.686 .model flat,stdcall option casemap:none
include windows.inc include kernel32.inc include user32.inc include gdi32.inc include Comctl32.inc include comdlg32.inc include shell32.inc include masm32.inc include dbghelp.inc include msvcrt.inc include Libc.inc
includelib kernel32.lib includelib user32.lib includelib gdi32.lib includelib Comctl32.lib includelib comdlg32.lib includelib shell32.lib includelib masm32.lib includelib dbghelp.lib includelib msvcrt.lib includelib LIBC.LIB
DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD OpenFileProc proto :DWORD OutputInfo proto :DWORD,:DWORD SaveDumpFile proto :DWORD,:DWORD,:DWORD PEinfo proto :DWORD Handler proto :DWORD FindString proto :DWORD,:DWORD,:WORD LoadDll proto :dword
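;-----------------------------------------------------------------------
; Resource IDs, globals and the CTEXT helper macro.
; Sizes that matter for safety:
;   OutBuff  - wsprintf target; wsprintf writes at most 1024 chars + NUL,
;              and the DLL names formatted into it come from the untrusted
;              file, so it is sized to the API maximum rather than to 256.
;   ProgPath - receives DlgProc's FilePath (MAX_PATH+2 bytes) via lstrcpy;
;              it must be at least that large or the copy overruns into the
;              globals that follow it.
;-----------------------------------------------------------------------
.const
IDD_MAIN        equ 1000
IDC_FileName    equ 1002
IDC_OPEN        equ 1003
IDC_GET         equ 1007
IDC_ABOUT       equ 1011
IDC_Exit        equ 1010
IDC_OutInf      equ 1012
ico             equ 2001

.data
startinfo       STARTUPINFO <>
processInfo     PROCESS_INFORMATION <>
oldbyte         dd 0                    ; original first byte of the mapped image's entry point
szBuffur        db 256 dup(0)
OutBuff         db 1025 dup(0)          ; wsprintf scratch: 1024 chars + NUL (API maximum)

.data?
hDlg            HINSTANCE ?             ; main dialog, set in WM_INITDIALOG
hInstance       HINSTANCE ?
lpOldHandler    dd ?
DllEntryPoint   dd ?                    ; VA of the mapped image's entry point (0 = nothing loaded)
OEP             dd ?
loaded_dll      dd ?                    ; base of the manually mapped image (VirtualAlloc)
dwFileSize      dd ?
stolenbyte      dd ?                    ; VA where LoadDll planted the INT3
pPE             dd ?
dwAddress       dd ?
dwRetAddr       dd ?
flOldProtect    dd ?
hMap            dd ?                    ; file mapping of the input file while it is being copied
pMap            dd ?                    ; view of that mapping
dwMapSize       dd ?
hProcess        dd ?
pid             dd ?
hOutputCtl      dd ?
ProgPath        db MAX_PATH+2 dup(?)    ; path from IDC_FileName; sized to match DlgProc's FilePath
dwDumpSize      dd ?                    ; SizeOfImage of the mapped image
dwDllBase       dd ?
section         dd ?                    ; first IMAGE_SECTION_HEADER (in the file mapping)
dwNewFSize      dd ?
dwcExtra        dd ?
bAppendExtraData dd ?
NumOfSec        dd ?                    ; NumberOfSections of the mapped image
imagebase       dd ?
IATsize         dd ?

; CTEXT("...") places a NUL-terminated literal in .data and yields its offset.
CTEXT macro Text:VARARG
    local szText
    .data
        szText byte Text, 0
    .code
    exitm <offset szText>
endm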
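;-----------------------------------------------------------------------
; Program entry: run the IDD_MAIN dialog modally; its return value becomes
; the process exit code.
;-----------------------------------------------------------------------
.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance, eax
    invoke InitCommonControls
    invoke DialogBoxParam, hInstance, IDD_MAIN, NULL, addr DlgProc, NULL
    invoke ExitProcess, eax

;-----------------------------------------------------------------------
; DlgProc - dialog procedure of IDD_MAIN.
;   IDC_OPEN  : file picker; chosen path shown in IDC_FileName, output cleared
;   IDC_GET   : copy IDC_FileName into ProgPath (bounded) and call `process`
;   IDC_ABOUT : about box;  IDC_Exit : ExitProcess(0);  WM_CLOSE : EndDialog
;   Returns FALSE (0) for every message.
;   `uses ebx esi edi` restores the callee-saved registers for user32 no
;   matter what the code reached through `process` (LoadDll, the loaded
;   image's own code) clobbers.
;-----------------------------------------------------------------------
DlgProc proc uses ebx esi edi hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    LOCAL FilePath[MAX_PATH+2]:BYTE

    .if uMsg == WM_INITDIALOG
        push hWnd
        pop hDlg
        invoke LoadIcon, hInstance, ico
        invoke SendMessage, hWnd, WM_SETICON, 1, eax
        ; NOTE(review): eax here is WM_SETICON's return value (the previous
        ; icon handle, 0 the first time), not a window handle; kept as in the
        ; original, but the intent of this SetFocus is unclear.
        invoke SetFocus, eax
    .elseif uMsg == WM_COMMAND
        mov eax, wParam
        .if eax == IDC_OPEN
            lea eax, FilePath
            mov dword ptr [eax], 0              ; empty initial file name
            invoke OpenFileProc, eax
            .if eax != 0
                invoke SetDlgItemText, hWnd, IDC_FileName, addr FilePath
            .endif
            invoke SetDlgItemText, hWnd, IDC_OutInf, 0
        .elseif eax == IDC_GET
            invoke GetDlgItemText, hWnd, IDC_FileName, addr FilePath, MAX_PATH
            invoke RtlZeroMemory, addr ProgPath, sizeof ProgPath
            ; bounded copy: FilePath may hold more than ProgPath can take
            invoke lstrcpyn, addr ProgPath, addr FilePath, sizeof ProgPath
            call process
        .elseif eax == IDC_ABOUT
            invoke MessageBox, NULL, CTEXT(13," Unpacker by laomms ",13,13," --===2008.5===-- ",0), CTEXT("About"), MB_OK
        .elseif eax == IDC_Exit
            invoke ExitProcess, 0
        .endif
    .elseif uMsg == WM_CLOSE
        invoke EndDialog, hWnd, 0
    .endif
    xor eax, eax
    ret
DlgProc endp

;-----------------------------------------------------------------------
; OpenFileProc - show the Open dialog.
;   In:  OpenFileNameBuffer = caller's buffer of at least MAX_PATH bytes;
;        its current contents are the initial file name and it receives
;        the chosen path.
;   Out: eax = GetOpenFileName result (non-zero when a file was chosen).
;   Uses RtlZeroMemory for the OPENFILENAME block so no register other than
;   eax is touched (the old byte loop clobbered esi inside a dialog callback).
;-----------------------------------------------------------------------
OpenFileProc proc OpenFileNameBuffer:DWORD
    LOCAL ofn:OPENFILENAME

    invoke RtlZeroMemory, addr ofn, sizeof OPENFILENAME
    mov ofn.lStructSize, sizeof OPENFILENAME
    mov eax, hDlg
    mov ofn.hWndOwner, eax
    mov eax, hInstance
    mov ofn.hInstance, eax
    mov ofn.lpstrFilter, CTEXT("PE 文件(*.dll)", 0, "*.dll", 0,13,10,"All",0,"*.*",0 , 0)
    mov eax, OpenFileNameBuffer
    mov ofn.lpstrFile, eax
    mov ofn.nMaxFile, MAX_PATH
    mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
    mov ofn.lpstrTitle, CTEXT("打开可执行文件…")
    invoke GetOpenFileName, addr ofn
    ret
OpenFileProc endp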
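;-----------------------------------------------------------------------
; LoadDll - manually map a PE file (an untrusted input) into this process.
;   In:  szFilePath = ANSI path of the file
;   Out: eax = 1 on success, 0 on failure.  On failure everything acquired
;        is released and DllEntryPoint stays 0, so the caller must not
;        transfer control.  Import failures raise a message box first.
;   Globals written: dwFileSize, hMap, pMap, section, dwDumpSize, NumOfSec,
;        loaded_dll, stolenbyte, oldbyte, DllEntryPoint.
;   Steps: map the file read-only, validate every header field used against
;   the file size / SizeOfImage, VirtualAlloc(SizeOfImage, RWX), copy
;   headers and sections, resolve imports with LoadLibrary/GetProcAddress,
;   apply HIGHLOW relocations when not at ImageBase, then save the first
;   byte of the entry point in oldbyte and overwrite it with INT3 (0CCh).
;   Nothing from the file is executed here.
;   Bounds checks exist because every offset below is attacker controlled;
;   the old code would read/write outside the mapping on a crafted file.
;-----------------------------------------------------------------------
LoadDll proc uses esi edi szFilePath:dword
    LOCAL hFile:dword
    LOCAL imageEnd:dword                ; loaded_dll + SizeOfImage
    LOCAL secLeft:dword
    LOCAL temp_dll:dword
    LOCAL OriginalFirstThunk:dword
    LOCAL FirstThunk:dword
    LOCAL reloc:dword
    LOCAL reloc_size:dword
    LOCAL reloc_size2:dword
    LOCAL RelocThunk:dword
    LOCAL delta:dword

    ; nothing acquired yet; @fail only releases what is non-zero
    mov hFile, INVALID_HANDLE_VALUE
    mov hMap, 0
    mov pMap, 0
    mov loaded_dll, 0
    mov DllEntryPoint, 0

    ;---- map the file read-only ---------------------------------------
    invoke CreateFile, szFilePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0
    .if eax == INVALID_HANDLE_VALUE
        jmp @fail
    .endif
    mov hFile, eax
    invoke GetFileSize, hFile, NULL
    mov dwFileSize, eax
    .if eax == 0FFFFFFFFh || eax < sizeof IMAGE_DOS_HEADER   ; error, or too small for a DOS header
        jmp @fail
    .endif
    invoke CreateFileMapping, hFile, 0, PAGE_READONLY, 0, 0, 0
    .if eax == 0
        jmp @fail
    .endif
    mov hMap, eax
    invoke MapViewOfFile, hMap, FILE_MAP_READ, 0, 0, 0
    .if eax == 0
        jmp @fail
    .endif
    mov pMap, eax

    ;---- validate the headers against the file size -------------------
    mov ecx, (IMAGE_DOS_HEADER ptr [eax]).e_lfanew
    .if ecx >= dwFileSize
        jmp @fail
    .endif
    mov edx, dwFileSize
    sub edx, ecx
    .if edx < sizeof IMAGE_NT_HEADERS   ; NT headers would run past EOF
        jmp @fail
    .endif
    invoke ImageNtHeader, pMap          ; NULL unless the MZ/PE signatures check out
    .if eax == 0
        jmp @fail
    .endif
    mov edi, eax
    assume edi: ptr IMAGE_NT_HEADERS

    mov edx, [edi].OptionalHeader.SizeOfImage
    mov dwDumpSize, edx
    mov eax, [edi].OptionalHeader.SizeOfHeaders
    .if eax > edx || eax > dwFileSize   ; headers must fit both the image and the file
        jmp @fail
    .endif

    ; section table = NT headers + signature (4) + file header + optional header
    movzx ecx, [edi].FileHeader.SizeOfOptionalHeader
    mov eax, edi
    add eax, ecx
    add eax, 4 + sizeof IMAGE_FILE_HEADER
    mov section, eax
    movzx ecx, [edi].FileHeader.NumberOfSections
    mov NumOfSec, ecx
    mov secLeft, ecx
    imul ecx, ecx, sizeof IMAGE_SECTION_HEADER
    sub eax, pMap                       ; file offset of the table ...
    add eax, ecx                        ; ... and of its end
    .if eax > dwFileSize                ; table runs past EOF
        jmp @fail
    .endif

    ;---- allocate the image, copy headers and sections ----------------
    invoke VirtualAlloc, 0, dwDumpSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE
    .if eax == 0
        jmp @fail
    .endif
    mov loaded_dll, eax
    add eax, dwDumpSize
    mov imageEnd, eax                   ; one past the last image byte

    mov eax, [edi].OptionalHeader.SizeOfHeaders
    push eax
    push pMap
    push loaded_dll
    call memcpy                         ; cdecl: caller pops the arguments
    add esp, 0Ch

    mov esi, section
    assume esi: ptr IMAGE_SECTION_HEADER
    .while secLeft
        mov eax, [esi].SizeOfRawData
        .if eax                         ; sections with no raw data (.bss) stay zero-filled
            mov edx, [esi].PointerToRawData
            add edx, eax
            .if edx < eax || edx > dwFileSize    ; raw data wraps or runs past EOF
                jmp @fail
            .endif
            mov edx, [esi].VirtualAddress
            add edx, eax
            .if edx < eax || edx > dwDumpSize    ; destination wraps or leaves the image
                jmp @fail
            .endif
            push eax
            mov eax, [esi].PointerToRawData
            add eax, pMap
            push eax
            mov eax, [esi].VirtualAddress
            add eax, loaded_dll
            push eax
            call memcpy
            add esp, 0Ch
        .endif
        add esi, sizeof IMAGE_SECTION_HEADER
        dec secLeft
    .endw
    assume esi: nothing

    invoke UnmapViewOfFile, pMap
    mov pMap, 0
    invoke CloseHandle, hMap
    mov hMap, 0
    invoke CloseHandle, hFile
    mov hFile, INVALID_HANDLE_VALUE

    ;---- from here on only the in-memory image is used ----------------
    invoke ImageNtHeader, loaded_dll    ; edi pointed into the now-unmapped view
    .if eax == 0
        jmp @fail
    .endif
    mov edi, eax

    ;---- resolve imports (DataDirectory[8] = entry 1 as a byte offset) ---
    mov eax, [edi].OptionalHeader.DataDirectory[8].VirtualAddress
    .if eax                             ; no import table: nothing to resolve
        .if eax >= dwDumpSize
            jmp @fail
        .endif
        add eax, loaded_dll
        mov esi, eax
        assume esi: ptr IMAGE_IMPORT_DESCRIPTOR
        .while TRUE
            mov eax, esi                ; the descriptor itself must be inside the image
            add eax, sizeof IMAGE_IMPORT_DESCRIPTOR
            .if eax > imageEnd
                jmp @fail
            .endif
            .if [esi].Name1 == 0        ; terminating descriptor
                .break
            .endif
            mov eax, [esi].Name1
            .if eax >= dwDumpSize
                jmp @fail
            .endif
            mov eax, [esi].FirstThunk
            .if eax >= dwDumpSize
                jmp @fail
            .endif
            add eax, loaded_dll
            mov FirstThunk, eax
            mov ecx, [esi].OriginalFirstThunk       ; prefer the unbound name table ...
            .if ecx
                .if ecx >= dwDumpSize
                    jmp @fail
                .endif
                add ecx, loaded_dll
                mov eax, ecx
            .endif
            mov OriginalFirstThunk, eax             ; ... else read names from the IAT itself
            mov edx, loaded_dll
            add edx, [esi].Name1
            invoke LoadLibrary, edx
            .if eax == 0
                mov edx, loaded_dll     ; edx does not survive the call: recompute the name
                add edx, [esi].Name1
                invoke wsprintf, addr OutBuff, CTEXT("%.200s is missing"), edx
                invoke MessageBox, 0, addr OutBuff, CTEXT("import error"), MB_OK
                jmp @fail
            .endif
            mov temp_dll, eax
            .while TRUE
                ; both thunk slots must lie inside the image before they are touched
                mov eax, OriginalFirstThunk
                add eax, 4
                .if eax > imageEnd
                    jmp @fail
                .endif
                mov eax, FirstThunk
                add eax, 4
                .if eax > imageEnd
                    jmp @fail
                .endif
                mov eax, OriginalFirstThunk
                mov eax, [eax]
                .if eax == 0            ; end of this DLL's thunk list
                    .break
                .endif
                .if eax & 80000000h
                    movzx eax, ax       ; ordinal import: the ordinal is the low word, not the flag
                .else
                    .if eax >= dwDumpSize
                        jmp @fail
                    .endif
                    add eax, loaded_dll
                    add eax, 2          ; IMAGE_IMPORT_BY_NAME: skip the WORD hint
                .endif
                invoke GetProcAddress, temp_dll, eax
                .if eax == 0
                    mov edx, loaded_dll
                    add edx, [esi].Name1
                    invoke wsprintf, addr OutBuff, CTEXT("%.200s: import not found"), edx
                    invoke MessageBox, 0, addr OutBuff, CTEXT("import error"), MB_OK
                    jmp @fail
                .endif
                mov edx, FirstThunk
                mov [edx], eax          ; image is RWX: no VirtualProtect dance needed
                add FirstThunk, 4
                add OriginalFirstThunk, 4
            .endw
            add esi, sizeof IMAGE_IMPORT_DESCRIPTOR
        .endw
        assume esi: nothing
    .endif

    ;---- rebase when not at ImageBase (DataDirectory[8*5] = entry 5) ---
    mov eax, loaded_dll
    .if eax != [edi].OptionalHeader.ImageBase
        sub eax, [edi].OptionalHeader.ImageBase
        mov delta, eax
        mov eax, [edi].OptionalHeader.DataDirectory[8*5].VirtualAddress
        mov ecx, [edi].OptionalHeader.DataDirectory[8*5].isize
        .if eax == 0 || ecx == 0
            ; cannot be rebased: running it here would use stale absolute addresses
            invoke MessageBox, 0, CTEXT("image has no relocations and was not loaded at its ImageBase"), CTEXT("load error"), MB_OK
            jmp @fail
        .endif
        mov edx, eax
        add edx, ecx
        .if edx < ecx || edx > dwDumpSize       ; relocation directory outside the image
            jmp @fail
        .endif
        add eax, loaded_dll
        mov reloc, eax
        mov reloc_size, ecx
        .while reloc_size
            .if reloc_size < sizeof IMAGE_BASE_RELOCATION   ; trailing bytes shorter than a header
                .break
            .endif
            mov ecx, reloc
            mov eax, (IMAGE_BASE_RELOCATION ptr [ecx]).SizeOfBlock
            ; SizeOfBlock < header would loop forever (0) or underflow; > remaining is corrupt
            .if eax < sizeof IMAGE_BASE_RELOCATION || eax > reloc_size
                jmp @fail
            .endif
            sub eax, sizeof IMAGE_BASE_RELOCATION
            shr eax, 1                              ; number of WORD entries
            mov reloc_size2, eax
            add ecx, sizeof IMAGE_BASE_RELOCATION
            mov RelocThunk, ecx
            .while reloc_size2
                mov edx, RelocThunk
                movzx eax, word ptr [edx]
                mov ecx, eax
                and ecx, 0F000h
                .if ecx == 3000h                    ; IMAGE_REL_BASED_HIGHLOW only; type 0 is padding
                    and eax, 0FFFh
                    mov edx, reloc
                    add eax, (IMAGE_BASE_RELOCATION ptr [edx]).VirtualAddress
                    .if CARRY?
                        jmp @fail
                    .endif
                    mov ecx, dwDumpSize
                    sub ecx, 4
                    .if eax > ecx                   ; the patched dword must lie inside the image
                        jmp @fail
                    .endif
                    add eax, loaded_dll
                    mov ecx, delta
                    add [eax], ecx
                .endif
                add RelocThunk, 2
                dec reloc_size2
            .endw
            mov ecx, reloc
            mov eax, (IMAGE_BASE_RELOCATION ptr [ecx]).SizeOfBlock
            sub reloc_size, eax
            add reloc, eax
        .endw
    .endif

    ;---- entry point: remember its first byte, plant an INT3 ----------
    mov eax, [edi].OptionalHeader.AddressOfEntryPoint
    .if eax == 0 || eax >= dwDumpSize   ; nothing callable / outside the image
        jmp @fail
    .endif
    add eax, loaded_dll
    mov stolenbyte, eax
    movzx ecx, byte ptr [eax]
    mov oldbyte, ecx
    invoke wsprintf, addr OutBuff, CTEXT("偷取入口代码: %.02X",13,10,0), ecx
    invoke MessageBox, 0, addr OutBuff, CTEXT("偷取入口代码第一字节"), MB_OK
    invoke OutputInfo, addr OutBuff, 0
    mov eax, stolenbyte
    mov byte ptr [eax], 0CCh            ; INT3: the first instruction of the entry traps
                                        ; (presumably caught by Handler, not visible here)
    mov DllEntryPoint, eax              ; published last: non-zero means "ready to run"
    assume edi: nothing
    mov eax, 1
    ret

@fail:
    ; release whatever was acquired; DllEntryPoint stays 0
    assume edi: nothing
    .if pMap
        invoke UnmapViewOfFile, pMap
        mov pMap, 0
    .endif
    .if hMap
        invoke CloseHandle, hMap
        mov hMap, 0
    .endif
    .if hFile != INVALID_HANDLE_VALUE
        invoke CloseHandle, hFile
    .endif
    .if loaded_dll
        invoke VirtualFree, loaded_dll, 0, MEM_RELEASE
        mov loaded_dll, 0
    .endif
    xor eax, eax
    ret
LoadDll endp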
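;-----------------------------------------------------------------------
; process - map the file named in ProgPath and call its entry point in
; this process as DllMain(loaded_dll, DLL_PROCESS_ATTACH, 0).
;   This executes code taken from the selected file inside the unpacker's
;   own process; LoadDll replaced the entry's first byte with INT3, so the
;   call is expected to trap first (the Handler on the proto line is not
;   visible here).  DllEntryPoint is cleared before LoadDll runs so a value
;   left over from an earlier file is never called when the load fails.
;-----------------------------------------------------------------------
process proc
    mov DllEntryPoint, 0                ; stale value from a previous run must not be reused
    invoke LoadDll, addr ProgPath
    .if DllEntryPoint == 0              ; load failed: nothing to run
        ret
    .endif
    push 0                              ; lpReserved
    push DLL_PROCESS_ATTACH             ; fdwReason
    push loaded_dll                     ; hinstDLL
    call DllEntryPoint                  ; stdcall: callee cleans the stack
    ret
process endp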
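;-----------------------------------------------------------------------
; FindString - scan a buffer for a 16-bit value, two bytes at a time.
;   In:  lpData = buffer, dwSize = its length in bytes, szWord = value
;   Out: eax = address of the first matching word, or 0 when there is no
;        match (the old code returned garbage in that case).
;   Never reads past dwSize: an odd trailing byte ends the scan, and the
;   counter cannot underflow.  Only eax, ecx, edx and flags are clobbered;
;   the stray `push esi` that defeated `uses esi` is gone.
;-----------------------------------------------------------------------
FindString proc uses esi lpData:dword, dwSize:dword, szWord:word
    mov esi, lpData
    mov ecx, dwSize
    mov dx, szWord
    cld
@scan:
    .if ecx < 2                         ; fewer than two bytes left: no match possible
        xor eax, eax
        ret
    .endif
    lodsw                               ; ax = *(WORD*)esi, esi += 2
    sub ecx, 2
    cmp ax, dx
    jnz @scan
    lea eax, [esi - 2]                  ; esi already advanced past the match
    ret
FindString endp

;-----------------------------------------------------------------------
; OutputInfo - write to the IDC_OutInf edit control of the main dialog.
;   In:  OurBuff = NUL-terminated text to append
;        flag    = non-zero: clear the control instead (OurBuff unused)
;   Appends by moving the selection to the end (EM_SETSEL -1,-1) and
;   replacing it (EM_REPLACESEL); eax holds the last API's result.
;-----------------------------------------------------------------------
OutputInfo proc OurBuff:DWORD, flag:DWORD
    .if flag != 0
        invoke SetDlgItemText, hDlg, IDC_OutInf, CTEXT(0)
    .else
        invoke SendDlgItemMessage, hDlg, IDC_OutInf, EM_SETSEL, -1, -1
        invoke SendDlgItemMessage, hDlg, IDC_OutInf, EM_REPLACESEL, FALSE, OurBuff
    .endif
    ret
OutputInfo endp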
end start