// decrypt dll string
MOV EAX,EBX
CALL _EnDeCryptString
MOV EDX,EBP
ADD EDX,OFFSET InitITContinue1
LEA EAX, [EDX]// goto InitITContinue1
PUSH EAX
RETN
//-------------------------------
// In-place "decryption" of a NUL-terminated string: each byte is
// rotated right by 4 bits (nibble swap). The transform is its own
// inverse, which is why one routine serves both directions.
// In:    EAX = VA of the string (the only register this routine reads)
// Out:   the bytes at EAX are rewritten in place; AL = last byte
//        processed, the upper bits of EAX are left untouched
// Clobb: AL, flags. ESI and EDI are saved and restored.
// Note:  the loop tests the byte *after* the one just written, i.e. the
//        next still-undecoded input byte, so the terminator must be a
//        literal 0 in the stored form (ROR of 0 is 0 either way). A
//        string without a 0 byte is walked past the end of its buffer.
// eax = VA of target string
//DWORD EnDeCryptString(char* Base,DWORD VA)
_EnDeCryptString:
PUSH ESI
PUSH EDI
MOV ESI,EAX// source cursor
MOV EDI,EAX// destination cursor, same buffer
DllCryptLoop:
LODS BYTE PTR DS:[ESI]// AL = *ESI++
ROR AL,4// swap the two nibbles
STOS BYTE PTR ES:[EDI]// *EDI++ = AL
CMP BYTE PTR DS:[EDI],0// peek at the next (not yet decoded) input byte
JNZ DllCryptLoop
POP EDI
POP ESI
RETN
//End of EnDeCryptString Function
//-------------------------------
InitITContinue1:
// Reached through the PUSH/RET above. Register contract as used below
// (the loop head that sets it up, DllIIDInfoLoop, is above this view —
// confirm there):
//   EBP = delta base; every _RO_* variable and every code label is
//         addressed as EBP+OFFSET so the stub is position-independent
//   EBX = VA of the (now decoded) DLL name
//   ESI = current 12-byte sItInfo entry (the packer's own import record)
PUSH EBX// arg: lpLibFileName
MOV EDX,EBP
ADD EDX,OFFSET _RO_LoadLibrary
CALL [EDX]// stdcall: LoadLibrary pops its own argument
//hmodule=LoadLibrary(*(IIDInfo.DllNameRVA+dwImageBase));
//.IF (hmodule==0) .GOTO SkipInitIt
TEST EAX,EAX
JZ SkipInitIt// EAX = 0 here, so SkipInitIt takes its failure exit (POPAD/RETN)
// zero dll name
PUSH EDX
PUSH EAX// save dll base
//----------------------------------------------------------
//---------------- Delete Import Information ---------------
// Anti-dump measure: once the library is loaded the plaintext DLL name
// is wiped from the image, so a memory dump carries no import names.
//.IF [EBP+PROTECTION_FLAGS]== DESTROY_IMPORT_FLAG
MOV EDX,EBP
ADD EDX,OFFSET _RO_PROTECTION_FLAGS
TEST DWORD PTR [EDX],DESTROY_IMPORT_FLAG
JZ DontKillDllName
// push return address
MOV EDX,EBP
ADD EDX,OFFSET DontKillDllName
LEA EAX,[EDX]// LEA used as a plain register move
PUSH EAX // push return address :)
MOV EAX,EBX// KillString overwrites the string at EAX
JMP KillString// relies on KillString ending in RETN to DontKillDllName (its tail is outside this view)
//.ENDIF
DontKillDllName:
POP EBX // EBX -> library handle
POP EDX
// process the (Original-)FirstThunk members
// sItInfo layout as used here (custom 12-byte record, see ADD ESI,0Ch at
// the end of the DLL loop): +4 = FirstThunk RVA, +8 = OriginalFirstThunk
// RVA; +0 is presumably the DLL name RVA. This is NOT the PE
// IMAGE_IMPORT_DESCRIPTOR layout.
MOV ECX,DWORD PTR DS:[ESI+8]//[esi].OrgFirstThunk
//.IF ecx == 0
OR ECX,ECX
JNZ OrgFirstThunkNotZero1
MOV ECX,DWORD PTR DS:[ESI+4]//[esi].FirstThunk: no INT, so walk the IAT itself
OrgFirstThunkNotZero1:
//.ENDIF
PUSH EBX// EBX (library handle) is borrowed as scratch for the image base
MOV EBX,EBP
ADD EBX,OFFSET _RO_dwImageBase
ADD ECX,[EBX] // ecx -> pointer to current thunk
MOV EDX,DWORD PTR DS:[ESI+4]//[esi].FirstThunk
ADD EDX,[EBX] // edx -> pointer to current thunk (always the non-original one)
POP EBX
//.WHILE dword ptr [ecx] != 0
//.WHILE dword ptr [ecx] != 0
// Per-thunk loop. Invariants: ECX -> current INT/IAT entry (read),
// EDX -> current IAT entry (written), EBX = library handle, ESI = sItInfo.
FuncIIDInfoLoop:
CMP DWORD PTR DS:[ECX],0
JZ EndOfFuncIIDInfo
TEST DWORD PTR [ECX],IMAGE_ORDINAL_FLAG32// is it an ordinal import ?
JNZ __OrdinalImp
// process a name import
MOV EAX,DWORD PTR [ECX]
ADD EAX,2// skip IMAGE_IMPORT_BY_NAME.Hint, land on Name[]
PUSH EBX
MOV EBX,EBP
ADD EBX,OFFSET _RO_dwImageBase
ADD EAX,[EBX]// eax points now to the Name of the Import
POP EBX
PUSH EAX
CALL _EnDeCryptString// decodes the name in place; AL is clobbered, hence the save/restore
POP EAX
MOV EDI,EAX // save the API name pointer for destroying it later
PUSH EDX
PUSH ECX// save the Thunk pointers
PUSH EAX// arg: lpProcName
PUSH EBX// arg: hModule
MOV EDX,EBP
ADD EDX,OFFSET _RO_GetProcAddress
CALL [EDX]// stdcall: pops both arguments
//dw_=GetProcAddress(KernelBase,sz_);
//.IF eax == NULL
OR EAX,EAX
JNZ GetProcAddressNotNULL
POP ECX// rebalance the stack before leaving with EAX = 0 (failure)
POP EDX
JMP SkipInitIt
GetProcAddressNotNULL:
//.ENDIF
POP ECX
POP EDX
//->kill API name
PUSH EDX
PUSHAD// KillString is entered via JMP and returns through the address pushed below
//----------------------------------------------------------
//---------------- Delete Import Information ---------------
//.IF [EBP+PROTECTION_FLAGS]== DESTROY_IMPORT_FLAG
MOV EDX,EBP
ADD EDX,OFFSET _RO_PROTECTION_FLAGS
TEST [EDX],DESTROY_IMPORT_FLAG// no explicit size here, unlike the DWORD PTR form used above
JZ DontKillApiName
MOV EDX,EBP
ADD EDX,OFFSET DontKillApiName
LEA EAX, [EDX] // push return address
PUSH EAX
MOV EAX, EDI// EDI = decoded API name, wiped so it does not survive in memory
JMP KillString
DontKillApiName:
//.ENDIF
POPAD// EAX = resolved API address again
POP EDX
//-> paste API address
MOV DWORD PTR [EDX],EAX// write the IAT slot; the page holding it must be writable at this point
JMP __NextThunkPlease
__OrdinalImp:
// process an ordinal import
PUSH EDX
PUSH ECX // save the thunk pointers
MOV EAX,DWORD PTR [ECX]
SUB EAX,080000000h// strip IMAGE_ORDINAL_FLAG32; low word is the ordinal
PUSH EAX// arg: lpProcName as an ordinal
PUSH EBX// arg: hModule
MOV EDX,EBP
ADD EDX,OFFSET _RO_GetProcAddress
CALL [EDX]
//dw_=GetProcAddress(KernelBase,sz_);
TEST EAX,EAX
// NOTE(review): unlike the name-import failure path (POP ECX / POP EDX
// before JMP SkipInitIt), this exit leaves the two thunk pointers pushed
// at __OrdinalImp on the stack, so the POPAD/RETN at SkipInitIt then
// runs against a frame that is 8 bytes off.
JZ SkipInitIt
POP ECX
POP EDX
MOV DWORD PTR [EDX],EAX
__NextThunkPlease:
// eax = Current Api address
// ebx = dll base
// edx = non-org thunk pointer
//----------------------------------------------------------
//----------------- PREPARE API REDIRECTION ----------------
// Optional: instead of leaving the real API address in the IAT, point
// the slot at a freshly written 5-byte "JMP rel32" stub in _RO_Buff.
// Detection note: after this, IAT entries resolve into a private buffer
// rather than into any module's export range, which is what IAT
// integrity checks flag; the stub buffer must also be executable, so
// this fails under DEP/NX unless the buffer was mapped RWX.
//.IF [EBP+PROTECTION_FLAGS]== API_REDIRECT_FLAG
PUSH ECX
MOV ECX,EBP
ADD ECX,OFFSET _RO_PROTECTION_FLAGS
TEST DWORD PTR [ECX],API_REDIRECT_FLAG
JZ DonotAPIRedirect2
//.IF [EBP+bNT]
MOV ECX,EBP
ADD ECX,OFFSET _RO_bNT
CMP DWORD PTR [ECX],0
JZ WindowsNotNT
// On NT only DLLs based in 70000000h..77FFFFFFh are redirected; this
// appears to be the system-DLL range of the non-ASLR era — confirm.
//.IF EBX < 070000000h || EBX > 077FFFFFFh
CMP EBX,070000000h
JB CHECK_0x70000000
CMP EBX,077FFFFFFh
JBE FinishThunkRedDo
CHECK_0x70000000:
JMP SkipThunkRed
JMP FinishThunkRedDo// unreachable: follows an unconditional JMP
//.ENDIF
//.ELSE
WindowsNotNT:
// On 9x only DLLs at or above 80000000h (shared system area) are redirected.
//.IF EBX < 080000000h
CMP EBX,080000000h
JNB FinishThunkRedDo
JMP SkipThunkRed
//.ENDIF
FinishThunkRedDo:
//.ENDIF
PUSH EDI
PUSH ESI
MOV ECX,EBP
ADD ECX,OFFSET _RO_Buff
LEA EDI,[ECX]// LEA used as a register move; EDI -> sReThunkInfo
//ASSUME EDI : PTR sReThunkInfo
MOV ESI,DWORD PTR DS:[EDI+4]//[EDI].pNextStub
MOV [EDX],ESI// make the thunk point to stub mem
SUB EAX,ESI
SUB EAX,5// sizeof E9XXXXXXXX - Jump long
// EAX is now rel32 = api - (stub + 5); the "current API address" contract
// above no longer holds after this point (EAX is not reused below).
MOV BYTE PTR [ESI],0E9h// JMP rel32 opcode
MOV DWORD PTR [ESI+1],EAX
ADD DWORD PTR DS:[EDI+4],5//ADD [EDI].pNextStub,SIZEOF sApiStub
//ASSUME EDI : NOTHING
POP ESI
POP EDI
SkipThunkRed:
DonotAPIRedirect2:
//.ENDIF
POP ECX
ADD ECX,4// next INT entry
ADD EDX,4// next IAT slot
JMP FuncIIDInfoLoop
EndOfFuncIIDInfo:
//.ENDW
ADD ESI,0Ch//SIZEOF sItInfo make esi point to the next IID
JMP DllIIDInfoLoop// loop head is above this view
EndOfDllIIDInfo:
//.ENDW
XOR EAX,EAX
INC EAX// EAX = 1 (TRUE): every import was resolved
//------------------------------
SkipInitIt:
// Common exit of the import loader. EAX = 1 means success; anything else
// (the failure jumps arrive with EAX = 0) unwinds the startup registers
// and returns to whoever called the loader.
//.IF eax != TRUE
CMP EAX,1
JE ERASE_PE_HEADER
// exit
POPAD// matching PUSHAD is outside this view
RETN
//.ENDIF
ERASE_PE_HEADER:
//----- ERASE PE HEADER ------
// Anti-dump measure: overwrite the in-memory PE headers with zeros so a
// dumped image has no section table. Writing the header page requires it
// to be writable (the protection change is not visible here — confirm).
MOV EDX,EBP
ADD EDX,OFFSET _RO_PROTECTION_FLAGS
TEST DWORD PTR [EDX],ERASE_HEADER_FLAG
JZ SkipEraseHeader
// zero the header
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwImageBase
MOV EDI,DWORD PTR [EDX]
ADD EDI,DWORD PTR [EDI+03Ch]// edi -> pointer to PE header (e_lfanew)
//assume edi : ptr IMAGE_NT_HEADERS
MOV ESI,DWORD PTR [EDX]// ESI = image base, start of the region to wipe
MOV ECX,DWORD PTR [EDI+0x54]//.OptionalHeader.SizeOfHeaders
//assume edi : nothing
// LOOP with ECX = 0 would iterate 2^32 times; a valid PE never has
// SizeOfHeaders == 0, so no guard is present.
ZeroMemLoop:
MOV BYTE PTR [ESI],0
INC ESI
LOOP ZeroMemLoop
SkipEraseHeader:
//------ CHECK AGAIN LOADER CRC & COMPARE ------
// Self-integrity check: _GetCheckSum (defined elsewhere) is run over the
// loader code from DepackerCode up to OEP_JUMP_CODE_START and the result
// compared with the value the packer stored in _RO_dwLoaderCRC. Because
// the range covers this code itself, any byte patch — including a
// software breakpoint placed inside it — changes the sum and takes the
// exit path below.
// The JMP SMn / INT xx pairs are junk bytes that are never executed;
// they only desynchronise linear-sweep disassembly (the DB comments
// record the byte each one stands in for).
MOV EDX,EBP
ADD EDX,OFFSET DepackerCode
LEA EAX,DWORD PTR [EDX]// EAX = start of the checked range
MOV ECX,OFFSET OEP_JUMP_CODE_START
SUB ECX,OFFSET DepackerCode//ECX->LOADER_CRC_CHECK_SIZE
JMP SM10
INT 09h//DB 0E9h
SM10:
CALL _GetCheckSum// presumably EAX = checksum on return — confirm
JMP SM11
INT 0Ch//DB 0C7h
SM11:
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwLoaderCRC
MOV EBX,DWORD PTR [EDX]
XOR EAX,EBX// ZF set iff computed == stored
//.IF !ZERO?
JE DECRYPT_ENTRYPOINT
JMP SM12
INT 3//DB 2C
SM12:
POPAD// mismatch: restore startup registers and bail out
JMP SM13
INT 3//DB E8
SM13:
RETN
//.ENDIF
//.ENDIF
//----- DECRYPT ENTRYPOINT JUMP CODE -----
DECRYPT_ENTRYPOINT:
// In-place decode of the OEP-jump code [OEP_JUMP_CODE_START,
// OEP_JUMP_CODE_END). Per byte: XOR with OEP_JUMP_ENCRYPT_NUM, subtract
// CL (the low byte of the remaining count, so each position has its own
// key), then ROL by 2. Writing code bytes requires the page to be
// writable; W^X policy would fault here.
MOV EDX,EBP
ADD EDX,OFFSET OEP_JUMP_CODE_START
LEA EDI,[EDX]
MOV ESI,EDI
LEA EDI,[EDX]// redundant: EDI already holds EDX
MOV ECX,OFFSET OEP_JUMP_CODE_END
SUB ECX,OFFSET OEP_JUMP_CODE_START//ECX->CRYPT_OEP_JUMP_SIZE
XOR EAX,EAX
OepJumpDecryptLoop:
LODS BYTE PTR DS:[ESI]
XOR AL,OEP_JUMP_ENCRYPT_NUM
SUB AL,CL// position-dependent key
ROL AL,2
STOS BYTE PTR ES:[EDI]
LOOP OepJumpDecryptLoop
MOV EDX,EBP
ADD EDX,OFFSET OEP_JUMP_CODE_START
LEA EAX,[EDX]
PUSH EAX
RET// PUSH/RET as an indirect jump into the just-decoded code
//-----------------------
// Padding between the decoder and the encoded region; skipped by the
// PUSH/RET above, never executed.
INT 3
INT 3
INT 3
INT 3
//----- JUMP TO OEP -----
OEP_JUMP_CODE_START:
// Start of the region that is stored encoded and decoded just before
// execution (see DECRYPT_ENTRYPOINT).
//----- CHECK FOR DEBUG API's -----
// Resolves IsDebuggerPresent by name at run time and aborts if it reports
// a debugger. This is the PEB.BeingDebugged check behind a Win32 API.
MOV EDX,EBP
ADD EDX,OFFSET _RO_szIsDebuggerPresent
LEA EAX,[EDX]
PUSH EAX// arg: lpProcName
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwKernelBase
PUSH [EDX]// arg: hModule = kernel32 base
MOV EDX,EBP
ADD EDX,OFFSET _RO_GetProcAddress
//dw_=GetProcAddress(KernelBase,szIsDebuggerPresent);
CALL [EDX]//bool=IsDebuggerPresent(void)
OR EAX,EAX// API not present on W95
//.IF !ZERO?
JE SECOND_SI_CHECK
CALL EAX// IsDebuggerPresent() — takes no arguments
OR EAX,EAX
//.IF !ZERO?
JE SECOND_SI_CHECK
POPAD// debugger reported: restore startup registers and return
RETN
//.ENDIF
//.ENDIF
SECOND_SI_CHECK:
//------ SECOND SI CHECK ------
// doesn't work on NT
// install SEH frame
// "SI" = SoftICE per the author's naming. The probe is INT 68h with
// EAX = 4400h inside a temporary SEH frame: with no handler for the
// interrupt the CPU raises an exception and SehHandler2 (not in this
// view) presumably resumes at SICheck2_SP, which was stored in the
// sSEH record for that purpose; DI is then compared against the
// signatures the author expects the debugger to leave — confirm against
// SehHandler2.
MOV EDX,EBP
ADD EDX,OFFSET _RO_PROTECTION_FLAGS
TEST DWORD PTR [EDX],CHECK_SI_FLAG
JZ SkipSICheck2
MOV EDX,EBP
ADD EDX,OFFSET _RO_SEH
LEA ESI,[EDX]
//ASSUME ESI : PTR sSEH
MOV EDX,EBP
ADD EDX,OFFSET SICheck2_SP
LEA EAX,[EDX]
MOV DWORD PTR DS:[ESI+8],EAX//[ESI].SaveEip: resume address for the handler
//ASSUME ESI : NOTHING
XOR EBX,EBX
MOV EDX,EBP
ADD EDX,OFFSET SehHandler2
LEA EAX,[EDX]
PUSH EAX// handler
PUSH FS:[EBX]// previous frame
MOV FS:[EBX], ESP// link the new frame
MOV EDI,EBP
MOV EAX,04400h
JMP SM4
INT 3//DB 0C7h -- junk byte, never executed
SM4:
INT 68h
SICheck2_SP:
XOR EBX,EBX
POP FS:[EBX]// unlink the frame
ADD ESP,4// discard the handler pointer
//.IF DI == 01297h || DI == 01277h || DI == 01330h
CMP DI,01297h
JE SI_DEBUG_EXIST
CMP DI,01277h
JE SI_DEBUG_EXIST
CMP DI,01330h
JNZ SkipSICheck2
SI_DEBUG_EXIST:
JMP SM5
INT 7//DB 0FFh -- junk byte, never executed
SM5:
POPAD// debugger found: restore startup registers and return
JMP SM6
INT 1//DB 0E8h -- junk byte, never executed
SM6:
RETN
//.ENDIF
SkipSICheck2:
MOV EDX,EBP
ADD EDX,OFFSET OepJumpCodeCont
LEA EAX,[EDX]
PUSH EAX
RET// PUSH/RET used as a jump to OepJumpCodeCont
//------------------------------
// ------ OEP SEH HANDLER ------
// Exception handler that performs the transfer to the original entry
// point: it is installed by OepJumpCodeCont, triggered by the INT 3 that
// follows, and rewrites the faulting thread's CONTEXT so that execution
// "continues" at the OEP. cdecl, args at [EBP+8]..[EBP+14h]; only
// pContext ([EBP+10h]) is used. Returns 0 (ExceptionContinueExecution).
// Defender note: SafeSEH / SEHOP validate handlers and the frame chain,
// so this transfer mechanism does not work as-is under those mitigations.
//SehHandler_OEP_Jump PROC C pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
SehHandler_OEP_Jump:
PUSH EBP
MOV EBP,ESP
PUSH EDI
MOV EAX,DWORD PTR SS:[EBP+010h]//pContext
//ASSUME EAX : PTR CONTEXT
// restore original seh handle
// The frame at the faulting ESP is [handler? no: prev frame, handler];
// the dword at ctx.Esp is the previous FS:[0] value pushed by the
// installer, so it is copied back into FS:[0] here.
MOV EDI,DWORD PTR DS:[EAX+0C4h] //[EAX].regEsp
PUSH DWORD PTR DS:[EDI]
XOR EDI,EDI
POP DWORD PTR FS:[EDI]
// kill seh frame
ADD DWORD PTR DS:[EAX+0C4h],8 //[EAX].regEsp: drop prev-frame + handler
// set EIP to the OEP
MOV EDI,DWORD PTR DS:[EAX+0A4h]//[EAX].regEbx; EDI -> OEP
ROL EDI,7// undoes the ROR 7 the OEP was stored with
MOV DWORD PTR DS:[EAX+0B8h],EDI//[EAX].regEip
MOV EAX,0//ExceptionContinueExecution
//ASSUME EAX : NOTHING
POP EDI
LEAVE
RETN
//SehHandler_OEP_Jump ENDP
//-----------------------------------------
OepJumpCodeCont:
//---- ZERO THE LOADER CODE AND DATA ----
// Wipes [DepackerCode, SehHandler_OEP_Jump) and
// [OEP_JUMP_CODE_END, LOADER_CRYPT_END). The code currently executing
// and the SEH handler lie between those two ranges and survive.
XOR AL,AL// STOSB fill value
MOV EDX,EBP
ADD EDX,OFFSET DepackerCode
LEA EDI,[EDX]
MOV ECX,OFFSET SehHandler_OEP_Jump
SUB ECX,OFFSET DepackerCode
LoaderZeroLoop:
STOS BYTE PTR ES:[EDI]
LOOP LoaderZeroLoop
MOV EDX,EBP
ADD EDX,OFFSET OEP_JUMP_CODE_END
LEA EDI,[EDX]
MOV ECX,OFFSET LOADER_CRYPT_END
SUB ECX,OFFSET OEP_JUMP_CODE_END
LoaderVarZeroLoop:
STOS BYTE PTR ES:[EDI]
LOOP LoaderVarZeroLoop
POPAD // RESTORE STARTUP REGS
// After this POPAD:
// EAX - OEP Seh handler
// EBX - OEP (rored)
// (both were placed in the saved register block before the PUSHAD,
// which is outside this view)
//------ install OEP JUMP SEH frame ------
PUSH EAX// handler = SehHandler_OEP_Jump
XOR EAX, EAX
PUSH DWORD PTR FS:[EAX]// previous frame
MOV DWORD PTR FS:[EAX],ESP// link it
JMP SM3
INT 3 //DB 87 -- junk byte, never executed
SM3: // the seh handler will set EIP to the OEP :)
// No instruction follows SM3: execution falls through the commented-out
// block to the NOP / INT 3 below. That INT 3 is the deliberate trigger —
// the breakpoint exception reaches SehHandler_OEP_Jump, which rewrites
// EIP to the OEP. Under a debugger the first-chance breakpoint exception
// is normally intercepted, so the program never reaches its OEP unless
// the exception is passed through to it.
OEP_JUMP_CODE_END:
//----------------------------------------
/*OepJumpCodeCont:
//------ install OEP JUMP SEH frame ------
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwImageBase
MOV EAX,DWORD PTR [EDX]
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwOrgEntryPoint
ADD EAX,DWORD PTR [EDX] //MOV EAX,004028EAh
JMP EAX
//------------------------------------
OEP_JUMP_CODE_END:*/
//----------------------------------------
NOP
INT 3// trigger for SehHandler_OEP_Jump (see note above)
INT 3
INT 3
INT 3
//-----------------------
// -------- KILL STRING --------
// EAX = ASCII string address
KillString:
JMP KillStr2
KillStr1:
MOV BYTE PTR DS:[EAX],0
INC EAX
Kil