From: Farley Flud
Subject: Think You're A Programmer? Think Again.
Newsgroups: comp.os.linux.advocacy
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Lines: 39
Path: ...!weretis.net!feeder6.news.weretis.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!feeder.usenetexpress.com!tr2.iad1.usenetexpress.com!news.usenetexpress.com!not-for-mail
Date: Sat, 13 Apr 2024 15:21:53 +0000
Nntp-Posting-Date: Sat, 13 Apr 2024 15:21:53 +0000
X-Received-Bytes: 1418
Organization: UsenetExpress - www.usenetexpress.com
X-Complaints-To: abuse@usenetexpress.com
Message-Id: <17c5e02c1c64d208$662$181469$802601b3@news.usenetexpress.com>
Bytes: 1812

Any TRUE programmer can also program in reverse, i.e. de-program.

Let's see if you can assist the global effort in documenting the
xz-backdoor.

GNU/Linux has the absolute best tool for the job: Ghidra.

https://ghidra-sre.org/

I have posted an image of the xz-backdoor loaded into Ghidra and
analyzed:

https://i.postimg.cc/NsrmMvDv/xz-backdoor.png

The left panel shows the disassembled code and the right shows the
corresponding de-compile. Notice the match:

    xor  edi, edi
    mov  esi, 0x12
    mov  edx, 0x46
    mov  ecx, 0x02
    CALL .Llzma_decoder_end.1    <==>  iVar4 = .Llzma_decoder_end.1(0, 0x12, 0x46, 2);

    TEST EAX, EAX
    JZ   LAB_00100606            <==>  if (iVar4 == 0) {

Ghidra is fucking fantastic!

Unfortunately, I will not be attempting to document the backdoor. To do
so would entail first learning thoroughly the functions of sshd and I am
not at all interested in network programming.

Yes, sshd. Did you think that the xz-backdoor was about
compression/decompression?

Ha, ha, ha, ha, ha, ha, ha, ha, ha!

Think again.
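Why the two panels line up: under the System V AMD64 calling convention the first integer arguments go in EDI, ESI, EDX, ECX (then R8D, R9D), the return value comes back in EAX, and TEST EAX, EAX followed by JZ is the zero check. The toy lifter below is an added illustration, not the post's or Ghidra's code; it knows only the instructions in the post's snippet and reconstructs the decompiled lines from them.

```python
from itertools import takewhile

# System V AMD64 ABI: the first six integer arguments travel in these registers,
# in this order (32-bit names, which is what Ghidra shows for int-sized values).
ARG_REGS = ["edi", "esi", "edx", "ecx", "r8d", "r9d"]
ALIASES = {"rdi": "edi", "rsi": "esi", "rdx": "edx", "rcx": "ecx", "rax": "eax"}

def _norm(reg: str) -> str:
    return ALIASES.get(reg.lower(), reg.lower())

def lift(asm: str, next_var: int = 1) -> list[str]:
    """Lift the call/test/jz pattern to Ghidra-style C; next_var numbers the iVarN temporaries."""
    regs: dict[str, str] = {}   # register -> C expression it currently holds
    out: list[str] = []
    tested = None               # expression whose zero-ness the last TEST checked
    for raw in asm.splitlines():
        line = raw.strip()
        if not line:
            continue
        mnem, _, rest = line.partition(" ")
        mnem = mnem.lower()
        ops = [o.strip() for o in rest.split(",")] if rest else []
        if mnem == "xor" and len(ops) == 2 and _norm(ops[0]) == _norm(ops[1]):
            regs[_norm(ops[0])] = "0"                 # xor r, r is the idiom for r = 0
        elif mnem == "mov" and len(ops) == 2:
            val = int(ops[1], 0)                      # immediate operand
            regs[_norm(ops[0])] = str(val) if val < 10 else hex(val)
        elif mnem == "call":
            # Arguments are whatever the ABI registers hold, read in ABI order.
            args = [regs[r] for r in takewhile(regs.__contains__, ARG_REGS)]
            var = f"iVar{next_var}"
            next_var += 1
            out.append(f"{var} = {ops[0]}({', '.join(args)});")
            regs = {"eax": var}                       # result in EAX; caller-saved regs are clobbered
        elif mnem == "test" and len(ops) == 2 and _norm(ops[0]) == _norm(ops[1]):
            tested = regs.get(_norm(ops[0]), ops[0])  # test r, r sets ZF iff r == 0
        elif mnem == "jz" and tested is not None:
            out.append(f"if ({tested} == 0) {{")      # branch taken when ZF is set
        else:
            raise ValueError(f"unsupported instruction: {line!r}")
    return out

# The instruction sequence from the post, as constructed sample input.
POST_ASM = """xor edi, edi
mov esi, 0x12
mov edx, 0x46
mov ecx, 0x02
CALL .Llzma_decoder_end.1
TEST EAX, EAX
JZ LAB_00100606"""
```

`lift(POST_ASM, next_var=4)` returns exactly the two decompiled lines shown in the post; the temporary's number is a parameter because Ghidra numbers iVarN across the whole function.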