
                                 

                ,   
    (      )   -       
 ,   .

               ?  
 ,      HHH,     H 
 .    ,  ,     
  .

     H,    :

                ...
                ; Illustrative fragment: three back-to-back calls. sub_1..sub_3 are
                ; placeholder names that are not defined anywhere on this page.
                call sub_1
                call sub_2
       label_1: call sub_3              ; label_1 = address of the third call
                ...

     ..        call sub_1,  call
 sub_2      .  ,           ,
             ,      
 ,     label_1.
     :           
   ,   label_1  ""  
    ? (..  G  DEBUG/soft-ice, G/HERE  soft-ice, F4 
 TD)
     : .

     ,       :

                ...
                ; Countdown gate: the branch below is taken only on the execution that
                ; brings the 32-bit counter to zero. Both numbers are illustrative
                ; placeholders, not real addresses.
                dec    dword ptr [12345678]     ; counter -= 1; ZF is set when it reaches 0
                jz     1234abcd                 ; taken only when the counter hit 0
                ...

           --      
 (  ,  ,  =  10),        --   
    .
               ,  
 N-    --      ,     ,  - 
  .

          :

                ...
                ; Randomly gated branch: check_debugger is reached only when `random`
                ; returns 7. `random` is not defined on this page; presumably EAX=10 is
                ; its range argument and it returns 0..9 in EAX -- TODO confirm.
                ; NOTE(review): a path gated like this does not run on every execution,
                ; so a single dynamic trace is not evidence that the path is absent.
                mov    eax, 10
                call   random
                cmp    eax, 7                   ; one specific value out of the range
                je     check_debugger           ; taken only on that value
                ...

     H     .    , ,
  .

        ,          ,   
           ,       
 ,   ,   .

               ,     
   --     ,     
 .      ,     
   ,            ,   .
        , 
       ,    ,   ,
  .

         :    (
   ),  ,   10 ,  
           /   ,         
 /,   ,   ,        
  .

           ,      N ""   
 ,   entrypoint  uep,      
  .
       ?  H,    ,     . . 
 -    !   ,    , 
 __   ,       "",      
 ,  .   --  . H  
 ,       ""    ,  
           1/100,   - 
 ,    1    win95 --> winNT
   .           ,
    ;      ,   
           
 ...

               ?   : 
   ,    N  ( ),    
  .
             :     
 A,B,C,...      1/10.       --  .
 H      ,              ,
      MMX',    
   ,              ,    ..
       A,B,C      --  1/1000,     
       ,    ,  ,  
   __    /    .  
  .

     H            --      
       .       
 ,           
       X.Z.6.6.6 --   
   ;        .

         'PE',      , 
         ,   GetTickCount.  
 ,       (   ) 
  ,    :

                  pornofuck.exe   ,
           , , .  ,  .

     ,            :       
 /   ;           /
 ;  ,     
 , ,  ,  ,  ,   .


     -       :     ?
       "  ",         
       .  ,    ;      
                ,    
      ,  ,  ,  .
       ,   
                      
 .
     H           ,    : 
  ""   ,     
 .     --  ,     ,
 .

     ,  ,        
     :
    entrypoint --> uep,
    standard --> crypt --> poly --> meta/permutating
    rda
    s&d

               "".   ,
        (,  )
 A,B,C,...,          
 , DWORD', 0-   A, 1-  B,   .

     H,   ,    --  
     ADD,  SUB, XOR,  ..     
 ,     .

                   
 ,   FFFFFFFF,       
     ;  ( )    
   .

                   ,  
            ,        
 DEC,XOR,SHL,   ADD,ADC,BSR,INC  ..

    ..   :
       SHR,OR,INC,ADD,ROL,XOR,OR,INC,ROL,OR,ADD,INC,XOR,XOR,SHR,OR,ROR,...
       ADD,ADD,XOR,INC,SUB,ROR,XOR,OR,INC,ADD,SUB,SHL,OR,INC,ADD,OR,SUB,...
       INC,OR,ROR,SUB,SHL,OR,ROR,ADD,OR,XOR,INC,SUB,SUB,SHL,ADD,INC,ADD,...
     :
       XOR,INC,ADD,INC,XOR,XOR,INC,XOR,ADD,INC,XOR,XOR,ADD,ADD,INC,XOR,...
       SHL,SHL,SHL,ADD,ADD,SHL,SUB,SUB,SUB,SHL,ADD,...
       XOR,OR,ROR,ROL,OR,ROL,ROL,OR,ROR,XOR,OR,XOR,ROR,OR,XOR,OR,ROL,...

        ,             
 ,           , 
    .

                     
 _  _,              
 .

     :     ?
     :
                ...
; Build a sparse random mask in EBX by ANDing three random dwords, retrying
; while the result is zero. Relies on get_rnd_dword returning its value in EAX
; and leaving EBX untouched. The per-bit probabilities below hold if the bits
; returned by get_rnd_dword are uniform and independent.
__re:           call    get_rnd_dword
                xchg    ebx, eax      ; EBX = 1st dword: each bit is 1 with p = 1/2
                call    get_rnd_dword
                and     ebx, eax      ; EBX &= 2nd dword: each bit is 1 with p = 1/4
                call    get_rnd_dword
                and     ebx, eax      ; EBX &= 3rd dword: each bit is 1 with p = 1/8
                jz      __re          ; ZF comes from the last AND: retry if no bit survived
                ...


       ?           
 ,                
 ,      ,      .


           .
           ,  
         randseed,   
               ;    
 -       randseed'.
                  
 randseed,     .

         32-   :

; Generator state. Both variables are declared uninitialised (`?`); this
; listing never assigns them a starting value before first use.
randseed                dd      ?       ; 32-bit LCG state, updated by process_randseed
randcount               db      ?       ; countdown: when it reaches 0, randomize runs

; randomize: mix the current tick count into the generator state.
; In:    nothing
; Out:   randseed += GetTickCount(); randcount = low byte of the tick count
; Clobb: flags only -- pusha/popa restore every general register, EAX included,
;        so the tick count itself is not returned to the caller.
; NOTE(review): the only entropy source here is the millisecond tick counter,
; so the state is reproducible by anyone who knows roughly when this ran.
randomize:              pusha
                        call    GetTickCount    ; KERNEL32.GetTickCount
                        add     randseed, eax   ; added to the old seed, not a replacement
                        mov     randcount, al   ; next reseed after this many steps (0 -> 256)
                        popa
                        retn

; process_randseed: advance the linear congruential generator one step:
;     randseed = randseed * 214013 + 2531011   (mod 2^32)
; These are the same multiplier and increment as the Microsoft C runtime rand().
; Out:   EAX = the new randseed value
; Clobb: flags; randcount is decremented
; NOTE(review): a 32-bit LCG is fully predictable once one state is known;
; it is not a cryptographic generator.
process_randseed:       mov     eax, randseed
                        imul    eax, 214013
                        add     eax, 2531011
                        mov     randseed, eax
                        dec     randcount       ; one step closer to the next reseed
                        jz      randomize       ; tail jump: randomize's retn returns to our
                                                ; caller, and its popa keeps EAX as computed above
                        retn

; get_rnd_number: random integer below a caller-supplied bound.
; in:    ECX=range
; out:   EAX=0..ECX-1  (ECX=0 takes the __mul path and yields EAX=0)
; Clobb: flags; ECX and EDX are saved and restored

get_rnd_number:         push    ecx
                        push    edx
                        call    process_randseed
                        cmp     ecx, 65536  ; does the range fit in 16 bits?
                        jb      __mul       ; yes: scale the high half of the state instead
__div:                  xor     edx, edx    ; EDX:EAX = zero-extended random dword
                        div     ecx         ; EDX = random dword mod ECX
                        xchg    edx, eax    ; EAX = remainder
                        jmp     __exit      ; this path serves ranges >= 65536
__mul:                  shr     eax, 16     ; EAX = high 16 bits of the state (0..65535)
                        imul    eax, ecx    ; both factors < 2^16, so no 32-bit overflow
                        shr     eax, 16     ; EAX = (hi16 * ECX) >> 16, always < ECX
__exit:                 pop     edx
                        pop     ecx
                        retn

; get_rnd_byte: one LCG step, returning only the top byte of the new state.
; Out:   EAX = 0..255 (bits 31..24 of randseed, zero-extended)
; Clobb: flags
; The high bits are used because the low-order bits of a power-of-two-modulus
; LCG repeat with short periods.
get_rnd_byte:           call    process_randseed
                        shr     eax, 24
                        retn

; get_rnd_dword: assemble a 32-bit value from four get_rnd_byte calls, i.e. four
; separate LCG steps, one byte taken from each.
; Out:   EAX = (b0 << 24) | (b1 << 16) | (b2 << 8) | b3
; Clobb: flags; ECX is saved and restored
get_rnd_dword:          push    ecx
                        call    get_rnd_byte
                        shl     eax, 24     ; b0 -> bits 31..24
                        xchg    ecx, eax    ; ECX accumulates the result
                        call    get_rnd_byte
                        shl     eax, 16     ; b1 -> bits 23..16
                        or      ecx, eax
                        call    get_rnd_byte
                        mov     ch, al      ; b2 -> bits 15..8
                        call    get_rnd_byte
                        or      eax, ecx    ; b3 is already in bits 7..0 of EAX
                        pop     ecx
                        retn

                 get_rnd_dword ?
 ,    rnd(0xFFFFFFFF)   randseed',    
    DWORD   ,  
 , ,    /.
       ,      randseed    
     ,     ,   
  7 .

           get_rnd_byte  ?  ,    
       r'  = r * 214013 + 2531011,    
       ,   .

        ?   ,  ,
   DISKREET';     ,   TurboPascal',   ,  
   .    : r' = r * 0x8088405 + 1. H
       (  ),    .

           ?      .      
 0,1,2,3,....,N-1,          __, 
       . ,  
   ,      -  .

        ,           ,        
  (  )    0  15,  
 XOR'        ,  ,  13,   :
 0,1,2,...,13,14,15 --> 13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2

            ,  
 :      randseed', process_randseed(),  (
   ,   )     ,  
  ;       .
           randseed    , 
      entrypoint   .

     ,   ,                 , 
   :

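  // Fill a 64 KiB buffer from the Windows CryptoAPI random generator.
  HCRYPTPROV hProv;
  // CryptAcquireContext returns nonzero (TRUE) on success and 0 on failure,
  // so the error path must trigger on a zero result.
  if (!CryptAcquireContext(&hProv, NULL, MS_DEF_PROV, PROV_RSA_FULL,
                           CRYPT_VERIFYCONTEXT))   return -1;
  BYTE* buf = new BYTE[ 65536 ];
  // CryptGenRandom can fail as well; buf must not be treated as random data
  // unless the call reported success.
  BOOL genOk = CryptGenRandom(hProv, 65536, buf);
  CryptReleaseContext(hProv, 0);   // release the provider on both paths
  if (!genOk) { delete[] buf; return -1; }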

     , , .     ?...

                                                                     Z0MBiE
                                                                  -2001
