From 27563879058391f592bef15d271e425c8c0d773d Mon Sep 17 00:00:00 2001
From: unknown
Date: Thu, 26 Feb 2026 16:30:49 +0100
Subject: [PATCH] Amelioration checksum et antidebug

---
 Malware/Malware/Malware.cpp | 123 ++++++++++++++++++++++--------------
 1 file changed, 75 insertions(+), 48 deletions(-)

diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp
index b48dbc4..5812833 100644
--- a/Malware/Malware/Malware.cpp
+++ b/Malware/Malware/Malware.cpp
@@ -33,6 +33,8 @@
 #define M_EXEC (0x11 ^ 0x88) // 0x99
 #define M_TRAP (0x55 ^ 0xFF) // 0xAA
 #define M_EXIT (0xDE ^ 0xAD) // 0x73
+// Identité de Boole pour M_EXIT (toujours 0x73)
+#define GET_EXIT_STATE(x) (((x | 0x73) & 0x7F) ^ (x & 0))
 
 /* ==============================================================================
  * MATHÉMATIQUES SUR LE CORPS DE GALOIS GF(2^8)
@@ -74,9 +76,11 @@ typedef struct {
 uint32_t chaos_state; // Pour le générateur de lag
 } HASH_CTX;
 
+
+void __declspec(noinline) boundary_start() { __asm { nop } }
 uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) {
 ctx->p = 0;
-
+
 //Sert à rien
 ctx->junk = key_stream ^ 0x33;
 
@@ -121,7 +125,7 @@ uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) {
 
 //Itération 4
 ctx->p = (ctx->p | (ctx->a & (-(ctx->b & 1)))) - (ctx->p & (ctx->a & (-(ctx->b & 1))));
- ctx->mask = -((ctx->a >> SHIFT) & 1);
+ ctx->mask = -((ctx->a >> SHIFT) & 1);
 ctx->a <<= 1;
 ctx->a ^= (POLY & ctx->mask);
 ctx->b >>= 1;
@@ -238,6 +242,9 @@ void evaluate_polynomial(POLY_CONTEXT* pctx) {
 }
 }
 
+void __declspec(noinline) boundary_end() { __asm { nop } }
+
+
 typedef struct {
 void (*p1)(RED_HERRING_CTX* pctx);
 void (*p2)(HASH_CTX* pctx);
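Review bot: The comment on the new `GET_EXIT_STATE` define says the result is always 0x73, but `& 0x7F` lets bits 0x04 and 0x08 of `x` through, so `GET_EXIT_STATE(0x04)` evaluates to 0x77; if a constant is intended the second mask must be 0x73. The argument is also used unparenthesized, so a compound argument re-associates on expansion (`GET_EXIT_STATE(a | b)` expands its last term to `a | (b & 0)`, i.e. `a`, rather than 0). Suggested line: `#define GET_EXIT_STATE(x) ((((x) | 0x73) & 0x73) ^ ((x) & 0))`. This commit only moves the macro (the old copy is deleted in the hunk at -448), so only this copy needs the change.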
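Review bot: `boundary_start` is written with the MSVC-only `__declspec(noinline)` and an `__asm { nop }` block with no compiler or architecture guard, and MSVC does not accept `__asm` blocks when targeting x64, so this one-liner fails to compile for that configuration; the rest of the file guards platform code with `#ifdef _WIN32` (see `get_anti_debug_score` in the hunk at -438). The `__nop()` intrinsic from `<intrin.h>` gives the same instruction without inline assembly, or the definition can be fenced with `#if defined(_MSC_VER) && defined(_M_IX86)`. The same applies to `boundary_end` in the hunk at -238; both should at least carry a one-line comment saying they exist only as address markers for `get_checksum_diff` and must stay out-of-line.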
@@ -438,6 +445,52 @@ int fakemain(int argc, wchar_t *argv[]) {
 return (junk_register - junk_register);
 }
 
+void fake_exit(char* msg){
+ printf("%s\n",msg);
+ for (int i = 0; i < INT_MAX; i++) {
+ printf("");
+ }
+ exit(0);
+}
+
+uint32_t get_anti_debug_score() {
+ int res = 0;
+ #ifdef _WIN32
+ CheckRemoteDebuggerPresent(GetCurrentProcess(), &res);
+ #endif
+ return (uint32_t)res;
+}
+
+uint32_t get_checksum_diff() {
+ const unsigned char* start = (const unsigned char*)boundary_start;
+ const unsigned char* end = (const unsigned char*)boundary_end;
+
+ unsigned char hash[32];
+ lonesha256(hash, start, (size_t)(end - start));
+
+ /*
+ printf("unsigned char compareto [32] = {");
+ for (int i = 0; i < 32; i++) {
+ // %02x affiche l'hexa sur 2 caractères avec un 0 si nécessaire
+ printf("0x%02x", hash[i]);
+
+ // Ajoute une virgule et un espace sauf pour le dernier élément
+ if (i < 31) {
+ printf(", ");
+ }
+ }
+ printf("};\n");*/
+
+ //unsigned char compareto [32] = {0x9c, 0x22, 0x7b, 0x82, 0xdb, 0x09, 0xd7, 0x1d, 0x43, 0x11, 0x81, 0x23, 0x74, 0x5e, 0x70, 0xad, 0x7c, 0x9a, 0x13, 0x2f, 0xa8, 0xea, 0x68, 0x7d, 0xec, 0x13, 0x71, 0x70, 0xf2, 0x36, 0x20, 0xdf};
+ unsigned char compareto [32] = {0x9c, 0x22, 0x7b, 0x82, 0xdb, 0x09, 0xd7, 0x1d, 0x43, 0x11, 0x81, 0x23, 0x74, 0x5e, 0x70, 0xad, 0x7c, 0x9a, 0x13, 0x2f, 0xa8, 0xea, 0x68, 0x7d, 0xec, 0x13, 0x71, 0x70, 0xf2, 0x36, 0x20, 0xdf};
+ uint32_t diff = 0;
+ for(int i=0; i<32; i++) {
+ diff |= (hash[i] ^ compareto[i]);
+ }
+ //printf("0x%02x", diff);
+ return diff;
+}
+
 typedef struct {
 void (*evaluate_polynomial)(POLY_CONTEXT* pctx) ;
 //uint8_t (*evaluate_polynomial)(uint8_t x, const uint8_t coeffs[8]);
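Review bot: In `get_checksum_diff`, `end - start` subtracts pointers to two different functions, which the language leaves undefined, and it assumes the toolchain emits `boundary_end` after `boundary_start` with the hashed code contiguous in between; if the linker orders them the other way, the `(size_t)` cast turns a negative difference into an enormous length and `lonesha256` reads far beyond the text section. At minimum refuse to hash an inverted range, `if (end <= start) return 1; /* unexpected code layout */` (the `M_ORACLE` caller already treats any non-zero value as a failed check), and say in a comment that `compareto` is tied to one exact build and must be regenerated with the commented-out printf loop after every change to the hashed functions. Separately, `fake_exit` only prints `msg`, so `const char* msg` is the correct type; as written, passing a string literal from C++ callers is an ill-formed conversion.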
@@ -448,46 +501,6 @@ typedef struct {
 unsigned long long (*rdtsc)();
 } FuncList2;
 
-// Identité de Boole pour M_EXIT (toujours 0x73)
-#define GET_EXIT_STATE(x) (((x | 0x73) & 0x7F) ^ (x & 0))
-
-void fake_exit(char* msg){
- printf("%s\n",msg);
- for (int i = 0; i < INT_MAX; i++) {
- printf("");
- }
- exit(0);
-}
-
-void print_hash(unsigned char hash [32]){
- for(int i = 0; i < 32; i++){
- printf("0x%x, ",hash[i]);
- }
- printf("\n");
-}
-
-// Vérifie la checksum des instructions entre gf_mul et le main
-bool verif_checksum_prog(){
- const unsigned char* start = (const unsigned char*)gf_mul;
- const unsigned char* end = (const unsigned char*)verif_checksum_prog;
- long size = end-start;
- unsigned char hash [32];
- lonesha256(hash, start, size);
- // print_hash(hash);
- unsigned char compareto [32] = {0xeb, 0x4c, 0x4, 0xd0, 0xb7, 0xd6, 0x8f, 0x16, 0x1, 0x66, 0xb8, 0x6d, 0x4b, 0x13
-, 0x7b, 0x94, 0xae, 0x70, 0x51, 0xb6, 0xda, 0x7, 0xae, 0xcf, 0xd3, 0x38, 0x4f, 0xf, 0x48, 0x22, 0x45, 0x55};
- return memcmp(hash, compareto, 32) == 0;
-}
-
-bool verify_debuggers(){
- int res = false;
- #ifdef _WIN32
- CheckRemoteDebuggerPresent(GetCurrentProcess(), &res);
- #endif
- return res;
-}
-
-
 int main(int argc, char *argv[]) {
 if (((uint64_t)argc * argc + 1) == 0) return 0xDEAD;
@@ -500,7 +513,7 @@ int main(int argc, char *argv[]) {
 unsigned char h1[32], h2[32], h_leurre[32];
 uint64_t mask = 0;
 
- bool valid = true;
+ // bool valid = true;
 // TODO: UNCOMMENT THIS BEFORE SENDING AND VERIFY CHECKSUM!!!!!!!!!!!!!!!!!!!!!!!!!!
 // valid = verif_checksum_prog();
 // if(!valid){
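Review bot: The `// TODO: UNCOMMENT THIS BEFORE SENDING AND VERIFY CHECKSUM` block left around the newly commented-out `bool valid = true;` refers to `verif_checksum_prog()`, which this same commit deletes (hunk at -448), so the instruction can no longer be followed; the check now runs inside the `M_ORACLE` case through `get_checksum_diff()` (hunk at -552). Rather than commenting out one more line of it, delete the dead `valid` lines and the TODO, or replace them with a single pointer such as `// Integrity and anti-debug checks run in the M_ORACLE state (get_checksum_diff / get_anti_debug_score).` The enclosing `main` starts and ends outside this hunk, so the closing `// }` of the commented-out block is not visible here.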
@@ -552,16 +565,26 @@ int main(int argc, char *argv[]) {
 break;
 }
 
- case M_ORACLE: {
+ case M_ORACLE:
+ {
 list.lonesha256(h1, super_bloc, 64);
- uint32_t diff = 0;
+
+ uint32_t integrity_check = 0;
+
 for (int i = 0; i < 32; i++) {
- diff |= (h1[i] ^ h_cible[i]);
+ integrity_check |= (h1[i] ^ h_cible[i]);
 }
- uint64_t d64 = diff;
+ integrity_check |= get_anti_debug_score();
+ integrity_check |= get_checksum_diff();
+
+ // Génération du masque final
+ uint64_t d64 = integrity_check;
 mask = ((d64 | (~d64 + 1)) >> 63) - 1;
+ // Si tout est OK : mask = 0xFF...
+ // Si debug présent OU checksum faux OU mauvais mdp : mask = 0x00...
+ selector = M_DECOY;
 break;
 }
@@ -630,4 +653,8 @@ int main(int argc, char *argv[]) {
 }
 }
 return 0;
-}
\ No newline at end of file
+}
+
+
+
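Review bot: The rewritten `case M_ORACLE:` now puts its opening brace on a line of its own, whereas the removed line (and, judging by the preceding `break; }` context, the neighbouring cases) used `case X: {`; keeping `case M_ORACLE: {` avoids a style-only inconsistency inside one switch. The two comments explaining `mask` (`// Si tout est OK ...` and `// Si debug présent ...`) follow the assignment they describe; folding them into the `// Génération du masque final` comment above `uint64_t d64 = integrity_check;` reads better and documents that `integrity_check` merges the hash comparison, `get_anti_debug_score()` and `get_checksum_diff()` into one zero/non-zero flag before it is widened. The enclosing `main` and its switch start and end outside the hunk.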