//VC++6外衣 1
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
$58, $58, $58, $8B, $E8, $E9, $07, $B9, $FE, $FF, $00, $00, $00, $00, $00, $00);
//VC++6外衣 2
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
$58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00);
1.直接將入口地址賦給寄存器eax,然后jmp eax
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
2. 直接跳轉到入口地址
00469124 - E9 07B9FEFF jmp Project1.00454A30
兩種效果實際上是一樣的,但我們為了方便修改花指令跳轉到原來的入口地址,通常取得原
pe header的AddressOfEntryPoint,然后給寄存器eax保存改值,所以第二種方法就不太方便,
所以一般采用第一種方法,JMPOFF為花指令代碼到跳轉指令的偏移,如對Visual C++的花指令
JMPOFF=54,其后免跟的是原入口地址,可以隨便填寫,程序加花指令是會自動修改,一般可以
默認設為00104000(即00401000).
通過匯編修改花指令跳轉原入口地址的語句:
asm //這里說明一下,這是嵌入的匯編代碼,寄存器—CPU暫時儲存數據的東西,比內存更快,以提高效率
PUSHAD
LEA eax, OEPCODE //將OEPCODE的地址交給寄存器
ADD eax, JMPOFF //添加JMPOFF值給寄存器
MOV edx, AddressOfEntryPoint //轉移指令,相當于付值語句,左邊給右邊
MOV DWORD ptr [eax], edx //同上
POPAD
end;
}
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, ExtCtrls, ShellAPI;
type
TForm1 = class(TForm)
Label1: TLabel;
Edit1: TEdit;
Button1: TButton;
RadioGroup1: TRadioGroup;
Label2: TLabel;
Edit2: TEdit;
Label3: TLabel;
Edit3: TEdit;
CheckBox1: TCheckBox;
Button2: TButton;
Label5: TLabel;
OpenDialog1: TOpenDialog;
Label4: TLabel;
procedure Button1Click(Sender: TObject);
procedure obtain;
procedure Button2Click(Sender: TObject);
procedure Label4Click(Sender: TObject);
procedure Edit3KeyPress(Sender: TObject; var Key: Char);
private
{ Private declarations }
FImageBase: DWORD;
procedure SetOepCode;
public
{ Public declarations }
end;
THEAD = array[0..63] of byte;
var
Form1: TForm1;
const
{MYSECTION = 'Fi7ke'; //添加的節名,自定義
JMPOFF = 43; //花指令的機器碼,Ollydbg加載后隨便取
//Microsoft Visual C++
OEPCODE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38,
$90, $0D, $00, $64, $A1, $00, $00, $00, $00, $50, $64, $89,
$25, $00, $00, $00, $00, $58, $64, $A3, $00, $00, $00, $00,
$58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00); }
//Nothing found * one
OEPCODEONE: THEAD =
($55, $8B, $EC, $83, $C4, $F4, $83, $C4, $0C, $B8, $00, $10, $40, $00, $50, $C3,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
//Nothing found * two
OEPCODETWO: THEAD =
($55, $8B, $EC, $41, $52, $90, $5A, $49, $5D, $41, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
//VC++外衣
OEPCODETHREE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38, $90, $0D, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
$00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
//VC++5外衣
OEPCODEFOUR: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $48, $54, $41, $00, $68, $A8, $21, $40, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $C4, $94,
$53, $56, $57, $00, $00, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
//VC++6外衣
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
$58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00);
//C外衣
OEPCODESIX: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $11, $11, $11, $00, $68, $22, $22, $22, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
$00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);
OepCount = 6;
//OEPCODEARRAY :array[0..OepCount-1,0..63] of byte=(
//OEPCODEARRAY :array[0..OepCount-1] of array[0..63] of byte=(
OEPCODEARRAY :array[0..OepCount-1] of THEAD=(
($55, $8B, $EC, $83, $C4, $F4, $83, $C4, $0C, $B8, $00, $10, $40, $00, $50, $C3,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), //Nothing found * one
($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38, $90, $0D, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
$00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), //VC++外衣
($55, $8B, $EC, $6A, $FF, $68, $48, $54, $41, $00, $68, $A8, $21, $40, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $C4, $94,
$53, $56, $57, $00, $00, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), //VC++5外衣
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
$53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
$58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00), //VC++6外衣
($55, $8B, $EC, $6A, $FF, $68, $11, $11, $11, $00, $68, $22, $22, $22, $00, $64,
$A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
$00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00), //C外衣
($55, $8B, $EC, $41, $52, $90, $5A, $49, $5D, $41, $B8, $00, $10, $40, $00, $FF,
$E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
$00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00) //Nothing found * two
);
JMPOFFARRAY :array[0..OepCount-1] of integer=(10,43,38,54,43,11);
{Nothing found * ONE:
Borland Delphi 6.0 - 7.0
00469022 0055 8B add byte ptr ss:[ebp-75],dl
00469025 EC in al,dx
00469026 83C4 F4 add esp,-0C
00469029 83C4 0C add esp,0C
0046902C B8 304A4500 mov eax,Project1.00454A30
00469031 50 push eax
00469032 C3 retn
Nothing found * TWO
00454A72 55 push ebp
00454A73 8BEC mov ebp,esp
00454A75 41 inc ecx
00454A76 52 push edx
00454A77 90 nop
00454A78 5A pop edx
00454A79 49 dec ecx
00454A7A 5D pop ebp
00454A7B 41 inc ecx
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
C外衣:
00454A6C 55 push ebp
00454A6D 8BEC mov ebp,esp
00454A6F 6A FF push -1
00454A71 68 11111100 push 111111
00454A76 68 22222200 push 222222
00454A7B 64:A1 00000>mov eax,dword ptr fs:[0]
00454A81 50 push eax
00454A82 64:8925 000>mov dword ptr fs:[0],esp
00454A89 58 pop eax
00454A8A 64:A3 00000>mov dword ptr fs:[0],eax
00454A90 58 pop eax
00454A91 58 pop eax
00454A92 58 pop eax
00454A93 58 pop eax
00454A94 8BE8 mov ebp,eax
00454A96 - E9 65F5CAFF jmp 00104000
VC++5外衣:
0046905F P> 55 push ebp
00469060 8BEC mov ebp,esp
00469062 6A FF push -1
00469064 68 48544100 push Project1.00415448
00469069 68 A8214000 push Project1.004021A8
0046906E 64:A1 0000000>mov eax,dword ptr fs:[0]
00469074 50 push eax
00469075 64:8925 00000>mov dword ptr fs:[0],esp
0046907C 83C4 94 add esp,-6C
0046907F 53 push ebx
00469080 56 push esi
00469081 57 push edi
00469082 0000 add byte ptr ds:[eax],al
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
VC++外衣:
00469000 P> 55 push ebp
00469001 8BEC mov ebp,esp
00469003 6A FF push -1
00469005 68 2A2C0A00 push 0A2C2A
0046900A 68 38900D00 push 0D9038
0046900F 64:A1 0000000>mov eax,dword ptr fs:[0]
00469015 50 push eax
00469016 64:8925 00000>mov dword ptr fs:[0],esp
0046901D 58 pop eax
0046901E 64:A3 0000000>mov dword ptr fs:[0],eax
00469024 58 pop eax
00469025 58 pop eax
00469026 58 pop eax
00469027 58 pop eax
00469028 8BE8 mov ebp,eax
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
VC++6外衣:
004690EF P> 55 push ebp
004690F0 8BEC mov ebp,esp
004690F2 6A FF push -1
004690F4 68 00000000 push 0
004690F9 68 00000000 push 0
004690FE 64:A1 0000000>mov eax,dword ptr fs:[0]
00469104 50 push eax
00469105 64:8925 00000>mov dword ptr fs:[0],esp
0046910C 83EC 68 sub esp,68
0046910F 53 push ebx
00469110 56 push esi
00469111 57 push edi
00469112 58 pop eax
00469113 58 pop eax
00469114 58 pop eax
00469115 83C4 68 add esp,68
00469118 58 pop eax
00469119 67:64:A3 0000 mov dword ptr fs:[0],eax
0046911E 58 pop eax
0046911F 58 pop eax
00469120 58 pop eax
00469121 58 pop eax
00469122 8BE8 mov ebp,eax
0046902A B8 304A4500 mov eax,Project1.00454A30
0046902F FFE0 jmp eax
00469031 90 nop
}
function IntToHex(Int: Int64; IntSize: Byte): String;
procedure AddSection(FName,MySection: string;SecSize:DWord);
implementation
{$R *.dfm}
var
OEPCODE: THEAD;
JMPOFF :integer;
function IntToHex(Int: Int64; IntSize: Byte): String;
const
HexChars: array[0..15] of Char = ('0', '1', '2', '3', '4', '5','6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f');
var
n: Byte;
begin
Result := '';
for n := 0 to IntSize - 1 do
begin
Result := HexChars[Int and $F] + Result;
Int := Int shr $4;
end;
end;
procedure AddSection(FName,MySection: string;SecSize:DWord);
var
DOSHEADER: IMAGE_DOS_HEADER; //DOS MZ header
PEHEADER: IMAGE_NT_HEADERS; //PE header
SectionHeader: IMAGE_SECTION_HEADER; //節表
MySectionHeader: IMAGE_SECTION_HEADER; //自定義節表
fs: TFileStream;
AddressOfEntryPoint: DWORD; //入口點
i:integer;
begin
fs := TFileStream.Create(FName, fmOpenReadWrite +
fmShareDenyWrite);
try
{Tstream中定義的虛方法有四個:
1、Read:此方法實現將數據從流中讀出。函數原形為:
Function Read(var Buffer;Count:Longint):Longint;virtual;abstract;
參數Buffer為數據讀出時放置的緩沖區,Count為需要讀出的數據的字節數,該方法返回值為實際讀出的字節數,它可以小于或等于Count中指定的值。
2、Write:此方法實現將數據寫入流中。函數原形為:
Function Write(var Buffer;Count:Longint):Longint;virtual;abstract;
參數Buffer為將要寫入流中的數據的緩沖區,Count為數據的長度字節數,該方法返回值為實際寫入流中的字節數。
3、Seek:此方法實現流中讀取指針的移動。函數原形為:
Function Seek(Offset:Longint;Origint:Word):Longint;virtual;abstract;
參數Offset為偏移字節數,參數Origint指出Offset的實際意義,其可能的取值如下:
soFromBeginning:Offset為移動后指針距離數據開始的位置。此時Offset必須大于或者等于零。
soFromCurrent:Offset為移動后指針與當前指針的相對位置。
soFromEnd:Offset為移動后指針距離數據結束的位置。此時Offset必須小于或者等于零。該方法返回值為移動后指針的位置。
4、Setsize:此方法實現改變數據的大小。函數原形為:
Function Setsize(NewSize:Longint);virtual; }
//將指針偏移量放到文件頭部
fs.Seek(0, soFromBeginning);
//讀取DOS頭信息
fs.Read(DOSHEADER, sizeof(DOSHEADER));
//DOS MZ header 又命名為 IMAGE_DOS_HEADER.。其中只有兩個域比較重要:
//e_magic 包含字符串"MZ",e_lfanew 包含PE header在文件中的偏移量。
//將指針移到PE header在文件中的偏移量
fs.Seek(DOSHEADER._lfanew, soFromBeginning);
//讀取PE header頭信息
fs.Read(PEHEADER, sizeOf(PEHEADER));
//PEHEADER.FileHeader.NumberOfSections:文件的節數目。如果我們要在文件中增加或刪除一個節,就需要修改這個值。
//將指針移到節表在當前位置的相對偏移量
fs.Seek(sizeOf(SectionHeader) *
(PEHEADER.FileHeader.NumberOfSections - 1), soFromCurrent);
//讀取節表的信息
fs.Read(SectionHeader, sizeof(IMAGE_SECTION_HEADER));
//節名長不超過8字節。記住節名僅僅是個標記而已,我們選擇任何名字甚至空著也行
{ MySectionHeader.Name[0] := ord('F');
MySectionHeader.Name[1] := ord('i');
MySectionHeader.Name[2] := ord('7');
MySectionHeader.Name[3] := ord('k');
MySectionHeader.Name[4] := ord('e');
MySectionHeader.Name[5] := 0;
MySectionHeader.Name[6] := 0;
MySectionHeader.Name[7] := 0; }
for i:=0 to 7 do
begin
MySectionHeader.Name[i] :=0;
if i<length(MySection) then
MySectionHeader.Name[i] :=Ord(MySection[i+1]);
end;
//VirtualAddress 本節的RVA(相對虛擬地址)。PE裝載器將節映射至內存時會讀取本值,因此如果域值是1000h,
//而PE文件裝在地址400000h處,那么本節就被載到401000h。
//SizeOfImage 內存中整個PE映像體的尺寸。它是所有頭和節經過節對齊處理后的大小。
MySectionHeader.VirtualAddress := PEHEADER.OptionalHeader.SizeOfImage;
//節的大小 $200十六進制 = 512字節 最好大于 512 不然可能會出錯
//MySectionHeader.Misc.VirtualSize := $200;
MySectionHeader.Misc.VirtualSize := SecSize; //StrToInt(IntToHex(SecSize,sizeof(SecSize)));
//SizeOfRawData 經過文件對齊處理后節尺寸,PE裝載器提取本域值了解需映射入內存的節字節數。
//(譯者注: 假設一個文件的文件對齊尺寸是0x200,如果前面的 VirtualSize域指示本節長度是0x388字節,
//則本域值為0x400,表示本節是0x400字節長)。
//FileAlignment 文件中節對齊的粒度。例如,如果該值是(200h),,那么每節的起始地址必須是512的倍數。
//若第一節從文件偏移量200h開始且大小是10個字節,則下一節必定位于偏移量400h:
//即使偏移量512和1024之間還有很多空間沒被使用/定義。
MySectionHeader.SizeOfRawData := (MySectionHeader.VirtualAddress div
PEHEADER.OptionalHeader.FileAlignment + 1) * PEHEADER.OptionalHeader.FileAlignment -
PEHEADER.OptionalHeader.SizeOfImage;
//這是節基于文件的偏移量,PE裝載器通過本域值找到節數據在文件中的位置。
MySectionHeader.PointerToRawData :=
SectionHeader.SizeOfRawData + SectionHeader.PointerToRawData;
//包含標記以指示節屬性,比如節是否含有可執行代碼、初始化數據、未初始數據,是否可寫、可讀等。
MySectionHeader.Characteristics := $E0000020;
{PE裝載器的工作:
1.讀取 IMAGE_FILE_HEADER 的 NumberOfSections域,知道文件的節數目。
2.SizeOfHeaders 域值作為節表的文件偏移量,并以此定位節表。
3.遍歷整個結構數組檢查各成員值。
4.對于每個結構,我們讀取PointerToRawData域值并定位到該文件偏移量。然后再讀取SizeOfRawData域值來決定
映射內存的字節數。將VirtualAddress域值加上ImageBase域值等于節起始的虛擬地址。然后就準備把節映射進內存,
并根據Characteristics域值設置屬性。
5.遍歷整個數組,直至所有節都已處理完畢。
注意我們并沒有使用節名: 這其實并不重要。}
//節表數量加一
Inc(PEHEADER.FileHeader.NumberOfSections);
//寫入新加入的節表
fs.Write(MySectionHeader, sizeOf(MySectionHeader));
//將指針移到PE header在文件中的偏移量
fs.Seek(DOSHEADER._lfanew, soFromBeginning);
//PE裝載器準備運行的PE文件的第一個指令的RVA。若您要改變整個執行的流程,
//可以將該值指定到新的RVA,這樣新RVA處的指令首先被執行。
AddressOfEntryPoint := PEHEADER.OptionalHeader.AddressOfEntryPoint;
//將入口地址指定到新加節表的RVA(相對虛擬地址)
PEHEADER.OptionalHeader.AddressOfEntryPoint :=
MySectionHeader.VirtualAddress;
//win32子系統版本。
PEHEADER.OptionalHeader.MajorLinkerVersion := 7;
PEHEADER.OptionalHeader.MinorLinkerVersion := 0;
AddressOfEntryPoint := AddressOfEntryPoint +
PEHEADER.OptionalHeader.ImageBase;
asm //這里說明一下,這是嵌入的匯編代碼,寄存器—CPU暫時儲存數據的東西,比內存更快,以提高效率
PUSHAD
LEA eax, OEPCODE //將OEPCODE的地址交給寄存器
ADD eax, JMPOFF //添加JMPOFF值給寄存器
MOV edx, AddressOfEntryPoint //轉移指令,相當于付值語句,左邊給右邊
MOV DWORD ptr [eax], edx //同上
POPAD
end;
//更改內存中整個PE映像體的尺寸
PEHEADER.OptionalHeader.SizeOfImage :=
PEHEADER.OptionalHeader.SizeOfImage + MySectionHeader.Misc.VirtualSize;
//寫入PEHEADER信息
fs.Write(PEHEADER, sizeof(PEHEADER));
//移動指針到文件尾部
fs.Seek(fs.Size, soFromBeginning);
//寫入花指令數據
fs.Write(OEPCODE, MySectionHeader.Misc.VirtualSize);
finally
fs.Free;
end;
end;
procedure TForm1.Button1Click(Sender: TObject);
begin
if OpenDialog1.Execute then
edit1.Text :=OpenDialog1.FileName;
end;
procedure TForm1.obtain;
var
DOSHEADER: IMAGE_DOS_HEADER;
PEHEADER: IMAGE_NT_HEADERS;
fs: TFileStream;
begin
fs := TFileStream.Create(Edit1.Text, fmOpenReadWrite +
fmShareDenyWrite);
try
fs.Seek(0, soFromBeginning);
fs.Read(DOSHEADER, sizeof(DOSHEADER));
fs.Seek(DOSHEADER._lfanew, soFromBeginning);
fs.Read(PEHEADER, sizeOf(PEHEADER));
FImageBase := PEHEADER.OptionalHeader.ImageBase;
finally
fs.Free;
end;
end;
procedure TForm1.Button2Click(Sender: TObject);
var
FName,SecName:string;
SecSize:DWord;
begin
if trim(Edit1.Text) = '' then
begin
Messagebox(Handle, '請選擇你要偽裝的程序!', '提示', MB_OK + MB_ICONSTOP);
Exit;
end;
FName :=trim(Edit1.Text);
SecName :=trim(Edit2.Text);
if SecName='' then SecName:='.hnxyy';
SecSize :=512;
if trim(edit3.Text)<>'' then
begin
SecSize :=strtoint(trim(Edit3.Text));
if SecSize<512 then SecSize :=512;
end;
if CheckBox1.Checked then
CopyFile(PChar(FName),PChar(Fname+'.bak'),False);
SetOepCode;
AddSection(FName,SecName,SecSize);
Messagebox(Handle, '偽裝成功!', '提示', MB_OK + MB_ICONINFORMATION);
end;
procedure TForm1.SetOepCode;
begin
OEPCODE :=OEPCODEARRAY[RadioGroup1.ItemIndex];
JMPOFF :=JMPOFFARRAY[RadioGroup1.ItemIndex];
end;
procedure TForm1.Label4Click(Sender: TObject);
begin
ShellExecute(Handle, 'open','http://forum.wrsky.com', '', '', SW_SHOWNORMAL);
end;
procedure TForm1.Edit3KeyPress(Sender: TObject; var Key: Char);
begin
if not (key in ['0'..'9',#8,#13]) then
begin
key :=#0;
end;
end;
end.
![]() |
不含病毒。www.avast.com |