
Thread: ReverseMe

  1. #1 Kayaker

    ReverseMe

    This is well known code. Harmless.

    What is it?

    Code:
    Disassembly of File: reverseme.com
    Code Offset = 00000000, Code Size = 00000044
    Data Offset = 00000000, Data Size = 00000000
    
    Number of Objects = 0001 (dec), Imagebase = 00000000h
    
       Object01:          RVA: 00000000 Offset: 00000000 Size: 00000044 Flags: 00000000
    
    
    +++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
    //********************** Start of Code in Object BinaryCode **************
    Program Entry Point Not Available
    
    
    //********************** Start of Code in Segment: 1 **************
    
    :0001.0100 58                     pop ax
    :0001.0101 354F21                 xor ax, 214F
    :0001.0104 50                     push ax
    :0001.0105 254041                 and ax, 4140
    :0001.0108 50                     push ax
    :0001.0109 5B                     pop bx
    :0001.010A 345C                   xor al, 5C
    :0001.010C 50                     push ax
    :0001.010D 5A                     pop dx
    :0001.010E 58                     pop ax
    :0001.010F 353428                 xor ax, 2834
    :0001.0112 50                     push ax
    :0001.0113 5E                     pop si
    :0001.0114 2937                   sub [bx], si
    :0001.0116 43                     inc bx
    :0001.0117 43                     inc bx
    :0001.0118 2937                   sub [bx], si
    :0001.011A 7D24                   jge 0140
    :0001.011C 45                     inc bp
    :0001.011D 49                     dec cx
    :0001.011E 43                     inc bx
    :0001.011F 41                     inc cx
    :0001.0120 52                     push dx
    :0001.0121 2D5354                 sub ax, 5453
    :0001.0124 41                     inc cx
    :0001.0125 4E                     dec si
    :0001.0126 44                     inc sp
    :0001.0127 41                     inc cx
    :0001.0128 52                     push dx
    :0001.0129 44                     inc sp
    :0001.012A 2D414E                 sub ax, 4E41
    :0001.012D 54                     push sp
    :0001.012E 49                     dec cx
    :0001.012F 56                     push si
    :0001.0130 49                     dec cx
    :0001.0131 52                     push dx
    :0001.0132 55                     push bp
    :0001.0133 53                     push bx
    :0001.0134 2D5445                 sub ax, 4554
    :0001.0137 53                     push bx
    :0001.0138 54                     push sp
    :0001.0139 2D4649                 sub ax, 4946
    :0001.013C 4C                     dec sp
    :0001.013D 45                     inc bp
    :0001.013E 2124                   and [si], sp
    
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0001.011A(C)
    |
    :0001.0140 48                     dec ax
    :0001.0141 2B482A                 sub cx, [bx+si+2A]
    :0001.0144 00000000000000000000   BYTE 10 DUP(0)

  2. #2
    Quote Originally Posted by Kayaker
    This is well known code. Harmless. What is it?
    I started working through it with the assumption that the first statement, POP AX, gave 0000.

    Got about 10 steps down, then decided to check 'and ax, 4140', which led to the following page:

    https://en.wikipedia.org/wiki/Talk%3AEICAR_test_file

    which led to the following page:

    https://www.eicar.org/86-0-Intended-use.html


  3. #3 Kayaker
    I've been looking at the Windows Antimalware Scan Interface (AMSI) lately, and its relation to exploits particularly with PowerShell.

    https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal?redirectedfrom=MSDN

    https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf

    The AMSI feature is integrated into these components of Windows 10.

    User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
    PowerShell (scripts, interactive use, and dynamic code evaluation)
    Windows Script Host (wscript.exe and cscript.exe)
    JavaScript and VBScript
    Office VBA macros

    I've seen the AMSI.dll crop up in Windbg several times depending on the application. In my case it also loads the Avast provider dll aswAMSI, which for some reason always generates two dozen C++ EH exception - code e06d7363 errors, class name AVerror@exceptions@asw. No harm no foul, but I'm trying to figure out why the errors.

    In one app I was looking at AMSI.dll loading seemed to be directly tied to ole32!CoCreateInstance being called, to register itself with the IActiveScript interface to be able to use external JScript/VBScript/etc scripts, using a specific GUID IID CLSID_IActiveScript = {BB1A2AE1-A4F9-11CF-8F20-00805F2CD064}.

    ProcessExplorer is another app that loads AMSI.dll. CoCreateInstance again seems to be a trigger that will eventually cause the dll to be loaded, this time I think through WTSAPI32!WTSEnumerateSessionsW which is involved with the "Users" menu item.

    In both cases CoCreateInstance seems to end up with the antimalware dll being triggered to load in the application. When I noticed the common calls to CoCreateInstance I googled that and AMSI and found related information regarding exploits:

    Bypassing AMSI via COM Server Hijacking
    https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/


    On a side note, W32Dasm89 might do with RosASM improvements, particularly the fonts.

  4. #4 blabberer (Super Moderator)
    the file itself tells what it is

    Code:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
    00000000  58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35  X5O!P%@AP[4\PZX5
    00000010  34 28 50 5E 29 37 43 43 29 37 7D 24 45 49 43 41  4(P^)7CC)7}$EICA
    00000020  52 2D 53 54 41 4E 44 41 52 44 2D 41 4E 54 49 56  R-STANDARD-ANTIV
    00000030  49 52 55 53 2D 54 45 53 54 2D 46 49 4C 45 21 24  IRUS-TEST-FILE!$
    00000040  48 2B 48 2A                                      H+H*
    Avast winx reports it correctly as eicar test

    Last edited by blabberer; May 29th, 2020 at 09:31.

  5. #5 Kayaker
    If you're protected you shouldn't be able to make a copy of that file (ctrl-c ctrl-v). Avast won't let me unless I do it in one of my 'excluded from scans' folders.

    McAfee states that it protects PowerShell from running that script. My Avast seems to ignore the signature in PS and doesn't flag it.

    https://kc.mcafee.com/corporate/index?page=content&id=KB59742
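    Post #4 makes the point that the bytes themselves identify the file, and post #5 notes that the same bytes inside a PowerShell script may or may not be flagged. The difference between those two situations is which rule a scanner applies, and the following is an added example (not code from the thread or from any of the products mentioned) that shows both rules side by side in Python. The 68-byte string is the one posted in the thread; the trailer and length rules follow eicar.org's description of the test file (only whitespace after the string, 128 bytes at most). The sample blobs at the bottom are constructed for the demonstration.

    ```python
    # Added example (not from the thread): strict versus loose detection of the EICAR test file.
    # EICAR_SIGNATURE is the 68-byte string posted in the thread; the trailer/length rules follow
    # eicar.org's description of the test file (whitespace only after the string, 128 bytes max).
    EICAR_SIGNATURE = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    ALLOWED_TRAILER = frozenset(b" \t\r\n\x1a")   # space, tab, CR, LF, Ctrl-Z
    MAX_FILE_LEN = 128


    def is_eicar_test_file(data: bytes) -> bool:
        """Strict check: the blob *is* the EICAR test file as eicar.org defines it."""
        if len(data) > MAX_FILE_LEN or not data.startswith(EICAR_SIGNATURE):
            return False
        return all(b in ALLOWED_TRAILER for b in data[len(EICAR_SIGNATURE):])


    def contains_eicar_signature(data: bytes) -> bool:
        """Loose check: the 68-byte string appears anywhere, e.g. embedded in a script or document."""
        return EICAR_SIGNATURE in data


    def classify(data: bytes) -> str:
        """What a scanner would conclude under each rule, most specific first."""
        if is_eicar_test_file(data):
            return "eicar-test-file"
        if contains_eicar_signature(data):
            return "contains-eicar-signature"
        return "clean"


    # Constructed samples: a bare test file, one with a CRLF trailer, one padded past the
    # 128-byte limit, a PowerShell one-liner embedding the string (the case post #5 discusses),
    # and a truncated copy that no longer matches.
    SAMPLES = {
        "bare": EICAR_SIGNATURE,
        "crlf": EICAR_SIGNATURE + b"\r\n",
        "padded-too-long": EICAR_SIGNATURE + b" " * 61,          # 129 bytes
        "ps1": b'Write-Host "' + EICAR_SIGNATURE + b'"\r\n',
        "truncated": EICAR_SIGNATURE[:-4],                        # "H+H*" missing
    }

    if __name__ == "__main__":
        for name, blob in SAMPLES.items():
            print(f"{name:16s} {classify(blob)}")
    ```

    A product that only applies the strict whole-file rule will report the bare .com file and stay quiet on the .ps1 sample; one that applies the substring rule reports both. Which rule a given vendor uses is not something this code can tell you, but running both over the same blob shows exactly where the two behaviours diverge.
    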

  6. #6 evaluator
    I tried to 'imagine' the environment of this 'shellcode', but ESI & EDI are unknown. Well, we can think about EDI being in the range of this code... but nothing comes.
    Probably just a test to trigger AV.

  7. #7
    Quote Originally Posted by evaluator
    probably just test to trigger AV
    Click the Spoiler button on my last post. It reveals a couple of links explaining exactly what it is. The first link gives a step by step solution to the code.

    I used the Spoiler feature to hide the solution in case someone was working on figuring it out.

  8. #8 evaluator
    Well, that explanation assumes the code is 16-bit, while I assumed 32-bit shellcode.

  9. #9
    Quote Originally Posted by evaluator
    Well, that explanation assumes the code is 16-bit, while I assumed 32-bit shellcode.
    I saw no obvious start point so I presumed the first POP statement had AX initialized to 0. I started following the statements one by one, doing the XORs and ANDs, and it was working. Did not go all the way through but it seems to be a form of self-modifying code.

  10. #10 Kayaker
    I decided to try to emulate the self modifying code in the Eicar test file just for fun. The original bytes can't be used because of the requirement to use operand and address override prefixes 66h and 67h when working with 16bit registers in 32bit mode.

    For example the opcodes of the first 2 instructions now look like this

    66 58 pop ax
    66 35 4F 21 xor ax, 214Fh


    So while most of the code works as originally written, the clever register displacement offsets don't, and the actual output text is now corrupted with the 66h opcodes.

    Here is the code I came up with, which can be compiled as written and traced. If you execute the file it will simply give an access violation message when it hits the INT 21h that the SMC resolves to.

    INT 21h / AH=9 - output of a string at DS-DX. String must be terminated by '$'.

    (using PHP code tags because they give syntax coloring while regular CODE tags don't)

    PHP Code:
    /*
    Attempt to replicate self modifying code in Eicar test file.
    Original bytes can't be duplicated because of requirement to use
    operand and address override prefixes 66h and 67h when working
    with 16bit registers in 32bit mode.
    */

    #include <windows.h>
    #include <stdio.h>
    #include <excpt.h>

    // Make code section writable (the code patches itself)
    #pragma comment(linker, "/SECTION:.text,ERW")
    #pragma code_seg(".text")

    int filter(unsigned int code, struct _EXCEPTION_POINTERS *ep);


    void eicar_test(void)
    {
        __try {
            __asm {
                // initialize registers for tracing
                xor eax, eax
                xor ebx, ebx
                xor edx, edx
                xor esi, esi
                push 0                  // stands in for the zero word DOS leaves on the stack
            off_start:
                pop ax
                xor ax, 0x214F
                push ax                 // 214Fh
                and ax, 0x4140
                push ax                 // 140h
                pop bx
                xor al, 0x5C
                push ax                 // 11Ch
                pop dx
                pop ax                  // 214Fh
                xor ax, 0x2834
                push ax                 // 97Bh
                pop si

                // value of bx no longer valid as displacement offset
                // SUB word ptr [BX], SI
                sub WORD PTR [off_overwrite], si
                // 2B48h - 97Bh = 21CDh
                inc bx
                inc bx
                // SUB word ptr [BX], SI
                sub WORD PTR [off_overwrite + 2], si
                // 2A48h - 97Bh = 20CDh
                jge off_overwrite

                // code below represented "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"
                inc bp
                dec cx
                inc bx
                inc cx
                push dx
                sub ax, 0x5453
                inc cx
                dec si
                inc sp
                inc cx
                push dx
                inc sp
                sub ax, 0x4E41
                push sp
                dec cx
                push si
                dec cx
                push dx
                push bp
                push bx
                sub ax, 0x4554
                push bx
                push sp
                sub ax, 0x4946
                dec sp
                inc bp
                and WORD PTR [esi], sp

            off_overwrite:
                _emit 0x48              // dec ax
                _emit 0x2B              // sub cx, [bx+si+2A]
                _emit 0x48
                _emit 0x2A

                /*
                SMC modified to

                cd21    int    21h  ; AH = 09h DS:DX = 2B:11C (start of Eicar text string)
                cd20    int    20h

                DOS INT 21h
                AH = 09h - WRITE STRING TO STANDARD OUTPUT
                Entry: DS:DX -> '$'-terminated string
                Return: AL = 24h

                DOS INT 20h
                QUIT WITH EXIT CODE ; AL = exit code
                */
            }
        }
        __except (filter(GetExceptionCode(), GetExceptionInformation()))
        {
            puts("ERROR");
        }
    }


    int filter(unsigned int code, struct _EXCEPTION_POINTERS *ep)
    {
        if (code == EXCEPTION_ACCESS_VIOLATION)
        {
            puts("Access Violation");
            return EXCEPTION_EXECUTE_HANDLER;
        }
        else
        {
            puts("didn't catch AV, unexpected");
            return EXCEPTION_CONTINUE_SEARCH;
        }
    }

    ///////////////////////////////////////////////////////
    // WinMain
    ///////////////////////////////////////////////////////
    int main(int argc, char *argv[])
    {
        eicar_test();
        return 0;
    }
    ///////////////////////////////////////////////////////

    /*

    EICAR test file
    "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

    ORIGINAL CODE:

    :0001.0100 58                     pop ax
    :0001.0101 354F21                 xor ax, 214F
    :0001.0104 50                     push ax
    :0001.0105 254041                 and ax, 4140
    :0001.0108 50                     push ax
    :0001.0109 5B                     pop bx
    :0001.010A 345C                   xor al, 5C
    :0001.010C 50                     push ax
    :0001.010D 5A                     pop dx
    :0001.010E 58                     pop ax
    :0001.010F 353428                 xor ax, 2834
    :0001.0112 50                     push ax
    :0001.0113 5E                     pop si
    :0001.0114 2937                   sub [bx], si
    :0001.0116 43                     inc bx
    :0001.0117 43                     inc bx
    :0001.0118 2937                   sub [bx], si
    :0001.011A 7D24                   jge 0140
    :0001.011C 45                     inc bp
    :0001.011D 49                     dec cx
    :0001.011E 43                     inc bx
    :0001.011F 41                     inc cx
    :0001.0120 52                     push dx
    :0001.0121 2D5354                 sub ax, 5453
    :0001.0124 41                     inc cx
    :0001.0125 4E                     dec si
    :0001.0126 44                     inc sp
    :0001.0127 41                     inc cx
    :0001.0128 52                     push dx
    :0001.0129 44                     inc sp
    :0001.012A 2D414E                 sub ax, 4E41
    :0001.012D 54                     push sp
    :0001.012E 49                     dec cx
    :0001.012F 56                     push si
    :0001.0130 49                     dec cx
    :0001.0131 52                     push dx
    :0001.0132 55                     push bp
    :0001.0133 53                     push bx
    :0001.0134 2D5445                 sub ax, 4554
    :0001.0137 53                     push bx
    :0001.0138 54                     push sp
    :0001.0139 2D4649                 sub ax, 4946
    :0001.013C 4C                     dec sp
    :0001.013D 45                     inc bp
    :0001.013E 2124                   and [si], sp

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0001.011A(C)
    |
    :0001.0140 48                     dec ax
    :0001.0141 2B482A                 sub cx, [bx+si+2A]
    */ 

  11. #11 evaluator
    'Alternatively' you can make a "test.com" file from those "text" chars and it will execute in DOS mode.

  12. #12
    Sorry...I posted a bad link above. My reference to the Eicar test file was on Wayback Machine and I supplied the address of the bad URL rather than the Wayback URL. Since then, I have found the proper Eicar URL which is posted below. I'm wondering if this file is actually meant to be run. It's too coincidental that the name EICAR would fit into a legit file which is written completely as:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    unless a lot of the code is repetitive junk such as INC EAX, DEC EAX, etc.

    Eval says it runs in DOS so I'd say that's pretty clever programming if the string above works. BTW...there seems to be an Eicar-2 file which is a bit bigger.

    https://www.eicar.org/?page_id=3950

  13. #13 evaluator
    Those are text-char-range opcodes; I met the likes of them previously in shellcode analyses. However, in 32-bit, the code needs to find its own address, thus using call/pop or FPU commands, but these are not in the ANSI text-char range.

    ps https://nets.ec/Ascii_shellcode

  14. #14 blabberer (Super Moderator)
    @kayaker if you want to run that code in windows 10
    download and install vdos to say f:\vdos
    download grdb by ladsoft and copy grdb.exe to f:\vdos\grdb
    modify the autoexec.txt in f:\vdos folder to call grdb\grdb.exe instead of the default dptest\start.bat

    open a log file inside grdb with
    @a foo.txt

    edit the bytes in with e 100 [...], e 110 [...] etc

    Code:
    e 100 58,35,4F,21,50,25,40,41,50,5B,34,5C,50,5A,58,35,
    e 110 34,28,50,5E,29,37,43,43,29,37,7D,24,45,49,43,41,
    e 120 52,2D,53,54,41,4E,44,41,52,44,2D,41,4E,54,49,56,
    e 130 49,52,55,53,2D,54,45,53,54,2D,46,49,4C,45,21,24,
    e 140 48,2B,48,2A
    dump the memory using d 100 144 , unassemble with u 100 144
    step into with t
    step over with p

    prior to executing the int 21 with dx = 11c,
    dump the memory again with d 100 144; you can notice H+H* turned into cd 21, cd 20 (int 21, int 20)

    here is dump of the trace



    Code:
    ->e 100 58,35,4F,21,50,25,40,41,50,5B,34,5C,50,5A,58,35,
    ->e 110 34,28,50,5E,29,37,43,43,29,37,7D,24,45,49,43,41,
    ->e 120 52,2D,53,54,41,4E,44,41,52,44,2D,41,4E,54,49,56,
    ->e 130 49,52,55,53,2D,54,45,53,54,2D,46,49,4C,45,21,24,
    ->e 140 48,2B,48,2A
    ->d 100 144
    1197:0100 58 35 4F 21-50 25 40 41-50 5B 34 5C-50 5A 58 35  X5O!P%@AP[4\PZX5
    1197:0110 34 28 50 5E-29 37 43 43-29 37 7D 24-45 49 43 41  4(P^)7CC)7}$EICA
    1197:0120 52 2D 53 54-41 4E 44 41-52 44 2D 41-4E 54 49 56  R-STANDARD-ANTIV
    1197:0130 49 52 55 53-2D 54 45 53-54 2D 46 49-4C 45 21 24  IRUS-TEST-FILE!$
    1197:0140 48-2B 48 2A 00                                   H+H*.
    ->u 100 144
    1197:0100 58             pop          ax
    1197:0101 35 4F 21       xor          ax,214F
    1197:0104 50             push         ax
    1197:0105 25 40 41       and          ax,4140
    1197:0108 50             push         ax
    1197:0109 5B             pop          bx
    1197:010A 34 5C          xor          al,5C
    1197:010C 50             push         ax
    1197:010D 5A             pop          dx
    1197:010E 58             pop          ax
    1197:010F 35 34 28       xor          ax,2834
    1197:0112 50             push         ax
    1197:0113 5E             pop          si
    1197:0114 29 37          sub          [bx],si
    1197:0116 43             inc          bx
    1197:0117 43             inc          bx
    1197:0118 29 37          sub          [bx],si
    1197:011A 7D 24          jge          0140
    1197:011C 45             inc          bp
    1197:011D 49             dec          cx
    1197:011E 43             inc          bx
    1197:011F 41             inc          cx
    1197:0120 52             push         dx
    1197:0121 2D 53 54       sub          ax,5453
    1197:0124 41             inc          cx
    1197:0125 4E             dec          si
    1197:0126 44             inc          sp
    1197:0127 41             inc          cx
    1197:0128 52             push         dx
    1197:0129 44             inc          sp
    1197:012A 2D 41 4E       sub          ax,4E41
    1197:012D 54             push         sp
    1197:012E 49             dec          cx
    1197:012F 56             push         si
    1197:0130 49             dec          cx
    1197:0131 52             push         dx
    1197:0132 55             push         bp
    1197:0133 53             push         bx
    1197:0134 2D 54 45       sub          ax,4554
    1197:0137 53             push         bx
    1197:0138 54             push         sp
    1197:0139 2D 46 49       sub          ax,4946
    1197:013C 4C             dec          sp
    1197:013D 45             inc          bp
    1197:013E 21 24          and          [si],sp
    1197:0140 48             dec          ax
    1197:0141 2B 48 2A       sub          cx,[bx+si+2A]
    1197:0144 00 00          add          [bx+si],al
    ->t
    
    eax:00000000 ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
    ebp:00000000 esp:0000FFF0 eip:00000101 flag:00000202 NV UP EI PL NZ NA PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0101 35 4F 21       xor          ax,214F
    ->t
    
    eax:0000214F ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
    ebp:00000000 esp:0000FFF0 eip:00000104 flag:00000202 NV UP EI PL NZ NA PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0104 50             push         ax
    ->t
    
    eax:0000214F ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
    ebp:00000000 esp:0000FFEE eip:00000105 flag:00000202 NV UP EI PL NZ NA PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0105 25 40 41       and          ax,4140
    ->t
    
    eax:00000140 ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
    ebp:00000000 esp:0000FFEE eip:00000108 flag:00000202 NV UP EI PL NZ NA PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0108 50             push         ax
    ->t
    
    eax:00000140 ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
    ebp:00000000 esp:0000FFEC eip:00000109 flag:00000202 NV UP EI PL NZ NA PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0109 5B             pop          bx
    ->t
    
    eax:00000140 ebx:00000140 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
    ebp:00000000 esp:0000FFEE eip:0000010A flag:00000202 NV UP EI PL NZ NA PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:010A 34 5C          xor          al,5C
    ->t
    
    eax:0000011C ebx:00000140 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
    ebp:00000000 esp:0000FFEE eip:0000010C flag:00000202 NV UP EI PL NZ NA PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:010C 50             push         ax
    ->t
    
    eax:0000011C ebx:00000140 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
    ebp:00000000 esp:0000FFEC eip:0000010D flag:00000202 NV UP EI PL NZ NA PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:010D 5A             pop          dx
    ->t
    
    eax:0000011C ebx:00000140 ecx:00000000 edx:0000011C esi:00000000 edi:00000000 
    ebp:00000000 esp:0000FFEE eip:0000010E flag:00000202 NV UP EI PL NZ NA PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:010E 58             pop          ax
    ->t
    
    eax:0000214F ebx:00000140 ecx:00000000 edx:0000011C esi:00000000 edi:00000000 
    ebp:00000000 esp:0000FFF0 eip:0000010F flag:00000202 NV UP EI PL NZ NA PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:010F 35 34 28       xor          ax,2834
    ->t
    
    eax:0000097B ebx:00000140 ecx:00000000 edx:0000011C esi:00000000 edi:00000000 
    ebp:00000000 esp:0000FFF0 eip:00000112 flag:00000206 NV UP EI PL NZ NA PE NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0112 50             push         ax
    ->t
    
    eax:0000097B ebx:00000140 ecx:00000000 edx:0000011C esi:00000000 edi:00000000 
    ebp:00000000 esp:0000FFEE eip:00000113 flag:00000206 NV UP EI PL NZ NA PE NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0113 5E             pop          si
    ->t
    
    eax:0000097B ebx:00000140 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
    ebp:00000000 esp:0000FFF0 eip:00000114 flag:00000206 NV UP EI PL NZ NA PE NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0114 29 37          sub          [bx],si                 ds:[0140]=2B48
    ->t
    
    eax:0000097B ebx:00000140 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
    ebp:00000000 esp:0000FFF0 eip:00000116 flag:00000212 NV UP EI PL NZ AC PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0116 43             inc          bx
    ->t
    
    eax:0000097B ebx:00000141 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
    ebp:00000000 esp:0000FFF0 eip:00000117 flag:00000206 NV UP EI PL NZ NA PE NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0117 43             inc          bx
    ->t
    
    eax:0000097B ebx:00000142 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
    ebp:00000000 esp:0000FFF0 eip:00000118 flag:00000206 NV UP EI PL NZ NA PE NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0118 29 37          sub          [bx],si                 ds:[0142]=2A48
    ->t
    
    eax:0000097B ebx:00000142 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
    ebp:00000000 esp:0000FFF0 eip:0000011A flag:00000212 NV UP EI PL NZ AC PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:011A 7D 24          jge          0140     (jumps)
    ->t
    
    eax:0000097B ebx:00000142 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
    ebp:00000000 esp:0000FFF0 eip:00000140 flag:00000212 NV UP EI PL NZ AC PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0140 CD 21          int          21
    ->d 100 144
    1197:0100 58 35 4F 21-50 25 40 41-50 5B 34 5C-50 5A 58 35  X5O!P%@AP[4\PZX5
    1197:0110 34 28 50 5E-29 37 43 43-29 37 7D 24-45 49 43 41  4(P^)7CC)7}$EICA
    1197:0120 52 2D 53 54-41 4E 44 41-52 44 2D 41-4E 54 49 56  R-STANDARD-ANTIV
    1197:0130 49 52 55 53-2D 54 45 53-54 2D 46 49-4C 45 21 24  IRUS-TEST-FILE!$
    1197:0140 CD-21 CD 20 00                                   .!. .
    ->
    pEICAR-STANDARD-ANTIVIRUS-TEST-FILE!
    
    eax:0000097B ebx:00000142 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
    ebp:00000000 esp:0000FFF0 eip:00000142 flag:00000212 NV UP EI PL NZ AC PO NC 
    ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
    1197:0142 CD 20          int          20
    ->

    Last edited by blabberer; June 4th, 2020 at 10:05.
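    The grdb session above, together with Kayaker's inline-asm attempt in post #10, is the kind of thing a small emulator reproduces exactly. The following is an added example in Python, not code from the thread (it is neither Kayaker's C program nor blabberer's debugger script): an emulator for just the opcode subset present in the file, fed the bytes from the hex dump in post #4. It replays the trace: the two SUBs turn the H+H* bytes at 0140h into CD 21 CD 20, DX ends at 011Ch, and the int 21h/AH=09h handler collects what DOS would print. Assumptions, all mine: a single flat 64 KiB segment; SP starting at FFFEh with a zero word on top, which is the DOS .com convention and why the first POP AX yields 0 (the reason post #2's guess worked); and the class and helper names (Emu16, run_eicar, all_printable). Unknown opcodes raise rather than being guessed.

    ```python
    # Added example (not from the thread): a minimal 8086 emulator for the EICAR file's opcode subset.
    REGS = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]   # x86 register-number order
    LOAD_ADDR = 0x100                                           # .com files load at CS:0100h
    EICAR_BYTES = bytes.fromhex(                                # bytes from the hex dump in post #4
        "58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35 "
        "34 28 50 5E 29 37 43 43 29 37 7D 24 45 49 43 41 "
        "52 2D 53 54 41 4E 44 41 52 44 2D 41 4E 54 49 56 "
        "49 52 55 53 2D 54 45 53 54 2D 46 49 4C 45 21 24 "
        "48 2B 48 2A")


    class Emu16:
        """Just enough 8086 to run the EICAR file: 16-bit regs, one 64 KiB segment, DOS int 21h/20h."""

        def __init__(self, code, load=LOAD_ADDR):
            self.mem = bytearray(0x10000)
            self.mem[load:load + len(code)] = code
            self.r = dict.fromkeys(REGS, 0)
            self.r["sp"] = 0xFFFE        # assumed DOS convention: a zero word on top, so the first POP yields 0
            self.ip, self.halted, self.output = load, False, b""
            self.flags = {"cf": 0, "zf": 0, "sf": 0, "of": 0}

        def rd16(self, a): return self.mem[a] | (self.mem[a + 1] << 8)
        def wr16(self, a, v): self.mem[a], self.mem[a + 1] = v & 0xFF, (v >> 8) & 0xFF
        def fetch(self): self.ip += 1; return self.mem[self.ip - 1]
        def fetch16(self): self.ip += 2; return self.rd16(self.ip - 2)
        def push(self, v): self.r["sp"] = (self.r["sp"] - 2) & 0xFFFF; self.wr16(self.r["sp"], v)
        def pop(self): v = self.rd16(self.r["sp"]); self.r["sp"] = (self.r["sp"] + 2) & 0xFFFF; return v

        def logic_flags(self, res, bits=16):          # AND/XOR clear CF and OF
            self.flags.update(cf=0, of=0, zf=int(res == 0), sf=(res >> (bits - 1)) & 1)

        def sub16(self, a, b):                        # flags as the CPU sets them; JGE needs SF and OF
            res = (a - b) & 0xFFFF
            self.flags.update(cf=int(a < b), zf=int(res == 0), sf=res >> 15 & 1,
                              of=((a ^ b) & (a ^ res)) >> 15 & 1)
            return res

        def modrm(self):                              # only the mod=00 forms the file uses: [bx+si], [si], [bx]
            m = self.fetch()
            mod, reg, rm = m >> 6, (m >> 3) & 7, m & 7
            if mod != 0 or rm not in (0, 4, 7):
                raise NotImplementedError(f"modrm {m:02X}")
            base = {0: self.r["bx"] + self.r["si"], 4: self.r["si"], 7: self.r["bx"]}[rm]
            return base & 0xFFFF, REGS[reg]

        def step(self):
            op = self.fetch()
            if 0x40 <= op <= 0x4F:                    # INC/DEC r16 (CF is not affected)
                n, d = REGS[op & 7], 1 if op < 0x48 else -1
                self.r[n] = v = (self.r[n] + d) & 0xFFFF
                self.flags.update(zf=int(v == 0), sf=v >> 15 & 1, of=int(v == (0x8000 if d == 1 else 0x7FFF)))
            elif 0x50 <= op <= 0x57: self.push(self.r[REGS[op & 7]])          # PUSH r16
            elif 0x58 <= op <= 0x5F: self.r[REGS[op & 7]] = self.pop()        # POP r16
            elif op == 0x25: self.r["ax"] &= self.fetch16(); self.logic_flags(self.r["ax"])   # AND ax, imm16
            elif op == 0x35: self.r["ax"] ^= self.fetch16(); self.logic_flags(self.r["ax"])   # XOR ax, imm16
            elif op == 0x34: self.r["ax"] ^= self.fetch(); self.logic_flags(self.r["ax"] & 0xFF, 8)  # XOR al, imm8
            elif op == 0x2D: self.r["ax"] = self.sub16(self.r["ax"], self.fetch16())           # SUB ax, imm16
            elif op == 0x29:                          # SUB r/m16, r16: the self-modifying write
                a, reg = self.modrm(); self.wr16(a, self.sub16(self.rd16(a), self.r[reg]))
            elif op == 0x21:                          # AND r/m16, r16
                a, reg = self.modrm(); v = self.rd16(a) & self.r[reg]; self.wr16(a, v); self.logic_flags(v)
            elif op == 0x7D:                          # JGE rel8: taken when SF == OF
                rel = self.fetch(); rel -= 0x100 if rel > 0x7F else 0
                if self.flags["sf"] == self.flags["of"]: self.ip = (self.ip + rel) & 0xFFFF
            elif op == 0xCD: self.interrupt(self.fetch())                      # INT imm8
            else: raise NotImplementedError(f"opcode {op:02X} at {self.ip - 1:04X}")

        def interrupt(self, n):
            ah = self.r["ax"] >> 8
            if n == 0x21 and ah == 0x09:              # DOS: write the '$'-terminated string at DS:DX
                a = self.r["dx"]
                while self.mem[a] != 0x24: self.output += bytes([self.mem[a]]); a += 1
                self.r["ax"] = (ah << 8) | 0x24       # DOS returns AL = 24h
            elif n == 0x20: self.halted = True        # DOS: terminate program
            else: raise NotImplementedError(f"int {n:02X}, ah={ah:02X}")


    def run_eicar(max_steps=100):
        """Run the file until int 20h; returns the emulator so memory and registers can be inspected."""
        emu = Emu16(EICAR_BYTES)
        while not emu.halted and max_steps > 0:
            emu.step(); max_steps -= 1
        return emu


    def all_printable(code=EICAR_BYTES):
        """Post #13's observation: every byte of the file is a printable ASCII character (0x21..0x7E)."""
        return all(0x21 <= b <= 0x7E for b in code)


    if __name__ == "__main__":
        e = run_eicar()
        print(e.output.decode(), "| 0140h now:", e.mem[0x140:0x144].hex(), "| dx =", hex(e.r["dx"]))
    ```

    Only the instructions on the executed path plus the ones sitting in the text region are decoded, so the `sub cx, [bx+si+2A]` form that the disassembler shows at 0141h is never needed: by the time execution reaches 0140h those bytes are already `int 21h` / `int 20h`, which is the whole trick. Because the emulator raises on anything it does not know, a wrong assumption about the initial stack or flags shows up as an exception rather than as silently wrong output.
    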

  15. #15 Kayaker
    And they say DOS is dead. Yep, that's a nice way to do it.

    I've been using this little bit of SMC as an excuse to try to learn to create an emulator script for it in Ghidra. Still a lot to figure out but the emu example script is a good start.

    I'm starting to quite like Ghidra as an alternative to IDA, the decompiler is really nice, the scripting, other features as well. Cerbero Suite (from NTCore / CFF Explorer) kind of throws itself in the mix now too since it integrates the Ghidra decompiler (Sleigh) in its disassembler.

    Lots of good new tools, guess I'll shelve W32Dasm89 for good now
