###################################################
#                                                 #
# FLE-ELFcorrupt.s                                #
#                                                 #
# Destructive ELF "crasher": it overwrites the   #
# magic 0x7f'ELF' with 0x7f'FLE' in place, so the #
# binary no longer executes. The target is opened #
# O_RDWR and rewritten with no backup; symlinks   #
# are followed. Only run it on a copy.            #
#                                                 #
# $as --32 FLE-ELFcorrupt.s -o FLE-ELFcorrupt.o      #
# $ld -m elf_i386 FLE-ELFcorrupt.o -o FLE-ELFcorrupt #
# (32-bit int $0x80 code; --32 / -m elf_i386 are  #
#  required when building on an x86-64 host)      #
# $./anyelf                                       #
# Hello World                                     #
# $./FLE-ELFcorrupt ./anyelf                      #
# $./anyelf                                       #
# Cannot execute                                  #
#                                                 #
# nitrous[at]conthackto[dot]com[dot]mx            #
# 29/11/2005                                      #
###################################################

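# Constants and messages.
#
# The .equ symbols are assembler-time only and belong to no section.  The
# message strings are constant, so they live in .rodata (read-only) instead
# of the writable .data section the original used.
.section .rodata
	#GLOBAL VARS
	.equ	STDIN, 0		# was misspelled SDTIN; not referenced by the code
	.equ	STDOUT, 1
	.equ	STDERR, 2
	# i386 Linux syscall numbers (int $0x80 ABI)
	.equ	SYS_EXIT, 1
	.equ	SYS_READ, 3
	.equ	SYS_WRITE, 4
	.equ	SYS_OPEN, 5
	.equ	SYS_CLOSE, 6
	.equ	SYS_LSEEK, 19
	.equ	O_RDWR, 2		# open(2) flag: read+write, no O_CREAT
	.equ	SEEK_SET, 0		# lseek(2) whence: absolute offset
	# e_ident[0..3] as one little-endian 32-bit word.
	# bytes 7f 45 4c 46  = 0x7f 'E' 'L' 'F'  (valid ELF magic)
	# bytes 7f 46 4c 45  = 0x7f 'F' 'L' 'E'  (what we overwrite it with)
	.equ	MAGIC_YEAH, 0x464c457f	#0x7f 'ELF' in Little Endian
	.equ	MAGIC_HELL, 0x454c467f	#0x7f 'FLE' in Little Endian
	.equ	NULL, 0x00000000

# Messages are written with write(2) using the LENxxx byte counts, so they
# carry no NUL terminator.

NOARG:
	.ascii	"I need an ELF file as argument\n"
LENNOARG = . - NOARG

ERROPEN:
	.ascii	"Cannot open() file\n"
LENERROPEN = . - ERROPEN

NOELF:
	.ascii	"This is not an ELF file\n"
LENNOELF = . - NOELF

INF:
	.ascii	"Changed \"ELF\" to \"FLE\" hehehe }:-)\nBy -=[nITROUs]=-\n"
LENINF = . - INF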


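.section .text
.globl _start
#------------------------------------------------------------------------
# _start -- program entry (i386 Linux, raw int $0x80 syscalls, no libc).
#
# Stack on entry: (%esp) = argc, 4(%esp) = argv[0], 8(%esp) = argv[1], ...
# Register roles:
#   %esi = argv[1], path of the file to corrupt
#   %edi = file descriptor returned by open(2) for argv[1]
#   (%esp) after the pushl below = 4-byte scratch slot holding the magic
#
# Syscall numbers and descriptors are always loaded with a full 32-bit
# movl.  int $0x80 returns -errno in %eax on failure, and a byte-sized
# movb into %al on top of such a value yields a bogus syscall number; the
# original error paths (failed read/write) hit ENOSYS that way and then
# fell off the end of _start.
#
# Exits 0 on every path, like the original; callers must inspect stderr.
#------------------------------------------------------------------------
_start:
	movl	(%esp), %eax		# argc
	cmpl	$2, %eax
	jb	usage			# no path given; also covers argc == 0, where
					# 8(%esp) would be envp[0], not argv[1]
	movl	8(%esp), %esi		# %esi = argv[1]

	# open(argv[1], O_RDWR) -- mode argument is ignored without O_CREAT
	movl	$SYS_OPEN, %eax
	movl	%esi, %ebx
	movl	$O_RDWR, %ecx
	xorl	%edx, %edx
	int	$0x80
	movl	%eax, %edi		# %edi = fd
	testl	%edi, %edi
	js	erropen			# negative result is -errno

	# read(fd, scratch, 4) into a fresh stack slot instead of overwriting argc
	pushl	$0
	movl	$SYS_READ, %eax
	movl	%edi, %ebx
	movl	%esp, %ecx
	movl	$4, %edx
	int	$0x80
	cmpl	$4, %eax
	jne	notelf			# short read or error: cannot be an ELF header
	cmpl	$MAGIC_YEAH, (%esp)
	jne	notelf

infect:
	# lseek(fd, 0, SEEK_SET): rewind to e_ident[0].  If this fails, leave
	# the file alone rather than writing at whatever offset read() left.
	movl	$SYS_LSEEK, %eax
	movl	%edi, %ebx
	xorl	%ecx, %ecx
	movl	$SEEK_SET, %edx
	int	$0x80
	testl	%eax, %eax
	jnz	closefile		# 0 is the only success value for offset 0

	# write(fd, &MAGIC_HELL, 4): overwrite e_ident[0..3] in place
	movl	$MAGIC_HELL, (%esp)	# reuse the scratch slot as the source buffer
	movl	$SYS_WRITE, %eax
	movl	%edi, %ebx
	movl	%esp, %ecx
	movl	$4, %edx
	int	$0x80
	cmpl	$4, %eax
	jne	closefile		# nothing (or only part) written: do not claim success

	# write(STDOUT, INF, LENINF) -- only after the magic has really changed
	movl	$SYS_WRITE, %eax
	movl	$STDOUT, %ebx
	movl	$INF, %ecx
	movl	$LENINF, %edx
	int	$0x80

closefile:
	movl	$SYS_CLOSE, %eax
	movl	%edi, %ebx
	int	$0x80			# close(fd)
	jmp	exit

notelf:
	movl	$SYS_WRITE, %eax
	movl	$STDERR, %ebx
	movl	$NOELF, %ecx
	movl	$LENNOELF, %edx
	int	$0x80			# write(STDERR, NOELF, LENNOELF)
	jmp	closefile

erropen:
	movl	$SYS_WRITE, %eax
	movl	$STDERR, %ebx
	movl	$ERROPEN, %ecx
	movl	$LENERROPEN, %edx
	int	$0x80			# write(STDERR, ERROPEN, LENERROPEN)
	jmp	exit

usage:
	movl	$SYS_WRITE, %eax
	movl	$STDERR, %ebx
	movl	$NOARG, %ecx
	movl	$LENNOARG, %edx
	int	$0x80			# write(STDERR, NOARG, LENNOARG)

exit:
	movl	$SYS_EXIT, %eax
	xorl	%ebx, %ebx
	int	$0x80			# exit(0)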
