9. The entry point

The longest part of the journey is said to be the passing of the gate.

    Marcus Terentius Varro

If we decide to leave entry_point as it is, we have to patch something else. One approach is to disassemble the code starting at entry_point, find the first call (or jmp) and abuse it. This requires far too much intelligence for a virus, though. But then we are operating in a homogeneous environment, with one compiler and one C run-time library for all. The startup code should be the same for every executable.

Command: pre/sparc-debian2.2-linux/entry_point/gdb/Linux.sh
#!/bin/bash
pre/sparc-debian2.2-linux/entry_point/gdb_core.sh \
| pre/sparc-debian2.2-linux/magic_elf/gdb_format.pl

We use the tool from Extracting e_entry to retrieve the entry point. On some shells the command that reads from a pipe runs in a sub-shell, i.e. the variables it sets are not visible in the surrounding scope. The while loop is executed just once; its only purpose is to provide a block for read.

Command: pre/sparc-debian2.2-linux/entry_point/gdb_core.sh
#!/bin/bash
# Binary to inspect; defaults to /bin/bash.
file=${1:-/bin/bash}

# e_entry prints the entry point (and its file offset) from the ELF header.
# The while loop runs once; it only gives read a block in which to work.
tmp/sparc-debian2.2-linux/evil_magic/e_entry ${file} \
| while read entry_point offset
do
  /bin/echo "[entry_point=${entry_point}]"
  # Stop at the entry point and disassemble the first 0x100 bytes of _start.
  /usr/bin/gdb ${file} -q <<EOT 2>&1
	
	break *0x${entry_point}
	run
	disassemble 0x${entry_point} 0x${entry_point}+0x100
EOT
done

Output: out/sparc-debian2.2-linux/entry_point/sh.gdb
Starting program:         /bin/bash     
0x1f598 <_start>:         mov           %g0, %fp
0x1f59c <_start+4>:       sub           %sp, 0x18, %sp
0x1f5a0 <_start+8>:       ld            [ %sp + 0x58 ], %o1
0x1f5a4 <_start+12>:      add           %sp, 0x5c, %o2
0x1f5a8 <_start+16>:      sethi         %hi(0x1f400), %o0
0x1f5ac <_start+20>:      sethi         %hi(0x1f400), %o3
0x1f5b0 <_start+24>:      sethi         %hi(0x75000), %o4
0x1f5b4 <_start+28>:      or            %o0, 0x2a4, %o0
0x1f5b8 <_start+32>:      or            %o3, 0x174, %o3
0x1f5bc <_start+36>:      or            %o4, 0x154, %o4
0x1f5c0 <_start+40>:      mov           %g1, %o5
0x1f5c4 <_start+44>:      call          0x9ab68 <__libc_start_main>
0x1f5c8 <_start+48>:      nop           
0x1f5cc <_start+52>:      unimp         0