Home

Awesome

Furikuri

License Build status Build Status

Furikuri is protection framework what targeting on shellcode and executable files 
Supported x32 and x64 archs
  1. Obfuscation techniques
  2. Examples
  3. Compile
  4. Third party

Obfuscation techniques

Instruction mutation

Mutation of original instruction into series of other equivalent instructions

example:

 mov rcx, rax
 mov rdx, [rsp + 38h]
 call SomeFunc

becomes to :

 mov rdx, rax
 mov rcx, [rsp + 38h]
 push rcx
 mov rcx, rdx
 pop rdx
 call SomeFunc


Junk generation

Inserting assembler instructions with out any payload between "original" instructions

example:

 mov rcx, rax
 mov rdx, [rsp + 38h]
 call SomeFunc

becomes to :

 mov rdx, rdx
 mov rdx, r8
 mov rcx, rax
 push r8
 mov r8, 12345678h
 pop r8
 mov rdx, [rsp + 38h]
 call SomeFunc

Spaghetti code

Dividing original basic block of code on several but more smaller, through insertion jmp in middle of block to start of second of "new" block

example:

mov r10, [rax+20h]
mov eax, [rsp+98h]
mov [rsp+40h], eax
mov rax, [rsp+90h]
mov [rsp+38h], rax
mov eax, [rsp+88h]
mov [rsp+30h], eax
mov rax, [rsp+80h]
mov [rsp+28h], rax
mov [rsp+20h], r9d

becomes to :

mov r10, [rax+20h]
mov eax, [rsp+98h]
mov [rsp+40h], eax
mov rax, [rsp+90h]
mov [rsp+38h], rax
jmp l1:
...
...
...

l1 :
mov eax, [rsp+88h]
mov [rsp+30h], eax
mov rax, [rsp+80h]
mov [rsp+28h], rax
mov [rsp+20h], r9d


Bytecode obfuscation

Changes bytecode of instruction to another bytecode

example:

 48 8B CA mov rcx,rdx

becomes to :

 48 89 D1 mov rcx,rdx

Examples

shellcode obfuscation<br> executable obfuscation


Compile

Third Party

capstone<br> enma pe<br> fukutasm<br>