RECON 0xa The Remote Metamorphic Engine

The Remote Metamorphic Engine
Detecting, Evading, Attacking the AI and Reverse Engineering
Amro Abdelgawad / REcon 2016

line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl

xor eax, 0
mov edx, 0x00000067
mov dword [ecx+1], edx
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
Security as undefined expression

dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
dd -1
Flux binary mutation

mov ebx, 92
add eax, ebx
mov ebx, eax
sub dword [eax], 0xe82c334d
add eax, 4
add dword [eax], 0xa1723594
add eax, 4
Resisting Reverse Engineering

xor dword [eax], 0xb1c21343
add eax, 4
sub dword [eax], 0x111111ee
add eax, 4
add dword [eax], 0xaaccee22
add eax, 4
jmp ebx
Evading AI machine learning

line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
Artificial Immunity
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
mov dword [eax+1], ecx
ret
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
{ }
db 1
dd -1
Security Patterns
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
Division by Zero | Division by Infinity

add eax, 4
add eax, 4
jmp ebx
Isolation Randomization
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
line46_1:
mov ecx, [esp]
nop
nop
The Undefined Expression

mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
Security as Undefined & indeterminate expression

pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
1
dd 3318121790
db 2
- = =
dd 1375432265
db 1
dd -1
mov ebx, 92
0
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
Undefined
add eax, 4
jmp ebx
line95_2:
popf
0
popad
RE Time
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
The Remote
xor edx, 0
mov ecx, 0x00000057
Metamorphic
ret Engine
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
The Unbreakable Code

test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
Unpredictable
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
unpredictable
db 2
dd 1375432265
db 1
dd -1
mov ebx, 92
adjective:/nprdiktb()l/
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
add eax, 4
Likely to change suddenly and without reason

jmp ebx
line95_2:
popf
popad
nop
jmp long line96
and therefore not able to be predicted

line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
(= expected before it happens)

xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
The Breakable Code

line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
The Fixed Static Code Problem

db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
Static Code Dynamic Data

dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
Core security weakness in all todays software

add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
Enables all sorts of replicable software

line95_1:
mov eax, [esp]
nop
nop
security exploits
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
Unpredictable Code Evolution

mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
Dynamic Code Dynamic Data

dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
Code evolution across time

dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
Functionality evolution across location

add eax, 4
add eax, 4
add eax, 4
Self contained autonomous code

add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
Unpredictable
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
Self aware
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
Code Evolution
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
Resisting Reverse Engineering

db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
Locate the Code

db 2
dd 1375432265
db 1
dd -1
not locatable
mov ebx, 92
add eax, ebx
mov ebx, eax
Remote Execution
add eax, 4
add eax, 4
add eax, 4
Analyze the Code

add eax, 4
add eax, 4
Short Lifetime
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
Flux Mutation
mov eax, [esp]
Break the Code

nop
nop
Self aware Unbreakable

xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl

xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
Remote Flux Mutation

db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
Trusted Zone Untrusted Zone

dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
Remote Mutation Thread/Process
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
Mutation Engine Morphed Code Execution
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
Challenge
xor ecx, ecx
xor edx, edx
mov cl, 0xe9 Response
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx

mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
Challenge Response Metamorphic Protocol

call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
Trusted Zone Untrusted Zone

dd 3318121790
db 2
dd 1375432265
Challenge
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
4 bytes size Code
add eax, 4
add eax, 4
Remote Mutation Thread/Process
add eax, 4 Clock Synced
Mutation Engine
jmp ebx
line95_2:
popf Morphed Code Execution
popad
nop
jmp long line96
Response
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
Communication protocol made of morphed clock

mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
synchronized machine code rather than data

mov ecx, 0x00000057
ret
line46_1:

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
Remote Code Slicing

mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
The Reverse Engineer Side

dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
Known to the reverse engineer
dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
The Engine Side
ret
Unknown to the reverse engineer
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
Mutation Engines
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
AV Signature Evasion
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
dd -1
Polymorphic Engines
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
morphed body encryption

add eax, 4
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
Metamorphic Engines
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
body polymorphic
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
line46_1:
mov ecx, [esp]
nop
nop
Signature Evasion
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
Morphing Techniques Evading Signature

call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
Instruction reordering Code Permutation

dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
Subroutine permutation Instruction Substitution

mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
Subroutine Inlining Dead Code Insertion

add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
Subroutine Outlining Changing Control Flow

line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
Expansion Transposition
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
Can not resist reverse engineering

line46_1:
mov ecx, [esp]
Remote Code Evolution

nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
Flux Mutation Goals

line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
Extend Trust
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
Ensure Trusted Remote Execution

dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
Evade Signature
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
Evade AI Machine Learning

nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
Detect & Evade RE

xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
Detect Tampering Attempts

line46_1:
mov ecx, [esp]
Trusted Mutation
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
Trusted Challenge Response Mutation

line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
Remote Mutation Mutated

db 2
dd 3318121790
db 2
dd 1375432265
db 1
Morphing Engine Challenge

dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
Function Morphed Function

add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
Head Morphed Function Tail
mov eax, [esp]
nop
nop
xor eax, eax
Response
xor ecx, ecx
Unused Code Return value

xor edx, edx
mov cl, 0xe9
Mutation
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
Structure Obfuscation
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
All functions look the same before and during execution
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
Structure Obfuscation
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
Self modifying basic block Edges

mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
RE Evasion
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
Morphing Techniques
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
Metamorphic + Polymorphic
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
Self modifying mutation

dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
Code structure obfuscation

db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
Clock synchronized execution

add eax, 4
add eax, 4
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
Challenge-Response Mutation
popf
popad
Functionality Mutation
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
Decoupled Reversible Mutation
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
Slices Permutation
Code size magnification
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx

mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
Morphing Techniques
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
_start:
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
push 0
add eax, 4
pushad
mov reg1, [fs:dword 0x30]
add eax, 4
add eax, 4
add eax, 4
add eax, 4
movzx reg2, byte [reg1+2]
jmp ebx
line95_2:
popf
mov dword [esp+32], reg2
popad
nop
jmp long line96 popad
line95_1:
mov eax, [esp]
nop pop eax
nop
xor eax, eax
xor ecx, ecx
ret
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
end:
xor edx, 0
mov ecx, 0x00000057
ret
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx

mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
Morphing Techniques
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
_start:
xor reg1, reg1
db 1
{
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
push 0 push reg1
add eax, 4
add eax, 4
pushad
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp] popad
nop
nop
xor eax, eax
pop eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
ret
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
end:
ret
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx

mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
Morphing Techniques
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
_start:
db 2
xor reg1, reg1

{
dd 1375432265
db 1
push 0 push reg1

dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
pushad
add eax, 4
Insertion sub reg1, reg1
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
popad
xor eax, eax
xor ecx, ecx
xor edx, edx
pop eax
mov cl, 0xe9
mov byte [eax], cl ret
xor edx, 0
mov ecx, 0x00000057
mov dword [eax+1], ecx end:
ret
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx

mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
Morphing Techniques
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
_start:
db 2
xor reg1, reg1

{
dd 1375432265
db 1
push 0 push reg1

dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
pushad
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
Insertion add reg2, reg2
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
popad
mov cl, 0xe9
mov byte [eax], cl pop eax
xor edx, 0
mov ecx, 0x00000057
mov dword [eax+1], ecx ret
ret
end:
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx

mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
Morphing Techniques
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
_start:
db 2
xor reg1, reg1

{
dd 1375432265
db 1
push 0 push reg1

dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
pushad
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
Insertion mov reg3, reg4
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl popad
xor edx, 0
mov ecx, 0x00000057
mov dword [eax+1], ecx pop eax
ret
ret
end:
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx

mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
Morphing Techniques
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
_start:
db 2
xor reg1, reg1

{
dd 1375432265
db 1
push 0 push reg1

dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
pushad
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
xor edx, 0
mov ecx, 0x00000057 n*nop pop eax
ret
ret
end:
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx

mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
Morphing Techniques
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
_start:
db 2
xor reg1, reg1

{
dd 1375432265
db 1
push 0 push reg1

dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
pushad
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
xor edx, 0
mov ecx, 0x00000057 n*nop pop eax add esp,36
ret
ret push reg2
end: sub esp,32
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx

mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
First Morphing Stage

call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2 _start:
dd 3318121790
db 2
dd 1375432265
db 1
xor reg1, reg1
dd -1
mov ebx, 92
add eax, ebx
push reg1
mov ebx, eax
add eax, 4
pushad
add eax, 4
sub reg1, reg1
add eax, 4
add eax, 4
add eax, 4
jmp ebx
add reg2, reg2
line95_2:
popf
popad movzx reg2, byte [reg1+2]
nop
jmp long line96
line95_1: mov reg3, reg4
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx popad
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
nop
xor edx, 0
mov ecx, 0x00000057
pop eax
ret
nop
ret
end:
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl

xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
Second Morphing Stage

call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
line1: line6: line11:
db 1
dd -1
xor edi, edi add ebx, ebx popad
mov ebx, 92
add eax, ebx jmp long line2 jmp long line7 jmp long line12
mov ebx, eax
add eax, 4
add eax, 4
xor dword [eax], 0xb1c21343 push edi movzx ebx, byte [edi+2] nop
jmp long line3 jmp long line8
add eax, 4
add eax, 4
jmp long line13
add eax, 4
jmp ebx line3: line8: line13:
line95_2:
popf
popad
pushad mov ecx, edx pop eax
nop
jmp long line96
jmp long line4 jmp long line9 jmp long line14
line95_1:
mov eax, [esp] line4: line9: line14:
nop
nop sub edi, edi mov dword [esp+32], ebx nop
xor eax, eax
xor ecx, ecx jmp long line5 jmp long line10 jmp long line15
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl line5: line10: line15:
xor edx, 0
mov ecx, 0x00000057 jmp long line6 nop ret
ret jmp long line11 jmp long line16
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl

xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
Third Morphing Stage

call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2 line1: line14: line12:
dd 1375432265
db 1
xor edi, edi nop nop
jmp long line13
dd -1
mov ebx, 92
add eax, ebx jmp long line2 jmp long line15
mov ebx, eax
add eax, 4 line6: line13: line5:
jmp long line6
add eax, 4
xor dword [eax], 0xb1c21343 add ebx, ebx pop eax
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf mov ecx, edx pushad movzx ebx, byte [edi+2]
popad
nop
jmp long line96
jmp long line9
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
ret sub edi, edi push edi
xor ecx, ecx
xor edx, edx
jmp long line16 jmp long line5 jmp long line3
mov cl, 0xe9
mov byte [eax], cl line11: line9: line10:
xor edx, 0
mov ecx, 0x00000057 popad mov dword [esp+32], ebx nop
ret jmp long line12 jmp long line10 jmp long line11
line46_1:
Self Modifying Body Polymorphism

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
Forth Morphing Stage

xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
Random Obfuscation Keys line1:
pushad Self modifying instructions
pushf
db 7
db 3 db 5 call line1_1 mov eax, 93
db 5
db 1 add ecx, eax
dd 838225172
db 2 db 1
dd 4211932376 dd -1
db 4
dd 2520091426 dd -1 db 0 mov eax, ecx
dd 27
db 3
dd 946381070 db 0 db 4 mov ebx, 0x11223344
dd 3524080526
not ebx
db 2
dd 3318121790
db 2
dd 27 db 0
dd 7
dd 1375432265
db 1 db 4 db 2 mov [ecx], ebx
dd 545547056
dd -1
mov ebx, 92 dd 3524080526 mov eax, 93
add ecx, eax
add ecx, 4
add eax, ebx
mov ebx, eax
sub dword [eax], 0xe82c334d db 0 mov eax, ecx
mov ebx, 0x11223344
mov ebx, 0x11223344
add eax, 4
add dword [eax], 0xa1723594 dd 7 not ebx
mov [ecx], ebx
ror ebx, 27
add eax, 4
db 2
add ecx, 4
mov ebx, 0x11223344
mov [ecx], ebx
add eax, 4
add eax, 4 dd 545547056
ror ebx, 27
mov [ecx], ebx
add ecx, 4
add eax, 4
add ecx, 4
xor dword [ecx], 0x11223344
xor dword [ecx], 0x11223344
jmp ebx
line95_2: line1: add ecx, 4
mov ebx, 0x11223344 add ecx, 4
xor edi, edi
popf
popad
nop
ror ebx, 7
mov [ecx], ebx mov ebx, 0x11223344
jmp long line96 jmp long line2 add ecx, 4
add dword [ecx], 0x11223344 ror ebx, 7
line95_1:
mov eax, [esp]
nop line1_1:
add ecx, 4
jmp eax mov [ecx], ebx
line1_2:
nop
add ecx, 4
xor eax, eax mov ecx, [esp] popf
popad
xor ecx, ecx add dword [ecx], 0x11223344
xor edx, edx nop xor edi, edi
mov cl, 0xe9
jmp long line2 add ecx, 4
mov byte [eax], cl nop
xor edx, 0 nop
jmp eax
mov ecx, 0x00000057
mov dl, 0xe9 . . . 20*nops
nop
line1_1:
ret mov byte [ecx], dl mov ecx, [esp]
Self Modifying
nop
mov edx, 0x00000058 nop
mov dl, 0xe9
mov dword [ecx+1], edx mov byte [ecx], dl
mov edx, 0x00000058
ret mov dword [ecx+1], edx
ret
line46_1:
Self Modifying Blocks

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
Fifth Morphing Stage

mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
All blocks have same

dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
Obfuscation Keys
identical structure
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
One block per

add eax, 4
jmp ebx
line95_2:
popf
morphed instruction
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
Self modifying code
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
line46_1:
Self Modifying Blocks

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
line46_1:
Response Time
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
[+] mutated code size: 15110 bytes
pushf
call line95_1
db 7
[+] encrypted response: 0x09575e31 | 156720689
db 3
dd 838225172
db 2
dd 4211932376
[+] decrypted response: 0x00000001 | 1
db 4
dd 2520091426
db 3
[+] remote execution response time: 6.685972 ms
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1 [+] mutated code size: 17771 bytes
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
[+] encrypted response: 0x5820b6b5 | 1478538933
add eax, 4
add eax, 4
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
[+] encrypted response: 0x5d844e9a | 1568951962
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax [+] remote execution response time: 6.897926 ms
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret [+] encrypted response: 0x818af8d8 | -2121598760
line46_1:
Variable Code Size

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
line46_1:
Response Mutation
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
line46_1:
mov ecx, [esp]

nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
Response Mutation
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
Trusted Zone
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
dd -1
mov ebx, 92
Remote Mutation Mutated
add eax, ebx
Challenge
mov ebx, eax
add eax, 4
add eax, 4
Morphing Engine
add eax, 4
add eax, 4
Function Morphed Function

add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
Head Morphed Function Tail
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057 Unused Code Return value Reversible
Mutation
ret
line46_1:
mov ecx, [esp]

nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
Reversible Instructions
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
add(value1) rol(value5)
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
sub(value2) ror(value4)
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
not() xor(value3)
add eax, 4
add eax, 4
add eax, 4
add eax, 4
xor(value3) not()
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
rol(value4) add(value2)
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
ror(value5) sub(value1)
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
Reversible Instructions | Response Mutation
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
mov dword [ecx+1], edx add eax, 0x48fa27f1
ret
line95: sub eax, 0xd353c205
pushad
pushf sub eax, 0xa888b8b2
call line95_1 add eax, 0x762e0f15
db 7 xor eax, 0xe017f6fa
db 3 not eax
dd 838225172 ror eax, 0xd
db 2 add eax, 0xe0d9780c sub eax, 0x75707780
dd 4211932376 sub eax, 0x247dab96
db 4 not eax add eax, 0xe3265fc4
dd 2520091426 add eax, 0xf6696155
db 3 sub eax, 0xbcf3e676 xor eax, 0x22952628
dd 946381070 sub eax, 0xbeaeaad5
db 2 not eax add eax, 0x231a8655
dd 3318121790 add eax, 0xd6c7b4ee
db 2 xor eax, 0xfb7e9fdd ror eax, 2 add eax, 0x58f934ef
dd 1375432265 add eax, 0x120d5924
db 1 sub eax, 0x695e3adf not eax sub eax, 0xa623710f
dd -1 add eax, 0x9a0be9b9
mov ebx, 92 add eax, 0x3e731a34 sub eax, 0x2c75569a xor eax, 0x8051cbca
add eax, ebx sub eax, 0xbfe386c3
mov ebx, eax xor eax, 0xa0b50d13 sub eax, 0x88ad3417 ror eax, 0x1d
sub dword [eax], 0xe82c334d ror eax, 0x17
add eax, 4 xor eax, 0x39034b8d not eax ror eax, 0xc
add eax, 0x14c58836
add eax, 4
ror eax, 0xf ror eax, 0x19 ror eax, 0x1c
ror eax, 5
add eax, 4
sub eax, 0xfb824ebb add eax, 0xe7634a71 xor eax, 0xa96f3357
xor eax, 0x1984a5de
add eax, 4
add dword [eax], 0xaaccee22 xor eax, 0xd1e6a7ec not eax ror eax, 0xa
add eax, 4 not eax
jmp ebx xor eax, 0xbb5202f7 xor eax, 0x500026f6 xor eax, 0xf13d8c20
line95_2: sub eax, 0x4d956430
popf ror eax, 4 add eax, 0xad1a2fd2 not eax
popad sub eax, 0x9c9df86
nop xor eax, 0x9ce66186 sub eax, 0x937ead1b xor eax, 0xfb42f152
jmp long line96 add eax, 0xd88904bc
line95_1: sub eax, 0x4ec067b8 not eax add eax, 0xb813492a
mov eax, [esp] xor eax, 0xf5bcc022
not eax add eax, 0x2f112a91 sub eax, 0x4f8728ef
nop xor eax, 0x205c4a75
nop sub eax, 0xc98775b4 sub eax, 0x801608e8 add eax, 0xee0e75bc
xor eax, eax add eax, 0xbcbb2b45
xor ecx, ecx xor eax, 0xbdc52b4f xor eax, 0x9cb2998b
xor edx, edx sub eax, 0xdb0a2bc0
mov cl, 0xe9 ror eax, 2 xor eax, 0xe626a2be
ror eax, 0xd
mov byte [eax], cl sub eax, 0xd925192c add eax, 0x3185e741
xor edx, 0 add eax, 0x529eba0f
mov ecx, 0x00000057 ror eax, 3 xor eax, 0x197e9520
mov dword [eax+1], ecx ror eax, 0x1c
ret xor eax, 0x5665148d
add eax, 0x8150605
sub eax, 0xc739155d
sub eax, 0xd8fe0628
add eax, 0xad81052c
ror eax, 5
line46_1:

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
Artificial Immunity | Detecting the non-self

ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
Mutations Responses Decrypted
dd 2520091426
1st
db 3
dd 946381070
db 2
dd 3318121790
156720689 0
db 2
dd 1375432265
db 1
2nd
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
147853893 0
add eax, 4
3rd
add eax, 4
15689519 0
add eax, 4
add eax, 4
add eax, 4
4th
jmp ebx
line95_2:
popf
popad
-21215987 0
nop
jmp long line96
line95_1:
Tampered non-self
5th
mov eax, [esp]
nop
nop 10778328 137106
xor eax, eax
xor ecx, ecx
xor edx, edx
6th
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
-689519 0
mov ecx, 0x00000057
ret
7th 11979087 0
line46_1:

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067

ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
Mutations Response Time Time Threshold
dd 2520091426
1st
db 3
dd 946381070
db 2
dd 3318121790
47 ms <500 ms
db 2
dd 1375432265
db 1
2nd
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
65 ms <500 ms
add eax, 4
3rd
add eax, 4
52 ms <500 ms
add eax, 4
add eax, 4
add eax, 4
4th
jmp ebx
line95_2:
popf
popad
106 ms <500 ms
nop
jmp long line96
line95_1:
Emulated non-self
5th
mov eax, [esp]
nop
nop 579 ms >500 ms
xor eax, eax
xor ecx, ecx
xor edx, edx
6th
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
39 ms <500 ms
mov ecx, 0x00000057
ret
7th 53 ms <500 ms
line46_1:

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067

ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
Mutations Response Time Time Threshold
dd 2520091426
1st
db 3
dd 946381070
db 2
dd 3318121790
521 ms >200 ms
db 2
dd 1375432265
db 1
2nd
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
608 ms >200 ms
add eax, 4
3rd
add eax, 4
492 ms >200 ms
add eax, 4
add eax, 4
add eax, 4
4th
jmp ebx
line95_2:
popf
popad
567 ms >200 ms
nop
jmp long line96
line95_1:
Emulated non-self
5th
mov eax, [esp]
nop
nop 65 ms <200 ms
xor eax, eax
xor ecx, ecx
xor edx, edx
6th
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
622 ms >200 ms
mov ecx, 0x00000057
ret
7th 545 ms >200 ms

line46_1:
Evading AI Machine Learning

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
Mixing Morphed Blocks

mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
Head Morphed Function 1 Tail

db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2

dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
add eax, 4
jmp ebx
Morphed Function 2
line95_2:
popf
popad
nop
Head Tail
jmp long line96
line95_1:
mov eax, [esp]
nop
Morphed Function 3
nop
xor eax, eax
xor ecx, ecx Head Tail
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret Head Morphed Function 3 Tail
line46_1:

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
Mixing Morphed Blocks

mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172

db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
Disabling the AI from differentiating
functions before, during and after execution
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4

add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret Head Morphed Function 3 Tail
line46_1:

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
Remote Subroutine Slices Permutation

mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
The AI Side
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
Known to the machine learning
dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
The Engine Side
ret
Unknown to the machine learning
line46_1:

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
Remote Subroutine Slices Permutation

mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
Start computing hash

The AI Side
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
Known to the machine learning
dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4 Resolve API
Mixed
add eax, 4
add eax, 4
Meanings
add eax, 4
add dword [eax], 0xaaccee22 Continue
add eax, 4
jmp ebx
line95_2:
computing hash
popf
popad
nop
jmp long line96
Mixed CPU
line95_1:
mov eax, [esp]
nop
Context
nop
xor eax, eax
xor ecx, ecx
xor edx, edx Call API
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
The Engine Side
ret
Unknown to the machine learning
line46_1:

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
Anti-Emulation
mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
In memory code integrity check

db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
Execution environment integrity check
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
In memory APIs code integrity check
add eax, 4
add eax, 4
add eax, 4
Detect hooks
add eax, 4
Clock synchronization
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
Detect debuggers
nop
xor eax, eax
xor ecx, ecx
xor edx, edx Detect Virtual Machines
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
mov dword [eax+1], ecx Collect Machine IDs
ret
line46_1:

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
Surprise the Emulator

mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
Heavy Memory Operations

dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
Consume the Emulators Memory
db 2
dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
Consume the Emulators CPU
mov ebx, eax
add eax, 4
add eax, 4
Consume the Emulators disk space
add eax, 4
Crash the Emulator

add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
Disconnect VPNs and network interfaces

popad
nop
jmp long line96
line95_1:
mov eax, [esp]
Escape the Emulator

nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
Force Bind IPs

mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret
Track and Block the Emulators IPs
line46_1:

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
Blindfolded Reverse Engineering

mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2

dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4 Mutated Algorithm
add eax, 4
xor dword [eax], 0xb1c21343 Valid for few Milliseconds
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
Algorithm Mutation
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
The Engine Side
ret
line46_1:

mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
Confuse the Reverse Engineer

mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
Start computing hash

dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
Morphed Morphed
dd -1
mov ebx, 92
add eax, ebx
mov ebx, eax
add eax, 4
Resolve API Logic Meanings
add eax, 4
add eax, 4
add eax, 4
add dword [eax], 0xaaccee22 Continue
add eax, 4
jmp ebx
line95_2:
computing hash
popf
popad
nop
jmp long line96
Morphing
line95_1:
mov eax, [esp]
nop
Meanings
nop
xor eax, eax
xor ecx, ecx
xor edx, edx Call API
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
The Engine Side
ret
line46_1:
mov ecx, [esp]
nop
nop
The Undefined Expression

mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
Security as Undefined & indeterminate expression

pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
1
dd 3318121790
db 2
- = =
dd 1375432265
db 1
dd -1
mov ebx, 92
0
add eax, ebx
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
Undefined
add eax, 4
jmp ebx
line95_2:
popf
0
popad
RE Time
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
The Remote
xor edx, 0
mov ecx, 0x00000057
Metamorphic
ret Engine
line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
{ }
db 1
dd -1
mov ebx, 92
add eax, ebx
Questions?
mov ebx, eax
add eax, 4
add eax, 4
add eax, 4
add eax, 4
add eax, 4
jmp ebx
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
ret

RECON 0xa The Remote Metamorphic Engine

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

RECON 0xa The Remote Metamorphic Engine

Загружено:

Авторское право:

Доступные форматы

The Remote Metamorphic Engine

Detecting, Evading, Attacking the AI and Reverse Engineering

Amro Abdelgawad / REcon 2016

The Remote Metamorphic Engine

Security as undefined expression

Flux binary mutation

Resisting Reverse Engineering

Evading AI machine learning

Division by Zero | Division by Infinity

The Undefined Expression

Security as Undefined & indeterminate expression

The Unbreakable Code

Likely to change suddenly and without reason

and therefore not able to be predicted

(= expected before it happens)

The Breakable Code

The Fixed Static Code Problem

Static Code Dynamic Data

Core security weakness in all todays software

Enables all sorts of replicable software

Unpredictable Code Evolution

Dynamic Code Dynamic Data

Code evolution across time

Functionality evolution across location

Self contained autonomous code

Resisting Reverse Engineering

Locate the Code

Analyze the Code

Break the Code

Self aware Unbreakable

The Remote Metamorphic Engine

Remote Flux Mutation

Trusted Zone Untrusted Zone

The Remote Metamorphic Engine

Challenge Response Metamorphic Protocol

Trusted Zone Untrusted Zone

Communication protocol made of morphed clock

synchronized machine code rather than data

The Remote Metamorphic Engine

Remote Code Slicing

The Reverse Engineer Side

morphed body encryption

Morphing Techniques Evading Signature

Instruction reordering Code Permutation

Subroutine permutation Instruction Substitution

Subroutine Inlining Dead Code Insertion

Subroutine Outlining Changing Control Flow

Can not resist reverse engineering

Remote Code Evolution

Flux Mutation Goals

Ensure Trusted Remote Execution

Evade AI Machine Learning

Detect & Evade RE

Detect Tampering Attempts

Trusted Challenge Response Mutation

Remote Mutation Mutated

Morphing Engine Challenge

Function Morphed Function

Unused Code Return value

Self modifying basic block Edges

Self modifying mutation

Code structure obfuscation

Clock synchronized execution