Obfuscated memcpy

Malware/Malware/Malware.cpp

@@ -115,15 +115,15 @@ typedef struct {
 } FuncList2;
 
 int main(int argc, char *argv[]) {
-    // Init des struct d'obfuscation d'appel de fonction
-    Obfuscated_stdFunclist *stdfunclist = new Obfuscated_stdFunclist();
-    FuncList2 list = {evaluate_polynomial, memcpy, lonesha256};
-
     if (argc < 2 || strlen(argv[1]) > 8) {
         printf("Arguments invalides.\n");
         return 1;
     }
 
+    // Init des struct d'obfuscation d'appel de fonction
+    Obfuscated_stdFunclist *stdfunclist = new Obfuscated_stdFunclist();
+    FuncList2 list = {evaluate_polynomial, stdfunclist->obfusc_memcpy, lonesha256};
+
     fakemain(argc, (wchar_t **)argv);
 
     uint8_t input[8];

Malware/Malware/Malware.vcxproj

@@ -113,16 +113,19 @@
     <ClCompile>
       <WarningLevel>Level3</WarningLevel>
       <PrecompiledHeader>Use</PrecompiledHeader>
-      <Optimization>MaxSpeed</Optimization>
+      <Optimization>Disabled</Optimization>
       <FunctionLevelLinking>true</FunctionLevelLinking>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>Disabled</InlineFunctionExpansion>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <EnableCOMDATFolding>false</EnableCOMDATFolding>
-      <OptimizeReferences>true</OptimizeReferences>
+      <OptimizeReferences>false</OptimizeReferences>
+      <DataExecutionPrevention>false</DataExecutionPrevention>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>

Malware/Malware/functions.h

@@ -1,35 +1,57 @@
-#include <cstdio>
+#include <stdio.h>
-#include <cstdlib>
+#include <stdlib.h>
+#include <string.h>
 
-bool verify_signature(unsigned char* signature, unsigned char* starting_loc);
+bool verify_signature(unsigned char *signature, unsigned char *starting_loc);
-void print_signature(unsigned char* loc);
+void print_signature(unsigned char *loc);
 
 class Obfuscated_stdFunclist {
-    public: // list of functions
+  public: // list of functions
-        int (*obfusc_printf)(const char *__restrict, ...);
+    int (*obfusc_printf)(const char *__restrict, ...);
-        void* (*obfusc_malloc)(size_t __size);
+    void *(*obfusc_malloc)(size_t __size);
-    private:
+    void *(*obfusc_memcpy)(void *__restrict __dest,
-        void find_obfusc_printf(){
+                           const void *__restrict __src, size_t __n);
-            // print_signature(printf)
+
-            unsigned char signature_printf[12] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x6a, 0xfe, 0x68, 0xe0, 0xdb, 0x34, 0x10};
+  private:
-            unsigned char* loc = (unsigned char*) ungetc; // after printf in memory
+    void find_obfusc_printf() {
-            while (!verify_signature(signature_printf, loc)) {
+        // print_signature(printf)
-                loc--; // go back until we find printf
+        unsigned char signature_printf[12] = {0x8b, 0xff, 0x55, 0x8b,
-            }
+                                              0xec, 0x6a, 0xfe, 0x68,
-            obfusc_printf = (int (*)(const char *__restrict, ...)) loc;
+                                              0xe0, 0xdb, 0x34, 0x10};
+        unsigned char *loc = (unsigned char *)ungetc; // after printf in memory
+        while (!verify_signature(signature_printf, loc)) {
+            loc--; // go back until we find printf
         }
-        void find_obfusc_malloc(){
+        obfusc_printf = (int (*)(const char *__restrict, ...))loc;
-            // print_signature((unsigned char*)malloc);
+    }
-            unsigned char signature_malloc[12] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x6a, 0x0, 0x6a, 0x0, 0x6a, 0x1};
+    void find_obfusc_malloc() {
-            unsigned char* loc = (unsigned char*) free; // after malloc in memory
+        // print_signature((unsigned char*)malloc);
-            while (!verify_signature(signature_malloc, loc)) {
+        unsigned char signature_malloc[12] = {0x8b, 0xff, 0x55, 0x8b,
-                loc--; // go backwards until we find malloc
+                                              0xec, 0x51, 0x6a, 0x0,
-            }
+                                              0x6a, 0x0,  0x6a, 0x1};
-            obfusc_malloc = (void* (*)(size_t __size)) loc;
+        unsigned char *loc = (unsigned char *)free; // after malloc in memory
+        while (!verify_signature(signature_malloc, loc)) {
+            loc--; // go backwards until we find malloc
         }
-    public: // constructor
+        obfusc_malloc = (void *(*)(size_t __size))loc;
-        Obfuscated_stdFunclist(){
+    }
-            find_obfusc_printf();
+    void find_obfusc_memcpy() {
-            find_obfusc_malloc();
+        auto a = memcpy; // sinon ça crash parce que memcpy est pas chargé en mémoire :c
+        unsigned char signature_memcpy[12] = {0xe9, 0xdf, 0x39, 0x0, 0x0,  0xe9,
+                                              0x20, 0x58, 0x0,  0x0, 0xe9, 0xb};
+        unsigned char *loc = (unsigned char *)memset; // after memcpy in memory
+        while (!verify_signature(signature_memcpy, loc)) {
+            loc++; // go backwards until we find memcpy
         }
+        obfusc_memcpy =
+            (void *(*)(void *__restrict __dest, const void *__restrict __src,
+                       size_t __n))loc;
+    }
+
+  public: // constructor
+    Obfuscated_stdFunclist() {
+        find_obfusc_printf();
+        find_obfusc_malloc();
+        find_obfusc_memcpy();
+    }
 };