A forum for reverse engineering, OS internals and malware analysis 

Windows Defender DB dump and VDLL's

Discussion on reverse-engineering and debugging.

Windows Defender DB dump and VDLL's

 #32770  by EP_X0FF
 Fri Mar 29, 2019 6:26 pm
The following script -> https://gist.github.com/mattifestation/ ... 1cb5fed866 can be used to decompress Windows Defender database files (*.vdm).

Aside from signatures you will be able also extract so-called VDLL's - the environment used by Windows Defender emulator engine. There are a lot of system dlls, for example advapi32, kernel32, ntdll.

Examining VDLL internals may give you a hints how to detect fact of code emulation.

Re: Windows Defender DB dump and VDLL's

 #32771  by EP_X0FF
 Sat Mar 30, 2019 1:20 pm
I rewrote this script to C++ making it much faster because I basically can go away, drink some covfefe, watch tv, and this powershell still do something.

Usage wdextract <vdm filename>

This program distributed as-is, copyleft.

It uses ZLIB Data Compression Library (https://github.com/madler/zlib), compiled exe + zlibwapi.dll can be found in "output\x64\Release" directory.
MSVC 2017 used with SDK 17763.

The result DB dump is very big for attach (total > 200 megabytes) and no needed.

Re: Windows Defender DB dump and VDLL's

 #32783  by EP_X0FF
 Wed Apr 03, 2019 7:09 am
Just for fun. Here is the VFS contents dumped.

This virtual file system used by WD during code emulation and exist only in memory. Can be found inside mpasbase.vdm.

Majority of these files are just empty stubs, however some (like for example default.wab) contain additional data.
Code: Select all
C:\Documents and Settings\JohnDoe\Local Settings\Temporary Internet Files\\__empty
C:\INTERNAL\__empty
C:\Program Files\Internet Explorer\SIGNUP\INSTALL.INS
C:\TEMP\__empty
C:\WINDOWS\FONTS\__empty
C:\WINDOWS\Inf\__empty
C:\WINDOWS\SYSTEM32\bopomofo.uce
C:\WINDOWS\SYSTEM32\c_737.nls
C:\WINDOWS\SYSTEM32\drivers\root\system\__empty
C:\WINDOWS\SYSTEM32\sorttbls.nls
C:\WINDOWS\System\__empty
C:\WINDOWS\TEMP\__empty
C:\WINDOWS\Web\__empty
C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\Microsoft\\CD Burning\\__empty
C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\__empty
C:\\Documents and Settings\\JohnDoe\\Application Data\\Microsoft\\__empty
C:\\Documents and Settings\\JohnDoe\\Application Data\\__empty
C:\\Documents and Settings\\JohnDoe\\Desktop\\__empty
C:\\Documents and Settings\\JohnDoe\\Local Settings\\Application Data\\Microsoft\\Windows\\__empty
C:\\Program Files\\Common Files\\Microsoft Shared\\__empty
C:\\Program Files\\Common Files\\System\\__empty
C:\\Program Files\\Internet Explorer\\__empty
C:\\Program Files\\WebMoney\\__empty
C:\\System Volume Information\\__empty
C:\\WINDOWS\\SYSTEM32\\IME\\__empty
C:\ntldr
G:\RECYCLER\__empty
C:\Mirc\script.ini
C:\Mirc\mirc.ini
C:\WINDOWS\Media\tada.wav
C:\WINDOWS\system.ini
C:\WINDOWS\msdfmap.ini
C:\WINDOWS\SYSTEM32\perfmon.msc
C:\WINDOWS\SYSTEM32\rsop.msc
C:\WINDOWS\SYSTEM32\certmgr.msc
C:\WINDOWS\SYSTEM32\diskmgmt.msc
C:\WINDOWS\SYSTEM32\devmgmt.msc
C:\WINDOWS\SYSTEM32\fsmgmt.msc
C:\WINDOWS\SYSTEM32\lusrmgr.msc
C:\WINDOWS\win.ini
C:\WINDOWS\SYSTEM32\drivers\etc\hosts
C:\WINDOWS\SYSTEM32\drivers\asyncmac.sys
C:\WINDOWS\SYSTEM32\drivers\acpi.sys
C:\IndexerVolumeGuid
C:\WINDOWS\SYSTEM32\dllhost.exe
C:\WINDOWS\SYSTEM32\drivers\fastfat.sys
C:\WINDOWS\SYSTEM32\dumprep.exe
C:\WINDOWS\SYSTEM32\dxdiag.exe
C:\WINDOWS\SYSTEM32\expand.exe
C:\WINDOWS\SYSTEM32\ipconfig.exe
C:\WINDOWS\hh.exe
C:\WINDOWS\SYSTEM32\ahui.exe
C:\WINDOWS\SYSTEM32\append.exe
C:\WINDOWS\SYSTEM32\arp.exe
C:\WINDOWS\SYSTEM32\at.exe
C:\WINDOWS\SYSTEM32\mspaint.exe
C:\WINDOWS\SYSTEM32\nlsdl.dll
C:\WINDOWS\SYSTEM32\nslookup.exe
C:\WINDOWS\SYSTEM32\pmspl.dll
C:\WINDOWS\SYSTEM32\autochk.exe
C:\WINDOWS\SYSTEM32\control.exe
C:\WINDOWS\SYSTEM32\debug.exe
C:\WINDOWS\SYSTEM32\xcopy.exe
C:\WINDOWS\SYSTEM32\reset.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\sysedit.exe
C:\WINDOWS\SYSTEM32\ver.dll
C:\WINDOWS\SYSTEM32\verclsid.exe
C:\WINDOWS\SYSTEM32\verifier.exe
C:\WINDOWS\SYSTEM32\vga256.dll
C:\WINDOWS\SYSTEM32\vssadmin.exe
C:\WINDOWS\SYSTEM32\wpnpinst.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\taskman.exe
C:\WINDOWS\twunk_32.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\SYSTEM32\fc.exe
C:\WINDOWS\SYSTEM32\find.exe
C:\WINDOWS\SYSTEM32\finger.exe
C:\WINDOWS\SYSTEM32\lodctr.exe
C:\WINDOWS\SYSTEM32\logoff.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\migpwd.exe
C:\WINDOWS\SYSTEM32\mmc.exe
C:\WINDOWS\SYSTEM32\mshta.exe
C:\WINDOWS\SYSTEM32\ncpa.cpl
C:\WINDOWS\SYSTEM32\notepad.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\SYSTEM32\compact.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\SYSTEM32\wuauclt.exe
C:\WINDOWS\SYSTEM32\print.exe
C:\WINDOWS\SYSTEM32\rasautou.exe
C:\WINDOWS\SYSTEM32\rasdial.exe
C:\WINDOWS\SYSTEM32\sethc.exe
C:\WINDOWS\SYSTEM32\sfc.exe
C:\WINDOWS\SYSTEM32\sort.exe
C:\WINDOWS\SYSTEM32\sstext3d.scr
C:\WINDOWS\SYSTEM32\subst.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\SYSTEM32\w32tm.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\write.exe
C:\WINDOWS\twunk_16.exe
C:\WINDOWS\SYSTEM32\ipv6.exe
C:\WINDOWS\SYSTEM32\fixmapi.exe
C:\WINDOWS\SYSTEM32\winver.exe
C:\WINDOWS\SYSTEM32\dfrgfat.exe
C:\WINDOWS\SYSTEM32\msiexec.exe
C:\WINDOWS\SYSTEM32\chkdsk.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\ping.exe
C:\WINDOWS\SYSTEM32\wscript.exe
C:\WINDOWS\SYSTEM32\cliconfg.exe
C:\WINDOWS\SYSTEM32\cscript.exe
C:\WINDOWS\SYSTEM32\cipher.exe
C:\WINDOWS\SYSTEM32\cmd.exe
C:\WINDOWS\SYSTEM32\replace.exe
C:\WINDOWS\SYSTEM32\relog.exe
C:\\Program Files\\Internet Explorer\\Iexplore.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\WINDOWS\SYSTEM32\autoconv.exe
C:\WINDOWS\SYSTEM32\calc.exe
C:\UserData\default.wab
C:\WINDOWS\SYSTEM32\drivers\ntfs.sys
Code: Select all
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00025183
00026283
00027383
00027d83
00032b83
0003f183
00042483
00043a83
00045083
00045083
00045283
00045283
00045583
00047883
00054983
0008d083
00095083
00105083
00105083
0018d083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00245083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
00265083
002a5083
002c5083
002c5083
002e5083
00365083
00365083
00365083
00385083
00385083
00445083
00465083
00565083
00565083
00565083
006e5083
00a45083
00a65083
00b65083
01265083
02bab883
04095083
Simple code to extract data, however first you need to locate the begining of the VFS catalogue (you can use entry magic from the above) and then save to the file which will be next parsed by this routine.
Code: Select all
typedef struct _VFS_ENTRY {
    DWORD EntryType;
    DWORD Reserved0;
    FILETIME LastTime1;
    FILETIME LastTime2;
    FILETIME LastTime3;
    ULONG Reserved1;
    ULONG DataLength;
    ULONG Reserved2;
    ULONG Reserved3;
    WCHAR FileName[260];
    ULONG Reserved4; //irrelevant
    ULONG Reserved5;
    ULONG Reserved6;
    ULONG Reserved7;
    ULONG Reserved8;
    ULONG Reserved9;
    ULONG Reserved10;
} VFS_ENTRY, *PVFS_ENTRY;

void ParseVFS(LPWSTR FileName)
{
    HANDLE hFile;

    hFile = CreateFile(FileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return;

    LARGE_INTEGER fsz;
    GetFileSizeEx(hFile, &fsz);

    HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hMap) {

        PVOID MappedFile = MapViewOfFile(hMap, PAGE_READWRITE, 0, 0, 0);
        if (MappedFile) {

            __try {

                VFS_ENTRY *Entry;
                HANDLE hDumped;
                DWORD Offset = 0, DataOffset = 0;
                DWORD nCount = 0, dwWrite;
                WCHAR DumpedFileName[MAX_PATH * 2];
                WCHAR folder[MAX_PATH * 2];

                do {
                    Entry = (VFS_ENTRY*)RtlOffsetToPointer(MappedFile, Offset);
                    if (Entry->Reserved0 != 0x20)
                        break;

                    WCHAR *end, *path = &Entry->FileName[3];

                    end = wcschr(path, L'\\');
                    while (end != NULL) {
                        StringCbCopy(folder, MAX_PATH, L"C:\\VFS\\");
                        StringCchCatN(folder, MAX_PATH, path, end - path + 1);
                        CreateDirectory(folder, NULL);
                        end = wcschr(++end, L'\\');
                    }

                    __stosb((PBYTE)&DumpedFileName, 0, sizeof(DumpedFileName));
                    StringCchPrintf(DumpedFileName, MAX_PATH * 2, TEXT("C:\\VFS\\%ws"), &Entry->FileName[3]);
                    hDumped = CreateFile(DumpedFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
                    if (hDumped != INVALID_HANDLE_VALUE) {
                        DataOffset = sizeof(VFS_ENTRY);
                        WriteFile(hDumped, RtlOffsetToPointer(Entry, DataOffset), Entry->DataLength, &dwWrite, NULL);
                        CloseHandle(hDumped);
                    }
                    Offset += (sizeof(VFS_ENTRY) + Entry->DataLength);
                    if (Offset >= fsz.LowPart)
                        break;
                    nCount += 1;

                } while (TRUE);

            }
            __except (EXCEPTION_EXECUTE_HANDLER) {
                ;
            }

            UnmapViewOfFile(MappedFile);
        }
        CloseHandle(hMap);
    }

    CloseHandle(hFile);
}

Re: Windows Defender DB dump and VDLL's

 #32829  by Codefuser
 Tue Apr 16, 2019 12:37 pm
Small change of code to support Windows 10 Version 1803 Build 17134.706, with VFS file being from 11 April.

Change from
Code: Select all
                    if (Entry->Reserved0 != 0x20)
To
Code: Select all
                    if (Entry->Reserved0 != 0x20 && Entry->Reserved0 != 0x21)
It might also be worth it to remove the check altogether because exception handler will handle if we get into somewhere that is not a real entry, and other windows versions might have different values for Reserved0.

Re: Windows Defender DB dump and VDLL's

 #32833  by EP_X0FF
 Wed Apr 17, 2019 7:03 am
This code need corrections, like pointed above plus MRT database support.

Malicious removal tool database is not packed but instead it is obfuscated with XOR algorithm implemented as chains of data xored, where data type is unique xor key for block. Updated extractor will be posted later.

Also, here is the fun comments from developers left in database :) It is JScript initialization script from MRT database, multiple mentioned hashes are malware samples (you can google most of them).
Code: Select all
// JSInit
//
// NOTE: on DBDEV builds any reference to an undefined value within the DOM (i.e., under 'document') will throw a reference error
// (which produces PLI for analysis) and will assert!




// a default document.location object 
document.location = {
    hostname : "www.myserver.com"
};

// Objects and functions used with Windows Scripting Host, to enable emulation and generate sigattr events
if ( !mp.getAttribute("//MpIsIEVScan") ) {
    // b44436a06e71cac99d8395e3677af62f3e901269 document undifined in WSH
    // removed, breaks tests, until a better way can be found to determine WSH context
    // document = undefined;  
    var Scripting = {
        // https://msdn.microsoft.com/en-us/library/6tkce7xa%28v=vs.84%29.aspx
        FileSystemObject: {
            // Methods
            Add: function (strFolderName) {
            },
            BuildPath: function (strPath, strName) {
            },
            Close: function () {
            },
            Copy: function (strDest) {
                mp.triggerEvent("Scripting.FileSystemObject.Copy()", strDest);
            },
            CopyFile: function (strSource, strDest) {
            },
            CopyFolder: function (strSource, strDest) {
            },
            CreateFolder: function (strFolderName) {
                mp.triggerEvent("Scripting.FileSystemObject.CreateFolder()", strFolderName);
            },
            CreateTextFile: function (strFileName) {
                mp.triggerEvent("Scripting.FileSystemObject.CreateTextFile()", strFileName);
                return Scripting.FileSystemObject; // TextFileObject
            },
            Delete: function (bForce) {
            },
            DeleteFile: function (strFileSpec) {
                mp.triggerEvent("Scripting.FileSystemObject.DeleteFile()", strFileSpec);
            },
            deleteFile: function (strFileSpec) {
                mp.triggerEvent("Scripting.FileSystemObject.deleteFile()", strFileSpec);
            },
            DeleteFolder: function (strFolderSpec) {
            },
            DriveExists: function (strDriveSpec) {
                return true;
            },
            FileExists: function (strFileSpec) {
                mp.triggerEvent("Scripting.FileSystemObject.FileExists()", strFileSpec);
                return true;
            },
            FolderExists: function (strFolderSpec) {
                mp.triggerEvent("Scripting.FileSystemObject.FolderExists()", strFolderSpec);
            },
            GetAbsolutePathName: function (strPathSpec) {
                // c37488e83c3b238c69cafa28687fc314d8ae6181 (Nemucod)
                return "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\"+strPathSpec;
            },
            GetBaseName: function (strPath) {
                return strPath;
            },
            GetDrive: function (strDriveSpec) {
                return strDriveSpec;
            },
            GetDriveName: function (strPath)  {
                return strPath;
            },
            GetExtensionName: function (strPath) {
                return strPath;
            },
            GetFile: function (strFileSpec) {
                return strFileSpec;
            },
            GetFileName: function (strPathSpec) {
                return strPathSpec;
            },
            GetFileVersion: function (strPathSpec) {
                return strPathSpec;
            },
            GetFolder: function (strFolderSpec) {
                mp.triggerEvent("Scripting.FileSystemObject.GetFolder()", strFolderSpec);
                return strFolderSpec;
            },
            GetParentFolderName: function (strPath) {
                return strPath;
            },
            GetSpecialFolder: function (strFolderSpec) {
                return strFolderSpec;
            },
            GetStandardStream: function (varStandardStreamType) {
                return varStandardStreamType;
            },
            GetTempName: function () {
                var tname = "rad" + Math.floor(Math.random()*1048575).toString(16) + ".tmp";
                return tname;
            },
            Move: function (strDestination) {
            },
            MoveFile: function (strSource, strDestination) {
            },
            MoveFolder: function (strSource, strDestination) {
            },
            OpenAsTextStream: function () {
            },
            OpenTextFile: function (strFileName) {
                mp.triggerEvent("Scripting.FileSystemObject.OpenTextFile()", strFileName);
                return Scripting.FileSystemObject; // TextFileObject
            },
            Read: function (varCharacters) {
                return varCharacters;
            },
            ReadAll: function () {
                return "";
            },
            ReadLine: function () {
                return "";
            },
            Skip: function (varCharacters) {
            },
            SkipLine: function () {
            },
            Write: function (strText) {
                return strText;
            },
            WriteBlankLines: function (varLines) {
            },
            WriteLine: function (strText) {
                mp.triggerEvent("Scripting.FileSystemObject.WriteLine()", strText);
                return strText;
            }
    
        } // FileSystemObject
    };
    
    var MSXML2 = {
        // https://msdn.microsoft.com/en-us/library/windows/apps/hh453379.aspx
        XMLHTTP : {
            // Events
            onreadystatechange      : 0,
            ontimeout               : 0,
            // Property
            constructor             : this,
            readyState              : 4,
            readystate              : 4,
            responseBody            : "",
            response                : "",
            responseText            : "",
            responseType            : "blob",
            responseXML             : "",
            status                  : 200,
            Status                  : 200, //for f1054e8f2518a7598b1df40a0ca2069a42a42e73
            statusText              : "OK",
            timeout                 : 0,
            withCredentials         : 0,
            // Methods
            abort: function () {
                return 0;
            },
            addEventListener: function (strtype, varlistener, varuseCapture) {
            },
            dispatchEvent: function (varevt) {
            },
            getAllResponseHeaders: function () {
                mp.triggerEvent("MSXML2.XMLHTTP.getAllResponseHeaders()"); return "HTTP/1.0 200 OK\x0ACache-Control: no-cache, no-store\x0APragma: no-cache\x0AContent-Type: application/octet-stream\x0A\x0A";
            },
            getResponseHeader: function () {
                mp.triggerEvent("MSXML2.XMLHTTP.getResponseHeader()"); return "HTTP/1.0 200 OK\x0ACache-Control: no-cache, no-store\x0APragma: no-cache\x0AContent-Type: application/octet-stream\x0A\x0A";
            },
            open: function (strMethod, strUrl, varAsync, varUser, varPassword) {
                mp.triggerEvent("MSXML2.XMLHTTP.open()", strMethod + " " + strUrl);
            },
            overrideMimeType: function (strmime) {
            },
            removeEventListener: function (strtype, varlistener, varuseCapture) {
                mp.triggerEvent("MSXML2.XMLHTTP.removeEventListener()");
            },
            send: function (varBody) {
                mp.triggerEvent("MSXML2.XMLHTTP.send()", varBody); if (this.onreadystatechange != 0) this.onreadystatechange();
            },
            setRequestHeader: function (strHeader, strValue) {
                mp.triggerEvent("MSXML2.XMLHTTP.setRequestHeader()", strHeader + ":" + strValue);
            }
        }
    };
    
    var ADODB = {
        Stream : {
            // Property
            Charset                     : "ascii",
            EOS                         : true,
            LineSeparator               : -1,
            Mode                        : 0,
            Position                    : 0,
            Size                        : 0,
            State                       : 0,
            Type                        : 2,
            // lowercase properties for cc38315a262496200c11284fbad25aa44dd50183 (sample is buggy, incorrect filename generation)
            position                    : 0,
            type                        : 2,
            // Methods
            Cancel: function () {
            },
            Close: function () {
            },
            CopyTo: function (varDestStream, varNumChars) {
            },
            Flush: function () {
            },
            LoadFromFile: function (strFilename) {
                mp.triggerEvent("ADODB.Stream.LoadFromFile()", strFilename);
            },
            Open: function (strSource, varMode, varOpenOptions, strUserName, strPassword) {
                mp.triggerEvent("ADODB.Stream.Open()", strSource);
            },
            Read: function (varNumBytes) {
                mp.triggerEvent("ADODB.Stream.Read()");
            },
            ReadText: function (varNumChars) {
            },
            SaveToFile: function (strFilename, varSavOptions) {
                mp.triggerEvent("ADODB.Stream.SaveToFile()", strFilename);
            },
            Write: function (varBuffer) {
                mp.triggerEvent("ADODB.Stream.Write()",varBuffer);
            },
            WriteText: function (varData, varOptions) {
                mp.triggerEvent("ADODB.Stream.WriteText()",varData);
            },
            // lowercase methods, calling these is supported even though Javascript is case sensitive 
            open: function (strSource, varMode, varOpenOptions, strUserName, strPassword) {
                mp.triggerEvent("ADODB.Stream.Open()", strSource);
            },
            read: function (varNumBytes) {
                mp.triggerEvent("ADODB.Stream.Read()",varNumBytes);
            },
            write: function (varBuffer) {
                mp.triggerEvent("ADODB.Stream.Write()", varBuffer);
            },
            close: function () {
                mp.triggerEvent("ADODB.Stream.Close()");
            },
            saveToFile: function (strFilename, varSavOptions) {
                mp.triggerEvent("ADODB.Stream.SaveToFile()", strFilename);
            }
        }
    };
    
    var WScript = {
        // Properties
        Arguments: {
        // https://msdn.microsoft.com/en-us/library/ss1ysb2a%28v=vs.84%29.aspx
        // b44436a06e71cac99d8395e3677af62f3e901269
            // Properties
            Item: {},
            length: 0,
            Named: {},
            Unnamed: {},
            // Methods
            Count: function () { return 0;},
            ShowUsage: function () { return ""; },
        },
        BuildVersion: 8820,       // Wscript build  on XPSP2 , typeof number (06D1315EE0BBA9276D9E4F053386B17282760563)
        FullName: "C:\\WINDOWS\\system32\\wscript.exe",
        Interactive: true,          // 
        Name: "Windows Script Host",
        Path: "C:\\WINDOWS\\system32",
        ScriptFullName: "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\script.js",  // need to change will vary according to actual name
        ScriptName: "script.js", // need to change will vary according to actual name
        // https://msdn.microsoft.com/en-us/library/ddz9scc8%28v=vs.84%29.aspx
        // These should be objects (3aeae0456b651d5a587ed5d41e9f9ff42ba609cd)
        StdErr: {
            Column: 1,
            Line: 1,
            },
        StdIn: {
            Column: 1,  // a9d3cae5e1cdd841f9654e2718491c2d057f6e05
            Line: 1,    // 1acaf738df4de17fcbf5f2f6544f642d2e44c044
            },
        StdOut: {
            Column: 1,
            Line: 1,
            },
        Version: "5.6",     // Wscript version  on XPSP2

        // Methods
        ConnectObject: function (objEventSource, strPrefix) {
        },
        CreateObject: function (strProgID, strPrefix) { 
            mp.triggerEvent("WScript.CreateObject()",strProgID);
            var strName = strProgID.toLowerCase(); 
            if(strName == "scripting.filesystemobject") { 
                return Scripting.FileSystemObject;
            }
            else if(strName == "msxml2.xmlhttp" || (strName == "msxml2.xmlhttp.6.0")) {
                return MSXML2.XMLHTTP;
            }
            else if(strName == "adodb.stream") {
                return ADODB.Stream;
            }
            else if(strName == "wscript.shell") {
                return WScript.Shell;
            }
            else if (strName == "wscript.network") {
                return WScript.Network;
            }
            else if (strName.match(/^winhttp\.winhttprequest\./)) {
                return WinHTTP.WinHttpRequest;
            }
            else if (strName == "shell.application") {
                return Shell;
            }
            else {
                print("CreateObject( " + strProgID + " )")
                return Object();
            }
        }, // CreateObject
        DisconnectObject: function (obj) {
        },
        Echo: function (strArg) { // typeof WScript.Echo() returns "unknown", which is a non standard type in JS
        },
        GetObject: function (strPathname) {
            mp.triggerEvent("WScript.GetObject()",strPathname);
        },
        Quit: function (intErrorCode) {
        },
        Sleep: function (intTime) {
        },
        // lowercase
        sleep: function (intTime) {
        },

        // Objects
        Shell: {
            // Property
            CurrentDirectory: "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp",
            // https://msdn.microsoft.com/en-us/library/fd7hxfdd%28v=vs.84%29.aspx
            // 31dadba8e475360d85b3ffea88f0b5366a78f335
            Environment: function (strType) {
                var System = function (strProperty) {
                    var strprop = strProperty.toLowerCase();
                    if (strprop == "number_of_processors") {
                        return "1";
                    }
                    else if( strprop == "processor_architecture"){
                        return "x86";
                    }
                    else if (strprop == "processor_identifier") {
                        return "x86 Family 6 Model 26 Stepping 5, GenuineIntel";
                    }
                    else if (strprop == "processor_level") {
                        return "6";
                    }
                    else if( strprop == "processor_revision"){
                        return "1a05";
                    }
                    else if( strprop == "os"){
                        return "Windows_NT";
                    }
                    else if( strprop == "comspec"){
                        return "%SystemRoot%\\system32\\cmd.exe"
                    }
                    else {
                        return "";
                    }

                };
                var User = function (strProperty) {
                    var strprop = strProperty.toLowerCase();
                    if( strprop == "path") {
                        return "C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem";
                    }
                    else if( strprop == "pathext"){
                        return "";
                    }
                    else if( strprop == "windir"){
                    }
                    else {
                        return "";
                    }

                };
                var Volatile = function (strProperty) {
                    return "";
                };
                var Process = function (strProperty) {
                    var strprop = strProperty.toLowerCase();
                    if( strprop == "number_of_processors") {
                        return "1";
                    }
                    else if( strprop == "processor_architecture") {
                        return "x86";
                    }
                    else if( strprop == "processor_identifier") {
                        return "x86 Family 6 Model 26 Stepping 5, GenuineIntel";
                    }
                    else if( strprop == "processor_level") {
                        return "6";
                    }
                    else if( strprop == "processor_revision") {
                        return "1a05";
                    }
                    else if( strprop == "os") {
                        return "Windows_NT";
                    }
                    else if( strprop == "comspec") {
                        return "C:\\WINDOWS\\system32\\cmd.exe";
                    }
                    else if( (strprop == "homedrive") || (strprop == "systemdrive") ) {
                        return "C:";
                    }
                    else if( strprop == "homepath") {
                        return "\\Documents and Settings\\Administrator";
                    }
                    else if( strprop == "path") {
                        return "C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem";
                    }
                    else if( strprop == "pathext") {
                        return ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH";
                    }
                    else if( strprop == "prompt") {
                        return "";
                    }
                    else if( (strprop == "systemroot") || (strprop == "windir") ) {
                        return "C:\\WINDOWS";
                    }
                    else if( (strprop == "temp") || (strprop == "tmp") ) {
                        return "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp";
                    }
                    else {
                        return "";
                    }
                };

                // check the type of Environment and return the property
                var strenv = strType.toLowerCase();
                if (strenv == "system") {
                    return System;
                }
                else if (strenv == "user") {
                    return User;
                }
                else if (strenv == "volatile") {
                    return Volatile;
                }
                else if (strenv == "process") {
                    return Process;
                }
                else {
                    return;
                }
            },
            // 2987a163d974c7eb0feb8afdd61a6bc9872bd5bd
            // https://msdn.microsoft.com/en-us/library/0ea7b5xe%28v=vs.84%29.aspx
            SpecialFolders: function (strSpecialFolders) {
                var strfolder = strSpecialFolders.toLowerCase();
                if (strfolder == "allusersdesktop") {
                    return "C:\\Documents and Settings\\All Users\\Desktop";
                }
                else if (strfolder == "allusersstartmenu") {
                    return "C:\\Documents and Settings\\All Users\\Start Menu";
                }
                else if (strfolder == "allusersprograms") {
                    return "C:\\Documents and Settings\\All Users\\Start Menu\\Programs";
                }
                else if (strfolder == "allusersstartup") {
                    return "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup";
                }
                else if (strfolder == "desktop") {
                    return "C:\\Documents and Settings\\Administrator\\Desktop";
                }
                else if (strfolder == "favorites") {
                    return "C:\\Documents and Settings\\Administrator\\Favorites";
                }
                else if (strfolder == "fonts") {
                    return "C:\\Windows\Fonts";
                }
                else if (strfolder == "mydocuments") {
                    return "C:\\Documents and Settings\\Administrator\\My Documents";
                }
                else if (strfolder == "nethood") {
                    return "C:\\Documents and Settings\\Administrator\\NetHood";
                }
                else if (strfolder == "printhood") {
                    return "C:\\Documents and Settings\\Administrator\\PrintHood";
                }
                else if (strfolder == "programs") {
                    return "C:\\Documents and Settings\\Administrator\\Programs";
                }
                else if (strfolder == "recent") {
                    return "C:\\Documents and Settings\\Administrator\\Recent";
                }
                else if (strfolder == "sendto") {
                    return "C:\\Documents and Settings\\Administrator\\SendTo";
                }
                else if (strfolder == "startmenu") {
                    return "C:\\Documents and Settings\\Administrator\\Start Menu";
                }
                else if (strfolder == "startup") {
                    return "C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup";
                }
                else if (strfolder == "templates") {
                    return "C:\\Documents and Settings\\Administrator\\Templates";
                }
                else {
                    return "";
                }
            },
            // Methods
            AppActivate: function (strTitle) {
                mp.triggerEvent("WScript.Shell.AppActivate()", strTitle);
            },
            CreateShortcut: function (strPathname) {
                mp.triggerEvent("WScript.Shell.CreateShortcut()", strPathname);
            },
            Exec: function (strCommand) {
                mp.triggerEvent("WScript.Shell.Exec()", strCommand); return 0;
            },
            ExpandEnvironmentStrings: function (strCommand) {
                mp.triggerEvent("WScript.Shell.ExpandEnvironmentStrings()", strCommand);
                // return location string, locations taken from kernel32 VDLL ExpandEnvironmentStrings()
                var strName = strCommand.toLowerCase();
                // Need to handle enviroment string like "%Temp%/"
                var regexp = /([^\%]*)(\%[a-z]+\%)(.*)/;
                // required for 512b8ceb894ba5f8c46c5f14b55b22e18ad52b37 and similar
                  
                var match = regexp.exec(strName);
                var before = match[1];
                var env = match[2];
                var after = match[3]   
                
                var replaced = ""
                
                if ((env == "%windir%") || env == "%systemroot%") {
                    replaced = "C:\\WINDOWS\\";
                }
                else if (env == "%temp%"){
                   	replaced = "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp";
                }
                else if (env == "%programfiles%"){
                    replaced = "C:\\Program Files";
                }
                else if (env == "%comspec%") {
                    replaced = "C:\\WINDOWS\\system32\\cmd.exe";
                }
                else if ((env == "%homedrive%") || env == "%systemdrive%") {
                    replaced = "C:";
                }
                else if  (env == "%homepath%") {
                    replaced = "\\Documents and Settings\\Administrator";
                }
                else if (env == "%userprofile%"){
                    replaced = "C:\\Documents and Settings\\Administrator";
                }
                else if (env == "%appdata%") {
                    replaced = "C:\\Documents and Settings\\Administrator\\Application Data";
                }
                else {
                    replaced = "";
                }
                
                return before + replaced + after;
                
            }, // ExpandEnvironmentStrings()
            LogEvent: function (intType, strMessage, strTarget) {
                mp.triggerEvent("WScript.Shell.LogEvent()");
            },
            Popup: function (strText, intSecondsToWait, strTitle, intType) {
                mp.triggerEvent("WScript.Shell.Popup()");
            },
            RegDelete: function (strName) {
                mp.triggerEvent("WScript.Shell.RegDelete()", strName);
            },
            RegRead: function (strName) {
                mp.triggerEvent("WScript.Shell.RegRead()", strName);
                var reg = strName.toLowerCase();
                // quick fix for 1bab6a0b27560287e960e58d192971cedce02bd7
                if (reg == "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\softwaretype") {
                    return "System";
                }
                // 3c8133ee80bcee524fefb7d44a1a5898dd6d81fa 
                else if (reg == "hklm\\software\\microsoft\\windows nt\\currentversion\\systemroot"){
                    return "C:\\WINDOWS\\";
                } 
                else {
                    return "";
                }
            },
            RegWrite: function (strName, anyValue, strType) {
                mp.triggerEvent("WScript.Shell.RegWrite()", strName);
            },
            Run: function (strCommand, intOptWindowStyle, bOptWaitOnReturn) {
                mp.triggerEvent("WScript.Shell.Run()", strCommand);
            },
            SendKeys: function (string) {
                mp.triggerEvent("WScript.Shell.SendKeys()");
            },
            // lower case methods, calling these is supported even though Javascript is case sensitive
            exec: function (strCommand) {
                mp.triggerEvent("WScript.Shell.Exec()", strCommand); return 0;
            },
            run: function (strCommand, intOptWindowStyle, bOptWaitOnReturn) {
                mp.triggerEvent("WScript.Shell.Run()", strCommand);
            },
        }, // Shell
        Network: {
            // properties
            ComputerName: "HAL9TH",
            UserDomain: "ICTIM",
            UserName: "Administrator",
            // Methods
            AddWindowsPrinterConnection: function (strPrinterPath) {
            },
            AddPrinterConnection: function (strLocalName, strRemoteName) {
            },
            EnumNetworkDrives: function () {
                mp.triggerEvent("WScript.Network.EnumNetworkDrives()");
            },
            EnumPrinterConnections: function () {
            },
            MapNetworkDrive: function (strLocalName, strRemoteName) {
            },
            RemoveNetworkDrive: function (strName) {
            },
            RemovePrinterConnection: function (strName) {
            },
            SetDefaultPrinter: function (strPrinterName) {
            },
        } // Network
    }; // WScript
    
    // https://msdn.microsoft.com/en-us/library/6ch9zb09%28v=vs.94%29
    // Constructor for Enumerator
    var Enumerator = function (varObj) {
        this._objItems = [];
        for (var prop in varObj) {
            if (varObj.hasOwnProperty(prop) && (typeof varObj[prop]) != "function") {
                this._objItems.push(varObj[prop]);
            }
        }
        this._index = 0;
    };
    Enumerator.prototype.atEnd = function() {
        if (this._objItems.length < this._index) {
            return false;
        }
        else {
            return true;
        }
    };
    Enumerator.prototype.item = function() {
        if (this._index < this._objItems.length) {
            return this._objItems[this._index];
        }
    };
    Enumerator.prototype.moveFirst = function() {
        this._index = 0;
    };
    Enumerator.prototype.moveNext =  function() {
        if (this._index < this._objItems.length) {
            this._index++;
        }
    };

    var WMI = {
        // https://msdn.microsoft.com/en-us/library/aa394239%28v=vs.85%29.aspx#properties
        Win32_OperatingSystem: {
            // properties
            BootDevice: "",
            BuildNumber: "",
            BuildType: "",
            Caption: "",
            CodeSet: "",
            CountryCode: "",
            CreationClassName: "",
            CSCreationClassName: "",
            CSDVersion: "",
            CSName: "",
            CurrentTimeZone: 0,
            DataExecutionPrevention_Available: true,
            DataExecutionPrevention_32BitApplications: true,
            DataExecutionPrevention_Drivers: true,
            DataExecutionPrevention_SupportPolicy: 0,
            Debug: false,
            Description: "",
            Distributed: false, 
            EncryptionLevel: 0, 
            ForegroundApplicationBoost: 0,
            FreePhysicalMemory: 0,
            FreeSpaceInPagingFiles: 0, 
            FreeVirtualMemory: 0,
            InstallDate: "",
            LargeSystemCache: 0,
            LastBootUpTime: "",
            LocalDateTime: "",
            Locale: "",
            Manufacturer: "",
            MaxNumberOfProcesses: 0,
            MaxProcessMemorySize: 0,
            MUILanguages: "",
            Name: "",
            NumberOfLicensedUsers: 0,
            NumberOfProcesses: 0,
            NumberOfUsers: 0,
            OperatingSystemSKU: 0,
            Organization: "",
            OSArchitecture: "",
            OSLanguage: 0,
            OSProductSuite: 0,
            OSType: 0,
            OtherTypeDescription: "",
            PAEEnabled: true,
            PlusProductID: "",
            PlusVersionNumber: "",
            PortableOperatingSystem: false,
            Primary: true,
            ProductType: 0,
            RegisteredUser: "",
            SerialNumber: "",
            ServicePackMajorVersion: 0,
            ServicePackMinorVersion: 0,
            SizeStoredInPagingFiles: 0, 
            Status: 0,
            SuiteMask: 0,
            SystemDevice: "",
            SystemDirectory: "",
            SystemDrive: "",
            TotalSwapSpaceSize: 0,
            TotalVirtualMemorySize: 0,
            TotalVisibleMemorySize: 0,
            Version: "",
            WindowsDirectory: "",
            QuantumLength: 0,
            QuantumType: 0,
            // Methods
            Reboot: function () { 
            },
            SetDateTime: function (datetime) {
            },
            Shutdown: function () {
            },
            Win32Shutdown: function (Flags) {
            },
            Win32ShutdownTracker: function (Timeout, Comment, ReasonCode, Flags) {
            },
        }, // Win32_OperatingSystem

        // https://msdn.microsoft.com/en-us/library/aa393854%28v=vs.85%29.aspx
        SWbemServices: {
            // Properties
            Security_: {},
            // Methods
            AssociatorsOf: function (strObjectPath) {
            },
            AssociatorsOfAsync: function (objWbemSink, strObjectPath) {
            },
            Delete: function (strObjectPath) {
            },
            DeleteAsync: function (strObjectPath) {
            },
            ExecMethod: function (strObjectPath, strMethodName) {
            },
            ExecMethodAsync: function (objWbemSink, strObjectPath, strMethodName) {
            },
            ExecNotificationQuery: function (strQuery) {
            },
            ExecNotificationQueryAsync: function (objWbemSink, strQuery) {
            },
            ExecQuery: function (strQuery) {
                mp.triggerEvent("WMI.SWbemServices.ExecQuery()",strQuery);
                var Query = strQuery.toLowerCase();
                if (Query == "select * from win32_operatingsystem\", \"wql") {
                    return WMI.Win32_OperatingSystem;
                }
                else {
                    print("WMI.SWbemServices.ExecQuery( " + strQuery + " )")
                    return new Object();
                }
            },
            ExecQueryAsync: function (strQuery) {
            },
            Get: function (strObjectPath) {
                mp.triggerEvent("WMI.SWbemServices.Get()",strObjectPath);
            },
            GetAsync: function (objWbemSink, strObjectPath) {
            },
            InstancesOf: function (strClass) {
            },
            InstancesOfAsync: function (ObjWbemSink, strClass) {
            },
            ReferencesTo: function (strObjectPath) {
            },
            ReferencesToAsync: function (strObjectPath) {
            },
            SubclassesOf: function (strSuperclass) {
            },
            SubclassesOfAsync: function (ObjWbemSink, strSuperclass) {
            },
        }// SWbemServices
    }; // WMI


    var WinHTTP = {
        // https://msdn.microsoft.com/en-us/library/windows/desktop/aa384106%28v=vs.85%29.aspx
        // 011fae2fb1e4725a7a1b1f73a7da2f96499554e2
        // 00bd7e67e1a8c57f51c43f3362becce8587cb737
        WinHttpRequest: {
            // Events
            OnError:    0,
            OnResponseDataAvailable: 0,
            OnResponseFinished: 0,
            OnResponseStart: 0,
            // Property
            Option: "",  // https://msdn.microsoft.com/en-us/library/windows/desktop/aa384108%28v=vs.85%29.aspx
            ResponseBody: "",
            ResponseStream: "",
            ResponseText: "",
            Status: 200,
            StatusText: "OK",
            //// Methods
            Abort: function () {
            },
            GetAllResponseHeaders: function () {
                mp.triggerEvent("WinHTTP.WinHttpRequest.GetAllResponseHeaders()"); return "HTTP/1.0 200 OK\x0ACache-Control: no-cache, no-store\x0APragma: no-cache\x0AContent-Type: application/octet-stream\x0A\x0A";
            },
            GetResponseHeader: function (strHeader) {
                mp.triggerEvent("WinHTTP.WinHttpRequest.GetResponseHeader()"); return "HTTP/1.0 200 OK\x0ACache-Control: no-cache, no-store\x0APragma: no-cache\x0AContent-Type: application/octet-stream\x0A\x0A";
            },
            open: function (strMethod, strUrl) {
                mp.triggerEvent("WinHTTP.WinHttpRequest.open()", strMethod + " " + strUrl);
            },
            send: function (varBody) {
                mp.triggerEvent("WinHTTP.WinHttpRequest.send()", varBody);
            },
            SetAutoLogonPolicy: function (varAutoLogonPolicy) {
            },
            SetClientCertificate: function (strClientCertificate) {
            },
            SetCredentials: function (strUsername, strPassword) {
            },
            SetProxy: function (varProxySetting, varProxyServer, varBypassList) {
            },
            SetRequestHeader: function (strHeader, strValue){
            },
            SetTimeouts: function (varResolveTimeout, varConnectTimeout, varSendTimeout, varReceiveTimeout) {
            },
            WaitForResponse: function (varTimeout) {
            }
        } // WinHttpRequest
        
    }; // WinHTTP
    var Shell = {
        // https://msdn.microsoft.com/en-us/library/windows/desktop/bb774094%28v=vs.85%29.aspx
        // cfedc23c775622f11f765b4f50190de47a675387

        // properties
        Application: {},
        Parent: {},
        // Methods
        AddToRecent: function (varFile) {
        },
        BrowseForFolder: function ( Hwnd, sTitle, iOptions) { 
            return new Object;  // returns folder object https://msdn.microsoft.com/en-us/library/windows/desktop/bb787868%28v=vs.85%29.aspx
        }, 
        CanStartStopService: function (sServiceName) {
            return false;
        },
        CascadeWindows: function () {
        },
        ControlPanelItem: function (bstrDir) {
        },
        EjectPC: function () {
        },
        Explore: function (vDir) {
        },
        ExplorerPolicy: function (bstrPolicyName) { 
            return 0;
        },
        FileRun: function () {
        },
        FindComputer: function () {
        },
        FindFiles: function () {
        },
        FindPrinter: function () {
        },
        GetSetting: function (lSetting) { 
            return false;
        },
        GetSystemInformation: function (sName) { 
            return ""; // https://msdn.microsoft.com/en-us/library/windows/desktop/gg537740%28v=vs.85%29.aspx
        }, 
        Help: function () {
        },
        IsRestricted: function (sGroup, sRestriction) {
            return 0;
        },
        IsServiceRunning: function (sServiceName) {
            return false;
        },
        MinimizeAll: function () {
        },
        NameSpace: function (vDir) { 
            return new Object; 
        }, // returns folder object https://msdn.microsoft.com/en-us/library/windows/desktop/bb787868%28v=vs.85%29.aspx
        Open: function (vDir) {
        },
        RefreshMenu: function () {
        },
        SearchCommand: function () {
        },
        ServiceStart: function (sServiceName, vPersistent) { 
            return false
        },
        ServiceStop: function (sServiceName, vPersistent) {
            return true
        },
        SetTime: function () {
        },
        ShellExecute: function (sFile, vArguments, vDirectory, vOperation, vShow) {
            // 1bab6a0b27560287e960e58d192971cedce02bd7
            // replace any escape characters in string so we can get nice sigattr strings
            var tmpFile = sFile.replace(/\^/g,"");
            var tmpArgs = vArguments.replace(/\^/g,"");
            mp.triggerEvent("WScript.Shell.ShellExecute()", tmpFile + " " + tmpArgs);
        },
        ShowBrowserBar: function (sCLSID, vShow) { 
            return false
        },
        ShutdownWindows: function () {
        },
        //Suspend:     function () {},
        TileHorizontally: function () {
        },
        TileVertically: function () {
        },
        ToggleDesktop: function () {
        },
        TrayProperties: function () {
        },
        UndoMinimizeALL: function () {
        },
        Windows: function () { 
            return new Object; // returns a shellwindows object https://msdn.microsoft.com/en-us/library/windows/desktop/bb773974%28v=vs.85%29.aspx
        },
        WindowsSecurity: function () {},
        WindowSwitcher: function () {}

    }; // Shell

    // 7274289c816170b8b5f25fd8d600d25e2497496e
    var WSH = {

    };
    function ActiveXObject(strServerName, strOptLocation) {
    
        mp.triggerEvent("ActiveXObject()",strServerName);
        var strName = strServerName.toLowerCase();
        if(strName == "scripting.filesystemobject") {
             
            return Scripting.FileSystemObject;
        }
        else if((strName == "msxml2.xmlhttp") || (strName == "msxml2.xmlhttp.6.0") || (strName == "msxml2.serverxmlhttp")) {
            return MSXML2.XMLHTTP;
        }
        else if(strName == "adodb.stream") {
            return ADODB.Stream;
        }
        else if(strName == "wscript.shell") {
            return WScript.Shell;
        }
        else if (strName == "wscript.network") {
            return WScript.Network;
        }
        else if (strName.match(/^winhttp\.winhttprequest\./)) {
            return WinHTTP.WinHttpRequest;
        }
        else if (strName == "shell.application") {
            return Shell;
        }
        else {
            print("ActiveXObject( " + strServerName + " )" )
            return new Object();
        }
    }
    // 04b0d87800049d17e96777b87d65ae5864d85191
    // 0a8bcabb5e5de86c2b784c99e750b961b207e018
    function GetObject(strObj) {
        mp.triggerEvent("GetObject()",strObj);
        var strObject = strObj.toLowerCase();
        if (strObject == "winmgmts:\\\\.\\root\\cimv2") {
            return WMI.SWbemServices;
        }
        else {
            print("GetObject( " + strObj + " )")
            return new Object();
        }
    }

    // 7af3dcd9e55bea0aea9e64cee3e222edb2348bf2 Temp fix
    Date.prototype.getYear = function() { return 2016; };
    
    // 2a12254d8d830db3db3bb8e0027c7e589fa08bb2  keep date current
    var d = new Date();
    d.setFullYear(2017);
    Date = function () {
        return d;
    };

    // 1e29ceb5901ccb39c465c5d8df6e7fa7aac0cc43
    function ScriptEngineBuildVersion() {
        return 8831;  // taken value from WSH in XPSP2
    }


}

// Gongda exploit kit
// 9d96a2780d68bda6eecf889d2591a5f57d88b028
var deconcept = {
    SWFObjectUtil : {
        getPlayerVersion : function() { return "11.9.900.152"; }
    }
};

function hex2bin(binstr)
{
    var i = 0, l = binstr.length - 1, bytes = []
    for (i; i < l; i += 2)
    {
        bytes.push(parseInt(binstr.substr(i, 2), 16))
    }
    return String.fromCharCode.apply(String, bytes)   
}
 
 
function rc4(key, str) {
    var s = [], j = 0, x, res = '';
    for (var i = 0; i < 256; i++) {
        s[i] = i;
    }
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;
        x = s[i];
        s[i] = s[j];
        s[j] = x;
    }
    i = 0;
    j = 0;
    for (var y = 0; y < str.length; y++) {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        x = s[i];
        s[i] = s[j];
        s[j] = x;
        res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);
    }
    return res;
}

// 31f1e2e356c2bbbf00e75c842dd42c76fc8658e0 - anti-emu checks for window.self and expects an exception
// 01ca0cacd76752011afb91f5ca6f707066b35055
// 305dbd0894cd93408b2e0821ac5b333e83c1a11c
// 49180d01ab1f11a970062a693bdd2860a64159fa
// 6e253c101349829b84e0c823495d8eaee3a7991c
// f886901026318eea79533659e0d81afa5a27ecaa

// SCRIPT:Worm:JS/Bondat!jsinit
// 557f478b98d4c8c77e8301f7c93b8e530c67c3ac
// a62a6ac9ed5010a09a542647954ac44726a37025
// cba7c09af2be70125c648b3cd5dbe0fe75777168
// d7fc51dacf0edff3803d3521c51f4dde3c4a70df


if (
    (mp.getAttribute("Lua:JSEMU_WscriptCscriptContext") ||
     mp.getAttribute("SCRIPT:Worm:JS/Bondat!jsinit") ||
     mp.getAttribute("SCPT:WScriptScriptNameRef")
    )
    && !mp.getAttribute("//MpIsIEVScan")
   )
{
    window = undefined;

    //09edcd5ff36f36e491657310645851dd1db0e466
    document = undefined;

    //1a7a6eb2241d7e68a8d6fc0fbd3b76d00baa0361
    WScript = new Object();
    
    // f34e3372821c4901d8204ddd817f7233f2b95d91 (Nemucod)
    if (WScript.ScriptName == undefined) WScript.ScriptName = "install.js"
}
 Return to “Reverse Engineering and Debugging”