home *** CD-ROM | disk | FTP | other *** search
- 40Hex Issue 4 December 1991
-
- A Further Look Into Cracking Encrypted Virues
- ---------------------------------------------
-
-
- In Censor #1, Rabids' Data Disruptor showed a way to decrypt
- encrypted viruses. The only problem with the method shown is that
- once you decrypt the virus, it cannot be run without modification.
- I wish to take his theory a little farther, with a different
- approch.
-
- There is a really simple way around the problem. What you will
- need is a debugger. I perfer Turbo Debugger, by Borland. However
- if you are good at the DOS utility Debug, you may be able to follow
- along.
-
- The routine to unencrypt is simple, really simple. What you will
- need to do is make a small target file for the virus to infect. A
- 100 byte of less file is perfered.
-
- Step One
- --------
-
- Copy the target file to a different filename to make two copies of
- the file. Example - COPY TARGET.COM DUDE.COM
-
- Step Two
- --------
-
- Infect one of the files, however the virus infectes the file.
- Remember just infect one of the files.
-
- Step Three
- ----------
-
- Load up you dubugger (I'm gonna give Turbo Debugger steps, so people
- with Debug and the Microsoft Debugger will have to improvise) and
- get ready to single step through the virus.
-
- Step Four
- ---------
-
- Start single stepping through the virus. If the virus is encrypted
- you will hit a loop somwhere near the beginning of the code. In
- most cases this is an XOR loop. It will look something like this...
-
- add si, [1234] ;
- mov di, si ;
- mov cx, 0123 ; this would be the virus size to unencrypt
- * mov al, [0105] ; this is the encryption value's offset or the
- ; actual encryption value if no brackets are
- ; around it
- cli ; auto increment
- lodsb ; load byte from si position
- xor ah, al ; xor byte at si
- stosb ; store it a di (same as si)
- loop 0110 ; loop until cx=0 NOTE: 0110 will be an offset
- ret ; return when done
-
- Where the "*" is, will be either the location of the encryption
- value, or the actual encryption value if no brackets are around it.
- If there are no brackets, keep that number in mind. Otherwise write
- the offset down.
-
- Step Five
- ---------
-
- When the encryption procedure is done the virus is then unencrypted.
- If you were to write the virus to disk now, it would not run. Cause
- as soon as the virus runs it encrypts itself and then jumps into the
- encrypted code.
-
- Follow the program to the part where the virus is about to write the
- virus to the host program. It will again call on the encryption
- routine.
-
- * Here it is again, but this time, before it XORs anything load the
- encryption value with 0's. If it is a bytes value load it with 00,
- if it is a word value load it with 0000 as in...
-
-
- add si, [1234] ;
- mov di, si ;
- mov cx, 0123 ; this would be the virus size to unencrypt
- * mov al, 00 ; change the encryption value to zero, thus the
- ; encryption will not take place at all. Instead
- ; the virus will produce an original strain.
- cli ; auto increment
- lodsb ; load byte from si position
- xor ah, al ; xor byte at si
- stosb ; store it a di (same as si)
- loop 0110 ; loop until cx=0 NOTE: 0110 will be an offset
- ret ; return when done
-
- Now run the program at full speed. The next file the virus infects
- will be unencrypted, and executable.
-
- NOTE: This method will work only for the types of viruses that use
- this type of encryption. Mainly non-resident .COM and .EXE
- infectors. In other words, don't go thinking this trick will work
- on Whale or anything.
-
-
-
-
-
