cmix.txt
CODE MIXER
version 1.50
CODE MIXER is a utility (subroutine, library, engine, include file, ...)
that mixes two code buffers.
The destination buffer receives every instruction of both source buffers,
interleaved with each other in random order.
   src buf #1        src buf #2        dest buf
   ------------      ------------      -------------
   imul eax, ebx     add edi,1         add edi,1
   q:cdq             add edi,2         imul eax, ebx
   xor ecx, ecx      add edi,3         q:cdq
   jz q              loop $-2          add edi,2
   nop                                 xor ecx,ecx   ; next cmd is jxx
                                       jz q          ; jxx-expanded to near,fixed
                                       add edi,3
                                       nop
                                       loop $-2      ; loop/z/nz/jecxz-ignored
CODEMIXER uses two external subroutines, rnd() and disasm(); both must
follow the C calling convention (i.e. return control with RET and leave the
arguments on the stack for the caller).
  DWORD rnd(DWORD range)  returns a random number,
  DWORD disasm(BYTE* cmd) returns the length of the command, or -1 on error.
The example uses a simple random-number generator and an external
disassembler (LDE32), but you can always substitute your own random-number
generator and/or disassembler.
CALLING CODEMIXER
  include cmix.inc

  push offset disasm      ; DWORD disasm(BYTE*)
  push offset rnd         ; DWORD rnd(DWORD range)
  push offset srcbuf1     ; source buffer #1 -- offset
  push size srcbuf1       ; ... size
  push offset srcbuf2     ; source buffer #2 -- offset
  push size srcbuf2       ; ... size
  push offset destbuf     ; destination buffer -- offset
  push size destbuf       ; ... maximal size
  push offset destsize    ; ... pointer to new size (DWORD PTR)
  push maxcmd             ; max # of commands (in both buffers)
  call codemixer
Return values:
  EAX==0 on success; destsize = size of the destination buffer
  EAX!=0 on error; see CMIX.INC for the error codes (CM_ERR_xxx)
FEATURES
- code is offset-independent, so it can be displaced or permuted
- no external data used, only own stack vars
- jmps/calls (E8,E9,7x,0F 8x) are fixed
(to point correctly to the new addresses)
- external jmps/calls (i.e. out of the source buffers) are fixed correctly
- short jmps (7x,EB) are expanded into near jmps
- if next command is jxx (short or near), it will be stored after current
command, without inserting other buffer commands before jxx
- commands jecxz,loop,loopz,loopnz (E0/E1/E2/E3) are ignored
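The mixing property in the table above and the jxx rule in the feature list together define what a valid CODE MIXER output looks like: every instruction of both sources appears exactly once, each source keeps its internal order, and a conditional jump is never separated from the command that precedes it in its own buffer. An analyst who knows (or suspects) the two source sequences, say a recognised decryptor template and a block of filler, can check a recovered instruction list against those two guarantees and recover which buffer supplied each instruction. The script below is an added example, not part of cmix.txt or the CODE MIXER sources; the instruction lists are constructed from the table in this document, and the `mix_assignment`, `normalize`, `mnemonic` and `is_jcc` names are my own. It treats any `j*` mnemonic other than `jmp`/`jecxz`/`jcxz` as a jxx, matching the 7x / 0F 8x classes the text describes.

```python
import re
from functools import lru_cache

# jmp (EB/E9) is unconditional and jecxz (E3) is listed as ignored by the mixer,
# so neither is subject to the "jxx stays after the current command" rule.
_NOT_JCC = {"jmp", "jecxz", "jcxz"}


def normalize(insn):
    """Canonical form so 'xor ecx, ecx' and 'xor ecx,ecx' compare equal."""
    text = " ".join(insn.lower().split())
    return re.sub(r"\s*,\s*", ",", text)


def mnemonic(insn):
    """Mnemonic of a normalized instruction, skipping an optional 'label:' prefix."""
    first = insn.split(" ", 1)[0]
    if ":" in first:  # 'q:cdq' or 'q: cdq'
        insn = insn.split(":", 1)[1].strip()
    return insn.split(" ", 1)[0]


def is_jcc(insn):
    """True for conditional jumps (jz, jnz, ...), the commands the mixer glues to their predecessor."""
    m = mnemonic(normalize(insn))
    return m.startswith("j") and m not in _NOT_JCC


def mix_assignment(src1, src2, dest):
    """Return a string over {'A','B'} telling which source buffer supplied each
    instruction of dest, or None if dest is not a valid mix of src1 and src2:
    all instructions present exactly once, per-source order preserved, and a
    jxx (other than the first command of a buffer) directly following its own
    predecessor."""
    a = [normalize(x) for x in src1]
    b = [normalize(x) for x in src2]
    c = [normalize(x) for x in dest]
    if len(a) + len(b) != len(c):
        return None

    @lru_cache(maxsize=None)
    def solve(i, j, last):
        # i, j: instructions already consumed from a and b; last: buffer of c[i+j-1]
        k = i + j
        if k == len(c):
            return ""
        if i < len(a) and a[i] == c[k] and (i == 0 or last == "A" or not is_jcc(a[i])):
            rest = solve(i + 1, j, "A")
            if rest is not None:
                return "A" + rest
        if j < len(b) and b[j] == c[k] and (j == 0 or last == "B" or not is_jcc(b[j])):
            rest = solve(i, j + 1, "B")
            if rest is not None:
                return "B" + rest
        return None

    return solve(0, 0, None)


# Constructed sample input: the three columns of the table in this document.
SRC1 = ["imul eax, ebx", "q:cdq", "xor ecx, ecx", "jz q", "nop"]
SRC2 = ["add edi,1", "add edi,2", "add edi,3", "loop $-2"]
DEST = ["add edi,1", "imul eax, ebx", "q:cdq", "add edi,2", "xor ecx,ecx",
        "jz q", "add edi,3", "nop", "loop $-2"]
# Same instructions, but 'add edi,2' slid in between 'xor' and its 'jz':
# this violates the jxx rule, so it is not something the mixer would emit.
DEST_BAD_JCC = ["add edi,1", "imul eax, ebx", "q:cdq", "xor ecx,ecx", "add edi,2",
                "jz q", "add edi,3", "nop", "loop $-2"]

if __name__ == "__main__":
    print(mix_assignment(SRC1, SRC2, DEST))          # BAABAABAB
    print(mix_assignment(SRC1, SRC2, DEST_BAD_JCC))  # None
```

The search is a memoised two-pointer walk over (consumed-from-A, consumed-from-B, last-buffer), so it is linear in the product of the two buffer lengths and explores every interleaving rather than committing to the first match; the `last` state is what enforces the jxx constraint. Since the mixer only rewrites displacements and expands short jumps, comparing at the mnemonic/operand level (with the label kept) is enough for this check; comparing raw bytes would need the rel8/rel32 differences normalised first.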
WHERE CODEMIXER CAN BE USED
- to create polymorphic decryptors
1. generate simple decryptor (as in crypt-virus)
2. generate some trash (easy with ETG engine)
3. mix buffers
- to mix some commands from the host's startup with the virus's startup
- to generate some hash-like functions,
for example:
dst-reg-set = [REG_EAX],
src-reg-set = [REG_EBX],
so generated function will return EAX=f(EBX)