PCShrink 0.71 部分源代码(带Packer)

　您现在的位置：捷凌网安 >> 文章中心 >> 加密合并 >> 加壳技术 >> 正文

作者：佚名责任编辑：左决点击数：更新时间：2008-2-17 1:06:49

这个东西对资源处理太棒了.正在还原它的源代码...
请问IDA怎么自定义常量?还有assume什么的?
这里是部分源码,也许脱壳有用吧...
都弄好以后会发布带资源的Full Source包:D

代码:--------------------------------------------------------------------------------
; [COLLAPSED ENUM MACRO_WM. PRESS KEYPAD "+" TO  EXPAND]
; [COLLAPSED ENUM MACRO_IMAGE_ORDINAL_FLAG. PRESS KEYPAD "+" TO  EXPAND]
; [COLLAPSED ENUM MACRO_IMAGE_ORDINAL. PRESS KEYPAD "+"  TO EXPAND]
; [COLLAPSED ENUM MACRO_WM. PRESS KEYPAD "+" TO  EXPAND]
; [COLLAPSED ENUM MACRO_IMAGE_ORDINAL_FLAG. PRESS KEYPAD "+" TO  EXPAND]
; [COLLAPSED ENUM MACRO_IMAGE_ORDINAL. PRESS KEYPAD "+"  TO EXPAND]
;
; ※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
; ※  This file is generated by The Interactive Disassembler (IDA)      ※
; ※  Copyright (c) 2003 by DataRescue sa/nv,  <ida@datarescue.com>      ※
; ※            [iNTERNAL  RELEASE]          ※
; ※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
;
; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
; File Name   :  E:\Documents and Settings\Star\桌面\pcsnk071\PCSHRINK.EXE.unpacked_.exe
; Format      :  Portable executable for  IBM PC (PE)
; Section 1. (virtual address 00001000)
; Virtual size      : 00004000 (  16384.)
; Section size in file    : 00004000 (  16384.)
; Offset to raw  data for section: 00001000
; Flags  E0000020: Text Executable Readable WrITable
; Alignment  : 16 bytes ?

    model flat

; 屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯?

; Segment type:  Pure code
; Segment permissions: Read/WrITe/Execute
pcs1    segment  para public 'CODE' use32
    assume cs:pcs1
    ;org 401000h
    assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
    call  GetProcessHeap

    mov  ds:hHeap, eax
    call  GetCommandLineA

    or  eax, eax
    jz  short start

    xchg  eax, esi

loc_401014:        ; CODE XREF: pcs1:00401035j
    cmp  byte ptr [esi],  0
    jz  short start

    shl  eax, 8
    lodsb
    cmp  eax, 72696E6Bh
    jnz  short loc_401029

    cmp  byte ptr [esi],  2Eh
    jnz  short loc_401037

loc_401029:        ; CODE XREF: pcs1:00401022j
    cmp  eax, 2E657865h
    jz  short loc_401037

    cmp  eax, 2E455845h
    jnz  short loc_401014

loc_401037:        ; CODE XREF: pcs1:00401027j
          ; pcs1:0040102Ej ...
    lodsb
    cmp  al, 20h
    jz  short loc_401037

    cmp  al, 22h
    jz  short loc_401037

    dec  esi
    push  esi
    push  offset szBuffer
    call  lstrcpy

; 〓〓〓〓〓〓〓〓 S U B R O U T I N E  〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓

    public start
start    proc near    ; CODE XREF: pcs1:00401011j
          ; pcs1:00401017j
    push  0    ; lpModuleName
    call  GetModuleHandleA

    mov  ds:hInstance, eax
    push  0    ; dwInITParam
    push  offset DialogFunc ; lpDialogFunc
    push  0    ; hWndParent
    push  65h    ; lpTemplateName
    push  eax    ; hInstance
    call  DialogBoxParamA

    push  eax    ; uExITCode
    call  ExITProcess

; DWORD  __stdcall MyThread(LPVOID)
MyThread:        ; DATA XREF: pcs1:00401205o
    mov  ds:lpFileName, offset szBuffer
    cmp  ds:BackupFile, 1
    jnz  short @SkipBackupFile

    push  ds:lpFileName
    call  MakeBackup

@SkipBackupFile:      ; CODE XREF: start+34j
    push  ds:lpFileName
    push  offset szCompressOK ; "Successfully compressed!\r\n Installed on"...
    call  lstrcat

    call  CompressPE

    cmp  ds:CompressResult, 0FCh
    jz  short @ExIT

    cmp  ds:CompressResult, 0FFh
    jz  short @CompressError

    push  offset aCompressedObje ; "\r\n Compressed objects: "
    push  offset szCompressOK ; "Successfully compressed!\r\n Installed on"...
    call  lstrcat

    push  offset aOriginalSize ; "\r\nOriginal size: "
    push  offset szCompressOK ; "Successfully compressed!\r\n Installed on"...
    call  lstrcat

    push  0    ; uType
    push  offset szCaption ; lpCaption
    push  offset szCompressOK ; lpText
    push  0    ; hWnd
    call  MessageBoxA

    xor  eax, eax
    jmp  short @ExIT

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

@CompressError:        ; CODE XREF: start+66j
    push  ds:lpFileName
    push  offset szCompressError ; "There  was an error compressing the file"...
    call  lstrcat

    push  30h    ; uType
    push  offset szCaption ; lpCaption
    push  offset szCompressError ; lpText
    push  0    ; hWnd
    call  MessageBoxA

    mov  eax, 2

@ExIT:          ; CODE XREF: start+5Dj  start+9Bj
    push  0    ; lParam
    push  0    ; wParam
    push  WM_CLOSE  ; Msg
    push  ds:hWnd    ; hWnd
    call  SendMessageA

    push  0    ; dwExITCode
    call  ExITThread  ; 退出线程

    retn

start    endp ; sp = -4

; 〓〓〓〓〓〓〓〓 S U B R O U T I N E  〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓

; Attributes: bp-based frame

; BOOL __stdcall DialogFunc(HWND,UINT,WPARAM,LPARAM)
DialogFunc  proc near    ; DATA XREF: start+Eo

hWnd    = dword  ptr  8
Msg    = dword  ptr  0Ch
wParam    = dword  ptr  10h

    enter  0, 0
DialogFunc  endp

    push  ebx
    push  edi
    push  esi
    mov  eax, [ebp+8]
    mov  ds:hWnd, eax
    cmp  dword ptr [ebp+0Ch], WM_COMMAND
    jz  short @Command

    cmp  dword ptr [ebp+0Ch], WM_CLOSE
    jz  @Close

    cmp  dword ptr [ebp+0Ch], WM_INITDIALOG
    jz  @InITDialog

@UnknownMsg:        ; CODE XREF: pcs1:00401243j
          ; pcs1:00401334j
    xor  eax, eax
    pop  esi
    pop  edi
    pop  ebx
    leave
    retn  10h

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

@Command:        ; CODE XREF: pcs1:00401140j
    cmp  dword ptr [ebp+10h], 1
    jnz  @NotOK

    push  0
    push  ds:hOK
    call  EnableWindow

    push  0
    push  ds:hBrowse
    call  EnableWindow

    pusha
    call  ProcessCheckBoxes

    popa
    push  0FFh
    push  offset szBuffer
    push  1000
    push  ds:hWnd
    call  GetDlgITemTextA

    push  1004
    push  ds:hWnd
    call  IsDlgButtonChecked

    mov  ds:RestructureResourceData, eax
    push  1005
    push  ds:hWnd
    call  IsDlgButtonChecked

    mov  ds:SectionMerging, eax
    push  1012
    push  ds:hWnd
    call  IsDlgButtonChecked

    mov  ds:BackupFile, eax
    push  1026
    push  ds:hWnd
    call  IsDlgButtonChecked

    mov  ds:CompressExportTable,  eax
    pusha
    push  offset ThreadId
    push  0
    push  0
    push  offset MyThread
    push  0
    push  0
    call  CreateThread

    popa
    jmp  short @Return

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

@NotOK:          ; CODE XREF: pcs1:00401166j
    cmp  dword ptr [ebp+10h], 1003
    jz  @Browse

    cmp  dword ptr [ebp+10h], 2
    jz  short @Close

    cmp  dword ptr [ebp+10h], 1009
    jz  @virogen_cjb_net

    cmp  dword ptr [ebp+10h], 1008
    jz  @phrozencrew_com

    jmp  @UnknownMsg

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

@Return:        ; CODE XREF: pcs1:00401214j
          ; pcs1:00401351j ...
    mov  eax, 1
    pop  esi
    pop  edi
    pop  ebx
    leave
    retn  10h

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

@Close:          ; CODE XREF: pcs1:00401146j
          ; pcs1:00401227j
    push  0    ; nExITCode
    call  PostQuITMessage

    pop  esi
    pop  edi
    pop  ebx
    leave
    retn  10h

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

@InITDialog:        ; CODE XREF: pcs1:00401153j
    push  80h    ; lpIconName
    push  ds:hInstance  ; hInstance
    call  LoadIconA

    push  eax
    push  eax    ; lParam
    push  0    ; wParam
    push  WM_SETICON  ; Msg
    push  ds:hWnd    ; hWnd
    call  SendMessageA

    pop  eax
    push  eax    ; lParam
    push  1    ; wParam
    push  WM_SETICON  ; Msg
    push  ds:hWnd    ; hWnd
    call  SendMessageA

    push  offset szBuffer  ; lpString
    push  1000    ; nIDDlgITem
    push  ds:hWnd    ; hDlg
    call  SetDlgITemTextA

    push  ds:RestructureResourceData ; uCheck
    push  1004    ; nIDButton
    push  ds:hWnd    ; hDlg
    call  CheckDlgButton

    push  ds:SectionMerging ; uCheck
    push  3EDh    ; nIDButton
    push  ds:hWnd    ; hDlg
    call  CheckDlgButton

    push  ds:BackupFile  ; uCheck
    push  1012    ; nIDButton
    push  ds:hWnd    ; hDlg
    call  CheckDlgButton

    push  1011    ; nIDDlgITem
    push  ds:hWnd    ; hDlg
    call  GetDlgITem

    mov  ds:hProgress, eax
    push  1    ; &OK
    push  ds:hWnd    ; hDlg
    call  GetDlgITem

    mov  ds:hOK,  eax
    push  1003    ; &Browse
    push  ds:hWnd    ; hDlg
    call  GetDlgITem

    mov  ds:hBrowse, eax
    pusha
    call  _CheckDlgButton

    popa
    jmp  @UnknownMsg

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

@virogen_cjb_net:      ; CODE XREF: pcs1:00401230j
    push  0
    push  0
    push  0
    push  offset szWeb1  ; "http://virogen.cjb.net"
    push  0
    push  ds:hWnd
    call  ShellExecuteA

    jmp  @Return

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

@phrozencrew_com:      ; CODE XREF: pcs1:0040123Dj
    push  0
    push  0
    push  0
    push  offset szWeb2  ; "http://www.phrozencrew.com"
    push  0
    push  ds:hWnd
    call  ShellExecuteA

    jmp  @Return

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

@Browse:        ; CODE XREF: pcs1:0040121Dj
    mov  eax, ds:hWnd
    mov  ds:ofn.hwndOwner, eax
    mov  ds:ofn.lpstrFilter, offset aPeExeFiles ; "PE EXE files"
    mov  ds:ofn.lpstrFile, offset szBuffer
    mov  ds:ofn.lStructSize, 4Ch
    mov  ds:ofn.nMaxFile, 0FFh
    mov  ds:ofn.Flags, 4
    push  offset ofn
    call  GetOpenFileNameA

    or  eax, eax
    jz  short @NoSelectFile

    push  offset szBuffer
    push  1000
    push  ds:hWnd
    call  SetDlgITemTextA

@NoSelectFile:        ; CODE XREF: pcs1:004013BBj
    jmp  @Return

; 〓〓〓〓〓〓〓〓 S U B R O U T I N E  〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓

sub_4013D7  proc near    ; CODE XREF: sub_4013D7+5Fp
          ; CompressPE+1D0p
    pop  eax
    pop  esi
    push  eax
    or  esi, esi
    jz  short loc_401452

    movzx  ecx, word ptr [esi+0Ch]
    add  cx, [esi+0Eh]
    add  esi, 10h
    or  ecx, ecx
    jz  short loc_401452

loc_4013ED:        ; CODE XREF: sub_4013D7+6Ej
    mov  ebx, [esi+4]
    test  ebx, 80000000h
    jz  short loc_401449

    cmp  ds:dword_4037E3, 0
    jnz  short @GetProcAddress ;  去掉高位

    pusha
    push  dword ptr [esi]
    call  sub_402291

    popa
    jnb  short loc_401418

    mov  ds:ha_buzhidao,  0
    jmp  short @GetProcAddress ;  去掉高位

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

loc_401418:        ; CODE XREF: sub_4013D7+33j
    mov  ds:ha_buzhidao,  1

@GetProcAddress:      ; CODE XREF: sub_4013D7+28j
          ; sub_4013D7+3Fj
    and  ebx, 7FFFFFFFh  ; 去掉高位
    add  ebx, ds:dword_4037B7
    pusha
    inc  ds:dword_4037E3
    push  ebx
    call  sub_4013D7

    dec  ds:dword_4037E3
    popa

loc_401442:        ; CODE XREF: sub_4013D7+79j
    add  esi, 8
    loop  loc_4013ED

    jmp  short loc_401452

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

loc_401449:        ; CODE XREF: sub_4013D7+1Fj
    pusha
    call  sub_401458

    popa
    jmp  short loc_401442

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

loc_401452:        ; CODE XREF: sub_4013D7+5j
          ; sub_4013D7+14j ...
    mov  eax, ds:dword_403C69
    retn

sub_4013D7  endp ; sp =  4

; 〓〓〓〓〓〓〓〓 S U B R O U T I N E  〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓

sub_401458  proc near    ; CODE XREF: sub_4013D7+73p
    and  ebx, 7FFFFFFFh
    add  ebx, ds:dword_4037B7
    mov  esi, ebx
    cmp  ds:ha_buzhidao,  1
    jz  short loc_40147E

    mov  edx, ds:dword_4037CB
    add  ds:dword_4037CB, 8
    jmp  short loc_40148B

; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

loc_40147E:        ; CODE XREF: sub_401458+15j
    mov  edx, ds:dword_4037D7
    add  ds:dword_4037D7, 8

loc_40148B:        ; CODE XREF: sub_401458+24j
    mov  [edx], esi
    mov  ecx, [esi+4]
    push  ebx
    push  ecx
    push  edx
    push  esi
    push  edi
    push  ebp
    push  ecx    ; dwBytes
    push  8    ; dwFlags
    push  ds:hHeap  ; hHeap
    call  HeapAlloc

    pop  ebp
    pop  edi
    pop  esi
    pop  edx
    pop  ecx
    pop  ebx
    mov  [edx+4], eax
    push  eax
    mov  ebx, [esi]
    call  sub_401FC6

    add  ebx, ds:lpBaseAddress
    pop  edi
    mov  ecx, [esi+4]
    mov  esi, ebx
    rep movsb
    sub  ebx, ds:dword_4037B7
    retn

sub_401458  endp

上一篇文章：一个壳,附主程序和源代码

下一篇文章：利用进程空闲为壳软件打补丁3例

最进更新

	瑞星公司06月04日发布每日计	06-04
	陕西省地震局网站两次遭到"黑	06-04
	谨防"Flash蛀虫"病毒已感染	06-04
	安全预警：“肉鸡猎人”抓肉	06-04
	灰鸽子伪装成MSN、QQ等常用图	06-04
	微软：Safari浏览器存在安全	06-04
	中国黑客被疑导致美国2003年	06-04
	微软建议用户暂停用苹果Safa	06-04
	台北世贸中心官网被挂马	06-04
	电脑身份验证无处不在让黑客	06-04