es3n1n / obfuscator
PE bin2bin obfuscator
Home Page: https://blog.es3n1n.eu/posts/obfuscator-pt-1
License: GNU General Public License v3.0
This topic is truly fascinating and, unfortunately, there isn't much about it on the internet. It would be interesting if, in the future, we could see some basic content regarding bin2bin code virtualization.
I have tried clang17/libc++abi-17-dev on Kali but it failed at the linker (looks like some symbols couldn't be found in libc++; compiled 100%).
Then I tried other LLVM Docker images, but they also failed.
It would be helpful to provide some version information, as C++23 is not stably supported.
Hi, can I use this after using Themida?
or
can I use Themida after using this?
Thanks!
command: obfuscator.exe stage1.dll -f main
(seed irrelevant)
crash at:
sample: RelWithDebInfo.zip (It's part of fumo_loader, one of my projects, just built with symbols)
discord name: nezu.cc
in case you need that
obf a.exe -f main
15:56:52.897 | [ info ] random: seed is 0xf758817f291fee
15:56:52.900 | [ info ] main: loading binary from a.exe
15:56:52.905 | [ debug ] pe: parsed 11 sections
15:56:52.907 | [critical] RUNTIME ERROR: pe: duplicated 0x22b000 rva entry
Tried this on two .exes. Not too sure why, maybe I need to disable a compiler setting when compiling a.exe?
Some of the project files that are header only can benefit from having source files created for them.
As per https://github.com/es3n1n/obfuscator/blob/master/todo.txt#L1
PS C:\Users\user\Desktop\obfuscator> C:\Users\user\Desktop\obfuscator\build\src\Release\obfuscator.exe ..\test.exe
09:45:08.662 | [ info ] random: seed is 0x87ee46b82834fc34
09:45:08.666 | [ info ] main: loading binary from ..\test.exe
09:45:08.696 | [ debug ] pe: parsed 15 sections
09:45:08.700 | [ debug ] pe: parsed total number of 29309 relocations
09:45:08.701 | [ info ] func_parser: discovering functions: 0%
09:45:08.702 | [ info ] func_parser: discovering functions: 25%
09:45:08.703 | [ info ] func_parser: discovering functions: 50%
09:45:08.705 | [ info ] func_parser: discovering functions: 75%
09:45:08.708 | [ info ] func_parser: discovering functions: 100% took 7 ms
09:45:08.712 | [critical] RUNTIME ERROR: parser: Parsed 0 functions in total
text.exe is a Golang binary; I also tried a C binary and got the same issue. Any idea how to fix the issue?
13:10:14.962 | [ info ] random: seed is 0x5904f32cf6a0ce77
13:10:14.964 | [ info ] main: loading binary from test.exe
13:10:14.968 | [ debug ] pe: parsed 6 sections
13:10:14.969 | [ debug ] pe: parsed total number of 232 relocations
13:10:14.970 | [ info ] func_parser: discovering functions: 0%
13:10:15.026 | [ debug ] pdb: Parsed 38 types of DBI symbols
13:10:15.058 | [ info ] func_parser: discovering functions: 25%
13:10:15.058 | [ info ] func_parser: discovering functions: 50%
13:10:15.062 | [ info ] func_parser: discovering functions: 75%
13:10:15.066 | [ info ] func_parser: discovering functions: 100% took 96 ms
13:10:15.068 | [ debug ] func_parser: discovered 3089 functions
13:10:15.069 | [ info ] obfuscator: setting up functions: 9223372036854775808% took 13 microseconds
13:10:15.070 | [ info ] obfuscator: got 0 function(s) to obfuscate
13:10:15.075 | [critical] RUNTIME ERROR: obfuscator: got 0 functions to protect
It gives me this error for every .exe that I try
Smaller functions with only one basic block break most of the transforms. A fix for this would be writing a transform that splits it up into multiple.
mov rax, 1
ret
becomes
:bb1
mov rax, 1
jmp bb2
:bb2
ret
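The split proposed in the issue above, as an added C++ example that is not the project's code: `BasicBlock` and `split_block` are hypothetical names, instructions are modelled as plain text, and the `bbN` labels are assumed not to collide with existing ones.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical textual IR for illustration; not the obfuscator's own types.
struct BasicBlock {
    std::string label;
    std::vector<std::string> insns;  // terminator (ret/jmp) is the last entry
};

// Split one basic block into a chain of blocks of at most `chunk`
// instructions each, joined by unconditional jumps, with the original
// terminator in a block of its own. `jmp` changes neither registers nor
// flags, so a cut between any two instructions preserves behaviour.
// Assumes the labels bb1..bbN are unused elsewhere in the function.
std::vector<BasicBlock> split_block(const BasicBlock& bb, std::size_t chunk) {
    // Edge case: a lone terminator (e.g. just `ret`) has nothing to cut.
    if (bb.insns.size() < 2 || chunk == 0) return {bb};

    std::vector<BasicBlock> out;
    const std::size_t body = bb.insns.size() - 1;  // all but the terminator
    std::size_t n = 1;
    for (std::size_t i = 0; i < body; i += chunk) {
        BasicBlock part{"bb" + std::to_string(n), {}};
        const std::size_t end = std::min(i + chunk, body);
        part.insns.assign(bb.insns.begin() + i, bb.insns.begin() + end);
        part.insns.push_back("jmp bb" + std::to_string(++n));
        out.push_back(std::move(part));
    }
    out.push_back({"bb" + std::to_string(n), {bb.insns.back()}});
    return out;
}

int main() {
    // Constructed input: the two-instruction function from the issue.
    const BasicBlock f{"main", {"mov rax, 1", "ret"}};
    for (const auto& b : split_block(f, 1)) {
        std::cout << ':' << b.label << '\n';
        for (const auto& insn : b.insns) std::cout << insn << '\n';
    }
}
```

On real machine code the moved instructions also need their RIP-relative operands and relocations adjusted, which this textual model leaves out.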
Command I've used to perform:
"C:\Users\geork\Documents\Github\obfuscator\build\src\RelWithDebInfo\obfuscator.exe" C:\Users\geork\Documents\Github\obfox\test_app\AppKey\x64\Debug\AppKey.exe -pdb C:\Users\geork\Documents\Github\obfox\test_app\AppKey\x64\Debug\AppKey.pdb -f main -t ConstantCrypt -t BogusControlFlow -t DecompBreak -t Substitution -v SomeValue0 133
AppKey source code:
#include <stdio.h>
#include <string.h>

#define PASS "key01234"
#define BUFF_SIZE 0xFF

int main(void) {
    printf("Enter key: ");
    char key[BUFF_SIZE];
    fgets(key, BUFF_SIZE, stdin);
    key[sizeof(PASS) - 1] = '\0';
    if (strcmp(key, PASS) == 0) {
        printf("Correct key!\n");
    } else {
        printf("Incorrect key!\n");
    }
    getchar();
    return 0;
}
I've tried both Release and Release with debug info versions of obfuscator. Both do nothing, I guess it's because of an exception:
Console output:
If I remove all of the transforms I want to apply to the program and leave only, for example, ConstantCrypt, it still doesn't work.
Is iOS (MachO) supported?
Good job, mate!
Do you have any idea how to rebuild the executable without adding a second executable section?
I think it has to look like the https://github.com/jnastarot/furikuri project