ViCE (tm)  Version 0.5

─────────────────────────────────────────────────────────────────────────────
                      √irogen's Irregular Code Engine
─────────────────────────────────────────────────────────────────────────────
                          (c)1995 √irogen [NuKE]

        "A Virus Is Only As Great As Its Polymorphic Engine"
                                                      -√irogen

****************************************************************************
DISCLAIMER:
 This polymorphic engine is actually part of a conspiracy against you.
 Every living thing on this planet has made a mutual agreement to conspire
 to make your life a living hell.
****************************************************************************

Introduction
─────────────────────────────────────────────────────────────────────────────
 Welcome to √irogen's Irregular Code Engine v0.5. This is a new polymorphic
 tool which can easily be included into any virus. It generates 100%
 polymorphic decryptors which are extremely variable in both code and action.
 You should find this engine quite effective.

 With this version, I include the entire source code. One reason is because
 I don't plan on updating this polymorphic engine any further. I'm sure it
 can be improved, but those improvements will be done with a completely new
 engine done from scratch; which I'll do eventually. This engine is just
 done, I need to start from scratch again.

How to Use
─────────────────────────────────────────────────────────────────────────────
 Add the following line to your latest super-virus:

     extrn _vice:near

 Then call the routine from your code with the following parameters:

     CS:SI = address of code to encrypt
     CS:DI = address to put decryptor+encrypted code. (Be sure to reserve
             an extra 850 bytes for the decryptor code if garbage is
             turned on. If garbage is off then 50 bytes should suffice.)
     CX    = total code size (don't forget to add in the size of ViCE,
             1995 bytes)
     DX    = offset where decryption routine will be run from.
             (i.e. The offset where the decryptor will start on the
             infected file)
     AL    = options byte, defined as follows:

             76543210
             │││││││└─ 0=CS: Segment Override In Decryptor, 1=No CS: Override
             ││││││└── 0=Garbage Code Off, 1=Garbage Code On
             │││││└─── reserved
             ││││└──── reserved
             │││└───── reserved
             ││└────── reserved
             │└─────── reserved
             └──────── reserved

             bit 0=This bit specifies whether or not to force use of the
                   CS segment in the decryptor. Typically, this bit should
                   be set to 0 when infecting a COM file, and 1 when
                   infecting an EXE.
             bit 1=This bit turns garbage code on or off. Garbage code
                   greatly increases the size of the decryptor, but adds
                   even more variability to the code.

 Returns:
     CX = Total length (virus code+decryptor)

Specifications
─────────────────────────────────────────────────────────────────────────────
 ViCE
     Current Version: 0.5  05-08-95
     Procedure Name:  _VICE
     Code Size:       1995 bytes
     Regs Destroyed:  None. CX=Code Length

 Decryptors Generated
     Size:            Approx. 13 - 850 bytes
     Encryption Type: ADD, SUB, and XOR - combinations of any.
                      Direct, load into register and manipulate, or load
                      key into register and directly crypt.
     Regs Destroyed:  Everything except segment registers
     Garbage Code:    Random number of bytes between each functional
                      operand.
     Detection:       None.

Obtaining The Latest Version / Contacting √irogen
─────────────────────────────────────────────────────────────────────────────
 The latest version of this engine can be downloaded from the West Coast
 Institute Of Virus Research. I can be reached via NuKENet.

History
─────────────────────────────────────────────────────────────────────────────
 v0.1ß = 02-05-95: ■Started coding.
         02-09-95: ■First Beta Release. Getting too anxious to release
                    this mother fucker.

 v0.2ß = 02-11-95: ■Fixed bug which rarely caused lockups when the decryptor
                    size became too large for the loop construct. As a
                    result, decryptor sizes have been reduced.
                   ■Random Number seed wasn't being initialized correctly,
                    fixed. No biggie, but things were predictable every
                    time it started with a seed of 0.
                   ■Added capability of garbage code between a couple of
                    operands it didn't before.
                   ■Improved Anti-TBSCAN code significantly
                   ■Optimized code; this version ended up being only 15
                    bytes larger.
                   ■This version is released under [NuKE].

 v0.3ß = 02-21-95: ■Rewrote garbage code engine. Now much more diverse.
                   ■Fixed bug which occasionally resulted in only partially
                    encrypted viruses.
                   ■Fixed bug in that the new total code size returned in
                    CX was accidentally being added to the run offset of
                    the decryptor. This caused the virus size to be larger
                    than it really was in some cases.

 v0.4ß = 02-24-95: ■Improved engine power.
                    -Added new technique of encryption which is very
                     variable.
                    -Added new possible operand combinations in some
                     functions.
                    -Decryptors may now be larger, be sure to reserve up
                     to 250 bytes.
                   ■This will probably be the last version for a while,
                    I'm taking a break from coding for a bit. The next
                    version will be a big jump. Probably v1.0 provided
                    nothing new happens; this will be the final of this
                    engine.

 v0.5  = 05-07-95: ■Went through and commented the code, optimized some of
                    it.
                   ■Removed Anti-TBSCAN code (as version 6.34 circumvents
                    it) and replaced it with larger decryptors.
                   ■Removed possibility of garbage code generated which
                    made a CMP or TEST to the same register.
                    (i.e. TEST AX,AX).
                   ■All ADD and SUB operands which function on the AX
                    register now are written in the short form.
                   ■Now sets up its own stack.
                   ■No longer tolerates ES or DS segments which aren't
                    equal to CS.
                   ■Removed option to turn off JMPS in garbage code.
                   ■Released complete source code.
                   ■THIS IS THE LAST VERSION OF THIS ENGINE [I think].
                    I think I can do better with a newly designed engine.

                                                      √irogen
                                                      [NuKE]