TridenT Polymorphic Engine version 1.3 ============================================================ Written by Masud Khafir of the TridenT virus research group. What is it? ~~~~~~~~~~~ The TPE is a module that can be included in programs to make them able to produce polymorphic programs. The TPE comes as an OBJ file. If you want to include the TPE in your program you must link it to it. If you have never linked an object file to a program, DON'T start with the TPE. First do this, then return to the TPE. The TPE does two things. First, it will encrypt the original code. This is done in a different way each time the TPE is called. Second, it will generate a decryption routine for it. The encrypted code will be put right after the decryption routine. The size of the decryption routine will not be very big. At most a few hundred bytes. Of course, the decryptor will also be different each time the TPE is called. The TPE can produce plain decryptors or decryptors with some random non-functional instructions inserted. The size of the TPE is 1411 bytes; We believe this is not too big. What's new? ~~~~~~~~~~~ Read the file HISTORY.DOC for more information about this new version of TPE. How can I use it? ~~~~~~~~~~~~~~~~~ The TPE offers you 3 subroutines: 'rnd_init', 'rnd_get' and 'crypt'. It also can give you the addresses of the begin and end of TPE. If you write your program in assembler, you must include the following in your source code: .model tiny .code extrn rnd_init:near extrn rnd_get:near extrn crypt:near extrn tpe_bottom:near extrn tpe_top:near The first (rnd_init) is a subroutine to initialize the random number generator. You are advised to call this subroutine before the first time you call the encryption subroutine. If you don't, the random number generator may not function perfectly. All registers will be preserved. The second is a subroutine that returns a random number in AX. This subroutine is used by TPE, but you can use it also for other things in your program. Your imagination is the limit. All registers, except AX, are preserved. The third is the actual encryption subroutine. This one needs several input parameters. When it finishes, it will return some output parameters. All parameters are passed in registers (see below). The last two are the begin and end addresses of the TPE in your program. You may need these if your program is going to include the TPE in the generated program. You can leave out 'extrn' commands of things you don't use in your source code. Be sure that there is enough stack space for the TPE. (100 bytes appear to be enough). If you use the TPE in a resident program, it is recomended to maintain your own stack. Otherwise the chance is that you will blow the DOS stack. Of course, you must link TPE.OBJ to you program! If you are using more than one segment in your program, the complete TPE will be put in the CODE segment (called _TEXT). Input parameters of the crypt routine: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ES = Work segment This is the place where the decryptor and the encrypted code will be generated. Be sure that it is large enough. It must at least be as large as the size of the code to encrypt plus the size of the decryptor. 512 bytes plus the length of the code ought to be enough. DS:DX => Code to encrypt This must point to the code you want to encrypt. CX = Length of code to encrypt Put the size of the piece of code you want to encrypt in CX. The TPE cannot encrypt more than 32768 bytes, so the value of CX must be lower. BP = Offset where the decryption routine will be executed You must put the address where the decryptor will start in BP. For example, if the generated program will be a COM file which starts with the decryptor, you must set this value to 100h. SI = Distance between decryptor and encrypted code In this register you must put the distance that will be between the decryptor and the encrypted code. If the encrypted code will be right after the decryptor (this is the normal case) you must set this value to 0. AX = Bit field In this register you can provide some options about the way the decryptor must be. bit 0: DS will not always be equal to CS If you are not sure that DS will be equal to CS when the decryptor takes control, you must set this bit high. This is the case when the decryptor is in an EXE file. bit 1: Insert random non-functional instructions in decryptor If this bit is high, the decryption routine will contain several non-functional instructions. Since these instructions are non-functional, they don't disturb the decryptor. bit 2: Put random instructions before decryptor If this bit is high, several random instructions are put before the decryption routine. These instructions may affect the registers, but they won't disturb the decryptor. bit 3: Preserve AX with decryptor If you want to preserve the original value of AX after decryption, you must set this bit high. Output parameters of the crypt routine: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ES = Work segment (preserved) ES will still point to the work segment. DS:DX => Decryptor + encrypted code This will now point to the decryptor, immediatly followed by the encrypted code. DS:DX will be the same as ES:0000. If SI was set to 0 before the TPE was called, the code is now ready to be put in a file. CX = Length of decryptor + encrypted code CX now has the summary length of both the decryptor and the encrypted code. You can use this value to write the decryptor plus the encrypted code to a file (in case SI was set to 0 before the TPE was called). DI = Length of decryptor If SI was not set to 0 before the TPE was called, you will need this value when you want to write the decryptor to a file. This value can also be used as an offset of the encrypted code. This will be at DS:DI (because DX will be 0). If SI was 0, you can ignore this value. AX = length of encrypted code This value will be the same as the value of CX before the TPE was called. If SI was not set to 0 before the TPE was called, you will need this value when you want to write the encrypted code to a file. If SI was 0, you can ignore this value. Final notes. ~~~~~~~~~~~~ First, I want to thank the Dark Avenger from Bulgaria for his nice 'Mutation Engine' program. This fine program has been a great source of inspiration for the TPE! Check out the source of TPE-GEN to learn more about the TPE and how it works. Please, remember that the author of the TPE and the TridenT virus research group are not responsible if you use the TPE in an illegal or naughty way. Good luck.