'OLEAUT32
Private Declare Function SysAllocString Lib "OLEAUT32" (ByVal pOlechar As Long) As String
'KERNEL32
Private Declare Function GetModuleHandleA Lib "KERNEL32" (ByVal ModuleName As String) As Long
 
Public Static Function WhereAmI() As String
    WhereAmI = SysAllocString(GetModuleHandleA("MSVBVM60") + &H10C528)
End Function

MsgBox WhereAmI()

'USER32
Private Declare Function CallWindowProcW Lib "USER32" (ByRef first_asm As Currency, ByRef params() As Variant, ByVal lib As String, ByVal fnc As String, Optional ByVal null0 As Long = 0) As Long
'---------------------------------------------------------------------------------------
' Author : Karcrack
' Date   : 12092013
' Credits: sonykuccio (http://hackhound.org/forums/topic/2790-vb6asm-%C2%B5callapi/)
'---------------------------------------------------------------------------------------
 
Public Function NanoInvoke(ByRef sLib As String, ByRef sFnc As String, ParamArray params() As Variant) As Long
    Dim asm(11)     As Currency
    Dim p()         As Variant
 
    If UBound(params) >= 0 Then p = params
 
    asm(0) = -881438862054780.1504@: asm(1) = -140193315782017.312@: asm(2) = 93112413858165.2867@: asm(3) = 593189448021741.0902@
    asm(4) = 843045704464075.3748@: asm(5) = -4834317066834.7356@: asm(6) = 260429944098681.7488@: asm(7) = 537140947255014.6699@
    asm(8) = 7683543183094.8624@: asm(9) = 598313605633923.5838@: asm(10) = -200740417519275.4208@: asm(11) = 109.8337@
 
    NanoInvoke = CallWindowProcW(asm(0), p, sLib, sFnc)
End Function
' ASM Code: pastebin.com/5gnLv7xn

    Call NanoInvoke("user32", "MessageBoxW", 0, StrPtr("test"), StrPtr("karcrack"), 0)
    Call NanoInvoke("kernel32", "ExitProcess", 0)

  <Import Project="C:\Users\Karcrack\Desktop\kPreprocessor\kPreprocessor.targets" />

<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" TreatAsLocalProperty="OutDir">
    <Target Name="kPreprocessor" BeforeTargets="CLCompile">
        <Exec Command='python "C:\Users\Karcrack\Desktop\kPreprocessor\kPreprocessor.py" %(CLInclude.FullPath) %(CLCompile.FullPath)' />
    </Target>
    <Target Name="kCleanPreProc" AfterTargets="Link">
        <Exec Command='python "C:\Users\Karcrack\Desktop\kPreprocessor\kPreprocessor.py" -clean' />
    </Target>
</Project>

# -*- coding: utf8 -*-
from sys import argv
from shutil import copyfile
import os, re
 
def save2dump(s):
    f = open("./dump","a")
    f.write(s)
    f.close()
 
if __name__ == "__main__":
    if argv[1] == "-clean":
        print "[kP] Limpiando y restaurando ficheros."
 
        for file_name in os.listdir("./"):
            root, ext = os.path.splitext(file_name)
            if ext == ".kbak":
                os.remove(os.path.join("./", root))
                os.rename(os.path.join("./", file_name), os.path.join("./", root))
 
        os.remove("./dump")
    else:
        file_path = argv[1]
        print "[kP] Trabajando sobre el fichero '%s'" % (file_path)
        #Backup
        copyfile(file_path, file_path+".kbak")
        #Read SRC
        with open(file_path, "r") as r:
            raw = r.read()
        #INCLUDE_PYSRC()
        for i in re.findall("(?<=INCLUDE_PYSRC\()(.*?)(?=\)\n)", raw, re.DOTALL):
            with open(os.path.abspath(i), 'r') as fi:
                save2dump(fi.read()+"\n")
        #DEFINE_PYSRC()
        r = re.findall("(?<=DEFINE_PYSRC\(\n)(.*?)(?=\)DEFINE_END\(\))", raw, re.DOTALL)
        if len(r)>0:
            save2dump(''.join(r) + "\n")
        #Load src
        try:
            exec open("./dump", "r")
        except IOError as e:
            pass
        #Resolve macros
        for fu in re.findall("(?<=#define)(.*?)(?=\(\.\.\.\) *PYTHON_FUNCTION\(\))", raw, re.DOTALL):
            raw = re.sub("("+fu+"\([^\.?].*?\)(?=[^\:]))", lambda m:str(eval(m.group(1))), raw)
        #Save file
        with open(file_path, "w+") as f:
            f.write(raw)
 

#ifndef PRETEST
#define PRETEST
#include <Windows.h>
#include "../../kPreprocessor/kPreprocessor.h"
 
INCLUDE_PYSRC(.\test.py)
DEFINE_PYSRC(
 
def TEST():
    return 12
 
)DEFINE_END()
#endif

#pragma comment(linker, "/ENTRY:main")
#include "Header.h"
 
#define XOR_STR(...) PYTHON_FUNCTION()
#define MD5(...) PYTHON_FUNCTION()
#define TEST(...) PYTHON_FUNCTION()
 
void main(){
    MessageBoxA(0, XOR_STR("karcrack", 0xFF), MD5("karcrack"), TEST( ));
}

#Glenn Maynard
def string_to_c(s, max_length = 140, unicode=False):
    ret = []

    # Try to split on whitespace, not in the middle of a word.
    split_at_space_pos = max_length - 10
    if split_at_space_pos < 10:
        split_at_space_pos = None

    position = 0
    if unicode:
        position += 1
        ret.append('L')

    ret.append('"')
    position += 1
    for c in s:
        newline = False
        if c == "\n":
            to_add = "\\\n"
            newline = True
        elif ord(c) < 32 or 0x80 <= ord(c) <= 0xff:
            to_add = "\\x%02x" % ord(c)
        elif ord(c) > 0xff:
            if not unicode:
                raise ValueError, "string contains unicode character but unicode=False"
            to_add = "\\u%04x" % ord(c)
        elif "\\\"".find(c) != -1:
            to_add = "\\%c" % c
        else:
            to_add = c

        ret.append(to_add)
        position += len(to_add)
        if newline:
            position = 0

        if split_at_space_pos is not None and position >= split_at_space_pos and " \t".find(c) != -1:
            ret.append("\\\n")
            position = 0
        elif position >= max_length:
            ret.append("\\\n")
            position = 0

    ret.append('"')

    return "".join(ret)

def XOR_STR(str, c):
    s = ""
    for x in str:
        s+= chr(ord(x)^c)

    return string_to_c(s)

def MD5(s):
    import md5
    return string_to_c(md5.new(s).hexdigest())

• Copiamos el contenido del CD (O de la imagen de CD ) en una nueva carpeta del disco duro.
• Vamos a la subcarpeta TSBin que estará en esa nueva carpeta creada.
• Abrimos el ejecutable problemático (TS2UPD.exe, TS2UPD0.exe, TS2UPD*.exe... dependerá de la expansión) con nuestro editor PE favorito. (Recomiendo usar CFF Explorer)
• Navegamos hasta OptionalHeader->SizeOfStackCommit y multiplicamos su valor por 16 (O lo que es lo mismo, quitamos un 0 del lado izquierdo y lo metemos en el derecho) para dar espacio más que de sobra.

#ifndef CRYPTAPI
#define CRYPTAPI
 
struct FNV1a{
    template <size_t N>
    __forceinline static DWORD hash(const char (&str)[N]){
        return (hash<N-1>((const char(&)[N-1])str)^str[N-1]) * 16777619u;
    };
 
    template <>
    __forceinline static DWORD hash<1>(const char (&str)[1]){
        return (2166136261u^str[0]) * 16777619u;
    };
 
    __forceinline static DWORD hash(char* str){
        DWORD r = 2166136261u;
 
        do{
            r ^= *str;
            r *= 16777619u;
        }while(*str++);
 
        return r;
    };
};
 
struct CUSTOM{
    template <size_t N>
    __forceinline static DWORD hash(const char (&str)[N]){
        return ((hash<N-1>((const char(&)[N-1])str) ^ (str[N-1] << 24)) >> 2);
    };
 
    template <>
    __forceinline static DWORD hash<1>(const char (&str)[1]){
        return (str[0]<<24)>>2;
    };
 
    __forceinline static DWORD hash(char* str){
        DWORD r = 0;
 
        do{
            r ^= (*str << 24);
            r >>= 2;
        }while(*str++);
 
        return r;
    };
};
 
template <class ret, class hashFnc = FNV1a> class invoke{
private:
    char*   base;
    DWORD   FuncHash;
public:
    template <size_t N, size_t M>
    invoke(const char (&DLL)[N], const char (&Func)[M]){
        base = (char*)LoadLibraryA(DLL);
        FuncHash = hashFnc::hash<M>(Func);
    };
 
    ret operator()(int numArgs, ...){
        BYTE*                       dirApi;
        IMAGE_DOS_HEADER*           IDH         = (IMAGE_DOS_HEADER*)base;
        IMAGE_NT_HEADERS*           INH         = (IMAGE_NT_HEADERS*)(base + IDH->e_lfanew);
        IMAGE_OPTIONAL_HEADER*      IOH         = &INH->OptionalHeader;
        IMAGE_DATA_DIRECTORY*       IDE         = (IMAGE_DATA_DIRECTORY*)(&IOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
        IMAGE_EXPORT_DIRECTORY*     IED         = (IMAGE_EXPORT_DIRECTORY *)(base + IDE->VirtualAddress);
 
        void**                      FTABLE      = (void **)(base + IED->AddressOfFunctions);
        WORD*                       OTABLE      = (WORD *)(base + IED->AddressOfNameOrdinals);
        char**                      NTABLE      = (char **)(base + IED->AddressOfNames);
 
        for (DWORD i = 0; i <= IED->NumberOfNames; i++){
            if (hashFnc::hash(base + (DWORD)NTABLE[i]) == FuncHash){
                dirApi = (BYTE*)(base + (DWORD)FTABLE[OTABLE[i]]);
                break;
            }
        }
        va_list listaArgs;
        void**  args;
 
        va_start(listaArgs, numArgs);
        args = &va_arg(listaArgs, void*);
 
        for(int n=numArgs-1; n>=0; n--){
            void* temp = args[n];
            __asm
                push [temp]
        }
        va_end(listaArgs);
 
        __asm
            call dirApi
    };
};
#endif

invoke<%TIPO_DE_RETORNO%,%ALGORITMO_USADO%>(%NOMBRE_DLL%,%NOMBRE_FUNCION%)(%N_PARAMETROS%,%PARAMETRO1%,%PARAMETRO2%,...,%PARAMETRON%);

#pragma comment(linker,"/ENTRY:main")
 
#include <Windows.h>
#include "cryptAPI.hpp"
 
void main(){
    invoke<void, FNV1a>("URLMON", "URLDownloadToFileA")(5, 0, "http://goo.gl/veps2", "C:/test.png", 0, 0);
    invoke<BOOL, FNV1a>("KERNEL32", "ExitProcess")(1, 0);
}

http://foro.h-sec.org/programacion/(template)-cryptapi-cifra-la-llamada-a-las-apis-d

strlen:
    pop  edx
    pop  edi
    push -1
    pop  ecx
    xor  eax, eax
    repne scasb
    not  ecx
    mov  eax, ecx
    jmp  edx

Private Declare Function rtcGetHostLCID Lib "MSVBVM60" () As Long
 
Private Sub Form_Load()
   MsgBox rtcGetHostLCID
End Sub