maj du crypter

en attente d'une update de zydis sur vcpkg

Crypter/Crypter.vcxproj

@@ -78,9 +78,20 @@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <LinkIncremental>true</LinkIncremental>
+    <IncludePath>$(IncludePath)</IncludePath>
+    <AllProjectIncludesArePublic>false</AllProjectIncludesArePublic>
+    <LibraryPath>$(LibraryPath)</LibraryPath>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <LinkIncremental>false</LinkIncremental>
+    <IncludePath>$(IncludePath)</IncludePath>
+    <AllProjectIncludesArePublic>false</AllProjectIncludesArePublic>
+    <LibraryPath>$(VC_LibraryPath_x64);$(WindowsSDK_LibraryPath_x64);</LibraryPath>
+  </PropertyGroup>
+  <PropertyGroup Label="Vcpkg">
+    <VcpkgEnabled>true</VcpkgEnabled>
+    <VcpkgManifestInstall>true</VcpkgManifestInstall>
+    <VcpkgAutoLink>true</VcpkgAutoLink>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
@@ -121,6 +132,7 @@
     <Link>
       <SubSystem>Console</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">

Crypter/Crypter.vcxproj.filters

@@ -14,9 +14,6 @@
     <Filter Include="Config">
       <UniqueIdentifier>{47733102-deb7-437d-ada8-bca851a43356}</UniqueIdentifier>
     </Filter>
-    <Filter Include="Imports">
-      <UniqueIdentifier>{ecae1be1-6edb-45a9-bf23-273b5e5bf6f3}</UniqueIdentifier>
-    </Filter>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="main.cpp">

Crypter/main.cpp

@@ -8,14 +8,13 @@
 #include <inttypes.h>
 
 #include <Zydis/Zydis.h>
-#include <Zydis/SharedTypes.h>
+#include <Zycore/LibC.h>
-#include <Zydis/Decoder.h>
+#include <Zycore/API/Memory.h>
 
 #include "random.hpp"
 #include "utils.hpp"
 #include "config.hpp"
 
-
 extern g_random random;
 
 unsigned __int64 origSeed;
@@ -165,10 +164,11 @@ int main(int argc, char* argv[]) {
     }
 
     printf("\n");
+    printf(" Enumerating .text instructions and finding the stuff to change...\n");
 
     // Initialize decoder context
     ZydisDecoder decoder;
-    ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LEGACY_32, ZYDIS_ADDRESS_WIDTH_32);
+    ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LEGACY_32, ZYDIS_STACK_WIDTH_32);
 
     // Initialize formatter. Only required when you actually plan to do instruction
     // formatting ("disassembling"), like we do here
@@ -182,18 +182,58 @@ int main(int argc, char* argv[]) {
     ZyanUSize offset = text_addr;
     const ZyanUSize length = sizeof((char*)mapped_file);
     ZydisDecodedInstruction instruction;
+    ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
 
-    while (ZYAN_SUCCESS(ZydisDecoderDecodeBuffer(&decoder, (char*)mapped_file + offset, length - offset,
+    while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, (char*)mapped_file + offset, length - offset,
-        &instruction)) && offset < text_size + text_addr)
+        &instruction, operands)) && offset < text_size + text_addr)
     {
         // Print current instruction pointer.
         printf(" %016" PRIX64 "  ", runtime_address);
 
         // Format & print the binary instruction structure to human-readable format
         char buffer[256];
-        ZydisFormatterFormatInstruction(&formatter, &instruction, buffer, sizeof(buffer), runtime_address);
+        ZydisFormatterFormatInstruction(&formatter, &instruction, operands, instruction.operand_count_visible, buffer, sizeof(buffer), runtime_address, ZYAN_NULL);
         puts(buffer);
 
+        // Create an encoder request from the previously decoded instruction.
+        ZydisEncoderRequest enc_req;
+        ZydisEncoderDecodedInstructionToEncoderRequest(&instruction, operands,
+            instruction.operand_count_visible, &enc_req);
+
+        // Now, change some things about the instruction!
+
+        // Change `jz` -> `jnz` and `add` -> `sub`.
+        bool changed = true;
+        switch (enc_req.mnemonic)
+        {
+        case ZYDIS_MNEMONIC_ADD:
+            enc_req.mnemonic = ZYDIS_MNEMONIC_SUB;
+            break;
+        case ZYDIS_MNEMONIC_JZ:
+            enc_req.mnemonic = ZYDIS_MNEMONIC_JNZ;
+            break;
+        default:
+            // Don't change other instructions.
+            changed = false;
+            break;
+        }
+
+        if (changed) {
+            printf(" Instruction %s changed\n", buffer);
+        }
+
+        // Encode the instruction back to raw bytes.
+        uint8_t new_bytes[ZYDIS_MAX_INSTRUCTION_LENGTH];
+        ZyanUSize new_instr_length = sizeof(new_bytes);
+        ZydisEncoderEncodeInstruction(&enc_req, new_bytes, &new_instr_length);
+
+        // Decode and print the new instruction. We re-use the old buffers.
+        ZydisDecoderDecodeFull(&decoder, new_bytes, new_instr_length, &instruction,
+            operands);
+        ZydisFormatterFormatInstruction(&formatter, &instruction, operands,
+            instruction.operand_count_visible, buffer, sizeof(buffer), 0, NULL);
+        printf(" New instruction:      %s\n", buffer);
+
         offset += instruction.length;
         runtime_address += instruction.length;
     }