📄 unopix.asm
loop @b
;******************************************
loader_exe: ; exe loader
;******************************************
; Loader stub entry for EXE targets (32-bit x86, FASM syntax).
; The loader_rubbish_* runs are NOP ($90) placeholders. This file imports
; GenerateRubbishCode from MORPH.DLL, so they are presumably overwritten with
; generated junk code when a file is processed - TODO confirm against the
; packer side, which is not visible here.
loader_rubbish_14_133:
db 133 dup($90)
;---------- Ring3 antidebug ----------;
; Selects an NT system-service number by OS build and issues the service
; directly through int $2E instead of calling the ntdll export.
; Analyst notes:
;  - only builds 2195 and 2600 are handled; any other build jumps straight to
;    @_dbg_quit, so this check is inert there.
;  - a raw int $2E with a hard-coded service number inside image code (not
;    ntdll) is a useful triage/detection indicator.
mov eax,[fs:$30] ; eax = PEB
mov ecx,[eax+$0C] ; PEB+$0C (the PEB_LDR_DATA pointer on NT)
jecxz @_dbg_w9x ; zero => treated as Win9x, NT path skipped
add eax,$AC ; eax -> PEB+$AC, compared with build numbers below (presumably OSBuildNumber)
cmp word [eax],2195 ; Windows 2000
jne @_dbg_xp
mov eax,$FFFFFF38 ; service number stored complemented; `not eax` below yields $C7
jmp @_dbg_nt_common
@_dbg_xp:
cmp word [eax],2600 ; Windows XP
jne @_dbg_quit
mov eax,$FFFFFF1A ; service number stored complemented; `not eax` below yields $E5
;jmp @_dbg_nt_common
@_dbg_nt_common:
xor ecx,ecx
push ecx ; arg 4 = 0
push ecx ; arg 3 = 0
push 17 ; arg 2 = information class 17 (ThreadHideFromDebugger)
push -2 ; arg 1 = -2, the current-thread pseudo-handle
call @f ; pushes the address of the next line as a placeholder return slot
@@: add dword [esp],@f-@b ; adjust the slot so it points at the `add esp,$14` label below
not eax ; recover the real service number
lea edx,[esp+4] ; edx -> argument block, skipping the return slot
int $2E ; call ZwSetInformationThread
@@: add esp,$14 ; drop 4 arguments + return slot (5 dwords)
jmp @_dbg_quit
@_dbg_w9x:
; w9x antidebug
; (no Win9x code is present here; control falls through to @_dbg_quit)
@_dbg_quit:
;-------------------------------------;
; Resolve SetUnhandledExceptionFilter without using the import table:
; take an address from the stack, locate the module that contains it, then
; search that module's export directory by name. The anti-dump block that
; follows labels the resulting base as KERNEL32.DLL.
add esp,4 ; discard one dword; what was pushed there is not visible in this part of the file
mov eax,[esp] ; candidate address inside a system DLL (see range check)
cmp eax,$70000000
jl @_ldr_get_api_error ; NOTE(review): jl is a signed compare, so addresses >= $80000000 also take the error path
call loader_get_module_handle ; eax = module base, 0 if no PE header was found
cmp eax,$70000000
jl @_ldr_get_api_error
mov ebx,eax ; ebx = module base, reused later as the export-search base
call @f ; call-over-data: pushes the address of the string below
db 'SetUnhandledExceptionFilter',0
@@: pop eax ; eax -> function name
call loader_get_proc_address ; eax = function address (0 if the export directory is missing)
call @f
@@: pop edx ; edx = address of this label (position-independent base)
mov [edx+_SetUnhandledExceptionFilter-@b],eax ; cache the pointer in loader data
@_ldr_get_api_error:
; NOTE(review): on the error path neither ebx nor the cached pointer has been
; set by this block; later code checks the pointer for zero but uses ebx as is.
loader_rubbish_15_57:
db 57 dup($90)
;--------------------------------------;
loader_antidump_start:
; anti-dump protection
; Rewrites the first entry of the PEB loader list (InLoadOrderModuleList):
; DllBase is replaced with ebx and SizeOfImage is reduced by $10000, so tools
; that take the image base and size from this entry read wrong values.
; The start/end labels presumably let the packer include or strip this block
; according to the -d switch shown in the usage text - TODO confirm.
; Analyst note: when dumping, take base and size from the in-memory PE
; headers or the memory map rather than from the LDR entry.
; NOTE(review): ebx is only assigned on the success path of the API lookup
; above; if that lookup failed, DllBase receives whatever ebx held.
mov eax,[fs:$30] ; PEB
mov eax,[eax+$0C] ; PEB_LDR_DATA
mov eax,[eax+$0C] ; Ldr.InLoadOrderModuleList.Flink
lea ecx,[eax+$18] ; LDR_DATA_TABLE_ENTRY.DllBase
lea edx,[eax+$20] ; LDR_DATA_TABLE_ENTRY.SizeOfImage
mov [ecx],ebx ; fix ImageBase to KERNEL32.DLL ImageBase
sub dword [edx],$10000 ; fix SizeOfImage
loader_antidump_end:
;--------------------------------------;
; Exception-filter based debugger check.
; Installs the handler at the last-but-one @@ below as the top-level exception
; filter. The handler redirects execution to @_adbg_exit_1 and zeroes
; Dr0..Dr3 in the saved context (Dr7 is left untouched).
; Before calling the API, its first two bytes are tested for $CC (int3).
; Analyst note: the top-level filter is normally not invoked while a debugger
; is attached, so reaching @_adbg_exit_1 depends on the handler running.
loader_rubbish_16_87:
db 87 dup($90)
call @f
@@: pop edx ; edx = address of this label
mov eax,[edx+_SetUnhandledExceptionFilter-@b] ; eax = cached API pointer
xor edx,edx
or eax,eax
je @_adbg_exit_1 ; pointer was never resolved: skip the whole check
call @f ; push the address of the next line...
@@: add dword [esp],@f-@b ; ...and turn it into the handler address (argument for the API call)
cmp byte [eax],$CC ; breakpoint on the first byte of the API?
je loader_lol ; loader_lol is defined outside this part of the file
cmp byte [eax+1],$CC ; same test on the second byte
je loader_lol
call eax ; SetUnhandledExceptionFilter(handler)
;int 3
; NOTE(review): with `int 3` commented out, an exception is raised here only
; if the bytes substituted for the padding below raise one; otherwise control
; falls through into the handler body with no EXCEPTION_POINTERS argument on
; the stack - confirm against the generator.
loader_rubbish_17_63:
db 63 dup($90)
; ---- handler body: [esp+4] = pointer to EXCEPTION_POINTERS ----
@@: mov eax,[esp+4]
mov eax,[eax+EXCEPTION_POINTERS.ContextRecord] ; eax -> CONTEXT of the faulting thread
call @f
@@: pop edx
add edx,@_adbg_exit_1-@b ; edx = address of @_adbg_exit_1
mov [eax+CONTEXT.Eip],edx ; resume there
xor edx,edx
mov [eax+CONTEXT.Dr0],edx ; clear the four debug address registers
mov [eax+CONTEXT.Dr1],edx
mov [eax+CONTEXT.Dr2],edx
mov [eax+CONTEXT.Dr3],edx
xor eax,eax
dec eax ; eax = -1 (EXCEPTION_CONTINUE_EXECUTION)
retn 4 ; one stdcall argument
; Final stage: build the target address on the stack, derive the decryption
; key from a checksum of the loader code, decrypt the target buffer and
; return into it.
; The address is split into two patched immediates (push imm32 followed by
; add [esp],imm32), so it never appears as one constant in the file.
; The opcodes are emitted with db so the dd that follows is the operand the
; packer fills in.
@_adbg_exit_1:
db $68 ; push xxxxxxxx
loader_oep_part1:
dd ? ; oep address part 1
loader_rubbish_18_531:
db 531 dup($90)
db $81,$04,$24 ; add [esp],xxxxxxxx
loader_oep_part2:
dd ? ; oep address part 2
loader_rubbish_19_263:
db 263 dup($90)
mov eax,[esp] ; eax = part1 + part2 = buffer to decrypt (stays on the stack for the final retn)
call @f
@@: pop edx
add edx,loader_code_key_data1-@b ; edx -> 128-bit key for the OEP code
db $B9 ; mov ecx,xxxxxxxx
loader_ecx_oep:
dd ? ; patched immediate; used below as the byte count for TEA_DecryptECB
loader_rubbish_20_127:
db 127 dup($90)
; crc check - restore key
; Key dword 0 is not stored in final form: it is rebuilt as
; Adler32(loader_crypt_start .. loader_crypt_end_adler) xor key dword 2.
; Analyst note: any byte changed inside that range (software breakpoint,
; patch) changes the checksum, so the key is wrong and the decrypted buffer is
; garbage; observe this code without modifying the checksummed bytes.
push eax edx ecx
call @f
@@: pop eax
sub eax,@b-loader_crypt_start ; eax = loader_crypt_start (label defined outside this part of the file)
mov dword [edx],1 ; key dword 0 doubles as the Adler-32 state, seeded with 1
mov ecx,loader_crypt_end_adler-loader_crypt_start ; length of the checksummed range
call Adler32_Update ; [edx] = checksum of the loader code
mov eax,[edx+8] ; key dword 2
xor [edx],eax ; key dword 0 = checksum xor key dword 2
pop ecx edx eax ; restore buffer address, key pointer and size
; -----------------------
call TEA_DecryptECB ; decrypt ecx bytes at eax with the key at edx
retn ; pops the address built above: control passes to the decrypted buffer
;-------------------------------------------
loader_get_module_handle:
; Finds the base of the PE image that contains a given address by scanning
; downwards in 64 KB steps for an MZ header followed by a PE signature.
; ->EAX module address
; <-EAX module handle
;      (0 if no header is found within 6 steps)
; Clobbers ECX, EDX, flags.
; NOTE(review): memory is read with no exception guard; an unmapped 64 KB
; boundary below the address would fault here.
and eax,$FFFF0000 ; round down to a 64 KB boundary
mov ecx,6 ; at most 6 candidates are tested
@@: cmp word [eax],IMAGE_DOS_SIGNATURE
jne @_getbase_next
mov edx,[eax+IMAGE_DOS_HEADER._lfanew] ; offset of the NT headers
cmp dword [eax+edx],IMAGE_NT_SIGNATURE
je @_getbase_succ
@_getbase_next:
sub eax,$10000 ; step one 64 KB block down
loop @b
xor eax,eax ; not found
@_getbase_succ:
retn
;-------------------------------------------
loader_get_proc_address:
; Looks a function up by name in a module's export directory.
; ->EAX function name
; ->EBX module handle
; <-EAX function address
;      (0 if the export directory or one of its tables is missing)
; Preserves EBX, ESI, EDI; clobbers ECX, EDX, flags; clears DF.
; NOTE(review), all visible in the code below:
;  - only the first 8 bytes of the name are compared, so the first export
;    sharing that 8-byte prefix is accepted;
;  - the loop count is NumberOfFunctions, not NumberOfNames, and the address is
;    read from AddressOfFunctions at the same index as the name;
;    AddressOfNameOrdinals is never consulted;
;  - when no name matches, the loop simply runs out and the entry at the last
;    index is returned; the caller cannot tell this from a match.
push ebx edi esi eax ; saved eax (name pointer) ends up on top of the stack
mov esi,[ebx+IMAGE_DOS_HEADER._lfanew]
lea esi,[ebx+esi] ; esi -> NT headers
lea esi,[esi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectoryExport]
mov esi,[esi+IMAGE_DATA_DIRECTORY.VirtualAddress] ; RVA of the export directory
or esi,esi
je @_get_proc_addr_err
add esi,ebx ; esi -> IMAGE_EXPORT_DIRECTORY
mov eax,[esi+IMAGE_EXPORT_DIRECTORY.AddressOfNames]
or eax,eax
je @_get_proc_addr_err
mov edx,[esi+IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
or edx,edx
je @_get_proc_addr_err
mov ecx,[esi+IMAGE_EXPORT_DIRECTORY.NumberOfFunctions]
jecxz @_get_proc_addr_err
add eax,ebx ; eax -> table of name RVAs
add edx,ebx ; edx -> table of function RVAs
cld ; compare forwards
@@: push ecx ; save the outer loop counter
mov ecx,8 ; number of name bytes compared
mov edi,[eax]
add edi,ebx ; edi -> current export name
add eax,4 ; advance both tables in step
add edx,4
mov esi,[esp+4] ; esi -> wanted name (saved eax)
repe cmpsb ; ZF=1 if all 8 bytes matched
pop ecx ; pop leaves ZF intact
loopne @b ; stop on a match or when the count runs out
add esp,4 ; drop the saved name pointer
mov eax,[edx-4] ; function RVA at the index just visited
add eax,ebx ; RVA -> address
pop esi edi ebx
retn
@_get_proc_addr_err:
xor eax,eax
pop esi edi ebx
; NOTE(review): the saved name pointer pushed at entry is still on the stack
; here (4 pushes, 3 pops), so this retn does not return to the caller.
retn
;******************************************
loader_rubbish_21_77:
db 77 dup($90)
;******************************************
; Jump to a patched target address, with placeholder padding between every
; step. The target is loaded through a `mov eax,imm32` whose operand
; (loader_jmp_oep_unp_addr) is filled in by the packer.
; Before the jump the first target byte is inspected:
;  - $CC (int3): go to loader_lol (defined outside this part of the file);
;  - $55 (push ebp): the byte is overwritten with $90 (nop) in place, which
;    needs the target page to be writable. The purpose of dropping that
;    instruction is not visible here - TODO confirm.
loader_jmp_oep_unp:
loader_rubbish_oep1_33:
db 33 dup($90)
loader_rubbish_oep2_33:
db 33 dup($90)
loader_rubbish_oep3_33:
db 33 dup($90)
loader_rubbish_oep4_33:
db 33 dup($90)
loader_rubbish_oep5_33:
db 33 dup($90)
db $B8 ; mov eax,xxxxxxxx
loader_jmp_oep_unp_addr:
dd ? ; patched immediate: target address
loader_rubbish_oep6_33:
db 33 dup($90)
cmp byte [eax],$CC ; int3
je loader_lol
loader_rubbish_oep7_33:
db 33 dup($90)
cmp byte [eax],$55 ; push ebp
jne @f
mov byte [eax],$90 ; nop
loader_rubbish_oep8_33:
db 33 dup($90)
@@: jmp eax ; transfer control to the target
loader_rubbish_oep9_33:
db 33 dup($90)
;-------------------------------------------
Adler32_Update:
; Folds a buffer into a running Adler-32 value kept in memory.
; State layout in [EDX]: low 16 bits = sum A, high 16 bits = sum B.
; For each byte: A += byte, B += A, each reduced modulo $FFF1 (65521) with a
; single conditional subtraction.
; ->EAX - address of data buffer
; ->ECX - buffer size
; ->EDX - address of 32-bits update buffer
; <-[EDX] - updated checksum (B shl 16) + A
; Preserves EDX, ESI, EDI. On return EAX points past the last byte read and
; ECX is 0.
push edi esi edx
mov edi,[edx]
mov esi,edi
shr esi,16 ; esi = B (high half of the state)
shl edi,16
shr edi,16 ; edi = A (low half of the state)
xor edx,edx ; edx = 0 so dl can hold a zero-extended byte
jecxz @_adler32_end ; empty buffer: state is written back unchanged
@_adler32_loop:
mov dl,[eax]
add edi,edx ; A += byte
cmp edi,$FFF1
jl @f
sub edi,$FFF1 ; A mod 65521
@@: add esi,edi ; B += A
cmp esi,$FFF1
jl @f
sub esi,$FFF1 ; B mod 65521
@@: inc eax
loop @_adler32_loop
@_adler32_end:
pop edx ; edx = state pointer again
shl esi,16
add edi,esi ; recombine (B shl 16) + A
mov [edx],edi
pop esi edi
retn
loader_rubbish_23_117:
db 117 dup($90)
;-------------------------------------------
TEA_DecryptECB:
; Decrypts a buffer in place, one independent 8-byte block at a time (ECB).
; ->EAX - address of data buffer
; ->ECX - buffer size
; ->EDX - address of 128-bits key
; The size is divided by 8; up to 7 trailing bytes are left untouched.
; On return EAX points past the last decrypted block and ECX is 0.
; EBX, ESI and EDI are overwritten by TEA_DecryptBlock and not restored.
shr ecx,3 ; ecx = number of whole 8-byte blocks
jecxz @_ecb_decrypt_end
@_ecb_decrypt_loop:
call TEA_DecryptBlock
add eax,8
loop @_ecb_decrypt_loop
@_ecb_decrypt_end:
retn
loader_rubbish_24_233:
db 233 dup($90)
;-------------------------------------------
TEA_DecryptBlock:
; Decrypts one 64-bit block in place with a TEA-style 16-round routine.
; ->EAX - address of 64-bits block to decrypt
; ->EDX - address of 128-bits key
; Preserves EAX, ECX, EDX; overwrites EBX, ESI, EDI without saving them.
; Analyst notes (all read off the code below):
;  - both block words are byte-swapped on load and store (big-endian words);
;  - sum starts at $E3779B90 and drops by $9E3779B9 per round, 16 rounds;
;    each constant is assembled from two immediates with padding in between,
;    so neither 32-bit value appears contiguously in the file;
;  - the round is not the reference TEA round; per round it computes
;      v1 -= (v0 shl 4) + (v0 xor k[2]) + ((v0 shr 5) xor sum) + k[3]
;      v0 -= (v1 shl 4) + (v1 xor k[0]) + ((v1 shr 5) xor sum) + k[1]
;    so a stock TEA implementation will not reproduce its output.
push ecx edx eax
mov ebx,edx ; ebx -> key
mov edx,[eax]
bswap edx
mov edi,edx ; edi = v0
mov edx,[eax+4]
bswap edx
mov esi,edx ; esi = v1
mov edx,$E3770000 ; upper part of the initial sum
loader_rubbish_25_47:
db 47 dup($90)
add edx,$00009B90 ; edx = sum = $E3779B90
mov ecx,16 ; round count
@@: mov eax,edi
shl eax,4
sub esi,eax ; v1 -= v0 shl 4
mov eax,edi
xor eax,[ebx+8]
sub esi,eax ; v1 -= v0 xor k[2]
mov eax,edi
shr eax,5
xor eax,edx
sub esi,eax ; v1 -= (v0 shr 5) xor sum
sub esi,[ebx+12] ; v1 -= k[3]
mov eax,esi
shl eax,4
sub edi,eax ; v0 -= v1 shl 4
mov eax,esi
xor eax,[ebx]
sub edi,eax ; v0 -= v1 xor k[0]
mov eax,esi
shr eax,5
xor eax,edx
sub edi,eax ; v0 -= (v1 shr 5) xor sum
sub edi,[ebx+4] ; v0 -= k[1]
sub edx,$9E370000 ; sum -= $9E3779B9, done in two steps
loader_rubbish_26_57:
db 57 dup($90)
sub edx,$000079B9
loop @b
pop eax ; eax = block address again
mov edx,edi
bswap edx
mov [eax],edx ; store v0
mov edx,esi
bswap edx
mov [eax+4],edx ; store v1
pop edx ecx
loader_rubbish_27_137:
db 137 dup($90)
retn
;-------------------------------------------
; End of the range covered by the loader self-checksum
; (loader_crypt_start .. loader_crypt_end_adler). The keys below lie outside
; that range, so patching them does not change the checksum.
loader_crypt_end_adler:
loader_rubbish_22_33:
db 33 dup($90)
loader_code_key_data1: ; 128-bits key for OEP code decryption
dd ? ; dword 0 is rebuilt at run time as checksum xor dword 2
loader_code_key_data2:
dd ?
loader_code_key_data3:
dd ? ; dword 2, the xor mask for dword 0
loader_code_key_data4:
dd ?
_SetUnhandledExceptionFilter dd ? ; API pointer cached by the loader at run time
;-------------------------------------------
align 8 ; the block cipher works on 8-byte units
loader_crypt_end:
; End of the encrypted loader region. The key and the _2 routines that follow
; are presumably kept in clear so the region can be decrypted first - TODO
; confirm against the code before this part of the file.
loader_decrypt_key_data1: ; 128-bits key for loader code decryption
dd ?
loader_decrypt_key_data2:
dd ?
loader_decrypt_key_data3:
dd ?
loader_decrypt_key_data4:
dd ?
loader_rubbish_28_149:
db 149 dup($90)
;-------------------------------------------
Adler32_Update_2:
; Second copy of the Adler-32 update routine, placed after loader_crypt_end.
; Instruction for instruction the same as Adler32_Update apart from its labels.
; State layout in [EDX]: low 16 bits = sum A, high 16 bits = sum B.
; ->EAX - address of data buffer
; ->ECX - buffer size
; ->EDX - address of 32-bits update buffer
; <-[EDX] - updated checksum (B shl 16) + A
; Preserves EDX, ESI, EDI. On return EAX points past the last byte read and
; ECX is 0.
push edi esi edx
mov edi,[edx]
mov esi,edi
shr esi,16 ; esi = B (high half of the state)
shl edi,16
shr edi,16 ; edi = A (low half of the state)
xor edx,edx ; edx = 0 so dl can hold a zero-extended byte
jecxz @_adler32_end_2 ; empty buffer: state is written back unchanged
@_adler32_loop_2:
mov dl,[eax]
add edi,edx ; A += byte
cmp edi,$FFF1
jl @f
sub edi,$FFF1 ; A mod 65521
@@: add esi,edi ; B += A
cmp esi,$FFF1
jl @f
sub esi,$FFF1 ; B mod 65521
@@: inc eax
loop @_adler32_loop_2
@_adler32_end_2:
pop edx ; edx = state pointer again
shl esi,16
add edi,esi ; recombine (B shl 16) + A
mov [edx],edi
pop esi edi
retn
loader_rubbish_29_117:
db 117 dup($90)
;-------------------------------------------
TEA_DecryptECB_2:
; Second copy of the ECB driver, placed after loader_crypt_end; it calls
; TEA_DecryptBlock_2 for each 8-byte block.
; ->EAX - address of data buffer
; ->ECX - buffer size
; ->EDX - address of 128-bits key
; The size is divided by 8; up to 7 trailing bytes are left untouched.
; On return EAX points past the last decrypted block and ECX is 0.
; EBX, ESI and EDI are overwritten by TEA_DecryptBlock_2 and not restored.
shr ecx,3 ; ecx = number of whole 8-byte blocks
jecxz @_ecb_decrypt_end_2
@_ecb_decrypt_loop_2:
call TEA_DecryptBlock_2
add eax,8
loop @_ecb_decrypt_loop_2
@_ecb_decrypt_end_2:
retn
loader_rubbish_30_233:
db 233 dup($90)
;-------------------------------------------
TEA_DecryptBlock_2:
; Second copy of the 16-round TEA-style block routine, placed after
; loader_crypt_end. Same instructions as TEA_DecryptBlock; only the padding
; sizes and labels differ.
; ->EAX - address of 64-bits block to decrypt
; ->EDX - address of 128-bits key
; Preserves EAX, ECX, EDX; overwrites EBX, ESI, EDI without saving them.
; Per round (not the reference TEA round):
;   v1 -= (v0 shl 4) + (v0 xor k[2]) + ((v0 shr 5) xor sum) + k[3]
;   v0 -= (v1 shl 4) + (v1 xor k[0]) + ((v1 shr 5) xor sum) + k[1]
; with sum starting at $E3779B90 and dropping by $9E3779B9 each round.
push ecx edx eax
mov ebx,edx ; ebx -> key
mov edx,[eax]
bswap edx
mov edi,edx ; edi = v0 (big-endian word)
mov edx,[eax+4]
bswap edx
mov esi,edx ; esi = v1 (big-endian word)
mov edx,$E3770000 ; upper part of the initial sum
loader_rubbish_31_113:
db 113 dup($90)
add edx,$00009B90 ; edx = sum = $E3779B90
mov ecx,16 ; round count
@@: mov eax,edi
shl eax,4
sub esi,eax ; v1 -= v0 shl 4
mov eax,edi
xor eax,[ebx+8]
sub esi,eax ; v1 -= v0 xor k[2]
mov eax,edi
shr eax,5
xor eax,edx
sub esi,eax ; v1 -= (v0 shr 5) xor sum
sub esi,[ebx+12] ; v1 -= k[3]
mov eax,esi
shl eax,4
sub edi,eax ; v0 -= v1 shl 4
mov eax,esi
xor eax,[ebx]
sub edi,eax ; v0 -= v1 xor k[0]
mov eax,esi
shr eax,5
xor eax,edx
sub edi,eax ; v0 -= (v1 shr 5) xor sum
sub edi,[ebx+4] ; v0 -= k[1]
sub edx,$9E370000 ; sum -= $9E3779B9, done in two steps
loader_rubbish_32_43:
db 43 dup($90)
sub edx,$000079B9
loop @b
pop eax ; eax = block address again
mov edx,edi
bswap edx
mov [eax],edx ; store v0
mov edx,esi
bswap edx
mov [eax+4],edx ; store v1
pop edx ecx
loader_rubbish_33_99:
db 99 dup($90)
retn
;-------------------------------------------
loader_rubbish_34_551:
db 551 dup($90)
; fake_sign_md4 is a macro defined outside this part of the file; by its name
; it presumably emits a decoy signature at the end of the loader - TODO confirm.
fake_sign_md4
; loader_size = bytes from loader_proc (defined earlier in the file) up to here
@@: loader_size = @b - loader_proc
; ---- console strings of the packer tool itself (not part of the loader) ----
; Version and BuildDate are symbols defined elsewhere.
_AppTtle db 'Unopix ',Version,0
_AppLogo db '-----------------------------------',13,10
db ' # # # # ## ### ### # # ',13,10
db ' # # ## # # # # # # ## ',13,10
db ' # # # ## # # ### # ## ',13,10
db ' ## # # ## # ### # # ',13,10
db '-----------------------------------',13,10
db 'Scrambler for UPX packed PE files',13,10
db 'Version ',Version,32,BuildDate,13,10
db 'Copyright (c) 2005,2006 by bagie',13,10,0
; Usage text; -d corresponds to the anti-dump block in the loader.
_Usage db 'Usage: unopix <filename> <-switches>',13,10
db 'switches:',13,10
db ' -b create backup file',13,10
db ' -e preserve extra data',13,10
db ' -d enable antidump protection',0
; printf-style message templates (%s = file name)
_Filename db 'Filename: %s',0
_FileNotFound db 'file not found: %s',0
_ErrorOpenFile db 'open file error: %s',0
_ErrorMapFile db 'file mapping error',0
_ErrorNotValid db 'not a valid PE file',0
_ErrorBadEntry db 'already packed\protected',0
; ---- uninitialised data of the packer tool ----
StdIn dd ? ; std console input
StdOut dd ? ; std console output
MAX_PARAM_COUNT = 32 ; max number of arguments
_argc dd ? ; number of args
_argv dd ? ; ptr to paramstr(0)
rd MAX_PARAM_COUNT ; args table
RandSeed dd ? ; random seed; its use is not visible in this part of the file
Dummy dd ?
ScrBufInfo CONSOLE_SCREEN_BUFFER_INFO
; ---- import table of the packer tool ----
; MORPH.DLL supplies GenerateRubbishCode, presumably the generator that fills
; the loader_rubbish_* placeholders - TODO confirm at the call site.
data import
library kernel32,'KERNEL32.DLL',\
user32,'USER32.DLL',\
morph,'MORPH.DLL'
import_kernel32
import_user32
import morph,\
GenerateRubbishCode,'GenerateRubbishCode'
end data