
shism2 05 Dec 2005, 23:34
; endcrypt name, key -- assembly-time transform of every byte between the
; labels name.begin and name.end (the region opened by `begincrypt name`).
; As pasted, the `{ ... }` delimiters of the macro body are missing; FASM
; needs a `}` after `end repeat` for this to assemble.
macro endcrypt name, key
; count = size in bytes of the region [name.begin, name.end)
count = (rva name#.end - rva name#.begin)
; FASM's repeat counter % runs 1..count-1 here, so the LAST byte of the
; region is left untouched (this is the "-1" discussed later in the thread)
repeat count - 1
; b = the %-th byte of the region (% is 1-based, hence the "- 1")
load b byte from %+ name#.begin - 1
; t = ((b xor key) - 2) mod 256: 510 = 2*255 = -2 mod 256, `and 0ffh` keeps
; the low byte. The run-time decoder must therefore add 2, then xor the key.
t = ((b xor key)+510) and 0ffh
store byte t at %+ name#.begin - 1

end repeat

See, I'm using this:

For example

; Run-time decoder for the layer5 region, followed by the region itself.
; edi = first byte of the region
mov edi, layer5.begin 
   ; ecx = region length - 1 (mirrors the macro's `repeat count - 1`)
   mov ecx, layer5.end - layer5.begin - 1
    ; al = ([edi] - 510) xor 11h = ([edi] + 2) xor 11h (mod 256),
    ; the inverse of endcrypt's ((b xor key) - 2) transform
    mov al, byte [edi]
    sub al,255
    sub al,255 
    xor al,11h
    ; NOTE(review): as pasted nothing stores al back to [edi], edi is never
    ; advanced, and `jne @b` needs an `@@:` label before `mov al` -- either
    ; lost in the paste or the actual defect this thread is about
    dec ecx
    jne @b 
; layer5.begin marker: from here to `endcrypt layer5` the bytes are
; rewritten at assembly time (the begincrypt macro body is not shown)
begincrypt layer5
proc start6
mov eax,1
invoke ExitProcess,0
; closes the region with key 11h; note the proc's `endp` is not in the paste
endcrypt layer5,11h < ---- key

The encryption runs past endp and also encrypts the nop. How can I prevent this?
shism2 06 Dec 2005, 01:33
Another thing I was trying to do is decrypt backwards and also increase the complexity of the inline encryption, by doing this:


Takes a shitload of clock cycles (enormously slower) but is more complex:

; Backwards decoder for the layer4 region: two passes of "subtract 255"
; (done as 255 single decrements) followed by an xor pass with key 12h.
; The lines between `dec1:` and `jnz dec1` carry ASCII-art annotations
; from the post; they are not assembler input.
; edi = layer4.end -- one PAST the last region byte (see the corrected
; listing later in the thread, which starts at layer4.end - 1)
mov edi, layer4.end 
; NOTE(review): codebegin is declared `db ?` (1 byte) in the data section
; but written here as a dword, so the store spills into what follows it
mov dword [codebegin],edi
; ecx = region length + 1, so one byte beyond the region is also touched
mov ecx, layer4.end  - layer4.begin + 1 
mov dword [codelength],ecx
; ebx = number of outer passes
mov ebx,2
    ; inner loop: decrement [edi] 255 times == `sub byte [edi],255`
    mov eax,255
    dec1:         --------
    dec byte [edi]      '   Takes 1530 clock cycles ( I think)
    dec eax              '
    jnz dec1--------- '
    ; previous byte; `@b` needs an `@@:` label that is not in the paste
    dec edi
    dec ecx
    jnz @b
    ; reload end pointer / length for the next pass
    mov edi,dword [codebegin]
    mov ecx,dword [codelength]
    dec ebx
    jnz @b
   ; xor pass, also walking backwards (`dec2:` label not in the paste)
   xor byte [edi],12h
   dec edi
   dec ecx
   jnz dec2    

Instead of :


An enormous amount fewer clock cycles (a shitload faster) but too easy:
 ; Forward decoder for the layer3 region (inverse of endcrypt's transform).
 mov edi, layer3.begin 
   ; ecx = region length - 1 (mirrors `repeat count - 1` in the macro)
   mov ecx, layer3.end - layer3.begin - 1
    ; al = ([edi] + 2) xor 12h (mod 256); sub 255 twice == add 2 in 8 bits
    mov al, byte [edi]
    sub al,255
    sub al,255 
    xor al,12h
    ; NOTE(review): no store back to [edi], no edi advance and no `@@:`
    ; label are visible in the paste
    dec ecx
    jne @b    
shism2 07 Dec 2005, 21:47
Anyone ???
vid 07 Dec 2005, 22:05
Paste the entire source.
shism2 08 Dec 2005, 22:52
; endcrypt name, key -- assembly-time transform of the bytes between
; name.begin and name.end. The `{`/`}` around the body are missing in the paste.
macro endcrypt name, key  
   ; count = region size in bytes
   count = (rva name#.end - rva name#.begin)    
   ; % runs 1..count-1: the last byte of the region is NOT transformed
   repeat count - 1      
     ; b = byte number % of the region (1-based)
     load b byte from %+ name#.begin - 1 
      ; t = ((b xor key) - 2) mod 256  (510 == -2 mod 256)
      t = ((b xor key)+510) and 0ffh
     store byte t at %+ name#.begin - 1

   end repeat  

; SysInvoke proc,[parameters] -- direct system-call stub: pushes the
; parameters, then enters the kernel with a raw `sysenter` instead of the
; ntdll export. As pasted the closing `}`, the blah1/blah2 labels and the
; `param_count` assignment are missing, so it cannot assemble as shown.
; NOTE(review): a hand-rolled sysenter is something defenders flag as a
; hook-evasion indicator; it also requires `proc` to resolve to a service
; number, and how ZWTerminateThread is defined is not in the paste.
macro SysInvoke proc,[parameters]  

{ common  
local blah1,blah2,param_count  
push eax                        ; keep eax across the call

pushd parameters                ; push every parameter of the group

jmp blah2                       ; jump over the stub (blah2 not in the paste)
mov eax, proc                   ; eax = system service number
mov edx, esp                    ; edx = pointer to the argument block
dw 340Fh ;sysenter 0F34h        ; raw opcode bytes 0F 34 = sysenter
call blah1                      ; pushed return address acts as the dummy EIP
add esp, (param_count * 4) + 4 ; + 1 dummy EIP   

; ---- read-only constants ----
section '.idata' data readable

  ; NOTE(review): names and contents disagree (szUser32 holds "kernel32.dll",
  ; szMessageBox holds "Beep"); none of the three is referenced in this paste
  szUser32                   db "kernel32.dll",0
  szMessageBox               db "Beep",0
  szOlly1      db "explorer.exe",0
  ; ---- mutable state ----
  section '.udata' readable writeable
  hLib          dd 0
  hProc         dd ?
  dwBytesWritten1 dd ?
  hInstance                  dd ?
  hModule                    dd ?
  dwBytesWritten             dd ?
handle1 dd 0
temp                    dd ?
errorc dd 0
; PROCESSENTRY32 comes from the include file (not in the paste)
PrE             PROCESSENTRY32
time dd 0
align 16
; run of zeroed dwords, 16-byte aligned
dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
 ; receives the id of the thread started by CreateThread
 thrid dd 0

tics        dq      0
; `iter` (number of timing samples) is not defined anywhere in the paste
resultlist  rq      iter            ; one 64-bit delta per sample
bcdresult   rb      12              ; fbstp target (10-byte packed BCD + slack)
message     rb      iter*32         ; wsprintf output buffer

shit db '%*s',0                     ; wsprintf format, unused in this paste
max         dq      1E15            ; upper bound each sample is compared to
level       dq      1E5             ; threshold used for the yes/no verdict
trYes       db      'Yes',0
trNo        db      'No',0,0
caption     db      'IsDebuggerPresent by RDTSC',0
align 4
tickfmt     db      '%.8X%.8X%.8X',13,10,0      ; three 8-digit hex fields per sample
align 4
; NOTE(review): the leading fragment is mojibake (wrong code page in the
; paste); left untouched because it is run-time data
presentfmt  db      'oooooooooooooooooo^ïîðîã',13,10,13,10,'IsDebuggerPresent:   %s',13,10,0

threadter dq 0

; written and read as a dword by start6 (8 bytes reserved, 4 used)
codelength dq ?

; NOTE(review): only 1 byte reserved, but start6 stores a dword here --
; the store overruns into the bytes that follow
codebegin db ?

; NOTE(review): the code section is writeable so start6 can patch its own
; bytes at run time. A W+X section is a classic self-modifying-code /
; packer indicator and is worth flagging in any review.
section '.text' code readable executable writeable 

; NOTE(review): the `start:` entry label is not in the paste.
; eax = current thread id; clobbered by the calls below, never used
invoke GetCurrentThreadId

; run start6 on a new thread: id -> [thrid], handle -> eax
invoke  CreateThread,0,0,start6,0,0,thrid
invoke CloseHandle, eax          ; drop the handle; the thread keeps running

;invoke  CreateThread,0,0,start5,0,0,thrid
;invoke CloseHandle,eax
; NOTE(review): no matching push is visible -- this pops whatever is on top
; of the stack and passes it to OpenThread as a thread id
pop eax
; OpenThread(dwDesiredAccess=3, bInheritHandle=0, dwThreadId=eax)
invoke OpenThread,3,0,eax
;invoke TerminateThread,eax,0
; terminate via the direct-syscall macro instead of the Win32 API
SysInvoke ZWTerminateThread,eax,0

; start6 -- worker thread: decodes two nested code regions in place, then
; runs an RDTSC-style timing check driven by deliberate access violations
; and SEH. As pasted several lines it relies on are missing (the `endp`,
; the `@@:`/`dec1:`/`dec2:`/`@@ge1`/`@@ge2`/`@@Set_SEH` labels, the
; handler's `ret`, and whatever fills edx:eax before the timing loop --
; the caption string says RDTSC); read it as incomplete rather than wrong.
proc start6
; NOTE(review): `align 16` inside the proc pads the body with nops; it
; only aligns the entry point if placed before `proc start6`
align 16

; ---- layer4 decoder: walks backwards from the end of the region ----
; edi = layer4.end -- one PAST the last region byte (the corrected listing
; later in the thread starts at layer4.end - 1)
mov edi, layer4.end 
; NOTE(review): codebegin is reserved as `db ?` (1 byte) but a dword is
; stored here -- overruns into the following bytes
mov dword [codebegin],edi
; ecx = region length + 1: together with edi above this touches one byte
; beyond the region (the "next nop" the thread is about)
mov ecx, layer4.end  - layer4.begin + 1 
mov dword [codelength],ecx
; ebx = outer pass counter
mov ebx,2
    ; inner loop (`dec1:` not in the paste): 255 decrements of [edi],
    ; i.e. `sub byte [edi],255`
    mov eax,255
    dec byte [edi]
    dec eax
    jnz dec1
    ; previous byte; `@b` needs an `@@:` label that is not in the paste
    dec edi
    dec ecx
    jnz @b
    ; reload the saved end pointer / length for the next pass
    mov edi,dword [codebegin]
    mov ecx,dword [codelength]
    dec ebx
    jnz @b
   ; xor pass with the layer4 key, backwards (`dec2:` not in the paste)
   xor byte [edi],12h
   dec edi
   dec ecx
   jnz dec2
; layer4.begin marker: everything down to `endcrypt layer4` is rewritten
; by the macro at assembly time
begincrypt layer4

   ; ---- layer3 decoder: forward walk, inverse of endcrypt's transform ----
   mov edi, layer3.begin 
   ; ecx = region length - 1 (mirrors the macro's `repeat count - 1`)
   mov ecx, layer3.end - layer3.begin - 1
    ; al = ([edi] + 2) xor 11h (mod 256); sub 255 twice == add 2 in 8 bits
    mov al, byte [edi]
    sub al,255
    sub al,255 
    xor al,11h
    ; NOTE(review): nothing stores al back to [edi] and edi is never
    ; advanced -- lost in the paste, or the real defect here
    dec ecx
    jne @b 
   begincrypt layer3
     ; `call` pushes the address of the handler body below (its "return
     ; address") and jumps over it to @@Set_SEH (label not in the paste),
     ; where that address becomes the frame's handler pointer
     call @@Set_SEH

    ; ---- SEH handler body: [esp+12] is the CONTEXT* argument ----
    mov eax,[esp+12]
    ; resume 2 bytes past the faulting `test [eax],eax`
    add dword [eax+CONTEXT_Eip],2   ;
    mov dword [eax],CONTEXT_FULL
    ; return 0 = ExceptionContinueExecution (the `ret` is not in the paste)
    xor eax,eax

    ; ---- main path: link a new frame into the fs:[0] handler chain ----
    push dword [fs:0]
    mov [fs:0],esp

    ; deliberate null dereference to exercise the handler (twice, warm-up)
    xor eax,eax
    mov dword [resultlist],eax 
    test [eax],eax 
    test [eax],eax 

    ; ebp = one past the end of resultlist, ecx = -(iter*8): negative index
    ; so the loop finishes exactly when ecx reaches 0
    mov ecx,iter*8   
    lea ebp,[resultlist+ecx]
    neg ecx
    sub esp,8  ;push local tics

align 16
      ;mov dword [tics],eax
      ;mov dword [tics+4],edx
    ; save the 64-bit start stamp held in edx:eax (the instruction that
    ; produces it -- presumably rdtsc -- is not in the paste)
    mov [esp],eax
    mov [esp+4],edx

    ; fault again, round-trip through the handler, re-read the stamp
    xor eax,eax
    test [eax],eax  ;exception

    ; resultlist[i] = now - start (64-bit subtract with borrow)
    sub eax,dword [esp]
    sbb edx,dword [esp+4]
    mov [ebp+ecx],eax
    mov [ebp+ecx+4],edx

    add ecx,8
    jnz @B

    add esp,8  ;pop local ticks
    ; unlink the frame, then drop the handler address pushed by the `call`
    pop dword [fs:0]
    add esp,4
;                                                 output of results
            ; ebx = samples left, esi = current sample, ebp = BCD scratch,
            ; edi = write cursor into message, st0 = max
            mov     ebx,iter
            mov     esi,resultlist
            mov     ebp,bcdresult   
            mov     edi,message
            fld     qword [max]     
align 16
@@:         fild    qword [esi]
            fld     st0
            ; bcdresult = sample as 80-bit packed BCD
            fbstp   [ebp]           
            ; C0 (status-word bit 8) set <=> sample < max
            fcom  st1
            fstsw ax
            test  ax,100h  
            jz @@ge1
            fstp    st0
            ; NOTE(review): tickfmt has three %X fields, but ebp+8/ebp+4/ebp
            ; are passed as values, not the dwords stored at those addresses
            invoke  wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp
            ; cdecl: caller removes the 5 arguments
            add     esp,5*4
            add     esi,8
            add     edi,eax                 ; advance by characters written
            dec     ebx
            jnz     @B

            ; verdict: compare level with st1 (max on the fall-through path;
            ; the @@ge1 path is not in the paste); C0 set <=> level < st1
            mov     ebx,trNo
            fld     qword [level]
            fcomp st1
            fstsw ax
            fstp  st0
            test  ax,100h  
            jz @@ge2
            mov ebx,trYes

            invoke  wsprintf,edi,presentfmt,ebx
            add esp, 3*4

            invoke  MessageBox,0,message,caption,MB_ICONINFORMATION
            invoke ExitProcess,0
; close the regions, inner first; each is transformed with its own key
endcrypt layer3,11h
endcrypt layer4,12h

revolution 09 Dec 2005, 01:53
Why do you do this?
    ; 255 single decrements of [edi] -- 255 iterations for one byte
    mov eax,255 
    dec byte [edi] 
    dec eax 
    jnz dec1    

You can replace it with this:
    ; same result in one instruction: [edi] -= 255 (mod 256)
    sub byte [edi],255     
LocoDelAssembly 09 Dec 2005, 02:03
Do you mean this code encrypts the NOPs? I tested it and the NOPs are untouched.

Here is the code I tested (I commented out some lines and added "begincrypt" to get rid of all the error messages):
; 32-bit PE, GUI subsystem
format PE GUI 4.0

include "win32axp.inc"
; NOTE(review): the `start:` label this refers to is not in the paste
entry start
; begincrypt name -- opens a region; its body (which should define
; name.begin) was lost in the paste
macro begincrypt name

; endcrypt name, key -- assembly-time transform of the bytes between
; name.begin and name.end. The `{`/`}` around the body are missing in the paste.
macro endcrypt name, key
   ; count = region size in bytes
   count = (rva name#.end - rva name#.begin)     
   ; % runs 1..count-1: the last byte of the region is NOT transformed
   repeat count - 1       
     ; b = byte number % of the region (1-based)
     load b byte from %+ name#.begin - 1  
      ; t = ((b xor key) - 2) mod 256  (510 == -2 mod 256)
      t = ((b xor key)+510) and 0ffh 
     store byte t at %+ name#.begin - 1 

   end repeat   

; SysInvoke proc,[parameters] -- direct system-call stub via a raw
; `sysenter` rather than the ntdll export. As pasted the closing `}`, the
; blah1/blah2 labels and the `param_count` assignment are missing.
; NOTE(review): defenders treat a hand-rolled sysenter as a hook-evasion
; indicator; `proc` must resolve to a service number (not shown).
macro SysInvoke proc,[parameters]   

{ common   
local blah1,blah2,param_count   
push eax                        ; keep eax across the call

pushd parameters                ; push every parameter of the group

jmp blah2                       ; jump over the stub (blah2 not in the paste)
mov eax, proc                   ; eax = system service number
mov edx, esp                    ; edx = pointer to the argument block
dw 340Fh ;sysenter 0F34h        ; raw opcode bytes 0F 34 = sysenter
call blah1                      ; pushed return address acts as the dummy EIP
add esp, (param_count * 4) + 4 ; + 1 dummy EIP    

; ---- read-only constants ----
section '.idata' data readable 

  ; NOTE(review): names and contents disagree (szUser32 holds "kernel32.dll");
  ; none of the three strings is referenced in this paste
  szUser32                   db "kernel32.dll",0 
  szMessageBox               db "Beep",0 
  szOlly1      db "explorer.exe",0 
  ; ---- mutable state ----
  section '.udata' readable writeable 
  hLib          dd 0 
  hProc         dd ? 
  dwBytesWritten1 dd ? 
  hInstance                  dd ? 
  hModule                    dd ? 
  dwBytesWritten             dd ? 
handle1 dd 0 
temp                    dd ? 
errorc dd 0 
;PrE             PROCESSENTRY32
time dd 0 
align 16 
; run of zeroed dwords, 16-byte aligned
dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 
 thrid dd 0 

tics        dq      0 
; resultlist/message are commented out here, but start6 still references
; them (and `iter`), which is why this version needs the invokes disabled
;resultlist  rq      iter
bcdresult   rb      12              ; fbstp target (10-byte packed BCD + slack)
;message     rb      iter*32

shit db '%*s',0                     ; wsprintf format, unused in this paste
max         dq      1E15            ; upper bound each sample is compared to
level       dq      1E5             ; threshold used for the yes/no verdict
trYes       db      'Yes',0 
trNo        db      'No',0,0 
caption     db      'IsDebuggerPresent by RDTSC',0 
align 4 
tickfmt     db      '%.8X%.8X%.8X',13,10,0      ; three 8-digit hex fields
align 4 
; NOTE(review): leading fragment is mojibake from the paste; run-time data, left as-is
presentfmt  db      'oooooooooooooooooo^ïîðîã',13,10,13,10,'IsDebuggerPresent:   %s',13,10,0 

threadter dq 0 

; written and read as a dword by start6 (8 bytes reserved, 4 used)
codelength dq ? 

; NOTE(review): 1 byte reserved, but start6 stores a dword here -> overrun
codebegin db ? 

; NOTE(review): writeable code section so start6 can patch its own bytes;
; a W+X section is a classic self-modifying-code indicator
section '.text' code readable executable writeable  


;invoke GetCurrentThreadId

;invoke  CreateThread,0,0,start6,0,0,thrid
;invoke CloseHandle, eax

;invoke  CreateThread,0,0,start5,0,0,thrid 
;invoke CloseHandle,eax 
; NOTE(review): no matching push is visible; this pops whatever is on top
; of the stack at entry (the `start:` label itself is not in the paste)
pop eax
; run start6 directly on this thread instead of via CreateThread
call start6
;invoke OpenThread,3,0,eax
;invoke TerminateThread,eax,0 
;SysInvoke ZWTerminateThread,eax,0

; start6 -- decodes two nested code regions in place, then runs an
; RDTSC-style timing check driven by deliberate access violations and SEH.
; This copy has the result buffers and all invokes commented out, so it
; only exercises the decoders. Missing from the paste: `endp`, the
; `@@:`/`dec1:`/`dec2:`/`@@ge1`/`@@ge2`/`@@Set_SEH` labels, the handler's
; `ret`, and the instruction that fills edx:eax before the timing loop.
proc start6 
; NOTE(review): `align 16` inside the proc pads the body with nops
align 16 

; ---- layer4 decoder, backwards from one PAST the last region byte ----
mov edi, layer4.end  
; NOTE(review): codebegin is `db ?` (1 byte) but a dword is stored -> overrun
mov dword [codebegin],edi 
; ecx = region length + 1: one byte beyond the region is touched as well
mov ecx, layer4.end  - layer4.begin + 1  
mov dword [codelength],ecx 
mov ebx,2                        ; outer pass counter
    ; 255 decrements of [edi] == `sub byte [edi],255` (`dec1:` not in the paste)
    mov eax,255 
    dec byte [edi] 
    dec eax 
    jnz dec1 
    ; previous byte; `@b` needs an `@@:` label that is not in the paste
    dec edi 
    dec ecx 
    jnz @b 
    ; reload end pointer / length for the next pass
    mov edi,dword [codebegin] 
    mov ecx,dword [codelength] 
    dec ebx 
    jnz @b 
   ; xor pass with the layer4 key (`dec2:` not in the paste)
   xor byte [edi],12h 
   dec edi 
   dec ecx 
   jnz dec2 
; layer4.begin marker
begincrypt layer4 

   ; ---- layer3 decoder, forward; inverse of endcrypt's transform ----
   mov edi, layer3.begin  
   mov ecx, layer3.end - layer3.begin - 1 
    ; al = ([edi] + 2) xor 11h (mod 256)
    mov al, byte [edi] 
    sub al,255 
    sub al,255  
    xor al,11h 
    ; NOTE(review): no store back to [edi] and no edi advance visible
    dec ecx 
    jne @b  
   begincrypt layer3 
     ; pushes the handler address (the code below) and jumps to @@Set_SEH
     call @@Set_SEH 

    ; SEH handler body: [esp+12] is the CONTEXT* argument
    mov eax,[esp+12] 
;    add dword [eax+CONTEXT_Eip],2   ;
;    mov dword [eax],CONTEXT_FULL
    ; return 0 = ExceptionContinueExecution (no `ret` in the paste; with the
    ; Eip adjustment commented out the faulting instruction would re-run)
    xor eax,eax 

    ; link a new frame into the fs:[0] handler chain
    push dword [fs:0] 
    mov [fs:0],esp 

    ; deliberate null dereference to exercise the handler
    xor eax,eax 
;    mov dword [resultlist],eax
    test [eax],eax  
    test [eax],eax  

;    mov ecx,iter*8
;    lea ebp,[resultlist+ecx]
    ; NOTE(review): with the two lines above commented out, ecx and ebp
    ; are whatever the decoders left in them
    neg ecx 
    sub esp,8  ;push local tics 

align 16 
      ;mov dword [tics],eax 
      ;mov dword [tics+4],edx 
    ; save the start stamp in edx:eax (producer not in the paste)
    mov [esp],eax 
    mov [esp+4],edx 

    xor eax,eax 
    test [eax],eax  ;exception 

    ; 64-bit delta = now - start, stored at ebp+ecx
    sub eax,dword [esp] 
    sbb edx,dword [esp+4] 
    mov [ebp+ecx],eax 
    mov [ebp+ecx+4],edx 

    add ecx,8 
    jnz @B 

    add esp,8  ;pop local ticks 
    ; unlink the frame and drop the handler address
    pop dword [fs:0] 
    add esp,4 
;                                                 output of results 
;            mov     ebx,iter
;            mov     esi,resultlist
            mov     ebp,bcdresult    
;            mov     edi,message
            fld     qword [max]      
align 16 
@@:         fild    qword [esi] 
            fld     st0 
            fbstp   [ebp]                   ; sample as packed BCD
            ; C0 (status bit 8) set <=> sample < max
            fcom  st1 
            fstsw ax 
            test  ax,100h   
            jz @@ge1 
            fstp    st0 
;            invoke  wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp
            ; NOTE(review): stack cleanup kept although the call is commented out
            add     esp,5*4 
            add     esi,8 
            add     edi,eax 
            dec     ebx 
            jnz     @B 

            ; verdict: C0 set <=> level < st1
            mov     ebx,trNo 
            fld     qword [level] 
            fcomp st1 
            fstsw ax 
            fstp  st0 
            test  ax,100h   
            jz @@ge2 
            mov ebx,trYes 

;            invoke  wsprintf,edi,presentfmt,ebx
            add esp, 3*4 

;            invoke  MessageBox,0,message,caption,MB_ICONINFORMATION
;            invoke ExitProcess,0
; close the regions, inner first
endcrypt layer3,11h 
endcrypt layer4,12h 


[edit]The NOPs are located from address 00403111 to 00403115[/edit]

[edit2] Instead of:
An enormous amount fewer clock cycles (a shitload faster) but too easy:
 ; the original decoder step: two `sub al,255` == add 2 (mod 256), then xor
 mov edi, layer3.begin  
   mov ecx, layer3.end - layer3.begin - 1 
    mov al, byte [edi] 
    sub al,255 
    sub al,255  
    xor al,12h 
Why not:
; same effect with one subtraction: 254 == -2 (mod 256), so this adds 2
mov edi, layer3.begin  
   mov ecx, layer3.end - layer3.begin - 1 
    mov al, byte [edi] 
    sub al,254 ; 254 = -2 
;    sub al,255  
    xor al, 12h
shism2 09 Dec 2005, 07:03
If you take the nop out from under ExitProcess, it will encrypt the next nop.
LocoDelAssembly 09 Dec 2005, 12:50
Well, now I tried your first code and the NOP is still there. Check the attachment; if I'm still using the wrong code, please post compilable code which has only the defective part, if you don't want to publish the entire code.


[edit]Weird, the attachment wasn't accessible :S, so I removed it. When I uploaded that attachment I had a problem: this post was posted twice in a row, and then I deleted the duplicate post; maybe that was the problem[/edit]

shism2 09 Dec 2005, 18:55
The attachment doesn't exist?
shism2 09 Dec 2005, 18:58
; 32-bit PE, GUI subsystem
format PE GUI 4.0 

include "win32axp.inc" 
; NOTE(review): the `start:` label this refers to is not in the paste
entry start 
; begincrypt name -- opens a region; its body (defining name.begin) was
; lost in the paste
macro begincrypt name 

; endcrypt name, key -- assembly-time transform of the bytes between
; name.begin and name.end. The `{`/`}` around the body are missing in the paste.
macro endcrypt name, key 
   ; count = region size in bytes
   count = (rva name#.end - rva name#.begin)      
   ; % runs 1..count-1: the last byte of the region is NOT transformed
   repeat count - 1        
     ; b = byte number % of the region (1-based)
     load b byte from %+ name#.begin - 1   
      ; t = ((b xor key) - 2) mod 256  (510 == -2 mod 256)
      t = ((b xor key)+510) and 0ffh  
     store byte t at %+ name#.begin - 1  

   end repeat    

; SysInvoke proc,[parameters] -- direct system-call stub via a raw
; `sysenter` rather than the ntdll export. As pasted the closing `}`, the
; blah1/blah2 labels and the `param_count` assignment are missing.
; NOTE(review): defenders treat a hand-rolled sysenter as a hook-evasion
; indicator; `proc` must resolve to a service number (not shown).
macro SysInvoke proc,[parameters]    

{ common    
local blah1,blah2,param_count    
push eax                        ; keep eax across the call

pushd parameters                ; push every parameter of the group

jmp blah2                       ; jump over the stub (blah2 not in the paste)
mov eax, proc                   ; eax = system service number
mov edx, esp                    ; edx = pointer to the argument block
dw 340Fh ;sysenter 0F34h        ; raw opcode bytes 0F 34 = sysenter
call blah1                      ; pushed return address acts as the dummy EIP
add esp, (param_count * 4) + 4 ; + 1 dummy EIP     

; ---- read-only constants ----
section '.idata' data readable  

  ; NOTE(review): names and contents disagree (szUser32 holds "kernel32.dll");
  ; none of the three strings is referenced in this paste
  szUser32                   db "kernel32.dll",0  
  szMessageBox               db "Beep",0  
  szOlly1      db "explorer.exe",0  
  ; ---- mutable state ----
  section '.udata' readable writeable  
  hLib          dd 0  
  hProc         dd ?  
  dwBytesWritten1 dd ?  
  hInstance                  dd ?  
  hModule                    dd ?  
  dwBytesWritten             dd ?  
handle1 dd 0  
temp                    dd ?  
errorc dd 0  
;PrE             PROCESSENTRY32 
time dd 0  
align 16  
; run of zeroed dwords, 16-byte aligned
dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  
 thrid dd 0  

tics        dq      0  
; resultlist/message are commented out but still referenced by start6 (and
; `iter` is never defined), hence the disabled invokes in this version
;resultlist  rq      iter 
bcdresult   rb      12              ; fbstp target (10-byte packed BCD + slack)
;message     rb      iter*32 

shit db '%*s',0                     ; wsprintf format, unused in this paste
max         dq      1E15            ; upper bound each sample is compared to
level       dq      1E5             ; threshold used for the yes/no verdict
trYes       db      'Yes',0  
trNo        db      'No',0,0  
caption     db      'IsDebuggerPresent by RDTSC',0  
align 4  
tickfmt     db      '%.8X%.8X%.8X',13,10,0      ; three 8-digit hex fields
align 4  
; NOTE(review): leading fragment is mojibake from the paste; run-time data, left as-is
presentfmt  db      'oooooooooooooooooo^ïîðîã',13,10,13,10,'IsDebuggerPresent:   %s',13,10,0  

threadter dq 0  

; written and read as a dword by start6 (8 bytes reserved, 4 used)
codelength dq ?  

; NOTE(review): 1 byte reserved, but start6 stores a dword here -> overrun
codebegin db ?  

; NOTE(review): writeable code section so start6 can patch its own bytes;
; a W+X section is a classic self-modifying-code indicator
section '.text' code readable executable writeable   


;invoke GetCurrentThreadId 

;invoke  CreateThread,0,0,start6,0,0,thrid 
;invoke CloseHandle, eax 

;invoke  CreateThread,0,0,start5,0,0,thrid  
;invoke CloseHandle,eax  
; NOTE(review): no matching push visible; pops whatever is on top of the
; stack at entry (the `start:` label itself is not in the paste)
pop eax 
; run start6 directly on this thread
call start6 
;invoke OpenThread,3,0,eax 
;invoke TerminateThread,eax,0  
;SysInvoke ZWTerminateThread,eax,0 

; start6 -- decodes two nested code regions in place, then runs an
; RDTSC-style timing check driven by deliberate access violations and SEH.
; This copy has the result buffers and all invokes commented out. Missing
; from the paste: `endp`, the `@@:`/`dec1:`/`dec2:`/`@@ge1`/`@@ge2`/
; `@@Set_SEH` labels, the handler's `ret`, and the instruction that fills
; edx:eax before the timing loop.
proc start6  
; NOTE(review): `align 16` inside the proc pads the body with nops
align 16  

; ---- layer4 decoder, backwards from one PAST the last region byte ----
mov edi, layer4.end   
; NOTE(review): codebegin is `db ?` (1 byte) but a dword is stored -> overrun
mov dword [codebegin],edi  
; ecx = region length + 1: one byte beyond the region is touched as well
mov ecx, layer4.end  - layer4.begin + 1   
mov dword [codelength],ecx  
mov ebx,2                        ; outer pass counter
    ; 255 decrements of [edi] == `sub byte [edi],255` (`dec1:` not in the paste)
    mov eax,255  
    dec byte [edi]  
    dec eax  
    jnz dec1  
    ; previous byte; `@b` needs an `@@:` label that is not in the paste
    dec edi  
    dec ecx  
    jnz @b  
    ; reload end pointer / length for the next pass
    mov edi,dword [codebegin]  
    mov ecx,dword [codelength]  
    dec ebx  
    jnz @b  
   ; xor pass with the layer4 key (`dec2:` not in the paste)
   xor byte [edi],12h  
   dec edi  
   dec ecx  
   jnz dec2  
; layer4.begin marker
begincrypt layer4  

   ; ---- layer3 decoder, forward; inverse of endcrypt's transform ----
   mov edi, layer3.begin   
   mov ecx, layer3.end - layer3.begin - 1  
    ; al = ([edi] + 2) xor 11h (mod 256)
    mov al, byte [edi]  
    sub al,255  
    sub al,255   
    xor al,11h  
    ; NOTE(review): no store back to [edi] and no edi advance visible
    dec ecx  
    jne @b   
   begincrypt layer3  
     ; pushes the handler address (the code below) and jumps to @@Set_SEH
     call @@Set_SEH  

    ; SEH handler body: [esp+12] is the CONTEXT* argument
    mov eax,[esp+12]  
;    add dword [eax+CONTEXT_Eip],2   ; 
;    mov dword [eax],CONTEXT_FULL 
    ; return 0 = ExceptionContinueExecution (no `ret` in the paste; with the
    ; Eip adjustment commented out the faulting instruction would re-run)
    xor eax,eax  

    ; link a new frame into the fs:[0] handler chain
    push dword [fs:0]  
    mov [fs:0],esp  

    ; deliberate null dereference to exercise the handler
    xor eax,eax  
;    mov dword [resultlist],eax 
    test [eax],eax   
    test [eax],eax   

;    mov ecx,iter*8 
;    lea ebp,[resultlist+ecx] 
    ; NOTE(review): with the two lines above commented out, ecx and ebp
    ; are whatever the decoders left in them
    neg ecx  
    sub esp,8  ;push local tics  

align 16  
      ;mov dword [tics],eax  
      ;mov dword [tics+4],edx  
    ; save the start stamp in edx:eax (producer not in the paste)
    mov [esp],eax  
    mov [esp+4],edx  

    xor eax,eax  
    test [eax],eax  ;exception  

    ; 64-bit delta = now - start, stored at ebp+ecx
    sub eax,dword [esp]  
    sbb edx,dword [esp+4]  
    mov [ebp+ecx],eax  
    mov [ebp+ecx+4],edx  

    add ecx,8  
    jnz @B  

    add esp,8  ;pop local ticks  
    ; unlink the frame and drop the handler address
    pop dword [fs:0]  
    add esp,4  
;                                                 output of results  
;            mov     ebx,iter 
;            mov     esi,resultlist 
            mov     ebp,bcdresult     
;            mov     edi,message 
            fld     qword [max]       
align 16  
@@:         fild    qword [esi]  
            fld     st0  
            fbstp   [ebp]                   ; sample as packed BCD
            ; C0 (status bit 8) set <=> sample < max
            fcom  st1  
            fstsw ax  
            test  ax,100h    
            jz @@ge1  
            fstp    st0  
;            invoke  wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp 
            ; NOTE(review): stack cleanup kept although the call is commented out
            add     esp,5*4  
            add     esi,8  
            add     edi,eax  
            dec     ebx  
            jnz     @B  

            ; verdict: C0 set <=> level < st1
            mov     ebx,trNo  
            fld     qword [level]  
            fcomp st1  
            fstsw ax  
            fstp  st0  
            test  ax,100h    
            jz @@ge2  
            mov ebx,trYes  

;            invoke  wsprintf,edi,presentfmt,ebx 
            add esp, 3*4  

;            invoke  MessageBox,0,message,caption,MB_ICONINFORMATION 
;            invoke ExitProcess,0 
; close the regions, inner first
endcrypt layer3,11h  
endcrypt layer4,12h  

; trailing nop placed right after the last region, used to check whether
; the decoder overruns into it
nop   < -- tell me how many nops are left

LocoDelAssembly 09 Dec 2005, 21:06
I see 4 NOPs

Check the attachment.

[edit] I removed the attachment for space saving [/edit]

shism2 09 Dec 2005, 23:51
; 32-bit PE, GUI subsystem
format PE GUI 4.0 

include "win32axp.inc" 
; NOTE(review): the `start:` label this refers to is not in the paste
entry start 
; begincrypt name -- opens a region; its body (defining name.begin) was
; lost in the paste
macro begincrypt name 

; endcrypt name, key -- assembly-time transform of the bytes between
; name.begin and name.end. The `{`/`}` around the body are missing in the paste.
macro endcrypt name, key 
   ; count = region size in bytes
   count = (rva name#.end - rva name#.begin)      
   ; % runs 1..count-1: the last byte of the region is NOT transformed
   repeat count - 1        
     ; b = byte number % of the region (1-based)
     load b byte from %+ name#.begin - 1   
      ; t = ((b xor key) - 2) mod 256  (510 == -2 mod 256)
      t = ((b xor key)+510) and 0ffh  
     store byte t at %+ name#.begin - 1  

   end repeat    

; SysInvoke proc,[parameters] -- direct system-call stub via a raw
; `sysenter` rather than the ntdll export. As pasted the closing `}`, the
; blah1/blah2 labels and the `param_count` assignment are missing.
; NOTE(review): defenders treat a hand-rolled sysenter as a hook-evasion
; indicator; `proc` must resolve to a service number (not shown).
macro SysInvoke proc,[parameters]    

{ common    
local blah1,blah2,param_count    
push eax                        ; keep eax across the call

pushd parameters                ; push every parameter of the group

jmp blah2                       ; jump over the stub (blah2 not in the paste)
mov eax, proc                   ; eax = system service number
mov edx, esp                    ; edx = pointer to the argument block
dw 340Fh ;sysenter 0F34h        ; raw opcode bytes 0F 34 = sysenter
call blah1                      ; pushed return address acts as the dummy EIP
add esp, (param_count * 4) + 4 ; + 1 dummy EIP     

; ---- read-only constants ----
section '.idata' data readable  

  ; NOTE(review): names and contents disagree (szUser32 holds "kernel32.dll");
  ; none of the three strings is referenced in this paste
  szUser32                   db "kernel32.dll",0  
  szMessageBox               db "Beep",0  
  szOlly1      db "explorer.exe",0  
  ; ---- mutable state ----
  section '.udata' readable writeable  
  hLib          dd 0  
  hProc         dd ?  
  dwBytesWritten1 dd ?  
  hInstance                  dd ?  
  hModule                    dd ?  
  dwBytesWritten             dd ?  
handle1 dd 0  
temp                    dd ?  
errorc dd 0  
;PrE             PROCESSENTRY32 
time dd 0  
align 16  
; run of zeroed dwords, 16-byte aligned
dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  
 thrid dd 0  

tics        dq      0  
; NOTE(review): resultlist/message are commented out here, yet start6
; still passes `message` to wsprintf/MessageBox below, and `iter` is
; never defined in the paste
;resultlist  rq      iter 
bcdresult   rb      12              ; fbstp target (10-byte packed BCD + slack)
;message     rb      iter*32 

shit db '%*s',0                     ; wsprintf format, unused in this paste
max         dq      1E15            ; upper bound each sample is compared to
level       dq      1E5             ; threshold used for the yes/no verdict
trYes       db      'Yes',0  
trNo        db      'No',0,0  
caption     db      'IsDebuggerPresent by RDTSC',0  
align 4  
tickfmt     db      '%.8X%.8X%.8X',13,10,0      ; three 8-digit hex fields
align 4  
; NOTE(review): leading fragment is mojibake from the paste; run-time data, left as-is
presentfmt  db      'oooooooooooooooooo^ïîðîã',13,10,13,10,'IsDebuggerPresent:   %s',13,10,0  

threadter dq 0  

; written and read as a dword by start6 (8 bytes reserved, 4 used)
codelength dq ?  

; NOTE(review): 1 byte reserved, but start6 stores a dword here -> overrun
codebegin db ?  

; NOTE(review): writeable code section so start6 can patch its own bytes;
; a W+X section is a classic self-modifying-code indicator
section '.text' code readable executable writeable   


;invoke GetCurrentThreadId 

;invoke  CreateThread,0,0,start6,0,0,thrid 
;invoke CloseHandle, eax 

;invoke  CreateThread,0,0,start5,0,0,thrid  
;invoke CloseHandle,eax  
; NOTE(review): no matching push visible; pops whatever is on top of the
; stack at entry (the `start:` label itself is not in the paste)
pop eax 
; run start6 directly on this thread
call start6 
;invoke OpenThread,3,0,eax 
;invoke TerminateThread,eax,0  
;SysInvoke ZWTerminateThread,eax,0 

; start6 -- decodes two nested code regions in place, then runs an
; RDTSC-style timing check driven by deliberate access violations and SEH,
; and reports via MessageBox. Missing from the paste: `endp`, the
; `@@:`/`dec1:`/`dec2:`/`@@ge1`/`@@ge2`/`@@Set_SEH` labels, the handler's
; `ret`, and the instruction that fills edx:eax before the timing loop.
proc start6  
; NOTE(review): `align 16` inside the proc pads the body with nops
align 16  

; ---- layer4 decoder, backwards from one PAST the last region byte ----
mov edi, layer4.end   
; NOTE(review): codebegin is `db ?` (1 byte) but a dword is stored -> overrun
mov dword [codebegin],edi  
; ecx = region length + 1: one byte beyond the region is touched as well
; (this is why the nop after `endcrypt layer4` gets modified)
mov ecx, layer4.end  - layer4.begin + 1   
mov dword [codelength],ecx  
mov ebx,2                        ; outer pass counter
    ; 255 decrements of [edi] == `sub byte [edi],255` (`dec1:` not in the paste)
    mov eax,255  
    dec byte [edi]  
    dec eax  
    jnz dec1  
    ; previous byte; `@b` needs an `@@:` label that is not in the paste
    dec edi  
    dec ecx  
    jnz @b  
    ; reload end pointer / length for the next pass
    mov edi,dword [codebegin]  
    mov ecx,dword [codelength]  
    dec ebx  
    jnz @b  
   ; xor pass with the layer4 key (`dec2:` not in the paste)
   xor byte [edi],12h  
   dec edi  
   dec ecx  
   jnz dec2  
; layer4.begin marker
begincrypt layer4  

   ; ---- layer3 decoder, forward; inverse of endcrypt's transform ----
   mov edi, layer3.begin   
   mov ecx, layer3.end - layer3.begin - 1  
    ; al = ([edi] + 2) xor 11h (mod 256)
    mov al, byte [edi]  
    sub al,255  
    sub al,255   
    xor al,11h  
    ; NOTE(review): no store back to [edi] and no edi advance visible
    dec ecx  
    jne @b   
   begincrypt layer3  
     ; pushes the handler address (the code below) and jumps to @@Set_SEH
     call @@Set_SEH  

    ; SEH handler body: [esp+12] is the CONTEXT* argument
    mov eax,[esp+12]  
;    add dword [eax+CONTEXT_Eip],2   ; 
;    mov dword [eax],CONTEXT_FULL 
    ; return 0 = ExceptionContinueExecution (no `ret` in the paste; with the
    ; Eip adjustment commented out the faulting instruction would re-run)
    xor eax,eax  

    ; link a new frame into the fs:[0] handler chain
    push dword [fs:0]  
    mov [fs:0],esp  

    ; deliberate null dereference to exercise the handler
    xor eax,eax  
;    mov dword [resultlist],eax 
    test [eax],eax   
    test [eax],eax   

;    mov ecx,iter*8 
;    lea ebp,[resultlist+ecx] 
    ; NOTE(review): with the two lines above commented out, ecx and ebp
    ; are whatever the decoders left in them
    neg ecx  
    sub esp,8  ;push local tics  

align 16  
      ;mov dword [tics],eax  
      ;mov dword [tics+4],edx  
    ; save the start stamp in edx:eax (producer not in the paste)
    mov [esp],eax  
    mov [esp+4],edx  

    xor eax,eax  
    test [eax],eax  ;exception  

    ; 64-bit delta = now - start, stored at ebp+ecx
    sub eax,dword [esp]  
    sbb edx,dword [esp+4]  
    mov [ebp+ecx],eax  
    mov [ebp+ecx+4],edx  

    add ecx,8  
    jnz @B  

    add esp,8  ;pop local ticks  
    ; unlink the frame and drop the handler address
    pop dword [fs:0]  
    add esp,4  
;                                                 output of results  
;            mov     ebx,iter 
;            mov     esi,resultlist 
            mov     ebp,bcdresult     
;            mov     edi,message 
            fld     qword [max]       
align 16  
@@:         fild    qword [esi]  
            fld     st0  
            fbstp   [ebp]                   ; sample as packed BCD
            ; C0 (status bit 8) set <=> sample < max
            fcom  st1  
            fstsw ax  
            test  ax,100h    
            jz @@ge1  
            fstp    st0  
;            invoke  wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp 
            ; NOTE(review): stack cleanup kept although the call is commented out
            add     esp,5*4  
            add     esi,8  
            add     edi,eax  
            dec     ebx  
            jnz     @B  

            ; verdict: C0 set <=> level < st1
            mov     ebx,trNo  
            fld     qword [level]  
            fcomp st1  
            fstsw ax  
            fstp  st0  
            test  ax,100h    
            jz @@ge2  
            mov ebx,trYes  

            ; NOTE(review): `message` is commented out in the data section
            ; of this listing, yet edi (from it) and `message` are used here
            invoke  wsprintf,edi,presentfmt,ebx 
            add esp, 3*4  

            invoke  MessageBox,0,message,caption,MB_ICONINFORMATION 
            invoke ExitProcess,0 
; close the regions, inner first
endcrypt layer3,11h  
endcrypt layer4,12h  

; trailing nop placed right after the last region, used to check whether
; the decoder overruns into it
nop   < -- tell me how many nops are left


Try this one. It crashes for me because ExitProcess gets encrypted incorrectly; it only works if there is a nop under it.
LocoDelAssembly 10 Dec 2005, 00:46
Aaahh, did you notice how you are using "repeat"? You are subtracting 1 from count, which leaves the last byte unencrypted.

This code will display "123":
; one dword between the labels, so block.end - block.start == 4
; (the block.start/block.end label lines are not in the paste)
dd 0

count = block.end - block.start
; % runs 1..3: prints '1','2','3' (48 = '0')
repeat count - 1
  display %+48
end repeat    
This one will display "1234"
; same layout, block.end - block.start == 4
dd 0

count = block.end - block.start

; % runs 1..4: prints '1','2','3','4'
repeat count
  display %+48
end repeat    

The counting starts from 1, not 0, and a "repeat 0" does nothing.

[edit]Well, you have another problem, I'm checking it now[/edit]

shism2 10 Dec 2005, 00:52
; begincrypt name -- opens a region (body defining name.begin lost in the paste)
macro begincrypt name

; endcrypt name, key -- assembly-time transform of the whole region; this
; version drops the "- 1" so every byte up to name.end is covered.
; The `{`/`}` around the body are missing in the paste.
macro endcrypt name, key
; count = region size in bytes
count = (rva name#.end - rva name#.begin)
; % runs 1..count: all bytes of the region are transformed
repeat count
load b byte from %+ name#.begin -1
; t = ((b xor key) - 2) mod 256  (510 == -2 mod 256)
t = ((b xor key)+510) and 0ffh
store byte t at %+ name#.begin -1

end repeat

Now if I take out the - 1 from repeat count, it still encrypts the next nop and crashes :9
LocoDelAssembly 10 Dec 2005, 01:14
I'm still seeing 4 NOPs; however, if I let the decrypting code execute, the first NOP is destroyed, so the problem is the decrypting code, not the encrypting macro. [edit]BUT don't add "-1" again; removing it is still needed[/edit]
shism2 10 Dec 2005, 01:58
If I take off the -1's it gives me errors.
LocoDelAssembly 10 Dec 2005, 02:55
I get crashes both ways; please check your decrypting code. I suggest writing it again, using the suggestions of the other guys.

Note that you put align 16 inside the proc start6; put it just before the line "proc start6", because you are not really aligning your procedure but filling the procedure with NOPs.

PS: I'm using Windows 98 SE, so my crashes could be due to something else...
Tomasz Grysztar 10 Dec 2005, 10:49
OK, time to come in. Wink
Here's the code after a few corrections to make it work. It displays the nops in the MessageBox, so you can count them Wink I also made it skip the SEH etc. code, since it was not working for me and you asked about a different problem. Also, you omitted the imports, so I used the standard WIN32AX ones.

Do you need me to point all the corrections? I guess you should be able to find them yourself.
; 32-bit PE, GUI subsystem
format PE GUI 4.0

include "win32axp.inc" 
; entry is supplied by the `.end start` macro at the bottom instead
;entry start
; begincrypt name -- opens a region; its body (defining name.begin) was
; lost in the paste
macro begincrypt name 

; endcrypt name, key -- assembly-time transform of every byte between
; name.begin and name.end (no "- 1": the last byte is covered too).
; The `{`/`}` around the body are missing in the paste.
macro endcrypt name, key 
   ; count = region size in bytes
   count = (rva name#.end - rva name#.begin)      
   ; % runs 1..count
   repeat count
     ; b = byte number % of the region (1-based)
     load b byte from %+ name#.begin - 1   
      ; t = ((b xor key) - 2) mod 256  (510 == -2 mod 256)
      t = ((b xor key)+510) and 0ffh

     store byte t at %+ name#.begin - 1  
   end repeat    

; SysInvoke proc,[parameters] -- direct system-call stub via a raw
; `sysenter` rather than the ntdll export. As pasted the closing `}`, the
; blah1/blah2 labels and the `param_count` assignment are missing; the
; macro is not used anywhere in this listing.
; NOTE(review): defenders treat a hand-rolled sysenter as a hook-evasion
; indicator.
macro SysInvoke proc,[parameters]    

{ common    
local blah1,blah2,param_count    
push eax                        ; keep eax across the call

pushd parameters                ; push every parameter of the group

jmp blah2                       ; jump over the stub (blah2 not in the paste)
mov eax, proc                   ; eax = system service number
mov edx, esp                    ; edx = pointer to the argument block
dw 340Fh ;sysenter 0F34h        ; raw opcode bytes 0F 34 = sysenter
call blah1                      ; pushed return address acts as the dummy EIP
add esp, (param_count * 4) + 4 ; + 1 dummy EIP     

; ---- read-only constants ----
section '.idata' data readable  

  ; NOTE(review): names and contents disagree (szUser32 holds "kernel32.dll");
  ; none of the three strings is referenced in this listing
  szUser32                   db "kernel32.dll",0  
  szMessageBox               db "Beep",0  
  szOlly1      db "explorer.exe",0  
  ; ---- mutable state ----
  section '.udata' readable writeable  
  hLib          dd 0  
  hProc         dd ?  
  dwBytesWritten1 dd ?  
  hInstance                  dd ?  
  hModule                    dd ?  
  dwBytesWritten             dd ?  
handle1 dd 0  
temp                    dd ?  
errorc dd 0  
;PrE             PROCESSENTRY32 
time dd 0  
align 16  
; run of zeroed dwords, 16-byte aligned
dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  
 thrid dd 0  

tics        dq      0  
; NOTE(review): `message` is commented out, yet MessageBox below is given
; `message` as its text; the lines that resolve this are not in the paste
;resultlist  rq      iter 
bcdresult   rb      12              ; fbstp target (10-byte packed BCD + slack)
;message     rb      iter*32

shit db '%*s',0                     ; wsprintf format, unused in this listing
max         dq      1E15            ; upper bound each sample is compared to
level       dq      1E5             ; threshold used for the yes/no verdict
trYes       db      'Yes',0  
trNo        db      'No',0,0  
caption     db      'IsDebuggerPresent by RDTSC',0  
align 4  
tickfmt     db      '%.8X%.8X%.8X',13,10,0      ; three 8-digit hex fields
align 4  
; NOTE(review): leading fragment is mojibake from the paste; run-time data, left as-is
presentfmt  db      'oooooooooooooooooo^i"î?îa~',13,10,13,10,'IsDebuggerPresent:   %s',13,10,0  

threadter dq 0  

; written and read as a dword below (8 bytes reserved, 4 used)
codelength dq ?  

; NOTE(review): 1 byte reserved, but a dword is stored here -> overrun
codebegin db ?  

; NOTE(review): writeable code section so the decoders can patch their own
; bytes; a W+X section is a classic self-modifying-code indicator
section '.text' code readable executable writeable   


;invoke GetCurrentThreadId 

;invoke  CreateThread,0,0,start6,0,0,thrid 
;invoke CloseHandle, eax 

;invoke  CreateThread,0,0,start5,0,0,thrid  
;invoke CloseHandle,eax  
; NOTE(review): no matching push visible; pops whatever is on top of the
; stack at entry (the `start:` label itself is not in the paste)
pop eax 
; NOTE(review): `proc start6` was removed in this version and no `start6:`
; label is visible in the paste
call start6 
;invoke OpenThread,3,0,eax 
;invoke TerminateThread,eax,0  
;SysInvoke ZWTerminateThread,eax,0 

; Corrected decoders (no longer wrapped in `proc`): the layer4 walk now
; starts at the LAST byte of the region and covers exactly its length,
; and the layer3 count matches the macro's full `repeat count`. The SEH
; timing code is skipped via `jmp Finish!`. Loop/branch labels
; (`@@:`, `dec1:`, `dec2:`, `@@ge1`, `@@ge2`, `@@Set_SEH`, `Finish!`)
; are not in the paste.
align 16  
; edi = last byte of the region (was layer4.end, one past it)
mov edi, layer4.end - 1
; NOTE(review): codebegin is still `db ?` (1 byte); a dword is stored here
mov dword [codebegin],edi  
; ecx = exact region length (was length + 1)
mov ecx, layer4.end  - layer4.begin
mov dword [codelength],ecx  
mov ebx,2                        ; outer pass counter
    ; 255 decrements of [edi] == `sub byte [edi],255`
    mov eax,255
    dec byte [edi]
    dec eax
    jnz dec1
    dec edi
    dec ecx
    jnz @b
    ; reload end pointer / length for the next pass
    mov edi,dword [codebegin]
    mov ecx,dword [codelength]
    dec ebx
    jnz @b
   ; xor pass with the layer4 key, backwards
   xor byte [edi],12h  
   dec edi
   dec ecx
   jnz dec2  
; layer4.begin marker
begincrypt layer4  

   ; ---- layer3 decoder, forward; ecx = exact region length ----
   mov edi, layer3.begin
   mov ecx, layer3.end - layer3.begin
    ; al = ([edi] + 2) xor 11h (mod 256)
    mov al, byte [edi]  
    sub al,255
    sub al,255
    xor al,11h  
    ; NOTE(review): no store back to [edi] and no edi advance visible in
    ; the paste (the author reports this version working, so lines were
    ; presumably dropped by the forum)
    dec ecx  
    jne @b   
   begincrypt layer3  
     call @@Set_SEH  

    ; SEH handler body: [esp+12] is the CONTEXT* argument
    mov eax,[esp+12]  
;    add dword [eax+CONTEXT_Eip],2   ; 
;    mov dword [eax],CONTEXT_FULL 
    xor eax,eax

; skip the whole SEH/timing block (its `Finish!` label is not in the paste)
jmp Finish!
    push dword [fs:0]  
    mov [fs:0],esp  

    xor eax,eax  
;    mov dword [resultlist],eax 
    test [eax],eax   
    test [eax],eax   

;    mov ecx,iter*8 
;    lea ebp,[resultlist+ecx] 
    neg ecx  
    sub esp,8  ;push local tics  

align 16  
      ;mov dword [tics],eax  
      ;mov dword [tics+4],edx  
    mov [esp],eax  
    mov [esp+4],edx  

    xor eax,eax  
    test [eax],eax  ;exception  

    ; 64-bit delta = now - start
    sub eax,dword [esp]  
    sbb edx,dword [esp+4]  
    mov [ebp+ecx],eax  
    mov [ebp+ecx+4],edx  

    add ecx,8  
    jnz @B  

    add esp,8  ;pop local ticks  
    pop dword [fs:0]  
    add esp,4

;                                                 output of results
;            mov     ebx,iter 
;            mov     esi,resultlist 
            mov     ebp,bcdresult     
;            mov     edi,message 
            fld     qword [max]       
align 16  
@@:         fild    qword [esi]  
            fld     st0  
            fbstp   [ebp]                   ; sample as packed BCD
            ; C0 (status bit 8) set <=> sample < max
            fcom  st1  
            fstsw ax  
            test  ax,100h    
            jz @@ge1  
            fstp    st0  
;            invoke  wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp 
            add     esp,5*4  
            add     esi,8  
            add     edi,eax  
            dec     ebx  
            jnz     @B  

            ; verdict: C0 set <=> level < st1
            mov     ebx,trNo  
            fld     qword [level]  
            fcomp st1  
            fstsw ax  
            fstp  st0  
            test  ax,100h    
            jz @@ge2  
            mov ebx,trYes  

         ;   invoke  wsprintf,edi,presentfmt,ebx
         ;   add esp, 3*4
            ; shows the (decoded) message buffer so the trailing nops can be counted
            invoke  MessageBox,0,message,caption,MB_ICONINFORMATION
            invoke ExitProcess,0 
; close the regions, inner first
endcrypt layer3,11h  
endcrypt layer4,12h  

nop  ; < -- tell me how many nops are left

; win32ax macro: emits the import section and sets the entry point
.end start    
shism2 10 Dec 2005, 18:06
Thank you Tomasz, now it works perfectly. The problem was with the decryption lol.

I also have another question concerning this:

; Result-formatting loop: ebx = samples left, esi = current sample,
; ebp = BCD scratch buffer, edi = write cursor into message, st0 = max.
mov     ebx,iter
            mov     esi,resultlist
            mov     ebp,bcdresult   
            mov     edi,message
            fld     qword [max]     
align 16
@@:         fild    qword [esi]
            fld     st0
            ; bcdresult = sample as 80-bit packed BCD
            fbstp   [ebp]           
            ; C0 (status bit 8) set <=> sample < max
            fcom  st1
            fstsw ax
            test  ax,100h  
            jz @@ge1
            fstp    st0
            ; this variant tries to pass the three dwords stored at
            ; bcdresult (by value) to match tickfmt's three %X fields
            invoke  wsprintf,edi,tickfmt,[ebp+8],[ebp+4],[ebp] <--- Gives error
            ; cdecl: caller removes the 5 arguments
            add     esp,5*4
            add     esi,8
            add     edi,eax                 ; advance by characters written
            dec     ebx
            jnz     @B    

