Xine - issue #5 - Phile 305

eZine lover (@eZine) · 4 May 2024
┌-----------------------------┐
| Xine - issue #5 - Phile 305 |
└-----------------------------┘

┌-------------┐
| VxD Packer2 |
└-------------┴-------------------------------------------------------------

This utility is basically the same as "VxD Packer". The only difference is that instead of "cutting", whenever possible, the space between the end of the "Fixup Record Table" and the beginning of the "Enumerated Data Pages", it "cuts" the unused space between the end of the MZ header and the start of the LE header. This space usually contains real-mode code to display a message like "This program cannot be run in DOS mode." and never ...

Xine - issue #5 - Phile 304

┌-----------------------------┐
| Xine - issue #5 - Phile 304 |
└-----------------------------┘

┌------------┐
| VxD Packer |
└------------┴--------------------------------------------------------------

"VxD Packer" isn't exactly a packer since it doesn't use any compression algorithm but I named it this way to avoid discrepancies about its purpose. It simply "cuts", whenever possible, the space between the end of the "Fixup Record Table" and the beginning of the "Enumerated Data Pages", thereby reducing the size of the VxD. In order to retain a valid VxD, it then fixes all pointers to nonresident data, starting from the "Enumerated Da...
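The cut that both VxD Packer teasers (Philes 304 and 305) describe, as an added example in C that is not code from either phile: le_cut_range deletes an unused byte range from an MZ-stub + LE image and repairs the pointers that are given from the top of the file, and le_stub_gap computes the Phile 305 range (end of the MZ header, e_cparhdr*16, up to e_lfanew). Field offsets follow the LE/LX header layout: e_lfanew at MZ+0x3C, data pages offset at LE+0x80, non-resident names table offset at LE+0x88, debug information offset at LE+0x98; tables addressed relative to the LE header itself do not move. The sample image, the 0xC4-byte header extent used for the overlap check and the minimal validity checks are assumptions of this example.

```c
/* Added example (not from the Xine philes): remove an unused byte range
 * from a VxD (MZ stub + LE) image and repair the file-relative pointers,
 * as the "VxD Packer" teasers describe. Sample image constructed inline. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LE_HEADER_SIZE 0xC4   /* assumed extent of a VxD's LE header */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Follow e_lfanew (MZ+0x3C) to the "LE" header; 0 if the image is not a usable LE file. */
static uint32_t le_header_offset(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t le = rd32(img + 0x3C);
    if (le < 0x40 || (size_t)le + LE_HEADER_SIZE > len || img[le] != 'L' || img[le + 1] != 'E') return 0;
    return le;
}

/* Phile 305's range: from the end of the MZ header (e_cparhdr paragraphs) to the LE header. */
static int le_stub_gap(const uint8_t *img, size_t len, uint32_t *start, uint32_t *end) {
    uint32_t le = le_header_offset(img, len);
    if (!le) return 0;
    uint32_t hdr_end = (uint32_t)(img[8] | (img[9] << 8)) * 16;
    if (hdr_end < 0x40 || hdr_end >= le) return 0;   /* no stub, nothing to cut */
    *start = hdr_end; *end = le;
    return 1;
}

/* Delete [start,end) and fix every pointer given from the top of the file that
 * lies beyond the cut: e_lfanew, data pages offset (LE+0x80), non-resident names
 * table offset (LE+0x88), debug information offset (LE+0x98). Tables addressed
 * relative to the LE header (object table, fixup tables, ...) need no change.
 * Returns the new length, or 0 when the range would damage a header. */
static size_t le_cut_range(uint8_t *img, size_t len, uint32_t start, uint32_t end) {
    uint32_t le = le_header_offset(img, len);
    if (!le || start < 0x40 || start >= end || end > len) return 0;
    if (!(end <= le || start >= le + LE_HEADER_SIZE)) return 0;  /* overlaps the LE header */
    uint32_t cut = end - start;
    memmove(img + start, img + end, len - end);
    len -= cut;
    if (le >= end) { le -= cut; wr32(img + 0x3C, le); }      /* header moved: fix e_lfanew */
    static const uint32_t file_relative[] = { 0x80, 0x88, 0x98 };
    for (size_t i = 0; i < sizeof file_relative / sizeof file_relative[0]; i++) {
        uint32_t v = rd32(img + le + file_relative[i]);
        if (v >= end) wr32(img + le + file_relative[i], v - cut);
    }
    return len;
}

/* Constructed sample: 64-byte MZ header, 64-byte DOS stub, LE header,
 * one 16-byte data page, 8 bytes of non-resident names. */
#define SAMPLE_LEN (0x40 + 0x40 + LE_HEADER_SIZE + 16 + 8)
static uint8_t g_img[SAMPLE_LEN];

static void build_sample(void) {
    memset(g_img, 0, SAMPLE_LEN);
    g_img[0] = 'M'; g_img[1] = 'Z';
    g_img[8] = 4;                                   /* e_cparhdr: 4 paragraphs = 64 bytes */
    wr32(g_img + 0x3C, 0x80);                       /* e_lfanew */
    memcpy(g_img + 0x40, "This program cannot be run in DOS mode.", 39);
    uint8_t *le = g_img + 0x80;
    le[0] = 'L'; le[1] = 'E';
    wr32(le + 0x80, 0x80 + LE_HEADER_SIZE);         /* data pages start after the LE header */
    wr32(le + 0x88, 0x80 + LE_HEADER_SIZE + 16);    /* non-resident names after the page */
}

/* Build the sample, cut its DOS stub, return the new length (0 on failure). */
static size_t demo_cut_stub(void) {
    uint32_t s, e;
    build_sample();
    if (!le_stub_gap(g_img, SAMPLE_LEN, &s, &e)) return 0;
    return le_cut_range(g_img, SAMPLE_LEN, s, e);
}

int main(void) {
    size_t n = demo_cut_stub();
    printf("%u -> %zu bytes, LE header now at 0x%x, data pages at 0x%x\n",
           (unsigned)SAMPLE_LEN, n, rd32(g_img + 0x3C), rd32(g_img + rd32(g_img + 0x3C) + 0x80));
    return n == 0;
}
```

For the Phile 304 cut the same le_cut_range applies with start at the end of the fixup record table and end at the data pages offset, which is why the function adjusts every file-relative field rather than e_lfanew alone. The real-mode fields of the MZ header (e_cs, e_ip, e_cblp, e_cp) are left untouched: the VMM loads a VxD directly from the LE header and never executes the DOS stub.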

Xine - issue #5 - Phile 303

┌-----------------------------┐
| Xine - issue #5 - Phile 303 |
└-----------------------------┘

' [ ULZ by ULTRAS/MATRiX ]
'
' Engine Name    : Ultra Lempel-Ziv (ULZ)
' Engine Version : 1.2
' Release Date   : 6 September
' Origin         : Russia
' Language       : Visual Basic (5.0-6.0)
' Features       :
' + fast compression & decompression algorithm
' + not using windoze api
' + optimized
' + the reduced version
'
' Greetz to ppl :
' mort      - greetings to your gf, my czech bro
' anaktos   - huffman engine kewl....
' NBK       - good work...
' Lord Dark - LME kewl, i test it...
' Benny     - czech beer kewl
' Del_Armg0 - pif nice idea
' Z0MBiE    - u are best coder
' Bh...

Xine - issue #5 - Phile 302

┌-----------------------------┐
| Xine - issue #5 - Phile 302 |
└-----------------------------┘

;
; Well, I hope you've read my lil doc about anti debugging.
;
; This code shows how to make it more difficult for AVs to breakpoint
; the APIs you use.
;
; *How it works:
;
; *Functional:
;
; Well, a breakpoint (in softice) is just an INT3 on the entry of the
; API. You say 'bpx loadlibrarya' to softice, softice looks in the dlls
; defined in winice.ini for loadlibrarya, and it puts an INT3 there.
;
; The following code looks for an INT3 in the API you call, not only
; on the start of the api, but it traces and emulates into the API,
; so ...

Xine - issue #5 - Phile 301

┌-----------------------------┐
| Xine - issue #5 - Phile 301 |
└-----------------------------┘

here come the nice little gatos funky, they are provided as standalone win32asm compilable examples, enjoy guys

;----------OpenGL in win32asm example 1----------------
;
; draw a simple colored rectangle
; can be used as a template for more complex animations
;
; not at all optimized, it's better for code clarity
; by Spanska for Xine#5, February 2001, copyleft
;
; TASM32 /ml /m3 /z /t opengl
; TLINK32 -Tpe -aa opengl,,,import32 opengl32

callW macro x
    extrn x:PROC
    call x
endm

.386p
.model flat,STDCALL
.data
;------------- fun...

Xine - issue #5 - Phile 300

┌-----------------------------┐
| Xine - issue #5 - Phile 300 |
└-----------------------------┘

;
; - expressway to my skull -
; - [ETMS] v0.36 -
; - b0z0/iKX -
;
; This is a polymorphic engine for Win32/Win9X viruses. It should be fully
; compatible with any 486+ processor. You should check ver. 0.1 (Xine#4)
; for some more basic information.
;
; Changes from v0.1:
; - Multiple layers of encryption (random from 2 to 7 layers)
; - New garbage types added (MOVSX, MOVZX, BT family, SET family,
;   XADD, SHLD/SHRD, CMPXCHG, BSWAP, XLAT, ENTER/LEAVE) on regs,
;   mem, flags (when possible). Direct read/write on stack using
;   ...

Xine - issue #5 - Phile 216

┌-----------------------------┐
| Xine - issue #5 - Phile 216 |
└-----------------------------┘

comment *
Virusname:   Stealth Fighter, DEMO Part 3.2
Other names: RDA.Fighter.7868
Type:        Poly TSR COM/EXE Semistealth
Disasm:      Darkman and b0z0

General description:
--------------------
This is a quite old but interesting DOS virus, one of the first ones using the RDA, random decryption algorithm, idea. With RDA the decryption method (so both keys and mathematical operations) will not be stored in the decryptor. Indeed the RDA algorithm will try to decrypt the encrypted body with all the possible implemented methods until the right one will ...
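The RDA idea described in the Phile 216 header, as an added example in C that is not code from the phile or from the Stealth Fighter disassembly: a toy decryptor that ships four candidate operations but no key, and brute-forces (method, key) pairs until the decrypted body shows an expected marker and checksum. The operations, the per-byte key step of 3, the "RDA!" marker and the sample body are constructed for this demonstration and do not reproduce the virus's actual scheme.

```c
/* Added example (not from Phile 216 or the Stealth Fighter disassembly):
 * a toy RDA loop. The decryptor knows the candidate operations but stores
 * neither the operation nor the key; it recovers both by trying every pair
 * until a marker and a checksum over the decrypted body match.
 * Operations, key schedule, marker and body are constructed for this demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BODY_LEN 32
#define MARKER   "RDA!"        /* constructed 4-byte marker at the start of the body */
enum { M_XOR, M_ADD, M_SUB, M_ROL, M_COUNT };

static uint8_t rol8(uint8_t v, unsigned r) { r &= 7; return r ? (uint8_t)((v << r) | (v >> (8 - r))) : v; }
static uint8_t ror8(uint8_t v, unsigned r) { r &= 7; return r ? (uint8_t)((v >> r) | (v << (8 - r))) : v; }

/* Encryptor: one method, one starting key, key stepped by 3 per byte (constructed schedule). */
static void rda_encrypt(uint8_t *b, size_t n, int method, uint8_t key) {
    for (size_t i = 0; i < n; i++, key = (uint8_t)(key + 3)) {
        switch (method) {
        case M_XOR: b[i] ^= key; break;
        case M_ADD: b[i] = (uint8_t)(b[i] + key); break;
        case M_SUB: b[i] = (uint8_t)(b[i] - key); break;
        case M_ROL: b[i] = rol8(b[i], key); break;
        }
    }
}

/* Decryptor: the inverse of every implemented method; no key stored anywhere. */
static void rda_decrypt(uint8_t *b, size_t n, int method, uint8_t key) {
    for (size_t i = 0; i < n; i++, key = (uint8_t)(key + 3)) {
        switch (method) {
        case M_XOR: b[i] ^= key; break;
        case M_ADD: b[i] = (uint8_t)(b[i] - key); break;
        case M_SUB: b[i] = (uint8_t)(b[i] + key); break;
        case M_ROL: b[i] = ror8(b[i], key); break;
        }
    }
}

/* 8-bit additive checksum the decryptor uses to confirm a candidate plaintext. */
static uint8_t checksum8(const uint8_t *b, size_t n) {
    uint8_t s = 0;
    for (size_t i = 0; i < n; i++) s = (uint8_t)(s + b[i]);
    return s;
}

/* The RDA search: every (method, key) pair against the same buffer until the
 * marker and the checksum both match. Returns method*256 + key and leaves the
 * plaintext in out on success, -1 if no pair fits. */
static int rda_recover(const uint8_t *enc, size_t n, uint8_t expect_sum, uint8_t *out) {
    for (int m = 0; m < M_COUNT; m++) {
        for (int k = 0; k < 256; k++) {
            memcpy(out, enc, n);
            rda_decrypt(out, n, m, (uint8_t)k);
            if (memcmp(out, MARKER, 4) == 0 && checksum8(out, n) == expect_sum)
                return m * 256 + k;
        }
    }
    return -1;
}

static uint8_t g_plain[BODY_LEN], g_enc[BODY_LEN], g_recovered[BODY_LEN];

/* Encrypt a constructed body with XOR/0x5A, then recover it knowing only marker and checksum. */
static int demo_rda(void) {
    memcpy(g_plain, MARKER "constructed virus body bytes", BODY_LEN);
    uint8_t sum = checksum8(g_plain, BODY_LEN);
    memcpy(g_enc, g_plain, BODY_LEN);
    rda_encrypt(g_enc, BODY_LEN, M_XOR, 0x5A);
    return rda_recover(g_enc, BODY_LEN, sum, g_recovered);
}

int main(void) {
    int r = demo_rda();
    if (r < 0) { puts("no (method,key) pair fits"); return 1; }
    printf("recovered method %d key 0x%02X, body matches: %s\n", r >> 8, r & 0xFF,
           memcmp(g_recovered, g_plain, BODY_LEN) == 0 ? "yes" : "no");
    return 0;
}
```

The search stops at the first pair that passes both checks, so the marker alone would be a weak acceptance test; the checksum over the whole body is what rules out near misses. An emulator-based scanner sees exactly this loop: hundreds of decryption attempts against the same buffer before the real body appears, which is also why RDA decryptors are costly to emulate.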

Xine - issue #5 - Phile 215

┌-----------------------------┐
| Xine - issue #5 - Phile 215 |
└-----------------------------┘

comment #
most of today's file sharing apps are using a dummy protocol. Gnetworks can be easily taken down or abused. this worm is a -basic- proof of concept..

Gspot acts like a Gnutella client, except that it connects automatically to the local Gnode to reach a Gnetwork, and then catches the search queries. It reports a result by appending a '.exe' to the search criteria. Its file server is running on port 99. A lil payload is included.. It replies to 'G-pings' by a www's IP. This could cause -heavy- traffic on that target if this worm spreads ...

Xine - issue #5 - Phile 214

┌-----------------------------┐
| Xine - issue #5 - Phile 214 |
└-----------------------------┘

; Asmodeus of iKX proudly presents
; STACK-I-WORM
; [ASCII-art banner: STACK-I-WORM]
; Lifeforce mysteria
;
; Version : Beta 1.0
; Size    : 7424 bytes
;
; ----------------
;
; Features
; ----------------
; * Infects over email *without* attachment :>
; * Exploits buffer overflow (Malformed MIME header) in Outlook
; * Affected mail programs : Microsoft Outlook Express 4.0/4.01/5.0/5.01
;                            Microsoft Outlook ...

Xine - issue #5 - Phile 213

┌-----------------------------┐
| Xine - issue #5 - Phile 213 |
└-----------------------------┘

┌------------┐
| VxD.Burzum |
└------------┴--------------------------------------------------------------

This virus is a simple VxD infector. I wrote it to demonstrate VxD protected-mode infection, reserving extended memory from real-mode.

┌-------------------┐
| 1. Virus analysis |
└-------------------┘

When the virus (real-mode) receives execution control, it makes its residency check and goes resident (if necessary) using DOS functions to allocate memory (reloading the virus code from the end of file). Then, it hooks the interrupt 21h...