China DOS Union

-- Unite DOS · Advance DOS · Grow DOS --

Union site: www.cn-dos.net Forum site: www.cn-dos.net/forum
DOS stands for freedom, openness and progress. Let us work hard, learn from the openness and GNU spirit of FreeDOS and Linux, and together build and grow a free GNU GPL world!

Implement screenshot to system clipboard or Paint using VBS script
Floor 16 Posted 2007-06-17 17:18
Reply to floor 12: running the script from floor 12 pops up an open-file dialog window.
Floor 17 Posted 2007-06-17 17:31
Originally posted by eech at 2007-6-17 17:18:
Reply to post 12, running the script in post 12 pops up a file open dialog window

This file dialog window is for you to enter the file name to be generated. Enter XXX.exe to generate the exe file.
Floor 18 Posted 2007-11-03 22:47
Finally met an expert. Could the person above please take a look at the following program? It uses encoding or some other method. Also, please answer my question below: if it is encoding, how does it decode itself?

The following is a delay program, although it seems irrelevant on the surface.
Code:
Bj@jzh`0X-`/PPPPPPa(DE(DM(DO(Dh(Ls(Lu(LX(LeZRR]EEEUYRX2Dx=
0DxFP,0Xx.t0P,=XtGsB4o@$?PIyU WwX0GwUY Wv;ovBX2Gv0ExGIuht6
T}{z~~@GwkBG@OEKcUt`~}@MqqBsy?seHB~_Phxr?@zAB`LrPEyoDt@Cj?
pky_jN@QEKpEt@ij?jySjN@REKpEt@jj?jyGjN@SEKkjtlGuNw?p@pjirz
LFvAURQ?OYLTQ@@?~QCoOL~RDU@?aU?@{QOq?@}IKuNWpe~FpeQFwH?Vkk
_GSqoCvH{OjeOSeIQRmA@KnEFB?p??mcjNne~B?M??QhetLBgBPHexh@e=
EsOgwTLbLK?sFU`?LDOD@@K@xO?SUudA?_FKJ@N?KD@?UA??O}HCQOQ??R
_OQOL?CLA?CEU?_FU?UAQ?UBD?LOC?ORO?UOL?UOD?OOI?UgL?LOR@YUO?
dsmSQswDOR

0C1E:0139 3D0D0A CMP AX,0A0D
0C1E:013C 304478 XOR [SI+78],AL
0C1E:013F 46 INC SI
0C1E:0140 50 PUSH AX
0C1E:0141 2C30 SUB AL,30
0C1E:0143 58 POP AX
0C1E:0144 78EE JS 0134
0C1E:0146 7430 JZ 0178
0C1E:0148 50 PUSH AX
0C1E:0149 2C3D SUB AL,3D
0C1E:014B 58 POP AX
0C1E:014C 7407 JZ 0155
0C1E:014E 7302 JNB 0152
0C1E:0150 346F XOR AL,6F
0C1E:0152 40 INC AX
0C1E:0153 243F AND AL,3F
0C1E:0155 50 PUSH AX
0C1E:0156 49 DEC CX
0C1E:0157 79DB JNS 0134
0C1E:0159 205777 AND [BX+77],DL
0C1E:015C 58 POP AX
0C1E:015D 304777 XOR [BX+77],AL
0C1E:0160 55 PUSH BP
0C1E:0161 59 POP CX
0C1E:0162 205776 AND [BX+76],DL
0C1E:0165 C1 DB C1
0C1E:0166 6F DB 6F
0C1E:0167 7602 JBE 016B
0C1E:0169 58 POP AX
0C1E:016A 324776 XOR AL,[BX+76]
0C1E:016D 304578 XOR [DI+78],AL
0C1E:0170 47 INC DI
0C1E:0171 49 DEC CX
0C1E:0172 75EE JNZ 0162
0C1E:0174 74BC JZ 0132
I executed it 200 times, and the code didn't change. But when using g 176, the result came out. The display is as follows: (Because cs:0176 is never executed, the program can't go out from there, so it's no different from directly using g)
This is the image of sleep.exe. See? There are also APIs.
This was obviously written in a high-level language and then turned into pure text using some technique.
However, the program doesn't exit and will continue, but it needs human intervention, so it doesn't affect the use of sleep.exe.
The exit is at cs:136. Executing again will enter a location below CS:100, which is obviously a mistake.

This is a standard PE file, and its content can be understood after decompilation.
0040107E: FF 15 04 10 40 00 CALL DWORD PTR [00401004] ; GetCommandLineA
00401084: 31 D2 XOR EDX,EDX
00401086: 48 DEC EAX
00401087: 40 INC EAX
00401088: 80 38 00 CMP BYTE PTR [EAX],00
0040108B: 74 11 JZ 0040109E
0040108D: 80 38 22 CMP BYTE PTR [EAX],22
00401090: 75 02 JNZ 00401094
00401092: F7 D2 NOT EDX
00401094: 09 D2 OR EDX,EDX
00401096: 75 EF JNZ 00401087
00401098: 80 38 20 CMP BYTE PTR [EAX],20
0040109B: 75 EA JNZ 00401087
0040109D: 40 INC EAX
0040109E: FC CLD
0040109F: 89 C6 MOV ESI,EAX
004010A1: 31 D2 XOR EDX,EDX
004010A3: 31 C0 XOR EAX,EAX
004010A5: AC LODS AL,BYTE PTR DS:[ESI]
004010A6: 08 C0 OR AL,AL
004010A8: 74 23 JZ 004010CD
004010AA: 2C 30 SUB AL,30
004010AC: 72 15 JB 004010C3
004010AE: 3C 09 CMP AL,09
004010B0: 77 11 JNBE 004010C3
004010B2: 6B D2 0A IMUL EDX,EDX,0A
004010B5: 01 C2 ADD EDX,EAX
004010B7: C7 05 C9 10 40 00 CD 10 40 00 MOV DWORD PTR [004010C9],004010CD
004010C1: EB E2 JMP 004010A5
004010C3: FF 25 C9 10 40 00 JMP DWORD PTR [004010C9]
004010C9: A5 MOVS DWORD PTR DS:[ESI],DWORD PTR ES:[EDI]
004010CA: 10 40 00 ADC [EAX+00],AL
004010CD: 52 PUSH EDX
004010CE: FF 15 08 10 40 00 CALL DWORD PTR [00401008] ; Sleep
004010D4: 6A 00 PUSH 00
004010D6: FF 15 00 10 40 00 CALL DWORD PTR [00401000] ; ExitProcess

The format of the EXE file can also be seen with tools:
00000000 5A4D Signature: MZ
00000002 0150 Extra Bytes
00000004 0001 Pages
00000006 0000 Reloc Items
00000008 0004 Header Size
0000000A 0000 Min Alloc
0000000C FFFF Max Alloc
0000000E 0000 Initial SS
00000010 0150 Initial SP
00000012 0000 Check Sum
00000014 0000 Initial IP
00000016 0000 Initial CS
00000018 0040 Reloc Table
0000001A 0000 Overlay

00000090 00004550 Signature: PE
00000094 014C Machine: 014C=I386
00000096 0001 Number of Sections
00000098 36A57950 Time/Date Stamp
0000009C 00000000 Pointer to Symbol Table
000000A0 00000000 Number of Symbols
000000A4 00E0 Optional Header Size
000000A6 010F Characteristics

No more doubt that it is a genuine PE file, right?
As for the principle of sleep.exe, it's very simple; see below:
00000000 ExitProcess
00000000 GetCommandLineA
00000000 Sleep
These are all APIs in kernel32.dll; that is to say, high-level assembly languages such as win32asm can be used to call them directly.

My question is why, although this code string is an endless loop, the program can still run. It executed without ever leaving the loop and displayed the above EXE image.
I hope assembly experts can give an answer.

[ Last edited by phai2003 on 2007-11-3 at 10:53 PM ]
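The decompiled routine in floor 18, rewritten in C as an added example (not code from the thread): it skips the program name, honouring double quotes, then reads the first run of decimal digits as the value pushed for Sleep. The function name and the sample command lines are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Returns the millisecond count the routine at 0040107E would push for Sleep. */
uint32_t delay_from_cmdline(const char *cmd)
{
    const char *p = cmd;
    int in_quotes = 0;                  /* EDX: NOT EDX at every '"' */

    /* 00401087-0040109D: skip the program name; a space ends it only
       when it lies outside double quotes. */
    for (; *p != '\0'; p++) {
        if (*p == '"')
            in_quotes = !in_quotes;
        if (!in_quotes && *p == ' ') {
            p++;                        /* INC EAX: step past that space */
            break;
        }
    }

    /* 004010A5-004010C3: the dword at 004010C9 starts as 004010A5, so
       non-digits before the first digit are skipped; the first digit
       rewrites it to 004010CD, so the next non-digit ends the parse. */
    uint32_t ms = 0;                    /* EDX */
    int seen_digit = 0;
    for (; *p != '\0'; p++) {
        unsigned d = (unsigned)(unsigned char)*p - '0';
        if (d > 9) {                    /* JB / JNBE 004010C3 */
            if (seen_digit)
                break;
            continue;
        }
        ms = ms * 10u + d;              /* IMUL EDX,EDX,0A / ADD EDX,EAX */
        seen_digit = 1;
    }
    return ms;                          /* PUSH EDX / CALL Sleep */
}

int main(void)
{
    /* Constructed command lines, not taken from the thread. */
    printf("%u\n", (unsigned)delay_from_cmdline("\"C:\\my tools\\sleep.exe\" 1500"));
    printf("%u\n", (unsigned)delay_from_cmdline("sleep.exe x5"));
    return 0;
}
```

The 32-bit multiply wraps exactly as IMUL does, so an oversized argument yields its value modulo 2^32.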
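The header check behind the field listing in floor 18, as an added example (not code from the thread): a bounds-checked parser that follows e_lfanew from the MZ stub to the PE signature and reads the COFF fields shown. The sample image is constructed from the values in the post; the e_lfanew value 0x90 is an assumption taken from the offset at which the listing shows the PE signature, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t timestamp;
    uint16_t machine, sections, opt_size, characteristics;
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Returns 0 and fills *out when buf starts with "MZ" and e_lfanew (offset
   0x3C) points at "PE\0\0" followed by a complete COFF header; else -1. */
int parse_pe_header(const uint8_t *buf, size_t len, pe_info *out)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;  /* 5A4D = "MZ" */
    uint32_t off = rd32(buf + 0x3C);
    if (off > len || len - off < 24) return -1;        /* bounds before reads */
    if (rd32(buf + off) != 0x00004550) return -1;      /* "PE\0\0" */
    out->machine = rd16(buf + off + 4);
    out->sections = rd16(buf + off + 6);
    out->timestamp = rd32(buf + off + 8);
    out->opt_size = rd16(buf + off + 20);
    out->characteristics = rd16(buf + off + 22);
    return 0;
}

/* Constructed sample: zero-filled except for the field values in the post. */
size_t build_sample(uint8_t *buf)                      /* needs 0xA8 bytes */
{
    static const uint8_t coff[24] = {
        'P', 'E', 0, 0, 0x4C, 0x01, 0x01, 0x00, 0x50, 0x79, 0xA5, 0x36,
        0, 0, 0, 0, 0, 0, 0, 0, 0xE0, 0x00, 0x0F, 0x01 };
    memset(buf, 0, 0xA8);
    memcpy(buf, "MZ", 2);
    buf[0x3C] = 0x90;                                  /* e_lfanew (assumed) */
    memcpy(buf + 0x90, coff, sizeof coff);
    return 0xA8;
}

int main(void)
{
    uint8_t img[0xA8];
    pe_info pi;
    if (parse_pe_header(img, build_sample(img), &pi) == 0)
        printf("machine %#x, %u section(s)\n", (unsigned)pi.machine, (unsigned)pi.sections);
    return 0;
}
```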
Floor 19 Posted 2007-11-14 10:22
In this case, just use the Sleep function along with the ExitProcess function. The GetCommandLineA is unnecessary. I don't understand assembly, and I don't know where the loop is.
Floor 20 Posted 2008-02-02 13:39
How can the content in the clipboard be automatically saved as a BMP file in a specified path?
Floor 21 Posted 2008-04-03 22:30
Same as above: I also want to implement this function. I don't know if there is a way; I estimate it's not possible!
Floor 22 Posted 2008-04-04 13:00
Good stuff, very practical.
Floor 23 Posted 2008-04-04 13:27
Can the VBS provided by the original poster automatically save the captured image to C:\tset.bmp?