|
|
@ -71,88 +71,115 @@ bool obf_init_from_buffer(pobfuscator_t obf, void* buffer, int buffer_size)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
bool obf_create_groups(pobfuscator_t obf, int group_size)
|
|
|
|
bool obf_create_groups(pobfuscator_t obf, int32_t group_size)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
//remake cuz this shit broke as fuck
|
|
|
|
int cur_group_id = 0;
|
|
|
|
|
|
|
|
int cur_offset = 0;
|
|
|
|
|
|
|
|
|
|
|
|
//obf->groups.clear();
|
|
|
|
//assign instructions to groups
|
|
|
|
|
|
|
|
for (pcode_link_t t = obf->code_start->next; t; t = t->next)
|
|
|
|
///*if (group_size < 24)
|
|
|
|
{
|
|
|
|
// return false;*/
|
|
|
|
if (!(t->flags & CLFLAG_IS_LABEL))
|
|
|
|
|
|
|
|
{
|
|
|
|
//int cur_group_id = 0, cur_size_in_bytes = 0;
|
|
|
|
if (!(t->flags & CLFLAG_IS_GAGET))
|
|
|
|
//pcode_link_t start = obf->code_start->next;
|
|
|
|
{
|
|
|
|
//for (pcode_link_t t = obf->code_start->next; t;)
|
|
|
|
if (cur_offset + t->raw_data_size > group_size)
|
|
|
|
//{
|
|
|
|
{
|
|
|
|
// pcode_link_t real_next = t->next;
|
|
|
|
++cur_group_id;
|
|
|
|
// if (!(t->flags & CLFLAG_IS_GAGET) && !(t->flags & CLFLAG_IS_LABEL))
|
|
|
|
cur_offset = 0;
|
|
|
|
// {
|
|
|
|
}
|
|
|
|
// if (cur_size_in_bytes + t->raw_data_size /*+ END_OF_GROUP_GAGT_SIZE*/ > group_size)
|
|
|
|
}
|
|
|
|
// {
|
|
|
|
cur_offset += t->raw_data_size;
|
|
|
|
// std::string group_label_name = "Group";
|
|
|
|
t->group = cur_group_id;
|
|
|
|
// group_label_name.append(std::to_string(cur_group_id + 1));
|
|
|
|
}
|
|
|
|
// pcode_link_t lab = new code_link_t;
|
|
|
|
}
|
|
|
|
// lab->flags = CLFLAG_IS_LABEL;
|
|
|
|
|
|
|
|
// lab->label_name = group_label_name;
|
|
|
|
//assign labels to their proper groups
|
|
|
|
// lab->group = cur_group_id;
|
|
|
|
for (pcode_link_t t = obf->code_start->next; t; t = t->next)
|
|
|
|
|
|
|
|
{
|
|
|
|
// pcode_link_t gadget = new code_link_t;
|
|
|
|
if (t->flags & CLFLAG_IS_LABEL)
|
|
|
|
// gadget->flags = 0;
|
|
|
|
{
|
|
|
|
// gadget->label_name = "";
|
|
|
|
pcode_link_t t2 = t;
|
|
|
|
// gadget->raw_data = new unsigned char[6];
|
|
|
|
while (t2 && (t2->flags & CLFLAG_IS_LABEL)) { t2 = t2->next; }
|
|
|
|
// gadget->raw_data_size = 6;
|
|
|
|
if (t2) t->group = t2->group;
|
|
|
|
// gadget->group = cur_group_id;
|
|
|
|
}
|
|
|
|
// unsigned char gadget_data[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
|
|
|
|
}
|
|
|
|
// memcpy(gadget->raw_data, gadget_data, 6);
|
|
|
|
|
|
|
|
|
|
|
|
//create group descriptors
|
|
|
|
// pcode_link_t abs_addr = new code_link_t;
|
|
|
|
obf->groups.clear();
|
|
|
|
// abs_addr->flags = CLFLAG_IS_ABS_ADDR;
|
|
|
|
pcode_link_t start = obf->code_start->next;
|
|
|
|
// abs_addr->label_name = group_label_name;
|
|
|
|
cur_offset = 0;
|
|
|
|
// abs_addr->raw_data = new unsigned char[8];
|
|
|
|
pcode_link_t prev_meme = nullptr;
|
|
|
|
// abs_addr->raw_data_size = 8;
|
|
|
|
for (pcode_link_t t = obf->code_start->next; t; t = t->next)
|
|
|
|
// abs_addr->group = cur_group_id;
|
|
|
|
{
|
|
|
|
|
|
|
|
if (start->group != t->group)
|
|
|
|
// t->prev->next = gadget;
|
|
|
|
{
|
|
|
|
// gadget->next = abs_addr;
|
|
|
|
obf->groups.emplace_back(0, start, t->prev, cur_offset);
|
|
|
|
// abs_addr->next = lab;
|
|
|
|
cur_offset = 0;
|
|
|
|
// lab->next = t;// real_next;
|
|
|
|
start = t;
|
|
|
|
|
|
|
|
}
|
|
|
|
// gadget->prev = t->prev;
|
|
|
|
cur_offset += t->raw_data_size;
|
|
|
|
// abs_addr->prev = gadget;
|
|
|
|
prev_meme = t;
|
|
|
|
// lab->prev = abs_addr;
|
|
|
|
}
|
|
|
|
// t->prev = lab;
|
|
|
|
if (!prev_meme)
|
|
|
|
|
|
|
|
return false;
|
|
|
|
//
|
|
|
|
obf->groups.emplace_back(0, start, prev_meme, cur_offset);
|
|
|
|
|
|
|
|
|
|
|
|
// printf("creating group %d\n", cur_group_id);
|
|
|
|
//append jumps to next group onto end
|
|
|
|
// obf->groups.emplace_back();
|
|
|
|
for (uint32_t i = 0; i < obf->groups.size() - 1; i++)
|
|
|
|
// obf->groups.back().size_in_bytes = cur_size_in_bytes + END_OF_GROUP_GAGT_SIZE;
|
|
|
|
{
|
|
|
|
// obf->groups.back().start = start;
|
|
|
|
pcode_group_t cur_group = &obf->groups[i];
|
|
|
|
// obf->groups.back().base_address = cur_group_id;
|
|
|
|
pcode_group_t next_group = &obf->groups[i+1];
|
|
|
|
// cur_size_in_bytes = 0;
|
|
|
|
|
|
|
|
// cur_group_id++;
|
|
|
|
//add jump gadget to end of current group
|
|
|
|
// start = t;
|
|
|
|
pcode_link_t gadget = new code_link_t;
|
|
|
|
// }
|
|
|
|
gadget->flags = CLFLAG_IS_GAGET;
|
|
|
|
// }
|
|
|
|
gadget->label_name = "";
|
|
|
|
|
|
|
|
gadget->raw_data = new unsigned char[6];
|
|
|
|
// cur_size_in_bytes += t->raw_data_size;
|
|
|
|
gadget->raw_data_size = 6;
|
|
|
|
// t->group = cur_group_id;
|
|
|
|
gadget->group = i;
|
|
|
|
// t = real_next;
|
|
|
|
unsigned char gadget_data[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
|
|
|
|
//}
|
|
|
|
memcpy(gadget->raw_data, gadget_data, 6);
|
|
|
|
|
|
|
|
|
|
|
|
//obf->groups.emplace_back();
|
|
|
|
pcode_link_t abs_addr = new code_link_t;
|
|
|
|
//obf->groups.back().size_in_bytes = cur_size_in_bytes + 16;
|
|
|
|
abs_addr->flags = (CLFLAG_IS_GAGET | CLFLAG_IS_ABS_ADDR);
|
|
|
|
//obf->groups.back().start = start;
|
|
|
|
abs_addr->label_name = std::string("Group") + std::to_string(i + 1);
|
|
|
|
//obf->groups.back().base_address = cur_group_id;
|
|
|
|
abs_addr->raw_data = new unsigned char[8];
|
|
|
|
|
|
|
|
abs_addr->raw_data_size = 8;
|
|
|
|
//return true;
|
|
|
|
abs_addr->group = i;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
pcode_link_t real_next = cur_group->end->next;
|
|
|
|
|
|
|
|
cur_group->end->next = gadget;
|
|
|
|
|
|
|
|
gadget->next = abs_addr;
|
|
|
|
|
|
|
|
abs_addr->next = real_next;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
real_next->prev = abs_addr;
|
|
|
|
|
|
|
|
abs_addr->prev = gadget;
|
|
|
|
|
|
|
|
gadget->prev = cur_group->end;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
cur_group->end = abs_addr;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//add label to beginning of next group
|
|
|
|
|
|
|
|
pcode_link_t next_group_label = new code_link_t;
|
|
|
|
|
|
|
|
next_group_label->flags = CLFLAG_IS_LABEL;
|
|
|
|
|
|
|
|
next_group_label->label_name = std::string("Group") + std::to_string(i + 1);
|
|
|
|
|
|
|
|
next_group_label->group = i + 1;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
pcode_link_t real_prev = next_group->start->prev;
|
|
|
|
|
|
|
|
next_group->start->prev = next_group_label;
|
|
|
|
|
|
|
|
real_prev->next = next_group_label;
|
|
|
|
|
|
|
|
next_group_label->next = next_group->start;
|
|
|
|
|
|
|
|
next_group_label->prev = real_prev;
|
|
|
|
|
|
|
|
next_group->start = next_group_label;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void obf_replace_rel_jmps(pobfuscator_t obf)
|
|
|
|
void obf_replace_rel_jmps(pobfuscator_t obf)
|
|
|
|
|
|
|
|
|
|
|
|
{ // original_jump -------------------------.
|
|
|
|
{ // original_jump -------------------------.
|
|
|
|
// jmp 0x10(0xEB, 0x10) ------------------ | -----.
|
|
|
|
// jmp 0x0E(0xEB, 0x0E) ------------------ | -----.
|
|
|
|
// jmp qword ptr[rip] <----------------' |
|
|
|
|
// jmp qword ptr[rip] <----------------' |
|
|
|
|
// address here(8 bytes) |
|
|
|
|
// address here(8 bytes) |
|
|
|
|
// not taken branch code <-----------------------'
|
|
|
|
// not taken branch code <-----------------------'
|
|
|
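Review bot: The sizing loop in the new `obf_create_groups` (`if (cur_offset + t->raw_data_size > group_size)`) closes a group only when the instruction itself would overrun `group_size`, but the final loop then splices a 6-byte `jmp qword ptr [rip]` gadget plus an 8-byte address onto every group except the last without reserving room for them or adding them to the size passed as the fourth `emplace_back` argument, so any consumer that treats `group_size` as a hard byte budget gets groups up to 14 bytes over it; the commented-out `/*+ END_OF_GROUP_GAGT_SIZE*/` and `cur_size_in_bytes + 16` lines visible in the hunk suggest this was accounted for before. The `if (group_size < 24) return false;` guard is likewise commented out, so a zero or negative `group_size` is never rejected and silently turns every instruction into its own group. I would reserve the trampoline up front and bump the descriptor after the splice, roughly as below (the descriptor's size field is not visible here beyond the `size_in_bytes` name in the commented code, so adjust to whatever the fourth constructor argument maps to). Separately, in the label-assignment loop, a trailing label with no following non-label link (`if (t2) t->group = t2->group;`) keeps whatever `group` value it previously held, which looks stale rather than intentional; falling back to `cur_group_id` would keep it in the last group.
```cpp
bool obf_create_groups(pobfuscator_t obf, int32_t group_size)
{
	// every non-final group gets a 6-byte jmp [rip] gadget + 8-byte target appended below
	constexpr int32_t trampoline_size = 6 + 8;
	if (group_size <= trampoline_size)
		return false;
	// … unchanged: cur_group_id / cur_offset setup …
				if (cur_offset + t->raw_data_size > group_size - trampoline_size)
	// … unchanged: label assignment, descriptor creation …
		cur_group->end = abs_addr;
		cur_group->size_in_bytes += trampoline_size;   // field name per pcode_group_t — confirm
	// … unchanged: next-group label splice …
```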
@ -204,7 +231,7 @@ void obf_replace_rel_jmps(pobfuscator_t obf)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
bool obf_replace_abs_jmps(pobfuscator_t obf)
|
|
|
|
bool obf_resolve_abs_addresses(pobfuscator_t obf)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
for (pcode_link_t t = obf->code_start->next; t; t = t->next)
|
|
|
|
for (pcode_link_t t = obf->code_start->next; t; t = t->next)
|
|
|
|
{
|
|
|
|
{
|
|
|
@ -273,7 +300,6 @@ bool obf_gen_all_labels(pobfuscator_t obf)
|
|
|
|
|
|
|
|
|
|
|
|
bool obf_gen_label(pobfuscator_t obf, pcode_link_t jmp, int32_t delta)
|
|
|
|
bool obf_gen_label(pobfuscator_t obf, pcode_link_t jmp, int32_t delta)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
obf->current_label_id++;
|
|
|
|
|
|
|
|
pcode_link_t temp;
|
|
|
|
pcode_link_t temp;
|
|
|
|
//when going positive, counting starts at NEXT instruction(excluding size of jmp)
|
|
|
|
//when going positive, counting starts at NEXT instruction(excluding size of jmp)
|
|
|
|
//when negative, counting INCLUDES the size of the jmp instructrion
|
|
|
|
//when negative, counting INCLUDES the size of the jmp instructrion
|
|
|
@ -316,7 +342,7 @@ bool obf_gen_label(pobfuscator_t obf, pcode_link_t jmp, int32_t delta)
|
|
|
|
//couldnt find label, adding new one
|
|
|
|
//couldnt find label, adding new one
|
|
|
|
pcode_link_t new_label = new code_link_t;
|
|
|
|
pcode_link_t new_label = new code_link_t;
|
|
|
|
new_label->flags = CLFLAG_IS_LABEL;
|
|
|
|
new_label->flags = CLFLAG_IS_LABEL;
|
|
|
|
new_label->label_name = std::to_string(obf->current_label_id);
|
|
|
|
new_label->label_name = std::to_string(++obf->current_label_id);
|
|
|
|
jmp->label_name = new_label->label_name;
|
|
|
|
jmp->label_name = new_label->label_name;
|
|
|
|
|
|
|
|
|
|
|
|
new_label->next = temp;
|
|
|
|
new_label->next = temp;
|
|
|
@ -328,22 +354,41 @@ bool obf_gen_label(pobfuscator_t obf, pcode_link_t jmp, int32_t delta)
|
|
|
|
return true;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#include <Windows.h>
|
|
|
|
|
|
|
|
|
|
|
|
void obf_dbg_print_code(pobfuscator_t obf)
|
|
|
|
void obf_dbg_print_code(pobfuscator_t obf)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
|
|
|
|
HANDLE StdHandle = GetStdHandle(STD_OUTPUT_HANDLE);
|
|
|
|
|
|
|
|
if (!StdHandle)
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for (pcode_link_t t = obf->code_start->next; t; t = t->next)
|
|
|
|
for (pcode_link_t t = obf->code_start->next; t; t = t->next)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
|
|
|
|
if (t->group % 2)
|
|
|
|
|
|
|
|
SetConsoleTextAttribute(StdHandle, 12);
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
SetConsoleTextAttribute(StdHandle, 14);
|
|
|
|
|
|
|
|
|
|
|
|
if (t->flags & CLFLAG_IS_REL_JUMP)
|
|
|
|
if (t->flags & CLFLAG_IS_REL_JUMP)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
printf("\tJump to: %s ", t->label_name.data());
|
|
|
|
printf("\tRel jmp to: %s\t\t", t->label_name.data());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else if (t->flags & CLFLAG_IS_LABEL)
|
|
|
|
else if (t->flags & CLFLAG_IS_LABEL)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
printf("Label: %s ", t->label_name.data());
|
|
|
|
//SetConsoleTextAttribute(StdHandle, 13);
|
|
|
|
|
|
|
|
printf("Label: %s \n", t->label_name.data());
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
else if (t->flags & CLFLAG_IS_ABS_ADDR)
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
printf("\tAbs jmp to: %s\t", t->label_name.data());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
else
|
|
|
|
{
|
|
|
|
{
|
|
|
|
printf("\tRegular Instruction. ");
|
|
|
|
printf("\tInstruction: \t\t");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (!(t->flags & CLFLAG_IS_LABEL))
|
|
|
|
if (!(t->flags & CLFLAG_IS_LABEL))
|
|
|
|
{
|
|
|
|
{
|
|
|
|
obf_print_byte_array(t->raw_data, t->raw_data_size);
|
|
|
|
obf_print_byte_array(t->raw_data, t->raw_data_size);
|
|
|
|