I wrote a class that uses a blend of polymorphic code; it is something I originally wrote for another user who had too much trouble integrating it, so I figure the community could use it.

The PHP script attached will verify an account ID given over a network pipe, then return the requested function. The script should store all valuable functions in an encoded/encrypted/encoded buffer, which the client will fetch when needed, decrypt, load to stack, and execute.

For an example, check out the WinMain.cpp file, and take note of the "GetFunction" and "QueueFunction".

The kePolymorphic class is, essentially, just a large NOP, not being actually polymorphic; a number of random instructions are completed on each run, but the instructions don't change, only which instructions get executed. That's where I would personally store strings that should appear interesting to a potential reverser, but in all reality do nothing of value (as seen with examples such as "@lawnmower", "@godmode", etc.).

Most, if not all, of the strings in the library are encoded; you'll have to modify the host encoded buffer and the request to your specific server, where the modified PHP script would be hosted.

Lastly, there is a key in the keConfig.h file; you can modify it or not, but I personally would. Below is a Python script for encrypting given buffers, then writing to a file, "key.txt".

eiEncrypt_Key = [ 0xA9, 0x9F, 0x02, 0x87, 0x3A, 0x16, 0xFF, 0x6F, 0x75, 0x74 ]

eiDecrypt_Key = [ 0x74, 0x75, 0x6F, 0xFF, 0x16, 0x3A, 0x87, 0x02, 0x9F, 0xA9 ]

def eiCrypt_Encrypt( eiString ):
    # XOR each byte with every key byte in turn, stopping at the 0x00 terminator.
    # XOR is associative, so this equals a single XOR with the XOR of all key bytes.
    i = 0
    while eiString[i] != 0x00:
        for k in eiEncrypt_Key:
            eiString[i] ^= k
        i += 1
    return eiString

def eiCrypt_Decrypt( eiCryptedString ):
    # Same transform with the reversed key; XOR is its own inverse.
    i = 0
    while eiCryptedString[i] != 0x00:
        for k in eiDecrypt_Key:
            eiCryptedString[i] ^= k
        i += 1
    return eiCryptedString

x = input()
m = [ ord( c ) for c in x ]
m.append( 0x00 )   # terminator the loops above stop on

# Emit the encoded bytes as a C char-array initializer, e.g. { '\x4e', '\x62', ... };
realstring = ""
for b in eiCrypt_Encrypt( m ):
    if b != 0x00:
        realstring += "'\\x%02x', " % b

f = open( "key.txt", "w" )   # text mode; "wb" would reject a str in Python 3
k = " { %s };" % realstring
f.write( k )
f.close( )
Enjoy, everybody!

Use it as you want, credits or not.


Anyways, the only "polymorphic" feature in the above is the ability to dynamically load functions to the stack, execute them, and remove them from the stack. Functions can be stored, or fetched from the attached script.

Other than that, enjoy; I may come back and re-write the kePolymorph class to actually be polymorphic. At one point, I did have plans to include a small metamorphic engine, which would modify resources slightly on each run, using the working polymorphic engine. From there, ideally, the resource could be executed at random, functions could be stored in the resource, being loaded and unloaded from the main binary, etc.

Regardless, just enjoy it, and excuse any messiness I left in.
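An added example, not part of the post or its library, showing what the key scheme in the script above amounts to from an analyst's side: the ten key bytes collapse to a single XOR constant, and that constant can be recovered from an encoded buffer alone, with no key knowledge. It assumes only the key values from the script; the sample string and the key.txt contents are constructed here.

```python
import re
import string
from functools import reduce

# Keys copied from the poster's script above.
EI_ENCRYPT_KEY = [0xA9, 0x9F, 0x02, 0x87, 0x3A, 0x16, 0xFF, 0x6F, 0x75, 0x74]
EI_DECRYPT_KEY = EI_ENCRYPT_KEY[::-1]

def effective_key(key):
    """XOR-ing a byte with each key byte in turn equals XOR-ing it once with
    the XOR of all key bytes, so the 10-byte key is really one constant."""
    return reduce(lambda a, b: a ^ b, key, 0)

def encode(plaintext, key=EI_ENCRYPT_KEY):
    """Byte-for-byte what eiCrypt_Encrypt does to a string (terminator aside)."""
    k = effective_key(key)
    return bytes(b ^ k for b in plaintext.encode())

def parse_key_txt(text):
    """Read the { '\\x4e', ... }; initializer the script writes to key.txt."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))

def recover_key_byte(blob):
    """Analyst-side recovery with no key knowledge: space is the most common
    byte in English text, so rank candidates by decoded spaces, then letters."""
    letters = set(string.ascii_letters.encode())
    def score(k):
        out = [b ^ k for b in blob]
        return (out.count(0x20), sum(1 for b in out if b in letters))
    return max(range(256), key=score)

def decode_unknown_key(blob):
    """Return (recovered key byte, decoded text) for a single-byte-XOR blob."""
    k = recover_key_byte(blob)
    return k, bytes(b ^ k for b in blob).decode("latin-1")

if __name__ == "__main__":
    # Constructed sample: a decoy-style string like the ones the post mentions,
    # encoded and formatted the way the script writes key.txt.
    sample = encode("@lawnmower is a decoy string to waste a reverser's time")
    key_txt = " { %s };" % "".join("'\\x%02x', " % b for b in sample)
    print("effective key byte: 0x%02X" % effective_key(EI_ENCRYPT_KEY))
    print("recovered:", decode_unknown_key(parse_key_txt(key_txt)))
```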