inc progress_var
.if progress_var == SPEED_VAR
inc progress_bar
.if progress_bar>100
mov progress_bar, 0
.endif
mov progress_var, 0
call SendDlgItemMessageA, winHwnd, ID_PROGRESS, PBM_SETPOS, progress_bar, 0
call UpdateWindow, winHwnd
.endif
popad
ret
; ----------------------------------------------------------
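roundup PROC uses ebx edx, value_to_round:DWORD, base:DWORD
; ----------------------------------------------------------
; Returns (in EAX) value_to_round rounded up to the next multiple of
; base. A value that is already a multiple is returned unchanged, and
; base == 0 now returns value_to_round untouched instead of faulting
; with #DE. Unsigned arithmetic; a result above 4 GB wraps, as before.
; EBX/EDX are preserved by the 'uses' list.
;
; The previous loop-and-retry version zeroed EDX only once, so from the
; second iteration on DIV computed (remainder:EAX) / base and stopped as
; soon as (rem*2^32 + EAX) mod base == 0 -- right only when base divides
; 2^32 (powers of two), wrong for e.g. base == 3 (roundup(4,3) gave 5).
mov eax, value_to_round
mov ebx, base
test ebx, ebx
jz done                     ; base == 0: nothing to round to
xor edx, edx                ; EDX:EAX = 0:value, mandatory before DIV
div ebx                     ; EAX = value / base, EDX = value mod base
test edx, edx
jz multiple                 ; already aligned: quotient * base == value
inc eax                     ; otherwise take the next multiple
multiple:
mul ebx                     ; EAX = quotient * base (EDX gets the high half)
done:
ret
roundup ENDP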
; -------------------------------------------------------------------
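centre_win proc window:DWORD ; centres 'window' on the primary screen
; -------------------------------------------------------------------
; Moves the window, without resizing or re-ordering it, to
;   x = (SM_CXSCREEN - width) / 2,  y = (SM_CYSCREEN - height) / 2
; where width/height come from GetWindowRect into the global win_dim.
; If GetWindowRect fails (bad handle) the window is left where it is.
; The old "edx=wdt, ecx=hgt @ return" note was never true -- both
; registers are clobbered by the Win32 calls -- so callers must not rely
; on ECX/EDX afterwards; EAX is the last API's return value.
; The halving is now a signed SAR: with SHR a window larger than the
; screen produced a huge positive coordinate and vanished off-screen,
; with SAR it is centred with equal overhang on both sides.
local width:DWORD
local height:DWORD
call GetWindowRect, [window], offset win_dim
test eax, eax
jz finished                 ; win_dim would be stale: do nothing
mov edx, win_dim.rcRight
sub edx, win_dim.rcLeft     ; edx = window width
mov ecx, win_dim.rcBottom
sub ecx, win_dim.rcTop      ; ecx = window height
mov width, edx
mov height, ecx
call GetSystemMetrics, SM_CXSCREEN
sub eax, width              ; screen width - window width (may be negative)
sar eax, 1                  ; signed halve
mov width, eax              ; width now holds the target x
call GetSystemMetrics, SM_CYSCREEN
sub eax, height
sar eax, 1
mov height, eax             ; height now holds the target y
call SetWindowPos, [window], 0, width, height, 0,0, SWP_NOZORDER+\
SWP_NOSIZE
finished:
ret
endp centre_win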
; ---------------------------------------------------------
; OUR NEW SECTION
; ---------------------------------------------------------
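section:
; PE Nightmare2 unpacking stub. Everything from 'section' to 'section_end'
; is copied into the packed host and run as its new entry point, so the
; code is position independent: EBP = (run-time address of 'delta') minus
; (assembled address of 'delta') and every datum is addressed as [ebp+X].
; Steps: locate kernel32 by hand (the host's imports are unusable from
; here) -> resolve the few APIs needed -> copy the compressed section to
; a heap buffer -> unpack it in place over the section (which therefore
; has to be writable as well as executable) -> free the buffer -> show
; the banner -> jump to the host's original entry point (oep).
; QUIT is the failure path of every import lookup: it still jumps to the
; OEP although the section is compressed, exactly as before; only a
; failed allocation is turned into a clean ExitProcess (ALLOC_FAILED).
ASSUME FS:NOTHING
pushad
call delta
delta:
pop ebp
sub ebp, offset delta        ; EBP = relocation delta of this stub
; [esp+20h] is the dword that was on top of the stack at entry (the
; PUSHAD frame is 20h bytes); the stub treats it as a return address
; inside kernel32 and lets GetKernelBase walk down from it to the MZ header.
call GetKernelBase, dword ptr [esp+20h]
or EAX, EAX
jz QUIT
mov [ebp+dwKernelBase], EAX
; --- kernel32 exports, each one mandatory ---
lea eax, [ebp+OFFSET szLoadLibrary]
CALL GetProcAddr, [ebp+dwKernelBase], eax
OR EAX, EAX
JZ QUIT
MOV [ebp+_LoadLibrary], EAX
lea eax, [ebp+OFFSET szGetProcAddress]
CALL GetProcAddr, [ebp+dwKernelBase], eax
OR EAX, EAX
JZ QUIT
MOV [ebp+_GetProcAddress], EAX
lea eax, [ebp+OFFSET szExitProcess]
CALL GetProcAddr, [ebp+dwKernelBase], eax
OR EAX, EAX
JZ QUIT
MOV [ebp+_ExitProcess], EAX
lea eax, [ebp+offset szGlobAlloc]
call GetProcAddr, [ebp+dwKernelBase], eax
or eax, eax
jz QUIT
mov [ebp+_GlobalAlloc], eax
lea eax, [ebp+offset szGlobFree]
call GetProcAddr, [ebp+dwKernelBase], eax
or eax, eax
jz QUIT
mov [ebp+_GlobalFree], eax
; --- user32, loaded through the freshly resolved LoadLibraryA ---
lea eax, [ebp+OFFSET szUser32]
CALL [ebp+_LoadLibrary], eax
OR EAX, EAX
JZ QUIT
MOV [ebp+dwUserBase], EAX
lea eax, [ebp+OFFSET szMessageBox]
CALL GetProcAddr, [ebp+dwUserBase], eax
OR EAX, EAX
JZ QUIT
MOV [ebp+_MessageBox], EAX
; ------------- ACTUAL CODE --------------------------------
; The scratch buffer is sized by the uncompressed length although only
; section1_comp bytes are copied into it; this relies on comp <= orig
; (the packer never storing an expanded section) -- TODO confirm.
call [ebp+_GlobalAlloc], GMEM_FIXED OR GMEM_ZEROINIT, [ebp+section1_orig]
or eax, eax
jz ALLOC_FAILED              ; was unchecked: REP MOVSB to NULL faulted
mov [ebp+pMemRd], eax
mov edi, [ebp+pMemRd]
mov esi, [ebp+section1_voff]
mov ecx, [ebp+section1_comp]
rep movsb                    ; stash the compressed section in the buffer
mov esi, [ebp+pMemRd]
mov edi, [ebp+section1_voff]
; depack_f returns with a plain RET (C convention); the extended CALL is
; relied upon to drop the two arguments -- TODO confirm the model, since
; 8 stale bytes here would make [esp+1ch] at QUIT miss the saved EAX.
; depack_f trusts the stream completely: a corrupt compressed block can
; write past the end of the section.
call depack_f, esi, edi ; make sure section IS writeable!!!
call [ebp+_GlobalFree], [ebp+pMemRd]
lea eax, [ebp+OFFSET szInfoCap]
CALL [ebp+_MessageBox], 0, eax, eax, MB_ICONINFORMATION OR MB_SYSTEMMODAL
QUIT:
; Overwrite the saved-EAX slot of the PUSHAD frame (offset 1Ch) with the
; OEP so that POPAD restores the host's registers and EAX is the target.
mov eax, [ebp+oep]
mov [esp+1ch], eax
popad
jmp eax
ALLOC_FAILED:
; No memory for the scratch copy: the section is still compressed, so
; jumping to the OEP would only crash -- terminate cleanly instead.
call [ebp+_ExitProcess], 1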
; --------------------------------------------------------
; Stub data. Layout matters: the packer writes into these slots and the
; code reads them as [ebp+name], so nothing here may be reordered.
szLoadLibrary db "LoadLibraryA",0      ; kernel32 export names resolved by GetProcAddr
szGetProcAddress db "GetProcAddress",0
szExitProcess db "ExitProcess",0
szGlobAlloc db "GlobalAlloc",0
szGlobFree db "GlobalFree",0,0
szUser32 db "User32",0                 ; passed to LoadLibraryA
szMessageBox db "MessageBoxA",0,0      ; resolved from the user32 base
db 0                                   ; presumably padding; keeps the original layout
szInfoCap db "File compressed by PE Nightmare2",0 ; MessageBox text AND caption
dwKernelBase dd 0                      ; kernel32 base from GetKernelBase
_LoadLibrary dd 0                      ; resolved entry points (0 until resolved)
_GetProcAddress dd 0                   ; resolved but not used by the stub itself
_ExitProcess dd 0
_GlobalAlloc dd 0
_GlobalFree dd 0
dwUserBase dd 0                        ; user32 base returned by LoadLibraryA
_MessageBox dd 0
SEH sSEH <0>                           ; OrgEsp/OrgEbp/SaveEip record used by SehHandler
oep dd 0 ; HOSTS OEP: used as-is by 'jmp eax', so it must be a VA, not an RVA
section1_comp dd 0 ; section compr size: bytes copied into the heap buffer
section1_orig dd 0 ; section orig sz: size of the heap buffer
section1_voff dd 0 ; section1 real offset: source of the copy and destination of the unpack
pMemRd dd 0                            ; heap buffer holding the compressed copy
; returns NULL in the case of an error
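GetKernelBase:
; IN : [esp+4] = an address believed to lie inside kernel32 (the dword
;      on top of the stub's stack at entry).
; OUT: EAX = kernel32 image base, or 0 if no MZ/PE header was found.
; Clobbers EBX, ESI, EDI and flags; removes its argument (ret 4).
; Installs a temporary SEH frame so that probing an unmapped page just
; resumes at ExceptCont and the search carries on.
; Previously the Win9x fallback 0BFF70000h was returned unverified once
; the scan dropped below MIN_KERNEL_SEARCH_BASE, so the caller's
; "jz QUIT" could never fire and GetProcAddr then faulted on garbage.
; The fallback is now probed like any other candidate and 0 is returned
; when it is not a PE image either.
mov edi, [esp+4]
lea eax, [ebp+OFFSET SehHandler]
push eax
push dword ptr FS:[0]
lea eax, [ebp+offset SEH]
assume eax:ptr sSEH
MOV [eax].OrgEsp, ESP
MOV [eax].OrgEbp, EBP
lea ebx, [ebp+OFFSET ExceptCont]
MOV [eax].SaveEip, ebx
MOV FS:[0], ESP
assume eax:
; start the search: walk down in 64K steps (image bases are 64K aligned)
XOR EBX, EBX                ; EBX != 0 once the fallback address is being probed
AND EDI, 0FFFF0000h ; wipe the LOWORD !
.WHILE TRUE
.IF WORD PTR [EDI] == IMAGE_DOS_SIGNATURE
MOV ESI, EDI
ADD ESI, [ESI+03Ch]         ; e_lfanew, unchecked: a bad value faults into ExceptCont
.IF DWORD PTR [ESI] == IMAGE_NT_SIGNATURE
.BREAK
.ENDIF
.ENDIF
ExceptCont:                 ; also the SEH resume point for a faulting probe
.IF EBX != 0
XOR EDI, EDI                ; the fallback was not a PE image either -> NULL
.BREAK
.ENDIF
SUB EDI, 010000h
.IF EDI < MIN_KERNEL_SEARCH_BASE
INC EBX
MOV EDI, 0BFF70000h         ; last resort: the Win9x kernel32 base, probed once
.ENDIF
.ENDW
XCHG EAX, EDI
POP dword ptr FS:[0]
ADD ESP, 4
ret 4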
; returns address or NULL in the case of an error
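GetProcAddr:
; IN : [esp+4] = module image base (points at the MZ header)
;      [esp+8] = NUL-terminated export name
;      (read as [esp+0ch] / [esp+10h] below, after the two SEH pushes)
; OUT: EAX = virtual address of the export, 0 if the module is not a PE
;      image, exports nothing by name, or the name is absent. Clobbers
;      EBX, ECX, EDX, ESI, EDI and flags; pops its arguments (ret 8).
; Lookup is a linear, case-sensitive scan of AddressOfNames, PE32 only
; ([ESI+78h] is DataDirectory[0] of a PE32 optional header); forwarded
; exports are not detected, so a forwarder would be returned as if it
; were code -- fine for the kernel32/user32 names this stub requests,
; check before reusing on other modules.
; A fault while reading the (untrusted) headers now resumes at @@BadExit
; and returns 0. It used to resume at ExceptCont inside GetKernelBase,
; which carried on that function's scan loop on this function's stack
; and left with 'ret 4' instead of 'ret 8', unbalancing the caller.
lea eax, [ebp+OFFSET SehHandler]
push eax
push dword ptr FS:[0]
lea eax, [ebp+offset SEH]
assume eax:ptr sSEH
MOV [eax].OrgEsp, ESP
MOV [eax].OrgEbp, EBP
lea ebx, [ebp+OFFSET @@BadExit] ; resume point belongs to THIS function
MOV [eax].SaveEip, ebx
MOV FS:[0], ESP
assume eax:
; check PE signature
MOV ESI, [esp+0ch]
CMP WORD PTR [ESI], IMAGE_DOS_SIGNATURE
JNZ @@BadExit
ADD ESI, [ESI+03Ch]         ; e_lfanew -> IMAGE_NT_HEADERS
CMP DWORD PTR [ESI], IMAGE_NT_SIGNATURE
JNZ @@BadExit
; get the string length of the target Api (including the terminating
; NUL, so the compare below also has to match the terminator)
MOV EDI, [esp+10h]
MOV ECX, MAX_API_STRING_LENGTH
XOR AL, AL
REPNZ SCASB
MOV ECX, EDI
SUB ECX, [esp+10h] ; ECX -> Api string length
; trace the export table
MOV EDX, [ESI+078h] ; EDX -> Export table (DataDirectory[0].VirtualAddress, PE32)
ADD EDX, [esp+0ch]
ASSUME EDX:PTR IMAGE_EXPORT_DIRECTORY
MOV EBX, [EDX].AddressOfNames ; EBX -> AddressOfNames array pointer
ADD EBX, [esp+0ch]
XOR EAX, EAX ; EAX AddressOfNames Index
.IF [EDX].NumberOfNames == 0
JMP @@BadExit               ; nothing exported by name: the do-while below could not terminate
.ENDIF
.REPEAT
MOV EDI, [EBX]
ADD EDI, [esp+0ch] ; imagebase
MOV ESI, [esp+10h] ; szAPI
PUSH ECX ; save the api string length
REPZ CMPSB
.IF ZERO?
ADD ESP, 4                  ; discard the saved length, EAX keeps the index
.BREAK
.ENDIF
POP ECX
ADD EBX, 4
INC EAX
.UNTIL EAX == [EDX].NumberOfNames
; did we find anything? (EAX == NumberOfNames means the loop ran out)
.IF EAX == [EDX].NumberOfNames
JMP @@BadExit
.ENDIF
; find the corresponding Ordinal (16-bit entries, hence the MUL by 2)
MOV ESI, [EDX].AddressOfNameOrdinals
ADD ESI, [esp+0ch]
PUSH EDX ; save the export table pointer
MOV EBX, 2
XOR EDX, EDX
MUL EBX
POP EDX
ADD EAX, ESI
XOR ECX, ECX
MOV WORD PTR CX, [EAX] ; ECX -> Api Ordinal
MOV EDI, [EDX].AddressOfFunctions ; get the address of the api (4-byte RVAs)
XOR EDX, EDX
MOV EBX, 4
MOV EAX, ECX
MUL EBX
ADD EAX, [esp+0ch]
ADD EAX, EDI
MOV EAX, [EAX]
ADD EAX, [esp+0ch] ; dwDllBase
JMP @@ExitProc
ASSUME EDX:
@@BadExit:
XOR EAX, EAX
@@ExitProc:
POP dword ptr FS:[0] ; shutdown SEH frame
ADD ESP, 4
ret 8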
getbitM MACRO
; Shift the next tag bit out of DL into CF. DL holds the current tag byte
; followed by a sentinel 1; once the sentinel falls out (DL becomes 0)
; the next byte is fetched from [ESI] (ESI advanced) and the ADC re-seeds
; the sentinel while delivering that byte's top bit in CF. Clobbers flags.
LOCAL stillbitsleft
add dl, dl
jnz stillbitsleft
mov dl, [esi]
inc esi
adc dl, dl
stillbitsleft:
ENDM getbitM
domatchM MACRO reg
; Copy ECX bytes from EDI-reg to EDI (a back-reference 'reg' bytes
; behind), one byte at a time so that a source overlapping the output
; repeats the pattern as LZ decoding expects. Advances EDI by ECX,
; leaves ECX = 0, preserves ESI. No bounds check: 'reg' must not reach
; before the start of the output buffer.
push esi
mov esi, edi
sub esi, reg
rep movsb
pop esi
ENDM domatchM
getgammaM MACRO reg
; Decode a gamma-coded number into 'reg' (a 32-bit register): starting
; from 1, each data bit is shifted in and a following 1 continuation bit
; means "more bits". The result is therefore always >= 2.
; Consumes tag bits through getbitM (DL/ESI).
LOCAL getmorebits
mov reg, 1
getmorebits:
getbitM
adc reg, reg
getbitM
jc getmorebits
ENDM getgammaM
; ------------------------------------------------------
depack_f proc ; arg1 = SRC, arg2 = DEST, eax=ln on RET
; ------------------------------------------------------
; LZ-style bit-stream decompressor: tag bits live in DL, codes are read
; with getbitM/getgammaM and matches are copied by domatchM.
; Args (C convention, read relative to ESP after the PUSHAD):
;   [esp+36] = SRC  compressed stream
;   [esp+40] = DEST output buffer
; Returns the number of bytes written in EAX (patched into the PUSHAD
; frame). Every other register is preserved by PUSHAD/POPAD; inside the
; routine EBP holds the last match offset, NOT the stub's delta.
; Security: neither input nor output is bounded -- the caller must
; guarantee that SRC is well formed and DEST has room for the complete
; output; a crafted stream can read and write arbitrarily far.
; The stream ends at the first short match whose offset byte is 0.
pushad
mov esi, [esp + 36] ; C calling convention
mov edi, [esp + 40]
cld
mov dl, 80h                  ; tag register: sentinel only, forces a fetch
literal:
mov al, [esi]                ; the first byte is always a literal
inc esi
mov [edi], al
inc edi
nexttag:
getbitM
jnc literal                  ; 0        -> literal byte
getbitM
jnc codepair                 ; 10       -> gamma-coded offset/length pair
xor eax, eax
getbitM
jnc shortmatch               ; 110      -> one-byte offset, length 2-3
getbitM                      ; 111 xxxx -> 4-bit offset, single byte copy
adc eax, eax
getbitM
adc eax, eax
getbitM
adc eax, eax
getbitM
adc eax, eax
jz thewrite                  ; offset 0 writes a zero byte
push edi
sub edi, eax
mov al, [edi]                ; copy one byte from 'offset' bytes back
pop edi
thewrite:
mov [edi], al
inc edi
jmp short nexttag
codepair:
getgammaM eax
sub eax, 2
jnz normalcodepair
getgammaM ecx                ; gamma == 2: repeat the previous offset (EBP)
domatchM ebp
jmp nexttag
normalcodepair:
dec eax
shl eax, 8
mov al, [esi]                ; offset = (gamma - 3) << 8 | next byte
inc esi
mov ebp, eax                 ; remembered for the "repeat offset" case
getgammaM ecx
cmp eax, 32000               ; length is adjusted by the offset magnitude:
jae do_add_2                 ;   >= 32000 -> +2
cmp eax, 1280
jb not_gt_1280
inc ecx                      ;   >= 1280  -> +1
domatchM eax
jmp nexttag
not_gt_1280:
cmp eax, 7fh
ja dont_add_2                ;   <= 7Fh   -> +2, otherwise unchanged
do_add_2:
add ecx, 2
dont_add_2:
domatchM eax
jmp nexttag
shortmatch:
mov al, [esi]
inc esi
xor ecx, ecx
db 0c0h, 0e8h, 001h          ; SHR AL,1 hand-encoded: AL = offset, CF = length - 2
jz donedepacking             ; offset 0 terminates the stream
adc ecx, 2
mov ebp, eax
domatchM eax
jmp nexttag
donedepacking:
sub edi, [esp + 40]
mov [esp + 28], edi ; return unpacked length in eax (saved-EAX slot of the PUSHAD frame)
popad
ret
depack_f endp
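SehHandler PROC C pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
; Exception handler installed by GetKernelBase/GetProcAddr: on any fault
; while they probe memory, rewind ESP/EBP to the values kept in the sSEH
; record, resume at SaveEip and tell the dispatcher to continue.
; The stub runs relocated (see 'delta'), so the record cannot be read at
; the absolute 'SEH' it was assembled at -- that only worked if the
; packer happened to place the stub at its assembled address. Instead
; recover the stub's delta from the registration record pFrame points
; to: its second dword is the handler address exactly as the installer
; pushed it, i.e. delta + OFFSET SehHandler.
MOV EDX, pFrame
MOV EDX, [EDX+4]            ; = delta + OFFSET SehHandler
SUB EDX, OFFSET SehHandler  ; EDX = delta
ADD EDX, OFFSET SEH         ; EDX -> the relocated sSEH record
ASSUME EDX:PTR sSEH
MOV EAX, pContext
ASSUME EAX:PTR CONTEXT
PUSH [EDX].SaveEip
POP [EAX].regEip
PUSH [EDX].OrgEsp
POP [EAX].regEsp
PUSH [EDX].OrgEbp
POP [EAX].regEbp
ASSUME EDX:
MOV EAX, ExceptionContinueExecution
ret
SehHandler ENDP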
section_end:
end main