; PeCrypt front-end, Turbo Assembler (MASM-mode) source.
; Syntax/target/ABI: Intel syntax, 32-bit flat model, Win32 StdCall; API
; calls use TASM's extended `call proc, arg, arg` form, which pushes the
; arguments right-to-left as StdCall expects.
.486P                  ; 486 instruction set, privileged instructions allowed
LOCALS                 ; enable @@-prefixed local labels (scoped between two non-local labels)
JUMPS                  ; assembler widens out-of-range conditional jumps automatically
.Model Flat,StdCall    ; flat 32-bit addressing; PROCs get StdCall prologue/epilogue (ret n)
%nolist                ; listing control — this pair is adjacent, so its net effect is nil
%list
UNICODE=0              ; presumably consulted by w32.inc to select the ANSI API names — confirm there
; WriteConsole2 oText — hand the zero-terminated string at `oText` to
; TextBoxWrite(offset oText, 0). TextBoxWrite is defined elsewhere (presumably
; it appends to the edit box set up by TextBoxIni in Main — confirm); the
; meaning of its second argument is not visible in this file.
; All general registers are saved and restored around the call.
; NOTE(review): this uses pusha/popa while CheckforHookedFunctions below uses
; pushad/popad. In a 32-bit segment some assemblers encode `pusha` with a 66h
; operand-size prefix (16-bit halves only); confirm TASM emits the 32-bit form
; here, otherwise the upper halves of the registers are not preserved.
WriteConsole2 Macro oText
pusha
call TextBoxWrite, offset oText, 0
popa
EndM
; F1CKEN _Byte — anti-disassembly filler: a 2-byte short jump over one junk
; byte. Execution is unaffected (3 bytes, nothing but the jump runs); a
; linear-sweep disassembler decodes _Byte as an opcode and desynchronises on
; the real code that follows. Relies on `jmp $+3` assembling as the short
; EB rel8 form — F1CKEN4 below hard-codes this macro's length as 3.
F1CKEN Macro _Byte
Jmp $+3
db _Byte
EndM
; F1CKEN2 _Byte — same trick in two hops: jump over an `int 20h` decoy
; (CD 20), then jump over `_Byte` plus a second `int 20h`. 9 bytes in total;
; only the two jumps execute, no register or flag is touched (so it is safe
; to expand between a cmp and its jnz, as CheckforHookedFunctions does).
; Both jumps must assemble short (2 bytes) for $+4 / $+5 to land correctly;
; F1CKEN4 hard-codes this macro's length as 9.
F1CKEN2 Macro _Byte
jmp $+4
int 20h
jmp $+5
db _Byte
int 20h
EndM
; F1CKEN3 _Byte — jump over `int 20h` + `_Byte` with a CALL instead of a JMP
; (E8 rel32 is 5 bytes; $+8 = 5 + 2 + 1, i.e. the byte after _Byte).
; Unlike the JMP variants this pushes a return address that is NOT popped
; here: every expansion leaves one extra dword on the stack. Compare F1CKEN4,
; which pops its own. TODO confirm each expansion site rebalances the stack.
F1CKEN3 Macro _Byte
call $+8
int 20h
db _Byte
EndM
; F1CKEN4 _Byte — obfuscated "jump to the end of this macro" built from
; call / pop / inc / push / ret, wrapped around junk bytes. eax is preserved.
; Byte offsets below assume the standard encodings (push/pop/inc = 1 byte,
; short jmp = 2, call rel32 = 5, F1CKEN = 3, F1CKEN2 = 9); total 35 bytes.
;   0  push eax          save caller's eax
;   1  call $+13         pushes return address 6, jumps to 14
;   6  db _Byte, 0FFh    junk, never executed as code
;   8  pop eax           } reached last, via the ret at 34: restore eax,
;   9  jmp $+26          } then leave (9 + 26 = 35 = end of macro)
;  11  F1CKEN 0Fh        junk (3 bytes), never executed
;  14  F1CKEN2 _Byte     executed: two skips over junk (9 bytes)
;  23  pop eax           eax = pushed return address = 6
;  24  inc eax           eax = 7
;  25  F1CKEN 8Bh        executed skip, 3 bytes
;  28  inc eax           eax = 8 = address of the `pop eax` above
;  29  jmp $+4           skip the 36h 83h junk
;  33  push eax / ret    indirect jump to offset 8 (push/ret, desyncs the
;                        return predictor — deliberate here)
; The computed target silently breaks if F1CKEN or F1CKEN2 change length.
F1CKEN4 Macro _Byte
push eax
call $+13
db _Byte
db 0FFh
pop eax
jmp $+26
F1CKEN 0Fh
F1CKEN2 _Byte
pop eax
inc eax
F1CKEN 8Bh
inc eax
jmp $+4
db 36h
db 83h
push eax
ret
EndM
; F1CKEN5 — `test eax,eax` always clears CF, so `jnc $+4` is effectively an
; unconditional short jump over the two junk bytes F7 05. A linear
; disassembler reads F7 05 as the opcode/modrm of `test dword ptr [disp32],
; imm32` and swallows the next 8 bytes of real code as displacement +
; immediate. Clobbers flags (ZF/SF/PF now reflect eax); eax is unchanged.
F1CKEN5 Macro
test eax,eax
jnc $+4
db 0F7h
db 05h
EndM
; CONFUSE _Byte — three consecutive short jumps, each over an `int 20h`
; decoy plus junk bytes (_Byte 00 05 00, then 06 00, then 05 00).
; 20 bytes in total (8 + 6 + 6); only the three jumps execute, nothing else
; changes. SEH_TRICK1 depends on this exact 20-byte length for its $+30
; target computation — do not add or remove bytes here without fixing that.
CONFUSE Macro _Byte
jmp $+8
int 20h
db _Byte
db 00h
db 05h
db 00h
jmp $+6
int 20h
db 06h
db 00h
jmp $+6
int 20h
db 05h
db 00h
EndM
; CONFUSE2 _Byte — ping-pong jump chain, 16 bytes, aimed at flow-following
; disassemblers. Byte offsets (all short jumps):
;    0  jmp $+6  -> 6        6  jmp $-4 -> 2
;    2  jmp $+6  -> 8        8  jmp $-4 -> 4
;    4  jmp $+12 -> 16 (end of macro)
; Execution order is 0, 6, 2, 8, 4, exit; the `int 20h` and _Byte 00 05 00 at
; offsets 10..15 are never reached. No register or flag is modified.
CONFUSE2 Macro _Byte
jmp $+6
jmp $+6
jmp $+12
jmp $-4
jmp $-4
int 20h
db _Byte
db 00H
db 05h
db 00h
EndM
; SEH_TRICK1 _Byte — deliberately raise an exception into the installed SEH
; handler and let it resume at a pre-computed address.
;   edx = (offset of the `mov ebp,ebx` below, relative to ToAdd) + ebx:
;         from the start of the `mov edx,imm32` (5 bytes) the layout is
;         CONFUSE (20) + `add edx,ebx` (2) + dw (2) + db (1) = 30, so $+30 is
;         exactly the `mov ebp,ebx`. ebx is assumed to hold the runtime base
;         that all `- offset ToAdd` values are rebased against.
;   dw 0FFFFh = opcode FF with modrm FF (/7, mod=11): an undefined opcode,
;         so the CPU raises #UD and control enters the SEH chain.
; Presumably the handler (r-seh.inc, not shown) sets EIP = edx and resumes
; here at `mov ebp,ebx` — TODO confirm against r-seh.inc. `db _Byte` is junk
; that is never executed. Clobbers edx, ebp and the flags.
SEH_TRICK1 Macro _Byte
CONFUSE 0EAh
mov edx,(offset $+30 - offset ToAdd)
CONFUSE 08Dh
add edx,ebx
dw 0FFFFh
db _Byte
mov ebp,ebx
EndM
; CheckforHookedFunctions — plausibility check on the first three entries of
; Thunktable (a table of dword import addresses). Every operand is addressed
; as (X - offset ToAdd) + ebx, i.e. ebx is assumed to hold the runtime base of
; the ToAdd block — TODO confirm against r-loader.inc.
; Steps:
;   1. the high byte (+3) of entry 1 must equal that of entry 2, and the high
;      byte of entry 0 must equal that of entry 2;
;   2. GetModuleHandle(ModuleDLL) is called through entry 1 (see the comment
;      on the call) and the high byte of the returned module base must equal
;      the high byte of entries 0, 2 and 1.
; Any mismatch -> jnz DeCompressResources; all equal -> popad, fall through.
; Presumably an import whose top address byte differs from its own DLL base
; (or from its neighbours) has been redirected elsewhere, i.e. hooked — the
; macro name is the only evidence for that reading.
; NOTE(review): each jnz leaves without the popad, so the 32-byte pushad frame
; stays on the stack on every DeCompressResources path. That label must either
; never return into code expecting the pre-pushad esp, or pop the frame itself
; — TODO confirm. The F1CKEN2 expansions in between emit only jumps and junk
; and touch neither registers nor flags, so the cmp/jnz pairs they split stay
; valid.
CheckforHookedFunctions Macro
pushad
mov al,byte ptr [(offset Thunktable+4+3 - offset ToAdd)+ebx]      ; high byte of entry 1
F1CKEN2 0EAh
cmp al,byte ptr [(offset Thunktable+4+4+3 - offset ToAdd)+ebx]    ; vs entry 2
jnz DeCompressResources
mov al,byte ptr [(Thunktable - offset ToAdd)+3+ebx]               ; high byte of entry 0
F1CKEN2 0EFh
cmp al,byte ptr [(offset Thunktable+4+4+3 - offset ToAdd)+ebx]    ; vs entry 2
jnz DeCompressResources
mov edx,(offset ModuleDLL - offset ToAdd)
add edx,ebx                                                        ; edx = &ModuleDLL (rebased)
F1CKEN2 0FFh
push edx
call dword ptr [(offset Thunktable+4 - offset ToAdd)+ebx] ; call "GetmoduleHandle"
shr eax,32-8                                                       ; al = high byte of the module base
cmp al,byte ptr [(Thunktable - offset ToAdd)+3+ebx]               ; vs entry 0
F1CKEN2 0E9h
jnz DeCompressResources
cmp al,byte ptr [(offset Thunktable+4+4+3 - offset ToAdd)+ebx]    ; vs entry 2
F1CKEN2 0C7h
jnz DeCompressResources
cmp al,byte ptr [(offset Thunktable+4+3 - offset ToAdd)+ebx]      ; vs entry 1
F1CKEN2 0C8h
jnz DeCompressResources
popad
EndM
include w32.inc
Include k-data.inc
include r-data.inc
Include r-loader.inc
include k-engine.asm
.Code
PeCryptAsm_Start:
;------------------------------------------------------------------------------
; Fixed ;) Now it behaves the right way and we have a REAL Win95 task,
; meaning there is only one task even if several dialogs are active.
;------------------------------------------------------------------------------
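;------------------------------------------------------------------------------
; Main — program entry point (`End Main`).
;   1. single-instance check: FindWindow(szClassPE, DialogTitle); if found,
;      bring it to the front and exit
;   2. copy the loader block [CRC_Block1, ToAdd_END) into a fresh RW buffer,
;      base kept in MemStart6
;   3. install the SEH frame (SEH_Handler, r-seh.inc), InitCommonControls
;   4. splash dialog, then take the first command-line argument as the file to
;      work on (copied to FileName2 and CryptFile; COMMANDLINE = 1 when given)
;   5. register the main window class, create the dialog, toolbar, list view,
;      edit box and progress bar, run the message loop until WM_QUIT
;   6. release MemStart6 and ExitProcess(msg.wParam)
; Review fixes (marked FIX): NULL check on VirtualAlloc; GetMessage's -1 error
; return now ends the loop; VirtualFree called with a valid dwFreeType and its
; result tested the right way round; quoted program paths handled when
; locating the first argument; copied strings carry their NUL terminator.
;------------------------------------------------------------------------------
Main:
        call FindWindow, offset szClassPE, offset DialogTitle
        test eax, eax
        jnz Already_Open                ; eax = HWND of the already running instance
        ; --- copy the loader block into a private read/write buffer ----------
        pusha
        push 4                          ; flProtect        = PAGE_READWRITE
        push 1000h                      ; flAllocationType = MEM_COMMIT
        push (ToAdd_END - offset CRC_Block1)   ; dwSize
        push 0                          ; lpAddress = NULL, let the OS choose
        call VirtualAlloc
        test eax, eax                   ; FIX: a NULL result used to reach rep movsb with edi = 0
        jz GeouttaHere
        mov dword ptr [MemStart6],eax
        mov ecx,(ToAdd_END - offset CRC_Block1)
        mov esi,offset CRC_Block1
        mov edi,dword ptr [MemStart6]
        rep movsb                       ; DF is clear at process entry
        popa
        ; --- install the SEH frame; it stays installed until ExitProcess -----
        push offset SEH_Handler         ; push the new SEH handler
        push dword ptr fs:[0]           ; push the previous one
        mov dword ptr fs:[0],esp        ; save the new handler (install it)
        call GetModuleHandle, 0         ; get hmod (in eax)
        mov hInst, eax                  ; hInstance is same as HMODULE in the Win32 world
        call InitCommonControls
; mov dword ptr muttafick, offset FakeProc
; mov dword ptr lpszClassName, offset szClassKI
; call RegisterClass, offset bla
; call CreateWindowEx,0, offset szClassKI, offset szClassKI, 0, 0, 0, 0, 0, 0, 0, hInst, 0
; mov dword ptr lpszClassName, offset szClassRA
; call RegisterClass, offset bla
; call CreateWindowEx,0, offset szClassRA, offset szClassRA, 0, 0, 0, 0, 0, 0, 0, hInst, 0
; mov dword ptr lpszClassName, offset szClassPE
; call RegisterClass, offset bla
; call CreateWindowEx,0, offset szClassPE, offset szClassPE, 0, 0, 0, 0, 0, 0, 0, hInst, 0
Splash:
        call DialogBoxParamA, hInst , DLG_SPLASH, NULL , offset SplashProc, 0
Splash_End:
        call GetCommandLine
        ; --- locate the first argument ---------------------------------------
        ; edi walks the command line. The program name ends at the first
        ; blank, or — FIX — at the closing quote when it was launched as
        ; "...path with spaces...": the old scan stopped at the first blank
        ; even inside the quotes and then took the rest of the path as the
        ; file name. Unquoted behaviour is unchanged: skip to the first blank,
        ; skip blanks, and treat a NUL there as "no argument".
        ; Resolution of "can't open file pb" Command fucked up ;)
        ; Start of modification - G-RoM 08/07/98
        mov edi, eax
        mov COMMANDLINE, 0              ; Never forget it, NT dislike ;)
        cmp byte ptr [edi], 22h         ; '"' — quoted program path?
        jne @@skip_unquoted
        inc edi                         ; step over the opening quote
@@skip_quoted:
        mov al, byte ptr [edi]
        test al, al
        jz EndCL                        ; unterminated quote: no argument
        inc edi
        cmp al, 22h
        jne @@skip_quoted               ; edi now just past the closing quote
        jmp @@skip_blanks
@@skip_unquoted:
        mov al, byte ptr [edi]
        test al, al
        jz EndCL                        ; program name only: no argument
        inc edi
        cmp al, 20h                     ; ' '
        jne @@skip_unquoted             ; edi now just past the first blank
@@skip_blanks:
        mov al, byte ptr [edi]
        cmp al, 20h
        jne @@have_arg
        inc edi
        jmp @@skip_blanks
@@have_arg:
        test al, al
        jz EndCL                        ; only blanks after the program name
        ; End of modification - G-RoM 08/07/98
EndGCL:
        mov COMMANDLINE, 1
        ; NOTE(review): FileName2 and CryptFile are fixed buffers declared in
        ; an include; their size is not visible here, so these copies remain
        ; unbounded. Clamp ecx to the buffer size once it is known. A quoted
        ; argument is copied together with its quotes, as before.
        cld
        mov esi, edi                    ; esi = first argument (rest of the line)
        lea edi, FileName2
        call lstrlen, esi
        mov ecx, eax
        inc ecx                         ; FIX: include the terminating NUL
        rep movsb
        lea esi, FileName2
        lea edi, CryptFile
        call lstrlen, esi
        mov ecx, eax
        inc ecx
        rep movsb
EndCL:
        ; --- main window class; the window itself comes from a DIALOG resource
        ; (CLASS directive), hence DLGWINDOWEXTRA in cbWndExtra ----------------
        mov wc.wc_cbSize, WNDCLASSEX_
        mov wc.wc_style, CS_HREDRAW + CS_VREDRAW
        mov wc.wc_lpfnWndProc, offset DlgProc
        mov wc.wc_cbClsExtra, 0
        mov wc.wc_cbWndExtra, DLGWINDOWEXTRA ; necessary to use a DialogBox as a window class
        mov eax, hInst
        mov wc.wc_hInstance, eax
        call LoadIcon, hInst, ICON_MAIN ; main icon from the resources
        mov wc.wc_hIcon, eax
        mov wc.wc_hIconSm, eax
        call LoadCursor,NULL, IDC_ARROW ; default arrow cursor
        mov wc.wc_hCursor, eax
        mov wc.wc_hbrBackground, COLOR_WINDOW
        mov wc.wc_lpszMenuName, MENU_MENU
        mov wc.wc_lpszClassName, offset szClassPE
        call RegisterClassEx, offset wc
        ; --- main window and its child controls ------------------------------
        call CreateDialogParam, hInst, offset szClassPE, 0, NULL, 0
        mov [hMain], eax                ; owner for everything created below
        call CreateToolbarEx, hMain, TBSTYLE_TOOLTIPS+WS_CHILD, 0, 8, hInst, 110, offset tdbutton, 8, 16, 16, 16, 16, 18
        mov hToolBar, eax
        call ShowWindow, eax, TRUE
        call SendMessageA, hToolBar, TB_ENABLEBUTTON , ITEM_PROT, FALSE   ; protect button starts disabled
        call ListViewIni, hMain, 1015
        call ListViewAddCol,60,offset SecName
        call ListViewAddCol,75,offset SecVadd
        call ListViewAddCol,85, offset SecVsize
        call ListViewAddCol,75, offset SecRoff
        call ListViewAddCol,85, offset SecRsize
        call ListViewAddCol,90, offset SecRchar
        call ListViewAddCol,60, offset SecRstate
        call TextBoxIni, [hMain], CTL_EDBOX ; EditBox Identifier given to Routine
        call GetDlgItem, [hMain], CTL_PROGBAR ; Handle for progressbar
        mov hPrgrs, eax
        cmp COMMANDLINE, 1
        jnz msg_loop
        mov COMMANDLINE2, 1             ; an argument was supplied; consumed elsewhere
        mov COMMANDLINE, 0
        ; --- message loop ----------------------------------------------------
msg_loop:
        call GetMessage, offset msg, 0,0,0
        test eax, eax                   ; FIX: was `cmp ax,0` — GetMessage returns -1 on error,
        jle end_loop                    ; 0 on WM_QUIT; leave the loop on either
        call IsDialogMessage, [hMain], offset msg ; put this if you want to let the
        cmp eax, TRUE                   ; system handle TAB, ENTER, etc
        jz msg_loop
        call TranslateMessage, offset msg
        call DispatchMessage, offset msg
        jmp msg_loop
end_loop:
        ; FIX: was VirtualFree(mem, size, 2). 2 is not a valid dwFreeType
        ; (MEM_DECOMMIT = 4000h, MEM_RELEASE = 8000h), so the call always
        ; failed, and the old `jne dealloc_error` branched to the error path
        ; on the *success* value (nonzero).
        push 8000h                      ; dwFreeType = MEM_RELEASE
        push 0                          ; dwSize must be 0 with MEM_RELEASE
        push dword ptr [MemStart6]      ; lpAddress = base returned by VirtualAlloc
        call VirtualFree
        test eax, eax
        jz dealloc_error                ; defined outside this file
        call ExitProcess, msg.ms_wParam ; normal exit with the WM_QUIT code
Already_Open:
        call SetForegroundWindow, eax   ; eax = HWND from FindWindow
        call ExitProcess, 0             ; nothing ran here; msg was never filled in
GeouttaHere:
        Push LARGE-1
        Call ExitProcess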
CryptIT:
; FakeProc — stub window procedure: returns 0 for every message and does
; nothing else. Within this file it is referenced only by the commented-out
; RegisterClass/CreateWindowEx block in Main. Declared with the full WNDPROC
; shape (hwnd, msg, wParam, lParam) so the StdCall model emits `ret 16`; the
; `uses ebx edi esi` list is harmless but unnecessary since the body touches
; none of those registers.
FakeProc proc uses ebx edi esi, hwnd:DWORD, wmsg:DWORD, wparam:DWORD, lparam:DWORD
xor eax, eax                    ; LRESULT = 0
ret
FakeProc endp
PeCryptAsm_End:
Pecrypt_End:
include r-seh.inc
End Main