📁 这是脱壳 PE-ARMOR 的程序源代码汇编的
				dec	esi
			.endw
			inc	esi				; skip 2 bytes (presumably the opcode the backward scan above stopped on)
			inc	esi
			lodsd					; eax = disp32 of that instruction = offset inside the symbiont
			add	eax, RealSymbiontStart
			mov	eax, [eax]			; eax = value stored at that offset
			test	eax, eax
			setnz	byte ptr[ImportsProtectedFlag]	; non-zero -> imports are protected

; the ORIGINAL ENTRY POINT

;forward
;0040D000 >  89AD 78563412   mov     [ebp+12345678], ebp
; NOTE(review): both scans below run until the 2-byte pattern is found and have
; no upper bound; on a file that lacks the pattern they walk off the end of the
; buffer. Bounding esi by the buffer end (its size is not visible here) would be
; safer when the input sample cannot be trusted.
			.while	word ptr[esi]!= 0AD89h		; find bytes 89 AD = mov [ebp+disp32], ebp
				inc	esi
			.endw
; forward
; 0037A07A    8B85 30120000   mov     eax, [ebp+1240]		; OEP rva
			.while	word ptr[esi]!= 858Bh		; find bytes 8B 85 = mov eax, [ebp+disp32]
				inc	esi
			.endw
			inc	esi				; skip the two opcode bytes
			inc	esi
			lodsd					; eax = disp32 = offset of the stored OEP inside the symbiont
			add	eax, RealSymbiontStart
			mov	eax, [eax]
			mov	OriginalEntryPoint, eax			; may still be encrypted, see @@TryToRestoreEncryptedOEP

; **************** FIX UP ENCRYPTED THINGS START ****************

; depack sections, emulate loader hmm
			mov	eax, CompressSectionHeaders
			sub	eax, RealSymbiontStart			; we just need rva
			call	@@UnpackSections
; restore imports


; remove special code protection
			call	@@ReverseCodeProtection

; rebuild import table
			call	@@RebuildNewImports
; fix OEP value, code

			call	@@TryToRestoreEncryptedOEP

			call	@@FixOepCode

			push	OriginalEntryPoint
			pop	[edi].pe_entrypointrva		; edi -> PE header (assumed ptr pe_struc before this view)
			
; fix section name if needed
			call	@@GuessSectionName
; all done
			assume	edi : nothing

; write out file
			mov	ebx, FileHandle			; ebx = handle used by fseek/fwrite/fclose below
			xor	ecx, ecx			; rewind to offset 0
			call	fseek

			mov	ecx, FileSize			; ecx = byte count
			mov	edi, FileBase			; edi = buffer to write
			call	fwrite
; write out overlays
			mov	ecx, SavedOverlay		; zero when no overlay was saved
			jecxz	__skip_w_olay
			mov	edi, OverlaySize
			xchg	edi, ecx			; edi = overlay buffer, ecx = its size
			call	fwrite
__skip_w_olay:

; close file
			call	fclose

			call	@@FreeMemory

;			push	MB_YESNO	; I fixed rebuilder's bug!!
;			push	offset yeah
;			push	offset askbox
;			push	0
;			call	MessageBoxA
;			.if	eax == 6	;MB_YES

			push	FileName
			call	_RebuildPE
;			.endif
;
			push	0				; MessageBoxA(0, sucbox, yeah, 0): success box
			push	offset yeah
			push	offset sucbox
			push	0
			call	MessageBoxA

			jmp	@@exit

; ------------------------------------------------------------------------
; Error exit: release the buffers, report, and leave through @@exit.
; NOTE(review): @@read_eax jumps here from inside a call, so at that point one
; extra return address sits above the pushad frame that @@exit's popad expects;
; the proc prologue is outside this view — verify esp is rebalanced somewhere.

@@err:
			call	@@FreeMemory

			push	0				; MessageBoxA(0, errbox, fuck, 0): error box
			push	offset fuck
			push	offset errbox
			push	0
			call	MessageBoxA

@@exit:
			popad					; pairs with a pushad outside this view (assumed)
			ret

; ------------------------------------------------------------------------
; Free memory in eax/all buffer
; @@MemoryFree: release the buffer whose pointer is in eax; a NULL eax is a no-op.
; The actual release is handed to `free` (which takes eax) by a tail jump, so
; free's retn returns straight to our caller — same effect as call+retn.

@@MemoryFree:
			test	eax, eax
			jnz	__do_free
			retn					; nothing to free
__do_free:		jmp	free				; tail call

@@FreeMemory:		
; Release every buffer the unpacker holds (FileBase, UnpackedSymbiontBase,
; SavedOverlay) through @@MemoryFree, which skips NULL pointers.
; Clobb: eax plus whatever @@MemoryFree/free clobber.
			mov	eax, FileBase
			call	@@MemoryFree
			mov	eax, UnpackedSymbiontBase
			call	@@MemoryFree
			mov	eax, SavedOverlay
			jmp	@@MemoryFree			; tail call: its retn returns to our caller

; ------------------------------------------------------------------------
; Someone encrypted the OEP value :(((. I have seen one such sample; let's fix it.
; How? The only way is to check whether the OEP is implausible and, if so, undo
; the transform.
; In:    OriginalEntryPoint (global) = OEP RVA read from the symbiont
; Out:   OriginalEntryPoint rewritten only when the decrypted value lands inside the image
; Clobb: none (pushad/popad)
; NOTE(review): the two constants below (23C3h / 709394h) come from the
;   disassembly of one specific protected sample (see the comments); other
;   builds of the packer may use different values, so this repairs that variant only.
@@TryToRestoreEncryptedOEP:
			pushad
			mov	eax, OriginalEntryPoint
; topic: the entry point must be in the image [FirstSection.Rva...imagesize]
			mov	esi, StartOfSectionHeaders
			assume	esi : ptr oe_struc
			mov	esi, [esi].oe_virt_rva		; esi = RVA of the first section (lower bound)
			mov	edi, SizeOfImage		; edi = upper bound

			mov	ebx, eax	;; save. I cannot assume I can do it (ebx is never read again; popad restores it anyway)

			.if	eax<esi || eax>edi		; OEP outside the image -> treat it as encrypted

;00DB3F78    81C2 C3230000   add     edx, 23C3
;00DB3F96    81EA 94937000   sub     edx, 709394

				add     eax, 23C3h		; undo the packer's transform shown above
				sub	eax, 709394h
				.if	eax>esi && eax<edi	; strict, unlike the outer test: eax == esi is not accepted
					mov	OriginalEntryPoint, eax
					jmp	@@CalcOutOEP		; redundant: falls through to the same label anyway
				.endif
			.endif

			
			
@@CalcOutOEP:		popad
			retn

; ------------------------------------------------------------------------
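; Now we're going to guess the names of the sections.
; As help, we have some values in the header.
; If a name can't be guessed, it'll be named ".iPB#", where # is a digit.
; Rule per section header (numeric offsets assume the PE32 layout):
;   VirtualAddress in [BaseOfCode, BaseOfCode+SizeOfCode)             -> ".text"
;   VirtualAddress in [BaseOfData, BaseOfData+SizeOfInitializedData)  -> ".data"
;   SizeOfRawData == 0                                                -> ".bss"
;   anything else                                                     -> ".iPB0", ".iPB1", ...
; Skipped entirely when the loader (last) section already carries the 'gcc.' name.
; Uses:  NtHeaderPtr, LoaderSectionHeader, StartOfSectionHeaders, NumberOfSections
; Clobb: none for the caller (pushad/popad); the section names in the buffer change.
; NOTE(review): the RVA comparisons are unsigned (jb/jae) because RVAs are unsigned,
;   and NumberOfSections == 0 now skips the loop instead of wrapping ecx through
;   dec/jne. NumberOfSections is read from the file and is still not checked
;   against the size of the header buffer.
@@GuessSectionName:
			pushad
			mov	edx, NtHeaderPtr
			assume	edx : ptr pe_struc

			mov	esi, LoaderSectionHeader			; last section
			assume	esi : ptr oe_struc

			cmp	dword ptr[esi].oe_name, 'gcc.'
			je	__skipguess

			mov	esi, StartOfSectionHeaders
			xor	ecx, ecx
			mov	cx, NumberOfSections
			jecxz	__skipguess			; no sections: nothing to name
			mov	ebp, 30h			; 30h == '0', suffix for unrecognised sections (ebp restored by popad)
__guess:

			mov	dword ptr[esi], 'BPi.'		; default name ".iPB" (multi-char constant, little-endian in memory)
			mov	dword ptr[esi+4],0
			;or	dword ptr[esi+24h], 20000020h	; fix flag

			mov     eax,dword ptr [esi+0ch]		; eax = section VirtualAddress

			mov     ebx,dword ptr [edx+2ch]		; ebx = OptionalHeader.BaseOfCode
			cmp     eax,ebx
			jb      NotCodeSection			; unsigned compare on RVAs
			add     ebx,dword ptr [edx+1ch]		; ebx = BaseOfCode + SizeOfCode
			cmp     eax,ebx
			jae     NotCodeSection
			mov     dword ptr [esi],7865742eh	; Code-section - ".text"
			mov     dword ptr [esi+4],74h
			jmp     __g_next_obj
NotCodeSection:
			mov     ebx,dword ptr [edx+30h]		; ebx = OptionalHeader.BaseOfData
			cmp     eax,ebx
			jb      NotDataSection
			add     ebx,dword ptr [edx+20h]		; ebx = BaseOfData + SizeOfInitializedData
			cmp     eax,ebx
			jae     NotDataSection
			mov     dword ptr [esi],7461642eh	; Data-section - ".data"
			mov     dword ptr [esi+4],61h
			jmp     __g_next_obj
NotDataSection:
			cmp     dword ptr [esi+10h],0		; SizeOfRawData == 0 ?
			jne     NotBSSSection
			mov     dword ptr [esi],7373622eh	; BSS-section - ".bss"
			jmp     __g_next_obj
NotBSSSection:
			mov     word ptr [esi+4],bp		; No idea - "iPB#": digit then NUL (ebp starts at 30h, high byte is 0)
			inc     ebp
__g_next_obj:
			add     esi,28h    			; sizeof IMAGE_SECTION_HEADER
			dec     ecx
			jne     __guess


__skipguess:
			assume	esi : nothing
			assume	edx : nothing
			popad
			retn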

; ------------------------------------------------------------------------

include			rebuildit.asm				; imports fixer

include			fixoep.asm				; oep code fixer

; ------------------------------------------------------------------------
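; Decompress packed sections, IN: eax = sections RVA to RealSymbiontStart
; Each 0Ch-byte table entry is read as: [+0] = unpacked size (VirtualAlloc size
; and copy count), [+4] = offset of the packed data inside FileBase; a zero at
; [+0] ends the table. The third dword of an entry is not used here.
; Out:   every listed section is depacked in place over its packed bytes in FileBase.
; Clobb: none for the caller (pushad/popad). ebp is reused as a base register inside.
; Relies on _aP_depack_asm preserving esi/edi/ebx/ebp (the copy after the call uses them).
; NOTE(review): the entry fields come from the packed file itself; nothing here
;   checks that [+4] + [+0] stays inside the FileBase buffer, nor that the
;   depacked stream fits the [+0]-byte scratch buffer — worth adding if the tool
;   is run on untrusted samples (the buffer size is not visible here).
@@UnpackSections:
			pushad
			mov	edx, FileBase			; edx = file buffer base, kept across the API calls below
			mov	ebp, RealSymbiontStart		; will change ebp! (ebp = symbiont base, not a frame pointer)
			mov	ebx, eax			; ebx = RVA of the current table entry

IFDEF			DEBUG
			int	3
ENDIF

			; go go go			
__dpack_objn:
			cmp	dword ptr [ebp+ebx],0h		; unpacked size == 0 -> end of table
			jz	__obj_done
			push	edx				; * keep FileBase across the call
			push	PAGE_READWRITE
			push	MEM_COMMIT
			push	dword ptr [ebp+ebx]		; dwSize = unpacked size
			push	0
			call	VirtualAlloc			
			pop	edx				; *
			mov	esi,eax				; esi = scratch buffer for the depacked bytes
			test	esi,esi
			jz	__obj_done			; allocation failed: stop instead of depacking into address 0
			lea	eax, [ebx+ebp]
			mov	edi,dword ptr [eax+4h]		; edi = offset of the packed data ...
			add	edi, edx			; ... made absolute inside FileBase
			push	esi				; destination
			push	edi				; source
			call	_aP_depack_asm			; stdcall
			mov	ecx,dword ptr [ebp+ebx]		; ecx = unpacked size
			push	esi
			rep	movsb				; copy the depacked bytes back over the packed ones
			pop	esi
			push	ebx
			push	edx				; *
			push	MEM_RELEASE
			push	0
			push	esi
			call	VirtualFree
			pop	edx				; *
			pop	ebx
			add	ebx,0ch				; next table entry
			jmp	__dpack_objn
__obj_done:
			popad
			retn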

; ------------------------------------------------------------------------
; Remove special code protection, still emulate loader muhahaha
; Walks the EncryptedCodePtr table (8-byte entries: [+0] = patch address with a
; flag in bit 31, [+4] = operand dword; a zero [+0] ends the table) and rewrites
; each recorded site inside FileBase as an FF 25 (jmp dword ptr [mem]) or
; FF 15 (call dword ptr [mem]) instruction whose memory operand is the entry's
; second dword.
; Clobb: none for the caller (pushad/popad); FileBase contents change.
; NOTE(review): the patch address is taken straight from the file and turned into
;   (addr & 7FFFFFFFh) - ImageBase + FileBase, which treats the RVA as a raw file
;   offset and is never checked against FileSize — a crafted table can make this
;   write outside the buffer.

@@ReverseCodeProtection:
			pushad

			mov	ecx, EncryptedCodePtr
			jecxz	__xcode_exit			; no table at all
			xchg	esi, ecx			; esi = current table entry

__xxxcode:
			mov	ecx, [esi]			; ecx = flagged address, 0 terminates
			jecxz	__xcode_exit
			mov	ebx, [esi+4]			; ebx = operand to store after the opcode

			test	ecx, 80000000h				; check MSB: set -> jmp form, clear -> call form
			jz	__xxxjmp

			mov	ax, 25FFh			; bytes FF 25 = jmp dword ptr [imm32]
			jmp	__xxxfix
__xxxjmp:
			mov	ax, 15FFh			; bytes FF 15 = call dword ptr [imm32]
__xxxfix:
			and	ecx, 7FFFFFFFh			; strip the flag bit
			sub	ecx, ImageBase			; VA -> RVA ...
			add	ecx, FileBase			; ... used directly as an offset into the file buffer
			mov	[ecx-6], ax			; opcode goes 6 bytes before the recorded address
			;sub	ebx, ImageBase				; rva but reloc
			mov	dword ptr [ecx-4], ebx		; then the 4-byte operand
			add	esi, 8				; next entry
			jmp	__xxxcode
__xcode_exit:
			
			popad
			retn

; ------------------------------------------------------------------------
; Read a dword from [file_start+eax]
; In:    eax = file offset; ebx = file handle (as the main body sets it before its fseek call — verify)
; Out:   eax = the dword read; @@read_dw is a second entry that reads at the current position
; Clobb: ecx, edx (edx is left pointing at TempBuffer)
; Err:   jumps to @@err when fseek returns -1 or fread reads nothing.
; NOTE(review): @@err ends in popad/ret without resetting esp, so jumping there
;   from inside this called routine leaves our return address above the caller's
;   pushad frame — confirm the proc's error path copes with that (its prologue
;   is outside this view).

@@read_eax:
			mov	ecx, eax			; ecx = offset for fseek
			call	fseek
			cmp	eax, -1
			je	@@err
@@read_dw:
			lea	edx, TempBuffer			; buff
			push	4
			pop	ecx				; ecx = 4 bytes to read
			call	fread
			test	eax, eax
			jz	@@err				; nothing read
			mov	eax, [edx]			; real result (relies on fread leaving edx intact)
			retn

; ------------------------------------------------------------------------
; Align eax value with f(ile) or O(bject) alignment, but will destroy ecx
; In:    eax = size/offset to round; NtHeaderPtr (global) -> pe_struc
; Out:   eax = eax rounded up to the next multiple of the chosen alignment
;        (the alignment is assumed to be a power of two, as PE alignments are)
; Clobb: ecx (= negated alignment on return), flags (as left by the final and)

@@FileAlign:
			mov	ecx, NtHeaderPtr
			mov	ecx, [ecx+pe_struc.pe_filealign]	; ecx = file alignment
			jmp	__adjust_size
@@SectionAlign:
			mov	ecx, NtHeaderPtr
			mov	ecx, [ecx+pe_struc.pe_objectalign]	; ecx = section alignment
__adjust_size:
			lea	eax, [eax+ecx-1]		; eax = value + align - 1 (lea touches no flags)
			neg	ecx				; ecx = -align == ~(align-1) for a power of two
			and	eax, ecx			; drop the low bits -> rounded up
			retn

TouchFile		endp

include			dpack.asm

; ------------------------------------------------------------------------

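SearchBytes		proc	\
				lpszStr, \
				dwStrLen, \
				lpszSubStr, \
				dwSubStrLen
			local	dwPos
;-----------------------------------------------------------------------
; DWORD SearchBytes(LPVOID lpszStr, DWORD dwStrLen, LPVOID lpszSubStr, DWORD dwSubStrLen)
; Finds the first occurrence of the dwSubStrLen-byte pattern lpszSubStr inside
; the dwStrLen-byte buffer lpszStr. Start offsets 0 .. dwStrLen-dwSubStrLen are
; all tried (the last one included), so no byte beyond lpszStr+dwStrLen is read.
; Out:   eax = 0-based offset of the first match, or 0 when there is no match
;        (a match at offset 0 is therefore indistinguishable from "not found").
; Quirk: a zero byte in the pattern at index >= 1 is accepted against any
;        buffer byte (see the `test al, al` below); pattern byte 0 must match exactly.
; Clobb: none (pushad/popad); only eax carries the result.
;-----------------------------------------------------------------------
			pushad
			mov     eax, dwStrLen
			.if	eax < dwSubStrLen
				jmp     exit_0			; pattern longer than the buffer
			.endif
			sub     eax, dwSubStrLen
			mov     dwStrLen, eax			; dwStrLen = last valid start offset
			
			mov     esi, lpszStr
			mov     edi, lpszSubStr
			xor     edx, edx			; edx = candidate start offset
Loop1: 
			cmp     edx, dwStrLen
			ja      exit_0				; past the last start offset (the offset itself is still tried)
			xor     ecx, ecx			; ecx = index into the pattern
			mov     al, byte ptr [edi+ecx]
			mov     bl, byte ptr [esi+edx]
			cmp     al, bl
			jz      Loop2
			inc     edx
			jmp     Loop1        
Loop2: 
			inc     ecx
			inc     edx				; edx = start + ecx
			cmp     ecx, dwSubStrLen
			jz      exit_1				; whole pattern matched
			mov     al, byte ptr [edi+ecx]
			mov     bl, byte ptr [esi+edx]
			cmp     al, bl
			jz      Loop2
			test    al, al				; zero pattern byte matches anything
			jz      Loop2
			sub     edx, ecx			; mismatch: restart one past the old start
			inc     edx
			jmp     Loop1
        
exit_1:
			sub     edx, ecx			; edx = start offset of the match
			mov     dwPos, edx			; carry it across popad
			popad
			mov     eax, dwPos
			ret        
exit_0:
			popad
			xor     eax, eax
			ret
SearchBytes		endp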



; ------------------------------------------------------------------------
include			GUI.ASM

;			end	begin
