@NSG650
Last active April 27, 2024 05:45
This x86_64 assembly program for Windows displays a message using the FatalAppExitA function.
;-----------------------------------------------------------------------
; _Start — Windows x86-64 entry point (NASM / Intel syntax, Microsoft x64 ABI)
;
; Locates kernel32!FatalAppExitA without an import table: walks
; PEB->Ldr->InMemoryOrderModuleList to the third module (assumed to be
; kernel32), scans its export name table for the 8-byte prefix "FatalApp",
; takes the function RVA at the same index, then calls
; FatalAppExitA(0, "Hi!").
;
; Register roles:  rbx = kernel32 base      r8  = export directory
;                  rsi = current table       rcx = name index
;                  r9  = "FatalApp" pattern  rdi = resolved function
;
; Every field offset below (PEB, LDR_DATA_TABLE_ENTRY, PE32+ headers,
; IMAGE_EXPORT_DIRECTORY) is hard-coded; the PEB/LDR ones are not an
; API contract and should be treated as OS-version dependent.
;-----------------------------------------------------------------------
section .text
; NOTE(review): _Start is defined in this file, so `global _Start` is the
; conventional directive; how the assembler treats EXTERN + definition in the
; same module is version dependent — confirm against the NASM in use.
extern _Start
_Start:
mov rax, [gs:0x60] ; rax = TEB->Peb (gs:0x60 in the 64-bit TEB)
mov rax, [rax + 0x18] ; rax = Peb->Ldr
mov rsi, [rax + 0x20] ; rsi = Peb->Ldr->InMemoryOrderModuleList.Flink (1st entry's InMemoryOrderLinks)
; Assumed module order in InMemoryOrderModuleList:
;   1st = the executable itself, 2nd = ntdll, 3rd = kernel32
; lodsq assumes DF is clear (normal ABI state at entry).
lodsq ; rax = [rsi] = 1st->Flink, i.e. the ntdll entry
; Advance once more: rsi = ntdll entry, rax = ntdll->Flink = kernel32 entry
xchg rax, rsi ; rsi = ntdll entry (rax gets the old rsi, unused afterwards)
lodsq ; rax = ntdll->Flink = kernel32 entry (points at its InMemoryOrderLinks)
mov rbx, [rax + 0x20] ; rbx = entry->DllBase (DllBase is 0x20 past InMemoryOrderLinks)
; rbx = kernel32 image base for the rest of the function
; Parse the PE headers by hand to reach the export directory
xor r8, r8 ; redundant: the 32-bit write below already zero-extends r8
mov r8d, [rbx + 0x3c] ; r8d = dos_header->e_lfanew (offset of the "PE\0\0" signature)
mov rdx, r8 ; rdx = e_lfanew
add rdx, rbx ; rdx = base + e_lfanew = IMAGE_NT_HEADERS64
mov r8d, [rdx + 0x88] ; r8d = OptionalHeader.DataDirectory[0].VirtualAddress (export dir RVA);
                       ; 0x88 = 0x18 (signature + file header) + 0x70 — PE32+ layout only
add r8, rbx ; r8 = IMAGE_EXPORT_DIRECTORY*
xor rsi, rsi ; redundant: 32-bit write below zero-extends
mov esi, [r8 + 0x20] ; esi = export_dir->AddressOfNames (RVA)
add rsi, rbx ; rsi = DWORD* AddressOfNames, an array of name-string RVAs
xor rcx, rcx ; rcx = name index; incremented before first use, so index 0 is never examined
mov r9, 0x7070416c61746146 ; r9 = "FatalApp" as a little-endian qword (bytes 46 61 74 61 6c 41 70 70)
; Scan the name table for the first name whose first 8 bytes are "FatalApp".
; NOTE(review): no upper bound against export_dir->NumberOfNames (offset 0x18);
; if no name matches, the loop walks past the table. Only an 8-byte prefix is
; compared, so it also matches "FatalAppExitW" — relies on the name table
; being sorted so the ...A entry is found first (TODO confirm).
Look:
inc rcx ; rcx++ (first iteration examines index 1)
xor rax, rax ; redundant: 32-bit write below zero-extends
mov eax, [rsi + rcx * 4] ; eax = AddressOfNames[rcx] (DWORD RVA, hence the *4 scale)
add rax, rbx ; rax = char* name
cmp qword [rax], r9 ; compare the first 8 bytes of the name with "FatalApp"
jne Look ; keep scanning until they match
; Index rcx matched. Fetch the function RVA at the same index.
; NOTE(review): the PE format maps names to functions through
; AddressOfNameOrdinals (export_dir + 0x24): functions[ordinals[i]], not
; functions[i]. Using the name index directly is only correct when the two
; tables happen to line up for this DLL; forwarded exports are not handled.
xor rsi, rsi ; redundant: 32-bit write below zero-extends
mov esi, [r8 + 0x1c] ; esi = export_dir->AddressOfFunctions (RVA)
add rsi, rbx ; rsi = DWORD* AddressOfFunctions
xor rdx, rdx ; redundant: 32-bit write below zero-extends
mov edx, [rsi + rcx * 4] ; edx = AddressOfFunctions[rcx] (DWORD RVA, hence the *4 scale)
add rdx, rbx ; rdx = absolute address of FatalAppExitA
mov rdi, rdx ; rdi = FatalAppExitA; rdx is about to be reused for the 2nd argument
; Build the call: FatalAppExitA(UINT uAction = 0, LPCSTR lpMessageText = "Hi!")
xor rcx, rcx ; rcx = uAction = 0
push 0x00216948 ; rsp -= 8; [rsp] = bytes 48 69 21 00 00 00 00 00 = "Hi!" + NUL padding
mov rdx, rsp ; rdx = lpMessageText = pointer to the string just pushed
sub rsp, 0x20 ; 32-byte shadow space required by the Microsoft x64 ABI;
              ; assumes rsp == 8 (mod 16) at _Start so the call site is 16-aligned — TODO confirm
call rdi ; FatalAppExitA(0, "Hi!")
; Nothing follows the call: FatalAppExitA is documented to terminate the
; process; if it ever returned, execution would run off the end of .text.