MOV DWORD PTR [EAX+20h],1000h // increase size variable
JMP fuapfdw_finished
fuapfdw_is9x:
PUSH 0
MOV EBX,EBP
ADD EBX,OFFSET _RO_GetModuleHandle
CALL [EBX]
//HMODULE GetModuleHandle(LPCTSTR lpModuleName);
TEST EDX,EDX
JNS fuapfdw_finished // Most probably incompatible!!!
CMP DWORD PTR [EDX+8],-1
JNE fuapfdw_finished // Most probably incompatible!!!
MOV EDX,[EDX+4] // get address of internaly used
// PE header
MOV DWORD PTR [EDX+50h],1000h // increase size variable
fuapfdw_finished:
LetDumpable:
//.ENDIF
//----------------------------------------------------------
//---------------- GET HEADER WRITE ACCESS -----------------
// Make the PE header page of the running image writable so that the
// header can be patched in place later on.
// Data-access convention used throughout this stub: every _RO_* variable is
// reached as EBP + OFFSET symbol. NOTE(review): this reads as EBP holding the
// load delta of the stub (runtime address minus link-time address) — confirm
// where EBP is set up (outside this chunk).
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwImageBase
MOV EDI,DWORD PTR [EDX]                  // edi = image base
ADD EDI,DWORD PTR [EDI+03Ch]// edi -> pointer to PE header
//assume edi : ptr IMAGE_NT_HEADERS
// e_lfanew is trusted as found: no "MZ" / "PE\0\0" signature check here.
MOV ESI,DWORD PTR [EDX]                  // esi = image base; not read again before ESI is reassigned in this chunk
MOV ECX,DWORD PTR [EDI+0x54]//.OptionalHeader.SizeOfHeaders
//assume edi : nothing
// fix page access
MOV EDX,EBP
ADD EDX,OFFSET _RO_Buff
LEA EAX,[EDX]                            // eax = &Buff (LEA of [reg] is just a move); Buff receives lpflOldProtect
PUSH EAX
PUSH PAGE_READWRITE
PUSH ECX
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwImageBase
PUSH [EDX]
MOV EDX,EBP
ADD EDX,OFFSET _RO_VirtualProtect
CALL [EDX]
//VirtualProtect(dwImageBase,
// OptionalHeader.SizeOfHeaders,
// PAGE_READWRITE,
// *Buff);
// The BOOL result is not checked: if the call failed, any later write to the
// header page faults. The previous protection saved into Buff is never
// restored within this chunk (Buff is reused as scratch further down), so
// the header page stays read-write for the lifetime of the process.
//----------------------------------------------------------
//---------------------- CALCULATE CRC ---------------------
//.IF [EBP+PROTECTION_FLAGS]== CHECK_HEADER_CRC
// Integrity check of the on-disk executable: open the file that hosts this
// code, read it minus a fixed-size tail, run _GetCheckSum over the buffer and
// store the result in _RO_dwCalcedCRC for the compare done after decryption.
// Fail-open behaviour: on every error path below (CreateFile, GlobalAlloc)
// _RO_dwCalcedCRC is left untouched rather than set to a sentinel, and the
// later compare skips itself when that variable is zero — so a file that
// cannot be read silently passes the integrity check.
MOV EDX,EBP
ADD EDX,OFFSET _RO_PROTECTION_FLAGS
TEST DWORD PTR [EDX],CHECK_HEADER_CRC
JZ DontCheckCRC
// get the calling exe filename
push MAX_PATH
MOV EDX,EBP
ADD EDX,OFFSET _RO_Buff
LEA EDI,[EDX]                            // edi = &Buff, receives the path
PUSH EDI// edi -> filename
PUSH 0
MOV EDX,EBP
ADD EDX,OFFSET _RO_GetModuleFileName
CALL [EDX]
//FileName=GetModuleFileName(NULL,Buff,MAX_PATH);
// The returned length is not checked (0 on failure, MAX_PATH on truncation);
// whatever is in Buff is handed to CreateFile as the path.
// map it...
PUSH 0
PUSH FILE_ATTRIBUTE_NORMAL
PUSH OPEN_EXISTING
PUSH NULL
PUSH FILE_SHARE_READ
PUSH GENERIC_READ
PUSH EDI
MOV EDX,EBP
ADD EDX,OFFSET _RO_CreateFile
CALL [EDX]
//handle=CreateFile(FileName,
// GENERIC_READ,FILE_SHARE_READ,NULL,
// OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
CMP EAX,_INVALID_HANDLE_VALUE
JNE HANDLE_IS_VALID1
XOR EAX,EAX
JMP SkipChecksumCalc                     // open failed: nothing to close, checksum not stored
HANDLE_IS_VALID1:
MOV EDI,EAX // edi -> file handle
PUSH NULL
PUSH edi
MOV EDX,EBP
ADD EDX,OFFSET _RO_GetFileSize
CALL [EDX]
//filesize=GetFileSize(handle,NULL);
// Bytes to checksum = filesize - (DepackerCodeEND - OEP_JUMP_CODE_START) - 2.
// The two OFFSETs are link-time addresses, but only their difference is
// used, so the value is relocation-independent. Which part of the file the
// excluded tail corresponds to is not visible in this chunk.
// Neither an INVALID_FILE_SIZE return nor a file shorter than the excluded
// tail is caught; both wrap to a huge byte count that reaches GlobalAlloc.
MOV EDX,OFFSET DepackerCodeEND//OEP_JUMP_CODE_END
SUB EDX,OFFSET OEP_JUMP_CODE_START//EDX->CHECKSUM_SKIP_SIZE
SUB EAX,EDX
SUB EAX,2
XCHG EAX,ESI// esi -> filesize
PUSH ESI
PUSH GMEM_FIXED+GMEM_ZEROINIT
MOV EDX,EBP
ADD EDX,OFFSET _RO_GlobalAlloc
CALL [EDX]
//hglobal=GlobalAlloc(GMEM_FIXED|GMEM_ZEROINIT,filesize);
//.IF(hglobal==NULL)
CMP EAX,NULL
JNE ALLOCATE_IS_VALID
JMP SkipChecksumCalcAndCleanUp           // eax = 0 here; the handle in edi still gets closed
ALLOCATE_IS_VALID:
//.ENDIF
XCHG EAX,EBX// ebx -> mem base
PUSH NULL
MOV EDX,EBP
ADD EDX,OFFSET _RO_Buff
LEA EAX,[EDX]                            // eax = &Buff, receives lpNumberOfBytesRead
PUSH EAX
PUSH ESI
PUSH EBX
PUSH EDI
MOV EDX,EBP
ADD EDX,OFFSET _RO_ReadFile
CALL [EDX]
//BOOL ReadFile(handle,hglobal,filesize,Buff,NULL);
// Neither the BOOL nor the byte count in Buff is checked: a short or failed
// read leaves the remainder of the buffer at the GMEM_ZEROINIT zeros and the
// checksum is computed over that.
// get the checksum
MOV EAX,EBX                              // eax = buffer start (input of _GetCheckSum)
MOV ECX,ESI                              // ecx = byte count (input of _GetCheckSum)
PUSH EBX// [ESP] -> hMem
PUSH EDI// EDI = hFile
CALL _GetCheckSum                        // clobbers ebx/edi (saved above), ecx, edx
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwCalcedCRC
MOV [EDX],EAX                            // the only place _RO_dwCalcedCRC is written in this chunk
POP EDI
POP EBX
// the calculated CRC will be compared at the start of the InitIT function >:-)
// FUNNY JUMP :)
// push/ret used in place of a direct jump; the target address is rebuilt
// through EBP. A relative JMP to the same label would behave the same on
// this path, so the construct presumably serves to hide the control flow
// from linear disassembly. The JMP after the RETN is never reached.
MOV EDX,EBP
ADD EDX,OFFSET AfterCRCCalcContinue
LEA EAX,[EDX]
PUSH EAX
RETN
JMP AfterDeCryptionContinue              // unreachable: control already left via RETN
//---------------------
//-> Start of GetCheckSum
_GetCheckSum:
// DWORD GetCheckSum(const BYTE *data /*eax*/, DWORD size /*ecx*/)
// In:    EAX = buffer start, ECX = byte count. ECX must be > 0: LOOP
//        decrements before testing, so ECX == 0 iterates 2^32 times.
// Out:   EAX = checksum.
// Clobb: EBX, ECX (0 on exit), EDX, EDI (advanced past the buffer), flags.
//        The caller saves EBX/EDI around the call itself.
// NOTE(review): the loop reads as if it meant sum(byte[i] * i), but MUL EDX
// writes the HIGH dword of the product back into EDX. The product here never
// exceeds 255, so EDX becomes 0 on every iteration and INC leaves it at 1.
// The value actually computed is the plain sum of byte[1..size-1] mod 2^32
// (byte[0] is multiplied by 0). A plain byte sum is order-insensitive and
// trivially collidable, so this detects accidental corruption rather than
// deliberate modification. Any change to this routine must be mirrored
// wherever _RO_dwOrgChecksum is produced, or the later compare always fails.
// EAX = file image base
// ECX = filesize
MOV EDI,EAX // edi -> data pointer
XOR EAX,EAX // eax -> current bytes
XOR EBX,EBX // ebx -> current checksum
XOR EDX,EDX // edx -> Position (zero based)
// start calculation
CheckSumLoop:
MOV AL,BYTE PTR [EDI]                    // eax = next byte (upper bytes are 0 here, see note above)
MUL EDX                                  // edx:eax = eax * edx — edx is overwritten, not preserved
ADD EBX,EAX
INC EDX
INC EDI
LOOP CheckSumLoop
XCHG EAX,EBX// EAX -> checksum
RETN
//-> End of GetChecksum
//---------------------
AfterCRCCalcContinue:
// Reached through the push/ret above, not by a visible JMP. Frees the file
// buffer, closes the file, then joins the no-CRC path at DontCheckCRC.
// clean up
PUSH EBX                                 // ebx = hMem from GlobalAlloc
MOV EDX,EBP
ADD EDX,OFFSET _RO_GlobalFree
CALL [EDX]//GlobalFree(hMem); result not checked
XCHG ESI,EAX                             // eax = old esi (byte count), esi = GlobalFree result
SkipChecksumCalcAndCleanUp:
// Entered directly when GlobalAlloc failed (eax = 0); edi = file handle either way.
PUSH EAX                                 // keep eax across CloseHandle
PUSH EDI
MOV EDX,EBP
ADD EDX,OFFSET _RO_CloseHandle
CALL [EDX]//CloseHandle(handle); result not checked
POP EAX
SkipChecksumCalc:
// Entered directly when CreateFile failed (eax = 0, nothing to close).
DontCheckCRC:
//.ENDIF
//----------------------------------------------------------
//----------------------- DECRYPTION -----------------------
// Decrypt the loaded image in place: _CryptPE with EBX = 1 (VirtualCrypt
// mode) walks the section table and calls _DecryptBuff on each eligible
// section. EAX/EBX are the register parameters of _CryptPE.
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwImageBase
MOV EAX,[EDX]                            // eax = image base
MOV EBX,1                                // ebx = 1: VirtualCrypt (offsets via VirtualAddress)
CALL _CryptPE
// FUNNY JUMP :)  push/ret to AfterDeCryptionContinue, address built via EBP.
MOV EDX,EBP
ADD EDX,OFFSET AfterDeCryptionContinue
LEA EAX,[EDX]
PUSH EAX
RETN
//-----------------------------------------------------
//----------------- SECTIONS DECRYPTER ----------------
// void DecryptBuff(char* Base,DWORD dwRVA,DWORD dwSize)
// esi = CryptStart
// ecx = CryptSize
_DecryptBuff:
// In:    ESI = start of the section data (CryptStart), ECX = byte count
//        (CryptSize; must be > 0, LOOP would otherwise run 2^32 times),
//        EAX = the caller's base pointer (only AL is rewritten here).
// Out:   the bytes at [ESI..ESI+ECX) are rewritten in place (EDI = ESI).
// Clobb: AL, ECX (0), ESI/EDI (advanced), flags, and the byte at [EAX].
// NOTE(review): as written this is an identity copy. LODS loads AL, the
// sixteen ADDs modify the byte in memory at address EAX (not AL), and STOS
// stores AL unchanged. With the caller's EAX = base of _CryptPE, that write
// lands at base + loaded byte, i.e. inside the first 256 bytes of the image
// — the header page made writable earlier — and it happens for every byte
// of every section. The JMP-over-INT3 padding and the run of identical ADDs
// look like a slot the packer overwrites with the real transform at protect
// time — confirm; treat the algorithm shown here as a placeholder.
MOV EDI,ESI                              // write in place
JMP DecryptBuffLoop
INT 3                                    // padding, skipped by the JMP above
INT 3
INT 3
INT 3
DecryptBuffLoop:
LODS BYTE PTR DS:[ESI]                   // al = *esi++
ADD BYTE PTR DS:[EAX],AL                 // [eax] += al, sixteen times; AL itself is not modified
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
STOS BYTE PTR ES:[EDI]                   // *edi++ = al
LOOP DecryptBuffLoop
RETN
//-----------------------------------------------------
//----------------- SECTIONS ENCRYPTER ----------------
// void EncryptBuff(char* Base,DWORD dwRVA,DWORD dwSize)
// esi = CryptStart
// ecx = CryptSize
_EncryptBuff:
// In:    ESI = start of the section data (CryptStart), ECX = byte count
//        (CryptSize; must be > 0 for LOOP).
// Out:   bytes rewritten in place.  Clobb: AL, ECX (0), ESI/EDI, flags.
// As written this is an identity copy: each byte is loaded and stored back
// to the address it came from. The MOV EDI,ESI inside the loop re-syncs EDI
// every iteration, which is redundant while the copy is in place. The
// commented "SecEncryptBuff DB SEC_PER_SIZE DUP (0)" suggests the actual
// transform is supplied by the packer side — confirm.
MOV EDI,ESI
EncryptBuffLoop:
MOV EDI,ESI
LODS BYTE PTR DS:[ESI]                   // al = *esi++
//SecEncryptBuff DB SEC_PER_SIZE DUP (0)
STOS BYTE PTR ES:[EDI]                   // *edi++ = al (edi == esi - 1 here, so in place)
LOOP EncryptBuffLoop
RETN
//------------------------------------------------------
// void CryptPE(char* Base,DWORD dwMode)
//------------------------------------------------------
// eax = pointer to file memory
// ebx: 0 - RawCrypt mode
// 1 - VirtualCrypt mode
_CryptPE:
// void CryptPE(char* Base, DWORD dwMode)
// In:    EAX = base (raw file buffer in mode 0, loaded image in mode 1)
//        EBX = 0  RawCrypt: offsets via PointerToRawData, calls _EncryptBuff
//        EBX = 1  VirtualCrypt: offsets via VirtualAddress, calls _DecryptBuff
// Out:   nothing; the eligible sections are rewritten in place.
// Clobb: EDI (NT headers), ESI (section header cursor), EDX (section index),
//        flags. PUSHAD/POPAD protects everything else around each section.
// Trust boundary: no MZ/PE signature or bounds check — e_lfanew and the
// section table are used exactly as found in memory.
// NOTE(review): the section table is assumed at NT headers + 0F8h, i.e. a
// PE32 optional header of 0E0h bytes; FileHeader.SizeOfOptionalHeader at
// [EDI+14h] is not consulted, so any other layout walks the wrong bytes.
MOV EDI,EAX
ADD EDI,[EDI+3Ch]
//assume edi : ptr IMAGE_NT_HEADERS ; edi -> PE header
MOV ESI,EDI
ADD ESI,0F8h
//assume esi : ptr IMAGE_SECTION_HEADER ; esi -> Section header
XOR EDX,EDX                              // edx = section index
//.REPEAT
SECTION_IS_NOT_ZERO:
// -> skip some special sections !
// Only the first 4 bytes of the 8-byte section Name are compared, so each
// test is a prefix match (e.g. 'rsr.' matches any name starting ".rsr").
// Skipped: rsrc/.rsrc, reloc/.reloc, yC, .edata, .rdata, .idata, .tls.
//.IF dword ptr [esi].Name1 == ('crsr')
CMP DWORD PTR DS:[ESI],'crsr'//rsrc
JZ __LoopEnd
//.ENDIF
//.IF dword ptr [esi].Name1 == ('rsr.')
CMP DWORD PTR DS:[ESI],'rsr.'//.rsrc
JZ __LoopEnd
//.ENDIF
//.IF dword ptr [esi].Name1 == ('oler')
CMP DWORD PTR DS:[ESI],'oler'//reloc
JZ __LoopEnd
//.ENDIF
//.IF dword ptr [esi].Name1 == ('ler.')
CMP DWORD PTR DS:[ESI],'ler.'//.reloc
JZ __LoopEnd
//.ENDIF
//.IF dword ptr [esi].Name1 == ('Cy')
CMP DWORD PTR DS:[ESI],'Cy'//yC
JZ __LoopEnd
//.ENDIF
//.IF dword ptr [esi].Name1 == ('ade.')
CMP DWORD PTR DS:[ESI],'ade.'//.edata
JZ __LoopEnd
//.ENDIF
//.IF dword ptr [esi].Name1 == ('adr.')
CMP DWORD PTR DS:[ESI],'adr.'//.rdata
JZ __LoopEnd
//.ENDIF
//.IF dword ptr [esi].Name1 == ('adi.')
CMP DWORD PTR DS:[ESI],'adi.'//.idata
JZ __LoopEnd
//.ENDIF
//.IF dword ptr [esi].Name1 == ('slt.')
CMP DWORD PTR DS:[ESI],'slt.'//.tls
JZ __LoopEnd
//.ENDIF
//-> skip also some other sections
//.IF [esi].PointerToRawData == 0 || [esi].SizeOfRawData == 0
CMP DWORD PTR DS:[ESI+14h],0             // PointerToRawData
JZ __LoopEnd
CMP DWORD PTR DS:[ESI+10h],0             // SizeOfRawData; also keeps ecx non-zero for the LOOP in the callee
JZ __LoopEnd
//.ENDIF
//-> en-/decrypt it
PUSHAD
MOV ECX,DWORD PTR DS:[ESI+10h] //[esi].SizeOfRawData
//.IF ebx == 0 // (ebx is a parameter)
OR EBX,EBX
JNZ MODE_IS_1
MOV ESI,DWORD PTR DS:[ESI+14h]//[esi].PointerToRawData
ADD ESI, EAX
CALL _EncryptBuff
JMP CHECKMODE_FINISH
//.ELSE
MODE_IS_1:
MOV ESI,DWORD PTR DS:[ESI+0Ch]//[esi].VirtualAddress
ADD ESI,EAX
// In-place write through the mapped section. No VirtualProtect is done
// here, so the section must already be writable — presumably arranged by
// the packer via the section characteristics — confirm. SizeOfRawData
// bytes are processed at VirtualAddress; if that exceeds the section's
// virtual extent the write runs into whatever is mapped next.
CALL _DecryptBuff
//.ENDIF
CHECKMODE_FINISH:
// FUNNY JUMP :)  push/ret to SecDecryptContinue1, address built via EBP
// (the register damage is undone by the POPAD there). The MOV / INT 13
// after the RETN is unreachable filler.
MOV EDX,EBP
ADD EDX,OFFSET SecDecryptContinue1
LEA EAX, [EDX]
PUSH EAX
RETN
MOV EAX,00h                              // unreachable
INT 13                                   // unreachable
SecDecryptContinue1:
POPAD
__LoopEnd:
ADD ESI,28h//SIZEOF IMAGE_SECTION_HEADER
INC EDX
//.UNTIL DX==[EDI].FileHeader.NumberOfSections
// do-while: the first header is processed before the count is consulted, so
// NumberOfSections == 0 keeps walking past the table until DX wraps around.
CMP DX,WORD PTR DS:[EDI+6]
JNZ SECTION_IS_NOT_ZERO
//assume esi : nothing
//assume edi : nothing
RETN
AfterDeCryptionContinue:
//------ PREPARE THE OEP JUMP EXCEPTION :) ------
// Stores the original entry point, rotated right by 7, and the relocated
// address of SehHandler_OEP_Jump into two stack slots. NOTE(review):
// [ESP+10h] and [ESP+1Ch] are presumably fields of an exception
// registration/context frame built before this chunk, from which the
// handler later transfers control to the OEP (undoing the ROR) — confirm
// the frame layout; the two offsets are hard-coded.
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwImageBase
MOV EBX,[EDX]                            // ebx = image base
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwOrgEntryPoint
ADD EBX,[EDX]                            // ebx = image base + original entry point RVA
ROR EBX,7                                // presumably keeps the plain OEP value off the stack
MOV [ESP+010h],EBX
MOV EDX,EBP
ADD EDX,OFFSET SehHandler_OEP_Jump
LEA EBX,[EDX]                            // ebx = relocated address of the handler
MOV [ESP+01Ch],EBX
//----- SET Index Variable of TLS table to 0 -----
// check whether there's a tls table
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwImageBase
MOV EDI,DWORD PTR [EDX]
ADD EDI,DWORD PTR [EDI+03Ch]// edi -> pointer to PE header
//assume edi : ptr IMAGE_NT_HEADERS
MOV EBX,DWORD PTR [EDI+0C0h]//OptionalHeader.DataDirectory[9].VirtualAddress
//assume edi : nothing
CMP EBX,0 // no tls section
JZ SkipTlsFix
ADD EBX,DWORD PTR [EDX] // ebx -> pointer to tls table (edx still -> _RO_dwImageBase)
//assume ebx : ptr IMAGE_TLS_DIRECTORY32
MOV EAX,DWORD PTR [EBX+08h]              // eax = AddressOfIndex (VA of the TLS index variable)
MOV DWORD PTR [EAX],0                    // *AddressOfIndex = 0; the VA is not validated before the write
//assume ebx : nothing
SkipTlsFix:
//----- CRC COMPARE -----
// Compare the checksum computed from the file with the packer-stored value.
// Zero means "nothing was computed" and skips the compare outright. Because
// the checksum path leaves _RO_dwCalcedCRC untouched on every error (and the
// skip logic implies it starts at zero), a file that could not be opened,
// sized, allocated for or read — as well as a genuine checksum of 0 — falls
// through here exactly like an intact file.
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwCalcedCRC
MOV EAX,DWORD PTR [EDX]
OR EAX,EAX
JE INIT_IMPORT_TABLE                     // no checksum available: compare skipped
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwOrgChecksum
CMP EAX,DWORD PTR [EDX]
JE NotSkipInitIt
JMP SkipInitIt                           // mismatch; SkipInitIt lies outside this chunk
NotSkipInitIt:
INIT_IMPORT_TABLE:
//----- INIT IMPORT TABLE -----
// 0 - an error occurred
// 1 - IT initialized successfully
// NOTE(review): the 0/1 result convention above belongs to the enclosing
// routine whose PUSHAD/RETN frame is outside this chunk; the only exit
// visible here (GlobalAlloc failure) does POPAD/RETN without setting it.
MOV EDX,EBP
ADD EDX,OFFSET _RO_IIDInfo
LEA ESI,[EDX]//ESI -> pointer to the current IID
//ASSUME ESI : PTR sItInfo
// sItInfo is 0Ch bytes; the offsets used below are +0 DllNameRVA and +4 FirstThunk.
//----------------------------------------------------------
//----------------- PREPARE API REDIRECTION ----------------
//.IF [EBP+PROTECTION_FLAGS]== API_REDIRECT_FLAG
// Count every thunk entry of every import descriptor and allocate one
// 5-byte sApiStub per entry; start and next-free pointers go into Buff.
// Despite the Kernel32* label names, no DLL-name filtering happens here:
// the loop runs over all descriptors until one has FirstThunk == 0.
PUSH EBX
MOV EBX,EBP
ADD EBX,OFFSET _RO_PROTECTION_FLAGS
TEST DWORD PTR [EBX],API_REDIRECT_FLAG
JZ DonotAPIRedirect
PUSH ESI                                 // saved: the loops below advance esi
MOV EBX,EBP
ADD EBX,OFFSET _RO_Buff
LEA EDI,[EBX]                            // edi = &Buff, used as sReThunkInfo
//ASSUME EDI : PTR sReThunkInfo
XOR ECX, ECX                             // ecx = total thunk count
//.WHILE [ESI].FirstThunk
Kernel32IIDInfoLoop:
CMP DWORD PTR DS:[ESI+4],0
JZ EndOfKernel32IIDInfo
MOV EDX,DWORD PTR DS:[ESI+4]//[ESI].FirstThunk
MOV EBX,EBP
ADD EBX,OFFSET _RO_dwImageBase
ADD EDX,DWORD PTR [EBX]                  // edx = VA of the thunk array
Kernel32FunInfoLoop:
//.WHILE DWORD PTR [EDX]
CMP DWORD PTR DS:[EDX],0
JZ EndOfKernel32FuncInfo
INC ECX
ADD EDX,4
JMP Kernel32FunInfoLoop
EndOfKernel32FuncInfo:
//.ENDW
ADD ESI,0Ch//SIZEOF sItInfo
JMP Kernel32IIDInfoLoop
EndOfKernel32IIDInfo:
//.ENDW
// allocate memory for the api stubs
// The block comes from the process heap (GMEM_FIXED); if the sApiStub
// entries are executed later, that memory is not guaranteed executable
// under DEP — confirm how the stubs are used (outside this chunk).
XOR EDX,EDX
MOV EAX,5//SIZEOF sApiStub
MUL ECX                                  // eax = 5 * count; overflow into edx is ignored
PUSH EAX
PUSH GMEM_FIXED
MOV EBX,EBP
ADD EBX,OFFSET _RO_GlobalAlloc
CALL [EBX]
//hglobal=GlobalAlloc(GMEM_FIXED,sApiStub);
//.IF (hglobal==0)
OR EAX,EAX// fatal exit
JNZ DonotDofatalexit
// NOTE(review): two dwords were pushed in this block (EBX at the top, then
// ESI) but only one is discarded before POPAD/RETN. Unless the enclosing
// frame accounts for the saved EBX, POPAD restores shifted values and RETN
// pops a wrong return address — confirm against the matching PUSHAD, which
// is outside this chunk.
ADD ESP,4
POPAD
RETN
//.ENDIF
DonotDofatalexit:
MOV DWORD PTR DS:[EDI],EAX//[EDI].ApiStubMemAddr
MOV DWORD PTR DS:[EDI+4],EAX//[EDI].pNextStub
//ASSUME EDI : NOTHING
POP ESI
DonotAPIRedirect:
//.ENDIF
POP EBX
// start with the real routine
//.WHILE [esi].FirstThunk != 0
DllIIDInfoLoop:
CMP DWORD PTR DS:[ESI+4],0
JZ EndOfDllIIDInfo;
// load the library
MOV EBX,DWORD PTR DS:[ESI]//[esi].DllNameRVA
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwImageBase
ADD EBX,DWORD PTR [EDX]