; ------------------------------------------------------------------------
;
; Hying's PE-Armor Tool
; Coded By fORGAT/iPB
;
; ------------------------------------------------------------------------
; 0.46 supported
; 0.46+ by onlyu supported
; 0.46+ by duzhuzai supported
; 0.49//////// unsupported :(
; rebuild bug fixed
; Assembler setup (MASM, Intel syntax, Win32 target).
.386p ; 80386 instruction set, privileged instructions permitted
.model flat,stdcall ; flat 32-bit model; PROC/INVOKE default to stdcall (Win32 API convention)
option casemap:none ; symbol names are case-sensitive, as the imported Win32 API names require
.code ; NOTE: everything below - the ofns structure and the message strings too - is emitted into the code segment
include WIN32.INC
include USEFUL.INC
include FILEIO.INC
include MEMMAN.INC
include MZ.INC
include PE.INC
include REBUILDER.ASM
; code_key macro - pushes the byte count of an inline byte string and then
; emits the string itself into the instruction stream.
; NOTE(review): not invoked anywhere in the visible part of this file. The
; hand-expanded form used inside TouchFile (push sizeof X / call label /
; X db ... / label:) relies on the CALL to jump over the inline data and
; leave its address on the stack; this macro has no such jump, so an
; expansion would fall straight through into the data - confirm before
; reviving it. Whether 'sizeof bbb' resolves as a forward reference to the
; label defined on the next line is also unverified here.
code_key macro bytes
local bbb ; unique label per expansion
push sizeof bbb ; byte count of the string that follows
bbb db bytes ; the string itself, emitted in place
@@:
endm
; ------------------------------------------------------------------------
;DEBUG = TRUE
; Slack, in bytes, that TouchFile adds to the image allocation (FileSize) and
; to the last section's virtual/physical size and SizeOfImage so the rebuilt
; import table has room to grow. Must stay in sync with whatever the
; rebuilder (REBUILDER.ASM, not visible here) assumes - confirm before changing.
MAX_BUFFER_SIZE = 1024*1024 ; 1MB
; ------------------------------------------------------------------------
; OPENFILENAMEA structure handed to GetOpenFileNameA (see the commented-out
; main above). Field order and sizes are fixed by the API - do not reorder.
ofns:
dd 04Ch, 0, 0, ofnfltr, 0, 0, 0 ; lStructSize (4Ch = 76, the pre-Win2000 size), hwndOwner, hInstance, lpstrFilter, lpstrCustomFilter, nMaxCustFilter, nFilterIndex
dd file ; lpstrFile - output buffer; 'file' is defined outside this listing
dw 200h, 0 ; nMaxFile = 200h, written as two WORDs; GetOpenFileNameA writes up to this many bytes into 'file', so 'file' must be at least 200h bytes - confirm where it is defined
dd 0, 0, 0, titlebox, 1000h ; lpstrFileTitle, nMaxFileTitle, lpstrInitialDir, lpstrTitle, Flags (1000h = OFN_FILEMUSTEXIST)
dd 0, 0, 0, 0, 0 ; nFileOffset+nFileExtension (two WORDs in one DWORD), lpstrDefExt, lCustData, lpfnHook, lpTemplateName
; Filter: description/pattern pairs, each NUL-terminated, list ends with an extra NUL
ofnfltr db 'gimme armor gimme gimme',0,'*.exe',0,0
; Dialog title and message strings; their use sites are outside this listing
titlebox db "-= Dearmor v0.46++ bugfix *beta* =- by fORGAT/iPB 2oo5",0
yeah db 'YEAH!',0
fuck db 'FUCK!',0
errbox db 'okay forget it, an exception occoured!',0
sucbox db 'muhahaha, we defeated it!',0
;begin: jmp main
; Unlabelled filler emitted into the code segment; nothing in the visible
; listing references it, and execution must never fall through into it
db 'GOOD LUCK'
; ------------------------------------------------------------------------
;main proc
;
;IFNDEF DEBUG
;
; push offset ofns
; call GetOpenFileNameA
; test eax, eax
; jz @@exit
;
; push offset file
;ELSE
; @pushsz 'Test.eXe'
;ENDIF
; call TouchFile
;
;@@exit:
;
; push -1
; call ExitProcess
;
;main endp
; ------------------------------------------------------------------------
TouchFile proc FileName
local FileHandle ; file handle
local FileSize
local FileBase
local SavedOverlay ; overlays info
local OverlaySize
local NtHeaderPtr
local StartOfSectionHeaders ; sections headerz
local NumberOfSections:WORD
local ImageBase ; image base(may be used)
local LoaderSectionHeader
local LoaderStart
local LoaderSize
local UnpackedSymbiontBase ; map of symbiont
local TotalSymbiontSize
local RealSymbiontStart ; real ptr
local CompressSectionHeaders
local EncryptedCodePtr ; ptr 2 special code
local MutatedImports
local ImportsProtectedFlag
local OriginalEntryPoint
local SizeOfImage ; unwarp size
local TempBuffer ; 4 bytes buf
; init
pushad
cld
xor eax, eax
mov SavedOverlay, eax
mov OverlaySize, eax
mov UnpackedSymbiontBase, eax
mov TotalSymbiontSize, eax
mov FileBase, eax
; open file
mov edx, FileName
call fopen
test eax, eax
jz @@err
mov FileHandle, eax
xchg ebx, eax ; ebx - file handle(see FILEIO.INC)
; get size of image(unwarp), allocate memory
mov eax, 3Ch
call @@read_eax
mov NtHeaderPtr, eax
add eax, 50h
call @@read_eax ; image size
add eax, MAX_BUFFER_SIZE
mov FileSize, eax ; add tracing size
xchg ecx, eax
call malloc
test eax, eax
jz @@err
mov FileBase, eax
xchg edi, eax ; edi - buf
; read PE Header(only) into memory
mov esi, NtHeaderPtr
xor ecx, ecx
lea eax, [esi+54h] ; size of headerz
call @@read_eax
push eax
xor ecx, ecx
call fseek
pop ecx
mov edx, edi
call fread
test eax, eax
jz @@err
; fix var - normalize some local vars
add NtHeaderPtr, edi
; get some info
mov edi, NtHeaderPtr
assume edi : ptr pe_struc
m2m ImageBase, [edi].pe_imagebase
m2m NumberOfSections, [edi].pe_numofobjects ; # of sections we have
m2m SizeOfImage, [edi].pe_imagesize ; size of image
; load sections & align all section info(rva, size, ...)
lea esi, [edi+0F8h]
mov StartOfSectionHeaders, esi
assume esi : ptr oe_struc
movzx ecx, NumberOfSections
; save ovarlays info
pushad
dec ecx
imul eax, ecx, 28h
add esi, eax
push 0
push ebx
call GetFileSize
mov edx, dword ptr[esi+14h]
add edx, dword ptr[esi+10h]
sub eax, edx
jz __noolay
xchg ecx, eax
call malloc
test eax, eax
jz @@err
mov SavedOverlay, eax
mov OverlaySize, ecx
xchg ecx, edx
call fseek
mov edx, SavedOverlay
mov ecx, OverlaySize
call fread
__noolay:
popad
__xxx:
push ecx
mov ecx, [esi].oe_phys_offs
call fseek
mov edx, [esi].oe_virt_rva
add edx, FileBase
mov ecx, [esi].oe_phys_size
call fread
;mov eax, [esi].oe_virt_size
;call @@SectionAlign ; fix
;mov [esi].oe_virt_size, eax
; do dump-fix :O
m2m [esi].oe_phys_size, [esi].oe_virt_size
m2m [esi].oe_phys_offs, [esi].oe_virt_rva
add esi, 28h ; IMAGE_SIZEOF_SECTION_HEADER
pop ecx
loop __xxx
assume esi : nothing
; otherwise
movzx eax, NumberOfSections
dec eax
imul eax, 28h
add eax, StartOfSectionHeaders
mov LoaderSectionHeader, eax ; last section
m2m LoaderSize, [eax+oe_struc.oe_phys_size]
mov ecx, [eax+oe_struc.oe_virt_rva]
add ecx, FileBase
mov LoaderStart, ecx
; increase loader section size for NEW IT
add [eax+oe_struc.oe_virt_size], MAX_BUFFER_SIZE
add [eax+oe_struc.oe_phys_size], MAX_BUFFER_SIZE
add [edi].pe_imagesize, MAX_BUFFER_SIZE
; --------------------- UNPACKING START ----------------------------------
mov esi, LoaderStart
; search a string 'VirtualAlloc'
push sizeof __virt_signx
call __virt_sign
__virt_signx db 'VirtualAlloc'
__virt_sign:
push LoaderSize
push esi
call SearchBytes
test eax, eax
jz @@err
lea esi, [esi+eax-8]
lodsd ; pointer to pack symbiont
add edx, eax
lodsd ; the size of above
mov TotalSymbiontSize, eax
xchg ecx, eax
call malloc
test eax, eax
jz @@err
mov UnpackedSymbiontBase, eax
push eax
push eax
push edx
call _aP_depack_asm ; changed stdcall HOHO
; decompress sysmbiont
pop esi ; now ptr 2 sm WHAHAHA
; find real start point in symbiont(skip junkx)
;001838B0 E8 00000000 call 001838B5
;001838B5 5A pop edx
;001838B6 83EA 05 sub edx, 5 ; THE BIGEST SIGN
;001838B9 5D pop ebp
push sizeof __sym_sign_sx
call __sym_sign_s
__sym_sign_sx db 83h, 0EAh, 05h
__sym_sign_s: push TotalSymbiontSize
push esi
call SearchBytes
test eax, eax
jz @@err
add esi, eax
; find backward call $+5
.while byte ptr[esi] !=0E8h || dword ptr[esi+1] !=00h
dec esi
.endw
mov RealSymbiontStart, esi ; save it!
; find packed section table
;00401000 > BB 78563412 mov ebx, 12345678 ; to ptr here
;00401005 833C2B 00 cmp dword ptr [ebx+ebp], 0 ; cut
push sizeof __depack_signx
call __depack_sign
__depack_signx db 83h, 3Ch, 2Bh, 00h
__depack_sign: push TotalSymbiontSize
push esi
call SearchBytes
test eax, eax
jz @@err
lea esi, [esi+eax-5+1] ; get my ptr
lodsd
add eax, RealSymbiontStart
mov CompressSectionHeaders, eax
; the special code protection address
;0040D000 > 8958 FC mov [eax-4], ebx
;0040D003 83C7 08 add edi, 8
mov esi, RealSymbiontStart
push sizeof __scpa_signx
call __scpa_sign
__scpa_signx db 89h, 58h, 0FCh, 83h, 0C7h, 08h
__scpa_sign:
push TotalSymbiontSize
push esi
call SearchBytes
test eax, eax
jz @@err
add esi, eax
; backward searching
;0040D000 > 8B85 78563412 mov eax, [ebp+12345678] ; PROTECTION FLAG
.while word ptr[esi]!=858Bh
dec esi
.endw
inc esi
inc esi
lodsd
add eax, RealSymbiontStart
mov ecx, [eax]
jecxz __no_cop
; forward...
;0040148C > 8BBD 78563412 mov edi, [ebp+12345678]
.while word ptr[esi] !=0BD8Bh
inc esi
.endw
inc esi
inc esi
lodsd
add eax, RealSymbiontStart
mov ecx, [eax]
add ecx, RealSymbiontStart
__no_cop:
mov EncryptedCodePtr, ecx
; the IMPORT TABLE address
;0037A0A2 03BD 34120000 add edi, [ebp+1234]
;0037A0A8 8B77 0C mov esi, [edi+C]
;0037A0AB 0BF6 or esi, esi
mov esi, RealSymbiontStart
push sizeof __scpa_signy
call __scpa_sign2
__scpa_signy db 03h, 0BDh, 00h, 00h, 00h, 00h, 8Bh, 77h, 0Ch
__scpa_sign2:
push TotalSymbiontSize
push esi
call SearchBytes
test eax, eax
jz @@err
add esi, eax
; backward
; 0037A088 8BBD 38120000 mov edi, [ebp+1238] ; ADDR
.while word ptr [esi]!= 0BD8Bh
dec esi
.endw
inc esi
inc esi
lodsd
add eax, RealSymbiontStart
mov eax, [eax]
add eax, RealSymbiontStart
mov MutatedImports, eax
xor eax, eax
mov ImportsProtectedFlag, eax
; 0037A07A 8B85 30120000 mov eax, [ebp+1230] ; FLAG
.while word ptr[esi]!= 858Bh