Hello
I want to decrypt and run executable file from memory i found this code but when i try to use it with compressed or setup file gives me error.

type
TSections = array [0..0] of TImageSectionHeader;


function GetAlignedSize(Size: dword; Alignment: dword): dword;
begin
if ((Size mod Alignment) = 0) then
Result := Size;
else
Result := ((Size div Alignment) + 1) * Alignment;
end;

function ImageSize(Image: pointer): dword;
var
Alignment: dword;
ImageNtHeaders: PImageNtHeaders;
PSections: ^TSections;
SectionLoop: dword;
begin
ImageNtHeaders := pointer(dword(dword(Image)) + dword(PImageDosHeader(Image)._lfanew));
Alignment := ImageNtHeaders.OptionalHeader.SectionAlignment;
if ((ImageNtHeaders.OptionalHeader.SizeOfHeaders mod Alignment) = 0) then
begin
Result := ImageNtHeaders.OptionalHeader.SizeOfHeaders;
end
else
begin
Result := ((ImageNtHeaders.OptionalHeader.SizeOfHeaders div Alignment) + 1) * Alignment;
end;
PSections := pointer(pchar(@(ImageNtHeaders.OptionalHeader)) + ImageNtHeaders.FileHeader.SizeOfOptionalHeader);
for SectionLoop := 0 to ImageNtHeaders.FileHeader.NumberOfSections - 1 do
begin
if PSections[SectionLoop].Misc.VirtualSize <> 0 then
begin
if ((PSections[SectionLoop].Misc.VirtualSize mod Alignment) = 0) then
begin
Result := Result + PSections[SectionLoop].Misc.VirtualSize;
end
else
begin
Result := Result + (((PSections[SectionLoop].Misc.VirtualSize div Alignment) + 1) * Alignment);
end;
end;
end;
end;

procedure CreateProcessEx(FileMemory: pointer);
var
BaseAddress, Bytes, HeaderSize, InjectSize, SectionLoop, SectionSize: dword;
Context: TContext;
FileData: pointer;
ImageNtHeaders: PImageNtHeaders;
InjectMemory: pointer;
ProcInfo: TProcessInformation;
PSections: ^TSections;
StartInfo: TStartupInfo;
begin
ImageNtHeaders := pointer(dword(dword(FileMemory)) + dword(PImageDosHeader(FileMemory)._lfanew));
InjectSize := ImageSize(FileMemory);
GetMem(InjectMemory, InjectSize);
try
FileData := InjectMemory;
HeaderSize := ImageNtHeaders.OptionalHeader.SizeOfHeaders;
PSections := pointer(pchar(@(ImageNtHeaders.OptionalHeader)) + ImageNtHeaders.FileHeader.SizeOfOptionalHeader);
for SectionLoop := 0 to ImageNtHeaders.FileHeader.NumberOfSections - 1 do
begin
if PSections[SectionLoop].PointerToRawData < HeaderSize then HeaderSize := PSections[SectionLoop].PointerToRawData;
end;
CopyMemory(FileData, FileMemory, HeaderSize);
FileData := pointer(dword(FileData) + GetAlignedSize(ImageNtHeaders.OptionalHeader.SizeOfHeaders, ImageNtHeaders.OptionalHeader.SectionAlignment));
for SectionLoop := 0 to ImageNtHeaders.FileHeader.NumberOfSections - 1 do
begin
if PSections[SectionLoop].SizeOfRawData > 0 then
begin
SectionSize := PSections[SectionLoop].SizeOfRawData;
if SectionSize > PSections[SectionLoop].Misc.VirtualSize then SectionSize := PSections[SectionLoop].Misc.VirtualSize;
CopyMemory(FileData, pointer(dword(FileMemory) + PSections[SectionLoop].PointerToRawData), SectionSize);
FileData := pointer(dword(FileData) + GetAlignedSize(PSections[SectionLoop].Misc.VirtualSize, ImageNtHeaders.OptionalHeader.SectionAlignment));
end
else
begin
if PSections[SectionLoop].Misc.VirtualSize <> 0 then FileData := pointer(dword(FileData) + GetAlignedSize(PSections[SectionLoop].Misc.VirtualSize, ImageNtHeaders.OptionalHeader.SectionAlignment));
end;
end;
ZeroMemory(@StartInfo, SizeOf(StartupInfo));
ZeroMemory(@Context, SizeOf(TContext));
CreateProcess(nil, pchar(ParamStr(0)), nil, nil, False, CREATE_SUSPENDED, nil, nil, StartInfo, ProcInfo);
Context.ContextFlags := CONTEXT_FULL;
GetThreadContext(ProcInfo.hThread, Context);
ReadProcessMemory(ProcInfo.hProcess, pointer(Context.Ebx + 8), @BaseAddress, 4, Bytes);
VirtualAllocEx(ProcInfo.hProcess, pointer(ImageNtHeaders.OptionalHeader.ImageBase), InjectSize, MEM_RESERVE or MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(ProcInfo.hProcess, pointer(ImageNtHeaders.OptionalHeader.ImageBase), InjectMemory, InjectSize, Bytes);
WriteProcessMemory(ProcInfo.hProcess, pointer(Context.Ebx + 8), @ImageNtHeaders.OptionalHeader.ImageBase, 4, Bytes);
Context.Eax := ImageNtHeaders.OptionalHeader.ImageBase + ImageNtHeaders.OptionalHeader.AddressOfEntryPoint;
SetThreadContext(ProcInfo.hThread, Context);
ResumeThread(ProcInfo.hThread);
finally
FreeMemory(InjectMemory);
end;
end;

//-------------------------------------------------------------------- ---------------------------------------------------
var
MyStream: TMemoryStream;

begin
MyStream := TMemoryStream.Create;
try
MyStream.LoadFromFile('Pro.exe');
//MyStream.LoadFromStream(yourstream);
CreateProcessEx(MyStream.Memory);
finally
MyStream.Free;
end;
end;

don't forget to include CreateProcessEX from the link above
also something verry important change image base of your program bu adding something like yhis:
{$IMAGEBASE $10000000}
Help Please

| Сообщение посчитали полезным:

you got it from here
www.experts-exchange.com/Programming/Editors_IDEs/Delphi/Q_22587636.html
www.delphipages.com/threads/thread.cfm?ID=187966&G=187946
Original Idea/Source was writen by Aphex

it work fine, whats your problem ?

| Сообщение посчитали полезным:

The problem when I try to execute protected file or setup file from memory I get error reading in memory and application crashed.

| Сообщение посчитали полезным:

protector can use memory when you unpack you're file or it can change options of sections file... i think you must use UPX or another simple protector .... or are you can use protector for file in memory??
PS sorry English

| Сообщение посчитали полезным:

By me CreateProcessEx procedure works only if it pass pointer from MapViewOfFile,
In the context MyStream:TMemoryStream error in the CreateProcessEx correct parser PE header.
But, then lose the opportunity to use MyStream...

| Сообщение посчитали полезным:

No, it work
the in memory program MUST have IMAGEBASE greater than 400000
see there an example on the first link i posted

| Сообщение посчитали полезным:

well, that has probably to do with how the compressed/setup files work.
I coded some applications that actually store data in the executable and the way I extracted it was to get the application.exename, open it in readonly mode, seek to the end of the actual applicaiton data (computed at compile time) and start extracting the data.
with this approach, there will not be a correct application.exename file on disk to apply this extraction.
so, no matter the implementation, an aproach like this (loading directly in memory) will obviously not work with every executable.

i got that from www.delphipages.com/threads/thread.cfm?ID=187975&G=187946
So I think if the file was setup type will not work or if it was protected with some kind of protectors which protect or block memory also will not work.

| Сообщение посчитали полезным:

abatu, no it work
it's used in mPack / FishPE / PolyBox / NTPacker and many others Delphi packers

| Сообщение посчитали полезным:

Ok today I’ll upload sample application + 3 files protected with (Themedia, armadillo, thinstall).
Please check them and see by your self

| Сообщение посчитали полезным:

Well, wait a result

| Сообщение посчитали полезным:

Hi
I set the IMAGEBASE to 1000000 but the same result.
check by your self
files-upload.com/files/507987/Abatu.rar

| Сообщение посчитали полезным:

404 Not Found
Upload to rapidshare

| Сообщение посчитали полезным:

Hi
I upload it with the project source + 5 files protected with (Themedia, armadillo, thinstall)+setup & normal file).
rapidshare.com/files/56518968/Abatu.rar
Please if you can help do it.
i want to make program like TZ Exelock, so i need this code so much...

| Сообщение посчитали полезным:

abatu, i tested All OK, worked
Windows XM +SP2
(you can delete rapidshare file)

| Сообщение посчитали полезным:

Hi again
1- When i execute file protected with Themedia gives error message:
File corrupted, this file won't work anymore.
2- When i execute file setup Doesn’t work at all.
3- When i execute file protected with armadillo Doesn’t work at all.
4- When i execute file protected with thinstall gives error message:
The data is invalid.
Windows xp sp2 and vista business.
So how it works well with you?
Do you have any another idea to decrypt file to memory and execute it from there?
How TZ Exelock works all files behave normal how to decrypt files and execute them from *.dat file without extracting first to hard disk?

Help please

| Сообщение посчитали полезным:

yes, all files works well
i tested again in win XP SP1 and all ok
i'm almost sure your computer is infected with virus that corrupt them
-
i don't know about TZ Exelock, link ?
i googled and no result
is the related to TZ CD copy protection?

| Сообщение посчитали полезным:

I tested on 2 different PC and Lap top the same result
And the link to TZ Exelock tzcopyprotection.tk/ .
Thank you.

| Сообщение посчитали полезным:

anyway this is new link if anyone wants to try it and tell us if it works or not.
rapidshare.com/files/56580248/Abatu.rar
Thank you.

| Сообщение посчитали полезным:

abatu, I tested code on Win XP SP2, SP1 & 2000.
Result was no great, on Win XP works well, Win 2000 crashed on initialization(my work system), but I not found what a mistake...

the code is interesting. I will try to rewrite it in a different context when I have free time ...

| Сообщение посчитали полезным:

Hi yesterday I found something when I was trying TZ Exelock :
How it works? It encrypts first byte of application and then change extenuation to *.dat. that’s all.
So is there any one has any idea how to encrypt & decrypt first byte using Delphi?

| Сообщение посчитали полезным:

abatu пишет:
It encrypts first byte of application and then change extenuation to *.dat

You need save encrypt first byte in file(*.dat) and decrypt in MemoryStream? Sorry, I do not understand, why?

| Сообщение посчитали полезным:

Try thus pogram and will understand what exactly i want to do and what i'm talking about.
www.fileden.com/files/2007/5/9/1063131/tzexelock_beta32.zip

| Сообщение посчитали полезным:

abatu writes:
any idea how to encrypt & decrypt first byte using Delphi?
easy, open your file, read some bytes, encrypt them(chooseany crypto algo), write them back, close your file, done

| Сообщение посчитали полезным:

Please tell me how to do that in delphi can you upload sample code?
i need it so much.

| Сообщение посчитали полезным: