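{-----------------------------------------------------------------------
  function ApDepack(var Source, Destination): DWORD; cdecl;
  aPLib-style decompressor (port of aP_depack_asm).
  In:    Source      = packed stream, read until its end-of-stream code
         Destination = output buffer
  Out:   result      = number of bytes written to Destination
  Stack: after pushad, [esp+40] = Source and [esp+44] = Destination.
         Presumably the compiler wraps this cdecl routine in a 4-byte
         frame, hence +40/+44; the two loads above agree on it, so the
         result must be computed against the same +44 base.
  Regs:  esi = source cursor, edi = dest cursor, dl = bit buffer,
         bl  = last token class (1 after a match, 2 after a literal or
               a 4-bit single-byte match), ebp = last match offset,
         ecx = match length, eax = match offset.
  Note:  no bounds check on either buffer: the stream decides how many
         bytes are read and written, so Destination must be sized for
         the full unpacked length and Source must come from a trusted
         packer (here both are the packer's own output).
 -----------------------------------------------------------------------}
function ApDepack(var Source, Destination) : DWORD; cdecl;
asm
@@_aP_depack_asm:
        pushad
        mov     esi, [esp + 40]         // esi = Source
        mov     edi, [esp + 44]         // edi = Destination
        cld                             // string ops move forward
        mov     dl, 80h                 // bit buffer: sentinel only, first getbit refills
        xor     ebx, ebx
@@literal:
        movsb                           // copy one literal byte
        mov     bl, 2                   // last token: literal
@@nexttag:
        call    @@getbit
        jnc     @@literal               // 0    -> literal
        xor     ecx, ecx
        call    @@getbit
        jnc     @@codepair              // 10   -> (offset, length) pair
        xor     eax, eax
        call    @@getbit
        jnc     @@shortmatch            // 110  -> one-byte offset/length
        mov     bl, 2                   // 111  -> 4-bit offset, length 1
        inc     ecx                     // ecx = 1
        mov     al, 10h                 // marker bit falls out of al after 4 bits
@@getmorebits:
        call    @@getbit
        adc     al, al
        jnc     @@getmorebits
        jnz     @@domatch               // offset <> 0: copy one byte from edi - offset
        stosb                           // offset = 0: emit a zero byte
        jmp     @@nexttag
@@codepair:
        call    @@getgamma_no_ecx       // ecx = gamma (ecx is 0 here, so starts at 1)
        sub     ecx, ebx
        jnz     @@normalcodepair
        call    @@getgamma              // gamma = ebx: reuse last offset, ecx = length
        jmp     @@domatch_lastpos
@@shortmatch:
        lodsb
        shr     eax, 1                  // offset = byte shr 1; 0 is end of stream
        jz      @@donedepacking
        adc     ecx, ecx                // ecx = low bit; length = ecx + 2
        jmp     @@domatch_with_2inc
@@normalcodepair:
        xchg    eax, ecx                // eax = gamma - ebx
        dec     eax
        shl     eax, 8
        lodsb                           // offset = ((gamma - ebx - 1) shl 8) or next byte
        call    @@getgamma              // ecx = length
        cmp     eax, 32000
        jae     @@domatch_with_2inc     // offset >= 32000: length + 2
        cmp     ah, 5
        jae     @@domatch_with_inc      // offset >= 1280:  length + 1
        cmp     eax, 7fh
        ja      @@domatch_new_lastpos   // 128..1279:       length as read
@@domatch_with_2inc:
        inc     ecx                     // offset <= 127:   length + 2
@@domatch_with_inc:
        inc     ecx
@@domatch_new_lastpos:
        xchg    eax, ebp                // ebp = new last offset
@@domatch_lastpos:
        mov     eax, ebp                // eax = offset
        mov     bl, 1                   // last token: match
@@domatch:
        push    esi
        mov     esi, edi
        sub     esi, eax                // copy from already written output at edi - offset
        rep     movsb                   // ecx bytes; overlapping copy is intentional
        pop     esi
        jmp     @@nexttag
// @@getbit: shift the next stream bit out of dl into CF.
// dl keeps a sentinel 1 below the unread bits; once it is shifted out
// (dl becomes 0) the next source byte is loaded and the pending carry
// is shifted in as the new sentinel. Clobbers flags; advances esi.
@@getbit:
        add     dl, dl
        jnz     @@stillbitsleft
        mov     dl, [esi]
        inc     esi
        adc     dl, dl
@@stillbitsleft:
        ret
// @@getgamma: read an Elias-gamma-coded value into ecx (always >= 2);
// @@getgamma_no_ecx continues from the caller's ecx instead of 0.
// Each step shifts in one data bit, then reads a continuation bit.
@@getgamma:
        xor     ecx, ecx
@@getgamma_no_ecx:
        inc     ecx
@@getgammaloop:
        call    @@getbit
        adc     ecx, ecx
        call    @@getbit
        jc      @@getgammaloop
        ret
@@donedepacking:
        // result = edi - Destination. The original port subtracted
        // [esp + 40], which is Source per the load at entry, so the
        // returned length was wrong (callers in this file ignore it).
        // Stored in the pushad slot that popad restores into eax.
        sub     edi, [esp + 44]
        mov     [esp + 28], edi
        popad
end;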
{ procedure Move(const Source; var Dest; count: Integer);
  Overlap-safe byte copy in the register calling convention
  (eax = Source, edx = Dest, ecx = count).  Copies whole dwords, then
  the 0..3 remaining bytes; when Dest lies above Source it copies from
  the end backwards so overlapping ranges stay intact.  count <= 0 or
  Dest = Source copies nothing.  Preserves esi/edi.
  Assumes DF is clear on entry (the forward path never executes CLD);
  the backward path clears it again before exit. }
procedure Move(const Source; var Dest; count: Integer);
asm
        PUSH    ESI
        PUSH    EDI
        MOV     ESI,EAX                 // esi = Source
        MOV     EDI,EDX                 // edi = Dest
        MOV     EAX,ECX                 // eax = count, kept for the byte tail
        CMP     EDI,ESI
        JA      @@down                  // Dest > Source: copy backwards
        JE      @@exit                  // same buffer: nothing to do
        SAR     ECX,2                   // ecx = dword count; negative count exits
        JS      @@exit
        REP     MOVSD
        MOV     ECX,EAX
        AND     ECX,03H                 // remaining 0..3 bytes
        REP     MOVSB
        JMP     @@exit
@@down:
        LEA     ESI,[ESI+ECX-4]         // point at the last dword of each buffer
        LEA     EDI,[EDI+ECX-4]
        SAR     ECX,2
        JS      @@exit
        STD                             // direction: downwards
        REP     MOVSD
        MOV     ECX,EAX
        AND     ECX,03H
        ADD     ESI,4-1                 // step onto the last byte of the low 0..3 tail
        ADD     EDI,4-1
        REP     MOVSB
        CLD
@@exit:
        POP     EDI
        POP     ESI
end;
{ Returns the load address of the current process image by walking the
  PEB: fs:[30h] -> PEB, PEB+0Ch -> Ldr, Ldr+0Ch -> first entry of
  InLoadOrderModuleList (the main module), entry+18h -> DllBase. }
function GetImageBase: DWORD;
var
  pebAddr: DWORD;
begin
  asm
    mov eax, fs: [$30]
    mov pebAddr, eax
  end;
  // Ldr at PEB+0Ch; its first in-load-order entry at Ldr+0Ch; DllBase at +18h
  Result := PDWORD(PDWORD(PDWORD(pebAddr + $C)^ + $C)^ + $18)^;
end;
{ Returns the address just past the NUL terminator of s, i.e. the start of
  the next string in a run of packed NUL-terminated strings.  s must be
  NUL-terminated; there is no length limit on the scan. }
function NextPChar(s: PChar): PChar;
var
  cursor: PByte;
begin
  cursor := PByte(s);
  while cursor^ <> 0 do
    Inc(cursor);
  Inc(cursor);                  // skip the terminator itself
  Result := PChar(cursor);
end;
{ Returns the address of the DWORD that follows the one at d (d + 4 bytes). }
function NextDWORD(d: Pointer): PDWORD;
begin
  Result := PDWORD(PChar(d) + SizeOf(DWORD));
end;
{ Unpacker entry point.  Decompresses the packed sections into the loaded
  image, rebuilds the import address table, restores the export / resource /
  delay-import data directories in the optional header, and redirects the
  stub's return address to the original entry point.
  cRegs: register snapshot saved by the asm stub that calls this routine
  (the stub is not in this file); cRegs.Ebp and cRegs.esp are used to reach
  the stub's stack.  Runs before any import is bound, so only the function
  pointers read from the LocalVar table below may be called. }
procedure NewEP(cRegs: TRegs); stdcall;
var
  // kernel32 entry points, supplied through the LocalVar table
  pGetModuleHandle: function (lpModuleName: PChar): HMODULE; stdcall;
  pGetProcAddress: function (hModule: HMODULE; lpProcName: LPCSTR): FARPROC; stdcall;
  pLoadLibrary: function (lpLibFileName: PChar): HMODULE; stdcall;
  pVirtualAlloc: function (lpvAddress: Pointer; dwSize, flAllocationType, flProtect: DWORD): Pointer; stdcall;
  pVirtualFree: function (lpAddress: Pointer; dwSize, dwFreeType: DWORD): BOOL; stdcall;
  pVirtualProtect: function (lpAddress: Pointer; dwSize, flNewProtect: DWORD;
    lpflOldProtect: Pointer): BOOL; stdcall;
  // The variables above are required; those below are this stub's own.
  ImageBase: Cardinal;             // load address of the packed image
  PackDataHeaderRVA: Cardinal;     // RVA of the packed-data header (first LocalVar entry)
  i: Cardinal;                     // loop counter; also receives VirtualProtect's old protection
  PackedDir: PPkDataHeader;        // packed-data header inside the image
  PackedSectionDir: PPkSectionDir; // current entry of the packed-section table
  PackedData,xp, UnPackedData: Pointer; // xp = start of the section table (Offset is relative to it)
  ImpDirPtr: PImpDir;              // current entry of the unpacked import table
  p: PChar;                        // cursor over the DLL / function name strings
  hDll: DWORD;                     // module handle of the DLL being bound
  pp: PDWORD;                      // current IAT slot
  pKeyFunc: PDWORD;                // cursor over the LocalVar table
  pResDir: PImageDataDirectory;    // data-directory entry being restored
  pBuf: Pointer;                   // scratch buffer holding the unpacked import table
  PFileHeader: PImageFileHeader;
  POptionalHeader32: PImageOptionalHeader32;
begin
  // Image base: the DWORD 12 bytes above the saved ebp (presumably placed
  // there by the stub's caller -- confirm against the stub); PEB fallback if 0.
  ImageBase := PDWORD(cRegs.Ebp + 3 * SizeOf(DWORD))^;
  if ImageBase = 0 then
    ImageBase := GetImageBase;
  // LocalVar layout (consecutive DWORDs): packed-header RVA, GetModuleHandle,
  // LoadLibrary, GetProcAddress, VirtualAlloc, VirtualFree, VirtualProtect.
  pKeyFunc := LocalVar;
  PackDataHeaderRVA := pKeyFunc^;
  PackedDir := Pointer(ImageBase + PackDataHeaderRVA);
  Inc(pKeyFunc);
  pGetModuleHandle := Pointer(pKeyFunc^);
  Inc(pKeyFunc);
  pLoadLibrary := Pointer(pKeyFunc^);
  Inc(pKeyFunc);
  pGetProcAddress := Pointer(pKeyFunc^);
  Inc(pKeyFunc);
  pVirtualAlloc := Pointer(pKeyFunc^);
  Inc(pKeyFunc);
  pVirtualFree := Pointer(pKeyFunc^);
  Inc(pKeyFunc);
  pVirtualProtect := Pointer(pKeyFunc^);
  // Section table: each entry names a packed blob (Offset, relative to the
  // table start) and its destination (RVA).  Entries with Length = 0 are skipped.
  // NOTE(review): the bound is PkSectionDirCount - 1 on a Cardinal; confirm the
  // packer never emits a count of 0, or the bound wraps.
  PackedSectionDir := Pointer(PChar(PackedDir) + PackedDir^.PkSectionDirOffset);
  xp := PackedSectionDir;
  for i := 0 to PackedDir^.PkSectionDirCount - 1 do
  begin
    if PackedSectionDir^.Length <> 0 then
    begin
      PackedData := Pointer(PChar(xp) + PackedSectionDir^.Offset);
      UnPackedData := Pointer(ImageBase + PackedSectionDir^.RVA);
      // ApDepack writes without a size limit: the target section must hold
      // the full unpacked length (the packer laid the image out for this).
      ApDepack(PackedData^, UnPackedData^);
    end;
    Inc(PackedSectionDir);
  end;
  // Import table: unpacked into a temporary read/write buffer, then walked.
  pBuf := pVirtualAlloc(nil, PackedDir^.ImpSize, MEM_COMMIT, PAGE_READWRITE);
  ImpDirPtr := Pointer(PChar(PackedDir) + PackedDir^.PkImpDirOffset);
  ApDepack(ImpDirPtr^, pBuf^);
  ImpDirPtr := pBuf;
  // Each entry: ThunkRVA (0 ends the table), ImpFuncCount, the DLL name, then
  // ImpFuncCount references -- a DWORD whose high word is zero is an ordinal,
  // anything else a NUL-terminated name.  The next entry starts right after
  // the last reference.
  while ImpDirPtr^.ThunkRVA <> 0 do
  begin
    p := @ImpDirPtr^.Name[0];
    hDll := pGetModuleHandle(p);
    if hDll = 0 then
      hDll := pLoadLibrary(p);
    // NOTE(review): no failure path -- if the DLL or a symbol does not resolve,
    // the IAT slot receives 0 and execution continues.
    p := NextPChar(p);
    pp := Pointer(ImageBase + ImpDirPtr^.ThunkRVA);   // first IAT slot for this DLL
    for i := 1 to ImpDirPtr^.ImpFuncCount do
    begin
      if PDWORD(p)^ and $FFFF0000 = 0 then
      begin
        // import by ordinal: the low word is passed in place of the name pointer
        pp^ := DWORD(pGetProcAddress(hDll, Pointer(PWORD(p)^)));
        p := PChar(NextDWORD(p));
      end
      else
      begin
        pp^ := DWORD(pGetProcAddress(hDll, p));
        p := NextPChar(p);
      end;
      inc(pp);
    end;
    ImpDirPtr := PImpDir(p);
  end;
  // Redirect the stub's return: the DWORD just above the saved registers now
  // holds the original entry point (it originally pointed at ExitThread).
  PDWORD(cRegs.esp + SizeOf(TRegs))^ := ImageBase + PackedDir.EPRVA;
  pVirtualFree(pBuf, 0, MEM_RELEASE);
  // Locate the PE headers: e_lfanew -> 4-byte "PE" signature, file header follows
  PFileHeader := PImageFileHeader(ImageBase + DWORD(PImageDosHeader(ImageBase)^.e_lfanew) + 4);
  POptionalHeader32 := PImageOptionalHeader32(DWORD(PFileHeader) + IMAGE_SIZEOF_FILE_HEADER);
  // Make the header page writable so the data directories can be patched.
  // NOTE(review): only writes happen on this page; PAGE_READWRITE would be the
  // narrower choice unless something executes from the header page -- confirm.
  // The previous protection (returned in i) is never restored.
  pVirtualProtect(Pointer(ImageBase), $1000, PAGE_EXECUTE_READWRITE, @i);
  // DataDirectory[0] = export, [2] = resource, [13] = delay import
  pResDir := PImageDataDirectory(@POptionalHeader32^.DataDirectory[0]);
  pResDir^.VirtualAddress := PackedDir^.ExpRVA;
  pResDir^.Size := PackedDir^.ExpSize;
  Inc(pResDir, 2);
  pResDir^.VirtualAddress := PackedDir^.ResRVA;
  pResDir^.Size := PackedDir^.ResSize;
  Inc(pResDir, 11);
  pResDir^.VirtualAddress := PackedDir^.DelayImpRVA;
  pResDir^.Size := PackedDir^.DelayImpSize;
  asm
    int 3 // raise a breakpoint exception (original comment: "throw an exception")
  end;
end;