From 5b004bff5468a401cc2f65ae53e069f2b3dd5172 Mon Sep 17 00:00:00 2001 From: keowu Date: Wed, 4 Jun 2025 20:55:23 -0300 Subject: [PATCH] feat: Enable "Ignore Remove Original Code After Obfuscation" Users can now enable an option in the obfuscation config to "ignore the removal of the original code" after obfuscation. --- RyujinConsole/RyujinConsole/Ryujin/Ryujin.cc | 5 +---- .../Ryujin/RyujinCore/RyujinObfuscationCore.cc | 8 +++----- .../Ryujin/RyujinCore/RyujinObfuscationCore.hh | 2 +- RyujinConsole/RyujinConsole/RyujinConsole.cc | 1 + 4 files changed, 6 insertions(+), 10 deletions(-) diff --git a/RyujinConsole/RyujinConsole/Ryujin/Ryujin.cc b/RyujinConsole/RyujinConsole/Ryujin/Ryujin.cc index 8d938d2..64f3735 100644 --- a/RyujinConsole/RyujinConsole/Ryujin/Ryujin.cc +++ b/RyujinConsole/RyujinConsole/Ryujin/Ryujin.cc @@ -149,9 +149,6 @@ bool Ryujin::run(const RyujinObfuscatorConfig& config) { } - //Remove old code and jump to the new code region - if (config.m_isIgnoreOriginalCodeRemove) todoAction(); - //Add section char chSectionName[8]{ '.', 'R', 'y', 'u', 'j', 'i', 'n', '\0' }; if (config.m_isRandomSection) RyujinUtils::randomizeSectionName(chSectionName); @@ -169,7 +166,7 @@ bool Ryujin::run(const RyujinObfuscatorConfig& config) { obc.applyRelocationFixupsToInstructions(reinterpret_cast(imgDos), peSections.getRyujinSectionVA() + offsetVA, tempValued); //Removendo e adicionando um salto no procedimento original e removendo opcodes originais para um salto ao novo código ofuscado - obc.removeOldOpcodeRedirect(peSections.mappedPeDiskBaseAddress(), peSections.getRyujinMappedPeSize(), reinterpret_cast(imgDos) + peSections.getRyujinSectionVA() + offsetVA); + obc.removeOldOpcodeRedirect(peSections.mappedPeDiskBaseAddress(), peSections.getRyujinMappedPeSize(), reinterpret_cast(imgDos) + peSections.getRyujinSectionVA() + offsetVA, config.m_isIgnoreOriginalCodeRemove); //Destructing class obc.~RyujinObfuscationCore(); 
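Review bot: The comment above the changed `removeOldOpcodeRedirect` call in the second Ryujin.cc hunk still says the original opcodes are removed, but with the new fourth argument that now depends on `config.m_isIgnoreOriginalCodeRemove`. I would replace it with `// Redirect the original procedure to the obfuscated code; the original opcodes are NOP-filled unless m_isIgnoreOriginalCodeRemove is set`. Ryujin::run starts and ends outside the hunk.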
diff --git a/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.cc b/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.cc index 20ac756..b14be3c 100644 --- a/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.cc +++ b/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.cc @@ -437,7 +437,7 @@ void RyujinObfuscationCore::applyRelocationFixupsToInstructions(uintptr_t imageB } -void RyujinObfuscationCore::removeOldOpcodeRedirect(uintptr_t newMappedPE, std::size_t szMapped, uintptr_t newObfuscatedAddress) { +void RyujinObfuscationCore::removeOldOpcodeRedirect(uintptr_t newMappedPE, std::size_t szMapped, uintptr_t newObfuscatedAddress, bool isIgnoreOriginalCodeRemove) { /* Creating signatures to search for the opcode in the PE mapped from disk. @@ -448,10 +448,8 @@ void RyujinObfuscationCore::removeOldOpcodeRedirect(uintptr_t newMappedPE, std:: std::memcpy(ucSigature, reinterpret_cast(m_proc.address), 10); auto offsetz = findOpcodeOffset(reinterpret_cast(newMappedPE), szMapped, &ucSigature, 10); - /* - Removing all the opcodes from the original procedure and replacing them with NOP instructions. - */ - std::memset(reinterpret_cast(newMappedPE + offsetz), 0x90, m_proc.size); + // Based on the obfuscation configuration, some users can decide to not remove the original code from the original procedure after obfuscation. + if (!isIgnoreOriginalCodeRemove) std::memset(reinterpret_cast(newMappedPE + offsetz), 0x90, m_proc.size); // Removing all the opcodes from the original procedure and replacing them with NOP instructions. /* Creating a new JMP opcode in such a way that it can be added to the old region that was completely replaced by NOP, diff --git a/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.hh b/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.hh index 14d641a..43fae19 100644 --- a/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.hh 
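Review bot: Nothing between the `findOpcodeOffset` call and the now-conditional `std::memset` in the second RyujinObfuscationCore.cc hunk checks `offsetz`, so a signature that is not found, or is found close to the end of the mapping, lets the fill write `m_proc.size` bytes past the `szMapped` buffer. How findOpcodeOffset reports a miss is not visible here, so the guard has to cover that value as well as the range, for example `if (offsetz + m_proc.size > szMapped) return;` adjusted to the type it returns. Judging by the context comment, the JMP write that follows targets the same region and still runs when the flag is set, so the check belongs ahead of the new `if`. That context comment also describes the region as "completely replaced by NOP", which no longer holds when the flag is set. The function body continues outside the hunk.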
+++ b/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.hh @@ -26,7 +26,7 @@ private: public: RyujinObfuscationCore(const RyujinObfuscatorConfig& config, const RyujinProcedure& proc); void applyRelocationFixupsToInstructions(uintptr_t imageBase, DWORD virtualAddress, std::vector& new_opcodes); - void removeOldOpcodeRedirect(uintptr_t newMappedPE, std::size_t szMapped, uintptr_t newObfuscatedAddress); + void removeOldOpcodeRedirect(uintptr_t newMappedPE, std::size_t szMapped, uintptr_t newObfuscatedAddress, bool isIgnoreOriginalCodeRemove = false); BOOL Run(); RyujinProcedure getProcessedProc(); ~RyujinObfuscationCore(); diff --git a/RyujinConsole/RyujinConsole/RyujinConsole.cc b/RyujinConsole/RyujinConsole/RyujinConsole.cc index ed9faad..01ca143 100644 --- a/RyujinConsole/RyujinConsole/RyujinConsole.cc +++ b/RyujinConsole/RyujinConsole/RyujinConsole.cc @@ -14,6 +14,7 @@ auto main() -> int { config.m_isJunkCode = TRUE; config.m_isRandomSection = FALSE; config.m_isVirtualized = FALSE; + config.m_isIatObfuscation = TRUE; std::vector procsToObfuscate{ "main", "mainCRTStartup",
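Review bot: The new `bool isIgnoreOriginalCodeRemove = false` parameter on the `removeOldOpcodeRedirect` declaration has no comment, and a trailing defaulted bool reads as a bare `true` at call sites. I would add above the declaration `/// @param isIgnoreOriginalCodeRemove when true, the original procedure bytes are left in the image instead of being NOP-filled`, and state there that the unobfuscated body then stays readable in the output file. A positively named flag such as `keepOriginalCode` would also avoid the negated `!isIgnoreOriginalCodeRemove` test in the .cc, though that is a matter of style.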
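Review bot: The line added in `main` sets `config.m_isIatObfuscation`, not the `m_isIgnoreOriginalCodeRemove` option this commit is about, so the sample configuration never states the new option and it keeps whatever value RyujinObfuscatorConfig starts with (not visible here). If the IAT setting is intentional it would read better as its own commit. For this one I would add `config.m_isIgnoreOriginalCodeRemove = FALSE;` next to the other flags so the default is explicit. `main` continues outside the hunk.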