- Now DemoObfuscation for TestBinary is part of Ryujin main Solution and able to compile together.
- Some code typos was fixed into DemoObfuscation.
- Output solution paths configs fix and more.
- Started working on the feature to add a custom standalone pass that adds support for MBA obfuscation in arithmetic operators with guaranteed equivalence and semantics.
- Now Ryujin requires Z3 for MBA Obfuscation equivalence..
- Fixed context and flag handling issues in RunMiniVMObfuscation.
- Added full support and the ability to obfuscate the MiniVM stub that uses logic different from the conventional one because it is PIC-relative.
- We added safe junkcode instructions to prevent problems.
- We will now have 40 padding bytes of NOP.
- Fixed a bug that prevented obfuscation of Ryujin MiniVm instructions.
- Implemented a specific algorithm to correct RIP-relative PIC relocations so the Ryujin shellcode stub can execute as expected when properly obfuscated.
- Only padding added for now. an obfuscation and mutation algorithm will be implemented next, independent and customized for the Ryujin MiniVm.
- Fixed bugs that caused stack misalignment when handling RIP-relative relocations.
- Added comments to improve the readability of the relocation fix logic.
- New HVPass feature – This feature allows the code VM to run through Microsoft’s Hypervisor API, adding an extra layer of analysis difficulty.
- MiniVM (normal) or MiniVM + HVPass – Now support junk/mutation in the stub, making the logic and instructions randomized at each interaction, further protecting the stub’s code.
- Bug fix – Fixed an issue in the extraction of unused registers from candidate procedures, where some registers were not being handled correctly.
- Bug fix – Fixed an issue in the extraction of XMM registers to enable junk/mutation support for multimedia registers.
- Bug fix – Fixed a problem in the junk/mutation logic for the instructions cdqe and cbw, which were incorrectly overwriting the RAX register, breaking results even when the registers were in use.
- Bug fix – Some instructions were not having relocations properly fixed by the RIP-relative relocation algorithm; this has now been corrected.
- Articles + Project Diagrams as well.
Some of these issues, as well as feature suggestions like HVPass, were discovered or suggested by the reviewers of Ryujin’s article.
- Improved the Custom Pass code to align with Ryujin coding standards.
- Added clear and helpful comments for better understanding of how RyujinCustomPassDemo works.
- Improved README.md for better structure and readability as user-facing documentation.
- Updated demo images for Ryujin and added more visual examples.
- Ryujin users can now register their own callbacks following the standard interface to create custom passes and extend Ryujin’s behavior.
- Updated configuration files to support safe usage.
- Adjusted README.md.
- Improved and organized pointer safety.
- Removed old, unused fields from the config.
- Introduced RyuJinConfigInternal to separate internal fields not directly related to the exposed config, used only by the Ryujin core.
- Updated README.md.
- Added the original source code that generates the memory protection stub as a comment in the stub.
- Added a memory protection flag to the CLI and an option to the GUI.
- Improved CLI help text to be more detailed and explanatory.
- Updated README.md.
- Implemented support for CRC-based memory protection stub.
- Improved CRC algorithm for better uniqueness and robustness.
- Added capability for Ryujin to store CRC from the .ryujin section into section header fields.
- Bug fixes and updated documentation.
- Working on a new feature to allow users to protect obfuscated code with a memory protection mechanism, inspired by VMProtect, where the protector uses CRC32 to validate if a page was modified on disk or in memory.
- This is just the base to start building the feature. It’s still in development and I hope it evolves a lot.
- The disassembler and decompiler's break feature now supports multiple techniques, inspired by a talk from BinjaDev at Off by One Conf. I've researched new capabilities to expand on this idea. The code has also been significantly improved to be more efficient and dynamic, allowing for future enhancements.
- Updated README.md to include the new Memory Protection feature.
- Ryujin can now break decompilers and disassemblers using a simple technique. This feature was inspired by a talk from BinjaDev at Off by One Conf. It will definitely be improved in the near future with more techniques.
- Added the shellcode generation code as comments within the "AntiDump" stub for better context and understanding.
- Enhanced README.md with more detailed descriptions and an outline of planned future features.
- Begin work on the foundational structure for the "AntiDump" feature
- Introduced a new capability in Ryujin called "RyujinRunOncePass", which runs only on the first obfuscated function — ideal for volatile features
- Updated "RyujinCoreConfiguration" structures
- Updated "RyujinGUI" to include the "AntiDump" option
- Updated "RyujinConsole" to display the "AntiDump" feature
- Updated "README.md" accordingly
- Fixed a bug related to MSVC optimizations that broke Ryujin's relocation algorithm and its fix-up logic.
- Introduced a standardized FFI argument-passing method for Ryujin Core; the legacy method remains compatible.
- Ryujin GUI now fully supports the Anti-Debug features.
- Various minor bug fixes and improvements to project structure.
- Ryujin is now fully capable of detecting debuggers from both userland and kernel land.
- Ryujin inserts its detection stub without breaking application logic.
- Ryujin supports two modes:
- Troll – triggers a BSOD using a Microsoft Windows bug.
- Normal – simply calls NtTerminateProcess when a debugger is detected.
- This implementation can be improved in the future to handle more advanced detection methods, but it's good for now.
- Researching how to insert a safe stub to handle detections for anti-debugging and troll attempts as part of the TrollReversers feature.
- Currently, it only inserts a "Hello World" MessageBox in each procedure indicated to Ryujin.
- This stub is completely safe and does not break the original code logic or flow. It can be fully mutated and obfuscated when reanalyzing opcodes, making it fully compatible with all Ryujin features simultaneously.
- Started working on the initial concept and base implementation for AntiDebug detection.
- The goal is to use stealthy techniques (similar to Themida) to detect debugging attempts.
- An additional feature is being developed to troll reverse engineers by triggering a forced BSOD upon detection, causing them to lose their analysis progress.
- RyujinGUI now uses RyujinCore to properly obfuscate code with full configuration support.
- Added new Ryujin logo.
- Added new Ryujin banner.
- Improved UI design, components, and more.
- Set up base GUI project structure using wxWidgets.
- Implement main window with custom styles and fixed dimensions.
- Add input fields for EXE, PDB, and output paths.
- Include obfuscation options with styled checkboxes.
- Add procedure list with add/remove functionality.
- Implement progress bar and "Run Obfuscator" button.
- Bind events for file selection, procedure management, and obfuscation run.
The implementation of RyujinConsole is now complete. Users can fully customize the obfuscation process using a wide range of command-line options.
- Added full command-line interface support for RyujinConsole.
- Users can now specify input and output paths, and provide a PDB file for symbol mapping.
- Supports various obfuscation techniques via flags:
- --virtualize: Enables code virtualization.
- --junk: Inserts junk code.
- --encrypt: Encrypts the obfuscated code.
- --iat: Enables Import Address Table obfuscation.
- --random-section: Uses a randomized PE section for output.
- --keep-original: Preserves the original code (does not remove it).
- Allows fine-grained control over which procedures to obfuscate via --procs.
- Includes a --help option that provides detailed usage information.
- Example usage is provided in the built-in help message.
- The Ryujin console can now include the Ryujin core through a dedicated header file.
- Exporting is now standardized using a definition file.
- The project's compiled output is now placed in a folder named compiled, organized by the desired configuration (Release or Debug).
- Some code organization improvements have been made.
- Ryujin now includes a component called Core, where the main obfuscator logic resides. It functions as an independent library that can be used anywhere.
- RyujinConsole now operates by loading the RyujinCore library to run the obfuscator.
- This is a preparation step for additional Ryujin components, such as a future Ryujin GUI and more features like passes and advanced obfuscation options.
- The "Encrypt Obfuscated Code" feature is now complete, using a new encryption algorithm called TeaDelKew, which is based on XTEA, to encrypt all obfuscated code and decrypt it at the entry point before execution.
- Some code improvements were also made.
- The encryption feature in Ryujin is now fully implemented and functional. Currently, it uses a simple XOR-based algorithm for encryption and decryption. This approach will be improved in the future to enhance security.
- The feature overrides the Original Entry Point (OEP) with a new stub that decrypts all obfuscated code at runtime, then transfers control to the original entry point to continue normal execution.
- Started working on the logic to obfuscate opcodes in the Ryujin section to prevent static analysis. This is just the initial groundwork for the feature.
- Ryujin MiniVM now supports dynamic register values, allowing it to store immediate values and registers using dual arguments: the first as the register operand (argument one) and the VM bytecode as the second (argument two).
- Code improvements and bug fixes.
- Ryujin can now interpret MiniVM bytecode. It inserts the MiniVM entry routine's RVA to enable execution of the VM interpreter.
- This is just the initial implementation and will be significantly improved in future commits. We're pushing our first working solution for now.
- Ryujin can now locate candidate instructions, convert them into VM bytecode, and insert the MiniVM entry point to enable execution of these bytecodes.
- Minor bug fixes.
- Ryujin can now generate dynamic junk code instructions that are truly random on every iteration.
- Fixed several constants used in junk code obfuscation.
- Implemented the base for Junk Code dynamic generation.
- Implemented logic for ZydisRegister to GP register conversion.
- Fixed a heuristic analysis feature that stored unused stack registers.
- Ignored reserved stack registers.
- Increased the number of obfuscation passes.
