finishing obfuscator

main
James 3 years ago
parent 2689c7d30c
commit 0acd3b7030

@ -6,5 +6,6 @@
#define CODE_FLAG_IS_INST (1<<2) #define CODE_FLAG_IS_INST (1<<2)
#define CODE_FLAG_DO_NOT_DIVIDE (1<<3) #define CODE_FLAG_DO_NOT_DIVIDE (1<<3)
#define CODE_FLAG_IS_OBFUSCATED (1<<4) #define CODE_FLAG_IS_OBFUSCATED (1<<4)
#define CODE_FLAG_IS_RIP_REL (1<<5) //Figure out how to deal with this...
#endif #endif
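Review bot: The comment on the new CODE_FLAG_IS_RIP_REL define, `//Figure out how to deal with this...`, does not say what is unresolved, and none of the visible hunks set or test the flag, so the next reader cannot tell whether it is wired up or still a placeholder. Suggest `// TODO: not yet handled - nothing sets or checks this flag yet; RIP-relative operands presumably need their displacement recomputed when the instruction is moved` so the open gap is stated where the flag is declared.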

@ -8,7 +8,7 @@
BOOL JitEmitPushfqInst(PNATIVE_CODE_BLOCK Block) BOOL JitEmitPushfqInst(PNATIVE_CODE_BLOCK Block)
{ {
UCHAR RawData[] = { 0x9C }; UCHAR RawData[] = { 0x9C };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1); PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, 1);
XedDecode(&Link->XedInstruction, Link->RawData, 1); XedDecode(&Link->XedInstruction, Link->RawData, 1);
NcAppendToBlock(Block, Link); NcAppendToBlock(Block, Link);
return TRUE; return TRUE;
@ -17,7 +17,7 @@ BOOL JitEmitPushfqInst(PNATIVE_CODE_BLOCK Block)
BOOL JitEmitPopfqInst(PNATIVE_CODE_BLOCK Block) BOOL JitEmitPopfqInst(PNATIVE_CODE_BLOCK Block)
{ {
UCHAR RawData[] = { 0x9D }; UCHAR RawData[] = { 0x9D };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1); PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, 1);
XedDecode(&Link->XedInstruction, Link->RawData, 1); XedDecode(&Link->XedInstruction, Link->RawData, 1);
NcAppendToBlock(Block, Link); NcAppendToBlock(Block, Link);
return TRUE; return TRUE;
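Review bot: JitEmitPushfqInst discards the XedDecode result on the line after the new flag combination and then returns TRUE unconditionally, while NcFixRelJmps in this same commit treats a result other than XED_ERROR_NONE as failure; JitEmitPopfqInst has the identical shape. Suggest `if (XED_ERROR_NONE != XedDecode(&Link->XedInstruction, Link->RawData, 1)) { delete Link; return FALSE; }` before NcAppendToBlock in both emitters, so a link whose XedInstruction never decoded is not appended and later re-encoded as if it had. Both function bodies end outside their hunks.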

@ -96,12 +96,23 @@ int main()
NcDisassemble(&RetNumBlock, RetNumCode, sizeof(RetNumCode)); NcDisassemble(&RetNumBlock, RetNumCode, sizeof(RetNumCode));
OBFUSCATOR Obf; OBFUSCATOR Obf;
Obf.Flags = 0; Obf.Flags = 0;
Obf.MinInstCount = 4; Obf.MinSizeForOpaqueBranch = 1;
Obf.InstructionMutateChance = 0;
Obf.OpaqueBranchChance = 100;
Obf.MinDepthForRandomOpaqueBranch = 0;
Obf.GlobalBlock = &RetNumBlock; Obf.GlobalBlock = &RetNumBlock;
ObfObfuscate(&Obf, &RetNumBlock); Obf.BlockDivisionFactor = 2;
ObfObfuscate(&Obf, &RetNumBlock); Obf.InstructionMutateChance = 100;
Obf.MinInstCount = 30; ObfObfuscate1(&Obf, &RetNumBlock);
ObfObfuscate(&Obf, &RetNumBlock); Obf.MinSizeForOpaqueBranch = 50;
Obf.InstructionMutateChance = 50;
ObfObfuscate1(&Obf, &RetNumBlock);
printf("Finished second pas.\n");
//Obf.MinSizeForOpaqueBranch = 200;
//ObfObfuscate1(&Obf, &RetNumBlock);
//Obf.MinSizeForOpaqueBranch = 30;
//ObfObfuscate(&Obf, &RetNumBlock);
ULONG AsmSize; ULONG AsmSize;
@ -112,10 +123,12 @@ int main()
system("pause"); system("pause");
return 1; return 1;
} }
PutToFile(Asm, AsmSize);
system("pause");
PVOID Exec = MakeExecutableBuffer(Asm, AsmSize); PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
typedef ULONG64(*FnRetNum)(ULONG Num); typedef ULONG64(*FnRetNum)(ULONG Num);
printf("\n\nObfuscated: %llu Original: %llu\n\n", ((FnRetNum)Exec)(1776), RetNum(1776)); printf("\n\nSize: %u Obfuscated: %llu Original: %llu\n\n", NcCountInstructions(&RetNumBlock), ((FnRetNum)Exec)(1776), RetNum(1776));
PutToFile(Asm, AsmSize);
system("pause"); system("pause");
@ -123,10 +136,10 @@ int main()
NcDisassemble(&Block, meme1, sizeof(meme1)); NcDisassemble(&Block, meme1, sizeof(meme1));
OBFUSCATOR Obf; OBFUSCATOR Obf;
Obf.Flags = 0; Obf.Flags = 0;
Obf.MinInstCount = 12; Obf.MinSizeForOpaqueBranch = 12;
Obf.GlobalBlock = &Block; Obf.GlobalBlock = &Block;
ObfObfuscate(&Obf, &Block); ObfObfuscate(&Obf, &Block);
Obf.MinInstCount = 4; Obf.MinSizeForOpaqueBranch = 4;
ObfObfuscate(&Obf, &Block); ObfObfuscate(&Obf, &Block);
NcDebugPrint(&Block); NcDebugPrint(&Block);
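Review bot: Exec returned by MakeExecutableBuffer is cast to FnRetNum and called on the new printf line without a NULL check, although Asm from NcAssemble is checked for NULL a few lines earlier in the same hunk; if the mapping fails the harness jumps through a null pointer instead of reporting it. Suggest `if (!Exec) { printf("failed to map executable buffer\n"); return 1; }` immediately after the Exec assignment, mirroring the existing Asm check. The new status string `"Finished second pas.\n"` is also missing an 's'. main continues outside the hunk.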

@ -401,20 +401,14 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block)
{ {
INT32 BranchDisp = 0; INT32 BranchDisp = 0;
if (!NcGetDeltaToLabel(T, &BranchDisp)) if (!NcGetDeltaToLabel(T, &BranchDisp))
{ return FALSE;
printf("\n1\n");
return NULL;
}
ULONG DispWidth = XedDecodedInstGetBranchDisplacementWidthBits(&T->XedInstruction); ULONG DispWidth = XedDecodedInstGetBranchDisplacementWidthBits(&T->XedInstruction);
if (log2(abs(BranchDisp)) + 1 > DispWidth) if (log2(abs(BranchDisp)) + 1 > DispWidth)
{ {
//duh oh //duh oh
if (DispWidth == 32) if (DispWidth == 32)
{ return FALSE;
printf("\n2\n");
return NULL;
}
////Grow displacement width to required size ////Grow displacement width to required size
//DispWidth *= 2; //DispWidth *= 2;
@ -423,10 +417,7 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block)
//if (log2(abs(BranchDisp)) + 1 > DispWidth) //if (log2(abs(BranchDisp)) + 1 > DispWidth)
//{ //{
// if (DispWidth == 32) // if (DispWidth == 32)
// { // return FALSE;
// printf("\n3\n");
// return NULL;
// }
// //Grow once more if not already at 32 // //Grow once more if not already at 32
// DispWidth *= 2; // DispWidth *= 2;
@ -448,17 +439,10 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block)
XedInst1(&EncoderInstruction, MachineState, IClass, DispWidth, XedRelBr(0, DispWidth)); XedInst1(&EncoderInstruction, MachineState, IClass, DispWidth, XedRelBr(0, DispWidth));
XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState); XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState);
if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction)) if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction))
{ return FALSE;
printf("\n4\n");
return NULL;
}
XED_ERROR_ENUM Err = XedEncode(&EncoderRequest, EncodeBuffer, 15, &ReturnedSize); XED_ERROR_ENUM Err = XedEncode(&EncoderRequest, EncodeBuffer, 15, &ReturnedSize);
if (XED_ERROR_NONE != Err) if (XED_ERROR_NONE != Err)
{ return FALSE;
printf("%s %s %u \n", XedErrorEnumToString(Err), XedIClassEnumToString(IClass), DispWidth);
printf("\n5\n");
return NULL;
}
//fixup T->RawData //fixup T->RawData
delete[] T->RawData; delete[] T->RawData;
@ -469,10 +453,7 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block)
//Decode instruction so its proper and all that //Decode instruction so its proper and all that
XedDecodedInstZeroSetMode(&T->XedInstruction, &MachineState); XedDecodedInstZeroSetMode(&T->XedInstruction, &MachineState);
if (XED_ERROR_NONE != XedDecode(&T->XedInstruction, T->RawData, T->RawDataSize)) if (XED_ERROR_NONE != XedDecode(&T->XedInstruction, T->RawData, T->RawDataSize))
{ return FALSE;
printf("\n6\n");
return NULL;
}
//Go back to the start and loop through all labels again because now this instruction is larger :)))) //Go back to the start and loop through all labels again because now this instruction is larger :))))
T = Block->Start; T = Block->Start;
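Review bot: The fit test `if (log2(abs(BranchDisp)) + 1 > DispWidth)` that the new `return FALSE` paths sit under is off by one at the positive boundary: with DispWidth == 8 and BranchDisp == 128, log2(128) + 1 equals 8, which is not greater than 8, so the displacement is treated as fitting a signed 8-bit field whose range ends at 127; abs() is also undefined for INT32_MIN. A signed-range check avoids both and the floating point, e.g. `const INT64 Limit = (INT64)1 << (DispWidth - 1);` followed by `if (BranchDisp < -Limit || BranchDisp >= Limit)`. Separately, collapsing the six exits to a bare `return FALSE` drops the only report of XedErrorEnumToString(Err), so a caller can no longer tell which step failed; keeping that one print under a debug macro would preserve the diagnostic. NcFixRelJmps begins and ends outside these hunks.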

@ -3,16 +3,47 @@
VOID ObfObfuscate(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block) VOID ObfObfuscate1(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block, ULONG Depth)
{ {
ULONG InstructionCount = NcCountInstructions(Block); ULONG InstructionCount = NcCountInstructions(Block);
if (InstructionCount <= Obf->MinInstCount) if (InstructionCount <= Obf->MinSizeForOpaqueBranch)
{ {
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;)
{
if ((T->Flags & CODE_FLAG_IS_LABEL) || (T->Flags & CODE_FLAG_DO_NOT_DIVIDE) || (T->Flags & CODE_FLAG_IS_REL_JMP))
{
T = T->Next;
continue;
}
PNATIVE_CODE_LINK RealNext = T->Next;
if ((rand() % 100) <= Obf->InstructionMutateChance)
{
PNATIVE_CODE_BLOCK PreOp = JitEmitPreRipMov(T);
PNATIVE_CODE_BLOCK PostOp = JitEmitPostRipMov(T);
NcInsertBlockBefore(T, PreOp, FALSE);
NcInsertBlockAfter(T, PostOp, FALSE);
if (Block->Start == T)
Block->Start = PreOp->Start;
if (Block->End == T)
Block->End = PostOp->End;
//for (ULONG i = 0; i < T->RawDataSize; i++)
// T->RawData[i] = (UCHAR)(rand() % 255);
T->Flags |= CODE_FLAG_DO_NOT_DIVIDE;
}
T = RealNext;
}
} }
else else
{ {
ULONG TargetCount = InstructionCount / 2; ULONG TargetCount = max(Obf->MinSizeForOpaqueBranch, InstructionCount / ((Obf->Flags & OBF_ATTRIBUTE_RANDOMIZE_DIVISOR) ? (rand() % Obf->BlockDivisionFactor) : Obf->BlockDivisionFactor)); // max(Obf->MinBlockSize, InstructionCount / Obf->BlockDivisionFactor);
ULONG CurrentCount = 0; ULONG CurrentCount = 0;
PNATIVE_CODE_LINK NewBlockStart = Block->Start; PNATIVE_CODE_LINK NewBlockStart = Block->Start;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;) for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;)
@ -25,15 +56,34 @@ VOID ObfObfuscate(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block)
++CurrentCount; ++CurrentCount;
if (T->Flags & CODE_FLAG_DO_NOT_DIVIDE)
{
T = T->Next;
continue;
}
if (CurrentCount == TargetCount) if (CurrentCount == TargetCount)
{ {
NATIVE_CODE_BLOCK NotTaken, Taken; if (Depth >= Obf->MinDepthForRandomOpaqueBranch && (rand() % 100) <= Obf->OpaqueBranchChance)
ObfCreateOpaqueBranches(NewBlockStart, T, &NotTaken, &Taken); {
ObfObfuscate(Obf, &NotTaken); NATIVE_CODE_BLOCK NotTaken, Taken;
ObfObfuscate(Obf, &Taken); ObfCreateOpaqueBranches(NewBlockStart, T, &NotTaken, &Taken);
ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock)); ObfObfuscate1(Obf, &NotTaken, Depth + 1);
ObfInsertOpaqueBranchBlock(NewBlockStart, T, &NotTaken); ObfObfuscate1(Obf, &Taken, Depth + 1);
T = NotTaken.End; ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock));
ObfInsertOpaqueBranchBlock(NewBlockStart, T, &NotTaken);
T = NotTaken.End;
}
else
{
NATIVE_CODE_BLOCK TempBlock;
if (NcDeepCopyPartialBlock(NewBlockStart, T, &TempBlock))
{
ObfObfuscate1(Obf, &TempBlock, Depth + 1);
ObfInsertOpaqueBranchBlock(NewBlockStart, T, &TempBlock);
}
T = TempBlock.End;
}
NewBlockStart = T->Next; NewBlockStart = T->Next;
CurrentCount = 0; CurrentCount = 0;
} }
@ -43,12 +93,16 @@ VOID ObfObfuscate(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block)
{ {
NATIVE_CODE_BLOCK NotTaken, Taken; NATIVE_CODE_BLOCK NotTaken, Taken;
ObfCreateOpaqueBranches(NewBlockStart, Block->End, &NotTaken, &Taken); ObfCreateOpaqueBranches(NewBlockStart, Block->End, &NotTaken, &Taken);
ObfObfuscate(Obf, &NotTaken); ObfObfuscate1(Obf, &NotTaken, Depth + 1);
ObfObfuscate(Obf, &Taken); ObfObfuscate1(Obf, &Taken, Depth + 1);
ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock)); ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock));
ObfInsertOpaqueBranchBlock(NewBlockStart, Block->End, &NotTaken); ObfInsertOpaqueBranchBlock(NewBlockStart, Block->End, &NotTaken);
} }
} }
} }
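Review bot: The divisor in the TargetCount line can be zero: with OBF_ATTRIBUTE_RANDOMIZE_DIVISOR set, `rand() % Obf->BlockDivisionFactor` is 0 about one time in BlockDivisionFactor, and a BlockDivisionFactor of 0 (the field is never defaulted in the visible hunks) divides by zero outright. In the copy branch `T = TempBlock.End;` runs even when NcDeepCopyPartialBlock returns FALSE, after which `NewBlockStart = T->Next` dereferences whatever End holds; moving the assignment inside the success block leaves T on the original, still-linked range. Both chance tests use `<=`, so `InstructionMutateChance = 0` (the value main sets for the first pass) still mutates roughly one instruction in a hundred; `(rand() % 100) < Obf->InstructionMutateChance` and the same form for OpaqueBranchChance make 0 mean never and 100 mean always. The rewritten lines follow.
```cpp
// … unchanged: mutate-only path for blocks at or below MinSizeForOpaqueBranch …
ULONG Divisor = Obf->BlockDivisionFactor ? Obf->BlockDivisionFactor : 1;
if (Obf->Flags & OBF_ATTRIBUTE_RANDOMIZE_DIVISOR)
    Divisor = 1 + (ULONG)(rand() % Divisor); // never 0, so the division below is safe
ULONG TargetCount = max(Obf->MinSizeForOpaqueBranch, InstructionCount / Divisor);
// … unchanged: CurrentCount / NewBlockStart setup, division loop, opaque-branch arm …
if (NcDeepCopyPartialBlock(NewBlockStart, T, &TempBlock))
{
    // … unchanged: recursive ObfObfuscate1 and ObfInsertOpaqueBranchBlock calls …
    T = TempBlock.End; // only meaningful when the copy succeeded
}
// … unchanged: NewBlockStart/CurrentCount reset and the trailing partial block …
```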

@ -10,15 +10,24 @@
#define OBF_ATTRIBUTE_JIT (1<<0) #define OBF_ATTRIBUTE_JIT (1<<0)
#define OBF_ATTRIBUTE_OPAQUE_BRANCHES (1<<1) #define OBF_ATTRIBUTE_OPAQUE_BRANCHES (1<<1)
#define OBF_ATTRIBUTE_RANDOMIZE_DIVISOR (1<<2)
typedef struct _OBFUSCATOR typedef struct _OBFUSCATOR
{ {
ULONG MinInstCount; ULONG MinDepthForRandomOpaqueBranch;
ULONG MinSizeForOpaqueBranch;
UCHAR OpaqueBranchChance;
UCHAR InstructionMutateChance;
UCHAR BlockDivisionFactor;
ULONG Flags; ULONG Flags;
PNATIVE_CODE_BLOCK GlobalBlock; PNATIVE_CODE_BLOCK GlobalBlock;
}OBFUSCATOR, *POBFUSCATOR; }OBFUSCATOR, *POBFUSCATOR;
BOOL ObfJitInst();
//Recursive obfuscation routine using opaque branches and jit //Recursive obfuscation routine using opaque branches and jit
VOID ObfObfuscate(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block); VOID ObfObfuscate1(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block, ULONG Depth = 0);
#endif #endif
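Review bot: The five new OBFUSCATOR fields carry no comments, and their contracts are only discoverable from ObfObfuscate1: BlockDivisionFactor is used as a divisor and so must be at least 1, OpaqueBranchChance and InstructionMutateChance are compared against `rand() % 100` and so are percentages, and MinDepthForRandomOpaqueBranch is the recursion depth below which every split becomes an opaque branch. Suggest one trailing comment per field, e.g. `UCHAR BlockDivisionFactor; // block split divisor; must be >= 1` and `UCHAR OpaqueBranchChance; // 0..100, percent of splits that become opaque branches`, plus noting on OBF_ATTRIBUTE_RANDOMIZE_DIVISOR that it draws the divisor from 0..BlockDivisionFactor-1. The added `BOOL ObfJitInst();` has no definition or caller in the visible hunks; if it is a leftover, dropping it avoids an unresolved prototype.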

@ -5930,7 +5930,7 @@ $LN6:
00047 c6 45 04 9d mov BYTE PTR RawData$[rbp], 157 ; 0000009dH 00047 c6 45 04 9d mov BYTE PTR RawData$[rbp], 157 ; 0000009dH
; 20 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1); ; 20 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, 1);
0004b b9 f0 00 00 00 mov ecx, 240 ; 000000f0H 0004b b9 f0 00 00 00 mov ecx, 240 ; 000000f0H
00050 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new 00050 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new
@ -5944,7 +5944,7 @@ $LN6:
0006e 41 b9 01 00 00 0006e 41 b9 01 00 00
00 mov r9d, 1 00 mov r9d, 1
00074 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp] 00074 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp]
00078 ba 04 00 00 00 mov edx, 4 00078 ba 0c 00 00 00 mov edx, 12
0007d 48 8b 8d 28 01 0007d 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
00084 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 00084 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK
@ -6099,7 +6099,7 @@ $LN6:
00047 c6 45 04 9c mov BYTE PTR RawData$[rbp], 156 ; 0000009cH 00047 c6 45 04 9c mov BYTE PTR RawData$[rbp], 156 ; 0000009cH
; 11 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1); ; 11 : PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, 1);
0004b b9 f0 00 00 00 mov ecx, 240 ; 000000f0H 0004b b9 f0 00 00 00 mov ecx, 240 ; 000000f0H
00050 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new 00050 e8 00 00 00 00 call ??2@YAPEAX_K@Z ; operator new
@ -6113,7 +6113,7 @@ $LN6:
0006e 41 b9 01 00 00 0006e 41 b9 01 00 00
00 mov r9d, 1 00 mov r9d, 1
00074 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp] 00074 4c 8d 45 04 lea r8, QWORD PTR RawData$[rbp]
00078 ba 04 00 00 00 mov edx, 4 00078 ba 0c 00 00 00 mov edx, 12
0007d 48 8b 8d 28 01 0007d 48 8b 8d 28 01
00 00 mov rcx, QWORD PTR $T5[rbp] 00 00 mov rcx, QWORD PTR $T5[rbp]
00084 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK 00084 e8 00 00 00 00 call ??0_NATIVE_CODE_LINK@@QEAA@KPEAXKH@Z ; _NATIVE_CODE_LINK::_NATIVE_CODE_LINK

@ -427,9 +427,10 @@ PUBLIC ??_7?$basic_filebuf@DU?$char_traits@D@std@@@std@@6B@ ; std::basic_filebuf
PUBLIC ??_7?$basic_ofstream@DU?$char_traits@D@std@@@std@@6B@ ; std::basic_ofstream<char,std::char_traits<char> >::`vftable' PUBLIC ??_7?$basic_ofstream@DU?$char_traits@D@std@@@std@@6B@ ; std::basic_ofstream<char,std::char_traits<char> >::`vftable'
PUBLIC ??_8?$basic_ofstream@DU?$char_traits@D@std@@@std@@7B@ ; std::basic_ofstream<char,std::char_traits<char> >::`vbtable' PUBLIC ??_8?$basic_ofstream@DU?$char_traits@D@std@@@std@@7B@ ; std::basic_ofstream<char,std::char_traits<char> >::`vbtable'
PUBLIC ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ ; `string' PUBLIC ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ ; `string'
PUBLIC ??_C@_0BG@KBAIGCC@Finished?5second?5pas?4?6@ ; `string'
PUBLIC ??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@ ; `string' PUBLIC ??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@ ; `string'
PUBLIC ??_C@_05PDJBBECF@pause@ ; `string' PUBLIC ??_C@_05PDJBBECF@pause@ ; `string'
PUBLIC ??_C@_0CH@OKHDPAIH@?6?6Obfuscated?3?5?$CFllu?5?5?5?5Original?3@ ; `string' PUBLIC ??_C@_0DC@MEGCPGB@?6?6Size?3?5?$CFu?5?5?5Obfuscated?3?5?$CFllu?5?5@ ; `string'
PUBLIC ??_C@_0N@LPFKKEBD@?3AM?3am?3PM?3pm@ ; `string' PUBLIC ??_C@_0N@LPFKKEBD@?3AM?3am?3PM?3pm@ ; `string'
PUBLIC ??_C@_0GI@GFIDMGHH@C?3?2Program?5Files?5?$CIx86?$CJ?2Microsof@ ; `string' PUBLIC ??_C@_0GI@GFIDMGHH@C?3?2Program?5Files?5?$CIx86?$CJ?2Microsof@ ; `string'
PUBLIC ??_C@_1NA@LKMCOJGD@?$AAC?$AA?3?$AA?2?$AAP?$AAr?$AAo?$AAg?$AAr?$AAa?$AAm?$AA?5?$AAF?$AAi?$AAl?$AAe@ ; `string' PUBLIC ??_C@_1NA@LKMCOJGD@?$AAC?$AA?3?$AA?2?$AAP?$AAr?$AAo?$AAg?$AAr?$AAa?$AAm?$AA?5?$AAF?$AAi?$AAl?$AAe@ ; `string'
@ -591,9 +592,10 @@ EXTRN __imp__time64:PROC
EXTRN ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z:PROC ; std::setw EXTRN ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z:PROC ; std::setw
EXTRN xed_tables_init:PROC EXTRN xed_tables_init:PROC
EXTRN ??0_NATIVE_CODE_BLOCK@@QEAA@XZ:PROC ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK EXTRN ??0_NATIVE_CODE_BLOCK@@QEAA@XZ:PROC ; _NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK
EXTRN ?NcCountInstructions@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; NcCountInstructions
EXTRN ?NcDisassemble@@YAHPEAU_NATIVE_CODE_BLOCK@@PEAXK@Z:PROC ; NcDisassemble EXTRN ?NcDisassemble@@YAHPEAU_NATIVE_CODE_BLOCK@@PEAXK@Z:PROC ; NcDisassemble
EXTRN ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z:PROC ; NcAssemble EXTRN ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z:PROC ; NcAssemble
EXTRN ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z:PROC ; ObfObfuscate EXTRN ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z:PROC ; ObfObfuscate1
EXTRN ??_E?$basic_filebuf@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_filebuf<char,std::char_traits<char> >::`vector deleting destructor' EXTRN ??_E?$basic_filebuf@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_filebuf<char,std::char_traits<char> >::`vector deleting destructor'
EXTRN ??_E?$basic_ofstream@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_ofstream<char,std::char_traits<char> >::`vector deleting destructor' EXTRN ??_E?$basic_ofstream@DU?$char_traits@D@std@@@std@@UEAAPEAXI@Z:PROC ; std::basic_ofstream<char,std::char_traits<char> >::`vector deleting destructor'
EXTRN RetNum:PROC EXTRN RetNum:PROC
@ -1484,7 +1486,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$main DD imagerel $LN7 $pdata$main DD imagerel $LN7
DD imagerel $LN7+461 DD imagerel $LN7+527
DD imagerel $unwind$main DD imagerel $unwind$main
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -2259,10 +2261,11 @@ CONST ENDS
CONST SEGMENT CONST SEGMENT
??_C@_0N@LPFKKEBD@?3AM?3am?3PM?3pm@ DB ':AM:am:PM:pm', 00H ; `string' ??_C@_0N@LPFKKEBD@?3AM?3am?3PM?3pm@ DB ':AM:am:PM:pm', 00H ; `string'
CONST ENDS CONST ENDS
; COMDAT ??_C@_0CH@OKHDPAIH@?6?6Obfuscated?3?5?$CFllu?5?5?5?5Original?3@ ; COMDAT ??_C@_0DC@MEGCPGB@?6?6Size?3?5?$CFu?5?5?5Obfuscated?3?5?$CFllu?5?5@
CONST SEGMENT CONST SEGMENT
??_C@_0CH@OKHDPAIH@?6?6Obfuscated?3?5?$CFllu?5?5?5?5Original?3@ DB 0aH, 0aH ??_C@_0DC@MEGCPGB@?6?6Size?3?5?$CFu?5?5?5Obfuscated?3?5?$CFllu?5?5@ DB 0aH
DB 'Obfuscated: %llu Original: %llu', 0aH, 0aH, 00H ; `string' DB 0aH, 'Size: %u Obfuscated: %llu Original: %llu', 0aH, 0aH
DB 00H ; `string'
CONST ENDS CONST ENDS
; COMDAT ??_C@_05PDJBBECF@pause@ ; COMDAT ??_C@_05PDJBBECF@pause@
CONST SEGMENT CONST SEGMENT
@ -2272,6 +2275,11 @@ CONST ENDS
CONST SEGMENT CONST SEGMENT
??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@ DB 'failed to assemble', 0aH, 00H ; `string' ??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@ DB 'failed to assemble', 0aH, 00H ; `string'
CONST ENDS CONST ENDS
; COMDAT ??_C@_0BG@KBAIGCC@Finished?5second?5pas?4?6@
CONST SEGMENT
??_C@_0BG@KBAIGCC@Finished?5second?5pas?4?6@ DB 'Finished second pas.', 0aH
DB 00H ; `string'
CONST ENDS
; COMDAT ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ ; COMDAT ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@
CONST SEGMENT CONST SEGMENT
??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ DB 'C:\Users\Ii' ??_C@_0CJ@GEFBLICI@C?3?2Users?2Iizerd?2Desktop?2Leeg?5Ha@ DB 'C:\Users\Ii'
@ -3346,11 +3354,11 @@ $ip2state$main DB 0aH
DB 00H DB 00H
DB 0b2H DB 0b2H
DB 02H DB 02H
DB 'y', 02H DB 0f9H, 02H
DB 00H DB 00H
DB '(' DB '('
DB 02H DB 02H
DB 011H, 02H DB 099H, 02H
DB 00H DB 00H
xdata ENDS xdata ENDS
; COMDAT xdata ; COMDAT xdata
@ -3373,7 +3381,7 @@ $unwind$main DD 025052f19H
DD 05002H DD 05002H
DD imagerel __GSHandlerCheck_EH4 DD imagerel __GSHandlerCheck_EH4
DD imagerel $cppxdata$main DD imagerel $cppxdata$main
DD 01f2H DD 01faH
xdata ENDS xdata ENDS
; COMDAT CONST ; COMDAT CONST
CONST SEGMENT CONST SEGMENT
@ -3406,7 +3414,7 @@ main$rtcVarDesc DD 0a4H
DD 04H DD 04H
DQ FLAT:main$rtcName$2 DQ FLAT:main$rtcName$2
DD 078H DD 078H
DD 010H DD 018H
DQ FLAT:main$rtcName$1 DQ FLAT:main$rtcName$1
DD 028H DD 028H
DD 030H DD 030H
@ -8739,10 +8747,11 @@ AsmSize$ = 132
Asm$ = 168 Asm$ = 168
Exec$ = 200 Exec$ = 200
$T6 = 420 $T6 = 420
tv134 = 440 tv143 = 440
tv128 = 448 tv132 = 448
tv132 = 456 tv141 = 456
__$ArrayPad$ = 464 tv139 = 464
__$ArrayPad$ = 472
main PROC ; COMDAT main PROC ; COMDAT
; 90 : { ; 90 : {
@ -8760,7 +8769,7 @@ $LN7:
0001e 48 8b 05 00 00 0001e 48 8b 05 00 00
00 00 mov rax, QWORD PTR __security_cookie 00 00 mov rax, QWORD PTR __security_cookie
00025 48 33 c5 xor rax, rbp 00025 48 33 c5 xor rax, rbp
00028 48 89 85 d0 01 00028 48 89 85 d8 01
00 00 mov QWORD PTR __$ArrayPad$[rbp], rax 00 00 mov QWORD PTR __$ArrayPad$[rbp], rax
0002f 48 8d 0d 00 00 0002f 48 8d 0d 00 00
00 00 lea rcx, OFFSET FLAT:__4031338C_Main@cpp 00 00 lea rcx, OFFSET FLAT:__4031338C_Main@cpp
@ -8798,282 +8807,328 @@ $LN7:
; 97 : OBFUSCATOR Obf; ; 97 : OBFUSCATOR Obf;
; 98 : Obf.Flags = 0; ; 98 : Obf.Flags = 0;
0006f c7 45 5c 00 00 0006f c7 45 64 00 00
00 00 mov DWORD PTR Obf$[rbp+4], 0 00 00 mov DWORD PTR Obf$[rbp+12], 0
; 99 : Obf.MinSizeForOpaqueBranch = 1;
00076 c7 45 5c 01 00
00 00 mov DWORD PTR Obf$[rbp+4], 1
; 100 : Obf.InstructionMutateChance = 0;
0007d c6 45 61 00 mov BYTE PTR Obf$[rbp+9], 0
; 101 : Obf.OpaqueBranchChance = 100;
00081 c6 45 60 64 mov BYTE PTR Obf$[rbp+8], 100 ; 00000064H
; 102 : Obf.MinDepthForRandomOpaqueBranch = 0;
00085 c7 45 58 00 00
00 00 mov DWORD PTR Obf$[rbp], 0
; 103 : Obf.GlobalBlock = &RetNumBlock;
; 99 : Obf.MinInstCount = 4; 0008c 48 8d 45 08 lea rax, QWORD PTR RetNumBlock$[rbp]
00090 48 89 45 68 mov QWORD PTR Obf$[rbp+16], rax
00076 c7 45 58 04 00 ; 104 : Obf.BlockDivisionFactor = 2;
00 00 mov DWORD PTR Obf$[rbp], 4
; 100 : Obf.GlobalBlock = &RetNumBlock; 00094 c6 45 62 02 mov BYTE PTR Obf$[rbp+10], 2
0007d 48 8d 45 08 lea rax, QWORD PTR RetNumBlock$[rbp] ; 105 : Obf.InstructionMutateChance = 100;
00081 48 89 45 60 mov QWORD PTR Obf$[rbp+8], rax
; 101 : ObfObfuscate(&Obf, &RetNumBlock); 00098 c6 45 61 64 mov BYTE PTR Obf$[rbp+9], 100 ; 00000064H
00085 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp] ; 106 : ObfObfuscate1(&Obf, &RetNumBlock);
00089 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp]
0008d e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate
; 102 : ObfObfuscate(&Obf, &RetNumBlock); 0009c 45 33 c0 xor r8d, r8d
0009f 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp]
000a3 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp]
000a7 e8 00 00 00 00 call ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ; ObfObfuscate1
00092 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp] ; 107 : Obf.MinSizeForOpaqueBranch = 50;
00096 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp]
0009a e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate
; 103 : Obf.MinInstCount = 30; 000ac c7 45 5c 32 00
00 00 mov DWORD PTR Obf$[rbp+4], 50 ; 00000032H
0009f c7 45 58 1e 00 ; 108 : Obf.InstructionMutateChance = 50;
00 00 mov DWORD PTR Obf$[rbp], 30
; 104 : ObfObfuscate(&Obf, &RetNumBlock); 000b3 c6 45 61 32 mov BYTE PTR Obf$[rbp+9], 50 ; 00000032H
000a6 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp] ; 109 : ObfObfuscate1(&Obf, &RetNumBlock);
000aa 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp]
000ae e8 00 00 00 00 call ?ObfObfuscate@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@@Z ; ObfObfuscate
; 105 : 000b7 45 33 c0 xor r8d, r8d
; 106 : 000ba 48 8d 55 08 lea rdx, QWORD PTR RetNumBlock$[rbp]
; 107 : ULONG AsmSize; 000be 48 8d 4d 58 lea rcx, QWORD PTR Obf$[rbp]
; 108 : PVOID Asm = NcAssemble(&RetNumBlock, &AsmSize); 000c2 e8 00 00 00 00 call ?ObfObfuscate1@@YAXPEAU_OBFUSCATOR@@PEAU_NATIVE_CODE_BLOCK@@K@Z ; ObfObfuscate1
000b3 48 8d 95 84 00 ; 110 :
; 111 : printf("Finished second pas.\n");
000c7 48 8d 0d 00 00
00 00 lea rcx, OFFSET FLAT:??_C@_0BG@KBAIGCC@Finished?5second?5pas?4?6@
000ce e8 00 00 00 00 call printf
; 112 : //Obf.MinSizeForOpaqueBranch = 200;
; 113 : //ObfObfuscate1(&Obf, &RetNumBlock);
; 114 : //Obf.MinSizeForOpaqueBranch = 30;
; 115 : //ObfObfuscate(&Obf, &RetNumBlock);
; 116 :
; 117 :
; 118 : ULONG AsmSize;
; 119 : PVOID Asm = NcAssemble(&RetNumBlock, &AsmSize);
000d3 48 8d 95 84 00
00 00 lea rdx, QWORD PTR AsmSize$[rbp] 00 00 lea rdx, QWORD PTR AsmSize$[rbp]
000ba 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp] 000da 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp]
000be e8 00 00 00 00 call ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z ; NcAssemble 000de e8 00 00 00 00 call ?NcAssemble@@YAPEAXPEAU_NATIVE_CODE_BLOCK@@PEAK@Z ; NcAssemble
000c3 48 89 85 a8 00 000e3 48 89 85 a8 00
00 00 mov QWORD PTR Asm$[rbp], rax 00 00 mov QWORD PTR Asm$[rbp], rax
; 109 : if (!Asm) ; 120 : if (!Asm)
000ca 48 83 bd a8 00 000ea 48 83 bd a8 00
00 00 00 cmp QWORD PTR Asm$[rbp], 0 00 00 00 cmp QWORD PTR Asm$[rbp], 0
000d2 75 37 jne SHORT $LN2@main 000f2 75 37 jne SHORT $LN2@main
; 110 : { ; 121 : {
; 111 : printf("failed to assemble\n"); ; 122 : printf("failed to assemble\n");
000d4 48 8d 0d 00 00 000f4 48 8d 0d 00 00
00 00 lea rcx, OFFSET FLAT:??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@ 00 00 lea rcx, OFFSET FLAT:??_C@_0BE@GALOGKHF@failed?5to?5assemble?6@
000db e8 00 00 00 00 call printf 000fb e8 00 00 00 00 call printf
; 112 : system("pause"); ; 123 : system("pause");
000e0 48 8d 0d 00 00 00100 48 8d 0d 00 00
00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@ 00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@
000e7 ff 15 00 00 00 00107 ff 15 00 00 00
00 call QWORD PTR __imp_system 00 call QWORD PTR __imp_system
; 113 : return 1; ; 124 : return 1;
000ed c7 85 a4 01 00 0010d c7 85 a4 01 00
00 01 00 00 00 mov DWORD PTR $T6[rbp], 1 00 01 00 00 00 mov DWORD PTR $T6[rbp], 1
000f7 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp] 00117 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp]
000fb e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ 0011b e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ
00100 8b 85 a4 01 00 00120 8b 85 a4 01 00
00 mov eax, DWORD PTR $T6[rbp] 00 mov eax, DWORD PTR $T6[rbp]
00106 e9 93 00 00 00 jmp $LN5@main 00126 e9 b5 00 00 00 jmp $LN5@main
$LN2@main: $LN2@main:
; 114 : } ; 125 : }
; 115 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize); ; 126 : PutToFile(Asm, AsmSize);
0010b 8b 95 84 00 00 0012b 8b 95 84 00 00
00 mov edx, DWORD PTR AsmSize$[rbp] 00 mov edx, DWORD PTR AsmSize$[rbp]
00111 48 8b 8d a8 00 00131 48 8b 8d a8 00
00 00 mov rcx, QWORD PTR Asm$[rbp] 00 00 mov rcx, QWORD PTR Asm$[rbp]
00118 e8 00 00 00 00 call ?MakeExecutableBuffer@@YAPEAXPEAXK@Z ; MakeExecutableBuffer 00138 e8 00 00 00 00 call ?PutToFile@@YAXPEAXK@Z ; PutToFile
0011d 48 89 85 c8 00
00 00 mov QWORD PTR Exec$[rbp], rax
; 116 : typedef ULONG64(*FnRetNum)(ULONG Num); ; 127 : system("pause");
; 117 : printf("\n\nObfuscated: %llu Original: %llu\n\n", ((FnRetNum)Exec)(1776), RetNum(1776));
00124 b9 f0 06 00 00 mov ecx, 1776 ; 000006f0H 0013d 48 8d 0d 00 00
00129 e8 00 00 00 00 call RetNum 00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@
0012e 48 89 85 b8 01 00144 ff 15 00 00 00
00 00 mov QWORD PTR tv134[rbp], rax 00 call QWORD PTR __imp_system
00135 48 8b 85 c8 00
00 00 mov rax, QWORD PTR Exec$[rbp]
0013c 48 89 85 c0 01
00 00 mov QWORD PTR tv128[rbp], rax
00143 b9 f0 06 00 00 mov ecx, 1776 ; 000006f0H
00148 ff 95 c0 01 00
00 call QWORD PTR tv128[rbp]
0014e 48 89 85 c8 01
00 00 mov QWORD PTR tv132[rbp], rax
00155 4c 8b 85 b8 01
00 00 mov r8, QWORD PTR tv134[rbp]
0015c 48 8b 95 c8 01
00 00 mov rdx, QWORD PTR tv132[rbp]
00163 48 8d 0d 00 00
00 00 lea rcx, OFFSET FLAT:??_C@_0CH@OKHDPAIH@?6?6Obfuscated?3?5?$CFllu?5?5?5?5Original?3@
0016a e8 00 00 00 00 call printf
; 118 : PutToFile(Asm, AsmSize); ; 128 :
; 129 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
0016f 8b 95 84 00 00 0014a 8b 95 84 00 00
00 mov edx, DWORD PTR AsmSize$[rbp] 00 mov edx, DWORD PTR AsmSize$[rbp]
00175 48 8b 8d a8 00 00150 48 8b 8d a8 00
00 00 mov rcx, QWORD PTR Asm$[rbp] 00 00 mov rcx, QWORD PTR Asm$[rbp]
0017c e8 00 00 00 00 call ?PutToFile@@YAXPEAXK@Z ; PutToFile 00157 e8 00 00 00 00 call ?MakeExecutableBuffer@@YAPEAXPEAXK@Z ; MakeExecutableBuffer
0015c 48 89 85 c8 00
00 00 mov QWORD PTR Exec$[rbp], rax
; 119 : system("pause"); ; 130 : typedef ULONG64(*FnRetNum)(ULONG Num);
; 131 : printf("\n\nSize: %u Obfuscated: %llu Original: %llu\n\n", NcCountInstructions(&RetNumBlock), ((FnRetNum)Exec)(1776), RetNum(1776));
00181 48 8d 0d 00 00 00163 b9 f0 06 00 00 mov ecx, 1776 ; 000006f0H
00168 e8 00 00 00 00 call RetNum
0016d 48 89 85 b8 01
00 00 mov QWORD PTR tv143[rbp], rax
00174 48 8b 85 c8 00
00 00 mov rax, QWORD PTR Exec$[rbp]
0017b 48 89 85 c0 01
00 00 mov QWORD PTR tv132[rbp], rax
00182 b9 f0 06 00 00 mov ecx, 1776 ; 000006f0H
00187 ff 95 c0 01 00
00 call QWORD PTR tv132[rbp]
0018d 48 89 85 c8 01
00 00 mov QWORD PTR tv141[rbp], rax
00194 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp]
00198 e8 00 00 00 00 call ?NcCountInstructions@@YAKPEAU_NATIVE_CODE_BLOCK@@@Z ; NcCountInstructions
0019d 89 85 d0 01 00
00 mov DWORD PTR tv139[rbp], eax
001a3 4c 8b 8d b8 01
00 00 mov r9, QWORD PTR tv143[rbp]
001aa 4c 8b 85 c8 01
00 00 mov r8, QWORD PTR tv141[rbp]
001b1 8b 95 d0 01 00
00 mov edx, DWORD PTR tv139[rbp]
001b7 48 8d 0d 00 00
00 00 lea rcx, OFFSET FLAT:??_C@_0DC@MEGCPGB@?6?6Size?3?5?$CFu?5?5?5Obfuscated?3?5?$CFllu?5?5@
001be e8 00 00 00 00 call printf
; 132 : system("pause");
001c3 48 8d 0d 00 00
00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@ 00 00 lea rcx, OFFSET FLAT:??_C@_05PDJBBECF@pause@
00188 ff 15 00 00 00 001ca ff 15 00 00 00
00 call QWORD PTR __imp_system 00 call QWORD PTR __imp_system
0018e 90 npad 1 001d0 90 npad 1
; 120 : ; 133 :
; 121 : ; 134 :
; 122 : /*NATIVE_CODE_BLOCK Block; ; 135 : /*NATIVE_CODE_BLOCK Block;
; 123 : NcDisassemble(&Block, meme1, sizeof(meme1)); ; 136 : NcDisassemble(&Block, meme1, sizeof(meme1));
; 124 : OBFUSCATOR Obf; ; 137 : OBFUSCATOR Obf;
; 125 : Obf.Flags = 0; ; 138 : Obf.Flags = 0;
; 126 : Obf.MinInstCount = 12; ; 139 : Obf.MinSizeForOpaqueBranch = 12;
; 127 : Obf.GlobalBlock = &Block; ; 140 : Obf.GlobalBlock = &Block;
; 128 : ObfObfuscate(&Obf, &Block); ; 141 : ObfObfuscate(&Obf, &Block);
; 129 : Obf.MinInstCount = 4; ; 142 : Obf.MinSizeForOpaqueBranch = 4;
; 130 : ObfObfuscate(&Obf, &Block); ; 143 : ObfObfuscate(&Obf, &Block);
; 131 : NcDebugPrint(&Block); ; 144 : NcDebugPrint(&Block);
; 132 :
; 133 : ULONG ByteSize = NcCalcBlockSizeInBytes(&Block);
; 134 : ULONG InstSize = NcCountInstructions(&Block);
; 135 :
; 136 : printf("Bytes: %u, Insts: %u, FlagsMeme: %u.\n", ByteSize, InstSize, Obf.Flags);
; 137 :
; 138 : ULONG AsmSize;
; 139 : PVOID Asm = NcAssemble(&Block, &AsmSize);
; 140 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
; 141 : typedef ULONG(*FnGetFour)();
; 142 : printf("numba is: %u size is %u\n\n", ((FnGetFour)Exec)(), AsmSize);
; 143 : PutToFile(Asm, AsmSize);*/
; 144 :
; 145 : ; 145 :
; 146 : //PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1)); ; 146 : ULONG ByteSize = NcCalcBlockSizeInBytes(&Block);
; 147 : //PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2)); ; 147 : ULONG InstSize = NcCountInstructions(&Block);
; 148 : //PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776); ; 148 :
; 149 : //PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776); ; 149 : printf("Bytes: %u, Insts: %u, FlagsMeme: %u.\n", ByteSize, InstSize, Obf.Flags);
; 150 : //PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst); ; 150 :
; 151 : //PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst); ; 151 : ULONG AsmSize;
; 152 : ; 152 : PVOID Asm = NcAssemble(&Block, &AsmSize);
; 153 : //NcAppendToBlock(Pre1, Return1776); ; 153 : PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
; 154 : //NcInsertBlockAfter(Pre1->End, Post1, 0); ; 154 : typedef ULONG(*FnGetFour)();
; 155 : //Pre1->End = Post1->End; ; 155 : printf("numba is: %u size is %u\n\n", ((FnGetFour)Exec)(), AsmSize);
; 156 : //NcInsertBlockAfter(Pre1->End, Pre2, 0); ; 156 : PutToFile(Asm, AsmSize);*/
; 157 : //Pre1->End = Pre2->End; ; 157 :
; 158 : //NcAppendToBlock(Pre1, RetInst); ; 158 :
; 159 : //NcInsertBlockAfter(Pre1->End, Post2, 0); ; 159 : //PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
; 160 : //Pre1->End = Post2->End; ; 160 : //PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2));
; 161 : ; 161 : //PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776);
; 162 : ///*Pre->Start = Return1776; ; 162 : //PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776);
; 163 : //Pre->End = Return1776;*/ ; 163 : //PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst);
; 164 : ; 164 : //PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst);
; 165 : //for (ULONG i = 0; i < Return1776->RawDataSize; i++) ; 165 :
; 166 : // Return1776->RawData[i] = (UCHAR)rand(); ; 166 : //NcAppendToBlock(Pre1, Return1776);
; 167 : //for (ULONG i = 0; i < RetInst->RawDataSize; i++) ; 167 : //NcInsertBlockAfter(Pre1->End, Post1, 0);
; 168 : // RetInst->RawData[i] = (UCHAR)rand(); ; 168 : //Pre1->End = Post1->End;
; 169 : ; 169 : //NcInsertBlockAfter(Pre1->End, Pre2, 0);
; 170 : ; 170 : //Pre1->End = Pre2->End;
; 171 : ; 171 : //NcAppendToBlock(Pre1, RetInst);
; 172 : //ULONG AsmLen; ; 172 : //NcInsertBlockAfter(Pre1->End, Post2, 0);
; 173 : //PVOID Asm = NcAssemble(Pre1, &AsmLen); ; 173 : //Pre1->End = Post2->End;
; 174 : //PUCHAR Tb = (PUCHAR)Asm; ; 174 :
; 175 : //for (uint32_t i = 0; i < AsmLen; i++) ; 175 : ///*Pre->Start = Return1776;
; 176 : //{ ; 176 : //Pre->End = Return1776;*/
; 177 : // std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' '; ; 177 :
; 178 : //} ; 178 : //for (ULONG i = 0; i < Return1776->RawDataSize; i++)
; 179 : ; 179 : // Return1776->RawData[i] = (UCHAR)rand();
; 180 : //system("pause"); ; 180 : //for (ULONG i = 0; i < RetInst->RawDataSize; i++)
; 181 : ; 181 : // RetInst->RawData[i] = (UCHAR)rand();
; 182 : //typedef ULONG64(*FnGet1776)(); ; 182 :
; 183 : //FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen); ; 183 :
; 184 : //if (ExecBuffer) ; 184 :
; 185 : //{ ; 185 : //ULONG AsmLen;
; 186 : // printf("The numba was: %X\n", ExecBuffer()); ; 186 : //PVOID Asm = NcAssemble(Pre1, &AsmLen);
; 187 : // printf("The numba was: %X\n", ExecBuffer()); ; 187 : //PUCHAR Tb = (PUCHAR)Asm;
; 188 : ; 188 : //for (uint32_t i = 0; i < AsmLen; i++)
; 189 : // printf("The numba was: %X\n", ExecBuffer()); ; 189 : //{
; 190 : ; 190 : // std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
; 191 : // printf("The numba was: %X\n", ExecBuffer()); ; 191 : //}
; 192 : ; 192 :
; 193 : //} ; 193 : //system("pause");
; 194 : ; 194 :
; 195 : ; 195 : //typedef ULONG64(*FnGet1776)();
; 196 : //NcDebugPrint(Post); ; 196 : //FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen);
; 197 : ; 197 : //if (ExecBuffer)
; 198 : ; 198 : //{
; 199 : ; 199 : // printf("The numba was: %X\n", ExecBuffer());
; 200 : /*NATIVE_CODE_BLOCK Block; ; 200 : // printf("The numba was: %X\n", ExecBuffer());
; 201 : NcDisassemble(&Block, TestBuffer, TestBufferSize); ; 201 :
; 202 : PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1)); ; 202 : // printf("The numba was: %X\n", ExecBuffer());
; 203 : ; 203 :
; 204 : NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink); ; 204 : // printf("The numba was: %X\n", ExecBuffer());
; 205 : ULONG AssembledSize; ; 205 :
; 206 : PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize); ; 206 : //}
; 207 : if (!AssembledBlock || !AssembledSize) ; 207 :
; 208 : { ; 208 :
; 209 : printf("Something failed nicka.\n"); ; 209 : //NcDebugPrint(Post);
; 210 : system("pause"); ; 210 :
; 211 : return -1; ; 211 :
; 212 : } ; 212 :
; 213 : PUCHAR Tb = (PUCHAR)AssembledBlock; ; 213 : /*NATIVE_CODE_BLOCK Block;
; 214 : for (uint32_t i = 0; i < AssembledSize; i++) ; 214 : NcDisassemble(&Block, TestBuffer, TestBufferSize);
; 215 : { ; 215 : PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
; 216 : std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' '; ; 216 :
; 217 : } ; 217 : NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink);
; 218 : */ ; 218 : ULONG AssembledSize;
; 219 : ; 219 : PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize);
; 220 : ; 220 : if (!AssembledBlock || !AssembledSize)
; 221 : //PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End); ; 221 : {
; 222 : //NcDebugPrint(OpaqueBranch); ; 222 : printf("Something failed nicka.\n");
; 223 : ; 223 : system("pause");
; 224 : ; 224 : return -1;
; 225 : ; 225 : }
; 226 : /*NATIVE_CODE_LINK T; ; 226 : PUCHAR Tb = (PUCHAR)AssembledBlock;
; 227 : T.RawDataSize = 10; ; 227 : for (uint32_t i = 0; i < AssembledSize; i++)
; 228 : T.RawData = new UCHAR[10]; ; 228 : {
; 229 : memset(T.RawData, 0xAA, 10); ; 229 : std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
; 230 : JIT_BITWISE_DATA Data; ; 230 : }
; 231 : RtlSecureZeroMemory(&Data, sizeof(JIT_BITWISE_DATA)); ; 231 : */
; 232 : PNATIVE_CODE_BLOCK NewBlock = JitEmitPreRipMov(&T); ; 232 :
; 233 : if (NewBlock) ; 233 :
; 234 : { ; 234 : //PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End);
; 235 : printf("\n"); ; 235 : //NcDebugPrint(OpaqueBranch);
; 236 : NcDebugPrint(NewBlock); ; 236 :
; 237 : printf("\n"); ; 237 :
; 238 : NcPrintBlockCode(NewBlock); ; 238 :
; 239 : } ; 239 : /*NATIVE_CODE_LINK T;
; 240 : system("pause");*/ ; 240 : T.RawDataSize = 10;
; 241 : ; 241 : T.RawData = new UCHAR[10];
; 242 : } ; 242 : memset(T.RawData, 0xAA, 10);
; 243 : JIT_BITWISE_DATA Data;
0018f 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp] ; 244 : RtlSecureZeroMemory(&Data, sizeof(JIT_BITWISE_DATA));
00193 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ ; 245 : PNATIVE_CODE_BLOCK NewBlock = JitEmitPreRipMov(&T);
00198 eb 02 jmp SHORT $LN6@main ; 246 : if (NewBlock)
0019a eb 02 jmp SHORT $LN5@main ; 247 : {
; 248 : printf("\n");
; 249 : NcDebugPrint(NewBlock);
; 250 : printf("\n");
; 251 : NcPrintBlockCode(NewBlock);
; 252 : }
; 253 : system("pause");*/
; 254 :
; 255 : }
001d1 48 8d 4d 08 lea rcx, QWORD PTR RetNumBlock$[rbp]
001d5 e8 00 00 00 00 call ??1_NATIVE_CODE_BLOCK@@QEAA@XZ
001da eb 02 jmp SHORT $LN6@main
001dc eb 02 jmp SHORT $LN5@main
$LN6@main: $LN6@main:
0019c 33 c0 xor eax, eax 001de 33 c0 xor eax, eax
$LN5@main: $LN5@main:
0019e 48 8b f8 mov rdi, rax 001e0 48 8b f8 mov rdi, rax
001a1 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 001e3 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32]
001a5 48 8d 15 00 00 001e7 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:main$rtcFrameData 00 00 lea rdx, OFFSET FLAT:main$rtcFrameData
001ac e8 00 00 00 00 call _RTC_CheckStackVars 001ee e8 00 00 00 00 call _RTC_CheckStackVars
001b1 48 8b c7 mov rax, rdi 001f3 48 8b c7 mov rax, rdi
001b4 48 8b 8d d0 01 001f6 48 8b 8d d8 01
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
001bb 48 33 cd xor rcx, rbp 001fd 48 33 cd xor rcx, rbp
001be e8 00 00 00 00 call __security_check_cookie 00200 e8 00 00 00 00 call __security_check_cookie
001c3 48 8d a5 e8 01 00205 48 8d a5 e8 01
00 00 lea rsp, QWORD PTR [rbp+488] 00 00 lea rsp, QWORD PTR [rbp+488]
001ca 5f pop rdi 0020c 5f pop rdi
001cb 5d pop rbp 0020d 5d pop rbp
001cc c3 ret 0 0020e c3 ret 0
main ENDP main ENDP
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -9084,10 +9139,11 @@ AsmSize$ = 132
Asm$ = 168 Asm$ = 168
Exec$ = 200 Exec$ = 200
$T6 = 420 $T6 = 420
tv134 = 440 tv143 = 440
tv128 = 448 tv132 = 448
tv132 = 456 tv141 = 456
__$ArrayPad$ = 464 tv139 = 464
__$ArrayPad$ = 472
main$dtor$0 PROC main$dtor$0 PROC
00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx
@ -9112,10 +9168,11 @@ AsmSize$ = 132
Asm$ = 168 Asm$ = 168
Exec$ = 200 Exec$ = 200
$T6 = 420 $T6 = 420
tv134 = 440 tv143 = 440
tv128 = 448 tv132 = 448
tv132 = 456 tv141 = 456
__$ArrayPad$ = 464 tv139 = 464
__$ArrayPad$ = 472
main$dtor$0 PROC main$dtor$0 PROC
00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx 00000 48 89 4c 24 08 mov QWORD PTR [rsp+8], rcx
00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx 00005 48 89 54 24 10 mov QWORD PTR [rsp+16], rdx
