0pack
A novel technique to hide code from debuggers & disassemblers
A payload injector designed for x64 binaries, engineered to obscure code from debuggers and disassemblers. It integrates shellcode, crafted in Flat Assembler (FASM), into the binary's header as part of the relocation process. The execution is initiated at the unconventional entry point—offset zero of the header—deliberately creating ambiguity that often incapacitates debugging tools. The executed code can only be found by parsing the header relocations on disk.
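Because the injected code lives in the relocation table rather than in any normal code section, a defender wanting to spot it has to do exactly what the description says: parse the header relocations on disk. The following scanner is an added example, not part of 0pack; it reads a PIE ELF64 image with plain struct unpacking, flags an entry point that falls inside the ELF/program-header region, and lists R_X86_64_RELATIVE relocations whose target lies in that region. The sample image it builds is constructed for the demo and is not real 0pack output.

```python
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_RELA, DT_RELASZ = 0, 7, 8
R_X86_64_RELATIVE = 8

def vaddr_to_off(loads, vaddr):
    """Map a virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    return None

def scan_elf64(data):
    """Report an entry point inside the header region and RELATIVE relocations
    that write into it (ELF header + program headers); works on stripped files."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e_entry, e_phoff = struct.unpack_from("<QQ", data, 24)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    header_end = e_phoff + e_phnum * e_phentsize
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _, p_off, p_va, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_off, p_va, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_off + p_filesz)
    findings = {"entry_in_header": e_entry < header_end, "header_relocs": []}
    if dynamic is None:
        return findings
    rela_va = rela_sz = None
    off, end = dynamic
    while off + 16 <= end:                      # walk Elf64_Dyn entries for DT_RELA/DT_RELASZ
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_RELA:
            rela_va = d_val
        elif d_tag == DT_RELASZ:
            rela_sz = d_val
        off += 16
    if rela_va is None or rela_sz is None or vaddr_to_off(loads, rela_va) is None:
        return findings
    rela_off = vaddr_to_off(loads, rela_va)
    for i in range(rela_sz // 24):               # Elf64_Rela: r_offset, r_info, r_addend
        r_offset, r_info, r_addend = struct.unpack_from("<QQq", data, rela_off + i * 24)
        if (r_info & 0xFFFFFFFF) == R_X86_64_RELATIVE and r_offset < header_end:
            findings["header_relocs"].append((r_offset, r_addend))
    return findings

def build_sample():
    """Constructed PIE-style ELF64 (e_entry = 0): one relocation aimed at header
    byte 0x10 and one ordinary fixup at 0x3000. Demo data, not a 0pack artifact."""
    rela_va = 0x100
    rela = struct.pack("<QQq", 0x10, R_X86_64_RELATIVE, 0x41414141)
    rela += struct.pack("<QQq", 0x3000, R_X86_64_RELATIVE, 0x1000)
    dyn = struct.pack("<qQqQqQ", DT_RELA, rela_va, DT_RELASZ, len(rela), DT_NULL, 0)
    size = rela_va + len(rela)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, size, size, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 176, 176, 176, len(dyn), len(dyn), 8)
    img = bytearray(size)
    img[:64], img[64:176], img[176:176 + len(dyn)], img[rela_va:] = ehdr, phdrs, dyn, rela
    return bytes(img)
```

On a real binary, run scan_elf64(open(path, "rb").read()); a non-empty header_relocs list or entry_in_header being true is the signature to triage.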
Compiler flags
The targeted binary must be built with the following flags: gcc -m64 -fPIE -pie
Static linking is not possible, because -pie and -static are incompatible flags. In other words:
> -static means a statically linked executable with no dynamic
> relocations and only PT_LOAD segments. -pie means a shared library with
> dynamic relocations and PT_INTERP and PT_DYNAMIC segments.
Presentation links
HTML: https://luis-hebendanz.github.io/0pack/
PDF: https://github.com/Luis-Hebendanz/0pack/raw/master/0pack-presentation.pdf
Video: https://github.com/Luis-Hebendanz/0pack/raw/master/html/showcase_video.webm
Debugger behaviour
Debuggers generally do not cope well with 0 as the entry point, and it is often impossible to set breakpoints in the header area.
Another frequently occurring issue is that the entry0 label is incorrectly set to the main label.
This means an attacker can deliberately mislead the reverse engineer into analysing fake code by jumping over the main method.
Executing db entry0 in radare2 exhibits this behaviour.
Affected debuggers
- radare2
- Hopper
- gdb
- IDA Pro --> Not tested
0pack help
Injects shellcode as relocations into an ELF binary
Usage:
0pack [OPTION...]
-d, --debug Enable debugging
-i, --input arg Input file path. Required.
-p, --payload arg Fasm payload path.
-b, --bin_payload arg Binary payload path.
-o, --output arg Output file path. Required.
-s, --strip Strip the binary. Optional.
-b, --bin_payload
The bin_payload option reads a binary file and converts it to ELF relocations.
0pack appends a jmp to the original entry point after the binary payload.
-p, --payload
Requires a FASM payload; 0pack prepends a "push all registers" sequence to it and appends a "pop all registers" sequence followed by a jmp to the original entry point.
Dependencies
- cmake version 3.12.2 or higher
- build-essential
- gcc
- fasm
Use build script
$ ./build.sh
Build it manually
$ mkdir build
$ cd build
$ cmake ..
$ make
$ ./../main.elf