Omnimaga

Calculator Community => Other Calc-Related Projects and Ideas => TI Z80 => Topic started by: ACagliano on March 24, 2010, 06:20:46 pm

Title: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on March 24, 2010, 06:20:46 pm
Version 5 of my antivirus software for the TI-83+ or compatible is underway. Features will include this:
( Anything in red means that I am asking an assembly programmer to please help.)

1. A single installer program uses Celtic3 to create the actual antivirus software. No more keeping track of multiple program files or groups (except Celtic3). Upon installation, the installer script will be automatically archived in the event of a crash.

2. Virus definitions stored as a program, not a string, stored in archive, and accessed through Celtic3, line by line.

3. Addition of new program names to the virus definitions manually will be supported.

4. Option to delete will be given, as opposed to Version 4, where a matching program is deleted without you being told.

5. Firewall (asm subroutine) that intercepts incoming silent-linked programs and stores their names to some variable. Then, it will compare the name to the contents of the virus definitions file and give you the reject option if a matching entry is found.
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 24, 2010, 08:03:14 pm
For anyone who is interested, by the way, my previous version of the Antivirus (Version 4.0) is provided below. When I made it, I was amazed by its ability, but now, it seems horrible, thus my intent to release Version 5.0


Version 4.0:  http://www.mediafire.com/?kohymtqdwew (http://www.mediafire.com/?kohymtqdwew)

You can email any comments or suggestions to me. (or put them here).
Title: Re: Blast Antivirus Version 5.0
Post by: DJ Omnimaga on March 24, 2010, 11:20:06 pm
One thing I wonder, will the program actually check for the virus code to detect them or just the program name? I am asking since if someone was to send you a virus or if you downloaded a fake program somewhere, your program could potentially miss it if the author changed the name. With Celtic you can copy parts of code to a string and then in your program you could check if parts of that code matches antivirus code.

Also the user should be allowed to setup antivirus sensitivity  so for example it checks for program names and/or parts of their code. If the antivirus reports a bad program, then the user can decide what to do with it (in case it might be false positive)

Personally I don't think I would use it much, though, since there aren't a lot of viruses for calc (ticalc.org deletes them if reported, anyway) and I never send anything to my calc when programming except maybe Mirage, Axe, Celtic III, etc, but maybe some people who have trouble at school with people sending viruses could like this.
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 02:08:24 am
I would like to write that in, but I would also like it to be able to decompile asm programs and check the hex for malcodes. Of course, I would need to be annoying and bug you assembly people for a subroutine, then. Maybe Basic interpretation atm.
Title: Re: Blast Antivirus Version 5.0
Post by: Eeems on March 25, 2010, 11:40:45 am
Well if you knew the hex codes you could use some of Celtic III's bin->hex to figure it out.
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 12:23:11 pm
Yep. So I humbly ask any asm programmers who are familiar with destructive hex routines to please post them here or to email them to me at [email protected]
Title: Re: Blast Antivirus Version 5.0
Post by: SirCmpwn on March 25, 2010, 12:24:18 pm
Code: [Select]
pop hl
ret
Title: Re: Blast Antivirus Version 5.0
Post by: mapar007 on March 25, 2010, 12:28:50 pm
Code: [Select]

ld a,1
ld (appInfo+2),a
bcall(50CBh)

ld a,$7E
bcall(_eraseFlash)

Or something similar... (it should erase the certificate, but I'm not sure if this will work without extra Weird Stuff)
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 12:29:38 pm
hex????
Title: Re: Blast Antivirus Version 5.0
Post by: SirCmpwn on March 25, 2010, 12:46:43 pm
pop bc ; A1
ret      ; C9
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 12:50:17 pm
Ok. I'll add these to the definitions file as they come in.
Title: Re: Blast Antivirus Version 5.0
Post by: mapar007 on March 25, 2010, 02:52:32 pm
This will give LOADS of false alarms. The scanner will say a program is evil every time it pop's BC before a RET, while this sometimes is required. The code will only crash your calculator when the stack level at RET is different from the stack level at the routine's entry point.
Title: Re: Blast Antivirus Version 5.0
Post by: SirCmpwn on March 25, 2010, 02:54:54 pm
BB6DA1C9 wouldn't.
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 06:49:51 pm
This will give LOADS of false alarms. The scanner will say a program is evil every time it pop's BC before a RET, while this sometimes is required. The code will only crash your calculator when the stack level at RET is different from the stack level at the routine's entry point.

Don't worry. I will configure response to that as maximum security. Under lower security, it won't respond to it. Anything else?
Title: Re: Blast Antivirus Version 5.0
Post by: Iambian on March 25, 2010, 07:10:32 pm
I'm just gonna drop this attachment here, while you're working on some sort of antivirus. The IRC'ers will know what this is for.
Title: Re: Blast Antivirus Version 5.0
Post by: SirCmpwn on March 25, 2010, 07:11:54 pm
^ 300th post, congrats!
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 07:17:31 pm
I'm just gonna drop this attachment here, while you're working on some sort of antivirus. The IRC'ers will know what this is for.

A long program. What exactly does it do??


PS: I am officially loving Celtic3
Title: Re: Blast Antivirus Version 5.0
Post by: Builderboy on March 25, 2010, 08:13:51 pm
Mmm i was thinking about the firewall, like for stopping incoming silently linked programs, and i think that it would be pretty safe to assume that any programs sent through silent linking would be malicious o.o
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 08:25:40 pm
Yep but i need assembly to intercept and store it to a buffer so that my firewall can check it
Title: Re: Blast Antivirus Version 5.0
Post by: _player1537 on March 26, 2010, 01:00:14 am
ok, so this program is to intercept silently linked programs correct.  I might be able to write one that told you if there was a silent link going on, but not sure about how to go about making it store the name of the program though. 
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 26, 2010, 10:26:56 am
That leaves the program half done. Does anyone know how to do the other part. Lesson 3 of "28 days" doesn't seem to touch upon it.
Title: Re: Blast Antivirus Version 5.0
Post by: mapar007 on March 31, 2010, 02:20:37 am
This will give LOADS of false alarms. The scanner will say a program is evil every time it pop's BC before a RET, while this sometimes is required. The code will only crash your calculator when the stack level at RET is different from the stack level at the routine's entry point.

Don't worry. I will configure response to that as maximum security. Under lower security, it won't respond to it. Anything else?
No... You'd have to trace the stack. There is no other way. More than half of the normal asm routines end in a pop instruction, then a RET. The only way to check for stack leaks (and even this is not completely airtight), is to count every pop and push instruction and check whether the numbers are equal.



Title: Re: Blast Antivirus Version 5.0
Post by: Iambian on March 31, 2010, 09:01:41 am
[...]
No... You'd have to trace the stack. There is no other way. More than half of the normal asm routines end in a pop instruction, then a RET. The only way to check for stack leaks (and even this is not completely airtight), is to count every pop and push instruction and check whether the numbers are equal.
More than half? :P

Scanning a program that way would epically fail if the program did anything using SP for anything other than for entries on the hardware stack. Like clearing off the screen buffer. Also, any such scanning program would have to be aware of program flow, which could take a while to scan if the person's doing strange things with the stack in their program. Not saying that all programs are strange and weird, but just letting you know that there are people that would code their programs in the most convoluted way possible. (I'm half an example here)
Title: Re: Blast Antivirus Version 5.0
Post by: mapar007 on March 31, 2010, 09:19:17 am
Well, that's pretty much the reason why I said this wouldn't be airtight. :P

(and that 'more than half' counts for me, at least... :P )
Title: Re: Blast Antivirus Version 5.0
Post by: willrandship on April 12, 2010, 09:46:34 pm
Have there actually been any kind of malicious programs written for crashing your calc, or is this only for badly written ones, that will crash your calc? The only real way I can see someone writing a virus like this would be a local friend, as most calc sites would most likely not put it up, having tried it out.

Not to discourage, I'm just asking.
Title: Re: Blast Antivirus Version 5.0
Post by: meishe91 on April 12, 2010, 10:00:57 pm
Well in theory if the a program is in basic you can't jack your calculator up, but you can do fake programs that just annoy the user. But there are also programs that can do RAM clears or even do worse like erase the OS or certificate (in that case you're basically screwed unless some like BrandonW can help ya out). The programs that do that are Assembly programs.
Title: Re: Blast Antivirus Version 5.0
Post by: DJ Omnimaga on April 12, 2010, 11:23:39 pm
Have there actually been any kind of malicious programs written for crashing your calc, or is this only for badly written ones, that will crash your calc? The only real way I can see someone writing a virus like this would be a local friend, as most calc sites would most likely not put it up, having tried it out.

Not to discourage, I'm just asking.
Iambian wrote one that infects all Ion programs you run and IIRC it transmits from calc to calc. BrandonW wrote a program that can really screw up your calc certificate badly. Also Iambian had the Flashcrash program in his sig on UTI before, which deletes the calc OS. Technically, over the internet, an antivirus for calc wouldn't be much useful, because if a virus lands on ticalc.org or on a calc forum, on ticalc it will get taken down and on a forum, people will all know it's a virus. An antivirus like this is more useful at school, if you receive a lot of programs from students or if your calc is at risk of getting left unnatended, otherwise it can be useful if you tend to download calc programs from unsafe sources. It could be very easy to bypass, though, because the author can simply constantly update his virus code so the antivirus can no longer detect it.
Title: Re: Blast Antivirus Version 5.0
Post by: willrandship on April 12, 2010, 11:45:07 pm
However, If it dissassembles the code like you're talking about, the updates would be much harder, right?

I won't sleep well tonight.....but then again, in my area I'm the only person who knows how ASM really works. hehehe.
Title: Re: Blast Antivirus Version 5.0
Post by: DJ Omnimaga on April 12, 2010, 11:57:03 pm
Which update do you mean? The antivirus or the viruses?
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on April 13, 2010, 08:41:45 am
He's saying updating the virus, changing the code, so that the antivirus cannot detect that particular piece of code.


For anyone interested, the file attached is the last version of my antivirus. It has a "by-name" program scanner, and (maybe) can be set to run on start-up. I made this a while back, so I don't remember if it did.
Title: Re: Blast Antivirus Version 5.0
Post by: DJ Omnimaga on April 13, 2010, 11:13:13 am
yeah if the viruses got updated regulary the antivirus updates could get much harder and could even overhelm the author with work.
Title: Re: Blast Antivirus Version 5.0
Post by: willrandship on April 13, 2010, 11:22:16 am
Yeah. That's why linux rules. :D

Honestly, viruses on calcs seem too much like a curiosity to have that much work on either side.
Title: Re: Blast Antivirus Version 5.0
Post by: DJ Omnimaga on April 13, 2010, 11:31:22 am
Oh let's not get started with OS fanboyism here it got pretty annoying on IRC a few weeks ago. If you be careful on Windows (such as not using IE and watching out what you download) you won't get much viruses anyway.

As for calcs yeah they're very uncommon. And if someone make a bad ASM program he can simply rename it to Mario or Galaxian and make it the exact same size as the original game. All he has to do is use bad Axe Parser code then put loads of data at the end of his program, enough so the file is the same size. I am sure some detection could be done code-wise, though, but it would still be hard x.x
Title: Re: Blast Antivirus Version 5.0
Post by: willrandship on April 13, 2010, 10:42:46 pm
i meant the antivirus, actually. As in it dissassembles the program being scanned and detects bad code. For instance, you could have a scanner program that you can tell to scan specific programs, then have it tell you the result.
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on April 14, 2010, 11:36:51 am
Well, I need a list of bad hex codes. Ones that are malicious. Without them, I can't do it.
Title: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on July 03, 2010, 11:40:14 am
I have decided to revive the Blast Antivirus project, using Celtic III app, designed to be compatible with both Celtic III and DCS7. This will be version 5. Also, whereas the settings and updates to the virus definitions were lost in a RAM clear in version 4, I am working on making them crash-proof in version 5. Also, the subroutines will be provided in a group file, and i will use Celtic3 to call them when needed and delete them when they are no longer needed. No ungrouping nessecary. I will post here on my project as I complete it.


Question: Let's say, the calc is currently running prgmBLAST5. I then use Celtic III to move BLAST5 to archive before quitting it, and move it back to ram upon launching it. Assume that no other software (ie: CalcUtil) is installed. Will that be an error? If yes, then I have another way around it.
Title: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on July 18, 2010, 12:29:12 pm
This above program is nearing completion. While it will be some time before it is available for beta testing, I am posting here to ask if anyone is willing to beta test when the time comes. If you want to participate, please post so here, and provide a VALID email address. Thank you.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: shmibs on July 18, 2010, 03:18:40 pm
im not sure what the point of antivirus would be, but i have nothing better to do and am somewhat curious so... sure, why not

Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on July 18, 2010, 07:03:49 pm
Unfortunately, since I am slowly returning from some break and might be busy with some stuff outside the community such as some games (*cough*Starcraft II*cough*) and my calc project, I don't think I'll have time to test this, especially that I do not know assembly programming or anything that would allow me to figure out how to find security breaches in your program.

That said I'll be honest with you. I do not mean to be rude and I generally don't do this when it comes to calc projects, but like Shmibs is implying, I do not really see the use of a calculator anti-virus. Maybe inside school, where students who barely know anything about calcs can get infected with some sort of Ion-virus renamed to Phoenix or risks of running programs like OSKill, also renamed to popular game names, it could be useful to have on someone's calc, but online, in the TI community, I personally doubt anyone with minimal calculator knowledge will want an anti-virus on their calc, especially that ASM programmers can easily modify their program to circumvent the protections you would need to keep updated regulary. Another issue is that a virus needs to be on a popular archive to be popular. This means ticalc.org. However, ticalc.org deletes such file from their archives. Hence why Iambian's Ion infector program (I forgot the name and URL) as well as BrandonW's OSKill program are not available there.

I noticed that since you joined the forums, you have a huge dedication in such programs, and it can be seen by how you resumed work on Blast Antivirus after most of us thought it was dead. However, I think that in long terms, persisting in creating such program could ruin your TI programmer reputation (like what happened to KermMartian between 2002 and 2004). Once a reputation is ruined, it is hard to repair it afterward. On certain other sites, you may get an even harsher response to an anti-virus project, or the thread may be turned into a troll fest in a day, as people will not take its author seriously anymore. Most people will think you only make useless programs or programs that were done 100000 times before and flood the ticalc.org archives with them, and people in the TI community often suggested to ticalc.org to stop allowing said "anti-viruses" and "Windows XP" clones in their archives, because about 90% of the archives are made of those (as well as Quadratic Solvers and Number Guessing Games). In the past, I was one of those people. Later, I simply stopped visiting TI-83 Plus BASIC Misc. Programs altogether, until Ticalc.org split them in sub-directories.

I think that once this project is done, you should maybe focus on something that would be more useful to the average Omnimaga/Cemetech/UTI/etc user and that hasn't been overdone either in the past decade. Examples would be games (like the Star Trek game you had in the works a while ago) or programming tools (like your TI-BASIC tutorials, providing they are made to provide a way of learning that other tutorials don't). That's unless your audience is meant to be people at school, but then still remains the issue that programs for school users may not really attract attention on a site like Omnimaga. As you could notice already, even math programs have an hard time getting attention on Omnimaga as well. The thing is that the average crowd here is only interested in games and tools to develop games.

Of course that's up to you, though. I am just giving a suggestion. I would like to see at least one anti-virus for calcs that actually work and do something, even if it's to protect against Iambian's and BrandonW.

Also, I merged your 3 anti-virus threads together and moved them to calc projects and ideas, since I felt one was enough.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on July 19, 2010, 12:22:58 pm
Ok. I actually lost track of the other two threads, so sorry about that.

As for persistence, ever since the release of Version 4, I wanted to make one with the potential to search by contents rather than just by name. Also, as you will see in the release, it is more than just an anti-virus. It will also have RAM restore capabilities, if I can get it working properly. And, yes the tool is designed to be used by an average student to wipe out malicious stuff that endangers their ability to play games or cheat on tests.

PS: Version 5.0 will detect OSKILL and BRICK by BrandonW. If Iambian is kind enough to provide his code, I'll include it as well.

PS2: My tutorial in game design is still on the menu to be worked on, and I will also complete the Star Trek game, once I see the necessary command support within Axe.

So thanks to all who are willing to test. My purpose of testing is to make sure it works. And to all the skeptics...this one will actually work.

Regards. 
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: calcdude84se on July 19, 2010, 12:31:42 pm
Just to repeat a couple things you are probably already aware of:
This is extremely difficult, especially since a person who was really trying to be malicious could simply disassemble, slightly change, then reassemble the code, which would render your checks inoperable.
As for RAM restore, realize that this can only be done on the 83+SE and older 84+(SE)'s, because newer ones (and any normal 83+) do not have the RAM required to backup the main 32KB of RAM.
Anyway, ignore my skepticism and good luck! :) (Do be aware of the reputation damage that could be done, though, like DJ said)
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on July 19, 2010, 09:37:46 pm
1. This is extremely difficult, especially since a person who was really trying to be malicious could simply disassemble, slightly change, then reassemble the code, which would render your checks inoperable.

2. Anyway, ignore my skepticism and good luck! :) (Do be aware of the reputation damage that could be done, though, like DJ said)

1. Not if you are tailoring your checks toward b_calls like unlocking Flash, editting the certificate and stuff like that. The scanner will throw a warning if it detects such routines. Regardless of what they do to the code, they'll still need to use certain b_calls.

2. I know of reputation damage. That's why I'm taking my time working on this and planning it out well. I plan on Blast AntiVirus being known as the AntiVirus that works. Prior to release, I will test it extensively on BrandonW's stuff and try to make it as thourough as possible before release.

*Another feature is this: You may modify the virus definitions file (appvar BDefs) within the program. Let's say someone designs a new virus (or prank) called BXC1 and that program is not in the definitions, you may add it yourself.

**The virus definitions update file that I will periodically provide (for new virus/pranks that are designed after release) is called appvar BUDefs. When you run the antivirus, it will detect the update if one is present. With a single keypress, the antivirus auto-updates the virus definitions, then deletes the update file. Due to the structure of the update process, any self-modifications to the defintions file will be preserved across updates.

***The antivirus and all of its subroutines, appvars, and needed ingredients will be specifically designed so that you only need to send ONE file to your calculator. The installer will do the rest. Furthermore, all parts of this program are designed to endure in the event of any RAM clear.


If anyone has any more suggestions/ideas, please let me know.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: thepenguin77 on July 19, 2010, 10:48:26 pm
The main problems that I see though are that I'm not sure you can really block everything. If I wanted to, I could make a bad program, decrease every byte by one, and send it to someones calc. Your program wouldn't even pick up a single bcall because in it's current state, there are none. But then when it is run, it increments all the data and runs.

Not to mention, I found a way to invalidate an os, (in my case, erase page 0) with 7 bytes. I could make a 3k program that slowly through a process does those commands. I could add $70 + $0F to get $7F. Then use out (06), a, to bring in flash page $7F which is the boot code. Finally, add $4300 + $0014 to get $4314 which I could use jp (hl) to hide. I just don't see how you can protect against everything.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on July 19, 2010, 10:57:14 pm
The best thing you could do is probably get some people to write bad programs for you to test your anti-virus on, but of course make sure to test on emulator first, and watch out about programs that deletes the certificate x.x
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: thepenguin77 on July 19, 2010, 11:14:15 pm
The best thing you could do is probably get some people to write bad programs for you to test your anti-virus on, but of course make sure to test on emulator first, and watch out about programs that deletes the certificate x.x

Reading this I think to myself, "I just disassembled the boot code yesterday... I know how to do this!"
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on July 19, 2010, 11:18:21 pm
Lol. Just as an head up, though: try to make such bad programs as hard to reach by the community as possible :P.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: Deep Toaster on July 21, 2010, 04:33:31 am
Hm, an idea: Maybe you could market this to teachers with the "virus definitions" changed to instead block games on school-owned calculators? (I'm being perfectly serious. It'd actually be pretty useful.)
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: calcdude84se on July 21, 2010, 10:08:09 am
That wouldn't be to hard, just block anything with the Ion, MirageOS, or DCS header, since virtually all well-known games are written for those shells. (Not to mention many people don't use the shells for anything other than to play games anyway)
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on July 21, 2010, 12:12:39 pm
you could also check for BASIC code that sets Xmin to 0 and Xmas to 94. That would be enough to block most graphical games, although it may also block legitimate math programs.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: matthias1992 on July 28, 2010, 02:43:37 pm
Are you still working on this? I am also quite sceptic towards it's use but the more I read the more I got convinced it might be useful. I would suggest however that you install it invisble. I would also password protect the program and make it only removable if you have entered the right password...of course there are disadvantages to this but since this is a antivirus i'd recommend it to be as silent, fast and protected as possible. I'd recommend you to let the program scan at startup and save the state of the calculator (e.g. there are 5 programs) then on the next boot it checks the savestate and if there are any changes rescan. Also I'd make an option whether or not to scan basic prgms/ dcs prgms/ asm prgms/ ion prgms etc. Another function would be to check whether or not apps are allowed.

Last but not least it is extremely difficult to check all malicious asmcode. Any wrong (order) of asm commands will ram-clear the calc (the antivirus should be bullet -proof to that as well) so essentially 99% of the malicious hex code clears the ram, the other 1% is worse.

Actually the whole teacher-security idea isn't that bad at all, altough I would personally dislike it you might just be able to resell it to math teachers so that games are blocked.
The second use is, me. /me wants to write a virus that bypasses this :) just for the fun and giggles of it :P

Good Luck!

PS: You can give me version 5 @ [email protected]
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on October 06, 2010, 02:49:56 pm
The details are at Cemetech, but I revived this project using Axe and working with help from Kerm Martian. This program will have a full system scan feature, which will check all programs on calc BY CONTENT!!!! It will search for a bunch of hex malcodes saved into a virus definitions file. No more searching by name, people. Also, it will install a parser hook, fully compatible with DCS7's hook, that, when you run a program, will scan that program for malcodes and request manual confirmation if they are found. Also, if I can get this working, the installer will create a file for itself in DCS and place itself in that folder, AUTOMATICALLY. Stay tuned for updates.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on October 06, 2010, 02:52:19 pm
Nice. I wonder what kind of program we could create to test this when it is released in beta? Would stuff such as For(Z,32768,65535):0->{Z}:End do the trick as well or does it have to be programs like OSkill? IN the later case I am not too sure how to write one :P
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on October 06, 2010, 02:54:30 pm
It is designed to deflect OS invalidating, certificate screwing, or other extremely harmful stuff. It will not, nor is it intended to, intercept everything that could possibly crash or freeze.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on October 06, 2010, 02:56:07 pm
Oooh ok, I see. I think it might be good to add some small protections for that stuff too, though, such as that program Iambian wrote that infects Ion programs. Detecting potential OS/certificate harming seems pretty nice, though.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: yunhua98 on October 06, 2010, 02:57:52 pm
wow, Thats sounds really cool!
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on October 06, 2010, 03:00:15 pm
Here's what will be included:

Null programs (crash sometimes)
Stack Overflow (maybe)
A While 1 loop
OS invalidation routines
b_call Unlock Flash  (but, wouldnt this occur any time you move something to archive???)
writing to certificate

Any of these things will trigger the antivirus. More may be added later though. I have included a definitions update routine within the program.

Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on October 06, 2010, 03:51:45 pm
Ah right. For While 1 loops I assume you'll check for endless ones, right? Cuz it's possible to have While 1 loops that are not endless loops. Axe Tunnel uses one I think.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: thepenguin77 on October 06, 2010, 04:20:58 pm
There's no bcall(_unlockFlash). (If there was, BrandonW would fall out of his chair laughing.) You have to glitch the OS into giving control back to your program while flash is unlocked.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ztrumpet on October 06, 2010, 05:44:33 pm
Actually...
(from #omnimaga today)
Quote
[15:25:56] <ztrumpet> "There's no bcall(_unlockFlash). (If there was, BrandonW would fall out of his chair laughing.) You have to glitch the OS into giving control back to your program while flash is unlocked." lol
[15:29:18] <calc84maniac> where dat quote be from?
[15:30:25] <ztrumpet> http://ourl.ca/4351/125226
[15:30:31] <calc84maniac> also, I want a bcall(_unlockFlash) :P
[15:31:20] <ztrumpet> So how does it work (providing you feel like explaining something else to me... =P )?
[15:31:51] <calc84maniac> I've never done it before :P
[15:31:59] <ztrumpet> ah
[15:33:20] <calc84maniac> I'm thinking that for TI-Boy I should only do whatever hack needs to be done the first time it is run with an OS
[15:33:43] <calc84maniac> then write my own unlocking routine to the end of one of the pages
[15:34:06] <calc84maniac> and use that from then on
[15:34:36] <calc84maniac> cause I'm not sure these hacks even work if rom page 0 is trashed
[15:38:20] <+BrandonW> There used to be a BCALL that more or less did that, but TI actually fixed it.
[15:38:33] <+BrandonW> ld a,1 \ ld (appInfo+2),a \ bcall(50CBh) That used to unlock Flash.
[15:40:35] <ztrumpet> lol
[15:40:37] <calc84maniac> BrandonW, what was that routine you like to write to flash? nop / nop / im 1 / di / out (c),b / ret ?
[15:40:48] <+BrandonW> Yes.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: AngelFish on October 06, 2010, 05:55:11 pm
Quote
b_call Unlock Flash  (but, wouldnt this occur any time you move something to archive???)
writing to certificate

How quickly could it react to those? If you're scanning and running the program simultaneously, you could probably get a command or two in before CalcShield shut down the virus. That's enough to potentially mess with the MD5 hash on the certificate. If you're scanning the instructions for malicious Hex and THEN running the code, you're going to have very slow code. Graphing is already pretty slow on the 83/84+ series and it'd be even slower with another software layer in it.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on October 06, 2010, 06:19:46 pm
It's actually b_call(EraseFlash).
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: Deep Toaster on October 06, 2010, 07:59:02 pm
While 1 loops would be hard to find in ASM because almost all loops have the same structure. They just quit at different times. So I guess you could search for DJNZ loops without a jump out?
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: calcdude84se on October 07, 2010, 06:19:32 pm
I think you're getting confused with how djnz works ;)
For example, this code leaves hl equal to $100:
Code: [Select]
ld b,0
ld h,b
ld l,b
;Zero b and hl
loop:
inc hl
djnz loop
In short, you normally don't write infinite loops with djnz.
In addition, "While 1" loops can be useful.
Code: [Select]
0->X
While 1
Output(0,0,X+1->X>Dec
ReturnIf getkey(0)
End
Wait, do you mean just an empty loop? (I missed the previous page)
In that case, there are still ways to get around it. Another endless loop: (and yes, storing to a variable address returns the address, not the valued stored)
Code: [Select]
0->A
While 0->{A}=A
End
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on October 10, 2010, 08:55:50 pm
Ok. Thank you.