{"id":28951498,"url":"https://github.com/m512i/patcher","last_synced_at":"2025-06-23T15:02:26.861Z","repository":{"id":298085309,"uuid":"998816461","full_name":"m512i/patcher","owner":"m512i","description":"obfuscator that encrypts imports and replaces callsites with custom decrypting stubs","archived":false,"fork":false,"pushed_at":"2025-06-09T10:50:32.000Z","size":29,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-06-12T04:42:21.553Z","etag":null,"topics":["anti-disassembly","assembly","binary-patching","c","iat-obfuscation","obfuscation","portable-executable","reverse-engineering","windows-api","x86-assembly"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/m512i.png","metadata":{"files":{"readme":"README.txt","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-09T09:47:50.000Z","updated_at":"2025-06-09T22:40:04.000Z","dependencies_parsed_at":"2025-06-12T04:42:27.021Z","dependency_job_id":"1277c241-8985-41a0-8c6a-e18e68b5a9fc","html_url":"https://github.com/m512i/patcher","commit_stats":null,"previous_names":["ozempiic/patcher","m512i/patcher"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/m512i/patcher","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m512i%2Fpatcher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m512i%2Fpatcher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m512i%2Fpatcher/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m512i%2Fpatcher/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/m512i","download_url":"https://codeload.github.com/m512i/patcher/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m512i%2Fpatcher/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261500286,"owners_count":23168066,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-disassembly","assembly","binary-patching","c","iat-obfuscation","obfuscation","portable-executable","reverse-engineering","windows-api","x86-assembly"],"created_at":"2025-06-23T15:02:24.073Z","updated_at":"2025-06-23T15:02:26.839Z","avatar_url":"https://github.com/m512i.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"injects a new .istub section (marked executable+readable) and, for each imported function, \nemits a tiny XOR-decrypt stub that preserves registers (pushad/popad on x86, push rax/pop rax on x64), \nloads the encrypted function RVA into EAX/RAX, \nxors the low byte with a compile-time key, \nwrites the result back into the original IAT slot on the stack, \nand then jmps through that slot—adding a random padding byte at the end for misalignment. \nthen scans every code section for indirect IAT calls (FF 15 \u003cimm32\u003e) \nand replaces each 6-byte sequence with a 5-byte relative call into the matching stub plus a single-byte pad (usually NOP, \noptionally randomized). \nAn optional second pass also rewrites direct E8 \u003crel32\u003e calls targeting the import directory. \nThe patched binary behaves identically, \nbut all imports are hidden behind encrypted pointers and custom stubs, \ndefeating static disassembly and import-table enumeration.\n\nCOMPILE PATCHER/TESTER:\nat root dir do \n\ncmake -S . -B build `\n\u003e\u003e       -DCMAKE_POSITION_INDEPENDENT_CODE=ON `\n\u003e\u003e       -DICO_VERBOSE=ON\n\nthen \n\ncmake --build build\n\nthen go to build/debug and its there\n\n---\n\nin src dir do\n\nnasm -f win32 main.asm -o test.obj \n\nthen in x86 native cmd prompt\n\nlink test.obj user32.lib kernel32.lib /SUBSYSTEM:CONSOLE /MACHINE:X86 /ENTRY:main /OUT:test32.exe\n\nDISCLAIMERS:\n\nthis is funky got bored so i stopped x64 PE binaries do NOT work, patcher patches x86 but wont be able to run yes ik frick me!\nbut whoever wants to fork and fix it be my guest i just cba anymore\neasily detectable. :)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm512i%2Fpatcher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fm512i%2Fpatcher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm512i%2Fpatcher/lists"}