diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp
index b8c727a..bfa0c60 100644
--- a/Malware/Malware/Malware.cpp
+++ b/Malware/Malware/Malware.cpp
@@ -1,80 +1,160 @@
-// Malware.cpp�: d�finit le point d'entr�e pour l'application console.
-//
-#pragma clang diagnostic ignored "-Wwritable-strings"
-
-#include "stdafx.h" // IWYU pragma: keep
-#include
-#include "functions.h"
-#include "encryption.h"
+#include "stdafx.h"
+#include
+#include
+#include
 #include "lonesha256.h"
-#ifdef _WIN32
-#include
-#endif
+#include "tables_poly.h"
-Obfuscated_stdFunclist* stdfunclist;
-typedef struct {
- char* (*p1)();
- int (*p2)(char* decoded);
-} FuncList;
+/* ==============================================================================
+ * MATHÉMATIQUES SUR LE CORPS DE GALOIS GF(2^8)
+ * Polynôme irréductible standard (AES) : x^8 + x^4 + x^3 + x + 1 (0x1B)
+ * ============================================================================== */
-char* this_is_useful_fr_dont_miss_it(){ // it's not, pure red herring
- char* useful = (char*) stdfunclist->obfusc_malloc(sizeof(char)*100);
- for (int i = 0; i < 99; i++){
- useful[i] ^= useful[i+1] + 'c';
- }
- return useful;
+// Multiplication dans GF(256) : a * b mod 0x1B
+uint8_t gf_mul(uint8_t a, uint8_t b) {
+ uint8_t p = 0;
+ for (int i = 0; i < 8; i++) {
+ if (b & 1) p ^= a;
+ uint8_t hi_bit = a & 0x80;
+ a <<= 1;
+ if (hi_bit) a ^= 0x1B;
+ b >>= 1;
+ }
+ return p;
 }
-int cmp_hash(char* decoded){
- unsigned char hash[32] = {0xf4,0xed,0x2a,0x38,0xd2,0xff,0xcc,0x38,0xbc,0x63,0x28,0x46,0xaf,0xe2,0x4f,0x34,0x2d,0xd8,0xb8,0x5e,0x74,0xbd,0x73,0x99,0x2d,0x91,0x56,0x24,0xb4,0x73,0x5d,0xee};
- unsigned char hash_computed[32];
- lonesha256(hash_computed, (unsigned char*) decoded, sizeof(char)*57);
- for(int i = 0; i < 32; i++){
- if(hash[i] != hash_computed[i]){
- return hash[i]-hash_computed[i];
+// Évaluation d'un polynôme de degré 7 sur GF(256)
+uint8_t evaluate_polynomial(uint8_t x, const uint8_t coeffs[8]) {
+ uint8_t result = 0;
+ uint8_t x_pow = 1;
+ for (int j = 0; j < 8; j++) {
+ result ^= gf_mul(coeffs[j], x_pow);
+ x_pow = gf_mul(x_pow, x);
+ }
+ return result;
+}
+
+/* 
==============================================================================
+ * MOTEUR D'OBFUSCATION BRANCHLESS (POINT-FUNCTION OBFUSCATION)
+ * ============================================================================== */
+int main(int argc, char* argv[]) {
+ if (argc < 2 || strlen(argv[1]) < 8) {
+ printf("Arguments invalides.\n");
+ return 1;
+ }
+
+ uint8_t input[8];
+ memcpy(input, argv[1], 8);
+
+ /* --------------------------------------------------------------------------
+ * 1. EXPANSION SPATIALE (FORWARD-COMPUTATION)
+ * Objectif : Projeter l'entrée (8 octets) sur un espace pseudo-aléatoire de
+ * 64 octets (512 bits) pour remplir parfaitement un bloc de compression
+ * SHA-256 sans ajout de bits de padding prévisibles.
+ *
+ * Équation de récurrence non-linéaire :
+ * S_{c, i+1} = P_{c, i}(S_{c, i} \oplus x_i)
+ * où:
+ * - c : Index de la chaîne d'évaluation parallèle (de 0 à 7).
+ * - i : Index du caractère de l'entrée en cours de traitement (de 0 à 7).
+ * - S_{c, i} : État interne de la chaîne 'c' à l'étape 'i'.
+ * - x_i : i-ème octet (caractère) de l'entrée fournie.
+ * - P_{c, i} : Polynôme de transition aléatoire sur GF(2^8) spécifique à cette étape.
+ * -------------------------------------------------------------------------- */
+
+ uint8_t super_bloc[64];
+ for (int c = 0; c < 8; c++) {
+ uint8_t state = INITIAL_STATES[c];
+ for (int i = 0; i < 8; i++) {
+ // Mélange non-linéaire du caractère d'entrée avec l'état courant
+ state = evaluate_polynomial(state ^ input[i], POLY_COEFFS[c][i]);
+ // Capture de la trace pour former le bloc final
+ super_bloc[c * 8 + i] = state;
 }
 }
+
+ /* --------------------------------------------------------------------------
+ * 2. 
VÉRIFICATION D'INTÉGRITÉ (ORACLE ALÉATOIRE)
+ * Calcul de l'empreinte H1 = SHA256(super_bloc)
+ * -------------------------------------------------------------------------- */
+ unsigned char h1[32];
+ lonesha256(h1, super_bloc, 64);
+
+ // Accumulation des erreurs bit-à-bit par rapport à la cible cryptographique
+ // Diff = \bigvee_{k=0}^{31} (H_1[k] ^ H_{cible}[k])
+ uint32_t diff = 0;
+ for (int i = 0; i < 32; i++) {
+ diff |= (h1[i] ^ h_cible[i]);
+ }
+
+ /* --------------------------------------------------------------------------
+ * 3. FILTRE MATHÉMATIQUE "BRANCHLESS" (ZÉRO CONDITION)
+ * Transforme l'erreur accumulée en un masque binaire absolu.
+ * Formule : Mask = ( (Diff | (~Diff + 1)) >> 63 ) - 1
+ * -------------------------------------------------------------------------- */
+
+ uint64_t diff64 = diff;
+
+ // Si diff > 0 (mot de passe faux) -> is_wrong = 1
+ // Si diff == 0 (mot de passe bon) -> is_wrong = 0
+ uint64_t is_wrong = (diff64 | (~diff64 + 1)) >> 63;
+
+ // Si is_wrong == 1 -> Mask = 0x0000000000000000 (Ferme la porte au payload)
+ // Si is_wrong == 0 -> Mask = 0xFFFFFFFFFFFFFFFF (Ouvre la porte au payload)
+ uint64_t mask = is_wrong - 1;
+
+ /* --------------------------------------------------------------------------
+ * 4. DÉRIVATION DE LA CLÉ DE LEURRE (COMPORTEMENT GOODWARE)
+ * K_G = SHA256(L)_{[0..7]} où L est une chaîne d'apparence inoffensive.
+ * Permet une indistinguabilité totale lors d'une analyse statique (strings).
+ * -------------------------------------------------------------------------- */
+ unsigned char leurre[] = "Microsoft_CRT_Initialization";
+ unsigned char h_leurre[32];
+ lonesha256(h_leurre, leurre, 28); // K_G correspond aux 8 premiers octets
+
+ /* --------------------------------------------------------------------------
+ * 5. SÉPARATION DES DOMAINES (DOMAIN SEPARATION)
+ * Calcul de l'empreinte de dérivation H2. 
+ * H_2 = SHA256(super_bloc \parallel \text{"DERIVATION"})
+ * Garantit l'indépendance mathématique entre la vérification (H1) et le déchiffrement (H2).
+ * -------------------------------------------------------------------------- */
+
+ unsigned char buffer_h2[74]; // 64 octets (SB) + 10 octets (Sel)
+ memcpy(buffer_h2, super_bloc, 64);
+ memcpy(buffer_h2 + 64, "DERIVATION", 10);
+
+ unsigned char h2[32];
+ lonesha256(h2, buffer_h2, 74);
+
+ /* --------------------------------------------------------------------------
+ * 6. RÉSOLUTION ALGÉBRIQUE ET DÉCHIFFREMENT
+ * Formule maîtresse : K_{finale} = K_G ^ ( (E_\Delta ^ H_2) \ \& \ Mask )
+ * - Si Mask == 0x00 : K_{finale} = K_G ^ 0 = K_G (Goodware)
+ * - Si Mask == 0xFF : K_{finale} = K_G ^ \Delta = K_G ^ (K_M ^ K_G) = K_M (Malware)
+ * -------------------------------------------------------------------------- */
+ unsigned char derived_key[8];
+ for (int i = 0; i < 8; i++) {
+ // Tentative de déchiffrement du secret (\Delta)
+ uint8_t computed_delta = enc_delta[i] ^ h2[i];
+
+ // Application du masque d'annihilation (filtre AND)
+ uint8_t applied_delta = computed_delta & (mask & 0xFF);
+
+ // Recombinaison finale de la clé
+ derived_key[i] = h_leurre[i] ^ applied_delta;
+
+ // Déchiffrement immédiat in-place du payload
+ payload[i] ^= derived_key[i];
+ }
+ payload[7] = '\0'; // Protection d'affichage C-String
+
+ /* --------------------------------------------------------------------------
+ * 7. 
EXÉCUTION DU PAYLOAD DÉCHIFFRÉ
+ * -------------------------------------------------------------------------- */
+ printf((char*)payload, argv[1]);
+
+ // Boucle infinie demandée pour suspendre le processus
+ while(1){}
+ return 0;
-}
-
-int _tmain(int argc, wchar_t* argv[])
-{
- stdfunclist = new Obfuscated_stdFunclist();
-
-
- FuncList list = {
- this_is_useful_fr_dont_miss_it,
- cmp_hash
- };
- argcverif:
- if(argc <= 1){
- stdfunclist->obfusc_printf("Il est ou l'argv??????");
- goto argcverif;
- exit(1);
- }
- // char* encoded = "Salut a tous les amis, gg pour avoir dechiffre ce string";
- char* encoded = "\x64\x55\x58\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41\x51\x12\x54\x51\x13\x44\x47\x46\x5a\x5d\x54";
- char* key = (char*) stdfunclist->obfusc_malloc(sizeof(char)*9);
- for(int i = 0; argv[1][i] != '\0'; ++i) {
- key[i] = (char) argv[1][i] ^ this_is_useful_fr_dont_miss_it()[i] ^ list.p1()[i]; // xors to argv[1][i]
- }
- key[8]='\0';
- // printf("Key: %s\n", key);
- encrypt_decrypt(key,encoded);
- #ifdef _WIN32
- DWORD old;
- VirtualProtect( &list.p1, 0x100, PAGE_EXECUTE_READWRITE, &old);
- #endif
- if(!list.p2(encoded)){ // cmp_hash
- stdfunclist->obfusc_printf("%s", encoded);
- } else {
- stdfunclist->obfusc_printf("%S", argv[1]);
- }
-
- while (true) {
-
- }
- return 0;
-
-}
-
+}
\ No newline at end of file
diff --git a/Malware/Malware/tables_poly.h b/Malware/Malware/tables_poly.h
new file mode 100644
index 0000000..f119c71
--- /dev/null
+++ b/Malware/Malware/tables_poly.h
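Review bot: `printf((char*)payload, argv[1]);` in step 7 passes a runtime-derived buffer as the format string, so any `%` directives that happen to appear in the decrypted bytes are interpreted — and with the decoy key (`mask == 0`) those bytes differ from the intended plaintext, which is exactly the case `-Wformat-security` warns about. If the payload is meant to carry its own `%s` that consumes `argv[1]`, state that in the comment; otherwise print it as data with `printf("%s", (char*)payload);` or `fputs((char*)payload, stdout);`. Two smaller points in step 6: `payload[7] = '\0';` overwrites the eighth decrypted byte, so only seven of the eight key bytes ever affect output, and `lonesha256(h_leurre, leurre, 28);` hardcodes the length of `leurre`, which `sizeof(leurre) - 1` would keep in sync. `while(1){}` is a busy spin that pins a core; a blocking sleep or wait call suspends the process without burning CPU.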
@@ -0,0 +1,93 @@
+#ifndef TABLES_POLY_H
+#define TABLES_POLY_H
+#include
+
+const uint8_t INITIAL_STATES[8] = { 0x8a, 0x4e, 0x86, 0x7e, 0xf3, 0xca, 0x11, 0xd7 };
+unsigned char payload[8] = { 0x0B, 0x44, 0x4F, 0x87, 0x71, 0x9D, 0xEC, 0x2B };
+unsigned char h_cible[32] = { 0x5B, 0x33, 0xBD, 0xF1, 0xD7, 0x9A, 0x71, 0x88, 0x88, 0x7E, 0x28, 0xC9, 0x22, 0x51, 0x62, 0x36, 0xFB, 0xCB, 0x0C, 0xD2, 0xA4, 0xB3, 0x9D, 0x52, 0xE3, 0xAE, 0xDC, 0x05, 0x13, 0x46, 0x22, 0x4D };
+unsigned char enc_delta[8] = { 0x50, 0xC7, 0x1B, 0x22, 0x2B, 0x3A, 0x41, 0xEB };
+
+const uint8_t POLY_COEFFS[8][8][8] = {
+ {
+ { 0xd2, 0x0, 0x35, 0x5e, 0xa2, 0xa2, 0x50, 0xe0 },
+ { 0xda, 0x0, 0xec, 0x4b, 0x9f, 0x5d, 0x8b, 0x1 },
+ { 0xea, 0x15, 0xd3, 0xe9, 0x96, 0xc7, 0x9e, 0xa4 },
+ { 0xdf, 0xe6, 0xca, 0x5, 0x4f, 0x59, 0x5a, 0x25 },
+ { 0xb5, 0xeb, 0x58, 0x7a, 0x9e, 0xfa, 0xe8, 0xab },
+ { 0x13, 0x52, 0x7e, 0x1e, 0xe, 0x31, 0x86, 0xb8 },
+ { 0xb0, 0xa4, 0x5c, 0xbc, 0xa, 0x4d, 0xed, 0x4 },
+ { 0xc7, 0x86, 0xc5, 0x91, 0xc9, 0xa5, 0x65, 0xe },
+ },
+ {
+ { 0x7f, 0x6, 0xbe, 0x68, 0x50, 0x9d, 0xaa, 0x31 },
+ { 0xbd, 0x14, 0xf6, 0xca, 0xaa, 0xa5, 0x26, 0xdc },
+ { 0x4a, 0xea, 0x14, 0x44, 0x1a, 0x3f, 0x4a, 0xef },
+ { 0xfd, 0x6a, 0x11, 0x7f, 0x6d, 0x54, 0xbc, 0x57 },
+ { 0x3, 0x49, 0x2, 0xbf, 0x99, 0xd9, 0x14, 0x58 },
+ { 0x47, 0x9c, 0xbb, 0x3f, 0x49, 0x87, 0x9e, 0x3f },
+ { 0xff, 0xc2, 0xbb, 0xb7, 0x15, 0xec, 0xa1, 0xf7 },
+ { 0xe5, 0xf4, 0xd4, 0xb2, 0x18, 0xe9, 0x40, 0x53 },
+ },
+ {
+ { 0x3, 0x9b, 0x6a, 0xe9, 0x65, 0x3d, 0x40, 0x91 },
+ { 0xa0, 0xc4, 0xff, 0xc8, 0xb2, 0x90, 0xbb, 0x3 },
+ { 0x70, 0x63, 0x57, 0x7a, 0xeb, 0x17, 0x5a, 0x9a },
+ { 0xae, 0x51, 0xf5, 0x9f, 0xdf, 0xcf, 0xc2, 0x8b },
+ { 0x98, 0x65, 0x8b, 0xa7, 0x68, 0x56, 0x28, 0xc1 },
+ { 0x1, 0x78, 0x26, 0x6, 0xce, 0x54, 0x57, 0x4a },
+ { 0x59, 0x80, 0xd, 0xe8, 0xfb, 0x3d, 0xfc, 0xe4 },
+ { 0x23, 0x30, 0xde, 0x2b, 0xb2, 0x4, 0xee, 0x36 },
+ },
+ {
+ { 0x73, 0x26, 0x2d, 0x9e, 0xf5, 0x35, 0xa5, 0xee },
+ { 0x63, 0xff, 0x4a, 0xb1, 0x7a, 0x3a, 
0x67, 0x27 },
+ { 0x7, 0x3, 0xad, 0x84, 0x87, 0x92, 0x2b, 0x35 },
+ { 0x25, 0xa5, 0xe1, 0xb8, 0xb5, 0x5c, 0x5d, 0x94 },
+ { 0x58, 0xe4, 0x6f, 0xc2, 0xb1, 0xfa, 0x66, 0x37 },
+ { 0x3, 0xa, 0x2, 0x63, 0xef, 0xd3, 0x49, 0xcc },
+ { 0x18, 0x9c, 0xd0, 0xe, 0x9c, 0xef, 0x80, 0x8d },
+ { 0x2b, 0x24, 0x87, 0x31, 0xb, 0xd8, 0xaa, 0x29 },
+ },
+ {
+ { 0x1c, 0x95, 0xcc, 0x72, 0x8f, 0x96, 0xe6, 0x56 },
+ { 0x8d, 0x19, 0x4c, 0x66, 0xa0, 0xe2, 0xba, 0x22 },
+ { 0x2d, 0xa9, 0x67, 0x20, 0xf3, 0x1b, 0xaf, 0x4a },
+ { 0x6d, 0x36, 0xda, 0x5, 0x1d, 0xb0, 0x83, 0x7d },
+ { 0xea, 0xb4, 0x49, 0xdf, 0xe7, 0x8, 0xbd, 0x72 },
+ { 0xdb, 0xe0, 0xae, 0xf2, 0xc8, 0x27, 0xcb, 0x6f },
+ { 0x6, 0x95, 0x92, 0xe4, 0xa0, 0x3, 0x39, 0x24 },
+ { 0x9c, 0xe7, 0xeb, 0x72, 0x14, 0x41, 0xd7, 0x33 },
+ },
+ {
+ { 0x20, 0xa8, 0xa8, 0x2d, 0x75, 0x99, 0x3c, 0x9f },
+ { 0x99, 0xe9, 0x1f, 0xc5, 0x9a, 0x72, 0x18, 0x29 },
+ { 0xe4, 0x14, 0xba, 0x3c, 0xad, 0x62, 0xee, 0xea },
+ { 0x4f, 0x1b, 0x17, 0x7f, 0xc8, 0x2, 0xde, 0xe8 },
+ { 0x4e, 0x2b, 0xc7, 0x8a, 0xd, 0x8, 0x8d, 0x1f },
+ { 0x82, 0xf7, 0x6f, 0x77, 0xc3, 0xfd, 0x3d, 0xe1 },
+ { 0xc, 0xdf, 0xe4, 0xa3, 0x68, 0x3a, 0xb8, 0x76 },
+ { 0xae, 0x16, 0xd6, 0x7f, 0x9, 0x30, 0x2, 0xad },
+ },
+ {
+ { 0xce, 0x21, 0x84, 0x8c, 0x76, 0x8b, 0x9c, 0x13 },
+ { 0x7a, 0x13, 0x18, 0xde, 0xd2, 0xb0, 0xd1, 0xa4 },
+ { 0x80, 0x71, 0xff, 0x16, 0x42, 0x98, 0xdc, 0xb1 },
+ { 0x62, 0x13, 0xb7, 0x55, 0xfc, 0x8a, 0x53, 0xd9 },
+ { 0x7c, 0x60, 0xb0, 0xcf, 0xc5, 0x40, 0x4, 0x78 },
+ { 0x1, 0x87, 0xba, 0xc3, 0x2f, 0x77, 0x24, 0x38 },
+ { 0x90, 0xd4, 0x9c, 0xf8, 0x98, 0x77, 0x4f, 0x1e },
+ { 0xb7, 0xc4, 0xe7, 0xad, 0xc0, 0x27, 0x24, 0x3b },
+ },
+ {
+ { 0xd2, 0x79, 0x3c, 0xca, 0xd8, 0x10, 0x6a, 0x36 },
+ { 0xb7, 0xd7, 0x8e, 0x6a, 0xe1, 0x40, 0x0, 0x65 },
+ { 0x6d, 0x71, 0x59, 0x4b, 0x2f, 0x44, 0x68, 0xba },
+ { 0x2e, 0xa3, 0x2c, 0x78, 0xfd, 0x7, 0x21, 0xa3 },
+ { 0xd0, 0xe, 0x3f, 0x29, 0x3d, 0x5c, 0xa6, 0x12 },
+ { 0x2b, 0x49, 0x18, 0x92, 0xb5, 0x80, 0xd0, 0xf0 },
+ { 0xaa, 0x93, 0xa8, 0xd1, 
0x14, 0x1c, 0xa5, 0xe5 },
+ { 0x32, 0x48, 0xd7, 0x6d, 0xd4, 0x13, 0x3d, 0x9 },
+ },
+};
+
+#endif
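Review bot: `payload`, `h_cible` and `enc_delta` are defined, not merely declared, in this header with external linkage, so any second translation unit that includes `tables_poly.h` will fail to link with duplicate symbols, and `payload` is additionally mutated in place by `main`, which turns a header into hidden mutable program state. The `const uint8_t` tables are fine because `const` namespace-scope objects have internal linkage in C++; give the three `unsigned char` arrays the same treatment, e.g. `static unsigned char payload[8] = { … };`, and make `h_cible` and `enc_delta` `const` since nothing in the diff writes them (or move the definitions to a `.cpp` behind `extern` declarations). If these tables come from a generator script, a one-line header comment naming it would help, since the values cannot be reviewed by hand.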