大家好,我想实现如下功能:
对一个PE文件的资源区进行加密,当然,不能进行加密的图标和版本信息不要求实现加密功能。
我的想法就是,对其中自定义的资源进行加密,也就是除图标和版本两信息之外的资源。网上找到的办法,都是用汇编来实现的:
找到资源地址,移位,再进行简单的XOR方式的加密。无奈本人汇编技术不入流,不知如何用VB内嵌汇编来实现此操作。哎附上原汇编加密办法:
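;-----------------------------------------------------------------------
; Syntax: MASM (ml), 32-bit x86. The calling convention comes from the
; file's .model / PROTO declarations, which are not part of this listing.
;
; Both procedures parse the resource directory of a PE file that may be
; malformed. Every count, offset and length read from the file is
; untrusted.
;-----------------------------------------------------------------------

;-----------------------------------------------------------------------
; ResViewEntry
; Walks one IMAGE_RESOURCE_DIRECTORY, prints each entry through
; JudegeResourceEntryLevel, recurses into sub-directories and hands each
; data entry to OutputToFile.
;
; In:    pEntry  = pointer to an IMAGE_RESOURCE_DIRECTORY
;        dwLevel = tree depth: 0 = type, 1 = name, 2 = language
; Regs:  ebx = entries left in this directory
;        edi = current IMAGE_RESOURCE_DIRECTORY_ENTRY
; Saved: ebx ecx edx edi esi (USES list)
;
; NOTE(review): no size for the resource section or the mapped file is
; in scope here, so offsets and Size1 taken from the file cannot be
; range-checked in this procedure. Validate them against the mapping
; size before trusting the pointers derived below.
;-----------------------------------------------------------------------
ResViewEntry proc uses ebx ecx edx edi esi pEntry : LPVOID, dwLevel : DWORD
    LOCAL   szOutFileName[MAX_PATH] : BYTE
    LOCAL   dwDataSize : DWORD
    LOCAL   dwFileOffset : DWORD

    ; A resource tree has three levels (0, 1, 2). Refusing to go deeper
    ; stops a crafted directory that points back at itself from
    ; recursing until the stack is exhausted.
    cmp     dwLevel, 2
    ja      ResViewDone

    mov     esi, pEntry
    assume  esi : ptr IMAGE_RESOURCE_DIRECTORY

    ; Entry count = named entries + ID entries. Summing in 32 bits keeps
    ; a 16-bit wrap from turning a huge count into a small one.
    movzx   ebx, word ptr [esi].NumberOfNamedEntries
    movzx   eax, word ptr [esi].NumberOfIdEntries
    add     ebx, eax
    jz      ResViewDone                 ; empty directory: nothing to walk

    ; The ebx IMAGE_RESOURCE_DIRECTORY_ENTRY records follow the header.
    add     esi, sizeof IMAGE_RESOURCE_DIRECTORY
    mov     edi, esi
    assume  edi : ptr IMAGE_RESOURCE_DIRECTORY_ENTRY

ResDirEntryLoop:
    ; Print this entry for the current level.
    invoke  JudegeResourceEntryLevel, edi, dwLevel

    mov     eax, dword ptr [edi].OffsetToData
    test    eax, FIRSTBIT
    jz      FoundTheDataEntry

    ; High bit set: the low 31 bits are the offset of a sub-directory,
    ; relative to the start of the resource section.
    and     eax, 7FFFFFFFh
    add     eax, g_pResSection
    mov     edx, dwLevel
    inc     edx
    invoke  ResViewEntry, eax, edx
    jmp     ContinueResDirEntryLoop

FoundTheDataEntry:
    ; High bit clear: the offset names an IMAGE_RESOURCE_DATA_ENTRY.
    add     eax, g_pResSection
    assume  eax : ptr IMAGE_RESOURCE_DATA_ENTRY
    mov     edx, dword ptr [eax].Size1
    mov     dwDataSize, edx             ; kept in a local across the calls
    mov     eax, dword ptr [eax].OffsetToData
    assume  eax : nothing

    ; Convert the RVA to a file offset.
    invoke  RVA2Offset, g_pMem, eax
    mov     dwFileOffset, eax

    ; NOTE(review): wsprintf stops at 1024 bytes, which is more than this
    ; MAX_PATH buffer holds; confirm g_szOutOrdFormat cannot expand
    ; past MAX_PATH.
    invoke  wsprintf, addr szOutFileName, offset g_szOutOrdFormat, eax

    mov     eax, dwFileOffset
    add     eax, g_pMem
    ; NOTE(review): dwDataSize comes straight from the file; a value
    ; larger than the mapping makes OutputToFile read past its end.
    invoke  OutputToFile, addr szOutFileName, eax, dwDataSize

ContinueResDirEntryLoop:
    add     edi, sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY
    dec     ebx
    jnz     ResDirEntryLoop

ResViewDone:
    assume  esi : nothing
    assume  edi : nothing
    ret
ResViewEntry endp

; Longest resource name, in WCHARs, that fits in the MAX_PATH-byte
; scratch buffer while leaving room for a terminating zero.
RES_NAME_MAX_CHARS = (MAX_PATH / 2) - 1

;-----------------------------------------------------------------------
; JudegeResourceEntryLevel
; Prints one directory entry according to its level:
;   0 -> passes Name1 to ShowResourceType
;   1 -> prints the resource name (string or numeric ID)
;   anything else -> prints Name1 as the language constant
;
; In:    pResEntry = pointer to an IMAGE_RESOURCE_DIRECTORY_ENTRY
;        dwLevel   = tree depth of that entry
; Saved: ebx ecx edx edi esi (USES list)
;-----------------------------------------------------------------------
JudegeResourceEntryLevel proc uses ebx ecx edx edi esi pResEntry : LPVOID, dwLevel : DWORD
    LOCAL   szTmpBuf[MAX_PATH] : BYTE
    LOCAL   wszStrFmt[4] : WORD

    ; Zero the scratch buffer so a copied name is always terminated.
    mov     ecx, MAX_PATH
    lea     edi, szTmpBuf
    xor     eax, eax
    cld
    rep stosb

    mov     edi, pResEntry
    assume  edi : ptr IMAGE_RESOURCE_DIRECTORY_ENTRY

    mov     eax, dwLevel
    test    eax, eax
    jnz     JudgeLevelOne

    ; Level 0: show the resource type.
    mov     eax, dword ptr [edi].Name1
    invoke  ShowResourceType, eax
    jmp     ExitJudgeLevel

JudgeLevelOne:
    cmp     eax, 1
    jnz     JudgeLevelTwo

    ; Level 1: show the resource name.
    mov     eax, dword ptr [edi].Name1
    ; High bit clear means the entry is identified by a numeric ID.
    test    eax, FIRSTBIT
    jz      UseID

    ; High bit set: the low 31 bits are the offset of an
    ; IMAGE_RESOURCE_DIR_STRING_U inside the resource section.
    and     eax, 7FFFFFFFh
    add     eax, g_pResSection
    assume  eax : ptr IMAGE_RESOURCE_DIR_STRING_U
    lea     esi, [eax].NameString
    lea     edi, szTmpBuf

    ; Length1 is a 16-bit WCHAR count taken from the file. Clamp it to
    ; the buffer so a long or corrupt name cannot overwrite the stack
    ; frame; longer names are printed truncated.
    movzx   ecx, word ptr [eax].Length1
    cmp     ecx, RES_NAME_MAX_CHARS
    jbe     CopyResName
    mov     ecx, RES_NAME_MAX_CHARS
CopyResName:
    cld
    rep movsw

    ; Build the wide format L"%s" on the stack. The name is passed as
    ; data, never as the format string, so '%' characters inside a
    ; resource name are printed rather than interpreted. With the
    ; Microsoft CRT, %s in wprintf takes a wide string.
    mov     word ptr wszStrFmt[0], '%'
    mov     word ptr wszStrFmt[2], 's'
    mov     word ptr wszStrFmt[4], 0

    invoke  crt_printf, offset g_szOutFormat, offset g_szResNameByStr
    invoke  crt_wprintf, addr wszStrFmt, addr szTmpBuf
    invoke  crt_printf, offset g_szOutFormat, offset g_szEndLine
    jmp     ExitJudgeLevel

UseID:
    invoke  crt_printf, offset g_szResNameById, eax
    jmp     ExitJudgeLevel

JudgeLevelTwo:
    ; Third level is the language; print the language constant.
    mov     eax, dword ptr [edi].Name1
    invoke  crt_printf, offset g_szResLang, eax

ExitJudgeLevel:
    assume  eax : nothing
    assume  edi : nothing
    ret
JudegeResourceEntryLevel endp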
本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/iiprogram/archive/2008/07/14/2649831.aspx
对一个PE文件的资源区进行加密,当然,不能进行加密的图标和版本信息不要求实现加密功能。
我的想法就是,对其中自定义的资源进行加密,也就是除图标和版本两信息之外的资源。网上找到的办法,都是用汇编来实现的:
找到资源地址,移位,再进行简单的XOR方式的加密。无奈本人汇编技术不入流,不知如何用VB内嵌汇编来实现此操作。哎附上原汇编加密办法:
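;-----------------------------------------------------------------------
; Syntax: MASM (ml), 32-bit x86. The calling convention comes from the
; file's .model / PROTO declarations, which are not part of this listing.
;
; Both procedures parse the resource directory of a PE file that may be
; malformed. Every count, offset and length read from the file is
; untrusted.
;-----------------------------------------------------------------------

;-----------------------------------------------------------------------
; ResViewEntry
; Walks one IMAGE_RESOURCE_DIRECTORY, prints each entry through
; JudegeResourceEntryLevel, recurses into sub-directories and hands each
; data entry to OutputToFile.
;
; In:    pEntry  = pointer to an IMAGE_RESOURCE_DIRECTORY
;        dwLevel = tree depth: 0 = type, 1 = name, 2 = language
; Regs:  ebx = entries left in this directory
;        edi = current IMAGE_RESOURCE_DIRECTORY_ENTRY
; Saved: ebx ecx edx edi esi (USES list)
;
; NOTE(review): no size for the resource section or the mapped file is
; in scope here, so offsets and Size1 taken from the file cannot be
; range-checked in this procedure. Validate them against the mapping
; size before trusting the pointers derived below.
;-----------------------------------------------------------------------
ResViewEntry proc uses ebx ecx edx edi esi pEntry : LPVOID, dwLevel : DWORD
    LOCAL   szOutFileName[MAX_PATH] : BYTE
    LOCAL   dwDataSize : DWORD
    LOCAL   dwFileOffset : DWORD

    ; A resource tree has three levels (0, 1, 2). Refusing to go deeper
    ; stops a crafted directory that points back at itself from
    ; recursing until the stack is exhausted.
    cmp     dwLevel, 2
    ja      ResViewDone

    mov     esi, pEntry
    assume  esi : ptr IMAGE_RESOURCE_DIRECTORY

    ; Entry count = named entries + ID entries. Summing in 32 bits keeps
    ; a 16-bit wrap from turning a huge count into a small one.
    movzx   ebx, word ptr [esi].NumberOfNamedEntries
    movzx   eax, word ptr [esi].NumberOfIdEntries
    add     ebx, eax
    jz      ResViewDone                 ; empty directory: nothing to walk

    ; The ebx IMAGE_RESOURCE_DIRECTORY_ENTRY records follow the header.
    add     esi, sizeof IMAGE_RESOURCE_DIRECTORY
    mov     edi, esi
    assume  edi : ptr IMAGE_RESOURCE_DIRECTORY_ENTRY

ResDirEntryLoop:
    ; Print this entry for the current level.
    invoke  JudegeResourceEntryLevel, edi, dwLevel

    mov     eax, dword ptr [edi].OffsetToData
    test    eax, FIRSTBIT
    jz      FoundTheDataEntry

    ; High bit set: the low 31 bits are the offset of a sub-directory,
    ; relative to the start of the resource section.
    and     eax, 7FFFFFFFh
    add     eax, g_pResSection
    mov     edx, dwLevel
    inc     edx
    invoke  ResViewEntry, eax, edx
    jmp     ContinueResDirEntryLoop

FoundTheDataEntry:
    ; High bit clear: the offset names an IMAGE_RESOURCE_DATA_ENTRY.
    add     eax, g_pResSection
    assume  eax : ptr IMAGE_RESOURCE_DATA_ENTRY
    mov     edx, dword ptr [eax].Size1
    mov     dwDataSize, edx             ; kept in a local across the calls
    mov     eax, dword ptr [eax].OffsetToData
    assume  eax : nothing

    ; Convert the RVA to a file offset.
    invoke  RVA2Offset, g_pMem, eax
    mov     dwFileOffset, eax

    ; NOTE(review): wsprintf stops at 1024 bytes, which is more than this
    ; MAX_PATH buffer holds; confirm g_szOutOrdFormat cannot expand
    ; past MAX_PATH.
    invoke  wsprintf, addr szOutFileName, offset g_szOutOrdFormat, eax

    mov     eax, dwFileOffset
    add     eax, g_pMem
    ; NOTE(review): dwDataSize comes straight from the file; a value
    ; larger than the mapping makes OutputToFile read past its end.
    invoke  OutputToFile, addr szOutFileName, eax, dwDataSize

ContinueResDirEntryLoop:
    add     edi, sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY
    dec     ebx
    jnz     ResDirEntryLoop

ResViewDone:
    assume  esi : nothing
    assume  edi : nothing
    ret
ResViewEntry endp

; Longest resource name, in WCHARs, that fits in the MAX_PATH-byte
; scratch buffer while leaving room for a terminating zero.
RES_NAME_MAX_CHARS = (MAX_PATH / 2) - 1

;-----------------------------------------------------------------------
; JudegeResourceEntryLevel
; Prints one directory entry according to its level:
;   0 -> passes Name1 to ShowResourceType
;   1 -> prints the resource name (string or numeric ID)
;   anything else -> prints Name1 as the language constant
;
; In:    pResEntry = pointer to an IMAGE_RESOURCE_DIRECTORY_ENTRY
;        dwLevel   = tree depth of that entry
; Saved: ebx ecx edx edi esi (USES list)
;-----------------------------------------------------------------------
JudegeResourceEntryLevel proc uses ebx ecx edx edi esi pResEntry : LPVOID, dwLevel : DWORD
    LOCAL   szTmpBuf[MAX_PATH] : BYTE
    LOCAL   wszStrFmt[4] : WORD

    ; Zero the scratch buffer so a copied name is always terminated.
    mov     ecx, MAX_PATH
    lea     edi, szTmpBuf
    xor     eax, eax
    cld
    rep stosb

    mov     edi, pResEntry
    assume  edi : ptr IMAGE_RESOURCE_DIRECTORY_ENTRY

    mov     eax, dwLevel
    test    eax, eax
    jnz     JudgeLevelOne

    ; Level 0: show the resource type.
    mov     eax, dword ptr [edi].Name1
    invoke  ShowResourceType, eax
    jmp     ExitJudgeLevel

JudgeLevelOne:
    cmp     eax, 1
    jnz     JudgeLevelTwo

    ; Level 1: show the resource name.
    mov     eax, dword ptr [edi].Name1
    ; High bit clear means the entry is identified by a numeric ID.
    test    eax, FIRSTBIT
    jz      UseID

    ; High bit set: the low 31 bits are the offset of an
    ; IMAGE_RESOURCE_DIR_STRING_U inside the resource section.
    and     eax, 7FFFFFFFh
    add     eax, g_pResSection
    assume  eax : ptr IMAGE_RESOURCE_DIR_STRING_U
    lea     esi, [eax].NameString
    lea     edi, szTmpBuf

    ; Length1 is a 16-bit WCHAR count taken from the file. Clamp it to
    ; the buffer so a long or corrupt name cannot overwrite the stack
    ; frame; longer names are printed truncated.
    movzx   ecx, word ptr [eax].Length1
    cmp     ecx, RES_NAME_MAX_CHARS
    jbe     CopyResName
    mov     ecx, RES_NAME_MAX_CHARS
CopyResName:
    cld
    rep movsw

    ; Build the wide format L"%s" on the stack. The name is passed as
    ; data, never as the format string, so '%' characters inside a
    ; resource name are printed rather than interpreted. With the
    ; Microsoft CRT, %s in wprintf takes a wide string.
    mov     word ptr wszStrFmt[0], '%'
    mov     word ptr wszStrFmt[2], 's'
    mov     word ptr wszStrFmt[4], 0

    invoke  crt_printf, offset g_szOutFormat, offset g_szResNameByStr
    invoke  crt_wprintf, addr wszStrFmt, addr szTmpBuf
    invoke  crt_printf, offset g_szOutFormat, offset g_szEndLine
    jmp     ExitJudgeLevel

UseID:
    invoke  crt_printf, offset g_szResNameById, eax
    jmp     ExitJudgeLevel

JudgeLevelTwo:
    ; Third level is the language; print the language constant.
    mov     eax, dword ptr [edi].Name1
    invoke  crt_printf, offset g_szResLang, eax

ExitJudgeLevel:
    assume  eax : nothing
    assume  edi : nothing
    ret
JudegeResourceEntryLevel endp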
本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/iiprogram/archive/2008/07/14/2649831.aspx
我就是这个意思哈
加密,用时解密,但是,小弟对此有迷惑,望能得到大哥指点~