/* CryptStuff.cpp -- This file is part of the "yoda Crypter v1.3". Copyright (C) 2004-2005 Ashkbiz Danehkar Copyright (C) 2000-2001 yoda/FReAK2FReAK All Rights Reserved. yoda Crypter v1.3 library are free software; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; see the file COPYRIGHT.TXT. If not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. Ashkbiz Danehkar <ashkbiz@yahoo.com>*/
#include "stdafx.h"
#include "yC.h"
#include "PER.h"
#include "CryptStuff.h"
#include ".\CryptStuff.h"
#include <winnt.h>
#include <imagehlp.h>
#ifdef _DEBUG
#define DEBUG_NEW
#endif
//------ DEFINITIONS -------
// Fixed sizes and limits used by the crypter. Only MAX_IID_NUM is referenced
// in this part of the file (it bounds the IIDInfo[] table below); the others
// are consumed by code further down / not in view.
#define IT_SIZE 0x60
#define MAX_SECTION_NUM 20
#define MAX_IID_NUM 30
#define OEP_JUMP_ENCRYPT_NUM 'y'
#define VAR_PER_SIZE 0x30
#define SEC_PER_SIZE 0x30
// 32-bit literal: compares equal to INVALID_HANDLE_VALUE ((HANDLE)-1) only in
// a 32-bit build. The leading underscore + capital makes this a reserved
// identifier in C/C++.
#define _INVALID_HANDLE_VALUE 0xFFFFFFFF
//------- ERROR --------
// Error codes accepted by ShowErr(); each one selects one of the sz*Err
// message strings declared in the CONST section.
#define MemErr 1
#define PEErr 2
#define FileErr 3
#define NoRoom4SectionErr 4
#define FsizeErr 5
#define SecNumErr 6
#define IIDErr 7
//----------------------------------------------------------------
//------- FUNCTION ---------
// Forward declarations. Definitions for the first six are visible below;
// the remaining functions are defined later in the file (not in view).
void ShowErr(unsigned char numErr);                 // message box for an error code
DWORD GetFunctionRVA(void* FuncName);               // resolves a jmp-thunk to the real function address
DWORD GetFunctionSize(void* FuncName);              // byte length up to the "ret" + DEPACKEND marker
char* CopyFunction(void* FuncName);                 // heap copy of a function body (caller owns it)
PIMAGE_SECTION_HEADER _ImageRvaToSection(char* Base,DWORD dwRVA); // section containing an RVA, or NULL
DWORD RVA2Offset(char* Base,DWORD dwRVA);           // RVA -> raw file offset, 0 on error
void AllocateLoaderVariables(char* Base);           // lays the loader variables out inside the stub image
void GetLoaderCryptRO(char* pFuncBody);
void GetOepJumpCodeRO(char* pFuncBody);
void OepJumpEncrypt(char* Base);
DWORD PEAlign(DWORD dwTarNum,DWORD dwAlignTo);
DWORD GetChecksum(char* Base,DWORD FileSize);
char* ReadStringFrom(char* Base,DWORD VA);
DWORD EnDeCryptString(char* Base,DWORD dwRO);
DWORD ProcessOrgIT(char* pFileImage,DWORD pITBaseRO);
void AssembleIT(char* Base,DWORD dwNewSectionRO,DWORD dwNewSectionVA);
void ProcessTlsTable(char* Base,DWORD CryptSectionVA);
PIMAGE_SECTION_HEADER AddSection(char* Base);
void CryptPE(char* Base,DWORD dwMode);
void CryptFile(char* szFname,DWORD dwProtFlags);
void PE_LOADER_CODE();                              // the loader stub itself; presumably what CopyFunction extracts — confirm
//----------------------------------------------------------------
//------- CONST --------
// User-visible messages. ShowErr() selects one of the sz*Err strings by
// error code; szDone/szDoneCap are used by code not in view.
const char *szDone ="File encrypted successfully !";
const char *szDoneCap =":)";
const char *szFileErr ="File access error :(";
const char *szNoPEErr ="Invalid PE file !";
const char *szNoMemErr ="Not enough memory :(";
const char *szFsizeErr ="Files with a filesize of 0 aren't allowed !";
const char *szNoRoom4SectionErr="There's no room for a new section :(";
const char *szSecNumErr ="Too many sections !";
const char *szIIDErr ="Too much ImageImportDescriptors !";
const DWORD ALIGN_CORRECTION =0x1000;// this big value is e.g. needed for WATCOM compiled files
// Name of the section the crypter adds (used by AddSection, not in view) — presumably.
const char *DEPACKER_SECTION_NAME="yC";
// Import names written into the output's import table (AssembleIT, not in
// view). NOTE(review): "KeRnEl32.dLl" is deliberately mixed-case; the loader
// presumably relies on case-insensitive module lookup — confirm.
const char *szKernel ="KeRnEl32.dLl";
const char *szLoadLibrary ="LoadLibraryA";
const char *szGetProcAddress ="GetProcAddress";
//----------------------------------------------------------------
//------- DATA ---------
// Host-side (crypter) state shared by the functions in this file. All of it
// has static storage and is therefore zero-initialised; the values are
// assigned by code outside this view (CryptFile / CryptPE), so the comments
// below only record what is visible here.
HANDLE pMap = NULL;
DWORD dwBytesRead = 0;
DWORD dwBytesWritten = 0;
char *pMem = NULL;
DWORD dwFsize = 0;
DWORD dwOutPutSize = 0;
DWORD dwNewFileEnd = 0;
DWORD dwNTHeaderAddr = 0;
DWORD dwSectionNum = 0;
DWORD dwNewSectionRO = 0;
DWORD dwOrgITRVA = 0;
HANDLE hFile = NULL;
char *dllname;
//----------------------------
char *SecEncryptBuff;
char *SecDecryptBuff;
char *pDepackerCode;            // presumably the buffer returned by CopyFunction — confirm
DWORD DEPACKER_CODE_SIZE;       // AllocateLoaderVariables starts laying variables out backwards from this offset
//-----------------------------
// Raw offsets (relative to the stub start) filled in by the GetLoader*RO /
// GetOepJumpCodeRO helpers, which are not in view.
DWORD dwRO_VAR_DECRYPTION;
DWORD dwRO_SEC_DECRYPT;
DWORD dwRO_OEP_JUMP_CODE_START;
DWORD dwRO_OEP_JUMP_CODE_END;
DWORD OEP_JUMP_CODE_SIZE;
//----------------------------------------------------------------
//----- LOADER STRUCTS -----
// One import-descriptor record for the loader stub; IIDInfo[] (declared
// below) holds up to MAX_IID_NUM of these. The field names mirror
// IMAGE_IMPORT_DESCRIPTOR's Name / FirstThunk / OriginalFirstThunk —
// NOTE(review): the code that fills them is not in view; confirm the meaning.
struct sItInfo
{
DWORD DllNameRVA;
DWORD FirstThunk;
DWORD OrgFirstThunk;
};
// Register save area used by the loader stub's exception handling (a single
// instance, SEH, is declared below). Only the field names are visible here;
// how the stub uses them is not in view.
struct sSEH
{
DWORD OrgEsp;
DWORD OrgEbp;
DWORD SaveEip;
};
// Linked-list node describing an API stub; no use of this type is visible in
// this part of the file.
struct sReThunkInfo
{
DWORD ApiStubMemAddr;
DWORD pNextStub;
};
// Unused. Note that without #pragma pack(1) this struct is padded to 8 bytes
// (3 bytes after JumpOpc), so it would not overlay a raw 5-byte jmp anyway.
struct sApiStub // UNUSED !
{
UCHAR JumpOpc;
DWORD JumpAddr;
};
//----------------------------------------------------------------
//----- LOADER VARIABLES -----
// Host-side images of the variables that live inside the loader stub.
// AllocateLoaderVariables() (below) copies each of these byte-for-byte into
// the stub image, laid out backwards from DEPACKER_CODE_SIZE, and records the
// resulting offset in the matching dwRO_* variable. The API-name strings are
// therefore written into the output in plain form at that point; the trailing
// comment "won't be crypted" implies the earlier ones are encrypted later by
// code not in view.
DWORD dwImageBase = 0;
DWORD dwOrgEntryPoint = 0;
DWORD PROTECTION_FLAGS= 0;
DWORD dwCalcedCRC = 0;
DWORD dwLoaderCRC = 0;
DWORD bNT = 0;
sItInfo IIDInfo[MAX_IID_NUM];
sSEH SEH;
DWORD _LoadLibrary = 0;
DWORD _GetProcAddress = 0;
// some API stuff
// Each name string is paired with the slot that will receive the resolved address.
const char *szKernel32 = "Kernel32.dll";
DWORD dwKernelBase = 0;
const char *szGetModuleHandle = "GetModuleHandleA";
DWORD _GetModuleHandle = 0;
const char *szVirtualProtect ="VirtualProtect";
DWORD _VirtualProtect = 0;
const char *szGetModuleFileName= "GetModuleFileNameA";
DWORD _GetModuleFileName = 0;
const char *szCreateFile = "CreateFileA";
DWORD _CreateFile = 0;
const char *szGlobalAlloc = "GlobalAlloc";
DWORD _GlobalAlloc = 0;
const char *szGlobalFree = "GlobalFree";
DWORD _GlobalFree = 0;
const char *szReadFile = "ReadFile";
DWORD _ReadFile = 0;
const char *szGetFileSize = "GetFileSize";
DWORD _GetFileSize = 0;
const char *szCloseHandle = "CloseHandle";
DWORD _CloseHandle = 0;
const char *szIsDebuggerPresent= "IsDebuggerPresent";
// This variables won't be crypted:
IMAGE_TLS_DIRECTORY32 TlsBackup;
DWORD dwOrgChecksum = 0;
char *Buff = NULL;// buffer for some stuff, its size: 2000h(VS) - DEPACKER_CODE_SIZE
//----------------------------------------------------------------
//----- LOADER VARIABLES ADDRESS-----
// Raw offsets, relative to the start of the loader stub, at which
// AllocateLoaderVariables() placed the corresponding LOADER VARIABLE above
// (e.g. dwRO_Buff, dwRO_dwOrgChecksum, dwRO_szCloseHandle are assigned there).
// Zero until that function has run.
DWORD dwRO_dwImageBase;
DWORD dwRO_dwOrgEntryPoint;
DWORD dwRO_PROTECTION_FLAGS ;
DWORD dwRO_dwCalcedCRC;
DWORD dwRO_dwLoaderCRC;
DWORD dwRO_bNT;
DWORD dwRO_IIDInfo;
DWORD dwRO_SEH;
DWORD dwRO_LoadLibrary;
DWORD dwRO_GetProcAddress;
// some API stuff
DWORD dwRO_szKernel32;
DWORD dwRO_dwKernelBase;
DWORD dwRO_szGetModuleHandle;
DWORD dwRO_GetModuleHandle;
DWORD dwRO_szVirtualProtect;
DWORD dwRO_VirtualProtect;
DWORD dwRO_szGetModuleFileName;
DWORD dwRO_GetModuleFileName;
DWORD dwRO_szCreateFile;
DWORD dwRO_CreateFile;
DWORD dwRO_szGlobalAlloc;
DWORD dwRO_GlobalAlloc;
DWORD dwRO_szGlobalFree;
DWORD dwRO_GlobalFree;
DWORD dwRO_szReadFile;
DWORD dwRO_ReadFile;
DWORD dwRO_szGetFileSize;
DWORD dwRO_GetFileSize;
DWORD dwRO_szCloseHandle;
DWORD dwRO_CloseHandle;
DWORD dwRO_szIsDebuggerPresent;
// This variables won't be crypted:
DWORD dwRO_TlsBackup;
DWORD dwRO_dwOrgChecksum;
DWORD dwRO_Buff;
//----------------------------------------------------------------
//----- ERROR MESSAGES ----
//The ShowErr display message by receiving its Error Number
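void ShowErr(unsigned char numErr)
{
    // Display the message that belongs to an error code (MemErr .. IIDErr)
    // in a modal message box.
    //
    // The message strings are file-scope constants, so they are passed
    // directly instead of being strcpy'd into a heap buffer: the previous
    // version allocated 64 bytes with new[] on every call and never freed
    // them, and for an unknown code it handed MessageBox an uninitialised
    // buffer. An unknown code now shows a fixed fallback text.
    const char *szErr = NULL;
    switch(numErr)
    {
    case MemErr:
        szErr = szNoMemErr;
        break;
    case PEErr:
        szErr = szNoPEErr;
        break;
    case FileErr:
        szErr = szFileErr;
        break;
    case NoRoom4SectionErr:
        szErr = szNoRoom4SectionErr;
        break;
    case FsizeErr:
        szErr = szFsizeErr;
        break;
    case SecNumErr:
        szErr = szSecNumErr;
        break;
    case IIDErr:
        szErr = szIIDErr;
        break;
    default:
        szErr = "Unknown error";
        break;
    }
    MessageBox(GetActiveWindow(), szErr,
               "ERROR",
               MB_OK | MB_ICONERROR);
}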
//----------------------------------------------------------------
//The GetFunctionRVA function returns the relative virtual
//address (RVA) of a Function with location pointer.
DWORD GetFunctionRVA(void* FuncName)
{
    // Follow a 5-byte "jmp rel32" thunk to the address it jumps to.
    //
    // FuncName is read as: one opcode byte, then a 32-bit displacement that
    // is relative to the end of the 5-byte instruction. The opcode byte is
    // not checked. NOTE(review): this only works when the compiler/linker
    // emits such thunks for function addresses (e.g. incremental linking);
    // confirm for the release configuration. The pointer-to-DWORD
    // conversion assumes a 32-bit build.
    char *thunk = PCHAR(FuncName);
    DWORD displacement;
    CopyMemory(&displacement, thunk + 1, sizeof displacement);
    return DWORD(thunk) + displacement + 5;
}
//----------------------------------------------------------------
//The GetFunctionSize function returns the size of
//a Function with FuncName location pointer.
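DWORD GetFunctionSize(void* FuncName)
{
    // Return the length in bytes of the function FuncName points to (via its
    // jmp thunk, see GetFunctionRVA), counted up to and including the first
    // "ret" (0xC3) that is immediately followed by the 9-byte marker
    // "DEPACKEND".
    //
    // There is no upper bound on the scan: if the marker is missing the loop
    // reads past the end of the function, so every build must keep the
    // marker in place. The previous version new[]'d a 10-byte scratch buffer
    // per call and never freed it; the comparison is now done in place.
    const char *body = PCHAR(GetFunctionRVA(FuncName));
    static const char marker[] = "DEPACKEND";
    const size_t markerLen = sizeof marker - 1;   // 9, excluding the NUL
    DWORD l = 0;
    for(;;)
    {
        const unsigned char opc = (unsigned char)body[l];
        l++;                                       // l now counts this byte
        if(opc == 0xC3 && memcmp(body + l, marker, markerLen) == 0)
        {
            break;                                 // ret + marker found
        }
    }
    return l;
}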
//----------------------------------------------------------------
//The CopyFunction function returns the pointer of
//a Function with FuncName location pointer to TCHAR pointer.
char* CopyFunction(void* FuncName)
{
    // Make a heap copy of the function body FuncName refers to.
    // The buffer is one byte longer than the body (that byte is left
    // unset); the caller owns it and must delete[] it.
    char *src = PCHAR(GetFunctionRVA(FuncName));
    DWORD length = GetFunctionSize(FuncName);
    char *copy = new TCHAR[length + 1];
    CopyMemory(copy, src, length);
    return copy;
}
//----------------------------------------------------------------
//The _ImageRvaToSection function locates a relative virtual
//address (RVA) within the image header of a file that is
//mapped as a file and returns a pointer to the section table
//entry for that virtual address.
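PIMAGE_SECTION_HEADER _ImageRvaToSection(char* Base,DWORD dwRVA)
{
    // Walk the section table of the PE image at Base and return a pointer to
    // the header of the section whose raw range covers dwRVA, or NULL.
    //
    // The pointer points INTO the image at Base, so it is valid for as long
    // as that mapping is. The previous version returned the address of a
    // local copy of the header, which dangled the moment it returned and was
    // then dereferenced by RVA2Offset.
    //
    // Base is the user-supplied input file: e_lfanew and NumberOfSections
    // are taken from it without being checked against the file size here.
    // NOTE(review): callers are presumably expected to have validated the
    // PE signature before calling — confirm.
    DWORD dwPE_Offset;
    CopyMemory(&dwPE_Offset, Base + 0x3c, sizeof dwPE_Offset);    // e_lfanew
    IMAGE_NT_HEADERS nt_headers;
    CopyMemory(&nt_headers, Base + dwPE_Offset, sizeof nt_headers);
    // The section table is assumed to start right after IMAGE_NT_HEADERS,
    // i.e. SizeOfOptionalHeader == sizeof(IMAGE_OPTIONAL_HEADER); this holds
    // for ordinary PE32 files but is not verified.
    const DWORD SectionOffset = dwPE_Offset + sizeof(IMAGE_NT_HEADERS);
    for(int i = 0; i < nt_headers.FileHeader.NumberOfSections; i++)
    {
        PIMAGE_SECTION_HEADER section =
            (PIMAGE_SECTION_HEADER)(Base + SectionOffset + i * sizeof(IMAGE_SECTION_HEADER));
        // Inclusive upper bound kept from the original: an RVA exactly one
        // past the raw data is still attributed to this section.
        if(dwRVA >= section->VirtualAddress
           && dwRVA <= section->VirtualAddress + section->SizeOfRawData)
        {
            return section;
        }
    }
    return NULL;
}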
//----------------------------------------------------------------
// calulates the Offset from a RVA
// Base - base of the MMF
// dwRVA - the RVA to calculate
// returns 0 if an error occurred else the calculated Offset will be returned
DWORD RVA2Offset(char* Base,DWORD dwRVA)
{
    // Translate an RVA of the image at Base into a raw file offset using
    // the section that contains it. Returns 0 when no section covers dwRVA.
    // Relies on the header pointer handed back by _ImageRvaToSection being
    // readable at this point.
    PIMAGE_SECTION_HEADER sec = _ImageRvaToSection(Base, dwRVA);
    if(!sec)
    {
        return 0;
    }
    const DWORD delta = dwRVA - sec->VirtualAddress;   // distance into the section
    return sec->PointerToRawData + delta;
}
//----------------------------------------------------------------
void AllocateLoaderVariables(char* Base)
{
DWORD l;
//----- LOADER VARIABLES -----
DWORD dwRO=DEPACKER_CODE_SIZE;
dwRO = dwRO - 1;
//Buff DB 0
dwRO = dwRO - 4;
dwRO_Buff =dwRO;
FillMemory(Base+dwRO,4,0x00);
//dwOrgChecksum DD 0
dwRO = dwRO - 4;
dwRO_dwOrgChecksum =dwRO;
CopyMemory(Base+dwRO,&dwOrgChecksum,4);
//TlsBackup IMAGE_TLS_DIRECTORY32 <0>
dwRO = dwRO - sizeof(IMAGE_TLS_DIRECTORY32);
dwRO_TlsBackup =dwRO;
CopyMemory(Base+dwRO,&TlsBackup,sizeof(IMAGE_TLS_DIRECTORY32));
//szIsDebuggerPresent DB "IsDebuggerPresent",0
l=DWORD(strlen(szIsDebuggerPresent))+1;
dwRO = dwRO - l;
dwRO_szIsDebuggerPresent=dwRO;
CopyMemory(Base+dwRO,szIsDebuggerPresent,l);
//_CloseHandle DD 0
dwRO = dwRO - 4;
dwRO_CloseHandle=dwRO;
CopyMemory(Base+dwRO,&_CloseHandle,4);
//szCloseHandle DB "CloseHandle",0
l=DWORD(strlen(szCloseHandle))+1;
dwRO = dwRO - l;
dwRO_szCloseHandle=dwRO;
CopyMemory(Base+dwRO,szCloseHandle,l);
//_GetFileSize DD 0
dwRO = dwRO - 4;
dwRO_GetFileSize=dwRO;
CopyMemory(Base+dwRO,&_GetFileSize,4);
//szGetFileSize DB "GetFileSize",0
l=DWORD(strlen(szGetFileSize))+1;
dwRO = dwRO - l;
dwRO_szGetFileSize=dwRO;
CopyMemory(Base+dwRO,szGetFileSize,l);
//_ReadFile DD 0
dwRO = dwRO - 4;
dwRO_ReadFile=dwRO;
CopyMemory(Base+dwRO,&_ReadFile,4);
//szReadFile DB "ReadFile",0
l=DWORD(strlen(szReadFile))+1;
dwRO = dwRO - l;
dwRO_szReadFile=dwRO;
CopyMemory(Base+dwRO,szReadFile,l);
//_GlobalFree DD 0
dwRO = dwRO - 4;
dwRO_GlobalFree=dwRO;
CopyMemory(Base+dwRO,&_GlobalFree,4);
//szGlobalFree DB "GlobalFree",0
l=DWORD(strlen(szGlobalFree))+1;
dwRO = dwRO - l;
dwRO_szGlobalFree=dwRO;
CopyMemory(Base+dwRO,szGlobalFree,l);
//_GlobalAlloc DD 0
dwRO = dwRO - 4;
dwRO_GlobalAlloc=dwRO;
CopyMemory(Base+dwRO,&_GlobalAlloc,4);
//szGlobalAlloc DB "GlobalAlloc",0
l=DWORD(strlen(szGlobalAlloc))+1;
dwRO = dwRO - l;
dwRO_szGlobalAlloc=dwRO;
CopyMemory(Base+dwRO,szGlobalAlloc,l);
//_CreateFile DD 0
dwRO = dwRO - 4;
dwRO_CreateFile=dwRO;
CopyMemory(Base+dwRO,&_CreateFile,4);
//szCreateFile DB "CreateFileA",0
l=DWORD(strlen(szCreateFile))+1;
dwRO = dwRO - l;
dwRO_szCreateFile=dwRO;
CopyMemory(Base+dwRO,szCreateFile,l);
//_GetModuleFileName DD 0
dwRO = dwRO - 4;
dwRO_GetModuleFileName=dwRO;
CopyMemory(Base+dwRO,&_GetModuleFileName,4);
//szGetModuleFileName DB "GetModuleFileNameA",0
l=DWORD(strlen(szGetModuleFileName))+1;
dwRO = dwRO - l;
dwRO_szGetModuleFileName=dwRO;
CopyMemory(Base+dwRO,szGetModuleFileName,l);
//_VirtualProtect DD 0
dwRO = dwRO - 4;
dwRO_VirtualProtect=dwRO;
CopyMemory(Base+dwRO,&_VirtualProtect,4);
//szVirtualProtect DB "VirtualProtect",0
l=DWORD(strlen(szVirtualProtect))+1;
dwRO = dwRO - l;
dwRO_szVirtualProtect=dwRO;
CopyMemory(Base+dwRO,szVirtualProtect,l);