# vondehi

> "[four](https://vlasisku.alexburka.com/vo)-[dent](https://vlasisku.alexburka.com/denci)"

**An unpacker based on
[fishypack-trident](https://gitlab.com/PoroCYon/fishypack-trident/)
(which is my fork of
[Fishypack](https://bitbucket.org/blackle_mori/cenotaph4soda)),
but even smaller. It doesn't have a 64-bit version, though.**

## Comparison

| mode etc.          | vondehi    | trident    | Fishypack   | sh-based unpacker  |
|:------------------ | ----------:| ----------:| -----------:| ------------------:|
| gzip, 32-bit       |        161 |        172 | 179? (198?) |           48 to 72 |
| xz, 32-bit         | 164 (168*) |        179 |         186 |           48 to 72 |
| gzip, 64-bit       |        N/A |        208 |        208? |           48 to 72 |
| xz, 64-bit         |        N/A |        217 |         217 |           48 to 72 |
| Preserve arg & env | Y (with `NO_CHEATING`) / N | N | tries to | can, but often not |
| Min. platform      | Linux 3.19 | Linux 3.17 |  Linux 3.17 |        Most Unices |
| Touches filesystem |          N |          N |           N |                  Y |

\*: with `NO_UBUNTU_COMPAT` **dis**abled.

All values are with `NO_CHEATING` **dis**abled. If this is enabled, add 5 bytes.

The exact size of a shell-based unpacker depends on the implementation; many
variations exist. 'xz' means `xzcat` is used instead of `zcat`; `xzcat` accepts
both `xz`- and `lzma`-compressed data.

Fishypack and trident need Linux >= 3.17 because they use the `memfd_create(2)`
syscall. vondehi also uses `execveat(2)`, which first appeared in Linux 3.19.

Note that a 32-bit unpacker can still run a 64-bit binary, as long as the
kernel is 64-bit and has the 32-bit emulation layer (`CONFIG_IA32_EMULATION`)
enabled.
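
The fork-into-decompressor, `memfd_create(2)`, `execveat(2)` sequence that the table and the two paragraphs above describe, written out as an added C example. This is illustration code, not vondehi's (which is hand-written assembly and far smaller): it assumes `/usr/bin/xzcat` as the decompressor, takes the compressed payload as a file argument instead of reading it from its own executable, and in `selftest()` uses `/bin/cat` as a stand-in "decompressor" with a constructed payload so the plumbing can be checked without an xz-compressed ELF at hand.

```c
/* memfd_unpack.c: Fishypack-style in-memory unpacking, illustration only.
 * Build: cc -O2 -o memfd_unpack memfd_unpack.c
 * Run:   ./memfd_unpack intro.lzma [args...]   (executes the decompressed ELF)
 * Needs Linux >= 3.19 (memfd_create since 3.17, execveat since 3.19).
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>

extern char **environ;

/* Run `filter` (e.g. /usr/bin/xzcat) with `in_fd`, positioned at `offset`, on
 * its stdin and a fresh anonymous memfd on its stdout. Waits for the filter
 * and returns the memfd holding the decompressed bytes, or -1 on failure.
 * A packed intro would pass its own executable as `in_fd` and the size of the
 * stub as `offset`; here the caller supplies them. */
int decompress_to_memfd(const char *filter, int in_fd, off_t offset)
{
    int memfd = (int)syscall(SYS_memfd_create, "", 0);   /* no seals, no CLOEXEC */
    if (memfd < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(memfd); return -1; }
    if (pid == 0) {
        /* child: stdin <- compressed data, stdout -> memfd, become the filter */
        if (lseek(in_fd, offset, SEEK_SET) < 0 ||
            dup2(in_fd, STDIN_FILENO) < 0 || dup2(memfd, STDOUT_FILENO) < 0)
            _exit(126);
        char *const fargv[] = { (char *)filter, NULL };
        execve(filter, fargv, environ);
        _exit(127);                          /* execve failed (filter missing?) */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        close(memfd);
        return -1;
    }
    return memfd;
}

/* Replace the current process with the ELF in `memfd`, passing argv/envp on
 * unchanged. AT_EMPTY_PATH executes the fd itself: no path, no /proc, nothing
 * ever touches the filesystem. Returns only on failure (errno is set). */
int exec_memfd(int memfd, char *const argv[], char *const envp[])
{
    syscall(SYS_execveat, memfd, "", argv, envp, AT_EMPTY_PATH);
    return -1;
}

/* Self-check with /bin/cat standing in for xzcat: a constructed "stub" prefix
 * followed by a constructed payload must come back byte-for-byte from the
 * memfd when decompression starts at the stub's length. Returns 1 on success. */
int selftest(void)
{
    static const char stub[] = "stub-bytes-";                 /* constructed */
    static const char payload[] = "\x7f" "ELF fake payload";  /* constructed */
    const size_t stub_len = sizeof stub - 1, payload_len = sizeof payload - 1;

    int in = (int)syscall(SYS_memfd_create, "in", 0);
    if (in < 0) return 0;
    if (write(in, stub, stub_len) != (ssize_t)stub_len) return 0;
    if (write(in, payload, payload_len) != (ssize_t)payload_len) return 0;

    int out = decompress_to_memfd("/bin/cat", in, (off_t)stub_len);
    if (out < 0) { close(in); return 0; }

    char buf[64];
    if (lseek(out, 0, SEEK_SET) < 0) return 0;  /* the child advanced the shared offset */
    ssize_t n = read(out, buf, sizeof buf);
    close(in);
    close(out);
    return n == (ssize_t)payload_len && memcmp(buf, payload, payload_len) == 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s intro.lzma [args...]\n", argv[0]);
        return 2;
    }
    int in = open(argv[1], O_RDONLY);
    if (in < 0) { perror("open"); return 1; }
    int memfd = decompress_to_memfd("/usr/bin/xzcat", in, 0);
    if (memfd < 0) { perror("decompress_to_memfd"); return 1; }
    /* the payload sees argv[1..] as its own argv and the full environment */
    exec_memfd(memfd, argv + 1, environ);
    perror("execveat");
    return 1;
}
```

Try it with a real payload: `xz -9e --format=lzma < intro > intro.lzma && ./memfd_unpack intro.lzma`. Running it under `strace -f` shows a syscall sequence of the same shape you should expect from a vondehi-packed intro (fork, dup2, execve of the decompressor, waitpid, execveat), which is useful as a reference when the debug steps further down leave you staring at a failing stub.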

## Usage

```
# 1. assemble the stub (all -D options are optional, see "Settings" below)
nasm -fbin -o$out vondehi.asm [-DUSE_GZIP] [-DTAG="j0!"] [-DNO_UBUNTU_COMPAT] \
    [-DUSE_VFORK] [-DNO_CHEATING]
# 2. append the compressed intro (xz/lzma by default, gzip with -DUSE_GZIP);
#    the stub reads it from its own file at runtime
cat $out $intro_compressed > $final
```

See also [autovndh.py](https://pcy.be/tmp/src/autovndh.py), a script that
brute-forces all compression parameters to find the optimal binary.

### Settings

* `USE_GZIP` (default off): use `gzip` (`/bin/zcat`) instead of `xz`
  (`/usr/bin/xzcat`).
* `NO_UBUNTU_COMPAT` (default off): assume `/bin` is the same as `/usr/bin`,
  which lets the stub use `/bin/xzcat` instead of `/usr/bin/xzcat` (4 bytes
  shorter, hence 164 vs. 168 in the table). Originally named like this because
  on my machine, `/bin` is linked to `/usr/bin`, but on the Revision
  compomachine (which runs Ubuntu), it isn't.
* `NO_FILE_MANAGER_COMPAT` (default off): save two bytes by putting
  instructions in the `EI_CLASS` and `EI_DATA` fields of the ELF header. Causes
  executables packed with vondehi not to be recognised as executable by file
  managers.
* `USE_VFORK` (default off): use `vfork(2)` instead of `fork(2)`. I hope you
  know what you're doing when you enable this.
* `TAG` (default empty): add a vanity tag right before the compressed data.
  Only use this when you have bytes to spare, of course.
* `NO_CHEATING` (default off): don't assume file descriptor numbers, and
  properly pass arguments and environment variables to the payload. You need
  this if you're running on Wayland. Costs 5 bytes.

## How to debug it if it doesn't work

1. `strace -f` it (`-f` also follows the forked `zcat`/`xzcat` child)
2. See where errors start happening
   * This can be obscured because the code assumes e.g. syscall return values
     to be between `0` and `255`, so later syscalls might fail, or nonsense
     syscalls might be invoked.
3. Fix it. Somehow.

## Greets to

* Blackle, for the original Fishypack, and for replacing the `waitid(2)` call
  with `waitpid(2)`, fixing compatibility with some kernels and shaving off a
  few bytes at once!
* Shiz, for other packing/unpacking and x86-related stuff
* Faemiyah, yx, etc., for small sh-based unpackers (yx: nice trick with
  the script partially embedded in the gzip file!)

### Extra thanks to:

* blackle, greg, and others for contributions

## License

[SAL](LICENSE).