23/01/2009 Featured Article: How to remove Buzus Virus

Sorgente ASM true.asm

An asm source code for Linux

(by brian raiter

This program returns an exit code of either zero or one, depending on whether it is invoked with the name "true" or "false", respectively. This one is the runt of the litter. Its size is 45 (count them) bytes. I believe that this is the smallest it is possible for a Linux ELF executable to be.
This article is online from 3488 days and has been seen 4375 times

;; true.asm: Copyright (C) 1999-2001 by Brian Raiter, under the GNU
;; General Public License (version 2 or later). No warranty.
;; To build:
;; nasm -f bin -o true true.asm && chmod +x true
;; ln -s true false


org 0x255F0000

db 0x7F, "ELF"
dd 1
dd 0
dw $$
_start: pop edi ; remove argc from stack
and eax, 0x00030002 ; clear all but 3 bits in eax
mov ch, 0xFF ; set ecx to >= 0xFF00
jmp short skip
dw _start
skip: pop edi ; get argv[0]
and eax, 4 ; set eax to zero
repnz scasb ; find end of argv[0]
inc eax ; 1 == exit system call
mov bl, [byte edi - 5] ; get 4th-to-last char (t or a)
and bl, al ; set bl to 0 or 1
int 0x80 ; exit(bl)
dw 0x20
db 1

;; This is how the file looks when it is read as an (incomplete) ELF
;; header, beginning at offset 0:
;; e_ident: db 0x7F, "ELF" ; required
;; db 1 ; 1 = ELFCLASS32
;; db 0 ; (garbage)
;; db 0 ; (garbage)
;; db 0x00, 0x00, 0x00, 0x00, 0x00 ; (unused)
;; db 0x00, 0x00, 0x5F, 0x25
;; e_type: dw 2 ; 2 = ET_EXE
;; e_machine: dw 3 ; 3 = EM_386
;; e_version: dd 0x02EBFFB5 ; (garbage)
;; e_entry: dd 0x255F000E ; program starts here
;; e_phoff: dd 4 ; phdrs located here
;; e_shoff: dd 0x8A40AEF2 ; (garbage)
;; e_flags: dd 0xC320FB5F ; (unused)
;; e_ehsize: dw 0x80CD ; (garbage)
;; e_phentsize: dw 0x20 ; phdr entry size
;; e_phnum: db 1 ; one phdr in the table
;; e_shentsize:
;; e_shnum:
;; e_shstrndx:
;; This is how the file looks when it is read as a program header
;; table, beginning at offset 4:
;; p_type: dd 1 ; 1 = PT_LOAD
;; p_offset: dd 0 ; read from top of file
;; p_vaddr: dd 0x255F0000 ; load at this address
;; p_paddr: dd 0x00030002 ; (unused)
;; p_filesz: dd 0x02EBFFB5 ; too big, but ok
;; p_memsz: dd 0x255F000E ; even bigger
;; p_flags: dd 4 ; 4 = PF_R
;; p_align: dd 0x8A40AEF2 ; (garbage)

;; Note that the top two bytes of the file's origin (0x5F 0x25)
;; correspond to the instructions "pop edi" and the first byte of "and
;; eax, IMM".
;; The fields marked as unused are either specifically documented as
;; not being used, or not being used with 386-based implementations.
;; Some of the fields marked as containing garbage are not used when
;; loading and executing programs. Other fields containing garbage are
;; accepted because Linux currently doesn't examine then.

