
[转载]加壳工具的壳代码-如何加壳


信息来源:无花果编程驿站

完整加壳工具下载
以下是外壳的汇编源代码。注意：使用本工具加壳的软件可能会被 Norton 判定为病毒。

include win32.inc                       ; presumably supplies PeHeadOffset, cx_Esp/cx_Eip and the pe*/et* structures used below — verify
.586
.model flat, stdcall
locals                                  ; TASM: @@ labels are local to the enclosing proc

; Imports used by the unpacked tool itself (Exit / ShowMsg).  The stub
; code in .data never uses them: it resolves its APIs at run time through
; the export table.  ReleaseDC/GetDC/TextOutA are not referenced in this listing.
extrn _wsprintfA:proc, MessageBoxA:proc, ExitProcess:proc, IsDebuggerPresent:proc
extrn ReleaseDC:proc, GetDC:proc, TextOutA:proc, GetTickCount:proc

; Byte offsets into the stub's 100h-byte scratch area (ebp after
; `sub esp,100h / mov ebp,esp` in PCStart) where the resolved API
; addresses and the start-up tick count are cached.
OLD_TICK_COUNT  equ 072h
GET_TICK_COUNT  equ 0c1h
IS_DBG_PRESENT  equ 034h
EXIT_PROCESS    equ 0a7h

; XOR key applied by EncodeString to the API-name strings and to the
; 'MZ'/'PE' signature constants, so the plain strings are not in the image.
XX              equ 12345678h

.data

;-----------------------------------------------------------------------
; Packer stub.  Everything from PCStart to PCEnd is the code that is
; copied into a packed program; it sits in .data so that the XOR-encoded
; API-name strings can be decoded in place (EncodeString writes to them).
; NOTE(review): a writable section that executes code relies on the data
; pages being executable (no DEP/NX enforcement) — confirm on the target OS.
; All assemble-time addresses go through GetRVAOffset so the stub keeps
; working after being moved to another address.
; Flow: find kernel32's export table -> resolve GetProcAddress ->
; resolve GetTickCount / IsDebuggerPresent / ExitProcess -> SEH self-test
; -> compute the original entry point -> timing + debugger checks ->
; restore registers and jump to the original entry point.
;-----------------------------------------------------------------------
PCStart:
        nop
@@PCStartRVA:
        pushad                          ; keep the entry register state for the original entry point
        call    GetRVAOffset, offset @@KillIDA
        jmp     eax                     ; relocated jump to @@KillIDA
@@KillIDA:
        ; Locate GetProcAddress.
        ; db 0ebh,001h,0e8h             ; (junk-byte sample left commented out in the original)
        sub     esp, 100h               ; scratch area, see the *_equ slot offsets
        mov     ebp, esp
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        mov     ebx, [ebp+100h+8*4]     ; the return address that was on top of the stack at entry
                                        ; (above pushad's 8 dwords and the 100h scratch area);
                                        ; assumed to lie inside kernel32 — TODO confirm on current Windows
@@RepScanGPA:
        dec     ebx
        db      0ebh, 001h, 0e8h        ; junk bytes
        call    GetPEOffset, ebx        ; scan downward for the enclosing MZ/PE header
        mov     ebx, eax                ; ebx = module base
        xor     esi, esi
        db      0ebh, 001h, 0e8h        ; junk bytes
@@RepScanGPAName:
        inc     esi                     ; NOTE(review): starts at 1, so export-name index 0 is never compared
        call    GetGPANameByIndex, ebx, esi
        or      eax, eax
        db      0ebh, 001h, 0e8h        ; junk bytes
        jz      short @@RepScanGPA      ; name table exhausted: look for another module further down
        mov     edi, eax                ; edi = exported name
        call    GetGPAString            ; eax = "GetProcAddress" (decoded on first use)
        db      0ebh, 001h, 0e8h        ; junk bytes
        mov     edx, eax
        call    CompareMemory, edi, edx, 15   ; 15 = strlen("GetProcAddress") + NUL
        or      eax, eax
        jnz     short @@RepScanGPAName  ; no match: next name
        db      0ebh, 001h, 0e8h        ; junk bytes
        call    GetGPARVAByIndex, ebx, esi
        mov     esi, eax
        ; ebx = Kernel32Base ; esi = GetProcAddress

        ; Resolve the remaining APIs with GetProcAddress(ebx, name) and
        ; cache them in the scratch area.
        db      0ebh, 001h, 0e8h        ; junk bytes
        call    GetGTCString
        call    esi, ebx, eax           ; GetProcAddress(kernel32, "GetTickCount")
        mov     [ebp+GET_TICK_COUNT], eax
        db      0ebh, 001h, 0e8h        ; junk bytes
        call    GetIDPString
        call    esi, ebx, eax           ; GetProcAddress(kernel32, "IsDebuggerPresent")
        mov     [ebp+IS_DBG_PRESENT], eax
        db      0ebh, 001h, 0e8h        ; junk bytes
        call    GetEXPString
        call    esi, ebx, eax           ; GetProcAddress(kernel32, "ExitProcess")
        mov     [ebp+EXIT_PROCESS], eax

        ; SaveOldTickCount: reference time for the elapsed-time check below.
        call    [ebp+GET_TICK_COUNT]
        mov     [ebp+OLD_TICK_COUNT], eax
        db      0ebh, 001h, 0e8h        ; junk bytes

        ; SehCheck: raise #DE on purpose; the handler installed by
        ; SetSehFrame (Exception) moves execution to @@SehCheckContinue.
        call    SetSehFrame, offset @@SehCheckContinue
        xor     eax, eax
        db      0ebh, 001h, 0e8h        ; junk bytes
        div     eax                     ; divide by zero -> exception
        ret                             ; only reached if the exception was not routed back through Exception
@@SehCheckContinue:
        call    ClsSehFrame

        ; CalcOldEntryRVA: JRVAEIP = run-time address of PCStart + RRVAEIP,
        ; i.e. the absolute original entry point (patched into the
        ; `push imm32` inside JmpOldEIP).
        db      0ebh, 001h, 0e8h        ; junk bytes
        call    GetRVAOffset, offset PCStart
        mov     ebx, eax
        call    GetRVAOffset, offset RRVAEIP
        db      0ebh, 001h, 0e8h        ; junk bytes
        add     ebx, [eax]
        call    GetRVAOffset, offset JRVAEIP
        mov     [eax], ebx
        db      0ebh, 001h, 0e8h        ; junk bytes

        ; TimeLimitCheckAndDebugCheck: terminate if the tick count went
        ; backwards, if more than 1000 ms elapsed since start-up (e.g. the
        ; stub was single-stepped), or if IsDebuggerPresent is non-zero.
        call    [ebp+GET_TICK_COUNT]
        cmp     [ebp+OLD_TICK_COUNT], eax
        db      0ebh, 001h, 0e8h        ; junk bytes
        ja      @@ExitProcess           ; unsigned: old > now
        sub     eax, 1000
        cmp     [ebp+OLD_TICK_COUNT], eax
        db      0ebh, 001h, 0e8h        ; junk bytes
        jb      @@ExitProcess           ; unsigned: old < now - 1000
        call    [ebp+IS_DBG_PRESENT]
        or      eax, eax
        jnz     @@ExitProcess
        db      0ebh, 001h, 0e8h        ; junk bytes

        ; Restore the stack and registers and run the original program.
        add     esp, 100h
        popad
        db      0ebh, 001h, 0e8h        ; junk bytes
        jmp     JmpOldEIP
@@ExitProcess:
        call    [ebp+EXIT_PROCESS], 0   ; ExitProcess(0)


;-----------------------------------------------------------------------
; GetRVAOffset(Address): relocate an assemble-time address to where the
; stub actually runs.
; In:    Address = an assemble-time `offset` inside the stub
; Out:   eax = Address + (run-time address of @@PushRVAOffset
;                         - assembled address of @@PushRVAOffset)
; Clobb: eax, flags.  Reads its own EIP with a call/pop pair.
;-----------------------------------------------------------------------
GetRVAOffset proc Address:DWORD
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        call    @@PushRVAOffset         ; pushes the address of the next byte ...
@@PushRVAOffset:
        pop     eax                     ; ... which is the run-time address of this label
        sub     eax, offset @@PushRVAOffset   ; eax = load delta
        db      0ebh, 001h, 0e8h        ; junk bytes
        add     eax, Address
        ret
GetRVAOffset endp

;-----------------------------------------------------------------------
; SetSehFrame(SafeEip): install an SEH frame whose handler (Exception)
; resumes execution at SafeEip with esp = SafeESP.
; Called as `call SetSehFrame, offset label`.  It is not a `proc`: it
; pops its own return address and argument, pushes the frame and a 100h
; "safe" stack area, records SafeESP/SafeEIP, and jumps back.  The
; previous SafeESP/SafeEIP values are saved on the stack so frames nest.
; Undo with ClsSehFrame.
; The argument is relocated with GetRVAOffset HERE, so callers must pass
; the raw assemble-time offset, never an address already relocated.
; NOTE(review): the handler address points into the .data stub; whether
; SEH validation (SafeSEH/SEHOP) on newer systems accepts such a frame
; is not established by this code — confirm.
; Clobb: eax, ecx, edx, flags; leaves the frame + 100h area on the stack.
;-----------------------------------------------------------------------
SetSehFrame:                            ; SafeEip; changes eax ecx edx
        pop     edx                     ; edx = return address
        pop     ecx                     ; ecx = SafeEip parameter
        call    GetRVAOffset, ecx       ; relocate it
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        mov     ecx, eax
        call    GetRVAOffset, offset Exception
        push    eax                     ; handler
        db      0ebh, 001h, 0e8h        ; junk bytes
        push    fs:dword ptr [0]        ; previous SEH frame
        mov     fs:dword ptr [0], esp   ; link the new frame in
        call    GetRVAOffset, offset SafeEIP
        db      0ebh, 001h, 0e8h        ; junk bytes
        push    dword ptr [eax]         ; save old SafeEIP
        mov     dword ptr [eax], ecx    ; SafeEIP = relocated SafeEip
        call    GetRVAOffset, offset SafeESP
        db      0ebh, 001h, 0e8h        ; junk bytes
        push    dword ptr [eax]         ; save old SafeESP
        sub     esp, 100h               ; safe stack space for the resumed code
        mov     dword ptr [eax], esp    ; SafeESP = esp
        db      0ebh, 001h, 0e8h        ; junk bytes
        jmp     edx                     ; return to caller

;-----------------------------------------------------------------------
; ClsSehFrame: tear down the frame installed by SetSehFrame.
; Works from SafeESP rather than the current esp, so it is valid both on
; the normal path and after Exception has redirected execution to
; SafeEip.  Restores the previous SafeESP/SafeEIP, unlinks the SEH frame
; and discards the handler slot, leaving esp where it was before the
; caller pushed SetSehFrame's argument.
; Preserves eax (the caller's result); clobbers ecx, edx, flags.
;-----------------------------------------------------------------------
ClsSehFrame:                            ; changes ecx edx, keeps eax
        pop     edx                     ; edx = return address
        mov     ecx, eax                ; keep eax across the GetRVAOffset calls
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        call    GetRVAOffset, offset SafeESP
        mov     esp, [eax]              ; esp = SafeESP
        add     esp, 100h               ; drop the safe stack area
        db      0ebh, 001h, 0e8h        ; junk bytes
        pop     dword ptr [eax]         ; restore previous SafeESP
        call    GetRVAOffset, offset SafeEIP
        pop     dword ptr [eax]         ; restore previous SafeEIP
        pop     fs:dword ptr [0]        ; unlink the SEH frame
        db      0ebh, 001h, 0e8h        ; junk bytes
        pop     eax                     ; discard the handler address
        mov     eax, ecx                ; restore eax
        db      0ebh, 001h, 0e8h        ; junk bytes
        jmp     edx

;-----------------------------------------------------------------------
; Exception: SEH handler installed by SetSehFrame.
; Whatever the exception is, the faulting CONTEXT gets Esp = SafeESP and
; Eip = SafeEIP and the handler returns 0 (ExceptionContinueExecution),
; so the thread resumes at the SafeEip label with a clean stack.  The
; exception record itself is never inspected.
; Args:  standard handler signature (Record, Frame, Context, Dispatch)
; Out:   eax = 0
; Clobb: eax, edx, flags (ebx/esi/edi saved by `uses`)
;-----------------------------------------------------------------------
Exception proc uses ebx esi edi, Record:DWORD, Frame:DWORD, Context:DWORD, Dispatch:DWORD
        mov     edx, Context
        call    GetRVAOffset, offset SafeESP
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        mov     eax, [eax]
        mov     dword ptr [edx.cx_Esp], eax   ; CONTEXT.Esp = SafeESP
        call    GetRVAOffset, offset SafeEIP
        db      0ebh, 001h, 0e8h        ; junk bytes
        mov     eax, [eax]
        mov     dword ptr [edx.cx_Eip], eax   ; CONTEXT.Eip = SafeEIP
        xor     eax, eax                ; ignore the error and continue execution
        db      0ebh, 001h, 0e8h        ; junk bytes
        ret
Exception endp

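;-----------------------------------------------------------------------
; CompareMemory(Src, Des, Size): compare Size bytes under an SEH frame.
; Out:   eax = 0 if every byte matches, non-zero otherwise; -1 if a read
;        faulted (the SEH frame lands on @@NotSame).  Size = 0 counts as
;        a match.
; Clobb: eax, ecx, edx, flags, DF cleared (ebx/esi/edi saved by `uses`)
; Fix: the result used to be the leftover ecx from `rep cmpsb`, which is
; 0 both after a full match and after a mismatch on the LAST byte, so a
; name differing only in byte Size-1 compared as equal.  The result is
; now taken from ZF right after the compare.
;-----------------------------------------------------------------------
CompareMemory proc uses ebx esi edi, Src:DWORD, Des:DWORD, Size:DWORD
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        call    SetSehFrame, offset @@NotSame
        mov     esi, Src
        mov     edi, Des
        db      0ebh, 001h, 0e8h        ; junk bytes
        xor     ebx, ebx                ; ebx = 0 and ZF = 1, so an empty compare reads as "equal"
        mov     ecx, Size
        cld
        repe    cmpsb                   ; stops at the first difference or after Size bytes
        db      0ebh, 001h, 0e8h        ; junk bytes
        setne   bl                      ; ZF = 1 only if all bytes matched; ebx survives ClsSehFrame
        call    ClsSehFrame             ; clobbers ecx, edx and flags
        mov     eax, ebx
        db      0ebh, 001h, 0e8h        ; junk bytes
        ret
@@NotSame:                              ; reached from Exception on a faulting read
        call    ClsSehFrame
        mov     eax, -1
        ret
CompareMemory endp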

;-----------------------------------------------------------------------
; EncodeString(PChar, Size): XOR Size dwords at PChar with the key XX,
; in place.  XOR is its own inverse, so the same call encodes and decodes.
; In:    PChar = address of the first dword, Size = number of dwords
; Clobb: ecx, flags (ebx/esi/edi saved by `uses`)
; Note:  Size = 0 wraps the `loop` counter; callers pass 3..5.
;-----------------------------------------------------------------------
EncodeString proc uses ebx esi edi, PChar:DWORD, Size:DWORD
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        mov     edi, PChar              ; edi walks the buffer
        mov     ecx, Size               ; ecx = dwords left
        db      0ebh, 001h, 0e8h        ; junk bytes
@@NextDword:
        xor     dword ptr [edi], XX
        lea     edi, [edi+4]
        db      0ebh, 001h, 0e8h        ; junk bytes
        loop    short @@NextDword
        db      0ebh, 001h, 0e8h        ; junk bytes
        ret
EncodeString endp

;-----------------------------------------------------------------------
; GetGPAString: eax = address of the NUL-terminated string
; "GetProcAddress".  The bytes are stored XORed with XX (as little-endian
; dwords, so 'PteG' holds "GetP") right after the `call`; the first call
; decodes them in place, later calls see the plain "Ge" and skip the decode.
; Out:   eax = string pointer (inside the .data stub)
; Clobb: eax, ecx, flags (ebx saved by `uses`; esi used as scratch)
;-----------------------------------------------------------------------
GetGPAString proc uses ebx esi
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        call    @@StrBase               ; pushes the address of the data below
        dd      'PteG' xor XX, 'Acor' xor XX, 'erdd' xor XX, 'ss' xor XX
@@StrBase:
        pop     esi                     ; esi = encoded/decoded string
        cmp     word ptr [esi], 'eG'    ; already decoded?
        je      short @@Decoded
        db      0ebh, 001h, 0e8h        ; junk bytes
        call    EncodeString, esi, 4    ; 4 dwords = "GetProcAddress\0\0"
@@Decoded:
        mov     eax, esi
        db      0ebh, 001h, 0e8h        ; junk bytes
        ret
GetGPAString endp

;-----------------------------------------------------------------------
; GetGTCString: eax = address of the NUL-terminated string
; "GetTickCount", stored XORed with XX and decoded in place on first use
; (the plain "Ge" prefix marks an already-decoded string).
; Out:   eax = string pointer (inside the .data stub)
; Clobb: eax, ecx, flags (ebx saved by `uses`; esi used as scratch)
;-----------------------------------------------------------------------
GetGTCString proc uses ebx esi
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        call    @@StrBase
        dd      'TteG' xor XX, 'Ckci' xor XX, 'tnuo' xor XX, 0
@@StrBase:
        pop     esi                     ; esi = encoded/decoded string
        db      0ebh, 001h, 0e8h        ; junk bytes
        cmp     word ptr [esi], 'eG'    ; already decoded?
        je      short @@Decoded
        call    EncodeString, esi, 3    ; 3 dwords = "GetTickCount"; the 0 dword stays as terminator
@@Decoded:
        mov     eax, esi
        db      0ebh, 001h, 0e8h        ; junk bytes
        ret
GetGTCString endp

;-----------------------------------------------------------------------
; GetIDPString: eax = address of the NUL-terminated string
; "IsDebuggerPresent", stored XORed with XX and decoded in place on first
; use (the plain "Is" prefix marks an already-decoded string).
; Out:   eax = string pointer (inside the .data stub)
; Clobb: eax, ecx, flags (ebx saved by `uses`; esi used as scratch)
;-----------------------------------------------------------------------
GetIDPString proc uses ebx esi
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        call    @@StrBase
        dd      'eDsI' xor XX, 'ggub' xor XX, 'rPre' xor XX, 'nese' xor XX, 't' xor XX
@@StrBase:
        pop     esi                     ; esi = encoded/decoded string
        cmp     word ptr [esi], 'sI'    ; already decoded?
        je      short @@Decoded
        db      0ebh, 001h, 0e8h        ; junk bytes
        call    EncodeString, esi, 5    ; 5 dwords = "IsDebuggerPresent" + 3 NUL bytes
@@Decoded:
        mov     eax, esi
        db      0ebh, 001h, 0e8h        ; junk bytes
        ret
GetIDPString endp

;-----------------------------------------------------------------------
; GetEXPString: eax = address of the NUL-terminated string
; "ExitProcess", stored XORed with XX and decoded in place on first use
; (the plain "Ex" prefix marks an already-decoded string).
; Out:   eax = string pointer (inside the .data stub)
; Clobb: eax, ecx, flags (ebx saved by `uses`; esi used as scratch)
;-----------------------------------------------------------------------
GetEXPString proc uses ebx esi
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        call    @@StrBase
        dd      'tixE' xor XX, 'corP' xor XX, 'sse' xor XX
@@StrBase:
        pop     esi                     ; esi = encoded/decoded string
        cmp     word ptr [esi], 'xE'    ; already decoded?
        je      short @@Decoded
        db      0ebh, 001h, 0e8h        ; junk bytes
        call    EncodeString, esi, 3    ; 3 dwords = "ExitProcess" + NUL
@@Decoded:
        mov     eax, esi
        db      0ebh, 001h, 0e8h        ; junk bytes
        ret
GetEXPString endp

;-----------------------------------------------------------------------
; GetPEOffset(MZOffset): walk downward from MZOffset one 4 KiB page at a
; time until a page starts with "MZ" and its e_lfanew points at "PE".
; Reads of unmapped pages raise an exception that the SEH frame routes
; back to the loop head (with ebx untouched), so the scan just continues.
; In:    MZOffset = any address inside (or just above) the module
; Out:   eax = module base (address of the MZ header)
; Clobb: eax, ecx, edx, flags (ebx/esi/edi saved by `uses`)
; Note:  there is no lower bound — if no header exists below MZOffset the
;        loop keeps scanning (and faulting) downward.
; The signatures are compared XORed with XX so the plain "MZ"/"PE"
; constants do not appear in the stub.
;-----------------------------------------------------------------------
GetPEOffset proc uses ebx esi edi, MZOffset:DWORD
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        call    SetSehFrame, offset @@RepScanPEOffset
        mov     ebx, MZOffset
@@RepScanPEOffset:
        dec     ebx
        and     bx, 0f000h              ; round down to a page boundary (low 16 bits only; higher bits unchanged)
        db      0ebh, 001h, 0e8h        ; junk bytes
        movzx   eax, word ptr [ebx]
        xor     eax, XX
        cmp     eax, dword ptr 'ZM' xor XX    ; 'ZM' as a little-endian dword = bytes "MZ"
        db      0ebh, 001h, 0e8h        ; junk bytes
        jnz     short @@RepScanPEOffset
        movzx   esi, [ebx+PeHeadOffset] ; e_lfanew; NOTE(review): movzx reads only a WORD if PeHeadOffset is typed so in win32.inc — e_lfanew is a DWORD, confirm
        add     esi, ebx                ; esi = PE header
        db      0ebh, 001h, 0e8h        ; junk bytes
        movzx   eax, word ptr [esi]
        xor     eax, XX
        cmp     eax, dword ptr 'EP' xor XX    ; bytes "PE"
        db      0ebh, 001h, 0e8h        ; junk bytes
        jnz     short @@RepScanPEOffset
        call    ClsSehFrame
        mov     eax, ebx
        db      0ebh, 001h, 0e8h        ; junk bytes
        ret
GetPEOffset endp

;-----------------------------------------------------------------------
; GetGPANameByIndex(MZOffset, Index): address of the Index-th entry of
; the export name table of the module loaded at MZOffset.
; In:    MZOffset = module base, Index = export-name index
; Out:   eax = pointer to the exported name (NUL-terminated, inside the
;        module), or 0 if Index >= number of names or any read faults
; Clobb: eax, ecx, edx, flags (ebx/esi/edi saved by `uses`)
; The two `or eax,[...]` loads touch the 1st and 16th byte of the name so
; an unreadable name faults here (into @@NotFound) instead of later in
; CompareMemory, which reads 15 bytes.
;-----------------------------------------------------------------------
GetGPANameByIndex proc uses ebx esi edi, MZOffset:DWORD, Index:DWORD
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        call    SetSehFrame, offset @@NotFound
        mov     ebx, MZOffset
        movzx   ecx, [ebx+PeHeadOffset] ; e_lfanew (same WORD-read caveat as in GetPEOffset)
        add     ecx, ebx                ; ecx = PE header
        db      0ebh, 001h, 0e8h        ; junk bytes
        mov     esi, [ecx.peExportsRVA]
        add     esi, ebx                ; esi = export directory
        mov     edi, [esi.etExportNameList]
        db      0ebh, 001h, 0e8h        ; junk bytes
        add     edi, ebx                ; edi = name-RVA table
        mov     ecx, Index
        cmp     ecx, [esi.etExportNameSum]
        db      0ebh, 001h, 0e8h        ; junk bytes
        jae     short @@NotFound        ; unsigned: out of range
        mov     edi, [edi+ecx*4]        ; name RVA
        add     edi, ebx
        db      0ebh, 001h, 0e8h        ; junk bytes
        or      eax, [edi]              ; probe read (value unused)
        or      eax, [edi+15]           ; probe read of the last byte CompareMemory will touch, plus one
        call    ClsSehFrame
        db      0ebh, 001h, 0e8h        ; junk bytes
        mov     eax, edi
        db      0ebh, 001h, 0e8h        ; junk bytes
        ret
@@NotFound:                             ; also the resume point after a faulting read
        call    ClsSehFrame
        xor     eax, eax
        db      0ebh, 001h, 0e8h        ; junk bytes
        ret
GetGPANameByIndex endp

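;-----------------------------------------------------------------------
; GetGPARVAByIndex(MZOffset, Index): address of the export whose
; name-table index is Index (name index -> ordinal table -> address table).
; In:    MZOffset = module base, Index = export-name index (as used with
;        GetGPANameByIndex)
; Out:   eax = address of the exported function, or 0 if Index is out of
;        range, the ordinal is out of range, or any read faults
; Clobb: eax, ecx, edx, flags (ebx/esi/edi saved by `uses`)
; Fixes: (1) SetSehFrame relocates its argument with GetRVAOffset itself,
; so the raw `offset @@NotFound` is passed as every other caller does;
; relocating it here first added the load delta twice and sent the fault
; path to a wrong address whenever the stub runs away from its assembled
; address.  (2) Index indexes the name/ordinal tables, so its bound is
; the name count (etExportNameSum), not the function count.
;-----------------------------------------------------------------------
GetGPARVAByIndex proc uses ebx esi edi, MZOffset:DWORD, Index:DWORD
        db      0ebh, 001h, 0e8h        ; anti-disassembly junk: jmp short +1 skips the stray 0e8h byte
        call    SetSehFrame, offset @@NotFound
        db      0ebh, 001h, 0e8h        ; junk bytes
        mov     ebx, MZOffset
        movzx   ecx, [ebx+PeHeadOffset] ; e_lfanew (same WORD-read caveat as in GetPEOffset)
        db      0ebh, 001h, 0e8h        ; junk bytes
        add     ecx, ebx                ; ecx = PE header
        mov     esi, [ecx.peExportsRVA]
        add     esi, ebx                ; esi = export directory
        db      0ebh, 001h, 0e8h        ; junk bytes
        mov     ecx, Index
        cmp     ecx, [esi.etExportNameSum]
        jae     short @@NotFound        ; unsigned: name index out of range
        db      0ebh, 001h, 0e8h        ; junk bytes
        mov     edi, [esi.etExportOrdlList]
        add     edi, ebx                ; edi = ordinal table (WORD per name)
        db      0ebh, 001h, 0e8h        ; junk bytes
        movzx   ecx, word ptr [edi+ecx*2]     ; ecx = ordinal (index into the address table)
        cmp     ecx, [esi.etExportAddrSum]
        jae     short @@NotFound        ; unsigned: ordinal out of range
        db      0ebh, 001h, 0e8h        ; junk bytes
        mov     edi, [esi.etExportAddrList]
        add     edi, ebx                ; edi = address table
        db      0ebh, 001h, 0e8h        ; junk bytes
        mov     edi, [edi+ecx*4]        ; function RVA
        db      0ebh, 001h, 0e8h        ; junk bytes
        add     edi, ebx
        or      eax, [edi]              ; probe read (value unused); faults land on @@NotFound
        call    ClsSehFrame
        db      0ebh, 001h, 0e8h        ; junk bytes
        mov     eax, edi
        ret
@@NotFound:                             ; also the resume point after a faulting read
        call    ClsSehFrame
        xor     eax, eax
        db      0ebh, 001h, 0e8h        ; junk bytes
        ret
GetGPARVAByIndex endp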

;-----------------------------------------------------------------------
; Trampoline to the original entry point: the bytes form `push imm32`
; (068h) followed by `ret` (0c3h).  PCStart writes the absolute target
; into JRVAEIP at run time (CalcOldEntryRVA) before jumping here.
;-----------------------------------------------------------------------
JmpOldEIP:
        db      068h                    ; push imm32
JRVAEIP dd      ?                       ; filled at run time: address(PCStart) + RRVAEIP
        db      0c3h                    ; ret -> original entry point
RRVAEIP dd      -1000h                  ; original entry point relative to PCStart;
                                        ; NOTE(review): presumably the slot a packer patches (ShowMsg prints its address) — confirm
SafeESP dd      ?                       ; stack pointer to resume with, set by SetSehFrame
SafeEIP dd      ?                       ; address to resume at, set by SetSehFrame


PCEnd:                                  ; end of the stub; PCEnd - PCStart is the size ShowMsg reports
MsgFmt  db      'RRVAIP:%X,Size:%x', 0
MsgBuf  db      256 dup(?)

.code

;-----------------------------------------------------------------------
; Exit: show the stub's patch information, then terminate.
; NOTE(review): with RRVAEIP = -1000h the trampoline presumably lands on
; this label when the unpacked tool runs itself — verify against the map.
;-----------------------------------------------------------------------
Exit:
        call    ShowMsg
        call    ExitProcess, 0

; Program entry point: hand control straight to the stub.
Start:
        jmp     PCStart

;-----------------------------------------------------------------------
; ShowMsg: display "RRVAIP:<address of RRVAEIP>,Size:<PCEnd-PCStart>" in
; a message box — the patch slot and the stub length (presumably what a
; packer needs when copying PCStart..PCEnd into another image — verify).
; _wsprintfA is cdecl: its arguments are discarded by restoring esp from
; ebp rather than by the callee.  pushad/popad keep all registers for the
; caller; no value is returned.
;-----------------------------------------------------------------------
ShowMsg proc
        pushad
        mov     ebp, esp                ; remember esp; the cdecl arguments are dropped below
        call    _wsprintfA, offset MsgBuf, offset MsgFmt, offset RRVAEIP, offset PCEnd - offset PCStart
        call    MessageBoxA, 0, offset MsgBuf, offset MsgBuf, 0
        mov     esp, ebp
        popad
        ret
ShowMsg endp



end Start                               ; entry point is Start (jmp PCStart)


