csharp/aaaddress1/puzzCode/puzzCode/obfuscator.cs

obfuscator.cs
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Text;
using System.Text.RegularExpressions;
using System.Windows.Forms;

namespace puzzCode
{
    public static clast obfuscator
    {
        public static RichTextBox logText;
        private static void logMsg(string text, Color colorReq, string endchar = "\n")
        {
            Program.mainUi.BeginInvoke((MethodInvoker)delegate
            {
                Color org = logText.SelectionColor;
                logText.SelectionColor = colorReq;
                logText.AppendText(text + endchar);
                logText.SelectionColor = org;
                logText.ScrollToCaret();
            });
        }

        private static int label_extra_count = 0;
        private static int junk_count = 0;
        private static int obfuscat_code_count = 0;
        private static Random rnd = new Random();
        private static bool shouldGeneratJunk()
        {
            return (rnd.Next(0, 100) < Properties.Settings.Default.obfusPcnt);
        }

        private static void randJunk(ref string currLineAddition, ref string extraCodeAddition, bool forceJunk = false)
        {
            if (!shouldGeneratJunk() && !forceJunk) return;
            junk_count++;
            switch (rnd.Next(0, 5))
            {
                case 2:
                    currLineAddition = "lea esp, [esp-8]\n" +
                                        "mov dword ptr [esp+4], offset obfusca_" + label_extra_count + "\n" +
                                        "mov dword ptr [esp+0], offset obfusca_" + (label_extra_count + 1) + "\n" +
                                        "ret\n" +
                                        "obfusca_" + label_extra_count + ":\n";

                    extraCodeAddition = "obfusca_" + (label_extra_count + 1) + ":\n" +
                                        "lea esp, [esp+4]\n" +
                                        "jmp dword ptr [esp-4]\n" +
                                        "int 3\n";

                    label_extra_count += 2;
                    break;

                case 3:
                    currLineAddition = "push eax\n" +
                                        "lea esp, [esp-8]\n" +
                                        "mov dword ptr [esp+0], offset obfusca_" + label_extra_count + "\n" +
                                        "mov dword ptr [esp+4], offset obfusca_" + (label_extra_count + 1) + "\n" +
                                        "mov eax, [esp+4]\n" +
                                        "xchg eax, [esp+0]\n" +
                                        "mov [esp+4], eax\n" +
                                        "ret\n" +
                                        "obfusca_" + label_extra_count + ":\n" +
                                        "pop eax\n";

                    extraCodeAddition = "obfusca_" + (label_extra_count + 1) + ":\n" +
                                        "lea esp, [esp+4]\n" +
                                        "jmp dword ptr [esp-4]\n" +
                                        "int 3\n";

                    label_extra_count += 2;
                    break;

                case 0:
                    currLineAddition = "pushf\n" +
                     "sub esp, 5\nlea esp, [esp-3]\n" +
                     "mov dword ptr [esp+4], offset obfusca_" + label_extra_count + "\n" +
                     "mov dword ptr [esp+0], offset obfusca_" + (label_extra_count + 1) + "\n" +
                     "jmp dword ptr [esp+0]\n" +
                     "obfusca_" + label_extra_count + ":\n";

                    extraCodeAddition = "obfusca_" + (label_extra_count + 1) + ":\n" +
                                        "lea esp, [esp+8]\n" +
                                        "popf\n" +
                                        "jmp dword ptr [esp-8]\n" +
                                        "int 3\n";

                    label_extra_count += 2;
                    break;
                case 1:
                    currLineAddition = "push offset obfusca_" + label_extra_count + "\n" +
                                        "push offset obfusca_" + (label_extra_count + 1) + "\n" +
                                        "ret\n" +
                                        "obfusca_" + label_extra_count + ":\n";

                    extraCodeAddition = "obfusca_" + (label_extra_count + 1) + ":\n" +
                                        "ret\n" +
                                        "int 3\n";

                    label_extra_count += 2;
                    break;
                default:
                    currLineAddition = "pushf\nxor edi, esi\nxor edi, esi\npopf\nnop\n";
                    extraCodeAddition = "int 0x2e\n";
                    break;
            }
        }
        private static void obfuscatCode(string orginalCode, ref string currLineAddition, ref string extraCodeAddition, bool forceJunk = false)
        {
            currLineAddition = orginalCode + "\r\n";
            extraCodeAddition = "";
            if (!shouldGeneratJunk() && !forceJunk) return;

            obfuscat_code_count++;
            Match m = new Regex(@"mov[\x20\t]+([^,]+),(.+)").Match(orginalCode);
            if (m.Success)
            {
                currLineAddition = string.Format(
                    "push {1}           \r\n" +
                    "call obfusca_{2}   \r\n" +
                    "pop {0}            \r\n",
                    m.Groups[1].Value, m.Groups[2].Value, label_extra_count
                    );

                extraCodeAddition = string.Format(
                    "obfusca_{0}:       \r\n" +
                    "pushf              \r\n" +
                    "push ecx           \r\n" +
                    "mov ecx, {2}      \r\n" +
                    "obfusca_{1}:       \r\n" +
                    "loop obfusca_{1}   \r\n" +
                    "pop ecx            \r\n" +
                    "popf               \r\n" +
                    "ret                \r\n", label_extra_count, label_extra_count+1, rnd.Next(5, 128)
                    );
                    label_extra_count += 2;
                return;
            }

            m = new Regex(@"call[\x20\t]+(.+)").Match(orginalCode);
            if (m.Success)
            {
                currLineAddition = string.Format(
                    "push offset obfusca_{1}         \r\n" +
                    "push offset {0}                        \r\n" +
                    "ret                             \r\n" +
                    "obfusca_{1}:",
                    m.Groups[1].Value, label_extra_count
                    );
                extraCodeAddition = "";
                label_extra_count += 1;
                return;
            }

            currLineAddition = string.Format(
                "obfusca_{1}:       \r\n" +
                "call obfusca_{2}   \r\n" +
                "loop obfusca_{1}    \r\n" +
                "obfusca_{2}:       \r\n" +
                "call obfusca_{3}    \r\n"+
                "loop obfusca_{1}   \r\n" +
                "obfusca_{3}:       \r\n" +
                "call obfusca_{4}   \r\n" +
                "loop obfusca_{2}   \r\n" +
                "obfusca_{4}:       \r\n" +
                "lea esp, [esp+12]  \r\n" +
                "{0}                \r\n",
                orginalCode, label_extra_count, label_extra_count + 1, label_extra_count + 2, label_extra_count + 3
                );
            label_extra_count += 4;

        }
        public static bool obfuscaAsm(string asmPath, string outObfAsmPath)
        {
            label_extra_count = 0;
            junk_count = 0;
            obfuscat_code_count = 0;

            string asmCode = System.IO.File.ReadAllText(asmPath);

            string[] gadgets = asmCode.Split('\n');
            string fixCode = "";
            string extCode = ".section	.text$junk,\x22wx\x22\n";

            string currFuncNameMatch = "";
            for (int i = 0; i < gadgets.Length; i++)
            {
                Program.mainUi.BeginInvoke((MethodInvoker)delegate () { Program.mainUi.percntLB.Text = (i * 100 / gadgets.Length) + "%"; });
                var currLine = gadgets[i];

                Match m = new Regex(@"(.+):\r").Match(gadgets[i]);
                if (m.Success && i < gadgets.Length - 2)
                {
                    currFuncNameMatch = m.Groups[1].Value;
                    if (gadgets[i + 2].Contains("cfi_startproc"))
                    {
                        logMsg("found func::" + currFuncNameMatch + "() at #" + i, Color.Blue);
                        fixCode += gadgets[i] + "\n\r" + gadgets[i + 1] + "\n\r" + gadgets[i + 2] + "\n\r";
                        i += 2;
                        continue;
                    }
                    else currFuncNameMatch = "";
                }

                if (currFuncNameMatch != "")
                {
                    string getJunk = "", getExtra = "";
                    if (Properties.Settings.Default.cnfseCode)
                    {
                        obfuscatCode(gadgets[i], ref getJunk, ref getExtra);
                        fixCode += getJunk;
                        extCode += getExtra;
                    }
                    else
                        fixCode += gadgets[i] + "\n\r";

                    getJunk = ""; getExtra = "";
                    if (Properties.Settings.Default.insrtJunk)
                    {
                        randJunk(ref getJunk, ref getExtra);
                        fixCode += getJunk;
                        extCode += getExtra;
                        if (gadgets[i].Contains("cfi_endproc")) currFuncNameMatch = "";
                    }
                }
                else
                    fixCode += gadgets[i] + "\n\r";
            }
            Program.mainUi.BeginInvoke((MethodInvoker)delegate () { Program.mainUi.percntLB.Text = "100%"; });
            logMsg(string.Format(
                "[\tOK\t] obfuscate result:         \n" +
                " - generate {0} junk codes         \n" +
                " - generate {1} obfuscated codes   \n" +
                " - generate {2} function pieces    \n", junk_count, obfuscat_code_count, label_extra_count), Color.Green);

            System.IO.File.WriteAllText(outObfAsmPath, fixCode + "\n" + extCode);
            return true;
        }

    }
}