Quiz #2 By Horny Toad Try and see how many of these you can answer without your notes. Most of them should be fairly easy. They should be common knowledge if you want to advance in virus writing. Again, like the first quiz, don't sweat it. Use these questions as a reminder of the concepts that you need to learn. 1. What is meant by the delta offset? 2. What is the value of the delta offset during the first run of the virus? 3. What would happen if the virus didn't check the host for previous infection? 4. What information can we get from the DTA? 5. Where is the DTA located? 6. What happens when the "call" instruction is initiated? 7. What instruction does e9 hex equate to? 8. What is the significance of DX when AH=3fh and int 21 is issued? 9. Describe the procedure in checking whether a file has previously been infected with this virus. 10. What value is CX after "xor CX,CX" has been done? 11. What is the purpose for doing an int 20 during the first run of the virus? 12. What parameters does the AH=4fh in next_bug use? 13. What does the pop instruction do? 14. When used in code, what does the term "offset" mean? 15. Do "mov DX,OFFSET whatever" and "lea DX,whatever" produce the same result in DX? Answers to Quiz 1 I have decided not to discuss the answers in detail because they should be pretty obvious. Rather, I put down a short answer to refresh your memory. You can always go back to the tutorial for a better explaination. Describe different ways to put 00h in AX. - mov AX,0 or xor AX,AX What does the org 100h directive mean? -This denotes the beginning of a COM file, the end of the PSP. What is the purpose in commenting your code? - It helps you in remembering what the routines and procedures are doing in your code. Are there any downsides of commenting your code? - No, you can never comment too much. What is the purpose of the IP? - The Instruction Pointer contains the offset of the next instruction that is to execute. What are the general purpose registers? - AX (primary accumulator), BX (base register), CX (count register), DX (data register) What is the relationship between AH/AL and AX? - AH is the high portion of AX and AL is the low portion. What is an offset? - An offset is simply a relative displacement from a specified point What is the difference between CS and DS? - CS contains the starting address for the code segment and DS for the data segment. What do you think would happen if in Toad "comsig" is defined as "*.*",0? - Toad would then attempt to overwrite any file it found. What does the Toad virus do to an infected file? - It overwrites the file with itself. In eat_fly, why does AX have to be moved to BX? - The returned file handle needs to be in BX. What is the purpose of first_fly written after end? - It is where program execution is to begin. What are the two ways you have learned to terminate a program? - int 20 or int 21 AH=4ch In eat_fly, what exactly are we moving into CX? - The number of bytes to write. What is the difference between TASM and TLINK? - TASM is a compiler and TLINK is a linker. Describe what LEA does? - Load a near address into a register. (Load Effective Address) Why or why wouldn't the jump be executed at the end of find_fly? - The jump would execute if the carry flag equals 1, if no file was found.