}
elif op == "CALL": # E8 xxxxxxxx call <dword> ; (dword is relative to next instruction address)
labels.append(arg) # we need to remember where it jumps
mutated_code += """
add esp, -4
mov dword [esp], _%(returnaddress)i_ret
add esp, -4
mov dword [esp], _%(calltarget)i
retn
_%(returnaddress)i_ret:
""" % {
"returnaddress": addr,
"calltarget": arg
}
elif op == "JUMP": # FF25 xxxxxxxx jump [<dword>]
mutated_code += """
mov eax, dword [%i]
add esp, -4
mov dword [esp], eax
retn""" % arg
# generate our stub
stub = mypacklib.build_stub(mutated_code)
#patch the file with our changes, and modify EntryPoint value
mypacklib.patchas(pe, "mutated.exe", oep, stub)
# Ange Albertini, Creative Commons BY, 2009-2010
.getgammaloop:
call getbit
adc ecx, ecx
call getbit
jc .getgammaloop
ret
donedepacking:
push 0%(oep_va)08xh
retn
compressed_data:
"""
# fill fake values to be able to get the stub size
dummy_stub = my_stub % {"start_va": oep + ib, "oep_va": oep + ib}
stub_length = len(mypacklib.build_stub(dummy_stub))
# now we can locate our stub accurately
stub_start = start + size - (stub_length + len(compressed_data))
# and generate it
my_stub = my_stub % {"start_va": stub_start + ib, "oep_va": oep + ib}
stub = mypacklib.build_stub(my_stub)
stub += compressed_data
# we need to make that first section writable
section = pe.sections[mypacklib.getEPsection(pe)]
section.Characteristics |= pefile.SECTION_CHARACTERISTICS[
"IMAGE_SCN_MEM_WRITE"]
mutated_code += """
add esp, -4
mov dword [esp], %(arg)i
""" % {"arg" : arg}
elif op == "CALL": # E8 xxxxxxxx call <dword> ; (dword is relative to next instruction address)
labels.append(arg) # we need to remember where it jumps
mutated_code += """
add esp, -4
mov dword [esp], _%(returnaddress)i_ret
add esp, -4
mov dword [esp], _%(calltarget)i
retn
_%(returnaddress)i_ret:
""" % {"returnaddress": addr, "calltarget":arg}
elif op == "JUMP": # FF25 xxxxxxxx jump [<dword>]
mutated_code += """
mov eax, dword [%i]
add esp, -4
mov dword [esp], eax
retn""" % arg
# generate our stub
stub = mypacklib.build_stub(mutated_code)
#patch the file with our changes, and modify EntryPoint value
mypacklib.patchas(pe, "mutated.exe", oep, stub)
# Ange Albertini, Creative Commons BY, 2009-2010
pe, oep, ib, start, size = mypacklib.load()
# generates our stub
my_stub = """bits 32
pushad ; let's save registers
mov eax, dword [fs:018h] ; implementing IsDebuggerPresent
mov eax, dword [eax + 030h]
movzx eax, byte [eax + 2]
test al, al ; al is 1 if debugger is present
jnz _fail
popad
push 0%(oep_va)08xh
retn
_fail:
popad
retn
""" % {
'oep_va': oep + ib
}
stub = mypacklib.build_stub(my_stub)
stub_length = len(stub)
# our stub will be located at the end of the section that contains the entry point
new_ep = start + (size - stub_length)
# patch the file with our changes, and modify EntryPoint value
mypacklib.patchas(pe, "protected.exe", new_ep, stub)
# Ange Albertini, Creative Commons BY, 2009-2010
mov edi, esi
mov ecx, 0%(size)08xh
_loop:
lodsb
xor al, 042h
stosb
loop _loop
popad
push 0%(oep_va)08xh
retn
"""
# % {'start_va':start + ib, 'size':crypted_size, 'oep_va':oep + ib}
# incorrect values, just to get the stub size
dummy_stub = my_stub % {'start_va':start + ib, 'size':size, 'oep_va':oep + ib}
stub_length = len(mypacklib.build_stub(dummy_stub))
# calculating real values
crypted_size = size - stub_length
# final stub generation
final_stub = my_stub % {'start_va':start + ib, 'size':crypted_size, 'oep_va':oep + ib}
stub = mypacklib.build_stub(final_stub)
# crypts the original section
buffer = list(pe.get_data(start, crypted_size))
for i,b in enumerate(buffer):
buffer[i] = chr(ord(b) ^ 0x42)
buffer = str().join(buffer)
import pefile, mypacklib
pe, oep, ib, start, size = mypacklib.load()
# generates our stub
my_stub = """bits 32
pushad ; let's save registers
mov eax, dword [fs:018h] ; implementing IsDebuggerPresent
mov eax, dword [eax + 030h]
movzx eax, byte [eax + 2]
test al, al ; al is 1 if debugger is present
jnz _fail
popad
push 0%(oep_va)08xh
retn
_fail:
popad
retn
""" % {'oep_va':oep + ib}
stub = mypacklib.build_stub(my_stub)
stub_length = len(stub)
# our stub will be located at the end of the section that contains the entry point
new_ep = start + (size - stub_length)
# patch the file with our changes, and modify EntryPoint value
mypacklib.patchas(pe, "protected.exe", new_ep, stub)
# Ange Albertini, Creative Commons BY, 2009-2010
