zydis these nutz in ur mouth

ShellcodeObfuscator/Obfuscator.cpp

@@ -73,106 +73,97 @@ bool obf_init_from_buffer(pobfuscator_t obf, void* buffer, int buffer_size)
 
 bool obf_create_groups(pobfuscator_t obf, int group_size)
 {
-
-	obf->groups.clear();
-
-	if (group_size < 24)
-		return false;
-
-	int cur_group_id = 0, cur_size_in_bytes = 0;
-	pcode_link_t start = obf->code_start->next;
-	for (pcode_link_t t = obf->code_start->next; t; t = t->next)
-	{
-		if (!(t->flags & CLFLAG_IS_GAGET))
-		{
-			if (cur_size_in_bytes + t->raw_data_size + 16 > group_size)
-			{
-				
-				pcode_link_t push_rax = new code_link_t;
-				push_rax->flags = 0;
-				push_rax->label_name = "";
-				push_rax->raw_data = new unsigned char[1];
-				push_rax->raw_data_size = 1;
-				push_rax->group = cur_group_id;
-				*(unsigned char*)push_rax->raw_data = 0x50;
-				push_rax->label_name = "";
-
-				pcode_link_t mov_address = new code_link_t;
-				mov_address->flags = CLFLAG_IS_GROUP_JMP;
-				mov_address->label_name = t->label_name;
-				mov_address->raw_data = new unsigned char[10];
-				mov_address->raw_data_size = 10;
-				mov_address->group = cur_group_id;
-				unsigned char mov_address_data[] = { 0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F };
-				memcpy(mov_address->raw_data, mov_address_data, 10);
-
-				pcode_link_t xchg_rax_rsp = new code_link_t;
-				xchg_rax_rsp->flags = 0;
-				xchg_rax_rsp->label_name = "";
-				xchg_rax_rsp->raw_data = new unsigned char[4];
-				xchg_rax_rsp->raw_data_size = 4;
-				xchg_rax_rsp->group = cur_group_id;
-				unsigned char xchg_rax_rsp_data[] = { 0x48, 0x87, 0x04, 0x24 };
-				memcpy(xchg_rax_rsp->raw_data, xchg_rax_rsp_data, 4);
-
-				pcode_link_t ret = new code_link_t;
-				ret->flags = 0;
-				ret->label_name = "";
-				ret->raw_data = new unsigned char[1];
-				ret->raw_data_size = 1;
-				ret->group = cur_group_id;
-				*(unsigned char*)ret->raw_data = 0xC3;
-
-				t->prev->next = push_rax;
-				push_rax->next = mov_address;
-				mov_address->next = xchg_rax_rsp;
-				xchg_rax_rsp->next = ret;
-				ret->next = t;
-
-				ret->prev = xchg_rax_rsp;
-				xchg_rax_rsp->prev = mov_address;
-				mov_address->prev = push_rax;
-				push_rax->prev = t->prev;
-				t->prev = ret;
-
-				printf("creating group %d\n", cur_group_id);
-				obf->groups.emplace_back();
-				obf->groups.back().size_in_bytes = cur_size_in_bytes + 16;
-				obf->groups.back().start = start;
-				cur_size_in_bytes = 0;
-				cur_group_id++;
-				start = t;
-			}
-		}
-
-		cur_size_in_bytes += t->raw_data_size;
-		t->group = cur_group_id;
-	}
-
-	obf->groups.emplace_back();
-	obf->groups.back().size_in_bytes = cur_size_in_bytes + 16;
-	obf->groups.back().start = start;
-
-	return true;
+	//remake cuz this shit broke as fuck
+
+
+	//obf->groups.clear();
+
+	///*if (group_size < 24)
+	//	return false;*/
+
+	//int cur_group_id = 0, cur_size_in_bytes = 0;
+	//pcode_link_t start = obf->code_start->next;
+	//for (pcode_link_t t = obf->code_start->next; t;)
+	//{
+	//	pcode_link_t real_next = t->next;
+	//	if (!(t->flags & CLFLAG_IS_GAGET) && !(t->flags & CLFLAG_IS_LABEL))
+	//	{
+	//		if (cur_size_in_bytes + t->raw_data_size /*+ END_OF_GROUP_GAGT_SIZE*/ > group_size)
+	//		{
+	//			std::string group_label_name = "Group";
+	//			group_label_name.append(std::to_string(cur_group_id + 1));
+	//			pcode_link_t lab = new code_link_t;
+	//			lab->flags = CLFLAG_IS_LABEL;
+	//			lab->label_name = group_label_name;
+	//			lab->group = cur_group_id;
+
+	//			pcode_link_t gadget = new code_link_t;
+	//			gadget->flags = 0;
+	//			gadget->label_name = "";
+	//			gadget->raw_data = new unsigned char[6];
+	//			gadget->raw_data_size = 6;
+	//			gadget->group = cur_group_id;
+	//			unsigned char gadget_data[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
+	//			memcpy(gadget->raw_data, gadget_data, 6);
+
+	//			pcode_link_t abs_addr = new code_link_t;
+	//			abs_addr->flags = CLFLAG_IS_ABS_ADDR;
+	//			abs_addr->label_name = group_label_name;
+	//			abs_addr->raw_data = new unsigned char[8];
+	//			abs_addr->raw_data_size = 8;
+	//			abs_addr->group = cur_group_id;
+
+	//			t->prev->next = gadget;
+	//			gadget->next = abs_addr;
+	//			abs_addr->next = lab;
+	//			lab->next = t;// real_next;
+
+	//			gadget->prev = t->prev;
+	//			abs_addr->prev = gadget;
+	//			lab->prev = abs_addr;
+	//			t->prev = lab;
+
+	//			
+
+	//			printf("creating group %d\n", cur_group_id);
+	//			obf->groups.emplace_back();
+	//			obf->groups.back().size_in_bytes = cur_size_in_bytes + END_OF_GROUP_GAGT_SIZE;
+	//			obf->groups.back().start = start;
+	//			obf->groups.back().base_address = cur_group_id;
+	//			cur_size_in_bytes = 0;
+	//			cur_group_id++;
+	//			start = t;
+	//		}
+	//	}
+
+	//	cur_size_in_bytes += t->raw_data_size;
+	//	t->group = cur_group_id;
+	//	t = real_next;
+	//}
+
+	//obf->groups.emplace_back();
+	//obf->groups.back().size_in_bytes = cur_size_in_bytes + 16;
+	//obf->groups.back().start = start;
+	//obf->groups.back().base_address = cur_group_id;
+
+	//return true;
 }
 
 void obf_replace_rel_jmps(pobfuscator_t obf)
 
 {	//	original_jump   -------------------------.
-	//	jmp 0x10			0xEB, 0x10			 |
-	//	push rax			0x50,			<----'
-	//	mov rax,abs_address 0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F, 
-	//	xchg rax,[rsp]		0x48, 0x87, 0x04, 0x24, 
-	//	ret					0xC3 
+	//	jmp 0x10(0xEB, 0x10)  ------------------ | -----.
+	//	jmp qword ptr[rip]		<----------------'	    |
+	//	address here(8 bytes)							|
+	//	not taken branch code	<-----------------------'
 
 	for (pcode_link_t t = obf->code_start->next; t;)
 	{
+		pcode_link_t real_next = t->next;
 		if (t->flags & CLFLAG_IS_REL_JUMP)
 		{
-			pcode_link_t real_next = t->next;
-			unsigned int inst_len = xed_decoded_inst_get_length(&t->instruction);
 			unsigned int jmp_delta_width = xed_decoded_inst_get_branch_displacement_width(&t->instruction);
-			unsigned int opcode_size = inst_len - jmp_delta_width;
+			unsigned int opcode_size = t->raw_data_size - jmp_delta_width;
 
 			switch (jmp_delta_width)
 			{
@@ -185,72 +176,37 @@ void obf_replace_rel_jmps(pobfuscator_t obf)
 			}
 			t->flags = CLFLAG_IS_GAGET;
 
-			pcode_link_t jmp_around_gagt = new code_link_t;
-			jmp_around_gagt->flags = CLFLAG_IS_GAGET;
-			jmp_around_gagt->label_name = "";
-			jmp_around_gagt->raw_data = new unsigned char[2];
-			jmp_around_gagt->raw_data_size = 2;
-			unsigned char jmp_around_gagt_data[] = { 0xEB, 0x10 };
-			memcpy(jmp_around_gagt->raw_data, jmp_around_gagt_data, 2);
-
-
-			pcode_link_t push_rax = new code_link_t;
-			push_rax->flags = CLFLAG_IS_GAGET;
-			push_rax->label_name = "";
-			push_rax->raw_data = new unsigned char[1];
-			push_rax->raw_data_size = 1;
-			*(unsigned char*)push_rax->raw_data = 0x50;
-			push_rax->label_name = "";
-
-
-			pcode_link_t mov_address = new code_link_t;
-			mov_address->flags = (CLFLAG_IS_ABS_ADDR | CLFLAG_IS_GAGET);
-			mov_address->label_name = t->label_name;
-			mov_address->raw_data = new unsigned char[10];
-			mov_address->raw_data_size = 10;
-			unsigned char mov_address_data[] = { 0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F };
-			memcpy(mov_address->raw_data, mov_address_data, 10);
-
-			pcode_link_t xchg_rax_rsp = new code_link_t;
-			xchg_rax_rsp->flags = CLFLAG_IS_GAGET;
-			xchg_rax_rsp->label_name = "";
-			xchg_rax_rsp->raw_data = new unsigned char[4];
-			xchg_rax_rsp->raw_data_size = 4;
-			unsigned char xchg_rax_rsp_data[] = { 0x48, 0x87, 0x04, 0x24 };
-			memcpy(xchg_rax_rsp->raw_data, xchg_rax_rsp_data, 4);
-
-			pcode_link_t ret = new code_link_t;
-			ret->flags = CLFLAG_IS_GAGET;
-			ret->label_name = "";
-			ret->raw_data = new unsigned char[1];
-			ret->raw_data_size = 1;
-			*(unsigned char*)ret->raw_data = 0xC3;
-
-			t->next = jmp_around_gagt;
-			jmp_around_gagt->next = push_rax;
-			push_rax->next = mov_address;
-			mov_address->next = xchg_rax_rsp;
-			xchg_rax_rsp->next = ret;
-			ret->next = real_next;
-
-			real_next->prev = ret;
-			ret->prev = xchg_rax_rsp;
-			xchg_rax_rsp->prev = mov_address;
-			mov_address->prev = push_rax;
-			push_rax->prev = jmp_around_gagt;
-			jmp_around_gagt->prev = t;
-
-
-			t = real_next;
-			continue;
+			pcode_link_t gadget = new code_link_t;
+			gadget->flags = CLFLAG_IS_GAGET;
+			gadget->label_name = "";
+			gadget->raw_data = new unsigned char[8];
+			gadget->raw_data_size = 8;
+			unsigned char gadget_data[] = { 0xEB, 0x0E, 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
+			memcpy(gadget->raw_data, gadget_data, 8);
+
+			pcode_link_t abs_addr = new code_link_t;
+			abs_addr->flags = (CLFLAG_IS_GAGET | CLFLAG_IS_ABS_ADDR);
+			abs_addr->label_name = t->label_name;
+			t->label_name = "";
+			abs_addr->raw_data = new unsigned char[8];
+			abs_addr->raw_data_size = 8;
+
+			t->next = gadget;
+			gadget->next = abs_addr;
+			abs_addr->next = real_next;
+
+			if (real_next) real_next->prev = abs_addr;
+			abs_addr->prev = gadget;
+			gadget->prev = t;
+
 		}
-		t = t->next;
+		t = real_next;
 	}
 }
 
 bool obf_replace_abs_jmps(pobfuscator_t obf)
 {
-	for (pcode_link_t t = obf->code_start->next; t;)
+	for (pcode_link_t t = obf->code_start->next; t; t = t->next)
 	{
 		if (t->flags & CLFLAG_IS_ABS_ADDR)
 		{
@@ -270,7 +226,6 @@ bool obf_replace_abs_jmps(pobfuscator_t obf)
 				}
 			}
 			return false;
-			continue;
 
 		have_label_found:
 			uint64_t addr = obf->groups[temp->group].base_address;
@@ -280,9 +235,12 @@ bool obf_replace_abs_jmps(pobfuscator_t obf)
 				{
 					break;
 				}
-				addr += temp->raw_data_size;
+				if (!(temp2->flags & CLFLAG_IS_LABEL))
+				{
+					addr += temp2->raw_data_size;
+				}
 			}
-			*(uint64_t*)((unsigned char*)t->raw_data + 2) = addr;
+			*(uint64_t*)((unsigned char*)t->raw_data) = addr;
 		}
 	}
 	return true;
@@ -374,22 +332,22 @@ void obf_dbg_print_code(pobfuscator_t obf)
 {
 	for (pcode_link_t t = obf->code_start->next; t; t = t->next)
 	{
-		if (!(t->flags & CLFLAG_IS_LABEL))
-		{
-			obf_print_byte_array(t->raw_data, t->raw_data_size);
-		}
-		/*if (t->flags & CLFLAG_IS_REL_JUMP)
+		if (t->flags & CLFLAG_IS_REL_JUMP)
 		{
-			printf("\tJump to: %s\n", t->label_name.data());
+			printf("\tJump to: %s   ", t->label_name.data());
 		}
 		else if (t->flags & CLFLAG_IS_LABEL)
 		{
-			printf("Label: %s\n", t->label_name.data());
+			printf("Label: %s   ", t->label_name.data());
 		}
 		else
 		{
-			printf("\tRegular Instruction.\n");
-		}*/
+			printf("\tRegular Instruction.   ");
+		}
+		if (!(t->flags & CLFLAG_IS_LABEL))
+		{
+			obf_print_byte_array(t->raw_data, t->raw_data_size);
+		}
 	}
 }
 

ShellcodeObfuscator/Obfuscator.h

@@ -13,7 +13,9 @@ extern "C"
 #define CLFLAG_IS_REL_JUMP		(1<<1)
 #define CLFLAG_IS_ABS_ADDR		(1<<2)
 #define CLFLAG_IS_GAGET			(1<<3)
-#define CLFLAG_IS_GROUP_JMP		(1<<4)
+
+#define ABS_JUMP_GAGT_SIZE		16
+#define END_OF_GROUP_GAGT_SIZE	14
 
 typedef struct _code_link_t
 {
@@ -47,6 +49,8 @@ typedef struct _obfuscator_t
 	xed_address_width_enum_t	addr_width;
 }obfuscator_t, *pobfuscator_t;
 
+typedef void* (*FnAllocateMem)(unsigned long size);
+
 //snickers
 void obf_one_time_please();
 

ShellcodeObfuscator/main.cpp

@@ -25,13 +25,17 @@ int main(int argc, char** argv)
 	obf_one_time_please();
 	obf_init_from_buffer(&obf, buffer, buffer_size);
 	obf_gen_all_labels(&obf);
-	//obf_replace_rel_jmps(&obf);
+
+	obf_dbg_print_code(&obf);
+	printf("\n\n");
+	obf_replace_rel_jmps(&obf);
 	obf_dbg_print_code(&obf);
-	obf_create_groups(&obf, 28);
+	
+	/*obf_create_groups(&obf, 10);
 	for (int i = 0; i < obf.groups.size(); i++)
 	{
-		printf("printing group %d \n", i);
+		printf("\nprinting group %d \n", i);
 		obf_dbg_print_group(&obf, i);
-	}
+	}*/
 	system("pause");
 }

ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/ShellcodeObfuscator.lastbuildstate

@@ -1,2 +1,2 @@
-PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.19041.0:
-Debug|x64|C:\$Fanta\ShellcodeObfuscator\|
+PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.19041.0:VcpkgTriplet=x64-windows:
+Debug|x64|C:\$Fanta\shellcode-obfuscator\|

ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.Build.CppClean.log

@@ -1,21 +1,15 @@
 c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\vc142.pdb
 c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\vc142.idb
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\obfuscator.obj
 c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\main.obj
+c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\obfuscator.obj
+c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.exe
+c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.ilk
 c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.pdb
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.command.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.read.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.write.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link-cvtres.read.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link-cvtres.write.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link-rc.read.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link-rc.write.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328-cvtres.read.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328-cvtres.write.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328-rc.read.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328-rc.write.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328.read.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328.write.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.command.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.read.1.tlog
-c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.write.1.tlog
+c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\vc142.idb
+c:\$fanta\shellcode-obfuscator\x64\debug\shellcodeobfuscator.ilk
+c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.command.1.tlog
+c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.read.1.tlog
+c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.write.1.tlog
+c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.command.1.tlog
+c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.read.1.tlog
+c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.write.1.tlog

ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.exe.recipe

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project>
-  <ProjectOutputs>C:\$Fanta\ShellcodeObfuscator\x64\Debug\ShellcodeObfuscator.exe</ProjectOutputs>
+  <ProjectOutputs>C:\$Fanta\shellcode-obfuscator\x64\Debug\ShellcodeObfuscator.exe</ProjectOutputs>
   <ContentFiles></ContentFiles>
   <SatelliteDlls></SatelliteDlls>
   <NonRecipeFileRefs></NonRecipeFileRefs>

ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.log

@@ -1,8 +1,2 @@
-  Obfuscator.cpp
-C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(353,20): warning C4018: '<': signed/unsigned mismatch
-  main.cpp
-  Generating Code...
-C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(246): warning C4715: 'obf_get_group_size': not all control paths return a value
-C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(72): warning C4715: 'obf_init_from_buffer': not all control paths return a value
-LINK : warning LNK4098: defaultlib 'LIBCMT' conflicts with use of other libs; use /NODEFAULTLIB:library
-  ShellcodeObfuscator.vcxproj -> C:\$Fanta\ShellcodeObfuscator\x64\Debug\ShellcodeObfuscator.exe
+  main.cpp
+  ShellcodeObfuscator.vcxproj -> C:\$Fanta\shellcode-obfuscator\x64\Debug\ShellcodeObfuscator.exe

ShellcodeObfuscator/x64/Debug/vcpkg.applocal.log

@@ -0,0 +1 @@
+