From f5652f5f4f767e2322fbcf97c04a0daa4e02841c Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Mon, 8 Mar 2021 07:11:53 +0000 Subject: [PATCH] Update README.md --- README.md | 43 +++++++++++++++++++------------------------ 1 file changed, 19 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index dd7dc59..30929e7 100644 --- a/README.md +++ b/README.md @@ -57,39 +57,34 @@ This c++ function, compiled by clang-cl with `mcmodel=large`, will generate a ro 0x53: ?UsermodeNoObfuscation@@YAXXZ endp ``` -# Obfuscation - -The usage of the word obfuscation in this project is use to define any changes made to code, this includes code flow. `obfuscation::obfuscate`, a base class, which is inherited and expanded upon by `obfuscation::mutation`, obfuscates code flow by inserting `JMP [RIP+0x0]` instructions after every single instruction. This allows for a routine to be broken up into unique allocations of memory and thus provides more canvas room for creative ideas. +As you can see from the code above, (sorry for the terrible syntax highlighting), references to strings and calls to functions are done by first loading the address of the symbol into a register and then interfacing with the symbol. -### Obfuscation - Base Class +```nasm +0x2D: 48 B8 A0 01 00 00 00 00 00 00 mov rax, offset MessageBoxA +; ... +0x3D: FF D0 call rax ; MessageBoxA +``` -The base class, as described in the above section, contains a handful of util routines and a single explicit constructor which is the corner stone of the class. The constructor fixes JCC relative virtual addresses so that if the condition is met, instead of jumping instruction pointer relativitly, it will jump to an addition jmp (`JMP [RIP+0x0]`). LEA, nor CALL are rip relative, even for symbols defined inside of the routine in which the instruction is compiled into. In other words JCC instructions are the only instruction pointer relative instructions that are generated. +Each of these instructions can be anywhere in virtual memory and it would not effect code execution one bit. However this is not the case with routines which have conditional branches. Take the following c++ code for example. ```cpp -reloc_t inline_jmp_reloc +ObfuscateRoutine +void LoopDemo() { - reloc_type::next_instruction_addr, - JMP_RIP_ADDR_IDX -}; + for (auto idx = 0u; idx < 10; ++idx) + DbgPrint("> Loop Demo: %d\n", idx); +} +``` -reloc_t inline_jmp_branch -{ - reloc_type::jcc, - JMP_RIP_ADDR_IDX, - *reinterpret_cast(rva_fix_addr) -}; +This c++ function, compiled by clang-cl with `mcmodel=large`, will generate a routine with the following instructions: + +# Obfuscation -std::printf("> fixing JCC rva...\n"); -std::printf("> new rva = 0x%x\n", JMP_RIP_SIZE); -std::printf("> old rva = 0x%x\n", *reinterpret_cast(rva_fix_addr)); +The usage of the word obfuscation in this project is use to define any changes made to code, this includes code flow. `obfuscation::obfuscate`, a base class, which is inherited and expanded upon by `obfuscation::mutation`, obfuscates code flow by inserting `JMP [RIP+0x0]` instructions after every single instruction. This allows for a routine to be broken up into unique allocations of memory and thus provides more canvas room for creative ideas. -// when you inherit obfuscate please be mindful of JCC rvas... -*reinterpret_cast(rva_fix_addr) = JMP_RIP_SIZE; +### Obfuscation - Base Class -gadget_stack.push_back({ instruction.second, {} }); -gadget_stack.push_back({ jmp_rip, inline_jmp_reloc }); -gadget_stack.push_back({ jmp_rip, inline_jmp_branch }); -``` +The base class, as described in the above section, contains a handful of util routines and a single explicit constructor which is the corner stone of the class. The constructor fixes JCC relative virtual addresses so that if the condition is met, instead of jumping instruction pointer relativitly, it will jump to an addition jmp (`JMP [RIP+0x0]`). LEA, nor CALL are rip relative, even for symbols defined inside of the routine in which the instruction is compiled into. In other words JCC instructions are the only instruction pointer relative instructions that are generated. ### Mutation - Inherts Obfuscation