flat assembler
Message board for the users of flat assembler.

flat assembler > High Level Languages > Packer

Author
Thread Post new topic Reply to topic
positionx



Joined: 13 Sep 2018
Posts: 1
Hello i have this c++ code
unpack.cpp

Code:
//Include structures file from packer project
#include "../simple_pe_packer/structs.h"

//Unpacking algorithm
#include "lzo_conf.h"
#include "windows.h"
/* decompression */
LZO_EXTERNint
lzo1z_decompress         const lzo_bytep src, lzo_uint  src_len,
                                lzo_bytep dst, lzo_uintp dst_len,
                                lzo_voidp wrkmem /* NOT USED */ ;

//Create function without prologue and epilogue
extern "C" void __declspecnaked unpacker_main

        //Create prologue manually
        __asm
        
                jmp next;
                ret 0xC;
next

                push ebp;
                mov ebp, esp;
                sub esp, 4096;
                
                mov eax, 0x11111111;
                mov ecx, 0x22222222;
                mov edx, 0x33333333;
        
        

        //Image loading address
        unsigned int original_image_base;
        //First section relative address,
        //in which the packer stores its information
        //and packed data themselves
        unsigned int rva_of_first_section;
        //Image loading address Original one, relocations are not applied to it
        unsigned int original_image_base_no_fixup;
        
        //These instructions are required only to
        //replace the addresses in unpacker builder with real ones
        __asm
        
                mov original_image_base, eax;
                mov rva_of_first_section, ecx;
                mov original_image_base_no_fixup, edx;
        
        
        //Address of the variable,
        //which indicates if code was unpacked already
        DWORD* was_unpacked;

        __asm
        
                //Trick to get address
                //of instruction following "call"
                call next2;
                add byte ptr eax, al;
                add byte ptr eax, al;
next2
                //There is an address of first instruction
                //add byte ptr eax, al
                //in eax
                pop eax;

                //Store this address
                mov was_unpacked, eax;

                //Check what is stored there
                mov eax, eax;

                //If there is zero, then move to
                //the unpacker
                test eax, eax;
                jz next3;

                //If not, then finish the unpacker
                //and go to original entry point
                leave;
                jmp eax;

next3
        
        
        //Get pointer to structure with information
        //carefully prepared by packer
        const packed_file_info* info;
        //It is stored in the beginning
        //of packed file first section
        info = reinterpret_cast<const packed_file_info*>original_image_base + rva_of_first_section;

        //Get original entry point address
        DWORD original_ep;
        original_ep = info->original_entry_point + original_image_base;

        __asm
        
                //Write it to address stored in
                //was_unpacked variable
                mov edx, was_unpacked;
                mov eax, original_ep;
                mov edx, eax;
        
        
        //Two LoadLibraryA and GetProcAddress function prototypes typedefs 
        typedef HMODULE __stdcall* load_library_a_funcconst char* library_name;
        typedef INT_PTR __stdcall* get_proc_address_funcHMODULE dll, const char* func_name;

        //Read their addresses from packed_file_info structure
        //Loader puts them there for us
        load_library_a_func load_library_a;
        get_proc_address_func get_proc_address;
        load_library_a = reinterpret_cast<load_library_a_func>info->load_library_a;
        get_proc_address = reinterpret_cast<get_proc_address_func>info->get_proc_address;
        
        
        //Create buffer on stack
        char buf32;
        //kernel32.dll
        *reinterpret_cast<DWORD*>&buf0 = 'nrek';
        *reinterpret_cast<DWORD*>&buf4 = '23le';
        *reinterpret_cast<DWORD*>&buf8 = 'lld.';
        *reinterpret_cast<DWORD*>&buf12 = 0;

        //Load kernel32.dll library
        HMODULE kernel32_dll;
        kernel32_dll = load_library_abuf;

        //VirtualAlloc function prototype typedef
        typedef LPVOID __stdcall* virtual_alloc_funcLPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect;
        //VirtualProtect function prototype typedef
        typedef LPVOID __stdcall* virtual_protect_funcLPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect;
        //VirtualFree function prototype typedef
        typedef LPVOID __stdcall* virtual_free_funcLPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType;

        //VirtualAlloc
        *reinterpret_cast<DWORD*>&buf0 = 'triV';
        *reinterpret_cast<DWORD*>&buf4 = 'Alau';
        *reinterpret_cast<DWORD*>&buf8 = 'coll';
        *reinterpret_cast<DWORD*>&buf12 = 0;

        //Get VirtualAlloc function address
        virtual_alloc_func virtual_alloc;
        virtual_alloc = reinterpret_cast<virtual_alloc_func>get_proc_addresskernel32_dll, buf;

        //VirtualProtect
        *reinterpret_cast<DWORD*>&buf0 = 'triV';
        *reinterpret_cast<DWORD*>&buf4 = 'Plau';
        *reinterpret_cast<DWORD*>&buf8 = 'etor';
        *reinterpret_cast<DWORD*>&buf12 = 'tc';

        //Get VirtualProtect function address
        virtual_protect_func virtual_protect;
        virtual_protect = reinterpret_cast<virtual_protect_func>get_proc_addresskernel32_dll, buf;
        
        //VirtualFree
        *reinterpret_cast<DWORD*>&buf0 = 'triV';
        *reinterpret_cast<DWORD*>&buf4 = 'Flau';
        *reinterpret_cast<DWORD*>&buf8 = 'eer';

        //Get VirtualFree function address
        virtual_free_func virtual_free;
        virtual_free = reinterpret_cast<virtual_free_func>get_proc_addresskernel32_dll, buf;
        
        
        //Copy all packed_file_info structure fields, because
        //we will need them further, but we will overwrite the structure at "info" pointer soon
        packed_file_info info_copy;
        memcpy&info_copy, info, sizeofinfo_copy;
        
        
        //Pointer to the memory 
        //to store unpacked data
        LPVOID unpacked_mem;
        //Allocate the memory
        unpacked_mem = virtual_alloc
                0,
                info->size_of_unpacked_data,
                MEM_COMMIT,
                PAGE_READWRITE;

        //Unpacked data size
        //in fact, this variable is unnecessary
        lzo_uint out_len;
        out_len = 0;

        //Unpack with LZO algorithm
        lzo1z_decompress
                reinterpret_cast<const unsigned char*>reinterpret_cast<DWORD>info + sizeofpacked_file_info,
                info->size_of_packed_data,
                reinterpret_cast<unsigned char*>unpacked_mem,
                &out_len,
                0;
        
        
        //Pointer to DOS file header
        const IMAGE_DOS_HEADER* dos_header;
        //Pointer to file header
        IMAGE_FILE_HEADER* file_header;
        //Virtual address of sections header beginning
        DWORD offset_to_section_headers;
        //Calculate this address
        dos_header = reinterpret_cast<const IMAGE_DOS_HEADER*>original_image_base;
        file_header = reinterpret_cast<IMAGE_FILE_HEADER*>original_image_base + dos_header->e_lfanew + sizeofDWORD;
        //with this formula
        offset_to_section_headers = original_image_base + dos_header->e_lfanew + file_header->SizeOfOptionalHeader
                + sizeofIMAGE_FILE_HEADER + sizeofDWORD /* Signature */;
        
        
        //Null first section memory
        //This region matches the memory region,
        //which is occupied by all sections in original file
        memset
                reinterpret_cast<void*>original_image_base + rva_of_first_section,
                0,
                info_copy.total_virtual_size_of_sections - rva_of_first_section;

        //Let's change memory block attributes, in which
        //PE file and section headers are placed
        //We need write access
        DWORD old_protect;
        virtual_protectreinterpret_cast<LPVOID>offset_to_section_headers,
                info_copy.number_of_sections * sizeofIMAGE_SECTION_HEADER,
                PAGE_READWRITE, &old_protect;

        //Now we change section number
        //in PE file header to original
        file_header->NumberOfSections = info_copy.number_of_sections;
        
        
        //Section header virtual address
        DWORD current_section_structure_pos;
        current_section_structure_pos = offset_to_section_headers;
        //List all sections
        forint i = 0; i != info_copy.number_of_sections; ++i
        
                //Creates section header structure
                IMAGE_SECTION_HEADER section_header;
                //Set structure to null
                memset&section_header, 0, sizeofsection_header;
                //Fill the important fields
                //Characteristics
                section_header.Characteristics = reinterpret_cast<packed_section*>unpacked_mem + i->characteristics;
                //File data offset
                section_header.PointerToRawData = reinterpret_cast<packed_section*>unpacked_mem + i->pointer_to_raw_data;
                //File data size
                section_header.SizeOfRawData = reinterpret_cast<packed_section*>unpacked_mem + i->size_of_raw_data;
                //Relative section virtual address
                section_header.VirtualAddress = reinterpret_cast<packed_section*>unpacked_mem + i->virtual_address;
                //Section virtual size
                section_header.Misc.VirtualSize = reinterpret_cast<packed_section*>unpacked_mem + i->virtual_size;
                //Copy original section name
                memcpysection_header.Name, reinterpret_cast<packed_section*>unpacked_mem + i->name, sizeofsection_header.Name;

                //Copy filled header
                //to memory, where section headers are stored
                memcpyreinterpret_cast<void*>current_section_structure_pos, &section_header, sizeofsection_header;
                MessageBox0, L"And text here", L"MessageBox caption", MB_OK;
                //Move the pointer to next section header
                current_section_structure_pos += sizeofsection_header;
        
        
        
        //Pointer to raw section data
        //is necessary to disassemble compressed sections data
        //and to put them to right places
        DWORD current_raw_data_ptr;
        current_raw_data_ptr = 0;
        //Restore the pointer to section headers
        current_section_structure_pos = offset_to_section_headers;
        //List all the sections again
        forint i = 0; i != info_copy.number_of_sections; ++i
        
                //Section header we've just written
                const IMAGE_SECTION_HEADER* section_header = reinterpret_cast<const IMAGE_SECTION_HEADER*>current_section_structure_pos;

                //Copying sections data to the place in memory,
                //where they have to be placed
                memcpyreinterpret_cast<void*>original_image_base + section_header->VirtualAddress,
                        reinterpret_cast<char*>unpacked_mem + info_copy.number_of_sections * sizeofpacked_section + current_raw_data_ptr,
                        section_header->SizeOfRawData;

                //Move pointer to section data
                //in unpacked data block
                current_raw_data_ptr += section_header->SizeOfRawData;

                //Turn to next section header
                current_section_structure_pos += sizeofIMAGE_SECTION_HEADER;
        
        
        //Release memory with unpacked data,
        //we don't need it anymore
        virtual_freeunpacked_mem, 0, MEM_RELEASE;
        
        
        //Calculate relative virtual address
        //of directory table beginning
        DWORD offset_to_directories;
        offset_to_directories = original_image_base + dos_header->e_lfanew
                + sizeofIMAGE_NT_HEADERS32 - sizeofIMAGE_DATA_DIRECTORY * IMAGE_NUMBEROF_DIRECTORY_ENTRIES;

        //Pointer to import directory
        IMAGE_DATA_DIRECTORY* import_dir;
        import_dir = reinterpret_cast<IMAGE_DATA_DIRECTORY*>offset_to_directories + sizeofIMAGE_DATA_DIRECTORY * IMAGE_DIRECTORY_ENTRY_IMPORT;
        //Write size and virtual address values to corresponding fields
        import_dir->Size = info_copy.original_import_directory_size;
        import_dir->VirtualAddress = info_copy.original_import_directory_rva;
        
        //Pointer to resource directory
        IMAGE_DATA_DIRECTORY* resource_dir;
        resource_dir = reinterpret_cast<IMAGE_DATA_DIRECTORY*>offset_to_directories + sizeofIMAGE_DATA_DIRECTORY * IMAGE_DIRECTORY_ENTRY_RESOURCE;
        //Write size and virtual address values to corresponding fields
        resource_dir->Size = info_copy.original_resource_directory_size;
        resource_dir->VirtualAddress = info_copy.original_resource_directory_rva;

        
        //If the file has imports
        ifinfo_copy.original_import_directory_rva
        
                //First descriptor virtual address
                IMAGE_IMPORT_DESCRIPTOR* descr;
                descr = reinterpret_cast<IMAGE_IMPORT_DESCRIPTOR*>info_copy.original_import_directory_rva + original_image_base;

                //List all descriptors
                //Last one is nulled
                whiledescr->Name
                
                        //Load the required DLL
                        HMODULE dll;
                        dll = load_library_areinterpret_cast<char*>descr->Name + original_image_base;
                        //Pointers to address table and lookup table
                        DWORD* lookup, *address;
                        //Take into account that lookup table may be absent,
                        //as I mentioned at previous step
                        lookup = reinterpret_cast<DWORD*>original_image_base + descr->OriginalFirstThunk ? descr->OriginalFirstThunk  descr->FirstThunk;
                        address = reinterpret_cast<DWORD*>descr->FirstThunk + original_image_base;

                        //List all descriptor imports
                        whiletrue
                        
                                //Till the first null element in lookup table
                                DWORD lookup_value = *lookup;
                                if!lookup_value
                                        break;

                                //Check if the function is imported by ordinal
                                ifIMAGE_SNAP_BY_ORDINAL32lookup_value
                                        *address = static_cast<DWORD>get_proc_addressdll, reinterpret_cast<const char*>lookup_value & ~IMAGE_ORDINAL_FLAG32;
                                else
                                        *address = static_cast<DWORD>get_proc_addressdll, reinterpret_cast<const char*>lookup_value + original_image_base + sizeofWORD;

                                //Move to next element
                                ++lookup;
                                ++address;
                        

                        //Move to next descriptor
                        ++descr;
                
        

        //If a file had relocations and it
        //was moved by the loader
        ifinfo_copy.original_relocation_directory_rva
                && original_image_base_no_fixup != original_image_base
        
                //Pointer to a first IMAGE_BASE_RELOCATION structure
                const IMAGE_BASE_RELOCATION* reloc = reinterpret_cast<const IMAGE_BASE_RELOCATION*>info_copy.original_relocation_directory_rva + original_image_base;

                //Relocated elements relocations directory size
                unsigned long reloc_size = info_copy.original_relocation_directory_size;
                //Count of processed bytes in a directory
                unsigned long read_size = 0;

                //List relocation tables
                whilereloc->SizeOfBlock && read_size < reloc_size
                
                        //List all elements in a table
                        forunsigned long i = sizeofIMAGE_BASE_RELOCATION; i < reloc->SizeOfBlock; i += sizeofWORD
                        
                                //Relocation value
                                WORD elem = *reinterpret_cast<const WORD*>reinterpret_cast<const char*>reloc + i;
                                //If this is IMAGE_REL_BASED_HIGHLOW relocation there are no other in PE x86
                                ifelem >> 12 == IMAGE_REL_BASED_HIGHLOW
                                
                                        //Get DWORD at relocation address
                                        DWORD* value = reinterpret_cast<DWORD*>original_image_base + reloc->VirtualAddress + elem & 1 << 12 - 1;
                                        //Fix it like PE loader
                                        *value = *value - original_image_base_no_fixup + original_image_base;
                                
                        

                        //Calculate number of bytes processed
                        //in relocation directory
                        read_size += reloc->SizeOfBlock;
                        //Go to next relocation table
                        reloc = reinterpret_cast<const IMAGE_BASE_RELOCATION*>reinterpret_cast<const char*>reloc + reloc->SizeOfBlock;
                
        
        
        
        //If file has load configuration directory
        ifinfo_copy.original_load_config_directory_rva
        
                //Get pointer to original load configuration directory
                const IMAGE_LOAD_CONFIG_DIRECTORY32* cfg = reinterpret_cast<const IMAGE_LOAD_CONFIG_DIRECTORY32*>info_copy.original_load_config_directory_rva + original_image_base;

                //If the directory has LOCK prefixes table
                //and the loader overwrites our fake LOCK opcode
                //to NOP 0x90 i.e. the system has a single processor
                ifcfg->LockPrefixTable && info_copy.lock_opcode == 0x90 /* NOP opcode */
                
                        //Get pointer to first element of
                        //absolute address of LOCK prefixes table
                        const DWORD* table_ptr = reinterpret_cast<const DWORD*>cfg->LockPrefixTable;
                        //Enumerate them
                        whiletrue
                        
                                //Pointer to LOCK prefix
                                BYTE* lock_prefix_va = reinterpret_cast<BYTE*>*table_ptr;

                                if!lock_prefix_va
                                break;

                                //Change it to NOP
                                *lock_prefix_va = 0x90;
                        
                
        
        
        //Copy TLS index
        ifinfo_copy.original_tls_index_rva
                *reinterpret_cast<DWORD*>info_copy.original_tls_index_rva + original_image_base = info_copy.tls_index;
                
        ifinfo_copy.original_rva_of_tls_callbacks
        
                //If TLS has callbacks
                PIMAGE_TLS_CALLBACK* tls_callback_address;
                //Pointer to first callback of an original array
                tls_callback_address = reinterpret_cast<PIMAGE_TLS_CALLBACK*>info_copy.original_rva_of_tls_callbacks + original_image_base;
                //Offset relative to the beginning of original TLS callbacks array
                DWORD offset = 0;

                whiletrue
                
                        //If callback is null - this is the end of array
                        if!*tls_callback_address
                                break;

                        //Copy the address of original one
                        //to our callbacks array
                        *reinterpret_cast<PIMAGE_TLS_CALLBACK*>info_copy.new_rva_of_tls_callbacks + original_image_base + offset = *tls_callback_address;

                        //Move to next callback
                        ++tls_callback_address;
                        offset += sizeofDWORD;
                

                //Return to the beginning of the new array
                tls_callback_address = reinterpret_cast<PIMAGE_TLS_CALLBACK*>info_copy.new_rva_of_tls_callbacks + original_image_base;
                whiletrue
                
                        //If callback is null - this is the end of array
                        if!*tls_callback_address
                                break;

                        //Execute callback
                        *tls_callback_addressreinterpret_cast<PVOID>original_image_base, DLL_PROCESS_ATTACH, 0;

                        //Move to next callback
                        ++tls_callback_address;
                
        
        
        
        //Restore headers memory attributes
        virtual_protectreinterpret_cast<LPVOID>offset_to_section_headers, info_copy.number_of_sections * sizeofIMAGE_SECTION_HEADER, old_protect, &old_protect;

        //Create epilogue manually
        _asm
        
                //Move to original entry point
                mov eax, info_copy.original_entry_point;
                add eax, original_image_base;
                leave;
                //Like this
                jmp eax;
        

    


How i can add simple xor decryption? In my main body i have something like this :
Code:
#pragma once
unsigned char unpacker_data = 
0xeb, 0x03, 0xc2, 0x0c, 0x00, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x00, 0x10, 0x00, 0x00, 0xb8, 0x11, 
0x11, 0x11, 0x11, 0xb9, 0x22, 0x22, 0x22, 0x22, 0xba, 0x33, 0x33, 0x33, 0x33, 0x89, 0x45, 0x84, 
0x89, 0x8d, 0x50, 0xff, 0xff, 0xff, 0x89, 0x95, 0x7c, 0xff, 0xff, 0xff, 0xe8, 0x04, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x58, 0x89, 0x85, 0x54, 0xff, 0xff, 0xff, 0x8b, 0x00, 0x85, 0xc0, 
0x74, 0x03, 0xc9, 0xff, 0xe0, 0x8b, 0x45, 0x84, 0x03, 0x85, 0x50, 0xff, 0xff, 0xff, 0x89, 0x85, 
0x48, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x48, 0xff, 0xff, 0xff, 0x8b, 0x40, 0x15, 0x03, 0x45, 0x84, 
0x89, 0x85, 0x58, 0xff, 0xff, 0xff, 0x8b, 0x95, 0x54, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x58, 0xff, 
0xff, 0xff, 0x89, 0x02, 0x8b, 0x85, 0x48, 0xff, 0xff, 0xff, 0x8b, 0x40, 0x41, 0x89, 0x85, 0x34, 
0xff, 0xff, 0xff, 0x8b, 0x85, 0x48, 0xff, 0xff, 0xff, 0x8b, 0x40, 0x45, 0x89, 0x85, 0x38, 0xff, 
0xff, 0xff, 0xc7, 0x85, 0x5c, 0xff, 0xff, 0xff, 0x6b, 0x65, 0x72, 0x6e, 0xc7, 0x85, 0x60, 0xff, 
0xff, 0xff, 0x65, 0x6c, 0x33, 0x32, 0xc7, 0x85, 0x64, 0xff, 0xff, 0xff, 0x2e, 0x64, 0x6c, 0x6c, 
0x83, 0xa5, 0x68, 0xff, 0xff, 0xff, 0x00, 0x8d, 0x85, 0x5c, 0xff, 0xff, 0xff, 0x50, 0xff, 0x95, 
0x34, 0xff, 0xff, 0xff, 0x89, 0x45, 0xe0, 0xc7, 0x85, 0x5c, 0xff, 0xff, 0xff, 0x56, 0x69, 0x72, 
0x74, 0xc7, 0x85, 0x60, 0xff, 0xff, 0xff, 0x75, 0x61, 0x6c, 0x41, 0xc7, 0x85, 0x64, 0xff, 0xff, 
0xff, 0x6c, 0x6c, 0x6f, 0x63, 0x83, 0xa5, 0x68, 0xff, 0xff, 0xff, 0x00, 0x8d, 0x85, 0x5c, 0xff, 
0xff, 0xff, 0x50, 0xff, 0x75, 0xe0, 0xff, 0x95, 0x38, 0xff, 0xff, 0xff, 0x89, 0x85, 0x3c, 0xff, 
0xff, 0xff, 0xc7, 0x85, 0x5c, 0xff, 0xff, 0xff, 0x56, 0x69, 0x72, 0x74, 0xc7, 0x85, 0x60, 0xff, 
0xff, 0xff, 0x75, 0x61, 0x6c, 0x50, 0xc7, 0x85, 0x64, 0xff, 0xff, 0xff, 0x72, 0x6f, 0x74, 0x65, 
0xc7, 0x85, 0x68, 0xff, 0xff, 0xff, 0x63, 0x74, 0x00, 0x00, 0x8d, 0x85, 0x5c, 0xff, 0xff, 0xff, 
0x50, 0xff, 0x75, 0xe0, 0xff, 0x95, 0x38, 0xff, 0xff, 0xff, 0x89, 0x45, 0xdc, 0xc7, 0x85, 0x5c, 
0xff, 0xff, 0xff, 0x56, 0x69, 0x72, 0x74, 0xc7, 0x85, 0x60, 0xff, 0xff, 0xff, 0x75, 0x61, 0x6c, 
0x46, 0xc7, 0x85, 0x64, 0xff, 0xff, 0xff, 0x72, 0x65, 0x65, 0x00, 0x8d, 0x85, 0x5c, 0xff, 0xff, 
0xff, 0x50, 0xff, 0x75, 0xe0, 0xff, 0x95, 0x38, 0xff, 0xff, 0xff, 0x89, 0x85, 0x40, 0xff, 0xff, 
0xff, 0x6a, 0x4d, 0xff, 0xb5, 0x48, 0xff, 0xff, 0xff, 0x8d, 0x45, 0x88, 0x50, 0xe8, 0x8b, 0x08, 
0x00, 0x00, 0x83, 0xc4, 0x0c, 0x6a, 0x04, 0x68, 0x00, 0x10, 0x00, 0x00, 0x8b, 0x85, 0x48, 0xff, 
0xff, 0xff, 0xff, 0x70, 0x05, 0x6a, 0x00, 0xff, 0x95, 0x3c, 0xff, 0xff, 0xff, 0x89, 0x45, 0xf8, 
0x83, 0x65, 0xec, 0x00, 0x6a, 0x00, 0x8d, 0x45, 0xec, 0x50, 0xff, 0x75, 0xf8, 0x8b, 0x85, 0x48, 
0xff, 0xff, 0xff, 0xff, 0x70, 0x01, 0x8b, 0x85, 0x48, 0xff, 0xff, 0xff, 0x83, 0xc0, 0x4d, 0x50, 
0xe8, 0xb5, 0x05, 0x00, 0x00, 0x83, 0xc4, 0x14, 0x8b, 0x45, 0x84, 0x89, 0x45, 0xe4, 0x8b, 0x45, 
0xe4, 0x8b, 0x40, 0x3c, 0x8b, 0x4d, 0x84, 0x8d, 0x44, 0x01, 0x04, 0x89, 0x45, 0xf0, 0x8b, 0x45, 
0xe4, 0x8b, 0x4d, 0x84, 0x03, 0x48, 0x3c, 0x8b, 0x45, 0xf0, 0x0f, 0xb7, 0x40, 0x10, 0x8d, 0x44, 
0x01, 0x18, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0x91, 0x2b, 0x85, 0x50, 0xff, 0xff, 0xff, 0x50, 0x6a, 
0x00, 0x8b, 0x45, 0x84, 0x03, 0x85, 0x50, 0xff, 0xff, 0xff, 0x50, 0xe8, 0xcf, 0x07, 0x00, 0x00, 
0x83, 0xc4, 0x0c, 0x8d, 0x45, 0xf4, 0x50, 0x6a, 0x04, 0x0f, 0xb6, 0x45, 0x88, 0x6b, 0xc0, 0x28, 
0x50, 0xff, 0x75, 0xe8, 0xff, 0x55, 0xdc, 0x66, 0x0f, 0xb6, 0x45, 0x88, 0x8b, 0x4d, 0xf0, 0x66, 
0x89, 0x41, 0x02, 0x8b, 0x45, 0xe8, 0x89, 0x45, 0xfc, 0x83, 0xa5, 0x30, 0xff, 0xff, 0xff, 0x00, 
0xeb, 0x0d, 0x8b, 0x85, 0x30, 0xff, 0xff, 0xff, 0x40, 0x89, 0x85, 0x30, 0xff, 0xff, 0xff, 0x0f, 
0xb6, 0x45, 0x88, 0x39, 0x85, 0x30, 0xff, 0xff, 0xff, 0x0f, 0x84, 0xc1, 0x00, 0x00, 0x00, 0x6a, 
0x28, 0x6a, 0x00, 0x8d, 0x85, 0x08, 0xff, 0xff, 0xff, 0x50, 0xe8, 0x70, 0x07, 0x00, 0x00, 0x83, 
0xc4, 0x0c, 0x8b, 0x85, 0x30, 0xff, 0xff, 0xff, 0x6b, 0xc0, 0x1c, 0x8b, 0x4d, 0xf8, 0x8b, 0x44, 
0x01, 0x18, 0x89, 0x85, 0x2c, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x30, 0xff, 0xff, 0xff, 0x6b, 0xc0, 
0x1c, 0x8b, 0x4d, 0xf8, 0x8b, 0x44, 0x01, 0x14, 0x89, 0x85, 0x1c, 0xff, 0xff, 0xff, 0x8b, 0x85, 
0x30, 0xff, 0xff, 0xff, 0x6b, 0xc0, 0x1c, 0x8b, 0x4d, 0xf8, 0x8b, 0x44, 0x01, 0x10, 0x89, 0x85, 
0x18, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x30, 0xff, 0xff, 0xff, 0x6b, 0xc0, 0x1c, 0x8b, 0x4d, 0xf8, 
0x8b, 0x44, 0x01, 0x0c, 0x89, 0x85, 0x14, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x30, 0xff, 0xff, 0xff, 
0x6b, 0xc0, 0x1c, 0x8b, 0x4d, 0xf8, 0x8b, 0x44, 0x01, 0x08, 0x89, 0x85, 0x10, 0xff, 0xff, 0xff, 
0x6a, 0x08, 0x8b, 0x85, 0x30, 0xff, 0xff, 0xff, 0x6b, 0xc0, 0x1c, 0x03, 0x45, 0xf8, 0x50, 0x8d, 
0x85, 0x08, 0xff, 0xff, 0xff, 0x50, 0xe8, 0x12, 0x07, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x6a, 0x28, 
0x8d, 0x85, 0x08, 0xff, 0xff, 0xff, 0x50, 0xff, 0x75, 0xfc, 0xe8, 0xfe, 0x06, 0x00, 0x00, 0x83, 
0xc4, 0x0c, 0x8b, 0x45, 0xfc, 0x83, 0xc0, 0x28, 0x89, 0x45, 0xfc, 0xe9, 0x22, 0xff, 0xff, 0xff, 
0x83, 0xa5, 0x44, 0xff, 0xff, 0xff, 0x00, 0x8b, 0x45, 0xe8, 0x89, 0x45, 0xfc, 0x83, 0xa5, 0x04, 
0xff, 0xff, 0xff, 0x00, 0xeb, 0x0d, 0x8b, 0x85, 0x04, 0xff, 0xff, 0xff, 0x40, 0x89, 0x85, 0x04, 
0xff, 0xff, 0xff, 0x0f, 0xb6, 0x45, 0x88, 0x39, 0x85, 0x04, 0xff, 0xff, 0xff, 0x74, 0x58, 0x8b, 
0x45, 0xfc, 0x89, 0x85, 0x00, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x00, 0xff, 0xff, 0xff, 0xff, 0x70, 
0x10, 0x0f, 0xb6, 0x45, 0x88, 0x6b, 0xc0, 0x1c, 0x03, 0x45, 0xf8, 0x03, 0x85, 0x44, 0xff, 0xff, 
0xff, 0x50, 0x8b, 0x85, 0x00, 0xff, 0xff, 0xff, 0x8b, 0x4d, 0x84, 0x03, 0x48, 0x0c, 0x51, 0xe8, 
0x89, 0x06, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8b, 0x85, 0x00, 0xff, 0xff, 0xff, 0x8b, 0x8d, 0x44, 
0xff, 0xff, 0xff, 0x03, 0x48, 0x10, 0x89, 0x8d, 0x44, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xfc, 0x83, 
0xc0, 0x28, 0x89, 0x45, 0xfc, 0xeb, 0x8f, 0x68, 0x00, 0x80, 0x00, 0x00, 0x6a, 0x00, 0xff, 0x75, 
0xf8, 0xff, 0x95, 0x40, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xe4, 0x8b, 0x40, 0x3c, 0x8b, 0x4d, 0x84, 
0x8d, 0x44, 0x01, 0x78, 0x89, 0x45, 0x80, 0x8b, 0x45, 0x80, 0x83, 0xc0, 0x08, 0x89, 0x85, 0x4c, 
0xff, 0xff, 0xff, 0x8b, 0x85, 0x4c, 0xff, 0xff, 0xff, 0x8b, 0x4d, 0x99, 0x89, 0x48, 0x04, 0x8b, 
0x85, 0x4c, 0xff, 0xff, 0xff, 0x8b, 0x4d, 0x95, 0x89, 0x08, 0x8b, 0x45, 0x80, 0x83, 0xc0, 0x10, 
0x89, 0x45, 0xd8, 0x8b, 0x45, 0xd8, 0x8b, 0x4d, 0xa5, 0x89, 0x48, 0x04, 0x8b, 0x45, 0xd8, 0x8b, 
0x4d, 0xa1, 0x89, 0x08, 0x83, 0x7d, 0x95, 0x00, 0x0f, 0x84, 0x2a, 0x01, 0x00, 0x00, 0x8b, 0x45, 
0x95, 0x03, 0x45, 0x84, 0x89, 0x85, 0xfc, 0xfe, 0xff, 0xff, 0x8b, 0x85, 0xfc, 0xfe, 0xff, 0xff, 
0x83, 0x78, 0x0c, 0x00, 0x0f, 0x84, 0x0e, 0x01, 0x00, 0x00, 0x8b, 0x85, 0xfc, 0xfe, 0xff, 0xff, 
0x8b, 0x40, 0x0c, 0x03, 0x45, 0x84, 0x50, 0xff, 0x95, 0x34, 0xff, 0xff, 0xff, 0x89, 0x85, 0xf8, 
0xfe, 0xff, 0xff, 0x8b, 0x85, 0xfc, 0xfe, 0xff, 0xff, 0x83, 0x38, 0x00, 0x74, 0x10, 0x8b, 0x85, 
0xfc, 0xfe, 0xff, 0xff, 0x8b, 0x00, 0x89, 0x85, 0xbc, 0xfe, 0xff, 0xff, 0xeb, 0x0f, 0x8b, 0x85, 
0xfc, 0xfe, 0xff, 0xff, 0x8b, 0x40, 0x10, 0x89, 0x85, 0xbc, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0x84, 
0x03, 0x85, 0xbc, 0xfe, 0xff, 0xff, 0x89, 0x85, 0xf0, 0xfe, 0xff, 0xff, 0x8b, 0x85, 0xfc, 0xfe, 
0xff, 0xff, 0x8b, 0x40, 0x10, 0x03, 0x45, 0x84, 0x89, 0x85, 0xf4, 0xfe, 0xff, 0xff, 0x33, 0xc0, 
0x40, 0x0f, 0x84, 0x8d, 0x00, 0x00, 0x00, 0x8b, 0x85, 0xf0, 0xfe, 0xff, 0xff, 0x8b, 0x00, 0x89, 
0x85, 0xec, 0xfe, 0xff, 0xff, 0x83, 0xbd, 0xec, 0xfe, 0xff, 0xff, 0x00, 0x75, 0x02, 0xeb, 0x74, 
0x8b, 0x85, 0xec, 0xfe, 0xff, 0xff, 0x25, 0x00, 0x00, 0x00, 0x80, 0x74, 0x22, 0x8b, 0x85, 0xec, 
0xfe, 0xff, 0xff, 0x25, 0xff, 0xff, 0xff, 0x7f, 0x50, 0xff, 0xb5, 0xf8, 0xfe, 0xff, 0xff, 0xff, 
0x95, 0x38, 0xff, 0xff, 0xff, 0x8b, 0x8d, 0xf4, 0xfe, 0xff, 0xff, 0x89, 0x01, 0xeb, 0x22, 0x8b, 
0x45, 0x84, 0x8b, 0x8d, 0xec, 0xfe, 0xff, 0xff, 0x8d, 0x44, 0x01, 0x02, 0x50, 0xff, 0xb5, 0xf8, 
0xfe, 0xff, 0xff, 0xff, 0x95, 0x38, 0xff, 0xff, 0xff, 0x8b, 0x8d, 0xf4, 0xfe, 0xff, 0xff, 0x89, 
0x01, 0x8b, 0x85, 0xf0, 0xfe, 0xff, 0xff, 0x83, 0xc0, 0x04, 0x89, 0x85, 0xf0, 0xfe, 0xff, 0xff, 
0x8b, 0x85, 0xf4, 0xfe, 0xff, 0xff, 0x83, 0xc0, 0x04, 0x89, 0x85, 0xf4, 0xfe, 0xff, 0xff, 0xe9, 
0x6a, 0xff, 0xff, 0xff, 0x8b, 0x85, 0xfc, 0xfe, 0xff, 0xff, 0x83, 0xc0, 0x14, 0x89, 0x85, 0xfc, 
0xfe, 0xff, 0xff, 0xe9, 0xe2, 0xfe, 0xff, 0xff, 0x83, 0x7d, 0xa9, 0x00, 0x0f, 0x84, 0x06, 0x01, 
0x00, 0x00, 0x8b, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x3b, 0x45, 0x84, 0x0f, 0x84, 0xf7, 0x00, 0x00, 
0x00, 0x8b, 0x45, 0xa9, 0x03, 0x45, 0x84, 0x89, 0x85, 0xe4, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xad, 
0x89, 0x85, 0xe8, 0xfe, 0xff, 0xff, 0x83, 0xa5, 0xe0, 0xfe, 0xff, 0xff, 0x00, 0x8b, 0x85, 0xe4, 
0xfe, 0xff, 0xff, 0x83, 0x78, 0x04, 0x00, 0x0f, 0x84, 0xcb, 0x00, 0x00, 0x00, 0x8b, 0x85, 0xe0, 
0xfe, 0xff, 0xff, 0x3b, 0x85, 0xe8, 0xfe, 0xff, 0xff, 0x0f, 0x83, 0xb9, 0x00, 0x00, 0x00, 0xc7, 
0x85, 0xdc, 0xfe, 0xff, 0xff, 0x08, 0x00, 0x00, 0x00, 0xeb, 0x0e, 0x8b, 0x85, 0xdc, 0xfe, 0xff, 
0xff, 0x40, 0x40, 0x89, 0x85, 0xdc, 0xfe, 0xff, 0xff, 0x8b, 0x85, 0xe4, 0xfe, 0xff, 0xff, 0x8b, 
0x8d, 0xdc, 0xfe, 0xff, 0xff, 0x3b, 0x48, 0x04, 0x73, 0x5f, 0x8b, 0x85, 0xe4, 0xfe, 0xff, 0xff, 
0x03, 0x85, 0xdc, 0xfe, 0xff, 0xff, 0x66, 0x8b, 0x00, 0x66, 0x89, 0x85, 0xd8, 0xfe, 0xff, 0xff, 
0x0f, 0xb7, 0x85, 0xd8, 0xfe, 0xff, 0xff, 0xc1, 0xf8, 0x0c, 0x83, 0xf8, 0x03, 0x75, 0x38, 0x8b, 
0x85, 0xe4, 0xfe, 0xff, 0xff, 0x8b, 0x4d, 0x84, 0x03, 0x08, 0x0f, 0xb7, 0x85, 0xd8, 0xfe, 0xff, 
0xff, 0x25, 0xff, 0x0f, 0x00, 0x00, 0x03, 0xc8, 0x89, 0x8d, 0xd4, 0xfe, 0xff, 0xff, 0x8b, 0x85, 
0xd4, 0xfe, 0xff, 0xff, 0x8b, 0x00, 0x2b, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x03, 0x45, 0x84, 0x8b, 
0x8d, 0xd4, 0xfe, 0xff, 0xff, 0x89, 0x01, 0xeb, 0x82, 0x8b, 0x85, 0xe4, 0xfe, 0xff, 0xff, 0x8b, 
0x8d, 0xe0, 0xfe, 0xff, 0xff, 0x03, 0x48, 0x04, 0x89, 0x8d, 0xe0, 0xfe, 0xff, 0xff, 0x8b, 0x85, 
0xe4, 0xfe, 0xff, 0xff, 0x8b, 0x8d, 0xe4, 0xfe, 0xff, 0xff, 0x03, 0x48, 0x04, 0x89, 0x8d, 0xe4, 
0xfe, 0xff, 0xff, 0xe9, 0x25, 0xff, 0xff, 0xff, 0x83, 0x7d, 0xb1, 0x00, 0x74, 0x59, 0x8b, 0x45, 
0xb1, 0x03, 0x45, 0x84, 0x89, 0x85, 0xd0, 0xfe, 0xff, 0xff, 0x8b, 0x85, 0xd0, 0xfe, 0xff, 0xff, 
0x83, 0x78, 0x20, 0x00, 0x74, 0x41, 0x81, 0x7d, 0xb5, 0x90, 0x00, 0x00, 0x00, 0x75, 0x38, 0x8b, 
0x85, 0xd0, 0xfe, 0xff, 0xff, 0x8b, 0x40, 0x20, 0x89, 0x85, 0xcc, 0xfe, 0xff, 0xff, 0x33, 0xc0, 
0x40, 0x74, 0x24, 0x8b, 0x85, 0xcc, 0xfe, 0xff, 0xff, 0x8b, 0x00, 0x89, 0x85, 0xc8, 0xfe, 0xff, 
0xff, 0x83, 0xbd, 0xc8, 0xfe, 0xff, 0xff, 0x00, 0x75, 0x02, 0xeb, 0x0b, 0x8b, 0x85, 0xc8, 0xfe, 
0xff, 0xff, 0xc6, 0x00, 0x90, 0xeb, 0xd7, 0x83, 0x7d, 0xbd, 0x00, 0x74, 0x0b, 0x8b, 0x45, 0xbd, 
0x03, 0x45, 0x84, 0x8b, 0x4d, 0xb9, 0x89, 0x08, 0x83, 0x7d, 0xc1, 0x00, 0x0f, 0x84, 0x9a, 0x00, 
0x00, 0x00, 0x8b, 0x45, 0xc1, 0x03, 0x45, 0x84, 0x89, 0x85, 0xc0, 0xfe, 0xff, 0xff, 0x83, 0xa5, 
0xc4, 0xfe, 0xff, 0xff, 0x00, 0x33, 0xc0, 0x40, 0x74, 0x44, 0x8b, 0x85, 0xc0, 0xfe, 0xff, 0xff, 
0x83, 0x38, 0x00, 0x75, 0x02, 0xeb, 0x37, 0x8b, 0x45, 0xc5, 0x03, 0x45, 0x84, 0x8b, 0x8d, 0xc4, 
0xfe, 0xff, 0xff, 0x8b, 0x95, 0xc0, 0xfe, 0xff, 0xff, 0x8b, 0x12, 0x89, 0x14, 0x08, 0x8b, 0x85, 
0xc0, 0xfe, 0xff, 0xff, 0x83, 0xc0, 0x04, 0x89, 0x85, 0xc0, 0xfe, 0xff, 0xff, 0x8b, 0x85, 0xc4, 
0xfe, 0xff, 0xff, 0x83, 0xc0, 0x04, 0x89, 0x85, 0xc4, 0xfe, 0xff, 0xff, 0xeb, 0xb7, 0x8b, 0x45, 
0xc5, 0x03, 0x45, 0x84, 0x89, 0x85, 0xc0, 0xfe, 0xff, 0xff, 0x33, 0xc0, 0x40, 0x74, 0x2d, 0x8b, 
0x85, 0xc0, 0xfe, 0xff, 0xff, 0x83, 0x38, 0x00, 0x75, 0x02, 0xeb, 0x20, 0x6a, 0x00, 0x6a, 0x01, 
0xff, 0x75, 0x84, 0x8b, 0x85, 0xc0, 0xfe, 0xff, 0xff, 0xff, 0x10, 0x8b, 0x85, 0xc0, 0xfe, 0xff, 
0xff, 0x83, 0xc0, 0x04, 0x89, 0x85, 0xc0, 0xfe, 0xff, 0xff, 0xeb, 0xce, 0x8d, 0x45, 0xf4, 0x50 ;
    

Which is my unpacker shellcode added to first section okay now i can simple xoring all this bytes by 0x01 this is not problem but i dont know how to i decrypt it inside top code unpack.cpp any ideas?[/code]
Post 13 Sep 2018, 09:14
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16702
Location: In your JS exploiting you and your system
Moved to HLL forum
Post 13 Sep 2018, 10:24
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2019, Tomasz Grysztar.

Powered by rwasa.