;This is a disassembly of Thunderbyte's anti-viral partition code.
;An org statement was not used because it appears that all offsets used
;herein are either relative or absolute, i.e. it just doesn't matter.
;This should be assembled as a binary image file; it *WILL NOT* create
;an executable file. This code is exactly 512 bytes long and should be
;implanted into the hard drive at physical sector 1, cylinder 0, head 0
;using the BIOS direct write to disk function. *DO NOT* use DOS write to
;disk functions or DEBUG because these functions can't access hidden sectors
;and you'll probably just overwrite some other part of the disk drive.
;Note that these 512 bytes include the partition table (offset 1BEh onward)
;of the disk they were read from, so save the existing sector first and keep
;its own partition table when writing.

;have fun, folks!

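;-----------------------------------------------------------------------
; Replacement master boot record (one 512-byte sector), 16-bit real mode.
; Entry:  the near-jump trick and the absolute addresses below assume the
;         BIOS loaded the sector at 0000:7C00h and entered it with CS = 0.
; Flow:   1. copy itself to 0000:0600h and continue in the copy
;         2. find the active partition, read its boot sector to 0000:7C00h
;         3. run three checks: boot-sector checksum, conventional RAM
;            size, location of the INT 13h handler
;         4. if all pass (or the user answers "y") jump to 0000:7C00h
; Every 06xxh/07xxh constant is a run-time address = file offset + 0600h,
; so each instruction has to keep its original length.
;-----------------------------------------------------------------------
code_start:

        cli                             ;no interrupts while SS:SP change
        xor     cx, cx
        mov     ss, cx
        mov     sp, 7c00h               ;stack grows down from 0000:7C00h
        mov     si, sp                  ;si = 7C00h, source of the copy
        sti
        cld                             ;string instructions count upward

        mov     es, cx                  ;es = ds = 0
        mov     ds, cx

        mov     di, 0600h               ;destination of the copy

        mov     ch, 01                  ;cx = 100h words
        repz    movsw                   ;copy 200h bytes 0000:7C00h -> 0000:0600h
                                        ;to make room for the boot sector

jump_pt db      0e9h, 00, 8ah           ;hand-encoded near jmp, rel16 = 8A00h:
                                        ;7C1Ah + 8A00h wraps around the segment
                                        ;to 061Ah = first_pt in the copy
first_pt:                               ;execution continues at 0000:061Ah
        mov     si, 06ddh               ;msg1, the banner
        call    routine_1
        mov     si, 07eeh               ;4th (last) partition-table entry
        call    routine_2               ;CF = 0: si -> active entry, dx/cx loaded
                                        ;CF = 1: no entry carries boot flag 80h
        mov     bp, si                  ;keep the entry pointer for fifth_pt
        mov     si, 0733h               ;msg3 "No system!"
        jb      second_pt               ;mov leaves flags alone: CF is routine_2's

        mov     bx, sp                  ;es:bx = 0000:7C00h (sp is back at 7C00h)
        mov     ax, 0201h               ;ah = 02h read, al = 1 sector
        int     13h                     ;read the active partition's boot sector

        mov     si, 0725h               ;msg2 "Disk error!"
second_pt:
        jb      sixth_pt                ;CF = 1: print the message in si, give up

        mov     si, 745h                ;msg4 + 5: "Checking "
        call    routine_1
        call    routine_1               ;si ran on into msg5 "bootsector CRC -> "

;Check 1: checksum over the loaded boot sector, 7C40h..7DFFh (1C0h bytes).
;ax is 0 here because routine_1 returns only after loading a 0 byte; bx was
;cleared inside routine_1 (assuming the INT 10h call preserved it).
        mov     si, 7c40h
        mov     cx, 01c0h
loop_1:
        xchg    ax, bx
        shl     bx, 1                   ;running value shifted left one bit
        lodsb                           ;al = next byte, from 0000:7C40h on
        add     ax, bx
        mov     ah, bh
        test    ah, ah
        jns     third_pt                ;top bit clear: nothing to fold in
        xor     ax, 0a097h              ;top bit set: xor with the constant
third_pt:
        loop    loop_1

        cmp     ax, 7805h               ;expected value is hard-coded, so it fits
                                        ;one particular boot sector only
        jnz     fourth_pt               ;mismatch -> "Failed!" prompt
        mov     si, 0740h               ;msg4 "OK!" + "Checking "
        call    routine_1

;Check 2: conventional memory size as recorded by the BIOS.
        mov     si, 0762h               ;msg6 "available RAM -> "
        call    routine_1               ;listed as "call 01cdh" in the raw
                                        ;disassembly; routine_1 is at file offset
                                        ;0CDh, so that looks like an unresolved
                                        ;target from a listing based at 100h
        mov     dx, [si + 0fc9fh]       ;si = 0774h after the print, so the address
                                        ;wraps to 0000:0413h = base memory in KB
        cmp     dx, 27eh                ;638 KB or more expected
        jb      fourth_pt               ;less -> "Failed!" prompt

        mov     si, 740h                ;msg4 "OK!" + "Checking "
        call    routine_1
        mov     si, 774h                ;msg7 "INT 13h -> "
        call    routine_1

;Check 3: the INT 13h handler must not sit below the top of conventional RAM.
;NOTE(review): the listing had "[004c]" without the hex suffix. The intended
;encoding is the 4-byte C4 06 4C 00; some assemblers want an explicit
;"dword ptr ds:" form here - confirm the output is still 4 bytes.
        les     ax, [004ch]             ;es:ax = INT 13h vector (13h * 4 = 4Ch);
                                        ;es is no longer 0 from here on
        mov     bx, es
        mov     cl, 04
        shr     ax, cl
        add     ax, bx                  ;ax = handler address in paragraphs
        inc     cx
        inc     cx                      ;cl = 6
        shl     dx, cl                  ;dx = KB * 64 = top of memory in paragraphs
        cmp     ax, dx
        jnb     fifth_pt                ;handler at or above the top: OK

fourth_pt:                              ;one of the checks failed
        mov     si, 0787h               ;msg9 "Failed! ... Continue? (N/Y)"
        call    routine_1
        int     16h                     ;ax = 0 after routine_1: wait for a key
        mov     si, 783h                ;msg8 + 3: CR, LF, LF
        or      al, 20h                 ;fold the key to lower case
        cmp     al, 79h                 ;'y' ?
        jnz     seventh_pt              ;any other key: do not boot

fifth_pt:
        call    routine_1               ;"OK!" (or only the newlines after 'y')
        mov     si, bp                  ;si -> active partition entry
        mov     dx, [si]                ;dl = 80h, dh = second byte of the entry
        jmp     sp                      ;control goes to boot sector (sp = 7C00h)

sixth_pt:                               ;fatal: si = "No system!" or "Disk error!"
        call    routine_1
        int     16h                     ;wait for a key

seventh_pt:
        int     18h                     ;rom BASIC!

eighth_pt:
        jmp     eighth_pt               ;infinite loop Lock Up!


;-----------------------------------------------------------------------
; routine_2: scan the partition table downward for an active entry.
; In:    si = address of the last entry to test (caller passes 07EEh)
; Out:   CF = 0: si -> entry whose first byte is 80h,
;                dx = word at [si], cx = word at [si + 2]
;        CF = 1: none of the entries si, si-10h, si-20h, si-30h matched
; Clobb: di, flags
;-----------------------------------------------------------------------
routine_2:
        lea     di, [si - 30h]          ;di = lowest entry to test
boot_chk:
        cmp     byte ptr [si], 80h      ;boot flag set on this entry?
        jz      bootable                ;equal also means CF = 0
        sub     si, 10h                 ;step back one 16-byte entry
        cmp     si, di
        jnb     boot_chk                ;still inside the table
        ret                             ;si < di here, so CF = 1
bootable:
        mov     dx, [si]                ;dl = 80h (later used as drive), dh = head
        mov     cx, [si + 2]            ;sector/cylinder as INT 13h takes them
return_pt:
        ret                             ;routine_1 exits through here too

;-----------------------------------------------------------------------
; routine_1: print the 0-terminated string at ds:si via INT 10h, AH = 0Eh.
; In:    si = address of the string
; Out:   si = address just past the terminator, ax = 0
; Clobb: ax, bx, flags (plus whatever the BIOS call changes)
;-----------------------------------------------------------------------
routine_1:
        lodsb
        cbw                             ;convert to word
        test    ax, ax                  ;al = 0 makes ax = 0: end of string
        jz      return_pt               ;like ret to original caller

        mov     ah, 0eh                 ;teletype output
        xor     bx, bx                  ;bh = page 0
        push    si                      ;keep si across the BIOS call
        int     10h
        pop     si
        jmp     routine_1

code_end:

;Messages. Run-time address = file offset + 0600h:
;msg1 06DDh, msg2 0725h, msg3 0733h, msg4 0740h, msg5 074Fh,
;msg6 0762h, msg7 0774h, msg8 0780h, msg9 0787h.
;The code also enters msg4 at +5 ("Checking ") and msg8 at +3 (newlines).
msg1    db      13, 10, "Thunderbyte anti-virus partition "
        db      "v6.24 (C) 1993-94 Thunderbyte BV.", 13, 10, 10, 0
msg2    db      "Disk error!", 13, 10, 00
msg3    db      "No system!", 13, 10, 00
msg4    db      "OK!", 13, 10,"Checking ",0
msg5    db      "bootsector CRC -> ",0
msg6    db      "available RAM -> ",0
msg7    db      "INT 13h -> ",0
msg8    db      "OK!",13, 10, 10, 0
msg9    db      "Failed!", 13, 10, "System might be infected. Continue? (N/Y)", 07, 0

;misc starts at file offset 1BBh: three filler bytes, then the four 16-byte
;partition-table entries at 1BEh..1FDh (run time 07BEh..07FDh, the range
;routine_2 scans). Entry 1 is flagged active (80h) with type byte 06h; the
;other three are all zero. These bytes belong to the disk the sector was
;dumped from: written verbatim to another disk they would replace that
;disk's own partition table, so carry the target's bytes 1BEh..1FDh over
;into the image and keep a copy of the original sector.
misc    db      0, 0, 0, 80h, 01h, 01, 0, 06, 0dh, 0feh, 0f8h
        db      03eh, 0, 0, 0, 06h, 78h, 0dh, 0, 0, 0
        db      10h dup(0)
        db      10h dup(0)
        db      0eh dup(0)

id_sig  db      55h, 0aah               ;boot-sector signature at 1FEh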
-
-