admin/Ryujin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Start implementing the base for the "AntiDump" feature

Browse Source 
- Begin work on the foundational structure for the "AntiDump" feature
- Introduced a new capability in Ryujin called "RyujinRunOncePass", which runs only on the first obfuscated function — ideal for volatile features
- Updated "RyujinCoreConfiguration" structures
 - Updated "RyujinGUI" to include the "AntiDump" option
- Updated "RyujinConsole" to display the "AntiDump" feature
- Updated "README.md" accordingly
This commit is contained in:
keowu
2025-07-12 21:26:12 -03:00
parent a96d97b9b0
commit a9bdbb1bdd
10 changed files with 66 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh
View File

@@ -20,6 +20,7 @@ public:
bool m_isEncryptObfuscatedCode; // The user wants to encrypt all obfuscated code to avoid detection
bool m_isAntiDebug; // The user wants to avoid debuggers use while running a binary protected by Ryujin
bool m_isTrollRerversers; // The user wants to trick and use a special feature to troll reversers when their debugs be detected making they loose all the progress
bool m_isAntiDump; // Enable Anti Dump technic for Ryujin protected binary
RyujinObfuscatorProcs m_strProceduresToObfuscate; // Names of the procedures to obfuscate - FFI
std::vector<std::string> m_strdProceduresToObfuscate; // Names of the procedures to obfuscate
// todo: passes

4
RyujinCore/Ryujin/Ryujin.cc
View File

@@ -94,8 +94,8 @@ bool Ryujin::run(const RyujinObfuscatorConfig& config) {
return FALSE;
}
bool RyujinRunOncePass{ TRUE };
std::vector<RyujinObfuscationCore> processed_procs;
for (auto& proc : m_ryujinProcedures) {
auto it = std::find(config.m_strdProceduresToObfuscate.begin(), config.m_strdProceduresToObfuscate.end(), proc.name);
@@ -137,7 +137,7 @@ bool Ryujin::run(const RyujinObfuscatorConfig& config) {
//Is time to obfuscate ?
RyujinObfuscationCore obc(config, proc, reinterpret_cast<uintptr_t>(m_mappedPE.get()));
obc.Run();
obc.Run(RyujinRunOncePass);
//TODO: Custom passes support

41
RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc
View File

@@ -1602,6 +1602,34 @@ void RyujinObfuscationCore::insertAntiDebug() {
}
void RyujinObfuscationCore::insertAntiDump() {
BOOL isInserted{ FALSE };
for (auto& block : m_proc.basic_blocks) {
for (auto& instr : block.instructions) {
if (isInserted) break;
if (!isInserted) {
auto block_info = findBlockId(instr.instruction.info.opcode, instr.instruction.operands[1].imm.value.u, 2, sizeof(unsigned char));
if (block_info.first == -1 || block_info.second == -1) continue;
auto& data = m_proc.basic_blocks[block_info.first].opcodes[block_info.second];
std::printf("RyujinObfuscationCore::insertAntiDump\n");
isInserted = TRUE;
}
}
}
}
void RyujinObfuscationCore::updateBasicBlocksContext() {
auto new_obfuscated_opcodes = getProcessedProc().getUpdateOpcodes();
@@ -1610,11 +1638,22 @@ void RyujinObfuscationCore::updateBasicBlocksContext() {
}
BOOL RyujinObfuscationCore::Run() {
BOOL RyujinObfuscationCore::Run(bool& RyujinRunOncePass) {
//Add padding spaces
addPaddingSpaces();
/*
RyujinRunOncePass only run once for the first function candidate to obfuscation.
this is the better place to put unique logic code that is high volatily.
*/
if (RyujinRunOncePass) {
this->insertAntiDump();
RyujinRunOncePass = FALSE;
}
//Update basic blocks view based on the new obfuscated
this->updateBasicBlocksContext();

3
RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh
View File

@@ -30,6 +30,7 @@ private:
void insertJunkCode();
void insertVirtualization();
void insertAntiDebug();
void insertAntiDump();
std::vector<uint8_t> fix_branch_near_far_short(uint8_t original_opcode, uint64_t jmp_address, uint64_t target_address);
uint32_t findOpcodeOffset(const uint8_t* data, size_t dataSize, const void* opcode, size_t opcodeSize);
@@ -69,7 +70,7 @@ public:
void applyRelocationFixupsToInstructions(uintptr_t imageBase, DWORD virtualAddress, std::vector<unsigned char>& new_opcodes);
void removeOldOpcodeRedirect(uintptr_t newMappedPE, std::size_t szMapped, uintptr_t newObfuscatedAddress, bool isIgnoreOriginalCodeRemove = false);
void InsertMiniVmEnterProcedureAddress(uintptr_t imageBase, uintptr_t virtualAddress, std::vector<unsigned char>& new_opcodes);
BOOL Run();
BOOL Run(bool& RyujinRunOncePass);
RyujinProcedure getProcessedProc();
~RyujinObfuscationCore();