📄 test.bat
;@goto translate
; Dual-purpose file: it is run by cmd.exe as a batch script and is also the
; MASM source that the batch part hands to ML. cmd.exe skips the leading ';'
; on the first line and executes "@goto translate", which jumps to the build
; commands at the bottom of the file. The assembler sees that first line as a
; comment and stops reading at the END directive, so it never parses the
; batch commands.
; Keep the first line first: text placed above it would be executed by cmd.exe.
.586P ;Pentium instruction set, privileged instructions enabled
.MODEL FLAT, STDCALL ;32-bit flat model; stdcall is the default calling convention
OPTION CASEMAP: NONE ;identifiers are case-sensitive
UNICODE = 0 ;NOTE(review): presumably makes TEXT / iWin32i pick the ANSI variants - confirm in APIMACRO.mac
INCLUDE WINDOWS.inc
INCLUDE APIMACRO.mac
INCLUDELIB iKERNEL32.lib
INCLUDELIB iUSER32.lib
; ApiHooks.inc / iApiHooks.lib presumably declare and import the hooking
; routines used below (IsModuleLoaded*, LoadAndCall*, UnloadModule*, HookApi*,
; EstablishApiHooks*) - their definitions are not visible in this file.
INCLUDE ApiHooks.inc
INCLUDELIB iApiHooks.lib
.DATA?
; Uninitialized data. The two DWORDs receive the real MessageBoxA/W addresses
; before the imports are redirected, so the replacement procedures can still
; reach the original API.
OrigMsgBoxA DWORD ?
OrigMsgBoxW DWORD ?
; Output and input structures for the CreateProcess call in PrimaryThread.
prinfo PROCESS_INFORMATION <>
stinfo STARTUPINFO <>
.CODE
; String constants. From the way they are referenced later (sKERNEL32, sCap,
; sTest4, ...) the TEXTA / TEXTW / TEXT macros appear to define an ANSI / wide /
; UNICODE-dependent string under the given name prefixed with 's'; "/0" is
; presumably the macro's notation for the terminating NUL - confirm in
; APIMACRO.mac.
; Review note: every module and executable below is a bare file name with no
; directory, so which file is actually used depends on the loader's search
; rules and the current directory at run time.
TEXTA KERNEL32, <KERNEL32.dll/0>
TEXTA GetVersion, <GetVersion/0>
TEXTW Cap, <Cap.dll/0>
TEXTW DllRegSrv, <DllRegisterServer/0>
TEXT Test4, <4Test.exe/0>
TEXTA AlienA, <Alien.dll/0>
TEXTW AlienW, <Alien.dll/0>
; PrimaryThread - program entry point (it is the symbol named on the END
; directive). Exercises the ApiHooks library in three stages:
;   1. module load / call / unload helpers against this process,
;   2. redirection of this module's own MessageBoxA/W imports to the
;      NewMessageBoxA/W wrappers,
;   3. the same helpers plus EstablishApiHooks against a child process that is
;      created suspended and resumed afterwards.
; iWin32, iWin32i, sWin32 and iMOV are macros from APIMACRO.mac, which is not
; shown. From their use here they appear to (iWin32/iWin32i) call an imported
; API with the listed arguments, (sWin32) call through a register or variable,
; and (iMOV) load the address of an import - confirm there.
; Only the CreateProcess result is tested; the result of every ApiHooks call
; is ignored, so a failed step does not stop the later ones.
PrimaryThread PROC
; --- Stage 1: helpers against the current process ---------------------------
iWin32 GetCurrentProcessId
MOV EBX, EAX ;EBX = this process id, passed to every helper below
iWin32 IsModuleLoadedW, sCap, EBX
; NOTE(review): the numeric arguments (1 here, 10 and 2 on UnloadModule) are
; ApiHooks parameters whose meaning is not visible in this file.
iWin32 LoadAndCallW, sCap, EBX, 1, sDllRegSrv
iWin32 IsModuleLoadedW, sCap, EBX
iWin32 UnloadModuleW, sCap, EBX, 10
iWin32 IsModuleLoadedA, sKERNEL32, EBX
iWin32 LoadAndCallA, sKERNEL32, EBX, 1, sGetVersion
iWin32 UnloadModuleA, sKERNEL32, EBX, 10
; --- Stage 2: redirect this module's MessageBox imports ---------------------
; Fetch the current MessageBoxA target, show one box through it (baseline
; before hooking) and remember the address for NewMessageBoxA.
iMOV EBX, MessageBoxA
sWin32 EBX, NULL, smmsgA, smTitleA, MB_ICONINFORMATION
MOV OrigMsgBoxA, EBX ;save original API address
iMOV EBX, MessageBoxW
sWin32 EBX, NULL, smmsgW, smTitleW, MB_ICONINFORMATION
MOV OrigMsgBoxW, EBX ;save original API address
;change my (ModuleImport==NULL) import
; The calls that follow each HookApi go through the import again, so they
; should now reach NewMessageBoxA/W and show a different icon than the
; baseline boxes above.
; Review note: a redirected import of this kind is visible to integrity checks
; that compare a module's import entries with the exporting DLL's addresses.
iWin32 HookApiA, sUSER32A, sMessageBoxA, HOOK_BY_ADDRESS, NULL, NULL, OFFSET NewMessageBoxA, NULL
iWin32 MessageBoxA, NULL, smmsgA, smTitleA, MB_ICONINFORMATION
iWin32 HookApiW, sUSER32W, sMessageBoxW, HOOK_BY_ADDRESS, NULL, NULL, OFFSET NewMessageBoxW, NULL
iWin32 MessageBoxW, NULL, smmsgW, smTitleW, MB_ICONINFORMATION
; --- Stage 3: same operations against a suspended child process -------------
MOV ESI, OFFSET stinfo
SUB EBP, EBP ;EBP = 0, used as the NULL/FALSE argument below
MOV (STARTUPINFO PTR [ESI]).cb, STARTUPINFO ;cb = structure size (type name evaluates to its size)
; Start 4Test.exe with its primary thread suspended. The executable is given
; as a bare file name in the application-name argument; command line,
; security attributes, handle inheritance, environment and current directory
; are all passed as 0 via EBP.
iWin32i CreateProcess,sTest4, EBP,\
EBP, EBP, EBP,\
CREATE_SUSPENDED,\
EBP, EBP,\
ESI, OFFSET prinfo
TEST EAX, EAX
JE @F ;CreateProcess failed: skip stage 3 and exit
MOV EBX, prinfo.dwProcessId ;EBX = child process id from here on
iWin32 IsModuleLoadedW, sCap, EBX
iWin32 LoadAndCallW, sCap, EBX, 1, sDllRegSrv
iWin32 IsModuleLoadedW, sCap, EBX
iWin32 UnloadModuleW, sCap, EBX, 10
iWin32 IsModuleLoadedA, sKERNEL32, EBX
iWin32 LoadAndCallA, sKERNEL32, EBX, 1, sGetVersion
iWin32 UnloadModuleA, sKERNEL32, EBX, 10
; NOTE(review): presumably loads Alien.dll into the child and applies the
; hooks that DLL describes - confirm against the ApiHooks documentation.
; Review note: on a monitored host, the sequence "create suspended, load a
; module into the new process, resume" is one that endpoint protection
; products commonly report; expect alerts when running this test there.
iWin32 EstablishApiHooksA, sAlienA, EBX
iWin32 EstablishApiHooksW, sAlienW, EBX
iWin32 UnloadModuleA, sAlienA, EBX, 2
; Let the child run, then release both handles returned by CreateProcess.
iWin32 ResumeThread, prinfo.hThread
iWin32 CloseHandle, prinfo.hProcess
iWin32 CloseHandle, prinfo.hThread
@@:
iWin32 ExitProcess, STATUS_SUCCESS ;always exits with STATUS_SUCCESS, even after a failure
PrimaryThread ENDP
; Caption and body text for the test message boxes, in ANSI and wide form.
; PrimaryThread refers to them as smTitleA / smmsgA / smTitleW / smmsgW.
; The trailing A or W in each text makes it visible which variant was shown.
TEXTA mTitleA, <WarningA/0>
TEXTA mmsgA, <This is illegalA./0>
TEXTW mTitleW, <WarningW/0>
TEXTW mmsgW, <This is illegalW./0>
;-----------------------------------------------------------------------
; NewMessageBoxA - stdcall replacement for MessageBoxA; PrimaryThread
; installs it over this module's import with HookApiA.
; In:    hWnd, lpText, lpCaption, uType - the MessageBoxA arguments
; Out:   EAX = whatever the original MessageBoxA returns
; Uses:  OrigMsgBoxA, which must hold the real API address before the
;        first hooked call; it is not checked for zero here.
; When uType carries the MB_ICONINFORMATION bit, the XOR turns the
; information icon into the exclamation icon; every other style passes
; through unchanged.
;-----------------------------------------------------------------------
NewMessageBoxA PROC hWnd, lpText, lpCaption, uType
    MOV EAX, uType
    .IF EAX & MB_ICONINFORMATION
        XOR EAX, MB_ICONINFORMATION OR MB_ICONEXCLAMATION ;swap icon bits
    .ENDIF
    sWin32 OrigMsgBoxA, hWnd, lpText, lpCaption, EAX ;forward to the saved original
    RET
NewMessageBoxA ENDP
;-----------------------------------------------------------------------
; NewMessageBoxW - stdcall replacement for MessageBoxW; PrimaryThread
; installs it over this module's import with HookApiW.
; In:    hWnd, lpText, lpCaption, uType - the MessageBoxW arguments
; Out:   EAX = whatever the original MessageBoxW returns
; Uses:  OrigMsgBoxW, which must hold the real API address before the
;        first hooked call; it is not checked for zero here.
; When uType carries the MB_ICONINFORMATION bit, the XOR turns the
; information icon into the exclamation icon; every other style passes
; through unchanged.
;-----------------------------------------------------------------------
NewMessageBoxW PROC hWnd, lpText, lpCaption, uType
    MOV EAX, uType
    .IF EAX & MB_ICONINFORMATION
        XOR EAX, MB_ICONINFORMATION OR MB_ICONEXCLAMATION ;swap icon bits
    .ENDIF
    sWin32 OrigMsgBoxW, hWnd, lpText, lpCaption, EAX ;forward to the saved original
    RET
NewMessageBoxW ENDP
; Module and function names handed to HookApiA / HookApiW in PrimaryThread
; (referenced there as sUSER32A, sMessageBoxA, sUSER32W, sMessageBoxW).
TEXTA USER32A, <USER32.dll/0>
TEXTA MessageBoxA, <MessageBoxA/0>
TEXTW USER32W, <USER32.dll/0>
TEXTW MessageBoxW, <MessageBoxW/0>
; END makes PrimaryThread the entry point and ends the assembler's input;
; everything after this line is read only by cmd.exe.
END PrimaryThread
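:translate
@echo off
REM Build step of the dual-purpose file: the ";@goto translate" line at the
REM top jumps here when the file is run by cmd.exe.
REM ML: /c assemble only, /coff emit a COFF object, /nologo no banner.
REM The file assembles itself (Test.bat is passed as the source).
ML /c /coff /nologo Test.bat
REM Skip linking and cleanup when assembly failed, so the assembler's error
REM output stays the last thing on screen.
IF ERRORLEVEL 1 GOTO build_done
REM eLINK and /optidata belong to the author's toolchain and are not described
REM in this file. /SUBSYSTEM:WINDOWS builds a GUI program, /MERGE:.rdata=.text
REM folds read-only data into the code section, and /IGNORE:4078 silences the
REM linker warning about sections with differing attributes.
eLINK Test /nologo /optidata /IGNORE:4078 /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text
DEL Test.obj
:build_done
PAUSE
CLS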