📄 cryptstuff.asm
字号:
SecDecryptContinue1:
popad
@@LoopEnd:
add esi,SIZEOF IMAGE_SECTION_HEADER
INC EDX
.UNTIL dx == [edi].FileHeader.NumberOfSections
assume esi : nothing
assume edi : nothing
ret
AfterDeCryptionContinue:
;------ PREPARE THE OEP JUMP EXCEPTION :) ------
MOV EBX, [EBP+dwImageBase]
ADD EBX, [EBP+dwOrgEntryPoint]
ROR EBX, 7
MOV [ESP+010h], EBX
LEA EBX, [EBP+OFFSET SehHandler_OEP_Jump]
MOV [ESP+01Ch], EBX
;----- SET Index Variable of TLS table to 0 -----
; check whether there's a tls table
mov edi,[ebp+dwImageBase]
add edi,dword ptr [edi+03Ch] ; edi -> pointer to PE header
assume edi : ptr IMAGE_NT_HEADERS
mov ebx,[edi].OptionalHeader.DataDirectory[SIZEOF IMAGE_DATA_DIRECTORY * 9].VirtualAddress
assume edi : nothing
cmp ebx,0 ; no tls section
jz SkipTlsFix
add ebx,[ebp+dwImageBase] ; ebx -> pointer to tls table
assume ebx : ptr IMAGE_TLS_DIRECTORY32
mov eax,[ebx].AddressOfIndex
mov dword ptr [eax],0
assume ebx : nothing
SkipTlsFix:
;----- CRC COMPARE -----
mov eax,[ebp+dwCalcedCRC]
.IF eax != 0
.IF eax != [ebp+dwOrgChecksum]
jmp SkipInitIt
.ENDIF
.ENDIF
;----- INIT IMPORT TABLE -----
; 0 - an error occurred
; 1 - IT initialized successfully
LEA ESI, [EBP+OFFSET IIDInfo] ; ESI -> pointer to the current IID
ASSUME ESI : PTR sItInfo
;------ PREPARE API REDIRECTION ------
TEST [EBP+PROTECTION_FLAGS], API_REDIRECT_FLAG
.IF !ZERO?
PUSH ESI
LEA EDI, [EBP+OFFSET Buff]
ASSUME EDI : PTR sReThunkInfo
XOR ECX, ECX
.WHILE [ESI].FirstThunk
MOV EDX, [ESI].FirstThunk
ADD EDX, [EBP+dwImageBase]
.WHILE DWORD PTR [EDX]
INC ECX
ADD EDX, 4
.ENDW
ADD ESI, SIZEOF sItInfo
.ENDW
; allocate memory for the api stubs
XOR EDX, EDX
MOV EAX, SIZEOF sApiStub
MUL ECX
PUSH EAX
PUSH GMEM_FIXED
CALL [EBP+_GlobalAlloc]
.IF !EAX ; fatal exit
ADD ESP, 4
POPAD
RET
.ENDIF
MOV [EDI].ApiStubMemAddr, EAX
MOV [EDI].pNextStub, EAX
ASSUME EDI : NOTHING
POP ESI
.ENDIF
; start with the real routine
.WHILE [esi].FirstThunk != 0
; load the library
mov ebx,[esi].DllNameRVA
add ebx,[ebp+dwImageBase]
; decrypt dll string
MOV EAX,EBX
CALL EnDeCryptString
LEA EAX, [EBP+InitITContinue1] ; goto InitITContinue1
PUSH EAX
RET
; eax = VA of target string
EnDeCryptString:
PUSH ESI
PUSH EDI
MOV ESI,EAX
MOV EDI,EAX
DllCryptLoop:
LODSB
ROR AL,4
STOSB
CMP BYTE PTR [EDI],0
JNZ DllCryptLoop
POP EDI
POP ESI
RET
InitITContinue1:
push ebx
call [ebp+_LoadLibrary]
test eax,eax
jz SkipInitIt
; zero dll name
PUSH EAX ; save dll base
test [ebp+PROTECTION_FLAGS],DESTROY_IMPORT_FLAG
jz DontKillDllName
; push return address
LEA EAX, [EBP+OFFSET DontKillDllName]
PUSH EAX ; push return address :)
MOV EAX, EBX
JMP KillString
DontKillDllName:
POP EBX ; EBX -> library handle
; process the (Original-)FirstThunk members
mov ecx,[esi].OrgFirstThunk
.IF ecx == 0
mov ecx,[esi].FirstThunk
.ENDIF
add ecx,[ebp+dwImageBase] ; ecx -> pointer to current thunk
mov edx,[esi].FirstThunk
add edx,[ebp+dwImageBase] ; edx -> pointer to current thunk (always the non-original one)
.WHILE dword ptr [ecx] != 0
test dword ptr [ecx],IMAGE_ORDINAL_FLAG32 ; is it an ordinal import ?
jnz @@OrdinalImp
; process a name import
mov dword ptr eax,[ecx]
add eax,2
add eax,[ebp+dwImageBase] ; eax points now to the Name of the Import
PUSH EAX
CALL EnDeCryptString
POP EAX
mov edi,eax ; save the API name pointer for destroying it later
push edx
push ecx ; save the Thunk pointers
push eax
push ebx
call [ebp+_GetProcAddress]
.IF eax == NULL
pop ecx
pop edx
jmp SkipInitIt
.ENDIF
pop ecx
pop edx
;->kill API name
PUSHAD
test [ebp+PROTECTION_FLAGS],DESTROY_IMPORT_FLAG
JZ DontKillApiName
LEA EAX, [EBP+OFFSET DontKillApiName] ; push return address
PUSH EAX
MOV EAX, EDI
JMP KillString
DontKillApiName:
POPAD
;-> paste API address
mov dword ptr [edx],eax
jmp @@NextThunkPlease
@@OrdinalImp:
; process an ordinal import
push edx
push ecx ; save the thunk pointers
mov dword ptr eax,[ecx]
sub eax,080000000h
push eax
push ebx
call [ebp+_GetProcAddress]
test eax,eax
jz SkipInitIt
pop ecx
pop edx
mov dword ptr [edx],eax
@@NextThunkPlease:
; eax = Current Api address
; ebx = dll base
; edx = non-org thunk pointer
TEST [EBP+PROTECTION_FLAGS], API_REDIRECT_FLAG
.IF !ZERO?
.IF [EBP+bNT]
.IF EBX < 070000000h || EBX > 077FFFFFFh
JMP SkipThunkRed
.ENDIF
.ELSE
.IF EBX < 080000000h
JMP SkipThunkRed
.ENDIF
.ENDIF
PUSH EDI
PUSH ESI
LEA EDI, [EBP+Buff]
ASSUME EDI : PTR sReThunkInfo
MOV ESI, [EDI].pNextStub
MOV [EDX], ESI ; make the thunk point to stub mem
SUB EAX, ESI
SUB EAX, 5 ; sizeof E9XXXXXXXX - Jump long
MOV BYTE PTR [ESI], 0E9h
MOV DWORD PTR [ESI+1], EAX
ADD [EDI].pNextStub, SIZEOF sApiStub
ASSUME EDI : NOTHING
POP ESI
POP EDI
SkipThunkRed:
.ENDIF
add ecx,4
add edx,4
.ENDW
add esi,SIZEOF sItInfo ; make esi point to the next IID
.ENDW
assume esi:nothing
xor eax,eax
inc eax
SkipInitIt:
.IF eax != TRUE
; exit
popad
ret
.ENDIF
;----- ERASE PE HEADER ------
test [ebp+PROTECTION_FLAGS],ERASE_HEADER_FLAG
jz SkipEraseHeader
; zero the header
mov edi,[ebp+dwImageBase]
add edi,[edi+03Ch]
assume edi : ptr IMAGE_NT_HEADERS ; edi -> pointer to PE header
mov ecx,[edi].OptionalHeader.SizeOfHeaders
mov esi,[ebp+dwImageBase]
assume edi : nothing
ZeroMemLoop:
mov byte ptr [esi],0
inc esi
loop ZeroMemLoop
SkipEraseHeader:
;------ CHECK AGAIN LOADER CRC & COMPARE ------
LEA EAX, [EBP+DepackerCode]
MOV ECX, LOADER_CRC_CHECK_SIZE
JMP SM10
DB 0E9h
SM10:
CALL GetChecksum
JMP SM11
DB 0C7h
SM11:
MOV EBX, [EBP+dwLoaderCRC]
XOR EAX, EBX
.IF !ZERO?
JMP SM12
DB 02Ch
SM12:
POPAD
JMP SM13
DB 0E8h
SM13:
RET
.ENDIF
;----- DECRYPT ENTRYPOINT JUMP CODE -----
LEA EDI, [EBP+OFFSET OEP_JUMP_CODE_START]
MOV ESI, EDI
MOV ECX, CRYPT_OEP_JUMP_SIZE
XOR EBX, EBX
OepJumpDecryptLoop:
LODSB
XOR AL, OEP_JUMP_ENCRYPT_NUM
SUB AL, BL
ROL AL, 2
STOSB
INC EBX
LOOP OepJumpDecryptLoop
;----- JUMP TO OEP -----
OEP_JUMP_CODE_START:
;----- CHECK FOR DEBUG API's -----
LEA EAX, [EBP+OFFSET szIsDebuggerPresent]
PUSH EAX
PUSH [EBP+dwKernelBase]
CALL [EBP+_GetProcAddress]
OR EAX, EAX ; API not present on W95
.IF !ZERO?
CALL EAX
OR EAX, EAX
.IF !ZERO?
POPAD
RET
.ENDIF
.ENDIF
;------ SECOND SI CHECK ------
; doesn't work on NT
; install SEH frame
TEST [EBP+PROTECTION_FLAGS], CHECK_SI_FLAG
JZ SkipSICheck2
LEA ESI,[EBP+SEH]
ASSUME ESI : PTR sSEH
LEA EAX, [EBP+OFFSET SICheck2_SP]
MOV [ESI].SaveEip, EAX
ASSUME ESI : NOTHING
XOR EBX, EBX
LEA EAX, [EBP+OFFSET SehHandler2]
PUSH EAX
PUSH FS:[EBX]
MOV FS:[EBX], ESP
MOV EDI, EBP
MOV EAX, 4400h
JMP SM4
DB 0C7h
SM4:
INT 68h
SICheck2_SP:
XOR EBX, EBX
POP FS:[EBX]
ADD ESP, 4
.IF DI == 01297h || DI == 01277h || DI == 01330h
JMP SM5
DB 0FFh
SM5:
POPAD
JMP SM6
DB 0E8h
SM6:
RET
.ENDIF
SkipSICheck2:
LEA EAX, [EBP+OFFSET OepJumpCodeCont]
PUSH EAX
RET
; ---- OEP SEH HANDLER -----
SehHandler_OEP_Jump PROC C pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
PUSH EDI
MOV EAX,pContext
ASSUME EAX : PTR CONTEXT
; restore original seh handler
MOV EDI, [EAX].regEsp
PUSH [EDI]
XOR EDI, EDI
POP FS:[EDI]
; kill seh frame
ADD [EAX].regEsp, 8
; set EIP to the OEP
MOV EDI, [EAX].regEbx ; EDI -> OEP
ROL EDI, 7
MOV [EAX].regEip, EDI
mov EAX,ExceptionContinueExecution
ASSUME EAX : NOTHING
POP EDI
RET
SehHandler_OEP_Jump ENDP
OepJumpCodeCont:
;---- ZERO THE LOADER CODE AND DATA ----
XOR AL,AL
LEA EDI, [EBP+OFFSET DepackerCode]
MOV ECX, (OFFSET SehHandler_OEP_Jump - OFFSET DepackerCode)
LoaderZeroLoop:
STOSB
LOOP LoaderZeroLoop
LEA EDI, [EBP+OFFSET OEP_JUMP_CODE_END]
MOV ECX, (OFFSET LOADER_CRYPT_END - OFFSET OEP_JUMP_CODE_END)
LoaderVarZeroLoop:
STOSB
LOOP LoaderVarZeroLoop
POPAD ; RESTORE STARTUP REGS
; After this POPAD:
; EAX - OEP Seh handler
; EBX - OEP (rored)
;------ install OEP JUMP SEH frame ------
PUSH EAX
XOR EAX, EAX
PUSH FS:[EAX]
MOV FS:[EAX], ESP
JMP SM3
DB 087H
SM3: ; the seh handler will set EIP to the OEP :)
OEP_JUMP_CODE_END:
; EAX = ASCII string address
KillString:
.WHILE byte ptr [eax] != 0
mov byte ptr [eax],0
inc eax
.ENDW
ret
SehHandler1 PROC C pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
PUSH EDI
MOV EAX,pContext
ASSUME EAX : PTR CONTEXT
MOV EDI, [EAX].regEdi
push [EDI+SEH.SaveEip]
pop [eax].regEip
MOV [eax].regEbp, EDI
MOV [EAX].regEax, 4 ; SI NOT detected !
mov EAX,ExceptionContinueExecution
ASSUME EAX : NOTHING
POP EDI
RET
SehHandler1 ENDP
SehHandler2 PROC C pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
PUSH EDI
MOV EAX,pContext
ASSUME EAX : PTR CONTEXT
MOV EDI, [EAX].regEdi
push [EDI+SEH.SaveEip]
pop [eax].regEip
MOV [eax].regEbp, EDI
MOV [EAX].regEdi, 0 ; SI NOT detected !
mov EAX,ExceptionContinueExecution
ASSUME EAX : NOTHING
POP EDI
RET
SehHandler2 ENDP
;----- LOADER STRUCTS -----
sItInfo STRUCT
DllNameRVA dd ?
FirstThunk dd ?
OrgFirstThunk dd ?
sItInfo ENDS
sSEH STRUCT
OrgEsp dd ?
OrgEbp dd ?
SaveEip dd ?
sSEH ENDS
sReThunkInfo STRUCT
ApiStubMemAddr DD ?
pNextStub DD ?
sReThunkInfo ENDS
sApiStub STRUCT ; UNUSED !
JumpOpc DB ?
JumpAddr DD ?
sApiStub ENDS
;----- LOADER VARIABLES -----
dwImageBase dd 0
dwOrgEntryPoint dd 0
PROTECTION_FLAGS dd 0
dwCalcedCRC dd 0
dwLoaderCRC DD 0
bNT DD 0
IIDInfo db (SIZEOF sItInfo * MAX_IID_NUM) dup (0)
SEH sSEH <0>
_LoadLibrary dd 0
_GetProcAddress dd 0
; some API stuff
szKernel32 db "Kernel32.dll",0
dwKernelBase dd 0
szGetModuleHandle db "GetModuleHandleA",0
_GetModuleHandle dd 0
szVirtualProtect db "VirtualProtect",0
_VirtualProtect dd 0
szGetModuleFileName db "GetModuleFileNameA",0
_GetModuleFileName dd 0
szCreateFile db "CreateFileA",0
_CreateFile dd 0
szGlobalAlloc db "GlobalAlloc",0
_GlobalAlloc dd 0
szGlobalFree db "GlobalFree",0
_GlobalFree dd 0
szReadFile db "ReadFile",0
_ReadFile dd 0
szGetFileSize db "GetFileSize",0
_GetFileSize dd 0
szCloseHandle db "CloseHandle",0
_CloseHandle dd 0
szIsDebuggerPresent db "IsDebuggerPresent",0
LOADER_CRYPT_END:
; This variables won't be crypted:
TlsBackupLabel:
TlsBackup IMAGE_TLS_DIRECTORY32 <0>
ChecksumLabel:
dwOrgChecksum dd 0
Buff db 0 ; buffer for some stuff, its size: 2000h(VS) - DEPACKER_CODE_SIZE
;----- END OF PE LOADER CODE -----
DepackerCodeEnd:
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -