<17c5e02c1c64d208$662$181469$802601b3@news.usenetexpress.com>

From: Farley Flud <ff@linux.rocks>
Subject: Think You're A Programmer?  Think Again.
Newsgroups: comp.os.linux.advocacy
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Lines: 39
Path: ...!weretis.net!feeder6.news.weretis.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!feeder.usenetexpress.com!tr2.iad1.usenetexpress.com!news.usenetexpress.com!not-for-mail
Date: Sat, 13 Apr 2024 15:21:53 +0000
Nntp-Posting-Date: Sat, 13 Apr 2024 15:21:53 +0000
X-Received-Bytes: 1418
Organization: UsenetExpress - www.usenetexpress.com
X-Complaints-To: abuse@usenetexpress.com
Message-Id: <17c5e02c1c64d208$662$181469$802601b3@news.usenetexpress.com>
Bytes: 1812

Any TRUE programmer can also program in reverse, i.e. de-program.

Let's see if you can assist the global effort in documenting the
xz-backdoor.

GNU/Linux has the absolute best tool for the job: Ghidra.

https://ghidra-sre.org/

I have posted an image of the xz-backdoor loaded into Ghidra
and analyzed:

https://i.postimg.cc/NsrmMvDv/xz-backdoor.png

The left panel shows the disassembled code and the right shows
the corresponding decompile.

Notice the match:

xor edi, edi
mov esi, 0x12
mov edx, 0x46
mov ecx, 0x02
CALL .Llzma_decoder_end.1  <==> iVar4 = .Llzma_decoder_end.1(0, 0x12, 0x46, 2);

TEST EAX, EAX
JZ LAB_00100606  <==> if (iVar4 == 0) {

Ghidra is fucking fantastic!

Unfortunately, I will not be attempting to document the backdoor.
To do so would entail first learning thoroughly the functions of
sshd and I am not at all interested in network programming.

Yes, sshd.  Did you think that the xz-backdoor was about compression/
decompression?  Ha, ha, ha, ha, ha, ha, ha, ha, ha!

Think again.
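The disassembly/decompile match the post points at is the x86-64 System V calling convention at work: integer arguments travel in rdi, rsi, rdx, rcx, r8, r9 (writing edi zero-extends into rdi, and `xor edi, edi` is the zeroing idiom), the return value comes back in eax/rax, and `test eax, eax` followed by `jz` is `if (ret == 0)`. The script below is an added example, not Ghidra's code and not the poster's; it lifts a short call sequence such as the one in the screenshot into Ghidra-style pseudo-C. The sample listing is the post's own instructions; the function and variable names (`lift`, `iVarN`, numbered by call order rather than by Ghidra's declaration order) are this example's choices.

```python
"""Lift a short x86-64 (System V ABI) call sequence into Ghidra-style pseudo-C.

Added example; it is neither Ghidra's code nor the poster's. It reproduces the
disassembly <==> decompile match shown in the post: arguments are taken from the
leading run of ABI argument registers with known values, the return value of a
call is named iVarN, and `test eax, eax; jz/jnz` becomes `if (iVarN ==/!= 0) {`.
Immediates are printed the way Ghidra prints them (small values decimal, others hex).
"""
import re

# Integer argument registers of the System V AMD64 calling convention, in order.
ARG_REGS = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"]

# 32-bit aliases as they appear in the post; a 32-bit write zero-extends into
# the full 64-bit register, so the value lands in the ABI register.
ALIASES = {"edi": "rdi", "esi": "rsi", "edx": "rdx", "ecx": "rcx",
           "r8d": "r8", "r9d": "r9", "eax": "rax"}

IMM_RE = re.compile(r"0x[0-9a-f]+|[0-9]+", re.I)


def canon(reg):
    """Map a register name to its canonical 64-bit name."""
    return ALIASES.get(reg.lower(), reg.lower())


def parse_imm(tok):
    tok = tok.strip().lower()
    return int(tok, 16) if tok.startswith("0x") else int(tok, 10)


def fmt_imm(value):
    """Ghidra prints 0..9 in decimal and larger immediates in hex."""
    return str(value) if value < 10 else hex(value)


def lift(asm_lines):
    """Return a list of pseudo-C lines for the given assembly listing."""
    regs = {}        # canonical register -> known immediate value
    out = []
    ret_var = None   # pseudo-C variable holding the last call's return value
    tested = None    # variable whose value the flags currently reflect
    call_no = 0
    for raw in asm_lines:
        line = raw.strip()
        if not line or line.startswith("LAB_"):   # blank lines and labels
            continue
        parts = line.split(None, 1)
        mnem = parts[0].lower()
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []

        if mnem == "xor" and len(ops) == 2 and canon(ops[0]) == canon(ops[1]):
            regs[canon(ops[0])] = 0              # xor r, r zeroes r
        elif mnem == "mov" and len(ops) == 2 and IMM_RE.fullmatch(ops[1]):
            regs[canon(ops[0])] = parse_imm(ops[1])
        elif mnem == "call" and len(ops) == 1:
            args = []
            for r in ARG_REGS:                   # leading run of known arg regs
                if r not in regs:
                    break
                args.append(fmt_imm(regs[r]))
            call_no += 1
            ret_var = f"iVar{call_no}"
            out.append(f"{ret_var} = {ops[0]}({', '.join(args)});")
            regs = {}                            # caller-saved registers are clobbered
            tested = None
        elif (mnem == "test" and len(ops) == 2
              and canon(ops[0]) == "rax" and canon(ops[1]) == "rax"):
            tested = ret_var                     # flags now describe the return value
        elif mnem in ("jz", "je", "jnz", "jne") and tested is not None:
            op = "==" if mnem in ("jz", "je") else "!="
            out.append(f"if ({tested} {op} 0) {{")
            tested = None
        else:
            out.append(f"/* not lifted: {line} */")
    return out


# The listing from the post's screenshot (constructed sample input).
SAMPLE = """
xor edi, edi
mov esi, 0x12
mov edx, 0x46
mov ecx, 0x02
CALL .Llzma_decoder_end.1
TEST EAX, EAX
JZ LAB_00100606
""".strip().splitlines()

if __name__ == "__main__":
    for pseudo in lift(SAMPLE):
        print(pseudo)
```

Running it prints `iVar1 = .Llzma_decoder_end.1(0, 0x12, 0x46, 2);` followed by `if (iVar1 == 0) {`, the two lines the post pairs up. The lifter is deliberately narrow: it knows nothing about stack arguments, memory operands, or register-to-register moves, so anything it cannot account for is emitted as a `/* not lifted */` comment rather than silently dropped.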