Omnimaga

Calculator Community => Other Calc-Related Projects and Ideas => TI Z80 => Topic started by: ACagliano on March 24, 2010, 06:20:46 pm

Title: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on March 24, 2010, 06:20:46 pm
Version 5 of my antivirus software for the TI-83+ or compatible is underway. Features will include this:
(Anything in red means that I am asking an assembly programmer to please help.)

1. A single installer program uses Celtic3 to create the actual antivirus software. No more keeping track of multiple program files or groups (except Celtic3). Upon installation, the installer script will be automatically archived in the event of a crash.

2. Virus definitions stored as a program, not a string, stored in archive, and accessed through Celtic3, line by line.

3. Addition of new program names to the virus definitions manually will be supported.

4. Option to delete will be given, as opposed to Version 4, where a matching program is deleted without you being told.

5. Firewall (asm subroutine) that intercepts incoming silent-linked programs and stores their names to some variable. Then, it will compare the name to the contents of the virus definitions file and give you the reject option if a matching entry is found.
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 24, 2010, 08:03:14 pm
For anyone who is interested, by the way, my previous version of the Antivirus (Version 4.0) is provided below. When I made it, I was amazed by its ability, but now, it seems horrible, thus my intent to release Version 5.0.


Version 4.0: http://www.mediafire.com/?kohymtqdwew

You can email any comments or suggestions to me. (or put them here).
Title: Re: Blast Antivirus Version 5.0
Post by: DJ Omnimaga on March 24, 2010, 11:20:06 pm
One thing I wonder, will the program actually check for the virus code to detect them or just the program name? I am asking since if someone was to send you a virus or if you downloaded a fake program somewhere, your program could potentially miss it if the author changed the name. With Celtic you can copy parts of code to a string and then in your program you could check if parts of that code match antivirus code.

Also the user should be allowed to set up antivirus sensitivity so, for example, it checks for program names and/or parts of their code. If the antivirus reports a bad program, then the user can decide what to do with it (in case it might be a false positive).

Personally I don't think I would use it much, though, since there aren't a lot of viruses for calc (ticalc.org deletes them if reported, anyway) and I never send anything to my calc when programming except maybe Mirage, Axe, Celtic III, etc, but maybe some people who have trouble at school with people sending viruses could like this.
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 02:08:24 am
I would like to write that in, but I would also like it to be able to decompile asm programs and check the hex for malcodes. Of course, I would need to be annoying and bug you assembly people for a subroutine, then. Maybe Basic interpretation atm.
Title: Re: Blast Antivirus Version 5.0
Post by: Eeems on March 25, 2010, 11:40:45 am
Well if you knew the hex codes you could use some of Celtic III's bin->hex to figure it out.
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 12:23:11 pm
Yep. So I humbly ask any asm programmers who are familiar with destructive hex routines to please post them here or to email them to me at [email protected].
Title: Re: Blast Antivirus Version 5.0
Post by: SirCmpwn on March 25, 2010, 12:24:18 pm
Code:
pop hl
ret
Title: Re: Blast Antivirus Version 5.0
Post by: mapar007 on March 25, 2010, 12:28:50 pm
Code:

ld a,1
ld (appInfo+2),a
bcall(50CBh)

ld a,$7E
bcall(_eraseFlash)

Or something similar... (it should erase the certificate, but I'm not sure if this will work without extra Weird Stuff)
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 12:29:38 pm
hex????
Title: Re: Blast Antivirus Version 5.0
Post by: SirCmpwn on March 25, 2010, 12:46:43 pm
pop bc ; A1
ret      ; C9
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 12:50:17 pm
Ok. I'll add these to the definitions file as they come in.
Title: Re: Blast Antivirus Version 5.0
Post by: mapar007 on March 25, 2010, 02:52:32 pm
This will give LOADS of false alarms. The scanner will say a program is evil every time it pops BC before a RET, while this sometimes is required. The code will only crash your calculator when the stack level at RET is different from the stack level at the routine's entry point.
Title: Re: Blast Antivirus Version 5.0
Post by: SirCmpwn on March 25, 2010, 02:54:54 pm
BB6DA1C9 wouldn't.
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 06:49:51 pm
Quote
This will give LOADS of false alarms. The scanner will say a program is evil every time it pops BC before a RET, while this sometimes is required. The code will only crash your calculator when the stack level at RET is different from the stack level at the routine's entry point.

Don't worry. I will configure response to that as maximum security. Under lower security, it won't respond to it. Anything else?
Title: Re: Blast Antivirus Version 5.0
Post by: Iambian on March 25, 2010, 07:10:32 pm
I'm just gonna drop this attachment here, while you're working on some sort of antivirus. The IRC'ers will know what this is for.
Title: Re: Blast Antivirus Version 5.0
Post by: SirCmpwn on March 25, 2010, 07:11:54 pm
^ 300th post, congrats!
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 07:17:31 pm
Quote
I'm just gonna drop this attachment here, while you're working on some sort of antivirus. The IRC'ers will know what this is for.

A long program. What exactly does it do??


PS: I am officially loving Celtic3
Title: Re: Blast Antivirus Version 5.0
Post by: Builderboy on March 25, 2010, 08:13:51 pm
Mmm I was thinking about the firewall, like for stopping incoming silently linked programs, and I think that it would be pretty safe to assume that any programs sent through silent linking would be malicious o.o
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 25, 2010, 08:25:40 pm
Yep but I need assembly to intercept and store it to a buffer so that my firewall can check it
Title: Re: Blast Antivirus Version 5.0
Post by: _player1537 on March 26, 2010, 01:00:14 am
OK, so this program is to intercept silently linked programs, correct? I might be able to write one that told you if there was a silent link going on, but not sure about how to go about making it store the name of the program though.
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on March 26, 2010, 10:26:56 am
That leaves the program half done. Does anyone know how to do the other part? Lesson 3 of "28 days" doesn't seem to touch upon it.
Title: Re: Blast Antivirus Version 5.0
Post by: mapar007 on March 31, 2010, 02:20:37 am
Quote
This will give LOADS of false alarms. The scanner will say a program is evil every time it pops BC before a RET, while this sometimes is required. The code will only crash your calculator when the stack level at RET is different from the stack level at the routine's entry point.
Quote
Don't worry. I will configure response to that as maximum security. Under lower security, it won't respond to it. Anything else?

No... You'd have to trace the stack. There is no other way. More than half of the normal asm routines end in a pop instruction, then a RET. The only way to check for stack leaks (and even this is not completely airtight), is to count every pop and push instruction and check whether the numbers are equal.
Title: Re: Blast Antivirus Version 5.0
Post by: Iambian on March 31, 2010, 09:01:41 am
Quote
[...]
No... You'd have to trace the stack. There is no other way. More than half of the normal asm routines end in a pop instruction, then a RET. The only way to check for stack leaks (and even this is not completely airtight), is to count every pop and push instruction and check whether the numbers are equal.

More than half? :P

Scanning a program that way would epically fail if the program did anything using SP for anything other than for entries on the hardware stack. Like clearing off the screen buffer. Also, any such scanning program would have to be aware of program flow, which could take a while to scan if the person's doing strange things with the stack in their program. Not saying that all programs are strange and weird, but just letting you know that there are people that would code their programs in the most convoluted way possible. (I'm half an example here)
Title: Re: Blast Antivirus Version 5.0
Post by: mapar007 on March 31, 2010, 09:19:17 am
Well, that's pretty much the reason why I said this wouldn't be airtight. :P

(and that 'more than half' counts for me, at least... :P )
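
The trade-off argued over in the posts above, as an added example that is not part of any post or of CalcShield: a raw search for the two-byte pattern "pop bc / ret" next to the push/pop count mapar007 describes, run over four constructed routines. The instruction-length table is a small subset and assumes every unlisted opcode is one byte.

```python
# Added illustration; not code from CalcShield or from any poster.
# Opcode values are standard Z80. C1 is pop bc (A1, the annotation used
# earlier in the thread, decodes as "and c").
PUSH = {0xC5, 0xD5, 0xE5, 0xF5}   # push bc / de / hl / af
POP = {0xC1, 0xD1, 0xE1, 0xF1}    # pop bc / de / hl / af
RET = 0xC9
# Assumption: a deliberately small length table; anything unlisted is 1 byte.
TWO_BYTE = {0x06, 0x0E, 0x16, 0x1E, 0x26, 0x2E, 0x3E,  # ld r,n
            0x10, 0x18}                                 # djnz e / jr e
THREE_BYTE = {0x01, 0x11, 0x21, 0x31, 0xC3, 0xCD}      # ld rr,nn / jp / call

SIGNATURE = bytes([0xC1, 0xC9])   # "pop bc / ret" as a raw byte pattern

# Constructed sample routines (not taken from any real program).
SAMPLES = {
    # push bc / ld b,5 / inc hl / djnz -3 / pop bc / ret : ordinary save+restore
    "save_restore": bytes.fromhex("C506052310FDC1C9"),
    # pop bc / ret : pops the caller's return address, the case that crashes
    "leak": bytes.fromhex("C1C9"),
    # ld a,$C1 / ret : the C1 is an operand, not an instruction
    "operand": bytes.fromhex("3EC1C9"),
    # push hl / ret : a computed jump written with the stack
    "push_ret_jump": bytes.fromhex("E5C9"),
}


def raw_signature_hits(code, sig=SIGNATURE):
    """Offsets where the byte pattern occurs, ignoring instruction boundaries."""
    hits, start = [], 0
    while True:
        i = code.find(sig, start)
        if i == -1:
            return hits
        hits.append(i)
        start = i + 1


def linear_sweep(code):
    """Yield (offset, opcode) for each instruction start, skipping operands."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        yield pc, op
        pc += 2 if op in TWO_BYTE else 3 if op in THREE_BYTE else 1


def stack_depth_at_rets(code):
    """Naive count: (offset of each RET, pushes minus pops seen before it).
    It follows bytes in order, not program flow, so it is a heuristic only."""
    depth, out = 0, []
    for pc, op in linear_sweep(code):
        if op in PUSH:
            depth += 1
        elif op in POP:
            depth -= 1
        elif op == RET:
            out.append((pc, depth))
    return out


def verdicts(code):
    return {
        "signature": bool(raw_signature_hits(code)),
        "unbalanced": any(d != 0 for _, d in stack_depth_at_rets(code)),
    }


def report():
    return {name: verdicts(code) for name, code in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in report().items():
        print(f"{name:14} signature={v['signature']!s:5} unbalanced={v['unbalanced']}")
```

The signature fires on the ordinary save/restore routine and on a data byte, while the counter clears both but raises its own false alarm on the push/ret jump, which is the "not airtight" case.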
Title: Re: Blast Antivirus Version 5.0
Post by: willrandship on April 12, 2010, 09:46:34 pm
Have there actually been any kind of malicious programs written for crashing your calc, or is this only for badly written ones, that will crash your calc? The only real way I can see someone writing a virus like this would be a local friend, as most calc sites would most likely not put it up, having tried it out.

Not to discourage, I'm just asking.
Title: Re: Blast Antivirus Version 5.0
Post by: meishe91 on April 12, 2010, 10:00:57 pm
Well in theory if a program is in BASIC you can't jack your calculator up, but you can do fake programs that just annoy the user. But there are also programs that can do RAM clears or even do worse like erase the OS or certificate (in that case you're basically screwed unless someone like BrandonW can help ya out). The programs that do that are Assembly programs.
Title: Re: Blast Antivirus Version 5.0
Post by: DJ Omnimaga on April 12, 2010, 11:23:39 pm
Quote
Have there actually been any kind of malicious programs written for crashing your calc, or is this only for badly written ones, that will crash your calc? The only real way I can see someone writing a virus like this would be a local friend, as most calc sites would most likely not put it up, having tried it out.
Not to discourage, I'm just asking.

Iambian wrote one that infects all Ion programs you run and IIRC it transmits from calc to calc. BrandonW wrote a program that can really screw up your calc certificate badly. Also Iambian had the Flashcrash program in his sig on UTI before, which deletes the calc OS. Technically, over the internet, an antivirus for calc wouldn't be much useful, because if a virus lands on ticalc.org or on a calc forum, on ticalc it will get taken down and on a forum, people will all know it's a virus. An antivirus like this is more useful at school, if you receive a lot of programs from students or if your calc is at risk of getting left unattended, otherwise it can be useful if you tend to download calc programs from unsafe sources. It could be very easy to bypass, though, because the author can simply constantly update his virus code so the antivirus can no longer detect it.
Title: Re: Blast Antivirus Version 5.0
Post by: willrandship on April 12, 2010, 11:45:07 pm
However, if it disassembles the code like you're talking about, the updates would be much harder, right?

I won't sleep well tonight.....but then again, in my area I'm the only person who knows how ASM really works. hehehe.
Title: Re: Blast Antivirus Version 5.0
Post by: DJ Omnimaga on April 12, 2010, 11:57:03 pm
Which update do you mean? The antivirus or the viruses?
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on April 13, 2010, 08:41:45 am
He's saying updating the virus, changing the code, so that the antivirus cannot detect that particular piece of code.


For anyone interested, the file attached is the last version of my antivirus. It has a "by-name" program scanner, and (maybe) can be set to run on start-up. I made this a while back, so I don't remember if it did.
Title: Re: Blast Antivirus Version 5.0
Post by: DJ Omnimaga on April 13, 2010, 11:13:13 am
Yeah, if the viruses got updated regularly the antivirus updates could get much harder and could even overwhelm the author with work.
Title: Re: Blast Antivirus Version 5.0
Post by: willrandship on April 13, 2010, 11:22:16 am
Yeah. That's why linux rules. :D

Honestly, viruses on calcs seem too much like a curiosity to have that much work on either side.
Title: Re: Blast Antivirus Version 5.0
Post by: DJ Omnimaga on April 13, 2010, 11:31:22 am
Oh let's not get started with OS fanboyism here, it got pretty annoying on IRC a few weeks ago. If you are careful on Windows (such as not using IE and watching out what you download) you won't get many viruses anyway.

As for calcs yeah they're very uncommon. And if someone makes a bad ASM program he can simply rename it to Mario or Galaxian and make it the exact same size as the original game. All he has to do is use bad Axe Parser code then put loads of data at the end of his program, enough so the file is the same size. I am sure some detection could be done code-wise, though, but it would still be hard x.x
Title: Re: Blast Antivirus Version 5.0
Post by: willrandship on April 13, 2010, 10:42:46 pm
I meant the antivirus, actually. As in it disassembles the program being scanned and detects bad code. For instance, you could have a scanner program that you can tell to scan specific programs, then have it tell you the result.
Title: Re: Blast Antivirus Version 5.0
Post by: ACagliano on April 14, 2010, 11:36:51 am
Well, I need a list of bad hex codes. Ones that are malicious. Without them, I can't do it.
Title: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on July 03, 2010, 11:40:14 am
I have decided to revive the Blast Antivirus project, using Celtic III app, designed to be compatible with both Celtic III and DCS7. This will be version 5. Also, whereas the settings and updates to the virus definitions were lost in a RAM clear in version 4, I am working on making them crash-proof in version 5. Also, the subroutines will be provided in a group file, and I will use Celtic3 to call them when needed and delete them when they are no longer needed. No ungrouping necessary. I will post here on my project as I complete it.


Question: Let's say, the calc is currently running prgmBLAST5. I then use Celtic III to move BLAST5 to archive before quitting it, and move it back to ram upon launching it. Assume that no other software (ie: CalcUtil) is installed. Will that be an error? If yes, then I have another way around it.
Title: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on July 18, 2010, 12:29:12 pm
This above program is nearing completion. While it will be some time before it is available for beta testing, I am posting here to ask if anyone is willing to beta test when the time comes. If you want to participate, please post so here, and provide a VALID email address. Thank you.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: shmibs on July 18, 2010, 03:18:40 pm
I'm not sure what the point of antivirus would be, but I have nothing better to do and am somewhat curious so... sure, why not

Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on July 18, 2010, 07:03:49 pm
Unfortunately, since I am slowly returning from some break and might be busy with some stuff outside the community such as some games (*cough*Starcraft II*cough*) and my calc project, I don't think I'll have time to test this, especially that I do not know assembly programming or anything that would allow me to figure out how to find security breaches in your program.

That said I'll be honest with you. I do not mean to be rude and I generally don't do this when it comes to calc projects, but like Shmibs is implying, I do not really see the use of a calculator anti-virus. Maybe inside school, where students who barely know anything about calcs can get infected with some sort of Ion-virus renamed to Phoenix or risks of running programs like OSKill, also renamed to popular game names, it could be useful to have on someone's calc, but online, in the TI community, I personally doubt anyone with minimal calculator knowledge will want an anti-virus on their calc, especially that ASM programmers can easily modify their program to circumvent the protections you would need to keep updated regularly. Another issue is that a virus needs to be on a popular archive to be popular. This means ticalc.org. However, ticalc.org deletes such files from their archives. Hence why Iambian's Ion infector program (I forgot the name and URL) as well as BrandonW's OSKill program are not available there.

I noticed that since you joined the forums, you have a huge dedication in such programs, and it can be seen by how you resumed work on Blast Antivirus after most of us thought it was dead. However, I think that in the long term, persisting in creating such a program could ruin your TI programmer reputation (like what happened to KermMartian between 2002 and 2004). Once a reputation is ruined, it is hard to repair it afterward. On certain other sites, you may get an even harsher response to an anti-virus project, or the thread may be turned into a troll fest in a day, as people will not take its author seriously anymore. Most people will think you only make useless programs or programs that were done 100000 times before and flood the ticalc.org archives with them, and people in the TI community often suggested to ticalc.org to stop allowing said "anti-viruses" and "Windows XP" clones in their archives, because about 90% of the archives are made of those (as well as Quadratic Solvers and Number Guessing Games). In the past, I was one of those people. Later, I simply stopped visiting TI-83 Plus BASIC Misc. Programs altogether, until Ticalc.org split them in sub-directories.

I think that once this project is done, you should maybe focus on something that would be more useful to the average Omnimaga/Cemetech/UTI/etc user and that hasn't been overdone either in the past decade. Examples would be games (like the Star Trek game you had in the works a while ago) or programming tools (like your TI-BASIC tutorials, providing they are made to provide a way of learning that other tutorials don't). That's unless your audience is meant to be people at school, but then still remains the issue that programs for school users may not really attract attention on a site like Omnimaga. As you could notice already, even math programs have a hard time getting attention on Omnimaga as well. The thing is that the average crowd here is only interested in games and tools to develop games.

Of course that's up to you, though. I am just giving a suggestion. I would like to see at least one anti-virus for calcs that actually works and does something, even if it's to protect against Iambian's and BrandonW.

Also, I merged your 3 anti-virus threads together and moved them to calc projects and ideas, since I felt one was enough.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on July 19, 2010, 12:22:58 pm
Ok. I actually lost track of the other two threads, so sorry about that.

As for persistence, ever since the release of Version 4, I wanted to make one with the potential to search by contents rather than just by name. Also, as you will see in the release, it is more than just an anti-virus. It will also have RAM restore capabilities, if I can get it working properly. And, yes the tool is designed to be used by an average student to wipe out malicious stuff that endangers their ability to play games or cheat on tests.

PS: Version 5.0 will detect OSKILL and BRICK by BrandonW. If Iambian is kind enough to provide his code, I'll include it as well.

PS2: My tutorial in game design is still on the menu to be worked on, and I will also complete the Star Trek game, once I see the necessary command support within Axe.

So thanks to all who are willing to test. My purpose of testing is to make sure it works. And to all the skeptics...this one will actually work.

Regards. 
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: calcdude84se on July 19, 2010, 12:31:42 pm
Just to repeat a couple things you are probably already aware of:
This is extremely difficult, especially since a person who was really trying to be malicious could simply disassemble, slightly change, then reassemble the code, which would render your checks inoperable.
As for RAM restore, realize that this can only be done on the 83+SE and older 84+(SE)'s, because newer ones (and any normal 83+) do not have the RAM required to backup the main 32KB of RAM.
Anyway, ignore my skepticism and good luck! :) (Do be aware of the reputation damage that could be done, though, like DJ said)
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on July 19, 2010, 09:37:46 pm
Quote
1. This is extremely difficult, especially since a person who was really trying to be malicious could simply disassemble, slightly change, then reassemble the code, which would render your checks inoperable.
2. Anyway, ignore my skepticism and good luck! :) (Do be aware of the reputation damage that could be done, though, like DJ said)

1. Not if you are tailoring your checks toward b_calls like unlocking Flash, editing the certificate and stuff like that. The scanner will throw a warning if it detects such routines. Regardless of what they do to the code, they'll still need to use certain b_calls.

2. I know of reputation damage. That's why I'm taking my time working on this and planning it out well. I plan on Blast AntiVirus being known as the AntiVirus that works. Prior to release, I will test it extensively on BrandonW's stuff and try to make it as thorough as possible before release.

*Another feature is this: You may modify the virus definitions file (appvar BDefs) within the program. Let's say someone designs a new virus (or prank) called BXC1 and that program is not in the definitions, you may add it yourself.

**The virus definitions update file that I will periodically provide (for new virus/pranks that are designed after release) is called appvar BUDefs. When you run the antivirus, it will detect the update if one is present. With a single keypress, the antivirus auto-updates the virus definitions, then deletes the update file. Due to the structure of the update process, any self-modifications to the definitions file will be preserved across updates.

***The antivirus and all of its subroutines, appvars, and needed ingredients will be specifically designed so that you only need to send ONE file to your calculator. The installer will do the rest. Furthermore, all parts of this program are designed to endure in the event of any RAM clear.


If anyone has any more suggestions/ideas, please let me know.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: thepenguin77 on July 19, 2010, 10:48:26 pm
The main problems that I see though are that I'm not sure you can really block everything. If I wanted to, I could make a bad program, decrease every byte by one, and send it to someone's calc. Your program wouldn't even pick up a single bcall because in its current state, there are none. But then when it is run, it increments all the data and runs.

Not to mention, I found a way to invalidate an os, (in my case, erase page 0) with 7 bytes. I could make a 3k program that slowly through a process does those commands. I could add $70 + $0F to get $7F. Then use out (06), a, to bring in flash page $7F which is the boot code. Finally, add $4300 + $0014 to get $4314 which I could use jp (hl) to hide. I just don't see how you can protect against everything.
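
The b_call watchlist proposed earlier and the byte-shifted program described in this post, as an added example that is not part of either post or of CalcShield. It goes beyond the post by adding a brute-force pass over all 256 constant byte offsets, and it assumes the usual TI-83+ encoding of bcall() as RST 28h (EF) followed by the address, low byte first; 50CBh is the only address taken from the thread and the sample programs are constructed.

```python
# Added illustration; not CalcShield's code.
# Assumption: bcall(addr) assembles to EF, low byte, high byte (RST 28h + .dw).
RST_28H = 0xEF
WATCHLIST = {0x50CB: "bcall(50CBh), quoted in this thread"}

# Constructed samples.
PLAIN = bytes.fromhex("3E01EFCB50C9")    # ld a,1 / bcall(50CBh) / ret
STORED = bytes.fromhex("3D00EECA4FC8")   # PLAIN with every byte decreased by one
OTHER = bytes.fromhex("EF3412C9")        # bcall to 1234h (made-up address) / ret


def bcall_targets(code):
    """Return (offset, address) for every EF lo hi triple in the image.
    This is a raw byte scan, so an EF that is really data is reported too."""
    found = []
    for i in range(len(code) - 2):
        if code[i] == RST_28H:
            found.append((i, code[i + 1] | (code[i + 2] << 8)))
    return found


def scan(code, watchlist=WATCHLIST):
    """Static check: watchlisted bcall addresses present in the bytes as stored."""
    return [(off, addr) for off, addr in bcall_targets(code) if addr in watchlist]


def xray_scan(code, watchlist=WATCHLIST):
    """Re-run scan() on the image with each constant offset 0..255 added to
    every byte. Returns (offset_added, position, address) for each hit.
    More candidates also means more chances of a coincidental match."""
    hits = []
    for delta in range(256):
        shifted = bytes((b + delta) & 0xFF for b in code)
        hits += [(delta, off, addr) for off, addr in scan(shifted, watchlist)]
    return hits


if __name__ == "__main__":
    for name, image in (("PLAIN", PLAIN), ("STORED", STORED), ("OTHER", OTHER)):
        print(name, "static:", scan(image), "xray:", xray_scan(image))
```

The brute-force pass only undoes a constant per-byte offset; a program that builds its values at run time, as in the second paragraph of the post above, is not visible to any static pass.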
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on July 19, 2010, 10:57:14 pm
The best thing you could do is probably get some people to write bad programs for you to test your anti-virus on, but of course make sure to test on emulator first, and watch out about programs that delete the certificate x.x
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: thepenguin77 on July 19, 2010, 11:14:15 pm
Quote
The best thing you could do is probably get some people to write bad programs for you to test your anti-virus on, but of course make sure to test on emulator first, and watch out about programs that delete the certificate x.x

Reading this I think to myself, "I just disassembled the boot code yesterday... I know how to do this!"
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on July 19, 2010, 11:18:21 pm
Lol. Just as a heads-up, though: try to make such bad programs as hard to reach by the community as possible :P.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: Deep Toaster on July 21, 2010, 04:33:31 am
Hm, an idea: Maybe you could market this to teachers with the "virus definitions" changed to instead block games on school-owned calculators? (I'm being perfectly serious. It'd actually be pretty useful.)
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: calcdude84se on July 21, 2010, 10:08:09 am
That wouldn't be too hard, just block anything with the Ion, MirageOS, or DCS header, since virtually all well-known games are written for those shells. (Not to mention many people don't use the shells for anything other than to play games anyway)
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on July 21, 2010, 12:12:39 pm
You could also check for BASIC code that sets Xmin to 0 and Xmax to 94. That would be enough to block most graphical games, although it may also block legitimate math programs.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: matthias1992 on July 28, 2010, 02:43:37 pm
Are you still working on this? I am also quite sceptical towards its use but the more I read the more I got convinced it might be useful. I would suggest however that you install it invisible. I would also password protect the program and make it only removable if you have entered the right password...of course there are disadvantages to this but since this is an antivirus I'd recommend it to be as silent, fast and protected as possible. I'd recommend you to let the program scan at startup and save the state of the calculator (e.g. there are 5 programs) then on the next boot it checks the savestate and if there are any changes rescan. Also I'd make an option whether or not to scan basic prgms/ dcs prgms/ asm prgms/ ion prgms etc. Another function would be to check whether or not apps are allowed.

Last but not least it is extremely difficult to check all malicious asmcode. Any wrong (order) of asm commands will ram-clear the calc (the antivirus should be bullet-proof to that as well) so essentially 99% of the malicious hex code clears the ram, the other 1% is worse.

Actually the whole teacher-security idea isn't that bad at all, although I would personally dislike it, you might just be able to resell it to math teachers so that games are blocked.
The second use is, me. /me wants to write a virus that bypasses this :) just for the fun and giggles of it :P

Good Luck!

PS: You can give me version 5 @ [email protected]
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on October 06, 2010, 02:49:56 pm
The details are at Cemetech, but I revived this project using Axe and working with help from Kerm Martian. This program will have a full system scan feature, which will check all programs on calc BY CONTENT!!!! It will search for a bunch of hex malcodes saved into a virus definitions file. No more searching by name, people. Also, it will install a parser hook, fully compatible with DCS7's hook, that, when you run a program, will scan that program for malcodes and request manual confirmation if they are found. Also, if I can get this working, the installer will create a file for itself in DCS and place itself in that folder, AUTOMATICALLY. Stay tuned for updates.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on October 06, 2010, 02:52:19 pm
Nice. I wonder what kind of program we could create to test this when it is released in beta? Would stuff such as For(Z,32768,65535):0->{Z}:End do the trick as well or does it have to be programs like OSkill? In the latter case I am not too sure how to write one :P
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on October 06, 2010, 02:54:30 pm
It is designed to deflect OS invalidating, certificate screwing, or other extremely harmful stuff. It will not, nor is it intended to, intercept everything that could possibly crash or freeze.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on October 06, 2010, 02:56:07 pm
Oooh ok, I see. I think it might be good to add some small protections for that stuff too, though, such as that program Iambian wrote that infects Ion programs. Detecting potential OS/certificate harming seems pretty nice, though.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: yunhua98 on October 06, 2010, 02:57:52 pm
Wow, that sounds really cool!
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on October 06, 2010, 03:00:15 pm
Here's what will be included:

Null programs (crash sometimes)
Stack Overflow (maybe)
A While 1 loop
OS invalidation routines
b_call Unlock Flash (but, wouldn't this occur any time you move something to archive???)
writing to certificate

Any of these things will trigger the antivirus. More may be added later though. I have included a definitions update routine within the program.

Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: DJ Omnimaga on October 06, 2010, 03:51:45 pm
Ah right. For While 1 loops I assume you'll check for endless ones, right? Cuz it's possible to have While 1 loops that are not endless loops. Axe Tunnel uses one I think.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: thepenguin77 on October 06, 2010, 04:20:58 pm
There's no bcall(_unlockFlash). (If there was, BrandonW would fall out of his chair laughing.) You have to glitch the OS into giving control back to your program while flash is unlocked.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ztrumpet on October 06, 2010, 05:44:33 pm
Actually...
(from #omnimaga today)
Quote
[15:25:56] <ztrumpet> "There's no bcall(_unlockFlash). (If there was, BrandonW would fall out of his chair laughing.) You have to glitch the OS into giving control back to your program while flash is unlocked." lol
[15:29:18] <calc84maniac> where dat quote be from?
[15:30:25] <ztrumpet> http://ourl.ca/4351/125226
[15:30:31] <calc84maniac> also, I want a bcall(_unlockFlash) :P
[15:31:20] <ztrumpet> So how does it work (providing you feel like explaining something else to me... =P )?
[15:31:51] <calc84maniac> I've never done it before :P
[15:31:59] <ztrumpet> ah
[15:33:20] <calc84maniac> I'm thinking that for TI-Boy I should only do whatever hack needs to be done the first time it is run with an OS
[15:33:43] <calc84maniac> then write my own unlocking routine to the end of one of the pages
[15:34:06] <calc84maniac> and use that from then on
[15:34:36] <calc84maniac> cause I'm not sure these hacks even work if rom page 0 is trashed
[15:38:20] <+BrandonW> There used to be a BCALL that more or less did that, but TI actually fixed it.
[15:38:33] <+BrandonW> ld a,1 \ ld (appInfo+2),a \ bcall(50CBh) That used to unlock Flash.
[15:40:35] <ztrumpet> lol
[15:40:37] <calc84maniac> BrandonW, what was that routine you like to write to flash? nop / nop / im 1 / di / out (c),b / ret ?
[15:40:48] <+BrandonW> Yes.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: AngelFish on October 06, 2010, 05:55:11 pm
Quote
b_call Unlock Flash (but, wouldn't this occur any time you move something to archive???)
writing to certificate

How quickly could it react to those? If you're scanning and running the program simultaneously, you could probably get a command or two in before CalcShield shut down the virus. That's enough to potentially mess with the MD5 hash on the certificate. If you're scanning the instructions for malicious Hex and THEN running the code, you're going to have very slow code. Graphing is already pretty slow on the 83/84+ series and it'd be even slower with another software layer in it.
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on October 06, 2010, 06:19:46 pm
It's actually b_call(EraseFlash).
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: Deep Toaster on October 06, 2010, 07:59:02 pm
While 1 loops would be hard to find in ASM because almost all loops have the same structure. They just quit at different times. So I guess you could search for DJNZ loops without a jump out?
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: calcdude84se on October 07, 2010, 06:19:32 pm
I think you're getting confused with how djnz works ;)
For example, this code leaves hl equal to $100:
Code:
ld b,0
ld h,b
ld l,b
;Zero b and hl
loop:
inc hl
djnz loop
In short, you normally don't write infinite loops with djnz.
In addition, "While 1" loops can be useful.
Code:
0->X
While 1
Output(0,0,X+1->X>Dec
ReturnIf getkey(0)
End
Wait, do you mean just an empty loop? (I missed the previous page)
In that case, there are still ways to get around it. Another endless loop: (and yes, storing to a variable address returns the address, not the value stored)
Code:
0->A
While 0->{A}=A
End
Title: Re: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed
Post by: ACagliano on October 10, 2010, 08:55:50 pm
Ok. Thank you.