Mail Archives: djgpp/1995/08/26/06:24:00

Xref: news-dnh.mv.net comp.os.msdos.djgpp:1750
Path: news-dnh.mv.net!mv!news.sprintlink.net!sunic!sunic.sunet.se!news.uni-c.dk!diku.dk!terra
From: terra AT diku DOT dk (Morten Welinder)
Newsgroups: comp.os.msdos.djgpp
Subject: Re: djgpp2 and TBAV
Date: 26 Aug 1995 05:12:58 GMT
Organization: Department of Computer Science, U of Copenhagen
Lines: 55
Sender: terra AT tyr DOT diku DOT dk
References: <DDvEG2 DOT 41u AT jade DOT mv DOT net> <mictaliDDvHxL DOT 84w AT netcom DOT com> <Pine DOT A32 DOT 3 DOT 91 DOT 950825122621 DOT 15802A-100000 AT srv1 DOT freenet DOT calgary DOT ab DOT ca> <303e5067 DOT sandmann AT praline DOT no DOT NeoSoft DOT com> <Pine DOT A32 DOT 3 DOT 91 DOT 950825193848 DOT 28926A-100000 AT srv1 DOT freenet DOT calgary DOT ab DOT ca>
Nntp-Posting-Host: odin.diku.dk
To: djgpp AT sun DOT soe DOT clarkson DOT edu
Dj-Gateway: from newsgroup comp.os.msdos.djgpp

Chi Hoang <choang AT freenet DOT calgary DOT ab DOT ca> writes:

>well, this is what TBAV says on all djgpp2 programs:
> Heuristic flags: c!?ZK AT i
> c  No checksum / recovery information (Anti-Vir.Dat) available. 

Well, that's for sure not our fault!  :-)


> !  Invalid opcode (non-8088 instructions) or out-of-range branch. 

We _need_ 386 instructions.  Is that what it complains about?


> ?  Inconsistent exe-header.  Might be a virus but can also be a bug. 

Hmm.  DJ, Charles: any ideas?


> Z  EXE/COM determination.  The program tries to check whether a file
>    is a COM or EXE file.  Viruses need to do this to infect a program. 

It's wrong here.  However, there is code in there to add ".EXE" to a
file name.  Is that what it complains about?



> K  Unusual stack.  The program has a suspicious stack or an odd stack. 

The stack is not very big and occurs in the middle.  I would think
that is what is detected.



> @  Encountered instructions which are not likely to be generated by
>    an assembler, but by some code generator like a polymorphic virus. 

Two things: djasm doesn't generate the same bit patterns as [mt]asm
would have done, and the code is optimized by hand for size.



> i  Additional data found at end of file. Probably internal overlay. 

Right, and what's wrong with that?





I say ship a compiled program and the source for the stub off to the
author of TBAV.  Have him _fix_ his program, or tell us what to do
differently.

Morten
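
To make the flags being argued over concrete, here is an added example (my own code, not Morten's and not part of DJGPP or TBAV) that replicates three of the header-level checks the thread discusses: a self-inconsistent EXE header ("?"), an initial stack that lies inside the loaded image rather than beyond it ("K"), and extra bytes after the declared load module ("i"). The sample MZ image it builds is constructed for the example; the field names follow the standard DOS header layout.

```python
import struct

# DOS MZ header fields in file order (standard layout; names are the usual ones).
MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def analyze_mz(data: bytes) -> dict:
    """Header-level checks in the spirit of TBAV's '?', 'K' and 'i' flags.

    Returns the declared load-module size, whether the header contradicts
    itself or the file length, whether the initial stack top lies inside the
    loaded image, and how many bytes follow the load module (an overlay,
    which by itself is harmless, as the reply above points out)."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    hdr = dict(zip(MZ_FIELDS, struct.unpack_from("<14H", data, 0)))
    # Load module = e_cp pages of 512 bytes; e_cblp is the number of bytes
    # used in the last page (0 means the last page is full).
    declared = hdr["e_cp"] * 512
    if hdr["e_cblp"]:
        declared -= 512 - hdr["e_cblp"]
    header_len = hdr["e_cparhdr"] * 16
    image_len = declared - header_len
    inconsistent = (
        header_len < 28
        or header_len > declared
        or declared > len(data)
        or (hdr["e_crlc"] and hdr["e_lfarlc"] + 4 * hdr["e_crlc"] > header_len)
    )
    # Initial SS:SP as a linear offset from the image start; SP == 0 wraps to 64K.
    stack_top = hdr["e_ss"] * 16 + (hdr["e_sp"] or 0x10000)
    return {
        "declared_size": declared,
        "header_inconsistent": bool(inconsistent),
        "stack_inside_image": stack_top < image_len,
        "overlay_bytes": max(0, len(data) - declared),
    }


def build_sample(stack_ss: int, stack_sp: int, overlay: bytes = b"") -> bytes:
    """Constructed test image: 32-byte header, 100 bytes of NOP filler, optional overlay."""
    image = b"\x90" * 100
    header_len = 32
    declared = header_len + len(image)            # 132 bytes
    e_cp, e_cblp = divmod(declared, 512)
    if e_cblp:
        e_cp += 1
    hdr = struct.pack("<14H", 0x5A4D, e_cblp, e_cp, 0, header_len // 16, 0,
                      0xFFFF, stack_ss, stack_sp, 0, 0, 0, 0x1C, 0)
    return hdr.ljust(header_len, b"\0") + image + overlay
```

Running `analyze_mz(build_sample(0, 0x40, b"X" * 20))` reports a 20-byte overlay and a stack inside the image, while the same file truncated short of its declared size is reported as inconsistent.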


