feat: Start implementing the base for the "AntiDump" feature

- Begin work on the foundational structure for the "AntiDump" feature
- Introduced a new capability in Ryujin called "RyujinRunOncePass", which runs only on the first obfuscated function — ideal for volatile features
- Updated "RyujinCoreConfiguration" structures
 - Updated "RyujinGUI" to include the "AntiDump" option
- Updated "RyujinConsole" to display the "AntiDump" feature
- Updated "README.md" accordingly

README.md

@@ -13,10 +13,10 @@
 - Random Section naming(Default name: Ryujin)
 - Mathematical Operators Virtualization(aka: Ryūjin MiniVM)
 - Obfuscated code Encryption(Using TeaDelKew Algorithm)
-- Anti-Debug User + Kernel(Planned)
-- Anti-Dump(Planned)
+- Anti-Debug User + Kernel
+- Anti-Dump
 - Anti-Disassembly(Planned)
-- Troll Reversers(Exclusive Planned)
+- Troll Reversers(Exclusive)
 
 ---
 

RyujinConsole/RyujinConsole/RyujinConsole.cc

@@ -29,7 +29,7 @@ Options:
   --help                    Show this help message
 
 In Action Usage Example:
-    RyujinConsole.exe --input C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.exe --pdb C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\RyujinConsole.pdb --output C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.ryujin.exe --virtualize --junk --encrypt --AntiDebug --troll --procs main,sub,subadd,sum,invoke_main,__scrt_common_main,j___security_init_cookie
+    RyujinConsole.exe --input C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.exe --pdb C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\RyujinConsole.pdb --output C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.ryujin.exe --virtualize --junk --encrypt --AntiDebug --troll --AntiDump --procs main,sub,subadd,sum,invoke_main,__scrt_common_main,j___security_init_cookie
 
 )";
 
@@ -86,6 +86,7 @@ auto main(int argc, char* argv[]) -> int {
     config.m_isEncryptObfuscatedCode = has_flag(args, "--encrypt");
     config.m_isTrollRerversers = has_flag(args, "--troll");
     config.m_isAntiDebug = has_flag(args, "--AntiDebug");
+    config.m_isAntiDump = has_flag(args, "--AntiDump");
 
     if (has_flag(args, "--procs")) {
         auto rawList = args["--procs"];

RyujinConsole/RyujinConsole/RyujinCore.hh

@@ -22,6 +22,7 @@ public:
     bool m_isEncryptObfuscatedCode; // The user wants to encrypt all obfuscated code to avoid detection
     bool m_isAntiDebug; // The user wants to avoid debuggers use while running a binary protected by Ryujin
     bool m_isTrollRerversers; // The user wants to trick and use a special feature to troll reversers when their debugs be detected making they loose all the progress
+    bool m_isAntiDump; // Enable Anti Dump technic for Ryujin protected binary
     RyujinObfuscatorProcs m_strProceduresToObfuscate; // Names of the procedures to obfuscate
     std::vector<std::string> m_strdProceduresToObfuscate; // Names of the procedures to obfuscate
 

RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh

@@ -20,6 +20,7 @@ public:
     bool m_isEncryptObfuscatedCode; // The user wants to encrypt all obfuscated code to avoid detection
     bool m_isAntiDebug; // The user wants to avoid debuggers use while running a binary protected by Ryujin
     bool m_isTrollRerversers; // The user wants to trick and use a special feature to troll reversers when their debugs be detected making they loose all the progress
+    bool m_isAntiDump; // Enable Anti Dump technic for Ryujin protected binary
     RyujinObfuscatorProcs m_strProceduresToObfuscate; // Names of the procedures to obfuscate - FFI
     std::vector<std::string> m_strdProceduresToObfuscate; // Names of the procedures to obfuscate
 	// todo: passes

RyujinCore/Ryujin/Ryujin.cc

@@ -94,8 +94,8 @@ bool Ryujin::run(const RyujinObfuscatorConfig& config) {
 		return FALSE;
 	}
 
+	bool RyujinRunOncePass{ TRUE };
 	std::vector<RyujinObfuscationCore> processed_procs;
-
 	for (auto& proc : m_ryujinProcedures) {
 
 		auto it = std::find(config.m_strdProceduresToObfuscate.begin(), config.m_strdProceduresToObfuscate.end(), proc.name);
@@ -137,7 +137,7 @@ bool Ryujin::run(const RyujinObfuscatorConfig& config) {
 
 		//Is time to obfuscate ?
 		RyujinObfuscationCore obc(config, proc, reinterpret_cast<uintptr_t>(m_mappedPE.get()));
-		obc.Run();
+		obc.Run(RyujinRunOncePass);
 
 		//TODO: Custom passes support
 

RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc

@@ -1602,6 +1602,34 @@ void RyujinObfuscationCore::insertAntiDebug() {
 
 }
 
+void RyujinObfuscationCore::insertAntiDump() {
+	
+	BOOL isInserted{ FALSE };
+
+	for (auto& block : m_proc.basic_blocks) {
+
+		for (auto& instr : block.instructions) {
+
+			if (isInserted) break;
+
+			if (!isInserted) {
+
+				auto block_info = findBlockId(instr.instruction.info.opcode, instr.instruction.operands[1].imm.value.u, 2, sizeof(unsigned char));
+
+				if (block_info.first == -1 || block_info.second == -1) continue;
+
+				auto& data = m_proc.basic_blocks[block_info.first].opcodes[block_info.second];
+
+				std::printf("RyujinObfuscationCore::insertAntiDump\n");
+
+				isInserted = TRUE;
+
+			}
+		}
+	}
+
+}
+
 void RyujinObfuscationCore::updateBasicBlocksContext() {
 
 	auto new_obfuscated_opcodes = getProcessedProc().getUpdateOpcodes();
@@ -1610,11 +1638,22 @@ void RyujinObfuscationCore::updateBasicBlocksContext() {
 
 }
 
-BOOL RyujinObfuscationCore::Run() {
+BOOL RyujinObfuscationCore::Run(bool& RyujinRunOncePass) {
 
 	//Add padding spaces
 	addPaddingSpaces();
 
+	/*
+		RyujinRunOncePass only run once for the first function candidate to obfuscation.
+		this is the better place to put unique logic code that is high volatily.
+	*/
+	if (RyujinRunOncePass) {
+
+		this->insertAntiDump();
+
+		RyujinRunOncePass = FALSE;
+	}
+
 	//Update basic blocks view based on the new obfuscated 
 	this->updateBasicBlocksContext();
 

RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh

@@ -30,6 +30,7 @@ private:
 	void insertJunkCode();
 	void insertVirtualization();
 	void insertAntiDebug();
+	void insertAntiDump();
 	std::vector<uint8_t> fix_branch_near_far_short(uint8_t original_opcode, uint64_t jmp_address, uint64_t target_address);
 	uint32_t findOpcodeOffset(const uint8_t* data, size_t dataSize, const void* opcode, size_t opcodeSize);
 
@@ -69,7 +70,7 @@ public:
 	void applyRelocationFixupsToInstructions(uintptr_t imageBase, DWORD virtualAddress, std::vector<unsigned char>& new_opcodes);
 	void removeOldOpcodeRedirect(uintptr_t newMappedPE, std::size_t szMapped, uintptr_t newObfuscatedAddress, bool isIgnoreOriginalCodeRemove = false);
 	void InsertMiniVmEnterProcedureAddress(uintptr_t imageBase, uintptr_t virtualAddress, std::vector<unsigned char>& new_opcodes);
-	BOOL Run();
+	BOOL Run(bool& RyujinRunOncePass);
 	RyujinProcedure getProcessedProc();
 	~RyujinObfuscationCore();
 

RyujinGUI/RyujinApp.cc

@@ -199,6 +199,13 @@ bool RyujinApp::OnInit() {
 
     );
 
+    m_isAntiDump = DrawnStyledCheckbox(
+
+        panel,
+        "AntiDump"
+
+    );
+
     optionsSizer->Add(
         
         m_virtualize
@@ -238,6 +245,11 @@ bool RyujinApp::OnInit() {
 
         m_isAntiDebugNormal
 
+    );
+    optionsSizer->Add(
+
+        m_isAntiDump
+
     );
     optionsBox->Add(
         
@@ -684,6 +696,7 @@ auto RyujinApp::BindRunEvent(wxFrame* frame) -> void {
             core.m_isJunkCode = m_junk->IsChecked();
             core.m_isRandomSection = m_randomSection->IsChecked();
             core.m_isVirtualized = m_virtualize->IsChecked();
+            core.m_isAntiDump = m_isAntiDump->IsChecked();
 
             if (m_isAntiDebugWithTroll->IsChecked()) {
 

RyujinGUI/RyujinApp.hh

@@ -22,6 +22,7 @@ private:
     wxCheckBox* m_ignoreOriginalCodeRemove = nullptr;
     wxCheckBox* m_isAntiDebugWithTroll = nullptr;
     wxCheckBox* m_isAntiDebugNormal = nullptr;
+    wxCheckBox* m_isAntiDump = nullptr;
     wxListBox* m_procList = nullptr;
     wxGauge* m_progress = nullptr;
 

RyujinGUI/RyujinCore.hh

@@ -22,6 +22,7 @@ public:
     bool m_isEncryptObfuscatedCode; // The user wants to encrypt all obfuscated code to avoid detection
     bool m_isAntiDebug; // The user wants to avoid debuggers use while running a binary protected by Ryujin
     bool m_isTrollRerversers; // The user wants to trick and use a special feature to troll reversers when their debugs be detected making they loose all the progress
+    bool m_isAntiDump; // Enable Anti Dump technic for Ryujin protected binary
     RyujinObfuscatorProcs m_strProceduresToObfuscate; // Names of the procedures to obfuscate - FFI
     std::vector<std::string> m_strdProceduresToObfuscate; // Names of the procedures to obfuscate