
DEFCON 2015 - misc/patcher

a guest
May 18th, 2015
  1. /*
  2.  * DEFCON 2015 - misc/patcher
  3.  * @mykiimike
  4.  */
  5. #include <sys/types.h>
  6. #include <fcntl.h>
  7. #include <stdio.h>
  8. #include <err.h>
  9. #include <unistd.h>
  10. #include <string.h>
  11. #define BASE  0x08048000
  12.  
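  /*
   * Patch table.  Each site has: the replacement bytes, the virtual address
   * they are written to, a scratch buffer that flash() fills with the bytes
   * found at that address, and the number of bytes to save.
   *
   * Despite the shell_* names, each array holds a single instruction with a
   * changed 32-bit immediate (decoded as 32-bit x86 below; confirm against
   * the target binary).  The trailing NUL of each string literal is not part
   * of the patch, hence the sizeof(...)-1 lengths.
   *
   * NOTE(review): the original bytes are only recorded in these comments;
   * nothing compares them with what is actually in the file before patching.
   */

  /* original bytes: "\xC7\x04\x24\x94\x13\x00\x00"  (mov dword [esp], 0x1394) */
  unsigned char shell_080487AF[] = "\xC7\x04\x24\xC0\x5A\x12\x00"; /* imm -> 0x125AC0 */
  #define FLASH_080487AF 0x080487AF
  unsigned char oldShell_080487AF[8];
  /* Derived from the patch length like the other two sites (still 7). */
  int oldShellSize_080487AF = sizeof(shell_080487AF)-1;

  /* original bytes: "\x81\xFF\x00\x00\x01\x00"  (cmp edi, 0x10000) */
  unsigned char shell_08048C56[] = "\x81\xFF\x00\x01\x00\x00"; /* imm -> 0x100 */
  #define FLASH_08048C56 0x08048C56
  unsigned char oldShell_08048C56[8];
  int oldShellSize_08048C56 = sizeof(shell_08048C56)-1;

  /* original bytes: "\x81\xC1\xA0\x0F\x00\x00"  (add ecx, 0xFA0) */
  unsigned char shell_080489BD[] = "\x81\xC1\xFA\x00\x00\x00"; /* imm -> 0xFA */
  #define FLASH_080489BD 0x080489BD
  unsigned char oldShell_080489BD[8];
  int oldShellSize_080489BD = sizeof(shell_080489BD)-1;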
  30.  
  31. //unsigned char shell[] = "\xb8\x5\x0\x0\x0\x53\x51\x52\x8b\x5c\x24\x10\x8b\x4c\x24\x14\x8b\x54\x24\x18\xcd\x80\x5a\x59\x5b\xc3"; // org shell
  32. //unsigned char shell[] = "\x60\x8B\x5C\x24\x10\x8B\x4C\x24\x14\x8B\x54\x24\x18\xCD\x80\x5A\x59\x5B\xC3";
  /*
   * Print s bytes starting at p to stdout as a run of "\x.." escapes
   * (lower-case hex, no zero padding), followed by a newline.
   * A non-positive s prints only the newline.
   */
  void printbuf(unsigned char *p, int s) {
      int idx = 0;

      while (idx < s) {
          printf("\\x%x", p[idx]);
          idx++;
      }

      putchar('\n');
  }
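  /*
   * flash - save, then overwrite, the bytes at one patch site.
   *
   * f        descriptor opened read/write on the file to patch
   * address  virtual address of the site; the file offset is computed as
   *          address - BASE (NOTE(review): this assumes the segment holding
   *          address starts at file offset 0; nothing here checks that)
   * new      replacement bytes, newSize of them
   * old      receives the oldSize bytes currently stored at the site; the
   *          caller must provide at least oldSize bytes of room
   *
   * Returns nothing.  On a bad offset/size or any I/O failure a warning is
   * printed and the function returns without writing further; the caller has
   * no way to detect this through the void return.
   *
   * NOTE(review): the saved bytes are printed but never compared with the
   * expected original instruction, so a wrong file (or a second run on an
   * already patched file) is modified without complaint.  Work on a copy.
   */
  void flash(int f, off_t address, char *new, int newSize, char *old, int oldSize) {
      off_t off = address - BASE;
      ssize_t n;
      int done;

      /* A negative offset or length would send lseek/read/write off the rails. */
      if (off < 0 || newSize < 0 || oldSize < 0) {
          warnx("flash: bad address or size for 0x%llx", (unsigned long long)address);
          return;
      }

      /* place */
      /* off_t may be wider than int, so print through an explicit 64-bit cast. */
      printf("* Seek 0x%llx to %llx\n", (unsigned long long)address, (unsigned long long)off);
      if (lseek(f, off, SEEK_SET) == (off_t)-1) {
          warn("lseek");
          return;
      }

      /* load the code */
      printf("* Recoding 0x%llx old shell code:", (unsigned long long)address);
      for (done = 0; done < oldSize; done += (int)n) {
          n = read(f, old + done, (size_t)(oldSize - done));
          if (n <= 0) {
              /* -1 is an error, 0 is EOF: either way stop instead of looping
               * forever or stepping the buffer index backwards. */
              putchar('\n');
              if (n == 0)
                  warnx("read: file ends before the patch site");
              else
                  warn("read");
              return;
          }
      }
      printbuf((unsigned char *)old, oldSize);

      /* patch the code */
      printf("* Patching 0x%llx the code using (%d bytes): ", (unsigned long long)address, newSize);
      printbuf((unsigned char *)new, newSize);
      if (lseek(f, off, SEEK_SET) == (off_t)-1) {
          warn("lseek");
          return;
      }
      for (done = 0; done < newSize; done += (int)n) {
          /* Resume after the bytes already written; a partial write must not
           * restart from the beginning of the patch. */
          n = write(f, new + done, (size_t)(newSize - done));
          if (n <= 0) {
              warn("write");
              return;
          }
      }
  }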
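  /*
   * Apply the three patch sites to every file named on the command line.
   *
   * Files are opened read/write and modified in place; no backup is made.
   * Returns 1 when no file is given, when a file cannot be opened (processing
   * stops at that file), or when closing a patched file fails; 0 otherwise.
   *
   * NOTE(review): flash() cannot report failure, so a site that could not be
   * patched does not affect the exit status.
   */
  int main(int argc, char **argv) {
      int i, f;
      int ret = 0;

      if (argc < 2) {
          fprintf(stderr, "files...\n");
          return (1);
      }

      for (i = 1; i < argc; i++) {
          f = open(argv[i], O_RDWR);
          if (f == -1) {
              warn("open %s", argv[i]);
              return (1);
          }

          /* The tables are unsigned char; flash() takes plain char pointers. */
          flash(f, FLASH_080487AF, (char *)shell_080487AF, sizeof(shell_080487AF)-1,
                (char *)oldShell_080487AF, oldShellSize_080487AF);
          flash(f, FLASH_08048C56, (char *)shell_08048C56, sizeof(shell_08048C56)-1,
                (char *)oldShell_08048C56, oldShellSize_08048C56);
          flash(f, FLASH_080489BD, (char *)shell_080489BD, sizeof(shell_080489BD)-1,
                (char *)oldShell_080489BD, oldShellSize_080489BD);

          /* close file: a failure here can be the only report of a lost write */
          if (close(f) == -1) {
              warn("close %s", argv[i]);
              ret = 1;
          }
      }
      return (ret);
  }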