Iizerd 3 years ago
parent 0acd3b7030
commit 3e73d359b8

@ -27,7 +27,9 @@ PVOID MakeExecutableBuffer(PVOID Buffer, ULONG BufferSize)
VOID PutToFile(PVOID Buffer, ULONG BufferSize)
{
std::ofstream fout;
fout.open("C:\\Users\\Iizerd\\Desktop\\Leeg Hake\\Test.m", std::ios::binary | std::ios::out);
//
fout.open("C:\\Users\\James\\Desktop\\fantern\\Test.m", std::ios::binary | std::ios::out);
//fout.open("C:\\Users\\Iizerd\\Desktop\\Leeg Hake\\Test.m", std::ios::binary | std::ios::out);
fout.write((PCHAR)Buffer, BufferSize);
fout.close();
}
@ -91,22 +93,27 @@ int main()
XedTablesInit();
srand(time(NULL));
system("pause");
NATIVE_CODE_BLOCK RetNumBlock;
NcDisassemble(&RetNumBlock, RetNumCode, sizeof(RetNumCode));
OBFUSCATOR Obf;
Obf.Flags = 0;
Obf.MinSizeForOpaqueBranch = 1;
Obf.InstructionMutateChance = 0;
Obf.InstructionMutateChance = 100;
Obf.OpaqueBranchChance = 100;
Obf.MinDepthForRandomOpaqueBranch = 0;
Obf.GlobalBlock = &RetNumBlock;
Obf.BlockDivisionFactor = 2;
Obf.InstructionMutateChance = 100;
Obf.MaxDepth = 800000;
ObfObfuscate1(&Obf, &RetNumBlock);
Obf.MinSizeForOpaqueBranch = 5;
Obf.InstructionMutateChance = 0;
Obf.OpaqueBranchChance = 100;
ObfObfuscate1(&Obf, &RetNumBlock, 0);
Obf.MinSizeForOpaqueBranch = 50;
Obf.InstructionMutateChance = 50;
ObfObfuscate1(&Obf, &RetNumBlock);
ObfObfuscate1(&Obf, &RetNumBlock, 0);
printf("Finished second pas.\n");
//Obf.MinSizeForOpaqueBranch = 200;
@ -114,6 +121,7 @@ int main()
//Obf.MinSizeForOpaqueBranch = 30;
//ObfObfuscate(&Obf, &RetNumBlock);
NcDebugPrint(&RetNumBlock);
ULONG AsmSize;
PVOID Asm = NcAssemble(&RetNumBlock, &AsmSize);
@ -129,6 +137,7 @@ int main()
PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
typedef ULONG64(*FnRetNum)(ULONG Num);
printf("\n\nSize: %u Obfuscated: %llu Original: %llu\n\n", NcCountInstructions(&RetNumBlock), ((FnRetNum)Exec)(1776), RetNum(1776));
NcDeleteBlock(&RetNumBlock);
system("pause");
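Review bot: In PutToFile the new `fout.open` targets a hard-coded per-user absolute path and its result is never checked, so if that directory does not exist on the machine running the harness `fout.write` silently writes nothing and main carries on as if the dump had succeeded. Add `if (!fout.is_open()) { printf("PutToFile: failed to open output file.\n"); return; }` after the open, and consider taking the output path as a parameter instead of swapping it by editing the source (the commented-out sibling line suggests it is changed by hand per machine). In main, `Obf.MaxDepth = 800000;` deserves a comment: if ObfObfuscate1 recurses one native frame per depth level, as the `Depth + 1` calls elsewhere in this commit suggest, a bound of 800000 will not stop a runaway recursion before the default stack is exhausted, so either document it as "effectively unlimited" or pick a bound that can actually trigger. The body of main continues outside these hunks.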

@ -121,13 +121,15 @@ VOID NcUnlink(PNATIVE_CODE_LINK Link)
}
}
ULONG NcCountInstructions(PNATIVE_CODE_BLOCK Block)
ULONG NcCountInstructions(PNATIVE_CODE_BLOCK Block, BOOL CountCombinedAsOne)
{
ULONG InstructionCount = 0;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
continue;
if (CountCombinedAsOne && T->Next && (T->Flags & CODE_FLAG_DO_NOT_DIVIDE) && !(T->Next->Flags & CODE_FLAG_DO_NOT_DIVIDE))
continue;
++InstructionCount;
}
return InstructionCount;
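Review bot: The new `CountCombinedAsOne` branch in NcCountInstructions skips only a link that carries CODE_FLAG_DO_NOT_DIVIDE and whose successor does not, i.e. exactly one link per combined run, so a run of k flagged links is counted as k-1 rather than as one, and a run whose last member is `Block->End` is never reduced at all because of the `T->Next &&` guard. I cannot see from here which links of a combined group carry the flag: if every member carries it, the condition wanted is `if (CountCombinedAsOne && T->Next && (T->Flags & CODE_FLAG_DO_NOT_DIVIDE) && (T->Next->Flags & CODE_FLAG_DO_NOT_DIVIDE)) continue;` (count once, at the last member); if only the first n-1 carry it, skip every flagged link and let the unflagged terminator count. Either way the parameter needs a comment stating that contract, e.g. `// CountCombinedAsOne: count a run of consecutive CODE_FLAG_DO_NOT_DIVIDE links as a single instruction`. The function's closing brace lies outside the hunk.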

@ -41,7 +41,7 @@ VOID NcInsertLinkBefore(PNATIVE_CODE_LINK Link1, PNATIVE_CODE_LINK Link2);
VOID NcUnlink(PNATIVE_CODE_LINK Link);
ULONG NcCountInstructions(PNATIVE_CODE_BLOCK Block);
ULONG NcCountInstructions(PNATIVE_CODE_BLOCK Block, BOOL CountCombinedAsOne = FALSE);
ULONG NcCalcBlockSizeInBytes(PNATIVE_CODE_BLOCK Block);

@ -5,7 +5,11 @@
VOID ObfObfuscate1(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block, ULONG Depth)
{
ULONG InstructionCount = NcCountInstructions(Block);
if (Depth > Obf->MaxDepth)
return;
ULONG InstructionCount = NcCountInstructions(Block, FALSE);
printf("Depth: %u, InstCount: %u\n", Depth, InstructionCount);
if (InstructionCount <= Obf->MinSizeForOpaqueBranch)
{
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;)
@ -23,6 +27,13 @@ VOID ObfObfuscate1(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block, ULONG Depth)
PNATIVE_CODE_BLOCK PreOp = JitEmitPreRipMov(T);
PNATIVE_CODE_BLOCK PostOp = JitEmitPostRipMov(T);
if (T->Prev)
T->Prev->Next = PreOp->Start;
PreOp->End->Next = T;
NcInsertBlockBefore(T, PreOp, FALSE);
NcInsertBlockAfter(T, PostOp, FALSE);
@ -31,6 +42,9 @@ VOID ObfObfuscate1(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block, ULONG Depth)
if (Block->End == T)
Block->End = PostOp->End;
delete PreOp;
delete PostOp;
//for (ULONG i = 0; i < T->RawDataSize; i++)
// T->RawData[i] = (UCHAR)(rand() % 255);
@ -43,7 +57,8 @@ VOID ObfObfuscate1(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block, ULONG Depth)
}
else
{
ULONG TargetCount = max(Obf->MinSizeForOpaqueBranch, InstructionCount / ((Obf->Flags & OBF_ATTRIBUTE_RANDOMIZE_DIVISOR) ? (rand() % Obf->BlockDivisionFactor) : Obf->BlockDivisionFactor)); // max(Obf->MinBlockSize, InstructionCount / Obf->BlockDivisionFactor);
//ULONG TargetCount = max(Obf->MinSizeForOpaqueBranch, InstructionCount / ((Obf->Flags & OBF_ATTRIBUTE_RANDOMIZE_DIVISOR) ? (rand() % Obf->BlockDivisionFactor) : Obf->BlockDivisionFactor)); // max(Obf->MinBlockSize, InstructionCount / Obf->BlockDivisionFactor);
ULONG TargetCount = (InstructionCount / ((Obf->Flags & OBF_ATTRIBUTE_RANDOMIZE_DIVISOR) ? (rand() % Obf->BlockDivisionFactor) : Obf->BlockDivisionFactor)); // max(Obf->MinBlockSize, InstructionCount / Obf->BlockDivisionFactor);
ULONG CurrentCount = 0;
PNATIVE_CODE_LINK NewBlockStart = Block->Start;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;)
@ -62,9 +77,9 @@ VOID ObfObfuscate1(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block, ULONG Depth)
continue;
}
if (CurrentCount == TargetCount)
if (CurrentCount >= TargetCount)
{
if (Depth >= Obf->MinDepthForRandomOpaqueBranch && (rand() % 100) <= Obf->OpaqueBranchChance)
if (Depth >= Obf->MinDepthForRandomOpaqueBranch && (rand() % 100) <= Obf->OpaqueBranchChance && CurrentCount <= Obf->MinSizeForOpaqueBranch)
{
NATIVE_CODE_BLOCK NotTaken, Taken;
ObfCreateOpaqueBranches(NewBlockStart, T, &NotTaken, &Taken);
@ -89,15 +104,27 @@ VOID ObfObfuscate1(POBFUSCATOR Obf, PNATIVE_CODE_BLOCK Block, ULONG Depth)
}
T = T->Next;
}
if (NewBlockStart)
/*if (NewBlockStart && CurrentCount >= Obf->MinSizeForOpaqueBranch)
{
NATIVE_CODE_BLOCK NotTaken, Taken;
ObfCreateOpaqueBranches(NewBlockStart, Block->End, &NotTaken, &Taken);
ObfObfuscate1(Obf, &NotTaken, Depth + 1);
ObfObfuscate1(Obf, &Taken, Depth + 1);
ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock));
ObfInsertOpaqueBranchBlock(NewBlockStart, Block->End, &NotTaken);
}
if (Depth >= Obf->MinDepthForRandomOpaqueBranch && (rand() % 100) <= Obf->OpaqueBranchChance && CurrentCount <= Obf->MinSizeForOpaqueBranch)
{
NATIVE_CODE_BLOCK NotTaken, Taken;
ObfCreateOpaqueBranches(NewBlockStart, Block->End, &NotTaken, &Taken);
ObfObfuscate1(Obf, &NotTaken, Depth + 1);
ObfObfuscate1(Obf, &Taken, Depth + 1);
ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->GlobalBlock), NcGenUnusedLabelId(Obf->GlobalBlock));
ObfInsertOpaqueBranchBlock(NewBlockStart, Block->End, &NotTaken);
}
else
{
NATIVE_CODE_BLOCK TempBlock;
if (NcDeepCopyPartialBlock(NewBlockStart, Block->End, &TempBlock))
{
ObfObfuscate1(Obf, &TempBlock, Depth + 1);
ObfInsertOpaqueBranchBlock(NewBlockStart, Block->End, &TempBlock);
}
}
}*/
}
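Review bot: The rewritten `ULONG TargetCount = (InstructionCount / ...` line divides by `rand() % Obf->BlockDivisionFactor` when OBF_ATTRIBUTE_RANDOMIZE_DIVISOR is set, and that modulo can yield 0, which is an integer division by zero; use `(rand() % Obf->BlockDivisionFactor) + 1` (range 1..BlockDivisionFactor) instead. The same line also drops the previous `max(Obf->MinSizeForOpaqueBranch, ...)` floor, so TargetCount can now be 0 whenever InstructionCount is smaller than the divisor, and with the loosened `CurrentCount >= TargetCount` test the block is then split at its very first link — if that is intended it deserves a comment, otherwise `max(1u, ...)` keeps a sane minimum. The new `if (Depth > Obf->MaxDepth) return;` guard is only useful if MaxDepth is small enough that the recursion fits the stack, and the value main sets in this commit (800000) is not. The whole tail-block branch from `/*if (NewBlockStart ...` down to `}*/` is commented out rather than removed, so links after the last split point are no longer processed on this path; if that is a temporary experiment, a `// TODO: tail-block handling disabled, see commit history` above it will stop the next reader from treating it as dead code, and the `printf("Depth: ...")` trace near the top should likewise be marked as debug-only or removed. The parts of ObfObfuscate1 between these hunks are not visible here.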

@ -23,6 +23,7 @@ typedef struct _OBFUSCATOR
ULONG Flags;
PNATIVE_CODE_BLOCK GlobalBlock;
ULONG MaxDepth;
}OBFUSCATOR, *POBFUSCATOR;
BOOL ObfJitInst();

@ -1,4 +1,4 @@
Microsoft (R) Macro Assembler (x64) Version 14.27.29111.0 10/18/21 14:21:08
Microsoft (R) Macro Assembler (x64) Version 14.29.30038.1 10/23/21 14:21:58
Assembly.asm Page 1 - 1
@ -23,7 +23,7 @@ Assembly.asm Page 1 - 1
0000001E NextFunction ENDP
END
Microsoft (R) Macro Assembler (x64) Version 14.27.29111.0 10/18/21 14:21:08
Microsoft (R) Macro Assembler (x64) Version 14.29.30038.1 10/23/21 14:21:58
Assembly.asm Symbols 2 - 1

@ -1,7 +1,11 @@
<?xml version="1.0" encoding="utf-8"?>
<Project>
<ProjectOutputs>C:\$Fanta\code-virtualizer\x64\Debug\CodeVirtualizer.exe</ProjectOutputs>
<ContentFiles></ContentFiles>
<SatelliteDlls></SatelliteDlls>
<NonRecipeFileRefs></NonRecipeFileRefs>
<ProjectOutputs>
<ProjectOutput>
<FullPath>C:\@\Work\code-virtualizer\x64\Debug\CodeVirtualizer.exe</FullPath>
</ProjectOutput>
</ProjectOutputs>
<ContentFiles />
<SatelliteDlls />
<NonRecipeFileRefs />
</Project>
