 
 ____   ___  ____  _____    ____ ___  __  __    ____                  _
|  _ \ / _ \/ ___|| ____|  / ___/ _ \|  \/  |  / ___|_ __ _   _ _ __ | |_
| |_) | | | \___ \|  _|   | |  | | | | |\/| | | |   | '__| | | | '_ \| __|
|  _ <| |_| |___) | |___  | |__| |_| | |  | | | |___| |  | |_| | |_) | |_
|_| \_\\___/|____/|_____|  \____\___/|_|  |_|  \____|_|   \__, | .__/ \__|
                                                          |___/|_|

--------------------------------------------------------------------------
                     RSCC - ROSE SWE Super COM Crypt
--------------------------------------------------------------------------
$Header: /home/CVS/asm/rc/rscc.txt,v 1.11 2003/07/31 18:55:06 ralproth Exp $

This was a test to write a crypter/protector that is fully polymorph. I 
got this idea from the famous Uruguay virus family. Unfortunately virus 
scanners like AVP/KAV find in RSCC 1.05 (and lower) protected files a 
TPE.DOS virus with is a false positive! This limits the use of older 
RSCC version! Starting with RSCC 1.20 we use another (ADDITIONALLY!) 
mutation engine, so this false positive is fixed!

I suggest to put over RSCC another protector like RC/Hard or HackStop to 
avoid false positives from anti virus software!

Files to protect must be greater than 300-400 bytes and smaller than 55 
KB. RSCC will add protection code that is in average 215 bytes long (the 
smallest protector is around 177 bytes and larger protectors are around 
250 bytes). The plain RSCC protector size is 138 bytes, the rest is 
needed for the polymorph code. The average protector length is 229 bytes 
for RSCC 1.20.

If RSCC successfully crypts a file then the jump to the second 
decryption routine will be hidden under a polymorphic layer (approx 80 
bytes long). This first layer is encrypted using the new HS Mutation 
Engine V2.0. The second polymorph layer is encrypted using the old HS 
Mutation Engine V1.0 which is based on the TPE 1.4 engine.

RSCC is based on RC286 version 1.11. I release this lame stuff because 
many people ask me for 'new' stuff to write detection and unpacker tools 
for. Maybe YOU will find bugs in RSCC - for this reason the original 
source code is included!

 Ralph Roth, ROSE SWE


