📄 29a-7.027
8b bd 78563412
[CODE] [ModR/M] [???]

[CODE] = 8b = 10001011              [ModR/M] = bd = 10111101

+--------+---+---+                  +-----+--------+-------+
; instr  ; d ; w ;                  ; Mod ; Reg/   ; R/M   ;
+--------+---+---+                  ;     ; opcode ;       ;
; 100010 ; 1 ; 1 ;                  +-----+--------+-------+
+--------+---+---+                  ; 1 0 ; 1 1 1  ; 1 0 1 ;
                                    +-----+--------+-------+
(d)=1 : the order is REG1-REG2               EDI     EBP
(w)=1 : 32 bits mode
instr : MOV r32,r/m32

[CODE] = 8b : opcode
                 ---> MOV r32,r/m32
[Mod] = 10 : memory address with 1 dword displacement
                 ---> MOV REG,[REG+DWORD]
[Reg/opcode] = 111 : this instruction needs no opcode extension,
                     so the field is a register (111 = EDI)
                 ---> MOV EDI,[EBP+DWORD]
[R/M] = 101 : with [Mod]=10 this is EBP, and there is no [SIB] byte after [ModR/M]
[78563412] = 12345678h : the displacement, stored little-endian
                 ---> MOV EDI,[EBP+12345678h]

So the instruction 8b bd 78563412 is mov edi,[ebp+12345678h]
*****************
** **
** IMMEDIATE **
** **
*****************
expl: 05h is the opcode for ADD EAX,imm32
      05h 00000010 is the instruction for add eax,10000000h
      (the imm32 is stored little-endian: 00 00 00 10 = 10000000h)
****************************
** **
** ALGO OF DISASSEMBLY **
** **
****************************
           !
          \!/
   +-------'-----+
   ; Read 1 byte ; <-------------------------------------------+
   +-------------+                                             !
           !                             +------------------+  !
          \!/                            ; Convert to ASCII ;--+
   +-------'----------+                  +--------.---------+
   ; Check for prefix ;                          /!\
   +------------------+                           !
           !                             +-----------------+
          \!/                            ; [IMMEDIATE]     ;
   +-------'--------------+              +-----------------+
   ; Decode [CODE] byte(s);              ; [DISPLACEMENT]  ;
   +----------------------+              +-----------------+
           !                             ; decode [SIB]    ;
          \!/                            +-----------------+
   +-------'---------------+             ; decode [ModR/M] ;
   ; JMP or CALL opcodes ? ;------>------+-----------------+
   +-----------------------+
************************************************
** **
** HOW TO WRITE YOUR OWN DIS/ASSEMBLY PROCESS **
** **
************************************************
Of course you can code a process which disassembles all the code of the
virus, morphs all of it and reassembles the virus. I think it is better to
deal only with the decryptor LOOP, because it is faster and your code will
not be too big...
You should first choose the opcodes and morphed opcodes you want to include
in your decryptor LOOP. Next you can write code which is able to disasm and
reasm them.
You will find a problem: JMP, LOOP and CALL instructions... Use your brain!
You should consider your decryptor as sitting inside a larger field:
+-----------------+                   +-----------------+       +-----------------+
; POLY DECRYPTOR  ;                   ; POLY DECRYPTOR  ;       ; POLY DECRYPTOR  ;
+-----------------+  because it       ; MORPHED         ;       ; MORE MORPHED    ;
;                 ;  can look like    ;                 ;--->   ;                 ;
;   EMPTY         ;  this next  --->  +-----------------+       ;                 ;
;   SPACE         ;                   ;                 ;       +-----------------+
; (NOP or other)  ;                   ;  EMPTY SPACE    ;--->   ;  empty space    ;
+-----------------+ <- fixed offset ->+-----------------+       +-----------------+
;                 ;                   ;                 ;       ;                 ;
;     VIRUS       ;                   ;     VIRUS       ;       ;     VIRUS       ;
Of course you should check that your 'reasm code' isn't larger than your empty space...
+--------------------+
+ MORPHING YOUR CODE +
+--------------------+
There are 4 ways to do that:

method 1 : change the code, e.g. 'xor ecx,ecx' into 'mov ecx,0'
method 2 : change the encoding of the instruction:
             8BF8    mov edi,eax
             89C7    mov edi,eax                 (see the (d) bit in the [CODE] field)
             8b00    mov eax,dword ptr DS:[EAX]
             3e8b00  mov eax,dword ptr DS:[EAX]  (see the default segment prefix)
method 3 : insert instructions which don't change the result of your code
method 4 : change the registers used:
             Decrypt:                      Decrypt:
               xor byte[esi],al              xor byte[edx],bl
               inc esi                       inc edx
               loop Decrypt                  loop Decrypt
******************
** **
** APPENDIX **
** **
******************
############################
# INTEL INSTRUCTION FORMAT #
############################
+-----------+----------+          +--------+---+---+
;  OPCODE   ; REGISTER ;    OR    ; instr  ; d ; w ;
+-----------+----------+          +--------+---+---+
; 0 1 0 1 0 ;  0 0 0   ;          ; 100010 ; 0 ; 1 ;
+-----------+----------+          +--------+---+---+
              \                      /
               \                    /
                \                  /
+-------------+--------+----------+---------+--------------+------------+
; instruction ; opcode ; ModR/M   ; SIB     ; Displacement ; Immediate  ;
; prefix      ;        ;          ;         ;              ;            ;
+-------------+--------+----------+---------+--------------+------------+
 up to four    1 or 2   1 byte     1 byte    address        immediate
 prefixes of   bytes    (if        (if       displacement   data of
 1 byte each   opcode   required)  required) of 1, 2 or 4   1, 2 or 4
 (optional)               /           \      bytes or none  bytes or none
                         /             \
                        /               \
  7   6 5    3 2     0                   7   6 5     3 2    0
  +-----+--------+-----+                 +-------+-------+------+
  ; Mod ; Reg/   ; R/M ;                 ; scale ; index ; base ;
  ;     ; opcode ;     ;                 ;       ;       ;      ;
  +-----+--------+-----+                 +-------+-------+------+
############################
# PREFIX #
############################
- SEGMENT PREFIX : 2E(CS) 36(SS) 3E(DS) 26(ES) 64(FS) 65(GS)
(default is DS)
- Operand-Size Prefix : 66 (default is none)
- Address-Size Prefix : 67 (default is none)
- REP/REPNE Prefixes : F3 F2
- Bus LOCK Prefix : F0
############################
# [CODE] #
############################
+-----------+----------+     Common Opcode Table:        Register Table:
;  OPCODE   ; REGISTER ;                                 REG   8bit  16bit  32bit
+-----------+----------+     01000 : INC REG             000 : AL  : AX  : EAX
; 0 1 0 1 0 ;  0 0 0   ;     01001 : DEC REG             001 : CL  : CX  : ECX
+-----------+----------+     01010 : PUSH REG            010 : DL  : DX  : EDX
                             01011 : POP REG             011 : BL  : BX  : EBX
                             10010 : XCHG EAX,REG        100 : AH  : SP  : ESP
                             10111 : MOV REG,IMM32       101 : CH  : BP  : EBP
                                                         110 : DH  : SI  : ESI
                                                         111 : BH  : DI  : EDI

[CODE]              [ModR/M]                Common Instruction Opcode table:
+--------+---+---+  +-----+------+------+
; instr  ; d ; w ;  ; Mod ; REG1 ; REG2 ;   BINARY OPCODE
+--------+---+---+  +-----+------+------+   -----------------------
; 100010 ; 0 ; 1 ;  ; 11  ; 000  ; 001  ;   000010dw  OR  REG,REG
+--------+---+---+  +-----+------+------+   001000dw  AND REG,REG
                                            001010dw  SUB REG,REG
if (d)=0 , the order is REG2-REG1           001100dw  XOR REG,REG
if (d)=1 , the order is REG1-REG2           001110dw  CMP REG,REG
if (w)=0 we are in 8 bits mode (Win32)      000000dw  ADD REG,REG
if (w)=1 we are in 32 bits mode (Win32)     100010dw  MOV REG,REG
MORE ABOUT [CODE] :

ENCODING                       MEANING
------------------------------+----------------------------+
000010dw OR REG,REG           ; or reg,reg                 ;
00000101 imm32                ; add eax,imm32              ;
000000dw Mod,R/M,Reg          ; add reg,mem   add mem,reg  ;
001000dw AND REG,REG          ; and reg,reg                ;
001010dw Mod,R/M,Reg          ; sub reg,mem   sub mem,reg  ;
00101101 imm32                ; sub eax,imm32              ;
001100dw Mod,r/m,Reg data     ; xor reg,mem   xor mem,reg  ;
001110dw CMP REG,REG          ; cmp reg,reg                ;
01000reg                      ; inc reg32                  ;
01001reg                      ; dec reg32                  ;
01010reg PUSH REG             ; push reg                   ;
01011reg POP REG              ; pop reg                    ;
1000000w 11101reg data32      ; sub reg,imm                ;
1000000w 11000reg data32      ; add reg,imm                ;
100010dw MdRegReg data32bit   ; mov reg,reg/mem            ;
10010reg XCHG EAX,REG         ; xchg eax,reg               ;
10111reg data32bits           ; mov reg,imm32              ;
11100010 imm16                ; loop imm16                 ;
------------------------------+----------------------------+
############################
# [ModR/M] #
############################
7 6 5 3 2 0
+-----+--------+-------+
; Mod ; Reg/ ; R/M ;
; ; opcode ; ;
+-----+--------+-------+
; 0 0 ; 0 0 0 ; 0 0 0 ;
+-----+--------+-------+
[Mod] : 00 : mem address                        expl: eax,[eax]
        01 : mem address with 1 byte displ.     expl: [eax+00]
        10 : mem address with 1 dword displ.    expl: [eax+00000000]
        11 : both operands are registers        expl: eax,eax
[Reg/opcode] : opcode extension field or Reg field
[R/M] : depends on the [Mod] bits in the ModR/M byte:
        - [Mod]=00 [R/M]=101 : the address is in the DWORD after the [ModR/M] byte.
        - [Mod]=00 [R/M]=100 : there's a SIB byte after the [ModR/M] byte.
        - [Mod]=01 [R/M]=100 : there's a SIB byte after the [ModR/M] byte.
        - [Mod]=10 [R/M]=100 : there's a SIB byte after the [ModR/M] byte.
        - [Mod]=11           : this field means --> registers
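A small decoder that follows the ALGO OF DISASSEMBLY flowchart (read a byte, check for prefixes, decode [CODE], then [ModR/M], [SIB], displacement and immediate, convert to ASCII) and applies the [Mod]/[R/M] rules just listed. This is an added example, not code from the article: it knows only the opcodes in the appendix tables (plus two assumptions that go slightly beyond them: the 00xxx101 "ALU eax,imm32" pattern is applied to all six ALU ops rather than just 05/2D, and 83 is accepted as the imm8 form of 81) and raises ValueError for anything else. The hex strings in the demo are the page's own examples plus a constructed SIB case.

```python
import struct

# Tables transcribed from the appendix (32-bit operands, as the page assumes)
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
SEG_PREFIX = {0x2E: "cs", 0x36: "ss", 0x3E: "ds", 0x26: "es", 0x64: "fs", 0x65: "gs"}
OTHER_PREFIX = {0x66: "opsize", 0x67: "adsize", 0xF2: "repne", 0xF3: "rep", 0xF0: "lock"}
# Mnemonic selected by bits 5..3 of the 00xxx0dw / 00xxx101 opcodes; the Reg/opcode
# extension of 80/81/83 uses the same numbering, so one table serves both.
ALU = {0: "add", 1: "or", 4: "and", 5: "sub", 6: "xor", 7: "cmp"}
REG_IN_OPCODE = {0x40: "inc", 0x48: "dec", 0x50: "push", 0x58: "pop"}  # low 3 bits = reg


def _disp(v):
    """Render a signed displacement as +XXh / -XXh."""
    return ("-" if v < 0 else "+") + f"{abs(v):x}h"


class Decoder:
    def __init__(self, code):
        self.code, self.pos = code, 0

    def byte(self):                                          # "Read 1 byte"
        b = self.code[self.pos]
        self.pos += 1
        return b

    def imm(self, size, signed=False):
        """Immediate or displacement of 1, 2 or 4 bytes, stored little-endian."""
        fmt = {1: "b", 2: "h", 4: "i"}[size]
        v = struct.unpack_from("<" + (fmt if signed else fmt.upper()), self.code, self.pos)[0]
        self.pos += size
        return v

    def modrm(self, w, seg):
        """Decode [ModR/M], then [SIB] and displacement when Mod/R/M call for them.
        Returns (Reg/opcode field, text of the r/m operand)."""
        b = self.byte()
        mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
        if mod == 3:                                         # Mod=11: r/m is a register
            return reg, (REGS32 if w else REGS8)[rm]
        if mod == 0 and rm == 5:                             # Mod=00 R/M=101: disp32 only
            return reg, f"{seg}[{self.imm(4):08x}h]"
        if rm == 4:                                          # R/M=100: a SIB byte follows
            sib = self.byte()
            scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
            if mod == 0 and base == 5:                       # "no base" form: not on the page
                raise ValueError("SIB with Mod=00 and base=101 is not covered here")
            text = REGS32[base] + (f"+{REGS32[index]}*{scale}" if index != 4 else "")
        else:
            text = REGS32[rm]
        if mod == 1:                                         # Mod=01: 1 byte displacement
            text += _disp(self.imm(1, signed=True))
        elif mod == 2:                                       # Mod=10: 1 dword displacement
            text += _disp(self.imm(4, signed=True))
        return reg, f"{seg}[{text}]"

    def decode(self):
        """Decode one instruction at the current position and convert it to text."""
        seg, extra = "", []
        while True:                                          # "Check for prefix"
            op = self.byte()
            if op in SEG_PREFIX:
                seg = SEG_PREFIX[op] + ":"
            elif op in OTHER_PREFIX:
                extra.append(OTHER_PREFIX[op])
            else:
                break
        d, w = (op >> 1) & 1, op & 1                         # (d) and (w) bits of [CODE]
        regs = REGS32 if w else REGS8
        alu = ALU.get((op >> 3) & 7)
        if op < 0x40 and (op & 4) == 0 and alu:              # 00xxx0dw  ALU reg,r/m
            reg, rmtxt = self.modrm(w, seg)
            a, b = (regs[reg], rmtxt) if d else (rmtxt, regs[reg])   # (d) fixes the order
            text = f"{alu} {a},{b}"
        elif op < 0x40 and (op & 7) == 5 and alu:            # 00xxx101  ALU eax,imm32
            text = f"{alu} eax,{self.imm(4):x}h"
        elif op in (0x80, 0x81, 0x83):                       # 1000000w  ALU r/m,imm (83: imm8, sign-extended)
            reg, rmtxt = self.modrm(w, seg)
            if reg not in ALU:
                raise ValueError(f"extension /{reg} of {op:02x} not in this page's table")
            v = self.imm(4 if op == 0x81 else 1, signed=(op == 0x83)) & 0xFFFFFFFF
            text = f"{ALU[reg]} {rmtxt},{v:x}h"
        elif (op & 0xFC) == 0x88:                            # 100010dw  MOV reg,r/m or MOV r/m,reg
            reg, rmtxt = self.modrm(w, seg)
            a, b = (regs[reg], rmtxt) if d else (rmtxt, regs[reg])
            text = f"mov {a},{b}"
        elif (op & 0xF8) in REG_IN_OPCODE:                   # 0100xreg / 0101xreg
            text = f"{REG_IN_OPCODE[op & 0xF8]} {REGS32[op & 7]}"
        elif (op & 0xF8) == 0x90:                            # 10010reg  XCHG EAX,REG
            text = f"xchg eax,{REGS32[op & 7]}"
        elif (op & 0xF8) == 0xB8:                            # 10111reg imm32  MOV REG,IMM32
            text = f"mov {REGS32[op & 7]},{self.imm(4):x}h"
        else:
            raise ValueError(f"opcode {op:02x} not in this page's table")
        return " ".join(extra + [text])


def disassemble(code):
    """Run the flowchart's loop over a whole byte string; returns one line per instruction."""
    dec, out = Decoder(code), []
    while dec.pos < len(code):
        out.append(dec.decode())
    return out


if __name__ == "__main__":
    for hexstr in ("8bbd78563412", "0500000010", "8bf8", "89c7", "3e8b00", "8b048a"):
        print(hexstr.ljust(14), disassemble(bytes.fromhex(hexstr))[0])
```

Running the demo prints the page's worked example as `mov edi,[ebp+12345678h]` and shows both encodings of `mov edi,eax` (8BF8 and 89C7) decoding to the same text, which is exactly why a byte-pattern signature on one encoding misses the other; the constructed `8b048a` exercises the [SIB] path (`mov eax,[edx+ecx*4]`).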
==========================================================================
==========================================================================
thanks to    : Intel              for making polymorph instructions
               Micro$oft Windows  Let's give us more n' more exe food for our baby!
               29A members        For their zines!!! VIVA 29A!!!
no thanks to : ME !!!             for my bad english ;-)
               All destructive virus writers
I hope that this tutorial will help you but don't forget this:
DON'T DESTROY ANYTHING !!!
PEACE !
LiTlLe VxW
December 2003