daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-16 07:49:24 +00:00
Code Issues Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground
2020-10-09 21:56:39 -05:00
committed by GitHub
parent cb8e4ddb00
commit a5fc35f165
69 changed files with 14340 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libs/VirTool.Win32.Disassembler.Lito.asm
+398
View File
@@ -0,0 +1,398 @@
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ;
; ;
; ### ;
; ### ;
; ### #################################################### ;
; ### #################################################### ;
; ### ### ### ;
; ### ### ### ######### ### ;
; ### ### ### ########### ;
; ### ### ## ## ;
; ### ### ### ## ## ;
; ### ### ### ## ## ;
; ### ### ### ### ## ## ;
; ### ### ### ### ## ## ;
; ############ ### ### ########### ;
; ################################################################ ;
; ;
; ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ;
; Advanced Length dIsassembler moTOr:) ;
; ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ;
; ‚¥àá¨ï 2.1 ;
; ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;äã­ªæ¨ï _LiTo_ ;
;¤¨§ áᥬ¡«¨à®¢ ­¨¥ ¬ è¨­­®© ª®¬ ­¤ë ;
;®¯à¥¤¥«¥­¨¥ ¤«¨­ë ¬ è¨­­®© ª®¬ ­¤ë ;
;‚室: ;
;esi -  ¤à¥á à §¡¨à ¥¬®© ¬ è¨­­®© ª®¬ ­¤ë ;
;edi - 㪠§ â¥«ì ­  ¢ë室­ãî áâàãªâãàã (¨«¨ ¡ãä¥à) (­ §®¢¥¬ ¥¥ INSTR:) ;
;‚ë室: ;
;¢ eax - ¤«¨­  ¬ è¨­­®© ª®¬ ­¤ë. ;
;‡ ¬¥âª¨: ;
;(x) ‚ë室­ ï áâàãªâãà  (¨«¨ ¡ãä¥à) § ¯®«­ï¥âáï ¢ ¯à®æ¥áᥠ¤¨§ áᥬ¡«¨à®¢ ­¨ï ;
;¨­áâàãªæ¨¨ ¨ ¤®«¦­  ¯à¥¤áâ ¢«ïâì ᮡ®© á«¥¤ãî饥: ;
; ;
; INSTR1 struct ;
; (+ 00) len_com db 00h ; - ¤«¨­  ª®¬ ­¤ë; ;
; (+ 01) flags dd 00h ; - ¢ëáâ ¢«¥­­ë¥ ä« £¨ ;
; (+ 05) seg db 00h ; - ᥣ¬¥­â (¥á«¨ ¥áâì); ;
; (+ 06) repx db 00h ; - ¯à¥ä¨ªá (0F2h/0F3h) (¥á«¨ ¥áâì); ;
; (+ 07) len_offset db 00h ; - à §¬¥à ᬥ饭¨ï; ;
; (+ 08) len_operand db 00h ; - à §¬¥à ®¯¥à ­¤ ; ;
; (+ 09) opcode db 00h ; - ®¯ª®¤ (¥á«¨ ®¯ª®¤=0Fh, ⮣¤  ;
; ; á á®åà ­ï¥âáï 2-®© ®¯ª®¤, ¨ ;
; ; ãáâ ­ ¢«¨¢ ¥âáï ä« £ B_OPCODE2); ;
; (+ 10) modrm db 00h ; - ¡ ©â MODRM (â ª¦¥, ¥á«¨ ¥áâì) ;
; (+ 11) sib db 00h ; - ¡ ©â SIB ;
; (+ 12) offset db 8 dup (00h); - ᬥ饭¨¥ ¨­áâàãªæ¨¨ ;
; (+ 20) operand db 8 dup (00h); - ®¯¥à ­¤ ¨­áâàãªæ¨¨ ;
; INSTR1 ends ;
; ;
;(å) ¯®­¨¬ îâáï (¯®ª ) ⮫쪮 general purpose & fpu instructions ;
; (®áâ «ì­ë¥ - ¢ ⮯ªã:)! ;
;(å) ­¥â ¯à®¢¥àª¨ ­  ¬ ªá¨¬ «ì­ãî ¤«¨­ã ¨­áâàãªæ¨¨ (15 ¡ ©â) (­ å७) ;
;(å) Š ª ¯®áâ஥­ë í⨠⠡«¨çª¨: ;
; Ž—…œ Ž‘’Ž: â ª ª ª ¢ í⮬ ¤¨§ á¬¥ ¨á¯®«ì§ãîâáï ä« £¨ á ç¨á«®¢ë¬ ;
; ®¡®§­ ç¥­¨¥¬ <=8, â® ¤«ï ®¤­®£® ä« £  ¤®áâ â®ç­® ¬¥áâ  ¢ ¯®«®¢¨­ã ¡ ©â  ;
; (¬ ªá¨¬ «ì­®¥ ç¨á«® =8 (B_PREFIX6X) - ¢ ¤¢®¨ç­®¬ ¯à¥¤áâ ¢«¥­¨¨ =1000b). ;
; ‡­ ï íâ®, ¯à®áâ® â㯮 ¢ ®¤¨­ ¡ ©â § ¯¨å¨¢ ¥¬ 2 ä« £  - ¢®â ¨ ¢á¥. ’ ª¨¬ ;
; ®¡à §®¬, ª ¦¤ ï â ¡«¨çª  ¢ 256 ¡ ©â ã१ ¥âáï ¤® 128. ;
;(å) „«ï 32-¡¨â­®£® ¨á¯®«­ï¥¬®£® ª®¤ . ;
;(å) Šâ® å®ç¥â, ¯ãáâì ­ ä¨£ á ¬ ¨ ¤®¡ ¢«ï¥â ®áâ «ì­ë¥ ª®¬ ­¤ë ¨ ¢á直¥ â ¬ ;
; ¯à®¢¥àª¨. ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;
;
;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ”ˆ—ˆ: ;
;(+) ¡ §®­¥§ ¢¨á¨¬®áâì ;
;(+) 㯠ª®¢ ­­ë¥ â ¡«¨çª¨ ;
; ;
;(-) ¬ãâ®à­® ¤®¡ ¢«ïâì ­®¢ë¥ ¨­áâàãªæ¨¨ ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;
;
;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ˆ‘Ž‹œ‡Ž‚€ˆ…: ;
;1)®¤ª«î祭¨¥: ;
; lito.asm ;
;2)‚맮¢:(¯à¨¬¥à) ;
; lea esi,XXXXXXXXh ; ¤à¥á ª®¬ ­¤ë, çìî ¤«¨­ã ­ ¤® 㧭 âì ;
; lea edi,XXXXXXXXh ;lea edi,INSTR1 ;
; call LiTo ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;m1x
;pr0mix@mail.ru
_LiTo_:
pushad
call _delta_lito_
;===================================================================================
;áâப  ¯à¥ä¨ªá®¢
pfx:
db 2Eh,36h,3Eh,26h,64h,65h,0F2h,0F3h,0F0h,66h,67h
SizePfx equ $-pfx ;¤«¨­  pfx
;===================================================================================
;â ¡«¨æ  ä« £®¢ ¤«ï ®¤­®¡ ©â­ëå ®¯ª®¤®¢
TableFlags1:
; 01 23 45 67 89 AB CD EF
db 11h,11h,28h,00h,11h,11h,28h,00h ;00
db 11h,11h,28h,00h,11h,11h,28h,00h ;01
db 11h,11h,28h,00h,11h,11h,28h,00h ;02
db 11h,11h,28h,00h,11h,11h,28h,00h ;03
db 00h,00h,00h,00h,00h,00h,00h,00h ;04
db 00h,00h,00h,00h,00h,00h,00h,00h ;05
db 00h,11h,00h,00h,89h,23h,00h,00h ;06
db 22h,22h,22h,22h,22h,22h,22h,22h ;07
db 39h,33h,11h,11h,11h,11h,11h,11h ;08
db 00h,00h,00h,00h,00h,0C0h,00h,00h ;09
db 88h,88h,00h,00h,28h,00h,00h,00h ;0A
db 22h,22h,22h,22h,88h,88h,88h,88h ;0B
db 33h,40h,11h,39h,60h,40h,02h,00h ;0C
db 11h,11h,22h,00h,11h,11h,11h,11h ;0D
db 22h,22h,22h,22h,88h,0C2h,00h,00h ;0E
db 00h,00h,00h,11h,00h,00h,00h,11h ;0F
;===================================================================================
;â ¡«¨æ  ä« £®¢ ¤«ï ¤¢ãå¡ ©â­ëå ®¯ª®¤®¢
TableFlags2:
; 01 23 45 67 89 AB CD EF
db 11h,11h,00h,00h,00h,00h,01h,00h ;00
db 00h,00h,00h,00h,00h,00h,00h,01h ;01
db 11h,11h,00h,00h,00h,00h,00h,00h ;02
db 00h,00h,00h,00h,00h,00h,00h,00h ;03
db 11h,11h,11h,11h,11h,11h,11h,11h ;04
db 00h,00h,00h,00h,00h,00h,00h,00h ;05
db 00h,00h,00h,00h,00h,00h,00h,00h ;06
db 00h,00h,00h,00h,00h,00h,00h,00h ;07
db 88h,88h,88h,88h,88h,88h,88h,88h ;08
db 11h,11h,11h,11h,11h,11h,11h,11h ;09
db 00h,01h,31h,00h,00h,01h,31h,01h ;0A
db 11h,11h,11h,11h,00h,31h,11h,11h ;0B
db 11h,00h,00h,01h,00h,00h,00h,00h ;0C
db 00h,00h,00h,00h,00h,00h,00h,00h ;0D
db 00h,00h,00h,00h,00h,00h,00h,00h ;0E
db 00h,00h,00h,00h,00h,00h,00h,00h ;0F
;===================================================================================
SizeTbl equ $-pfx
;===================================================================================
;ä« £¨
;-----------------------------------------------------------------------------------
B_NONE equ 00h ;xex
B_MODRM equ 01h ;present byte MODRM
B_DATA8 equ 02h ;present imm8,rel8, etc
B_DATA16 equ 04h ;present imm16,rel16, etc
B_PREFIX6X equ 08h ;present imm16/imm32 (¢ § ¢¨á¨¬®á⨠®â ­ «¨ç¨ï ¯à¥ä¨ªá  0x66 (0x67 ¤«ï ®¯ª®¤®¢ 0xA0-0xA3))
B_SEG equ 10h ;present segment (¯à¨¬¥à: 0x2e,0x3E, etc)
B_PFX66 equ 20h ;present byte 0x66
B_PFX67 equ 40h ;present byte 0x67
B_LOCK equ 80h ;present byte LOCK (0xF0)
B_REP equ 100h ;present byte rep[e/ne]
B_OPCODE2 equ 200h ;present second opcode (first opcode=0x0F)
B_SIB equ 400h ;present byte SIB
B_RELX equ 800h ;present jxx/jmp/call (rel8,rel16,rel32)
;===================================================================================
_delta_lito_:
pop ebp
cld
xor eax,eax
xor ebx,ebx
cdq ;¢ edx: dl(0/1) - ­¥â/¥áâì ¯à¥ä¨ªá 0x66
; dh(0/1) - ­¥â/¥áâì ¯à¥ä¨ªá 0x67
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG ¯®¨áª ¯à¥ä¨ªá®¢xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_nextpfx_:
lodsb ;¯®«ãç ¥¬ ®ç¥à¥¤­®© ¡ ©â ª®¬ ­¤ë
push edi
lea edi,[ebp+(pfx-_delta_lito_+SizeTbl)] ;¢ edi -  ¤à¥á áâப¨ ¯à¥ä¨ªá®¢
db 6Ah,SizePfx
pop ecx
repne scasb ;¥áâì «¨ ¢ à §¡¨à ¥¬®© ª®¬ ­¤¥ ¯à¥ä¨ªáë?
pop edi
jne _endpfx_ ;­¥â? - ­  ¢ë室
cmp ecx,5
jl _lock_
or bl,B_SEG
mov byte ptr [edi+05h],al ;seg
_lock_:
cmp al,0F0h
jne _rep_
or bl,B_LOCK
_rep_:
mov ch,al
and ch,0FEh
cmp ch,0F2h
jne _66_
or bx,B_REP
mov byte ptr [edi+06h],al ;rep
_66_:
cmp al,66h ;¨­ ç¥ ᬮâਬ, íâ® 0x66?
jne _67_
mov dl,1
or bl,B_PFX66
_67_:
cmp al,67h ;¨­ ç¥, íâ® 0x67?
jnz _nextpfx_ ;¥á«¨ ­¥â, â® ¨é¥¬ ¤à㣨¥ ¯à¥ä¨ªáë
mov dh,1
or bl,B_PFX67
jmp _nextpfx_ ;¯à®¤®«¦ ¥¬ ¯®¨áª
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND ¯®¨áª ¯à¥ä¨ªá®¢xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_endpfx_:
_search_jxx_call_jmp_:
mov ch,al
and ch,0FEh
cmp ch,0E8h
je _jxxok_
mov ch,al
and ch,11110000b
cmp ch,70h
je _jxxok_
cmp al,0EBh
je _jxxok_
cmp al,0Fh ;®¯ª®¤ á®á⮨⠨§ 2-å ¡ ©â?
jne _opcode_
lodsb ;¥á«¨ ¤ , â® ¡¥à¥¬ 2-®© ¡ ©â ®¯ª®¤ 
mov cl,80h ;¨ 㢥«¨ç¨¢ ¥¬ cl=80h
or bx,B_OPCODE2
mov ch,al
and ch,11110000b
cmp ch,80h
jne _opcode_
_jxxok_:
or bx,B_RELX
;-----------------------------------------------------------------------------------
_opcode_:
xor ch,ch
mov byte ptr [edi+09h],al ;save first opcode
lea ebp,[ebp+ecx+(TableFlags1-_delta_lito_+SizeTbl)];¢ edi -  ¤à¥á ­ã¦­®© â ¡«¨æë ä« £®¢(å à-ª)
cmp al,0A0h ;¥á«¨ ®¯ª®¤>=0xA0 ¨ ®¯ª®¤<=A3,
jl _01_;jb ;
cmp al,0A3h
jg _01_
test cl,cl
jne _01_;je ;â® dl=dh
mov dl,dh ;mov dl,dh
;-----------------------------------------------------------------------------------
_01_:
push eax
shr eax,1
mov cl,byte ptr [ebp+eax] ;¢ cl - ä« £¨ ª®¬ ­¤ë
jc _noCF_
shr cl,4
_noCF_:
and cl,0Fh
xor ebp,ebp ;¢ ebp - ¡ã¤¥â åà ­¨âìáï ¤«¨­  ᬥ饭¨ï(offset)
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG à §¡®à MODRMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
or ecx,ebx
pop ebx ;bl=opcode
test cl,B_MODRM ;¯à¨áãâáâ¢ã¥â «¨ ¡ ©â modrm?
je _endmodrm_ ;­¥â? ­  ¢ë室
lodsb ;al=modrm
mov byte ptr [edi+10],al ;MODRM
mov ah,al
;-----------------------------------------------------------------------------------
shr ah,6 ;ah=mod
;-----------------------------------------------------------------------------------
test al,38h ;¤ «¥¥ ᬮâਬ, à ¢­® «¨ ¯®«¥ reg==0?
jne _03_
sub bl,0F6h ;¥á«¨ ¤ , ⮠ᬮâਬ ­  ®¯ª®¤:
jne _02_ ;à ¢¥­ «¨ ®­ 0xF6 ¨«¨ 0xF7(test)?
or cl,B_DATA8 ;¥á«¨ ¤ , â® ãáâ ­ ¢«¨¢ ¥¬ ­ã¦­ë© ä« £
_02_:
dec ebx
jne _03_
or cl,B_PREFIX6X
;-----------------------------------------------------------------------------------
_03_:
and al,07h
xor ebx,ebx ;bl ®â¢¥ç ¥â §  ¯à¨áãâá⢨¥ ¡ ©â  sib
mov bh,ah ;bh=mod
cmp dh,1 ;¥áâì «¨ ¢ à §¡¨à ¥¬®© ª®¬ ­¤¥ ¯à¥ä¨ªá 0x67?
je _mod00_ ;¥á«¨ ¤ , â® ¯¥à¥áª ª¨¢ ¥¬
cmp al,4 ;¨­ ç¥ ¯à®¢¥à塞,à ¢­® «¨ ¯®«¥ rm==4?
jne _mod00_
inc ebx ;¥á«¨ ¤ , â® ¢®§¬®¦­® ¥áâì sib
;-----------------------------------------------------------------------------------
_mod00_:
test ah,ah ;¯®«¥ mod==0?
jne _mod01_
dec dh ;ᮤ¥à¦¨â «¨ ª®¬ ­¤  0x67?
jne _nop67_ ;­¥â? ¯¥à¥áª ª¨¢ ¥¬
cmp al,6 ;¥á«¨ ¤ , â® rm==6?
jne _sib_
inc ebp ;¥á«¨ ¤ , â® ¤«¨­  ᬥ饭¨ï=2(16 bit)
inc ebp
_nop67_:
cmp al,5 ;¨­ ç¥, rm==5?
jne _sib_
add ebp,4 ;¥á«¨ ¤ , â® ¤«¨­  ®ääá¥â =4 (32 bit)
jmp _sib_ ;¨¤¥¬ ¤ «ìè¥
;-----------------------------------------------------------------------------------
_mod01_: ;mod==1?
dec ah
jne _mod02_
inc ebp ;¤ ? ⮣¤  ebp=1
jmp _sib_
;-----------------------------------------------------------------------------------
_mod02_: ;mod==2?
dec ah
jne _mod03_
inc ebp ;ebp=2
inc ebp
dec dh ;¥á«¨ ¥áâì ¯à¥ä¨ªá  0x67, ¯¥à¥áª ª¨¢ ¥¬ ¤ «ìè¥
je _sib_
inc ebp ;â® ebp+=2
inc ebp
inc ebx
;-----------------------------------------------------------------------------------
_mod03_: ;mod==3?
dec bl ;¥á«¨ ¤ , ⮣¤  sib'  â®ç­® ­¥â!
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND à §¡®à MODRMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG ¯®«ã祭¨¥ SIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_sib_:
dec bl ;¥áâì «¨ ¡ ©â sib?
jne _endmodrm_
or cx,B_SIB
lodsb ;¥á«¨ ¤ , â® ¢ al ⥯¥àì «¥¦¨â sib(al=sib)
mov byte ptr [edi+11],al ;SIB
and al,7 ;¤ «¥¥,
cmp al,5 ;al==5?
jne _endmodrm_
test bh,bh ;¥á«¨ ¤ , ⮠ᬮâਬ, ¯®«¥ mod==0?
jne _endmodrm_
push 4 ;¥á«¨ ¤ , â® ¥áâì 4-¡ ©â®¢®¥ ᬥ饭¨¥
pop ebp
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND ¯®«ã祭¨¥ SIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG ä« £¨xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_endmodrm_:
xor ebx,ebx
test cl,B_DATA8 ;¥áâì «¨ ®¤­®¡ ©â®¢®¥ ᬥ饭¨¥?
je _nf1_
inc ebx
_nf1_:
test cl,B_DATA16 ;¥áâì «¨ ¤¢ãå¡ ©â®¢®¥ ᬥ饭¨¥?
je _nf2_
inc ebx
inc ebx
_nf2_:
test cl,B_PREFIX6X ;¥áâì «¨ ¢ ª®¬ ­¤¥ ­¥¯®á।á⢥­­®¥ §­ ç¥­¨¥?
je _endflag_
dec dl ;¥áâì «¨ 0x66(0x67 ¤«ï [0xA0,0xA3]) ¢ à §¡¨à ¥¬®© ª®¬ ­¤¥?
je _okp66_
inc ebx
inc ebx
_okp66_:
inc ebx
inc ebx
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND ä« £¨xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_endflag_:
push ecx
push edi
mov ecx,ebp
add edi,12
rep movsb
sub edi,ebp
add edi,8
mov ecx,ebx
rep movsb
pop edi
pop dword ptr [edi+1]
sub esi,dword ptr [esp+4];eax
xchg esi,eax
mov byte ptr [edi+0],al
mov dword ptr [esp+7*4],eax ;á®å࠭塞 à §¬¥à ¢ ¥ å
xchg ebp,eax
mov byte ptr [edi+7],al
mov byte ptr [edi+8],bl
popad
ret ;¢ë室¨¬:)
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;Š®­¥æ ä㭪樨 _LiTo_ ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SizeOfLiTo equ $-_LiTo_ ;à §¬¥à ä㭪樨 _LiTo_