Source Code Little bit of polymorphic code

Hexui Undetected CSGO Cheats Sinkicheat PUBG Cheat

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,187
12,638
76
So I started off working on this project this morning and I'm quite happy where I am right now with it. I just want to show people that creating a good polymorphic engine is not that hard and doesn't take a year to develop (unless really good or if you are going for metamorphic). This is far from a complete project but it's a start, and maybe will help someone to understand the concepts of polymorphic code better.

It dries out pretty quick and mostl likely after a few hundred runs won't find any code to patch (depending on the size of your executable) and most likely can jump over sections without finding anything to patch, but as said, I'm in early stages with it.

Anyways, here's the code.

C++:
#pragma once

#include <Windows.h>

#include <ctime>
#include <cstdlib>

#include "ADE32.h"

class CPolymorphic
{
private:
	unsigned char regs32[8];

	inline unsigned char Read (DWORD dwAddress)
	{
		return *(unsigned char*)dwAddress;
	}
	inline void Write (DWORD dwAddress, unsigned char val)
	{
		*(unsigned char*)dwAddress = val;
	}
	inline int randomize(int min, int max)
	{
		return (1 + int((max - min + 1)*rand()/(RAND_MAX + 1.0))); 
	}

	bool PatchOpcode(DWORD dwAddress, BYTE bytes[], unsigned int bytecount);
	void ObfuscateOpcode(DWORD dwAddress, int opcodeLen);
public:
	CPolymorphic(void);
	~CPolymorphic(void);

	void Run(DWORD dwStart, DWORD dwLength);
};

C++:
#include "stdafx.h"
#include "Polymorphic.h"


#include <iostream>
using namespace std;


void CPolymorphic::ObfuscateOpcode(DWORD dwAddress, int opcodeLen)
{
	if(opcodeLen == 1)
	{
		if ((this->randomize(1, 2) == 1) && (this->Read(dwAddress) == 0xC3 && this->Read(dwAddress + 1) == 0xCC && this->Read(dwAddress + 2) == 0xCC)) // retn -> retn 0
		{
			cout << hex << "retn -> retn 0" << dwAddress << endl;

			this->Write(dwAddress, 0xC2);
			this->Write(dwAddress + 1, 0x00);
			this->Write(dwAddress + 2, 0x00);
		}
		else if (this->Read(dwAddress) == 0xCC) // int 3
		{
			if (this->Read(dwAddress + 1) == 0xCC)
			{
				if (this->randomize(1, 10) > 5)
				{
					cout << hex << "0xCC -> mov reg, reg" << dwAddress << endl;

					this->Write(dwAddress, 0x8B); // mov
					this->Write(dwAddress + 1, regs32[this->randomize(0, 7)]); // reg
				}
				else 
				{
					cout << hex << "0xCC -> rand at 0x" << dwAddress << endl;

					this->Write(dwAddress, this->randomize(0, 0xFF));
				}
			}
			else 
			{
				cout << hex << "0xCC -> rand at 0x" << dwAddress << endl;

				this->Write(dwAddress, this->randomize(0, 0xFF));
			}
		}
		else if (this->Read(dwAddress) == 0x90 && this->Read(dwAddress + 1) == 0x90) // nop
		{
			cout << hex << "0x90 0x90 -> mov reg, reg at 0x" << dwAddress << endl;
			
			this->Write(dwAddress, 0x8B); // mov
			this->Write(dwAddress + 1, regs32[this->randomize(0, 7)]); // reg
		}
	}
	else if (opcodeLen == 2)
	{
		if (this->Read(dwAddress) == 0x8B) // mov
		{	
			if (this->Read(dwAddress + 1) == 0xC0) // mov eax, eax 
			{
				cout << "patched mov eax, eax" << endl;

				if (this->randomize(1, 10) > 4)
				{
					this->Write(dwAddress, 0x8B); // mov
					this->Write(dwAddress + 1, regs32[this->randomize(0, 7)]); // reg
				}
				else
				{
					this->Write(dwAddress, 0x90); // nop
					this->Write(dwAddress + 1, 0x90); // nop
				}
			}
			else if (this->Read(dwAddress + 1) == 0xDB) // mov ebx, ebx 
			{
				cout << "patched mov ebx, ebx" << endl;

				if (this->randomize(1, 10) > 4)
				{
					this->Write(dwAddress, 0x8B); // mov
					this->Write(dwAddress + 1, regs32[this->randomize(0, 7)]); // reg
				}
				else
				{
					this->Write(dwAddress, 0x90); // nop
					this->Write(dwAddress + 1, 0x90); // nop
				}
			}
			else if (this->Read(dwAddress + 1) == 0xC9) // mov ecx, ecx
			{
				cout << "patched mov ecx, ecx" << endl;

				if (this->randomize(1, 10) > 4)
				{
					this->Write(dwAddress, 0x8B); // mov
					this->Write(dwAddress + 1, regs32[this->randomize(0, 7)]); // reg
				}
				else
				{
					this->Write(dwAddress, 0x90); // nop
					this->Write(dwAddress + 1, 0x90); // nop
				}
			}
			else if (this->Read(dwAddress + 1) == 0xD2) // mov edx, edx
			{
				cout << "patched mov edx, edx" << endl;

				if (this->randomize(1, 10) > 4)
				{
					this->Write(dwAddress, 0x8B); // mov
					this->Write(dwAddress + 1, regs32[this->randomize(0, 7)]); // reg
				}
				else
				{
					this->Write(dwAddress, 0x90); // nop
					this->Write(dwAddress + 1, 0x90); // nop
				}
			}
			else if (this->Read(dwAddress + 1) == 0xE4) // mov esp, esp
			{
				cout << "patched mov esp, esp" << endl;

				if (this->randomize(1, 10) > 4)
				{
					this->Write(dwAddress, 0x8B); // mov
					this->Write(dwAddress + 1, regs32[this->randomize(0, 7)]); // reg
				}
				else
				{
					this->Write(dwAddress, 0x90); // nop
					this->Write(dwAddress + 1, 0x90); // nop
				}
			}
			else if (this->Read(dwAddress + 1) == 0xED) // mov ebp, ebp
			{
				cout << "patched mov ebp, ebp" << endl;

				if (this->randomize(1, 10) > 4)
				{
					this->Write(dwAddress, 0x8B); // mov
					this->Write(dwAddress + 1, regs32[this->randomize(0, 7)]); // reg
				}
				else
				{
					this->Write(dwAddress, 0x90); // nop
					this->Write(dwAddress + 1, 0x90); // nop
				}
			}
			else if (this->Read(dwAddress + 1) == 0xF6) // mov esi, esi
			{
				cout << "patched mov esi, esi" << endl;

				if (this->randomize(1, 10) > 4)
				{
					this->Write(dwAddress, 0x8B); // mov
					this->Write(dwAddress + 1, regs32[this->randomize(0, 7)]); // reg
				}
				else
				{
					this->Write(dwAddress, 0x90); // nop
					this->Write(dwAddress + 1, 0x90); // nop
				}
			}
			else if (this->Read(dwAddress + 1) == 0xFF) // mov edi, edi
			{
				cout << "patched mov edi, edi" << endl;

				if (this->randomize(1, 10) > 4)
				{
					this->Write(dwAddress, 0x8B); // mov
					this->Write(dwAddress + 1, regs32[this->randomize(0, 7)]); // reg
				}
				else
				{
					this->Write(dwAddress, 0x90); // nop
					this->Write(dwAddress + 1, 0x90); // nop
				}
			}
		}


	}

}

void CPolymorphic::Run(DWORD dwStart, DWORD dwLength)
{
	DWORD dwCurrent = dwStart;
	MEMORY_BASIC_INFORMATION mbi;

	while (true)
	{
		VirtualQuery((void*)dwCurrent, &mbi, sizeof(mbi));

		// Check if the memory page is mapped and accessible
		if (mbi.State == MEM_COMMIT && mbi.Protect != 0x1)
		{
			DWORD prevAccess, newAccess, startAddress(dwCurrent);

			// Enable writing access to the code
			VirtualProtect((PBYTE)dwCurrent, ((DWORD)mbi.BaseAddress + mbi.RegionSize) - startAddress, PAGE_EXECUTE_READWRITE, &prevAccess);

			while ((dwCurrent < (DWORD)mbi.BaseAddress + static_cast<DWORD>(mbi.RegionSize)) && (dwCurrent < dwStart + dwLength))
			{
				int nOpcodeLen = oplen((BYTE*)dwCurrent);
		
				if (nOpcodeLen > 0)
				{
					this->ObfuscateOpcode(dwCurrent, nOpcodeLen);
					dwCurrent += nOpcodeLen;
				}
				else
					dwCurrent++;	
			}

			// Apply old access to the code
			VirtualProtect((PBYTE)startAddress, ((DWORD)mbi.BaseAddress + mbi.RegionSize) - startAddress, prevAccess, &newAccess);
		}
		else
			dwCurrent = (DWORD)mbi.BaseAddress + mbi.RegionSize + 0x1; // Go to the next region

		if (dwCurrent >= dwStart + dwLength)
			break;
	}
}

CPolymorphic::CPolymorphic(void)
{
	srand((unsigned)time(0)); 

	this->regs32[0] = 0xC0;
	this->regs32[1] = 0xDB;
	this->regs32[2] = 0xC9;
	this->regs32[3] = 0xD2;
	this->regs32[4] = 0xE4;
	this->regs32[5] = 0xED;
	this->regs32[6] = 0xF6;
	this->regs32[7] = 0xFF;

}

CPolymorphic::~CPolymorphic(void)
{
}


I used my own modified version of z0mbie's ADE32 to calculate the opcode length
 

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,187
12,638
76
Any thoughts? My final goal is to have perfect registry swapping working, so I can basically beat any kind of generic code section hashing/signature scanning method. A few sleepless nights waiting ahead I reckon :)
 

dem0

Newbie
Full Member
Aug 14, 2013
7
172
0
I'm not skilled in C++, at all, but currently learning C# in school. Do you mind commenting your code when you get the time? I would love to read up on some polymorphic code :)
 

WiTH

Jr.Coder
Full Member
Nobleman
May 24, 2012
58
458
1
i've been curious about this since i watched lena's tuts
 

GAFO666

Hacker
Meme Tier VIP
Aug 19, 2012
520
3,188
23
hmmmm if i would like to randomize my own module, like an injected dll to make it more secure together with manual map blink, flink etc - how would i know the DWORD dwStart, DWORD dwLength dynamicly at runtime ? even possible ? since you know how big your module is after compile and watch into ida or odbg
but run-time checks hmmmm (like all few min 1 rand of the opcodes etc for the injected module)
 
Attention! Before you post:

Read the How to Ask Questions Guide
99% of questions are answered in the Beginner's Guide, do it before asking a question.

No Hack Requests. Post in the correct section.  Search the forum first. Read the rules.

How to make a good post:

  • Fill out the form correctly
  • Tell us the game name & coding language
  • Post everything we need to know to help you
  • Ask specific questions, be descriptive
  • Post errors, line numbers & screenshots
  • Post code snippets using code tags
  • If it's a large project, zip it up and attach it

If you do not comply, your post may be deleted.  We want to help, please make a good post and we will do our best to help you.

Community Mods