104 lines
3.7 KiB
Plaintext
Rajaat's Tiny Flexible Mutator [RTFM]
Version 1.1
(C) 1994 Rajaat
-------------------------------------

What is it?
-----------

RTFM is an object module that can be linked to your virus to make
it impossible for a scanner to use a simple string. It will encrypt
your virus and generate a random decryptor using random registers
and random instructions. Therefore, an algorithmic approach will be
needed to detect viruses using this object module.

How to use it
-------------

RTFM is very easy to use, and regular assembler users will have no
problem using this routine. RTFM needs some input registers and will
give some return values after processing.

Input
-----

    DS:SI = piece of code to encrypt
    ES:DI = place of decryptor+encrypted code
    CX    = length of code (include the mutator (mut_len))
    BX    = offset of decryptor in file
    AX    = flag bits
            bit 0 = 1 : do not use junk code

Output
------

    DS:DX = place of decryptor+encrypted code
    CX    = length of encrypted code+decryptor
    BP    = preserved

    Other registers might be trashed.

Put this at the start of your virus code
----------------------------------------

    extrn mut_top:near, mut_bottom:near, mut_len:abs
    extrn rnd_init:near, rnd_get:near
    extrn mutate:near

Before writing the virus to a file, call the engine with these parameters
-------------------------------------------------------------------------

    mov si,offset virusstart    ; with non-resident virii
                                ; you will need a delta offset

    mov di,offset workspace     ; make sure you point this to
                                ; an area that has enough space
                                ; for the virus (including
                                ; the mutation engine) and the
                                ; decryptor

    mov cx,viruslength+mut_len  ; the length of the virus (and
                                ; the length of the mutation
                                ; engine)

    mov bx,absstart             ; absolute start of the
                                ; decryptor

    xor ax,ax                   ; no flags set

    call mutate                 ; and mutate!

Linking the module
------------------

To link RTFM to your virus, use TLINK from Borland. Use the following
syntax:

    TLINK /T MYVIRUS+RME11

Notes
-----

RTFM was not meant to make an unscannable virus; its only purpose is
to make string scanning impossible. The code generated by RTFM is by
no means extremely polymorphic, and it will not be very difficult to
devise an algorithm to detect viruses using RTFM. The size of RTFM is
smaller than 650 bytes. This is not too big.

History
-------

    1.0  initial version
    1.1  the decrease counter can get an add or sub
         the increase pointer can get an add or sub
         added random byte operation with one register as trash function

Greetings
---------

Omega [AD], NuKE, Phalcon/Skism, Immortal Riot, TridenT, VLAD, YAM,
Trinity, Zerial, DNA and all other virus writers I forgot!