ViCE (tm) Version 0.5
───────────────────────────────────
ûirogen's Irregular Code Engine
───────────────────────────────────

(c)1995 ûirogen [NuKE]

"A Virus Is Only As Great As Its Polymorphic Engine" -ûirogen

****************************************************************************
DISCLAIMER: This polymorphic engine is actually part of a conspiracy against
you. Every living thing on this planet has made a mutual agreement to
conspire to make your life a living hell.
****************************************************************************

Introduction
───────────────────────────────────────────────────────────────────────────

Welcome to ûirogen's Irregular Code Engine v0.5. This is a new polymorphic
tool which can easily be included in any virus. It generates 100%
polymorphic decryptors which are extremely variable in both code and action.
You should find this engine quite effective.

With this version, I include the entire source code. One reason is that I
don't plan on updating this polymorphic engine any further. I'm sure it can
be improved, but those improvements will be done with a completely new
engine written from scratch, which I'll do eventually. This engine is just
done; I need to start from scratch again.

How to Use
───────────────────────────────────────────────────────────────────────────

Add the following line to your latest super-virus:

    extrn _vice:near

Then call the routine from your code with the following parameters:

    CS:SI = address of code to encrypt
    CS:DI = address to put decryptor+encrypted code. (Be sure to reserve an
            extra 850 bytes for the decryptor code if garbage is turned on.
            If garbage is off then 50 bytes should suffice.)
    CX    = total code size (don't forget to add in the size of ViCE,
            1995 bytes)
    DX    = offset where decryption routine will be run from (i.e. the
            offset where the decryptor will start in the infected file)
    AL    = options byte, defined as follows:

            76543210
            │││││││└─ 0=CS: Segment Override In Decryptor, 1=No CS: Override
            ││││││└── 0=Garbage Code Off, 1=Garbage Code On
            │││││└─── reserved
            ││││└──── reserved
            │││└───── reserved
            ││└────── reserved
            │└─────── reserved
            └──────── reserved

    bit 0 = This bit specifies whether or not to force use of the CS segment
            in the decryptor. Typically, this bit should be set to 0 when
            infecting a COM file, and 1 when infecting an EXE.
    bit 1 = This bit turns garbage code on or off. Garbage code greatly
            increases the size of the decryptor, but adds even more
            variability to the code.

Returns:

    CX = Total length (virus code+decryptor)

Specifications
───────────────────────────────────────────────────────────────────────────

    ViCE Current Version:   0.5  05-08-95
    Procedure Name:         _VICE
    Code Size:              1995 bytes
    Regs Destroyed:         None. CX=Code Length

    Decryptors Generated
    Size:                   Approx. 13 - 850 bytes
    Encryption Type:        ADD, SUB, and XOR - combinations of any.
                            Direct, load into register and manipulate, or
                            load key into register and directly crypt.
    Regs Destroyed:         Everything except segment registers
    Garbage Code:           Random number of bytes between each functional
                            operand.
    Detection:              None.

Obtaining The Latest Version / Contacting ûirogen
───────────────────────────────────────────────────────────────────────────

The latest version of this engine can be downloaded from the West Coast
Institute Of Virus Research. I can be reached via NuKENet.

History
───────────────────────────────────────────────────────────────────────────

v0.1β = 02-05-95: ■ Started coding.
        02-09-95: ■ First Beta Release. Getting too anxious to release this
                    mother fucker.

v0.2β = 02-11-95: ■ Fixed bug which rarely caused lockups when the decryptor
                    size became too large for the loop construct. As a
                    result, decryptor sizes have been reduced.
                  ■ Random number seed wasn't being initialized correctly;
                    fixed. No biggie, but things were predictable every time
                    it started with a seed of 0.
                  ■ Added capability of garbage code between a couple of
                    operands where it wasn't generated before.
                  ■ Improved Anti-TBSCAN code significantly.
                  ■ Optimized code; this version ended up being only 15
                    bytes larger.
                  ■ This version is released under [NuKE].

v0.3β = 02-21-95: ■ Rewrote garbage code engine. Now much more diverse.
                  ■ Fixed bug which occasionally resulted in only partially
                    encrypted viruses.
                  ■ Fixed bug in which the new total code size returned in
                    CX was accidentally being added to the run offset of the
                    decryptor. This caused the virus size to be larger than
                    it really was in some cases.

v0.4β = 02-24-95: ■ Improved engine power.
                    - Added new technique of encryption which is very
                      variable.
                    - Added new possible operand combinations in some
                      functions.
                    - Decryptors may now be larger; be sure to reserve up to
                      250 bytes.
                  ■ This will probably be the last version for a while; I'm
                    taking a break from coding for a bit. The next version
                    will be a big jump, probably v1.0 provided nothing new
                    happens; this will be the final version of this engine.

v0.5  = 05-07-95: ■ Went through and commented the code, optimized some of
                    it.
                  ■ Removed Anti-TBSCAN code (as version 6.34 circumvents it)
                    and replaced it with larger decryptors.
                  ■ Removed possibility of garbage code being generated
                    which made a CMP or TEST to the same register (i.e.
                    TEST AX,AX).
                  ■ All ADD and SUB operands which function on the AX
                    register are now written in the short form.
                  ■ Now sets up its own stack.
                  ■ No longer tolerates ES or DS segments which aren't equal
                    to CS.
                  ■ Removed option to turn off JMPs in garbage code.
                  ■ Released complete source code.
                  ■ THIS IS THE LAST VERSION OF THIS ENGINE [I think]. I
                    think I can do better with a newly designed engine.

ûirogen [NuKE]