📄 stub.cod
TITLE C:\Documents and Settings\Administrator\桌面\病毒原理\加壳\bambam004_source\Stub\stub.cpp
.386P
include listing.inc
if @Version gt 510
.model FLAT
else
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
_DATA SEGMENT DWORD USE32 PUBLIC 'DATA'
_DATA ENDS
CONST SEGMENT DWORD USE32 PUBLIC 'CONST'
CONST ENDS
_BSS SEGMENT DWORD USE32 PUBLIC 'BSS'
_BSS ENDS
_TLS SEGMENT DWORD USE32 PUBLIC 'TLS'
_TLS ENDS
a$A SEGMENT DWORD USE32 PUBLIC ''
a$A ENDS
; COMDAT ?StubEntryPoint@@YAXXZ
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
; COMDAT _main
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
; COMDAT ?ResolveImports@@YAXXZ
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
; COMDAT ?Decrypt@@YAXXZ
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
; COMDAT ?CopyResources@@YAXPAU_IMAGE_RESOURCE_DIRECTORY@@0@Z
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
; COMDAT _TlsCallback@12
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
; COMDAT ?FinaliseTlsStuff@@YAXXZ
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
; COMDAT ?GetLoadAddress@@YAXXZ
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
; COMDAT ?Jump@@YAXXZ
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
; COMDAT ?DecryptVars@@YAXXZ
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
; COMDAT ?CheckDebugger@@YAXXZ
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
; COMDAT ?SetupFuncs@@YAXXZ
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
; COMDAT ?StringDecrypt@@YAPADPAE@Z
_TEXT SEGMENT PARA USE32 PUBLIC 'CODE'
_TEXT ENDS
FLAT GROUP _DATA, CONST, _BSS, a$A
ASSUME CS: FLAT, DS: FLAT, SS: FLAT
endif
PUBLIC ?gev@@3UGlobalExternalVars@@A ; gev
PUBLIC ?dwLoadAddress@@3KA ; dwLoadAddress
PUBLIC ?pfnGlobalAlloc@@3P6GPAXIK@ZA ; pfnGlobalAlloc
PUBLIC ?pfnGlobalFree@@3P6GPAXPAX@ZA ; pfnGlobalFree
PUBLIC ?pfnIsDebugerPresent@@3P6GHXZA ; pfnIsDebugerPresent
PUBLIC ?pfnExitProcess@@3P6GXI@ZA ; pfnExitProcess
PUBLIC ?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA ; pfnVirtualProtect
PUBLIC ?dwTlsSlotIndex@@3KA ; dwTlsSlotIndex
PUBLIC ?fSafeToCallback@@3_NA ; fSafeToCallback
PUBLIC ?fDelayedTlsCallback@@3_NA ; fDelayedTlsCallback
PUBLIC ?tlsDllHandle@@3PAXA ; tlsDllHandle
PUBLIC ?tlsReason@@3KA ; tlsReason
PUBLIC ?tlsReserved@@3PAXA ; tlsReserved
PUBLIC ?szKey@@3PAEA ; szKey
PUBLIC ?szRsrc@@3PAEA ; szRsrc
PUBLIC ?szKernel32@@3PAEA ; szKernel32
PUBLIC ?szGlobalAlloc@@3PAEA ; szGlobalAlloc
PUBLIC ?szGlobalFree@@3PAEA ; szGlobalFree
PUBLIC ?szIsDebuggerPresent@@3PAEA ; szIsDebuggerPresent
PUBLIC ?szExitProcess@@3PAEA ; szExitProcess
PUBLIC ?szVirtualProtect@@3PAEA ; szVirtualProtect
; ---------------------------------------------------------------------------
; _BSS: globals of the stub that are reserved without initial values (DUP (?)).
;
; The pfn* slots are function pointers (mangling P6G... = pointer to __stdcall
; function). StubEntryPoint in this listing fills pfnGlobalAlloc,
; pfnGlobalFree, pfnIsDebugerPresent and pfnExitProcess with the value
; returned by GetProcAddress, so these APIs are reached through data pointers
; rather than import-table entries; the only EXTRN imports declared by this
; object are LoadLibraryA and GetProcAddress.
; NOTE(review): the store into pfnVirtualProtect is not visible in this part
; of the listing -- presumably it follows the same pattern; confirm.
; ---------------------------------------------------------------------------
_BSS SEGMENT
?dwLoadAddress@@3KA DD 01H DUP (?) ; dwLoadAddress
?pfnGlobalAlloc@@3P6GPAXIK@ZA DD 01H DUP (?) ; pfnGlobalAlloc
?pfnGlobalFree@@3P6GPAXPAX@ZA DD 01H DUP (?) ; pfnGlobalFree
; "Debuger" (one g) is the spelling of the symbol itself; the name string
; szIsDebuggerPresent is spelled with two.
?pfnIsDebugerPresent@@3P6GHXZA DD 01H DUP (?) ; pfnIsDebugerPresent
?pfnExitProcess@@3P6GXI@ZA DD 01H DUP (?) ; pfnExitProcess
?pfnVirtualProtect@@3P6GHPAXKKPAK@ZA DD 01H DUP (?) ; pfnVirtualProtect
; NOTE(review): the variables below are not referenced in the visible code.
; Their names, together with the _TlsCallback@12 and FinaliseTlsStuff COMDATs
; declared earlier in the listing, suggest they record a TLS callback
; invocation (handle, reason, reserved) for later handling -- confirm against
; those functions.
?dwTlsSlotIndex@@3KA DD 01H DUP (?) ; dwTlsSlotIndex
; Each one-byte bool (_N) is followed by ALIGN 4 so the next symbol starts on
; a dword boundary.
?fSafeToCallback@@3_NA DB 01H DUP (?) ; fSafeToCallback
ALIGN 4
?fDelayedTlsCallback@@3_NA DB 01H DUP (?) ; fDelayedTlsCallback
ALIGN 4
?tlsDllHandle@@3PAXA DD 01H DUP (?) ; tlsDllHandle
?tlsReason@@3KA DD 01H DUP (?) ; tlsReason
?tlsReserved@@3PAXA DD 01H DUP (?) ; tlsReserved
_BSS ENDS
; ---------------------------------------------------------------------------
; a$A: custom data segment; gev (struct GlobalExternalVars) is the only symbol
; this listing places in it. One initialised dword (0) plus ORG $+48 reserves
; 52 bytes in total.
; NOTE(review): the field layout of GlobalExternalVars and the code that
; fills it are not shown in this part of the listing; a dedicated segment
; suggests the block is meant to be located and written from outside the
; stub's own code -- confirm against the packer side.
; ---------------------------------------------------------------------------
a$A SEGMENT
?gev@@3UGlobalExternalVars@@A DD 00H ; gev
ORG $+48
a$A ENDS
; ---------------------------------------------------------------------------
; _DATA: key material and encrypted name strings used by the stub.
;
; None of the sz* arrays below holds readable text; each is a run of
; non-zero bytes ended by a single 00H. StubEntryPoint in this listing handles
; them as follows:
;   1. the length is measured by scanning for the first zero byte
;      (repne scasb), so the stored bytes must not contain an embedded 00H;
;   2. DecryptData_TEA(buffer, length, szKey) is called on the buffer (the
;      call passes no separate output pointer, so the result appears to be
;      produced in place);
;   3. the same buffer is passed to LoadLibraryA / GetProcAddress;
;   4. the buffer is then overwritten with zeros (rep stosd / rep stosb with
;      eax = 0).
; For analysis this means plain string extraction on the object or packed
; file will not show these names, and the plaintext exists in memory only
; between steps 2 and 4. The byte runs themselves are fixed in this build.
;
; Each string's byte count equals the length of the name its symbol suggests
; (noted per symbol below); the plaintext itself cannot be confirmed from the
; listing alone.
; The ORG $+n directives pad each array so the next symbol starts on a
; 4-byte boundary.
; ---------------------------------------------------------------------------
_DATA SEGMENT
; szKey: 12 non-zero bytes + 00H. Pushed first, i.e. passed as the last
; (const char *) argument, for every DecryptData_TEA call in StubEntryPoint.
; NOTE(review): how DecryptData_TEA expands this into a TEA key, and whether
; szKey is itself transformed first (a DecryptVars COMDAT is declared in this
; listing), is not visible here.
?szKey@@3PAEA DB 084H ; szKey
DB 036H
DB 02eH
DB 023H
DB 010H
DB 0b0H
DB 01dH
DB 036H
DB 097H
DB 077H
DB 047H
DB 045H
DB 00H
ORG $+3
; szRsrc: 5 bytes + 00H. Not referenced in the visible part of the listing.
; NOTE(review): presumably the encrypted section name ".rsrc" (5 characters)
; -- confirm.
?szRsrc@@3PAEA DB 023H ; szRsrc
DB 0d5H
DB 0c8H
DB 0f7H
DB 09eH
DB 00H
ORG $+2
; szKernel32: 12 bytes + 00H (same length as "kernel32.dll"). Decrypted and
; passed to LoadLibraryA at the start of StubEntryPoint; the returned module
; handle is the one used for every GetProcAddress call that follows.
?szKernel32@@3PAEA DB 037H ; szKernel32
DB 027H
DB 0bcH
DB 0c1H
DB 0a2H
DB 086H
DB 047H
DB 058H
DB 023H
DB 0c3H
DB 0d7H
DB 0e9H
DB 00H
ORG $+3
; szGlobalAlloc: 11 bytes + 00H (same length as "GlobalAlloc").
; Result of GetProcAddress is stored in pfnGlobalAlloc.
?szGlobalAlloc@@3PAEA DB 0c1H ; szGlobalAlloc
DB 0ceH
DB 0eeH
DB 0cdH
DB 0b9H
DB 0b2H
DB 0dH
DB 087H
DB 061H
DB 0c8H
DB 0d8H
DB 00H
; szGlobalFree: 10 bytes + 00H (same length as "GlobalFree").
; Result of GetProcAddress is stored in pfnGlobalFree.
?szGlobalFree@@3PAEA DB 08dH ; szGlobalFree
DB 07H
DB 0bcH
DB 0a0H
DB 03cH
DB 0a9H
DB 07aH
DB 0f9H
DB 068H
DB 0c2H
DB 00H
ORG $+1
; szIsDebuggerPresent: 17 bytes + 00H (same length as "IsDebuggerPresent").
; Result of GetProcAddress is stored in pfnIsDebugerPresent. Because the name
; is encrypted and the API is not imported, neither the import table nor a
; string scan reveals that the stub can query debugger presence; the
; CheckDebugger COMDAT declared in this listing is the likely consumer
; (not visible here -- confirm).
?szIsDebuggerPresent@@3PAEA DB 07fH ; szIsDebuggerPresent
DB 056H
DB 0e0H
DB 0e4H
DB 0afH
DB 0d0H
DB 088H
DB 02bH
DB 03H
DB 0d1H
DB 0b8H
DB 066H
DB 0d5H
DB 0bfH
DB 045H
DB 0f5H
DB 079H
DB 00H
ORG $+2
; szExitProcess: 11 bytes + 00H (same length as "ExitProcess").
; Result of GetProcAddress is stored in pfnExitProcess.
?szExitProcess@@3PAEA DB 038H ; szExitProcess
DB 040H
DB 0a2H
DB 03dH
DB 0e3H
DB 060H
DB 0fdH
DB 0c8H
DB 068H
DB 0d4H
DB 0c8H
DB 00H
; szVirtualProtect: 14 bytes + 00H (same length as "VirtualProtect").
; The visible code measures its length and pushes it for decryption; the
; rest of the sequence lies beyond the end of this part of the listing.
?szVirtualProtect@@3PAEA DB 0b2H ; szVirtualProtect
DB 088H
DB 05aH
DB 03dH
DB 08fH
DB 073H
DB 0b1H
DB 05bH
DB 07fH
DB 0c8H
DB 0cfH
DB 0e0H
DB 09eH
DB 0ffH
DB 00H
_DATA ENDS
PUBLIC ?ResolveImports@@YAXXZ ; ResolveImports
PUBLIC ?CopyResources@@YAXPAU_IMAGE_RESOURCE_DIRECTORY@@0@Z ; CopyResources
PUBLIC ?FinaliseTlsStuff@@YAXXZ ; FinaliseTlsStuff
PUBLIC ?StubEntryPoint@@YAXXZ ; StubEntryPoint
EXTRN __imp__LoadLibraryA@4:NEAR
EXTRN _aP_depack:NEAR
EXTRN ?DecryptData_TEA@@YA_NPBXHPBD@Z:NEAR ; DecryptData_TEA
EXTRN __imp__GetProcAddress@8:NEAR
; COMDAT ?StubEntryPoint@@YAXXZ
_TEXT SEGMENT
_pNtHdr$17177 = -24
_wNumSections$17182 = -16
_bResource$17185 = -1
_dwOldProtect$17186 = -8
_lpbDecompBuffer$17193 = -20
_lpbResourceBuffer$17195 = -12
?StubEntryPoint@@YAXXZ PROC NEAR ; StubEntryPoint, COMDAT
; 75 : main();
00000 bf 00 00 00 00 mov edi, OFFSET FLAT:?szKernel32@@3PAEA ; szKernel32
00005 83 c9 ff or ecx, -1
00008 33 c0 xor eax, eax
0000a 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
0000f f2 ae repne scasb
00011 f7 d1 not ecx
00013 49 dec ecx
00014 51 push ecx
00015 68 00 00 00 00 push OFFSET FLAT:?szKernel32@@3PAEA ; szKernel32
0001a e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
0001f 83 c4 0c add esp, 12 ; 0000000cH
00022 68 00 00 00 00 push OFFSET FLAT:?szKernel32@@3PAEA ; szKernel32
00027 ff 15 00 00 00
00 call DWORD PTR __imp__LoadLibraryA@4
0002d 8b f0 mov esi, eax
0002f bf 00 00 00 00 mov edi, OFFSET FLAT:?szKernel32@@3PAEA ; szKernel32
00034 83 c9 ff or ecx, -1
00037 33 c0 xor eax, eax
00039 f2 ae repne scasb
0003b f7 d1 not ecx
0003d 49 dec ecx
0003e bf 00 00 00 00 mov edi, OFFSET FLAT:?szKernel32@@3PAEA ; szKernel32
00043 8b d1 mov edx, ecx
00045 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
0004a c1 e9 02 shr ecx, 2
0004d f3 ab rep stosd
0004f 8b ca mov ecx, edx
00051 83 e1 03 and ecx, 3
00054 f3 aa rep stosb
00056 bf 00 00 00 00 mov edi, OFFSET FLAT:?szGlobalAlloc@@3PAEA ; szGlobalAlloc
0005b 83 c9 ff or ecx, -1
0005e 33 c0 xor eax, eax
00060 f2 ae repne scasb
00062 f7 d1 not ecx
00064 49 dec ecx
00065 51 push ecx
00066 68 00 00 00 00 push OFFSET FLAT:?szGlobalAlloc@@3PAEA ; szGlobalAlloc
0006b e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
00070 8b 1d 00 00 00
00 mov ebx, DWORD PTR __imp__GetProcAddress@8
00076 83 c4 0c add esp, 12 ; 0000000cH
00079 68 00 00 00 00 push OFFSET FLAT:?szGlobalAlloc@@3PAEA ; szGlobalAlloc
0007e 56 push esi
0007f ff d3 call ebx
00081 a3 00 00 00 00 mov DWORD PTR ?pfnGlobalAlloc@@3P6GPAXIK@ZA, eax ; pfnGlobalAlloc
00086 bf 00 00 00 00 mov edi, OFFSET FLAT:?szGlobalAlloc@@3PAEA ; szGlobalAlloc
0008b 83 c9 ff or ecx, -1
0008e 33 c0 xor eax, eax
00090 f2 ae repne scasb
00092 f7 d1 not ecx
00094 49 dec ecx
00095 bf 00 00 00 00 mov edi, OFFSET FLAT:?szGlobalAlloc@@3PAEA ; szGlobalAlloc
0009a 8b d1 mov edx, ecx
0009c 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
000a1 c1 e9 02 shr ecx, 2
000a4 f3 ab rep stosd
000a6 8b ca mov ecx, edx
000a8 83 e1 03 and ecx, 3
000ab f3 aa rep stosb
000ad bf 00 00 00 00 mov edi, OFFSET FLAT:?szGlobalFree@@3PAEA ; szGlobalFree
000b2 83 c9 ff or ecx, -1
000b5 33 c0 xor eax, eax
000b7 f2 ae repne scasb
000b9 f7 d1 not ecx
000bb 49 dec ecx
000bc 51 push ecx
000bd 68 00 00 00 00 push OFFSET FLAT:?szGlobalFree@@3PAEA ; szGlobalFree
000c2 e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
000c7 83 c4 0c add esp, 12 ; 0000000cH
000ca 68 00 00 00 00 push OFFSET FLAT:?szGlobalFree@@3PAEA ; szGlobalFree
000cf 56 push esi
000d0 ff d3 call ebx
000d2 a3 00 00 00 00 mov DWORD PTR ?pfnGlobalFree@@3P6GPAXPAX@ZA, eax ; pfnGlobalFree
000d7 bf 00 00 00 00 mov edi, OFFSET FLAT:?szGlobalFree@@3PAEA ; szGlobalFree
000dc 83 c9 ff or ecx, -1
000df 33 c0 xor eax, eax
000e1 f2 ae repne scasb
000e3 f7 d1 not ecx
000e5 49 dec ecx
000e6 bf 00 00 00 00 mov edi, OFFSET FLAT:?szGlobalFree@@3PAEA ; szGlobalFree
000eb 8b d1 mov edx, ecx
000ed c1 e9 02 shr ecx, 2
000f0 f3 ab rep stosd
000f2 8b ca mov ecx, edx
000f4 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
000f9 83 e1 03 and ecx, 3
000fc f3 aa rep stosb
000fe bf 00 00 00 00 mov edi, OFFSET FLAT:?szIsDebuggerPresent@@3PAEA ; szIsDebuggerPresent
00103 83 c9 ff or ecx, -1
00106 33 c0 xor eax, eax
00108 f2 ae repne scasb
0010a f7 d1 not ecx
0010c 49 dec ecx
0010d 51 push ecx
0010e 68 00 00 00 00 push OFFSET FLAT:?szIsDebuggerPresent@@3PAEA ; szIsDebuggerPresent
00113 e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
00118 83 c4 0c add esp, 12 ; 0000000cH
0011b 68 00 00 00 00 push OFFSET FLAT:?szIsDebuggerPresent@@3PAEA ; szIsDebuggerPresent
00120 56 push esi
00121 ff d3 call ebx
00123 a3 00 00 00 00 mov DWORD PTR ?pfnIsDebugerPresent@@3P6GHXZA, eax ; pfnIsDebugerPresent
00128 bf 00 00 00 00 mov edi, OFFSET FLAT:?szIsDebuggerPresent@@3PAEA ; szIsDebuggerPresent
0012d 83 c9 ff or ecx, -1
00130 33 c0 xor eax, eax
00132 f2 ae repne scasb
00134 f7 d1 not ecx
00136 49 dec ecx
00137 bf 00 00 00 00 mov edi, OFFSET FLAT:?szIsDebuggerPresent@@3PAEA ; szIsDebuggerPresent
0013c 8b d1 mov edx, ecx
0013e 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
00143 c1 e9 02 shr ecx, 2
00146 f3 ab rep stosd
00148 8b ca mov ecx, edx
0014a 83 e1 03 and ecx, 3
0014d f3 aa rep stosb
0014f bf 00 00 00 00 mov edi, OFFSET FLAT:?szExitProcess@@3PAEA ; szExitProcess
00154 83 c9 ff or ecx, -1
00157 33 c0 xor eax, eax
00159 f2 ae repne scasb
0015b f7 d1 not ecx
0015d 49 dec ecx
0015e 51 push ecx
0015f 68 00 00 00 00 push OFFSET FLAT:?szExitProcess@@3PAEA ; szExitProcess
00164 e8 00 00 00 00 call ?DecryptData_TEA@@YA_NPBXHPBD@Z ; DecryptData_TEA
00169 83 c4 0c add esp, 12 ; 0000000cH
0016c 68 00 00 00 00 push OFFSET FLAT:?szExitProcess@@3PAEA ; szExitProcess
00171 56 push esi
00172 ff d3 call ebx
00174 a3 00 00 00 00 mov DWORD PTR ?pfnExitProcess@@3P6GXI@ZA, eax ; pfnExitProcess
00179 bf 00 00 00 00 mov edi, OFFSET FLAT:?szExitProcess@@3PAEA ; szExitProcess
0017e 83 c9 ff or ecx, -1
00181 33 c0 xor eax, eax
00183 f2 ae repne scasb
00185 f7 d1 not ecx
00187 49 dec ecx
00188 bf 00 00 00 00 mov edi, OFFSET FLAT:?szExitProcess@@3PAEA ; szExitProcess
0018d 8b d1 mov edx, ecx
0018f 68 00 00 00 00 push OFFSET FLAT:?szKey@@3PAEA ; szKey
00194 c1 e9 02 shr ecx, 2
00197 f3 ab rep stosd
00199 8b ca mov ecx, edx
0019b 83 e1 03 and ecx, 3
0019e f3 aa rep stosb
001a0 bf 00 00 00 00 mov edi, OFFSET FLAT:?szVirtualProtect@@3PAEA ; szVirtualProtect
001a5 83 c9 ff or ecx, -1
001a8 33 c0 xor eax, eax
001aa f2 ae repne scasb
001ac f7 d1 not ecx
001ae 49 dec ecx
001af 51 push ecx
001b0 68 00 00 00 00 push OFFSET FLAT:?szVirtualProtect@@3PAEA ; szVirtualProtect