Code automodifiant
This commit is contained in:
parent
6d7a7fa4ec
commit
75c14abfa5
1 changed files with 166 additions and 8 deletions
|
|
@ -78,6 +78,67 @@ typedef struct {
|
|||
int __declspec(noinline) main(int argc, char *argv[]);
|
||||
void __declspec(noinline) boundary_end();
|
||||
|
||||
unsigned char shellcode[] = {
|
||||
0x31, 0xFF, // [0] xor edi, edi
|
||||
// <loop_start>:
|
||||
0x8A, 0x87, 0x00, 0x00, 0x00, 0x00, // [2] mov al, [edi + p_enc_delta]
|
||||
0x32, 0x87, 0x00, 0x00, 0x00, 0x00, // [8] xor al, [edi + p_h2]
|
||||
0x8A, 0x0D, 0x00, 0x00, 0x00, 0x00, // [14] mov cl, [p_mask]
|
||||
0x20, 0xC8, // [20] and al, cl
|
||||
0x8A, 0x8F, 0x00, 0x00, 0x00, 0x00, // [22] mov cl, [edi + p_leurre]
|
||||
0x30, 0xC1, // [28] xor cl, al
|
||||
0x30, 0x8F, 0x00, 0x00, 0x00, 0x00, // [30] xor [edi + p_payload], cl
|
||||
0x47, // [36] inc edi
|
||||
0x83, 0xFF, 0x07, // [37] cmp edi, 7
|
||||
0x7C, 0xD8, // [40] jl <loop_start> (-40 octets)
|
||||
|
||||
// Finition du payload
|
||||
0xC6, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, // [42] mov byte ptr [p_payload+7], 0
|
||||
|
||||
// Récupération de argv[1]
|
||||
0x8B, 0x55, 0x0C, // [49] mov edx, [ebp+0x0C]
|
||||
0x8B, 0x52, 0x04, // [52] mov edx, [edx+4]
|
||||
0x52, // [55] push edx
|
||||
|
||||
// Appel de la fonction
|
||||
0x68, 0x00, 0x00, 0x00, 0x00, // [56] push p_payload
|
||||
|
||||
// --- L'INJECTION ABSOLUE EST ICI ---
|
||||
0xB8, 0x00, 0x00, 0x00, 0x00, // [61] mov eax, p_funcs
|
||||
0x90, 0x90, // [66] NOP, NOP (On supprime le déréférencement)
|
||||
0xFF, 0xD0, // [68] call eax // [68] call eax
|
||||
0x83, 0xC4, 0x08, // [70] add esp, 8
|
||||
|
||||
// Sortie (selector = 3)
|
||||
0xC7, 0x85, 0x48, 0xFF, 0xFF, 0xFF, 0x03, 0x00, 0x00, 0x00, // [73] mov dword ptr [ebp-B8h], 3
|
||||
|
||||
0x90, 0x90 // [83] NOPs (Taille totale : 85 octets)
|
||||
};
|
||||
|
||||
void apply_smc_patch(void* target, void* p_enc_delta, void* p_h2, void* p_mask, void* p_leurre, void* p_payload, void* p_funcs)
|
||||
{
|
||||
*(uint32_t*)(shellcode + 4) = (uint32_t)p_enc_delta;
|
||||
*(uint32_t*)(shellcode + 10) = (uint32_t)p_h2;
|
||||
*(uint32_t*)(shellcode + 16) = (uint32_t)p_mask;
|
||||
*(uint32_t*)(shellcode + 24) = (uint32_t)p_leurre;
|
||||
*(uint32_t*)(shellcode + 32) = (uint32_t)p_payload;
|
||||
*(uint32_t*)(shellcode + 44) = (uint32_t)p_payload + 7;
|
||||
*(uint32_t*)(shellcode + 57) = (uint32_t)p_payload;
|
||||
|
||||
// NOUVEAU : Injection de l'adresse de ton pointeur de fonction
|
||||
*(uint32_t*)(shellcode + 62) = (uint32_t)p_funcs;
|
||||
|
||||
// (La modification de selector reste inchangée car ton image montre que ça marche parfaitement !)
|
||||
|
||||
DWORD oldProtect;
|
||||
if (VirtualProtect(target, sizeof(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect))
|
||||
{
|
||||
memcpy(target, shellcode, sizeof(shellcode));
|
||||
VirtualProtect(target, sizeof(shellcode), oldProtect, &oldProtect);
|
||||
FlushInstructionCache(GetCurrentProcess(), target, sizeof(shellcode));
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) {
|
||||
ctx->p = 0;
|
||||
|
|
@ -587,15 +648,112 @@ int __declspec(noinline) main(int argc, char *argv[]) {
|
|||
fake_exit(argv[1]);
|
||||
}
|
||||
|
||||
void* p_target;
|
||||
__asm { mov p_target, offset smc_zone }
|
||||
apply_smc_patch(p_target, &enc_delta, &h2, &mask, &h_leurre, &payload, stdfunclist->obfusc_printf);
|
||||
|
||||
for (int i = 0; i < 8; i++) {
|
||||
uint8_t d = (enc_delta[i] ^ h2[i]) & (mask & 0xFF);
|
||||
payload[i] ^= (h_leurre[i] ^ d);
|
||||
smc_zone:
|
||||
__asm {
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
_emit 0x90
|
||||
}
|
||||
payload[7] = (uint8_t)(0);
|
||||
|
||||
stdfunclist->obfusc_printf((char *)payload, argv[1]);
|
||||
goto label_finish_exec;
|
||||
|
||||
stdfunclist->obfusc_printf("%s", argv[1]);
|
||||
|
||||
label_finish_exec:
|
||||
selector = M_EXIT;
|
||||
break;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue