From 18358ce36cc1c06962b4c2c53af90df8647c66b8 Mon Sep 17 00:00:00 2001 From: gbrochar Date: Tue, 3 Sep 2024 23:57:33 +0200 Subject: [PATCH] refacto(xor): opti payload size --- assets/xor.s | 59 +++++++++++++++++------------------------- src/woody_woodpacker.c | 33 +++++++++++------------ 2 files changed, 41 insertions(+), 51 deletions(-) diff --git a/assets/xor.s b/assets/xor.s index daea697..21e2f45 100644 --- a/assets/xor.s +++ b/assets/xor.s 
@@ -5,66 +5,55 @@ _start: push rbp push rsp push rbx - push r13 push rax push rcx push rdx push rsi push rdi push r8 - push r9 - mov rdi, 1 lea rsi, [rel msg] mov rbx, rsi - ;mov rbx, qword [rel text_section] sub rbx, qword [rel text_section] ;text_section address because of this and that mov r8, qword [rel section_size] ;text_section size - mov r9, 0 ;increment register - xor r13, r13 - mov r13, qword [rel private_key] - - decrypt_whole_blocks: - ; check left to decrypt < block_size - mov rcx, r8 - sub rcx, r9 - cmp rcx, 8 - jle decrypt_last_block - ; xor section with private_key - mov rdx, rbx - add rdx, r9 - xor [rdx], r13 - ; increase section address - ; increase counter - add r9, 8 - jmp decrypt_whole_blocks + mov rdx, qword [rel private_key] decrypt_last_block: - mov rdx, 8 - sub rdx, rcx - mov rcx, rdx - mov rax, 8 - mul cl - mov rcx, rax - shl r13, cl - shr r13, cl - mov rdx, rbx - add rdx, r9 - xor [rdx], r13 + ; rcx = 8 * (8 - section_size % 8) + ; Then crop the private key by rcx bits + ; That's to decrypt the end of the section in case the section size + ; isn't a multiple of 64 bits + mov rcx, r8 + not rcx + and rcx, 7 + inc rcx + shl rcx, 3 + mov rax, rdx + shl rax, cl + shr rax, cl + ; make section size a multiple of 64bits with this and + and r8, 0xfffffffffffffff8 + xor [rbx + r8], rax + + decrypt_whole_blocks: + sub r8, 8 + cmp r8, -8 + je end_decrypt + xor [rbx + r8], rdx + jmp decrypt_whole_blocks end_decrypt: + mov rdi, 1 mov rdx, 14 mov rax, 1 syscall - pop r9 pop r8 pop rdi pop rsi pop rdx pop rcx pop rax - pop r13 pop rbx pop rsp pop rbp diff --git a/src/woody_woodpacker.c b/src/woody_woodpacker.c index d9f7dda..4d7598b 100644 --- a/src/woody_woodpacker.c +++ b/src/woody_woodpacker.c 
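Review bot: The new decrypt_last_block path writes one qword past the end of the section whenever section_size is a multiple of 8: `mov rcx, r8 / not rcx / and rcx, 7 / inc rcx / shl rcx, 3` gives rcx = 64 in that case, a shift count of 64 is masked to 0 on x86-64, so rax keeps the full key and `xor [rbx + r8], rax` hits [rbx + section_size], which the countdown loop below never touches and which is not part of the encrypted data (a size of 0 hits the same path). The removed code did not have this problem because its loop branched to the last-block handling with exactly 8 bytes left, so the crop was a shift by 0 applied to a block inside the section. Guard the partial-block step, e.g. right after `mov rdx, qword [rel private_key]` add `test r8, 7` and `jz decrypt_whole_blocks`; r8 is then already a multiple of 8, so the `sub r8, 8` loop starts on the correct block. Any such change alters the assembled bytes, so payload.len and the three offsets hard-coded in get_xor_payload64 (src/woody_woodpacker.c) must be regenerated with it; the msg/text_section/section_size/private_key data that these instructions reference lies outside the hunk.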
@@ -116,25 +116,26 @@ int encrypt_xor(t_map file, Elf64_Phdr load_segment) { t_payload64 get_xor_payload64(void) { t_payload64 payload; - payload.len = 191; - payload.jump_offset = 149; - payload.load_ptr_offset = 167; - payload.load_size_offset = 175; + size_t diff = 30; + + payload.len = 191 - diff; + payload.jump_offset = 149 - diff; + payload.load_ptr_offset = 167 - diff; + payload.load_size_offset = 175 - diff; payload.encrypt = &encrypt_xor; payload.data = malloc(payload.len * sizeof(unsigned char)); ft_memcpy(payload.data, - "\x55\x54\x53\x41\x55\x50\x51\x52\x56\x57\x41\x50\x41\x51\xbf\x01" - "\x00\x00\x00\x48\x8d\x35\x7f\x00\x00\x00\x48\x89\xf3\x48\x2b\x1d" - "\x83\x00\x00\x00\x4c\x8b\x05\x84\x00\x00\x00\x41\xb9\x00\x00\x00" - "\x00\x4d\x31\xed\x4c\x8b\x2d\x7c\x00\x00\x00\x4c\x89\xc1\x4c\x29" - "\xc9\x48\x83\xf9\x08\x7e\x0f\x48\x89\xda\x4c\x01\xca\x4c\x31\x2a" - "\x49\x83\xc1\x08\xeb\xe5\xba\x08\x00\x00\x00\x48\x29\xca\x48\x89" - "\xd1\xb8\x08\x00\x00\x00\xf6\xe1\x48\x89\xc1\x49\xd3\xe5\x49\xd3" - "\xed\x48\x89\xda\x4c\x01\xca\x4c\x31\x2a\xba\x0e\x00\x00\x00\xb8" - "\x01\x00\x00\x00\x0f\x05\x41\x59\x41\x58\x5f\x5e\x5a\x59\x58\x41" - "\x5d\x5b\x5c\x5d\xe9\x41\xda\xda\xda\x2e\x2e\x2e\x2e\x57\x4f\x4f" - "\x44\x59\x2e\x2e\x2e\x2e\x0a\xba\xba\xba\xba\xba\xba\xba\xba\xca" - "\xca\xca\xca\xca\xca\xca\xca\xcd\xab\xef\xcd\xab\xef\xcd\xab", + "\x55\x54\x53\x50\x51\x52\x56\x57\x41\x50\x48\x8d\x35\x6a\x00\x00" + "\x00\x48\x89\xf3\x48\x2b\x1d\x6e\x00\x00\x00\x4c\x8b\x05\x6f\x00" + "\x00\x00\x48\x8b\x15\x70\x00\x00\x00\x4c\x89\xc1\x48\xf7\xd1\x48" + "\x83\xe1\x07\x48\xff\xc1\x48\xc1\xe1\x03\x48\x89\xd0\x48\xd3\xe0" + "\x48\xd3\xe8\x49\x83\xe0\xf8\x4a\x31\x04\x03\x49\x83\xe8\x08\x49" + "\x83\xf8\xf8\x74\x06\x4a\x31\x14\x03\xeb\xf0\xbf\x01\x00\x00\x00" + "\xba\x0e\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x41\x58\x5f\x5e" + "\x5a\x59\x58\x5b\x5c\x5d\xe9\x5f\xda\xda\xda\x2e\x2e\x2e\x2e\x57" + "\x4f\x4f\x44\x59\x2e\x2e\x2e\x2e\x0a\xba\xba\xba\xba\xba\xba\xba" + 
"\xba\xca\xca\xca\xca\xca\xca\xca\xca\xcd\xab\xef\xcd\xab\xef\xcd" + "\xab", payload.len); return payload; }