@kayaker if you want to run that code in windows 10
download and install vdos to say f:\vdos
download grdb by ladsoft and copy grdb.exe to f:\vdos\grdb
modify the autoexec.txt in f:\vdos folder to call grdb\grdb.exe instead of the default dptest\start.bat
open a log file inside grdb with
@a foo.txt
edit the bytes in with `e 100 <bytes>`, `e 110 <bytes>` etc. (the exact commands are listed below)
e 100 58,35,4F,21,50,25,40,41,50,5B,34,5C,50,5A,58,35,
e 110 34,28,50,5E,29,37,43,43,29,37,7D,24,45,49,43,41,
e 120 52,2D,53,54,41,4E,44,41,52,44,2D,41,4E,54,49,56,
e 130 49,52,55,53,2D,54,45,53,54,2D,46,49,4C,45,21,24,
e 140 48,2B,48,2A
dump the memory using d 100 144, unassemble with u 100 144
step into with t
step over with p
prior to executing the int 21 (ah = 09, print the '$'-terminated string at ds:dx) with dx = 11c,
dump the memory again with d 100 144; you can notice that H+H* at 0140 has turned into cd 21, cd 20 (int 21, int 20) — the two sub [bx],si instructions at 0114 and 0118 rewrite those bytes before the jge reaches them
here is a dump of the trace
->e 100 58,35,4F,21,50,25,40,41,50,5B,34,5C,50,5A,58,35,
->e 110 34,28,50,5E,29,37,43,43,29,37,7D,24,45,49,43,41,
->e 120 52,2D,53,54,41,4E,44,41,52,44,2D,41,4E,54,49,56,
->e 130 49,52,55,53,2D,54,45,53,54,2D,46,49,4C,45,21,24,
->e 140 48,2B,48,2A
->d 100 144
1197:0100 58 35 4F 21-50 25 40 41-50 5B 34 5C-50 5A 58 35 X5O!P%@AP[4\PZX5
1197:0110 34 28 50 5E-29 37 43 43-29 37 7D 24-45 49 43 41 4(P^)7CC)7}$EICA
1197:0120 52 2D 53 54-41 4E 44 41-52 44 2D 41-4E 54 49 56 R-STANDARD-ANTIV
1197:0130 49 52 55 53-2D 54 45 53-54 2D 46 49-4C 45 21 24 IRUS-TEST-FILE!$
1197:0140 48-2B 48 2A 00 H+H*.
->u 100 144
1197:0100 58 pop ax
1197:0101 35 4F 21 xor ax,214F
1197:0104 50 push ax
1197:0105 25 40 41 and ax,4140
1197:0108 50 push ax
1197:0109 5B pop bx
1197:010A 34 5C xor al,5C
1197:010C 50 push ax
1197:010D 5A pop dx
1197:010E 58 pop ax
1197:010F 35 34 28 xor ax,2834
1197:0112 50 push ax
1197:0113 5E pop si
1197:0114 29 37 sub [bx],si
1197:0116 43 inc bx
1197:0117 43 inc bx
1197:0118 29 37 sub [bx],si
1197:011A 7D 24 jge 0140
1197:011C 45 inc bp
1197:011D 49 dec cx
1197:011E 43 inc bx
1197:011F 41 inc cx
1197:0120 52 push dx
1197:0121 2D 53 54 sub ax,5453
1197:0124 41 inc cx
1197:0125 4E dec si
1197:0126 44 inc sp
1197:0127 41 inc cx
1197:0128 52 push dx
1197:0129 44 inc sp
1197:012A 2D 41 4E sub ax,4E41
1197:012D 54 push sp
1197:012E 49 dec cx
1197:012F 56 push si
1197:0130 49 dec cx
1197:0131 52 push dx
1197:0132 55 push bp
1197:0133 53 push bx
1197:0134 2D 54 45 sub ax,4554
1197:0137 53 push bx
1197:0138 54 push sp
1197:0139 2D 46 49 sub ax,4946
1197:013C 4C dec sp
1197:013D 45 inc bp
1197:013E 21 24 and [si],sp
1197:0140 48 dec ax
1197:0141 2B 48 2A sub cx,[bx+si+2A]
1197:0144 00 00 add [bx+si],al
->t
eax:00000000 ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000
ebp:00000000 esp:0000FFF0 eip:00000101 flag:00000202 NV UP EI PL NZ NA PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0101 35 4F 21 xor ax,214F
->t
eax:0000214F ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000
ebp:00000000 esp:0000FFF0 eip:00000104 flag:00000202 NV UP EI PL NZ NA PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0104 50 push ax
->t
eax:0000214F ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000
ebp:00000000 esp:0000FFEE eip:00000105 flag:00000202 NV UP EI PL NZ NA PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0105 25 40 41 and ax,4140
->t
eax:00000140 ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000
ebp:00000000 esp:0000FFEE eip:00000108 flag:00000202 NV UP EI PL NZ NA PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0108 50 push ax
->t
eax:00000140 ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000
ebp:00000000 esp:0000FFEC eip:00000109 flag:00000202 NV UP EI PL NZ NA PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0109 5B pop bx
->t
eax:00000140 ebx:00000140 ecx:00000000 edx:00000000 esi:00000000 edi:00000000
ebp:00000000 esp:0000FFEE eip:0000010A flag:00000202 NV UP EI PL NZ NA PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:010A 34 5C xor al,5C
->t
eax:0000011C ebx:00000140 ecx:00000000 edx:00000000 esi:00000000 edi:00000000
ebp:00000000 esp:0000FFEE eip:0000010C flag:00000202 NV UP EI PL NZ NA PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:010C 50 push ax
->t
eax:0000011C ebx:00000140 ecx:00000000 edx:00000000 esi:00000000 edi:00000000
ebp:00000000 esp:0000FFEC eip:0000010D flag:00000202 NV UP EI PL NZ NA PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:010D 5A pop dx
->t
eax:0000011C ebx:00000140 ecx:00000000 edx:0000011C esi:00000000 edi:00000000
ebp:00000000 esp:0000FFEE eip:0000010E flag:00000202 NV UP EI PL NZ NA PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:010E 58 pop ax
->t
eax:0000214F ebx:00000140 ecx:00000000 edx:0000011C esi:00000000 edi:00000000
ebp:00000000 esp:0000FFF0 eip:0000010F flag:00000202 NV UP EI PL NZ NA PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:010F 35 34 28 xor ax,2834
->t
eax:0000097B ebx:00000140 ecx:00000000 edx:0000011C esi:00000000 edi:00000000
ebp:00000000 esp:0000FFF0 eip:00000112 flag:00000206 NV UP EI PL NZ NA PE NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0112 50 push ax
->t
eax:0000097B ebx:00000140 ecx:00000000 edx:0000011C esi:00000000 edi:00000000
ebp:00000000 esp:0000FFEE eip:00000113 flag:00000206 NV UP EI PL NZ NA PE NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0113 5E pop si
->t
eax:0000097B ebx:00000140 ecx:00000000 edx:0000011C esi:0000097B edi:00000000
ebp:00000000 esp:0000FFF0 eip:00000114 flag:00000206 NV UP EI PL NZ NA PE NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0114 29 37 sub [bx],si ds:[0140]=2B48
->t
eax:0000097B ebx:00000140 ecx:00000000 edx:0000011C esi:0000097B edi:00000000
ebp:00000000 esp:0000FFF0 eip:00000116 flag:00000212 NV UP EI PL NZ AC PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0116 43 inc bx
->t
eax:0000097B ebx:00000141 ecx:00000000 edx:0000011C esi:0000097B edi:00000000
ebp:00000000 esp:0000FFF0 eip:00000117 flag:00000206 NV UP EI PL NZ NA PE NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0117 43 inc bx
->t
eax:0000097B ebx:00000142 ecx:00000000 edx:0000011C esi:0000097B edi:00000000
ebp:00000000 esp:0000FFF0 eip:00000118 flag:00000206 NV UP EI PL NZ NA PE NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0118 29 37 sub [bx],si ds:[0142]=2A48
->t
eax:0000097B ebx:00000142 ecx:00000000 edx:0000011C esi:0000097B edi:00000000
ebp:00000000 esp:0000FFF0 eip:0000011A flag:00000212 NV UP EI PL NZ AC PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:011A 7D 24 jge 0140 (jumps)
->t
eax:0000097B ebx:00000142 ecx:00000000 edx:0000011C esi:0000097B edi:00000000
ebp:00000000 esp:0000FFF0 eip:00000140 flag:00000212 NV UP EI PL NZ AC PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0140 CD 21 int 21
->d 100 144
1197:0100 58 35 4F 21-50 25 40 41-50 5B 34 5C-50 5A 58 35 X5O!P%@AP[4\PZX5
1197:0110 34 28 50 5E-29 37 43 43-29 37 7D 24-45 49 43 41 4(P^)7CC)7}$EICA
1197:0120 52 2D 53 54-41 4E 44 41-52 44 2D 41-4E 54 49 56 R-STANDARD-ANTIV
1197:0130 49 52 55 53-2D 54 45 53-54 2D 46 49-4C 45 21 24 IRUS-TEST-FILE!$
1197:0140 CD-21 CD 20 00 .!. .
->
pEICAR-STANDARD-ANTIVIRUS-TEST-FILE!
eax:0000097B ebx:00000142 ecx:00000000 edx:0000011C esi:0000097B edi:00000000
ebp:00000000 esp:0000FFF0 eip:00000142 flag:00000212 NV UP EI PL NZ AC PO NC
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197
1197:0142 CD 20 int 20
->