请问Flash文件加入资源后能不能用内存流的方式播放,而不用临时文件? ( 积分: 100 )

  • 主题发起人 主题发起人 Avalon
  • 开始时间 开始时间
我这里有些资料,你看看吧
在内存中直接运行exe而不用磁盘文件做参数---一个很有意思的问题
关于这个问题,可能大家摸的方向不对.实际上,你不一定要用资源.用流即可.当然,你要重组节内容.大概步骤如下:根据你要运行的EXE,计算出新头,然后重新写DOS头和节表即可,这样一来运行的时候,不用释放出来,直接跳到该地址即可.
第一步:计算节表并填充新的EXE头
if Key<>nil then

begin

GenerateKey(Key,KeySize);

ZeroMemory(@DosHeader,SizeOf(DosHeader));
ZeroMemory(@NtHeaders,SizeOf(NtHeaders));
ZeroMemory(@DosStubEnd,SizeOf(DosStubEnd));
if not Quiet then
WriteLn(#$0D#$0A'Buildingdo
S header ...');
do
sHeader.e_magic:=PWord(PChar('MZ'))^;
do
sHeader.e_cblp:=$0050;
do
sHeader.e_cp:=$0002;
do
sHeader.e_cparhdr:=$0004;
do
sHeader.e_minalloc:=$000F;
do
sHeader.e_maxalloc:=$FFFF;
do
sHeader.e_sp:=$00B8;
do
sHeader.e_lfarlc:=$0040;
do
sHeader.e_ovno:=$001A;
do
sHeader._lfanew:=$0100;

if not Quiet then
WriteLn('Building NT headers ...');
NtHeaders.Signature:=PCardinal(PChar('PE'))^;
NtHeaders.FileHeader.Machine:=IMAGE_FILE_MACHINE_I386;
NtHeaders.FileHeader.NumberOfSections:=3;
if TlsSectionPresent then
Inc(NtHeaders.FileHeader.NumberOfSections);
if not Quiet then
WriteLn('Number of sections: ',NtHeaders.FileHeader.NumberOfSections);
NtHeaders.FileHeader.TimeDateStamp:=Random($20000000)+$20000000;
NtHeaders.FileHeader.SizeOfOptionalHeader:=IMAGE_SIZEOF_NT_OPTIONAL_HEADER;
NtHeaders.FileHeader.Characteristics:=IMAGE_FILE_EXECUTABLE_IMAGE or IMAGE_FILE_LINE_NUMS_STRIPPED
or IMAGE_FILE_LOCAL_SYMS_STRIPPED or IMAGE_FILE_LINE_NUMS_STRIPPED
or IMAGE_FILE_BYTES_REVERSED_LO or IMAGE_FILE_32BIT_MACHINE
or IMAGE_FILE_BYTES_REVERSED_HI;

NtHeaders.OptionalHeader.Magic:=IMAGE_NT_OPTIONAL_HDR_MAGIC;
NtHeaders.OptionalHeader.MajorLinkerVersion:=Random(9)+1;
NtHeaders.OptionalHeader.MinorLinkerVersion:=Random(99)+1;
NtHeaders.OptionalHeader.SizeOfCode:=$00001000;
//may change
NtHeaders.OptionalHeader.BaseOfCode:=$00001000;
//may change
if ReqImageBase<>0 then
NtHeaders.OptionalHeader.ImageBase:=RoundSize(ReqImageBase,$00010000)
else
if HostImageBase=$00400000 then
NtHeaders.OptionalHeader.ImageBase:=RoundSize(HostImageBase+HostSizeOfImage+$00100000,$00010000)
else
NtHeaders.OptionalHeader.ImageBase:=$00400000;
if not Quiet then
WriteLn('ImageBase: ',IntToHex(NtHeaders.OptionalHeader.ImageBase,8));
NtHeaders.OptionalHeader.SectionAlignment:=$00001000;
NtHeaders.OptionalHeader.FileAlignment:=$00000200;
//may change
NtHeaders.OptionalHeader.MajorOperatingSystemVersion:=$0004;
NtHeaders.OptionalHeader.MajorSubsystemVersion:=$0004;
NtHeaders.OptionalHeader.SizeOfHeaders:=$00000400;
//may change
NtHeaders.OptionalHeader.Subsystem:=HostSubsystem;
NtHeaders.OptionalHeader.SizeOfStackReserve:=$00100000;
NtHeaders.OptionalHeader.SizeOfStackCommit:=$00010000;
//may change
NtHeaders.OptionalHeader.SizeOfHeapReserve:=$00100000;
NtHeaders.OptionalHeader.SizeOfHeapCommit:=$00010000;
NtHeaders.OptionalHeader.NumberOfRvaAndSizes:=$00000010;

if not Quiet then
WriteLn(#$0D#$0A'Building .text section');
ZeroMemory(@CodeSection,SizeOf(CodeSection));
CopyMemory(@CodeSection.Name,PChar('.text'),5);
//may change -> CODE
CodeSection.Misc.VirtualSize:=$00001000;
//should change
CodeSection.VirtualAddress:=NtHeaders.OptionalHeader.BaseOfCode;
CodeSection.SizeOfRawData:=$00001000;
CodeSection.PointerToRawData:=NtHeaders.OptionalHeader.SizeOfHeaders;
CodeSection.Characteristics:=IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_WRITE or IMAGE_SCN_MEM_READ;
if not Quiet then

begin

WriteLn('.text section virtual address: ',IntToHex(CodeSection.VirtualAddress,8));
WriteLn('.text section virtual size: ',IntToHex(CodeSection.Misc.VirtualSize,8));
WriteLn(#$0D#$0A'Building .data section');
end;


ZeroMemory(@DataSection,SizeOf(DataSection));
CopyMemory(@DataSection.Name,PChar('.data'),5);
//may change -> DATA
DataSection.Misc.VirtualSize:=RoundSize(MainSize,NtHeaders.OptionalHeader.SectionAlignment);
DataSection.VirtualAddress:=CodeSection.VirtualAddress+CodeSection.Misc.VirtualSize;
DataSection.SizeOfRawData:=RoundSize(MainSize,RawDataAlignment);
DataSection.PointerToRawData:=CodeSection.PointerToRawData+CodeSection.SizeOfRawData;
DataSection.Characteristics:=IMAGE_SCN_CNT_INITIALIZED_DATA or IMAGE_SCN_MEM_WRITE or IMAGE_SCN_MEM_READ;

NtHeaders.OptionalHeader.SizeOfInitializedData:=DataSection.Misc.VirtualSize;
NtHeaders.OptionalHeader.BaseOfData:=DataSection.VirtualAddress;

if not Quiet then

begin

WriteLn('.data section virtual address: ',IntToHex(DataSection.VirtualAddress,8));
WriteLn('.data section virtual size: ',IntToHex(DataSection.Misc.VirtualSize,8));
WriteLn(#$0D#$0A'Building .idata section');
end;


NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress:=DataSection.VirtualAddress+DataSection.Misc.VirtualSize;
//may change
NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size:=NtHeaders.OptionalHeader.SectionAlignment;

ZeroMemory(@ImportSection,SizeOf(ImportSection));
CopyMemory(@ImportSection.Name,PChar('.idata'),6);
ImportSection.Misc.VirtualSize:=NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
ImportSection.VirtualAddress:=NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
ImportSection.SizeOfRawData:=RoundSize($00000070,RawDataAlignment);
ImportSection.PointerToRawData:=DataSection.PointerToRawData+DataSection.SizeOfRawData;
ImportSection.Characteristics:=IMAGE_SCN_CNT_CODE or IMAGE_SCN_CNT_INITIALIZED_DATA or IMAGE_SCN_MEM_WRITE or IMAGE_SCN_MEM_READ;

if not Quiet then

begin

WriteLn('.idata section virtual address: ',IntToHex(DataSection.VirtualAddress,8));
WriteLn('.idata section virtual size: ',IntToHex(DataSection.Misc.VirtualSize,8));
end;

// .tls Section
if TlsSectionPresent then

begin

if not Quiet then
WriteLn(#$0D#$0A'Building .tls section');
TlsCopy.Directory:=@PImageNtHeaders(Ptr)^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS];
PB:=VirtAddrToPhysAddr(Ptr,Pointer(TlsCopy.Directory.VirtualAddress+PImageNtHeaders(Ptr)^.OptionalHeader.ImageBase));
if PB<>nil then
Inc(PB,Cardinal(MainData));
TlsCopy.SectionData:=Pointer(PB);
if TlsCopy.SectionData<>nil then

begin

TlsCopy.RawDataLen:=TlsCopy.SectionData^.RawDataEnd-TlsCopy.SectionData^.RawDataStart;
TlsCopy.RawData:=Pointer(LocalAlloc(LMEM_FIXED,TlsCopy.RawDataLen));

PB:=VirtAddrToPhysAddr(Ptr,Pointer(TlsCopy.SectionData^.RawDataStart));
if PB<>nil then

begin

Inc(PB,Cardinal(MainData));
CopyMemory(TlsCopy.RawData,PB,TlsCopy.RawDataLen);
end else
ZeroMemory(TlsCopy.RawData,TlsCopy.RawDataLen);

PB:=VirtAddrToPhysAddr(Ptr,Pointer(TlsCopy.SectionData^.AddressOfCallbacks));
if PB=nil then

begin

TlsCopy.CallbacksLen:=4;
TlsCopy.Callbacks:=Pointer(LocalAlloc(LMEM_FIXED,TlsCopy.CallbacksLen));
ZeroMemory(TlsCopy.Callbacks,TlsCopy.CallbacksLen);
end else

begin

Inc(PB,Cardinal(MainData));
TlsCopy.CallbacksLen:=GetTlsCallbacksLen(PB);
TlsCopy.Callbacks:=Pointer(LocalAlloc(LMEM_FIXED,TlsCopy.CallbacksLen));
CopyMemory(TlsCopy.Callbacks,PB,TlsCopy.CallbacksLen);
end;


ZeroMemory(@TlsSection,SizeOf(TlsSection));
CopyMemory(@TlsSection.Name,PChar('.tls'),4);
TlsSection.VirtualAddress:=ImportSection.VirtualAddress+ImportSection.Misc.VirtualSize;
TlsSection.PointerToRawData:=ImportSection.PointerToRawData+ImportSection.SizeOfRawData;
TlsSection.Characteristics:=IMAGE_SCN_MEM_WRITE or IMAGE_SCN_MEM_READ;

ZeroMemory(@TlsSectionData,SizeOf(TlsSectionData));
TlsSectionData.RawDataStart:=NtHeaders.OptionalHeader.ImageBase+TlsSection.VirtualAddress+RoundSize(SizeOf(TlsSectionData),$10);
TlsSectionData.RawDataEnd:=TlsSectionData.RawDataStart+TlsCopy.RawDataLen;
TlsSectionData.AddressOfCallbacks:=RoundSize(TlsSectionData.RawDataEnd,$10);
TlsSectionData.AddressOfIndex:=RoundSize(TlsSectionData.AddressOfCallbacks+TlsCopy.CallbacksLen,$08);

TlsSection.SizeOfRawData:=RoundSize(TlsSectionData.AddressOfIndex-TlsSection.VirtualAddress-NtHeaders.OptionalHeader.ImageBase+$10,RawDataAlignment);
TlsSection.Misc.VirtualSize:=RoundSize(TlsSection.SizeOfRawData,NtHeaders.OptionalHeader.SectionAlignment);

NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress:=ImportSection.VirtualAddress+ImportSection.Misc.VirtualSize;
//may change
NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size:=TlsSection.SizeOfRawData;
end else
TlsSectionPresent:=False;
end;


if not Quiet then

begin

WriteLn('.tls section virtual address: ',IntToHex(TlsSection.VirtualAddress,8));
WriteLn('.tls section virtual size: ',IntToHex(TlsSection.Misc.VirtualSize,8));
if not TlsSectionPresent then
WriteLn('.tls section is invalid, new executable may not work');
end;


if TlsSectionPresent then
NtHeaders.OptionalHeader.SizeOfImage:=TlsSection.VirtualAddress+TlsSection.Misc.VirtualSize
else
NtHeaders.OptionalHeader.SizeOfImage:=ImportSection.VirtualAddress+ImportSection.Misc.VirtualSize;

if not Quiet then
WriteLn(#$0D#$0A'Building import descriptor ...');
ZeroMemory(@ImportDesc,SizeOf(ImportDesc));
ImportDesc.Characteristics:=ImportSection.VirtualAddress+(NumberOfDLL+1)*SizeOf(ImportDesc);
ImportDesc.cName:=ImportSection.VirtualAddress+(NumberOfDLL+1)*SizeOf(ImportDesc)+(NumberOfImports+1)*SizeOf(TImageThunkData)*2;
ImportDesc.cFirstThunk:=Pointer(ImportDesc.Characteristics+(NumberOfImports+1)*SizeOf(TImageThunkData));

ThunkGetProcAddress.Ordinal:=ImportSection.VirtualAddress+(NumberOfDLL+1)*SizeOf(ImportDesc)+(NumberOfImports+1)*SizeOf(TImageThunkData)*2+Kernel32Size+2;
ThunkLoadLibrary.Ordinal:=ThunkGetProcAddress.Ordinal+GetProcAddressSize+2+2;

ZeroMemory(@NullDesc,SizeOf(NullDesc));
.......

其中可能用到的函数为:

procedure GenerateInitCode(ACodePtr,AKeyPtr,AData1Ptr,ASize1,AData2Ptr,ASize2,ADynLoadAddr,AGetProcAddrImpAddr,ALoadLibImpAddr,AMainPtr:Cardinal);
//this is the POLY-decoder and loader
//see the end of this function to know what it finallydo
es
//don't forget to fixup pointers of some instructions
//add more variants for each instruction if you think antivirus still get this
var
LInitInstr:array[0..InitInstrCount-1] of TVarInstruction;
LI:Integer;
LVirtAddr,LRubbishSize,LDelta,LDelta2,LRemaining,LCodeStart,LPtrAddr:Cardinal;
LPB:PByte;
begin

ZeroMemory(@LInitInstr,SizeOf(LInitInstr));
//call somewhere to get eip
LInitInstr[00].Count:=1;
LInitInstr[00].Vars[0].Len:=5;
LInitInstr[00].Vars[0].Code:=#$E8#$78#$56#$34#$12;
//call 0WWXXYYZZh

//eip to ebx
LInitInstr[01].Count:=5;
LInitInstr[01].Vars[0].Len:=1;
LInitInstr[01].Vars[0].Code:=#$5B;
//pop ebx
LInitInstr[01].Vars[1].Len:=3;
LInitInstr[01].Vars[1].Code:=#$8B#$1C#$24;
//mov ebx,[esp]
LInitInstr[01].Vars[2].Len:=3;
LInitInstr[01].Vars[2].Code:=#$58 //pop eax
+#$8B#$D8;
//mov ebx,eax
LInitInstr[01].Vars[3].Len:=5;
LInitInstr[01].Vars[3].Code:=#$8B#$14#$24 //mov edx,[esp]
+#$87#$DA;
//xchg ebx,edx
LInitInstr[01].Vars[4].Len:=7;
LInitInstr[01].Vars[4].Code:=#$8B#$F4 //mov esi,esp
+#$AD //lodsd
+#$33#$DB //xor ebx,ebx
+#$33#$D8;
//xor ebx,eax

//ebx - offset = image base
LInitInstr[02].Count:=4;
LInitInstr[02].Vars[0].Len:=6;
LInitInstr[02].Vars[0].Code:=#$81#$EB#$78#$56#$34#$12;
//sub ebx,0WWXXYYZZh
LInitInstr[02].Vars[1].Len:=8;
LInitInstr[02].Vars[1].Code:=#$B9#$78#$56#$34#$12 //mov ecx,0WWXXYYZZh
+#$4B //dec ebx
+#$E2#$FD;
//loop Code
LInitInstr[02].Vars[2].Len:=16;
LInitInstr[02].Vars[2].Code:=#$66#$B8#$34#$12 //mov ax,0WWXXh
+#$66#$B9#$78#$56 //mov cx,0YYZZh
+#$C1#$E0#$10 //shl eax,010h
+#$66#$33#$C1 //xor ax,cx
+#$2B#$D8;
//sub ebx,eax
LInitInstr[02].Vars[3].Len:=9;
LInitInstr[02].Vars[3].Code:=#$53 //push ebx
+#$81#$2C#$24#$78#$56#$34#$12 //sub [esp],0WWXXYYZZh
+#$5B;
//pop ebx

//image base to eax
LInitInstr[03].Count:=4;
LInitInstr[03].Vars[0].Len:=2;
LInitInstr[03].Vars[0].Code:=#$8B#$C3;
//mov eax,ebx
LInitInstr[03].Vars[1].Len:=2;
LInitInstr[03].Vars[1].Code:=#$53 //push ebx
+#$58;
//pop eax
LInitInstr[03].Vars[2].Len:=3;
LInitInstr[03].Vars[2].Code:=#$53 //push ebx
+#$93 //xchg ebx,eax
+#$5B;
//pop ebx
LInitInstr[03].Vars[3].Len:=5;
LInitInstr[03].Vars[3].Code:=#$52 //push edx
+#$89#$1C#$24 //mov [esp],ebsx
+#$58;
//pop eax

//image base to edi
LInitInstr[04].Count:=4;
LInitInstr[04].Vars[0].Len:=2;
LInitInstr[04].Vars[0].Code:=#$8B#$FB;
//mov edi,ebx
LInitInstr[04].Vars[1].Len:=2;
LInitInstr[04].Vars[1].Code:=#$53 //push ebx
+#$5F;
//pop edi
LInitInstr[04].Vars[2].Len:=4;
LInitInstr[04].Vars[2].Code:=#$53 //push ebx
+#$87#$DF //xchg ebx,edi
+#$5B;
//pop ebx
LInitInstr[04].Vars[3].Len:=2;
LInitInstr[04].Vars[3].Code:=#$8D#$3B;
//lea edi,[ebx]

//edi + key addr = ptr on key
LInitInstr[05].Count:=4;
LInitInstr[05].Vars[0].Len:=6;
LInitInstr[05].Vars[0].Code:=#$81#$C7#$78#$56#$34#$12;
//add edi,0WWXXYYZZh
LInitInstr[05].Vars[1].Len:=7;
LInitInstr[05].Vars[1].Code:=#$BA#$78#$56#$34#$12 //mov edx,0WWXXYYZZh
+#$03#$FA;
//add edi,edx
LInitInstr[05].Vars[2].Len:=8;
LInitInstr[05].Vars[2].Code:=#$68#$78#$56#$34#$12 //push 0WWXXYYZZh
+#$03#$3C#$24;
//add esi,[esp]
LInitInstr[05].Vars[3].Len:=9;
LInitInstr[05].Vars[3].Code:=#$57 //push edi
+#$BF#$78#$56#$34#$12 //mov edi,0WWXXYYZZh
+#$5A //pop edx
+#$03#$FA;
//add edi,edx

//edi = key on stack
LInitInstr[06].Count:=4;
LInitInstr[06].Vars[0].Len:=1;
LInitInstr[06].Vars[0].Code:=#$57;
//push edi
LInitInstr[06].Vars[1].Len:=4;
LInitInstr[06].Vars[1].Code:=#$53 //push ebx
+#$89#$3C#$24;
//mov [esp],edi
LInitInstr[06].Vars[2].Len:=3;
LInitInstr[06].Vars[2].Code:=#$8B#$CF //mov ecx,edi
+#$51;
//push ecx
LInitInstr[06].Vars[3].Len:=5;
LInitInstr[06].Vars[3].Code:=#$6A#$00 //push 000h
+#$31#$3C#$24;
//xor [esp],edi

//eax + data addr = ptr on data
LInitInstr[07].Count:=4;
LInitInstr[07].Vars[0].Len:=5;
LInitInstr[07].Vars[0].Code:=#$05#$78#$56#$34#$12;
//add eax,0WWXXYYZZh
LInitInstr[07].Vars[1].Len:=7;
LInitInstr[07].Vars[1].Code:=#$BA#$78#$56#$34#$12 //mov edx,0WWXXYYZZh
+#$03#$C2;
//add eax,edx
LInitInstr[07].Vars[2].Len:=9;
LInitInstr[07].Vars[2].Code:=#$68#$78#$56#$34#$12 //push 0WWXXYYZZh
+#$03#$04#$24 //add eax,[esp]
+#$5A;
//pop edx
LInitInstr[07].Vars[3].Len:=6;
LInitInstr[07].Vars[3].Code:=#$8D#$80#$78#$56#$34#$12;
//lea eax,[eax+0WWXXYYZZh]

//size on stack
LInitInstr[08].Count:=4;
LInitInstr[08].Vars[0].Len:=5;
LInitInstr[08].Vars[0].Code:=#$68#$78#$56#$34#$12;
//push 0WWXXYYZZh
LInitInstr[08].Vars[1].Len:=6;
LInitInstr[08].Vars[1].Code:=#$BD#$78#$56#$34#$12 //mov ebp,0WWXXYYZZh
+#$55;
//push ebp
LInitInstr[08].Vars[2].Len:=9;
LInitInstr[08].Vars[2].Code:=#$6A#$00 //push 000h
+#$81#$04#$24#$78#$56#$34#$12;
//add [esp],0WWXXYYZZh
LInitInstr[08].Vars[3].Len:=9;
LInitInstr[08].Vars[3].Code:=#$33#$C9 //xor ecx,ecx
+#$81#$C1#$78#$56#$34#$12 //add ecx,0WWXXYYZZh
+#$51;
//push ecx
//eax = addr on stack
LInitInstr[09].Count:=4;
LInitInstr[09].Vars[0].Len:=1;
LInitInstr[09].Vars[0].Code:=#$50;
//push eax
LInitInstr[09].Vars[1].Len:=4;
LInitInstr[09].Vars[1].Code:=#$51 //push ecx
+#$89#$04#$24;
//mov [esp],eax
LInitInstr[09].Vars[2].Len:=3;
LInitInstr[09].Vars[2].Code:=#$8B#$E8 //mov ebp,eax
+#$55;
//push ebp
LInitInstr[09].Vars[3].Len:=9;
LInitInstr[09].Vars[3].Code:=#$6A#$21 //push 021h
+#$31#$04#$24 //xor [esp],eax
+#$83#$34#$24#$21;
//xor [esp],021h

//call @Coder
LInitInstr[10].Count:=1;
LInitInstr[10].Vars[0].Len:=5;
LInitInstr[10].Vars[0].Code:=#$E8#$78#$56#$34#$12;
//call 0WWXXYYZZh

//image base to eax
LInitInstr[11].Count:=4;
LInitInstr[11].Vars[0].Len:=2;
LInitInstr[11].Vars[0].Code:=#$8B#$C3;
//mov eax,ebx
LInitInstr[11].Vars[1].Len:=2;
LInitInstr[11].Vars[1].Code:=#$53 //push ebx
+#$58;
//pop eax
LInitInstr[11].Vars[2].Len:=4;
LInitInstr[11].Vars[2].Code:=#$8B#$CB //mov ecx,ebx
+#$8B#$C1;
//mov eax,ecx
LInitInstr[11].Vars[3].Len:=3;
LInitInstr[11].Vars[3].Code:=#$53 //push ebx
+#$93 //xchg ebx,eax
+#$5B;
//pop ebx

//eax + data ptr -> ptr on data
LInitInstr[12].Count:=4;
LInitInstr[12].Vars[0].Len:=5;
LInitInstr[12].Vars[0].Code:=#$05#$78#$56#$34#$12;
//add eax,012345678h
LInitInstr[12].Vars[1].Len:=7;
LInitInstr[12].Vars[1].Code:=#$B9#$78#$56#$34#$12 //mov ecx,012345678h
+#$03#$C1;
//add eax,ecx
LInitInstr[12].Vars[2].Len:=11;
LInitInstr[12].Vars[2].Code:=#$68#$78#$56#$34#$12 //push 012345678h
+#$03#$04#$24 //add eax,[esp]
+#$83#$C4#$04;
//add esp,004h
LInitInstr[12].Vars[3].Len:=9;
LInitInstr[12].Vars[3].Code:=#$50 //push eax
+#$81#$04#$24#$78#$56#$34#$12 //add [esp],012345678h
+#$58;
//pop eax

//edi = key on stack
LInitInstr[13].Count:=4;
LInitInstr[13].Vars[0].Len:=1;
LInitInstr[13].Vars[0].Code:=#$57;
//push edi
LInitInstr[13].Vars[1].Len:=4;
LInitInstr[13].Vars[1].Code:=#$53 //push ebx
+#$89#$3C#$24;
//mov [esp],edi
LInitInstr[13].Vars[2].Len:=3;
LInitInstr[13].Vars[2].Code:=#$8B#$CF //mov ecx,edi
+#$51;
//push ecx
LInitInstr[13].Vars[3].Len:=5;
LInitInstr[13].Vars[3].Code:=#$6A#$00 //push 000h
+#$31#$3C#$24;
//xor [esp],edi

//size on stack
LInitInstr[14].Count:=5;
LInitInstr[14].Vars[0].Len:=5;
LInitInstr[14].Vars[0].Code:=#$68#$78#$56#$34#$12;
//push 0WWXXYYZZh
LInitInstr[14].Vars[1].Len:=6;
LInitInstr[14].Vars[1].Code:=#$BD#$78#$56#$34#$12 //mov ebp,0WWXXYYZZh
+#$55;
//push ebp
LInitInstr[14].Vars[2].Len:=9;
LInitInstr[14].Vars[2].Code:=#$6A#$00 //push 000h
+#$81#$04#$24#$78#$56#$34#$12;
//add [esp],0WWXXYYZZh
LInitInstr[14].Vars[3].Len:=9;
LInitInstr[14].Vars[3].Code:=#$33#$C9 //xor ecx,ecx
+#$81#$C1#$78#$56#$34#$12 //add ecx,0WWXXYYZZh
+#$51;
//push ecx
LInitInstr[14].Vars[4].Len:=9;
LInitInstr[14].Vars[4].Code:=#$6A#$00 //push 000h
+#$81#$34#$24#$78#$56#$34#$12;
//xor [esp],0WWXXYYZZh

//eax = addr on stack
LInitInstr[15].Count:=4;
LInitInstr[15].Vars[0].Len:=1;
LInitInstr[15].Vars[0].Code:=#$50;
//push eax
LInitInstr[15].Vars[1].Len:=4;
LInitInstr[15].Vars[1].Code:=#$51 //push ecx
+#$89#$04#$24;
//mov [esp],eax
LInitInstr[15].Vars[2].Len:=3;
LInitInstr[15].Vars[2].Code:=#$8B#$E8 //mov ebp,eax
+#$55;
//push ebp
LInitInstr[15].Vars[3].Len:=9;
LInitInstr[15].Vars[3].Code:=#$6A#$21 //push 021h
+#$31#$04#$24 //xor [esp],eax
+#$83#$34#$24#$21;
//xor [esp],021h

//call @Coder
LInitInstr[16].Count:=1;
LInitInstr[16].Vars[0].Len:=5;
LInitInstr[16].Vars[0].Code:=#$E8#$78#$56#$34#$12;
//call 0WWXXYYZZh

//call @DynLoader
LInitInstr[17].Count:=1;
LInitInstr[17].Vars[0].Len:=5;
LInitInstr[17].Vars[0].Code:=#$E8#$78#$56#$34#$12;
//call 0WWXXYYZZh

//ret
LInitInstr[18].Count:=4;
LInitInstr[18].Vars[0].Len:=1;
LInitInstr[18].Vars[0].Code:=#$C3;
//ret
LInitInstr[18].Vars[1].Len:=3;
LInitInstr[18].Vars[1].Code:=#$58 //pop eax
+#$FF#$E0;
//jmp eax
LInitInstr[18].Vars[2].Len:=7;
LInitInstr[18].Vars[2].Code:=#$83#$C4#$04 //add esp,004h
+#$FF#$64#$24#$FC;
//jmp [esp-004h]
LInitInstr[18].Vars[3].Len:=7;
LInitInstr[18].Vars[3].Code:=#$8B#$04#$24 //mov eax,[esp]
+#$50 //push eax
+#$C2#$04#$00;
//ret 004h

//@Coder_begin

//save edi on stack
LInitInstr[19].Count:=4;
LInitInstr[19].Vars[0].Len:=1;
LInitInstr[19].Vars[0].Code:=#$57;
//push edi
LInitInstr[19].Vars[1].Len:=4;
LInitInstr[19].Vars[1].Code:=#$53 //push ebx
+#$89#$3C#$24;
//mov [esp],edi
LInitInstr[19].Vars[2].Len:=3;
LInitInstr[19].Vars[2].Code:=#$8B#$CF //mov ecx,edi
+#$51;
//push ecx
LInitInstr[19].Vars[3].Len:=5;
LInitInstr[19].Vars[3].Code:=#$6A#$00 //push 000h
+#$31#$3C#$24;
//xor [esp],edi

//AAddr -> edi
LInitInstr[20].Count:=4;
LInitInstr[20].Vars[0].Len:=4;
LInitInstr[20].Vars[0].Code:=#$8B#$7C#$24#$08;
//mov edi,[esp+008h]
LInitInstr[20].Vars[1].Len:=6;
LInitInstr[20].Vars[1].Code:=#$8B#$4C#$24#$08 //mov ecx,[esp+008h]
+#$87#$CF;
//xchg ecx,edi
LInitInstr[20].Vars[2].Len:=6;
LInitInstr[20].Vars[2].Code:=#$33#$FF //xor edi,edi
+#$03#$7C#$24#$08;
//add edi,[esp+008h]
LInitInstr[20].Vars[3].Len:=6;
LInitInstr[20].Vars[3].Code:=#$8D#$7C#$24#$08 //lea edi,[esp+008h]
+#$8B#$3F;
//mov edi,[edi]

//ASize -> ecx
LInitInstr[21].Count:=4;
LInitInstr[21].Vars[0].Len:=4;
LInitInstr[21].Vars[0].Code:=#$8B#$4C#$24#$0C;
//mov ecx,[esp+00Ch]
LInitInstr[21].Vars[1].Len:=5;
LInitInstr[21].Vars[1].Code:=#$8B#$44#$24#$0C //mov eax,[esp+00Ch]
+#$91;
//xchg ecx,eax
LInitInstr[21].Vars[2].Len:=7;
LInitInstr[21].Vars[2].Code:=#$6A#$00 //push 000h
+#$59 //pop ecx
+#$03#$4C#$24#$0C;
//add ecx,[esp+00Ch]
LInitInstr[21].Vars[3].Len:=6;
LInitInstr[21].Vars[3].Code:=#$8D#$44#$24#$0C //lea eax,[esp+00Ch]
+#$8B#$08;
//mov ecx,[eax]

//ASize = ASize div 4 -> ecx
LInitInstr[22].Count:=4;
LInitInstr[22].Vars[0].Len:=3;
LInitInstr[22].Vars[0].Code:=#$C1#$E9#$02;
//shr ecx,002h
LInitInstr[22].Vars[1].Len:=4;
LInitInstr[22].Vars[1].Code:=#$D1#$E9 //shr ecx,001h
+#$D1#$E9;
//shr ecx,001h
LInitInstr[22].Vars[2].Len:=10;
LInitInstr[22].Vars[2].Code:=#$8B#$C1 //mov eax,ecx
+#$6A#$04 //push 004h
+#$59 //pop ecx
+#$99 //cdq
+#$F7#$F1 //div ecx
+#$8B#$C8;
//mov ecx,eax
LInitInstr[22].Vars[3].Len:=14;
LInitInstr[22].Vars[3].Code:=#$51 //push ecx
+#$58 //pop eax
+#$48 //dec eax
+#$49 //dec ecx
+#$E2#$FC //loop -2
+#$8B#$C8 //mov ecx,eax
+#$48 //dec eax
+#$49 //dec ecx
+#$E2#$FC //loop -2
+#$8B#$C8;
//mov ecx,eax

//AKey -> esi
LInitInstr[23].Count:=4;
LInitInstr[23].Vars[0].Len:=4;
LInitInstr[23].Vars[0].Code:=#$8B#$74#$24#$10;
//mov esi,[esp+010h]
LInitInstr[23].Vars[1].Len:=5;
LInitInstr[23].Vars[1].Code:=#$8B#$44#$24#$10 //mov eax,[esp+010h]
+#$96;
//xchg esi,eax
LInitInstr[23].Vars[2].Len:=6;
LInitInstr[23].Vars[2].Code:=#$33#$F6 //xor esi,esi
+#$33#$74#$24#$10;
//xor esi,[esp+010h]
LInitInstr[23].Vars[3].Len:=6;
LInitInstr[23].Vars[3].Code:=#$8D#$74#$24#$10 //lea esi,[esp+010h]
+#$8B#$36;
//mov esi,[esi]

//mov eax,[esi]
LInitInstr[24].Count:=4;
LInitInstr[24].Vars[0].Len:=2;
LInitInstr[24].Vars[0].Code:=#$8B#$06;
//mov eax,[esi]
LInitInstr[24].Vars[1].Len:=3;
LInitInstr[24].Vars[1].Code:=#$FF#$36 //push esi
+#$58;
//pop eax
LInitInstr[24].Vars[2].Len:=4;
LInitInstr[24].Vars[2].Code:=#$8D#$06 //lea eax,esi
+#$8B#$00;
//mov eax,[eax]
LInitInstr[24].Vars[3].Len:=4;
LInitInstr[24].Vars[3].Code:=#$33#$C0 //xor eax,eax
+#$03#$06;
//add eax,[esi]

//test eax,0FF000000h
LInitInstr[25].Count:=4;
LInitInstr[25].Vars[0].Len:=5;
LInitInstr[25].Vars[0].Code:=#$A9#$00#$00#$00#$FF;
//test eax,0FF000000h
LInitInstr[25].Vars[1].Len:=6;
LInitInstr[25].Vars[1].Code:=#$F7#$06#$00#$00#$00#$FF;
//test [esi],0FF000000h
LInitInstr[25].Vars[2].Len:=7;
LInitInstr[25].Vars[2].Code:=#$8B#$D0 //mov edx,eax
+#$C1#$EA#$18 //shr edx,018h
+#$85#$D2;
//test edx,edx
LInitInstr[25].Vars[3].Len:=11;
LInitInstr[25].Vars[3].Code:=#$50 //push eax
+#$5A //pop edx
+#$81#$E2#$00#$00#$00#$FF //and edx,0FF000000h
+#$83#$FA#$00;
//cmp edx,000h

//jz @Coder_pre_code
LInitInstr[26].Count:=2;
LInitInstr[26].Vars[0].Len:=6;
LInitInstr[26].Vars[0].Code:=#$0F#$84#$78#$56#$34#$12;
//jz +0XXYYZZWWh
LInitInstr[26].Vars[1].Len:=7;
LInitInstr[26].Vars[1].Code:=#$75#$05 //jnz +5
+#$E9#$78#$56#$34#$12;
//jmp 0XXYYZZWWh

//add eax,[esp+00Ch]
LInitInstr[27].Count:=4;
LInitInstr[27].Vars[0].Len:=4;
LInitInstr[27].Vars[0].Code:=#$03#$44#$24#$08;
//add eax,[esp+00Ch]
LInitInstr[27].Vars[1].Len:=6;
LInitInstr[27].Vars[1].Code:=#$8D#$54#$24#$08 //lea edx,[esp+00Ch]
+#$03#$02;
//add eax,[edx]
LInitInstr[27].Vars[2].Len:=5;
LInitInstr[27].Vars[2].Code:=#$8B#$D4 //mov edx,esp
+#$03#$42#$08;
//add eax,[edx+00Ch]
LInitInstr[27].Vars[3].Len:=8;
LInitInstr[27].Vars[3].Code:=#$FF#$74#$24#$08 //push [esp+00Ch]
+#$03#$04#$24 //add eax,[esp]
+#$5A;
//pop edx

//rol eax,010h
LInitInstr[28].Count:=4;
LInitInstr[28].Vars[0].Len:=3;
LInitInstr[28].Vars[0].Code:=#$C1#$C0#$10;
//rol eax,010h
LInitInstr[28].Vars[1].Len:=3;
LInitInstr[28].Vars[1].Code:=#$C1#$C8#$10;
//ror eax,010h
LInitInstr[28].Vars[2].Len:=11;
LInitInstr[28].Vars[2].Code:=#$8B#$D0 //mov edx,eax
+#$C1#$EA#$10 //shr edx,010h
+#$C1#$E0#$10 //shl eax,010h
+#$66#$8B#$C2;
//mov ax,dx
LInitInstr[28].Vars[3].Len:=12;
LInitInstr[28].Vars[3].Code:=#$66#$50 //push ax
+#$C1#$E8#$10 //shr eax,010h
+#$66#$5A //pop dx
+#$C1#$E2#$10 //shl edx,010h
+#$0B#$C2;
//or eax,edx

//add eax,[esp+010h]
LInitInstr[29].Count:=4;
LInitInstr[29].Vars[0].Len:=4;
LInitInstr[29].Vars[0].Code:=#$03#$44#$24#$10;
//add eax,[esp+010h]
LInitInstr[29].Vars[1].Len:=7;
LInitInstr[29].Vars[1].Code:=#$8D#$6C#$24#$10 //lea ebp,[esp+010h]
+#$03#$45#$00;
//add eax,[ebp+010h]
LInitInstr[29].Vars[2].Len:=5;
LInitInstr[29].Vars[2].Code:=#$8B#$D4 //mov edx,esp
+#$03#$42#$10;
//add eax,[edx+010h]
LInitInstr[29].Vars[3].Len:=8;
LInitInstr[29].Vars[3].Code:=#$FF#$74#$24#$10 //push [esp+00Ch]
+#$03#$04#$24 //add eax,[esp]
+#$5A;
//pop edx

//rol eax,004h
LInitInstr[30].Count:=4;
LInitInstr[30].Vars[0].Len:=3;
LInitInstr[30].Vars[0].Code:=#$C1#$C0#$04;
//rol eax,004h
LInitInstr[30].Vars[1].Len:=3;
LInitInstr[30].Vars[1].Code:=#$C1#$C8#$1C;
//ror eax,01Ch
LInitInstr[30].Vars[2].Len:=10;
LInitInstr[30].Vars[2].Code:=#$8B#$D0 //mov edx,eax
+#$C1#$EA#$1C //shr edx,01Ch
+#$C1#$E0#$04 //shl eax,004h
+#$0B#$C2;
//or eax,edx
LInitInstr[30].Vars[3].Len:=11;
LInitInstr[30].Vars[3].Code:=#$50 //push eax
+#$50 //push eax
+#$8B#$44#$24#$03 //mov eax,[esp+003h]
+#$C1#$C8#$04 //ror eax,004h
+#$5A //pop edx
+#$5D;
//pop ebp

//add eax,ecx
LInitInstr[31].Count:=4;
LInitInstr[31].Vars[0].Len:=2;
LInitInstr[31].Vars[0].Code:=#$03#$C1;
//add eax,ecx
LInitInstr[31].Vars[1].Len:=5;
LInitInstr[31].Vars[1].Code:=#$51 //push ecx
+#$03#$04#$24 //add eax,[esp]
+#$5A;
//pop edx
LInitInstr[31].Vars[2].Len:=4;
LInitInstr[31].Vars[2].Code:=#$8B#$E9 //mov ebp,ecx
+#$03#$C5;
//add eax,ebp
LInitInstr[31].Vars[3].Len:=5;
LInitInstr[31].Vars[3].Code:=#$50 //push eax
+#$01#$0C#$24 //add [esp],ecx
+#$58;
//pop eax

//xor eax,[edi]
LInitInstr[32].Count:=4;
LInitInstr[32].Vars[0].Len:=2;
LInitInstr[32].Vars[0].Code:=#$33#$07;
//xor eax,[edi]
LInitInstr[32].Vars[1].Len:=6;
LInitInstr[32].Vars[1].Code:=#$FF#$37 //push [edi]
+#$33#$04#$24 //xor eax,[esp]
+#$5D;
//pop ebp
LInitInstr[32].Vars[2].Len:=4;
LInitInstr[32].Vars[2].Code:=#$8B#$17 //mov edx,[edi]
+#$33#$C2;
//xor eax,edx
LInitInstr[32].Vars[3].Len:=7;
LInitInstr[32].Vars[3].Code:=#$8B#$2F //mov ebp,[edi]
+#$55 //push ebp
+#$31#$04#$24 //xor [esp],eax
+#$58;
//pop eax

//stosd
LInitInstr[33].Count:=4;
LInitInstr[33].Vars[0].Len:=1;
LInitInstr[33].Vars[0].Code:=#$AB;
//stosd
LInitInstr[33].Vars[1].Len:=6;
LInitInstr[33].Vars[1].Code:=#$89#$07 //mov [edi],eax
+#$47 //inc edi
+#$47 //inc edi
+#$47 //inc edi
+#$47;
//inc edi
LInitInstr[33].Vars[2].Len:=7;
LInitInstr[33].Vars[2].Code:=#$87#$E7 //xchg esp,edi
+#$5A //pop edx
+#$50 //push eax
+#$5A //pop edx
+#$87#$FC;
//xchg edi,esp
LInitInstr[33].Vars[3].Len:=9;
LInitInstr[33].Vars[3].Code:=#$50 //push eax
+#$8B#$EC //mov ebp,esp
+#$87#$F5 //xchg esi,ebp
+#$A5 //movsd
+#$8B#$F5 //mov esi,ebp
+#$5A;
//pop edx
//inc esi
LInitInstr[34].Count:=4;
LInitInstr[34].Vars[0].Len:=1;
LInitInstr[34].Vars[0].Code:=#$46;
//inc esi
LInitInstr[34].Vars[1].Len:=3;
LInitInstr[34].Vars[1].Code:=#$83#$C6#$01;
//add esi,001h
LInitInstr[34].Vars[2].Len:=3;
LInitInstr[34].Vars[2].Code:=#$83#$EE#$FF;
//sub esi,-001h
LInitInstr[34].Vars[3].Len:=5;
LInitInstr[34].Vars[3].Code:=#$6A#$01 //push 001h
+#$5A //pop edx
+#$03#$F2;
//add esi,edx

//loop @Coder_code
LInitInstr[35].Count:=1;
LInitInstr[35].Vars[0].Len:=7;
LInitInstr[35].Vars[0].Code:=#$49 //dec ecx
+#$0F#$85#$78#$56#$34#$12;
//jnz +0WWXXYYZZh

//pop edi
LInitInstr[36].Count:=4;
LInitInstr[36].Vars[0].Len:=1;
LInitInstr[36].Vars[0].Code:=#$5F;
//pop edi
LInitInstr[36].Vars[1].Len:=4;
LInitInstr[36].Vars[1].Code:=#$8B#$3C#$24 //mov edi,[esp]
+#$5D;
//pop ebp
LInitInstr[36].Vars[2].Len:=3;
LInitInstr[36].Vars[2].Code:=#$5D //pop ebp
+#$8B#$FD;
//mov edi,ebp
LInitInstr[36].Vars[3].Len:=3;
LInitInstr[36].Vars[3].Code:=#$5A //pop edx
+#$87#$FA;
//xchg edi,edx

//ret 00Ch
LInitInstr[37].Count:=4;
LInitInstr[37].Vars[0].Len:=3;
LInitInstr[37].Vars[0].Code:=#$C2#$0C#$00;
//ret 00Ch
LInitInstr[37].Vars[1].Len:=6;
LInitInstr[37].Vars[1].Code:=#$58 //pop eax
+#$5A //pop edx
+#$5D //pop ebp
+#$59 //pop ecx
+#$FF#$E0;
//jmp eax
LInitInstr[37].Vars[2].Len:=7;
LInitInstr[37].Vars[2].Code:=#$83#$C4#$10 //add esp,010h
+#$FF#$64#$24#$F0;
//jmp [esp-010h]
LInitInstr[37].Vars[3].Len:=8;
LInitInstr[37].Vars[3].Code:=#$6A#$F0 //push -010h
+#$59 //pop ecx
+#$2B#$E1 //sub esp,ecx
+#$FF#$24#$0C;
//jmp [esp+ecx]

//mov eax,0WWXXYYZZh
LInitInstr[38].Count:=4;
LInitInstr[38].Vars[0].Len:=5;
LInitInstr[38].Vars[0].Code:=#$B8#$78#$56#$34#$12;
//mov eax,012345678h
LInitInstr[38].Vars[1].Len:=6;
LInitInstr[38].Vars[1].Code:=#$68#$78#$56#$34#$12 //push [0WWXXYYZZh]
+#$58;
//pop eax
LInitInstr[38].Vars[2].Len:=6;
LInitInstr[38].Vars[2].Code:=#$B9#$78#$56#$34#$12 //mov ecx,012345678h
+#$91;
//xchg ecx,eax
LInitInstr[38].Vars[3].Len:=6;
LInitInstr[38].Vars[3].Code:=#$8D#$05#$78#$56#$34#$12;
//lea eax,[012345678h]

//mov [ebx+0WWXXYYZZh],eax
LInitInstr[39].Count:=4;
LInitInstr[39].Vars[0].Len:=6;
LInitInstr[39].Vars[0].Code:=#$89#$83#$78#$56#$34#$12;
//mov [ebx+0WWXXYYZZh],eax
LInitInstr[39].Vars[1].Len:=7;
LInitInstr[39].Vars[1].Code:=#$50 //push eax
+#$8F#$83#$78#$56#$34#$12;
//pop [ebx+0WWXXYYZZh]
LInitInstr[39].Vars[2].Len:=10;
LInitInstr[39].Vars[2].Code:=#$53 //push ebx
+#$81#$C3#$78#$56#$34#$12 //add ebx,0WWXXYYZZh
+#$89#$03 //mov [ebx],eax
+#$5B;
//pop ebx
LInitInstr[39].Vars[3].Len:=7;
LInitInstr[39].Vars[3].Code:=#$8D#$BB#$78#$56#$34#$12 //lea edi,[ebx+0WWXXYYZZh]
+#$AB;
//stosd

//mov eax,0WWXXYYZZh
LInitInstr[40].Count:=4;
LInitInstr[40].Vars[0].Len:=5;
LInitInstr[40].Vars[0].Code:=#$B8#$78#$56#$34#$12;
//mov eax,012345678h
LInitInstr[40].Vars[1].Len:=6;
LInitInstr[40].Vars[1].Code:=#$68#$78#$56#$34#$12 //push [0WWXXYYZZh]
+#$58;
//pop eax
LInitInstr[40].Vars[2].Len:=6;
LInitInstr[40].Vars[2].Code:=#$B9#$78#$56#$34#$12 //mov ecx,012345678h
+#$91;
//xchg ecx,eax
LInitInstr[40].Vars[3].Len:=6;
LInitInstr[40].Vars[3].Code:=#$8D#$05#$78#$56#$34#$12;
//lea eax,[012345678h]

//mov [ebx+0WWXXYYZZh],eax
LInitInstr[41].Count:=4;
LInitInstr[41].Vars[0].Len:=6;
LInitInstr[41].Vars[0].Code:=#$89#$83#$78#$56#$34#$12;
//mov [ebx+0WWXXYYZZh],eax
LInitInstr[41].Vars[1].Len:=7;
LInitInstr[41].Vars[1].Code:=#$50 //push eax
+#$8F#$83#$78#$56#$34#$12;
//pop [ebx+0WWXXYYZZh]
LInitInstr[41].Vars[2].Len:=10;
LInitInstr[41].Vars[2].Code:=#$53 //push ebx
+#$81#$C3#$78#$56#$34#$12 //add ebx,0WWXXYYZZh
+#$89#$03 //mov [ebx],eax
+#$5B;
//pop ebx
LInitInstr[41].Vars[3].Len:=7;
LInitInstr[41].Vars[3].Code:=#$8D#$BB#$78#$56#$34#$12 //lea edi,[ebx+0WWXXYYZZh]
+#$AB;
//stosd

//mov eax,0WWXXYYZZh
LInitInstr[42].Count:=4;
LInitInstr[42].Vars[0].Len:=5;
LInitInstr[42].Vars[0].Code:=#$B8#$78#$56#$34#$12;
//mov eax,012345678h
LInitInstr[42].Vars[1].Len:=6;
LInitInstr[42].Vars[1].Code:=#$68#$78#$56#$34#$12 //push [0WWXXYYZZh]
+#$58;
//pop eax
LInitInstr[42].Vars[2].Len:=6;
LInitInstr[42].Vars[2].Code:=#$B9#$78#$56#$34#$12 //mov ecx,012345678h
+#$91;
//xchg ecx,eax
LInitInstr[42].Vars[3].Len:=6;
LInitInstr[42].Vars[3].Code:=#$8D#$05#$78#$56#$34#$12;
//lea eax,[012345678h]

//mov [ebx+0WWXXYYZZh],eax
LInitInstr[43].Count:=4;
LInitInstr[43].Vars[0].Len:=6;
LInitInstr[43].Vars[0].Code:=#$89#$83#$78#$56#$34#$12;
//mov [ebx+0WWXXYYZZh],eax
LInitInstr[43].Vars[1].Len:=7;
LInitInstr[43].Vars[1].Code:=#$50 //push eax
+#$8F#$83#$78#$56#$34#$12;
//pop [ebx+0WWXXYYZZh]
LInitInstr[43].Vars[2].Len:=10;
LInitInstr[43].Vars[2].Code:=#$53 //push ebx
+#$81#$C3#$78#$56#$34#$12 //add ebx,0WWXXYYZZh
+#$89#$03 //mov [ebx],eax
+#$5B;
//pop ebx
LInitInstr[43].Vars[3].Len:=7;
LInitInstr[43].Vars[3].Code:=#$8D#$BB#$78#$56#$34#$12 //lea edi,[ebx+0WWXXYYZZh]
+#$AB;
//stosd

//jmp @DynLoader_begin

LInitInstr[44].Count:=3;
LInitInstr[44].Vars[0].Len:=5;
LInitInstr[44].Vars[0].Code:=#$E9#$78#$56#$34#$12;
//jmp +0WWXXYYZZh
LInitInstr[44].Vars[1].Len:=8;
LInitInstr[44].Vars[1].Code:=#$33#$C0 //xor eax,eax
+#$0F#$84#$78#$56#$34#$12;
//jz +0WWXXYYZZh
LInitInstr[44].Vars[2].Len:=7;
LInitInstr[44].Vars[2].Code:=#$48 //dec eax
+#$0F#$85#$78#$56#$34#$12;
//jnz +0WWXXYYZZh


//
//now put some rubbish, select instruction and write it there
//then
put some rubbish, select next instruction and write it there
//then
put some ...
//
//but be careful with 26th and 27th instructions which is test and condition jump
//don't put the rubbish between them
//


ZeroMemory(InitData,InitSize);
LRemaining:=InitSize;

LPB:=InitData;
LCodeStart:=NtHeaders.OptionalHeader.ImageBase+NtHeaders.OptionalHeader.AddressOfEntryPoint;
LVirtAddr:=LCodeStart;

for LI:=0 to InitInstrCount-1do

with LInitInstr[LI]do

begin

LDelta:=InitInstrCount-LI;
LDelta2:=LRemaining-LDelta*10;
LRubbishSize:=Random(LDelta2 div LDelta);
if (LI<>26) and (LRubbishSize>0) then
//can't change flags after test
begin

GenerateRubbishCode(LPB,LRubbishSize,LVirtAddr);
Inc(LPB,LRubbishSize);
Inc(LVirtAddr,LRubbishSize);
Dec(LRemaining,LRubbishSize);
end;


VirtualAddress:=LVirtAddr;
Index:=Random(LInitInstr[LI].Count);
with Vars[Index]do

begin

CopyMemory(LPB,@Code,Len);
Inc(LPB,Len);
Inc(LVirtAddr,Len);
Dec(LRemaining,Len);
end;

end;

LRubbishSize:=Random(LRemaining);
GenerateRubbishCode(LPB,LRubbishSize,LVirtAddr);
Dec(LRemaining,LRubbishSize);
Inc(LPB,LRubbishSize);
LRubbishSize:=Random(LRemaining);
GenerateRandomBuffer(LPB,LRubbishSize);


//
//now correct pointers
//

LPB:=Pointer(Cardinal(InitData)+LInitInstr[00].VirtualAddress-LCodeStart);
LPtrAddr:=LInitInstr[01].VirtualAddress-(LInitInstr[00].VirtualAddress+5);
Inc(LPB);
PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[02].VirtualAddress-LCodeStart);
LPtrAddr:=LInitInstr[00].VirtualAddress+5-ACodePtr;
if LInitInstr[02].Index<>2 then

begin

case LInitInstr[02].Index of
0:Inc(LPB,2);
1:Inc(LPB);
3:Inc(LPB,4);
end;

PCardinal(LPB)^:=LPtrAddr;
end else

begin

Inc(LPB,2);
PWord(LPB)^:=HiWord(LPtrAddr);
Inc(LPB,4);
PWord(LPB)^:=LoWord(LPtrAddr);
end;


LPB:=Pointer(Cardinal(InitData)+LInitInstr[05].VirtualAddress-LCodeStart);
LPtrAddr:=AKeyPtr;
case LInitInstr[05].Index of
0,3:Inc(LPB,2);
1,2:Inc(LPB);
end;

PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[07].VirtualAddress-LCodeStart);
LPtrAddr:=AData1Ptr;
case LInitInstr[07].Index of
0,1,2:Inc(LPB);
3:Inc(LPB,2);
end;

PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[08].VirtualAddress-LCodeStart);
LPtrAddr:=ASize1;
case LInitInstr[08].Index of
0,1:Inc(LPB);
2:Inc(LPB,5);
3:Inc(LPB,4);
end;

PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[10].VirtualAddress-LCodeStart);
LPtrAddr:=LInitInstr[19].VirtualAddress-(LInitInstr[10].VirtualAddress+5);
Inc(LPB);
PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[12].VirtualAddress-LCodeStart);
LPtrAddr:=AData2Ptr;
case LInitInstr[12].Index of
0,1,2:Inc(LPB);
3:Inc(LPB,4);
end;

PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[14].VirtualAddress-LCodeStart);
LPtrAddr:=ASize2;
case LInitInstr[14].Index of
0,1:Inc(LPB);
2,4:Inc(LPB,5);
3:Inc(LPB,4);
end;

PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[16].VirtualAddress-LCodeStart);
LPtrAddr:=LInitInstr[19].VirtualAddress-(LInitInstr[16].VirtualAddress+5);
Inc(LPB);
PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[17].VirtualAddress-LCodeStart);
LPtrAddr:=LInitInstr[38].VirtualAddress-(LInitInstr[17].VirtualAddress+5);
Inc(LPB);
PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[26].VirtualAddress-LCodeStart);
LPtrAddr:=LInitInstr[23].VirtualAddress-(LInitInstr[26].VirtualAddress+6);
case LInitInstr[26].Index of
0:Inc(LPB,2);
1:begin
Inc(LPB,3);
Dec(LPtrAddr);
end;

end;

PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[35].VirtualAddress-LCodeStart);
LPtrAddr:=LInitInstr[24].VirtualAddress-(LInitInstr[35].VirtualAddress+6);
Inc(LPB,3);
Dec(LPtrAddr);
PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[38].VirtualAddress-LCodeStart);
LPtrAddr:=ALoadLibImpAddr;
case LInitInstr[38].Index of
0,1,2:Inc(LPB);
3:Inc(LPB,2);
end;

PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[39].VirtualAddress-LCodeStart);
LPtrAddr:=AData1Ptr+1;
case LInitInstr[39].Index of
0,3:Inc(LPB,2);
1,2:Inc(LPB,3);
end;

PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[40].VirtualAddress-LCodeStart);
LPtrAddr:=AGetProcAddrImpAddr;
case LInitInstr[40].Index of
0,1,2:Inc(LPB);
3:Inc(LPB,2);
end;

PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[41].VirtualAddress-LCodeStart);
LPtrAddr:=AData1Ptr+6;
case LInitInstr[41].Index of
0,3:Inc(LPB,2);
1,2:Inc(LPB,3);
end;

PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[42].VirtualAddress-LCodeStart);
LPtrAddr:=AMainPtr;
case LInitInstr[42].Index of
0,1,2:Inc(LPB);
3:Inc(LPB,2);
end;

PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[43].VirtualAddress-LCodeStart);
LPtrAddr:=AData1Ptr+11;
case LInitInstr[43].Index of
0,3:Inc(LPB,2);
1,2:Inc(LPB,3);
end;

PCardinal(LPB)^:=LPtrAddr;

LPB:=Pointer(Cardinal(InitData)+LInitInstr[44].VirtualAddress-LCodeStart);
LPtrAddr:=ADynLoadAddr-(LInitInstr[44].VirtualAddress+5);
case LInitInstr[44].Index of
0:Inc(LPB);
1:begin
Inc(LPB,4);
Dec(LPtrAddr,3);
end;

2:begin
Inc(LPB,3);
Dec(LPtrAddr,2);
end;

end;

PCardinal(LPB)^:=LPtrAddr;

end;
 
您必须登录或注册才可回复。

Similar threads

Python从内存中使用编译后的模块 - 不得闲
回复
0
查看
706
不得闲
Delphi实现类似Android锁屏的密码锁控件 - 不得闲
回复
0
查看
971
不得闲
S
[转]ClientDataSet加上TDataSetProvider的数据保存问题
回复
0
查看
3K
SUNSTONE的Delphi笔记
S
S
[转]ClientDataSet加上TDataSetProvider的数据保存问题
回复
0
查看
2K
SUNSTONE的Delphi笔记
S
S
[原]Delphi2010中DataSnap高级技术(6)—加强服务程序对访问者的控制能力
回复
0
查看
1K
SUNSTONE的Delphi笔记
S
后退
顶部