📄 pcshrink.asm
mov ecx,newalign ; ecx=200h
push eax ; save obj rec ptr
xchg eax,ebx ; eax=object virtual size
call align_fix ; align that baby
xchg eax,ebx ; ebx=object virtual size
pop eax ; restore obj ptr
jmp did_align
skip_align:
mov ebx,[eax+objpsize] ; use psize if vsize>psize
did_align:
mov [eax+objpsize],ebx ; save new aligned physical size
add esi,map_ptr ; set esi into mapping
mov ecx,ebx ; ecx=physical size
rep movsb ; store object at new|old location
next_obj2:
pop ecx eax
add eax,40 ; onto next object ..whohoo
loop otbl_loop2
sub eax,40 ; adjust to last object
mov ecx,[eax+objpsize] ; ecx=last object physical size
add ecx,[eax+objpoff] ; ecx=total physical size of file
push ecx
;mov ecx,[eax+objvsize]
;mov ecx,[eax+objrva]
;xchg eax,ecx
;mov eax,map_ptr
;call GetPEHeader
;mov ecx,[esi+objalign]
;call align_fix
;mov [esi+imagesize],eax
call unmap
mov error,0
pop ecx
mov new_fsize,ecx
call SetFilePointer,handle,ecx,0,FILE_BEGIN ; move file pointer to
; real EOF
call SetEndOfFile,handle
xor ecx,ecx
call create_mapping
jc unmapped2
call GetPEHeader
lea eax,[esi+checksum]
call CheckSumMappedFile,map_ptr,fsize,offset oldchksum,eax
call unmap
mov error,0 ; if we made it here then no error
jmp unmapped2
abort_align:
call unmap ;unmap if aborted infection
unmapped2:
; call CloseHandle,handle
ret
AlignFile endp
;TiTi/Blizzard
;###########BEGINNING OF APPENDED CODE#########################
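SqueezeSection proc
;-----------------------------------------------------------------------
; Trim the trailing zero bytes of one section's raw data and lower the
; raw size recorded in its section table entry to the trimmed size rounded
; by align_fix with 'newalign'.
; In:    bl      = index of the section in the table pointed to by secpt
;        map_ptr = base address of the mapped file
; Out:   [entry+10h] (raw size) is lowered when the new size is smaller;
;        it is never raised
;        esi = pointer to the section entry, eax = new aligned size
; Clobb: eax, esi, edi, flags, plus whatever align_fix clobbers
;        (ebx and ecx are saved and restored here)
; NOTE(review): the raw size (+10h) and raw offset (+14h) are read from the
; file being processed and are not checked against the size of the mapping
; in this routine. A malformed section header therefore makes the backward
; scan read outside the mapped view; validate offset+size against the
; mapped length before calling.
;-----------------------------------------------------------------------
        push    ebx
        push    ecx
        mov     eax, 28h                ; size of one section table entry
        mul     bl                      ; ax = 28h * index; high word of eax is still 0
        add     eax, secpt
        mov     esi, eax                ; esi -> section entry (i)
        mov     eax, [esi+10h]          ; raw size of section (i)
        mov     ecx, eax                ; ecx = maximum number of bytes to scan
        add     eax, [esi+14h]          ; + raw offset
        add     eax, map_ptr            ; + mapping base = one past the last raw byte
        mov     edi, eax
        dec     edi                     ; edi -> last raw byte of the section
        xor     eax, eax                ; al = 0, the filler byte to skip
        std                             ; scan toward lower addresses
        repe    scasb                   ; stop on the last non-zero byte
        cld                             ; restore the direction flag
        add     edi, 2                  ; undo the scasb overshoot; edi = one past last non-zero byte
        sub     edi, [esi+14h]
        sub     edi, map_ptr            ; edi = trimmed raw size
; ---- mods here by Virogen
        mov     ecx, newalign
        xchg    eax, edi                ; eax = trimmed raw size
        call    align_fix               ; presumably rounds eax up to a multiple of ecx -- confirm
ssend:
        cmp     eax, [esi+10h]
        jae     ssnofix                 ; sizes are unsigned: keep the old size unless the new one is smaller
        mov     [esi+10h], eax          ; write new section raw size
; --- mods end
ssnofix:
        pop     ecx
        pop     ebx
        ret
SqueezeSection endp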
;###########END OF APPENDED CODE##############################
write_decimal proc
;-----------------------------------------------------------------------
; Write an unsigned 32-bit value as ASCII decimal digits.
; In:    edx = value to convert
;        edi = destination buffer; its first 12 bytes are zeroed first
; Out:   digits stored most significant first, edi = one past the last digit
; Clobb: eax, ecx, edx, esi, flags
; Assumes the direction flag is clear on entry (no cld is issued here).
;-----------------------------------------------------------------------
        push    edi                     ; remember the start of the buffer
        xor     eax, eax
        mov     ecx, 3
        rep     stosd                   ; clear 3 dwords so the text ends in zero bytes
        pop     edi
        mov     esi, 10                 ; divisor
        xor     ecx, ecx                ; ecx = number of digits produced
        mov     eax, edx                ; eax = value still to convert
wd_next_digit:
        xor     edx, edx                ; div uses edx:eax
        div     esi                     ; eax = quotient, edx = lowest digit
        inc     ecx
        push    edx                     ; digits come out last-first; the stack reverses them
        test    eax, eax
        jnz     wd_next_digit
wd_store_digit:
        pop     edx
        add     dl, '0'                 ; digit -> ASCII
        mov     al, dl
        stosb
        loop    wd_store_digit
        ret
write_decimal endp
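CalcPhysicalAddress proc
;-----------------------------------------------------------------------
; Convert an RVA to a file offset using the section table.
; In:    ebx = RVA
;        objptr = pointer to the first 40-byte section entry,
;        TotalSections = number of entries
; Out:   ebx = RVA - section.objrva + section.objpoff for the last section
;        whose RVA is not above ebx; ebx is returned unchanged when the
;        table is empty or the RVA lies below the first section
; Clobb: ebx, flags (every other register is saved and restored)
; The search stops at the first entry whose RVA is above ebx, so it relies
; on the table being ordered by ascending RVA.
; NOTE(review): the RVA is not checked against the size of the section it
; lands in, so a value past the end of a section still yields an offset.
;-----------------------------------------------------------------------
        push    esi edi edx ecx eax
        mov     eax, objptr
        mov     ecx, TotalSections
        jecxz   cpa_done                ; loop with ecx = 0 would wrap and walk far past the table
continue_find2:
        mov     edx, eax[objrva]
        cmp     edx, ebx
        ja      got_obj_no_dec2         ; first section that starts above the RVA
        add     eax, 40                 ; next section entry
        loop    continue_find2
got_obj_no_dec2:
        cmp     eax, objptr
        je      cpa_done                ; RVA is below the first section: do not read the entry before the table
        sub     eax, 40                 ; step back to the section that contains the RVA
        sub     ebx, eax[objrva]
        add     ebx, eax[objpoff]
cpa_done:
        pop     eax ecx edx edi esi
        ret
CalcPhysicalAddress endp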
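CalcVirtualAddress proc
;-----------------------------------------------------------------------
; Convert a file offset to an RVA using the section table.
; In:    ebx = file offset
;        objptr = pointer to the first 40-byte section entry,
;        TotalSections = number of entries
; Out:   ebx = offset - section.objpoff + section.objrva for the last
;        section whose file offset is not above ebx; ebx is returned
;        unchanged when the table is empty or the offset lies below the
;        first section
; Clobb: ebx, flags (every other register is saved and restored)
; The search stops at the first entry whose file offset is above ebx, so it
; relies on the table being ordered by ascending file offset.
; NOTE(review): the offset is not checked against the physical size of the
; section it lands in.
;-----------------------------------------------------------------------
        push    esi edi edx ecx eax
        mov     eax, objptr
        mov     ecx, TotalSections
        jecxz   cva_done                ; loop with ecx = 0 would wrap and walk far past the table
continue_find:
        mov     edx, eax[objpoff]
        cmp     edx, ebx
        ja      got_obj_no_dec          ; first section that starts above the offset
        add     eax, 40                 ; next section entry
        loop    continue_find
got_obj_no_dec:
        cmp     eax, objptr
        je      cva_done                ; offset is below the first section: do not read the entry before the table
        sub     eax, 40                 ; step back to the section that contains the offset
        sub     ebx, eax[objpoff]
        add     ebx, eax[objrva]
cva_done:
        pop     eax ecx edx edi esi
        ret
CalcVirtualAddress endp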
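pack_callback proc
;-----------------------------------------------------------------------
; Progress callback: updates the progress bar and records the second
; argument in csize.
; In:    [esp+4] = first argument, scaled against CurrentSectionSize to a
;                  percentage (presumably the number of bytes processed)
;        [esp+8] = second argument, stored in csize (presumably the packed
;                  size so far)
; Out:   eax = 1 (non-zero tells the caller to continue)
; Clobb: ecx, edx, flags, plus whatever SendMessageA clobbers
; Returns with a plain ret, so the caller removes the arguments.
;-----------------------------------------------------------------------
        mov     eax, [esp+4]
        mov     ecx, 100
        mul     ecx                     ; edx:eax = first argument * 100, full 64-bit product
        mov     ecx, CurrentSectionSize
        cmp     edx, ecx
        jae     no_update_status        ; size is 0, or the quotient would not fit in 32 bits and div would fault
        div     ecx                     ; eax = percentage
        call    SendMessageA,hProgress,PBM_SETPOS,eax,0
no_update_status:
        mov     edx, [esp+8]
        mov     csize, edx
        mov     eax, 1                  ; continue packing
        ret
pack_callback endp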
;
; MergeSections(DWORD *objtable, DWORD *MergeTable)
;
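MergeSections proc
;-----------------------------------------------------------------------
; Walk the section table and append each section accepted by test_obj to
; the previous accepted section, removing its table entry and logging the
; move in a 16-byte record (OriginalRva, NewRva, SecondSize, PadSize).
; In:    stack: objtable pointer, then MergeTable pointer; both are popped
;        here, so the caller must not remove them
;        TotalSections, map_ptr, svd_imgbase = current file state
; Out:   section entries and raw data in the mapping rewritten in place,
;        TotalSections lowered by one per merge, one record written per merge
; Clobb: eax, ebx, ecx, edx, esi, edi, ebp, flags (ebp is NOT preserved)
; test_obj is called with eax = current entry and reports through the carry
; flag; carry clear is treated as "may be merged".
; NOTE(review): objpoff/objpsize/objrva come from the file being processed
; and are used unchecked as copy sources, destinations and lengths. The
; merged physical size is stored unaligned.
;-----------------------------------------------------------------------
        pop     edx                     ; edx = return address
        pop     eax                     ; eax = objtable
        pop     edi                     ; edi = MergeTable
        push    edx                     ; return address back on the stack
        mov     ecx, TotalSections
        xor     ebp, ebp                ; use ebp as last obj compressable flag
        dec     ecx                     ; scan only to object before last
        jle     merge_done              ; 0 or 1 sections: 'loop' would wrap and walk past the table
MergeSectionLoop:
        push    ecx                     ; save the loop counter
        call    test_obj
        jnc     good_obj_to_merge
        xor     ebp, ebp                ; set unable to merge flag
        jz      merge_next_obj          ; always taken: xor just set ZF
good_obj_to_merge:
        cmp     ebp, 1                  ; previous section mergeable?
        jz      previous_section_mergeable
        mov     ebp, 1
        jmp     merge_next_obj
previous_section_mergeable:
        push    eax
        mov     ebx, [eax+objpoff-40]
        add     ebx, [eax+objpsize-40]
        add     ebx, map_ptr            ; ebx = end of the previous section's raw data
        push    edi                     ; keep the MergeTable pointer
        mov     edi, ebx
        call    ScanUpToNonZero         ; edi = end of the non-zero data
        mov     ecx, edi
        sub     ecx, [eax+objpoff-40]   ; ecx = real physical size of 1st sect
        sub     ecx, map_ptr
        mov     FirstSectionPhysicalSize, ecx
        mov     ebx, edi
        pop     edi
        pop     eax
        push    eax
; ebx -> physical destination for second section
        push    ebx
        mov     ebx, [eax+objpoff]
        add     ebx, [eax+objpsize]
        add     ebx, map_ptr            ; ebx = end of the current section's raw data
        push    edi
        mov     edi, ebx
        call    ScanUpToNonZero
        mov     ecx, edi
        sub     ecx, [eax+objpoff]      ; ecx = real physical size of sec sect
        sub     ecx, map_ptr
        mov     SecondSectionPhysicalSize, ecx
        pop     edi
        mov     ebp, edi                ; temp storage of the MergeTable pointer
        pop     edi                     ; pop physical destination (edi)
        mov     esi, [eax+objpoff]
        add     esi, map_ptr            ; esi -> physical source of second section
        mov     ecx, SecondSectionPhysicalSize
        rep     movsb                   ; append the section
        pop     eax
        mov     ebx, [eax+40+objrva]    ; get third object rva
        mov     ecx, [eax-40+objrva]    ; get first object rva
        sub     ebx, ecx                ; ebx = merged object virtual size
        mov     [eax-40+objvsize], ebx  ; set merged object virtual size
        mov     ebx, FirstSectionPhysicalSize ; get first obj physical size
        add     ebx, SecondSectionPhysicalSize
        mov     [eax-40+objpsize], ebx  ; ebx = merged physical size (unaligned)
; save table info
        mov     edi, ebp                ; edi -> current MergeTable record
        mov     ebx, [eax+objrva]
        add     ebx, svd_imgbase
        mov     [edi.OriginalRva], ebx  ; where the second section used to start
        mov     ebx, [eax-40+objrva]
        add     ebx, FirstSectionPhysicalSize
        add     ebx, svd_imgbase
        mov     [edi.NewRva], ebx       ; where its data starts after the merge
        mov     ebx, SecondSectionPhysicalSize
        mov     [edi+SecondSize], ebx
        mov     ecx, [eax+40+objrva]
        sub     ecx, [eax+objrva]
        sub     ecx, ebx
        mov     [edi+PadSize], ecx      ; virtual span of the second section minus its data
        add     edi, 16                 ; to next record
; remove the section from the object table
        pop     ecx
        push    ecx                     ; ecx = loop counter, left on the stack
        push    eax
        inc     ecx
        mov     eax, ecx
        xor     edx, edx
        mov     ecx, 40
        mul     ecx
        mov     ecx, eax                ; ecx = (counter + 1) * 40 bytes of entries to move down
        pop     eax
        mov     esi, eax
        add     esi, 40
        push    edi
        mov     edi, eax
        rep     movsb                   ; forward copy is safe: destination is below source
        pop     edi
        dec     TotalSections
        mov     ebp, 1                  ; the merged section can take the next one too
        sub     eax, 40                 ; account for section disp.
merge_next_obj:
        pop     ecx
        add     eax, 40
        loop    MergeSectionLoop
merge_done:
        ret
MergeSections endp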
ScanUpToNonZero proc
;-----------------------------------------------------------------------
; Scan backward over zero bytes to find where the data before them ends.
; In:    edi = address to start at; the byte at [edi] is the first one read
; Out:   edi = address of the byte scasb stopped on, plus 3; if that is
;        above the starting address, the starting address is returned
; Clobb: ecx, edx, flags (eax is saved and restored); direction flag is
;        cleared on return
; At most 0FFFFh bytes are examined.
; NOTE(review): nothing bounds the scan to the buffer that edi points into;
; the caller has to guarantee that 0FFFFh bytes below edi are readable.
;-----------------------------------------------------------------------
        push    eax
        push    edi                     ; starting address, popped into edx below
        xor     eax, eax                ; al = 0, the byte to skip
        mov     ecx, 0ffffh             ; upper bound on the scan length
        std                             ; scan toward lower addresses
        repe    scasb
        cld
        lea     edi, [edi+4]            ; edi = stop address + 3 (scasb already stepped one below it)
        pop     edx                     ; edx = starting address
        cmp     edx, edi
        jae     suz_keep
        mov     edi, edx                ; never return a pointer above the start
suz_keep:
        pop     eax
        ret
ScanUpToNonZero endp
; returns eax=difference in size
CompressSymbiont proc
; Pack the code between compressable_symbiont and decryptor_code_end in
; place with _aP_pack and zero the bytes freed behind the packed data.
; Out:   eax = original length minus the value _aP_pack returned
; Clobb: flags; esi, edi, ecx and edx are saved and restored
; NOTE(review): neither HeapAlloc result is checked for NULL.
; NOTE(review): the output buffer is allocated with exactly the input
; length and the value returned by _aP_pack is used as a copy length without
; any check. If the packer reports an error or produces more bytes than the
; input, the copy back and the zero fill below run with wrong lengths and
; write outside the region. Confirm the packer's worst-case output size and
; error return value and check both here.
push esi edi ecx edx
mov ecx,(offset decryptor_code_end-offset compressable_symbiont) ; ecx = length of the region to pack
push ecx ; keep the length across the API calls
call HeapAlloc,HeapHandle,HEAP_ZERO_MEMORY,ecx ; output buffer, same size as the input
mov p_lz_mem,eax
call HeapAlloc,HeapHandle,HEAP_ZERO_MEMORY,1024*1000 ; work memory handed to the packer
mov working_mem,eax
pop ecx ; reload the length, the calls above may have changed ecx
push ecx
call _aP_pack,offset compressable_symbiont,p_lz_mem,ecx,working_mem,NULL
push eax ; value returned by the packer, used as the packed length
mov ecx,eax
mov esi,p_lz_mem
lea edi,compressable_symbiont
rep movsb ; copy the packed bytes back over the original region
call HeapFree,HeapHandle,0,working_mem
call HeapFree,HeapHandle,0,p_lz_mem
pop ecx ; ecx = packed length
pop eax ; eax = original length
sub eax,ecx ; eax now difference
push eax
lea edi,compressable_symbiont
add edi,ecx ; edi -> first byte after the packed data
mov ecx,eax
xor eax,eax
rep stosb ; zero the tail that is no longer used
pop eax ; return value: difference in size
pop edx ecx edi esi
ret
CompressSymbiont endp
; todo: recode this shiznit cleaner
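ReverseMergeTable proc
;-----------------------------------------------------------------------
; Reverse the order of the 16-byte records in a merge table.
; In:    stack: pointer to the table; it is popped here, so the caller
;        must not remove it
; Out:   records copied last-to-first into MergeTable, then MAX_OBJS*16
;        bytes of MergeTable copied to SymbiontMergeTable; nothing is
;        copied when the table holds no record with a non-zero first dword
; Clobb: eax (left holding the return address), ebx (left holding the
;        argument), flags; the other registers are restored by popad
; Assumes the direction flag is clear on entry.
; NOTE(review): the scan starts from the pointer argument but the copy loop
; and the final copy use SymbiontMergeTable directly, so the routine only
; works as intended when the argument is SymbiontMergeTable -- confirm at
; the call sites.
;-----------------------------------------------------------------------
        pop     eax                     ; eax = return address
        pop     ebx                     ; ebx = table pointer argument
        push    eax                     ; return address back on the stack
        pushad
        mov     edi, ebx
        add     edi, (MAX_OBJS+1)*16    ; start just past the last record slot
scan_down_to_end:
        sub     edi, 16
        cmp     edi, ebx
        jb      rmt_done                ; no used record: stop instead of scanning below the table
        cmp     dword ptr [edi], 0
        jz      scan_down_to_end        ; skip unused (zero) records at the end
        mov     esi, edi                ; esi -> last used record
        lea     edi, MergeTable
merge_copy_loop:
        mov     ecx, 4
        rep     movsd                   ; copy one 16-byte record, esi and edi advance by 16
        sub     esi, 32                 ; back to the record before the one just copied
        cmp     esi, offset SymbiontMergeTable
        jae     merge_copy_loop
        lea     esi, MergeTable
        lea     edi, SymbiontMergeTable
        mov     ecx, MAX_OBJS*16
        rep     movsb                   ; write the reversed table back
rmt_done:
        popad
        ret
ReverseMergeTable endp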
end start
ends