PE(需要加载成RVA=OFFSET的形式)资源经过这个代码处理
会生成一份新的资源,这个资源
1。不能被编辑软件编辑,是混杂的。
2。ID=3/14/16/24 中需要保留的资源都已经移动到新的位置。
原来的资源段可以压缩了。 另外:原来的资源移走的会清0
3。代码长度经过一点优化,只扫描1遍资源结构,使用递归算法。
速度可能不是很快,但也不会慢。
4。我测试了几个没有问题,可能存在bug。
; ************** S U B R O U T I N E *****************************************
; ----------------------------------------------------------------------------
; start - test driver for restruc_rsrc.
;
; Assumes a PE image is mapped at IMAGE_BASE and that OUT_BUFFER is writable.
; Both addresses are hard-coded, and the headers are read without any
; signature or range check.
; Arguments are pushed right to left for the C calling convention:
;   restruc_rsrc(ibuf, imgbase, rva, obuf)
; ----------------------------------------------------------------------------
IMAGE_BASE      equ 400000h             ; where the test image is mapped
OUT_BUFFER      equ 402000h             ; where the rebuilt resources are written
E_LFANEW        equ 3Ch                 ; DOS header: offset of the NT headers
RSRC_DIR_RVA    equ 88h                 ; PE32 NT headers: resource directory RVA
ARG_BYTES       equ 10h                 ; four dword arguments

public start
start proc near
        mov     ebp, IMAGE_BASE         ; test code
        push    OUT_BUFFER              ; obuf
        push    OUT_BUFFER - IMAGE_BASE ; rva of the output buffer
        push    ebp                     ; imgbase
        mov     eax, [ebp + E_LFANEW]
        add     eax, ebp                ; eax -> NT headers
        mov     eax, [eax + RSRC_DIR_RVA]
        add     eax, ebp                ; eax -> root resource directory
        push    eax                     ; ibuf
        call    restruc_rsrc
        add     esp, ARG_BYTES          ; caller cleans up the arguments
        retn
start endp
; ************** S U B R O U T I N E *****************************************
; ----------------------------------------------------------------------------
; restruc_rsrc - walk a PE resource directory tree once, recursively, and
; rebuild it in obuf. Every directory, name string and data entry is copied to
; the output; resource data is copied only for the type IDs enabled in rmask
; (3, 0Eh, 10h, 18h). Every source byte that is copied is zeroed afterwards.
;
; Calling convention: C (the caller removes the four dword arguments).
; In:   ibuf    = pointer to the root resource directory; also the base that
;                 directory-relative offsets are added to
;       imgbase = added to the output offset when the address field of a moved
;                 resource's data entry is rewritten
;       rva     = not referenced anywhere in this body
;       obuf    = output buffer; rewritten offsets are relative to it
; Out:  none. pusha/popa restore all general registers.
;
; Register roles inside the walk:
;       ebx = current entry (8 bytes) in the OUTPUT copy of the directory
;       edi = output write cursor
;       [esp] at @@cycle = number of entries still to process
;
; NOTE(review): the input is trusted completely. Entry counts, offsets, name
; lengths and data sizes are read from the resource section and used without
; any range check. No buffer size is passed in, so nothing bounds the reads
; from the input or the writes to obuf. Recursion depth is not capped either.
; Validate the resource section before calling this on untrusted files.
;
; NOTE(review): a data entry's address field is an RVA in the PE format, yet
; the code rebases it with imgbase (new value) and ibuf (old value) and never
; uses rva. Confirm the intended meaning of these arguments against the caller.
; ----------------------------------------------------------------------------
restruc_rsrc proc C \
ibuf, \
imgbase,\
rva, \
obuf
local level ; nesting depth of the directory being walked (0 = root)
local gicon ; pointer to the 0Eh-byte records scanned in @@icon_cycle (0 = not set yet)
local numoficons ; record count derived from a type 0Eh resource's size
local permuted ; nonzero once the one-time entry reordering has run
local rmask ; bit n set = data of resource type n is still to be moved
local rtype ; ID of the level-0 entry currently being processed
local id ; ID of the level-1 entry currently being processed
pusha ; restored by popa at @@done (level 0)
xor eax, eax
mov level, eax
mov gicon, eax
mov numoficons, eax
mov permuted, eax
mov rmask, 1014008h ; bits 3, 0Eh, 10h, 18h
mov ebx, ibuf ; ebx = source directory to process
mov edi, obuf ; edi = output cursor
; In: ebx = source directory, edi = output cursor. Entered by fall-through for
; the root and by call for every subdirectory.
@@recursive:
movzx eax, word ptr [ebx+0Ch] ; number of named entries
movzx ecx, word ptr [ebx+0Eh] ; number of ID entries
add eax, ecx ; eax = total entries
push eax ; [esp] = entries left
mov esi, ebx
lea ebx, [edi+10h] ; ebx = first entry in the output copy
lea ecx, [eax+2]
shl ecx, 3 ; (n+2)*8 = 10h-byte header + n 8-byte entries
call @@move ; copy header and entries, zeroing the source
@@cycle: dec dword ptr [esp]
jl @@done ; counter went below zero: directory finished
cmp permuted, 0
jnz @@permuted
; One-time pass on the first directory processed: swap the entry whose first
; dword is 0Eh with the first entry, so it is handled before the others.
; NOTE(review): ecx is the counter after the dec (n-1), so the last entry is
; never examined; with n = 1, ecx is 0 and `loop` wraps to 0FFFFFFFFh.
mov ecx, [esp]
pusha
inc permuted
mov edx, ebx ; edx = first entry slot
@@permute_cycle: mov eax, [ebx]
cmp eax, 0Eh
jnz @@dont_swap
cmp ebx, edx ; already first: nothing to swap
jz @@dont_swap
xchg eax, [edx] ; exchange the name/ID dwords
mov [ebx], eax
mov eax, [ebx+4]
xchg eax, [edx+4] ; exchange the offset dwords
mov [ebx+4], eax
@@dont_swap: add ebx, 8
loop @@permute_cycle
popa
@@permuted: mov esi, [ebx] ; first dword of the entry: name offset or ID
btr esi, 1Fh ; CF = bit 31 (set: entry is named)
jnb @@id
; Named entry: point it at the output cursor and copy the name string there.
mov eax, edi
sub eax, obuf
bts eax, 1Fh ; keep the "is a name" flag on the new offset
mov [ebx], eax
add esi, ibuf ; esi = source name string
movzx ecx, word ptr [esi] ; length word
lea ecx, [ecx+ecx+2] ; 2 bytes per character + the length word
call @@move
jmp @@x1
; ----------------------------------------------------------------------------
; ID entry: level 0 records rtype (and id), level 1 records id only, deeper
; levels record nothing. mov leaves the flags from the cmp untouched.
@@id: cmp level, 1
jg @@x1
mov id, esi
jz @@x1
mov rtype, esi
@@x1:
mov edx, [ebx+4] ; second dword: offset of a subdirectory or data entry
add edx, ibuf
btr edx, 1Fh ; CF = bit 31 (set: subdirectory)
jnb @@rsrc
; Subdirectory: its copy will start at the output cursor. Save that offset for
; @@fixup and recurse.
mov eax, edi
sub eax, obuf
bts eax, 1Fh ; keep the "is a directory" flag
push eax ; popped by @@fixup
inc level
push ebx
xchg ebx, edx ; ebx = source subdirectory
call @@recursive
pop ebx
dec level
jmp @@fixup
; ----------------------------------------------------------------------------
; Leaf: edx = source data entry. Move the resource data only if the bit for
; rtype is set in rmask. btr also clears the bit; only type 3 sets it again.
; NOTE(review): with a memory operand and a register bit index, btr/bts address
; memory outside the dword when the index is not in 0..31. rtype comes from the
; file, so a type ID >= 32 modifies a bit elsewhere on the stack. Check the
; range of rtype before this instruction.
@@rsrc: mov eax, rtype
btr rmask, eax
jnb @@dont_move
cmp eax, 3
jnz @@x3
; Type 3: move it only if its id appears in the records gicon points to.
mov esi, gicon
test esi, esi
jz @@dont_move ; no record list yet: leave the data in place
bts rmask, eax ; re-enable type 3 for the next leaf
mov eax, id
mov ecx, numoficons
@@icon_cycle: cmp ax, [esi+0Ch] ; word at +0Ch of each record is matched against id
jz @@do_move
add esi, 0Eh ; next record
loop @@icon_cycle
jmp @@dont_move
; ----------------------------------------------------------------------------
@@x3:
cmp eax, 0Eh
jnz @@do_move ; remaining enabled types are moved unconditionally
; Type 0Eh: numoficons = (size - 6) / 0Eh.
; NOTE(review): cdq sign-extends but div is unsigned. A size below 6 gives
; edx = 0FFFFFFFFh and the quotient overflows, raising a divide error.
push edx ; cdq/div overwrite edx
mov eax, [edx+4] ; second dword of the data entry (size)
sub eax, 6
cdq
mov ecx, 0Eh
div ecx
mov numoficons, eax
pop edx
; Rewrite the address field of the source data entry, then copy the data.
@@do_move: mov esi, edi
sub esi, obuf
add esi, imgbase ; new address = output offset + imgbase
xchg esi, [edx] ; store it; esi = old address field
add esi, ibuf ; esi = source data
mov ecx, [edx+4] ; byte count from the data entry
call @@move
; Copy the 10h-byte data entry itself. Its output offset goes on the stack for
; @@fixup.
@@dont_move: mov eax, edi
sub eax, obuf
push eax ; popped by @@fixup
xchg esi, edx ; esi = source data entry
mov edx, edi ; edx = where the copy of the entry lands
push 10h
pop ecx ; ecx = 10h
call @@move
; Set gicon once, from the first data entry copied after numoficons is known:
; copied address field + ibuf + 6.
cmp numoficons, 0
jz @@fixup
cmp gicon, 0
jnz @@fixup
mov eax, [edx]
add eax, ibuf
add eax, 6
mov gicon, eax
@@fixup: pop eax ; new offset of the subdirectory or data entry
mov [ebx+4], eax ; patch the entry in the output copy
add ebx, 8 ; next entry
jmp @@cycle
; ----------------------------------------------------------------------------
; @@move - copy ecx bytes from esi to edi and zero each source byte.
; If esi equals edi, nothing is copied or zeroed and only edi advances by ecx.
; Out: edi advanced, ecx = 0; esi advanced only when bytes were copied.
@@move: cmp esi, edi
jnz @@move_cycle
add edi, ecx
xor ecx, ecx
@@move_cycle: jecxz @@return
movsb
and byte ptr [esi-1], 0 ; zero the source byte just copied
dec ecx
jmp @@move_cycle
; ----------------------------------------------------------------------------
@@done: pop eax ; discard the entry counter
cmp level, 0
jnz @@return ; nested: return to the `call @@recursive` site
popa ; root: restore registers and drop the frame
leave
@@return:
retn
restruc_rsrc endp
; ----------------------------------------------------------------------------
end start