;*********************************************************
;程序名称:LC Crypto
; 本文件是加密部分的源代码
; 本程序综合运用了SEH、PE、CRC32知识
;作者:罗聪
;日期:2002-11-29
;整理:2003-3-2
;出处:http://www.LuoCong.com(老罗的缤纷天地)
;注意事项:如欲转载,请保持本程序的完整,并注明:
;转载自“老罗的缤纷天地”(http://www.LuoCong.com)
;>> 在此特别强烈感激 俄罗斯 的 Comrade 大虾,
;>> 跟他的交流使我受益匪浅,他的源代码更使我汗颜!
;*********************************************************
;*********************************************************
;Helper macro: stdcall-style call through a function pointer
;*********************************************************
;_call procedure, arg1, arg2, ...
;Expands to `push argN` ... `push arg1` followed by `call procedure`, i.e. the
;arguments are pushed right-to-left as the stdcall/Win32 convention expects.
;Presumably used instead of `invoke` because the callee is a run-time function
;pointer kept in a variable (e.g. `_call [_GetProcAddress], ebp, offset szName`).
;No stack clean-up is emitted: that is correct for stdcall Win32 APIs, which
;remove their own arguments, but NOT for cdecl callees -- wsprintfA (resolved
;later in this file) is cdecl/variadic, so a caller that routes it through this
;macro must `add esp, 4*argc` itself afterwards.
;Clobbers: whatever the callee clobbers (eax/ecx/edx/flags for Win32 APIs).
_call MACRO procedure, parameters:VARARG
LOCAL param, reversed
reversed TEXTEQU <> ;accumulator for the reversed argument list
% for param, <parameters> ;% forces text-macro expansion of the list
reversed CATSTR <param>, <!,>, reversed ;prepend "param," so the list ends up reversed
endm
% for param, <reversed>
push param ;one push per argument, last argument first
endm
call procedure ;procedure may be a register or memory operand (indirect call)
ENDM
;*********************************************************
;Procedure prototypes
;*********************************************************
Attachment proto ;stub entry: locates kernel32, resolves APIs (body starts below)
AttachWindowProc proto :DWORD,:DWORD,:DWORD,:DWORD ;window procedure (hWnd, uMsg, wParam, lParam); not in this chunk
init_crc32table proto ;fills crc32tbl; not in this chunk
arraycrc32 proto ;presumably CRC-32 over a byte array; not in this chunk
;*********************************************************
;Constants
;*********************************************************
.const
hWndAttachExStyle equ 0 ;no extended window style
hWndAttachStyle equ WS_MINIMIZEBOX or WS_SYSMENU or WS_CAPTION or WS_OVERLAPPED or WS_THICKFRAME ;caption, system menu, minimize box, sizing border (WS_OVERLAPPED is 0)
dwWndAttachWidth equ 320 ;size of the password window, pixels
dwWndAttachHeight equ 120
IDC_BUTTON_OK equ 101 ;control id of the OK button
IDM_ATTACH_MENU_ABOUT equ 102 ;menu id of the "About" item (_szMenuAbout), presumably appended to the system menu
;*********************************************************
;代码段开始
;*********************************************************
.code
;Variables used by the stub.  They sit in the .code segment, not in .data, so
;that the stub -- data first, then code -- is one contiguous blob starting at
;attach_start, presumably so the rest of the program can copy it as a unit into
;the executable being protected (that code is not in this file).  Two
;consequences worth knowing:
; - the stub writes these cells at run time, so wherever the blob is placed the
;   section must be writable as well as executable (W^X cannot hold here);
; - every `offset szXxx` operand used by the code is a link-time absolute
;   address, valid only if the stub runs at the address it was linked for or if
;   the copying code fixes it up.  NOTE(review): not verifiable from this file.
;Naming: a name starting with "_" followed by an API name holds that API's
;linear address as returned by GetProcAddress (see Attachment below).
attach_start equ $ ;first byte of the stub
attach_data_start equ $ ;start of the stub's data part
hLibUser32 dd ? ;HMODULE of user32.dll (LoadLibraryA result, stored unchecked)
hLibGDI32 dd ? ;HMODULE of gdi32.dll (LoadLibraryA result, stored unchecked)
crc32tbl dd 256 dup(?) ;CRC-32 lookup table, 256 dwords; filled by init_crc32table (not in this chunk)
;API address slots.  All are 0 until Attachment fills them; none is verified
;after resolution, so a missing export leaves a 0 that a later call would jump to.
_GetProcAddress dd 0 ;found by walking kernel32's export table, not via GetProcAddress itself
_LoadLibrary dd 0 ;LoadLibraryA
_FreeLibrary dd 0
_ExitProcess dd 0
_GetModuleHandle dd 0 ;GetModuleHandleA
_GetMessage dd 0 ;GetMessageA
_TranslateMessage dd 0
_DispatchMessage dd 0 ;DispatchMessageA
_GetSystemMetrics dd 0
_PostMessage dd 0 ;PostMessageA
_SendMessage dd 0 ;SendMessageA
_ShowWindow dd 0
_UpdateWindow dd 0
_LoadCursor dd 0 ;LoadCursorA
_PostQuitMessage dd 0
_MessageBox dd 0 ;MessageBoxA
_RegisterClassEx dd 0 ;RegisterClassExA
_CreateWindowEx dd 0 ;CreateWindowExA
_DefWindowProc dd 0 ;DefWindowProcA
_SetFocus dd 0
_GetWindowLong dd 0 ;GetWindowLongA
_SetWindowLong dd 0 ;SetWindowLongA
_GetDlgItemText dd 0 ;GetDlgItemTextA
_GetSystemMenu dd 0
_AppendMenu dd 0 ;AppendMenuA
_CreateFontIndirect dd 0 ;CreateFontIndirectA (gdi32)
_DeleteObject dd 0 ;gdi32
_IsDialogMessage dd 0
_GetDlgItem dd 0
_hWndAttach HWND 0 ;handle of the password window (a handle, not an API slot, despite its position)
_wsprintfA dd 0 ;NOTE: wsprintfA is cdecl/variadic -- the caller must remove its arguments itself
_SetWindowTextA dd 0
;Module and export names passed to LoadLibraryA / GetProcAddress.  The module
;names are bare (no path), so the normal DLL search order applies.
szLibUser32 db "user32", 0
szLibGDI32 db "gdi32", 0
szProcLoadLibrary db "LoadLibraryA", 0
szProcFreeLibrary db "FreeLibrary", 0
szProcExitProcess db "ExitProcess", 0
szProcGetModuleHandle db "GetModuleHandleA", 0
szProcGetMessage db "GetMessageA", 0
szProcTranslateMessage db "TranslateMessage", 0
szProcDispatchMessage db "DispatchMessageA", 0
szProcGetSystemMetrics db "GetSystemMetrics", 0
szProcPostMessage db "PostMessageA", 0
szProcSendMessage db "SendMessageA", 0
szProcShowWindow db "ShowWindow", 0
szProcUpdateWindow db "UpdateWindow", 0
szProcLoadCursor db "LoadCursorA", 0
szProcPostQuitMessage db "PostQuitMessage", 0
szProcMessageBox db "MessageBoxA", 0
szProcRegisterClassEx db "RegisterClassExA", 0
szProcCreateWindowEx db "CreateWindowExA", 0
szProcDefWindowProc db "DefWindowProcA", 0
szProcSetFocus db "SetFocus", 0
szProcGetWindowLong db "GetWindowLongA", 0
szProcSetWindowLong db "SetWindowLongA", 0
szProcGetDlgItemText db "GetDlgItemTextA", 0
szProcGetSystemMenu db "GetSystemMenu", 0
szProcAppendMenu db "AppendMenuA", 0
szIsDialogMessage db "IsDialogMessage", 0
szGetDlgItem db "GetDlgItem", 0
szwsprintfA db "wsprintfA", 0
szSetWindowTextA db "SetWindowTextA", 0
szProcCreateFontIndirect db "CreateFontIndirectA", 0
szProcDeleteObject db "DeleteObject", 0
;Font for the dialog: lfHeight 13, normal weight, DEFAULT_CHARSET, face "宋体" (SimSun).
_fnt LOGFONT <13, 0, 0, 0, FW_NORMAL, 0, 0, 0, DEFAULT_CHARSET, OUT_DEFAULT_PRECIS, CLIP_DEFAULT_PRECIS, PROOF_QUALITY, DEFAULT_PITCH or FF_DONTCARE, "宋体">
;User-visible strings (window class, titles, menu text, message texts).
_szAppClass db "LCCrypto32", 0
_szAppTitle db "LC Crypto :: v0.1 by LC", 0
_szMenuAbout db "&About LC Crypto...", 0
_szMsgAbout db "【 LC Crypto 】", 13, 10
db "Version: 0.1", 13, 10, 13, 10
db "作者:罗聪", 13, 10
db "E-Mail: lcother@163.net", 13, 10, 13, 10
db "老罗的缤纷天地", 13, 10
db "http://www.LuoCong.com", 0
_szClassEdit db "Edit", 0 ;predefined control classes
_szClassStatic db "Static", 0
_szClassButton db "Button", 0
_szTitlePassword db "请输入密码:", 0 ;"please enter the password:"
_szOK db "确定(&O)", 0 ;"OK"
_szWrongPassword db "密码不正确,请重新输入!", 0 ;"wrong password, try again"
_szTemplate db "--= 您还剩下 %d 次机会 =--", 0 ;wsprintf template: "you have %d attempts left"
;Expected password, 16 bytes.  Filled by code outside this file.
;NOTE(review): if it holds the clear-text password, it is readable from the
;protected binary with a hex editor; check whether the comparison is done on the
;text or on a CRC-32 of it (crc32tbl/arraycrc32 exist for something).
_szRealPassword db 16 dup (?)
;User input, 16 bytes.  The GetDlgItemTextA call that fills it (not in this
;chunk) must pass a max count no larger than 16; anything larger overruns into
;_szChanceCount.
_szPassword db 16 dup (?)
_szChanceCount db 255 dup(?) ;"attempts left" caption, presumably formatted from _szTemplate via wsprintfA; ample for template plus a 32-bit decimal
_hFont dd 0 ;HFONT, presumably from CreateFontIndirectA(_fnt)
_bCorrect db 0 ;non-zero once the entered password was accepted (set outside this chunk)
_hWndChanceCount HWND 0 ;presumably the control that displays _szChanceCount
_wc WNDCLASSEX <0> ;window class for _szAppClass, zero-initialised
_msg MSG <0> ;message-loop scratch
;Attempts remaining, starts at 3; decremented by code outside this chunk.
;NOTE(review): a counter in writable stub memory is trivially patched -- treat it
;as a usability nicety, not a security boundary.
_nCount dd 3
;*********************************************************
;Code part of the stub starts here
;*********************************************************
attach_code_start equ $ ;end of the data part / first byte of the code part
;*********************************************************
;附加段的子程序处理模块
;*********************************************************
Attachment proc
;Locate the kernel32.dll image base.  This assumes the return address on the
;stack at entry ([esp]) points into kernel32 -- true only when the loader calls
;the entry point from kernel32, which is a loader implementation detail, not a
;contract.  From that address (rounded down to 64 KB) it walks down in 4 KB
;steps looking for the dword 00905A4Dh ("MZ",90h,00h): a whole-dword match, so
;it also relies on e_cblp being 0090h as in MS-linked images.  There is no lower
;bound and no SEH frame is set up here, so if the assumption fails the loop
;walks into an unmapped page and faults instead of reporting an error.
mov eax, [esp]
and eax, 0FFFF0000h
@@chk:
cmp dword ptr [eax], 00905A4Dh ; 比较一下……
je @@fnd ; 找到了?
sub eax, 1000h ; faint,找不到,减少1000h作为跨度
jmp @@chk ; Go on!
@@fnd:
;PE walk, with ebp = image base: e_lfanew -> IMAGE_NT_HEADERS; the first
;DataDirectory entry is the export directory, whose VirtualAddress (an RVA) is
;added to the base to reach IMAGE_EXPORT_DIRECTORY; from there AddressOfNames
;is the RVA table of exported-name strings that the loop below scans.
push ebp
push ebx
push esi
push edi
mov ebp, eax
add eax, [eax][IMAGE_DOS_HEADER.e_lfanew]
mov edi, [eax][IMAGE_NT_HEADERS.OptionalHeader.DataDirectory]
add edi, ebp
mov esi, [edi][IMAGE_EXPORT_DIRECTORY.AddressOfNames]
add esi, ebp
;Scan the export-name table for "GetProcAddress" and resolve it through
;AddressOfNameOrdinals -> AddressOfFunctions.  Two caveats: the match compares
;only the 14 bytes "GetProcAddress" and never the terminating NUL, and the loop
;does not stop on a hit, so any later export whose name merely starts with
;"GetProcAddress" would silently overwrite the saved pointer -- adding
;`cmp byte ptr [eax+0Eh], 0` to the match closes that gap.  If nothing matches,
;_GetProcAddress keeps its initial 0 and the first `_call [_GetProcAddress]`
;below calls address 0.
xor edx, edx
@@name:
mov eax, [esi]
add eax, ebp
@@chgp: ; GetProcAddress()
cmp dword ptr [eax+00h], "PteG" ; GetP
jne @@next
cmp dword ptr [eax+04h], "Acor" ; rocA
jne @@next
cmp dword ptr [eax+08h], "erdd" ; ddre
jne @@next
cmp word ptr [eax+0Ch], "ss" ; ss
jne @@next
mov eax, [edi][IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals]
add eax, ebp
movzx ebx, word ptr [edx*2+eax]
mov eax, [edi][IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
add eax, ebp
mov eax, [ebx*4+eax]
add eax, ebp
;找到了,储存起来:
mov [_GetProcAddress], eax
@@next:
add esi, 4
inc edx
cmp edx, [edi][IMAGE_EXPORT_DIRECTORY.NumberOfNames]
jne @@name
;Resolve the remaining APIs through GetProcAddress and cache their addresses.
;None of the results is checked: a NULL from GetProcAddress or LoadLibraryA is
;stored as-is, and eax is used directly as the callee in `_call eax, offset
;szLibUser32`, so a missing export or failed load becomes a call to 0 later
;rather than a diagnosable failure (a `test eax, eax` / `jz` to an ExitProcess
;path after each resolution would fix that).  The `offset szXxx` operands are
;link-time absolute addresses, valid only if the stub runs where it was linked
;or is fixed up by whatever copies it.
_call [_GetProcAddress], ebp, offset szProcFreeLibrary
mov [_FreeLibrary], eax
_call [_GetProcAddress], ebp, offset szProcGetModuleHandle
mov [_GetModuleHandle], eax
_call [_GetProcAddress], ebp, offset szProcExitProcess
mov [_ExitProcess], eax
_call [_GetProcAddress], ebp, offset szProcLoadLibrary
mov [_LoadLibrary], eax
;载入 user32.dll ,并储存它的句柄:
_call eax, offset szLibUser32
mov [hLibUser32], eax
_call [_GetProcAddress], eax, offset szProcGetMessage
mov [_GetMessage], eax
_call [_GetProcAddress], [hLibUser32], offset szProcTranslateMessage
mov [_TranslateMessage], eax
_call [_GetProcAddress], [hLibUser32], offset szProcDispatchMessage
mov [_DispatchMessage], eax
_call [_GetProcAddress], [hLibUser32], offset szProcGetSystemMetrics
mov [_GetSystemMetrics], eax
_call [_GetProcAddress], [hLibUser32], offset szProcPostMessage
mov [_PostMessage], eax
_call [_GetProcAddress], [hLibUser32], offset szProcSendMessage
mov [_SendMessage], eax
_call [_GetProcAddress], [hLibUser32], offset szProcShowWindow
mov [_ShowWindow], eax
_call [_GetProcAddress], [hLibUser32], offset szProcUpdateWindow
mov [_UpdateWindow], eax
_call [_GetProcAddress], [hLibUser32], offset szProcLoadCursor
mov [_LoadCursor], eax
_call [_GetProcAddress], [hLibUser32], offset szProcPostQuitMessage
mov [_PostQuitMessage], eax
_call [_GetProcAddress], [hLibUser32], offset szProcMessageBox
mov [_MessageBox], eax
_call [_GetProcAddress], [hLibUser32], offset szProcRegisterClassEx
mov [_RegisterClassEx], eax
_call [_GetProcAddress], [hLibUser32], offset szProcCreateWindowEx
mov [_CreateWindowEx], eax
_call [_GetProcAddress], [hLibUser32], offset szProcDefWindowProc
mov [_DefWindowProc], eax
_call [_GetProcAddress], [hLibUser32], offset szProcSetFocus
mov [_SetFocus], eax
_call [_GetProcAddress], [hLibUser32], offset szProcGetWindowLong
mov [_GetWindowLong], eax
_call [_GetProcAddress], [hLibUser32], offset szProcSetWindowLong
mov [_SetWindowLong], eax
_call [_GetProcAddress], [hLibUser32], offset szProcGetDlgItemText
mov [_GetDlgItemText], eax
_call [_GetProcAddress], [hLibUser32], offset szProcGetSystemMenu
mov [_GetSystemMenu], eax
_call [_GetProcAddress], [hLibUser32], offset szProcAppendMenu
mov [_AppendMenu], eax
_call [_GetProcAddress], [hLibUser32], offset szIsDialogMessage
mov [_IsDialogMessage], eax
_call [_GetProcAddress], [hLibUser32], offset szGetDlgItem
mov [_GetDlgItem], eax
_call [_GetProcAddress], [hLibUser32], offset szwsprintfA
mov [_wsprintfA], eax
_call [_GetProcAddress], [hLibUser32], offset szSetWindowTextA
mov [_SetWindowTextA], eax
;载入 gdi32.dll ,并储存它的句柄:
_call [_LoadLibrary], offset szLibGDI32
mov [hLibGDI32], eax
;通过 GetProcAddress 获得 gdi32.dll 里面的两个 API 的线形地址,并储存起来:
_call [_GetProcAddress], eax, offset szProcCreateFontIndirect
mov [_CreateFontIndirect], eax
_call [_GetProcAddress], [hLibGDI32], offset szProcDeleteObject
mov [_DeleteObject], eax
pop edi
pop esi
pop ebx