unpack.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
#include "avu.h"
extern char **global_envp;
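/*
 * Dynamically unpack an obfuscated ELF executable.
 *
 * The text segment size is read from the file with LoadElf(), the target is
 * then started under ptrace and single-stepped that many times, and the
 * resulting process image is handed to PDump2ELF_child() to be written out.
 *
 * path - file to unpack; it is also the file that gets executed.
 * args - argv passed to execve() for the target.
 *
 * Returns 0 once the dump has been requested and the tracee killed, -1 if
 * the ELF could not be loaded, fork() failed, or the tracee could not be
 * stepped to completion.
 *
 * SECURITY: the target really runs, with this process's privileges and
 * global_envp as its environment, so anything it does in the first stepLen
 * instructions takes effect. Only use this on untrusted samples inside an
 * isolated, disposable analysis environment. The step count is a heuristic
 * (one step per byte of text), not proof that unpacking has finished.
 */
int unpack_executable(char *path, char **args)
{
    int rc = -1;
    int status;
    pid_t pid;
    Elf32mem_t packed;
    unsigned long step;
    /* The # of single steps to take */
    unsigned long stepLen;

    if (LoadElf(path, MAP_PRIVATE, PROT_READ|PROT_WRITE, 0, 0, &packed) == -1) {
        printf("Unable to load ELF object: %s\n", path);
        return -1;
    }

    stepLen = packed.text_memsz;
    UnloadElf(&packed);

    /* stepLen is unsigned long, so %d would be a format mismatch. */
    printf("[+] Text segment size: %lu bytes\n", stepLen);

    if ((pid = fork()) < 0) {
        printf("fork() error: %s\n", strerror(errno));
        return -1;
    }

    if (pid == 0) {
        /*
         * Child: never run the target untraced, and never fall back into the
         * parent's code path. _exit() avoids flushing stdio buffers that were
         * inherited from the parent.
         */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        execve(path, args, global_envp);
        _exit(127);
    }

    printf("[+] Attempting to Dynamically de-obfuscate %s\n", path);

    /*
     * Block until the tracee stops at exec. With WNOHANG the parent could
     * start stepping before the child had even called PTRACE_TRACEME.
     */
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) {
        printf("Tracee did not stop after exec: %s\n", path);
        return -1;
    }

    for (step = 0; step < stepLen; step++) {
        if (ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL) == -1) {
            printf("ptrace(PTRACE_SINGLESTEP) error: %s\n", strerror(errno));
            goto kill_child;
        }

        /* Wait for this tracee specifically, not for any child. */
        if (waitpid(pid, &status, 0) == -1) {
            printf("waitpid() error: %s\n", strerror(errno));
            goto kill_child;
        }

        /* A tracee that is gone has already been reaped; there is nothing to dump. */
        if (WIFEXITED(status) || WIFSIGNALED(status)) {
            printf("Tracee terminated after %lu steps\n", step);
            return -1;
        }
    }

    /* Lets unpack it! */
    printf("[+] Dumping unpacked executable...\n");
    /* NOTE(review): PDump2ELF_child's return value, if any, is not checked - confirm its contract. */
    PDump2ELF_child(pid, path);
    rc = 0;

kill_child:
    /* Never leave the (possibly hostile) tracee running after we are done. */
    ptrace(PTRACE_KILL, pid, NULL, NULL);
    waitpid(pid, &status, 0);
    return rc;
}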