X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
October 23, 2024 1:53 PM

A Tutorial in x86 Assembly Language: an examination of the EICAR standard AV test program including a step-by-step analysis of its operation using Microsoft's DEBUG Program.

From Wikipedia: The file is a text file of between 68 and 128 bytes that is a legitimate .com executable file (plain x86 machine code) that can be run by MS-DOS, some work-alikes, and its successors OS/2 and Windows (except for 64-bit due to 16-bit limitations). The EICAR test file will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" when executed and then will stop. The test string was written by noted anti-virus researchers Padgett Peterson and Paul Ducklin and engineered to consist of ASCII human-readable characters, easily created using a standard computer keyboard. It makes use of self-modifying code to work around technical issues that this constraint imposes on the execution of the test string.
posted by Wolfdog (8 comments total) 16 users marked this as a favorite
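The self-modifying trick described in the Wikipedia paragraph above is easiest to understand by watching it run. The block below is an added example, not code from the linked tutorial, from Wikipedia, or from EICAR: a toy Python 8086 interpreter that implements only the opcodes the test file actually executes (PUSH/POP/INC r16, XOR/AND AX,imm, SUB [BX],SI, JGE rel8, INT) in a flat 64 KiB .com model, and assumes the usual DOS .com startup state (CS=DS=SS, image loaded at offset 100h, a zero word on the stack so that a RET would land on the PSP's INT 20h). Running it shows why a static disassembly of the file never contains an INT instruction: CD 21h and CD 20h are not printable ASCII, so the program computes a constant in SI, subtracts it from the two words of the trailing "H+H*", and then jumps to the patched bytes.

```python
"""Toy 8086 emulator for the EICAR .com file (added example, not EICAR's or the tutorial's code)."""

# The 68-byte test file, embedded here so the script runs offline.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

REGS16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]  # 8086 register encoding order


def is_printable_ascii(data: bytes) -> bool:
    """True if every byte is a graphic ASCII character (0x21..0x7E), i.e. typeable on a keyboard."""
    return all(0x21 <= b <= 0x7E for b in data)


class TinyCpu8086:
    """Flat 64 KiB model of a DOS .com process: CS=DS=SS, image at 0x100, SP=0xFFFE (assumed)."""

    def __init__(self, image: bytes):
        self.mem = bytearray(0x10000)
        self.mem[0x100:0x100 + len(image)] = image
        self.r = dict.fromkeys(REGS16, 0)
        self.r["sp"] = 0xFFFE          # DOS leaves a zero word at the top of the stack
        self.ip = 0x100
        self.sf = self.of = False      # the only flags JGE consults
        self.output = bytearray()
        self.running = True

    def rd16(self, a):
        return self.mem[a] | (self.mem[a + 1] << 8)

    def wr16(self, a, v):
        self.mem[a], self.mem[a + 1] = v & 0xFF, (v >> 8) & 0xFF

    def push(self, v):
        self.r["sp"] = (self.r["sp"] - 2) & 0xFFFF
        self.wr16(self.r["sp"], v)

    def pop(self):
        v = self.rd16(self.r["sp"])
        self.r["sp"] = (self.r["sp"] + 2) & 0xFFFF
        return v

    def fetch8(self):
        b = self.mem[self.ip]
        self.ip += 1
        return b

    def fetch16(self):
        lo = self.fetch8()
        return lo | (self.fetch8() << 8)

    def step(self):
        op = self.fetch8()
        if 0x50 <= op <= 0x57:                       # PUSH r16
            self.push(self.r[REGS16[op - 0x50]])
        elif 0x58 <= op <= 0x5F:                     # POP r16
            self.r[REGS16[op - 0x58]] = self.pop()
        elif 0x40 <= op <= 0x47:                     # INC r16
            n = REGS16[op - 0x40]
            self.r[n] = (self.r[n] + 1) & 0xFFFF
        elif op == 0x35:                             # XOR AX, imm16
            self.r["ax"] ^= self.fetch16()
        elif op == 0x34:                             # XOR AL, imm8 (imm8 < 0x100, so only AL changes)
            self.r["ax"] ^= self.fetch8()
        elif op == 0x25:                             # AND AX, imm16
            self.r["ax"] &= self.fetch16()
        elif op == 0x29:                             # SUB r/m16, r16
            modrm = self.fetch8()
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 0 or rm != 7:                  # EICAR only uses the [BX] form (ModRM 0x37)
                raise NotImplementedError(f"SUB ModRM {modrm:02X}")
            addr, src = self.r["bx"], self.r[REGS16[reg]]
            dst = self.rd16(addr)
            res = (dst - src) & 0xFFFF
            self.wr16(addr, res)                     # the self-modifying write
            self.sf = bool(res & 0x8000)
            self.of = bool((dst ^ src) & (dst ^ res) & 0x8000)
        elif op == 0x7D:                             # JGE rel8: taken when SF == OF
            rel = self.fetch8()
            if rel > 0x7F:
                rel -= 0x100
            if self.sf == self.of:
                self.ip = (self.ip + rel) & 0xFFFF
        elif op == 0xCD:                             # INT imm8: only reachable after the patch
            self.dos_int(self.fetch8())
        else:
            raise NotImplementedError(f"opcode {op:02X} at {self.ip - 1:04X}")

    def dos_int(self, n):
        if n == 0x21 and (self.r["ax"] >> 8) == 0x09:   # AH=09h: print '$'-terminated string at DS:DX
            p = self.r["dx"]
            while self.mem[p] != ord("$"):
                self.output.append(self.mem[p])
                p += 1
        elif n == 0x20:                                 # terminate program
            self.running = False
        else:
            raise NotImplementedError(f"INT {n:02X} with AH={self.r['ax'] >> 8:02X}")

    def run(self, max_steps=1000):
        while self.running and max_steps:
            self.step()
            max_steps -= 1
        return bytes(self.output)


def run_eicar(image: bytes = EICAR):
    """Execute the file; return (text printed via DOS, the four bytes that replaced 'H+H*')."""
    cpu = TinyCpu8086(image)
    printed = cpu.run()
    return printed, bytes(cpu.mem[0x140:0x144])


if __name__ == "__main__":
    print("printable ASCII:", is_printable_ascii(EICAR), "length:", len(EICAR))
    text, tail = run_eicar()
    print(text.decode(), "| offset 40h became", tail.hex(" "))
```

The emulator refuses any opcode or addressing mode outside the handful the file needs, so if you feed it a modified string it fails loudly rather than silently executing something else; the patched bytes at offset 40h come out as CD 21 CD 20 (INT 21h then INT 20h), with AH=09h and DX pointing at the message, which is exactly the DOS "print string, then exit" sequence the original post describes.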
 
Honestly, it's not much of a tutorial, and it's x86, learning which is of somewhat dubious value at this point, but in fairness, the article was written about 20 years ago.
posted by milnak at 2:30 PM on October 23 [1 favorite]


It's not a great tutorial for learning x86 assembly language, but the thing it's describing is a fascinating piece of engineering.
posted by Wolfdog at 2:34 PM on October 23 [2 favorites]


I wrote the original x86 assembly language manual for Intel back in the late 70’s, early 80’s. It was for their ASM86 8086 assembler which I worked on. Dubious value? I was really surprised that it’s still floating around 40 years later. I lost touch with Intel processors when I left there for much greener pastures in 1980. My manual is still available on the internets!
posted by njohnson23 at 2:42 PM on October 23 [53 favorites]


I wrote a disassembler too for the 8086, but that is long gone and no help here.
posted by njohnson23 at 2:43 PM on October 23 [4 favorites]


So a notable thing about this program is that it's made up of bytes that are all printable ASCII.

I could have sworn that there was a DOS-oriented self-extracting format that worked in a similar way so that the output was not only email-safe ASCII but also a self-extracting .com file. Sort of like shar but for DOS. I thought that maybe it was .boo but looking at the makeboo/deboo source it doesn't seem to have this quality.

Does anybody remember such a format?
posted by donio at 3:06 PM on October 23 [2 favorites]


Related: Compiling C to printable x86 by tom7 from a few years ago, for people who like their executable bytes constrained to the ASCII character set.
posted by Lirp at 3:21 PM on October 23 [9 favorites]


Back in the day I constructed a copyright message that was also executable 68k code and included it in my Mac code (and executed it, and checked the results).
posted by mbo at 9:21 PM on October 23 [2 favorites]


Another fun bit of assembly code can be found in the Atari ST ROMS at offset 0xFCF716:
 4461        NEG.W    -(A1)   
 7665        MOVEQ    #$65,D3 
 2053        MOVEA.L  (A3),A0 
 7461        MOVEQ    #$61,D2 
 5567        SUBQ.W   #2,-(A7)
 6173        BSR      $0000007f
 206c 6f76   MOVEA.L  +28534(A4),A0
 6573        BCS      $00000085
 2042        MOVEA.L  D2,A0
 6561        BCS      $00000077
 2048        MOVEA.L  A0,A0
 6162        BSR      $0000007c
 6c69        BGE      $00000085
 6720        BEQ      $0000003e
 4e75        RTS       
which compiles to:
Dave StaUgas loves Bea Hablig Nu
posted by autopilot at 10:44 AM on October 24 [1 favorite]



