; BLM ~ BlueOwls Light Meta
; *************************
; Details
; Name: BLM (BlueOwls Light Meta)
; Date: 16 May 2005
; Size: 412 bytes
; Morphing power: light
; Morphing type: non-expansion
; Compatibility: most common x86 and pentium specific (rdtsc/movzx/..)
; Platforms: all 32bit (and maybe 16bit) x86 instruction set OSes
; Used compiler: FASM 1.60
; Bugs: hopefully none
; Morphing
; The following instructions can be morphed:
; 1. OP reg, reg -> changing the D bit (2)
; 2. OP (reg,) [(imm32+)reg] -> changing the unused SCALE bits (4)
; 3. OP (reg,) [(imm32+)reg+reg*1] -> swapping the regs (2)
; Any other instruction's size is calculated and skipped.
; Usage notes
; BLM can be usefull for any application which would like to do code
; morphing on its own, or other code. There are however, some things
; to keep note on:
; - Make sure you don't mix data with code, for example:
; > DB "some string",0
; > _LABEL:
; Would make the meta miscorrectly assume "some string",0 to be
; code. So make sure that in the codearea you specify is no data.
; - On input, esi is allowed to equal edi, but it is not recommended
; if it will cause the meta to morph itself on runtime.
; - This code does not need any data, and only needs to be able to
; execute. It is completely permutatable.
; Agreement
; This sourcecode is meant to be used in freeware and shareware
; programs, and therefor it is strictly prohibited to add any of this
; code in binary or source format in scan strings or other detection
; methods. If done, it will impact on the sellability of the product,
; and can result in high fees and/or trials before court.
; in: esi(ecx) = start of code to morph
; edi(ecx) = start of buffer to put morphed code in
; ecx = size of code to morph (and buffer)
; out: esi = esi + ecx
; edi = edi + ecx
; other registers are destroyed (except esp)
BLM: cld
lea ebx, [esi+ecx] ; ebx = ptr to end of code to morph
nextcode: push ebx
xor ecx, ecx
push 4
pop ebx
call .innext
pop ebx
rol edx, 7 ; simple RAND function
neg dx
cmp ebx, esi
ja nextcode
.next: movsb
.innext: mov al, [esi]
and al, 11100111b
cmp al, 00100110b ; es/cs/ss/ds segment?
jz .next ; check if more
mov al, [esi]
and al, 11111110b
cmp al, 01100100b ; fs/gs segment?
jz .next ; check if more
cmp al, 11110010b ; repz/repnz?
jz .next ; check if more
cmp al, 01100110b ; WORD?
jnz opcode
mov bl, 2 ; set WORD size
jmp .next
; -----------------------------------------------------------------------
opcode: mov al, [esi]
cmp al, 0fh
jnz branch_start
or al, [esi] ; ????1111
cmp al, 10001111b
jz .6byte ; -> jxx label32
cmp al, 10111111b
jz .3byte ; -> movzx/bt?
jmp .done
.6byte: movsb
.3byte: movsb
.done: movsb
branch_start: shl al, 1
jc branch_1xxxxxxx
branch_0xxxxxxx:shl al, 1
jc branch_01xxxxxx
branch_00xxxxxx:shl al, 4
jnc op_rmrm_d
op_eax: mov al, [esi]
shr al, 1
jc .pr32
ret ; -> op al, imm8
.pr32: add ecx, ebx ; -> op eax, imm32
rep movsb
branch_01xxxxxx:cmp al, 11000000b
jb .ncjump
movsb ; -> jxx label8
.ncjump: cmp al, 068h
jz do_5byte ; -> push imm32
cmp al, 06ah
jnz .done ; -> popad/pushad/pop/push/dec/inc (reg)
stosb ; -> push imm8
.done: movsb
op_rmrm_d: mov al, [esi+1] ; -> add/or/adc/sbb/and/sub/xor/cmp r/m,r/m
rcr edx, 1 ; rand true/false
jc .nomorph
cmp al, 11000000b
.nomorph: jb op_rm ; (jc == jb so little optimization)
xor al, 00000010b
and eax, 00111111b ; 00000000 00regreg
shl eax, 5 ; 00000reg reg00000
shr al, 2 ; 00000reg 00reg000
or al, ah ; 00000xxx 00regreg
or al, 11000000b ; 11regreg
branch_1xxxxxxx:shl al, 1
jc branch_11xxxxxx
branch_10xxxxxx:shl al, 1
jc branch_101xxxxx
branch_100xxxxx:shl al, 1
jc branch_01xxxxxx.ncjump ; -> xchg eax,reg/cwde/cdq/pushf/popf/sahf/lahf
branch_1000xxxx:cmp al, 01000000b
jae op_rm ; -> test/xchg/mov/lea/pop r/m(,r/m)
shl al, 3
jc op_rmimm8 ; -> add/or/adc/sbb/and/sub/xor/cmp r/m,imm8
jmp op_rmimm32 ; -> add/or/adc/sbb/and/sub/xor/cmp r/m,imm32
branch_101xxxxx:shl al, 1
jc branch_1011xxxx
branch_1010xxxx:and al, 11100000b
cmp al, 00100000b
jb op_eax ; -> test eax, imm
cmp al, 10000000b
jz do_5byte ; -> mov mem32, eax
ret ; -> movs/stos/lods/scas
branch_1011xxxx:shl al, 1
jnc branch_1100001x.2byte ; -> mov reg, imm8
jmp op_eax.pr32 ; -> mov reg, imm32
do_5byte: movsd
branch_11xxxxxx:shl al, 1
jc branch_111xxxxx
branch_110xxxxx:shl al, 1
jc branch_1101xxxx
branch_1100xxxx:cmp al, 11010000b
jz branch_1100001x.2byte ; -> int imm8
shl al, 1
jc branch_1100001x.done ; -> leave/int 3
branch_11000xxx:shl al, 1
jc op_rm_w ; -> mov r/m, imm
branch_110000xx:shl al, 1
jc branch_1100001x
inc ecx ; -> rol/ror/rcl/rcr/shl/shr/sal/sar reg, 1
jmp op_rm
branch_1100001x:shl al, 1
jc .done
.3byte: movsb
.2byte: movsb ; -> ret imm16
.done: movsb
ret ; -> ret
branch_1101xxxx:shl al, 2
jc branch_1100001x.done ; -> xlatb
branch_1101x0xx:jmp op_rm ; -> rol/ror/rcl/rcr/shl/shr/sal/sar reg, 1
branch_111xxxxx:shl al, 1
jc branch_1111xxxx
branch_1110xxxx:shl al, 1
jnc branch_11101010 ; -> loop label
branch_11101xxx:cmp al, 00100000b
jz branch_111010x0.done ; -> call label
branch_111010x0:shl al, 2
jc branch_11101010
.done: movsd ; -> jmp label32
ret ; -> jmp label8
branch_1111xxxx:shl al, 1
jc branch_11111xxx
branch_11110xxx:shl al, 2
jnc branch_11111xxx.done ; -> cmc
branch_11111x1x:mov al, [esi+1] ; al = modr/m
and al, 00111000b
jnz op_rm ; -> not/mul/div/idiv
jmp op_rm_w ; -> test
branch_11111xxx:shl al, 1
jc .done ; -> clc/stc/cli
shr al, 1
jc op_rm ; -> inc/dec/call/jmp/push
.done: movsb
ret ; -> cld/std
; -----------------------------------------------------------------------
op_rm_w: mov al, [esi]
shr al, 1
jnc op_rmimm8
op_rmimm32: add ecx, ebx ; imm length will be 4 or 2
dec ecx
op_rmimm8: inc ecx ; imm length = 1 byte
op_rm: movsb
cmp al, 11000000b ; op reg, reg
jae .done
mov ah, al
and al, 111b
shr ah, 6
jz .regaddr
cmp ah, 00000001b
jz .ddone
add ecx, 3 ; op reg, [reg+dword]
.ddone: inc ecx ; op reg, [reg+byte]
.cmpsib: cmp al, 00000100b
jnz .done
xor ebx, ebx
mov eax, ebx
lodsb ; 00000000 iiregreg
shl eax, 2 ; 000000ii regreg00
xchg bl, ah ; 00000000 regreg00
shl eax, 3 ; 00000reg reg00000
shr al, 5 ; 00000reg 00000reg
cmp ah, 4
jz .randindex
cmp al, 4
jz .nosib
or bl, bl ; index = 1?
jnz .nosib
rcr edx, 1
jnc .nosib ; randomly abort switch
xchg al, ah
jmp .nosib
.randindex: mov bl, dl ; index is random
and bl, 00000011b
.nosib: shl al, 5 ; 00000reg reg00000
shr eax, 3 ; 00000000 regreg00
mov ah, bl ; 000000ii regreg00
shr eax, 2 ; 00000000 iiregreg
.done: rep movsb
.regaddr: cmp al, 00000101b ; op reg, [dword]
jnz .cmpsib
jmp .done
; in: esi(ecx) = start of code to morph
; edi(ecx) = start of buffer to put morphed code in
; ecx = size of code to morph (and buffer)
; out: esi = esi + ecx
; edi = edi + ecx
; other registers are destroyed (except esp)
BLM: db 252,141,28,14,83,49,201,106,4,91,232,13,0,0,0,91
db 193,194,7,102,247,218,57,243,119,234,195,164,138,6,36,231
db 60,38,116,247,138,6,36,254,60,100,116,239,60,242,116,235
db 60,102,117,4,179,2,235,227,138,6,60,15,117,19,164,10
db 6,60,143,116,6,60,191,116,5,235,4,164,164,164,164,164
db 195,208,224,114,75,208,224,114,20,192,224,4,115,31,138,6
db 208,232,114,3,164,164,195,1,217,243,164,164,195,60,192,114
db 1,164,60,104,116,95,60,106,117,1,170,164,195,138,70,1
db 209,218,114,2,60,192,15,130,179,0,0,0,172,52,2,170
db 172,131,224,63,193,224,5,192,232,2,8,224,12,192,170,195
db 208,224,114,52,208,224,114,23,208,224,114,198,60,64,15,131
db 139,0,0,0,192,224,3,15,130,129,0,0,0,235,124,208
db 224,114,12,36,224,60,32,114,149,60,128,116,8,164,195,208
db 224,115,37,235,146,165,164,195,208,224,114,38,208,224,114,27
db 60,208,116,20,208,224,114,17,208,224,114,73,208,224,114,3
db 65,235,76,208,224,114,2,164,164,164,195,192,224,2,114,249
db 235,61,208,224,114,19,208,224,115,12,60,32,116,5,192,224
db 2,114,3,165,164,195,164,164,195,208,224,114,14,192,224,2
db 115,17,138,70,1,36,56,117,22,235,10,208,224,114,4,208
db 232,114,12,164,195,138,6,208,232,115,3,1,217,73,65,164
db 172,170,60,192,115,76,136,196,36,7,192,236,6,116,70,128
db 252,1,116,3,131,193,3,65,60,4,117,54,49,219,137,216
db 172,193,224,2,134,220,193,224,3,192,232,5,128,252,4,116
db 16,60,4,116,17,8,219,117,13,209,218,115,9,134,196,235
db 5,136,211,128,227,3,192,224,5,193,232,3,136,220,193,232
db 2,170,243,164,195,60,5,117,191,165,235,246