Copy Link
Add to Bookmark
Report

Xine - issue #5 - Phile 110

eZine's profile picture
Published in 
Xine
 · 7 months ago

 

Ú-----------------------------¿
| Xine - issue #5 - Phile 110 |
À-----------------------------Ù







Algorithms of unpacking
~~~~~~~~~~~~~~~~~~~~~~~

In this articles I shall describe two algorithms of unpacking LZ and RAR of
archives. I have written this articles because used one of these algorithms
in macro viruses and it seems, that it is very speed it will be necessary
much in a spelling of viruses which update via WWW.


So 2 algorithms of unpacking:

* LZ algorithms - using LZ32.dll api
* RAR algorithms - using UnRAR.dll api


First algorithms : LZ
~~~~~~~~~~~~~~~~~~~~~

It is very convenient algorithm at him(it) there is a heap of advantages:

+ using 3 api
+ fast unpacking
+ kewl compresses filez

Having read clause bumbleeBee in a zine 29à#5, Me the idea has come to make this
algorithm for macro of viruses, it was very good idea. This algorithm I use in 3 new macro
of viruses and it(he) is very convenient. Before that to begin the description of functions
and I shall advise you to read clause BumbleBee in e-zine 29a#5 About LZ algorithm.


start:

LZCopy Copies a compressed file into an uncompressed one
LZOpenFile Opens a compressed file and returns a handle
LZClose Closes a file handle by LZOpenFile


parametrz:

LZOpenFileA (filename, buffer, mode)
LZCopy (source, destination)
LZClose (handle)


exemple:

' On a disk C:\ exists compressed via LZ a file ultras.tx_ we it(him) we unpack in ultras.txt.

' Using LZ32.dll API

Private Declare Function LZOpenFileA Lib "LZ32" (ByVal s As String, ByVal o As String, ByVal mode As Long) As Long

Private Declare Sub LZCopy Lib "LZ32" (ByVal src As Long, ByVal dst As Long)

Private Declare Sub LZClose Lib "LZ32" (ByVal h As Long)



Sub Decompress()
'start procedure

On Error Resume Next

Dim filez1 As String, filez2 As String, h As Long, g As Long, buf1 As String, buf2 As String

buf1 = String(256, "X")

buf2 = String(256, "X")
' buffer

filez1 = "C:\ultras.tx_"
filez2 = "C:\ultras.txt"
' names of files

h = LZOpenFileA(filez1, buf1, 0)
' we open compressed a file

g = LZOpenFileA(filez2, buf2, 4096)
' we open on record (For the present not unpacked file)

LZCopy h, g
' we unpack

LZClose g
LZClose h
' We shall close files which opened

End Sub

You can be convinced with what it is easy algorithm of unpacking....


second method : RAR
~~~~~~~~~~~~~~~~~~~
This algorithm has many lacks:

- This algorithm will be of works if on computerz is WinRAR or UnRAR.dll
- It is a lot of a code
+ Fast algorithm
+ Opportunity use of archives with the password

This algorithm is made as procedure to you it will be simply necessary to cause parameters


parametrz:

sRARArchive = RAR Archive filename
sDestPath = Destination path for extracted file(s)
sPassword = Password [OPTIONAL]
Returns:-
Integer = 0 Failed (no files, incorrect PW etc)
-1 Failed to open RAR archive
>0 Number of files extracted



exemple:

Sub Decompress()
ulz = RARExtract("c:\aplib.rar", "c:\11111\", 0)
End Sub


' Open Mode Constants
Private Const RAR_OM_LIST As Byte = 0
Private Const RAR_OM_EXTRACT As Byte = 1
' Error Constants
Private Const ERAR_NO_MEMORY As Byte = 11
Private Const ERAR_BAD_DATA As Byte = 12
Private Const ERAR_BAD_ARCHIVE As Byte = 13
Private Const ERAR_EOPEN As Byte = 15
Private Const ERAR_UNKNOWN_FORMAT As Byte = 14
Private Const ERAR_SMALL_BUF As Byte = 20
Private Const ERAR_ECLOSE As Byte = 17
Private Const ERAR_END_ARCHIVE As Byte = 10
Private Const ERAR_ECREATE As Byte = 16
Private Const ERAR_EREAD As Byte = 18
Private Const ERAR_EWRITE As Byte = 19
' Operation Constants
Private Const RAR_SKIP As Byte = 0
Private Const RAR_TEST As Byte = 1
Private Const RAR_EXTRACT As Byte = 2
' Volume Constants
Private Const RAR_VOL_ASK As Byte = 0
Private Const RAR_VOL_NOTIFY As Byte = 1
' User Defined Types

Private Type RARHeaderData
ArcName As String * 260
FileName As String * 260
Flags As Long
PackSize As Long
UnpSize As Long
HostOS As Long
FileCRC As Long
FileTime As Long
UnpVer As Long
Method As Long
FileAttr As Long
CmtBuf As String ' Pointer (char *CmtBuf in C)
CmtBufSize As Long
CmtSize As Long
CmtState As Long
End Type

Private Type RAROpenArchiveData
ArcName As String ' Pointer (char *ArcName in C)
OpenMode As Long
OpenResult As Long
CmtBuf As String ' Pointer (char *CmtBuf in C)
CmtBufSize As Long
CmtSize As Long
CmtState As Long
End Type
' RAR DLL Declares

Public Declare Function RAROpen Lib "UnRAR.dll" Alias "RAROpenArchive" (ByRef RAROpenData As RAROpenArchiveData) As Long
Public Declare Function RARClose Lib "UnRAR.dll" Alias "RARCloseArchive" (ByVal HandleToArchive As Long) As Long
Public Declare Function RARReadHdr Lib "UnRAR.dll" Alias "RARReadHeader" (ByVal HandleToArcRecord As Long, ByRef rcHeaderRead As RARHeaderData) As Long
Public Declare Function RARProcFile Lib "UnRAR.dll" Alias "RARProcessFile" (ByVal HandleToArcHeader As Long, ByVal Operation As Long, ByVal DestPath As String, ByVal DestName As String) As Long
Public Declare Sub RARSetChangeVolProc Lib "UnRAR.dll" (ByVal HandleToArchive As Long, ByVal Mode As Long)
Public Declare Sub RARSetPassword Lib "UnRAR.dll" (ByVal HandleToArchive As Long, ByVal Password As String)

Function RARExtract(ByVal sRARArchive As String, ByVal sDestPath As String, Optional ByVal sPassword As String) As Integer

Dim lHandle As Long
Dim iStatus As Integer
Dim uRAR As RAROpenArchiveData
Dim uHeader As RARHeaderData
Dim iFileCount As Integer

RARExtract = -1

' Open the RAR
uRAR.ArcName = sRARArchive
uRAR.OpenMode = RAR_OM_EXTRACT
lHandle = RAROpen(uRAR)
' Failed to open RAR ?
If uRAR.OpenResult <> 0 Then Exit Function

' Password ?

If sPassword <> "" Then
RARSetPassword lHandle, sPassword
End If

' Extract file(s)...

iFileCount = 0
' Is there at lease one archived file to extract ?
iStatus = RARReadHdr(lHandle, uHeader)

Do Until iStatus <> 0
' Process (extract) the current file within the archive

If RARProcFile(lHandle, RAR_EXTRACT, "", sDestPath + uHeader.FileName) = 0 Then
iFileCount = iFileCount + 1
End If

' Is there another archived file in this RAR ?
iStatus = RARReadHdr(lHandle, uHeader)
Loop

' Close the RAR
RARClose lHandle
' Return
RARExtract = iFileCount
End Function

email : ultras_@hotmail.com
url : www.coderz.net/ultras
irc : undernet #virus, #vir, efnet #virus, #coders.ru

ULTRAS [MATRiX]

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT