Copy Link
Add to Bookmark
Report
29A Issue 01 03 04
TBAV: signatures
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ>
Tcp
Using the signature leaker from Virogen (Chiba City Times #2) i've done a
little change for version 7.04 of TBAV. Changes are more than i expected
firstly cause TBSCAN.SIG uses a different encryption in each version, i
knew that... but i also had to modify a limitation of the program because
that TbSig wasn't able to manipulate files over f000h bytes (in TBAV 6.50
it was already bigger than that, so the file extractor hanged).
My program is included right in this issue under \FILES. To use it, just
copy it into your TBAV directory and run 'xsig > file.ext'. The program
will dump in this file all the signatures, but before looking anything in
that file, you should know the meaning of the wildcards TBAV uses in its
search strings; they appear in between the sigs with the format _38??_:
Description Signature
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Jump over n bytes and continue 388n
Jump over nn bytes and continue, but nn < 7fh 388nn (1)
Jump till n bytes 384n
Jump till nn bytes and continue, but nn < 1fh 38nn (1)
The value ranges from n0 to n7 382n
The value ranges from n8h to nfh 383n
CRC from 38cn to 38c0 and compare it to the following 2 38cn (2)
(1) The highest bit is set. If nn is greater than the number above indi-
cated, then the bit will not be set.
(2) This meaning is not in CCT#2, though it may be due to the fact that
these wildcards weren't used then; since 6.50 it is present in all
the strings. If the wildcard is above 38c0, TBAV calculates a sort of
CRC sum ranging 38c?-38c0 bytes (for instance, 38d7 will mean it gets
17h bytes), and compares it to the next word in the string. Eg:
String : 00 01 02 03 _38C3_ 33 44
In file: 00 01 02 03 04 05 06 07
In this example, TBAV would compare the 4 first bytes, which would
pass; then it'd find _38c3_, which tells it to CRC sum the three next
bytes: 04, 05, and 06. If the CRC is 4433 it will say so :)
Btw, if someone is interested in knowing how to calculate this CRC,
look for me in #virus on IRC and ask :)
Another thing ûirogen didn't notice is that, as 38h represents the wild-
card, if we want to represent the 38h itself, we must use _3880_ ;)
Nothing more then; if you want to take a look at the program or read some
more about it, look in Chiba City Times #2.
Waiting for IP...