Copy Link
Add to Bookmark
Report

29A Issue 01 03 05

eZine's profile picture
Published in 
29A
 · 4 years ago

  

TBAV: antidetection
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ>
Blade Runner

Well, well, well... in this article, i'll show you all how to fuck TbScan
TBAV 7.00; you'll see how 'difficult' it is ;-) There are some points
that make it more vulnerable than previous versions, though it's true
that i spent more time on this one. Anyway, it wasn't more than five mi-
nutes ;-D Let's see... get you all the GameTools. Those of you without
them can use some other debugger which can capture interruptions on the
fly. Let's start...


C:\29A>tbscan c:\virus.com


When TbScan starts checking, we stop it when reading the master boot and
capture int 21h function 48h. As soon as it triggers, trace all the code
till the first ret. Then we're interested in the following addresses:


15E8:3593: here starts the routine to fuck
[...]
15E8:359B F607FF TEST Byte Ptr [BX],FF
15E8:359E 7415 JZ 35B5
^^ ^^
75 JNZ

Well, we make this little change and continue... we'll cancel the first
half of it heuristic checking.


15E8:35B8 81FB4A5A CMP BX,5A4A
15E8:35BC 72DD JB 359B
^^ ^^
77 JA

All right, we've killed its heuristics (second half). Keep on going...


15E8:1065 803EA4FF06 CMP Byte Ptr [FFA4],06
15E8:106A 7206 JB 1072
^^ ^^
77 JA

Again... we break the check changing the condition to the opposite one.
Let's continue...


15E8:108D F7065084FFFF TEST Word Ptr [8450],FFFF
15E8:1093 7408 JZ 109D
^^ ^^
75 JNZ

We're done with this last one. TbScan WILL NOT DETECT any damn virus; no
matter if we have 8000 in our HD, it doesn't mind. If you will deep into
this, here you have some windows with a bit more code, so you may get in
place:


ÉÍÍÍ INTERNAL DEBUGGER ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º º
º 15E8:3593 BF84FF MOV DI,FF84 º
º 15E8:3596 BB3458 MOV BX,5834 º
º 15E8:3599 33C0 XOR AX,AX º
º 15E8:359B F607FF TEST Byte Ptr [BX],FF º
>>15E8:359E 7415 JZ 35B5 -> JNZ 35B5 <<
º 15E8:35A0 8A4701 MOV AL,[BX+01] º
º 15E8:35A3 0006A4FF ADD [FFA4],AL º
º 15E8:35A7 8A4702 MOV AL,[BX+02] º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ


ÉÍÍÍ INTERNAL DEBUGGER ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º º
º 15E8:35AE 3AC4 CMP AL,AH º
º 15E8:35B0 7403 JZ 35B5 º
º 15E8:35B2 8AE0 MOV AH,AL º
º 15E8:35B4 AA STOSB º
º 15E8:35B5 83C306 ADD BX,+06 º
º 15E8:35B8 81FB4A5A CMP BX,5A4A º
>>15E8:35BC 72DD JB 359B -> JA 359B <<
º 15E8:35BE C3 RET º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ


ÉÍÍÍ INTERNAL DEBUGGER ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º º
º 15E8:105B C606A4FF00 MOV Byte Ptr [FFA4],00 º
º 15E8:1060 33C0 XOR AX,AX º
º 15E8:1062 AA STOSB º
º 15E8:1063 B007 MOV AL,07 º
º 15E8:1065 803EA4FF06 CMP Byte Ptr [FFA4],06 º
>>15E8:106A 7206 JB 1072 -> JA 1072 <<
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ


ÉÍÍÍ INTERNAL DEBUGGER ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º º
º 15E8:107D E80445 CALL 5584 º
º 15E8:1080 F606195604 TEST Byte Ptr [5619],04 º
º 15E8:1085 7406 JZ 108D º
º 15E8:1087 C70650840000 MOV Word Ptr [8450],0000 º
º 15E8:108D F7065084FFFF TEST Word Ptr [8450],FFFF º
>>15E8:1093 7408 JZ 109D -> JNZ 109D <<
º 15E8:1095 B005 MOV AL,05 º
º 15E8:1097 E8941B CALL 2C2E º
º 15E8:109A E9E900 JMP 1186 º
º 15E8:109D 803EA4FF40 CMP Byte Ptr [FFA4],40 º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ


Blade Runner/29A
Los Angeles, 2019

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT