Welcome to the new Woodmann RCE Messageboards Regroupment

ReverseMe

All-in-one reversing related discussions
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

ReverseMe

Post by Kayaker »

This is well known code. Harmless.

What is it?

Disassembly of File: reverseme.com
Code Offset = 00000000, Code Size = 00000044
Data Offset = 00000000, Data Size = 00000000

Number of Objects = 0001 (dec), Imagebase = 00000000h

   Object01:          RVA: 00000000 Offset: 00000000 Size: 00000044 Flags: 00000000


+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object BinaryCode **************
Program Entry Point Not Available


//********************** Start of Code in Segment: 1 **************

:0001.0100 58                     pop ax
:0001.0101 354F21                 xor ax, 214F
:0001.0104 50                     push ax
:0001.0105 254041                 and ax, 4140
:0001.0108 50                     push ax
:0001.0109 5B                     pop bx
:0001.010A 345C                   xor al, 5C
:0001.010C 50                     push ax
:0001.010D 5A                     pop dx
:0001.010E 58                     pop ax
:0001.010F 353428                 xor ax, 2834
:0001.0112 50                     push ax
:0001.0113 5E                     pop si
:0001.0114 2937                   sub [bx], si
:0001.0116 43                     inc bx
:0001.0117 43                     inc bx
:0001.0118 2937                   sub [bx], si
:0001.011A 7D24                   jge 0140
:0001.011C 45                     inc bp
:0001.011D 49                     dec cx
:0001.011E 43                     inc bx
:0001.011F 41                     inc cx
:0001.0120 52                     push dx
:0001.0121 2D5354                 sub ax, 5453
:0001.0124 41                     inc cx
:0001.0125 4E                     dec si
:0001.0126 44                     inc sp
:0001.0127 41                     inc cx
:0001.0128 52                     push dx
:0001.0129 44                     inc sp
:0001.012A 2D414E                 sub ax, 4E41
:0001.012D 54                     push sp
:0001.012E 49                     dec cx
:0001.012F 56                     push si
:0001.0130 49                     dec cx
:0001.0131 52                     push dx
:0001.0132 55                     push bp
:0001.0133 53                     push bx
:0001.0134 2D5445                 sub ax, 4554
:0001.0137 53                     push bx
:0001.0138 54                     push sp
:0001.0139 2D4649                 sub ax, 4946
:0001.013C 4C                     dec sp
:0001.013D 45                     inc bp
:0001.013E 2124                   and [si], sp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.011A(C)
|
:0001.0140 48                     dec ax
:0001.0141 2B482A                 sub cx, [bx+si+2A]
:0001.0144 00000000000000000000   BYTE 10 DUP(0)
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Kayaker wrote: This is well known code. Harmless. What is it?
I started working through it with the assumption that first statement POP AX was 0000.

Spoiler: Got about 10 steps down, then decided to check 'and ax, 4140', which led to the following page:

https://en.wikipedia.org/wiki/Talk%3AEICAR_test_file

which led to the following page:

https://www.eicar.org/86-0-Intended-use.html
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

I've been looking at the Windows Antimalware Scan Interface (AMSI) lately, and its relation to exploits particularly with PowerShell.

https://docs.microsoft.com/en-us/window ... dfrom=MSDN

https://www.blackhat.com/docs/us-16/mat ... oes-It.pdf
The AMSI feature is integrated into these components of Windows 10.

User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
PowerShell (scripts, interactive use, and dynamic code evaluation)
Windows Script Host (wscript.exe and cscript.exe)
JavaScript and VBScript
Office VBA macros


I've seen the AMSI.dll crop up in Windbg several times depending on the application. In my case it also loads the Avast provider dll aswAMSI, which for some reason always generates two dozen C++ EH exception - code e06d7363 errors, class name [email protected]@asw. No harm no foul, but I'm trying to figure out why the errors.

In one app I was looking at AMSI.dll loading seemed to be directly tied to ole32!CoCreateInstance being called, to register itself with the IActiveScript interface to be able to use external JScript/VBScript/etc scripts, using a specific GUID IID CLSID_IActiveScript = {BB1A2AE1-A4F9-11CF-8F20-00805F2CD064}.

ProcessExplorer is another app that loads AMSI.dll. CoCreateInstance again seems to be a trigger that will eventually cause the dll to be loaded, this time I think through WTSAPI32!WTSEnumerateSessionsW which is involved with the "Users" menu item.

In both cases CoCreateInstance seems to end up with the antimalware dll being triggered to load in the application. When I noticed the common calls to CoCreateInstance I googled that and AMSI and found related information regarding exploits:

Bypassing AMSI via COM Server Hijacking
https://enigma0x3.net/2017/07/19/bypass ... hijacking/


On a side note, W32Dasm89 might do with RosASM improvements, particularly the fonts.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

the file itself tells what it is

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35  X5O!P%@AP[4\PZX5
00000010  34 28 50 5E 29 37 43 43 29 37 7D 24 45 49 43 41  4(P^)7CC)7}$EICA
00000020  52 2D 53 54 41 4E 44 41 52 44 2D 41 4E 54 49 56  R-STANDARD-ANTIV
00000030  49 52 55 53 2D 54 45 53 54 2D 46 49 4C 45 21 24  IRUS-TEST-FILE!$
00000040  48 2B 48 2A                                      H+H*
Avast winx reports it correctly as eicar test

Attachment: eica.png
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

If you're protected you shouldn't be able to make a copy of that file (ctrl-c ctrl-v). Avast won't let me unless I do it in one of my 'excluded from scans' folders.

Mcafee states that it protects PowerShell from running that script. My Avast seems to ignore the signature in PS and doesn't flag it.

https://kc.mcafee.com/corporate/index?p ... id=KB59742
evaluator
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

I tried to 'imagine' the environment of this 'shellcode', but ESI & EDI are unknown. Well, we can think about EDI in the range of this code.. but nothing comes.
Probably just a test to trigger AV.
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

evaluator wrote: probably just test to trigger AV
Click the Spoiler button on my last post. It reveals a couple of links explaining exactly what it is. The first link gives a step by step solution to the code.

I used the Spoiler feature to hide the solution in case someone was working on figuring it out.
evaluator
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Well, that explanation assumes the code is 16-bit, while I assumed 32-bit shellcode.
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

evaluator wrote: well, that explanation assumes code as 16bit, while I assumed as 32bit shell-code
I saw no obvious start point so I presumed the first POP statement had AX initialized to 0. I started following the statements one by one, doing the XORs and ANDs, and it was working. Did not go all the way through but it seems to be a form of self-modifying code.
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

I decided to try to emulate the self modifying code in the Eicar test file just for fun. The original bytes can't be used because of the requirement to use operand and address override prefixes 66h and 67h when working with 16bit registers in 32bit mode.

For example the opcodes of the first 2 instructions now look like this

66 58 pop ax
66 35 4F 21 xor ax, 214Fh


So while most of the code works as originally written, the clever register displacement offsets don't, and the actual output text is now corrupted with the 66h opcodes.

Here is the code I came up with, which can be compiled as written and traced. If you execute the file it will simply give an access violation message when it hits the INT 21h that the SMC resolves to.

INT 21h / AH=9 - output of a string at DS:DX. String must be terminated by '$'.

(using PHP code tags because they give syntax coloring while regular CODE tags don't)

/*
Attempt to replicate self modifying code in Eicar test file.
Original bytes can't be duplicated because of requirement to use
operand and address override prefixes 66h and 67h when working
with 16bit registers in 32bit mode.
*/

#include <windows.h>
#include <stdio.h>
#include <excpt.h>

// Make code section writable
#pragma comment(linker, "/SECTION:.text,ERW")
#pragma code_seg(".text")

int filter(unsigned int code, struct _EXCEPTION_POINTERS *ep);


void eicar_test(void)
{
    __try {
        __asm {
            // initialize code for tracing
            xor eax, eax
            xor ebx, ebx
            xor edx, edx
            xor esi, esi
            push 0
        off_start:
                pop ax
                xor ax, 0x214F
                push ax    // 214Fh
                and ax, 0x4140
                push ax    // 140h
                pop bx
                xor al, 0x5C
                push ax    // 11Ch
                pop dx
                pop ax    // 214Fh
                xor ax, 0x2834
                push ax    // 97Bh
                pop si
                // value of bx no longer valid as displacement offset
                // SUB word ptr[BX], SI                
                sub WORD PTR[off_overwrite], si
                // 2B48h - 97Bh = 21CDh
                inc bx
                inc bx
                // SUB word ptr[BX], SI
                sub WORD PTR[off_overwrite + 2], si
                // 2A48h - 97Bh = 20CDh
                jge off_overwrite

                // code below represented "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"
                inc bp
                dec cx
                inc bx
                inc cx
                push dx
                sub ax, 0x5453
                inc cx
                dec si
                inc sp
                inc cx
                push dx
                inc sp
                sub ax, 0x4E41
                push sp
                dec cx
                push si
                dec cx
                push dx
                push bp
                push bx
                sub ax, 0x4554
                push bx
                push sp
                sub ax, 0x4946
                dec sp
                inc bp
                and WORD PTR[esi], sp

        off_overwrite :
            _emit 0x48 // dec ax
            _emit 0x2B // sub cx, [bx+si+2A]
            _emit 0x48 
            _emit 0x2A

            /*
            SMC modified to

            cd21    int    21h  ; AH = 09h, DS:DX = 2B:11C (start of Eicar text string)
            cd20    int    20h

            DOS INT 21h
            AH = 09h - WRITE STRING TO STANDARD OUTPUT
            Entry: DS:DX -> '$'-terminated string
            Return: AL = 24h

            DOS INT 20h
            QUIT WITH EXIT CODE ; AL = exit code
            */
        }
    }
    __except (filter(GetExceptionCode(), GetExceptionInformation()))
    {
        puts("ERROR");
    }
}


int filter(unsigned int code, struct _EXCEPTION_POINTERS *ep)
{
    if (code == EXCEPTION_ACCESS_VIOLATION)
    {
        puts("Access Violation");
        return EXCEPTION_EXECUTE_HANDLER;
    }
    else
    {
        puts("didn't catch AV, unexpected");
        return EXCEPTION_CONTINUE_SEARCH;
    };
}

///////////////////////////////////////////////////////
// main
///////////////////////////////////////////////////////
int main( int argc, char* argv[] )
{
    eicar_test();
    return 0;
}
///////////////////////////////////////////////////////

/*

EICAR test file
"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

ORIGINAL CODE:

:0001.0100 58                     pop ax
:0001.0101 354F21                 xor ax, 214F
:0001.0104 50                     push ax
:0001.0105 254041                 and ax, 4140
:0001.0108 50                     push ax
:0001.0109 5B                     pop bx
:0001.010A 345C                   xor al, 5C
:0001.010C 50                     push ax
:0001.010D 5A                     pop dx
:0001.010E 58                     pop ax
:0001.010F 353428                 xor ax, 2834
:0001.0112 50                     push ax
:0001.0113 5E                     pop si
:0001.0114 2937                   sub [bx], si
:0001.0116 43                     inc bx
:0001.0117 43                     inc bx
:0001.0118 2937                   sub [bx], si
:0001.011A 7D24                   jge 0140
:0001.011C 45                     inc bp
:0001.011D 49                     dec cx
:0001.011E 43                     inc bx
:0001.011F 41                     inc cx
:0001.0120 52                     push dx
:0001.0121 2D5354                 sub ax, 5453
:0001.0124 41                     inc cx
:0001.0125 4E                     dec si
:0001.0126 44                     inc sp
:0001.0127 41                     inc cx
:0001.0128 52                     push dx
:0001.0129 44                     inc sp
:0001.012A 2D414E                 sub ax, 4E41
:0001.012D 54                     push sp
:0001.012E 49                     dec cx
:0001.012F 56                     push si
:0001.0130 49                     dec cx
:0001.0131 52                     push dx
:0001.0132 55                     push bp
:0001.0133 53                     push bx
:0001.0134 2D5445                 sub ax, 4554
:0001.0137 53                     push bx
:0001.0138 54                     push sp
:0001.0139 2D4649                 sub ax, 4946
:0001.013C 4C                     dec sp
:0001.013D 45                     inc bp
:0001.013E 2124                   and [si], sp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.011A(C)
|
:0001.0140 48                     dec ax
:0001.0141 2B482A                 sub cx, [bx+si+2A]
*/
evaluator
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

'Alternatively' you can make a "test.com" file from those "text" chars and it will execute in DOS mode.
WaxfordSqueers
Senior Member
Posts: 1015
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Sorry...I posted a bad link above. My reference to the Eicar test file was on Wayback Machine and I supplied the address of the bad URL rather than the Wayback URL. Since then, I have found the proper Eicar URL which is posted below. I'm wondering if this file is actually meant to be run. It's too coincidental that the name EICAR would fit into a legit file which is written completely as:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

unless a lot of the code is repetitive junk such as INC EAX, DEC EAX, etc.

Eval says it runs in DOS so I'd say that's pretty clever programming if the string above works. BTW...there seems to be an Eicar-2 file which is a bit bigger.

https://www.eicar.org/?page_id=3950
evaluator
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Those are text-char range opcodes; I met the likes of them previously in shellcode analyses. However, in 32-bit, code needs to find its own address, thus using call/pop or FPU commands, but these are not in the ANSI text-char range.

ps https://nets.ec/Ascii_shellcode
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

@kayaker if you want to run that code in Windows 10:
download and install vDos to, say, f:\vdos
download grdb by ladsoft and copy grdb.exe to f:\vdos\grdb
modify the autoexec.txt in the f:\vdos folder to call grdb\grdb.exe instead of the default dptest\start.bat

open a log file inside grdb with
@a foo.txt

edit the bytes in with e 100 [...], e 110 [...] etc

e 100 58,35,4F,21,50,25,40,41,50,5B,34,5C,50,5A,58,35,
e 110 34,28,50,5E,29,37,43,43,29,37,7D,24,45,49,43,41,
e 120 52,2D,53,54,41,4E,44,41,52,44,2D,41,4E,54,49,56,
e 130 49,52,55,53,2D,54,45,53,54,2D,46,49,4C,45,21,24,
e 140 48,2B,48,2A
dump the memory using d 100 144, unassemble with u 100 144
step into with t
step over with p

Prior to executing the int 21 with dx = 11c, dump the memory again with d 100 144; you can notice H+H* turned into cd 21, cd 20 (int 21, int 20).

here is dump of the trace


->e 100 58,35,4F,21,50,25,40,41,50,5B,34,5C,50,5A,58,35,
->e 110 34,28,50,5E,29,37,43,43,29,37,7D,24,45,49,43,41,
->e 120 52,2D,53,54,41,4E,44,41,52,44,2D,41,4E,54,49,56,
->e 130 49,52,55,53,2D,54,45,53,54,2D,46,49,4C,45,21,24,
->e 140 48,2B,48,2A
->d 100 144
1197:0100 58 35 4F 21-50 25 40 41-50 5B 34 5C-50 5A 58 35  X5O!P%@AP[4\PZX5
1197:0110 34 28 50 5E-29 37 43 43-29 37 7D 24-45 49 43 41  4(P^)7CC)7}$EICA
1197:0120 52 2D 53 54-41 4E 44 41-52 44 2D 41-4E 54 49 56  R-STANDARD-ANTIV
1197:0130 49 52 55 53-2D 54 45 53-54 2D 46 49-4C 45 21 24  IRUS-TEST-FILE!$
1197:0140 48-2B 48 2A 00                                   H+H*.
->u 100 144
1197:0100 58             pop          ax
1197:0101 35 4F 21       xor          ax,214F
1197:0104 50             push         ax
1197:0105 25 40 41       and          ax,4140
1197:0108 50             push         ax
1197:0109 5B             pop          bx
1197:010A 34 5C          xor          al,5C
1197:010C 50             push         ax
1197:010D 5A             pop          dx
1197:010E 58             pop          ax
1197:010F 35 34 28       xor          ax,2834
1197:0112 50             push         ax
1197:0113 5E             pop          si
1197:0114 29 37          sub          [bx],si
1197:0116 43             inc          bx
1197:0117 43             inc          bx
1197:0118 29 37          sub          [bx],si
1197:011A 7D 24          jge          0140
1197:011C 45             inc          bp
1197:011D 49             dec          cx
1197:011E 43             inc          bx
1197:011F 41             inc          cx
1197:0120 52             push         dx
1197:0121 2D 53 54       sub          ax,5453
1197:0124 41             inc          cx
1197:0125 4E             dec          si
1197:0126 44             inc          sp
1197:0127 41             inc          cx
1197:0128 52             push         dx
1197:0129 44             inc          sp
1197:012A 2D 41 4E       sub          ax,4E41
1197:012D 54             push         sp
1197:012E 49             dec          cx
1197:012F 56             push         si
1197:0130 49             dec          cx
1197:0131 52             push         dx
1197:0132 55             push         bp
1197:0133 53             push         bx
1197:0134 2D 54 45       sub          ax,4554
1197:0137 53             push         bx
1197:0138 54             push         sp
1197:0139 2D 46 49       sub          ax,4946
1197:013C 4C             dec          sp
1197:013D 45             inc          bp
1197:013E 21 24          and          [si],sp
1197:0140 48             dec          ax
1197:0141 2B 48 2A       sub          cx,[bx+si+2A]
1197:0144 00 00          add          [bx+si],al
->t

eax:00000000 ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
ebp:00000000 esp:0000FFF0 eip:00000101 flag:00000202 NV UP EI PL NZ NA PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0101 35 4F 21       xor          ax,214F
->t

eax:0000214F ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
ebp:00000000 esp:0000FFF0 eip:00000104 flag:00000202 NV UP EI PL NZ NA PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0104 50             push         ax
->t

eax:0000214F ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
ebp:00000000 esp:0000FFEE eip:00000105 flag:00000202 NV UP EI PL NZ NA PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0105 25 40 41       and          ax,4140
->t

eax:00000140 ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
ebp:00000000 esp:0000FFEE eip:00000108 flag:00000202 NV UP EI PL NZ NA PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0108 50             push         ax
->t

eax:00000140 ebx:00000000 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
ebp:00000000 esp:0000FFEC eip:00000109 flag:00000202 NV UP EI PL NZ NA PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0109 5B             pop          bx
->t

eax:00000140 ebx:00000140 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
ebp:00000000 esp:0000FFEE eip:0000010A flag:00000202 NV UP EI PL NZ NA PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:010A 34 5C          xor          al,5C
->t

eax:0000011C ebx:00000140 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
ebp:00000000 esp:0000FFEE eip:0000010C flag:00000202 NV UP EI PL NZ NA PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:010C 50             push         ax
->t

eax:0000011C ebx:00000140 ecx:00000000 edx:00000000 esi:00000000 edi:00000000 
ebp:00000000 esp:0000FFEC eip:0000010D flag:00000202 NV UP EI PL NZ NA PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:010D 5A             pop          dx
->t

eax:0000011C ebx:00000140 ecx:00000000 edx:0000011C esi:00000000 edi:00000000 
ebp:00000000 esp:0000FFEE eip:0000010E flag:00000202 NV UP EI PL NZ NA PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:010E 58             pop          ax
->t

eax:0000214F ebx:00000140 ecx:00000000 edx:0000011C esi:00000000 edi:00000000 
ebp:00000000 esp:0000FFF0 eip:0000010F flag:00000202 NV UP EI PL NZ NA PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:010F 35 34 28       xor          ax,2834
->t

eax:0000097B ebx:00000140 ecx:00000000 edx:0000011C esi:00000000 edi:00000000 
ebp:00000000 esp:0000FFF0 eip:00000112 flag:00000206 NV UP EI PL NZ NA PE NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0112 50             push         ax
->t

eax:0000097B ebx:00000140 ecx:00000000 edx:0000011C esi:00000000 edi:00000000 
ebp:00000000 esp:0000FFEE eip:00000113 flag:00000206 NV UP EI PL NZ NA PE NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0113 5E             pop          si
->t

eax:0000097B ebx:00000140 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
ebp:00000000 esp:0000FFF0 eip:00000114 flag:00000206 NV UP EI PL NZ NA PE NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0114 29 37          sub          [bx],si                 ds:[0140]=2B48
->t

eax:0000097B ebx:00000140 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
ebp:00000000 esp:0000FFF0 eip:00000116 flag:00000212 NV UP EI PL NZ AC PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0116 43             inc          bx
->t

eax:0000097B ebx:00000141 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
ebp:00000000 esp:0000FFF0 eip:00000117 flag:00000206 NV UP EI PL NZ NA PE NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0117 43             inc          bx
->t

eax:0000097B ebx:00000142 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
ebp:00000000 esp:0000FFF0 eip:00000118 flag:00000206 NV UP EI PL NZ NA PE NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0118 29 37          sub          [bx],si                 ds:[0142]=2A48
->t

eax:0000097B ebx:00000142 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
ebp:00000000 esp:0000FFF0 eip:0000011A flag:00000212 NV UP EI PL NZ AC PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:011A 7D 24          jge          0140     (jumps)
->t

eax:0000097B ebx:00000142 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
ebp:00000000 esp:0000FFF0 eip:00000140 flag:00000212 NV UP EI PL NZ AC PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0140 CD 21          int          21
->d 100 144
1197:0100 58 35 4F 21-50 25 40 41-50 5B 34 5C-50 5A 58 35  X5O!P%@AP[4\PZX5
1197:0110 34 28 50 5E-29 37 43 43-29 37 7D 24-45 49 43 41  4(P^)7CC)7}$EICA
1197:0120 52 2D 53 54-41 4E 44 41-52 44 2D 41-4E 54 49 56  R-STANDARD-ANTIV
1197:0130 49 52 55 53-2D 54 45 53-54 2D 46 49-4C 45 21 24  IRUS-TEST-FILE!$
1197:0140 CD-21 CD 20 00                                   .!. .
->
pEICAR-STANDARD-ANTIVIRUS-TEST-FILE!

eax:0000097B ebx:00000142 ecx:00000000 edx:0000011C esi:0000097B edi:00000000 
ebp:00000000 esp:0000FFF0 eip:00000142 flag:00000212 NV UP EI PL NZ AC PO NC 
ds:1197 es:1197 fs:1197 gs:1197 ss:1197 cs:1197 
1197:0142 CD 20          int          20
->

Attachment: eic.png
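The 16-bit run that the grdb trace above steps through, and that the 32-bit C port earlier in the thread could not reproduce byte-for-byte because of the 66h/67h prefixes, as an added example that is not code from the thread or from any of its posters: a minimal Python emulator covering only the opcodes the EICAR bytes contain. Its environment is an assumption modelled on the trace (registers zero, SP = FFF0h with a zero word on top of the stack, one flat 64 KiB segment with no segment registers, DOS INT 21h/AH=09h and INT 20h implemented by hand); the `Cpu16`, `run_eicar` and `is_printable_ascii` names are mine.

```python
"""Minimal 16-bit x86 emulator for the EICAR self-modifying code.

Added example, not code from the thread. It runs the 68-byte EICAR string as a DOS .COM
image at offset 0100h, as the grdb trace does, implementing only the opcodes the string
contains plus the two DOS services it calls. Assumed: registers zero, SP = FFF0h with a
zero word on top of the stack (what a DOS loader leaves, so the first 'pop ax' yields 0),
and a single flat 64 KiB segment with no segment registers.
"""

# Constructed from the string quoted in the thread (the backslash is escaped for Python).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

REGS = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]   # index = low 3 bits of push/pop/inc/dec
M = 0xFFFF


def is_printable_ascii(data):
    """True when every byte is a printable 7-bit character, the constraint the EICAR bytes obey."""
    return all(0x20 <= b < 0x7F for b in data)


class Cpu16:
    def __init__(self, image, load=0x100, sp=0xFFF0):
        self.mem = bytearray(0x10000)                  # one zero-filled 64 KiB segment
        self.mem[load:load + len(image)] = image
        self.r = dict.fromkeys(REGS, 0)
        self.r["sp"], self.ip = sp, load
        self.sf = self.of = self.zf = self.cf = 0
        self.output, self.trace, self.halted = b"", [], False

    def rd16(self, a): return self.mem[a & M] | (self.mem[(a + 1) & M] << 8)
    def wr16(self, a, v): self.mem[a & M], self.mem[(a + 1) & M] = v & 0xFF, (v >> 8) & 0xFF
    def fetch8(self): b = self.mem[self.ip]; self.ip = (self.ip + 1) & M; return b
    def fetch16(self): lo = self.fetch8(); return lo | (self.fetch8() << 8)
    def push(self, v): self.r["sp"] = (self.r["sp"] - 2) & M; self.wr16(self.r["sp"], v)
    def pop(self): v = self.rd16(self.r["sp"]); self.r["sp"] = (self.r["sp"] + 2) & M; return v

    def flags(self, a, b=None, sub=False):
        # Returns a (or a - b) as 16 bits and sets SF/ZF; SUB also sets CF/OF, logic ops clear them.
        res = (a - b if sub else a) & M
        self.sf, self.zf = res >> 15, int(res == 0)
        if sub: self.cf, self.of = int(a < b), ((a ^ b) & (a ^ res)) >> 15 & 1
        else: self.cf = self.of = 0
        return res

    def modrm(self):
        # Decodes a 16-bit ModR/M byte into (reg field, operand); 'sub [bx],si' is 29 37.
        mrm = self.fetch8(); mod, reg, rm = mrm >> 6, (mrm >> 3) & 7, mrm & 7
        if mod == 3: return reg, ("reg", REGS[rm])
        r = self.r
        ea = [r["bx"] + r["si"], r["bx"] + r["di"], r["bp"] + r["si"], r["bp"] + r["di"],
              r["si"], r["di"], r["bp"], r["bx"]][rm]
        if mod == 0 and rm == 6: ea = self.fetch16()                            # direct address
        elif mod == 1: d = self.fetch8(); ea += d - 0x100 if d & 0x80 else d    # signed disp8
        elif mod == 2: ea += self.fetch16()                                      # disp16
        return reg, ("mem", ea & M)

    def get(self, op): return self.r[op[1]] if op[0] == "reg" else self.rd16(op[1])
    def put(self, op, v):
        if op[0] == "reg": self.r[op[1]] = v & M
        else: self.wr16(op[1], v)

    def step(self):
        self.trace.append(self.ip)
        op = self.fetch8(); r = self.r
        if 0x50 <= op <= 0x57: self.push(r[REGS[op & 7]])                       # push r16
        elif 0x58 <= op <= 0x5F: r[REGS[op & 7]] = self.pop()                   # pop r16
        elif 0x40 <= op <= 0x4F:                                                # inc/dec r16 (CF kept)
            n = REGS[op & 7]; r[n] = v = (r[n] + (-1 if op & 8 else 1)) & M
            self.sf, self.zf, self.of = v >> 15, int(v == 0), int(v == (0x7FFF if op & 8 else 0x8000))
        elif op == 0x25: r["ax"] = self.flags(r["ax"] & self.fetch16())         # and ax, imm16
        elif op == 0x35: r["ax"] = self.flags(r["ax"] ^ self.fetch16())         # xor ax, imm16
        elif op == 0x34:                                                        # xor al, imm8
            al = (r["ax"] ^ self.fetch8()) & 0xFF; r["ax"] = (r["ax"] & 0xFF00) | al
            self.sf, self.zf, self.cf, self.of = al >> 7, int(al == 0), 0, 0
        elif op == 0x2D: r["ax"] = self.flags(r["ax"], self.fetch16(), sub=True)    # sub ax, imm16
        elif op == 0x29:                                                        # sub r/m16, r16
            reg, dst = self.modrm(); self.put(dst, self.flags(self.get(dst), r[REGS[reg]], sub=True))
        elif op == 0x2B:                                                        # sub r16, r/m16
            reg, src = self.modrm(); r[REGS[reg]] = self.flags(r[REGS[reg]], self.get(src), sub=True)
        elif op == 0x21:                                                        # and r/m16, r16
            reg, dst = self.modrm(); self.put(dst, self.flags(self.get(dst) & r[REGS[reg]]))
        elif op == 0x7D:                                                        # jge rel8: taken if SF == OF
            d = self.fetch8(); d = d - 0x100 if d & 0x80 else d
            if self.sf == self.of: self.ip = (self.ip + d) & M
        elif op == 0xCD: self.interrupt(self.fetch8())                          # int imm8
        else: raise NotImplementedError("opcode %02Xh at %04Xh" % (op, self.ip - 1))

    def interrupt(self, n):
        ah = self.r["ax"] >> 8
        if n == 0x21 and ah == 0x09:          # DOS: write the '$'-terminated string at DS:DX
            p = self.r["dx"]
            while self.mem[p] != ord("$"): self.output += bytes([self.mem[p]]); p = (p + 1) & M
            self.r["ax"] = (self.r["ax"] & 0xFF00) | 0x24     # DOS returns AL = 24h
        elif n == 0x20: self.halted = True    # DOS: terminate program
        else: raise NotImplementedError("INT %02Xh with AH=%02Xh" % (n, ah))


def run_eicar(image=EICAR, max_steps=200):
    # Executes until INT 20h and returns the CPU so the caller can inspect memory and registers.
    cpu = Cpu16(image)
    while not cpu.halted:
        if len(cpu.trace) >= max_steps: raise RuntimeError("no INT 20h within the step budget")
        cpu.step()
    return cpu
```

Calling `run_eicar()` and reading `cpu.output`, `cpu.mem[0x140:0x144]` and `cpu.trace` reproduces what the trace shows: twenty instructions; the tail H+H* rewritten to CD 21 CD 20 because 2B48h - 097Bh = 21CDh and 2A48h - 097Bh = 20CDh; the jge taken because the second result is positive with SF = OF = 0; AH already holding 09h from the earlier xor, so the INT 21h lands on the print-string service; and DX = 011Ch pointing at the '$'-terminated message. `is_printable_ascii(EICAR)` checks evaluator's point that every byte, and therefore every opcode and operand, sits in the printable range, which is what lets the file be typed in as text.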
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

And they say DOS is dead. Yep, that's a nice way to do it.

I've been using this little bit of SMC as an excuse to try to learn to create an emulator script for it in Ghidra. Still a lot to figure out but the emu example script is a good start.

I'm starting to quite like Ghidra as an alternative to IDA, the decompiler is really nice, the scripting, other features as well. Cerbero Suite (from NTCore / CFF Explorer) kind of throws itself in the mix now too since it integrates the Ghidra decompiler (Sleigh) in its disassembler.

Lots of good new tools, guess I'll shelve W32Dasm89 for good now :p