VX Heaven


Mutating deCryptor Generator

Author: Doctor Revenge

Generates several blocks of garbage, much like Bomber and the OneHalf family, that pass control to the decryptor, which is placed before the encrypted code.
The engine is included in PeaceKeeper, by the same author.
Third-party analysis:
"The poly itself is quite simple (but it wasn't for the times the virus was actually written). It generates decryptors that can use ADD/SUB/XOR math operations on either bytes or words with a fixed encryption key as immediate. The counter register is fixed to CX, while the pointer can be either SI or DI, which can also be associated with a fixed offset (e.g. [DI + 100h]). There are two ways to create the loop check for the decryptor: using a LOOP instruction, or by just using DEC CX with a counter check. It is interesting that most of the exact structure of the decryptor is already decided at the poly calling time, in the register with the decryptor flags, which is BL. Most of the poly is written using tables. The assignment of the registers (counter and pointer) is in fact done by selecting one of the four possible constructs from an offset table; they are quite similar and all have the same task of assigning a given value to the given register (look at the comments in the code for the exact structure of each of these code blocks). As for the incrementation of the pointer, there are a few possible ways to do the work; depending on the used register, in fact, a SCASB or CMPSB (or the word form if encrypting by words) could be used instead of the more usual INC. As for garbage, there are 7 different types of garbage generation routines (tables are used here as well) that generate the usual one-byte instructions, some assignment and logical instructions, conditional jumps and comparisons between registers or between a register and an immediate. Garbage instructions can be either 16-bit or 8-bit ones. All the garbage generated doesn't affect in any way any of the registers (in fact only logical operations between a register and itself, like OR and AND, are used), except the flags, so the poly doesn't have to keep track of which registers must be preserved or which registers have been changed during the decryptor.
This of course makes the garbage generation easier to manage, but on the other side makes the possible generated garbage very reduced, and the generated instructions are not likely ones that could be found in a normal program, since they don't act on the registers at all."
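The decryptor shapes the analysis lists (ADD/SUB/XOR on bytes or words with an immediate key, CX as counter, SI or DI as pointer with an optional displacement, INC or a string op to advance the pointer, LOOP or DEC CX/JNZ as the loop check) and the flag-only garbage are small enough to model end to end. The Python below is an added example written for this page, not MCG's own code: it emits a decryptor as an assembly listing from a set of flags, applies the loop's arithmetic to a constructed body to show that the virus must encrypt with the inverse operation, and counts the self-referencing OR/AND garbage that, as the analyst notes, makes the output unlike normal code. The exact garbage vocabulary, the `$+2` jump targets, the way INC versus SCAS/CMPS is chosen, and all function and field names are assumptions.

```python
# Model of an MCG-style decryptor generator: an added example, not the engine's own code.
# Decryptor shapes follow the analysis above; the garbage vocabulary, jump targets,
# the string-op/INC choice and all names here are assumptions for illustration.
import random
from dataclasses import dataclass

MASK = {1: 0xFF, 2: 0xFFFF}
OPS = {"add": lambda v, k, m: (v + k) & m,
       "sub": lambda v, k, m: (v - k) & m,
       "xor": lambda v, k, m: (v ^ k) & m}
INVERSE = {"add": "sub", "sub": "add", "xor": "xor"}  # what the virus must encrypt with
REGS16 = ["ax", "bx", "dx", "bp"]                   # garbage never names CX or the pointer
REGS8 = ["al", "ah", "bl", "bh", "dl", "dh"]

@dataclass(frozen=True)
class Flags:
    """Choices the analysis says are fixed before the poly is called (its BL flags)."""
    op: str         # 'add' | 'sub' | 'xor'
    width: int      # 1 = byte, 2 = word
    ptr: str        # 'si' | 'di'
    offset: int     # displacement folded into the memory operand, e.g. 0x100
    loop_form: str  # 'loop' | 'dec'  (LOOP vs. DEC CX / JNZ)
    key: int        # immediate key, masked to the width

def transform(data: bytes, op: str, flags: Flags) -> bytes:
    """Apply op with flags.key to each byte or little-endian word: one loop iteration per unit."""
    w = flags.width
    if len(data) % w:
        raise ValueError("word decryptors need an even-length body")
    key = flags.key & MASK[w]
    out = bytearray()
    for i in range(0, len(data), w):
        v = int.from_bytes(data[i:i + w], "little")
        out += OPS[op](v, key, MASK[w]).to_bytes(w, "little")
    return bytes(out)

def encrypt_body(plain: bytes, flags: Flags) -> bytes:
    """The body is stored encrypted with the inverse of the op the decryptor will run."""
    return transform(plain, INVERSE[flags.op], flags)

def decrypt_body(enc: bytes, flags: Flags) -> bytes:
    """The arithmetic the emitted loop performs on the stored body."""
    return transform(enc, flags.op, flags)

def garbage(rng: random.Random) -> list:
    """Flag-only filler in the style the analysis describes: no register is ever written."""
    out = []
    for _ in range(rng.randint(1, 3)):
        kind = rng.randrange(4)
        if kind == 0:
            out.append(rng.choice(["nop", "clc", "stc", "cmc"]))          # one-byte, flags only
        elif kind == 1:
            r = rng.choice(REGS16 + REGS8)
            out.append(f"{rng.choice(['or', 'and'])} {r}, {r}")          # r op r == r
        elif kind == 2:
            a, b = rng.sample(REGS16, 2)
            out.append(f"cmp {a}, {rng.choice([b, f'{rng.randrange(0x10000):X}h'])}")
        else:
            out.append(f"{rng.choice(['jz', 'jnz', 'jc', 'jnc'])} $+2")  # target is the next insn
    return out

def emit_decryptor(flags: Flags, body_addr: int, body_len: int, seed: int = 0) -> list:
    """Return the decryptor as an assembly listing with garbage ahead of each fixed block."""
    rng = random.Random(seed)
    w = flags.width
    size = "byte" if w == 1 else "word"
    disp = f"+{flags.offset:X}h" if flags.offset else ""
    lines = garbage(rng)
    lines.append(f"mov cx, {body_len // w:X}h")                       # counter: always CX
    lines += garbage(rng)
    lines.append(f"mov {flags.ptr}, {(body_addr - flags.offset) & 0xFFFF:X}h")
    lines += garbage(rng)
    lines.append("decrypt:")
    lines.append(f"{flags.op} {size} ptr [{flags.ptr}{disp}], {flags.key & MASK[w]:X}h")
    if rng.random() < 0.5:
        lines += [f"inc {flags.ptr}"] * w                             # plain INC, twice for words
    else:  # string op as the bump: SCAS advances DI, CMPS advances SI (and DI, unused); needs DF = 0
        lines.append(("scas" if flags.ptr == "di" else "cmps") + ("w" if w == 2 else "b"))
    lines += ["loop decrypt"] if flags.loop_form == "loop" else ["dec cx", "jnz decrypt"]
    return lines

def self_op_count(listing) -> int:
    """Count 'or r, r' / 'and r, r' lines: real code rarely has them, MCG garbage is full of them."""
    n = 0
    for line in listing:
        parts = line.replace(",", " ").split()
        if len(parts) == 3 and parts[0] in ("or", "and") and parts[1] == parts[2]:
            n += 1
    return n

if __name__ == "__main__":
    f = Flags(op="xor", width=1, ptr="si", offset=0x100, loop_form="loop", key=0x5C)
    body = bytes(range(16))                                   # constructed stand-in for a virus body
    listing = emit_decryptor(f, 0x120, len(body), seed=7)
    print("\n".join(listing), "\nself-ops:", self_op_count(listing))
```

Two practical points fall out of the model. First, because the key, operation, width and pointer register are all immediates or fixed registers, every emitted decryptor contains the same handful of instruction skeletons; only the garbage between them varies, so a detector can skip flag-only instructions and match the loop directly. Second, `self_op_count` over a large sample of generated listings versus clean DOS code is a cheap heuristic for exactly the weakness the analyst describes: legitimate programs almost never OR or AND a register with itself repeatedly.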

mcg031.zip    62405 bytes    [MCG 0.31]    May 1994    MD5 sum 61b30edd0be627f87b9d806fa65a069e
