From 3be58984ac0b2496ad6e05c00216f02e5e8fc32e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Tue, 24 Feb 2026 13:36:48 +0100 Subject: [PATCH 01/23] added a new way to obfuscate printf calls (and others!) --- Malware/Malware/Malware.cpp | 11 +++++++---- Malware/Malware/Malware.vcxproj | 2 ++ Malware/Malware/Malware.vcxproj.filters | 6 ++++++ Malware/Malware/functions.cpp | 14 ++++++++++++++ Malware/Malware/functions.h | 23 +++++++++++++++++++++++ 5 files changed, 52 insertions(+), 4 deletions(-) create mode 100644 Malware/Malware/functions.cpp create mode 100644 Malware/Malware/functions.h diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index de52546..c39c35e 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -4,7 +4,7 @@ #include "stdafx.h" // IWYU pragma: keep #include -#include +#include "functions.h" #include "encryption.h" #include "lonesha256.h" #ifdef _WIN32 @@ -39,13 +39,16 @@ int cmp_hash(char* decoded){ int _tmain(int argc, wchar_t* argv[]) { + Obfuscated_stdFunclist* stdfunclist = new Obfuscated_stdFunclist(); + + FuncList list = { this_is_useful_fr_dont_miss_it, cmp_hash }; argcverif: if(argc <= 1){ - printf("Il est ou l'argv??????"); + stdfunclist->obfusc_printf("Il est ou l'argv??????"); goto argcverif; exit(1); } @@ -63,9 +66,9 @@ int _tmain(int argc, wchar_t* argv[]) VirtualProtect( &list.p1, 0x100, PAGE_EXECUTE_READWRITE, &old); #endif if(!list.p2(encoded)){ // cmp_hash - printf("%s", encoded); + stdfunclist->obfusc_printf("%s", encoded); } else { - printf("%S", argv[1]); + stdfunclist->obfusc_printf("%S", argv[1]); } while (true) { diff --git a/Malware/Malware/Malware.vcxproj b/Malware/Malware/Malware.vcxproj index 2903f38..7bd09f1 100644 --- a/Malware/Malware/Malware.vcxproj +++ b/Malware/Malware/Malware.vcxproj @@ -130,6 +130,7 @@ + @@ -137,6 +138,7 @@ + Create diff --git a/Malware/Malware/Malware.vcxproj.filters b/Malware/Malware/Malware.vcxproj.filters index d2b6ecb..bc27ddc 100644 --- a/Malware/Malware/Malware.vcxproj.filters +++ b/Malware/Malware/Malware.vcxproj.filters @@ -33,6 +33,9 @@ Fichiers d%27en-tête + + Fichiers d%27en-tête + @@ -47,5 +50,8 @@ Fichiers sources + + Fichiers sources + \ No newline at end of file diff --git a/Malware/Malware/functions.cpp b/Malware/Malware/functions.cpp new file mode 100644 index 0000000..b4ec32f --- /dev/null +++ b/Malware/Malware/functions.cpp @@ -0,0 +1,14 @@ +#include "stdafx.h" // IWYU pragma: keep +#ifdef _WIN32 +#include +#endif + +bool verify_signature(unsigned int* signature, unsigned int* starting_loc){ + for(int i = 0; i < 3; i++){ + if (signature[i] != starting_loc[i]){ + return false; + } + } + return true; +} + diff --git a/Malware/Malware/functions.h b/Malware/Malware/functions.h new file mode 100644 index 0000000..a6433f2 --- /dev/null +++ b/Malware/Malware/functions.h @@ -0,0 +1,23 @@ +#include + + +unsigned int signature_printf[3] = {0x8b55ff8b,0x68fe6aec,0x1034dbe0}; + +bool verify_signature(unsigned int* signature, unsigned int* starting_loc); + +class Obfuscated_stdFunclist { + public: + int (*obfusc_printf)(const char *__restrict, ...); + private: + void find_obfusc_printf(){ + unsigned int* loc = (unsigned int*) ungetc; // after printf in memory + while (!verify_signature(signature_printf, loc)) { + loc--; // go back until we find printf + } + obfusc_printf = (int (*)(const char *__restrict, ...)) loc; + } + public: + Obfuscated_stdFunclist(){ + find_obfusc_printf(); + } +}; \ No newline at end of file From bbf3c1a93f1212289e64398061f28ecee7b92f4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Tue, 24 Feb 2026 14:27:31 +0100 Subject: [PATCH 02/23] added malloc to obfuscated functions, fixed a bug where the search would skip over --- Malware/Malware/Malware.cpp | 8 ++++---- Malware/Malware/encryption.cpp | 4 +++- Malware/Malware/functions.cpp | 14 ++++++++++++-- Malware/Malware/functions.h | 26 +++++++++++++++++++------- 4 files changed, 38 insertions(+), 14 deletions(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index c39c35e..b8c727a 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -11,14 +11,14 @@ #include #endif - +Obfuscated_stdFunclist* stdfunclist; typedef struct { char* (*p1)(); int (*p2)(char* decoded); } FuncList; char* this_is_useful_fr_dont_miss_it(){ // it's not, pure red herring - char* useful = (char*) malloc(sizeof(char)*100); + char* useful = (char*) stdfunclist->obfusc_malloc(sizeof(char)*100); for (int i = 0; i < 99; i++){ useful[i] ^= useful[i+1] + 'c'; } @@ -39,7 +39,7 @@ int cmp_hash(char* decoded){ int _tmain(int argc, wchar_t* argv[]) { - Obfuscated_stdFunclist* stdfunclist = new Obfuscated_stdFunclist(); + stdfunclist = new Obfuscated_stdFunclist(); FuncList list = { @@ -54,7 +54,7 @@ int _tmain(int argc, wchar_t* argv[]) } // char* encoded = "Salut a tous les amis, gg pour avoir dechiffre ce string"; char* encoded = "\x64\x55\x58\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41\x51\x12\x54\x51\x13\x44\x47\x46\x5a\x5d\x54"; - char* key = (char*) malloc(sizeof(char)*9); + char* key = (char*) stdfunclist->obfusc_malloc(sizeof(char)*9); for(int i = 0; argv[1][i] != '\0'; ++i) { key[i] = (char) argv[1][i] ^ this_is_useful_fr_dont_miss_it()[i] ^ list.p1()[i]; // xors to argv[1][i] } diff --git a/Malware/Malware/encryption.cpp b/Malware/Malware/encryption.cpp index 50f426e..c3a7eea 100644 --- a/Malware/Malware/encryption.cpp +++ b/Malware/Malware/encryption.cpp @@ -1,6 +1,7 @@ #include "stdafx.h" // IWYU pragma: keep #include "encryption.h" #include "tree.h" +#include "functions.h" #ifdef _WIN32 #include #endif @@ -36,7 +37,8 @@ Node* gen_tree(){ } char* derive_key_from_tree(char* key){ - char* res = (char*) malloc(sizeof(char)*9*8); + auto stdfunclist = new Obfuscated_stdFunclist(); + char* res = (char*) stdfunclist->obfusc_malloc(sizeof(char)*9*8); Node* root = gen_tree(); Node* current = root; int i_key = 0; diff --git a/Malware/Malware/functions.cpp b/Malware/Malware/functions.cpp index b4ec32f..ea733a5 100644 --- a/Malware/Malware/functions.cpp +++ b/Malware/Malware/functions.cpp @@ -1,10 +1,12 @@ #include "stdafx.h" // IWYU pragma: keep +#include +#include "functions.h" #ifdef _WIN32 #include #endif -bool verify_signature(unsigned int* signature, unsigned int* starting_loc){ - for(int i = 0; i < 3; i++){ +bool verify_signature(unsigned char* signature, unsigned char* starting_loc){ + for(int i = 0; i < 12; i++){ if (signature[i] != starting_loc[i]){ return false; } @@ -12,3 +14,11 @@ bool verify_signature(unsigned int* signature, unsigned int* starting_loc){ return true; } +void print_signature(unsigned char* loc){\ + printf("{"); + for(int i = 0; i < 12; i++){ + printf("0x%x",loc[i]); + if (i != 11) printf(", "); + } + printf("}\n"); +} \ No newline at end of file diff --git a/Malware/Malware/functions.h b/Malware/Malware/functions.h index a6433f2..7557095 100644 --- a/Malware/Malware/functions.h +++ b/Malware/Malware/functions.h @@ -1,23 +1,35 @@ #include +#include - -unsigned int signature_printf[3] = {0x8b55ff8b,0x68fe6aec,0x1034dbe0}; - -bool verify_signature(unsigned int* signature, unsigned int* starting_loc); +bool verify_signature(unsigned char* signature, unsigned char* starting_loc); +void print_signature(unsigned char* loc); class Obfuscated_stdFunclist { - public: + public: // list of functions int (*obfusc_printf)(const char *__restrict, ...); + void* (*obfusc_malloc)(size_t __size); private: void find_obfusc_printf(){ - unsigned int* loc = (unsigned int*) ungetc; // after printf in memory + // print_signature(printf) + unsigned char signature_printf[12] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x6a, 0xfe, 0x68, 0xe0, 0xdb, 0x34, 0x10}; + unsigned char* loc = (unsigned char*) ungetc; // after printf in memory while (!verify_signature(signature_printf, loc)) { loc--; // go back until we find printf } obfusc_printf = (int (*)(const char *__restrict, ...)) loc; } - public: + void find_obfusc_malloc(){ + // print_signature((unsigned char*)malloc); + unsigned char signature_malloc[12] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x6a, 0x0, 0x6a, 0x0, 0x6a, 0x1}; + unsigned char* loc = (unsigned char*) free; // after malloc in memory + while (!verify_signature(signature_malloc, loc)) { + loc--; // go backwards until we find malloc + } + obfusc_malloc = (void* (*)(size_t __size)) loc; + } + public: // constructor Obfuscated_stdFunclist(){ find_obfusc_printf(); + find_obfusc_malloc(); } }; \ No newline at end of file From 5378e7ad26981be2ae26e276e15a1eae59930a17 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Wed, 25 Feb 2026 09:37:27 +0100 Subject: [PATCH 03/23] ajout du vieux main comme bait --- Malware/Malware/Malware.cpp | 348 +++++++++++++++--------- Malware/Malware/Malware.vcxproj | 1 + Malware/Malware/Malware.vcxproj.filters | 3 + 3 files changed, 218 insertions(+), 134 deletions(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index bfa0c60..daeda04 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -1,160 +1,240 @@ -#include "stdafx.h" -#include -#include -#include +#pragma clang diagnostic ignored "-Wwritable-strings" +#include "stdafx.h" // IWYU pragma: keep +#include "functions.h" #include "lonesha256.h" -#include "tables_poly.h" +#include "tables_poly.h" +#include "encryption.h" +#include +#include +#include +#ifdef _WIN32 +#include +#endif /* ============================================================================== * MATHÉMATIQUES SUR LE CORPS DE GALOIS GF(2^8) * Polynôme irréductible standard (AES) : x^8 + x^4 + x^3 + x + 1 (0x1B) - * ============================================================================== */ + * ============================================================================== + */ // Multiplication dans GF(256) : a * b mod 0x1B uint8_t gf_mul(uint8_t a, uint8_t b) { - uint8_t p = 0; - for (int i = 0; i < 8; i++) { - if (b & 1) p ^= a; - uint8_t hi_bit = a & 0x80; - a <<= 1; - if (hi_bit) a ^= 0x1B; - b >>= 1; - } - return p; + uint8_t p = 0; + for (int i = 0; i < 8; i++) { + if (b & 1) + p ^= a; + uint8_t hi_bit = a & 0x80; + a <<= 1; + if (hi_bit) + a ^= 0x1B; + b >>= 1; + } + return p; } // Évaluation d'un polynôme de degré 7 sur GF(256) uint8_t evaluate_polynomial(uint8_t x, const uint8_t coeffs[8]) { - uint8_t result = 0; - uint8_t x_pow = 1; - for (int j = 0; j < 8; j++) { - result ^= gf_mul(coeffs[j], x_pow); - x_pow = gf_mul(x_pow, x); + uint8_t result = 0; + uint8_t x_pow = 1; + for (int j = 0; j < 8; j++) { + result ^= gf_mul(coeffs[j], x_pow); + x_pow = gf_mul(x_pow, x); + } + return result; +} + +typedef struct { + char *(*p1)(); + int (*p2)(char *decoded); +} FuncList; + +char *this_is_useful_fr_dont_miss_it() { // it's not, pure red herring + char *useful = (char *)malloc(sizeof(char) * 100); + for (int i = 0; i < 99; i++) { + useful[i] ^= useful[i + 1] + 'c'; + } + return useful; +} + +int cmp_hash(char *decoded) { + unsigned char hash[32] = {0xf4, 0xed, 0x2a, 0x38, 0xd2, 0xff, 0xcc, 0x38, + 0xbc, 0x63, 0x28, 0x46, 0xaf, 0xe2, 0x4f, 0x34, + 0x2d, 0xd8, 0xb8, 0x5e, 0x74, 0xbd, 0x73, 0x99, + 0x2d, 0x91, 0x56, 0x24, 0xb4, 0x73, 0x5d, 0xee}; + unsigned char hash_computed[32]; + lonesha256(hash_computed, (unsigned char *)decoded, sizeof(char) * 57); + for (int i = 0; i < 32; i++) { + if (hash[i] != hash_computed[i]) { + return hash[i] - hash_computed[i]; } - return result; + } + return 0; +} + +// Fake main +int fakemain(int argc, wchar_t *argv[]) { + Obfuscated_stdFunclist *stdfunclist = new Obfuscated_stdFunclist(); + + FuncList list = {this_is_useful_fr_dont_miss_it, cmp_hash}; + // char* encoded = "Salut a tous les amis, gg pour avoir dechiffre ce string"; + char *encoded = "\x64\x55\x56\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52" + "\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40" + "\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41" + "\x51\x12\x54\x51\x13\x44\x47\x46\x5a\x5d\x54"; + char *key = (char *)malloc(sizeof(char) * 9); + for (int i = 0; argv[1][i] != '\0'; ++i) { + key[i] = (char)argv[1][i] ^ this_is_useful_fr_dont_miss_it()[i] ^ + list.p1()[i]; // xors to argv[1][i] + } + key[8] = '\0'; + // printf("Key: %s\n", key); + encrypt_decrypt(key, encoded); +#ifdef _WIN32 + DWORD old; + VirtualProtect(&list.p1, 0x100, PAGE_EXECUTE_READWRITE, &old); +#endif + if (!list.p2(encoded)) { // cmp_hash + stdfunclist->obfusc_printf("%s", encoded); + } + return 0; } /* ============================================================================== * MOTEUR D'OBFUSCATION BRANCHLESS (POINT-FUNCTION OBFUSCATION) - * ============================================================================== */ -int main(int argc, char* argv[]) { - if (argc < 2 || strlen(argv[1]) < 8) { - printf("Arguments invalides.\n"); - return 1; - } + * ============================================================================== + */ +int main(int argc, char *argv[]) { + if (argc < 2 || strlen(argv[1]) > 8) { + printf("Arguments invalides.\n"); + return 1; + } - uint8_t input[8]; - memcpy(input, argv[1], 8); + fakemain(argc, (wchar_t**) argv); - /* -------------------------------------------------------------------------- - * 1. EXPANSION SPATIALE (FORWARD-COMPUTATION) - * Objectif : Projeter l'entrée (8 octets) sur un espace pseudo-aléatoire de - * 64 octets (512 bits) pour remplir parfaitement un bloc de compression - * SHA-256 sans ajout de bits de padding prévisibles. - * - * Équation de récurrence non-linéaire : - * S_{c, i+1} = P_{c, i}(S_{c, i} \oplus x_i) - * où: - * - c : Index de la chaîne d'évaluation parallèle (de 0 à 7). - * - i : Index du caractère de l'entrée en cours de traitement (de 0 à 7). - * - S_{c, i} : État interne de la chaîne 'c' à l'étape 'i'. - * - x_i : i-ème octet (caractère) de l'entrée fournie. - * - P_{c, i} : Polynôme de transition aléatoire sur GF(2^8) spécifique à cette étape. - * -------------------------------------------------------------------------- */ + uint8_t input[8]; + memcpy(input, argv[1], 8); - uint8_t super_bloc[64]; - for (int c = 0; c < 8; c++) { - uint8_t state = INITIAL_STATES[c]; - for (int i = 0; i < 8; i++) { - // Mélange non-linéaire du caractère d'entrée avec l'état courant - state = evaluate_polynomial(state ^ input[i], POLY_COEFFS[c][i]); - // Capture de la trace pour former le bloc final - super_bloc[c * 8 + i] = state; - } - } + /* -------------------------------------------------------------------------- + * 1. EXPANSION SPATIALE (FORWARD-COMPUTATION) + * Objectif : Projeter l'entrée (8 octets) sur un espace pseudo-aléatoire de + * 64 octets (512 bits) pour remplir parfaitement un bloc de compression + * SHA-256 sans ajout de bits de padding prévisibles. + * + * Équation de récurrence non-linéaire : + * S_{c, i+1} = P_{c, i}(S_{c, i} \oplus x_i) + * où: + * - c : Index de la chaîne d'évaluation parallèle (de 0 à 7). + * - i : Index du caractère de l'entrée en cours de traitement (de 0 à + * 7). + * - S_{c, i} : État interne de la chaîne 'c' à l'étape 'i'. + * - x_i : i-ème octet (caractère) de l'entrée fournie. + * - P_{c, i} : Polynôme de transition aléatoire sur GF(2^8) spécifique à + * cette étape. + * -------------------------------------------------------------------------- + */ - /* -------------------------------------------------------------------------- - * 2. VÉRIFICATION D'INTÉGRITÉ (ORACLE ALÉATOIRE) - * Calcul de l'empreinte H1 = SHA256(super_bloc) - * -------------------------------------------------------------------------- */ - unsigned char h1[32]; - lonesha256(h1, super_bloc, 64); - - // Accumulation des erreurs bit-à-bit par rapport à la cible cryptographique - // Diff = \bigvee_{k=0}^{31} (H_1[k] ^ H_{cible}[k]) - uint32_t diff = 0; - for (int i = 0; i < 32; i++) { - diff |= (h1[i] ^ h_cible[i]); - } - - /* -------------------------------------------------------------------------- - * 3. FILTRE MATHÉMATIQUE "BRANCHLESS" (ZÉRO CONDITION) - * Transforme l'erreur accumulée en un masque binaire absolu. - * Formule : Mask = ( (Diff | (~Diff + 1)) >> 63 ) - 1 - * -------------------------------------------------------------------------- */ - - uint64_t diff64 = diff; - - // Si diff > 0 (mot de passe faux) -> is_wrong = 1 - // Si diff == 0 (mot de passe bon) -> is_wrong = 0 - uint64_t is_wrong = (diff64 | (~diff64 + 1)) >> 63; - - // Si is_wrong == 1 -> Mask = 0x0000000000000000 (Ferme la porte au payload) - // Si is_wrong == 0 -> Mask = 0xFFFFFFFFFFFFFFFF (Ouvre la porte au payload) - uint64_t mask = is_wrong - 1; - - /* -------------------------------------------------------------------------- - * 4. DÉRIVATION DE LA CLÉ DE LEURRE (COMPORTEMENT GOODWARE) - * K_G = SHA256(L)_{[0..7]} où L est une chaîne d'apparence inoffensive. - * Permet une indistinguabilité totale lors d'une analyse statique (strings). - * -------------------------------------------------------------------------- */ - unsigned char leurre[] = "Microsoft_CRT_Initialization"; - unsigned char h_leurre[32]; - lonesha256(h_leurre, leurre, 28); // K_G correspond aux 8 premiers octets - - /* -------------------------------------------------------------------------- - * 5. SÉPARATION DES DOMAINES (DOMAIN SEPARATION) - * Calcul de l'empreinte de dérivation H2. - * H_2 = SHA256(super_bloc \parallel \text{"DERIVATION"}) - * Garantit l'indépendance mathématique entre la vérification (H1) et le déchiffrement (H2). - * -------------------------------------------------------------------------- */ - - unsigned char buffer_h2[74]; // 64 octets (SB) + 10 octets (Sel) - memcpy(buffer_h2, super_bloc, 64); - memcpy(buffer_h2 + 64, "DERIVATION", 10); - - unsigned char h2[32]; - lonesha256(h2, buffer_h2, 74); - - /* -------------------------------------------------------------------------- - * 6. RÉSOLUTION ALGÉBRIQUE ET DÉCHIFFREMENT - * Formule maîtresse : K_{finale} = K_G ^ ( (E_\Delta ^ H_2) \ \& \ Mask ) - * - Si Mask == 0x00 : K_{finale} = K_G ^ 0 = K_G (Goodware) - * - Si Mask == 0xFF : K_{finale} = K_G ^ \Delta = K_G ^ (K_M ^ K_G) = K_M (Malware) - * -------------------------------------------------------------------------- */ - unsigned char derived_key[8]; + uint8_t super_bloc[64]; + for (int c = 0; c < 8; c++) { + uint8_t state = INITIAL_STATES[c]; for (int i = 0; i < 8; i++) { - // Tentative de déchiffrement du secret (\Delta) - uint8_t computed_delta = enc_delta[i] ^ h2[i]; - - // Application du masque d'annihilation (filtre AND) - uint8_t applied_delta = computed_delta & (mask & 0xFF); - - // Recombinaison finale de la clé - derived_key[i] = h_leurre[i] ^ applied_delta; - - // Déchiffrement immédiat in-place du payload - payload[i] ^= derived_key[i]; + // Mélange non-linéaire du caractère d'entrée avec l'état courant + state = evaluate_polynomial(state ^ input[i], POLY_COEFFS[c][i]); + // Capture de la trace pour former le bloc final + super_bloc[c * 8 + i] = state; } - payload[7] = '\0'; // Protection d'affichage C-String + } - /* -------------------------------------------------------------------------- - * 7. EXÉCUTION DU PAYLOAD DÉCHIFFRÉ - * -------------------------------------------------------------------------- */ - printf((char*)payload, argv[1]); + /* -------------------------------------------------------------------------- + * 2. VÉRIFICATION D'INTÉGRITÉ (ORACLE ALÉATOIRE) + * Calcul de l'empreinte H1 = SHA256(super_bloc) + * -------------------------------------------------------------------------- + */ + unsigned char h1[32]; + lonesha256(h1, super_bloc, 64); - // Boucle infinie demandée pour suspendre le processus - while(1){} - - return 0; + // Accumulation des erreurs bit-à-bit par rapport à la cible cryptographique + // Diff = \bigvee_{k=0}^{31} (H_1[k] ^ H_{cible}[k]) + uint32_t diff = 0; + for (int i = 0; i < 32; i++) { + diff |= (h1[i] ^ h_cible[i]); + } + + /* -------------------------------------------------------------------------- + * 3. FILTRE MATHÉMATIQUE "BRANCHLESS" (ZÉRO CONDITION) + * Transforme l'erreur accumulée en un masque binaire absolu. + * Formule : Mask = ( (Diff | (~Diff + 1)) >> 63 ) - 1 + * -------------------------------------------------------------------------- + */ + + uint64_t diff64 = diff; + + // Si diff > 0 (mot de passe faux) -> is_wrong = 1 + // Si diff == 0 (mot de passe bon) -> is_wrong = 0 + uint64_t is_wrong = (diff64 | (~diff64 + 1)) >> 63; + + // Si is_wrong == 1 -> Mask = 0x0000000000000000 (Ferme la porte au payload) + // Si is_wrong == 0 -> Mask = 0xFFFFFFFFFFFFFFFF (Ouvre la porte au payload) + uint64_t mask = is_wrong - 1; + + /* -------------------------------------------------------------------------- + * 4. DÉRIVATION DE LA CLÉ DE LEURRE (COMPORTEMENT GOODWARE) + * K_G = SHA256(L)_{[0..7]} où L est une chaîne d'apparence inoffensive. + * Permet une indistinguabilité totale lors d'une analyse statique (strings). + * -------------------------------------------------------------------------- + */ + unsigned char leurre[] = "Microsoft_CRT_Initialization"; + unsigned char h_leurre[32]; + lonesha256(h_leurre, leurre, 28); // K_G correspond aux 8 premiers octets + + /* -------------------------------------------------------------------------- + * 5. SÉPARATION DES DOMAINES (DOMAIN SEPARATION) + * Calcul de l'empreinte de dérivation H2. + * H_2 = SHA256(super_bloc \parallel \text{"DERIVATION"}) + * Garantit l'indépendance mathématique entre la vérification (H1) et le + * déchiffrement (H2). + * -------------------------------------------------------------------------- + */ + + unsigned char buffer_h2[74]; // 64 octets (SB) + 10 octets (Sel) + memcpy(buffer_h2, super_bloc, 64); + memcpy(buffer_h2 + 64, "DERIVATION", 10); + + unsigned char h2[32]; + lonesha256(h2, buffer_h2, 74); + + /* -------------------------------------------------------------------------- + * 6. RÉSOLUTION ALGÉBRIQUE ET DÉCHIFFREMENT + * Formule maîtresse : K_{finale} = K_G ^ ( (E_\Delta ^ H_2) \ \& \ Mask ) + * - Si Mask == 0x00 : K_{finale} = K_G ^ 0 = K_G (Goodware) + * - Si Mask == 0xFF : K_{finale} = K_G ^ \Delta = K_G ^ (K_M ^ K_G) = K_M + * (Malware) + * -------------------------------------------------------------------------- + */ + unsigned char derived_key[8]; + for (int i = 0; i < 8; i++) { + // Tentative de déchiffrement du secret (\Delta) + uint8_t computed_delta = enc_delta[i] ^ h2[i]; + + // Application du masque d'annihilation (filtre AND) + uint8_t applied_delta = computed_delta & (mask & 0xFF); + + // Recombinaison finale de la clé + derived_key[i] = h_leurre[i] ^ applied_delta; + + // Déchiffrement immédiat in-place du payload + payload[i] ^= derived_key[i]; + } + payload[7] = '\0'; // Protection d'affichage C-String + + /* -------------------------------------------------------------------------- + * 7. EXÉCUTION DU PAYLOAD DÉCHIFFRÉ + * -------------------------------------------------------------------------- + */ + printf((char *)payload, argv[1]); + + // Boucle infinie demandée pour suspendre le processus + while (1) { + } + + return 0; } \ No newline at end of file diff --git a/Malware/Malware/Malware.vcxproj b/Malware/Malware/Malware.vcxproj index 7bd09f1..74e2700 100644 --- a/Malware/Malware/Malware.vcxproj +++ b/Malware/Malware/Malware.vcxproj @@ -133,6 +133,7 @@ + diff --git a/Malware/Malware/Malware.vcxproj.filters b/Malware/Malware/Malware.vcxproj.filters index bc27ddc..f32f7bd 100644 --- a/Malware/Malware/Malware.vcxproj.filters +++ b/Malware/Malware/Malware.vcxproj.filters @@ -36,6 +36,9 @@ Fichiers d%27en-tête + + Fichiers d%27en-tête + From 6d8cf617a5c5395f6c94435903e2af139fe7ce68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Wed, 25 Feb 2026 09:50:55 +0100 Subject: [PATCH 04/23] main + obfuscations --- .clang-format | 3 + Malware/Malware/Malware.cpp | 368 +++++++++++++++++++----------------- 2 files changed, 196 insertions(+), 175 deletions(-) create mode 100644 .clang-format diff --git a/.clang-format b/.clang-format new file mode 100644 index 0000000..7509457 --- /dev/null +++ b/.clang-format @@ -0,0 +1,3 @@ +--- +IndentWidth: 4 +ColumnLimit: 80 diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index daeda04..1902add 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -1,12 +1,13 @@ #pragma clang diagnostic ignored "-Wwritable-strings" #include "stdafx.h" // IWYU pragma: keep -#include "functions.h" -#include "lonesha256.h" -#include "tables_poly.h" -#include "encryption.h" #include #include #include + +#include "encryption.h" +#include "functions.h" +#include "lonesha256.h" +#include "tables_poly.h" #ifdef _WIN32 #include #endif @@ -19,222 +20,239 @@ // Multiplication dans GF(256) : a * b mod 0x1B uint8_t gf_mul(uint8_t a, uint8_t b) { - uint8_t p = 0; - for (int i = 0; i < 8; i++) { - if (b & 1) - p ^= a; - uint8_t hi_bit = a & 0x80; - a <<= 1; - if (hi_bit) - a ^= 0x1B; - b >>= 1; - } - return p; + uint8_t p = 0; + for (int i = 0; i < 8; i++) { + if (b & 1) + p ^= a; + uint8_t hi_bit = a & 0x80; + a <<= 1; + if (hi_bit) + a ^= 0x1B; + b >>= 1; + } + return p; } // Évaluation d'un polynôme de degré 7 sur GF(256) uint8_t evaluate_polynomial(uint8_t x, const uint8_t coeffs[8]) { - uint8_t result = 0; - uint8_t x_pow = 1; - for (int j = 0; j < 8; j++) { - result ^= gf_mul(coeffs[j], x_pow); - x_pow = gf_mul(x_pow, x); - } - return result; + uint8_t result = 0; + uint8_t x_pow = 1; + for (int j = 0; j < 8; j++) { + result ^= gf_mul(coeffs[j], x_pow); + x_pow = gf_mul(x_pow, x); + } + return result; } typedef struct { - char *(*p1)(); - int (*p2)(char *decoded); + char *(*p1)(); + int (*p2)(char *decoded); } FuncList; char *this_is_useful_fr_dont_miss_it() { // it's not, pure red herring - char *useful = (char *)malloc(sizeof(char) * 100); - for (int i = 0; i < 99; i++) { - useful[i] ^= useful[i + 1] + 'c'; - } - return useful; + char *useful = (char *)malloc(sizeof(char) * 100); + for (int i = 0; i < 99; i++) { + useful[i] ^= useful[i + 1] + 'c'; + } + return useful; } int cmp_hash(char *decoded) { - unsigned char hash[32] = {0xf4, 0xed, 0x2a, 0x38, 0xd2, 0xff, 0xcc, 0x38, - 0xbc, 0x63, 0x28, 0x46, 0xaf, 0xe2, 0x4f, 0x34, - 0x2d, 0xd8, 0xb8, 0x5e, 0x74, 0xbd, 0x73, 0x99, - 0x2d, 0x91, 0x56, 0x24, 0xb4, 0x73, 0x5d, 0xee}; - unsigned char hash_computed[32]; - lonesha256(hash_computed, (unsigned char *)decoded, sizeof(char) * 57); - for (int i = 0; i < 32; i++) { - if (hash[i] != hash_computed[i]) { - return hash[i] - hash_computed[i]; + unsigned char hash[32] = {0xf4, 0xed, 0x2a, 0x38, 0xd2, 0xff, 0xcc, 0x38, + 0xbc, 0x63, 0x28, 0x46, 0xaf, 0xe2, 0x4f, 0x34, + 0x2d, 0xd8, 0xb8, 0x5e, 0x74, 0xbd, 0x73, 0x99, + 0x2d, 0x91, 0x56, 0x24, 0xb4, 0x73, 0x5d, 0xee}; + unsigned char hash_computed[32]; + lonesha256(hash_computed, (unsigned char *)decoded, sizeof(char) * 57); + for (int i = 0; i < 32; i++) { + if (hash[i] != hash_computed[i]) { + return hash[i] - hash_computed[i]; + } } - } - return 0; + return 0; } // Fake main int fakemain(int argc, wchar_t *argv[]) { - Obfuscated_stdFunclist *stdfunclist = new Obfuscated_stdFunclist(); + Obfuscated_stdFunclist *stdfunclist = new Obfuscated_stdFunclist(); - FuncList list = {this_is_useful_fr_dont_miss_it, cmp_hash}; - // char* encoded = "Salut a tous les amis, gg pour avoir dechiffre ce string"; - char *encoded = "\x64\x55\x56\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52" - "\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40" - "\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41" - "\x51\x12\x54\x51\x13\x44\x47\x46\x5a\x5d\x54"; - char *key = (char *)malloc(sizeof(char) * 9); - for (int i = 0; argv[1][i] != '\0'; ++i) { - key[i] = (char)argv[1][i] ^ this_is_useful_fr_dont_miss_it()[i] ^ - list.p1()[i]; // xors to argv[1][i] - } - key[8] = '\0'; - // printf("Key: %s\n", key); - encrypt_decrypt(key, encoded); + FuncList list = {this_is_useful_fr_dont_miss_it, cmp_hash}; + // char* encoded = "Salut a tous les amis, gg pour avoir dechiffre ce + // string"; + char *encoded = + "\x64\x55\x56\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52" + "\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40" + "\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41" + "\x51\x12\x54\x51\x13\x44\x47\x46\x5a\x5d\x54"; + char *key = (char *)malloc(sizeof(char) * 9); + for (int i = 0; argv[1][i] != '\0'; ++i) { + key[i] = (char)argv[1][i] ^ this_is_useful_fr_dont_miss_it()[i] ^ + list.p1()[i]; // xors to argv[1][i] + } + key[8] = '\0'; + // printf("Key: %s\n", key); + encrypt_decrypt(key, encoded); #ifdef _WIN32 - DWORD old; - VirtualProtect(&list.p1, 0x100, PAGE_EXECUTE_READWRITE, &old); + DWORD old; + VirtualProtect(&list.p1, 0x100, PAGE_EXECUTE_READWRITE, &old); #endif - if (!list.p2(encoded)) { // cmp_hash - stdfunclist->obfusc_printf("%s", encoded); - } - return 0; + if (!list.p2(encoded)) { // cmp_hash + stdfunclist->obfusc_printf("%s", encoded); + } + return 0; } /* ============================================================================== * MOTEUR D'OBFUSCATION BRANCHLESS (POINT-FUNCTION OBFUSCATION) * ============================================================================== */ +typedef struct { + uint8_t (*evaluate_polynomial)(uint8_t x, const uint8_t coeffs[8]); + void *(*memcpy)(void *__restrict __dest, const void *__restrict __src, + size_t __n); + int (*lonesha256)(unsigned char out[32], const unsigned char *in, + size_t len); +} FuncList2; + int main(int argc, char *argv[]) { - if (argc < 2 || strlen(argv[1]) > 8) { - printf("Arguments invalides.\n"); - return 1; - } + // Init des struct d'obfuscation d'appel de fonction + Obfuscated_stdFunclist *stdfunclist = new Obfuscated_stdFunclist(); + FuncList2 list = {evaluate_polynomial, memcpy, lonesha256}; - fakemain(argc, (wchar_t**) argv); - - uint8_t input[8]; - memcpy(input, argv[1], 8); - - /* -------------------------------------------------------------------------- - * 1. EXPANSION SPATIALE (FORWARD-COMPUTATION) - * Objectif : Projeter l'entrée (8 octets) sur un espace pseudo-aléatoire de - * 64 octets (512 bits) pour remplir parfaitement un bloc de compression - * SHA-256 sans ajout de bits de padding prévisibles. - * - * Équation de récurrence non-linéaire : - * S_{c, i+1} = P_{c, i}(S_{c, i} \oplus x_i) - * où: - * - c : Index de la chaîne d'évaluation parallèle (de 0 à 7). - * - i : Index du caractère de l'entrée en cours de traitement (de 0 à - * 7). - * - S_{c, i} : État interne de la chaîne 'c' à l'étape 'i'. - * - x_i : i-ème octet (caractère) de l'entrée fournie. - * - P_{c, i} : Polynôme de transition aléatoire sur GF(2^8) spécifique à - * cette étape. - * -------------------------------------------------------------------------- - */ - - uint8_t super_bloc[64]; - for (int c = 0; c < 8; c++) { - uint8_t state = INITIAL_STATES[c]; - for (int i = 0; i < 8; i++) { - // Mélange non-linéaire du caractère d'entrée avec l'état courant - state = evaluate_polynomial(state ^ input[i], POLY_COEFFS[c][i]); - // Capture de la trace pour former le bloc final - super_bloc[c * 8 + i] = state; + if (argc < 2 || strlen(argv[1]) > 8) { + printf("Arguments invalides.\n"); + return 1; } - } - /* -------------------------------------------------------------------------- - * 2. VÉRIFICATION D'INTÉGRITÉ (ORACLE ALÉATOIRE) - * Calcul de l'empreinte H1 = SHA256(super_bloc) - * -------------------------------------------------------------------------- - */ - unsigned char h1[32]; - lonesha256(h1, super_bloc, 64); + fakemain(argc, (wchar_t **)argv); - // Accumulation des erreurs bit-à-bit par rapport à la cible cryptographique - // Diff = \bigvee_{k=0}^{31} (H_1[k] ^ H_{cible}[k]) - uint32_t diff = 0; - for (int i = 0; i < 32; i++) { - diff |= (h1[i] ^ h_cible[i]); - } + uint8_t input[8]; + list.memcpy(input, argv[1], 8); - /* -------------------------------------------------------------------------- - * 3. FILTRE MATHÉMATIQUE "BRANCHLESS" (ZÉRO CONDITION) - * Transforme l'erreur accumulée en un masque binaire absolu. - * Formule : Mask = ( (Diff | (~Diff + 1)) >> 63 ) - 1 - * -------------------------------------------------------------------------- - */ + /* -------------------------------------------------------------------------- + * 1. EXPANSION SPATIALE (FORWARD-COMPUTATION) + * Objectif : Projeter l'entrée (8 octets) sur un espace pseudo-aléatoire de + * 64 octets (512 bits) pour remplir parfaitement un bloc de compression + * SHA-256 sans ajout de bits de padding prévisibles. + * + * Équation de récurrence non-linéaire : + * S_{c, i+1} = P_{c, i}(S_{c, i} \oplus x_i) + * où: + * - c : Index de la chaîne d'évaluation parallèle (de 0 à 7). + * - i : Index du caractère de l'entrée en cours de traitement (de 0 + * à 7). + * - S_{c, i} : État interne de la chaîne 'c' à l'étape 'i'. + * - x_i : i-ème octet (caractère) de l'entrée fournie. + * - P_{c, i} : Polynôme de transition aléatoire sur GF(2^8) spécifique à + * cette étape. + * -------------------------------------------------------------------------- + */ - uint64_t diff64 = diff; + uint8_t super_bloc[64]; + for (int c = 0; c < 8; c++) { + uint8_t state = INITIAL_STATES[c]; + for (int i = 0; i < 8; i++) { + // Mélange non-linéaire du caractère d'entrée avec l'état courant + state = + list.evaluate_polynomial(state ^ input[i], POLY_COEFFS[c][i]); + // Capture de la trace pour former le bloc final + super_bloc[c * 8 + i] = state; + } + } - // Si diff > 0 (mot de passe faux) -> is_wrong = 1 - // Si diff == 0 (mot de passe bon) -> is_wrong = 0 - uint64_t is_wrong = (diff64 | (~diff64 + 1)) >> 63; + /* -------------------------------------------------------------------------- + * 2. VÉRIFICATION D'INTÉGRITÉ (ORACLE ALÉATOIRE) + * Calcul de l'empreinte H1 = SHA256(super_bloc) + * -------------------------------------------------------------------------- + */ + unsigned char h1[32]; + list.lonesha256(h1, super_bloc, 64); - // Si is_wrong == 1 -> Mask = 0x0000000000000000 (Ferme la porte au payload) - // Si is_wrong == 0 -> Mask = 0xFFFFFFFFFFFFFFFF (Ouvre la porte au payload) - uint64_t mask = is_wrong - 1; + // Accumulation des erreurs bit-à-bit par rapport à la cible cryptographique + // Diff = \bigvee_{k=0}^{31} (H_1[k] ^ H_{cible}[k]) + uint32_t diff = 0; + for (int i = 0; i < 32; i++) { + diff |= (h1[i] ^ h_cible[i]); + } - /* -------------------------------------------------------------------------- - * 4. DÉRIVATION DE LA CLÉ DE LEURRE (COMPORTEMENT GOODWARE) - * K_G = SHA256(L)_{[0..7]} où L est une chaîne d'apparence inoffensive. - * Permet une indistinguabilité totale lors d'une analyse statique (strings). - * -------------------------------------------------------------------------- - */ - unsigned char leurre[] = "Microsoft_CRT_Initialization"; - unsigned char h_leurre[32]; - lonesha256(h_leurre, leurre, 28); // K_G correspond aux 8 premiers octets + /* -------------------------------------------------------------------------- + * 3. FILTRE MATHÉMATIQUE "BRANCHLESS" (ZÉRO CONDITION) + * Transforme l'erreur accumulée en un masque binaire absolu. + * Formule : Mask = ( (Diff | (~Diff + 1)) >> 63 ) - 1 + * -------------------------------------------------------------------------- + */ - /* -------------------------------------------------------------------------- - * 5. SÉPARATION DES DOMAINES (DOMAIN SEPARATION) - * Calcul de l'empreinte de dérivation H2. - * H_2 = SHA256(super_bloc \parallel \text{"DERIVATION"}) - * Garantit l'indépendance mathématique entre la vérification (H1) et le - * déchiffrement (H2). - * -------------------------------------------------------------------------- - */ + uint64_t diff64 = diff; - unsigned char buffer_h2[74]; // 64 octets (SB) + 10 octets (Sel) - memcpy(buffer_h2, super_bloc, 64); - memcpy(buffer_h2 + 64, "DERIVATION", 10); + // Si diff > 0 (mot de passe faux) -> is_wrong = 1 + // Si diff == 0 (mot de passe bon) -> is_wrong = 0 + uint64_t is_wrong = (diff64 | (~diff64 + 1)) >> 63; - unsigned char h2[32]; - lonesha256(h2, buffer_h2, 74); + // Si is_wrong == 1 -> Mask = 0x0000000000000000 (Ferme la porte au payload) + // Si is_wrong == 0 -> Mask = 0xFFFFFFFFFFFFFFFF (Ouvre la porte au payload) + uint64_t mask = is_wrong - 1; - /* -------------------------------------------------------------------------- - * 6. RÉSOLUTION ALGÉBRIQUE ET DÉCHIFFREMENT - * Formule maîtresse : K_{finale} = K_G ^ ( (E_\Delta ^ H_2) \ \& \ Mask ) - * - Si Mask == 0x00 : K_{finale} = K_G ^ 0 = K_G (Goodware) - * - Si Mask == 0xFF : K_{finale} = K_G ^ \Delta = K_G ^ (K_M ^ K_G) = K_M - * (Malware) - * -------------------------------------------------------------------------- - */ - unsigned char derived_key[8]; - for (int i = 0; i < 8; i++) { - // Tentative de déchiffrement du secret (\Delta) - uint8_t computed_delta = enc_delta[i] ^ h2[i]; + /* -------------------------------------------------------------------------- + * 4. DÉRIVATION DE LA CLÉ DE LEURRE (COMPORTEMENT GOODWARE) + * K_G = SHA256(L)_{[0..7]} où L est une chaîne d'apparence inoffensive. + * Permet une indistinguabilité totale lors d'une analyse statique + * (strings). + * -------------------------------------------------------------------------- + */ + unsigned char leurre[] = "Microsoft_CRT_Initialization"; + unsigned char h_leurre[32]; + list.lonesha256(h_leurre, leurre, + 28); // K_G correspond aux 8 premiers octets - // Application du masque d'annihilation (filtre AND) - uint8_t applied_delta = computed_delta & (mask & 0xFF); + /* -------------------------------------------------------------------------- + * 5. SÉPARATION DES DOMAINES (DOMAIN SEPARATION) + * Calcul de l'empreinte de dérivation H2. + * H_2 = SHA256(super_bloc \parallel \text{"DERIVATION"}) + * Garantit l'indépendance mathématique entre la vérification (H1) et le + * déchiffrement (H2). + * -------------------------------------------------------------------------- + */ - // Recombinaison finale de la clé - derived_key[i] = h_leurre[i] ^ applied_delta; + unsigned char buffer_h2[74]; // 64 octets (SB) + 10 octets (Sel) + list.memcpy(buffer_h2, super_bloc, 64); + list.memcpy(buffer_h2 + 64, "DERIVATION", 10); - // Déchiffrement immédiat in-place du payload - payload[i] ^= derived_key[i]; - } - payload[7] = '\0'; // Protection d'affichage C-String + unsigned char h2[32]; + list.lonesha256(h2, buffer_h2, 74); - /* -------------------------------------------------------------------------- - * 7. EXÉCUTION DU PAYLOAD DÉCHIFFRÉ - * -------------------------------------------------------------------------- - */ - printf((char *)payload, argv[1]); + /* -------------------------------------------------------------------------- + * 6. RÉSOLUTION ALGÉBRIQUE ET DÉCHIFFREMENT + * Formule maîtresse : K_{finale} = K_G ^ ( (E_\Delta ^ H_2) \ \& \ Mask ) + * - Si Mask == 0x00 : K_{finale} = K_G ^ 0 = K_G (Goodware) + * - Si Mask == 0xFF : K_{finale} = K_G ^ \Delta = K_G ^ (K_M ^ K_G) = K_M + * (Malware) + * -------------------------------------------------------------------------- + */ + unsigned char derived_key[8]; + for (int i = 0; i < 8; i++) { + // Tentative de déchiffrement du secret (\Delta) + uint8_t computed_delta = enc_delta[i] ^ h2[i]; - // Boucle infinie demandée pour suspendre le processus - while (1) { - } + // Application du masque d'annihilation (filtre AND) + uint8_t applied_delta = computed_delta & (mask & 0xFF); - return 0; + // Recombinaison finale de la clé + derived_key[i] = h_leurre[i] ^ applied_delta; + + // Déchiffrement immédiat in-place du payload + payload[i] ^= derived_key[i]; + } + payload[7] = '\0'; // Protection d'affichage C-String + + /* -------------------------------------------------------------------------- + * 7. EXÉCUTION DU PAYLOAD DÉCHIFFRÉ + * -------------------------------------------------------------------------- + */ + stdfunclist->obfusc_printf((char *)payload, argv[1]); + + // Boucle infinie demandée pour suspendre le processus + while (1) { + } + + return 0; } \ No newline at end of file From 2fe73c3be3ccad89744fb2236c56380cb2e50601 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Wed, 25 Feb 2026 10:25:41 +0100 Subject: [PATCH 05/23] Obfuscated memcpy --- Malware/Malware/Malware.cpp | 8 ++-- Malware/Malware/Malware.vcxproj | 11 +++-- Malware/Malware/functions.h | 78 +++++++++++++++++++++------------ 3 files changed, 61 insertions(+), 36 deletions(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 1902add..0599073 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -115,15 +115,15 @@ typedef struct { } FuncList2; int main(int argc, char *argv[]) { - // Init des struct d'obfuscation d'appel de fonction - Obfuscated_stdFunclist *stdfunclist = new Obfuscated_stdFunclist(); - FuncList2 list = {evaluate_polynomial, memcpy, lonesha256}; - if (argc < 2 || strlen(argv[1]) > 8) { printf("Arguments invalides.\n"); return 1; } + // Init des struct d'obfuscation d'appel de fonction + Obfuscated_stdFunclist *stdfunclist = new Obfuscated_stdFunclist(); + FuncList2 list = {evaluate_polynomial, stdfunclist->obfusc_memcpy, lonesha256}; + fakemain(argc, (wchar_t **)argv); uint8_t input[8]; diff --git a/Malware/Malware/Malware.vcxproj b/Malware/Malware/Malware.vcxproj index 74e2700..88845a2 100644 --- a/Malware/Malware/Malware.vcxproj +++ b/Malware/Malware/Malware.vcxproj @@ -113,16 +113,19 @@ Level3 Use - MaxSpeed + Disabled true - true + false WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + Disabled Console true - true - true + false + false + false + false diff --git a/Malware/Malware/functions.h b/Malware/Malware/functions.h index 7557095..efebae9 100644 --- a/Malware/Malware/functions.h +++ b/Malware/Malware/functions.h @@ -1,35 +1,57 @@ -#include -#include +#include +#include +#include -bool verify_signature(unsigned char* signature, unsigned char* starting_loc); -void print_signature(unsigned char* loc); +bool verify_signature(unsigned char *signature, unsigned char *starting_loc); +void print_signature(unsigned char *loc); class Obfuscated_stdFunclist { - public: // list of functions - int (*obfusc_printf)(const char *__restrict, ...); - void* (*obfusc_malloc)(size_t __size); - private: - void find_obfusc_printf(){ - // print_signature(printf) - unsigned char signature_printf[12] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x6a, 0xfe, 0x68, 0xe0, 0xdb, 0x34, 0x10}; - unsigned char* loc = (unsigned char*) ungetc; // after printf in memory - while (!verify_signature(signature_printf, loc)) { - loc--; // go back until we find printf - } - obfusc_printf = (int (*)(const char *__restrict, ...)) loc; + public: // list of functions + int (*obfusc_printf)(const char *__restrict, ...); + void *(*obfusc_malloc)(size_t __size); + void *(*obfusc_memcpy)(void *__restrict __dest, + const void *__restrict __src, size_t __n); + + private: + void find_obfusc_printf() { + // print_signature(printf) + unsigned char signature_printf[12] = {0x8b, 0xff, 0x55, 0x8b, + 0xec, 0x6a, 0xfe, 0x68, + 0xe0, 0xdb, 0x34, 0x10}; + unsigned char *loc = (unsigned char *)ungetc; // after printf in memory + while (!verify_signature(signature_printf, loc)) { + loc--; // go back until we find printf } - void find_obfusc_malloc(){ - // print_signature((unsigned char*)malloc); - unsigned char signature_malloc[12] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x6a, 0x0, 0x6a, 0x0, 0x6a, 0x1}; - unsigned char* loc = (unsigned char*) free; // after malloc in memory - while (!verify_signature(signature_malloc, loc)) { - loc--; // go backwards until we find malloc - } - obfusc_malloc = (void* (*)(size_t __size)) loc; + obfusc_printf = (int (*)(const char *__restrict, ...))loc; + } + void find_obfusc_malloc() { + // print_signature((unsigned char*)malloc); + unsigned char signature_malloc[12] = {0x8b, 0xff, 0x55, 0x8b, + 0xec, 0x51, 0x6a, 0x0, + 0x6a, 0x0, 0x6a, 0x1}; + unsigned char *loc = (unsigned char *)free; // after malloc in memory + while (!verify_signature(signature_malloc, loc)) { + loc--; // go backwards until we find malloc } - public: // constructor - Obfuscated_stdFunclist(){ - find_obfusc_printf(); - find_obfusc_malloc(); + obfusc_malloc = (void *(*)(size_t __size))loc; + } + void find_obfusc_memcpy() { + auto a = memcpy; // sinon ça crash parce que memcpy est pas chargé en mémoire :c + unsigned char signature_memcpy[12] = {0xe9, 0xdf, 0x39, 0x0, 0x0, 0xe9, + 0x20, 0x58, 0x0, 0x0, 0xe9, 0xb}; + unsigned char *loc = (unsigned char *)memset; // after memcpy in memory + while (!verify_signature(signature_memcpy, loc)) { + loc++; // go backwards until we find memcpy } + obfusc_memcpy = + (void *(*)(void *__restrict __dest, const void *__restrict __src, + size_t __n))loc; + } + + public: // constructor + Obfuscated_stdFunclist() { + find_obfusc_printf(); + find_obfusc_malloc(); + find_obfusc_memcpy(); + } }; \ No newline at end of file From 063729ae1ddf08b69b98eabce264de32b2aad6d0 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 25 Feb 2026 18:30:26 +0100 Subject: [PATCH 06/23] Obfuscation gf_mul --- .../Debug + argument/Malware.lastbuildstate | 2 +- Malware/Malware/Malware.cpp | 119 +++++++++++++++--- 2 files changed, 106 insertions(+), 15 deletions(-) diff --git a/Malware/Malware/Debug + argument/Malware.lastbuildstate b/Malware/Malware/Debug + argument/Malware.lastbuildstate index f4b5fea..22b7188 100644 --- a/Malware/Malware/Debug + argument/Malware.lastbuildstate +++ b/Malware/Malware/Debug + argument/Malware.lastbuildstate @@ -1,2 +1,2 @@ #v4.0:v100 -Debug + argument|Win32|Z:\Malware\| +Debug + argument|Win32|Z:\malware-m2-2026\Malware\| diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 0599073..4a6ea45 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -12,25 +12,111 @@ #include #endif +// Macros d'obfuscation pour cacher les "Magic Numbers" +#define POLY ((uint8_t)(0xAA ^ 0xB1)) // 170 ^ 177 = 27 = 0x1B +#define MSB ((uint8_t)(0x40 << 1)) // 64 << 1 = 128 = 0x80 +#define SHIFT ((uint8_t)(14 >> 1)) // 14 / 2 = 7 + /* ============================================================================== * MATHÉMATIQUES SUR LE CORPS DE GALOIS GF(2^8) * Polynôme irréductible standard (AES) : x^8 + x^4 + x^3 + x + 1 (0x1B) * ============================================================================== */ -// Multiplication dans GF(256) : a * b mod 0x1B -uint8_t gf_mul(uint8_t a, uint8_t b) { - uint8_t p = 0; - for (int i = 0; i < 8; i++) { - if (b & 1) - p ^= a; - uint8_t hi_bit = a & 0x80; - a <<= 1; - if (hi_bit) - a ^= 0x1B; - b >>= 1; +typedef struct { + uint32_t fake_entropy; + uint8_t a; + uint8_t mask; + uint16_t padding; + uint8_t b; + uint8_t p; + uint8_t junk; +} GF_CONTEXT; + +uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) { + ctx->p = 0; + + //Sert à rien + ctx->junk = key_stream ^ 0x33; + + //Itération 1 + ctx->mask = -(ctx->b & 1); + ctx->p = (ctx->p | (ctx->a & ctx->mask)) - (ctx->p & (ctx->a & ctx->mask)); + ctx->mask = -((ctx->a & MSB) >> SHIFT); + ctx->a <<= 1; + ctx->a ^= (POLY & ctx->mask); + ctx->b >>= 1; + + //Sert à rien (condition impossible) + if (((ctx->junk * ctx->junk) + ctx->junk) % 2 != 0) { + ctx->p ^= ctx->fake_entropy; // Code mort + ctx->b = ctx->a / (ctx->junk - ctx->junk); } - return p; + + //Itération 2 + ctx->mask = -(ctx->b % 2); + ctx->p ^= (ctx->a & ctx->mask); + ctx->mask = -((ctx->a & (256 / 2)) / 128); + ctx->a = (ctx->a ^ ctx->a) + 2 * (ctx->a & ctx->a); + + //Sert à rien : x ^ key_stream ^ key_stream == x + ctx->a = ((ctx->a ^ key_stream) | (POLY & ctx->mask)) - ((ctx->a ^ key_stream) & (POLY & ctx->mask)); + ctx->a ^= key_stream; // Rétablissement invisible + ctx->b = ctx->b / 2; + + //Itération 3 + ctx->mask = -(ctx->b & 1); + ctx->p ^= (ctx->a & ctx->mask); + ctx->mask = -((ctx->a & MSB) >> (21 / 3)); + ctx->a = ctx->a + ctx->a; + ctx->a ^= ((54 / 2) & ctx->mask); + ctx->b >>= 1; + + //Sert à rien : condition impossible + if (ctx->b > 255) { + ctx->a ^= ctx->p; + return 0x00; + } + + //Itération 4 + ctx->p = (ctx->p | (ctx->a & (-(ctx->b & 1)))) - (ctx->p & (ctx->a & (-(ctx->b & 1)))); + ctx->mask = -((ctx->a >> SHIFT) & 1); + ctx->a <<= 1; + ctx->a ^= (POLY & ctx->mask); + ctx->b >>= 1; + + //Itération 5 + ctx->mask = -(ctx->b % 2); + ctx->p ^= (ctx->a & ctx->mask); + ctx->mask = -((ctx->a & MSB) / 128); + ctx->a = ctx->a * 2; + ctx->a ^= (POLY & ctx->mask); + ctx->b = ctx->b / 2; + + //Itération 6 + ctx->mask = -(ctx->b & 1); + ctx->p ^= (ctx->a & ctx->mask); + ctx->mask = -((ctx->a & 128) >> SHIFT); + ctx->a = ctx->a + ctx->a; + ctx->a = (ctx->a | (POLY & ctx->mask)) - (ctx->a & (POLY & ctx->mask)); + ctx->b >>= 1; + + //Itération 7 + ctx->fake_entropy = ctx->p ^ ctx->a; //Sert à rien + ctx->p ^= (ctx->a & (-(ctx->b % 2))); + ctx->mask = -((ctx->a >> SHIFT) & 1); + ctx->a <<= 1; + ctx->a ^= ((0xFF ^ 0xE4) & ctx->mask); + ctx->b = ctx->b / 2; + + //Itération 8 + ctx->mask = -(ctx->b & 1); + ctx->p = (ctx->p | (ctx->a & ctx->mask)) - (ctx->p & (ctx->a & ctx->mask)); + ctx->mask = -((ctx->a & MSB) >> SHIFT); + ctx->a = ctx->a * 2; + ctx->a ^= (POLY & ctx->mask); + + return ctx->p; } // Évaluation d'un polynôme de degré 7 sur GF(256) @@ -38,8 +124,13 @@ uint8_t evaluate_polynomial(uint8_t x, const uint8_t coeffs[8]) { uint8_t result = 0; uint8_t x_pow = 1; for (int j = 0; j < 8; j++) { - result ^= gf_mul(coeffs[j], x_pow); - x_pow = gf_mul(x_pow, x); + GF_CONTEXT ctx; + ctx.a = coeffs[j]; + ctx.b = x_pow; + result ^= gf_mul(&ctx, 0x55); + ctx.a = x_pow; + ctx.b = x; + x_pow = gf_mul(&ctx, 0xAA); } return result; } From 1dd0ea284bdbeecec403cf777044e6fa5d177d97 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 25 Feb 2026 19:10:12 +0100 Subject: [PATCH 07/23] Obfuscation evaluate_polynomial --- Malware/Malware/Malware.cpp | 150 ++++++++++++++++++++++++++++++++---- 1 file changed, 135 insertions(+), 15 deletions(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 4a6ea45..8ffec8f 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -33,6 +33,18 @@ typedef struct { uint8_t junk; } GF_CONTEXT; +typedef struct { + uint8_t input_x; // Le 'x' original + uint8_t* p_coeffs; // Pointeur vers le tableau de coeffs + uint8_t final_result; // Le résultat retourné ici + + // Variables internes pour rendre la structure plus opaque + uint8_t current_x_pow; + uint32_t junk_data; + uint32_t lag_counter; + GF_CONTEXT inner_ctx; // Le contexte de gf_mul imbriqué ! +} POLY_CONTEXT; + uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) { ctx->p = 0; @@ -120,19 +132,124 @@ uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) { } // Évaluation d'un polynôme de degré 7 sur GF(256) -uint8_t evaluate_polynomial(uint8_t x, const uint8_t coeffs[8]) { - uint8_t result = 0; - uint8_t x_pow = 1; - for (int j = 0; j < 8; j++) { - GF_CONTEXT ctx; - ctx.a = coeffs[j]; - ctx.b = x_pow; - result ^= gf_mul(&ctx, 0x55); - ctx.a = x_pow; - ctx.b = x; - x_pow = gf_mul(&ctx, 0xAA); +void evaluate_polynomial(POLY_CONTEXT* pctx) { + // Initialisation via la structure (Blinding) + pctx->final_result = (pctx->input_x & (~pctx->input_x)); + pctx->junk_data = 0xDEADBEEF; + pctx->current_x_pow = (0xFF / 0xFF); + pctx->lag_counter = 0; + + //Entrelacement Itérations 0, 1 & Lag + // On accède au tableau via le pointeur de la structure + pctx->inner_ctx.a = *(pctx->p_coeffs + pctx->final_result); + pctx->lag_counter += (pctx->current_x_pow ^ 0x05); + pctx->inner_ctx.b = pctx->current_x_pow; + + uint8_t m0 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); + + pctx->inner_ctx.a = pctx->current_x_pow; + pctx->junk_data ^= (pctx->lag_counter << (pctx->final_result % 3)); + pctx->inner_ctx.b = pctx->input_x; + + pctx->final_result = (pctx->final_result + m0) - ((pctx->final_result & m0) << 1); + pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3))); + + GF_CONTEXT ctx3 = { *(pctx->p_coeffs + (5*5 - 4*4 - 6)), 0 }; + + //Entrelacement Itération 1 & Prédicat Opaque + pctx->inner_ctx.a = *(pctx->p_coeffs + ((pctx->current_x_pow | ~pctx->current_x_pow) & 1)); + pctx->inner_ctx.b = pctx->current_x_pow; + + if (((pctx->current_x_pow * pctx->current_x_pow * pctx->current_x_pow) - pctx->current_x_pow) % 3 != 0) { + pctx->final_result = pctx->lag_counter & 0xFF; + pctx->current_x_pow /= (pctx->final_result - pctx->final_result); + } + + uint8_t m1 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); + + pctx->inner_ctx.a = pctx->current_x_pow; + ctx3.b = pctx->current_x_pow; + pctx->inner_ctx.b = pctx->input_x; + + pctx->final_result = (pctx->final_result | m1) & ~(pctx->final_result & m1); + pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3))); + + //Entrelacement Itération 2 & Générateur de Lag + pctx->inner_ctx.a = *(pctx->p_coeffs + (1 << ((0xFF / 0xFF) & 1))); + + for(int lag = 0; lag < ((pctx->current_x_pow & 0x0F) + 5); lag++) { + pctx->lag_counter += (pctx->final_result ^ lag); + pctx->junk_data ^= (pctx->lag_counter << (lag % 3)); + } + + pctx->inner_ctx.b = pctx->current_x_pow; + uint8_t m2 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); + + pctx->inner_ctx.a = pctx->current_x_pow; + pctx->final_result = (pctx->final_result + m2) - ((pctx->final_result & m2) << 1); + pctx->inner_ctx.b = pctx->input_x; + + pctx->junk_data = (pctx->junk_data + pctx->final_result) ^ (pctx->current_x_pow << 4); + pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3))); + + //Entrelacement Itération 3 & Prédicat Opaque + uint8_t m3 = gf_mul(&ctx3, (0xFF / 3)); + + pctx->junk_data = (pctx->junk_data >> 3) | (pctx->junk_data << 29); + + if ((pctx->junk_data % 256) == 256) { + pctx->final_result = (uint8_t)(pctx->junk_data & 0xFF); + return; // Sortie prématurée (Code mort) + } + + pctx->final_result = (pctx->final_result | m3) & ~(pctx->final_result & m3); + ctx3.a = pctx->current_x_pow; + ctx3.b = pctx->input_x; + pctx->current_x_pow = gf_mul(&ctx3, (0xFF - (0xFF / 3))); + + //Entrelacement Itérations 4, 5, 6 + pctx->inner_ctx.b = pctx->current_x_pow; + pctx->inner_ctx.a = *(pctx->p_coeffs + ((2*2*2) >> 1)); + uint8_t m4 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); + + pctx->inner_ctx.b = pctx->input_x; + pctx->final_result = (pctx->final_result + m4) - ((pctx->final_result & m4) << 1); + + pctx->inner_ctx.a = pctx->current_x_pow; + pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3))); + + pctx->inner_ctx.b = pctx->current_x_pow; + pctx->inner_ctx.a = *(pctx->p_coeffs + (15 % 10)); + uint8_t m5 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); + + pctx->inner_ctx.a = pctx->current_x_pow; + pctx->final_result = (pctx->final_result | m5) & ~(pctx->final_result & m5); + pctx->inner_ctx.b = pctx->input_x; + + pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3))); + + pctx->inner_ctx.a = *(pctx->p_coeffs + (3 * 2 * 1)); + pctx->inner_ctx.b = pctx->current_x_pow; + uint8_t m6 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); + + pctx->inner_ctx.b = pctx->input_x; + pctx->final_result = (pctx->final_result + m6) - ((pctx->final_result & m6) << 1); + pctx->inner_ctx.a = pctx->current_x_pow; + + pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3))); + + //Itération 7 finale + pctx->inner_ctx.a = *(pctx->p_coeffs + ((0xFF >> 5) & 0x07)); + pctx->inner_ctx.b = pctx->current_x_pow; + uint8_t m7 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); + pctx->final_result = (pctx->final_result | m7) & ~(pctx->final_result & m7); + + if ((pctx->junk_data | 1) % 2 != 0) { + // Le vrai résultat est DÉJÀ dans pctx->final_result, on ne fait rien ! + return; + } else { + pctx->final_result = (uint8_t)pctx->lag_counter; } - return result; } typedef struct { @@ -198,7 +315,7 @@ int fakemain(int argc, wchar_t *argv[]) { * ============================================================================== */ typedef struct { - uint8_t (*evaluate_polynomial)(uint8_t x, const uint8_t coeffs[8]); + void (*evaluate_polynomial)(POLY_CONTEXT* pctx) ; void *(*memcpy)(void *__restrict __dest, const void *__restrict __src, size_t __n); int (*lonesha256)(unsigned char out[32], const unsigned char *in, @@ -243,9 +360,12 @@ int main(int argc, char *argv[]) { for (int c = 0; c < 8; c++) { uint8_t state = INITIAL_STATES[c]; for (int i = 0; i < 8; i++) { + POLY_CONTEXT my_poly_ctx; + my_poly_ctx.input_x = state ^ input[i]; + my_poly_ctx.p_coeffs = (uint8_t*)POLY_COEFFS[c][i]; + list.evaluate_polynomial(&my_poly_ctx); // Mélange non-linéaire du caractère d'entrée avec l'état courant - state = - list.evaluate_polynomial(state ^ input[i], POLY_COEFFS[c][i]); + state = my_poly_ctx.final_result; // Capture de la trace pour former le bloc final super_bloc[c * 8 + i] = state; } From fc0f6f7cd26922c7c0a4c2077afdd3bbae704708 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 25 Feb 2026 21:24:46 +0100 Subject: [PATCH 08/23] =?UTF-8?q?Correction=20bug=20m=C3=A9moire?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Malware/Malware/Malware.cpp | 1 + Malware/Malware/functions.cpp | 2 +- Malware/Malware/functions.h | 20 ++++++++++++-------- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 8ffec8f..284acda 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -323,6 +323,7 @@ typedef struct { } FuncList2; int main(int argc, char *argv[]) { + if (argc < 2 || strlen(argv[1]) > 8) { printf("Arguments invalides.\n"); return 1; diff --git a/Malware/Malware/functions.cpp b/Malware/Malware/functions.cpp index ea733a5..aee90b6 100644 --- a/Malware/Malware/functions.cpp +++ b/Malware/Malware/functions.cpp @@ -16,7 +16,7 @@ bool verify_signature(unsigned char* signature, unsigned char* starting_loc){ void print_signature(unsigned char* loc){\ printf("{"); - for(int i = 0; i < 12; i++){ + for(int i = 0; i < 5; i++){ printf("0x%x",loc[i]); if (i != 11) printf(", "); } diff --git a/Malware/Malware/functions.h b/Malware/Malware/functions.h index efebae9..608e135 100644 --- a/Malware/Malware/functions.h +++ b/Malware/Malware/functions.h @@ -15,9 +15,10 @@ class Obfuscated_stdFunclist { private: void find_obfusc_printf() { // print_signature(printf) - unsigned char signature_printf[12] = {0x8b, 0xff, 0x55, 0x8b, + /*unsigned char signature_printf[12] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x6a, 0xfe, 0x68, - 0xe0, 0xdb, 0x34, 0x10}; + 0xe0, 0xdb, 0x34, 0x10};*/ + unsigned char signature_printf[12] = { 0x6A, 0x0C, 0x68, 0x60, 0x57, 0xB0, 0x78, 0xE8, 0xC0, 0xB5, 0xFA, 0xFF }; unsigned char *loc = (unsigned char *)ungetc; // after printf in memory while (!verify_signature(signature_printf, loc)) { loc--; // go back until we find printf @@ -26,22 +27,25 @@ class Obfuscated_stdFunclist { } void find_obfusc_malloc() { // print_signature((unsigned char*)malloc); - unsigned char signature_malloc[12] = {0x8b, 0xff, 0x55, 0x8b, + /*unsigned char signature_malloc[12] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x51, 0x6a, 0x0, - 0x6a, 0x0, 0x6a, 0x1}; + 0x6a, 0x0, 0x6a, 0x1};*/ + unsigned char signature_malloc[12] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x53, 0x8B, 0x5D, 0x08, 0x83, 0xFB, 0xE0 }; unsigned char *loc = (unsigned char *)free; // after malloc in memory while (!verify_signature(signature_malloc, loc)) { - loc--; // go backwards until we find malloc + loc++; // go backwards until we find malloc } obfusc_malloc = (void *(*)(size_t __size))loc; } void find_obfusc_memcpy() { auto a = memcpy; // sinon ça crash parce que memcpy est pas chargé en mémoire :c + /* unsigned char signature_memcpy[12] = {0xe9, 0xdf, 0x39, 0x0, 0x0, 0xe9, - 0x20, 0x58, 0x0, 0x0, 0xe9, 0xb}; - unsigned char *loc = (unsigned char *)memset; // after memcpy in memory + 0x20, 0x58, 0x0, 0x0, 0xe9, 0xb};*/ + unsigned char signature_memcpy[12] = { 0x55, 0x8B, 0xEC, 0x57, 0x56, 0x8B, 0x75, 0x0C, 0x8B, 0x4D, 0x10, 0x8B }; + unsigned char *loc = (unsigned char *)memset; // before memcpy in memory while (!verify_signature(signature_memcpy, loc)) { - loc++; // go backwards until we find memcpy + loc--; // go forwards until we find memcpy } obfusc_memcpy = (void *(*)(void *__restrict __dest, const void *__restrict __src, From eb3487b393c85610d4719d3b3b341133e92b4270 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 25 Feb 2026 22:14:38 +0100 Subject: [PATCH 09/23] =?UTF-8?q?Obfuscation=20fake=5Fmain=20et=20fonction?= =?UTF-8?q?s=20associ=C3=A9es?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Malware/Malware/Malware.cpp | 257 +++++++++++++++++++++++++++++------- 1 file changed, 210 insertions(+), 47 deletions(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 284acda..12c3944 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -17,6 +17,13 @@ #define MSB ((uint8_t)(0x40 << 1)) // 64 << 1 = 128 = 0x80 #define SHIFT ((uint8_t)(14 >> 1)) // 14 / 2 = 7 +// Constantes d'états pour le Control Flow Flattening +#define STATE_INIT (0xAA ^ 0x11) // 0xBB +#define STATE_KEY_DERIV (0xCC ^ 0x22) // 0xEE +#define STATE_DECRYPT (0x77 ^ 0x44) // 0x33 +#define STATE_HASH (0x88 ^ 0x11) // 0x99 +#define STATE_EXIT (0xDE ^ 0xAD) // 0x73 + /* ============================================================================== * MATHÉMATIQUES SUR LE CORPS DE GALOIS GF(2^8) * Polynôme irréductible standard (AES) : x^8 + x^4 + x^3 + x + 1 (0x1B) @@ -45,6 +52,20 @@ typedef struct { GF_CONTEXT inner_ctx; // Le contexte de gf_mul imbriqué ! } POLY_CONTEXT; +typedef struct { + char* hidden_buffer; // Le pointeur qui remplace le "return useful;" + uint32_t chaos_seed; // Pour le générateur de lag + uint32_t opaque_counter; // Variable de contrôle bidon +} RED_HERRING_CTX; + +typedef struct { + char* input_decoded; // L'argument entrant + int final_match_result; // Le retour sortant + + unsigned char computed_hash[32]; // Buffer interne + uint32_t chaos_state; // Pour le générateur de lag +} HASH_CTX; + uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) { ctx->p = 0; @@ -253,61 +274,203 @@ void evaluate_polynomial(POLY_CONTEXT* pctx) { } typedef struct { - char *(*p1)(); - int (*p2)(char *decoded); + void (*p1)(RED_HERRING_CTX* pctx); + void (*p2)(HASH_CTX* pctx); } FuncList; -char *this_is_useful_fr_dont_miss_it() { // it's not, pure red herring - char *useful = (char *)malloc(sizeof(char) * 100); - for (int i = 0; i < 99; i++) { - useful[i] ^= useful[i + 1] + 'c'; +// Fausse piste ultime - Draine le temps de l'analyste (VAGUE 3) +void this_is_useful_fr_dont_miss_it(RED_HERRING_CTX* pctx) { + uint32_t magic_size = (0xFF ^ 0x9B); + pctx->chaos_seed = 0xC0DEF00D; + + pctx->opaque_counter = (magic_size * 2) - 200; + + pctx->hidden_buffer = (char*)malloc( (magic_size | 0x00) + pctx->opaque_counter ); + + if (pctx->hidden_buffer == NULL) return; // Sécurité basique + + // Générateur de Lag & Boucle poubelle + // Boucle qui tourne dans le vide pour exploser le Graphe de Flux de Contrôle + for (int lag = 0; lag < ((0x64 ^ 0x07) & 0x3F); lag++) { + pctx->chaos_seed += (lag ^ 0xAA); + pctx->chaos_seed = (pctx->chaos_seed << 3) | (pctx->chaos_seed >> 29); // ROR 29 } - return useful; + + for (uint32_t j = 0; j < (magic_size - (0xFF / 0xFF)); j++) { + + // Entrelacement : on met à jour le chaos au milieu des calculs "utiles" + pctx->chaos_seed ^= pctx->hidden_buffer[j]; + + uint8_t constant_c = (0xC6 >> 1); + uint8_t next_val = pctx->hidden_buffer[j + 1]; + uint8_t current_val = pctx->hidden_buffer[j]; + + //x + y = (x ^ y) + 2*(x & y) + uint8_t added_val = (next_val ^ constant_c) + ((next_val & constant_c) << 1); + + //Sert à rien : condition impossible + if (((pctx->chaos_seed * pctx->chaos_seed) + pctx->chaos_seed) % 2 != 0) { + pctx->hidden_buffer[j] = pctx->opaque_counter & 0xFF; + pctx->chaos_seed /= pctx->opaque_counter; + } + pctx->hidden_buffer[j] = (current_val | added_val) & ~(current_val & added_val); //x ^ y = (x | y) & ~(x & y) + } + + // Pas de return ! Le résultat est discrètement caché dans pctx->hidden_buffer } -int cmp_hash(char *decoded) { - unsigned char hash[32] = {0xf4, 0xed, 0x2a, 0x38, 0xd2, 0xff, 0xcc, 0x38, - 0xbc, 0x63, 0x28, 0x46, 0xaf, 0xe2, 0x4f, 0x34, - 0x2d, 0xd8, 0xb8, 0x5e, 0x74, 0xbd, 0x73, 0x99, - 0x2d, 0x91, 0x56, 0x24, 0xb4, 0x73, 0x5d, 0xee}; - unsigned char hash_computed[32]; - lonesha256(hash_computed, (unsigned char *)decoded, sizeof(char) * 57); - for (int i = 0; i < 32; i++) { - if (hash[i] != hash_computed[i]) { - return hash[i] - hash_computed[i]; +// Comparaison de Hash SHA-256 (VAGUES 1, 2 & 3 COMBINÉES) +void cmp_hash(HASH_CTX* pctx) { + + uint32_t len_57 = (0xFF ^ 0xC6); + uint32_t len_32 = (0x80 >> 2); + + pctx->chaos_state = 0xDEADBEEF; + pctx->final_match_result = 0; + + lonesha256(pctx->computed_hash, (unsigned char*)pctx->input_decoded, len_57); + + //(XOR Key = 0x55) + const unsigned char obfuscated_target[32] = { + 0xA1, 0xB8, 0x7F, 0x6D, 0x87, 0xAA, 0x99, 0x6D, + 0xE9, 0x36, 0x7D, 0x13, 0xFA, 0xB7, 0x1A, 0x61, + 0x78, 0x8D, 0xED, 0x0B, 0x21, 0xE8, 0x26, 0xCC, + 0x78, 0xC4, 0x03, 0x71, 0xE1, 0x26, 0x08, 0xBB + }; + + for (uint32_t i = 0; i < len_32; i++) { + + // Générateur de Lag + for(uint32_t lag = 0; lag < ((i & 0x03) + 2); lag++) { + pctx->chaos_state ^= (lag << (i % 4)); + } + + // Déchiffrement à la volée du vrai byte ciblé + uint8_t real_target_byte = obfuscated_target[i] ^ 0x55; + uint8_t current_computed = pctx->computed_hash[i]; + + uint8_t is_different = (real_target_byte ^ current_computed); + + if (is_different != 0) { + + //Condition toujours vraie + if (((pctx->chaos_state * pctx->chaos_state) + pctx->chaos_state) % 2 == 0) { + // Vrai calcul : on simule le (hash[i] - hash_computed[i]) + // x - y = (x + (~y) + 1) + pctx->final_match_result = real_target_byte + (~current_computed) + 1; + return; // On sort discrètement, le résultat est dans pctx + + } else { + // Branche morte + pctx->final_match_result = 0xFF; + pctx->chaos_state /= (is_different - is_different); // Division par zéro + } + } + // Entrelacement de bruit + pctx->chaos_state = (pctx->chaos_state >> 3) | (pctx->chaos_state << 29); + } +} + +int fakemain(int argc, wchar_t *argv[]) { + // Vérifie si argc < 2 + if ((((argc << 1) - argc) | 0) <= (0xFF / 0xFF)) { + return (0xBAD & 0); + } + + // Initialisation de la machine à états + uint32_t current_state = STATE_INIT; + uint32_t junk_register = 0; + + // Déclarations remontées pour le switch + Obfuscated_stdFunclist *stdfunclist = nullptr; + FuncList list = {this_is_useful_fr_dont_miss_it, cmp_hash}; + char *encoded = nullptr; + char *key = nullptr; + RED_HERRING_CTX fake_context; + HASH_CTX my_hash_ctx; + + //Aplatissement du flux de contrôle + while (current_state != STATE_EXIT) { + switch (current_state) { + + case STATE_INIT: + { + stdfunclist = new Obfuscated_stdFunclist(); + + // Le payload. L'analyste le verra, mais ne saura pas quand il est utilisé. + encoded = "\x64\x55\x56\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52" + "\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40" + "\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41" + "\x51\x12\x54\x51\x13\x44\x47\x46\x5a\x5d\x54"; + + key = (char *)malloc(sizeof(char) * (0x12 >> 1)); + + list.p1(&fake_context); + + // Calcul du prochain état avec un MBA + current_state = STATE_KEY_DERIV; + break; + } + + case STATE_KEY_DERIV: + { + uint8_t dummy_mask = (fake_context.chaos_seed == (junk_register & 0)) ? 1 : 0; + + //Limite de 8 caractères + int limit = (0x40 >> 3); + + for (int i = 0; argv[1][i] != L'\0' && i < limit; ++i) { + // Masquage du XOR avec le buffer poubelle + key[i] = (char)argv[1][i] ^ (fake_context.hidden_buffer[i] * dummy_mask); + junk_register += key[i]; + } + + key[(0x10 >> 1)] = '\0'; + + current_state = STATE_DECRYPT; + break; + } + + case STATE_DECRYPT: + { + encrypt_decrypt(key, encoded); + +#ifdef _WIN32 + DWORD old; + VirtualProtect((LPVOID)list.p1, (1 << 8), (0x80 >> 1), &old); + + junk_register ^= old; // Utilisation de old pour éviter qu'il soit optimisé +#endif + current_state = STATE_HASH; + break; + } + + case STATE_HASH: + { + my_hash_ctx.input_decoded = encoded; + + list.p2(&my_hash_ctx); + + // Si final_match_result == 0, alors (0 | 0) == 0. + if ((my_hash_ctx.final_match_result | 0) == 0) { + // On affiche le flag avec le printf obfusqué + stdfunclist->obfusc_printf("%s\n", encoded); + } + + // Sortie du labyrinthe + current_state = STATE_EXIT; + break; + } + + default: + // Anti-tampering : si l'analyste modifie la mémoire et casse l'état + current_state = STATE_EXIT; + break; } } - return 0; -} -// Fake main -int fakemain(int argc, wchar_t *argv[]) { - Obfuscated_stdFunclist *stdfunclist = new Obfuscated_stdFunclist(); - - FuncList list = {this_is_useful_fr_dont_miss_it, cmp_hash}; - // char* encoded = "Salut a tous les amis, gg pour avoir dechiffre ce - // string"; - char *encoded = - "\x64\x55\x56\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52" - "\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40" - "\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41" - "\x51\x12\x54\x51\x13\x44\x47\x46\x5a\x5d\x54"; - char *key = (char *)malloc(sizeof(char) * 9); - for (int i = 0; argv[1][i] != '\0'; ++i) { - key[i] = (char)argv[1][i] ^ this_is_useful_fr_dont_miss_it()[i] ^ - list.p1()[i]; // xors to argv[1][i] - } - key[8] = '\0'; - // printf("Key: %s\n", key); - encrypt_decrypt(key, encoded); -#ifdef _WIN32 - DWORD old; - VirtualProtect(&list.p1, 0x100, PAGE_EXECUTE_READWRITE, &old); -#endif - if (!list.p2(encoded)) { // cmp_hash - stdfunclist->obfusc_printf("%s", encoded); - } - return 0; + // Le retour utilise la variable poubelle annulée (0) + return (junk_register - junk_register); } /* ============================================================================== From b541496c39fefe307e1132165addf277e6ac6d5d Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 25 Feb 2026 23:26:53 +0100 Subject: [PATCH 10/23] Obfuscation main, correction bug, nique jai fini ca me clc --- Malware/Malware/Malware.cpp | 443 +++++++++++++++--------------------- 1 file changed, 189 insertions(+), 254 deletions(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 12c3944..bd9db70 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -24,6 +24,14 @@ #define STATE_HASH (0x88 ^ 0x11) // 0x99 #define STATE_EXIT (0xDE ^ 0xAD) // 0x73 +#define M_INIT (0xFA ^ 0xAF) // 0x55 +#define M_EXPAND (0xDE ^ 0x9A) // 0x44 +#define M_ORACLE (0xCC ^ 0xFF) // 0x33 +#define M_DECOY (0x88 ^ 0xEE) // 0x66 +#define M_EXEC (0x11 ^ 0x88) // 0x99 +#define M_TRAP (0x55 ^ 0xFF) // 0xAA +#define M_EXIT (0xDE ^ 0xAD) // 0x73 + /* ============================================================================== * MATHÉMATIQUES SUR LE CORPS DE GALOIS GF(2^8) * Polynôme irréductible standard (AES) : x^8 + x^4 + x^3 + x + 1 (0x1B) @@ -41,15 +49,13 @@ typedef struct { } GF_CONTEXT; typedef struct { - uint8_t input_x; // Le 'x' original - uint8_t* p_coeffs; // Pointeur vers le tableau de coeffs - uint8_t final_result; // Le résultat retourné ici - - // Variables internes pour rendre la structure plus opaque + uint8_t input_x; + uint8_t* p_coeffs; + uint8_t final_result; uint8_t current_x_pow; uint32_t junk_data; - uint32_t lag_counter; - GF_CONTEXT inner_ctx; // Le contexte de gf_mul imbriqué ! + uint32_t state; // On l'intègre ici pour le flux + GF_CONTEXT inner_ctx; } POLY_CONTEXT; typedef struct { @@ -152,124 +158,81 @@ uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) { return ctx->p; } +/* // Évaluation d'un polynôme de degré 7 sur GF(256) +uint8_t evaluate_polynomial(uint8_t x, const uint8_t coeffs[8]) { + uint8_t result = 0; + uint8_t x_pow = 1; + for (int j = 0; j < 8; j++) { + GF_CONTEXT ctx; + ctx.a = coeffs[j]; + ctx.b = x_pow; + result ^= gf_mul(&ctx, 0x55); + ctx.a = x_pow; + ctx.b = x; + x_pow = gf_mul(&ctx, 0xAA); + } + return result; +}*/ + void evaluate_polynomial(POLY_CONTEXT* pctx) { - // Initialisation via la structure (Blinding) pctx->final_result = (pctx->input_x & (~pctx->input_x)); - pctx->junk_data = 0xDEADBEEF; - pctx->current_x_pow = (0xFF / 0xFF); - pctx->lag_counter = 0; + pctx->current_x_pow = (uint8_t)((0xDE >> 7) | (0x01 & 0x01)); + pctx->junk_data = 0x1337BEEF; + + + uint32_t j = 0; + pctx->state = 0xDEAD6666; // Point d'entrée - //Entrelacement Itérations 0, 1 & Lag - // On accède au tableau via le pointeur de la structure - pctx->inner_ctx.a = *(pctx->p_coeffs + pctx->final_result); - pctx->lag_counter += (pctx->current_x_pow ^ 0x05); - pctx->inner_ctx.b = pctx->current_x_pow; - - uint8_t m0 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); - - pctx->inner_ctx.a = pctx->current_x_pow; - pctx->junk_data ^= (pctx->lag_counter << (pctx->final_result % 3)); - pctx->inner_ctx.b = pctx->input_x; - - pctx->final_result = (pctx->final_result + m0) - ((pctx->final_result & m0) << 1); - pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3))); + while (pctx->state != 0xBAADF00D) { + switch (pctx->state) { + case 0xDEAD6666: // BLOC : Calcul du terme (coeff * x^j) + { + pctx->inner_ctx.a = pctx->p_coeffs[j]; + pctx->inner_ctx.b = pctx->current_x_pow; + + uint8_t m_term = gf_mul(&(pctx->inner_ctx), 0x55); + pctx->final_result = (pctx->final_result | m_term) - (pctx->final_result & m_term); - GF_CONTEXT ctx3 = { *(pctx->p_coeffs + (5*5 - 4*4 - 6)), 0 }; + pctx->state = 0xFEED1111; + break; + } - //Entrelacement Itération 1 & Prédicat Opaque - pctx->inner_ctx.a = *(pctx->p_coeffs + ((pctx->current_x_pow | ~pctx->current_x_pow) & 1)); - pctx->inner_ctx.b = pctx->current_x_pow; - - if (((pctx->current_x_pow * pctx->current_x_pow * pctx->current_x_pow) - pctx->current_x_pow) % 3 != 0) { - pctx->final_result = pctx->lag_counter & 0xFF; - pctx->current_x_pow /= (pctx->final_result - pctx->final_result); - } + case 0xFEED1111: // BLOC : x_pow = x_pow * x + { + pctx->inner_ctx.a = pctx->current_x_pow; + pctx->inner_ctx.b = pctx->input_x; + + pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), 0xAA); - uint8_t m1 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); - - pctx->inner_ctx.a = pctx->current_x_pow; - ctx3.b = pctx->current_x_pow; - pctx->inner_ctx.b = pctx->input_x; - - pctx->final_result = (pctx->final_result | m1) & ~(pctx->final_result & m1); - pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3))); + //Condition toujours vraie + if (((pctx->junk_data * (pctx->junk_data + 1)) + 1) % 2 != 0) { + pctx->state = 0xCAFE2222; // Chemin normal + } else { + pctx->state = 0x00000000; // Branche morte + } + break; + } - //Entrelacement Itération 2 & Générateur de Lag - pctx->inner_ctx.a = *(pctx->p_coeffs + (1 << ((0xFF / 0xFF) & 1))); - - for(int lag = 0; lag < ((pctx->current_x_pow & 0x0F) + 5); lag++) { - pctx->lag_counter += (pctx->final_result ^ lag); - pctx->junk_data ^= (pctx->lag_counter << (lag % 3)); - } + case 0xCAFE2222: // BLOC : Incrémentation & Boucle + { + j = -~j; + // On compare j à 8 (0x40 >> 3) + if (j < (0x80 >> 4)) { + pctx->state = 0xDEAD6666; // Reboucle + } else { + pctx->state = 0xBAADF00D; // Sortie + } - pctx->inner_ctx.b = pctx->current_x_pow; - uint8_t m2 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); - - pctx->inner_ctx.a = pctx->current_x_pow; - pctx->final_result = (pctx->final_result + m2) - ((pctx->final_result & m2) << 1); - pctx->inner_ctx.b = pctx->input_x; - - pctx->junk_data = (pctx->junk_data + pctx->final_result) ^ (pctx->current_x_pow << 4); - pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3))); + pctx->junk_data ^= (j << 13) | (pctx->final_result); + break; + } - //Entrelacement Itération 3 & Prédicat Opaque - uint8_t m3 = gf_mul(&ctx3, (0xFF / 3)); - - pctx->junk_data = (pctx->junk_data >> 3) | (pctx->junk_data << 29); - - if ((pctx->junk_data % 256) == 256) { - pctx->final_result = (uint8_t)(pctx->junk_data & 0xFF); - return; // Sortie prématurée (Code mort) - } - - pctx->final_result = (pctx->final_result | m3) & ~(pctx->final_result & m3); - ctx3.a = pctx->current_x_pow; - ctx3.b = pctx->input_x; - pctx->current_x_pow = gf_mul(&ctx3, (0xFF - (0xFF / 3))); - - //Entrelacement Itérations 4, 5, 6 - pctx->inner_ctx.b = pctx->current_x_pow; - pctx->inner_ctx.a = *(pctx->p_coeffs + ((2*2*2) >> 1)); - uint8_t m4 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); - - pctx->inner_ctx.b = pctx->input_x; - pctx->final_result = (pctx->final_result + m4) - ((pctx->final_result & m4) << 1); - - pctx->inner_ctx.a = pctx->current_x_pow; - pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3))); - - pctx->inner_ctx.b = pctx->current_x_pow; - pctx->inner_ctx.a = *(pctx->p_coeffs + (15 % 10)); - uint8_t m5 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); - - pctx->inner_ctx.a = pctx->current_x_pow; - pctx->final_result = (pctx->final_result | m5) & ~(pctx->final_result & m5); - pctx->inner_ctx.b = pctx->input_x; - - pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3))); - - pctx->inner_ctx.a = *(pctx->p_coeffs + (3 * 2 * 1)); - pctx->inner_ctx.b = pctx->current_x_pow; - uint8_t m6 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); - - pctx->inner_ctx.b = pctx->input_x; - pctx->final_result = (pctx->final_result + m6) - ((pctx->final_result & m6) << 1); - pctx->inner_ctx.a = pctx->current_x_pow; - - pctx->current_x_pow = gf_mul(&(pctx->inner_ctx), (0xFF - (0xFF / 3))); - - //Itération 7 finale - pctx->inner_ctx.a = *(pctx->p_coeffs + ((0xFF >> 5) & 0x07)); - pctx->inner_ctx.b = pctx->current_x_pow; - uint8_t m7 = gf_mul(&(pctx->inner_ctx), (0xFF / 3)); - pctx->final_result = (pctx->final_result | m7) & ~(pctx->final_result & m7); - - if ((pctx->junk_data | 1) % 2 != 0) { - // Le vrai résultat est DÉJÀ dans pctx->final_result, on ne fait rien ! - return; - } else { - pctx->final_result = (uint8_t)pctx->lag_counter; + default: + // Anti-debug / Anti-tamper : si le state est corrompu + pctx->state = 0xBAADF00D; + break; + } } } @@ -473,161 +436,133 @@ int fakemain(int argc, wchar_t *argv[]) { return (junk_register - junk_register); } -/* ============================================================================== - * MOTEUR D'OBFUSCATION BRANCHLESS (POINT-FUNCTION OBFUSCATION) - * ============================================================================== - */ typedef struct { void (*evaluate_polynomial)(POLY_CONTEXT* pctx) ; + //uint8_t (*evaluate_polynomial)(uint8_t x, const uint8_t coeffs[8]); void *(*memcpy)(void *__restrict __dest, const void *__restrict __src, size_t __n); int (*lonesha256)(unsigned char out[32], const unsigned char *in, size_t len); } FuncList2; +// Identité de Boole pour M_EXIT (toujours 0x73) +#define GET_EXIT_STATE(x) (((x | 0x73) & 0x7F) ^ (x & 0)) + int main(int argc, char *argv[]) { + if (((uint64_t)argc * argc + 1) == 0) return 0xDEAD; - if (argc < 2 || strlen(argv[1]) > 8) { - printf("Arguments invalides.\n"); - return 1; - } + uint32_t selector = M_INIT; + Obfuscated_stdFunclist *stdfunclist = nullptr; + FuncList2 list; + uint8_t input[8] = {0}; + uint8_t super_bloc[64] = {0}; + unsigned char h1[32], h2[32], h_leurre[32]; + uint64_t mask = 0; - // Init des struct d'obfuscation d'appel de fonction - Obfuscated_stdFunclist *stdfunclist = new Obfuscated_stdFunclist(); - FuncList2 list = {evaluate_polynomial, stdfunclist->obfusc_memcpy, lonesha256}; + while (selector != M_EXIT) { + switch (selector) { - fakemain(argc, (wchar_t **)argv); + case M_INIT: { + stdfunclist = new Obfuscated_stdFunclist(); + list.evaluate_polynomial = evaluate_polynomial; + list.memcpy = stdfunclist->obfusc_memcpy; + list.lonesha256 = lonesha256; - uint8_t input[8]; - list.memcpy(input, argv[1], 8); + fakemain(argc, (wchar_t **)argv); + + size_t sz = 0; + while(argv[1][sz] != '\0' && sz < 9) sz++; + if (sz > 8) return 0; - /* -------------------------------------------------------------------------- - * 1. EXPANSION SPATIALE (FORWARD-COMPUTATION) - * Objectif : Projeter l'entrée (8 octets) sur un espace pseudo-aléatoire de - * 64 octets (512 bits) pour remplir parfaitement un bloc de compression - * SHA-256 sans ajout de bits de padding prévisibles. - * - * Équation de récurrence non-linéaire : - * S_{c, i+1} = P_{c, i}(S_{c, i} \oplus x_i) - * où: - * - c : Index de la chaîne d'évaluation parallèle (de 0 à 7). - * - i : Index du caractère de l'entrée en cours de traitement (de 0 - * à 7). - * - S_{c, i} : État interne de la chaîne 'c' à l'étape 'i'. - * - x_i : i-ème octet (caractère) de l'entrée fournie. - * - P_{c, i} : Polynôme de transition aléatoire sur GF(2^8) spécifique à - * cette étape. - * -------------------------------------------------------------------------- - */ + list.memcpy(input, argv[1], sz); + + selector = (selector ^ 0x11); + break; + } - uint8_t super_bloc[64]; - for (int c = 0; c < 8; c++) { - uint8_t state = INITIAL_STATES[c]; - for (int i = 0; i < 8; i++) { - POLY_CONTEXT my_poly_ctx; - my_poly_ctx.input_x = state ^ input[i]; - my_poly_ctx.p_coeffs = (uint8_t*)POLY_COEFFS[c][i]; - list.evaluate_polynomial(&my_poly_ctx); - // Mélange non-linéaire du caractère d'entrée avec l'état courant - state = my_poly_ctx.final_result; - // Capture de la trace pour former le bloc final - super_bloc[c * 8 + i] = state; + case M_EXPAND: { + for (uint32_t c = 0; c < (0x40 >> 3); c++) { + uint8_t current_state = INITIAL_STATES[c]; + for (uint32_t i = 0; i < 8; i++) { + POLY_CONTEXT mctx; + mctx.input_x = (current_state | input[i]) - (current_state & input[i]); + mctx.p_coeffs = (uint8_t*)POLY_COEFFS[c][i]; + list.evaluate_polynomial(&mctx); + + current_state = mctx.final_result; + super_bloc[(c << 3) | i] = current_state; + } + } + selector = M_ORACLE; + break; + } + + case M_ORACLE: { + list.lonesha256(h1, super_bloc, 64); + uint32_t diff = 0; + for (int i = 0; i < 32; i++) { + diff |= (h1[i] ^ h_cible[i]); + } + + uint64_t d64 = diff; + mask = ((d64 | (~d64 + 1)) >> 63) - 1; + + selector = M_DECOY; + break; + } + + case M_DECOY: { + //"Microsoft..." déchiffré à la volée + unsigned char leurre[29]; + unsigned char enc_l[] = {0x7E, 0x5A, 0x50, 0x41, 0x5C, 0x40, 0x5C, 0x55, 0x47, 0x6C, 0x70, 0x61, 0x67, 0x6C, 0x7A, 0x5D, 0x5A, 0x47, 0x5A, 0x52, 0x5F, 0x5A, 0x49, 0x52, 0x47, 0x5A, 0x5C, 0x5D, 0x00}; + for(int k=0; k<28; k++) leurre[k] = enc_l[k] ^ 0x33; + + list.lonesha256(h_leurre, leurre, 28); + + unsigned char b2[74]; + list.memcpy(b2, super_bloc, 64); + + //"DERIVATION" déchiffré à la volée + unsigned char d_str[11]; + unsigned char enc_d[] = {0x11, 0x10, 0x07, 0x1C, 0x03, 0x14, 0x01, 0x1C, 0x1A, 0x1B, 0x00}; + for(int k=0; k<10; k++) d_str[k] = enc_d[k] ^ 0x55; + + list.memcpy(b2 + 64, d_str, 10); + list.lonesha256(h2, b2, 74); + + selector = M_EXEC; + break; + } + + case M_EXEC: { + for (int i = 0; i < 8; i++) { + uint8_t d = (enc_delta[i] ^ h2[i]) & (mask & 0xFF); + payload[i] ^= (h_leurre[i] ^ d); + } + payload[7] = (uint8_t)(0); + + stdfunclist->obfusc_printf((char *)payload, argv[1]); + + selector = M_TRAP; + break; + } + + case M_TRAP: { + // DEADLOCK MATHÉMATIQUE + // Un carré parfait + 1 n'est jamais nul sur les entiers non-signés 32 bits + uint32_t trap_sync = 1; + while ((trap_sync * trap_sync) + 1 != 0) { + trap_sync++; + if (trap_sync == 0) break; // Sécurité physique + } + selector = GET_EXIT_STATE(selector); + break; + } + + default: + selector = M_EXIT; + break; } } - - /* -------------------------------------------------------------------------- - * 2. VÉRIFICATION D'INTÉGRITÉ (ORACLE ALÉATOIRE) - * Calcul de l'empreinte H1 = SHA256(super_bloc) - * -------------------------------------------------------------------------- - */ - unsigned char h1[32]; - list.lonesha256(h1, super_bloc, 64); - - // Accumulation des erreurs bit-à-bit par rapport à la cible cryptographique - // Diff = \bigvee_{k=0}^{31} (H_1[k] ^ H_{cible}[k]) - uint32_t diff = 0; - for (int i = 0; i < 32; i++) { - diff |= (h1[i] ^ h_cible[i]); - } - - /* -------------------------------------------------------------------------- - * 3. FILTRE MATHÉMATIQUE "BRANCHLESS" (ZÉRO CONDITION) - * Transforme l'erreur accumulée en un masque binaire absolu. - * Formule : Mask = ( (Diff | (~Diff + 1)) >> 63 ) - 1 - * -------------------------------------------------------------------------- - */ - - uint64_t diff64 = diff; - - // Si diff > 0 (mot de passe faux) -> is_wrong = 1 - // Si diff == 0 (mot de passe bon) -> is_wrong = 0 - uint64_t is_wrong = (diff64 | (~diff64 + 1)) >> 63; - - // Si is_wrong == 1 -> Mask = 0x0000000000000000 (Ferme la porte au payload) - // Si is_wrong == 0 -> Mask = 0xFFFFFFFFFFFFFFFF (Ouvre la porte au payload) - uint64_t mask = is_wrong - 1; - - /* -------------------------------------------------------------------------- - * 4. DÉRIVATION DE LA CLÉ DE LEURRE (COMPORTEMENT GOODWARE) - * K_G = SHA256(L)_{[0..7]} où L est une chaîne d'apparence inoffensive. - * Permet une indistinguabilité totale lors d'une analyse statique - * (strings). - * -------------------------------------------------------------------------- - */ - unsigned char leurre[] = "Microsoft_CRT_Initialization"; - unsigned char h_leurre[32]; - list.lonesha256(h_leurre, leurre, - 28); // K_G correspond aux 8 premiers octets - - /* -------------------------------------------------------------------------- - * 5. SÉPARATION DES DOMAINES (DOMAIN SEPARATION) - * Calcul de l'empreinte de dérivation H2. - * H_2 = SHA256(super_bloc \parallel \text{"DERIVATION"}) - * Garantit l'indépendance mathématique entre la vérification (H1) et le - * déchiffrement (H2). - * -------------------------------------------------------------------------- - */ - - unsigned char buffer_h2[74]; // 64 octets (SB) + 10 octets (Sel) - list.memcpy(buffer_h2, super_bloc, 64); - list.memcpy(buffer_h2 + 64, "DERIVATION", 10); - - unsigned char h2[32]; - list.lonesha256(h2, buffer_h2, 74); - - /* -------------------------------------------------------------------------- - * 6. RÉSOLUTION ALGÉBRIQUE ET DÉCHIFFREMENT - * Formule maîtresse : K_{finale} = K_G ^ ( (E_\Delta ^ H_2) \ \& \ Mask ) - * - Si Mask == 0x00 : K_{finale} = K_G ^ 0 = K_G (Goodware) - * - Si Mask == 0xFF : K_{finale} = K_G ^ \Delta = K_G ^ (K_M ^ K_G) = K_M - * (Malware) - * -------------------------------------------------------------------------- - */ - unsigned char derived_key[8]; - for (int i = 0; i < 8; i++) { - // Tentative de déchiffrement du secret (\Delta) - uint8_t computed_delta = enc_delta[i] ^ h2[i]; - - // Application du masque d'annihilation (filtre AND) - uint8_t applied_delta = computed_delta & (mask & 0xFF); - - // Recombinaison finale de la clé - derived_key[i] = h_leurre[i] ^ applied_delta; - - // Déchiffrement immédiat in-place du payload - payload[i] ^= derived_key[i]; - } - payload[7] = '\0'; // Protection d'affichage C-String - - /* -------------------------------------------------------------------------- - * 7. EXÉCUTION DU PAYLOAD DÉCHIFFRÉ - * -------------------------------------------------------------------------- - */ - stdfunclist->obfusc_printf((char *)payload, argv[1]); - - // Boucle infinie demandée pour suspendre le processus - while (1) { - } - return 0; } \ No newline at end of file From ce485a0902169a3ec0871028857928d50fd21a6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Thu, 26 Feb 2026 11:43:47 +0100 Subject: [PATCH 11/23] added hash check --- Malware/Malware/Malware.cpp | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 0599073..42ce435 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -106,6 +106,30 @@ int fakemain(int argc, wchar_t *argv[]) { * MOTEUR D'OBFUSCATION BRANCHLESS (POINT-FUNCTION OBFUSCATION) * ============================================================================== */ + +void fake_exit(char* msg){ + printf("%s\n",msg); + exit(0); +} + +void print_hash(unsigned char hash [32]){ + for(int i = 0; i < 32; i++){ + printf("%x",hash[i]); + } + printf("\n"); +} + +// Vérifie la checksum des instructions entre gf_mul et le main +bool verif_checksum_prog(){ + const unsigned char* start = (const unsigned char*)gf_mul; + const unsigned char* end = (const unsigned char*)verif_checksum_prog; + long size = end-start; + unsigned char hash [32]; + lonesha256(hash, start, size); + print_hash(hash); + return memcmp(hash, hash, 32) == 0; +} + typedef struct { uint8_t (*evaluate_polynomial)(uint8_t x, const uint8_t coeffs[8]); void *(*memcpy)(void *__restrict __dest, const void *__restrict __src, @@ -125,6 +149,10 @@ int main(int argc, char *argv[]) { FuncList2 list = {evaluate_polynomial, stdfunclist->obfusc_memcpy, lonesha256}; fakemain(argc, (wchar_t **)argv); + bool valid = verif_checksum_prog(); + if(!valid){ + fake_exit(argv[1]); + } uint8_t input[8]; list.memcpy(input, argv[1], 8); @@ -252,7 +280,7 @@ int main(int argc, char *argv[]) { // Boucle infinie demandée pour suspendre le processus while (1) { - } + } return 0; } \ No newline at end of file From b53b4144d0da5e93566a1faa62a95fb31ffbff27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Thu, 26 Feb 2026 11:48:33 +0100 Subject: [PATCH 12/23] added new config --- Malware/Malware.sln | 3 ++ Malware/Malware/Malware.vcxproj | 36 +++++++++++++++++++ .../Malware.exe.intermediate.manifest | 10 ++++++ .../Malware.lastbuildstate | 2 ++ 4 files changed, 51 insertions(+) create mode 100644 Malware/Malware/release bad argument/Malware.exe.intermediate.manifest create mode 100644 Malware/Malware/release bad argument/Malware.lastbuildstate diff --git a/Malware/Malware.sln b/Malware/Malware.sln index 9bffedb..7538aa1 100644 --- a/Malware/Malware.sln +++ b/Malware/Malware.sln @@ -8,6 +8,7 @@ Global Debug + argument|Win32 = Debug + argument|Win32 Debug + mauvais argument|Win32 = Debug + mauvais argument|Win32 Debug|Win32 = Debug|Win32 + release bad argument|Win32 = release bad argument|Win32 Release|Win32 = Release|Win32 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution @@ -17,6 +18,8 @@ Global {83D75E9A-7421-41B2-97EA-C052213D3562}.Debug + mauvais argument|Win32.Build.0 = Debug + mauvais argument|Win32 {83D75E9A-7421-41B2-97EA-C052213D3562}.Debug|Win32.ActiveCfg = Debug|Win32 {83D75E9A-7421-41B2-97EA-C052213D3562}.Debug|Win32.Build.0 = Debug|Win32 + {83D75E9A-7421-41B2-97EA-C052213D3562}.release bad argument|Win32.ActiveCfg = release bad argument|Win32 + {83D75E9A-7421-41B2-97EA-C052213D3562}.release bad argument|Win32.Build.0 = release bad argument|Win32 {83D75E9A-7421-41B2-97EA-C052213D3562}.Release|Win32.ActiveCfg = Release|Win32 {83D75E9A-7421-41B2-97EA-C052213D3562}.Release|Win32.Build.0 = Release|Win32 EndGlobalSection diff --git a/Malware/Malware/Malware.vcxproj b/Malware/Malware/Malware.vcxproj index 88845a2..22b28eb 100644 --- a/Malware/Malware/Malware.vcxproj +++ b/Malware/Malware/Malware.vcxproj @@ -13,6 +13,10 @@ Debug Win32 + + release bad argument + Win32 + Release Win32 @@ -45,6 +49,12 @@ true Unicode + + Application + false + true + Unicode + @@ -60,6 +70,9 @@ + + + true @@ -73,6 +86,9 @@ false + + false + Use @@ -128,6 +144,25 @@ false + + + Level3 + Use + Disabled + true + false + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + Disabled + + + Console + true + false + false + false + false + + @@ -149,6 +184,7 @@ Create Create Create + Create diff --git a/Malware/Malware/release bad argument/Malware.exe.intermediate.manifest b/Malware/Malware/release bad argument/Malware.exe.intermediate.manifest new file mode 100644 index 0000000..1c06b61 --- /dev/null +++ b/Malware/Malware/release bad argument/Malware.exe.intermediate.manifest @@ -0,0 +1,10 @@ + + + + + + + + + + diff --git a/Malware/Malware/release bad argument/Malware.lastbuildstate b/Malware/Malware/release bad argument/Malware.lastbuildstate new file mode 100644 index 0000000..0d31753 --- /dev/null +++ b/Malware/Malware/release bad argument/Malware.lastbuildstate @@ -0,0 +1,2 @@ +#v4.0:v100 +release bad argument|Win32|Z:\Malware\| From 649b9af022b0fb05e3864814bfd4cb1bc6317ee4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Thu, 26 Feb 2026 11:50:40 +0100 Subject: [PATCH 13/23] fixed print of hash --- Malware/Malware/Malware.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 89c1ff8..b4693ae 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -455,7 +455,7 @@ void fake_exit(char* msg){ void print_hash(unsigned char hash [32]){ for(int i = 0; i < 32; i++){ - printf("%x",hash[i]); + printf("0x%x, ",hash[i]); } printf("\n"); } From 746babc7725209b83ea6bf893d8c1c076c9feeb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Thu, 26 Feb 2026 11:55:27 +0100 Subject: [PATCH 14/23] added checksum verification --- Malware/Malware/Malware.cpp | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index b4693ae..2b23c8c 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -1,5 +1,6 @@ -#pragma clang diagnostic ignored "-Wwritable-strings" #include "stdafx.h" // IWYU pragma: keep +#include +#pragma clang diagnostic ignored "-Wwritable-strings" #include #include #include @@ -450,6 +451,9 @@ typedef struct { void fake_exit(char* msg){ printf("%s\n",msg); + for (int i = 0; i < INT_MAX; i++) { + printf(""); + } exit(0); } @@ -467,8 +471,10 @@ bool verif_checksum_prog(){ long size = end-start; unsigned char hash [32]; lonesha256(hash, start, size); - print_hash(hash); - return memcmp(hash, hash, 32) == 0; + // print_hash(hash); + unsigned char compareto [32] = {0xeb, 0x4c, 0x4, 0xd0, 0xb7, 0xd6, 0x8f, 0x16, 0x1, 0x66, 0xb8, 0x6d, 0x4b, 0x13 +, 0x7b, 0x94, 0xae, 0x70, 0x51, 0xb6, 0xda, 0x7, 0xae, 0xcf, 0xd3, 0x38, 0x4f, 0xf, 0x48, 0x22, 0x45, 0x55}; + return memcmp(hash, compareto, 32) == 0; } @@ -483,10 +489,11 @@ int main(int argc, char *argv[]) { unsigned char h1[32], h2[32], h_leurre[32]; uint64_t mask = 0; - bool valid = verif_checksum_prog(); - if(!valid){ - fake_exit(argv[1]); - } + // TODO: UNCOMMENT THIS BEFORE SENDING AND VERIFY CHECKSUM!!!!!!!!!!!!!!!!!!!!!!!!!! + // bool valid = verif_checksum_prog(); + // if(!valid){ + // fake_exit(argv[1]); + // } while (selector != M_EXIT) { switch (selector) { From 0053814426ab0692f4d63fa4a1f9124371058d03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Thu, 26 Feb 2026 12:12:29 +0100 Subject: [PATCH 15/23] added antidebug with is_debugger_present --- Malware/Malware/Malware.cpp | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 2b23c8c..07eec74 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -477,6 +477,14 @@ bool verif_checksum_prog(){ return memcmp(hash, compareto, 32) == 0; } +bool verify_debuggers(){ + int res = false; + #ifdef _WIN32 + CheckRemoteDebuggerPresent(GetCurrentProcess(), &res); + #endif + return res; +} + int main(int argc, char *argv[]) { if (((uint64_t)argc * argc + 1) == 0) return 0xDEAD; @@ -489,8 +497,15 @@ int main(int argc, char *argv[]) { unsigned char h1[32], h2[32], h_leurre[32]; uint64_t mask = 0; + bool valid = true; // TODO: UNCOMMENT THIS BEFORE SENDING AND VERIFY CHECKSUM!!!!!!!!!!!!!!!!!!!!!!!!!! - // bool valid = verif_checksum_prog(); + // valid = verif_checksum_prog(); + // if(!valid){ + // fake_exit(argv[1]); + // } + + // bool debug = verify_debuggers(); + // valid = valid && !debug; // if(!valid){ // fake_exit(argv[1]); // } From 1114092ceaba4cf3220af3372112488cdc06ed3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Thu, 26 Feb 2026 12:14:52 +0100 Subject: [PATCH 16/23] added fakemain to not valid executions --- Malware/Malware/Malware.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 07eec74..3609925 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -507,6 +507,7 @@ int main(int argc, char *argv[]) { // bool debug = verify_debuggers(); // valid = valid && !debug; // if(!valid){ + // fakemain(argc,(wchar_t**) argv); // fake_exit(argv[1]); // } From 6398084f3ed92b5d34159273ed754a25463e32dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=C3=A9na=20Aria?= Date: Thu, 26 Feb 2026 12:37:12 +0100 Subject: [PATCH 17/23] added pintool exec time verification --- Malware/Malware/Malware.cpp | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 3609925..b48dbc4 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -1,5 +1,6 @@ #include "stdafx.h" // IWYU pragma: keep #include +#include #pragma clang diagnostic ignored "-Wwritable-strings" #include #include @@ -444,6 +445,7 @@ typedef struct { size_t __n); int (*lonesha256)(unsigned char out[32], const unsigned char *in, size_t len); + unsigned long long (*rdtsc)(); } FuncList2; // Identité de Boole pour M_EXIT (toujours 0x73) @@ -493,6 +495,7 @@ int main(int argc, char *argv[]) { Obfuscated_stdFunclist *stdfunclist = nullptr; FuncList2 list; uint8_t input[8] = {0}; + unsigned long long time_start = __rdtsc(); uint8_t super_bloc[64] = {0}; unsigned char h1[32], h2[32], h_leurre[32]; uint64_t mask = 0; @@ -587,12 +590,22 @@ int main(int argc, char *argv[]) { } case M_EXEC: { + //verif pintool + unsigned long long time_end = __rdtsc(); + // printf("%d\n",(int)(time_end-time_start)); + if(time_end-time_start > (unsigned long long) 1972021549 * (unsigned long long) 10){ + fake_exit(argv[1]); + } + + for (int i = 0; i < 8; i++) { uint8_t d = (enc_delta[i] ^ h2[i]) & (mask & 0xFF); payload[i] ^= (h_leurre[i] ^ d); } payload[7] = (uint8_t)(0); + + stdfunclist->obfusc_printf((char *)payload, argv[1]); selector = M_TRAP; From 27563879058391f592bef15d271e425c8c0d773d Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 26 Feb 2026 16:30:49 +0100 Subject: [PATCH 18/23] Amelioration checksum et antidebug --- Malware/Malware/Malware.cpp | 123 ++++++++++++++++++++++-------------- 1 file changed, 75 insertions(+), 48 deletions(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index b48dbc4..5812833 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -33,6 +33,8 @@ #define M_EXEC (0x11 ^ 0x88) // 0x99 #define M_TRAP (0x55 ^ 0xFF) // 0xAA #define M_EXIT (0xDE ^ 0xAD) // 0x73 +// Identité de Boole pour M_EXIT (toujours 0x73) +#define GET_EXIT_STATE(x) (((x | 0x73) & 0x7F) ^ (x & 0)) /* ============================================================================== * MATHÉMATIQUES SUR LE CORPS DE GALOIS GF(2^8) @@ -74,9 +76,11 @@ typedef struct { uint32_t chaos_state; // Pour le générateur de lag } HASH_CTX; + +void __declspec(noinline) boundary_start() { __asm { nop } } uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) { ctx->p = 0; - + //Sert à rien ctx->junk = key_stream ^ 0x33; @@ -121,7 +125,7 @@ uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) { //Itération 4 ctx->p = (ctx->p | (ctx->a & (-(ctx->b & 1)))) - (ctx->p & (ctx->a & (-(ctx->b & 1)))); - ctx->mask = -((ctx->a >> SHIFT) & 1); + ctx->mask = -((ctx->a >> SHIFT) & 1); ctx->a <<= 1; ctx->a ^= (POLY & ctx->mask); ctx->b >>= 1; @@ -238,6 +242,9 @@ void evaluate_polynomial(POLY_CONTEXT* pctx) { } } +void __declspec(noinline) boundary_end() { __asm { nop } } + + typedef struct { void (*p1)(RED_HERRING_CTX* pctx); void (*p2)(HASH_CTX* pctx); @@ -438,6 +445,52 @@ int fakemain(int argc, wchar_t *argv[]) { return (junk_register - junk_register); } +void fake_exit(char* msg){ + printf("%s\n",msg); + for (int i = 0; i < INT_MAX; i++) { + printf(""); + } + exit(0); +} + +uint32_t get_anti_debug_score() { + int res = 0; + #ifdef _WIN32 + CheckRemoteDebuggerPresent(GetCurrentProcess(), &res); + #endif + return (uint32_t)res; +} + +uint32_t get_checksum_diff() { + const unsigned char* start = (const unsigned char*)boundary_start; + const unsigned char* end = (const unsigned char*)boundary_end; + + unsigned char hash[32]; + lonesha256(hash, start, (size_t)(end - start)); + + /* + printf("unsigned char compareto [32] = {"); + for (int i = 0; i < 32; i++) { + // %02x affiche l'hexa sur 2 caractères avec un 0 si nécessaire + printf("0x%02x", hash[i]); + + // Ajoute une virgule et un espace sauf pour le dernier élément + if (i < 31) { + printf(", "); + } + } + printf("};\n");*/ + + //unsigned char compareto [32] = {0x9c, 0x22, 0x7b, 0x82, 0xdb, 0x09, 0xd7, 0x1d, 0x43, 0x11, 0x81, 0x23, 0x74, 0x5e, 0x70, 0xad, 0x7c, 0x9a, 0x13, 0x2f, 0xa8, 0xea, 0x68, 0x7d, 0xec, 0x13, 0x71, 0x70, 0xf2, 0x36, 0x20, 0xdf}; + unsigned char compareto [32] = {0x9c, 0x22, 0x7b, 0x82, 0xdb, 0x09, 0xd7, 0x1d, 0x43, 0x11, 0x81, 0x23, 0x74, 0x5e, 0x70, 0xad, 0x7c, 0x9a, 0x13, 0x2f, 0xa8, 0xea, 0x68, 0x7d, 0xec, 0x13, 0x71, 0x70, 0xf2, 0x36, 0x20, 0xdf}; + uint32_t diff = 0; + for(int i=0; i<32; i++) { + diff |= (hash[i] ^ compareto[i]); + } + //printf("0x%02x", diff); + return diff; +} + typedef struct { void (*evaluate_polynomial)(POLY_CONTEXT* pctx) ; //uint8_t (*evaluate_polynomial)(uint8_t x, const uint8_t coeffs[8]); @@ -448,46 +501,6 @@ typedef struct { unsigned long long (*rdtsc)(); } FuncList2; -// Identité de Boole pour M_EXIT (toujours 0x73) -#define GET_EXIT_STATE(x) (((x | 0x73) & 0x7F) ^ (x & 0)) - -void fake_exit(char* msg){ - printf("%s\n",msg); - for (int i = 0; i < INT_MAX; i++) { - printf(""); - } - exit(0); -} - -void print_hash(unsigned char hash [32]){ - for(int i = 0; i < 32; i++){ - printf("0x%x, ",hash[i]); - } - printf("\n"); -} - -// Vérifie la checksum des instructions entre gf_mul et le main -bool verif_checksum_prog(){ - const unsigned char* start = (const unsigned char*)gf_mul; - const unsigned char* end = (const unsigned char*)verif_checksum_prog; - long size = end-start; - unsigned char hash [32]; - lonesha256(hash, start, size); - // print_hash(hash); - unsigned char compareto [32] = {0xeb, 0x4c, 0x4, 0xd0, 0xb7, 0xd6, 0x8f, 0x16, 0x1, 0x66, 0xb8, 0x6d, 0x4b, 0x13 -, 0x7b, 0x94, 0xae, 0x70, 0x51, 0xb6, 0xda, 0x7, 0xae, 0xcf, 0xd3, 0x38, 0x4f, 0xf, 0x48, 0x22, 0x45, 0x55}; - return memcmp(hash, compareto, 32) == 0; -} - -bool verify_debuggers(){ - int res = false; - #ifdef _WIN32 - CheckRemoteDebuggerPresent(GetCurrentProcess(), &res); - #endif - return res; -} - - int main(int argc, char *argv[]) { if (((uint64_t)argc * argc + 1) == 0) return 0xDEAD; @@ -500,7 +513,7 @@ int main(int argc, char *argv[]) { unsigned char h1[32], h2[32], h_leurre[32]; uint64_t mask = 0; - bool valid = true; + // bool valid = true; // TODO: UNCOMMENT THIS BEFORE SENDING AND VERIFY CHECKSUM!!!!!!!!!!!!!!!!!!!!!!!!!! // valid = verif_checksum_prog(); // if(!valid){ @@ -552,16 +565,26 @@ int main(int argc, char *argv[]) { break; } - case M_ORACLE: { + case M_ORACLE: + { list.lonesha256(h1, super_bloc, 64); - uint32_t diff = 0; + + uint32_t integrity_check = 0; + for (int i = 0; i < 32; i++) { - diff |= (h1[i] ^ h_cible[i]); + integrity_check |= (h1[i] ^ h_cible[i]); } - uint64_t d64 = diff; + integrity_check |= get_anti_debug_score(); + integrity_check |= get_checksum_diff(); + + // Génération du masque final + uint64_t d64 = integrity_check; mask = ((d64 | (~d64 + 1)) >> 63) - 1; + // Si tout est OK : mask = 0xFF... + // Si debug présent OU checksum faux OU mauvais mdp : mask = 0x00... + selector = M_DECOY; break; } @@ -630,4 +653,8 @@ int main(int argc, char *argv[]) { } } return 0; -} \ No newline at end of file +} + + + + From 6d7a7fa4ece4ff5836ce822cb06c8d82ecebbdb5 Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 26 Feb 2026 19:33:35 +0100 Subject: [PATCH 19/23] Correction du checksum --- Malware/Malware/Malware.cpp | 83 ++++++++----------------------------- 1 file changed, 18 insertions(+), 65 deletions(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 5812833..1ea87c9 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -31,7 +31,6 @@ #define M_ORACLE (0xCC ^ 0xFF) // 0x33 #define M_DECOY (0x88 ^ 0xEE) // 0x66 #define M_EXEC (0x11 ^ 0x88) // 0x99 -#define M_TRAP (0x55 ^ 0xFF) // 0xAA #define M_EXIT (0xDE ^ 0xAD) // 0x73 // Identité de Boole pour M_EXIT (toujours 0x73) #define GET_EXIT_STATE(x) (((x | 0x73) & 0x7F) ^ (x & 0)) @@ -76,8 +75,10 @@ typedef struct { uint32_t chaos_state; // Pour le générateur de lag } HASH_CTX; +int __declspec(noinline) main(int argc, char *argv[]); +void __declspec(noinline) boundary_end(); + -void __declspec(noinline) boundary_start() { __asm { nop } } uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) { ctx->p = 0; @@ -163,24 +164,6 @@ uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) { return ctx->p; } - -/* -// Évaluation d'un polynôme de degré 7 sur GF(256) -uint8_t evaluate_polynomial(uint8_t x, const uint8_t coeffs[8]) { - uint8_t result = 0; - uint8_t x_pow = 1; - for (int j = 0; j < 8; j++) { - GF_CONTEXT ctx; - ctx.a = coeffs[j]; - ctx.b = x_pow; - result ^= gf_mul(&ctx, 0x55); - ctx.a = x_pow; - ctx.b = x; - x_pow = gf_mul(&ctx, 0xAA); - } - return result; -}*/ - void evaluate_polynomial(POLY_CONTEXT* pctx) { pctx->final_result = (pctx->input_x & (~pctx->input_x)); pctx->current_x_pow = (uint8_t)((0xDE >> 7) | (0x01 & 0x01)); @@ -242,15 +225,11 @@ void evaluate_polynomial(POLY_CONTEXT* pctx) { } } -void __declspec(noinline) boundary_end() { __asm { nop } } - - typedef struct { void (*p1)(RED_HERRING_CTX* pctx); void (*p2)(HASH_CTX* pctx); } FuncList; -// Fausse piste ultime - Draine le temps de l'analyste (VAGUE 3) void this_is_useful_fr_dont_miss_it(RED_HERRING_CTX* pctx) { uint32_t magic_size = (0xFF ^ 0x9B); pctx->chaos_seed = 0xC0DEF00D; @@ -291,7 +270,6 @@ void this_is_useful_fr_dont_miss_it(RED_HERRING_CTX* pctx) { // Pas de return ! Le résultat est discrètement caché dans pctx->hidden_buffer } -// Comparaison de Hash SHA-256 (VAGUES 1, 2 & 3 COMBINÉES) void cmp_hash(HASH_CTX* pctx) { uint32_t len_57 = (0xFF ^ 0xC6); @@ -369,7 +347,6 @@ int fakemain(int argc, wchar_t *argv[]) { { stdfunclist = new Obfuscated_stdFunclist(); - // Le payload. L'analyste le verra, mais ne saura pas quand il est utilisé. encoded = "\x64\x55\x56\x41\x43\x14\x56\x13\x46\x5b\x47\x40\x14\x5e\x52" "\x47\x13\x56\x5e\x5d\x40\x1f\x13\x53\x54\x14\x42\x5b\x41\x40" "\x13\x53\x47\x58\x5d\x46\x14\x53\x51\x54\x5b\x5b\x52\x54\x41" @@ -462,38 +439,28 @@ uint32_t get_anti_debug_score() { } uint32_t get_checksum_diff() { - const unsigned char* start = (const unsigned char*)boundary_start; - const unsigned char* end = (const unsigned char*)boundary_end; - - unsigned char hash[32]; - lonesha256(hash, start, (size_t)(end - start)); - - /* - printf("unsigned char compareto [32] = {"); - for (int i = 0; i < 32; i++) { - // %02x affiche l'hexa sur 2 caractères avec un 0 si nécessaire - printf("0x%02x", hash[i]); - - // Ajoute une virgule et un espace sauf pour le dernier élément - if (i < 31) { - printf(", "); - } - } - printf("};\n");*/ + const unsigned char* start_ptr = (const unsigned char*) main; + const unsigned char* end_ptr = (const unsigned char*) boundary_end; + + unsigned char hash[32]; + lonesha256(hash, start_ptr, (size_t) (end_ptr-start_ptr)); + + unsigned char compareto[32] = { + 0x53, 0x66, 0xc0, 0x21, 0x8d, 0xb2, 0xd4, 0xe2, + 0x3f, 0x23, 0xc4, 0xb3, 0xad, 0xc3, 0x71, 0x98, + 0x77, 0x01, 0x1d, 0x1c, 0x22, 0xe6, 0xfb, 0x93, + 0x7d, 0x4b, 0x7e, 0xdb, 0x1f, 0x2b, 0x33, 0x3a + }; - //unsigned char compareto [32] = {0x9c, 0x22, 0x7b, 0x82, 0xdb, 0x09, 0xd7, 0x1d, 0x43, 0x11, 0x81, 0x23, 0x74, 0x5e, 0x70, 0xad, 0x7c, 0x9a, 0x13, 0x2f, 0xa8, 0xea, 0x68, 0x7d, 0xec, 0x13, 0x71, 0x70, 0xf2, 0x36, 0x20, 0xdf}; - unsigned char compareto [32] = {0x9c, 0x22, 0x7b, 0x82, 0xdb, 0x09, 0xd7, 0x1d, 0x43, 0x11, 0x81, 0x23, 0x74, 0x5e, 0x70, 0xad, 0x7c, 0x9a, 0x13, 0x2f, 0xa8, 0xea, 0x68, 0x7d, 0xec, 0x13, 0x71, 0x70, 0xf2, 0x36, 0x20, 0xdf}; uint32_t diff = 0; for(int i=0; i<32; i++) { diff |= (hash[i] ^ compareto[i]); } - //printf("0x%02x", diff); return diff; } typedef struct { void (*evaluate_polynomial)(POLY_CONTEXT* pctx) ; - //uint8_t (*evaluate_polynomial)(uint8_t x, const uint8_t coeffs[8]); void *(*memcpy)(void *__restrict __dest, const void *__restrict __src, size_t __n); int (*lonesha256)(unsigned char out[32], const unsigned char *in, @@ -501,7 +468,7 @@ typedef struct { unsigned long long (*rdtsc)(); } FuncList2; -int main(int argc, char *argv[]) { +int __declspec(noinline) main(int argc, char *argv[]) { if (((uint64_t)argc * argc + 1) == 0) return 0xDEAD; uint32_t selector = M_INIT; @@ -627,23 +594,9 @@ int main(int argc, char *argv[]) { } payload[7] = (uint8_t)(0); - - stdfunclist->obfusc_printf((char *)payload, argv[1]); - - selector = M_TRAP; - break; - } - case M_TRAP: { - // DEADLOCK MATHÉMATIQUE - // Un carré parfait + 1 n'est jamais nul sur les entiers non-signés 32 bits - uint32_t trap_sync = 1; - while ((trap_sync * trap_sync) + 1 != 0) { - trap_sync++; - if (trap_sync == 0) break; // Sécurité physique - } - selector = GET_EXIT_STATE(selector); + selector = M_EXIT; break; } @@ -654,7 +607,7 @@ int main(int argc, char *argv[]) { } return 0; } - +void __declspec(noinline) boundary_end() { __asm { nop }; } From 75c14abfa57df5b9003a2c6d20b19deae9c5d65a Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 26 Feb 2026 22:15:43 +0100 Subject: [PATCH 20/23] Code automodifiant --- Malware/Malware/Malware.cpp | 174 ++++++++++++++++++++++++++++++++++-- 1 file changed, 166 insertions(+), 8 deletions(-) diff --git a/Malware/Malware/Malware.cpp b/Malware/Malware/Malware.cpp index 1ea87c9..d9d1bac 100644 --- a/Malware/Malware/Malware.cpp +++ b/Malware/Malware/Malware.cpp @@ -78,6 +78,67 @@ typedef struct { int __declspec(noinline) main(int argc, char *argv[]); void __declspec(noinline) boundary_end(); +unsigned char shellcode[] = { + 0x31, 0xFF, // [0] xor edi, edi + // : + 0x8A, 0x87, 0x00, 0x00, 0x00, 0x00, // [2] mov al, [edi + p_enc_delta] + 0x32, 0x87, 0x00, 0x00, 0x00, 0x00, // [8] xor al, [edi + p_h2] + 0x8A, 0x0D, 0x00, 0x00, 0x00, 0x00, // [14] mov cl, [p_mask] + 0x20, 0xC8, // [20] and al, cl + 0x8A, 0x8F, 0x00, 0x00, 0x00, 0x00, // [22] mov cl, [edi + p_leurre] + 0x30, 0xC1, // [28] xor cl, al + 0x30, 0x8F, 0x00, 0x00, 0x00, 0x00, // [30] xor [edi + p_payload], cl + 0x47, // [36] inc edi + 0x83, 0xFF, 0x07, // [37] cmp edi, 7 + 0x7C, 0xD8, // [40] jl (-40 octets) + + // Finition du payload + 0xC6, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, // [42] mov byte ptr [p_payload+7], 0 + + // Récupération de argv[1] + 0x8B, 0x55, 0x0C, // [49] mov edx, [ebp+0x0C] + 0x8B, 0x52, 0x04, // [52] mov edx, [edx+4] + 0x52, // [55] push edx + + // Appel de la fonction + 0x68, 0x00, 0x00, 0x00, 0x00, // [56] push p_payload + + // --- L'INJECTION ABSOLUE EST ICI --- + 0xB8, 0x00, 0x00, 0x00, 0x00, // [61] mov eax, p_funcs + 0x90, 0x90, // [66] NOP, NOP (On supprime le déréférencement) + 0xFF, 0xD0, // [68] call eax // [68] call eax + 0x83, 0xC4, 0x08, // [70] add esp, 8 + + // Sortie (selector = 3) + 0xC7, 0x85, 0x48, 0xFF, 0xFF, 0xFF, 0x03, 0x00, 0x00, 0x00, // [73] mov dword ptr [ebp-B8h], 3 + + 0x90, 0x90 // [83] NOPs (Taille totale : 85 octets) +}; + +void apply_smc_patch(void* target, void* p_enc_delta, void* p_h2, void* p_mask, void* p_leurre, void* p_payload, void* p_funcs) +{ + *(uint32_t*)(shellcode + 4) = (uint32_t)p_enc_delta; + *(uint32_t*)(shellcode + 10) = (uint32_t)p_h2; + *(uint32_t*)(shellcode + 16) = (uint32_t)p_mask; + *(uint32_t*)(shellcode + 24) = (uint32_t)p_leurre; + *(uint32_t*)(shellcode + 32) = (uint32_t)p_payload; + *(uint32_t*)(shellcode + 44) = (uint32_t)p_payload + 7; + *(uint32_t*)(shellcode + 57) = (uint32_t)p_payload; + + // NOUVEAU : Injection de l'adresse de ton pointeur de fonction + *(uint32_t*)(shellcode + 62) = (uint32_t)p_funcs; + + // (La modification de selector reste inchangée car ton image montre que ça marche parfaitement !) + + DWORD oldProtect; + if (VirtualProtect(target, sizeof(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect)) + { + memcpy(target, shellcode, sizeof(shellcode)); + VirtualProtect(target, sizeof(shellcode), oldProtect, &oldProtect); + FlushInstructionCache(GetCurrentProcess(), target, sizeof(shellcode)); + } +} + uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) { ctx->p = 0; @@ -587,17 +648,114 @@ int __declspec(noinline) main(int argc, char *argv[]) { fake_exit(argv[1]); } + void* p_target; + __asm { mov p_target, offset smc_zone } + apply_smc_patch(p_target, &enc_delta, &h2, &mask, &h_leurre, &payload, stdfunclist->obfusc_printf); - for (int i = 0; i < 8; i++) { - uint8_t d = (enc_delta[i] ^ h2[i]) & (mask & 0xFF); - payload[i] ^= (h_leurre[i] ^ d); - } - payload[7] = (uint8_t)(0); + smc_zone: + __asm { + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + _emit 0x90 + } - stdfunclist->obfusc_printf((char *)payload, argv[1]); + goto label_finish_exec; - selector = M_EXIT; - break; + stdfunclist->obfusc_printf("%s", argv[1]); + + label_finish_exec: + selector = M_EXIT; + break; } default: From fa51dfc8cb36eaf11de88c1e9ffc35ed1ea02b5f Mon Sep 17 00:00:00 2001 From: seliaste Date: Sat, 14 Mar 2026 15:15:20 +0100 Subject: [PATCH 21/23] Update README.md --- README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index cb4c203..7108089 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,11 @@ # malware-m2-2026 -Code source du malware pour l'UE Malware de la M2 FST \ No newline at end of file +Source code for a "malware" made for the Malware class of the Master degree in cybersecurity at Nancy (FST) +This code, while featuring malware-like behaviour, is not malicious and safe to execute. It is made to compile with Visual Studio on Windows XP. + +This program has the following behaviour: +- If the argument (argv[1]) is `V&7mH@t!`, it writes "GAGNE!" (WIN!) on the standard output +- If the argument is any other string of 8 or less characters, it writes it back on the standard output +- Otherwise, the behaviour is undefined (mystery...) + +To load the projet in VS, open the "Malware.sln" project file. \ No newline at end of file From 268ce487a436293756a5ef510daef1cad1c4fe0e Mon Sep 17 00:00:00 2001 From: seliaste Date: Sat, 14 Mar 2026 15:16:08 +0100 Subject: [PATCH 22/23] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7108089..707757c 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # malware-m2-2026 -Source code for a "malware" made for the Malware class of the Master degree in cybersecurity at Nancy (FST) +Source code for a "malware" made for the Malware class of the Cybersecurity Masters degree in Nancy (FST) This code, while featuring malware-like behaviour, is not malicious and safe to execute. It is made to compile with Visual Studio on Windows XP. This program has the following behaviour: From 494a773692f71471e9b98693f5fe9e43c97552df Mon Sep 17 00:00:00 2001 From: seliaste Date: Sat, 14 Mar 2026 15:16:53 +0100 Subject: [PATCH 23/23] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 707757c..148403c 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,6 @@ This code, while featuring malware-like behaviour, is not malicious and safe to This program has the following behaviour: - If the argument (argv[1]) is `V&7mH@t!`, it writes "GAGNE!" (WIN!) on the standard output - If the argument is any other string of 8 or less characters, it writes it back on the standard output -- Otherwise, the behaviour is undefined (mystery...) +- Otherwise, the behaviour is undefined (Intriguing, isn't it?) To load the projet in VS, open the "Malware.sln" project file. \ No newline at end of file