> Macroinstructions > Xor Crypting Macro Troubles Goto page 1, 2 Next |
shism2 06 Dec 2005, 01:33
Another thing I was trying to do is decrypt backwards and also increase the inline encryption complexity, by doing this:
Code: Takes a shitload of clock cycles ( enormously slower) but is more complex..... mov edi, layer4.end mov dword [codebegin],edi mov ecx, layer4.end - layer4.begin + 1 mov dword [codelength],ecx mov ebx,2 @@: mov eax,255 dec1: -------- dec byte [edi] ' Takes 1530 clock cycles ( I think) dec eax ' jnz dec1--------- ' dec edi dec ecx jnz @b mov edi,dword [codebegin] mov ecx,dword [codelength] dec ebx jnz @b dec2: xor byte [edi],12h dec edi dec ecx jnz dec2 Instead of : Code: A enormous amount less of clock cycles ( a shitload faster) but to easy.. mov edi, layer3.begin mov ecx, layer3.end - layer3.begin - 1 @@: mov al, byte [edi] sub al,255 sub al,255 xor al,12h stosb dec ecx jne @b |
shism2 07 Dec 2005, 21:47
Anyone ???
vid 07 Dec 2005, 22:05
Paste the entire source.
shism2 08 Dec 2005, 22:52
Code: macro endcrypt name, key { name#.end: count = (rva name#.end - rva name#.begin) repeat count - 1 load b byte from %+ name#.begin - 1 t = ((b xor key)+510) and 0ffh store byte t at %+ name#.begin - 1 end repeat } macro SysInvoke proc,[parameters] { common local blah1,blah2,param_count push eax param_count=0 reverse pushd parameters param_count=param_count+1 common jmp blah2 blah1: mov eax, proc mov edx, esp dw 340Fh ;sysenter 0F34h blah2: call blah1 add esp, (param_count * 4) + 4 ; + 1 dummy EIP } section '.idata' data readable szUser32 db "kernel32.dll",0 szMessageBox db "Beep",0 szOlly1 db "explorer.exe",0 section '.udata' readable writeable hLib dd 0 hProc dd ? dwBytesWritten1 dd ? hInstance dd ? hModule dd ? dwBytesWritten dd ? handle1 dd 0 temp dd ? errorc dd 0 PrE PROCESSENTRY32 time dd 0 align 16 dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 thrid dd 0 tics dq 0 resultlist rq iter bcdresult rb 12 message rb iter*32 shit db '%*s',0 max dq 1E15 level dq 1E5 trYes db 'Yes',0 trNo db 'No',0,0 caption db 'IsDebuggerPresent by RDTSC',0 align 4 tickfmt db '%.8X%.8X%.8X',13,10,0 align 4 presentfmt db 'oooooooooooooooooo^ïîðîã',13,10,13,10,'IsDebuggerPresent: %s',13,10,0 threadter dq 0 codelength dq ? codebegin db ? 
section '.text' code readable executable writeable start: invoke GetCurrentThreadId invoke CreateThread,0,0,start6,0,0,thrid invoke CloseHandle, eax ;invoke CreateThread,0,0,start5,0,0,thrid ;invoke CloseHandle,eax pop eax invoke OpenThread,3,0,eax ;invoke TerminateThread,eax,0 SysInvoke ZWTerminateThread,eax,0 proc start6 align 16 decs: mov edi, layer4.end mov dword [codebegin],edi mov ecx, layer4.end - layer4.begin + 1 mov dword [codelength],ecx mov ebx,2 @@: mov eax,255 dec1: dec byte [edi] dec eax jnz dec1 dec edi dec ecx jnz @b mov edi,dword [codebegin] mov ecx,dword [codelength] dec ebx jnz @b dec2: xor byte [edi],12h dec edi dec ecx jnz dec2 begincrypt layer4 mov edi, layer3.begin mov ecx, layer3.end - layer3.begin - 1 @@: mov al, byte [edi] sub al,255 sub al,255 xor al,11h stosb dec ecx jne @b begincrypt layer3 start3: call @@Set_SEH mov eax,[esp+12] add dword [eax+CONTEXT_Eip],2 ; mov dword [eax],CONTEXT_FULL xor eax,eax ret @@Set_SEH: push dword [fs:0] mov [fs:0],esp xor eax,eax mov dword [resultlist],eax test [eax],eax test [eax],eax mov ecx,iter*8 lea ebp,[resultlist+ecx] neg ecx sub esp,8 ;push local tics align 16 @@: rdtsc ;mov dword [tics],eax ;mov dword [tics+4],edx mov [esp],eax mov [esp+4],edx xor eax,eax test [eax],eax ;exception rdtsc sub eax,dword [esp] sbb edx,dword [esp+4] mov [ebp+ecx],eax mov [ebp+ecx+4],edx add ecx,8 jnz @B add esp,8 ;pop local ticks pop dword [fs:0] add esp,4 ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ; âûâîä ðåçóëüòàòîâ ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ finit mov ebx,iter mov esi,resultlist mov ebp,bcdresult mov edi,message fld qword [max] align 16 @@: fild qword [esi] fld st0 fbstp [ebp] fcom st1 fstsw ax test ax,100h jz @@ge1 fxch @@ge1: fstp st0 invoke wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp add esp,5*4 add esi,8 add edi,eax dec ebx jnz @B mov ebx,trNo fld qword [level] fcomp st1 fstsw ax fstp st0 test ax,100h jz @@ge2 mov ebx,trYes @@ge2: invoke 
wsprintf,edi,presentfmt,ebx add esp, 3*4 invoke MessageBox,0,message,caption,MB_ICONINFORMATION invoke ExitProcess,0 nop endcrypt layer3,11h endcrypt layer4,12h nop nop nop nop endp |
revolution 09 Dec 2005, 01:53
Why do you do this?
Code: mov eax,255 dec1: dec byte [edi] dec eax jnz dec1 You can replace with this Code: sub byte [edi],255 |
LocoDelAssembly 09 Dec 2005, 02:03
Do you mean this code encrypts the NOPs? I tested it and the NOPs are untouched.
Here is the code I tested (I commented some lines and added "begincrypt" to get out all the error messages): Code: format PE GUI 4.0 include "win32axp.inc" entry start macro begincrypt name { name#.begin: } macro endcrypt name, key { name#.end: count = (rva name#.end - rva name#.begin) repeat count - 1 load b byte from %+ name#.begin - 1 t = ((b xor key)+510) and 0ffh store byte t at %+ name#.begin - 1 end repeat } macro SysInvoke proc,[parameters] { common local blah1,blah2,param_count push eax param_count=0 reverse pushd parameters param_count=param_count+1 common jmp blah2 blah1: mov eax, proc mov edx, esp dw 340Fh ;sysenter 0F34h blah2: call blah1 add esp, (param_count * 4) + 4 ; + 1 dummy EIP } section '.idata' data readable szUser32 db "kernel32.dll",0 szMessageBox db "Beep",0 szOlly1 db "explorer.exe",0 section '.udata' readable writeable hLib dd 0 hProc dd ? dwBytesWritten1 dd ? hInstance dd ? hModule dd ? dwBytesWritten dd ? handle1 dd 0 temp dd ? errorc dd 0 ;PrE PROCESSENTRY32 time dd 0 align 16 dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 thrid dd 0 tics dq 0 ;resultlist rq iter bcdresult rb 12 ;message rb iter*32 shit db '%*s',0 max dq 1E15 level dq 1E5 trYes db 'Yes',0 trNo db 'No',0,0 caption db 'IsDebuggerPresent by RDTSC',0 align 4 tickfmt db '%.8X%.8X%.8X',13,10,0 align 4 presentfmt db 'oooooooooooooooooo^ïîðîã',13,10,13,10,'IsDebuggerPresent: %s',13,10,0 threadter dq 0 codelength dq ? codebegin db ? 
section '.text' code readable executable writeable start: ;invoke GetCurrentThreadId ;invoke CreateThread,0,0,start6,0,0,thrid ;invoke CloseHandle, eax ;invoke CreateThread,0,0,start5,0,0,thrid ;invoke CloseHandle,eax pop eax call start6 ;invoke OpenThread,3,0,eax ;invoke TerminateThread,eax,0 ;SysInvoke ZWTerminateThread,eax,0 proc start6 align 16 decs: mov edi, layer4.end mov dword [codebegin],edi mov ecx, layer4.end - layer4.begin + 1 mov dword [codelength],ecx mov ebx,2 @@: mov eax,255 dec1: dec byte [edi] dec eax jnz dec1 dec edi dec ecx jnz @b mov edi,dword [codebegin] mov ecx,dword [codelength] dec ebx jnz @b dec2: xor byte [edi],12h dec edi dec ecx jnz dec2 begincrypt layer4 mov edi, layer3.begin mov ecx, layer3.end - layer3.begin - 1 @@: mov al, byte [edi] sub al,255 sub al,255 xor al,11h stosb dec ecx jne @b begincrypt layer3 start3: call @@Set_SEH mov eax,[esp+12] ; add dword [eax+CONTEXT_Eip],2 ; ; mov dword [eax],CONTEXT_FULL xor eax,eax ret @@Set_SEH: push dword [fs:0] mov [fs:0],esp xor eax,eax ; mov dword [resultlist],eax test [eax],eax test [eax],eax ; mov ecx,iter*8 ; lea ebp,[resultlist+ecx] neg ecx sub esp,8 ;push local tics align 16 @@: rdtsc ;mov dword [tics],eax ;mov dword [tics+4],edx mov [esp],eax mov [esp+4],edx xor eax,eax test [eax],eax ;exception rdtsc sub eax,dword [esp] sbb edx,dword [esp+4] mov [ebp+ecx],eax mov [ebp+ecx+4],edx add ecx,8 jnz @B add esp,8 ;pop local ticks pop dword [fs:0] add esp,4 ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ; âûâîä ðåçóëüòàòîâ ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ finit ; mov ebx,iter ; mov esi,resultlist mov ebp,bcdresult ; mov edi,message fld qword [max] align 16 @@: fild qword [esi] fld st0 fbstp [ebp] fcom st1 fstsw ax test ax,100h jz @@ge1 fxch @@ge1: fstp st0 ; invoke wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp add esp,5*4 add esi,8 add edi,eax dec ebx jnz @B mov ebx,trNo fld qword [level] fcomp st1 fstsw ax fstp st0 test ax,100h jz @@ge2 mov 
ebx,trYes @@ge2: ; invoke wsprintf,edi,presentfmt,ebx add esp, 3*4 ; invoke MessageBox,0,message,caption,MB_ICONINFORMATION ; invoke ExitProcess,0 nop endcrypt layer3,11h endcrypt layer4,12h nop nop nop nop endp [edit]The NOPs are located from address 00403111 to 00403115[/edit] [edit2] Instead of: Code: A enormous amount less of clock cycles ( a shitload faster) but to easy.. mov edi, layer3.begin mov ecx, layer3.end - layer3.begin - 1 @@: mov al, byte [edi] sub al,255 sub al,255 xor al,12h Code: mov edi, layer3.begin mov ecx, layer3.end - layer3.begin - 1 @@: mov al, byte [edi] sub al,254 ; 254 = -2 ; sub al,255 xor al, 12h |
shism2 09 Dec 2005, 07:03
If you take the nop out from under ExitProcess, it will encrypt the next nop.
LocoDelAssembly 09 Dec 2005, 12:50
Well, now I tried your first code and the NOP is still there. Check the attachment; if I'm still using the wrong code, please post compilable code which has only the defective part, if you don't want to publish the entire code.
Regards [edit]Weird, the attachment wasn't accessible :S, now I removed it. Well, when I uploaded that attachment I had a problem and this post was posted two consecutive times, and then I deleted the duplicated post; maybe that was the problem[/edit] Last edited by LocoDelAssembly on 09 Dec 2005, 21:10; edited 2 times in total
shism2 09 Dec 2005, 18:55
The attachment doesn't exist?
shism2 09 Dec 2005, 18:58
Code: format PE GUI 4.0 include "win32axp.inc" entry start macro begincrypt name { name#.begin: } macro endcrypt name, key { name#.end: count = (rva name#.end - rva name#.begin) repeat count - 1 load b byte from %+ name#.begin - 1 t = ((b xor key)+510) and 0ffh store byte t at %+ name#.begin - 1 end repeat } macro SysInvoke proc,[parameters] { common local blah1,blah2,param_count push eax param_count=0 reverse pushd parameters param_count=param_count+1 common jmp blah2 blah1: mov eax, proc mov edx, esp dw 340Fh ;sysenter 0F34h blah2: call blah1 add esp, (param_count * 4) + 4 ; + 1 dummy EIP } section '.idata' data readable szUser32 db "kernel32.dll",0 szMessageBox db "Beep",0 szOlly1 db "explorer.exe",0 section '.udata' readable writeable hLib dd 0 hProc dd ? dwBytesWritten1 dd ? hInstance dd ? hModule dd ? dwBytesWritten dd ? handle1 dd 0 temp dd ? errorc dd 0 ;PrE PROCESSENTRY32 time dd 0 align 16 dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 thrid dd 0 tics dq 0 ;resultlist rq iter bcdresult rb 12 ;message rb iter*32 shit db '%*s',0 max dq 1E15 level dq 1E5 trYes db 'Yes',0 trNo db 'No',0,0 caption db 'IsDebuggerPresent by RDTSC',0 align 4 tickfmt db '%.8X%.8X%.8X',13,10,0 align 4 presentfmt db 'oooooooooooooooooo^ïîðîã',13,10,13,10,'IsDebuggerPresent: %s',13,10,0 threadter dq 0 codelength dq ? codebegin db ? 
section '.text' code readable executable writeable start: ;invoke GetCurrentThreadId ;invoke CreateThread,0,0,start6,0,0,thrid ;invoke CloseHandle, eax ;invoke CreateThread,0,0,start5,0,0,thrid ;invoke CloseHandle,eax pop eax call start6 ;invoke OpenThread,3,0,eax ;invoke TerminateThread,eax,0 ;SysInvoke ZWTerminateThread,eax,0 proc start6 align 16 decs: mov edi, layer4.end mov dword [codebegin],edi mov ecx, layer4.end - layer4.begin + 1 mov dword [codelength],ecx mov ebx,2 @@: mov eax,255 dec1: dec byte [edi] dec eax jnz dec1 dec edi dec ecx jnz @b mov edi,dword [codebegin] mov ecx,dword [codelength] dec ebx jnz @b dec2: xor byte [edi],12h dec edi dec ecx jnz dec2 begincrypt layer4 mov edi, layer3.begin mov ecx, layer3.end - layer3.begin - 1 @@: mov al, byte [edi] sub al,255 sub al,255 xor al,11h stosb dec ecx jne @b begincrypt layer3 start3: call @@Set_SEH mov eax,[esp+12] ; add dword [eax+CONTEXT_Eip],2 ; ; mov dword [eax],CONTEXT_FULL xor eax,eax ret @@Set_SEH: push dword [fs:0] mov [fs:0],esp xor eax,eax ; mov dword [resultlist],eax test [eax],eax test [eax],eax ; mov ecx,iter*8 ; lea ebp,[resultlist+ecx] neg ecx sub esp,8 ;push local tics align 16 @@: rdtsc ;mov dword [tics],eax ;mov dword [tics+4],edx mov [esp],eax mov [esp+4],edx xor eax,eax test [eax],eax ;exception rdtsc sub eax,dword [esp] sbb edx,dword [esp+4] mov [ebp+ecx],eax mov [ebp+ecx+4],edx add ecx,8 jnz @B add esp,8 ;pop local ticks pop dword [fs:0] add esp,4 ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ; âûâîä ðåçóëüòàòîâ ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ finit ; mov ebx,iter ; mov esi,resultlist mov ebp,bcdresult ; mov edi,message fld qword [max] align 16 @@: fild qword [esi] fld st0 fbstp [ebp] fcom st1 fstsw ax test ax,100h jz @@ge1 fxch @@ge1: fstp st0 ; invoke wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp add esp,5*4 add esi,8 add edi,eax dec ebx jnz @B mov ebx,trNo fld qword [level] fcomp st1 fstsw ax fstp st0 test ax,100h jz @@ge2 mov 
ebx,trYes @@ge2: ; invoke wsprintf,edi,presentfmt,ebx add esp, 3*4 ; invoke MessageBox,0,message,caption,MB_ICONINFORMATION ; invoke ExitProcess,0 endcrypt layer3,11h endcrypt layer4,12h nop < -- tell me how many nops are left nop nop nop endp |
LocoDelAssembly 09 Dec 2005, 21:06
I see 4 NOPs
Check the attachment. [edit] I removed the attachment to save space. [/edit] Last edited by LocoDelAssembly on 09 Apr 2006, 22:07; edited 1 time in total
shism2 09 Dec 2005, 23:51
Code: format PE GUI 4.0 include "win32axp.inc" entry start macro begincrypt name { name#.begin: } macro endcrypt name, key { name#.end: count = (rva name#.end - rva name#.begin) repeat count - 1 load b byte from %+ name#.begin - 1 t = ((b xor key)+510) and 0ffh store byte t at %+ name#.begin - 1 end repeat } macro SysInvoke proc,[parameters] { common local blah1,blah2,param_count push eax param_count=0 reverse pushd parameters param_count=param_count+1 common jmp blah2 blah1: mov eax, proc mov edx, esp dw 340Fh ;sysenter 0F34h blah2: call blah1 add esp, (param_count * 4) + 4 ; + 1 dummy EIP } section '.idata' data readable szUser32 db "kernel32.dll",0 szMessageBox db "Beep",0 szOlly1 db "explorer.exe",0 section '.udata' readable writeable hLib dd 0 hProc dd ? dwBytesWritten1 dd ? hInstance dd ? hModule dd ? dwBytesWritten dd ? handle1 dd 0 temp dd ? errorc dd 0 ;PrE PROCESSENTRY32 time dd 0 align 16 dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 thrid dd 0 tics dq 0 ;resultlist rq iter bcdresult rb 12 ;message rb iter*32 shit db '%*s',0 max dq 1E15 level dq 1E5 trYes db 'Yes',0 trNo db 'No',0,0 caption db 'IsDebuggerPresent by RDTSC',0 align 4 tickfmt db '%.8X%.8X%.8X',13,10,0 align 4 presentfmt db 'oooooooooooooooooo^ïîðîã',13,10,13,10,'IsDebuggerPresent: %s',13,10,0 threadter dq 0 codelength dq ? codebegin db ? 
section '.text' code readable executable writeable start: ;invoke GetCurrentThreadId ;invoke CreateThread,0,0,start6,0,0,thrid ;invoke CloseHandle, eax ;invoke CreateThread,0,0,start5,0,0,thrid ;invoke CloseHandle,eax pop eax call start6 ;invoke OpenThread,3,0,eax ;invoke TerminateThread,eax,0 ;SysInvoke ZWTerminateThread,eax,0 proc start6 align 16 decs: mov edi, layer4.end mov dword [codebegin],edi mov ecx, layer4.end - layer4.begin + 1 mov dword [codelength],ecx mov ebx,2 @@: mov eax,255 dec1: dec byte [edi] dec eax jnz dec1 dec edi dec ecx jnz @b mov edi,dword [codebegin] mov ecx,dword [codelength] dec ebx jnz @b dec2: xor byte [edi],12h dec edi dec ecx jnz dec2 begincrypt layer4 mov edi, layer3.begin mov ecx, layer3.end - layer3.begin - 1 @@: mov al, byte [edi] sub al,255 sub al,255 xor al,11h stosb dec ecx jne @b begincrypt layer3 start3: call @@Set_SEH mov eax,[esp+12] ; add dword [eax+CONTEXT_Eip],2 ; ; mov dword [eax],CONTEXT_FULL xor eax,eax ret @@Set_SEH: push dword [fs:0] mov [fs:0],esp xor eax,eax ; mov dword [resultlist],eax test [eax],eax test [eax],eax ; mov ecx,iter*8 ; lea ebp,[resultlist+ecx] neg ecx sub esp,8 ;push local tics align 16 @@: rdtsc ;mov dword [tics],eax ;mov dword [tics+4],edx mov [esp],eax mov [esp+4],edx xor eax,eax test [eax],eax ;exception rdtsc sub eax,dword [esp] sbb edx,dword [esp+4] mov [ebp+ecx],eax mov [ebp+ecx+4],edx add ecx,8 jnz @B add esp,8 ;pop local ticks pop dword [fs:0] add esp,4 ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ; âûâîä ðåçóëüòàòîâ ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ finit ; mov ebx,iter ; mov esi,resultlist mov ebp,bcdresult ; mov edi,message fld qword [max] align 16 @@: fild qword [esi] fld st0 fbstp [ebp] fcom st1 fstsw ax test ax,100h jz @@ge1 fxch @@ge1: fstp st0 ; invoke wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp add esp,5*4 add esi,8 add edi,eax dec ebx jnz @B mov ebx,trNo fld qword [level] fcomp st1 fstsw ax fstp st0 test ax,100h jz @@ge2 mov 
ebx,trYes @@ge2: invoke wsprintf,edi,presentfmt,ebx add esp, 3*4 invoke MessageBox,0,message,caption,MB_ICONINFORMATION invoke ExitProcess,0 endcrypt layer3,11h endcrypt layer4,12h nop < -- tell me how many nops are left nop nop nop endp Try this one... It crashes for me because exitprocess gets encrypted incorrectly... It only works if there is a nop under it.. |
LocoDelAssembly 10 Dec 2005, 00:46
Aaahh, did you notice how you are using "repeat"? You are subtracting 1 from count, which leaves the last byte unencrypted.
This code will display "123": Code: block.start: dd 0 block.end: count = block.end - block.start repeat count - 1 display %+48 end repeat Code: block.start: dd 0 block.end: count = block.end - block.start repeat count display %+48 end repeat The counting starts from 1, not 0 and a "repeat 0" do nothing [edit]Well, you have another problem, I'm checking it now[/edit] Last edited by LocoDelAssembly on 10 Dec 2005, 01:09; edited 2 times in total |
shism2 10 Dec 2005, 00:52
macro begincrypt name
{ name#.begin: } macro endcrypt name, key { name#.end: count = (rva name#.end - rva name#.begin) repeat count load b byte from %+ name#.begin -1 t = ((b xor key)+510) and 0ffh store byte t at %+ name#.begin -1 end repeat } Now If I take out the - 1 from repeat count .. It still encrypts the next nop and crashes :9 |
LocoDelAssembly 10 Dec 2005, 01:14
I'm still seeing 4 NOPs; however, if I let the decrypting code execute, the first NOP is destroyed, so the problem is the decrypting code, not the encrypting macro. [edit]BUT don't add "-1" again; removing it is still needed.[/edit]
shism2 10 Dec 2005, 01:58
If I take off the -1's, it gives me errors.
LocoDelAssembly 10 Dec 2005, 02:55
I get crashes both ways; please check your decrypting code. I suggest doing it again, using the suggestions of the other guys.
Note that you put align 16 inside the proc start6; put it just before the line "proc start6", because you are not really aligning your procedure but filling the procedure with NOPs. PS: I'm using Windows 98 SE, so my crashes could be caused by something else...
Tomasz Grysztar 10 Dec 2005, 10:49
OK, time to come in.
Here's the code after a few corrections to make it work. It displays the nops in the MessageBox, so you can count them I also made it skipping the SEH etc. code, since it was not working for me and I you asked about a different problem. Also you omitted the imports, so I used the standard WIN32AX ones. Do you need me to point all the corrections? I guess you should be able to find them yourself. Code: format PE GUI 4.0 include "win32axp.inc" ;entry start macro begincrypt name { name#.begin: } macro endcrypt name, key { name#.end: count = (rva name#.end - rva name#.begin) repeat count load b byte from %+ name#.begin - 1 t = ((b xor key)+510) and 0ffh store byte t at %+ name#.begin - 1 end repeat } macro SysInvoke proc,[parameters] { common local blah1,blah2,param_count push eax param_count=0 reverse pushd parameters param_count=param_count+1 common jmp blah2 blah1: mov eax, proc mov edx, esp dw 340Fh ;sysenter 0F34h blah2: call blah1 add esp, (param_count * 4) + 4 ; + 1 dummy EIP } section '.idata' data readable szUser32 db "kernel32.dll",0 szMessageBox db "Beep",0 szOlly1 db "explorer.exe",0 section '.udata' readable writeable hLib dd 0 hProc dd ? dwBytesWritten1 dd ? hInstance dd ? hModule dd ? dwBytesWritten dd ? handle1 dd 0 temp dd ? errorc dd 0 ;PrE PROCESSENTRY32 time dd 0 align 16 dupid dd 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 thrid dd 0 tics dq 0 ;resultlist rq iter bcdresult rb 12 ;message rb iter*32 shit db '%*s',0 max dq 1E15 level dq 1E5 trYes db 'Yes',0 trNo db 'No',0,0 caption db 'IsDebuggerPresent by RDTSC',0 align 4 tickfmt db '%.8X%.8X%.8X',13,10,0 align 4 presentfmt db 'oooooooooooooooooo^i"î?îa~',13,10,13,10,'IsDebuggerPresent: %s',13,10,0 threadter dq 0 codelength dq ? codebegin db ? 
section '.text' code readable executable writeable start: ;invoke GetCurrentThreadId ;invoke CreateThread,0,0,start6,0,0,thrid ;invoke CloseHandle, eax ;invoke CreateThread,0,0,start5,0,0,thrid ;invoke CloseHandle,eax pop eax call start6 ;invoke OpenThread,3,0,eax ;invoke TerminateThread,eax,0 ;SysInvoke ZWTerminateThread,eax,0 start6: align 16 decs: mov edi, layer4.end - 1 mov dword [codebegin],edi mov ecx, layer4.end - layer4.begin mov dword [codelength],ecx mov ebx,2 @@: mov eax,255 dec1: dec byte [edi] dec eax jnz dec1 dec edi dec ecx jnz @b mov edi,dword [codebegin] mov ecx,dword [codelength] dec ebx jnz @b dec2: xor byte [edi],12h dec edi dec ecx jnz dec2 begincrypt layer4 mov edi, layer3.begin mov ecx, layer3.end - layer3.begin @@: mov al, byte [edi] sub al,255 sub al,255 xor al,11h stosb dec ecx jne @b begincrypt layer3 start3: call @@Set_SEH mov eax,[esp+12] ; add dword [eax+CONTEXT_Eip],2 ; ; mov dword [eax],CONTEXT_FULL xor eax,eax ret @@Set_SEH: jmp Finish! push dword [fs:0] mov [fs:0],esp xor eax,eax ; mov dword [resultlist],eax test [eax],eax test [eax],eax ; mov ecx,iter*8 ; lea ebp,[resultlist+ecx] neg ecx sub esp,8 ;push local tics align 16 @@: rdtsc ;mov dword [tics],eax ;mov dword [tics+4],edx mov [esp],eax mov [esp+4],edx xor eax,eax test [eax],eax ;exception rdtsc sub eax,dword [esp] sbb edx,dword [esp+4] mov [ebp+ecx],eax mov [ebp+ecx+4],edx add ecx,8 jnz @B add esp,8 ;pop local ticks pop dword [fs:0] add esp,4 ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ; âu^âîä ?a*çóëüo`a`o`îâ ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ finit ; mov ebx,iter ; mov esi,resultlist mov ebp,bcdresult ; mov edi,message fld qword [max] align 16 @@: fild qword [esi] fld st0 fbstp [ebp] fcom st1 fstsw ax test ax,100h jz @@ge1 fxch @@ge1: fstp st0 ; invoke wsprintf,edi,tickfmt,ebp+8,ebp+4,ebp add esp,5*4 add esi,8 add edi,eax dec ebx jnz @B mov ebx,trNo fld qword [level] fcomp st1 fstsw ax fstp st0 test ax,100h jz @@ge2 
mov ebx,trYes @@ge2: Finish!: ; invoke wsprintf,edi,presentfmt,ebx ; add esp, 3*4 invoke MessageBox,0,message,caption,MB_ICONINFORMATION invoke ExitProcess,0 endcrypt layer3,11h endcrypt layer4,12h message: nop ; < -- tell me how many nops are left nop nop nop .end start |
shism2 10 Dec 2005, 18:06
Thank you Tomasz, now it works perfectly. The problem was with the decryption.
I also have another question concerning this : Code: mov ebx,iter mov esi,resultlist mov ebp,bcdresult mov edi,message fld qword [max] align 16 @@: fild qword [esi] fld st0 fbstp [ebp] fcom st1 fstsw ax test ax,100h jz @@ge1 fxch @@ge1: fstp st0 invoke wsprintf,edi,tickfmt,[ebp+8],[ebp+4],[ebp] <--- Gives error add esp,5*4 add esi,8 add edi,eax dec ebx jnz @B