SearchAddr += cmdsize;
//0700C0F6 |. 8B02 |mov eax,[edx]
Readmemory(&eax,edx,sizeof(DWORD),MM_RESTORE|MM_SILENT);
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}
SearchAddr += cmdsize;
//0700C0F8 |. 8B48 08 |mov ecx,[eax+8]
Readmemory(&ecx,eax+8,sizeof(DWORD),MM_RESTORE|MM_SILENT);
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}
SearchAddr += cmdsize;
//0700C0FB |. 8B40 0C |mov eax,[eax+C]
Readmemory(&eax,eax+0x0C,sizeof(DWORD),MM_RESTORE|MM_SILENT);
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}
SearchAddr += cmdsize;
//0700C0FE |> 3BC8 |/cmp ecx,eax
//0700C100 |. 74 19 ||je short 0700C11B
//0700C102 |. 8B39 ||mov edi,[ecx]
//0700C104 |. 8B7F 04 ||mov edi,[edi+4]
//0700C107 |. 81F7 58594A57 ||xor edi,574A5958
//0700C10D |. 83C7 05 ||add edi,5
//0700C110 >|. 3B7C24 0C ||cmp edi,[esp+C] ; Thunkを呼んで直後のcallのリターンアドレスと一致するまで繰り返し (loop until it matches the return address of the call right after the thunk call)
//0700C114 |. 74 0A ||je short 0700C120
//0700C116 |. 83C1 04 ||add ecx,4
//0700C119 |.^ EB E3 |\jmp short 0700C0FE
//0700C11B |> 83C2 04 |add edx,4
//0700C11E |.^ EB D2 \jmp short 0700C0F2
//0700C120 |> 8B01 mov eax,[ecx] ; 700C110の比較で一致した時のecxに本当のAPIのアドレスがある (when the compare at 700C110 matches, ecx points at the real API address)
//0700C122 |. EB 02 jmp short 0700C126
//0700C124 |> 33C0 xor eax,eax
//0700C126 |> 5F pop edi
//0700C127 |. 5E pop esi
//0700C128 \. C3 retn
while(ecx != eax) {
Readmemory(&edi,ecx,sizeof(DWORD),MM_RESTORE|MM_SILENT);
Readmemory(&edi,edi+4,sizeof(DWORD),MM_RESTORE|MM_SILENT);
edi ^= 0x574A5958;
edi += 5;
if(edi == RetBuf) {
if(SearchLog) {
Addtolist(ecx,0,"in Vbox API address search loop : edi:%08X RetBuf:%08X",edi,RetBuf);
Updatelist();
}
break;
}
ecx += 4;
}
Readmemory(&eax,ecx,sizeof(DWORD),MM_RESTORE|MM_SILENT);
Readmemory(&Address,eax,sizeof(DWORD),MM_RESTORE|MM_SILENT);
pmod = Findmodule(Address);
if(pmod) {
if((pdest = strrchr(pmod->path,'\\')) != NULL) {
pdest++;
wsprintf(DllName,"%s",pdest);
*Ordinal = GetApiNameOrdinal(Address,DllName,ApiName);
if(*Ordinal != 0xFFFF) {
if(SearchAnimation) {
Setcpu(0,Address,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
if(SearchLog) {
Addtolist(Address,0,"Found in %-12s --- Address:%08X Ordinal:%04X API name:%-25s",DllName,Address,*Ordinal,ApiName);
Updatelist();
}
goto ADDRESS_FOUND;
}
}
}
}
__except(1) {
Addtolist(SearchAddr,1,"Exception in searching Vbox's method");
}
VBOX_NOTFOUND:
// try to find PELock's disguised API address
__try {
if(SearchLog) {
Addtolist(0,0,"PELock and ASProtect search");
Updatelist();
}
Address = ApiAddress;
pmem = Findmemory(Address);
bcount = 0;
SearchAddr = Address;
while(bcount < MAX_BYTE_COUNT) {
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}
Readmemory(&r,SearchAddr,1,MM_RESTORE|MM_SILENT);
if(r == 0x68) {
PushBuf = dasm.immconst;
}
if(r == 0xC3) {
Address = PushBuf;
bcount -= 5;
break;
}
if(r == 0xE9) {
Address = dasm.jmpaddr;
break;
}
if(r == 0xEB) {
SearchAddr = dasm.jmpaddr;
continue;
}
SearchAddr += cmdsize;
bcount += cmdsize;
}
if(SearchAddr < pmem->base + pmem->size) {
Address -= bcount;
if(SearchAnimation) {
Setcpu(0,Address,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
pmod = Findmodule(Address);
if(pmod) {
if((pdest = strrchr(pmod->path,'\\')) != NULL) {
pdest++;
wsprintf(DllName,"%s",pdest);
*Ordinal = GetApiNameOrdinal(Address,DllName,ApiName);
if(*Ordinal != 0xFFFF) {
if(SearchLog) {
Addtolist(Address,0,"Found in %-12s --- Address:%08X Ordinal:%04X API name:%-25s",DllName,Address,*Ordinal,ApiName);
Updatelist();
}
goto ADDRESS_FOUND;
}
}
}
}
}
__except(1) {
Addtolist(SearchAddr,1,"Exception in searching PELock's method");
}
// try to find tElock0.96's disguised API address
__try {
if(SearchLog) {
Addtolist(0,0,"tElock 0.96 search");
}
Address = ApiAddress;
bcount = 0;
SearchAddr = Address;
while(bcount < MAX_BYTE_COUNT) {
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}
Readmemory(&r,SearchAddr,1,MM_RESTORE|MM_SILENT);
if(!stricmp(dasm.result,"stc")) {
SearchAddr += cmdsize;
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}
Readmemory(&r,SearchAddr,1,MM_RESTORE|MM_SILENT);
if(r == 0x72) {
SearchAddr = dasm.jmpaddr;
continue;
}
}
if(r == 0xEB || r == 0xE9 || r == 0x75 || r == 0x79) {
SearchAddr = dasm.jmpaddr;
continue;
}
if(r == 0xB8) {
Readmemory(&AddrBuf,SearchAddr+1,sizeof(DWORD),MM_RESTORE|MM_SILENT);
Readmemory(&Address,AddrBuf,sizeof(DWORD),MM_RESTORE|MM_SILENT);
pmod = Findmodule(Address);
if(pmod) {
if((pdest = strrchr(pmod->path,'\\')) != NULL) {
pdest++;
wsprintf(DllName,"%s",pdest);
*Ordinal = GetApiNameOrdinal(Address,DllName,ApiName);
if(*Ordinal != 0xFFFF) {
if(SearchLog) {
Addtolist(Address,0,"Found in %-12s --- Address:%08X Ordinal:%04X API name:%-25s",DllName,Address,*Ordinal,ApiName);
Updatelist();
}
goto ADDRESS_FOUND;
}
}
}
}
SearchAddr += cmdsize;
bcount += cmdsize;
}
}
__except(1) {
Addtolist(SearchAddr,1,"Exception in searching tElock0.96's method");
}
// try to find tElock0.98's disguised API address
__try {
if(SearchLog) {
Addtolist(0,0,"tElock 0.98 search");
Updatelist();
}
Address = ApiAddress;
bcount = 0;
SearchAddr = Address;
while(bcount < MAX_BYTE_COUNT) {
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
Readmemory(cmd,SearchAddr,MAXCMDSIZE,MM_RESTORE|MM_SILENT);
cmdsize = Disasm(cmd,MAXCMDSIZE,SearchAddr,NULL,&dasm,DISASM_ALL,NULL);
if(SearchLog) {
Addtolist(SearchAddr,0," %-16s %-30s",dasm.dump,dasm.result);
Updatelist();
}
Readmemory(&tElock,SearchAddr,sizeof(DWORD),MM_RESTORE|MM_SILENT);
Readmemory(&r,SearchAddr,1,MM_RESTORE|MM_SILENT);
if(tElock == 0xC330FF40) {
Readmemory(&AddrBuf,SearchAddr-4,sizeof(DWORD),MM_RESTORE|MM_SILENT);
AddrBuf++;
Readmemory(&Address,AddrBuf,sizeof(DWORD),MM_RESTORE|MM_SILENT);
if(SearchLog) {
Addtolist(SearchAddr-5,0,"found tElock 0.98 signature. API address is in %08X",AddrBuf);
Updatelist();
}
pmod = Findmodule(Address);
if(pmod) {
if((pdest = strrchr(pmod->path,'\\')) != NULL) {
pdest++;
wsprintf(DllName,"%s",pdest);
*Ordinal = GetApiNameOrdinal(Address,DllName,ApiName);
if(*Ordinal != 0xFFFF) {
if(SearchLog) {
Addtolist(Address,0,"Found in %-12s --- Address:%08X Ordinal:%04X API name:%-25s",DllName,Address,*Ordinal,ApiName);
Updatelist();
}
goto ADDRESS_FOUND;
}
}
}
}
if(r == 0xEB || r == 0xE9) {
SearchAddr = dasm.jmpaddr;
continue;
}
SearchAddr += cmdsize;
bcount += cmdsize;
}
}
__except(1) {
Addtolist(SearchAddr,1,"Exception in searching tElock0.98's method");
}
// ASProtect Special
__try {
if(SearchLog) {
Addtolist(0,0,"ASProtect Special search");
}
Address = ApiAddress;
bcount = 0;
SearchAddr = Address;
while(bcount < MAX_BYTE_COUNT) {
if(SearchAnimation) {
Setcpu(0,SearchAddr,0,0,CPU_ASMHIST|CPU_ASMCENTER|CPU_ASMFOCUS|CPU_REDRAW);
Sleep(AnimationWait);
}
Readmemory(&ASPR,SearchAddr,sizeof(DWORD),MM_RESTORE|MM_SILENT);
if(ASPR == 0x505207EB) {
if(SearchLog) {
Addtolist(SearchAddr,0,"found ASProtect Special signature");
Updatelist();
}
Readmemory(&AddrBuf,SearchAddr+5,sizeof(DWORD),MM_RESTORE|MM_SILENT);
AddrBuf += SearchAddr + 5 + 4;
Readmemory(&AddrBuf,AddrBuf+2,sizeof(DWORD),MM_RESTORE|MM_SILENT);
Readmemory(&Address,AddrBuf,sizeof(DWORD),MM_RESTORE|MM_SILENT);
pmod = Findmodule(Address);
if(pmod) {
if((pdest = strrchr(pmod->path,'\\')) != NULL) {
pdest++;
wsprintf(DllName,"%s",pdest);
*Ordinal = GetApiNameOrdinal(Address,DllName,ApiName);
if(*Ordinal != 0xFFFF) {
if(SearchLog) {
Addtolist(Address,0,"Found in %-12s --- Address:%08X Ordinal:%04X API name:%-25s",DllName,Address,*Ordinal,ApiName);
Updatelist();
}
goto ADDRESS_FOUND;
}