> Hi,
> TAPiON engine was developed to avoid code detection (shellcode/whatever).

Hi Piotr,

I had a look at Tapion's code and I don't really see any truly genuine polymorphism. Actually I did see some fixed patterns which could make Tapion's decryptors pretty detectable:

The main problem is that you build the decryptor based on some blocks which can be made into patterns, especially because the block construction is always the same:

1) XOR block [optional with 50% probability]
2) (mov block | get_eip block) or (get_eip block | anti_emu block [1/3 prob] | mov block) [50% prob]
3) anti_emu block [1/3 prob]
4) -- Decryptor loop -- (copy_reg block | mov_reg block) or (mov_reg block | copy_reg block | temp block) [50% prob]
...

As you see, there is nearly no randomness in the process and the construction blocks are easy to detect.

If you want some in-depth on polymorphism I recommend you the 29a papers: http://vx.netlux.org/29a/

> best regards,
> Piotr Bania

Kindest regards :)

--
Alejandro Barrera García-Orea
R&D Engineer
c/ Alcala 268
28027 Madrid
Office: +34 91 326 66 11
Fax: +34 91 326 66 11
e-mail: abarrera@xxxxxxxxxxxxx
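The argument in the message above (a fixed block grammar with a handful of coin flips yields very few distinct decryptor layouts) can be made concrete by enumerating that grammar. The following is an added example, not code from the mail or from TAPiON itself: it encodes the four construction steps exactly as listed, reads "A | B" as "A followed by B" (an assumption; the mail does not define the notation), uses the block names from the mail as opaque labels, and counts the distinct layouts, their probabilities and the total entropy. It also includes a small matcher that decides whether an observed block sequence fits one of those layouts, which is the kind of skeleton signature the mail says a scanner could build.

```python
import itertools
import math
import random
from fractions import Fraction

# Block grammar as listed in the mail. Each stage is a list of
# (block_sequence, probability) alternatives. The reading of "A | B" as
# "A then B" is an assumption, as is treating "..." (further stages) as absent.
STAGES = [
    # 1) XOR block, optional with 50% probability
    [(("xor",), Fraction(1, 2)), ((), Fraction(1, 2))],
    # 2) 50%: mov, get_eip   /   50%: get_eip, [anti_emu with 1/3], mov
    [(("mov", "get_eip"), Fraction(1, 2)),
     (("get_eip", "anti_emu", "mov"), Fraction(1, 2) * Fraction(1, 3)),
     (("get_eip", "mov"), Fraction(1, 2) * Fraction(2, 3))],
    # 3) anti_emu block with 1/3 probability
    [(("anti_emu",), Fraction(1, 3)), ((), Fraction(2, 3))],
    # 4) decryptor loop: 50% copy_reg, mov_reg / 50% mov_reg, copy_reg, temp
    [(("copy_reg", "mov_reg"), Fraction(1, 2)),
     (("mov_reg", "copy_reg", "temp"), Fraction(1, 2))],
]


def enumerate_layouts():
    """Return {block_sequence: probability} for every layout the grammar can emit."""
    layouts = {}
    for combo in itertools.product(*STAGES):
        seq = tuple(b for blocks, _ in combo for b in blocks)
        p = math.prod((p for _, p in combo), start=Fraction(1))
        layouts[seq] = layouts.get(seq, Fraction(0)) + p
    return layouts


def entropy_bits(layouts):
    """Shannon entropy of the layout distribution: how many bits of choice exist."""
    return -sum(float(p) * math.log2(float(p)) for p in layouts.values())


def generate_decryptor(rng):
    """Sample one decryptor skeleton the way the grammar would (constructed toy generator)."""
    seq = []
    for stage in STAGES:
        blocks = rng.choices([b for b, _ in stage], weights=[float(p) for _, p in stage])[0]
        seq.extend(blocks)
    return tuple(seq)


_LAYOUTS = enumerate_layouts()


def is_tapion_like(block_sequence):
    """Signature check: does an observed block skeleton match one of the enumerated layouts?

    block_sequence is the block labels a classifier has assigned to the code,
    in order; in practice that step is the disassembler's job and is assumed here.
    """
    return tuple(block_sequence) in _LAYOUTS


def summary():
    """Numbers a detection engineer would want: signature count, entropy, extremes."""
    probs = sorted(_LAYOUTS.values())
    return {
        "distinct_layouts": len(_LAYOUTS),
        "entropy_bits": round(entropy_bits(_LAYOUTS), 3),
        "most_likely": float(probs[-1]),
        "least_likely": float(probs[0]),
        "probability_mass": sum(_LAYOUTS.values()),
    }


if __name__ == "__main__":
    print(summary())
    rng = random.Random(1)
    sample = generate_decryptor(rng)
    print("sampled skeleton:", sample, "-> matches:", is_tapion_like(sample))
```

Under these assumptions the four stages produce only 24 distinct skeletons (about 4.4 bits of variation in total), so 24 block-order signatures cover every decryptor the engine can emit, and the single most common layout alone accounts for one in twelve of them. Adding the real TAPiON stages behind the "..." would raise the count, but as long as each stage is a small fixed menu the product stays small enough to enumerate.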