No windows debugger detection? AmIBeingDebugged only works for Mac?

Is ADVObfuscator is supported for Obj C?? If so can I have an example code, what I see in the source code is for MAC OS. Please help.

For example, Visual Studio considers the OBFUSCATED4() macro below as "incomplete" -- so, although it will compile just fine, it underlines every instance of it in red and complains non-stop with warnings.

#define DEF_OBFUSCATED4(str) MetaString4<andrivet::ADVobfuscator::MetaRandom<__COUNTER__, 3>::value, andrivet::ADVobfuscator::MetaRandomChar4<__COUNTER__>::value, Make_Indexes<sizeof(str) - 1>::type>(str)

#define OBFUSCATED4(str) (DEF_OBFUSCATED4(str).decrypt())

Although I'm sure there are many ways to fix it (which is why I'm not doing a pull request), the way I dealt with it was by making it just one macro:

#define OBFUSCATED4(str)    (MetaString4<andrivet::ADVobfuscator::MetaRandom<__COUNTER__, 3>::value, andrivet::ADVobfuscator::MetaRandomChar4<__COUNTER__>::value, Make_Indexes<sizeof(str) - 1>::type>(str)).decrypt()

Is this a new C++11 standard? I don't recall this being an issue with previous versions of Visual Studio.

I'm using your OBFUSCATED4() macro, which randomly chooses string obfuscation methods. In some cases, it chooses one that causes a compiler warning on line 78 of MetaString4.h:

    constexpr ALWAYS_INLINE MetaString4(const char* str)
    : buffer_ {static_cast<char>(K), encrypt(str[I], I)...} { }

The compiler warning:

3>MetaString4.h(78): warning C4309: 'argument': truncation of constant value
3>MetaString4.h(78): note: while compiling class template member function 'andrivet::ADVobfuscator::MetaString4<1,85,andrivet::ADVobfuscator::Indexes<0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130>>::MetaString4(const char *)'
3>  isxCurl_http.cpp(213): note: see reference to function template instantiation 'andrivet::ADVobfuscator::MetaString4<1,85,andrivet::ADVobfuscator::Indexes<0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130>>::MetaString4(const char *)' being compiled
3>  isxCurl_http.cpp(213): note: see reference to class template instantiation 'andrivet::ADVobfuscator::MetaString4<1,85,andrivet::ADVobfuscator::Indexes<0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130>>' being compiled

The code referenced in the warning (line 222 of isxCurl_http.cpp):

printf(OBFUSCATED4(" \n \nIt appears as though this extension is attempting to connect to a website that is not available.  Please try again in a moment."));

(Please note that I have a LOT of other code lines that look identical to this one....just with different text. "printf" is a macro defined in the API I use for this software. Anyway, the other lines must be using the other obfuscation methods, so that's why they're not causing the warning.)

This may be something that you might expect, given that this project utilizes some newer features of C++ (and sprintf, etc. are C functions); however, if there's not a way to fix it, I think it'd be a good idea to include a line about it in this documentation. sprintf is still used quite a bit, even in C++, and tracking down why this crash was happening was a bit of a pain :)

Anyway, here's the code I used for testing. Comments included. Let me know if you have any questions.

#include <iostream>
#include <string>
#include "ADVobfuscator\ADVobfuscator\MetaString4.h"
#include <boost/algorithm/string.hpp>
#include <boost/format.hpp>
using namespace andrivet::ADVobfuscator;

int main()
{
    char buf[2048];
    buf[0] = '\0';

    // Enabling this line crashes the compiler!
    //sprintf_s(buf, 2048, OBFUSCATED4("%s %s!\n"), "Hello", "World");

    // Enabling this line also crashes the compiler!
    //sprintf(buf, OBFUSCATED4("%s %s!\n"), "Hello", "World");

    // Compiles and runs just fine
    std::string buf2 = boost::str(boost::format(OBFUSCATED4("%1% %2%!\n")) % "Hello" % "World");
    std::string buf3 = boost::str(boost::format(OBFUSCATED4("%s %s!\n")) % "Hello" % "World");

    std::cout << buf;
    std::cout << buf2;
    std::cout << buf3;
    return 0;
}

For example, the combination of algorithm #2 and key 0x68.

I've compiled a C++ project in which I encrypted strings using the OBFUSCATED4(...) macro. I modified it by put it inside std::string() constructor so that it becomes something like '#define OBFUSCATED4 std::string(MetaString4...)' so I can assign it to a std::string for example: std::string myStr = OBFUSCATED4("MyString");. Now, when I disassemble the code I can see all string characters one by one, sometimes in random order. I also use clang to compile and I set the -O2 compiler flag. Any suggestion?

Hello , I want to use OBFUSCATED_CALL_RET function and pass another datatype rather than strings . How can I modify the library to achieve that ?

Was having issues with it decrypting the strings properly

Hello,

First, I want to thank you for this amazing project and its ease of use.

My issue might in fact be a question coming from a lack of experience.

The functions I want to obfuscate are inside a class such as:

class Loop1 : public BaseThread
{
public:
    Loop1();
...

The problem with that is that when I call a function like OBFUSCATED_CALL0(FaceToCursorPos)
I have an error (below). I tried different things without success.

MetaFSM.h:162: error: invalid cast from type 'void (Loop1::*)()' to type 'andrivet::ADVobfuscator::ObfuscatedAddress

Thank you so much for your help.

how obfuscator call works? and why we need this?
I think obfuscator string is enough, Maybe add this in README is more great.

Error:

fatal error C1202: recursive type or function dependency context too complex
message : see reference to class template instantiation 'Make_Indexes<7429>' being compiled
[...]
message : see reference to class template instantiation 'Make_Indexes<7926>' being compiled
message : see reference to class template instantiation 'Make_Indexes<7927>' being compiled

Congratulations for your great work. I've been testing it, but I have one doubt:

I see that you use a char as key for MetaString. Does this mean that there will be only 255 possible "ciphertexts" for a given plaintext (using the same algorythm)?

I am working on a new version of ADVobfuscator. A complete rewrite based on C++ 20. It will support obfuscation of string like the existing version but will permit to use a combination of different algorithms and keys so it will be more resistant. It will also avoid using undefined behaviour and will thus be more reliable (data always obfuscated at compile time).

It will also introduce AES encryption (still at compile time, decryption at runtime) for big chucks of data (for ex. certificates with private keys, ...)

Currently, the obfuscation part is ready but not the AES one which has some bugs I need to solve. Then I need to write the documentation, package the code, etc.

Don't ask when it will be released. I don't know. When I consider it to be ready.

The Boost Library is a terrible set of utter craps, can you really drop it in favor of STL?

// To remove Boost assert messages
#if !defined(DEBUG) || DEBUG == 0
#define BOOST_DISABLE_ASSERTS
#endif

#pragma warning(disable: 4503)

#include
#include "MetaString.h"
#include "ObfuscatedCall.h"
#include "ObfuscatedCallWithPredicate.h"

using namespace andrivet::ADVobfuscator;
struct Function1 {
inline void operator()(int a, int b) {
cout << DEF_OBFUSCATED("Womenizer").decrypt() << endl;
}
};
// Obfuscate function calls
void SampleFiniteStateMachine() {
using namespace andrivet::ADVobfuscator::Machine1;
OBFUSCATED_CALL(Function1 , 1, 2);
}

// Entry point
int main(int, const char *[]) {
SampleFiniteStateMachine();
return 0;
}

aboved code cannot complied with Visual Stdio 2015

I am very interested in this project but I really need it more than in the Visual Studio 2012 build with v110_xp, so I ask you to support this. It would be appreciated.

On line 93 of MetaString4.h:
constexpr char key(int position) const { return buffer_[0] + position; }

I got a compiler warning on this and after looking at it, I thought you might want to check it out. Should 'position' also be a char in this instance? (The compiler does not like returning a value as char when you're doing math with an int.)

There are a few other instances similar to this in the same file.

Basically what the title says. The code compiles fine, but intellisense reports this error any idea why?

E0070 Incomplete type is not allowed

this code:
`int main()
{
bool res = OBFUSCATED_CALL_RET(BOOL,IsDebuggerPresent);
printf("%d\n" , res);

return 0;

}`

will be translate with msvc2015 x86 to: (using ida)
`
lea eax, [ebp+var_C]

mov large fs:0, eax

mov esi, ds:IsDebuggerPresent

lea ecx, [ebp+var_58]

add esi, 175h

call sub_401470

or in xray to :
sub_401470(&v5);

v8 = 0;

sub_401390((char *)&IsDebuggerPresent + 373, 373);

v3 = v6;

sub_401530(&Memory);
`

As you can see the code does not really get obfuscation - it does get at the level of the program but the function names (which is the most central thing to the researcher) still remain ...

Using MetaString<1, K, Indexes<I...>>, compile with VS 2017 ver 15.7.1, disassemble and you'll find constexpr not working as supposed. As a result, the strings are obfuscated at runtime.
For some unknown reason, the compiler regards the position I as a variant not a const value though it can be and indeed is produced at compile-time.

After several tries, an ugly template function fools the compiler to obfuscate string at compile-time.

template<char K, int... I>
  struct MetaString<1, K, Indexes<I...>>
  {
    // Constructor. Evaluated at compile time. Instantiate template function **encrypt**.
    constexpr ALWAYS_INLINE MetaString(const char* str)
    : key_(K), buffer_ {encrypt<K+I>(str[I])...} { }
    /* untouched  inline const char* decrypt() */
    private:
        // ......
        // decrypt and encrypt2 are evaluated at runtime.
        constexpr char  encrypt2(char c, size_t position) const { return c ^ key(position); }
	constexpr char decrypt(char c, size_t position) const { return encrypt2(c, position); }
        // **encrypt** will be instantiated at compile time in the constructor of this MetaString.
	template<char _k>
	constexpr char encrypt(char c) const { return c ^ _k; }
        /* key_ and buffer_ */
};

x2

I have been working on a project and first I built it with visual studio solutions and it worked perfectly. However, when trying to build the same project with CMake an error occurs that I cannot understand why it happens!

Here is the error message

C2440   'reinterpret_cast': cannot convert from 'F' to 'andrivet::ADVobfuscator::ObfuscatedAddress<std::string>::func_ptr_integral' 
my_project_directory\out\build\x64-Debug\quantumsample
C:\Users\Bpc\myProjects\vcpkg-master\installed\x64-windows-mixed\include\Lib\MetaFSM.h  162 

And here is the block code of this part

template<typename F>
    struct ObfuscatedAddress
    {
        // Pointer to a function
        using func_ptr_t = void(*)();
        // Integral type big enough (and not too big) to store a function pointer
        using func_ptr_integral = std::conditional<sizeof(func_ptr_t) <= sizeof(long), long, long long>::type;

        func_ptr_integral f_;
        int offset_;

        constexpr ObfuscatedAddress(F f, int offset): f_{reinterpret_cast<func_ptr_integral>(f) + offset}, offset_{offset} {}
        constexpr F original() const { return reinterpret_cast<F>(f_ - offset_); }
    };

Hi

I have a C++ library using OBFUSCATOR that always works fine with Java JNI 32/64 bits.
But know on, jvm crashes while calling OBFUSCATED_CALL_P() only with JDK 64 Bits on Win10. Works fine on Win7, Linux (32 and 64).
See log below.

A fatal error has been detected by the Java Runtime Environment:

EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00000000f9a51f90, pid=1896, tid=0x0000000000001590

When compiling with GCC and O3, some strings remains in clear in the binary executable.

Can you show me how to use it please ?

i want to see it obfuscate an c++ output then if i look in ida 6.8 i must see the string has been obfuscate :( please

Hi,

Is ADVobfuscator supported for VS2019? Currently I am using the current release with VS2019 but getting below errors.

Can you please help me to resolve the issue?

Regards,
Monali

VS2015 (v140), internal compiler error if I replace XOR with XOR2.
sprintf_s(szInfoString, XOR("%s = %d"), varName.c_str(), GetInt());
sprintf(szValue, XOR("%.02f"), fltValue);

definitions:

define XOR(a) a //Place holder to be swapped with XOR2

define XOR2(a) OBFUSCATED4(a)

I didnt touch any of your code, it's all original.
I tested it separetly and XOR2("%s is %s") works fine (at least compiles, didn't check runtime, but it's not issue) so I guess it's related to sprintf_s/sprintf.

Are there any plans on implementing an alternative function call obfuscation without requiring Boost and what about the production ready function call obfuscation with the function call being placed in the middle of the state machine you mentioned in the comment here?

This is just an idea/suggestion. Conan is a package manager for C/C++ projects, could ADVobfuscator be added to that package manager? As it would allow for easier integration with C/C++ projects. If you are unfamiliar with Conan https://conan.io/