- Started working on the initial concept and base implementation for AntiDebug detection.
- The goal is to use stealthy techniques (similar to Themida) to detect debugging attempts.
- An additional feature is being developed to troll reverse engineers by triggering a forced BSOD upon detection, causing them to lose their analysis progress.
- RyujinGUI now uses RyujinCore to properly obfuscate code with full configuration support.
- Added new Ryujin logo.
- Added new Ryujin banner.
- Improved UI design, components, and more.
- Set up base GUI project structure using wxWidgets.
- Implement main window with custom styles and fixed dimensions.
- Add input fields for EXE, PDB, and output paths.
- Include obfuscation options with styled checkboxes.
- Add procedure list with add/remove functionality.
- Implement progress bar and "Run Obfuscator" button.
- Bind events for file selection, procedure management, and obfuscation run.
The implementation of RyujinConsole is now complete. Users can fully customize the obfuscation process using a wide range of command-line options.
- Added full command-line interface support for RyujinConsole.
- Users can now specify input and output paths, and provide a PDB file for symbol mapping.
- Supports various obfuscation techniques via flags:
  - --virtualize: Enables code virtualization.
  - --junk: Inserts junk code.
  - --encrypt: Encrypts the obfuscated code.
  - --iat: Enables Import Address Table obfuscation.
  - --random-section: Uses a randomized PE section for output.
  - --keep-original: Preserves the original code (does not remove it).
- Allows fine-grained control over which procedures to obfuscate via --procs.
- Includes a --help option that provides detailed usage information.
- Example usage is provided in the built-in help message.
- The Ryujin console can now include the Ryujin core through a dedicated header file.
- Exporting is now standardized using a definition file.
- The project's compiled output is now placed in a folder named compiled, organized by the desired configuration (Release or Debug).
- Some code organization improvements have been made.
- Ryujin now includes a component called Core, where the main obfuscator logic resides. It functions as an independent library that can be used anywhere.
- RyujinConsole now operates by loading the RyujinCore library to run the obfuscator.
- This is a preparation step for additional Ryujin components, such as a future Ryujin GUI and more features like passes and advanced obfuscation options.
- The "Encrypt Obfuscated Code" feature is now complete, using a new encryption algorithm called TeaDelKew, which is based on XTEA, to encrypt all obfuscated code and decrypt it at the entry point before execution.
- Some code improvements were also made.
- The encryption feature in Ryujin is now fully implemented and functional. Currently, it uses a simple XOR-based algorithm for encryption and decryption. This approach will be improved in the future to enhance security.
- The feature overrides the Original Entry Point (OEP) with a new stub that decrypts all obfuscated code at runtime, then transfers control to the original entry point to continue normal execution.
- Started working on the logic to obfuscate opcodes in the Ryujin section to prevent static analysis. This is just the initial groundwork for the feature.
- Ryujin MiniVM now supports dynamic register values, allowing it to store immediate values and registers using dual arguments: the first as the register operand (argument one) and the VM bytecode as the second (argument two).
- Code improvements and bug fixes.
- Ryujin can now interpret MiniVM bytecode. It inserts the MiniVM entry routine's RVA to enable execution of the VM interpreter.
- This is just the initial implementation and will be significantly improved in future commits. We're pushing our first working solution for now.
- Ryujin can now locate candidate instructions, convert them into VM bytecode, and insert the MiniVM entry point to enable execution of these bytecodes.
- Minor bug fixes.
- Ryujin can now generate dynamic junk code instructions that are truly random on every iteration.
- Fixed several constants used in junk code obfuscation.
- Implemented the base for Junk Code dynamic generation.
- Implemented logic for ZydisRegister to GP register conversion.
- Fixed a heuristic analysis feature that stored unused stack registers.
- Ignored reserved stack registers.
- Increased the number of obfuscation passes.
- Completed the core Junk Code Insertion feature.
- Translated comments.
- Made minor code improvements.
- Planned future enhancements for the Junk Code Insertion feature.
- Some parts of the code have been organized.
- A new obfuscation option to encrypt the obfuscated code is now available.
- The foundation for junk code insertion has been implemented.
- Completed the implementation of the IAT obfuscation logic.
- Integrated AsmJit-based code emission for obfuscation.
- Obfuscated the PEB and its offset entries to evade automated scanning.
- Added a randomized algorithm to generate a unique key for each iteration.
- Implemented runtime polymorphic IAT resolution to disrupt disassemblers and decompilers.
- Initial IAT obfuscation feature: Ryujin can now obfuscate the IAT for the configured procedures.
- New basic block context generation.
- Bug fixes.
- Improved obfuscation logic for better organization.
- Now Ryujin removes all the original procedure code after obfuscation.
- Now Ryujin redirects the original procedure to the correct obfuscated location for execution.
- Now Ryujin can handle multiple procedures at once and their relocation, organizing each obfuscated procedure sequentially in the new section.
- Fixed the bug in "RyujinObfuscationCore::fix_branch_near_far_short" that could break in some unexpected branching cases.
- Now, after processing the obfuscated opcodes, Ryujin can fix all the relocations for the obfuscated code, making this code valid again after obfuscation, considering all possible relocation cases.
- The section generator has been improved as well.
- The logic to handle obfuscated opcodes and function is also improved.
- Some unused fields for our logic have been removed.
- Finished the logic for adding new segments.
- Moved the segments code to an independent class for PESections.
- New method utils.
- Bug fixes.
- Code organization.
- Adding a new option to the obfuscator for IAT obfuscation support.
- Adding a new logic to randomize section names.
- Adding the initial logic to add a new section in the PE file, and writing some ideas and some things to be able to continue the logic in a correct way.