What does this do in a .bat file?

Is it some sort of assembly language or what?

    @debug <%0 >nul
    e100 48 e6 61 be 3f 01 31 db 8a 1c 80 fb ff 74 f4 81
    e110 c3 d0 00 b0 b6 e6 43 31 d2 66 b8 dd 34 12 00 66
    e120 f7 f3 e6 42 88 e0 e6 42 46 8a 0c 46 ba da 03 ec
    e130 a8 08 74 fb ec a8 08 75 fb fe c9 74 c9 eb f0 00
    e140 0c 19 0c 45 0c 19 0c 8d 24 8d 24 67 48 00 0c 19
    e150 0c 45 0c 19 0c 67 24 67 24 45 24 36 0c 19 18 00
    e160 0c 19 0c 45 0c 19 0c 45 30 67 18 36 24 19 0c 00
    e170 30 00 18 67 18 45 18 45 34 00 0c 19 0c 45 0c 19
    e180 0c 8d 30 8d 18 67 48 00 0c 19 0c 45 0c 19 0c cf
    e190 30 45 18 45 24 36 0c 19 18 00 0c 19 0c 45 0c 19
    e1a0 0c 45 30 67 18 36 24 19 0c 00 30 00 18 67 30 45
    e1b0 6b ff
    g
+10  A: 

Yes, it's using "debug.exe" to put some raw hex into memory as a COM file, and then executing it. Whatever it is, it looks dangerous.

Paul Tomblin
why does it look dangerous?
TStamper
@TStamper ... because if it wasn't, there wouldn't be any need to obfuscate what it was doing by dynamically generating an executable.
Aaron Maenpaa
Because no one in their right mind would do something like that unless it was to purposefully obfuscate some undesired behavior. The only other option is that the person who wrote it is on crack.
RibaldEddie
And having a programmer on crack is also dangerous.
C. Ross
Are you saying it's dangerous because someone wrote that themselves? Because of all that hex translation?
TStamper
I'm saying it's dangerous because it's doing something that could be profoundly bad for your system without telling you what it's doing, and doing it in a way that looks like it was designed to avoid virus and trojan scanners.
Paul Tomblin
+10  A: 

The disassembled version below...

00000000  48                dec ax
00000001  E661              out 0x61,al
00000003  BE3F01            mov si,0x13f
00000006  31DB              xor bx,bx
00000008  8A1C              mov bl,[si]
0000000A  80FBFF            cmp bl,0xff
0000000D  74F4              jz 0x3
0000000F  81C3D000          add bx,0xd0
00000013  B0B6              mov al,0xb6
00000015  E643              out 0x43,al
00000017  31D2              xor dx,dx
00000019  66B8DD341200      mov eax,0x1234dd
0000001F  66F7F3            div ebx
00000022  E642              out 0x42,al
00000024  88E0              mov al,ah
00000026  E642              out 0x42,al
00000028  46                inc si
00000029  8A0C              mov cl,[si]
0000002B  46                inc si
0000002C  BADA03            mov dx,0x3da
0000002F  EC                in al,dx
00000030  A808              test al,0x8
00000032  74FB              jz 0x2f
00000034  EC                in al,dx
00000035  A808              test al,0x8
00000037  75FB              jnz 0x34
00000039  FEC9              dec cl
0000003B  74C9              jz 0x6
0000003D  EBF0              jmp short 0x2f

; Data starting at 0x13f
0000000: 000c 190c 450c 190c 8d24 8d24 6748 000c  ....E....$.$gH..
0000010: 190c 450c 190c 6724 6724 4524 360c 1918  ..E...g$g$E$6...
0000020: 000c 190c 450c 190c 4530 6718 3624 190c  ....E...E0g.6$..
0000030: 0030 0018 6718 4518 4534 000c 190c 450c  .0..g.E.E4....E.
0000040: 190c 8d30 8d18 6748 000c 190c 450c 190c  ...0..gH....E...
0000050: cf30 4518 4524 360c 1918 000c 190c 450c  .0E.E$6.......E.
0000060: 190c 4530 6718 3624 190c 0030 0018 6730  ..E0g.6$...0..g0
0000070: 456b ff0d 0a                             Ek...
Dan Olson
The disassembly is correct except that COM files are offset from 0x100; if you do that, then line 3 makes more sense.
xahtep
Also, note that everything after 0x13f (or 0x3f) in your listing is just data.
Eclipse
Thanks for pointing out the data.
Dan Olson
+13  A: 

Look at Dan Olson's disassembly; it looks like a short program that loops through and plays some music:

out 0x61

Turns the PC speaker on and off.

out 0x43

Sets up the system timer to generate square waves.

out 0x42

Sets the timer frequency.

Then there's a bunch of loops, reading through the data starting at 0x13f, syncing with the video status for timing, finally starting back at the beginning.

The data, of course, is just pairs of note pitch and length. For the curious, feel free to listen to the YouTube version.

Eclipse
Yeah. How very "8 bit".
gyaresu
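To see what the blob encodes without ever executing it, here is an added Python analysis script (mine, not from the question or any of the answers) that applies the `e` lines of the debug script to a byte array the way debug.exe would, checks where the instructions end, and decodes the (pitch, length) table with the same arithmetic as the loop in Dan Olson's listing. It assumes the standard COM load offset of 0x100 and takes the PIT input clock from the program's own constant 0x1234dd (1193181).

```python
import re

# Constructed sample input: the debug script from the question. Only the 'e' lines
# write memory; the 'g' (go) line is what would run the image, and this script never does.
DEBUG_SCRIPT = """\
e100 48 e6 61 be 3f 01 31 db 8a 1c 80 fb ff 74 f4 81
e110 c3 d0 00 b0 b6 e6 43 31 d2 66 b8 dd 34 12 00 66
e120 f7 f3 e6 42 88 e0 e6 42 46 8a 0c 46 ba da 03 ec
e130 a8 08 74 fb ec a8 08 75 fb fe c9 74 c9 eb f0 00
e140 0c 19 0c 45 0c 19 0c 8d 24 8d 24 67 48 00 0c 19
e150 0c 45 0c 19 0c 67 24 67 24 45 24 36 0c 19 18 00
e160 0c 19 0c 45 0c 19 0c 45 30 67 18 36 24 19 0c 00
e170 30 00 18 67 18 45 18 45 34 00 0c 19 0c 45 0c 19
e180 0c 8d 30 8d 18 67 48 00 0c 19 0c 45 0c 19 0c cf
e190 30 45 18 45 24 36 0c 19 18 00 0c 19 0c 45 0c 19
e1a0 0c 45 30 67 18 36 24 19 0c 00 30 00 18 67 30 45
e1b0 6b ff
g
"""

ORG = 0x100        # a COM image loads at offset 0x100, so debug's "e100" is image offset 0
PIT_HZ = 0x1234DD  # 1193181: the constant the program loads into eax before 'div ebx'
DATA_AT = 0x13F    # 'mov si,0x13f': first byte of the (pitch, frames) table
CODE_LEN = 0x3F    # the 'jmp short' at 0x3d is the last instruction; the table follows it

def load_com_image(script):
    """Apply each 'e <addr> <hex bytes>' line to a byte array the way debug.exe would."""
    mem = bytearray()
    for line in script.splitlines():
        m = re.match(r"e([0-9a-f]+)\s+([0-9a-f ]+)$", line.strip(), re.I)
        if not m:
            continue  # 'g' and anything else is not a memory write
        off, data = int(m.group(1), 16) - ORG, bytes.fromhex(m.group(2))
        mem.extend(b"\0" * max(0, off + len(data) - len(mem)))
        mem[off:off + len(data)] = data
    return bytes(mem)

def decode_notes(image):
    """Walk the table as the loop does: pitch byte p -> PIT channel 2 divisor PIT_HZ // (p + 0xd0)
    (mode byte 0xb6 = channel 2, lo/hi byte, square wave), so the speaker tone is PIT_HZ / divisor,
    i.e. about p + 208 Hz; the next byte is how many vertical-retrace periods (port 0x3da bit 3)
    to hold it, and 0xff restarts the tune."""
    notes, i = [], DATA_AT - ORG
    while i + 1 < len(image) and image[i] != 0xFF:
        divisor = PIT_HZ // (image[i] + 0xD0)
        notes.append((round(PIT_HZ / divisor), image[i + 1]))  # (Hz, frames)
        i += 2
    return notes
```

`decode_notes(load_com_image(DEBUG_SCRIPT))` returns the tune as a list of (Hz, frames) pairs, and `CODE_LEN` coincides with `DATA_AT - ORG`, which is the code/data split Eclipse pointed out in the listing.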