Trurl Variable Encryption Device
Version 1.0β - Beta Release
Written by Trurl, the great constructor
The First Polymorphic Library Written in Argentina
Not to Be Distributed to the General Public

DISCLAIMER

You are free to include this library in your virus or your Trojan
horses. Any other kind of use is prohibited. You are free to give this
to any other person who is going to use it for his/her virus. The
author cannot be held responsible for any damage caused by viruses that
use this polymorphic engine.

HOW IT WORKS

Unlike the other polymorphic engines, this one is so simple to use that
you don't need to read the whole document to proceed; it's enough that
you read the 'Parameters' part. (gna!). If you've never written a virus
before, you can start using this library or not; it's up to you and to
your capabilities.

Now let's go to the technical stuff. This engine has been written under
Turbo Assembler V 3.1, and we recommend that you use this assembler to
compile the viruses that will carry the engine.

This engine frankly cannot compete with others like the MtE or the TpE,
but it has the advantage that it cannot be detected, and it won't be
for some period of time. But, though it does not have the tremendous
capabilities of MtE, it CAN polymorph your virus.

The engine will encrypt your code each time with a different encryption
key, and will generate a decryption routine that will be different each
time. This decryption routine will have a variable length.

The engine uses two methods of varying the decryption routine:

The first consists of varying the working registers. Some algorithms
can be programmed using different registers and still work in the same
way. We use this principle and vary the registers of the decryption
routine in an almost random way.

The second consists of adding do-nothing junk instructions of the 'nop'
type. The number and the length of these instructions are decided
randomly, choosing among a few different 'nop'-style instructions.

Another advantage of the engine is its incredibly small size: it is
only 667 bytes long.

HOW THE PHUCK DO I USE THIS SHIT?

Good question. We assume that you will use TASM 3.1 or higher to
compile your virus. You need to add an 'extern' declaration like:

    extrn Polymorph: proc

When you need to encrypt the code, you call the engine this way:

    call Polymorph

Then you must link the engine to your virus:

    tlink [/t] your_virus tved

PARAMETERS

The input parameters are very simple:

    DS:DX   Code to encrypt
            This is the code of your virus (plus the engine).

    CX      Length of the code
            This is the length of the code, plus the length of the
            engine, which is 684 bytes.

    SI      Offset at which the virus will begin running
            This is the offset at which the decryption routine will
            take control. For example, if you are making a COM
            overwriting virus, this will be 100h.

    ES:DI   Working buffer
            Here is where the engine will work and where it will leave
            you the decryption routine + encrypted code. There has to
            be enough space for the code of your virus plus the code of
            the engine (684 bytes) plus the code of the decryption
            routine. (The length of this routine varies between 32 and
            212 bytes.) So we recommend you have in this buffer at
            least 212+684+Length_of_your_virus.

The output parameters are:

    CX      Final length of the decryption routine

All other registers are preserved.

STACK USE

The engine will not need much stack space. It uses approximately 40
bytes for stack storage, so you don't need to use a private stack when
resident.

RANDOM NUMBERS

The random numbers used by the engine are generated by a routine that
is inside the OBJ file. In future versions, we will allow you to make
your own random number generators.

FINAL NOTES

Well, I hope I haven't forgotten anything. Feel free to investigate and
experiment with the engine. If you have any doubts regarding its usage,
please look at the demo virus (called Bonsembiante) or at the test
program.

If you include it in your virus, make sure that the engine works the
way you expected, and if it doesn't, or if you have any suggestions,
comments or anything else that you would like to tell me, contact me.

Here you have some comments regarding the Bonsembiante virus and the
test program:

Bonsembiante Virus:
    This is a COM, overwriting, non-resident virus, made only to be an
    example of the use of the engine. We provide the source code of the
    virus. Note that this is a totally unremarkable virus.

Test Program:
    This program uses the engine to modify itself each time it is run.
    Thus, if you look at it now, then run it, and then look at it
    again, you will not be able to find one byte that is equal. We also
    provide the source of this program.

CONTACTING ME

You can find me on these BBSs in Buenos Aires:

    COPY GAME BBS       ; if you don't
    VIRUSES BBS         ; know the numbers
    Dionysios BBS       ; get them. jajaja
    Satanic Brain

The latest release of the engine should also be available at these
BBSs. Pass the engine (all files together in an archive) to virus
programmers only.

Greetings to all virus programmers spread around the world, and
especially to Argentinian virus programmers!

Trurl, the great constructor, 8/3/94.