                          poly  engine
                          ~~~~~~~~~~~~
                                           deroko <deroko<at>gmail<dot>com>
                                           http://deroko.headcoders.net 

1. Theory
~~~~~~~~~
As usual poly engines are used to generate decryptor for virus.
Thats all about theory.

2. How does this work?
~~~~~~~~~~~~~~~~~~~~~~
First of all, there is predefined decryption algo, so your code
must be encrypted with appropriate algo (example\test.asm)
Algo goes like this:

                     rdtsc
                     add           eax, edx
                     mov           ecx, sizecrypted
                     shr           ecx, 2
                     mov           edi, offset code
__spin_crypt:        xor           dword ptr[edi], eax
                     ror           dword ptr[edi], 16
                     sub           dword ptr[edi], eax
                     add           edi, 4
                     loop          __spin_crypt
it consist of xor/ror/sub and decryption integrated into poly is

                     add           [reg1], reg2
                     ror           [reg1], 16
                     xor           [reg1], reg2
                     
These are the rules that engine follows.

Engines uses 3 predefined subroutines as garbage, and uses 1 randomly
generated sub which consist of garbagegenerator + SEH
Also there are at least 3 SEHs in da poly decryptor, and their purpose
is to remove hardware breakpoints using CONTEXT structure, so all hardware
breakpoints will be removed.
SEH is also polymorphic and it uses different regs + mov/and to change 
CONTEXT_Dr0/Dr3 to 0

It ain't powerful polyengin, but it works fine...

3. How to use it
~~~~~~~~~~~~~~~~

syntax:
                     push          cryptkey
                     push          _where_to_generate_poly
                     push          virussize
                     push          virus_virtual_address
                     call          poly
                     
inside of virus poly should be called with CALL b/c it uses RET at the end.
Example:
                     [call         polyengin]
                     [VVVVVVVVVVVVVVVVVVVVVV]
                     [IIIIIIIIIIIIIIIIIIIIII]
                     [RRRRRRRRRRRRRRRRRRRRRR]
                     [UUUUUUUUUUUUUUUUUUUUUU]
                     [SSSSSSSSSSSSSSSSSSSSSS]
                     [    POLY_DECRYPTOR    ]


Well that's it... This poly is used in blacky.virus (still private) which uses
runtime decryption to foobar heuristic/emulation/debugging... 
There are some random memory acceses... using regbase...
FPU is used as garbage...

Polymorphic (generated decryptor) is not larger than 1300 bytes, actually it 
did not generate bigger decryptor than 1300 bytes so it should be optimal size
for poly's buffer...


       
                                           deroko <deroko<at>gmail<dot>com>
                                           http://deroko.headcoders.net
                                          
                           