e67: 00 0a add %cl,(%rdx) - 3e69: 00 00 add %al,(%rax) - 3e6b: 00 00 add %al,(%rax) - 3e6d: 00 00 add %al,(%rax) - 3e6f: 00 8d 00 00 00 00 add %cl,0x0(%rbp) - 3e75: 00 00 add %al,(%rax) - 3e77: 00 0b add %cl,(%rbx) - 3e79: 00 00 add %al,(%rax) - 3e7b: 00 00 add %al,(%rax) - 3e7d: 00 00 add %al,(%rax) - 3e7f: 00 18 add %bl,(%rax) - 3e81: 00 00 add %al,(%rax) - 3e83: 00 00 add %al,(%rax) - 3e85: 00 00 add %al,(%rax) - 3e87: 00 15 00 00 00 00 add %dl,0x0(%rip) # 3e8d <_DYNAMIC+0xc5> - ... 
- 3e95: 00 00 add %al,(%rax) - 3e97: 00 03 add %al,(%rbx) - 3e99: 00 00 add %al,(%rax) - 3e9b: 00 00 add %al,(%rax) - 3e9d: 00 00 add %al,(%rax) - 3e9f: 00 b8 3f 00 00 00 add %bh,0x3f(%rax) - 3ea5: 00 00 add %al,(%rax) - 3ea7: 00 02 add %al,(%rdx) - 3ea9: 00 00 add %al,(%rax) - 3eab: 00 00 add %al,(%rax) - 3ead: 00 00 add %al,(%rax) - 3eaf: 00 18 add %bl,(%rax) - 3eb1: 00 00 add %al,(%rax) - 3eb3: 00 00 add %al,(%rax) - 3eb5: 00 00 add %al,(%rax) - 3eb7: 00 14 00 add %dl,(%rax,%rax,1) - 3eba: 00 00 add %al,(%rax) - 3ebc: 00 00 add %al,(%rax) - 3ebe: 00 00 add %al,(%rax) - 3ec0: 07 (bad) - 3ec1: 00 00 add %al,(%rax) - 3ec3: 00 00 add %al,(%rax) - 3ec5: 00 00 add %al,(%rax) - 3ec7: 00 17 add %dl,(%rdi) - 3ec9: 00 00 add %al,(%rax) - 3ecb: 00 00 add %al,(%rax) - 3ecd: 00 00 add %al,(%rax) - 3ecf: 00 10 add %dl,(%rax) - 3ed1: 06 (bad) - 3ed2: 00 00 add %al,(%rax) - 3ed4: 00 00 add %al,(%rax) - 3ed6: 00 00 add %al,(%rax) - 3ed8: 07 (bad) - 3ed9: 00 00 add %al,(%rax) - 3edb: 00 00 add %al,(%rax) - 3edd: 00 00 add %al,(%rax) - 3edf: 00 50 05 add %dl,0x5(%rax) - 3ee2: 00 00 add %al,(%rax) - 3ee4: 00 00 add %al,(%rax) - 3ee6: 00 00 add %al,(%rax) - 3ee8: 08 00 or %al,(%rax) - 3eea: 00 00 add %al,(%rax) - 3eec: 00 00 add %al,(%rax) - 3eee: 00 00 add %al,(%rax) - 3ef0: c0 00 00 rolb $0x0,(%rax) - 3ef3: 00 00 add %al,(%rax) - 3ef5: 00 00 add %al,(%rax) - 3ef7: 00 09 add %cl,(%rcx) - 3ef9: 00 00 add %al,(%rax) - 3efb: 00 00 add %al,(%rax) - 3efd: 00 00 add %al,(%rax) - 3eff: 00 18 add %bl,(%rax) - 3f01: 00 00 add %al,(%rax) - 3f03: 00 00 add %al,(%rax) - 3f05: 00 00 add %al,(%rax) - 3f07: 00 1e add %bl,(%rsi) - 3f09: 00 00 add %al,(%rax) - 3f0b: 00 00 add %al,(%rax) - 3f0d: 00 00 add %al,(%rax) - 3f0f: 00 08 add %cl,(%rax) - 3f11: 00 00 add %al,(%rax) - 3f13: 00 00 add %al,(%rax) - 3f15: 00 00 add %al,(%rax) - 3f17: 00 fb add %bh,%bl - 3f19: ff (bad) - 3f1a: ff 6f 00 ljmp *0x0(%rdi) - 3f1d: 00 00 add %al,(%rax) - 3f1f: 00 01 add %al,(%rcx) - 3f21: 00 00 add %al,(%rax) - 3f23: 
08 00 or %al,(%rax) - 3f25: 00 00 add %al,(%rax) - 3f27: 00 fe add %bh,%dh - 3f29: ff (bad) - 3f2a: ff 6f 00 ljmp *0x0(%rdi) - 3f2d: 00 00 add %al,(%rax) - 3f2f: 00 20 add %ah,(%rax) - 3f31: 05 00 00 00 00 add $0x0,%eax - 3f36: 00 00 add %al,(%rax) - 3f38: ff (bad) - 3f39: ff (bad) - 3f3a: ff 6f 00 ljmp *0x0(%rdi) - 3f3d: 00 00 add %al,(%rax) - 3f3f: 00 01 add %al,(%rcx) - 3f41: 00 00 add %al,(%rax) - 3f43: 00 00 add %al,(%rax) - 3f45: 00 00 add %al,(%rax) - 3f47: 00 f0 add %dh,%al - 3f49: ff (bad) - 3f4a: ff 6f 00 ljmp *0x0(%rdi) - 3f4d: 00 00 add %al,(%rax) - 3f4f: 00 0e add %cl,(%rsi) - 3f51: 05 00 00 00 00 add $0x0,%eax - 3f56: 00 00 add %al,(%rax) - 3f58: f9 stc - 3f59: ff (bad) - 3f5a: ff 6f 00 ljmp *0x0(%rdi) - 3f5d: 00 00 add %al,(%rax) - 3f5f: 00 03 add %al,(%rbx) - ... - -Disassembly of section .got: - -0000000000003fb8 <_GLOBAL_OFFSET_TABLE_>: - 3fb8: c8 3d 00 00 enter $0x3d,$0x0 - ... - 3fd0: 30 10 xor %dl,(%rax) - ... - -Disassembly of section .data: - -0000000000004000 <__data_start>: - ... - -0000000000004008 <__dso_handle>: - 4008: 08 40 00 or %al,0x0(%rax) - 400b: 00 00 add %al,(%rax) - 400d: 00 00 add %al,(%rax) - ... - -Disassembly of section .bss: - -0000000000004010 : - ... - -Disassembly of section .comment: - -0000000000000000 <.comment>: - 0: 47 rex.RXB - 1: 43 rex.XB - 2: 43 3a 20 rex.XB cmp (%r8),%spl - 5: 28 55 62 sub %dl,0x62(%rbp) - 8: 75 6e jne 78 <__abi_tag-0x314> - a: 74 75 je 81 <__abi_tag-0x30b> - c: 20 31 and %dh,(%rcx) - e: 30 2e xor %ch,(%rsi) - 10: 35 2e 30 2d 31 xor $0x312d302e,%eax - 15: 75 62 jne 79 <__abi_tag-0x313> - 17: 75 6e jne 87 <__abi_tag-0x305> - 19: 74 75 je 90 <__abi_tag-0x2fc> - 1b: 31 7e 32 xor %edi,0x32(%rsi) - 1e: 32 2e xor (%rsi),%ch - 20: 30 34 29 xor %dh,(%rcx,%rbp,1) - 23: 20 31 and %dh,(%rcx) - 25: 30 2e xor %ch,(%rsi) - 27: 35 .byte 0x35 - 28: 2e 30 00 cs xor %al,(%rax) diff --git a/sample.txt b/sample.txt deleted file mode 100644 index e8f30c0..0000000 --- a/sample.txt +++ /dev/null 
@@ -1,825 +0,0 @@ - -resources/sample64: file format elf64-x86-64 - - -Disassembly of section .interp: - -0000000000000318 <.interp>: - 318: 2f (bad) - 319: 6c insb (%dx),%es:(%rdi) - 31a: 69 62 36 34 2f 6c 64 imul $0x646c2f34,0x36(%rdx),%esp - 321: 2d 6c 69 6e 75 sub $0x756e696c,%eax - 326: 78 2d js 355 <__abi_tag-0x37> - 328: 78 38 js 362 <__abi_tag-0x2a> - 32a: 36 2d 36 34 2e 73 ss sub $0x732e3436,%eax - 330: 6f outsl %ds:(%rsi),(%dx) - 331: 2e 32 00 cs xor (%rax),%al - -Disassembly of section .note.gnu.property: - -0000000000000338 <.note.gnu.property>: - 338: 04 00 add $0x0,%al - 33a: 00 00 add %al,(%rax) - 33c: 20 00 and %al,(%rax) - 33e: 00 00 add %al,(%rax) - 340: 05 00 00 00 47 add $0x47000000,%eax - 345: 4e 55 rex.WRX push %rbp - 347: 00 02 add %al,(%rdx) - 349: 00 00 add %al,(%rax) - 34b: c0 04 00 00 rolb $0x0,(%rax,%rax,1) - 34f: 00 03 add %al,(%rbx) - 351: 00 00 add %al,(%rax) - 353: 00 00 add %al,(%rax) - 355: 00 00 add %al,(%rax) - 357: 00 02 add %al,(%rdx) - 359: 80 00 c0 addb $0xc0,(%rax) - 35c: 04 00 add $0x0,%al - 35e: 00 00 add %al,(%rax) - 360: 01 00 add %eax,(%rax) - 362: 00 00 add %al,(%rax) - 364: 00 00 add %al,(%rax) - ... 
- -Disassembly of section .note.gnu.build-id: - -0000000000000368 <.note.gnu.build-id>: - 368: 04 00 add $0x0,%al - 36a: 00 00 add %al,(%rax) - 36c: 14 00 adc $0x0,%al - 36e: 00 00 add %al,(%rax) - 370: 03 00 add (%rax),%eax - 372: 00 00 add %al,(%rax) - 374: 47 rex.RXB - 375: 4e 55 rex.WRX push %rbp - 377: 00 aa 0d f4 0f 29 add %ch,0x290ff40d(%rdx) - 37d: 9d popf - 37e: 21 c9 and %ecx,%ecx - 380: 16 (bad) - 381: 1e (bad) - 382: 8a 34 ce mov (%rsi,%rcx,8),%dh - 385: 99 cltd - 386: 69 cc 15 8d 7d 01 imul $0x17d8d15,%esp,%ecx - -Disassembly of section .note.ABI-tag: - -000000000000038c <__abi_tag>: - 38c: 04 00 add $0x0,%al - 38e: 00 00 add %al,(%rax) - 390: 10 00 adc %al,(%rax) - 392: 00 00 add %al,(%rax) - 394: 01 00 add %eax,(%rax) - 396: 00 00 add %al,(%rax) - 398: 47 rex.RXB - 399: 4e 55 rex.WRX push %rbp - 39b: 00 00 add %al,(%rax) - 39d: 00 00 add %al,(%rax) - 39f: 00 03 add %al,(%rbx) - 3a1: 00 00 add %al,(%rax) - 3a3: 00 02 add %al,(%rdx) - 3a5: 00 00 add %al,(%rax) - 3a7: 00 00 add %al,(%rax) - 3a9: 00 00 add %al,(%rax) - ... - -Disassembly of section .gnu.hash: - -00000000000003b0 <.gnu.hash>: - 3b0: 02 00 add (%rax),%al - 3b2: 00 00 add %al,(%rax) - 3b4: 06 (bad) - 3b5: 00 00 add %al,(%rax) - 3b7: 00 01 add %al,(%rcx) - 3b9: 00 00 add %al,(%rax) - 3bb: 00 06 add %al,(%rsi) - 3bd: 00 00 add %al,(%rax) - 3bf: 00 00 add %al,(%rax) - 3c1: 00 81 00 00 00 00 add %al,0x0(%rcx) - 3c7: 00 06 add %al,(%rsi) - 3c9: 00 00 add %al,(%rax) - 3cb: 00 00 add %al,(%rax) - 3cd: 00 00 add %al,(%rax) - 3cf: 00 d1 add %dl,%cl - 3d1: 65 ce gs (bad) - 3d3: 6d insl (%dx),%es:(%rdi) - -Disassembly of section .dynsym: - -00000000000003d8 <.dynsym>: - ... - 3f0: 10 00 adc %al,(%rax) - 3f2: 00 00 add %al,(%rax) - 3f4: 12 00 adc (%rax),%al - ... - 406: 00 00 add %al,(%rax) - 408: 48 00 00 rex.W add %al,(%rax) - 40b: 00 20 add %ah,(%rax) - ... - 41d: 00 00 add %al,(%rax) - 41f: 00 22 add %ah,(%rdx) - 421: 00 00 add %al,(%rax) - 423: 00 12 add %dl,(%rdx) - ... 
- 435: 00 00 add %al,(%rax) - 437: 00 64 00 00 add %ah,0x0(%rax,%rax,1) - 43b: 00 20 add %ah,(%rax) - ... - 44d: 00 00 add %al,(%rax) - 44f: 00 73 00 add %dh,0x0(%rbx) - 452: 00 00 add %al,(%rax) - 454: 20 00 and %al,(%rax) - ... - 466: 00 00 add %al,(%rax) - 468: 01 00 add %eax,(%rax) - 46a: 00 00 add %al,(%rax) - 46c: 22 00 and (%rax),%al - ... - -Disassembly of section .dynstr: - -0000000000000480 <.dynstr>: - 480: 00 5f 5f add %bl,0x5f(%rdi) - 483: 63 78 61 movsxd 0x61(%rax),%edi - 486: 5f pop %rdi - 487: 66 69 6e 61 6c 69 imul $0x696c,0x61(%rsi),%bp - 48d: 7a 65 jp 4f4 <__abi_tag+0x168> - 48f: 00 5f 5f add %bl,0x5f(%rdi) - 492: 6c insb (%dx),%es:(%rdi) - 493: 69 62 63 5f 73 74 61 imul $0x6174735f,0x63(%rdx),%esp - 49a: 72 74 jb 510 <__abi_tag+0x184> - 49c: 5f pop %rdi - 49d: 6d insl (%dx),%es:(%rdi) - 49e: 61 (bad) - 49f: 69 6e 00 70 75 74 73 imul $0x73747570,0x0(%rsi),%ebp - 4a6: 00 6c 69 62 add %ch,0x62(%rcx,%rbp,2) - 4aa: 63 2e movsxd (%rsi),%ebp - 4ac: 73 6f jae 51d <__abi_tag+0x191> - 4ae: 2e 36 00 47 4c cs ss add %al,0x4c(%rdi) - 4b3: 49 rex.WB - 4b4: 42 rex.X - 4b5: 43 5f rex.XB pop %r15 - 4b7: 32 2e xor (%rsi),%ch - 4b9: 32 2e xor (%rsi),%ch - 4bb: 35 00 47 4c 49 xor $0x494c4700,%eax - 4c0: 42 rex.X - 4c1: 43 5f rex.XB pop %r15 - 4c3: 32 2e xor (%rsi),%ch - 4c5: 33 34 00 xor (%rax,%rax,1),%esi - 4c8: 5f pop %rdi - 4c9: 49 54 rex.WB push %r12 - 4cb: 4d 5f rex.WRB pop %r15 - 4cd: 64 65 72 65 fs gs jb 536 <__abi_tag+0x1aa> - 4d1: 67 69 73 74 65 72 54 imul $0x4d547265,0x74(%ebx),%esi - 4d8: 4d - 4d9: 43 6c rex.XB insb (%dx),%es:(%rdi) - 4db: 6f outsl %ds:(%rsi),(%dx) - 4dc: 6e outsb %ds:(%rsi),(%dx) - 4dd: 65 54 gs push %rsp - 4df: 61 (bad) - 4e0: 62 (bad) - 4e1: 6c insb (%dx),%es:(%rdi) - 4e2: 65 00 5f 5f add %bl,%gs:0x5f(%rdi) - 4e6: 67 6d insl (%dx),%es:(%edi) - 4e8: 6f outsl %ds:(%rsi),(%dx) - 4e9: 6e outsb %ds:(%rsi),(%dx) - 4ea: 5f pop %rdi - 4eb: 73 74 jae 561 <__abi_tag+0x1d5> - 4ed: 61 (bad) - 4ee: 72 74 jb 564 <__abi_tag+0x1d8> - 4f0: 5f pop %rdi 
- 4f1: 5f pop %rdi - 4f2: 00 5f 49 add %bl,0x49(%rdi) - 4f5: 54 push %rsp - 4f6: 4d 5f rex.WRB pop %r15 - 4f8: 72 65 jb 55f <__abi_tag+0x1d3> - 4fa: 67 69 73 74 65 72 54 imul $0x4d547265,0x74(%ebx),%esi - 501: 4d - 502: 43 6c rex.XB insb (%dx),%es:(%rdi) - 504: 6f outsl %ds:(%rsi),(%dx) - 505: 6e outsb %ds:(%rsi),(%dx) - 506: 65 54 gs push %rsp - 508: 61 (bad) - 509: 62 .byte 0x62 - 50a: 6c insb (%dx),%es:(%rdi) - 50b: 65 gs - ... - -Disassembly of section .gnu.version: - -000000000000050e <.gnu.version>: - 50e: 00 00 add %al,(%rax) - 510: 02 00 add (%rax),%al - 512: 01 00 add %eax,(%rax) - 514: 03 00 add (%rax),%eax - 516: 01 00 add %eax,(%rax) - 518: 01 00 add %eax,(%rax) - 51a: 03 00 add (%rax),%eax - -Disassembly of section .gnu.version_r: - -0000000000000520 <.gnu.version_r>: - 520: 01 00 add %eax,(%rax) - 522: 02 00 add (%rax),%al - 524: 27 (bad) - 525: 00 00 add %al,(%rax) - 527: 00 10 add %dl,(%rax) - 529: 00 00 add %al,(%rax) - 52b: 00 00 add %al,(%rax) - 52d: 00 00 add %al,(%rax) - 52f: 00 75 1a add %dh,0x1a(%rbp) - 532: 69 09 00 00 03 00 imul $0x30000,(%rcx),%ecx - 538: 31 00 xor %eax,(%rax) - 53a: 00 00 add %al,(%rax) - 53c: 10 00 adc %al,(%rax) - 53e: 00 00 add %al,(%rax) - 540: b4 91 mov $0x91,%ah - 542: 96 xchg %eax,%esi - 543: 06 (bad) - 544: 00 00 add %al,(%rax) - 546: 02 00 add (%rax),%al - 548: 3d 00 00 00 00 cmp $0x0,%eax - 54d: 00 00 add %al,(%rax) - ... - -Disassembly of section .rela.dyn: - -0000000000000550 <.rela.dyn>: - 550: b8 3d 00 00 00 mov $0x3d,%eax - 555: 00 00 add %al,(%rax) - 557: 00 08 add %cl,(%rax) - 559: 00 00 add %al,(%rax) - 55b: 00 00 add %al,(%rax) - 55d: 00 00 add %al,(%rax) - 55f: 00 40 11 add %al,0x11(%rax) - 562: 00 00 add %al,(%rax) - 564: 00 00 add %al,(%rax) - 566: 00 00 add %al,(%rax) - 568: c0 3d 00 00 00 00 00 sarb $0x0,0x0(%rip) # 56f <__abi_tag+0x1e3> - 56f: 00 08 add %cl,(%rax) - ... 
- 579: 11 00 adc %eax,(%rax) - 57b: 00 00 add %al,(%rax) - 57d: 00 00 add %al,(%rax) - 57f: 00 08 add %cl,(%rax) - 581: 40 00 00 rex add %al,(%rax) - 584: 00 00 add %al,(%rax) - 586: 00 00 add %al,(%rax) - 588: 08 00 or %al,(%rax) - 58a: 00 00 add %al,(%rax) - 58c: 00 00 add %al,(%rax) - 58e: 00 00 add %al,(%rax) - 590: 08 40 00 or %al,0x0(%rax) - 593: 00 00 add %al,(%rax) - 595: 00 00 add %al,(%rax) - 597: 00 d8 add %bl,%al - 599: 3f (bad) - 59a: 00 00 add %al,(%rax) - 59c: 00 00 add %al,(%rax) - 59e: 00 00 add %al,(%rax) - 5a0: 06 (bad) - 5a1: 00 00 add %al,(%rax) - 5a3: 00 01 add %al,(%rcx) - ... - 5ad: 00 00 add %al,(%rax) - 5af: 00 e0 add %ah,%al - 5b1: 3f (bad) - 5b2: 00 00 add %al,(%rax) - 5b4: 00 00 add %al,(%rax) - 5b6: 00 00 add %al,(%rax) - 5b8: 06 (bad) - 5b9: 00 00 add %al,(%rax) - 5bb: 00 02 add %al,(%rdx) - ... - 5c5: 00 00 add %al,(%rax) - 5c7: 00 e8 add %ch,%al - 5c9: 3f (bad) - 5ca: 00 00 add %al,(%rax) - 5cc: 00 00 add %al,(%rax) - 5ce: 00 00 add %al,(%rax) - 5d0: 06 (bad) - 5d1: 00 00 add %al,(%rax) - 5d3: 00 04 00 add %al,(%rax,%rax,1) - ... - 5de: 00 00 add %al,(%rax) - 5e0: f0 3f lock (bad) - 5e2: 00 00 add %al,(%rax) - 5e4: 00 00 add %al,(%rax) - 5e6: 00 00 add %al,(%rax) - 5e8: 06 (bad) - 5e9: 00 00 add %al,(%rax) - 5eb: 00 05 00 00 00 00 add %al,0x0(%rip) # 5f1 <__abi_tag+0x265> - 5f1: 00 00 add %al,(%rax) - 5f3: 00 00 add %al,(%rax) - 5f5: 00 00 add %al,(%rax) - 5f7: 00 f8 add %bh,%al - 5f9: 3f (bad) - 5fa: 00 00 add %al,(%rax) - 5fc: 00 00 add %al,(%rax) - 5fe: 00 00 add %al,(%rax) - 600: 06 (bad) - 601: 00 00 add %al,(%rax) - 603: 00 06 add %al,(%rsi) - ... - -Disassembly of section .rela.plt: - -0000000000000610 <.rela.plt>: - 610: d0 3f sarb (%rdi) - 612: 00 00 add %al,(%rax) - 614: 00 00 add %al,(%rax) - 616: 00 00 add %al,(%rax) - 618: 07 (bad) - 619: 00 00 add %al,(%rax) - 61b: 00 03 add %al,(%rbx) - ... 
- -Disassembly of section .init: - -0000000000001000 <_init>: - 1000: f3 0f 1e fa endbr64 - 1004: 48 83 ec 08 sub $0x8,%rsp - 1008: 48 8b 05 d9 2f 00 00 mov 0x2fd9(%rip),%rax # 3fe8 <__gmon_start__@Base> - 100f: 48 85 c0 test %rax,%rax - 1012: 74 02 je 1016 <_init+0x16> - 1014: ff d0 call *%rax - 1016: 48 83 c4 08 add $0x8,%rsp - 101a: c3 ret - -Disassembly of section .plt: - -0000000000001020 <.plt>: - 1020: ff 35 9a 2f 00 00 push 0x2f9a(%rip) # 3fc0 <_GLOBAL_OFFSET_TABLE_+0x8> - 1026: f2 ff 25 9b 2f 00 00 bnd jmp *0x2f9b(%rip) # 3fc8 <_GLOBAL_OFFSET_TABLE_+0x10> - 102d: 0f 1f 00 nopl (%rax) - 1030: f3 0f 1e fa endbr64 - 1034: 68 00 00 00 00 push $0x0 - 1039: f2 e9 e1 ff ff ff bnd jmp 1020 <_init+0x20> - 103f: 90 nop - -Disassembly of section .plt.got: - -0000000000001040 <__cxa_finalize@plt>: - 1040: f3 0f 1e fa endbr64 - 1044: f2 ff 25 ad 2f 00 00 bnd jmp *0x2fad(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5> - 104b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) - -Disassembly of section .plt.sec: - -0000000000001050 : - 1050: f3 0f 1e fa endbr64 - 1054: f2 ff 25 75 2f 00 00 bnd jmp *0x2f75(%rip) # 3fd0 - 105b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) - -Disassembly of section .text: - -0000000000001060 <_start>: - 1060: f3 0f 1e fa endbr64 - 1064: 31 ed xor %ebp,%ebp - 1066: 49 89 d1 mov %rdx,%r9 - 1069: 5e pop %rsi - 106a: 48 89 e2 mov %rsp,%rdx - 106d: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp - 1071: 50 push %rax - 1072: 54 push %rsp - 1073: 45 31 c0 xor %r8d,%r8d - 1076: 31 c9 xor %ecx,%ecx - 1078: 48 8d 3d ca 00 00 00 lea 0xca(%rip),%rdi # 1149
- 107f: ff 15 53 2f 00 00 call *0x2f53(%rip) # 3fd8 <__libc_start_main@GLIBC_2.34> - 1085: f4 hlt - 1086: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) - 108d: 00 00 00 - -0000000000001090 : - 1090: 48 8d 3d 79 2f 00 00 lea 0x2f79(%rip),%rdi # 4010 <__TMC_END__> - 1097: 48 8d 05 72 2f 00 00 lea 0x2f72(%rip),%rax # 4010 <__TMC_END__> - 109e: 48 39 f8 cmp %rdi,%rax - 10a1: 74 15 je 10b8 - 10a3: 48 8b 05 36 2f 00 00 mov 0x2f36(%rip),%rax # 3fe0 <_ITM_deregisterTMCloneTable@Base> - 10aa: 48 85 c0 test %rax,%rax - 10ad: 74 09 je 10b8 - 10af: ff e0 jmp *%rax - 10b1: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) - 10b8: c3 ret - 10b9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) - -00000000000010c0 : - 10c0: 48 8d 3d 49 2f 00 00 lea 0x2f49(%rip),%rdi # 4010 <__TMC_END__> - 10c7: 48 8d 35 42 2f 00 00 lea 0x2f42(%rip),%rsi # 4010 <__TMC_END__> - 10ce: 48 29 fe sub %rdi,%rsi - 10d1: 48 89 f0 mov %rsi,%rax - 10d4: 48 c1 ee 3f shr $0x3f,%rsi - 10d8: 48 c1 f8 03 sar $0x3,%rax - 10dc: 48 01 c6 add %rax,%rsi - 10df: 48 d1 fe sar %rsi - 10e2: 74 14 je 10f8 - 10e4: 48 8b 05 05 2f 00 00 mov 0x2f05(%rip),%rax # 3ff0 <_ITM_registerTMCloneTable@Base> - 10eb: 48 85 c0 test %rax,%rax - 10ee: 74 08 je 10f8 - 10f0: ff e0 jmp *%rax - 10f2: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) - 10f8: c3 ret - 10f9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) - -0000000000001100 <__do_global_dtors_aux>: - 1100: f3 0f 1e fa endbr64 - 1104: 80 3d 05 2f 00 00 00 cmpb $0x0,0x2f05(%rip) # 4010 <__TMC_END__> - 110b: 75 2b jne 1138 <__do_global_dtors_aux+0x38> - 110d: 55 push %rbp - 110e: 48 83 3d e2 2e 00 00 cmpq $0x0,0x2ee2(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5> - 1115: 00 - 1116: 48 89 e5 mov %rsp,%rbp - 1119: 74 0c je 1127 <__do_global_dtors_aux+0x27> - 111b: 48 8b 3d e6 2e 00 00 mov 0x2ee6(%rip),%rdi # 4008 <__dso_handle> - 1122: e8 19 ff ff ff call 1040 <__cxa_finalize@plt> - 1127: e8 64 ff ff ff call 1090 - 112c: c6 05 dd 2e 00 00 01 movb $0x1,0x2edd(%rip) # 4010 <__TMC_END__> - 1133: 5d pop %rbp - 1134: c3 ret - 1135: 0f 1f 00 
nopl (%rax) - 1138: c3 ret - 1139: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) - -0000000000001140 : - 1140: f3 0f 1e fa endbr64 - 1144: e9 77 ff ff ff jmp 10c0 - -0000000000001149
: - 1149: f3 0f 1e fa endbr64 - 114d: 55 push %rbp - 114e: 48 89 e5 mov %rsp,%rbp - 1151: 48 8d 3d ac 0e 00 00 lea 0xeac(%rip),%rdi # 2004 <_IO_stdin_used+0x4> - 1158: e8 f3 fe ff ff call 1050 - 115d: b8 00 00 00 00 mov $0x0,%eax - 1162: 5d pop %rbp - 1163: c3 ret - -Disassembly of section .fini: - -0000000000001164 <_fini>: - 1164: f3 0f 1e fa endbr64 - 1168: 48 83 ec 08 sub $0x8,%rsp - 116c: 48 83 c4 08 add $0x8,%rsp - 1170: c3 ret - -Disassembly of section .rodata: - -0000000000002000 <_IO_stdin_used>: - 2000: 01 00 add %eax,(%rax) - 2002: 02 00 add (%rax),%al - 2004: 48 rex.W - 2005: 65 6c gs insb (%dx),%es:(%rdi) - 2007: 6c insb (%dx),%es:(%rdi) - 2008: 6f outsl %ds:(%rsi),(%dx) - 2009: 2c 20 sub $0x20,%al - 200b: 57 push %rdi - 200c: 6f outsl %ds:(%rsi),(%dx) - 200d: 72 6c jb 207b <__GNU_EH_FRAME_HDR+0x67> - 200f: 64 21 00 and %eax,%fs:(%rax) - -Disassembly of section .eh_frame_hdr: - -0000000000002014 <__GNU_EH_FRAME_HDR>: - 2014: 01 1b add %ebx,(%rbx) - 2016: 03 3b add (%rbx),%edi - 2018: 30 00 xor %al,(%rax) - 201a: 00 00 add %al,(%rax) - 201c: 05 00 00 00 0c add $0xc000000,%eax - 2021: f0 ff lock (bad) - 2023: ff 64 00 00 jmp *0x0(%rax,%rax,1) - 2027: 00 2c f0 add %ch,(%rax,%rsi,8) - 202a: ff (bad) - 202b: ff 8c 00 00 00 3c f0 decl -0xfc40000(%rax,%rax,1) - 2032: ff (bad) - 2033: ff a4 00 00 00 4c f0 jmp *-0xfb40000(%rax,%rax,1) - 203a: ff (bad) - 203b: ff 4c 00 00 decl 0x0(%rax,%rax,1) - 203f: 00 35 f1 ff ff bc add %dh,-0x4300000f(%rip) # ffffffffbd002036 <_end+0xffffffffbcffe01e> - 2045: 00 00 add %al,(%rax) - ... 
- -Disassembly of section .eh_frame: - -0000000000002048 <__FRAME_END__-0xa8>: - 2048: 14 00 adc $0x0,%al - 204a: 00 00 add %al,(%rax) - 204c: 00 00 add %al,(%rax) - 204e: 00 00 add %al,(%rax) - 2050: 01 7a 52 add %edi,0x52(%rdx) - 2053: 00 01 add %al,(%rcx) - 2055: 78 10 js 2067 <__GNU_EH_FRAME_HDR+0x53> - 2057: 01 1b add %ebx,(%rbx) - 2059: 0c 07 or $0x7,%al - 205b: 08 90 01 00 00 14 or %dl,0x14000001(%rax) - 2061: 00 00 add %al,(%rax) - 2063: 00 1c 00 add %bl,(%rax,%rax,1) - 2066: 00 00 add %al,(%rax) - 2068: f8 clc - 2069: ef out %eax,(%dx) - 206a: ff (bad) - 206b: ff 26 jmp *(%rsi) - 206d: 00 00 add %al,(%rax) - 206f: 00 00 add %al,(%rax) - 2071: 44 07 rex.R (bad) - 2073: 10 00 adc %al,(%rax) - 2075: 00 00 add %al,(%rax) - 2077: 00 24 00 add %ah,(%rax,%rax,1) - 207a: 00 00 add %al,(%rax) - 207c: 34 00 xor $0x0,%al - 207e: 00 00 add %al,(%rax) - 2080: a0 ef ff ff 20 00 00 movabs 0x20ffffef,%al - 2087: 00 00 - 2089: 0e (bad) - 208a: 10 46 0e adc %al,0xe(%rsi) - 208d: 18 4a 0f sbb %cl,0xf(%rdx) - 2090: 0b 77 08 or 0x8(%rdi),%esi - 2093: 80 00 3f addb $0x3f,(%rax) - 2096: 1a 3a sbb (%rdx),%bh - 2098: 2a 33 sub (%rbx),%dh - 209a: 24 22 and $0x22,%al - 209c: 00 00 add %al,(%rax) - 209e: 00 00 add %al,(%rax) - 20a0: 14 00 adc $0x0,%al - 20a2: 00 00 add %al,(%rax) - 20a4: 5c pop %rsp - 20a5: 00 00 add %al,(%rax) - 20a7: 00 98 ef ff ff 10 add %bl,0x10ffffef(%rax) - ... - 20b5: 00 00 add %al,(%rax) - 20b7: 00 14 00 add %dl,(%rax,%rax,1) - 20ba: 00 00 add %al,(%rax) - 20bc: 74 00 je 20be <__GNU_EH_FRAME_HDR+0xaa> - 20be: 00 00 add %al,(%rax) - 20c0: 90 nop - 20c1: ef out %eax,(%dx) - 20c2: ff (bad) - 20c3: ff 10 call *(%rax) - ... 
- 20cd: 00 00 add %al,(%rax) - 20cf: 00 1c 00 add %bl,(%rax,%rax,1) - 20d2: 00 00 add %al,(%rax) - 20d4: 8c 00 mov %es,(%rax) - 20d6: 00 00 add %al,(%rax) - 20d8: 71 f0 jno 20ca <__GNU_EH_FRAME_HDR+0xb6> - 20da: ff (bad) - 20db: ff 1b lcall *(%rbx) - 20dd: 00 00 add %al,(%rax) - 20df: 00 00 add %al,(%rax) - 20e1: 45 0e rex.RB (bad) - 20e3: 10 86 02 43 0d 06 adc %al,0x60d4302(%rsi) - 20e9: 52 push %rdx - 20ea: 0c 07 or $0x7,%al - 20ec: 08 00 or %al,(%rax) - ... - -00000000000020f0 <__FRAME_END__>: - 20f0: 00 00 add %al,(%rax) - ... - -Disassembly of section .init_array: - -0000000000003db8 <__frame_dummy_init_array_entry>: - 3db8: 40 11 00 rex adc %eax,(%rax) - 3dbb: 00 00 add %al,(%rax) - 3dbd: 00 00 add %al,(%rax) - ... - -Disassembly of section .fini_array: - -0000000000003dc0 <__do_global_dtors_aux_fini_array_entry>: - 3dc0: 00 11 add %dl,(%rcx) - 3dc2: 00 00 add %al,(%rax) - 3dc4: 00 00 add %al,(%rax) - ... - -Disassembly of section .dynamic: - -0000000000003dc8 <_DYNAMIC>: - 3dc8: 01 00 add %eax,(%rax) - 3dca: 00 00 add %al,(%rax) - 3dcc: 00 00 add %al,(%rax) - 3dce: 00 00 add %al,(%rax) - 3dd0: 27 (bad) - 3dd1: 00 00 add %al,(%rax) - 3dd3: 00 00 add %al,(%rax) - 3dd5: 00 00 add %al,(%rax) - 3dd7: 00 0c 00 add %cl,(%rax,%rax,1) - 3dda: 00 00 add %al,(%rax) - 3ddc: 00 00 add %al,(%rax) - 3dde: 00 00 add %al,(%rax) - 3de0: 00 10 add %dl,(%rax) - 3de2: 00 00 add %al,(%rax) - 3de4: 00 00 add %al,(%rax) - 3de6: 00 00 add %al,(%rax) - 3de8: 0d 00 00 00 00 or $0x0,%eax - 3ded: 00 00 add %al,(%rax) - 3def: 00 64 11 00 add %ah,0x0(%rcx,%rdx,1) - 3df3: 00 00 add %al,(%rax) - 3df5: 00 00 add %al,(%rax) - 3df7: 00 19 add %bl,(%rcx) - 3df9: 00 00 add %al,(%rax) - 3dfb: 00 00 add %al,(%rax) - 3dfd: 00 00 add %al,(%rax) - 3dff: 00 b8 3d 00 00 00 add %bh,0x3d(%rax) - 3e05: 00 00 add %al,(%rax) - 3e07: 00 1b add %bl,(%rbx) - 3e09: 00 00 add %al,(%rax) - 3e0b: 00 00 add %al,(%rax) - 3e0d: 00 00 add %al,(%rax) - 3e0f: 00 08 add %cl,(%rax) - 3e11: 00 00 add %al,(%rax) - 3e13: 00 
00 add %al,(%rax) - 3e15: 00 00 add %al,(%rax) - 3e17: 00 1a add %bl,(%rdx) - 3e19: 00 00 add %al,(%rax) - 3e1b: 00 00 add %al,(%rax) - 3e1d: 00 00 add %al,(%rax) - 3e1f: 00 c0 add %al,%al - 3e21: 3d 00 00 00 00 cmp $0x0,%eax - 3e26: 00 00 add %al,(%rax) - 3e28: 1c 00 sbb $0x0,%al - 3e2a: 00 00 add %al,(%rax) - 3e2c: 00 00 add %al,(%rax) - 3e2e: 00 00 add %al,(%rax) - 3e30: 08 00 or %al,(%rax) - 3e32: 00 00 add %al,(%rax) - 3e34: 00 00 add %al,(%rax) - 3e36: 00 00 add %al,(%rax) - 3e38: f5 cmc - 3e39: fe (bad) - 3e3a: ff 6f 00 ljmp *0x0(%rdi) - 3e3d: 00 00 add %al,(%rax) - 3e3f: 00 b0 03 00 00 00 add %dh,0x3(%rax) - 3e45: 00 00 add %al,(%rax) - 3e47: 00 05 00 00 00 00 add %al,0x0(%rip) # 3e4d <_DYNAMIC+0x85> - 3e4d: 00 00 add %al,(%rax) - 3e4f: 00 80 04 00 00 00 add %al,0x4(%rax) - 3e55: 00 00 add %al,(%rax) - 3e57: 00 06 add %al,(%rsi) - 3e59: 00 00 add %al,(%rax) - 3e5b: 00 00 add %al,(%rax) - 3e5d: 00 00 add %al,(%rax) - 3e5f: 00 d8 add %bl,%al - 3e61: 03 00 add (%rax),%eax - 3e63: 00 00 add %al,(%rax) - 3e65: 00 00 add %al,(%rax) - 3e67: 00 0a add %cl,(%rdx) - 3e69: 00 00 add %al,(%rax) - 3e6b: 00 00 add %al,(%rax) - 3e6d: 00 00 add %al,(%rax) - 3e6f: 00 8d 00 00 00 00 add %cl,0x0(%rbp) - 3e75: 00 00 add %al,(%rax) - 3e77: 00 0b add %cl,(%rbx) - 3e79: 00 00 add %al,(%rax) - 3e7b: 00 00 add %al,(%rax) - 3e7d: 00 00 add %al,(%rax) - 3e7f: 00 18 add %bl,(%rax) - 3e81: 00 00 add %al,(%rax) - 3e83: 00 00 add %al,(%rax) - 3e85: 00 00 add %al,(%rax) - 3e87: 00 15 00 00 00 00 add %dl,0x0(%rip) # 3e8d <_DYNAMIC+0xc5> - ... 
- 3e95: 00 00 add %al,(%rax) - 3e97: 00 03 add %al,(%rbx) - 3e99: 00 00 add %al,(%rax) - 3e9b: 00 00 add %al,(%rax) - 3e9d: 00 00 add %al,(%rax) - 3e9f: 00 b8 3f 00 00 00 add %bh,0x3f(%rax) - 3ea5: 00 00 add %al,(%rax) - 3ea7: 00 02 add %al,(%rdx) - 3ea9: 00 00 add %al,(%rax) - 3eab: 00 00 add %al,(%rax) - 3ead: 00 00 add %al,(%rax) - 3eaf: 00 18 add %bl,(%rax) - 3eb1: 00 00 add %al,(%rax) - 3eb3: 00 00 add %al,(%rax) - 3eb5: 00 00 add %al,(%rax) - 3eb7: 00 14 00 add %dl,(%rax,%rax,1) - 3eba: 00 00 add %al,(%rax) - 3ebc: 00 00 add %al,(%rax) - 3ebe: 00 00 add %al,(%rax) - 3ec0: 07 (bad) - 3ec1: 00 00 add %al,(%rax) - 3ec3: 00 00 add %al,(%rax) - 3ec5: 00 00 add %al,(%rax) - 3ec7: 00 17 add %dl,(%rdi) - 3ec9: 00 00 add %al,(%rax) - 3ecb: 00 00 add %al,(%rax) - 3ecd: 00 00 add %al,(%rax) - 3ecf: 00 10 add %dl,(%rax) - 3ed1: 06 (bad) - 3ed2: 00 00 add %al,(%rax) - 3ed4: 00 00 add %al,(%rax) - 3ed6: 00 00 add %al,(%rax) - 3ed8: 07 (bad) - 3ed9: 00 00 add %al,(%rax) - 3edb: 00 00 add %al,(%rax) - 3edd: 00 00 add %al,(%rax) - 3edf: 00 50 05 add %dl,0x5(%rax) - 3ee2: 00 00 add %al,(%rax) - 3ee4: 00 00 add %al,(%rax) - 3ee6: 00 00 add %al,(%rax) - 3ee8: 08 00 or %al,(%rax) - 3eea: 00 00 add %al,(%rax) - 3eec: 00 00 add %al,(%rax) - 3eee: 00 00 add %al,(%rax) - 3ef0: c0 00 00 rolb $0x0,(%rax) - 3ef3: 00 00 add %al,(%rax) - 3ef5: 00 00 add %al,(%rax) - 3ef7: 00 09 add %cl,(%rcx) - 3ef9: 00 00 add %al,(%rax) - 3efb: 00 00 add %al,(%rax) - 3efd: 00 00 add %al,(%rax) - 3eff: 00 18 add %bl,(%rax) - 3f01: 00 00 add %al,(%rax) - 3f03: 00 00 add %al,(%rax) - 3f05: 00 00 add %al,(%rax) - 3f07: 00 1e add %bl,(%rsi) - 3f09: 00 00 add %al,(%rax) - 3f0b: 00 00 add %al,(%rax) - 3f0d: 00 00 add %al,(%rax) - 3f0f: 00 08 add %cl,(%rax) - 3f11: 00 00 add %al,(%rax) - 3f13: 00 00 add %al,(%rax) - 3f15: 00 00 add %al,(%rax) - 3f17: 00 fb add %bh,%bl - 3f19: ff (bad) - 3f1a: ff 6f 00 ljmp *0x0(%rdi) - 3f1d: 00 00 add %al,(%rax) - 3f1f: 00 01 add %al,(%rcx) - 3f21: 00 00 add %al,(%rax) - 3f23: 
08 00 or %al,(%rax) - 3f25: 00 00 add %al,(%rax) - 3f27: 00 fe add %bh,%dh - 3f29: ff (bad) - 3f2a: ff 6f 00 ljmp *0x0(%rdi) - 3f2d: 00 00 add %al,(%rax) - 3f2f: 00 20 add %ah,(%rax) - 3f31: 05 00 00 00 00 add $0x0,%eax - 3f36: 00 00 add %al,(%rax) - 3f38: ff (bad) - 3f39: ff (bad) - 3f3a: ff 6f 00 ljmp *0x0(%rdi) - 3f3d: 00 00 add %al,(%rax) - 3f3f: 00 01 add %al,(%rcx) - 3f41: 00 00 add %al,(%rax) - 3f43: 00 00 add %al,(%rax) - 3f45: 00 00 add %al,(%rax) - 3f47: 00 f0 add %dh,%al - 3f49: ff (bad) - 3f4a: ff 6f 00 ljmp *0x0(%rdi) - 3f4d: 00 00 add %al,(%rax) - 3f4f: 00 0e add %cl,(%rsi) - 3f51: 05 00 00 00 00 add $0x0,%eax - 3f56: 00 00 add %al,(%rax) - 3f58: f9 stc - 3f59: ff (bad) - 3f5a: ff 6f 00 ljmp *0x0(%rdi) - 3f5d: 00 00 add %al,(%rax) - 3f5f: 00 03 add %al,(%rbx) - ... - -Disassembly of section .got: - -0000000000003fb8 <_GLOBAL_OFFSET_TABLE_>: - 3fb8: c8 3d 00 00 enter $0x3d,$0x0 - ... - 3fd0: 30 10 xor %dl,(%rax) - ... - -Disassembly of section .data: - -0000000000004000 <__data_start>: - ... - -0000000000004008 <__dso_handle>: - 4008: 08 40 00 or %al,0x0(%rax) - 400b: 00 00 add %al,(%rax) - 400d: 00 00 add %al,(%rax) - ... - -Disassembly of section .bss: - -0000000000004010 : - ... - -Disassembly of section .comment: - -0000000000000000 <.comment>: - 0: 47 rex.RXB - 1: 43 rex.XB - 2: 43 3a 20 rex.XB cmp (%r8),%spl - 5: 28 55 62 sub %dl,0x62(%rbp) - 8: 75 6e jne 78 <__abi_tag-0x314> - a: 74 75 je 81 <__abi_tag-0x30b> - c: 20 31 and %dh,(%rcx) - e: 30 2e xor %ch,(%rsi) - 10: 35 2e 30 2d 31 xor $0x312d302e,%eax - 15: 75 62 jne 79 <__abi_tag-0x313> - 17: 75 6e jne 87 <__abi_tag-0x305> - 19: 74 75 je 90 <__abi_tag-0x2fc> - 1b: 31 7e 32 xor %edi,0x32(%rsi) - 1e: 32 2e xor (%rsi),%ch - 20: 30 34 29 xor %dh,(%rcx,%rbp,1) - 23: 20 31 and %dh,(%rcx) - 25: 30 2e xor %ch,(%rsi) - 27: 35 .byte 0x35 - 28: 2e 30 00 cs xor %al,(%rax) 
diff --git a/shell_test b/shell_test deleted file mode 100755 index 15ec415a5e362e2036ebf2435a95193c15653010..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15824 zcmeHOZEPGz8J;`m!=;JsBn|nbS(OHA8gK3#+X@9Y=h)}0!AVMDgMh-a_O0!c?!(;e zwRVBxDtuXKM37M72S`Aft|}?ezUN zbx>^~dsD#a@{9&5)#-Y2J+=zpLdbD@Inx9WYMNTm2|Z-wxQ){CW?ceQavdBO6p0NU zn3o2C;2Z53(qaUk6&e_hV{MkZw8L`$dh8TkQi6zMljD@B{b@LK60A!i= zGm0sx1{jT-k+>)hNgR;d;B@{KFZbWHcb~*Nv4QqKNI(vQ9KqhJ2lFJIX8+n3rq-gLb#sZT2?u$9j}KGIrX|xfORhU-jI|*y+JSx#W&H z69ukrx>znrb+&eG>c|Qvf`59X5@d6KF<)x?^S7|-JpY*c@mC%rnUnOy(+T%6?jK`^ z=2ztY2EQZ~wq|rWc-YrZXr9NAHA7ko@!@g55#lk&IA%G-^ZY?t3GqB%;uI?oD-bIX zD-bIXD-bIXD-bKd3jC%0_J3LzUTw85ZvORArL51_y`=x5b>Z38X99uz-Y1Cuvw!$o z1nq|cf3kiWSVKBK{l}5TYah23U$!p%e)+z!Y`UI)&brk9JXPTDu9D|pr_A<4p9|_E z{(Hn&mo{^~*1K1{-PH64IZsXB;xDxyT42X#1j&Cs@b9fKbgo*9%huC>I$=G%(qbj9 zSl3p)+o*!WQbDV~G}V5H`h|GDzJ-31idF6IaqB{VlC#$0E8aHiV*eI0Zgl#-eX%>h{dcg#(AMA= zusbQ+L!YOJ4~Vvo;kLc+Yrplu)&+H9|2^+Ic4zQ&A;)vOkHe4hoVZSpK95j8QcPsq zI=+w`+`eU+8fH6Au>!FIu>!FIu>!FIu>!FIu>!FIu>!FIO%=d?MeI++-b3u!+=eLG zzqnoO`(>ZwKC!V6@_^WQ7uzp3_Cxaf8z+?iZPhQc{iJMS#NNaie)*)N_p~Z?UCQ60 zY4s(+TLt$D?iK_{n5xVE$E{M3l7`Tay708wGf1fKcCq32hOhfeItA3K*uf@T@}*yf zgX@8g^qLyj%W^&c5F7oH>i>6u{o!x2M(j&X|0Z33GI4c5of;gx$GB^JqE_;1MmlBo znyIdIEils$cXykqo=&0vW6P||CiS`>bzjeE|MDlxf!g zjjoG#3nXYqcHKY?YuK!wD}g`F`pCGy5QOben~b%1&b>^ZgnDb^en9C8Wt!~+-%WxT za0+22;P)t%36Ydd6W^isH1tI2apHF-+ZCQ0;O`axXg%)_>W9}FeuVfP$vq156D8Bk zQ_ITGjNESO0pdGoe2ok|H4YKKlg2S4^Cb8`Dk}Pv_+vgG>WkvvDbKx>6g)~i_a|Ea z*NHa}9Ks(Fe@Dnh_A2o^lk_x;%-dfOzk~Gb$Y@VIpVaxuikCLawA0<0$lIPXt%#_4 zwW%p{QmyTZx4oi0$@}7~I8PxV%O+26oojW*EfglpIoI~wsz*Ju?cs9+r?YnU%#cm{ z@`pZrX5jS5AklQd!OmJzY7L!J_NmdcCkICDv%|yZvt#zyz{$}pMMTdDWN|C{M&p4$VpCcGKOJ2Er$*xu1oFW0}%buuKB{n#zVB2)| z09V9^5}KYgSbyN5(QQ7|5a>oDk#p&sPj$ZNITM6lMdJ)|`4Sy-m{n$}?78N2sb
)R`I62bAb0ct{ajG-Q%*~gm35{MwmptHBs`+whoncd1#Vt4- zpiCZFWzH7#mpNUgjOWhLH%|}pEC=$M?u<-`nHsODR4k7mkmf zr{ez)4<|gg!13Rwa6JA#0u49{M&mz3{NHKKf&OEi1w{K;XGQz(P&}`(5RY{j@Upba zePo>xkM&cYIR2B4c&zJy{C6{)xQ=l8BpJM>LOj+{K&(&EfA|3(rg&bX!Nxibi062; z|LDUd%CM%0$GQ<%7e}-oz5cIJIbRdX8_#!n&SSkS)dX!J&-hLHgyRi~1B%%Qfem~j z5}%R+ApB4PY~c4J@fj%q?u!f<;!xiYBk}nA55)Tf{G;>tClcRSn;7CL81;t@{F%gK z{IDJZ^0}^XLL9iOl;KN6e9F)zz^`hv@s05Z@hi%-(Ff~&tPgSiFzOE*_&bVi55;3W zy3$1?CHQG;%?AG(74Y0c`;B#?oF}cz`0@PbggA`jw~1pH#N$1xew4kH$^_qQUx)|t zx-uN!2uSG|yg#A_#KB&r40C87>#}_kkAA~nE(fM+A%Zz^Z}5n}yTRxT;=_os54&1Y x;U}bHd>`{1MgQ^q #include -// Define the shellcode char code[] = "\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x12\x00\x00\x00\x0f\x05\xb2\x2a\x31\xc0\xff\xc0\xf6\xe2\x89\xc7\x31\xc0\xb0\x3c\x0f\x05\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a"; - -// Declare a function pointer with no arguments and no return value typedef void (*ShellcodeFunc)(); int main() { - // Create a function pointer of the appropriate type and point it to the shellcode ShellcodeFunc func = (ShellcodeFunc)code; - // Make the memory containing the shellcode executable - // Using a reasonable default page size size_t pagesize = 4096; // 4KB, a common page size uintptr_t page_start = (uintptr_t)code & ~(pagesize - 1); mprotect((void *)page_start, pagesize, PROT_READ | PROT_EXEC); - - // Call the shellcode func(); - return 0; } diff --git a/srcs/encrypt.c b/srcs/encrypt.c new file mode 100644 index 0000000..d66e160 --- /dev/null +++ b/srcs/encrypt.c @@ -0,0 +1,11 @@ +#include "../includes/woody.h" + +void encrypt(char *file, unsigned long int offset, unsigned long int size) +{ + size_t i = 0; + while (i < size) + { + file[offset + i] = 0; + ++i; + } +} \ No newline at end of file diff --git a/srcs/main.c b/srcs/main.c index 3fd7078..d2228a7 100644 --- a/srcs/main.c +++ b/srcs/main.c 
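Review bot: encrypt() in srcs/encrypt.c writes `size` bytes starting at `offset` into `file` with no upper bound, so a caller that passes a section offset and size read from the input's own headers can write past the buffer; extend the signature with `unsigned long int file_size` and reject the range first, e.g. `if (offset > file_size || size > file_size - offset) return;`. The body only zeroes the range (`file[offset + i] = 0`) while the name promises encryption; a header comment such as `/* Placeholder: overwrites [offset, offset+size) with zeros; no cipher yet */` would keep the next reader from trusting the name. Its one call site in this commit, in prepare_injection(), is still commented out, so nothing exercises it yet.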
@@ -41,5 +41,5 @@ int main(int ac, char **av)
 int ret = get_elf_file(&woody);
 if (ret == EXIT_FAILURE)
 return ret;
- return inject(&woody);
+ return prepare_injection(&woody);
 }
\ No newline at end of file
diff --git a/srcs/utils.c b/srcs/utils.c
index 84ca99a..db2b226 100644
--- a/srcs/utils.c
+++ b/srcs/utils.c
@@ -1,6 +1,6 @@
 #include "../includes/woody.h"
-void *secure_jump(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size)
+void *fetch(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size)
 {
 if (file_size > offset_to_data && file_size >= (offset_to_data + supposed_data_size))
 return (file + offset_to_data);
diff --git a/srcs/woody.c b/srcs/woody.c
index 8a44c50..5568579 100644
--- a/srcs/woody.c
+++ b/srcs/woody.c
@@ -6,16 +6,6 @@ int elf_magic_numbers(char *str)
 return (!ft_strncmp(str, ELFMAG, SELFMAG));
 }
-void encrypt_zone(char *file, unsigned long int offset, unsigned long int size)
-{
- size_t i = 0;
- while (i < size)
- {
- file[offset + i] = 0;
- ++i;
- }
-}
-
 int save_elf(char *path, char *file, unsigned long int size)
 {
 int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0755);
@@ -67,108 +57,102 @@ int32_t find_jmp(char *code, size_t len)
 return 0;
 }
-void find_cave(t_efl_content *woody)
+void inject(t_efl_content *woody)
 {
- woody->Phdr = (Elf64_Phdr *)secure_jump(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr));
+ char payload[] = PAYLOAD;
+ size_t len_payload = sizeof(PAYLOAD) - 1;
+ woody->Phdr = (Elf64_Phdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr));
 int i = get_load_segment(woody, 0, true);
 int j = get_load_segment(woody, i + 1, false);
- printf("%d %ld\n", i, woody->Phdr[i].p_align);
- printf("%d %ld\n", j, woody->Phdr[j].p_align);
- printf("code_cave_start = %lx, virtual adress = %lx\n", woody->Phdr[i].p_offset, woody->Phdr[i].p_vaddr);
- printf("code_cave_size = %lx\n", woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz));
+ size_t code_cave_size = woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz);
+ size_t payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz;
+
+ printf("Old entry : %ld\n", woody->Ehdr->e_entry);
+ printf("Code_cave_start = %ld\n", woody->Phdr[i].p_offset);
+ printf("Code_cave_size = %ld\n", code_cave_size);
+ printf("Payload size = %ld\n", len_payload);
+
+ int32_t jmp_index = find_jmp(payload, len_payload);
+ int32_t backward_len = ((payload_off + len_payload) - woody->Ehdr->e_entry) * -1;
- Elf64_Off payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz;
+ ft_memcpy(&payload[jmp_index + 1], &backward_len, sizeof(backward_len));
+ ft_memcpy(woody->file + payload_off, payload, len_payload);
+
+ printf("Backward offset = %d\n", backward_len);
- size_t len = sizeof(PAYLOAD) - 1;
- char payload[] = PAYLOAD;
- int32_t jmp = find_jmp(payload, len);
-
- printf("%ld\n", (long int)payload[jmp + 1]);
- int32_t test = ((payload_off + len) - woody->Ehdr->e_entry) * -1;
-
- ft_memcpy(&payload[jmp + 1], &test, sizeof(test));
-
- ft_memcpy(woody->file + payload_off, payload, len);
-
- printf("old entry : %lx\n", woody->Ehdr->e_entry);
- printf("backward offset = %ld\n", (payload_off + len) - woody->Ehdr->e_entry);
 woody->Ehdr->e_entry = payload_off;
- woody->Phdr[i].p_filesz += len;
- woody->Phdr[i].p_memsz += len;
-
-
- printf("new entry = %lx\n", woody->Ehdr->e_entry);
-
- printf("p_filesz = %lx\n", woody->Phdr[i].p_filesz);
- printf("p_memsz = %lx\n", woody->Phdr[i].p_memsz);
- woody->file_size += len;
+ woody->Phdr[i].p_filesz += len_payload;
+ woody->Phdr[i].p_memsz += len_payload;
+ woody->file_size += len_payload;
+ printf("New entry = %ld\n", woody->Ehdr->e_entry);
 }
-
-int inject(t_efl_content *woody)
+int get_elf_sections(t_efl_content *woody)
 {
- woody->Ehdr = (Elf64_Ehdr *)secure_jump(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr));
+ woody->Ehdr = (Elf64_Ehdr *)fetch(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr));
 if (!woody->Ehdr || !elf_magic_numbers(woody->file) || woody->Ehdr->e_ident[EI_CLASS] != 2)
 {
 ft_printf("Error: \'%s\' is not a valid 64-bit ELF file\n", woody->file_path);
 return EXIT_FAILURE;
 }
- printf("entry point = %ld\n", woody->Ehdr->e_entry);
- Elf64_Shdr *Shdr = (Elf64_Shdr *)secure_jump(woody->file, woody->file_size, woody->Ehdr->e_shoff, sizeof(Elf64_Shdr));
- if (Shdr == NULL || !secure_jump(woody->file, woody->file_size, woody->Ehdr->e_shoff, woody->Ehdr->e_shnum * sizeof(Elf64_Shdr)))
+ Elf64_Shdr *Shdr = (Elf64_Shdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff, sizeof(Elf64_Shdr));
+ if (Shdr == NULL || !fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff, woody->Ehdr->e_shnum * sizeof(Elf64_Shdr)))
 {
 return ft_put_error("Corrupted file");
 }
- if (woody->file_size > woody->Ehdr->e_shoff + woody->Ehdr->e_shnum * sizeof(Elf64_Shdr))
- {
- printf("extra_data !\n"); // save it in woody->extra_data and append it to the end of the woody file ? Could be dangerous
- }
 Elf64_Shdr *symbols_table = NULL;
 for (int i = 0; i < woody->Ehdr->e_shnum; i++)
 {
 if (Shdr[i].sh_type == SHT_SYMTAB)
 {
- symbols_table = secure_jump(woody->file, woody->file_size, woody->Ehdr->e_shoff + (i * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr));
+ symbols_table = fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (i * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr));
 }
 }
 if (symbols_table == NULL)
 return ft_put_error("No symbols");
- if (!secure_jump(woody->file, woody->file_size, woody->Ehdr->e_shoff + (woody->Ehdr->e_shstrndx * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr)))
+ if (!fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (woody->Ehdr->e_shstrndx * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr)))
 return ft_put_error("Corrupted file");
- char *Sshstrtab = (char *)secure_jump(woody->file, woody->file_size, Shdr[woody->Ehdr->e_shstrndx].sh_offset, 0);
+ char *Sshstrtab = (char *)fetch(woody->file, woody->file_size, Shdr[woody->Ehdr->e_shstrndx].sh_offset, 0);
 if (Sshstrtab == NULL)
 return ft_put_error("Corrupted file");
- for (int i = 0; i < woody->Ehdr->e_shnum; i++)
- {
- char *section_name = Sshstrtab + Shdr[i].sh_name;
- printf("%s : Offset: %lx | Size: %lx | Virtual adress: %lx\n", section_name, Shdr[i].sh_offset, Shdr[i].sh_size, Shdr[i].sh_addr);
- }
-
- // useless for now
- Elf64_Shdr *strtab_header = (Elf64_Shdr *)secure_jump(woody->file, woody->file_size, woody->Ehdr->e_shoff + (symbols_table->sh_link * woody->Ehdr->e_shentsize), sizeof(Elf64_Shdr));
+ Elf64_Shdr *strtab_header = (Elf64_Shdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (symbols_table->sh_link * woody->Ehdr->e_shentsize), sizeof(Elf64_Shdr));
 if (!strtab_header)
 return ft_put_error("Corrupted file");
- char *strtab = secure_jump(woody->file, woody->file_size, strtab_header->sh_offset, 0);
+ char *strtab = fetch(woody->file, woody->file_size, strtab_header->sh_offset, 0);
 if (strtab == NULL)
 return ft_put_error("Corrupted file");
- Elf64_Sym *symbols = (Elf64_Sym *)secure_jump(woody->file, woody->file_size, symbols_table->sh_offset, sizeof(Elf64_Sym));
+ Elf64_Sym *symbols = (Elf64_Sym *)fetch(woody->file, woody->file_size, symbols_table->sh_offset, sizeof(Elf64_Sym));
 if (symbols == NULL)
 return ft_put_error("Corrupted file");
- // end useless woody->Ehdr->e_entry =
- find_cave(woody);
+ return EXIT_SUCCESS;
+}
- char *woody_file = malloc(woody->file_size);
+int prepare_injection(t_efl_content *woody)
+{
+ int elf_statut = get_elf_sections(woody);
+ if (elf_statut)
+ return elf_statut;
+
+ inject(woody);
+
+ char *woody_file;
+ if (!(woody_file = malloc(woody->file_size)))
+ return ft_put_error("Allocation error");
 ft_memcpy(woody_file, woody->file, woody->file_size);
- // encrypt_zone(woody_file, strtab_header->sh_offset , strtab_header->sh_size);
+ // encrypt(woody_file, strtab_header->sh_offset , strtab_header->sh_size);
+ munmap(woody_file, woody->file_size);
- return save_elf("woody", woody_file, woody->file_size);
+ save_elf("woody", woody_file, woody->file_size);
+ free(woody_file);
+ return EXIT_SUCCESS;
 }
\ No newline at end of file
diff --git a/woody.txt b/woody.txt
deleted file mode 100644
index dc5f9d3..0000000
--- a/woody.txt
+++ /dev/null
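Review bot: `woody->file_size += len_payload` at the end of inject() grows the recorded size even though the payload was written inside the existing cave bytes of woody->file, so the `ft_memcpy(woody_file, woody->file, woody->file_size)` in prepare_injection() then reads len_payload bytes past the input and the saved file carries that tail; the write itself is also unchecked, since code_cave_size is computed and printed but never compared with len_payload, and inject() returning void gives prepare_injection() no way to stop on failure. prepare_injection() further calls `munmap(woody_file, ...)` on the buffer it just obtained from malloc (the mapping behind woody->file, if that is what it is, is never released) and discards save_elf()'s status, so a failed write now returns EXIT_SUCCESS where the old code returned it. payload_off is derived from p_memsz while code_cave_size uses p_filesz; when a segment's memsz exceeds its filesz the two disagree, which is why the guard below bounds the actual write range rather than code_cave_size. Note too that fetch() as shown in the utils.c hunk adds offset_to_data and supposed_data_size with no overflow check, so header offsets near the top of the 64-bit range pass the `file_size >= (offset_to_data + supposed_data_size)` test, and the same pattern applies to `payload_off + len_payload` here. The excerpt below makes inject() return a status, drops the size increment and the munmap, and propagates save_elf()'s result (its prototype must follow).
```c
int inject(t_efl_content *woody)
{
    /* … unchanged: payload setup, Phdr fetch, get_load_segment calls, code_cave_size, payload_off … */
    if (payload_off < woody->Phdr[i].p_offset
        || len_payload > woody->Phdr[j].p_offset - payload_off
        || len_payload > woody->file_size - payload_off)
        return ft_put_error("Payload does not fit in the code cave");
    /* … unchanged: find_jmp, backward_len patch, ft_memcpy into woody->file, e_entry / p_filesz / p_memsz updates … */
    /* woody->file_size stays as mapped: the payload occupies bytes that are already in the file */
    return EXIT_SUCCESS;
}

int prepare_injection(t_efl_content *woody)
{
    /* … unchanged: get_elf_sections … */
    if (inject(woody))
        return EXIT_FAILURE;
    /* … unchanged: malloc of woody_file and ft_memcpy of the input … */
    int ret = save_elf("woody", woody_file, woody->file_size);
    free(woody_file);
    return ret;
}
```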
@@ -1,825 +0,0 @@ - -woody: file format elf64-x86-64 - - -Disassembly of section .interp: - -0000000000000318 <.interp>: - 318: 2f (bad) - 319: 6c insb (%dx),%es:(%rdi) - 31a: 69 62 36 34 2f 6c 64 imul $0x646c2f34,0x36(%rdx),%esp - 321: 2d 6c 69 6e 75 sub $0x756e696c,%eax - 326: 78 2d js 355 <__abi_tag-0x37> - 328: 78 38 js 362 <__abi_tag-0x2a> - 32a: 36 2d 36 34 2e 73 ss sub $0x732e3436,%eax - 330: 6f outsl %ds:(%rsi),(%dx) - 331: 2e 32 00 cs xor (%rax),%al - -Disassembly of section .note.gnu.property: - -0000000000000338 <.note.gnu.property>: - 338: 04 00 add $0x0,%al - 33a: 00 00 add %al,(%rax) - 33c: 20 00 and %al,(%rax) - 33e: 00 00 add %al,(%rax) - 340: 05 00 00 00 47 add $0x47000000,%eax - 345: 4e 55 rex.WRX push %rbp - 347: 00 02 add %al,(%rdx) - 349: 00 00 add %al,(%rax) - 34b: c0 04 00 00 rolb $0x0,(%rax,%rax,1) - 34f: 00 03 add %al,(%rbx) - 351: 00 00 add %al,(%rax) - 353: 00 00 add %al,(%rax) - 355: 00 00 add %al,(%rax) - 357: 00 02 add %al,(%rdx) - 359: 80 00 c0 addb $0xc0,(%rax) - 35c: 04 00 add $0x0,%al - 35e: 00 00 add %al,(%rax) - 360: 01 00 add %eax,(%rax) - 362: 00 00 add %al,(%rax) - 364: 00 00 add %al,(%rax) - ... 
- -Disassembly of section .note.gnu.build-id: - -0000000000000368 <.note.gnu.build-id>: - 368: 04 00 add $0x0,%al - 36a: 00 00 add %al,(%rax) - 36c: 14 00 adc $0x0,%al - 36e: 00 00 add %al,(%rax) - 370: 03 00 add (%rax),%eax - 372: 00 00 add %al,(%rax) - 374: 47 rex.RXB - 375: 4e 55 rex.WRX push %rbp - 377: 00 aa 0d f4 0f 29 add %ch,0x290ff40d(%rdx) - 37d: 9d popf - 37e: 21 c9 and %ecx,%ecx - 380: 16 (bad) - 381: 1e (bad) - 382: 8a 34 ce mov (%rsi,%rcx,8),%dh - 385: 99 cltd - 386: 69 cc 15 8d 7d 01 imul $0x17d8d15,%esp,%ecx - -Disassembly of section .note.ABI-tag: - -000000000000038c <__abi_tag>: - 38c: 04 00 add $0x0,%al - 38e: 00 00 add %al,(%rax) - 390: 10 00 adc %al,(%rax) - 392: 00 00 add %al,(%rax) - 394: 01 00 add %eax,(%rax) - 396: 00 00 add %al,(%rax) - 398: 47 rex.RXB - 399: 4e 55 rex.WRX push %rbp - 39b: 00 00 add %al,(%rax) - 39d: 00 00 add %al,(%rax) - 39f: 00 03 add %al,(%rbx) - 3a1: 00 00 add %al,(%rax) - 3a3: 00 02 add %al,(%rdx) - 3a5: 00 00 add %al,(%rax) - 3a7: 00 00 add %al,(%rax) - 3a9: 00 00 add %al,(%rax) - ... - -Disassembly of section .gnu.hash: - -00000000000003b0 <.gnu.hash>: - 3b0: 02 00 add (%rax),%al - 3b2: 00 00 add %al,(%rax) - 3b4: 06 (bad) - 3b5: 00 00 add %al,(%rax) - 3b7: 00 01 add %al,(%rcx) - 3b9: 00 00 add %al,(%rax) - 3bb: 00 06 add %al,(%rsi) - 3bd: 00 00 add %al,(%rax) - 3bf: 00 00 add %al,(%rax) - 3c1: 00 81 00 00 00 00 add %al,0x0(%rcx) - 3c7: 00 06 add %al,(%rsi) - 3c9: 00 00 add %al,(%rax) - 3cb: 00 00 add %al,(%rax) - 3cd: 00 00 add %al,(%rax) - 3cf: 00 d1 add %dl,%cl - 3d1: 65 ce gs (bad) - 3d3: 6d insl (%dx),%es:(%rdi) - -Disassembly of section .dynsym: - -00000000000003d8 <.dynsym>: - ... - 3f0: 10 00 adc %al,(%rax) - 3f2: 00 00 add %al,(%rax) - 3f4: 12 00 adc (%rax),%al - ... - 406: 00 00 add %al,(%rax) - 408: 48 00 00 rex.W add %al,(%rax) - 40b: 00 20 add %ah,(%rax) - ... - 41d: 00 00 add %al,(%rax) - 41f: 00 22 add %ah,(%rdx) - 421: 00 00 add %al,(%rax) - 423: 00 12 add %dl,(%rdx) - ... 
- 435: 00 00 add %al,(%rax) - 437: 00 64 00 00 add %ah,0x0(%rax,%rax,1) - 43b: 00 20 add %ah,(%rax) - ... - 44d: 00 00 add %al,(%rax) - 44f: 00 73 00 add %dh,0x0(%rbx) - 452: 00 00 add %al,(%rax) - 454: 20 00 and %al,(%rax) - ... - 466: 00 00 add %al,(%rax) - 468: 01 00 add %eax,(%rax) - 46a: 00 00 add %al,(%rax) - 46c: 22 00 and (%rax),%al - ... - -Disassembly of section .dynstr: - -0000000000000480 <.dynstr>: - 480: 00 5f 5f add %bl,0x5f(%rdi) - 483: 63 78 61 movsxd 0x61(%rax),%edi - 486: 5f pop %rdi - 487: 66 69 6e 61 6c 69 imul $0x696c,0x61(%rsi),%bp - 48d: 7a 65 jp 4f4 <__abi_tag+0x168> - 48f: 00 5f 5f add %bl,0x5f(%rdi) - 492: 6c insb (%dx),%es:(%rdi) - 493: 69 62 63 5f 73 74 61 imul $0x6174735f,0x63(%rdx),%esp - 49a: 72 74 jb 510 <__abi_tag+0x184> - 49c: 5f pop %rdi - 49d: 6d insl (%dx),%es:(%rdi) - 49e: 61 (bad) - 49f: 69 6e 00 70 75 74 73 imul $0x73747570,0x0(%rsi),%ebp - 4a6: 00 6c 69 62 add %ch,0x62(%rcx,%rbp,2) - 4aa: 63 2e movsxd (%rsi),%ebp - 4ac: 73 6f jae 51d <__abi_tag+0x191> - 4ae: 2e 36 00 47 4c cs ss add %al,0x4c(%rdi) - 4b3: 49 rex.WB - 4b4: 42 rex.X - 4b5: 43 5f rex.XB pop %r15 - 4b7: 32 2e xor (%rsi),%ch - 4b9: 32 2e xor (%rsi),%ch - 4bb: 35 00 47 4c 49 xor $0x494c4700,%eax - 4c0: 42 rex.X - 4c1: 43 5f rex.XB pop %r15 - 4c3: 32 2e xor (%rsi),%ch - 4c5: 33 34 00 xor (%rax,%rax,1),%esi - 4c8: 5f pop %rdi - 4c9: 49 54 rex.WB push %r12 - 4cb: 4d 5f rex.WRB pop %r15 - 4cd: 64 65 72 65 fs gs jb 536 <__abi_tag+0x1aa> - 4d1: 67 69 73 74 65 72 54 imul $0x4d547265,0x74(%ebx),%esi - 4d8: 4d - 4d9: 43 6c rex.XB insb (%dx),%es:(%rdi) - 4db: 6f outsl %ds:(%rsi),(%dx) - 4dc: 6e outsb %ds:(%rsi),(%dx) - 4dd: 65 54 gs push %rsp - 4df: 61 (bad) - 4e0: 62 (bad) - 4e1: 6c insb (%dx),%es:(%rdi) - 4e2: 65 00 5f 5f add %bl,%gs:0x5f(%rdi) - 4e6: 67 6d insl (%dx),%es:(%edi) - 4e8: 6f outsl %ds:(%rsi),(%dx) - 4e9: 6e outsb %ds:(%rsi),(%dx) - 4ea: 5f pop %rdi - 4eb: 73 74 jae 561 <__abi_tag+0x1d5> - 4ed: 61 (bad) - 4ee: 72 74 jb 564 <__abi_tag+0x1d8> - 4f0: 5f pop %rdi 
- 4f1: 5f pop %rdi - 4f2: 00 5f 49 add %bl,0x49(%rdi) - 4f5: 54 push %rsp - 4f6: 4d 5f rex.WRB pop %r15 - 4f8: 72 65 jb 55f <__abi_tag+0x1d3> - 4fa: 67 69 73 74 65 72 54 imul $0x4d547265,0x74(%ebx),%esi - 501: 4d - 502: 43 6c rex.XB insb (%dx),%es:(%rdi) - 504: 6f outsl %ds:(%rsi),(%dx) - 505: 6e outsb %ds:(%rsi),(%dx) - 506: 65 54 gs push %rsp - 508: 61 (bad) - 509: 62 .byte 0x62 - 50a: 6c insb (%dx),%es:(%rdi) - 50b: 65 gs - ... - -Disassembly of section .gnu.version: - -000000000000050e <.gnu.version>: - 50e: 00 00 add %al,(%rax) - 510: 02 00 add (%rax),%al - 512: 01 00 add %eax,(%rax) - 514: 03 00 add (%rax),%eax - 516: 01 00 add %eax,(%rax) - 518: 01 00 add %eax,(%rax) - 51a: 03 00 add (%rax),%eax - -Disassembly of section .gnu.version_r: - -0000000000000520 <.gnu.version_r>: - 520: 01 00 add %eax,(%rax) - 522: 02 00 add (%rax),%al - 524: 27 (bad) - 525: 00 00 add %al,(%rax) - 527: 00 10 add %dl,(%rax) - 529: 00 00 add %al,(%rax) - 52b: 00 00 add %al,(%rax) - 52d: 00 00 add %al,(%rax) - 52f: 00 75 1a add %dh,0x1a(%rbp) - 532: 69 09 00 00 03 00 imul $0x30000,(%rcx),%ecx - 538: 31 00 xor %eax,(%rax) - 53a: 00 00 add %al,(%rax) - 53c: 10 00 adc %al,(%rax) - 53e: 00 00 add %al,(%rax) - 540: b4 91 mov $0x91,%ah - 542: 96 xchg %eax,%esi - 543: 06 (bad) - 544: 00 00 add %al,(%rax) - 546: 02 00 add (%rax),%al - 548: 3d 00 00 00 00 cmp $0x0,%eax - 54d: 00 00 add %al,(%rax) - ... - -Disassembly of section .rela.dyn: - -0000000000000550 <.rela.dyn>: - 550: b8 3d 00 00 00 mov $0x3d,%eax - 555: 00 00 add %al,(%rax) - 557: 00 08 add %cl,(%rax) - 559: 00 00 add %al,(%rax) - 55b: 00 00 add %al,(%rax) - 55d: 00 00 add %al,(%rax) - 55f: 00 40 11 add %al,0x11(%rax) - 562: 00 00 add %al,(%rax) - 564: 00 00 add %al,(%rax) - 566: 00 00 add %al,(%rax) - 568: c0 3d 00 00 00 00 00 sarb $0x0,0x0(%rip) # 56f <__abi_tag+0x1e3> - 56f: 00 08 add %cl,(%rax) - ... 
- 579: 11 00 adc %eax,(%rax) - 57b: 00 00 add %al,(%rax) - 57d: 00 00 add %al,(%rax) - 57f: 00 08 add %cl,(%rax) - 581: 40 00 00 rex add %al,(%rax) - 584: 00 00 add %al,(%rax) - 586: 00 00 add %al,(%rax) - 588: 08 00 or %al,(%rax) - 58a: 00 00 add %al,(%rax) - 58c: 00 00 add %al,(%rax) - 58e: 00 00 add %al,(%rax) - 590: 08 40 00 or %al,0x0(%rax) - 593: 00 00 add %al,(%rax) - 595: 00 00 add %al,(%rax) - 597: 00 d8 add %bl,%al - 599: 3f (bad) - 59a: 00 00 add %al,(%rax) - 59c: 00 00 add %al,(%rax) - 59e: 00 00 add %al,(%rax) - 5a0: 06 (bad) - 5a1: 00 00 add %al,(%rax) - 5a3: 00 01 add %al,(%rcx) - ... - 5ad: 00 00 add %al,(%rax) - 5af: 00 e0 add %ah,%al - 5b1: 3f (bad) - 5b2: 00 00 add %al,(%rax) - 5b4: 00 00 add %al,(%rax) - 5b6: 00 00 add %al,(%rax) - 5b8: 06 (bad) - 5b9: 00 00 add %al,(%rax) - 5bb: 00 02 add %al,(%rdx) - ... - 5c5: 00 00 add %al,(%rax) - 5c7: 00 e8 add %ch,%al - 5c9: 3f (bad) - 5ca: 00 00 add %al,(%rax) - 5cc: 00 00 add %al,(%rax) - 5ce: 00 00 add %al,(%rax) - 5d0: 06 (bad) - 5d1: 00 00 add %al,(%rax) - 5d3: 00 04 00 add %al,(%rax,%rax,1) - ... - 5de: 00 00 add %al,(%rax) - 5e0: f0 3f lock (bad) - 5e2: 00 00 add %al,(%rax) - 5e4: 00 00 add %al,(%rax) - 5e6: 00 00 add %al,(%rax) - 5e8: 06 (bad) - 5e9: 00 00 add %al,(%rax) - 5eb: 00 05 00 00 00 00 add %al,0x0(%rip) # 5f1 <__abi_tag+0x265> - 5f1: 00 00 add %al,(%rax) - 5f3: 00 00 add %al,(%rax) - 5f5: 00 00 add %al,(%rax) - 5f7: 00 f8 add %bh,%al - 5f9: 3f (bad) - 5fa: 00 00 add %al,(%rax) - 5fc: 00 00 add %al,(%rax) - 5fe: 00 00 add %al,(%rax) - 600: 06 (bad) - 601: 00 00 add %al,(%rax) - 603: 00 06 add %al,(%rsi) - ... - -Disassembly of section .rela.plt: - -0000000000000610 <.rela.plt>: - 610: d0 3f sarb (%rdi) - 612: 00 00 add %al,(%rax) - 614: 00 00 add %al,(%rax) - 616: 00 00 add %al,(%rax) - 618: 07 (bad) - 619: 00 00 add %al,(%rax) - 61b: 00 03 add %al,(%rbx) - ... 
- -Disassembly of section .init: - -0000000000001000 <_init>: - 1000: f3 0f 1e fa endbr64 - 1004: 48 83 ec 08 sub $0x8,%rsp - 1008: 48 8b 05 d9 2f 00 00 mov 0x2fd9(%rip),%rax # 3fe8 <__gmon_start__@Base> - 100f: 48 85 c0 test %rax,%rax - 1012: 74 02 je 1016 <_init+0x16> - 1014: ff d0 call *%rax - 1016: 48 83 c4 08 add $0x8,%rsp - 101a: c3 ret - -Disassembly of section .plt: - -0000000000001020 <.plt>: - 1020: ff 35 9a 2f 00 00 push 0x2f9a(%rip) # 3fc0 <_GLOBAL_OFFSET_TABLE_+0x8> - 1026: f2 ff 25 9b 2f 00 00 bnd jmp *0x2f9b(%rip) # 3fc8 <_GLOBAL_OFFSET_TABLE_+0x10> - 102d: 0f 1f 00 nopl (%rax) - 1030: f3 0f 1e fa endbr64 - 1034: 68 00 00 00 00 push $0x0 - 1039: f2 e9 e1 ff ff ff bnd jmp 1020 <_init+0x20> - 103f: 90 nop - -Disassembly of section .plt.got: - -0000000000001040 <__cxa_finalize@plt>: - 1040: f3 0f 1e fa endbr64 - 1044: f2 ff 25 ad 2f 00 00 bnd jmp *0x2fad(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5> - 104b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) - -Disassembly of section .plt.sec: - -0000000000001050 : - 1050: f3 0f 1e fa endbr64 - 1054: f2 ff 25 75 2f 00 00 bnd jmp *0x2f75(%rip) # 3fd0 - 105b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) - -Disassembly of section .text: - -0000000000001060 <_start>: - 1060: f3 0f 1e fa endbr64 - 1064: 31 ed xor %ebp,%ebp - 1066: 49 89 d1 mov %rdx,%r9 - 1069: 5e pop %rsi - 106a: 48 89 e2 mov %rsp,%rdx - 106d: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp - 1071: 50 push %rax - 1072: 54 push %rsp - 1073: 45 31 c0 xor %r8d,%r8d - 1076: 31 c9 xor %ecx,%ecx - 1078: 48 8d 3d ca 00 00 00 lea 0xca(%rip),%rdi # 1149
- 107f: ff 15 53 2f 00 00 call *0x2f53(%rip) # 3fd8 <__libc_start_main@GLIBC_2.34> - 1085: f4 hlt - 1086: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) - 108d: 00 00 00 - -0000000000001090 : - 1090: 48 8d 3d 79 2f 00 00 lea 0x2f79(%rip),%rdi # 4010 <__TMC_END__> - 1097: 48 8d 05 72 2f 00 00 lea 0x2f72(%rip),%rax # 4010 <__TMC_END__> - 109e: 48 39 f8 cmp %rdi,%rax - 10a1: 74 15 je 10b8 - 10a3: 48 8b 05 36 2f 00 00 mov 0x2f36(%rip),%rax # 3fe0 <_ITM_deregisterTMCloneTable@Base> - 10aa: 48 85 c0 test %rax,%rax - 10ad: 74 09 je 10b8 - 10af: ff e0 jmp *%rax - 10b1: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) - 10b8: c3 ret - 10b9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) - -00000000000010c0 : - 10c0: 48 8d 3d 49 2f 00 00 lea 0x2f49(%rip),%rdi # 4010 <__TMC_END__> - 10c7: 48 8d 35 42 2f 00 00 lea 0x2f42(%rip),%rsi # 4010 <__TMC_END__> - 10ce: 48 29 fe sub %rdi,%rsi - 10d1: 48 89 f0 mov %rsi,%rax - 10d4: 48 c1 ee 3f shr $0x3f,%rsi - 10d8: 48 c1 f8 03 sar $0x3,%rax - 10dc: 48 01 c6 add %rax,%rsi - 10df: 48 d1 fe sar %rsi - 10e2: 74 14 je 10f8 - 10e4: 48 8b 05 05 2f 00 00 mov 0x2f05(%rip),%rax # 3ff0 <_ITM_registerTMCloneTable@Base> - 10eb: 48 85 c0 test %rax,%rax - 10ee: 74 08 je 10f8 - 10f0: ff e0 jmp *%rax - 10f2: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) - 10f8: c3 ret - 10f9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) - -0000000000001100 <__do_global_dtors_aux>: - 1100: f3 0f 1e fa endbr64 - 1104: 80 3d 05 2f 00 00 00 cmpb $0x0,0x2f05(%rip) # 4010 <__TMC_END__> - 110b: 75 2b jne 1138 <__do_global_dtors_aux+0x38> - 110d: 55 push %rbp - 110e: 48 83 3d e2 2e 00 00 cmpq $0x0,0x2ee2(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5> - 1115: 00 - 1116: 48 89 e5 mov %rsp,%rbp - 1119: 74 0c je 1127 <__do_global_dtors_aux+0x27> - 111b: 48 8b 3d e6 2e 00 00 mov 0x2ee6(%rip),%rdi # 4008 <__dso_handle> - 1122: e8 19 ff ff ff call 1040 <__cxa_finalize@plt> - 1127: e8 64 ff ff ff call 1090 - 112c: c6 05 dd 2e 00 00 01 movb $0x1,0x2edd(%rip) # 4010 <__TMC_END__> - 1133: 5d pop %rbp - 1134: c3 ret - 1135: 0f 1f 00 
nopl (%rax) - 1138: c3 ret - 1139: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) - -0000000000001140 : - 1140: f3 0f 1e fa endbr64 - 1144: e9 77 ff ff ff jmp 10c0 - -0000000000001149
: - 1149: f3 0f 1e fa endbr64 - 114d: 55 push %rbp - 114e: 48 89 e5 mov %rsp,%rbp - 1151: 48 8d 3d ac 0e 00 00 lea 0xeac(%rip),%rdi # 2004 <_IO_stdin_used+0x4> - 1158: e8 f3 fe ff ff call 1050 - 115d: b8 00 00 00 00 mov $0x0,%eax - 1162: 5d pop %rbp - 1163: c3 ret - -Disassembly of section .fini: - -0000000000001164 <_fini>: - 1164: f3 0f 1e fa endbr64 - 1168: 48 83 ec 08 sub $0x8,%rsp - 116c: 48 83 c4 08 add $0x8,%rsp - 1170: c3 ret - -Disassembly of section .rodata: - -0000000000002000 <_IO_stdin_used>: - 2000: 01 00 add %eax,(%rax) - 2002: 02 00 add (%rax),%al - 2004: 48 rex.W - 2005: 65 6c gs insb (%dx),%es:(%rdi) - 2007: 6c insb (%dx),%es:(%rdi) - 2008: 6f outsl %ds:(%rsi),(%dx) - 2009: 2c 20 sub $0x20,%al - 200b: 57 push %rdi - 200c: 6f outsl %ds:(%rsi),(%dx) - 200d: 72 6c jb 207b <__GNU_EH_FRAME_HDR+0x67> - 200f: 64 21 00 and %eax,%fs:(%rax) - -Disassembly of section .eh_frame_hdr: - -0000000000002014 <__GNU_EH_FRAME_HDR>: - 2014: 01 1b add %ebx,(%rbx) - 2016: 03 3b add (%rbx),%edi - 2018: 30 00 xor %al,(%rax) - 201a: 00 00 add %al,(%rax) - 201c: 05 00 00 00 0c add $0xc000000,%eax - 2021: f0 ff lock (bad) - 2023: ff 64 00 00 jmp *0x0(%rax,%rax,1) - 2027: 00 2c f0 add %ch,(%rax,%rsi,8) - 202a: ff (bad) - 202b: ff 8c 00 00 00 3c f0 decl -0xfc40000(%rax,%rax,1) - 2032: ff (bad) - 2033: ff a4 00 00 00 4c f0 jmp *-0xfb40000(%rax,%rax,1) - 203a: ff (bad) - 203b: ff 4c 00 00 decl 0x0(%rax,%rax,1) - 203f: 00 35 f1 ff ff bc add %dh,-0x4300000f(%rip) # ffffffffbd002036 <_end+0xffffffffbcffe01e> - 2045: 00 00 add %al,(%rax) - ... 
- -Disassembly of section .eh_frame: - -0000000000002048 <__FRAME_END__-0xa8>: - 2048: 14 00 adc $0x0,%al - 204a: 00 00 add %al,(%rax) - 204c: 00 00 add %al,(%rax) - 204e: 00 00 add %al,(%rax) - 2050: 01 7a 52 add %edi,0x52(%rdx) - 2053: 00 01 add %al,(%rcx) - 2055: 78 10 js 2067 <__GNU_EH_FRAME_HDR+0x53> - 2057: 01 1b add %ebx,(%rbx) - 2059: 0c 07 or $0x7,%al - 205b: 08 90 01 00 00 14 or %dl,0x14000001(%rax) - 2061: 00 00 add %al,(%rax) - 2063: 00 1c 00 add %bl,(%rax,%rax,1) - 2066: 00 00 add %al,(%rax) - 2068: f8 clc - 2069: ef out %eax,(%dx) - 206a: ff (bad) - 206b: ff 26 jmp *(%rsi) - 206d: 00 00 add %al,(%rax) - 206f: 00 00 add %al,(%rax) - 2071: 44 07 rex.R (bad) - 2073: 10 00 adc %al,(%rax) - 2075: 00 00 add %al,(%rax) - 2077: 00 24 00 add %ah,(%rax,%rax,1) - 207a: 00 00 add %al,(%rax) - 207c: 34 00 xor $0x0,%al - 207e: 00 00 add %al,(%rax) - 2080: a0 ef ff ff 20 00 00 movabs 0x20ffffef,%al - 2087: 00 00 - 2089: 0e (bad) - 208a: 10 46 0e adc %al,0xe(%rsi) - 208d: 18 4a 0f sbb %cl,0xf(%rdx) - 2090: 0b 77 08 or 0x8(%rdi),%esi - 2093: 80 00 3f addb $0x3f,(%rax) - 2096: 1a 3a sbb (%rdx),%bh - 2098: 2a 33 sub (%rbx),%dh - 209a: 24 22 and $0x22,%al - 209c: 00 00 add %al,(%rax) - 209e: 00 00 add %al,(%rax) - 20a0: 14 00 adc $0x0,%al - 20a2: 00 00 add %al,(%rax) - 20a4: 5c pop %rsp - 20a5: 00 00 add %al,(%rax) - 20a7: 00 98 ef ff ff 10 add %bl,0x10ffffef(%rax) - ... - 20b5: 00 00 add %al,(%rax) - 20b7: 00 14 00 add %dl,(%rax,%rax,1) - 20ba: 00 00 add %al,(%rax) - 20bc: 74 00 je 20be <__GNU_EH_FRAME_HDR+0xaa> - 20be: 00 00 add %al,(%rax) - 20c0: 90 nop - 20c1: ef out %eax,(%dx) - 20c2: ff (bad) - 20c3: ff 10 call *(%rax) - ... 
- 20cd: 00 00 add %al,(%rax) - 20cf: 00 1c 00 add %bl,(%rax,%rax,1) - 20d2: 00 00 add %al,(%rax) - 20d4: 8c 00 mov %es,(%rax) - 20d6: 00 00 add %al,(%rax) - 20d8: 71 f0 jno 20ca <__GNU_EH_FRAME_HDR+0xb6> - 20da: ff (bad) - 20db: ff 1b lcall *(%rbx) - 20dd: 00 00 add %al,(%rax) - 20df: 00 00 add %al,(%rax) - 20e1: 45 0e rex.RB (bad) - 20e3: 10 86 02 43 0d 06 adc %al,0x60d4302(%rsi) - 20e9: 52 push %rdx - 20ea: 0c 07 or $0x7,%al - 20ec: 08 00 or %al,(%rax) - ... - -00000000000020f0 <__FRAME_END__>: - 20f0: 00 00 add %al,(%rax) - ... - -Disassembly of section .init_array: - -0000000000003db8 <__frame_dummy_init_array_entry>: - 3db8: 40 11 00 rex adc %eax,(%rax) - 3dbb: 00 00 add %al,(%rax) - 3dbd: 00 00 add %al,(%rax) - ... - -Disassembly of section .fini_array: - -0000000000003dc0 <__do_global_dtors_aux_fini_array_entry>: - 3dc0: 00 11 add %dl,(%rcx) - 3dc2: 00 00 add %al,(%rax) - 3dc4: 00 00 add %al,(%rax) - ... - -Disassembly of section .dynamic: - -0000000000003dc8 <_DYNAMIC>: - 3dc8: 01 00 add %eax,(%rax) - 3dca: 00 00 add %al,(%rax) - 3dcc: 00 00 add %al,(%rax) - 3dce: 00 00 add %al,(%rax) - 3dd0: 27 (bad) - 3dd1: 00 00 add %al,(%rax) - 3dd3: 00 00 add %al,(%rax) - 3dd5: 00 00 add %al,(%rax) - 3dd7: 00 0c 00 add %cl,(%rax,%rax,1) - 3dda: 00 00 add %al,(%rax) - 3ddc: 00 00 add %al,(%rax) - 3dde: 00 00 add %al,(%rax) - 3de0: 00 10 add %dl,(%rax) - 3de2: 00 00 add %al,(%rax) - 3de4: 00 00 add %al,(%rax) - 3de6: 00 00 add %al,(%rax) - 3de8: 0d 00 00 00 00 or $0x0,%eax - 3ded: 00 00 add %al,(%rax) - 3def: 00 64 11 00 add %ah,0x0(%rcx,%rdx,1) - 3df3: 00 00 add %al,(%rax) - 3df5: 00 00 add %al,(%rax) - 3df7: 00 19 add %bl,(%rcx) - 3df9: 00 00 add %al,(%rax) - 3dfb: 00 00 add %al,(%rax) - 3dfd: 00 00 add %al,(%rax) - 3dff: 00 b8 3d 00 00 00 add %bh,0x3d(%rax) - 3e05: 00 00 add %al,(%rax) - 3e07: 00 1b add %bl,(%rbx) - 3e09: 00 00 add %al,(%rax) - 3e0b: 00 00 add %al,(%rax) - 3e0d: 00 00 add %al,(%rax) - 3e0f: 00 08 add %cl,(%rax) - 3e11: 00 00 add %al,(%rax) - 3e13: 00 
00 add %al,(%rax) - 3e15: 00 00 add %al,(%rax) - 3e17: 00 1a add %bl,(%rdx) - 3e19: 00 00 add %al,(%rax) - 3e1b: 00 00 add %al,(%rax) - 3e1d: 00 00 add %al,(%rax) - 3e1f: 00 c0 add %al,%al - 3e21: 3d 00 00 00 00 cmp $0x0,%eax - 3e26: 00 00 add %al,(%rax) - 3e28: 1c 00 sbb $0x0,%al - 3e2a: 00 00 add %al,(%rax) - 3e2c: 00 00 add %al,(%rax) - 3e2e: 00 00 add %al,(%rax) - 3e30: 08 00 or %al,(%rax) - 3e32: 00 00 add %al,(%rax) - 3e34: 00 00 add %al,(%rax) - 3e36: 00 00 add %al,(%rax) - 3e38: f5 cmc - 3e39: fe (bad) - 3e3a: ff 6f 00 ljmp *0x0(%rdi) - 3e3d: 00 00 add %al,(%rax) - 3e3f: 00 b0 03 00 00 00 add %dh,0x3(%rax) - 3e45: 00 00 add %al,(%rax) - 3e47: 00 05 00 00 00 00 add %al,0x0(%rip) # 3e4d <_DYNAMIC+0x85> - 3e4d: 00 00 add %al,(%rax) - 3e4f: 00 80 04 00 00 00 add %al,0x4(%rax) - 3e55: 00 00 add %al,(%rax) - 3e57: 00 06 add %al,(%rsi) - 3e59: 00 00 add %al,(%rax) - 3e5b: 00 00 add %al,(%rax) - 3e5d: 00 00 add %al,(%rax) - 3e5f: 00 d8 add %bl,%al - 3e61: 03 00 add (%rax),%eax - 3e63: 00 00 add %al,(%rax) - 3e65: 00 00 add %al,(%rax) - 3e67: 00 0a add %cl,(%rdx) - 3e69: 00 00 add %al,(%rax) - 3e6b: 00 00 add %al,(%rax) - 3e6d: 00 00 add %al,(%rax) - 3e6f: 00 8d 00 00 00 00 add %cl,0x0(%rbp) - 3e75: 00 00 add %al,(%rax) - 3e77: 00 0b add %cl,(%rbx) - 3e79: 00 00 add %al,(%rax) - 3e7b: 00 00 add %al,(%rax) - 3e7d: 00 00 add %al,(%rax) - 3e7f: 00 18 add %bl,(%rax) - 3e81: 00 00 add %al,(%rax) - 3e83: 00 00 add %al,(%rax) - 3e85: 00 00 add %al,(%rax) - 3e87: 00 15 00 00 00 00 add %dl,0x0(%rip) # 3e8d <_DYNAMIC+0xc5> - ... 
- 3e95: 00 00 add %al,(%rax) - 3e97: 00 03 add %al,(%rbx) - 3e99: 00 00 add %al,(%rax) - 3e9b: 00 00 add %al,(%rax) - 3e9d: 00 00 add %al,(%rax) - 3e9f: 00 b8 3f 00 00 00 add %bh,0x3f(%rax) - 3ea5: 00 00 add %al,(%rax) - 3ea7: 00 02 add %al,(%rdx) - 3ea9: 00 00 add %al,(%rax) - 3eab: 00 00 add %al,(%rax) - 3ead: 00 00 add %al,(%rax) - 3eaf: 00 18 add %bl,(%rax) - 3eb1: 00 00 add %al,(%rax) - 3eb3: 00 00 add %al,(%rax) - 3eb5: 00 00 add %al,(%rax) - 3eb7: 00 14 00 add %dl,(%rax,%rax,1) - 3eba: 00 00 add %al,(%rax) - 3ebc: 00 00 add %al,(%rax) - 3ebe: 00 00 add %al,(%rax) - 3ec0: 07 (bad) - 3ec1: 00 00 add %al,(%rax) - 3ec3: 00 00 add %al,(%rax) - 3ec5: 00 00 add %al,(%rax) - 3ec7: 00 17 add %dl,(%rdi) - 3ec9: 00 00 add %al,(%rax) - 3ecb: 00 00 add %al,(%rax) - 3ecd: 00 00 add %al,(%rax) - 3ecf: 00 10 add %dl,(%rax) - 3ed1: 06 (bad) - 3ed2: 00 00 add %al,(%rax) - 3ed4: 00 00 add %al,(%rax) - 3ed6: 00 00 add %al,(%rax) - 3ed8: 07 (bad) - 3ed9: 00 00 add %al,(%rax) - 3edb: 00 00 add %al,(%rax) - 3edd: 00 00 add %al,(%rax) - 3edf: 00 50 05 add %dl,0x5(%rax) - 3ee2: 00 00 add %al,(%rax) - 3ee4: 00 00 add %al,(%rax) - 3ee6: 00 00 add %al,(%rax) - 3ee8: 08 00 or %al,(%rax) - 3eea: 00 00 add %al,(%rax) - 3eec: 00 00 add %al,(%rax) - 3eee: 00 00 add %al,(%rax) - 3ef0: c0 00 00 rolb $0x0,(%rax) - 3ef3: 00 00 add %al,(%rax) - 3ef5: 00 00 add %al,(%rax) - 3ef7: 00 09 add %cl,(%rcx) - 3ef9: 00 00 add %al,(%rax) - 3efb: 00 00 add %al,(%rax) - 3efd: 00 00 add %al,(%rax) - 3eff: 00 18 add %bl,(%rax) - 3f01: 00 00 add %al,(%rax) - 3f03: 00 00 add %al,(%rax) - 3f05: 00 00 add %al,(%rax) - 3f07: 00 1e add %bl,(%rsi) - 3f09: 00 00 add %al,(%rax) - 3f0b: 00 00 add %al,(%rax) - 3f0d: 00 00 add %al,(%rax) - 3f0f: 00 08 add %cl,(%rax) - 3f11: 00 00 add %al,(%rax) - 3f13: 00 00 add %al,(%rax) - 3f15: 00 00 add %al,(%rax) - 3f17: 00 fb add %bh,%bl - 3f19: ff (bad) - 3f1a: ff 6f 00 ljmp *0x0(%rdi) - 3f1d: 00 00 add %al,(%rax) - 3f1f: 00 01 add %al,(%rcx) - 3f21: 00 00 add %al,(%rax) - 3f23: 
08 00 or %al,(%rax) - 3f25: 00 00 add %al,(%rax) - 3f27: 00 fe add %bh,%dh - 3f29: ff (bad) - 3f2a: ff 6f 00 ljmp *0x0(%rdi) - 3f2d: 00 00 add %al,(%rax) - 3f2f: 00 20 add %ah,(%rax) - 3f31: 05 00 00 00 00 add $0x0,%eax - 3f36: 00 00 add %al,(%rax) - 3f38: ff (bad) - 3f39: ff (bad) - 3f3a: ff 6f 00 ljmp *0x0(%rdi) - 3f3d: 00 00 add %al,(%rax) - 3f3f: 00 01 add %al,(%rcx) - 3f41: 00 00 add %al,(%rax) - 3f43: 00 00 add %al,(%rax) - 3f45: 00 00 add %al,(%rax) - 3f47: 00 f0 add %dh,%al - 3f49: ff (bad) - 3f4a: ff 6f 00 ljmp *0x0(%rdi) - 3f4d: 00 00 add %al,(%rax) - 3f4f: 00 0e add %cl,(%rsi) - 3f51: 05 00 00 00 00 add $0x0,%eax - 3f56: 00 00 add %al,(%rax) - 3f58: f9 stc - 3f59: ff (bad) - 3f5a: ff 6f 00 ljmp *0x0(%rdi) - 3f5d: 00 00 add %al,(%rax) - 3f5f: 00 03 add %al,(%rbx) - ... - -Disassembly of section .got: - -0000000000003fb8 <_GLOBAL_OFFSET_TABLE_>: - 3fb8: c8 3d 00 00 enter $0x3d,$0x0 - ... - 3fd0: 30 10 xor %dl,(%rax) - ... - -Disassembly of section .data: - -0000000000004000 <__data_start>: - ... - -0000000000004008 <__dso_handle>: - 4008: 08 40 00 or %al,0x0(%rax) - 400b: 00 00 add %al,(%rax) - 400d: 00 00 add %al,(%rax) - ... - -Disassembly of section .bss: - -0000000000004010 : - ... - -Disassembly of section .comment: - -0000000000000000 <.comment>: - 0: 47 rex.RXB - 1: 43 rex.XB - 2: 43 3a 20 rex.XB cmp (%r8),%spl - 5: 28 55 62 sub %dl,0x62(%rbp) - 8: 75 6e jne 78 <__abi_tag-0x314> - a: 74 75 je 81 <__abi_tag-0x30b> - c: 20 31 and %dh,(%rcx) - e: 30 2e xor %ch,(%rsi) - 10: 35 2e 30 2d 31 xor $0x312d302e,%eax - 15: 75 62 jne 79 <__abi_tag-0x313> - 17: 75 6e jne 87 <__abi_tag-0x305> - 19: 74 75 je 90 <__abi_tag-0x2fc> - 1b: 31 7e 32 xor %edi,0x32(%rsi) - 1e: 32 2e xor (%rsi),%ch - 20: 30 34 29 xor %dh,(%rcx,%rbp,1) - 23: 20 31 and %dh,(%rcx) - 25: 30 2e xor %ch,(%rsi) - 27: 35 .byte 0x35 - 28: 2e 30 00 cs xor %al,(%rax) From b714716094bf93ebffe84781fbb617295eaf6ddb Mon Sep 17 00:00:00 2001 
From: pbonilla Date: Fri, 23 Feb 2024 14:17:23 +0100 Subject: [PATCH 05/20] assembly simplified --- README | 6 ++--- diff.txt | 4 --- includes/woody.h | 4 +-- print.s | 66 +++++++++++++++++++++++++++++++++--------------- shellcode_test.c | 17 ------------- srcs/woody.c | 9 +++---- 6 files changed, 53 insertions(+), 53 deletions(-) delete mode 100644 diff.txt delete mode 100644 shellcode_test.c diff --git a/README b/README index ff6b199..c5565b7 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ Transform payload code in hexa : + nasm -f elf64 -o print.o print.s && ld -o print print.o && nasm -f bin -o payload print.s && hexdump -v -e '"\\\x\" 1/1 "%02x"' payload -nasm -f elf64 -o print.o print.s && ld -o print print.o && nasm -f bin -o payload print.s && hexdump -v -e '"\\\x\" 1/1 "%02x"' payload - -Append : | xclip -sel clip to directly get it in clipboard \ No newline at end of file +To get it in the clipboad directly append : + | xclip -sel clip to directly \ No newline at end of file diff --git a/diff.txt b/diff.txt deleted file mode 100644 index e4f2717..0000000 --- a/diff.txt +++ /dev/null @@ -1,4 +0,0 @@ -2c2 -< resources/sample64: file format elf64-x86-64 ---- -> woody: file format elf64-x86-64 diff --git a/includes/woody.h b/includes/woody.h index 64bb890..794a1d3 100644 --- a/includes/woody.h +++ b/includes/woody.h @@ -14,8 +14,8 @@ #include #include -#define PAYLOAD "\x50\x57\x56\x52\x53\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x0c\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xdf\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a" -#define JUMP "\xe9";//\xdf\xff\xff\xff"; +#define PAYLOAD "\x50\x57\x56\x52\x53\xbf\x01\x00\x00\x00\x48\x8d\x35\x16\x00\x00\x00\xba\x0a\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xd9\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a" +#define JUMP "\xe9" typedef struct efl_content { diff --git a/print.s b/print.s index 6b75ec4..db11230 100644 --- a/print.s +++ b/print.s 
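Review bot: The new `PAYLOAD` literal is an undocumented run of hex escapes that contains `\x00` bytes, so a length taken with any string function would stop early, and nothing on the define says so. A comment above it would protect the next maintainer: `/* raw bytes of print.s (regenerate with the command in README); contains NUL bytes, so size it with sizeof(PAYLOAD) - 1, never a strlen */`. `JUMP` deserves the same one-liner, e.g. `/* opcode of the rel32 jmp whose displacement the injector patches in */`, since that byte is the only thing the patching code searches for.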
@@ -1,28 +1,52 @@ +; bits 64 +; default rel +; global _start + +; _start: +; push rax +; push rdi +; push rsi +; push rdx +; push rbx + +; xor eax, eax +; cdq +; mov dl, 10 +; inc eax +; mov edi, eax +; lea rsi, [rel msg] +; syscall +; pop rbx +; pop rdx +; pop rsi +; pop rdi +; pop rax +; jmp 0x00000000 + +; msg db "..WOODY..",10 + bits 64 default rel global _start _start: - push rax - push rdi - push rsi - push rdx - push rbx - - xor eax, eax - cdq - mov dl, 10 - inc eax - mov edi, eax - lea rsi, [rel msg] - syscall - pop rbx - pop rdx - pop rsi - pop rdi - pop rax - jmp 0x00000000 + push rax + push rdi + push rsi + push rdx + push rbx + mov rdi, 1 + lea rsi, [rel msg] + mov rdx, 10 + mov rax, 1 + syscall + + pop rbx + pop rdx + pop rsi + pop rdi + pop rax + jmp 0x00000000 + msg db "..WOODY..",10 - - diff --git a/shellcode_test.c b/shellcode_test.c deleted file mode 100644 index ae1646f..0000000 --- a/shellcode_test.c +++ /dev/null @@ -1,17 +0,0 @@ -#include -#include -#include -#include - -char code[] = "\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x12\x00\x00\x00\x0f\x05\xb2\x2a\x31\xc0\xff\xc0\xf6\xe2\x89\xc7\x31\xc0\xb0\x3c\x0f\x05\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a"; -typedef void (*ShellcodeFunc)(); - -int main() { - ShellcodeFunc func = (ShellcodeFunc)code; - - size_t pagesize = 4096; // 4KB, a common page size - uintptr_t page_start = (uintptr_t)code & ~(pagesize - 1); - mprotect((void *)page_start, pagesize, PROT_READ | PROT_EXEC); - func(); - return 0; -} diff --git a/srcs/woody.c b/srcs/woody.c index 5568579..8aad51a 100644 --- a/srcs/woody.c +++ b/srcs/woody.c @@ -45,7 +45,6 @@ int get_load_segment(t_efl_content *woody, int start, bool executable) return -1; } - int32_t find_jmp(char *code, size_t len) { char *jump = JUMP; 
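Review bot: The whole previous routine is kept as a `;`-commented block above the new `_start`, which is dead text that will drift from the live code; delete it and let git history hold the old version. In the live code, `mov rdx, 10` duplicates the length of `msg`, which `msg_len equ $ - msg` after the `db` line and `mov rdx, msg_len` would keep in sync. `jmp 0x00000000` also needs a comment such as `; placeholder rel32, overwritten by the injector with the offset back to the original entry`, because the zero target only makes sense together with woody.c.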
@@ -70,7 +69,7 @@ void inject(t_efl_content *woody) size_t payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz; printf("Old entry : %ld\n", woody->Ehdr->e_entry); - printf("Code_cave_start = %ld\n", woody->Phdr[i].p_offset); + printf("Code_cave_start = %ld\n", payload_off); printf("Code_cave_size = %ld\n", code_cave_size); printf("Payload size = %ld\n", len_payload); @@ -80,12 +79,11 @@ void inject(t_efl_content *woody) ft_memcpy(&payload[jmp_index + 1], &backward_len, sizeof(backward_len)); ft_memcpy(woody->file + payload_off, payload, len_payload); - printf("Backward offset = %d\n", backward_len); + printf("Backward offset = %d (%x)\n", backward_len, backward_len); woody->Ehdr->e_entry = payload_off; woody->Phdr[i].p_filesz += len_payload; woody->Phdr[i].p_memsz += len_payload; - woody->file_size += len_payload; printf("New entry = %ld\n", woody->Ehdr->e_entry); } @@ -93,7 +91,7 @@ void inject(t_efl_content *woody) int get_elf_sections(t_efl_content *woody) { woody->Ehdr = (Elf64_Ehdr *)fetch(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr)); - if (!woody->Ehdr || !elf_magic_numbers(woody->file) || woody->Ehdr->e_ident[EI_CLASS] != 2) + if (!woody->Ehdr || !elf_magic_numbers(woody->file) || woody->Ehdr->e_ident[EI_CLASS] != ELFCLASS64) { ft_printf("Error: \'%s\' is not a valid 64-bit ELF file\n", woody->file_path); return EXIT_FAILURE; @@ -150,7 +148,6 @@ int prepare_injection(t_efl_content *woody) ft_memcpy(woody_file, woody->file, woody->file_size); // encrypt(woody_file, strtab_header->sh_offset , strtab_header->sh_size); - munmap(woody_file, woody->file_size); save_elf("woody", woody_file, woody->file_size); free(woody_file); From 11bbe38aa450d4034ae3801ba5e5f5950d575ddc Mon Sep 17 00:00:00 2001 
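Review bot: `printf("Code_cave_start = %ld\n", payload_off);` pairs `%ld` with a `size_t` (declared on the hunk's first context line), which is the wrong conversion for an unsigned type; use `%zu`, and the neighbouring `code_cave_size` and `len_payload` lines carry the same mismatch. The next hunk's `printf("Backward offset = %d (%x)\n", backward_len, backward_len);` likewise hands a signed `int32_t` to `%x`, which expects unsigned; `PRId32`/`PRIx32` from `<inttypes.h>`, with a cast to `uint32_t` for the hex form, is the portable spelling. `-Wformat` would flag all of these. inject's body continues on both sides of the hunk.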
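Review bot: `ft_memcpy(woody->file + payload_off, payload, len_payload);` still writes into the mapping without any check that `payload_off + len_payload` stays within `woody->file_size`, and with `woody->file_size += len_payload` gone there is nothing left that accounts for the bytes written past the original end. As far as this hunk shows, `len_payload` is never compared with `code_cave_size` either, so a cave smaller than the payload overwrites the data of the following segment. A guard before the copy, `if (payload_off + len_payload > woody->file_size) { ft_put_error("Payload does not fit in the file"); return; }`, closes the overrun on the buffer, and a second comparison against the cave size would protect the next segment. inject is `void` per the hunk header and starts outside the hunk, so the early return carries no status to the caller.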
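Review bot: The condition now accepts any 64-bit ELF, but the bytes written later come from `PAYLOAD`, which is x86-64 little-endian code (print.s is assembled with `bits 64` and uses `syscall`), so a big-endian or non-x86 64-bit input passes this check and is corrupted instead of rejected. Extending the test with `|| woody->Ehdr->e_ident[EI_DATA] != ELFDATA2LSB || woody->Ehdr->e_machine != EM_X86_64` keeps the rejection in the one place where the file is classified. The message would then read more accurately as `"not a valid x86-64 ELF file"`. get_elf_sections continues past the end of the hunk.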
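Review bot: `save_elf("woody", woody_file, woody->file_size);` discards its return value, so a failed write of the output file still ends in the `return EXIT_SUCCESS;` that follows outside the hunk; an earlier patch in this series returned that value directly. Keeping the status across the free fixes it: `int rc = save_elf("woody", woody_file, woody->file_size); free(woody_file); return rc;`. Dropping the `munmap` on a malloc'd buffer is the right call, since `free` on the next line is its real release. prepare_injection starts outside the hunk.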
From: pbonilla Date: Tue, 19 Mar 2024 17:20:11 +0100 Subject: [PATCH 06/20] create codecave added --- .vscode/settings.json | 3 +- includes/woody.h | 24 ++++---- srcs/woody.c | 137 ++++++++++++++++++++++++++++-------------- 3 files changed, 105 insertions(+), 59 deletions(-) diff --git a/.vscode/settings.json b/.vscode/settings.json index 258e317..983d135 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -2,6 +2,7 @@ "files.associations": { "stdio.h": "c", "mman.h": "c", - "stdint.h": "c" + "stdint.h": "c", + "compare": "c" } } \ No newline at end of file diff --git a/includes/woody.h b/includes/woody.h index 794a1d3..f136809 100644 --- a/includes/woody.h +++ b/includes/woody.h @@ -1,8 +1,8 @@ #ifndef WOODY_H -# define WOODY_H +#define WOODY_H #include "../ft_printf/includes/ft_printf.h" -#include +#include #include #include #include @@ -20,22 +20,22 @@ typedef struct efl_content { long unsigned int file_size; - char *file_path; - char *file; - Elf64_Ehdr *Ehdr; - Elf64_Phdr *Phdr; - char *extra_data; -} t_efl_content; - + char *file_path; + char *file; + Elf64_Ehdr *Ehdr; + Elf64_Phdr *Phdr; + Elf64_Shdr *Shdr; + char *extra_data; +} t_efl_content; // utils.c -void *fetch(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size); -int ft_put_error(char *str); +void *fetch(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size); +int ft_put_error(char *str); // woody.c int prepare_injection(t_efl_content *woody); // encrypt.c -void encrypt(char *file, unsigned long int offset, unsigned long int size); +void encrypt(char *file, unsigned long int offset, unsigned long int size); #endif \ No newline at end of file diff --git a/srcs/woody.c b/srcs/woody.c index 8aad51a..0748f6b 100644 --- a/srcs/woody.c +++ b/srcs/woody.c 
@@ -45,47 +45,89 @@ int get_load_segment(t_efl_content *woody, int start, bool executable) return -1; } -int32_t find_jmp(char *code, size_t len) +void offset_sections(t_efl_content *woody, unsigned int from, unsigned int offset_ammount) { - char *jump = JUMP; - char *ptr = ft_strnstr_nullterminated(code, jump, len); + for (int i = 0; i < woody->Ehdr->e_phnum; i++) + { + if (woody->Phdr[i].p_offset > from) + woody->Phdr[i].p_offset += offset_ammount; + } + for (int i = 0; i < woody->Ehdr->e_shnum; i++) + { + if (woody->Shdr[i].sh_offset > from) + woody->Shdr[i].sh_offset += offset_ammount; + } +} + +size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment) +{ + const unsigned int page_size = 4096;// getpagesize(); not authorized + unsigned int padding_size = ((sizeof(PAYLOAD) / page_size) + 1) * page_size; + unsigned int codecave_start = load_segment->p_offset + load_segment->p_filesz; + offset_sections(woody, codecave_start, padding_size); + char *new_woody = malloc(woody->file_size + padding_size); + if (!new_woody) + return 0; + ft_memcpy(new_woody, woody->file, codecave_start); + ft_bzero(new_woody + codecave_start, padding_size); + ft_memcpy(new_woody + codecave_start + padding_size, woody->file + codecave_start, woody->file_size - codecave_start); + munmap(woody->file, woody->file_size); + woody->file = new_woody; + woody->file_size += padding_size; + return codecave_start; +} + + +int insert_payload(t_efl_content *woody, size_t payload_position) +{ + char payload[] = PAYLOAD; + size_t len_payload = sizeof(PAYLOAD) - 1; + char *ptr = ft_strnstr_nullterminated(payload, JUMP, len_payload); + if (ptr) { - return ptr - code; + int32_t jmp_index = ptr - payload; + int32_t jump_value = ((payload_position + len_payload) - woody->Ehdr->e_entry) * -1; + ft_memcpy(&payload[jmp_index + 1], &jump_value, sizeof(jump_value)); + ft_memcpy(woody->file + payload_position, payload, len_payload); + + printf("Old entry : %ld (%lx)\n", woody->Ehdr->e_entry, 
woody->Ehdr->e_entry); + printf("Code_cave_start = %ld (%lx)\n", payload_position, payload_position); + printf("Payload size = %ld (%lx)\n", len_payload, len_payload); + printf("Backward offset = %d (%x)\n", jump_value, jump_value); + + return EXIT_SUCCESS; } - return 0; + return EXIT_FAILURE; } void inject(t_efl_content *woody) { - char payload[] = PAYLOAD; size_t len_payload = sizeof(PAYLOAD) - 1; - woody->Phdr = (Elf64_Phdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr)); int i = get_load_segment(woody, 0, true); int j = get_load_segment(woody, i + 1, false); + size_t code_cave_size = woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz); - size_t payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz; - - printf("Old entry : %ld\n", woody->Ehdr->e_entry); - printf("Code_cave_start = %ld\n", payload_off); - printf("Code_cave_size = %ld\n", code_cave_size); - printf("Payload size = %ld\n", len_payload); - - int32_t jmp_index = find_jmp(payload, len_payload); - int32_t backward_len = ((payload_off + len_payload) - woody->Ehdr->e_entry) * -1; + size_t payload_position; - ft_memcpy(&payload[jmp_index + 1], &backward_len, sizeof(backward_len)); - ft_memcpy(woody->file + payload_off, payload, len_payload); - - printf("Backward offset = %d (%x)\n", backward_len, backward_len); + if (code_cave_size > len_payload) + { + payload_position = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz; + printf("Code_cave_size = %ld (%lx)\n", code_cave_size, code_cave_size); + } + else + { + payload_position = create_codecave(woody, &woody->Phdr[i]); + } + insert_payload(woody, payload_position); - woody->Ehdr->e_entry = payload_off; + woody->Ehdr->e_entry = payload_position; woody->Phdr[i].p_filesz += len_payload; woody->Phdr[i].p_memsz += len_payload; - printf("New entry = %ld\n", woody->Ehdr->e_entry); + printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry); } int get_elf_sections(t_efl_content 
*woody) 
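Review bot: `inject` indexes `woody->Phdr[i]` and `woody->Phdr[j]` without checking for the -1 that `get_load_segment` returns (visible at the top of the hunk), so a binary without a second LOAD segment after the executable one reads `Phdr[-1]` and derives a garbage `code_cave_size`; add `if (i < 0 || j < 0) return;` before the subtraction. In the same function, `create_codecave` returns 0 on `malloc` failure and that 0 is then used as `payload_position`, which writes the payload over the ELF header at offset 0 — make the failure distinguishable (for example return `(size_t)-1` or report it through an out-parameter) and bail out. The two code-cave computations also disagree: the cave size is measured from `p_filesz` while `payload_position = p_offset + p_memsz`, and a file offset must be derived from `p_filesz`, otherwise a segment with `p_memsz > p_filesz` places the payload past the space that was just checked. The `insert_payload` result is ignored as well, so `e_entry` is redirected even when no jump byte was patched.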
@@ -96,39 +138,42 @@ int get_elf_sections(t_efl_content *woody) ft_printf("Error: \'%s\' is not a valid 64-bit ELF file\n", woody->file_path); return EXIT_FAILURE; } + woody->Phdr = (Elf64_Phdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr)); - Elf64_Shdr *Shdr = (Elf64_Shdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff, sizeof(Elf64_Shdr)); - if (Shdr == NULL || !fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff, woody->Ehdr->e_shnum * sizeof(Elf64_Shdr))) + woody->Shdr = (Elf64_Shdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff, sizeof(Elf64_Shdr)); + if (woody->Shdr == NULL || !fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff, woody->Ehdr->e_shnum * sizeof(Elf64_Shdr))) { return ft_put_error("Corrupted file"); } - Elf64_Shdr *symbols_table = NULL; - for (int i = 0; i < woody->Ehdr->e_shnum; i++) { - if (Shdr[i].sh_type == SHT_SYMTAB) { - symbols_table = fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (i * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr)); - } - } - if (symbols_table == NULL) - return ft_put_error("No symbols"); - if (!fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (woody->Ehdr->e_shstrndx * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr))) - return ft_put_error("Corrupted file"); - char *Sshstrtab = (char *)fetch(woody->file, woody->file_size, Shdr[woody->Ehdr->e_shstrndx].sh_offset, 0); - if (Sshstrtab == NULL) - return ft_put_error("Corrupted file"); + // Elf64_Shdr *symbols_table = NULL; + // for (int i = 0; i < woody->Ehdr->e_shnum; i++) { + // if (Shdr[i].sh_type == SHT_SYMTAB) { + // symbols_table = fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (i * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr)); + // } + // } + // if (symbols_table == NULL) + // return ft_put_error("No symbols"); - Elf64_Shdr *strtab_header = (Elf64_Shdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (symbols_table->sh_link * woody->Ehdr->e_shentsize), 
sizeof(Elf64_Shdr)); - if (!strtab_header) - return ft_put_error("Corrupted file"); + // if (!fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (woody->Ehdr->e_shstrndx * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr))) + // return ft_put_error("Corrupted file"); - char *strtab = fetch(woody->file, woody->file_size, strtab_header->sh_offset, 0); - if (strtab == NULL) - return ft_put_error("Corrupted file"); - Elf64_Sym *symbols = (Elf64_Sym *)fetch(woody->file, woody->file_size, symbols_table->sh_offset, sizeof(Elf64_Sym)); - if (symbols == NULL) - return ft_put_error("Corrupted file"); + // char *Sshstrtab = (char *)fetch(woody->file, woody->file_size, Shdr[woody->Ehdr->e_shstrndx].sh_offset, 0); + // if (Sshstrtab == NULL) + // return ft_put_error("Corrupted file"); + + // Elf64_Shdr *strtab_header = (Elf64_Shdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (symbols_table->sh_link * woody->Ehdr->e_shentsize), sizeof(Elf64_Shdr)); + // if (!strtab_header) + // return ft_put_error("Corrupted file"); + + // char *strtab = fetch(woody->file, woody->file_size, strtab_header->sh_offset, 0); + // if (strtab == NULL) + // return ft_put_error("Corrupted file"); + // Elf64_Sym *symbols = (Elf64_Sym *)fetch(woody->file, woody->file_size, symbols_table->sh_offset, sizeof(Elf64_Sym)); + // if (symbols == NULL) + // return ft_put_error("Corrupted file"); return EXIT_SUCCESS; } From 2c4bdfeeecb8509b6782efc65f3fc749a14b8612 Mon Sep 17 00:00:00 2001 From: pbonilla Date: Tue, 19 Mar 2024 17:44:54 +0100 Subject: [PATCH 07/20] reassign woody pointers after codecave creation --- srcs/woody.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/srcs/woody.c b/srcs/woody.c index 0748f6b..c7d5778 100644 --- a/srcs/woody.c +++ b/srcs/woody.c 
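Review bot: The new `woody->Phdr = fetch(...)` line bounds-checks a single program header and its NULL result is never tested, while `get_load_segment` (earlier hunk) walks all `e_phnum` entries from that pointer; the Shdr assignment right below it does the whole-table check, so mirror it: `if (!woody->Phdr || !fetch(woody->file, woody->file_size, woody->Ehdr->e_phoff, woody->Ehdr->e_phnum * sizeof(Elf64_Phdr))) return ft_put_error("Corrupted file");`. Neither `e_phentsize` nor `e_shentsize` is compared against `sizeof(Elf64_Phdr)`/`sizeof(Elf64_Shdr)`, which the fixed-stride indexing assumes. The commented-out symbol-table block should be deleted rather than kept; version control already holds it.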
@@ -74,6 +74,9 @@ size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment) munmap(woody->file, woody->file_size); woody->file = new_woody; woody->file_size += padding_size; + woody->Ehdr = (Elf64_Ehdr *)new_woody; + woody->Phdr = (Elf64_Phdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr)); + woody->Shdr = (Elf64_Shdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff, sizeof(Elf64_Shdr)); return codecave_start; } From fa004f3a6a4ec91db744723207de03167f050a9e Mon Sep 17 00:00:00 2001 From: pbonilla Date: Thu, 21 Mar 2024 15:44:29 +0100 Subject: [PATCH 08/20] generate payload from file --- includes/woody.h | 7 +++++- print.s | 53 ++++++++++++---------------------------------- srcs/main.c | 2 +- srcs/woody.c | 55 +++++++++++++++++++++++++++++------------------- 4 files changed, 54 insertions(+), 63 deletions(-) diff --git a/includes/woody.h b/includes/woody.h index f136809..7aa98d7 100644 --- a/includes/woody.h +++ b/includes/woody.h @@ -14,9 +14,14 @@ #include #include -#define PAYLOAD "\x50\x57\x56\x52\x53\xbf\x01\x00\x00\x00\x48\x8d\x35\x16\x00\x00\x00\xba\x0a\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xd9\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a" #define JUMP "\xe9" +typedef struct payload +{ + char *payload; + size_t len; +} t_payload; + typedef struct efl_content { long unsigned int file_size; diff --git a/print.s b/print.s index db11230..3a557c8 100644 --- a/print.s +++ b/print.s 
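Review bot: Re-fetching `Shdr` at `e_shoff` after `create_codecave` has inserted `padding_size` bytes reads the wrong place whenever the section header table sits after `codecave_start` (the usual layout, the table being at the end of the file), because `offset_sections` from the previous commit rewrites `p_offset` and `sh_offset` but never `e_shoff` (nor `e_phoff`); the section headers now live at the old `e_shoff + padding_size`, and the pointer taken here lands in the zero padding or in shifted data. Add to `offset_sections`: `if (woody->Ehdr->e_shoff > from) woody->Ehdr->e_shoff += offset_ammount;` and the same for `e_phoff`. The three re-pointed fields are also taken without a NULL check on `fetch`, and `create_codecave`'s body starts outside the hunk.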
@@ -1,52 +1,27 @@ -; bits 64 -; default rel -; global _start - -; _start: -; push rax -; push rdi -; push rsi -; push rdx -; push rbx - -; xor eax, eax -; cdq -; mov dl, 10 -; inc eax -; mov edi, eax -; lea rsi, [rel msg] -; syscall -; pop rbx -; pop rdx -; pop rsi -; pop rdi -; pop rax -; jmp 0x00000000 - -; msg db "..WOODY..",10 - bits 64 -default rel global _start _start: - push rax - push rdi - push rsi - push rdx - push rbx - - mov rdi, 1 + push rax + push rdi + push rsi + push rdx + + mov rdi, 1 + mov rdi, 1 + mov rdi, 1 + mov rdi, 1 + mov rdi, 1 + mov rdi, 1 lea rsi, [rel msg] mov rdx, 10 mov rax, 1 syscall - pop rbx - pop rdx + pop rdx pop rsi pop rdi pop rax jmp 0x00000000 - -msg db "..WOODY..",10 + + msg db "..WOODY..",10 diff --git a/srcs/main.c b/srcs/main.c index d2228a7..143a099 100644 --- a/srcs/main.c +++ b/srcs/main.c @@ -19,7 +19,7 @@ int get_elf_file(t_efl_content *woody) return EXIT_FAILURE; } woody->file_size = off; - woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE, fd, 0); if (woody->file == MAP_FAILED) { close(fd); diff --git a/srcs/woody.c b/srcs/woody.c index c7d5778..154d178 100644 --- a/srcs/woody.c +++ b/srcs/woody.c 
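Review bot: The six identical `mov rdi, 1` lines have no effect beyond inflating the payload by 35 bytes, and without a comment a reader cannot tell whether that is deliberate; if the intent is to push the payload past the code-cave threshold so the codecave-creation path gets exercised, say so (`; padding: force create_codecave path`) or remove them. Dropping `default rel` is harmless here only because the `lea rsi, [rel msg]` keeps an explicit `rel`.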
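Review bot: Adding `PROT_EXEC` to the input mapping creates a writable-and-executable private mapping inside the packer's own address space, and nothing in the visible code runs code out of it (the file is parsed, patched and copied out through `save_elf`); besides being unnecessary, W^X policies (SELinux `execmem`, PaX/MPROTECT, hardened kernels) can refuse such an mmap, and the packer would then fail with "Failed to map file". Keep `PROT_READ | PROT_WRITE` unless a later step genuinely executes from this mapping, and comment that step if it does. `get_elf_file` continues outside the hunk.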
@@ -59,10 +59,10 @@ void offset_sections(t_efl_content *woody, unsigned int from, unsigned int offse } } -size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment) +size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment, t_payload *payload) { - const unsigned int page_size = 4096;// getpagesize(); not authorized - unsigned int padding_size = ((sizeof(PAYLOAD) / page_size) + 1) * page_size; + const unsigned int page_size = 4096; // getpagesize(); not authorized + unsigned int padding_size = ((payload->len / page_size) + 1) * page_size; unsigned int codecave_start = load_segment->p_offset + load_segment->p_filesz; offset_sections(woody, codecave_start, padding_size); char *new_woody = malloc(woody->file_size + padding_size); 
@@ -80,24 +80,34 @@ size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment) return codecave_start; } - -int insert_payload(t_efl_content *woody, size_t payload_position) +t_payload *get_payload() { - char payload[] = PAYLOAD; - size_t len_payload = sizeof(PAYLOAD) - 1; - char *ptr = ft_strnstr_nullterminated(payload, JUMP, len_payload); + t_payload *payload = malloc(sizeof(t_payload)); + if (!payload) + return NULL; + char buffer[1024]; + int fd = open("payload", O_RDONLY); + payload->len = read(fd, buffer, 1024); + payload->payload = malloc(sizeof(char) * payload->len); + ft_memcpy(payload->payload, buffer, payload->len); + return payload; +} +int insert_payload(t_efl_content *woody, t_payload *payload, size_t payload_position) +{ + char *ptr = ft_strnstr_nullterminated(payload->payload, JUMP, payload->len); if (ptr) { - int32_t jmp_index = ptr - payload; - int32_t jump_value = ((payload_position + len_payload) - woody->Ehdr->e_entry) * -1; - ft_memcpy(&payload[jmp_index + 1], &jump_value, sizeof(jump_value)); - ft_memcpy(woody->file + payload_position, payload, len_payload); + int32_t jmp_index = ptr - payload->payload; + int32_t jump_value = ((payload_position + payload->len) - woody->Ehdr->e_entry) * -1; + + ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value)); + ft_memcpy(woody->file + payload_position, payload->payload, payload->len); printf("Old entry : %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry); - printf("Code_cave_start = %ld (%lx)\n", payload_position, payload_position); - printf("Payload size = %ld (%lx)\n", len_payload, len_payload); - printf("Backward offset = %d (%x)\n", jump_value, jump_value); + printf("Code cave start = %ld (%lx)\n", payload_position, payload_position); + printf("Payload size = %ld (%lx)\n", payload->len, payload->len); + printf("Backwar d offset = %d (%x)\n", jump_value, jump_value); return EXIT_SUCCESS; } 
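Review bot: `get_payload` stores the raw `read()` result in `payload->len`, so a failed read (-1) becomes `SIZE_MAX`, the following `malloc(sizeof(char) * payload->len)` fails and the unchecked `ft_memcpy` then reads far past `buffer`; the descriptor is also never closed, the inner `malloc` is unchecked, and a payload longer than 1024 bytes is silently truncated (the missing `open()` check is handled by the next commit). The payload is additionally loaded from the relative path "payload", meaning whatever file sits in the caller's current directory becomes the code injected into the output binary — resolve it from a fixed location or embed it, and document the trust assumption either way. The rewrite below checks the read, closes the fd, rejects a buffer-filling read as possibly truncated, and frees on every failure path.

```c
    /* … unchanged: t_payload allocation and open("payload") … */
    ssize_t n = read(fd, buffer, sizeof(buffer));
    close(fd);
    /* n == sizeof(buffer) may mean the payload was cut off; size from fstat() if that is a real case */
    if (n <= 0 || (size_t)n == sizeof(buffer))
    {
        free(payload);
        return NULL;
    }
    payload->len = (size_t)n;
    payload->payload = malloc(payload->len);
    if (!payload->payload)
    {
        free(payload);
        return NULL;
    }
    ft_memcpy(payload->payload, buffer, payload->len);
    return payload;
```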
@@ -106,29 +116,30 @@ int insert_payload(t_efl_content *woody, size_t payload_position) void inject(t_efl_content *woody) { - size_t len_payload = sizeof(PAYLOAD) - 1; + t_payload *payload = get_payload(); int i = get_load_segment(woody, 0, true); int j = get_load_segment(woody, i + 1, false); - size_t code_cave_size = woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz); size_t payload_position; + printf("load position = : %ld (%lx)\n", woody->Phdr[i].p_offset, woody->Phdr[i].p_offset); + printf("load size = : %ld (%lx)\n", woody->Phdr[i].p_filesz, woody->Phdr[i].p_filesz); - if (code_cave_size > len_payload) + if (code_cave_size > payload->len) // inverse here to test the other technique { payload_position = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz; printf("Code_cave_size = %ld (%lx)\n", code_cave_size, code_cave_size); } else { - payload_position = create_codecave(woody, &woody->Phdr[i]); + payload_position = create_codecave(woody, &woody->Phdr[i], payload); } - insert_payload(woody, payload_position); + insert_payload(woody, payload, payload_position); woody->Ehdr->e_entry = payload_position; - woody->Phdr[i].p_filesz += len_payload; - woody->Phdr[i].p_memsz += len_payload; + woody->Phdr[i].p_filesz += payload->len; + woody->Phdr[i].p_memsz += payload->len; printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry); } From f83b053fcbf4a5ba924e64482f059f6cb25c41d0 Mon Sep 17 00:00:00 2001 From: gbrochar Date: Tue, 9 Apr 2024 10:28:35 +0200 Subject: [PATCH 09/20] fix: check payload fd --- srcs/.woody.c.swp | Bin 0 -> 20480 bytes srcs/woody.c | 7 ++++++- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 srcs/.woody.c.swp 
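Review bot: `get_payload()` returns NULL on allocation failure (and, after the next commit, on a missing payload file) but `inject` dereferences `payload->len` unconditionally; add `if (!payload) return;` right after the call, and preferably give `inject` a return status so `prepare_injection` can stop before writing a broken binary. Neither `payload->payload` nor `payload` is freed once the copy into the file is done. The "inverse here to test the other technique" comment reads like a leftover test toggle — turn it into a real flag or remove it.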
diff --git a/srcs/.woody.c.swp b/srcs/.woody.c.swp new file mode 100644 index 0000000000000000000000000000000000000000..db761445917e7d3d3908cbc30fa2258f01e8c8b4 GIT binary patch literal 20480 zcmeHOZHygN86Ks4Tm&JdjS7LBUD9&z_TK$&yQSSF%XSOJ?Y8N5q1ZOl**jl!VhU6>MtWwq_8n}bcTmIUT1~t0pR261U%l^|p80FF`8nUK z)(oGDmijb|rc<$oZ}&%nq28*~3_|V)y~BeI!?%N8D{g;()M4N7V4v-VzENp5ZL=~o zuyM%bgGOaw!$^N+c)hWyGGcBtDyF${g!2Kjf1@!}SwFmKWMhASr7`EZw&NImfnN>! zj(VQC&|6(fy1XoBAZI{phE`?dYHet6pr6>dxx0&9w{kWoCTAdLAZH+FAZH+FAZH+F zAZH+F;3LF9*tkUdJm&jxHRprs`(rKNE7bM%>ia-T`6cSwP~S&d%GG85l{1htkTZ}o zkTZ}okTZ}okTZ}okTZ}okTZ}o@IPR{Fg5K7B=1`;#o&1Ue^ANr?lqeB4saIu8E^*p z2JjH@bzmBp0#*X&KZ!cP_kbsXCx8XO0=j?|!1=2+?O(v}fTw^5fiD1ufEq9lFyJQO zPgiN$AAlEt=Ygkzr+||{9jE~Zf!)9~@LAwCU=-K_y!#2r4g3Ij7I+ZY3(Nv*fNtP} zD>dy^;1|Fvz{|j4zy`X3Hw&8fWndSu3b+LL+ZCGjBJeP<8u;_&n)Ykphrm~W8-VX$ zrfH7?j{x5SjswSlJAe_O1gr+mf$y`x8Q>Y<3E;ax6Chpu1qUuq0^bH60XT3qa20R{ z`tkr5xDj{_hc{mX?gS=*USJ)t8n_Nv37k_0I!8R)EZFWLUJZ+(&Mil;dTz+wkoAan zDN34lN-Ow0Z2B&n+`D~`zHNN_)a>rb%~}BknUa~=iHXUX8I%<8ui@jB4y)LGyHP!S z)bN?fJj)7r$VS;3lNHw-EA4l?%j{6I-q4R2PLrp9m#CAdhh4^k;~6Fk?BkqTJJj4! z?HjVNGUjl%%+gnxJ|;Yqv#N1~vmi8lAw;Kc^oAGMq3tDI#dk8@?L=dcXQ7JBcjYd8<%%WwM*<91IxL;-i{e#1#V6r%V%npkKQr$l1(M-jS z2KRl>FLsMB<~6u$yYta#-Bg8mv`jWS3PqF{5erkN8=`ixTS)@L+^O&0x^sH!UTP&c zm%{8LSq|V{Wct&yQ&XzrF4Y=ZYGtcH1ou- z#I0fSS#1a(kc?Yqkqb}`En7QgJ`udq(xDo7?l||o;^O0yO((-HB5h{4a)*JU)!dKS zl8to51I8{VzLTuvl*<-mw{Sqh$W2cVu)$(m2_)C8612~u=?3<^%S}f1nWYZH({_k1 z=j+&B;No<(v#x6^Aa;Y}5F^uHnlM^ikq;5hoArUvd1)UdObBj*9G1F+t`HyuA#3SS z6{EM|{!JS;v%WqCE2d^-XT{QH=6WGBnqkfJal?ecQ-K~9s_=FpN7x}vdlBy|O;H+K zdiI_CvUC~bDPfZs^IWMIHDW%y4Q5cnFz(FJW9637_)q@j@57i_Tc%f zNSd)R;r`9|+7hky#FMzqI!e~9LzA>DGzaQA(b@$>X>0HyC27>G!QwCvR!-hsh#6nJ19|ZD4i6UrH{e|+Md#DaFHcT z>qB&lecbaLmX@_OsE$KthR-RD{?ey&+)eH{ij5~}!@renGhpZ@3q4kKynvIFXTtC9 zzhzCZ{}vHxH;k|bk3{_vNunZRfl?9-h_VZePR;4Flnh6GJG`I_)JZHuB9>??f*+D! 
zZpG~)#?ePhO0qOH!qY5=n8ik@UJTZ&wi#*XQu&y&4y-(4}^>?c$YuBtzZ3y?E(f{Ept6uXSsb|KEseKc)N- z`G55M{yg&fw}9UO&jKfb;{fIRe@8z57_b$X0RD=c{Ty%_(1HEH-M|cR6;J@)Kwkbj z@C@((uot)oxE#0?SOL6+y!=hz6!0lv74RZ*@n?b4z!qRL@LECB?gH)rZUSxqt_MB? zd>VKkx%p3kZvvMA|3F@T4)_&t8h9GG33wlQ_V8DCG#a{+q0v-k)0>**sfj>eA zuLCatq>nSek{@`~w8w~@O2MK;L3l--mK?<;@v7_=_Yv?X<(X(n1UA$n9W07&I#B3(xrunj04$V)Y`yUDa@oN_UP z;xH!e#2HanN>uFVDrpl#R>p`iNkR!5hcw(o8j@0-pNN}6>}YthMQj0Klfnyfy2%Z6 z6KQq4$fBt}D}LE4!5a^<-*5)Kp%&T$a^RPJ&a! zZiww8<)+woZ1*q%{Q>ID))F$`945tE+@YLNn>)kWP%)uaj$t%y^fMNl=yGkPZI){G_J^1!ye6$Gazm*UE{f)7?%bo#+`D7X`0aF(MS`O8hfB@S zjz&A}f^aY|S^?kgRfC;BC+6$#=*N;yz=@+9lJ==BrtcZn$@%Fwss%j_uuZtpeUsbuiK+3KnFFkA zlm-_U8-^2gk!}+L#nmzi>~GNxwM|lkw)mn`-Y?^aD8HOWA}O9>K%VS_mzJrCN^PrC z+!b4+s-EQJcv5IpYHe2RxJ&8@zCfON(2|XaoxpjQF3+;z^xN2_sIud+F`W1%S}BoZwcR5~CONBdpVL7@$Z-l7);RO<$H!&0 z=Gyl)Is8C0$MjRXMV^x->p`kHUO}w|H04ac(UUq%`+|MTld2AV%L3|Ko<>H~j!8{Q zS{TZbeJFLFSBc$zG6y*hBCa+K$!U`WG9fsG`LrD{sYPbfacr4c22RkZ1tk!40=Zay zc!SVyqAHT$&QD~hrP4IcXpv`7{{J@eYy<^R$9{jVa=e;#-a_%SdC90Vx;zXG@v zcmuir{lF=p0=$Df|19t@a2xOe`g{)f5%4(h81NwQCE$yI7?XC|{F5_~GmtZoGmtZo zGmtZoGmtZoGw}bxK>ot1eDAgOXdyl^h*M9>@Zyv=f8kWTaSlen = read(fd, buffer, 1024); payload->payload = malloc(sizeof(char) * payload->len); ft_memcpy(payload->payload, buffer, payload->len); @@ -211,4 +216,4 @@ int prepare_injection(t_efl_content *woody) save_elf("woody", woody_file, woody->file_size); free(woody_file); return EXIT_SUCCESS; -} \ No newline at end of file +} From 2a20011050fd0488b7d09f0e9f7faf5de39aca9e Mon Sep 17 00:00:00 2001 From: gbrochar Date: Tue, 9 Apr 2024 10:30:12 +0200 Subject: [PATCH 10/20] clean: rename efl_content to elf_content --- includes/woody.h | 6 +++--- srcs/main.c | 4 ++-- srcs/woody.c | 14 +++++++------- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/includes/woody.h b/includes/woody.h index 7aa98d7..6ec0516 100644 --- a/includes/woody.h +++ b/includes/woody.h 
@@ -22,7 +22,7 @@ typedef struct payload size_t len; } t_payload; -typedef struct efl_content +typedef struct elf_content { long unsigned int file_size; char *file_path; @@ -31,14 +31,14 @@ typedef struct efl_content Elf64_Phdr *Phdr; Elf64_Shdr *Shdr; char *extra_data; -} t_efl_content; +} t_elf_content; // utils.c void *fetch(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size); int ft_put_error(char *str); // woody.c -int prepare_injection(t_efl_content *woody); +int prepare_injection(t_elf_content *woody); // encrypt.c void encrypt(char *file, unsigned long int offset, unsigned long int size); diff --git a/srcs/main.c b/srcs/main.c index 143a099..0e42de8 100644 --- a/srcs/main.c +++ b/srcs/main.c @@ -1,6 +1,6 @@ #include "../includes/woody.h" -int get_elf_file(t_efl_content *woody) +int get_elf_file(t_elf_content *woody) { int fd; off_t off; @@ -32,7 +32,7 @@ int get_elf_file(t_efl_content *woody) int main(int ac, char **av) { - t_efl_content woody; + t_elf_content woody; if (ac != 2) { return ft_put_error("Woody_woodpacker take 1 argument\n"); diff --git a/srcs/woody.c b/srcs/woody.c index dc73446..da52764 100644 --- a/srcs/woody.c +++ b/srcs/woody.c @@ -27,7 +27,7 @@ int save_elf(char *path, char *file, unsigned long int size) return EXIT_SUCCESS; } -int get_load_segment(t_efl_content *woody, int start, bool executable) +int get_load_segment(t_elf_content *woody, int start, bool executable) { for (int i = start; i < woody->Ehdr->e_phnum; i++) { @@ -45,7 +45,7 @@ int get_load_segment(t_efl_content *woody, int start, bool executable) return -1; } -void offset_sections(t_efl_content *woody, unsigned int from, unsigned int offset_ammount) +void offset_sections(t_elf_content *woody, unsigned int from, unsigned int offset_ammount) { for (int i = 0; i < woody->Ehdr->e_phnum; i++) { 
@@ -59,7 +59,7 @@ void offset_sections(t_efl_content *woody, unsigned int from, unsigned int offse } } -size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment, t_payload *payload) +size_t create_codecave(t_elf_content *woody, Elf64_Phdr *load_segment, t_payload *payload) { const unsigned int page_size = 4096; // getpagesize(); not authorized unsigned int padding_size = ((payload->len / page_size) + 1) * page_size; @@ -98,7 +98,7 @@ t_payload *get_payload() return payload; } -int insert_payload(t_efl_content *woody, t_payload *payload, size_t payload_position) +int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_position) { char *ptr = ft_strnstr_nullterminated(payload->payload, JUMP, payload->len); if (ptr) @@ -119,7 +119,7 @@ int insert_payload(t_efl_content *woody, t_payload *payload, size_t payload_posi return EXIT_FAILURE; } -void inject(t_efl_content *woody) +void inject(t_elf_content *woody) { t_payload *payload = get_payload(); @@ -149,7 +149,7 @@ void inject(t_efl_content *woody) printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry); } -int get_elf_sections(t_efl_content *woody) +int get_elf_sections(t_elf_content *woody) { woody->Ehdr = (Elf64_Ehdr *)fetch(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr)); if (!woody->Ehdr || !elf_magic_numbers(woody->file) || woody->Ehdr->e_ident[EI_CLASS] != ELFCLASS64) @@ -197,7 +197,7 @@ int get_elf_sections(t_efl_content *woody) return EXIT_SUCCESS; } -int prepare_injection(t_efl_content *woody) +int prepare_injection(t_elf_content *woody) { int elf_statut = get_elf_sections(woody); if (elf_statut) From fba60ca76ef0fd451c5af35686a0040d189c84a0 Mon Sep 17 00:00:00 2001 
From: pbonilla Date: Thu, 11 Apr 2024 12:20:44 +0200 Subject: [PATCH 11/20] encrypt text section --- .gitignore | 5 ++- .vscode/settings.json | 8 ----- includes/woody.h | 5 +++ print.s | 5 --- srcs/.woody.c.swp | Bin 20480 -> 0 bytes srcs/encrypt.c | 2 +- srcs/main.c | 2 +- srcs/utils.c | 20 ++++++++++++ srcs/woody.c | 72 +++++++++++++++++++----------------------- 9 files changed, 63 insertions(+), 56 deletions(-) delete mode 100644 .vscode/settings.json delete mode 100644 srcs/.woody.c.swp diff --git a/.gitignore b/.gitignore index 1fde0fe..536a1bc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,7 @@ *.o *.a woody_woodpacker -woody \ No newline at end of file +woody +asm +payload +print diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index 983d135..0000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "files.associations": { - "stdio.h": "c", - "mman.h": "c", - "stdint.h": "c", - "compare": "c" - } -} \ No newline at end of file diff --git a/includes/woody.h b/includes/woody.h index 6ec0516..f47c5a4 100644 --- a/includes/woody.h +++ b/includes/woody.h @@ -15,6 +15,8 @@ #include #define JUMP "\xe9" +// #define TEXT_OFFSET "\xba\xba\xba\xba\xba\xba\xba\xba" +// #define SECTION_SIZE "\xca\xca\xca\xca\xca\xca\xca\xca" typedef struct payload { @@ -30,12 +32,15 @@ typedef struct elf_content Elf64_Ehdr *Ehdr; Elf64_Phdr *Phdr; Elf64_Shdr *Shdr; + Elf64_Shdr *text_section; char *extra_data; } t_elf_content; // utils.c void *fetch(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size); int ft_put_error(char *str); +char *get_string(char *str, char *end_file); +int get_symbols_count(int sh_size, int sh_entsize); // woody.c int prepare_injection(t_elf_content *woody); diff --git a/print.s b/print.s index 3a557c8..c30897a 100644 --- a/print.s +++ b/print.s 
@@ -7,11 +7,6 @@ _start: push rsi push rdx - mov rdi, 1 - mov rdi, 1 - mov rdi, 1 - mov rdi, 1 - mov rdi, 1 mov rdi, 1 lea rsi, [rel msg] mov rdx, 10 
diff --git a/srcs/.woody.c.swp b/srcs/.woody.c.swp deleted file mode 100644 index db761445917e7d3d3908cbc30fa2258f01e8c8b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 20480 zcmeHOZHygN86Ks4Tm&JdjS7LBUD9&z_TK$&yQSSF%XSOJ?Y8N5q1ZOl**jl!VhU6>MtWwq_8n}bcTmIUT1~t0pR261U%l^|p80FF`8nUK z)(oGDmijb|rc<$oZ}&%nq28*~3_|V)y~BeI!?%N8D{g;()M4N7V4v-VzENp5ZL=~o zuyM%bgGOaw!$^N+c)hWyGGcBtDyF${g!2Kjf1@!}SwFmKWMhASr7`EZw&NImfnN>! zj(VQC&|6(fy1XoBAZI{phE`?dYHet6pr6>dxx0&9w{kWoCTAdLAZH+FAZH+FAZH+F zAZH+F;3LF9*tkUdJm&jxHRprs`(rKNE7bM%>ia-T`6cSwP~S&d%GG85l{1htkTZ}o zkTZ}okTZ}okTZ}okTZ}okTZ}o@IPR{Fg5K7B=1`;#o&1Ue^ANr?lqeB4saIu8E^*p z2JjH@bzmBp0#*X&KZ!cP_kbsXCx8XO0=j?|!1=2+?O(v}fTw^5fiD1ufEq9lFyJQO zPgiN$AAlEt=Ygkzr+||{9jE~Zf!)9~@LAwCU=-K_y!#2r4g3Ij7I+ZY3(Nv*fNtP} zD>dy^;1|Fvz{|j4zy`X3Hw&8fWndSu3b+LL+ZCGjBJeP<8u;_&n)Ykphrm~W8-VX$ zrfH7?j{x5SjswSlJAe_O1gr+mf$y`x8Q>Y<3E;ax6Chpu1qUuq0^bH60XT3qa20R{ z`tkr5xDj{_hc{mX?gS=*USJ)t8n_Nv37k_0I!8R)EZFWLUJZ+(&Mil;dTz+wkoAan zDN34lN-Ow0Z2B&n+`D~`zHNN_)a>rb%~}BknUa~=iHXUX8I%<8ui@jB4y)LGyHP!S z)bN?fJj)7r$VS;3lNHw-EA4l?%j{6I-q4R2PLrp9m#CAdhh4^k;~6Fk?BkqTJJj4! z?HjVNGUjl%%+gnxJ|;Yqv#N1~vmi8lAw;Kc^oAGMq3tDI#dk8@?L=dcXQ7JBcjYd8<%%WwM*<91IxL;-i{e#1#V6r%V%npkKQr$l1(M-jS z2KRl>FLsMB<~6u$yYta#-Bg8mv`jWS3PqF{5erkN8=`ixTS)@L+^O&0x^sH!UTP&c zm%{8LSq|V{Wct&yQ&XzrF4Y=ZYGtcH1ou- z#I0fSS#1a(kc?Yqkqb}`En7QgJ`udq(xDo7?l||o;^O0yO((-HB5h{4a)*JU)!dKS zl8to51I8{VzLTuvl*<-mw{Sqh$W2cVu)$(m2_)C8612~u=?3<^%S}f1nWYZH({_k1 z=j+&B;No<(v#x6^Aa;Y}5F^uHnlM^ikq;5hoArUvd1)UdObBj*9G1F+t`HyuA#3SS z6{EM|{!JS;v%WqCE2d^-XT{QH=6WGBnqkfJal?ecQ-K~9s_=FpN7x}vdlBy|O;H+K zdiI_CvUC~bDPfZs^IWMIHDW%y4Q5cnFz(FJW9637_)q@j@57i_Tc%f zNSd)R;r`9|+7hky#FMzqI!e~9LzA>DGzaQA(b@$>X>0HyC27>G!QwCvR!-hsh#6nJ19|ZD4i6UrH{e|+Md#DaFHcT z>qB&lecbaLmX@_OsE$KthR-RD{?ey&+)eH{ij5~}!@renGhpZ@3q4kKynvIFXTtC9 zzhzCZ{}vHxH;k|bk3{_vNunZRfl?9-h_VZePR;4Flnh6GJG`I_)JZHuB9>??f*+D! 
zZpG~)#?ePhO0qOH!qY5=n8ik@UJTZ&wi#*XQu&y&4y-(4}^>?c$YuBtzZ3y?E(f{Ept6uXSsb|KEseKc)N- z`G55M{yg&fw}9UO&jKfb;{fIRe@8z57_b$X0RD=c{Ty%_(1HEH-M|cR6;J@)Kwkbj z@C@((uot)oxE#0?SOL6+y!=hz6!0lv74RZ*@n?b4z!qRL@LECB?gH)rZUSxqt_MB? zd>VKkx%p3kZvvMA|3F@T4)_&t8h9GG33wlQ_V8DCG#a{+q0v-k)0>**sfj>eA zuLCatq>nSek{@`~w8w~@O2MK;L3l--mK?<;@v7_=_Yv?X<(X(n1UA$n9W07&I#B3(xrunj04$V)Y`yUDa@oN_UP z;xH!e#2HanN>uFVDrpl#R>p`iNkR!5hcw(o8j@0-pNN}6>}YthMQj0Klfnyfy2%Z6 z6KQq4$fBt}D}LE4!5a^<-*5)Kp%&T$a^RPJ&a! zZiww8<)+woZ1*q%{Q>ID))F$`945tE+@YLNn>)kWP%)uaj$t%y^fMNl=yGkPZI){G_J^1!ye6$Gazm*UE{f)7?%bo#+`D7X`0aF(MS`O8hfB@S zjz&A}f^aY|S^?kgRfC;BC+6$#=*N;yz=@+9lJ==BrtcZn$@%Fwss%j_uuZtpeUsbuiK+3KnFFkA zlm-_U8-^2gk!}+L#nmzi>~GNxwM|lkw)mn`-Y?^aD8HOWA}O9>K%VS_mzJrCN^PrC z+!b4+s-EQJcv5IpYHe2RxJ&8@zCfON(2|XaoxpjQF3+;z^xN2_sIud+F`W1%S}BoZwcR5~CONBdpVL7@$Z-l7);RO<$H!&0 z=Gyl)Is8C0$MjRXMV^x->p`kHUO}w|H04ac(UUq%`+|MTld2AV%L3|Ko<>H~j!8{Q zS{TZbeJFLFSBc$zG6y*hBCa+K$!U`WG9fsG`LrD{sYPbfacr4c22RkZ1tk!40=Zay zc!SVyqAHT$&QD~hrP4IcXpv`7{{J@eYy<^R$9{jVa=e;#-a_%SdC90Vx;zXG@v zcmuir{lF=p0=$Df|19t@a2xOe`g{)f5%4(h81NwQCE$yI7?XC|{F5_~GmtZoGmtZo zGmtZoGmtZoGw}bxK>ot1eDAgOXdyl^h*M9>@Zyv=f8kWTaSfile_size = off; woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE, fd, 0); - if (woody->file == MAP_FAILED) + if (woody->file == MAP_FAILED) { close(fd); ft_printf("Error: Failed to map file \'%s\'\n", woody->file_path); diff --git a/srcs/utils.c b/srcs/utils.c index db2b226..1857a26 100644 --- a/srcs/utils.c +++ b/srcs/utils.c 
@@ -7,6 +7,26 @@ void *fetch(char *file, unsigned long file_size, unsigned long offset_to_data, u return NULL; } +int get_symbols_count(int sh_size, int sh_entsize) +{ + if (sh_size <= 0 || sh_entsize <= 0) + return 0; + return (sh_size / sh_entsize); +} + +char *get_string(char *str, char *end_file) +{ + char *search_end = str; + while (search_end < end_file) + { + if (*search_end == 0) + return str; + ++search_end; + + } + return NULL; +} + int ft_put_error(char *str) { ft_putstr_fd("Error: ", STDERR_FILENO); diff --git a/srcs/woody.c b/srcs/woody.c index da52764..24a9728 100644 --- a/srcs/woody.c +++ b/srcs/woody.c @@ -6,7 +6,7 @@ int elf_magic_numbers(char *str) return (!ft_strncmp(str, ELFMAG, SELFMAG)); } -int save_elf(char *path, char *file, unsigned long int size) +int save_elf(char *path, char *file, unsigned long int size) { int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0755); if (fd == -1) { @@ -113,7 +113,6 @@ int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_posi printf("Code cave start = %ld (%lx)\n", payload_position, payload_position); printf("Payload size = %ld (%lx)\n", payload->len, payload->len); printf("Backwar d offset = %d (%x)\n", jump_value, jump_value); - return EXIT_SUCCESS; } return EXIT_FAILURE; @@ -122,7 +121,6 @@ int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_posi void inject(t_elf_content *woody) { t_payload *payload = get_payload(); - int i = get_load_segment(woody, 0, true); int j = get_load_segment(woody, i + 1, false); 
@@ -149,6 +147,14 @@ void inject(t_elf_content *woody) printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry); } +int is_special_section_indice(uint16_t section_index) { + return (section_index == SHN_LOPROC || section_index == SHN_BEFORE || + section_index == SHN_AFTER || section_index == SHN_HIPROC || + section_index == SHN_LOOS || section_index == SHN_HIOS || + section_index == SHN_ABS || section_index == SHN_COMMON || + section_index == SHN_XINDEX || section_index == SHN_HIRESERVE); +} + int get_elf_sections(t_elf_content *woody) { woody->Ehdr = (Elf64_Ehdr *)fetch(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr)); 
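Review bot: `is_special_section_indice` tests equality against the endpoints of reserved ranges (`SHN_LOPROC`/`SHN_HIPROC`, `SHN_LOOS`/`SHN_HIOS`), so an index strictly inside a range, e.g. `SHN_LOPROC + 1`, is reported as an ordinary section; every reserved index is `>= SHN_LORESERVE` (0xff00), so `return section_index >= SHN_LORESERVE;` covers all of them in one comparison. The helper appears unused in this commit — if it is groundwork, a one-line comment saying what it guards against (`/* true for st_shndx values that are not real section indices */`) would help the next reader, and `index` reads better than `indice`.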
@@ -160,40 +166,30 @@ int get_elf_sections(t_elf_content *woody) woody->Phdr = (Elf64_Phdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr)); woody->Shdr = (Elf64_Shdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff, sizeof(Elf64_Shdr)); - if (woody->Shdr == NULL || !fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff, woody->Ehdr->e_shnum * sizeof(Elf64_Shdr))) + if (!woody->Shdr|| !fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff, woody->Ehdr->e_shnum * sizeof(Elf64_Shdr))) + return EXIT_FAILURE; + + if (!fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (woody->Ehdr->e_shstrndx * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr))) { - return ft_put_error("Corrupted file"); + return EXIT_FAILURE; + } + char *Sshstrtab = (char *)fetch(woody->file, woody->file_size, woody->Shdr[woody->Ehdr->e_shstrndx].sh_offset, 0); + if (Sshstrtab == NULL) + { + return EXIT_FAILURE; + } + for (int j = 0; j < woody->Ehdr->e_shnum;j++) + { + if (woody->Shdr[j].sh_name > woody->Shdr[woody->Ehdr->e_shstrndx].sh_size) return EXIT_FAILURE; + if (woody->Shdr[j].sh_type == SHT_PROGBITS && woody->Shdr[j].sh_flags & SHF_EXECINSTR && + woody->Shdr[j].sh_flags & SHF_ALLOC && + Sshstrtab + woody->Shdr[j].sh_name < (char *)woody->file + woody->file_size && + !ft_strncmp(".text\0", Sshstrtab + woody->Shdr[j].sh_name, 6)) + { + woody->text_section = &woody->Shdr[j]; + break; + } } - - - - // Elf64_Shdr *symbols_table = NULL; - // for (int i = 0; i < woody->Ehdr->e_shnum; i++) { - // if (Shdr[i].sh_type == SHT_SYMTAB) { - // symbols_table = fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (i * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr)); - // } - // } - // if (symbols_table == NULL) - // return ft_put_error("No symbols"); - - // if (!fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (woody->Ehdr->e_shstrndx * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr))) - // return ft_put_error("Corrupted file"); - - // char *Sshstrtab = 
(char *)fetch(woody->file, woody->file_size, Shdr[woody->Ehdr->e_shstrndx].sh_offset, 0); - // if (Sshstrtab == NULL) - // return ft_put_error("Corrupted file"); - - // Elf64_Shdr *strtab_header = (Elf64_Shdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (symbols_table->sh_link * woody->Ehdr->e_shentsize), sizeof(Elf64_Shdr)); - // if (!strtab_header) - // return ft_put_error("Corrupted file"); - - // char *strtab = fetch(woody->file, woody->file_size, strtab_header->sh_offset, 0); - // if (strtab == NULL) - // return ft_put_error("Corrupted file"); - // Elf64_Sym *symbols = (Elf64_Sym *)fetch(woody->file, woody->file_size, symbols_table->sh_offset, sizeof(Elf64_Sym)); - // if (symbols == NULL) - // return ft_put_error("Corrupted file"); - return EXIT_SUCCESS; } @@ -202,16 +198,12 @@ int prepare_injection(t_elf_content *woody) int elf_statut = get_elf_sections(woody); if (elf_statut) return elf_statut; - inject(woody); - + // encrypt(woody->file, woody->text_section->sh_offset, woody->text_section->sh_size); char *woody_file; if (!(woody_file = malloc(woody->file_size))) return ft_put_error("Allocation error"); - ft_memcpy(woody_file, woody->file, woody->file_size); - - // encrypt(woody_file, strtab_header->sh_offset , strtab_header->sh_size); munmap(woody_file, woody->file_size); save_elf("woody", woody_file, woody->file_size); free(woody_file); From 8a5bfae528f46be541e5db69006a843d1db87ed2 Mon Sep 17 00:00:00 2001 From: pbonilla Date: Thu, 11 Apr 2024 23:15:15 +0200 Subject: [PATCH 12/20] fix trisomic jump --- includes/woody.h | 4 ++-- print.s | 2 +- srcs/woody.c | 20 +++++++++++++++----- 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/includes/woody.h b/includes/woody.h index f47c5a4..2807779 100644 --- a/includes/woody.h +++ b/includes/woody.h 
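Review bot: `woody->text_section` is only assigned when a `.text` section matches, and the struct is never zeroed (main declares `t_elf_content woody;` on the stack in the rename hunk), so a binary without section headers or with a stripped or renamed `.text` leaves the field indeterminate, and the later `woody->text_section->sh_offset` dereference (next commit) reads garbage; set `woody->text_section = NULL;` before the loop and either return an error or skip the encryption step when it stays NULL. Two bounds nits in the same loop: `sh_name > sh_size` should be `>=` (an index equal to `sh_size` is already outside the string table), and the single-byte check `Sshstrtab + sh_name < file + file_size` does not cover the up to 6 bytes `ft_strncmp` may read, so compare against `file + file_size - 6`. Indexing `woody->Shdr[e_shstrndx]` also wants `e_shstrndx < e_shnum` rather than only the file-bounds `fetch` on that header.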
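Review bot: The retained `munmap(woody_file, woody->file_size);` is applied to a `malloc`ed buffer, which is not valid — it either fails with EINVAL (no harm, but pointless) or, if the address happens to be page-aligned, unmaps heap memory that `save_elf` and `free(woody_file)` then touch; delete the line, the `free` below already releases the copy. The commit title says "encrypt text section" but the only `encrypt` call is commented out, so the output is not actually encrypted yet — either wire it in behind the `text_section` NULL check or say in the message that this is preparation. `save_elf`'s return value is also ignored, so a failed write still reports success. `prepare_injection` starts outside the hunk.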
@@ -15,8 +15,8 @@
 #include
 #define JUMP "\xe9"
-// #define TEXT_OFFSET "\xba\xba\xba\xba\xba\xba\xba\xba"
-// #define SECTION_SIZE "\xca\xca\xca\xca\xca\xca\xca\xca"
+#define TEXT_OFFSET "\xba\xba\xba\xba\xba\xba\xba\xba"
+#define SECTION_SIZE "\xca\xca\xca\xca\xca\xca\xca\xca"
 typedef struct payload
 {
diff --git a/print.s b/print.s
index c30897a..4e386bd 100644
--- a/print.s
+++ b/print.s
@@ -18,5 +18,5 @@ _start:
 pop rdi
 pop rax
 jmp 0x00000000
- msg db "..WOODY..",10
+ section_sisze dq 0xcacacacacacacaca
\ No newline at end of file
diff --git a/srcs/woody.c b/srcs/woody.c
index 24a9728..0ad2708 100644
--- a/srcs/woody.c
+++ b/srcs/woody.c
@@ -100,11 +100,21 @@ t_payload *get_payload()
 int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_position)
 {
- char *ptr = ft_strnstr_nullterminated(payload->payload, JUMP, payload->len);
- if (ptr)
+ char *ptr_jmp = ft_strnstr_nullterminated(payload->payload, JUMP, payload->len);
+ char *ptr_text_section = ft_strnstr_nullterminated(payload->payload, TEXT_OFFSET, payload->len);
+ char *ptr_section_size = ft_strnstr_nullterminated(payload->payload, SECTION_SIZE, payload->len);
+ (void)ptr_section_size;
+ (void)ptr_text_section;
+ printf("text_section = %ld and size = %ld\n", woody->text_section->sh_offset, woody->text_section->sh_size);
+ if (ptr_jmp)
 {
- int32_t jmp_index = ptr - payload->payload;
- int32_t jump_value = ((payload_position + payload->len) - woody->Ehdr->e_entry) * -1;
+ printf("test a jumo = %ld\n", ptr_jmp - payload->payload);
+ printf("test a jumo = %ld\n", ptr_jmp - payload->payload + sizeof(JUMP));
+ printf("jump base = %ld\n", payload->len);
+ printf("the jump = %ld\n", payload->len - 16);
+
+ int32_t jmp_index = ptr_jmp - payload->payload;
+ int32_t jump_value = (payload_position - woody->Ehdr->e_entry + jmp_index - 1) * -1;
 ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value));
 ft_memcpy(woody->file + payload_position, payload->payload, payload->len);
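Review bot: The new `printf("text_section = ...")` dereferences `woody->text_section` unconditionally, but the lookup earlier in this series only assigns it when a matching `.text` header is found and returns success otherwise, so an input without such a section crashes here; guard it with `if (!woody->text_section) return EXIT_FAILURE;` before the first use. The debug lines also pair `%ld` with `size_t` and `ptrdiff_t` arguments (`payload->len`, `ptr_jmp - payload->payload`), which `-Wformat` flags; `%zu`/`%td` are the matching specifiers. `jump_value` is an `int32_t` built from 64-bit offsets with no range check, so a displacement that does not fit a rel32 is silently truncated instead of rejected. The `(void)` casts and the four `"test a jumo"`/`"the jump"` prints read as scratch output that should not land in the commit. insert_payload continues below the hunk.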
@@ -112,7 +122,7 @@ int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_posi
 printf("Old entry : %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
 printf("Code cave start = %ld (%lx)\n", payload_position, payload_position);
 printf("Payload size = %ld (%lx)\n", payload->len, payload->len);
- printf("Backwar d offset = %d (%x)\n", jump_value, jump_value);
+ printf("Backwar d offset = %d (%x)(%x)\n", jump_value, jump_value, -jump_value);
 return EXIT_SUCCESS;
 }
 return EXIT_FAILURE;
From ee6e39f716b32ca460e26d28c760c56f77c00b43 Mon Sep 17 00:00:00 2001
From: gbrochar
Date: Mon, 15 Apr 2024 06:17:31 +0200
Subject: [PATCH 13/20] chore: efl -> elf
---
 includes/woody.h | 9 +++++----
 srcs/main.c | 7 ++++---
 srcs/woody.c | 27 ++++++++++++++-------------
 3 files changed, 23 insertions(+), 20 deletions(-)
diff --git a/includes/woody.h b/includes/woody.h
index 7aa98d7..05d125b 100644
--- a/includes/woody.h
+++ b/includes/woody.h
@@ -22,7 +22,7 @@ typedef struct payload
 size_t len;
 } t_payload;
-typedef struct efl_content
+typedef struct elf_content
 {
 long unsigned int file_size;
 char *file_path;
@@ -31,16 +31,17 @@ typedef struct efl_content
 Elf64_Phdr *Phdr;
 Elf64_Shdr *Shdr;
 char *extra_data;
-} t_efl_content;
+} t_elf_content;
 // utils.c
 void *fetch(char *file, unsigned long file_size, unsigned long offset_to_data, unsigned long supposed_data_size);
 int ft_put_error(char *str);
 // woody.c
-int prepare_injection(t_efl_content *woody);
+int prepare_injection(t_elf_content *woody);
 // encrypt.c
 void encrypt(char *file, unsigned long int offset, unsigned long int size);
-#endif
\ No newline at end of file
+#endif
+
diff --git a/srcs/main.c b/srcs/main.c
index 143a099..9c3bb06 100644
--- a/srcs/main.c
+++ b/srcs/main.c
@@ -1,6 +1,6 @@
 #include "../includes/woody.h"
-int get_elf_file(t_efl_content *woody)
+int get_elf_file(t_elf_content *woody)
 {
 int fd;
 off_t off;
@@ -32,7 +32,7 @@ int get_elf_file(t_efl_content *woody)
 int main(int ac, char **av)
 {
- t_efl_content woody;
+ t_elf_content woody;
 if (ac != 2)
 {
 return ft_put_error("Woody_woodpacker take 1 argument\n");
@@ -42,4 +42,5 @@ int main(int ac, char **av)
 if (ret == EXIT_FAILURE)
 return ret;
 return prepare_injection(&woody);
-}
\ No newline at end of file
+}
+
diff --git a/srcs/woody.c b/srcs/woody.c
index 154d178..94522a1 100644
--- a/srcs/woody.c
+++ b/srcs/woody.c
@@ -27,7 +27,7 @@ int save_elf(char *path, char *file, unsigned long int size)
 return EXIT_SUCCESS;
 }
-int get_load_segment(t_efl_content *woody, int start, bool executable)
+int get_load_segment(t_elf_content *woody, int start, bool executable)
 {
 for (int i = start; i < woody->Ehdr->e_phnum; i++)
 {
@@ -45,7 +45,7 @@ int get_load_segment(t_efl_content *woody, int start, bool executable)
 return -1;
 }
-void offset_sections(t_efl_content *woody, unsigned int from, unsigned int offset_ammount)
+void offset_sections(t_elf_content *woody, unsigned int from, unsigned int offset_ammount)
 {
 for (int i = 0; i < woody->Ehdr->e_phnum; i++)
 {
@@ -59,7 +59,7 @@ void offset_sections(t_efl_content *woody, unsigned int from, unsigned int offse
 }
 }
-size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment, t_payload *payload)
+size_t create_codecave(t_elf_content *woody, Elf64_Phdr *load_segment, t_payload *payload)
 {
 const unsigned int page_size = 4096; // getpagesize(); not authorized
 unsigned int padding_size = ((payload->len / page_size) + 1) * page_size;
@@ -93,12 +93,12 @@ t_payload *get_payload()
 return payload;
 }
-int insert_payload(t_efl_content *woody, t_payload *payload, size_t payload_position)
+int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_position)
 {
 char *ptr = ft_strnstr_nullterminated(payload->payload, JUMP, payload->len);
 if (ptr)
 {
- int32_t jmp_index = ptr - payload->payload;
+ int32_t jmp_index = ptr - payload->payload;
 int32_t jump_value = ((payload_position + payload->len) - woody->Ehdr->e_entry) * -1;
 ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value));
@@ -108,19 +108,19 @@ int insert_payload(t_efl_content *woody, t_payload *payload, size_t payload_posi
 printf("Code cave start = %ld (%lx)\n", payload_position, payload_position);
 printf("Payload size = %ld (%lx)\n", payload->len, payload->len);
 printf("Backwar d offset = %d (%x)\n", jump_value, jump_value);
-
+
 return EXIT_SUCCESS;
 }
 return EXIT_FAILURE;
 }
-void inject(t_efl_content *woody)
+void inject(t_elf_content *woody)
 {
 t_payload *payload = get_payload();
- int i = get_load_segment(woody, 0, true);
+ int i = get_load_segment(woody, 0, true);
 int j = get_load_segment(woody, i + 1, false);
-
+
 size_t code_cave_size = woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz);
 size_t payload_position;
 printf("load position = : %ld (%lx)\n", woody->Phdr[i].p_offset, woody->Phdr[i].p_offset);
@@ -144,7 +144,7 @@ void inject(t_efl_content *woody)
 printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
 }
-int get_elf_sections(t_efl_content *woody)
+int get_elf_sections(t_elf_content *woody)
 {
 woody->Ehdr = (Elf64_Ehdr *)fetch(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr));
 if (!woody->Ehdr || !elf_magic_numbers(woody->file) || woody->Ehdr->e_ident[EI_CLASS] != ELFCLASS64)
@@ -178,7 +178,7 @@ int get_elf_sections(t_efl_content *woody)
 // if (Sshstrtab == NULL)
 // return ft_put_error("Corrupted file");
- // Elf64_Shdr *strtab_header = (Elf64_Shdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (symbols_table->sh_link * woody->Ehdr->e_shentsize), sizeof(Elf64_Shdr));
+ // Elf64_Shdr *strtab_header = (Elf64_Shdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (symbols_table->sh_link * woody->Ehdr->e_shentsize), sizeof(Elf64_Shdr));
 // if (!strtab_header)
 // return ft_put_error("Corrupted file");
@@ -192,7 +192,7 @@ int get_elf_sections(t_efl_content *woody)
 return EXIT_SUCCESS;
 }
-int prepare_injection(t_efl_content *woody)
+int prepare_injection(t_elf_content *woody)
 {
 int elf_statut = get_elf_sections(woody);
 if (elf_statut)
@@ -211,4 +211,5 @@ int prepare_injection(t_efl_content *woody)
 save_elf("woody", woody_file, woody->file_size);
 free(woody_file);
 return EXIT_SUCCESS;
-}
\ No newline at end of file
+}
+
From d1c86e7165b04e01efe13e93761502769b9cdfec Mon Sep 17 00:00:00 2001
From: pbonilla
Date: Mon, 15 Apr 2024 10:16:28 +0200
Subject: [PATCH 14/20] Adress to sections added to asm
---
 print.s | 2 +-
 srcs/woody.c | 21 +++++++++++++--------
 2 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/print.s b/print.s
index 4e386bd..bfc8337 100644
--- a/print.s
+++ b/print.s
@@ -12,11 +12,11 @@ _start:
 mov rdx, 10
 mov rax, 1
 syscall
-
 pop rdx
 pop rsi
 pop rdi
 pop rax
 jmp 0x00000000
 msg db "..WOODY..",10
+ text_section dq 0xbabababababababa
 section_sisze dq 0xcacacacacacacaca
\ No newline at end of file
diff --git a/srcs/woody.c b/srcs/woody.c
index 0ad2708..21176da 100644
--- a/srcs/woody.c
+++ b/srcs/woody.c
@@ -103,10 +103,7 @@ int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_posi
 char *ptr_jmp = ft_strnstr_nullterminated(payload->payload, JUMP, payload->len);
 char *ptr_text_section = ft_strnstr_nullterminated(payload->payload, TEXT_OFFSET, payload->len);
 char *ptr_section_size = ft_strnstr_nullterminated(payload->payload, SECTION_SIZE, payload->len);
- (void)ptr_section_size;
- (void)ptr_text_section;
- printf("text_section = %ld and size = %ld\n", woody->text_section->sh_offset, woody->text_section->sh_size);
- if (ptr_jmp)
+ if (ptr_jmp && ptr_text_section && ptr_section_size)
 {
 printf("test a jumo = %ld\n", ptr_jmp - payload->payload);
 printf("test a jumo = %ld\n", ptr_jmp - payload->payload + sizeof(JUMP));
@@ -115,10 +112,18 @@ int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_posi
 int32_t jmp_index = ptr_jmp - payload->payload;
 int32_t jump_value = (payload_position - woody->Ehdr->e_entry + jmp_index - 1) * -1;
-
 ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value));
- ft_memcpy(woody->file + payload_position, payload->payload, payload->len);
+ int64_t text_index = ptr_text_section - payload->payload;
+ int64_t text_value = (payload_position - woody->text_section->sh_offset + text_index - 1) * -1;
+ text_value = 0;
+ ft_memcpy(&payload->payload[text_index], &text_value, sizeof(text_value));
+
+ int64_t section_index = ptr_section_size - payload->payload;
+ int64_t section_value = (payload_position - woody->text_section->sh_size + section_index - 1) * -1;
+ ft_memcpy(&payload->payload[section_index], §ion_value, sizeof(section_value));
+
+ ft_memcpy(woody->file + payload_position, payload->payload, payload->len);
 printf("Old entry : %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
 printf("Code cave start = %ld (%lx)\n", payload_position, payload_position);
 printf("Payload size = %ld (%lx)\n", payload->len, payload->len);
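Review bot: `text_value` is computed from `text_section->sh_offset` and then immediately overwritten by `text_value = 0;`, so the 8-byte `TEXT_OFFSET` slot is always patched with zero and the preceding arithmetic is a dead store — either drop the placeholder or comment why zero is intended for now. `section_value` mixes a file offset (`payload_position`), a byte count (`sh_size`) and an index into the payload, which is not a meaningful quantity; if the slot is meant to carry the section size, `int64_t section_value = woody->text_section->sh_size;` is the whole expression. Both `ft_memcpy` writes rely on `text_index`/`section_index` leaving 8 bytes before `payload->len`, which holds only because `ft_strnstr_nullterminated` matched the full 8-byte marker — worth a one-line comment so the invariant survives a marker change, and both still dereference `text_section` with no NULL check. (`§ion_value` on this page is almost certainly `&section_value` mangled by an HTML entity, not a source problem.) insert_payload continues below the hunk.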
@@ -138,7 +143,6 @@ void inject(t_elf_content *woody)
 size_t payload_position;
 printf("load position = : %ld (%lx)\n", woody->Phdr[i].p_offset, woody->Phdr[i].p_offset);
 printf("load size = : %ld (%lx)\n", woody->Phdr[i].p_filesz, woody->Phdr[i].p_filesz);
-
 if (code_cave_size > payload->len) // inverse here to test the other technique
 {
 payload_position = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz;
@@ -153,7 +157,8 @@ void inject(t_elf_content *woody)
 woody->Ehdr->e_entry = payload_position;
 woody->Phdr[i].p_filesz += payload->len;
 woody->Phdr[i].p_memsz += payload->len;
-
+ woody->Phdr[i].p_flags = PF_X | PF_W | PF_R;
+ woody->text_section->sh_size += payload->len;
 printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
 }
From 95bac7cadf92f3b313f97a178c7732a1cfc55800 Mon Sep 17 00:00:00 2001
From: pbonilla
Date: Tue, 16 Apr 2024 13:56:58 +0200
Subject: [PATCH 15/20] mov 0x90 to runtimes address
---
 print.s | 1 +
 1 file changed, 1 insertion(+)
diff --git a/print.s b/print.s
index bfc8337..519afa7 100644
--- a/print.s
+++ b/print.s
@@ -9,6 +9,7 @@ _start:
 mov rdi, 1
 lea rsi, [rel msg]
+ mov byte[rsi - 317], 0x90
 mov rdx, 10
 mov rax, 1
 syscall
From 621a1ec64166f0275657d1d7db97b49d85fcfe83 Mon Sep 17 00:00:00 2001
From: gbrochar
Date: Tue, 16 Apr 2024 21:25:36 +0200
Subject: [PATCH 16/20] fix: jump value hotfix, double injection OK
---
 gen_payload.sh | 1 +
 print.s | 4 ++--
 srcs/woody.c | 1 +
 3 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100755 gen_payload.sh
diff --git a/gen_payload.sh b/gen_payload.sh
new file mode 100755
index 0000000..2c99491
--- /dev/null
+++ b/gen_payload.sh
@@ -0,0 +1 @@
+nasm -f elf64 -o print.o print.s && ld -o print print.o && nasm -f bin -o payload print.s && hexdump -v -e '"\\\x\" 1/1 "%02x"' payload
diff --git a/print.s b/print.s
index 3a557c8..83e7918 100644
--- a/print.s
+++ b/print.s
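Review bot: `woody->Phdr[i].p_flags = PF_X | PF_W | PF_R;` overwrites the segment's flags wholesale, so the output binary's code segment becomes writable as well as executable and loses W^X separation; if in-place modification at run time is really required, say so at this line (`// RWX: stub patches its own segment at run time`) and prefer `p_flags |= PF_W` over replacing the value so the other bits are preserved. `woody->text_section->sh_size += payload->len` assumes the payload was placed directly after `.text`, but `payload_position` is `p_offset + p_memsz` of the LOAD segment, which is generally past the end of `.text` (other sections may sit in between), so the header ends up claiming bytes that are not contiguous with the section. Both lines also dereference `text_section` with no NULL check. inject begins above the hunk.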
@@ -14,7 +14,7 @@ _start:
 mov rdi, 1
 mov rdi, 1
 lea rsi, [rel msg]
- mov rdx, 10
+ mov rdx, 14
 mov rax, 1
 syscall
@@ -24,4 +24,4 @@ _start:
 pop rax
 jmp 0x00000000
- msg db "..WOODY..",10
+ msg db "....WOODY....",10
diff --git a/srcs/woody.c b/srcs/woody.c
index 94522a1..448a085 100644
--- a/srcs/woody.c
+++ b/srcs/woody.c
@@ -100,6 +100,7 @@ int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_posi
 {
 int32_t jmp_index = ptr - payload->payload;
 int32_t jump_value = ((payload_position + payload->len) - woody->Ehdr->e_entry) * -1;
+ jump_value += 14;
 ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value));
 ft_memcpy(woody->file + payload_position, payload->payload, payload->len);
From c04078e5a2f4e37dd6a1010226d363cb5531ec95 Mon Sep 17 00:00:00 2001
From: gbrochar
Date: Wed, 17 Apr 2024 06:53:47 +0200
Subject: [PATCH 17/20] fix: "clean" jump, can modify payload
---
 srcs/woody.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/srcs/woody.c b/srcs/woody.c
index 448a085..a317d9a 100644
--- a/srcs/woody.c
+++ b/srcs/woody.c
@@ -1,6 +1,5 @@
 #include "../includes/woody.h"
-
 int elf_magic_numbers(char *str)
 {
 return (!ft_strncmp(str, ELFMAG, SELFMAG));
@@ -99,8 +98,7 @@ int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_posi
 if (ptr)
 {
 int32_t jmp_index = ptr - payload->payload;
- int32_t jump_value = ((payload_position + payload->len) - woody->Ehdr->e_entry) * -1;
- jump_value += 14;
+ int32_t jump_value = ((payload_position + jmp_index + 5) - woody->Ehdr->e_entry) * -1; // 5 = JUMP SIZE (OPCODE + 4 bytes operand)
 ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value));
 ft_memcpy(woody->file + payload_position, payload->payload, payload->len);
From a0e9ccb0e31f97ec9e7d11a1e1fc150a7f275d13 Mon Sep 17 00:00:00 2001
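Review bot: The rel32 now has the right shape, but the `int32_t` narrowing of a 64-bit difference is still unchecked: if `payload_position + jmp_index + 5` and `e_entry` are more than 2 GiB apart the result wraps silently and the patched `jmp` lands somewhere unrelated. Compute in `int64_t` first and reject out-of-range values before the `ft_memcpy`, e.g. `if (rel < INT32_MIN || rel > INT32_MAX) return EXIT_FAILURE;`. `payload_position` is a file offset while `e_entry` is a virtual address, so the subtraction is only meaningful when the executable segment has `p_vaddr == p_offset` (or the difference is folded in), and nothing in this function checks that — worth stating next to the `5 = JUMP SIZE` comment. The `if (ptr)` block continues below the hunk.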
From: gbrochar
Date: Wed, 17 Apr 2024 09:04:43 +0200
Subject: [PATCH 18/20] chore: fix compilation on my machine
---
 ft_printf/libft/ft_lstdelone.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ft_printf/libft/ft_lstdelone.c b/ft_printf/libft/ft_lstdelone.c
index 5f21f42..1d01c83 100644
--- a/ft_printf/libft/ft_lstdelone.c
+++ b/ft_printf/libft/ft_lstdelone.c
@@ -18,7 +18,8 @@ void ft_lstdelone(t_list *lst, void (*del)(void *))
 return ;
 if (del)
 {
- free(lst);
 del(lst->content);
+ free(lst);
 }
 }
+
From 41fb358473e52233b99225597be23265311d0f09 Mon Sep 17 00:00:00 2001
From: pbonilla
Date: Wed, 17 Apr 2024 12:14:08 +0200
Subject: [PATCH 19/20] start rot 1
---
 includes/woody.h | 2 ++
 print.s | 18 ++++++++++++++--
 srcs/encrypt.c | 2 +-
 srcs/woody.c | 18 ++++++++++--------
 4 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/includes/woody.h b/includes/woody.h
index 2807779..459e691 100644
--- a/includes/woody.h
+++ b/includes/woody.h
@@ -14,7 +14,9 @@
 #include
 #include
+
 #define JUMP "\xe9"
+#define WOODY "..WOODY.."
 #define TEXT_OFFSET "\xba\xba\xba\xba\xba\xba\xba\xba"
 #define SECTION_SIZE "\xca\xca\xca\xca\xca\xca\xca\xca"
diff --git a/print.s b/print.s
index 519afa7..51adbe6 100644
--- a/print.s
+++ b/print.s
@@ -9,7 +9,20 @@ _start:
 mov rdi, 1
 lea rsi, [rel msg]
- mov byte[rsi - 317], 0x90
+ mov rax, rsi
+ sub rax, qword [rel text_section] ;text_section address
+ mov r8, qword [rel section_sisze] ;text_section size
+ mov r9, 0 ;increment register
+ xor r10, r10
+ ; encrypt:
+ ; cmp r8, r9
+ ; je end_encrypt
+ ; mov r10b, byte[rax + r9]
+ ; inc r10b ;rot + 1
+ ; mov byte[rax + r9], r10b
+ ; inc r9
+ ; jmp encrypt
+ ; end_encrypt:
 mov rdx, 10
 mov rax, 1
 syscall
@@ -17,7 +30,8 @@ _start:
 pop rsi
 pop rdi
 pop rax
- jmp 0x00000000
+
+ jmp 0x00000000 ;for now it needs to be the first jmp
 msg db "..WOODY..",10
 text_section dq 0xbabababababababa
 section_sisze dq 0xcacacacacacacaca
\ No newline at end of file
diff --git a/srcs/encrypt.c b/srcs/encrypt.c
index 833b63a..f7866d7 100644
--- a/srcs/encrypt.c
+++ b/srcs/encrypt.c
@@ -5,7 +5,7 @@ void encrypt(char *file, unsigned long int offset, unsigned long int size)
 size_t i = 0;
 while (i < size)
 {
- file[offset + i] = file[offset + i] + 1;
+ file[offset + i] = file[offset + i] - 1;
 ++i;
 }
 }
\ No newline at end of file
diff --git a/srcs/woody.c b/srcs/woody.c
index 21176da..37b3ecd 100644
--- a/srcs/woody.c
+++ b/srcs/woody.c
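Review bot: `file[offset + i] = file[offset + i] - 1;` writes through `offset + size` bytes with no knowledge of the buffer's length; `encrypt` takes no `file_size`, so a corrupt or hostile `sh_offset`/`sh_size` from the input ELF turns the loop into an out-of-bounds write on the mapped file. Either add a `file_size` parameter and return early when `offset > file_size || size > file_size - offset`, or document above the loop that the caller must have validated the range with `fetch()` first. The `+1` to `-1` flip also deserves a one-line comment saying which side applies which direction (the stub's commented loop in print.s uses `inc`), since the function name no longer tells the reader. The signature and opening brace are just above the hunk.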
@@ -101,29 +101,31 @@ t_payload *get_payload()
 int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_position)
 {
 char *ptr_jmp = ft_strnstr_nullterminated(payload->payload, JUMP, payload->len);
+ char *ptr_woody = ft_strnstr_nullterminated(payload->payload, WOODY, payload->len);
 char *ptr_text_section = ft_strnstr_nullterminated(payload->payload, TEXT_OFFSET, payload->len);
 char *ptr_section_size = ft_strnstr_nullterminated(payload->payload, SECTION_SIZE, payload->len);
- if (ptr_jmp && ptr_text_section && ptr_section_size)
+ if (ptr_jmp && ptr_woody && ptr_text_section && ptr_section_size)
 {
- printf("test a jumo = %ld\n", ptr_jmp - payload->payload);
- printf("test a jumo = %ld\n", ptr_jmp - payload->payload + sizeof(JUMP));
- printf("jump base = %ld\n", payload->len);
- printf("the jump = %ld\n", payload->len - 16);
+ int32_t woody_index = ptr_woody - payload->payload;
 int32_t jmp_index = ptr_jmp - payload->payload;
 int32_t jump_value = (payload_position - woody->Ehdr->e_entry + jmp_index - 1) * -1;
 ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value));
 int64_t text_index = ptr_text_section - payload->payload;
- int64_t text_value = (payload_position - woody->text_section->sh_offset + text_index - 1) * -1;
- text_value = 0;
+ int64_t text_value = payload_position - woody->Ehdr->e_entry + woody_index;
 ft_memcpy(&payload->payload[text_index], &text_value, sizeof(text_value));
 int64_t section_index = ptr_section_size - payload->payload;
- int64_t section_value = (payload_position - woody->text_section->sh_size + section_index - 1) * -1;
+ int64_t section_value = woody->text_section->sh_size;
 ft_memcpy(&payload->payload[section_index], §ion_value, sizeof(section_value));
 ft_memcpy(woody->file + payload_position, payload->payload, payload->len);
+
+ printf("jmp_index : %d (%x)\n", jmp_index, jmp_index);
+ printf("woody index :%d (%x)\n", woody_index, woody_index);
+ printf("jmp_index++ : %ld (%lx)\n", jmp_index + sizeof(JUMP) + sizeof(jump_value), jmp_index + sizeof(JUMP) + sizeof(jump_value) - 1);
+ printf("text_value : %ld (%lx)\n", text_value, text_value);
 printf("Old entry : %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
 printf("Code cave start = %ld (%lx)\n", payload_position, payload_position);
 printf("Payload size = %ld (%lx)\n", payload->len, payload->len);
From 6d6a5952f8493fb17c96b071107a5097e9fac8aa Mon Sep 17 00:00:00 2001
From: pbonilla
Date: Wed, 17 Apr 2024 12:28:34 +0200
Subject: [PATCH 20/20] point point point point
---
 print.s | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/print.s b/print.s
index bef77dd..5c2c123 100644
--- a/print.s
+++ b/print.s
@@ -23,7 +23,7 @@ _start:
 ; inc r9
 ; jmp encrypt
 ; end_encrypt:
- mov rdx, 10
+ mov rdx, 14
 mov rax, 1
 syscall
 pop rdx
@@ -32,6 +32,6 @@ _start:
 pop rax
 jmp 0x00000000 ;for now it needs to be the first jmp
- msg db "..WOODY..",10
+ msg db "....WOODY....",10
 text_section dq 0xbabababababababa
 section_sisze dq 0xcacacacacacacaca
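Review bot: The new debug lines pass `size_t` expressions (`jmp_index + sizeof(JUMP) + sizeof(jump_value)`) to `%ld`/`%lx` and an `int64_t` (`text_value`) to `%ld`, which `-Wformat` flags and which is only accidentally right where `long` is 64-bit; use `%zu`/`%zx` and `PRId64`/`PRIx64` from `<inttypes.h>`. `woody_index` is declared `int32_t` but holds a `ptrdiff_t`, the same unchecked narrowing as `jmp_index`; since both index `payload->payload`, `size_t` (or a range check against `payload->len`) is the honest type. `text_value` is now derived from `e_entry`, not from the `.text` header, so the slot named `TEXT_OFFSET` carries a distance to the original entry point rather than to `.text`; either the macro name or the formula should change, and a comment should state which address the stub reconstructs from it. insert_payload continues below the hunk.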