Wednesday, June 1, 2011

ChapljaVM Code Obfuscator 0.0.1 alpha

This is a release of a very early alpha version of the program, make sure to read the README!

Download: chaplja.net/ChapljaVM.zip

README file contents:

# ChapljaVM Code Obfuscator readme

ChapljaVM Code Obfuscator is a tool used for protection of PE executable
files. It is currently in alpha stage and is thus far from finished.
Many instructions are not supported yet or may be improperly mutated
which can result in the protection application not functioning correctly
(e.g. crashing).

Notes: The input executable must be compiled with image randomization
disabled and no relocation sections or it will crash when loaded at non
default base address. This means you must disable the above mentioned
features in your compiler for your EXE files as well. Only 32bit files
are supported at this stage and instructions in the marked code blocks
must not have any prefixes (e.g. lock, repne, etc). Also, certain
instructions are currently supported only in certain forms, for example:
"xor register, register" may be supported, but "xor [mem], imm" not.

More instructions will be supported soon, but you may report an
instruction used by your program if it's not supported and it will take
priority over other instructions. Contact details are on the bottom of
this file.

The code produced at this stage is a bit too large (100 bytes of code
becomes around 1600 bytes of code, but that will be optimized soon) and
not all instructions are mutated, some are simply copied in its original
form. Remember, this is an alpha version! Many things are temporary and
the obfuscation complexity will be much more complex in future versions.

The protection options are not customizable at this stage, the options
block will be enabled at a later point.

How to use: Include the "ChapljaVM_SDK.h" in your C/C++ project and use
CVM_BEGIN and CVM_END macros to mark the start and the end of a code
block you wish to protect.

Please report all bugs to chaplja@gmail.com - this includes unsupported
instructions as well as any other kind of bug (e.g. the generated exe
file is crashing or producing wrong results).

# Credits for used libraries
* PeLib - www.pelib.com
Copyright 2004 by Sebastian Porst
Original license in PELIB_LICENSE.txt

* libudis86 - http://udis86.sourceforge.net
Copyright (c) 2002, 2003, 2004, 2005, 2006, 2007, 2008
Original license in UDIS86_LICENSE.txt

* AsmJit - http://code.google.com/p/asmjit/
Copyright (c) 2008-2010, Petr Kobalicek
Original license in ASMJIT_COPYING.txt

# www.chaplja.net | www.valsimot.com | chaplja.blogspot.com
# chaplja@gmail.com
Posted by at No comments:
Labels: , , , , , , , , ,

Monday, May 30, 2011

ChapljaVM progress update

Here's a binary obfuscated with the current CVM version. It's still in a very early development phase and the mutation complexity is very simple compared to the plans I have for later, but it should already stop quite a few newbies from easily reversing a mutated block of code.

The obfuscated application is a SHA-1 implementation with a self-test program which computes a checksum of predefined values and compares them to the expected result. The original program's source can be found here: http://www.packetizer.com/security/sha1/

Download the obfuscated binary here: http://chaplja.net/SHA1_2011_05_30.exe

Hopefully I'll be able to release a test version for testing to public soon.
Posted by at No comments:
Labels: , , , , , , ,

Thursday, May 19, 2011

ChapljaVM v2 - Code mutation/virtualization engine (work in progress, pre-alpha)

Previous release: chapljaVM assembler/scripting

Ok, this is not really related to it because this is now a completely different and way more complex project, but the tool I'm working on now will also support a language similar to what I linked above to be inserted into the executable binary or to be executed from memory using an SDK function.

Click here for a small pre-alpha screenshot

I have done quite a lot of research and have done a lot of testing, which I believe is the hardest part of the work. Now I need to implement everything I've done so far in simpler tests. It's not very hard, but it's a lot of work because really many instructions and cases need to be covered.

The goal is to make a codevirtualizer/vmprotect-like application which allows you to select areas of code you'd like to protect within your C/C++ sources - but with the actual obfuscation being priority, the anti-debugging and similar things being less of a priority and will be implemented after everything else is.

It doesn't do much yet, of course not everything is implemented what is seen in the application window, but almost everything has been tested in various console apps and now needs to be implemented into actual obfuscation engine and this gui version.

I've tested relocation of selected code blocks into a new section which the tool generates and it's working fine (though not finished yet - need to take care of relocations so DLLs are supported in case they're loaded at a different address, but it won't be hard to implement).

These are the first important features I'd like to cover:
- Code mutation (one instruction is transformed into multiple instructions which end up having the same result)
- Code virtualization (will come after mutation is fully implemented)
- Junk code insertion between original instructions
- Other 'standard' features such as IAT obfuscation, debug information removal, etc, not really giving much attention to it now, it's not very hard to implement these)

Hopefully I'll have an alpha version for testing or at least a produced binary of some more complex code within some reasonable amount of time.. will post more updates as the development progresses further.
Posted by at No comments:
Subscribe to: Posts (Atom)