push 0C0000000h
push ebx // \\.\SICE
call eax //CreateFileA
cmp eax, 0FFFFFFFFh // if invalid handle value
je @NTICEDetector // jumps here
push eax
mov eax, [ebp-184h]
call eax //CloseHandle
jmp @DebuggerDetected
@NTICEDetector:
// Second SoftICE probe: try to open the NT-kernel SoftICE device "\\.\NTICE"
// (the block cut off above does the same for the Win9x device "\\.\SICE").
// The device name is assembled in the frame at [ebp-203h] so that no string
// literal for it exists in the image: "\\.\" + "NTIC" + "E\0".
mov [ebp-0203h], 05C2E5C5Ch
mov [ebp-01FFh], 04349544Eh
mov [ebp-01FBh], 000000045h
mov ebx, ebp
sub ebx, 0203h // ebx = address of "\\.\NTICE" (also reused by the RDTSC stage below)
mov eax, [ebp-180h] // CreateFileA, resolved into the frame by @LoadLibraries
// CreateFileA(lpFileName, GENERIC_READ or GENERIC_WRITE, FILE_SHARE_READ or FILE_SHARE_WRITE,
//             NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL) - pushed right to left
push 000000000h //hTemplateFile
push 000000080h //dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
push 000000003h //dwCreationDisposition = OPEN_EXISTING
push 000000000h //lpSecurityAttributes
push 000000003h //dwShareMode = FILE_SHARE_READ or FILE_SHARE_WRITE
push 0C0000000h //dwDesiredAccess = GENERIC_READ or GENERIC_WRITE
push ebx // \\.\NTICE
call eax //CreateFileA
cmp eax, 0FFFFFFFFh // INVALID_HANDLE_VALUE: device absent -> SoftICE driver not loaded
je @FinishingLine // continue with the timing / checksum stage
// The device opened -> a SoftICE driver is present. Close the handle before
// bailing out so the device handle is not leaked, then self-destruct.
// NOTE(review): any driver that registers the \\.\NTICE name (or a hooked
// CreateFileA that returns a valid handle) trips this; conversely a debugger
// that fails the open passes it. It only catches SoftICE-era tooling.
push eax
mov eax, [ebp-184h]
call eax //CloseHandle
jmp @DebuggerDetected
@FinishingLine:
// Timing stage: three RDTSC reads, emitted as raw bytes (db 0Fh,31h) because the
// inline assembler has no mnemonic for it. RDTSC writes EDX:EAX; only EAX is
// kept and EDX is clobbered. The samples are stored over the "\\.\NTICE" buffer
// at [ebp-203h]; the second is offset by ebx (the buffer address left in ebx by
// @NTICEDetector) and the third de-offset by it. Nothing in this chunk reads
// the samples back - presumably consumed elsewhere; verify before relying on it.
db 0Fh, 031h
mov [ebp-0203h], eax
db 0Fh, 031h
add eax, ebx
mov [ebp-01FFh], eax
db 0Fh, 031h
sub eax, ebx
mov [ebp-01FBh], eax
// Integrity check over the code that precedes this point. call/pop yields the
// address of @CheckCRC64; the checked span is [@CheckCRC64-1F9h, @CheckCRC64+31h),
// i.e. roughly the SoftICE probes above through the checksum loop itself. Any
// change to a byte in that span (a patch, a software breakpoint INT3, an edit
// to this routine) must be matched by the expected value that @LoadLibraries
// stores at [ebp-19Ch].
call @CheckCRC64
@CheckCRC64:
pop eax // eax = address of @CheckCRC64
mov ebx, eax
add eax, 000000031h // eax = end of checked span
sub ebx, 0000001F9h // ebx = start of checked span
@CalcCrc64:
// Despite the name this is not CRC-64 (nor any CRC): it is an ad-hoc 32-bit
// mixing function, so it catches accidental modification but is trivially
// forgeable by anyone who can recompute it.
mov edx, eax //ebx - start ; eax - end
sub edx, ebx //edx = length of the span in bytes
mov esi, ebx //esi = read cursor (start)
mov ecx, edx //ecx = bytes remaining
xor ebx, ebx
xor edx, edx //edx = accumulated checksum
mov eax, 001h
@L0:
movzx ebx, byte ptr [esi]
inc esi
add eax, ecx
add eax, ebx
xor eax, ebx
xor edx, eax
dec ecx
jne @L0
cmp edx, [ebp-19Ch] // expected checksum (3B173h, set in @LoadLibraries)
jne @DebuggerDetected // mismatch -> treat as tampering, self-destruct
popad // matching pushad is outside this chunk
jmp @Depackers // all checks passed: continue with the unpacking stage
@DebuggerDetected:
// Self-destruct path. Locates byte patterns in the stub and zeroes the code
// between them so that little is left for a debugger to dump. Every store here
// targets the stub's own code, so the containing pages must be writable; that
// is a property of how the packer sets up its section, not something checked here.
call @FindNow
@FindNow:
pop eax // eax = address of @FindNow
@FindLDRStart:
// Scan backwards for the 8-byte signature 0F 31 50 0F 31 2B 04 24
// (rdtsc / push eax / rdtsc / sub eax,[esp]). That sequence is not in this
// chunk - presumably it marks the start of the loader region (@SuperAntiDebugger).
dec eax
cmp [eax], 00F50310Fh
jne @FindLDRStart
cmp [eax+04h], 024042B31h
jne @FindLDRStart
call @FindNow2
@FindNow2:
pop edi
sub edi, 08h // edi = 8 bytes before @FindNow2 = end of the first erase range
@EraseLoop1:
// Zero forward from the signature up to (not including) edi. Each store writes
// a dword while eax advances by one byte, so the last store reaches 3 bytes past edi.
mov dword ptr[eax], 00h
inc eax
cmp eax, edi
jne @EraseLoop1
call @FindNow3
@FindNow3:
pop eax // eax = address of @FindNow3
@FindFileEnd:
// Scan forward for the 12-byte marker "KeRnEl32.dLl" (not present in this chunk).
inc eax
cmp [eax], 06E52654Bh
jne @FindFileEnd
cmp [eax+04h], 032336C45h
jne @FindFileEnd
cmp [eax+08h], 06C4C642Eh
jne @FindFileEnd
sub eax, 09Ch // eax = end of the second erase range, 9Ch bytes before the marker
call @FindNow4
@FindNow4:
pop ebx // ebx = address of @FindNow4
@FindLoaderX:
// Scan forward for "32.d" with "user" 5 bytes later: the immediates of the two
// consecutive 'push' instructions that build "user32.dll" in @LoadLibraries.
inc ebx
cmp [ebx], 0642E3233h
jne @FindLoaderX
cmp [ebx+05h], 072657375h
jne @FindLoaderX
@EraseLoop2:
// Zero backwards from eax down to (not including) ebx - wipes the dynamic
// import loader. NOTE(review): all three scans are unbounded; if a marker is
// missing they walk off the mapping and fault rather than stop.
mov dword ptr[eax], 00h
dec eax
cmp eax, ebx
jne @EraseLoop2
//Text display: shows a message box, building both strings in memory 0FFFh bytes
//past @FinXXXXXX, i.e. inside the stub's own image, which must be writable there.
call @FinXXXXXX
@FinXXXXXX:
pop eax // eax = address of @FinXXXXXX
add eax, 0FFFh // eax = scratch area for the message text
mov ebx, eax
add ebx, 00ACh // ebx = scratch area for the caption
mov [eax], 0656C6946h // "File"
mov [eax+04h], 0636E4920h // " Inc"
mov [eax+08h], 07572726Fh // "orru"
mov [eax+0Ch], 064657470h // "pted"
mov [eax+010h], 002021h // "! " + NUL  -> text "File Incorrupted! "
mov [ebx], 06F727245h // "Erro"
mov [ebx+04h], 052h // "R" + NUL  -> caption "ErroR"
//End
// MessageBoxA(NULL, text, caption, MB_OK). The frame slot [ebp-190h] that holds
// the MessageBoxA pointer is reused as a temporary for the text pointer across
// the call, so after this point the slot no longer holds the API address.
mov ecx, [ebp-190h]
mov [ebp-190h], eax
push 00000000 //uType = MB_OK
push ebx //caption
push eax //text
push 00000000 //hWnd
call ecx // MessageBoxA (stdcall: pops its own four arguments)
mov eax, [ebp-190h] // eax = text pointer again
// Wipe both strings so they do not survive in a memory dump.
mov [eax], 000h
mov [eax+04h], 000h
mov [eax+08h], 000h
mov [eax+0Ch], 000h
mov [eax+010h], 000h
mov ebx, eax
add ebx, 00ACh
mov [ebx], 000h
mov [ebx+04h], 000h
//Erase my imports: zero the resolved pointers at [ebp-194h]..[ebp-178h]
//(GetWindowTextLengthA, MessageBoxA slot, GetWindowTextA, FindWindowA, CloseHandle,
//CreateFileA, IsDebuggerPresent and the user32 module handle). The VirtualAlloc
//pointer at [ebp-198h] is read into edx first and is left intact, as is the
//kernel32 handle at [ebp-174h].
mov ebx, ebp
sub ebx, 174h // one dword above the first slot to clear
mov edx, [ebp-198h] // VirtualAlloc - needed by the next stage
@EraseImportLoop:
sub ebx, 04h
mov [ebx],000h
mov eax, ebp
sub eax, 194h // stop once [ebp-194h] has been cleared
cmp ebx, eax
jne @EraseImportLoop
// Allocate 100h bytes, hand-assemble a small final-stage routine into them and
// jump to it with push/retn.
// NOTE(review): the page is requested as PAGE_READWRITE, not
// PAGE_EXECUTE_READWRITE - with DEP/NX enforced the retn into it faults instead
// of running the routine.
push PAGE_READWRITE //flProtect
push MEM_COMMIT or MEM_RESERVE //flAllocationType
push 0100h //dwSize
push 0 //lpAddress
call edx //VirtualAlloc
mov edx, eax // edx = code buffer
// Decoded little-endian, the dwords below assemble to:
//   xor edx,edx / L1: pop ecx / inc edx / cmp edx,0AFh / jne L1   - discard 0AFh dwords of stack
//   add eax,50h / L2: mov dword [eax],01010101h / sub eax,4
//   cmp dword [eax],0 / jne L2 / cmp dword [eax-4],0 / jne L2   - fill backwards until two
//                                                                 consecutive zero dwords
//   xor eax,eax / nop / ret                                      - return to whatever the
//                                                                 unwound stack now holds
// On entry eax is the address of @CallMeXXX (popped below), so the fill starts
// 50h bytes into this stub's own code and runs back over it.
mov [eax], 04259d231h
add eax, 04h
mov [eax], 000AFFA81h
add eax, 04h
mov [eax], 0F6750000h
add eax, 04h
mov [eax], 0C750C083h
add eax, 04h
mov [eax], 001010100h
add eax, 04h
mov [eax], 004E88301h
add eax, 04h
mov [eax], 075003883h
add eax, 04h
mov [eax], 0FC7883F2h
add eax, 04h
mov [eax], 031EC7500h
add eax, 04h
mov [eax], 000C390C0h
call @CallMeXXX
@CallMeXXX:
pop eax // eax = address of @CallMeXXX
push edx
retn // transfer control into the allocated routine
// Not reached by fall-through: the retn above leaves for the allocated routine.
// The popad/xor/push run below looks like filler or decoy code (its popad
// sequence has no matching pushad in sight). The only self-contained part is
// @Ultra, which fills backwards from its own address with 01010101h until it
// meets two zero dwords and then does 'push 0 / retn' - a deliberate jump to
// address 0, i.e. a crash.
popad
xor eax, eax
popad
xor ebx, ebx
popad
xor ecx, ecx
popad
xor edi, edi
popad
xor esi, esi
popad
xor eax, eax
popad
xor edi, edi
push eax
xor ebx, ebx
push ebx
xor esi, esi
push ecx
xor ecx, ecx
push edi
xor al, al
push esi
xor ax, ax
call @ultra
@Ultra:
pop eax // eax = address of @Ultra
sub eax, 03h
@UltraEraseLoop:
mov [eax], 001010101h
sub eax, 04h
cmp [eax], 00h
jne @UltraEraseLoop
cmp [eax-04h], 00h
jne @UltraEraseLoop
xor eax, eax
push eax
retn // return to address 0: deliberate crash
@LoadLibraries:
// Dynamic import resolver. Called from @UnpackerEntryPoint, but the first thing
// it does is pop (discard) that return address, so it never returns with 'ret':
// it ends with 'jmp @SuperAntiDebugger', and the anti-debug stage reaches
// @Depackers with its own 'jmp'.
// Inputs (procedure parameters, set up by the caller outside this chunk):
//   [ebp+010h] -> thunk holding the address of LoadLibraryA
//   [ebp+00Ch] -> thunk holding the address of GetProcAddress
// Outputs: resolved API pointers in frame slots [ebp-198h]..[ebp-174h] and
// [ebp-07Ch]..[ebp-074h]; ebx = VirtualAlloc and edi = kernel32 handle are also
// carried in registers (ebx is used as 'call ebx //VirtualAlloc' in @Depackers).
// Every API name is built on the stack from immediates and passed via 'push esp',
// so no plain-text import names appear in the image.
// NOTE(review) - stack balance: LoadLibraryA/GetProcAddress are stdcall and remove
// their own arguments (the 'push esp' / 'push edi' / 'push eax'), so 'add esp,010h'
// afterwards must remove exactly the name dwords that were pushed. That holds for
// the 4-dword names (kernel32.dll, VirtualAlloc, GetWindowTextA, VirtualProtect,
// VirtualQuery, IsBadReadPtr). The 3-dword names (user32.dll, CreateFileA,
// CloseHandle, FindWindowA, MessageBoxA) leave esp 4 bytes too high after each
// call, the 5-dword IsDebuggerPresent leaves 4 bytes behind, and the 6-dword
// GetWindowTextLengthA 8 bytes. Correct adjustments would be 0Ch / 14h / 18h.
// Whether the net drift matters depends on what the caller keeps above this
// frame - check before relying on esp here.
pop eax // discard return address of 'call @LoadLibraries'
//Added by Silent Shield (Dayvo)
push 000006C6Ch // "ll\0\0"
push 0642E3233h // "32.d"
push 072657375h //user32.dll on stack  ("user")
push esp //lpLibFileName
mov eax,[ebp+010h] //ImportThunk.LoadLibrary
call [eax] //LoadLibrary
add esp,010h // 3 dwords were pushed: see balance note above
mov [ebp-178h],eax //user32.dll on my stack
test eax,eax
jz @DynLoader_end
//End of Added
push 000h
push 06C6C642Eh // ".dll"
push 032336C65h // "el32"
push 06E72656Bh //kernel32.dll on stack  ("kern")
push esp //lpLibFileName
mov eax,[ebp+010h] //ImportThunk.LoadLibrary
call [eax] //LoadLibrary
add esp,010h
mov [ebp-174h],eax //kernel32.dll on my stack
mov edi,eax // edi = kernel32 handle; not NULL-checked here - a NULL would surface as
            // GetProcAddress returning NULL in the VirtualAlloc lookup below
push 000h
push 0636F6C6Ch // "lloc"
push 0416C6175h // "ualA"
push 074726956h //VirtualAlloc on stack  ("Virt")
push esp //lpProcName
push eax //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov [ebp-198h],eax //VirtualAlloc on my stack
mov ebx,eax // ebx = VirtualAlloc, used by @Depackers
test eax,eax
jz @DynLoader_end
//Newly Added by Silent Shield (Dayvo)
push 000000074h // "t\0\0\0"
push 06E657365h // "esen"
push 072507265h // "erPr"
push 067677562h // "bugg"
push 065447349h //IsDbgPresent on stack  ("IsDe")
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h // 5 dwords were pushed: see balance note above
mov [ebp-17Ch],eax //IsDebuggerPresent on my stack
test eax,eax
jz @DynLoader_end
push 00041656Ch // "leA\0"
push 069466574h // "teFi"
push 061657243h //CreateFileA on stack  ("Crea")
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h // 3 dwords were pushed: see balance note above
mov [ebp-180h],eax //CreateFileA on my stack
test eax,eax
jz @DynLoader_end
push 000656C64h // "dle\0"
push 06E614865h // "eHan"
push 0736F6C43h //CloseHandle on stack  ("Clos")
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h // 3 dwords were pushed: see balance note above
mov [ebp-184h],eax //CloseHandle on my stack
test eax,eax
jz @DynLoader_end
mov edi, [ebp-178h] //now resolving from user32.dll
// FindWindowA / GetWindowTextA / GetWindowTextLengthA are resolved and stored
// but not used anywhere in this chunk - presumably by @SuperAntiDebugger.
push 00041776Fh // "owA\0"
push 0646E6957h // "Wind"
push 0646E6946h //FindWindowA on stack  ("Find")
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h // 3 dwords were pushed: see balance note above
mov [ebp-188h],eax //FindWindowA on my stack
test eax,eax
jz @DynLoader_end
push 000004174h // "tA\0\0"
push 078655477h // "wTex"
push 06F646E69h // "indo"
push 057746547h //GetWindowTextA on stack  ("GetW")
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov [ebp-18Ch],eax //GetWindowTextA on my stack
test eax,eax
jz @DynLoader_end
push 00041786Fh // "oxA\0"
push 042656761h // "ageB"
push 07373654Dh //MessageBoxA on stack  ("Mess")
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h // 3 dwords were pushed: see balance note above
mov [ebp-190h],eax //MessageBoxA on my stack
test eax,eax
jz @DynLoader_end
push 000h
push 041687467h // "gthA"
push 06E654C74h // "tLen"
push 078655477h // "wTex"
push 06F646E69h // "indo"
push 057746547h //GetWindowTextLengthA on stack  ("GetW")
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h // 6 dwords were pushed: see balance note above
mov [ebp-194h],eax //GetWindowTextLengthA on my stack
test eax,eax
jz @DynLoader_end
mov edi, [ebp-174h] //back to kernel32.dll for the remaining lookups
//End of Added
//CRC CHECK - FIELD
// Expected value for the code checksum computed at @CheckCRC64; it is compared
// at 'cmp edx,[ebp-19Ch]'. Must be regenerated whenever the checked code changes.
mov [ebp-19Ch], 00003B173h
//END OF CRC CHECK - FIELD
push 000007463h // "ct\0\0"
push 065746f72h // "rote"
push 0506C6175h // "ualP"
push 074726956h //VirtualProtect on stack  ("Virt")
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov [ebp-074h],eax //VirtualProtect
test eax,eax
jz @DynLoader_end
push 000h
push 079726575h // "uery"
push 0516C6175h // "ualQ"
push 074726956h //VirtualQuery on stack  ("Virt")
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov [ebp-078h],eax //VirtualQuery
test eax,eax
jz @DynLoader_end
push 000h
push 072745064h // "dPtr"
push 061655264h // "dRea"
push 061427349h //IsBadReadPtr on stack  ("IsBa")
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov [ebp-07Ch],eax //IsBadReadPtr - not used in this chunk; note Microsoft documents
                   //IsBadReadPtr as obsolete and unreliable for validating pointers
test eax,eax
jz @DynLoader_end
jmp @SuperAntiDebugger // anti-debug stage (outside this chunk); it continues to @Depackers
@UnpackerEntryPoint:
// Entry of the unpacking stub. @LoadLibraries pops this return address at once,
// so control never comes back here via 'ret'; it reaches @Depackers through the
// 'jmp @Depackers' at the end of the checksum stage instead.
call @LoadLibraries
@Depackers:
call @depackit
lea edi,[ebp-01F8h] //NtHeaders
push edi
mov esi,[ebp+008h] //TImageDosHeader
add esi,[esi+03Ch] //TImageDosHeader._lfanew
push 03Eh //SizeOf(NtHeaders) div 4
pop ecx
rep movsd
pop edi
mov eax,[edi+034h] //NtHeaders.OptionalHeader.ImageBase
mov [ebp-004h],eax //ImageBaseOrg
mov ecx,[edi+050h] //NtHeaders.OptionalHeader.SizeOfImage
mov [ebp-008h],ecx //ImageSizeOrg
push ecx
push PAGE_EXECUTE_READWRITE //flProtect
push MEM_COMMIT or MEM_RESERVE //flAllocationType
push ecx //dwSize
push eax //lpAddress
call ebx //VirtualAlloc
pop ecx
test eax,eax
jnz @DynLoader_alloc_done
push PAGE_EXECUTE_READWRITE //flProtect
push MEM_COMMIT //flAllocationType
push ecx //dwSize
push eax //lpAddress
call ebx //VirtualAlloc
test eax,eax
jz @DynLoader_end
@DynLoader_alloc_done:
mov [ebp-00Ch],eax //FileData
mov edi,eax
mov esi,[ebp+008h] //TImageDosHeader
push esi
mov ecx,esi //TImageDosHeader