xor byte ptr [eax],bl
popfd
inc eax //0字节算上
sub eax,ecx
pop ecx
pop ebx
end;
procedure ClearnStr(src:pansichar);stdcall;
// Zero every byte of the NUL-terminated buffer at src, in place, stopping at
// the first #0 (an embedded NUL therefore ends the wipe early; the terminator
// itself is left as it is). eax, ebx and the flags are saved and restored, so
// the caller sees no register change.
asm
push eax
push ebx
pushfd
mov eax,src                // eax = p
jmp @_test                 // enter the loop at its condition
@_wipe:
mov byte ptr [eax],0       // *p = 0
inc eax                    // p++ (flag change is undone by popfd)
@_test:
cmp byte ptr [eax],0       // stop at the terminator
jnz @_wipe
popfd
pop ebx
pop eax
end;
procedure DropStr(src:pansichar);stdcall;
// XOR every byte of the NUL-terminated buffer at src with the key byte in cl,
// in place, stopping at the first #0. A data byte equal to the key becomes 0,
// which truncates the string for whoever walks it afterwards.
// NOTE(review): nothing here loads ecx — the key must already be in cl when
// this is called, and the routine does not document who sets it. ebx is
// pushed but never used; eax and the flags are restored on exit.
asm
push eax
push ebx
pushfd
mov eax,src                // eax = p
@_next:
cmp byte ptr [eax],0       // stop at the terminator
jz @_final
xor byte ptr [eax],cl      // *p ^= key
add eax,1                  // p++
jmp @_next
@_final:
popfd
pop ebx
pop eax
end;
procedure packer_Movmem(src:cardinal;dest:pointer;size:cardinal);stdcall;assembler;
// Copy size bytes from address src to dest, front to back (plain memcpy; no
// overlap handling). Every general-purpose register is saved and restored
// around the copy. No cld is issued: DF is assumed clear on entry, as the
// Win32 calling conventions require.
asm
pushad
mov esi,src                // esi = source
mov edi,dest               // edi = destination
mov ecx,size               // ecx = byte count
rep movsb                  // while (ecx--) *edi++ = *esi++
popad
end;
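function LinkEmulApi(dwtype:DWORD):DWORD;
// Resolve, once, the Win32 entry points the emulated imports forward to, and
// return the one selected by dwtype.
//
// The resolved addresses live in the Troomheader record stored at
// asm_GetImageBase. When room.emul_linked is false the routine reads a
// Tpackheader0 from room.dataroom, loads user32.dll through the LoadLibraryA
// pointer recorded there, looks up MessageBoxA/W (user32) and CreateFileA/W
// (kernel32, base taken from the header) with the recorded GetProcAddress,
// and writes the filled-in record back. Import names are pushed onto the
// stack as little-endian dwords so that no string literal is needed.
//
// Returns: the address for dwtype, or 0 when dwtype is not one of the four
// SPECIAL_* values handled here (the original left Result unassigned).
// NOTE(review): SPECIAL_MSGBOXINXA, requested by emul_MsgBox, is neither
// resolved nor returned here.
var
room:Troomheader;
data:Tpackheader0;
asm_GetProcAddress :function (hModule: HMODULE; lpProcName:LPCSTR): Cardinal; stdcall;
begin
packer_movmem(asm_GetImageBase,@room,sizeof(room));
if not room.emul_linked then
begin
packer_movmem(room.dataroom,@data,sizeof(data));
asm_GetProcAddress := pointer(data.p_GetProcAddress);
room.Module_Kernel32 := data.base_Kernel32;
asm
pushad
push 00006C6Ch //user32.dll, pushed as "user" "32.d" "ll\0\0"
push 642E3233h
push 72657375h
push esp                   // lpLibFileName = address of the string on the stack
call data.p_LoadLibraryA   // stdcall: callee pops its argument
add esp,0Ch                // drop the 12 string bytes
mov room.Module_user32,eax
push 0041786Fh             //MessageBoxA
push 42656761h
push 7373654Dh
push esp                   // lpProcName
push eax                   // hModule = user32
call asm_GetProcAddress
add esp,0Ch
mov room.emul_messageboxA,eax
mov eax,room.Module_user32
push 0057786Fh             //MessageBoxW
push 42656761h
push 7373654Dh
push esp
push eax
call asm_GetProcAddress
add esp,0Ch
mov room.emul_messageboxW,eax
//kernel32.dll
push 0041656Ch //CreateFileA
push 69466574h
push 61657243h
push esp
mov eax,room.module_kernel32
push eax
call asm_getprocaddress
add esp,0Ch
mov room.emul_createfileA,eax
push 0057656Ch //CreateFileW
push 69466574h
push 61657243h
push esp
mov eax,room.module_kernel32
push eax
call asm_getprocaddress
add esp,0Ch
mov room.emul_createfileW,eax
popad
end;
// Mark the record as linked BEFORE it is persisted: the original set the flag
// on the local copy only after the write-back, so the stored flag never became
// true and every call re-ran the whole resolution.
room.emul_linked := true;
packer_movmem(cardinal(@room),pointer(asm_GetImageBase),sizeof(room));
end;
case dwType of
SPECIAL_MESSAGEBOXA:
result := room.emul_messageboxA;
SPECIAL_MESSAGEBOXW:
result := room.emul_messageboxW;
SPECIAL_CREATEFILEA:
result := room.emul_CreateFileA;
SPECIAL_CREATEFILEW:
result := room.emul_CreateFileW;
else
result := 0;               // unknown selector: explicit failure instead of garbage
end;
end;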
function CodeStart_emul_CreateFileA():DWORD;
// Return the code address just past this routine's own RET.
// `call @CodeStart` pushes the address of @CodeStart, `pop eax` recovers it,
// and `add eax,5` skips the remaining bytes (pop eax = 1, add eax,5 = 3,
// ret = 1). Presumably that is the first byte of emul_CreateFileA, which
// follows in source order — this relies on contiguous placement and on the
// compiler adding no prologue/epilogue here; verify in the linked image.
asm
call @CodeStart
@CodeStart:
pop eax                    // eax = @CodeStart
add eax,5                  // eax = address after the trailing ret
end;
function emul_CreateFileA(lpFileName: PAnsiChar; dwDesiredAccess, dwShareMode: DWORD;
lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD;
hTemplateFile: THandle): THandle; stdcall;
// Emulated import for kernel32!CreateFileA: resolves the real entry point via
// LinkEmulApi(SPECIAL_CREATEFILEA) on every call and forwards all seven
// arguments unchanged. The resolved pointer is not validated here.
var
pfnCreateFileA:function (lpFileName: PAnsiChar; dwDesiredAccess, dwShareMode: DWORD;
lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD;
hTemplateFile: THandle): THandle; stdcall;
begin
pfnCreateFileA := pointer(LinkEmulApi(SPECIAL_CREATEFILEA));
result := pfnCreateFileA(lpFileName, dwDesiredAccess, dwShareMode,
lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes,
hTemplateFile);
end;
function CodeStart_emul_CreateFileW():DWORD;
// Return the code address just past this routine's own RET (see the
// CreateFileA variant for the byte arithmetic). Presumably the start of
// Emul_CreateFileW, which follows in source order — relies on contiguous
// placement and no compiler-generated prologue; verify in the linked image.
asm
call @CodeStart
@CodeStart:
pop eax                    // eax = @CodeStart
add eax,5                  // eax = address after the trailing ret
end;
function Emul_CreateFileW(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD;
lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD;
hTemplateFile: THandle): THandle; stdcall;
// Emulated import for kernel32!CreateFileW: resolves the real entry point via
// LinkEmulApi(SPECIAL_CREATEFILEW) on every call and forwards all seven
// arguments unchanged. The resolved pointer is not validated here.
var
pfnCreateFileW:function (lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD;
lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD;
hTemplateFile: THandle): THandle; stdcall;
begin
pfnCreateFileW := pointer(LinkEmulApi(SPECIAL_CREATEFILEW));
result := pfnCreateFileW(lpFileName, dwDesiredAccess, dwShareMode,
lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes,
hTemplateFile);
end;
function CodeStart_emul_MessageBoxA():DWORD;
// Return the code address just past this routine's own RET (pop eax = 1,
// add eax,5 = 3, ret = 1 byte after @CodeStart). Presumably the start of
// emul_MessageBoxA, which follows in source order — relies on contiguous
// placement and no compiler-generated prologue; verify in the linked image.
asm
call @CodeStart
@CodeStart:
pop eax                    // eax = @CodeStart
add eax,5                  // eax = address after the trailing ret
end;
function emul_MessageBoxA(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
// Emulated import for user32!MessageBoxA: looks the real entry point up via
// LinkEmulApi(SPECIAL_MESSAGEBOXA) on each call and forwards the arguments
// as they are. The resolved pointer is not validated here.
var
pfnMessageBoxA:function (hWnd: DWORD; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
begin
pfnMessageBoxA := pointer(LinkEmulApi(SPECIAL_MESSAGEBOXA));
result := pfnMessageBoxA(hWnd, lpText, lpCaption, uType);
end;
function CodeStart_emul_MessageBoxW():DWORD;
// Return the code address just past this routine's own RET (pop eax = 1,
// add eax,5 = 3, ret = 1 byte after @CodeStart). Presumably the start of
// emul_MessageBoxW, which follows in source order — relies on contiguous
// placement and no compiler-generated prologue; verify in the linked image.
asm
call @CodeStart
@CodeStart:
pop eax                    // eax = @CodeStart
add eax,5                  // eax = address after the trailing ret
end;
function emul_MessageBoxW(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
// Emulated import for user32!MessageBoxW: looks the real entry point up via
// LinkEmulApi(SPECIAL_MESSAGEBOXW) on each call and forwards the arguments
// as they are. lpText/lpCaption are declared PAnsiChar although the W entry
// point expects wide strings; the pointers pass through untouched, so callers
// must already hand over UTF-16 buffers. The resolved pointer is not validated.
var
pfnMessageBoxW:function (hWnd: DWORD; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
begin
pfnMessageBoxW := pointer(LinkEmulApi(SPECIAL_MESSAGEBOXW));
result := pfnMessageBoxW(hWnd, lpText, lpCaption, uType);
end;
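function emul_MsgBox(hWnd:HWND;lText,lCaption:PChar;lStyle:DWord;Icon:Integer):Integer;
// Show a message box with a custom icon resource through
// user32!MessageBoxIndirectA, resolved via LinkEmulApi(SPECIAL_MSGBOXINXA).
// Params: hWnd owner window; lText/lCaption ANSI strings; lStyle MB_* flags;
//   Icon resource id looked up in this module (hinstance) via MakeIntResource.
// Returns: the button id reported by MessageBoxIndirectA, or 0 when no entry
//   point was resolved (0 is also MessageBox's own failure value).
// NOTE(review): LinkEmulApi's case statement only handles
//   SPECIAL_MESSAGEBOXA/W and SPECIAL_CREATEFILEA/W; it has no arm for
//   SPECIAL_MSGBOXINXA, so confirm the wiring before relying on this function.
var
Msg:TMsgBoxParams;
asm_MessageBoxIndirectA :function (const MsgBoxParams: TMsgBoxParamsA): BOOL;stdcall;
begin
asm_MessageBoxIndirectA := pointer(LinkEmulApi(SPECIAL_MSGBOXINXA));
if not Assigned(asm_MessageBoxIndirectA) then
begin
// Nothing to call: fail the way MessageBox does instead of jumping to nil.
Result := 0;
Exit;
end;
Msg.cbSize:=Sizeof(Msg);
Msg.hwndOwner:=hWnd;
Msg.hInstance:=hinstance;          // module that owns the icon resource
Msg.lpszText:=lText;
Msg.lpszCaption:=lCaption;
Msg.dwStyle:=lStyle;
Msg.lpszIcon:=MakeIntResource(Icon);
Msg.dwContextHelpId:=1;
Msg.lpfnMsgBoxCallback:=nil;       // no help callback
Msg.dwLanguageId:=LANG_NEUTRAL;
Result:=integer(asm_MessageBoxIndirectA(Msg));
end;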
function Depack(src,dest:pointer):DWORD;stdcall;
// Decompress the LZ stream at src into dest and return the number of bytes
// written. The outer wrapper (push dest / push src / call @depack / add esp,8)
// adapts the inner routine, which takes its two arguments C-style on the
// stack and hands the output length back through pushad's saved-eax slot.
//
// Inner routine, register roles: esi = input, edi = output, dl = tag byte
// (seeded with 80h so the first @getbit refills it), ebp = offset of the
// previous match, bl = value subtracted from the next code-pair length
// (2 after a literal, 1 after a match), ecx/eax = length/offset being built.
// The shape — gamma-coded lengths read by @getgamma and the thresholds 32000,
// ah>=5 and 7fh — looks like the aPLib-style depacker; NOTE(review): the
// format is inferred from the code, the file does not name it.
//
// Neither side is bounded: there is no dest size and no src length, so dest
// must already be large enough for the fully expanded data and a malformed
// stream walks past both buffers. Only feed it data the packer produced.
asm
push dest
push src
call @depack
add esp,8                  // drop the two C-style arguments
jmp @_final                // eax = unpacked length
@depack:
pushad
mov esi, [esp + 36] // ; C calling convention: src above the 32 saved bytes + ret
mov edi, [esp + 40] // dest
cld
mov dl, 80h                // empty tag byte: first shift refills
xor ebx, ebx
@literal:
movsb                      // copy one literal byte
mov bl, 2
@nexttag:
call @getbit
jnc @literal               // 0 = literal
xor ecx, ecx
call @getbit
jnc @codepair              // 10 = code pair
xor eax, eax
call @getbit
jnc @shortmatch            // 110 = short match (one input byte)
mov bl, 2                  // 111 = single byte encoded in 4 bits
inc ecx
mov al, 10h
@getmorebits:
call @getbit
adc al, al                 // shift 4 bits into al; the 10h marker sets CF when done
jnc @getmorebits
jnz @domatch               // nonzero: treat as offset with length 1
stosb                      // zero byte
jmp @nexttag
@codepair:
call @getgamma_no_ecx
sub ecx, ebx               // gamma minus gap adjustment
jnz @normalcodepair
call @getgamma             // reuse previous offset (ebp), new length
jmp @domatch_lastpos
@shortmatch:
lodsb
shr eax, 1                 // low bit = length-2, rest = offset
jz @donedepacking          // offset 0 marks end of stream
adc ecx, ecx
jmp @domatch_with_2inc
@normalcodepair:
xchg eax, ecx
dec eax
shl eax, 8
lodsb                      // eax = full offset
call @getgamma             // ecx = length
cmp eax, 32000
jae @domatch_with_2inc     // long offsets get +2
cmp ah, 5
jae @domatch_with_inc      // medium offsets get +1
cmp eax, 7fh
ja @domatch_new_lastpos
@domatch_with_2inc:
inc ecx
@domatch_with_inc:
inc ecx
@domatch_new_lastpos:
xchg eax, ebp              // remember this offset
@domatch_lastpos:
mov eax, ebp
mov bl, 1
@domatch:
push esi
mov esi, edi
sub esi, eax               // copy ecx bytes from edi - offset (may overlap)
rep movsb
pop esi
jmp @nexttag
@getbit:
add dl, dl                 // next bit into CF
jnz @stillbitsleft
mov dl, [esi]              // refill from input
inc esi
adc dl, dl
@stillbitsleft:
ret
@getgamma:
xor ecx, ecx
@getgamma_no_ecx:
inc ecx
@getgammaloop:
call @getbit
adc ecx, ecx               // data bit
call @getbit
jc @getgammaloop           // continuation bit
ret
@donedepacking:
sub edi, [esp + 40]        // edi = bytes written
mov [esp + 28], edi // ; return unpacked length in eax (pushad's eax slot)
popad
ret
@_final:
end;
function CodeStart_IatWorkProc():DWORD;
// Return the code address just past this routine's own RET (pop eax = 1,
// add eax,5 = 3, ret = 1 byte after @CodeStart). Presumably the start of
// IatWorkProc, which follows in source order — relies on contiguous
// placement and no compiler-generated prologue; verify in the linked image.
asm
call @CodeStart
@CodeStart:
pop eax                    // eax = @CodeStart
add eax,5                  // eax = address after the trailing ret
end;
Function IatWorkProc():DWORD;stdcall;
// Reached by a CALL from an import thunk; decodes the real target and
// returns into it. After the two pushes, [esp+8] is that CALL's return
// address (assuming the compiler emits no frame for this parameterless
// routine). The return address is replaced by
//   dword[ret+22] XOR dword[ret-4]
// where ret-4 appears to be the CALL's own rel32 immediate and ret+22 a
// dword stored 22 bytes past the call site — NOTE(review): the thunk layout
// these offsets assume is not visible here; confirm against the emitter.
// The closing `ret` then transfers control to the decoded address, so this
// routine never returns to its caller in the usual sense.
asm
push eax
push ebx
mov eax,dword ptr [esp+8]      // eax = return address
mov eax,dword ptr [eax+22]     // eax = dword stored 22 bytes past it
mov ebx,dword ptr [esp+8]
sub ebx,4
mov ebx,dword ptr [ebx]        // ebx = dword just before the return address
xor eax,ebx                    // decoded target
mov dword ptr [esp+8],eax      // overwrite the return address
pop ebx
pop eax
end;
//------------------------------------------------------------------------------
// vmachine-shell 1.0
//------------------------------------------------------------------------------
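function Shell_vmachine_esp(dw_esp:dword):DWORD;stdcall;
// Get/set accessor for a 32-bit slot embedded in this routine's own code
// (the DB 0,0,0,0 right after the CALL). dw_esp <> 0 stores a new value;
// 0 only reads. Returns the slot's (possibly just updated) value.
//
// `call @p_value` pushes the address of the DB bytes and `pop eax` recovers
// it. The store writes into the code page, so that page must be writable at
// that moment (self-modifying code; not W^X safe). The scratch register is
// ecx: ebx is callee-preserved under Delphi's convention and the original
// clobbered it without saving.
asm
call @p_value
DB 0,0,0,0                 // the slot
@p_value:
pop eax                    // eax = @slot
mov ecx,dw_esp
test ecx,ecx
jz @final                  // 0 = read only
mov dword ptr [eax],ecx    // slot = dw_esp
@final:
mov eax,dword ptr [eax]    // Result = slot
end;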
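function Shell_vmachine_vesp(dw_esp:dword):DWORD;stdcall;
// Get/set accessor for a 32-bit slot embedded in this routine's own code
// (the DB 0,0,0,0 right after the CALL); a separate slot from the one in
// Shell_vmachine_esp. dw_esp <> 0 stores a new value; 0 only reads.
// Returns the slot's (possibly just updated) value.
//
// The store writes into the code page, which must therefore be writable at
// that moment (self-modifying code; not W^X safe). ecx is used as scratch
// because ebx is callee-preserved under Delphi's convention and the original
// clobbered it without saving.
asm
call @p_value
DB 0,0,0,0                 // the slot
@p_value:
pop eax                    // eax = @slot
mov ecx,dw_esp
test ecx,ecx
jz @final                  // 0 = read only
mov dword ptr [eax],ecx    // slot = dw_esp
@final:
mov eax,dword ptr [eax]    // Result = slot
end;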
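function Shell_vmachine_vebp(dw_ebp:dword):DWORD;stdcall;
// Get/set accessor for a 32-bit slot embedded in this routine's own code
// (the DB 0,0,0,0 right after the CALL). dw_ebp <> 0 stores a new value;
// 0 only reads. Returns the slot's (possibly just updated) value.
//
// The store writes into the code page, which must therefore be writable at
// that moment (self-modifying code; not W^X safe). ecx is used as scratch
// because ebx is callee-preserved under Delphi's convention and the original
// clobbered it without saving.
asm
call @p_value
DB 0,0,0,0                 // the slot
@p_value:
pop eax                    // eax = @slot
mov ecx,dw_ebp
test ecx,ecx
jz @final                  // 0 = read only
mov dword ptr [eax],ecx    // slot = dw_ebp
@final:
mov eax,dword ptr [eax]    // Result = slot
end;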
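function Shell_vmachine_ebp(dw_ebp:dword):DWORD;stdcall;
// Get/set accessor for a 32-bit slot embedded in this routine's own code
// (the DB 0,0,0,0 right after the CALL). dw_ebp <> 0 stores a new value;
// 0 only reads. Returns the slot's (possibly just updated) value.
//
// The store writes into the code page, which must therefore be writable at
// that moment (self-modifying code; not W^X safe). ecx is used as scratch
// because ebx is callee-preserved under Delphi's convention and the original
// clobbered it without saving.
asm
call @p_value
DB 0,0,0,0                 // the slot
@p_value:
pop eax                    // eax = @slot
mov ecx,dw_ebp
test ecx,ecx
jz @final                  // 0 = read only
mov dword ptr [eax],ecx    // slot = dw_ebp
@final:
mov eax,dword ptr [eax]    // Result = slot
end;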
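function shell_vmachine_init(p_virtualaloc:cardinal):DWORD;stdcall;
// Allocate the VM's private stack through the VirtualAlloc entry point given
// in p_virtualaloc and record its initial stack pointer via Shell_vmachine_esp.
// Params: p_virtualaloc — address of kernel32!VirtualAlloc, resolved by the
//   caller (this code imports nothing itself).
// Returns: the base of the committed region, or 0 when the allocation failed.
//   The original left Result unassigned and, on failure, would have recorded
//   $1000 as the stack pointer.
const
VM_STACK_BYTES = $2000;    // committed region: two pages, read/write
VM_ESP_OFFSET  = $1000;    // initial esp sits in the middle of the region
var
asm_VirtualAlloc : function (lpvAddress: Pointer; dwSize,flAllocationType,
flProtect: DWORD): DWORD; stdcall;
dw_vm_base:dword;
begin
asm_VirtualAlloc := pointer(p_virtualaloc);
dw_vm_base := asm_VirtualAlloc(nil,VM_STACK_BYTES,MEM_COMMIT,PAGE_READWRITE);
if dw_vm_base = 0 then
begin
Result := 0;               // no region: leave the esp slot untouched
Exit;
end;
Shell_vmachine_esp(dw_vm_base+VM_ESP_OFFSET);
Result := dw_vm_base;
end;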
procedure shell_vmachine_setvalue(p_src,p_dst:cardinal);stdcall;assembler;
// Store the 32-bit value p_src at address p_dst: *(dword*)p_dst = p_src.
// Despite its name, p_src is the value itself, not a pointer to it (the
// dereference is commented out in the original). eax is preserved.
asm
push eax
mov eax,p_dst              // eax = destination address
push p_src                 // the value goes via the stack...
pop dword ptr [eax]        // ...straight into *p_dst
pop eax
end;
function shell_vmachine_getvalue(p_src:cardinal):cardinal;stdcall;assembler;
// Read and return the dword at address p_src: Result = *(dword*)p_src.
// eax is saved and restored around the read, so the value cannot simply be
// left in eax; `mov result,eax` relies on the compiler keeping Result in a
// stack temporary that its epilogue loads into eax — NOTE(review): confirm
// in the generated code that the value really reaches eax after `pop eax`.
asm
push eax
mov eax,p_src              // eax = source address
mov eax,dword ptr [eax]    // eax = *p_src
mov result,eax             // Result := eax (see note above)
pop eax
end;
function shell_vmachine_RunCode(p_vmcode,dw_rebp,dw_resp,
dw_imagebase,dw_reip:cardinal):cardinal;stdcall;
var