Well that was an awful lot of fun to decode.
xg@localhost ~ $ cat test.asm
; test.asm - sample under analysis: instructions hidden inside mov immediates.
;
; Read linearly, main is nine "jmp +6 / mov rbx, <imm64>" pairs followed by
; xor rax, rax / ret, and appears to do nothing but load constants into rbx.
; In the objdump listing of the assembled object each jmp resolves to an
; address two bytes past the start of the following mov (main+0x7 for the
; mov at main+0x5), i.e. past the 48 bb opcode bytes and onto the first
; byte of the 8-byte immediate. The immediate is stored little-endian, so
; its low byte is decoded first; 0x90 (nop) bytes pad each group to 8 bytes
; and lead execution into the next jmp.
;
; Decoded in order, the immediates place "/bin/sh" on the stack, point rdi
; at it, clear rsi and rdx, load 0x3b (59, __NR_execve in unistd_64.h) into
; eax and issue syscall.
;
; NOTE(review): a jump whose target lies inside another instruction is the
; indicator to look for when triaging code like this; a linear-sweep
; disassembly shows only the mov rbx constants.
BITS 64
segment .text
global main
main:
; imm bytes 68 2f 62 69 6e | 90 90 90 -> push 0x6e69622f ("/bin"), 3x nop
jmp +6
mov rbx, 0x9090906e69622f68
; imm bytes 48 81 c4 0c 00 00 00 | 90 -> add rsp, 0xc
; (moves rsp above the "/bin" dword so the next push lands right after it)
jmp +6
mov rbx, 0x900000000cc48148
; imm bytes 68 2f 73 68 00 | 90 90 90 -> push 0x0068732f ("/sh" + NUL), 3x nop
jmp +6
mov rbx, 0x9090900068732f68
; imm bytes 48 81 ec 04 00 00 00 | 90 -> sub rsp, 4
; (rsp now points at the start of the contiguous "/bin/sh" string)
jmp +6
mov rbx, 0x9000000004ec8148
; imm bytes 48 89 e7 | 90 x5 -> mov rdi, rsp (first syscall argument = the string)
jmp +6
mov rbx, 0x9090909090e78948
; imm bytes 48 31 f6 | 90 x5 -> xor rsi, rsi (second argument = 0)
jmp +6
mov rbx, 0x9090909090f63148
; imm bytes 48 31 d2 48 31 c0 | 90 90 -> xor rdx, rdx ; xor rax, rax
jmp +6
mov rbx, 0x9090c03148d23148
; imm bytes b8 3b 00 00 00 0f 05 | 90 -> mov eax, 0x3b ; syscall
jmp +6
mov rbx, 0x90050f0000003bb8
; imm bytes 48 81 c4 08 00 00 00 | 90 -> add rsp, 8
; (only reached if the syscall returns; undoes the net 8-byte stack adjustment)
jmp +6
mov rbx, 0x9000000008c48148
; Visible tail: return 0 from main.
xor rax, rax
ret
xg@localhost ~ $ nasm -f elf64 test.asm
xg@localhost ~ $ objdump -j .text -xd test.o
0000000000000000 <main>:
0: e9 02 00 00 00 jmpq 7 <main+0x7>
5: 48 bb 68 2f 62 69 6e movabs $0x9090906e69622f68,%rbx
c: 90 90 90
f: e9 02 00 00 00 jmpq 16 <main+0x16>
14: 48 bb 48 81 c4 0c 00 movabs $0x900000000cc48148,%rbx
1b: 00 00 90
1e: e9 02 00 00 00 jmpq 25 <main+0x25>
23: 48 bb 68 2f 73 68 00 movabs $0x9090900068732f68,%rbx
2a: 90 90 90
2d: e9 02 00 00 00 jmpq 34 <main+0x34>
32: 48 bb 48 81 ec 04 00 movabs $0x9000000004ec8148,%rbx
39: 00 00 90
3c: e9 02 00 00 00 jmpq 43 <main+0x43>
41: 48 bb 48 89 e7 90 90 movabs $0x9090909090e78948,%rbx
48: 90 90 90
4b: e9 02 00 00 00 jmpq 52 <main+0x52>
50: 48 bb 48 31 f6 90 90 movabs $0x9090909090f63148,%rbx
57: 90 90 90
5a: e9 02 00 00 00 jmpq 61 <main+0x61>
5f: 48 bb 48 31 d2 48 31 movabs $0x9090c03148d23148,%rbx
66: c0 90 90
69: e9 02 00 00 00 jmpq 70 <main+0x70>
6e: 48 bb b8 3b 00 00 00 movabs $0x90050f0000003bb8,%rbx
75: 0f 05 90
78: e9 02 00 00 00 jmpq 7f <main+0x7f>
7d: 48 bb 48 81 c4 08 00 movabs $0x9000000008c48148,%rbx
84: 00 00 90
87: 48 31 c0 xor %rax,%rax
8a: c3 retq
xg@localhost ~ $ printf "BITS 64\nsegment .text\nglobal main\nmain: db " > test2.asm
xg@localhost ~ $ objdump -j .text -xd test.o | perl -e 'while(<>) {
> chomp;
> next if(!m/ +[0-9a-f]*:/);
> next if(m/(jmp|xor|ret)/);
> s/ +[0-9a-f]*:\t//;
> s/\tmov.*//;
> s/^48 bb //;
> s/([a-f0-9]{2})/0$1h,/g;
> print "$_\\\n";
> }' >> test2.asm
xg@localhost ~ $ echo "48h, 31h, 0c0h, 0c3h" >> test2.asm
xg@localhost ~ $ cat test2.asm
; test2.asm - generated by the perl filter over the objdump listing of test.o.
; The filter drops the jmp/xor/ret lines and strips the 48 bb
; (mov rbx, imm64) opcode bytes, leaving only the immediate bytes, which are
; emitted here as a single db statement. Assembled this way, a linear
; disassembly decodes the hidden instructions directly.
; Each pair of lines below is one 8-byte immediate (5 + 3 bytes, following
; objdump's line split). The backslashes continue the one db statement, so
; comments are kept out of the continued lines.
; The last line (48h, 31h, 0c0h, 0c3h) is the original xor rax, rax / ret,
; appended by hand with echo.
BITS 64
segment .text
global main
main: db 068h, 02fh, 062h, 069h, 06eh, \
090h, 090h, 090h, \
048h, 081h, 0c4h, 00ch, 000h, \
000h, 000h, 090h, \
068h, 02fh, 073h, 068h, 000h, \
090h, 090h, 090h, \
048h, 081h, 0ech, 004h, 000h, \
000h, 000h, 090h, \
048h, 089h, 0e7h, 090h, 090h, \
090h, 090h, 090h, \
048h, 031h, 0f6h, 090h, 090h, \
090h, 090h, 090h, \
048h, 031h, 0d2h, 048h, 031h, \
0c0h, 090h, 090h, \
0b8h, 03bh, 000h, 000h, 000h, \
00fh, 005h, 090h, \
048h, 081h, 0c4h, 008h, 000h, \
000h, 000h, 090h, \
48h, 31h, 0c0h, 0c3h
xg@localhost ~ $ nasm -f elf64 test2.asm
xg@localhost ~ $ objdump -j .text -xd test2.o
0000000000000000 <main>:
0: 68 2f 62 69 6e pushq $0x6e69622f
5: 90 nop
6: 90 nop
7: 90 nop
8: 48 81 c4 0c 00 00 00 add $0xc,%rsp
f: 90 nop
10: 68 2f 73 68 00 pushq $0x68732f
15: 90 nop
16: 90 nop
17: 90 nop
18: 48 81 ec 04 00 00 00 sub $0x4,%rsp
1f: 90 nop
20: 48 89 e7 mov %rsp,%rdi
23: 90 nop
24: 90 nop
25: 90 nop
26: 90 nop
27: 90 nop
28: 48 31 f6 xor %rsi,%rsi
2b: 90 nop
2c: 90 nop
2d: 90 nop
2e: 90 nop
2f: 90 nop
30: 48 31 d2 xor %rdx,%rdx
33: 48 31 c0 xor %rax,%rax
36: 90 nop
37: 90 nop
38: b8 3b 00 00 00 mov $0x3b,%eax
3d: 0f 05 syscall
3f: 90 nop
40: 48 81 c4 08 00 00 00 add $0x8,%rsp
47: 90 nop
48: 48 31 c0 xor %rax,%rax
4b: c3 retq
xg@localhost ~ $ cat /usr/include/asm/unistd_64.h | grep `perl -e 'printf("%d",0x3b)'`
#define __NR_execve 59
#define __NR_adjtimex 159
#define __NR_mknodat 259
xg@localhost ~ $ perl -e 'foreach (unpack("(A2)*", "6e69622f68732f")) {print chr hex;}'; echo
nib/hs/
I guess I should have run it beforehand, or traced it. Coulda been malicious for all I knew, wouldn't have mattered though. Well that's 20 minutes of my life I'll never get back, although I do enjoy writing perl.
edit: Looking back there was a much faster way to do it.