positionx
Joined: 13 Sep 2018
Posts: 1
|
Hello i have this c++ code
unpack.cpp
//Include structures file from packer project
#include "../simple_pe_packer/structs.h"
//Unpacking algorithm
#include "lzo_conf.h"
#include "windows.h"
/* decompression */
LZO_EXTERN(int)
lzo1z_decompress ( const lzo_bytep src, lzo_uint src_len,
lzo_bytep dst, lzo_uintp dst_len,
lzo_voidp wrkmem /* NOT USED */ );
//Create function without prologue and epilogue
extern "C" void __declspec(naked) unpacker_main()
{
//Create prologue manually
__asm
{
jmp next;
ret 0xC;
next:
push ebp;
mov ebp, esp;
sub esp, 4096;
mov eax, 0x11111111;
mov ecx, 0x22222222;
mov edx, 0x33333333;
}
//Image loading address
unsigned int original_image_base;
//First section relative address,
//in which the packer stores its information
//and packed data themselves
unsigned int rva_of_first_section;
//Image loading address (Original one, relocations are not applied to it)
unsigned int original_image_base_no_fixup;
//These instructions are required only to
//replace the addresses in unpacker builder with real ones
__asm
{
mov original_image_base, eax;
mov rva_of_first_section, ecx;
mov original_image_base_no_fixup, edx;
}
//Address of the variable,
//which indicates if code was unpacked already
DWORD* was_unpacked;
__asm
{
//Trick to get address
//of instruction following "call"
call next2;
add byte ptr [eax], al;
add byte ptr [eax], al;
next2:
//There is an address of first instruction
//add byte ptr [eax], al
//in eax
pop eax;
//Store this address
mov was_unpacked, eax;
//Check what is stored there
mov eax, [eax];
//If there is zero, then move to
//the unpacker
test eax, eax;
jz next3;
//If not, then finish the unpacker
//and go to original entry point
leave;
jmp eax;
next3:
}
//Get pointer to structure with information
//carefully prepared by packer
const packed_file_info* info;
//It is stored in the beginning
//of packed file first section
info = reinterpret_cast<const packed_file_info*>(original_image_base + rva_of_first_section);
//Get original entry point address
DWORD original_ep;
original_ep = info->original_entry_point + original_image_base;
__asm
{
//Write it to address stored in
//was_unpacked variable
mov edx, was_unpacked;
mov eax, original_ep;
mov [edx], eax;
}
//Two LoadLibraryA and GetProcAddress function prototypes typedefs
typedef HMODULE (__stdcall* load_library_a_func)(const char* library_name);
typedef INT_PTR (__stdcall* get_proc_address_func)(HMODULE dll, const char* func_name);
//Read their addresses from packed_file_info structure
//Loader puts them there for us
load_library_a_func load_library_a;
get_proc_address_func get_proc_address;
load_library_a = reinterpret_cast<load_library_a_func>(info->load_library_a);
get_proc_address = reinterpret_cast<get_proc_address_func>(info->get_proc_address);
//Create buffer on stack
char buf[32];
//kernel32.dll
*reinterpret_cast<DWORD*>(&buf[0]) = 'nrek';
*reinterpret_cast<DWORD*>(&buf[4]) = '23le';
*reinterpret_cast<DWORD*>(&buf[8]) = 'lld.';
*reinterpret_cast<DWORD*>(&buf[12]) = 0;
//Load kernel32.dll library
HMODULE kernel32_dll;
kernel32_dll = load_library_a(buf);
//VirtualAlloc function prototype typedef
typedef LPVOID (__stdcall* virtual_alloc_func)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
//VirtualProtect function prototype typedef
typedef LPVOID (__stdcall* virtual_protect_func)(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);
//VirtualFree function prototype typedef
typedef LPVOID (__stdcall* virtual_free_func)(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType);
//VirtualAlloc
*reinterpret_cast<DWORD*>(&buf[0]) = 'triV';
*reinterpret_cast<DWORD*>(&buf[4]) = 'Alau';
*reinterpret_cast<DWORD*>(&buf[8]) = 'coll';
*reinterpret_cast<DWORD*>(&buf[12]) = 0;
//Get VirtualAlloc function address
virtual_alloc_func virtual_alloc;
virtual_alloc = reinterpret_cast<virtual_alloc_func>(get_proc_address(kernel32_dll, buf));
//VirtualProtect
*reinterpret_cast<DWORD*>(&buf[0]) = 'triV';
*reinterpret_cast<DWORD*>(&buf[4]) = 'Plau';
*reinterpret_cast<DWORD*>(&buf[8]) = 'etor';
*reinterpret_cast<DWORD*>(&buf[12]) = 'tc';
//Get VirtualProtect function address
virtual_protect_func virtual_protect;
virtual_protect = reinterpret_cast<virtual_protect_func>(get_proc_address(kernel32_dll, buf));
//VirtualFree
*reinterpret_cast<DWORD*>(&buf[0]) = 'triV';
*reinterpret_cast<DWORD*>(&buf[4]) = 'Flau';
*reinterpret_cast<DWORD*>(&buf[8]) = 'eer';
//Get VirtualFree function address
virtual_free_func virtual_free;
virtual_free = reinterpret_cast<virtual_free_func>(get_proc_address(kernel32_dll, buf));
//Copy all packed_file_info structure fields, because
//we will need them further, but we will overwrite the structure at "info" pointer soon
packed_file_info info_copy;
memcpy(&info_copy, info, sizeof(info_copy));
//Pointer to the memory
//to store unpacked data
LPVOID unpacked_mem;
//Allocate the memory
unpacked_mem = virtual_alloc(
0,
info->size_of_unpacked_data,
MEM_COMMIT,
PAGE_READWRITE);
//Unpacked data size
//(in fact, this variable is unnecessary)
lzo_uint out_len;
out_len = 0;
//Unpack with LZO algorithm
lzo1z_decompress(
reinterpret_cast<const unsigned char*>(reinterpret_cast<DWORD>(info) + sizeof(packed_file_info)),
info->size_of_packed_data,
reinterpret_cast<unsigned char*>(unpacked_mem),
&out_len,
0);
//Pointer to DOS file header
const IMAGE_DOS_HEADER* dos_header;
//Pointer to file header
IMAGE_FILE_HEADER* file_header;
//Virtual address of sections header beginning
DWORD offset_to_section_headers;
//Calculate this address
dos_header = reinterpret_cast<const IMAGE_DOS_HEADER*>(original_image_base);
file_header = reinterpret_cast<IMAGE_FILE_HEADER*>(original_image_base + dos_header->e_lfanew + sizeof(DWORD));
//with this formula
offset_to_section_headers = original_image_base + dos_header->e_lfanew + file_header->SizeOfOptionalHeader
+ sizeof(IMAGE_FILE_HEADER) + sizeof(DWORD) /* Signature */;
//Null first section memory
//This region matches the memory region,
//which is occupied by all sections in original file
memset(
reinterpret_cast<void*>(original_image_base + rva_of_first_section),
0,
info_copy.total_virtual_size_of_sections - rva_of_first_section);
//Let's change memory block attributes, in which
//PE file and section headers are placed
//We need write access
DWORD old_protect;
virtual_protect(reinterpret_cast<LPVOID>(offset_to_section_headers),
info_copy.number_of_sections * sizeof(IMAGE_SECTION_HEADER),
PAGE_READWRITE, &old_protect);
//Now we change section number
//in PE file header to original
file_header->NumberOfSections = info_copy.number_of_sections;
//Section header virtual address
DWORD current_section_structure_pos;
current_section_structure_pos = offset_to_section_headers;
//List all sections
for(int i = 0; i != info_copy.number_of_sections; ++i)
{
//Creates section header structure
IMAGE_SECTION_HEADER section_header;
//Set structure to null
memset(§ion_header, 0, sizeof(section_header));
//Fill the important fields:
//Characteristics
section_header.Characteristics = (reinterpret_cast<packed_section*>(unpacked_mem) + i)->characteristics;
//File data offset
section_header.PointerToRawData = (reinterpret_cast<packed_section*>(unpacked_mem) + i)->pointer_to_raw_data;
//File data size
section_header.SizeOfRawData = (reinterpret_cast<packed_section*>(unpacked_mem) + i)->size_of_raw_data;
//Relative section virtual address
section_header.VirtualAddress = (reinterpret_cast<packed_section*>(unpacked_mem) + i)->virtual_address;
//Section virtual size
section_header.Misc.VirtualSize = (reinterpret_cast<packed_section*>(unpacked_mem) + i)->virtual_size;
//Copy original section name
memcpy(section_header.Name, (reinterpret_cast<packed_section*>(unpacked_mem) + i)->name, sizeof(section_header.Name));
//Copy filled header
//to memory, where section headers are stored
memcpy(reinterpret_cast<void*>(current_section_structure_pos), §ion_header, sizeof(section_header));
MessageBox(0, L"And text here", L"MessageBox caption", MB_OK);
//Move the pointer to next section header
current_section_structure_pos += sizeof(section_header);
}
//Pointer to raw section data
//is necessary to disassemble compressed sections data
//and to put them to right places
DWORD current_raw_data_ptr;
current_raw_data_ptr = 0;
//Restore the pointer to section headers
current_section_structure_pos = offset_to_section_headers;
//List all the sections again
for(int i = 0; i != info_copy.number_of_sections; ++i)
{
//Section header we've just written
const IMAGE_SECTION_HEADER* section_header = reinterpret_cast<const IMAGE_SECTION_HEADER*>(current_section_structure_pos);
//Copying sections data to the place in memory,
//where they have to be placed
memcpy(reinterpret_cast<void*>(original_image_base + section_header->VirtualAddress),
reinterpret_cast<char*>(unpacked_mem) + info_copy.number_of_sections * sizeof(packed_section) + current_raw_data_ptr,
section_header->SizeOfRawData);
//Move pointer to section data
//in unpacked data block
current_raw_data_ptr += section_header->SizeOfRawData;
//Turn to next section header
current_section_structure_pos += sizeof(IMAGE_SECTION_HEADER);
}
//Release memory with unpacked data,
//we don't need it anymore
virtual_free(unpacked_mem, 0, MEM_RELEASE);
//Calculate relative virtual address
//of directory table beginning
DWORD offset_to_directories;
offset_to_directories = original_image_base + dos_header->e_lfanew
+ sizeof(IMAGE_NT_HEADERS32) - sizeof(IMAGE_DATA_DIRECTORY) * IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
//Pointer to import directory
IMAGE_DATA_DIRECTORY* import_dir;
import_dir = reinterpret_cast<IMAGE_DATA_DIRECTORY*>(offset_to_directories + sizeof(IMAGE_DATA_DIRECTORY) * IMAGE_DIRECTORY_ENTRY_IMPORT);
//Write size and virtual address values to corresponding fields
import_dir->Size = info_copy.original_import_directory_size;
import_dir->VirtualAddress = info_copy.original_import_directory_rva;
//Pointer to resource directory
IMAGE_DATA_DIRECTORY* resource_dir;
resource_dir = reinterpret_cast<IMAGE_DATA_DIRECTORY*>(offset_to_directories + sizeof(IMAGE_DATA_DIRECTORY) * IMAGE_DIRECTORY_ENTRY_RESOURCE);
//Write size and virtual address values to corresponding fields
resource_dir->Size = info_copy.original_resource_directory_size;
resource_dir->VirtualAddress = info_copy.original_resource_directory_rva;
//If the file has imports
if(info_copy.original_import_directory_rva)
{
//First descriptor virtual address
IMAGE_IMPORT_DESCRIPTOR* descr;
descr = reinterpret_cast<IMAGE_IMPORT_DESCRIPTOR*>(info_copy.original_import_directory_rva + original_image_base);
//List all descriptors
//Last one is nulled
while(descr->Name)
{
//Load the required DLL
HMODULE dll;
dll = load_library_a(reinterpret_cast<char*>(descr->Name + original_image_base));
//Pointers to address table and lookup table
DWORD* lookup, *address;
//Take into account that lookup table may be absent,
//as I mentioned at previous step
lookup = reinterpret_cast<DWORD*>(original_image_base + (descr->OriginalFirstThunk ? descr->OriginalFirstThunk : descr->FirstThunk));
address = reinterpret_cast<DWORD*>(descr->FirstThunk + original_image_base);
//List all descriptor imports
while(true)
{
//Till the first null element in lookup table
DWORD lookup_value = *lookup;
if(!lookup_value)
break;
//Check if the function is imported by ordinal
if(IMAGE_SNAP_BY_ORDINAL32(lookup_value))
*address = static_cast<DWORD>(get_proc_address(dll, reinterpret_cast<const char*>(lookup_value & ~IMAGE_ORDINAL_FLAG32)));
else
*address = static_cast<DWORD>(get_proc_address(dll, reinterpret_cast<const char*>(lookup_value + original_image_base + sizeof(WORD))));
//Move to next element
++lookup;
++address;
}
//Move to next descriptor
++descr;
}
}
//If a file had relocations and it
//was moved by the loader
if(info_copy.original_relocation_directory_rva
&& original_image_base_no_fixup != original_image_base)
{
//Pointer to a first IMAGE_BASE_RELOCATION structure
const IMAGE_BASE_RELOCATION* reloc = reinterpret_cast<const IMAGE_BASE_RELOCATION*>(info_copy.original_relocation_directory_rva + original_image_base);
//Relocated elements (relocations) directory size
unsigned long reloc_size = info_copy.original_relocation_directory_size;
//Count of processed bytes in a directory
unsigned long read_size = 0;
//List relocation tables
while(reloc->SizeOfBlock && read_size < reloc_size)
{
//List all elements in a table
for(unsigned long i = sizeof(IMAGE_BASE_RELOCATION); i < reloc->SizeOfBlock; i += sizeof(WORD))
{
//Relocation value
WORD elem = *reinterpret_cast<const WORD*>(reinterpret_cast<const char*>(reloc) + i);
//If this is IMAGE_REL_BASED_HIGHLOW relocation (there are no other in PE x86)
if((elem >> 12) == IMAGE_REL_BASED_HIGHLOW)
{
//Get DWORD at relocation address
DWORD* value = reinterpret_cast<DWORD*>(original_image_base + reloc->VirtualAddress + (elem & ((1 << 12) - 1)));
//Fix it like PE loader
*value = *value - original_image_base_no_fixup + original_image_base;
}
}
//Calculate number of bytes processed
//in relocation directory
read_size += reloc->SizeOfBlock;
//Go to next relocation table
reloc = reinterpret_cast<const IMAGE_BASE_RELOCATION*>(reinterpret_cast<const char*>(reloc) + reloc->SizeOfBlock);
}
}
//If file has load configuration directory
if(info_copy.original_load_config_directory_rva)
{
//Get pointer to original load configuration directory
const IMAGE_LOAD_CONFIG_DIRECTORY32* cfg = reinterpret_cast<const IMAGE_LOAD_CONFIG_DIRECTORY32*>(info_copy.original_load_config_directory_rva + original_image_base);
//If the directory has LOCK prefixes table
//and the loader overwrites our fake LOCK opcode
//to NOP (0x90) (i.e. the system has a single processor)
if(cfg->LockPrefixTable && info_copy.lock_opcode == 0x90 /* NOP opcode */)
{
//Get pointer to first element of
//absolute address of LOCK prefixes table
const DWORD* table_ptr = reinterpret_cast<const DWORD*>(cfg->LockPrefixTable);
//Enumerate them
while(true)
{
//Pointer to LOCK prefix
BYTE* lock_prefix_va = reinterpret_cast<BYTE*>(*table_ptr);
if(!lock_prefix_va)
break;
//Change it to NOP
*lock_prefix_va = 0x90;
}
}
}
//Copy TLS index
if(info_copy.original_tls_index_rva)
*reinterpret_cast<DWORD*>(info_copy.original_tls_index_rva + original_image_base) = info_copy.tls_index;
if(info_copy.original_rva_of_tls_callbacks)
{
//If TLS has callbacks
PIMAGE_TLS_CALLBACK* tls_callback_address;
//Pointer to first callback of an original array
tls_callback_address = reinterpret_cast<PIMAGE_TLS_CALLBACK*>(info_copy.original_rva_of_tls_callbacks + original_image_base);
//Offset relative to the beginning of original TLS callbacks array
DWORD offset = 0;
while(true)
{
//If callback is null - this is the end of array
if(!*tls_callback_address)
break;
//Copy the address of original one
//to our callbacks array
*reinterpret_cast<PIMAGE_TLS_CALLBACK*>(info_copy.new_rva_of_tls_callbacks + original_image_base + offset) = *tls_callback_address;
//Move to next callback
++tls_callback_address;
offset += sizeof(DWORD);
}
//Return to the beginning of the new array
tls_callback_address = reinterpret_cast<PIMAGE_TLS_CALLBACK*>(info_copy.new_rva_of_tls_callbacks + original_image_base);
while(true)
{
//If callback is null - this is the end of array
if(!*tls_callback_address)
break;
//Execute callback
(*tls_callback_address)(reinterpret_cast<PVOID>(original_image_base), DLL_PROCESS_ATTACH, 0);
//Move to next callback
++tls_callback_address;
}
}
//Restore headers memory attributes
virtual_protect(reinterpret_cast<LPVOID>(offset_to_section_headers), info_copy.number_of_sections * sizeof(IMAGE_SECTION_HEADER), old_protect, &old_protect);
//Create epilogue manually
_asm
{
//Move to original entry point
mov eax, info_copy.original_entry_point;
add eax, original_image_base;
leave;
//Like this
jmp eax;
}
}
How i can add simple xor decryption? In my main body i have something like this :
#pragma once
unsigned char unpacker_data[] = {
0xeb, 0x03, 0xc2, 0x0c, 0x00, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x00, 0x10, 0x00, 0x00, 0xb8, 0x11,
0x11, 0x11, 0x11, 0xb9, 0x22, 0x22, 0x22, 0x22, 0xba, 0x33, 0x33, 0x33, 0x33, 0x89, 0x45, 0x84,
0x89, 0x8d, 0x50, 0xff, 0xff, 0xff, 0x89, 0x95, 0x7c, 0xff, 0xff, 0xff, 0xe8, 0x04, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x58, 0x89, 0x85, 0x54, 0xff, 0xff, 0xff, 0x8b, 0x00, 0x85, 0xc0,
0x74, 0x03, 0xc9, 0xff, 0xe0, 0x8b, 0x45, 0x84, 0x03, 0x85, 0x50, 0xff, 0xff, 0xff, 0x89, 0x85,
0x48, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x48, 0xff, 0xff, 0xff, 0x8b, 0x40, 0x15, 0x03, 0x45, 0x84,
0x89, 0x85, 0x58, 0xff, 0xff, 0xff, 0x8b, 0x95, 0x54, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x58, 0xff,
0xff, 0xff, 0x89, 0x02, 0x8b, 0x85, 0x48, 0xff, 0xff, 0xff, 0x8b, 0x40, 0x41, 0x89, 0x85, 0x34,
0xff, 0xff, 0xff, 0x8b, 0x85, 0x48, 0xff, 0xff, 0xff, 0x8b, 0x40, 0x45, 0x89, 0x85, 0x38, 0xff,
0xff, 0xff, 0xc7, 0x85, 0x5c, 0xff, 0xff, 0xff, 0x6b, 0x65, 0x72, 0x6e, 0xc7, 0x85, 0x60, 0xff,
0xff, 0xff, 0x65, 0x6c, 0x33, 0x32, 0xc7, 0x85, 0x64, 0xff, 0xff, 0xff, 0x2e, 0x64, 0x6c, 0x6c,
0x83, 0xa5, 0x68, 0xff, 0xff, 0xff, 0x00, 0x8d, 0x85, 0x5c, 0xff, 0xff, 0xff, 0x50, 0xff, 0x95,
0x34, 0xff, 0xff, 0xff, 0x89, 0x45, 0xe0, 0xc7, 0x85, 0x5c, 0xff, 0xff, 0xff, 0x56, 0x69, 0x72,
0x74, 0xc7, 0x85, 0x60, 0xff, 0xff, 0xff, 0x75, 0x61, 0x6c, 0x41, 0xc7, 0x85, 0x64, 0xff, 0xff,
0xff, 0x6c, 0x6c, 0x6f, 0x63, 0x83, 0xa5, 0x68, 0xff, 0xff, 0xff, 0x00, 0x8d, 0x85, 0x5c, 0xff,
0xff, 0xff, 0x50, 0xff, 0x75, 0xe0, 0xff, 0x95, 0x38, 0xff, 0xff, 0xff, 0x89, 0x85, 0x3c, 0xff,
0xff, 0xff, 0xc7, 0x85, 0x5c, 0xff, 0xff, 0xff, 0x56, 0x69, 0x72, 0x74, 0xc7, 0x85, 0x60, 0xff,
0xff, 0xff, 0x75, 0x61, 0x6c, 0x50, 0xc7, 0x85, 0x64, 0xff, 0xff, 0xff, 0x72, 0x6f, 0x74, 0x65,
0xc7, 0x85, 0x68, 0xff, 0xff, 0xff, 0x63, 0x74, 0x00, 0x00, 0x8d, 0x85, 0x5c, 0xff, 0xff, 0xff,
0x50, 0xff, 0x75, 0xe0, 0xff, 0x95, 0x38, 0xff, 0xff, 0xff, 0x89, 0x45, 0xdc, 0xc7, 0x85, 0x5c,
0xff, 0xff, 0xff, 0x56, 0x69, 0x72, 0x74, 0xc7, 0x85, 0x60, 0xff, 0xff, 0xff, 0x75, 0x61, 0x6c,
0x46, 0xc7, 0x85, 0x64, 0xff, 0xff, 0xff, 0x72, 0x65, 0x65, 0x00, 0x8d, 0x85, 0x5c, 0xff, 0xff,
0xff, 0x50, 0xff, 0x75, 0xe0, 0xff, 0x95, 0x38, 0xff, 0xff, 0xff, 0x89, 0x85, 0x40, 0xff, 0xff,
0xff, 0x6a, 0x4d, 0xff, 0xb5, 0x48, 0xff, 0xff, 0xff, 0x8d, 0x45, 0x88, 0x50, 0xe8, 0x8b, 0x08,
0x00, 0x00, 0x83, 0xc4, 0x0c, 0x6a, 0x04, 0x68, 0x00, 0x10, 0x00, 0x00, 0x8b, 0x85, 0x48, 0xff,
0xff, 0xff, 0xff, 0x70, 0x05, 0x6a, 0x00, 0xff, 0x95, 0x3c, 0xff, 0xff, 0xff, 0x89, 0x45, 0xf8,
0x83, 0x65, 0xec, 0x00, 0x6a, 0x00, 0x8d, 0x45, 0xec, 0x50, 0xff, 0x75, 0xf8, 0x8b, 0x85, 0x48,
0xff, 0xff, 0xff, 0xff, 0x70, 0x01, 0x8b, 0x85, 0x48, 0xff, 0xff, 0xff, 0x83, 0xc0, 0x4d, 0x50,
0xe8, 0xb5, 0x05, 0x00, 0x00, 0x83, 0xc4, 0x14, 0x8b, 0x45, 0x84, 0x89, 0x45, 0xe4, 0x8b, 0x45,
0xe4, 0x8b, 0x40, 0x3c, 0x8b, 0x4d, 0x84, 0x8d, 0x44, 0x01, 0x04, 0x89, 0x45, 0xf0, 0x8b, 0x45,
0xe4, 0x8b, 0x4d, 0x84, 0x03, 0x48, 0x3c, 0x8b, 0x45, 0xf0, 0x0f, 0xb7, 0x40, 0x10, 0x8d, 0x44,
0x01, 0x18, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0x91, 0x2b, 0x85, 0x50, 0xff, 0xff, 0xff, 0x50, 0x6a,
0x00, 0x8b, 0x45, 0x84, 0x03, 0x85, 0x50, 0xff, 0xff, 0xff, 0x50, 0xe8, 0xcf, 0x07, 0x00, 0x00,
0x83, 0xc4, 0x0c, 0x8d, 0x45, 0xf4, 0x50, 0x6a, 0x04, 0x0f, 0xb6, 0x45, 0x88, 0x6b, 0xc0, 0x28,
0x50, 0xff, 0x75, 0xe8, 0xff, 0x55, 0xdc, 0x66, 0x0f, 0xb6, 0x45, 0x88, 0x8b, 0x4d, 0xf0, 0x66,
0x89, 0x41, 0x02, 0x8b, 0x45, 0xe8, 0x89, 0x45, 0xfc, 0x83, 0xa5, 0x30, 0xff, 0xff, 0xff, 0x00,
0xeb, 0x0d, 0x8b, 0x85, 0x30, 0xff, 0xff, 0xff, 0x40, 0x89, 0x85, 0x30, 0xff, 0xff, 0xff, 0x0f,
0xb6, 0x45, 0x88, 0x39, 0x85, 0x30, 0xff, 0xff, 0xff, 0x0f, 0x84, 0xc1, 0x00, 0x00, 0x00, 0x6a,
0x28, 0x6a, 0x00, 0x8d, 0x85, 0x08, 0xff, 0xff, 0xff, 0x50, 0xe8, 0x70, 0x07, 0x00, 0x00, 0x83,
0xc4, 0x0c, 0x8b, 0x85, 0x30, 0xff, 0xff, 0xff, 0x6b, 0xc0, 0x1c, 0x8b, 0x4d, 0xf8, 0x8b, 0x44,
0x01, 0x18, 0x89, 0x85, 0x2c, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x30, 0xff, 0xff, 0xff, 0x6b, 0xc0,
0x1c, 0x8b, 0x4d, 0xf8, 0x8b, 0x44, 0x01, 0x14, 0x89, 0x85, 0x1c, 0xff, 0xff, 0xff, 0x8b, 0x85,
0x30, 0xff, 0xff, 0xff, 0x6b, 0xc0, 0x1c, 0x8b, 0x4d, 0xf8, 0x8b, 0x44, 0x01, 0x10, 0x89, 0x85,
0x18, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x30, 0xff, 0xff, 0xff, 0x6b, 0xc0, 0x1c, 0x8b, 0x4d, 0xf8,
0x8b, 0x44, 0x01, 0x0c, 0x89, 0x85, 0x14, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x30, 0xff, 0xff, 0xff,
0x6b, 0xc0, 0x1c, 0x8b, 0x4d, 0xf8, 0x8b, 0x44, 0x01, 0x08, 0x89, 0x85, 0x10, 0xff, 0xff, 0xff,
0x6a, 0x08, 0x8b, 0x85, 0x30, 0xff, 0xff, 0xff, 0x6b, 0xc0, 0x1c, 0x03, 0x45, 0xf8, 0x50, 0x8d,
0x85, 0x08, 0xff, 0xff, 0xff, 0x50, 0xe8, 0x12, 0x07, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x6a, 0x28,
0x8d, 0x85, 0x08, 0xff, 0xff, 0xff, 0x50, 0xff, 0x75, 0xfc, 0xe8, 0xfe, 0x06, 0x00, 0x00, 0x83,
0xc4, 0x0c, 0x8b, 0x45, 0xfc, 0x83, 0xc0, 0x28, 0x89, 0x45, 0xfc, 0xe9, 0x22, 0xff, 0xff, 0xff,
0x83, 0xa5, 0x44, 0xff, 0xff, 0xff, 0x00, 0x8b, 0x45, 0xe8, 0x89, 0x45, 0xfc, 0x83, 0xa5, 0x04,
0xff, 0xff, 0xff, 0x00, 0xeb, 0x0d, 0x8b, 0x85, 0x04, 0xff, 0xff, 0xff, 0x40, 0x89, 0x85, 0x04,
0xff, 0xff, 0xff, 0x0f, 0xb6, 0x45, 0x88, 0x39, 0x85, 0x04, 0xff, 0xff, 0xff, 0x74, 0x58, 0x8b,
0x45, 0xfc, 0x89, 0x85, 0x00, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x00, 0xff, 0xff, 0xff, 0xff, 0x70,
0x10, 0x0f, 0xb6, 0x45, 0x88, 0x6b, 0xc0, 0x1c, 0x03, 0x45, 0xf8, 0x03, 0x85, 0x44, 0xff, 0xff,
0xff, 0x50, 0x8b, 0x85, 0x00, 0xff, 0xff, 0xff, 0x8b, 0x4d, 0x84, 0x03, 0x48, 0x0c, 0x51, 0xe8,
0x89, 0x06, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8b, 0x85, 0x00, 0xff, 0xff, 0xff, 0x8b, 0x8d, 0x44,
0xff, 0xff, 0xff, 0x03, 0x48, 0x10, 0x89, 0x8d, 0x44, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xfc, 0x83,
0xc0, 0x28, 0x89, 0x45, 0xfc, 0xeb, 0x8f, 0x68, 0x00, 0x80, 0x00, 0x00, 0x6a, 0x00, 0xff, 0x75,
0xf8, 0xff, 0x95, 0x40, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xe4, 0x8b, 0x40, 0x3c, 0x8b, 0x4d, 0x84,
0x8d, 0x44, 0x01, 0x78, 0x89, 0x45, 0x80, 0x8b, 0x45, 0x80, 0x83, 0xc0, 0x08, 0x89, 0x85, 0x4c,
0xff, 0xff, 0xff, 0x8b, 0x85, 0x4c, 0xff, 0xff, 0xff, 0x8b, 0x4d, 0x99, 0x89, 0x48, 0x04, 0x8b,
0x85, 0x4c, 0xff, 0xff, 0xff, 0x8b, 0x4d, 0x95, 0x89, 0x08, 0x8b, 0x45, 0x80, 0x83, 0xc0, 0x10,
0x89, 0x45, 0xd8, 0x8b, 0x45, 0xd8, 0x8b, 0x4d, 0xa5, 0x89, 0x48, 0x04, 0x8b, 0x45, 0xd8, 0x8b,
0x4d, 0xa1, 0x89, 0x08, 0x83, 0x7d, 0x95, 0x00, 0x0f, 0x84, 0x2a, 0x01, 0x00, 0x00, 0x8b, 0x45,
0x95, 0x03, 0x45, 0x84, 0x89, 0x85, 0xfc, 0xfe, 0xff, 0xff, 0x8b, 0x85, 0xfc, 0xfe, 0xff, 0xff,
0x83, 0x78, 0x0c, 0x00, 0x0f, 0x84, 0x0e, 0x01, 0x00, 0x00, 0x8b, 0x85, 0xfc, 0xfe, 0xff, 0xff,
0x8b, 0x40, 0x0c, 0x03, 0x45, 0x84, 0x50, 0xff, 0x95, 0x34, 0xff, 0xff, 0xff, 0x89, 0x85, 0xf8,
0xfe, 0xff, 0xff, 0x8b, 0x85, 0xfc, 0xfe, 0xff, 0xff, 0x83, 0x38, 0x00, 0x74, 0x10, 0x8b, 0x85,
0xfc, 0xfe, 0xff, 0xff, 0x8b, 0x00, 0x89, 0x85, 0xbc, 0xfe, 0xff, 0xff, 0xeb, 0x0f, 0x8b, 0x85,
0xfc, 0xfe, 0xff, 0xff, 0x8b, 0x40, 0x10, 0x89, 0x85, 0xbc, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0x84,
0x03, 0x85, 0xbc, 0xfe, 0xff, 0xff, 0x89, 0x85, 0xf0, 0xfe, 0xff, 0xff, 0x8b, 0x85, 0xfc, 0xfe,
0xff, 0xff, 0x8b, 0x40, 0x10, 0x03, 0x45, 0x84, 0x89, 0x85, 0xf4, 0xfe, 0xff, 0xff, 0x33, 0xc0,
0x40, 0x0f, 0x84, 0x8d, 0x00, 0x00, 0x00, 0x8b, 0x85, 0xf0, 0xfe, 0xff, 0xff, 0x8b, 0x00, 0x89,
0x85, 0xec, 0xfe, 0xff, 0xff, 0x83, 0xbd, 0xec, 0xfe, 0xff, 0xff, 0x00, 0x75, 0x02, 0xeb, 0x74,
0x8b, 0x85, 0xec, 0xfe, 0xff, 0xff, 0x25, 0x00, 0x00, 0x00, 0x80, 0x74, 0x22, 0x8b, 0x85, 0xec,
0xfe, 0xff, 0xff, 0x25, 0xff, 0xff, 0xff, 0x7f, 0x50, 0xff, 0xb5, 0xf8, 0xfe, 0xff, 0xff, 0xff,
0x95, 0x38, 0xff, 0xff, 0xff, 0x8b, 0x8d, 0xf4, 0xfe, 0xff, 0xff, 0x89, 0x01, 0xeb, 0x22, 0x8b,
0x45, 0x84, 0x8b, 0x8d, 0xec, 0xfe, 0xff, 0xff, 0x8d, 0x44, 0x01, 0x02, 0x50, 0xff, 0xb5, 0xf8,
0xfe, 0xff, 0xff, 0xff, 0x95, 0x38, 0xff, 0xff, 0xff, 0x8b, 0x8d, 0xf4, 0xfe, 0xff, 0xff, 0x89,
0x01, 0x8b, 0x85, 0xf0, 0xfe, 0xff, 0xff, 0x83, 0xc0, 0x04, 0x89, 0x85, 0xf0, 0xfe, 0xff, 0xff,
0x8b, 0x85, 0xf4, 0xfe, 0xff, 0xff, 0x83, 0xc0, 0x04, 0x89, 0x85, 0xf4, 0xfe, 0xff, 0xff, 0xe9,
0x6a, 0xff, 0xff, 0xff, 0x8b, 0x85, 0xfc, 0xfe, 0xff, 0xff, 0x83, 0xc0, 0x14, 0x89, 0x85, 0xfc,
0xfe, 0xff, 0xff, 0xe9, 0xe2, 0xfe, 0xff, 0xff, 0x83, 0x7d, 0xa9, 0x00, 0x0f, 0x84, 0x06, 0x01,
0x00, 0x00, 0x8b, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x3b, 0x45, 0x84, 0x0f, 0x84, 0xf7, 0x00, 0x00,
0x00, 0x8b, 0x45, 0xa9, 0x03, 0x45, 0x84, 0x89, 0x85, 0xe4, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xad,
0x89, 0x85, 0xe8, 0xfe, 0xff, 0xff, 0x83, 0xa5, 0xe0, 0xfe, 0xff, 0xff, 0x00, 0x8b, 0x85, 0xe4,
0xfe, 0xff, 0xff, 0x83, 0x78, 0x04, 0x00, 0x0f, 0x84, 0xcb, 0x00, 0x00, 0x00, 0x8b, 0x85, 0xe0,
0xfe, 0xff, 0xff, 0x3b, 0x85, 0xe8, 0xfe, 0xff, 0xff, 0x0f, 0x83, 0xb9, 0x00, 0x00, 0x00, 0xc7,
0x85, 0xdc, 0xfe, 0xff, 0xff, 0x08, 0x00, 0x00, 0x00, 0xeb, 0x0e, 0x8b, 0x85, 0xdc, 0xfe, 0xff,
0xff, 0x40, 0x40, 0x89, 0x85, 0xdc, 0xfe, 0xff, 0xff, 0x8b, 0x85, 0xe4, 0xfe, 0xff, 0xff, 0x8b,
0x8d, 0xdc, 0xfe, 0xff, 0xff, 0x3b, 0x48, 0x04, 0x73, 0x5f, 0x8b, 0x85, 0xe4, 0xfe, 0xff, 0xff,
0x03, 0x85, 0xdc, 0xfe, 0xff, 0xff, 0x66, 0x8b, 0x00, 0x66, 0x89, 0x85, 0xd8, 0xfe, 0xff, 0xff,
0x0f, 0xb7, 0x85, 0xd8, 0xfe, 0xff, 0xff, 0xc1, 0xf8, 0x0c, 0x83, 0xf8, 0x03, 0x75, 0x38, 0x8b,
0x85, 0xe4, 0xfe, 0xff, 0xff, 0x8b, 0x4d, 0x84, 0x03, 0x08, 0x0f, 0xb7, 0x85, 0xd8, 0xfe, 0xff,
0xff, 0x25, 0xff, 0x0f, 0x00, 0x00, 0x03, 0xc8, 0x89, 0x8d, 0xd4, 0xfe, 0xff, 0xff, 0x8b, 0x85,
0xd4, 0xfe, 0xff, 0xff, 0x8b, 0x00, 0x2b, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x03, 0x45, 0x84, 0x8b,
0x8d, 0xd4, 0xfe, 0xff, 0xff, 0x89, 0x01, 0xeb, 0x82, 0x8b, 0x85, 0xe4, 0xfe, 0xff, 0xff, 0x8b,
0x8d, 0xe0, 0xfe, 0xff, 0xff, 0x03, 0x48, 0x04, 0x89, 0x8d, 0xe0, 0xfe, 0xff, 0xff, 0x8b, 0x85,
0xe4, 0xfe, 0xff, 0xff, 0x8b, 0x8d, 0xe4, 0xfe, 0xff, 0xff, 0x03, 0x48, 0x04, 0x89, 0x8d, 0xe4,
0xfe, 0xff, 0xff, 0xe9, 0x25, 0xff, 0xff, 0xff, 0x83, 0x7d, 0xb1, 0x00, 0x74, 0x59, 0x8b, 0x45,
0xb1, 0x03, 0x45, 0x84, 0x89, 0x85, 0xd0, 0xfe, 0xff, 0xff, 0x8b, 0x85, 0xd0, 0xfe, 0xff, 0xff,
0x83, 0x78, 0x20, 0x00, 0x74, 0x41, 0x81, 0x7d, 0xb5, 0x90, 0x00, 0x00, 0x00, 0x75, 0x38, 0x8b,
0x85, 0xd0, 0xfe, 0xff, 0xff, 0x8b, 0x40, 0x20, 0x89, 0x85, 0xcc, 0xfe, 0xff, 0xff, 0x33, 0xc0,
0x40, 0x74, 0x24, 0x8b, 0x85, 0xcc, 0xfe, 0xff, 0xff, 0x8b, 0x00, 0x89, 0x85, 0xc8, 0xfe, 0xff,
0xff, 0x83, 0xbd, 0xc8, 0xfe, 0xff, 0xff, 0x00, 0x75, 0x02, 0xeb, 0x0b, 0x8b, 0x85, 0xc8, 0xfe,
0xff, 0xff, 0xc6, 0x00, 0x90, 0xeb, 0xd7, 0x83, 0x7d, 0xbd, 0x00, 0x74, 0x0b, 0x8b, 0x45, 0xbd,
0x03, 0x45, 0x84, 0x8b, 0x4d, 0xb9, 0x89, 0x08, 0x83, 0x7d, 0xc1, 0x00, 0x0f, 0x84, 0x9a, 0x00,
0x00, 0x00, 0x8b, 0x45, 0xc1, 0x03, 0x45, 0x84, 0x89, 0x85, 0xc0, 0xfe, 0xff, 0xff, 0x83, 0xa5,
0xc4, 0xfe, 0xff, 0xff, 0x00, 0x33, 0xc0, 0x40, 0x74, 0x44, 0x8b, 0x85, 0xc0, 0xfe, 0xff, 0xff,
0x83, 0x38, 0x00, 0x75, 0x02, 0xeb, 0x37, 0x8b, 0x45, 0xc5, 0x03, 0x45, 0x84, 0x8b, 0x8d, 0xc4,
0xfe, 0xff, 0xff, 0x8b, 0x95, 0xc0, 0xfe, 0xff, 0xff, 0x8b, 0x12, 0x89, 0x14, 0x08, 0x8b, 0x85,
0xc0, 0xfe, 0xff, 0xff, 0x83, 0xc0, 0x04, 0x89, 0x85, 0xc0, 0xfe, 0xff, 0xff, 0x8b, 0x85, 0xc4,
0xfe, 0xff, 0xff, 0x83, 0xc0, 0x04, 0x89, 0x85, 0xc4, 0xfe, 0xff, 0xff, 0xeb, 0xb7, 0x8b, 0x45,
0xc5, 0x03, 0x45, 0x84, 0x89, 0x85, 0xc0, 0xfe, 0xff, 0xff, 0x33, 0xc0, 0x40, 0x74, 0x2d, 0x8b,
0x85, 0xc0, 0xfe, 0xff, 0xff, 0x83, 0x38, 0x00, 0x75, 0x02, 0xeb, 0x20, 0x6a, 0x00, 0x6a, 0x01,
0xff, 0x75, 0x84, 0x8b, 0x85, 0xc0, 0xfe, 0xff, 0xff, 0xff, 0x10, 0x8b, 0x85, 0xc0, 0xfe, 0xff,
0xff, 0x83, 0xc0, 0x04, 0x89, 0x85, 0xc0, 0xfe, 0xff, 0xff, 0xeb, 0xce, 0x8d, 0x45, 0xf4, 0x50 };
Which is my unpacker shellcode added to first section okay now i can simple xoring all this bytes by 0x01 this is not problem but i dont know how to i decrypt it inside top code unpack.cpp any ideas?[/code]
|