Thema: Kopierschutz


Peter666

Registriert seit: 11. Aug 2007
357 Beiträge
 
#29

AW: Kopierschutz

  Alt 8. Jan 2011, 15:31
Ich habe mich vorhin mal hingesetzt und angefangen, aus einem alten Assemblersource einen Junk-Code-Generator zu erstellen. Herausgekommen ist Folgendes:

Code:
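unit UJunkit;

{ Thin Delphi wrapper around the "ETG" junk-code engine.  The engine itself is
  raw x86 machine code kept in the ETG_bin constant of the implementation
  section; Junk calls into it and appends a RET to whatever it produced.
  NOTE(review): ETG_bin is a typed constant (data, not code) and the filled
  buffer is meant to be executed later (hence the trailing RET).  On a DEP/NX
  enabled system both will fault unless their pages are made executable first
  (e.g. VirtualProtect) -- confirm before relying on this in a real build. }

interface

uses
  Windows; // DWORD here; GetTickCount in the implementation section

const
  { Instruction-class flags for the cmd_avail parameter of Junk.  The names
    are the ETG engine's own; a set of them selects which kinds of junk
    instructions may be emitted. }
  ETG_MOVRR = $00000001;
  ETG_MOVRC = $00000002;
  ETG_MOVSXZX = $00000004;
  ETG_XCHG = $00000008;
  ETG_LEA = $00000010;
  ETG_TTTRR = $00000020;
  ETG_TTTRC = $00000040;
  ETG_INCDEC = $00000080;
  ETG_NOTNEG = $00000100;
  ETG_TESTRR = $00000200;
  ETG_TESTRC = $00000400;
  ETG_IMUL = $00000800;
  ETG_SHIFT = $00001000;
  ETG_SHxD = $00002000;
  ETG_BSWAP = $00004000;
  ETG_XADD = $00008000;
  ETG_BSx = $00010000;
  ETG_BTx = $00020000;
  ETG_JMPS = $00040000;
  ETG_SEG = $00080000;
  ETG_REP = $00100000;
  ETG_ALL = $001FFFFF;   // every class above
  ETG_DEFAULT = ETG_TTTRC; // used if no cmds specified

  { Register flags for the regsrcavail / regdstavail parameters of Junk. }
  REG_EAX = $00000001;
  REG_ECX = $00000002;
  REG_EDX = $00000004;
  REG_EBX = $00000008;
  REG_ESP = $00000010;
  REG_EBP = $00000020;
  REG_ESI = $00000040;
  REG_EDI = $00000080;
  REG_ALL = (not REG_ESP) and $FF; // all eight except ESP ($EF)
  REG_DEFAULT = REG_EAX; // used if no regs specified

{ Fills buf with a random junk-instruction sequence and terminates it with
  a RET ($C3).
  user_param  - opaque value; presumably handed to the engine's random
                callback as its userdata argument (TRandomFunc) -- not
                verified here
  cmd_avail   - set of ETG_xxx flags (ETG_DEFAULT if none given)
  regsrcavail - set of REG_xxx flags usable as source registers
                (REG_DEFAULT if none given)
  regdstavail - set of REG_xxx flags the junk may write to
                (REG_DEFAULT if none given)
  osizeptr    - receives the number of bytes written, trailing RET included
  ncmds       - maximum number of instructions to generate
  bufsize     - size of buf in bytes
  buf         - output buffer }
procedure Junk(user_param, cmd_avail, regsrcavail,
  regdstavail: DWORD; out osizeptr: DWORD; ncmds, bufsize: DWORD;
  buf: Pointer);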

implementation

type
  // Random-number callback the engine calls while generating.  userdata is
  // the caller's opaque value; range is the exclusive upper bound (MyRandom
  // below returns randseed mod range, and 0 when range is 0).  cdecl because
  // the caller is the raw machine code in ETG_bin.
  TRandomFunc = function(userdata, range: DWORD): DWORD; cdecl;

  // Signature of the raw engine entry point; Junk casts @ETG_bin to this
  // type and calls it.  The parameter list is the exported Junk procedure's
  // plus the Random callback appended at the end.
  TETG_Engine = procedure(
    user_param: DWORD; // user-parameter
    cmd_avail: DWORD; // set of ETG_xxx
    regsrcavail: DWORD; // set of REG_xxx
    regdstavail: DWORD; // set of REG_xxx
    out osizeptr: DWORD; // ptr to generated bufsize
    ncmds: DWORD; // max number of commands
    bufsize: DWORD; // max size of buffer
    buf: Pointer; // ptr to output buffer
    Random: TRandomFunc // callback used for every random choice
    ); cdecl;

const
  ETG_bin: array[0..1139] of byte = (
    $C8, $50, $00, $00, $60, $8B, $7D, $24,
    $FC, $81, $65, $10, $EF, $00, $00, $00,
    $75, $07, $C7, $45, $10, $01, $00, $00,
    $00, $81, $65, $14, $EF, $00, $00, $00,
    $75, $07, $C7, $45, $14, $01, $00, $00,
    $00, $81, $65, $0C, $FF, $FF, $1F, $00,
    $75, $07, $C7, $45, $0C, $40, $00, $00,
    $00, $8B, $C7, $2B, $45, $24, $8B, $4D,
    $18, $89, $01, $83, $C0, $10, $3B, $45,
    $20, $73, $0C, $FF, $4D, $1C, $7C, $07,
    $E8, $05, $00, $00, $00, $EB, $E2, $61,
    $C9, $C3, $C7, $45, $FC, $01, $00, $00,
    $00, $C7, $45, $F8, $08, $00, $00, $00,
    $E8, $E4, $03, $00, $00, $89, $45, $C8,
    $C1, $E0, $03, $89, $45, $C4, $E8, $D1,
    $03, $00, $00, $89, $45, $C0, $C1, $E0,
    $03, $89, $45, $BC, $8B, $45, $14, $23,
    $45, $10, $A9, $0F, $00, $00, $00, $74,
    $13, $B8, $02, $00, $00, $00, $E8, $93,
    $03, $00, $00, $89, $45, $FC, $C1, $E0,
    $03, $89, $45, $F8, $B8, $02, $00, $00,
    $00, $E8, $80, $03, $00, $00, $89, $45,
    $DC, $D1, $E0, $89, $45, $D8, $C1, $E0,
    $02, $89, $45, $D4, $B8, $04, $00, $00,
    $00, $E8, $68, $03, $00, $00, $C1, $E0,
    $03, $89, $45, $D0, $E8, $70, $03, $00,
    $00, $C1, $E0, $03, $89, $45, $CC, $E8,
    $70, $03, $00, $00, $89, $45, $F4, $C1,
    $E0, $03, $89, $45, $E4, $E8, $62, $03,
    $00, $00, $89, $45, $EC, $E8, $5F, $03,
    $00, $00, $89, $45, $F0, $C1, $E0, $03,
    $89, $45, $E0, $E8, $51, $03, $00, $00,
    $89, $45, $E8, $E8, $4E, $03, $00, $00,
    $89, $45, $B8, $C1, $E0, $03, $89, $45,
    $B4, $E8, $40, $03, $00, $00, $89, $45,
    $B0, $B8, $1F, $00, $00, $00, $E8, $0B,
    $03, $00, $00, $96, $46, $8B, $55, $0C,
    $8B, $45, $FC, $D1, $EA, $73, $0E, $4E,
    $0F, $84, $27, $01, $00, $00, $4E, $0F,
    $84, $2D, $01, $00, $00, $D1, $EA, $73,
    $0E, $4E, $0F, $84, $2F, $01, $00, $00,
    $4E, $0F, $84, $36, $01, $00, $00, $D1,
    $EA, $73, $07, $4E, $0F, $84, $32, $01,
    $00, $00, $D1, $EA, $73, $07, $4E, $0F,
    $84, $47, $01, $00, $00, $D1, $EA, $73,
    $07, $4E, $0F, $84, $41, $01, $00, $00,
    $D1, $EA, $73, $0E, $4E, $0F, $84, $44,
    $01, $00, $00, $4E, $0F, $84, $45, $01,
    $00, $00, $D1, $EA, $73, $0E, $4E, $0F,
    $84, $42, $01, $00, $00, $4E, $0F, $84,
    $4C, $01, $00, $00, $D1, $EA, $73, $0E,
    $4E, $0F, $84, $59, $01, $00, $00, $4E,
    $0F, $84, $5F, $01, $00, $00, $D1, $EA,
    $73, $07, $4E, $0F, $84, $5E, $01, $00,
    $00, $D1, $EA, $73, $07, $4E, $0F, $84,
    $60, $01, $00, $00, $D1, $EA, $73, $07,
    $4E, $0F, $84, $62, $01, $00, $00, $D1,
    $EA, $73, $0E, $4E, $0F, $84, $65, $01,
    $00, $00, $4E, $0F, $84, $6E, $01, $00,
    $00, $D1, $EA, $73, $0E, $4E, $0F, $84,
    $70, $01, $00, $00, $4E, $0F, $84, $79,
    $01, $00, $00, $D1, $EA, $73, $0E, $4E,
    $0F, $84, $7F, $01, $00, $00, $4E, $0F,
    $84, $97, $01, $00, $00, $D1, $EA, $73,
    $07, $4E, $0F, $84, $A4, $01, $00, $00,
    $D1, $EA, $73, $07, $4E, $0F, $84, $A0,
    $01, $00, $00, $D1, $EA, $73, $07, $4E,
    $0F, $84, $A3, $01, $00, $00, $D1, $EA,
    $73, $0E, $4E, $0F, $84, $A6, $01, $00,
    $00, $4E, $0F, $84, $B0, $01, $00, $00,
    $D1, $EA, $73, $07, $4E, $0F, $84, $B0,
    $01, $00, $00, $D1, $EA, $73, $0E, $4E,
    $0F, $84, $B7, $01, $00, $00, $4E, $0F,
    $84, $B7, $01, $00, $00, $D1, $EA, $73,
    $07, $4E, $0F, $84, $B3, $01, $00, $00,
    $E9, $BC, $FE, $FF, $FF, $0C, $88, $AA,
    $B0, $C0, $0B, $45, $E4, $0B, $45, $F0,
    $AA, $C3, $0C, $8A, $AA, $B0, $C0, $0B,
    $45, $E0, $0B, $45, $F4, $AA, $C3, $B0,
    $B0, $0B, $45, $F8, $0B, $45, $F0, $AA,
    $E9, $8D, $01, $00, $00, $0C, $C6, $AA,
    $B0, $C0, $EB, $F0, $B0, $0F, $AA, $B0,
    $B6, $0B, $45, $FC, $0B, $45, $D4, $AA,
    $B0, $C0, $0B, $45, $C4, $EB, $D3, $0C,
    $86, $AA, $B0, $C0, $0B, $45, $E0, $0B,
    $45, $E8, $AA, $C3, $0C, $86, $AA, $EB,
    $F1, $B0, $8D, $AA, $B0, $05, $0B, $45,
    $C4, $AA, $E9, $59, $01, $00, $00, $0C,
    $00, $0B, $45, $CC, $AA, $EB, $99, $0C,
    $02, $0B, $45, $CC, $AA, $EB, $9E, $0C,
    $80, $AA, $B0, $C0, $0B, $45, $CC, $0B,
    $45, $F0, $AA, $E9, $32, $01, $00, $00,
    $F7, $45, $14, $01, $00, $00, $00, $0F,
    $84, $2C, $FE, $FF, $FF, $0C, $04, $0B,
    $45, $CC, $AA, $E9, $1A, $01, $00, $00,
    $0C, $FE, $AA, $B0, $C0, $0B, $45, $D4,
    $E9, $60, $FF, $FF, $FF, $B0, $40, $0B,
    $45, $D4, $0B, $45, $C8, $AA, $C3, $0C,
    $F6, $AA, $B0, $D0, $0B, $45, $D4, $E9,
    $49, $FF, $FF, $FF, $0C, $84, $AA, $B0,
    $C0, $0B, $45, $B4, $0B, $45, $B0, $AA,
    $C3, $0C, $F6, $AA, $B0, $C0, $0B, $45,
    $B8, $AA, $E9, $DB, $00, $00, $00, $B0,
    $0F, $AA, $B0, $AF, $AA, $B0, $C0, $0B,
    $45, $C4, $0B, $45, $C0, $AA, $C3, $B0,
    $69, $AA, $E8, $EE, $FF, $FF, $FF, $E9,
    $C4, $00, $00, $00, $0C, $D0, $0B, $45,
    $D8, $AA, $B0, $C0, $0B, $45, $CC, $0B,
    $45, $F0, $AA, $C3, $0C, $C0, $AA, $B0,
    $C0, $0B, $45, $CC, $0B, $45, $F0, $AA,
    $E9, $AD, $00, $00, $00, $B0, $0F, $AA,
    $B0, $A4, $0B, $45, $D4, $AA, $B0, $C0,
    $E8, $05, $00, $00, $00, $E9, $98, $00,
    $00, $00, $B0, $C0, $0B, $45, $BC, $0B,
    $45, $C8, $AA, $C3, $F7, $45, $10, $02,
    $00, $00, $00, $0F, $84, $78, $FD, $FF,
    $FF, $B0, $0F, $AA, $B0, $A5, $0B, $45,
    $D4, $AA, $EB, $DE, $B0, $0F, $AA, $B0,
    $C8, $EB, $DC, $B0, $0F, $AA, $B0, $C0,
    $0B, $45, $FC, $AA, $E9, $E1, $FE, $FF,
    $FF, $B0, $0F, $AA, $B0, $BC, $0B, $45,
    $DC, $AA, $E9, $6E, $FF, $FF, $FF, $B0,
    $0F, $AA, $B0, $BA, $AA, $B0, $E0, $0B,
    $45, $D0, $0B, $45, $C8, $AA, $EB, $42,
    $B0, $0F, $AA, $B0, $A3, $0B, $45, $D0,
    $AA, $EB, $9F, $66, $B8, $EB, $01, $66,
    $AB, $B8, $00, $01, $00, $00, $E8, $33,
    $00, $00, $00, $AA, $C3, $B0, $26, $0B,
    $45, $D0, $AA, $C3, $B0, $64, $0B, $45,
    $DC, $AA, $C3, $B0, $F2, $0B, $45, $DC,
    $AA, $C3, $83, $7D, $FC, $00, $74, $0A,
    $E8, $00, $00, $00, $00, $E8, $00, $00,
    $00, $00, $B8, $00, $01, $00, $00, $E8,
    $02, $00, $00, $00, $AA, $C3, $60, $50,
    $FF, $75, $08, $FF, $55, $28, $83, $C4,
    $08, $89, $44, $24, $1C, $61, $0B, $C0,
    $C3, $B8, $08, $00, $00, $00, $E8, $E3,
    $FF, $FF, $FF, $C3, $8B, $55, $10, $EB,
    $0D, $8B, $55, $14, $EB, $08, $8B, $55,
    $10, $0B, $55, $14, $EB, $00, $E8, $DE,
    $FF, $FF, $FF, $8B, $C8, $83, $7D, $FC,
    $00, $75, $03, $83, $E1, $03, $0F, $A3,
    $CA, $73, $EB, $C3);

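var randseed: DWORD; // LCG state; Junk re-seeds it from GetTickCount on every call

{ The generator relies on 32-bit wraparound of randseed * 214013 + 2531011.
  With overflow checking enabled ({$Q+}, common in debug builds) that multiply
  raises EIntOverflow on the first call, so checking is switched off locally
  and restored afterwards. }
{$IFOPT Q+}{$DEFINE UJUNKIT_RESTORE_Q}{$Q-}{$ENDIF}
{ Random callback handed to the ETG engine (see TRandomFunc).
  userdata - unused; present only to satisfy the callback signature
  range    - exclusive upper bound of the result
  Returns randseed mod range after advancing the generator, or 0 without
  touching randseed when range is 0.
  The constants are the ones of the MSVC CRT rand() LCG.  Because the modulus
  is 2^32, the low-order bits have very short periods, so "mod range" for
  small or power-of-two ranges yields little variety -- fine for junk code,
  not suitable for anything that needs unpredictable values.
  randseed is unit-global, so this function is not reentrant. }
function MyRandom(userdata, range: DWORD): DWORD; cdecl;
begin
  if range = 0 then
    result := 0
  else
  begin
    randseed := randseed * 214013 + 2531011; // wraps mod 2^32 ({$Q-} above)
    result := randseed mod range;
  end;
end;
{$IFDEF UJUNKIT_RESTORE_Q}{$Q+}{$UNDEF UJUNKIT_RESTORE_Q}{$ENDIF}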

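{ Fills buf with up to ncmds random junk instructions via the ETG engine and
  terminates them with a RET ($C3).  osizeptr receives the total number of
  bytes written, RET included; it is 0 when buf is nil or bufsize is 0.
  The last byte of buf is reserved for the RET, so the engine is only offered
  bufsize - 1 bytes; this assumes the engine honours its bufsize argument as
  an upper bound ("max size of buffer" in TETG_Engine) -- not verified here.
  randseed is re-seeded from GetTickCount on every call, so two calls within
  the same tick produce the same junk; the unit-global state also makes this
  procedure non-reentrant. }
procedure Junk(user_param, cmd_avail, regsrcavail,
  regdstavail: DWORD; out osizeptr: DWORD; ncmds, bufsize: DWORD;
  buf: Pointer);
begin
  osizeptr := 0;
  // Without a buffer not even the RET can be stored.
  if (buf = nil) or (bufsize = 0) then
    Exit;
  randseed := GetTickCount;
  // Offer one byte less than we have so the RET below can never land at
  // buf[bufsize] (one past the end).
  TETG_Engine(@ETG_bin)(user_param, cmd_avail, regsrcavail, regdstavail,
    osizeptr, ncmds, bufsize - 1, buf, MyRandom);
  PAnsiChar(buf)[osizeptr] := #$C3; {ret}
  inc(osizeptr);
end;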
Ich war ehrlich gesagt etwas faul und habe nicht den Assemblercode (Quelle: ETG 2.00 engine) übersetzt, sondern nur das beiliegende C-Beispiel umgesetzt.
Soweit erzeugt die Anwendung recht brauchbaren Datenmüll, wenn ich sie wie folgt aufrufe:
var
buf: Array[0..2000] of byte; // output buffer for the generated junk

// "bufsize" here is a DWORD variable declared elsewhere (not shown); it
// receives the generated length (Junk's osizeptr), so after the call
// buf[bufsize - 1] holds the trailing RET that Junk appends.
Junk(
0,                  // user_param
ETG_ALL,            // cmd_avail: every instruction class
REG_ALL,            // regsrcavail: all registers except ESP
REG_EAX or REG_EBX, // regdstavail: only EAX and EBX may be written
bufsize,            // osizeptr (out): bytes generated, RET included
1000,               // ncmds: upper bound on generated instructions
sizeof(buf),        // bufsize: capacity of buf
@buf);              // buf

Damit man den Code auch per call aufrufen kann, sollte am Ende des Puffers, also bei buf[bufsize], noch ein $C3 (ret) angehängt werden.
Mein Problem ist jedoch Folgendes: Wenn ich innerhalb meiner Anwendung etwas wie folgt mache:

db $90,$90...$90

und mit meinem Patchtool in der Exe die NOPs durch den Junkcode ersetze, müsste ich doch die Register vorher sichern und hinterher manuell wiederherstellen, oder? Ein einfaches pusha/popa reicht in dem Fall jedoch nicht. Hat da jemand eventuell eine Idee?

Peter