[40263] in bugtraq
Re: [Full-disclosure] (TOOL) TAPiON (Polymorphic Decryptor Generator) Engine
daemon@ATHENA.MIT.EDU (Alejandro Barrera)
Mon Sep 12 17:03:47 2005
Date: Fri, 9 Sep 2005 21:39:45 +0200
From: Alejandro Barrera <abarrera@iron-gate.net>
Reply-To: Alejandro Barrera <abarrera@iron-gate.net>
Message-ID: <992110152.20050909213945@iron-gate.net>
To: Piotr Bania <bania.piotr@gmail.com>
Cc: FULLDISC <full-disclosure@lists.grok.org.uk>,
SBUGTRAQ <bugtraq@securityfocus.com>
In-Reply-To: <4321A803.4010106@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
> Hi,
> TAPiON engine was developed to avoid code detection (shellcode/whatever).
Hi Piotr,
I had a look at Tapion's code and I don't really see any truly genuine
polymorphism. Actually I did see some fixed patterns which could make
Tapion's decryptors pretty detectable:
The main problem is that you build the decryptor based on some blocks
which can be made into patterns, especially because the block
construction is always the same:
1) XOR block [optional with 50% of probabilities]
2) (mov block | get_eip block) or
(get_eip block | anti_emu block [1/3 prob] | mov block) [50% prob]
3) anti_emu block [1/3 prob]
4) -- Decryptor loop --
(copy_reg block | mov_reg block) or
(mov_reg block | copy_reg block | temp block ) [50% prob]
...
As you see, there is nearly no randomness in the process and the
construction blocks are easy to detect.
If you want some in-depth material on polymorphism I recommend you the 29a papers:
http://vx.netlux.org/29a/
> best regards,
> Piotr Bania
Kindest regards :)
--
Alejandro Barrera García-Orea
R&D Engineer
c/ Alcala 268 28027 Madrid
Office: +34 91 326 66 11
Fax: +34 91 326 66 11
e-mail: abarrera@iron-gate.net
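To make the point about low structural randomness concrete, here is an added example (my own illustration, not code from the thread or from TAPiON) that models only the block skeleton listed in the e-mail as labelled steps with the stated probabilities, enumerates every skeleton those rules can produce, and reports the structural entropy plus the blocks shared by all of them. It assumes the step choices are independent and ignores everything after the "..." that the e-mail elides.

```python
from itertools import product
from math import log2

# Each step is a list of (block labels emitted, probability), transcribed
# from the e-mail. Assumption: choices are independent and nothing after
# the elided "..." is modelled. Block labels are abstract, not code bytes.
STEP_XOR = [((), 0.5), (("xor",), 0.5)]
STEP_EIP = [
    (("mov", "get_eip"), 0.5),                 # first 50% branch
    (("get_eip", "mov"), 0.5 * 2 / 3),         # second branch, no anti_emu
    (("get_eip", "anti_emu", "mov"), 0.5 / 3), # second branch, anti_emu (1/3)
]
STEP_ANTI_EMU = [((), 2 / 3), (("anti_emu",), 1 / 3)]
STEP_LOOP = [
    (("copy_reg", "mov_reg"), 0.5),
    (("mov_reg", "copy_reg", "temp"), 0.5),
]
SKELETON_RULES = (STEP_XOR, STEP_EIP, STEP_ANTI_EMU, STEP_LOOP)


def skeleton_distribution(rules=SKELETON_RULES):
    """Map every block sequence the rules allow to its probability."""
    dist = {}
    for combo in product(*rules):
        seq = tuple(block for blocks, _ in combo for block in blocks)
        prob = 1.0
        for _, p in combo:
            prob *= p
        dist[seq] = dist.get(seq, 0.0) + prob
    return dist


def entropy_bits(dist):
    """Shannon entropy of the skeleton distribution, in bits."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def invariant_blocks(dist):
    """Blocks present in every skeleton: a natural basis for a structural signature."""
    seqs = [set(seq) for seq in dist]
    return set.intersection(*seqs) if seqs else set()


def matches_skeleton(observed, dist):
    """Naive structural check: is the observed block order one of the fixed skeletons?"""
    return tuple(observed) in dist


if __name__ == "__main__":
    d = skeleton_distribution()
    print(len(d), "distinct skeletons,", round(entropy_bits(d), 2), "bits of structure")
    print("always present:", sorted(invariant_blocks(d)))
```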