diff --git a/ShellcodeObfuscator/Obfuscator.cpp b/ShellcodeObfuscator/Obfuscator.cpp
index 82852fe..b00faab 100644
--- a/ShellcodeObfuscator/Obfuscator.cpp
+++ b/ShellcodeObfuscator/Obfuscator.cpp
@@ -124,16 +124,16 @@ void obf_replace_rel_jmps(pobfuscator_t obf)
 pcode_link_t jmp_around_gagt = new code_link_t;
 jmp_around_gagt->flags = 0;
 jmp_around_gagt->label_name = "";
- jmp_around_gagt->raw_data = (unsigned char*)malloc(2);
+ jmp_around_gagt->raw_data = new unsigned char[2];
 jmp_around_gagt->raw_data_size = 2;
 unsigned char jmp_around_gagt_data[] = { 0xEB, 0x10 };
- memcpy(jmp_around_gagt->raw_data, jmp_around_gagt_data, 10);
+ memcpy(jmp_around_gagt->raw_data, jmp_around_gagt_data, 2);
 pcode_link_t push_rax = new code_link_t;
 push_rax->flags = 0;
 push_rax->label_name = "";
- push_rax->raw_data = (unsigned char*)malloc(1);
+ push_rax->raw_data = new unsigned char[1];
 push_rax->raw_data_size = 1;
 *(unsigned char*)push_rax->raw_data = 0x50;
 push_rax->label_name = "";
@@ -142,7 +142,7 @@ void obf_replace_rel_jmps(pobfuscator_t obf)
 pcode_link_t mov_address = new code_link_t;
 mov_address->flags = CLFLAG_IS_ABS_ADDR;
 mov_address->label_name = t->label_name;
- mov_address->raw_data = (unsigned char*)malloc(10);
+ mov_address->raw_data = new unsigned char[10];
 mov_address->raw_data_size = 10;
 unsigned char mov_address_data[] = { 0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F };
 memcpy(mov_address->raw_data, mov_address_data, 10);
@@ -150,7 +150,7 @@ void obf_replace_rel_jmps(pobfuscator_t obf)
 pcode_link_t xchg_rax_rsp = new code_link_t;
 xchg_rax_rsp->flags = 0;
 xchg_rax_rsp->label_name = "";
- xchg_rax_rsp->raw_data = (unsigned char*)malloc(4);
+ xchg_rax_rsp->raw_data = new unsigned char[4];
 xchg_rax_rsp->raw_data_size = 4;
 unsigned char xchg_rax_rsp_data[] = { 0x48, 0x87, 0x04, 0x24 };
 memcpy(xchg_rax_rsp->raw_data, xchg_rax_rsp_data, 4);
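Review bot: Each block in this hunk still writes its byte count three times as a bare literal (the `new unsigned char[N]` size, `raw_data_size`, and the `memcpy` length), and nothing ties those numbers to the initializer array, which is how a 10-byte copy into a 2-byte buffer was possible in the first place. Derive them from the array instead, e.g. `jmp_around_gagt->raw_data_size = sizeof jmp_around_gagt_data;` and `memcpy(jmp_around_gagt->raw_data, jmp_around_gagt_data, sizeof jmp_around_gagt_data);`; the same applies to the `mov_address` and `xchg_rax_rsp` hunks, and a small helper that allocates and fills a link from an array would also cover the one-byte `push_rax` and `ret` cases. Moving from `malloc` to `new unsigned char[N]` means every place that releases `raw_data` must use `delete[]` rather than `free`; no release site is visible in these hunks, so that pairing should be confirmed. `push_rax->label_name = "";` is assigned twice in the second block. obf_replace_rel_jmps starts and ends outside these hunks.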
@@ -158,7 +158,7 @@ void obf_replace_rel_jmps(pobfuscator_t obf)
 pcode_link_t ret = new code_link_t;
 ret->flags = 0;
 ret->label_name = "";
- ret->raw_data = (unsigned char*)malloc(1);
+ ret->raw_data = new unsigned char[1];
 ret->raw_data_size = 1;
 *(unsigned char*)ret->raw_data = 0xC3;
@@ -186,7 +186,57 @@ void obf_replace_rel_jmps(pobfuscator_t obf)
 void obf_replace_abs_jmps(pobfuscator_t obf)
 {
+ //FIRST ITERATE AND CHECK BEHIND THE JMP
+ //pcode_link_t Temp;
+ //for (Temp = Jmp; Temp && Temp->Prev; Temp = Temp->Prev)
+ //{
+ // if (Temp->Prev->IsLabel && Temp->Prev->Name == Jmp->Name)
+ // {
+ // Jmp->Data = (PVOID)Delta;
+ // return TRUE;
+ // }
+ // Delta -= Assembler->Instructions[Temp->Prev->InstructionId].LengthInBytes;
+ //}
+
+ ////NOW LOOK IN FRONT
+ //Delta = Assembler->Instructions[Jmp->InstructionId].LengthInBytes; //9
+ //for (Temp = Jmp; Temp && Temp->Next; Temp = Temp->Next)
+ //{
+ // if (Temp->Next->IsLabel && Temp->Next->Name == Jmp->Name)
+ // {
+ // Jmp->Data = (PVOID)Delta;
+ // return TRUE;
+ // }
+ // Delta += Assembler->Instructions[Temp->Next->InstructionId].LengthInBytes;
+ //}
+
+ //return FALSE;
+
+ for (pcode_link_t t = obf->code_start->next; t;)
+ {
+ if (t->flags & CLFLAG_IS_ABS_ADDR)
+ {
+ pcode_link_t temp;
+ for (temp = t; temp && temp->prev; temp = temp->prev)
+ {
+ if (temp->flags & CLFLAG_IS_LABEL && temp->label_name == t->label_name)
+ {
+ uint64_t addr = obf->groups[t->group].base_address;
+ pcode_link_t temp2 = obf->groups[t->group].start;
+ for (; temp2 && temp2->group == temp->group; temp2 = temp2->next)
+ {
+ if (temp2 == temp)
+ {
+ break;
+ }
+ addr += temp->raw_data_size;
+ }
+
+ }
+ }
+ }
+ }
 }
 size_t obf_get_group_size(pobfuscator_t obf, int group_id)
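Review bot: The outer loop `for (pcode_link_t t = obf->code_start->next; t;)` in obf_replace_abs_jmps never advances `t` (the header has no increment and the body never assigns it), so it cannot terminate once the list holds a node after `code_start`; the header needs `t = t->next`. In the innermost loop, `addr += temp->raw_data_size;` adds the matched label's own size on every pass although the node being walked is `temp2`, so `addr += temp2->raw_data_size;` looks like what was meant. `addr` is computed and then dropped, `obf->code_start` is dereferenced without a null check, and `obf->groups[t->group]` is indexed with no visible range check on `t->group`, so each of these wants a guard or at least a `// TODO` comment stating what is still missing. The commented-out block at the top refers to names (`Jmp`, `Assembler`, `Delta`) that do not exist in this function and would be better deleted than committed.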
diff --git a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.read.1.tlog b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.read.1.tlog index 1ef8f25..77571a7 100644 Binary files a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.read.1.tlog and b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.read.1.tlog differ diff --git a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.write.1.tlog b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.write.1.tlog index 5c3daf5..0dc10b3 100644 Binary files a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.write.1.tlog and b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.write.1.tlog differ diff --git a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/link.read.1.tlog b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/link.read.1.tlog index 731562c..48b69c4 100644 Binary files a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/link.read.1.tlog and b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/link.read.1.tlog differ diff --git a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/link.write.1.tlog b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/link.write.1.tlog index 56c60ff..7a1b7b4 100644 Binary files a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/link.write.1.tlog and b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/link.write.1.tlog differ diff --git a/ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.log b/ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.log index 4015257..c9b4668 100644 --- a/ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.log +++ b/ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.log 
@@ -1,2 +1,8 @@ - main.cpp + Obfuscator.cpp +C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(353,20): warning C4018: '<': signed/unsigned mismatch + main.cpp + Generating Code... +C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(246): warning C4715: 'obf_get_group_size': not all control paths return a value +C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(72): warning C4715: 'obf_init_from_buffer': not all control paths return a value +LINK : warning LNK4098: defaultlib 'LIBCMT' conflicts with use of other libs; use /NODEFAULTLIB:library ShellcodeObfuscator.vcxproj -> C:\$Fanta\ShellcodeObfuscator\x64\Debug\ShellcodeObfuscator.exe diff --git a/ShellcodeObfuscator/x64/Debug/vc142.idb b/ShellcodeObfuscator/x64/Debug/vc142.idb index 7e44f1e..f934986 100644 Binary files a/ShellcodeObfuscator/x64/Debug/vc142.idb and b/ShellcodeObfuscator/x64/Debug/vc142.idb differ diff --git a/ShellcodeObfuscator/x64/Release/Shellcod.ad60371b.tlog/CL.write.1.tlog b/ShellcodeObfuscator/x64/Release/Shellcod.ad60371b.tlog/CL.write.1.tlog index fed7c98..11f0789 100644 Binary files a/ShellcodeObfuscator/x64/Release/Shellcod.ad60371b.tlog/CL.write.1.tlog and b/ShellcodeObfuscator/x64/Release/Shellcod.ad60371b.tlog/CL.write.1.tlog differ diff --git a/ShellcodeObfuscator/x64/Release/Shellcod.ad60371b.tlog/ShellcodeObfuscator.write.1u.tlog b/ShellcodeObfuscator/x64/Release/Shellcod.ad60371b.tlog/ShellcodeObfuscator.write.1u.tlog index 9dce939..620e80f 100644 Binary files a/ShellcodeObfuscator/x64/Release/Shellcod.ad60371b.tlog/ShellcodeObfuscator.write.1u.tlog and b/ShellcodeObfuscator/x64/Release/Shellcod.ad60371b.tlog/ShellcodeObfuscator.write.1u.tlog differ 
diff --git a/ShellcodeObfuscator/x64/Release/Shellcod.ad60371b.tlog/link.read.1.tlog b/ShellcodeObfuscator/x64/Release/Shellcod.ad60371b.tlog/link.read.1.tlog index 2ead3f0..95b01bf 100644 Binary files a/ShellcodeObfuscator/x64/Release/Shellcod.ad60371b.tlog/link.read.1.tlog and b/ShellcodeObfuscator/x64/Release/Shellcod.ad60371b.tlog/link.read.1.tlog differ diff --git a/ShellcodeObfuscator/x64/Release/ShellcodeObfuscator.log b/ShellcodeObfuscator/x64/Release/ShellcodeObfuscator.log index e57bc2c..de9e71d 100644 --- a/ShellcodeObfuscator/x64/Release/ShellcodeObfuscator.log +++ b/ShellcodeObfuscator/x64/Release/ShellcodeObfuscator.log @@ -1,10 +1,9 @@  Obfuscator.cpp -C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(302,20): warning C4018: '<': signed/unsigned mismatch +C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(353,20): warning C4018: '<': signed/unsigned mismatch LINK : warning LNK4098: defaultlib 'LIBCMT' conflicts with use of other libs; use /NODEFAULTLIB:library Generating code -C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(72): warning C4715: 'obf_init_from_buffer': not all control paths return a value - 29 of 134 functions (21.6%) were compiled, the rest were copied from previous compilation. - 13 functions were new in current compilation - 1 functions had inline decision re-evaluated but remain unchanged + 2 of 134 functions ( 1.5%) were compiled, the rest were copied from previous compilation. + 0 functions were new in current compilation + 0 functions had inline decision re-evaluated but remain unchanged Finished generating code ShellcodeObfuscator.vcxproj -> C:\$Fanta\ShellcodeObfuscator\x64\Release\ShellcodeObfuscator.exe diff --git a/x64/Debug/ShellcodeObfuscator.ilk b/x64/Debug/ShellcodeObfuscator.ilk index a026ef7..d75b676 100644 Binary files a/x64/Debug/ShellcodeObfuscator.ilk and b/x64/Debug/ShellcodeObfuscator.ilk differ 
diff --git a/x64/Release/ShellcodeObfuscator.iobj b/x64/Release/ShellcodeObfuscator.iobj index 63c740c..af49c9e 100644 Binary files a/x64/Release/ShellcodeObfuscator.iobj and b/x64/Release/ShellcodeObfuscator.iobj differ diff --git a/x64/Release/ShellcodeObfuscator.ipdb b/x64/Release/ShellcodeObfuscator.ipdb index 3fac718..1f996df 100644 Binary files a/x64/Release/ShellcodeObfuscator.ipdb and b/x64/Release/ShellcodeObfuscator.ipdb differ