RHINCE
Type: Polymorphic mutation engine
Creator: Rhincewind
Date Completed: 1995
Place of Origin:
Source Language: Assembly
Platform: DOS

RHINCE is a mutation engine by Rhincewind of the group VLAD. Its name stands for "The Rickety and Hardly Insidious yet New Chaos Engine". The engine is very small, 416 bytes in length, and is modeled after the Dark Slayer Confusion Engine, which allows the person writing the virus to avoid keeping track of a counter, pointer or any other register. Its calling parameters are CX for the length of the code to encrypt, DS:DX for the 32-bit pointer to the code to encrypt, and BP for the offset the encrypted code will be run at. Its return parameters are CX and DS:DX, which involve the same values as the calling parameters.

As with Dark Avenger's engine, the virus writer needs to call it at the same offset as the assembled version. This can make it more difficult to implement in a direct action infector, since the writer will have to relocate CS:IP, while it makes no difference for a memory resident virus. Encrypted code is placed after the engine at a "polycode" label. This can be moved if it is inconvenient.

Rhincewind was motivated to write the engine because he thought the Dark Slayer Confusion Engine was too large. He noted that it was a simple matter for an antivirus program to detect it, but did not care.

The Goodtimes virus by Qark uses the RHINCE engine.

Sources

Rhincewind. VLAD Issue 4, RHINCE Source Code.
