admin/Ryujin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a96d97b9b0db0513f94ff494c66b8def6bf7ae59
Ryujin/RyujinCore/Ryujin/Ryujin.cc
keowu a96d97b9b0 feat: MSVC optimization bug fixes, FFI standard support, and Anti-Debug options in RyujinGui 
- Fixed a bug related to MSVC optimizations that broke Ryujin's relocation algorithm and its fix-up logic.
- Introduced a standardized FFI argument-passing method for Ryujin Core; the legacy method remains compatible.
- Ryujin GUI now fully supports the Anti-Debug features.
- Various minor bug fixes and improvements to project structure.
2025-07-10 20:55:39 -03:00

656 lines
25 KiB
C++
Raw Blame History

#include "Ryujin.hh"
Ryujin::Ryujin(const std::string& strInputFilePath, const std::string& strPdbFilePath, const std::string& strOutputFilePath) {
m_strInputFilePath.assign(strInputFilePath.begin(), strInputFilePath.end());
m_strOutputFilePath.assign(strOutputFilePath.begin(), strOutputFilePath.end());
m_strPdbFilePath.assign(strPdbFilePath.begin(), strPdbFilePath.end());
auto mappedInfo = RyujinUtils::MapPortableExecutableFileIntoMemory(m_strInputFilePath, m_mappedPE);
m_szFile = mappedInfo.second;
m_isInitialized = mappedInfo.first;
if (!m_isInitialized) {
::OutputDebugStringA(
_In_ "Ryujin::Ryujin: failed to initilize.\n"
);
}
m_ryujinProcedures = RyujinPdbParsing::ExtractProceduresFromPdb(
reinterpret_cast<uintptr_t>(m_mappedPE.get()),
m_szFile,
m_strInputFilePath,
m_strPdbFilePath
);
if (m_ryujinProcedures.size() == 0) {
m_isInitialized = FALSE;
::OutputDebugStringA(
_In_ "Ryujin::Ryujin: No Associate PDB file found for the input binary.."
);
}
}
bool Ryujin::run(const RyujinObfuscatorConfig& config) {
auto imgDos = reinterpret_cast<PIMAGE_DOS_HEADER>(m_mappedPE.get());
if (imgDos->e_magic != IMAGE_DOS_SIGNATURE) {
::OutputDebugStringA(
_In_ "Ryujin::run: Invalid PE File.\n"
);
return FALSE;
}
auto imgNt = reinterpret_cast<PIMAGE_NT_HEADERS>(m_mappedPE.get() + imgDos->e_lfanew);
if (imgNt->Signature != IMAGE_NT_SIGNATURE) {
::OutputDebugStringA(
_In_ "Ryujin::run: Invalid NT headers for the input PE File.\n"
);
return FALSE;
}
if (!m_isInitialized) {
::OutputDebugStringA(
_In_ "Ryujin::Ryujin: not initilized.\n"
);
return FALSE;
}
if (config.m_strdProceduresToObfuscate.size() == 0) {
::OutputDebugStringA(
_In_ "Ryujin::Ryujin: not provided functions to obfuscate.\n"
);
return FALSE;
}
std::vector<RyujinObfuscationCore> processed_procs;
for (auto& proc : m_ryujinProcedures) {
auto it = std::find(config.m_strdProceduresToObfuscate.begin(), config.m_strdProceduresToObfuscate.end(), proc.name);
if (it == config.m_strdProceduresToObfuscate.end()) continue;
std::printf(
"[WORKING ON]: %s\n",
proc.name.c_str()
);
// Is a valid procedure ?
if (proc.size == 0) {
::OutputDebugStringA(
_In_ "Ryujin::Ryujin: The candidate is a ghost function cannot obfuscate this..\n"
);
continue;
}
//Get procedure opcodes from mapped pe file
auto ucOpcodes = new unsigned char[proc.size] { 0 };
std::memcpy(
ucOpcodes,
reinterpret_cast<void*>(proc.address),
proc.size
);
//Create basic blocks
RyujinBasicBlockerBuilder rybb(ZYDIS_MACHINE_MODE_LONG_64, ZydisStackWidth_::ZYDIS_STACK_WIDTH_64);
proc.basic_blocks = rybb.createBasicBlocks(ucOpcodes, proc.size, proc.address);
//Is time to obfuscate ?
RyujinObfuscationCore obc(config, proc, reinterpret_cast<uintptr_t>(m_mappedPE.get()));
obc.Run();
//TODO: Custom passes support
//Storing processed procs
processed_procs.push_back(obc);
//Clean up opcodes
delete[] ucOpcodes;
}
//Add section
char chSectionName[8]{ '.', 'R', 'y', 'u', 'j', 'i', 'n', '\0' };
if (config.m_isRandomSection) RyujinUtils::randomizeSectionName(chSectionName);
RyujinPESections peSections;
peSections.AddNewSection(m_strInputFilePath, chSectionName);
uintptr_t offsetVA = 0, miniVmEnterAddress = 0;
std::vector<unsigned char> opcodesWithRelocsFixed;
//Insert minivm enter routine
if (config.m_isVirtualized) {
// Ryujin MiniVM Routine
std::vector<unsigned char> miniVmEnter {
/*
#pragma optimize("", off)
__declspec(noinline) __declspec(safebuffers)uintptr_t miniVmExecute(uintptr_t rcx, uintptr_t rdx) {
unsigned char reg = (rdx >> 16) & 0xFF;
unsigned char op = (rdx >> 8) & 0xFF;
uint64_t value = rdx & 0xFF;
uintptr_t result = rcx;
switch (op) {
case 1:
result += value;
break;
case 2:
result -= value;
break;
case 3:
result *= value;
break;
case 4:
result /= value;
break;
default:
result = 0;
break;
}
return result;
}
#pragma optimize("", on)
*/
0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, 0x24, 0x08, 0x48, 0x83,
0xEC, 0x28, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x48, 0xC1, 0xE8, 0x10, 0x48,
0x25, 0xFF, 0x00, 0x00, 0x00, 0x88, 0x44, 0x24, 0x01, 0x48, 0x8B, 0x44,
0x24, 0x38, 0x48, 0xC1, 0xE8, 0x08, 0x48, 0x25, 0xFF, 0x00, 0x00, 0x00,
0x88, 0x04, 0x24, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x25, 0xFF, 0x00,
0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x10, 0x48, 0x8B, 0x44, 0x24, 0x30,
0x48, 0x89, 0x44, 0x24, 0x08, 0x0F, 0xB6, 0x04, 0x24, 0x88, 0x44, 0x24,
0x04, 0x80, 0x7C, 0x24, 0x04, 0x01, 0x74, 0x17, 0x80, 0x7C, 0x24, 0x04,
0x02, 0x74, 0x27, 0x80, 0x7C, 0x24, 0x04, 0x03, 0x74, 0x37, 0x80, 0x7C,
0x24, 0x04, 0x04, 0x74, 0x42, 0xEB, 0x53, 0x48, 0x8B, 0x44, 0x24, 0x10,
0x48, 0x8B, 0x4C, 0x24, 0x08, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48,
0x89, 0x44, 0x24, 0x08, 0xEB, 0x45, 0x48, 0x8B, 0x44, 0x24, 0x10, 0x48,
0x8B, 0x4C, 0x24, 0x08, 0x48, 0x2B, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89,
0x44, 0x24, 0x08, 0xEB, 0x2E, 0x48, 0x8B, 0x44, 0x24, 0x08, 0x48, 0x0F,
0xAF, 0x44, 0x24, 0x10, 0x48, 0x89, 0x44, 0x24, 0x08, 0xEB, 0x1C, 0x33,
0xD2, 0x48, 0x8B, 0x44, 0x24, 0x08, 0x48, 0xF7, 0x74, 0x24, 0x10, 0x48,
0x89, 0x44, 0x24, 0x08, 0xEB, 0x09, 0x48, 0xC7, 0x44, 0x24, 0x08, 0x00,
0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x08, 0x48, 0x83, 0xC4, 0x28,
0xC3
};
// Inserting the Ryujin MiniVm stub at the beginning of Ryujin section
opcodesWithRelocsFixed.insert(opcodesWithRelocsFixed.end(), miniVmEnter.begin(), miniVmEnter.end());
// Storing the MiniVm Stub Offset
miniVmEnterAddress = peSections.getRyujinSectionVA();
// Calculating the size of the MiniVM Stub
offsetVA += miniVmEnter.size();
}
for (auto& obc : processed_procs) {
// Getting new obfuscated opcodes
auto tempValued = obc.getProcessedProc().getUpdateOpcodes();
// Fix relocations
obc.applyRelocationFixupsToInstructions(reinterpret_cast<uintptr_t>(imgDos), peSections.getRyujinSectionVA() + offsetVA, tempValued);
// Removing and adding a jump in the original procedure and removing original opcodes for a jump to the new obfuscated code
obc.removeOldOpcodeRedirect(peSections.mappedPeDiskBaseAddress(), peSections.getRyujinMappedPeSize(), reinterpret_cast<uintptr_t>(imgDos) + peSections.getRyujinSectionVA() + offsetVA, config.m_isIgnoreOriginalCodeRemove);
// Inserindo MiniVMEnter
if (config.m_isVirtualized) obc.InsertMiniVmEnterProcedureAddress(reinterpret_cast<uintptr_t>(imgDos), miniVmEnterAddress, tempValued);
// Destructing class
obc.~RyujinObfuscationCore();
// Inserting procedures into the list of corrected opcodes
opcodesWithRelocsFixed.insert(opcodesWithRelocsFixed.end(), tempValued.begin(), tempValued.end());
// Incrementing the offset with the size of the opcodes in question
offsetVA += tempValued.size();
}
// Encrypt all obfuscated code
if (config.m_isEncryptObfuscatedCode && !config.m_isRandomSection) {
/*
To "encrypt" all the obfuscated code:
1 - We will encrypt byte by byte of our vector that contains the new opcodes for the section.
2 - We will insert the stub that decrypts and its respective opcodes into the vector of new opcodes.
3 - We will replace the original entry point with our stub. Our stub will jump to the original entry point after deobfuscation.
4 - We will then have the code ready to be properly executed.
*/
/*
Begin TeaDelKew algorithm Implementation
(C) Jo<4A>o Vitor(@Keowu) avaliable on https://github.com/keowu/gamespy/blob/main/code_base/Kurumi/TeaDelKewTests/TeaDelKewAlgo.hh#L2
*/
// Aligning the data so we can run TeaDelKew
while (opcodesWithRelocsFixed.size() % 8 != 0) {
opcodesWithRelocsFixed.push_back(0x00);
offsetVA += 1;
}
// TEADELKEW key
uint32_t key[4] = {
0x77122545, 0x88998877, 0x9944DEAD, 0x10CAFEB4
};
// TEADELKEW KeyBox
uint32_t kew_box[12] = {
0x77122545, 0x88998877, 0x9944DEAD, 0x10CAFEB4,
0x45B0B0C4, 0x35DEADDE, 0x25C4C4C4, 0x85634897,
0x56123456, 0x11454545, 0x12323232, 0x95959595
};
// Encrypting all the opcode generated by the obfuscator using the TeaDelKew algorithm
for (size_t i = 0; i < opcodesWithRelocsFixed.size(); i += 8) {
uint32_t* block = reinterpret_cast<uint32_t*>(&opcodesWithRelocsFixed[i]);
uint32_t v0 = ~block[0];
uint32_t v1 = ~block[1];
uint32_t sum = 0;
uint32_t delta = 0x00B0B0C4;
uint32_t k0 = key[0] ^ 0xDEADBEEF;
uint32_t k1 = key[1] ^ 0xDEADBEEF;
uint32_t k2 = key[2] ^ 0xDEADBEEF;
uint32_t k3 = key[3] ^ 0xDEADBEEF;
for (int j = 0; j < 2048; j++) {
v1 ^= kew_box[j % 12];
v0 ^= kew_box[j % 12];
v1 ^= (j * 0x44444444 ^ ~j);
v0 ^= (j * 0x44444444 ^ ~j);
}
for (int j = 0; j < 2048; j++) {
v0 += ~((v1 << 4 ^ v1 >> 5) + v1) ^ (sum + k0);
sum += delta;
v1 += ~((v0 << 4 ^ v0 >> 5) + v0) ^ (sum + k1);
}
block[0] = v0;
block[1] = v1;
}
// Entry point stub to decrypt the obfuscated code
std::vector<unsigned char> entryPoint = {
/*
#pragma optimize("", off)
__declspec(noinline) __declspec(safebuffers)void ryujinEntryPoint() {
auto peb = reinterpret_cast<PVOID>(__readgsqword(0x60));
if (!peb) return;
auto imageBase = *reinterpret_cast<PVOID*>(reinterpret_cast<BYTE*>(peb) + 0x10);
if (!imageBase) return;
auto dos = reinterpret_cast<PIMAGE_DOS_HEADER>(imageBase);
if (dos->e_magic != 0x5A4D) return;
auto nt = reinterpret_cast<PIMAGE_NT_HEADERS64>(reinterpret_cast<BYTE*>(imageBase) + dos->e_lfanew);
if (nt->Signature != 0x00004550) return;
auto numSections = nt->FileHeader.NumberOfSections;
auto section = IMAGE_FIRST_SECTION(nt);
char name[9] { 0 };
char chLookingName[9] { '.', 'R', 'y', 'u', 'j', 'i', 'n', '\0' };
uintptr_t rvaEntryPointOriginal = 0x9999999999999999;
uintptr_t szStub = 0x8888888888888888;
for (auto i = 0; i < numSections; ++i, ++section) {
for (auto j = 0; j < 8; ++j) name[j] = section->Name[j];
name[8] = 0;
auto rva = section->VirtualAddress;
auto size = section->Misc.VirtualSize;
auto va = reinterpret_cast<uintptr_t>((BYTE*)imageBase + rva);
if (name[0] == chLookingName[0] && name[1] == chLookingName[1] && name[2] == chLookingName[2] && name[3] == chLookingName[3]
&& name[4] == chLookingName[4] && name[5] == chLookingName[5] && name[6] == chLookingName[6]) {
uint32_t kew_box[12] = {
0x77122545, 0x88998877, 0x9944DEAD, 0x10CAFEB4,
0x45B0B0C4, 0x35DEADDE, 0x25C4C4C4, 0x85634897,
0x56123456, 0x11454545, 0x12323232, 0x95959595
};
for (auto i = 0; i < (size - szStub); i += 8) {
if ((i + 8) > (size - szStub)) break;
auto* block = reinterpret_cast<uint32_t*>(va + i);
auto v0 = block[0];
auto v1 = block[1];
uint32_t key[4] = {
0x77122545, 0x88998877,
0x9944DEAD, 0x10CAFEB4
};
uint32_t sum = 0x85862000, delta = 0x00B0B0C4;
uint32_t k0 = key[0] ^ 0xDEADBEEF, k1 = key[1] ^ 0xDEADBEEF,
k2 = key[2] ^ 0xDEADBEEF, k3 = key[3] ^ 0xDEADBEEF;
for (auto j = 0; j < 2048; j++) {
v1 -= ~((v0 << 4 ^ v0 >> 5) + v0) ^ (sum + k1);
sum -= delta;
v0 -= ~((v1 << 4 ^ v1 >> 5) + v1) ^ (sum + k0);
}
for (auto j = 0; j < 2048; j++) {
v1 ^= kew_box[j % 12];
v0 ^= kew_box[j % 12];
v1 ^= (j * 0x44444444 ^ ~j);
v0 ^= (j * 0x44444444 ^ ~j);
}
block[0] = ~v0;
block[1] = ~v1;
}
using tpdEntryPoint = void(__stdcall*)();
tpdEntryPoint oep = reinterpret_cast<tpdEntryPoint>(reinterpret_cast<uintptr_t>(imageBase) + rvaEntryPointOriginal);
oep();
}
}
}
#pragma optimize("", on)
*/
0x40, 0x57, 0x48, 0x81, 0xEC, 0x20, 0x01, 0x00, 0x00, 0x65, 0x48, 0x8B,
0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0xB0, 0x00,
0x00, 0x00, 0x48, 0x83, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x00, 0x75,
0x05, 0xE9, 0x26, 0x06, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xB0, 0x00,
0x00, 0x00, 0x48, 0x8B, 0x40, 0x10, 0x48, 0x89, 0x44, 0x24, 0x78, 0x48,
0x83, 0x7C, 0x24, 0x78, 0x00, 0x75, 0x05, 0xE9, 0x08, 0x06, 0x00, 0x00,
0x48, 0x8B, 0x44, 0x24, 0x78, 0x48, 0x89, 0x84, 0x24, 0xB8, 0x00, 0x00,
0x00, 0x48, 0x8B, 0x84, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x00,
0x3D, 0x4D, 0x5A, 0x00, 0x00, 0x74, 0x05, 0xE9, 0xE4, 0x05, 0x00, 0x00,
0x48, 0x8B, 0x84, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x63, 0x40, 0x3C,
0x48, 0x8B, 0x4C, 0x24, 0x78, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48,
0x89, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x80,
0x00, 0x00, 0x00, 0x81, 0x38, 0x50, 0x45, 0x00, 0x00, 0x74, 0x05, 0xE9,
0xB0, 0x05, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00,
0x0F, 0xB7, 0x40, 0x06, 0x66, 0x89, 0x44, 0x24, 0x58, 0x48, 0x8B, 0x84,
0x24, 0x80, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x40, 0x14, 0x48, 0x8B, 0x8C,
0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x44, 0x01, 0x18, 0x48, 0x89,
0x44, 0x24, 0x68, 0x48, 0x8D, 0x44, 0x24, 0x48, 0x48, 0x8B, 0xF8, 0x33,
0xC0, 0xB9, 0x09, 0x00, 0x00, 0x00, 0xF3, 0xAA, 0xC6, 0x44, 0x24, 0x30,
0x2E, 0xC6, 0x44, 0x24, 0x31, 0x52, 0xC6, 0x44, 0x24, 0x32, 0x79, 0xC6,
0x44, 0x24, 0x33, 0x75, 0xC6, 0x44, 0x24, 0x34, 0x6A, 0xC6, 0x44, 0x24,
0x35, 0x69, 0xC6, 0x44, 0x24, 0x36, 0x6E, 0xC6, 0x44, 0x24, 0x37, 0x00,
0x48, 0x8D, 0x44, 0x24, 0x38, 0x48, 0x8B, 0xF8, 0x33, 0xC0, 0xB9, 0x01,
0x00, 0x00, 0x00, 0xF3, 0xAA, 0x48, 0xB8, 0x99, 0x99, 0x99, 0x99, 0x99,
0x99, 0x99, 0x99, 0x48, 0x89, 0x84, 0x24, 0x08, 0x01, 0x00, 0x00, 0x48,
0xB8, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x48, 0x89, 0x84,
0x24, 0xC0, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x5C, 0x00, 0x00, 0x00,
0x00, 0xEB, 0x18, 0x8B, 0x44, 0x24, 0x5C, 0xFF, 0xC0, 0x89, 0x44, 0x24,
0x5C, 0x48, 0x8B, 0x44, 0x24, 0x68, 0x48, 0x83, 0xC0, 0x28, 0x48, 0x89,
0x44, 0x24, 0x68, 0x0F, 0xB7, 0x44, 0x24, 0x58, 0x39, 0x44, 0x24, 0x5C,
0x0F, 0x8D, 0xE2, 0x04, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x40, 0x00, 0x00,
0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x40, 0xFF, 0xC0, 0x89, 0x44,
0x24, 0x40, 0x83, 0x7C, 0x24, 0x40, 0x08, 0x7D, 0x19, 0x48, 0x63, 0x44,
0x24, 0x40, 0x48, 0x63, 0x4C, 0x24, 0x40, 0x48, 0x8B, 0x54, 0x24, 0x68,
0x0F, 0xB6, 0x04, 0x02, 0x88, 0x44, 0x0C, 0x48, 0xEB, 0xD6, 0xB8, 0x01,
0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x08, 0xC6, 0x44, 0x04, 0x48, 0x00,
0x48, 0x8B, 0x44, 0x24, 0x68, 0x8B, 0x40, 0x0C, 0x89, 0x84, 0x24, 0x90,
0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x68, 0x8B, 0x40, 0x08, 0x89,
0x44, 0x24, 0x64, 0x8B, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8B,
0x4C, 0x24, 0x78, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84,
0x24, 0x00, 0x01, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x6B,
0xC0, 0x00, 0x0F, 0xBE, 0x44, 0x04, 0x48, 0xB9, 0x01, 0x00, 0x00, 0x00,
0x48, 0x6B, 0xC9, 0x00, 0x0F, 0xBE, 0x4C, 0x0C, 0x30, 0x3B, 0xC1, 0x0F,
0x85, 0x42, 0x04, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x6B,
0xC0, 0x01, 0x0F, 0xBE, 0x44, 0x04, 0x48, 0xB9, 0x01, 0x00, 0x00, 0x00,
0x48, 0x6B, 0xC9, 0x01, 0x0F, 0xBE, 0x4C, 0x0C, 0x30, 0x3B, 0xC1, 0x0F,
0x85, 0x1E, 0x04, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x6B,
0xC0, 0x02, 0x0F, 0xBE, 0x44, 0x04, 0x48, 0xB9, 0x01, 0x00, 0x00, 0x00,
0x48, 0x6B, 0xC9, 0x02, 0x0F, 0xBE, 0x4C, 0x0C, 0x30, 0x3B, 0xC1, 0x0F,
0x85, 0xFA, 0x03, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x6B,
0xC0, 0x03, 0x0F, 0xBE, 0x44, 0x04, 0x48, 0xB9, 0x01, 0x00, 0x00, 0x00,
0x48, 0x6B, 0xC9, 0x03, 0x0F, 0xBE, 0x4C, 0x0C, 0x30, 0x3B, 0xC1, 0x0F,
0x85, 0xD6, 0x03, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x6B,
0xC0, 0x04, 0x0F, 0xBE, 0x44, 0x04, 0x48, 0xB9, 0x01, 0x00, 0x00, 0x00,
0x48, 0x6B, 0xC9, 0x04, 0x0F, 0xBE, 0x4C, 0x0C, 0x30, 0x3B, 0xC1, 0x0F,
0x85, 0xB2, 0x03, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x6B,
0xC0, 0x05, 0x0F, 0xBE, 0x44, 0x04, 0x48, 0xB9, 0x01, 0x00, 0x00, 0x00,
0x48, 0x6B, 0xC9, 0x05, 0x0F, 0xBE, 0x4C, 0x0C, 0x30, 0x3B, 0xC1, 0x0F,
0x85, 0x8E, 0x03, 0x00, 0x00, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x6B,
0xC0, 0x06, 0x0F, 0xBE, 0x44, 0x04, 0x48, 0xB9, 0x01, 0x00, 0x00, 0x00,
0x48, 0x6B, 0xC9, 0x06, 0x0F, 0xBE, 0x4C, 0x0C, 0x30, 0x3B, 0xC1, 0x0F,
0x85, 0x6A, 0x03, 0x00, 0x00, 0xC7, 0x84, 0x24, 0xC8, 0x00, 0x00, 0x00,
0x45, 0x25, 0x12, 0x77, 0xC7, 0x84, 0x24, 0xCC, 0x00, 0x00, 0x00, 0x77,
0x88, 0x99, 0x88, 0xC7, 0x84, 0x24, 0xD0, 0x00, 0x00, 0x00, 0xAD, 0xDE,
0x44, 0x99, 0xC7, 0x84, 0x24, 0xD4, 0x00, 0x00, 0x00, 0xB4, 0xFE, 0xCA,
0x10, 0xC7, 0x84, 0x24, 0xD8, 0x00, 0x00, 0x00, 0xC4, 0xB0, 0xB0, 0x45,
0xC7, 0x84, 0x24, 0xDC, 0x00, 0x00, 0x00, 0xDE, 0xAD, 0xDE, 0x35, 0xC7,
0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0xC4, 0xC4, 0xC4, 0x25, 0xC7, 0x84,
0x24, 0xE4, 0x00, 0x00, 0x00, 0x97, 0x48, 0x63, 0x85, 0xC7, 0x84, 0x24,
0xE8, 0x00, 0x00, 0x00, 0x56, 0x34, 0x12, 0x56, 0xC7, 0x84, 0x24, 0xEC,
0x00, 0x00, 0x00, 0x45, 0x45, 0x45, 0x11, 0xC7, 0x84, 0x24, 0xF0, 0x00,
0x00, 0x00, 0x32, 0x32, 0x32, 0x12, 0xC7, 0x84, 0x24, 0xF4, 0x00, 0x00,
0x00, 0x95, 0x95, 0x95, 0x95, 0x48, 0xC7, 0x44, 0x24, 0x70, 0x00, 0x00,
0x00, 0x00, 0xEB, 0x0E, 0x48, 0x8B, 0x44, 0x24, 0x70, 0x48, 0x83, 0xC0,
0x08, 0x48, 0x89, 0x44, 0x24, 0x70, 0x8B, 0x44, 0x24, 0x64, 0x48, 0x2B,
0x84, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x48, 0x39, 0x44, 0x24, 0x70, 0x0F,
0x83, 0x93, 0x02, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x70, 0x48, 0x83,
0xC0, 0x08, 0x8B, 0x4C, 0x24, 0x64, 0x48, 0x2B, 0x8C, 0x24, 0xC0, 0x00,
0x00, 0x00, 0x48, 0x3B, 0xC1, 0x76, 0x05, 0xE9, 0x74, 0x02, 0x00, 0x00,
0x48, 0x8B, 0x44, 0x24, 0x70, 0x48, 0x8B, 0x8C, 0x24, 0x00, 0x01, 0x00,
0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x88,
0x00, 0x00, 0x00, 0xB8, 0x04, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x00,
0x48, 0x8B, 0x8C, 0x24, 0x88, 0x00, 0x00, 0x00, 0x8B, 0x04, 0x01, 0x89,
0x44, 0x24, 0x20, 0xB8, 0x04, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x01,
0x48, 0x8B, 0x8C, 0x24, 0x88, 0x00, 0x00, 0x00, 0x8B, 0x04, 0x01, 0x89,
0x44, 0x24, 0x24, 0xC7, 0x84, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x45, 0x25,
0x12, 0x77, 0xC7, 0x84, 0x24, 0xA4, 0x00, 0x00, 0x00, 0x77, 0x88, 0x99,
0x88, 0xC7, 0x84, 0x24, 0xA8, 0x00, 0x00, 0x00, 0xAD, 0xDE, 0x44, 0x99,
0xC7, 0x84, 0x24, 0xAC, 0x00, 0x00, 0x00, 0xB4, 0xFE, 0xCA, 0x10, 0xC7,
0x44, 0x24, 0x44, 0x00, 0x20, 0x86, 0x85, 0xC7, 0x84, 0x24, 0x98, 0x00,
0x00, 0x00, 0xC4, 0xB0, 0xB0, 0x00, 0xB8, 0x04, 0x00, 0x00, 0x00, 0x48,
0x6B, 0xC0, 0x00, 0x8B, 0x84, 0x04, 0xA0, 0x00, 0x00, 0x00, 0x35, 0xEF,
0xBE, 0xAD, 0xDE, 0x89, 0x84, 0x24, 0x9C, 0x00, 0x00, 0x00, 0xB8, 0x04,
0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x01, 0x8B, 0x84, 0x04, 0xA0, 0x00,
0x00, 0x00, 0x35, 0xEF, 0xBE, 0xAD, 0xDE, 0x89, 0x84, 0x24, 0x94, 0x00,
0x00, 0x00, 0xB8, 0x04, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x02, 0x8B,
0x84, 0x04, 0xA0, 0x00, 0x00, 0x00, 0x35, 0xEF, 0xBE, 0xAD, 0xDE, 0x89,
0x84, 0x24, 0xF8, 0x00, 0x00, 0x00, 0xB8, 0x04, 0x00, 0x00, 0x00, 0x48,
0x6B, 0xC0, 0x03, 0x8B, 0x84, 0x04, 0xA0, 0x00, 0x00, 0x00, 0x35, 0xEF,
0xBE, 0xAD, 0xDE, 0x89, 0x84, 0x24, 0xFC, 0x00, 0x00, 0x00, 0xC7, 0x44,
0x24, 0x60, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x60,
0xFF, 0xC0, 0x89, 0x44, 0x24, 0x60, 0x81, 0x7C, 0x24, 0x60, 0x00, 0x08,
0x00, 0x00, 0x7D, 0x7E, 0x8B, 0x44, 0x24, 0x20, 0xC1, 0xE0, 0x04, 0x8B,
0x4C, 0x24, 0x20, 0xC1, 0xE9, 0x05, 0x33, 0xC1, 0x03, 0x44, 0x24, 0x20,
0xF7, 0xD0, 0x8B, 0x8C, 0x24, 0x94, 0x00, 0x00, 0x00, 0x8B, 0x54, 0x24,
0x44, 0x03, 0xD1, 0x8B, 0xCA, 0x33, 0xC1, 0x8B, 0x4C, 0x24, 0x24, 0x2B,
0xC8, 0x8B, 0xC1, 0x89, 0x44, 0x24, 0x24, 0x8B, 0x84, 0x24, 0x98, 0x00,
0x00, 0x00, 0x8B, 0x4C, 0x24, 0x44, 0x2B, 0xC8, 0x8B, 0xC1, 0x89, 0x44,
0x24, 0x44, 0x8B, 0x44, 0x24, 0x24, 0xC1, 0xE0, 0x04, 0x8B, 0x4C, 0x24,
0x24, 0xC1, 0xE9, 0x05, 0x33, 0xC1, 0x03, 0x44, 0x24, 0x24, 0xF7, 0xD0,
0x8B, 0x8C, 0x24, 0x9C, 0x00, 0x00, 0x00, 0x8B, 0x54, 0x24, 0x44, 0x03,
0xD1, 0x8B, 0xCA, 0x33, 0xC1, 0x8B, 0x4C, 0x24, 0x20, 0x2B, 0xC8, 0x8B,
0xC1, 0x89, 0x44, 0x24, 0x20, 0xE9, 0x6E, 0xFF, 0xFF, 0xFF, 0xC7, 0x44,
0x24, 0x28, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x28,
0xFF, 0xC0, 0x89, 0x44, 0x24, 0x28, 0x81, 0x7C, 0x24, 0x28, 0x00, 0x08,
0x00, 0x00, 0x0F, 0x8D, 0x83, 0x00, 0x00, 0x00, 0x8B, 0x44, 0x24, 0x28,
0x99, 0xB9, 0x0C, 0x00, 0x00, 0x00, 0xF7, 0xF9, 0x8B, 0xC2, 0x48, 0x98,
0x8B, 0x84, 0x84, 0xC8, 0x00, 0x00, 0x00, 0x8B, 0x4C, 0x24, 0x24, 0x33,
0xC8, 0x8B, 0xC1, 0x89, 0x44, 0x24, 0x24, 0x8B, 0x44, 0x24, 0x28, 0x99,
0xB9, 0x0C, 0x00, 0x00, 0x00, 0xF7, 0xF9, 0x8B, 0xC2, 0x48, 0x98, 0x8B,
0x84, 0x84, 0xC8, 0x00, 0x00, 0x00, 0x8B, 0x4C, 0x24, 0x20, 0x33, 0xC8,
0x8B, 0xC1, 0x89, 0x44, 0x24, 0x20, 0x69, 0x44, 0x24, 0x28, 0x44, 0x44,
0x44, 0x44, 0x8B, 0x4C, 0x24, 0x28, 0xF7, 0xD1, 0x33, 0xC1, 0x8B, 0x4C,
0x24, 0x24, 0x33, 0xC8, 0x8B, 0xC1, 0x89, 0x44, 0x24, 0x24, 0x69, 0x44,
0x24, 0x28, 0x44, 0x44, 0x44, 0x44, 0x8B, 0x4C, 0x24, 0x28, 0xF7, 0xD1,
0x33, 0xC1, 0x8B, 0x4C, 0x24, 0x20, 0x33, 0xC8, 0x8B, 0xC1, 0x89, 0x44,
0x24, 0x20, 0xE9, 0x65, 0xFF, 0xFF, 0xFF, 0x8B, 0x44, 0x24, 0x20, 0xF7,
0xD0, 0xB9, 0x04, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC9, 0x00, 0x48, 0x8B,
0x94, 0x24, 0x88, 0x00, 0x00, 0x00, 0x89, 0x04, 0x0A, 0x8B, 0x44, 0x24,
0x24, 0xF7, 0xD0, 0xB9, 0x04, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC9, 0x01,
0x48, 0x8B, 0x94, 0x24, 0x88, 0x00, 0x00, 0x00, 0x89, 0x04, 0x0A, 0xE9,
0x48, 0xFD, 0xFF, 0xFF, 0x48, 0x8B, 0x84, 0x24, 0x08, 0x01, 0x00, 0x00,
0x48, 0x8B, 0x4C, 0x24, 0x78, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48,
0x89, 0x84, 0x24, 0x10, 0x01, 0x00, 0x00, 0xFF, 0x94, 0x24, 0x10, 0x01,
0x00, 0x00, 0x90, 0xE9, 0xF7, 0xFA, 0xFF, 0xFF, 0x48, 0x81, 0xC4, 0x20,
0x01, 0x00, 0x00, 0x5F, 0xC3
};
// Parsing the PE file
auto imgDos = reinterpret_cast<PIMAGE_DOS_HEADER>(peSections.mappedPeDiskBaseAddress());
auto ntHeader = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<uint8_t*>(imgDos) + imgDos->e_lfanew);
// Finding the OEP (Original Entry Point) to store it
DWORD OEP = ntHeader->OptionalHeader.AddressOfEntryPoint;
// Storing the size of the entry point stub, which will be the only non-encrypted code in the obfuscated code section
SIZE_T sizeOep = entryPoint.size();
// Setting a new entry point as the entry point stub that will decrypt the obfuscated executable code
ntHeader->OptionalHeader.AddressOfEntryPoint = peSections.getRyujinSectionVA() + offsetVA;
// Modifying the stub to adapt to the OEP of the original entry point
std::vector<unsigned char> pattern = {
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99
};
auto it = std::search(entryPoint.begin(), entryPoint.end(), pattern.begin(), pattern.end());
std::memset(&*(it), 0, 8);
std::memcpy(&*(it), &OEP, sizeof(OEP));
/*
Modifying the stub to adapt and ignore the entry point stub decryption code itself,
in a way that skips its size so it doesn<73>t break the stub
when it decrypts the executable code.
*/
pattern.assign({
0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88
});
it = std::search(entryPoint.begin(), entryPoint.end(), pattern.begin(), pattern.end());
std::memset(&*(it), 0, 8);
std::memcpy(&*(it), &sizeOep, sizeof(sizeOep));
// Inserting the opcodes of our stub into our vector along with the rest of the obfuscated and encrypted code
opcodesWithRelocsFixed.insert(opcodesWithRelocsFixed.end(), entryPoint.begin(), entryPoint.end());
// Log to inform the user that our code has been properly encrypted.
std::printf("[!] OEP: %llx - Inserting Decryption code routine on: %llx\n", imgNt->OptionalHeader.AddressOfEntryPoint, offsetVA);
}
//Process new opcodes
peSections.ProcessOpcodesNewSection(opcodesWithRelocsFixed);
//Save output file
peSections.FinishNewSection(m_strOutputFilePath);
}
void Ryujin::listRyujinProcedures() {
if (!m_isInitialized) {
::OutputDebugStringA(
_In_ "Ryujin::listRyujinProcedures: not initialized.\n"
);
return;
}
std::printf("=== Ryujin Procedures ===\n");
for (const auto& procedure : m_ryujinProcedures) {
std::printf(
"Name: %-30s | Address: 0x%016llx | Size: 0x%llx\n",
procedure.name.c_str(),
procedure.address,
procedure.size
);
}
std::printf("==========================\n");
}
Reference in New Issue View Git Blame Copy Permalink