added malloc to obfuscated functions, fixed a bug where the search would skip over
This commit is contained in:
parent
3be58984ac
commit
bbf3c1a93f
4 changed files with 38 additions and 14 deletions
|
|
@ -11,14 +11,14 @@
|
|||
#include <windows.h>
|
||||
#endif
|
||||
|
||||
|
||||
Obfuscated_stdFunclist* stdfunclist;
|
||||
typedef struct {
|
||||
char* (*p1)();
|
||||
int (*p2)(char* decoded);
|
||||
} FuncList;
|
||||
|
||||
char* this_is_useful_fr_dont_miss_it(){ // it's not, pure red herring
|
||||
char* useful = (char*) malloc(sizeof(char)*100);
|
||||
char* useful = (char*) stdfunclist->obfusc_malloc(sizeof(char)*100);
|
||||
for (int i = 0; i < 99; i++){
|
||||
useful[i] ^= useful[i+1] + 'c';
|
||||
}
|
||||
|
|
@ -39,7 +39,7 @@ int cmp_hash(char* decoded){
|
|||
|
||||
int _tmain(int argc, wchar_t* argv[])
|
||||
{
|
||||
Obfuscated_stdFunclist* stdfunclist = new Obfuscated_stdFunclist();
|
||||
stdfunclist = new Obfuscated_stdFunclist();
|
||||
|
||||
|
||||
FuncList list = {
|
||||
|
|
@ -54,7 +54,7 @@ int _tmain(int argc, wchar_t* argv[])
|
|||
}
|
||||
// char* encoded = "Salut a tous les amis, gg pour avoir dechiffre ce string";
|
||||
char* encoded = "\x64\x55\x58\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41\x51\x12\x54\x51\x13\x44\x47\x46\x5a\x5d\x54";
|
||||
char* key = (char*) malloc(sizeof(char)*9);
|
||||
char* key = (char*) stdfunclist->obfusc_malloc(sizeof(char)*9);
|
||||
for(int i = 0; argv[1][i] != '\0'; ++i) {
|
||||
key[i] = (char) argv[1][i] ^ this_is_useful_fr_dont_miss_it()[i] ^ list.p1()[i]; // xors to argv[1][i]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
#include "stdafx.h" // IWYU pragma: keep
|
||||
#include "encryption.h"
|
||||
#include "tree.h"
|
||||
#include "functions.h"
|
||||
#ifdef _WIN32
|
||||
#include <windows.h>
|
||||
#endif
|
||||
|
|
@ -36,7 +37,8 @@ Node* gen_tree(){
|
|||
}
|
||||
|
||||
char* derive_key_from_tree(char* key){
|
||||
char* res = (char*) malloc(sizeof(char)*9*8);
|
||||
auto stdfunclist = new Obfuscated_stdFunclist();
|
||||
char* res = (char*) stdfunclist->obfusc_malloc(sizeof(char)*9*8);
|
||||
Node* root = gen_tree();
|
||||
Node* current = root;
|
||||
int i_key = 0;
|
||||
|
|
|
|||
|
|
@ -1,10 +1,12 @@
|
|||
#include "stdafx.h" // IWYU pragma: keep
|
||||
#include <cstdio>
|
||||
#include "functions.h"
|
||||
#ifdef _WIN32
|
||||
#include <windows.h>
|
||||
#endif
|
||||
|
||||
bool verify_signature(unsigned int* signature, unsigned int* starting_loc){
|
||||
for(int i = 0; i < 3; i++){
|
||||
bool verify_signature(unsigned char* signature, unsigned char* starting_loc){
|
||||
for(int i = 0; i < 12; i++){
|
||||
if (signature[i] != starting_loc[i]){
|
||||
return false;
|
||||
}
|
||||
|
|
@ -12,3 +14,11 @@ bool verify_signature(unsigned int* signature, unsigned int* starting_loc){
|
|||
return true;
|
||||
}
|
||||
|
||||
void print_signature(unsigned char* loc){\
|
||||
printf("{");
|
||||
for(int i = 0; i < 12; i++){
|
||||
printf("0x%x",loc[i]);
|
||||
if (i != 11) printf(", ");
|
||||
}
|
||||
printf("}\n");
|
||||
}
|
||||
|
|
@ -1,23 +1,35 @@
|
|||
#include <cstdio>
|
||||
#include <cstdlib>
|
||||
|
||||
|
||||
unsigned int signature_printf[3] = {0x8b55ff8b,0x68fe6aec,0x1034dbe0};
|
||||
|
||||
bool verify_signature(unsigned int* signature, unsigned int* starting_loc);
|
||||
bool verify_signature(unsigned char* signature, unsigned char* starting_loc);
|
||||
void print_signature(unsigned char* loc);
|
||||
|
||||
class Obfuscated_stdFunclist {
|
||||
public:
|
||||
public: // list of functions
|
||||
int (*obfusc_printf)(const char *__restrict, ...);
|
||||
void* (*obfusc_malloc)(size_t __size);
|
||||
private:
|
||||
void find_obfusc_printf(){
|
||||
unsigned int* loc = (unsigned int*) ungetc; // after printf in memory
|
||||
// print_signature(printf)
|
||||
unsigned char signature_printf[12] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x6a, 0xfe, 0x68, 0xe0, 0xdb, 0x34, 0x10};
|
||||
unsigned char* loc = (unsigned char*) ungetc; // after printf in memory
|
||||
while (!verify_signature(signature_printf, loc)) {
|
||||
loc--; // go back until we find printf
|
||||
}
|
||||
obfusc_printf = (int (*)(const char *__restrict, ...)) loc;
|
||||
}
|
||||
public:
|
||||
void find_obfusc_malloc(){
|
||||
// print_signature((unsigned char*)malloc);
|
||||
unsigned char signature_malloc[12] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x6a, 0x0, 0x6a, 0x0, 0x6a, 0x1};
|
||||
unsigned char* loc = (unsigned char*) free; // after malloc in memory
|
||||
while (!verify_signature(signature_malloc, loc)) {
|
||||
loc--; // go backwards until we find malloc
|
||||
}
|
||||
obfusc_malloc = (void* (*)(size_t __size)) loc;
|
||||
}
|
||||
public: // constructor
|
||||
Obfuscated_stdFunclist(){
|
||||
find_obfusc_printf();
|
||||
find_obfusc_malloc();
|
||||
}
|
||||
};
|
||||
Loading…
Add table
Add a link
Reference in a new issue