- Fixed bugs reported by third parties (instruction-override issues, padding-space logic, and more)
- Corrected typos (translated comments/examples to English)
- Fully refactored the Ryujin console (arguments now handled via the argparser library)
- MBA pass: fixed equivalence-logic issues when generating MBA instructions for original operations
- Updated DemoObfuscation usage examples
- Now DemoObfuscation for TestBinary is part of Ryujin main Solution and able to compile together.
- Some code typos was fixed into DemoObfuscation.
- Output solution paths configs fix and more.
- Started working on the feature to add a custom standalone pass that adds support for MBA obfuscation in arithmetic operators with guaranteed equivalence and semantics.
- Now Ryujin requires Z3 for MBA Obfuscation equivalence..
- Fixed context and flag handling issues in RunMiniVMObfuscation.
- New HVPass feature – This feature allows the code VM to run through Microsoft’s Hypervisor API, adding an extra layer of analysis difficulty.
- MiniVM (normal) or MiniVM + HVPass – Now support junk/mutation in the stub, making the logic and instructions randomized at each interaction, further protecting the stub’s code.
- Bug fix – Fixed an issue in the extraction of unused registers from candidate procedures, where some registers were not being handled correctly.
- Bug fix – Fixed an issue in the extraction of XMM registers to enable junk/mutation support for multimedia registers.
- Bug fix – Fixed a problem in the junk/mutation logic for the instructions cdqe and cbw, which were incorrectly overwriting the RAX register, breaking results even when the registers were in use.
- Bug fix – Some instructions were not having relocations properly fixed by the RIP-relative relocation algorithm; this has now been corrected.
- Articles + Project Diagrams as well.
Some of these issues, as well as feature suggestions like HVPass, were discovered or suggested by the reviewers of Ryujin’s article.
- Improved the Custom Pass code to align with Ryujin coding standards.
- Added clear and helpful comments for better understanding of how RyujinCustomPassDemo works.
- Improved README.md for better structure and readability as user-facing documentation.
- Updated demo images for Ryujin and added more visual examples.
- Ryujin users can now register their own callbacks following the standard interface to create custom passes and extend Ryujin’s behavior.
- Updated configuration files to support safe usage.
- Adjusted README.md.
- Improved and organized pointer safety.
- Removed old, unused fields from the config.
- Introduced RyuJinConfigInternal to separate internal fields not directly related to the exposed config, used only by the Ryujin core.
- Updated README.md.
- Added the original source code that generates the memory protection stub as a comment in the stub.
- Added a memory protection flag to the CLI and an option to the GUI.
- Improved CLI help text to be more detailed and explanatory.
- Updated README.md.
- Working on a new feature to allow users to protect obfuscated code with a memory protection mechanism, inspired by VMProtect, where the protector uses CRC32 to validate if a page was modified on disk or in memory.
- This is just the base to start building the feature. It’s still in development and I hope it evolves a lot.
- Begin work on the foundational structure for the "AntiDump" feature
- Introduced a new capability in Ryujin called "RyujinRunOncePass", which runs only on the first obfuscated function — ideal for volatile features
- Updated "RyujinCoreConfiguration" structures
- Updated "RyujinGUI" to include the "AntiDump" option
- Updated "RyujinConsole" to display the "AntiDump" feature
- Updated "README.md" accordingly
- Fixed a bug related to MSVC optimizations that broke Ryujin's relocation algorithm and its fix-up logic.
- Introduced a standardized FFI argument-passing method for Ryujin Core; the legacy method remains compatible.
- Ryujin GUI now fully supports the Anti-Debug features.
- Various minor bug fixes and improvements to project structure.
- Started working on the initial concept and base implementation for AntiDebug detection.
- The goal is to use stealthy techniques (similar to Themida) to detect debugging attempts.
- An additional feature is being developed to troll reverse engineers by triggering a forced BSOD upon detection, causing them to lose their analysis progress.
- RyujinGUI now uses RyujinCore to properly obfuscate code with full configuration support.
- Added new Ryujin logo.
- Added new Ryujin banner.
- Improved UI design, components, and more.
- Set up base GUI project structure using wxWidgets.
- Implement main window with custom styles and fixed dimensions.
- Add input fields for EXE, PDB, and output paths.
- Include obfuscation options with styled checkboxes.
- Add procedure list with add/remove functionality.
- Implement progress bar and "Run Obfuscator" button.
- Bind events for file selection, procedure management, and obfuscation run.
The implementation of RyujinConsole is now complete. Users can fully customize the obfuscation process using a wide range of command-line options.
- Added full command-line interface support for RyujinConsole.
- Users can now specify input and output paths, and provide a PDB file for symbol mapping.
- Supports various obfuscation techniques via flags:
- --virtualize: Enables code virtualization.
- --junk: Inserts junk code.
- --encrypt: Encrypts the obfuscated code.
- --iat: Enables Import Address Table obfuscation.
- --random-section: Uses a randomized PE section for output.
- --keep-original: Preserves the original code (does not remove it).
- Allows fine-grained control over which procedures to obfuscate via --procs.
- Includes a --help option that provides detailed usage information.
- Example usage is provided in the built-in help message.
- The Ryujin console can now include the Ryujin core through a dedicated header file.
- Exporting is now standardized using a definition file.
- The project's compiled output is now placed in a folder named compiled, organized by the desired configuration (Release or Debug).
- Some code organization improvements have been made.
- Ryujin now includes a component called Core, where the main obfuscator logic resides. It functions as an independent library that can be used anywhere.
- RyujinConsole now operates by loading the RyujinCore library to run the obfuscator.
- This is a preparation step for additional Ryujin components, such as a future Ryujin GUI and more features like passes and advanced obfuscation options.
- The "Encrypt Obfuscated Code" feature is now complete, using a new encryption algorithm called TeaDelKew, which is based on XTEA, to encrypt all obfuscated code and decrypt it at the entry point before execution.
- Some code improvements were also made.
- The encryption feature in Ryujin is now fully implemented and functional. Currently, it uses a simple XOR-based algorithm for encryption and decryption. This approach will be improved in the future to enhance security.
- The feature overrides the Original Entry Point (OEP) with a new stub that decrypts all obfuscated code at runtime, then transfers control to the original entry point to continue normal execution.
- Started working on the logic to obfuscate opcodes in the Ryujin section to prevent static analysis. This is just the initial groundwork for the feature.
- Ryujin MiniVM now supports dynamic register values, allowing it to store immediate values and registers using dual arguments: the first as the register operand (argument one) and the VM bytecode as the second (argument two).
- Code improvements and bug fixes.
- Ryujin can now interpret MiniVM bytecode. It inserts the MiniVM entry routine's RVA to enable execution of the VM interpreter.
- This is just the initial implementation and will be significantly improved in future commits. We're pushing our first working solution for now.
- Ryujin can now locate candidate instructions, convert them into VM bytecode, and insert the MiniVM entry point to enable execution of these bytecodes.
- Minor bug fixes.
- Ryujin can now generate dynamic junk code instructions that are truly random on every iteration.
- Fixed several constants used in junk code obfuscation.
- Implemented the base for Junk Code dynamic generation.
- Implemented logic for ZydisRegister to GP register conversion.
- Fixed a heuristic analysis feature that stored unused stack registers.
- Ignored reserved stack registers.
- Increased the number of obfuscation passes.
- Completed the core Junk Code Insertion feature.
-Translated comments.
- Made minor code improvements.
- Planned future enhancements for the Junk Code Insertion feature.
- Some parts of the code have been organized.
- A new obfuscation option to encrypt the obfuscated code is now available.
- The foundation for junk code insertion has been implemented.
- Completed the implementation of the IAT obfuscation logic.
- Integrated AsmJit-based code emission for obfuscation.
- Obfuscated the PEB and its offset entries to evade automated scanning.
- Added a randomized algorithm to generate a unique key for each iteration.
- Implemented runtime polymorphic IAT resolution to disrupt disassemblers and decompilers.
- Initial IAT obfuscation feature, Ryujin can now obfuscate the IAT for the configured procedures.
- New basic block context generation.
- Bug fixes.
- Improved obfuscation logic for better organization.
- Now Ryujin removes all the original procedure code after obfuscation.
- Now Ryujin redirects the original procedure to the correct obfuscated location for execution.
- Now Ryujin can handle multiple procedures at once and their relocation, organizing each obfuscated procedure sequentially in the new section.
- Fixed the bug in "RyujinObfuscationCore::fix_branch_near_far_short" that could break in some unexpected branching cases.
- Now after processing the obfuscated opcodes the ryujin can fix all the relocations for the obfuscated code turning this code valid again after obfuscating considering all possible relocation cases.
- The section generator was been improved as well
- The logic to handle obfuscated opcodes and function is also improved.
- Some unused field for our logic has been removed.
- Finished the logic for add new segments.
- Moved the segments code to a independent class for PESections.
- New method utils.
- Bug fixies.
- Code organization.
- Adding a new option on obfuscator for IAT obfuscation support.
- Adding a new logic to randomize section names.
- Adding the initial logic to add a new section in the PE file. and writing some ideas and some things to be able to continue the logic in a correct way.
