OSDev.org https://forum.osdev.org/

Just for the H@CK of it https://forum.osdev.org/viewtopic.php?f=11&t=31196
Author: mikegonta [ Tue Jan 10, 2017 5:39 pm ]
Post subject: Just for the H@CK of it

Just for the H@CK of it, here is an x86 (but not x64) executable signature which is essentially a nop in that it only modifies the flags (but not the carry flag). An executable signature can be easily located and also run as code without ill effect.

Code:
    db "H@CK"

disassembles as:

Code:
    dec ax ; 'H'
    inc ax ; '@'
    inc bx ; 'C'
    dec bx ; 'K'

The interesting thing is that the same register pair of inc / dec in close proximity to each other (they don't necessarily have to follow each other, or be in any particular order) will not normally be found in working code. Because of this, really only the first two (or 4 in 32 bit) need to be located and the rest of the "word" makes a nice "Easter Egg" for H@CKers disassembling the code.

Author: bzt [ Tue Jan 10, 2017 6:01 pm ]
Post subject: Re: Just for the H@CK of it

Wow, nice finding!

Author: mikegonta [ Thu Jan 12, 2017 6:03 am ]
Post subject: Re: Just for the H@CK of it

bzt wrote: Wow, nice finding!

Code:
    inc esi ; 'F'
    inc ecx ; 'A'
    push ebx ; 'S'
    dec ebp ; 'M'
    dec esi
    dec ecx
    pop ebx
    inc ebp

Code:
    dec esi ; 'N'
    inc ecx ; 'A'
    push ebx ; 'S'
    dec ebp ; 'M'
    inc esi
    dec ecx
    pop ebx
    inc ebp

Code:
    inc edx ; 'B'
    inc ecx ; 'A'
    push ebx ; 'S'
    dec ebp ; 'M'
    dec edx
    dec ecx
    pop ebx
    inc ebp

Code:
    jns .1 ; 'y' ; 'A'
    push ebx ; 'S'
    dec ebp ; 'M'
    inc ebp
    pop ebx
    times 61 nop
    .1:

Code:
    dec ebp ; 'M'
    inc ecx ; 'A'
    push ebx ; 'S'
    dec ebp ; 'M'
    inc ebp
    dec ecx
    pop ebx
    inc ebp

Code:
    push esp ; 'T'
    inc ecx ; 'A'
    push ebx ; 'S'
    dec ebp ; 'M'
    inc ebp
    pop ebx
    dec ecx
    pop esp
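An added example, not code from the thread or from any of the posters: it decodes a printable signature as the one-byte inc/dec/push/pop opcodes (0x40-0x5F) that the H@CK signature in the first post and the FASM/NASM/BASM listings above rely on, checks whether the byte sequence leaves every general register unchanged (flags excepted), and generates the reversing suffix that those listings append by hand. The register table, the conservative neutrality rule and the rejection of bytes outside that range (the '!' and jump tricks used elsewhere in the thread) are my own choices.

```python
# Added example (not from the thread): decode ASCII signatures as x86 inc/dec/push/pop.
REGS16 = ("ax", "cx", "dx", "bx", "sp", "bp", "si", "di")
INVERSE = {"inc": "dec", "dec": "inc", "push": "pop", "pop": "push"}


def decode(sig, bits=16):
    """Map each byte of sig to (mnemonic, register): 0x40+r inc, 0x48+r dec,
    0x50+r push, 0x58+r pop, with r indexing ax..di (eax..edi when bits=32).
    Any other byte ('!' or 'y' in the thread, for instance) is rejected."""
    regs = REGS16 if bits == 16 else tuple("e" + r for r in REGS16)
    ops = []
    for ch in sig:
        b = ord(ch)
        if not 0x40 <= b <= 0x5F:
            raise ValueError(f"{ch!r} (0x{b:02X}) is not a one-byte inc/dec/push/pop")
        ops.append((("inc", "dec", "push", "pop")[(b - 0x40) >> 3], regs[b & 7]))
    return ops


def listing(sig, bits=16):
    """Assembler lines in the thread's style, e.g. "dec ax ; 'H'"."""
    return [f"{m} {r} ; '{ch}'" for ch, (m, r) in zip(sig, decode(sig, bits))]


def undo(ops):
    """Inverse instructions in reverse order; appended to ops they restore
    every register and the stack, whatever the signature did."""
    return [(INVERSE[m], r) for m, r in reversed(ops)]


def is_register_neutral(ops):
    """Conservative check that ops leave every general register unchanged
    (flags excepted): inc/dec must balance per register and each push must
    be matched by a pop into the same register at the same stack depth."""
    delta, pending = {}, []
    for m, r in ops:
        depth = delta.get("sp", 0) + delta.get("esp", 0)  # inc/dec applied to sp
        if m == "inc":
            delta[r] = delta.get(r, 0) + 1
        elif m == "dec":
            delta[r] = delta.get(r, 0) - 1
        elif m == "push":
            pending.append((r, depth))
        elif not pending or pending.pop() != (r, depth):
            return False  # pop without a matching push, or at a different depth
    return not pending and all(v == 0 for v in delta.values())


if __name__ == "__main__":
    print("\n".join(listing("H@CK")), is_register_neutral(decode("H@CK")))
    fasm = decode("FASM", bits=32)  # the 32-bit "FASM" signature above
    print(is_register_neutral(fasm), is_register_neutral(fasm + undo(fasm)))
```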

Author: dozniak [ Thu Jan 12, 2017 7:35 am ]
Post subject: Re: Just for the H@CK of it

Code:
    push bp ; 'U'
    push bx ; 'S'
    inc bp ; 'E'
    dec sp ; 'L'
    inc bp ; 'E'
    push bx ; 'S'
    push bx ; 'S'

Author: mikegonta [ Thu Jan 12, 2017 8:39 am ]
Post subject: Re: Just for the H@CK of it

dozniak wrote:
    Code:
        push bp ; 'U'
        push bx ; 'S'
        inc bp ; 'E'
        dec sp ; 'L'
        inc bp ; 'E'
        push bx ; 'S'
        push bx ; 'S'

Code:
    push ebp ; 'U'
    push ebx ; 'S'
    inc ebp ; 'E'
    dec ebp ; 'M'
    dec edi ; 'O'
    push edx ; 'R'
    inc ebp ; 'E'
    and eax, eax ; '!'
    pop edx
    inc edi
    pop ebx
    pop ebp

Author: BrightLight [ Thu Jan 12, 2017 8:47 am ]
Post subject: Re: Just for the H@CK of it

Code:
    use16
    dec sp ; 'L'
    inc cx ; 'A'
    dec bp ; 'M'
    inc bp ; 'E'
    inc sp
    dec cx

Author: mikegonta [ Thu Jan 12, 2017 9:25 am ]
Post subject: Re: Just for the H@CK of it

omarrx024 wrote:
    Code:
        use16
        dec sp ; 'L'
        inc cx ; 'A'
        dec bp ; 'M'
        inc bp ; 'E'
        inc sp
        dec cx

Code:
    use16
    dec sp ; 'L'
    inc cx ; 'A'
    push sp ; 'T'
    push cx ; 'Q'
    pop cx ; 'Y'
    dec di ; 'O'
    push bp ; 'U'
    and ax, ax ; '!'
    pop bp
    inc di
    pop sp
    dec cx
    inc sp

Author: glauxosdever [ Thu Jan 12, 2017 9:33 am ]
Post subject: Re: Just for the H@CK of it

Hi,

Maybe it would be better if a moderator moved it to "General Ramblings" or even "Auto Delete"?

Regards,
glauxosdever

Author: mikegonta [ Thu Jan 12, 2017 9:55 am ]
Post subject: Re: Just for the H@CK of it

glauxosdever wrote: Maybe it would be better ...

Code:
    use16
    inc di ; 'G'
    dec sp ; 'L'
    inc cx ; 'A'
    jne .1 ; 'u' ; 'X'
    dec di ; 'O'
    push bx ; 'S'
    pop bx
    inc di
    times 84 nop
    .1:
    dec cx
    inc sp
    dec di

Author: Antti [ Fri Jan 13, 2017 2:28 am ]
Post subject: Re: Just for the H@CK of it

Code:
    /* EDIT: Escape sequences are not handled properly. Not for production use.
     *
     * input.txt
     *   hello, world
     *
     * output.asm
     *   align 16
     *   hello_world:
     *       test al, 'h'
     *       test al, 'e'
     *       test al, 'l'
     *       test al, 'l'
     *       test al, 'o'
     *       test al, ','
     *       test al, ' '
     *       test al, 'w'
     *       test al, 'o'
     *       test al, 'r'
     *       test al, 'l'
     *       test al, 'd'
     *       test al, 0x00
     *       test al, 0x00
     *       test al, 0x00
     *       nop
     *       ret
     *
     * Example:
     *   txt2asm.exe hello_world < input.txt > output.asm
     */
    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        unsigned i;   /* number of "test al, ..." lines emitted so far */
        int c;

        if (argc != 2) {
            (void)fprintf(stderr, "Usage: %s <function>\n", argv[0]);
            return 1;
        }
        (void)fprintf(stdout, "align 16\n%s:\n", argv[1]);

        /* Each "test al, imm8" assembles to two bytes (A8 ib) and only touches
         * the flags, so the text becomes harmless code. Stop on EOF (which also
         * covers a read error) instead of spinning on a stream that never sets feof. */
        for (i = 0u; (c = getchar()) != EOF; ) {
            if (c >= 0x20 && c < 0x7F && c != '\'') {
                (void)fprintf(stdout, "\ttest al, '%c'\n", c);
                i++;
            } else if (c == 0x09 || c == 0x0A || c == '\'' || c >= 0x7F) {
                /* tab, newline, a bare quote (which would not assemble) and
                 * non-ASCII bytes are emitted as hex immediates */
                (void)fprintf(stdout, "\ttest al, 0x%02X\n", c);
                i++;
            }
            /* other control characters are dropped and not counted */
        }
        /* pad to 7 (mod 8) tests so that, with nop and ret, the block is a multiple of 16 bytes */
        while (i++ % 8u != 7u)
            (void)fprintf(stdout, "\ttest al, 0x00\n");
        (void)fprintf(stdout, "\tnop\n\tret\n");
        return 0;
    }

Author: mikegonta [ Fri Jan 13, 2017 3:49 am ]
Post subject: Re: Just for the H@CK of it

Antti wrote:
    Code:
        * hello, world

Code:
    dec ax ; 'H'
    inc bp ; 'E'
    dec sp ; 'L'
    dec sp ; 'L'
    dec di ; 'O'
    push di ; 'W'
    dec di ; 'O'
    push dx ; 'R'
    dec sp ; 'L'
    inc sp ; 'D'
    and ax, ax ; '!'
    pop dx
    pop di
    inc di
    inc sp
    inc sp
    dec bp
    inc ax

Author: dchapiesky [ Fri Jan 13, 2017 3:51 am ]
Post subject: Re: Just for the H@CK of it

So this is the obfuscated assembly thread....

Author: DixiumOS [ Fri Jan 13, 2017 4:36 am ]
Post subject: Re: Just for the H@CK of it

Never knew

Code:
    test.bin:     file format binary
    Disassembly of section .data:
    00000000 <.data>:
    [objdump listing of the bytes of the strings below, omitted]

was the same as

Code:
    db "Nkosi sikelel' iAfrika"
    db "Maluphakanyisw uphondo Iwayo"
    db "Yizwa imithandazo yethu,"
    db "Nkosi sikelela, thina lusapho Iwayo."
    db "Morena boloka setjhaba sa heso,"
    db "O fedise dintwa le matshwenyeho,"
    db "O se boloke, O se boloke setjhaba sa heso,"
    db "Setjhaba sa, South Afrika, South Afrika."
    db "Uit die blou van onse hemel,"
    db "Uit die diepte van ons see,"
    db "Oor ons ewige gebergtes,"
    db "Waar die kranse antwoord gee,"
    db "Sounds the call to come together,"
    db "And united we shall stand,"
    db "Let us live and strive for freedom"
    db "In South Africa our land!"

Sorry for using the South African anthem yet again.