; DOS Int21 backdoor
; Kees Cook 1994
; Running this code is as good as calling INT 21
; Everything up to "fakeit" is setup to find the true identity of the original
; Int 21 handler
;
; Syntax:  Intel operand order, 16-bit real mode.  Entered with cs = the
;          program's own segment; ds is always set explicitly before use.
; Data:    the far pointer that is found is stored at cs:[500h] (offset)
;          and cs:[502h] (segment) -- writable data inside the code segment.
; Regs:    ax = candidate segment of the DOS code, cx = candidate offset,
;          di = scan cursor, bx = scan limit (cx + 20h) or a temp pointer.
; Result:  the located handler is called directly with ax = 4cffh using
;          pushf / call far (the same stack layout an INT leaves), so any
;          handler installed in the INT 21h vector is not invoked unless the
;          "useregular" fallback is taken.
; NOTE(review): the byte patterns scanned for depend on the layout of one
;          particular DOS kernel of that era -- confirm which versions match.

cs: mov cx,[6]            ; get address for old DOS services call
cs: mov ax,[8]            ; ax = word at cs:[8], used as a segment below
                          ; NOTE(review): looks like the far-call target stored
                          ; at offset 5 of the PSP is being read -- confirm
push ax
pop ds                    ; ds = that segment
add cx,1
mov bx,cx                 ; bx = cs:[6] + 1
mov cx,[bx]               ; cx = offset word at ds:[bx]
mov ax,[bx+2]             ; ax = segment word at ds:[bx+2]

trylo:                    ; in: ax:cx = candidate far pointer to DOS code
push ax
pop ds                    ; ds = candidate segment; all [di]/[bx] loads below use it
mov di,cx                 ; di = scan cursor
mov bx,cx
add bx,20h                ; bx = end of the 20h-byte scan window

lowloop:
cmp di,bx                 ; look for the cmp/jmp pair at the end
jz itshigh                ; of the old DOS services code
mov al,[di]
add di,1
cmp al,80h
jnz lowloop
mov al,[di]
add di,1
cmp al,0f9h
jnz lowloop
mov al,[di]
add di,1
cmp al,24h                ; bytes 80 F9 24 encode "cmp cl,24h"
jnz lowloop
                          ; NOTE(review): di is advanced inside the partial-match
                          ; paths without re-checking bx, so a partial match at
                          ; the window edge can step di past bx and the jz exit
                          ; above is then never taken
mov cx,di
add cx,6                  ; entry point is 6 away from there
jmp saveaddr              ; ds:cx = handler found by signature

itshigh:
mov di,cx                 ; found DOS loaded high
mov bx,cx
add bx,20h                ; second 20h-byte window, same candidate segment

highloop:
cmp di,bx
jz useregular             ; nothing recognised: fall back to the vector table
mov al,[di]               ; loop through the hi-DOS pointers
add di,1                  ; and try to find the code again
cmp al,0ffh
jnz highloop
mov al,[di]
add di,1
cmp al,2eh                ; FF 2E = "jmp far [disp16]"
                          ; NOTE(review): no conditional jump follows this cmp,
                          ; so a byte other than 2eh is not rejected here
mov bx,[di]               ; bx = the disp16 operand of that jmp
mov ax,[bx+2]             ; ax = segment of the far pointer it names
mov cx,[bx]               ; cx = its offset
jmp trylo                 ; retry the signature scan at the new target

saveaddr:                 ; in: ds:cx = far pointer to store
push ds
pop bx                    ; bx = segment that was found
push cs
pop ds                    ; ds = cs so the stores below land in the code segment
mov [502h],bx             ; cs:[502h] = segment
mov [500h],cx             ; cs:[500h] = offset
jmp fakeit

useregular:
mov ax,0
push ax
pop ds                    ; ds = 0 (interrupt vector table)
mov cx,[84h]              ; offset half of the INT 21h vector (21h*4)
mov bx,[86h]              ; segment half
push bx
pop ds                    ; ds:cx = whatever handler is currently installed
jmp saveaddr

fakeit:                   ; ds:[500h] hold the far pointer for int21 now
mov ax,4cffh              ; call int 21, 4ch == exit, errorcode == ffh
pushf                     ; pushf + call far leaves the same frame as INT 21h
call far [500h]