// mov esi,esp
//popad without eax and ecx
pop edi
pop esi
pop ebp
add esp,004h
pop ebx
pop edx
add esp,008h
mov [esp+004h],ecx //change DllMain.hinstDLL
// int 3
push eax //some crazy jump
retn //jumps to entrypoint
@DynLoader_begin:
//-----------------------------------------------------------------------
// @DynLoader_begin - entry of the in-memory loader stub.
// In:   eax = an address inside the packed image; only the upper 16
//       bits are kept (and eax,0FFFF0000h), i.e. the image base is
//       assumed to be 64K-aligned.
// Frame: push ebp / mov ebp,esp / sub esp,200h. The block comment below
//       maps every ebp-relative slot the loader uses ([ebp-...] locals,
//       [ebp+8..10h] incoming arguments).
// Out:  does not return from here - ends in jmp @UnpackerEntryPoint.
//       ebx/edi/esi are pushed here; the matching pops are outside this
//       block.
//-----------------------------------------------------------------------
//we've got image base in eax (except ax), save it to ebp-050h
push ebp
mov ebp,esp
sub esp,00000200h
{
-01F8..-0100 - NtHeaders:TImageNtHeaders
-09C - MemoryBasicInformation.BaseAddress
-098 - MemoryBasicInformation.AllocationBase
-094 - MemoryBasicInformation.AllocationProtect
-090 - MemoryBasicInformation.RegionSize
-08C - MemoryBasicInformation.State
-088 - MemoryBasicInformation.Protect
-084 - MemoryBasicInformation.Type
-07C - IsBadReadPtr:Pointer
-078 - VirtualQuery:Pointer
-074 - VirtualProtect:Pointer
-070 - FirstModule:Cardinal
-054 - OrgImageSize:Cardinal
-050 - ImageBase:Cardinal
-04C - ImageEntryPoint:Cardinal
-048 - ImageSize:Cardinal
-044 - ImageType:Cardinal
-040 - HintName:Cardinal
-03C - Thunk:Cardinal
-038..-010 - Section:TImageSectionHeader
-00C - FileData:Pointer
-008 - ImageSizeOrg:Cardinal
-004 - ImageBaseOrg:Cardinal
+008 - AddrOfMainData:Pointer
+00C - GetProcAddress:Pointer
+010 - LoadLibrary:Pointer
}
push ebx //save ebx, edi, esi (callee-saved; popped by an epilogue outside this block)
push edi
push esi
and eax,0FFFF0000h //round down to a 64K boundary - the loader trusts that eax points into its own image
mov [ebp-050h],eax //save ImageBase ([ebp-050h] in the frame map above)
mov ecx,00008000h //0x8000 iterations of arithmetic whose result is never read again in this block:
@DynLoader_fake_loop: //a decoy/junk loop (obfuscation). It clobbers eax and ebx; ebx was saved above
add eax,0AF631837h
xor ebx,eax
add bx,ax //16-bit partial-register op, intentional noise
rol ebx,007h
loop @DynLoader_fake_loop
//HERE you can insert our own crypto routine
//esp and ebp should not be changed
push dword ptr [ebp+008h] //AAddr = pointer to the packed payload ([ebp+008h] = AddrOfMainData); nothing in this block pops it - presumably consumed by the routine patched in below
dd DYN_LOADER_DEC_MAGIC //4-byte marker emitted as data in the code stream; presumably the builder replaces it with the decryption routine before this path runs - TODO confirm against the builder
//\end of crypto routine
call @DynLoader_fill_image_info //defined outside this view
jmp @UnpackerEntryPoint //defined outside this view; the frame set up above stays live
//Depack
//-----------------------------------------------------------------------
// @depackit - allocate a scratch buffer, decompress the packed payload
// into it, then copy the result back over the payload in place.
// In:   ebx = address of VirtualAlloc (@VirtualAlloc does `call ebx`)
//       [ebp+008h] = packed payload pointer (AAddr)
//       [ebp-048h] = size passed to VirtualAlloc (ImageSize)
// Out:  nothing; every register is restored by the outer pushad/popad.
// NOTE(review): the VirtualAlloc result in eax is never tested for NULL
//       before @depackpe writes through it, and the scratch buffer is
//       not released anywhere in this view.
//-----------------------------------------------------------------------
@depackit:
pushad //save all registers for the caller
call @VirtualAlloc //eax = new PAGE_READWRITE buffer (0 on failure - unchecked)
pushad //pushad immediately followed by popad: leftover no-op pair
//
popad
call @depackpe //eax = buffer (preserved), ecx = unpacked byte count
pushad //second leftover no-op pair (the commented-out instruction below was its body)
// movzx esahdsd
//
popad
call @copype //copy ecx bytes from eax to [ebp+008h]
popad
ret
//-----------------------------------------------------------------------
// @copype - copy the decompressed image back over the packed payload.
// In:   eax = source buffer (from @VirtualAlloc)
//       ecx = byte count (from @depackpe)
//       [ebp+08] = destination (AAddr)
// Out:  nothing; esi/edi/ecx are reloaded with the same values by the
//       pops, eax is untouched.
// NOTE(review): the destination must already be writable - no
//       VirtualProtect is visible here. A zero ecx is not handled by
//       @CopyMemory (see the note on its loop).
//-----------------------------------------------------------------------
@copype:
//Destination-EDI,Source-ESI,Length-ECX
mov esi, eax
mov edi, dword ptr [ebp+08]
PUSH ECX //arguments pushed right-to-left: Length, Source, Destination
PUSH ESI
PUSH EDI
call @CopyMemory //reads [ebp+08h]=Destination, [ebp+0Ch]=Source, [ebp+10h]=Length
pop edi //callee does not remove its arguments; these pops do, and restore the same values
pop esi
pop ecx
ret
//-----------------------------------------------------------------------
// @depackpe - run the aPLib depacker on the packed payload.
// In:   eax = destination buffer
//       [ebp+08] = packed payload pointer; the compressed stream starts
//       at payload+018h, so a 018h-byte header precedes it (its layout
//       is not shown here)
// Out:  eax = destination buffer (preserved), ecx = unpacked length as
//       returned by @aP_depack_asm.
// NOTE(review): the depacker performs no bounds checking against the
//       buffer size allocated in @VirtualAlloc; a corrupted or
//       oversized stream overruns it.
//-----------------------------------------------------------------------
@depackpe:
push eax //second argument: destination (doubles as the saved buffer pointer)
mov ecx,dword ptr [ebp+08]
lea edx, [ecx+018h]
push edx //Source - first argument
call @aP_depack_asm //cdecl (source, destination): eax = unpacked length
mov ecx, eax
pop edx //discard the source argument (cdecl: caller cleans up)
pop eax //restore the destination pointer
ret
//VirtualAlloc
//-----------------------------------------------------------------------
// @VirtualAlloc - VirtualAlloc(NULL, [ebp-048h], MEM_COMMIT or
//                 MEM_RESERVE, PAGE_READWRITE) through the pointer in ebx.
// In:   ebx = address of VirtualAlloc
//       [ebp-048h] = ImageSize (frame map)
// Out:  eax = buffer base, or 0 on failure (not checked here).
//       stdcall: the callee removes the four arguments.
// The region is data-only (PAGE_READWRITE), not executable.
//-----------------------------------------------------------------------
@VirtualAlloc:
push PAGE_READWRITE //flProtect
push MEM_COMMIT or MEM_RESERVE //flAllocationType
push dword ptr [ebp-048h] //File size //dwSize ([ebp-048h] = ImageSize)
push 0 //lpAddress - let the OS pick
call ebx //VirtualAlloc - the caller must have loaded the API address into ebx
ret
//-mov eax, 07C809A81h
//-jmp eax
//-mov eax, eax
//(disabled variant above: a hard-coded absolute API address, which is
// OS/service-pack specific and breaks under ASLR)
//EndOfVirtualAlloc
//Memory Mover
//----------------------------------------------------------
//CopyMemory(Destination : Integer; const Source, Length: Integer);
//----------------------------------------------------------
// Destination -> EDI
// Source -> ESI
// Length -> ECX
//----------------------------------------------------------
// Arguments are read from the stack: the caller pushes Length,
// Source, Destination in that order and removes them afterwards.
// Copies Length bytes forward, one byte per iteration; ecx, eax,
// esi and edi are preserved. DF is assumed clear (no cld here).
// NOTE(review): Length == 0 is not handled - `loop` decrements ecx
//       before testing it, so ecx wraps and the loop runs 2^32 times,
//       overwriting memory until it faults. Overlapping regions are
//       copied forward without any check.
//----------------------------------------------------------
@CopyMemory:
PUSH ebp
MOV ebp,esp
push ecx
push eax
push esi
push edi
mov EDI,DWORD PTR SS:[EBP+08h]// -> Destination
mov ESI,DWORD PTR SS:[EBP+0Ch]// -> Source
mov ECX,DWORD PTR SS:[EBP+10h]// -> Length
xor EAX,EAX //al is the lods/stos transfer register; the zero is overwritten by the first lods
@memcopy:
lods byte ptr ds:[esi]//ESI: al = *esi++
stos byte ptr es:[edi]//EDI: *edi++ = al
loop @memcopy //ecx--; repeat while ecx != 0
pop edi
pop esi
pop eax
pop ecx
mov esp,ebp
pop ebp
retn
//Aplib Depacker
//-----------------------------------------------------------------------
// @aP_depack_asm - aPLib decompressor, C calling convention:
//     unsigned aP_depack_asm(const void *source, void *destination)
// In:   [esp+4] = source (compressed stream), [esp+8] = destination;
//       read below as [esp+36]/[esp+40] because pushad adds 32 bytes.
// Out:  eax = number of bytes written (output pointer - destination);
//       every other register is restored by popad.
// Register roles while running:
//       esi = input pointer, edi = output pointer
//       dl  = tag-bit buffer, shifted out MSB first (80h on entry so the
//             first @getbit reloads it)
//       ebx = state after the previous op: 2 = literal, 1 = match;
//             subtracted from the next gamma-coded offset
//       ebp = last match offset (the frame pointer is clobbered until
//             popad - a fault inside here has no usable frame)
//       ecx = match length, eax = match offset
// NOTE(review): no bounds checks on either buffer. rep movsb copies from
//       edi-eax, so a crafted or corrupted stream can read before the
//       destination or write past its end. Only decode input whose
//       size you control.
//-----------------------------------------------------------------------
@aP_depack_asm:
pushad
mov esi, [esp + 36] // C calling convention: source (32 bytes of pushad + return address)
mov edi, [esp + 40] // destination
cld //forward direction for movsb/lodsb/stosb
mov dl, 80h //empty tag buffer: the first add dl,dl yields 0 and forces a reload
xor ebx, ebx
@literal:
movsb //copy one literal byte
mov bl, 2 //previous op = literal
@nexttag:
call @getbit
jnc @literal //bit 0 -> literal
xor ecx, ecx
call @getbit
jnc @codepair //bits 10 -> gamma-coded (offset, length) pair
xor eax, eax
call @getbit
jnc @shortmatch //bits 110 -> one-byte short match
mov bl, 2 //bits 111 -> 4-bit offset, length 1 (or a single zero byte)
inc ecx
mov al, 10h //sentinel bit: loop below ends when it is shifted out
@getmorebits:
call @getbit
adc al, al
jnc @getmorebits
jnz @domatch //nonzero 4-bit offset -> copy 1 byte from edi-eax
stosb //offset 0 -> emit a zero byte (al == 0 here)
jmp @nexttag
@codepair:
call @getgamma_no_ecx //ecx = gamma code (ecx is 0 and gets pre-incremented)
sub ecx, ebx //subtract 2 (after literal) or 1 (after match)
jnz @normalcodepair
call @getgamma //result 0: reuse the last offset in ebp, only a length follows
jmp @domatch_lastpos
@shortmatch:
lodsb
shr eax, 1 //offset = byte >> 1, CF = low bit
jz @donedepacking //offset 0 is the end-of-stream marker
adc ecx, ecx //ecx = low bit; length becomes 2 or 3 after the two incs
jmp @domatch_with_2inc
@normalcodepair:
xchg eax, ecx //eax = high part of the offset
dec eax
shl eax, 8
lodsb //offset = (gamma - ebx - 1) << 8 | next byte
call @getgamma //ecx = length
cmp eax, 32000 //length corrections by offset range (aPLib format rules)
jae @domatch_with_2inc
cmp ah, 5
jae @domatch_with_inc
cmp eax, 7fh
ja @domatch_new_lastpos
@domatch_with_2inc:
inc ecx
@domatch_with_inc:
inc ecx
@domatch_new_lastpos:
xchg eax, ebp //remember this offset as the last one
@domatch_lastpos:
mov eax, ebp
mov bl, 1 //previous op = match
@domatch:
push esi
mov esi, edi
sub esi, eax //copy source = output pointer - offset, inside the output buffer (unchecked)
rep movsb //byte-wise so overlapping copies replicate runs, as the format requires
pop esi
jmp @nexttag
@getbit:
add dl, dl //shift the next tag bit into CF
jnz @stillbitsleft
mov dl, [esi] //buffer exhausted: load a new tag byte...
inc esi
adc dl, dl //...and shift its MSB out; the carry-in (always 1 here) becomes the new sentinel
@stillbitsleft:
ret
@getgamma:
xor ecx, ecx
@getgamma_no_ecx:
inc ecx
@getgammaloop:
call @getbit
adc ecx, ecx //append a data bit
call @getbit
jc @getgammaloop //continuation bit set -> more bits follow
ret
@donedepacking:
sub edi, [esp + 40] //bytes written = output pointer - destination
mov [esp + 28], edi // return unpacked length in eax (eax's pushad slot)
popad
ret
//-----------------------------------------------------------------------
// @FixDLLName - stub. The first instruction is ret, so the pushad /
// xor edx,edx / xor ebx,ebx / popad sequence below is unreachable dead
// code (and would be a no-op anyway, since popad undoes both xors).
// In/Out: eax is untouched.
//-----------------------------------------------------------------------
@FixDLLName: //eax
ret //disabled: returns immediately
pushad //dead code from here to the second ret
xor edx, edx
xor ebx, ebx
popad
ret
//-----------------------------------------------------------------------
// @FixProcName - stub, disabled by the leading ret. The unreachable body
// would XOR every byte of the NUL-terminated string at edx with 02h
// (an in-place name de/obfuscation) with all registers preserved via
// pushad/popad. For an empty string the terminator itself would be
// XORed.
// In:   edx = string pointer (only relevant if the body were enabled).
//-----------------------------------------------------------------------
@FixProcName: //edx
ret //disabled: returns immediately; everything below is dead code
pushad
xor eax, eax
mov ebx, edx
@FixProc_FindEnd: //scan forward to the terminating NUL
inc ebx
cmp byte ptr[ebx], 00h
jnz @FixProc_FindEnd
dec ebx //ebx -> last character
dec edx //pre-decrement so the loop's inc starts at the first byte
@Crypto_Proc:
inc edx
xor byte ptr [edx], 02h //flip bit 1 of each byte
cmp ebx, edx
jnz @Crypto_Proc //stop once the last character has been processed
popad
ret
//-----------------------------------------------------------------------
// @SmallITP - wrap an API address in a small, freshly allocated
// trampoline and return the trampoline's address in its place.
// In:   eax = target address to hide
//       [ebp+010h] = pointer to the LoadLibrary slot (ImportThunk.LoadLibrary)
//       [ebp+00Ch] = pointer to the GetProcAddress slot (ImportThunk.GetProcAddress)
// Out:  eax = address of a 018h-byte stub in a new PAGE_READWRITE region
//       (written into eax's pushad slot at [esp+01Ch]); all other
//       registers restored by popad. Jumps to @DynLoader_end (outside
//       this view) if GetProcAddress("VirtualAlloc") fails - presumably
//       that label unwinds the pushad frame.
// Stub layout (the block comment below lists the bytes):
//       6A 00            push 0             ; placeholder return slot
//       50               push eax           ; save caller's eax
//       A1 <stub+14h>    mov eax,[stub+14h] ; eax = target - key
//       05 <key>         add eax,key        ; recover target
//       89 44 24 04      mov [esp+4],eax    ; overwrite the placeholder
//       58               pop eax            ; restore caller's eax
//       C3               ret                ; "return" into target
//       E8               trailing byte, never reached
// key = low 32 bits of rdtsc at build time, so the stored dword differs
// on every run and the real target is only rebuilt transiently in eax.
// "kernel32.dll" and "VirtualAlloc" are assembled on the stack from
// dword immediates instead of being stored as strings in the image.
// NOTE(review): the stub sits in PAGE_READWRITE memory, so entering it
//       through the returned pointer faults wherever DEP/NX is enforced,
//       and a CET shadow stack would reject the ret-to-target. The
//       VirtualAlloc result (esi) is not NULL-checked and the page is
//       never freed, so every call leaks a page.
//-----------------------------------------------------------------------
@SmallITP:
pushad
mov ebx, eax //ebx = target to wrap
push 000h
push 06C6C642Eh //".dll"
push 032336C65h //"el32"
push 06E72656Bh //kernel32.dll on stack ("kern"; 16 bytes, NUL-terminated)
push esp //lpLibFileName
mov eax,[ebp+010h] //ImportThunk.LoadLibrary
call [eax] //LoadLibrary (stdcall: removes its single argument)
add esp,010h //drop the 16-byte string
mov edi,eax //edi = hModule (not checked for NULL)
//
push 000h
push 0636F6C6Ch //"lloc"
push 0416C6175h //"ualA"
push 074726956h //VirtualAlloc on stack ("Virt")
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h //drop the 16-byte string
mov ecx,eax //ecx = VirtualAlloc
test eax,eax
jz @DynLoader_end //resolution failed: bail out (label outside this view)
//
push PAGE_READWRITE //flProtect - data page, not executable
push MEM_COMMIT or MEM_RESERVE //flAllocationType
push 018h //dwSize - 24 bytes requested, a whole page is committed
push 000h //lpAddress
call ecx //VirtualAlloc
mov esi, eax //esi = stub base (NULL not checked)
add eax, 014h //eax = &stub[14h], the slot that will hold target-key
push eax
db 0fh, 031h //rdtsc: edx:eax = timestamp counter
mov edx, eax //key = low 32 bits of the counter
pop eax
sub ebx, edx //ebx = target - key
mov dword ptr [eax], ebx //stub[14h] = target - key
mov dword ptr [esi], 0A150006Ah //6A 00 50 A1: push 0 / push eax / mov eax,[imm32]...
mov dword ptr [esi+04h], eax //...imm32 = &stub[14h]
mov byte ptr [esi+08h], 05h //05: add eax,imm32...
mov dword ptr [esi+09h], edx //...imm32 = key
mov dword ptr [esi+0Dh], 004244489h //89 44 24 04: mov [esp+4],eax
mov word ptr [esi+011h], 0C358h //58 C3: pop eax / ret
mov byte ptr [esi+013h], 0E8h //stray E8 after the ret; never executed
{
6A0050A1
FE009C00 - eax
05
FAD30DE8 - edx
89442404
58C3
90
}
mov [esp+01Ch], esi //eax's pushad slot: return the stub address
popad
ret
//-----------------------------------------------------------------------
// @DestroyImport - overwrite a NUL-terminated string with zero bytes.
// In:   esi = structure whose dword at +0400h holds the string pointer
//       (what the structure is is not visible here; by the name,
//       presumably an import name wiped once it has been resolved).
// Out:  nothing; registers restored by popad. The target memory must be
//       writable.
// NOTE(review): each iteration zeroes [ebx] first and then tests the
//       *next* byte, so a string that is already empty is not detected:
//       the loop keeps zeroing into whatever follows until it meets a
//       NUL. Wiping names after use is an anti-analysis measure - a
//       memory dump taken after this point no longer contains them.
//-----------------------------------------------------------------------
@DestroyImport:
pushad
mov ebx, [esi+0400h] //ebx = string pointer
@FindIt:
mov byte ptr [ebx], 00h //wipe the current byte
inc ebx
cmp byte ptr [ebx], 00h //stop when the following byte is already NUL
jnz @FindIt
popad
ret
@SuperAntiDebugger:
pushad
@CheckKernel:
mov eax, [ebp-17Ch]
call eax
test eax, eax
jnz @DebuggerDetected
@CheckWindows:
@OllyCheck:
@CheckOllyDbg1:
mov eax, [ebp-188h]
mov [ebp-0203h], 038505A46h
mov [ebp-01FFh], 000000038h
mov ebx, ebp
sub ebx, 0203h
push 000h
push ebx
call eax
test eax, eax
jnz @DebuggerDetected
@CheckOllyDbg2:
mov eax, [ebp-188h]
mov [ebp-0203h], 0594C4C4Fh
mov [ebp-01FFh], 000474244h
mov ebx, ebp
sub ebx, 0203h
push 000h
push ebx
call eax
test eax, eax
jnz @DebuggerDetected
@GoBugCheck:
@GoBugWindowCheck:
mov eax, [ebp-188h]
mov [ebp-0203h], 000000041h
mov ebx, ebp
sub ebx, 0203h
push 000h
push ebx
call eax
test eax, eax
jz @SoftIceDetector
@GoBugWindowTitleCheck:
mov ecx, eax //ecx - HWND
mov esi, eax //ecx - HWND
mov eax, [ebp-194h]
push ecx
call eax
test eax, eax
jz @SoftIceDetector
inc eax
mov edx, eax //edx - Length
mov eax, [ebp-18Ch]
mov ebx, ebp
sub ebx, 0203h
push edx //Length
push ebx //Buffer
push esi //HWND
call eax
test eax, eax
jz @SoftIceDetector
//Compare Function
mov edx, [ebp-0203h]
mov ebx, 075426F47h
cmp ebx, edx
jnz @SoftIceDetector
mov edx, [ebp-01FFh]
mov ebx, 065442067h
cmp ebx, edx
jnz @SoftIceDetector
mov edx, [ebp-01FBh]
mov ebx, 067677562h
cmp ebx, edx
jnz @SoftIceDetector
mov [ebp-01F5h], 00h
mov edx, [ebp-01F7h]
mov ebx, 000007265h
cmp ebx, edx
jz @DebuggerDetected
@SoftIceDetector:
//Some crazy work - IsDebuggerPresent - 2
mov eax,fs:[018h]
mov ebx, ebp
add ebx, 0203h
mov eax,[eax+030h]
xor ecx, ecx
mov ebx, ecx
inc ecx
sub ebx, ecx
dec esi
add ebx, esi
push esi
movzx eax,byte ptr [eax+02h]
pop esi
test eax, eax
jnz @DebuggerDetected
//
@SICEDetector:
mov [ebp-0203h], 05C2E5C5Ch
mov [ebp-01FFh], 045434953h
mov [ebp-01FBh], 000000000h
mov ebx, ebp
sub ebx, 0203h
mov eax, [ebp-180h]
push 000000000h
push 000000080h
push 000000003h
push 000000000h
push 000000003h