-
Notifications
You must be signed in to change notification settings - Fork 3
/
hex0_x86.hex0
153 lines (122 loc) · 7.46 KB
/
hex0_x86.hex0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
# SPDX-FileCopyrightText: 2019 Jeremiah Orians
# SPDX-FileCopyrightText: 2022 Andrius Štikonas
# SPDX-FileCopyrightText: 2024 Noah Goldstein
#
# SPDX-License-Identifier: GPL-3.0-or-later
## ELF Header
#:ELF_base
7F 45 4C 46 # e_ident[EI_MAG0-3] ELF's magic number
01 # e_ident[EI_CLASS] Indicating 32 bit
01 # e_ident[EI_DATA] Indicating little endianness
01 # e_ident[EI_VERSION] Indicating original elf
03 # e_ident[EI_OSABI] Set at 3 because FreeBSD is strict
00 # e_ident[EI_ABIVERSION] Set at 0 because no one cares
00 00 00 00 00 00 00 # e_ident[EI_PAD]
02 00 # e_type Indicating Executable
03 00 # e_machine Indicating x86
01 00 00 00 # e_version Indicating original elf
54 80 04 08 # e_entry Address of the entry point
34 00 00 00 # e_phoff Address of program header table
00 00 00 00 # e_shoff Address of section header table
00 00 00 00 # e_flags
34 00 # e_ehsize Indicating our 52 Byte header
20 00 # e_phentsize size of a program header table
01 00 # e_phnum number of entries in program table
00 00 # e_shentsize size of a section header table
00 00 # e_shnum number of entries in section table
00 00 # e_shstrndx index of the section names
## Program Header
#:ELF_program_headers
#:ELF_program_header__text
01 00 00 00 # ph_type: PT-LOAD = 1
00 00 00 00 # ph_offset
00 80 04 08 # ph_vaddr
00 80 04 08 # ph_physaddr
BE 00 00 00 # ph_filesz
BE 00 00 00 # ph_memsz
07 00 00 00 # ph_flags: PF-X|PF-W|PF-R = 7
01 00 00 00 # ph_align
#:ELF_text
# Where the ELF Header is going to hit
# Simply jump to _start
# Our main function
# :_start ; (0x8048054)
58 ; pop_eax # Get the number of arguments
5B ; pop_ebx # Get the program name
5B ; pop_ebx # Get the actual input name
31C9 ; xor_ecx,ecx # prepare read_only, ecx = 0
6A 05 ; push !5 # prepare to set eax to 5
58 ; pop_eax # the syscall number for open()
99 ; cdq # Extra sure, edx = 0
CD 80 ; int !0x80 # Now open that damn file
5B ; pop_ebx # Get the output name
50 ; push_eax # Preserve the file pointer we were given
66B9 4102 ; mov_cx, @577 # Prepare file as O_WRONLY|O_CREAT|O_TRUNC
66BA C001 ; mov_dx, @448 # Prepare file as RWX for owner only (700 in octal)
6A 05 ; push !0x5 # Prepare to set eax to 5
58 ; pop_eax # the syscall number for open()
CD 80 ; int !0x80 # Now open that damn file
99 ; cdq # edx = 0 since file descriptor is nonnegative
42 ; inc_edx # edx = 1 (count for read/write)
97 ; xchg_eax,edi # Preserve outfile
#:loop_reset_all ; (0x8048071)
31ED ; xor_ebp,ebp # ebp = 0 (no prior hex val)
# Comment tracking is done with esi.
# esi is decremented if we hit a
# comment (';' or '#') and reset
# if we hit a new-line.
#:loop_reset_comment ; (0x8048073)
89D6 ; mov_esi,edx # Set no current comment
#:loop_add_comment ; (0x8048075)
4E ; dec_esi
#:loop ; (0x8048076)
# Read a byte
5B ; pop_ebx # Get infile
89E1 ; mov_ecx,esp # Set buffer
# edx is already set to 1.
6A03 ; push !3
58 ; pop_eax # Set read syscall in eax
CD80 ; int !0x80 # Do the actual read
53 ; push_ebx # Re-save infile
85C0 ; test_eax,eax # Check what we got
75 05 ; jne !cont # No EOF
# Exit successfully
40 ; inc_eax # Set exit syscall in eax
31DB ; xor_ebx,ebx # Set return success (ebx = 0)
CD80 ; int !0x80 # Exit
#:cont ; (0x8048088)
8A01 ; mov_al,[ecx] # Move prog byte in eax
# New line check
3C0A ; cmp_al, !10 # Check new-line
74 E5 ; je !loop_reset_comment # If new-line, end comment handling
# In comment check
85F6 ; test_esi,esi # Skip byte if we are in a comment
75 E4 ; jne !loop
# Start comment check
3C23 ; cmp_al, !35 # Start of '#' comment
74 DF ; je !loop_add_comment
3C3B ; cmp_al, !59 # Start of ';' comment
74 DB ; je !loop_add_comment
# Start of hex str to int
2C30 ; sub_al, !48 # Subtract ascii '0' from al
2C0A ; sub_al, !10 # Check for value in '0'-'9'
7208 ; jb !write # We have hex value, write it
2C07 ; sub_al, !7 # Subtract ('A'-'0') from al
24DF ; and_al, !0xDF # Remove lower case bit
3C07 ; cmp_al, !7 # Check for value 'A'-'F'
73 CE ; jae !loop # We don't have hex value ignore it
#:write ; (0x80480a8)
C1E504 ; shl_ebp, !4 # Shift up existing hex digit
040A ; add_al, !10 # Finish converting ascii to raw value
01C5 ; add_ebp,eax # Combine the hex digits
# Check if this is first digit in hex val
F7DF ; neg_edi # Flip sign of edi to indicate we got a digit
7C C3 ; jl !loop # Negative -> first digit, get another one
# We have both digits in low byte of ebp, good to write
8929 ; mov_[ecx],ebp # Move edge to buffer
89FB ; mov_ebx,edi # Move outfile to ebx
6A04 ; push !4
58 ; pop_eax # Set write syscall in eax
CD80 ; int !0x80 # Do the write
EB B3 ; jmp !loop_reset_all # Start a fresh byte
#:ELF_end ; (0x80480be)