Author Topic: CalcShield 2010 (Blast AntiVirus Version 5.0) - Beta Testers Needed  (Read 17436 times)


SirCmpwn

  • Guest
Re: Blast Antivirus Version 5.0
« Reply #15 on: March 25, 2010, 07:11:54 pm »
^ 300th post, congrats!

Offline ACagliano

  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 919
  • Rating: +32/-2
Re: Blast Antivirus Version 5.0
« Reply #16 on: March 25, 2010, 07:17:31 pm »
I'm just gonna drop this attachment here, while you're working on some sort of antivirus. The IRC'ers will know what this is for.

A long program. What exactly does it do??


PS: I am officially loving Celtic3
« Last Edit: March 25, 2010, 07:24:16 pm by ACagliano »

Offline Builderboy

  • Physics Guru
  • CoT Emeritus
  • LV13 Extreme Addict (Next: 9001)
  • *
  • Posts: 5673
  • Rating: +613/-9
  • Would you kindly?
Re: Blast Antivirus Version 5.0
« Reply #17 on: March 25, 2010, 08:13:51 pm »
Mmm, I was thinking about the firewall, like for stopping incoming silently linked programs, and I think that it would be pretty safe to assume that any programs sent through silent linking would be malicious o.o

Offline ACagliano

  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 919
  • Rating: +32/-2
Re: Blast Antivirus Version 5.0
« Reply #18 on: March 25, 2010, 08:25:40 pm »
Yep, but I need assembly to intercept and store it to a buffer so that my firewall can check it.

_player1537

  • Guest
Re: Blast Antivirus Version 5.0
« Reply #19 on: March 26, 2010, 01:00:14 am »
OK, so this program is to intercept silently linked programs, correct? I might be able to write one that told you if there was a silent link going on, but not sure about how to go about making it store the name of the program though.

Offline ACagliano

  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 919
  • Rating: +32/-2
Re: Blast Antivirus Version 5.0
« Reply #20 on: March 26, 2010, 10:26:56 am »
That leaves the program half done. Does anyone know how to do the other part? Lesson 3 of "28 days" doesn't seem to touch upon it.

Offline mapar007

  • LV7 Elite (Next: 700)
  • *******
  • Posts: 550
  • Rating: +28/-5
  • The Great Mata Mata
Re: Blast Antivirus Version 5.0
« Reply #21 on: March 31, 2010, 02:20:37 am »
This will give LOADS of false alarms. The scanner will say a program is evil every time it pops BC before a RET, while this sometimes is required. The code will only crash your calculator when the stack level at RET is different from the stack level at the routine's entry point.

Don't worry. I will configure response to that as maximum security. Under lower security, it won't respond to it. Anything else?
No... You'd have to trace the stack. There is no other way. More than half of the normal asm routines end in a pop instruction, then a RET. The only way to check for stack leaks (and even this is not completely airtight), is to count every pop and push instruction and check whether the numbers are equal.



« Last Edit: March 31, 2010, 02:22:10 am by mapar007 »

Offline Iambian

  • Coder Of Tomorrow
  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 739
  • Rating: +216/-3
  • Cherry Flavoured Nommer of Fishies
Re: Blast Antivirus Version 5.0
« Reply #22 on: March 31, 2010, 09:01:41 am »
[...]
No... You'd have to trace the stack. There is no other way. More than half of the normal asm routines end in a pop instruction, then a RET. The only way to check for stack leaks (and even this is not completely airtight), is to count every pop and push instruction and check whether the numbers are equal.
More than half? :P

Scanning a program that way would epically fail if the program did anything using SP for anything other than for entries on the hardware stack. Like clearing off the screen buffer. Also, any such scanning program would have to be aware of program flow, which could take a while to scan if the person's doing strange things with the stack in their program. Not saying that all programs are strange and weird, but just letting you know that there are people that would code their programs in the most convoluted way possible. (I'm half an example here)
« Last Edit: March 31, 2010, 09:02:25 am by Iambian »
A Cherry-Flavored Iambian draws near... what do you do? ...
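
The two heuristics argued over in replies #21 and #22, as an added example that is not part of the original thread or of Blast AntiVirus: a byte-pattern "POP before RET" signature next to a push/pop balance count that decodes instruction lengths and gives up when SP is written or control flow branches. Function names, sample routines and addresses are constructed; the sketch assumes unprefixed and ED-prefixed Z80 opcodes only and treats RST 28h as a TI-OS bcall with a 2-byte inline address.

```python
# Added illustration (not from the thread). Opcode values are standard Z80;
# the sample routines and addresses below are constructed.
PUSH, POP, RET = {0xC5, 0xD5, 0xE5, 0xF5}, {0xC1, 0xD1, 0xE1, 0xF1}, 0xC9
JUMPS = set(range(0x10, 0x40, 8)) | set(range(0xC2, 0x100, 8)) | {0xC3, 0xE9}
COND_RET = set(range(0xC0, 0x100, 8))
SP_WRITES = {0x31, 0x33, 0x3B, 0xF9}   # LD SP,nn / INC SP / DEC SP / LD SP,HL
LEN2 = set(range(0x06, 0x40, 8)) | set(range(0xC6, 0x100, 8)) | {0xD3, 0xDB, 0xCB}
# 0xEF = RST 28h; assumed to be a TI-OS bcall, which carries a 2-byte address.
LEN3 = {0x01, 0x11, 0x21, 0x22, 0x2A, 0x32, 0x3A, 0xCD, 0xEF} | set(range(0xC4, 0x100, 8))

def naive_pop_before_ret(code):
    """Byte-pattern signature: a POP opcode byte directly followed by RET."""
    return any(a in POP and b == RET for a, b in zip(code, code[1:]))

def stack_verdict(code):
    """Decode linearly up to the first RET; return (verdict, pushes, pops)."""
    i = pushes = pops = 0
    while i < len(code):
        op = code[i]
        if op in (0xDD, 0xFD):                      # IX/IY prefixes: not decoded here
            return ("inconclusive: undecoded prefix", pushes, pops)
        if op == 0xED:
            sub = code[i + 1] if i + 1 < len(code) else 0
            if sub == 0x7B:                         # LD SP,(nn)
                return ("inconclusive: SP modified", pushes, pops)
            i += 4 if (sub & 0xC7) == 0x43 else 2   # ED 43..7B carry a 16-bit address
            continue
        if op in SP_WRITES:
            return ("inconclusive: SP modified", pushes, pops)
        if op in JUMPS or op in COND_RET:           # needs real control-flow tracing
            return ("inconclusive: branch", pushes, pops)
        if op == RET:
            return ("balanced" if pushes == pops else "leak", pushes, pops)
        pushes += op in PUSH
        pops += op in POP
        i += 3 if op in LEN3 else 2 if op in LEN2 else 1
    return ("inconclusive: no RET", pushes, pops)

SAMPLES = {
    "save_restore": bytes.fromhex("c50605c1c9"),  # PUSH BC; LD B,5; POP BC; RET
    "operand_c1":   bytes.fromhex("01c1c1c9"),    # LD BC,0C1C1h; RET
    "missing_pop":  bytes.fromhex("e5afc9"),      # PUSH HL; XOR A; RET
    # LD (9000h),SP; LD SP,9600h; PUSH HL; PUSH HL; LD SP,(9000h); RET
    "sp_as_ptr":    bytes.fromhex("ed730090310096e5e5ed7b0090c9"),
}

if __name__ == "__main__":
    for name, code in SAMPLES.items():
        print(f"{name:13} naive={naive_pop_before_ret(code)!s:5} {stack_verdict(code)}")
```

The signature flags the two harmless routines and misses the one that returns with an extra word on the stack, while the count gets those three right and refuses to judge the routine that uses SP as a data pointer.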

Offline mapar007

  • LV7 Elite (Next: 700)
  • *******
  • Posts: 550
  • Rating: +28/-5
  • The Great Mata Mata
Re: Blast Antivirus Version 5.0
« Reply #23 on: March 31, 2010, 09:19:17 am »
Well, that's pretty much the reason why I said this wouldn't be airtight. :P

(and that 'more than half' counts for me, at least... :P )

Offline willrandship

  • Omnimagus of the Multi-Base.
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2953
  • Rating: +98/-13
  • Insert sugar to begin programming subroutine.
Re: Blast Antivirus Version 5.0
« Reply #24 on: April 12, 2010, 09:46:34 pm »
Have there actually been any kind of malicious programs written for crashing your calc, or is this only for badly written ones, that will crash your calc? The only real way I can see someone writing a virus like this would be a local friend, as most calc sites would most likely not put it up, having tried it out.

Not to discourage, I'm just asking.

Offline meishe91

  • Super Ninja
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2946
  • Rating: +115/-11
Re: Blast Antivirus Version 5.0
« Reply #25 on: April 12, 2010, 10:00:57 pm »
Well, in theory, if a program is in BASIC you can't jack your calculator up, but you can do fake programs that just annoy the user. But there are also programs that can do RAM clears or even do worse like erase the OS or certificate (in that case you're basically screwed unless someone like BrandonW can help ya out). The programs that do that are Assembly programs.
« Last Edit: April 12, 2010, 10:01:36 pm by meishe91 »
For the 51st time, that is not my card! (Magic Joke)

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
Re: Blast Antivirus Version 5.0
« Reply #26 on: April 12, 2010, 11:23:39 pm »
Have there actually been any kind of malicious programs written for crashing your calc, or is this only for badly written ones, that will crash your calc? The only real way I can see someone writing a virus like this would be a local friend, as most calc sites would most likely not put it up, having tried it out.

Not to discourage, I'm just asking.
Iambian wrote one that infects all Ion programs you run and IIRC it transmits from calc to calc. BrandonW wrote a program that can really screw up your calc certificate badly. Also Iambian had the Flashcrash program in his sig on UTI before, which deletes the calc OS. Technically, over the internet, an antivirus for calc wouldn't be much useful, because if a virus lands on ticalc.org or on a calc forum, on ticalc it will get taken down and on a forum, people will all know it's a virus. An antivirus like this is more useful at school, if you receive a lot of programs from students or if your calc is at risk of getting left unattended, otherwise it can be useful if you tend to download calc programs from unsafe sources. It could be very easy to bypass, though, because the author can simply constantly update his virus code so the antivirus can no longer detect it.

Offline willrandship

  • Omnimagus of the Multi-Base.
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2953
  • Rating: +98/-13
  • Insert sugar to begin programming subroutine.
Re: Blast Antivirus Version 5.0
« Reply #27 on: April 12, 2010, 11:45:07 pm »
However, if it disassembles the code like you're talking about, the updates would be much harder, right?

I won't sleep well tonight.....but then again, in my area I'm the only person who knows how ASM really works. hehehe.

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
Re: Blast Antivirus Version 5.0
« Reply #28 on: April 12, 2010, 11:57:03 pm »
Which update do you mean? The antivirus or the viruses?

Offline ACagliano

  • LV8 Addict (Next: 1000)
  • ********
  • Posts: 919
  • Rating: +32/-2
Re: Blast Antivirus Version 5.0
« Reply #29 on: April 13, 2010, 08:41:45 am »
He's saying updating the virus, changing the code, so that the antivirus cannot detect that particular piece of code.


For anyone interested, the file attached is the last version of my antivirus. It has a "by-name" program scanner, and (maybe) can be set to run on start-up. I made this a while back, so I don't remember if it did.
« Last Edit: April 13, 2010, 08:49:26 am by ACagliano »