【文章标题】: PE文件添加区段[逆向分析+asm代码实现]
【文章作者】: eASYSCt
【作者主页】: http://blog.sina.com.cn/77muyulong
【软件名称】: zeroadd
【下载地址】: 自己搜索下载
【加壳方式】: 无壳
【保护方式】: 无
【编写语言】: 汇编
【使用工具】: ODB
【软件介绍】: 一款为PE文件添加区段的小工具
【作者声明】: 只是为学习原理 并无其他目的 大侠指教~ 【详细过程】 闲来无事 逛至编程区 发现了好多教程 其中专题系列更是十分值得学习 看了玩命大侠的 第一篇文章
【成果6.1】软件保护壳技术专题 - 添加新节
http://bbs.pediy.com/showthread.php?p=467116
之后才明白自己为何平时用LDPE给文件加区段总是失败 呵呵 自以为受益颇丰
转念一想平时常用一工具 名曰zeroadd 跟文中提到之方甚为相似 遂肢解其文件 以求知
撰写此文 仅为笔记 高手嘲笑之余 望指点一二 愚弟拜谢……
此工具可谓清晰之至 win32ASM写的 反汇编出来基本跟源码一样 奈何自己只是一只小菜虫 研究了整整一个晚上~
首先是看下流程
摘自 玩命 大侠 壳 专题 文章
添加新节相关的PE头属性: 位于IMAGE_NT_HEADERS结构中的属性: ImageBase(4字节) SizeOfImage(4字节) NumberOfSections(2字节) AddressOfEntryPoint(4字节) SectionAlignment(4字节) FileAlignment(4字节) 位于IMAGE_SECTION_HEADER结构的属性: 最后节表VirtualSize(4字节) 最后节表的VirtualAddress(4字节) 最后节表的SizeOfRawData(4字节) 最后节表的PointerToRawData(4字节) 最后节表的Characteristics(4字节) 添加新节算法描述: 1.建立文件映射 2.判断是否是PE文件 3.移动到最后一个节表 4.添加新节节表 5.设置新节的VirtualAddress,VirtualSize,SizeOfRawData,PointerToRawData,Characteristics等属性 ※6.将新节的内容写入文件 7.增加NumberOfSections属性 8.设置SizeOfImage,AddressOfEntryPoint属性 9.将内存映射回文件
其中 第6条 略过 因为在本文这不是重点。。
了解了大概思路就要开始动手了
OD加载zeroadd.exe
先看主体函数
[SIZE=2]00401000 z>/$ 6A 00 push 0 ; /pModule = NULL[/SIZE]
[SIZE=2]00401002 |. E8 7F050000 call ; \GetModuleHandleA[/SIZE]
[SIZE=2]00401007 |. 6A 00 push 0 ; /lParam = NULL[/SIZE]
[SIZE=2]00401009 |. 68 1F104000 push 0040101F ; |DlgProc = zeroadd.0040101F[/SIZE]
[SIZE=2]0040100E |. 6A 00 push 0 ; |hOwner = NULL[/SIZE]
[SIZE=2]00401010 |. 6A 01 push 1 ; |pTemplate = 1[/SIZE]
[SIZE=2]00401012 |. 50 push eax ; |hInst[/SIZE]
[SIZE=2]00401013 |. E8 20050000 call ; \DialogBoxParamA[/SIZE]
[SIZE=2]00401018 |. 6A 00 push 0 ; /ExitCode = 0[/SIZE]
[SIZE=2]0040101A \. E8 5B050000 call ; \ExitProcess[/SIZE]
哈哈 会编写的果然好 看上去一目了然
DialogBoxParamA的参数hInst为上面GetModuleHandleA得到的返回值 pTemplate为对话框资源ID DlgProc为对话框主函数体
我们跟随到主函数看看
又是很清晰的代码
主函数体很长 只做有用的摘录
[SIZE=2]00401030 |> \837D 0C 10 cmp dword ptr [ebp+C], 10[/SIZE]
[SIZE=2]00401034 |. 75 0F jnz short 00401045[/SIZE]
[SIZE=2]00401036 |. 6A 00 push 0 ; /Result = 0[/SIZE]
[SIZE=2]00401038 |. FF75 08 push dword ptr [ebp+8] ; |hWnd[/SIZE]
[SIZE=2]0040103B |. E8 FE040000 call ; \EndDialog[/SIZE]
判断消息是否为WM_CLOSE 是的话不跳 call EndDialog结束对话框
[SIZE=2]00401045 |> \817D 0C 11010000 cmp dword ptr [ebp+C], 111[/SIZE]
[SIZE=2]0040104C |. 0F85 31040000 jnz 00401483[/SIZE]
[SIZE=2]00401052 |. 8B45 10 mov eax, dword ptr [ebp+10][/SIZE]
[SIZE=2]00401055 |. 66:83F8 02 cmp ax, 2[/SIZE]
[SIZE=2]00401059 |. 75 58 jnz short 004010B3[/SIZE]
[SIZE=2]0040105B |. C1E8 10 shr eax, 10[/SIZE]
[SIZE=2]0040105E |. 66:0BC0 or ax, ax[/SIZE]
[SIZE=2]00401061 |. 75 50 jnz short 004010B3[/SIZE]
[SIZE=2]00401063 |. C705 F3324000 4C00>mov dword ptr [4032F3], 4C[/SIZE]
[SIZE=2]0040106D |. C705 FF324000 3F33>mov dword ptr [4032FF], 0040333F ; ASCII "Executable Files (*.exe, *.dll)"[/SIZE]
[SIZE=2]00401077 |. C705 0F334000 7C33>mov dword ptr [40330F], 0040337C[/SIZE]
[SIZE=2]00401081 |. C705 13334000 0002>mov dword ptr [403313], 200[/SIZE]
[SIZE=2]0040108B |. C705 27334000 0418>mov dword ptr [403327], 281804[/SIZE]
[SIZE=2]00401095 |. 68 F3324000 push 004032F3 ; /pOpenFileName = zeroadd.004032F3[/SIZE]
[SIZE=2]0040109A |. E8 11050000 call ; \GetOpenFileNameA[/SIZE]
判断消息是否为WM_COMMAND 是则不跳 判断是否ID=2按下 之后初始化ofn结构 调用GetOpenFileNameA函数用系统对话框获得文件名
ofn结构（即OPENFILENAME）
/* OPENFILENAME as passed to GetOpenFileNameA.  The fields the tool above
 * fills in (see 00401063..00401095) are lStructSize (4Ch), lpstrFilter,
 * lpstrFile, nMaxFile (200h) and Flags (281804h); everything else is left
 * as whatever the static buffer at 004032F3 already holds. */
typedef struct tagOFN {
DWORD lStructSize;          /* sizeof(OPENFILENAME); must be set */
HWND hwndOwner;
HINSTANCE hInstance;
LPCTSTR lpstrFilter;        /* "description\0pattern\0" pairs, double-NUL terminated */
LPTSTR lpstrCustomFilter;
DWORD nMaxCustFilter;
DWORD nFilterIndex;
LPTSTR lpstrFile;           /* in/out: selected path, nMaxFile bytes long */
DWORD nMaxFile;
LPTSTR lpstrFileTitle;
DWORD nMaxFileTitle;
LPCTSTR lpstrInitialDir;
LPCTSTR lpstrTitle;
DWORD Flags;                /* OFN_* bits */
WORD nFileOffset;
WORD nFileExtension;
LPCTSTR lpstrDefExt;
LPARAM lCustData;
LPOFNHOOKPROC lpfnHook;
LPCTSTR lpTemplateName;
#if (_WIN32_WINNT >= 0x0500)
void * pvReserved;
DWORD dwReserved;
DWORD FlagsEx;
#endif // (_WIN32_WINNT >= 0x0500)
} OPENFILENAME, *LPOPENFILENAME;
VC++的介绍 详见 http://dev.csdn.net/article/13/13461.shtm
[SIZE=2]004010A4 |. 68 7C334000 push 0040337C ; /Text = ""[/SIZE]
[SIZE=2]004010A9 |. 6A 03 push 3 ; |ControlID = 3[/SIZE]
[SIZE=2]004010AB |. FF75 08 push dword ptr [ebp+8] ; |hWnd[/SIZE]
[SIZE=2]004010AE |. E8 A3040000 call ; \SetDlgItemTextA[/SIZE]
得到文件名后将其显示到ID=3的EDIT控件里
[SIZE=2]004010B3 |> \66:83F8 06 cmp ax, 6[/SIZE]
[SIZE=2]004010B7 |. 0F85 7A030000 jnz 00401437[/SIZE]
[SIZE=2]004010BD |. C1E8 10 shr eax, 10[/SIZE]
[SIZE=2]004010C0 |. 66:0BC0 or ax, ax[/SIZE]
[SIZE=2]004010C3 |. 0F85 6E030000 jnz 00401437[/SIZE]
[SIZE=2]004010C9 |. 68 00020000 push 200 ; /Count = 200 (512.)[/SIZE]
[SIZE=2]004010CE |. 68 20304000 push 00403020 ; |Buffer = zeroadd.00403020[/SIZE]
[SIZE=2]004010D3 |. 6A 03 push 3 ; |ControlID = 3[/SIZE]
[SIZE=2]004010D5 |. FF75 08 push dword ptr [ebp+8] ; |hWnd[/SIZE]
[SIZE=2]004010D8 |. E8 67040000 call ; \GetDlgItemTextA[/SIZE]
[SIZE=2]004010DD |. 68 00020000 push 200 ; /Count = 200 (512.)[/SIZE]
[SIZE=2]004010E2 |. 68 00304000 push 00403000 ; |Buffer = zeroadd.00403000[/SIZE]
[SIZE=2]004010E7 |. 6A 04 push 4 ; |ControlID = 4[/SIZE]
[SIZE=2]004010E9 |. FF75 08 push dword ptr [ebp+8] ; |hWnd[/SIZE]
[SIZE=2]004010EC |. E8 53040000 call ; \GetDlgItemTextA[/SIZE]
[SIZE=2]004010F1 |. 68 00020000 push 200 ; /Count = 200 (512.)[/SIZE]
[SIZE=2]004010F6 |. 68 08304000 push 00403008 ; |Buffer = zeroadd.00403008[/SIZE]
[SIZE=2]004010FB |. 6A 05 push 5 ; |ControlID = 5[/SIZE]
[SIZE=2]004010FD |. FF75 08 push dword ptr [ebp+8] ; |hWnd[/SIZE]
[SIZE=2]00401100 |. E8 3F040000 call ; \GetDlgItemTextA[/SIZE]
[SIZE=2]00401105 |. 6A 0F push 0F ; /ButtonID = F (15.)[/SIZE]
[SIZE=2]00401107 |. FF75 08 push dword ptr [ebp+8] ; |hWnd[/SIZE]
[SIZE=2]0040110A |. E8 3B040000 call ; \IsDlgButtonChecked[/SIZE]
如果按下的是ID=6的BUTTON 则读取三个EDIT控件的文字和一个CheckBox的状态
它们分别是 完整文件名 补区段的段名 段的大小 和是否备份源文件
[SIZE=2]0040110F |. 83F8 01 cmp eax, 1[/SIZE]
[SIZE=2]00401112 |. 75 38 jnz short 0040114C[/SIZE]
[SIZE=2]00401114 |. 68 20304000 push 00403020 ; /String2 = ""[/SIZE]
[SIZE=2]00401119 |. 68 85304000 push 00403085 ; |String1 = zeroadd.00403085[/SIZE]
[SIZE=2]0040111E |. E8 81040000 call ; \lstrcpyA[/SIZE]
[SIZE=2]00401123 |. 68 1B314000 push 0040311B ; /StringToAdd = ".bak"[/SIZE]
[SIZE=2]00401128 |. 68 85304000 push 00403085 ; |ConcatString = ""[/SIZE]
[SIZE=2]0040112D |. E8 6C040000 call ; \lstrcatA[/SIZE]
[SIZE=2]00401132 |. 6A 00 push 0 ; /FailIfExists = FALSE[/SIZE]
[SIZE=2]00401134 |. 68 85304000 push 00403085 ; |NewFileName = ""[/SIZE]
[SIZE=2]00401139 |. 68 20304000 push 00403020 ; |ExistingFileName = ""[/SIZE]
[SIZE=2]0040113E |. E8 1F040000 call ; \CopyFileA[/SIZE]
[SIZE=2]00401143 |. 83F8 00 cmp eax, 0[/SIZE]
[SIZE=2]00401146 |. 0F84 51020000 je 0040139D[/SIZE]
[SIZE=2]0040114C |> 6A 00 push 0 ; /FailIfExists = FALSE[/SIZE]
[SIZE=2]0040114E |. 68 29314000 push 00403129 ; |NewFileName = "swapit.sca"[/SIZE]
[SIZE=2]00401153 |. 68 20304000 push 00403020 ; |ExistingFileName = ""[/SIZE]
[SIZE=2]00401158 |. E8 05040000 call ; \CopyFileA[/SIZE]
如果call IsDlgButtonChecked的返回值是1就是说明选中了备份文件 那么复制完整文件名 在文件名后面加上".bak"
之后拷贝文件 即完成了原文件的备份工作 呵呵 很简单哦~ 注意00401143处还检查了CopyFile的返回值 备份失败（eax=0）就跳到0040139D 看起来是不再往下处理原文件 自己重写时不要漏掉这个检查 否则用户要的备份没做成 原文件却已经被改掉了
再之后过程就和玩命大侠在文中叙述的几乎一样了 由于玩命大侠写得太清楚透彻了 我不再赘述 以免班门弄斧…
不过有一个函数引起了我的注意
[SIZE=2]00401190 |. 68 08304000 push 00403008 ; /Arg1 = 00403008[/SIZE]
[SIZE=2]00401195 |. E8 13030000 call Hex> ; \zeroadd.004014AD[/SIZE]
标签是我后来加的 原来是call 004014AD 这是这个程序为数不多的自己写的函数
跟过去看个究竟 看看他到底是干什么的
[SIZE=2]004014AD <>/$ 55 push ebp[/SIZE]
[SIZE=2]004014AE |. 8BEC mov ebp, esp[/SIZE]
[SIZE=2]004014B0 |. 83C4 FC add esp, -4[/SIZE]
[SIZE=2]004014B3 |. 53 push ebx[/SIZE]
[SIZE=2]004014B4 |. 51 push ecx[/SIZE]
[SIZE=2]004014B5 |. 57 push edi[/SIZE]
[SIZE=2]004014B6 |. 52 push edx[/SIZE]
[SIZE=2]004014B7 |. 56 push esi[/SIZE]
[SIZE=2]004014B8 |. C745 FC 00000000 mov dword ptr [ebp-4], 0[/SIZE]
[SIZE=2]004014BF |. 33C9 xor ecx, ecx[/SIZE]
[SIZE=2]004014C1 |. 8B7D 08 mov edi, dword ptr [ebp+8][/SIZE]
[SIZE=2]004014C4 |. FF75 08 push dword ptr [ebp+8] ; /String[/SIZE]
[SIZE=2]004014C7 |. E8 DE000000 call ; \lstrlenA[/SIZE]
[SIZE=2]004014CC |. BB 10000000 mov ebx, 10[/SIZE]
[SIZE=2]004014D1 |. 8BF0 mov esi, eax[/SIZE]
[SIZE=2]004014D3 |. EB 35 jmp short 0040150A[/SIZE]
[SIZE=2]004014D5 |> 8A07 /mov al, byte ptr [edi][/SIZE]
[SIZE=2]004014D7 |. 3C 30 |cmp al, 30 ; Switch (cases 30..39)[/SIZE]
[SIZE=2]004014D9 |. 72 08 |jb short 004014E3 ; 小于30跳[/SIZE]
[SIZE=2]004014DB |. 3C 39 |cmp al, 39[/SIZE]
[SIZE=2]004014DD |. 77 04 |ja short 004014E3 ; 大于39跳[/SIZE]
[SIZE=2]004014DF |. 2C 30 |sub al, 30 ; 不跳就-30即为0~9[/SIZE]
[SIZE=2]004014E1 |. EB 12 |jmp short 004014F5[/SIZE]
[SIZE=2]004014E3 |> 3C 61 |cmp al, 61 ; Default case of switch 004014D7[/SIZE]
[SIZE=2]004014E5 |. 72 0A |jb short 004014F1[/SIZE]
[SIZE=2]004014E7 |. 3C 66 |cmp al, 66[/SIZE]
[SIZE=2]004014E9 |. 77 06 |ja short 004014F1[/SIZE]
[SIZE=2]004014EB |. 2C 61 |sub al, 61[/SIZE]
[SIZE=2]004014ED |. 04 0A |add al, 0A[/SIZE]
[SIZE=2]004014EF |. EB 04 |jmp short 004014F5[/SIZE]
[SIZE=2]004014F1 |> 2C 41 |sub al, 41[/SIZE]
[SIZE=2]004014F3 |. 04 0A |add al, 0A[/SIZE]
[SIZE=2]004014F5 |> 0FB6C0 |movzx eax, al ; Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 004014D7[/SIZE]
[SIZE=2]004014F8 |. 8BCE |mov ecx, esi[/SIZE]
[SIZE=2]004014FA |. 49 |dec ecx[/SIZE]
[SIZE=2]004014FB |. EB 03 |jmp short 00401500[/SIZE]
[SIZE=2]004014FD |> F7E3 |/mul ebx[/SIZE]
[SIZE=2]004014FF |. 49 ||dec ecx[/SIZE]
[SIZE=2]00401500 |> 83F9 00 | cmp ecx, 0[/SIZE]
[SIZE=2]00401503 |.^ 77 F8 |\ja short 004014FD[/SIZE]
[SIZE=2]00401505 |. 0145 FC |add dword ptr [ebp-4], eax[/SIZE]
[SIZE=2]00401508 |. 47 |inc edi[/SIZE]
[SIZE=2]00401509 |. 4E |dec esi[/SIZE]
[SIZE=2]0040150A |> 0BF6 or esi, esi[/SIZE]
[SIZE=2]0040150C |.^ 75 C7 \jnz short 004014D5[/SIZE]
[SIZE=2]0040150E |. 8B45 FC mov eax, dword ptr [ebp-4][/SIZE]
[SIZE=2]00401511 |. 5E pop esi[/SIZE]
[SIZE=2]00401512 |. 5A pop edx[/SIZE]
[SIZE=2]00401513 |. 5F pop edi[/SIZE]
[SIZE=2]00401514 |. 59 pop ecx[/SIZE]
[SIZE=2]00401515 |. 5B pop ebx[/SIZE]
[SIZE=2]00401516 |. C9 leave[/SIZE]
[SIZE=2]00401517 \. C2 0400 retn 4[/SIZE]
一个完整的小函数 设计的相当精巧 类似于
[SIZE=2]long Fanc(LPSTR)[/SIZE]
[SIZE=2]{[/SIZE]
[SIZE=2]long dwM;[/SIZE]
[SIZE=2]....[/SIZE]
[SIZE=2]...[/SIZE]
[SIZE=2]..[/SIZE]
[SIZE=2].[/SIZE]
[SIZE=2]}[/SIZE]
传入的参数是ID=5的EDIT里面的字符串 这个EDIT里面是我们输入的区段大小 猜想都可以知道 这个函数是把字符串转化为
HEX整型变量的 对于这个函数我十分感兴趣 但起初是觉得这一定是现成的函数 不用太在意 一定可以在网上找到 不过我错
了 的确是翻了很久 很久 在网上也没有找到一个比较完整好用的函数 于是分析了一下
先调用lstrlenA得到字符串的长度 之后就进入循环 读入一个字节 比较该字节的ascii值 30h~39h就直接减去30h 即为0~9
如果是61h~66h就减去61h之后再加上0Ah 就是0Ah~0Fh 之后用这个值去乘以10h 分别乘以当前esi-1次 即实现了进位
之后出乘法小循环 把中间结果保存在局部变量里 字符串指针+1 esi变量-1 再去循环 直到最后esi为0 退出大循环
最后的结果保存在 EAX寄存器里…… 要注意的是004014F1那个分支对所有不在30h~39h和61h~66h之间的字符一律按大写A~F处理（减41h再加0Ah） 并没有检查al是否真的在41h~46h之间 所以输入非十六进制字符时得到的区段大小是错的 而这个值后面会直接决定往文件映射里写多少字节（rep stosb的ecx） 写多了就越过映射末尾
好了 大概经过我们都明白了 这个程序就像是自己的了 看哪里都知道原理 呵呵 但这还不是我们的最终目的 嘻嘻
知道原理就要实现 逆向高级语言都不怕难 何况这种会编写的清晰的都告诉你API的程序呢
所以ASM写了自己的一个小工具 对他的代码某些部分进行了优化
代码里引用了 玩命 大侠 在《【成果6.1】软件保护壳技术专题 - 添加新节》 一文中的代码 稍作修改 主要是不敢班门弄斧
代码中引用了 罗云彬 @公用子程序部分:窗口部分 将窗口移动到屏幕中间函数
.386
.model flat, stdcall
option casemap:none
;; ----------------------------------------
;; header file and lib file
;; (windows.inc is conventionally included before the API .inc files)
;; ----------------------------------------
include kernel32.inc
include user32.inc
include comdlg32.inc
includelib kernel32.lib
includelib user32.lib
includelib comdlg32.lib
include windows.inc
;; forward declarations: both are invoked before they are defined
PEAlign proto dwTarNum : DWORD, dwAlignTo : DWORD
AddSection proto pMem : LPVOID, 
 pSectionName : LPVOID, 
 dwSectionSize : DWORD
;DLGproc proto dlghwnd:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
;_CenterWindow proto :DWORD ;centre a window on the screen, by 罗云彬 (common routines: window section)
;; extra bytes CryptFile adds to the file-mapping size beyond the original
;; file length (the mapping also grows the file on disk by that much)
APPEND_SIZE equ 2000h
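.data
ofn             OPENFILENAME <>
;; GetOpenFileName filter: "description",0,"pattern",0 pairs ending in an
;; extra 0.  A lone description with no pattern and no double NUL (the old
;; "eXe Files(*.eXe)",0) makes the dialog read its pattern and list
;; terminator from whatever bytes follow in .data.
lpstrFilter     db "Executable Files (*.exe;*.dll)",0,"*.exe;*.dll",0
                db "All Files (*.*)",0,"*.*",0,0
lpstrFile       db MAX_PATH dup(0)         ; path chosen in the open dialog / read back from the dialog
lpstrBAKFile    db (MAX_PATH+8) dup(0)     ; lpstrFile + ".bak"; larger than lpstrFile so lstrcat cannot run past its end
lpBAK           db ".bak",0
lpsectionName   db 9 dup(0)                ; up to 8 name bytes (IMAGE_SIZEOF_SHORT_NAME) plus the NUL GetDlgItemText writes
lpsectionSize   db 16 dup(0)               ; hex text of the new section size, e.g. "1000"
;////////////////////////////////////////////////////////////////
;The following variables are taken from 玩命's 【成果6.1】软件保护壳技术专题 - 添加新节
;////////////////////////////////////////////////////////////////
g_szErr                 db "错误",0
g_szDone                db "添加区段成功!",0      ; was "文件加密成功!", left over from the packer this was copied from
g_szDoneCap             db "^_^",0
g_szOpenFileFailed      db "打不开文件",0
g_szGetFileSizeFailed   db "获取文件大小失败",0
g_szCreateMapFailed     db "创建文件映射失败",0
g_szMapFileFailed       db "映射文件到内存失败",0
g_szInvalidPE           db "无效的PE文件",0
g_bError                db 0               ; 0 = last CryptFile call succeeded, 1 = it failed
g_dwNewSectionSize      dd 0               ; requested VirtualSize of the new section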
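.code
;////////////////////////////////////////////////////////////////
;The following routine is adapted, with changes, from 玩命's
;【成果6.1】软件保护壳技术专题 - 添加新节
;http://bbs.pediy.com/showthread.php?p=467116
;////////////////////////////////////////////////////////////////
CryptFile proc uses esi, szFname : LPSTR,szSectionName:LPSTR,dwSectionSize:DWORD
;; Open szFname read/write, map it, validate that it is a PE32 image and
;; append a new section of dwSectionSize bytes named szSectionName (see
;; AddSection).  Reports the result in a MessageBox and sets g_bError
;; (0 = success, 1 = failure).  No return value.
;;
;; The file is treated as untrusted input: every header offset is checked
;; against the file size before it is dereferenced, and each handle is
;; released exactly once on every path.  (The previous ShowErr ->
;; LogicShellExit route unmapped/closed a second time, on uninitialised
;; locals for the early failures.)
;; esi is saved because this runs inside a dialog procedure and Win32
;; callbacks must preserve ebx/esi/edi.
    LOCAL hFile          : HANDLE
    LOCAL hMap           : HANDLE
    LOCAL pMem           : LPVOID
    LOCAL dwOrigFileSize : DWORD
    LOCAL dwMapSize      : DWORD
    LOCAL dwNTOffset     : DWORD
    LOCAL dwNewEnd       : DWORD
    LOCAL pErrMsg        : LPSTR

    .data
    g_szNotPE32   db "只支持32位PE文件",0
    g_szNoRoom    db "节表后面没有空间放新的节表项",0
    g_szTooLarge  db "新区段太大",0
    .code

    mov g_bError, 0
    mov eax, dwSectionSize
    mov g_dwNewSectionSize, eax
    mov hFile, 0
    mov hMap, 0
    mov pMem, 0
    mov pErrMsg, 0

    ;; ---- open the file; no sharing while it is being rewritten ----
    invoke CreateFile, szFname, GENERIC_READ or GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0
    .IF eax == INVALID_HANDLE_VALUE
        mov eax, offset g_szOpenFileFailed
        jmp ShowErr
    .ENDIF
    mov hFile, eax

    ;; ---- size.  INVALID_FILE_SIZE (not 0) is the failure code.  The high
    ;;      dword is ignored, so files of 4 GB or more are not supported ----
    invoke GetFileSize, hFile, NULL
    .IF eax == 0FFFFFFFFh
        mov eax, offset g_szGetFileSizeFailed
        jmp ShowErr
    .ENDIF
    .IF eax < sizeof IMAGE_DOS_HEADER
        jmp InvalidPE
    .ENDIF
    mov dwOrigFileSize, eax
    ;; The mapping (and with it the file on disk) grows to hold the old
    ;; image, the new section's bytes and APPEND_SIZE of slack for the
    ;; alignment padding.  The file is cut back to its real end once the
    ;; view is unmapped.
    add eax, dwSectionSize
    jc SizeOverflow
    add eax, APPEND_SIZE
    jc SizeOverflow
    mov dwMapSize, eax

    ;; ---- map it read/write.  FILE_MAP_COPY is deliberately not used: a
    ;;      copy-on-write view would never write back to the file ----
    invoke CreateFileMapping, hFile, NULL, PAGE_READWRITE, 0, dwMapSize, NULL
    .IF eax == 0
        mov eax, offset g_szCreateMapFailed
        jmp ShowErr
    .ENDIF
    mov hMap, eax
    invoke MapViewOfFile, hMap, FILE_MAP_READ or FILE_MAP_WRITE, 0, 0, 0
    .IF eax == 0
        mov eax, offset g_szMapFileFailed
        jmp ShowErr
    .ENDIF
    mov pMem, eax

    ;; ---- validate the headers before trusting any offset in them ----
    mov esi, eax
    assume esi : ptr IMAGE_DOS_HEADER
    .IF [esi].e_magic != 'ZM'                ; "MZ" read as a little-endian word
        jmp InvalidPE
    .ENDIF
    mov eax, [esi].e_lfanew
    assume esi : nothing
    mov dwNTOffset, eax
    add eax, sizeof IMAGE_NT_HEADERS         ; the whole NT header must lie inside the file
    jc InvalidPE
    .IF eax > dwOrigFileSize
        jmp InvalidPE
    .ENDIF
    add esi, dwNTOffset
    assume esi : ptr IMAGE_NT_HEADERS
    .IF [esi].Signature != 00004550h         ; "PE\0\0" (IMAGE_NT_SIGNATURE): all four bytes, not just "PE"
        jmp InvalidPE
    .ENDIF
    .IF [esi].OptionalHeader.Magic != 10Bh   ; IMAGE_NT_OPTIONAL_HDR32_MAGIC; PE32+ has another layout
        mov eax, offset g_szNotPE32
        jmp ShowErr
    .ENDIF
    .IF [esi].OptionalHeader.FileAlignment == 0 || [esi].OptionalHeader.SectionAlignment == 0
        jmp InvalidPE                        ; PEAlign would divide by zero
    .ENDIF
    movzx eax, word ptr [esi].FileHeader.NumberOfSections
    .IF eax == 0
        jmp InvalidPE                        ; nothing to append after
    .ENDIF
    imul eax, eax, sizeof IMAGE_SECTION_HEADER
    movzx ecx, word ptr [esi].FileHeader.SizeOfOptionalHeader
    add eax, ecx
    add eax, 4 + sizeof IMAGE_FILE_HEADER
    add eax, dwNTOffset                      ; eax = end of the existing section table
    jc InvalidPE
    .IF eax > dwOrigFileSize
        jmp InvalidPE
    .ENDIF
    mov eax, [esi].OptionalHeader.SizeOfHeaders
    .IF eax > dwOrigFileSize
        jmp InvalidPE
    .ENDIF
    assume esi : nothing

    ;; ---- append the section ----
    invoke AddSection, pMem, szSectionName, g_dwNewSectionSize
    .IF eax == 0
        mov eax, offset g_szNoRoom
        jmp ShowErr
    .ENDIF
    ;; eax -> the new section header: remember where its raw data ends so
    ;; the file can be cut back to that length.  Never cut below the
    ;; original size.
    assume eax : ptr IMAGE_SECTION_HEADER
    mov ecx, [eax].PointerToRawData
    add ecx, [eax].SizeOfRawData
    assume eax : nothing
    .IF ecx < dwOrigFileSize
        mov ecx, dwOrigFileSize
    .ENDIF
    mov dwNewEnd, ecx
    jmp Cleanup

SizeOverflow:
    mov eax, offset g_szTooLarge
    jmp ShowErr
InvalidPE:
    mov eax, offset g_szInvalidPE
ShowErr:
    ;; eax -> message; it is shown after the handles are released
    mov pErrMsg, eax
    mov g_bError, 1
Cleanup:
    .IF pMem != 0
        invoke UnmapViewOfFile, pMem
    .ENDIF
    .IF hMap != 0
        invoke CloseHandle, hMap
    .ENDIF
    .IF hFile != 0
        .IF g_bError == 0
            ;; the mapping extended the file to dwMapSize; SetEndOfFile
            ;; only works once no view of the file is mapped
            invoke SetFilePointer, hFile, dwNewEnd, NULL, FILE_BEGIN
            invoke SetEndOfFile, hFile
        .ENDIF
        invoke CloseHandle, hFile
    .ENDIF
    .IF g_bError == 0
        invoke MessageBox, NULL, offset g_szDone, offset g_szDoneCap, MB_ICONINFORMATION
    .ELSE
        invoke MessageBox, NULL, pErrMsg, offset g_szErr, MB_ICONERROR
    .ENDIF
    ret
CryptFile endp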
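AddSection proc uses ebx ecx edx esi edi, pMem : LPVOID,
 pSectionName : LPVOID,
 dwSectionSize : DWORD
;; Append one section to the PE32 image mapped at pMem.
;;   pMem          - base of a writable view of the whole file (headers
;;                   already validated by the caller)
;;   pSectionName  - NUL-terminated name; at most 8 bytes are used
;;   dwSectionSize - VirtualSize of the new section; SizeOfRawData is this
;;                   rounded up to FileAlignment
;; ret: eax -> the new IMAGE_SECTION_HEADER inside the view, or 0 when the
;;      header area (SizeOfHeaders) has no room for another 40-byte entry
;;      or the image has no sections to append after.  Nothing is modified
;;      when 0 is returned.
;; The new section is placed after the last existing one both in memory
;; (VirtualAddress) and in the file (PointerToRawData), its raw bytes are
;; zeroed, and NumberOfSections / SizeOfImage are updated.  The caller's
;; mapping must extend at least to PointerToRawData + SizeOfRawData.
;; Known limitation: data some linkers keep in the gap after the section
;; table (e.g. a bound import table) is not detected and would be
;; overwritten by the new header.
    LOCAL dwNTHeader   : LPVOID
    LOCAL dwLastSecTbl : LPVOID
    LOCAL dwFileAlig   : DWORD
    LOCAL dwSecAlig    : DWORD

    ;; ---- locate the NT header and the section table ----
    mov esi, pMem
    add esi, dword ptr [esi+3ch]                   ; IMAGE_DOS_HEADER.e_lfanew
    mov dwNTHeader, esi
    assume esi : ptr IMAGE_NT_HEADERS
    push dword ptr [esi].OptionalHeader.FileAlignment
    pop dwFileAlig
    push dword ptr [esi].OptionalHeader.SectionAlignment
    pop dwSecAlig
    movzx ecx, word ptr [esi].FileHeader.NumberOfSections
    .if ecx == 0
        jmp NoRoom
    .endif
    ;; section table = Signature + IMAGE_FILE_HEADER + SizeOfOptionalHeader.
    ;; SizeOfOptionalHeader is what the loader uses; "sizeof IMAGE_NT_HEADERS"
    ;; is only right for the standard PE32 optional-header size.
    movzx eax, word ptr [esi].FileHeader.SizeOfOptionalHeader
    lea edi, [esi + eax + 4 + sizeof IMAGE_FILE_HEADER]
    mov eax, sizeof IMAGE_SECTION_HEADER
    mul ecx
    add edi, eax                                   ; edi -> slot for the new header
    lea eax, [edi - sizeof IMAGE_SECTION_HEADER]
    mov dwLastSecTbl, eax                          ; -> current last header
    ;; ---- refuse if the new header would not end inside SizeOfHeaders;
    ;;      otherwise it lands on the first section's raw data ----
    lea eax, [edi + sizeof IMAGE_SECTION_HEADER]
    sub eax, pMem                                  ; file offset just past the new header
    .if eax > [esi].OptionalHeader.SizeOfHeaders
        jmp NoRoom
    .endif
    inc word ptr [esi].FileHeader.NumberOfSections
    assume esi : nothing

    ;; ---- fill in the new header ----
    mov esi, edi
    assume esi : ptr IMAGE_SECTION_HEADER
    xor eax, eax                                   ; zero all 40 bytes first so a short name
    mov ecx, sizeof IMAGE_SECTION_HEADER           ; is NUL padded and no stale bytes remain
    cld
    rep stosb
    lea edi, [esi].Name1
    mov edx, pSectionName
    xor ecx, ecx
    .while ecx < 8                                 ; IMAGE_SIZEOF_SHORT_NAME; no terminator needed
        mov al, byte ptr [edx+ecx]
        .break .if al == 0
        mov byte ptr [edi+ecx], al
        inc ecx
    .endw
    ;; CODE | INITIALIZED_DATA | UNINITIALIZED_DATA | EXECUTE | READ | WRITE.
    ;; An RWX section is what a packer stub needs; for data only,
    ;; 0C0000040h (INITIALIZED_DATA | READ | WRITE) avoids a writable
    ;; executable page.
    mov dword ptr [esi].Characteristics, 0E00000E0h
    mov eax, dwSectionSize
    mov dword ptr [esi].Misc.VirtualSize, eax
    invoke PEAlign, dwSectionSize, dwFileAlig
    mov dword ptr [esi].SizeOfRawData, eax
    ;; ---- place it after the last section ----
    mov ebx, dwLastSecTbl
    assume ebx : ptr IMAGE_SECTION_HEADER
    mov ecx, dword ptr [ebx].Misc.VirtualSize
    .if ecx < dword ptr [ebx].SizeOfRawData        ; VirtualSize may be 0 or below the raw size;
        mov ecx, dword ptr [ebx].SizeOfRawData     ; use the larger so the RVAs cannot overlap
    .endif
    add ecx, dword ptr [ebx].VirtualAddress
    invoke PEAlign, ecx, dwSecAlig
    mov dword ptr [esi].VirtualAddress, eax
    mov ecx, dword ptr [ebx].PointerToRawData
    add ecx, dword ptr [ebx].SizeOfRawData
    invoke PEAlign, ecx, dwFileAlig
    mov dword ptr [esi].PointerToRawData, eax
    assume ebx : nothing
    ;; ---- SizeOfImage = end of the new section, section-aligned ----
    mov eax, dword ptr [esi].VirtualAddress
    add eax, dword ptr [esi].Misc.VirtualSize
    invoke PEAlign, eax, dwSecAlig
    mov edx, dwNTHeader
    assume edx : ptr IMAGE_NT_HEADERS
    mov dword ptr [edx].OptionalHeader.SizeOfImage, eax
    assume edx : nothing
    ;; ---- zero the whole raw block (SizeOfRawData, not just dwSectionSize) ----
    mov edi, dword ptr [esi].PointerToRawData
    add edi, pMem
    mov ecx, dword ptr [esi].SizeOfRawData
    xor eax, eax
    cld
    rep stosb
    mov eax, esi
    assume esi : nothing
    ret
NoRoom:
    assume esi : nothing
    xor eax, eax
    ret
AddSection endp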
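PEAlign proc uses ecx edx, dwTarNum : DWORD, dwAlignTo : DWORD
;; Round dwTarNum up to the next multiple of dwAlignTo.
;; ret: eax = the aligned value (dwTarNum itself when already aligned).
;; dwAlignTo == 0 would be a divide-by-zero trap - a corrupt PE can carry
;; FileAlignment or SectionAlignment == 0 - so it is treated as "no
;; alignment" and dwTarNum is returned unchanged.
;; NOTE: the result wraps if the aligned value does not fit in 32 bits.
    mov eax, dwTarNum
    mov ecx, dwAlignTo
    .if ecx == 0
        ret
    .endif
    xor edx, edx
    div ecx                 ; eax = dwTarNum / dwAlignTo, edx = remainder
    .if edx != 0
        inc eax             ; partial block -> round up
    .endif
    mul ecx
    ret
PEAlign endp
;////////////////////////////////////////////////////////////////////////
;end of the adapted code
;////////////////////////////////////////////////////////////////////////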
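_CenterWindow proc uses ebx, hWnd:DWORD
;; Move hWnd so it is centred on the desktop window (by 罗云彬, common
;; routines: window section).  ebx is saved/restored because this is
;; called from the dialog procedure and Win32 callbacks must preserve
;; ebx/esi/edi; the original clobbered it.
    local @stRectDeskTop:RECT,@stRectWin:RECT
    local @dwWidth:DWORD,@dwHeight:DWORD
    invoke GetWindowRect,hWnd,addr @stRectWin
    invoke GetDesktopWindow
    mov ebx,eax                               ; kept in ebx: "addr" below needs eax
    invoke GetWindowRect,ebx,addr @stRectDeskTop
    ;; window extents
    mov eax,@stRectWin.bottom
    sub eax,@stRectWin.top
    mov @dwHeight,eax
    mov eax,@stRectWin.right
    sub eax,@stRectWin.left
    mov @dwWidth,eax
    ;; top-left = (desktop extent - window extent) / 2 on each axis
    mov ebx,@stRectDeskTop.bottom
    sub ebx,@dwHeight
    shr ebx,1
    mov ecx,@stRectDeskTop.right
    sub ecx,@dwWidth
    shr ecx,1
    invoke MoveWindow,hWnd,ecx,ebx,@dwWidth,@dwHeight,FALSE
    ret
_CenterWindow endp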
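LpstrToHex proc uses esi ecx edx, lpstr:LPSTR
;; Parse the hexadecimal text at lpstr into a DWORD.
;;   accepts 0-9, a-f, A-F and an optional "0x"/"0X" prefix
;; ret: eax = value, or 0 when lpstr is NULL or empty, contains a byte
;;      that is not a hex digit, or has more than 8 digits (the value would
;;      not fit in 32 bits).  0 therefore doubles as the "invalid" result.
;; The previous version accepted only 0-9 and a-f: its A-F test was nested
;; inside the a-f branch and never reached, so upper-case digits and any
;; other byte were accumulated as their raw ASCII value and the size that
;; came out of it drove the rep stosb in AddSection.
    mov esi, lpstr
    xor eax, eax
    .if esi == 0
        ret
    .endif
    .if byte ptr [esi] == '0'
        mov cl, byte ptr [esi+1]
        .if cl == 'x' || cl == 'X'
            add esi, 2
        .endif
    .endif
    xor ecx, ecx                       ; digits consumed
NextDigit:
    movzx edx, byte ptr [esi]
    test edx, edx
    jz EndOfString
    .if edx >= '0' && edx <= '9'
        sub edx, '0'
    .elseif edx >= 'a' && edx <= 'f'
        sub edx, 'a' - 10
    .elseif edx >= 'A' && edx <= 'F'
        sub edx, 'A' - 10
    .else
        jmp BadInput
    .endif
    inc ecx
    .if ecx > 8
        jmp BadInput
    .endif
    shl eax, 4                         ; most-significant digit first
    or eax, edx
    inc esi
    jmp NextDigit
EndOfString:
    .if ecx == 0
        jmp BadInput                   ; empty string, or just "0x"
    .endif
    ret
BadInput:
    xor eax, eax
    ret
LpstrToHex endp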
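DLGproc proc dlghwnd:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
;; Dialog procedure for IDD_DLG1 (resource id 1000).  Control ids are the
;; resource script's: 1001 open-file button, 1002 "back up original" check
;; box, 1003 static showing the chosen path, 1005 section-name edit, 1007
;; section-size edit (hex), 1008 "add section" button.
;; Returns TRUE for messages it handles and FALSE otherwise, as a DlgProc must.
;; Order for 1008 is: read inputs -> validate -> back up -> patch, and the
;; backup's CopyFile result is checked (the original tool did so too; the
;; first rewrite dropped it), so a failed backup never leads to a modified
;; original.
    LOCAL dwNewSize:DWORD

    .data
    szNoFile   db "请先选择要处理的PE文件",0
    szBadSize  db "新区段大小必须是1~8位十六进制数",0
    szBakFail  db "备份源文件失败,已取消操作",0
    szTooLong  db "文件名过长,无法生成备份文件名",0
    .code

    mov eax,uMsg
    .if eax == WM_CLOSE
        invoke EndDialog,dlghwnd,NULL
;********************************************************************
    .elseif eax == WM_INITDIALOG
        invoke _CenterWindow,dlghwnd
;********************************************************************
    .elseif eax == WM_COMMAND
        mov eax,wParam
        movzx eax,ax                          ; LOWORD(wParam) = control id
        .if eax == 1001
            ;; IDC_BTN1: pick the target file with the common dialog
            mov ofn.lStructSize,sizeof ofn
            push dlghwnd
            pop ofn.hwndOwner                 ; make the open dialog modal to us
            mov eax,offset lpstrFilter
            mov ofn.lpstrFilter,eax
            mov eax,offset lpstrFile
            mov ofn.lpstrFile,eax
            mov ofn.nMaxFile,sizeof lpstrFile
            mov ofn.Flags,OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST
            invoke GetOpenFileName,addr ofn
            .if eax != 0
                invoke SetDlgItemText,dlghwnd,1003,ofn.lpstrFile
            .endif
        .elseif eax == 1008
            ;; IDC_BTN2: add the section
            invoke GetDlgItemText,dlghwnd,1003,offset lpstrFile,sizeof lpstrFile
            .if eax == 0
                invoke MessageBox,dlghwnd,offset szNoFile,offset g_szErr,MB_ICONERROR
                jmp Handled
            .endif
            invoke GetDlgItemText,dlghwnd,1005,offset lpsectionName,sizeof lpsectionName
            invoke GetDlgItemText,dlghwnd,1007,offset lpsectionSize,sizeof lpsectionSize
            invoke LpstrToHex,offset lpsectionSize
            .if eax == 0                      ; not a hex number (or zero size)
                invoke MessageBox,dlghwnd,offset szBadSize,offset g_szErr,MB_ICONERROR
                jmp Handled
            .endif
            mov dwNewSize,eax
            invoke IsDlgButtonChecked,dlghwnd,1002
            .if eax == 1                      ; BST_CHECKED
                ;; lpstrFile + ".bak" (and its NUL) must fit lpstrBAKFile
                invoke lstrlen,offset lpstrFile
                add eax,sizeof lpBAK
                .if eax > sizeof lpstrBAKFile
                    invoke MessageBox,dlghwnd,offset szTooLong,offset g_szErr,MB_ICONERROR
                    jmp Handled
                .endif
                invoke lstrcpy,offset lpstrBAKFile,offset lpstrFile
                invoke lstrcat,offset lpstrBAKFile,offset lpBAK
                invoke CopyFile,offset lpstrFile,offset lpstrBAKFile,FALSE
                .if eax == 0
                    invoke MessageBox,dlghwnd,offset szBakFail,offset g_szErr,MB_ICONERROR
                    jmp Handled
                .endif
            .endif
            invoke CryptFile,offset lpstrFile,offset lpsectionName,dwNewSize
        .endif
;********************************************************************
; A dialog procedure returns TRUE for messages it handled and FALSE for
; those it did not.
;********************************************************************
    .else
        mov eax,FALSE
        ret
    .endif
Handled:
    mov eax,TRUE
    ret
DLGproc endp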
start:
;; Entry point: run dialog resource 1000 modally with DLGproc as its
;; procedure (DialogBoxParam returns only after EndDialog), then exit.
invoke GetModuleHandle,0
invoke DialogBoxParam,eax,1000,0,addr DLGproc,0
invoke ExitProcess,0
end start
附上资源脚本
// Control ids; DLGproc compares against the same numbers as literals.
#define IDD_DLG1 1000
#define IDC_BTN1 1001    // "open file" button
#define IDC_CHK1 1002    // "back up original file" check box
#define IDC_STC1 1003    // static: shows the chosen path (read back with GetDlgItemText)
#define IDC_STC2 1004
#define IDC_EDT1 1005    // edit: new section name
#define IDC_STC3 1006
#define IDC_EDT2 1007    // edit: new section size, hex text
#define IDC_BTN2 1008    // "add section" button
#define IDR_VERSION 1
IDD_DLG1 DIALOGEX 6,6,99,108
CAPTION "SCTaDD_BY_eASYSCt"
FONT 8,"MS Sans Serif",0,0
STYLE 0x10CA0000
BEGIN
CONTROL "打开文件",IDC_BTN1,"Button",0x50010000,4,1,92,15
CONTROL "备份源文件",IDC_CHK1,"Button",0x50010003,4,20,92,15
CONTROL "",IDC_STC1,"Static",0x50000000,2,40,94,13
CONTROL "新区段名",IDC_STC2,"Static",0x50000000,2,60,36,9
CONTROL "",IDC_EDT1,"Edit",0x50010000,46,57,50,15,0x00000200
CONTROL "新区段大小",IDC_STC3,"Static",0x50000000,2,77,42,9
CONTROL "",IDC_EDT2,"Edit",0x50010000,46,73,50,15,0x00000200
CONTROL "增加区段",IDC_BTN2,"Button",0x50010000,4,90,92,13
END
IDR_VERSION VERSIONINFO
FILEVERSION 1,0,0,0
PRODUCTVERSION 1,0,0,0
FILEOS 0x00000004
FILETYPE 0x00000000
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "FFFF0000"
BEGIN
VALUE "FileVersion", "1.0.0.0\0"
VALUE "ProductVersion", "1.0.0.0\0"
VALUE "CompanyName", "hIMcrACk\0"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0xFFFF, 0x0000
END
END
玩命 大侠的代码在http://bbs.pediy.com/showthread.php?p=467116有详细注释的 像我一样的小菜虫可以去阅读~
其中 函数LpstrToHex为自己优化后的字符串转16进制整型变量的函数 算法上不算高明 结构上不算美观 不过能够达到效用（注意它只认0~9和小写a~f：那段.elseif al>=41h嵌在al>=61h的分支里面 大写A~F根本走不到 会被当成原始ASCII值累加进去 小于30h的字符则直接跳出循环 用之前请先把这几处修正）
有需要的朋友可以拿去使用~~
期待大牛们逆出效率更高 结构更漂亮的函数 以供收藏……
天快亮了 就不多写了 最后把工具上传 喜欢就拿去用~
感谢你耐心的看到这里 为能忍受菜菜的笔记所感谢~ 【经验总结】
PE文件结构基础 asm的练习 细心coding 耐心debuging是最大收获
tHAT is ALl
THX!!!! 2008年11月23日 6:16:55