Obfuscation main, correction bug, nique jai fini ca me clc

unknown 2026-02-25 23:26:53 +01:00
parent eb3487b393
commit b541496c39


@ -24,6 +24,14 @@
#define STATE_HASH (0x88 ^ 0x11) // 0x99
#define STATE_EXIT (0xDE ^ 0xAD) // 0x73
#define M_INIT (0xFA ^ 0xAF) // 0x55
#define M_EXPAND (0xDE ^ 0x9A) // 0x44
#define M_ORACLE (0xCC ^ 0xFF) // 0x33
#define M_DECOY (0x88 ^ 0xEE) // 0x66
#define M_EXEC (0x11 ^ 0x88) // 0x99
#define M_TRAP (0x55 ^ 0xFF) // 0xAA
#define M_EXIT (0xDE ^ 0xAD) // 0x73
/* ==============================================================================
* MATHÉMATIQUES SUR LE CORPS DE GALOIS GF(2^8)
* Polynôme irréductible standard (AES) : x^8 + x^4 + x^3 + x + 1 (0x1B)
@ -41,15 +49,13 @@ typedef struct {
} GF_CONTEXT;
typedef struct {
uint8_t input_x; // Le 'x' original
uint8_t* p_coeffs; // Pointeur vers le tableau de coeffs
uint8_t final_result; // Le résultat retourné ici
// Variables internes pour rendre la structure plus opaque
uint8_t input_x;
uint8_t* p_coeffs;
uint8_t final_result;
uint8_t current_x_pow;
uint32_t junk_data;
uint32_t lag_counter;
GF_CONTEXT inner_ctx; // Le contexte de gf_mul imbriqué !
uint32_t state; // On l'intègre ici pour le flux
GF_CONTEXT inner_ctx;
} POLY_CONTEXT;
typedef struct {
@ -152,124 +158,81 @@ uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) {
return ctx->p;
}
/*
// Évaluation d'un polynôme de degré 7 sur GF(256)
uint8_t evaluate_polynomial(uint8_t x, const uint8_t coeffs[8]) {
uint8_t result = 0;
uint8_t x_pow = 1;
for (int j = 0; j < 8; j++) {
GF_CONTEXT ctx;
ctx.a = coeffs[j];
ctx.b = x_pow;
result ^= gf_mul(&ctx, 0x55);
ctx.a = x_pow;
ctx.b = x;
x_pow = gf_mul(&ctx, 0xAA);
}
return result;
}*/
void evaluate_polynomial(POLY_CONTEXT* pctx) {
// Initialisation via la structure (Blinding)
pctx->final_result = (pctx->input_x & (~pctx->input_x));
pctx->junk_data = 0xDEADBEEF;
pctx->current_x_pow = (0xFF / 0xFF);
pctx->lag_counter = 0;
pctx->current_x_pow = (uint8_t)((0xDE >> 7) | (0x01 & 0x01));
pctx->junk_data = 0x1337BEEF;
uint32_t j = 0;
pctx->state = 0xDEAD6666; // Point d'entrée
//Entrelacement Itérations 0, 1 & Lag
// On accède au tableau via le pointeur de la structure
pctx->inner_ctx.a = *(pctx->p_coeffs + pctx->final_result);
pctx->lag_counter += (pctx->current_x_pow ^ 0x05);
pctx->inner_ctx.b = pctx->current_x_pow;
uint8_t m0 = gf_mul(&(pctx->inner_ctx), (0xFF / 3));
pctx->inner_ctx.a = pctx->current_x_pow;
pctx->junk_data ^= (pctx->lag_counter << (pctx->final_result % 3));
pctx->inner_ctx.b = pctx->input_x;
pctx->final_result = (pctx->final_result + m0) - ((pctx->final_result & m0) << 1);
pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3)));
while (pctx->state != 0xBAADF00D) {
switch (pctx->state) {
case 0xDEAD6666: // BLOC : Calcul du terme (coeff * x^j)
{
pctx->inner_ctx.a = pctx->p_coeffs[j];
pctx->inner_ctx.b = pctx->current_x_pow;
uint8_t m_term = gf_mul(&(pctx->inner_ctx), 0x55);
pctx->final_result = (pctx->final_result | m_term) - (pctx->final_result & m_term);
GF_CONTEXT ctx3 = { *(pctx->p_coeffs + (5*5 - 4*4 - 6)), 0 };
pctx->state = 0xFEED1111;
break;
}
//Entrelacement Itération 1 & Prédicat Opaque
pctx->inner_ctx.a = *(pctx->p_coeffs + ((pctx->current_x_pow | ~pctx->current_x_pow) & 1));
pctx->inner_ctx.b = pctx->current_x_pow;
if (((pctx->current_x_pow * pctx->current_x_pow * pctx->current_x_pow) - pctx->current_x_pow) % 3 != 0) {
pctx->final_result = pctx->lag_counter & 0xFF;
pctx->current_x_pow /= (pctx->final_result - pctx->final_result);
}
case 0xFEED1111: // BLOC : x_pow = x_pow * x
{
pctx->inner_ctx.a = pctx->current_x_pow;
pctx->inner_ctx.b = pctx->input_x;
pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), 0xAA);
uint8_t m1 = gf_mul(&(pctx->inner_ctx), (0xFF / 3));
pctx->inner_ctx.a = pctx->current_x_pow;
ctx3.b = pctx->current_x_pow;
pctx->inner_ctx.b = pctx->input_x;
pctx->final_result = (pctx->final_result | m1) & ~(pctx->final_result & m1);
pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3)));
//Condition toujours vraie
if (((pctx->junk_data * (pctx->junk_data + 1)) + 1) % 2 != 0) {
pctx->state = 0xCAFE2222; // Chemin normal
} else {
pctx->state = 0x00000000; // Branche morte
}
break;
}
//Entrelacement Itération 2 & Générateur de Lag
pctx->inner_ctx.a = *(pctx->p_coeffs + (1 << ((0xFF / 0xFF) & 1)));
for(int lag = 0; lag < ((pctx->current_x_pow & 0x0F) + 5); lag++) {
pctx->lag_counter += (pctx->final_result ^ lag);
pctx->junk_data ^= (pctx->lag_counter << (lag % 3));
}
case 0xCAFE2222: // BLOC : Incrémentation & Boucle
{
j = -~j;
// On compare j à 8 (0x40 >> 3)
if (j < (0x80 >> 4)) {
pctx->state = 0xDEAD6666; // Reboucle
} else {
pctx->state = 0xBAADF00D; // Sortie
}
pctx->inner_ctx.b = pctx->current_x_pow;
uint8_t m2 = gf_mul(&(pctx->inner_ctx), (0xFF / 3));
pctx->inner_ctx.a = pctx->current_x_pow;
pctx->final_result = (pctx->final_result + m2) - ((pctx->final_result & m2) << 1);
pctx->inner_ctx.b = pctx->input_x;
pctx->junk_data = (pctx->junk_data + pctx->final_result) ^ (pctx->current_x_pow << 4);
pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3)));
pctx->junk_data ^= (j << 13) | (pctx->final_result);
break;
}
//Entrelacement Itération 3 & Prédicat Opaque
uint8_t m3 = gf_mul(&ctx3, (0xFF / 3));
pctx->junk_data = (pctx->junk_data >> 3) | (pctx->junk_data << 29);
if ((pctx->junk_data % 256) == 256) {
pctx->final_result = (uint8_t)(pctx->junk_data & 0xFF);
return; // Sortie prématurée (Code mort)
}
pctx->final_result = (pctx->final_result | m3) & ~(pctx->final_result & m3);
ctx3.a = pctx->current_x_pow;
ctx3.b = pctx->input_x;
pctx->current_x_pow = gf_mul(&ctx3, (0xFF - (0xFF / 3)));
//Entrelacement Itérations 4, 5, 6
pctx->inner_ctx.b = pctx->current_x_pow;
pctx->inner_ctx.a = *(pctx->p_coeffs + ((2*2*2) >> 1));
uint8_t m4 = gf_mul(&(pctx->inner_ctx), (0xFF / 3));
pctx->inner_ctx.b = pctx->input_x;
pctx->final_result = (pctx->final_result + m4) - ((pctx->final_result & m4) << 1);
pctx->inner_ctx.a = pctx->current_x_pow;
pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3)));
pctx->inner_ctx.b = pctx->current_x_pow;
pctx->inner_ctx.a = *(pctx->p_coeffs + (15 % 10));
uint8_t m5 = gf_mul(&(pctx->inner_ctx), (0xFF / 3));
pctx->inner_ctx.a = pctx->current_x_pow;
pctx->final_result = (pctx->final_result | m5) & ~(pctx->final_result & m5);
pctx->inner_ctx.b = pctx->input_x;
pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3)));
pctx->inner_ctx.a = *(pctx->p_coeffs + (3 * 2 * 1));
pctx->inner_ctx.b = pctx->current_x_pow;
uint8_t m6 = gf_mul(&(pctx->inner_ctx), (0xFF / 3));
pctx->inner_ctx.b = pctx->input_x;
pctx->final_result = (pctx->final_result + m6) - ((pctx->final_result & m6) << 1);
pctx->inner_ctx.a = pctx->current_x_pow;
pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3)));
//Itération 7 finale
pctx->inner_ctx.a = *(pctx->p_coeffs + ((0xFF >> 5) & 0x07));
pctx->inner_ctx.b = pctx->current_x_pow;
uint8_t m7 = gf_mul(&(pctx->inner_ctx), (0xFF / 3));
pctx->final_result = (pctx->final_result | m7) & ~(pctx->final_result & m7);
if ((pctx->junk_data | 1) % 2 != 0) {
// Le vrai résultat est DÉJÀ dans pctx->final_result, on ne fait rien !
return;
} else {
pctx->final_result = (uint8_t)pctx->lag_counter;
default:
// Anti-debug / Anti-tamper : si le state est corrompu
pctx->state = 0xBAADF00D;
break;
}
}
}
@ -473,161 +436,133 @@ int fakemain(int argc, wchar_t *argv[]) {
return (junk_register - junk_register);
}
/* ==============================================================================
* MOTEUR D'OBFUSCATION BRANCHLESS (POINT-FUNCTION OBFUSCATION)
* ==============================================================================
*/
typedef struct {
void (*evaluate_polynomial)(POLY_CONTEXT* pctx) ;
//uint8_t (*evaluate_polynomial)(uint8_t x, const uint8_t coeffs[8]);
void *(*memcpy)(void *__restrict __dest, const void *__restrict __src,
size_t __n);
int (*lonesha256)(unsigned char out[32], const unsigned char *in,
size_t len);
} FuncList2;
// Identité de Boole pour M_EXIT (toujours 0x73)
#define GET_EXIT_STATE(x) (((x | 0x73) & 0x7F) ^ (x & 0))
int main(int argc, char *argv[]) {
if (((uint64_t)argc * argc + 1) == 0) return 0xDEAD;
if (argc < 2 || strlen(argv[1]) > 8) {
printf("Arguments invalides.\n");
return 1;
}
uint32_t selector = M_INIT;
Obfuscated_stdFunclist *stdfunclist = nullptr;
FuncList2 list;
uint8_t input[8] = {0};
uint8_t super_bloc[64] = {0};
unsigned char h1[32], h2[32], h_leurre[32];
uint64_t mask = 0;
// Init des struct d'obfuscation d'appel de fonction
Obfuscated_stdFunclist *stdfunclist = new Obfuscated_stdFunclist();
FuncList2 list = {evaluate_polynomial, stdfunclist->obfusc_memcpy, lonesha256};
while (selector != M_EXIT) {
switch (selector) {
fakemain(argc, (wchar_t **)argv);
case M_INIT: {
stdfunclist = new Obfuscated_stdFunclist();
list.evaluate_polynomial = evaluate_polynomial;
list.memcpy = stdfunclist->obfusc_memcpy;
list.lonesha256 = lonesha256;
uint8_t input[8];
list.memcpy(input, argv[1], 8);
fakemain(argc, (wchar_t **)argv);
size_t sz = 0;
while(argv[1][sz] != '\0' && sz < 9) sz++;
if (sz > 8) return 0;
/* --------------------------------------------------------------------------
* 1. EXPANSION SPATIALE (FORWARD-COMPUTATION)
* Objectif : Projeter l'entrée (8 octets) sur un espace pseudo-aléatoire de
* 64 octets (512 bits) pour remplir parfaitement un bloc de compression
* SHA-256 sans ajout de bits de padding prévisibles.
*
* Équation de récurrence non-linéaire :
* S_{c, i+1} = P_{c, i}(S_{c, i} \oplus x_i)
* :
* - c : Index de la chaîne d'évaluation parallèle (de 0 à 7).
* - i : Index du caractère de l'entrée en cours de traitement (de 0
* à 7).
* - S_{c, i} : État interne de la chaîne 'c' à l'étape 'i'.
* - x_i : i-ème octet (caractère) de l'entrée fournie.
* - P_{c, i} : Polynôme de transition aléatoire sur GF(2^8) spécifique à
* cette étape.
* --------------------------------------------------------------------------
*/
list.memcpy(input, argv[1], sz);
selector = (selector ^ 0x11);
break;
}
uint8_t super_bloc[64];
for (int c = 0; c < 8; c++) {
uint8_t state = INITIAL_STATES[c];
for (int i = 0; i < 8; i++) {
POLY_CONTEXT my_poly_ctx;
my_poly_ctx.input_x = state ^ input[i];
my_poly_ctx.p_coeffs = (uint8_t*)POLY_COEFFS[c][i];
list.evaluate_polynomial(&my_poly_ctx);
// Mélange non-linéaire du caractère d'entrée avec l'état courant
state = my_poly_ctx.final_result;
// Capture de la trace pour former le bloc final
super_bloc[c * 8 + i] = state;
case M_EXPAND: {
for (uint32_t c = 0; c < (0x40 >> 3); c++) {
uint8_t current_state = INITIAL_STATES[c];
for (uint32_t i = 0; i < 8; i++) {
POLY_CONTEXT mctx;
mctx.input_x = (current_state | input[i]) - (current_state & input[i]);
mctx.p_coeffs = (uint8_t*)POLY_COEFFS[c][i];
list.evaluate_polynomial(&mctx);
current_state = mctx.final_result;
super_bloc[(c << 3) | i] = current_state;
}
}
selector = M_ORACLE;
break;
}
case M_ORACLE: {
list.lonesha256(h1, super_bloc, 64);
uint32_t diff = 0;
for (int i = 0; i < 32; i++) {
diff |= (h1[i] ^ h_cible[i]);
}
uint64_t d64 = diff;
mask = ((d64 | (~d64 + 1)) >> 63) - 1;
selector = M_DECOY;
break;
}
case M_DECOY: {
//"Microsoft..." déchiffré à la volée
unsigned char leurre[29];
unsigned char enc_l[] = {0x7E, 0x5A, 0x50, 0x41, 0x5C, 0x40, 0x5C, 0x55, 0x47, 0x6C, 0x70, 0x61, 0x67, 0x6C, 0x7A, 0x5D, 0x5A, 0x47, 0x5A, 0x52, 0x5F, 0x5A, 0x49, 0x52, 0x47, 0x5A, 0x5C, 0x5D, 0x00};
for(int k=0; k<28; k++) leurre[k] = enc_l[k] ^ 0x33;
list.lonesha256(h_leurre, leurre, 28);
unsigned char b2[74];
list.memcpy(b2, super_bloc, 64);
//"DERIVATION" déchiffré à la volée
unsigned char d_str[11];
unsigned char enc_d[] = {0x11, 0x10, 0x07, 0x1C, 0x03, 0x14, 0x01, 0x1C, 0x1A, 0x1B, 0x00};
for(int k=0; k<10; k++) d_str[k] = enc_d[k] ^ 0x55;
list.memcpy(b2 + 64, d_str, 10);
list.lonesha256(h2, b2, 74);
selector = M_EXEC;
break;
}
case M_EXEC: {
for (int i = 0; i < 8; i++) {
uint8_t d = (enc_delta[i] ^ h2[i]) & (mask & 0xFF);
payload[i] ^= (h_leurre[i] ^ d);
}
payload[7] = (uint8_t)(0);
stdfunclist->obfusc_printf((char *)payload, argv[1]);
selector = M_TRAP;
break;
}
case M_TRAP: {
// DEADLOCK MATHÉMATIQUE
// Un carré parfait + 1 n'est jamais nul sur les entiers non-signés 32 bits
uint32_t trap_sync = 1;
while ((trap_sync * trap_sync) + 1 != 0) {
trap_sync++;
if (trap_sync == 0) break; // Sécurité physique
}
selector = GET_EXIT_STATE(selector);
break;
}
default:
selector = M_EXIT;
break;
}
}
/* --------------------------------------------------------------------------
* 2. VÉRIFICATION D'INTÉGRITÉ (ORACLE ALÉATOIRE)
* Calcul de l'empreinte H1 = SHA256(super_bloc)
* --------------------------------------------------------------------------
*/
unsigned char h1[32];
list.lonesha256(h1, super_bloc, 64);
// Accumulation des erreurs bit-à-bit par rapport à la cible cryptographique
// Diff = \bigvee_{k=0}^{31} (H_1[k] ^ H_{cible}[k])
uint32_t diff = 0;
for (int i = 0; i < 32; i++) {
diff |= (h1[i] ^ h_cible[i]);
}
/* --------------------------------------------------------------------------
* 3. FILTRE MATHÉMATIQUE "BRANCHLESS" (ZÉRO CONDITION)
* Transforme l'erreur accumulée en un masque binaire absolu.
* Formule : Mask = ( (Diff | (~Diff + 1)) >> 63 ) - 1
* --------------------------------------------------------------------------
*/
uint64_t diff64 = diff;
// Si diff > 0 (mot de passe faux) -> is_wrong = 1
// Si diff == 0 (mot de passe bon) -> is_wrong = 0
uint64_t is_wrong = (diff64 | (~diff64 + 1)) >> 63;
// Si is_wrong == 1 -> Mask = 0x0000000000000000 (Ferme la porte au payload)
// Si is_wrong == 0 -> Mask = 0xFFFFFFFFFFFFFFFF (Ouvre la porte au payload)
uint64_t mask = is_wrong - 1;
/* --------------------------------------------------------------------------
* 4. DÉRIVATION DE LA CLÉ DE LEURRE (COMPORTEMENT GOODWARE)
* K_G = SHA256(L)_{[0..7]} L est une chaîne d'apparence inoffensive.
* Permet une indistinguabilité totale lors d'une analyse statique
* (strings).
* --------------------------------------------------------------------------
*/
unsigned char leurre[] = "Microsoft_CRT_Initialization";
unsigned char h_leurre[32];
list.lonesha256(h_leurre, leurre,
28); // K_G correspond aux 8 premiers octets
/* --------------------------------------------------------------------------
* 5. SÉPARATION DES DOMAINES (DOMAIN SEPARATION)
* Calcul de l'empreinte de dérivation H2.
* H_2 = SHA256(super_bloc \parallel \text{"DERIVATION"})
* Garantit l'indépendance mathématique entre la vérification (H1) et le
* déchiffrement (H2).
* --------------------------------------------------------------------------
*/
unsigned char buffer_h2[74]; // 64 octets (SB) + 10 octets (Sel)
list.memcpy(buffer_h2, super_bloc, 64);
list.memcpy(buffer_h2 + 64, "DERIVATION", 10);
unsigned char h2[32];
list.lonesha256(h2, buffer_h2, 74);
/* --------------------------------------------------------------------------
* 6. RÉSOLUTION ALGÉBRIQUE ET DÉCHIFFREMENT
* Formule maîtresse : K_{finale} = K_G ^ ( (E_\Delta ^ H_2) \ \& \ Mask )
* - Si Mask == 0x00 : K_{finale} = K_G ^ 0 = K_G (Goodware)
* - Si Mask == 0xFF : K_{finale} = K_G ^ \Delta = K_G ^ (K_M ^ K_G) = K_M
* (Malware)
* --------------------------------------------------------------------------
*/
unsigned char derived_key[8];
for (int i = 0; i < 8; i++) {
// Tentative de déchiffrement du secret (\Delta)
uint8_t computed_delta = enc_delta[i] ^ h2[i];
// Application du masque d'annihilation (filtre AND)
uint8_t applied_delta = computed_delta & (mask & 0xFF);
// Recombinaison finale de la clé
derived_key[i] = h_leurre[i] ^ applied_delta;
// Déchiffrement immédiat in-place du payload
payload[i] ^= derived_key[i];
}
payload[7] = '\0'; // Protection d'affichage C-String
/* --------------------------------------------------------------------------
* 7. EXÉCUTION DU PAYLOAD DÉCHIFFRÉ
* --------------------------------------------------------------------------
*/
stdfunclist->obfusc_printf((char *)payload, argv[1]);
// Boucle infinie demandée pour suspendre le processus
while (1) {
}
return 0;
}
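Review bot: `GET_EXIT_STATE` is not the identity its comment claims ("toujours 0x73"). In the `M_TRAP` case `selector` is 0xAA, and `((0xAA | 0x73) & 0x7F) ^ (0xAA & 0)` evaluates to 0x7B, so the `while (selector != M_EXIT)` loop in `main` only ends because the unmatched value falls into `default`. Assign the constant directly with `selector = M_EXIT;`, or correct the comment to say the exit goes through `default`; the macro also uses `x` without parentheses. Separately, the rendered page does not mark which side the `if (argc < 2 || strlen(argv[1]) > 8)` guard belongs to. If it was removed, `argv[1][sz]` in `M_INIT` is read with no argument present, so keep `if (argc < 2) return 1;` ahead of the state loop.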