本来想省掉堆栈，没想到中文的有反序，只好写了个正确率不高的：
.386p
.model flat, stdcall
option casemap : none
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
; find r, b0, b1, ...
;   Scan memory starting at the address held in register r for the byte
;   sequence b0 b1 ..., leaving r pointing at the first byte of the match.
;   Direction comes from DF at the time of the call: DF clear -> r is
;   incremented (forward), DF set (caller executed std) -> r is
;   decremented (backward).  Each pattern byte is compared against
;   [r+ofs], where ofs is an assembly-time counter advanced by the FOR loop,
;   so the pattern is unrolled into one cmp/jnz pair per byte.
;   Flags are saved with pushfd and restored with popfd; the DF test reads
;   bit 10 (10000000000b) of that saved copy on the stack, so the cmp/jnz
;   inside the loop cannot disturb it.
;   Clobbers: r.  There is no bound check: if the sequence never occurs the
;   loop walks off the end (or start) of the mapping and faults.
find macro r, p:VARARG
local __cycle, __next, __back, __done
local ofs, x
ofs = 0 ; assembly-time offset into the pattern
pushfd ; keep the caller's EFLAGS; DF is read from this copy below
__cycle: for x, <p>
cmp byte ptr [r+ofs], x ; mismatch at this offset -> move r one step and retry
jnz __next
ofs = ofs + 1
endm
jmp __done ; every pattern byte matched at r
__next: test dword ptr [esp], 10000000000b ; DF (EFLAGS bit 10) in the saved flags
jnz __back
inc r ; forward scan
jmp __cycle
__back: dec r ; backward scan (caller executed std)
jmp __cycle
__done: popfd
endm
.data
input   db "shit.exe", 0        ; ASCIIZ name of the image to scan (mapped via LoadLibraryExA)
output  db "fuck.txt", 0        ; ASCIIZ name of the text file the decoded strings are written to
.code
include shit.inc
include mlde32.inc
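; Program entry: strsux(input, output), then exit with status 0.
; strsux is stdcall (ifile, ofile), so ofile is pushed first.
start:  push    offset output           ; ofile
        push    offset input            ; ifile
        call    strsux
        push    0                       ; uExitCode: ExitProcess takes one stdcall argument,
        call    ExitProcess             ; without the push the exit status was whatever lay on the stack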
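;-----------------------------------------------------------------------
; void strsux(LPCSTR ifile, LPCSTR ofile)           stdcall, 2 DWORD args
;
; Map the image named by ifile, locate its stack-string decoder routine
; by byte signature, then for every E8 that targets that routine replay
; the byte stores the preceding code makes into its stack frame, run
; deshit (shit.inc) over the collected bytes and append the result plus
; CR LF to ofile.
;
; The image is mapped with LoadLibraryExA(DONT_RESOLVE_DLL_REFERENCES):
; it is only mapped, no code from it is executed by this tool.  The whole
; mapping is made PAGE_READWRITE because each handled call site is
; patched (E8 -> E9) so the outer scan does not report it twice.
;
; Out:    nothing; any Win32 failure skips to the cleanup path, which
;         releases only what was acquired.
; Regs:   all preserved (pushad/popad).
; Scan registers (live across the internal helpers):
;   esi = cursor in the mapped image
;   ebx = scan limit = image end - 4, so a 5-byte call at esi stays inside
;   edi = write cursor in obuf (only inside __disasm)
; Limits: the find scans are unbounded, so an image without the expected
;   signatures faults instead of failing cleanly.  mlde32 (mlde32.inc)
;   and deshit (shit.inc) are not shown here.
;-----------------------------------------------------------------------
strsux proc ifile, ofile
local ibuf                              ; base of the mapped image (HMODULE)
local obuf                              ; output buffer, isize bytes, zeroed before each string
local isize                             ; OptionalHeader.SizeOfImage of the mapped image
local osize                             ; length of the decoded string + CR LF
local pehdr                             ; address of IMAGE_NT_HEADERS
local decode                            ; address of the target's decoder routine
local xbl                               ; last value the scanned code assigned to bl
local xdl                               ; last value the scanned code assigned to dl
local fhandle                           ; handle of ofile
local skipreg                           ; nonzero until the first immediate store is seen:
                                        ; until then bl/dl hold an unknown value, so
                                        ; register-sourced stores are not replayed
local oldprot                           ; previous protection returned by VirtualProtect
local written                           ; byte count returned by WriteFile
        pushad
        ; --- map the image without running any of its code
        push    1                       ; DONT_RESOLVE_DLL_REFERENCES
        push    0                       ; hFile (reserved)
        push    ifile
        call    LoadLibraryExA
        test    eax, eax
        mov     [ibuf], eax
        jz      __exit
        add     eax, [eax+3ch]          ; e_lfanew -> IMAGE_NT_HEADERS
        mov     [pehdr], eax
        mov     edx, [eax+50h]          ; OptionalHeader.SizeOfImage
        mov     [isize], edx
        ; --- output buffer, same size as the image
        push    4                       ; PAGE_READWRITE
        push    1000h                   ; MEM_COMMIT
        push    [isize]
        push    0
        call    VirtualAlloc
        test    eax, eax
        mov     [obuf], eax
        jz      __free_ibuf             ; nothing but the mapping to release
        ; --- make the whole mapping writable: call sites are patched below
        lea     edx, [oldprot]          ; a real local, not the pushad edx slot
        push    edx
        push    4                       ; PAGE_READWRITE
        push    [isize]
        push    [ibuf]
        call    VirtualProtect
        test    eax, eax
        jz      __free_obuf
        ; --- output file (truncated on open, then appended to per string)
        push    0                       ; hTemplateFile
        push    80h                     ; FILE_ATTRIBUTE_NORMAL
        push    2                       ; CREATE_ALWAYS
        push    0                       ; lpSecurityAttributes
        push    1                       ; FILE_SHARE_READ
        push    0c0000000h              ; GENERIC_READ or GENERIC_WRITE
        push    ofile
        call    CreateFileA
        cmp     eax, -1                 ; failure is INVALID_HANDLE_VALUE, not 0
        mov     [fhandle], eax
        jz      __free_obuf             ; no handle to close
        ; --- locate the decoder.  Its body contains
        ;       52 C6 04 2A 00 E8   push edx / mov byte ptr [edx+ebp], 0 / call ...
        ;     and it begins with
        ;       8B 54 24 04         mov edx, [esp+4]
        mov     esi, [ibuf]
        find    esi, 52h, 0c6h, 04h, 2ah, 00h, 0e8h
        std                             ; now scan backwards to the routine entry
        find    esi, 8bh, 54h, 24h, 04h
        cld
        mov     [decode], esi
        ; --- outer scan: every E8 rel32 whose target is the decoder
        mov     esi, [ibuf]
        mov     ebx, [isize]
        add     ebx, esi
        sub     ebx, 4                  ; esi..esi+4 (a 5-byte call) must stay inside the image
__xref_cycle:
        cmp     esi, ebx
        jae     __xref_end              ; unsigned: these are addresses
        mov     eax, [esi]
        cmp     al, 0e8h
        jnz     __xref_next
        mov     eax, esi
        call    __parse_call
        cmp     eax, [decode]
        jnz     __xref_next
        ; rewind to the nearest 90 90 (nop nop); __disasm walks forward from there
        std
        find    esi, 90h, 90h
        cld
        call    __disasm
__xref_next:
        inc     esi
        jmp     __xref_cycle
__xref_end:
        ; --- cleanup; failures enter part-way so only acquired resources are released
__close_file:
        push    [fhandle]               ; was [ofile]: the name pointer, not the handle
        call    CloseHandle
__free_obuf:
        push    8000h                   ; MEM_RELEASE
        push    0
        push    [obuf]
        call    VirtualFree
__free_ibuf:
        push    [ibuf]
        call    FreeLibrary
__exit:
        popad
        ret                             ; inside a PROC: expands to the stdcall epilogue
;-----------------------------------------------------------------------
; __disasm  (internal helper, near call, returns with retn)
; In:  esi = start of the code that builds one stack string
;      ebx = scan limit (shared with the outer loop)
; Steps forward instruction by instruction (length from mlde32) and
; replays the byte stores the code makes into its stack frame, appending
; each stored byte to obuf in instruction order.  Matched on the low
; 24 bits of the dword at esi (or al / ax):
;   88 1C 24 | 88 5C 24 | 88 9C 24  mov [esp(+disp)], bl      -> byte = xbl
;   88 14 24 | 88 54 24 | 88 94 24  mov [esp(+disp)], dl      -> byte = xdl
;   C6 44 24 dd ii                   mov byte ptr [esp+disp8], imm8
;   C6 84 24 dddddddd ii             mov byte ptr [esp+disp32], imm8
;   33 DB | 32 DB | B3 ii            xor ebx,ebx | xor bl,bl | mov bl,imm -> xbl
;   33 D2 | 32 D2 | B2 ii            xor edx,edx | xor dl,dl | mov dl,imm -> xdl
;   E8 rel32 whose target is [decode] end of one string: decode and write it
;   C2 | C3                          ret: stop
; The displacement of each store is ignored, so bytes stored out of
; program order come out scrambled; the original author noted this for
; some strings and left the lea eax,[esp+x] forms unhandled.
; Preserves all registers (pushad/popad).
;-----------------------------------------------------------------------
__disasm:
        pushad
        call    __restart               ; edi = obuf, buffer cleared, skipreg = 1
__disasm_cycle:
        cmp     esi, ebx
        jae     __disasm_end            ; unsigned compare on addresses
        mov     eax, [esi]
        mov     edx, 0ffffffh
        and     edx, eax                ; edx = first three bytes of the instruction
        cmp     edx, 241c88h            ; mov [esp], bl
        jz      __x1_0
        cmp     edx, 245c88h            ; mov [esp+disp8], bl
        jz      __x1_0
        cmp     edx, 249c88h            ; mov [esp+disp32], bl
        jz      __x1_0
        cmp     edx, 2444c6h            ; mov byte ptr [esp+disp8], imm8
        jz      __x1_1
        cmp     edx, 2484c6h            ; mov byte ptr [esp+disp32], imm8
        jz      __x1_2
        cmp     edx, 241488h            ; mov [esp], dl
        jz      __x1_3
        cmp     edx, 245488h            ; mov [esp+disp8], dl
        jz      __x1_3
        cmp     edx, 249488h            ; mov [esp+disp32], dl
        jz      __x1_3
        cmp     al, 0e8h                ; call rel32
        jz      __x2
        cmp     ax, 0db33h              ; xor ebx, ebx
        jz      __x3_0
        cmp     ax, 0db32h              ; xor bl, bl
        jz      __x3_0
        cmp     al, 0b3h                ; mov bl, imm8
        jz      __x3_1
        cmp     ax, 0d233h              ; xor edx, edx
        jz      __x4_0
        cmp     ax, 0d232h              ; xor dl, dl
        jz      __x4_0
        cmp     al, 0b2h                ; mov dl, imm8
        jz      __x4_1
        cmp     al, 0c2h                ; retn imm16
        jz      __disasm_end
        cmp     al, 0c3h                ; ret
        jz      __disasm_end
__disasm_next:
        push    esi
        call    mlde32                  ; eax = length of the instruction at esi (mlde32.inc)
        pop     esi                     ; reclaims the argument slot and reloads esi
        add     esi, eax
        jmp     __disasm_cycle
__x1_0:
        mov     eax, [xbl]              ; stored byte is the current bl
        jmp     __store_byte
__x1_1:
        mov     al, [esi+4]             ; imm8 after C6 44 24 disp8
        and     [skipreg], 0            ; first immediate store: register stores are replayed from here on
        jmp     __store_byte
__x1_2:
        mov     al, [esi+7]             ; imm8 after C6 84 24 disp32
        and     [skipreg], 0
__store_byte:
        cmp     [skipreg], 0            ; register value unknown so far: drop this store
        jnz     __disasm_next
        stosb                           ; obuf[edi++] = al (DF is clear here)
        jmp     __disasm_next
__x1_3:
        mov     eax, [xdl]              ; stored byte is the current dl
        jmp     __store_byte
__x2:
        mov     eax, esi
        call    __parse_call
        cmp     eax, [decode]
        jnz     __disasm_next           ; a call elsewhere: just step over it
        ; obuf now holds one complete obfuscated string: decode, then append it to ofile
        push    [obuf]
        call    deshit                  ; decoder replacement from shit.inc
        pop     eax                     ; presumably caller-cleanup (cdecl) -- TODO confirm against shit.inc
        push    [obuf]
        call    lstrlenA
        mov     [osize], eax
        add     eax, [obuf]
        mov     word ptr [eax], 0a0dh   ; CR LF over the terminating NUL
        add     [osize], 2
        push    FILE_END
        push    0
        push    0
        push    [fhandle]
        call    SetFilePointer          ; append
        push    0                       ; lpOverlapped
        lea     eax, [written]
        push    eax                     ; lpNumberOfBytesWritten -> a proper local
        push    [osize]
        push    [obuf]
        push    [fhandle]
        call    WriteFile               ; stdcall: the callee pops all five slots
        call    __restart               ; clear obuf for the next string
        mov     byte ptr [esi], 0e9h    ; E8 -> E9 so the outer scan does not revisit this site
        jmp     __disasm_next
__x3_0:
        xor     eax, eax                ; xor ebx,ebx / xor bl,bl -> bl = 0
        jmp     __grab_bl
__x3_1:
        mov     al, [esi+1]             ; mov bl, imm8
__grab_bl:
        movzx   eax, al
        mov     [xbl], eax
        jmp     __disasm_next
__x4_0:
        xor     eax, eax                ; xor edx,edx / xor dl,dl -> dl = 0
        jmp     __grab_dl
__x4_1:
        mov     al, [esi+1]             ; mov dl, imm8
__grab_dl:
        movzx   eax, al
        mov     [xdl], eax
        jmp     __disasm_next
__disasm_end:
        popad
        retn                            ; retn, not ret: ret inside a PROC expands to the epilogue
;-----------------------------------------------------------------------
; __restart  (internal helper)
; Resets the output buffer: edi = obuf, obuf zeroed over its full isize,
; skipreg set so register-sourced stores are ignored until the next
; immediate store.  Clobbers edi only.
;-----------------------------------------------------------------------
__restart:
        mov     edi, [obuf]
        pushad
        mov     ecx, [isize]
        xor     eax, eax
        rep     stosb                   ; DF is clear: forward fill
        popad
        mov     [skipreg], 1
        retn
;-----------------------------------------------------------------------
; __parse_call  (internal helper)
; In:  eax = address of an E8 rel32 instruction
; Out: eax = its target (address of the next instruction + rel32)
;-----------------------------------------------------------------------
__parse_call:
        add     eax, [eax+1]
        add     eax, 5
        retn
strsux endp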
end start