Polymorphic code question: follow-up

Two weeks ago I made a post on writing some basic polymorphic code, which can be seen here:


I got some really good advice and it helped me on my way. However, I've encountered a new problem...

So the goal was to write a program where an MD5 hash of the .exe (built from that .cpp file) was taken at the beginning of runtime, and then again at the end, and compared. To prove that the code is polymorphic, the hash values have to be different. No big deal...I inserted a string into the .exe and that hash changed.

Here's my problem. The .exe is in machine code. The string I inserted is ASCII. That presents a major issue...I can't simply "re-run" my program without compiling it again. The string that is inserted is completely random, so if you recompile each time, the hash is always different.

I'd like to change it to where I can just run ./test.exe over and over and over, and have it work, instead of recompiling every time. Any suggestions?
I just found out that adding blank lines to the end of a .exe file will completely change the hash, but will not affect the program's ability to run. While I sort of feel like this is too simple of a solution, it works, so I'm going to run with it for now.
I'm afraid I don't understand.

The exe should not change as you run it, so the hash is going to remain the same. So this:

So the goal was to write a program where an MD5 hash of the .exe (built from that .cpp file) was taken at the beginning of runtime, and then again at the end, and compared

Those two hashes will always be identical, because running an exe does not modify its binary (assuming you are hashing the binary).

Going in and manually modifying the binary by adding newlines or 00's to the end of it or whatever just to get a different hash is completely pointless.

Furthermore, the hash of an exe has absolutely nothing to do with whether or not the code you wrote is polymorphic.

And lastly, compilers tend to watermark generated exes, so even if you change absolutely nothing in the source between two separate builds, it's very possible that the two generated exes will have different hashes.
Have you seen the example and explanation on the wiki? http://en.wikipedia.org/wiki/Polymorphic_code
wikipedia wrote:
This example is not really polymorphic code but will serve as an introduction to the world of encryption via the XOR operator. For example, in an algorithm using the variables A and B but not the variable C, there could be a large amount of code that changes C, and it would have no effect on the algorithm itself, allowing it to be changed endlessly and without heed as to what the final product will be.
Encrypted:
    lots of encrypted code
Decryption_Code:
    C = C + 1
    A = Encrypted
Loop:
    B = *A
    C = 3214 * A
    B = B XOR CryptoKey
    *A = B
    C = 1
    C = A + B
    A = A + 1
    GOTO Loop IF NOT A = Decryption_Code
    C = C^2
    GOTO Encrypted
CryptoKey:

wikipedia wrote:
The encrypted code is the payload. To make different versions of the code, in each copy the garbage lines which manipulate C will change. The code inside "Encrypted" ("lots of encrypted code") can search the code between Decryption_Code and CryptoKey and the algorithm for new code that does the same thing. Usually the coder uses a zero key (for example; A xor 0 = A) for the first generation of the virus, making it easier for the coder because with this key the code is not encrypted. The coder then implements an incremental key algorithm or a random one.

I've never attempted anything like this myself, but I don't think adding/removing data from the end of the executable file will count as polymorphic code.
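To make the Wikipedia scheme above concrete, here is an added Python example (not code from the thread, the original poster, or Wikipedia). It does what the second reply describes and what the original poster actually wanted to observe: every call of the generator emits a new copy of the program with a fresh XOR key and a fresh set of junk lines that only assign C, so the emitted copies hash differently each time, yet interpreting each copy's decryptor recovers the identical payload. The assembly-like instruction spellings, the labels, the "DATA" line holding the encrypted bytes, the register names A/B/C, the 32-bit width of C and the sample payload are all assumptions made for this toy; nothing here is machine code, and padding bytes onto a finished .exe plays no part in it.

```python
"""Toy polymorphic generator in the style of the Wikipedia XOR example.

Every generation writes out a new decryptor stub: a fresh XOR key and a fresh
set of junk lines that only ever assign C, which the real decryptor never reads.
The emitted program text therefore hashes differently each time, while running
its decryptor always recovers the same payload.  This is a toy interpreter, not
machine code; labels, register names and instruction spellings are assumptions.
"""
import hashlib
import random

PAYLOAD = b"Hello from the payload!"  # constructed sample payload standing in for real code

# Junk templates: each writes only C, so the decryptor's behaviour is unaffected.
JUNK_TEMPLATES = ["C = C + {n}", "C = {n} * A", "C = C ^ 2", "C = A + B", "C = {n}"]

# The real decryptor. Lines ending in ':' are labels and are never executed.
DECRYPTOR = [
    "A = Encrypted",
    "Loop:",
    "B = *A",
    "B = B XOR CryptoKey",
    "*A = B",
    "A = A + 1",
    "GOTO Loop IF NOT A = Decryption_Code",
    "GOTO Encrypted",
]


def make_generation(payload: bytes, rng: random.Random) -> str:
    """Return one generation as program text: encrypted payload plus a mutated stub."""
    key = rng.randrange(1, 256)  # key 0 would leave the payload in the clear
    encrypted = bytes(b ^ key for b in payload)
    lines = ["Encrypted:", "    DATA " + encrypted.hex(), "Decryption_Code:"]
    for instr in DECRYPTOR:
        for _ in range(rng.randrange(0, 4)):  # 0..3 junk lines before each real line
            junk = rng.choice(JUNK_TEMPLATES).format(n=rng.randrange(1, 10000))
            lines.append("    " + junk)
        lines.append(instr if instr.endswith(":") else "    " + instr)
    lines += ["CryptoKey:", f"    {key}"]
    return "\n".join(lines) + "\n"


def _junk_value(expr: str, regs: dict) -> int:
    """Evaluate a junk expression such as 'C + 5', '12 * A', 'C ^ 2' or '42'."""
    def val(tok):
        return regs[tok] if tok in regs else int(tok)
    toks = expr.split()
    if len(toks) == 1:
        return val(toks[0])
    x, op, y = toks
    if op == "+":
        return val(x) + val(y)
    if op == "*":
        return val(x) * val(y)
    return val(x) ** val(y)  # '^' is exponentiation in the Wikipedia pseudocode


def run_decryptor(program: str) -> bytes:
    """Interpret a generation's decryptor and return the decrypted payload bytes."""
    lines = [ln.strip() for ln in program.splitlines() if ln.strip()]
    labels = {ln[:-1]: i for i, ln in enumerate(lines) if ln.endswith(":")}
    mem = bytearray(bytes.fromhex(lines[labels["Encrypted"] + 1].split()[1]))
    key = int(lines[labels["CryptoKey"] + 1])
    end = len(mem)  # Encrypted sits at address 0, Decryption_Code right after it
    regs = {"A": 0, "B": 0, "C": 0}
    pc = labels["Decryption_Code"]
    while True:
        line = lines[pc]
        pc += 1
        if line.endswith(":"):
            continue  # label, nothing to execute
        if line == "A = Encrypted":
            regs["A"] = 0
        elif line == "B = *A":
            regs["B"] = mem[regs["A"]]
        elif line == "B = B XOR CryptoKey":
            regs["B"] ^= key
        elif line == "*A = B":
            mem[regs["A"]] = regs["B"]
        elif line == "A = A + 1":
            regs["A"] += 1
        elif line == "GOTO Loop IF NOT A = Decryption_Code":
            if regs["A"] != end:
                pc = labels["Loop"]
        elif line == "GOTO Encrypted":
            return bytes(mem)  # control would now pass to the decrypted payload
        elif line.startswith("C = "):
            regs["C"] = _junk_value(line[4:], regs) & 0xFFFFFFFF  # junk, 32-bit register
        else:
            raise ValueError("unknown instruction: " + line)


def generations(n: int, seed=None):
    """Emit n generations; return (MD5 hex digests of each copy, decrypted payloads)."""
    rng = random.Random(seed)
    progs = [make_generation(PAYLOAD, rng) for _ in range(n)]
    digests = [hashlib.md5(p.encode()).hexdigest() for p in progs]
    return digests, [run_decryptor(p) for p in progs]


if __name__ == "__main__":
    for digest, out in zip(*generations(3)):
        print(digest, out)
```

Run it several times and every copy's digest differs while the recovered payload never does; the hash changes because the decryptor itself was rewritten, not because bytes were appended. Notice too that the key is drawn from 1..255: a zero key, which the quoted text mentions as a convenience for the first generation, leaves the payload readable in the "DATA" line.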