 TBAV: signatures
 ддддддддддддддддддддддддддддддддддддддддддддддддддддддддддддддддддддддддд>
                                                                       Tcp

 Using the signature leaker from Virogen (Chiba City Times #2) i've done a
 little change  for version 7.04 of TBAV. Changes are more than i expected
 firstly  cause TBSCAN.SIG uses a different  encryption in each version, i
 knew that... but i also had to modify a limitation of the program because
 that TbSig wasn't able to manipulate files over f000h bytes (in TBAV 6.50
 it was already bigger than that, so the file extractor hanged).

 My program is included right  in this issue under \FILES. To use it, just
 copy  it  into your TBAV directory and run 'xsig > file.ext'. The program
 will dump in this file all the signatures, but before looking anything in
 that file, you should know the meaning  of the wildcards TBAV uses in its
 search strings; they appear in between the sigs with the format _38??_:


  Description                                            Signature
  ддддддддддддддддддддддддддддддддддддддддддддддддддддддддддддддддддд
  Jump over n bytes and continue                            388n
  Jump over nn bytes and continue, but nn < 7fh             388nn (1)
  Jump till n bytes                                         384n
  Jump till nn bytes and continue, but nn < 1fh             38nn  (1)
  The value ranges from n0 to n7                            382n
  The value ranges from n8h to nfh                          383n
  CRC from 38cn to 38c0 and compare it to the following 2   38cn  (2)


 (1) The highest bit is set. If nn is greater  than the number above indi-
     cated, then the bit will not be set.

 (2) This meaning is not in CCT#2, though it may  be due  to the fact that
     these  wildcards weren't  used  then; since 6.50 it is present in all
     the strings. If the wildcard is above 38c0, TBAV calculates a sort of
     CRC sum ranging 38c?-38c0 bytes (for instance, 38d7 will mean it gets
     17h bytes), and compares it to the next word in the string. Eg:


     String :        00 01 02 03 _38C3_ 33 44
     In file:        00 01 02 03 04 05  06 07


     In this example, TBAV would  compare  the 4 first bytes, which  would
     pass; then it'd find _38c3_, which tells it to CRC sum the three next
     bytes: 04, 05, and 06. If the CRC is 4433 it will say so :)

     Btw, if someone  is interested  in knowing how to calculate this CRC,
     look for me in #virus on IRC and ask :)


 Another thing Шirogen  didn't notice is that, as 38h represents the wild-
 card, if we want to represent the 38h itself, we must use _3880_ ;)

 Nothing more then; if you want to take a look at the program or read some
 more about it, look in Chiba City Times #2.


 Waiting for IP...