
Polymorphic code

In computer science (or more often, in computer underground terms) polymorphic code is code that mutates while keeping the original algorithm intact.

This technique is often used by computer viruses and shellcode to keep their encryption/decryption engines from being detected by antivirus software and intrusion-detection systems, which typically look for a fixed byte pattern.

How it works

An algorithm that uses, for example, the variables A and B but not the variable C would stay intact even if you added lots of code that changed the contents of the variable C.

The original algorithm:

 Start:
 GOTO Decryption_Code
 Encrypted:
     ...
     lots of encrypted code!!!
     ...
 Decryption_Code:
     A = Encrypted                          ; A points at the first encrypted word
 Loop:
     B = *A                                 ; fetch the word A points to
     B = B XOR CryptoKey                    ; decrypt it
     *A = B                                 ; write it back in place
     A = A + 1                              ; advance to the next word
     GOTO Loop IF NOT A = Decryption_Code   ; stop once A reaches the end of Encrypted
     GOTO Encrypted
 CryptoKey:
     some_random_number

The same algorithm, but with lots of unnecessary C-altering code spliced in:

 Start:
 GOTO Decryption_Code
 Encrypted:
     ...
     lots of encrypted code!!!
     ...
 Decryption_Code:
     C = C + 1                              ; junk: only writes C
     A = Encrypted
 Loop:
     B = *A
     C = 3214 * A                           ; junk
     B = B XOR CryptoKey
     *A = B
     C = 1                                  ; junk
     C = A + B                              ; junk
     A = A + 1
     GOTO Loop IF NOT A = Decryption_Code
     C = C^2                                ; junk
     GOTO Encrypted
 CryptoKey:
     some_random_number

The code inside "Encrypted" could then search the code between Decryption_Code and CryptoKey and remove all the instructions that alter the variable C. Before the next time the encryption engine is used, it could insert new unnecessary instructions that alter C at different places.

 Start:
 GOTO Decryption_Code
 
 Encrypted:
     ...
     (when this part is decrypted, it will contain the following...)
     ...
     Then remove all the C-Codes between Decryption_Code and CryptoKey
     And insert new unnecessary C-Codes at other locations in the algorithm
     Change the code beneath "Change_this" to RETURN_TO_SYSTEM
     ...
     Do_whatever_this_code_is_supposed_to_do
     ...
     GOTO Decryption_Code
 
 Decryption_Code:
     C = C + 1                              ; junk
     A = Encrypted
 Loop:
     B = *A
     C = 3214 * A                           ; junk
     B = B XOR CryptoKey
     *A = B
     C = 1                                  ; junk
     C = A + B                              ; junk
     A = A + 1
     GOTO Loop IF NOT A = Decryption_Code
     C = C^2                                ; junk
 Change_this:
     GOTO Encrypted
 CryptoKey:
     some_random_number

The code above decrypts the code inside "Encrypted" with a mutated crypto-engine and then transfers control to the decrypted code inside "Encrypted". That code removes all the instructions that alter C and inserts new C-altering instructions at other (random) locations in the crypto-algorithm. Changing "GOTO Encrypted" to "RETURN_TO_SYSTEM" makes it possible to re-use the old decryption engine as the encryption engine (since XOR works in both directions). The code then does whatever it is meant to do (such as spreading to other files, in the case of a virus) and finally returns to Decryption_Code.

If the code is trying to replicate itself (in the case of a computer worm or computer virus), it will need to encrypt the code inside "Encrypted" again before sending the copy away, so that each copy carries a freshly mutated decryptor in front of the same encrypted body.
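The following Python model is an added example, not code from the original article: it emulates the page's pseudocode loop (registers A, B, C, the `*A` dereference and the `XOR CryptoKey` step) on a constructed plain-text "payload" rather than on executable code, and splices the page's C-only junk instructions into the loop at random positions. The point it makes from the defender's side is the one the text implies: a byte-exact signature of the decryptor changes with every generation, while the decrypted result does not, and a scanner that first discards the dead writes to C (or simply emulates the loop) sees one stable core again. The instruction syntax, the 32-bit register width and the sample key and payload are all assumptions made for the example.

```python
"""Toy model of the page's XOR decryptor and its junk-instruction mutation.

Constructed example: the "payload" is a plain text string, not code, and the
interpreter is a stand-in for a CPU.  Registers A, B, C and the instruction
syntax follow the page's pseudocode; everything else is assumed.
"""
import hashlib
import random

# The four instructions that do real work (the page's inner loop).
CORE_LOOP = ["B = *A", "B = B XOR CryptoKey", "*A = B", "A = A + 1"]

# Instructions that only write to C, which the core loop never reads.
JUNK = ["C = C + 1", "C = 3214 * A", "C = 1", "C = A + B", "C = C^2"]

MASK = 0xFFFFFFFF  # assumed register width: 32 bits


def encrypt(payload: bytes, key: int) -> bytes:
    """XOR every byte with the key; XOR is its own inverse, so this also decrypts."""
    return bytes(b ^ key for b in payload)


def _value(tok, regs, mem, key):
    """Evaluate one operand of the page's pseudocode."""
    if tok == "*A":
        return mem[regs["A"]]            # dereference the pointer held in A
    if tok == "CryptoKey":
        return key
    if tok.endswith("^2"):               # the page's C = C^2
        return _value(tok[:-2], regs, mem, key) ** 2
    if tok in regs:
        return regs[tok]
    return int(tok)


def execute(instr, regs, mem, key):
    """Run one 'dst = expr' instruction; expr is an operand or 'x OP y'."""
    dst, expr = (s.strip() for s in instr.split("=", 1))
    parts = expr.split()
    if len(parts) == 1:
        val = _value(parts[0], regs, mem, key)
    else:
        x, op, y = parts
        x, y = _value(x, regs, mem, key), _value(y, regs, mem, key)
        val = {"+": x + y, "*": x * y, "XOR": x ^ y}[op]
    if dst == "*A":
        mem[regs["A"]] = val & 0xFF      # store one byte through the pointer
    else:
        regs[dst] = val & MASK


def run_decryptor(loop_body, encrypted, key):
    """Emulate the loop over the 'Encrypted' region until A runs off its end."""
    mem = bytearray(encrypted)
    regs = {"A": 0, "B": 0, "C": 0}      # A = Encrypted (offset 0 of the buffer)
    while regs["A"] < len(mem):          # the page's GOTO Loop IF NOT A = ... check
        for instr in loop_body:
            execute(instr, regs, mem, key)
    return bytes(mem)


def mutate(loop_body, rng, n_junk):
    """Next generation: the same loop with n_junk C-only instructions spliced in."""
    body = list(loop_body)
    for _ in range(n_junk):
        body.insert(rng.randint(0, len(body)), rng.choice(JUNK))
    return body


def normalize(loop_body):
    """Dead-store elimination a scanner can apply: drop every write to C."""
    return [i for i in loop_body if i.split("=", 1)[0].strip() != "C"]


def signature(loop_body):
    """Byte-exact fingerprint of the decryptor text, as a naive scanner would take it."""
    return hashlib.sha256("\n".join(loop_body).encode()).hexdigest()[:16]


def demo(seed=7):
    """Two generations of the decryptor: same result, different bytes, same core."""
    rng = random.Random(seed)
    key, payload = 0x5A, b"constructed sample payload"   # constructed values
    enc = encrypt(payload, key)
    gen1 = mutate(CORE_LOOP, rng, n_junk=3)
    gen2 = mutate(CORE_LOOP, rng, n_junk=4)
    return {
        "plain_ok": run_decryptor(gen1, enc, key) == payload
        and run_decryptor(gen2, enc, key) == payload,
        "raw_sigs_differ": signature(gen1) != signature(gen2),
        "normalized_sigs_equal": signature(normalize(gen1)) == signature(normalize(gen2)),
        "normalized_is_core": normalize(gen1) == CORE_LOOP,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `normalize` step is deliberately crude (it trusts that nothing reads C); a real scanner would do the equivalent with a data-flow pass or by emulating the decryptor and matching on the decrypted body, which is why emulation-based detection rather than static byte signatures is the usual answer to this class of mutation.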

See also: self-modifying code, alphanumeric code, shellcode, cracking



All Wikipedia text is available under the terms of the GNU Free Documentation License
