[Software] Milfuscator Free - x86 PE Mutator

average usermode enjoyer (Member, joined 9 Jul 2019):
Hi everyone!
Before releasing the paid version we decided to make a free version of Milfuscator. The free version reads a .MAP file and covers all of the code with mutation; it may look familiar to some of you, since the idea behind the implementation itself was taken from one popular CS:GO cheat.

Perses works on the principle of every protector: it creates an extra section at the end of the file and stuffs the obfuscated code there, then wipes the original code of the .text section and inserts a jump into its own section.
Milfuscator, on the other hand, fully rebuilds the PE file; it modifies and extends the existing code of the .text section, thereby expanding it, and creates no extra sections at all.
Perses is similar in only one respect: it saves and restores EFLAGS in every obfuscation block. It does this so as not to break the program's logic (which doesn't help it, by the way); unfortunately even our obfuscator can't do without this (who needs an obfuscator that breaks code?).
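As an added illustration (not code from Milfuscator or Perses), a small Python script that parses a PE section table and reports the header-level sign of the appended-section layout described above, versus a rebuilt, merely larger .text; the two PE images it inspects are constructed inside the script, and the section names and sizes are assumptions.

```python
import struct

# Section characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER, little-endian


def build_pe(sections):
    """Build a constructed, header-only PE32 image (DOS header, PE signature, COFF
    header, zeroed optional header, section table). Not a real binary.
    sections: list of (name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, va, rsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, va, rsize, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


def parse_sections(data):
    """Walk the section table of a PE image and return one dict per section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size  # signature (4) + COFF header (20) + optional header
    out = []
    for i in range(nsec):
        name, vsize, va, rsize, *_, chars = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": vsize, "va": va, "rsize": rsize, "chars": chars})
    return out


def protector_findings(sections):
    """Header-level signs of the appended-section layout the post attributes to Perses:
    an extra executable section after the standard ones, which the wiped .text then
    only jumps into. A rebuilt-.text layout (Milfuscator style) keeps a single, merely
    larger, executable section and yields no finding from these checks."""
    findings = []
    exec_secs = [s for s in sections if s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    if len(exec_secs) > 1:
        findings.append("multiple executable sections: " + ", ".join(s["name"] for s in exec_secs))
    last = sections[-1]
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["name"] != ".text":
        findings.append(f"trailing executable section {last['name']} (appended code section)")
    return findings


# Constructed samples (not real binaries): a rebuilt-.text layout and an appended-section layout.
REBUILT = build_pe([(b".text", 0x9000, 0x1000, 0x9000, CODE),
                    (b".rdata", 0x1000, 0xA000, 0x1000, IMAGE_SCN_MEM_READ),
                    (b".data", 0x800, 0xB000, 0x400, DATA)])
APPENDED = build_pe([(b".text", 0x4000, 0x1000, 0x4000, CODE),
                     (b".rdata", 0x1000, 0x5000, 0x1000, IMAGE_SCN_MEM_READ),
                     (b".data", 0x800, 0x6000, 0x400, DATA),
                     (b".obf0", 0x6000, 0x7000, 0x6000, CODE)])

if __name__ == "__main__":
    for label, img in (("rebuilt", REBUILT), ("appended", APPENDED)):
        print(label, protector_findings(parse_sections(img)) or ["no finding"])
```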



- Supports only 32-bit .exe files
- No choice of which user code gets obfuscated
- Strips all data directories except imports
All the downsides come from laziness and from the fact that the obfuscator is free.
Since we are working hard on the paid version, we ran rather few tests on the free version, so all bug reports about Milfuscator itself or about an already covered program are welcome. Write on Telegram: @nelfo or @netherrealmdev

User (Beginner, joined 6 Apr 2022):
Didn't it bother you that all functions get mutated?
 
Murasaki (Developer, joined 18 Mar 2020):
The mutation in the free version isn't all that strong; for people with asm experience it is still more or less readable, so mutating all functions shouldn't cause much confusion.
 
dev (Banned, joined 5 Apr 2022):
Will there be a paid version? Will it have x64 and DLL support?
 
Murasaki (Developer, joined 18 Mar 2020):
In general yes, but the release order will be:

Milfuscator x32 dll + exe
Milfuscator x64 dll + exe
Milfualizer x32 dll + exe
Milfualizer x64 dll + exe
 
Murasaki (Developer, joined 18 Mar 2020):
Recently we ran into a rather unpleasant situation: because of one post, many people may think that our project is based entirely on another project, namely Perses. To those who actually believe so I recommend re-reading the spoilers in this thread, especially the spoiler "Why this isn't perses".
We decided to test Perses itself in order to show the substantial difference between Milfuscator Free and Perses. To our surprise we hit critical errors after covering the samples: it turned out that Perses breaks the stack pointer, so after a RET instruction execution goes off into the weeds to invalid memory addresses, or it crashes on the instruction push qword ptr ds:[eax].

Now on to the test results themselves: I decided to test code that works with a mutex.

C++:
#include <chrono>
#include <iostream>
#include <mutex>
#include <thread>   // needed for std::thread::id and std::this_thread

std::mutex g_Mutex;

void ThreadStarter( )
{
    std::thread::id CurrentThreadId = std::this_thread::get_id( );

    // critical section: only the first message is printed under the lock
    g_Mutex.lock( );

    std::cout << "Thread " << CurrentThreadId << " blocked!\n";

    g_Mutex.unlock( );

    std::cout << "Thread " << CurrentThreadId << " active!\n";

    std::this_thread::sleep_for( std::chrono::seconds( 1 ) );
}

int main()
{
    ThreadStarter( );
    while ( true );   // keep the process alive so the covered sample can be inspected
}
Now let's see what a sample covered by the free version of Milfuscator and by Perses looks like when decompiled:

[screenshot attachment]

Add to all this the fact that the sample covered by Perses does not work, because the stack pointer is broken.

Anyone who wants to look at the samples can download them here: [link requires login]

I hope there will be no more suspicions of pasting :roflanEbalo:
 
User (Beginner, joined 14 Jun 2022):
I am the developer of PERSES. PERSES is a proof of concept and not intended for official usage as stated countless times before. Your observations about the code protection issues are already documented, and they bear no weight when debating whether or not your project derives from the original PERSES source code. I find it funny that you use AsmJit, Zydis, and also use .MAP file obfuscation. These are not unique to PERSES and I am definitely not the first one to use them for an obfuscator, but it is worth noting when comparing the two. You'll see why I bring this up later :).

Firstly:

[link requires login]

They're different, but you can clearly tell the obfuscation method is quite similar. It seems as if you just modified the handlers. The specific instruction usage in general is eerily similar as well: encrypt operand at compile time, mov reg, compiletime_image_base => decrypt operand (you also use bswap, ror/rol, etc) => add rva, image_base.

Secondly:

You would have saved yourself the embarrassment if you were initially honest. I don't care if you use PERSES for your obfuscator, it's fine. It's licensed under MIT and I'm happy when people use my work. But don't lie to everyone for monetary value, it makes your business look trash. You clearly aren't even confident enough in your own product (or mine I should say :P) if you have to use Code Virtualizer as a means of obfuscation. I wouldn't buy an obfuscator if it uses another well-established one instead of its own, that is kind of a meme.

Also, what exactly are these guys protecting? I'll tell you. All their obfuscation routines are virtualized, so if you're interested in reversing their EXE or methods of obfuscation, it will be quite painful. I didn't have much time for an in-depth analysis, but one interesting thing I noticed however was a 1:1 copy of my function writeJcc ([link requires login]).

Let's take a look.

PERSES (X64, cbf to recompile to 32bit): [screenshot attachment]

MILFUSCATOR: [screenshot attachment]

What you're seeing here is a compiled jump table and its relevant properties. They're exactly identical (apart from the ISA), you're free to check this out yourself (jump to 0x44481E). Furthermore, other parts of the binary and some of the virtualized routines have very similar code layout and structure to PERSES (check the AsmJit::emit calls). I'd hold on to my wallet on this one guys, you can just fork PERSES and modify it yourself ;)

- Mike
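The operand-decrypt chain Mike describes (encrypted immediate, ror, bswap, add image base) together with the EFLAGS save/restore that the first post says every obfuscation block needs, as an added Python model that is not code from PERSES or Milfuscator; IMAGE_BASE, RVA and the rotate count are assumed values, and only ZF and CF are modelled.

```python
MASK = 0xFFFFFFFF
IMAGE_BASE = 0x00400000   # assumed image base for this constructed example
RVA = 0x00001234          # constructed RVA of a call/jump target being hidden


def ror32(x, n):
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK


def rol32(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def bswap32(x):
    return int.from_bytes(x.to_bytes(4, "little"), "big")


def encrypt_rva(rva, rot):
    """Compile-time side: apply the inverse of the runtime chain (bswap, then rol)
    so that 'ror; bswap' at runtime recovers the RVA."""
    return rol32(bswap32(rva), rot)


class Flags:
    """Only ZF and CF are modelled; that is enough to show the clobbering."""
    def __init__(self):
        self.zf = self.cf = 0


def x86_cmp(f, a, b):
    f.zf, f.cf = int(a == b), int(a < b)


def x86_ror(f, x, n):
    r = ror32(x, n)
    f.cf = (r >> 31) & 1          # ROR copies the last bit rotated into CF; ZF untouched
    return r


def x86_add(f, a, b):
    r = a + b
    f.cf, r = int(r > MASK), r & MASK
    f.zf = int(r == 0)            # ADD rewrites ZF from its own result
    return r


def run_block(save_flags, rot=7):
    """Emulate: cmp eax, ebx (equal) ; <decrypt block> ; je target.
    Returns (decoded absolute address, whether je is still taken)."""
    f = Flags()
    x86_cmp(f, 42, 42)                      # the program's own compare: ZF = 1
    saved = (f.zf, f.cf) if save_flags else None   # pushfd
    reg = encrypt_rva(RVA, rot)             # mov reg, encrypted_imm
    reg = x86_ror(f, reg, rot)              # ror reg, rot
    reg = bswap32(reg)                      # bswap reg (changes no flags)
    reg = x86_add(f, reg, IMAGE_BASE)       # add reg, image_base
    if saved is not None:
        f.zf, f.cf = saved                  # popfd
    return reg, bool(f.zf)                  # je reads ZF


if __name__ == "__main__":
    for save in (False, True):
        addr, taken = run_block(save)
        print(f"save_flags={save}: target=0x{addr:08X}, je taken={taken}")
```

Without the save/restore the block decodes the address correctly but the following conditional jump sees ZF cleared by the add, which is exactly the "broken logic" the posts argue about.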
 
User (Beginner, joined 5 Oct 2019):
Took the opponent apart with the facts. Akhmat is strength, bro.
 
Murasaki (Developer, joined 18 Mar 2020):
Okay, great assembler genius, since we really stole the code in your opinion and want to sell it, then tell me, how is it that Milfuscator of the free version has no problems with the stack, and Perses breaks the return address? Despite the fact that we found out about it literally yesterday, when we started testing your greatest mutator, after accusing us of copying the code. Aren't you taking on too much? Roll up your lip, kid, and learn how to work with the stack and its instructions. Now let me clarify about the paid version, who inspired you that we would sell an executable file from this topic? Show me this jerk, if you want to see an example of the beta version of the paid version, then you are here -> https://yougame.biz/threads/255202/. It's funny to see how a person tries to prove that this is his mutator, while still unable to explain the situation with the stack :CoolStoryBob: , we can lay out some code, but the second developer will do it.
 
average usermode enjoyer (Member, joined 9 Jul 2019):
No, this is not your writeJcc function that I see for the first time, this is a switch from the transfer loop of the entire PE file to asmjit. While I'm transferring the entire file, I fix all the jumps and calls that my code analyzer found along the way.

It could coincide due to the fact that I took all the mnemonics for the switch in order from the mnemonics enum, which you could do, obviously, in your switches where you checked for some jumps.

Below is the code from the milfuscator
[screenshot attachment]

The fact that there are coincidences, by the way, I described in the first message of the topic. There is a coincidence that you also save and restore flags (you save them to the stack, and I to the stack and then TIB). Of course, you can not believe me, but I didn’t even look into perses to steal the ingenious way to fix flags, initially I did without it at all, it was added as a crutch due to the fact that the decrypt instructions broke the flags, for some reason I did not immediately predict this. Already after the release of the free version and the accusations that we stole something from Perses, I was very surprised when I saw that you also use this crutch. Also, regarding ror / rol / bswap, they are used not because I saw it in perses, but because in general these instructions are quite popular for decrypting some values, I don’t see anything unusual in this.

if you have to use Code Virtualizer as a means of obfuscation. I wouldn't buy a obfuscator if it uses another well established one instead of it's own, that is kind of a meme.
The private version is not quite ready for use, but the free one should have been uploaded now, so there was no other way out. The use of the beta private version is in one crackme, which I posted recently on this forum, you can download it and look at the obfuscation, and once again make sure that no one needs your p3rs3s.

By the way, a piece of advice for your obfuscator: always keep the stack pointer aligned; movaps instructions don't work with unaligned pointers. :blush:

User (Beginner, joined 14 Jun 2022):
I guess it is also a coincidence you fix JCCs almost identically to me. Maybe you should have read the comments in PERSES and you would have done it properly, or were you not able to because there was not ready-to-paste code? Do you think renaming and using slightly different structures makes your code & ideas completely unique? :joycat:


"Once An Accident, Twice A Coincidence, Three Times A Pattern" - Alan Weiss

It is baffling you sit here and act as if the ideas in your project are completely original. What a joke.

It is unfortunate that neither you nor your partner are able to google what "proof of concept" means. Here, I'll do it for you:
[link requires login]

Humble yourself, please.

Anyways, I think the proof is quite clear and to argue any further would be a waste of our time. Good luck to you both on your project and I hope to see some important structural changes. By the way, a piece of advice for your obfuscator: maybe don't code it like a pile of shit.

P.S: This is cringe!

 
average usermode enjoyer (Member, joined 9 Jul 2019):
I didn't think it would take 2 hours of thinking to find a quote from Alan Weiss and decrypt the line about niggas, and once again accuse me of using your perses without any normal evidence.

About originality. I didn’t say this until the last, I thought that smart people like you would understand this themselves, but the main feature of this obfuscator is that it rebuilds the entire PE file (so I can expand the text section anywhere in it) and does not insert jumps into the additional section of the protector. Not a fucking decrypt through rolls and ror, not a way to fix flags, just a rebuild... I know it's not very hard to do, but that's the main idea. I thought that for a free obfuscator this is a pretty unique idea.

As a result, I implemented a rebuild of the PE file(main feature), made a simple obfuscation with rolls and rors (and a flags fix that I, of course, stole from Perses (sarcasm)), and some retard attacked me with accusations of pasting his obfuscator, which I don't fucking need.
