中国DOS联盟

#@~^lwoAAA==6	P3MDKDP"+k;:PH+XY@#@&Gk:,3?@#@&2U~xPr{^VGwoVb#TQ}rhbB}Ypr$K,^G* RSBOcOpm2s1CN,91w||4l|;G\$wCL8R,|0=e(-l0H8+CgKmDw8(mEsV).Yg}6hb9}D5r$nvG$w!m\gTwG;aIDkklB?0lOI@$:#C\{1l=OPYt.m )*&fW52"Tr/mB%3Ccphl	C4^@*5m9lUKT\l#YKY4.mc=XcT ZRRRwMx]?N;lFmblTOjnNls/r66m=d?|t588,Tc *z2&KwKKDt.^xT%mZ)9W$w3GAx3)/^|k?|t;( 1cwMx]?N;lnmkm OjLm:dSs5wW:N=dj|t;8f,zJR c*$wxU{454dTr4W1,H;6Cozloa#/U{4;8*,!BT*V61meK^a@$PHg@$U{4$4fM~]_Ih1)|"$}K;1`a.xV4hdD50vW$w]Trdm9?3mR#(/]?N;l 36m1Mhm2@$Kt1@$U{454f!Aq$_]h1bn]$5nZgc2D	M(hJT5WvW5w"DkklB?0lRb8kI?L$CJ0r1mehma@$Kt1@$?|t58fM~	$QIng)FI]phZH`2.	M8hdD;6`G5aITrdm9?3m&*4d"7N;lZVr1mMn1w@$Pt1@$Umt$4G!$]g"nHbF]]pKZgcwMx!8SST5WvW5w"Db/Cx70l!*4k]7N;CFV61meh^w@$KHg@$j{4;(9M$	]g]ng)|"$}K;1`2.	M8hdD$0cK;aITb/mB70lq#(/]?N;ly0rm1MKma@$:HH@$jm4;8G!Aq$_]h1bF]]pKZgcaDUV4SST$0vG;aIDkklB?0l *8/"7L$Cf@$WV3mtU62C$W^Tt\maN6(D0{4?rAOK5{U0	wM@$alT$^|%om|2YPUr#wnV5S}N8L4]=~/K=ws5~mY(PY}WmLG+%?NST5W,P^=W?KoC1.Vf=0=M87lSr{2l	nsD3~^3t^+0H4	tD|1^A6sT4H{a@$?gH$Sh$"p)1bKwGqm;H|w




[ Last edited by HAT on 2008-11-21 at 23:00 ]

Originally posted by slore at 2008-11-21 22:20:
Const HKEY_CURRENT_USER = &H80000001
Set oReg = GetObject(
谢谢~
是怎么解密的？

scrdec18.exe a.vbe b.txt -cp 936

On Error Resume Next

Dim ES

ES = "_llopFGAV]?QOPAJQ]QOBP9$D4-.,,-.-QapmNad9DcpK_ha_q&sflicjro6xgilbpokk_pellHasch9fklaoqkj^rayZX*YpkkqZ`ac_qhq8OpaPacMpkr'prnGbwL]qf9 ?kkqkhbZ!OvqpajPkkq#pbIauFGAV]?QOPAJQ]QOBP(oqpGavN]peoqpR]isaJ^ka-;@m`aM_ca`tT]hrc-:5/3oqpR]isaJ^ka.;Panabl>qcdanPgva`tT]hrc.:540.0.-.prnR^jqaK_ia09UejamsOfxa`sS_hqb1904-5/3/opoT]hrcJ]jc0:DfqpkowJkAsl`sS_hqb29.prnR^jqaK_ia29UejamsLlqepfmj`sS_hqb39//--44qpnS_hqbL]ib49 MqfagAagp`sS_hqb490,05kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka-)bsR^jqa.kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka.)bsR^jqa/kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka/)bsR^jqa0kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka0)bsR^jqa1kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka1)bsR^jqa2kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka2)bsR^jqa3@fkk_hSOE*Bfl]hM_pdObrk_hSOE9TQ_nfnp*@pa]qcK^gc_p% SO`pelq,Odbjh&Ec$H`_oa%Pecer$SPanemr*Brjhj^ka(./%%: so`pelq,atb %QfajDej^jL]qf9 #$SPanemr*O`pelqDqhiL]ib%l`fSPF*Nrl$`k`*bva,i_panemr+,lkhlekNbnh]`c$Bfl]hM_pd) #) '%TQ_nfnp*NsepAjaEblPac+BahbraGbwDHCU_$r^Q_^Cta`sp]_jaL^rd6 UO_oglp+C_dl)*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+BkoA]`fK?HLnlaaopejM>FTKELom_apqKuK?HLnlaaopL]ib;K>GNnk`coo+L]ib$_ljLnlnanqgao;K?HLnlaaop,CaqMsjbp$oqpJ]jcKbRqan)qpnRqanAmi]fl%SO`pelq,A_emIfb$IvM>FMpk_bqoJ^ka(.*.,&r_R]^#K>GNnk`coo+Nnk`cooFBs`P]_$oqpJ]jcKbRqan$r^Q_^s`P]_$K?HLnlaaop,Atbaqp^`haM_pdJbvp"

Execute("Dim EA(3), EI, EN, ET" & vbCrLf & "EA(0) = 4: EA(1) = 4: EA(2) = 3: EA(3) = 2" & vbCrLf & "For EI = 1 To Len(ES)" & vbCrLf & "EN = Asc(Mid(ES, EI, 1))" & vbCrLf & "If EN = 18 Then EN = 34" & vbCrLf & "EN = EN + EA(EI Mod 4)" & vbCrLf & "If EN = 28 Then" & vbCrLf & "EN = 13" & vbCrLf & "ElseIf EN = 29 Then" & vbCrLf & "EN = 10" & vbCrLf & "End If" & vbCrLf & "ET = ET & Chr(EN)" & vbCrLf & "Next")

Execute(ET)

On Error Resume Next

Dim ES

ES = "_llopFGAV]?QOPAJQ]QOBP9$D4-.,,-.-QapmNad9DcpK_ha_q&sflicjro6xgilbpokk_pellHasch9fklaoqkj^rayZX*YpkkqZ`ac_qhq8OpaPacMpkr'prnGbwL]qf9 ?kkqkhbZ!OvqpajPkkq#pbIauFGAV]?QOPAJQ]QOBP(oqpGavN]peoqpR]isaJ^ka-;@m`aM_ca`tT]hrc-:5/3oqpR]isaJ^ka.;Panabl>qcdanPgva`tT]hrc.:540.0.-.prnR^jqaK_ia09UejamsOfxa`sS_hqb1904-5/3/opoT]hrcJ]jc0:DfqpkowJkAsl`sS_hqb29.prnR^jqaK_ia29UejamsLlqepfmj`sS_hqb39//--44qpnS_hqbL]ib49 MqfagAagp`sS_hqb490,05kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka-)bsR^jqa.kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka.)bsR^jqa/kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka/)bsR^jqa0kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka0)bsR^jqa1kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka1)bsR^jqa2kOcc*Pcp@TMN@S_hqbDGBWqf(oqpR]isaJ^ka2)bsR^jqa3@fkk_hSOE*Bfl]hM_pdObrk_hSOE9TQ_nfnp*@pa]qcK^gc_p% SO`pelq,Odbjh&Ec$H`_oa%Pecer$SPanemr*Brjhj^ka(./%%: so`pelq,atb %QfajDej^jL]qf9 #$SPanemr*O`pelqDqhiL]ib%l`fSPF*Nrl$`k`*bva,i_panemr+,lkhlekNbnh]`c$Bfl]hM_pd) #) '%TQ_nfnp*NsepAjaEblPac+BahbraGbwDHCU_$r^Q_^Cta`sp]_jaL^rd6 UO_oglp+C_dl)*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+BkoA]`fK?HLnlaaopejM>FTKELom_apqKuK?HLnlaaopL]ib;K>GNnk`coo+L]ib$_ljLnlnanqgao;K?HLnlaaop,CaqMsjbp$oqpJ]jcKbRqan)qpnRqanAmi]fl%SO`pelq,A_emIfb$IvM>FMpk_bqoJ^ka(.*.,&r_R]^#K>GNnk`coo+Nnk`cooFBs`P]_$oqpJ]jcKbRqan$r^Q_^s`P]_$K?HLnlaaop,Atbaqp^`haM_pdJbvp"

Execute("Dim EA(3), EI, EN, ET" & vbCrLf & "EA(0) = 4: EA(1) = 4: EA(2) = 3: EA(3) = 2" & vbCrLf & "For EI = 1 To Len(ES)" & vbCrLf & "EN = Asc(Mid(ES, EI, 1))" & vbCrLf & "If EN = 18 Then EN = 34" & vbCrLf & "EN = EN + EA(EI Mod 4)" & vbCrLf & "If EN = 28 Then" & vbCrLf & "EN = 13" & vbCrLf & "ElseIf EN = 29 Then" & vbCrLf & "EN = 10" & vbCrLf & "End If" & vbCrLf & "ET = ET & Chr(EN)" & vbCrLf & "Next")

Intercept(ET)



Sub Intercept (code)

'WScript.Echo code

OutPutFile="DecodeVBS.txt"

Set objFSO=CreateObject("Scripting.FileSystemObject")

Set objTXT=objFSO.CreateTextFile(OutPutFile,True,False)

objTXT.Write code

objTXT.Close

Set objWSH=CreateObject("WScript.Shell")

objWSH.Run OutPutFile

WScript.Quit

End Sub

const HKEY_CURRENT_USER = &H80000001

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

strKeyPath = "Console\%SystemRoot%_system32_cmd.exe"

oReg.CreateKey HKEY_CURRENT_USER,strKeyPath

strValueName1 = "CodePage"

dwValue1 = 936

strValueName2 = "ScreenBufferSize"

dwValue2 = 98304200

strValueName3 = "WindowSize"

dwValue3 = 2818173

strValueName4 = "HistoryNoDup"

dwValue4 = 0

strValueName5 = "WindowPosition"

dwValue5 = 131068

strValueName6 = "QuickEdit"

dwValue6 = 2048

oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName1,dwValue1

oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName2,dwValue2

oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName3,dwValue3

oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName4,dwValue4

oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName5,dwValue5

oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName6,dwValue6





Dim objWSH, FinalPath 

Set objWSH = WScript.CreateObject("WScript.Shell")

If (Lcase(Right(WScript.Fullname,11))="wscript.exe") Then

   FinalPath = "'" & WScript.ScriptFullName & "'"

   objWSH.Run("cmd.exe /k cscript //nologo " &Replace(FinalPath,"'",""""))

   WScript.Quit

End If



oReg.DeleteKey HKEY_CURRENT_USER, strKeyPath

Set oReg = nothing



Wscript.Echo vbCr

Wscript.echo "  Code by " & "野球小子"

Wscript.echo "  Time at: 2008-10-9  9:27"

Wscript.Sleep 1000



WScript.Echo

'WScript.Sleep 3000

WScript.Echo "当前正在运行的进程信息列表如下:"

'WScript.Sleep 2000



Dim MyOBJProcessName

Set OBJWMIProcess = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * From Win32_Process")

         WScript.Echo "Name:                   PID:    Owner:" &vbTab&vbTab&"ExecutablePath: "

         WScript.Echo "---------------------------------------------------------------------------------------"

                 For Each OBJProcess in OBJWMIProcess

         MyOBJProcessName=OBJProcess.Name&"                    "

                 colProperties = OBJProcess.GetOwner(strNameOfUser,strUserDomain)

         WScript.Echo Mid(MyOBJProcessName,1,20) &vbTab& OBJProcess.ProcessID &vbTab& strNameOfUser &vbTab&vbTab& OBJProcess.ExecutablePath

         Next

3. 把b.txt重命名为b.vbs，修改b.vbs，用拦截代码代替最后一个Excute