Copy Link
Add to Bookmark
Report
Hexfiles Issue 4 File 021
HEX-FILES No. 3 File 021
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
HOW TO COMPILE LISTINGS IN HEX-FILES
***********************************************************************
* *
* HEX-FILES does not carry live virus. However, program listings and *
* scripts found in HEX-FILES create first generation viruses, *
* infected programs, virus droppers or other virus related programs *
* when compiled. This was intentionally done to prevent someone from *
* executing these programs without exactly knowing what the programs *
* really are. Believe me, there are people stupid enough to do this. *
* *
* If you create an executable program out of those listed in *
* HEX-FILES, it is taken to mean that you are fully aware of the *
* nature of these programs and the consequences of their use. You *
* also agree that HEX-FILES and/or anybody connected with HEX-FILES *
* in any way are not responsible for any damage that may result from *
* the use or misuse of these programs. *
* *
* You, the person who created the executable program and/or executed *
* the program shall bear full responsibility for your actions. *
* *
* Furthermore, you fully agree that these programs are only to be *
* used for research and/or educational purposes. Last but not least, *
* in no way shall these programs be used to inflict harm and/or *
* damage on another person and/or his property. *
* *
***********************************************************************
Programs in HEX-FILES are presented as assembly language source code
(*.asm) or debug scripts (*.scr). The suggested name for the assembly
source code or debug script is indicated before the listing. The
compiler used to exactly recreate the virus is indicated at the start
of the assembly listing. If another compiler is used, you might not
be able to recreate the exact virus and instead create a new variant
of the virus.
If the debug scripts contains an infected program, the virus that
infected the program is at least on the third generation. The first
generation being the compilation of the source code that appears with
it. If this is not the case, this would be stated somewhere in the
accompanying article and/or immediately before the debug script.
How to create an executable program
1. Open the selected file in a text editor. You can also use your
word processor but you will have to save it as a plain text or
ms-dos text file. Save a back-up copy of the file. Most files
contain both asm or scr/uue listings, and others contain multiple
listings.
2. Cut everything from the start of the file up to the line which
says
ÄÄÄÄÄÄÄÄ xxxxxxxx.ASM starts here ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
or ÄÄÄÄÄÄÄÄ xxxxxxxx.SCR starts here ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
or ÄÄÄÄÄÄÄÄ xxxxxxxx.UUE starts here ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Cut everything from the line which says
ÄÄÄÄÄÄÄÄ xxxxxxxx.ASM ends here ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
or ÄÄÄÄÄÄÄÄ xxxxxxxx.SCR ends here ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
or ÄÄÄÄÄÄÄÄ xxxxxxxx.UUE ends here ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
up to the end of the file.
4. Save the file as xxxxxxxx.ASM or xxxxxxxx.SCR or xxxxxxxx.UUE, as
the case may be. Remember to save the file as plain text or ms-dos
text file.
5. Compile the listing
5.1. For debug scripts, the command line is
debug < xxxxxxxx.SCR
An executable file is created, usually a com. If the created
file is an exe, it will have an .ex_ extension. Rename to
xxxxxxxx.exe to make it executable.
5.2. For uuencoded scripts, the command line is
uudecode xxxxxxxx.UUE
This recreates the original file.
5.3. For assembly source codes, the listing is written in a way
that it could be compiled by different compilers,
specifically A86 4.02, TASM 2.01 and MASM 5.0. Other
compilers could be used but might require code fixes.
5.3.1. Command line for A86 version 4.02
5.3.1.1. Create COM program with org 100 directive
a86 xxxxxxxx.ASM
5.3.1.2. Create COM program with org 0 directive
a86 xxxxxxxx.ASM xxxxxxxx.COM
5.3.1.3. Create EXE program
a86 xxxxxxxx.ASM xxxxxxxx.OBJ
linker xxxxxxxx.OBJ
You can use tasm's tlink, masm's link or a linker
of your choice. a86 does not have a separate linker
program.
5.3.2. Command line for TASM version 2.01
5.3.2.1. Create COM program with org 100 directive
tasm xxxxxxxx.ASM;
tlink /t xxxxxxxx.OBJ;
5.3.2.2. Create COM program with org 0 directive
tasm xxxxxxxx.ASM;
tlink xxxxxxxx.OBJ;
exe2bin xxxxxxxx.EXE xxxxxxxx.COM
You can use other binary converters instead of
exe2bin.
5.3.2.3. Create EXE program
tasm xxxxxxxx.ASM;
tlink xxxxxxxx.OBJ;
5.3.3. Command line for MASM version 5.0
5.3.3.1. Create COM program
masm xxxxxxxx.ASM;
link xxxxxxxx.OBJ;
exe2bin xxxxxxxx.EXE xxxxxxxx.COM
You can use other binary converters instead of
exe2bin.
5.3.3.2. Create EXE program
masm xxxxxxxx.ASM;
link xxxxxxxx.OBJ;
5.3.4. For other compilers, refer to the program documentation
or the compiler's help screen.
Availability of Compilers/Programs
1. DEBUG.EXE comes with Microsoft's operating system. If you are
using ms-dos/win9x you have debug unless you deleted it.
2. UUDECODE.COM is available from most shareware archives. I also
have a debug script of UUDECODE.COM at the end of this file.
3. EXE2BIN.EXE comes with ms-dos but was dropped from ms-dos 6.
Programs similar to exe2bin are available from shareware sites.
However, if you still want exe2bin, I think you can download a
copy from microsoft.
4. A86 is a shareware program and is available from shareware sites
or you can get it directly from its distribution site at
http://eji.com/a86/index.htm
5. TASM and MASM are commercial programs. If you are interested, get
in touch with Borland and Microsoft, respectively.
However, if like me, you couldn't afford to buy these programs, a
copy is available from your friendly warez and/or virus sites. I
won't tell you where but...
Seek and you will find
Knock and it will be opened to you
6. For other compilers, you can find many shareware assembly
compilers in the Internet. Refer to FAQs of assembly language
newsgroups, such as alt.lang.asm and comp.lang.asm.x86, on what
are these and where you can get them.
ÄÄ UUDECODE.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
N UUDECODE.COM
E 0100 EB 5F 90 49 6E 70 75 74 20 66 69 6C 65 20 65 72
E 0110 72 6F 72 2E 4F 75 74 70 75 74 20 66 69 6C 65 20
E 0120 65 72 72 6F 72 2E 73 74 61 72 74 20 6E 6F 74 20
E 0130 66 6F 75 6E 64 2E 45 6E 64 20 6E 6F 74 20 66 6F
E 0140 75 6E 64 2E 20 65 78 69 73 74 73 2E 20 41 62 6F
E 0150 72 74 69 6E 67 21 00 00 00 00 AC 03 AC 03 5C 03
E 0160 00 E8 FA 01 E8 54 01 BF 5C 03 E8 D1 00 AD 3D 62
E 0170 65 75 F4 AD 3D 67 69 75 EE AD 3D 6E 20 75 E8 BF
E 0180 5C 03 B4 20 AC 3A C4 76 FB AC 3A C4 75 FB AC 3A
E 0190 C4 76 FB 3A C4 74 04 AA AC EB F8 BA 5C 03 33 C9
E 01A0 88 0D 80 3E 60 01 FF 74 1E B4 4E CD 21 3C 02 74
E 01B0 16 3C 12 74 12 8B CF 2B CA E8 2F 01 BA 44 01 B9
E 01C0 12 00 B0 05 E9 16 01 B4 3C CD 21 73 03 E9 E3 00
E 01D0 A3 58 01 BF 5C 03 E8 65 00 AC 0A C0 74 48 BB 20
E 01E0 20 2A C3 0A C0 74 3F 32 E4 8B E8 B9 04 06 AC 8A
E 01F0 E0 AC 8A D0 2B C3 D0 E4 D0 E4 D2 E8 0A C4 AA 4D
E 0200 74 D4 8A E2 AC 8A D0 2B C3 D2 E4 D0 E8 D0 E8 0A
E 0210 C4 AA 4D 74 C1 8A E2 AC 2B C3 8A CD D2 E4 0A C4
E 0220 AA 4D 75 C7 EB B0 E8 15 00 AD 3D 65 6E 75 05 AC
E 0230 3C 64 74 03 E8 AE 00 E8 61 00 B4 4C CD 21 8B 36
E 0240 5A 01 89 3E 5E 01 BD 50 00 BF 0C 03 33 C0 AB B9
E 0250 27 00 B8 20 20 F3 AB BF 0C 03 3B 36 5C 01 72 06
E 0260 E8 38 00 E8 55 00 AC 3C 60 75 04 B0 20 EB 08 3C
E 0270 0D 74 1B 3C 0A 74 18 AA 4D 75 DF 3B 36 5C 01 72
E 0280 03 E8 37 00 AC 3C 0A 75 F2 BF 5C 03 EB B4 46 89
E 0290 36 5A 01 8B 3E 5E 01 BE 0C 03 C3 BA 5C 03 8B CA
E 02A0 87 0E 5E 01 2B CA 76 0A 8B 1E 58 01 B4 40 CD 21
E 02B0 72 01 C3 BA 14 01 B9 12 00 EB 22 BA AC 03 B9 54
E 02C0 FA 8B 1E 56 01 B4 3F CD 21 72 0C 0B C0 74 08 8B
E 02D0 F2 03 C6 A3 5C 01 C3 BA 03 01 B9 11 00 50 E8 0A
E 02E0 00 58 E9 55 FF BA 36 01 B9 0E 00 52 51 BA 3E 03
E 02F0 B9 02 00 90 E8 0C 00 59 5A E8 07 00 BA 3E 03 B9
E 0300 02 00 90 BB 02 00 B4 40 CD 21 C3 90 0D 0A 54 68
E 0310 69 73 20 50 72 6F 67 72 61 6D 20 52 65 71 75 69
E 0320 72 65 73 20 44 4F 53 20 56 65 72 73 69 6F 6E 20
E 0330 32 2E 30 20 6F 72 20 68 69 67 68 65 72 2E 0D 0A
E 0340 24 0D 0A 49 6E 70 75 74 20 70 61 74 68 2F 66 69
E 0350 6C 65 3A 20 20 4E 6F 20 61 63 74 69 6F 6E B4 30
E 0360 CD 21 3C 02 73 0C BA 0C 03 B4 09 CD 21 B8 01 4C
E 0370 CD 21 E8 46 00 73 33 BA 68 04 B9 1B 01 90 E8 6A
E 0380 FF BA 41 03 B9 14 00 BB 02 00 B4 40 CD 21 BF 7F
E 0390 00 C6 05 50 8B D7 B4 0A CD 21 E8 1E 00 73 0B BA
E 03A0 55 03 B9 09 00 B0 01 E9 33 FF BA 04 04 B8 00 3D
E 03B0 CD 21 72 04 A3 56 01 C3 E9 1C FF BE 80 00 BF 04
E 03C0 04 FC AC 0A C0 74 2F B4 20 AC 3A C4 76 FB 3A C4
E 03D0 76 26 3C 2F 74 04 3C 2D 75 18 8B D0 8B 04 3C 3F
E 03E0 74 1B 24 5F 3D 4F 20 8B C2 75 07 F6 16 60 01 46
E 03F0 46 AC AA AC EB D8 F9 C3 C6 05 00 F8 C3 BA 68 04
E 0400 E9 66 FF 90 55 55 44 45 43 4F 44 45 20 76 32 2E
E 0410 30 00 4F 72 69 67 69 6E 61 6C 6C 79 20 62 79 20
E 0420 54 68 65 6F 64 6F 72 65 20 41 2E 20 4B 61 6C 64
E 0430 69 73 00 54 68 6F 72 6F 75 67 68 6C 79 20 72 65
E 0440 68 61 63 6B 65 64 20 62 79 20 44 61 76 69 64 20
E 0450 50 20 4B 69 72 73 63 68 62 61 75 6D 2C 20 54 6F
E 0460 61 64 20 48 61 6C 6C 00 55 55 44 45 43 4F 44 45
E 0470 20 5B 2D 3F 5D 5B 2D 6F 5D 20 5B 64 3A 5D 5B 5C
E 0480 70 61 74 68 5C 5D 62 69 6E 61 72 79 2E 55 55 45
E 0490 20 3C 52 45 54 55 52 4E 3E 0D 0A 55 73 69 6E 67
E 04A0 20 74 68 65 20 66 69 6C 65 6E 61 6D 65 2E 74 79
E 04B0 70 20 69 6E 20 74 68 65 20 22 62 65 67 69 6E 22
E 04C0 20 6C 69 6E 65 2C 0D 0A 70 72 6F 64 75 63 65 73
E 04D0 20 75 75 64 65 63 6F 64 65 64 20 66 69 6C 65 6E
E 04E0 61 6D 65 2E 74 79 70 20 6F 6E 20 63 75 72 72 65
E 04F0 6E 74 20 64 72 69 76 65 5C 70 61 74 68 0D 0A 28
E 0500 70 72 6F 76 69 64 69 6E 67 20 66 69 6C 65 6E 61
E 0510 6D 65 2E 74 79 70 20 64 6F 65 73 6E 27 74 20 61
E 0520 6C 72 65 61 64 79 20 65 78 69 73 74 29 2E 0D 0A
E 0530 2D 6F 20 73 77 69 74 63 68 20 66 6F 72 63 65 73
E 0540 20 6F 76 65 72 77 72 69 74 65 20 6F 66 20 65 78
E 0550 69 73 74 69 6E 67 20 66 69 6C 65 6E 61 6D 65 2E
E 0560 74 79 70 0D 0A 2D 3F 20 70 72 6F 64 75 63 65 73
E 0570 20 74 68 69 73 20 68 65 6C 70 20 6D 65 73 73 61
E 0580 67 65 2E 0D 0A 24
RCX
0486
W
Q
ÄÄ UUDECODE.SCR ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-=<HF4>=-
