The EntropyReducer algorithm is determined by the BUFF_SIZE and NULL_BYTES values. The diagram that follows in the original README (an image, not reproduced here) shows how EntropyReducer would lay out your payload if BUFF_SIZE was set to 4 and NULL_BYTES to 2.
EntropyReducer first checks whether the raw input payload's size is a multiple of BUFF_SIZE; if it is not, it pads the payload so that it is. It then takes every BUFF_SIZE-byte chunk of the payload and makes a linked list node for it, using the InitializePayloadList function, so that the payload is now held as a linked list. Each node then receives NULL_BYTES null bytes, which are what lower the entropy of the result. Finally the list is serialized into the output buffer; this is done in the Obfuscate function.

Since the obfuscation algorithm serialized the linked list, the first thing that must be done on the other side is to deserialize the obfuscated payload, generating a linked list from it again; this step is done in the Deobfuscate function.

EntropyReducer simply reads the raw payload file named on the command line and writes the obfuscated version to the same file name prefixed with ".ER".
The size of the final obfuscated payload varies depending on the values of both BUFF_SIZE and NULL_BYTES. However, it can be determined using the following equation:

FinalSize = ((OriginalSize + BUFF_SIZE - OriginalSize % BUFF_SIZE) / BUFF_SIZE) * (BUFF_SIZE + NULL_BYTES + sizeof(INT))

The first factor is the number of nodes after padding; note that, as written, it adds a full BUFF_SIZE block of padding even when OriginalSize is already a multiple of BUFF_SIZE. The second factor is the serialized size of one node: its BUFF_SIZE payload bytes, its NULL_BYTES null bytes, and one INT.
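The following is an added example, not code from the EntropyReducer project, that reimplements the scheme described above in a few dozen lines of C so the on-the-wire layout and the size equation can be checked against real bytes. It assumes a node layout the page does not spell out: BUFF_SIZE payload bytes, then NULL_BYTES zero bytes, then one INT holding the chunk's original index, with nodes emitted in shuffled order and the index used to restore it. An array stands in for the linked list, and placement by index replaces a sort. The function names (er_obfuscate, er_deobfuscate, er_final_size) and the 10-byte sample input are constructed for this example.

```c
/* Added example, not the EntropyReducer project's code: a minimal C version of the scheme
 * above. Assumed wire layout per node (not stated on the page): BUFF_SIZE payload bytes,
 * NULL_BYTES zero bytes, one INT index restoring the shuffled order. An array replaces the list. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFF_SIZE      4
#define NULL_BYTES     2
#define NODE_WIRE_SIZE (BUFF_SIZE + NULL_BYTES + sizeof(int))

typedef struct { uint8_t pBuffer[BUFF_SIZE]; int ID; } NODE;   /* chunk + original position */

/* The README's equation. It adds a full BUFF_SIZE block of padding even when
   original_size is already a multiple; er_obfuscate pads the same way. */
size_t er_final_size(size_t original_size) {
    return ((original_size + BUFF_SIZE - original_size % BUFF_SIZE) / BUFF_SIZE) * NODE_WIRE_SIZE;
}

/* Seeded PRNG for a reproducible shuffle; node order is obfuscation, not a secret. */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* Pad, chunk, index, shuffle, serialize. Returns a malloc'd buffer of exactly
   er_final_size(in_len) bytes, or NULL on allocation failure. */
uint8_t *er_obfuscate(const uint8_t *in, size_t in_len, size_t *out_len, uint32_t seed) {
    size_t n = (in_len + BUFF_SIZE - in_len % BUFF_SIZE) / BUFF_SIZE;
    NODE *nodes = calloc(n, sizeof(NODE));            /* zeroed, so the tail chunk is padded */
    uint8_t *out = malloc(n * NODE_WIRE_SIZE), *p = out;
    if (!nodes || !out) { free(nodes); free(out); return NULL; }
    for (size_t i = 0; i < n; i++) {
        size_t off = i * BUFF_SIZE, left = off < in_len ? in_len - off : 0;
        if (left) memcpy(nodes[i].pBuffer, in + off, left < BUFF_SIZE ? left : BUFF_SIZE);
        nodes[i].ID = (int)i;
    }
    uint32_t s = seed ? seed : 0x9E3779B9u;           /* xorshift state must be non-zero */
    for (size_t i = n - 1; i > 0; i--) {              /* Fisher-Yates shuffle */
        size_t j = xorshift32(&s) % (i + 1);
        NODE t = nodes[i]; nodes[i] = nodes[j]; nodes[j] = t;
    }
    for (size_t i = 0; i < n; i++) {                  /* wire layout: chunk | zeros | index */
        memcpy(p, nodes[i].pBuffer, BUFF_SIZE); p += BUFF_SIZE;
        memset(p, 0, NULL_BYTES);               p += NULL_BYTES;
        memcpy(p, &nodes[i].ID, sizeof(int));   p += sizeof(int);
    }
    free(nodes); *out_len = n * NODE_WIRE_SIZE;
    return out;
}

/* Parse and validate the stream, putting each chunk back at its index. Returns the padded
   payload, or NULL on a truncated stream or an out-of-range or repeated index (corrupt .ER). */
uint8_t *er_deobfuscate(const uint8_t *in, size_t in_len, size_t *out_len) {
    if (in_len == 0 || in_len % NODE_WIRE_SIZE != 0) return NULL;
    size_t n = in_len / NODE_WIRE_SIZE;
    uint8_t *out = calloc(n * BUFF_SIZE, 1), *seen = calloc(n, 1);
    if (!out || !seen) { free(out); free(seen); return NULL; }
    for (size_t i = 0; i < n; i++) {
        const uint8_t *node = in + i * NODE_WIRE_SIZE;
        int id; memcpy(&id, node + BUFF_SIZE + NULL_BYTES, sizeof(int));
        if (id < 0 || (size_t)id >= n || seen[id]) { free(out); free(seen); return NULL; }
        seen[id] = 1;
        memcpy(out + (size_t)id * BUFF_SIZE, node, BUFF_SIZE);
    }
    free(seen); *out_len = n * BUFF_SIZE;
    return out;
}

/* Constructed 10-byte sample (not shellcode); 10 % 4 != 0, so padding is exercised. */
static const uint8_t SAMPLE[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
/* 1 if the sample round-trips under this seed and the wire size matches the equation
   (10 bytes -> 3 nodes -> 30 bytes; 12 padded bytes come back). */
int er_roundtrip_ok(uint32_t seed) {
    size_t olen = 0, dlen = 0;
    uint8_t *o = er_obfuscate(SAMPLE, sizeof SAMPLE, &olen, seed);
    if (!o || olen != er_final_size(sizeof SAMPLE)) { free(o); return 0; }
    uint8_t *d = er_deobfuscate(o, olen, &dlen);
    int ok = d && dlen == 12 && !memcmp(d, SAMPLE, sizeof SAMPLE) && !d[10] && !d[11];
    free(o); free(d); return ok;
}

/* 1 if a truncated stream and a stream with a repeated index are both rejected. */
int er_rejects_corrupt(void) {
    size_t olen = 0, dlen = 0;
    uint8_t *o = er_obfuscate(SAMPLE, sizeof SAMPLE, &olen, 1);
    if (!o) return 0;
    int truncated = er_deobfuscate(o, olen - 1, &dlen) == NULL;
    memcpy(o + BUFF_SIZE + NULL_BYTES, o + NODE_WIRE_SIZE + BUFF_SIZE + NULL_BYTES, sizeof(int));
    int repeated = er_deobfuscate(o, olen, &dlen) == NULL;   /* node 0 now carries node 1's index */
    free(o);
    return truncated && repeated;
}
int main(void) {                                      /* dump one serialized node per line */
    size_t olen = 0;
    uint8_t *o = er_obfuscate(SAMPLE, sizeof SAMPLE, &olen, 7);
    for (size_t i = 0; o && i < olen; i++) printf("%02X%s", o[i], (i + 1) % NODE_WIRE_SIZE ? " " : "\n");
    free(o); return 0;
}
```

Running it prints three ten-byte lines, each a chunk followed by two zero bytes and a little-endian index, which is the shape the equation counts. The validation in er_deobfuscate is the part worth carrying into a real loader: a stream whose length is not a node multiple, or whose indices do not form a permutation, is rejected rather than being assembled and executed.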
The PoC project in this repo executes the generated ".ER" file, as an example of deserializing and deobfuscating it.
All you have to do is add the EntropyReducer.c and EntropyReducer.h files to your project and call the Deobfuscate function. You can check PoC/main.c for reference.
In this example, BUFF_SIZE was set to 3 and NULL_BYTES to 1.
[Demo screenshots (images in the original README, not reproduced here): the raw payload beginning with the bytes FC 48 83, and entropy readings shown in pestudio of 5.883, 7.110, 7.210 and 4.093.]
github.com/Leyxargon/c-linked-list
github.com/Maldev-Academy/EntropyReducer
github.com/Maldev-Academy/EntropyReducer/blob/main/EntropyReducer/Common.h#L13
github.com/Maldev-Academy/EntropyReducer/blob/main/EntropyReducer/Common.h#L14
github.com/Maldev-Academy/EntropyReducer/blob/main/EntropyReducer/EntropyReducer.c#L10
github.com/Maldev-Academy/EntropyReducer/blob/main/EntropyReducer/EntropyReducer.c#L133
github.com/Maldev-Academy/EntropyReducer/blob/main/EntropyReducer/EntropyReducer.c#L160
github.com/Maldev-Academy/EntropyReducer/blob/main/EntropyReducer/main.c#L71
github.com/Maldev-Academy/EntropyReducer/blob/main/PoC/EntropyReducer.c
github.com/Maldev-Academy/EntropyReducer/blob/main/PoC/EntropyReducer.c#L210
github.com/Maldev-Academy/EntropyReducer/blob/main/PoC/EntropyReducer.c#L216
github.com/Maldev-Academy/EntropyReducer/blob/main/PoC/EntropyReducer.c#L223
github.com/Maldev-Academy/EntropyReducer/blob/main/PoC/EntropyReducer.c#L250
github.com/Maldev-Academy/EntropyReducer/blob/main/PoC/EntropyReducer.h
github.com/Maldev-Academy/EntropyReducer/blob/main/PoC/EntropyReducer.h#L20
github.com/Maldev-Academy/EntropyReducer/blob/main/PoC/main.c#L54
github.com/Maldev-Academy/EntropyReducer/tree/main/PoC