1. 把加密的代碼保存爲a.vbe
2. 使用第三方命令工具scrdec18.exe進行解密
注意編譯時的擴展名問題一定要用XX.C 在VC++下通過 DEV通過
scrdec18源代碼下載:
http://www.virtualconspiracy.com/download/scrdec18.c
命令:scrdec18.exe a.vbe b.txt -cp 936
結果保存在b.txt裏面:
On Error Resume Next
Dim ES
ES = "_llopFGAV]?QOPAJQ]QOBP9$D4-.,,-.-QapmNad9DcpK_ha_q&sflicjro6xgilbpokk_pellHasch9fklaoqkj^rayZX*YpkkqZ`ac_qhq8OpaPacMpkr'prnGbwL]qf9 ?kkqkhbZ!OvqpajPkkq#[ovqpaj1.[`k`*bvakNbe*?oc]pbIauFGAV]?QOPAJQ]QOBP(oqpGavN]peoqpR]isaJ^ka-;@m`aM_ca`tT]hrc-:5/3oqpR]isaJ^ka.;Panabl>qcdanPgva`tT]hrc.:540.0.-.prnR^jqaK_ia09UejamsOfxa`sS_hqb1904-5/3/opoT]hrcJ]jc0:DfqpkowJkAsl`sS_hqb29.prnR^jqaK_ia29UejamsLlqepfmj`sS_hqb39//--44qpnS_hqbL]ib49 MqfagAagp`sS_hqb490,05kOcc*Pcp@TMN@S_hqbDGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka-)bsR^jqa.kOcc*Pcp@TMN@S_hqbDGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka.)bsR^jqa/kOcc*Pcp@TMN@S_hqbDGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka/)bsR^jqa0kOcc*Pcp@TMN@S_hqbDGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka0)bsR^jqa1kOcc*Pcp@TMN@S_hqbDGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka1)bsR^jqa2kOcc*Pcp@TMN@S_hqbDGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka2)bsR^jqa3@fkk_hSOE*Bfl]hM_pdObrk_hSOE9TQ_nfnp*@pa]qcK^gc_p% SO`pelq,Odbjh&Ec$H`_oa%Pecer$SPanemr*Brjhj^ka(./%%: so`pelq,atb %QfajDej^jL]qf9 #$SPanemr*O`pelqDqhiL]ib%l`fSPF*Nrl$`k`*bva,i_panemr+,lkhlekNbnh]`c$Bfl]hM_pd) #) '%TQ_nfnp*NsepAjaEblPac+BahbraGbwDHCU[@SNNBLP[RQAN)opoIauM_pdOaqkNbe9lkpegjcTq_nfnp*Badkt^?oSpanemr*a`fk?lba_w$噎丘袧紫Spanemr*a`fkPfka^r6/.,4*/,)65703So`pelq,Ohbcl..,,TQ_nfnp*Badk#SPanemr*Oical1,,-SPanemr*A`fk彈乾爭宰隕刑道錦呈辛蠟鐐彪茹暇7 $UO_oglp+Qhabn.-.,@fkIvM>FMpk_bqoJ^kaQapM>FTKELom_apq9EapL`fa`r$tgjidkpo7ZX*YpkkqZ_ejt.&,AtbaMqbpu$Qahbap'BnlkSfl/.\Nnk`coo'UO_oglp+C_dlJ^ka6LFB6Ktlan7 s`P]_$r^Q_^Cta`sp]_jaL^rd6 UO_oglp+C_dl)*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+BkoA]`fK?HLnlaaopejM>FTKELom_apqKuK?HLnlaaopL]ib;K>GNnk`coo+L]ib$_ljLnlnanqgao;K?HLnlaaop,CaqMsjbp$oqpJ]jcKbRqan)qpnRqanAmi]fl%SO`pelq,A_emIfb$IvM>FMpk_bqoJ^ka(.*.,&r_R]^#K>GNnk`coo+Nnk`cooFBs`P]_$oqpJ]jcKbRqan$r^Q_^s`P]_$K?HLnlaaop,Atbaqp^`haM_pdJbvp"
Execute("Dim EA(3), EI, EN, ET" & vbCrLf & "EA(0) = 4: EA(1) = 4: EA(2) = 3: EA(3) = 2" & vbCrLf & "For EI = 1 To Len(ES)" & vbCrLf & "EN = Asc(Mid(ES, EI, 1))" & vbCrLf & "If EN = 18 Then EN = 34" & vbCrLf & "EN = EN + EA(EI Mod 4)" & vbCrLf & "If EN = 28 Then" & vbCrLf & "EN = 13" & vbCrLf & "ElseIf EN = 29 Then" & vbCrLf & "EN = 10" & vbCrLf & "End If" & vbCrLf & "ET = ET & Chr(EN)" & vbCrLf & "Next")
Execute(ET)
3 3. 把b.txt重命名爲b.vbs,修改b.vbs,用攔截代碼代替最後一個Excute
On Error Resume Next
Dim ES
ES = "_llopFGAV]?QOPAJQ]QOBP9$D4-.,,-.-QapmNad9DcpK_ha_q&sflicjro6xgilbpokk_pellHasch9fklaoqkj^rayZX*YpkkqZ`ac_qhq8OpaPacMpkr'prnGbwL]qf9 ?kkqkhbZ!OvqpajPkkq#[ovqpaj1.[`k`*bvakNbe*?oc]pbIauFGAV]?QOPAJQ]QOBP(oqpGavN]peoqpR]isaJ^ka-;@m`aM_ca`tT]hrc-:5/3oqpR]isaJ^ka.;Panabl>qcdanPgva`tT]hrc.:540.0.-.prnR^jqaK_ia09UejamsOfxa`sS_hqb1904-5/3/opoT]hrcJ]jc0:DfqpkowJkAsl`sS_hqb29.prnR^jqaK_ia29UejamsLlqepfmj`sS_hqb39//--44qpnS_hqbL]ib49 MqfagAagp`sS_hqb490,05kOcc*Pcp@TMN@S_hqbDGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka-)bsR^jqa.kOcc*Pcp@TMN@S_hqbDGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka.)bsR^jqa/kOcc*Pcp@TMN@S_hqbDGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka/)bsR^jqa0kOcc*Pcp@TMN@S_hqbDGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka0)bsR^jqa1kOcc*Pcp@TMN@S_hqbDGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka1)bsR^jqa2kOcc*Pcp@TMN@S_hqbDGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka2)bsR^jqa3@fkk_hSOE*Bfl]hM_pdObrk_hSOE9TQ_nfnp*@pa]qcK^gc_p% SO`pelq,Odbjh&Ec$H`_oa%Pecer$SPanemr*Brjhj^ka(./%%: so`pelq,atb %QfajDej^jL]qf9 #$SPanemr*O`pelqDqhiL]ib%l`fSPF*Nrl$`k`*bva,i_panemr+,lkhlekNbnh]`c$Bfl]hM_pd) #) '%TQ_nfnp*NsepAjaEblPac+BahbraGbwDHCU[@SNNBLP[RQAN)opoIauM_pdOaqkNbe9lkpegjcTq_nfnp*Badkt^?oSpanemr*a`fk?lba_w$噎丘袧紫Spanemr*a`fkPfka^r6/.,4*/,)65703So`pelq,Ohbcl..,,TQ_nfnp*Badk#SPanemr*Oical1,,-SPanemr*A`fk彈乾爭宰隕刑道錦呈辛蠟鐐彪茹暇7 $UO_oglp+Qhabn.-.,@fkIvM>FMpk_bqoJ^kaQapM>FTKELom_apq9EapL`fa`r$tgjidkpo7ZX*YpkkqZ_ejt.&,AtbaMqbpu$Qahbap'BnlkSfl/.\Nnk`coo'UO_oglp+C_dlJ^ka6LFB6Ktlan7 s`P]_$r^Q_^Cta`sp]_jaL^rd6 UO_oglp+C_dl)*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+BkoA]`fK?HLnlaaopejM>FTKELom_apqKuK?HLnlaaopL]ib;K>GNnk`coo+L]ib$_ljLnlnanqgao;K?HLnlaaop,CaqMsjbp$oqpJ]jcKbRqan)qpnRqanAmi]fl%SO`pelq,A_emIfb$IvM>FMpk_bqoJ^ka(.*.,&r_R]^#K>GNnk`coo+Nnk`cooFBs`P]_$oqpJ]jcKbRqan$r^Q_^s`P]_$K?HLnlaaop,Atbaqp^`haM_pdJbvp"
Execute("Dim EA(3), EI, EN, ET" & vbCrLf & "EA(0) = 4: EA(1) = 4: EA(2) = 3: EA(3) = 2" & vbCrLf & "For EI = 1 To Len(ES)" & vbCrLf & "EN = Asc(Mid(ES, EI, 1))" & vbCrLf & "If EN = 18 Then EN = 34" & vbCrLf & "EN = EN + EA(EI Mod 4)" & vbCrLf & "If EN = 28 Then" & vbCrLf & "EN = 13" & vbCrLf & "ElseIf EN = 29 Then" & vbCrLf & "EN = 10" & vbCrLf & "End If" & vbCrLf & "ET = ET & Chr(EN)" & vbCrLf & "Next")
Intercept(ET)
Sub Intercept (code)
'WScript.Echo code
OutPutFile="DecodeVBS.txt"
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objTXT=objFSO.CreateTextFile(OutPutFile,True,False)
objTXT.Write code
objTXT.Close
Set objWSH=CreateObject("WScript.Shell")
objWSH.Run OutPutFile
WScript.Quit
End Sub
4. 雙擊運行修改之後的b.vbs,結果保存在DecodeVBS.txt裏面:
const HKEY_CURRENT_USER = &H80000001
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "Console\%SystemRoot%_system32_cmd.exe"
oReg.CreateKey HKEY_CURRENT_USER,strKeyPath
strValueName1 = "CodePage"
dwValue1 = 936
strValueName2 = "ScreenBufferSize"
dwValue2 = 98304200
strValueName3 = "WindowSize"
dwValue3 = 2818173
strValueName4 = "HistoryNoDup"
dwValue4 = 0
strValueName5 = "WindowPosition"
dwValue5 = 131068
strValueName6 = "QuickEdit"
dwValue6 = 2048
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName1,dwValue1
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName2,dwValue2
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName3,dwValue3
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName4,dwValue4
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName5,dwValue5
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName6,dwValue6
Dim objWSH, FinalPath
Set objWSH = WScript.CreateObject("WScript.Shell")
If (Lcase(Right(WScript.Fullname,11))="wscript.exe") Then
FinalPath = "'" & WScript.ScriptFullName & "'"
objWSH.Run("cmd.exe /k cscript //nologo " &Replace(FinalPath,"'",""""))
WScript.Quit
End If
oReg.DeleteKey HKEY_CURRENT_USER, strKeyPath
Set oReg = nothing
Wscript.Echo vbCr
Wscript.echo " Code by " & "野球小子"
Wscript.echo " Time at: 2008-10-9 9:27"
Wscript.Sleep 1000
WScript.Echo
'WScript.Sleep 3000
WScript.Echo "當前正在運行的進程信息列表如下:"
'WScript.Sleep 2000
Dim MyOBJProcessName
Set OBJWMIProcess = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * From Win32_Process")
WScript.Echo "Name: PID: Owner:" &vbTab&vbTab&"ExecutablePath: "
WScript.Echo "---------------------------------------------------------------------------------------"
For Each OBJProcess in OBJWMIProcess
MyOBJProcessName=OBJProcess.Name&" "
colProperties = OBJProcess.GetOwner(strNameOfUser,strUserDomain)
WScript.Echo Mid(MyOBJProcessName,1,20) &vbTab& OBJProcess.ProcessID &vbTab& strNameOfUser &vbTab&vbTab& OBJProcess.ExecutablePath
Next
原版文件 http://www.cn-dos.net/forum/viewthread.php?tid=44587#pid312387