
I have a C++ program with 2 labels. The code between these labels is encrypted in the binary file (using 3rd-party utils) and then decrypted at runtime. The code for decryption looks like the following:

    _begin:                      // start of the region that is encrypted in the binary
        int a = 0xBAD, b = 0xC0DE;
        std::cin >> a >> b;
        int c = static_cast<int>(pow(a, pow(b, b))) % static_cast<int>(pow(a, b));
        switch (c)
        {
        case 0:
            std::cout << "c = " << 0 << std::endl;
            break;
        case 1:
            std::cout << "c = " << 1 << std::endl;
            break;
        case 2:
            std::cout << "c = " << 2 << std::endl;
            break;
        case 3:
            std::cout << "c = " << 3 << std::endl;
            break;
        default:
            std::cout << "c = " << c << std::endl;
        }
    _end: ;                      // end of the encrypted region (empty statement so the label is valid)

The decryption process is as follows: I call VirtualAlloc to allocate a new memory buffer with PAGE_EXECUTE_READWRITE permissions. Then I copy the encrypted part to this buffer and decrypt it. After that I just call this buffer.

    // requires <windows.h> for VirtualAlloc and <cstring> for memcpy
    unsigned char* begin = nullptr;   // receives the address of the _begin label
    unsigned char* end = nullptr;     // receives the address of the _end label
    __asm
    {
        lea eax, begin
        lea edx, _begin
        mov dword ptr[eax], edx
        lea eax, end
        lea edx, _end
        mov dword ptr[eax], edx
    }
    LPVOID ptr = VirtualAlloc(NULL, end - begin, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(ptr, begin, end - begin);
    // decryption here
    ((void(*)(void))ptr)();

The problem is that the std::cin and std::cout calls are near calls with a relative offset, which makes this offset completely incorrect in the newly allocated memory block that I try to execute.

The question is how to calculate the correct offset for the decrypted code and use it there.

  • You'll need to locate each call to library routines and fix it up with the new call offset. The formula will be something like `new offset = old offset - (new code base - old code base)`. – 500 - Internal Server Error Apr 05 '21 at 17:23
  • But how to locate each library routine call during runtime? – rudolfninja Apr 05 '21 at 17:48
  • If you use 3rd party tools to do the encryption, what do they state is the proper way to decrypt code? – 1201ProgramAlarm Apr 05 '21 at 19:44
  • 3rd party tool is a simple xor encryptor which encrypts a specific byte range with a key specified – rudolfninja Apr 05 '21 at 19:57
  • I'm not sure if your requirements allow for this but I'd be inclined to pass [the current] **cin** and **cout** addresses as arguments to the decrypted function. The resulting code that calls these function pointers will use the proper absolute addressing you need. – byteptr Apr 07 '21 at 19:11
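The fix-up formula given in the comments (`new offset = old offset - (new code base - old code base)`) follows directly from how an x86 near `call` (opcode `E8`, rel32) is encoded: the displacement is relative to the address of the instruction that follows the call. The block below is an added example, not code from the question or the comments, that works the arithmetic through on a constructed byte sequence: it recovers the absolute target of each call from the old base, recomputes the displacement for the new base, and shows that the relocated call still reaches the original target. The base addresses, the sample bytes and the helper names are all assumptions chosen for the demonstration. It also carries the caveat a practitioner needs: scanning for `0xE8` bytes is not instruction decoding, so a real relocator must walk instruction boundaries or record call sites ahead of time rather than patch every byte that happens to be `0xE8`.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// x86 near call: 0xE8 followed by a signed 32-bit displacement that is
// relative to the end of the 5-byte instruction.
constexpr size_t kCallLen = 5;

// Absolute target of a call whose 0xE8 opcode sits at instrAddr.
static uint32_t callTarget(uint32_t instrAddr, int32_t rel32) {
    return instrAddr + kCallLen + static_cast<uint32_t>(rel32);
}

// Displacement that reaches `target` from a call located at instrAddr.
static int32_t relFor(uint32_t instrAddr, uint32_t target) {
    return static_cast<int32_t>(target - (instrAddr + kCallLen));
}

// Rewrite every rel32 call in `code` (assumed to have been linked at oldBase)
// so that, once the bytes are copied to newBase, each call still reaches its
// original target. Returns the number of calls patched.
// Algebraically this is newRel = oldRel - (newBase - oldBase), the formula
// from the comments; the code goes through the absolute target so the
// intent is visible.
// Caveat: every 0xE8 byte is treated as an opcode. In real code 0xE8 can be
// part of an immediate or a displacement, so this scan is only safe on
// input whose instruction boundaries are known.
static size_t relocateCalls(std::vector<uint8_t>& code, uint32_t oldBase, uint32_t newBase) {
    size_t patched = 0;
    for (size_t i = 0; i + kCallLen <= code.size();) {
        if (code[i] == 0xE8) {
            int32_t rel;
            std::memcpy(&rel, &code[i + 1], sizeof rel);
            uint32_t target = callTarget(oldBase + static_cast<uint32_t>(i), rel);
            int32_t newRel = relFor(newBase + static_cast<uint32_t>(i), target);
            std::memcpy(&code[i + 1], &newRel, sizeof newRel);
            ++patched;
            i += kCallLen;
        } else {
            ++i;
        }
    }
    return patched;
}

// Constructed sample (assumed addresses): "nop; call rel32; ret" linked at
// kOldBase, with the call targeting kTarget. Copied to kNewBase later.
constexpr uint32_t kOldBase = 0x00401000;
constexpr uint32_t kNewBase = 0x00A00000;
constexpr uint32_t kTarget  = 0x00401100;

static std::vector<uint8_t> sampleCode() {
    std::vector<uint8_t> code = {0x90, 0xE8, 0, 0, 0, 0, 0xC3};
    int32_t rel = relFor(kOldBase + 1, kTarget);   // call opcode is at offset 1
    std::memcpy(&code[2], &rel, sizeof rel);
    return code;
}

// Displacement stored in the call after the sample has been relocated.
static int32_t relocatedRel() {
    std::vector<uint8_t> code = sampleCode();
    relocateCalls(code, kOldBase, kNewBase);
    int32_t rel;
    std::memcpy(&rel, &code[2], sizeof rel);
    return rel;
}

int main() {
    std::vector<uint8_t> code = sampleCode();
    int32_t before;
    std::memcpy(&before, &code[2], sizeof before);
    size_t n = relocateCalls(code, kOldBase, kNewBase);
    int32_t after;
    std::memcpy(&after, &code[2], sizeof after);
    std::cout << "patched calls: " << n << "\n"
              << "rel32 at old base: " << before << " -> target 0x" << std::hex
              << callTarget(kOldBase + 1, before) << "\n"
              << "rel32 at new base: " << std::dec << after << " -> target 0x" << std::hex
              << callTarget(kNewBase + 1, after) << "\n";
    return 0;
}
```

Run on the constructed sample, the single call is patched from a displacement of 250 to -6287110, and decoding the patched call at the new base yields the original target again. The same arithmetic applies to any rel32 branch (`E9` jmp, `0F 8x` jcc), but the byte-scanning shortcut does not, which is why relocation tables or a proper decoder are used in practice.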
