📄 erika.c
字号:
if (dwRSRCAddr == 0 || dwRSRCSize == 0)
{
MapOfRSRC = NULL;
SizeOfRSRC = 0;
return ;
}
CountOfICON = 0;
ICONOffset = NULL;
IRD1 = (IMAGE_RESOURCE_DIRECTORY *)(dwRSRCAddr+MapOfFile);
dwType = IRD1->NumberOfNamedEntries+IRD1->NumberOfIdEntries;
I_DIR_E_TYPE = (IMAGE_RESOURCE_DIRECTORY_ENTRY *)((LPBYTE)IRD1+sizeof(IMAGE_RESOURCE_DIRECTORY));
for (iType=0; iType<dwType; iType++)
{
IRD2 = (IMAGE_RESOURCE_DIRECTORY *)(I_DIR_E_TYPE->OffsetToDirectory + dwRSRCAddr + (DWORD)MapOfFile);
dwObj = IRD2->NumberOfIdEntries + IRD2->NumberOfNamedEntries;
I_DIR_E_OBJ = (IMAGE_RESOURCE_DIRECTORY_ENTRY *)((LPBYTE)IRD2+sizeof(IMAGE_RESOURCE_DIRECTORY));
for (iObj=0; iObj<dwObj; iObj++)
{
IRD3 = (IMAGE_RESOURCE_DIRECTORY *)(I_DIR_E_OBJ->OffsetToDirectory + dwRSRCAddr + (DWORD)MapOfFile);
I_DIR_E = (IMAGE_RESOURCE_DIRECTORY_ENTRY *)((LPBYTE)IRD3+sizeof(IMAGE_RESOURCE_DIRECTORY));
I_DAT_E = (IMAGE_RESOURCE_DATA_ENTRY *)(I_DIR_E->OffsetToData + dwRSRCAddr + (DWORD)MapOfFile);
if (I_DIR_E_TYPE->Id == 0x0E
&& ((DWORD)I_DIR_E_OBJ -(DWORD)((LPBYTE)IRD2+sizeof(IMAGE_RESOURCE_DIRECTORY))) == 0)
{
GICONAddr = I_DAT_E->OffsetToData;
GICONSize = I_DAT_E->Size;
CountOfICON = (GICONSize-6)/0x0E;
ICONOffset = VirtualAlloc(NULL, CountOfICON*8, MEM_COMMIT, PAGE_READWRITE);
for (iIcon=0; iIcon<CountOfICON; iIcon++)
{
*(LPWORD)(ICONOffset+iIcon*8) = *(LPWORD)(MapOfFile+GICONAddr+6+iIcon*0x0E+0x0C);
}
}
I_DIR_E_OBJ++;
}
I_DIR_E_TYPE++;
}
return ;
}
///////////////////////////////////////////////////////////////
void FuckRSRC()
{
DWORD dwRSRCAddr;
DWORD dwRSRCSize;
DWORD dwType;
DWORD dwObj;
DWORD iType;
DWORD iObj;
DWORD iIcon;
WORD wNameLen;
LPBYTE ICONAddr = NULL;
LPBYTE GICONAddr = NULL;
DWORD GICONSize = 0;
LPBYTE VERSNAddr = NULL;
DWORD VERSNSize = 0;
LPBYTE XML18Addr = NULL;
DWORD XML18Size = 0;
IMAGE_RESOURCE_DIRECTORY *IRD1;
IMAGE_RESOURCE_DIRECTORY *IRD2;
IMAGE_RESOURCE_DIRECTORY *IRD3;
IMAGE_RESOURCE_DATA_ENTRY *I_DAT_E;
IMAGE_RESOURCE_DIRECTORY_ENTRY *I_DIR_E_TYPE;
IMAGE_RESOURCE_DIRECTORY_ENTRY *I_DIR_E_OBJ;
IMAGE_RESOURCE_DIRECTORY_ENTRY *I_DIR_E;
IMAGE_RESOURCE_DIRECTORY *MY_IRD1;
IMAGE_RESOURCE_DIRECTORY *MY_IRD2;
IMAGE_RESOURCE_DIRECTORY *MY_IRD3;
IMAGE_RESOURCE_DATA_ENTRY *MY_I_DAT_E;
IMAGE_RESOURCE_DIRECTORY_ENTRY *MY_I_DIR_E_TYPE;
IMAGE_RESOURCE_DIRECTORY_ENTRY *MY_I_DIR_E_OBJ;
IMAGE_RESOURCE_DIRECTORY_ENTRY *MY_I_DIR_E;
GICONOffset = NULL;
VERSNOffset = NULL;
XML18Offset = NULL;
if (CountOfICON != 0 && ICONOffset != NULL)
{
ICONAddr = VirtualAlloc(NULL, 8*CountOfICON, MEM_COMMIT, PAGE_READWRITE);
}
dwRSRCAddr = PE->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress;
dwRSRCSize = PE->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size;
if (dwRSRCAddr == 0 || dwRSRCSize == 0)
{
MapOfRSRC = NULL;
SizeOfRSRC = 0;
return ;
}
MapOfRSRC = VirtualAlloc(NULL, dwRSRCSize, MEM_COMMIT, PAGE_READWRITE);
SizeOfRSRC = 0;
IRD1 = (IMAGE_RESOURCE_DIRECTORY *)(dwRSRCAddr+MapOfFile);
MY_IRD1 = (IMAGE_RESOURCE_DIRECTORY *)(MapOfRSRC);
memcpy(MY_IRD1, IRD1, sizeof(IMAGE_RESOURCE_DIRECTORY));
SizeOfRSRC += sizeof(IMAGE_RESOURCE_DIRECTORY);
dwType = IRD1->NumberOfNamedEntries+IRD1->NumberOfIdEntries;
memset(IRD1, 0, sizeof(IMAGE_RESOURCE_DIRECTORY));
I_DIR_E_TYPE = (IMAGE_RESOURCE_DIRECTORY_ENTRY *)((LPBYTE)IRD1+sizeof(IMAGE_RESOURCE_DIRECTORY));
MY_I_DIR_E_TYPE = (IMAGE_RESOURCE_DIRECTORY_ENTRY *)((LPBYTE)MY_IRD1+sizeof(IMAGE_RESOURCE_DIRECTORY));
memcpy(MY_I_DIR_E_TYPE, I_DIR_E_TYPE, dwType*sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
SizeOfRSRC += dwType*sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY);
for (iType=0; iType<dwType; iType++)
{
if (I_DIR_E_TYPE->NameIsString)
{
MY_I_DIR_E_TYPE->Name = SizeOfRSRC | 0x80000000;
wNameLen = *(LPWORD)(I_DIR_E_TYPE->NameOffset+dwRSRCAddr+(DWORD)MapOfFile);
*(LPWORD)(MapOfRSRC+SizeOfRSRC) = wNameLen;
SizeOfRSRC += 2;
memcpy(MapOfRSRC+SizeOfRSRC, (LPBYTE)(I_DIR_E_TYPE->NameOffset)+dwRSRCAddr+(DWORD)MapOfFile+2, wNameLen*2);
SizeOfRSRC += wNameLen*2;
*(LPWORD)(I_DIR_E_TYPE->NameOffset+dwRSRCAddr+(DWORD)MapOfFile) = 0;
memset((LPBYTE)(I_DIR_E_TYPE->NameOffset)+dwRSRCAddr+(DWORD)MapOfFile+2, 0, wNameLen*2);
}
MY_I_DIR_E_TYPE->OffsetToData = SizeOfRSRC | 0x80000000;
IRD2 = (IMAGE_RESOURCE_DIRECTORY *)(I_DIR_E_TYPE->OffsetToDirectory + dwRSRCAddr + (DWORD)MapOfFile);
MY_IRD2 = (IMAGE_RESOURCE_DIRECTORY *)(MY_I_DIR_E_TYPE->OffsetToDirectory + MapOfRSRC);
memcpy(MY_IRD2, IRD2, sizeof(IMAGE_RESOURCE_DIRECTORY));
SizeOfRSRC += sizeof(IMAGE_RESOURCE_DIRECTORY);
dwObj = IRD2->NumberOfIdEntries + IRD2->NumberOfNamedEntries;
memset(IRD2, 0, sizeof(IMAGE_RESOURCE_DIRECTORY));
I_DIR_E_OBJ = (IMAGE_RESOURCE_DIRECTORY_ENTRY *)((LPBYTE)IRD2+sizeof(IMAGE_RESOURCE_DIRECTORY));
MY_I_DIR_E_OBJ = (IMAGE_RESOURCE_DIRECTORY_ENTRY *)((LPBYTE)MY_IRD2+sizeof(IMAGE_RESOURCE_DIRECTORY));
memcpy(MY_I_DIR_E_OBJ, I_DIR_E_OBJ, dwObj*sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
SizeOfRSRC += dwObj*sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY);
for (iObj=0; iObj<dwObj; iObj++)
{
if (I_DIR_E_OBJ->NameIsString)
{
MY_I_DIR_E_OBJ->Name = SizeOfRSRC | 0x80000000;
wNameLen = *(LPWORD)(I_DIR_E_OBJ->NameOffset+dwRSRCAddr+(DWORD)MapOfFile);
*(LPWORD)(MapOfRSRC+SizeOfRSRC) = wNameLen;
SizeOfRSRC += 2;
memcpy(MapOfRSRC+SizeOfRSRC, (LPBYTE)(I_DIR_E_OBJ->NameOffset)+dwRSRCAddr+(DWORD)MapOfFile+2, wNameLen*2);
SizeOfRSRC += wNameLen*2;
*(LPWORD)(I_DIR_E_OBJ->NameOffset+dwRSRCAddr+(DWORD)MapOfFile) = 0;
memset((LPBYTE)(I_DIR_E_OBJ->NameOffset)+dwRSRCAddr+(DWORD)MapOfFile+2, 0, wNameLen*2);
}
MY_I_DIR_E_OBJ->OffsetToData = SizeOfRSRC | 0x80000000;
IRD3 = (IMAGE_RESOURCE_DIRECTORY *)(I_DIR_E_OBJ->OffsetToDirectory + dwRSRCAddr + (DWORD)MapOfFile);
MY_IRD3 = (IMAGE_RESOURCE_DIRECTORY *)(MY_I_DIR_E_OBJ->OffsetToDirectory + (DWORD)MapOfRSRC);
memcpy(MY_IRD3, IRD3, sizeof(IMAGE_RESOURCE_DIRECTORY));
SizeOfRSRC += sizeof(IMAGE_RESOURCE_DIRECTORY);
memset(IRD3, 0, sizeof(IMAGE_RESOURCE_DIRECTORY));
I_DIR_E = (IMAGE_RESOURCE_DIRECTORY_ENTRY *)((LPBYTE)IRD3+sizeof(IMAGE_RESOURCE_DIRECTORY));
MY_I_DIR_E = (IMAGE_RESOURCE_DIRECTORY_ENTRY *)((LPBYTE)MY_IRD3+sizeof(IMAGE_RESOURCE_DIRECTORY));
memcpy(MY_I_DIR_E, I_DIR_E, sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
SizeOfRSRC += sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY);
MY_I_DIR_E->OffsetToData = SizeOfRSRC;
I_DAT_E = (IMAGE_RESOURCE_DATA_ENTRY *)(I_DIR_E->OffsetToData + dwRSRCAddr + (DWORD)MapOfFile);
MY_I_DAT_E = (IMAGE_RESOURCE_DATA_ENTRY *)(MY_I_DIR_E->OffsetToData + (DWORD)MapOfRSRC);
memcpy(MY_I_DAT_E, I_DAT_E, sizeof(IMAGE_RESOURCE_DATA_ENTRY));
SizeOfRSRC += sizeof(IMAGE_RESOURCE_DATA_ENTRY);
memset(I_DIR_E, 0, sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
if (I_DIR_E_TYPE->Id == 0x03)
{
for (iIcon=0; iIcon<CountOfICON; iIcon++)
{
if (I_DIR_E_OBJ->Id == *(LPDWORD)(ICONOffset+iIcon*0x08))
{
*(LPDWORD)(ICONAddr+iIcon*8+0) = I_DAT_E->OffsetToData;
*(LPDWORD)(ICONAddr+iIcon*8+4) = I_DAT_E->Size;
*(LPDWORD)(ICONOffset+iIcon*0x08+4) = (DWORD)&(MY_I_DAT_E->OffsetToData);
break ;
}
}
}
if (I_DIR_E_TYPE->Id == 0x0E
&& ((DWORD)I_DIR_E_OBJ -(DWORD)((LPBYTE)IRD2+sizeof(IMAGE_RESOURCE_DIRECTORY))) == 0)
{
GICONAddr = (LPBYTE)I_DAT_E->OffsetToData;
GICONSize = I_DAT_E->Size;
GICONOffset = (LPDWORD)&(MY_I_DAT_E->OffsetToData);
}
if (I_DIR_E_TYPE->Id == 0x10
&& ((DWORD)I_DIR_E_OBJ -(DWORD)((LPBYTE)IRD2+sizeof(IMAGE_RESOURCE_DIRECTORY))) == 0)
{
VERSNAddr = (LPBYTE)I_DAT_E->OffsetToData;
VERSNSize = I_DAT_E->Size;
VERSNOffset = (LPDWORD)&(MY_I_DAT_E->OffsetToData);
}
if (I_DIR_E_TYPE->Id == 0x18
&& ((DWORD)I_DIR_E_OBJ -(DWORD)((LPBYTE)IRD2+sizeof(IMAGE_RESOURCE_DIRECTORY))) == 0)
{
XML18Addr = (LPBYTE)I_DAT_E->OffsetToData;
XML18Size = I_DAT_E->Size;
XML18Offset = (LPDWORD)&(MY_I_DAT_E->OffsetToData);
}
memset(I_DAT_E, 0, sizeof(IMAGE_RESOURCE_DATA_ENTRY));
memset(I_DIR_E_OBJ, 0, sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
I_DIR_E_OBJ++;
MY_I_DIR_E_OBJ++;
}
memset(I_DIR_E_TYPE, 0, sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
I_DIR_E_TYPE++;
MY_I_DIR_E_TYPE++;
}
if (ICONAddr != NULL)
{
for (iIcon=0; iIcon<CountOfICON; iIcon++)
{
*(LPDWORD)(*(LPDWORD)(ICONOffset+iIcon*0x08+4)) = SizeOfRSRC;
memcpy(MapOfRSRC+SizeOfRSRC, MapOfFile+*(LPDWORD)(ICONAddr+iIcon*8+0), *(LPDWORD)(ICONAddr+iIcon*8+4));
memset(MapOfFile+*(LPDWORD)(ICONAddr+iIcon*8+0), 0, *(LPDWORD)(ICONAddr+iIcon*8+4));
SizeOfRSRC += *(LPDWORD)(ICONAddr+iIcon*8+4);
}
VirtualFree(ICONAddr, 0, MEM_RELEASE);
}
if (GICONAddr != 0)
{
*GICONOffset = SizeOfRSRC;
memcpy(MapOfRSRC+SizeOfRSRC, MapOfFile+(DWORD)GICONAddr, GICONSize);
memset(MapOfFile+(DWORD)GICONAddr, 0, GICONSize);
SizeOfRSRC += GICONSize;
}
if (VERSNAddr != 0)
{
*VERSNOffset = SizeOfRSRC;
memcpy(MapOfRSRC+SizeOfRSRC, MapOfFile+(DWORD)VERSNAddr, VERSNSize);
memset(MapOfFile+(DWORD)VERSNAddr, 0, VERSNSize);
SizeOfRSRC += VERSNSize;
}
if (XML18Addr != 0)
{
*XML18Offset = SizeOfRSRC;
memcpy(MapOfRSRC+SizeOfRSRC, MapOfFile+(DWORD)XML18Addr, XML18Size);
memset(MapOfFile+(DWORD)XML18Addr, 0, XML18Size);
SizeOfRSRC += XML18Size;
}
return ;
}
///////////////////////////////////////////////////////////////
void FuckTLS()
{
DWORD dwTLSAddr;
DWORD dwTLSSize;
dwTLSAddr = PE->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
dwTLSSize = PE->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size;
if (dwTLSAddr == 0 || dwTLSSize == 0)
{
MapOfTLS = NULL;
SizeOfTLS = 0;
return ;
}
MapOfTLS = (LPBYTE)VirtualAlloc(NULL, dwTLSSize, MEM_COMMIT, PAGE_READWRITE);
memcpy(MapOfTLS, MapOfFile+dwTLSAddr, dwTLSSize);
*(LPDWORD)(MapOfTLS+0x0C) = 0;
memset(MapOfFile+dwTLSAddr, 0, dwTLSSize);
SizeOfTLS = dwTLSSize;
return ;
}
///////////////////////////////////////////////////////////////
void FuckSection()
{
DWORD i;
DWORD j;
DWORD dwAddr;
DWORD dwSize;
for (i=0; i<PE->FileHeader.NumberOfSections; i++)
{
dwAddr = (SH+i)->VirtualAddress+(DWORD)MapOfFile;
dwSize = (SH+i)->Misc.VirtualSize;
for (j=dwAddr+dwSize-1; j>dwAddr; j--)
{
if (*(LPBYTE)j != 0)
{
j++;
break ;
}
}
(SH+i)->SizeOfRawData = j-dwAddr;
(SH+i)->Characteristics |= 0xE00000E0;
}
}
///////////////////////////////////////////////////////////////
void PackSection()
{
DWORD dwSize;
DWORD i;
dwSize = 1;
for (i=0; i<PE->FileHeader.NumberOfSections; i++)
{
if ((SH+i)->SizeOfRawData != 0)
dwSize += (SH+i)->SizeOfRawData+8;
}
dwSize += SizeOfIAT+4;
if (MapOfReloc != NULL && SizeOfReloc != 0)
dwSize += SizeOfReloc;
MapOfPack = (LPBYTE)VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
SizeOfPack = dwSize;
dwSize = 1;
for (i=0; i<PE->FileHeader.NumberOfSections; i++)
{
if ((SH+i)->SizeOfRawData != 0)
{
*(LPDWORD)(MapOfPack+dwSize) = (SH+i)->VirtualAddress;
dwSize += 4;
*(LPDWORD)(MapOfPack+dwSize) = (SH+i)->SizeOfRawData;
dwSize += 4;
memcpy(MapOfPack+dwSize, MapOfFile+(SH+i)->VirtualAddress, (SH+i)->SizeOfRawData);
dwSize += (SH+i)->SizeOfRawData;
(*MapOfPack)++;
}
}
memcpy(MapOfPack+dwSize, MapOfIAT, SizeOfIAT);
dwSize += SizeOfIAT+4;
if (MapOfReloc != NULL && SizeOfReloc != 0)
{
memcpy(MapOfPack+dwSize, MapOfReloc, SizeOfReloc);
dwSize += SizeOfReloc;
}
dwSize = packbuff(MapOfPack, dwSize);
SizeOfPacked = dwSize - 0x0D;
}
///////////////////////////////////////////////////////////////
void __declspec(naked) loader()
{
__asm
{
popad
ep:
mov eax, 00000000 ;ep /oep
mov edx, 00000000
add eax, edx
jmp eax
__emit 00 ;指向第一段中的数据结构
__emit 00
__emit 00
__emit 00
pushad
call next
next:
pop esi
sub esi, 0x0A
mov eax, [esi]
add eax, edx
mov ecx, [eax]
mov [esi-0x0D], ecx ;写回oep
sub esi, 0x0F
push esi
push edx
mov esi, eax
lods dword ptr [esi]
lods dword ptr [esi]
add eax, edx
mov ebx, eax
push 0x04
mov edi, 0x1000
push edi
push edi
push 0x00
call dword ptr [ebx+0x08] ;为解压lzma开空间
pop edx
pop ecx
mov ebp, 0x8000
push ebp
push 0x00
push eax
push ecx
push edx
push eax
mov dword ptr [esi], eax
lods dword ptr [esi]
lods dword ptr [esi]
add eax, edx
push eax
lods dword ptr [esi]
add eax, edx
call eax ;aplib 解压lzma
push 0x04
push edi
lods dword ptr [esi]
push eax
push 0x00
call dword ptr [ebx+0x08] ;lzma解压后的数据空间
pop edx
push ebp
push 0x00
push eax
push [ebx+0x0C]
push edx
push 0x04
push edi
mov edi, eax
push ebp
push 0x00
call dword ptr [ebx+0x08] ;lzma工作空间
pop edx
push ebp
push 0x00
push eax
push [ebx+0x0C]
push [esp]
mov ecx, eax
push eax
push esp
push [esi-4]
push edi
lods dword ptr [esi]
push eax
lods dword ptr [esi]
add eax, edx
push eax
push ebp
push ecx
mov ebp, edx
call [esi-0x18] ;lzma解压
pop eax
add [esi], ebp
mov edi, [esi]
lods dword ptr [esi]
push eax
lods dword ptr [esi]
push eax
lods dword ptr [esi]
push eax
lods dword ptr [esi]
push eax
xor eax, eax
mov ecx, 0x180
rep stos dword ptr [edi] ;第一段清空
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -