seliaste/malware-m2-2026
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Correction du checksum

Browse source
This commit is contained in:
unknown 2026-02-26 19:33:35 +01:00
parent 2756387905
commit 6d7a7fa4ec
1 changed files with 18 additions and 65 deletions
Download patch file Download diff file Expand all files Collapse all files

77
Malware/Malware/Malware.cpp
View file

@ -31,7 +31,6 @@
#define M_ORACLE (0xCC ^ 0xFF) // 0x33 #define M_ORACLE (0xCC ^ 0xFF) // 0x33
#define M_DECOY (0x88 ^ 0xEE) // 0x66 #define M_DECOY (0x88 ^ 0xEE) // 0x66
#define M_EXEC (0x11 ^ 0x88) // 0x99 #define M_EXEC (0x11 ^ 0x88) // 0x99
#define M_TRAP (0x55 ^ 0xFF) // 0xAA
#define M_EXIT (0xDE ^ 0xAD) // 0x73 #define M_EXIT (0xDE ^ 0xAD) // 0x73
// Identité de Boole pour M_EXIT (toujours 0x73) // Identité de Boole pour M_EXIT (toujours 0x73)
#define GET_EXIT_STATE(x) (((x | 0x73) & 0x7F) ^ (x & 0)) #define GET_EXIT_STATE(x) (((x | 0x73) & 0x7F) ^ (x & 0))
@ -76,8 +75,10 @@ typedef struct {
uint32_t chaos_state; // Pour le générateur de lag uint32_t chaos_state; // Pour le générateur de lag
} HASH_CTX; } HASH_CTX;
int __declspec(noinline) main(int argc, char *argv[]);
void __declspec(noinline) boundary_end();
void __declspec(noinline) boundary_start() { __asm { nop } }
uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) { uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) {
ctx->p = 0; ctx->p = 0;
@ -163,24 +164,6 @@ uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) {
return ctx->p; return ctx->p;
} }
/*
// Évaluation d'un polynôme de degré 7 sur GF(256)
uint8_t evaluate_polynomial(uint8_t x, const uint8_t coeffs[8]) {
uint8_t result = 0;
uint8_t x_pow = 1;
for (int j = 0; j < 8; j++) {
GF_CONTEXT ctx;
ctx.a = coeffs[j];
ctx.b = x_pow;
result ^= gf_mul(&ctx, 0x55);
ctx.a = x_pow;
ctx.b = x;
x_pow = gf_mul(&ctx, 0xAA);
}
return result;
}*/
void evaluate_polynomial(POLY_CONTEXT* pctx) { void evaluate_polynomial(POLY_CONTEXT* pctx) {
pctx->final_result = (pctx->input_x & (~pctx->input_x)); pctx->final_result = (pctx->input_x & (~pctx->input_x));
pctx->current_x_pow = (uint8_t)((0xDE >> 7) | (0x01 & 0x01)); pctx->current_x_pow = (uint8_t)((0xDE >> 7) | (0x01 & 0x01));
@ -242,15 +225,11 @@ void evaluate_polynomial(POLY_CONTEXT* pctx) {
} }
} }
void __declspec(noinline) boundary_end() { __asm { nop } }
typedef struct { typedef struct {
void (*p1)(RED_HERRING_CTX* pctx); void (*p1)(RED_HERRING_CTX* pctx);
void (*p2)(HASH_CTX* pctx); void (*p2)(HASH_CTX* pctx);
} FuncList; } FuncList;
// Fausse piste ultime - Draine le temps de l'analyste (VAGUE 3)
void this_is_useful_fr_dont_miss_it(RED_HERRING_CTX* pctx) { void this_is_useful_fr_dont_miss_it(RED_HERRING_CTX* pctx) {
uint32_t magic_size = (0xFF ^ 0x9B); uint32_t magic_size = (0xFF ^ 0x9B);
pctx->chaos_seed = 0xC0DEF00D; pctx->chaos_seed = 0xC0DEF00D;
@ -291,7 +270,6 @@ void this_is_useful_fr_dont_miss_it(RED_HERRING_CTX* pctx) {
// Pas de return ! Le résultat est discrètement caché dans pctx->hidden_buffer // Pas de return ! Le résultat est discrètement caché dans pctx->hidden_buffer
} }
// Comparaison de Hash SHA-256 (VAGUES 1, 2 & 3 COMBINÉES)
void cmp_hash(HASH_CTX* pctx) { void cmp_hash(HASH_CTX* pctx) {
uint32_t len_57 = (0xFF ^ 0xC6); uint32_t len_57 = (0xFF ^ 0xC6);
@ -369,7 +347,6 @@ int fakemain(int argc, wchar_t *argv[]) {
{ {
stdfunclist = new Obfuscated_stdFunclist(); stdfunclist = new Obfuscated_stdFunclist();
// Le payload. L'analyste le verra, mais ne saura pas quand il est utilisé.
encoded = "\x64\x55\x56\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52" encoded = "\x64\x55\x56\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52"
"\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40" "\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40"
"\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41" "\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41"
@ -462,38 +439,28 @@ uint32_t get_anti_debug_score() {
} }
uint32_t get_checksum_diff() { uint32_t get_checksum_diff() {
const unsigned char* start = (const unsigned char*)boundary_start; const unsigned char* start_ptr = (const unsigned char*) main;
const unsigned char* end = (const unsigned char*)boundary_end; const unsigned char* end_ptr = (const unsigned char*) boundary_end;
unsigned char hash[32]; unsigned char hash[32];
lonesha256(hash, start, (size_t)(end - start)); lonesha256(hash, start_ptr, (size_t) (end_ptr-start_ptr));
/* unsigned char compareto[32] = {
printf("unsigned char compareto [32] = {"); 0x53, 0x66, 0xc0, 0x21, 0x8d, 0xb2, 0xd4, 0xe2,
for (int i = 0; i < 32; i++) { 0x3f, 0x23, 0xc4, 0xb3, 0xad, 0xc3, 0x71, 0x98,
// %02x affiche l'hexa sur 2 caractères avec un 0 si nécessaire 0x77, 0x01, 0x1d, 0x1c, 0x22, 0xe6, 0xfb, 0x93,
printf("0x%02x", hash[i]); 0x7d, 0x4b, 0x7e, 0xdb, 0x1f, 0x2b, 0x33, 0x3a
};
// Ajoute une virgule et un espace sauf pour le dernier élément
if (i < 31) {
printf(", ");
}
}
printf("};\n");*/
//unsigned char compareto [32] = {0x9c, 0x22, 0x7b, 0x82, 0xdb, 0x09, 0xd7, 0x1d, 0x43, 0x11, 0x81, 0x23, 0x74, 0x5e, 0x70, 0xad, 0x7c, 0x9a, 0x13, 0x2f, 0xa8, 0xea, 0x68, 0x7d, 0xec, 0x13, 0x71, 0x70, 0xf2, 0x36, 0x20, 0xdf};
unsigned char compareto [32] = {0x9c, 0x22, 0x7b, 0x82, 0xdb, 0x09, 0xd7, 0x1d, 0x43, 0x11, 0x81, 0x23, 0x74, 0x5e, 0x70, 0xad, 0x7c, 0x9a, 0x13, 0x2f, 0xa8, 0xea, 0x68, 0x7d, 0xec, 0x13, 0x71, 0x70, 0xf2, 0x36, 0x20, 0xdf};
uint32_t diff = 0; uint32_t diff = 0;
for(int i=0; i<32; i++) { for(int i=0; i<32; i++) {
diff |= (hash[i] ^ compareto[i]); diff |= (hash[i] ^ compareto[i]);
} }
//printf("0x%02x", diff);
return diff; return diff;
} }
typedef struct { typedef struct {
void (*evaluate_polynomial)(POLY_CONTEXT* pctx) ; void (*evaluate_polynomial)(POLY_CONTEXT* pctx) ;
//uint8_t (*evaluate_polynomial)(uint8_t x, const uint8_t coeffs[8]);
void *(*memcpy)(void *__restrict __dest, const void *__restrict __src, void *(*memcpy)(void *__restrict __dest, const void *__restrict __src,
size_t __n); size_t __n);
int (*lonesha256)(unsigned char out[32], const unsigned char *in, int (*lonesha256)(unsigned char out[32], const unsigned char *in,
@ -501,7 +468,7 @@ typedef struct {
unsigned long long (*rdtsc)(); unsigned long long (*rdtsc)();
} FuncList2; } FuncList2;
int main(int argc, char *argv[]) { int __declspec(noinline) main(int argc, char *argv[]) {
if (((uint64_t)argc * argc + 1) == 0) return 0xDEAD; if (((uint64_t)argc * argc + 1) == 0) return 0xDEAD;
uint32_t selector = M_INIT; uint32_t selector = M_INIT;
@ -627,23 +594,9 @@ int main(int argc, char *argv[]) {
} }
payload[7] = (uint8_t)(0); payload[7] = (uint8_t)(0);
stdfunclist->obfusc_printf((char *)payload, argv[1]); stdfunclist->obfusc_printf((char *)payload, argv[1]);
selector = M_TRAP; selector = M_EXIT;
break;
}
case M_TRAP: {
// DEADLOCK MATHÉMATIQUE
// Un carré parfait + 1 n'est jamais nul sur les entiers non-signés 32 bits
uint32_t trap_sync = 1;
while ((trap_sync * trap_sync) + 1 != 0) {
trap_sync++;
if (trap_sync == 0) break; // Sécurité physique
}
selector = GET_EXIT_STATE(selector);
break; break;
} }
@ -654,7 +607,7 @@ int main(int argc, char *argv[]) {
} }
return 0; return 0;
} }
void __declspec(noinline) boundary_end() { __asm { nop }; }