📄 29a-7.027
字号:
;-------------------------------------------------------------------------------
; DISCLAIMER : All these informations and documentations are given :REMIALCSID ;
; DISCLAIMER : to public in order to understand how is made a :REMIALCSID ;
; DISCLAIMER : virus, I'm not responsible of the use of this :REMIALCSID ;
; DISCLAIMER : (cool) paper. Virus writting is not forbiden! :REMIALCSID ;
; DISCLAIMER : but virus distribution is forbiden!!! :REMIALCSID ;
;-------------------------------------------------------------------------------
************************************************
* POLYMORPHISM AND INTEL INSTRUCTION FORMAT *
************************************************
1 - INTRODUCTION
2 - INTEL INSTRUCTION FORMAT
3 - INSTRUCTION PREFIXE
4 - OP CODE
5 - ModR/M
6 - SIB
7 - DISPLACEMENT
8 - IMMEDIATE
9 - ALGO OF DISASSEMBLY
10 - HOW TO WRITE YOUR OWN ASSEMBLY PROCESS
11 - APPENDIX ( SCHEMAS AND TABLES )
*********************
*** ***
** INTRODUCTION **
*** ***
*********************
This quick tutorial will help you to understood the way to disassemble opcodes.
It is not an 'intel looks like' document...It is only an introduction to intel
opcode, after reading this you should read intel doc, or all doc speaking about
intel instruction format...
NOTION REQUIRED before learning this tutorial:
- asm, the only way to code nice vx...
- english, only the bad english used to wrote vx tutorials ;-)
- Encryption
- Polymorphisme
DOCUMENTS YOU SHOULD FIND:
- The Art Of Assembly (pdf) http://aod.anticrack.de
- Intel Architecture Manual http://intel.com
- Code source of NASM (in C++)
In the 'The Art Of Assembly Tutorial' you will find some exe prog to
play with opcodes!
In virus world there is a terrible war: Against virus writers and antivirus
software. Most virus writters code for pleasure but AV company for money...
I will not explain here the concept of polymorphism (see older zines!)
The principe is simple: in a polymorph virus, the body of the virus is encrypted
to avoid AV string scanning, and polymorphism is use in the 'decryptage' code.
The part of the code which decrypt all the rest of the virus is'nt encrypted but
his appeareance change in the next infection. There is severals ways to do that.
If will explain here a cool technique: The virus is able to disasm the
'decryptage loop', change him, and re-asm it.
example:
;----------------------------------------------------------------
lea esi,[VirusBody+ebp] ; (ebp=delta offset of course)
mov ecx,EndOfVirusBody-VirusBody ; lenght of virus body
mov al,byte[key+ebp] ; key to decrypte data
Decrypt:
xor byte[esi],al
inc esi
loop Decrypt
VirusBody:
.
.
.
EndOfVirusBody:
;----------------------------------------------------------------
can be change in:
;----------------------------------------------------------------
mov esi,[VirusBody]
add esi,ebp
xor ebx,ebx
mov bl,byte[key+ebp]
xchg eax,ebx
push dword EndOfVirusBody-VirusBody
pop ecx
Decrypt:
xor byte[esi],al
add esi,1
nop
loop Decrypt
VirusBody:
.
.
.
EndOfVirusBody:
;----------------------------------------------------------------
The problem is to Disasm, and Re-asm the code...To do this I will explain
brievely the Intel Instruction Format:
To know how to convert the hex string '40h' in his "humanly readeable code" 'inc eax'
for example
********************************
*** ***
** INTEL INSTRUCTION FORMAT **
*** ***
********************************
An intel instruction has a specific format:
INTEL INSTRUCTION FORMAT
+-------------+--------+----------+---------+--------------+------------+
; instruction ; opcode ; ModR/M ; SIB ; Displacement ; Immediate ;
; prefixe ; ; ; ; ; ;
+-------------+--------+----------+---------+--------------+------------+
Up to four 1 or 2 1 byte(if 1 byte(if address immediate
prefixe of bytes required) required) displacement data
1 byte each opcode / \ of 1,2 or 4 of 1,2 or 4
(optional) / \ bytes or none bytes or none
/ \
/ \
/ \
/ \
7 6 5 3 2 0 7 6 5 3 2 0
+-----+--------+-----+ +-------+-------+------+
; Mod ; Reg/ ; R/M ; ; scale ; index ; base ;
; ; opcode ; ; ; ; ; ;
+-----+--------+-----+ +-------+-------+------+
Intel instructions can vary in size, but they still have the same six
groups. We need to understand each group , and know it is purpose in order
to be able to learn the sizes of the diferent instructions.
I will not describe all in detail because it's annoying, find doc about intel
instruction format (see on intel web site)
***************************
*** ***
** INSTRUCTION PREFIXE **
*** ***
***************************
The instruction prefix is optional but they change the behavior of the instruction
in many ways. an instruction can have (or not) 0,1,2,3 or 4 prefixes.
There are 5 type of prefixes:
- SEGMENT PREFIX : Prefixes that specify the segment
2E 36 3E 26 64 65
- Operand-Size Prefix : Prefix that changes the default operand size
66
- Address-Size Prefix : Prefix that changes the default address size
67
- REP/REPNE Prefixes : Prefixes that change the string operation n loops
F3 F2
- Bus LOCK Prefix : Prefix that controls the processor BUS
F0
* One opcode can have several prefix: none,1,2,3 or 4
* the order of the prefixes is not important
* Each prefix is 1 byte size
+----------------+
; Segment prefix ;
+----------------+
The segment prefix change the default segment of the instruction, the default
segment prefix is DS:
2EH : CS segment override prefix.
36H : SS segment override prefix.
3EH : DS segment override prefix.
26H : ES segment override prefix.
64H : FS segment override prefix.
65H : GS segment override prefix.
expl: 8B00 MOV EAX,DWORD PTR DS:[EAX] (none prefix)
2E:8B00 MOV EAX,DWORD PTR CS:[EAX]
8B00 MOV EAX,DWORD PTR DS:[EAX] (none prefix)
36:8B00 MOV EAX,DWORD PTR SS:[EAX]
+---------------------+
; OPERAND-SIZE PREFIX ;
+---------------------+
The operand size prefix allows a programm to switch between 16 n' 32 bit operand sizes.
This prefix select the non-default size...It is to say that if there is not the prefix
66h so it is the default operand size. It 's recommended not to use this prefix after
MMX, SSE and/or SSE2 instructions!
Quick example(in a win32 environement):
89 C0 MOV EAX,EAX (none prefix)
66 89 C0 MOV AX, AX (prefix=66h)
+---------------------+
; Address-Size Prefix ;
+---------------------+
The address-size prefix allow a program to switch between 16 n' 32 bits
addressing. the prefix select the non default size
I will put here an example because it's no really use for us
(I hope you code in win32...)
expl: 8B00 MOV EAX,DWORD PTR DS:[EAX] 32bits addressing mode
67:8B00 MOV EAX,DWORD PTR DS:[BX+SI] 16bits adressing mode
+--------------------+
; REP/REPNE Prefixes ;
+--------------------+
I will put here only examples:
AD LODS DWORD PTR DS:[ESI]
F3 AD REP LODS DWORD PTR DS:[ESI]
F2 AD REPNE LODS DWORD PTR DS:[ESI]
3E F2 AD REPNE LODS DWORD PTR DS:[ESI]
+-----------------+
; Bus LOCK Prefix ;
+-----------------+
No use for us...Execpt if you want to know all the mystery of intel instruction
format in order to disasm the host, find a good place for the virus inside
the disassembled host code and reassembly all the infected file...
***************************
** **
** OP CODE **
** **
***************************
+------------------+
; One Byte Opcodes ;
+------------------+
in intel doc you can find something like this for the description of the
PUSH REG instruction:
PUSH REG <------> 01010reg (where 'reg' are 3 bits)
For the description of all instruction, I let you see the big pdf file from intel
(I've put some description in APPENDIX about the most used instructions you can
use in a decryptor LOOP)
Let抯 study this following instruction (it is 1byte instruction):
PUSH EAX ---> 50h ---> 01010000 ---> 01010 000
/ \
/ \
/ \
bits 7 6 5 4 3 2 1 0
+-----------+--------+
; OPCODE ;REGISTER;
+-----------+--------+
; 0 1 0 1 0 ; 0 0 0 ;
+-----------+--------+
The 5 bits (01010) on the left are responsible for the instruction 'push'
The 3 bits (000) on the right are responsible for the register 'eax' (see register table)
let's look at some instruction encoding:
Little Opcode Table: Register Table:
REG 8bit 16bit 32bit
01000reg : INC REG 000 : AL : AX : EAX
01001reg : DEC REG 001 : CL : CX : ECX
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -