A new drip from the viral bucket of Norman ASA’s senior. As some of you may remember, there was a time when every virus writing group with any respect for itself had to have at least one polymorphic encryption engine. Trident (from the Netherlands) had one of the earliest and most coveted ones. MtE was even earlier and drove some of the establishment up the walls and into apoplexy. This one is Brainwave’s. One of them. As usual, we’ll just drop the beginning out here. It would be interesting to see if anyone recognises it, because I don’t think it ever got out. But having learned fully of the kind of duplicity hiding under Norman’s rocks, I can no longer be certain of that.

here we go:

;* By Brainwave 1994

.model tiny
.radix 16

PUBLIC chicago_init,chicago_size,chicago

;1: Call chicago_init with:
; AX = decryptor flags
; CX = length of code to encrypt (including chicago)
; DX = offset of code to encrypt
;format of decryptor flags:
;bits 0-7 Amount of garbage code generation.
; Valid entries are 0,1,3,7,f,1f,3f,7f,ff
; A value of 0 will choose a random value, the rest
; shows maximum amount of garbage instructions that
; will be generated between each good instruction.
; eg. a value of 1f will generate between 1 and 31 garbage
; instructions between good instructions.
;bit 8 0/1 = COM/EXE decryptor segment usage
;bit 9 0/1 = Variable/static encrypted code size
;NB! NB! NB! chicago_init must always be called before calling chicago.
; However, it’s enough to call it once. It’s not necessary to
; call it between consecutive encryptions unless you want to
; change parameters.
;2: Call chicago with:
; BP = IP in decryptor
; ES = free segment
; Maximum amount of free memory required:
; flags.lowbyte = 01 -> 340h+code
; flags.lowbyte = 03 -> 378h+code
; flags.lowbyte = 07 -> 3e8h+code
; flags.lowbyte = 0f -> 4c8h+code
; flags.lowbyte = 1f -> 688h+code
; flags.lowbyte = 3f -> 1008h+code
; flags.lowbyte = 7f -> 1108h+code
; flags.lowbyte = ff -> 1f08h+code
; flags.lowbyte = 0 -> random, to be safe choose 1f08+code
; These values are worst case. Experiment to see how much
; memory that will be sufficient in your case.

;The code size of chicago is 030dh (781 decimal) bytes.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: