lol, forgot that needa actually copy the instruction

main
James 3 years ago
parent feaed17402
commit 9ccd3a5eae

@ -4,5 +4,6 @@
#define CODE_FLAG_IS_LABEL (1<<0) #define CODE_FLAG_IS_LABEL (1<<0)
#define CODE_FLAG_IS_REL_JMP (1<<1) #define CODE_FLAG_IS_REL_JMP (1<<1)
#define CODE_FLAG_IS_INST (1<<2) #define CODE_FLAG_IS_INST (1<<2)
#define CODE_FLAG_DO_NOT_DIVIDE (1<<3)
#endif #endif

@ -149,10 +149,12 @@
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="Junk.cpp" />
<ClCompile Include="NativeCode.cpp" /> <ClCompile Include="NativeCode.cpp" />
<ClCompile Include="Main.cpp" /> <ClCompile Include="Main.cpp" />
<ClCompile Include="Nop.cpp" /> <ClCompile Include="Nop.cpp" />
<ClCompile Include="Obfuscator.cpp" /> <ClCompile Include="Obfuscator.cpp" />
<ClCompile Include="OpaqueBranching.cpp" />
<ClCompile Include="RipMovInst.cpp" /> <ClCompile Include="RipMovInst.cpp" />
<ClCompile Include="RipXorInst.cpp" /> <ClCompile Include="RipXorInst.cpp" />
<ClCompile Include="Virtualizer.cpp" /> <ClCompile Include="Virtualizer.cpp" />
@ -162,9 +164,11 @@
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="Code.h" /> <ClInclude Include="Code.h" />
<ClInclude Include="Junk.h" />
<ClInclude Include="NativeCode.h" /> <ClInclude Include="NativeCode.h" />
<ClInclude Include="Nop.h" /> <ClInclude Include="Nop.h" />
<ClInclude Include="Obfuscator.h" /> <ClInclude Include="Obfuscator.h" />
<ClInclude Include="OpaqueBranching.h" />
<ClInclude Include="RipMovInst.h" /> <ClInclude Include="RipMovInst.h" />
<ClInclude Include="RipXorInst.h" /> <ClInclude Include="RipXorInst.h" />
<ClInclude Include="Virtualizer.h" /> <ClInclude Include="Virtualizer.h" />

@ -21,10 +21,10 @@
<Filter>VirtualMachine</Filter> <Filter>VirtualMachine</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="RipXorInst.h"> <ClInclude Include="RipXorInst.h">
<Filter>Obfuscator\RipXorInst</Filter> <Filter>Obfuscator\Jit\RipXorInst</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="RipMovInst.h"> <ClInclude Include="RipMovInst.h">
<Filter>Obfuscator\RipMovInst</Filter> <Filter>Obfuscator\Jit\RipMovInst</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="Obfuscator.h"> <ClInclude Include="Obfuscator.h">
<Filter>Obfuscator</Filter> <Filter>Obfuscator</Filter>
@ -32,6 +32,12 @@
<ClInclude Include="Nop.h"> <ClInclude Include="Nop.h">
<Filter>Obfuscator\Nop</Filter> <Filter>Obfuscator\Nop</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="Junk.h">
<Filter>Obfuscator\Branching\Junk</Filter>
</ClInclude>
<ClInclude Include="OpaqueBranching.h">
<Filter>Obfuscator\Branching\OpaqueBranching</Filter>
</ClInclude>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="Main.cpp" /> <ClCompile Include="Main.cpp" />
@ -51,10 +57,10 @@
<Filter>VirtualMachine</Filter> <Filter>VirtualMachine</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="RipXorInst.cpp"> <ClCompile Include="RipXorInst.cpp">
<Filter>Obfuscator\RipXorInst</Filter> <Filter>Obfuscator\Jit\RipXorInst</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="RipMovInst.cpp"> <ClCompile Include="RipMovInst.cpp">
<Filter>Obfuscator\RipMovInst</Filter> <Filter>Obfuscator\Jit\RipMovInst</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="Obfuscator.cpp"> <ClCompile Include="Obfuscator.cpp">
<Filter>Obfuscator</Filter> <Filter>Obfuscator</Filter>
@ -62,6 +68,12 @@
<ClCompile Include="Nop.cpp"> <ClCompile Include="Nop.cpp">
<Filter>Obfuscator\Nop</Filter> <Filter>Obfuscator\Nop</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="Junk.cpp">
<Filter>Obfuscator\Branching\Junk</Filter>
</ClCompile>
<ClCompile Include="OpaqueBranching.cpp">
<Filter>Obfuscator\Branching\OpaqueBranching</Filter>
</ClCompile>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<Filter Include="Xed"> <Filter Include="Xed">
@ -79,14 +91,32 @@
<Filter Include="Obfuscator"> <Filter Include="Obfuscator">
<UniqueIdentifier>{cc5b78db-cdf7-4b83-9652-2722cbdec89e}</UniqueIdentifier> <UniqueIdentifier>{cc5b78db-cdf7-4b83-9652-2722cbdec89e}</UniqueIdentifier>
</Filter> </Filter>
<Filter Include="Obfuscator\RipMovInst"> <Filter Include="Obfuscator\Nop">
<UniqueIdentifier>{4b1bac75-b456-46a5-ad8b-453ffef9eef9}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Branching">
<UniqueIdentifier>{3e2b0e35-a45c-42c4-9a63-df17442bd6eb}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Jit">
<UniqueIdentifier>{53f6966d-c6e0-422a-9e72-e94a5bab8958}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Jit\RipAndInst">
<UniqueIdentifier>{a15ab2ae-ba21-4f72-b110-ed3012cfefde}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Jit\RipOrInst">
<UniqueIdentifier>{aa4e6b0f-dd50-41e7-bc46-5dc8a6b44a62}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Jit\RipMovInst">
<UniqueIdentifier>{7040cc27-0179-47d5-9908-962d224b8c6e}</UniqueIdentifier> <UniqueIdentifier>{7040cc27-0179-47d5-9908-962d224b8c6e}</UniqueIdentifier>
</Filter> </Filter>
<Filter Include="Obfuscator\RipXorInst"> <Filter Include="Obfuscator\Jit\RipXorInst">
<UniqueIdentifier>{51b7ca69-a7e9-4634-9eb2-d70f211fe2d2}</UniqueIdentifier> <UniqueIdentifier>{51b7ca69-a7e9-4634-9eb2-d70f211fe2d2}</UniqueIdentifier>
</Filter> </Filter>
<Filter Include="Obfuscator\Nop"> <Filter Include="Obfuscator\Branching\Junk">
<UniqueIdentifier>{4b1bac75-b456-46a5-ad8b-453ffef9eef9}</UniqueIdentifier> <UniqueIdentifier>{a280c509-ba7e-4660-93fb-459ffe274a17}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Branching\OpaqueBranching">
<UniqueIdentifier>{9b60f523-bf84-4740-9ee6-b8f34a317078}</UniqueIdentifier>
</Filter> </Filter>
</ItemGroup> </ItemGroup>
</Project> </Project>

@ -0,0 +1 @@
#include "Junk.h"

@ -0,0 +1,9 @@
#ifndef __JUNK_CODE_H
#define __JUNK_CODE_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
#endif
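Review bot: The include guard `__JUNK_CODE_H` contains a double underscore, and the C++ standard reserves such identifiers for the implementation. `JUNK_CODE_H` avoids the clash, as would `#pragma once`, which MSVC supports. The same applies to `__OPAQUE_BRANCHING_H` in OpaqueBranching.h.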

@ -282,6 +282,64 @@ PNATIVE_CODE_LINK NcValidateJmp(PNATIVE_CODE_LINK Jmp, INT32 Delta)
return Jmp; return Jmp;
} }
PNATIVE_CODE_LINK NcDeepCopy(PNATIVE_CODE_LINK Link)
{
if (Link->Flags & CODE_FLAG_IS_LABEL)
{
return new NATIVE_CODE_LINK(Link->Label, NULL);
}
else
{
XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&Link->XedInst);
printf("Doing %s\n", XedIClassEnumToString(IClass));
PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(Link->Flags, Link->RawData, Link->RawDataSize);
NewLink->Label = Link->Label;
XED_ERROR_ENUM DecodeError = XedDecode(&NewLink->XedInst, Link->RawData, Link->RawDataSize);
if (DecodeError != XED_ERROR_NONE)
{
printf("XedDecode failed in NcDeepCopy: %s\n", XedErrorEnumToString(DecodeError));
delete NewLink;
return NULL;
}
printf("succeeded\n");
return NewLink;
}
}
PNATIVE_CODE_BLOCK NcDeepCopyPartialBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End)
{
if (!Start || !End)
return NULL;
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
if (!Block)
return NULL;
for (PNATIVE_CODE_LINK CurLink = Start; CurLink != End->Next; CurLink = CurLink->Next)
{
PNATIVE_CODE_LINK Temp = NcDeepCopy(CurLink);
if (!Temp)
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
if (Temp->Flags & CODE_FLAG_IS_REL_JMP)
Block->HasRelativeJumps = TRUE;
NcAppendToBlock(Block, Temp);
}
return Block;
}
PNATIVE_CODE_BLOCK NcDeepCopyBlock(PNATIVE_CODE_BLOCK Block)
{
return NcDeepCopyPartialBlock(Block->Start, Block->End);
}
BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize) BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize)
{ {
PUCHAR Buf = (PUCHAR)Buffer; PUCHAR Buf = (PUCHAR)Buffer;
@ -296,12 +354,13 @@ BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize)
if (DecodeError != XED_ERROR_NONE) if (DecodeError != XED_ERROR_NONE)
{ {
printf("XedDecode failed with error %s\n", XedErrorEnumToString(DecodeError)); printf("XedDecode failed with error %s\n", XedErrorEnumToString(DecodeError));
NcDelete(Block); NcDeleteBlock(Block);
delete Link; delete Link;
return FALSE; return FALSE;
} }
Link->RawDataSize = XedDecodedInstGetLength(&Link->XedInst); Link->RawDataSize = XedDecodedInstGetLength(&Link->XedInst);
Link->RawData = new UCHAR[Link->RawDataSize]; Link->RawData = new UCHAR[Link->RawDataSize];
memcpy(Link->RawData, (Buf + Offset), Link->RawDataSize);
NcAppendToBlock(Block, Link); NcAppendToBlock(Block, Link);
@ -315,10 +374,10 @@ BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize)
PVOID NcAssemble(PNATIVE_CODE_BLOCK Block) PVOID NcAssemble(PNATIVE_CODE_BLOCK Block)
{ {
return NULL;
} }
VOID NcDelete(PNATIVE_CODE_BLOCK Block) VOID NcDeleteBlock(PNATIVE_CODE_BLOCK Block)
{ {
for (PNATIVE_CODE_LINK T = Block->Start; T;) for (PNATIVE_CODE_LINK T = Block->Start; T;)
{ {
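Review bot: In NcDeepCopyPartialBlock the loop condition `CurLink != End->Next` never tests CurLink itself. If End is not reachable from Start and End->Next is non-NULL, the walk runs off the list and NcDeepCopy dereferences a null pointer at `Link->Flags`. Guard the walk with `for (PNATIVE_CODE_LINK CurLink = Start; CurLink && CurLink != End->Next; CurLink = CurLink->Next)`, and consider returning NULL (after NcDeleteBlock and delete) when the list ends before End is met, so callers do not receive a silently over-long copy. NcDeepCopyBlock likewise reads `Block->Start` without a NULL check, and the `if (!Block)` test after a plain `new` is presumably dead because a failing `new` throws. The `printf("Doing %s\n", ...)` and `printf("succeeded\n")` lines in NcDeepCopy look like leftover debug output.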

@ -55,11 +55,17 @@ BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block);
PNATIVE_CODE_LINK NcValidateJmp(PNATIVE_CODE_LINK Link, INT32 Delta); PNATIVE_CODE_LINK NcValidateJmp(PNATIVE_CODE_LINK Link, INT32 Delta);
PNATIVE_CODE_LINK NcDeepCopy(PNATIVE_CODE_LINK Link);
PNATIVE_CODE_BLOCK NcDeepCopyPartialBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End);
PNATIVE_CODE_BLOCK NcDeepCopyBlock(PNATIVE_CODE_BLOCK Block);
BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize); BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize);
PVOID NcAssemble(PNATIVE_CODE_BLOCK Block); PVOID NcAssemble(PNATIVE_CODE_BLOCK Block);
VOID NcDelete(PNATIVE_CODE_BLOCK Block); VOID NcDeleteBlock(PNATIVE_CODE_BLOCK Block);
VOID NcDebugPrint(PNATIVE_CODE_BLOCK Block); VOID NcDebugPrint(PNATIVE_CODE_BLOCK Block);

@ -0,0 +1 @@
#include "OpaqueBranching.h"

@ -0,0 +1,11 @@
#ifndef __OPAQUE_BRANCHING_H
#define __OPAQUE_BRANCHING_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
VOID ObfGenerateOpaqueBranch(PNATIVE_CODE_LINK Start, ULONG Length);
#endif
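Review bot: `ObfGenerateOpaqueBranch(PNATIVE_CODE_LINK Start, ULONG Length)` is declared with no comment on what `Length` counts or how a failure is reported, given the `VOID` return. OpaqueBranching.cpp in this commit holds only the include, so any call would fail at link time until a definition lands. I would add a line above the prototype such as `// Length: number of links (not bytes) starting at Start; not yet implemented`. The unit is a guess, since no definition is visible, and should be corrected if wrong.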

@ -61,7 +61,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToIns
system("pause"); system("pause");
if (!ObfEmitRipRelativeMovD(Block, RipDelta, DataOffset)) if (!ObfEmitRipRelativeMovD(Block, RipDelta, DataOffset))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -76,7 +76,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToIns
RipDelta += DeltaToInst; RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeMovW(Block, RipDelta, DataOffset)) if (!ObfEmitRipRelativeMovW(Block, RipDelta, DataOffset))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -90,7 +90,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToIns
RipDelta += DeltaToInst; RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeMovB(Block, RipDelta, DataOffset)) if (!ObfEmitRipRelativeMovB(Block, RipDelta, DataOffset))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -124,7 +124,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToIn
RipDelta += DeltaToInst; RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeMovD(Block, RipDelta, (PUCHAR)&ZeroValue)) if (!ObfEmitRipRelativeMovD(Block, RipDelta, (PUCHAR)&ZeroValue))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -140,7 +140,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToIn
RipDelta += DeltaToInst; RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeMovW(Block, RipDelta, (PUCHAR)&ZeroValue)) if (!ObfEmitRipRelativeMovW(Block, RipDelta, (PUCHAR)&ZeroValue))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -156,7 +156,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToIn
RipDelta += DeltaToInst; RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeMovB(Block, RipDelta, (PUCHAR)&ZeroValue)) if (!ObfEmitRipRelativeMovB(Block, RipDelta, (PUCHAR)&ZeroValue))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }

@ -164,7 +164,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X
if (SaveFlags && !ObfEmitPushfqInst(Block)) if (SaveFlags && !ObfEmitPushfqInst(Block))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -183,7 +183,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X
//Add the actual instruction //Add the actual instruction
if (!ObfEmitRipRelativeXorD(Block, RipDelta, XorData->Data[FourByte-Count])) if (!ObfEmitRipRelativeXorD(Block, RipDelta, XorData->Data[FourByte-Count]))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -199,7 +199,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X
RipDelta += DeltaToInst; RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeXorW(Block, RipDelta, XorData->Data[3])) if (!ObfEmitRipRelativeXorW(Block, RipDelta, XorData->Data[3]))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -214,7 +214,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X
RipDelta += DeltaToInst; RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeXorB(Block, RipDelta, XorData->Data[4])) if (!ObfEmitRipRelativeXorB(Block, RipDelta, XorData->Data[4]))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -222,7 +222,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X
if (SaveFlags && !ObfEmitPopfqInst(Block)) if (SaveFlags && !ObfEmitPopfqInst(Block))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -242,7 +242,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA
if (SaveFlags && !ObfEmitPushfqInst(Block)) if (SaveFlags && !ObfEmitPushfqInst(Block))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -258,7 +258,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA
RipDelta += DeltaToInst; RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeXorD(Block, RipDelta, XorData->Data[FourByte - Count])) if (!ObfEmitRipRelativeXorD(Block, RipDelta, XorData->Data[FourByte - Count]))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -276,7 +276,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA
RipDelta += DeltaToInst; RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeXorW(Block, RipDelta, XorData->Data[3])) if (!ObfEmitRipRelativeXorW(Block, RipDelta, XorData->Data[3]))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -294,7 +294,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA
RipDelta += DeltaToInst; RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeXorB(Block, RipDelta, XorData->Data[4])) if (!ObfEmitRipRelativeXorB(Block, RipDelta, XorData->Data[4]))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }
@ -302,7 +302,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA
if (SaveFlags && !ObfEmitPopfqInst(Block)) if (SaveFlags && !ObfEmitPopfqInst(Block))
{ {
NcDelete(Block); NcDeleteBlock(Block);
delete Block; delete Block;
return NULL; return NULL;
} }

Binary file not shown.