From bbf3c1a93f1212289e64398061f28ecee7b92f4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Tue, 24 Feb 2026 14:27:31 +0100 Subject: [PATCH] added malloc to obfuscated functions, fixed a bug where the search would skip over --- Malware/Malware/Malware.cpp | 8 ++++---- Malware/Malware/encryption.cpp | 4 +++- Malware/Malware/functions.cpp | 14 ++++++++++++-- Malware/Malware/functions.h | 26 +++++++++++++++++++------- 4 files changed, 38 insertions(+), 14 deletions(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index c39c35e..b8c727a 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -11,14 +11,14 @@ #include #endif - +Obfuscated_stdFunclist* stdfunclist; typedef struct { char* (*p1)(); int (*p2)(char* decoded); } FuncList; char* this_is_useful_fr_dont_miss_it(){ // it's not, pure red herring - char* useful = (char*) malloc(sizeof(char)*100); + char* useful = (char*) stdfunclist->obfusc_malloc(sizeof(char)*100); for (int i = 0; i < 99; i++){ useful[i] ^= useful[i+1] + 'c'; } @@ -39,7 +39,7 @@ int cmp_hash(char* decoded){ int _tmain(int argc, wchar_t* argv[]) { - Obfuscated_stdFunclist* stdfunclist = new Obfuscated_stdFunclist(); + stdfunclist = new Obfuscated_stdFunclist(); FuncList list = { @@ -54,7 +54,7 @@ int _tmain(int argc, wchar_t* argv[]) } // char* encoded = "Salut a tous les amis, gg pour avoir dechiffre ce string"; char* encoded = "\x64\x55\x58\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41\x51\x12\x54\x51\x13\x44\x47\x46\x5a\x5d\x54"; - char* key = (char*) malloc(sizeof(char)*9); + char* key = (char*) stdfunclist->obfusc_malloc(sizeof(char)*9); for(int i = 0; argv[1][i] != '\0'; ++i) { key[i] = (char) argv[1][i] ^ this_is_useful_fr_dont_miss_it()[i] ^ list.p1()[i]; // xors to argv[1][i] } 
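Review bot: `stdfunclist` is now a file-scope raw pointer that stays null until `_tmain` assigns it in the second hunk, and `this_is_useful_fr_dont_miss_it()` dereferences it with no check, so any call that runs before that assignment crashes. A function-local static removes the null window and the never-deleted `new`: `static Obfuscated_stdFunclist& funcs() { static Obfuscated_stdFunclist f; return f; }`. The return value of `obfusc_malloc` is used unchecked. The loop on the context lines also reads the fresh buffer before anything is written to it, so the bytes are indeterminate; zeroing it first (`memset(useful, 0, 100);`) makes the result reproducible. The function body continues outside the hunk.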
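Review bot: The 9-byte `key` buffer is filled by a loop that stops only at the terminator of `argv[1]`, so an argument longer than nine characters writes past the heap allocation; switching to `obfusc_malloc` leaves this unchanged. Bounding the loop to the allocation closes the overflow: `for (int i = 0; i < 9 && argv[1][i] != '\0'; ++i)`. If `key` is later treated as a C string it also needs a slot for the terminator, and the allocation result should be checked before the first write. Each iteration calls `this_is_useful_fr_dont_miss_it()`, which per the first hunk allocates 100 bytes and appears never to be freed, so calling it once before the loop and reusing the pointer avoids a leak per character. `_tmain` starts and ends outside the hunk.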
diff --git a/Malware/Malware/encryption.cpp b/Malware/Malware/encryption.cpp index 50f426e..c3a7eea 100644 --- a/Malware/Malware/encryption.cpp +++ b/Malware/Malware/encryption.cpp @@ -1,6 +1,7 @@ #include "stdafx.h" // IWYU pragma: keep #include "encryption.h" #include "tree.h" +#include "functions.h" #ifdef _WIN32 #include #endif @@ -36,7 +37,8 @@ Node* gen_tree(){ } char* derive_key_from_tree(char* key){ - char* res = (char*) malloc(sizeof(char)*9*8); + auto stdfunclist = new Obfuscated_stdFunclist(); + char* res = (char*) stdfunclist->obfusc_malloc(sizeof(char)*9*8); Node* root = gen_tree(); Node* current = root; int i_key = 0; diff --git a/Malware/Malware/functions.cpp b/Malware/Malware/functions.cpp index b4ec32f..ea733a5 100644 --- a/Malware/Malware/functions.cpp +++ b/Malware/Malware/functions.cpp @@ -1,10 +1,12 @@ #include "stdafx.h" // IWYU pragma: keep +#include +#include "functions.h" #ifdef _WIN32 #include #endif -bool verify_signature(unsigned int* signature, unsigned int* starting_loc){ - for(int i = 0; i < 3; i++){ +bool verify_signature(unsigned char* signature, unsigned char* starting_loc){ + for(int i = 0; i < 12; i++){ if (signature[i] != starting_loc[i]){ return false; } @@ -12,3 +14,11 @@ bool verify_signature(unsigned int* signature, unsigned int* starting_loc){ return true; } +void print_signature(unsigned char* loc){\ + printf("{"); + for(int i = 0; i < 12; i++){ + printf("0x%x",loc[i]); + if (i != 11) printf(", "); + } + printf("}\n"); +} \ No newline at end of file diff --git a/Malware/Malware/functions.h b/Malware/Malware/functions.h index a6433f2..7557095 100644 --- a/Malware/Malware/functions.h +++ b/Malware/Malware/functions.h 
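Review bot: `derive_key_from_tree` now heap-allocates a fresh `Obfuscated_stdFunclist` on every call and never deletes it, so each call leaks the object and repeats both signature scans in its constructor. A stack object is enough here: `Obfuscated_stdFunclist funcs;` followed by `char* res = (char*) funcs.obfusc_malloc(sizeof(char)*9*8);`. Alternatively, declare the instance that Malware.cpp creates as `extern`, provided it is assigned before this function runs. The result of `obfusc_malloc` should be checked before `res` is written. The function body continues outside the hunk.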
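Review bot: The signature length is a bare literal in `verify_signature` (12), again in `print_signature` in the next hunk (12 and 11), and in both array declarations in functions.h, so changing one silently makes the others read past the array. A single named constant declared in functions.h, e.g. `constexpr int kSignatureLen = 12;`, used in all of those places keeps them in step. Neither function writes through its pointers, so the parameters can be `const unsigned char*`. A short comment should state that the caller must guarantee 12 readable bytes at `starting_loc`.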
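Review bot: The first line of `print_signature` ends in `{\`, and that backslash is a line continuation that splices the following `printf` onto the same logical line. It compiles today, but a `//` comment added on that line would swallow the next statement, so the backslash should be removed. `"0x%x"` prints bytes below 0x10 as a single digit; `"0x%02x"` gives a fixed-width form that matches how the arrays in functions.h are written. The function has no comment saying it reads exactly 12 bytes from `loc`, which callers need to know.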
@@ -1,23 +1,35 @@ #include +#include - -unsigned int signature_printf[3] = {0x8b55ff8b,0x68fe6aec,0x1034dbe0}; - -bool verify_signature(unsigned int* signature, unsigned int* starting_loc); +bool verify_signature(unsigned char* signature, unsigned char* starting_loc); +void print_signature(unsigned char* loc); class Obfuscated_stdFunclist { - public: + public: // list of functions int (*obfusc_printf)(const char *__restrict, ...); + void* (*obfusc_malloc)(size_t __size); private: void find_obfusc_printf(){ - unsigned int* loc = (unsigned int*) ungetc; // after printf in memory + // print_signature(printf) + unsigned char signature_printf[12] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x6a, 0xfe, 0x68, 0xe0, 0xdb, 0x34, 0x10}; + unsigned char* loc = (unsigned char*) ungetc; // after printf in memory while (!verify_signature(signature_printf, loc)) { loc--; // go back until we find printf } obfusc_printf = (int (*)(const char *__restrict, ...)) loc; } - public: + void find_obfusc_malloc(){ + // print_signature((unsigned char*)malloc); + unsigned char signature_malloc[12] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x6a, 0x0, 0x6a, 0x0, 0x6a, 0x1}; + unsigned char* loc = (unsigned char*) free; // after malloc in memory + while (!verify_signature(signature_malloc, loc)) { + loc--; // go backwards until we find malloc + } + obfusc_malloc = (void* (*)(size_t __size)) loc; + } + public: // constructor Obfuscated_stdFunclist(){ find_obfusc_printf(); + find_obfusc_malloc(); } }; \ No newline at end of file
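Review bot: `find_obfusc_printf()` and `find_obfusc_malloc()` both decrement `loc` with no lower bound and no failure path. If the hard-coded 12 bytes do not occur below `ungetc` / `free` in the loaded runtime, the loop either faults on unmapped memory or stops on an unrelated match, and the constructor then publishes a pointer that every caller invokes unchecked. The byte values depend on the runtime build that `print_signature` was run against, which the comments should record. The scan needs an iteration limit, and the member should fall back to the linked function when nothing matches, e.g. `obfusc_malloc = found ? (void* (*)(size_t)) loc : malloc;`, where `found` is the result of the bounded scan. The header also has no include guard although this commit includes it from two more translation units; `#pragma once` on its first line prevents a class redefinition.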