40Hex Number 5 Volume 2 Issue 1 File 007 HOW TO MODIFY A VIRUS SO SCAN WON'T CATCH IT PART II In Issue 1 of 40Hex, Hellraiser presented a simple (though incredibly tedious) method of searching for scan strings. In short, this was his method: 1) Make a small carrier file. 2) Infect the carrier with the virus. 3) Fill parts of the virus with a dummy value until you isolate the scan string. 4) Modify the virus so it is not detectable, i.e. switch the order of the instructions. The problem is, of course, that step 3 takes a maddeningly inordinate amount of time. I shall present a tip which will save you much time. The trick is, of course, to find out where the encryption mechanism and hence the unencrypted portion where the scan string is usually located. Once the encryption mechanism is located, isolating the scan string is much simpler. Of course, the problem is finding the encryption mechanism in the first place. The simplest method of doing this is using V Communication's Sourcer 486, or any similar dissassembler. Dissassemble the file and search for the unencrypted portions. Most of the file will be DBs, so search for any part which isn't. Once you have located those parts, all you have to do is subtract 100h from the memory location to find its physical offset in the file. You now have a general idea of where the scan string is located, so perform step 3 until you find it. Ack, you say, what if you don't have Sourcer? Well, all is not lost. Load up the infected carrier in good old DEBUG. The first instruction (in COM infections) should be a JMP. Trace (T) into the JMP and you should be thrown into the area around the encryption mechanism. Use the memory offset (relative to the PSP segment) and subtract 100h to find the physical location of the unencrypted portion in the file. Once again, once you have this, perform step 3. Simple, no? Sometimes, SCAN looks for the writing portion of the code, which generally calls INT 21h, function 40h. This is usually, though not always, located somewhere near the encryption mechanism. If it is not near there, all you have to do is trace through the virus until it calls the write file function. Another method of looking for scan codes is to break the infected carrier file into a series of 50 byte overlapping chunks. For example, the first chunk would be from offset 0 to 49, the second from 24 to 74, the third from 49 to 99, etc. Then use SCAN to see which chunk holds the scan code. This is by far the easiest, not to mention quickest, method. One side note on step 1, making the carrier file. Some virii don't infect tiny files. What you must do is create a larger file (duh). Simply assemble the following two lines: int 20h db 98 dup (0) (with all the garbage segment declarations and shit, of course) and you'll have a nice 100 byte carrier which should be sufficient in most cases, with maybe the exception of the Darth Vaders. Enjoy! ------------------------------------------------------------------------------- Dark Angel