;--------------------------------------------------------------------------------
;去掉 Dos Stub,构造 Nt Header 和 Section Header
mov ebx, lpDosHeader
assume ebx : ptr IMAGE_DOS_HEADER
add ebx, [ebx].e_lfanew
assume ebx : ptr IMAGE_NT_HEADERS
mov [ebx].OptionalHeader.FileAlignment, 200h ;修正文件对齐
movzx ecx, [ebx].FileHeader.NumberOfSections
inc ecx
imul ecx, sizeof IMAGE_SECTION_HEADER
movzx edx, [ebx].FileHeader.SizeOfOptionalHeader
add edx, 18h
add ecx, edx
mov esi, ebx
mov edi, lpMem
add edi, sizeof IMAGE_DOS_HEADER
rep movsb
;--------------------------------------------------------------------------------
;构造 Dos Header
mov esi, lpDosHeader
mov edi, lpMem
mov ecx, sizeof IMAGE_DOS_HEADER
assume esi : ptr IMAGE_DOS_HEADER
mov [esi].e_lfanew, ecx ;修正 Dos Header
rep movsb
invoke UnmapViewOfFile, pMemory
invoke CloseHandle, hMapFile
invoke CloseHandle, hFile
;--------------------------------------------------------------------------------
;打开文件把优化后的数据写入
invoke CreateFile, lpszFile, GENERIC_READ + GENERIC_WRITE, FILE_SHARE_READ,
0, CREATE_ALWAYS, FILE_ATTRIBUTE_ARCHIVE, 0
.if eax==INVALID_HANDLE_VALUE
invoke _OutputInfo, g_hOutputCtl, CTXT("打开文件出错!!!")
ret
.endif
mov hFile, eax
invoke WriteFile, hFile, lpMem, dwFileSize, addr dwReturn, 0
invoke CloseHandle, hFile
invoke GlobalFree, lpMem
popad
ret
_RebuildPE endp
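DUMPFIX_MAX_SECTIONS equ 96         ; most section headers the Windows loader accepts
;-----------------------------------------------------------------------
; _DumpFix(lpMem, dwOEP)
; Patch a raw memory dump of a process image so it can be written out as
; a loadable PE file:
;   - AddressOfEntryPoint := dwOEP (RVA of the recovered entry point)
;   - FileAlignment       := SectionAlignment
;   - every section: SizeOfRawData    := VirtualSize
;                    PointerToRawData := VirtualAddress
; i.e. the file layout is made identical to the in-memory layout.
; In:    lpMem = buffer holding the dumped image (DOS header first)
;        dwOEP = entry-point RVA to store
; Out:   nothing; the buffer is patched in place, all registers preserved.
; SECURITY: lpMem is a dump of an arbitrary (often hostile) packed
; process, so every header field is untrusted. Before anything is
; written the "MZ" and "PE\0\0" signatures are checked and
; NumberOfSections is capped at DUMPFIX_MAX_SECTIONS; a buffer that
; fails these checks is left untouched. The proc has no length argument,
; so e_lfanew itself cannot be bounds-checked here --
; NOTE(review): a corrupted e_lfanew can still point outside the buffer;
; the caller should validate it against the dump size (or this proc
; should gain a size parameter).
; NOTE(review): SizeOfRawData is copied as-is, not rounded up to the new
; FileAlignment; confirm the loader accepts that for the dumps produced.
;-----------------------------------------------------------------------
_DumpFix proc lpMem:DWORD, dwOEP:DWORD
    pushad
    mov esi, lpMem
    assume esi : ptr IMAGE_DOS_HEADER
    ; touch nothing unless the dump starts with "MZ"
    .if [esi].e_magic == IMAGE_DOS_SIGNATURE
        add esi, [esi].e_lfanew
        assume esi : ptr IMAGE_NT_HEADERS
        ; ... and e_lfanew really leads to "PE\0\0"
        .if [esi].Signature == IMAGE_NT_SIGNATURE
            movzx ecx, [esi].FileHeader.NumberOfSections
            .if ecx <= DUMPFIX_MAX_SECTIONS
                mov eax, dwOEP
                mov [esi].OptionalHeader.AddressOfEntryPoint, eax
                ; raw layout == memory layout: file alignment = section alignment
                mov eax, [esi].OptionalHeader.SectionAlignment
                mov [esi].OptionalHeader.FileAlignment, eax
                ; the section table follows the (variable-size) optional header
                movzx eax, [esi].FileHeader.SizeOfOptionalHeader
                lea esi, [esi + eax + IMAGE_NT_HEADERS.OptionalHeader]
                assume esi : ptr IMAGE_SECTION_HEADER
                ; ecx = section headers still to patch
                .while ecx
                    mov eax, [esi].Misc.VirtualSize
                    mov [esi].SizeOfRawData, eax
                    mov eax, [esi].VirtualAddress
                    mov [esi].PointerToRawData, eax
                    add esi, sizeof IMAGE_SECTION_HEADER
                    dec ecx
                .endw
            .endif
        .endif
    .endif
    assume esi : nothing
    popad
    ret
_DumpFix endp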
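;-----------------------------------------------------------------------
; _Dump(hProcess, lpBaseAddress, dwSize, lpBuffer)
; Copy dwSize bytes of the target process's address space, starting at
; lpBaseAddress, into lpBuffer.
; In:    hProcess      = process handle (needs read access to its memory)
;        lpBaseAddress = address in the target process
;        dwSize        = number of bytes to copy
;        lpBuffer      = destination buffer (at least dwSize bytes)
; Out:   eax = TRUE when all dwSize bytes were copied, FALSE when
;        ReadProcessMemory failed or returned fewer bytes.
;        All other registers preserved.
; Why: the original discarded the ReadProcessMemory result and passed no
; lpNumberOfBytesRead, so a failed or partial read (e.g. a region the
; packer left unmapped or guarded) was silently written out as if it
; were a complete dump. A failure is now reported in the output list box
; like the other errors in this file, and returned to the caller.
;-----------------------------------------------------------------------
_Dump proc hProcess:DWORD, lpBaseAddress:DWORD, dwSize:DWORD, lpBuffer:DWORD
    LOCAL dwRead:DWORD          ; bytes actually copied
    LOCAL bOk:DWORD             ; result carried across popad
    pushad
    mov bOk, FALSE
    mov dwRead, 0
    invoke ReadProcessMemory, hProcess, lpBaseAddress, lpBuffer, dwSize, addr dwRead
    .if eax != 0
        ; success only counts if the whole requested range arrived
        mov eax, dwRead
        .if eax == dwSize
            mov bOk, TRUE
        .endif
    .endif
    .if bOk == FALSE
        invoke _OutputInfo, g_hOutputCtl, CTXT("读取进程内存出错!!!")
    .endif
    popad
    mov eax, bOk
    ret
_Dump endp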
;-----------------------------------------------------------------------
; _GetOEP(lpMem, dwLen)
; Heuristic: locate the original entry point in a dumped image by
; scanning for a known compiler entry-stub byte pattern (Delphi first,
; then VC6).
; In:    lpMem = dumped image, dwLen = its size in bytes
; Out:   eax = offset of the first matching pattern inside lpMem, or 0
;        when neither pattern is present (an offset of 0 is
;        indistinguishable from "not found" -- inherited from _InString).
;        All other registers preserved.
; The pattern lengths (32 and 29) must match the g_Delphi_Signs /
; g_VC6_Signs definitions elsewhere in the file.
; SECURITY: this is a byte-pattern guess over untrusted data; a crafted
; image can plant a stub signature to steer the chosen OEP. Treat the
; result as a hint for the user, not as verified.
;-----------------------------------------------------------------------
_GetOEP proc lpMem:DWORD, dwLen:DWORD
    LOCAL dwFound:DWORD         ; result carried across popad
    pushad
    invoke _InString, lpMem, dwLen, addr g_Delphi_Signs, 32
    .if eax == 0
        ; no Delphi stub; try the VC6 one
        invoke _InString, lpMem, dwLen, addr g_VC6_Signs, 29
    .endif
    mov dwFound, eax            ; still 0 when both searches failed
    popad
    mov eax, dwFound
    ret
_GetOEP endp
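;-----------------------------------------------------------------------
; _InString(lpszStr, dwStrLen, lpszSubStr, dwSubStrLen)
; Find the first occurrence of a byte pattern inside a byte buffer.
; The search is length-bounded (NUL bytes in the haystack are ordinary
; data). A 0 byte in the PATTERN, except in its first position, acts as
; a wildcard that matches any byte -- this is how the compiler
; entry-stub signatures express variable bytes.
; In:    lpszStr/dwStrLen       = haystack and its length in bytes
;        lpszSubStr/dwSubStrLen = pattern and its length in bytes
; Out:   eax = offset of the first match; 0 when not found or when the
;        pattern is empty. A match at offset 0 also yields 0 -- callers
;        cannot tell the two apart, so do not rely on matches at offset 0.
;        All other registers preserved (pushad/popad).
; Fixes vs. the original:
;   - the last candidate position (dwStrLen - dwSubStrLen) was never
;     tried, so a pattern sitting at the very end of the buffer was
;     missed and a haystack exactly as long as the pattern never matched;
;   - an empty pattern read one byte past its buffer; it now returns 0.
;-----------------------------------------------------------------------
_InString proc lpszStr:DWORD, dwStrLen:DWORD, lpszSubStr:DWORD, dwSubStrLen:DWORD
    LOCAL dwLastStart:DWORD     ; highest offset a match can begin at
    LOCAL dwPos:DWORD           ; result carried across popad
    pushad
    mov dwPos, 0
    mov eax, dwSubStrLen
    .if eax == 0
        jmp done                ; empty pattern: nothing to match
    .endif
    mov eax, dwStrLen
    .if eax < dwSubStrLen
        jmp done                ; pattern longer than haystack
    .endif
    sub eax, dwSubStrLen
    mov dwLastStart, eax
    mov esi, lpszStr            ; esi = haystack
    mov edi, lpszSubStr         ; edi = pattern
    xor edx, edx                ; edx = candidate start offset
next_start:
    cmp edx, dwLastStart
    ja done                     ; inclusive bound: start == dwLastStart is valid
    lea ebx, [esi + edx]        ; ebx = &haystack[start]
    mov al, byte ptr [edi]
    cmp al, byte ptr [ebx]
    jne advance                 ; first byte must match exactly (no wildcard here)
    mov ecx, 1                  ; ecx = bytes matched so far
compare_rest:
    cmp ecx, dwSubStrLen
    je found
    mov al, byte ptr [edi + ecx]
    test al, al
    jz wildcard_ok              ; 0 in the pattern matches anything
    cmp al, byte ptr [ebx + ecx]
    jne advance
wildcard_ok:
    inc ecx
    jmp compare_rest
advance:
    inc edx
    jmp next_start
found:
    mov dwPos, edx
done:
    popad
    mov eax, dwPos
    ret
_InString endp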
;输出信息
;-----------------------------------------------------------------------
; _OutputInfo(hWnd, lpszText)
; Append one line of text to the status list box and make it the
; selected item, so the newest message is always scrolled into view.
; In:    hWnd = list-box control, lpszText = NUL-terminated message
; Out:   nothing; all registers preserved.
;-----------------------------------------------------------------------
_OutputInfo proc hWnd:DWORD, lpszText:DWORD
    pushad
    invoke SendMessage, hWnd, LB_ADDSTRING, 0, lpszText
    ; select the item just added: index = count - 1
    invoke SendMessage, hWnd, LB_GETCOUNT, 0, 0
    lea eax, [eax - 1]
    invoke SendMessage, hWnd, LB_SETCURSEL, eax, 0
    popad
    ret
_OutputInfo endp
;-----------------------------------------------------------------------
; _Paint(hWnd)
; WM_PAINT handler: draws the author tag in the bottom-left corner of
; the dialog. The text rectangle is derived from two controls so it
; follows the dialog layout: its left edge is the group box's left edge,
; its top/bottom/right edges come from the Start button.
; The text is drawn twice, offset by one pixel and in two colours, to
; give an embossed look.
; In:    hWnd = dialog window
; Out:   nothing; all registers preserved. Uses the global g_hFont
;        created by _Init.
;-----------------------------------------------------------------------
_Paint proc hWnd:DWORD
    LOCAL hDC     : HDC
    LOCAL ps      : PAINTSTRUCT
    LOCAL rcGroup : RECT        ; screen rect of the group box
    LOCAL rcStart : RECT        ; screen rect of the Start button
    LOCAL rcText  : RECT        ; client-area rect the text is drawn in
    LOCAL pt      : POINT
    pushad
    invoke BeginPaint, hWnd, addr ps
    mov hDC, eax
    ; screen coordinates of the two reference controls
    invoke GetDlgItem, hWnd, IDC_GROUP
    mov ebx, eax
    invoke GetWindowRect, ebx, addr rcGroup
    invoke GetDlgItem, hWnd, IDC_BTN_START
    mov ebx, eax
    invoke GetWindowRect, ebx, addr rcStart
    ; top-left corner: x from the group box, y from the button
    m2m pt.x, rcGroup.left
    m2m pt.y, rcStart.top
    invoke ScreenToClient, hWnd, addr pt
    m2m rcText.left, pt.x
    m2m rcText.top, pt.y
    ; bottom-right corner: the button's left and bottom edges
    m2m pt.x, rcStart.left
    m2m pt.y, rcStart.bottom
    invoke ScreenToClient, hWnd, addr pt
    m2m rcText.right, pt.x
    m2m rcText.bottom, pt.y
    ; embossed text: white copy shifted (+1,+1) under a grey copy
    invoke SetBkMode, hDC, TRANSPARENT
    invoke SelectObject, hDC, g_hFont
    mov esi, CTXT("crazy_soft@163.net")     ; 18 characters -- keep the DrawText length in sync
    invoke SetTextColor, hDC, COLOR(255,255,255)
    invoke OffsetRect, addr rcText, 1, 1
    invoke DrawText, hDC, esi, 18, addr rcText, DT_VCENTER or DT_LEFT or DT_SINGLELINE
    invoke SetTextColor, hDC, COLOR(128,128,128)
    invoke OffsetRect, addr rcText, -1, -1
    invoke DrawText, hDC, esi, 18, addr rcText, DT_VCENTER or DT_LEFT or DT_SINGLELINE
    invoke EndPaint, hWnd, addr ps
    popad
    ret
_Paint endp
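;-----------------------------------------------------------------------
; _Init(hWnd)
; One-time dialog set-up: icon, label font, control handles, default
; check-box state, the ImpREC.dll import-rebuild hook and the hex-only
; subclass on the OEP edit control.
; In:    hWnd = main dialog
; Out:   nothing; all registers preserved. Globals written: g_hFont,
;        g_hFileCtl, g_hOutputCtl, g_hRebIAT, g_hOptFile, g_hChkOEP,
;        g_hOEP, g_ofn (zeroed), g_lpRebuildImport, g_lpOldWndProc.
; SECURITY (DLL search-order hijacking): the original called
; LoadLibrary("ImpREC.dll") with a bare name, so Windows would search
; the current directory and PATH before giving up -- for a tool pointed
; at untrusted, possibly malicious packed binaries that lets whoever
; controls such a directory get a DLL loaded into this process.
; The DLL is now loaded only from the directory of our own executable,
; by full path, and is reported as missing if that path cannot be built.
; NOTE(review): ImpREC.dll's own dependencies are still resolved by the
; normal search order; confirm it has none outside the system directory.
;-----------------------------------------------------------------------
_Init proc hWnd:DWORD
    LOCAL szDllPath[MAX_PATH]:BYTE      ; "<dir of our exe>\ImpREC.dll"
    pushad
    invoke LoadIcon, g_hInst, IDI_MAIN
    invoke SendMessage, hWnd, WM_SETICON, ICON_SMALL, eax
    invoke CreateFont, 20, 6, 0, 0, FW_NORMAL, FALSE, FALSE, 0, 0, 0, 0, 0, 0, CTXT("Arial")
    mov g_hFont, eax
    invoke GetDlgItem, hWnd, IDC_FILE
    mov g_hFileCtl, eax
    invoke GetDlgItem, hWnd, IDC_OUTPUT
    mov g_hOutputCtl, eax
    invoke GetDlgItem, hWnd, IDC_CHK_REBUILDIAT
    mov g_hRebIAT, eax
    invoke GetDlgItem, hWnd, IDC_CHK_OPTIMIZEFILE
    mov g_hOptFile, eax
    invoke GetDlgItem, hWnd, IDC_CHK_OEP
    mov g_hChkOEP, eax
    invoke GetDlgItem, hWnd, IDC_OEP
    mov g_hOEP, eax
    ; defaults: rebuild IAT and optimise file on, manual OEP entry off
    invoke SendMessage, g_hRebIAT, BM_SETCHECK, BST_CHECKED, 0
    invoke SendMessage, g_hOptFile, BM_SETCHECK, BST_CHECKED, 0
    invoke EnableWindow, g_hOEP, FALSE
    invoke RtlZeroMemory, addr g_ofn, sizeof g_ofn
    mov g_lpRebuildImport, 0
    ;-- build "<exe directory>\ImpREC.dll" and load it only from there
    invoke GetModuleFileName, g_hInst, addr szDllPath, MAX_PATH
    mov ecx, eax                ; ecx = path length (0 = failed, MAX_PATH = truncated)
    xor eax, eax                ; eax = module handle, stays 0 unless loaded
    .if ecx != 0 && ecx < MAX_PATH
        lea edi, szDllPath
        ; walk back so ecx indexes the last '\' (5Ch)
        .while ecx
            dec ecx
            .break .if byte ptr [edi + ecx] == 5Ch
        .endw
        lea edx, [ecx + 12]     ; dir incl. '\' (ecx+1) + "ImpREC.dll" (10) + NUL
        .if byte ptr [edi + ecx] == 5Ch && edx <= MAX_PATH
            mov byte ptr [edi + ecx + 1], 0     ; cut the path after the backslash
            invoke lstrcat, addr szDllPath, CTXT("ImpREC.dll")
            invoke LoadLibrary, addr szDllPath
        .endif
    .endif
    .if eax
        mov ebx, eax
        invoke GetProcAddress, ebx, CTXT("RebuildImport")
        .if eax
            mov g_lpRebuildImport, eax
        .else
            invoke _OutputInfo, g_hOutputCtl, CTXT("不能从 ImpREC.dll 中引入 RebuildImport 函数")
            invoke _OutputInfo, g_hOutputCtl, CTXT("脱壳后的文件不能重建输入表!!!")
        .endif
    .else
        invoke _OutputInfo, g_hOutputCtl, CTXT("找不到 ImpREC.dll 文件")
        invoke _OutputInfo, g_hOutputCtl, CTXT("脱壳后的文件不能重建输入表!!!")
    .endif
    ; restrict the OEP edit control to hex digits (see EditWndProc)
    invoke SetWindowLong, g_hOEP, GWL_WNDPROC, addr EditWndProc
    mov g_lpOldWndProc, eax
    popad
    ret
_Init endp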
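;-----------------------------------------------------------------------
; EditWndProc(hEdit, uMsg, wParam, lParam)
; Subclass procedure for the OEP edit control: only hexadecimal digits
; and Backspace get through WM_CHAR, with lower-case a-f folded to upper
; case. Every other message is forwarded unchanged to the original edit
; procedure (g_lpOldWndProc, saved by _Init).
; In:    standard window-procedure arguments
; Out:   eax = result of the original procedure for forwarded messages,
;        0 for a WM_CHAR that was swallowed.
; Fix: the original tested only AL, so any character code whose low byte
; happened to fall in '0'-'9'/'A'-'F'/'a'-'f' (e.g. a code above 0FFh)
; was accepted and forwarded whole; the full wParam is now tested.
; NOTE(review): this filters typed characters only -- text pasted via
; the context menu arrives as WM_PASTE and is not validated here, so
; whoever parses the OEP field must still validate its contents.
;-----------------------------------------------------------------------
EditWndProc proc hEdit:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD
    .if uMsg == WM_CHAR
        mov eax, wParam
        .if eax >= "a" && eax <= "f"
            sub eax, 20h                ; fold to upper case
        .endif
        .if (eax >= "0" && eax <= "9") || (eax >= "A" && eax <= "F") || eax == VK_BACK
            invoke CallWindowProc, g_lpOldWndProc, hEdit, uMsg, eax, lParam
        .else
            xor eax, eax                ; swallow: the edit control never sees it
        .endif
    .else
        invoke CallWindowProc, g_lpOldWndProc, hEdit, uMsg, wParam, lParam
    .endif
    ret
EditWndProc endp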
end start