Commit 3facb811 authored by PoroCYon


Copyright 2018 PoroCYon.
This software is provided "as is", without any express or implied warranties,
including but not limited to the implied warranties of merchantability and
fitness for a particular purpose. In no event will the authors or contributors
be held liable for any direct, indirect, incidental, special, exemplary, or
consequential damages however caused and on any theory of liability, whether in
contract, strict liability, or tort (including negligence or otherwise),
arising in any way out of the use of this software, even if advised of the
possibility of such damage.
Permission is granted to anyone to use this software for any purpose, including
commercial applications, and to alter and distribute it freely in any form,
provided that the following conditions are met:
1. The origin of this software must not be misrepresented; you must not claim
that you wrote the original software. If you use this software in a product,
an acknowledgment in the product documentation would be appreciated but is
not required.
2. Altered source versions may not be misrepresented as being the original
software, and neither the name of <copyright holder> nor the names of
authors or contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
3. This notice must be included, unaltered, with any source distribution.
default: test
testbin: test.c
$(CC) -static -nostdlib -nostartfiles -O3 -s -o "$@" "$<"
%.gz: %
< "$<" gzip -cnk9 > "$@"
%.lzma: %
< "$<" lzma --format=lzma -9 --extreme --lzma1=preset=9,lc=1,lp=0,pb=0 --keep --stdout > "$@"
vondehi: vondehi.asm
nasm -fbin -o"$@" "$<"
chmod +x "$@"
test: vondehi testbin.lzma
cat $^ > test && chmod +x test && strace -f ./test; echo $?
.PHONY: default test
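Review bot: The `-k`/`--keep` flags in the `%.gz` and `%.lzma` recipes have no effect, because the input is redirected from stdin instead of being named on the command line; only `-c`/`--stdout` and `-n` (which strips the name and timestamp from the gzip header and so keeps the output minimal) do any work, so `gzip -cn9 < "$<" > "$@"` says the same thing with less noise. `test` is both the real output file of `cat $^ > test` and a `.PHONY` target, so it is rebuilt and re-run on every `make` — acceptable for a smoke test, but worth a comment such as `# test: always rebuilt; runs the packed binary under strace`. The run step also executes `./test` on the build host, which presumably requires whichever decompressor the unpacker execs to be present at its hard-coded path; a one-line comment stating that assumption would save the next person a confusing strace.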
# vondehi
##### "four-dent"
**An unpacker based on trident (which is my fork of Fishypack), but even
smaller. It doesn't have a 64-bit version, though.**
## Comparison
| mode etc. | vondehi | trident | Fishypack | sh-based unpacker |
|:------------ | -------:| -------:| ---------:| -----------------:|
| gzip, 32-bit | 163 | 172 | 179? (198?) | 48 to 72 |
| xz, 32-bit | 166 | 179 | 186 | 48 to 72 |
| gzip, 64-bit | N/A | 208 | 208? | 48 to 72 |
| xz, 64-bit | N/A | 217 | 217 | 48 to 72 |
| Preserves args | Y | N | tries to | N |
| Min. platform | Linux 3.19 | Linux 3.17 | Linux 3.17 | Most Unices |
| Touches filesystem | N | N | N | Y |
The exact size of a shell-based unpacker depends on the implementation;
many variations exist. 'xz' means that `xzcat` is used instead of `zcat`;
the former supports both `xz`- and `lzma`-compressed data.
Fishypack and trident depend on Linux >=3.17 because of the use of the
`memfd_create` syscall (added in 3.17). vondehi requires `execveat` as well,
which was added in 3.19.
Note that a 32-bit unpacker can still run a 64-bit binary, as long as the
kernel is 64-bit and supports the 32-bit emulation layer.
## Usage
nasm -fbin -o$out vondehi.asm [-DUSE_GZIP] [-DTAG="j0!"]
cat $out $intro_compressed > $final
By default, `xz` is used. A tag can be supplied to include a vanity string
in the unpacker itself, right before the data.
## Greets to
* Blackle, for the original Fishypack
* Shiz, for other packing/unpacking and x86-related stuff
* Faemiyah, yx, etc., for small sh-based unpackers (yx: nice trick with
the script partially embedded in the gzip file!)
## License
int _start() {
asm volatile("mov $60, %%al\npush $42\npop %%rdi\nsyscall\n":::);
;%define USE_GZIP
%define STDIN_FILENO 0
%define AT_EMPTY_PATH 0x1000
%define P_ALL 4
%define SYS_memfd_create 356
%define SYS_fork 2
%define SYS_waitid 284
%define SYS_execve 11
%define SYS_open 5
%define SYS_lseek 19
%define SYS_dup2 63
%define SYS_execveat 358
%define EBP_bias ((_start-ehdr)-(__strempty-__self))
bits 32
org 0xEBDB0000
ehdr: ;~e_ident
; jg short 0x47 (inc ebp) ; dec esp ; inc esi
db 0x7F,"EL";"F" ;!E_MAGIC
inc esi
xor ebx, ebx
mov ax, SYS_waitid
lea esi, [ebx+P_ALL]
int 0x80
db 0x3D ; cmp eax, ...
dw 2 ;!e_type
dw 3 ;!e_machine
mov edx, esp
lea ecx, [ebp+__strempty-__self+EBP_bias]
add bl, bl
db 0xEB ; jmp short _parent.2
;dd _start ;!e_entry
dd phdr-ehdr ;!e_phoff ; 0x33
mov ax, SYS_memfd_create
mov ebx, esp
jmp short _start.1
;dd 0 ; e_shoff
;dd 0 ; e_flags
dw ehdr.end-ehdr;!e_ehdrsize ; 0x34 0x00
dw phdr.end-phdr;!e_phentsize ; 0x20 0x00
dw 1 ;!e_phnum
int 0x80
pop eax
jmp short _start.2
;dw 0 ; e_shentsize
;dw 0 ; e_shnum
;dw 0 ; e_shstrndx
db 1 ;!p_type
times 3 db 0
dd 0 ;!p_offset
dd ehdr ;!p_vaddr
mov ebp, __self-EBP_bias
;dd ehdr ; p_paddr
jmp short _start.3
db 0,0xEB
;dd filesize ;~p_filesz
jmp short _start.3+4
db 0
;dd filesize ;~p_memsz
db 5 ;~p_flags
mov al, SYS_fork
jmp short _start.4
;dd 5 ;~p_flags
;db 0 ; p_align
mov bl, 3
lea esi, [esp+0x18]
phdr.end equ phdr.endm1 + 1
mov ax, SYS_execveat
;int 0x80 ;; fallthru to _start.4
; mov ax, SYS_memfd_create
; mov ebx, esp
; int 0x80
; pop eax
; mov ebp, __self-EBP_bias
; mov al, SYS_fork
int 0x80
test eax, eax
jnz short _parent
;jz short _child
; xor ebx, ebx
; mov ax, SYS_waitid
; lea esi, [ebx+P_ALL] ; smaller than mov si, P_ALL
; int 0x80
; mov edx, esp ; use our args in args ; edx == argv
; lea ecx, [ebp+__strempty-__self] ; doesn't like a NULL
; mov bl, 3 ; __memfd
; lea esi, [esp+24]
; mov ax, SYS_execveat
; mov di, AT_EMPTY_PATH ; can be smaller, reg sucks
; int 0x80
;mov cl, 0 ; fix argc
;mov dl, 0
lea ebx, [ebp+EBP_bias]
;mov ebx, ebp
mov al, SYS_open
int 0x80
; fd1
push eax
; seek
mov al, SYS_lseek
pop ebx
push ebx
mov cl, payload - ehdr
int 0x80
; dup2 demo->stdout
dec ebx
mov al, SYS_dup2
int 0x80
; dup2 self->stdin
mov al, SYS_dup2
pop ebx
dec ecx ; zero it out -> STDIN_FILENO
int 0x80
; execve
mov al, SYS_execve
lea ebx, [ebp+__zip-__self+EBP_bias]
%ifndef USE_GZIP
push ecx
push ebx
mov ecx, esp
int 0x80
db '/proc/self/exe'
db 0
%ifdef USE_GZIP
db '/bin/zcat',0
db '/bin/xzcat',0
; if you insist
%ifdef TAG
db TAG
filesize equ END - ehdr
%if (_parent.2 - ehdr) != 0x50
%error "_parent.2: bad offset"