haiweix 2008-5-9 13:45
alpha2 shellcode解密的vbs脚本
from[url]http://hi.baidu.com/myvbscript/blog/item/bf7ce603b9a3e8733812bb44.html[/url]
’说明:只针对alpha2的TYIIIIIIIIIIIIIIII这样的加密来解密,没有做更多的容错处理,只是解出下载url的exe地址。一般情况下该url的加密字符串是RHptd4之后的字符(去掉最后4个字符)。
[table=98%,#e8f4ff][tr][td]Dim enTmp,enstr,a,bb
enstr=Str2Hex("RHptd4RPFZVOdoVQTrvWTnTp4n6PVN6QTop1tnau1hsU")
For i = 1 To Len(enStr) step 6
enTmp =Array(Mid(enStr,i,6)&"00")
sz =Split(enTmp(0), ",", -1, 1)
a= right(sz(0), 1) Xor left(sz(1), 1)
bb=bb& a&right(sz(1), 1)
Next
Function Str2Hex(ByVal strHex)
Dim sHex
For i = 1 To Len(strHex) step 1
sHex = sHex & Hex(Asc(Mid(strHex,i,1)))&","
Next
Str2Hex = sHex
End Function
Function Hex2Str(hexStr)
Dim sstr,hextmp
For i = 1 To Len(hexStr) step 2
hexTmp = Mid(hexStr,i,2)
If hexTmp <> "00" Then
sstr = sstr & ChrW("&h" & hexTmp)
End If
Next
Hex2Str = sstr
End Function
wscript.echo Hex2Str(bb)
[/td][/tr][/table]