Skip to content

Instantly share code, notes, and snippets.

@hshrzd
Last active September 21, 2020 02:49
Embed
What would you like to do?
Task 10 - part 2 flow
const char *__cdecl sub_804C217(int a1, int a2, int a3, const char *file)
{
int v5; // [esp+2Ch] [ebp-3Ch]
void (__cdecl *v6)(void *, int *); // [esp+30h] [ebp-38h]
int v7; // [esp+34h] [ebp-34h]
unsigned __int64 flags; // [esp+38h] [ebp-30h]
__int64 v9; // [esp+40h] [ebp-28h]
unsigned int v10; // [esp+4Ch] [ebp-1Ch]
v10 = __readgsdword(0x14u);
flags = __PAIR__(a2, a1);
v6 = 0;
v5 = 0;
loc_804C257:
pivot_root(file + 0x1C, a1);
// ptrace(PTRACE_POKEDATA, parent_pid, read_buf, position);
pivot_root(file + 0x4C, a2);
// ptrace(PTRACE_POKEDATA, parent_pid, read_buf, position);
*((_DWORD *)file + 41) = mlockall((int)&flags) / 2;
/*
// on mlockall:
{
LODWORD(v17) = ptrace(PTRACE_PEEKDATA, parent_pid, read_buf, 0);
HIDWORD(v17) = ptrace(PTRACE_PEEKDATA, parent_pid, read_buf + 4, 0);
i_4 = 0;
while ( v17 )
{
if ( v17 & 1 )
i_4 = (char *)some_callback(0xB82D3C24, i_4, (_DWORD *)HIDWORD(v17)); //0xB82D3C24: val = arg_2 + 1;
v17 >>= 1;
}
i_2 = i_4;
ptrace(PTRACE_SETREGS, parent_pid, 0, &read_buf);
}
*/
v7 = flags & 1;
flags >>= 1;
if ( v7 == 1 )
{
uname((struct utsname *)&v9);
/*
//on uname:
{
ptrace(PTRACE_POKEDATA, parent_pid, read_buf, 0xC6EF3720);
v10 = some_callback(0x7E85DB2Au, (char *)0x1337, (_DWORD *)0xCAFE); // 0x7E85DB2A: val = 0x9E3779B9;
ptrace(PTRACE_POKEDATA, parent_pid, read_buf + 4, v10);
}
*/
flags ^= v9;
}
v6(&loc_804C257, &v5); //maybe goto loc_804C257
return file;
}
unsigned int __cdecl sub_804C369(__mode_t *a1, int a2, int a3, const char *file)
{
int v5; // [esp+14h] [ebp-24h]
int v6; // [esp+18h] [ebp-20h]
__mode_t v7; // [esp+1Ch] [ebp-1Ch]
__mode_t mode; // [esp+20h] [ebp-18h]
__mode_t v9; // [esp+24h] [ebp-14h]
__mode_t v10; // [esp+28h] [ebp-10h]
unsigned int v11; // [esp+2Ch] [ebp-Ch]
v11 = __readgsdword(0x14u);
v6 = 0;
sub_804C217(a2, a3, 16, file);
v7 = *a1;
mode = a1[1];
v5 = 0;
loc_804C3C4:
v9 = mode;
v10 = v7 ^ chmod(file, mode);
/*
// on chmod:
{
to_peek_more_data(parent_pid, read_buf, &buf_2, 248);
i_2 = (_DWORD *)sub_804C19C((char *)&buf_2, position);
ptrace(PTRACE_SETREGS, parent_pid, 0, &read_buf);
}
int __cdecl sub_804C19C(char *buf_2, int parent_process_)
{
int v2; // eax
int v3; // eax
v2 = MEMORY[0](0x6B4E102C, parent_process_, *((_DWORD *)buf_2 + 7)); // val = arg_2 + arg_3;
v3 = MEMORY[0](0x5816452E, v2, *((_DWORD *)buf_2 + 41)); // val = ror(arg_2, arg_3);
return MEMORY[0](0x44DE7A30, v3, *((_DWORD *)buf_2 + 19)); //val = arg_3 ^ arg_2;
}
*/
v7 = mode;
mode = v10;
MEMORY[0](&loc_804C3C4, &v5); // maybe goto loc_804C3C4
*a1 = mode;
a1[1] = v7;
return __readgsdword(0x14u) ^ v11;
}
_BOOL4 __cdecl decode_next_part(void *src)
{
int v1; // eax
size_t len; // eax
char v4[3968]; // [esp+Ch] [ebp-F9Ch]
int count; // [esp+F8Ch] [ebp-1Ch]
int a2[2]; // [esp+F90h] [ebp-18h]
char *s; // [esp+F98h] [ebp-10h]
int i; // [esp+F9Ch] [ebp-Ch]
v1 = nice(164);
s = (char *)-v1; // s = "This string has no purpose and is merely here to waste your time."
len = strlen((const char *)-v1);
*(_QWORD *)a2 = sub_804BFED(0, 0, s, len, 0);
count = 40000;
memcpy(&buf, src, 32u); // the next input part
for ( i = 0; i < count; i += 8 )
sub_804C369((__mode_t *)((char *)&buf + i), a2[0], a2[1], v4);
return truncate((const char *)&buf, 32) == 32;
/*
// on truncate:
{
to_peek_more_data(parent_pid, read_buf, &::buf, 40000);
for ( i = 0; i <= 39999 && *(_BYTE *)(i + 0x804C640); ++i )
{
v18[i] = *(_BYTE *)(i + 0x804C640); // buffer "file"
if ( i_3 == (_DWORD *)-1 && v18[i] != *(_BYTE *)(i + 0x81A5100) ) // 0x81A5100: verification buffer[32] =
// { 64 A0 60 02 EA 8A 87 7D 6C E9 7C E4 82 3F 2D 0C 8C B7 B5 EB CF 35 4F 42 4F AD 2B 49 20 28 7C E0 }
i_3 = (_DWORD *)i;
}
i_3 = (_DWORD *)some_callback(0xA4F57126, input_buffer, i_3);
// callback:
{
res = arg_3;
if ( arg_3 != -1 )
{
to_peek_more_data(pid, arg_2, input_buffer, 62);
if ( strncmp(s1, "@no-flare.com", 0xDu) )
res = -1;
}
}
i_2 = i_3;
ptrace(PTRACE_SETREGS, parent_pid, 0, &read_buf);
}
*/
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment