💾 Archived View for spam.works › mirrors › textfiles › virus › ratboy-2.txt captured on 2023-06-16 at 21:04:14.
-=-=-=-=-=-=-
/\---/\ RATBOY'S OVER WRITTING VIRUS TUTORIAL #2
( . . )
\ / WARNING: Information Contained Within Can Eat Both Your
\ / ^^^^^^^ Mind, Hard Drive and your dog.
\*/ I assume no responsiblity!!!!!!
#
Hello everyone!!!! Considering I have gotten positive responses about
Ratboy#1 I decided to continue on with your lessions in simple viruses.
So what is in store for this issue? We will be going over some terms to
help us in this issue. Also, we will move on to more complex overwriting
.Com viruses. If you read and understood Ratboy#1, you should understand
how to due simple file operations. Such as, you need to open the victum
for reading and writing, and if you are a ATF agent you need to open the
file to shoot it in the back like it was one of your own agents. You will
read how to read from your file, write to it, "tag" it, and more helpful
example code to help with your further learning of viruses. :) Yea!!
Now the boreing parts:
What is a JMP (jump)?
A jump is kinda like what it sounds like, a jump. Since we know
that an assembly source reads top to bottom, sometimes we need to
skip around in a program depending on the situation. Here's a simple
example:
call delta_offset
delta_offset:
pop bp
sub bp,delta_offset
jmp restore ;<===this is a jump :)
eat_hd:
"blah"
"blah"
As you can see, in the example, we jumped over eat_hd and anything
else that was between the jump and restore. A real simple
explanation of how a jump works is like this. A jump when put
together by the assembler, well be converted to a jump without
the label but a displacement. Like this:
jmp anywhere
Really means jmp 45 bytes
As you can see the number is postive so it a foward jump (negative
would be backwards). Now I think I'm getting too far, I just wanted
you to understand it's a displacement. I'm not even going into
conditional jumps since I did say in the Ratboy#1 you do need to
understand Assembly. I know a lot of this should be old hat, but
bare with me for now. :)
I was recently asked what is a CALL?
A call is like a jump with a return address. When a Call is made,
the next line offset(address) is pushed into the stack, and a jump
to the place called is made. Once there, you can return by using
RET. This RET will pop the return address off the stack and jump
there.
Simple example:
mov al,02h
call mov_ptr ;<==the next line's address it put into
;the stack (that would be eat_hd) and a
;jump is made to mov_ptr
eat_hd:
"blah"
"blah"
"blah"
jmp exit ;<==simple review, how does this work?
mov-ptr:
"blah"
"blah"
"blah"
ret ;ah..now the return address(eat_hd) is
;popped off the stack and a jump is made
;to it
Another question was what is an OFFSET?
Since we are so far just dealing with .Com files make this real
simple. An offset is like an address. If you know where you live,
then you understand how and address works.
Simple Simple Example:
Where does Debby live?
Oh, on 16th St. and 5th Ave. (that is an example of an Offset)
Review:
Where does Debby live?
Oh, go down three blocks and the third house on the left.
(this is an example of a jump, see the displacement?)
Another question is what is LEA?
LEA stands for Load Effective Address. Yarn! Too technical. Here's
how it works. Remember in Ratboy#1 when looking for a file, you
needed to load the file type(*.com) offset into dx, like this:
mov dx,offset file_type
well you can do this instead:
lea dx,file_type
Nuff said. Practice with it, see its ranges of use.
Ok I know some one must have fallen asleep, if this bores you just go ahead
and read Dark Angel's Virus Writing Guides, maybe they are up to speed with
you.
How can I speed up my programs?
Simple, kinda think of speed as being the least amount of bytes
nessary for you to carry out the job.
example:
mov ax,0 ;3 bytes
sub ax,ax ;2 bytes
So which one would you figure to be the faster. I used sub ax,ax
since I don't want to even go into explaining XOR, but XOR AX,AX
will do the samethin. Do some reading up on it, you'll need it for
encryption later on in your virus writing carreer. The Sub should
make sense, subtract a number from itself = 0.
Also here's another way of putting what is AX in BX.
Instead of saying:
mov bx,ax ;2 bytes
say:
xchg bx,ax ;1 byte
Ya get it?
Now down to the exciting part of doing something. Yea!!!!
Ok in the last issue if you made your virus and you noticed that it infected
the first file and not any others, that's because it was real simple. This
time we will teach your little life form how to determine if the file is
already infected. Now how do you make sure you know which underwear are
your's at summer camp, your mom sewed your name inside of them. If you are
over 30 and your mom still does this, you are a geek. No arguements, you are
a Geek.
Ok, we need to put in, the infected file, some type of marker, so that we
can later read it. Let's keep this simple, since ofcourse that's the motive
of this tutorial. I will use the letter "r" for RaTBoY. We will put
that "infection marker" right after the jump. So it will kinda look like
this:
virus_start:
jmp find_first
me db 'r'
find_first:
"blah"
"blah"
Ya see it? Now we will go on. Since to do it all you have to do is put the
Me db 'r' in the front of your virus. Now we need to put that jump in
there, for the file to go over the 'r' and start looking for the file. All
the virus needs to do is read the first four bytes of a file, and check if
the 4th (jmp + offset = 3bytes) byte to identify if it's already infected.
Now let's look at the order of operations. For you english majors this is
outline. :)
(I) find file
(a)no files to infect...EXIT
(II) open file for reading
(III) read first four bytes
(IV) close file
(V) compare to id byte(infection marker)
(a) if infected already:
1. setup to find next file
2. goto step I
(b) if not infected continue on
(VI) open file for read/write
(VII) write self to file
(VIII) close file
(IX) exit
Now that should not be such a differcult virus to make. Some of this
material will be review for you and a chance to see if you can still
understand everything clearly.
-=Step I=-
~~~~~~
Now of course we need to find the first file. Here are the required inputs:
ah = 4eh
cx = atributes
dx = file type (ie. *.com)
int 21h
if the carry flag is set then there were no files, so if:
jc exit ;jump to exit if no files
not bad if you can remember this off the top of your head. I think I went
over this well enough in Ratboy#1, so not to bore you I go on.
-=Step II=-
~~~~~~~
Now we need to open that file to read and write to it. Inputs are:
ax = 3d00h ;remember the value of AL will setup
;for the access you want
;al = 00h(read only)
;al = 01h(write only)
;al = 02h(read/write)
dx = offset address of file name
int 21h
Returns:
ax = file handle (or error code..nah can't happen)
Now do you remember where we get that file name? Why of course you know
this, it's in the DTA. Now since we didn't mess with it, it should be
at 80h in the Program Segment Prefix (PSP). So if you know that and you've
read Ratboy#1 where do we look for the address of the file name?
That's right 9eh. Remember to put the file handle in BX where we will use it
later(ie. xchg bx,ax) Since we went over this in Ratboy#1 we'll go on.
-=Step III=-
~~~~~~~~
Now comes something new. We will read the first four bytes of the victum
file, and put it in our buffer, HOLDN_PLACE. Here's the function's inputs:
ah = 3fh
bx = file handle
cx = bytes to read
dx = offset of buffer(buffer = the place you put the read byte(s))
int 21h
Here's how it would look in your virus: