This technique is often used by computer viruses and shellcode to keep their encryption and decryption engines from being detected by antivirus software and intrusion-detection systems.
An algorithm that uses, for example, the variables A and B but not the variable C stays functionally intact even if a lot of code that changes the contents of C is inserted into it.
The original algorithm:
    Start:
        GOTO Decryption_Code
    Encrypted:
        ... lots of encrypted code!!! ...
    Decryption_Code:
        *A = Encrypted
    Loop:
        B = *A
        B = B XOR CryptoKey
        *A = B
        A = A + 1
        GOTO Loop IF NOT A = (Decryption_Code - Encrypted)
        GOTO Encrypted
    CryptoKey:
        some_random_number
The same algorithm, but with lots of unnecessary C-altering code inserted:
    Start:
        GOTO Decryption_Code
    Encrypted:
        ... lots of encrypted code!!! ...
    Decryption_Code:
        C = C + 1
        *A = Encrypted
    Loop:
        B = *A
        C = 3214 * A
        B = B XOR CryptoKey
        *A = B
        C = 1
        C = A + B
        A = A + 1
        GOTO Loop IF NOT A = (Decryption_Code - Encrypted)
        C = C^2
        GOTO Encrypted
    CryptoKey:
        some_random_number
The code inside "Encrypted" could then search the code between Decryption_Code and CryptoKey and remove all the instructions that alter the variable C. Before the next time the encryption engine is used, it could insert new unnecessary instructions that alter C.
    Start:
        GOTO Decryption_Code
    Encrypted:
        ... (when this part is decrypted, it will contain the following...) ...
        Remove all the C-code between Decryption_Code and CryptoKey
        Insert new unnecessary C-code at other locations in the algorithm
        Change the code beneath "Change_this" to RETURN_TO_SYSTEM
        ... Do_whatever_this_code_is_supposed_to_do ...
        GOTO Decryption_Code
    Decryption_Code:
        C = C + 1
        *A = Encrypted
    Loop:
        B = *A
        C = 3214 * A
        B = B XOR CryptoKey
        *A = B
        C = 1
        C = A + B
        A = A + 1
        GOTO Loop IF NOT A = (Decryption_Code - Encrypted)
        C = C^2
    Change_this:
        GOTO Encrypted
    CryptoKey:
        some_random_number
The code above decrypts the code inside "Encrypted" with a mutated crypto-engine and then transfers control to the decrypted code inside "Encrypted". That code removes all the instructions that alter C, then inserts new C-altering instructions at other (random) locations in the crypto-algorithm. Changing "GOTO Encrypted" to "RETURN_TO_SYSTEM" makes it possible to reuse the old encryption engine (since XOR works in both directions). The code then does its actual work (such as spreading to other files, in the case of a virus) and finally returns to Decryption_Code.
If the code is trying to replicate itself (in the case of a computer worm or computer virus), it needs to encrypt the code inside "Encrypted" again before it sends it away.
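The C-stripping step that the text describes is also what a scanner can do in reverse: dead-store elimination removes every instruction whose only effect is on a register that nothing ever reads, so a mutated engine reduces to the original form before a signature comparison. This is an added Python example, not code from the page; the one-statement-per-item transcription of the page's pseudocode, the single-letter register convention and the function names are assumptions.

```python
import re

# Page's decryptor as a statement list (constructed transcription); MUTATED adds the junk stores to C.
ORIGINAL = [
    "Decryption_Code: *A = Encrypted", "Loop: B = *A", "B = B XOR CryptoKey",
    "*A = B", "A = A + 1", "GOTO Loop IF NOT A = (Decryption_Code - Encrypted)",
    "GOTO Encrypted",
]
MUTATED = [
    "Decryption_Code: C = C + 1", "*A = Encrypted", "Loop: B = *A",
    "C = 3214 * A", "B = B XOR CryptoKey", "*A = B", "C = 1", "C = A + B",
    "A = A + 1", "GOTO Loop IF NOT A = (Decryption_Code - Encrypted)",
    "C = C^2", "GOTO Encrypted",
]

VAR = re.compile(r"\b[A-Z]\b")               # registers are single capital letters
LABEL = re.compile(r"^(\w+):\s*(.*)$")        # "Label: statement"
STORE = re.compile(r"^([A-Z])\s*=\s*(.+)$")   # plain register store, not "*A = ..."

def split_label(stmt):
    m = LABEL.match(stmt)
    return (m.group(1), m.group(2)) if m else (None, stmt)

def dead_variables(stmts):
    """Registers written but never read except by stores to themselves (whole-program rule)."""
    stored, live = set(), set()
    for s in stmts:
        body = split_label(s)[1]
        m = STORE.match(body)
        if m:
            stored.add(m.group(1))
            # a value that reaches memory, a branch or another register counts as live
            live.update(v for v in VAR.findall(m.group(2)) if v != m.group(1))
        else:
            live.update(VAR.findall(body))
    return stored - live

def normalize(stmts):
    """Drop stores to dead registers; a label on a dropped line moves to the next statement."""
    dead, out, pending = dead_variables(stmts), [], []
    for s in stmts:
        label, body = split_label(s)
        if label:
            pending.append(label)
        m = STORE.match(body)
        if m and m.group(1) in dead:
            continue
        out.append("".join(lab + ": " for lab in pending) + body)
        pending = []
    return out
```

Comparing `normalize(candidate)` against `normalize(reference)` rather than the raw text is what makes the junk-insertion mutation ineffective against this kind of check.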
See also: self-modifying code, alphanumeric code, shellcode, cracking