  Hiding Entry-Point - By NBK[MATRiX]
  ~~~~~~~~~~~~~~~~~~

  First of all, sorry for my poor english.

  I want here to show a simple entry-point hide routine, to your program/worm.

  Get an Hex Editor and open the file <EPTEST1.EXE>:

  The DOS header:

                  (Offset 0)
  e_magic           WORD      ?   ;   'MZ' string
  e_cblp            WORD      ?   ;   value 1
  e_cp              WORD      ?

  ;  blah ...

  The PE header (24 bytes of lenght) :

                  (Offset 256)
  Signature            DWORD   ?   ;   'PE' string 
  Machine              WORD    ?
  NumberOfSections     WORD    ?
  TimeDateStamp        DWORD   ?
  PointerToSymbolTable DWORD   ?
  NumberOfSymbols      DWORD   ?
  SizeOfOptionalHeader WORD    ?
  Characteristics      WORD    ?

  And the Optional header (24 bytes after PE header) :

                  (Offset 280)
  Magic                         WORD   ?  ;  0B01
  MajorLinkerVersion            BYTE   ?
  MinorLinkerVersion            BYTE   ?
  SizeOfCode                    DWORD  ?
  SizeOfInitializedData         DWORD  ?
  SizeOfUninitializedData       DWORD  ?
  AddressOfEntryPoint           DWORD  ?  ;  Entry Point value

  ;  blah ...

  If you're in a Hex Editor, you'll see the Entry Point value at the offset 296,
  it's 1000h. Save this DWORD and erase it, back to the DOS header, erase the 
  <e_cblp> word with null bytes and look where the windows message is showed 
  (This program must be run under Win32) at the offset 80 - this will be our 
  Loader Offset, only some instructions like XOR/ADD/SUB/ROR to hide the 
  original Entry-Point. Of course this is so easy to emulate, but you can add 
  more stuff like jumps in many places and SEH, but let's do the changes:

  As a file without Entry-Point value will start execution from the MZ string, 
 let's do it:

  M  ;  DEC EBP
  Z  ;  POP EDX

  First of all, we need a short jump  to the offset 80, and the <e_cblp> string
  will be changed for it.
  A short jump format is:

  EB??

  Where ?? is the last byte of our WORD 'e_cblp'. You've to get one byte after 
  it, offset (4) till our loader offset (80), and the result is 80 - 4 = 76, in
  hexadecimal = 4C

  You 've to type in 'e_cblp' the bytes EB4C, so it 'll jump to our loader.
  EB = JMP SHORT, 4C = DISTANCE BETWEEN PLACE WE ARE AND PLACE WE'RE GOING

  Now the execution look like this:

  M  ;  DEC EBP
  Z  ;  POP EDX
  .. ;  JMP SHORT LOADER

  LOADER:

  here you can do the calc that you want, i'll do a simple ADD/SUB, restoring 
  the changed registers/:

  push edx             ;   restoring KERNEL return address
  inc ebp              ;   restoring EBP
  lea edx, [esi+60h]   ;   restoring EDX value
  mov eax, 76232453h
  add eax, 63625432h
  sub eax, D9856885h
  add eax, 00400000h   ;   our ImageBase
  push eax
  ret                  ;   and return to our Entry-Point

  In EPTEST2.EXE, i change the entry-point to 0040101Ah, to it show another 
  message.

  As i don't have enough time to do a tool for this changes (working 10:00/day,
  studying 3:40/day) , only the main idea stay here.

  NBK[MATRiX]