Xine - issue #5 - Phile 110


Algorithms of unpacking
~~~~~~~~~~~~~~~~~~~~~~~

In this article I describe two algorithms for unpacking LZ and RAR archives.
I wrote this article because I have used one of these algorithms in macro
viruses, and it seems to be very fast; it will be much needed when writing
viruses which update via WWW.


So, the 2 unpacking algorithms:

* LZ algorithm - uses the LZ32.dll API
* RAR algorithm - uses the UnRAR.dll API


First algorithm : LZ
~~~~~~~~~~~~~~~~~~~~

This is a very convenient algorithm with a heap of advantages:

+ uses only 3 API functions
+ fast unpacking
+ kewl file compression

After reading BumbleBee's article in the zine 29a#5, I had the idea of making this
algorithm work for macro viruses, and it was a very good idea. I use this algorithm in 3 new
macro viruses and it is very convenient. Before I begin describing the functions,
I advise you to read BumbleBee's article about the LZ algorithm in e-zine 29a#5.


start:

LZCopy       Copies a compressed file into an uncompressed one
LZOpenFile   Opens a compressed file and returns a handle
LZClose      Closes a file handle opened by LZOpenFile


parametrz:

LZOpenFileA (filename, buffer, mode)
LZCopy (source, destination)
LZClose (handle)


example:

' The LZ-compressed file ultras.tx_ exists on drive C:\; we unpack it into ultras.txt.

' Using the LZ32.dll API
Private Declare Function LZOpenFileA Lib "LZ32" (ByVal s As String, ByVal o As String, ByVal mode As Long) As Long
Private Declare Sub LZCopy Lib "LZ32" (ByVal src As Long, ByVal dst As Long)
Private Declare Sub LZClose Lib "LZ32" (ByVal h As Long)

Sub Decompress()
    On Error Resume Next

    Dim filez1 As String, filez2 As String, h As Long, g As Long, buf1 As String, buf2 As String

    ' Buffers that receive the OFSTRUCT data filled in by LZOpenFileA
    buf1 = String(256, "X")
    buf2 = String(256, "X")

    ' File names
    filez1 = "C:\ultras.tx_"
    filez2 = "C:\ultras.txt"

    ' Open the compressed file for reading (mode 0 = OF_READ)
    h = LZOpenFileA(filez1, buf1, 0)

    ' Create the output file for the unpacked data (mode 4096 = OF_CREATE)
    g = LZOpenFileA(filez2, buf2, 4096)

    ' Unpack
    LZCopy h, g

    ' Close the files we opened
    LZClose g
    LZClose h
End Sub

As you can see, this is an easy unpacking algorithm....


Second method : RAR
~~~~~~~~~~~~~~~~~~~
This algorithm has many drawbacks:

- It works only if WinRAR or UnRAR.dll is on the computer
- It takes a lot of code
+ Fast algorithm
+ Can use password-protected archives

This algorithm is written as a procedure; you simply need to call it with the parameters.


parametrz:

sRARArchive = RAR archive filename
sDestPath   = Destination path for extracted file(s)
sPassword   = Password [OPTIONAL]

Returns:
Integer =  0   Failed (no files, incorrect PW etc)
          -1   Failed to open RAR archive
          >0   Number of files extracted



example:

Sub Decompress()
    ' No password: the optional third argument is omitted
    ulz = RARExtract("c:\aplib.rar", "c:\11111\")
End Sub


' Open Mode Constants
Private Const RAR_OM_LIST As Byte = 0
Private Const RAR_OM_EXTRACT As Byte = 1
' Error Constants
Private Const ERAR_NO_MEMORY As Byte = 11
Private Const ERAR_BAD_DATA As Byte = 12
Private Const ERAR_BAD_ARCHIVE As Byte = 13
Private Const ERAR_EOPEN As Byte = 15
Private Const ERAR_UNKNOWN_FORMAT As Byte = 14
Private Const ERAR_SMALL_BUF As Byte = 20
Private Const ERAR_ECLOSE As Byte = 17
Private Const ERAR_END_ARCHIVE As Byte = 10
Private Const ERAR_ECREATE As Byte = 16
Private Const ERAR_EREAD As Byte = 18
Private Const ERAR_EWRITE As Byte = 19
' Operation Constants
Private Const RAR_SKIP As Byte = 0
Private Const RAR_TEST As Byte = 1
Private Const RAR_EXTRACT As Byte = 2
' Volume Constants
Private Const RAR_VOL_ASK As Byte = 0
Private Const RAR_VOL_NOTIFY As Byte = 1
' User Defined Types

Private Type RARHeaderData
    ArcName As String * 260
    FileName As String * 260
    Flags As Long
    PackSize As Long
    UnpSize As Long
    HostOS As Long
    FileCRC As Long
    FileTime As Long
    UnpVer As Long
    Method As Long
    FileAttr As Long
    CmtBuf As String ' Pointer (char *CmtBuf in C)
    CmtBufSize As Long
    CmtSize As Long
    CmtState As Long
End Type

Private Type RAROpenArchiveData
    ArcName As String ' Pointer (char *ArcName in C)
    OpenMode As Long
    OpenResult As Long
    CmtBuf As String ' Pointer (char *CmtBuf in C)
    CmtBufSize As Long
    CmtSize As Long
    CmtState As Long
End Type

' RAR DLL Declares

Public Declare Function RAROpen Lib "UnRAR.dll" Alias "RAROpenArchive" (ByRef RAROpenData As RAROpenArchiveData) As Long
Public Declare Function RARClose Lib "UnRAR.dll" Alias "RARCloseArchive" (ByVal HandleToArchive As Long) As Long
Public Declare Function RARReadHdr Lib "UnRAR.dll" Alias "RARReadHeader" (ByVal HandleToArcRecord As Long, ByRef rcHeaderRead As RARHeaderData) As Long
Public Declare Function RARProcFile Lib "UnRAR.dll" Alias "RARProcessFile" (ByVal HandleToArcHeader As Long, ByVal Operation As Long, ByVal DestPath As String, ByVal DestName As String) As Long
Public Declare Sub RARSetChangeVolProc Lib "UnRAR.dll" (ByVal HandleToArchive As Long, ByVal Mode As Long)
Public Declare Sub RARSetPassword Lib "UnRAR.dll" (ByVal HandleToArchive As Long, ByVal Password As String)

Function RARExtract(ByVal sRARArchive As String, ByVal sDestPath As String, Optional ByVal sPassword As String) As Integer

    Dim lHandle As Long
    Dim iStatus As Integer
    Dim uRAR As RAROpenArchiveData
    Dim uHeader As RARHeaderData
    Dim iFileCount As Integer

    ' Default return value: failed to open the archive
    RARExtract = -1

    ' Open the RAR
    uRAR.ArcName = sRARArchive
    uRAR.OpenMode = RAR_OM_EXTRACT
    lHandle = RAROpen(uRAR)
    ' Failed to open RAR ?
    If uRAR.OpenResult <> 0 Then Exit Function

    ' Password ?
    If sPassword <> "" Then
        RARSetPassword lHandle, sPassword
    End If

    ' Extract file(s)...
    iFileCount = 0
    ' Is there at least one archived file to extract ?
    iStatus = RARReadHdr(lHandle, uHeader)

    Do Until iStatus <> 0
        ' Process (extract) the current file within the archive
        If RARProcFile(lHandle, RAR_EXTRACT, "", sDestPath + uHeader.FileName) = 0 Then
            iFileCount = iFileCount + 1
        End If

        ' Is there another archived file in this RAR ?
        iStatus = RARReadHdr(lHandle, uHeader)
    Loop

    ' Close the RAR
    RARClose lHandle
    ' Return the number of files extracted
    RARExtract = iFileCount
End Function

email : ultras_@hotmail.com
url : www.coderz.net/ultras
irc : undernet #virus, #vir, efnet #virus, #coders.ru

ULTRAS [MATRiX]
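
From the defender's side, the Declare statements are the visible part of both routines in a macro's source. The following Python is an added example, not code from the original article: it scans dumped VBA macro source for imports of the LZ32 and UnRAR exports used above and reports which libraries a macro imports enough of to unpack a file. The WATCHED and REQUIRED tables, the function names and the sample macro text are assumptions constructed for illustration.

```python
import re

# Exports the article's two routines import, keyed by normalised library name.
WATCHED = {
    "lz32": {"lzopenfilea", "lzcopy", "lzclose"},
    "unrar": {"raropenarchive", "rarreadheader", "rarprocessfile",
              "rarclosearchive", "rarsetpassword", "rarsetchangevolproc"},
}
# Assumed minimum per library for a macro to write unpacked data to disk.
REQUIRED = {"lz32": {"lzopenfilea", "lzcopy"},
            "unrar": {"raropenarchive", "rarprocessfile"}}

DECLARE_RE = re.compile(
    r'^[ \t]*(?:(?:Public|Private)[ \t]+)?Declare[ \t]+(?:PtrSafe[ \t]+)?'
    r'(?:Function|Sub)[ \t]+(\w+)[ \t]+Lib[ \t]+"([^"]+)"'
    r'(?:[ \t]+Alias[ \t]+"([^"]+)")?',
    re.IGNORECASE | re.MULTILINE)

def normalise_lib(lib):
    """Reduce a Lib string to its base name, e.g. 'UnRAR.DLL' -> 'unrar'."""
    name = re.split(r'[\\/]', lib)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name

def find_unpack_imports(vba_source):
    """Return {library: set(exports)} for watched Declare statements."""
    # Join VBA line continuations (" _" at end of line) before matching.
    joined = re.sub(r'[ \t]+_[ \t]*\r?\n', ' ', vba_source)
    found = {}
    for local, lib, alias in DECLARE_RE.findall(joined):
        export = (alias or local).lower()  # Alias names the real DLL export
        key = normalise_lib(lib)
        if export in WATCHED.get(key, ()):
            found.setdefault(key, set()).add(export)
    return found

def can_unpack(found):
    """Libraries for which enough exports are imported to extract a file."""
    return sorted(k for k, need in REQUIRED.items() if need <= found.get(k, set()))

# Constructed sample: macro source as a VBA extraction tool would dump it.
SAMPLE = '''\
Private Declare Function LZOpenFileA Lib "LZ32" (ByVal s As String, ByVal o As String, ByVal mode As Long) As Long
Private Declare Sub LZCopy Lib "lz32.dll" (ByVal src As Long, ByVal dst As Long)
Public Declare Function Op Lib "UnRAR.dll" _
    Alias "RAROpenArchive" (ByRef d As Any) As Long
' Public Declare Function P Lib "UnRAR.dll" Alias "RARProcessFile" (ByVal h As Long) As Long
Private Declare Function GetTickCount Lib "kernel32" () As Long
'''
print(can_unpack(find_unpack_imports(SAMPLE)))  # ['lz32']
```

Matching on the Alias string rather than the local name matters because a macro can rename the import freely, as the RAROpen/RARProcFile declarations above do; commented-out declarations are ignored.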
