Task 10 - part 2 flow
/*
 * sub_804C217 -- per-round key/state update used by sub_804C369 (decompiler
 * pseudocode, not compilable C).
 *
 * The 64-bit value "flags" is assembled from the two 32-bit arguments
 * (high dword = a2, low dword = a1). The same two halves are pushed into the
 * working buffer "file" at offsets 0x1C and 0x4C through the hooked
 * pivot_root() calls, and the hooked mlockall() result / 2 lands at dword
 * index 41 (offset 0xA4). Those three slots are exactly the ones
 * sub_804C19C (see the note inside sub_804C369) reads back, so this function
 * is effectively the key schedule for that round function.
 *
 * None of the libc/syscall wrappers below do what their names say: the
 * "// on <syscall>:" notes show a tracing parent doing PTRACE_PEEKDATA /
 * PTRACE_POKEDATA / PTRACE_SETREGS on parent_pid. The syscall is only a
 * trigger and the tracer supplies the real result. For analysts this is the
 * classic ptrace-based syscall-hooking obfuscation: the child's visible
 * system calls are decoys, and a debugger cannot attach because a tracer is
 * already present. Instrumentation has to go through the parent (or emulate
 * the hooks) rather than the child.
 *
 * Parameters (as far as the pseudocode shows):
 *   a1, a2 - low / high halves of the 64-bit "flags" value.
 *   a3     - not referenced in the visible body (the caller passes 16;
 *            presumably a round count consumed by the tracer -- unconfirmed).
 *   file   - working buffer written at offsets 0x1C, 0x4C and 0xA4.
 * Returns: the same "file" pointer.
 */
const char *__cdecl sub_804C217(int a1, int a2, int a3, const char *file) | |
{ | |
int v5; // [esp+2Ch] [ebp-3Ch] | |
void (__cdecl *v6)(void *, int *); // [esp+30h] [ebp-38h] | |
int v7; // [esp+34h] [ebp-34h] | |
unsigned __int64 flags; // [esp+38h] [ebp-30h] | |
__int64 v9; // [esp+40h] [ebp-28h] | |
unsigned int v10; // [esp+4Ch] [ebp-1Ch] | |
// gs:0x14 is the glibc i386 stack-protector cookie; the decompiler dropped
// the matching check at the end of this function.
v10 = __readgsdword(0x14u); | |
// flags = (a2 << 32) | a1
flags = __PAIR__(a2, a1); | |
// v6 stays NULL -- the indirect call through it near the end is itself the
// fault the tracer catches (see the note on that line).
v6 = 0; | |
v5 = 0; | |
// Round loop head. There is no visible back-edge; the analyst reads the
// trapped v6() call below as "goto loc_804C257".
loc_804C257: | |
// Hooked: the tracer stores a1 at file+0x1C (key low half).
pivot_root(file + 0x1C, a1); | |
// ptrace(PTRACE_POKEDATA, parent_pid, read_buf, position); | |
// Hooked: the tracer stores a2 at file+0x4C (key high half).
pivot_root(file + 0x4C, a2); | |
// ptrace(PTRACE_POKEDATA, parent_pid, read_buf, position); | |
// Hooked: the tracer reads the 64-bit "flags" from the child, walks its bits
// and calls the 0xB82D3C24 callback (val = arg_2 + 1) once per set bit,
// i.e. it computes popcount(flags). The child therefore stores
// popcount(flags) / 2 at file+0xA4 -- the rotate amount used by sub_804C19C.
*((_DWORD *)file + 41) = mlockall((int)&flags) / 2; | |
/* | |
// on mlockall: | |
{ | |
LODWORD(v17) = ptrace(PTRACE_PEEKDATA, parent_pid, read_buf, 0); | |
HIDWORD(v17) = ptrace(PTRACE_PEEKDATA, parent_pid, read_buf + 4, 0); | |
i_4 = 0; | |
while ( v17 ) | |
{ | |
if ( v17 & 1 ) | |
i_4 = (char *)some_callback(0xB82D3C24, i_4, (_DWORD *)HIDWORD(v17)); //0xB82D3C24: val = arg_2 + 1; | |
v17 >>= 1; | |
} | |
i_2 = i_4; | |
ptrace(PTRACE_SETREGS, parent_pid, 0, &read_buf); | |
} | |
*/ | |
// Shift-register style update: consume the low bit, shift, and on a 1 bit
// XOR in the 64-bit constant delivered by the hooked uname() below.
v7 = flags & 1; | |
flags >>= 1; | |
if ( v7 == 1 ) | |
{ | |
// Hooked: the tracer writes 0xC6EF3720 to the low dword and 0x9E3779B9
// (from callback 0x7E85DB2A) to the high dword of v9, so
// v9 == 0x9E3779B9C6EF3720. 0x9E3779B9 is the golden-ratio constant used
// as the TEA/XTEA delta and 0xC6EF3720 == 32 * 0x9E3779B9 mod 2^32 (the
// TEA "sum" after 32 rounds); the constants look borrowed from TEA, but the
// surrounding logic is not TEA, so treat them as a hint/decoy, not a cipher ID.
uname((struct utsname *)&v9); | |
/* | |
//on uname: | |
{ | |
ptrace(PTRACE_POKEDATA, parent_pid, read_buf, 0xC6EF3720); | |
v10 = some_callback(0x7E85DB2Au, (char *)0x1337, (_DWORD *)0xCAFE); // 0x7E85DB2A: val = 0x9E3779B9; | |
ptrace(PTRACE_POKEDATA, parent_pid, read_buf + 4, v10); | |
} | |
*/ | |
flags ^= v9; | |
} | |
// v6 is NULL, so this is a call to address 0 -> SIGSEGV in the child. The
// tracer presumably uses that fault to bump v5 and redirect execution to
// loc_804C257 (arguments are the label address and &v5) -- unconfirmed.
v6(&loc_804C257, &v5); //maybe goto loc_804C257 | |
return file; | |
} | |
/*
 * sub_804C369 -- encrypts one 8-byte block in place (decompiler pseudocode).
 *
 * a1 points at two 32-bit halves (a1[0], a1[1]); a2/a3 are the 64-bit key
 * halves derived in decode_next_part; "file" is the per-call working buffer
 * that sub_804C217 fills (key halves at 0x1C/0x4C, rotate amount at 0xA4).
 *
 * The body is a Feistel-style round: the hooked chmod() makes the tracer run
 * sub_804C19C over the working buffer, producing F(mode); the caller XORs
 * that with the other half and swaps. The loop back-edge is again an
 * indirect call through MEMORY[0] (address 0) that the tracer turns into a
 * jump to loc_804C3C4, so the round count is not visible here (the literal
 * 16 passed to sub_804C217 is a plausible candidate -- unconfirmed).
 *
 * Note the write-back at the end crosses the halves: a1[0] receives "mode"
 * and a1[1] receives "v7", so the last swap is not undone.
 *
 * Returns: the stack-protector check (gs:0x14 ^ saved cookie), i.e. the
 * decompiler folded __stack_chk_fail's comparison into the return value;
 * the result is not meaningful to callers (decode_next_part ignores it).
 */
unsigned int __cdecl sub_804C369(__mode_t *a1, int a2, int a3, const char *file) | |
{ | |
int v5; // [esp+14h] [ebp-24h] | |
int v6; // [esp+18h] [ebp-20h] | |
__mode_t v7; // [esp+1Ch] [ebp-1Ch] | |
__mode_t mode; // [esp+20h] [ebp-18h] | |
__mode_t v9; // [esp+24h] [ebp-14h] | |
__mode_t v10; // [esp+28h] [ebp-10h] | |
unsigned int v11; // [esp+2Ch] [ebp-Ch] | |
// stack-protector cookie, compared on return
v11 = __readgsdword(0x14u); | |
v6 = 0; | |
// Key setup: populate "file" with a2/a3 and the popcount-derived rotate amount.
sub_804C217(a2, a3, 16, file); | |
// Load the two halves of the block.
v7 = *a1; | |
mode = a1[1]; | |
v5 = 0; | |
// Round loop head (re-entered via the trapped MEMORY[0] call below).
loc_804C3C4: | |
v9 = mode; | |
// Hooked: the tracer reads 248 bytes of the working buffer, evaluates
// sub_804C19C(buf, position) and returns it in eax via PTRACE_SETREGS, so
// chmod() here yields F(mode) and v10 = v7 ^ F(mode). "position" is
// presumably the "mode" value passed in the second register -- unconfirmed.
v10 = v7 ^ chmod(file, mode); | |
/* | |
// on chmod: | |
{ | |
to_peek_more_data(parent_pid, read_buf, &buf_2, 248); | |
i_2 = (_DWORD *)sub_804C19C((char *)&buf_2, position); | |
ptrace(PTRACE_SETREGS, parent_pid, 0, &read_buf); | |
} | |
// Round function, computed in the tracer. Offsets: dword 7 = 0x1C (key
// low half), dword 41 = 0xA4 (popcount(key)/2), dword 19 = 0x4C (key high
// half). So F(x) = ror32(x + key_lo, popcount(key)/2) ^ key_hi, each step
// dispatched through a hashed callback id rather than an inline opcode.
int __cdecl sub_804C19C(char *buf_2, int parent_process_) | |
{ | |
int v2; // eax | |
int v3; // eax | |
v2 = MEMORY[0](0x6B4E102C, parent_process_, *((_DWORD *)buf_2 + 7)); // val = arg_2 + arg_3; | |
v3 = MEMORY[0](0x5816452E, v2, *((_DWORD *)buf_2 + 41)); // val = ror(arg_2, arg_3); | |
return MEMORY[0](0x44DE7A30, v3, *((_DWORD *)buf_2 + 19)); //val = arg_3 ^ arg_2; | |
} | |
*/ | |
// Feistel swap: (v7, mode) <- (mode, v7 ^ F(mode)).
v7 = mode; | |
mode = v10; | |
// Call to address 0: faults in the child; the tracer presumably advances v5
// and resumes at loc_804C3C4 until the round count is reached.
MEMORY[0](&loc_804C3C4, &v5); // maybe goto loc_804C3C4 | |
// Write the block back with the halves crossed (see header comment).
*a1 = mode; | |
a1[1] = v7; | |
return __readgsdword(0x14u) ^ v11; | |
} | |
/*
 * decode_next_part -- encrypts the 32-byte input chunk at "src" and asks the
 * tracer whether the result matches the expected ciphertext (decompiler
 * pseudocode).
 *
 * Flow, as far as the notes show:
 *   1. nice(164) is hooked; its (negated) return value is a pointer to the
 *      decoy string quoted below. sub_804BFED turns that string into the
 *      64-bit key a2 (its internals are not on this page).
 *   2. 32 bytes of "src" are copied into the global "buf"; every 8-byte
 *      block of the first 40000 bytes of "buf" is then run through
 *      sub_804C369 with that key. Only the first 32 bytes carry input, so the
 *      remaining blocks transform whatever "buf" already held.
 *   3. truncate() is hooked: the tracer reads "buf" back, compares its bytes
 *      against the 32-byte verification buffer at 0x81A5100, and through
 *      callback 0xA4F57126 additionally requires the 62-byte input_buffer
 *      (the e-mail) to end in "@no-flare.com". The child only accepts a
 *      returned value of 32.
 *
 * Defender/analyst note: the key material never appears as a string
 * constant the child reads directly -- it is injected by the tracer via a
 * hooked syscall -- and the expected-ciphertext comparison also lives in the
 * tracer. Both halves of the check have to be recovered from the parent.
 *
 * Returns: nonzero when the hooked truncate() reports 32.
 */
_BOOL4 __cdecl decode_next_part(void *src) | |
{ | |
int v1; // eax | |
size_t len; // eax | |
char v4[3968]; // [esp+Ch] [ebp-F9Ch] | |
int count; // [esp+F8Ch] [ebp-1Ch] | |
int a2[2]; // [esp+F90h] [ebp-18h] | |
char *s; // [esp+F98h] [ebp-10h] | |
int i; // [esp+F9Ch] [ebp-Ch] | |
// Hooked: the tracer returns the negated address of the key-source string.
v1 = nice(164); | |
s = (char *)-v1; // s = "This string has no purpose and is merely here to waste your time." | |
len = strlen((const char *)-v1); | |
// 64-bit key derived from the string (sub_804BFED not shown here).
*(_QWORD *)a2 = sub_804BFED(0, 0, s, len, 0); | |
count = 40000; | |
memcpy(&buf, src, 32u); // the next input part | |
// One sub_804C369 call per 8-byte block; v4 is the scratch "file" buffer
// that sub_804C217 fills with the key halves and rotate amount.
for ( i = 0; i < count; i += 8 ) | |
sub_804C369((__mode_t *)((char *)&buf + i), a2[0], a2[1], v4); | |
// Hooked: the tracer performs the ciphertext and e-mail-suffix checks below
// and returns the verdict in eax; 32 is the pass value.
return truncate((const char *)&buf, 32) == 32; | |
/* | |
// on truncate: | |
{ | |
to_peek_more_data(parent_pid, read_buf, &::buf, 40000); | |
// Byte-compare "buf" (0x804C640) against the verification buffer; i_3 is
// used as "index of first mismatch, -1 if none" (its initialisation is
// not in this excerpt).
for ( i = 0; i <= 39999 && *(_BYTE *)(i + 0x804C640); ++i ) | |
{ | |
v18[i] = *(_BYTE *)(i + 0x804C640); // buffer "file" | |
if ( i_3 == (_DWORD *)-1 && v18[i] != *(_BYTE *)(i + 0x81A5100) ) // 0x81A5100: verification buffer[32] = | |
// { 64 A0 60 02 EA 8A 87 7D 6C E9 7C E4 82 3F 2D 0C 8C B7 B5 EB CF 35 4F 42 4F AD 2B 49 20 28 7C E0 } | |
i_3 = (_DWORD *)i; | |
} | |
// Second gate: the submitted e-mail must carry the "@no-flare.com" suffix.
i_3 = (_DWORD *)some_callback(0xA4F57126, input_buffer, i_3); | |
// callback: | |
{ | |
res = arg_3; | |
if ( arg_3 != -1 ) | |
{ | |
to_peek_more_data(pid, arg_2, input_buffer, 62); | |
if ( strncmp(s1, "@no-flare.com", 0xDu) ) | |
res = -1; | |
} | |
} | |
// Verdict goes back to the child as truncate()'s return value (eax).
i_2 = i_3; | |
ptrace(PTRACE_SETREGS, parent_pid, 0, &read_buf); | |
} | |
*/ | |
} |