;============================================================
;===== External Functions ===================================
; Win32 imports used by the protector tool itself (kernel32 unless
; noted). The call sites are not in this listing; the grouping below
; is by what the names imply, not by observed use:
;   console / file output : WriteConsoleA, WriteFileA
;   memory                : VirtualAlloc, VirtualFree
;   files                 : DeleteFileA
;   dynamic linking       : LoadLibraryA, GetProcAddress
;   threads / contexts    : CreateThread, SuspendThread, ResumeThread,
;                           ExitThread, GetCurrentThread,
;                           GetThreadContext, SetThreadContext,
;                           Get/SetThreadPriority, Get/SetPriorityClass,
;                           GetCurrentProcessId, OpenProcess
;   synchronisation       : CreateEventA, SetEvent, ResetEvent,
;                           WaitForSingleObject
;   console cursor        : GetConsoleCursorInfo, SetConsoleCursorInfo
;   icon resources        : LookupIconIdFromDirectoryEx (user32)
; NOTE(review): GetTickCount is the only entropy-like import in this
; list. If it seeds the "random" key values declared further down
; (Impenc, Impenc3, CryptValue1), those keys are low-entropy and
; reproducible - confirm against the key-generation code.
Extrn WriteConsoleA : PROC
Extrn WriteFileA : PROC
Extrn VirtualAlloc : PROC
Extrn VirtualFree : PROC
Extrn GetTickCount : PROC
Extrn LookupIconIdFromDirectoryEx : PROC
Extrn DeleteFileA : PROC
Extrn LoadLibraryA : PROC
Extrn SetConsoleCursorInfo : PROC
Extrn GetConsoleCursorInfo : PROC
Extrn CreateThread : PROC
Extrn SetThreadPriority : PROC
Extrn GetThreadPriority : PROC
Extrn GetCurrentProcessId : PROC
Extrn GetPriorityClass : PROC
Extrn OpenProcess : PROC
Extrn SetPriorityClass : PROC
Extrn ResumeThread : PROC
Extrn SuspendThread : PROC
Extrn ExitThread : PROC
Extrn CreateEventA : PROC
Extrn WaitForSingleObject : PROC
Extrn SetEvent : PROC
Extrn ResetEvent : PROC
Extrn GetProcAddress : PROC
Extrn GetThreadContext : PROC
Extrn SetThreadContext : PROC
Extrn GetCurrentThread : PROC
extrn _aP_pack : near ; aPLib v0.10b compressor entry point; its banner and globals are further down in this data section
;============================================================
;===== Some Constants =======================================
; Text equates. PE_CryptVer / PE_Build are materialised as the
; NUL-terminated strings PEVersion / PEBuild below; CR_LF is spliced
; into the db message strings as a two-byte line ending.
PE_CryptVer EQU "version 1.02" ; tool version string
PE_Build EQU "bugfix & test version (DiSTRiBUTE AND DiE)" ; build banner string
CR_LF EQU 0dh,0ah ; carriage return + line feed
;============================================================
;===== Variables ============================================
; NOTE(review): declaration order in this data section is significant -
; several consecutive items are read as one structure (for example the
; 40-byte section-header templates further down). Do not reorder or
; insert bytes between declarations without checking their users.
;
; --- Console message strings ---
; Each is a NUL-terminated C string unless noted. The fixed "PECRYPT32"
; banner / report texts are stable literals and therefore usable as
; static indicators when triaging files packed by this tool. The 'Ä'
; and 'ž' characters are extended-ASCII bytes of the original CP437
; banner (the 'Ä' run is the 0C4h horizontal-line glyph) mis-rendered
; by a code-page mismatch; they are part of the emitted output and
; must be kept byte-identical.
Error1 db "Can't open file!",CR_LF,0
db "ERROR: Filename incorrect or file is in use by another proccess!",CR_LF,0 ; sits after Error1's NUL, so a C-string print of Error1 never shows it - confirm it is addressed separately (the 'proccess' typo is in the runtime literal and is left as-is)
da_error db "ERROR: Error while deallocating memory used by PE-Crypt.",CR_LF
db "It is RECOMMENDED that you reboot the system ASAP!",CR_LF,0 ; continuation of da_error (one string)
a_error db "ERROR: Error while allocating memory, free some!.",CR_LF,0
Terror1 db "ERROR: Error while reading file!",CR_LF,0
MemAllocated db " - Memory allocated...",CR_LF,0
MemDeallocated db CR_LF," - Memory successfully deallocated.",CR_LF
db " - Portable Executable file successfully processed. ",CR_LF,0 ; continuation of MemDeallocated (one string)
NotPE db "ERROR: This file is damaged or not in Portable Executable Format!",CR_LF,0
Displaystring db " ",0 ; one-character output slot; how it is filled is not visible in this listing
String0 db " - Backup successfully generated.",CR_LF,0
String1 db " - Reading Portable Executable header.",CR_LF,0
String2 db " - Processing the Portable Executable ObjectTable.",CR_LF,0
; Per-object report fragments ("Baukasten" = German for "construction
; kit"): printed around hex values, hence the missing line endings.
Baukasten db " - OBJECT : ",0
Baukasten2 db "RVA : ",0
Baukasten3 db "VSIZE : ",0
Baukasten4 db "FLAGS : ",0
Baukasten5 db " - packing done ",0
Baukasten6 db " - encryption done",0
Baukasten7 db "Old PhysicalSize : ",0
Baukasten8 db CR_LF," New PhysicalSize : ",0
Baukasten9 db CR_LF," - Compressionratio : ",0
Baukasten10 db " - Encryption successfully finished. ",0
Baukasten11 db " - Encryption is finished. (compression ratio too low)",0
Baukasten12 db " -- Processing Portable Executable resources.",CR_LF,0
Baukasten13 db " - Encrypting resources.",CR_LF,0
Baukasten14 db " - Compressing resources.",CR_LF,0
Baukasten15 db " - Reading resources.",CR_LF,0
Baukasten16 db " - Compression ratio too low.",CR_LF,0
Baukasten17 db " - Resource Processing finished.",CR_LF,0
Baukasten18 db " -- Processing PE Relocations.",CR_LF,0
Baukasten19 db " - Reading relocations.",CR_LF,0
Baukasten20 db " - Encrypting relocations (16bit).",CR_LF,0
Baukasten21 db " - Encrypting relocations (12bit).",CR_LF,0
Baukasten22 db " - Relocation Processing finished.",CR_LF,0
Baukasten23 db CR_LF," - Debug info was removed.",0
Baukasten24 db CR_LF," - Backup generated.",0
Baukasten25 db " - Using delta compression for relocations.",CR_LF,0
Baukasten252 db " - Delta compression finished.",CR_LF
db " - Now using normal compression.",CR_LF,0 ; continuation of Baukasten252
Baukasten253 db " - Normal compression finished.",CR_LF,0
Baukasten26 db " - Error while parsing the resource data.",CR_LF
db " - Report this error to : random__@hotmail.com",CR_LF,0 ; continuation of Baukasten26
OverLayEr db CR_LF," - Overlay was successfully transfered. ",CR_LF
db " - File may not work after getting protected. ",0 ; continuation of OverLayEr
Baukasten27 db " - No Encryption / Packing of this object (object skipped).",CR_LF
db " This object can't be encrypted / packed due an internal reason.",CR_LF,0 ; continuation of Baukasten27
; Version-information banner: one string spanning the next four lines
; (no NUL until after "VERSION : ").
Baukasten28 db CR_LF
db "-=[o]=- PECRYPT32 Internal Version Information -=[ž]=-",CR_LF
db "ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ",CR_LF,CR_LF
db "PECRYPT32 VERSION : ",0
Baukasten29 db "PECRYPT32 BUILD : ",0
; Report banner: one string spanning the next three lines.
Baukasten30 db CR_LF
db "-=[o]=- PECRYPT32 PROTECTOR REPORT -=[ž]=-",CR_LF
db "ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ",CR_LF,CR_LF,0
; TLS warning: one string spanning the next four lines.
Baukasten32 db CR_LF
db " - Thread Local Storage (.tls) section found.",CR_LF
db " If the file doesn't run anymore : ",CR_LF
db " DISABLE THE TLS SUPPORT. ",CR_LF,0
Baukasten34 db CR_LF
db "ERROR: Can't create backup file.",CR_LF,0 ; continuation of Baukasten34
Baukasten35 db CR_LF
db "ERROR: No PE file, or PE Header damaged.",CR_LF,0 ; continuation of Baukasten35
Baukasten36 db "PECRYPT32: ERROR REPORT",0
Baukasten362 db "File is already PECRYPT32 protected.",CR_LF
db "!API HOOKING DISABLED!",0 ; continuation of Baukasten362
Baukasten372 db "Import Merging disabled due to a zero size section.",0
Baukasten38 db "File is already PECRYPT32 protected.",CR_LF
db "!IMPORT DESTROYING DISABLED!",0 ; continuation of Baukasten38
Baukasten37 db "ERROR: PECRYPT32 can't handle files with no Entrypoint.",CR_LF,0
PEVersion db PE_CryptVer,0 ; string form of the PE_CryptVer equate
PEBuild db PE_Build,0 ; string form of the PE_Build equate
ReturnChars db CR_LF,0 ; bare line ending
HTable db "0123456789ABCDEF" ; nibble -> hex digit lookup; deliberately not NUL-terminated (indexed, never printed as a string)
; Suffixes printed after hex / percentage values.
RVAString db " h ",0
VsizeString db " h ",0
FlagString db " h",CR_LF,0
PhysString db " h ",0
NewPhysString db " h ",0
PercentString db " %",0
; --- Working storage for the protector ---
; NOTE(review): several fixed-size buffers below are filled from the
; input file or its name; the code that fills them is not in this
; listing, so every size noted here is a capacity the caller must
; enforce, not a guarantee.
CryptFile db 128 Dup(0) ; input file name. NOTE(review): 128 bytes, below MAX_PATH (260) - confirm the name copy bounds the length (FileNLength) or rejects longer names
BackupFile db 128 dup(0) ; backup file name, same 128-byte limit as CryptFile
Spaces db " - processing ..",0 ; progress text
Contexti db 1000 dup(0) ; presumably the CONTEXT buffer for GetThreadContext/SetThreadContext (an x86 CONTEXT is 716 bytes) - confirm
; The next seven declarations (8+4+4+4+4+12+4 = 40 bytes) are laid out
; as one IMAGE_SECTION_HEADER for the section the tool adds:
NewOBJ db ".ficken",0 ; Name[8] - the added section's name, a stable static indicator of this packer
VirtualS_NEW dd 0 ; VirtualSize
RVA_NEW dd 0 ; VirtualAddress
Physical_NEW dd 0 ; SizeOfRawData
Offset_NEW dd 0 ; PointerToRawData
Reserved dd 0,0,0 ; PointerToRelocations, PointerToLinenumbers, NumberOfRelocations+NumberOfLinenumbers
ObjectFla db 40h,0,0,0C0h ; Characteristics = 0C0000040h = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE. NOTE(review): IMAGE_SCN_MEM_EXECUTE is not set; if the loader stub is placed in this section the flag must be patched elsewhere - confirm
; Second 40-byte IMAGE_SECTION_HEADER template, for the icon section:
NewOBJ2 db ".icon",0,0,0 ; Name[8]
VSize_New dd 0 ; VirtualSize
Rva_NEW dd 0 ; VirtualAddress
PhysSize_New dd 0 ; SizeOfRawData
PhysOffset dd 0 ; PointerToRawData
dd 0,0,0 ; reloc/linenumber fields (unnamed, reached via PhysOffset+4)
db 40h,0,0,0C0h ; Characteristics, same value as ObjectFla
NewRelocString db ".relocp",0 ; 8-byte section name used for the processed relocations
NewStringi db " % compression successfully finished." ; NOTE(review): no NUL terminator - a C-string print runs on into OrdinalNumba and stops at its NUL; this only works while OrdinalNumba keeps its terminator - confirm, or append ,0
OrdinalNumba db " ",0 ; buffer for the ordinal values (2 bytes; also acts as the terminator of NewStringi)
KILLASTINKT dd 0 ; to save ebp for later use
MONGOKILLA dd 0 ; to save esp
DontStore db 1 ; Dontstore the damn raw data offsets (defaults to 1 = don't store)
MemStart6 dd 0 ; holds another memory offset (needed for the whole loader.inc)
MemStart7 dd 0 ; memory offset (undocumented in the original)
Fhandle dd 0 ; file handle of the input file, presumably
Fhandle2 dd 0 ; second file handle (backup?), presumably
RVA dd 0
PhysicalO dd 0
DosHeader db 4000 dup (?) ; Dosheader. NOTE(review): fixed 4000-byte buffer; e_lfanew may legally exceed this, so the header reader must clamp or reject oversized headers - check the read code (not shown)
PEHeader db 4000 dup (?) ; PE header copy, same 4000-byte limit as DosHeader
LastOBJ db 40 dup (?) ; copy of the last section header (40 = sizeof IMAGE_SECTION_HEADER)
CODEOBJ db 40 dup (?) ; copy of the code section header (40 = sizeof IMAGE_SECTION_HEADER)
output_data db 1024 dup (?) ; scratch output buffer; bounds not visible here
TempBuffer db 2000 dup (?) ; scratch buffer; bounds not visible here
IconBuffer dd 0 ; points to the memory allocated for the icons
OBJnumber dw 0 ; section count (NumberOfSections is a WORD in the PE file header)
RelocLength dd 0
TempVar dd 0 ; just a temp variable
TempVar2 dd 0 ; just another temp variable
TempVar4 dd 0 ; just another tempvariable
CryptValue1 dw 0 ; cryptvalue (16-bit key; the seed source is not visible here - GetTickCount is the only entropy-like import, so confirm how it is derived)
RCompress db 0
DirSize dd 0 ; size of the resource directory
MemStart8 dd 0 ; holds the overlay stuff
MemStart2 dd 0 ; 2nd mem variable for the resource compression
MemStart4 dd 0 ; another pointer for the apack library
MemStart5 dd 0 ; holds the offset of the offset buffer ;))
IconSize dd 0 ; size of the icons
SaveTemp dd 0 ; lame temp variable
IconID dd 0 ; icon id
SaveTemp2 dd 0 ; another lame temp variable
SaveTemp3 dd 0
SaveTemp4 dd 0
LastOBJPos dd 0
VSizeTable db 100 dup (?) ; table for all virtual sizes. NOTE(review): 100 bytes = 25 dword entries, but a PE may declare up to 96 sections - confirm OBJnumber is checked against this capacity before the table is filled
SaveCrap dd 0
FileNLength dd 0 ; length of the filename
FCpassd db 0 ; file check passed?
CurrentRVA dd 0 ; current rva
CurrentVSIZE dd 0 ; current virtualsize
CurrentFLAGS dd 0 ; current Flags
CurrentPhysS dd 0 ; current physicalsize (old)
NewPhysS dd 0 ; new physicalsize
ResourceInde db 0 ; index for resource crap
CompressRelocsnow db 0 ; internal flag for relocation compression
RelocCofs dw 0 ; buffer for the reloc offset
RSize dd 0 ; size of all relocations together
DamnCrap22 dd 0
NullStellen dd 0 ; offset (original comment was an expletive; "Nullstellen" is German for "zero positions")
Rbyte db 0 ; are the relocations the last object?
SPointer1 dd 0
SPointer2 dd 0
SPointer3 dd 0
NewRPos dd 0 ; variable for the new relocation pos
PatchRrva db 0 ; internal variable for icon rvas ;)
NoWayassi db 0
LazyNess db 0 ; just another lame internal variable
SaveMCRC dd 0 ; saved CRC value (used by the CRC check feature, presumably)
dd 0 ; unnamed second dword, reachable only as SaveMCRC+4
SAVEMCRC2 dd 0
Phillipsuckt dd 0
Dontsave db 0 ; internal variable for the tls support
RealSize dd 0 ; the real physical size of an object
HighOrderF db 0 ; High order word for the filesize function. NOTE(review): declared as ONE byte; if its address is passed as an out-parameter that receives a DWORD (e.g. lpFileSizeHigh) the API writes 4 bytes and clobbers the first 3 bytes of FileSize below - confirm the usage, or widen to dd
FileSize dd 0 ; filesize of this portable executable file
FileSize2 dd 0 ; another filesize variable
OverLay db 0 ; internal variable for the overlay detection
OverlaySize dd 0 ; size of the overlay
BufferPos dd 0 ; position of the buffer
InternalRVA dd 0 ; internal import rva (recalculated)
EsiBuffer dd 0 ; just to save esi ;)
TextBuffer dd 0 ; offset of the reserved memory
FunctionC dd 0 ; functioncounter
SaveEESP dd 0
OfsAmount dd 0 ; amount of all offsets
OfsPos dd 0 ; position in the table
OfsResult dd 0 ; offset result for each round
EndResult dd 0 ; contains the smallest offset amount
PosResult dd 0 ; contains the result for each round
CheckIcon db 0 ; check for icons? (for the readsubdir procedure)
CheckVInfo db 0 ; check for version information dir entries
NumberofDirs dd 0 ; number of subdirectories in this directory
IconResult db 0 ; icon found?
Marki dw 0 ; used for the api hooking
ImpCounti dd 0 ; counter for the sections in this PEfile
Impenc dd 0 ; random value for the separate import encryption (seed source not visible here; GetTickCount is the only entropy-like import - confirm)
Impenc3 dd 0 ; another random value for the separate import encryption (same caveat as Impenc)
InfoSize dd 0 ; needed for the progress bar ;)
IconPointers db 2000 dup (?) ; 500 icons = maximum! NOTE(review): 2000 bytes / 4 = 500 pointers; the cap must be enforced by the resource walker (not shown) - an overrun lands on IconPointi, the write cursor into this very table
IconPointi dd offset IconPointers ; write cursor into IconPointers
CompressCounter dd 0
CompressBytes dd 0
HowMany dd 0
CCounter dd 0
OrigSize dd 0 ; size before compression, presumably (see Csize)
SaveTmp dd 0
SavePosition dd 0
Csize dd 0 ; size of the compressed data
AddNew db 0 ; add a new obj? 1 = yes, 0 = no
NewOBJPos dd 0 ; new position for the new obj
NewAlign db 0 ; align it?
OldHSize dd 0 ; old header size
Dealloc db 0 ; needed to fix another possible memory leak
BLASEN dd 0
BLASEN2 dd 0
Howmuch dd 0
FICK dd 0 ; (original comment was a German expletive aimed at the program; purpose undocumented)
WorkMemory dd 0
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;Strings for the Protector Detection
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; (the two declarations below are commented out in the original; kept as history)
; BJFNTString db ".BJFnt" ; detection string for the BJFnt Protector by Marquis
; BJFMessage db "--[ž] PROTECTOR USED : BJFnt CODER : MARQUIS:DE:SOIRE",CR_LF,0
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;Detection strings for the object detection (support for the rva detection)
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Section-name patterns matched against the object table. None is
; NUL-terminated, so the matcher must compare a fixed byte count
; (the compare routine is not in this listing - confirm the lengths).
TLS_String db ".tls" ; 4 bytes
RELOC_String db ".reloc" ; 6 bytes
DGROUP_String db "DGROUP" ; 6 bytes
Icon_String db ".icon" ; 5 bytes
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;possible options
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Option switches, one byte each. The values declared here are the
; defaults (only INFOMODE is on); the option parser that overrides
; them is not in this listing. ANTID, ANTILOADER, ANTIBPX, HOOKFUNC
; and IMPORTD select the stub's analysis-resistance features, which
; is what an analyst of a packed sample will run into.
COMPRESSION db 0 ; 1 = compression on, 0 = only encryption
ARTOFRELOC db 0 ; 1 = 16bit, 0 = 12bit relocation encryption
RESOURCECOMP db 0 ; 1 = resource compression, 0 = resource encryption,
; 2 = resource compression / encryption = off
RELOCCOMP db 0 ; 1 = relocation compression
ANTID db 0 ; anti-debug: 1 = enabled, 0 = disabled
INFOMODE db 1 ; infomode , 0 = off, 1 = on
BACKUPMODE db 0 ; backup mode, 0 = off, 1 = on
VHEURISTIC db 0 ; pseudo pe virus heuristic, 1 = on, 0 = off
CRCM db 0 ; crc warning 0=off, 1=hangup on error, 2=window with warning
HOOKFUNC db 0 ; function hooking, 0 = off , 1 = on
KILLH db 0 ; 0 = off (default) , 1 = on (meaning not documented in the original)
IMPORTD db 0 ; enhanced import destroying, 0=off, 1=on
I_MERGING db 0 ; belongs to the enhanced import destroying
ANTILOADER db 0 ; 0 = off , 1 = on..anti loader routines (background crc checking)
ANTIBPX db 0 ; 0 = off , 1 = on..anti bpx routines
COMPATIBLE db 0 ; 0 = off (original comment read "offset", presumably a typo), 1 = disables the TLS support
DData db ".debug",0 ; section name used when stripping debug data (cf. the "Debug info was removed" message)
RsrcString db ".rsrc",0 ; resource section name
; --- aPLib v0.10b runtime data (Jibz / Joergen Ibsen) ---
; This block looks like it was lifted from a disassembly listing (IDA-
; style "DATA XREF" comment, one byte per line). The per-byte comments
; are the disassembler's character rendering under a different code
; page: 0FAh shown as 'ś' is the CP437 middle dot '·', 0C4h shown as
; 'Ä' is the CP437 horizontal line. Decoded, the bytes read:
;   "aPLib v0.10b - the smaller the better :)"
;   "Copyright (c) 1998 by ─·Jibz·─  All Rights Reserved"
;   "This copy of aPLib is free for non-profitable use."
; It is a banner only; nothing here should be changed byte-wise.
aAplibV0_10bThe db 0Dh,0Ah ; DATA XREF: _DATA:000000B0o
db 0Dh,0Ah
db 'aPLib v0.10b - the smaller the better :)',0Dh,0Ah
db 'Copyright (c) 1998 by Ä'
db 0FAh ; ś
db 4Ah ; J
db 69h ; i
db 62h ; b
db 7Ah ; z
db 0FAh ; ś
db 0C4h ; Ä
db 20h ;
db 20h ;
db 41h ; A
db 6Ch ; l
db 6Ch ; l
db 20h ;
db 52h ; R
db 69h ; i
db 67h ; g
db 68h ; h
db 74h ; t
db 73h ; s
db 20h ;
db 52h ; R
db 65h ; e
db 73h ; s
db 65h ; e
db 72h ; r
db 76h ; v
db 65h ; e
db 64h ; d
db 0Dh ;
db 0Ah ;
db 0Dh ;
db 0Ah ;
db 54h ; T
db 68h ; h
db 69h ; i
db 73h ; s
db 20h ;
db 63h ; c
db 6Fh ; o
db 70h ; p
db 79h ; y
db 20h ;
db 6Fh ; o
db 66h ; f
db 20h ;
db 61h ; a
db 50h ; P
db 4Ch ; L
db 69h ; i
db 62h ; b
db 20h ;
db 69h ; i
db 73h ; s
db 20h ;
db 66h ; f
db 72h ; r
db 65h ; e
db 65h ; e
db 20h ;
db 66h ; f
db 6Fh ; o
db 72h ; r
db 20h ;
db 6Eh ; n
db 6Fh ; o
db 6Eh ; n
db 2Dh ; -
db 70h ; p
db 72h ; r
db 6Fh ; o
db 66h ; f
db 69h ; i
db 74h ; t
db 61h ; a
db 62h ; b
db 6Ch ; l
db 65h ; e
db 20h ;
db 75h ; u
db 73h ; s
db 65h ; e
db 2Eh ; .
db 0Dh ;
db 0Ah ;
db 0Dh ;
db 0Ah ;
db 0 ; NUL terminator of the banner
; --- aPLib compressor globals ---
; The W?name$type symbols are Watcom-style mangled C names, apparently
; exported by the aPLib object that provides _aP_pack. Roles are
; inferred from the names only; the compressor code is not shown.
W?message$npnuc dd offset aAplibV0_10bThe ; pointer to the banner above
public W?aP_nexthashentry$ni
W?aP_nexthashentry$ni dd 1 ; starts at 1
public W?aP_R0$nui
W?aP_R0$nui dd 0FFFFFFFFh ; initialised to -1
W?aP_hashtable$npn$aP_HASH$$ dd 0 ; hash-table pointer, NULL until set up
public W?aP_lookup$n__pnui
W?aP_lookup$n__pnui dd 0
db 1024 dup (?) ; unnamed storage following aP_lookup (apparently 1028 bytes = 257 dwords in total); bounds depend on _aP_pack
public W?aP_hashptr$npnuc
W?aP_hashptr$npnuc dd 0
public W?aP_hash_base$nui
W?aP_hash_base$nui dd 0
public W?aP_output$npnuc
W?aP_output$npnuc dd 0 ; output pointer, presumably
public W?aP_input$npnuc
W?aP_input$npnuc dd 0 ; input pointer, presumably
public W?aP_tagbyte$npnuc
W?aP_tagbyte$npnuc dd 0 ; address of the current tag byte, presumably
public W?aP_tagpos$nui
W?aP_tagpos$nui dd 0 ; bit position within the tag byte, presumably