Madmouse

sample generated polymorphic engine

Jun 27th, 2016
; Sample polymorphic engine — NASM, Intel syntax, x86-64 Linux, raw syscalls.
; This listing is self-modifying: `engine` stores into the jmpNN instruction
; slots inside _start, and `prng` stores into the state words w/x/y/z. No
; section directive appears here, so code and mutable data share the default
; section; the image must be mapped writable AND executable at those
; addresses, and a W^X-enforcing loader would fault on the first store.
; From a defender's view, an RWX code region plus rdtsc-driven stores into
; the text is the observable characteristic of this sample.
[bits 64]
global _start
  3. exit:
  4. mov rax, 60
  5. xor rdi, rdi
  6. syscall
  7.  
  8.  
;-----------------------------------------------------------------------
; _start — program entry. Runs `engine` three times, once per
; register-specific slot group (rcx, rax, rbx), then executes the
; (possibly rewritten) jmp10 slot, which transfers to `exit`.
; Per engine call:
;   rcx = number of slots in the lookup table
;   r8  = address of the lookup table (one qword slot address each)
;   r10 = replacement qword; low dword = "push reg; ret; nop; nop",
;         high dword = "jmp reg; nop; nop" (see the data tables below)
; Layout invariant: every jmpNN slot is exactly 4 bytes — a 2-byte
; "jmp reg" followed by two nops — because `engine` stores a dword at
; the slot address. Reordering or padding these slots breaks that.
;-----------------------------------------------------------------------
_start:
        mov     rcx, 1                  ; 1 slot: jmp15
        lea     r8, [jmprcx_lookup]
        mov     r10, qword [jmprcx_replacement]
        call    engine

        mov     rcx, 2                  ; 2 slots: jmp10, jmp12
        lea     r8, [jmprax_lookup]
        mov     r10, qword [jmprax_replacement]
        call    engine

        mov     rcx, 3                  ; 3 slots: jmp18, jmp20, jmp22
        lea     r8, [jmprbx_lookup]
        mov     r10, qword [jmprbx_replacement]
        call    engine

        ; Control leaves through jmp10 (rax = exit). The slots after it
        ; are never executed in sequence; they exist only as rewrite
        ; targets for `engine`.
        mov     rax, exit
jmp10:  jmp     rax
        nop
        nop
        mov     rax, exit
jmp12:  jmp     rax
        nop
        nop

        mov     rcx, exit
jmp15:  jmp     rcx
        nop
        nop

        mov     rbx, exit
jmp18:  jmp     rbx
        nop
        nop
        mov     rbx, exit
jmp20:  jmp     rbx
        nop
        nop
        mov     rbx, exit
jmp22:  jmp     rbx
        nop
        nop
  51.  
  52.  
  53.  
  54.  
  55.  
  56.  
  57.  
;-----------------------------------------------------------------------
; prng_state — four 64-bit state words for the xorshift generator below
; (George Marsaglia's xorshift; `prng` implements the 128-bit variant:
; t = x; t ^= t<<11; t ^= t>>8; x = y; y = z; z = w; w ^= w>>19; w ^= t).
; Only x is reseeded by `prng_seed`; w, y and z keep these fixed initial
; values, so the whole output sequence is determined by one rdtsc sample.
; These words are written at run time and sit in the same (default)
; section as the code — see the file header for the writability note.
;-----------------------------------------------------------------------
prng_state:
w:      dq 60
x:      dq 0
y:      dq 3000
z:      dq 99999
  65.  
;-----------------------------------------------------------------------
; prng_seed — seed the generator from the timestamp counter.
; Out:   [x] = low 32 bits of the TSC (rdtsc writes edx:eax, so the
;        upper half of rax is zero when stored); w, y, z are untouched.
; Clobb: rax, rdx
; Note:  a TSC-derived seed is low-entropy and reproducible; this is a
;        mutation-choice generator, not a CSPRNG.
;-----------------------------------------------------------------------
prng_seed:
        rdtsc
        mov     qword [x], rax
        ret
  70.  
  71. prng:
  72. ; t = x
  73. mov rsi, qword [x]
  74. ; t ^= t << 11
  75. mov rax, rsi
  76. shl rax, 11
  77. xor rsi, rax
  78. ; t ^= t >> 8
  79. mov rax, rsi
  80. shr rax, 8
  81. xor rsi, rax
  82. ; x = y, y = z, z = w
  83. push qword [w]
  84. push qword [y]
  85. push qword [z]
  86. pop qword [y]
  87. pop qword [x]
  88. pop qword [z]
  89. ; w ^= w >> 19
  90. mov rax, [w]
  91. shr rax, 19
  92. xor qword [w], rax
  93. ; w ^= t
  94. xor qword [w], rsi
  95.  
  96. ; return w
  97. mov rax, qword [w]
  98. ret
  99.  
  100.  
;-----------------------------------------------------------------------
; engine — rewrite each 4-byte jump slot named in a lookup table with
; one of two equivalent encodings chosen by the PRNG, optionally moved
; behind two nops. This is self-modifying code: it stores into its own
; instruction bytes, so the code region must be writable (a W^X-
; enforcing loader would fault on the first `mov dword [r9], ...`).
; In:    rcx = slot count (loop counter; set by the caller)
;        r8  = address of the lookup table (qword slot addresses)
;        r10 = replacement qword; low dword = "push reg; ret; nop; nop",
;              high dword = "jmp reg; nop; nop" (see the tables below)
; Out:   slots rewritten in place
; Clobb: rax, rcx (counted down to 0), rdx, rsi, r8, r9, r10, flags
;        (prng_seed/prng touch rax, rdx, rsi; rcx survives both calls)
; Note:  `shr r10, 32` modifies r10 in place, so after the first
;        zero-coin iteration only the upper (jmp) image remains, and a
;        later zero-coin iteration stores a zero dword into its slot.
;        Only jmp10 (the first rax slot) is ever executed, so the sample
;        still exits cleanly.
;-----------------------------------------------------------------------
engine:

        call    prng_seed               ; reseed x from rdtsc on every call
eloop:
        ; r9 = address of the slot to rewrite (lookup table iterator)
        mov     r9, qword [r8]

        ; coin = bit 1 of the next PRNG output
        call    prng
        and     rax, 2

        ; zero:    store the "jmp reg" image (upper dword of r10)
        ; nonzero: store the "push reg; ret" image (lower dword of r10)
        jnz     b_jmp

        shr     r10, 32
        mov     dword [r9], r10d
        jmp     end_jmp
b_jmp:
        mov     dword [r9], r10d
end_jmp:

        ; second coin: when zero, move the 2-byte instruction up and put
        ; two nops (0x90 0x90) in front of it; the slot's trailing nops
        ; are shifted out. Same transfer, different byte pattern.
        call    prng
        and     rax, 2

        jnz     no_shift
        shl     dword [r9], 16
        or      dword [r9], 0x9090
no_shift:

        ; advance to the next table entry
        add     r8, 8
        loop    eloop                   ; rcx = slots remaining

        ret
  138.  
;-----------------------------------------------------------------------
; Replacement images and slot lookup tables, one pair per register.
; Each replacement qword packs two 4-byte slot images (little-endian):
;   low dword  = push reg; ret; nop; nop   (0x5x 0xC3 0x90 0x90)
;   high dword = jmp reg;  nop; nop        (0xFF 0xEx 0x90 0x90)
; Each lookup table lists the slot labels in _start that `engine` may
; rewrite; the caller passes the entry count in rcx (1, 2, 3).
; Note: `engine` reaches these tables with `lea r8, [label]` and no
; `default rel` appears in the listing, so the addressing is absolute;
; a position-independent build would need RIP-relative forms.
;-----------------------------------------------------------------------
jmprcx_replacement: dq 0x9090e1ff9090c351       ; 51 c3 90 90 | ff e1 90 90
jmprcx_lookup:
        dq jmp15
jmprax_replacement: dq 0x9090e0ff9090c350       ; 50 c3 90 90 | ff e0 90 90
jmprax_lookup:
        dq jmp10
        dq jmp12
jmprbx_replacement: dq 0x9090e3ff9090c353       ; 53 c3 90 90 | ff e3 90 90
jmprbx_lookup:
        dq jmp18
        dq jmp20
        dq jmp22