Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- procedure PackerFunctionAsm;
- begin
- asm
- push eax //Fake Call Emulation (Eax Contains Return Address)
- push ebp
- mov ebp,esp
- cmp [ebp+8],0
- je @@VerifyProtector1
- cmp [ebp+8],1
- je @@VerifyProtector2
- cmp [ebp+8],2
- je @@GetHardwareID1
- ret 4
- @@VerifyProtector1:
- push [ebp+$10]
- push [ebp+$C]
- call VerifyFunction1
- mov esp,ebp
- pop ebp
- ret $C
- @@VerifyProtector2:
- push [ebp+$10]
- push [ebp+$C]
- call VerifyFunction2
- mov esp,ebp
- pop ebp
- ret $C
- @@GetHardwareID1:
- push [ebp+$C]
- call GetHardwareID1
- mov esp,ebp
- pop ebp
- ret $8
- end;
- end;
- function PackerFunctionHandler(var Exp:EXCEPTION_POINTERS):Integer;stdcall;
- var
- i:Dword;
- CorrectFunction:Boolean;
- dwExceptionAddress:Dword;
- begin
- result:=0;
- If Exp.ExceptionRecord.ExceptionCode=STATUS_PRIVILEGED_INSTRUCTION then
- begin
- //31 C0 8B C0 90 F4
- CorrectFunction:=False;
- dwExceptionAddress:=Exp.ContextRecord.Eip;
- dwExceptionAddress:=dwExceptionAddress-5;
- if pbyte(dwExceptionAddress)^=$31 then
- if pbyte(dwExceptionAddress+1)^=$C0 then
- if pbyte(dwExceptionAddress+2)^=$89 then
- if pbyte(dwExceptionAddress+3)^=$C0 then
- if pbyte(dwExceptionAddress+4)^=$90 then
- if pbyte(dwExceptionAddress+5)^=$F4 then
- CorrectFunction:=True;
- if pbyte(dwExceptionAddress)^=$33 then
- if pbyte(dwExceptionAddress+1)^=$C0 then
- if pbyte(dwExceptionAddress+2)^=$8B then
- if pbyte(dwExceptionAddress+3)^=$C0 then
- if pbyte(dwExceptionAddress+4)^=$90 then
- if pbyte(dwExceptionAddress+5)^=$F4 then
- CorrectFunction:=True;
- If Not CorrectFunction Then
- Exit;
- Exp.ContextRecord.Eax:=Exp.ContextRecord.Eip+1; //Store Return Address in Eax
- Exp.ContextRecord.EFlags:=Exp.ContextRecord.EFlags and (not $100); //Destroy Trap Flag
- Exp.ContextRecord.Eip:=Dword(@PackerFunctionAsm); //Set Eip to Function Processor
- Result:=-1;
- Exit;
- end;
- end;
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
