upx3.03 unpack self MessageBox Code
UnpackMe <981902529 qq com> |
Friday, September 23 2011 12:41.22 CDT |
Hello Everyone!This Is one UnpackMe,Use upx3.03 Target,Self Analyze ,Write Unpacker Code,This No Is one General Unpack Code.Pelloc Compile,Recovery Windows Extension Option!
Code:
#include <windows.h>
#include <stdlib.h>
#include "upx.h"
#ifndef _IMAGEHLP_H
#include "imagehlp.h"
#pragma comment ( lib, "imagehlp.lib" )
#endif
IMAGE_DOS_HEADER *DosHeader = NULL; //DOSͷ
IMAGE_NT_HEADERS *NtHeader = NULL; //NTͷ
IMAGE_FILE_HEADER *FileHeader = NULL; //�ļ�ͷ
IMAGE_OPTIONAL_HEADER32 *OptHeader = NULL; //��ѡͷ
IMAGE_SECTION_HEADER *SecHeader =NULL;
IMAGE_IMPORT_DESCRIPTOR *pIID = NULL; //����Ŀ¼
DWORD dwImportBase;
PIMAGE_DOS_HEADER GetDosHeader(LPVOID ImageBase)
{
//////////////////////////////�ṹ����
PIMAGE_DOS_HEADER pDosHeader = NULL;
/////////////////////////////���DosHeader�ṹ
pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
return pDosHeader;
}
PIMAGE_NT_HEADERS GetNtHeader(LPVOID ImageBase)
{
//////////////////////////////�ṹ����
PIMAGE_DOS_HEADER pDosHeader = NULL;
PIMAGE_NT_HEADERS pNtHeader = NULL;
/////////////////////////////���NtHeader�ṹ
pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
pNtHeader = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader+pDosHeader->e_lfanew);
return pNtHeader;
}
PIMAGE_FILE_HEADER GetFileHeader(LPVOID ImageBase)
{
//////////////////////////////�ṹ����
PIMAGE_DOS_HEADER pDosHeader = NULL;
PIMAGE_NT_HEADERS pNtHeader = NULL;
PIMAGE_FILE_HEADER pFileHeader = NULL;
/////////////////////////////���FileHeader�ṹ
pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
pNtHeader = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader+pDosHeader->e_lfanew);
pFileHeader =(PIMAGE_FILE_HEADER)&pNtHeader->FileHeader;
return pFileHeader;
}
PIMAGE_OPTIONAL_HEADER GetOptionalHeader(LPVOID ImageBase)
{
//////////////////////////////�ṹ����
PIMAGE_DOS_HEADER pDosHeader = NULL;
PIMAGE_NT_HEADERS pNtHeader = NULL;
PIMAGE_OPTIONAL_HEADER pOptionHeader = NULL;
/////////////////////////////���OptionalHeader�ṹ
pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
pNtHeader = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader+pDosHeader->e_lfanew);
pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)&pNtHeader->OptionalHeader;
return pOptionHeader;
}
PIMAGE_SECTION_HEADER GetSectionHeader(LPVOID ImageBase)
{
//////////////////////////////�ṹ����
PIMAGE_DOS_HEADER pDosHeader = NULL;
PIMAGE_NT_HEADERS pNtHeader = NULL;
PIMAGE_OPTIONAL_HEADER pOptionHeader = NULL;
PIMAGE_FILE_HEADER pFileHeader = NULL;
PIMAGE_SECTION_HEADER pSecHeader = NULL;
/////////////////////////////���SectionHeader�ṹ
pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
pNtHeader = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader+pDosHeader->e_lfanew);
pFileHeader =(PIMAGE_FILE_HEADER)&pNtHeader->FileHeader;
pOptionHeader = (PIMAGE_OPTIONAL_HEADER)&pNtHeader->OptionalHeader;
pSecHeader =(PIMAGE_SECTION_HEADER)((LPBYTE)pOptionHeader + pFileHeader->SizeOfOptionalHeader);
return pSecHeader;
}
PIMAGE_IMPORT_DESCRIPTOR GetFirstImportDesc(LPVOID ImageBase)
{
//////////////////////////////�ṹ����
PIMAGE_DOS_HEADER pDosHeader = NULL;
PIMAGE_NT_HEADERS pNtHeader = NULL;
PIMAGE_OPTIONAL_HEADER pOptionHeader = NULL;
PIMAGE_FILE_HEADER pFileHeader = NULL;
PIMAGE_SECTION_HEADER pSecHeader = NULL;
/////////////////////////////���OptionalHeader�ṹ
pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
pNtHeader = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader+pDosHeader->e_lfanew);
pFileHeader =(PIMAGE_FILE_HEADER)&pNtHeader->FileHeader;
pOptionHeader = (PIMAGE_OPTIONAL_HEADER)&pNtHeader->OptionalHeader;
pSecHeader =(PIMAGE_SECTION_HEADER)((LPBYTE)pOptionHeader + pFileHeader->SizeOfOptionalHeader);
DWORD pImportOffset = (pOptionHeader->DataDirectory[1]).VirtualAddress ;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)
ImageRvaToVa (pNtHeader,ImageBase,pImportOffset,&pSecHeader ) ;
return pImportDesc;
}
////////////////////�Ƚ��Ƿ�ΪPE�ļ�
BOOL MemCmpPe(LPVOID ImageBase)
{
PIMAGE_DOS_HEADER pDosHeader =(PIMAGE_DOS_HEADER)ImageBase;
PIMAGE_NT_HEADERS pNtHeader =(PIMAGE_NT_HEADERS32)((DWORD)pDosHeader+pDosHeader->e_lfanew);
while(!ImageBase)
return FALSE;
while(pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
return FALSE;
while(pNtHeader->Signature!=IMAGE_NT_SIGNATURE)
return FALSE;
return TRUE;
}
///////////////////////////��ȡ�ļ����ڴ�
LPVOID MapFileToMemory(char *szFileName)
{
HANDLE hFile = CreateFile(szFileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile==INVALID_HANDLE_VALUE)
{
MessageBox(NULL,"���ܴ��ļ�","��ʾ",MB_OK);
return NULL;
}
HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY | SEC_COMMIT, 0, 0, NULL);
LPVOID pMap = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
return pMap;
}
///////////////////////////��ö���ֵ
DWORD Alignment(DWORD Size,DWORD Align)
{
if(Size%Align!=0)
return (Size/Align+1)*Align;
return Size;
}
/////////////////////����������
void ModifySecName(PIMAGE_SECTION_HEADER SecHeader,DWORD SecNum)
{
int i=0;
while(i<SecNum)
{
strcpy((char*)SecHeader[i].Name,"UnPack");
i++;
}
}
///////////////////�������
void ModifyImport(DWORD SecOffset,DWORD SecOffsetA,DWORD SecOffsetB)
{
DWORD SecOffsetC=SecOffset+SecOffsetA;
DWORD ImPort =*(DWORD*)SecOffsetC;
while(ImPort)
{
DWORD FuncAddr =*(DWORD*)(SecOffsetC+4);
HMODULE hMod=LoadLibraryA((char*)SecOffsetB+ImPort);
FuncAddr+=SecOffset;
SecOffsetC+=8;
while(*(BYTE*)SecOffsetC!=0)
{
++SecOffsetC;
*(DWORD*)FuncAddr=(DWORD)GetProcAddress(hMod,(char*)SecOffsetC);
FuncAddr+=4;
SecOffsetC+=strlen((char*)SecOffsetC)+1;
}
++SecOffsetC;
ImPort=*(DWORD*)SecOffsetC;
}
}
////////////���ڴ���0xE8,0xE9//////////////C���Ա�ʾ///////////////�е�����
void ModifyCall(BYTE *Start,int Size)
{
BYTE DB;
DWORD DDb;
DWORD FixAddr=(DWORD)Start;
WORD DWA;
BYTE Hi8;
WORD Lo8;
while(Size)
{
DB=*(BYTE*)Start-0xE8;
++Start;
if(DB>1||*Start!=3)
{
continue;
}
DDb=*(DWORD*)Start;
DWA=DDb&0x0ffff;
DWA>>=8;
DDb&=0xffff0000;
DDb|=DWA;
DDb=((DDb<<0x10)|(DDb>>0x10));
DWA=DDb&0x0ffff;
Lo8=((WORD)DWA<<8);
Hi8=(BYTE)(DWA>>8);
DWA=(Lo8+Hi8);
DDb&=0xffff0000;
DDb|=DWA;
DDb-=(DWORD)Start;
*(DWORD*)Start=DDb+FixAddr;
Start+=4;
--Size;
}
}
///////////////////���������
void SetSectionAlignment(IMAGE_SECTION_HEADER *TempSecHeader,int SectionNum,DWORD SecValue)
{
int AlignValue=0;
for(int i=0;i<SectionNum;i++)
{
AlignValue=Alignment(TempSecHeader->Misc.VirtualSize, SecValue);
TempSecHeader->SizeOfRawData =AlignValue;
TempSecHeader->Misc.VirtualSize=AlignValue;
TempSecHeader->PointerToRawData=TempSecHeader->VirtualAddress;
TempSecHeader++;
}
}
BYTE PCode; //ѹ����Ĵ�����ļ�ָ��
BYTE *pImage; //�µ�ӳ��ռ�
DWORD ImageSize; //�ӿǺ��ӳ���С
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
DWORD dwWrite;
LPBYTE lpFile=(LPBYTE)MapFileToMemory("Test.exe");
if(MemCmpPe(lpFile)==FALSE)
{
MessageBoxA(NULL,"PEǩ����Ч","��ʾ",MB_OK);
}
DosHeader =GetDosHeader(lpFile);
NtHeader =GetNtHeader(lpFile);
FileHeader =GetFileHeader(lpFile);
OptHeader =GetOptionalHeader(lpFile);
SecHeader =GetSectionHeader(lpFile);
pIID =GetFirstImportDesc(lpFile);
/////////////////////������һ�����Σ������Ƶ��ڴ���
ImageSize=Alignment(OptHeader->SizeOfImage,OptHeader->SectionAlignment);//��üӿǺ��ӳ���С��Ҳ��������ռ��С
pImage =VirtualAlloc(NULL,ImageSize,MEM_COMMIT,PAGE_READWRITE); //�����µ�PEӳ��ռ�
memcpy(pImage,lpFile,OptHeader->SizeOfHeaders); //����PEͷ���·����ӳ��ؼ�����
IMAGE_SECTION_HEADER *TempSecHeader =SecHeader; //��ʱ���νṹ
////////////////////���θ������ε��µ�PE����������ȥ
for(int i=0;i<FileHeader->NumberOfSections;i++) //���θ��ƴ��뵽�µ�ӳ��ռ�����
{
memcpy(pImage+TempSecHeader->VirtualAddress, //���մ����ӳ���ַ
lpFile+TempSecHeader->PointerToRawData, //���ƴ�����ļ�ƫ�Ƶ�ַ
Alignment(TempSecHeader->SizeOfRawData,OptHeader->FileAlignment)//���ƴ����С���ļ���С�Ͷ������
);
++TempSecHeader;
}
////////////////////����Image�����PEͷ
IMAGE_NT_HEADERS *NewNtHeader = GetNtHeader(pImage); //NTͷ
IMAGE_SECTION_HEADER *NewSecHeader = GetSectionHeader(pImage);
IMAGE_OPTIONAL_HEADER *NewOptHeader =GetOptionalHeader(pImage);
////////////////////������ڵ�
NewNtHeader->OptionalHeader.AddressOfEntryPoint=0x1020;
////////////////////�ļ����뷽ʽ
NewNtHeader->OptionalHeader.SizeOfImage =Alignment(NewOptHeader->SizeOfImage,NewOptHeader->SectionAlignment);
NewNtHeader->OptionalHeader.FileAlignment =NewOptHeader->FileAlignment;
NewNtHeader->OptionalHeader.SizeOfHeaders =NewSecHeader->VirtualAddress;
////////////////////��������λ�úʹ�С
SetSectionAlignment(NewSecHeader,NewNtHeader->FileHeader.NumberOfSections,0x1000); //�������
////////////////////��ʼ��ѹ����
UnCompress(pImage+SecHeader->VirtualAddress,(BYTE*)lpFile+SecHeader->PointerToRawData); //��ֻ���ڴ��е�ѹ�������ѹ��ӳ��ռ�
//DisposureE8(pImage+SecHeader->VirtualAddress,0x84); //���ڴ���E8
ModifyCall(pImage+SecHeader->VirtualAddress,0x84);
////////////////////�������
ModifyImport((DWORD)pImage+0x1000,0x9000,(DWORD)pImage+0xC000);
////////////////////����������
ModifySecName(GetSectionHeader(pImage),3);
///////////////////д���ļ�
HANDLE Handle=CreateFile("UnpackMe.exe", GENERIC_READ|GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
SetFilePointer(Handle,0,0,FILE_BEGIN);
WriteFile(Handle,pImage,ImageSize,&dwWrite,NULL);
MessageBox(NULL,"�ѿdzɹ�","UnpackMe",MB_OK);
return TRUE;
}
In Which,UnCompress Is Quote Other Code,Code As Follows,
Code:
#define True 1
int getbit(unsigned __int64 *pcom_dword, unsigned char **ppsrc)
{
unsigned __int64 temp;
//int result;
*pcom_dword &= 0xffffffff;
(*pcom_dword) *= 2;
if(!(*pcom_dword & 0xffffffff))
{
*pcom_dword = *(unsigned int *)(*ppsrc);
temp = (unsigned int)(*ppsrc);
temp -= (unsigned int)(-4);
(*ppsrc) += 4;
*pcom_dword = ((temp >> 32) & 1) + *pcom_dword + *pcom_dword;
}
return (int)((*pcom_dword >> 32) & 1);
}
int UnCompress(void *dst, void *src)
{
unsigned char *pdst = dst;
unsigned char *psrc = src;
unsigned char *xdst = NULL;
unsigned __int64 com_dword = 0;
unsigned __int64 off = 0;
unsigned __int64 temp = 0;
unsigned int length = 0;
unsigned int last_off = (unsigned int)-1;
int flag = 0;
com_dword = *(unsigned int *)psrc;
temp = (unsigned int)psrc;
psrc += 4;
temp -= (unsigned int)(-4);
com_dword = com_dword * 2 + ((temp >> 32) & 1);
if(((com_dword >> 32) & 1))
{
do
{
*pdst++ = *psrc++;
}while(getbit(&com_dword, &psrc));
}
while(True)
{
if(flag)
{
while(getbit(&com_dword, &psrc))
{
*pdst++ = *psrc++;
}
}
flag = 1;
off = 1;
do
{
do
{
off = off * 2 + getbit(&com_dword, &psrc);
}while(com_dword =com_dword + com_dword, ((com_dword >> 32) & 1) == 0);
if(com_dword & 0xffffffff)
{
break;
}
com_dword = *(unsigned int *)psrc;
temp = (unsigned int)psrc;
psrc += 4;
temp -= (unsigned int)(-4);
}while(com_dword = com_dword + com_dword + ((temp >> 32) & 1), ((com_dword >> 32) & 1) == 0);
length = 0;
off -= 3;
if(off >> 32 == 0)
{
off <<= 8;
off = off + *psrc++;
if((off = (off & 0xffffffff) ^ 0xffffffff) == 0)
{
break;
}
last_off = (unsigned int)off;
}
length = length + length + getbit(&com_dword, &psrc);
length = length + length + getbit(&com_dword, &psrc);
if(length == 0)
{
length++;
do
{
do
{
length = length + length + getbit(&com_dword, &psrc);
}while(com_dword = com_dword + com_dword, ((com_dword >> 32) & 1) == 0);
if(com_dword & 0xffffffff)
{
break;
}
com_dword = *(unsigned int *)psrc;
temp = (unsigned int)psrc;
psrc += 4;
temp -= (unsigned int)(-4);
}while(com_dword = com_dword + com_dword + ((temp >> 32) & 1), ((com_dword >> 32) & 1) == 0);
length += 2;
}
length++;
if(last_off < (unsigned int)(-0xd00))
length++;
xdst = last_off + pdst;
temp = last_off;
temp -= (unsigned int)(-4);
if(temp != 0 && ((temp >> 32) & 1) == 0)
{
for(;length > 0; length--)
{
*pdst++ = *xdst++;
}
}
else
{
for(;;)
{
*(unsigned int *)pdst = *(unsigned int *)xdst;
pdst += 4;
xdst += 4;
temp = length;
length -= 4;
temp -= 4;
if(temp == 0 || ((temp >> 32) & 1) == 1)
break;
}
pdst += length;
}
}
return pdst - (unsigned char *)dst;
}
Thank You Support! e-Mail: [email protected]
Comments
| Posted: Wednesday, December 31 1969 18:00.00 CST | |