This patch applies to UPX 3.91 (changeset 6cd5982ece4f). With it applied, "upx -d"
unpacks OSX/Keydnap backdoor samples, whose packer replaces the "UPX!" magic with
"ASS7" and XORs each filtered block with 0x01 after decompression. A build carrying
this patch presumably no longer recognises stock "UPX!" files, so keep it separate
from your regular upx binary.
http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials
diff -r 6cd5982ece4f src/conf.h
--- a/src/conf.h Mon Sep 30 14:21:37 2013 +0200
+++ b/src/conf.h Thu Jun 30 11:15:59 2016 -0400
@@ -447,7 +447,7 @@
// magic constants for patching
-#define UPX_MAGIC_LE32 0x21585055 /* "UPX!" */
+#define UPX_MAGIC_LE32 0x37535341 /* "ASS7" */
#define UPX_MAGIC2_LE32 0xD5D0D8A1
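Review bot: Redefining `UPX_MAGIC_LE32` unconditionally means the patched build presumably stops recognising standard "UPX!"-packed files, and the same literal is repeated in bsd.h, darwin.h and linux.h under a "must be the same" comment, so the four copies can silently drift apart. A comment at the new define would capture both caveats, e.g. `/* Keydnap variant: "ASS7" replaces "UPX!"; keep bsd.h/darwin.h/linux.h in sync — this build will not unpack stock UPX files */`. Gating the replacement behind a build macro such as `#ifdef UPX_KEYDNAP` would let one tree build both the stock and the Keydnap unpacker.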
diff -r 6cd5982ece4f src/p_unix.cpp
--- a/src/p_unix.cpp Mon Sep 30 14:21:37 2013 +0200
+++ b/src/p_unix.cpp Thu Jun 30 11:15:59 2016 -0400
@@ -467,6 +467,9 @@
decompress(ibuf+j, ibuf, false);
if (12==szb_info) { // modern per-block filter
if (hdr.b_ftid) {
+ for(off_t i = 0; i < sz_unc; i++) {
+ ibuf[i] ^= 0x01;
+ }
Filter ft(ph.level); // FIXME: ph.level for b_info?
ft.init(hdr.b_ftid, 0);
ft.cto = hdr.b_cto8;
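Review bot: The added de-XOR loop indexes with `off_t`, a signed host type, while `sz_unc` is declared outside the hunk and, judging by the stub comparing the same size as `nrv_uint`, is presumably unsigned, so the bound check is a signed/unsigned compare; use the matching index type, e.g. `for (unsigned i = 0; i < sz_unc; i++)`, and name the key (`static const unsigned char KEYDNAP_XOR = 0x01;`) so this copy and the stub copy cannot drift. The XOR only runs when `hdr.b_ftid` is set, so an unfiltered block would be left encoded; that mirrors the stub change, but a one-line comment stating that the Keydnap packer is assumed to XOR only filtered blocks would make the assumption reviewable. The enclosing function starts and ends outside the hunk.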
diff -r 6cd5982ece4f src/stub/src/amd64-darwin.macho-main.c
--- a/src/stub/src/amd64-darwin.macho-main.c Mon Sep 30 14:21:37 2013 +0200
+++ b/src/stub/src/amd64-darwin.macho-main.c Thu Jun 30 11:15:59 2016 -0400
@@ -313,6 +313,9 @@
if (j != 0 || out_len != (nrv_uint)h.sz_unc)
err_exit(7);
if (h.b_ftid!=0 && f_unf) { // have filter
+ for(off_t i = 0; i < out_len; i++) {
+ xo->buf[i] ^= 0x01;
+ }
(*f_unf)(xo->buf, out_len, h.b_cto8, h.b_ftid);
}
xi->buf += h.sz_cpr;
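Review bot: `off_t` in the new loop is a signed host type compared against `out_len`, which the check just above treats as `nrv_uint`, and in a freestanding stub `off_t` is not obviously declared at all; `for (nrv_uint i = 0; i < out_len; i++)` keeps the index in the buffer-length type without a signed/unsigned compare. The decode sits inside `if (h.b_ftid!=0 && f_unf)`, one condition stricter than the `if (hdr.b_ftid)` guard used in p_unix.cpp, so if `f_unf` can be NULL while `b_ftid` is set the two decoders diverge; either move the XOR under its own `if (h.b_ftid != 0)` or comment why the extra condition is equivalent. This file is presumably the loader embedded into packed output, so the change affects binaries packed by the patched build rather than `upx -d` of existing samples. The enclosing function continues outside the hunk.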
diff -r 6cd5982ece4f src/stub/src/include/bsd.h
--- a/src/stub/src/include/bsd.h Mon Sep 30 14:21:37 2013 +0200
+++ b/src/stub/src/include/bsd.h Thu Jun 30 11:15:59 2016 -0400
@@ -289,7 +289,7 @@
// !!! must be the same as in p_unix.h !!!
#define OVERHEAD 2048
-#define UPX_MAGIC_LE32 0x21585055 // "UPX!"
+#define UPX_MAGIC_LE32 0x37535341 // "ASS7"
#if 1
// patch constants for our loader (le32 format)
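Review bot: The comment directly above the changed define, `!!! must be the same as in p_unix.h !!!`, names p_unix.h as the authoritative copy, yet the patch updates conf.h rather than p_unix.h; if a 3.91 p_unix.h still defines or checks `UPX_MAGIC_LE32`, that copy is missed and loader and unpacker would disagree on the magic. Before relying on the patch, grep the tree for `0x21585055` and `"UPX!"` and confirm every remaining occurrence is intentional. If conf.h is where the value now lives, the stale comment should be corrected to `// !!! must be the same as in conf.h !!!`.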
diff -r 6cd5982ece4f src/stub/src/include/darwin.h
--- a/src/stub/src/include/darwin.h Mon Sep 30 14:21:37 2013 +0200
+++ b/src/stub/src/include/darwin.h Thu Jun 30 11:15:59 2016 -0400
@@ -98,7 +98,7 @@
// UPX stuff
**************************************************************************/
-#define UPX_MAGIC_LE32 0x21585055 // "UPX!"
+#define UPX_MAGIC_LE32 0x37535341 // "ASS7"
#define nrv_byte unsigned char
diff -r 6cd5982ece4f src/stub/src/include/linux.h
--- a/src/stub/src/include/linux.h Mon Sep 30 14:21:37 2013 +0200
+++ b/src/stub/src/include/linux.h Thu Jun 30 11:15:59 2016 -0400
@@ -676,7 +676,7 @@
// !!! must be the same as in p_unix.h !!!
#define OVERHEAD 2048
-#define UPX_MAGIC_LE32 0x21585055 // "UPX!"
+#define UPX_MAGIC_LE32 0x37535341 // "ASS7"
#if 1
// patch constants for our loader (le32 format)