if (p<pmax) return fromMap(p);
else return 0;
}
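/*
 * Pick the next RVA to hand to the disassembler once ordinary entry
 * discovery has run dry.
 *
 * Walks the map bytes (p, bit flags tested with masks such as 0x04/0x20)
 * and the raw file bytes (q) of the code section in lockstep with the RVA r.
 *   1. When new activity was seen (newActivity > saveActivity) or the last
 *      scan found more than one candidate, count the map bytes that read
 *      0x20 after masking with 0x2F and hand each such RVA out once; a
 *      16-entry ring buffer (ss) stops the same RVA being returned again.
 *   2. From the static cursor s (or the section start when s is unset or
 *      minEntry lies below it) skip bytes with flag 0x04, then return the
 *      first RVA past s whose file byte is non-zero and either has map flag
 *      0x20 or is one of the opcodes in codeByte, or which follows two 0xCC
 *      file bytes, or which has more than one referrer.
 *   3. Anything else is marked 0x0F (byte data) up to the next 0x04 flag or
 *      codeByte hit, and the scan continues.
 *
 * Returns the RVA to try next, or 0 when the section is exhausted.
 * Side effects: sets nextMode=3, runs PostProcessing(), updates the globals
 * saveActivity and minEntry and the static cursor s, writes 0x0F to the map.
 */
int GetNextOneReallyHard()
{
    static int savecount = 0;
    static int s = 0, ss[16] = {0,}, nss = 0;
    /* Opcode bytes taken as evidence of code; the trailing 0 is the
       terminator strchr() needs. */
    static BYTE codeByte[64] = {
        0x55,0x8B,0x8D,0x83,0x56,0x53,0x8D,0x81,0x8D,0x80,0x8A,0x33,
        //0x64,0x6A,0x66,0x68,0x50,0x51,0x52,0x57,0x58,0x54,0x40,
        0xB8,0xB9,0xBA,0xC1,0xC7,0xD9,0xDB,0xDD,0xE8,0xE9,0x9B,0};
    const char *codeStr = (const char *)codeByte;   /* strchr() takes char * */
    PBYTE p, pstart, pmax;
    PBYTE q, qstart;
    int startcount;
    int r, i, n;

    nextMode = 3;
    PostProcessing();
    pstart = toMap(imagebaseRVA);
    pmax   = toMap(imagebaseRVA + CodeSize);
    qstart = toFile(imagebaseRVA);
    startcount = 0;
    // at the beginning the following condition cannot happen, but...
    p = pstart;
    newActivity = newEntry;
    if (newActivity > saveActivity || savecount > 1) {
        while (p < pmax) {
            if ((*p & 0x2F) == 0x20) startcount++;
            p++;
        }
    }
    saveActivity = newActivity;
    savecount = startcount;

    /* Pass 1: hand out the 0x20-flagged bytes, each at most once per ring
       buffer window. startcount is never decremented; the loop ends when p
       reaches pmax. */
    p = pstart;
    while (startcount > 0 && p < pmax) {
        while (p < pmax) {
            if ((*p & 0x2F) == 0x20) break;
            p++;
        }
        r = fromMap(p);
        // added 1998. 1. 9 by sang cho to avoid looping
        n = 0;
        for (i = 0; i < 16; i++) if (r == ss[i]) n++;
        if (n == 0) {
            ss[nss] = r;
            nss++;
            if (nss > 15) nss = 0;
            return r;
        }
        p++;
    }

    /* Pass 2/3: resume from the cursor unless it has been invalidated. */
    if (s == 0 || minEntry < s) {
        p = pstart; q = qstart; r = imagebaseRVA;
    } else {
        p = toMap(s); q = toFile(s); r = s;
    }
    while (p < pmax) {
        while ((p < pmax) && (*p & 0x04)) { p++; q++; r++; }
        if (p >= pmax) return 0;
        if (((*q) && ((*p & 0x20) || strchr(codeStr, *q))) && (r > s)) {
            s = r; minEntry = r; return r;
        }
        /* Only look back two file bytes when they lie inside the section;
           the original read q-2 unconditionally, which is out of bounds
           at the section start. */
        if (r >= imagebaseRVA + 2 && *(q-2) == 0xCC && *(q-1) == 0xCC && r > s) {
            s = r; minEntry = r; return r;
        }
        /* A multiply-referenced byte past the cursor is a candidate; every
           other byte is marked 0x0F and the cursor moves on. */
        if (referCount(r) > 1 && r > s) {
            s = r; minEntry = r; return r;
        }
        s = r; *p++ = 0x0F; q++; r++;
        while (p < pmax && ((*p & 0x04) == 0)
               && (*q == 0 || strchr(codeStr, *q) == NULL)) {
            *p = 0x0F; p++; q++; r++;
        }
    }
    return 0;
}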
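/*
 * Scan the map from RVA `ref` for the next run of bytes whose low nibble is
 * 0x0F that statistically looks like code, clear its marks to 0, and return
 * its RVA; the run length in bytes is stored through `size`.
 *
 * For each candidate run the leading 0x00/0x90 file bytes are skipped and a
 * byte histogram (cBox) of the remainder is taken.  nn counts common
 * prologue/call opcodes (55 8B 8D E8 FF); nz counts bytes 0x00..0x32 plus
 * 0xFF, minus nn and an allowance for C3 returns and E9 jumps.  A run longer
 * than three bytes with nz below three quarters of its length is accepted.
 *
 * Returns the RVA of the accepted run, or 0 with *size = 1 when no run
 * qualifies before the end of the code section.
 */
int nextTry(int ref, int *size)
{
    PBYTE pmax = toMap(imagebaseRVA + CodeSize);
    PBYTE p, ps, pe, q;
    int i, n, nn, nz, r;
    int cBox[256];

    p = toMap(ref);
    q = toFile(ref);
    while (p < pmax) {
        for (i = 0; i < 256; i++) cBox[i] = 0;
        /* Locate the next 0x0F run and drop its 0x00/0x90 padding head. */
        while (p < pmax && ((*p & 0x0F) != 0x0F)) { p++; q++; }
        while (p < pmax && ((*p & 0x0F) == 0x0F) && (*q == 0x00 || *q == 0x90)) { p++; q++; }
        ps = p; n = 0;
        while (p < pmax && ((*p & 0x0F) == 0x0F)) {
            cBox[*q] += 1;   /* assumes BYTE is unsigned so *q indexes 0..255 -- TODO confirm */
            p++; q++; n++;
        }
        pe = p;
        nz = 0;
        nn = cBox[0x55] + cBox[0x8B] + cBox[0x8D] + cBox[0xE8] + cBox[0xFF];
        for (i = 0; i < 0x33; i++) nz += cBox[i];
        nz += cBox[0xFF];
        nz -= nn + cBox[0xC3] * n + cBox[0xE9];
        if (3 < n && 4 * nz < 3 * n) {
            for (p = ps; p < pe; p++) *p = 0;
            r = fromMap(ps);
            /* Pointer difference instead of the original (int)pe-(int)ps,
               which truncates pointers on 64-bit targets. */
            *size = (int)(pe - ps);
            return r;
        }
        p = pe;
    }
    *size = 1;
    return 0;
}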
/*
 * Give a nextTry() candidate back to the byte pool: re-mark `size` map
 * bytes starting at RVA `ref` as 0x0F (clipped at the end of the code
 * section) and reset the disassembler status globals nsc, dmc and
 * fatalError.  Always returns 1.
 */
int eraseTry(int ref, int size)
{
    PBYTE limit = toMap(imagebaseRVA + CodeSize);
    PBYTE cur = toMap(ref);
    PBYTE stop = cur + size;

    for (; cur < limit && cur < stop; cur++) {
        *cur = 0x0F;
    }
    nsc = 0;
    dmc = 0;
    fatalError = 0;
    return 1;
}
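/*
 * Last-resort pass: after PostProcessing1() has settled the map, feed each
 * nextTry() candidate run to the disassembler.  A run that ends in a fatal
 * disassembler error is returned to the byte pool with eraseTry(), except
 * that error 998 first gets a secondChance() on fatalReference.
 *
 * Always returns 1, also when there is no candidate at all.
 * NOTE(review): secondChance() returns -1 when it refuses to retry a
 * reference it has already seen too often; `!secondChance(...)` treats that
 * like success, so such a run is not erased.  Kept as-is -- confirm intended.
 */
int TryFinally()
{
    int ref, off, size;

    nextMode = 4;
    PostProcessing1();
    ref = nextTry(imagebaseRVA, &size);
    if (ref == 0) return 1;
    /* presumably the file offset of the candidate: RVA relative to the
       section start plus the section's raw-data offset -- verify CodeOffset */
    off = ref - imagebaseRVA + CodeOffset;
    //fprintf(stderr,"f ref=%08X",ref);
    resetDisassembler(off);
    while (yytchar != EOF) {
        Disassembler();
        if (fatalError == 998) {
            if (!secondChance(fatalReference)) eraseTry(ref, size);
        } else if (fatalError) {
            eraseTry(ref, size);
        }
        ref = nextTry(ref + size, &size);
        if (ref == 0) break;
        off = ref - imagebaseRVA + CodeOffset;
        resetDisassembler(off);
    }
    return 1;
}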
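/*
 * Retry a failed reference once.  If the map byte at `xref` is 0x0F (byte
 * data) and its file byte is non-zero, temporarily clear the whole 0x0F run
 * starting there, run the disassembler from that offset inside a pushed
 * environment, and keep the result if no fatal error occurs.
 *
 * Returns 1 when the retry disassembled cleanly, 0 when it was not
 * applicable or failed (the run is restored to 0x0F), and -1 when the
 * global fatalReference has already been retried more than twice.
 * NOTE(review): the loop-avoidance table is keyed on the global
 * fatalReference rather than on the `xref` parameter; the only caller seen
 * here passes the same value -- confirm.
 */
int secondChance(int xref)
{
    enum { FREF_TAB_SIZE = 4096 };
    static int frefTab[FREF_TAB_SIZE];
    static int nfrefTab = 0;
    PBYTE pmax = toMap(imagebaseRVA + CodeSize);
    PBYTE p, ps, pe, q;
    int i, n, off;

    if (xref == 0) return 0;
    p = toMap(xref);
    if (*p != 0x0F) return 0;
    q = toFile(xref);
    if (*q == 0x00) return 0;
    // added 1998. 1.8 by sangcho to avoid looping
    n = 0;
    for (i = 0; i < nfrefTab; i++) if (frefTab[i] == fatalReference) n++;
    if (n > 2) return -1;
    /* The table is fixed-size; the original appended unconditionally and
       overran it after 4096 retries.  When full, further references are
       simply not remembered. */
    if (nfrefTab < FREF_TAB_SIZE) frefTab[nfrefTab++] = fatalReference;
    ps = p;
    /* Bound the run scan at the end of the code section. */
    while (p < pmax && *p == 0x0F) p++;
    pe = p;
    for (p = ps; p < pe; p++) *p = 0x00;
    pushEnvironment();
    off = xref - imagebaseRVA + CodeOffset;
    resetDisassembler(off);
    while (yytchar != EOF) {
        Disassembler();
        if (fatalError) {
            /* Put the run back as byte data before unwinding. */
            for (p = ps; p < pe; p++) *p = 0x0F;
            popEnvironment();
            return 0;
        }
        break;
    }
    popEnvironment();
    return 1;
}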
#define TOLERANCE 0x00008000
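/*
 * Starting at RVA `r`, skip map bytes whose flags include 0x0E and then
 * walk the following file bytes as an array of 32-bit values.  While
 * consecutive values differ by less than TOLERANCE, every 4-byte slot whose
 * map bytes are all still 0x00 is registered as an address reference via
 * EnterLabel(166, value, slot RVA).  The walk stops at the first pair of
 * values that differ by TOLERANCE or more.
 *
 * Always returns 1.  Prints a progress marker "t" to stderr.
 * Notes: at i == 0 the comparison reads the 4 file bytes before q, exactly
 * as the original did; the scan is additionally bounded by the end of the
 * code section so the CodeSize loop limit cannot run past the map.
 */
int trySomeAddress(int r)
{
    PBYTE pmax = toMap(imagebaseRVA + CodeSize);
    PBYTE p, q;
    int i, d, rr;
    int cur, prev;

    p = toMap(r);
    q = toFile(r);
    while (p < pmax && (*p & 0x0E) == 0x0E) { p++; q++; r++; }
    fprintf(stderr, "t");
    // I don't know why I am doing this way but somehow it makes sense.
    for (i = 0; i < CodeSize && p + 4 * i + 4 <= pmax; i++) {
        /* memcpy instead of the original *(int*)((int)q+4*i): the pointer
           to int cast truncates on 64-bit targets and the int * access
           aliases/misaligns the byte buffer. */
        memcpy(&cur,  q + 4 * i,     sizeof cur);
        memcpy(&prev, q + 4 * i - 4, sizeof prev);
        /* Subtract in unsigned so a large gap wraps instead of overflowing. */
        d = (int)((unsigned)cur - (unsigned)prev);
        if ((-TOLERANCE < d) && (d < TOLERANCE)) {
            if (p[4*i] == 0x00 && p[4*i+1] == 0x00 && p[4*i+2] == 0x00 && p[4*i+3] == 0x00) {
                rr = cur;
                EnterLabel(166, rr, (r + 4 * i));
                //fprintf(stderr,"address++%08X :: %08X\n",r+4*i,*(int*)((int)p+4*i));
                //fprintf(stdout,"address++%08X\n",r+4*i);
            }
            //else fprintf(stderr,"$");
        } else {
            break;
        }
    }
    return 1;
}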
/*
 * Post-processing sweep over the map of the code section, run at the start
 * of every GetNextOneReallyHard() call.  Three passes, each over the map
 * bytes (p) and raw file bytes (q) in lockstep:
 *   1. after each run of 0x0E map bytes, treat the following file bytes as
 *      32-bit values and, while consecutive values are within TOLERANCE,
 *      register each slot whose map bytes are all 0x00 via EnterLabel(166);
 *   2. where the map byte is 0 and the file holds 0xCC 0xCC (0xCC or a
 *      non-zero map byte two ahead), mark the 0xCC run 0x0C;
 *   3. from the lower of the static cursor s and minErase, mark every run of
 *      map bytes without flag 0x04 as 0x0F (byte data) when it contains no
 *      C2/C3 return and fewer than 1% of 81/83/89/8B opcodes.
 * The static s remembers how far pass 3 got and is published through the
 * global minErase.  On later calls pass 1 is skipped (p=pmax) unless
 * addedAddress is set, and pass 2 is skipped once s != 0.
 * Always returns 1 and prints "#" to stderr.
 * Unused locals kept from the original: j, c, pk, k, t, qs.
 */
int PostProcessing()
{
static int s=0;
int i,j,m,n;
int c,d,r,rr;
int cBox[256];
_key_ k;
PKEY pk;
PBYTE p, pmax, pstart, ps, pe;
PBYTE q, qstart, qs, t;
pstart=toMap(imagebaseRVA);
pmax =toMap(imagebaseRVA+CodeSize);
qstart=toFile(imagebaseRVA);
// Skip pass 1 on later calls without new addresses; q stays unset in that
// branch but is not read because p==pmax ends the loop immediately.
if (s==0||addedAddress){ p=pstart;q=qstart; }
else {p=pmax;}
addedAddress=0;
// First check whether this is label or not.
while(p<pmax)
{
while(p<pmax && (*p)!=0x0E)p++,q++;
while(p<pmax && (*p)==0x0E)p++,q++;
if (p<pmax)
for (i=0;i<CodeSize;i++)
{
// NOTE(review): (int)q is a pointer-to-int cast, i.e. a 32-bit build is
// assumed; at i==0 this also reads the 4 file bytes before q.
d=*(int*)((int)q+4*i) - *(int*)((int)q+4*i-4);
if ((-TOLERANCE<d) && (d<TOLERANCE))
{
if ((*(p+4*i+0)==0x00)&&(*(p+4*i+1)==0x00)&&(*(p+4*i+2)==0x00)&&(*(p+4*i+3)==0x00))
{
r=fromMap(p+4*i);
rr=*(int*)((int)q+4*i);
EnterLabel(166,rr,r);
}
// A slot that is already classified ends the address table.
else { p=p+4*i; q=q+4*i; break; }
}
// Consecutive values too far apart: not an address table any more.
else { p=p+4*i; q=q+4*i; break; }
}
else break;
}
// now for CC blocks to go
// sometimes non CC data maybe lost...beware!
if (s==0) {p=pstart;q=qstart;}
else {p=pmax;}
while(p<pmax)
{
while(p<pmax && (*p) >0){p++;q++;}
while(p<pmax && (*p)==0)
{
// Two 0xCC file bytes followed by a third, or by a non-zero map byte,
// start a padding run that is marked 0x0C up to the last 0xCC.
if ((*q==0xCC)&&(*(q+1)==0xCC)&&((*(q+2)==0xCC)||(*(p+2)>0)))
while(*q==0xCC){*p++=0x0C; q++;}
p++; q++;
}
}
// now for byte datas to go
// I have to test some more conditions here november 2,1997 sangcho
if (s==0) r=imagebaseRVA;
else if (minErase<s) r=minErase;
else r=s;
// s starts one section past r ("nothing left") and is lowered to the first
// RVA at which something remained unerased.
p=toMap(r);q=toFile(r);s=r+CodeSize;
while(p<pmax)
{
while(p<pmax && (*p&0x04)){p++;q++;r++;}
ps=p; rr=r;
// A 0x20 map byte and the 0x00 bytes after it are left alone, but the
// cursor is pulled back to it.
if ((*p)==0x20)
{
if (s>r) s=r;
p++;q++;r++;
while(p<pmax && (*p)==0x00){p++;q++;r++;}
continue;
}
for(i=0;i<256;i++)cBox[i]=0;
m=0;
// Histogram the file bytes of the run up to the next 0x04 map byte.
while(p<pmax && (*p&0x04)==0)
{
cBox[*q]+=1;
p++; q++; m++; r++;
}
pe=p;
// No C2/C3 return and fewer than 1% 81/83/89/8B opcodes: treat as data.
if ((cBox[0xC2]+cBox[0xC3]==0) &&
((cBox[0x81]+cBox[0x83]+cBox[0x89]+cBox[0x8B])*100<m))
{
p=ps;
while(p<pe)
{
*p=0x0F;
p++;rr++;
}
}
else if(s>rr)s=rr;
// m==0 only happens when the run was empty (p already at pmax); step
// forward anyway so the loop cannot stall.
if (m==0){p++;q++;r++;}
}
fprintf(stderr,"#");
minErase=s;
return 1;
}
int PostProcessing1()
{
int i, r, n, nn, nz, rs, re, ri, rr;
int cBox[256];
PBYTE pstart, pmax, p, ps, pe, pp;
PBYTE qstart, qi, q, qs, qe, qq;
pstart = toMap(imagebaseRVA);
qstart = toFile(imagebaseRVA);
r = imagebaseRVA;
pmax = pstart+CodeSize;
p=pmax-1;
q=qstart+CodeSize-1;
while(*q==0&&(*p&0x80)==0)q--,p--;
p++;
while(p<pmax)
{
*p++=0x0F;
}
// I got something which is not processed yet.
// I'll set everything to byte data whew...
p=pstart;
while(p<pmax)
{
if ((*p&0x04)==0)
{ *p=0x0F; p++; r++; }
else p++,r++;
}
// now i am doing something should be done.
// i am trying to find code blocks which lies between
// some address blocks or byte blocks which is imcomplete
// namely, which does not have return or jmp statement.
// so it should looks like
// {START|address|byte}code{address|byte|END}
// if this code block ends with C3 or C2 something or
// one of jmp statment it is OK
// otherwise there is some problem.
p=pstart;
q=qstart;
r=imagebaseRVA;
ri=r;
while(p<pmax)
{
while(*p&0x08)
{
if (*p==0x2F)
{*p=0x0F;rr=fromMap(p);fprintf(stderr,"2F%08X",rr);}
p++;q++;r++;
}
ps=p;n=0;
for(i=0;i<256;i++)cBox[i]=0;
while((*p&0x08)==0x00)
{
if (*p&0x05==0x05){cBox[*q]+=1;n++;qi=q;ri=r;}
p++;q++;r++;
}
pe=p;qe=q;re=r;nn=0;nz=0;
for(i=0x41;i<0x5B;i++)nn+=cBox[i];
for(i=0x61;i<0x7B;i++)nn+=cBox[i];
nn+=cBox[0x00]+cBox[0x90];
nz+=cBox[0x00]+cBox[0x01]+cBox[0x02]+cBox[0x03];
if((nn*3>n*2)||(nz*2>n)||(n==1&&isNotGoodJump(fromMap(ps)))||
(n<16&&(cBox[0xC2]+cBox[0xC3]==0)&&(*qi!=0xE9)&&(*qi!=0xFF)))
{
p=ps;
while(p<pe)
{
if(*p&0x20)eraseSuspicious(fromMap(p));
if(*p&0x40)break;
*p++=0x0F;
}
}
p=pe;q=qe;r=re;
}
// now for some final touch,,
// namely clear some garbage code which clings to byte data
p=pstart;q=qstart;r=imagebaseRVA;
while(p<pmax)
{
while((p<pmax)&&((*p&0x0F)==0x0F)){p++;q++;r++;}
while((p<pmax)&&((*p&0x0F)!=0x0F)){p++;q++;r++;}
if((*(p-1)&0x80)==0)
{
pe=p;p--;qe=q;q--;re=r;r--;
while((*p&0x80)==0x00&&!(*p&0x40)){p--;q--;r--;}
if((*p&0x40)||(*p&0x0C)==0x0C){p=pe;q=qe;r=re;continue;}
p++;q++;r++;
while(p<pe)
{
if((*p&0x0C)==0x0C){p=pe;q=qe;r=re;break;}
*p++=0x0F;q++;r++;
}
}
}
// now for some real final touch,, nov.10,1997 -sangcho-
// namely clear some garbage code which clings hard to byte data
p=pstart;
q=qstart;
r=imagebaseRVA;
while(p<pmax)
{
while((p<pmax)&&((*p&0x0F)==0x0F)){p++;q++;r++;}
while((p<pmax)&&((*p&0x0F)!=0x0F)){p++;q++;r++;}
if((*(p-1)&0x80))
{
pe=p;qe=q;re=r;
p--;q--;r--;
if((*(p-1)&0x88)==0)
{
p--;q--;r--;
while((*p&0x88)==0&&!(*p&0x40)){p--;q--;r--;}
if(*p&0x40){p=pe;q=qe;r=re;continue;}
p++;q++;r++;
ps=p;n=0;
for(i=0;i<256;i++)cBox[i]=0;
while((p<pe)&&((*p&0x08)==0x00))
{
if ((*p&0x05)==0x05){cBox[*q]+=1;n++;qi=q;}
p++;q++;r++;
}
nz=0;
for(i=0;i<0x33;i++)nz+=cBox[i];
nz-=cBox[0xC3]*n+cBox[0xE9]+cBox[0xFF];
//nz=cBox[0x00]+cBox[0x01]+cBox[0x02]+cBox[0x03];
if((nz*2>n)||(n==1&&isNotGoodJump(fromMap(ps))))
{
p=ps;
while(p<pe)
{
if(*p&0x40){p=pe;break;}
*p++=0x0F;
}
}
}
p=pe;q=qe;r=re;
}
}
// now for some real final touch,, nov.12,1997 -sangcho-
// namely clear some garbage code which clings hard to byte data
// this time we need to
// find the code block which clings after byte data and which is dead.
// so no outside reference is made, then you need to check out
// carefully what is code and what is byte,
// so this is what i do:
// if each instruction is in ascii character range including
// 00 and 20 and 2A you treat them as byte data.
// but if you find 55 then you are almost done!
// and check if next byte is something 8B or not.
// if it is then you are really done.
// and convert everything between start to just before 55 to
// byte data!
p=pstart;
q=qstart;
r=imagebaseRVA;
while(p<pmax)
{
while((p<pmax)&&((*p&0x0F)!=0x0F)){p++;q++;r++;}
while((p<pmax)&&((*p&0x0F)==0x0F)){p++;q++;r++;}
if(*p&0x40) continue;
if(!(*p&0x02))continue;
ps=p;qs=q;rs=r;
while((p<pmax)&&!(*p&0x02)&&!(*p&0x80)){p++;q++;r++;}
if(!(*p&0x02))continue;
pe=p;qe=q;re=r;
p=ps;q=qs;r=rs;
while((p<pmax)&&(*q<0x80)){p++;q++;r++;}
if((*q==0x8B)&&(*(q-1)==0x55)){pp=p-1;qq=q-1;rr=r-1;}
else {p=pe;q=qe;r=re;continue;}
p=ps;q=qs;r=rs;nn=0;
while(p<pp)