;-----------------------------------------------------------------------
; aPLib unpacker stub for PE32 / x86 (MASM syntax, .if/.while macros).
;
; Entry points:
;   __DLL_STUB_START  packed image is a DLL; the loader calls this as
;                     DllMain(hinst, fdwReason, lpReserved)
;   __STUB_START      EXE entry point / first DLL_PROCESS_ATTACH
;
; Everything in the data area (__iat .. __data) is addressed relative to
; EBP = VA of __start, so the stub runs wherever the image is mapped.
; Win32 APIs are reached only through the __loc* slots, which the OS
; loader fills from the stub's own mini import table (see __iat).
;
; Register roles in the main body:
;   EBP  delta base (VA of __start)
;   EBX  __aplib_unpack, called cdecl as depack(src, dst)
;   ESI  cursor: section table in __data, then the decompressed import list
;   EDI  IAT slot currently being filled
;
; Memory protections: __FIX_ACCESS turns the PE header and the first
; section RWX and nothing restores them afterwards, and the scratch
; buffer below is allocated RWX although it only holds data. A packer
; stub needs the writes, but the executable bit is a W^X violation worth
; tightening (see NOTE(review) comments).
;-----------------------------------------------------------------------
__DLL_STUB_START:
CMP BYTE PTR[ESP+8],1 ; [ESP+8] = fdwReason of DllMain; 1 = DLL_PROCESS_ATTACH
JNE __STUB_OEP_JUMP ; any other reason: skip unpacking (presumably already done on attach) and go to the OEP
; NOTE(review): nothing distinguishes an EXE entry here; an EXE must enter at __STUB_START.
__STUB_START:
PUSHAD ; 20h bytes; DllMain args now sit at [ESP+24h] (hinst) / [ESP+28h] (fdwReason)
CALL __start ; classic delta trick: push EIP ...
__start:
MOV EBP,DWORD PTR[ESP] ; ... and read it back: EBP = VA of __start
ADD ESP,4
.if DWORD PTR[ESP+28h] == 1 ; fdwReason == DLL_PROCESS_ATTACH -> take the actual base from hinst
MOV EAX,DWORD PTR[ESP+24h]
MOV DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)],EAX
.else
; NOTE(review): an EXE is assumed to be mapped at its link-time base. For an EXE
; [ESP+28h] is whatever the loader left on the stack, and a relocated (ASLR) EXE
; would get the wrong base here - confirm the packer clears DYNAMIC_BASE for EXEs.
MOV EAX,DWORD PTR[EBP+(offset __PE32_IMAGEBASE - offset __start)]
MOV DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)],EAX
.endif
LEA ESI,DWORD PTR[EBP+(offset __data - offset __start)+12] ; section table: pairs of (packed RVA, destination RVA), 0-terminated
LEA EBX,DWORD PTR[EBP+(offset __aplib_unpack - offset __start)]
XOR EDI,EDI ; EDI = byte offset into the section table
CALL __FIX_ACCESS ; PE header + first section -> writable (RWX)
__unpack_sections:
.while DWORD PTR[ESI+EDI] != 0
MOV EAX,DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)]
PUSH DWORD PTR[ESI+EDI+4] ; dst VA = base + destination RVA (pushed first: cdecl right-to-left)
ADD DWORD PTR[ESP],EAX
PUSH DWORD PTR[ESI+EDI] ; src VA = base + packed RVA
ADD DWORD PTR[ESP],EAX
CALL EBX ; depack(src, dst) - in-place decompression into the image
ADD ESP,8 ; cdecl: caller cleans up
ADD EDI,8
.endw
.if DWORD PTR[EBP+(offset __FILTER_CODE_START - offset __start)] != 0 && DWORD PTR[EBP+(offset __FILTER_CODE_SIZE - offset __start)] != 0
CALL __FIX_FILTER_CODE ; undo the E8/E9 (call/jmp) pre-compression filter
.endif
LEA ESI,DWORD PTR[ESI+EDI+4] ; skip the 0 terminator: ESI -> compressed import list
PUSH EBX ; keep the depacker pointer across the API call
PUSH PAGE_EXECUTE_READWRITE ; NOTE(review): buffer holds data only; PAGE_READWRITE would suffice (W^X)
PUSH MEM_COMMIT
__STUB_VA_SIZE: ; label on the immediate: presumably patched by the packer to the decompressed size
PUSH 20000h
PUSH NULL
CALL DWORD PTR[EBP+(offset __locva - offset __start)] ; VirtualAlloc
; NOTE(review): a NULL return is not checked; depack() would then write to address 0.
MOV DWORD PTR[EBP+(offset __data - offset __start)+8],EAX ; __data+8 = scratch buffer
POP EBX
PUSH DWORD PTR[EBP+(offset __data - offset __start)+8]
PUSH ESI
CALL EBX ; depack(import list -> scratch buffer); no length check, the packer must size the buffer
ADD ESP,8
; Decompressed import list layout (as consumed below):
;   DLL names, each NUL-terminated, list ended by a 01 byte
;   then per DLL: dd RVA of its first IAT slot, then dd hash/ordinal per import, dd 0
MOV ESI,DWORD PTR[EBP+(offset __data - offset __start)+8]
MOV EAX,ESI
.while BYTE PTR[EAX] != 01 ; find the end of the name list (unbounded scan; data is the stub's own)
INC EAX
.endw
INC EAX
MOV EDI,DWORD PTR[EAX] ; first IAT slot RVA ...
ADD EDI,DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)] ; ... -> VA
ADD EAX,4
MOV DWORD PTR[EBP+(offset __data - offset __start)+4],EAX ; __data+4 = cursor into the hash list
.while BYTE PTR[ESI] != 01 ; for each DLL name
PUSH ESI
CALL DWORD PTR[EBP+(offset __locloadlib - offset __start)] ; LoadLibraryA(name) - default search order
.if EAX == NULL
CALL __AlternatePathCheck ; retry from the directory of the packed module
.endif
TEST EAX,EAX
JE __ERROR_EXIT
MOV DWORD PTR[EBP+(offset __data - offset __start)],EAX ; __data+0 = current hModule
MOV EAX,ESI
.while DWORD PTR[EAX] != 0 ; first pass tests the name itself (non-empty), later passes the hash cursor
MOV EAX,DWORD PTR[EBP+(offset __data - offset __start)+4]
MOV EAX,DWORD PTR[EAX] ; hash (or 80xxxxxxh-tagged ordinal) of the import
PUSH EAX
PUSH DWORD PTR[EBP+(offset __data - offset __start)]
CALL __GLOBAL_GETPROCADDRESS
TEST EAX,EAX
JE __ERROR_EXIT
MOV DWORD PTR[EDI],EAX ; write the resolved address into the IAT slot
ADD DWORD PTR[EBP+(offset __data - offset __start)+4],4
ADD EDI,4
MOV EAX,DWORD PTR[EBP+(offset __data - offset __start)+4]
.endw
.while BYTE PTR[ESI] != 0 ; skip this DLL's name
INC ESI
.endw
INC ESI
ADD EAX,4 ; past the 0 terminator of the hash list
MOV EDI,DWORD PTR[EAX] ; next DLL's first IAT slot RVA
ADD EDI,DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)]
ADD EAX,4
MOV DWORD PTR[EBP+(offset __data - offset __start)+4],EAX
.endw
PUSH MEM_DECOMMIT
__STUB_VF_SIZE: ; presumably patched together with __STUB_VA_SIZE
PUSH 20000h
PUSH DWORD PTR[EBP+(offset __data - offset __start)+8]
CALL DWORD PTR[EBP+(offset __locvf - offset __start)] ; VirtualFree(buf, size, MEM_DECOMMIT)
PUSH MEM_RELEASE
PUSH 0
PUSH DWORD PTR[EBP+(offset __data - offset __start)+8]
CALL DWORD PTR[EBP+(offset __locvf - offset __start)] ; VirtualFree(buf, 0, MEM_RELEASE)
CALL __FIX_RELOCATIONS ; only does work if loaded base != link-time base
CALL __TLS_CALLBACK_EMULATE
POPAD
__STUB_OEP_JUMP:
JMP pack ; 'pack' is not defined in this file; presumably patched to the original entry point
__ERROR_EXIT:
; NOTE(review): POPAD restores the caller's EAX, so a DLL whose imports could not be
; resolved does not reliably return FALSE from DllMain here.
POPAD
RET
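;-----------------------------------------------------------------------
; __FIX_ACCESS
; Makes the PE header and the first section of the loaded image writable
; (PAGE_EXECUTE_READWRITE) so the sections can be decompressed in place
; and the IAT / relocations patched.
; In:   EBP = delta base; __LOADED_IMAGEBASE set
; Out:  nothing; __OLD_PROTECT is used as VirtualProtect's scratch out-param
; Clob: none (PUSHAD/POPAD); flags
; NOTE(review): VirtualProtect's return value is not checked and the
; protections are never restored (the region stays RWX for the process
; lifetime). Header size is hard-coded as 200h; VirtualProtect rounds to
; the enclosing page, so this covers headers up to one page only.
;-----------------------------------------------------------------------
__FIX_ACCESS:
PUSHAD
; 1) PE headers -> RWX
LEA EAX,DWORD PTR[EBP+(offset __OLD_PROTECT - offset __start)]
PUSH EAX
PUSH PAGE_EXECUTE_READWRITE
PUSH 200h
PUSH DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)]
CALL DWORD PTR[EBP+(offset __locvp - offset __start)] ; VirtualProtect(base, 200h, RWX, &__OLD_PROTECT)
MOV DWORD PTR[EBP+(offset __OLD_PROTECT - offset __start)],02040001h ; reset to the constant the data area is built with (see __OLD_PROTECT); purpose unclear - presumably keeps the stub bytes stable
; 2) first section header: base -> e_lfanew -> NT headers; section table
;    starts at NT headers + 18h (Signature + IMAGE_FILE_HEADER) + SizeOfOptionalHeader
MOV EAX,DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)]
ADD EAX,DWORD PTR[EAX+3Ch] ; EAX = IMAGE_NT_HEADERS
MOVZX ECX,WORD PTR[EAX+14h] ; SizeOfOptionalHeader, zero-extended ...
ADD EAX,ECX ; ... and added with a full 32-bit add (the old 'ADD AX,...' dropped the carry out of bit 15)
ADD EAX,18h ; EAX = first IMAGE_SECTION_HEADER
MOV EBX,DWORD PTR[EAX+12] ; VirtualAddress ...
ADD EBX,DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)] ; ... -> VA
MOV ECX,DWORD PTR[EAX+8] ; VirtualSize
LEA EAX,DWORD PTR[EBP+(offset __OLD_PROTECT - offset __start)]
PUSH EAX
PUSH PAGE_EXECUTE_READWRITE
PUSH ECX
PUSH EBX
CALL DWORD PTR[EBP+(offset __locvp - offset __start)] ; VirtualProtect(section VA, VirtualSize, RWX, &__OLD_PROTECT)
POPAD
RET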
;-----------------------------------------------------------------------
; __FIX_RELOCATIONS
; Applies the packer's compact relocation table when the image was not
; loaded at its link-time base (fixup = [addr] - __PE32_IMAGEBASE +
; __LOADED_IMAGEBASE). Does nothing if __RELOCATION is 0 or the bases match.
;
; Table format, as decoded below (starts at base + __RELOCATION):
;   per block:  dd page RVA (0 = end of table), dd block size in bytes
;               (includes this 8-byte header), then a stream of deltas
;   delta:      one byte < 0E0h, or a big-endian word >= 0E000h whose
;               value minus 0E000h is the delta
;   target:     base + page RVA + running sum of deltas
;
; Register roles: ESI = table cursor, EDX = page RVA, EBX = loaded base,
; EDI = link-time base, ECX = running offset within the page.
; Clob: none (PUSHAD/POPAD); __RELOCATION_SIZE is used as scratch (block end VA)
;-----------------------------------------------------------------------
__FIX_RELOCATIONS:
PUSHAD
MOV ESI,DWORD PTR[EBP+(offset __RELOCATION - offset __start)]
.if ESI != 0
MOV EDI,DWORD PTR[EBP+(offset __PE32_IMAGEBASE - offset __start)]
MOV EAX,DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)]
.if EAX != EDI ; nothing to do when mapped at the preferred base
ADD ESI,EAX ; ESI = VA of the relocation table
.while DWORD PTR[ESI] != 0 ; page RVA 0 terminates the table
MOV EDX,DWORD PTR[ESI] ; page RVA
MOV EAX,DWORD PTR[ESI+4] ; block size ...
MOV DWORD PTR[EBP+(offset __RELOCATION_SIZE - offset __start)],EAX
ADD DWORD PTR[EBP+(offset __RELOCATION_SIZE - offset __start)],ESI ; ... -> VA of the block end
MOV EBX,DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)]
XOR ECX,ECX ; running offset within this page
ADD ESI,8 ; skip the block header
.while ESI < DWORD PTR[EBP+(offset __RELOCATION_SIZE - offset __start)]
MOVZX EAX,BYTE PTR[ESI]
.if AL < 0E0h ; single-byte delta
PUSH EAX ; keep the delta ...
ADD EAX,EDX
ADD EAX,EBX
ADD EAX,ECX ; EAX = base + page + previous offset + delta
ADD ECX,DWORD PTR[ESP] ; ... and fold it into the running offset
ADD ESP,4
SUB DWORD PTR[EAX],EDI ; rebase the dword: - old base ...
ADD DWORD PTR[EAX],EBX ; ... + new base
INC ESI
.else ; two-byte (big-endian) delta, 0E000h..0FFFFh
MOVZX EAX,WORD PTR[ESI]
XCHG AL,AH ; byte-swap to little-endian
SUB AX,0E000h
PUSH EAX
ADD EAX,EDX
ADD EAX,EBX
ADD EAX,ECX
ADD ECX,DWORD PTR[ESP]
ADD ESP,4
SUB DWORD PTR[EAX],EDI
ADD DWORD PTR[EAX],EBX
ADD ESI,2
.endif
.endw
.endw
.endif
.endif
POPAD
RET
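;-----------------------------------------------------------------------
; __FIX_FILTER_CODE
; Reverses the E8/E9 (CALL/JMP rel32) pre-compression filter over the
; region [base + __FILTER_CODE_START, + __FILTER_CODE_SIZE).
; Two variants, chosen by __FILTER_CODE_BYTE:
;   != 0  (marker variant)  only operands whose lowest byte equals the
;         marker were transformed; the other three bytes hold a
;         big-endian absolute offset from the region start, converted
;         back to rel32 = abs - 5 - (ESI - EDI).
;   == 0  every E8/E9 operand is a big-endian value; rel32 = value - EDX,
;         where EDX counts bytes from the region start (+1, see INC below).
; In:   EBP = delta base; __LOADED_IMAGEBASE set
; Clob: none (PUSHAD/POPAD); flags
;
; Fixes vs. the previous version:
;  * EDX was initialised with CDQ, i.e. 0 or -1 depending on the sign of
;    whatever EAX held at entry; an image mapped at >= 80000000h would
;    have miscomputed every rel32. XOR EDX,EDX is what was meant.
;  * An E8/E9 byte within the last 4 bytes of the region made the
;    unsigned counter ECX wrap (SUB ECX,4 then DEC), so the loop ran
;    off the end of the region patching unrelated memory. An opcode is
;    now only treated as a rel32 instruction when 5 bytes remain.
;    NOTE(review): the packer-side filter must use the same end-of-region
;    rule; confirm against the compressor before relying on the tail bytes.
;-----------------------------------------------------------------------
__FIX_FILTER_CODE:
PUSHAD
MOV ESI,DWORD PTR[EBP+(offset __FILTER_CODE_START - offset __start)]
ADD ESI,DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)] ; ESI = cursor
MOV EDI,ESI ; EDI = region start
MOV ECX,DWORD PTR[EBP+(offset __FILTER_CODE_SIZE - offset __start)] ; ECX = bytes remaining
.if DWORD PTR[EBP+(offset __FILTER_CODE_BYTE - offset __start)] != NULL
    ; marker variant
    .while ECX > 0
        .if ECX >= 5 ; opcode + rel32 must fit inside the region
            .if BYTE PTR[ESI] == 0E8h || BYTE PTR[ESI] == 0E9h
                MOV EAX,DWORD PTR[ESI+1]
                .if AL == BYTE PTR[EBP+(offset __FILTER_CODE_BYTE - offset __start)] ; lowest byte is the marker -> transformed operand
                    MOV AL,0 ; drop the marker ...
                    BSWAP EAX ; ... leaving a 24-bit big-endian absolute offset
                    SUB EAX,5 ; rel32 is relative to the end of the 5-byte instruction
                    ADD EAX,EDI
                    SUB EAX,ESI ; minus the instruction's offset in the region
                    MOV DWORD PTR[ESI+1],EAX
                .endif
                ADD ESI,4 ; skip the operand either way
                SUB ECX,4
            .endif
        .endif
        INC ESI
        DEC ECX
    .endw
.else
    ; plain variant: EDX = offset counter (starts at 0, incremented before each test)
    XOR EDX,EDX
    .while ECX > 0
        INC EDX
        .if ECX >= 5
            .if BYTE PTR[ESI] == 0E8h || BYTE PTR[ESI] == 0E9h
                MOV EAX,DWORD PTR[ESI+1]
                BSWAP EAX ; stored big-endian
                SUB EAX,EDX ; back to rel32
                MOV DWORD PTR[ESI+1],EAX
                ADD ESI,4
                ADD EDX,4
                SUB ECX,4
            .endif
        .endif
        INC ESI
        DEC ECX
    .endw
.endif
POPAD
RET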
;-----------------------------------------------------------------------
; __TLS_CALLBACK_EMULATE
; Walks the image's TLS directory (DataDirectory[9], at NT headers + 0C0h
; for PE32) and calls every entry of AddressOfCallBacks (IMAGE_TLS_DIRECTORY32
; + 12) as callback(hModule, DLL_PROCESS_ATTACH, NULL), stdcall.
; Runs after __FIX_RELOCATIONS because AddressOfCallBacks and the array
; entries are absolute VAs.
; In:   EBP = delta base; __LOADED_IMAGEBASE set
; Clob: none (PUSHAD/POPAD); flags
; NOTE(review): the '.if DWORD PTR[EAX] != 0' below dereferences the
; callback address itself (reads its first 4 code bytes) rather than the
; array slot; presumably a guard against callbacks pointing at zeroed
; memory - confirm intent. Whether the OS loader has already run these
; callbacks (on the packed image) cannot be told from this file.
;-----------------------------------------------------------------------
__TLS_CALLBACK_EMULATE:
PUSHAD
MOV ESI,DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)]
ADD ESI,DWORD PTR[ESI+3Ch] ; ESI = IMAGE_NT_HEADERS
MOV ESI,DWORD PTR[ESI+0C0h] ; DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress
.if ESI != 0
ADD ESI,DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)] ; ESI = IMAGE_TLS_DIRECTORY32
ADD ESI,12 ; AddressOfCallBacks (a VA) ...
MOV ESI,DWORD PTR[ESI] ; ... -> ESI = callback array (NULL-terminated)
.if ESI != 0
MOV EAX,DWORD PTR[ESI] ; first callback VA
.while EAX != 0
PUSH ESI ; the callback may clobber ESI (caller-saved? not guaranteed) - keep the cursor
.if DWORD PTR[EAX] != 0
PUSH NULL ; lpReserved
PUSH DLL_PROCESS_ATTACH ; dwReason
PUSH DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)] ; DllHandle
CALL EAX ; stdcall: callee pops the 3 args
.endif
POP ESI
ADD ESI,4
MOV EAX,DWORD PTR[ESI] ; next callback, 0 ends the array
.endw
.endif
.endif
POPAD
RET
;-----------------------------------------------------------------------
; __GLOBAL_GETPROCADDRESS(hModule, value)   stdcall, RET 8
; Resolves one import of the packed image's import list.
;   value with top byte 80h and (value & 7FFFFFFFh) <= 10000h
;         -> ordinal import; the ordinal (80000000h cleared) is passed to
;            GetProcAddress directly
;   anything else
;         -> 32-bit name hash; __FindAPIName turns it back into the
;            exported name string in hModule's export table, which is then
;            passed to GetProcAddress (hash algorithm: see __FindAPIName)
; In:   [ESP+4] = hModule, [ESP+8] = value
; Out:  EAX = address or NULL; all other registers preserved
; NOTE(review): if __FindAPIName finds no matching name it returns a
; pointer one past the AddressOfNames array (see its comments), which then
; reaches GetProcAddress unchecked.
;-----------------------------------------------------------------------
__GLOBAL_GETPROCADDRESS:
LEA EAX,DWORD PTR[ESP+4] ; EAX -> args (taken before PUSHAD shifts ESP)
PUSHAD
MOV ESI,EAX ; [ESI] = hModule, [ESI+4] = value
MOV EAX,DWORD PTR[ESI+4]
ROL EAX,8 ; AL = top byte of value
.if AL == 80h
ROR EAX,8 ; restore
XOR EAX,80000000h ; strip the tag
.if EAX > 10000h ; too large for an ordinal -> it was a hash after all
XOR EAX,80000000h ; restore the full hash (the tag bit is part of it)
PUSH EAX
PUSH DWORD PTR[ESI]
CALL __FindAPIName ; EAX = name string VA
.endif
.else
ROR EAX,8 ; restore; value is a hash
PUSH DWORD PTR[ESI+4]
PUSH DWORD PTR[ESI]
CALL __FindAPIName
.endif
PUSH EAX ; name pointer or ordinal
PUSH DWORD PTR[ESI]
CALL DWORD PTR[EBP+(offset __locgpa - offset __start)] ; GetProcAddress(hModule, name/ordinal)
MOV DWORD PTR[ESP+1Ch],EAX ; EAX slot of the PUSHAD frame = return value
POPAD
RET 8
;-----------------------------------------------------------------------
; __FindAPIName(hModule, hash)   stdcall, RET 8   -- pre-assembled bytes
; Scans hModule's export name table for the name whose hash matches and
; returns a pointer to that name string in EAX. Hash of a name:
;     h = 0; for each byte c (NUL excluded): h = ROL(h, 7) ^ c
; Decoded:
;   pushad
;   mov ebx,[esp+24h]            ; hModule
;   mov ecx,ebx                  ; ecx = base
;   add ebx,[ebx+3Ch]            ; NT headers
;   mov ebx,[ebx+78h]            ; DataDirectory[EXPORT].VirtualAddress
;   add ebx,ecx                  ; IMAGE_EXPORT_DIRECTORY
;   mov edi,[ebx+20h] ; add edi,ecx     ; AddressOfNames
;   xor esi,esi                  ; name index
; next: lea edx,[edi+esi*4] ; mov edx,[edx] ; add edx,ecx   ; name VA
;   xor eax,eax
; byte: rol eax,7 ; xor al,[edx] ; inc edx ; cmp byte ptr [edx],0 ; jne byte
;   cmp eax,[esp+28h] ; je found
;   inc esi ; cmp esi,[ebx+18h] ; jb next      ; NumberOfNames
; found: lea edx,[edi+esi*4] ; mov edx,[edx] ; add edx,ecx
;   mov [esp+1Ch],edx            ; -> EAX after popad
;   popad ; ret 8
; NOTE(review): on a miss esi == NumberOfNames, so the final lea reads one
; dword past AddressOfNames and returns a garbage pointer; callers get
; no error indication. Forwarded exports are not special-cased.
;-----------------------------------------------------------------------
__FindAPIName:
db 060h,08Bh,05Ch,024h,024h,08Bh,0CBh,003h ; pushad; mov ebx,[esp+24h]; mov ecx,ebx; add ebx,
db 05Bh,03Ch,08Bh,05Bh,078h,003h,0D9h,08Bh ; [ebx+3Ch]; mov ebx,[ebx+78h]; add ebx,ecx; mov edi,
db 07Bh,020h,003h,0F9h,033h,0F6h,08Dh,014h ; [ebx+20h]; add edi,ecx; xor esi,esi; lea edx,
db 0B7h,08Bh,012h,003h,0D1h,033h,0C0h,0C1h ; [edi+esi*4]; mov edx,[edx]; add edx,ecx; xor eax,eax; rol
db 0C0h,007h,032h,002h,042h,080h,03Ah,000h ; eax,7; xor al,[edx]; inc edx; cmp byte ptr [edx],0
db 075h,0F5h,03Bh,044h,024h,028h,074h,006h ; jne -0Bh; cmp eax,[esp+28h]; je +6
db 046h,03Bh,073h,018h,072h,0E0h,08Dh,014h ; inc esi; cmp esi,[ebx+18h]; jb -20h; lea edx,
db 0B7h,08Bh,012h,003h,0D1h,089h,054h,024h ; [edi+esi*4]; mov edx,[edx]; add edx,ecx; mov [esp+
db 01Ch,061h,0C2h,008h,000h ; 1Ch],edx; popad; ret 8
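;-----------------------------------------------------------------------
; __AlternatePathCheck
; Fallback used when LoadLibraryA(name) failed: builds
; "<directory of the packed module>\<name>" and retries LoadLibraryA on it.
; In:   EBP = delta base; ESI -> NUL-terminated DLL name
; Out:  EAX = HMODULE or NULL; all other registers preserved
; Clob: flags
;
; Hardened vs. the previous version (same interface and same result on
; the success path):
;  * return value defaults to NULL; every API failure exits cleanly
;    (LoadLibraryA(kernel32), GetProcAddress, VirtualAlloc, GetModuleFileNameA)
;  * the path buffer is PAGE_READWRITE - it only ever holds a string
;  * GetModuleFileNameA's return value is checked (0 = failure,
;    >= MAX_PATH = truncated / possibly unterminated)
;  * the backwards scan for '\' stops at the buffer start (it used to walk
;    below the allocation when no separator was present)
;  * the name is appended only while it fits in MAX_PATH - 1 chars, and
;    the result is explicitly NUL-terminated
;-----------------------------------------------------------------------
__AlternatePathCheck:
PUSHAD
MOV DWORD PTR[ESP+1Ch],0 ; EAX slot of the PUSHAD frame: return NULL unless the retry succeeds
MOV DWORD PTR[EBP+(offset __ALTERNATE_PATH - offset __start)],0
LEA EAX,DWORD PTR[EBP+(offset __kernel32 - offset __start)]
PUSH EAX
CALL DWORD PTR[EBP+(offset __locloadlib - offset __start)] ; LoadLibraryA("kernel32.dll")
TEST EAX,EAX
JE __AlternatePathCheck_Exit
PUSH 774393E8h ;Hashed GetModuleFileNameA (see __FindAPIName for the hash)
PUSH EAX
CALL __GLOBAL_GETPROCADDRESS
TEST EAX,EAX
JE __AlternatePathCheck_Exit
MOV EDI,EAX ; EDI = GetModuleFileNameA
PUSH PAGE_READWRITE ; string buffer: no execute permission needed
PUSH MEM_COMMIT
PUSH MAX_PATH
PUSH NULL
CALL DWORD PTR[EBP+(offset __locva - offset __start)] ; VirtualAlloc(NULL, MAX_PATH, MEM_COMMIT, RW)
TEST EAX,EAX
JE __AlternatePathCheck_Exit
MOV DWORD PTR[EBP+(offset __ALTERNATE_PATH - offset __start)],EAX
PUSH MAX_PATH
PUSH EAX
.if DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)] != 0
PUSH DWORD PTR[EBP+(offset __LOADED_IMAGEBASE - offset __start)]
.else
PUSH DWORD PTR[EBP+(offset __PE32_IMAGEBASE - offset __start)]
.endif
CALL EDI ; GetModuleFileNameA(hModule, buf, MAX_PATH) -> EAX = chars copied
.if EAX == 0 || EAX >= MAX_PATH ; failed or truncated: don't trust the buffer contents
JMP __AlternatePathCheck_Free
.endif
MOV EDX,DWORD PTR[EBP+(offset __ALTERNATE_PATH - offset __start)] ; EDX = buffer start (lower bound)
ADD EAX,EDX ; EAX -> terminating NUL
; strip the file name: walk back to the last '\', zeroing as we go, never below the buffer start
.while EAX > EDX && BYTE PTR[EAX] != "\"
MOV BYTE PTR[EAX],0
DEC EAX
.endw
.if BYTE PTR[EAX] != "\" ; no directory separator at all: nothing sensible to build
JMP __AlternatePathCheck_Free
.endif
INC EAX ; EAX -> where the name goes
LEA ECX,DWORD PTR[EDX+MAX_PATH-1] ; ECX = last byte, reserved for the NUL
.while BYTE PTR[ESI] != NULL
.if EAX >= ECX ; directory + name would not fit
JMP __AlternatePathCheck_Free
.endif
MOVZX EBX,BYTE PTR[ESI]
MOV BYTE PTR[EAX],BL
INC ESI
INC EAX
.endw
MOV BYTE PTR[EAX],0
PUSH DWORD PTR[EBP+(offset __ALTERNATE_PATH - offset __start)]
CALL DWORD PTR[EBP+(offset __locloadlib - offset __start)] ; LoadLibraryA(full path)
MOV DWORD PTR[ESP+1Ch],EAX ; becomes EAX after POPAD
__AlternatePathCheck_Free:
PUSH MEM_RELEASE
PUSH 0
PUSH DWORD PTR[EBP+(offset __ALTERNATE_PATH - offset __start)]
CALL DWORD PTR[EBP+(offset __locvf - offset __start)] ; VirtualFree(buf, 0, MEM_RELEASE)
__AlternatePathCheck_Exit:
POPAD
RET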
; aPLib decompressor, pulled in from a separate file. The stub calls it
; cdecl as depack(src, dst) (two pushes, CALL EBX, ADD ESP,8) and it is
; expected to preserve EBP/ESI/EDI - confirm against aplib_depack.asm.
__aplib_unpack:
include aplib_depack.asm
;-----------------------------------------------------------------------
; Stub data area. Everything below is addressed as EBP + (offset X - offset __start).
; __iat .. __vp appears to be a one-entry IMAGE_IMPORT_DESCRIPTOR for
; kernel32.dll whose FirstThunk is presumably pointed at __locloadlib, so the
; OS loader fills the five __loc* slots before the stub runs. The 'dd ?'
; RVAs are presumably patched by the packer - confirm there.
;-----------------------------------------------------------------------
__iat:
__OriginalFirstThunk dd 00000000h ; 0: no import lookup table; loader uses FirstThunk
__TimeDateStamp dd 00000000h
__ForwarderChain dd 00000000h
__dllName dd ? ;Kernel32.dll (RVA of __kernel32)
__FirstThunk dd ? ;LoadLibraryA (RVA of __locloadlib)
dd ? ; terminating null IMAGE_IMPORT_DESCRIPTOR (5 dwords)
dd ?
dd ?
dd ?
dd ?
__kernel32 db "kernel32.dll",00h
; IAT: filled by the OS loader with the resolved addresses
__locloadlib dd ? ; LoadLibraryA
__locgpa dd ? ; GetProcAddress
__locva dd ? ; VirtualAlloc
__locvf dd ? ; VirtualFree
__locvp dd ? ; VirtualProtect
db 00h,00h,00h,00h,00h,00h ; dd 0 = IAT terminator, then the WORD Hint of the first IMAGE_IMPORT_BY_NAME
; IMAGE_IMPORT_BY_NAME entries: the two zero bytes after each name appear to serve
; both as the string terminator and as the next entry's Hint word.
__loadlib db "LoadLibraryA",00h,00h
__gpa db "GetProcAddress",00h,00h
__va db "VirtualAlloc",00h,00h
__vf db "VirtualFree",00h,00h
__vp db "VirtualProtect",00h,00h
__WIN9x_RELOCATION dd 00001000h ; minimal IMAGE_BASE_RELOCATION block (page RVA 1000h, size 8, no entries);
dd 00000008h ; presumably what Win9x needs to accept the image - confirm
__OLD_PROTECT dd 02040001h ; VirtualProtect out-param; __FIX_ACCESS rewrites this constant after use
; Values below are filled by the packer:
__PE32_IMAGEBASE dd ? ; link-time ImageBase of the packed image
__LOADED_IMAGEBASE dd ? ; actual base (set at run time by the stub)
__RELOCATION dd ? ; RVA of the compact relocation table, 0 = none
__RELOCATION_SIZE dd ? ; scratch used by __FIX_RELOCATIONS
__FILTER_CODE_START dd ? ; RVA / size of the E8E9-filtered region, 0 = no filter
__FILTER_CODE_SIZE dd ?
__FILTER_CODE_BYTE dd ? ; marker byte of the filter, 0 = plain variant
__ALTERNATE_PATH dd ? ; scratch: path buffer of __AlternatePathCheck
__data: ; +0 current HMODULE, +4 hash-list cursor, +8 scratch buffer, +12.. section table (appended by the packer)
__STUB_END:
; StoreVar1/2 dd ?
; SectionInfo dd ? ;PackedStart/UnpackedStart