I left off the last post with saying I'd have a bit of a poke around. I didn't, however, imagine how difficult it would be.
I decided that the best thing to do would be to build the software, then try to see what it does. Never mind that it's spyware or whatever, I'm in a safe environment - plus, I doubt it'll matter now that nobody is ever going to contract with Hacking Team ever again.
So I'll just run make, right? What could go wrong?
Yeah, I ran into some problems. First of all, I didn't have a command called diet installed (which was really very difficult to google for). After a bit of digging, I found it in a package called dietlibc-dev - I'm building this on Ubuntu 14.04, which may or may not be a suicide mission.
That was only the beginning. The next error that make threw looked to be a bit stranger:
I (wrongly) tried to typedef the missing __u64 type in dropper.c before I read the error message properly, for an embarrassingly long time. When I'd finished banging my head against the desk, I opened up emacs with root privileges to have a look at it. The __u64 rip; definition causing all the trouble was pretty easy to spot, on line 21. Along with the double-underscore prefix, the fact that the only include file is asm/types.h makes it a pretty safe bet that __u64 is (not) defined in there somewhere.
There! Since the other assembly-style declarations aren't causing any errors, we can assume that asm/types.h was correctly included. That means something's causing that preprocessor if-block to be skipped: either __STRICT_ANSI__ is defined, or __STDC_VERSION__ isn't high enough. I'm not fussed about which it is, so I've just commented out the if-macro completely; the __u64 type is defined no matter what. make should get past that particular problem.
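As an added illustration (not code from the post or from the leaked source), here is the shape of guard that typically hides a __u64 typedef in a libc's asm/types.h, with a check that reports which macro closed it and a stdint.h fallback that keeps the type 64 bits wide without deleting the guard. The exact guard in dietlibc's asm/types.h is assumed, not copied from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed form of the guard: `long long` is not C89, so the header only
 * exposes the typedef when the compiler is not in strict-ANSI mode or is
 * compiling as C99 or later. */
#if !defined(__STRICT_ANSI__) || (defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L)
#  define DEMO_GUARD_OPEN 1
   typedef unsigned long long demo_u64;
#else
#  define DEMO_GUARD_OPEN 0
   /* Fallback that does not depend on the guard: the exact-width type from
    * stdint.h is always 64 bits, which is what a field like `rip` needs. */
   typedef uint64_t demo_u64;
#endif

/* Report why the typedef is invisible instead of commenting the guard out.
 * The guard can only close when BOTH conditions fail at once. */
const char *demo_guard_reason(void)
{
#if DEMO_GUARD_OPEN
    return "guard open: typedef visible";
#else
    return "guard closed: __STRICT_ANSI__ defined (-ansi/-std=c89) and "
           "__STDC_VERSION__ below 199901L";
#endif
}

int demo_guard_open(void) { return DEMO_GUARD_OPEN; }

/* Whichever branch was taken, the type must be exactly 64 bits wide. */
size_t demo_u64_width(void) { return sizeof(demo_u64); }
int demo_u64_is_64bit(void) { return sizeof(demo_u64) * 8 == 64; }

int main(void)
{
    printf("%s\n", demo_guard_reason());
    printf("demo_u64 is %zu bytes, 64-bit: %s\n", demo_u64_width(),
           demo_u64_is_64bit() ? "yes" : "no");
    return demo_u64_is_64bit() ? 0 : 1;
}
```

Compiling the same file with -std=c89 versus -std=gnu99 shows the guard flipping while the width check stays green, which is the check worth running before editing a system header as root.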
Next, it threw up some warnings about some printf flavour I've never seen before (vsnprintf, if you're interested), then failed because /bin/upx wasn't installed.
upx made me realise what the problems with printf were: UPX is a packer for executables, and the printf family of functions "add several kilobytes of bloat" (at least according to the build output).
Luckily, a simple sudo apt-get install upx did the trick to install the packer. The next error looked fairly tricky:
# include <sys/cdefs.h> threw an error, saying that there was no such file or directory. This AskUbuntu answer seemed to work for me, but it also confirmed what I've been slightly worried about ever since the __u64 type was the only one not defined: this software might not be designed for 64-bit operating systems, which means I'll have to do a lot of compatibility work.
Here's a small sample of the make output currently:
This seems like a good place to end this post: after that last command, there was a lot of fan-whirring and output; it seems like the majority of the work is done. Hopefully there'll be just a few more snags to get through until we get a full working spyware binary to give to oppressive governments!