; .__
; _____ ____ ____ ____ | |__
; / \ / _ \_/ ___\/ _ \| | \ Poly Engine
;| Y Y ( <_> ) \__( <_> ) Y \
;|__|_| /\____/ \___ >____/|___| /
; \/ \/ \/
;
; [+] Simple Polymorphic PoC (code and decrypt routine)
; [+] 1byte XOR random key
; [+] The engine can change the key, and some instructions (code and order)
; [+] This is not new, not advanced... Just for education purposes
;
; By: SWaNk 2019 - Back in business, VX forever!
;
;https://pt.wikipedia.org/wiki/Mocó (Kerodon rupestris)
; Output: 32-bit Windows PE, GUI subsystem (FASM syntax); execution begins at `start`.
format PE GUI 4.0
entry start
; FASM's Win32 ASCII helper macros (stdcall, import/library directives used below).
include "%include%/win32a.inc"
; This is the poly encryption macro (1 byte xor).
; It is a simple XOR random 0x00 to 0xFF at compilation time.
;This is just an example of how this can be done... Use your imagination to improve
; encrypt dstart,dsize -- assembly-time transform (runs in the assembler, not at runtime):
;   XORs every byte in [dstart, dstart+dsize) with a 1-byte key taken from the
;   assembler timestamp (%t), so each build emits a different byte pattern.
; Arguments: dstart = first address to rewrite, dsize = number of bytes.
; Side effect: defines the assembly-time constant `key`, which simplePoly reads
;   to pick the runtime decryptor's variant and XOR immediate.
; Caveat: if (%t and 0xff) happens to be 0 the XOR is the identity and the range
;   is emitted unchanged; nothing here checks for that.
macro encrypt dstart,dsize {
local ..char
key = %t and 0xff                  ; key = low byte of the build timestamp
repeat dsize
load ..char from dstart+%-1        ; % counts from 1 inside repeat, hence the -1
..char = ..char xor key
store ..char at dstart+%-1         ; write the transformed byte back in place
end repeat
}
;The idea was to create a didactic macro. It splits the 1-byte key range into two halves (0xff / 2 = 0x7f)
;
;If the pseudo random key is bigger than 0x7f, edx will receive real_start and then ecx will receive
;code_size. If the key is 0x7f or smaller, the order is swapped
;
;If the pseudo random key is bigger than 0x7f, the increase of edx will be made with "inc edx" otherwise
;with "add edx, 1"
; simplePoly -- emits the runtime decryptor at the point where the macro is used.
; The variant is chosen at assembly time from `key` (set by the encrypt macro):
;   key > 0x7f  : load edx then ecx; advance the pointer with `inc edx`
;   key <= 0x7f : load ecx then edx; advance the pointer with `add edx,1`
; Runtime behaviour: walks code_size bytes starting at real_start and XORs each
; byte with key, undoing what encrypt did at build time.
; Registers: edx = current byte pointer, ecx = bytes remaining (`loop` decrements
; ecx and branches while it is nonzero). Clobbers edx, ecx, flags.
; Precondition: the bytes being rewritten live in the section this code runs from,
; so that section must be writeable as well as executable.
macro simplePoly {
if key > 0x7f
mov edx,real_start
mov ecx,code_size
else
mov ecx,code_size
mov edx,real_start
end if
@@: xor byte [edx],key               ; decrypt one byte in place
if key > 0x7f
inc edx
else
add edx,1                          ; same effect as inc edx (apart from CF)
end if
loop @B                            ; ecx--, jump to the @@ above while ecx != 0
}
;this macro will generate these instructions starting at the entry point
; mov edx,mocoh.401010 | The order of this instructions
; mov ecx,1C | can change
; xor byte ptr ds:[edx],F4 | The key will change (this case is F4)
; inc edx | This can change to "add edx, 1"
; loop mocoh.40100A
;============================================================
; Single code section flagged code (executable) AND writeable, because the
; decryptor patches this same section in place at runtime. Note for defenders:
; an executable+writeable section whose entry point is a short XOR loop over
; the section's own bytes is a well-known static/behavioural heuristic.
section ".code" code readable writeable
start:
simplePoly                         ; decryptor emitted here, in the clear
real_start:
; Add your code here, start of encrypted code
stdcall [MessageBox],0,msg,title,MB_ICONASTERISK
stdcall [ExitProcess],0
; end of encrypted code
display "Encrypting this shit... "
code_size = $ - real_start         ; byte length of [real_start, $)
encrypt real_start,code_size       ; assembly-time XOR of that range (defines key)
display "done",13,10
;============================================================
; Data section; also hosts the import directory (import flag) and the string
; constants passed to MessageBox. Not covered by the encrypt range above.
section ".data" data readable writeable import
library kernel32,"kernel32.dll",user32,"user32.dll"
include "%include%/api/kernel32.inc"
include "%include%/api/user32.inc"
title db "SWaNk 2019",0            ; MessageBox caption (NUL-terminated)
msg db "compile 2 times and compare the hashes and decryption instruction bitches!",0 ; MessageBox text