来源：安全中国

alpha2 shellcode解密的vbs脚本

author:lcx 

fromhttp://hi.baidu.com/myvbscript/blog/item/bf7ce603b9a3e8733812bb44.html ;

’说明：只针对alpha2的TYIIIIIIIIIIIIIIII这样的加密来解密，没有做更多的容错处理，只是解出下载url的exe地址。一般情况下该url的加密字符串是RHptd4之后的字符（去掉最后4个字符）。 

Dim enTmp,enstr,a,bb 
enstr=Str2Hex("RHptd4RPFZVOdoVQTrvWTnTp4n6PVN6QTop1tnau1hsU") 
For i = 1 To Len(enStr) step 6 
  enTmp =Array(Mid(enStr,i,6)&"00") 
  sz =Split(enTmp(0), ",", -1, 1) 
a= right(sz(0), 1) Xor left(sz(1), 1) 
bb=bb& a&right(sz(1), 1) 
Next 

Function Str2Hex(ByVal strHex) 
Dim sHex 
For i = 1 To Len(strHex) step 1 
sHex = sHex & Hex(Asc(Mid(strHex,i,1)))&"," 
Next 
Str2Hex = sHex 
End Function 

Function Hex2Str(hexStr) 
Dim sstr,hextmp 
For i = 1 To Len(hexStr) step 2 
  hexTmp = Mid(hexStr,i,2) 
  If hexTmp <> "00" Then 
   sstr = sstr & ChrW("&h" & hexTmp) 
  End If 
Next 
Hex2Str = sstr 
End Function 

wscript.echo Hex2Str(bb)