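;--Written by Tycho Veltmeijer
;--Example code to use with PETool
;--1 This code will show the message 'This program has been hacked^^'
;--2 Next it asks a question 'Do you still want to start the actual program?'
;--3 If you click 'Yes' it will run the original entry point of the program
;--  'No' will end the program
;
;---How to add this code to another 32-bit Windows program?
; 1. Compile the example code with Flat Assembler (FASM, flat binary, org 0).
; 2. Open PETool.
; 3. Open the application to expand with PETool using the instruction open (like open c:\temp\test.exe).
; 4. Add the compiled code using the instruction addcode (like addcode example).
; 5. Recalculate the checksum by executing the instruction fixsum.
; 6. Close PETool by using the instruction close.
; 7. Open the expanded program to see the result.
;!important: make a copy of the original application you are going to expand, so you can recover the original!
;
;--- Layout / assumptions (reviewer notes) ---
; * The stub is position independent: 'call Start' is the first instruction, so the
;   return address it pushes minus 5 is the absolute address of the stub ("code base").
;   Message/Message2/Title are assemble-time offsets from that base.
; * The two dwords stored directly in front of the stub are read at run time:
;   [base-8] is presumably the RVA of this stub and [base-4] the original entry-point
;   RVA (both presumably written by PETool's addcode); base-[base-8]+[base-4] is the
;   address that is jumped to. TODO confirm against PETool.
; * kernel32.dll is taken as the SECOND entry of PEB->Ldr->InInitializationOrderModuleList.
;   That holds on older Windows versions; newer versions may place another system DLL
;   (e.g. KernelBase.dll) there, in which case LoadLibraryA may not be found. Every lookup
;   is now NULL-checked and on failure the stub simply runs the original entry point.
; * Export resolution is by ror13 hash of the function name only (no module name);
;   forwarded exports are not followed.
; * eax/ecx/edx and the flags are NOT what the loader left when the original entry point
;   is reached; normal CRT start-up code does not care, a packer that relies on the
;   initial register state might. TODO confirm for the target binary.
; * The spelling "ectual" in Message2 is kept unchanged on purpose: it is the text the
;   user sees and changing it would change the program's output.

use32

;--- named offsets / constants (none of these emit bytes, 'call Start' stays at offset 0) ---
TEB_PEB                      = 0x30   ; fs:[0x30] = TEB.ProcessEnvironmentBlock
PEB_LDR                      = 0x0C   ; PEB.Ldr
LDR_INIT_ORDER_LIST          = 0x1C   ; PEB_LDR_DATA.InInitializationOrderModuleList.Flink
LDR_ENTRY_DLLBASE            = 0x08   ; LDR_DATA_TABLE_ENTRY.DllBase, relative to the InInitializationOrder link
PE_E_LFANEW                  = 0x3C   ; IMAGE_DOS_HEADER.e_lfanew
PE_EXPORT_DIR_RVA            = 0x78   ; IMAGE_NT_HEADERS32 -> DataDirectory[EXPORT].VirtualAddress
EXP_NUMBER_OF_NAMES          = 0x18   ; IMAGE_EXPORT_DIRECTORY.NumberOfNames
EXP_ADDRESS_OF_FUNCTIONS     = 0x1C   ; IMAGE_EXPORT_DIRECTORY.AddressOfFunctions
EXP_ADDRESS_OF_NAMES         = 0x20   ; IMAGE_EXPORT_DIRECTORY.AddressOfNames
EXP_ADDRESS_OF_NAME_ORDINALS = 0x24   ; IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals
HASH_LOADLIBRARYA            = 0xEC0E4E8E ; ror13 hash of "LoadLibraryA"
HASH_MESSAGEBOXA             = 0xBC4DA2A8 ; ror13 hash of "MessageBoxA"
MB_OK                        = 0x00
MB_YESNO                     = 0x04
MB_ICONINFORMATION           = 0x40
IDYES                        = 6

;---------
; Call Start to get the begin pointer of the module: the pushed return address is
; the address of Message, and Message sits exactly 5 bytes (one E8 rel32) after the base.
        call    Start
Message  db 'This program has been hacked^^',0
Message2 db 'Do you still want to start the ectual program?',0
Title    db 'Hacked',0

;-----------------------------------------------------------------------
; Start - entry point of the stub (reached through the patched PE entry point)
; Stack frame:
;   [ebp+0x4]  code base (absolute address of 'call Start')
;   [ebp-0x4]  kernel32.dll base
;   [ebp-0x8]  LoadLibraryA
;   [ebp-0xC]  MessageBoxA
; Leaves either through 'jmp' to the original entry point (stack exactly as on entry)
; or through 'ret' to the loader thunk with eax = 0.
;-----------------------------------------------------------------------
Start:
        sub     dword [esp],5                   ; return address -> code base (make it absolute)
        push    ebp
        mov     ebp,esp
        sub     esp,0x40

        ;--- kernel32.dll base: 2nd entry of the initialization-order module list
        mov     eax,dword [fs:TEB_PEB]
        mov     eax,dword [eax+PEB_LDR]
        mov     eax,dword [eax+LDR_INIT_ORDER_LIST] ; 1st entry (ntdll)
        mov     eax,dword [eax]                 ; 2nd entry
        mov     eax,dword [eax+LDR_ENTRY_DLLBASE]
        mov     dword [ebp-0x4],eax

        ;--- LoadLibraryA
        push    HASH_LOADLIBRARYA
        push    dword [ebp-0x4]
        call    get_function_address_by_hash
        test    eax,eax
        jz      RunOriginal                     ; not exported here: do not call through garbage, run the host
        mov     dword [ebp-0x8],eax

        ;--- build "USER32.DLL",0 on the stack (string starts at esp+1) and load it
        push    0x004C4C44                      ; "DLL",0
        push    0x2E323352                      ; "R32."
        push    0x45535500                      ; 0,"USE"
        lea     ecx,[esp+1]
        push    ecx
        call    dword [ebp-0x8]                 ; LoadLibraryA("USER32.DLL"); stdcall, pops its own argument
        add     esp,0xC                         ; drop the 12-byte string
        test    eax,eax
        jz      RunOriginal                     ; user32 could not be loaded

        ;--- MessageBoxA
        push    HASH_MESSAGEBOXA
        push    eax                             ; user32.dll base
        call    get_function_address_by_hash
        test    eax,eax
        jz      RunOriginal
        mov     dword [ebp-0xC],eax

        ;--- MessageBoxA(0, Message, Title, MB_OK)
        mov     eax,dword [ebp+0x4]
        add     eax,Message
        mov     ecx,dword [ebp+0x4]
        add     ecx,Title
        push    MB_OK
        push    ecx
        push    eax
        push    0
        call    dword [ebp-0xC]

        ;--- MessageBoxA(0, Message2, Title, MB_YESNO|MB_ICONINFORMATION)
        mov     eax,dword [ebp+0x4]
        add     eax,Message2
        mov     ecx,dword [ebp+0x4]
        add     ecx,Title
        push    MB_YESNO or MB_ICONINFORMATION  ; = 0x44
        push    ecx
        push    eax
        push    0
        call    dword [ebp-0xC]
        cmp     eax,IDYES
        jne     Exit                            ; anything but 'Yes' ends the program

RunOriginal:
        ; edx = (code base - [base-8]) + [base-4]; see the layout notes at the top
        mov     ecx,dword [ebp+0x4]             ; ecx = code base
        mov     edx,dword [ecx-4]               ; edx = original entry-point RVA (presumably)
        sub     ecx,dword [ecx-8]               ; ecx = image base (presumably base - RVA of this stub)
        add     edx,ecx                         ; edx = absolute original entry point
        mov     esp,ebp
        pop     ebp
        add     esp,0x4                         ; drop the code-base slot left by 'call Start'
        jmp     edx                             ; stack is now exactly as the loader left it

Exit:
        xor     eax,eax                         ; exit code 0 for the loader thunk
        mov     esp,ebp
        pop     ebp
        add     esp,0x4
        ret

;-----------------------------------------------------------------------
; get_function_address_by_hash(base, hash)  -- stdcall, 'ret 8'
;   [esp+4] base : module base address (HMODULE)
;   [esp+8] hash : ror13 hash of the exported name
; Out:  eax = absolute address of the export, or 0 when the module has no export
;       directory or no name with that hash.
; Preserves all other general-purpose registers; clobbers flags.
; Previously index 0 of AddressOfNames was never tested and a miss returned the
; address of ordinal 0, so a missing export produced a call to an arbitrary function.
;-----------------------------------------------------------------------
get_function_address_by_hash:
        push    ecx
        push    edx
        push    ebx
        push    edi
        push    esi
        push    ebp
        mov     ebp,esp
        mov     eax,dword [ebp+0x1C]            ; eax = module base (kept for the whole search)
        mov     esi,dword [ebp+0x20]            ; esi = wanted hash
        mov     ebx,dword [eax+PE_E_LFANEW]
        mov     ebx,dword [eax+ebx+PE_EXPORT_DIR_RVA]
        test    ebx,ebx
        jz      .not_found                      ; no export directory
        add     ebx,eax                         ; ebx = IMAGE_EXPORT_DIRECTORY
        mov     ecx,dword [ebx+EXP_NUMBER_OF_NAMES]
        mov     edx,dword [ebx+EXP_ADDRESS_OF_NAMES]
        add     edx,eax                         ; edx = AddressOfNames (table of name RVAs)
.next_name:
        test    ecx,ecx
        jz      .not_found                      ; all names tried, including index 0
        dec     ecx                             ; ecx = index of the name to try (last .. 0)
        push    esi                             ; keep the wanted hash
        mov     esi,dword [edx+ecx*4]
        add     esi,eax                         ; esi = exported name (ASCIIZ)
        xor     edi,edi                         ; edi = running hash
        push    eax                             ; keep the module base
.hash_char:
        movzx   eax,byte [esi]
        test    al,al
        jz      .hash_done
        ror     edi,13
        add     edi,eax
        inc     esi
        jmp     .hash_char
.hash_done:
        pop     eax
        pop     esi
        cmp     edi,esi
        jnz     .next_name
        ; found: ecx = name index -> ordinal -> function RVA
        mov     edx,dword [ebx+EXP_ADDRESS_OF_NAME_ORDINALS]
        add     edx,eax
        movzx   ecx,word [edx+ecx*2]            ; ecx = index into AddressOfFunctions
        mov     edx,dword [ebx+EXP_ADDRESS_OF_FUNCTIONS]
        add     edx,eax
        add     eax,dword [edx+ecx*4]           ; eax = base + function RVA
        jmp     .done
.not_found:
        xor     eax,eax
.done:
        mov     esp,ebp
        pop     ebp
        pop     esi
        pop     edi
        pop     ebx
        pop     edx
        pop     ecx
        ret     0x8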