q3k :blobcatcoffee: on Nostr: I have managed to extract a list of encoded strings within the liblzma/xz backdoor ...
I have managed to extract a list of encoded strings within the liblzma/xz backdoor payload (5.6.1):
https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01
The code has a dictionary of strings that are encoded as a prefix trie, which helps to keep things stealthy. This is then used, e.g., to look up symbols: e.g. bd_elf_lookup_hash(..., 0x2b0, ...) means bd_elf_lookup_hash(..., "__libc_stack_end", ...). This is also why it's slow :).
This should bring us one step closer to knowing what the binary payload does.
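An added illustration of the technique the post describes (not code from the backdoor, not from q3k's gist, and not the backdoor's actual byte format): a symbol list stored as a compressed prefix trie (radix tree), where each string is identified only by the byte offset of the record at which it terminates, so that turning an ID back into a name means walking the table from the root with the accumulated prefix. The record layout and the symbol names in SYMBOLS are constructed assumptions for this example; the IDs it produces (e.g. 51 for __libc_stack_end) are an artifact of this layout and have nothing to do with the 0x2b0 in the post.

```python
"""Illustrative prefix-trie string table with offset-based string IDs.

Added example: the record layout below is made up for illustration and is
NOT the xz/liblzma backdoor's format; SYMBOLS is a constructed list.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample dictionary (assumption, not the backdoor's table).
SYMBOLS: List[str] = [
    "__libc_stack_end",
    "__libc_start_main",
    "getuid",
    "setlogmask",
    "RSA_public_decrypt",
    "RSA_get0_key",
]


class _Node:
    __slots__ = ("children", "terminal")

    def __init__(self) -> None:
        self.children: Dict[str, "_Node"] = {}
        self.terminal = False


def _build(words: List[str]) -> _Node:
    """Plain character trie; compressed into a radix tree while encoding."""
    root = _Node()
    for w in words:
        node = root
        for ch in w:
            node = node.children.setdefault(ch, _Node())
        node.terminal = True
    return root


def encode_table(words: List[str]) -> Tuple[bytes, Dict[str, int]]:
    """Serialise words as a depth-first radix tree.

    Hypothetical record layout: [label_len u8][label][flags u8][n_children u8]
    followed inline by the child records (no size or parent fields).
    flags bit0 = a word ends at this record. A word's ID is the byte offset
    of the record where it ends. Returns (table, {word: id}).
    """
    root = _build(words)
    out = bytearray()
    ids: Dict[str, int] = {}

    def emit(node: _Node, label: str, prefix: str) -> None:
        # Radix compression: fold single-child, non-terminal chains into one
        # edge label. The root keeps its empty label.
        while label and not node.terminal and len(node.children) == 1:
            (ch, child), = node.children.items()
            label += ch
            node = child
        start = len(out)
        lab = label.encode("ascii")
        out.append(len(lab))
        out.extend(lab)
        out.append(1 if node.terminal else 0)
        out.append(len(node.children))
        full = prefix + label
        if node.terminal:
            ids[full] = start
        for ch in sorted(node.children):  # sorted for a deterministic table
            emit(node.children[ch], ch, full)

    emit(root, "", "")
    return bytes(out), ids


def _record(table: bytes, off: int) -> Tuple[str, int, int, int]:
    """Parse one record at `off`; return (label, flags, n_children, next_off)."""
    n = table[off]
    label = table[off + 1:off + 1 + n].decode("ascii")
    flags, nchild = table[off + 1 + n], table[off + 2 + n]
    return label, flags, nchild, off + 3 + n


def string_for_id(table: bytes, wanted: int) -> Optional[str]:
    """Recover the string whose terminating record starts at `wanted`.

    Records carry no parent pointers or subtree sizes, so the only way is a
    depth-first walk from the root carrying the prefix built so far, until
    the wanted offset is reached: O(table size) per lookup, which is why
    resolving symbols through such a table is slow.
    """
    def walk(off: int, prefix: str) -> Tuple[Optional[str], int]:
        start = off
        label, flags, nchild, off = _record(table, off)
        here = prefix + label
        hit = here if (flags & 1 and start == wanted) else None
        for _ in range(nchild):
            child_hit, off = walk(off, here)
            if hit is None:
                hit = child_hit
        return hit, off

    return walk(0, "")[0]


if __name__ == "__main__":
    table, ids = encode_table(SYMBOLS)
    for name, sid in ids.items():
        print(f"0x{sid:x} -> {string_for_id(table, sid)}")
```

Looking an ID up the other way (walking from the root while matching edge labels) is cheap; it is the ID-to-string direction, needed when a numeric argument like the one in the post has to be resolved, that forces the full walk.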