
                                  CODE MIXER
                                 version 1.50

  CODE MIXER is an utility (subroutine, library, engine, include file, ...)
  to mix 2 code buffers.
  The destination buffer will contain all instructions of the source buffers
  mixed between each other in random order.

  src buf #1        src buf #2      dest buf
  ------------      ------------    -------------
  imul eax, ebx     add edi,1       add edi,1
q:cdq               add edi,2       imul eax, ebx
  xor ecx, ecx      add edi,3     q:cdq
  jz  q             loop $-2        add edi,2
  nop                               xor ecx,ecx  ; next cmd is jxx
                                    jz q         ; jxx-expanded to near,fixed
                                    add edi,3
                                    nop
                                    loop $-2     ; loop/z/nz/jecxz-ignored


  CODEMIXER uses two external subroutines, rnd() and disasm(), both should
  be written in C calling convention (i.e. return control with RET).

  DWORD rnd(DWORD) returns random number,
  DWORD disasm(BYTE* cmd) returns length of the command and -1 if error.

  In the example used simple randomer and external disassembler (LDE32).
  But you are always able to use your own randomer and/or disassembler.

                              CALLING CODEMIXER

        include cmix.inc

        pusho   offset disasm   ; DWORD disasm(BYTE*)
        pusho   offset rnd      ; DWORD rnd(DWORD range)
        push    offset srcbuf1  ; source buffer #1 -- offset
        push    size srcbuf1    ; ... size
        push    offset srcbuf2  ; source buffer #2 -- offset
        push    size srcbuf2    ; ... size
        push    offset destbuf  ; destination buffer -- offset
        push    size destbuf    ; ... maximal size
        push    offset destsize ; ... pointer to new size (DWORD PTR)
        push    maxcmd          ; max # of commands (in both buffers)
        call    codemixer

  Return values:
        EAX==0 if success, destsize=size of the destination buffer
        EAX!=0 if error, error codes (CM_ERR_xxx) see in the CMIX.INC

                                   FEATURES

  - code is offset-independent, so it can be displaced or permutated
  - no external data used, only own stack vars
  - jmps/calls (E8,E9,7x,0F 8x) are fixed
    (to point correctly to the new addresses)
  - external jmps/calls (i.e. out of the source buffers) are fixed correctly
  - short jmps (7x,EB) are expanded into near jmps
  - if next command is jxx (short or near), it will be stored after current
    command, without inserting other buffer commands before jxx
  - commands jecxz,loop,loopz,loopnz (E0/E1/E2/E3) are ignored

                         WHERE CODEMIXER CAN BE USED

  - to create polymorphic decryptors
       1. generate simple decryptor (as in crypt-virus)
       2. generate some trash (easy with ETG engine)
       3. mix buffers

  - to mix some commands from host 's startup and from virus's startup

  - to generate some hash-alike functions
    for example:
    dst-reg-set = [REG_EAX],
    src-reg-set = [REG_EBX],
    so generated function will return EAX=f(EBX)

