.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include gdi32.inc
include Comctl32.inc
include comdlg32.inc
include shell32.inc
include masm32.inc
include advapi32.inc
include dbghelp.inc
includelib kernel32.lib
includelib user32.lib
includelib gdi32.lib
includelib Comctl32.lib
includelib comdlg32.lib
includelib shell32.lib
includelib masm32.lib
includelib advapi32.lib
includelib dbghelp.lib
; CTEXT: allocate a zero-terminated byte string in .data at the point of use and
; hand its label back to the enclosing instruction, so a literal (or a raw byte
; list such as CTEXT(0EBh,0FEh)) can be written inline as an invoke argument.
; Every expansion emits a fresh copy, and a trailing 0 is always appended, so
; CTEXT(0) yields two zero bytes.
; NOTE(review): masm32's CTEXT ends with `exitm <offset szText>`; the
; angle-bracketed return value appears to have been lost when this page was
; extracted — as shown here the macro would expand to nothing.
CTEXT macro Text:VARARG
local szText
.data
szText byte Text, 0
.code
exitm
endm
include HookLib.inc
include ImpREC.inc
include EPE121.inc
include Unpacker.inc
; Function-pointer types for the kernel32 APIs this tool hooks in its own process.
; HookAPI (HookLib.inc) returns a pointer through which the original API is still
; reachable; mySetThreadContext / myWriteProcessMemory forward to it.
; All arguments are passed as plain dwords.
_ProtoCreateProcessA typedef proto :dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword,:dword
_ProtoWriteProcessMemory typedef proto :dword,:dword,:dword,:dword,:dword
_ProtoSetThreadContext typedef proto :dword,:dword
_CreateProcessA typedef ptr _ProtoCreateProcessA        ; declared but not used in this file
_WriteProcessMemory typedef ptr _ProtoWriteProcessMemory
_SetThreadContext typedef ptr _ProtoSetThreadContext
; Forward declarations for the procedures defined below (stdcall per .model).
DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD
OpenFileProc proto :DWORD
OutputInfo proto :DWORD,:DWORD
Unpack proto :DWORD
GetOEP_FixIAT proto :DWORD                              ; prototype only; no definition in this file
Searchcode proto :DWORD,:DWORD
PEinfo proto :DWORD
GetPidFromProcName proto :DWORD
GetFileName proto :DWORD
EnableDebugPrivilege proto :DWORD
.const
; Resource identifiers; they must agree with the dialog/icon resource script,
; which is not part of this file.
IDD_MAIN equ 1000                       ; main dialog template
IDC_FileName equ 1002                   ; edit control holding the chosen path
IDC_OPEN equ 1003                       ; "open file" button (disabled after first use, see DlgProc)
IDC_GET equ 1007                        ; "unpack" button
IDC_ABOUT equ 1011
IDC_Exit equ 1010
IDC_OutInf equ 1012                     ; log edit control written by OutputInfo
ico equ 2001                            ; application icon
.data
; Globals shared by the procedures below. Most are filled by PEinfo from the
; packed file's headers and consumed by Unpack / DumpFile.
startup STARTUPINFO <>                  ; passed to CreateProcess in Unpack; cb is never set (stays 0)
processInfo PROCESS_INFORMATION <>      ; child started by Unpack (hProcess later replaced via OpenProcess)
pNewImports dd 0                        ; read in Unpack but not assigned anywhere in this file
AddrEntryPiont dd 0                     ; file offset of OptionalHeader.AddressOfEntryPoint (the field, not its value)
AddrSec dd 0                            ; file offset of the first section header
NumOfSec dd 0                           ; FileHeader.NumberOfSections
ImageBase dd 0                          ; OptionalHeader.ImageBase
EntryPiont dd 0                         ; OptionalHeader.AddressOfEntryPoint (RVA of the packed entry)
dumpsize dd 0                           ; sum of every section's VirtualSize + 1000h
SizeOfIAT dd 0                          ; only referenced from a commented-out line in DumpFile
SizeOfImage dd 0                        ; OptionalHeader.SizeOfImage
IatRVA dd 0                             ; DataDirectory[1].VirtualAddress = import directory RVA (despite the name)
SizeOfImportDir dd 0                    ; file offset of DataDirectory[1].Size (an offset, not the size)
AddrImportDir dd 0                      ; file offset of DataDirectory[1].VirtualAddress
SecAlign dd 0                           ; OptionalHeader.SectionAlignment
RawLastSec dd 0                         ; file offset of the last section's SizeOfRawData field
VarLastSec dd 0                         ; file offset of the last section's Misc.VirtualSize field
.data?
lpCreateProcessA _CreateProcessA ?      ; declared but not used in this file
lpSetThreadContext _SetThreadContext ?  ; original SetThreadContext as returned by HookAPI
lpWriteProcessMemory _WriteProcessMemory ? ; original WriteProcessMemory as returned by HookAPI
hDlg HINSTANCE ?                        ; main dialog handle (set in WM_INITDIALOG)
hInstance HINSTANCE ?
hDllEPE dd ?                            ; not used in this file
pid dd ?                                ; never assigned in this file; TerminateProcess target in DumpFile
hOutputCtl dd ?                         ; never assigned in this file
OEP dd ?                                ; original entry point (VA) once found
ProgPath db 256 dup(?)                  ; path of the file being unpacked
subProcess dd ?                         ; never assigned in this file; tested in DumpFile
subProcessID dd ?
subThread dd ?
subThreadID dd ?
flags dd ?                              ; 0 = non-"S" packing mode, 1 = "S" mode (decided in PEinfo)
hLib dd ?                               ; LoadLibraryEx handle of the packed file (PEinfo)
.code
; Program entry (named by the END directive).
; Requests SeDebugPrivilege for this process — needed later to open, read and
; terminate the unpacked target — but ignores the result; then runs the main
; dialog modally and exits with DialogBoxParam's return value.
start:
    invoke EnableDebugPrivilege,TRUE
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke InitCommonControls
    invoke DialogBoxParam, hInstance, IDD_MAIN, NULL, addr DlgProc, NULL
    invoke ExitProcess,eax
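;-----------------------------------------------------------------------
; OpenFileProc(OpenFileNameBuffer) -> eax
; Shows the common "open" dialog owned by hDlg and stores the chosen path in
; the caller's buffer (must hold MAX_PATH bytes).
; Returns GetOpenFileName's result: non-zero on OK, 0 on cancel or error.
; The structure is zeroed with RtlZeroMemory (as elsewhere in this file) instead
; of a hand-rolled loop, which also removes the original's clobbering of esi —
; a callee-saved register that DlgProc must return intact to Windows.
;-----------------------------------------------------------------------
OpenFileProc proc OpenFileNameBuffer:DWORD
LOCAL ofn :OPENFILENAME
    invoke RtlZeroMemory, addr ofn, sizeof OPENFILENAME
    mov ofn.lstructSize,SIZEOF OPENFILENAME
    push hDlg
    pop ofn.hWndOwner
    mov ofn.lpstrCustomFilter,0         ; already zero; kept for clarity
    push hInstance
    pop ofn.hInstance
    ; filter pairs are "display\0pattern\0"; the 13,10 inside the second display
    ; name is taken verbatim from the original
    mov ofn.lpstrFilter, CTEXT("PE File(*.exe)", 0, "*.exe", 0,13,10,"All",0,"*.*",0 , 0)
    mov eax,OpenFileNameBuffer
    mov ofn.lpstrFile, eax
    mov ofn.nMaxFile, MAX_PATH
    mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
    mov ofn.lpstrTitle,CTEXT("打开可执行文件…")
    invoke GetOpenFileName, ADDR ofn
    ret
OpenFileProc endp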
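;-----------------------------------------------------------------------
; PEinfo(FilePath) -> eax
; Opens the file read-only, checks the MZ/PE signatures, verifies that the
; bytes at entry point + 200h of the loaded image spell the expected packer
; tag, decides the packing mode (flags) and records the header fields the
; unpacker needs in the globals (AddrEntryPiont, EntryPiont, ImageBase,
; SizeOfImage, IatRVA, AddrImportDir, SizeOfImportDir, SecAlign, NumOfSec,
; AddrSec, dumpsize, VarLastSec, RawLastSec), logging each one.
; Returns 1 on success and 0 on every failure (the only caller tests eax==0;
; the original returned -1 / an undefined eax on some failure paths, which
; that test accepted as success).
; ebx/esi/edi are used as scratch and restored by USES.
; Security: the file is user-chosen and untrusted. It is mapped read-only,
; but LoadLibraryEx(DONT_RESOLVE_DLL_REFERENCES) still maps it as an image
; into this process, and e_lfanew / the section count are not range-checked
; against the mapping size before being dereferenced.
;-----------------------------------------------------------------------
PEinfo proc uses ebx esi edi FilePath:DWORD
LOCAL hFile,hMap,pMap:DWORD
LOCAL OutBuff[256]:byte
    invoke OutputInfo,CTEXT("正在打开文件...",13,10,0),0
    invoke CreateFile,FilePath,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
    .if eax==INVALID_HANDLE_VALUE
        invoke MessageBox,hDlg,CTEXT("文件打开出错!"),CTEXT("错误"),MB_ICONERROR
        invoke OutputInfo,CTEXT("在打开文件....",13,10,0),0
        xor eax,eax                     ; explicit failure (eax held OutputInfo's result)
        ret
    .endif
    mov hFile,eax
    invoke CreateFileMapping,hFile,0,PAGE_READONLY,0,0,0
    .if eax==0
        invoke CloseHandle,hFile
        invoke MessageBox,hDlg,CTEXT("创建内存映射错误!"),CTEXT("错误"),MB_ICONERROR
        invoke OutputInfo,CTEXT("创建内存映射错误!"),0
        xor eax,eax
        ret
    .endif
    mov hMap,eax
    invoke MapViewOfFile,hMap,FILE_MAP_READ,0,0,0
    .if eax==0
        invoke MessageBox,hDlg,CTEXT("映射出错...") ,CTEXT("错误") ,MB_OK or MB_ICONEXCLAMATION
        invoke CloseHandle,hMap
        invoke CloseHandle,hFile        ; was leaked on this path
        xor eax,eax
        ret
    .endif
    mov pMap,eax
    ; Signature check: "MZ" at offset 0, "PE" at e_lfanew. e_lfanew is read
    ; unchecked, so a crafted header can point outside the view.
    mov edi,eax
    cmp word ptr [edi],"ZM"
    jne notPE
    add edi, [edi+03ch]
    cmp word ptr [edi],"EP"
    jne notPE
    jmp isPE
notPE:
    invoke MessageBox,hDlg,CTEXT("不是一个有效的PE文件!") ,CTEXT("错误"),MB_ICONERROR
    invoke OutputInfo,CTEXT("不是一个有效的PE文件!"),0
    invoke UnmapViewOfFile,pMap
    invoke CloseHandle,hMap
    invoke CloseHandle,hFile
    xor eax,eax                         ; was -1, which the caller treated as success
    ret
isPE:
    invoke OutputInfo,CTEXT("合法的PE文件!",13,10,0),0
    ; Map the file as an image (no DllMain, no import resolution) so the
    ; version tag can be read at its virtual address.
    invoke LoadLibraryEx,FilePath,0,DONT_RESOLVE_DLL_REFERENCES
    .if eax==0
        invoke OutputInfo,CTEXT("LoadLibraryEx failed",13,10,0),0
        invoke UnmapViewOfFile,pMap
        invoke CloseHandle,hMap
        invoke CloseHandle,hFile
        xor eax,eax
        ret
    .endif
    mov hLib,eax
    mov esi,eax                         ; esi = base of the loaded image
    lea eax,[esi+3Ch]
    mov ebx,[eax]                       ; ebx = e_lfanew
    lea ebx,[ebx+esi+28h]               ; -> OptionalHeader.AddressOfEntryPoint
    mov edi,[ebx]
    lea ebx,[edi+esi]                   ; ebx = VA of the packed entry point
    mov eax,ebx
    add eax,200h
    invoke lstrcmp,eax,CTEXT('V220071201.EPE')
    .if eax!=0
        invoke MessageBox,0,CTEXT("软件不是EPEV220071201加的壳"),0,MB_OK
        ; release module, view and handles (the original returned here and
        ; leaked all four)
        invoke FreeLibrary,hLib
        invoke UnmapViewOfFile,pMap
        invoke CloseHandle,hMap
        invoke CloseHandle,hFile
        xor eax,eax
        ret
    .endif
    ; Packing-mode flag: two dwords at entry+220h are summed and used as a
    ; further offset, +9; mask 11h selects the "S" mode. Layout is specific
    ; to this packer build and is taken as-is from the original.
    add ebx,220h
    mov eax,[ebx]
    lea edx,[ebx+4]
    add eax,[edx]
    add ebx, eax
    add ebx, 9
    mov esi, [ebx]
    and esi,11h
    .if esi==0
        mov flags,0
        invoke OutputInfo,CTEXT("你打开的软件是非S方式加的壳",13,10,0),0
    .else
        mov flags,1
        invoke OutputInfo,CTEXT("你打开的软件是S方式加的壳",13,10,0),0
    .endif
    invoke FreeLibrary,hLib
    ; From here on the header fields come from the read-only file view.
    invoke ImageNtHeader,pMap
    .if eax==0
        jmp notPE                       ; hLib already released; notPE closes the rest
    .endif
    mov edi,eax
    assume edi:ptr IMAGE_NT_HEADERS
    ; AddrEntryPiont = file offset of the AddressOfEntryPoint field itself
    lea eax, [edi].OptionalHeader.AddressOfEntryPoint
    sub eax,pMap
    push eax
    pop AddrEntryPiont
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("读取原程序入口点"),AddrEntryPiont
    invoke OutputInfo,addr OutBuff,0
    push [edi].OptionalHeader.AddressOfEntryPoint
    pop EntryPiont
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("原程序EP"),EntryPiont
    invoke OutputInfo,addr OutBuff,0
    push [edi].OptionalHeader.ImageBase
    pop ImageBase
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("原程序基地址"),ImageBase
    invoke OutputInfo,addr OutBuff,0
    mov eax, [edi].OptionalHeader.SizeOfImage
    mov SizeOfImage, eax
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("原程序映像体大小"),SizeOfImage
    invoke OutputInfo,addr OutBuff,0
    ; DataDirectory[1] is the import directory, not the IAT (index 12); the
    ; global keeps its original name
    mov eax,dword ptr [edi].OptionalHeader.DataDirectory[SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress
    mov IatRVA,eax
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("原程序IarRVA地址"),IatRVA
    invoke OutputInfo,addr OutBuff,0
    ; file offsets of DataDirectory[1].VirtualAddress (NT header + 80h for PE32)
    ; and of its Size field (+4) — offsets of the fields, not their values
    mov eax,edi
    add eax,80h
    sub eax,pMap
    mov AddrImportDir,eax
    add eax,4
    mov SizeOfImportDir,eax
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("输入表目录入口"),AddrImportDir
    invoke OutputInfo,addr OutBuff,0
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("输入表目录大小"),SizeOfImportDir
    invoke OutputInfo,addr OutBuff,0
    mov eax, [edi].OptionalHeader.SectionAlignment
    mov SecAlign,eax
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("区块的对齐单位"),SecAlign
    invoke OutputInfo,addr OutBuff,0
    movzx ecx,word ptr [edi].FileHeader.NumberOfSections
    mov NumOfSec,ecx
    test ecx,ecx
    jz notPE                            ; 0 sections: the `loop` below would otherwise run 2^32 times
    ; section table assumed to start at sizeof IMAGE_NT_HEADERS (i.e. a
    ; standard-size optional header; DumpFile uses SizeOfOptionalHeader instead)
    mov esi,edi
    add esi,sizeof IMAGE_NT_HEADERS
    assume esi:ptr IMAGE_SECTION_HEADER
    mov eax,esi
    sub eax,pMap
    mov AddrSec,eax
    xor eax,eax
sect_loop:
    add eax,dword ptr[esi].Misc.VirtualSize
    add esi,sizeof IMAGE_SECTION_HEADER
    loop sect_loop
    add eax,1000h                       ; + header size (assumed one page)
    mov dumpsize,eax
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("计算转储大小 (所有区段VirtualSize)"),dumpsize
    invoke OutputInfo,addr OutBuff,0
    ; esi now points one past the last section header; step back and record
    ; the file offsets of that section's VirtualSize / SizeOfRawData fields
    sub esi,sizeof IMAGE_SECTION_HEADER
    lea eax, [esi].Misc.VirtualSize
    sub eax,pMap
    mov VarLastSec,eax
    lea eax, [esi].SizeOfRawData
    sub eax,pMap
    mov RawLastSec,eax
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("最后一节VirtualSize"),VarLastSec
    invoke OutputInfo,addr OutBuff,0
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("最后一节SizeOfRawData"),RawLastSec
    invoke OutputInfo,addr OutBuff,0
    assume edi:nothing
    assume esi:nothing
    invoke UnmapViewOfFile,pMap
    invoke CloseHandle,hMap
    invoke CloseHandle,hFile
    invoke OutputInfo,CTEXT("PE文件所有检测有效, 关闭文件",13,10,13,10,0) ,0
    mov eax,1
    ret
PEinfo endp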
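;-----------------------------------------------------------------------
; GetFileName(FilePath) -> eax = pointer to the file-name part of ProgPath
; NOTE: the FilePath argument is ignored; the scan always runs over the global
; ProgPath (the only caller in this file passes addr ProgPath anyway).
; Scans the 256-byte buffer backwards for the last '\' and returns the address
; of the character after it. If there is no '\' the original returned an
; address below the buffer; the start of ProgPath is returned instead.
; edi is restored by USES (callee-saved in stdcall).
;-----------------------------------------------------------------------
GetFileName proc uses edi FilePath:dword
    std                                 ; scan downwards
    mov edi,offset ProgPath
    add edi,sizeof ProgPath-1           ; last byte of the buffer
    mov al,"\"
    mov ecx,sizeof ProgPath
    repne scasb
    cld                                 ; Win32 ABI: DF must be clear on return (cld keeps ZF)
    jne no_backslash                    ; ZF clear: ecx ran out without a match
    lea eax,dword ptr [edi+2]           ; scasb stopped one byte below the match
    ret
no_backslash:
    mov eax,offset ProgPath
    ret
GetFileName endp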
;-----------------------------------------------------------------------
; Searchcode(start_pos, opcode) -> eax
; Walks the target process (processInfo.hProcess) forward from start_pos one
; byte at a time, reading two bytes per step, until they equal the low word of
; opcode in the byte order it is written (0FFD3h matches the bytes FF D3).
; Returns the address of the match, or 0 after a failed ReadProcessMemory —
; that is the only way out if the pattern is absent, so the scan runs until
; it hits unreadable memory.
;-----------------------------------------------------------------------
Searchcode proc uses edi esi start_pos:DWORD, opcode:DWORD
LOCAL Buffer:DWORD
LOCAL Pattern:DWORD
    mov eax,opcode
    xchg al,ah                          ; swap so the in-memory (little-endian) order compares directly
    mov Pattern,eax
    mov edi,start_pos                   ; edi = next address to probe
    lea esi,Buffer                      ; esi = 2-byte read window
    .repeat
        invoke ReadProcessMemory,processInfo.hProcess,edi,esi,2,0
        .if eax==0
            invoke MessageBox,hDlg,CTEXT("读取内存错误 !"),CTEXT("错误") ,MB_ICONERROR
            xor eax,eax
            ret
        .endif
        inc edi
        mov eax,Pattern
    .until word ptr [esi]==ax
    lea eax,[edi-1]                     ; edi already advanced past the match
    ret
Searchcode endp
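;-----------------------------------------------------------------------
; myWriteProcessMemory(hProcess, lpBadeAddr, lpBuffer, nSize, lpNum) -> eax
; Hook installed over WriteProcessMemory in this process while the packer's
; loader runs (see DlgProc / Unpack). Forwards the original call through
; lpWriteProcessMemory, then applies a fixed set of byte patches at hard-coded
; addresses in the target. The addresses and bytes are only meaningful for the
; packer build PEinfo checks for ('V220071201.EPE'); key/key2 come from an
; include, not this file. Results of the patch writes are not checked, and the
; last write (address 0, 4 bytes) is expected to fail.
; Returns the result of the forwarded call; the original restored eax with
; popad and so handed the caller an undefined value.
; All registers are preserved (pushad/popad) as the hooked caller expects.
;-----------------------------------------------------------------------
myWriteProcessMemory proc hProcess,lpBadeAddr,lpBuffer,nSize,lpNum
LOCAL RetVal:DWORD
    pushad
    invoke lpWriteProcessMemory,hProcess,lpBadeAddr,lpBuffer,nSize,lpNum
    mov RetVal,eax                      ; survive the popad below
    invoke lpWriteProcessMemory,hProcess,7120B101h,CTEXT(0E9h, 0FAh, 09Fh, 01h, 00h),5,0
    invoke lpWriteProcessMemory,hProcess,712059F0h,CTEXT(90h,0E9h),2,0
    invoke lpWriteProcessMemory,hProcess,71207968h,CTEXT(0EBh,5Eh),2,0
    invoke lpWriteProcessMemory,hProcess,7120B1DAh,CTEXT(90h, 90h, 90h, 90h, 90h),5,0
    invoke lpWriteProcessMemory,hProcess,7120B266h,CTEXT(0E9h, 0B5h, 09Eh, 01h, 00h),5,0
    invoke lpWriteProcessMemory,hProcess,7120B4DDh,CTEXT(90h, 90h),2,0
    invoke lpWriteProcessMemory,hProcess,712082EDh,CTEXT(0E9h,0AEh,0CDh,01h,00h,90h,90h),7,0
    invoke lpWriteProcessMemory,hProcess,7120B27Ah,CTEXT(90h, 90h, 90h, 90h, 90h),5,0
    invoke lpWriteProcessMemory,hProcess,71207105h,CTEXT(0EBh,0Bh),2,0
    invoke lpWriteProcessMemory,hProcess,711f94B1h,CTEXT(0E9h,0A6h,00h,00h,00h,90h),6,0
    invoke lpWriteProcessMemory,hProcess,7120B287h,CTEXT(90h,90h),2,0
    invoke lpWriteProcessMemory,hProcess,711F9054h,CTEXT(0B2h,01h),2,0
    invoke lpWriteProcessMemory,hProcess,71209182h,CTEXT(0B0h,00h,90h),3,0
    invoke lpWriteProcessMemory,hProcess,711F91EFh,CTEXT(8Bh,25h,0D1h,50h,22h,71h,0C3h,90h,90h,90h),0Ah,0
    invoke lpWriteProcessMemory,hProcess,7120B2C7h,CTEXT(0E9h,74h,9Eh,01h,00h),5,0
    invoke lpWriteProcessMemory,hProcess,7120B31Ch,CTEXT(90h, 90h),2,0
    invoke lpWriteProcessMemory,hProcess,711fdc15h,CTEXT(74h, 00h),2,0
    invoke lpWriteProcessMemory,hProcess,711FDC23h,CTEXT(0B0h,00h,90h),3,0
    invoke lpWriteProcessMemory,hProcess,7120B4E4h,CTEXT(0E9h,97h,9Ch,01h,00h),5,0
    invoke lpWriteProcessMemory,hProcess,7120B4C6h,CTEXT(90h, 90h, 90h, 90h, 90h),5,0
    invoke lpWriteProcessMemory,hProcess,712070f6h,CTEXT(74h, 00h),2,0
    invoke lpWriteProcessMemory,hProcess,7120B50Eh,CTEXT(0EBh,05h),2,0
    invoke lpWriteProcessMemory,hProcess,711FCC59h,CTEXT(00h),1,0
    invoke lpWriteProcessMemory,hProcess,71209172h,CTEXT(74h, 00h),2,0
    invoke lpWriteProcessMemory,hProcess,712084b3h,CTEXT(0E9h,08h,0CDh,01h,00h,90h,90h),7,0
    invoke lpWriteProcessMemory,hProcess,711f92b9h,CTEXT(0B0h,01h),2,0
    invoke lpWriteProcessMemory,hProcess,71205b74h,CTEXT(0EBh,7Eh),2,0
    invoke lpWriteProcessMemory,hProcess,711f955Ch,CTEXT(8Bh,25h,0F1h,51h,22h,71h,0C3h,90h,90h),9,0
    invoke lpWriteProcessMemory,hProcess,711F8E32h,CTEXT(90h, 90h, 90h, 90h, 90h),5,0
    invoke lpWriteProcessMemory,hProcess,711F8E41h,CTEXT(90h, 90h),2,0
    invoke lpWriteProcessMemory,hProcess,71206239h,CTEXT(00h),1,0
    invoke lpWriteProcessMemory,hProcess,7120B83Dh,CTEXT(0B0h,00h,90h),3,0
    invoke lpWriteProcessMemory,hProcess,711F5E2Dh,CTEXT(90h, 90h, 90h, 90h, 90h,90h),6,0
    invoke lpWriteProcessMemory,hProcess,711F5E36h,CTEXT(90h, 90h, 90h, 90h, 90h,90h),6,0
    invoke lpWriteProcessMemory,hProcess,7120B41Fh,CTEXT(90h,90h),2,0
    invoke lpWriteProcessMemory,hProcess,711f7490h,CTEXT(75h,0Eh),2,0
    invoke lpWriteProcessMemory,hProcess,711F5E43h,CTEXT(90h, 90h, 90h, 90h, 90h,90h),6,0
    invoke lpWriteProcessMemory,hProcess,711F5E63h,CTEXT(90h,90h),2,0
    invoke lpWriteProcessMemory,hProcess,711f949bh,CTEXT(0E9h,0BCh,00h,00h,00h,90h),6,0
    invoke lpWriteProcessMemory,hProcess,711F5E89h,CTEXT(90h,90h),2,0
    invoke lpWriteProcessMemory,hProcess,711FC214h,CTEXT(0c3h),1,0
    invoke lpWriteProcessMemory,hProcess,711F8E74h,CTEXT(8Bh,25h,73h,51h,22h,71h,0C3h),7,0
    invoke lpWriteProcessMemory,hProcess,7120B506h,CTEXT(0E9h,9Bh,9Ch,01h,00h),5,0
    invoke lpWriteProcessMemory,hProcess,71225100h,addr key,0EDh,0
    invoke lpWriteProcessMemory,hProcess,712250A0h,addr key2,2Eh,0
    invoke lpWriteProcessMemory,hProcess,71225107h,CTEXT(00h,00h,40h,00h),4,0
    invoke lpWriteProcessMemory,hProcess,7122512ch,CTEXT(02h,00h,40h,00h),4,0
    invoke lpWriteProcessMemory,hProcess,00000000h,CTEXT(00,00,00,00),4,0
    popad
    mov eax,RetVal
    ret
myWriteProcessMemory endp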
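;-----------------------------------------------------------------------
; mySetThreadContext(hThread, lpContext) -> eax
; Hook installed over SetThreadContext (non-"S" mode, see DlgProc). Every call
; is forwarded; additionally, the first context whose Eip is below 10000000h
; is taken as the unpacked program's original entry point: OEP is recorded,
; both hooks are removed, the hook DLL freed, and DumpFile is run — all before
; the forwarded call, so SetThreadContext is applied to a process DumpFile may
; already have terminated.
; NOTE(review): the 10000000h threshold assumes the program image lies below
; it and the packer stub above — confirm for other targets.
; Returns the forwarded call's result (the original lost it to popad).
;-----------------------------------------------------------------------
mySetThreadContext proc hThread,lpContext
LOCAL RetVal:dword
LOCAL OutBuff [256]:byte
    pushad
    mov esi,lpContext
    assume esi:ptr CONTEXT
    .if [esi].regEip < 10000000h
        mov eax,[esi].regEip
        mov OEP,eax
        invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("发现OEP"),[esi].regEip
        invoke OutputInfo,addr OutBuff,0
        invoke UnHookAPI,lpSetThreadContext
        invoke UnHookAPI,lpWriteProcessMemory
        call FreeHookDll
        invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("线程句柄"),hThread
        invoke OutputInfo,addr OutBuff,0
        call DumpFile
    .endif
    assume esi: nothing
    invoke lpSetThreadContext,hThread,lpContext
    mov RetVal,eax                      ; survive the popad below
    popad
    mov eax,RetVal
    ret
mySetThreadContext endp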
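;-----------------------------------------------------------------------
; GetPidFromProcName(lpProcName) -> eax
; Walks a Toolhelp process snapshot and returns the PID of the first process
; whose szExeFile equals lpProcName (case-insensitive), or 0 if none.
; Only the executable name is compared, so with several processes of the same
; name the first one enumerated wins — callers that go on to read or terminate
; that PID must accept that ambiguity.
; Fix: a failed CreateToolhelp32Snapshot (INVALID_HANDLE_VALUE) now returns 0
; instead of being passed to Process32First/CloseHandle.
;-----------------------------------------------------------------------
GetPidFromProcName proc lpProcName:DWORD
LOCAL stProcess : PROCESSENTRY32
LOCAL hSnapshot
LOCAL dwProcessID
    mov dwProcessID, 0
    invoke RtlZeroMemory, addr stProcess, sizeof stProcess
    mov stProcess.dwSize, sizeof stProcess   ; required by Process32First
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    .if eax==INVALID_HANDLE_VALUE
        xor eax,eax                     ; no snapshot: report "not found"
        ret
    .endif
    mov hSnapshot, eax
    invoke Process32First, hSnapshot, addr stProcess
    .while eax
        invoke lstrcmpi, lpProcName, addr stProcess.szExeFile
        .if eax==0
            mov eax, stProcess.th32ProcessID
            mov dwProcessID, eax
            .break
        .endif
        invoke Process32Next, hSnapshot, addr stProcess
    .endw
    invoke CloseHandle, hSnapshot
    mov eax, dwProcessID
    ret
GetPidFromProcName endp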
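;-----------------------------------------------------------------------
; DlgProc(hWnd, uMsg, wParam, lParam) -> eax (always 0)
; Main dialog procedure.
;   WM_INITDIALOG : stores hDlg, sets the icon, calls LoadEPE (include).
;   IDC_OPEN      : disables itself (never re-enabled), runs the open dialog,
;                   shows the path, clears the log, calls EncryptPEInit (include).
;   IDC_GET       : copies the path to ProgPath, runs PEinfo, then either hooks
;                   SetThreadContext/WriteProcessMemory and starts the target
;                   (flags==0) or runs Unpack + DumpFile (flags==1).
;   IDC_ABOUT / IDC_Exit / WM_CLOSE as expected.
; Fix: ebx/esi/edi are now saved with USES — a dialog procedure must return
; them intact to Windows, and PEinfo/GetFileName/OpenFileProc use them as
; scratch. Unused LOCALs were removed.
; NOTE(review): wParam is compared whole, so the notification code in its
; high word must be 0 (true for BN_CLICKED) for the IDs to match.
;-----------------------------------------------------------------------
DlgProc proc uses ebx esi edi hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
LOCAL FilePath [MAX_PATH+2]:BYTE
    .if uMsg == WM_INITDIALOG
        push hWnd
        pop hDlg                        ; the other procedures report through hDlg
        invoke LoadIcon,hInstance,ico
        invoke SendMessage,hWnd,WM_SETICON,1,eax
        ; NOTE(review): eax here is SendMessage's result (the previous icon
        ; handle), not a window; SetFocus(hWnd) was probably intended — kept as-is.
        invoke SetFocus,eax
        call LoadEPE
    .elseif uMsg == WM_COMMAND
        mov eax,wParam
        .if eax==IDC_OPEN
            invoke GetDlgItem,hWnd,IDC_OPEN
            invoke EnableWindow,eax,FALSE
            lea eax,FilePath
            mov dword ptr [eax],0       ; empty string as the dialog's initial file name
            invoke OpenFileProc,eax
            .if eax!=0
                invoke SetDlgItemText,hWnd,IDC_FileName,addr FilePath
            .endif
            invoke SetDlgItemText,hWnd,IDC_OutInf,0
            call EncryptPEInit
        .elseif eax==IDC_GET
            invoke GetDlgItemText,hWnd,IDC_FileName,addr FilePath,MAX_PATH
            invoke RtlZeroMemory, addr ProgPath, sizeof ProgPath
            invoke lstrcpy,addr ProgPath,addr FilePath
            invoke PEinfo,addr ProgPath
            .if eax==0
                ret                     ; PEinfo already reported the error; eax is 0
            .endif
            call LoadHookDll
            .if flags==0
                ; non-"S" mode: let the packer run and catch the OEP in the
                ; SetThreadContext hook (mySetThreadContext)
                invoke HookAPI,CTEXT("kernel32.dll"),CTEXT("SetThreadContext"),offset mySetThreadContext
                mov lpSetThreadContext, eax
                invoke HookAPI,CTEXT("kernel32.dll"),CTEXT("WriteProcessMemory"),offset myWriteProcessMemory
                mov lpWriteProcessMemory, eax
                invoke OutputInfo,CTEXT("开始脱壳...",13,10,0),0
                invoke WinExec,offset ProgPath,SW_SHOW
            .elseif flags==1
                ; "S" mode: drive the target to the OEP with breakpoints, then dump
                invoke Unpack,addr FilePath
                call DumpFile
            .endif
        .elseif eax==IDC_ABOUT
            invoke MessageBox,NULL,CTEXT(13," Unpacker by laomms ",13,13," --===2008.5===-- ",0) ,CTEXT("About"),MB_OK
        .elseif eax==IDC_Exit
            invoke ExitProcess,0
        .endif
    .elseif uMsg == WM_CLOSE
        invoke EndDialog,hWnd,0
    .endif
    xor eax,eax
    ret
DlgProc endp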
;-----------------------------------------------------------------------
; Unpack(FilePath)
; "S mode" path (flags==1). Starts the packed program suspended and drives it
; to its original entry point with software breakpoints, then leaves the main
; thread suspended there so DlgProc can call DumpFile.
; A breakpoint is the two-byte self-jump EB FE written over the target
; instruction; the thread is suspended, Eip polled with GetThreadContext, and
; the saved bytes restored when it spins at the expected address.
;   BP1 = first `call ebx` (FF D3) after the packed entry point
;   BP3 = context.Ebx + 3Bh when BP1 is hit (packer-specific offset)
;   OEP = context.Eax when BP3 is hit
; At BP1 the WriteProcessMemory hook is installed, triggered once with null
; arguments (which makes myWriteProcessMemory apply its fixed patches to the
; target), and removed again.
; Globals written: OEP, processInfo.hProcess (replaced), lpWriteProcessMemory.
; The return value is not meaningful; the caller ignores eax.
; NOTE(review):
;  - startup.cb is never set before CreateProcess (struct is zero-initialised),
;    and CreateProcess's result is not checked.
;  - OpenProcess overwrites processInfo.hProcess; the handle CreateProcess
;    returned is leaked.
;  - VirtualProtectEx makes the first page at ImageBase RWX in the target.
;  - the first OutputInfo passes hOutputCtl (never assigned in this file) as
;    the text pointer with flag 0; flag 1 (clear the log) looks intended.
;  - on the OEP hit the code jumps to @exit without the ResumeThread, so the
;    target stays suspended — DumpFile relies on that.
;  - most LOCALs below are unused.
;-----------------------------------------------------------------------
Unpack proc FilePath:DWORD
BUF_MAX equ 64
LOCAL Buffer [BUF_MAX]:byte
LOCAL call_ebx:DWORD
LOCAL OutBuff [256]:byte
LOCAL OutBufftemp1,OutBufftemp2,OutBufftemp3,OutBufftemp4:DWORD
LOCAL OutBuff2 [64]:byte
LOCAL BP1_data,BP2_data,BP3_data,BP4_data,BP5_data,BP6_data,OEP_data:DWORD
LOCAL BP1,BP2,BP3,BP4,BP5,BP6:DWORD
LOCAL Buffer2:DWORD
LOCAL StepintoAddr:DWORD
LOCAL dlls_imported:DWORD
LOCAL context :CONTEXT
LOCAL PatchAddr:DWORD
LOCAL borland_flag,redirection_flag:DWORD
LOCAL lpMem
LOCAL FileName:dword
    invoke OutputInfo,hOutputCtl,0
    invoke OutputInfo,CTEXT("记录:",13,10,"开始脱壳...",13,10,0),0
    invoke CreateProcess,FilePath,0,0,0,FALSE,CREATE_SUSPENDED,0,0,addr startup,addr processInfo
    invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,processInfo.dwProcessId
    push eax
    pop processInfo.hProcess
    ; header page of the target made writable+executable; Buffer receives the old protection
    invoke VirtualProtectEx,processInfo.hProcess,ImageBase,1000h,PAGE_EXECUTE_READWRITE,addr Buffer
    mov edi,ImageBase
    add edi,EntryPiont                  ; edi = VA of the packed entry point
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("得到入口地址"),edi
    invoke OutputInfo,addr OutBuff,0
    invoke Searchcode,edi,0FFD3h        ; find `call ebx`
    .if eax==0
        invoke OutputInfo,CTEXT("搜索 'call ebx'错误",13,10,0),0
        invoke TerminateProcess,processInfo.hProcess,0
        invoke CloseHandle,processInfo.hProcess
        ret
    .endif
    mov BP1,eax
    pushad
    invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("搜索 'call ebx', 发现地址"),eax
    invoke OutputInfo,addr OutBuff,0
    popad
    ; save the two original bytes at BP1 and plant the self-jump
    invoke ReadProcessMemory,processInfo.hProcess,BP1,addr BP1_data,2,0
    invoke WriteProcessMemory,processInfo.hProcess,BP1,CTEXT(0EBh,0FEh),2,0
    invoke OutputInfo,CTEXT("开始处理 ...",13,10,"...",13,10,0) ,0
    invoke ResumeThread,processInfo.hThread
    invoke Sleep,2000
    mov esi,pNewImports                 ; not used afterwards
    assume esi:ptr IMAGE_IMPORT_DESCRIPTOR
@loop:
    ; poll: stop the thread, look where it is, act, resume
    invoke SuspendThread,processInfo.hThread
    mov context.ContextFlags,CONTEXT_FULL
    invoke GetThreadContext,processInfo.hThread,addr context
    mov eax,context.regEip
    .if eax==BP1
        pushad
        invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("断在断点1处"),eax
        invoke OutputInfo,addr OutBuff,0
        popad
        invoke WriteProcessMemory,processInfo.hProcess,BP1,addr BP1_data,2,0   ; restore BP1
        mov ebx, context.regEbx
        add ebx,03Bh                    ; BP3 = Ebx + 3Bh (packer-specific)
        mov BP3,ebx
        pushad
        invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("在断点3处下断"),ebx
        invoke OutputInfo,addr OutBuff,0
        popad
        invoke ReadProcessMemory,processInfo.hProcess,BP3,addr BP3_data,2,0
        invoke WriteProcessMemory,processInfo.hProcess,BP3,CTEXT(0EBh,0FEh),2,0
        ; hook our own WriteProcessMemory, call it once to apply the patch set, unhook
        invoke HookAPI,CTEXT("kernel32.dll"),CTEXT("WriteProcessMemory"),offset myWriteProcessMemory
        mov lpWriteProcessMemory, eax
        invoke WriteProcessMemory,processInfo.hProcess,0,0,0,0
        invoke UnHookAPI,lpWriteProcessMemory
        invoke OutputInfo,CTEXT("补丁成功",13,10,0),0
    .elseif eax== BP3
        invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("断在断点3处"),eax
        invoke OutputInfo,addr OutBuff,0
        pushad
        popad
        invoke WriteProcessMemory,processInfo.hProcess,BP3,addr BP3_data,2,0   ; restore BP3
        mov eax, context.regEax         ; OEP is in Eax at this point
        mov OEP,eax
        pushad
        invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("得到OEP"),eax
        invoke OutputInfo,addr OutBuff,0
        popad
        invoke ReadProcessMemory,processInfo.hProcess,OEP,addr OEP_data,2,0
        invoke WriteProcessMemory,processInfo.hProcess,OEP,CTEXT(0EBh,0FEh),2,0
    .elseif eax== OEP
        invoke wsprintf,addr OutBuff,CTEXT("%s: %.08X",13,10,0),CTEXT("断在OEP处"),eax
        invoke OutputInfo,addr OutBuff,0
        invoke WriteProcessMemory,processInfo.hProcess,OEP,addr OEP_data,2,0   ; restore OEP bytes
        jmp @exit                       ; thread stays suspended at the OEP
    .endif
    invoke ResumeThread,processInfo.hThread
    invoke Sleep,8
    jmp @loop
@exit:
    ; restore all three sites once more (harmless if already restored)
    invoke WriteProcessMemory,processInfo.hProcess,BP1,addr BP1_data,2,0
    invoke WriteProcessMemory,processInfo.hProcess,BP3,addr BP3_data,2,0
    invoke WriteProcessMemory,processInfo.hProcess,OEP,addr OEP_data,2,0
    ret
Unpack endp
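;-----------------------------------------------------------------------
; DumpFile()
; Copies SizeOfImage bytes from ImageBase of the running target into a local
; buffer, patches the copied headers (section count, import directory RVA,
; entry point = OEP - ImageBase, and raw size/offset := virtual size/address
; for every section so the file layout equals the memory layout), writes it
; as dumped.exe next to the input file (CREATE_ALWAYS overwrites), then has
; ImpREC (ImpREC.inc) rebuild the import table into dumped_.exe and removes
; the raw dump.
; The target is located by executable name (GetPidFromProcName), so another
; process with the same name may be picked instead; pid/subProcess, tested at
; @exit, are never assigned in this file.
; Fixes: hFile and lpMem were never initialised but tested at the end (stack
; garbage could reach CloseHandle/GlobalFree); the VirtualAlloc buffer and
; the process handle were never released; ebx/esi/edi are now saved by USES.
; Error paths release resources via @release but, as before, do not
; terminate anything; the @exit path terminates and then releases.
;-----------------------------------------------------------------------
DumpFile proc uses ebx esi edi
LOCAL hFile:dword
LOCAL hProc:dword
LOCAL Dumpath[1024]:byte
LOCAL Buffer:DWORD
LOCAL lpMem:dword
LOCAL ProcessID:dword
LOCAL FileName[256]:byte
    ; the cleanup at @release tests these, so they must not hold stack garbage
    mov hFile,0
    mov hProc,0
    mov lpMem,0
    invoke GetFileName,addr ProgPath
    invoke lstrcpy,addr FileName,eax
    invoke GetPidFromProcName,addr FileName
    .if eax==0
        invoke MessageBox,0,CTEXT("找不到进程!!"),0,MB_OK
    .endif
    mov ProcessID,eax                   ; a 0 here makes the OpenProcess below fail
    invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,ProcessID
    .if eax==0
        invoke MessageBox,0,CTEXT("打开进程错误"),0,MB_OK
        jmp @release
    .endif
    mov hProc,eax
    mov ebx,eax
    invoke VirtualAlloc, NULL, SizeOfImage, MEM_COMMIT, PAGE_READWRITE
    mov lpMem,eax                       ; released at @release
    mov esi,eax                         ; esi = dump buffer
    invoke ReadProcessMemory,ebx,ImageBase,esi,SizeOfImage,addr Buffer
    .if eax==0
        invoke MessageBox,0,CTEXT("读取进程错误"),0,MB_OK
        jmp @release
    .endif
    ; patch the copied headers
    mov edx,dword ptr [esi+3ch]
    add edx,esi                         ; edx = IMAGE_NT_HEADERS inside the dump
    assume edx:ptr IMAGE_NT_HEADERS
    mov eax,NumOfSec
    mov word ptr [edx].FileHeader.NumberOfSections,ax
    mov eax,IatRVA
    mov dword ptr [edx].OptionalHeader.DataDirectory[SIZEOF IMAGE_DATA_DIRECTORY].VirtualAddress,eax
    mov eax,OEP
    sub eax, ImageBase
    mov dword ptr [edx].OptionalHeader.AddressOfEntryPoint,eax   ; OEP as an RVA
    movzx eax,word ptr [edx].FileHeader.SizeOfOptionalHeader
    add edx,eax
    add edx,18h                         ; edx = first IMAGE_SECTION_HEADER
    assume edx:nothing
    mov ecx,NumOfSec                    ; PEinfo rejects a zero count
@@1:
    ; SizeOfRawData := VirtualSize, PointerToRawData := VirtualAddress
    mov eax,dword ptr [edx+8h]
    mov dword ptr [edx+10h],eax
    mov eax,dword ptr [edx+0ch]
    mov dword ptr [edx+14h],eax
    add edx,28h
    loop @@1
    invoke OutputInfo, CTEXT("保存文件...",13,10,0),0
    invoke GetPathOnly, addr ProgPath, addr Dumpath
    invoke lstrcat, addr Dumpath, CTEXT("dumped.exe")
    invoke CreateFile, addr Dumpath, GENERIC_READ + GENERIC_WRITE,FILE_SHARE_READ + FILE_SHARE_WRITE, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_ARCHIVE, 0
    .if eax==INVALID_HANDLE_VALUE
        invoke OutputInfo, CTEXT("保存文件出错!!!"),0
        jmp @exit
    .endif
    mov hFile, eax
    invoke SetFilePointer, hFile, 0, NULL, FILE_BEGIN
    invoke WriteFile, hFile,esi,SizeOfImage,addr Buffer, NULL
    .if eax==0
        invoke OutputInfo, CTEXT("写入文件出错!!!"),0
        jmp @exit
    .endif
    ;invoke WriteFile, hFile,pNewImports,SizeOfIAT,addr Buffer,0
    invoke CloseHandle, hFile
    mov hFile, 0
    call LoadImpREC
    .if eax
        invoke OutputInfo, CTEXT("重建输入表...",13,10,0),0
        mov ecx, OEP
        sub ecx, ImageBase              ; ecx = OEP RVA
        ; lpImpREC(ProcessID, oepRva, 0, 5, Dumpath); the calling convention and
        ; argument meanings come from ImpREC.inc, not this file
        lea eax, Dumpath
        push eax
        push 5
        push 0
        push ecx
        push ProcessID
        call lpImpREC
        .if eax==0
            invoke OutputInfo, CTEXT("重建输入表出错...",13,10,0),0
            jmp @release
        .endif
        invoke OutputInfo, CTEXT("重建输入表完成...",13,10,0),0
        invoke DeleteFile, addr Dumpath ; drop the raw dump; the rebuilt file is dumped_.exe
        lea esi, Dumpath
        invoke lstrlen, esi
        add esi, eax
        sub esi, 4
        invoke lstrcpy, esi, CTEXT("_.exe")   ; NOTE: the modified path is not used afterwards
        invoke FreeImpREC
        invoke TerminateProcess, pid, 0
    .else
        invoke OutputInfo, CTEXT("加载ImpREC错误...",13,10,0),0
        jmp @release
    .endif
    invoke OutputInfo, CTEXT("脱壳完成! 请检查目录下的dumped_.exe文件"),0
@exit:
    .if pid
        invoke TerminateProcess, pid, 0
    .endif
    .if processInfo.hProcess
        invoke TerminateProcess, processInfo.hProcess, 0
    .endif
    .if subProcess
        invoke TerminateProcess,subProcess, 0
    .endif
@release:
    .if lpMem
        invoke VirtualFree, lpMem, 0, MEM_RELEASE   ; pairs with VirtualAlloc (was GlobalFree on an unset local)
    .endif
    .if hFile
        invoke CloseHandle, hFile
    .endif
    .if hProc
        invoke CloseHandle, hProc
    .endif
    ret
DumpFile endp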
;-----------------------------------------------------------------------
; OutputInfo(OurBuff, flag) -> eax
; Log helper for the IDC_OutInf edit control of hDlg.
;   flag == 0 : append the zero-terminated text OurBuff at the end
;               (EM_SETSEL -1,-1 moves the caret to the end, EM_REPLACESEL inserts)
;   flag != 0 : clear the control; OurBuff is ignored
; Returns the result of the last window message sent.
;-----------------------------------------------------------------------
OutputInfo proc OurBuff:DWORD,flag:DWORD
    .if flag==0
        invoke SendDlgItemMessage,hDlg,IDC_OutInf,EM_SETSEL,-1,-1
        invoke SendDlgItemMessage,hDlg,IDC_OutInf,EM_REPLACESEL,FALSE,OurBuff
    .else
        invoke SetDlgItemText,hDlg,IDC_OutInf,CTEXT(0)
    .endif
    ret
OutputInfo endp
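;-----------------------------------------------------------------------
; EnableDebugPrivilege(isEnable) -> eax = TRUE/FALSE
; Enables (isEnable != 0) or disables SeDebugPrivilege in this process's
; token. Success means AdjustTokenPrivileges left GetLastError at
; ERROR_SUCCESS, i.e. the privilege was actually adjusted (it returns TRUE
; even when it could not be, with ERROR_NOT_ALL_ASSIGNED).
; Fixes: OpenProcessToken / LookupPrivilegeValue failures now return FALSE
; instead of continuing with an invalid handle or an undefined LUID; ebx is
; saved by USES (it was clobbered; it is used instead of `addr` so the
; handle argument in eax is not overwritten by the lea invoke would emit).
;-----------------------------------------------------------------------
EnableDebugPrivilege proc uses ebx isEnable
local htoken:HANDLE
local uid:LUID
local tp:TOKEN_PRIVILEGES
local isSuccess
    mov isSuccess,FALSE
    invoke GetCurrentProcess
    lea ebx,htoken
    invoke OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES, ebx   ; token handle of this process
    .if eax==0
        mov eax,isSuccess               ; no token to close
        ret
    .endif
    invoke LookupPrivilegeValue,NULL,CTEXT("SeDebugPrivilege"), addr uid   ; LUID of the privilege
    .if eax==0
        invoke CloseHandle,htoken
        mov eax,isSuccess
        ret
    .endif
    mov tp.PrivilegeCount,1
    push uid.LowPart
    pop tp.Privileges[0].Luid.LowPart
    push uid.HighPart
    pop tp.Privileges[0].Luid.HighPart
    .if isEnable
        mov tp.Privileges[0].Attributes, SE_PRIVILEGE_ENABLED
    .else
        mov tp.Privileges[0].Attributes,0
    .endif
    invoke AdjustTokenPrivileges,htoken,FALSE,addr tp, sizeof tp,NULL,NULL
    invoke GetLastError                 ; must follow AdjustTokenPrivileges directly
    .if eax == ERROR_SUCCESS
        mov isSuccess,TRUE
    .endif
    invoke CloseHandle,htoken
    mov eax,isSuccess
    ret
EnableDebugPrivilege endp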
end start