* * * * * * * * * * * * * * * * * * *
        V I R U S   A L E R T
* * * * * * * * * * * * * * * * * * *

Article by Joe Horn
Disinfectant programs by Brian Maguire

"Next to a battle lost, the greatest misery is a battle gained."
   -- Wellington

It was just a matter of time. Three viruses (all very similar) have been written for the HP 48. As if this weren't bad enough, they are being spread around on college campuses as a practical joke. Not funny at all, when it's your 48 that gets sick, then goes psychotic, and finally dies.

I must admit, however, a certain morbid respect for the author(s); these little timebombs are well written. When stripped from their host program, they look like this harmless little 3-object snippet:

    "■" External Code

where the "■" is the null character (displayed as a little square blob). The "External" is not at all what it appears to be! It's really an "external type 2" object, one of the four unused object types; and it contains the real body of the virus, in System RPL. The subsequent Code object merely jumps backwards into the External object, just past its object header, thus executing its contents as an RPL program.

If you engage in promiscuous I/O with college students (who doesn't?), be on the lookout for the following bogus "error messages":

    "System Malfunction"
    "Defective ROM"
    "Damaged ROM"
    "Invalid Addressing"

Also, the virus attaches itself to other program objects in the current directory (thereby earning the name "virus"). Since it modifies objects without your knowledge, it may wreak havoc that the author(s) never intended, especially if you are into System RPL programming. It may cause objects to be purged, entire directories to be lost, memory corrupted, and even total Memory Clear. And the null character at the beginning prevents you from removing the virus by normal editing, because when you hit EDIT you'll get the "Can't Edit Null Char." error message.
This sucker not only propagates itself, it even has self-preservation instincts! Geez.

Since the current "strains" of this virus all contain the same Code object, it's easy to write a "vaccine" that checks a program for the virus, and if found, "disinfects" it. If you'd like to do it yourself, here's the recognizable 29.5-byte Code object:

In ASC-> format:

    %%HP:T(1);
    "CCD20630001741433450000EA1411C414334A0000CA14134E8F60DA808C4ECA"

Source code:

    HP              AG                   opcode
    --------        ------------         --------
    D1=D1+ 5        ADD.A #5,D1          174
    A=DAT1 A        MOVE.A @D1,A         143
    LC(5) 5         MOVE.P5 #5,C         3450000
    A=A-C A         SUB.A C,A            EA
    DAT1=A A        MOVE.A A,@D1         141
    D1=D1- 5        SUB.A #5,D1          1C4
    A=DAT1 A        MOVE.A @D1,A         143
    LC(5) 10        MOVE.P5 #A,C         34A0000
    A=A+C A         ADD.A C,A            CA
    DAT1=A A        MOVE.A A,@D1         141
    LC(5) #06F8E    MOVE.P5 #06F8E,C     34E8F60
    A=C A           MOVE.A C,A           DA
    PC=(A)          JUMP.A @A            808C

The "External" object immediately precedes this Code object. It consists of its five-nibble prolog (02BCC), followed by a five-nibble length field (nib distance to the following Code object). The length field is immediately followed by an RPL program object (beginning D9D20, of course), which is the nucleus of the virus, the part that does all the dirty work; the "DNA" part, as it were. For obvious reasons, I will not publish the virus itself.

Brian Maguire considered this sordid situation to be a delightful programming challenge, and whipped up the following two programs. 'VACCINE.1' disinfects program objects, and 'CLEAN' disinfects entire directories.

INSTRUCTIONS: Place infected program on stack and press VACCINE.1 to disinfect it, or run CLEAN to disinfect all the programs in the current directory. Obviously it is best to keep these programs protected in a card switched to the ROM position. They can be run from there, for example via a CST key or a user-mode key assignment.

Here's the source code for the curious and curiouser:

'VACCINE.1' ( in System RPL )

    ::
      CK1NoBlame
      CK&DISPATCH0 EIGHT
      ::
        BEGIN
          ::
            DUPLENCOMP #2= NOTcase FALSE
            DUP TWO NTHCOMPDROP DTYPECOL? NOTcase DROPFALSE
            DUPLENCOMP #3= NOTcase DROPFALSE
            THREE NTHCOMPDROP
            ' CODE 49 1741433450000EA1411C414334A0000CA14134E8F60DA808C
            EQUAL
          ;
        WHILE
          CARCOMP
        REPEAT
      ;
    ;

'CLEAN' ( in User RPL )

    \<< 8 TVARS LIST\-> 1 SWAP
      FOR i DUP RCL VACCINE.1 SWAP STO
      NEXT
    \>>

VACCINE on this disk is an HP 48 directory which contains both of the above programs.

Many thanx to Brian Maguire for making this potentially terrifying situation so easy to cope with.
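
The signature check described in the article, as an added example in Python (not part of the original article and not Brian Maguire's code): it scans a hex nibble dump for the published Code object, then looks backwards for an External header whose length field ends exactly where that Code object begins. The sample dump is constructed, with zero nibbles standing in for the virus body, and the code assumes the External's length is counted from the length field itself, the way the Code object's own length field is.

```python
# Added example: scan a hex nibble dump for the Code object published above.
ASC = "CCD20630001741433450000EA1411C414334A0000CA14134E8F60DA808C4ECA"
CODE_SIG = ASC[:-4]      # ASC-> appends a 4-nibble checksum; 59 nibbles = 29.5 bytes
EXT2 = "02BCC"[::-1]     # External prolog as stored in memory, low nibble first
PROGRAM = "D9D20"        # program-object prolog as it appears in a dump

def field(nibs, pos):
    """Decode the 5-nibble, low-nibble-first field at pos."""
    return int(nibs[pos:pos + 5][::-1], 16)

def find_external(nibs, code_pos):
    """Offset of the External header that ends exactly at code_pos, else None."""
    start = nibs.rfind(EXT2, 0, code_pos)
    while start != -1:
        len_pos = start + 5
        # Assumption: length is counted from the length field itself, as in
        # the Code object (63000 -> 54 = 5 length nibbles + 49 code nibbles).
        if (len_pos + 10 <= code_pos
                and len_pos + field(nibs, len_pos) == code_pos
                and nibs.startswith(PROGRAM, len_pos + 5)):
            return start
        start = nibs.rfind(EXT2, 0, start + len(EXT2) - 1)
    return None

def scan(nibs):
    """Return [(code_offset, external_offset_or_None)] for every signature hit."""
    nibs = "".join(nibs.split()).upper()
    hits, pos = [], nibs.find(CODE_SIG)
    while pos != -1:
        hits.append((pos, find_external(nibs, pos)))
        pos = nibs.find(CODE_SIG, pos + 1)
    return hits

def le5(n):
    """Encode n as a 5-nibble, low-nibble-first field."""
    return f"{n:05X}"[::-1]

# Constructed sample: zero nibbles stand in for the virus body (not real code).
BODY = PROGRAM + "0" * 20
INFECTED = PROGRAM + EXT2 + le5(5 + len(BODY)) + BODY + CODE_SIG
CLEAN = PROGRAM + "0" * 30

if __name__ == "__main__":
    for name, dump in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, scan(dump))
```

A hit with no External offset means the Code object was found without the header layout the article describes in front of it.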