https://github.com/m512i/patcher
obfuscator that encrypts imports and replaces callsites with custom decrypting stubs
anti-disassembly assembly binary-patching c iat-obfuscation obfuscation portable-executable reverse-engineering windows-api x86-assembly
- Host: GitHub
- URL: https://github.com/m512i/patcher
- Owner: m512i
- License: gpl-3.0
- Created: 2025-06-09T09:47:50.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-06-09T10:50:32.000Z (4 months ago)
- Last Synced: 2025-06-12T04:42:21.553Z (4 months ago)
- Topics: anti-disassembly, assembly, binary-patching, c, iat-obfuscation, obfuscation, portable-executable, reverse-engineering, windows-api, x86-assembly
- Language: C
- Homepage:
- Size: 28.3 KB
- Stars: 4
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.txt
- License: LICENSE
README
injects a new .istub section (marked executable+readable) and, for each imported function,
emits a tiny XOR-decrypt stub that preserves registers (pushad/popad on x86; push rax/pop rax on x64, so only RAX is preserved there),
loads the encrypted function RVA into EAX/RAX,
XORs the low byte with a compile-time key,
writes the decrypted value back into the original IAT slot,
and then jmps through that slot; a random padding byte is appended to each stub for misalignment.
It then scans every code section for indirect IAT calls (FF 15 disp32, 6 bytes)
and replaces each one with a 5-byte relative call (E8 rel32) into the matching stub plus a single-byte pad (NOP by default,
optionally randomized).
An optional second pass also rewrites direct E8 calls whose target lies in the import directory.
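The C program below is an added illustration and is not code from the patcher repository. It builds the x86 stub layout described above for a constructed two-entry IAT, rewrites the FF 15 call sites in a constructed code buffer into E8 calls plus a pad byte, and shows the guard a practitioner wants when pattern-matching raw bytes: only a displacement that lands on a 4-byte-aligned slot inside the IAT is rewritten, so a look-alike FF 15 elsewhere is left alone. The image layout (base 0x400000, code at 0x401000, IAT at 0x402000, stubs at 0x403000), the slot values, the key 0x5A and the exact stub encoding (pushad / mov eax,imm32 / xor al,key / mov [slot],eax / popad / jmp [slot]) are assumptions chosen to match the README's description; they are not guaranteed to be the project's bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 32-bit image layout (hypothetical, not the project's). */
#define IMAGE_BASE 0x00400000u
#define CODE_VA    (IMAGE_BASE + 0x1000u)   /* code section */
#define IAT_VA     (IMAGE_BASE + 0x2000u)   /* two IAT slots */
#define IAT_SLOTS  2u
#define STUB_VA    (IMAGE_BASE + 0x3000u)   /* injected stub section */
#define XOR_KEY    0x5Au                    /* "compile-time" key baked into every stub */
#define PAD_BYTE   0x90u                    /* pad after the 5-byte call (tool may randomise) */

/* One x86 stub, 21 bytes:
 *   60             pushad
 *   B8 imm32       mov  eax, <target ^ key>   (only the low byte differs)
 *   34 ib          xor  al, key
 *   A3 moffs32     mov  [slot], eax            (decrypted value back into the IAT slot)
 *   61             popad
 *   FF 25 disp32   jmp  dword ptr [slot]
 *   xx             pad byte                                                        */
#define STUB_SIZE 21u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Emit the stub for the IAT slot at slot_va whose real value is target. */
size_t emit_stub(uint8_t *out, uint32_t slot_va, uint32_t target, uint8_t key, uint8_t pad) {
    size_t n = 0;
    out[n++] = 0x60;                                          /* pushad          */
    out[n++] = 0xB8; wr32(out + n, target ^ key); n += 4;     /* mov eax, enc    */
    out[n++] = 0x34; out[n++] = key;                          /* xor al, key     */
    out[n++] = 0xA3; wr32(out + n, slot_va); n += 4;          /* mov [slot], eax */
    out[n++] = 0x61;                                          /* popad           */
    out[n++] = 0xFF; out[n++] = 0x25; wr32(out + n, slot_va); n += 4; /* jmp [slot] */
    out[n++] = pad;
    return n;
}

/* What the CPU, or an analyst, does with a stub: key and encrypted immediate are
 * adjacent, so the real value is one XOR of the low byte away. Returns 0 if the
 * bytes do not look like a stub. */
uint32_t decode_stub(const uint8_t *stub) {
    if (stub[0] != 0x60 || stub[1] != 0xB8 || stub[6] != 0x34) return 0;
    return rd32(stub + 2) ^ stub[7];
}

uint32_t stub_roundtrip(uint32_t target, uint8_t key) {
    uint8_t stub[STUB_SIZE];
    if (emit_stub(stub, IAT_VA, target, key, PAD_BYTE) != STUB_SIZE) return 0;
    return decode_stub(stub);
}

/* Scan code for FF 15 disp32 (call dword ptr [abs32]). Only a displacement on a
 * 4-byte-aligned slot inside the IAT is rewritten; anything else that merely looks
 * like FF 15 (immediates, data, unrelated indirect calls) is left untouched.
 * Each hit becomes E8 rel32 to the slot's stub plus one pad byte. */
size_t rewrite_callsites(uint8_t *code, size_t len, uint32_t code_va, uint32_t iat_va,
                         uint32_t iat_slots, uint32_t stub_va, uint8_t pad) {
    size_t patched = 0;
    for (size_t off = 0; off + 6 <= len; ) {
        if (code[off] == 0xFF && code[off + 1] == 0x15) {
            uint32_t disp = rd32(code + off + 2);
            if (disp >= iat_va && disp < iat_va + 4u * iat_slots && (disp - iat_va) % 4u == 0) {
                uint32_t target  = stub_va + ((disp - iat_va) / 4u) * STUB_SIZE;
                uint32_t next_ip = code_va + (uint32_t)off + 5u;   /* E8 is relative to the next instruction */
                code[off] = 0xE8;
                wr32(code + off + 1, target - next_ip);
                code[off + 5] = pad;
                patched++;
                off += 6;
                continue;
            }
        }
        off++;
    }
    return patched;
}

/* Resolve the target VA of an E8 call at off, for verification. */
uint32_t call_target(const uint8_t *code, size_t off, uint32_t code_va) {
    return code_va + (uint32_t)off + 5u + rd32(code + off + 1);
}

/* Runs the constructed scenario end to end; returns the number of patched call
 * sites, or -1 if any check fails. */
int run_example(void) {
    uint8_t code[] = {                       /* constructed code section */
        0x31, 0xC0,                          /* xor eax, eax                          */
        0xFF, 0x15, 0x00, 0x20, 0x40, 0x00,  /* call [0x402000]  -> IAT slot 0        */
        0xFF, 0x15, 0x04, 0x20, 0x40, 0x00,  /* call [0x402004]  -> IAT slot 1        */
        0xFF, 0x15, 0x00, 0x30, 0x40, 0x00,  /* call [0x403000]  -> not an IAT slot   */
        0xC3                                 /* ret                                   */
    };
    const uint32_t real[IAT_SLOTS] = { 0x7C801D7Bu, 0x7C80BF8Bu }; /* constructed slot values */
    uint8_t stubs[IAT_SLOTS * STUB_SIZE];

    for (uint32_t i = 0; i < IAT_SLOTS; i++) {
        uint8_t *s = stubs + i * STUB_SIZE;
        if (emit_stub(s, IAT_VA + 4u * i, real[i], XOR_KEY, PAD_BYTE) != STUB_SIZE) return -1;
        if (decode_stub(s) != real[i]) return -1;
    }
    size_t n = rewrite_callsites(code, sizeof code, CODE_VA, IAT_VA, IAT_SLOTS, STUB_VA, PAD_BYTE);

    /* Each rewritten call must land on its slot's stub; the decoy must be untouched. */
    if (code[2] != 0xE8 || call_target(code, 2, CODE_VA) != STUB_VA) return -1;
    if (code[8] != 0xE8 || call_target(code, 8, CODE_VA) != STUB_VA + STUB_SIZE) return -1;
    if (code[14] != 0xFF || code[15] != 0x15) return -1;

    printf("patched %zu call sites; stub 0 immediate 0x%08X decodes to 0x%08X\n",
           n, rd32(stubs + 2), decode_stub(stubs));
    return (int)n;
}

int main(void) { return run_example() == 2 ? 0 : 1; }
```

decode_stub is the check worth keeping in mind: the key and the encrypted immediate sit side by side in every stub, so a script that walks .istub recovers all the real values without running anything, and once a stub has executed the IAT slot itself holds the plaintext pointer.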
The intended result is a patched binary that behaves identically,
but with every import reached through an encrypted immediate and a custom stub,
so static import-table enumeration and disassemblers that resolve call [IAT] targets no longer see the API calls directly.
As the disclaimer below says, this is easily detectable: the single-byte XOR key sits next to the encrypted value in each stub,
and the extra executable .istub section plus the uniform E8-plus-pad call pattern are signatures in their own right.
COMPILE PATCHER/TESTER:
at the root dir do (PowerShell; the backticks are line continuations)
cmake -S . -B build `
    -DCMAKE_POSITION_INDEPENDENT_CODE=ON `
    -DICO_VERBOSE=ON
then
cmake --build build
then go to build/debug and it's there
---
in the src dir do
nasm -f win32 main.asm -o test.obj
then, in an x86 native tools command prompt,
link test.obj user32.lib kernel32.lib /SUBSYSTEM:CONSOLE /MACHINE:X86 /ENTRY:main /OUT:test32.exe
DISCLAIMERS:
this is funky; I got bored so I stopped. x64 PE binaries do NOT work; the patcher patches x86 but it won't be able to run. yes, I know, frick me!
but whoever wants to fork and fix it, be my guest, I just can't be bothered anymore
easily detectable. :)