home *** CD-ROM | disk | FTP | other *** search
- DECOM 0.9ß - MTE file decryptor
-
- Written by Black Wolf '93
-
- This is a simple utility that will step through an MTE decryptor and
- decrypt the virus it is attached to, then terminate before executing
- the virus. It is useful if you have an MTE-based virus and you want to
- find out what virus has infected it - just decrypt it using DECOM, then
- check the resulting file, looking after the decryptor. This is a proto-type
- version, and is NOT IN ANY WAY GUARANTEED! I am only releasing this version
- because to this date nothing else seems to be able to do this. I am
- also releasing the source code. This will allow anyone who needs to be able
- to disinfect MTE-based viruses to modify the code to- instead of saving the
- result to disk -search it for the storage bytes, original SS:SP and CS:IP,
- or whatever is needed for the disinfection routine. Once I have gotten
- time to come back to this, I will modify it into a generic encryption
- bypasser, and add a few useful features in it.
-
- When used, it will attempt to follow the execution of the program
- until the end of the MTE decryptor. It will not execute INT calls, and
- will terminate if one is encountered. It also terminates if DS and ES
- change, or if a far call or PUSHF is encountered. THIS DOES NOT ABSOLUTELY
- GUARANTEE SAFETY WHEN RUN! While I have not encountered an MTE file that
- it did not safely unencrypt, it is quite possible to program such. The
- viruses I have tested this on are POGUE, DEMOVIR, and the INSUFF series,
- as well as a collection of my own test MTE files. One possible time
- when DECOM may go passed the decryptor is when the MTE does not actually
- encrypt the code - this generally results in DECOM printing that it
- can not safely decrypt it, whereas it was never actually decrypted.
- I hope this is found to be useful at least as a coding example, if not
- as a tool. Good luck!
-
- Black Wolf
-
-
