cmp word ptr [eax],$5A4D
jnz @findhead
@_final:
end;
// Marker routine: returns the address of its own first byte.
// The `call @CodeEnd` is a 5-byte near call whose pushed return address is
// @CodeEnd, so popping it and subtracting 5 gives the address of the call
// instruction itself. linkpackercode uses CodeEnd_GetRoomBase - CodeStart_GetRoomBase
// as the byte length of the GetRoomBase code, which only holds if the compiler
// emits no prologue in front of this call and lays this routine out directly
// behind GetRoomBase (presumably the intent; not verifiable from here).
function CodeEnd_GetRoomBase():DWORD;
asm
Call @CodeEnd                     // pushes address of @CodeEnd
@CodeEnd:
pop eax                           // eax = address of @CodeEnd
sub eax,5                         // back over the 5-byte call = this routine's start
end;
// Build the packer's tpackheader0: resolve the kernel32 entry points the stub
// needs and record them, together with the image base and a scratch "link
// room", then copy the header into a freshly allocated page.
// Returns: the address of that page (the raw VirtualAlloc result, unchecked:
// on failure it is 0 and the final movmem writes to address 0).
//
// How the first two APIs are found: GetModuleHandleA and GetProcAddress are
// read from fixed offsets ($34 and $38) past the import directory
// (DataDirectory[1]) of this very image. Those offsets are tied to the import
// table layout of the author's build and break as soon as the import table
// changes. Everything else is resolved by name: each name is a NUL-terminated
// `db` string placed directly behind a `call`, so the pushed return address
// doubles as the lpProcName argument and the stub needs no absolute data
// references.
//
// NOTE(review): the asm block issues pushad but no popad; the function's
// frame epilogue is relied on to restore esp, and ebx/esi/edi (edi is
// overwritten with the VirtualAlloc result) are left for the compiler to
// preserve — confirm this holds for the target compiler.
// NOTE(review): the header page is requested PAGE_EXECUTE_READWRITE although
// it only ever holds data; PAGE_READWRITE would suffice. None of the
// GetProcAddress results are checked for 0 before being stored.
function Getandsaveinfo():cardinal;stdcall;assembler;
var
_PEDH : TImageDosHeader;              // DOS header of the running image
_PENH : TImageNtHeaders;              // NT headers of the running image
asm_GetModuleHandleA : function (ModuleName:pansichar):Cardinal;stdcall;
asm_GetProcAddress : function (
ModuleName:pansichar;ProcName:pansichar):Cardinal;stdcall;
asm_VirtualAlloc : function (lpvAddress: Pointer; dwSize,flAllocationType, flProtect: DWORD): Pointer; stdcall;
p_GetModuleHandleA : Cardinal;        // address of the IAT slot holding GetModuleHandleA
p_GetProcAddress : cardinal;          // address of the IAT slot holding GetProcAddress
p_packheader:tpackheader0;            // header being filled in; copied out at the end
begin
// Read the DOS and NT headers of the running image.
movmem(GetImageBase,@_PEDH,sizeof(_PEDH));
movmem(GetImageBase+_PEDH._lfanew,@_PENH,sizeof(_PENH));
// Fixed offsets into the import directory (build-specific, see header note).
p_GetModuleHandleA := GetImageBase+_PENH.OptionalHeader.DataDirectory[1].VirtualAddress + $34;
p_GetProcAddress := GetImageBase+_PENH.OptionalHeader.DataDirectory[
1].VirtualAddress + $38;
asm
pushad                            // never matched by a popad (see header note)
// Dereference the two IAT slots.
mov eax,p_GetModuleHandleA
mov eax,dword ptr [eax]
mov asm_GetModuleHandleA,eax
mov p_packheader.p_GetModuleHandleA,eax
mov eax,p_GetProcAddress
mov eax,dword ptr [eax]
mov asm_GetProcAddress,eax
mov p_packheader.p_GetProcAddress,eax
// GetModuleHandleA("kernel32.dll"): the call pushes the string address,
// which is the one stdcall argument.
call @s_kernel32 //kernel32.dll
db 06Bh, 065h,072h,06Eh,065h,06Ch,033h,032h,02Eh,064h,06Ch,06Ch,0h
@s_kernel32:
call asm_getmodulehandleA
mov p_packheader.base_Kernel32,eax
// GetProcAddress(hKernel32, "VirtualAlloc"): lpProcName pushed by the call,
// hModule (still in eax) pushed explicitly.
call @s_VirtualAlloc
//VirtualAlloc
db 056h,069h,072h,074h,075h,061h,06Ch,041h,06Ch,06Ch,06Fh,063h,0h
@s_VirtualAlloc:
push eax
call asm_GetProcAddress
mov p_packheader.p_VirtualAlloc,eax
// VirtualAlloc(nil, $1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE): the page the
// finished header is copied into. Execute permission is not needed for it.
push 040h //PAGE_EXECUTE_READWRITE
push 01000h // MEM_COMMIT
push $1000 //size
push 0h //address
call eax                          // eax = VirtualAlloc
mov result,eax                    // unchecked: 0 if the allocation failed
mov edi,eax
call GetImageBase
mov p_packheader.imagebase,eax
// Remaining kernel32 exports, each resolved by name the same way:
// the call pushes the name, then the module handle is pushed, then GetProcAddress.
call @s_VirtualFree
//VirtualFree
db 056h,069h,072h,074h,075h,061h,06Ch,046h,072h,065h,065h,0h
@s_VirtualFree:
push p_packheader.base_Kernel32
call asm_GetProcAddress
mov p_packheader.p_VirtualFree,eax
//LoadLibraryA
call @s_LoadLibraryA
db 04Ch,06Fh,061h,064h,04Ch,069h,062h,072h,061h,072h,079h,041h,0h
@s_LoadLibraryA:
push p_packheader.base_Kernel32
call asm_GetProcAddress
mov p_packheader.p_LoadLibraryA,eax
//ExitProcess
call @s_ExitProcess
db 45h,078h,069h,074h,050h,072h,06Fh,063h,065h,073h,073h,0h
@s_ExitProcess:
push p_packheader.base_Kernel32
call asm_GetProcAddress
mov p_packheader.p_Exitprocess,eax
//VirtualProtect
call @s_VirtualProtect
db 56h,069h,072h,074h,075h,061h,06Ch,050h,072h,06Fh,074h,065h,063h,074h,0h
@s_VirtualProtect:
push p_packheader.base_kernel32
call asm_Getprocaddress
mov p_packheader.p_VirtualProtect,eax
//GetCommandLineA
call @s_GetCommandLineA
db 047h,065h,074h,043h,06Fh,06Dh,06Dh,061h,06Eh,064h,04Ch,069h,06Eh,065h,041h,0h
@s_GetCommandLineA:
push p_packheader.base_kernel32
call asm_GetProcAddress
mov p_packheader.p_GetCommandLineA,eax
//CreateProcessA
call @s_CreateProcessA
db 43h,072h,065h,061h,074h,065h,050h,072h,06Fh,063h,065h,073h,073h,041h,0h
@s_CreateProcessA:
push p_packheader.base_kernel32
call asm_getProcaddress
mov p_packheader.p_createprocessA,eax
//WaitForDebugEvent
call @s_WaitForDebugEvent
db 057h,061h,069h,074h,046h,06Fh,072h,044h,065h,062h,075h,067h,045h,076h,065h,06Eh,074h,0h
@s_WaitForDebugEvent:
push p_packheader.base_kernel32
call asm_getprocaddress
mov p_packheader.p_WaitForDebugEvent,eax
//ContinueDebugEvent
call @s_ContinueDebugEvent
db 043h,06Fh,06Eh,074h,069h,06Eh,075h,065h,044h,065h,062h,075h,067h,045h,076h,065h,06Eh,074h,0h
@s_ContinueDebugEvent:
push p_packheader.base_kernel32
call asm_getprocaddress
mov p_packheader.p_ContinueDebugEvent,eax
//CreateEventA
call @s_CreateEventA
db 043h,072h,065h,061h,074h,065h,045h,076h,065h,06Eh,074h,041h,0h
@s_CreateEventA:
push p_packheader.base_kernel32
call asm_getprocaddress
mov p_packheader.p_CreateEventA,eax
//GetLastError
call @s_GetLastError
db 047h,065h,074h,04Ch,061h,073h,074h,045h,072h,072h,06Fh,072h,0h
@s_GetLastError:
push p_packheader.base_kernel32
call asm_getprocaddress
mov p_packheader.p_GetLastError,eax
//CloseHandle
call @s_CloseHandle
db 043h,06Ch,06Fh,073h,065h,048h,061h,06Eh,064h,06Ch,065h,0h
@s_closeHandle:
push p_packheader.base_kernel32
call asm_getProcaddress
mov p_packheader.p_closehandle,eax
//OutputDebugStringA
call @s_OutputDebugStringA
db 04Fh,075h,074h,070h,075h,074h,044h,065h,062h,075h,067h,053h,074h,072h,069h,06Eh,067h,041h,0h
@s_OutputDebugStringA:
push p_packheader.base_kernel32
call asm_getprocaddress
mov p_packheader.p_OutputDebugStringA,eax
//GetThreadContext
call @s_GetThreadContext
db 047h,065h,074h,054h,068h,072h,065h,061h,064h,043h,06Fh,06Eh,074h,065h,078h,074h,000h
@s_GetThreadContext:
push p_packheader.base_kernel32
call asm_getprocaddress
mov p_packheader.p_GetThreadContext,eax
//SetThreadContext
call @s_SetThreadContext
db 053h,065h,074h,054h,068h,072h,065h,061h,064h,043h,06Fh,06Eh,074h,065h,078h,074h,000h
@s_SetThreadContext:
push p_packheader.base_kernel32
call asm_getprocaddress
mov p_packheader.p_SetThreadContext,eax
//IsDebuggerPresent
call @s_Isdebuggerpresent
db 049h,073h,044h,065h,062h,075h,067h,067h,065h,072h,050h,072h,065h,073h,065h,06Eh,074h,0h
@s_Isdebuggerpresent:
push p_packheader.base_kernel32
call asm_getprocaddress
mov p_packheader.p_Isdebuggerpresent,eax
//CreateThread
call @s_CreateThread
db 043h,072h,065h,061h,074h,065h,054h,068h,072h,065h,061h,064h,0h
@s_CreateThread:
push p_packheader.base_kernel32
call asm_getprocaddress
mov p_packheader.p_CreateThread,eax
//WaitForSingleObject
call @s_WaitForSingleObject
db 057h,061h,069h,074h,046h,06Fh,072h,053h,069h,06Eh,067h,06Ch,065h,04Fh,062h,06Ah,065h,063h,074h,0h
@s_WaitForSingleObject:
push p_packheader.base_kernel32
call asm_getprocaddress
mov p_packheader.p_WaitForSingleObject,eax
//ExitThread
call @s_ExitThread
db 045h,078h,069h,074h,054h,068h,072h,065h,061h,064h,0h
@s_ExitThread:
push p_packheader.base_kernel32
call asm_getprocaddress
mov p_packheader.p_ExitThread,eax
end;
// Data section RVA -> absolute address.
p_packheader.adr_datasec := _PENH.OptionalHeader.BaseOfData + p_packheader.imagebase;
// Scratch "link room" for the stub: $3000 bytes, read/write only (no execute).
asm_VirtualAlloc := pointer(p_packheader.p_VirtualAlloc);
p_packheader.linkroom := cardinal(asm_virtualalloc(nil,$3000,MEM_COMMIT,PAGE_READWRITE));
// Publish the filled-in header in the page allocated above (result unchecked).
movmem(cardinal(@p_packheader),pointer(result),sizeof(p_packheader));
end;
// Assemble the runtime "room" for the packer stub and unpack the main stub
// code into it.
// m_info: address of the tpackheader0 produced by Getandsaveinfo; it is read,
//         updated with p_movmem, and written back in place.
// Returns: address of the unpacked stub (p_roomheader.baseofcode).
// Layout written into p_packheader.linkroom:
//   linkroom                              Troomheader with Sign = $5A4D,
//                                         presumably so a page-by-page scan
//                                         for that signature can locate it
//   GetRoomBase = linkroom + sizeof(Troomheader)
//   GetRoomBase + len(GetRoomBase code)   copy of movmem (recorded as p_movmem)
//   baseofcode                            decompressed main stub (p_main)
// NOTE(review): p_movmem is placed at GetRoomBase + (CodeEnd_GetRoomBase -
// CodeStart_GetRoomBase), but baseofcode is computed as GetRoomBase +
// sizeof(p_roomheader) + len(movmem). Unless sizeof(Troomheader) equals the
// length of the GetRoomBase code, the movmem copy and the unpacked stub
// either overlap or leave a gap — confirm which is intended.
// NOTE(review): the GetRoomBase code itself is not copied here; presumably
// that happens elsewhere. The room was allocated PAGE_READWRITE (see
// Getandsaveinfo), so baseofcode is not executable until its protection is
// changed.
// SECURITY NOTE(review): Depack_shell takes no output bound; the room is
// $3000 bytes and nothing checks that p_main decompresses to fit inside it.
function linkpackercode(m_info:DWORD):DWORD;assembler;
var
p_packheader:tpackheader0;            // working copy of the header at m_info
p_packdata:tdatasecheader;            // header of the packed data section
p_roomheader:Troomheader;             // header written at the start of the room
begin
movmem(m_info,@p_packheader,sizeof(p_packheader));
movmem(p_packheader.adr_datasec,@p_packdata,sizeof(p_packdata));
p_roomheader.Sign := $5A4D;
p_roomheader.dataroom := m_info;
p_roomheader.GetRoomBase := p_packheader.linkroom+sizeof(p_roomheader);
// Copy the movmem routine behind the GetRoomBase code and remember where it went.
movmem(Codestart_movmem,pointer(p_roomheader.GetRoombase + Codeend_GetRoomBase()-CodeStart_GetRoomBase()),Codeend_movmem()-CodeStart_movMem());
p_packheader.p_movmem := p_roomheader.GetRoombase + Codeend_GetRoomBase()-CodeStart_GetRoomBase();
// Stub code goes after the header plus the movmem copy (see header note on the offsets).
p_roomheader.baseofcode := p_roomheader.GetRoomBase +sizeof(p_roomheader) +Codeend_movmem()-CodeStart_movMem();
movmem(cardinal(@p_roomheader),pointer(p_packheader.linkroom),sizeof(p_roomheader));
// Write the updated header (now carrying p_movmem) back to the caller's copy.
movmem(cardinal(@p_packheader),pointer(m_info),sizeof(p_packheader));
// Decompress the main stub from the data section into the room (unbounded).
depack_shell(pointer(p_packheader.adr_datasec+p_packdata.packfunctions.p_main),pointer(p_roomheader.baseofcode));
result := p_roomheader.baseofcode;
end;
// Decompress a packed stream. The bit-stream format (tag bits read MSB-first
// through dl, gamma-coded offsets and lengths, a "last offset" repeat kept in
// ebp, one-byte short matches, 4-bit-offset single-byte matches) is the
// aPLib-style layout; treated as such here, not verified against a reference.
// src:  packed bytes; reading only stops at the end-of-stream code.
// dest: output buffer.
// Returns: number of bytes written to dest (eax).
// SECURITY NOTE(review): neither input nor output is bounded. There is no
// dest-size parameter, `rep movsb`/`stosb`/`movsb` write whatever the stream
// requests, and back-reference sources (edi - offset) are never checked to
// lie inside dest. A corrupt or hostile packed blob can read and write
// outside both buffers; only feed trusted data sized for the destination.
function Depack_shell(src,dest:pointer):DWORD;stdcall;
asm
push dest                         // re-push the arguments C-style for @depack
push src
call @depack
add esp,8
jmp @_final                       // eax already holds the unpacked length
@depack:
pushad                            // saved-eax slot [esp+28] carries the result out
mov esi, [esp + 36]               // src  (8 saved regs + return address)
mov edi, [esp + 40]               // dest
cld
mov dl, 80h                       // tag register: lone sentinel bit = fetch a new tag byte
xor ebx, ebx                      // ebx = 2 after a literal, 1 after a match (codepair special case)
@literal:
movsb                             // copy one literal byte
mov bl, 2
@nexttag:
call @getbit
jnc @literal                      // 0   -> literal
xor ecx, ecx
call @getbit
jnc @codepair                     // 10  -> gamma-coded offset/length pair
xor eax, eax
call @getbit
jnc @shortmatch                   // 110 -> one-byte short match
mov bl, 2                         // 111 -> 4-bit offset, single byte
inc ecx
mov al, 10h
@getmorebits:
call @getbit
adc al, al
jnc @getmorebits                  // shift in 4 bits until the sentinel falls out
jnz @domatch                      // non-zero offset: copy 1 byte from edi-eax
stosb                             // offset 0: emit a zero byte
jmp @nexttag
@codepair:
call @getgamma_no_ecx
sub ecx, ebx
jnz @normalcodepair
call @getgamma                    // reuse the last offset, new gamma length
jmp @domatch_lastpos
@shortmatch:
lodsb
shr eax, 1                        // 7-bit offset
jz @donedepacking                 // byte 0 = end-of-stream marker
adc ecx, ecx                      // length = 2 + low bit
jmp @domatch_with_2inc
@normalcodepair:
xchg eax, ecx
dec eax
shl eax, 8
lodsb                             // offset = (gamma-1)<<8 | next byte
call @getgamma                    // base length
cmp eax, 32000                    // larger offsets imply larger minimum lengths
jae @domatch_with_2inc
cmp ah, 5
jae @domatch_with_inc
cmp eax, 7fh
ja @domatch_new_lastpos
@domatch_with_2inc:
inc ecx
@domatch_with_inc:
inc ecx
@domatch_new_lastpos:
xchg eax, ebp                     // ebp := new last offset
@domatch_lastpos:
mov eax, ebp
mov bl, 1
@domatch:
push esi
mov esi, edi
sub esi, eax                      // source = edi - offset (no bounds check)
rep movsb                         // copy ecx bytes (no bounds check)
pop esi
jmp @nexttag
@getbit:                          // CF := next tag bit, refilling dl from the stream
add dl, dl
jnz @stillbitsleft
mov dl, [esi]
inc esi
adc dl, dl                        // shift in the sentinel 1 below the new bits
@stillbitsleft:
ret
@getgamma:                        // ecx := gamma-coded value from the tag bits
xor ecx, ecx
@getgamma_no_ecx:
inc ecx
@getgammaloop:
call @getbit
adc ecx, ecx
call @getbit
jc @getgammaloop
ret
@donedepacking:
sub edi, [esp + 40]               // written length = edi - dest
mov [esp + 28], edi               // return unpacked length in eax (via popad)
popad
ret
@_final:
end;
// Marker routine: returns the address of its own first byte (5-byte call,
// pop the pushed return address, subtract the call's length). Presumably
// marks the end of the preceding Depack_shell code; this only holds if the
// compiler emits no prologue before the call and keeps the two routines
// adjacent in memory.
function CodeEnd_Packer():DWORD;
asm
Call @CodeEnd                     // pushes address of @CodeEnd
@CodeEnd:
pop eax                           // eax = address of @CodeEnd
sub eax,5                         // back over the call = this routine's start
end;
// Marker routine: returns the address just past its own last byte.
// The pushed return address is @CodeStart; `pop eax` (1 byte), `add eax,5`
// (3 bytes) and the compiler's trailing `ret` (1 byte) are the 5 bytes that
// follow it, so the result is the first byte after this routine — presumably
// where the code that is laid out right behind it begins. Depends on the
// compiler appending a bare `ret` and placing the routines adjacently.
function CodeStart_packer_main():DWORD;
asm
call @CodeStart                   // pushes address of @CodeStart
@CodeStart:
pop eax                           // eax = address of @CodeStart
add eax,5                         // skip pop/add/ret = first byte after this routine
end;
// Entry trampoline: hands the caller's frame and stack pointers to
// Packer_main(dw_esp, dw_ebp). Packer_main is stdcall, so arguments are pushed
// right to left: ebp first (dw_ebp), then esp (dw_esp). Note the esp value
// pushed is already 4 below the entry value because ebp was pushed first.
// Packer_main removes both arguments itself; no ret is written here, the
// compiler-generated return after `end` is relied on.
procedure Packer_main_init();
asm
push ebp                          // dw_ebp
push esp                          // dw_esp (entry esp - 4)
call Packer_main
end;
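// Fill size bytes starting at Dest with the low byte of char.
// Dest: address of the first byte to write (passed as cardinal, not a pointer).
// size: number of bytes; 0 writes nothing.
// char: fill value; only its low 8 bits are used.
// Fixed: the previous loop wrote [edi+esi] for esi = size..1, so it skipped
// Dest[0] and wrote one byte past the end at Dest[size].
// All registers are preserved (pushad/popad); DF is left clear.
procedure asm_FillChar(Dest:cardinal;size:cardinal;char:cardinal);assembler;
asm
  pushad
  mov edi,Dest                    // destination cursor for stosb
  mov ebx,char                    // park the value before ecx is reused for the count
  mov ecx,size                    // byte count
  mov eax,ebx
  cld                             // stosb must advance upward
  rep stosb                       // Dest[0..size-1] := al
  popad
end;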
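// Locate the base of the PE image this code is executing from, without using
// any import: take the current eip, round it down to a 4 KiB page, and walk
// downward one page at a time until a page starts with an 'MZ' DOS header
// whose e_lfanew points at a 'PE\0\0' signature inside that same page.
// Returns: the image base, or 0 if the walk reaches address 0 with no match.
// Previously the walk never stopped (it wrapped below 0 and faulted) and any
// page starting with the two bytes 'MZ' was accepted without checking the NT
// signature. e_lfanew values that would put the NT signature outside the
// first page are treated as a false hit; headers that large are not expected.
// Clobbers: ecx (caller-saved). Written position independent (call/pop, no
// absolute references) like the other stub pieces in this file.
function asm_GetImageBase():cardinal;stdcall;assembler;
asm
  Call @p_next
@p_next:
  pop eax                         // eax = address of @p_next (current eip)
  and eax,$FFFFF000               // round down to the containing page
@check:
  cmp word ptr [eax],$5A4D        // IMAGE_DOS_SIGNATURE 'MZ'
  jnz @findhead
  mov ecx,dword ptr [eax+$3C]     // IMAGE_DOS_HEADER.e_lfanew
  cmp ecx,$FFC                    // NT signature must fit inside this page,
  ja @findhead                    // otherwise treat the 'MZ' as a false hit
  cmp dword ptr [eax+ecx],$00004550   // IMAGE_NT_SIGNATURE 'PE\0\0'
  jz @_final
@findhead:
  sub eax,$1000                   // previous page
  jnc @check                      // carry: walked below address 0
  xor eax,eax                     // not found: report 0 instead of faulting
@_final:
end;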
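// Map a SPECIAL_* emulation selector to the start address of the matching
// emulated API stub.
// dwType: one of the SPECIAL_* selectors.
// Returns: the stub's start address, or 0 for a selector this build does not
// emulate (previously Result was left uninitialised for unknown values, so
// callers received whatever was in eax).
function linkemulfunctions(dwType:DWORD):DWORD;stdcall;
begin
  case dwType of
    SPECIAL_MESSAGEBOXA:
      result := CodeStart_emul_MessageBoxA;
    SPECIAL_MESSAGEBOXW:
      result := CodeStart_emul_MessageBoxW;
    SPECIAL_CREATEFILEA:
      result := Codestart_emul_CreatefileA;
    SPECIAL_CREATEFILEW:
      result := Codestart_emul_CreateFileW;
  else
    result := 0;  // callers must treat 0 as "no emulation available"
  end;
end;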
// Byte-wise equality test of two NUL-terminated ANSI strings.
// Returns True only when every byte matches up to and including the
// terminator; unlike C strcmp it gives no ordering, just equal/not equal.
// Neither argument is checked for nil. All registers are preserved.
function asm_strcmp(oper1,oper2:pansichar):boolean;stdcall;assembler;
asm
  pushad
  mov esi,oper1
  mov edi,oper2
  cld
@compare:
  lodsb                           // al := oper1[i]; esi++
  scasb                           // compare al with oper2[i]; edi++
  jne @differ
  test al,al                      // bytes matched; was it the terminator?
  jnz @compare
  mov result,true                 // both strings ended together
  jmp @leave
@differ:
  mov result,false
@leave:
  popad
end;
// Marker routine: returns the address just past its own last byte (pop = 1
// byte, add eax,5 = 3 bytes, trailing ret = 1 byte). Presumably marks where
// the routine laid out directly behind it begins; depends on the compiler
// appending a bare `ret` and keeping the routines adjacent.
function CodeStart_packer_main2():DWORD;
asm
call @CodeStart                   // pushes address of @CodeStart
@CodeStart:
pop eax                           // eax = address of @CodeStart
add eax,5                         // skip pop/add/ret = first byte after this routine
end;
function Packer_main(dw_esp,dw_ebp:cardinal):DWORD; stdcall;
var
p_packheader:tpackheader0;
p_packdata:tdatasecheader;
p_roomheader:Troomheader;
p_section : TImageSectionHeader;
t_size : DWORD;
asm_movmem :procedure (src:cardinal;dest:pointer;size:cardinal);stdcall;
asm_VirtualAlloc : function (lpvAddress: Pointer; dwSize,flAllocationType, flProtect: DWORD): Pointer; stdcall;
asm_virtualfree : function (lpAddress: Pointer; dwSize,dwFreeType: DWORD):BOOL; stdcall;
asm_LoadlibraryA : function (lpLibFileName: PAnsiChar): Cardinal;stdcall;
asm_GetProcAddress :function (hModule: HMODULE; lpProcName:LPCSTR): Cardinal; stdcall;
asm_GetModuleHandleA:function (lpModuleName: PAnsiChar):Cardinal; stdcall;
asm_VirtualProtect : function (lpAddress: Pointer; dwSize, flNewProtect:
DWORD;var OldProtect: DWORD): BOOL; stdcall;
asm_Messagebox:function (hWnd: HWND; lpText, lpCaption: PAnsiChar;uType:
UINT): Integer; stdcall;
// asm_CreateProcessA:function (lpApplicationName: PAnsiChar; lpCommandLine: PAnsiChar;
// lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
// bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
// lpCurrentDirectory: PAnsiChar; const lpStartupInfo: TStartupInfoA;
// var lpProcessInformation: TProcessInformation): BOOL; stdcall;
// asm_GetCommandLineA:function (): PAnsiChar; stdcall;
i : Cardinal;
p_IatWorkMem : Pointer;
p_import:T_AImport;
p_IatWorkProc:Cardinal;
pp_IatMem : cardinal;
base_adr : cardinal;
p_DLLName : pansichar;
hModule : cardinal;
t_Length:cardinal;
t_saveiat : cardinal;
t_address : cardinal;
v_imagebase : DWORD;
t_importbase:DWORD;
t_funbase:DWORD;
t_hmodule:DWORD;
//重组res使用
p_resworkmem : pointer;
p_resstoremem:pointer;
p_resmydir:Tmyresdir;
//anti 使用的
_PEDH:windows.TImageDosHeader;