Code:
;*******************************************
;* (X) SamLaren 2016 *
;*******************************************
;* Metamorphic Pseudo Assembler *
;* *
;* release v1.0 20/12-2016 *
;* *
;*******************************************
buff equ buffert
decryptorSize equ bufferSize
include 'pseudo_assembler.inc'
fixAAjmps:
buff_size equ [ebp+8]
buff_addr equ [ebp+12]
label_arr_address equ [ebp+16]
push ebp
mov ebp, esp
pushad
xor ecx, ecx
mov eax, buff_addr
mov ebx, label_arr_address
_@lop1:
cmp ecx, buff_size
je end_lop1
movzx edx, byte[eax+ecx]
cmp dl, 0xE9
je fix_jmp
cmp dl, 0x74
je fix_je_jmp
cmp dl, 0x75
je fix_jne_jmp
ret_to_lop:
inc ecx
jmp _@lop1
end_lop1:
popad
mov esp, ebp
pop ebp
ret
fix_jne_jmp:
push edx
mov edx, [ebx]
sub edx, buff_addr
sub edx, ecx
sub edx, 2
mov byte[eax+ecx+1], dl
pop edx
add ebx, 4
jmp ret_to_lop
fix_je_jmp:
push edx
mov edx, [ebx]
sub edx, buff_addr
sub edx, ecx
sub edx, 2
mov byte[eax+ecx+1], dl
pop edx
add ebx, 4
jmp ret_to_lop
fix_jmp:
push edx
mov edx, [ebx]
sub edx, buff_addr
sub edx, ecx
sub edx, 5
mov dword[eax+ecx+1], edx
pop edx
add ebx, 4
jmp ret_to_lop
assembler:
buff_address equ [ebp+8]
store_address equ [ebp+12]
push ebp
mov ebp, esp
pushad
xor eax, eax
xor edx, edx
cmp [pseudo.type], TYPEPUSHAD
je @ps_pushad
cmp [pseudo.type], TYPEPOPAD
je @ps_popad
cmp [pseudo.type], TYPECALL
je @ps_call
cmp [pseudo.type], TYPEDECR
je @decr
cmp [pseudo.type], TYPEPUSHI
je @pushi
cmp [pseudo.type], TYPEPUSHM
je @pushi
cmp [pseudo.type], TYPETESTR
je @testr
cmp [pseudo.type], TYPEMOVREGPTR
je @mOv_reg_ptr
cmp [pseudo.type], TYPEMOVPTRREG
je @mOv_ptr_reg
cmp [pseudo.type], TYPESUBI
je @subi
cmp [pseudo.type], TYPELABEL
je _label
cmp [pseudo.type], TYPEXORI
je @Xori
cmp [pseudo.type], TYPEADDI
je @addi
cmp [pseudo.type], TYPEJNE
je @jnejump
cmp [pseudo.type], TYPEINCR
je @incr
cmp [pseudo.type], TYPECMPR
je @cmpr
cmp [pseudo.type], TYPECMPI
je @cmpi
cmp [pseudo.type], TYPEJE
je @jejump
cmp [pseudo.type], TYPEJMP
je @JumP
cmp [pseudo.type], TYPEXORR
je @Xorr
cmp [pseudo.type], TYPEPUSHR
je @pushr
cmp [pseudo.type], TYPEPOPR
je @popr
cmp [pseudo.type], TYPEMOVI
je @MovI
cmp [pseudo.type], TYPEMOVR
je @mOvr
cmp [pseudo.type], TYPERET
je retfunc
_@exit:
popad
mov esp, ebp
pop ebp
ret
@ps_popad:
mov [pseudo.len], 0x1
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x61
stosb
jmp _@exit
@ps_pushad:
mov [pseudo.len], 0x1
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x60
stosb
jmp _@exit
@ps_call:
mov [pseudo.len], 0x6
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0xFF
stosb
mov al, 0x15
stosb
mov eax, [pseudo.dst]
stosd
jmp _@exit
@decr:
mov [pseudo.len], 0x1 ; size = 1
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x48
add al, byte[pseudo.dst]
stosb
jmp _@exit
@pushi:
mov edx, [pseudo.src]
cmp edx, 127
ja large_i
xor edx, edx
mov [pseudo.len], 0x2
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x6A
stosb
mov al, byte[pseudo.src]
stosb
jmp _@exit
large_i:
xor edx, edx
mov [pseudo.len], 0x5
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x68
stosb
mov eax, [pseudo.src]
stosd
xor eax, eax
jmp _@exit
@testr:
call Rand
cmp eax, 6
jae testr_mut_1
cmp eax, 3
jae testr_mut_1
mov [pseudo.len], 0x2
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x85
stosb
mov al, byte[pseudo.src]
mov dl, 0x8
mul dl
add al, 0xC0
add al, byte[pseudo.dst]
stosb
jmp _@exit
testr_mut_1: ; or reg, reg
mov [pseudo.len], 0x2
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x09
stosb
mov al, byte[pseudo.src]
mov dl, 0x8
mul dl
add al, 0xC0
add al, byte[pseudo.dst]
stosb
jmp _@exit
testr_mut_2: ; and reg, reg
mov [pseudo.len], 0x2
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x21
stosb
mov al, byte[pseudo.src]
mov dl, 0x8
mul dl
add al, 0xC0
add al, byte[pseudo.dst]
stosb
jmp _@exit
@mOv_reg_ptr:
mov [pseudo.len], 0x2
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x8B
stosb
mov al, byte[pseudo.dst]
mov dl, 0x8
mul dl
add al, byte[pseudo.src]
stosb
jmp _@exit
@mOv_ptr_reg:
mov [pseudo.len], 0x2
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x89
stosb
mov al, byte[pseudo.src]
mov dl, 0x8
mul dl
add al, byte[pseudo.dst]
stosb
jmp _@exit
@subi:
call Rand
cmp eax, 4
jae subi_mut_1
mov [pseudo.len], 0x3 ; size = 3
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x83
stosb
mov al, 0xE8
add al, byte[pseudo.dst]
stosb
mov al, byte[pseudo.src]
stosb
jmp _@exit
subi_mut_1: ; sub reg, (imm+rand) | add reg, rand
mov [pseudo.len], 0x3
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
call Rand
mov dl, al
mov al, 0x83
stosb
mov al, 0xE8
add al, byte[pseudo.dst]
stosb
mov al, byte[pseudo.src]
add al, dl
stosb
mov byte[pseudo.src], dl
jmp @addi
_label:
mov eax, buff_address
add eax, [decryptorSize]
mov edx, [ebp+12]
mov [edx], eax
jmp _@exit
@Xori:
mov [pseudo.len], 0x3 ; size = 3
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x83
stosb
mov al, 0xF0
add al, byte[pseudo.dst]
stosb
mov al, byte[pseudo.src]
stosb
jmp _@exit
@addi:
call Rand
cmp eax, 4
jae addi_mut_1
mov [pseudo.len], 0x3 ; size = 3
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x83
stosb
mov al, 0xC0
add al, byte[pseudo.dst]
stosb
mov al, byte[pseudo.src]
stosb
jmp _@exit
addi_mut_1: ; add reg, (imm+rand) | sub reg, rand
mov [pseudo.len], 0x3
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
call Rand
mov dl, al
mov al, 0x83
stosb
mov al, byte[pseudo.dst]
add al, 0xC0
stosb
mov al, byte[pseudo.src]
add al, dl
stosb
mov byte[pseudo.src], dl
jmp @subi
@jnejump:
mov [pseudo.len], 0x2 ; size = 2
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x75
stosb
;mov al, byte[pseudo.dst]
;stosb
mov al, 0
stosb
jmp _@exit
@incr:
call Rand
cmp eax, 5
jae add_1
mov [pseudo.len], 0x1 ; size = 1
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x40
add al, byte[pseudo.dst]
stosb
jmp _@exit
add_1: ; add reg, 1
mov [pseudo.src], 1
jmp @addi
@cmpr:
mov [pseudo.len], 0x2 ; size = 2
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x39
stosb
mov al, byte[pseudo.src]
mov dl, 8
mul dl
add al, 0xC0
add al, byte[pseudo.dst]
stosb
jmp _@exit
@cmpi:
mov [pseudo.len], 0x3 ; size = 3
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x83
stosb
mov al, 0xF8
add al, byte[pseudo.dst]
stosb
mov al, byte[pseudo.src]
stosb
jmp _@exit
@jejump:
mov [pseudo.len], 0x2 ; size = 2
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x74
stosb
;mov al, byte[pseudo.dst]
;stosb
mov al, 0
stosb
jmp _@exit
@JumP:
mov eax, buff
add eax, [decryptorSize]
mov [pseudo.src], eax ; save src location, vill aldrig hoppa från något annat ställe
xor eax, eax
mov [pseudo.len], 0x5 ; size = 5
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0xE9
stosb
mov eax, 0
stosd
jmp _@exit
@Xorr:
mov [pseudo.len], 0x2 ; size = 2
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x31
stosb
mov al, byte[pseudo.src]
mov dl, 8
mul dl
add al, 0xC0
add al, byte[pseudo.dst]
stosb
jmp _@exit
retfunc:
mov [pseudo.len], 0x1 ; size = 1
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0xC3
stosb
jmp _@exit
@MovI:
call Rand
cmp eax, 4
jae movi_mut_1
mov [pseudo.len], 0x5 ; size = 1
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0xB8
add al, byte[pseudo.dst]
stosb
mov eax, [pseudo.src]
stosd
jmp _@exit
movi_mut_1: ; push imm | pop reg
mov [pseudo.len], 0x5
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x68
stosb
mov eax, [pseudo.src]
stosd
xor eax, eax
jmp @popr
@popr:
call Rand
cmp eax, 5
jae popr_mut_1
mov [pseudo.len], 0x1 ; size = 1
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x58
add al, byte[pseudo.dst]
stosb
jmp _@exit
popr_mut_1: ; mov reg, [esp] | add esp, 4
mov [pseudo.len], 0x3
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x8B
stosb
mov al, byte[pseudo.dst]
mov dl, 8
mul dl
add al, 0x4
stosb
mov al, 0x24
stosb
mov [pseudo.dst], REGESP
mov [pseudo.src], 0x4
jmp @addi
@pushr:
call Rand
cmp eax, 5
jae push_mut_1
mov [pseudo.len], 0x1 ; size = 1
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x50
add al, byte[pseudo.src]
stosb
jmp _@exit
push_mut_1: ; sub esp, 4 | mov [esp], reg
mov [pseudo.len], 0x6
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x83
stosb
mov al, 0xEC
stosb
mov al, 0x4
stosb
mov al, 0x89
stosb
mov al, byte[pseudo.src]
mov dl, 8
mul dl
add al, 0x4
stosb
mov al, 0x24
stosb
jmp _@exit
@mOvr:
call Rand
cmp eax, 5
jae movr_mut_1
mov [pseudo.len], 0x2 ; size = 2
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x89
stosb
mov al, byte[pseudo.src]
mov dl, 0x8
mul dl
add al, 0xC0
add al, byte[pseudo.dst]
stosb
jmp _@exit
movr_mut_1: ; push reg | pop reg2
mov [pseudo.len], 0x1
mov edi, buff_address
add edi, [decryptorSize] ; Get next spot for instruction
movzx eax, [pseudo.len]
add [decryptorSize], eax ; update decryptor size
mov al, 0x50
add al, byte[pseudo.src]
stosb
jmp @popr
Rand: ; Random number between 0 and 10
;push ebp
;mov ebp, esp
push edx
push ecx
xor eax, eax
rdtsc
xor edx, edx
mov ecx, 10
div ecx
mov eax, edx
pop ecx
pop edx
;mov esp, ebp
;pop ebp
ret
pseudoAssembler.inc
Code:
struct INSTR
type db ?
src dd ?
dst dd ?
len db ?
ends
macro store
{
push buff
call assembler
}
macro store_label arg1
{
push arg1
push buff
call assembler
}
macro fix_jmps
{
push label1
push buff
push [decryptorSize]
call fixAAjmps
}
macro pushr src
{
mov [pseudo.type], TYPEPUSHR
mov [pseudo.src], src
store
}
macro popr dst
{
mov [pseudo.type], TYPEPOPR
mov [pseudo.dst], dst
store
}
macro movr dst, src
{
mov [pseudo.type], TYPEMOVR
mov [pseudo.dst], dst
mov [pseudo.src], src
store
}
macro movi dst, src
{
mov [pseudo.type], TYPEMOVI
mov [pseudo.dst], dst
push eax
mov eax, src
mov [pseudo.src], eax
pop eax
store
}
macro movm dst, src
{
mov [pseudo.type], TYPEMOVI
mov [pseudo.dst], dst
push eax
mov eax, src
mov [pseudo.src], eax
pop eax
store
}
macro @ret
{
mov [pseudo.type], TYPERET
store
}
macro xorr dst, src
{
mov [pseudo.type], TYPEXORR
mov [pseudo.src], src
mov [pseudo.dst], dst
store
}
macro jump
{
mov [pseudo.type], TYPEJMP
mov [pseudo.dst], 0
store
}
macro jejump
{
mov [pseudo.type], TYPEJE
mov [pseudo.dst], 0
store
}
macro jzjump
{
mov [pseudo.type], TYPEJZ
mov [pseudo.dst], 0
store
}
macro cmpi dst, src
{
mov [pseudo.type], TYPECMPI
mov [pseudo.dst], dst
push eax
mov eax, src
mov [pseudo.src], src
pop eax
store
}
macro cmpm dst, src
{
mov [pseudo.type], TYPECMPI
mov [pseudo.dst], dst
push eax
mov eax, src
mov [pseudo.src], src
pop eax
store
}
macro cmpr dst, src
{
mov [pseudo.type], TYPECMPR
mov [pseudo.dst], dst
mov [pseudo.src], src
store
}
macro incr dst
{
mov [pseudo.type], TYPEINCR
mov [pseudo.dst], dst
store
}
macro jnejump
{
mov [pseudo.type], TYPEJNE
mov [pseudo.dst], 0
store
}
macro jnzjump
{
mov [pseudo.type], TYPEJNZ
mov [pseudo.dst], 0
store
}
macro addi dst, src
{
mov [pseudo.type], TYPEADDI
mov [pseudo.dst], dst
push eax
mov eax, src
mov [pseudo.src], eax
pop eax
store
}
macro addm dst, src
{
mov [pseudo.type], TYPEADDI
mov [pseudo.dst], dst
push eax
mov eax, src
mov [pseudo.src], eax
pop eax
store
}
macro xori dst, src
{
mov [pseudo.type], TYPEXORI
push eax
mov eax, src
mov [pseudo.src], eax
pop eax
mov [pseudo.dst], dst
store
}
macro xorm dst, src
{
mov [pseudo.type], TYPEXORI
push eax
mov eax, src
mov [pseudo.src], eax
pop eax
mov [pseudo.dst], dst
store
}
macro @label arg1
{
mov [pseudo.type], TYPELABEL
store_label arg1
}
macro subi dst, src
{
mov [pseudo.type], TYPESUBI
push eax
mov eax, src
mov [pseudo.src], eax
pop eax
mov [pseudo.dst], dst
store
}
macro subm dst, src
{
mov [pseudo.type], TYPESUBI
push eax
mov eax, src
mov [pseudo.src], eax
pop eax
mov [pseudo.dst], dst
store
}
macro mov_ptr_reg dst, src
{
mov [pseudo.type], TYPEMOVPTRREG
mov [pseudo.dst], dst
mov [pseudo.src], src
store
}
macro mov_reg_ptr dst, src
{
mov [pseudo.type], TYPEMOVREGPTR
mov [pseudo.dst], dst
mov [pseudo.src], src
store
}
macro testr dst, src
{
mov [pseudo.type], TYPETESTR
mov [pseudo.dst], dst
mov [pseudo.src], src
store
}
macro pushi src
{
mov [pseudo.type], TYPEPUSHI
push eax
mov eax, src
mov [pseudo.src], eax
pop eax
store
}
macro pushm src
{
mov [pseudo.type], TYPEPUSHI
push eax
mov eax, src
mov [pseudo.src], eax
pop eax
store
}
macro decr dst
{
mov [pseudo.type], TYPEDECR
mov [pseudo.dst], dst
store
}
macro @call dst
{
mov [pseudo.type], TYPECALL
mov [pseudo.dst], dst
store
}
macro @Pushad
{
mov [pseudo.type], TYPEPUSHAD
store
}
macro @Popad
{
mov [pseudo.type], TYPEPOPAD
store
}
TYPEPUSHM equ 0x16 ; push [mem]
TYPEPUSHR equ 0x1 ; push reg
TYPEPOPM equ 0x2 ; pop [mem]
TYPEPOPR equ 0x3 ; pop reg
TYPEMOVM equ 0x6 ; mov reg, [mem]
TYPEMOVR equ 0x5 ; mov reg, reg2
TYPEMOVI equ 0x6 ; mov reg, imm / mov reg, [mem]
TYPERET equ 0x7 ; ret
TYPEXORR equ 0x8 ; xor reg, reg2
TYPEJMP equ 0x9 ; jmp
TYPEJE equ 0xA ; je
TYPEJZ equ 0xA ; jz
TYPECMPI equ 0xB ; cmp reg, imm / cmp reg, [mem]
TYPECMPR equ 0xC ; cmp reg, reg2
TYPEINCR equ 0xD ; inc reg
TYPEJNE equ 0xE ; jne
TYPEJNZ equ 0xE ; jnz
TYPEADDI equ 0xF ; add reg, imm / add reg, [mem]
TYPEXORI equ 0x10 ; xor reg, imm / xor reg, [mem]
TYPELABEL equ 0x11 ; label:
TYPESUBI equ 0x12 ; sub reg, imm / sub reg, [mem]
TYPEMOVPTRREG equ 0x13 ; mov [reg], reg2 does not work with esp or ebp in ptr postition
TYPEMOVREGPTR equ 0x14 ; mov reg, [reg2] does not work with esp or ebp in ptr postition
TYPETESTR equ 0x15 ; test reg, reg2
TYPEPUSHI equ 0x16 ; push imm / push [mem]
TYPEDECR equ 0x17 ; dec reg
TYPECALL equ 0x18 ; call
TYPEPUSHAD equ 0x19 ; pushad
TYPEPOPAD equ 0x1A ; popad
REGEAX equ 0x0
REGECX equ 0x1
REGEDX equ 0x2
REGEBX equ 0x3
REGESP equ 0x4
REGEBP equ 0x5
REGESI equ 0x6
REGEDI equ 0x7
Use this as you want and contribute if you want. Hope it can come in use.