; .__ ; _____ ____ ____ ____ | |__ ; / \ / _ \_/ ___\/ _ \| | \ Poly Engine ;| Y Y ( <_> ) \__( <_> ) Y \ ;|__|_| /\____/ \___ >____/|___| / ; \/ \/ \/ ; ; [+] Simple Polymorphic PoC (code and decrypt routine) ; [+] 1byte XOR random key ; [+] The engine can change the key, and some instructions (code and order) ; [+] This is not new, not advanced... Just for education purposes ; ; By: SWaNk 2019 - Back in business, VX forever! ; ;https://pt.wikipedia.org/wiki/Mocó (Kerodon rupestris) format PE GUI 4.0 entry start include "%include%/win32a.inc" ; This is the poly encryption macro (1 byte xor). ; It is a simple XOR random 0x00 to 0xFF at compilation time. ;This is just a example how this can be done... Use your imagination to improve macro encrypt dstart,dsize { local ..char key = %t and 0xff repeat dsize load ..char from dstart+%-1 ..char = ..char xor key store ..char at dstart+%-1 end repeat } ;The idea was to create a didactic macro. this guy will split the 1 byte range in 2 (0xff / 2 = 0x7f) ; ;If the pseudo random key is bigger than 0x7f, edx will receive the real_start then ecx will receive ;the code_size. if the key is smaller than 0x7f, the order chage ; ;If the pseudo random key is bigger than 0x7f, the increase of edx will be made with "inc edx" otherwise ;with "add edx, 1" macro simplePoly { if key > 0x7f mov edx,real_start mov ecx,code_size else mov ecx,code_size mov edx,real_start end if @@: xor byte [edx],key if key > 0x7f inc edx else add edx,1 end if loop @B } ;this macro will generate this instructions starting at the entry point ; mov edx,mocoh.401010 | The order of this instructions ; mov ecx,1C | can change ; xor byte ptr ds:[edx],F4 | The key will change (this case is F4) ; inc edx | This can change to "add edx, 1" ; loop mocoh.40100A ;============================================================ section ".code" code readable writeable ;============================================================ start: simplePoly real_start: ; Add your code here, start of encrypted code stdcall [MessageBox],0,msg,title,MB_ICONASTERISK stdcall [ExitProcess],0 ; end of encrypted code display "Encrypting this shit... " code_size = $ - real_start encrypt real_start,code_size display "done",13,10 ;============================================================ section ".data" data readable writeable import ;============================================================ library kernel32,"kernel32.dll",user32,"user32.dll" include "%include%/api/kernel32.inc" include "%include%/api/user32.inc" title db "SWaNk 2019",0 msg db "compile 2 times and compare the hashes and decryption instruction bitches!",0