ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Xine - issue #5 - Phile 110 ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Algorithms of unpacking ~~~~~~~~~~~~~~~~~~~~~~~ In this articles I shall describe two algorithms of unpacking LZ and RAR of archives. I have written this articles because used one of these algorithms in macro viruses and it seems, that it is very speed it will be necessary much in a spelling of viruses which update via WWW. So 2 algorithms of unpacking: * LZ algorithms - using LZ32.dll api * RAR algorithms - using UnRAR.dll api First algorithms : LZ ~~~~~~~~~~~~~~~~~~~~~ It is very convenient algorithm at him(it) there is a heap of advantages: + using 3 api + fast unpacking + kewl compresses filez Having read clause bumbleeBee in a zine 29à#5, Me the idea has come to make this algorithm for macro of viruses, it was very good idea. This algorithm I use in 3 new macro of viruses and it(he) is very convenient. Before that to begin the description of functions and I shall advise you to read clause BumbleBee in e-zine 29a#5 About LZ algorithm. start: LZCopy Copies a compressed file into an uncompressed one LZOpenFile Opens a compressed file and returns a handle LZClose Closes a file handle by LZOpenFile parametrz: LZOpenFileA (filename, buffer, mode) LZCopy (source, destination) LZClose (handle) exemple: ' On a disk C:\ exists compressed via LZ a file ultras.tx_ we it(him) we unpack in ultras.txt. ' Using LZ32.dll API Private Declare Function LZOpenFileA Lib "LZ32" (ByVal s As String, ByVal o As String, ByVal mode As Long) As Long Private Declare Sub LZCopy Lib "LZ32" (ByVal src As Long, ByVal dst As Long) Private Declare Sub LZClose Lib "LZ32" (ByVal h As Long) Sub Decompress() 'start procedure On Error Resume Next Dim filez1 As String, filez2 As String, h As Long, g As Long, buf1 As String, buf2 As String buf1 = String(256, "X") buf2 = String(256, "X") ' buffer filez1 = "C:\ultras.tx_" filez2 = "C:\ultras.txt" ' names of files h = LZOpenFileA(filez1, buf1, 0) ' we open compressed a file g = LZOpenFileA(filez2, buf2, 4096) ' we open on record (For the present not unpacked file) LZCopy h, g ' we unpack LZClose g LZClose h ' We shall close files which opened End Sub You can be convinced with what it is easy algorithm of unpacking.... second method : RAR ~~~~~~~~~~~~~~~~~~~ This algorithm has many lacks: - This algorithm will be of works if on computerz is WinRAR or UnRAR.dll - It is a lot of a code + Fast algorithm + Opportunity use of archives with the password This algorithm is made as procedure to you it will be simply necessary to cause parameters parametrz: sRARArchive = RAR Archive filename sDestPath = Destination path for extracted file(s) sPassword = Password [OPTIONAL] Returns:- Integer = 0 Failed (no files, incorrect PW etc) -1 Failed to open RAR archive >0 Number of files extracted exemple: Sub Decompress() ulz = RARExtract("c:\aplib.rar", "c:\11111\", 0) End Sub ' Open Mode Constants Private Const RAR_OM_LIST As Byte = 0 Private Const RAR_OM_EXTRACT As Byte = 1 ' Error Constants Private Const ERAR_NO_MEMORY As Byte = 11 Private Const ERAR_BAD_DATA As Byte = 12 Private Const ERAR_BAD_ARCHIVE As Byte = 13 Private Const ERAR_EOPEN As Byte = 15 Private Const ERAR_UNKNOWN_FORMAT As Byte = 14 Private Const ERAR_SMALL_BUF As Byte = 20 Private Const ERAR_ECLOSE As Byte = 17 Private Const ERAR_END_ARCHIVE As Byte = 10 Private Const ERAR_ECREATE As Byte = 16 Private Const ERAR_EREAD As Byte = 18 Private Const ERAR_EWRITE As Byte = 19 ' Operation Constants Private Const RAR_SKIP As Byte = 0 Private Const RAR_TEST As Byte = 1 Private Const RAR_EXTRACT As Byte = 2 ' Volume Constants Private Const RAR_VOL_ASK As Byte = 0 Private Const RAR_VOL_NOTIFY As Byte = 1 ' User Defined Types Private Type RARHeaderData ArcName As String * 260 FileName As String * 260 Flags As Long PackSize As Long UnpSize As Long HostOS As Long FileCRC As Long FileTime As Long UnpVer As Long Method As Long FileAttr As Long CmtBuf As String ' Pointer (char *CmtBuf in C) CmtBufSize As Long CmtSize As Long CmtState As Long End Type Private Type RAROpenArchiveData ArcName As String ' Pointer (char *ArcName in C) OpenMode As Long OpenResult As Long CmtBuf As String ' Pointer (char *CmtBuf in C) CmtBufSize As Long CmtSize As Long CmtState As Long End Type ' RAR DLL Declares Public Declare Function RAROpen Lib "UnRAR.dll" Alias "RAROpenArchive" (ByRef RAROpenData As RAROpenArchiveData) As Long Public Declare Function RARClose Lib "UnRAR.dll" Alias "RARCloseArchive" (ByVal HandleToArchive As Long) As Long Public Declare Function RARReadHdr Lib "UnRAR.dll" Alias "RARReadHeader" (ByVal HandleToArcRecord As Long, ByRef rcHeaderRead As RARHeaderData) As Long Public Declare Function RARProcFile Lib "UnRAR.dll" Alias "RARProcessFile" (ByVal HandleToArcHeader As Long, ByVal Operation As Long, ByVal DestPath As String, ByVal DestName As String) As Long Public Declare Sub RARSetChangeVolProc Lib "UnRAR.dll" (ByVal HandleToArchive As Long, ByVal Mode As Long) Public Declare Sub RARSetPassword Lib "UnRAR.dll" (ByVal HandleToArchive As Long, ByVal Password As String) Function RARExtract(ByVal sRARArchive As String, ByVal sDestPath As String, Optional ByVal sPassword As String) As Integer Dim lHandle As Long Dim iStatus As Integer Dim uRAR As RAROpenArchiveData Dim uHeader As RARHeaderData Dim iFileCount As Integer RARExtract = -1 ' Open the RAR uRAR.ArcName = sRARArchive uRAR.OpenMode = RAR_OM_EXTRACT lHandle = RAROpen(uRAR) ' Failed to open RAR ? If uRAR.OpenResult <> 0 Then Exit Function ' Password ? If sPassword <> "" Then RARSetPassword lHandle, sPassword End If ' Extract file(s)... iFileCount = 0 ' Is there at lease one archived file to extract ? iStatus = RARReadHdr(lHandle, uHeader) Do Until iStatus <> 0 ' Process (extract) the current file within the archive If RARProcFile(lHandle, RAR_EXTRACT, "", sDestPath + uHeader.FileName) = 0 Then iFileCount = iFileCount + 1 End If ' Is there another archived file in this RAR ? iStatus = RARReadHdr(lHandle, uHeader) Loop ' Close the RAR RARClose lHandle ' Return RARExtract = iFileCount End Function email : ultras_@hotmail.com url : www.coderz.net/ultras irc : undernet #virus, #vir, efnet #virus, #coders.ru ULTRAS [MATRiX]