dis2.c
Posted Jun 7, 2007
Authored by Piotr Bania | Site piotrbania.com

Gaara virus disinfector type 2 for the TI-89.

tags | virus
MD5 | f98358c3bbe3ab69b253d4343904ac99

/*

Gaara virus disinfector type 2
--------------------------------------
by Piotr Bania <bania.piotr@gmail.com>
http://www.piotrbania.com


Details:

First of all, the disinfector checks if GAARA is already resident;
if so, you may want to clear the RAM memory. This seems to be
the best way of disinfection, but you will lose all your RAM programs
unless they are archived. Anyway, I made another approach,
which I hope can teach you how to clear the virus.

This type of disinfector tries to find the EPO injection
which the virus made by patching the TIGCC epilog. That is how
it obtains its execution. The idea is simple: we scan
the potentially infected file starting from the entry point,
looking for a BRA byte sequence (of course, due to the fact that
we don't have a disassembler here, this may give us a lot of
false positives). Next, we check whether the BRA destination
satisfies the following conditions:

1) it is not negative (because the Gaara body lies below)
2) it is within the file size range
3) it points to the virus body

If these conditions are met, we consider the BRA to be an
injection of GAARA. Then we simply write the original EPILOG
back over the injection. Finally, we clear the GAARA marker.
That's all, have fun!

*/



#include <tigcclib.h>

/* 0xC8 holds the pointer to the AMS ROM call jump table; the virus hooks it */
#define get_romb(x) ((x) = *(unsigned long *)0xC8)
#define LOW_GAARA_SIZE 400   /* a file smaller than the virus body cannot carry it */



/* signatures */
unsigned char sig_gaara_mark[] = {'G','A','A','R','A','X'};

/* repair: the original TIGCC epilog (UNLK A6 / RTS) that the injected BRA overwrote */
unsigned char repair_bytes[] = {0x4E, 0x5E, 0x4E, 0x75};

unsigned short gaara_m_offset = 0;
int d_files = 0;


void is_infected(void)
{
    unsigned long a;
    get_romb(a);

    /* a clean table pointer lies in ROM (0x200000 and above); an address
       in RAM means the table has been redirected */
    if (!(a & 0xE00000))
    {
        printf("Disg: Seems the ROMCALL-JUMP-TABLE is redirected\n");
        printf("Disg: Please reset RAM to make it clean.\n");
        ngetchx();

        /* well, I should rewrite the ROMCALL-JUMP-TABLE ptr here by hand,
           but I guess it would be a cool job for you :) */
        return;
    }

    printf("Disg: Seems the RAM is clean\n");
}


/* returns the offset of sig inside mem, or 0 if not found (offset 0 is the size word) */
unsigned short get_sig_off(void *mem, unsigned short size, unsigned char *sig, int sig_s)
{
    unsigned char *p = (unsigned char *)mem;
    int i, ii, found;

    /* i + sig_s < size keeps the byte following the signature readable too */
    for (i = 0; i + sig_s < size; i++)
    {
        found = 1;
        for (ii = 0; ii < sig_s; ii++)
        {
            if (p[i + ii] != sig[ii])
            {
                found = 0;
                break;
            }
        }

        if (found == 1)
        {
            if (p[i + sig_s] == 'X')
                return 0; /* "GAARAX" is our own signature string: avoid matching ourselves */
            return i;
        }
    }

    return 0;
}


int is_gaara(void *mem, unsigned short size)
{
    printf("Disg: Scanning for the infection mark\n");

    /* sizeof - 1: search for "GAARA"; the trailing 'X' is checked separately */
    gaara_m_offset = get_sig_off(mem, size, sig_gaara_mark, sizeof(sig_gaara_mark) - 1);
    if (gaara_m_offset != 0)
    {
        printf("Disg: File is infected with Gaara, trying to repair\n");
        return 1;
    }

    printf("Disg: File is clean\n");
    return 0;
}


void disinfection_two(void *mem, unsigned short size)
{
    int i;
    unsigned char *start_scan;
    unsigned char *dest;
    unsigned char *end = (unsigned char *)mem + size;
    short offset;


    /* lets look for potential BRA's; skip the 2-byte size word */
    start_scan = (unsigned char *)mem + 2;



    /* this is a bit slow and a bit bruteforce, but the good point is that
       large BRA is not so heavily used in original programs :) */

    for (i = 0; i < (size - 6); i++)
    {
        /* faster than a signature search: BRA.W is 0x6000 followed by a 16-bit displacement */
        if ((start_scan[i] == 0x60) && (start_scan[i + 1] == 0x00))
        {
            /* potential BRA found, now check its destination; the displacement
               is a signed word, read in native 68k byte order */
            memcpy(&offset, start_scan + i + 2, 2);

            /* all Gaara jumps must be positive and within the file */
            if ((offset < 0) || (offset > size))
                continue;

            /* the displacement is relative to the displacement word itself */
            dest = start_scan + i + 2 + offset;

            /* borders? the 5-byte body signature must fit inside the file */
            if (dest + 5 > end)
                continue;

            /* does it point to Gaara? */
            if ((dest[0] == 0x4E) && (dest[3] == 0x71) && (dest[4] == 0x48))
            {

                printf("Disg: The virus injection was found at %lx\n", (unsigned long)(start_scan + i));

                /* clean the injection */
                memcpy(start_scan + i, repair_bytes, sizeof(repair_bytes));

                /* and now destroy the Gaara marker, pad it with 0 */
                memset((unsigned char *)mem + gaara_m_offset, 0, 5);
            }
        }
    }

    printf("Disg: File is repaired\n");
    d_files++;
    return;
}




void in_infected_file(SYM_ENTRY *se)
{
    unsigned short size;
    void *mem = HeapDeref(se->handle);

    printf("Disg: Checking %s\n", se->name);

    if (!mem)
    {
        printf("Disg: Error, cannot HeapDeref();\n");
        return;
    }

    /* the first word of a TI-89 variable is its size */
    size = *(unsigned short *)mem;

    printf("Disg: Variable size is %d bytes \n", size);

    if (size < LOW_GAARA_SIZE)
    {
        printf("Disg: The file is not infected (size is too low)\n");
        return;
    }

    if (!is_gaara(mem, size))
        return;

    disinfection_two(mem, size);

}




void dis_loop(void)
{

    SYM_ENTRY *se;

    if (!FolderOp(NULL, FOP_LOCK | FOP_ALL_FOLDERS))
    {
        printf("Disg: Locking folder table failed\n");
        return;
    }

    se = SymFindFirst(NULL, FO_RECURSE | FO_SKIP_TEMPS);

    while (se)
    {
        in_infected_file(se);
        se = SymFindNext();
    }

    FolderOp(NULL, FOP_UNLOCK | FOP_ALL_FOLDERS);

}


// Main Function
void _main(void)
{
    clrscr();
    printf("*** DISG - Gaara virus file disinfector ready.\n");
    printf("*** by Piotr Bania - http://www.piotrbania.com\n");

    is_infected();
    dis_loop();

    printf("Disg: Disinfection ended, %d file(s) were disinfected\n", d_files);
    ngetchx();
}
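The detection and repair steps from the Details comment, as an added host-side model that is not part of Bania's dis2.c: it reads the 68k BRA displacement as a signed big-endian word (so a backward branch is rejected instead of wrapping), checks that the target plus the 5-byte body signature stays inside the image, and exercises both the repair path and the rejection path on a constructed image. The body signature, the epilog bytes and the "GAARA" marker come from the page; the sample image layout is an assumption.

```c
#include <stdint.h>
#include <string.h>
/* Scan a TI-89 variable image (size word first, 68k big-endian) for a BRA.W
 * (60 00 dddd) whose signed displacement is positive, stays inside the image and
 * lands on the body signature 4E ?? ?? 71 48 that dis2.c keys on. Restore
 * UNLK A6 / RTS over it, zero the "GAARA" marker, return the BRA offset or -1. */
long repair_gaara(uint8_t *buf, size_t len)
{
    static const uint8_t epilog[4] = {0x4E, 0x5E, 0x4E, 0x75};
    size_t mark;
    /* marker search; "GAARAX" is skipped, as in dis2.c, so a scanner's own string is not hit */
    for (mark = 0; mark + 6 <= len; mark++)
        if (memcmp(buf + mark, "GAARA", 5) == 0 && buf[mark + 5] != 'X')
            break;
    if (mark + 6 > len)
        return -1;
    for (size_t i = 2; i + 4 <= len; i++) {            /* 2 = skip the size word */
        if (buf[i] != 0x60 || buf[i + 1] != 0x00)
            continue;
        /* displacement is signed and relative to the displacement word itself */
        int16_t disp = (int16_t)((buf[i + 2] << 8) | buf[i + 3]);
        size_t dest = i + 2 + (size_t)disp;
        if (disp < 0 || dest + 5 > len)                /* body must lie below, inside the file */
            continue;
        if (buf[dest] != 0x4E || buf[dest + 3] != 0x71 || buf[dest + 4] != 0x48)
            continue;
        memcpy(buf + i, epilog, sizeof epilog);
        memset(buf + mark, 0, 5);
        return (long)i;
    }
    return -1;
}

/* Constructed 30-byte image, not a real sample: size word, LINK A6/NOP prologue,
 * injected BRA.W at offset 8 (displacement taken from `disp`), padding, fake body
 * NOP NOP MOVEM.L at offset 16, marker at offset 24. Returns 8 when the epilog
 * is restored and the marker wiped, -1 if the BRA was rejected, -2 on a bad patch. */
long demo_repair(int16_t disp)
{
    uint8_t buf[30] = {
        0x00, 0x1E, 0x4E, 0x56, 0x00, 0x00, 0x4E, 0x71, 0x60, 0x00, 0x00, 0x00,
        0x4E, 0x71, 0x4E, 0x71, 0x4E, 0x71, 0x4E, 0x71, 0x48, 0xE7, 0xFF, 0xFE,
        'G', 'A', 'A', 'R', 'A', 0x00 };
    buf[10] = (uint8_t)(disp >> 8);
    buf[11] = (uint8_t)disp;
    long off = repair_gaara(buf, sizeof buf);
    if (off < 0) return off;
    return (memcmp(buf + off, "\x4E\x5E\x4E\x75", 4) != 0 || buf[24] != 0) ? -2 : off;
}
```

A forward displacement of 6 is repaired; a negative one (the virus never branches backwards) or one that runs past the end of the image is left alone.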
