瑞星卡卡安全论坛

首页 » 技术交流区 » 恶意网站交流 » 网马解密大讲堂——网马解密中级篇(Base64篇)
networkedition - 2009-5-19 9:47:00
卡卡讲堂之网马解密 初级篇
卡卡讲堂之网马解密 中级篇
卡卡讲堂之网马解密 高级篇(swf网马解密)
卡卡讲堂之网马解密 高级篇(pdf网马解密)
1.Freshow解密工具的详细用法
2.网马解密之——Eval篇
3.网马解密之——Document.write篇
4.网马解密之——Alpha2篇
5.网马解密之——Shellcode篇
6.网马解密之——Base64篇
7.网马解密之——US-ASCII篇
8.浅谈eval解密之——工具篇




引用:

一. Base64加密原理:(摘自小聪大牛的博客)

  把每三个字符,共24位2进制的ASCII码,折分成连续4个6位的ASCII码,再在每个ASCII码前面补00变成8位, 最后对应一个码表来变成编码字符:

码表为(从0~63分别依次对应):
0对应A………………………………………………………………………………63对应/
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
如果最后不够3位数,则补0,这时后面对应的编码是“=”
例:原文:                a                  b                c
  ASCII码:    01100001 | 01100010 | 01100011
        分成4个:    011000 | 010110 | 001001 | 100011
        补足位数: 00011000 | 00010110 | 00001001 | 00100011
        数值大小:        24                22                9                  35
        对应编码:        Y                  W                J                  j
        编码结果:    YWJj

        如果只有ab两个字符,则第三个字符用全0来代替,这时结果为YWI=
        其实按照算法,=对应的编码其实也可以认为是为0,所以QQ==和QQAA用来解密的话,都是A,但是后面补0时用“=”是加密算法自己的设置,所以加密结果只能是QQ==而不会是QQAA
知道了加密原理,解密原理就反其道而行之就行了,呵呵……


用户系统信息:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
networkedition - 2009-5-19 9:48:00


引用:

二.  加密特征:

    大小写字母及数字混排,末尾可能包含等号




引用:

三.    Base64解密方法

    我们还是以一个实例来简单讲解base64解密方法,在实际的网马解密中,这种加密方式很少见。今天我们提供一种解密的方法,在这里用到的解密工具为:notepad++ 这个软件(附件为notepad++)。后续我们还会讲解使用一些其他的解密工具来解密base64。


附件: npp5.3.1.bin.rar
networkedition - 2009-5-19 9:48:00
我们来看一个base64的源代码:


YgBlAGcAaQBuADwAYgByAD4AMAA4ADEAMgAwADcALAAxACwAMQAsADEALAAyADAAMAAsADAALAAwACwAMQAwACwAOQAwACwAMAAsACwAMwAwACwALAAwACwAMQAsADEAMAAwACwAMQAsADAALAAxADgAMAAsADYAMAAsADEAMAAsADMALAAxADAALAAwACwAOQAwACwAMQAyADMANAAsADAAPABiAHIAPgAsAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBjAG4AZwBnAC4AbwByAGcALwBhAGQALwBhAGQAMQAuAGUAeABlACwAYQBkADEALAAxADMAOQAwADAAMAAsADUAMAAwADAAMAAwACwAMQAsADEALAAsADsAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGMAbgBnAGcALgBvAHIAZwAvAGEAZAAvAG0AcwBuADAANwA0AC4AZQB4AGUALABtAHMAbgAsADEANAA3ADAAMAAwACwANQAwADAAMAAwADAALAAyACwAMQAsACwAOwBoAHQAdABwADoALwAvAHcAdwB3AC4AYwBuAGcAZwAuAG8AcgBnAC8AYQBkAC8AcQBxADIAMwAuAGUAeABlACwAcQBxACwANAA3ADAAMAAwACwANQAwADAAMAAwADAAMAAsADMALAAxACwALAA7ADwAYgByAD4APABiAHIAPgA2ADAAPABiAHIAPgA8AGIAcgA+ADwAYgByAD4APABiAHIAPgAxADEALAAxACwAMQAwADAALAAwAC0AMgA0ACwAMgA1ADAALAAxADAAMAAsACgAMAAsADAAOwApACwAMQAzADAALAA1ADAAMAAsACgAYQBsAGwAKQAsAGgAdAB0AHAAJQAzAEEALwAvAHcAdwB3AC4AdQBkADkAOQAuAGMAbwBtAC8AdAByAGEAYwBrAC4AYQBzAHAAeAAlADMARgB0AHkAcABlACUAMwBEAEMAUABBACUAMgA2AGkAZAAlADMARAA5ADkAMwAsACwAMAAsADAALAAwACwAMQAsADAALAAsADAAPABiAHIAPgAyADEAMAAwADAAMAAwACwAMQAwADAALAAwAC0AMgA0ACwAMAAsAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB1AGQAOQA5AC4AYwBvAG0ALwB0AHIAYQBjAGsALgBhAHMAcAB4AD8AdAB5AHAAZQA9AEMAUABTACYAaQBkAD0AOQA5ADMAJgBjAG8AZABlAD0AMQAwADMAMQAyADMAMQAsAGgAdAB0AHAAJQAzAEEALwAvAHcAdwB3AC4AYgBhAGkAZAB1AC4AYwBvAG0ALwA8AGIAcgA+ADIAMQAwADAAMAAwADAALAAxADAAMAAsADAALQAyADQALAAwACwAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHUAZAA5ADkALgBjAG8AbQAvAHQAcgBhAGMAawAuAGEAcwBwAHgAPwB0AHkAcABlAD0AQwBQAFMAJgBpAGQAPQA5ADkAMwAmAGMAbwBkAGUAPQAxADAAMwAxADIAMwAxACwAaAB0AHQAcAAlADMAQQAvAC8AdwB3AHcALgAxADYAMwAuAGMAbwBtAC8APABiAHIAPgAyADEAMAAwADAAMAAwACwAMQAwADAALAAwAC0AMgA0ACwAMAAsAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB1AGQAOQA5AC4AYwBvAG0ALwB0AHIAYQBjAGsALgBhAHMAcAB4AD8AdAB5AHAAZQA9AEMAUABTACYAaQBkAD0AOQA5ADMAJgBjAG8AZABlAD0AMQAwADMAMQAyADMAMQAsAGgAdAB0AHAAJQAzAEEALwAvAHcAdwB3AC4AcwBpAG4AYQAuAGMAbwBtAC8APABiAHIAPgAyADEAMAAwADAAMAAwACwAMQAwADAALAAwAC0AMgA0ACwAMAAsAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB1AGQAOQA5AC4AYwBvAG0ALwB0AHIAYQBjAGsALgBhAHMAcAB4AD8AdAB5AHAAZQA9AEMAUABTACYAaQBkAD0AOQA5ADMAJgBjAG8AZABlAD0AMQAwADMAMQAyADMAMQAsAGgAdAB0AHAAJQAzAEEALwAvAHcAdwB3AC4AcwBvAGgAdQAuAGMAbwBtAC8APABiAHIAPgAyADEAMAAwADAAMAAwACwAMQAwADAALAAwAC0AMgA0ACwAMAAsAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB1AGQAOQA5AC4AYwBvAG0ALwB0AHIAYQBjAGsALgBhAHMAcAB4AD8AdAB5AHAAZQA9AEMAUABTACYAaQBkAD0AOQA5ADMAJgBjAG8AZABlAD0AMQAwADMAMQAyADMAMQAsAGgAdAB0AHAAJQAzAEEALwAvAHcAdwB3AC4AdABhAG8AYgBhAG8ALgBjAG8AbQAvADwAYgByAD4AZQBuAGQAPABiAHIAPgA=


networkedition - 2009-5-19 9:48:00
将上述代码复制粘贴到notepad++,详细步骤参看下例截图:


networkedition - 2009-5-19 10:42:00
接下来ctrl+a选中代码,点击TextFX菜单下TextFXTools下的Base64 Decode后,点击file下的save as(另存为),将代码保存为扩展名为txt(文件名任意)的文件。直接打开保存好的文档即可看到解密后的内容。




上图为点击 Base64 Decode后的截图
networkedition - 2009-5-19 10:53:00
最终的解密结果相见下图,红色框中内容均为病毒的下载地址(可能已失效):



於陵闲云 - 2009-5-19 10:56:00
前排听课:kaka12:
幸福耗子 - 2009-5-19 11:03:00
排队听课
竹本无ベ - 2009-5-19 11:30:00
安静听课。
艾玛 - 2009-5-19 11:44:00
:kaka6: 都用5.3.1了,我还是5.2
艾玛 - 2009-5-20 14:20:00
Malzilla

jhh28 - 2009-6-27 15:56:00
听课中:kaka12:
gtyre2 - 2009-7-2 16:26:00
Base64篇不太懂,学习下
kav2046 - 2009-7-17 21:39:00
继续听课!感谢楼主分享!:kaka12:
零度的穷浪漫 - 2009-8-2 20:18:00
大版主是在教我们另一种方法么?
networkedition - 2009-8-3 9:19:00
是呀,他是教你使用神器来解base64:kaka12:
springyun - 2010-5-22 14:08:00
继续学习
鹰丶风少 - 2010-7-28 15:19:00
又看完一课:kaka9:
凯撒不骑马 - 2013-4-1 23:17:00
老师 这个解密出来的木马有三个 是不是中这网马的主机是不是 会把这三个都下载运行啊:kaka2:
1
查看完整版本: 网马解密大讲堂——网马解密中级篇(Base64篇)