PeSpin 0.3 Unpacker Source
原程序可以在论坛里找到。
;.======================================================
;| PeDespinner 0.3 by Pumqara <pumqara@abv.bg>
;|
;| Unpacker for the PeSpin 0.3 Protector
;|
;'======================================================
myMoveMemory PROTO :DWORD,:DWORD,:DWORD   ; forward declaration: invoked long before its PROC (defined at the end)
.data
strAppNameA db "PeSpin 0.3 Unpacker by +Pumqara <pumqara@abv.bg>",0   ; open-dialog title
strFilterA db "ExEcutable Files",0,"*.exe",0,0                          ; open-dialog filter (description, pattern, double NUL)
strFileNameA db "unpacked.exe",0                                        ; output file, written to the current directory
strTempFile db "temp.pum",0                                             ; working copy of the input; all in-place edits go here
strPumqaraA db "+Pumqara",0                                             ; name of the section appended for the rebuilt imports
valNewDescriptor byte 0       ; !=0: a descriptor for the DLL currently being processed still has to be emitted
valFoundOEP byte 0            ; only referenced from commented-out code in this listing
valImportHandling byte 0      ; !=0: packed file uses the alternate import scheme (no call-site patching in the helpers)
.data?
;Values:
valRealFileSize dd ?          ; running size of the rebuilt file (headers + re-laid-out sections); WriteFile length
valNextRawAddress dd ?        ; raw file offset where the next re-laid-out section starts
valFileStart dd ?             ; pointer to the mapped MZ header (file offset 0)
valDecryptionStart dd ?       ; not referenced in this listing
valPackerSection dd ?         ; index of the packer's section (= NumberOfSections, i.e. the last section)
valPackerSecPointer dd ?      ; pointer to the packer section's data in the map
valSectionsToDecrypt dd ?     ; not referenced in this listing
valPackerSecSize dd ?         ; not referenced in this listing
valMagic dd ?                 ; section bitmask read from the packer section (bit n-1 = section n); reused per step
valSections dd ?              ; NumberOfSections
hMemoryA dd ?                 ; GlobalAlloc handle of the output image buffer
valHash dd ?                  ; file hash, then the derived decryption key
valEndHash dd ?               ; not referenced in this listing
valFileSizeA dd ?             ; SizeOfImage; also the size of the output buffer
valImageBase dd ?             ; ImageBase of the packed file
SizeReadWrite DWORD ?         ; byte count returned by WriteFile
pTemp dd ?                    ; not referenced in this listing
hTemp dd ?                    ; not referenced in this listing
; Values for the Import Rebuilding
valImageBaseOfDll dd ?        ; HMODULE (= image base) of the DLL loaded to resolve names
valSizeOfExports dd ?         ; written only (export directory Size)
valNumOfNames dd ?            ; IMAGE_EXPORT_DIRECTORY.NumberOfNames of the loaded DLL
valAddrOfExportDir dd ?       ; written only
valAddrofnAameOrdinals dd ?   ; written only
valAddrOfFunctions dd ?       ; written only
valAddrOfNames dd ?           ; VA of the export name-pointer table
valnBase dd ?                 ; written only
valEndIdentifier dd ?         ; marker dword that terminates the packed descriptor list (compared with FirstThunk)
valImportsStart dd ?          ; map offset of the first packed import descriptor
ptrDescriptors dd ?           ; write cursor: new IMAGE_IMPORT_DESCRIPTORs (inside the added section)
ptrDllNames dd ?              ; write cursor: DLL name strings
ptrApis dd ?                  ; write cursor: IMAGE_IMPORT_BY_NAME records (hint word + name)
ptrThunk dd ?                 ; write cursor: thunk/IAT dwords
ptrIAT dd ?                   ; RVA reported as the IAT directory
ptrImportDir dd ?             ; RVA reported as the import directory
ptrDllName dd ?               ; map offset of the current (decrypted) DLL name
valNumOfDescriptors dd ?      ; descriptors emitted so far
valNumOfApis dd ?             ; thunks emitted so far
;Buffers:
bufFileName db 512 dup(?)     ; path chosen in the open dialog (ofnA.nMaxFile = 512)
bufCurrentApi db 512 dup(?)   ; export name most recently hashed by myHashName; consumed by myAddApi
bufUnpacked dd ?              ; write cursor into the output image buffer
bufUnPointer dd ?             ; start of the output image buffer
bufStolenBytes db 512 dup(?)  ; stolen bytes collected chunk by chunk; the fill is not bounds-checked
;Structures:
ofnA OPENFILENAME <>
strucPointer PL_POINTERS <>           ; filled by plGetPeInfo
strucPeInfo PL_PEINFO <>              ; filled by plGetPeInfo
strucSectionInfo PL_SECTION_INFO <>   ; filled by plGetSectionInfo, written back with plUpdateSectionInfo
strucImpTable PL_IMPORTS_INFO <>      ; passed to plUpdateImportsInfo
.code
;-----------------------------------------------------------------------
; start - entry point (flat code, no PROC). Register state is carried
; directly from one step to the next, so the order of the blocks matters.
; Flow:
;   1. pick a packed .exe, copy it to temp.pum and work on the copy
;   2. hash the file and derive the decryption key
;   3. peel the packer's polymorphic layers (last section) and decrypt
;      the flagged sections in place
;   4. decompress/copy the sections into a buffer, write unpacked.exe
;   5. reopen unpacked.exe, add a section, rebuild the import table
;   6. recover the OEP (restoring stolen bytes when present)
; bufPolymorph4/5 and bufImportsPolymorph are byte buffers placed inside
; this code stream: routines copied out of the packed file are written
; there and executed by falling through, and the compare immediates at
; fl_comp/hash_comp are rewritten at run time. The unpacker therefore
; executes code taken from its input, and its code section must be
; writable for this to work (link/loader setting not visible here).
;-----------------------------------------------------------------------
start:
; Fill the OPENFILENAME structure and let the user pick the packed file.
mov ecx,offset strAppNameA
mov ofnA.lpstrTitle,ecx
mov ofnA.lStructSize,SIZEOF ofnA
mov ofnA.lpstrFilter, OFFSET strFilterA
mov ofnA.lpstrFile, OFFSET bufFileName
mov ofnA.nMaxFile,512                   ; matches the 512-byte bufFileName
mov ofnA.Flags, OFN_FILEMUSTEXIST or \
OFN_PATHMUSTEXIST or OFN_LONGNAMES or\
OFN_EXPLORER or OFN_HIDEREADONLY
invoke GetOpenFileName, ADDR ofnA
.iF eax==0                              ; cancelled or failed -> quit
invoke ExitProcess,0
.ENDiF
; Open the chosen file, save it as temp.pum and reopen that copy; every
; in-place edit below goes to the copy, not to the original.
invoke plOpenFile,PL_NO_OPEN_DIALOG,addr bufFileName
invoke plSaveToNewFile,PL_NO_SAVE_DIALOG,addr strTempFile
invoke plOpenFile,PL_NO_OPEN_DIALOG,addr strTempFile
; Pull the header values needed later out of the pl* structures.
invoke plGetPeInfo,addr strucPeInfo, addr strucPointer
lea eax,offset strucPeInfo
assume eax:ptr PL_PEINFO
xor ebx,ebx
mov bx,[eax].plNumberOfSections
mov dword ptr [valPackerSection],ebx    ; the last section is treated as the packer's section
mov dword ptr [valSections],ebx
push [eax].plSizeOfImage
pop dword ptr [valFileSizeA]            ; SizeOfImage: size of the output buffer allocated later
push [eax].plImageBase
pop dword ptr [valImageBase]
lea eax,offset strucPointer
assume eax:ptr PL_POINTERS
push [eax].plMZHeader
pop dword ptr [valFileStart]            ; pointer to the mapped MZ header
; ecx = number of bytes to hash: from the file start up to
; (raw end of the packer's section - 119h).
invoke plGetSectionInfo,addr strucSectionInfo,dword ptr [valPackerSection]
lea eax,offset strucSectionInfo
assume eax:ptr PL_SECTION_INFO
mov ebx,[eax].plRawAddress
mov ecx,[eax].plRawSize
add ecx,ebx
sub ecx,00000119h
;========================================================================================
; Calculate hash of file and save it
;========================================================================================
; Custom 32-bit hash over ecx bytes starting at valFileStart.
; Roles: edi = byte pointer, eax/ebx = running state, dl = inner round counter.
mov edi,dword ptr [valFileStart]
dec edi                                 ; pre-decrement: the loop body starts with inc edi
mov eax,0ffffffffh
mov ebx,eax
xor edx,edx
hash_file:
push ecx                                ; cl is reused as a rotate count inside the inner loop
or dl,4                                 ; four inner rounds per byte (edx is back to 0 when the inner loop exits)
inc edi
xor ah,byte ptr ds:[edi]
shr eax,3
inside_loop:
xor al,bh
add eax,7801a018h
xor eax,ebx
mov cl,bl
ror eax,cl
xchg eax,ebx
dec edx
jnz inside_loop
pop ecx
loop hash_file
mov dword ptr [valHash],ebx
;========================================================================================
; Load Layers (Packer's section)
;========================================================================================
invoke plGetSectionInfo,addr strucSectionInfo,dword ptr [valPackerSection]
lea eax,offset strucSectionInfo
assume eax:ptr PL_SECTION_INFO
push [eax].plPtrSection
pop dword ptr [valPackerSecPointer]     ; base pointer of the packer's section; all packer+NNNh offsets below use it
mov eax,[eax].plPtrSection              ; (eax is reloaded right below)
;========================================================================================
; Calculate Final Hash
;========================================================================================
; valHash = dword stored at packer+1CE8h minus the hash computed above.
mov eax,dword ptr [valPackerSecPointer]
add eax,1CE8h
mov esi,dword ptr [eax]
mov ebx,dword ptr [valHash]
sub esi,ebx
mov dword ptr [valHash],esi
;========================================================================================
; preDecrypt File
;========================================================================================
; valMagic = bitmask (packer+1CD8h) of the sections to decrypt in this pass.
mov esi,dword ptr [valPackerSecPointer]
add esi,1cd8h
mov eax,dword ptr [esi]
mov dword ptr [valMagic],eax
xor esi,esi
inc esi
invoke plGetSectionInfo,addr strucSectionInfo,esi   ; start with section 1
dec esi
lea eax,offset strucSectionInfo
assume eax:ptr PL_SECTION_INFO
mov edi,[eax].plPtrSection              ; edi = section data, ecx = raw size (for the first pass)
mov ecx,[eax].plRawSize
xor eax,eax
inc esi
preDecrypt:
mov edx,dword ptr [valHash]             ; keystream state restarts from valHash for every section
dec esi
mov eax,dword ptr [valMagic]
bt eax,esi                              ; bit (section-1) set -> decrypt this section
inc esi
jnb skip_it5
loop_em:
shr edx,1
jb skip_em                              ; feedback applied when the shifted-out bit is 0
xor edx,0ed43af32h                      ; (the later layers apply it when the bit is 1)
skip_em:
xor byte ptr [edi],dl
inc edi
dec ecx
dec ecx                                 ; NOTE(review): two decrements per byte -> only RawSize/2 bytes are
jnz loop_em                             ; touched, and an odd RawSize never reaches 0 here (runs on)
skip_it5:
inc esi
invoke plGetSectionInfo,addr strucSectionInfo,esi   ; load edi/ecx for the next section
lea eax,offset strucSectionInfo
assume eax:ptr PL_SECTION_INFO
mov edi,[eax].plPtrSection
mov ecx,[eax].plRawSize
cmp esi,dword ptr [valSections]
jl preDecrypt                           ; stops once esi == section count: the packer's section is skipped
skip_last1:
;========================================================================================
; Rebuild Polymorph Layer 1
;========================================================================================
; ebx = key byte(s) for layer 2, read from packer+117h.
mov eax,dword ptr [valPackerSecPointer]
add eax,116h
push dword ptr [eax+1]
pop ebx
;========================================================================================
; Decrypt Polymorph Layer 2
;========================================================================================
; XOR 0A75h bytes at packer+123Fh..packer+1CB3h with bl, walking backwards
; ([ecx+edi] with ecx counting down from 0A75h to 1) and decrementing bl per byte.
mov eax,dword ptr [valPackerSecPointer]
mov edi,eax
add edi,0000123Fh
dec edi
xor ecx,ecx
mov cx,0A75h
decrypt_one:
xor byte ptr [ecx+edi],bl
dec bl
loop decrypt_one
;========================================================================================
; Rebuild Polymorph Layer 2
;========================================================================================
; ebx = LFSR seed for layer 3, read from packer+173Fh (just decrypted above).
mov eax,dword ptr [valPackerSecPointer]
add eax,173eh
push dword ptr [eax+1]
pop ebx
;========================================================================================
; Decrypt Polymorph Layer 3
;========================================================================================
; 383h bytes from packer+24Ah, keystream: shr ebx,1 / xor 8C328834h on carry.
mov edi,dword ptr [valPackerSecPointer]
add edi,24Ah
xor ecx,ecx
mov cx,0383h
decrypt_two:
shr ebx,1
jnb skip_one
xor ebx,8C328834h
skip_one:
xor byte ptr [edi],bl
inc edi
loop decrypt_two
;========================================================================================
; Rebuild Polymorph Layer 3
;========================================================================================
; edx = LFSR seed for layer 4 (dword at packer+4C9h); target: 104h bytes at packer+1887h.
xor ecx,ecx
mov ecx,104h
mov eax,dword ptr [valPackerSecPointer]
add eax,4C2h
push dword ptr [eax+07h]
pop edx
mov edi,dword ptr [valPackerSecPointer]
add edi,1887h
;========================================================================================
; Decrypt Polymorph Layer 4
;========================================================================================
decrypt_three:
shr edx,1
jnb skip_two
xor edx,0ED43AF32h
skip_two:
xor byte ptr [edi],dl
inc edi
loop decrypt_three
;========================================================================================
; Rebuild Polymorph Layer 4
;========================================================================================
; Copy 29h bytes of the packer's own code (packer+1892h) into bufPolymorph4,
; which lies in the instruction stream below; execution falls into it with
; edi/ecx prepared as its operands.
xor eax,eax
mov esi,dword ptr [valPackerSecPointer]
add esi,1892h
lea edi,offset bufPolymorph4
mov ecx,000029h
rep movsb
;========================================================================================
; Decrypt Polymorph Layer 5 - Teh LAST one :]
;========================================================================================
xor ecx,ecx
mov ecx,0E0h                            ; byte count for the copied routine
mov edi,dword ptr [valPackerSecPointer]
add edi,4EDh                            ; start of the data the copied routine processes
nop
nop
nop
bufPolymorph4 db 30h dup(90h)           ; 30h NOPs, overwritten at run time with 29h bytes from the packer
nop
nop
;========================================================================================
; Rebuild Polymorph Layer 5
;========================================================================================
; Same trick: 29h bytes from packer+529h into bufPolymorph5, which sits
; inside the decrypt_file loop below.
mov esi,dword ptr [valPackerSecPointer]
add esi,529h
lea edi,offset bufPolymorph5
xor ecx,ecx
mov ecx,29h
rep movsb
nop
nop
;========================================================================================
; Decrypt File!!! (without the .rsrc and .tls section)
;========================================================================================
; valMagic = bitmask (packer+501h) of the sections the copied routine decrypts.
mov esi,dword ptr [valPackerSecPointer]
add esi,500h
mov eax,dword ptr [esi+1]
mov dword ptr [valMagic],eax
xor esi,esi
inc esi
invoke plGetSectionInfo,addr strucSectionInfo,esi   ; section 1 first
lea eax,offset strucSectionInfo
assume eax:ptr PL_SECTION_INFO
mov edi,[eax].plPtrSection
mov ecx,[eax].plRawSize
xor eax,eax
decrypt_file:
dec esi
mov eax,dword ptr [valMagic]
bt eax,esi                              ; section flagged?
inc esi
jnb skip_it4
bufPolymorph5 db 30h dup(90h)           ; executed here with edi = section data, ecx = raw size
nop
skip_it4:
inc esi
invoke plGetSectionInfo,addr strucSectionInfo,esi
lea eax,offset strucSectionInfo
assume eax:ptr PL_SECTION_INFO
mov edi,[eax].plPtrSection
mov ecx,[eax].plRawSize
cmp esi,dword ptr [valSections]
jl decrypt_file                         ; the packer's section itself is not processed
last2:
;========================================================================================
; Decompress File
;========================================================================================
; valMagic = bitmask (packer+1B09h) of the compressed sections.
mov esi,dword ptr [valPackerSecPointer]
add esi,1b08h
mov eax,dword ptr [esi+1]
mov dword ptr [valMagic],eax
; bt magic,section number
; jnb skip_section
invoke GlobalAlloc,GMEM_MOVEABLE or GMEM_ZEROINIT,dword ptr [valFileSizeA]   ; output buffer, SizeOfImage bytes
mov hMemoryA,eax                        ; return values of GlobalAlloc/GlobalLock are not checked
invoke GlobalLock,hMemoryA
mov bufUnpacked,eax                     ; write cursor
mov bufUnPointer,eax                    ; buffer start (kept for WriteFile/GlobalUnlock)
; Copy Headers
; The first section's RawAddress is the header size: copy that many bytes
; from the file start and seed valRealFileSize with it.
invoke plGetSectionInfo,addr strucSectionInfo,000001h
lea eax,offset strucSectionInfo
assume eax:ptr PL_SECTION_INFO
push [eax].plRawAddress
pop dword ptr [valRealFileSize]
mov eax,[eax].plRawAddress
push eax
invoke myMoveMemory,bufUnpacked,dword ptr [valFileStart],eax
pop eax
mov ecx,bufUnpacked
add ecx,eax
mov bufUnpacked,ecx                     ; advance the cursor past the headers
xor esi,esi
inc esi
xor eax,eax
; Per section (esi = 1..valSections, the packer's section included):
; compressed -> aP_depack into the buffer; otherwise raw copy. Section
; RawAddress/RawSize are rewritten so the output is contiguous.
prepare_section:
dec esi                                 ; esi is 0-based for the bt below
mov eax,dword ptr [valMagic]
cmp esi,dword ptr [valPackerSection]    ; NOTE(review): esi is 0-based here while valPackerSection holds the
je pre_skip                             ; section count, so this never matches; if it did, pre_skip would get a 0-based esi
bt eax,esi
inc esi
jnb pre_skip                            ; not compressed -> raw copy
invoke plGetSectionInfo,addr strucSectionInfo,esi
lea eax,offset strucSectionInfo
assume eax:ptr PL_SECTION_INFO
mov ebx,[eax].plPtrSection
mov edx,[eax].plRawAddress
push edx
push eax
push dword ptr [bufUnpacked]            ; aP_depack_asm(src = section data, dst = output cursor)
push ebx
CALL aP_depack_asm
add esp,8h                              ; caller removes the two args; eax = unpacked length
mov ecx,bufUnpacked
add ecx,eax
mov bufUnpacked,ecx                     ; advance cursor (no check against valFileSizeA)
pop ebx                                 ; ebx = section info struct
pop edx                                 ; edx = original RawAddress
assume ebx:ptr PL_SECTION_INFO
cmp esi,1h
je skip_1_sec                           ; section 1 keeps its RawAddress; the others are re-laid out
push dword ptr [valNextRawAddress]
pop [ebx].plRawAddress
mov edx,[ebx].plRawAddress
skip_1_sec:
add edx,eax
add dword ptr [valRealFileSize],eax
mov dword ptr [valNextRawAddress],edx   ; the next section starts right after this one
mov [ebx].plRawSize,eax                 ; raw size = unpacked length
invoke plUpdateSectionInfo,addr strucSectionInfo,esi
jmp skip_it1
pre_skip:
; Not compressed: re-lay out the section and copy its bytes unchanged.
; NOTE(review): unlike the compressed path, section 1 also receives
; valNextRawAddress here, which has not been assigned yet on the first pass.
invoke plGetSectionInfo,addr strucSectionInfo,esi
lea eax,offset strucSectionInfo
assume eax:ptr PL_SECTION_INFO
mov ebx,[eax].plRawAddress
mov ecx,[eax].plRawSize
push [eax].plPtrSection
mov edx,eax
push dword ptr [valNextRawAddress]
pop [eax].plRawAddress
mov ebx,[eax].plRawAddress
invoke plUpdateSectionInfo,addr strucSectionInfo,esi   ; NOTE(review): ecx/edx are used after this call without
mov eax,edx                             ; being reloaded, although both are caller-saved under stdcall
add dword ptr [valRealFileSize],ecx
add ebx,ecx
mov dword ptr [valNextRawAddress],ebx
pop ebx                                 ; ebx = section data pointer
push esi
mov esi,ebx
mov edi,bufUnpacked
mov ecx,[eax].plRawSize
push ecx
invoke myMoveMemory,edi,esi,ecx
mov ecx,bufUnpacked
pop eax
add ecx,eax
mov bufUnpacked,ecx
pop esi
skip_it1:
inc esi
cmp esi,dword ptr [valSections]
jle prepare_section
done1:
; Copy Headers
; Copy the headers a second time so the rewritten section table
; (plUpdateSectionInfo above) ends up in the output.
invoke plGetSectionInfo,addr strucSectionInfo,000001h
lea eax,offset strucSectionInfo
assume eax:ptr PL_SECTION_INFO
mov eax,[eax].plRawAddress
invoke myMoveMemory,bufUnPointer,dword ptr [valFileStart],eax
; Write valRealFileSize bytes to unpacked.exe (handle not checked for
; INVALID_HANDLE_VALUE), then release the buffer and the temp file.
invoke CreateFile,ADDR strFileNameA,\
GENERIC_READ or GENERIC_WRITE ,\
FILE_SHARE_READ or FILE_SHARE_WRITE,\
NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,\
NULL
push eax
invoke WriteFile,eax,bufUnPointer,valRealFileSize,ADDR SizeReadWrite,NULL
pop eax
invoke CloseHandle,eax
invoke GlobalUnlock,bufUnPointer
invoke GlobalFree,hMemoryA
invoke plCloseFile
;========================================================================================
; ReOpen File (unpacked.exe) + Add Section for the Imports + Load Pointers
;========================================================================================
; Layout of the added 26000-byte (decimal) section, as file offsets from its start:
;   +0      IMAGE_IMPORT_BY_NAME records     (ptrApis)
;   +19000  thunks / IAT                     (ptrThunk)
;   +23000  DLL name strings                 (ptrDllNames)
;   +25000  IMAGE_IMPORT_DESCRIPTORs         (ptrDescriptors; 1000 bytes = 50 descriptors)
; None of these cursors is bounds-checked when the helpers advance them.
invoke plOpenFile,PL_NO_OPEN_DIALOG,addr strFileNameA
invoke plAddSection,addr strPumqaraA, 26000, 26000, PL_NORMAL_SECTION
mov esi,eax                             ; eax taken to be the file offset of the new section
mov dword ptr [ptrApis],esi
add esi,19000
mov dword ptr [ptrThunk],esi
invoke plMapOffsetToRVA,esi
add eax,8h                              ; matches the 8-byte gap myAddDescriptor leaves before the first thunk
mov dword ptr [ptrIAT],eax
add esi,4000
mov dword ptr [ptrDllNames],esi
add esi,2000
mov dword ptr [ptrDescriptors],esi
invoke plMapOffsetToRVA,esi
mov dword ptr [ptrImportDir],eax
;========================================================================================
; ReLoad Layers (Packer's section)
;========================================================================================
; The file was reopened, so the packer section pointer has to be fetched again.
invoke plGetSectionInfo,addr strucSectionInfo,dword ptr [valPackerSection]
lea eax,offset strucSectionInfo
assume eax:ptr PL_SECTION_INFO
push [eax].plPtrSection
pop dword ptr [valPackerSecPointer]
mov eax,[eax].plPtrSection
;========================================================================================
; Rebuild Import's Rebuilding Algo Decryption 1
;========================================================================================
; Copy 29h bytes from packer+195Ch into bufImportsPolymorph (in the code
; stream below) and set up edi/ecx for it: 684h bytes at packer+5CDh.
mov esi,dword ptr [valPackerSecPointer]
add esi,195ch
mov ecx,29h
lea edi,offset bufImportsPolymorph
rep movsb
mov edi,dword ptr [valPackerSecPointer]
add edi,5CDh
mov ecx,684h
xor eax,eax
;========================================================================================
; Decrypt Import's Rebuilding Algo Decryption 1
;========================================================================================
bufImportsPolymorph db 30h dup(90h)     ; executed here after being overwritten with packer code
;========================================================================================
; Rebuild Import's Rebuilding Algo Decryption 2
;========================================================================================
; edx = LFSR seed (dword at packer+17BCh); second pass over the same 684h bytes at packer+5CDh.
mov eax,dword ptr [valPackerSecPointer]
add eax,17BCh
mov ecx,684h
push dword ptr [eax]
pop edx
mov eax,dword ptr [valPackerSecPointer]
add eax,5CDh
;========================================================================================
; Decrypt Import's Rebuilding Algo Decryption 2
;========================================================================================
import_algo_decrypt:
shr edx,1
jnb not_below
xor edx,0ed43af32h
not_below:
xor byte ptr [eax],dl
inc eax
loop import_algo_decrypt
;========================================================================================
; Decrypt Dll Name + Load Dll + Extract Info
;========================================================================================
; valEndIdentifier = dword at packer+0A1Ah; valImportsStart = map offset of the
; RVA stored at packer+0B92h (start of the packed import descriptors).
mov esi,dword ptr [valPackerSecPointer]
add esi,0a1ah
push dword ptr [esi]
pop dword ptr [valEndIdentifier]
mov esi, dword ptr [valPackerSecPointer]
add esi,0B92h
mov esi,dword ptr [esi]
pushad
invoke plRVAToMapOffset,esi
mov dword ptr [valImportsStart],eax
popad
mov esi,dword ptr [valImportsStart]
; Loop over the packed descriptors (20-byte stride, see next_dll):
; esi -> descriptor; [esi+0Ch] = Name RVA, [esi+10h] = FirstThunk RVA.
reb_imports_loop:
; Check if rebuilding is done
mov ebx,dword ptr [valEndIdentifier]
cmp dword ptr [esi+10h],ebx             ; FirstThunk == end marker -> all DLLs processed
je done_yo
mov ebx,dword ptr [esi+0CH]
invoke plRVAToMapOffset,ebx
mov edi,eax
call myDecryptDllName                   ; name bytes are stored inverted (NOT) in the packed file
mov dword ptr [ptrDllName],edi
;call myAddDescriptor
push edi
push esi
invoke LoadLibrary,edi                  ; loads the DLL named by the input into this process (its
inc byte ptr [valNewDescriptor]         ; initialization runs here); a 0 return is not checked and
; valImageBaseOfDll dd ?                ; would fault in the header reads below. A descriptor is now pending.
; valSizeOfExports dd ?
; valNumOfNames dd ?
; valAddrOfExportDir dd ?
; valAddrofnAameOrdinals dd ?
; valAddrOfFunctions dd ?
; valAddrOfNames dd ?
; valAddrofnAameOrdinals dd ?
; valnBase dd ?
; Extract info for the Export Dir of the .dll
mov edx,eax
mov dword ptr [valImageBaseOfDll],edx
mov ebx,edx
add edx,dword ptr [edx+3ch]             ; edx = IMAGE_NT_HEADERS32 (via e_lfanew)
push dword ptr [edx+7ch]                ; DataDirectory[EXPORT].Size
pop dword ptr [valSizeOfExports]
mov edx,dword ptr [edx+78h]             ; DataDirectory[EXPORT].VirtualAddress
add edx,ebx                             ; edx -> IMAGE_EXPORT_DIRECTORY
push edx
pop dword ptr [valAddrOfExportDir]
push dword ptr [edx+20h]                ; AddressOfNames
pop edi
add edi,ebx
push edi
pop dword ptr [valAddrOfNames]
push dword ptr [edx+18h]                ; NumberOfNames
pop dword ptr [valNumOfNames]
push dword ptr [edx+1ch]                ; AddressOfFunctions
pop edi
add edi,ebx
push edi
pop dword ptr [valAddrOfFunctions]
push dword ptr [edx+24h]                ; AddressOfNameOrdinals
pop edi
add edi,ebx
push edi
pop dword ptr [valAddrofnAameOrdinals]
push dword ptr [edx+10h]                ; Base
pop dword ptr [valnBase]
pop esi                                 ; esi -> packed descriptor again
pop edi                                 ; edi -> decrypted DLL name
mov ebx,edi
;========================================================================================
; Check what method of Import Rebuilding is used in the packed .exe
;========================================================================================
; dword at packer+87Eh == 0 -> alternate scheme (valImportHandling = 1); otherwise
; it is the VA of the code region the helpers scan and patch.
pushad
mov edi,dword ptr [valPackerSecPointer]
add edi,87eh
mov edi,dword ptr [edi]
cmp edi,000000000
jnz go_on
inc byte ptr [valImportHandling]
;========================================================================================
; Find Apis to Rebuild + Create new Import Table
;========================================================================================
go_on:
popad
; Find Api function's names
mov edx,dword ptr [esi+10h]             ; FirstThunk RVA of the packed descriptor
invoke plRVAToMapOffset,edx
mov edx,eax                             ; edx -> thunk array in the map
next_api:
or dword ptr [edx],0 ; More Names left ?
je next_dll
mov eax,dword ptr [edx]
test eax,80000000h ; Ordinal ?
je skip_imp1
sub edi,edi                             ; edi = 0 marks import-by-ordinal (eax keeps the ordinal thunk)
jmp skip_imp2
skip_imp1:
inc eax                                 ; thunk holds (RVA of an IdentAPI record) - 1
invoke plRVAToMapOffset,eax
xchg eax,edi                            ; edi -> IdentAPI.HashValue; [edi-1] = FirstLetterOfAPI
skip_imp2:
pushad                                  ; matched only by the popad at loop_it_bitch
or edi,edi
jnz skip_imp3
;Here Handle Ordinary
cmp byte ptr [valNewDescriptor],00
je no_new_desc1
dec byte ptr [valNewDescriptor]         ; first import of this DLL -> emit its descriptor first
call myAddDescriptor
no_new_desc1:
call myAddOrdinal
jmp loop_it_bitch
skip_imp3:
; IdentAPI STRUC
; BYTE FirstLetterOfAPI
; DWORD HashValue
; ENDS IdentAPI
mov ebx,dword ptr [valAddrOfNames]
mov al,byte ptr [edi-1] ; First letter of Api func's name
and al,7Fh ; Decrypt it
lea ecx,offset fl_comp
mov byte ptr [ecx+2h],al                ; self-modifying: rewrite the imm8 of the cmp at fl_comp
push dword ptr [edi] ; CRC Hash
lea ecx,offset hash_comp
pop dword ptr [ecx +1h]                 ; self-modifying: rewrite the imm32 of the cmp at hash_comp
sub ecx,ecx                             ; ecx = index into the DLL's export name table
find_api:
mov edi,dword ptr [ebx]
add edi,dword ptr [valImageBaseOfDll]   ; edi -> export name inside the loaded DLL
fl_comp:
cmp byte ptr [edi],0FFh ; First Letters match ? (0FFh is replaced at run time)
jne next_api_name
call myHashName                         ; eax = CRC32 of the name; the name is also copied to bufCurrentApi
hash_comp:
cmp eax,12345678h ; CRC hashes match ? (12345678h is replaced at run time)
jne next_api_name
; FOUND !!!
cmp byte ptr [valNewDescriptor],00
je no_new_desc2
dec byte ptr [valNewDescriptor]
call myAddDescriptor
no_new_desc2:
call myAddApi
loop_it_bitch:
popad
add edx,4h                              ; next thunk
jmp next_api
next_api_name:
add ebx,4h
inc ecx
cmp ecx,dword ptr [valNumOfNames]
jne find_api
; NOTE(review): if no export matched, execution falls into next_dll with the
; pushad from skip_imp2 still on the stack, and the remaining thunks of this
; DLL are never visited.
next_dll:
add esi,14h                             ; sizeof IMAGE_IMPORT_DESCRIPTOR
jmp reb_imports_loop
done_yo:
;========================================================================================
; Update unpacked.exe with right Import Infos
;========================================================================================
; IAT size = thunks * 4, import directory size = descriptors * 14h.
lea esi,offset strucImpTable
assume esi:ptr PL_IMPORTS_INFO
mov ebx,dword ptr [valNumOfApis]
xor edx,edx
imul ebx,ebx,4h
mov [esi].plIATDirSize,ebx
push dword ptr [ptrIAT]
pop [esi].plIATDirRVA
push dword ptr [ptrImportDir]
pop [esi].plImportDirRVA
mov ebx,dword ptr [valNumOfDescriptors]
imul ebx,ebx,14h
mov [esi].plImportDirSize,ebx
invoke plUpdateImportsInfo,addr strucImpTable
;========================================================================================
; Detect if there are Stolen Bytes -> If no Get OEP, fix and exit
;========================================================================================
; packer+0C0Dh is where the packer transfers to the original code. A plain
; jmp rel32 (E9) there means nothing was stolen: OEP = RVA(esi+5) + rel32.
mov esi,dword ptr [valPackerSecPointer]
add esi,0C0Dh
cmp byte ptr [esi],0E9h
jne Stolen_Bytes
mov ebx,dword ptr [esi+1]               ; rel32
add esi,5
invoke plMapOffsetToRVA,esi             ; RVA of the byte after the jmp
add eax,ebx
invoke plChangeEP,eax
jmp END_IT
;========================================================================================
; Restore Stolen Bytes
;========================================================================================
; Stolen code is stored as chunks separated by "EB 01 xx" (jmp short over one
; junk byte) and terminated by an E9 jmp into the original code.
; Roles: ebx = start of the current chunk, edi = scan pointer,
;        esi = number of stolen bytes collected so far in bufStolenBytes.
Stolen_Bytes:
mov edi,esi
xor eax,eax
xor ebx,ebx
xor edx,edx
xor esi,esi
mov ebx,edi
find_Stolen_Bytes:
;push edi
mov ecx,10h
mov al,0EBh
repnz scasb                             ; find EB within the next 16 bytes (edi ends one past it)
cmp byte ptr [edi],001h                 ; expect displacement 01; anything else -> give up
jnz damn
;jmp skip_check
; check_if_oep:
; pop edi
; mov ecx,10h
; mov al,0E9h
; repnz scasb
; cmp ecx,00000
; jz find_Stolen_Bytes
; dec edi
; inc byte ptr [valFoundOEP]
; jmp take_last_bytes
; skip_check:
;pop edx
inc edi
inc edi                                 ; skip the displacement and the junk byte
cmp byte ptr [edi],0E9h
jz oep_found
;take_last_bytes:
mov edx,edi
sub edx,ebx
sub edx,3h                              ; edx = chunk length without the EB 01 xx trailer
pushad
mov ecx,edx
lea edi,offset bufStolenBytes
add edi,esi                             ; append at the current fill position (512-byte buffer, no limit check)
mov esi,ebx
rep movsb
popad
add esi,edx
mov ebx,edi                             ; next chunk starts here
;cmp byte ptr [valFoundOEP],01
; je oep_found
jmp find_Stolen_Bytes
oep_found:
mov ebx,dword ptr [edi+1]               ; rel32 of the final jmp
add edi,5
invoke plMapOffsetToRVA,edi
add eax,ebx                             ; jmp target (lands after the stolen bytes)
sub eax,esi                             ; back up by the stolen byte count -> OEP
push eax
invoke plChangeEP,eax
pop eax
invoke plRVAToMapOffset,eax
invoke myMoveMemory,eax,addr bufStolenBytes,esi   ; put the stolen bytes back at the OEP
jmp END_IT
damn:
; Pattern not recognized: point the EP at the packer's transfer stub instead.
mov edi,dword ptr [valPackerSecPointer]
add edi,0C0Dh
invoke plMapOffsetToRVA,edi
invoke plChangeEP,eax
;========================================================================================
; Done !!!!!! Source Code by Pumqara <pumqara@abv.bg>
;========================================================================================
END_IT:
invoke plCloseFile
invoke ExitProcess,0
;-----------------------------------------------------------------------
; aP_depack_asm - aPLib depacker.
;   unsigned aP_depack_asm(const void *src, void *dst)  ; args on the stack,
;   caller removes them; returns the unpacked length in eax.
; After pushad (32 bytes) and the return address: [esp+36] = src, [esp+40] = dst.
; Roles: esi = src, edi = dst, dl = tag-bit buffer, bl = length adjustment
;        (2 after a literal/long match, 1 after a last-offset match),
;        ecx = match length, eax = match offset, ebp = last match offset.
; All registers except eax are restored by popad; DF is cleared.
; No bounds checking: match lengths and offsets come straight from the
; compressed stream, so a crafted input makes `rep movsb` write past dst
; (the caller's buffer is SizeOfImage bytes) or read before it.
; ebp is not initialized here; a lastpos match before any offset was set
; would use the caller's ebp.
;-----------------------------------------------------------------------
aP_depack_asm:
pushad
mov esi, [esp + 36] ; C calling convention
mov edi, [esp + 40]
cld
mov dl, 80h                             ; sentinel: the first getbit fetches a tag byte
xor ebx, ebx
literal:
movsb                                   ; tag 0: copy one literal byte
mov bl, 2
nexttag:
call getbit
jnc literal
xor ecx, ecx
call getbit
jnc codepair                            ; tag 10: gamma-coded offset/length pair
xor eax, eax
call getbit
jnc shortmatch                          ; tag 110: one-byte short match
mov bl, 2                               ; tag 111: 4-bit offset, length 1
inc ecx
mov al, 10h                             ; marker bit falls into CF after 4 shifts
getmorebits:
call getbit
adc al, al
jnc getmorebits
jnz domatch
stosb                                   ; offset 0 -> emit a zero byte
jmp short nexttag
codepair:
call getgamma_no_ecx
sub ecx, ebx                            ; gamma - adjustment == 0 -> reuse the last offset
jnz normalcodepair
call getgamma                           ; length
jmp short domatch_lastpos
shortmatch:
lodsb
shr eax, 1                              ; offset = byte >> 1; byte 0 terminates the stream
jz donedepacking
adc ecx, ecx                            ; length = 2 + low bit (after the two incs)
jmp short domatch_with_2inc
normalcodepair:
xchg eax, ecx
dec eax
shl eax, 8
lodsb                                   ; offset = (high - 1) << 8 | next byte
call getgamma                           ; length, then adjusted by offset size
cmp eax, 32000
jae domatch_with_2inc
cmp ah, 5
jae domatch_with_inc
cmp eax, 7fh
ja domatch_new_lastpos
domatch_with_2inc:
inc ecx
domatch_with_inc:
inc ecx
domatch_new_lastpos:
xchg eax, ebp                           ; remember this offset
domatch_lastpos:
mov eax, ebp
mov bl, 1
domatch:
push esi
mov esi, edi
sub esi, eax                            ; copy ecx bytes from dst - offset (may overlap)
rep movsb
pop esi
jmp short nexttag
getbit:
add dl, dl                              ; shift out the next tag bit into CF
jnz stillbitsleft
mov dl, [esi]                           ; buffer empty: fetch the next tag byte
inc esi
adc dl, dl                              ; re-insert the marker bit
stillbitsleft:
ret
getgamma:
xor ecx, ecx
getgamma_no_ecx:
inc ecx
getgammaloop:
call getbit                             ; value bit
adc ecx, ecx
call getbit                             ; continuation bit
jc getgammaloop
ret
donedepacking:
sub edi, [esp + 40]                     ; bytes written = edi - dst
mov [esp + 28], edi ; return unpacked length in eax
popad
ret
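myAddApi PROC
;-----------------------------------------------------------------------
; myAddApi - append an import-by-name entry for the API whose name is in
; bufCurrentApi (filled by myHashName).
; In:    edx = with valImportHandling!=0: the new ptrThunk; otherwise the
;              map offset of the thunk slot referenced by the packed code
;        bufCurrentApi, ptrApis, ptrThunk, valPackerSecPointer, valImageBase
; Out:   IMAGE_IMPORT_BY_NAME (hint word + name) written at ptrApis and its
;        RVA stored at ptrThunk; ptrApis/ptrThunk advanced; valNumOfApis++.
;        Normal mode only: the reference in the packed code region
;        (VA at packer+87Eh, length at packer+883h) is rewritten to
;        FF 25 <thunk VA>  (jmp dword ptr [thunk]).
; Clobb: flags only (pushad/popad).
; Fix:   when the scan does not find the referenced VA it now leaves the
;        image alone instead of falling into patch1 and overwriting
;        whatever edi happens to point at.
;-----------------------------------------------------------------------
pushad
push edx
cmp byte ptr [valImportHandling],00
je normally1
mov dword ptr [ptrThunk],edx
normally1:
mov esi,dword ptr [ptrApis]
push esi                                ; start of the IMAGE_IMPORT_BY_NAME record
add esi,2h                              ; skip the hint word
push esi
invoke lstrlen,addr bufCurrentApi
push eax
invoke lstrcpy,esi,addr bufCurrentApi
pop eax
pop esi
add esi,eax
inc esi                                 ; past the terminating NUL
mov dword ptr [ptrApis],esi             ; (no check against the end of the added section)
mov edi,dword ptr [ptrThunk]
pop esi
invoke plMapOffsetToRVA,esi
mov dword ptr [edi],eax                 ; thunk = RVA of the name record
add edi,4h
mov dword ptr [ptrThunk],edi
inc dword ptr [valNumOfApis]
mov edi,dword ptr [valPackerSecPointer]
add edi,87eh
mov edi,dword ptr [edi]                 ; VA of the code region to scan
sub edi,dword ptr [valImageBase]
invoke plRVAToMapOffset,edi
mov edi,eax
mov ecx,dword ptr [valPackerSecPointer]
add ecx,883h
mov ecx,dword ptr [ecx]                 ; number of bytes to scan
pop edx
cmp byte ptr [valImportHandling],00
jne end_add_api                         ; alternate scheme: nothing to patch
invoke plMapOffsetToRVA,edx
add eax,dword ptr [valImageBase]
mov edx,eax                             ; VA the packed code references
find_location1:
cmp dword ptr [edi],edx
je patch1
inc edi
loop find_location1
jmp end_add_api                         ; not found in the scanned range: leave the image untouched
patch1:
dec edi                                 ; byte before the operand: 25h means an FF 25 form, back up over the FF too
cmp byte ptr [edi],25h
jne skip88
dec edi
skip88:
mov byte ptr [edi],0FFh
mov byte ptr [edi+1],025h               ; jmp dword ptr [...]
mov eax,dword ptr [ptrThunk]
sub eax,4h                              ; the thunk written above
invoke plMapOffsetToRVA,eax
add eax,dword ptr [valImageBase]
mov dword ptr [edi+2],eax               ; ... [thunk VA]
end_add_api:
popad
ret
myAddApi ENDP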
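myAddOrdinal PROC
;-----------------------------------------------------------------------
; myAddOrdinal - append an import-by-ordinal thunk.
; In:    eax = the ordinal thunk value from the packed file (bit 31 set)
;        edx = with valImportHandling!=0: the new ptrThunk; otherwise the
;              map offset of the thunk slot referenced by the packed code
;        ptrThunk, valPackerSecPointer, valImageBase
; Out:   eax stored at ptrThunk; ptrThunk advanced; valNumOfApis++.
;        Normal mode only: the reference in the packed code region
;        (VA at packer+87Eh, length at packer+883h) is rewritten to
;        FF 25 <thunk VA>  (jmp dword ptr [thunk]).
; Clobb: flags only (pushad/popad).
; Fix:   when the scan does not find the referenced VA it now leaves the
;        image alone instead of falling into patch2 and overwriting
;        whatever edi happens to point at.
;-----------------------------------------------------------------------
pushad
push edx
cmp byte ptr [valImportHandling],00
je normally2
mov dword ptr [ptrThunk],edx
normally2:
mov edi,dword ptr [ptrThunk]
mov dword ptr [edi],eax                 ; thunk = ordinal value as found
add edi,4h
mov dword ptr [ptrThunk],edi
inc dword ptr [valNumOfApis]
cmp byte ptr [valImportHandling],00
jne end_add_ord                         ; alternate scheme: nothing to patch
mov edi,dword ptr [valPackerSecPointer]
add edi,87eh
mov edi,dword ptr [edi]                 ; VA of the code region to scan
sub edi,dword ptr [valImageBase]
invoke plRVAToMapOffset,edi
mov edi,eax
mov ecx,dword ptr [valPackerSecPointer]
add ecx,883h
mov ecx,dword ptr [ecx]                 ; number of bytes to scan
pop edx
invoke plMapOffsetToRVA,edx
add eax,dword ptr [valImageBase]
mov edx,eax                             ; VA the packed code references
find_location2:
cmp dword ptr [edi],edx
je patch2
inc edi
loop find_location2
jmp end_add_ord_popad                   ; not found in the scanned range: leave the image untouched
patch2:
dec edi                                 ; byte before the operand: 25h means an FF 25 form, back up over the FF too
cmp byte ptr [edi],25h
jne skip888
dec edi
skip888:
mov byte ptr [edi],0FFh
mov byte ptr [edi+1],025h               ; jmp dword ptr [...]
mov eax,dword ptr [ptrThunk]
sub eax,4h                              ; the thunk written above
invoke plMapOffsetToRVA,eax
add eax,dword ptr [valImageBase]
mov dword ptr [edi+2],eax               ; ... [thunk VA]
end_add_ord_popad:
popad
ret
end_add_ord:
pop edx                                 ; balance the push edx above (edx is restored by popad anyway)
popad
ret
myAddOrdinal ENDP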
myAddDescriptor PROC
;-----------------------------------------------------------------------
; myAddDescriptor - emit one IMAGE_IMPORT_DESCRIPTOR for the DLL named at
; ptrDllName and copy that name into the DLL-name area.
; In:    edx = new ptrThunk when valImportHandling!=0 (otherwise ptrThunk
;              is advanced by 8); ptrDllName, ptrDllNames, ptrDescriptors
; Out:   Name1/FirstThunk of the new descriptor set (RVAs); ptrDllNames
;        and ptrDescriptors advanced; valNumOfDescriptors++. The other
;        descriptor fields are left as they were.
; Clobb: flags only (pushad/popad).
;-----------------------------------------------------------------------
pushad
mov edi,dword ptr [ptrDllName]          ; source string, needed on both paths
cmp byte ptr [valImportHandling],00
jne thunk_from_edx
add dword ptr [ptrThunk],8h             ; normal scheme: leave an 8-byte gap before this DLL's thunks
jmp copy_dll_name
thunk_from_edx:
mov dword ptr [ptrThunk],edx            ; alternate scheme: caller supplies the thunk position
copy_dll_name:
mov esi,dword ptr [ptrDllNames]
pushad
invoke lstrcpy,esi,edi
popad
invoke plMapOffsetToRVA,esi
push eax                                ; RVA of the copied name, consumed below as Name1
push esi
invoke lstrlen,esi
pop esi
lea esi,[esi+eax+1]                     ; step past the NUL
mov dword ptr [ptrDllNames],esi         ; (no check against the end of the name area)
mov esi,dword ptr [ptrDescriptors]
assume esi:ptr IMAGE_IMPORT_DESCRIPTOR
pop eax
mov [esi].Name1,eax
mov eax,dword ptr [ptrThunk]
invoke plMapOffsetToRVA,eax
mov [esi].FirstThunk,eax
add esi,sizeof IMAGE_IMPORT_DESCRIPTOR
mov dword ptr [ptrDescriptors],esi
inc dword ptr [valNumOfDescriptors]
popad
ret
myAddDescriptor ENDP
myMoveMemory PROC myIN:DWORD,myFROM:DWORD,mySize:DWORD
;-----------------------------------------------------------------------
; myMoveMemory - forward byte copy of mySize bytes from myFROM to myIN.
; In:    myIN = destination, myFROM = source, mySize = byte count
; Out:   none
; Clobb: none (esi/edi/ecx saved and restored); DF is used as found.
;        No overlap or bounds handling: exactly mySize bytes are moved.
;-----------------------------------------------------------------------
push esi
push edi
push ecx
mov ecx,mySize
mov edi,myIN
mov esi,myFROM
rep movsb
pop ecx
pop edi
pop esi
ret
myMoveMemory endp
myDecryptDllName PROC
;-----------------------------------------------------------------------
; myDecryptDllName - decrypt a NUL-terminated DLL name in place by
; inverting (NOT) every byte up to the terminator.
; In:    edi -> encrypted name in the mapped file
; Out:   bytes at edi decrypted; edi preserved
; Clobb: flags. There is no length limit: the walk relies on a NUL in the
;        input, so an unterminated name is processed past its end.
;-----------------------------------------------------------------------
push edi
jmp dec_dll_check
dec_dll_flip:
not byte ptr [edi]
inc edi
dec_dll_check:
cmp byte ptr [edi],0
jne dec_dll_flip
pop edi
ret
myDecryptDllName endp
myHashName PROC
;-----------------------------------------------------------------------
; myHashName - CRC-32 (reflected polynomial EDB88320h, seed FFFFFFFFh,
; no final inversion) of the NUL-terminated string at edi. The string is
; also copied into bufCurrentApi for a later myAddApi.
; In:    edi -> export name
; Out:   eax = hash; edi -> the string's terminating NUL
; Clobb: eax, edi, flags (edx is saved and restored)
;-----------------------------------------------------------------------
pushad
invoke lstrcpy,addr bufCurrentApi,edi
popad
push edx
mov edx,0ffffffffh                      ; crc seed
hash_next_byte:
mov al,byte ptr [edi]
test al,al
jz hash_done
inc edi
xor dl,al
mov al,8                                ; al doubles as the bit counter
hash_next_bit:
shr edx,1
jnc hash_no_feedback
xor edx,0edb88320h
hash_no_feedback:
dec al
jnz hash_next_bit
jmp hash_next_byte
hash_done:
mov eax,edx
pop edx
ret
myHashName endp
end start