6688 (Newcomer; points 7, posts 7, registered 2008-11-21)
『Post 1 (OP)』: [Solved] VBS decryption
I don't know how this was encrypted, and I can't read it.
The original file is here:
http://upload.cn-dos.net/img/1118.rar
This is the code (copying it straight from the page will not run):
```
#@~^lwoAAA==6 P3MDKDP"+k;:PH+XY@#@&Gk:,3?@#@&2U~xPr{^VGwoVb#TQ}rhbB}Ypr$K,^G* RSBOcOpm2s1CN,91w||4l|;G\$wCL8R,|0=e(-l0H8+CgKmDw8(mEsV).Yg}6hb9}D5r$nvG$w!m\gTwG;aIDkklB?0lOI@$:#C\{1l=OPYt.m )*&fW52"Tr/mB%3Ccphl C4^@*5m9lUKT\l#YKY4.mc=XcT ZRRRwMx]?N;lFmblTOjnNls/r66m=d?|t588,Tc *z2&KwKKDt.^xT%mZ)9W$w3GAx3)/^|k?|t;( 1cwMx]?N;lnmkm OjLm:dSs5wW:N=dj|t;8f,zJR c*$wxU{454dTr4W1,H;6Cozloa#/U{4;8*,!BT*V61meK^a@$PHg@$U{4$4fM~]_Ih1)|"$}K;1`a.xV4hdD50vW$w]Trdm9?3mR#(/]?N;l 36m1Mhm2@$Kt1@$U{454f!Aq$_]h1bn]$5nZgc2D M(hJT5WvW5w"DkklB?0lRb8kI?L$CJ0r1mehma@$Kt1@$?|t58fM~ $QIng)FI]phZH`2. M8hdD;6`G5aITrdm9?3m&*4d"7N;lZVr1mMn1w@$Pt1@$Umt$4G!$]g"nHbF]]pKZgcwMx!8SST5WvW5w"Db/Cx70l!*4k]7N;CFV61meh^w@$KHg@$j{4;(9M$ ]g]ng)|"$}K;1`2. M8hdD$0cK;aITb/mB70lq#(/]?N;ly0rm1MKma@$:HH@$jm4;8G!Aq$_]h1bF]]pKZgcaDUV4SST$0vG;aIDkklB?0l *8/"7L$Cf@$WV3mtU62C$W^Tt\maN6(D0{4?rAOK5{U0 wM@$alT$^|%om|2YPUr#wnV5S}N8L4]=~/K=ws5~mY(PY}WmLG+%?NST5W,P^=W?KoC1.Vf=0=M87lSr{2l nsD3~^3t^+0H4 tD|1^A6sT4H{a@$?gH$Sh$"p)1bKwGqm;H|w
```
Last edited by HAT on 2008-11-21 at 23:00
Posted 2008-11-21 15:41
5872169 (Advanced user; points 959, posts 474, registered 2007-10-25)
『Post 2』:
That's gibberish. There are plenty of free decoding sites online; search for one.
Posted 2008-11-21 16:27
slore (Platinum member; points 5212, posts 2478, registered 2007-2-8)
『Post 3』:
```vb
' Console settings for the cmd.exe window this script relaunches itself in.
' Per-executable console settings live under HKCU\Console\<exe path with \
' replaced by _> and are read when cmd.exe starts; code page 936 is GBK, so
' the Chinese text below displays correctly.
Const HKEY_CURRENT_USER = &H80000001
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "Console\%SystemRoot%_system32_cmd.exe"
oReg.CreateKey HKEY_CURRENT_USER, strKeyPath
strValueName1 = "CodePage"
dwValue1 = 936
strValueName2 = "ScreenBufferSize"
dwValue2 = 98304200
strValueName3 = "WindowSize"
dwValue3 = 2818173
strValueName4 = "HistoryNoDup"
dwValue4 = 0
strValueName5 = "WindowPosition"
dwValue5 = 131068
strValueName6 = "QuickEdit"
dwValue6 = 2048
oReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName1, dwValue1
oReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName2, dwValue2
oReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName3, dwValue3
oReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName4, dwValue4
oReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName5, dwValue5
oReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName6, dwValue6

' When started by double-click (wscript.exe), relaunch under cscript.exe inside
' a cmd.exe window so WScript.Echo prints to the console instead of popping
' message boxes; the wscript instance then exits.
Dim objWSH, FinalPath
Set objWSH = WScript.CreateObject("WScript.Shell")
If LCase(Right(WScript.FullName, 11)) = "wscript.exe" Then
    FinalPath = "'" & WScript.ScriptFullName & "'"
    objWSH.Run("cmd.exe /k cscript //nologo " & Replace(FinalPath, "'", """"))
    WScript.Quit
End If

' Running under cscript now: the console has already read its settings,
' so the temporary key can be removed.
oReg.DeleteKey HKEY_CURRENT_USER, strKeyPath
Set oReg = Nothing
WScript.Echo vbCr
WScript.Echo " Code by " & "野球小子"
WScript.Echo " Time at: 2008-10-9 9:27"
WScript.Sleep 1000
WScript.Echo
'WScript.Sleep 3000
WScript.Echo "当前正在运行的进程信息列表如下:"   ' "Currently running processes are listed below:"
'WScript.Sleep 2000

' Enumerate every process through WMI Win32_Process and print name, PID,
' owning account and image path.
Dim MyOBJProcessName
Set OBJWMIProcess = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * From Win32_Process")
WScript.Echo "Name: PID: Owner:" & vbTab & vbTab & "ExecutablePath: "
WScript.Echo "---------------------------------------------------------------------------------------"
For Each OBJProcess In OBJWMIProcess
    MyOBJProcessName = OBJProcess.Name & " "
    ' GetOwner fills strNameOfUser / strUserDomain by reference and returns 0 on success
    colProperties = OBJProcess.GetOwner(strNameOfUser, strUserDomain)
    WScript.Echo Mid(MyOBJProcessName, 1, 20) & vbTab & OBJProcess.ProcessID & vbTab & strNameOfUser & vbTab & vbTab & OBJProcess.ExecutablePath
Next
```
Rated +1 by 6688 (2008-11-21 22:25)
S smile, L love, O optimism, R relax, E enthusiasm... Slore
Posted 2008-11-21 22:20
|
6688 (Newcomer; points 7, posts 7, registered 2008-11-21)
『Post 4』:
Originally posted by slore at 2008-11-21 22:20:
Const HKEY_CURRENT_USER = &H80000001
Set oReg = GetObject(
Thanks! How was it decoded?
Posted 2008-11-21 22:28
slore (Platinum member; points 5212, posts 2478, registered 2007-2-8)
『Post 5』:
VBE is the official encryption... plenty of web pages online can decode it.
Posted 2008-11-21 22:35
6688 (Newcomer; points 7, posts 7, registered 2008-11-21)
『Post 6』:
Oops. Isn't VBE the same thing as VBS?
I searched for "VBS" for a long time before and found nothing; searching for "VBE" turns it up immediately.
Posted 2008-11-21 22:41
6688 (Newcomer; points 7, posts 7, registered 2008-11-21)
『Post 7』:
Also, before decoding it only runs with the .vbe extension; with a .vbs extension it won't run.
Posted 2008-11-21 22:46
HAT (Moderator; points 9023, posts 5017, registered 2007-5-31)
『Post 8』: Joining in
1. Save the encoded code as a.vbe.
2. Decode it with the third-party command-line tool scrdec18.exe
(scrdec18.exe can be downloaded here: the Batch Room attachment collection thread, 批处理室附件收集专用帖):
scrdec18.exe a.vbe b.txt -cp 936
The result is saved in b.txt:
```vb
On Error Resume Next
Dim ES
ES = "_llopFGAV]?QOPAJQ]QOBP9$D4-.,,-.-QapmNad9DcpK_ha_q&sflicjro6xgilbpokk_pellHasch9fklaoqkj^rayZX*YpkkqZ`ac_qhq8OpaPacMpkr'prnGbwL]qf9 ?kkqkhbZ!OvqpajPkkq#pbIauFGAV]?QOPAJQ]QOBP(oqpGavN]peoqpR]isaJ^ka-;@m`aM_ca`tT]hrc-:5/3oqpR]isaJ^ka.;Panabl>qcdanPgva`tT]hrc.:540.0.-.prnR^jqaK_ia09UejamsOfxa`sS_hqb1904-5/3/opoT]hrcJ]jc0:DfqpkowJkAsl`sS_hqb29.prnR^jqaK_ia29UejamsLlqepfmj`sS_hqb39//--44qpnS_hqbL]ib49 MqfagAagp`sS_hqb490,05kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka-)bsR^jqa.kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka.)bsR^jqa/kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka/)bsR^jqa0kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka0)bsR^jqa1kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka1)bsR^jqa2kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka2)bsR^jqa3@fkk_hSOE*Bfl]hM_pdObrk_hSOE9TQ_nfnp*@pa]qcK^gc_p% SO`pelq,Odbjh&Ec$H`_oa%Pecer$SPanemr*Brjhj^ka(./%%: so`pelq,atb %QfajDej^jL]qf9 #$SPanemr*O`pelqDqhiL]ib%l`fSPF*Nrl$`k`*bva,i_panemr+,lkhlekNbnh]`c$Bfl]hM_pd) #) '%TQ_nfnp*NsepAjaEblPac+BahbraGbwDHCU_$r^Q_^Cta`sp]_jaL^rd6 UO_oglp+C_dl)*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+BkoA]`fK?HLnlaaopejM>FTKELom_apqKuK?HLnlaaopL]ib;K>GNnk`coo+L]ib$_ljLnlnanqgao;K?HLnlaaop,CaqMsjbp$oqpJ]jcKbRqan)qpnRqanAmi]fl%SO`pelq,A_emIfb$IvM>FMpk_bqoJ^ka(.*.,&r_R]^#K>GNnk`coo+Nnk`cooFBs`P]_$oqpJ]jcKbRqan$r^Q_^s`P]_$K?HLnlaaop,Atbaqp^`haM_pdJbvp"
Execute("Dim EA(3), EI, EN, ET" & vbCrLf & "EA(0) = 4: EA(1) = 4: EA(2) = 3: EA(3) = 2" & vbCrLf & "For EI = 1 To Len(ES)" & vbCrLf & "EN = Asc(Mid(ES, EI, 1))" & vbCrLf & "If EN = 18 Then EN = 34" & vbCrLf & "EN = EN + EA(EI Mod 4)" & vbCrLf & "If EN = 28 Then" & vbCrLf & "EN = 13" & vbCrLf & "ElseIf EN = 29 Then" & vbCrLf & "EN = 10" & vbCrLf & "End If" & vbCrLf & "ET = ET & Chr(EN)" & vbCrLf & "Next")
Execute(ET)
```
3. Rename b.txt to b.vbs and edit it, replacing the last Execute with the interception code:
```vb
On Error Resume Next
Dim ES
ES = "_llopFGAV]?QOPAJQ]QOBP9$D4-.,,-.-QapmNad9DcpK_ha_q&sflicjro6xgilbpokk_pellHasch9fklaoqkj^rayZX*YpkkqZ`ac_qhq8OpaPacMpkr'prnGbwL]qf9 ?kkqkhbZ!OvqpajPkkq#pbIauFGAV]?QOPAJQ]QOBP(oqpGavN]peoqpR]isaJ^ka-;@m`aM_ca`tT]hrc-:5/3oqpR]isaJ^ka.;Panabl>qcdanPgva`tT]hrc.:540.0.-.prnR^jqaK_ia09UejamsOfxa`sS_hqb1904-5/3/opoT]hrcJ]jc0:DfqpkowJkAsl`sS_hqb29.prnR^jqaK_ia29UejamsLlqepfmj`sS_hqb39//--44qpnS_hqbL]ib49 MqfagAagp`sS_hqb490,05kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka-)bsR^jqa.kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka.)bsR^jqa/kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka/)bsR^jqa0kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka0)bsR^jqa1kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka1)bsR^jqa2kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka2)bsR^jqa3@fkk_hSOE*Bfl]hM_pdObrk_hSOE9TQ_nfnp*@pa]qcK^gc_p% SO`pelq,Odbjh&Ec$H`_oa%Pecer$SPanemr*Brjhj^ka(./%%: so`pelq,atb %QfajDej^jL]qf9 #$SPanemr*O`pelqDqhiL]ib%l`fSPF*Nrl$`k`*bva,i_panemr+,lkhlekNbnh]`c$Bfl]hM_pd) #) '%TQ_nfnp*NsepAjaEblPac+BahbraGbwDHCU_$r^Q_^Cta`sp]_jaL^rd6 UO_oglp+C_dl)*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+BkoA]`fK?HLnlaaopejM>FTKELom_apqKuK?HLnlaaopL]ib;K>GNnk`coo+L]ib$_ljLnlnanqgao;K?HLnlaaop,CaqMsjbp$oqpJ]jcKbRqan)qpnRqanAmi]fl%SO`pelq,A_emIfb$IvM>FMpk_bqoJ^ka(.*.,&r_R]^#K>GNnk`coo+Nnk`cooFBs`P]_$oqpJ]jcKbRqan$r^Q_^s`P]_$K?HLnlaaop,Atbaqp^`haM_pdJbvp"
' First stage, unchanged: decodes ES into ET
Execute("Dim EA(3), EI, EN, ET" & vbCrLf & "EA(0) = 4: EA(1) = 4: EA(2) = 3: EA(3) = 2" & vbCrLf & "For EI = 1 To Len(ES)" & vbCrLf & "EN = Asc(Mid(ES, EI, 1))" & vbCrLf & "If EN = 18 Then EN = 34" & vbCrLf & "EN = EN + EA(EI Mod 4)" & vbCrLf & "If EN = 28 Then" & vbCrLf & "EN = 13" & vbCrLf & "ElseIf EN = 29 Then" & vbCrLf & "EN = 10" & vbCrLf & "End If" & vbCrLf & "ET = ET & Chr(EN)" & vbCrLf & "Next")
' Instead of Execute(ET): dump the decoded script to a file rather than run it
Intercept(ET)

Sub Intercept (code)
    ' Write the decoded stage to DecodeVBS.txt (overwrite, ANSI), open it
    ' with the associated viewer, and exit without executing it.
    'WScript.Echo code
    OutPutFile = "DecodeVBS.txt"
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTXT = objFSO.CreateTextFile(OutPutFile, True, False)
    objTXT.Write code
    objTXT.Close
    Set objWSH = CreateObject("WScript.Shell")
    objWSH.Run OutPutFile
    WScript.Quit
End Sub
```
4. Double-click the modified b.vbs; the result is saved in DecodeVBS.txt:
```vb
const HKEY_CURRENT_USER = &H80000001
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "Console\%SystemRoot%_system32_cmd.exe"
oReg.CreateKey HKEY_CURRENT_USER,strKeyPath
strValueName1 = "CodePage"
dwValue1 = 936
strValueName2 = "ScreenBufferSize"
dwValue2 = 98304200
strValueName3 = "WindowSize"
dwValue3 = 2818173
strValueName4 = "HistoryNoDup"
dwValue4 = 0
strValueName5 = "WindowPosition"
dwValue5 = 131068
strValueName6 = "QuickEdit"
dwValue6 = 2048
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName1,dwValue1
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName2,dwValue2
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName3,dwValue3
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName4,dwValue4
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName5,dwValue5
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName6,dwValue6
Dim objWSH, FinalPath
Set objWSH = WScript.CreateObject("WScript.Shell")
If (Lcase(Right(WScript.Fullname,11))="wscript.exe") Then
FinalPath = "'" & WScript.ScriptFullName & "'"
objWSH.Run("cmd.exe /k cscript //nologo " &Replace(FinalPath,"'",""""))
WScript.Quit
End If
oReg.DeleteKey HKEY_CURRENT_USER, strKeyPath
Set oReg = nothing
Wscript.Echo vbCr
Wscript.echo " Code by " & "野球小子"
Wscript.echo " Time at: 2008-10-9 9:27"
Wscript.Sleep 1000
WScript.Echo
'WScript.Sleep 3000
WScript.Echo "当前正在运行的进程信息列表如下:"
'WScript.Sleep 2000
Dim MyOBJProcessName
Set OBJWMIProcess = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * From Win32_Process")
WScript.Echo "Name: PID: Owner:" &vbTab&vbTab&"ExecutablePath: "
WScript.Echo "---------------------------------------------------------------------------------------"
For Each OBJProcess in OBJWMIProcess
MyOBJProcessName=OBJProcess.Name&" "
colProperties = OBJProcess.GetOwner(strNameOfUser,strUserDomain)
WScript.Echo Mid(MyOBJProcessName,1,20) &vbTab& OBJProcess.ProcessID &vbTab& strNameOfUser &vbTab&vbTab& OBJProcess.ExecutablePath
Next
```
Last edited by HAT on 2008-11-23 at 02:10
Posted 2008-11-23 01:59
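The second stage that scrdec18 leaves in b.txt is a per-character shift cipher, and the loop HAT intercepts in step 3 can be replayed statically so that nothing from the sample is ever executed (the Intercept method still runs the first `Execute`, which is harmless here but is a habit to avoid with unknown scripts). The following is an added example, not code from this thread or from its posters: the shift table (4, 4, 3, 2), the 18-for-34 quote escape and the 28/29 markers for CR and LF are taken from the posted `Execute` string; `encode_stage` is the inferred inverse, included only to build constructed test input; `extract_stage`, `peel`, `build_sample_stage` and the sample script are my own names and data. Two caveats. First, the ES literal as rendered on this page has lost its non-printable bytes: every encoded space is byte 28, 29 or 30 and encoded line breaks are bytes 24 to 27, which is why `_llop` (which decodes to `const`) is followed directly by the `FGAV...` of `HKEY` with no encoded space between them, so decode from the scrdec18 output file rather than from a copy of the page. Second, the `vb_asc`/`vb_chr` helpers model VBScript `Asc`/`Chr` on a code page 936 system as treating a double-byte GBK character as one 16-bit unit; that is an assumption based on the documented DBCS range of those functions, not something verified against the thread's sample, which is ASCII in the portions shown.

```python
"""Static decoder for the second obfuscation layer that scrdec18 leaves behind.

Added example for this thread (not code from the posts).  The stage in b.txt keeps
the real script in ES with each character shifted down by EA(EI Mod 4), where
EA = (4, 4, 3, 2), plus three fix-ups that keep the blob a legal VBScript string
literal: an encoded 34 (a double quote) is stored as 18, and post-shift values
28 and 29 stand for CR and LF.  decode_stage() replays that loop in Python;
encode_stage() is the inferred inverse (an assumption) used only for test input.
"""
import re

SHIFTS = (4, 4, 3, 2)          # EA(0)..EA(3) from the posted Execute string
QUOTE, QUOTE_ESCAPE = 34, 18   # '"' cannot appear inside the string literal
CR, LF = 13, 10
CR_MARK, LF_MARK = 28, 29      # post-shift values that mean CR / LF


def vb_asc(ch: str) -> int:
    """Mimic VBScript Asc() on a code page 936 system: one byte for ASCII, the
    16-bit GBK code for a double-byte character (assumption, see lead-in)."""
    return int.from_bytes(ch.encode("cp936"), "big")


def vb_chr(code: int) -> str:
    """Inverse of vb_asc; wraps to 16 bits like Chr() on a DBCS system (assumption)."""
    code &= 0xFFFF
    return code.to_bytes(1 if code < 0x100 else 2, "big").decode("cp936")


def decode_stage(es: str, shifts=SHIFTS) -> str:
    """Replay: EN = Asc(Mid(ES, EI, 1)); EN = EN + EA(EI Mod 4); ET = ET & Chr(EN)."""
    out = []
    for ei, ch in enumerate(es, start=1):       # Mid() and EI are 1-based
        en = vb_asc(ch)
        if en == QUOTE_ESCAPE:                   # If EN = 18 Then EN = 34
            en = QUOTE
        en += shifts[ei % 4]
        if en == CR_MARK:                        # If EN = 28 Then EN = 13
            en = CR
        elif en == LF_MARK:                      # ElseIf EN = 29 Then EN = 10
            en = LF
        out.append(vb_chr(en))
    return "".join(out)


def encode_stage(plain: str, shifts=SHIFTS) -> str:
    """Inferred inverse of decode_stage; used here only to construct test input."""
    out = []
    for ei, ch in enumerate(plain, start=1):
        c = vb_asc(ch)
        shift = shifts[ei % 4]
        if c == CR:
            en = CR_MARK - shift
        elif c == LF:
            en = LF_MARK - shift
        else:
            en = c - shift
            if en == QUOTE:                      # would terminate the literal early
                en = QUOTE_ESCAPE
        out.append(vb_chr(en))
    return "".join(out)


ES_RE = re.compile(r'\bES\s*=\s*"([^"]*)"')
EA_RE = re.compile(r'\bEA\((\d)\)\s*=\s*(\d+)')


def extract_stage(stage_text: str):
    """Pull the ES literal and the EA table out of b.txt without executing it."""
    m = ES_RE.search(stage_text)
    if m is None:
        raise ValueError('no ES = "..." literal found')
    table = {int(i): int(v) for i, v in EA_RE.findall(stage_text)}
    if sorted(table) != [0, 1, 2, 3]:
        raise ValueError(f"unexpected EA table: {table}")
    return m.group(1), tuple(table[i] for i in range(4))


def peel(stage_text: str) -> str:
    """Decode a whole b.txt-style stage (read the file with encoding='cp936')."""
    es, shifts = extract_stage(stage_text)
    return decode_stage(es, shifts)


def build_sample_stage(plain: str) -> str:
    """Constructed b.txt look-alike wrapped around encode_stage(plain)."""
    return ('On Error Resume Next\r\nDim ES\r\nES = "' + encode_stage(plain) + '"\r\n'
            'Execute("Dim EA(3), EI, EN, ET" & vbCrLf & '
            '"EA(0) = 4: EA(1) = 4: EA(2) = 3: EA(3) = 2")\r\nExecute(ET)\r\n')


if __name__ == "__main__":
    sample = 'WScript.Echo "Total: $5 & 10%"\r\nMsgBox "野球"\r\n'   # constructed input
    print(repr(peel(build_sample_stage(sample))))
```

On a real stage, `peel(open("b.txt", encoding="cp936").read())` returns the same text the Intercept sub would have written to DecodeVBS.txt, and `extract_stage` refuses to guess if the `EA` table is not the four-entry one shown in the post, so a variant of the stub with a different table fails loudly instead of producing silent garbage.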
kioskboy (Junior user; points 153, posts 103, registered 2008-3-27)
『Post 9』:
3. Rename b.txt to b.vbs and edit it, replacing the last Execute with the interception code
I'm in an internet cafe and the image hijacking (IFEO) entries in the registry can't be changed; I don't know why.
What exactly is the code used for interception?
Posted 2008-11-23 08:43
HAT (Moderator; points 9023, posts 5017, registered 2007-5-31)
『Post 10』: Re: post 9
No image hijacking is involved; the "interception code" just means the Intercept sub added at the end.
Posted 2008-11-23 09:45
kioskboy (Junior user; points 153, posts 103, registered 2008-3-27)
『Post 11』:
Oh, so that's how it is. Thanks.
Then why would the image hijacking (IFEO) location in the registry be unmodifiable on my machine?
Posted 2008-11-23 10:24
HAT (Moderator; points 9023, posts 5017, registered 2007-5-31)
『Post 12』: Re: post 11
There are many possible reasons, for example:
the read/write permissions on that registry branch have been changed, or another program or service is monitoring registry reads and writes, and so on.
Posted 2008-11-23 10:43
kioskboy (Junior user; points 153, posts 103, registered 2008-3-27)
『Post 13』:
Right, so that's it; that makes sense.
Then where do I change the permissions for that location (every other location can be modified), or how do I detect the program or service that is doing it and dig it out?
Posted 2008-11-23 10:48
HAT (Moderator; points 9023, posts 5017, registered 2007-5-31)
『Post 14』: Re: post 13
1. Right-click the registry branch -> Permissions.
2. If you know the system's processes and services well enough, try ending everything except the essential system processes/services.
Posted 2008-11-23 10:58
ggaking (Newcomer; points 19, posts 8, registered 2008-9-11)
Posted 2009-12-20 01:04