easyctf/easyctf-2017
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
easyctf-2017/self-modifier/morpher.template.asm
John W 23125c60af Added the morphing problem 
Along with all of its generation script stuff...
2017-03-11 20:30:25 -06:00

104 lines
1.8 KiB
NASM
Raw Blame History

format PE console
entry start
include 'C:\\Projects/asm/INCLUDE/win32a.inc'
include 'C:\\Projects/asm/std.inc'
section '.mrph' code readable executable writeable
mrph:
%s
section '.stat' code readable executable
data import
library msvcrt, 'msvcrt.dll'
import msvcrt, \
printf , 'printf', \
puts , 'puts', \
scanf , 'scanf', \
sin , 'sin', \
cos , 'cos', \
tan , 'tan', \
asin , 'asin', \
acos , 'acos', \
atan , 'atan', \
malloc , 'malloc', \
free , 'free', \
getchar , 'getchar'
end data
do_morph:
push ebp
mov eax, 1
mov edx, dword [num_block]
lea ecx, [block_ptrs + 4*edx]
mov ecx, dword [ecx]
cmp ecx, 0 ; If the block ptr is null return
jz .finish
inc edx
mov dword [num_block], edx
lea edx, [ecx+512]
mov edi, mrph
.mod:
cmp ecx, edx
jz .finish
movzx eax, byte [ecx]
movzx ebp, byte [edi]
xor eax, ebp
mov byte [edi], al
inc edi
inc ecx
xor eax, eax
jmp .mod
.finish:
pop ebp
ret
; No args, flushes input.
flush_inp:
call [getchar]
cmp eax, -1
jz .finish
cmp eax, ENDL
jnz flush_inp
.finish:
ret
; On entrance to each shellcode segment the ebx register will be a vtable of std funcs
; esi contains the base address of the shellcode segment
; edi contains the address of the part of the flag that this segment fills
; edx contains the number of the block
run_morphed:
mov esi, mrph
mov edx, dword [num_block]
dec edx
lea edi, [flag + 4*edx]
mov ebx, func_vtable
call mrph
ret
start:
call do_morph
cmp eax, 0
jnz .finish
call run_morphed
call flush_inp
jmp start
.finish:
ret
section '.dat' data readable writeable
num_block dd 0
func_vtable dd printf, puts, scanf, sin, cos, tan, asin, acos, atan, malloc, free, 0
flag db 64 dup (0)
%s
Reference in a new issue View git blame Copy permalink