HOW TO MODIFY A VIRUS SO SCAN WON'T CATCH IT
PART II
In Issue 1 of 40Hex, Hellraiser presented a simple (though incredibly
tedious) method of searching for scan strings. In short, this was his
method:
1) Make a small carrier file.
2) Infect the carrier with the virus.
3) Fill parts of the virus with a dummy value until you isolate the
scan string.
4) Modify the virus so it is not detectable, i.e. switch the order of
the instructions.
The problem is, of course, that step 3 takes a maddeningly inordinate
amount of time. I shall present a tip which will save you much time.
The trick is, of course, to find out where the encryption mechanism and
hence the unencrypted portion where the scan string is usually located.
Once the encryption mechanism is located, isolating the scan string is
much simpler.
Of course, the problem is finding the encryption mechanism in the first
place. The simplest method of doing this is using V Communication's
Sourcer 486, or any similar dissassembler. Dissassemble the file and
search for the unencrypted portions. Most of the file will be DBs, so
search for any part which isn't. Once you have located those parts, all
you have to do is subtract 100h from the memory location to find its
physical offset in the file. You now have a general idea of where the
scan string is located, so perform step 3 until you find it.
Ack, you say, what if you don't have Sourcer? Well, all is not lost.
Load up the infected carrier in good old DEBUG. The first instruction
(in COM infections) should be a JMP. Trace (T) into the JMP and you
should be thrown into the area around the encryption mechanism. Use the
memory offset (relative to the PSP segment) and subtract 100h to find
the physical location of the unencrypted portion in the file. Once
again, once you have this, perform step 3. Simple, no?
Sometimes, SCAN looks for the writing portion of the code, which
generally calls INT 21h, function 40h. This is usually, though not
always, located somewhere near the encryption mechanism. If it is
not near there, all you have to do is trace through the virus until
it calls the write file function.
Another method of looking for scan codes is to break the infected carrier
file into a series of 50 byte overlapping chunks. For example, the first
chunk would be from offset 0 to 49, the second from 24 to 74, the third
from 49 to 99, etc. Then use SCAN to see which chunk holds the scan code.
This is by far the easiest, not to mention quickest, method.
One side note on step 1, making the carrier file. Some virii don't
infect tiny files. What you must do is create a larger file (duh).
Simply assemble the following two lines:
int 20h
db 98 dup (0)
(with all the garbage segment declarations and shit, of course) and
you'll have a nice 100 byte carrier which should be sufficient in most
cases, with maybe the exception of the Darth Vaders.
Enjoy!
-------------------------------------------------------------------------------
Dark Angel
