Shell recently developed, but the main safe shell I do not write on the subject, so the encryption and decryption method code of self-clearing openly implemented in delphi, the experts do not read, very simple.
First we have to define several processes,
procedure EncryptCode (Badress, size, key: cardinal); // Badress encrypted start address, size is the size of encryption, key encryption key
where
CTemp:cardinal;
begin
Virtulloc (pointer (Badress), Size, Page_readwrite, Ctemp); // function name is not up to pull level.
person
push eax;
push ebx;
push ecx;
mov eax,badress;
mov ebx,size;
mov ecx,key;
xor dword ptr ds:[eax],ecx;
add eax,4;
dec ebx;
db $ 75, fc; // here may not be correct, anyway, to xor dword ptr ds: [eax], ecx; jump can pull
pop even;
pop ebx;
pop eax;
end;
end;
Encryption and decryption is the same piece of code.
Code Clear
procedure CleanCode (Badress, size, key: cardinal); // Badress encrypted start address, size is the size of encryption, key encryption key
where
CTemp:cardinal;
begin
Virtulloc (pointer (Badress), Size, Page_readwrite, Ctemp); // function name is not up to pull level.
person
push eax;
push ebx;
push ecx;
mov eax,badress;
mov ebx,size;
mov ecx,key;
xor dword ptr ds:[eax],0;
add eax,1;
dec ebx;
db $ 75, fc; // here may not be correct, anyway, to xor dword ptr ds: [eax], ecx; jump can pull
pop even;
pop ebx;
pop eax;
end;
end;
Now you can call pull. Call the method is very simple, but be aware that the encryption code encryption can not make calls to their own process. Of course, for this we use badress
call XXXXXXXX;
pop eax;
Get.
Of course, there are a lot to do I do not say pull. I believe we all know.
Only I think, not impossible. Internet access