[转载]一个xxx变形引擎
<P><FONT color=#666686>文章作者: 老丫</FONT></P><P><FONT face=宋体>可以用于病毒,也可以用于壳<BR><BR>;.386<BR>;.modelflat,stdcall;32bitmemorymodel<BR>;optioncasemap:none;casesensitive<BR><BR>.code<BR>lbl_PolyStart:<BR><BR><BR>;异常指令表<BR>SEHOpCode:<BR>SEHInt1db0CDh,01h;int1<BR>SEHDiv0db33h,0C9h,0F7h,0F1h;xorecx,ecxdivecx<BR><BR>;单字节指令可变动表(2)<BR><BR>OneByteOpCodedb40h,48h;incregxx,decregxx<BR><BR>;单字节指令固定表(4)<BR><BR>OneBytedb0F8h,0FCh,0F5h,0F9h;clc,cld,cmc,stc<BR><BR>;双字节指令可变动表(9)<BR><BR>TwoByteOpCodedw08BC0h;movregxx,regxx<BR>dw033C0h;xorregxx,regxx<BR>dw003C0h;addregxx,regxx<BR>dw02BC0h;subregxx,regxx<BR>dw021C0h;andregxx,regxx<BR>dw085C0h;testregxx,regxx<BR>dw03BC0h;cmpregxx,regxx<BR>dw009C0h;orregxx,regxx<BR>dw011C0h;adcregxx<BR><BR><BR><BR>;双字节固定表(2)<BR><BR>TwoBytedw0D40Ah,0D50Ah;aam,aad<BR><BR><BR>;六字节指令变动表(8)<BR><BR>SixByteOpCodedw0C7C0h,081F0h,081E0h,081C8h;movregxx,xxxxorregxx,xxxandregxx,xxxorregxx,xxx<BR>dw0F7C0h,081F8h,081C0h,081E8h;testregxx,xxxcmpregxx,xxxaddregxx,xxxsubregxx,xxx<BR><BR><BR>;花指令表(9)<BR><BR>RandOpCodedb70h,7Ah,72h,76h,7Eh,78h,7Ch,0EBh,0E8h<BR>;jo,jnojp,jnpjb,jnbja,jnajng,jgjs,jnsjl,jnl,jmp,call<BR><BR>;随机表(5)<BR>RandomTableddoffsetOneByteOpCode,offsetOneByte<BR>ddoffsetTwoByteOpCode,offsetTwoByte<BR>ddoffsetSixByteOpCode<BR><BR>Reg_StartAddressdd0<BR>Reg_Lengthdd0<BR><BR>OP_MOVequ0B8h<BR>OP_XORequ313400h<BR>Randxdd0<BR><BR><BR><BR><BR>pushallmacro<BR>pusheax<BR>pushecx<BR>pushedx<BR>pushebx<BR>pushesi<BR><BR>endm<BR><BR>popallmacro<BR>popesi<BR>popebx<BR>popedx<BR>popecx<BR>popeax<BR>endm<BR><BR><BR><BR><BR>;计算CRC32,Esi为首地址,Edi为长度<BR>;Eax返回CRC32值<BR>CRC32procusesesiediBuf:dword,nLength:dword<BR><BR>pushecx;procedureforcalculatingCRC32s<BR>pushedx;atrun-time<BR>pushebx<BR>movesi,Buf<BR>movedi,nLength<BR>xorecx,ecx<BR>dececx<BR>movedx,ecx<BR>NextByteCRC:<BR>xoreax,eax<BR>xorebx,ebx<BR>lodsb<BR>xoral,cl<BR>movcl,ch<BR>movch,dl<BR>movdl,dh<BR>movdh,8<BR>NextBitCRC:<BR>shrbx,1<BR>rcrax,1<BR>jncNoCRC<BR>xorax,08320h<BR>xorbx,0EDB8h<BR>NoCRC:decdh<BR>jnzNextBitCRC<BR>xorecx,eax<BR>xoredx,ebx<BR>decedi<BR>jneNextByteCRC<BR>notedx<BR>notecx<BR>popebx<BR>moveax,edx<BR>roleax,16<BR>movax,cx<BR>popedx<BR>popecx<BR><BR>ret<BR><BR>CRC32endp<BR><BR>;Eax返回0---dwNumber-1之间的随机数<BR><BR>RandSeeddd0<BR>Randomizeproc<BR>pushad<BR>callPolyStart<BR>PolyStart:<BR>popesi<BR>subesi,offsetPolyStart;重定位<BR>db0fh,31h<BR>addeax,edx<BR>movdwordptrRandSeed[esi],eax<BR>popad<BR>ret<BR><BR>Randomizeendp<BR>RandomprocusesedxecxdwNumber:dword<BR>callPolyStart<BR>PolyStart:<BR>popesi<BR>subesi,offsetPolyStart;重定位<BR>moveax,RandSeed[esi]<BR><BR>movecx,41C64E6Dh<BR>mulecx<BR>addeax,3039h<BR>movRandSeed[esi],eax<BR>xoredx,edx<BR>divdwNumber<BR>xchgeax,edx<BR>ret<BR><BR>Randomendp<BR><BR>RandomRegprocdwNumber:dword<BR>callPolyStart<BR>PolyStart:<BR>popesi<BR>subesi,offsetPolyStart;重定位<BR>Rep8:<BR><BR>pushdwNumber<BR>callRandom<BR>cmpeax,4;保护Esp寄存器<BR>jzRep8<BR>cmpeax,5;保护ebp寄存器(ebp在程序为存取变量)<BR>jzRep8<BR>cmpeax,Reg_StartAddress[esi]<BR>jzRep8<BR>cmpeax,Reg_Length[esi]<BR>jzRep8<BR><BR>ret<BR><BR>RandomRegendp<BR><BR><BR>;1字节可变垃圾指令处理<BR>;Ecx为要产生的垃圾指令的条数<BR><BR>Sub_OneByteOpCodeproc<BR><BR>pushall<BR>push2<BR>callRandom;随机选取指令inc,dec...<BR>leaebx,OneByteOpCode[esi+eax];取得1字节可变垃圾指令的相应地址<BR>movzxedx,byteptr[ebx];取得1字节可变垃圾指令<BR>pushedx<BR>Rep9:<BR>push8<BR>callRandomReg;随机选取寄存器eax,ecx,edx...<BR>cmpeax,Reg_Length[esi]<BR>jzRep9<BR>cmpeax,Reg_StartAddress[esi]<BR>jzRep9<BR>popedx;保护代码起始地址和代码长度已经选取的寄存器<BR>adddl,al<BR>movbyteptr[edi],dl<BR>incedi<BR>popall<BR>ret<BR><BR>Sub_OneByteOpCodeendp<BR><BR>;1字节固定垃圾指令处理<BR><BR>Sub_OneByteproc<BR>pushall<BR>push4<BR>callRandom;随机选取指令aaa,aas,clc...<BR>leaebx,OneByte[esi+eax];取得1字节固定垃圾指令的相应地址<BR>movzxedx,byteptr[ebx];取得1字节固定垃圾指令<BR>movbyteptr[edi],dl<BR>incedi<BR>popall<BR>ret<BR><BR>Sub_OneByteendp<BR><BR><BR>;2字节可变垃圾指令处理<BR><BR>Sub_TwoByteOpCodeproc<BR>pushall<BR>push9<BR>callRandom<BR>leaebx,TwoByteOpCode[esi+eax*2]<BR>movzxedx,wordptr[ebx]<BR>pushedx;usespush<BR>Rep10:<BR>push8<BR>callRandomReg<BR>cmpeax,Reg_Length[esi]<BR>jzRep10<BR>cmpeax,Reg_StartAddress[esi]<BR>jzRep10;保护代码起始地址和代码长度已经选取的寄存器<BR><BR>movebx,eax<BR><BR>Rep11:<BR>push8<BR>callRandomReg<BR>cmpeax,Reg_Length[esi]<BR>jzRep11<BR>cmpeax,Reg_StartAddress[esi]<BR>jzRep11;保护代码起始地址和代码长度已经选取的寄存器<BR>movcl,8;usesecx<BR>mulcl<BR>popedx<BR>adddl,al<BR>adddl,bl<BR>movbyteptr[edi],dh<BR>incedi<BR>movbyteptr[edi],dl<BR>incedi<BR>popall<BR>ret<BR><BR>Sub_TwoByteOpCodeendp<BR><BR>;2字节固定垃圾指令处理<BR><BR>Sub_TwoByteproc<BR>pushall<BR>push2<BR>callRandom<BR>leaebx,TwoByte[esi+eax*2]<BR>movdx,wordptr[ebx]<BR>movbyteptr[edi],dh<BR>incedi<BR>movbyteptr[edi],dl<BR>incedi<BR>popall<BR>ret<BR><BR>Sub_TwoByteendp<BR><BR>;6字节垃圾指令处理<BR><BR>Sub_SixByteOpCodeproc<BR>pushall<BR>push8<BR>callRandom<BR>leaebx,SixByteOpCode[esi+eax*2]<BR>movdx,wordptr[ebx]<BR>pushedx<BR><BR>Rep12:<BR>push8<BR>callRandomReg<BR>cmpeax,Reg_Length[esi]<BR>jzRep12<BR>cmpeax,Reg_StartAddress[esi]<BR>jzRep12;保护代码起始地址和代码长度已经选取的寄存器<BR><BR>popedx<BR>adddl,al<BR>movbyteptr[edi],dh<BR><BR>incedi<BR>movbyteptr[edi],dl<BR>incedi<BR>push600000h<BR>callRandom<BR>movdwordptr[edi],eax<BR>addedi,4<BR>popall<BR><BR>ret<BR><BR>Sub_SixByteOpCodeendp<BR><BR><BR><BR><BR>;产生异常块<BR>GenSEHBlockproc<BR><BR><BR><BR><BR>ret<BR><BR>GenSEHBlockendp<BR><BR><BR>;产生随机的垃圾指令<BR><BR>GenerateRandOpCodeproc<BR>pushall<BR>push10<BR>callRandom;在每条有效指令之间随机的产生0-9条垃圾指令<BR>inceax<BR>movecx,eax;usesecx<BR><BR>Rep13:<BR>pushecx<BR>push5<BR>callRandom;总共有5种类型的垃圾指令,随机取一种<BR>movebx,eax<BR><BR>movedx,RandomTable[esi+ebx*4]<BR>leaedx,[edx+esi];得到垃圾指令表的地址<BR><BR>cmpebx,0<BR>jzlbl_OneByteOpCode;转1字节可变垃圾指令处理<BR><BR>cmpebx,1<BR>jzlbl_OneByte;转1字节固定垃圾指令处理<BR><BR>cmpebx,2<BR>jzlbl_TwoByteOpCode;转2字节可变垃圾指令处理<BR><BR>cmpebx,3<BR>jzlbl_TwoByte;转2字节固定垃圾指令处理<BR><BR>jmplbl_SixByteOpCode;转6字节垃圾指令处理<BR><BR><BR>lbl_OneByteOpCode:<BR>callSub_OneByteOpCode<BR>jmplbl_Next1<BR><BR>lbl_OneByte:<BR>callSub_OneByte<BR>jmplbl_Next1<BR><BR>lbl_TwoByteOpCode:<BR>callSub_TwoByteOpCode<BR>jmplbl_Next1<BR><BR>lbl_TwoByte:<BR>callSub_TwoByte<BR>jmplbl_Next1<BR><BR>lbl_SixByteOpCode:<BR><BR>callSub_SixByteOpCode<BR><BR>lbl_Next1:<BR>popecx<BR>dececx<BR>jnzRep13;继续产生垃圾指令<BR>popall<BR>ret<BR><BR>GenerateRandOpCodeendp<BR><BR><BR>;填充dwLength2长的随机数据到edi->的缓冲区<BR>FillRandomCodeprocdwLength2:dword<BR>pushall<BR>movecx,dwLength2;usesecx<BR><BR>Rep14:<BR>push0FFh<BR>callRandom<BR>movbyteptr[edi],al<BR>incedi<BR>loopRep14<BR>popall<BR>ret<BR><BR>FillRandomCodeendp<BR><BR><BR>;产生随机的花指令<BR><BR>GFIproc<BR>pushall<BR><BR>push9<BR>callRandom<BR>cmpeax,7<BR>jzlbl_Jmp<BR>cmpeax,8<BR>jzlbl_Call<BR>leaebx,RandOpCode[esi+eax]<BR>movzxedx,byteptr[ebx]<BR>movbyteptr[edi],dl<BR>incedi<BR>push5<BR>callRandom<BR>addeax,3;3-7之间<BR>movbyteptr[edi],al<BR>incedi<BR>incdl<BR>movbyteptr[edi],dl<BR>incedi<BR>deceax<BR>deceax<BR>movbyteptr[edi],al<BR>incedi<BR>pusheax<BR>callFillRandomCode<BR>jmplbl_Exit1<BR><BR><BR>lbl_Jmp:<BR>leaebx,RandOpCode[esi+eax]<BR>movzxedx,byteptr[ebx]<BR>movbyteptr[edi],dl;E9h->[edi]<BR>incedi<BR>push4<BR>callRandom<BR>inceax<BR>inceax<BR>movbyteptr[edi],al<BR>incedi<BR>movbyteptr[edi],0E8h<BR>incedi<BR>deceax<BR>pusheax<BR>callFillRandomCode<BR>jmplbl_Exit1<BR><BR>lbl_Call:<BR>leaebx,RandOpCode[esi+eax]<BR>movzxedx,byteptr[ebx]<BR>movbyteptr[edi],dl;E8h->[edi]<BR>incedi<BR>push4<BR>callRandom<BR>inceax<BR>inceax<BR>movdwordptr[edi],eax<BR>addedi,4<BR>movbyteptr[edi],0E9h<BR>deceax<BR>pusheax<BR>callFillRandomCode<BR>incedi<BR>push8<BR>callRandomReg<BR>movedx,58h;popregxx<BR>addedx,eax<BR>movbyteptr[edi],dl<BR>incedi<BR><BR>lbl_Exit1:<BR>popall<BR>ret<BR><BR>GFIendp<BR><BR><BR><BR>;随机产生第1部分代码<BR>G1CodeprocdwLength1:dword,reg:dword<BR>pushall<BR>movebx,dwLength1<BR>push5<BR>callRandom<BR>cmpeax,1<BR>jzlbl_PushPopG1<BR>cmpeax,2<BR>jzlbl_MovXorG1<BR>cmpeax,3<BR>jzlbl_MovNotG1<BR>cmpeax,4<BR>jzlbl_MovRolG1<BR><BR>lbl_MovAddG1:<BR>push0FFFFFFFFh<BR>callRandom<BR>subebx,eax<BR><BR>movedx,0C0C7h;movregxx,xxx<BR>movecx,reg<BR>adddh,cl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movdwordptr[edi],ebx;ebx为movregxx,xxx里的xxx<BR>addedi,4<BR>callGenerateRandOpCode;产生垃圾指令<BR>callGFI;产生花指令<BR>movedx,0C081h;addregxx,xxx<BR>movecx,reg<BR>adddh,cl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movdwordptr[edi],eax;eax为addregxx,xxx里的xxx<BR>addedi,4<BR><BR>jmplbl_Exit2<BR><BR>lbl_PushPopG1:<BR><BR>movbyteptr[edi],68h;pushxxx<BR>incedi<BR>movdwordptr[edi],ebx;ebx为pushxxx里的xxx<BR>addedi,4<BR>callGenerateRandOpCode;产生垃圾指令<BR>callGFI;产生花指令<BR>movedx,58h;popregxx<BR>addedx,reg<BR>movbyteptr[edi],dl<BR>incedi<BR><BR><BR>jmplbl_Exit2<BR><BR>lbl_MovXorG1:<BR><BR>push0FFFFFFFFh<BR>callRandom<BR>xorebx,eax<BR><BR>movedx,0C0C7h;movregxx,xxx<BR>movecx,reg<BR>adddh,cl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movdwordptr[edi],ebx;ebx为movregxx,xxx里的xxx<BR>addedi,4<BR>callGenerateRandOpCode;产生垃圾指令<BR>callGFI;产生花指令<BR>movedx,0F081h;xorregxx,xxx<BR>movecx,reg<BR>adddh,cl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movdwordptr[edi],eax;eax为addregxx,xxx里的xxx<BR>addedi,4<BR><BR><BR>jmplbl_Exit2<BR><BR>lbl_MovNotG1:<BR><BR>notebx<BR>movedx,0C0C7h;movregxx,xxx<BR>movecx,reg<BR>adddh,cl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movdwordptr[edi],ebx;ebx为movregxx,xxx里的xxx<BR>addedi,4<BR>callGenerateRandOpCode;产生垃圾指令<BR>callGFI;产生花指令<BR>movedx,0D0F7h;notregxx<BR>movecx,reg<BR>adddh,cl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR><BR>jmplbl_Exit2<BR><BR>lbl_MovRolG1:<BR><BR>push020h<BR>callRandom<BR>movcl,al<BR>pusheax<BR>rorebx,cl<BR><BR>movedx,0C0C7h;movregxx,xxx<BR>moveax,reg<BR>adddh,al<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movdwordptr[edi],ebx;ebx为movregxx,xxx里的xxx<BR>addedi,4<BR>callGenerateRandOpCode;产生垃圾指令<BR>callGFI;产生花指令<BR>movedx,0C0C1h;rolregxx,xxx<BR>moveax,reg<BR>adddh,al<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>popeax<BR>movbyteptr[edi],al;eax为addregxx,xxx里的xxx<BR>incedi<BR><BR><BR>lbl_Exit2:<BR>popall<BR>ret<BR><BR>G1Codeendp<BR><BR><BR>;随机产生第2部分代码<BR>G2Codeprocreg:dword<BR>pushall<BR>push5<BR>callRandom<BR>cmpeax,1<BR>jzlbl_PushPopG2<BR>cmpeax,2<BR>jzlbl_MovXorG2<BR>cmpeax,3<BR>jzlbl_MovNotG2<BR>cmpeax,4<BR>jzlbl_MovRolG2<BR><BR>lbl_MovAddG2:<BR>movG2Selected[esi],0;保存第2部分的产生方式<BR>movedx,0C0C7h;movregxx,xxx<BR>movebx,reg<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movAddressOfCode1[esi],edi;保存Movregxx,xxx指令的地址<BR>movdwordptr[edi],0;0为movregxx,xxx里的xxx<BR>addedi,4<BR>callGenerateRandOpCode;产生垃圾指令<BR>callGFI;产生花指令<BR>movedx,0C081h;addregxx,xxx<BR>movebx,reg<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movAddressOfCode2[esi],edi;保存addregxx,xxx指令的地址<BR><BR>movdwordptr[edi],0;eax为addregxx,xxx里的xxx<BR>addedi,4<BR><BR>jmplbl_Exit3<BR><BR>lbl_PushPopG2:<BR>movG2Selected[esi],1;保存第2部分的产生方式<BR><BR><BR>movbyteptr[edi],68h;pushxxx<BR>incedi<BR>movAddressOfCode1[esi],edi;保存Pushxxx指令的地址<BR><BR><BR>movdwordptr[edi],0;为pushxxx里的xxx<BR>addedi,4<BR>callGenerateRandOpCode;产生垃圾指令<BR>callGFI;产生花指令<BR>movedx,58h;popregxx<BR>addedx,reg<BR>movbyteptr[edi],dl<BR>incedi<BR><BR><BR>jmplbl_Exit3<BR><BR>lbl_MovXorG2:<BR>movG2Selected[esi],2;保存第2部分的产生方式<BR><BR>movedx,0C0C7h;movregxx,xxx<BR>movebx,reg<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movAddressOfCode1[esi],edi;保存Movregxx,xxx指令的地址<BR><BR>movdwordptr[edi],0;0为movregxx,xxx里的xxx<BR>addedi,4<BR>callGenerateRandOpCode;产生垃圾指令<BR>callGFI;产生花指令<BR>movedx,0F081h;xorregxx,xxx<BR>movebx,reg<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movAddressOfCode2[esi],edi;保存xorregxx,xxx指令的地址<BR><BR>movdwordptr[edi],0;eax为xorregxx,xxx里的xxx<BR>addedi,4<BR><BR><BR>jmplbl_Exit3<BR><BR>lbl_MovNotG2:<BR>movG2Selected[esi],3;保存第2部分的产生方式<BR><BR>notebx<BR>movedx,0C0C7h;movregxx,xxx<BR>movebx,reg<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movAddressOfCode1[esi],edi<BR>movdwordptr[edi],0;0为movregxx,xxx里的xxx<BR>addedi,4<BR>callGenerateRandOpCode;产生垃圾指令<BR>callGFI;产生花指令<BR>movedx,0D0F7h;notregxx<BR>movebx,reg<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR><BR>jmplbl_Exit3<BR><BR>lbl_MovRolG2:<BR>movG2Selected[esi],4;保存第2部分的产生方式<BR><BR><BR>movedx,0C0C7h;movregxx,xxx<BR>movebx,reg<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movAddressOfCode1[esi],edi;保存Movregxx,xxx指令的地址<BR><BR>movdwordptr[edi],0;0为movregxx,xxx里的xxx<BR>addedi,4<BR>callGenerateRandOpCode;产生垃圾指令<BR>callGFI;产生花指令<BR>movedx,0C0C1h;rolregxx,xxx<BR>movebx,reg<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movAddressOfCode2[esi],edi;保存Rolregxx,xxx指令的地址<BR><BR>movbyteptr[edi],0;eax为Rolregxx,cl里的regxx<BR>incedi<BR><BR><BR>lbl_Exit3:<BR>popall<BR>ret<BR><BR>G2Codeendp<BR><BR><BR>;随机产生第3部分代码<BR>G3CodeprocregOfAddr:dword,key:dword<BR>pushall<BR>push8;1234567<BR>callRandom;决定采用的加密方式-->addsubincdecnotrolror...等等<BR>cmpeax,1<BR>jzlbl_AddG3<BR>cmpeax,2<BR>jzlbl_SubG3<BR>cmpeax,3<BR>jzlbl_IncG3<BR>cmpeax,4<BR>jzlbl_DecG3<BR>cmpeax,5<BR>jzlbl_NotG3<BR>;cmpeax,6<BR>;jzlbl_Rol<BR>;cmpeax,7<BR>;jzlbl_Ror<BR><BR>lbl_XorG3:<BR>movEncryptSelected[esi],0;保存加密方式<BR>movedx,3080h;Xorbyteptr[regxx],xxx<BR>movebx,regOfAddr<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movedx,key<BR>movbyteptr[edi],dl<BR>incedi<BR><BR>jmplbl_Exit4<BR><BR>lbl_AddG3:<BR><BR>movEncryptSelected[esi],1;保存加密方式<BR>movedx,2880h;Subbyteptr[regxx],xxx<BR>movebx,regOfAddr<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movedx,key<BR>movbyteptr[edi],dl<BR>incedi<BR><BR><BR>jmplbl_Exit4<BR><BR>lbl_SubG3:<BR>movEncryptSelected[esi],2;保存加密方式<BR><BR>movedx,0080h;Addbyteptr[regxx],xxx<BR>movebx,regOfAddr<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movedx,key<BR>movbyteptr[edi],dl<BR>incedi<BR><BR>jmplbl_Exit4<BR><BR>lbl_IncG3:<BR><BR>movEncryptSelected[esi],3;保存加密方式<BR>movedx,008FEh;Decbyteptr[regxx]<BR>movebx,regOfAddr<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR><BR><BR>jmplbl_Exit4<BR><BR>lbl_DecG3:<BR><BR>movEncryptSelected[esi],4;保存加密方式<BR>movedx,000FEh;Incbyteptr[regxx]<BR>movebx,regOfAddr<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR><BR>jmplbl_Exit4<BR><BR>lbl_NotG3:<BR><BR>movEncryptSelected[esi],5;保存加密方式<BR>movedx,010F6h;Notbyteptr[regxx]<BR>movebx,regOfAddr<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR><BR>jmplbl_Exit4<BR><BR>lbl_RolG3:<BR><BR>movEncryptSelected[esi],6;保存加密方式<BR>moveax,key<BR>xoredx,edx<BR>movecx,20h<BR>divecx<BR>movcl,dl<BR>movedx,51h;pushecx<BR>movbyteptr[edi],dl<BR>incedi<BR>pushecx<BR>callGFI<BR>popecx<BR>movedx,0C1C6h;movcl,xxx<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movbyteptr[edi],cl<BR>incedi<BR>callGFI<BR>movedx,008D3h;rordwordptr[edi],cl<BR>movebx,regOfAddr<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR><BR>jmplbl_Exit4<BR><BR>lbl_RorG3:<BR><BR>movEncryptSelected[esi],7;保存加密方式<BR><BR>moveax,key<BR>xoredx,edx<BR>movecx,20h<BR>divecx<BR>movcl,dl<BR>movedx,51h;pushecx<BR>movbyteptr[edi],dl<BR>incedi<BR>pushecx<BR>callGFI<BR>popecx<BR>movedx,0C1C6h;movcl,xxx<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>movbyteptr[edi],cl<BR>incedi<BR>callGFI<BR>movedx,000D3h;roldwordptr[regxx],cl<BR>movebx,regOfAddr<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR><BR><BR><BR>lbl_Exit4:<BR><BR>popall<BR>ret<BR><BR>G3Codeendp<BR><BR>pGetModuleCodedd0<BR>;随机产生第4部分代码<BR>G4CodeprocregOfLen:dword,regOfAddr:dword,key:dword,EntryPoint:dword<BR>pushall<BR><BR>rep100:<BR>push2<BR>callRandom<BR>cmpeax,0<BR>jzlbl_DecJge<BR>cmpregOfAddr,1<BR>jzrep100<BR>;pushreg00保护首地址寄存器<BR>;movecx,reg11长度寄存器<BR><BR>;Rep:<BR>;Xordwordptr[reg00],key<BR>;increg00<BR>;LoopRep<BR>;popreg00<BR>lbl_Loop:<BR><BR>movedx,50h;pushregxx<BR>addedx,regOfAddr<BR>movbyteptr[edi],dl<BR>incedi<BR>callGenerateRandOpCode;产生垃圾指令<BR>callGFI;产生花指令<BR>movedx,0C88Bh;movecx,regxx<BR>movebx,regOfLen<BR>adddh,bl<BR>movwordptr[edi],dx<BR>incedi<BR>incedi<BR>callGFI<BR>pushedi<BR>popedx<BR>pushedx;保存Loopxxx的循环地址<BR>callGFI<BR>movbyteptr[edi],51h;pushecx<BR>incedi<BR>callGenerateRandOpCode;产生垃圾指令<BR><BR>callGFI;产生花指令<BR><BR>pushkey<BR>pushregOfAddr<BR>callG3Code<BR><BR>callGFI;产生花指令<BR>movedx,40h;incregxx<BR>addedx,regOfAddr<BR>movbyteptr[edi],dl<BR>incedi<BR><BR>callGenerateRandOpCode<BR>movbyteptr[edi],59h;popecx<BR>incedi<BR>callGFI;产生花指令<BR>movedx,0E2h;Loopxxx<BR>movbyteptr[edi],dl<BR>;incedi<BR>incedi<BR>movbyteptr[edi],0<BR>incedi<BR>popedx<BR>subedx,edi<BR>movbyteptr[edi-1],dl<BR>movedx,58h;popregxx<BR>addedx,regOfAddr<BR>movbyteptr[edi],dl<BR>incedi<BR>callGFI<BR>;invokeVirtualAlloc,NULL,1000h,MEM_COMMIT,PAGE_EXECUTE_READWRITE<BR>;oreax,eax<BR>;jzlbl_Exit5<BR>;movpGetModuleCode,eax<BR>callGenerateRandOpCode<BR>callGFI<BR><BR>;pushEn_ImageBase<BR>;pushNewRva<BR>;pushedi<BR>;callGenerateGetModule<BR><BR>;movbyteptr[edi],68h;PushEntryPoint<BR>;incedi<BR>;movedx,EntryPoint<BR>;movdwordptr[edi],edx<BR>;addedi,4<BR>;callGenerateRandOpCode<BR>;callGFI<BR>;movbyteptr[edi],0C3h;Ret<BR>;incedi<BR>jmplbl_Exit5<BR><BR><BR>lbl_DecJge:<BR><BR>movedx,50h;pushregxx<BR>addedx,regOfAddr<BR>movbyteptr[edi],dl<BR>incedi<BR>callGenerateRandOpCode;产生垃圾指令<BR>callGFI;产生花指令<BR><BR>callGFI;产生花指令<BR><BR>pushedi<BR>popedx<BR>pushedx;保存Jgexxx的循环地址<BR><BR>callGFI;产生花指令<BR><BR>pushkey<BR>pushregOfAddr<BR>callG3Code;产生解密代码,如Xor,sub,not...等等<BR><BR>callGFI;产生花指令<BR>movedx,40h;incregxx<BR>addedx,regOfAddr<BR>movbyteptr[edi],dl<BR>incedi<BR><BR>callGFI;产生花指令<BR><BR>movedx,48h;Decregxx<BR>addedx,regOfLen<BR>movbyteptr[edi],dl<BR>incedi<BR>callGFI<BR><BR>movedx,07fh;Jgexxx<BR>movbyteptr[edi],dl<BR>incedi<BR>movbyteptr[edi],0<BR>incedi<BR>popedx;恢复Jgexxx的xxx<BR>subedx,edi<BR>movbyteptr[edi-1],dl<BR>callGenerateRandOpCode<BR>callGFI<BR><BR>;pushEn_ImageBase<BR>;pushNewRva<BR>;pushedi<BR>;callGenerateGetModule<BR><BR><BR><BR>callGenerateRandOpCode<BR>callGFI<BR>movedx,58h;popregxx<BR>addedx,regOfAddr<BR>movbyteptr[edi],dl<BR>incedi<BR>callGenerateRandOpCode<BR>callGFI<BR>;movbyteptr[edi],0FFh<BR>;incedi<BR>;movedx,0E0h<BR>;addedx,regOfAddr<BR>;movbyteptr[edi],dl;Jmpregxx<BR>;incedi<BR>;callGenerateRandOpCode<BR>;callGFI<BR><BR>;movbyteptr[edi],68h;PushEntryPoint<BR>;incedi<BR>;movedx,EntryPoint<BR>;movdwordptr[edi],edx<BR>;addedi,4<BR>;callGenerateRandOpCode<BR>;callGFI<BR>;movbyteptr[edi],0C3h;Ret<BR>;incedi<BR><BR><BR><BR><BR>lbl_Exit5:<BR>popall<BR>ret<BR><BR>G4Codeendp<BR><BR><BR><BR>;整个程序的核心(变形引擎)<BR>;假设解密代码如下:(可分为4部分)<BR>;movreg00,SizeOfCode1<BR>;movreg11,EntryPointOfCode2<BR>;Rep:<BR>;xordowrdptr[reg00+reg11],key3<BR>;decreg004<BR>;jnzRep<BR>;为了增强变形引擎的强度可以把上面的代码分解(或叫变换)<BR>;如下:<BR>;第1部分代码可以有下面5种选择<BR>;movreg00,SizeOfCode--->movreg00,xxxaddreg00,xxx0(其中reg00为随机选取的寄存器)<BR>;pushxxxpopreg001<BR>;movreg00,xxxxorreg00,xxx2<BR>;movreg00,xxxnotreg003<BR>;movreg00,xxxrolreg00,xx4<BR>;<BR><BR>;第2部分同样有5种选择<BR>;movreg11,EntryPointOfCode也可作同样处理<BR><BR><BR>;第3部分有8种选择<BR>;0<BR>;同理xordwordptr[reg00+reg11],key也可变换如下:<BR><BR>;1234567<BR>;-->addsubincdecnotrolror...等等<BR>;<BR><BR>;第4部分有2种选择<BR>;01<BR>;decreg00--->Loopxxx<BR>;jnzxxx<BR><BR><BR><BR>;paramBuf存放变形以后代码的缓冲区<BR>;paramStartAddress欲加密代码的首地址<BR>;paramdwLength欲加密代码的长度<BR>;<BR><BR>EncryptSelecteddd0;保存被选择的加密方式<BR>G2Selecteddd0;保存第2部分产生的方式<BR>AddressOfCode1dd0;相应的地址<BR>AddressOfCode2dd0<BR>keydd0<BR><BR>PolyEngineprocBuf:dword,StartAddress:dword,dwLength:dword,VA:dword,EntryPoint:dword<BR>callPolyStart<BR>PolyStart:<BR>popesi<BR>subesi,offsetPolyStart;重定位<BR>callRandomize;初始化随机种子<BR>push8<BR>callRandomReg<BR>movdwordptrReg_Length[esi],eax;决定代码长度使用的寄存器<BR>Rep0:<BR>push8<BR>callRandomReg<BR>cmpeax,Reg_Length[esi]<BR>jzRep0<BR>movdwordptrReg_StartAddress[esi],eax;决定代码起始地址使用的寄存器<BR>movedi,Buf<BR>pushesi<BR>callGenerateRandOpCode;产生0-9条随机的垃圾指令<BR>popesi<BR>callGFI;产生花指令<BR>pushesi<BR>pushReg_Length[esi]<BR>pushdwLength<BR><BR>callG1Code<BR>popesi;产生第1部分代码<BR>callGenerateRandOpCode;产生0-9条随机的垃圾指令<BR>callGFI;产生花指令<BR>pushesi<BR>pushReg_StartAddress[esi]<BR>callG2Code<BR>popesi<BR>pushesi<BR>push0FFh<BR>callRandom;取得一个随机的Key<BR>popesi<BR>movkey[esi],eax<BR>pushesi<BR>pushEntryPoint;原程序入口点<BR>pushkey[esi]<BR>pushReg_StartAddress[esi]<BR>pushReg_Length[esi]<BR><BR>callG4Code<BR>popesi<BR>moveax,G2Selected[esi]<BR>pushedi;把Edi保护起来<BR>pushecx<BR>;movreg00,SizeOfCode--->movreg00,xxxaddreg00,xxx0(其中reg00为随机选取的寄存器)<BR>;pushxxxpopreg001<BR>;movreg00,xxxxorreg00,xxx2<BR>;movreg00,xxxnotreg003<BR>;movreg00,xxxrolreg00,xx4<BR>;<BR>.ifVA!=0<BR>movedi,VA<BR>.endif<BR><BR>.ifeax==0<BR>push0FFFFFFFFh<BR>callRandom<BR>subedi,eax<BR>movebx,AddressOfCode1[esi]<BR>mov[ebx],edi<BR>movebx,AddressOfCode2[esi]<BR>mov[ebx],eax<BR><BR>.elseifeax==1<BR>movebx,AddressOfCode1[esi]<BR>mov[ebx],edi<BR>.elseifeax==2<BR>push0FFFFFFFFh<BR>callRandom<BR>xoredi,eax<BR>movebx,AddressOfCode1[esi]<BR>mov[ebx],edi<BR>movebx,AddressOfCode2[esi]<BR>mov[ebx],eax<BR><BR><BR>.elseifeax==3<BR>notedi<BR>movebx,AddressOfCode1[esi]<BR>mov[ebx],edi<BR><BR>.else<BR>push020h<BR>callRandom<BR>movcl,al<BR>roredi,cl<BR>movebx,AddressOfCode1[esi]<BR>mov[ebx],edi<BR>movebx,AddressOfCode2[esi]<BR>movbyteptr[ebx],cl<BR>.endif<BR>popecx<BR>popedi<BR><BR><BR>;同理xordwordptr[reg00+reg11],key也可变换如下:<BR><BR>;1234567<BR>;-->addsubincdecnotrolror...等等<BR><BR>moveax,EncryptSelected[esi]<BR><BR>movecx,dwLength;需加密代码的长度<BR>.ifVA==0<BR>pushad<BR>movesi,StartAddress<BR>cld<BR>repmovsb<BR><BR>popad<BR>.else<BR>movedi,StartAddress;需加密代码的起始地址<BR><BR>.endif<BR>movedx,key[esi]<BR><BR>.ifeax==0;xor<BR>Rep1:<BR>xorbyteptr[edi],dl<BR>incedi<BR>loopRep1<BR>.elseifeax==1;add<BR>Rep2:<BR>addbyteptr[edi],dl<BR>incedi<BR>loopRep2<BR><BR>.elseifeax==2;sub<BR>Rep3:<BR>subbyteptr[edi],dl<BR>incedi<BR>loopRep3<BR><BR><BR>.elseifeax==3;inc<BR>Rep4:<BR>incbyteptr[edi]<BR>incedi<BR>loopRep4<BR><BR><BR>.elseifeax==4;dec<BR>Rep5:<BR>decbyteptr[edi]<BR>incedi<BR>loopRep5<BR><BR><BR>.elseifeax==5;not<BR>Rep6:<BR>movbl,byteptr[edi]<BR>notbl<BR>movbyteptr[edi],bl<BR>incedi<BR>loopRep6<BR><BR><BR>;.elseifeax==6;rol<BR>Rep7:<BR>;roldwordptr[edi],edx<BR>;incedi<BR>;loopRep7<BR><BR><BR>;.else;ror<BR><BR>Rep20:<BR>;rordwordptr[edi],edx<BR>;incedi<BR>;loopRep20<BR><BR>.endif<BR><BR>moveax,edi<BR>;popad<BR><BR>ret<BR><BR>PolyEngineendp<BR>RealSizeequ$-offsetlbl_PolyStart<BR><BR>SizeOfCodeequ((($-offsetlbl_PolyStart)*10)/1000h+1)*1000h<BR>;end</FONT><BR></P>
页:
[1]