# Hexadecimal Code

Can someone please explain this hex code to me?

This is from Hex Workshop

B4 4E BA 26 01 CD 21 72 1C B8 01 3D BA 9E 00 CD 21 93 B4 40 B1 2A BA 00 01 CD 21 B4 3E CD 21 B4 4F CD 21 EB E2 C3 2A 2E 43 4F 4D 00

This is given by the question

1EH,0E4H,10H,8CH,0ABH,67H,8BH,0D8H,0B6H,12H,0ABH,97H,10H,34H,0AAH,67H

What I am trying to do is search for a file that has the same string as the one given and say that they are the same.

The hex that I gave above was produced with Hex Workshop from the same source. But why is mine different from the given string?

Still can't figure them out!

## Comments

• I have read your question a few times, but still can't get it... You need to find a file with this byte sequence:

1EH,0E4H,10H,8CH,0ABH,67H,8BH,0D8H,0B6H,12H,0ABH,97H,10H,34H,0AAH,67H

Right?

What does it have to do with producing some file with the same source?
• Ok... Yes, the given string is to be found in any file.

Then, the string that I read using Hex Workshop is produced from the same source from which the given string was taken.

My problem is, I can't identify how he/she has taken the given strings from the file, since the strings that I have taken from the same file don't match the string that he/she gave me.

Because it is supposed to be understood that both of the strings that I have shown above were taken from one and the same file.

The problem is, how has he/she produced the strings? Logically, the strings should match since both are taken from the same file....

I still can't figure it out!

• Is this a school assignment?
If so, can you post the whole text of this assignment?
Or give a link, where I can look at it.
• Ok.. The question is in Malay; here I try to translate what the question wants into English.

Understanding How Antivirus Work.
=================================

Write a simple virus scanner, which does this:
1. Open an external file which contains strings of viruses.
2. Open target files.
3. Search for strings from (1) in (2)
4. When a string matches, write a report to an external file, quoting the location of (2) and what kind of virus (2) has been infected with.

Requirement:
1. The program should be able to receive an argument to scan a single target file, or a directory.
2. The program should also be able to analyse COM, EXE, HTM (text based) files.
3. The program should be able to scan the boot sector of a floppy disk.
Note: A simple DOS virus is included and should be the main case.

I forgot, the ASM must work for TASM.

• There are three ways I can think of it:
1. The file doesn't contain it, and shouldn't
2. You got the wrong file
3. The file was formatted wrong, like the first and second nibble swapped

The one and only Niklas Ulvinge aka IDK

• Much better now!

If you are planning to finish in a couple of days, it may not be so easy, because you have a lot of work to do in ASM (unless you have some library of functions).

I am not sure of a boot sector scan - check the disk I/O interrupts - they may provide a function to read the boot record.

You need to open a file with a set of virus signatures and load them all to memory, so you will not read that file again. Scanning the file in place every time on each file from some folder - will slow down your code dramatically.

Now, the loading depends on a format of that file - it may be text file or binary file - I did not get that part. You specify some string with HEX values - is that text or binary value? If that is binary - how do you tell when one virus string ends and other begins? If these are strings - they will end with a combination of bytes: 0Dh,0Ah. At this point you have to load the whole file in a single block of allocated memory and map the line address, so you will have a sort of table:

- addr1 = string for vir1
- addr2 = string for vir2
- addr3 = string for vir3

this should be also allocated. (DOS INT 21H has allocation services)

If you want this program to be simpler, you can set some static limits, like "the file of signatures will be no longer than 32 Kb and it may have maximum 500 lines". This way you allocate static memory in your data segment and will not bother with allocations.

Once you have it all loaded and mapped - close that file, obviously. Then, using the parameter from the command line (you have to learn how to find and process that information in ASM! - GOOGLE for "DOS PSP" and you get it)

Use DOS INT 21H to scan through the directory.

Now, you open a file to be searched and load it piece by piece and scan every piece for all signatures that you have loaded. The signature may begin in one piece and end in the next, so you have to account for this - scan not the whole piece, but only the first (piece size - signature size) bytes. Then move the last (signature size) bytes to the beginning of the piece buffer and read (piece size - signature size) bytes from the file. And so on until the file ends. To detect the end of file, watch the returned byte count from the INT 21H file reading service. When you get zero - the file has ended. Always keep the correct byte count for a piece of scanned memory.

Now, all I just explained will work really slowly, because real virus scanners do not scan the whole file in question. Together with a virus signature, the possible places (offsets) where you can find the signature are stored, so only a few bytes of a file are scanned for the signature - not the whole file.
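The piece-by-piece scan described in the post above, as an added C example (not code from the thread; the assignment itself requires TASM). It carries the last `sig_len - 1` bytes of each piece to the front of the buffer, a variant of the overlap described; the 512-byte piece size, the function name and the constructed test file in `main` are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PIECE 512   /* assumed piece size; must be >= the signature length */

/* Return the file offset of the first match of sig in fp, or -1 if absent. */
long scan_stream(FILE *fp, const unsigned char *sig, size_t sig_len)
{
    unsigned char buf[PIECE];
    size_t have = 0;   /* valid bytes currently in buf */
    long base = 0;     /* file offset of buf[0] */
    size_t got;

    if (sig_len == 0 || sig_len > PIECE)
        return -1;
    /* fread returning 0 is the "byte count is zero, file ended" condition */
    while ((got = fread(buf + have, 1, PIECE - have, fp)) > 0) {
        have += got;
        for (size_t i = 0; i + sig_len <= have; i++)
            if (memcmp(buf + i, sig, sig_len) == 0)
                return base + (long)i;
        if (have >= sig_len) {
            /* keep the tail so a signature split across two reads is seen */
            size_t keep = sig_len - 1;
            memmove(buf, buf + have - keep, keep);
            base += (long)(have - keep);
            have = keep;
        }
    }
    return -1;
}

int main(void)
{
    /* Signature bytes quoted in the question; the file content is constructed. */
    static const unsigned char sig[] = { 0x1E, 0xE4, 0x10, 0x8C, 0xAB, 0x67, 0x8B, 0xD8,
                                         0xB6, 0x12, 0xAB, 0x97, 0x10, 0x34, 0xAA, 0x67 };
    FILE *fp = tmpfile();
    if (!fp) return 1;
    for (int i = 0; i < 505; i++) fputc(0, fp);   /* match straddles byte 512 */
    fwrite(sig, 1, sizeof sig, fp);
    rewind(fp);
    printf("signature at offset %ld\n", scan_stream(fp, sig, sizeof sig));
    fclose(fp);
    return 0;
}
```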
• : Much better now!
:
: If you are planning to finish in a couple of days, it may not be so easy, because you have a lot of work to do in ASM (unless you have some library of functions).
:

It's ok, the date of submission is Dec 5th. There is still time for me to learn about assembly. But the bad thing about this is that this is my first time doing an assembly project, and we are not allowed to use any other programming language, and the languages I know do not include assembly. But I don't mind learning; I will learn piece by piece, and later assemble the pieces into one single program.

: I am not sure of a boot sector scan - check the disk I/O interrupts - they may provide a function to read the boot record.
:

I am learning how to read sector 0 of a floppy disk and put it into a temporary file, to be scanned later. Probably this will be the last thing I'll do..

: Now, the loading depends on a format of that file - it may be text file or binary file - I did not get that part. You specify some string with HEX values - is that text or binary value? If that is binary - how do you tell when one virus string ends and other begins? If these are strings - they will end with a combination of bytes: 0Dh,0Ah. At this point you have to load the whole file in a single block of allocated memory and map the line address, so you will have a sort of table:
:
: - addr1 = string for vir1
: - addr2 = string for vir2
: - addr3 = string for vir3
:
: this should be also allocated. (DOS INT 21H has allocation services)
:

My idea now is, read everything in HEX, meaning that even text will be read in HEX, therefore the signature file can be easily formatted, for example, the signature may look like this

VirusName = HEXcodes

: If you want this program to be simpler, you can set some static limits, like "the file of signatures will be no longer than 32 Kb and it may have maximum 500 lines". This way you allocate static memory in your data segment and will not bother with allocations.
:

: Once you have it all loaded and mapped - close that file, obviously. Then, using the parameter from the command line (you have to learn how to find and process that information in ASM! - GOOGLE for "DOS PSP" and you get it)
:
: Use DOS INT 21H to scan through the directory.
:
: Now, you open a file to be searched and load it piece by piece and scan every piece for all signatures that you have loaded. The signature may begin in one piece and end in the next, so you have to account for this - scan not the whole piece, but only the first (piece size - signature size) bytes. Then move the last (signature size) bytes to the beginning of the piece buffer and read (piece size - signature size) bytes from the file. And so on until the file ends. To detect the end of file, watch the returned byte count from the INT 21H file reading service. When you get zero - the file has ended. Always keep the correct byte count for a piece of scanned memory.
:
: Now, all I just explained will work really slowly, because real virus scanners do not scan the whole file in question. Together with a virus signature, the possible places (offsets) where you can find the signature are stored, so only a few bytes of a file are scanned for the signature - not the whole file.
:

I will post a simple virus scanner that I have imitated from a source I found on the net. I think, if I can work on that piece of code, and improve it with the project requirement, then it should be ok....

• Probably, the first thing I should do now is learn how to open an external file and load information into memory.

I have decided to use this format for the signature

virus_name = strings

but I just have no idea how to read an external file, and read it line by line in ASM.
• This link is your big friend:

http://www.ctyme.com/intr/int-21.htm

It has all info on opening/reading files and much more.
Since you need both virus names and their strings - I suggest you load the file as a whole in a piece of memory and then scan it. For better results keep the line in a file in a simple manner, like so:

virus1=0D,0F,A2,32,30... do not put the H specifier (you just know they are all HEX)
virus2=...
virus3=...

and so on.

First make an empty skeleton in TASM and then start adding stuff. What type of binary file are you deciding on: EXE or COM?

If you have any more questions just drop me an email: [email protected]
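
A parser for the `name=0D,0F,A2` line format suggested above, as an added C example (not code from the thread, and not TASM). The struct, the function names and the static limits of 31 name characters and 64 signature bytes are assumptions; bytes written with an `H` suffix are rejected.

```c
#include <ctype.h>
#include <string.h>

#define MAX_SIG 64   /* assumed static limit on signature length */

struct signature {
    char name[32];                  /* virus name, left of '=' */
    unsigned char bytes[MAX_SIG];   /* decoded signature bytes */
    size_t len;
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = toupper(c);
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse one line such as "virus1=0D,0F,A2"; 0 on success, -1 if malformed. */
int parse_signature(const char *line, struct signature *out)
{
    const char *eq = strchr(line, '=');
    const char *p;
    size_t nlen;

    if (!eq) return -1;
    nlen = (size_t)(eq - line);
    while (nlen > 0 && line[nlen - 1] == ' ') nlen--;   /* allow "name = ..." */
    if (nlen == 0 || nlen >= sizeof out->name) return -1;
    memcpy(out->name, line, nlen);
    out->name[nlen] = '\0';
    out->len = 0;
    p = eq + 1;
    for (;;) {
        int hi, lo;
        while (*p == ' ') p++;
        hi = hexval((unsigned char)p[0]);
        lo = hi < 0 ? -1 : hexval((unsigned char)p[1]);   /* never read past NUL */
        if (hi < 0 || lo < 0 || out->len == MAX_SIG) return -1;
        out->bytes[out->len++] = (unsigned char)(hi << 4 | lo);
        p += 2;
        while (*p == ' ') p++;
        if (*p == ',') { p++; continue; }
        /* a line ends at NUL or at the 0Dh,0Ah pair of a DOS text file */
        return (*p == '\0' || *p == '\r' || *p == '\n') ? 0 : -1;
    }
}
```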