-
Notifications
You must be signed in to change notification settings - Fork 3
/
hex1_x86.hex0
317 lines (255 loc) · 12.5 KB
/
hex1_x86.hex0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
# SPDX-FileCopyrightText: © 2017 Jeremiah Orians
#
# SPDX-License-Identifier: GPL-3.0-or-later
## ELF Header
#:ELF_base
7F 45 4C 46 # e_ident[EI_MAG0-3] ELF's magic number
01 # e_ident[EI_CLASS] Indicating 32 bit
01 # e_ident[EI_DATA] Indicating little endianness
01 # e_ident[EI_VERSION] Indicating original elf
03 # e_ident[EI_OSABI] Set at 3 because FreeBSD is strict
00 # e_ident[EI_ABIVERSION] Set at 0 because none cares
00 00 00 00 00 00 00 # e_ident[EI_PAD]
02 00 # e_type Indicating Executable
03 00 # e_machine Indicating x86
01 00 00 00 # e_version Indicating original elf
54 80 04 08 # e_entry Address of the entry point
34 00 00 00 # e_phoff Address of program header table
00 00 00 00 # e_shoff Address of section header table
00 00 00 00 # e_flags
34 00 # e_ehsize Indicating our 52 Byte header
20 00 # e_phentsize size of a program header table
01 00 # e_phnum number of entries in program table
00 00 # e_shentsize size of a section header table
00 00 # e_shnum number of entries in section table
00 00 # e_shstrndx index of the section names
## Program Header
#:ELF_program_headers
#:ELF_program_header__text
01 00 00 00 # ph_type: PT-LOAD = 1
00 00 00 00 # ph_offset
00 80 04 08 # ph_vaddr
00 80 04 08 # ph_physaddr
B1 02 00 00 # ph_filesz
B1 02 00 00 # ph_memsz
07 00 00 00 # ph_flags: PF-X|PF-W|PF-R = 7
01 00 00 00 # ph_align
#:ELF_text
#:_start ; (0x8048054)
58 ; pop_eax # Get the number of arguments
5B ; pop_ebx # Get the program name
5B ; pop_ebx # Get the actual input name
B9 00000000 ; mov_ecx, %0 # prepare read_only
BA 00000000 ; mov_edx, %0 # extra sure
B8 05000000 ; mov_eax, %5 # the syscall number for open()
CD 80 ; int !0x80 # Now open that damn file
A3 A9820408 ; mov_[DWORD],eax &fin # Preserve the file pointer we were given
5B ; pop_ebx # Get the actual output name
B9 41020000 ; mov_ecx, %577 # Prepare file as O_WRONLY|O_CREAT|O_TRUNC
BA C0010000 ; mov_edx, %448 # Prepare file as RWX for owner only (700 in octal)
B8 05000000 ; mov_eax, %5 # the syscall number for open()
CD 80 ; int !0x80 # Now open that damn file
A3 AD820408 ; mov_[DWORD],eax &fout # Preserve the file pointer we were given
BD FFFFFFFF ; mov_ebp, %-1 # Our flag for byte processing
BE 00000000 ; mov_esi, %0 # temp storage for the sum
BF 00000000 ; mov_edi, %0 # Our starting IP
E8 30000000 ; call %First_pass # Process it
# rewind input file
8B1D A9820408 ; mov_ebx,[DWORD] &fin # Using our input file
B9 00000000 ; mov_ecx, %0 # Offset Zero
BA 00000000 ; mov_edx, %0 # Whence Zero
B8 13000000 ; mov_eax, %19 # lseek
CD 80 ; int !0x80
BD FFFFFFFF ; mov_ebp, %-1 # Our flag for byte processing
BE 00000000 ; mov_esi, %0 # temp storage for the sum
BF 00000000 ; mov_edi, %0 # Our starting IP
E8 B8000000 ; call %Second_pass # Process it
E9 62010000 ; jmp %Done
#:First_pass ; (0x80480C8)
E8 69010000 ; call %Read_byte
# Deal with EOF
83F8 FC ; cmp_eax, !-4
0F84 4E000000 ; je %First_pass_done
# Check for :
83F8 3A ; cmp_eax, !58
0F85 05000000 ; jne %First_pass_0
# Deal with label
E8 A1010000 ; call %StoreLabel
#:First_pass_0 ; (0x80480E4)
# Check for %
83F8 25 ; cmp_eax, !37
0F84 2A000000 ; je %First_pass_pointer
# Deal with everything else
E8 33000000 ; call %hex # Process our char
# Deal with EOF
83F8 FC ; cmp_eax, !-4
0F84 29000000 ; je %First_pass_done
# deal with -1 values
83F8 00 ; cmp_eax, !0
0F8C C4FFFFFF ; jl %First_pass
# deal with toggle
83FD 00 ; cmp_ebp, !0
0F84 03000000 ; je %First_pass_1
83C7 01 ; add_edi, !1 # Increment IP
#:First_pass_1 ; (0x8048110)
F7D5 ; not_ebp
E9 B1FFFFFF ; jmp %First_pass
#:First_pass_pointer ; (0x8048117)
# Deal with Pointer to label
E8 1A010000 ; call %Read_byte # Drop the char
83C7 04 ; add_edi, !4 # Increment IP
E9 A4FFFFFF ; jmp %First_pass # Loop again
#:First_pass_done ; (0x8048124)
C3 ; ret
#:hex ; (0x8048125)
# deal with EOF
83F8 FC ; cmp_eax, !-4
0F84 AE000000 ; je %EOF
# deal with line comments starting with #
83F8 23 ; cmp_eax, !35
0F84 B8000000 ; je %ascii_comment
# deal with line comments starting with ;
83F8 3B ; cmp_eax, !59
0F84 AF000000 ; je %ascii_comment
# deal all ascii less than 0
83F8 30 ; cmp_eax, !48
0F8C A0000000 ; jl %ascii_other
# deal with 0-9
83F8 3A ; cmp_eax, !58
0F8C 8B000000 ; jl %ascii_num
# deal with all ascii less than A
83F8 41 ; cmp_eax, !65
0F8C 8E000000 ; jl %ascii_other
# deal with A-F
83F8 47 ; cmp_eax, !71
0F8C 81000000 ; jl %ascii_high
# deal with all ascii less than a
83F8 61 ; cmp_eax, !97
0F8C 7C000000 ; jl %ascii_other
# deal with a-f
83F8 67 ; cmp_eax, !103
0F8C 6B000000 ; jl %ascii_low
# The rest that remains needs to be ignored
E9 6E000000 ; jmp %ascii_other
#:Second_pass ; (0x804817B)
E8 B6000000 ; call %Read_byte
# Deal with EOF
83F8 FC ; cmp_eax, !-4
0F84 52000000 ; je %Second_pass_done
# Simply drop the label
83F8 3A ; cmp_eax, !58
0F85 0A000000 ; jne %Second_pass_0
E8 9F000000 ; call %Read_byte
E9 DFFFFFFF ; jmp %Second_pass
#:Second_pass_0 ; (0x804819C)
# Deal with pointer
83F8 25 ; cmp_eax, !37
0F85 0A000000 ; jne %Second_pass_1
E8 E3000000 ; call %StorePointer
E9 CCFFFFFF ; jmp %Second_pass
#:Second_pass_1 ; (0x80481AF)
# Deal with everything else
E8 71FFFFFF ; call %hex # Process our char
# Deal with EOF
83F8 FC ; cmp_eax, !-4
0F84 1E000000 ; je %Second_pass_done
# deal with -1 values
83F8 00 ; cmp_eax, !0
0F8C B5FFFFFF ; jl %Second_pass
# deal with toggle
83FD 00 ; cmp_ebp, !0
0F84 3D000000 ; je %print
# process first byte of pair
89C6 ; mov_esi,eax
BD 00000000 ; mov_ebp, %0
E9 A0FFFFFF ; jmp %Second_pass
#:Second_pass_done ; (0x80481DB)
C3 ; ret
#:EOF ; (0x80481DC)
C3 ; ret
#:ascii_num ; (0x80481DD)
83E8 30 ; sub_eax, !48
C3 ; ret
#:ascii_low ; (0x80481E1)
83E8 57 ; sub_eax, !87
C3 ; ret
#:ascii_high ; (0x80481E5)
83E8 37 ; sub_eax, !55
C3 ; ret
#:ascii_other ; (0x80481E9)
B8 FFFFFFFF ; mov_eax, %-1
C3 ; ret
#:ascii_comment ; (0x80481EF)
E8 42000000 ; call %Read_byte
83F8 0D ; cmp_eax, !13
0F84 09000000 ; je %ascii_comment_cr
83F8 0A ; cmp_eax, !10
0F85 E9FFFFFF ; jne %ascii_comment
#:ascii_comment_cr ; (0x8048206)
B8 FFFFFFFF ; mov_eax, %-1
C3 ; ret
# process second byte of pair
#:print ; (0x804820C)
# update the sum and store in output
C1E6 04 ; shl_esi, !4
01F0 ; add_eax,esi
A2 B1820408 ; mov_[DWORD],al &table
# flip the toggle
F7D5 ; not_ebp
# Print our first Hex
BA 01000000 ; mov_edx, %1 # set the size of chars we want
E8 42000000 ; call %print_chars
83C7 01 ; add_edi, !1 # Increment IP
E9 51FFFFFF ; jmp %Second_pass
#:Done ; (0x804822A)
# program completed Successfully
BB 00000000 ; mov_ebx, %0 # All is well
B8 01000000 ; mov_eax, %1 # put the exit syscall number in eax
CD 80 ; int !0x80 # Call it a good day
#:Read_byte ; (0x8048236)
# Attempt to read 1 byte from STDIN
BA 01000000 ; mov_edx, %1 # set the size of chars we want
B9 B1820408 ; mov_ecx, &table # Where to put it
8B1D A9820408 ; mov_ebx,[DWORD] &fin # Where are we reading from
B8 03000000 ; mov_eax, %3 # the syscall number for read
CD 80 ; int !0x80 # call the Kernel
85C0 ; test_eax,eax # check what we got
0F84 09000000 ; je %Read_byte_1 # Got EOF call it done
# load byte
A0 B1820408 ; mov_al,[DWORD] &table # load char
0FB6C0 ; movzx_eax,al # We have to zero extend it to use it
C3 ; ret
# Deal with EOF
#:Read_byte_1 ; (0x804825E)
B8 FCFFFFFF ; mov_eax, %-4 # Put EOF in eax
C3 ; ret
#:print_chars ; (0x8048264)
B9 B1820408 ; mov_ecx, &table # What we are writing
8B1D AD820408 ; mov_ebx,[DWORD] &fout # Write to target file
B8 04000000 ; mov_eax, %4 # the syscall number for write
CD80 ; int !0x80 # call the Kernel
C3 ; ret
#:Get_table_target ; (0x8048277)
E8 BAFFFFFF ; call %Read_byte # Get single char label
C1E0 02 ; shl_eax, !2 # Each label in table takes 4 bytes to store
05 B1820408 ; add_eax, &table # Calculate offset
C3 ; ret
#:StoreLabel ; (0x8048285)
E8 EDFFFFFF ; call %Get_table_target
8938 ; mov_[eax],edi # Write out pointer to table
C3 ; ret
#:StorePointer ; (0x804828D)
83C7 04 ; add_edi, !4 # Increment IP
E8 E2FFFFFF ; call %Get_table_target # Get address of pointer
8B00 ; mov_eax,[eax] # Get pointer
29F8 ; sub_eax,edi # target - ip
A3 B1820408 ; mov_[DWORD],eax &table # put value in output
BA 04000000 ; mov_edx, %4 # set the size of chars we want
E8 BCFFFFFF ; call %print_chars
C3 ; ret
#:fin ; (0x80482A9)
00000000 ; %0
#:fout ; (0x80482AD)
00000000 ; %0
#:table ; (0x80482B1)
#:ELF_end