dsce-eng.doc | Text File | 1996-04-22 | 6KB | 176 lines
Dark Slayer Confusion Engine <tm>
Version 1.0 <04-20-94>
Written by Dark Slayer at Keelung, Taiwan, R.O.C.
Who should use DSCE?
^^^^^^^^^^^^^^^^^^^^
If you are a virus-writing beginner, you shouldn't use DSCE.
DSCE is just for those people who are senior in virus-writing.
How about the Licence ?
^^^^^^^^^^^^^^^^^^^^^^^
This is a LEGAL agreement between YOU and DARK SLAYER.
You may:
  1. Use DSCE in your virus writing.
  2. Freely copy DSCE to those who need DSCE to produce viruses.
You may NOT:
  1. Use DSCE in other program writing.
  2. Modify or disassemble DSCE.
     All rights in this part are reserved by DARK SLAYER.
  3. Sell DSCE to others.
About DSCE .....
^^^^^^^^^^^^^^^^
DSCE is just a module to help others make polymorphic viruses more easily,
not a virus.

DSCE is different from DSME (which I wrote earlier). DSME uses normal
algorithms (like initial values, memory decoder instructions, loops, etc.),
but DSCE throws those methods away (you can't find any initial values,
memory decoder instructions, loops, etc.). DSCE can make more
instructions that DSME can't. When you use DSCE to make a virus, the virus
will be more complex than one made with DSME. That's why I call it 'Dark
Slayer Confusion Engine'.

Well, both DSCE and DSME will go on, and I plan to write a virus generator
after my exam. If possible, I will publish a DS magazine that contains my
special skills, introductions to Taiwan viruses and so on. Be patient... :)
How to use ?
^^^^^^^^^^^^
The DSCE module can be used under MASM or TASM. It may not be usable
under other assemblers.

In order to use DSCE in your virus, you must include the following
in your source code:

    Extrn dsce: near, dsce_end: near

'dsce' is the main body of DSCE. 'dsce_end' is not a subroutine;
it is the pointer to the end of the program, and you will need it when
you ask for the length of the program.

If you want to use the rnd generator, to know whether the virus breaks
out or not or for other purposes, add this code to your virus:

    Extrn rnd: near

You can include the following when you want to encrypt your source
code:

    Call dsce

Now all you have to do is set the proper parameters, and you will get
your polymorphic virus. Remember to link DSCE.obj with your virus.obj.
Input parameters of the crypt routine:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ES    => Work segment (decryptor + encrypted code, starting at ES:0)
         DSCE's decryptor code will not exceed 1024 bytes.
         You should reserve memory of size (your virus length + DSCE's
         length + 1024 bytes). You should note this if your virus
         is resident in memory.
DS:DX => Address of the code to encrypt
         DS:DX usually points to the head of the program.
CX    => Length of code to encrypt
         Use 'OFFSET DSME_END' to get the whole length.
BP    => Decryption routine's offset address
         The decryption routine's offset address depends on which
         kind of file you want to infect. (Like Friday infects
         COM files, you should set BP to 0100h.)
BL    => Decryptor addressing mode
         Bit 0 = 0  Don't care about addressing mode.
                    (Used to infect COM files)
               = 1  Use CS or SS for addressing.
                    (Used to infect EXE or COM files, and you should
                    set SS=CS in the EXE header)
         Bit 1 = 0  DSCE won't use the memory allocated after the virus
                    program when decoding.
               = 1  DSCE will use the memory allocated after the virus
                    program when decoding. (If you want to do so,
                    set SP > 8800h in the EXE header, otherwise the
                    stack will be unstable.)
         Bit 2-7    Reserved
Final notes.
~~~~~~~~~~~~
1. During the decode process, SP will be changed, so your virus should
   set SP back to its original value. (Ex: in COM files, SP should be
   set to FFFEh.)
2. During the decode process, ES will be changed, and if BL's Bit 0 = 1,
   DS will be changed too. If both DS and ES are changed, well, call
   INT 21h (AH = 51h or 62h)! :(
   You should note this!
3. Let the code which will be encrypted be a multiple of 16 (10h); this
   will make memory addressing easier than in DSME v1.0.
Returning parameters from DSCE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DS:DX => Decryptor + encrypted code
         On return from DSCE, DS:DX will point to the decryptor +
         encrypted code. This makes using the write function of
         INT 21h easier.
CX    => Length of decryptor + encrypted code
         This makes using the write function of INT 21h easier, too.

Except for the registers mentioned above and AX, other registers won't
be changed.
About Stack:
^^^^^^^^^^^^
If your virus halts the system all the time and you can't find the
problem, it may be that your stack is being overwritten by DSCE.
I suggest you use your own stack in your virus to avoid the
stack problem.
Good luck to all virus writers.
Sincerely yours,
Dark Slayer
******* English document by Dark Striker, Taipei, Taiwan *******