
Polymorphic code

In computer science (and, more often, in the terminology of the computer underground) polymorphic code is code that mutates from one copy to the next while keeping the original algorithm intact: every generation looks different byte for byte, but computes the same thing.

The technique is used by computer viruses and by shellcode to keep their encryption/decryption engines from being matched by the fixed byte signatures that anti-virus software and intrusion-detection systems look for. The encrypted body already changes with every key, so the small decryptor stub is the only constant part a scanner could match; polymorphism exists to make that stub vary as well.

How it works

An algorithm that uses, say, the variables A and B but never reads the variable C keeps working no matter how many instructions that only write to C are inserted between its own instructions. Such instructions are junk: they change the bytes of the code without changing what it computes.

The original algorithm (A walks a pointer over the encrypted body, B holds the byte being decrypted, CryptoKey is the XOR key):

Start:
GOTO Decryption_Code
Encrypted:
    ...
    lots of encrypted code
    ...
Decryption_Code:
    A = Encrypted
Loop:
    B = *A
    B = B XOR CryptoKey
    *A = B
    A = A + 1
    GOTO Loop IF NOT A = Decryption_Code
    GOTO Encrypted
CryptoKey:
    some_random_number

The same algorithm, with unnecessary C-altering instructions inserted:
Start:
GOTO Decryption_Code
Encrypted:
    ...
    lots of encrypted code
    ...
Decryption_Code:
    C = C + 1
    A = Encrypted
Loop:
    B = *A
    C = 3214 * A
    B = B XOR CryptoKey
    *A = B
    C = 1
    C = A + B
    A = A + 1
    GOTO Loop IF NOT A = Decryption_Code
    C = C^2
    GOTO Encrypted
CryptoKey:
    some_random_number

Once decrypted, the code inside "Encrypted" can scan the engine between Decryption_Code and CryptoKey, remove every instruction that alters C, and, before the engine is used again, insert a fresh set of unnecessary C-altering instructions at different positions. Decryption still works because nothing in the algorithm ever reads C.
Start:
GOTO Decryption_Code

Encrypted:
    ...
    (when this part is decrypted, it will contain the following...)
    ...
    Then remove all the C-Codes between Decryption_Code and CryptoKey
    And insert new unnecessary C-Codes at other locations in the algorithm
    Change the code beneath "Change_this" to RETURN_TO_SYSTEM
    ...
    Do_whatever_this_code_is_supposed_to_do
    ...
    GOTO Decryption_Code

Decryption_Code:
    C = C + 1
    A = Encrypted
Loop:
    B = *A
    C = 3214 * A
    B = B XOR CryptoKey
    *A = B
    C = 1
    C = A + B
    A = A + 1
    GOTO Loop IF NOT A = Decryption_Code
    C = C^2
Change_this:
    GOTO Encrypted
CryptoKey:
    some_random_number

The code above decrypts the body inside "Encrypted" with a mutated decryption engine and then transfers control to the decrypted body. That body first strips every C-altering instruction from the engine and inserts fresh ones at other, randomly chosen positions, so the next copy of the engine has a different byte pattern. It then patches the instruction under "Change_this" from "GOTO Encrypted" to "RETURN_TO_SYSTEM". This lets the same engine serve as the encryptor: XOR with a fixed key is its own inverse, so running the loop a second time over the decrypted body re-encrypts it, and the patched instruction then hands control back to the system instead of jumping into what is once again ciphertext. In between, the body does whatever it is there to do (spreading to other files, in the case of a virus) and finally jumps back to Decryption_Code to re-encrypt itself.

A copy that replicates itself (a computer worm or virus) has to ship the body inside "Encrypted" in encrypted form, so it must run that re-encryption pass before it writes the copy out, and it should pick a fresh CryptoKey for every copy so the body differs as well. One caveat a practitioner should keep in mind: inserting junk on a dead register changes the bytes around the core instructions, but leaves those instructions themselves intact and in order, so a scanner that skips over the junk, or simply emulates the stub until the body is decrypted, can still recognise the fixed core.
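A runnable model of the whole procedure, added here as an example (it is not code from the article and not a real engine): a toy instruction set with the article's registers A and B, a dead register C, and four kinds of instruction that only write C. gen_decryptor builds one generation of the stub by sprinkling junk between the fixed core instructions and patching the branch target afterwards, run_decryptor is a small interpreter for the stub, and roundtrip XOR-encrypts a constructed sample payload, runs a freshly generated stub over it and checks that the plaintext comes back. The seeds, the key 0x5A, the xorshift generator, the instruction names and the payload text are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy instruction set for the article's XOR decryptor (constructed model,
 * not code from the article or from any real engine).  A and B are the
 * registers the algorithm needs; C is the dead register the junk writes to. */
enum { SET_A, LOAD_B, XOR_B, STORE_B, INC_A, JNE_A, HALT, C_ADD, C_MUL_A, C_SET, C_SQ };

typedef struct { uint8_t op; int32_t x; int32_t y; } Insn;

static uint32_t xs32(uint32_t *s) {             /* xorshift32 PRNG (assumed, not the article's) */
    uint32_t v = *s; v ^= v << 13; v ^= v >> 17; v ^= v << 5; return *s = v;
}

static Insn junk(uint32_t *rng) {               /* a random instruction that only writes C */
    Insn j;
    j.op = (uint8_t)(C_ADD + xs32(rng) % 4);
    j.x = (int32_t)xs32(rng);
    j.y = 0;
    return j;
}

/* One generation: the fixed core (A = 0; Loop: B = mem[A]; B ^= key; mem[A] = B;
 * A++; goto Loop if A != len; halt) with 1-2 junk instructions in front of each
 * core instruction.  The branch is patched afterwards because junk moves "Loop:". */
size_t gen_decryptor(Insn *out, size_t cap, uint8_t key, size_t len, uint32_t seed) {
    uint32_t rng = seed ? seed : 1;             /* xorshift needs a non-zero state */
    Insn core[7] = { {SET_A, 0, 0}, {LOAD_B, 0, 0}, {XOR_B, key, 0}, {STORE_B, 0, 0},
                     {INC_A, 0, 0}, {JNE_A, (int32_t)len, 0}, {HALT, 0, 0} };
    size_t n = 0, loop = 0, jne = 0;
    for (size_t i = 0; i < 7; i++) {
        size_t k = 1 + xs32(&rng) % 2;
        while (k--) { if (n >= cap) return 0; out[n++] = junk(&rng); }
        if (n >= cap) return 0;
        if (core[i].op == LOAD_B) loop = n;     /* the "Loop:" label lands here */
        if (core[i].op == JNE_A) jne = n;
        out[n++] = core[i];
    }
    out[jne].y = (int32_t)loop;
    return n;
}

/* Run a generation against mem[0..len).  Returns 1 on a clean HALT, 0 on an
 * out-of-range access, a bad branch target, or a runaway loop. */
int run_decryptor(const Insn *code, size_t n, uint8_t *mem, size_t len) {
    int32_t A = 0, B = 0;
    uint32_t C = 0;                             /* unsigned so junk arithmetic may wrap */
    size_t pc = 0, steps = 0;
    while (pc < n && steps++ < 100000) {
        const Insn *in = &code[pc++];
        switch (in->op) {
        case SET_A:   A = in->x; break;
        case LOAD_B:  if ((size_t)A >= len) return 0; B = mem[A]; break;
        case XOR_B:   B ^= in->x; break;
        case STORE_B: if ((size_t)A >= len) return 0; mem[A] = (uint8_t)B; break;
        case INC_A:   A++; break;
        case JNE_A:   if (A != in->x) { if ((size_t)in->y >= n) return 0; pc = (size_t)in->y; } break;
        case HALT:    return 1;
        case C_ADD:   C += (uint32_t)in->x; break;
        case C_MUL_A: C = (uint32_t)in->x * (uint32_t)A; break;
        case C_SET:   C = (uint32_t)in->x; break;
        case C_SQ:    C = C * C; break;
        default:      return 0;
        }
    }
    return 0;
}

/* Constructed stand-in for the body the article calls "Encrypted". */
static const uint8_t PAYLOAD[] = "constructed payload: do_whatever_this_code_is_supposed_to_do";

/* Encrypt PAYLOAD with enc_key, build a generation carrying stub_key, run it, and
 * report whether the plaintext came back.  XOR is its own inverse, so only the
 * matching key can succeed. */
int roundtrip(uint32_t seed, uint8_t enc_key, uint8_t stub_key) {
    uint8_t mem[sizeof PAYLOAD];
    Insn stub[64];
    memcpy(mem, PAYLOAD, sizeof mem);
    for (size_t i = 0; i < sizeof mem; i++) mem[i] ^= enc_key;
    size_t n = gen_decryptor(stub, 64, stub_key, sizeof mem, seed);
    if (n == 0 || !run_decryptor(stub, n, mem, sizeof mem)) return 0;
    return memcmp(mem, PAYLOAD, sizeof mem) == 0;
}

/* Two generations from different seeds should not match instruction for instruction. */
int stubs_differ(uint32_t seed1, uint32_t seed2) {
    Insn a[64], b[64];
    size_t na = gen_decryptor(a, 64, 0x5A, sizeof PAYLOAD, seed1);
    size_t nb = gen_decryptor(b, 64, 0x5A, sizeof PAYLOAD, seed2);
    if (na != nb) return 1;
    for (size_t i = 0; i < na; i++)
        if (a[i].op != b[i].op || a[i].x != b[i].x || a[i].y != b[i].y) return 1;
    return 0;
}

int main(void) {
    printf("%d %d %d %d\n", roundtrip(1, 0x5A, 0x5A), roundtrip(2, 0x5A, 0x5A),
           roundtrip(1, 0x5A, 0x3C), stubs_differ(1, 2));   /* expect 1 1 0 1 */
    return 0;
}
```

Two seeds give two stubs that differ instruction for instruction yet decrypt the same body, which is the property the article describes; the wrong-key call shows that a stub is only useful together with the CryptoKey it was built for. The model also shows what junk insertion does not hide: drop every C-only instruction and each generation collapses to the same seven-instruction core.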

See also: self-modifying code, alphanumeric code, shellcode, cracking