Early viruses had no protection against AV scanners. Once an AV company captured a virus, it added that virus's signature to its database, and from then on the scanner recognised the program as that virus simply by computing a hash of it.
So the Virus Exchange (VX) scene disguises code to prevent this. The idea is to encrypt the virus: only the decryptor remains in the clear, so only the decryptor needs to be polymorphic.
This project makes the header file (the decryptor) polymorphic and encrypts the body code with a simple XOR cipher; a Python script performs the encryption and the polymorphic rewriting and then merges the two files.
The polymorphic transformations applied to the decryptor are:
- Inserting a nop.
- Inserting a push of a register followed by a pop of it.
- Inserting a push and pop of a register with a nop between them.
- Wrapping an instruction in an addition and subtraction of the same random number on some register.
- Splitting an addition or subtraction into an addition or subtraction of two other numbers that sum to the original operand.
- Splitting an addition or subtraction into additions or subtractions of three other numbers.
- Splitting an addition or subtraction into a sequence of successive additions and subtractions of other numbers.
- Splitting a multiplication of two numbers by replacing one factor with two other factors whose product equals it.
- Replacing registers in cmp instructions.
- Rewriting mul as an equivalent instruction pattern.
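The arithmetic, nop and push/pop transformations from the list above, as an added example that is not the project's own engine: a small rewriter for a subset of x86-64 NASM syntax (nop, push, pop, mov, and add/sub with immediate operands) plus a tiny interpreter that checks each mutation preserves the register state. The register set, the instruction subset, `SAMPLE_PROGRAM` and all helper names are assumptions; the cmp register replacement and the mul pattern are not shown.

```python
import random
import re

# Added example (not the project's code): a minimal polymorphic rewriter for a
# subset of x86-64 NASM syntax. REGS, the instruction subset, the interpreter
# and SAMPLE_PROGRAM are assumptions made for this illustration.

REGS = ["rax", "rbx", "rcx", "rdx", "rsi", "rdi"]
MASK = (1 << 64) - 1
ARITH = re.compile(r"^\s*(add|sub)\s+(\w+)\s*,\s*(-?\d+)\s*$")

# Constructed sample input in NASM syntax.
SAMPLE_PROGRAM = ["mov rax, 5", "add rax, 10", "sub rbx, 3", "add rcx, 100"]


def split_imm(rng, imm, parts):
    """Return `parts` integers whose sum is exactly `imm`."""
    cuts = [rng.randint(-1000, 1000) for _ in range(parts - 1)]
    return cuts + [imm - sum(cuts)]


def emit_arith(reg, value):
    """Emit add/sub with a non-negative immediate for a signed delta."""
    return f"add {reg}, {value}" if value >= 0 else f"sub {reg}, {-value}"


def mutate_line(line, rng):
    """Rewrite one add/sub instruction into an equivalent random sequence."""
    m = ARITH.match(line)
    if not m:
        return [line]                       # only add/sub imm is rewritten here
    op, reg, imm = m.group(1), m.group(2), int(m.group(3))
    delta = imm if op == "add" else -imm    # net change applied to reg
    choice = rng.randrange(5)
    if choice == 0:                         # insert a nop
        return ["nop", line]
    if choice == 1:                         # push/pop with a nop between them
        tmp = rng.choice(REGS)
        return [f"push {tmp}", "nop", f"pop {tmp}", line]
    if choice == 2:                         # add and subtract the same random number
        tmp, k = rng.choice(REGS), rng.randint(1, 255)
        return [f"add {tmp}, {k}", line, f"sub {tmp}, {k}"]
    if choice == 3:                         # split into 2 or 3 other numbers
        return [emit_arith(reg, p) for p in split_imm(rng, delta, rng.choice([2, 3]))]
    k = rng.randint(1, 1000)                # successive add/sub of another number
    return [f"add {reg}, {k}", line, f"sub {reg}, {k}"]


def mutate_program(program, seed):
    """Apply mutate_line to every line; the seed makes the output reproducible."""
    rng = random.Random(seed)
    out = []
    for line in program:
        out.extend(mutate_line(line, rng))
    return out


def run(program):
    """Tiny interpreter used to check that a mutation preserved semantics."""
    regs = dict.fromkeys(REGS, 0)
    stack = []
    for line in program:
        parts = line.replace(",", " ").split()
        op = parts[0]
        if op == "nop":
            continue
        if op == "push":
            stack.append(regs[parts[1]])
        elif op == "pop":
            regs[parts[1]] = stack.pop()
        else:                               # mov / add / sub  dst, src
            dst, src = parts[1], parts[2]
            val = regs[src] if src in regs else int(src)
            if op == "mov":
                regs[dst] = val & MASK
            elif op == "add":
                regs[dst] = (regs[dst] + val) & MASK
            elif op == "sub":
                regs[dst] = (regs[dst] - val) & MASK
            else:
                raise ValueError(f"unsupported instruction: {line}")
    if stack:
        raise ValueError("unbalanced push/pop in mutated code")
    return regs


if __name__ == "__main__":
    mutated = mutate_program(SAMPLE_PROGRAM, seed=1)
    print("\n".join(mutated))
    assert run(mutated) == run(SAMPLE_PROGRAM)
```

Every transformation leaves the final register state unchanged, which is what makes the output a valid decryptor variant; only the byte pattern differs between seeds, so a hash or simple byte signature of one variant does not match another.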
The body is encrypted with an XOR cipher using the 8-byte key 0x8E4E54DE6596DAEC.
The body code in this project is 52 nop instructions (the opcode of nop is 0x90).
When the program starts, it first decrypts the body code and then runs the decrypted code.
Requirements:
- nasm packages
- python3
Usage:
- Clone the repository:
$ git clone https://github.com/lurak/Polymorphic_engine
- Replace src/bubble_sort.asm with your own script.
- Run main.py.
The decryption routine assumes that the size of your program is a multiple of 8 (the key length), so if the size of your code is not a multiple of 8, pad it with nop instructions.
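The XOR encryption with the key above and the pad-to-a-multiple-of-8 rule, as an added example that is not the project's main.py: the script pads the 52-nop body to 56 bytes with nops, XORs it block by block with the key, and emits a NASM decryptor stub that decrypts in place and falls through into the body. The little-endian key byte order (so that a `xor qword [mem], rax` matches), the stub's register usage and the requirement of a writable, executable section are assumptions.

```python
# Added example (not the project's main.py): pad the body to a multiple of the
# key length, XOR it with the key quoted in the README, and emit a NASM
# decryptor stub. The key byte order and the stub layout are assumptions.

KEY = 0x8E4E54DE6596DAEC   # 8-byte key from the README
KEY_LEN = 8
NOP = 0x90                 # opcode of nop


def pad_to_key_length(body: bytes) -> bytes:
    """Append nops until the length is a multiple of the key length."""
    rem = len(body) % KEY_LEN
    return body if rem == 0 else body + bytes([NOP]) * (KEY_LEN - rem)


def xor_cipher(data: bytes, key: int = KEY) -> bytes:
    """XOR each 8-byte block with the key; the same call decrypts."""
    if len(data) % KEY_LEN:
        raise ValueError("length must be a multiple of 8; pad with nop first")
    # Little-endian, so the bytes match what `xor qword [rsi], rax` applies.
    key_bytes = key.to_bytes(KEY_LEN, "little")
    return bytes(b ^ key_bytes[i % KEY_LEN] for i, b in enumerate(data))


def encrypt_body(body: bytes) -> bytes:
    return xor_cipher(pad_to_key_length(body))


def decryptor_stub(encrypted: bytes, key: int = KEY) -> str:
    """NASM source that decrypts the body in place, then falls through into it.

    Assumes the code lives in a section that is both writable and executable
    (for example `section .text exec write`), which is an assumption here.
    """
    n_blocks = len(encrypted) // KEY_LEN
    db_lines = []
    for i in range(0, len(encrypted), KEY_LEN):
        chunk = encrypted[i:i + KEY_LEN]
        db_lines.append("    db " + ", ".join(f"0x{b:02x}" for b in chunk))
    return "\n".join([
        "    lea rsi, [rel body]",
        f"    mov rcx, {n_blocks}",
        f"    mov rax, 0x{key:016X}",
        "decrypt_loop:",
        "    xor qword [rsi], rax",
        "    add rsi, 8",
        "    dec rcx",
        "    jnz decrypt_loop",
        "body:",
        *db_lines,
    ])


if __name__ == "__main__":
    body = bytes([NOP]) * 52            # the 52-nop body described above
    enc = encrypt_body(body)            # 52 bytes padded to 56, then XORed
    print(decryptor_stub(enc))
```

Because the cipher is a repeating 8-byte XOR, a body of identical bytes (such as the all-nop body here) encrypts to the key XORed with that byte repeated every block, so the ciphertext itself leaks the key; the decryptor's polymorphism, not the cipher, is what carries the disguise.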
Authors:
- Ihor Titov (polymorphism)
- Danylo Sluzhynskyi (encryption)