📄 prot.asm
add edi,4h
mov eax,edi
ret
MoveImpTable endp
;*************** Clear the original import table ************************
; ClsImpTable: walks the import directory of the loaded image and zeroes it:
; each DLL name, each hint/name entry, the thunk arrays and every 20-byte
; import descriptor.
; In:  globals PeHeadBase (IMAGE_NT_HEADERS) and MapOfFile (base added to
;      every RVA read here).
; Out: nothing; all general registers are restored by pushad/popad.
; NOTE(review): every RVA below is read from the input file and added to
;   MapOfFile without a bounds check, so a malformed import directory makes
;   this routine write outside the mapping. Validate RVAs against the image
;   size before dereferencing them.
; NOTE(review): ecx (the thunk counter) must survive "invoke ClsString", and
;   rep stosd/stosb assume the direction flag is clear -- confirm both.
ClsImpTable PROC
pushad
mov edi,PeHeadBase
assume edi : ptr IMAGE_NT_HEADERS
mov edi,dword ptr [edi].OptionalHeader.DataDirectory[SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress ; data directory index 1 = import table RVA
add edi,MapOfFile ; import table address
mov eax,dword ptr [edi+0ch] ; Name RVA of the first descriptor
.while eax!=0 ; a zero Name field ends the descriptor list
add eax,MapOfFile
invoke ClsString,eax ; DLL name (ClsString is defined elsewhere; presumably it zeroes the string)
mov esi,dword ptr [edi] ; OriginalFirstThunk
.if esi == 0
mov esi,dword ptr [edi+10h] ; none present: walk FirstThunk instead
.endif
add esi,MapOfFile
xor ecx,ecx ; ecx = number of thunk entries seen
mov eax,dword ptr [esi]
.while eax !=0
cdq ; edx = 0 only when bit 31 of eax is clear, i.e. import by name, not by ordinal
.if edx == 0
add eax,MapOfFile
mov word ptr [eax],0h ; clear the 2-byte hint
add eax,2h
invoke ClsString,eax ; function name that follows the hint
.endif
inc ecx
mov dword ptr [esi],0h ; clear this thunk entry
add esi,4h
mov eax,dword ptr [esi]
.endw
xor eax,eax
push edi
mov edi,dword ptr [edi+10h] ; FirstThunk RVA
add edi,MapOfFile
rep stosd ; zero ecx dwords of the FirstThunk array
pop edi
mov ecx,14h
rep stosb ; zero the 20-byte descriptor; edi ends up on the next descriptor
mov eax,dword ptr [edi+0ch]
.endw
popad
ret
ClsImpTable endp
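;**************** Move resources ****************************
; MoveRes: finds the top-level resource directory entry whose first dword
; equals ResType, copies the data of every item below it into the caller's
; buffer, repoints each data entry at the new location and zeroes the
; original bytes.
;
; In:  ResType     - value compared with the first dword of each top-level entry
;      MoveADDR    - destination buffer
;      MoveResSize - bytes already used in that buffer (running total)
;      globals PeHeadBase, MapOfFile, PeImageSize; labels ShellStart0/ShellEnd0
; Out: eax = updated MoveResSize (unchanged when the type is not present)
;      all other registers restored by pushad/popad
;
; Only the first entry of each second-level directory is followed, so one
; data entry is moved per name/ID.
;
; NOTE(review): directory offsets, data RVAs and sizes are read from the input
;   file and used unchecked, and no capacity for MoveADDR is passed in -- the
;   size field in the file alone decides how much is copied. Callers should
;   validate the resource tree and the total size against the buffer first.
; NOTE(review): rep movsb/stosb assume the direction flag is clear.
MoveRes PROC ResType:DWORD,MoveADDR:DWORD,MoveResSize:DWORD
    LOCAL ResBase:DWORD
    pushad
    mov edx,PeHeadBase
    assume edx : ptr IMAGE_NT_HEADERS
    mov edx,dword ptr [edx].OptionalHeader.DataDirectory[2*SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress
    add edx,MapOfFile                   ; resource directory address
    mov ResBase,edx
    xor ecx,ecx
    mov cx,word ptr [edx+0ch]           ; NumberOfNamedEntries
    add cx,word ptr [edx+0eh]           ; + NumberOfIdEntries
    test ecx,ecx
    jz NotFoundResDir                   ; empty directory: "loop" with ecx=0 would wrap around
    add edx,10h                         ; first directory entry
FindResDir:
    mov eax,dword ptr [edx]
    cmp eax,ResType                     ; explicit compare/branch replaces the original
    je FoundResDir                      ; .if / condition-less .elseif pair
    add edx,8h                          ; next 8-byte entry
    loop FindResDir
    jmp NotFoundResDir
FoundResDir:
    mov edx,dword ptr [edx+4h]
    and edx,7fffffffh                   ; drop the "is subdirectory" bit
    add edx,ResBase                     ; second-level directory (names/IDs)
    xor ecx,ecx
    mov cx,word ptr [edx+0ch]
    add cx,word ptr [edx+0eh]
    test ecx,ecx
    jz NotFoundResDir                   ; same wrap-around guard as above
    add edx,10h
MoveResItem:
    mov ebx,dword ptr [edx+4h]
    and ebx,7fffffffh
    add ebx,ResBase                     ; third-level directory
    add ebx,10h                         ; its first entry
    mov ebx,dword ptr [ebx+4h]
    add ebx,ResBase                     ; data entry: +0 RVA, +4 size
    push ecx                            ; keep the item counter
    mov ecx,dword ptr [ebx+4h]          ; ecx = size of the resource data
    mov esi,dword ptr [ebx]
    add esi,MapOfFile                   ; esi = current location of the data
    mov eax,PeImageSize
    add eax,ShellEnd0-ShellStart0
    add eax,MoveResSize
    mov dword ptr [ebx],eax             ; new RVA = image size + ShellStart0..ShellEnd0 length + offset in buffer
    mov edi,MoveADDR
    add edi,MoveResSize                 ; append to the destination buffer
    add MoveResSize,ecx
    push esi
    push ecx
    rep movsb                           ; copy the data out
    pop ecx
    pop edi                             ; edi = original location
    xor eax,eax
    rep stosb                           ; wipe the original bytes
    pop ecx
    add edx,8h
    loop MoveResItem
NotFoundResDir:
    popad
    mov eax,MoveResSize
    ret
MoveRes endp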
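;******************* Merge sections ************************
; MergeSection: folds the sections that follow the first one into the first
; section header, stopping at the first section whose name starts with
; ".eda", ".rsr" or ".ico", then compacts the section table and zeroes the
; headers that are no longer used.
;
; In:  globals PeHeadBase (IMAGE_NT_HEADERS) and SecTableBase (section table)
; Out: FileHeader.NumberOfSections and the section table are rewritten in
;      place; all registers restored by pushad/popad
;
; A file with fewer than two sections is left untouched: without that check
; the merge loop would start with ecx = 0, read a header past the end of the
; table and let "loop" wrap around.
;
; NOTE(review): the merged size is a plain sum of the +8 (virtual size) fields;
;   that is only right when the sections are contiguous with no alignment gap
;   between them -- confirm the caller normalises the sizes beforehand.
; NOTE(review): NumberOfSections comes from the input file and is not checked
;   against the real extent of the section table.
MergeSection PROC
    ; Merge the leading compressible sections; this shrinks the packed file a little.
    ; After this routine only the image size and image offset of the merged
    ; section are meaningful; the file size and file offset are corrected when
    ; the packed data is written back.
    LOCAL NumOfSec :word
    pushad
    mov ebx,PeHeadBase
    assume ebx : ptr IMAGE_NT_HEADERS
    movzx ecx,word ptr [ebx].FileHeader.NumberOfSections
    mov NumOfSec,cx
    cmp ecx,2
    jb MergeSectionDone                 ; 0 or 1 section: nothing to merge
    mov edi,SecTableBase                ; start of the section table
    mov esi,edi
    add esi,28h                         ; second section header
    dec ecx                             ; ecx = headers after the first
MergeNextSection:
    cmp dword ptr [esi], 'ade.'         ; ".eda" in memory order
    jz MergeSectionOver
    cmp dword ptr [esi], 'rsr.'         ; ".rsr"
    jz MergeSectionOver
    cmp dword ptr [esi], 'oci.'         ; ".ico"
    jz MergeSectionOver
    mov eax,dword ptr [esi+8h]
    add dword ptr [edi+8h],eax          ; grow the first section by this one's virtual size
    add esi,28h
    loop MergeNextSection
MergeSectionOver:
    mov eax,ecx                         ; ecx = headers left from esi onward
    inc eax                             ; plus the merged first section
    mov word ptr [ebx].FileHeader.NumberOfSections,ax
    mov eax,28h
    xor edx,edx
    mul ecx
    mov ecx,eax                         ; byte length of the remaining headers
    add edi,28h
    rep movsb                           ; slide them up behind the merged header
    movzx ecx,NumOfSec
    sub cx,word ptr [ebx].FileHeader.NumberOfSections
    mov eax,28h
    xor edx,edx
    mul ecx
    mov ecx,eax                         ; byte length of the now-surplus headers
    xor eax,eax
    rep stosb                           ; zero them
MergeSectionDone:
    popad
    ret
MergeSection endp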
;**************** Pack the file ***************************
; PackFile: writes the output file -- the PE header first, then every section,
; either compressed with aP_pack or copied as it is -- and rewrites each section
; header's file size (+10h) and file offset (+14h) to match what was written.
; For each compressed range a 12-byte record {original size, RVA, packed size}
; is appended to PackSection; per the original comments it is kept for
; decompression.
; In:  globals PeHeadBase, SecTableBase, MapOfFile, hFile, FileAlignment,
;      IsReFileHead, IsPackRes, FirstResADDR, lpPackBuffer
; Out: globals CurrentSize and PeHeadSize updated; registers restored by popad
; NOTE(review): no result is checked here. VirtualAlloc may return NULL,
;   WriteFile may fail or write short, and the value returned by aP_pack is
;   used as a length unconditionally. Test each before the value is used.
; NOTE(review): nothing limits how many records are written to PackSection.
;   DisposeShell copies 0A0h bytes of it (13 records), so the table is
;   presumably that size -- confirm the declaration and stop before it is full.
; NOTE(review): section sizes and RVAs come from the input file and are used
;   unchecked as lengths and as offsets from MapOfFile.
PackFile PROC
LOCAL MEM :DWORD
LOCAL MEMSize :DWORD
LOCAL NumberOfBytesRW :DWORD
LOCAL ResBase:DWORD
pushad
invoke AddLine,ADDR M_BeginPackFile
mov CurrentSize,0
mov esi,PeHeadBase
assume esi : ptr IMAGE_NT_HEADERS
mov eax,dword ptr [esi].OptionalHeader.DataDirectory[2*SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress
mov ResBase,eax ; stored, but not read again in this procedure
mov edi,SecTableBase ; start of the section table
.if IsReFileHead == 1
; header size = offset of the section table + (NumberOfSections+1) headers, passed through GetIntegral
movzx eax,word ptr [esi].FileHeader.NumberOfSections
inc eax
mov ebx,28h
xor edx,edx
mul ebx
mov ebx,SecTableBase
sub ebx,MapOfFile
add ebx,eax
invoke GetIntegral,ebx,FileAlignment ; presumably rounds ebx up to FileAlignment -- GetIntegral is defined elsewhere
mov ebx,eax
.else
mov ebx,dword ptr [edi+14h] ; file offset of the first section, i.e. the header size
.endif
mov PeHeadSize,ebx
add CurrentSize, ebx ; current output size; grows as sections are appended
invoke WriteFile, hFile,MapOfFile ,ebx,ADDR NumberOfBytesRW, NULL ; write the file header
movzx ecx,word ptr [esi].FileHeader.NumberOfSections ; ecx = sections left to process
mov esi, offset PackSection ; esi = next free record in PackSection
PackNextSection:
test ecx,ecx
jz AllSectionPacked
; section names are matched on their first four bytes
cmp dword ptr [edi], 'adr.' ; ".rda" in memory order
jz NotPack
cmp dword ptr [edi], 'ade.' ; ".eda"
jz NotPack
cmp dword ptr [edi], 'rsr.' ; ".rsr"
jz PackResSection
cmp dword ptr [edi], 'oci.' ; ".ico"
jz NotPack
cmp dword ptr [edi+10h], 0 ; no raw data in the file: nothing to compress
jz NotPack
;********* compress **********
mov eax,dword ptr [edi+08h] ; image size of the section
mov edx, 9
mul edx ; high dword of the product (edx) is discarded
shr eax,3
add eax,16
mov MEMSize,eax ; output buffer size = size*9/8 + 16
push ecx ; the section counter must survive the API calls
invoke VirtualAlloc, NULL, eax, MEM_COMMIT, PAGE_READWRITE
mov MEM, eax
mov ebx,dword ptr [edi+0ch] ; image offset (RVA) of the section
add ebx,MapOfFile
invoke aP_pack,ebx,MEM,dword ptr[edi+08h],lpPackBuffer,0
invoke GetIntegral,eax,FileAlignment ; eax = value returned by aP_pack, passed through GetIntegral
;********* save the section's attributes for decompression
push eax
mov eax,dword ptr[edi+08h]
mov dword ptr[esi],eax ; original size = space needed to unpack
mov eax,dword ptr[edi+0ch]
mov dword ptr[esi+4h],eax ; original offset = where unpacking starts
pop ebx
mov dword ptr[esi+8h],ebx ; size after compression = amount to unpack
add esi,0ch
;*********
mov dword ptr[edi+10h],ebx ; update the section's file size
mov eax,CurrentSize
mov dword ptr[edi+14h], eax ; update the section's file offset
add CurrentSize, ebx ; advance the current file size
; NOTE(review): ebx is the GetIntegral result, which may exceed MEMSize for a
; small section -- confirm this read stays inside the allocation.
invoke WriteFile, hFile,MEM,ebx,ADDR NumberOfBytesRW, NULL ; write the section
invoke VirtualFree, MEM, 0, MEM_RELEASE
pop ecx
jmp PackDone
PackResSection:
.if IsPackRes == 0h
jmp NotPack
.endif
; write the part of the resource section that is not compressed
push ecx
mov eax,FirstResADDR ; offset at which the first resource is stored
sub eax,dword ptr [edi+0ch] ; minus the section base = length of the uncompressed part
mov ecx,eax
mov ebx,dword ptr [edi+0ch]
add ebx,MapOfFile ; start of the data to write
invoke WriteFile, hFile,ebx,ecx,ADDR NumberOfBytesRW, NULL
;************************
mov eax,dword ptr [edi+08h]
mov edx, 9
mul edx
shr eax,3
add eax,16
mov MEMSize,eax ; output buffer size = size*9/8 + 16
invoke VirtualAlloc, NULL, MEMSize, MEM_COMMIT, PAGE_READWRITE
mov MEM, eax
mov ebx,FirstResADDR
sub ebx,dword ptr [edi+0ch] ; length of the uncompressed part
mov eax,dword ptr[edi+08h]
sub eax,ebx ; section length minus uncompressed part = length to compress
push eax ; number of bytes to compress
mov ebx,FirstResADDR
add ebx,MapOfFile ; start of the part to compress
invoke aP_pack,ebx,MEM,eax,lpPackBuffer,0
pop ebx
mov dword ptr[esi],ebx ; length after restoring
mov ebx,FirstResADDR
mov dword ptr[esi+4h],ebx ; where restoring starts
mov dword ptr[esi+8h],eax ; length of the part to restore (aP_pack result, not rounded here)
add esi,0ch
mov ebx,CurrentSize
mov dword ptr[edi+14h], ebx ; update the file offset
mov ebx,FirstResADDR
sub ebx,dword ptr[edi+0ch] ; length of the uncompressed part
add ebx,eax ; plus the compressed length
invoke GetIntegral,ebx,FileAlignment
add CurrentSize, eax
mov dword ptr[edi+10h], eax ; update the file size
mov ebx,FirstResADDR
sub ebx,dword ptr[edi+0ch]
sub eax,ebx ; section total minus what was already written = length of this write
mov ebx,eax
invoke WriteFile, hFile,MEM,ebx,ADDR NumberOfBytesRW, NULL
invoke VirtualFree, MEM, 0, MEM_RELEASE
pop ecx
jmp PackDone
NotPack:
; copy the section unchanged
push ecx
mov ecx,dword ptr [edi+0ch] ; image offset (RVA) of the section
add ecx,MapOfFile
mov edx,CurrentSize
mov dword ptr [edi+14h],edx ; store the file offset
mov eax,dword ptr [edi+10h] ; file size of the section
invoke GetIntegral,eax,FileAlignment ; NOTE(review): ecx is read after this call -- confirm GetIntegral preserves it
add CurrentSize, eax
mov ebx,eax
invoke WriteFile, hFile,ecx,ebx,ADDR NumberOfBytesRW, NULL ; write the section
pop ecx
PackDone:
add edi,28h ; next section header
dec ecx
jmp PackNextSection
AllSectionPacked:
invoke AddLine,ADDR M_PackFileOk
popad
ret
PackFile endp
;***************处理外壳**********************************
DisposeShell PROC
LOCAL ShellBufferMap :DWORD
LOCAL ShellBufferMapUsed :DWORD
LOCAL MEM :DWORD
LOCAL MEMSize :DWORD
LOCAL ShellSize :DWORD
LOCAL ShellSize_NoPack:DWORD
LOCAL FunkCodeSize :DWORD
pushad
invoke VirtualAlloc, NULL, 20000h, MEM_COMMIT, PAGE_READWRITE
mov ShellBufferMap,eax
;*******产生垃圾指令
invoke MakeFunkCode,ShellBufferMap
mov FunkCodeSize,eax
;*******读入外壳
mov ecx,ShellEnd-ShellStart
mov ShellSize_NoPack,ecx
lea esi,ShellStart
mov edi,ShellBufferMap
add edi,FunkCodeSize
rep movsb
;*******保存OEP
mov ebx,ShellBufferMap
add ebx,FunkCodeSize
add ebx,OEP-ShellStart
mov edx,PeHeadBase
assume edx : ptr IMAGE_NT_HEADERS
mov eax,dword ptr [edx].OptionalHeader.AddressOfEntryPoint
mov dword ptr [ebx],eax
;*******保存是否处理输入表的标记
mov ebx,ShellBufferMap
add ebx,FunkCodeSize
add ebx,S_IsProtImpTable-ShellStart
mov eax,IsProtImpTable
mov dword ptr [ebx],eax
;*******保存输入表地址
.if IsProtImpTable == 0
mov eax,dword ptr [edx].OptionalHeader.DataDirectory[SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress
mov ebx,ShellBufferMap
add ebx,FunkCodeSize
add ebx,ImpTableAddr-ShellStart
mov dword ptr [ebx],eax
.else
mov eax,ShellSize_NoPack
mov ebx,ShellBufferMap
add ebx,FunkCodeSize
add ebx,ImpTableAddr-ShellStart
mov dword ptr [ebx],eax
mov edi,ShellBufferMap
add edi,FunkCodeSize
add edi,ShellSize_NoPack
mov esi,MapOfImpProt
mov ecx,MapOfImpProtUsed
add ShellSize_NoPack,ecx
rep movsb
.endif
;*******保存特殊代码加密信息
.if IsCodeProt == 1
mov ebx,ShellBufferMap
add ebx,FunkCodeSize
add ebx,S_IsCodeProt-ShellStart
mov dword ptr [ebx],1
mov eax,ShellSize_NoPack
mov ebx,ShellBufferMap
add ebx,FunkCodeSize
add ebx,CodeProtAddr-ShellStart
mov dword ptr [ebx],eax
mov edi,ShellBufferMap
add edi,FunkCodeSize
add edi,ShellSize_NoPack
mov esi,MapOfCodeProt
mov ecx,MapOfCodeProtUsed
add ShellSize_NoPack,ecx
rep movsb
.endif
;*******保存压缩块表信息
mov ecx,0a0h
lea esi,PackSection
mov edi,ShellBufferMap
add edi,FunkCodeSize
add edi,S_PackSection-ShellStart
rep movsb
;*******
mov eax,FunkCodeSize
add ShellSize_NoPack,eax
;*******压缩
mov eax,ShellSize_NoPack
mov edx, 9
mul edx
shr eax,3
add eax,16
mov MEMSize,eax ;计算需要占用的内存空间
invoke VirtualAlloc, NULL, eax, MEM_COMMIT, PAGE_READWRITE
mov MEM, eax
invoke aP_pack,ShellBufferMap,MEM,ShellSize_NoPack,lpPackBuffer,0
mov ShellBufferMapUsed,eax
;*******读取外壳引导段**********
mov ecx,ShellEnd0-ShellStart0
mov ShellSize,ecx
mov edi,MapOfShell
lea esi,ShellStart0
rep movsb
.if IsPackRes == 1
mov ecx,MapOfPackResUsed
add ShellSize,ecx
mov esi,MapOfPackRes
rep movsb
.endif
;*******写入压缩后的外壳
mov ecx,ShellBufferMapUsed
add ShellSize,ecx
mov esi,MEM
rep movsb
;*******修正外壳输入表
mov eax,PeImageSize
add eax,ImportTable-ShellStart0 ;得到外壳输入表偏移
mov ebx,MapOfShell ;修改外壳输入表头
add ebx,ImportTable-ShellStart0