keypress/unpacker/syscall.h
//
// syscall.h
// keypress
//
// Created by armored on 28/03/14.
// Copyright (c) 2014 -. All rights reserved.
//
#ifndef keypress_syscall_h
#define keypress_syscall_h
#include <signal.h>
#include "dynamic_enc.h"
void dmh_open_end_v1();
void dmh_mmap_end_v1();
void dmh_mmap_enc_v1();
__attribute__ ((visibility ("default"))) void sys_mmap();
void* _dmh_mmap_v1(void *addr, size_t len, int prot, int flags, int filedes, int offset)
{
void* dmh_mmap_end_ptr = dmh_mmap_end_v1;
dynamic_enc_t dyn_enc = (void*)DYNAMIC_ENC;
/////////////////////////////////
// decryptin code block
/////////////////////////////////
__asm __volatile__
(
"call dmh_mmap_enc_v1\n"
"dmh_mmap_enc_v1:\n"
"movl %0, %%eax\n"
"push %%eax\n"
"call %1\n"
"test %%eax, %%eax\n"
:
: "m" (dmh_mmap_end_ptr), "m" (dyn_enc)
: "ebx", "eax"
);
/////////////////////////////////
// Encrypted code block: begin
/////////////////////////////////
void* ret_val = 0;
__asm __volatile__
(
"push %6\n"
"push %5\n"
"push %4\n"
"push %3\n"
"push %2\n"
"push %1\n"
"push $0xC5\n"
"movl $0xC5, %%eax\n"
"call _sys_mmap_v1\n"
"jmp dmmap_exit_v1\n"
"_sys_mmap_v1:"
"pop %%edx\n"
"mov %%esp, %%ecx\n"
"sysenter\n"
"nopl (%%eax)\n"
"dmmap_exit_v1:"
"add $0x1C, %%esp\n"
"mov %%eax, %0\n"
: "=r" (ret_val)
: "m" (addr), "m" (len), "m" (prot), "m" (flags), "m" (filedes), "m" (offset)
: "eax", "ecx", "esp"
);
return ret_val;
/////////////////////////////////
// Encrypted code block: end
/////////////////////////////////
}
void dmh_mmap_end_v1()
{
}
int mh_open_v1(const char *path, int oflag)
{
void* dmh_open_end_ptr = dmh_open_end_v1;
void* dmh_open_enc_start;
void* dmh_open_enc_stop;
dynamic_enc_t dyn_enc = (void*)DYNAMIC_ENC;
/////////////////////////////////
// decryptin code block
/////////////////////////////////
__asm __volatile__
(
"call dmh_open_enc_v1\n"
"dmh_open_enc_v1:\n"
"movl %0, %%eax\n"
"push %%eax\n"
"call %1\n"
"test %%eax, %%eax\n"
"movl -0x4(%%esp), %%eax\n"
"movl %%eax, %2\n"
"movl -0x8(%%esp), %%eax\n"
"movl %%eax, %3\n"
:
: "m" (dmh_open_end_ptr), "m" (dyn_enc), "m" (dmh_open_enc_start), "m" (dmh_open_enc_stop)
: "ebx", "eax"
);
/////////////////////////////////
// Encrypted code block: begin
/////////////////////////////////
int ret_val = 0;
__asm __volatile__
(
"push %2\n"
"push %1\n"
"push $0x5\n"
"movl $0x5, %%eax\n"
"call sysc_open_v1\n"
"jmp open_exit_v1\n"
"sysc_open_v1:"
"pop %%edx\n"
"mov %%esp, %%ecx\n"
"sysenter\n"
"nopl (%%eax)\n"
"open_exit_v1:"
"addl $0xC, %%esp\n"
"movl %%eax, %0\n"
: "=r" (ret_val)
: "m" (path), "m" (oflag)
: "eax", "ecx", "edx", "esp"
);
/////////////////////////////////
// encryptin code block
/////////////////////////////////
__asm __volatile__
(
"push %1\n"
"push %2\n"
"call %0\n"
:
: "m" (dyn_enc), "m" (dmh_open_enc_start), "m" (dmh_open_enc_stop)
: "eax"
);
return ret_val;
}
void dmh_open_end_v1()
{
}
int mh_exit(int oflag)
{
int ret_val = 0;
__asm __volatile__
(
"push %1\n"
"push $0x01\n"
"movl $0x01, %%eax\n"
"movl %%esp, %%ecx\n"
"sysenter\n"
"addl $0x8, %%esp\n"
"movl %%eax, %0\n"
: "=r" (ret_val)
: "r" (oflag)
: "eax", "ecx"
);
return ret_val;
}
long long mh_lseek(int fildes, long long offxet, int whence)
{
long long _val = 0;
__asm __volatile__
(
"push %3\n"
"push %2\n"
"push %1\n"
"push $0xC7\n"
"movl $0xC7, %%eax\n"
"call sysc_lseek\n"
"jmp lseek_exit\n"
"sysc_lseek:"
"pop %%edx\n"
"mov %%esp, %%ecx\n"
"sysenter\n"
"nopl (%%eax)\n"
"lseek_exit:"
"addl $0x10, %%esp\n"
"movl %%eax, %0\n"
: "=r" (_val)
: "m" (fildes), "m" (offxet), "m" (whence)
: "eax", "ecx"
);
return _val;
}
int mh_open(const char *path, int oflag)
{
int ret_val = 0;
__asm __volatile__
(
"push %2\n"
"push %1\n"
"push $0x5\n"
"movl $0x5, %%eax\n"
"call sysc_open\n"
"jmp open_exit\n"
"sysc_open:"
"pop %%edx\n"
"mov %%esp, %%ecx\n"
"sysenter\n"
"nopl (%%eax)\n"
"open_exit:"
"addl $0xC, %%esp\n"
"movl %%eax, %0\n"
: "=r" (ret_val)
: "m" (path), "m" (oflag)
: "eax", "ecx", "edx", "esp"
);
return ret_val;
}
ssize_t __mh_read(int fildes, void *buf, size_t nbyte)
{
ssize_t ret_val = 0;
__asm __volatile__
(
"push %3\n"
"push %2\n"
"push %1\n"
"push $0x3\n"
"movl $0x3, %%eax\n"
"call sys_read\n"
"jmp read_exit\n"
"sys_read:"
"pop %%edx\n"
"mov %%esp, %%ecx\n"
"sysenter\n"
"nopl (%%eax)\n"
"read_exit:"
"addl $0x10, %%esp\n"
"movl %%eax, %0\n"
: "=r" (ret_val)
: "m" (fildes), "m" (buf), "m" (nbyte)
: "eax", "ecx", "esp"
);
return ret_val;
}
void* mh_mmap(void *addr, size_t len, int prot, int flagx, int filedes, int offxet)
{
void* ret_val = 0;
// original_bytecode;
// {pop edx;mov esp, ecx; sysenter;} = 0x0fe1895a;
__asm __volatile__
(
"push %6\n"
"push %5\n"
"push %4\n"
"push %3\n"
"push %2\n"
"push %1\n"
"push $0xC5\n"
"movl $0xC5, %%eax\n"
"call _sys_resolve_mmap\n"
"_sys_resolve_mmap:"
"popl %%ebx\n"
"addl $0x14, %%ebx\n"
"movl $0x0fe1895a, (%%ebx)\n" /* de obfuscate */
"call _sys_mmap_enc\n"
"jmp _sys_mmap_exit\n"
"_sys_mmap_enc:" /* bytecode obfuscation begin */
"pop %%edx\n"
"mov %%esp, %%ecx\n"
"sysenter\n"
"nopl (%%eax)\n" /* bytecode obfuscation end */
"nop\n"
"_sys_mmap_exit:"
"movl $0x8Bc4458B, (%%ebx)\n" /* re obfuscate */
"add $0x1C, %%esp\n"
"mov %%eax, %0\n"
: "=r" (ret_val)
: "m" (addr), "m" (len), "m" (prot), "m" (flagx), "m" (filedes), "m" (offxet)
: "eax", "ecx", "esp", "ebx"
);
return ret_val;
}
int mh_mprotect(void *addr, size_t len, int prot)
{
int ret_val = 0;
__asm __volatile__
(
"push %3\n"
"push %2\n"
"push %1\n"
"push $0x4a\n"
"mov $0x4a, %%eax\n"
"call sys_prot\n"
"jmp prot_exit\n"
"sys_prot:"
"pop %%edx\n"
"mov %%esp, %%ecx\n"
"sysenter\n"
"nopl (%%eax)\n"
"prot_exit:"
"add $0x10, %%esp\n"
"mov %%eax, %0\n"
: "=r" (ret_val)
: "m" (addr), "m" (len), "m" (prot)
: "eax", "ecx", "esp"
);
return ret_val;
}
int dmh_sysctl_v1(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen)
{
int ret_val = 0;
__asm __volatile__
(
// "int $0x3\n"
"push %6\n"
"push %5\n"
"push %4\n"
"push %3\n"
"push %2\n"
"push %1\n"
"push $0xca\n"
"movl $0xca, %%eax\n"
"call _sys_sysctl_v1\n"
"jmp sysctl_exit_v1\n"
"_sys_sysctl_v1:"
"pop %%edx\n"
"mov %%esp, %%ecx\n"
"sysenter\n"
"nopl (%%eax)\n"
"sysctl_exit_v1:"
"add $0x1C, %%esp\n"
"mov %%eax, %0\n"
: "=r" (ret_val)
: "m" (name), "m" (namelen), "m" (oldp), "m" (oldlenp), "m" (newp), "m" (newlen)
: "eax", "ecx", "esp", "ebx"
);
return ret_val;
}
int mh_sysctlbyname(char *name, void *oldp, size_t *oldlenp, void *newp, size_t newlen)
{
size_t namelen;
int result;
size_t ii_namelen;
int* ii_name;
int* i_name;
// Anti checkguard: make room for key table on stack
__asm __volatile__
(
"subl $0x38, %%esp\n"
"movl %%esp , %0\n"
: "=r" (ii_name)
:
: "eax"
);
__asm __volatile__
(
"subl $0x8, %%esp\n"
"movl %%esp , %0\n"
"subl $0x20, %%esp\n"
: "=r" (i_name)
:
: "eax"
);
i_name[1] = 3;
i_name[0] = 0;
ii_namelen = 56;
namelen = (size_t)__strlen(name);
result = dmh_sysctl_v1(i_name, 2u, ii_name, &ii_namelen, (void *)name, namelen);
if ( result >= 0 )
{
ii_namelen >>= 2;
result = dmh_sysctl_v1(ii_name, ii_namelen, oldp, oldlenp, NULL, 0);
}
__asm __volatile__
(
"addl $0x60, %%esp\n"
:
:
: "eax"
);
return result;
}
void ___memcpy(char* dst, char* src, int size)
{
char* _dst = (char*)dst;
char* _src = (char*)src;
for (int i=0; i<size; i++)
{
_dst[i]=_src[i];
}
}
static inline __attribute__((always_inline)) int randomize_addresses_v1()
{
char* osstr;
char* osrelease;
int ret_addr = 0;
size_t osstrsize = 0x100;
// Anti checkguard: make room for key table on stack
__asm __volatile__
(
"subl $0x100, %%esp\n"
"movl %%esp , %0\n"
: "=r" (osrelease)
:
: "eax"
);
__asm __volatile__
(
"subl $0x100, %%esp\n"
"movl %%esp , %0\n"
: "=r" (osstr)
:
: "eax"
);
for(int i=0; i<0x100; i++)
osstr[i]=0;
int o1 = 'nrek', o2 = 'rso.', o3 = 'aele', o4 = 'es';
___memcpy(osrelease, (char*)&o1, 4);
___memcpy(osrelease+4, (char*)&o2, 4);
___memcpy(osrelease+8, (char*)&o3, 4);
___memcpy(osrelease+12,(char*)&o4, 4);
int ret = mh_sysctlbyname(osrelease, osstr, &osstrsize, NULL, 0);
if (ret == 0 && osstrsize != 0)
{
if (osstr[0] == '1' && osstr[1] == '0')
ret_addr = 0;
else
ret_addr = 1;
}
__asm __volatile__
(
"addl $0x200, %%esp\n"
:
:
: "eax"
);
return ret_addr;
}
static inline __attribute__((always_inline))int randomize_addresses_v2()
{
char* osstr;
char* osrelease;
size_t osstrsize = 0x100;
// Anti checkguard: make room for key table on stack
__asm __volatile__
(
"subl $0x100, %%esp\n"
"movl %%esp , %0\n"
: "=r" (osrelease)
:
: "eax"
);
__asm __volatile__
(
"subl $0x100, %%esp\n"
"movl %%esp , %0\n"
: "=r" (osstr)
:
: "eax"
);
for(int i=0; i<0x100; i++)
osstr[i]=0;
int o1 = 'nrek', o2 = 'rso.', o3 = 'aele', o4 = 'es';
___memcpy(osrelease, (char*)&o1, 4);
___memcpy(osrelease+4, (char*)&o2, 4);
___memcpy(osrelease+8, (char*)&o3, 4);
___memcpy(osrelease+12,(char*)&o4, 4);
int ret = mh_sysctlbyname(osrelease, osstr, &osstrsize, NULL, 0);
if (ret == 0 && osstrsize != 0)
{
if (osstr[0] == '1' && osstr[1] == '0')
return 0;
else
return 1;
}
else
return 0;
}
static inline __attribute__((always_inline))int randomize_addresses_v3()
{
char* osstr;
char* osrelease;
size_t osstrsize = 0x100;
// Anti checkguard: make room for key table on stack
__asm __volatile__
(
"subl $0x100, %%esp\n"
"movl %%esp , %0\n"
: "=r" (osrelease)
:
: "eax"
);
__asm __volatile__
(
"subl $0x100, %%esp\n"
"movl %%esp , %0\n"
: "=r" (osstr)
:
: "eax"
);
for(int i=0; i<0x100; i++)
osstr[i]=0;
int o1 = 'nrek', o2 = 'rso.', o3 = 'aele', o4 = 'es';
___memcpy(osrelease, (char*)&o1, 4);
___memcpy(osrelease+4, (char*)&o2, 4);
___memcpy(osrelease+8, (char*)&o3, 4);
___memcpy(osrelease+12,(char*)&o4, 4);
int ret = mh_sysctlbyname(osrelease, osstr, &osstrsize, NULL, 0);
if (ret == 0 && osstrsize != 0)
{
if (osstr[0] == '1' && osstr[1] == '0')
return 0;
else
return 1;
}
else
return 0;
}
// Not used syscalls
#ifdef SYS_INCLUDED
__attribute__ ((visibility ("default"))) void sys_mmap_v2();
int mh_fork()
{
int ret_val = -1;
__asm __volatile__
(
"subl $0x1c, %%esp\n"
"movl $0x2, %%eax\n"
"int $0x80\n"
"jnb fork_ok\n"
"movl $0xffffffff, %0\n"
"jmp fork_exit\n"
"fork_ok:"
"or %%edx, %%edx\n"
"jz fork_exit\n"
"xor %%eax, %%eax\n"
"fork_exit:"
"movl %%eax, %%eax\n"
"addl $0x1c, %%esp\n"
: "=r" (ret_val)
:
: "eax", "esp", "edx"
);
return ret_val;
}
// how to call this
// void* _sigtramp = (void*)0xFF;
// _sigtramp = endpcall - patched_param->sigtramp_offset - ENDCALL_LEN;
// struct sigaction act;
// act.sa_sigaction = (void*)&hdl;
// act.sa_mask = 0;
// act.sa_flags = SA_SIGINFO;
//
// mh_sigaction(15, &act, NULL, _sigtramp);
void* _dmh_mmap_v2(void *addr, size_t len, int prot, int flagx, int filedes, int offxet)
{
void* ret_val = 0;
// original_bytecode;
// {pop edx;mov esp, ecx; sysenter;} = 0x0fe1895a;
__asm __volatile__
(
// "int $0x3\n"
"push %6\n"
"push %5\n"
"push %4\n"
"push %3\n"
"push %2\n"
"push %1\n"
"push $0xC5\n"
"movl $0xC5, %%eax\n"
"call _sys_mmap_v2\n"
"jmp mmap_exit_v2\n"
"_sys_mmap_v2:"
/* trap sigbus*/
"movl 0xffffffed, %%esi\n"
"movl $0xFF, (%%esi)\n"
"nop\n"
"nop\n"
/* bytecode obfuscation: begin */
"pop %%edx\n"
"mov %%esp, %%ecx\n"
"sysenter\n"
/* bytecode obfuscation: end */
"nopl (%%eax)\n"
"mmap_exit_v2:"
"add $0x1C, %%esp\n"
"mov %%eax, %0\n"
: "=r" (ret_val)
: "m" (addr), "m" (len), "m" (prot), "m" (flagx), "m" (filedes), "m" (offxet)
: "eax", "ecx", "esp", "ebx"
);
return ret_val;
}
void sigtramp(void *a1, int a2, int a3, int a4, int a5)
{
int p1, p2, p3, p4, p5, p6;
p1 = p2 = p3 = p4 = p5 = p6 = 0;
void *a5p = 0;
a5p = (void*)a5;
((void (*)(int, int, int))a1)(a3, a4, a5);
__asm __volatile__
(
"movl %0, %%esi\n"
"movl %%esi, (%%esp)\n"
"movl %1, %%esi\n"
"movl %%esi, 0x4(%%esp)\n"
"movl $0x1e, 0x8(%%esp)\n"
"movl $0xb8, %%eax\n"
"int $0x80\n" /*AUE_SIGRETURN*/
:
: "m" (a3), "m" (a5p)
: "eax", "esi", "esp"
);
}
void hdl (int sig, siginfo_t *siginfo, ucontext_t *context)
{
char* patch_addr = (char*)context->uc_mcontext->__ss.__eip;
int dec_indicator = (int) context->uc_mcontext->__ss.__esi;
int patched_bytcode = 0;
switch (dec_indicator)
{
case 0xffffffed:
patched_bytcode = 0x0fe1895a;
break;
}
__asm __volatile__
(
//"int $0x3\n"
"movl %0, %%esi\n"
"movl $0x90909090, (%%esi)\n"
"movl $0x90909090, 0x4(%%esi)\n"
"movl %1, %%eax\n"
"movl %%eax, 0x8(%%esi)\n"
:
: "m" (patch_addr), "m" (patched_bytcode)
: "esi"
);
}
int mh_sigaction(int sig, struct sigaction * act, struct sigaction *oact, void* tramp)
{
int ret_val;
struct __sigaction _sa_s;
struct __sigaction *_sa_ptr = &_sa_s;
_sa_s.__sigaction_u.__sa_sigaction = act->sa_sigaction;
_sa_s.sa_tramp = (void*)tramp;
_sa_s.sa_mask = act->sa_mask;
_sa_s.sa_flags = act->sa_flags;
__asm __volatile__
(
// "int $0x3\n"
"push %3\n"
"push %2\n"
"push %1\n"
"push $0xc002e\n"
"movl $0xc002e, %%eax\n"
"call sys_sigact\n"
"jmp sigact_exit\n"
"sys_sigact:\n"
"popl %%edx\n"
"mov %%esp, %%ecx\n"
"sysenter\n"
"nopl (%%eax)\n"
"sigact_exit:\n"
"add $0x10, %%esp\n"
"mov %%eax, %0\n"
: "=r" (ret_val)
: "m" (sig), "m" (_sa_ptr), "m" (oact)
: "eax", "ecx", "esp", "edx"
);
return ret_val;
}
int mh_bsdthread_create(void *addr, void* arg, int stack_size, int arg1, int arg2)
{
int ret_val = 0;
__asm __volatile__
(
"push %5\n"
"push %4\n"
"push %3\n"
"push %2\n"
"push %1\n"
"push $0x140168\n"
"movl $0x140168, %%eax\n"
"call sys_thd\n"
"jmp thd_exit\n"
"sys_thd:"
"pop %%edx\n"
"mov %%esp, %%ecx\n"
"sysenter\n"
"nopl (%%eax)\n"
"thd_exit:"
"add $0x18, %%esp\n"
"mov %%eax, %0\n"
: "=r" (ret_val)
: "m" (addr), "m" (arg), "m" (stack_size), "m" (arg1), "m" (arg2)
: "eax", "ecx", "esp"
);
return ret_val;
}
#endif
#endif