VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum
[Previous] [Index] [Next]

Deroko's Poly Engine

Author: Deroko

Author's comments

1. Theory

As usual poly engines are used to generate decryptor for virus. Thats all about theory.

2. How does this work?

First of all, there is predefined decryption algo, so your code must be encrypted with appropriate algo (example\test.asm) Algo goes like this:

                     add           eax, edx
                     mov           ecx, sizecrypted
                     shr           ecx, 2
                     mov           edi, offset code
__spin_crypt:        xor           dword ptr[edi], eax
                     ror           dword ptr[edi], 16
                     sub           dword ptr[edi], eax
                     add           edi, 4
                     loop          __spin_crypt

it consist of xor/ror/sub and decryption integrated into poly is

                     add           [reg1], reg2
                     ror           [reg1], 16
                     xor           [reg1], reg2

These are the rules that engine follows.

Engines uses 3 predefined subroutines as garbage, and uses 1 randomly generated sub which consist of garbagegenerator + SEH Also there are at least 3 SEHs in da poly decryptor, and their purpose is to remove hardware breakpoints using CONTEXT structure, so all hardware breakpoints will be removed. SEH is also polymorphic and it uses different regs + mov/and to change CONTEXT_Dr0/Dr3 to 0

It ain't powerful polyengin, but it works fine...

3. How to use it


                     push          cryptkey
                     push          _where_to_generate_poly
                     push          virussize
                     push          virus_virtual_address
                     call          poly

inside of virus poly should be called with CALL b/c it uses RET at the end.


                     [call         polyengin]
                     [    POLY_DECRYPTOR    ]

Well that's it... This poly is used in blacky.virus (still private) which uses runtime decryption to foobar heuristic/emulation/debugging... There are some random memory acceses... using regbase... FPU is used as garbage...

Polymorphic (generated decryptor) is not larger than 1300 bytes, actually it did not generate bigger decryptor than 1300 bytes so it should be optimal size for poly's buffer...


polyengine.zip11683DPEApr 2005MD5 sum 20500925221555665241cbd6719ccc13

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka