Rajaats Recursive Random Assembler Code Creator (RRRACC) Version 1.03 Internal Version Id RRRACC1.03 To see usage, use with --help A word of warning ~~~~~~~~~~~~~~~~~ This tool is not intended for use by novice users, since you will need in-depth assembler knowlegde to know what kind of operands cause which flags to trigger, or what operands you can change without creating a possibility that one of the generated source codes will not compile properly, or even worse, produce a virus that is defective! RRRACC also ain't fool proof yet, and it could benefit from a lot of improvements, so if you don't use it with care, disasters could happen. In other words, YOU HAVE BEEN WARNED!!!!! General ~~~~~~~ Rajaats Recursive Random Assembler Code Creator, RRRACC for short (and if you still don't like it you can pronounce it as ROCK), is a utility that processes text files, recognizes special tokens which it uses to randomize the input, and write the result to an output file. This does not have to mean assembler code, but my primary intention was to make it work mainly with assemblers. Invocation ~~~~~~~~~~ To invoke RRRACC on a file, use the following syntax: RRRACC infile.ext outfile.ext RRRACC does not perform any extension checking, so I suggest you use .rrr for source file extension, and .asm for the RRRACC generated files. The output will usually show something like this: ---------- Rajaats Recursive Random Assembler Code Creator (RRRACC) Version 1.03 Internal Version Id RRRACC1.03 To see usage, use with --help Pass one - reading input file dsa2.rrr... Pass two - processing file... Pass three - write the processed file to dsa2.asm... Done. Statistics: 1 mutation out of 8.88520724322027e+62 possible complete mutations 1 mutation out of 589824 possible line mutations 1 mutation out of 1.50641670112106e+57 possible variable mutations 1 mutation out of 1 possible variable ranges Please be nice and do not remove the header of the generated file, it is for educational purpose only. :-) Comments to rajaat@itookmyprozac.com ---------- Please not that RRRACC doesn't has strong error checking, so you better get familiar with the inner workings of the tokens, which I will explain to you in the next section. You also might get shocked at the large numbers in the statistics. These are mathematically correct, assuming the instructions are very different in nature, a 1 out of 1 mutation means that there weren't any mutations performed of this type. ASM to RRRACC ~~~~~~~~~~~~~ The most common use of RRRACC is probably converting an existing virus source to a RRRACC parseable one, which is easiest to do in the beginning. If you grow more accustomed to the use of RRRACC you might want to write directly code that can be parsed by it. RRRACC is able to do only three things: 1. Random change a consecutive range of lines 2. Pick a random string from a selection and put it in a variable 3. Replace variable references in the asm source with the random chosen selection This might not seem a lot, and indeed I think it is yet a start, but if properly applied, this can create tons of variants from one single RRRACC source. How to swap lines ~~~~~~~~~~~~~~~~~ This is the easiest part to understand, I bet even macro virus writers understand this (oh oh, I feel I'll get my arse kicked for saying this). All you have to do is put a ! (that's right, and exclamation mark) at the start of the lines you wish to randomize. For example ! mov ax,4202h ! xor cx,cx ! xor dx,dx ; DON'T USE CWD! int 21h would mean that the first three lines can be changed in random order. I also hereby present you the first caveat you could get yourself entangled in. If you are an optimizing fanatic and change the xor dx,dx to a cwd ,it might have a chance of generating a sequence like this cwd mov ax,4202h xor cx,cx where you don't know what value ax had before it was converted to a doubleword. You are in luck if ax already happens to be less than 8000h. If you don't understand this, go buy a book about assembler or surf the internet to get one. Well as you see, it's not hard to use RRRACC, it's more a problem of knowing assembler right. Another example ! pop ds ! cmp ax,4b00 jz infect would be perfectly right, since the pop ds opcode does not affect the flags, so the cmp ax,4b00 is allowed to be swapped before it. But look out for this ! pop ds ! mov word ptr ds:[old_21],bx since the second line depends on ds set properly, you can't swap these. Assigning a random string to a variable ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Variables are assigned on a separate blank line, which will be ommited in the output. Variables are recognized by their ~ prefix, and can contains characters,digits and _, however they may not start with a digit (I could support this, but it's not a good habit of using them anyway). I'll show a silly example and explains what it does: ~rndreg = ( "bx" "cx" "dx" ) ; 1 ~rndmov = ( "mov" "xchg" ) ; 2 ~rndmov ~rndreg,ax ; 3 push ~rndreg ; 4 ~rndreg = ( "bx" "cx" "dx" "si" "di" ) ; 5 ~rndopen = ( "3d02h" "3d82h" ) ; 6 mov ~rndreg,~rndopen ; 7 ~rndmov = ( "mov" "xchg" ) ; 8 ~rndmov ax,~rndreg ; 9 int 21h ; 10 pop cx ; 11 At line 1, the variable rndreg gets a value assigned from chosen random from its parameters. Lets say, ~rndreg becomes bx. At line 2 we'll do the same, but then we don't assing a random register, but a random operand. In this example, we'll assume ~rndmov gets "xchg" assigned. Now line 3 and 4 will be parsed and RRRACC sees the variables and will replace them with their random assigned value. The above example *could* generate: xchg bx,ax or mov dx,ax or xchg cx,ax push bx push dx push cx A random value stays assigned to a variable until the variable is reused/reinitialized. Once you know this, understanding the rest of the above example is very easy. Assigning a random hex number to a variable ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Since assigning variables has been extended with the possibility of generating a hexadecimal random number between two numbers. Hexadecimal numbers are specified in C notation, but the output will be TASM compatible. ~maxlen = ( 0xe000 0xf400 ) ; maximum host size ~cjump = ( "ja" "jae" ) cmp cx,~maxlen ~cjump too_big Combining ~~~~~~~~~ The true power of RRRACC (yuck) comes in view when you combine both the line randomizer and the random variable substitution. I'll show you a little example again: ~rndzero1 = ( "xor" "sub" ) ~rndzero2 = ( "xor" "sub" ) ! mov ax,4202h ; seek eof ! ~rndzero1 cx,cx ! ~rndzero2 dx,dx This is very annoying if for antivirus researcher to analyse if you can create enough possibilities in your source code to get randomized. A small word on the mutation mathematics ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Here is a small table that shows the amount of mutations possible with a certain amount of consecutive lines set to randomized order: Consecutive Lines Possible amount of mutations ============================================================ 1 1 2 2 3 6 4 24 5 120 6 660 7 4,620 8 36,960 9 332,640 10 3,326,400 The formula to calculate this is fairly simple and straightfordward, you just take the amount of mutations possible shown by the last line and multiply it by the amount of consecutive lines on the next line, so 11 consecutive lines show give a possible 11*3,326,400 amount of mutations, and so on. To calculate the total amounts of line mutations possible in a file, multiply all possible amount of mutations times of all the blocks encountered in the source code. I think I am correct in my calculations, but I would love it to be proved wrong by Alan Solomon, after all he's a doctor in mathematics. :-) Future ~~~~~~ RRRACC is very powerful in its simplicity, still it lacks a lot of thing I would like to add before I start on my GRACE project, like + random ordering blocks of code in addition to lines + variables assignments and parameters that can span more than a line (and can contain newline characters, possibly with a new line starting with a !, which should be randomized) + recursive variable assignment (by using variables in variables, I didn't call it rRracc for nothing ) + parameter exclusion, so you can say that it can't choose a parameter thas has been assigned to another variable + random line ordering reversed stack, so you can push and pop registers in the right order + stronger error checking - this version has some, but not enough to my liking + multiple file processing and bulk output (using numbering instead of an extension) + optional automatic compilation, by calling a batch file (to invoke assembler/linker with your own parameters), ideal for bulk generation History ~~~~~~~ 02-28-1999: Release of RRRACC 1.03, including PERL source + Final release of RRRACC, since it is very bulky, when compiled, and I have finally started on coding GRACE, so this should become obsolete. Maybe I will release newer versions if I still think there should be an intermediate release before the first beta release of GRACE. At least I hope the source code will be interesting to study for PERL fanatics. 01-23-1999: Release of RRRACC 1.02 + Shows amount of possible random mutations in a source file, don't get shocked at the monstrous numbers, these numbers are mathematically correct (at least they are, I think, if you doubt it, just try to generate some samples and prove me it calculates wrong) 01-21-1999: Release of RRRACC 1.01 + Support for random hex ranges added 01-20-1999: Release of RRRACC 1.0 01-19-1999: Release of SwapLine, actually RRRACC 0.01รก :-) Contact ~~~~~~~ If you have any questions or bug reports (this does not include invalid use, read the docs), feel free to mail them to rajaat@itookmyprozac.com and I'll try to answer them. You can also check my website for new updates or new programs, which is located at http://www.sourceofkaos.com/homes/rajaat Hint ~~~~ You might want to print out this help, which can simply do by redirecting the output, like : RRRACC --help > lpt1.