function ApDepack(var Source, Destination) : DWORD; cdecl;
//-----------------------------------------------------------------------
// DWORD ApDepack(const void *Source, void *Destination)        (cdecl)
// Decodes an aPLib-style LZ bit stream from Source into Destination and
// returns the number of bytes written (edi - Source at @@donedepacking).
// Register roles:
//   esi = read cursor in Source       edi = write cursor in Destination
//   dl  = tag-bit shift register, seeded with the 80h sentinel
//   bl  = 2 at start and after a literal, 1 after a match; subtracted
//         from the gamma code at @@codepair
//   ebp = offset of the previous match (reused by @@domatch_lastpos)
//   eax = match offset, ecx = match length when @@domatch is reached
// Neither buffer carries a length and none is checked: decoding runs
// until the stream's end marker, so a truncated or malformed stream reads
// past Source and writes past Destination. The packed data must be
// trusted or validated by the caller; this routine cannot fail safely.
// Stack: the arguments are read at [esp+40]/[esp+44], i.e. pushad (32
// bytes) + return address + 4 more bytes, presumably a compiler-generated
// push ebp - confirm against the emitted prologue.
//-----------------------------------------------------------------------
asm
@@_aP_depack_asm:
pushad
mov esi, [esp + 40]                // esi = Source
mov edi, [esp + 44]                // edi = Destination
cld
mov dl, 80h                        // sentinel only: the first getbit reloads dl
xor ebx, ebx
@@literal:
movsb                              // copy one literal byte
mov bl, 2                          // last token was a literal
@@nexttag:
call @@getbit
jnc @@literal                      // tag 0   -> literal byte follows
xor ecx, ecx
call @@getbit
jnc @@codepair                     // tag 10  -> gamma-coded offset/length pair
xor eax, eax
call @@getbit
jnc @@shortmatch                   // tag 110 -> one-byte short match
mov bl, 2                          // tag 111 -> single byte at a 4-bit offset
inc ecx                            // length 1
mov al, 10h                        // bit 4 of al is the shift-count marker
@@getmorebits:
call @@getbit
adc al, al
jnc @@getmorebits                  // loop until the marker bit carries out (4 bits read)
jnz @@domatch                      // nonzero offset: copy one byte from edi - eax
stosb                              // offset 0: emit a zero byte (al = 0)
jmp @@nexttag
@@codepair:
call @@getgamma_no_ecx             // ecx = gamma code (ecx was 0, so it starts at 1)
sub ecx, ebx                       // ecx -= bl (1 after a match, 2 after a literal)
jnz @@normalcodepair
call @@getgamma                    // zero: reuse last offset, ecx = new length
jmp @@domatch_lastpos
@@shortmatch:
lodsb                              // al = (offset << 1) | length bit
shr eax, 1                         // eax = offset, CF = length bit
jz @@donedepacking                 // byte 0 marks the end of the stream
adc ecx, ecx                       // ecx = length bit (0 or 1); +2 below
jmp @@domatch_with_2inc
@@normalcodepair:
xchg eax, ecx
dec eax
shl eax, 8
lodsb                              // eax = ((gamma - bl) - 1) << 8 | next byte  = offset
call @@getgamma                    // ecx = raw length
cmp eax, 32000
jae @@domatch_with_2inc            // far offset:       length += 2
cmp ah, 5
jae @@domatch_with_inc             // offset >= 500h:   length += 1
cmp eax, 7fh
ja @@domatch_new_lastpos           // 80h..4FFh:        length unchanged
@@domatch_with_2inc:               // offset <= 7fh:    length += 2
inc ecx
@@domatch_with_inc:
inc ecx
@@domatch_new_lastpos:
xchg eax, ebp                      // ebp = this offset, for later @@codepair reuse
@@domatch_lastpos:
mov eax, ebp
mov bl, 1                          // last token was a match
@@domatch:
push esi
mov esi, edi
sub esi, eax                       // copy from edi - offset; overlap is intended (byte copy)
rep movsb
pop esi
jmp @@nexttag
@@getbit:
add dl, dl                         // next tag bit -> CF
jnz @@stillbitsleft
mov dl, [esi]                      // tag byte exhausted: fetch the next one
inc esi
adc dl, dl                         // emit its bit 7, shift the sentinel in from CF
@@stillbitsleft:
ret
@@getgamma:
xor ecx, ecx
@@getgamma_no_ecx:
inc ecx                            // gamma code: implicit leading 1
@@getgammaloop:
call @@getbit
adc ecx, ecx                       // append one data bit
call @@getbit
jc @@getgammaloop                  // continuation bit set -> more bits follow
ret
@@donedepacking:
sub edi, [esp + 40]                // bytes written = edi - Source
mov [esp + 28], edi                // overwrite the eax slot saved by pushad...
popad                              // ...so popad leaves the count in eax as the result
end;
procedure Move(const Source; var Dest; count: Integer);
// Overlap-safe memory copy, a local stand-in for System.Move so the stub
// does not depend on the RTL. Register convention: EAX = @Source,
// EDX = @Dest, ECX = count. Copies forward when Dest is below Source,
// backward (STD) when Dest is above it, and nothing when the pointers are
// equal or count is negative. Clobbers EAX and ECX; ESI/EDI are preserved.
asm
PUSH ESI
PUSH EDI
MOV ESI,EAX                        // ESI = Source
MOV EDI,EDX                        // EDI = Dest
MOV EAX,ECX                        // EAX = count, kept for the byte remainder
CMP EDI,ESI
JA @@down                          // Dest > Source: copy from the end
JE @@exit                          // same address: nothing to do
SAR ECX,2                          // dword count; SAR keeps the sign so that...
JS @@exit                          // ...a negative count is rejected here
REP MOVSD
MOV ECX,EAX
AND ECX,03H                        // remaining 0..3 bytes
REP MOVSB
JMP @@exit
@@down:
LEA ESI,[ESI+ECX-4]                // point both cursors at the last dword
LEA EDI,[EDI+ECX-4]
SAR ECX,2
JS @@exit
STD                                // descending copy
REP MOVSD
MOV ECX,EAX
AND ECX,03H
ADD ESI,4-1                        // back up to the last remainder byte
ADD EDI,4-1
REP MOVSB
CLD                                // restore the default direction flag before returning
@@exit:
POP EDI
POP ESI
end;
function GetImageBase: DWORD;
// Returns the base address of the first module in the loader's
// InLoadOrderModuleList (the main executable) without calling any API:
// on 32-bit Windows fs:[$30] is the PEB, PEB+$C its Ldr pointer, Ldr+$C
// the list head, and +$18 of the first entry its DllBase. 32-bit only.
// Used by DelphiEP when the caller did not supply an image base.
var
PEB, Ldr, fLink: DWORD;
begin
asm
mov eax, fs: [$30]                 // TEB->ProcessEnvironmentBlock
mov PEB, eax
end;
Ldr := PDWORD(PEB + $C)^;          // PEB->Ldr
fLink := PDWORD(Ldr + $C)^;        // Ldr->InLoadOrderModuleList.Flink = first entry
result := PDWORD(DWORD(fLink) + $18)^;  // entry->DllBase
end;
function NextPChar(s: PChar): PChar;
// Returns the address just past the NUL byte that terminates s.
// The scan reads single bytes (PByte) while the pointer advances in
// PChar units, exactly as the original loop did.
var
  cursor: PChar;
  atEnd: Boolean;
begin
  cursor := s;
  repeat
    atEnd := PByte(cursor)^ = 0;   // remember whether this byte was the terminator
    Inc(cursor);                   // always step over it, terminator included
  until atEnd;
  result := cursor;
end;
function NextDWORD(d: Pointer): PDWORD;
// Returns d advanced by one DWORD (4 bytes); used to step over 4-byte
// entries such as ordinal imports and the heap marker.
begin
  result := PDWORD(DWORD(d) + SizeOf(DWORD));
end;
procedure DelphiEP(cRegs: TRegs); stdcall;
// Unpacking stub entry point, reached with a snapshot of the original
// registers (cRegs) on the stack. It
//   1. loads the bootstrap table (LocalVar) holding the packed-data header
//      RVA and eight kernel32 entry points,
//   2. depacks every packed section in place (ApDepack),
//   3. depacks the compressed import directory into a temporary buffer and
//      fills the IAT thunks, by name or by ordinal,
//   4. rewrites the resource and delay-import data directories in the PE
//      header, and
//   5. creates a heap, copies cRegs into it and rebuilds esp/ebp from that
//      copy. The transfer to the original entry point is still commented
//      out at the end, so this appears to be work in progress.
// Every API result (VirtualAlloc, LoadLibrary, HeapCreate, HeapAlloc) is
// used unchecked: a failure becomes a null dereference, not an error.
// PChar arithmetic below counts bytes only when PChar is PAnsiChar
// (pre-Unicode Delphi) - confirm the target compiler.
var
// --- bootstrap table entries; their order must match LocalVar ---
pGetModuleHandle: function (lpModuleName: PChar): HMODULE; stdcall;
pGetProcAddress: function (hModule: HMODULE; lpProcName: LPCSTR): FARPROC; stdcall;
pLoadLibrary: function (lpLibFileName: PChar): HMODULE; stdcall;
pVirtualAlloc: function (lpvAddress: Pointer; dwSize, flAllocationType, flProtect: DWORD): Pointer; stdcall;
pVirtualFree: function (lpAddress: Pointer; dwSize, dwFreeType: DWORD): BOOL; stdcall;
pVirtualProtect: function (lpAddress: Pointer; dwSize, flNewProtect: DWORD;
lpflOldProtect: Pointer): BOOL; stdcall;
pHeapCreate: function (flOptions: DWORD; dwInitialSize: SIZE_T; dwMaximumSize: SIZE_T): HANDLE; stdcall;
pHeapAlloc: function (hHeap: HANDLE; dwFlags: DWORD; dwBytes: SIZE_T): LPVOID; stdcall;
// The variables above are required.
// Below are local working variables.
// pMessageBoxA: function (hWnd: HWND; lpText, lpCaption: PChar; uType: UINT): Integer; stdcall;
PackDataHeaderRVA: Cardinal;
PackedDir: PPkDataHeader;          // packed-data header inside the image
PackedSectionDir: PPkSectionDir;   // per-section entries (Offset, RVA, Length)
PackedData, UnPackedData: Pointer;
i: Cardinal;                       // loop index; also reused as VirtualProtect's old-protect out value
ImageBase: Cardinal;
ImpDirPtr: PImpDir;                // current DLL record of the depacked import list
p: PChar;                          // cursor over DLL/function names in that list
hDll: DWORD;
pp: PDWORD;                        // IAT slot being filled
xp: Pointer;                       // base the section Offsets are relative to
pKeyFunc: PDWORD;                  // cursor over the bootstrap table
pResDir: PImageDataDirectory;
pBuf: Pointer;                     // temporary buffer for the depacked import list
PFileHeader: PImageFileHeader;
POptionalHeader32: PImageOptionalHeader32;
pNewHeap: Pointer;                 // heap block: marker dword followed by a TRegs copy
begin
ImageBase := PDWORD(cRegs.Ebp + 3 * SizeOf(DWORD))^;  // presumably a stack slot of the calling stub - verify against it
if ImageBase = 0 then
ImageBase := GetImageBase;
pKeyFunc := LocalVar;              // bootstrap table; LocalVar is defined elsewhere in the unit
PackDataHeaderRVA := pKeyFunc^;    // [0] RVA of the packed-data header
PackedDir := Pointer(ImageBase + PackDataHeaderRVA);
Inc(pKeyFunc);
pGetModuleHandle := Pointer(pKeyFunc^);   // [1]
Inc(pKeyFunc);
pLoadLibrary := Pointer(pKeyFunc^);       // [2]
Inc(pKeyFunc);
pGetProcAddress := Pointer(pKeyFunc^);    // [3]
Inc(pKeyFunc);
pVirtualAlloc := Pointer(pKeyFunc^);      // [4]
Inc(pKeyFunc);
pVirtualFree := Pointer(pKeyFunc^);       // [5]
Inc(pKeyFunc);
pVirtualProtect := Pointer(pKeyFunc^);    // [6]
Inc(pKeyFunc);
pHeapCreate := Pointer(pKeyFunc^);        // [7]
Inc(pKeyFunc);
pHeapAlloc := Pointer(pKeyFunc^);         // [8]
PackedSectionDir := Pointer(PChar(PackedDir) + PackedDir^.PkSectionDirOffset);
xp := PackedSectionDir;            // section payload Offsets are relative to the section dir
// NOTE(review): i is Cardinal, so PkSectionDirCount = 0 makes the upper bound
// wrap to $FFFFFFFF and the loop run over unrelated memory - worth guarding.
for i := 0 to PackedDir^.PkSectionDirCount - 1 do
begin
if PackedSectionDir^.Length <> 0 then
begin
PackedData := Pointer(PChar(xp) + PackedSectionDir^.Offset);
UnPackedData := Pointer(ImageBase + PackedSectionDir^.RVA);
ApDepack(PackedData^, UnPackedData^);   // in-place into the section; ApDepack checks no bound
end;
Inc(PackedSectionDir);
end;
pBuf := pVirtualAlloc(nil, PackedDir^.ImpSize, MEM_COMMIT, PAGE_READWRITE);   // NOTE(review): nil on failure is not checked
ImpDirPtr := Pointer(PChar(PackedDir) + PackedDir^.PkImpDirOffset);
ApDepack(ImpDirPtr^, pBuf^);       // ImpSize must be the depacked size; nothing verifies it
ImpDirPtr := pBuf;
while ImpDirPtr^.ThunkRVA <> 0 do  // one record per DLL; ThunkRVA = 0 terminates the list
begin
p := @ImpDirPtr^.Name[0];          // NUL-terminated DLL name
hDll := pGetModuleHandle(p);
if hDll = 0 then
hDll := pLoadLibrary(p);           // NOTE(review): stays 0 if the DLL is missing and is used anyway
p := NextPChar(p);                 // function entries start right after the name
pp := Pointer(ImageBase + ImpDirPtr^.ThunkRVA);   // first IAT slot for this DLL
for i := 1 to ImpDirPtr^.ImpFuncCount do
begin
if PDWORD(p)^ and $FFFF0000 = 0 then   // high word clear: 4-byte ordinal entry (a 1-2 char name would be misread)
begin
pp^ := DWORD(pGetProcAddress(hDll, Pointer(PWORD(p)^)));
p := PChar(NextDWORD(p));
end
else                               // otherwise a NUL-terminated function name
begin
pp^ := DWORD(pGetProcAddress(hDll, p));
p := NextPChar(p);
end;
inc(pp);
end;
ImpDirPtr := PImpDir(p);           // the next DLL record follows the last function entry
end;
pVirtualFree(pBuf, 0, MEM_RELEASE);
PFileHeader := PImageFileHeader(ImageBase + DWORD(PImageDosHeader(ImageBase)^.e_lfanew) + 4);   // +4 skips the PE signature
POptionalHeader32 := PImageOptionalHeader32(DWORD(PFileHeader) + IMAGE_SIZEOF_FILE_HEADER);
// NOTE(review): the header page only needs to be writable for the two
// directory updates below; PAGE_READWRITE would do, and the previous
// protection (left in i) is never restored afterwards.
pVirtualProtect(Pointer(ImageBase), $1000, PAGE_EXECUTE_READWRITE, @i);
pResDir := PImageDataDirectory(@POptionalHeader32^.DataDirectory[0]);
Inc(pResDir, 2);                   // index 2: IMAGE_DIRECTORY_ENTRY_RESOURCE
pResDir^.VirtualAddress := PackedDir^.ResRVA;
pResDir^.Size := PackedDir^.ResSize;
Inc(pResDir, 11);                  // index 13: IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
pResDir^.VirtualAddress := PackedDir^.DelayImpRVA;
pResDir^.Size := PackedDir^.DelayImpSize;
// A fresh heap sized from the PE header's heap fields; the block is zeroed
// and must hold a marker dword plus SizeOf(cRegs). Neither handle is checked.
pNewHeap := pHeapAlloc(
pHeapCreate(HEAP_GENERATE_EXCEPTIONS, POptionalHeader32^.SizeOfHeapCommit, POptionalHeader32^.SizeOfHeapReserve),
HEAP_GENERATE_EXCEPTIONS or HEAP_ZERO_MEMORY, POptionalHeader32^.SizeOfHeapCommit);
asm
int 3                              // NOTE(review): debugger trap left in; without a debugger attached this raises a breakpoint exception
mov eax, pNewHeap
mov [eax], $12345678               // marker at the start of the block
end;
pNewHeap := NextDword(pNewHeap);   // the register snapshot follows the marker
Move(cRegs, pNewHeap^, SizeOf(cRegs));
asm
mov ebp, pNewHeap                  // ebp = first dword of the copied TRegs
mov ebp, [ebp]
mov ebp, ebp + 4 * 4               // NOTE(review): unbracketed register+offset; confirm BASM assembles this as the intended form
mov esp, ebp - 4 * 5
ret                                // returns to whatever the rebuilt stack holds; the jump to EPRVA below is still commented out
{ lea edx, PackedDir
mov edx, [edx]
mov edx, TPkDataHeader([edx]).EPRVA
add edx, ImageBase
lea eax, cRegs
int 3
lea eax, cRegs.esp
push eax
lea eax, cRegs.ebp
push eax
pop ebp
pop esp
jmp edx }
end;
end;