NUL0x4C / AtomLdr

A DLL loader with advanced evasive features
Apache License 2.0
612 stars, 85 forks

[!] AES256_CBC_decrypt Failed (main.c:219) #2

Closed cam-stalk closed 1 year ago

cam-stalk commented 1 year ago

Hi. I've got an error `[!] AES256_CBC_decrypt Failed (main.c:219)`.

Generating PayloadConfig.pc: `PayloadBuilder.exe demon.dll`

```text
[i] Reading "demon.dll" ... [+] DONE
Read Payload Size : 65536
[i] The Generate Key Bytes: [ 6A 6F 73 60 1A 15 9A DB 1A 01 53 7D 12 CD 1C DA 0E DE 16 A5 C8 9A 63 81 2A D4 D2 14 0F 8B BE 5D ]
[i] The Generate Iv Bytes: [ 90 2B D2 23 52 93 D2 BD F6 93 53 F9 44 DE 0B 46 ]
[+] Payload Encrypted At : 0x000001441C053FB0
The Encrypted Key Bytes: [ 6D 96 92 9F E9 EC 69 2A E9 00 B2 84 F1 34 E3 29 F5 25 ED 5C 37 69 A2 80 D9 2B 31 EB F6 7A 45 A4 ]
The Encrypted Iv Bytes: [ FD 44 BB 4C 3B FC BB DA 9F FC 3C 96 31 B7 64 2F ]
[i] Writing "PayloadConfig.pc" ... [+] DONE
[+] File "PayloadConfig.pc" Is Successfully Written Under : C:\Users\User\Documents\AtomLdr\x64\Release
```

Debug output of `rundll32.exe .\AtomLdr.dll Atom`:

```text
[#] AtomLdr.dll Is Called Via Command Line Tool, Running "ActualMain" From The Exported Function "Atom"
[+] Payload Is At 0x00007FFEEE1CA090 Of Size 47
Searching in "win32u.dll" ... [+] Found "syscall; ret" gadget At - 0x00007FFEFA9E1042
Searching in "win32u.dll" ... [+] Found "syscall; ret" gadget At - 0x00007FFEFA9E1042
Searching in "win32u.dll" ... [+] Found "syscall; ret" gadget At - 0x00007FFEFA9E1042
Searching in "win32u.dll" ... [+] Found "syscall; ret" gadget At - 0x00007FFEFA9E1042
Searching in "win32u.dll" ... [+] Found "syscall; ret" gadget At - 0x00007FFEFA9E1042
Searching in "win32u.dll" ... [+] Found "syscall; ret" gadget At - 0x00007FFEFA9E1042
Searching in "win32u.dll" ... [+] Found "syscall; ret" gadget At - 0x00007FFEFA9E1042
Searching in "win32u.dll" ... [+] Found "syscall; ret" gadget At - 0x00007FFEFA9E1042
Searching in "win32u.dll" ... [+] Found "syscall; ret" gadget At - 0x00007FFEFA9E1042
Suspending Thread Of Id : 7304 ... [+] DONE
Suspending Thread Of Id : 7880 ... [+] DONE
[i] Replacing .txt of ntdll.dll ...
pLocalTxtAddress : 0x00007FFEFCB11000 pRemoteTxtAddress : 0x000002286A871000 [+] DONE
[i] Replacing .txt of KERNEL32.DLL ...
pLocalTxtAddress : 0x00007FFEFC041000 pRemoteTxtAddress : 0x0000022868191000 [+] DONE
[i] Replacing .txt of KERNELBASE.dll ...
pLocalTxtAddress : 0x00007FFEFA431000 pRemoteTxtAddress : 0x000002286A871000 [+] DONE
[i] Replacing .txt of msvcrt.dll ...
pLocalTxtAddress : 0x00007FFEFBE61000 pRemoteTxtAddress : 0x0000022868191000 [+] DONE
[i] Replacing .txt of combase.dll ...
pLocalTxtAddress : 0x00007FFEFC271000 pRemoteTxtAddress : 0x000002286A871000 [+] DONE
[i] Replacing .txt of ucrtbase.dll ...
pLocalTxtAddress : 0x00007FFEFAA61000 pRemoteTxtAddress : 0x0000022869A21000 [+] DONE
[i] Replacing .txt of RPCRT4.dll ...
pLocalTxtAddress : 0x00007FFEFBBF1000 pRemoteTxtAddress : 0x000002286A871000 [+] DONE
[i] Replacing .txt of shcore.dll ...
pLocalTxtAddress : 0x00007FFEFBF71000 pRemoteTxtAddress : 0x0000022868191000 [+] DONE
[i] Replacing .txt of imagehlp.dll ...
pLocalTxtAddress : 0x00007FFEFC021000 pRemoteTxtAddress : 0x0000022868061000 [+] DONE
[!] NtOpenSection Failed For "\KnownDlls\AtomLdr.dll" With Status : 0xC0000034 [THAT'S PROB OK]
[i] Replacing .txt of USER32.dll ...
pLocalTxtAddress : 0x00007FFEFC891000 pRemoteTxtAddress : 0x000002286A871000 [+] DONE
[i] Replacing .txt of GDI32.dll ...
pLocalTxtAddress : 0x00007FFEFCAA1000 pRemoteTxtAddress : 0x0000022868061000 [+] DONE
[i] Replacing .txt of gdi32full.dll ...
pLocalTxtAddress : 0x00007FFEFA821000 pRemoteTxtAddress : 0x000002286A871000 [+] DONE
[i] Replacing .txt of msvcp_win.dll ...
pLocalTxtAddress : 0x00007FFEFA781000 pRemoteTxtAddress : 0x0000022868191000 [+] DONE
[i] Replacing .txt of SHELL32.dll ...
pLocalTxtAddress : 0x00007FFEFB2B1000 pRemoteTxtAddress : 0x000002286A871000 [+] DONE
[i] Replacing .txt of IMM32.DLL ...
pLocalTxtAddress : 0x00007FFEFBA01000 pRemoteTxtAddress : 0x0000022868191000 [+] DONE
[!] NtOpenSection Failed For "\KnownDlls\uxtheme.dll" With Status : 0xC0000034 [THAT'S PROB OK]
[i] Replacing .txt of MSCTF.dll ...
pLocalTxtAddress : 0x00007FFEFB191000 pRemoteTxtAddress : 0x000002286A871000 [+] DONE
[i] Replacing .txt of OLEAUT32.dll ...
pLocalTxtAddress : 0x00007FFEFC691000 pRemoteTxtAddress : 0x0000022868191000 [+] DONE
[i] Replacing .txt of sechost.dll ...
pLocalTxtAddress : 0x00007FFEFC1D1000 pRemoteTxtAddress : 0x0000022868191000 [+] DONE
[i] Replacing .txt of advapi32.dll ...
pLocalTxtAddress : 0x00007FFEFC5D1000 pRemoteTxtAddress : 0x0000022868191000 [+] DONE
[i] Replacing .txt of shlwapi.dll ...
pLocalTxtAddress : 0x00007FFEFBD21000 pRemoteTxtAddress : 0x0000022868191000 [+] DONE
Resuming Thread Of Id : 7304 ... [+] DONE
Resuming Thread Of Id : 7880 ... [+] DONE
The Decrypted Key Bytes: [ 71 21 22 34 59 27 22 2D 26 59 34 21 28 36 2D 25 59 1B 26 59 2B 26 29 2D 1A 24 26 25 59 30 22 35 ]
The Decrypted Iv Bytes: [ 14 6C 00 14 13 6C 55 3C 2F 07 18 1D 2F 10 31 1D ]
[!] AES256_CBC_decrypt Failed (main.c:219)
```

Could you please help? Thanks

NUL0x4C commented 1 year ago

First of all, this only works with position-independent code, meaning the DLL file won't run anyway. The second issue I noticed is that the loader isn't detecting the payload:

`[+] Payload Is At 0x00007FFEEE1CA090 Of Size 47`

I suppose the DLL file is not only 47 bytes, so are you making sure to replace the generated PayloadConfig file with this one?

If not, do as the usage suggests, and let me know the results.

cam-stalk commented 1 year ago

Oh shit... You are right. I forgot to replace PayloadConfig before compiling. Thank you
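The diagnosis in this thread is a build-consistency problem: the loader was compiled with key material from one PayloadBuilder run while the ciphertext came from another, so the embedded key and IV cannot decrypt it. The Go program below is an added illustration of that failure mode, not code from AtomLdr or from anyone in the thread. It encrypts a constructed sample blob under "build B" key material, decrypts it with "build A" key material the way a stale config would, and classifies what comes back. The `keyMaterial` derivation, the `DEMO` header magic and the sample payload are assumptions made for the demo. It also shows the design point a reviewer would raise here: AES-CBC cannot tell a wrong key from a right one (you get a padding error at best, plausible-looking garbage at worst, so a header or checksum check is mandatory), whereas an authenticated mode such as AES-GCM rejects mismatched key material with an explicit error.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample payload with a recognisable 4-byte header; any blob would do.
var payloadMagic = []byte("DEMO")
var samplePayload = append(append([]byte{}, payloadMagic...), bytes.Repeat([]byte{0x90}, 60)...)

// keyMaterial stands in for the key/IV a builder writes into its config on each run.
// Derived from a build label so the demo is deterministic (assumption, not AtomLdr's generator).
func keyMaterial(buildLabel string) (key, iv []byte) {
	k := sha256.Sum256([]byte("key|" + buildLabel))
	v := sha256.Sum256([]byte("iv|" + buildLabel))
	return k[:], v[:aes.BlockSize] // 32-byte AES-256 key, 16-byte IV
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

func cbcEncrypt(key, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // key length is fixed at 32 bytes by keyMaterial
	padded := pkcs7Pad(pt)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt) // CBC itself has no way to notice a wrong key
}

// checkCBC decrypts with the key material a loader was built with and validates the header.
func checkCBC(key, iv, ct []byte) string {
	pt, err := cbcDecrypt(key, iv, ct)
	if err != nil {
		return "pad-error" // the loud failure: the one the thread's log reports
	}
	if !bytes.HasPrefix(pt, payloadMagic) {
		return "garbage" // the silent failure: padding happened to parse, bytes are wrong
	}
	return "ok"
}

// gcm builds an AES-GCM AEAD for a key; the tag check turns any mismatch into an error.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// FreshCBC: config and ciphertext come from the same build.
func FreshCBC() string {
	key, iv := keyMaterial("build-B")
	return checkCBC(key, iv, cbcEncrypt(key, iv, samplePayload))
}

// StaleCBC: ciphertext from build B, but the loader still carries build A's key/IV.
func StaleCBC() string {
	keyA, ivA := keyMaterial("build-A")
	keyB, ivB := keyMaterial("build-B")
	return checkCBC(keyA, ivA, cbcEncrypt(keyB, ivB, samplePayload))
}

// StaleGCM: the same mismatch under AES-GCM (12-byte nonce taken from the IV).
func StaleGCM() error {
	keyA, ivA := keyMaterial("build-A")
	keyB, ivB := keyMaterial("build-B")
	_, err := gcm(keyA).Open(nil, ivA[:12], gcm(keyB).Seal(nil, ivB[:12], samplePayload, nil), nil)
	return err
}

func main() {
	fmt.Println("fresh CBC:", FreshCBC(), "| stale CBC:", StaleCBC(), "| stale GCM:", StaleGCM())
}
```

`StaleCBC` returns either `pad-error` or `garbage` depending on what the last decrypted block happens to look like, which is exactly why a loader that only checks the padding result can mis-diagnose a stale config; `StaleGCM` always returns a non-nil authentication error.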