WARNING: My English sucks ;)))

This idea is to make a multi-decryptor polymorphic engine  and
use it wisely. I invented it some months  ago,  but  there  is
still no code - I'm too busy now. And possibly there  will  be
no source code of this engine from me, so maybe you guys  will
try to do it, huh? ;)
It's too bad, but I don't have neither patience, nor talent to
code such things as some great coderz of all times ;)))) But I
don't give up, and today I decided to send some information to, just to tell many people about idea of Metal0gic -
powerful  viral  technology,  possibly  useful  for  non-virus
programs as anti-patch module.
Okay now. Let's remember some school ;)

Do you remember the theory of Boolean operations?
Just look:
Possible main operations:
NOT - N()
AND - *
OR  - +
Main theorems:
N(A+B)=N(A)*N(B)  - by de Morgan
N(A*B)=N(A)+N(B)  - by de Morgan

Using thiese main theorems  we  can   make  a logical function
unlimited BIG, same as convert big  function into  small  one.
Using boolean operations as main crypt/decrypt operations  for
virus, we can make unlimited number of decryptors!!!

Example (A - crypted message, B - key, C - decrypted message):
A xor B = C
We can make such converions:

A xor B = A*N(B) + B*N(A)

A=A*A=(D+N(D))*D*N(D)+A*A and so on, and so on... Same with B.

This is an example of what we will have after:

+B*B)*N(((D+N(D))*D*N(D)+A*A)) = C

Only imagine that it's same to A xor B = C ;)
Okay now, if decryptor becomes  big  enough  (>=100 bytes  for
example),then we just  delete  it,  generate  a  new  key  and
encrypt piece of body with new algorythm, then we  create  new
small decryptor. In each next generation it will become bigger
until it grows enough so we can delete it and create new one.
But all body must not be crypted with the same  algorythm! No,
we must divide body into some parts (3 to 10 for example)  and
only then encrypt each of it with the unique algorythm.  Then,
to increase protection, we mix encrypted body  with  decryptor
and victim code,  and wait for enemy to lauch infected file ;)


The point of cascade metal0gic is to make viral body from  one
small piece of information, using constants and decryptors.

For example we have 8 bits, and we need to generate DWORD.
first 8 bits - 10111111
DWORD - 10111001 01110101 00001101 01100010

mov al,byte ptr [firstbyte]
and al,10111001 ;first byte of dword is generated
mov byte ptr [__dwrd],al
xor al,11001100 ;second byte is generated from first byte
mov byte ptr [__dwrd+1],al
xor al,01111000 ;third byte is generated from second
mov byte ptr [__dwrd+2],al
xor al,01101111 ;last byte generated
mov byte ptr [__dwrd+4],al
So the next information block is generated from  the  previous
We can simply use OR and AND functions together  if  we  don't
like XOR too much ;)
Of course, there is no need for us to crypt and  decrypt  each
byte - we can crypt and decrypt massives of 256,512,etc  bytes
using cycles.
If with all other blocks Metal0gic also  will  be  armed  with
nice analyzer, it  could  even  compress  the  infected  files
crypting it's body  and  infected  code  into  one  compressed
crypted massive!
BTW, possibly there is no reason to use Metal0gic without such
analyzer, because it's size in this way could be VERY big.


Comparing  with  MetaPHOR  model,  Metal0gic  can  be   easily
detected by  looking  how  much  logical  operations  used  in
executable module, and also how much constants in it.
But it's a very simple way to overcome it.In old times I found
simple but interesting anti-heuristic code - in some I/O ports
value is constant for all times,  but  no  emulators  can  see
that.They will have to emulate da whole machine to detect such
things heh! So, some code that uses pseudo-constants (constant
values of I/O  ports,  constant  memory  values  that  CAN  be
changed theoretically,  but  the  chance  for  that  is  about
0.001%) can not be perfectly emulated, and a virus  with  such
code cannot be detected by heuristic methods.
So, it's strongly recommended that Metal0gic must be used with
other types of protection.


Oh, this can be written only by old math teacher ;)

The point - decryptor is crypted body. Yes, decryptor decrypts
First of all,we must remember that decryptor and crypted viral
body are both just massives of binary digits. Changing them in
some pre-calculated ways may help us to make them equal.
We can use the LIMIT funtion (ex. limit of decrytor value when
difference between it and crypted body goes to  zero),  if  it
exists   (if  not,   we  must  make  new  key/crypted message/

Look for Calculus Analysis books for more information.
This thing makes possible to optimize virus both by  size  and
by speed.

Nice :)))


I'm not sure, but  as I  remember  no  viruses  yet  used  the
registry (except of wormz, maybe), so  if  we  put  some  main
decryptor keys into it (and encrypt file's insides with them),
it could be possible  way to fuck AVers up. Who knows,  can AV
software read from registry  (or  another  file)  dirung  cure
process? I think yes, but I'm sure that NOT EVERY soft  can do

ALWAYS ALWAYS ALWAYS remember about mental part of the attack.
For example, if one of the models listed  above  will  be  TOO
slow (enough to detect it without problems) we should just use
the AVers weapon against them.
Example: "Warning! The system  has  detected  a  virus.  Click
'Next' to remove it, but  remember  that    Anti-Viral
Module cannot be used with another anti-virus programs, so  be
sure that there is no other anti-virus software (AVP, Dr. Web,
Norton AntiVirus...) is loaded at this moment."
Of course,user will click Next and virus will show status bar.
User thinks that it shows time interval, but really  it  shows
the number of infected files ;)
The best way in this case is to make virus  messages  same  to
messages of another popular software (like Internet  Explorer,
or even defragmenter tool! ;)))
Another example - use the CULT: "Knock Knock Neo... The matrix
has you, now you must fuck up the matrix! Do U wish to  do  it
Or politics: "Do U like ?" Until user  thinks,
virus spreads ;)

And the last one:
I think it would be useful for many people if I'll  show  some
randomize generator algorythms (they're useful not only in  my
idea, but in any viral program):

1. GetTickCount API: nice way - you'll get tick count and  can
use it as random digit.

2. BIOS (possibly unable to use under NT, works with bugs even
under 9x):

push ds
push 40h
pop  ds
mov  eax,dword ptr ds:006ch
pop  ds

;in EAX - BIOS interrupt tick counter.

3. And some more math generators (formulas only).

Congruent method:

X(n+1)=(AX(n)+C) mod M

X - massive of random digits
n - number of digit
A=2^L+1 where L>=2
C>0, C mod 2<>0, M=2^P, where P >=2

Additive method:

X(n+1)=(X(n-h)+X(n-k)) mod M

Recommended values:
X(n+1)=(X(n-24)+X(n-55))mod M

n>=55, M=2^L
In this case period will be: (2^55-1)

Okay, that's all for now...
Greets goes to all alive and active CUG people.

Best wishez,

Back to index