zydis these nutz in ur mouth

master
James 3 years ago
parent 7efc4bacd0
commit 77c11fa473

@ -73,106 +73,97 @@ bool obf_init_from_buffer(pobfuscator_t obf, void* buffer, int buffer_size)
bool obf_create_groups(pobfuscator_t obf, int group_size)
{
obf->groups.clear();
if (group_size < 24)
return false;
int cur_group_id = 0, cur_size_in_bytes = 0;
pcode_link_t start = obf->code_start->next;
for (pcode_link_t t = obf->code_start->next; t; t = t->next)
{
if (!(t->flags & CLFLAG_IS_GAGET))
{
if (cur_size_in_bytes + t->raw_data_size + 16 > group_size)
{
pcode_link_t push_rax = new code_link_t;
push_rax->flags = 0;
push_rax->label_name = "";
push_rax->raw_data = new unsigned char[1];
push_rax->raw_data_size = 1;
push_rax->group = cur_group_id;
*(unsigned char*)push_rax->raw_data = 0x50;
push_rax->label_name = "";
pcode_link_t mov_address = new code_link_t;
mov_address->flags = CLFLAG_IS_GROUP_JMP;
mov_address->label_name = t->label_name;
mov_address->raw_data = new unsigned char[10];
mov_address->raw_data_size = 10;
mov_address->group = cur_group_id;
unsigned char mov_address_data[] = { 0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F };
memcpy(mov_address->raw_data, mov_address_data, 10);
pcode_link_t xchg_rax_rsp = new code_link_t;
xchg_rax_rsp->flags = 0;
xchg_rax_rsp->label_name = "";
xchg_rax_rsp->raw_data = new unsigned char[4];
xchg_rax_rsp->raw_data_size = 4;
xchg_rax_rsp->group = cur_group_id;
unsigned char xchg_rax_rsp_data[] = { 0x48, 0x87, 0x04, 0x24 };
memcpy(xchg_rax_rsp->raw_data, xchg_rax_rsp_data, 4);
pcode_link_t ret = new code_link_t;
ret->flags = 0;
ret->label_name = "";
ret->raw_data = new unsigned char[1];
ret->raw_data_size = 1;
ret->group = cur_group_id;
*(unsigned char*)ret->raw_data = 0xC3;
t->prev->next = push_rax;
push_rax->next = mov_address;
mov_address->next = xchg_rax_rsp;
xchg_rax_rsp->next = ret;
ret->next = t;
ret->prev = xchg_rax_rsp;
xchg_rax_rsp->prev = mov_address;
mov_address->prev = push_rax;
push_rax->prev = t->prev;
t->prev = ret;
printf("creating group %d\n", cur_group_id);
obf->groups.emplace_back();
obf->groups.back().size_in_bytes = cur_size_in_bytes + 16;
obf->groups.back().start = start;
cur_size_in_bytes = 0;
cur_group_id++;
start = t;
}
}
cur_size_in_bytes += t->raw_data_size;
t->group = cur_group_id;
}
obf->groups.emplace_back();
obf->groups.back().size_in_bytes = cur_size_in_bytes + 16;
obf->groups.back().start = start;
return true;
//remake cuz this shit broke as fuck
//obf->groups.clear();
///*if (group_size < 24)
// return false;*/
//int cur_group_id = 0, cur_size_in_bytes = 0;
//pcode_link_t start = obf->code_start->next;
//for (pcode_link_t t = obf->code_start->next; t;)
//{
// pcode_link_t real_next = t->next;
// if (!(t->flags & CLFLAG_IS_GAGET) && !(t->flags & CLFLAG_IS_LABEL))
// {
// if (cur_size_in_bytes + t->raw_data_size /*+ END_OF_GROUP_GAGT_SIZE*/ > group_size)
// {
// std::string group_label_name = "Group";
// group_label_name.append(std::to_string(cur_group_id + 1));
// pcode_link_t lab = new code_link_t;
// lab->flags = CLFLAG_IS_LABEL;
// lab->label_name = group_label_name;
// lab->group = cur_group_id;
// pcode_link_t gadget = new code_link_t;
// gadget->flags = 0;
// gadget->label_name = "";
// gadget->raw_data = new unsigned char[6];
// gadget->raw_data_size = 6;
// gadget->group = cur_group_id;
// unsigned char gadget_data[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
// memcpy(gadget->raw_data, gadget_data, 6);
// pcode_link_t abs_addr = new code_link_t;
// abs_addr->flags = CLFLAG_IS_ABS_ADDR;
// abs_addr->label_name = group_label_name;
// abs_addr->raw_data = new unsigned char[8];
// abs_addr->raw_data_size = 8;
// abs_addr->group = cur_group_id;
// t->prev->next = gadget;
// gadget->next = abs_addr;
// abs_addr->next = lab;
// lab->next = t;// real_next;
// gadget->prev = t->prev;
// abs_addr->prev = gadget;
// lab->prev = abs_addr;
// t->prev = lab;
//
// printf("creating group %d\n", cur_group_id);
// obf->groups.emplace_back();
// obf->groups.back().size_in_bytes = cur_size_in_bytes + END_OF_GROUP_GAGT_SIZE;
// obf->groups.back().start = start;
// obf->groups.back().base_address = cur_group_id;
// cur_size_in_bytes = 0;
// cur_group_id++;
// start = t;
// }
// }
// cur_size_in_bytes += t->raw_data_size;
// t->group = cur_group_id;
// t = real_next;
//}
//obf->groups.emplace_back();
//obf->groups.back().size_in_bytes = cur_size_in_bytes + 16;
//obf->groups.back().start = start;
//obf->groups.back().base_address = cur_group_id;
//return true;
}
void obf_replace_rel_jmps(pobfuscator_t obf)
{ // original_jump -------------------------.
// jmp 0x10 0xEB, 0x10 |
// push rax 0x50, <----'
// mov rax,abs_address 0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F,
// xchg rax,[rsp] 0x48, 0x87, 0x04, 0x24,
// ret 0xC3
// jmp 0x10(0xEB, 0x10) ------------------ | -----.
// jmp qword ptr[rip] <----------------' |
// address here(8 bytes) |
// not taken branch code <-----------------------'
for (pcode_link_t t = obf->code_start->next; t;)
{
pcode_link_t real_next = t->next;
if (t->flags & CLFLAG_IS_REL_JUMP)
{
pcode_link_t real_next = t->next;
unsigned int inst_len = xed_decoded_inst_get_length(&t->instruction);
unsigned int jmp_delta_width = xed_decoded_inst_get_branch_displacement_width(&t->instruction);
unsigned int opcode_size = inst_len - jmp_delta_width;
unsigned int opcode_size = t->raw_data_size - jmp_delta_width;
switch (jmp_delta_width)
{
@ -185,72 +176,37 @@ void obf_replace_rel_jmps(pobfuscator_t obf)
}
t->flags = CLFLAG_IS_GAGET;
pcode_link_t jmp_around_gagt = new code_link_t;
jmp_around_gagt->flags = CLFLAG_IS_GAGET;
jmp_around_gagt->label_name = "";
jmp_around_gagt->raw_data = new unsigned char[2];
jmp_around_gagt->raw_data_size = 2;
unsigned char jmp_around_gagt_data[] = { 0xEB, 0x10 };
memcpy(jmp_around_gagt->raw_data, jmp_around_gagt_data, 2);
pcode_link_t push_rax = new code_link_t;
push_rax->flags = CLFLAG_IS_GAGET;
push_rax->label_name = "";
push_rax->raw_data = new unsigned char[1];
push_rax->raw_data_size = 1;
*(unsigned char*)push_rax->raw_data = 0x50;
push_rax->label_name = "";
pcode_link_t mov_address = new code_link_t;
mov_address->flags = (CLFLAG_IS_ABS_ADDR | CLFLAG_IS_GAGET);
mov_address->label_name = t->label_name;
mov_address->raw_data = new unsigned char[10];
mov_address->raw_data_size = 10;
unsigned char mov_address_data[] = { 0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F };
memcpy(mov_address->raw_data, mov_address_data, 10);
pcode_link_t xchg_rax_rsp = new code_link_t;
xchg_rax_rsp->flags = CLFLAG_IS_GAGET;
xchg_rax_rsp->label_name = "";
xchg_rax_rsp->raw_data = new unsigned char[4];
xchg_rax_rsp->raw_data_size = 4;
unsigned char xchg_rax_rsp_data[] = { 0x48, 0x87, 0x04, 0x24 };
memcpy(xchg_rax_rsp->raw_data, xchg_rax_rsp_data, 4);
pcode_link_t ret = new code_link_t;
ret->flags = CLFLAG_IS_GAGET;
ret->label_name = "";
ret->raw_data = new unsigned char[1];
ret->raw_data_size = 1;
*(unsigned char*)ret->raw_data = 0xC3;
t->next = jmp_around_gagt;
jmp_around_gagt->next = push_rax;
push_rax->next = mov_address;
mov_address->next = xchg_rax_rsp;
xchg_rax_rsp->next = ret;
ret->next = real_next;
real_next->prev = ret;
ret->prev = xchg_rax_rsp;
xchg_rax_rsp->prev = mov_address;
mov_address->prev = push_rax;
push_rax->prev = jmp_around_gagt;
jmp_around_gagt->prev = t;
t = real_next;
continue;
pcode_link_t gadget = new code_link_t;
gadget->flags = CLFLAG_IS_GAGET;
gadget->label_name = "";
gadget->raw_data = new unsigned char[8];
gadget->raw_data_size = 8;
unsigned char gadget_data[] = { 0xEB, 0x0E, 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
memcpy(gadget->raw_data, gadget_data, 8);
pcode_link_t abs_addr = new code_link_t;
abs_addr->flags = (CLFLAG_IS_GAGET | CLFLAG_IS_ABS_ADDR);
abs_addr->label_name = t->label_name;
t->label_name = "";
abs_addr->raw_data = new unsigned char[8];
abs_addr->raw_data_size = 8;
t->next = gadget;
gadget->next = abs_addr;
abs_addr->next = real_next;
if (real_next) real_next->prev = abs_addr;
abs_addr->prev = gadget;
gadget->prev = t;
}
t = t->next;
t = real_next;
}
}
bool obf_replace_abs_jmps(pobfuscator_t obf)
{
for (pcode_link_t t = obf->code_start->next; t;)
for (pcode_link_t t = obf->code_start->next; t; t = t->next)
{
if (t->flags & CLFLAG_IS_ABS_ADDR)
{
@ -270,7 +226,6 @@ bool obf_replace_abs_jmps(pobfuscator_t obf)
}
}
return false;
continue;
have_label_found:
uint64_t addr = obf->groups[temp->group].base_address;
@ -280,9 +235,12 @@ bool obf_replace_abs_jmps(pobfuscator_t obf)
{
break;
}
addr += temp->raw_data_size;
if (!(temp2->flags & CLFLAG_IS_LABEL))
{
addr += temp2->raw_data_size;
}
}
*(uint64_t*)((unsigned char*)t->raw_data + 2) = addr;
*(uint64_t*)((unsigned char*)t->raw_data) = addr;
}
}
return true;
@ -374,22 +332,22 @@ void obf_dbg_print_code(pobfuscator_t obf)
{
for (pcode_link_t t = obf->code_start->next; t; t = t->next)
{
if (!(t->flags & CLFLAG_IS_LABEL))
{
obf_print_byte_array(t->raw_data, t->raw_data_size);
}
/*if (t->flags & CLFLAG_IS_REL_JUMP)
if (t->flags & CLFLAG_IS_REL_JUMP)
{
printf("\tJump to: %s\n", t->label_name.data());
printf("\tJump to: %s ", t->label_name.data());
}
else if (t->flags & CLFLAG_IS_LABEL)
{
printf("Label: %s\n", t->label_name.data());
printf("Label: %s ", t->label_name.data());
}
else
{
printf("\tRegular Instruction.\n");
}*/
printf("\tRegular Instruction. ");
}
if (!(t->flags & CLFLAG_IS_LABEL))
{
obf_print_byte_array(t->raw_data, t->raw_data_size);
}
}
}
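Review bot: `real_next->prev = ret;` in obf_replace_rel_jmps dereferences real_next unconditionally, whereas the gadget path it replaces guarded the same store with `if (real_next)`; a relative jump that is the last link in the list would crash here, so keep the guard: `if (real_next) real_next->prev = ret;`. In the same hunk `real_next` appears declared both before and inside the `if (t->flags & CLFLAG_IS_REL_JUMP)` block and `opcode_size` twice in one scope — if both declarations survive on the new side this will not compile, and the inner ones should go; the `t = real_next; continue;` pair is also redundant now that the loop tail itself does `t = real_next;`. In obf_create_groups the four gadget links are built with raw `new` (raw_data included) and never released, and `t->prev->next = push_rax;` relies on every link after code_start having a non-null prev — worth stating that invariant where the list is built, e.g. `// invariant: code_start is a sentinel, so every visited link has prev set`, if that is indeed what obf_init_from_buffer guarantees (its body is not in this diff). The switch body of obf_replace_rel_jmps lies between the first two hunks and is not visible here.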

@ -13,7 +13,9 @@ extern "C"
#define CLFLAG_IS_REL_JUMP (1<<1)
#define CLFLAG_IS_ABS_ADDR (1<<2)
#define CLFLAG_IS_GAGET (1<<3)
#define CLFLAG_IS_GROUP_JMP (1<<4)
#define ABS_JUMP_GAGT_SIZE 16
#define END_OF_GROUP_GAGT_SIZE 14
typedef struct _code_link_t
{
@ -47,6 +49,8 @@ typedef struct _obfuscator_t
xed_address_width_enum_t addr_width;
}obfuscator_t, *pobfuscator_t;
typedef void* (*FnAllocateMem)(unsigned long size);
//snickers
void obf_one_time_please();
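Review bot: ABS_JUMP_GAGT_SIZE is defined as 16 here, but Obfuscator.cpp in this same commit still spells the gadget size as a literal (`+ 16` in the obf_create_groups size check and in both `size_in_bytes = cur_size_in_bytes + 16` assignments), so the constant guards nothing yet; use it at those sites, and either use END_OF_GROUP_GAGT_SIZE or remove it if the only reference is the commented-out path. The `//snickers` comment above obf_one_time_please says nothing about the function; replace it with a contract line such as `// must be called once before any other obf_* function` — confirm against its definition, which is not in this diff. Since these live inside an `extern "C"` block, an anonymous `enum { ABS_JUMP_GAGT_SIZE = 16, ... }` would keep C compatibility while giving the values a type and a debugger-visible name.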

@ -25,13 +25,17 @@ int main(int argc, char** argv)
obf_one_time_please();
obf_init_from_buffer(&obf, buffer, buffer_size);
obf_gen_all_labels(&obf);
//obf_replace_rel_jmps(&obf);
obf_dbg_print_code(&obf);
printf("\n\n");
obf_replace_rel_jmps(&obf);
obf_dbg_print_code(&obf);
obf_create_groups(&obf, 28);
/*obf_create_groups(&obf, 10);
for (int i = 0; i < obf.groups.size(); i++)
{
printf("printing group %d \n", i);
printf("\nprinting group %d \n", i);
obf_dbg_print_group(&obf, i);
}
}*/
system("pause");
}
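Review bot: The results of obf_init_from_buffer and obf_create_groups are discarded in main; obf_create_groups returns false when group_size is below 24, and the build log committed alongside warns that obf_init_from_buffer does not return a value on every path, so a failed initialisation silently proceeds to obf_replace_rel_jmps and the group printing loop. Check both: `if (!obf_init_from_buffer(&obf, buffer, buffer_size)) return 1;` and `if (!obf_create_groups(&obf, 28)) return 1;`. The literal 28 deserves a comment tying it to the 16-byte gadget (`// group_size must leave room for the 16-byte group-jump gadget; obf_create_groups rejects < 24`). main begins and ends outside the hunk.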

@ -1,2 +1,2 @@
PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.19041.0:
Debug|x64|C:\$Fanta\ShellcodeObfuscator\|
PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.19041.0:VcpkgTriplet=x64-windows:
Debug|x64|C:\$Fanta\shellcode-obfuscator\|

@ -1,21 +1,15 @@
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\vc142.pdb
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\vc142.idb
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\obfuscator.obj
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\main.obj
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\obfuscator.obj
c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.exe
c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.ilk
c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.pdb
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.command.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.read.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.write.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link-cvtres.read.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link-cvtres.write.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link-rc.read.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link-rc.write.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328-cvtres.read.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328-cvtres.write.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328-rc.read.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328-rc.write.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328.read.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328.write.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.command.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.read.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.write.1.tlog
c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\vc142.idb
c:\$fanta\shellcode-obfuscator\x64\debug\shellcodeobfuscator.ilk
c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.command.1.tlog
c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.read.1.tlog
c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.write.1.tlog
c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.command.1.tlog
c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.read.1.tlog
c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.write.1.tlog

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<Project>
<ProjectOutputs>C:\$Fanta\ShellcodeObfuscator\x64\Debug\ShellcodeObfuscator.exe</ProjectOutputs>
<ProjectOutputs>C:\$Fanta\shellcode-obfuscator\x64\Debug\ShellcodeObfuscator.exe</ProjectOutputs>
<ContentFiles></ContentFiles>
<SatelliteDlls></SatelliteDlls>
<NonRecipeFileRefs></NonRecipeFileRefs>

@ -1,8 +1,2 @@
 Obfuscator.cpp
C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(353,20): warning C4018: '<': signed/unsigned mismatch
main.cpp
Generating Code...
C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(246): warning C4715: 'obf_get_group_size': not all control paths return a value
C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(72): warning C4715: 'obf_init_from_buffer': not all control paths return a value
LINK : warning LNK4098: defaultlib 'LIBCMT' conflicts with use of other libs; use /NODEFAULTLIB:library
ShellcodeObfuscator.vcxproj -> C:\$Fanta\ShellcodeObfuscator\x64\Debug\ShellcodeObfuscator.exe
 main.cpp
ShellcodeObfuscator.vcxproj -> C:\$Fanta\shellcode-obfuscator\x64\Debug\ShellcodeObfuscator.exe
