by drclau 1738 days ago
This brings back fond memories. It's been a _long_ time since then, and I was about 14yo. This was pre-internet, the BBS era. My computer, an old PC XT, 8086 based. I was getting new software via mail order from various specialized magazines, or from BBS's (to which I did not have access directly at that time -- not particularly relevant to this story).

One day, I got something infected with a virus named Romania.856 (I will always remember this name), a COM infector, as I found out from F-Prot Antivirus (which came with a great db with information about viruses -- such a great read for the young me!).

The tools available to me were still very limited; I had not yet discovered TDD (Borland Turbo Debugger). But I was dead set on understanding how the virus worked. There I was, using the very limited `debug` tool that came with MS-DOS. I learned x86 Assembler from various texts downloaded from BBS's. I reverse-engineered Romania.856, learned how it worked, and did my own experiments. That's how I spent my summer vacation that year.

This was the beginning of some of the most beautiful years of my life, with regard to computers. It lasted for a bit over half a decade, time in which tech evolved fast, I got an internet connection (still dialup back then), I discovered IRC, met people with similar interests and so on. What I miss the most now is the feeling of everything being new, the possibility for exploration and discovery.


> What I miss the most now is the feeling of everything being new, the possibility for exploration and discovery.

Oh, good... it's not just me. :-)

Me three!
> I got something infected with a virus named Romania.856 (I will always remember this name)

For me it was Tai-Pan.438.A. I printed out(!) the disassembly code and studied it for weeks. I remember the stack modifications (not matching push/pop instructions) were super troubling for me to understand because such tricks were not really explained in the normal books.

I understand the modifications part, but why would push/pop counts be mismatched?
It was doing push/ret, i.e., pushing stuff (addresses) and then returning to the pushed address. Or popping stuff without pushing before (saving the return address of something) and storing it somewhere.

That is of course perfectly legal, but not something you see in normal programs. In the end, it really helped me to understand how the stack works, but the first time I saw it, it was super confusing.

The return address is on the stack so if you push data and then return, that data is now interpreted as an address to jump to.