autoit dropper payload extractor ()
; CONFIG HERE
; Input: the dropper's INI-style config. The bottom of this script reads the
; [Setting] Keys= password from it and cuts the ciphertext out of its
; [Data] ... [eData] block. AutoIt string literals have no backslash escapes,
; so "\\" is two literal backslashes; Win32 path normalisation collapses the
; doubled separator.
$INIFILE="C:\\TEMP\uaf.ui3"
; Output: where the decrypted payload is written by the FileWrite at the end
; of the script.
$OUTFILE="C:\\TEMP\extracted.exe"
; ->
; The constants below are the (name-obfuscated) constant set of AutoIt's
; Crypt.au3 UDF; the values are the standard wincrypt.h ones, annotated by value.
Global Const $4063A0C69862A72A9 = 0x1 ; PROV_RSA_FULL  - provider used on WIN_2000 (see startup routine)
Global Const $53675A741B726EAC88522D14B9F334E1 = 24 ; PROV_RSA_AES   - default provider for CryptAcquireContext
Global Const $368080A29D90F5BA0B1D1E0DEAF11686 = 0xF0000000 ; CRYPT_VERIFYCONTEXT - ephemeral context, no persistent key container
Global Const $2BADE2A6917E4FD3141FF478399B9C29 = 0x0004 ; HP_HASHSIZE    - not referenced below
Global Const $D7B87DBC9EBFE9B98E86AC402AF30278 = 0x0002 ; HP_HASHVAL     - not referenced below
Global Const $A4E74B3D571DD28A4BD46AFED2FF9A21 = 0x00000001 ; CRYPT_EXPORTABLE - dwFlags passed to CryptDeriveKey
Global Const $B939F5E560A162C57C19FFD63367B64E = 1 ; CRYPT_USERDATA - dwFlags passed to CryptHashData
Global Const $72C3DED1B4617DC9E36E9F0FA1ECD04B = 0x00008001 ; CALG_MD2
Global Const $B6D07C74BD5D1C5988597C22A366633F = 0x00008002 ; CALG_MD4
Global Const $AC23469B485C91685E66323634795BB3 = 0x00008003 ; CALG_MD5       - default hash of the key-derivation routine
Global Const $A2FCA4C08C8A3F1468D8E746E31AB5CB = 0x00008004 ; CALG_SHA1
Global Const $487AA7ED5C22C2DBED5BE8784863E3CA = 0x00006603 ; CALG_3DES
Global Const $F23BABECD6E4A8BB507295A70C116B81 = 0x0000660e ; CALG_AES_128
Global Const $893529605D2CC4E08C633862AF17D045 = 0x0000660f ; CALG_AES_192
Global Const $D55A30AD6906FF18C3F0AD47673624E1 = 0x00006610 ; CALG_AES_256
Global Const $D9E2A9D97C7FFBAD9D504886A359FB4A = 0x00006601 ; CALG_DES
Global Const $4350DEA878C5E4A2BAB83C4406A8B26B = 0x00006602 ; CALG_RC2       - the cipher the main script decrypts with (literal 0x00006602 there)
Global Const $75A2FB145F3605CA0DA3CA48D7B9C281 = 0x00006801 ; CALG_RC4
Global Const $1295974546E6E9CA72B1205FD83C6F10 = 0 ; CALG_USERKEY   - "caller passes a key handle, do not derive from a password"
; Shared CryptoAPI state: [0] = startup reference count, [1] = Advapi32.dll
; handle from DllOpen, [2] = CSP context handle from CryptAcquireContext.
Global $FDA831CE40AFAB1CCB2F146F9D71CF0F[3]
; Of the globals below, only $79E6... (the INI password) and $C53E... (the
; ciphertext, later the plaintext) are referenced in this file; the rest look
; like leftovers of the decompiled UDF set.
Global $6D8EA853F0F9D4F4725A7B18BA8E68E5, $6C3C44D956C1D408BA305F8620833447, $D7D52CFFCBB6745185B9DB4AFA2C8C13, $FF9A003592FB5AC6C447DC74647093B4, $B9B82D98583A5C233FD445FABDD55983, $F39285179624EA59225A0BF28273C515, $79E6B6AD0E3929343C8227B45FDD4FFB
; The two @MIN + 1 initialisers (current minute + 1) are never read below.
Global $3C02906DBD82FAE9BEDF15FA83019CD3 = @MIN + 1, $10408E6F4EE9BCC475D45187F7A61581 = @MIN + 1, $576E7ACF370C475C1F7CFFC8287D4894, $D670D931AB625312A06C6E78CAF5F4FA, $5D33270AF08A87ABF453DC3CE78E09EC, $FD207A895B0E415C87F1962728B8263A, $EF334541C41BF1292618BD324F33ECFF, $38FB60076F054E3721B05607F1809456
Global $C53E1AA287D0B74A8A796B2D3DB2DAE2, $C8E8F8600975B3E41D4C0AFA85BEDAB0, $3B3F342DCB843A363757E1DD2813D3FF, $8F5EBE1328FC2B2DC6016A70C366F083
Func _S0xF3480212E0F51234A3E6D08DDB50D175()
    ; Returns the cached Advapi32.dll handle (slot 1 of the shared CryptoAPI state array).
    Local $hAdvapi32 = $FDA831CE40AFAB1CCB2F146F9D71CF0F[1]
    Return $hAdvapi32
EndFunc ;==>_S0xF3480212E0F51234A3E6D08DDB50D175
Func _S0xFEF25B33C8D60CC3EE98893C3D856F5E()
    ; Returns the startup reference count (slot 0 of the shared CryptoAPI state array).
    Local $iRefCount = $FDA831CE40AFAB1CCB2F146F9D71CF0F[0]
    Return $iRefCount
EndFunc ;==>_S0xFEF25B33C8D60CC3EE98893C3D856F5E
Func _S0x47756EC5C5FD73FD84CEA64B25829197($81D6022EF7D3BCE20A60C58E8584A9F6)
    ; Stores the CSP context handle (slot 2 of the shared CryptoAPI state array).
    Local $hContext = $81D6022EF7D3BCE20A60C58E8584A9F6
    $FDA831CE40AFAB1CCB2F146F9D71CF0F[2] = $hContext
EndFunc ;==>_S0x47756EC5C5FD73FD84CEA64B25829197
Func _S0x37D8322BEC6A5294DB414339A4FCB2E2()
    ; Returns the cached CSP context handle (slot 2 of the shared CryptoAPI state array).
    Local $hContext = $FDA831CE40AFAB1CCB2F146F9D71CF0F[2]
    Return $hContext
EndFunc ;==>_S0x37D8322BEC6A5294DB414339A4FCB2E2
Func _S0x5D1574E9146FA08D0703DB81C21510C2($AC907458A37E739C43AC302BC278DC56)
    ; Stores the Advapi32.dll handle (slot 1 of the shared CryptoAPI state array).
    Local $hAdvapi32 = $AC907458A37E739C43AC302BC278DC56
    $FDA831CE40AFAB1CCB2F146F9D71CF0F[1] = $hAdvapi32
EndFunc ;==>_S0x5D1574E9146FA08D0703DB81C21510C2
Func _S0x2EABB265E59944565B0DD219B9D60CB0()
    ; Drops the startup reference count by one, never below zero.
    Local $iRefCount = $FDA831CE40AFAB1CCB2F146F9D71CF0F[0]
    If $iRefCount > 0 Then
        $FDA831CE40AFAB1CCB2F146F9D71CF0F[0] = $iRefCount - 1
    EndIf
EndFunc ;==>_S0x2EABB265E59944565B0DD219B9D60CB0
Func _S0xA60577F031C8B499DA0DEFE5CE3A8003()
    ; Bumps the startup reference count by one (no upper bound).
    Local $iRefCount = $FDA831CE40AFAB1CCB2F146F9D71CF0F[0]
    $FDA831CE40AFAB1CCB2F146F9D71CF0F[0] = $iRefCount + 1
EndFunc ;==>_S0xA60577F031C8B499DA0DEFE5CE3A8003
Func _S0xC4FD912398EE22E2D27771CBC8825110($9E20A0458DAA1298D365D27214FAAED2, $0D80EF9D3AB46B8CEAAD8908F022A4EB, $9BDC1F591B6EF9C92870FA376DF86B27 = $AC23469B485C91685E66323634795BB3)
    ; Derives a CryptoAPI session key from a password (mirrors the Crypt UDF's
    ; _Crypt_DeriveKey): hash the password with the given hash algorithm
    ; (default 0x8003 = CALG_MD5), then CryptDeriveKey for the requested cipher.
    ; Params: password (string/binary), cipher CALG_* id, hash CALG_* id.
    ; Returns the key handle, or -1 with @error set:
    ;   1 = CryptCreateHash failed, 2 = CryptHashData failed, 3 = CryptDeriveKey failed.
    ; The key is created with dwFlags = 0x1 (CRYPT_EXPORTABLE). The hash object
    ; is destroyed on every exit path once it exists. Side effect: the startup
    ; routine's reference count is incremented and not released here.
    Local $aRet, $tPassword
    Local $hHash = 0
    Local $iError = 0
    Local $hKey = -1
    _Crypt__S0xC8217D78780E72F524EC8E3C8A152959()
    $aRet = DllCall(_S0xF3480212E0F51234A3E6D08DDB50D175(), "bool", "CryptCreateHash", "handle", _S0x37D8322BEC6A5294DB414339A4FCB2E2(), "uint", $9BDC1F591B6EF9C92870FA376DF86B27, "ptr", 0, "dword", 0, "handle*", 0)
    If @error Or Not $aRet[0] Then
        $iError = 1
    Else
        $hHash = $aRet[5] ; [5] is the out-param phHash
        $tPassword = DllStructCreate("byte[" & BinaryLen($9E20A0458DAA1298D365D27214FAAED2) & "]")
        DllStructSetData($tPassword, 1, $9E20A0458DAA1298D365D27214FAAED2)
        $aRet = DllCall(_S0xF3480212E0F51234A3E6D08DDB50D175(), "bool", "CryptHashData", "handle", $hHash, "struct*", $tPassword, "dword", DllStructGetSize($tPassword), "dword", $B939F5E560A162C57C19FFD63367B64E)
        If @error Or Not $aRet[0] Then
            $iError = 2
        Else
            $aRet = DllCall(_S0xF3480212E0F51234A3E6D08DDB50D175(), "bool", "CryptDeriveKey", "handle", _S0x37D8322BEC6A5294DB414339A4FCB2E2(), "uint", $0D80EF9D3AB46B8CEAAD8908F022A4EB, "handle", $hHash, "dword", $A4E74B3D571DD28A4BD46AFED2FF9A21, "handle*", 0)
            If @error Or Not $aRet[0] Then
                $iError = 3
            Else
                $hKey = $aRet[5] ; [5] is the out-param phKey
            EndIf
        EndIf
    EndIf
    If $hHash <> 0 Then DllCall(_S0xF3480212E0F51234A3E6D08DDB50D175(), "bool", "CryptDestroyHash", "handle", $hHash)
    Return SetError($iError, 0, $hKey)
EndFunc ;==>_S0xC4FD912398EE22E2D27771CBC8825110
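Func _Crypt__S0xC8217D78780E72F524EC8E3C8A152959()
    ; One-time CryptoAPI initialisation (mirrors the Crypt UDF's _Crypt_Startup).
    ; On the first call (reference count 0) loads Advapi32.dll and acquires an
    ; ephemeral CSP context (CRYPT_VERIFYCONTEXT), caching both in the shared
    ; state array; every call then bumps the reference count.
    ; Returns True on success; False with @error = 1 (DllOpen failed) or
    ; @error = 2 (CryptAcquireContext failed).
    If _S0xFEF25B33C8D60CC3EE98893C3D856F5E() = 0 Then
        Local $hAdvapi32 = DllOpen("Advapi32.dll")
        ; DllOpen signals failure by returning -1 rather than via @error, so
        ; check the return value too; otherwise a failed load is silently
        ; carried into every later DllCall.
        If @error Or $hAdvapi32 = -1 Then Return SetError(1, 0, False)
        _S0x5D1574E9146FA08D0703DB81C21510C2($hAdvapi32)
        Local $aRet
        Local $iProvider = $53675A741B726EAC88522D14B9F334E1 ; PROV_RSA_AES (24)
        If @OSVersion = "WIN_2000" Then $iProvider = $4063A0C69862A72A9 ; PROV_RSA_FULL: provide backwards compatibility with win2000
        $aRet = DllCall(_S0xF3480212E0F51234A3E6D08DDB50D175(), "bool", "CryptAcquireContext", "handle*", 0, "ptr", 0, "ptr", 0, "dword", $iProvider, "dword", $368080A29D90F5BA0B1D1E0DEAF11686)
        If @error Or Not $aRet[0] Then
            DllClose(_S0xF3480212E0F51234A3E6D08DDB50D175())
            _S0x5D1574E9146FA08D0703DB81C21510C2(0) ; do not leave the closed handle cached
            Return SetError(2, 0, False)
        EndIf
        _S0x47756EC5C5FD73FD84CEA64B25829197($aRet[1]) ; [1] is the out-param phProv
    EndIf
    _S0xA60577F031C8B499DA0DEFE5CE3A8003()
    Return True
EndFunc ;==>_Crypt__S0xC8217D78780E72F524EC8E3C8A152959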
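Func _S0x9A130944BC5ED49CF25A0ABCA629E5FB($02B22F23B39C315A51A9C34E85169CF0, $36B1AD8489BDCDE71CAB1832D9D98905, $0D80EF9D3AB46B8CEAAD8908F022A4EB, $E98169F6C5800EBC810E454C14E4F93B = True)
    ; CryptoAPI decryption (mirrors the Crypt UDF's _Crypt_DecryptData).
    ; Params: ciphertext; either a password (when the algorithm id is not
    ;   CALG_USERKEY, the key is derived from it with the derive routine's
    ;   default hash) or an existing key handle (CALG_USERKEY); cipher CALG_* id;
    ;   CryptDecrypt's Final flag.
    ; Returns the plaintext as Binary, or -1 with @error set:
    ;   1 = key derivation failed, 2 = CryptDecrypt failed.
    ; A key this routine derived itself is destroyed before returning; a
    ; caller-supplied key handle is left alone.
    Local $tBuff, $tOut, $aRet
    Local $iError = 0
    Local $vReturn = -1
    Local $hKey = $36B1AD8489BDCDE71CAB1832D9D98905
    Local $hDerivedKey = 0
    Local $iLen = BinaryLen($02B22F23B39C315A51A9C34E85169CF0)
    _Crypt__S0xC8217D78780E72F524EC8E3C8A152959()
    Do
        If $0D80EF9D3AB46B8CEAAD8908F022A4EB <> $1295974546E6E9CA72B1205FD83C6F10 Then
            $hKey = _S0xC4FD912398EE22E2D27771CBC8825110($36B1AD8489BDCDE71CAB1832D9D98905, $0D80EF9D3AB46B8CEAAD8908F022A4EB)
            If @error Then
                $iError = 1
                ExitLoop
            EndIf
            $hDerivedKey = $hKey ; we own this handle; released after the loop
        EndIf
        ; Slack of 1000 bytes beyond the input, as in the UDF: CryptDecrypt works in place.
        $tBuff = DllStructCreate("byte[" & ($iLen + 1000) & "]")
        DllStructSetData($tBuff, 1, $02B22F23B39C315A51A9C34E85169CF0)
        $aRet = DllCall(_S0xF3480212E0F51234A3E6D08DDB50D175(), "bool", "CryptDecrypt", "handle", $hKey, "handle", 0, "bool", $E98169F6C5800EBC810E454C14E4F93B, "dword", 0, "struct*", $tBuff, "dword*", $iLen)
        If @error Or Not $aRet[0] Then
            $iError = 2
            ExitLoop
        EndIf
        ; [6] is the updated pdwDataLen: the number of plaintext bytes now in $tBuff.
        $tOut = DllStructCreate("byte[" & $aRet[6] & "]", DllStructGetPtr($tBuff))
        $vReturn = DllStructGetData($tOut, 1)
    Until True
    If $hDerivedKey <> 0 Then DllCall(_S0xF3480212E0F51234A3E6D08DDB50D175(), "bool", "CryptDestroyKey", "handle", $hDerivedKey)
    ; Propagate the failure code: the original returned -1 with @error cleared,
    ; so callers could not distinguish failure from data.
    Return SetError($iError, 0, $vReturn)
EndFunc ;==>_S0x9A130944BC5ED49CF25A0ABCA629E5FB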
Func _S0x6754396CF0678EFE96699CF2AAC9BD57($s_String, $s_Start, $s_End, $v_Case = -1)
    ; Returns every substring of $s_String found between $s_Start and $s_End
    ; (mirrors the String UDF's _StringBetween). Markers are regex-escaped;
    ; an empty start marker means "from the beginning", an empty end marker
    ; "to the end". Matching is case-insensitive unless $v_Case is set to
    ; something other than Default / -1.
    ; Returns: 1-based-free array of matches (element 0 = first hit), or 0 with
    ; @error = 1 when there is no match.
    Local Const $s_meta = "(\.|\||\*|\?|\+|\(|\)|\{|\}|\[|\]|\^|\$|\\)"
    Local $s_flags = "(?s)"
    If $v_Case = Default Or $v_Case = -1 Then $s_flags &= "(?i)"
    Local $s_from = StringRegExpReplace($s_Start, $s_meta, "\\$1")
    If $s_from = "" Then $s_from = "\A"
    Local $s_to = StringRegExpReplace($s_End, $s_meta, "\\$1")
    If $s_to = "" Then $s_to = "\z"
    Local $a_found = StringRegExp($s_String, $s_flags & $s_from & "(.*?)" & $s_to, 3)
    If @error Then Return SetError(1, 0, 0)
    Return $a_found
EndFunc ;==>_S0x6754396CF0678EFE96699CF2AAC9BD57
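; ---- main ------------------------------------------------------------------
; Pulls the dropper's encrypted payload out of $INIFILE and writes the
; decrypted bytes to $OUTFILE. Expected INI layout (from the reads below):
; a [Setting] section with Keys=<password>, and a [Data] ... [eData] block
; holding the ciphertext. Cipher: 0x6602 = CALG_RC2, key derived from the
; password through the derive routine's default hash (0x8003 = CALG_MD5).
; Every step is checked so a malformed INI ends with a message and a non-zero
; exit code instead of a subscript crash or a "-1" written to the output file.
$79E6B6AD0E3929343C8227B45FDD4FFB = IniRead($INIFILE, "Setting", "Keys", '')
If $79E6B6AD0E3929343C8227B45FDD4FFB = '' Then
    ConsoleWriteError("no [Setting] Keys= entry in " & $INIFILE & @CRLF)
    Exit 1
EndIf
;MsgBox(0,"Keys are",$79E6B6AD0E3929343C8227B45FDD4FFB)
$FA39CF41CED8EB2810F4476D567D84F0 = _S0x6754396CF0678EFE96699CF2AAC9BD57(FileRead($INIFILE), "[Data]", "[eData]")
; The helper returns 0 (not an array) when the markers are absent; indexing it would abort the script.
If @error Or Not IsArray($FA39CF41CED8EB2810F4476D567D84F0) Then
    ConsoleWriteError("no [Data]...[eData] block in " & $INIFILE & @CRLF)
    Exit 2
EndIf
;MsgBox(0,"eData is",$FA39CF41CED8EB2810F4476D567D84F0)
$C53E1AA287D0B74A8A796B2D3DB2DAE2 = $FA39CF41CED8EB2810F4476D567D84F0[0]
$C53E1AA287D0B74A8A796B2D3DB2DAE2 = _S0x9A130944BC5ED49CF25A0ABCA629E5FB($C53E1AA287D0B74A8A796B2D3DB2DAE2, $79E6B6AD0E3929343C8227B45FDD4FFB, $4350DEA878C5E4A2BAB83C4406A8B26B)
$DECRYPT_ERROR = @error
; The decrypt routine hands back -1 on failure and Binary on success.
If $DECRYPT_ERROR Or Not IsBinary($C53E1AA287D0B74A8A796B2D3DB2DAE2) Then
    ConsoleWriteError("decryption failed (@error=" & $DECRYPT_ERROR & ")" & @CRLF)
    Exit 3
EndIf
; 26 = 2 ($FO_OVERWRITE) + 8 ($FO_CREATEPATH) + 16 ($FO_BINARY): start a fresh
; file, create C:\TEMP if missing, and write the Binary value as raw bytes
; instead of relying on FileWrite's mode detection for a bare filename.
$OUTHANDLE = FileOpen($OUTFILE, 26)
If $OUTHANDLE = -1 Then
    ConsoleWriteError("cannot open " & $OUTFILE & " for writing" & @CRLF)
    Exit 4
EndIf
FileWrite($OUTHANDLE, $C53E1AA287D0B74A8A796B2D3DB2DAE2)
FileClose($OUTHANDLE)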