;-----------------------------------------------------------------------
; Packer stub, x86-32, MASM syntax (Intel operand order, `;` comments).
; Every reference to the stub's own data goes through EBP, which is set to
; the runtime address of __L_start below, so the stub works wherever the
; builder places it in the image.
;
; Entry points:
;   __L_DLL_STUB_START - DLL builds: a DllMain frame is on the stack
;   __L_STUB_START     - EXE builds
;
; Register roles after the PUSHAD:
;   EBP = delta base (address of __L_start)
;   ESI = cursor into the data appended after __L_data
;   EDI = byte offset into the (src RVA, dst RVA) pair table
;   EBX = address of __L_lzma_unpack
; All registers are restored by the POPAD before the jump to the OEP.
;-----------------------------------------------------------------------
__L_DLL_STUB_START:
CMP BYTE PTR[ESP+8],1 ; [ESP+8] = fdwReason (2nd DllMain argument); 1 = DLL_PROCESS_ATTACH
JNE __L_STUB_OEP_JUMP ; any other reason: the image was already unpacked on attach, go straight to the OEP
__L_STUB_START:
PUSHAD
CALL __L_start
__L_start:
MOV EBP,DWORD PTR[ESP] ; EBP = runtime address of __L_start (delta base for all data references)
ADD ESP,4
; With PUSHAD's 20h bytes below the entry ESP, [ESP+24h]/[ESP+28h] are the
; hinstDLL/fdwReason slots of a DllMain frame. For an EXE those slots hold
; whatever the loader left there; the stub relies on that not being 1 - TODO confirm.
.if DWORD PTR[ESP+28h] == 1 ; DLL path: use the base the loader actually mapped the image at
MOV EAX,DWORD PTR[ESP+24h]
MOV DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)],EAX
.else
; EXE path: assumes the image sits at its preferred base (__L_PE32_IMAGEBASE)
MOV EAX,DWORD PTR[EBP+(offset __L_PE32_IMAGEBASE - offset __L_start)]
MOV DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)],EAX
.endif
LEA ESI,DWORD PTR[EBP+(offset __L_data - offset __L_start)+12] ; ESI = pair table (two RVAs per entry, zero-terminated) following the three __L_data scratch slots
LEA EBX,DWORD PTR[EBP+(offset __L_lzma_unpack - offset __L_start)]
XOR EDI,EDI ; EDI = byte offset into the pair table
; Decoder work buffer: VirtualAlloc(NULL, 0C2000h, MEM_COMMIT, PAGE_EXECUTE_READWRITE).
; The size is whatever lzma_depack.inc needs - presumably; not derived here.
PUSH PAGE_EXECUTE_READWRITE
PUSH MEM_COMMIT
PUSH 0C2000h
PUSH NULL
CALL DWORD PTR[EBP+(offset __L_locva - offset __L_start)]
MOV DWORD PTR[EBP+(offset __L_LZMA_alloc - offset __L_start)],EAX ; NOTE(review): not checked for NULL; a failed allocation is handed straight to the decoder
CALL __L_FIX_ACCESS ; make the headers and the first section writable+executable
__L_unpack_sections:
.while DWORD PTR[ESI+EDI] != 0 ; a zero first RVA ends the pair table
PUSHAD
MOV EAX,DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)]
PUSH DWORD PTR[EBP+(offset __L_LZMA_alloc - offset __L_start)] ; work buffer
PUSH DWORD PTR[ESI+EDI] ; first RVA of the pair, rebased in place
ADD DWORD PTR[ESP],EAX
PUSH DWORD PTR[ESI+EDI+4] ; second RVA of the pair, rebased in place
ADD DWORD PTR[ESP],EAX
CALL EBX ; __L_lzma_unpack; which RVA is source and which destination is defined in lzma_depack.inc
POPAD ; POPAD does not restore ESP, so the decoder must pop its three arguments itself - confirm in lzma_depack.inc
ADD EDI,8
.endw
; Reverse the E8/E9 branch filter if the builder applied one to a code range
.if DWORD PTR[EBP+(offset __L_FILTER_CODE_START - offset __L_start)] != 0 && DWORD PTR[EBP+(offset __L_FILTER_CODE_SIZE - offset __L_start)] != 0
CALL __L_FIX_FILTER_CODE
.endif
LEA ESI,DWORD PTR[ESI+EDI+4] ; ESI = compressed import table, right after the pair table's zero terminator
PUSH EBX
PUSH PAGE_EXECUTE_READWRITE
PUSH MEM_COMMIT
__L_STUB_VA_SIZE: ; label on the PUSH so the size immediate can be patched (same value as at __L_STUB_VF_SIZE) - presumably by the builder
PUSH 20000h
PUSH NULL
CALL DWORD PTR[EBP+(offset __L_locva - offset __L_start)]
MOV DWORD PTR[EBP+(offset __L_data - offset __L_start)+8],EAX ; __L_data+8 = buffer for the decompressed import table (NOTE(review): not NULL-checked)
POP EBX
PUSHAD
PUSH DWORD PTR[EBP+(offset __L_LZMA_alloc - offset __L_start)] ; work buffer
PUSH ESI ; compressed import table
PUSH DWORD PTR[EBP+(offset __L_data - offset __L_start)+8] ; destination buffer
CALL EBX
POPAD
MOV ESI,DWORD PTR[EBP+(offset __L_data - offset __L_start)+8] ; ESI = decompressed import table
MOV EAX,ESI
; Import table layout as consumed below: DLL names, each NUL-terminated,
; then a 01h marker, then per DLL: FirstThunk RVA (dd), one key (hash or
; flagged ordinal, see __L_GLOBAL_GETPROCADDRESS) per import, a zero dword.
.while BYTE PTR[EAX] != 01 ; skip the name block to the 01h marker
INC EAX
.endw
INC EAX
MOV EDI,DWORD PTR[EAX] ; EDI = first DLL's FirstThunk RVA ...
ADD EDI,DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)] ; ... rebased: the IAT slot to fill next
ADD EAX,4
MOV DWORD PTR[EBP+(offset __L_data - offset __L_start)+4],EAX ; __L_data+4 = cursor into the key list
.while BYTE PTR[ESI] != 01 ; one pass per DLL name
PUSH ESI
CALL DWORD PTR[EBP+(offset __L_locloadlib - offset __L_start)]
.if EAX == NULL
CALL __L_AlternatePathCheck ; retry from the directory of the packed image
.endif
TEST EAX,EAX
JE __L_ERROR_EXIT
MOV DWORD PTR[EBP+(offset __L_data - offset __L_start)],EAX ; __L_data+0 = module handle
MOV EAX,ESI ; seeds the first loop test with the name's (non-zero) bytes so the body runs at least once; from the second test on EAX is the key cursor (set at the end of the body)
.while DWORD PTR[EAX] != 0
MOV EAX,DWORD PTR[EBP+(offset __L_data - offset __L_start)+4]
MOV EAX,DWORD PTR[EAX] ; key of the next import
PUSH EAX
PUSH DWORD PTR[EBP+(offset __L_data - offset __L_start)]
CALL __L_GLOBAL_GETPROCADDRESS
TEST EAX,EAX
JE __L_ERROR_EXIT
MOV DWORD PTR[EDI],EAX ; resolved address into the IAT
ADD DWORD PTR[EBP+(offset __L_data - offset __L_start)+4],4
ADD EDI,4
MOV EAX,DWORD PTR[EBP+(offset __L_data - offset __L_start)+4] ; loop test reads the next key; a zero dword ends this DLL's list
.endw
.while BYTE PTR[ESI] != 0 ; advance ESI to the next DLL name
INC ESI
.endw
INC ESI
ADD EAX,4 ; step over the zero terminator: next DLL's FirstThunk RVA
MOV EDI,DWORD PTR[EAX]
ADD EDI,DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)]
ADD EAX,4
MOV DWORD PTR[EBP+(offset __L_data - offset __L_start)+4],EAX
.endw
; Free the import table buffer (decommit, then release) and the decoder work buffer
PUSH MEM_DECOMMIT
__L_STUB_VF_SIZE: ; patched together with __L_STUB_VA_SIZE - presumably
PUSH 20000h
PUSH DWORD PTR[EBP+(offset __L_data - offset __L_start)+8]
CALL DWORD PTR[EBP+(offset __L_locvf - offset __L_start)]
PUSH MEM_RELEASE
PUSH 0
PUSH DWORD PTR[EBP+(offset __L_data - offset __L_start)+8]
CALL DWORD PTR[EBP+(offset __L_locvf - offset __L_start)]
PUSH MEM_RELEASE
PUSH 0
PUSH DWORD PTR[EBP+(offset __L_LZMA_alloc - offset __L_start)]
CALL DWORD PTR[EBP+(offset __L_locvf - offset __L_start)]
CALL __L_FIX_RELOCATIONS ; rebase the unpacked image if it is not at its preferred base
CALL __L_TLS_CALLBACK_EMULATE ; run the unpacked image's TLS callbacks
POPAD
__L_STUB_OEP_JUMP:
JMP pack ; 'pack' is defined outside this file; presumably the builder points it at the original entry point - TODO confirm
__L_ERROR_EXIT:
; A LoadLibrary/GetProcAddress failure lands here: registers are restored and
; control returns to the caller without reaching the OEP. EAX is whatever it
; was at entry, so a DllMain caller does not reliably see FALSE - TODO confirm.
POPAD
RET
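;-----------------------------------------------------------------------
; __L_FIX_ACCESS - make the PE headers and the first section writable and
; executable before the decoder writes into the image:
;   VirtualProtect(base, 200h, PAGE_EXECUTE_READWRITE, &__L_OLD_PROTECT)
;   VirtualProtect(base + sec[0].VirtualAddress, sec[0].VirtualSize,
;                  PAGE_EXECUTE_READWRITE, &__L_OLD_PROTECT)
; In:  EBP = delta base; __L_LOADED_IMAGEBASE; __L_locvp = VirtualProtect
; Out: nothing; all registers preserved via PUSHAD/POPAD.
;      The VirtualProtect return values are not checked (original behaviour).
; Fix: the SizeOfOptionalHeader add was a 16-bit `ADD AX,...`, which drops a
;      carry out of the low word when base+e_lfanew sits near a 64K boundary;
;      it is now a full 32-bit add through ECX (ECX is scratch here, it is
;      overwritten with the section size below).
;-----------------------------------------------------------------------
__L_FIX_ACCESS:
PUSHAD
LEA EAX,DWORD PTR[EBP+(offset __L_OLD_PROTECT - offset __L_start)]
PUSH EAX
PUSH PAGE_EXECUTE_READWRITE
PUSH 200h ; header area; the OS rounds the range up to whole pages
PUSH DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)]
CALL DWORD PTR[EBP+(offset __L_locvp - offset __L_start)]
MOV DWORD PTR[EBP+(offset __L_OLD_PROTECT - offset __L_start)],02040001h ; reset the slot to its initial constant (see __L_OLD_PROTECT); the returned old protection is discarded
MOV EAX,DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)]
ADD EAX,DWORD PTR[EAX+3Ch] ; EAX = IMAGE_NT_HEADERS (base + e_lfanew)
MOVZX ECX,WORD PTR[EAX+14h] ; FileHeader.SizeOfOptionalHeader, zero-extended
ADD EAX,ECX ; 32-bit add: a carry out of AX is kept
ADD EAX,18h ; + Signature + IMAGE_FILE_HEADER: EAX = first IMAGE_SECTION_HEADER
MOV EBX,DWORD PTR[EAX+12] ; sec[0].VirtualAddress
ADD EBX,DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)]
MOV ECX,DWORD PTR[EAX+8] ; sec[0].Misc.VirtualSize
LEA EAX,DWORD PTR[EBP+(offset __L_OLD_PROTECT - offset __L_start)]
PUSH EAX
PUSH PAGE_EXECUTE_READWRITE
PUSH ECX
PUSH EBX
CALL DWORD PTR[EBP+(offset __L_locvp - offset __L_start)]
POPAD
RET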
;-----------------------------------------------------------------------
; __L_FIX_RELOCATIONS - apply the packed relocation data when the image was
; loaded at a base other than __L_PE32_IMAGEBASE.
; In:  EBP = delta base; __L_RELOCATION = RVA of the packed relocation data
;      (0 = none); __L_PE32_IMAGEBASE, __L_LOADED_IMAGEBASE
; Out: nothing; all registers preserved via PUSHAD/POPAD.
;      __L_RELOCATION_SIZE is scratch: the end address of the current block.
; Format as decoded here: blocks of [page RVA dd][block size dd, header
; included], then one entry per fixup: a byte below 0E0h is the delta to the
; next fixup; otherwise a big-endian word minus 0E000h is. Deltas accumulate
; within a block. A zero page RVA ends the list.
; Each fixup: *(loaded base + page RVA + running offset) += loaded - preferred.
; Registers: EDX = page RVA, EBX = loaded base, EDI = preferred base,
;            ECX = running offset within the page, ESI = cursor.
;-----------------------------------------------------------------------
__L_FIX_RELOCATIONS:
PUSHAD
MOV ESI,DWORD PTR[EBP+(offset __L_RELOCATION - offset __L_start)]
.if ESI != 0 ; no relocation data
MOV EDI,DWORD PTR[EBP+(offset __L_PE32_IMAGEBASE - offset __L_start)]
MOV EAX,DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)]
.if EAX != EDI ; loaded at the preferred base: nothing to do
ADD ESI,EAX ; ESI = first block
.while DWORD PTR[ESI] != 0
MOV EDX,DWORD PTR[ESI] ; page RVA
MOV EAX,DWORD PTR[ESI+4] ; block size
MOV DWORD PTR[EBP+(offset __L_RELOCATION_SIZE - offset __L_start)],EAX
ADD DWORD PTR[EBP+(offset __L_RELOCATION_SIZE - offset __L_start)],ESI ; = end of this block (start of the next)
MOV EBX,DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)]
XOR ECX,ECX ; running offset restarts per block
ADD ESI,8 ; skip the block header
.while ESI < DWORD PTR[EBP+(offset __L_RELOCATION_SIZE - offset __L_start)] ; unsigned compare (MASM default for register/DWORD operands)
MOVZX EAX,BYTE PTR[ESI]
.if AL < 0E0h ; one-byte delta
PUSH EAX
ADD EAX,EDX
ADD EAX,EBX
ADD EAX,ECX ; EAX = loaded base + page RVA + offset + delta
ADD ECX,DWORD PTR[ESP] ; offset += delta
ADD ESP,4
SUB DWORD PTR[EAX],EDI ; rebase the 32-bit value: - preferred + loaded
ADD DWORD PTR[EAX],EBX
INC ESI
.else ; two-byte delta, stored big-endian with 0E000h added
MOVZX EAX,WORD PTR[ESI]
XCHG AL,AH ; byte-swap to native order
SUB AX,0E000h
PUSH EAX
ADD EAX,EDX
ADD EAX,EBX
ADD EAX,ECX
ADD ECX,DWORD PTR[ESP]
ADD ESP,4
SUB DWORD PTR[EAX],EDI
ADD DWORD PTR[EAX],EBX
ADD ESI,2
.endif
.endw
.endw
.endif
.endif
POPAD
RET
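;-----------------------------------------------------------------------
; __L_FIX_FILTER_CODE - undo the E8/E9 (CALL/JMP rel32) branch filter applied
; to a code range before compression: the stored operands are converted back
; to relative displacements in place.
; In:  EBP = delta base; __L_LOADED_IMAGEBASE;
;      __L_FILTER_CODE_START (RVA of the range), __L_FILTER_CODE_SIZE (bytes),
;      __L_FILTER_CODE_BYTE (0 = plain variant, otherwise the marker byte)
; Out: nothing; all registers preserved via PUSHAD/POPAD.
; Registers: ESI = cursor, EDI = start of the range, ECX = bytes left,
;            EDX = (cursor - start) + 1 in the plain variant.
; Operands are stored big-endian (BSWAP turns them back into native order).
; Marker variant: only operands whose first stored byte equals the marker are
;   touched; that byte is cleared, the rest is the target's offset from the
;   range start, and the new rel32 = offset - 5 - (cursor - start).
; Plain variant: every E8/E9 operand becomes stored value - EDX.
; Fix: EDX was zeroed with CDQ, which only yields 0 while the incoming EAX is
;   non-negative (it is the decoder work-buffer address at the call site);
;   an allocation at or above 80000000h made EDX = -1 and corrupted every
;   fixup. XOR EDX,EDX does not depend on EAX.
; NOTE(review): an E8/E9 found in the last four bytes of the range makes
;   SUB ECX,4 wrap below zero and the loop run past the range; the filter side
;   presumably never emits one there - confirm against the builder.
;-----------------------------------------------------------------------
__L_FIX_FILTER_CODE:
PUSHAD
MOV ESI,DWORD PTR[EBP+(offset __L_FILTER_CODE_START - offset __L_start)]
ADD ESI,DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)]
MOV EDI,ESI ; EDI = start of the filtered range
MOV ECX,DWORD PTR[EBP+(offset __L_FILTER_CODE_SIZE - offset __L_start)]
.if DWORD PTR[EBP+(offset __L_FILTER_CODE_BYTE - offset __L_start)] != NULL
.while ECX > 0 ; unsigned: runs while ECX != 0
.if BYTE PTR[ESI] == 0E8h || BYTE PTR[ESI] == 0E9h
MOV EAX,DWORD PTR[ESI+1] ; AL = first stored byte (the marker position)
.if AL == BYTE PTR[EBP+(offset __L_FILTER_CODE_BYTE - offset __L_start)]
MOV AL,0 ; drop the marker
BSWAP EAX ; big-endian -> native: target offset from the range start
SUB EAX,5 ; - instruction length
ADD EAX,EDI
SUB EAX,ESI ; - (cursor - start): rel32 relative to the next instruction
MOV DWORD PTR[ESI+1],EAX
.endif
ADD ESI,4 ; skip the operand
SUB ECX,4
.endif
INC ESI
DEC ECX
.endw
.else
XOR EDX,EDX ; position counter; was CDQ (see header)
.while ECX > 0
INC EDX ; EDX = (cursor - start) + 1
.if BYTE PTR[ESI] == 0E8h || BYTE PTR[ESI] == 0E9h
MOV EAX,DWORD PTR[ESI+1]
BSWAP EAX ; big-endian -> native
SUB EAX,EDX
MOV DWORD PTR[ESI+1],EAX
ADD ESI,4 ; skip the operand, keeping EDX in step with ESI
ADD EDX,4
SUB ECX,4
.endif
INC ESI
DEC ECX
.endw
.endif
POPAD
RET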
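;-----------------------------------------------------------------------
; __L_TLS_CALLBACK_EMULATE - invoke the unpacked image's TLS callbacks with
; DLL_PROCESS_ATTACH, presumably because the packed image carries no TLS
; directory of its own for the loader to act on.
; In:  EBP = delta base; __L_LOADED_IMAGEBASE. Called after
;      __L_FIX_RELOCATIONS, so the callback array (absolute VAs) is already
;      rebased.
; Out: nothing; all registers preserved via PUSHAD/POPAD.
; Each callback is called as PIMAGE_TLS_CALLBACK(base, DLL_PROCESS_ATTACH,
; NULL), stdcall, so the callee removes its arguments.
; Fix: the original loaded __L_RELOCATION into ESI and overwrote it on the
;      next instruction; the dead load is removed.
;-----------------------------------------------------------------------
__L_TLS_CALLBACK_EMULATE:
PUSHAD
MOV ESI,DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)]
ADD ESI,DWORD PTR[ESI+3Ch] ; ESI = IMAGE_NT_HEADERS
MOV ESI,DWORD PTR[ESI+0C0h] ; DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress (PE32 layout)
.if ESI != 0 ; no TLS directory
ADD ESI,DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)]
ADD ESI,12 ; IMAGE_TLS_DIRECTORY32.AddressOfCallBacks
MOV ESI,DWORD PTR[ESI] ; absolute VA of the NULL-terminated callback array
.if ESI != 0
MOV EAX,DWORD PTR[ESI]
.while EAX != 0
PUSH ESI ; keep the array cursor across the callback
.if DWORD PTR[EAX] != 0 ; guard kept from the original: skips a callback whose first dword is zero - intent not documented, confirm
PUSH NULL
PUSH DLL_PROCESS_ATTACH
PUSH DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)]
CALL EAX
.endif
POP ESI
ADD ESI,4
MOV EAX,DWORD PTR[ESI]
.endw
.endif
.endif
POPAD
RET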
;-----------------------------------------------------------------------
; __L_GLOBAL_GETPROCADDRESS(hModule, key) - stdcall (RET 8), result in EAX.
; key is normally an export-name hash (algorithm in __L_FindAPIName). When
; the key's top byte is exactly 80h and the remaining 31 bits are at most
; 10000h, the key is an export ordinal and goes to GetProcAddress as is;
; any other key is first turned into a name pointer by __L_FindAPIName.
; In:  EBP = delta base; __L_locgpa = GetProcAddress
; Out: EAX = address (or NULL from GetProcAddress). Other registers are
;      preserved; the result travels through the PUSHAD image's EAX slot
;      ([ESP+1Ch]) so POPAD returns it.
; NOTE(review): a key of exactly 80010000h passes as an ordinal here, but
;      GetProcAddress treats 10000h as a name pointer (high word non-zero);
;      ordinals that large are unlikely in practice.
;-----------------------------------------------------------------------
__L_GLOBAL_GETPROCADDRESS:
LEA EAX,DWORD PTR[ESP+4] ; EAX -> argument block, taken before PUSHAD moves ESP
PUSHAD
MOV ESI,EAX ; [ESI] = hModule, [ESI+4] = key
MOV EAX,DWORD PTR[ESI+4]
ROL EAX,8 ; AL = top byte of the key
.if AL == 80h ; flag byte: ordinal or hash with the flag set
ROR EAX,8 ; back to the original key
XOR EAX,80000000h ; strip the flag bit
.if EAX > 10000h ; unsigned: too large for an ordinal, so it is a hash
XOR EAX,80000000h ; restore the original key for the hash lookup
PUSH EAX
PUSH DWORD PTR[ESI]
CALL __L_FindAPIName ; EAX = pointer to the matching export name
.endif
.else
ROR EAX,8 ; back to the original key
PUSH DWORD PTR[ESI+4]
PUSH DWORD PTR[ESI]
CALL __L_FindAPIName ; EAX = pointer to the matching export name
.endif
PUSH EAX ; name pointer or ordinal
PUSH DWORD PTR[ESI]
CALL DWORD PTR[EBP+(offset __L_locgpa - offset __L_start)]
MOV DWORD PTR[ESP+1Ch],EAX ; saved-EAX slot of the PUSHAD image
POPAD
RET 8
;-----------------------------------------------------------------------
; __L_FindAPIName(hModule, hash) - stdcall (RET 8), EAX = pointer to the
; export name whose hash matches. Kept as raw bytes; they decode to:
;   PUSHAD
;   EBX = hModule + e_lfanew; EBX = hModule + DataDirectory[0] (export dir)
;   EDI = hModule + AddressOfNames; ESI = 0
;   do:
;     EDX = hModule + names[ESI]; EAX = 0
;     repeat: EAX = ROL(EAX, 7); AL ^= *EDX; EDX++  until *EDX == 0
;     if EAX == hash: break
;     ESI++
;   while ESI < NumberOfNames
;   saved EAX := hModule + names[ESI]; POPAD; RET 8
; NOTE(review): when no export matches, ESI == NumberOfNames on exit and the
; routine returns names[NumberOfNames] - one entry past the table - instead
; of NULL; the caller then passes that pointer to GetProcAddress.
;-----------------------------------------------------------------------
__L_FindAPIName:
db 060h,08Bh,05Ch,024h,024h,08Bh,0CBh,003h
db 05Bh,03Ch,08Bh,05Bh,078h,003h,0D9h,08Bh
db 07Bh,020h,003h,0F9h,033h,0F6h,08Dh,014h
db 0B7h,08Bh,012h,003h,0D1h,033h,0C0h,0C1h
db 0C0h,007h,032h,002h,042h,080h,03Ah,000h
db 075h,0F5h,03Bh,044h,024h,028h,074h,006h
db 046h,03Bh,073h,018h,072h,0E0h,08Dh,014h
db 0B7h,08Bh,012h,003h,0D1h,089h,054h,024h
db 01Ch,061h,0C2h,008h,000h
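;-----------------------------------------------------------------------
; __L_AlternatePathCheck - fallback for a failed LoadLibraryA(name): retry
; with "<directory of the packed image>\<name>".
; In:  ESI = DLL name (NUL-terminated); EBP = delta base;
;      __L_LOADED_IMAGEBASE (or __L_PE32_IMAGEBASE when it is 0) = the module
;      whose path is taken; __L_locloadlib, __L_locva, __L_locvf
; Out: EAX = module handle, or unchanged (the caller's NULL) on any failure.
;      Other registers preserved via PUSHAD/POPAD; the result is written to
;      the saved-EAX slot [ESP+1Ch].
; Changes vs. the original:
;   - the walk back to the last '\' stops at the buffer start (an empty path,
;     e.g. after GetModuleFileNameA failed, walked and zeroed memory below
;     the allocation);
;   - the appended name is bounded by MAX_PATH and always NUL-terminated;
;   - a NULL from the hash lookup, VirtualAlloc or GetModuleFileNameA skips
;     the retry instead of calling through NULL or writing to NULL;
;   - the path buffer is PAGE_READWRITE: it only ever holds a string.
;-----------------------------------------------------------------------
__L_AlternatePathCheck:
PUSHAD
LEA EAX,DWORD PTR[EBP+(offset __L_kernel32 - offset __L_start)]
PUSH EAX
CALL DWORD PTR[EBP+(offset __L_locloadlib - offset __L_start)] ; EAX = hKernel32
PUSH 774393E8h ;Hashed GetModuleFileNameA
PUSH EAX
CALL __L_GLOBAL_GETPROCADDRESS
MOV EDI,EAX ; EDI = GetModuleFileNameA
.if EDI != 0
PUSH PAGE_READWRITE ; string buffer, no execute permission needed
PUSH MEM_COMMIT
PUSH MAX_PATH
PUSH NULL
CALL DWORD PTR[EBP+(offset __L_locva - offset __L_start)]
MOV DWORD PTR[EBP+(offset __L_ALTERNATE_PATH - offset __L_start)],EAX
.if EAX != 0
PUSH MAX_PATH
PUSH DWORD PTR[EBP+(offset __L_ALTERNATE_PATH - offset __L_start)]
.if DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)] != 0
PUSH DWORD PTR[EBP+(offset __L_LOADED_IMAGEBASE - offset __L_start)]
.else
PUSH DWORD PTR[EBP+(offset __L_PE32_IMAGEBASE - offset __L_start)]
.endif
CALL EDI ; GetModuleFileNameA(hModule, buf, MAX_PATH): EAX = length, 0 on failure
.if EAX != 0
MOV EAX,DWORD PTR[EBP+(offset __L_ALTERNATE_PATH - offset __L_start)]
.while BYTE PTR[EAX] != 0 ; EAX -> terminating NUL
INC EAX
.endw
; strip the file name: zero back to the last '\', never below the buffer start
.while EAX > DWORD PTR[EBP+(offset __L_ALTERNATE_PATH - offset __L_start)] && BYTE PTR[EAX] != "\"
MOV BYTE PTR[EAX],0
DEC EAX
.endw
.if BYTE PTR[EAX] == "\"
INC EAX ; append right after the separator
.endif
MOV EDX,DWORD PTR[EBP+(offset __L_ALTERNATE_PATH - offset __L_start)]
ADD EDX,MAX_PATH-1 ; EDX = last byte of the buffer, reserved for the NUL
.while BYTE PTR[ESI] != NULL && EAX < EDX
MOVZX EBX,BYTE PTR[ESI]
MOV BYTE PTR[EAX],BL
INC ESI
INC EAX
.endw
MOV BYTE PTR[EAX],0 ; terminate, also when the name was truncated
PUSH DWORD PTR[EBP+(offset __L_ALTERNATE_PATH - offset __L_start)]
CALL DWORD PTR[EBP+(offset __L_locloadlib - offset __L_start)]
MOV DWORD PTR[ESP+1Ch],EAX ; hand the handle (or NULL) back through POPAD
.endif
PUSH MEM_RELEASE
PUSH 0
PUSH DWORD PTR[EBP+(offset __L_ALTERNATE_PATH - offset __L_start)]
CALL DWORD PTR[EBP+(offset __L_locvf - offset __L_start)]
.endif
.endif
POPAD
RET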
__L_lzma_unpack:
; Decoder body pulled in from the packer's include file. The stub calls it
; with three dwords pushed (work buffer first, then two rebased RVAs) inside a
; PUSHAD/POPAD pair; since POPAD does not restore ESP, the decoder must pop
; its own arguments - confirm in lzma_depack.inc.
include lzma_depack.inc
; Stub data. The import block below is what the PE loader processes before the
; stub runs; everything from __L_WIN9x_RELOCATION on is filled by the builder
; (dd ?) or used as scratch at run time.
__L_iat: ; IMAGE_IMPORT_DESCRIPTOR for kernel32.dll
__L_OriginalFirstThunk_k dd 00000000h ; 0: the loader resolves names through FirstThunk (PE rule)
__L_TimeDateStamp_k dd 00000000h
__L_ForwarderChain_k dd 00000000h
__L_dllName_k dd ? ;Kernel32.dll - RVA of __L_kernel32, presumably set by the builder
__L_FirstThunk_k dd ? ;LoadLibraryA - RVA of __L_locloadlib, presumably set by the builder
dd ? ; five zero dwords: the descriptor that terminates the import table - presumably, confirm against the builder
dd ?
dd ?
dd ?
dd ?
__L_kernel32 db "kernel32.dll",00h ; import descriptor Name, also used by __L_AlternatePathCheck
__L_locloadlib dd ? ; IAT entries, written by the loader, called by the stub via [EBP+offset ...]
__L_locgpa dd ?
__L_locva dd ?
__L_locvf dd ?
__L_locvp dd ?
db 00h,00h,00h,00h,00h,00h ; IAT terminator plus the first two-byte hint - presumably
__L_loadlib db "LoadLibraryA",00h,00h ; import-by-name strings; the exact hint/name layout is up to the builder - confirm
__L_gpa db "GetProcAddress",00h,00h
__L_va db "VirtualAlloc",00h,00h
__L_vf db "VirtualFree",00h,00h
__L_vp db "VirtualProtect",00h,00h
__L_WIN9x_RELOCATION dd 00001000h ; looks like an empty IMAGE_BASE_RELOCATION block (VirtualAddress 1000h, SizeOfBlock 8); the name suggests a placeholder for Win9x loaders - confirm
dd 00000008h
__L_OLD_PROTECT dd 02040001h ; lpflOldProtect target for VirtualProtect; __L_FIX_ACCESS resets it to this value
__L_LZMA_alloc dd ? ; decoder work buffer (VirtualAlloc, 0C2000h bytes)
__L_PE32_IMAGEBASE dd ? ; preferred ImageBase of the packed image
__L_LOADED_IMAGEBASE dd ? ; base the image actually runs at
__L_RELOCATION dd ? ; RVA of the packed relocation data, 0 if none (see __L_FIX_RELOCATIONS)
__L_RELOCATION_SIZE dd ? ; scratch: end of the current relocation block
__L_FILTER_CODE_START dd ? ; E8/E9 filter range RVA, 0 = no filter (see __L_FIX_FILTER_CODE)
__L_FILTER_CODE_SIZE dd ? ; E8/E9 filter range size in bytes
__L_FILTER_CODE_BYTE dd ? ; marker byte for the filter, 0 = plain variant
__L_ALTERNATE_PATH dd ? ; MAX_PATH buffer used by __L_AlternatePathCheck
__L_data: ; run-time scratch: +0 module handle, +4 key cursor, +8 import table buffer;
          ; from +12 on: the builder's (src RVA, dst RVA) pair table, then the compressed import table
__L_STUB_END: