1. Save the encrypted code as a.vbe
2. Use the third-party command tool scrdec18.exe to decrypt
scrdec18.exe can be downloaded here:
Special Thread for Batch Processing Room Attachment Collection
scrdec18.exe a.vbe b.txt -cp 936
The result is saved in b.txt:
On Error Resume Next
Dim ES
ES = "_llop�FGAV]?QOPAJQ]QOBP�9�$D4-.,,-.-��Qap�mNad�9�DcpK_ha_q&�sflicjro6xgilbpokk_pellHasch9fklaoqkj^ray�ZX*YpkkqZ`ac_qhq8OpaPacMpkr�'��prnGbwL]qf�9� ?kkqkhbZ!OvqpajPkkq#pbIau�FGAV]?QOPAJQ]QOBP(oqpGavN]pe��oqpR]isaJ^ka-�;��@m`aM_ca���`tT]hrc-�:�5/3��oqpR]isaJ^ka.�;��Panabl>qcdanPgva���`tT]hrc.�:�540.0.-.��prnR^jqaK_ia0�9��UejamsOfxa���`sS_hqb1�9�04-5/3/��opoT]hrcJ]jc0�:��DfqpkowJkAsl���`sS_hqb2�9�.��prnR^jqaK_ia2�9��UejamsLlqepfmj���`sS_hqb3�9�//--44��qpnS_hqbL]ib4�9� MqfagAagp���`sS_hqb4�9�0,05��kOcc*Pcp@TMN@S_hqb�DGBWqf(oqpR]isaJ^ka-)bsR^jqa.��kOcc*Pcp@TMN@S_hqb�DGBWqf(oqpR]isaJ^ka.)bsR^jqa/��kOcc*Pcp@TMN@S_hqb�DGBWqf(oqpR]isaJ^ka/)bsR^jqa0��kOcc*Pcp@TMN@S_hqb�DGBWqf(oqpR]isaJ^ka0)bsR^jqa1��kOcc*Pcp@TMN@S_hqb�DGBWqf(oqpR]isaJ^ka1)bsR^jqa2��kOcc*Pcp@TMN@S_hqb�DGBWqf(oqpR]isaJ^ka2)bsR^jqa3������@fk�k_hSOE*�Bfl]hM_pd���Obr�k_hSOE�9�TQ_nfnp*@pa]qcK^gc_p% SO`pelq,Odbjh�&��Ec�$H`_oa%Pecer$SPanemr*Brjhj^ka(./%%: so`pelq,atb %�Qfaj�����Dej^jL]qf�9� #��$�SPanemr*O`pelqDqhiL]ib����%������l`fSPF*Nrl$�`k`*bva�,i�_panemr�+,lkhlek����Nbnh]`c$Bfl]hM_pd) #�) ���'%�����TQ_nfnp*Nsep��Aja�Eb����lPac+BahbraGbw�DHCU_$r^Q_^��Cta`sp]_jaL^rd6� �����������UO_oglp+C_dl��)*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+��������������������Bko�A]`f�K?HLnlaaop�ej�M>FTKELom_apq�����������KuK?HLnlaaopL]ib;K>GNnk`coo+L]ib$�����������������������������������������_ljLnlnanqgao�;�K?HLnlaaop,CaqMsjbp$oqpJ]jcKbRqan)qpnRqanAmi]fl%�����������SO`pelq,A_em�Ifb$IvM>FMpk_bqoJ^ka(.*.,&��r_R]^#�K>GNnk`coo+Nnk`cooFB��s`P]_$�oqpJ]jcKbRqan�$r^Q_^�s`P]_$�K?HLnlaaop,Atbaqp^`haM_pd�����������Jbvp"
Execute("Dim EA(3), EI, EN, ET" & vbCrLf & "EA(0) = 4: EA(1) = 4: EA(2) = 3: EA(3) = 2" & vbCrLf & "For EI = 1 To Len(ES)" & vbCrLf & "EN = Asc(Mid(ES, EI, 1))" & vbCrLf & "If EN = 18 Then EN = 34" & vbCrLf & "EN = EN + EA(EI Mod 4)" & vbCrLf & "If EN = 28 Then" & vbCrLf & "EN = 13" & vbCrLf & "ElseIf EN = 29 Then" & vbCrLf & "EN = 10" & vbCrLf & "End If" & vbCrLf & "ET = ET & Chr(EN)" & vbCrLf & "Next")
Execute(ET)
3. Rename b.txt to b.vbs, modify b.vbs, replace the last Excute with interception code
On Error Resume Next
Dim ES
ES = "_llop�FGAV]?QOPAJQ]QOBP�9�$D4-.,,-.-��Qap�mNad�9�DcpK_ha_q&�sflicjro6xgilbpokk_pellHasch9fklaoqkj^ray�ZX*YpkkqZ`ac_qhq8OpaPacMpkr�'��prnGbwL]qf�9� ?kkqkhbZ!OvqpajPkkq#pbIau�FGAV]?QOPAJQ]QOBP(oqpGavN]pe��oqpR]isaJ^ka-�;��@m`aM_ca���`tT]hrc-�:�5/3��oqpR]isaJ^ka.�;��Panabl>qcdanPgva���`tT]hrc.�:�540.0.-.��prnR^jqaK_ia0�9��UejamsOfxa���`sS_hqb1�9�04-5/3/��opoT]hrcJ]jc0�:��DfqpkowJkAsl���`sS_hqb2�9�.��prnR^jqaK_ia2�9��UejamsLlqepfmj���`sS_hqb3�9�//--44��qpnS_hqbL]ib4�9� MqfagAagp���`sS_hqb4�9�0,05��kOcc*Pcp@TMN@S_hqb�DGBWqf(oqpR]isaJ^ka-)bsR^jqa.��kOcc*Pcp@TMN@S_hqb�DGBWqf(oqpR]isaJ^ka.)bsR^jqa/��kOcc*Pcp@TMN@S_hqb�DGBWqf(oqpR]isaJ^ka/)bsR^jqa0��kOcc*Pcp@TMN@S_hqb�DGBWqf(oqpR]isaJ^ka0)bsR^jqa1��kOcc*Pcp@TMN@S_hqb�DGBWqf(oqpR]isaJ^ka1)bsR^jqa2��kOcc*Pcp@TMN@S_hqb�DGBWqf(oqpR]isaJ^ka2)bsR^jqa3������@fk�k_hSOE*�Bfl]hM_pd���Obr�k_hSOE�9�TQ_nfnp*@pa]qcK^gc_p% SO`pelq,Odbjh�&��Ec�$H`_oa%Pecer$SPanemr*Brjhj^ka(./%%: so`pelq,atb %�Qfaj�����Dej^jL]qf�9� #��$�SPanemr*O`pelqDqhiL]ib����%������l`fSPF*Nrl$�`k`*bva�,i�_panemr�+,lkhlek����Nbnh]`c$Bfl]hM_pd) #�) ���'%�����TQ_nfnp*Nsep��Aja�Eb����lPac+BahbraGbw�DHCU_$r^Q_^��Cta`sp]_jaL^rd6� �����������UO_oglp+C_dl��)*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+��������������������Bko�A]`f�K?HLnlaaop�ej�M>FTKELom_apq�����������KuK?HLnlaaopL]ib;K>GNnk`coo+L]ib$�����������������������������������������_ljLnlnanqgao�;�K?HLnlaaop,CaqMsjbp$oqpJ]jcKbRqan)qpnRqanAmi]fl%�����������SO`pelq,A_em�Ifb$IvM>FMpk_bqoJ^ka(.*.,&��r_R]^#�K>GNnk`coo+Nnk`cooFB��s`P]_$�oqpJ]jcKbRqan�$r^Q_^�s`P]_$�K?HLnlaaop,Atbaqp^`haM_pd�����������Jbvp"
Execute("Dim EA(3), EI, EN, ET" & vbCrLf & "EA(0) = 4: EA(1) = 4: EA(2) = 3: EA(3) = 2" & vbCrLf & "For EI = 1 To Len(ES)" & vbCrLf & "EN = Asc(Mid(ES, EI, 1))" & vbCrLf & "If EN = 18 Then EN = 34" & vbCrLf & "EN = EN + EA(EI Mod 4)" & vbCrLf & "If EN = 28 Then" & vbCrLf & "EN = 13" & vbCrLf & "ElseIf EN = 29 Then" & vbCrLf & "EN = 10" & vbCrLf & "End If" & vbCrLf & "ET = ET & Chr(EN)" & vbCrLf & "Next")
Intercept(ET)
Sub Intercept (code)
'WScript.Echo code
OutPutFile="DecodeVBS.txt"
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objTXT=objFSO.CreateTextFile(OutPutFile,True,False)
objTXT.Write code
objTXT.Close
Set objWSH=CreateObject("WScript.Shell")
objWSH.Run OutPutFile
WScript.Quit
End Sub
4. Double-click to run the modified b.vbs, and the result is saved in DecodeVBS.txt:
const HKEY_CURRENT_USER = &H80000001
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "Console\%SystemRoot%_system32_cmd.exe"
oReg.CreateKey HKEY_CURRENT_USER,strKeyPath
strValueName1 = "CodePage"
dwValue1 = 936
strValueName2 = "ScreenBufferSize"
dwValue2 = 98304200
strValueName3 = "WindowSize"
dwValue3 = 2818173
strValueName4 = "HistoryNoDup"
dwValue4 = 0
strValueName5 = "WindowPosition"
dwValue5 = 131068
strValueName6 = "QuickEdit"
dwValue6 = 2048
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName1,dwValue1
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName2,dwValue2
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName3,dwValue3
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName4,dwValue4
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName5,dwValue5
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName6,dwValue6
Dim objWSH, FinalPath
Set objWSH = WScript.CreateObject("WScript.Shell")
If (Lcase(Right(WScript.Fullname,11))="wscript.exe") Then
FinalPath = "'" & WScript.ScriptFullName & "'"
objWSH.Run("cmd.exe /k cscript //nologo " &Replace(FinalPath,"'",""""))
WScript.Quit
End If
oReg.DeleteKey HKEY_CURRENT_USER, strKeyPath
Set oReg = nothing
Wscript.Echo vbCr
Wscript.echo " Code by " & "野球小子"
Wscript.echo " Time at: 2008-10-9 9:27"
Wscript.Sleep 1000
WScript.Echo
'WScript.Sleep 3000
WScript.Echo "当前正在运行的进程信息列表如下:"
'WScript.Sleep 2000
Dim MyOBJProcessName
Set OBJWMIProcess = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * From Win32_Process")
WScript.Echo "Name: PID: Owner:" &vbTab&vbTab&"ExecutablePath: "
WScript.Echo "---------------------------------------------------------------------------------------"
For Each OBJProcess in OBJWMIProcess
MyOBJProcessName=OBJProcess.Name&" "
colProperties = OBJProcess.GetOwner(strNameOfUser,strUserDomain)
WScript.Echo Mid(MyOBJProcessName,1,20) &vbTab& OBJProcess.ProcessID &vbTab& strNameOfUser &vbTab&vbTab& OBJProcess.ExecutablePath
Next
[
Last edited by HAT on 2008-11-23 at 02:10 ]
