1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
|
;
;SectionData struct
;
;8 bytes maximal fuer den sectionsnamen
;1 dword fuer den rva
;1 dword fuer die virtual size
;1 dword fuer das offset auf der pladde
;1 dword fuer die physical size
;1 dword fuer die flags
;==
;28
;
;ZERO DWORD TERMINATED
;
;SectionStates struct
;bpro section ein byte
;0=none
;1=encrypt
;2=compress
RSreadIncStart:
ReadSectionData proc
pusha
xor eax,eax
push eax
push eax
push 3
push eax
push eax
push 80000000h+40000000h
push offset CryptFile
call CreateFileA ; Open file with read&write access
cmp eax,-1
jnz FileOpened
WriteConsole2 <offset Error1>
jmp FinishedWithReading
FileOpened:
mov dword ptr [Fhandle],eax
push offset HighOrderF
push dword ptr [Fhandle]
call GetFileSize
or eax,eax
jz No_PE_File2
mov edx,offset DosHeader
mov ecx,80
call ReadFromFile
cmp word ptr [DosHeader],"ZM"
jz DosExecutable
cmp word ptr [DosHeader],"MZ"
jz DosExecutable
jmp No_PE_File2
DosExecutable:
push offset HighOrderF
push dword ptr [Fhandle]
call GetFileSize
mov edx,dword ptr [DosHeader+3Ch]
cmp edx,eax
ja No_PE_File2
call SeekFile
mov edx,offset PEHeader
mov ecx,4000
call ReadFromFile
cmp word ptr [PEHeader],"EP"
jz PEFileForSure
No_PE_File2:
WriteConsole2 <offset NotPE>
push dword ptr [Fhandle]
call CloseHandle
jmp FinishedWithReading
PEFileForSure:
cmp dword ptr [PEHeader+40],0
jnz RvaAvailable
WriteConsole2 <offset Baukasten37>
push dword ptr [Fhandle]
jmp FinishedWithReading
RvaAvailable:
mov esi,offset PEHeader+248 ; pointer to the first obj
movzx ecx,word ptr [PEHeader+6] ; get the number of objects
mov edi,offset SectionData ; points to sectiondata start
mov edx,offset SectionStates ; points to the section states buffa
CreateSectionBuffer:
push esi
push ecx
push esi
mov ecx,8 ; section name is 8 bytes (maximum)
rep movsb ; copy it to the sectiondata structure
pop esi
mov eax,[esi+12] ; get the section rva
stosd ; save it
mov eax,[esi+8] ; get the virtual size
stosd ; save it
mov eax,[esi+20] ; get the physical offset
stosd ; save it
mov eax,[esi+16] ; get the physical size
stosd ; save it
mov eax,[esi+36] ; get the section flags
stosd ; save them
push edi
cmp dword ptr [esi+20],0 ; is the physical offset = 0
jz WriteNoEncryptionByte ; if yes, then don't encrypt / pack
cmp dword ptr [esi+16],0 ; is the physical size = 0
jz WriteNoEncryptionByte ; if yes, then don't encrypt / pack
push esi
mov edi,offset TLS_String ; pointer to the usual tls string
mov ecx,4 ; size of the string = 3 bytes (".tls")
rep cmpsb ; compare th000se 2 strings
pop esi
jz WriteNoEncryptionByte
mov eax,dword ptr [PEHeader+120] ; get the export rva
mov ebx,dword ptr [esi+12] ; get the current rva
cmp eax,ebx
jl NoExportForSure
add ebx,dword ptr [esi+8]
cmp eax,ebx
jl WriteNoEncryptionByte ; don't encrypt / pack this section!
NoExportForSure:
push esi
mov edi,offset DGROUP_String ; pointer to the dgroup string
mov ecx,7 ; 7 bytes = size (".dgroup")
rep cmpsb
pop esi
jz WriteNoEncryptionByte
push esi
mov edi,offset Icon_String
mov ecx,5
rep cmpsb
pop esi
jz WriteNoEncryptionByte
mov eax,dword ptr [PEHeader+192] ; get tls section rva
mov ebx,dword ptr [esi+12] ; get the section rva
cmp eax,ebx
jl NoTlsForSure
add ebx,[esi+8] ; get the section vsize
cmp eax,ebx
jl WriteNoEncryptionByte
NoTlsForSure:
mov eax,dword ptr [PEHeader+120]
cmp eax,dword ptr [esi+12]
jz WriteNoEncryptionByte
mov eax,dword ptr [PEHeader+136] ; check if this obj is the resource obj
cmp eax,dword ptr [esi+12]
jz ResourceConfig
mov eax,dword ptr [PEHeader+164]
mov dword ptr [RELOCSIZE],eax ; save the original size of the relocation section
mov eax,dword ptr [PEHeader+160] ; get relocation section rva
mov ebx,dword ptr [esi+12] ; get the section rva
cmp eax,ebx
jl NoRelocationsForSure
add ebx,[esi+8] ; get the section vsize
cmp eax,ebx
jl RelocationConfig
NoRelocationsForSure:
test [esi+36],00010000000000000000000000000000b ; check for the shared flag!
jnz WriteNoEncryptionByte
mov edi,edx
cmp byte ptr [COMPRESSION],1
jz PackingEnabled
mov al,1
jmp Finished_With_This_Section
PackingEnabled:
mov al,2
jmp Finished_With_This_Section
RelocationConfig:
mov edi,edx
cmp byte ptr [RELOCCOMP],1
jz RelocationCompressionEnabled
mov al,1
jmp Finished_With_This_Section
RelocationCompressionEnabled:
mov al,2
jmp Finished_With_This_Section
ResourceConfig:
mov edi,edx
mov al,byte ptr [RESOURCECOMP]
cmp al,2
jnz ConvertCrap
xor al,al
jmp Finished_With_This_Section
ConvertCrap:
cmp al,1
jnz ConvertCrap2
mov al,2
jmp Finished_With_This_Section
ConvertCrap2:
mov al,1
jmp Finished_With_This_Section
WriteNoEncryptionByte:
mov edi,edx
xor al,al
Finished_With_This_Section:
stosb
inc edx
pop edi
pop ecx
pop esi
add esi,40 ; points now to the next object
dec ecx
jnz CreateSectionBuffer
xor eax,eax
stosd
push dword ptr [Fhandle]
call CloseHandle
popa
ret
FinishedWithReading:
popa
pop eax
jmp finish
ReadSectionData endp
RSreadIncEnd:
|
