diff --git a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc index 1e8e0d6..ccfcd73 100644 --- a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc +++ b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc @@ -1927,7 +1927,7 @@ void RyujinObfuscationCore::insertAntiDump() { const auto pOpcodeBuffer = opcodeBuffer.data(); antidump_instructions.reserve(opcodeBuffer.size()); - // Storing our new opcodes for antidebug detection + // Storing our new opcodes for antidump detection for (auto i = 0; i < opcodeBuffer.size(); ++i) antidump_instructions.push_back(static_cast(pOpcodeBuffer[i])); // Saving the opcode block 
@@ -1943,11 +1943,259 @@ void RyujinObfuscationCore::insertAntiDump() { void RyujinObfuscationCore::insertMemoryProtection() { - unsigned char ucTest[]{ 0xDE, 0xAD, 0xBE, 0xEF }; + BOOL isInserted{ FALSE }; - RyujinCRC32Utils crcTest; - std::printf("RyujinObfuscationCore::insertMemoryProtection.TEST: 0x%X\n", crcTest.crc32(ucTest, 4)); + for (auto& block : m_proc.basic_blocks) { + for (auto& instr : block.instructions) { + + if (isInserted) break; + + if (!isInserted) { + + auto block_info = findBlockId(instr.instruction.info.opcode, instr.instruction.operands[1].imm.value.u, 2, sizeof(unsigned char)); + + if (block_info.first == -1 || block_info.second == -1) continue; + + auto& data = m_proc.basic_blocks[block_info.first].opcodes[block_info.second]; + + asmjit::JitRuntime runtime; + + asmjit::CodeHolder code; + code.init(runtime.environment()); + asmjit::x86::Assembler a(&code); + + // First, saving the states + + // Push flags + a.pushfq(); + + // Push regs + a.push(asmjit::x86::rax); + a.push(asmjit::x86::rcx); + a.push(asmjit::x86::rdx); + a.push(asmjit::x86::rbx); + a.push(asmjit::x86::rbp); + a.push(asmjit::x86::rsi); + a.push(asmjit::x86::rdi); + a.push(asmjit::x86::r8); + a.push(asmjit::x86::r9); + a.push(asmjit::x86::r10); + a.push(asmjit::x86::r11); + a.push(asmjit::x86::r12); + a.push(asmjit::x86::r13); + a.push(asmjit::x86::r14); + a.push(asmjit::x86::r15); + + std::vector memoryProtectionShellcode = { + + /* + TODO + */ + 0x48, 0x81, 0xEC, 0x58, 0x01, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25, + 0x60, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, + 0x48, 0x83, 0xBC, 0x24, 0x80, 0x00, 0x00, 0x00, 0x00, 0x74, 0x1E, 0x48, + 0x8B, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x83, 0x78, 0x10, 0x00, + 0x74, 0x0F, 0x48, 0x8B, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x83, + 0x78, 0x18, 0x00, 0x75, 0x05, 0xE9, 0x16, 0x07, 0x00, 0x00, 0x48, 0x8B, + 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x10, 0x48, 0x89, + 0x84, 0x24, 0xE8, 
0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xE8, 0x00, + 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8B, + 0x84, 0x24, 0x00, 0x01, 0x00, 0x00, 0x0F, 0xB7, 0x00, 0x3D, 0x4D, 0x5A, + 0x00, 0x00, 0x74, 0x05, 0xE9, 0xDB, 0x06, 0x00, 0x00, 0x48, 0x8B, 0x84, + 0x24, 0x00, 0x01, 0x00, 0x00, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 0x8C, + 0x24, 0xE8, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, + 0x89, 0x84, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xA0, + 0x00, 0x00, 0x00, 0x81, 0x38, 0x50, 0x45, 0x00, 0x00, 0x74, 0x05, 0xE9, + 0xA4, 0x06, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xA0, 0x00, 0x00, 0x00, + 0x0F, 0xB7, 0x40, 0x14, 0x48, 0x8B, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, + 0x48, 0x8D, 0x44, 0x01, 0x18, 0x48, 0x89, 0x84, 0x24, 0xA8, 0x00, 0x00, + 0x00, 0x48, 0x8B, 0x84, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x40, + 0x06, 0x89, 0x84, 0x24, 0xF8, 0x00, 0x00, 0x00, 0xC6, 0x44, 0x24, 0x50, + 0x2E, 0xC6, 0x44, 0x24, 0x51, 0x52, 0xC6, 0x44, 0x24, 0x52, 0x79, 0xC6, + 0x44, 0x24, 0x53, 0x75, 0xC6, 0x44, 0x24, 0x54, 0x6A, 0xC6, 0x44, 0x24, + 0x55, 0x69, 0xC6, 0x44, 0x24, 0x56, 0x6E, 0xC6, 0x44, 0x24, 0x57, 0x00, + 0x48, 0xC7, 0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xC7, 0x44, 0x24, 0x78, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x1E, 0x8B, 0x44, + 0x24, 0x78, 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x78, 0x48, 0x8B, 0x84, 0x24, + 0xA8, 0x00, 0x00, 0x00, 0x48, 0x83, 0xC0, 0x28, 0x48, 0x89, 0x84, 0x24, + 0xA8, 0x00, 0x00, 0x00, 0x8B, 0x84, 0x24, 0xF8, 0x00, 0x00, 0x00, 0x39, + 0x44, 0x24, 0x78, 0x7D, 0x68, 0xC6, 0x44, 0x24, 0x20, 0x01, 0xC7, 0x44, + 0x24, 0x2C, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x2C, + 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x2C, 0x83, 0x7C, 0x24, 0x2C, 0x08, 0x7D, + 0x28, 0x48, 0x63, 0x44, 0x24, 0x2C, 0x48, 0x8B, 0x8C, 0x24, 0xA8, 0x00, + 0x00, 0x00, 0x0F, 0xB6, 0x04, 0x01, 0x48, 0x63, 0x4C, 0x24, 0x2C, 0x0F, + 0xBE, 0x4C, 0x0C, 0x50, 0x3B, 0xC1, 0x74, 0x07, 0xC6, 0x44, 0x24, 0x20, + 0x00, 0xEB, 0x02, 
0xEB, 0xC7, 0x0F, 0xB6, 0x44, 0x24, 0x20, 0x85, 0xC0, + 0x74, 0x12, 0x48, 0x8B, 0x84, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x89, + 0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0xEB, 0x05, 0xE9, 0x6D, 0xFF, 0xFF, + 0xFF, 0x48, 0x83, 0xBC, 0x24, 0x98, 0x00, 0x00, 0x00, 0x00, 0x75, 0x05, + 0xE9, 0x8F, 0x05, 0x00, 0x00, 0xB8, 0x6E, 0x00, 0x00, 0x00, 0x66, 0x89, + 0x84, 0x24, 0xC8, 0x00, 0x00, 0x00, 0xB8, 0x74, 0x00, 0x00, 0x00, 0x66, + 0x89, 0x84, 0x24, 0xCA, 0x00, 0x00, 0x00, 0xB8, 0x64, 0x00, 0x00, 0x00, + 0x66, 0x89, 0x84, 0x24, 0xCC, 0x00, 0x00, 0x00, 0xB8, 0x6C, 0x00, 0x00, + 0x00, 0x66, 0x89, 0x84, 0x24, 0xCE, 0x00, 0x00, 0x00, 0xB8, 0x6C, 0x00, + 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0xD0, 0x00, 0x00, 0x00, 0xB8, 0x2E, + 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0xD2, 0x00, 0x00, 0x00, 0xB8, + 0x64, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0xD4, 0x00, 0x00, 0x00, + 0xB8, 0x6C, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0xD6, 0x00, 0x00, + 0x00, 0xB8, 0x6C, 0x00, 0x00, 0x00, 0x66, 0x89, 0x84, 0x24, 0xD8, 0x00, + 0x00, 0x00, 0x33, 0xC0, 0x66, 0x89, 0x84, 0x24, 0xDA, 0x00, 0x00, 0x00, + 0xC6, 0x44, 0x24, 0x58, 0x4E, 0xC6, 0x44, 0x24, 0x59, 0x74, 0xC6, 0x44, + 0x24, 0x5A, 0x54, 0xC6, 0x44, 0x24, 0x5B, 0x65, 0xC6, 0x44, 0x24, 0x5C, + 0x72, 0xC6, 0x44, 0x24, 0x5D, 0x6D, 0xC6, 0x44, 0x24, 0x5E, 0x69, 0xC6, + 0x44, 0x24, 0x5F, 0x6E, 0xC6, 0x44, 0x24, 0x60, 0x61, 0xC6, 0x44, 0x24, + 0x61, 0x74, 0xC6, 0x44, 0x24, 0x62, 0x65, 0xC6, 0x44, 0x24, 0x63, 0x50, + 0xC6, 0x44, 0x24, 0x64, 0x72, 0xC6, 0x44, 0x24, 0x65, 0x6F, 0xC6, 0x44, + 0x24, 0x66, 0x63, 0xC6, 0x44, 0x24, 0x67, 0x65, 0xC6, 0x44, 0x24, 0x68, + 0x73, 0xC6, 0x44, 0x24, 0x69, 0x73, 0xC6, 0x44, 0x24, 0x6A, 0x00, 0x48, + 0xC7, 0x44, 0x24, 0x38, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, + 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x18, 0x48, 0x8B, 0x40, 0x28, + 0x48, 0x89, 0x84, 0x24, 0xB0, 0x00, 0x00, 0x00, 0xEB, 0x13, 0x48, 0x8B, + 0x84, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x84, + 0x24, 0xB0, 0x00, 
0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x80, 0x00, 0x00, + 0x00, 0x48, 0x8B, 0x40, 0x18, 0x48, 0x83, 0xC0, 0x28, 0x48, 0x39, 0x84, + 0x24, 0xB0, 0x00, 0x00, 0x00, 0x0F, 0x84, 0x6D, 0x01, 0x00, 0x00, 0x48, + 0x8B, 0x84, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x48, 0x83, 0xE8, 0x10, 0x48, + 0x89, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xE0, + 0x00, 0x00, 0x00, 0x48, 0x83, 0x78, 0x60, 0x00, 0x75, 0x02, 0xEB, 0xAA, + 0x48, 0x8B, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x60, + 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8D, 0x84, 0x24, 0xC8, 0x00, 0x00, + 0x00, 0x48, 0x89, 0x44, 0x24, 0x40, 0xC6, 0x44, 0x24, 0x21, 0x01, 0xEB, + 0x1C, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x48, 0x83, 0xC0, 0x02, 0x48, 0x89, + 0x44, 0x24, 0x40, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0x83, 0xC0, 0x02, + 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, + 0x00, 0x85, 0xC0, 0x0F, 0x84, 0xBE, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, + 0x24, 0x48, 0x0F, 0xB7, 0x00, 0x85, 0xC0, 0x0F, 0x84, 0xAE, 0x00, 0x00, + 0x00, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x0F, 0xB7, 0x00, 0x83, 0xF8, 0x41, + 0x7C, 0x21, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x0F, 0xB7, 0x00, 0x83, 0xF8, + 0x5A, 0x7F, 0x14, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x0F, 0xB7, 0x00, 0x83, + 0xC0, 0x20, 0x89, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0xEB, 0x0F, 0x48, + 0x8B, 0x44, 0x24, 0x48, 0x0F, 0xB7, 0x00, 0x89, 0x84, 0x24, 0x88, 0x00, + 0x00, 0x00, 0x0F, 0xB7, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x66, 0x89, + 0x44, 0x24, 0x70, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x00, 0x83, + 0xF8, 0x41, 0x7C, 0x21, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x00, + 0x83, 0xF8, 0x5A, 0x7F, 0x14, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, + 0x00, 0x83, 0xC0, 0x20, 0x89, 0x84, 0x24, 0x8C, 0x00, 0x00, 0x00, 0xEB, + 0x0F, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x00, 0x89, 0x84, 0x24, + 0x8C, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x84, 0x24, 0x8C, 0x00, 0x00, 0x00, + 0x66, 0x89, 0x44, 0x24, 0x74, 0x0F, 0xB7, 0x44, 0x24, 0x70, 0x0F, 0xB7, + 0x4C, 0x24, 0x74, 
0x3B, 0xC1, 0x74, 0x07, 0xC6, 0x44, 0x24, 0x21, 0x00, + 0xEB, 0x05, 0xE9, 0x16, 0xFF, 0xFF, 0xFF, 0x0F, 0xB6, 0x44, 0x24, 0x21, + 0x85, 0xC0, 0x74, 0x2B, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x00, + 0x85, 0xC0, 0x75, 0x1F, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x0F, 0xB7, 0x00, + 0x85, 0xC0, 0x75, 0x13, 0x48, 0x8B, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, + 0x48, 0x8B, 0x40, 0x30, 0x48, 0x89, 0x44, 0x24, 0x38, 0xEB, 0x05, 0xE9, + 0x62, 0xFE, 0xFF, 0xFF, 0x48, 0x83, 0x7C, 0x24, 0x38, 0x00, 0x75, 0x05, + 0xE9, 0xE3, 0x02, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x89, + 0x84, 0x24, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x18, 0x01, + 0x00, 0x00, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 0x4C, 0x24, 0x38, 0x48, + 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x20, 0x01, 0x00, + 0x00, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x00, 0x48, 0x8B, + 0x8C, 0x24, 0x20, 0x01, 0x00, 0x00, 0x48, 0x8D, 0x84, 0x01, 0x88, 0x00, + 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8B, + 0x84, 0x24, 0x08, 0x01, 0x00, 0x00, 0x83, 0x38, 0x00, 0x75, 0x05, 0xE9, + 0x84, 0x02, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x08, 0x01, 0x00, 0x00, + 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x38, 0x48, 0x03, 0xC8, 0x48, 0x8B, + 0xC1, 0x48, 0x89, 0x84, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, + 0x24, 0xB8, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x20, 0x48, 0x8B, 0x4C, 0x24, + 0x38, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x28, + 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x8B, + 0x40, 0x24, 0x48, 0x8B, 0x4C, 0x24, 0x38, 0x48, 0x03, 0xC8, 0x48, 0x8B, + 0xC1, 0x48, 0x89, 0x84, 0x24, 0x30, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84, + 0x24, 0xB8, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x1C, 0x48, 0x8B, 0x4C, 0x24, + 0x38, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x38, + 0x01, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24, 0xF0, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0xEB, + 0x0A, 0x8B, 0x44, 
0x24, 0x30, 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x30, 0x48, + 0x8B, 0x84, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x18, 0x39, 0x44, + 0x24, 0x30, 0x0F, 0x83, 0xC4, 0x00, 0x00, 0x00, 0x8B, 0x44, 0x24, 0x30, + 0x48, 0x8B, 0x8C, 0x24, 0x28, 0x01, 0x00, 0x00, 0x8B, 0x04, 0x81, 0x48, + 0x8B, 0x4C, 0x24, 0x38, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, + 0x84, 0x24, 0x10, 0x01, 0x00, 0x00, 0xC6, 0x44, 0x24, 0x22, 0x01, 0xC7, + 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, + 0x28, 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x28, 0x48, 0x63, 0x44, 0x24, 0x28, + 0x0F, 0xBE, 0x44, 0x04, 0x58, 0x85, 0xC0, 0x75, 0x15, 0x48, 0x63, 0x44, + 0x24, 0x28, 0x48, 0x8B, 0x8C, 0x24, 0x10, 0x01, 0x00, 0x00, 0x0F, 0xBE, + 0x04, 0x01, 0x85, 0xC0, 0x74, 0x28, 0x48, 0x63, 0x44, 0x24, 0x28, 0x0F, + 0xBE, 0x44, 0x04, 0x58, 0x48, 0x63, 0x4C, 0x24, 0x28, 0x48, 0x8B, 0x94, + 0x24, 0x10, 0x01, 0x00, 0x00, 0x0F, 0xBE, 0x0C, 0x0A, 0x3B, 0xC1, 0x74, + 0x07, 0xC6, 0x44, 0x24, 0x22, 0x00, 0xEB, 0x02, 0xEB, 0xAB, 0x0F, 0xB6, + 0x44, 0x24, 0x22, 0x85, 0xC0, 0x74, 0x30, 0x8B, 0x44, 0x24, 0x30, 0x48, + 0x8B, 0x8C, 0x24, 0x30, 0x01, 0x00, 0x00, 0x0F, 0xB7, 0x04, 0x41, 0x48, + 0x8B, 0x8C, 0x24, 0x38, 0x01, 0x00, 0x00, 0x8B, 0x04, 0x81, 0x48, 0x8B, + 0x4C, 0x24, 0x38, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, + 0x24, 0xF0, 0x00, 0x00, 0x00, 0xEB, 0x05, 0xE9, 0x1D, 0xFF, 0xFF, 0xFF, + 0x48, 0x83, 0xBC, 0x24, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x84, 0x05, + 0x01, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0x8B, + 0x40, 0x0C, 0x48, 0x8B, 0x8C, 0x24, 0xE8, 0x00, 0x00, 0x00, 0x48, 0x03, + 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x40, 0x01, 0x00, 0x00, + 0xC7, 0x44, 0x24, 0x24, 0xFF, 0xFF, 0xFF, 0xFF, 0x48, 0xC7, 0x84, 0x24, + 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x13, 0x48, 0x8B, + 0x84, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x84, + 0x24, 0xC0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x98, 0x00, 0x00, + 0x00, 0x0F, 0xB7, 
0x40, 0x22, 0x48, 0x39, 0x84, 0x24, 0xC0, 0x00, 0x00, + 0x00, 0x73, 0x6D, 0x48, 0x8B, 0x84, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x48, + 0x8B, 0x8C, 0x24, 0x40, 0x01, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, + 0xC1, 0x0F, 0xB6, 0x00, 0x8B, 0x4C, 0x24, 0x24, 0x33, 0xC8, 0x8B, 0xC1, + 0x89, 0x44, 0x24, 0x24, 0xC7, 0x44, 0x24, 0x7C, 0x00, 0x00, 0x00, 0x00, + 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x7C, 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x7C, + 0x83, 0x7C, 0x24, 0x7C, 0x08, 0x7D, 0x28, 0x8B, 0x44, 0x24, 0x24, 0x83, + 0xE0, 0x01, 0x85, 0xC0, 0x74, 0x11, 0x8B, 0x44, 0x24, 0x24, 0xD1, 0xE8, + 0x35, 0x00, 0xC4, 0xB0, 0xB0, 0x89, 0x44, 0x24, 0x24, 0xEB, 0x0A, 0x8B, + 0x44, 0x24, 0x24, 0xD1, 0xE8, 0x89, 0x44, 0x24, 0x24, 0xEB, 0xC7, 0xE9, + 0x6A, 0xFF, 0xFF, 0xFF, 0x8B, 0x44, 0x24, 0x24, 0x83, 0xF0, 0xFF, 0x89, + 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x98, 0x00, + 0x00, 0x00, 0x8B, 0x8C, 0x24, 0x90, 0x00, 0x00, 0x00, 0x39, 0x48, 0x1C, + 0x74, 0x16, 0x8B, 0x94, 0x24, 0x90, 0x00, 0x00, 0x00, 0x48, 0xC7, 0xC1, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x94, 0x24, 0xF0, 0x00, 0x00, 0x00, 0x90, + 0x48, 0x81, 0xC4, 0x58, 0x01, 0x00, 0x00 + + }; + + a.embed(memoryProtectionShellcode.data(), memoryProtectionShellcode.size()); + + // Restoring the register context + // Pop flags + a.pop(asmjit::x86::r15); + a.pop(asmjit::x86::r14); + a.pop(asmjit::x86::r13); + a.pop(asmjit::x86::r12); + a.pop(asmjit::x86::r11); + a.pop(asmjit::x86::r10); + a.pop(asmjit::x86::r9); + a.pop(asmjit::x86::r8); + a.pop(asmjit::x86::rdi); + a.pop(asmjit::x86::rsi); + a.pop(asmjit::x86::rbp); + a.pop(asmjit::x86::rbx); + a.pop(asmjit::x86::rdx); + a.pop(asmjit::x86::rcx); + a.pop(asmjit::x86::rax); + + // Breaking Decompilers + insertBreakDecompilers(a); + + // pop RFLAGS + a.popfq(); + + // Getting new opcodes to insert in place of the old block + std::vector memoryprotection_instructions; + auto& opcodeBuffer = code.sectionById(0)->buffer(); + const auto pOpcodeBuffer = opcodeBuffer.data(); + 
memoryprotection_instructions.reserve(opcodeBuffer.size()); + + // Storing our new opcodes for memory protection detection + for (auto i = 0; i < opcodeBuffer.size(); ++i) memoryprotection_instructions.push_back(static_cast(pOpcodeBuffer[i])); + + // Saving the opcode block + data.assign(memoryprotection_instructions.begin(), memoryprotection_instructions.end()); + + isInserted = TRUE; + + } + } + } } void RyujinObfuscationCore::updateBasicBlocksContext() { @@ -1996,15 +2244,15 @@ BOOL RyujinObfuscationCore::Run(bool& RyujinRunOncePass) { /* There is no need to obfuscate the anti-dump stub code. the junk code/mutation itself will handle that during processing. */ - this->insertAntiDump(); + if (this->m_config.m_isAntiDump) { - // Update our basic blocks context to rela 1-1 for the new obfuscated opcodes. - this->updateBasicBlocksContext(); + // Insert AntiDump Protection + this->insertAntiDump(); - //Insert stub for memory crc32 protection - this->insertMemoryProtection(); + // Update our basic blocks context to rela 1-1 for the new obfuscated opcodes. + this->updateBasicBlocksContext(); - RyujinRunOncePass = FALSE; + } } @@ -2054,6 +2302,22 @@ BOOL RyujinObfuscationCore::Run(bool& RyujinRunOncePass) { } + if (RyujinRunOncePass) { + + if (this->m_config.m_isMemoryProtection && (!this->m_config.m_isAntiDump || !this->m_config.m_isEncryptObfuscatedCode || !this->m_config.m_isRandomSection)) { + + //Insert stub for memory CRC protection + this->insertMemoryProtection(); + + // Update our basic blocks context to rela 1-1 for the new obfuscated opcodes. + this->updateBasicBlocksContext(); + + } + + RyujinRunOncePass = FALSE; + + } + return TRUE; } diff --git a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh index 7e9e589..0e1cf0d 100644 --- a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh +++ b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh 
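Review bot: The CRC polynomial is hard-coded twice with nothing tying the copies together: the immediate in the embedded stub bytes `0x35, 0x00, 0xC4, 0xB0, 0xB0` (which decodes to `xor eax, 0xB0B0C400`) has to agree with the default `poly = 0xB0B0C400` declared in RyujinCRC32Utils.hh and relied on by RyujinPESections::ProcessOpcodesNewSection, and the blob's only comment is `/* TODO */`, so changing either side silently breaks the runtime check. The blob needs a header comment naming the source it was compiled from, the CRC parameters it assumes (reflected CRC-32, init and final XOR 0xFFFFFFFF, poly 0xB0B0C400) and the section-header fields it reads (it appears to compare the DWORD at +0x1C and read the WORD at +0x22, which is where ProcessOpcodesNewSection stores the CRC and the length — confirm against the original source). Control flow: `if (isInserted) break;` only leaves the inner loop and the following `if (!isInserted)` is then always true, so the flag and the wrapper can go and `isInserted = TRUE;` becomes `return;`; `asmjit::JitRuntime runtime;` is also constructed on every iteration just to supply `runtime.environment()` and belongs above the loops. The comment `// Restoring the register context` / `// Pop flags` sits above the register pops while `a.popfq()` is emitted later, after `insertBreakDecompilers(a)`; if that helper emits instructions that touch general-purpose registers they run on the already-restored context — its body is not visible here, please confirm. `for (auto i = 0; i < opcodeBuffer.size(); ++i)` deduces `int` and compares it with a `size_t`; `for (std::size_t i = 0; i < opcodeBuffer.size(); ++i)` avoids the signed/unsigned mismatch (the same loop appears in insertAntiDump in the hunk above).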
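Review bot: The guard `this->m_config.m_isMemoryProtection && (!this->m_config.m_isAntiDump || !this->m_config.m_isEncryptObfuscatedCode || !this->m_config.m_isRandomSection)` silently drops a requested memory protection whenever all three other options are enabled, and nothing in the hunk says why. If the intent is that the CRC stub cannot coexist with encrypted code or a randomised section (the CRC in ProcessOpcodesNewSection is taken over the plain opcodes), the disjunction reads inverted — one option being off is enough to enable the stub, but only all three on disables it — so please either state the rule in a comment, e.g. `// Memory CRC stub is skipped only when anti-dump, code encryption and section randomisation are all on: <reason>`, or fix the condition. When the stub is skipped the user asked for a check and gets none, so a log line saying the option was ignored would avoid a silently unprotected output. Run's body continues outside the hunk.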
@@ -12,7 +12,6 @@ #include "../Models/RyujinProcedure.hh" #include "../Models/RyujinObfuscatorConfig.hh" #include "../RyujinCore/BasicBlockerBuilder.hh" -#include "../Utils/RyujinCRC32Utils.hh" class RyujinObfuscationCore { diff --git a/RyujinCore/Ryujin/Utils/RyujinCRC32Utils.cc b/RyujinCore/Ryujin/Utils/RyujinCRC32Utils.cc index 1d779a2..a79e11c 100644 --- a/RyujinCore/Ryujin/Utils/RyujinCRC32Utils.cc +++ b/RyujinCore/Ryujin/Utils/RyujinCRC32Utils.cc @@ -1,41 +1,20 @@ #include "RyujinCRC32Utils.hh" -auto RyujinCRC32Utils::checksum_crc32gentab() -> void { - - unsigned long poly = 0xEDB88320L; - for (int i = 0; i < 256; i++) { - - unsigned long crc = i; - - for (int j = 8; j > 0; j--) { - - if (crc & 1) crc = (crc >> 1) ^ poly; - else crc >>= 1; +auto RyujinCRC32Utils::compute_crc(const uint8_t* data, size_t len, uint32_t poly) -> uint32_t { + uint32_t crc = 0xFFFFFFFF; + for (size_t i = 0; i < len; ++i) { + + crc ^= data[i]; + + for (int j = 0; j < 8; ++j) { + if (crc & 1) + crc = (crc >> 1) ^ poly; + else + crc >>= 1; } - - m_crc_tab[i] = crc; + } - -} - -auto RyujinCRC32Utils::checksum_crc32(unsigned char* block, unsigned int length) -> uint32_t { - - register unsigned long crc = 0xFFFFFFFF; - - for (unsigned long i = 0; i < length; i++) crc = ((crc >> 8) & 0x00FFFFFF) ^ m_crc_tab[(crc ^ *block++) & 0xFF]; - - return (crc ^ 0xFFFFFFFF); -} - -auto RyujinCRC32Utils::crc32(unsigned char* block, unsigned int length) -> uint32_t { - - if (!m_bInitialized) { - - checksum_crc32gentab(); - m_bInitialized = TRUE; - - } - - return checksum_crc32(block, length); + + return crc ^ 0xFFFFFFFF; } \ No newline at end of file diff --git a/RyujinCore/Ryujin/Utils/RyujinCRC32Utils.hh b/RyujinCore/Ryujin/Utils/RyujinCRC32Utils.hh index ac46e3f..6116f04 100644 --- a/RyujinCore/Ryujin/Utils/RyujinCRC32Utils.hh +++ b/RyujinCore/Ryujin/Utils/RyujinCRC32Utils.hh 
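Review bot: `compute_crc` carries no documentation of the variant it implements: it is a reflected (LSB-first) CRC-32 with init and final XOR `0xFFFFFFFF`, and `poly` is the reflected polynomial, which matters because the default `0xB0B0C400` in the header is not the standard `0xEDB88320` the removed table code used and must match the value embedded in the memory-protection stub. Suggest a Doxygen header such as `/// Reflected CRC-32 (init/final XOR 0xFFFFFFFF) over len bytes of data using reflected polynomial poly; the value must match the stub emitted by insertMemoryProtection.` and marking the definition `noexcept`, since it cannot throw. With `len == 0` it returns 0, which callers comparing against a stored value may want stated; the file also still ends without a trailing newline.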
@@ -2,19 +2,9 @@ #include #include -class RyujinCRC32Utils { +namespace RyujinCRC32Utils { -private: - uint32_t m_crc_tab[256]; - BOOL m_bInitialized = FALSE; - - auto checksum_crc32gentab() -> void; - - auto checksum_crc32(unsigned char* block, unsigned int length) -> uint32_t; - -public: - - auto crc32(unsigned char* block, unsigned int length) -> uint32_t; + auto compute_crc(const uint8_t* data, size_t len, uint32_t poly = 0xB0B0C400) -> uint32_t; }; diff --git a/RyujinCore/Ryujin/Utils/RyujinPESections.cc b/RyujinCore/Ryujin/Utils/RyujinPESections.cc index 88bef01..bfe54d4 100644 --- a/RyujinCore/Ryujin/Utils/RyujinPESections.cc +++ b/RyujinCore/Ryujin/Utils/RyujinPESections.cc @@ -84,6 +84,11 @@ BOOL RyujinPESections::AddNewSection(const std::string& strInputFilePath, char c BOOL RyujinPESections::ProcessOpcodesNewSection(std::vector& opcodeData) { + // Calculate ryujin section CRC for memory protection + m_newSection.PointerToLinenumbers = RyujinCRC32Utils::compute_crc(opcodeData.data(), opcodeData.size()); + m_newSection.NumberOfLinenumbers = opcodeData.size(); + + // Continue the logic m_newSection.Misc.VirtualSize = opcodeData.size(); m_newSection.SizeOfRawData = ALIGN_UP(opcodeData.size(), m_ntHeader->OptionalHeader.FileAlignment); diff --git a/RyujinCore/Ryujin/Utils/RyujinPESections.hh b/RyujinCore/Ryujin/Utils/RyujinPESections.hh index a0117c9..cb0110b 100644 --- a/RyujinCore/Ryujin/Utils/RyujinPESections.hh +++ b/RyujinCore/Ryujin/Utils/RyujinPESections.hh @@ -5,6 +5,7 @@ #include #include "RyujinUtils.hh" +#include "../Utils/RyujinCRC32Utils.hh" #define ALIGN_UP(value, alignment) ((value + alignment - 1) & ~(alignment - 1)) #define JACKPOTNUMBER 0x777
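Review bot: The closing `};` is left over from the class and now ends a namespace, leaving a stray `;` at file scope (an empty declaration, legal since C++11 but reported by `-Wpedantic`); it should be `}`. The default `poly = 0xB0B0C400` needs a comment saying it is a non-standard reflected polynomial and that the memory-protection stub embeds the same constant, so the two cannot be changed independently, e.g. `// Non-standard reflected polynomial; must match the immediate in the insertMemoryProtection stub.` Marking the declaration `[[nodiscard]]` would also catch a computed checksum that is accidentally dropped.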
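Review bot: `m_newSection.NumberOfLinenumbers = opcodeData.size();` truncates silently if `m_newSection` is an `IMAGE_SECTION_HEADER` (the field names match it), because `NumberOfLinenumbers` is a 16-bit WORD while `size()` is a `size_t`; a section larger than 65535 bytes would record a wrong length and the runtime check would then cover only part of the section. Guard it before the assignment, `if (opcodeData.size() > 0xFFFF) return FALSE;`, or move the length to a wider field. Add a comment that the two line-number fields are repurposed to carry the CRC and length for the runtime check, since a reader of a PE header would not expect that. ProcessOpcodesNewSection continues outside the hunk.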
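Review bot: The new include spells the path as `"../Utils/RyujinCRC32Utils.hh"` although RyujinPESections.hh itself lives in Utils/ and the line above includes its sibling as `"RyujinUtils.hh"`; `#include "RyujinCRC32Utils.hh"` keeps the file consistent. Only RyujinPESections.cc calls compute_crc in this change, so if that file includes its own header the include could live in the .cc instead and spare every includer of this header the extra dependency.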