From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001 From: Root THC Date: Tue, 24 Feb 2026 12:42:47 +0000 Subject: initial --- other/shellkit/mips.c | 143 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 143 insertions(+) create mode 100644 other/shellkit/mips.c (limited to 'other/shellkit/mips.c') diff --git a/other/shellkit/mips.c b/other/shellkit/mips.c new file mode 100644 index 0000000..dda3f92 --- /dev/null +++ b/other/shellkit/mips.c @@ -0,0 +1,143 @@ +/* mips.c - generic mips functions + * + * by team teso + */ + +#include +#include +#include "shellcode.h" +#include "mips.h" + +static unsigned long int mips_nop_rwreg (void); +static unsigned long int mips_nop_roreg (void); +static unsigned long int mips_nop_xfer (char *xferstr); + +/* mips generic isa "nop" space generator + */ + +/* get random read write register (i.e. not sp, everything else allowed) + */ +static unsigned long int +mips_nop_rwreg (void) +{ + unsigned long int reg; + + do { + reg = random_get (0, 31); + } while (reg == 29); /* 29 = $sp */ + + return (reg); +} + + +static unsigned long int +mips_nop_roreg (void) +{ + return (random_get (0, 31)); +} + + +static unsigned long int +mips_nop_xfer (char *xferstr) +{ + int bw = 0; /* bitfield walker */ + unsigned long int tgt; /* resulting instruction */ + + /* in a valid xferstr we trust */ + for (tgt = 0 ; xferstr != NULL && xferstr[0] != '\0' ; ++xferstr) { + switch (xferstr[0]) { + case ('0'): + BSET (tgt, 1, 0, bw); + break; + case ('1'): + BSET (tgt, 1, 1, bw); + break; + case ('r'): + BSET (tgt, 5, mips_nop_roreg (), bw); + break; + case ('w'): + BSET (tgt, 5, mips_nop_rwreg (), bw); + break; + case ('c'): + BSET (tgt, 16, random_get (0, 0xffff), bw); + break; + case ('.'): + break; /* ignore */ + default: + fprintf (stderr, "on steroids, huh?\n"); + exit (EXIT_FAILURE); + break; + } + } + + if (bw != 32) { + fprintf (stderr, "invalid bitwalker: bw = %d\n", bw); + exit (EXIT_FAILURE); + } + + return (tgt); +} + + +unsigned int +mips_nop (unsigned char *dest, unsigned int dest_len, + unsigned char *bad, int bad_len) +{ + int walk; + int bcount; /* bad counter */ + char * xs; + char * xferstr[] = { + "000000.r.r.w.00000.000100", /* sllv rs rt rd */ + "000000.r.r.w.00000.000110", /* srlv rs rt rd */ + "000000.r.r.w.00000.000111", /* srav rs rt rd */ + "000000.r.r.w.00000.100001", /* addu rs rt rd */ + "000000.r.r.w.00000.100011", /* subu rs rt rd */ + "000000.r.r.w.00000.100100", /* and rs rt rd */ + "000000.r.r.w.00000.100101", /* or rs rt rd */ + "000000.r.r.w.00000.100110", /* xor rs rt rd */ + "000000.r.r.w.00000.100111", /* nor rs rt rd */ + "000000.r.r.w.00000.101010", /* slt rs rt rd */ + "000000.r.r.w.00000.101011", /* sltu rs rt rd */ + "001001.r.w.c", /* addiu rs rd const */ + "001010.r.w.c", /* slti rs rd const */ + "001011.r.w.c", /* sltiu rs rd const */ + "001100.r.w.c", /* andi rs rd const */ + "001101.r.w.c", /* ori rs rd const */ + "001110.r.w.c", /* xori rs rd const */ + "001111.00000.w.c", /* lui rd const */ + NULL, + }; + unsigned long int tgt; + + if (dest_len % 4) { + fprintf (stderr, "off by %d padding of dest_len (= %u), rounding down\n", + dest_len % 4, dest_len); + dest_len -= (dest_len % 4); + } + + for (walk = 0 ; dest_len > 0 ; dest_len -= 4 , walk += 4) { + /* avoid endless loops on excessive badlisting */ + for (bcount = 0 ; bcount < 16384 ; ++bcount) { + xs = xferstr[random_get (0, 17)]; + tgt = mips_nop_xfer (xs); + + dest[walk + 0] = (tgt >> 24) & 0xff; + dest[walk + 1] = (tgt >> 16) & 0xff; + dest[walk + 2] = (tgt >> 8) & 0xff; + dest[walk + 3] = tgt & 0xff; + if (badstr (&dest[walk], 4, bad, bad_len) == 0) + break; + } + + /* should not happen */ + if (bcount >= 16384) { + fprintf (stderr, "too much blacklisting, giving up...\n"); + exit (EXIT_FAILURE); + } + } + + return (walk); +} + + + -- cgit v1.3