diff --git a/Mocoh Polymorphic Engine.asm b/Mocoh Polymorphic Engine.asm new file mode 100644 index 0000000..61c3239 --- /dev/null +++ b/Mocoh Polymorphic Engine.asm @@ -0,0 +1,105 @@ +; .__ +; _____ ____ ____ ____ | |__ +; / \ / _ \_/ ___\/ _ \| | \ Poly Engine +;| Y Y ( <_> ) \__( <_> ) Y \ +;|__|_| /\____/ \___ >____/|___| / +; \/ \/ \/ +; +; [+] Simple Polymorphic PoC (code and decrypt routine) +; [+] 1byte XOR random key +; [+] The engine can change the key, and some instructions (code and order) +; [+] This is not new, not advanced... Just for education purposes +; +; By: SWaNk 2019 - Back in business, VX forever! +; +;https://pt.wikipedia.org/wiki/Mocó (Kerodon rupestris) + +format PE GUI 4.0 +entry start + +include "%include%/win32a.inc" + +; This is the poly encryption macro (1 byte xor). +; It is a simple XOR random 0x00 to 0xFF at compilation time. +;This is just a example how this can be done... Use your imagination to improve + +macro encrypt dstart,dsize { + local ..char + + key = %t and 0xff + + repeat dsize + load ..char from dstart+%-1 + ..char = ..char xor key + store ..char at dstart+%-1 + end repeat +} + +;The idea was to create a didactic macro. this guy will split the 1 byte range in 2 (0xff / 2 = 0x7f) +; +;If the pseudo random key is bigger than 0x7f, edx will receive the real_start then ecx will receive +;the code_size. if the key is smaller than 0x7f, the order chage +; +;If the pseudo random key is bigger than 0x7f, the increase of edx will be made with "inc edx" otherwise +;with "add edx, 1" + +macro simplePoly { + if key > 0x7f + mov edx,real_start + mov ecx,code_size + else + mov ecx,code_size + mov edx,real_start + end if + + @@: xor byte [edx],key + + if key > 0x7f + inc edx + else + add edx,1 + end if + + loop @B +} + +;this macro will generate this instructions starting at the entry point + +; mov edx,mocoh.401010 | The order of this instructions +; mov ecx,1C | can change + +; xor byte ptr ds:[edx],F4 | The key will change (this case is F4) +; inc edx | This can change to "add edx, 1" +; loop mocoh.40100A + +;============================================================ +section ".code" code readable writeable +;============================================================ +start: + +simplePoly + +real_start: + +; Add your code here, start of encrypted code + + stdcall [MessageBox],0,msg,title,MB_ICONASTERISK + stdcall [ExitProcess],0 + +; end of encrypted code + + + display "Encrypting this shit... " + code_size = $ - real_start + encrypt real_start,code_size + display "done",13,10 + +;============================================================ +section ".data" data readable writeable import +;============================================================ + library kernel32,"kernel32.dll",user32,"user32.dll" + include "%include%/api/kernel32.inc" + include "%include%/api/user32.inc" + + title db "SWaNk 2019",0 + msg db "compile 2 times and compare the hashes and decryption instruction bitches!",0 \ No newline at end of file