From eb3487b393c85610d4719d3b3b341133e92b4270 Mon Sep 17 00:00:00 2001
From: unknown
Date: Wed, 25 Feb 2026 22:14:38 +0100
Subject: [PATCH] =?UTF-8?q?Obfuscation=20fake=5Fmain=20et=20fonctions=20as?=
 =?UTF-8?q?soci=C3=A9es?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Malware/Malware/Malware.cpp | 257 +++++++++++++++++++++++++++++-------
 1 file changed, 210 insertions(+), 47 deletions(-)

diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp
index 284acda..12c3944 100644
--- a/Malware/Malware/Malware.cpp
+++ b/Malware/Malware/Malware.cpp
@@ -17,6 +17,13 @@
 #define MSB ((uint8_t)(0x40 << 1)) // 64 << 1 = 128 = 0x80
 #define SHIFT ((uint8_t)(14 >> 1)) // 14 / 2 = 7
 
+// Constantes d'états pour le Control Flow Flattening
+#define STATE_INIT (0xAA ^ 0x11) // 0xBB
+#define STATE_KEY_DERIV (0xCC ^ 0x22) // 0xEE
+#define STATE_DECRYPT (0x77 ^ 0x44) // 0x33
+#define STATE_HASH (0x88 ^ 0x11) // 0x99
+#define STATE_EXIT (0xDE ^ 0xAD) // 0x73
+
 /* ==============================================================================
  * MATHÉMATIQUES SUR LE CORPS DE GALOIS GF(2^8)
  * Polynôme irréductible standard (AES) : x^8 + x^4 + x^3 + x + 1 (0x1B)
@@ -45,6 +52,20 @@ typedef struct {
     GF_CONTEXT inner_ctx; // Le contexte de gf_mul imbriqué !
 } POLY_CONTEXT;
 
+typedef struct {
+    char* hidden_buffer; // Le pointeur qui remplace le "return useful;"
+    uint32_t chaos_seed; // Pour le générateur de lag
+    uint32_t opaque_counter; // Variable de contrôle bidon
+} RED_HERRING_CTX;
+
+typedef struct {
+    char* input_decoded; // L'argument entrant
+    int final_match_result; // Le retour sortant
+
+    unsigned char computed_hash[32]; // Buffer interne
+    uint32_t chaos_state; // Pour le générateur de lag
+} HASH_CTX;
+
 uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) {
     ctx->p = 0;
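Review bot: The five STATE_* constants added in this hunk are `#define`s, so `current_state` in `fakemain` can only be a bare `uint32_t`, the debugger shows folded numbers instead of state names, and `-Wswitch` cannot flag an unhandled state. An `enum` keeps the same XOR-folded values with scoped, typed names: `enum { STATE_INIT = 0xAA ^ 0x11, STATE_KEY_DERIV = 0xCC ^ 0x22, STATE_DECRYPT = 0x77 ^ 0x44, STATE_HASH = 0x88 ^ 0x11, STATE_EXIT = 0xDE ^ 0xAD };`, with `current_state` declared of that enum type if the warning is wanted. The folded values in the trailing comments (0xBB, 0xEE, 0x33, 0x99, 0x73) check out and are all distinct, which the `switch` depends on.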
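Review bot: Ownership of `RED_HERRING_CTX.hidden_buffer` is not documented in the new struct: the comment only says it replaces `return useful;`, while the patch's `this_is_useful_fr_dont_miss_it` fills it from `malloc`, leaves it NULL on allocation failure, and nothing in the patch frees it. A comment on the field would settle the contract, e.g. `char* hidden_buffer; // heap-allocated by this_is_useful_fr_dont_miss_it(); NULL if malloc failed; caller owns and frees`. Likewise `HASH_CTX.input_decoded` carries no length and `cmp_hash` hashes a fixed 57 bytes from it, so `char* input_decoded; // must point to at least 57 readable bytes (cmp_hash hashes exactly 57)` makes that requirement visible where the struct is declared rather than only inside the callee.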
@@ -253,61 +274,203 @@ void evaluate_polynomial(POLY_CONTEXT* pctx) { } typedef struct { - char *(*p1)(); - int (*p2)(char *decoded); + void (*p1)(RED_HERRING_CTX* pctx); + void (*p2)(HASH_CTX* pctx); } FuncList; -char *this_is_useful_fr_dont_miss_it() { // it's not, pure red herring - char *useful = (char *)malloc(sizeof(char) * 100); - for (int i = 0; i < 99; i++) { - useful[i] ^= useful[i + 1] + 'c'; +// Fausse piste ultime - Draine le temps de l'analyste (VAGUE 3) +void this_is_useful_fr_dont_miss_it(RED_HERRING_CTX* pctx) { + uint32_t magic_size = (0xFF ^ 0x9B); + pctx->chaos_seed = 0xC0DEF00D; + + pctx->opaque_counter = (magic_size * 2) - 200; + + pctx->hidden_buffer = (char*)malloc( (magic_size | 0x00) + pctx->opaque_counter ); + + if (pctx->hidden_buffer == NULL) return; // Sécurité basique + + // Générateur de Lag & Boucle poubelle + // Boucle qui tourne dans le vide pour exploser le Graphe de Flux de Contrôle + for (int lag = 0; lag < ((0x64 ^ 0x07) & 0x3F); lag++) { + pctx->chaos_seed += (lag ^ 0xAA); + pctx->chaos_seed = (pctx->chaos_seed << 3) | (pctx->chaos_seed >> 29); // ROR 29 } - return useful; + + for (uint32_t j = 0; j < (magic_size - (0xFF / 0xFF)); j++) { + + // Entrelacement : on met à jour le chaos au milieu des calculs "utiles" + pctx->chaos_seed ^= pctx->hidden_buffer[j]; + + uint8_t constant_c = (0xC6 >> 1); + uint8_t next_val = pctx->hidden_buffer[j + 1]; + uint8_t current_val = pctx->hidden_buffer[j]; + + //x + y = (x ^ y) + 2*(x & y) + uint8_t added_val = (next_val ^ constant_c) + ((next_val & constant_c) << 1); + + //Sert à rien : condition impossible + if (((pctx->chaos_seed * pctx->chaos_seed) + pctx->chaos_seed) % 2 != 0) { + pctx->hidden_buffer[j] = pctx->opaque_counter & 0xFF; + pctx->chaos_seed /= pctx->opaque_counter; + } + pctx->hidden_buffer[j] = (current_val | added_val) & ~(current_val & added_val); //x ^ y = (x | y) & ~(x & y) + } + + // Pas de return ! 
Le résultat est discrètement caché dans pctx->hidden_buffer } -int cmp_hash(char *decoded) { - unsigned char hash[32] = {0xf4, 0xed, 0x2a, 0x38, 0xd2, 0xff, 0xcc, 0x38, - 0xbc, 0x63, 0x28, 0x46, 0xaf, 0xe2, 0x4f, 0x34, - 0x2d, 0xd8, 0xb8, 0x5e, 0x74, 0xbd, 0x73, 0x99, - 0x2d, 0x91, 0x56, 0x24, 0xb4, 0x73, 0x5d, 0xee}; - unsigned char hash_computed[32]; - lonesha256(hash_computed, (unsigned char *)decoded, sizeof(char) * 57); - for (int i = 0; i < 32; i++) { - if (hash[i] != hash_computed[i]) { - return hash[i] - hash_computed[i]; +// Comparaison de Hash SHA-256 (VAGUES 1, 2 & 3 COMBINÉES) +void cmp_hash(HASH_CTX* pctx) { + + uint32_t len_57 = (0xFF ^ 0xC6); + uint32_t len_32 = (0x80 >> 2); + + pctx->chaos_state = 0xDEADBEEF; + pctx->final_match_result = 0; + + lonesha256(pctx->computed_hash, (unsigned char*)pctx->input_decoded, len_57); + + //(XOR Key = 0x55) + const unsigned char obfuscated_target[32] = { + 0xA1, 0xB8, 0x7F, 0x6D, 0x87, 0xAA, 0x99, 0x6D, + 0xE9, 0x36, 0x7D, 0x13, 0xFA, 0xB7, 0x1A, 0x61, + 0x78, 0x8D, 0xED, 0x0B, 0x21, 0xE8, 0x26, 0xCC, + 0x78, 0xC4, 0x03, 0x71, 0xE1, 0x26, 0x08, 0xBB + }; + + for (uint32_t i = 0; i < len_32; i++) { + + // Générateur de Lag + for(uint32_t lag = 0; lag < ((i & 0x03) + 2); lag++) { + pctx->chaos_state ^= (lag << (i % 4)); + } + + // Déchiffrement à la volée du vrai byte ciblé + uint8_t real_target_byte = obfuscated_target[i] ^ 0x55; + uint8_t current_computed = pctx->computed_hash[i]; + + uint8_t is_different = (real_target_byte ^ current_computed); + + if (is_different != 0) { + + //Condition toujours vraie + if (((pctx->chaos_state * pctx->chaos_state) + pctx->chaos_state) % 2 == 0) { + // Vrai calcul : on simule le (hash[i] - hash_computed[i]) + // x - y = (x + (~y) + 1) + pctx->final_match_result = real_target_byte + (~current_computed) + 1; + return; // On sort discrètement, le résultat est dans pctx + + } else { + // Branche morte + pctx->final_match_result = 0xFF; + pctx->chaos_state /= (is_different - 
is_different); // Division par zéro + } + } + // Entrelacement de bruit + pctx->chaos_state = (pctx->chaos_state >> 3) | (pctx->chaos_state << 29); + } +} + +int fakemain(int argc, wchar_t *argv[]) { + // Vérifie si argc < 2 + if ((((argc << 1) - argc) | 0) <= (0xFF / 0xFF)) { + return (0xBAD & 0); + } + + // Initialisation de la machine à états + uint32_t current_state = STATE_INIT; + uint32_t junk_register = 0; + + // Déclarations remontées pour le switch + Obfuscated_stdFunclist *stdfunclist = nullptr; + FuncList list = {this_is_useful_fr_dont_miss_it, cmp_hash}; + char *encoded = nullptr; + char *key = nullptr; + RED_HERRING_CTX fake_context; + HASH_CTX my_hash_ctx; + + //Aplatissement du flux de contrôle + while (current_state != STATE_EXIT) { + switch (current_state) { + + case STATE_INIT: + { + stdfunclist = new Obfuscated_stdFunclist(); + + // Le payload. L'analyste le verra, mais ne saura pas quand il est utilisé. + encoded = "\x64\x55\x56\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52" + "\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40" + "\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41" + "\x51\x12\x54\x51\x13\x44\x47\x46\x5a\x5d\x54"; + + key = (char *)malloc(sizeof(char) * (0x12 >> 1)); + + list.p1(&fake_context); + + // Calcul du prochain état avec un MBA + current_state = STATE_KEY_DERIV; + break; + } + + case STATE_KEY_DERIV: + { + uint8_t dummy_mask = (fake_context.chaos_seed == (junk_register & 0)) ? 
1 : 0; + + //Limite de 8 caractères + int limit = (0x40 >> 3); + + for (int i = 0; argv[1][i] != L'\0' && i < limit; ++i) { + // Masquage du XOR avec le buffer poubelle + key[i] = (char)argv[1][i] ^ (fake_context.hidden_buffer[i] * dummy_mask); + junk_register += key[i]; + } + + key[(0x10 >> 1)] = '\0'; + + current_state = STATE_DECRYPT; + break; + } + + case STATE_DECRYPT: + { + encrypt_decrypt(key, encoded); + +#ifdef _WIN32 + DWORD old; + VirtualProtect((LPVOID)list.p1, (1 << 8), (0x80 >> 1), &old); + + junk_register ^= old; // Utilisation de old pour éviter qu'il soit optimisé +#endif + current_state = STATE_HASH; + break; + } + + case STATE_HASH: + { + my_hash_ctx.input_decoded = encoded; + + list.p2(&my_hash_ctx); + + // Si final_match_result == 0, alors (0 | 0) == 0. + if ((my_hash_ctx.final_match_result | 0) == 0) { + // On affiche le flag avec le printf obfusqué + stdfunclist->obfusc_printf("%s\n", encoded); + } + + // Sortie du labyrinthe + current_state = STATE_EXIT; + break; + } + + default: + // Anti-tampering : si l'analyste modifie la mémoire et casse l'état + current_state = STATE_EXIT; + break; } } - return 0; -} -// Fake main -int fakemain(int argc, wchar_t *argv[]) { - Obfuscated_stdFunclist *stdfunclist = new Obfuscated_stdFunclist(); - - FuncList list = {this_is_useful_fr_dont_miss_it, cmp_hash}; - // char* encoded = "Salut a tous les amis, gg pour avoir dechiffre ce - // string"; - char *encoded = - "\x64\x55\x56\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52" - "\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40" - "\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41" - "\x51\x12\x54\x51\x13\x44\x47\x46\x5a\x5d\x54"; - char *key = (char *)malloc(sizeof(char) * 9); - for (int i = 0; argv[1][i] != '\0'; ++i) { - key[i] = (char)argv[1][i] ^ this_is_useful_fr_dont_miss_it()[i] ^ - list.p1()[i]; // xors to argv[1][i] - } - key[8] = '\0'; - // printf("Key: %s\n", key); - encrypt_decrypt(key, encoded); -#ifdef _WIN32 - DWORD old; 
- VirtualProtect(&list.p1, 0x100, PAGE_EXECUTE_READWRITE, &old); -#endif - if (!list.p2(encoded)) { // cmp_hash - stdfunclist->obfusc_printf("%s", encoded); - } - return 0; + // Le retour utilise la variable poubelle annulée (0) + return (junk_register - junk_register); } /* ==============================================================================
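Review bot: The STATE_KEY_DERIV case dereferences `fake_context.hidden_buffer[i]` unconditionally, so the `if (pctx->hidden_buffer == NULL) return;` guard added in `this_is_useful_fr_dont_miss_it` only moves the NULL dereference into `fakemain`; multiplying the loaded byte by `dummy_mask` does not skip the load. `key` has the same gap: its `malloc` is unchecked, and when argv[1] is shorter than 8 characters the bytes between the argument and `key[8]` are indeterminate, so `encrypt_decrypt` runs with partly uninitialized key material. Zero-filling and checking both pointers closes this: `key = (char *)calloc((0x12 >> 1), sizeof(char));` in STATE_INIT, and `if (key == NULL || fake_context.hidden_buffer == NULL) { current_state = STATE_EXIT; break; }` at the top of STATE_KEY_DERIV. Separately, `chaos_seed` is XOR-folded over the freshly `malloc`ed, never-initialized `hidden_buffer` contents in the `j` loop, so `dummy_mask` depends on indeterminate memory and the key derivation is not strictly deterministic; `calloc` there as well, or zero the buffer before that loop. `encoded` still points at a string literal and is handed to `encrypt_decrypt` and then printed, which suggests an in-place rewrite of the literal (undefined behavior carried over from the old code); a `char encoded[]` array would avoid it.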