Shikata-ga-nai_x86
#
# _payload:
# 00002014 B8DAFFFECD mov eax, 0xcdfeffda ; Move the initialisation vector (IV) into EAX. This is the initial key. XREF=_main+13
# 00002019 DAD3 fcmovbe st0, st3 ; (Not sure) Conditional move ST0 to ST3 (floating point). Not sure why this is necessary; presumably it is here because FNSTENV below records the address of the last executed FPU instruction, so one must precede it.
# 0000201b D97424F4 fnstenv dword [ss:esp-0xc] ; Stores the floating-point environment at the designated location in memory. This includes the saved instruction pointer (EIP). Note the offset from ESP (the stack pointer): it makes ESP point at the stored EIP.
# 0000201f 5B pop ebx ; Get EIP from the stack; it was saved by FNSTENV.
# 00002020 29C9 sub ecx, ecx ; Zero out ECX.
# 00002022 B10E mov cl, 0xe ; ECX is the loop counter (14 dwords).
# ; EBX + 0x12 points at the next encoded dword to decode.
# 00002024 314312 xor dword [ds:ebx+0x12], eax ; XOR the dword at EBX+0x12 with the key in EAX.
# 00002027 034312 add eax, dword [ds:ebx+0x12] ; Add the just-decoded dword at EBX+0x12 to EAX; this is the new key.
# ; In the first iteration the data below decodes to:
# ; addl $0x4, %ebx ; advance the EBX pointer
# ; loop 0x2024 ; jump back while ECX > 0
# 0000202a db 0x83
# ; endp
# 0000202b dd 0x381cfb19
# 0000202f dd 0xd609c4ac
# 00002033 dd 0xadc9c4ce
# 00002037 dd 0x25aab1a1
# 0000203b dd 0xdb59153d
# 0000203f dd 0x46c9464d
# 00002043 dd 0xa766f4c1
# 00002047 dd 0xb70d7d6d
# 0000204b dd 0xe734f4d6
# 0000204f dd 0xc946e461
# 00002053 dd 0xca48e977
# 00002057 dd 0x2bc1ba26
# 0000205b dd 0x1b816d9a
# 0000205f dd 0xdce8de21
# Taken from memory address 0000202b
# The 14 encoded dwords from the listing above (0000202b .. 0000205f),
# in the order the decoder loop walks them.
buffer = [
    int(word, 16)
    for word in (
        "381cfb19 d609c4ac adc9c4ce 25aab1a1 "
        "db59153d 46c9464d a766f4c1 b70d7d6d "
        "e734f4d6 c946e461 ca48e977 2bc1ba26 "
        "1b816d9a dce8de21"
    ).split()
]
import ctypes | |
import struct | |
import hexdump | |
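class Shikata_ga_nai:
    """Pure-Python model of the x86 decoder loop disassembled above.

    Each 32-bit word is XORed with a running key, and the key is then
    advanced by adding the just-decoded word to it, truncated to 32 bits.
    This mirrors the ``xor dword [ebx+0x12], eax`` / ``add eax, dword
    [ebx+0x12]`` pair in the listing. ``encode`` is the exact inverse of
    ``decode``, so ``encode(decode(words)) == words``.

    Works unchanged on Python 2 and 3: printing uses the single-argument
    parenthesised form and the packed words are joined as ``bytes``.
    """

    # Initial key: the value moved into EAX before the loop starts.
    iv = 0xcdfeffda

    def __init__(self, iv=None):
        """Create a codec.

        Args:
            iv: optional initial key; when ``None`` the class default
                (the IV from the listing) is used.
        """
        if iv is not None:
            self.iv = iv

    @staticmethod
    def _next_key(word, key):
        """Return the next key: ``word + key`` truncated to 32 bits."""
        return (word + key) & 0xFFFFFFFF

    def decode(self, buffer):
        """Decode a sequence of encoded 32-bit words.

        Args:
            buffer: iterable of ints, each an encoded dword.

        Returns:
            list of decoded dwords, in order; empty input gives ``[]``.
        """
        result = []
        key = self.iv
        for encoded in buffer:
            decoded = encoded ^ key
            result.append(decoded)
            # The key feeds back on the *decoded* word, as in the listing.
            key = self._next_key(decoded, key)
        return result

    def encode(self, buffer):
        """Encode a sequence of plain 32-bit words; inverse of ``decode``.

        Args:
            buffer: iterable of ints, each a plain dword.

        Returns:
            list of encoded dwords, in order; empty input gives ``[]``.
        """
        result = []
        key = self.iv
        for decoded in buffer:
            result.append(decoded ^ key)
            # Same feedback as decode: the plain word updates the key.
            key = self._next_key(decoded, key)
        return result

    def print_int_array(self, buffer):
        """Hexdump *buffer* as little-endian 32-bit words after a separator.

        Args:
            buffer: iterable of ints; each must fit in an unsigned 32-bit
                word or ``struct.error`` is raised.
        """
        packed = b"".join(struct.pack("<I", item) for item in buffer)
        print("-------------------")
        hexdump.hexdump(packed)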
# Round-trip the captured dwords: dump them, decode, dump, re-encode, dump.
codec = Shikata_ga_nai()
decoded = codec.decode(buffer)
re_encoded = codec.encode(decoded)
for stage in (buffer, decoded, re_encoded):
    codec.print_int_array(stage)