
tmp0ut

Administrator: eZine
Created 3 Nov 2022
35 Articles
tmp.0ut is a modern ezine about ELF research.

Check the tmp.0ut official website at https://tmpout.sh/

2.15 ELF Resources and Links

eZine lover (@eZine)
Published in tmp0ut · 3 Nov 2022

Fellow ELF enthusiasts, I'm pleased to announce that a new tmp.0ut project is going live now: We started a repository with some Awesome ELF resources! The goal is to provide a curated list of ELF-rel...

2.14 84 byte aarch64 ELF

eZine lover (@eZine)
Published in tmp0ut · 3 Nov 2022

~ netspooky

I hadn't seen a golfed aarch64 binary so I decided to write one. It works the same as old golfed ELFs in kernels < 5.8. aarch64 instructions are fixed width, which made it a bit more challenging. Shoutout to ixi & the fox.

[: BASE64 POC :]

base64 -d <<< f0VMRuH//xAICIDSEAAAFAIAtwABAAAABAAAAAEAAAAcAAAAAAAAAAAA\
AAAAAAAAAQAAAEAAOAABAADU8v//FwAAAADy//8XAAAAAIIAgNL6//8X > aarch64.elf;

[ELF Header diagram: 00: e_ident (7f 45 4c 46 .ELF), 04: ei_class, 05: ei_data, ...]

2.13 BGGP Wrap Up

eZine lover (@eZine)
Published in tmp0ut · 3 Nov 2022

~ netspooky

The Binary Golf Grand Prix is a now annual challenge for Binary Golf. Binary Golf is the art of crafting the smallest possible binaries. The second annual BGGP took place from June 18th - September 17th 2021. The 2020 challenge involved creating a binary palindrome. This year's challenge was to create the smallest possible binary polyglot, with two different categories for scoring that influenced how participants would approach this challenge. The challenge announcement is here: https://n0.lol/bggp/2021/ The main repo for BGGP2021 is here: https://github.com/netspooky/BGGP/tree/m...

2.12 Bashing ELFs Like a Caveman

eZine lover (@eZine)
Published in tmp0ut · 3 Nov 2022

~ RiS

Hey hey ELF fiends, Caveman RiS here, bringing you a quick note on how to bash those ELFs into submission in restricted environments without compilers or easy-to-use file transfer protocols. Readers may remember an ELF infection technique discussed in the first release of tmp.0ut called PT_NOTE infection. PT_NOTE infection takes advantage of a behavior of modern compilers which add segments to ELF binaries that contain auxiliary information in various .note sections. The Ubuntu 20.04 man page for ELF includes a description of a few .note sections which are now part of a standard ELF object: .note : This section holds various notes....

2.11 Elf Binary Mangling Pt. 4: Limit Break

eZine lover (@eZine)
Published in tmp0ut · 3 Nov 2022

~ netspooky

CONTENTS
0. Introduction
1. Background
2. Read No Longer Implies Exec
3. Exploring Other Overlays
3.1 The 0x38 Overlay
3.2 The 0x31 Overlay
4. Tracing the ELF Loader
5. Limited Addition
6. There's Levels To This Chip
7. write() Or Die
8. ./xit

0. Introduction

It's been about three years since I started playing with tiny executable files and released the first part of the ELF Binary Mangling series. In part 2, we established a limit of 84 bytes for 64 bit ELFs. This was achieved by starting the program header at offset 0x1C within the ELF header, and carefully crafting each field to make it work within the required ...

2.10 A Brief Tour of VXnake by anonymous_

eZine lover (@eZine)
Published in tmp0ut · 3 Nov 2022

~ hexadecim8

Follow along with the code found here: vxnake1.tar.gz

0 Intro

I've been poking around the TMP clubhouse for a while, and the crew decided to give me the oddest bit of ELF they could find for my first write up. For anyone who had the Nokia phone in middle school (you know the one) you'll remember the classic game "snake". Well, this game of snake comes with some added elf excitement. This is a brief introduction to this code and a more in-depth analysis may happen at a later date.

1 File Structure

The program drops with a single directory aptly named 'virus'. The following file struct should help apprise the re...

2.9 MARX OF THE BEAST - RE of Lin64.M4rx

eZine lover (@eZine)
Published in tmp0ut · 3 Nov 2022

~ qkumba

Just what I needed today - a virus implemented as a virtual machine. At least it's short. Linux/Marx is a direct-action infector of 64-bit x86-based ELF files in the current directory, using the PT_LOAD technique. Fasten your seatbelts, we're going to race through the code.

WHERE DO YOU WANT TO GO TODAY?

The virus is implemented using 20 general registers, one stack register, and 1504 bytes of scratch memory (though it also moves the real stack pointer arbitrarily in order to access more memory). There are 31 defined commands, but only 29 of them actually do anything. These are the commands:
0x01 NOP
0x02 PUSH reg32
0...

2.8 Lin64.M4rx.asm

eZine lover (@eZine)
Published in tmp0ut · 3 Nov 2022

; A Virtualized virus, by s01den
; Don't spread this shit into the wild...
;...

2.7 Lin64.M4rx: How to write a virtual machine in order to hide your viruses and break your brain forever

eZine lover (@eZine)
Published in tmp0ut · 3 Nov 2022

With love, by S01den. mail: S01den@protonmail.com

Introduction

In this new paper, I'm gonna present to you my last virus: Lin64.M4rx, the first virus I wrote using a VM as a protection against reverse engineering. Obviously I didn't and I won't spread it into the wild. Don't do that stupid thing either. I implemented some tricks to spice up the RE a bit, such as false disassembly in some parts of the code, and the classic PTRACE_TRACEME technique (but this time, it won't be as easy as usual to bypass...). Also, as a rule, Lin64.M4rx is a virus infecting every ELF which is in the same directory (PIE or not), with PT_NOTE to ...

2.6 Preloading the linker for fun and profit

eZine lover (@eZine)
Published in tmp0ut · 3 Nov 2022

~ elfmaster

Introduction

Let's jump right in, and begin this paper by defining "Linker preloading". This technique refers to the idea that one can manipulate the kernel's ELF loader (see linux/fs/binfmt_elf.c) to pass execution to a custom program interpreter instead of the real dynamic linker. Note that the term 'program interpreter' usually refers to the dynamic linker, i.e. "/lib64/ld-linux.so", also known as the RTLD (Runtime loader). This paper is about creating an alternate 'program interpreter' which is loaded prior to the dynamic linker itself. Do not confuse the "linker preloading" technique wit...