search

backengineering / bintests

A large collection of 32bit and 64bit PE files useful for verifying the correctness of bin2bin transformations
38 stars 2 forks source link

Nasty x86 binary #6

Closed rbran closed 4 months ago

rbran commented 5 months ago

Are you interested in some nasty byte-codes, like this?

; nasm -g -f win32 strange_offset.s && x86_64-w64-mingw32-cc -g -no-pie -m32 -o strange_offset.exe strange_offset.obj
; nasm -g -f elf strange_offset.s && gcc -g -no-pie -m32 -o strange_offset strange_offset.o
section .text
    global main

    extern printf
    extern exit

main:
    mov EAX, 0x02eb11b0
    cmp EAX, 0x02eb11b0
    fake_jmp dw 0xfa74

    push EAX
    push reveal_key
    call printf

finish:
    ; exit the program
    push 0
    call exit

section .data
    reveal_key db 'The key is "%x"', 0

This will print The key is "2eb1111"

CR3Swapper commented 4 months ago

Are you interested in some nasty byte-codes, like this?

; nasm -g -f win32 strange_offset.s && x86_64-w64-mingw32-cc -g -no-pie -m32 -o strange_offset.exe strange_offset.obj
; nasm -g -f elf strange_offset.s && gcc -g -no-pie -m32 -o strange_offset strange_offset.o
section .text
    global main

    extern printf
    extern exit

main:
    mov EAX, 0x02eb11b0
    cmp EAX, 0x02eb11b0
    fake_jmp dw 0xfa74

    push EAX
    push reveal_key
    call printf

finish:
    ; exit the program
    push 0
    call exit

section .data
    reveal_key db 'The key is "%x"', 0

This will print The key is "2eb1111"

👉 👈 could you build this for me and provide the pdb/map file? i dont have the mingw build system setup on my system. Would be very grateful :)

I assume this is overlapping instructions?

rbran commented 4 months ago

👉 👈 could you build this for me and provide the pdb/map file? i dont have the mingw build system setup on my system. Would be very grateful :)

I tried with "x86_64-w64-mingw32", but I could not link it to libc correctly, I don't have real windows development environment ready. Sorry

I assume this is overlapping instructions?

Yes, this is a variation of the polyglot technique. I know 3 variations of this:

Address offset

This example

CPU state variation

Executing the same Address in different cpu modes, eg: Thumb/ARM, 32/64bits, BE/LE.

Pipeline manipulation

Eg: manipulating how the IT instruction in ARM Thumb2 mode modify subsequent instructions, so it's possible to jump inside the block skipping the IT instruction and avoid the conditional being added to the instructions.

rbran commented 4 months ago

👉 👈 could you build this for me and provide the pdb/map file? i dont have the mingw build system setup on my system. Would be very grateful :)

I got some time to solve my problem with mingw, here the code and compilation:

.section .data
reveal_key:
    .asciz "The key is \"%x\"\n"

.section .text
.globl entry

.extern printf
.extern exit

entry:
    mov $0x02eb11b0, %EAX
    cmp $0x02eb11b0, %EAX
fake_jmp: .short 0xfa74

    push $0
    mov %RAX, %RDX
    mov $reveal_key, %ECX
    call printf
    mov $0, %ECX
    call exit

Compiled with x86_64-w64-mingw32-gcc -no-pie -o strange_offset.exe strange_offset.s -nostdlib -lmsvcrt -Wl,--image-base -Wl,0x10000000 -Wl,--entry=entry -g

Here a "oneliner" to create this binary file:

echo "H4sICDas32UAA3N0cmFuZ2Vfb2Zmc2V0LmV4ZQDtWV9sFEUY/3a3xdLCcUVSSIhhqVQboscB/YeGpEAbISm0aY+EmpBh727ubrndvcvutrQ+EY0mJj4QE1+NJvhmIjE+gC8YnsUHX0xMjD4ZEn3wyQdMrPNv/84WEIQauC+5nZnf/Ga+75v5dmZu9vSbV0ADgC7yW1sDuA5cJuH+cpn8cnu+zsFXm2/vva7M3N5bapie3nZbddew9YrhOC1fL2PdXXJ009GnZhd0u1XFha1be/eJPuamAarv9cLY5z9j2AXQJtgf8BL0qerLoJLCJkHMi1/8qXK7qXQzMpFr3JnpD4D6pQDoEGsVZcJyIgtQ5H6tK2RgtjzA2EjNSL+77lFf8PGKT9ILgUHUna4kRyfVharhGyC80gVvU5JHTPymYHLiZQoUBa8ng+diq1URPk0KXq/EO35ghOdpVzAneFsyeAePsPwwCGcoL5fBO3yQ5XfQR1vw8hm8kVEIVDJnKG97Bm90nOUH6eOK4O3I4I1NsPwAfXwieAMyD54RuX6t/zf1KH34dy/Cyfdv3SBRlb/zAqm6Qevv9JHHlUjWhnp1CoSpkKC/dLkj/28pNbDexKs6WbcHh1YGe+/foiNPkwwXo7xf5PtUlpwT+IXig+GfaXjFJBvatq62azp+jYFF/rO95YrrF6qW9ej2d+QRJc+38e3rzHtHnm55BUCcnMXhMM9PYUMbZVBHnqjQ/2HdoLDJVxgSD4B+4Idj5fKGGNeRxy5KP+R39ivbt2m53bmh3PPdG21QR56ozAB9/3tgP0kVRfkrt5UmdCVQGLCHLQqqskfdprLY4AGyWQ3WCa1PWbx04Oji4iKpV5SN8aIjDyue7xpOHaNWreZhv+DBAd9uwxtnzurHFvRDhcNHNtrAjjxWYdMtBUFHnhUp1EwLA783/XsNoK7UjCaWeSWR0v8KGlAOumi36XURXfL5BTQSHFrSlGGQLqaJNEX6HOPskOqprIq0h3HozW/yIjy4KwehXVOGmFUJjrgnD21W+jN1vSvSXsYZyOR8JNJuxgku05NyVaSbGWdQqg9sLgY2Q/wmn49qoewlXj2CsFv8feOW8C9ERifTyMhwGhk7FyFC+8RDaW9L2k9K2ouS9gsRImKsAOvHWMMxbApFXtT8xpLT5B8lkl5MBl5knDYkv7I43MJDEPTM4lDL4sijGh954ddr9/DrP7Z5ZCK0uWc9zujc/TnjfsjpkzjY8d3gHVQgiPYv6CPPSxz5TnAi5CfgX2p4q+DmbyLRz++ilRYiPTF/ObJT/BWl3xE48qKStmdcHFIjzqzCLYyQBmulx5C3Ff4eR8jHkvZrEnJLQr6XkF+U9Phoatqe3Wq61asJBKGqZSG+jkatjgpOhMyr6fExJF2XSBKsABx5R01b+ClJ/ATnphrFIUe+VaPo5ciPkhe/SsifEtKjpfvZqaX92i8MifmuRSsAR05q0ddqjpxPcBDCThUFe1HAaWrxyKSyyrTnY/18GFsCOHJV471GnC8lzk3Jix8k5I5AuHZ+Mx7tBZxzV+O5qNVAV7qfAkGCtZcjr3dBak7PxzZLFewuur7g8lIdGeyQ5wVF06m1wqpy2cXLQckyHRzkydEwDrMyoWLDQk28+u/6CjvINojWIITmz54pnTo9jeYWps9OzaL56ZnZE2jm1EKJzCl5P8jqRZiG67MimirNzoe1DWxUiZby2Ah98s8MqIpryKBU3/JiLU/ZRh0fNzxM8gRqe+xDuGCIF7HSICZWfOyanm+SOtrOM9+iB2XKqzRRpWXbpp9R4WIPu8uY1djGxZaLvKWyt+r52EbL2PXMlsMdoCauWHGXGGJmIDyuESIbdbx2/QGbPjOVMI2MTztuMu+4Lalqh6ps0yGmt7yEzSYdOlQmY8d7xxWfVhmWWXdssnnw8T1WCnu595RmThgJKXogEBMedHQiPttsHIIabnhFKsdcSzZOzDkZHwLR7TzlhWmTsaCvazCLqaGgXkYqEsGYHPV4PHDb/FjDKDZQEKnhDDC1fMjjmq2WUcUuqllG3ZMcIo3DycuOO14nd0sdFvv2g0RW4Apfcv8BYcoD5U0kAAA=" | base64 -d | gzip -d -c > strange_offset.exe
CR3Swapper commented 4 months ago

Thank you! just pushed it. FYI we dont include overlapping instructions in our well behaved function descriptions. I.E we wont rewrite this function if we detect overlapping, but this is a good test for us to have anyways! Ill add it to our internal unit tests :)