forked from vxunderground/VXUG-Papers
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
a6dbe47
commit ff8a5c6
Showing
1 changed file
with
105 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,105 @@ | ||
; .__ | ||
; _____ ____ ____ ____ | |__ | ||
; / \ / _ \_/ ___\/ _ \| | \ Poly Engine | ||
;| Y Y ( <_> ) \__( <_> ) Y \ | ||
;|__|_| /\____/ \___ >____/|___| / | ||
; \/ \/ \/ | ||
; | ||
; [+] Simple Polymorphic PoC (code and decrypt routine) | ||
; [+] 1byte XOR random key | ||
; [+] The engine can change the key, and some instructions (code and order) | ||
; [+] This is not new, not advanced... Just for education purposes | ||
; | ||
; By: SWaNk 2019 - Back in business, VX forever! | ||
; | ||
;https://pt.wikipedia.org/wiki/Mocó (Kerodon rupestris) | ||
|
||
format PE GUI 4.0 | ||
entry start | ||
|
||
include "%include%/win32a.inc" | ||
|
||
; This is the poly encryption macro (1 byte xor). | ||
; It is a simple XOR random 0x00 to 0xFF at compilation time. | ||
;This is just a example how this can be done... Use your imagination to improve | ||
|
||
macro encrypt dstart,dsize { | ||
local ..char | ||
|
||
key = %t and 0xff | ||
|
||
repeat dsize | ||
load ..char from dstart+%-1 | ||
..char = ..char xor key | ||
store ..char at dstart+%-1 | ||
end repeat | ||
} | ||
|
||
;The idea was to create a didactic macro. this guy will split the 1 byte range in 2 (0xff / 2 = 0x7f) | ||
; | ||
;If the pseudo random key is bigger than 0x7f, edx will receive the real_start then ecx will receive | ||
;the code_size. if the key is smaller than 0x7f, the order chage | ||
; | ||
;If the pseudo random key is bigger than 0x7f, the increase of edx will be made with "inc edx" otherwise | ||
;with "add edx, 1" | ||
|
||
macro simplePoly { | ||
if key > 0x7f | ||
mov edx,real_start | ||
mov ecx,code_size | ||
else | ||
mov ecx,code_size | ||
mov edx,real_start | ||
end if | ||
|
||
@@: xor byte [edx],key | ||
|
||
if key > 0x7f | ||
inc edx | ||
else | ||
add edx,1 | ||
end if | ||
|
||
loop @B | ||
} | ||
|
||
;this macro will generate this instructions starting at the entry point | ||
|
||
; mov edx,mocoh.401010 | The order of this instructions | ||
; mov ecx,1C | can change | ||
|
||
; xor byte ptr ds:[edx],F4 | The key will change (this case is F4) | ||
; inc edx | This can change to "add edx, 1" | ||
; loop mocoh.40100A | ||
|
||
;============================================================ | ||
section ".code" code readable writeable | ||
;============================================================ | ||
start: | ||
|
||
simplePoly | ||
|
||
real_start: | ||
|
||
; Add your code here, start of encrypted code | ||
|
||
stdcall [MessageBox],0,msg,title,MB_ICONASTERISK | ||
stdcall [ExitProcess],0 | ||
|
||
; end of encrypted code | ||
|
||
|
||
display "Encrypting this shit... " | ||
code_size = $ - real_start | ||
encrypt real_start,code_size | ||
display "done",13,10 | ||
|
||
;============================================================ | ||
section ".data" data readable writeable import | ||
;============================================================ | ||
library kernel32,"kernel32.dll",user32,"user32.dll" | ||
include "%include%/api/kernel32.inc" | ||
include "%include%/api/user32.inc" | ||
|
||
title db "SWaNk 2019",0 | ||
msg db "compile 2 times and compare the hashes and decryption instruction bitches!",0 |