
📄 rebuildit.asm

📁 这是脱壳 PE-ARMOR 的程序源代码汇编的
; ------------------------------------------------------------------------
; Rebuild imports, my hardest work brrrrr
;
; @@RebuildNewImports
;   Rebuilds an import directory (array of 5-dword IID entries) from the
;   record list at MutatedImports and stores its RVA in the NT header.
;
;   Syntax: 32-bit x86, Intel operand order (looks like TASM/MASM style).
;   In:     no register arguments. Reads ImportsProtectedFlag,
;           MutatedImports, LoaderStart, LoaderSize, FileBase,
;           RealSymbiontStart and NtHeaderPtr (all declared elsewhere).
;   Out:    pe_importtablerva / pe_importtablesize written through
;           NtHeaderPtr; the MutatedImports records are modified in place.
;   Regs:   all general registers preserved (pushad / popad).
;   Macros: rep_movsb, @copysz and @endsz are not defined in this listing;
;           the comments below state what they are presumed to do.
;
;   NOTE(review): every length, count and string in the record list is used
;   as found. There is no check that a name length, a thunk count or a
;   string terminator stays inside the input, and no check that the output
;   written at LoaderStart+LoaderSize stays inside a buffer. If the records
;   come from the protected file (presumably - confirm), a malformed or
;   deliberately crafted file can make this routine read and write out of
;   bounds. Bounds should be validated before this is run on untrusted
;   samples.

@@RebuildNewImports:
			pushad
			mov	ecx, ImportsProtectedFlag
			test	ecx, ecx
			mov	esi, MutatedImports		; mov leaves the flags from test intact
			jz	__xxxit_nor			; flag == 0: no rebuild, only set the directory
			

; let's rebuild -_0

; Record layout per DLL, as described by the original author
; (numbers are byte offsets):
;
;FirstThunk	00 01 02 03					; we must patch this
;LengthOfDllName	04
;DllName		05 .. .. ..
;
;Null		00
;NumberOfThunks	01 02 03 04
;FakeThunkx	05 - Flag 0=Index, 1=String
                ;06 07 08 09 index
		;06 xx xx xx string
;
; The list ends at a record whose first dword is zero (tested in each stage).

			mov	edi, LoaderStart		; use old loader space for new IMPORT TABLE
			add	edi, LoaderSize			; skip loader,rsrc,othershit

; state 1 - build stringz & fake-thunkx
; recreate all of above, write new ptr in old  pos
; edi = output cursor; esi = input cursor over the record list
			push	esi				; keep list start for stage 2
__x_s_1:
			mov	eax, [esi]
			test	eax, eax
			jz	__r_end1			; zero first dword = end of list

			movzx	ecx, byte ptr[esi+4]		; name len
			inc	ecx				; +1, so the copy takes len+1 bytes (name and its null)

			mov	eax, edi
			sub	eax, FileBase			; rva
			add	esi, 4+1			; skip FirstThunk dword and length byte -> DllName
			push	esi				; remember where the name starts in the record
; presumably "rep movsb": copy ecx bytes from [esi] to [edi] - macro not shown
			rep_movsb
			mov	ecx, esi			; ecx = input position after the name
			pop	esi
; Overwrite the first 4 bytes of the in-record name with the RVA of the copy.
; NOTE(review): if len+1 < 4 this store overlaps NumberOfThunks, which is
; read just below - assumes names of at least 3 characters, confirm.
			mov	[esi], eax
			
			xchg	esi, ecx			; esi = after the name again

			lodsd
			xchg	ecx, eax			; # of thunkx

; NOTE(review): a thunk count of 0 is not handled; "loop" would decrement
; ecx to 0FFFFFFFFh and keep iterating.
__r_1_big_loop:
			push	ecx

			lodsb					; al = flag byte (0 = index, 1 = string)
			test	al, al
			jz	__bd_thunkx_i			; imported by index
			mov	ecx, edi
			sub	ecx, FileBase			; 2 rva
			mov	edx, esi			; edx = start of the name string in the record
			xor	eax, eax
			stosw					; no hint
; presumably copies the zero-terminated string at [esi] to [edi] and
; advances both; must leave ecx and edx intact - macro not shown
			@copysz
			mov	[edx-1], ecx			; hint/name RVA replaces flag byte + 3 name bytes
			jmp	__r_1_big_out

__bd_thunkx_i:
			lodsd					; eax = ordinal index
			or	eax, 80000000h			; set MSB flag
			mov	[esi-5], eax			; thunk value stored back at the flag byte position
__r_1_big_out:
			pop	ecx
			loop	__r_1_big_loop

			jmp	__x_s_1
__r_end1:
			pop	esi				; back to list start

			;int	3
			nop
; state 2 - modify IID thunks array
; Copies each thunk value prepared in stage 1 into the DLL's first-thunk
; array in the image, then leaves two pointers in the record for stage 3.

			push	esi

__x_s_2:
			mov	eax, [esi]
			test	eax, eax
			jz	__r_end2
			lodsd					; 1st thunk array
			xchg	ebx, eax
			add	ebx, FileBase			; ebx = address of the thunk array (RVA + FileBase)

			movzx	ecx, byte ptr[esi]
			inc	ecx				; self
			inc	ecx				; and the terminating null of the name
			add	esi, ecx			; esi -> NumberOfThunks

			lodsd					; # of thunkx
			xchg	ecx, eax

			mov	edx, esi			; to put ptr here l8r
			
			push	ebx

; NOTE(review): as in stage 1, a count of 0 would wrap the loop counter.
__make_1st_thunkx:
			lodsd					; thunk value written by stage 1
			mov	[ebx], eax
; presumably advances esi past the next zero byte, i.e. to the end of this
; thunk record - macro not shown, confirm against its definition
			@endsz
			add	ebx, 4
			loop	__make_1st_thunkx

			pop	ebx				; ebx = start of the thunk array again

; These two stores take 8 bytes starting at the first thunk record.
; NOTE(review): assumes the DLL's thunk records span at least 8 bytes;
; otherwise the second store reaches into the following record - confirm.
			mov	[edx], ebx			; thunk array address, read back in stage 3
			mov	[edx+4], esi			; we can place here next time


			jmp	__x_s_2
__r_end2:

			pop	esi

			
; state 3 - final build IID structs , our imports back!
; Emits one 5-dword IID per DLL at edi, using the values left in the
; records by stages 1 and 2.

			push	edi				; IMPORTANT! save new Import Table VA

			push	esi
__x_s_3:
			mov	eax, [esi]
			test	eax, eax
			jz	__r_end3
			lodsd					; skip FirstThunk
			movzx	ecx, byte ptr[esi]		; name length
			inc	esi

			lodsd					; name rva
			xchg	edx, eax

			sub	ecx, 4-1			; esi is 4 bytes into the name; len+1-4 bytes remain
			add	esi, ecx			
			
			lodsd					; skip NumberOfThunks
			lodsd					; first thunk
			sub	eax, FileBase			; rva
			xchg	ebx, eax

			mov	ecx, edi			; our NEW IMPORT ADDRESS

; IID fields in write order: 0, -1, -1, name RVA, first-thunk RVA
			xor	eax, eax
			stosd					; 1st dword = 0
			dec	eax				; eax = 0FFFFFFFFh
			stosd					; 2nd dword = -1
			stosd					; 3rd dword = -1
			xchg	eax, edx
			stosd					; name
			xchg	eax, ebx
			stosd					; 1st thunk

			
			lodsd					; get done ptr
			xchg	esi, eax			; follow the next-record pointer saved in stage 2
			jmp	__x_s_3

__r_end3:
			pop	esi

; build a null IID for end
			push	5
			pop	ecx				; 5 dwords = one IID
			xor	eax, eax
__bd_null_iid:
			stosd
			loop	__bd_null_iid

			;int	3
			;nop
; bound IT to target file

			pop	edi				; address of the new import table (pushed in stage 3)
			xchg	esi, edi
			sub	esi, FileBase			; -> RVA
			jmp	__xxxit_do

; Flag was zero: esi is still MutatedImports; the directory RVA becomes
; MutatedImports - RealSymbiontStart.
__xxxit_nor:
			sub	esi, RealSymbiontStart
__xxxit_do:
			mov	edi, NtHeaderPtr		
			mov	[edi+pe_struc.pe_importtablerva], esi
			xor	ecx, ecx
			inc	ecx
; size field is set to 1, not to the real size of the table
			mov	[edi+pe_struc.pe_importtablesize], ecx
			jmp	__xxxit_exit			; jumps to the label that follows directly

__xxxit_exit:

			popad
			retn
