Phantasie Mutation Engine for Windows
Version 0.00
Written by Burglar in Taipei, Taiwan. (95/07/16)

1. License

   You are free to include this Engine in your Windows virii, provided your
   Windows virii don't injure anything. Injuring anything is prohibited.

2. How to use it

   When you want to use it, you must first declare the following in the
   code segment:

       EXTRN PMEW:NEAR, PMEW_END:NEAR

   Then you write your Windows virii as usual. When you need to encrypt the
   code, you just call the Engine. Put the following instruction in your
   code:

       CALL PMEW

   You also need to supply the parameters for the Engine. They are passed
   in registers. Results are also passed in registers. Of course, you must
   link the PMEW.OBJ module to your Windows virii!

   PMEW_END labels the tail of your virii, including the engine, and you
   can use OFFSET PMEW_END to get the length of your Windows virii,
   including the engine.

3. Input parameters

   All parameters are mandatory. Description follows:

   ES:DI => Work space
       The Engine needs work space for placing the product (decrypt code &
       encrypted code) generated by PME/W.

   DS:SI => Code to encrypt
       On entry, just set DS:SI to point to the code you want to be
       encrypted.

   CX = Length of code to encrypt
       On entry, just set CX to the length of the code you want to be
       encrypted.

   DX:AX => Relocation fixup information
       When your virii has relocation records (such as when you call the
       Windows APIs to do something, or your virii passes control to the
       host program via an intersegment jump, etc.), you have to pass the
       pertinent information to PME/W.

       Format of relocation fixup information:

       Offset  Size      Description
       00h     WORD      number of relocation items
       02h     2N BYTEs  relocation items

               Offset  Size  Description
               00h     WORD  offset within segment

   ATTENTION! Your Windows virii must be zero start!
   (i.e. begin running with CS:0000)

4. Results

   The Engine returns the following values in registers (all others except
   those listed below will be PRESERVED):

   CX = Length of the decryption routine
       CX now has the length of the decryption routine.
       ATTENTION! (mere length of decryption routine)

   The product (decryption routine & encrypted code) generated by PME/W is
   placed in the work space (i.e. pointed to by ES:DI).

5. Final Notes

   SPECIAL THANKS:

   qark       (for your Windows infection theory & WinSurfer)
   quantum    (for WinSurfer & grin me !@#$%^&*)
   metabolis  (for leading vlad magazine & tons of stuff)
   malware    (for NE format detail)
   lookout    (for tons of stuff)
   kdkd       (for tons of stuff & blah.gif - fxxx with horse !@#$%^&*)
   horde      (for tons of stuff - cvdq.arj)
   dread      (for giving me an account in Russia)
   theora     (you are the only one female interested in virii, could you
               be my girl friend ?!)
   slash      (hehe... my teacher & confident)

   Well, that's for now. No time for more. No demonstration program.

   Pass the Engine (all files together in an archive) to Windows virii
   programmers.

   Greetings to all virii programmers

   Burglar
   Taipei, Taiwan.