The Remote Metamorphic Engine

Detecting, Evading, Attacking the AI and Reverse Engineering

Amro Abdelgawad / REcon 2016

line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl

The Remote Metamorphic Engine
xor eax, 0
mov edx, 0x00000067
mov dword [ecx+1], edx
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3

‣ Security as undefined expression
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265
db 1
dd -1

‣ Flux binary mutation
mov ebx, 92
add eax, ebx
mov ebx, eax
sub dword [eax], 0xe82c334d
add eax, 4
add dword [eax], 0xa1723594
add eax, 4

‣ Resisting Reverse Engineering
xor dword [eax], 0xb1c21343
add eax, 4
sub dword [eax], 0x111111ee
add eax, 4
add dword [eax], 0xaaccee22
add eax, 4
jmp ebx

‣ Evading AI machine learning
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]

‣ Artificial Immunity
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
mov dword [eax+1], ecx
ret

line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
mov dword [ecx+1], edx
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790
db 2
dd 1375432265

{ }
db 1
dd -1

Security Patterns
mov ebx, 92
add eax, ebx
mov ebx, eax
sub dword [eax], 0xe82c334d
add eax, 4
add dword [eax], 0xa1723594
add eax, 4
xor dword [eax], 0xb1c21343
add eax, 4

Division by Zero | Division by Infinity
sub dword [eax], 0x111111ee
add eax, 4
add dword [eax], 0xaaccee22
add eax, 4
jmp ebx

Isolation Randomization
line95_2:
popf
popad
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
mov dword [eax+1], ecx
ret

line46_1:
mov ecx, [esp]
nop
nop

The Undefined Expression
mov dl, 0xe9
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
mov dword [ecx+1], edx
ret
line95:
pushad

Security as Undefined & indeterminate expression
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376
db 4
dd 2520091426
db 3
dd 946381070
db 2

1
dd 3318121790
db 2

-∞ = = ∞
dd 1375432265
db 1
dd -1
mov ebx, 92

0
add eax, ebx
mov ebx, eax
sub dword [eax], 0xe82c334d
add eax, 4
add dword [eax], 0xa1723594
add eax, 4
xor dword [eax], 0xb1c21343
add eax, 4
sub dword [eax], 0x111111ee
add eax, 4
Undefined
add dword [eax], 0xaaccee22
add eax, 4
jmp ebx
line95_2:
popf

0 ∞
popad

RE Time
nop
jmp long line96
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
The Remote
xor edx, 0
mov ecx, 0x00000057
Metamorphic
mov dword [eax+1], ecx
ret Engine

line46_1:
mov ecx, [esp]
nop
nop
mov dl, 0xe9

The Unbreakable Code
test edx, edx
mov byte [ecx], dl
xor eax, 0
mov edx, 0x00000067
mov dword [ecx+1], edx
ret
line95:
pushad
pushf
call line95_1
db 7
db 3
dd 838225172
db 2
dd 4211932376

Unpredictable
db 4
dd 2520091426
db 3
dd 946381070
db 2
dd 3318121790

un·pre·dict·a·ble
db 2
dd 1375432265
db 1
dd -1
mov ebx, 92

adjective:/ˌənprəˈdiktəb(ə)l/
add eax, ebx
mov ebx, eax
sub dword [eax], 0xe82c334d
add eax, 4
add dword [eax], 0xa1723594
add eax, 4
xor dword [eax], 0xb1c21343
add eax, 4
sub dword [eax], 0x111111ee
add eax, 4
add dword [eax], 0xaaccee22
add eax, 4

Likely to change suddenly and without reason
jmp ebx
line95_2:
popf
popad
nop
jmp long line96

and therefore not able to be predicted
line95_1:
mov eax, [esp]
nop
nop
xor eax, eax

(= expected before it happens)
xor ecx, ecx
xor edx, edx
mov cl, 0xe9
mov byte [eax], cl
xor edx, 0
mov ecx, 0x00000057
mov dword [eax+1], ecx
ret

0xa1723594 add eax. edx mov byte [ecx]. 4 add dword [eax]. 0xe9 test edx. eax sub dword [eax]. 0x00000067 mov dword [ecx+1]. edx ret The Breakable Code line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 The Fixed Static Code Problem db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 Static Code Dynamic Data dd 1375432265 db 1 dd -1 mov ebx. dl xor eax. ebx mov ebx. edx mov cl. 4 xor dword [eax]. 0 mov ecx. 0xe82c334d add eax. 0x111111ee add eax. 0xb1c21343 add eax. eax xor ecx. [esp] nop nop security exploits xor eax. ecx ret .line46_1: mov ecx. [esp] nop nop mov dl. cl xor edx. 4 jmp ebx line95_2: popf popad nop jmp long line96 Enables all sorts of replicable software line95_1: mov eax. 0 mov edx. 4 sub dword [eax]. 0xe9 mov byte [eax]. ecx xor edx. 92 add eax. 4 Core security weakness in all today’s software add dword [eax]. 0x00000057 mov dword [eax+1]. 0xaaccee22 add eax.

0xaaccee22 add eax. 0x111111ee Self contained autonomous code add eax. edx ret line95: pushad pushf call line95_1 db 7 db 3 Dynamic Code Dynamic Data dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 Code evolution across time dd 1375432265 db 1 dd -1 mov ebx. ecx ret . [esp] nop nop Self aware xor eax. edx mov byte [ecx]. eax xor ecx. eax sub dword [eax]. [esp] nop nop mov dl. 4 add dword [eax]. cl xor edx. 4 jmp ebx line95_2: popf popad Unpredictable nop jmp long line96 line95_1: mov eax. 0xb1c21343 add eax. 0xe9 mov byte [eax]. 0xe82c334d Functionality evolution across location add eax.line46_1: mov ecx. 0x00000067 mov dword [ecx+1]. edx mov cl. 4 add dword [eax]. 0x00000057 mov dword [eax+1]. 0xa1723594 add eax. ebx mov ebx. 4 sub dword [eax]. ecx xor edx. dl xor eax. 92 add eax. 0 mov ecx. 4 xor dword [eax]. 0xe9 test edx. 0 Unpredictable Code Evolution mov edx.

0xe82c334d add eax. 0x00000067 mov dword [ecx+1]. 0 mov ecx. 0xaaccee22 add eax. 0x00000057 mov dword [eax+1]. 4 Short Lifetime jmp ebx line95_2: popf popad nop jmp long line96 line95_1: Flux Mutation mov eax. 0xb1c21343 add eax. cl xor edx.line46_1: mov ecx. 0xe9 mov byte [eax]. ecx ret . edx mov cl. edx mov byte [ecx]. [esp] nop nop mov dl. 0xa1723594 add eax. 4 add dword [eax]. dl Code Evolution xor eax. edx ret line95: pushad pushf call line95_1 Resisting Reverse Engineering db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 Locate the Code db 2 dd 1375432265 db 1 dd -1 not locatable mov ebx. 4 add dword [eax]. 4 Analyze the Code sub dword [eax]. [esp] Break the Code nop nop Self aware Unbreakable xor eax. 4 xor dword [eax]. 0 mov edx. 92 add eax. 0x111111ee add eax. 0xe9 test edx. eax Remote Execution sub dword [eax]. ebx mov ebx. eax xor ecx. ecx xor edx.

dl The Remote Metamorphic Engine xor eax. edx ret line95: pushad pushf call line95_1 Remote Flux Mutation db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 Trusted Zone Untrusted Zone dd 1375432265 db 1 dd -1 mov ebx. ebx mov ebx. 0xa1723594 add eax. 0xe9 test edx. 0x00000067 mov dword [ecx+1]. 0xe9 Response mov byte [eax]. 92 add eax. 0xaaccee22 add eax. 0x111111ee add eax. 0xb1c21343 add eax. 4 sub dword [eax]. ecx ret . [esp] nop nop xor eax. eax Challenge xor ecx. edx mov byte [ecx]. 0xe82c334d add eax. 0x00000057 mov dword [eax+1]. [esp] nop nop mov dl. cl xor edx.line46_1: mov ecx. 4 Remote Mutation Thread/Process add dword [eax]. 0 mov edx. eax sub dword [eax]. 4 xor dword [eax]. 0 mov ecx. 4 jmp ebx line95_2: popf popad nop Mutation Engine Morphed Code Execution jmp long line96 line95_1: mov eax. edx mov cl. 4 add dword [eax]. ecx xor edx.

0x00000057 mov dword [eax+1]. eax sub dword [eax]. cl xor edx. [esp] nop nop xor eax. 0 synchronized machine code rather than data mov ecx. 0xb1c21343 add eax. ecx xor edx. 4 Clock Synced Mutation Engine jmp ebx line95_2: popf Morphed Code Execution popad nop jmp long line96 Response line95_1: mov eax. 0xe9 test edx.line46_1: mov ecx. [esp] nop nop mov dl. dl xor eax. 0xe9 mov byte [eax]. 0xa1723594 add eax. 4 sub dword [eax]. ebx mov ebx. 0 mov edx. eax xor ecx. 4 add dword [eax]. 0x111111ee add eax. 92 add eax. 0x00000067 mov dword [ecx+1]. ecx ret . edx Communication protocol made of morphed clock mov cl. 0xaaccee22 add eax. edx ret line95: pushad pushf Challenge Response Metamorphic Protocol call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 Trusted Zone Untrusted Zone dd 3318121790 db 2 dd 1375432265 Challenge db 1 dd -1 mov ebx. 4 4 bytes size Code xor dword [eax]. 4 Remote Mutation Thread/Process add dword [eax]. 0xe82c334d add eax. edx The Remote Metamorphic Engine mov byte [ecx].

eax xor ecx. 0x00000067 mov dword [ecx+1]. 4 sub dword [eax]. 0xe9 mov byte [eax]. eax sub dword [eax]. 4 add dword [eax]. ebx mov ebx. [esp] nop nop xor eax. 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax. [esp] nop nop mov dl.line46_1: The Remote Metamorphic Engine mov ecx. 4 add dword [eax]. 0 Remote Code Slicing mov edx. 92 add eax. 0xe9 test edx. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 The Reverse Engineer Side dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 Known to the reverse engineer dd 1375432265 db 1 dd -1 mov ebx. 0xa1723594 add eax. cl xor edx. edx mov byte [ecx]. ecx xor edx. 4 xor dword [eax]. 0xaaccee22 add eax. 0x111111ee add eax. 0xe82c334d add eax. 0 mov ecx. 0xb1c21343 add eax. dl xor eax. edx mov cl. ecx ret Unknown to the reverse engineer . 0x00000057 The Engine Side mov dword [eax+1].

0 mov edx. eax sub dword [eax]. 0xa1723594 morphed body encryption add eax. 0x00000057 mov dword [eax+1]. 0xb1c21343 add eax. eax xor ecx. cl xor edx. 4 sub dword [eax]. 4 add dword [eax]. 4 add dword [eax]. 0xe82c334d add eax. 0x111111ee add eax. ecx body polymorphic xor edx. ebx mov ebx. edx mov cl. ecx ret . 4 jmp ebx line95_2: popf Metamorphic Engines popad nop jmp long line96 line95_1: mov eax. [esp] nop nop xor eax. 4 xor dword [eax]. 0x00000067 mov dword [ecx+1]. edx ret line95: pushad pushf call line95_1 db 7 AV Signature Evasion db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 dd -1 Polymorphic Engines mov ebx. dl Mutation Engines xor eax. 0xaaccee22 add eax. 0xe9 test edx.line46_1: mov ecx. 0 mov ecx. 92 add eax. 0xe9 mov byte [eax]. edx mov byte [ecx]. [esp] nop nop mov dl.

cl xor edx. [esp] nop nop Signature Evasion mov dl. 4 sub dword [eax]. eax sub dword [eax]. 0 mov ecx. edx ret line95: pushad pushf Morphing Techniques Evading Signature call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 Instruction reordering Code Permutation dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 dd -1 mov ebx. 4 xor dword [eax]. 0xe82c334d add eax. ecx xor edx. 0x00000057 mov dword [eax+1]. 0xe9 test edx. 92 add eax. 4 add dword [eax]. 4 add dword [eax]. ecx ret Can not resist reverse engineering . eax xor ecx. edx mov byte [ecx]. 4 jmp ebx line95_2: popf popad nop jmp long line96 Subroutine Outlining Changing Control Flow line95_1: mov eax.line46_1: mov ecx. 0x00000067 mov dword [ecx+1]. 0xa1723594 add eax. edx Expansion Transposition mov cl. 0xe9 mov byte [eax]. dl xor eax. 0 mov edx. 0x111111ee Subroutine Inlining Dead Code Insertion add eax. 0xb1c21343 add eax. [esp] nop nop xor eax. ebx Subroutine permutation Instruction Substitution mov ebx. 0xaaccee22 add eax.

0 mov edx. 0xa1723594 add eax. 0x00000057 mov dword [eax+1]. 4 sub dword [eax]. eax sub dword [eax]. 4 add dword [eax]. cl xor edx. [esp] nop nop xor eax. ebx mov ebx. 4 xor dword [eax]. ecx xor edx. 4 add dword [eax]. 0 mov ecx. edx mov byte [ecx]. eax Detect & Evade RE xor ecx. 0xe82c334d add eax. 4 jmp ebx line95_2: popf popad Evade AI Machine Learning nop jmp long line96 line95_1: mov eax. 0xe9 test edx. edx ret Flux Mutation Goals line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 Extend Trust db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 Ensure Trusted Remote Execution dd -1 mov ebx. edx mov cl. 0xaaccee22 add eax. 92 add eax.line46_1: mov ecx. ecx ret Detect Tampering Attempts . [esp] Remote Code Evolution nop nop mov dl. 0xe9 mov byte [eax]. dl xor eax. 0xb1c21343 Evade Signature add eax. 0x111111ee add eax. 0x00000067 mov dword [ecx+1].

0xa1723594 add eax. edx mov byte [ecx]. 0xe82c334d add eax. edx ret Trusted Challenge Response Mutation line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 Remote Mutation Mutated db 2 dd 3318121790 db 2 dd 1375432265 db 1 Morphing Engine Challenge dd -1 mov ebx. 4 Function Morphed Function xor dword [eax]. 0xaaccee22 add eax. ecx ret . 0x00000057 mov dword [eax+1]. eax Response xor ecx. 0xb1c21343 add eax. 92 add eax. cl xor edx. 0xe9 Mutation mov byte [eax].line46_1: mov ecx. 0xe9 test edx. 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: Head Morphed Function Tail mov eax. ebx mov ebx. [esp] nop nop xor eax. ecx Unused Code Return value xor edx. edx mov cl. 4 add dword [eax]. dl xor eax. 4 add dword [eax]. 4 sub dword [eax]. 0x111111ee add eax. 0x00000067 mov dword [ecx+1]. [esp] Trusted Mutation nop nop mov dl. 0 mov edx. 0 mov ecx. eax sub dword [eax].

cl xor edx. eax xor ecx. 0xb1c21343 add eax. edx mov cl. dl xor eax. 0 mov edx. 0xe9 mov byte [eax]. ecx ret . 4 sub dword [eax]. edx mov byte [ecx]. 0xe9 test edx. Structure Obfuscation line46_1: mov ecx. 4 add dword [eax]. 0x00000057 mov dword [eax+1]. 0xaaccee22 add eax. 0xe82c334d add eax. 92 add eax. ebx mov ebx. 4 xor dword [eax]. 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax. edx ret line95: pushad All functions look the same before and during execution pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 dd -1 mov ebx. eax sub dword [eax]. ecx xor edx. 4 add dword [eax]. 0x111111ee add eax. 0 mov ecx. [esp] nop nop xor eax. 0x00000067 mov dword [ecx+1]. 0xa1723594 add eax. [esp] nop nop mov dl.

0x111111ee add eax. 0x00000057 mov dword [eax+1]. cl xor edx. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 dd -1 mov ebx. ebx mov ebx. 4 add dword [eax]. 0 Self modifying basic block Edges mov edx. ecx ret . 0xa1723594 add eax. 0xe9 mov byte [eax]. 0 mov ecx. [esp] nop nop xor eax. 4 sub dword [eax]. edx mov byte [ecx]. eax xor ecx. ecx xor edx. dl xor eax. eax sub dword [eax]. 4 xor dword [eax]. 4 add dword [eax]. 0xe9 test edx. 0x00000067 mov dword [ecx+1]. 0xaaccee22 add eax. 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax. 0xe82c334d add eax. edx mov cl. 92 add eax. [esp] nop nop mov dl. 0xb1c21343 add eax. Structure Obfuscation line46_1: mov ecx.

0xe9 test edx. RE Evasion line46_1: mov ecx. dl Morphing Techniques xor eax. 0x111111ee add eax. 4 jmp ebx line95_2: Challenge-Response Mutation popf popad Functionality Mutation nop jmp long line96 line95_1: mov eax. 0xe82c334d Clock synchronized execution add eax. edx ret line95: pushad pushf call line95_1 Metamorphic + Polymorphic db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 Self modifying mutation dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 Code structure obfuscation db 1 dd -1 mov ebx. 0xaaccee22 add eax. 0 mov edx. 0xb1c21343 add eax. edx mov byte [ecx]. eax xor ecx. 0x00000057 mov dword [eax+1]. 92 add eax. ecx xor edx. 4 add dword [eax]. 0 mov ecx. 4 sub dword [eax]. edx Decoupled Reversible Mutation mov cl. 0xe9 mov byte [eax]. 0xa1723594 add eax. 4 add dword [eax]. [esp] nop nop mov dl. [esp] nop nop xor eax. 0x00000067 mov dword [ecx+1]. cl xor edx. eax sub dword [eax]. ebx mov ebx. ecx ret Slices Permutation Code size magnification . 4 xor dword [eax].

92 add eax. 4 sub dword [eax]. 0xb1c21343 add eax. ecx ret xor edx. 0xe82c334d add eax. ebx mov ebx. 0xaaccee22 add eax. 0x00000057 mov dword [eax+1]. [esp] nop pop eax nop xor eax. ecx ret . 4 movzx reg2. [esp] nop nop mov dl. 4 add dword [eax]. 4 xor dword [eax]. eax push 0 sub dword [eax]. eax xor ecx.line46_1: mov ecx. [fs:dword 0x30] add eax. edx mov cl. dl xor eax. 4 add dword [eax]. cl end: xor edx. 0x111111ee add eax. 0xa1723594 pushad mov reg1. 0xe9 test edx. 0x00000067 mov dword [ecx+1]. edx Remote Code Evolution mov byte [ecx]. 0 mov edx. 0xe9 mov byte [eax]. reg2 popad nop jmp long line96 popad line95_1: mov eax. byte [reg1+2] jmp ebx line95_2: popf mov dword [esp+32]. 0 mov ecx. edx ret line95: pushad pushf Morphing Techniques call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 _start: dd -1 mov ebx.

ecx xor edx. eax sub dword [eax]. 0 mov ecx. reg1 db 1 { dd -1 mov ebx. 0xb1c21343 pushad add eax. 0x111111ee add eax. 0xaaccee22 mov reg1. 0xe9 test edx. 0xa1723594 add eax. 0x00000057 end: mov dword [eax+1]. 0xe9 ret mov byte [eax]. 4 add dword [eax]. [fs:dword 0x30] add eax. [esp] nop nop mov dl. 0 mov edx. 4 jmp ebx line95_2: movzx reg2. reg2 line95_1: mov eax. 0xe82c334d push 0 push reg1 add eax. eax pop eax xor ecx. edx mov cl. [esp] popad nop nop xor eax. dl xor eax. 4 add dword [eax]. byte [reg1+2] popf popad nop jmp long line96 mov dword [esp+32].line46_1: mov ecx. ecx ret . edx Remote Code Evolution mov byte [ecx]. ebx mov ebx. 0x00000067 mov dword [ecx+1]. 92 add eax. cl xor edx. edx ret line95: pushad pushf Morphing Techniques call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 _start: xor reg1. 4 sub dword [eax]. 4 xor dword [eax].

4 add dword [eax]. [esp] nop nop popad xor eax. 0xaaccee22 add eax. ecx xor edx. 0x111111ee Insertion sub reg1. edx Remote Code Evolution mov byte [ecx]. 4 jmp ebx line95_2: popf popad movzx reg2. eax xor ecx. ebx mov ebx. 4 add dword [eax]. dl xor eax. eax sub dword [eax]. 0x00000057 mov dword [eax+1]. 4 sub dword [eax]. 0xb1c21343 add eax. ecx end: ret . 92 add eax. reg1 { dd 1375432265 db 1 push 0 push reg1 dd -1 mov ebx. 0xe9 test edx. reg1 mov reg1. [fs:dword 0x30] add eax. reg2 mov eax. [esp] nop nop mov dl. 0x00000067 mov dword [ecx+1]. 0xe82c334d add eax. 0 mov ecx. 0xa1723594 add eax. 0xe9 mov byte [eax]. edx pop eax mov cl. edx ret line95: pushad pushf Morphing Techniques call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 _start: db 2 xor reg1. cl ret xor edx. 4 pushad xor dword [eax]. byte [reg1+2] nop jmp long line96 line95_1: mov dword [esp+32].line46_1: mov ecx. 0 mov edx.

reg2 xor eax. 0x00000057 mov dword [eax+1]. 4 add dword [eax]. 0xe9 test edx. [esp] nop nop mov dword [esp+32]. 0xaaccee22 add eax. eax sub dword [eax]. reg1 mov reg1. 4 jmp ebx line95_2: popf popad Insertion add reg2. reg2 nop jmp long line96 line95_1: movzx reg2. eax xor ecx. 0 mov ecx. ecx xor edx. 0x00000067 mov dword [ecx+1]. 4 add dword [eax]. 0x111111ee Insertion sub reg1. edx Remote Code Evolution mov byte [ecx]. dl xor eax. 0xe82c334d add eax. cl pop eax xor edx. [fs:dword 0x30] add eax. ebx mov ebx. edx popad mov cl. 4 sub dword [eax]. [esp] nop nop mov dl. 0 mov edx. byte [reg1+2] mov eax. 0xe9 mov byte [eax]. 0xa1723594 add eax. 0xb1c21343 add eax. 4 pushad xor dword [eax].line46_1: mov ecx. edx ret line95: pushad pushf Morphing Techniques call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 _start: db 2 xor reg1. 92 add eax. reg1 { dd 1375432265 db 1 push 0 push reg1 dd -1 mov ebx. ecx ret ret end: .

[esp] nop nop Insertion mov reg3. eax sub dword [eax]. 4 add dword [eax]. edx mov dword [esp+32]. 0xaaccee22 add eax. 0xe9 mov byte [eax]. 0xe82c334d add eax. 0x00000057 mov dword [eax+1]. 0x111111ee Insertion sub reg1. edx Remote Code Evolution mov byte [ecx]. 92 add eax. reg2 mov cl. 0 mov edx. ecx pop eax ret ret end: . ebx mov ebx.line46_1: mov ecx. 0 mov ecx. reg1 mov reg1. 4 jmp ebx line95_2: popf popad Insertion add reg2. dl xor eax. [fs:dword 0x30] add eax. 0x00000067 mov dword [ecx+1]. 0xe9 test edx. 4 pushad xor dword [eax]. 0xa1723594 add eax. [esp] nop nop mov dl. edx ret line95: pushad pushf Morphing Techniques call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 _start: db 2 xor reg1. cl popad xor edx. 4 sub dword [eax]. byte [reg1+2] mov eax. 0xb1c21343 add eax. 4 add dword [eax]. eax xor ecx. reg4 xor eax. reg2 nop jmp long line96 line95_1: movzx reg2. reg1 { dd 1375432265 db 1 push 0 push reg1 dd -1 mov ebx. ecx xor edx.

eax sub dword [eax]. reg2 nop jmp long line96 line95_1: movzx reg2. reg2 mov cl. 0 mov ecx. dl xor eax. 0xe9 test edx. 92 add eax. [esp] nop nop mov dl. byte [reg1+2] mov eax. 0x111111ee Insertion sub reg1. 4 add dword [eax]. ecx ret ret end: .line46_1: mov ecx. edx mov dword [esp+32]. 4 sub dword [eax]. ecx xor edx. eax xor ecx. reg1 { dd 1375432265 db 1 push 0 push reg1 dd -1 mov ebx. 4 pushad xor dword [eax]. reg4 xor eax. edx ret line95: pushad pushf Morphing Techniques call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 _start: db 2 xor reg1. reg1 mov reg1. 0xe82c334d add eax. 4 jmp ebx line95_2: popf popad Insertion add reg2. [fs:dword 0x30] add eax. 0 mov edx. 0xe9 mov byte [eax]. 4 add dword [eax]. cl popad xor edx. ebx mov ebx. 0x00000067 mov dword [ecx+1]. 0xa1723594 add eax. 0x00000057 n*nop pop eax mov dword [eax+1]. [esp] nop nop Insertion mov reg3. edx Remote Code Evolution mov byte [ecx]. 0xb1c21343 add eax. 0xaaccee22 add eax.

36 mov dword [eax+1]. [fs:dword 0x30] add eax. 0 mov ecx. ebx mov ebx. reg4 xor eax. 4 add dword [eax]. 0 mov edx. eax xor ecx. 0x111111ee Insertion sub reg1. byte [reg1+2] mov eax. [esp] nop nop Insertion mov reg3.line46_1: mov ecx. edx ret line95: pushad pushf Morphing Techniques call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 _start: db 2 xor reg1. 0xb1c21343 add eax. reg2 mov cl. ecx xor edx. 0xe82c334d add eax.32 . reg1 { dd 1375432265 db 1 push 0 push reg1 dd -1 mov ebx. dl xor eax. edx mov dword [esp+32]. reg2 nop jmp long line96 line95_1: movzx reg2. 0xe9 test edx. 4 jmp ebx line95_2: popf popad Insertion add reg2. reg1 mov reg1. edx Remote Code Evolution mov byte [ecx]. 0x00000057 n*nop pop eax add esp. 0xe9 mov byte [eax]. 0xaaccee22 add eax. [esp] nop nop mov dl. ecx ret ret push reg2 end: sub esp. 4 add dword [eax]. 4 sub dword [eax]. 0x00000067 mov dword [ecx+1]. 4 pushad xor dword [eax]. eax sub dword [eax]. 92 add eax. cl popad xor edx. 0xa1723594 add eax.

[fs:dword 0x30] add dword [eax]. 0x00000057 mov dword [eax+1]. dl xor eax. 4 pushad add dword [eax]. edx Remote Code Evolution mov byte [ecx].line46_1: mov ecx. reg4 mov eax. reg2 xor eax. 0x00000067 mov dword [ecx+1]. ecx popad xor edx. 4 sub dword [eax]. 92 add eax. edx ret line95: pushad pushf First Morphing Stage call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 _start: dd 3318121790 db 2 dd 1375432265 db 1 xor reg1. 0xa1723594 add eax. 0x111111ee add eax. 0 mov ecx. reg2 line95_2: popf popad movzx reg2. 4 mov reg1. ebx push reg1 mov ebx. ecx pop eax ret nop ret end: . 0xaaccee22 add eax. eax sub dword [eax]. edx mov cl. 4 jmp ebx add reg2. 0xb1c21343 sub reg1. byte [reg1+2] nop jmp long line96 line95_1: mov reg3. 0 mov edx. 0xe82c334d add eax. 4 xor dword [eax]. 0xe9 test edx. reg1 add eax. [esp] nop nop mov dword [esp+32]. 0xe9 mov byte [eax]. [esp] nop nop mov dl. cl nop xor edx. reg1 dd -1 mov ebx. eax xor ecx.

0 mov edx. dl Remote Code Evolution xor eax. edx mov byte [ecx]. edx pop eax nop jmp long line96 jmp long line4 jmp long line9 jmp long line14 line95_1: mov eax. 4 jmp ebx line3: line8: line13: line95_2: popf popad pushad mov ecx. ebx jmp long line2 jmp long line7 jmp long line12 mov ebx. edi mov dword [esp+32]. ecx ret jmp long line11 jmp long line16 . 0xe82c334d add eax. edx mov cl. 0x00000067 mov dword [ecx+1]. edx ret line95: pushad pushf Second Morphing Stage call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 line1: line6: line11: db 1 dd -1 xor edi. 0x111111ee add eax. 0xe9 mov byte [eax]. ebx popad mov ebx. [esp] line4: line9: line14: nop nop sub edi. ecx jmp long line5 jmp long line10 jmp long line15 xor edx. 0 mov ecx. 0xaaccee22 add eax. 4 xor dword [eax]. eax sub dword [eax]. 0xe9 test edx. 0x00000057 jmp long line6 nop ret mov dword [eax+1]. 0xb1c21343 push edi movzx ebx. edi add ebx. cl line5: line10: line15: xor edx. ebx nop xor eax. 4 jmp long line13 add dword [eax]. 92 add eax. 4 sub dword [eax]. byte [edi+2] nop jmp long line3 jmp long line8 add eax. eax xor ecx. [esp] nop nop mov dl. 4 add dword [eax]. 0xa1723594 line2: line7: line12: add eax.line46_1: mov ecx.

4 line6: line13: line5: jmp long line6 add dword [eax]. [esp] nop nop mov dl. 0xe9 mov byte [eax]. 0x111111ee add eax. ecx xor edx. 0xaaccee22 add eax. 0 mov edx.line46_1: mov ecx. 4 xor dword [eax]. ebx jmp long line2 jmp long line15 mov ebx. 4 jmp ebx line8: line3: line7: line95_2: popf mov ecx. edx jmp long line16 jmp long line5 jmp long line3 mov cl. edi nop nop jmp long line13 dd -1 mov ebx. 0x00000057 popad mov dword [esp+32]. 92 add eax. eax ret sub edi. ebx pop eax jmp long line7 jmp long line14 add eax. edx pushad movzx ebx. ebx nop mov dword [eax+1]. 0xa1723594 add eax. eax sub dword [eax]. 0 mov ecx. 4 add dword [eax]. 0xe9 test edx. 0xb1c21343 add ebx. 0xe82c334d add eax. edx mov byte [ecx]. dl Remote Code Evolution xor eax. edx ret line95: pushad pushf Third Morphing Stage call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 line1: line14: line12: dd 1375432265 db 1 xor edi. ecx ret jmp long line12 jmp long line10 jmp long line11 . cl line11: line9: line10: xor edx. byte [edi+2] jmp long line4 jmp long line8 popad nop jmp long line96 jmp long line9 line95_1: mov eax. [esp] nop line15: line4: line2: nop xor eax. 0x00000067 mov dword [ecx+1]. edi push edi xor ecx. 4 sub dword [eax].

edi popf popad nop ror ebx. 4 add eax. edi mov cl. 4 xor eax. 7 mov [ecx]. dl Forth Morphing Stage xor eax. ebx add eax. 4 mov ebx. 4 add dword [ecx]. . 0x00000058 nop mov dl. 27 add eax. 0x11223344 dd 3524080526 not ebx db 2 dd 3318121790 db 2 dd 27 db 0 dd 7 dd 1375432265 db 1 db 4 db 2 mov [ecx]. 0xe9 . cl nop xor edx. 0x00000057 mov dword [eax+1]. ecx mov ebx. 4 add dword [eax]. 0 nop jmp eax mov ecx. ebx dd 545547056 dd -1 mov ebx. 0 mov edx. ecx add dword [ecx]. dl mov edx. eax mov ecx. 0xe82c334d db 0 mov eax. 4 xor dword [eax]. ecx mov dl. 0x11223344 mov ebx. [esp] nop line1_1: add ecx. 0x11223344 xor dword [ecx]. 4 add dword [eax]. edx ret line95: pushad pushf call line95_1 Random Obfuscation Keys line1: pushad Self modifying instructions pushf db 7 db 3 db 5 call line1_1 mov eax. 0x11223344 jmp ebx line95_2: line1: add ecx. edx mov byte [ecx]. 0x11223344 ror ebx. edx nop xor edi. 93 db 5 db 1 add ecx. 0x11223344 mov [ecx]. 0x11223344 add eax. edx ret . ebx add ecx. eax dd 838225172 db 2 db 1 dd 4211932376 dd -1 db 4 dd 2520091426 dd -1 db 0 mov eax. dl mov ecx. 0x11223344 jmp long line96 jmp long line2 add ecx. 93 add ecx. 0xe9 mov dword [ecx+1]. 0x00000058 ret mov dword [ecx+1]. 27 mov [ecx]. ecx dd 27 db 3 dd 946381070 db 0 db 4 mov ebx. [esp] nop nop mov dl. 4 xor dword [ecx]. 20*nops nop line1_1: ret mov byte [ecx]. 0xaaccee22 add eax. ebx mov ebx. 4 add ecx. . 0xe9 test edx. eax sub dword [eax]. edx mov byte [ecx]. eax add ecx. 92 dd 3524080526 mov eax. 0xb1c21343 db 2 add ecx.line46_1: Self Modifying Body Polymorphism mov ecx. 4 sub dword [eax]. [esp] popf popad xor ecx. 4 jmp eax mov [ecx]. 0x11223344 add ecx. 4 mov ebx. 0x111111ee add eax. 4 xor edi. ebx line1_2: nop add ecx. [esp] Self Modifying nop mov edx. 4 dd 545547056 ror ebx. ebx ror ebx. 0xa1723594 dd 7 not ebx mov [ecx]. 0x00000067 mov dword [ecx+1]. ebx mov ebx. 7 line95_1: mov eax. 4 mov byte [eax]. 0x11223344 xor edx. 0xe9 jmp long line2 add ecx.

cl xor edx. 0xaaccee22 add eax. 4 One block per add dword [eax]. edx ret line95: pushad pushf call line95_1 db 7 db 3 All blocks have same dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 Obfuscation Keys identical structure db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 dd -1 mov ebx. ecx xor edx. eax xor ecx. 0xe9 mov byte [eax]. 4 xor dword [eax]. 0 mov ecx. eax sub dword [eax]. 0xe82c334d add eax. 0xa1723594 add eax.line46_1: Self Modifying Blocks mov ecx. 4 sub dword [eax]. 0xb1c21343 add eax. 0x00000057 mov dword [eax+1]. 4 add dword [eax]. 0x111111ee add eax. [esp] nop nop mov dl. ebx mov ebx. [esp] nop Self modifying code nop xor eax. 0 Fifth Morphing Stage mov edx. edx mov cl. 92 add eax. 4 jmp ebx line95_2: popf morphed instruction popad nop jmp long line96 line95_1: mov eax. edx mov byte [ecx]. 0x00000067 mov dword [ecx+1]. dl xor eax. 0xe9 test edx. ecx ret .

0x111111ee add eax. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 dd -1 mov ebx. 4 xor dword [eax]. edx mov byte [ecx]. 4 add dword [eax]. eax sub dword [eax]. cl xor edx. [esp] nop nop mov dl. 0 mov ecx. eax xor ecx. 0xe9 mov byte [eax]. 0 mov edx. [esp] nop nop xor eax. 0xa1723594 add eax. 4 sub dword [eax]. 0xe9 test edx.line46_1: Self Modifying Blocks mov ecx. ebx mov ebx. 0xe82c334d add eax. 0xb1c21343 add eax. 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax. 0x00000057 mov dword [eax+1]. 92 add eax. 4 add dword [eax]. ecx xor edx. 0xaaccee22 add eax. edx mov cl. ecx ret . 0x00000067 mov dword [ecx+1]. dl xor eax.

[esp] nop [+] decrypted response: 0x00000001 | 1 nop xor eax.897926 ms xor ecx.177187 ms . 4 xor dword [eax]. 0xaaccee22 add eax. ecx ret [+] encrypted response: 0x818af8d8 | -2121598760 [+] decrypted response: 0x00000001 | 1 [+] remote execution response time: 6. 0xe82c334d add eax. edx ret line95: pushad [+] mutated code size: 15110 bytes pushf call line95_1 db 7 [+] encrypted response: 0x09575e31 | 156720689 db 3 dd 838225172 db 2 dd 4211932376 [+] decrypted response: 0x00000001 | 1 db 4 dd 2520091426 db 3 [+] remote execution response time: 6. [esp] nop nop mov dl. 0xa1723594 [+] decrypted response: 0x00000001 | 1 add eax. 0 mov ecx. 0 mov edx. eax [+] remote execution response time: 6. 0xe9 test edx. 4 add dword [eax]. edx mov byte [ecx]. cl xor edx. dl xor eax.line46_1: Response Time mov ecx. 92 add eax. ebx mov ebx. eax [+] encrypted response: 0x5820b6b5 | 1478538933 sub dword [eax].040096 ms sub dword [eax]. 0x111111ee add eax. 0x00000067 mov dword [ecx+1]. 0xb1c21343 add eax. 0x00000057 [+] mutated code size: 19768 bytes mov dword [eax+1]. 4 add dword [eax].685972 ms dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 [+] mutated code size: 17771 bytes dd -1 mov ebx. 0xe9 mov byte [eax]. ecx xor edx. 4 [+] remote execution response time: 6. 4 jmp ebx line95_2: popf [+] mutated code size: 23814 bytes popad nop jmp long line96 [+] encrypted response: 0x5d844e9a | 1568951962 line95_1: mov eax. edx mov cl.

0xe9 mov byte [eax]. 4 xor dword [eax]. 0xe82c334d add eax. 0xb1c21343 add eax. ecx xor edx. 4 jmp ebx line95_2: popf [+] mutated code size: 23814 bytes popad nop jmp long line96 [+] encrypted response: 0x5d844e9a | 1568951962 line95_1: mov eax. 0x00000057 [+] mutated code size: 19768 bytes mov dword [eax+1]. eax [+] remote execution response time: 6. 4 add dword [eax]. 0 mov edx. dl xor eax. 0xaaccee22 add eax. [esp] nop [+] decrypted response: 0x00000001 | 1 nop xor eax.line46_1: Variable Code Size mov ecx. 0xa1723594 [+] decrypted response: 0x00000001 | 1 add eax. 0x111111ee add eax.685972 ms dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 [+] mutated code size: 17771 bytes dd -1 mov ebx.897926 ms xor ecx. edx mov byte [ecx]. 0 mov ecx. ecx ret [+] encrypted response: 0x818af8d8 | -2121598760 [+] decrypted response: 0x00000001 | 1 [+] remote execution response time: 6. 92 add eax. 0x00000067 mov dword [ecx+1]. edx mov cl. [esp] nop nop mov dl. 4 add dword [eax]. edx ret line95: pushad [+] mutated code size: 15110 bytes pushf call line95_1 db 7 [+] encrypted response: 0x09575e31 | 156720689 db 3 dd 838225172 db 2 dd 4211932376 [+] decrypted response: 0x00000001 | 1 db 4 dd 2520091426 db 3 [+] remote execution response time: 6. cl xor edx.177187 ms . 0xe9 test edx.040096 ms sub dword [eax]. 4 [+] remote execution response time: 6. ebx mov ebx. eax [+] encrypted response: 0x5820b6b5 | 1478538933 sub dword [eax].

[esp] nop nop mov dl. ebx mov ebx.177187 ms . dl xor eax. 0x111111ee add eax. 0x00000067 mov dword [ecx+1]. edx mov cl. 0xa1723594 [+] decrypted response: 0x00000001 | 1 add eax. ecx xor edx. eax [+] remote execution response time: 6. 0xb1c21343 add eax. 4 add dword [eax]. 0xaaccee22 add eax. 0xe82c334d add eax. 4 xor dword [eax]. cl xor edx. 0xe9 mov byte [eax].685972 ms dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 [+] mutated code size: 17771 bytes dd -1 mov ebx. 0 mov ecx.line46_1: Response Mutation mov ecx. 4 add dword [eax]. ecx ret [+] encrypted response: 0x818af8d8 | -2121598760 [+] decrypted response: 0x00000001 | 1 [+] remote execution response time: 6. 4 [+] remote execution response time: 6. 0xe9 test edx.897926 ms xor ecx.040096 ms sub dword [eax]. 4 jmp ebx line95_2: popf [+] mutated code size: 23814 bytes popad nop jmp long line96 [+] encrypted response: 0x5d844e9a | 1568951962 line95_1: mov eax. edx ret line95: pushad [+] mutated code size: 15110 bytes pushf call line95_1 db 7 [+] encrypted response: 0x09575e31 | 156720689 db 3 dd 838225172 db 2 dd 4211932376 [+] decrypted response: 0x00000001 | 1 db 4 dd 2520091426 db 3 [+] remote execution response time: 6. [esp] nop [+] decrypted response: 0x00000001 | 1 nop xor eax. 92 add eax. 0 mov edx. edx mov byte [ecx]. eax [+] encrypted response: 0x5820b6b5 | 1478538933 sub dword [eax]. 0x00000057 [+] mutated code size: 19768 bytes mov dword [eax+1].

0xa1723594 add eax. edx Response Mutation ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 Trusted Zone dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 dd -1 mov ebx. edx mov byte [ecx]. [esp] Decoupled Reversible Mutation nop nop mov dl. 0 mov ecx.line46_1: mov ecx. 0 mov edx. 4 add dword [eax]. 0xaaccee22 add eax. eax sub dword [eax]. 0xe82c334d add eax. 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax. cl xor edx. 0x00000057 Unused Code Return value Reversible Mutation mov dword [eax+1]. 0xe9 mov byte [eax]. ecx xor edx. 4 sub dword [eax]. 4 Function Morphed Function add dword [eax]. 0xe9 test edx. ebx Challenge mov ebx. 0xb1c21343 add eax. dl xor eax. 4 Morphing Engine xor dword [eax]. [esp] nop nop Head Morphed Function Tail xor eax. 0x111111ee add eax. edx mov cl. ecx ret . eax xor ecx. 0x00000067 mov dword [ecx+1]. 92 Remote Mutation Mutated add eax.

0xb1c21343 add eax. dl xor eax.line46_1: mov ecx. 0xe82c334d add eax. 0xe9 mov byte [eax]. cl xor edx. 0xa1723594 not() xor(value3) add eax. ebx mov ebx. edx ror(value5) sub(value1) mov cl. 0xe9 test edx. 4 add dword [eax]. 4 sub dword [eax]. ecx ret . 0x00000067 mov dword [ecx+1]. edx mov byte [ecx]. 4 xor dword [eax]. 0x00000057 mov dword [eax+1]. 4 add dword [eax]. 0xaaccee22 add eax. 0 mov edx. edx Reversible Instructions ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 add(value1) rol(value5) db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 sub(value2) ror(value4) dd -1 mov ebx. eax sub dword [eax]. 92 add eax. ecx xor edx. eax xor ecx. 0 mov ecx. [esp] nop nop xor eax. 0x111111ee add eax. 4 xor(value3) not() jmp ebx line95_2: popf popad nop jmp long line96 line95_1: rol(value4) add(value2) mov eax. [esp] Decoupled Reversible Mutation nop nop mov dl.

4 xor eax. 0xe7634a71 xor eax. 0x00000057 ror eax. ecx xor eax. 0x500026f6 xor eax. 0x58f934ef dd 1375432265 add eax. 0x9a0be9b9 mov ebx. 0x2f112a91 sub eax. 0xaaccee22 xor eax. 0x762e0f15 db 7 xor eax. dl xor eax. 2 add eax. 0xf13d8c20 line95_2: sub eax. 0x19 ror eax. 0x17 add eax. 0x3e731a34 sub eax. 0xc98775b4 sub eax. 0x39034b8d not eax ror eax. 0x4f8728ef nop xor eax. 0xe82c334d ror eax. 0xe017f6fa db 3 not eax dd 838225172 ror eax. 0xc739155d sub eax. ecx ror eax. 0x8150605 sub eax. 0xc add dword [eax]. 0x9cb2998b xor edx. 0x1c ret xor eax. 0x120d5924 db 1 sub eax. 0xe9 test edx. cl sub eax. edx sub eax. 0xe9 ror eax. 0xa1723594 add eax. 0x231a8655 dd 3318121790 add eax. 0xdb0a2bc0 mov cl. 0xf5bcc022 not eax add eax. 0xa623710f dd -1 add eax. [esp] xor eax. 0x2c75569a xor eax. 0xd1e6a7ec not eax ror eax. 0xad1a2fd2 not eax popad sub eax. 0x695e3adf not eax sub eax. 0xd925192c add eax. 0xd db 2 add eax. 5 . 0xa96f3357 sub dword [eax]. 0x111111ee xor eax. 4 add dword [eax]. 0xbfe386c3 mov ebx. 0xe0d9780c sub eax. 0xb1c21343 ror eax. 0x75707780 dd 4211932376 sub eax. eax add eax. eax xor eax. 0xb813492a mov eax. 0xf ror eax. 0x205c4a75 nop sub eax. 0x4d956430 popf ror eax. 0xbdc52b4f xor eax. 3 xor eax. 4 sub eax. 0x48fa27f1 ret line95: sub eax. 0x5665148d add eax. 0xbcf3e676 xor eax. 0x247dab96 db 4 not eax add eax. 0xa0b50d13 sub eax. 0x801608e8 add eax. 0xe3265fc4 dd 2520091426 add eax. 0x14c58836 add eax. 0xf6696155 db 3 sub eax. 0xa add eax. 0xd353c205 pushad pushf sub eax. 0xa888b8b2 call line95_1 add eax. 0x22952628 dd 946381070 sub eax. 4 add eax. 0xe626a2be ror eax. 0 mov edx. 0x9ce66186 sub eax. 0x1d sub dword [eax]. 0xd6c7b4ee db 2 xor eax. 0x00000067 mov dword [ecx+1]. ebx sub eax. 0x8051cbca add eax. 0 add eax. 0x1c xor dword [eax]. edx mov byte [ecx]. [esp] nop nop mov dl. 0xfb7e9fdd ror eax. Reversible Instructions | Response Mutation line46_1: mov ecx. 4 not eax jmp ebx xor eax. 0xad81052c ror eax. 0xbb5202f7 xor eax. 92 add eax. 0x937ead1b xor eax. 0x88ad3417 ror eax. 0x4ec067b8 not eax add eax. 0xd mov byte [eax]. 0xee0e75bc xor eax. 2 xor eax. 0xfb824ebb add eax. 0x9c9df86 nop xor eax. edx add eax. 0xd88904bc line95_1: sub eax. 0xbcbb2b45 xor ecx. 4 ror eax. 0x3185e741 xor edx. 0xfb42f152 jmp long line96 add eax. 0x197e9520 mov dword [eax+1]. 0xd8fe0628 add eax. 0x529eba0f mov ecx. 0x1984a5de add eax. 5 add eax. 0xbeaeaad5 db 2 not eax add eax.

0xe9 mov byte [eax]. 0x00000057 mov dword [eax+1]. 4 4th jmp ebx line95_2: popf popad -21215987 0 nop jmp long line96 line95_1: Tampered non-self 5th mov eax. 0 mov edx. ecx xor edx. edx 6th mov cl. dl xor eax. 0x111111ee add eax. 0 -689519 0 mov ecx. 0xe9 test edx. [esp] nop nop 10778328 137106 xor eax. cl xor edx. 0x00000067 Artificial Immunity | Detecting the non-self mov dword [ecx+1]. 4 sub dword [eax]. 0xa1723594 3rd add eax. 0xaaccee22 add eax. eax xor ecx. ebx mov ebx. 4 add dword [eax]. ecx ret 7th 11979087 0 . 4 15689519 0 xor dword [eax]. 0xe82c334d add eax. 4 add dword [eax]. 0xb1c21343 add eax. 92 add eax.line46_1: The Remote Metamorphic Engine mov ecx. edx mov byte [ecx]. [esp] nop nop mov dl. eax 147853893 0 sub dword [eax]. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 Mutations Responses Decrypted dd 2520091426 1st db 3 dd 946381070 db 2 dd 3318121790 156720689 0 db 2 dd 1375432265 db 1 2nd dd -1 mov ebx.

4 add dword [eax]. 0xe9 mov byte [eax]. 4 sub dword [eax]. ebx mov ebx. [esp] nop nop 579 ms >500 ms xor eax. edx mov byte [ecx].line46_1: The Remote Metamorphic Engine mov ecx. 4 4th jmp ebx line95_2: popf popad 106 ms <500 ms nop jmp long line96 line95_1: Emulated non-self 5th mov eax. 4 52 ms <500 ms xor dword [eax]. dl xor eax. 0xb1c21343 add eax. 0xe9 test edx. 0xe82c334d add eax. 0xa1723594 3rd add eax. 4 add dword [eax]. ecx xor edx. 0x00000057 mov dword [eax+1]. [esp] nop nop mov dl. eax 65 ms <500 ms sub dword [eax]. 0xaaccee22 add eax. ecx ret 7th 53 ms <500 ms . edx 6th mov cl. 0 mov edx. 0x111111ee add eax. 0x00000067 Artificial Immunity | Detecting the non-self mov dword [ecx+1]. eax xor ecx. 0 39 ms <500 ms mov ecx. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 Mutations Response Time Time Threshold dd 2520091426 1st db 3 dd 946381070 db 2 dd 3318121790 47 ms <500 ms db 2 dd 1375432265 db 1 2nd dd -1 mov ebx. cl xor edx. 92 add eax.

4 add dword [eax]. ebx mov ebx. 0xb1c21343 add eax. 0x00000067 Artificial Immunity | Detecting the non-self mov dword [ecx+1].line46_1: The Remote Metamorphic Engine mov ecx. 4 add dword [eax]. [esp] nop nop mov dl. 0xe9 test edx. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 Mutations Response Time Time Threshold dd 2520091426 1st db 3 dd 946381070 db 2 dd 3318121790 521 ms >200 ms db 2 dd 1375432265 db 1 2nd dd -1 mov ebx. 0x111111ee add eax. 0 mov edx. 0xe82c334d add eax. 0xe9 mov byte [eax]. ecx ret 7th 545 ms >200 ms . 4 sub dword [eax]. eax xor ecx. 0xa1723594 3rd add eax. edx 6th mov cl. ecx xor edx. edx mov byte [ecx]. 0xaaccee22 add eax. 0x00000057 mov dword [eax+1]. 92 add eax. cl xor edx. 0 622 ms >200 ms mov ecx. 4 492 ms >200 ms xor dword [eax]. [esp] nop nop 65 ms <200 ms xor eax. eax 608 ms >200 ms sub dword [eax]. 4 4th jmp ebx line95_2: popf popad 567 ms >200 ms nop jmp long line96 line95_1: Emulated non-self 5th mov eax. dl xor eax.

0x00000057 mov dword [eax+1]. 0 Mixing Morphed Blocks mov edx. [esp] nop Morphed Function 3 nop xor eax. ecx Head Tail xor edx. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 Head Morphed Function 1 Tail db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 Head Morphed Function 1 Tail dd 1375432265 db 1 dd -1 mov ebx. dl xor eax. 0xa1723594 add eax. 4 add dword [eax]. eax xor ecx. ebx mov ebx.line46_1: Evading AI Machine Learning mov ecx. 0xe9 mov byte [eax]. eax sub dword [eax]. edx mov cl. 0xe82c334d add eax. 0xe9 test edx. 0x111111ee Head Morphed Function 2 Tail add eax. edx mov byte [ecx]. 0x00000067 mov dword [ecx+1]. 4 sub dword [eax]. cl xor edx. [esp] nop nop mov dl. 0xb1c21343 add eax. ecx ret Head Morphed Function 3 Tail . 92 add eax. 4 jmp ebx Morphed Function 2 line95_2: popf popad nop Head Tail jmp long line96 line95_1: mov eax. 0xaaccee22 add eax. 4 xor dword [eax]. 4 add dword [eax]. 0 mov ecx.

0xa1723594 add eax. ecx ret Head Morphed Function 3 Tail . 0xe9 mov byte [eax]. during and after execution db 1 dd -1 mov ebx. 4 xor dword [eax]. 0xe82c334d add eax.line46_1: Evading AI Machine Learning mov ecx. ebx mov ebx. cl xor edx. 0x00000067 mov dword [ecx+1]. 4 add dword [eax]. 4 add dword [eax]. [esp] nop nop mov dl. eax sub dword [eax]. edx mov byte [ecx]. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 Head Morphed Function 1 Tail db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 Disabling the AI from differentiating functions before. [esp] nop nop xor eax. 0 Mixing Morphed Blocks mov edx. ecx xor edx. eax xor ecx. 4 sub dword [eax]. 0xb1c21343 add eax. 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax. 0xe9 test edx. dl xor eax. 0x00000057 mov dword [eax+1]. 0xaaccee22 add eax. 92 add eax. 0 mov ecx. edx mov cl. 0x111111ee Head Morphed Function 2 Tail add eax.

0x00000067 mov dword [ecx+1]. 0xb1c21343 add eax. 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax. 92 add eax. 0 Remote Subroutine Slices Permutation mov edx. 0x111111ee add eax. edx mov cl. 4 add dword [eax]. 0 mov ecx. 0xe9 mov byte [eax]. 0xaaccee22 add eax. dl xor eax. ecx xor edx. [esp] nop nop mov dl.line46_1: Evading AI Machine Learning mov ecx. edx mov byte [ecx]. 0xa1723594 add eax. 0x00000057 The Engine Side mov dword [eax+1]. eax sub dword [eax]. eax xor ecx. [esp] nop nop xor eax. 4 add dword [eax]. ecx ret Unknown to the machine learning . edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 The AI Side dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 Known to the machine learning dd 1375432265 db 1 dd -1 mov ebx. 4 sub dword [eax]. cl xor edx. ebx mov ebx. 0xe9 test edx. 0xe82c334d add eax. 4 xor dword [eax].

4 Resolve API Mixed add dword [eax]. [esp] nop Context nop xor eax. edx Call API mov cl. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 Start computing hash The AI Side dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 Known to the machine learning dd 1375432265 db 1 dd -1 mov ebx. 4 jmp ebx line95_2: computing hash popf popad nop jmp long line96 Mixed CPU line95_1: mov eax. cl xor edx. ecx ret Unknown to the machine learning . 4 add dword [eax]. 4 xor dword [eax]. ebx mov ebx. 0 mov ecx. 0xe82c334d add eax. dl xor eax. eax xor ecx. ecx xor edx. 0xb1c21343 add eax. edx mov byte [ecx]. 0xe9 mov byte [eax]. 0xa1723594 add eax. 0xaaccee22 Continue add eax. [esp] nop nop mov dl. 0xe9 test edx. eax sub dword [eax]. 0x111111ee add eax. 4 Meanings sub dword [eax]. 0 Remote Subroutine Slices Permutation mov edx. 0x00000067 mov dword [ecx+1].line46_1: Evading AI Machine Learning mov ecx. 0x00000057 The Engine Side mov dword [eax+1]. 92 add eax.

0xe82c334d add eax. 0 mov ecx. 4 xor dword [eax]. 0x00000067 mov dword [ecx+1]. cl xor edx. 0xe9 mov byte [eax]. 0xe9 test edx. 0xb1c21343 add eax. ebx mov ebx. edx Detect Virtual Machines mov cl.line46_1: The Remote Metamorphic Engine mov ecx. [esp] nop nop mov dl. 92 add eax. 0xaaccee22 add eax. 4 Clock synchronization jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax. ecx Collect Machine IDs ret . 0xa1723594 add eax. 4 In memory APIs code integrity check add dword [eax]. 0x111111ee add eax. ecx xor edx. 4 sub dword [eax]. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 In memory code integrity check db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 Execution environment integrity check dd -1 mov ebx. [esp] nop Detect debuggers nop xor eax. 0x00000057 mov dword [eax+1]. eax sub dword [eax]. dl xor eax. 0 Anti-Emulation mov edx. 4 Detect hooks add dword [eax]. edx mov byte [ecx]. eax xor ecx.

[esp] Escape the Emulator nop nop xor eax. ecx ret Track and Block the Emulators’ IPs . ecx xor edx. 4 add dword [eax]. edx Force Bind IPs mov cl. 0 mov ecx. dl xor eax. 0xaaccee22 add eax. edx mov byte [ecx]. 0 Surprise the Emulator mov edx. eax sub dword [eax]. edx ret line95: pushad pushf call line95_1 db 7 db 3 Heavy Memory Operations dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 Consume the Emulator’s Memory db 2 dd 1375432265 db 1 dd -1 mov ebx. 0xe9 mov byte [eax]. eax xor ecx. 92 add eax. cl xor edx. [esp] nop nop mov dl. 0x00000057 mov dword [eax+1]. 0x111111ee Crash the Emulator add eax.line46_1: The Remote Metamorphic Engine mov ecx. ebx Consume the Emulator’s CPU mov ebx. 0xa1723594 add eax. 4 xor dword [eax]. 4 sub dword [eax]. 0xe82c334d add eax. 0xe9 test edx. 0xb1c21343 Consume the Emulator’s disk space add eax. 4 add dword [eax]. 0x00000067 mov dword [ecx+1]. 4 jmp ebx line95_2: popf Disconnect VPNs and network interfaces popad nop jmp long line96 line95_1: mov eax.

edx mov byte [ecx]. 0xaaccee22 add eax. [esp] nop nop mov dl. 92 add eax. 0xe9 test edx. 0xe9 mov byte [eax]. 0xb1c21343 Valid for few Milliseconds add eax. 0xa1723594 add eax. 4 Mutated Algorithm add dword [eax]. 0x111111ee add eax. ecx ret Unknown to the reverse engineer . 0 mov ecx. 4 xor dword [eax]. 0xe82c334d add eax. 4 jmp ebx line95_2: popf popad nop jmp long line96 Algorithm Mutation line95_1: mov eax. 0x00000067 mov dword [ecx+1]. edx mov cl. cl xor edx. 0x00000057 The Engine Side mov dword [eax+1]. ecx xor edx. eax xor ecx. eax sub dword [eax]. 0 Blindfolded Reverse Engineering mov edx.line46_1: The Remote Metamorphic Engine mov ecx. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 The Reverse Engineer Side dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 Known to the reverse engineer dd 1375432265 db 1 dd -1 mov ebx. ebx mov ebx. [esp] nop nop xor eax. 4 sub dword [eax]. 4 add dword [eax]. dl xor eax.

[esp] nop nop mov dl. 0xaaccee22 Continue add eax. dl xor eax. ecx xor edx. 4 add dword [eax]. 0x111111ee add eax. 0x00000057 The Engine Side mov dword [eax+1]. eax xor ecx. 0xb1c21343 add eax. [esp] nop Meanings nop xor eax. 4 jmp ebx line95_2: computing hash popf popad nop jmp long line96 Morphing line95_1: mov eax. 4 xor dword [eax]. 0 mov ecx. 0xa1723594 Resolve API Logic Meanings add eax. ecx ret Unknown to the reverse engineer . edx mov byte [ecx]. cl xor edx. eax sub dword [eax]. ebx mov ebx.line46_1: The Remote Metamorphic Engine mov ecx. 4 add dword [eax]. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 Start computing hash The Reverse Engineer Side dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 Known to the reverse engineer dd 1375432265 db 1 Morphed Morphed dd -1 mov ebx. 0xe9 test edx. 0xe9 mov byte [eax]. 4 sub dword [eax]. edx Call API mov cl. 0 Confuse the Reverse Engineer mov edx. 92 add eax. 0x00000067 mov dword [ecx+1]. 0xe82c334d add eax.

92 0 add eax. ecx ret Engine . edx mov byte [ecx]. 4 add dword [eax]. eax xor ecx. 0xe9 mov byte [eax]. edx ret line95: pushad Security as Undefined & indeterminate expression pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 1 dd 3318121790 db 2 -∞ = = ∞ dd 1375432265 db 1 dd -1 mov ebx. 4 sub dword [eax]. 0x111111ee add eax. 0xaaccee22 add eax. eax sub dword [eax]. [esp] nop nop xor eax.line46_1: mov ecx. 4 Undefined add dword [eax]. 0 mov ecx. 0xe9 test edx. [esp] nop nop The Undefined Expression mov dl. 0xe82c334d add eax. 0xb1c21343 add eax. dl xor eax. ecx xor edx. cl The Remote xor edx. 0x00000057 Metamorphic mov dword [eax+1]. 0 mov edx. 0x00000067 mov dword [ecx+1]. edx mov cl. 0xa1723594 add eax. 4 jmp ebx line95_2: popf 0 ∞ popad RE Time nop jmp long line96 line95_1: mov eax. ebx mov ebx. 4 xor dword [eax].

4 sub dword [eax]. ebx Questions? mov ebx. 0xb1c21343 add eax. edx mov cl. 4 add dword [eax]. edx mov byte [ecx]. 0xe9 test edx. ecx ret .line46_1: mov ecx. 0x00000057 mov dword [eax+1]. 0xe82c334d add eax. 0xaaccee22 add eax. 4 xor dword [eax]. ecx xor edx. cl xor edx. 0x111111ee add eax. 92 add eax. 0 mov ecx. 0x00000067 mov dword [ecx+1]. edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 { } db 1 dd -1 mov ebx. [esp] nop nop mov dl. 0xe9 mov byte [eax]. dl xor eax. 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax. eax xor ecx. 0xa1723594 add eax. 4 add dword [eax]. 0 mov edx. eax sub dword [eax]. [esp] nop nop xor eax.