flat assembler
Message board for the users of flat assembler.

Index > Macroinstructions > Xor Crypting Macro Troubles

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 05 Dec 2005, 23:34
macro endcrypt name, key
{
name#.end:
count = (rva name#.end - rva name#.begin)
repeat count - 1
load b byte from %+ name#.begin - 1
t = ((b xor key)+510) and 0ffh
store byte t at %+ name#.begin - 1

end repeat
}

See Im using this

For example

Code:
mov edi, layer5.begin 
   mov ecx, layer5.end - layer5.begin - 1
    @@: 
    mov al, byte [edi]
    sub al,255
    sub al,255 
    xor al,11h
    stosb 
    dec ecx
    jne @b 
begincrypt layer5
proc start6
mov eax,1
invoke ExitProcess,0
endp
endcrypt layer5,11h < ---- key
nop    

The encryption passes endp and also encrypts the nop..How can I prevent this
Post 05 Dec 2005, 23:34
View user's profile Send private message Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 06 Dec 2005, 01:33
Another thing I was trying to do is decrypt backwards and also increase inlining encryption complexity.. By doing this




Code:


Takes a shitload of clock cycles ( enormously slower) but is more complex.....

mov edi, layer4.end 
mov dword [codebegin],edi
mov ecx, layer4.end  - layer4.begin + 1 
mov dword [codelength],ecx
mov ebx,2
@@: 
    
    mov eax,255
    dec1:         --------
    dec byte [edi]      '   Takes 1530 clock cycles ( I think)
    dec eax              '
    jnz dec1--------- '
    dec edi
    dec ecx
    jnz @b
    mov edi,dword [codebegin]
    mov ecx,dword [codelength]
    dec ebx
    jnz @b
    
   
    
    dec2:
   xor byte [edi],12h
   dec edi
   dec ecx
   jnz dec2    




Instead of :

Code:


A enormous amount less of clock cycles ( a shitload faster) but to easy..
 mov edi, layer3.begin 
   mov ecx, layer3.end - layer3.begin - 1
    @@: 
    mov al, byte [edi]
    sub al,255
    sub al,255 
    xor al,12h
    stosb 
    dec ecx
    jne @b    
Post 06 Dec 2005, 01:33
View user's profile Send private message Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 07 Dec 2005, 21:47
Anyone ???
Post 07 Dec 2005, 21:47
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 07 Dec 2005, 22:05
paste entire source
Post 07 Dec 2005, 22:05
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 08 Dec 2005, 22:52
Code:
macro endcrypt name, key  
{  
   name#.end:   
   count = (rva name#.end - rva name#.begin)    
   repeat count - 1      
     load b byte from %+ name#.begin - 1 
      t = ((b xor key)+510) and 0ffh
     store byte t at %+ name#.begin - 1

   end repeat  
}


macro SysInvoke proc,[parameters]  

{ common  
local blah1,blah2,param_count  
push eax   

param_count=0  
reverse   
pushd parameters   
param_count=param_count+1  
common  

jmp blah2   
blah1:   
mov eax, proc   
mov edx, esp   
dw 340Fh ;sysenter 0F34h   
blah2:   
call blah1   
add esp, (param_count * 4) + 4 ; + 1 dummy EIP   
}


section '.idata' data readable

  szUser32                   db "kernel32.dll",0
  szMessageBox               db "Beep",0
  szOlly1      db "explorer.exe",0
  
  
  section '.udata' readable writeable
  hLib          dd 0
  hProc         dd ?
  dwBytesWritten1 dd ?
  hInstance                  dd ?
  hModule                    dd ?
  dwBytesWritten             dd ?
handle1 dd 0
temp                    dd ?
errorc dd 0
PrE             PROCESSENTRY32
time dd 0
align 16
dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
 thrid dd 0

  
tics        dq      0
resultlist  rq      iter
bcdresult   rb      12
message     rb      iter*32

shit db '%*s',0
max         dq      1E15
level       dq      1E5  
trYes       db      'Yes',0
trNo        db      'No',0,0
caption     db      'IsDebuggerPresent by RDTSC',0
align 4
tickfmt     db      '%.8X%.8X%.8X',13,10,0
align 4
presentfmt  db      'oooooooooooooooooo^ïîðîã',13,10,13,10,'IsDebuggerPresent:   %s',13,10,0

threadter dq 0

codelength dq ?

codebegin db ?

section '.text' code readable executable writeable 

start:


invoke GetCurrentThreadId

invoke  CreateThread,0,0,start6,0,0,thrid
invoke CloseHandle, eax



;invoke  CreateThread,0,0,start5,0,0,thrid
;invoke CloseHandle,eax
pop eax
invoke OpenThread,3,0,eax
;invoke TerminateThread,eax,0
SysInvoke ZWTerminateThread,eax,0




proc start6
align 16

decs:
mov edi, layer4.end 
mov dword [codebegin],edi
mov ecx, layer4.end  - layer4.begin + 1 
mov dword [codelength],ecx
mov ebx,2
@@: 
    
    mov eax,255
    dec1:
    dec byte [edi]
    dec eax
    jnz dec1
    dec edi
    dec ecx
    jnz @b
    mov edi,dword [codebegin]
    mov ecx,dword [codelength]
    dec ebx
    jnz @b
    
   
    
    dec2:
   xor byte [edi],12h
   dec edi
   dec ecx
   jnz dec2
   
   
begincrypt layer4

   mov edi, layer3.begin 
   mov ecx, layer3.end - layer3.begin - 1
    @@: 
    mov al, byte [edi]
    sub al,255
    sub al,255 
    xor al,11h
    stosb 
    dec ecx
    jne @b 
    
    
   begincrypt layer3
  
    start3:
     call @@Set_SEH

    
    mov eax,[esp+12]
    add dword [eax+CONTEXT_Eip],2   ;
    mov dword [eax],CONTEXT_FULL
    xor eax,eax
    ret

@@Set_SEH:
    
    push dword [fs:0]
    mov [fs:0],esp

    
    
    xor eax,eax
    mov dword [resultlist],eax 
   
    test [eax],eax 
    test [eax],eax 

 
    mov ecx,iter*8   
    lea ebp,[resultlist+ecx]
    neg ecx
    sub esp,8  ;push local tics

align 16
@@:
    rdtsc
      ;mov dword [tics],eax
      ;mov dword [tics+4],edx
    mov [esp],eax
    mov [esp+4],edx

    xor eax,eax
    test [eax],eax  ;exception

    rdtsc
      
    sub eax,dword [esp]
    sbb edx,dword [esp+4]
    mov [ebp+ecx],eax
    mov [ebp+ecx+4],edx

    add ecx,8
    jnz @B

    add esp,8  ;pop local ticks
   
    pop dword [fs:0]
    add esp,4
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
;                                                 âûâîä ðåçóëüòàòîâ
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
            finit
            mov     ebx,iter
            mov     esi,resultlist
            mov     ebp,bcdresult   
            mov     edi,message
            fld     qword [max]     
align 16
@@:         fild    qword [esi]
            fld     st0
            fbstp   [ebp]           
            
             
            fcom  st1
            fstsw ax
            test  ax,100h  
            jz @@ge1
            fxch
@@ge1:
            fstp    st0
          
            invoke  wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp
            add     esp,5*4
            add     esi,8
            add     edi,eax
            dec     ebx
            jnz     @B

            mov     ebx,trNo
            fld     qword [level]
              
            fcomp st1
            fstsw ax
            fstp  st0
            test  ax,100h  
            jz @@ge2
            mov ebx,trYes
@@ge2:

            invoke  wsprintf,edi,presentfmt,ebx
            add esp, 3*4

            invoke  MessageBox,0,message,caption,MB_ICONINFORMATION
            invoke ExitProcess,0
            nop
            
endcrypt layer3,11h
endcrypt layer4,12h

nop 
nop
nop
nop
endp    
Post 08 Dec 2005, 22:52
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 09 Dec 2005, 01:53
Why do you do this?
Code:
    mov eax,255 
    dec1: 
    dec byte [edi] 
    dec eax 
    jnz dec1    

You can replace with this
Code:
    sub byte [edi],255     
Post 09 Dec 2005, 01:53
View user's profile Send private message Visit poster's website Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 09 Dec 2005, 02:03
Do you mean this code encryps the NOPs? I tested it and the NOPs are untouched

Here is the code I tested (I commented some lines and added "begincrypt" to get out all the error messages):
Code:
format PE GUI 4.0

include "win32axp.inc"
entry start
macro begincrypt name
{
  name#.begin:
}

macro endcrypt name, key
{   
   name#.end:    
   count = (rva name#.end - rva name#.begin)     
   repeat count - 1       
     load b byte from %+ name#.begin - 1  
      t = ((b xor key)+510) and 0ffh 
     store byte t at %+ name#.begin - 1 

   end repeat   
} 


macro SysInvoke proc,[parameters]   

{ common   
local blah1,blah2,param_count   
push eax    

param_count=0   
reverse    
pushd parameters    
param_count=param_count+1   
common   

jmp blah2    
blah1:    
mov eax, proc    
mov edx, esp    
dw 340Fh ;sysenter 0F34h    
blah2:    
call blah1    
add esp, (param_count * 4) + 4 ; + 1 dummy EIP    
} 


section '.idata' data readable 

  szUser32                   db "kernel32.dll",0 
  szMessageBox               db "Beep",0 
  szOlly1      db "explorer.exe",0 
   
   
  section '.udata' readable writeable 
  hLib          dd 0 
  hProc         dd ? 
  dwBytesWritten1 dd ? 
  hInstance                  dd ? 
  hModule                    dd ? 
  dwBytesWritten             dd ? 
handle1 dd 0 
temp                    dd ? 
errorc dd 0 
;PrE             PROCESSENTRY32
time dd 0 
align 16 
dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 
 thrid dd 0 

   
tics        dq      0 
;resultlist  rq      iter
bcdresult   rb      12 
;message     rb      iter*32

shit db '%*s',0 
max         dq      1E15 
level       dq      1E5   
trYes       db      'Yes',0 
trNo        db      'No',0,0 
caption     db      'IsDebuggerPresent by RDTSC',0 
align 4 
tickfmt     db      '%.8X%.8X%.8X',13,10,0 
align 4 
presentfmt  db      'oooooooooooooooooo^ïîðîã',13,10,13,10,'IsDebuggerPresent:   %s',13,10,0 

threadter dq 0 

codelength dq ? 

codebegin db ? 

section '.text' code readable executable writeable  

start: 


;invoke GetCurrentThreadId

;invoke  CreateThread,0,0,start6,0,0,thrid
;invoke CloseHandle, eax



;invoke  CreateThread,0,0,start5,0,0,thrid 
;invoke CloseHandle,eax 
pop eax
call start6
;invoke OpenThread,3,0,eax
;invoke TerminateThread,eax,0 
;SysInvoke ZWTerminateThread,eax,0




proc start6 
align 16 

decs: 
mov edi, layer4.end  
mov dword [codebegin],edi 
mov ecx, layer4.end  - layer4.begin + 1  
mov dword [codelength],ecx 
mov ebx,2 
@@:  
     
    mov eax,255 
    dec1: 
    dec byte [edi] 
    dec eax 
    jnz dec1 
    dec edi 
    dec ecx 
    jnz @b 
    mov edi,dword [codebegin] 
    mov ecx,dword [codelength] 
    dec ebx 
    jnz @b 
     
    
     
    dec2: 
   xor byte [edi],12h 
   dec edi 
   dec ecx 
   jnz dec2 
    
    
begincrypt layer4 

   mov edi, layer3.begin  
   mov ecx, layer3.end - layer3.begin - 1 
    @@:  
    mov al, byte [edi] 
    sub al,255 
    sub al,255  
    xor al,11h 
    stosb  
    dec ecx 
    jne @b  
     
     
   begincrypt layer3 
   
    start3: 
     call @@Set_SEH 

     
    mov eax,[esp+12] 
;    add dword [eax+CONTEXT_Eip],2   ;
;    mov dword [eax],CONTEXT_FULL
    xor eax,eax 
    ret 

@@Set_SEH: 
     
    push dword [fs:0] 
    mov [fs:0],esp 

     
     
    xor eax,eax 
;    mov dword [resultlist],eax
    
    test [eax],eax  
    test [eax],eax  

  
;    mov ecx,iter*8
;    lea ebp,[resultlist+ecx]
    neg ecx 
    sub esp,8  ;push local tics 

align 16 
@@: 
    rdtsc 
      ;mov dword [tics],eax 
      ;mov dword [tics+4],edx 
    mov [esp],eax 
    mov [esp+4],edx 

    xor eax,eax 
    test [eax],eax  ;exception 

    rdtsc 
       
    sub eax,dword [esp] 
    sbb edx,dword [esp+4] 
    mov [ebp+ecx],eax 
    mov [ebp+ecx+4],edx 

    add ecx,8 
    jnz @B 

    add esp,8  ;pop local ticks 
    
    pop dword [fs:0] 
    add esp,4 
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
;                                                 âûâîä ðåçóëüòàòîâ 
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
            finit 
;            mov     ebx,iter
;            mov     esi,resultlist
            mov     ebp,bcdresult    
;            mov     edi,message
            fld     qword [max]      
align 16 
@@:         fild    qword [esi] 
            fld     st0 
            fbstp   [ebp]            
             
              
            fcom  st1 
            fstsw ax 
            test  ax,100h   
            jz @@ge1 
            fxch 
@@ge1: 
            fstp    st0 
           
;            invoke  wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp
            add     esp,5*4 
            add     esi,8 
            add     edi,eax 
            dec     ebx 
            jnz     @B 

            mov     ebx,trNo 
            fld     qword [level] 
               
            fcomp st1 
            fstsw ax 
            fstp  st0 
            test  ax,100h   
            jz @@ge2 
            mov ebx,trYes 
@@ge2: 

;            invoke  wsprintf,edi,presentfmt,ebx
            add esp, 3*4 

;            invoke  MessageBox,0,message,caption,MB_ICONINFORMATION
;            invoke ExitProcess,0
            nop 
             
endcrypt layer3,11h 
endcrypt layer4,12h 

nop  
nop 
nop 
nop 
endp    


[edit]The NOPs are located from address 00403111 to 00403115[/edit]

[edit2] Instead of:
Code:
A enormous amount less of clock cycles ( a shitload faster) but to easy.. 
 mov edi, layer3.begin  
   mov ecx, layer3.end - layer3.begin - 1 
    @@:  
    mov al, byte [edi] 
    sub al,255 
    sub al,255  
    xor al,12h 
    
Why not
Code:
mov edi, layer3.begin  
   mov ecx, layer3.end - layer3.begin - 1 
    @@:  
    mov al, byte [edi] 
    sub al,254 ; 254 = -2 
;    sub al,255  
    xor al, 12h
    
?[/edit2]
Post 09 Dec 2005, 02:03
View user's profile Send private message Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 09 Dec 2005, 07:03
If you take the nop out under exitprocess... It will encrypt the next nop
Post 09 Dec 2005, 07:03
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 09 Dec 2005, 12:50
Well, now I tried your first code and the NOP still there. Check the attachment, if I'm still using the wrong code please post a compilable code which have only the defective part if you don't want to publish the entire code.

Regards

[edit]Wierd, the attachment wasn't accesible :S, now I removed it. Well when I uploaded that attachment I had a problem and this post was posted two consecutive times and then I deleted the duplicated post, maybe that was the problem[/edit]


Last edited by LocoDelAssembly on 09 Dec 2005, 21:10; edited 2 times in total
Post 09 Dec 2005, 12:50
View user's profile Send private message Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 09 Dec 2005, 18:55
attachment doesn't exist?
Post 09 Dec 2005, 18:55
View user's profile Send private message Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 09 Dec 2005, 18:58
Code:
format PE GUI 4.0 

include "win32axp.inc" 
entry start 
macro begincrypt name 
{ 
  name#.begin: 
} 

macro endcrypt name, key 
{    
   name#.end:     
   count = (rva name#.end - rva name#.begin)      
   repeat count - 1        
     load b byte from %+ name#.begin - 1   
      t = ((b xor key)+510) and 0ffh  
     store byte t at %+ name#.begin - 1  

   end repeat    
}  


macro SysInvoke proc,[parameters]    

{ common    
local blah1,blah2,param_count    
push eax     

param_count=0    
reverse     
pushd parameters     
param_count=param_count+1    
common    

jmp blah2     
blah1:     
mov eax, proc     
mov edx, esp     
dw 340Fh ;sysenter 0F34h     
blah2:     
call blah1     
add esp, (param_count * 4) + 4 ; + 1 dummy EIP     
}  


section '.idata' data readable  

  szUser32                   db "kernel32.dll",0  
  szMessageBox               db "Beep",0  
  szOlly1      db "explorer.exe",0  
    
    
  section '.udata' readable writeable  
  hLib          dd 0  
  hProc         dd ?  
  dwBytesWritten1 dd ?  
  hInstance                  dd ?  
  hModule                    dd ?  
  dwBytesWritten             dd ?  
handle1 dd 0  
temp                    dd ?  
errorc dd 0  
;PrE             PROCESSENTRY32 
time dd 0  
align 16  
dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  
 thrid dd 0  

    
tics        dq      0  
;resultlist  rq      iter 
bcdresult   rb      12  
;message     rb      iter*32 

shit db '%*s',0  
max         dq      1E15  
level       dq      1E5    
trYes       db      'Yes',0  
trNo        db      'No',0,0  
caption     db      'IsDebuggerPresent by RDTSC',0  
align 4  
tickfmt     db      '%.8X%.8X%.8X',13,10,0  
align 4  
presentfmt  db      'oooooooooooooooooo^ïîðîã',13,10,13,10,'IsDebuggerPresent:   %s',13,10,0  

threadter dq 0  

codelength dq ?  

codebegin db ?  

section '.text' code readable executable writeable   

start:  


;invoke GetCurrentThreadId 

;invoke  CreateThread,0,0,start6,0,0,thrid 
;invoke CloseHandle, eax 



;invoke  CreateThread,0,0,start5,0,0,thrid  
;invoke CloseHandle,eax  
pop eax 
call start6 
;invoke OpenThread,3,0,eax 
;invoke TerminateThread,eax,0  
;SysInvoke ZWTerminateThread,eax,0 




proc start6  
align 16  

decs:  
mov edi, layer4.end   
mov dword [codebegin],edi  
mov ecx, layer4.end  - layer4.begin + 1   
mov dword [codelength],ecx  
mov ebx,2  
@@:   
      
    mov eax,255  
    dec1:  
    dec byte [edi]  
    dec eax  
    jnz dec1  
    dec edi  
    dec ecx  
    jnz @b  
    mov edi,dword [codebegin]  
    mov ecx,dword [codelength]  
    dec ebx  
    jnz @b  
      
     
      
    dec2:  
   xor byte [edi],12h  
   dec edi  
   dec ecx  
   jnz dec2  
     
     
begincrypt layer4  

   mov edi, layer3.begin   
   mov ecx, layer3.end - layer3.begin - 1  
    @@:   
    mov al, byte [edi]  
    sub al,255  
    sub al,255   
    xor al,11h  
    stosb   
    dec ecx  
    jne @b   
      
      
   begincrypt layer3  
    
    start3:  
     call @@Set_SEH  

      
    mov eax,[esp+12]  
;    add dword [eax+CONTEXT_Eip],2   ; 
;    mov dword [eax],CONTEXT_FULL 
    xor eax,eax  
    ret  

@@Set_SEH:  
      
    push dword [fs:0]  
    mov [fs:0],esp  

      
      
    xor eax,eax  
;    mov dword [resultlist],eax 
     
    test [eax],eax   
    test [eax],eax   

   
;    mov ecx,iter*8 
;    lea ebp,[resultlist+ecx] 
    neg ecx  
    sub esp,8  ;push local tics  

align 16  
@@:  
    rdtsc  
      ;mov dword [tics],eax  
      ;mov dword [tics+4],edx  
    mov [esp],eax  
    mov [esp+4],edx  

    xor eax,eax  
    test [eax],eax  ;exception  

    rdtsc  
        
    sub eax,dword [esp]  
    sbb edx,dword [esp+4]  
    mov [ebp+ecx],eax  
    mov [ebp+ecx+4],edx  

    add ecx,8  
    jnz @B  

    add esp,8  ;pop local ticks  
     
    pop dword [fs:0]  
    add esp,4  
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
;                                                 âûâîä ðåçóëüòàòîâ  
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
            finit  
;            mov     ebx,iter 
;            mov     esi,resultlist 
            mov     ebp,bcdresult     
;            mov     edi,message 
            fld     qword [max]       
align 16  
@@:         fild    qword [esi]  
            fld     st0  
            fbstp   [ebp]             
              
               
            fcom  st1  
            fstsw ax  
            test  ax,100h    
            jz @@ge1  
            fxch  
@@ge1:  
            fstp    st0  
            
;            invoke  wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp 
            add     esp,5*4  
            add     esi,8  
            add     edi,eax  
            dec     ebx  
            jnz     @B  

            mov     ebx,trNo  
            fld     qword [level]  
                
            fcomp st1  
            fstsw ax  
            fstp  st0  
            test  ax,100h    
            jz @@ge2  
            mov ebx,trYes  
@@ge2:  

;            invoke  wsprintf,edi,presentfmt,ebx 
            add esp, 3*4  

;            invoke  MessageBox,0,message,caption,MB_ICONINFORMATION 
;            invoke ExitProcess,0 
             
              
endcrypt layer3,11h  
endcrypt layer4,12h  

nop   < -- tell me how many nops are left
nop  
nop  
nop  
endp
 

     
Post 09 Dec 2005, 18:58
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 09 Dec 2005, 21:06
I see 4 NOPs

Check attachment

[edit] I removed the attachment for space saving [/edit]


Last edited by LocoDelAssembly on 09 Apr 2006, 22:07; edited 1 time in total
Post 09 Dec 2005, 21:06
View user's profile Send private message Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 09 Dec 2005, 23:51
Code:
format PE GUI 4.0 

include "win32axp.inc" 
entry start 
macro begincrypt name 
{ 
  name#.begin: 
} 

macro endcrypt name, key 
{    
   name#.end:     
   count = (rva name#.end - rva name#.begin)      
   repeat count - 1        
     load b byte from %+ name#.begin - 1   
      t = ((b xor key)+510) and 0ffh  
     store byte t at %+ name#.begin - 1  

   end repeat    
}  


macro SysInvoke proc,[parameters]    

{ common    
local blah1,blah2,param_count    
push eax     

param_count=0    
reverse     
pushd parameters     
param_count=param_count+1    
common    

jmp blah2     
blah1:     
mov eax, proc     
mov edx, esp     
dw 340Fh ;sysenter 0F34h     
blah2:     
call blah1     
add esp, (param_count * 4) + 4 ; + 1 dummy EIP     
}  


section '.idata' data readable  

  szUser32                   db "kernel32.dll",0  
  szMessageBox               db "Beep",0  
  szOlly1      db "explorer.exe",0  
    
    
  section '.udata' readable writeable  
  hLib          dd 0  
  hProc         dd ?  
  dwBytesWritten1 dd ?  
  hInstance                  dd ?  
  hModule                    dd ?  
  dwBytesWritten             dd ?  
handle1 dd 0  
temp                    dd ?  
errorc dd 0  
;PrE             PROCESSENTRY32 
time dd 0  
align 16  
dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  
 thrid dd 0  

    
tics        dq      0  
;resultlist  rq      iter 
bcdresult   rb      12  
;message     rb      iter*32 

shit db '%*s',0  
max         dq      1E15  
level       dq      1E5    
trYes       db      'Yes',0  
trNo        db      'No',0,0  
caption     db      'IsDebuggerPresent by RDTSC',0  
align 4  
tickfmt     db      '%.8X%.8X%.8X',13,10,0  
align 4  
presentfmt  db      'oooooooooooooooooo^ïîðîã',13,10,13,10,'IsDebuggerPresent:   %s',13,10,0  

threadter dq 0  

codelength dq ?  

codebegin db ?  

section '.text' code readable executable writeable   

start:  


;invoke GetCurrentThreadId 

;invoke  CreateThread,0,0,start6,0,0,thrid 
;invoke CloseHandle, eax 



;invoke  CreateThread,0,0,start5,0,0,thrid  
;invoke CloseHandle,eax  
pop eax 
call start6 
;invoke OpenThread,3,0,eax 
;invoke TerminateThread,eax,0  
;SysInvoke ZWTerminateThread,eax,0 




proc start6  
align 16  

decs:  
mov edi, layer4.end   
mov dword [codebegin],edi  
mov ecx, layer4.end  - layer4.begin + 1   
mov dword [codelength],ecx  
mov ebx,2  
@@:   
      
    mov eax,255  
    dec1:  
    dec byte [edi]  
    dec eax  
    jnz dec1  
    dec edi  
    dec ecx  
    jnz @b  
    mov edi,dword [codebegin]  
    mov ecx,dword [codelength]  
    dec ebx  
    jnz @b  
      
     
      
    dec2:  
   xor byte [edi],12h  
   dec edi  
   dec ecx  
   jnz dec2  
     
     
begincrypt layer4  

   mov edi, layer3.begin   
   mov ecx, layer3.end - layer3.begin - 1  
    @@:   
    mov al, byte [edi]  
    sub al,255  
    sub al,255   
    xor al,11h  
    stosb   
    dec ecx  
    jne @b   
      
      
   begincrypt layer3  
    
    start3:  
     call @@Set_SEH  

      
    mov eax,[esp+12]  
;    add dword [eax+CONTEXT_Eip],2   ; 
;    mov dword [eax],CONTEXT_FULL 
    xor eax,eax  
    ret  

@@Set_SEH:  
      
    push dword [fs:0]  
    mov [fs:0],esp  

      
      
    xor eax,eax  
;    mov dword [resultlist],eax 
     
    test [eax],eax   
    test [eax],eax   

   
;    mov ecx,iter*8 
;    lea ebp,[resultlist+ecx] 
    neg ecx  
    sub esp,8  ;push local tics  

align 16  
@@:  
    rdtsc  
      ;mov dword [tics],eax  
      ;mov dword [tics+4],edx  
    mov [esp],eax  
    mov [esp+4],edx  

    xor eax,eax  
    test [eax],eax  ;exception  

    rdtsc  
        
    sub eax,dword [esp]  
    sbb edx,dword [esp+4]  
    mov [ebp+ecx],eax  
    mov [ebp+ecx+4],edx  

    add ecx,8  
    jnz @B  

    add esp,8  ;pop local ticks  
     
    pop dword [fs:0]  
    add esp,4  
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
;                                                 âûâîä ðåçóëüòàòîâ  
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
            finit  
;            mov     ebx,iter 
;            mov     esi,resultlist 
            mov     ebp,bcdresult     
;            mov     edi,message 
            fld     qword [max]       
align 16  
@@:         fild    qword [esi]  
            fld     st0  
            fbstp   [ebp]             
              
               
            fcom  st1  
            fstsw ax  
            test  ax,100h    
            jz @@ge1  
            fxch  
@@ge1:  
            fstp    st0  
            
;            invoke  wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp 
            add     esp,5*4  
            add     esi,8  
            add     edi,eax  
            dec     ebx  
            jnz     @B  

            mov     ebx,trNo  
            fld     qword [level]  
                
            fcomp st1  
            fstsw ax  
            fstp  st0  
            test  ax,100h    
            jz @@ge2  
            mov ebx,trYes  
@@ge2:  

            invoke  wsprintf,edi,presentfmt,ebx 
            add esp, 3*4  

            invoke  MessageBox,0,message,caption,MB_ICONINFORMATION 
            invoke ExitProcess,0 
             
              
endcrypt layer3,11h  
endcrypt layer4,12h  

nop   < -- tell me how many nops are left
nop  
nop  
nop  
endp
 

     



Try this one... It crashes for me because exitprocess gets encrypted incorrectly... It only works if there is a nop under it..
Post 09 Dec 2005, 23:51
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 10 Dec 2005, 00:46
aaahh, did you noticed how you are using "repeat"? You are substracting 1 to count which leaves the last byte uncrypted.

This code will display "123":
Code:
block.start:
dd 0
block.end:

count = block.end - block.start
repeat count - 1
  display %+48
end repeat    
This one will display "1234"
Code:
block.start:
dd 0
block.end:

count = block.end - block.start

repeat count
  display %+48
end repeat    


The counting starts from 1, not 0 and a "repeat 0" do nothing

[edit]Well, you have another problem, I'm checking it now[/edit]


Last edited by LocoDelAssembly on 10 Dec 2005, 01:09; edited 2 times in total
Post 10 Dec 2005, 00:46
View user's profile Send private message Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 10 Dec 2005, 00:52
macro begincrypt name
{
name#.begin:
}

macro endcrypt name, key
{
name#.end:
count = (rva name#.end - rva name#.begin)
repeat count
load b byte from %+ name#.begin -1
t = ((b xor key)+510) and 0ffh
store byte t at %+ name#.begin -1

end repeat
}

Now If I take out the - 1 from repeat count .. It still encrypts the next nop and crashes :9
Post 10 Dec 2005, 00:52
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 10 Dec 2005, 01:14
I'm still seeing 4 NOPs, however if I let the decrypting code to execute the first NOP is destroyed, so the problem is the decrypting code, not the encrypting macro.[edit]BUT, don't add "-1" again, removing it is still needed[/edit]
Post 10 Dec 2005, 01:14
View user's profile Send private message Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 10 Dec 2005, 01:58
if i take of the -1's it gives me errors
Post 10 Dec 2005, 01:58
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 10 Dec 2005, 02:55
I get crashes in both ways, please check your decrypting code, I suggest doing it again and using the suggestions of the other guys.

Note that you put align 16 inside the proc start6, put it just before the line "proc start6" because you are not really aligning your procedure but filling with NOPs the procedure.

PS: I'm using Windows 98 SE so my crashes can become for something else...
Post 10 Dec 2005, 02:55
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8351
Location: Kraków, Poland
Tomasz Grysztar 10 Dec 2005, 10:49
OK, time to come in. Wink
Here's the code after a few corrections to make it work. It displays the nops in the MessageBox, so you can count them Wink I also made it skipping the SEH etc. code, since it was not working for me and I you asked about a different problem. Also you omitted the imports, so I used the standard WIN32AX ones.

Do you need me to point all the corrections? I guess you should be able to find them yourself.
Code:
format PE GUI 4.0

include "win32axp.inc" 
;entry start
macro begincrypt name 
{ 
  name#.begin: 
} 

macro endcrypt name, key 
{    
   name#.end:     
   count = (rva name#.end - rva name#.begin)      
   repeat count
     load b byte from %+ name#.begin - 1   
      t = ((b xor key)+510) and 0ffh

     store byte t at %+ name#.begin - 1  
   end repeat    
}  


macro SysInvoke proc,[parameters]    

{ common    
local blah1,blah2,param_count    
push eax     

param_count=0    
reverse     
pushd parameters     
param_count=param_count+1    
common    

jmp blah2     
blah1:     
mov eax, proc     
mov edx, esp     
dw 340Fh ;sysenter 0F34h     
blah2:     
call blah1     
add esp, (param_count * 4) + 4 ; + 1 dummy EIP     
}  


section '.idata' data readable  

  szUser32                   db "kernel32.dll",0  
  szMessageBox               db "Beep",0  
  szOlly1      db "explorer.exe",0  
    
    
  section '.udata' readable writeable  
  hLib          dd 0  
  hProc         dd ?  
  dwBytesWritten1 dd ?  
  hInstance                  dd ?  
  hModule                    dd ?  
  dwBytesWritten             dd ?  
handle1 dd 0  
temp                    dd ?  
errorc dd 0  
;PrE             PROCESSENTRY32 
time dd 0  
align 16  
dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  
 thrid dd 0  

    
tics        dq      0  
;resultlist  rq      iter 
bcdresult   rb      12  
;message     rb      iter*32

shit db '%*s',0  
max         dq      1E15  
level       dq      1E5    
trYes       db      'Yes',0  
trNo        db      'No',0,0  
caption     db      'IsDebuggerPresent by RDTSC',0  
align 4  
tickfmt     db      '%.8X%.8X%.8X',13,10,0  
align 4  
presentfmt  db      'oooooooooooooooooo^i"î?îa~',13,10,13,10,'IsDebuggerPresent:   %s',13,10,0  

threadter dq 0  

codelength dq ?  

codebegin db ?  

section '.text' code readable executable writeable   

start:  


;invoke GetCurrentThreadId 

;invoke  CreateThread,0,0,start6,0,0,thrid 
;invoke CloseHandle, eax 



;invoke  CreateThread,0,0,start5,0,0,thrid  
;invoke CloseHandle,eax  
pop eax 
call start6 
;invoke OpenThread,3,0,eax 
;invoke TerminateThread,eax,0  
;SysInvoke ZWTerminateThread,eax,0 




start6:
align 16  
decs:
mov edi, layer4.end - 1
mov dword [codebegin],edi  
mov ecx, layer4.end  - layer4.begin
mov dword [codelength],ecx  
mov ebx,2  
@@:   
      
    mov eax,255
    dec1:
    dec byte [edi]
    dec eax
    jnz dec1
    dec edi
    dec ecx
    jnz @b
    mov edi,dword [codebegin]
    mov ecx,dword [codelength]
    dec ebx
    jnz @b
      
     
      
    dec2:  
   xor byte [edi],12h  
   dec edi
   dec ecx
   jnz dec2  
     
     
begincrypt layer4  

   mov edi, layer3.begin
   mov ecx, layer3.end - layer3.begin
    @@:   
    mov al, byte [edi]  
    sub al,255
    sub al,255
    xor al,11h  
    stosb   
    dec ecx  
    jne @b   
      
      
   begincrypt layer3  
    
    start3:
     call @@Set_SEH  

      
    mov eax,[esp+12]  
;    add dword [eax+CONTEXT_Eip],2   ; 
;    mov dword [eax],CONTEXT_FULL 
    xor eax,eax
    ret  

@@Set_SEH:  
jmp Finish!
    push dword [fs:0]  
    mov [fs:0],esp  

      
      
    xor eax,eax  
;    mov dword [resultlist],eax 
     
    test [eax],eax   
    test [eax],eax   

   
;    mov ecx,iter*8 
;    lea ebp,[resultlist+ecx] 
    neg ecx  
    sub esp,8  ;push local tics  

align 16  
@@:  
    rdtsc  
      ;mov dword [tics],eax  
      ;mov dword [tics+4],edx  
    mov [esp],eax  
    mov [esp+4],edx  

    xor eax,eax  
    test [eax],eax  ;exception  

    rdtsc  
        
    sub eax,dword [esp]  
    sbb edx,dword [esp+4]  
    mov [ebp+ecx],eax  
    mov [ebp+ecx+4],edx  

    add ecx,8  
    jnz @B  

    add esp,8  ;pop local ticks  
     
    pop dword [fs:0]  
    add esp,4

;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
;                                                 âu^âîä ?a*çóëüo`a`o`îâ  
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
            finit  
;            mov     ebx,iter 
;            mov     esi,resultlist 
            mov     ebp,bcdresult     
;            mov     edi,message 
            fld     qword [max]       
align 16  
@@:         fild    qword [esi]  
            fld     st0  
            fbstp   [ebp]             
              
               
            fcom  st1  
            fstsw ax  
            test  ax,100h    
            jz @@ge1  
            fxch  
@@ge1:  
            fstp    st0  
            
;            invoke  wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp 
            add     esp,5*4  
            add     esi,8  
            add     edi,eax  
            dec     ebx  
            jnz     @B  

            mov     ebx,trNo  
            fld     qword [level]  
                
            fcomp st1  
            fstsw ax  
            fstp  st0  
            test  ax,100h    
            jz @@ge2  
            mov ebx,trYes  
@@ge2:  

Finish!:
         ;   invoke  wsprintf,edi,presentfmt,ebx
         ;   add esp, 3*4
            invoke  MessageBox,0,message,caption,MB_ICONINFORMATION
            invoke ExitProcess,0 
             
endcrypt layer3,11h  
endcrypt layer4,12h  

message:
nop  ; < -- tell me how many nops are left
nop  
nop  
nop  

.end start    
Post 10 Dec 2005, 10:49
View user's profile Send private message Visit poster's website Reply with quote
shism2



Joined: 14 Sep 2005
Posts: 248
shism2 10 Dec 2005, 18:06
Thank you Thomas now it works perfectly....The problem was with the decryption lol.

I also have another question concerning this :

Code:
mov     ebx,iter
            mov     esi,resultlist
            mov     ebp,bcdresult   
            mov     edi,message
            fld     qword [max]     
align 16
@@:         fild    qword [esi]
            fld     st0
            fbstp   [ebp]           
            
             
            fcom  st1
            fstsw ax
            test  ax,100h  
            jz @@ge1
            fxch
@@ge1:
            fstp    st0
          
            invoke  wsprintf,edi,tickfmt,[ebp+8],[ebp+4],[ebp] <--- Gives error
            add     esp,5*4
            add     esi,8
            add     edi,eax
            dec     ebx
            jnz     @B    


Description: Does it work??? without running it in olly
Download
Filename: flatpe.zip
Filesize: 1.49 KB
Downloaded: 381 Time(s)

Post 10 Dec 2005, 18:06
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.