What you should know about decrypting web trojans
You have probably seen plenty of methods for unpacking web trojans. With the right tool, most of them fall apart easily: unescape encoding, Encode, JS variant obfuscation, US-ASCII encoding and so on. But what if there is no tool at hand, or the encoding is one that no tool handles? Giving up is not our style. Today I will walk through some practical decoding methods, plus a few new ones.
First, we need to understand one thing: every web trojan encoding must still be understood by the client. If the code cannot be turned back into standard code the browser recognizes, it cannot run. So, in principle, every web trojan encoding can be decoded. Let's take a few typical examples.
First, a web trojan I ran into recently. The encoded result looks like this:
Looks like a headache, doesn't it? A complete mess, and not something a simple decoding tool takes apart. Let's work through it together. First, look at the two keywords "document.write" and "eval".
"document.write" is JavaScript's print statement, and "eval" is the eval() function, which executes a string as JavaScript code. When you meet document.write in obfuscated JavaScript, the usual move is to change it to "alert"; when you meet "eval", change it to "document.write". Either way the next layer is displayed instead of executed (note that document.write of a layer that is itself HTML will render it rather than show it, so for those use alert or a text box instead). Let's start by changing eval to document.write and running it to see the result:
OK! That is a first layer off, and from the final call to the user-defined realexploit() function you can see that this is the recently disclosed RealPlayer vulnerability. The unescape-encoded part needs no explanation, does it? The fastest way to decode it is to copy that part of the code and paste it after the Baidu search URL http://www.baidu.com/s?wd= ; the search engine URL-decodes the %XX sequences and shows the result as the query text. For example, document.
For this code, the fastest way to reverse it is to prepend that address, giving http://www.baidu.com/s?wd=document… ; the page that comes back shows:
Next, let's look at a web trojan that was planted on the Skynet site:
What on earth is it, and how do you read it? The fastest and easiest way is simply to browse the page and, when saving it, choose the Central European (ISO) encoding.
The result:
Similarly, there are US-ASCII encoded web trojans, and you can decode them the same way.
Save the file with the Central European (ISO) encoding and you get:
Next, a harder one. The "Dark Web Trojan" recently featured in Hacker Line uses an encryption tool from Firefox, and a password must be supplied to decrypt, supposedly to prevent tampering. It looks a bit like MD5; is it really irreversible? Worse, a 1 KB trojan balloons to 15 KB or more after encryption. Let's decrypt it together!
At the end of the long code we can see:
var pass = "TEST.WWW.CUTEQQ.CN";
if (pass) {
    pass = unescape(pass);
    var cuteqq, cuteqq2, cuteqq3;
    cuteqq = XOR(unescape(Qq_784378237), STR.md5(pass));
    cuteqq2 = XOR(unescape(Qq784378237), STR.md5(pass));
    cuteqq3 = cuteqq + www_cuteqq_cn_s + cuteqq2;
    document.write(cuteqq3);
    return (false);
}
This is the password check routine: if pass is set, the block inside runs. XOR here is not the language's exclusive-or operator (that is ^) but a helper function defined earlier in the page, which XORs the data against STR.md5(pass), the MD5 of the password, also computed by page code; I won't go into its internals. The key line is the final document.write(cuteqq3): anyone who reads web code knows what it means. If the password is correct, the content of the variable cuteqq3 is written to the page. Note that the password itself sits in the page in clear, so nothing has to be cracked. When we meet document.write, we usually change it to "alert" for a first pass at decoding:
Here we hit a problem: alert shows only as much as fits in the dialog, so long content is cut off. What then? Use one line of JavaScript, document.getElementById("textfield").value = cuteqq3; in place of the original document.write(cuteqq3); and then add a form between <body> and <script></script> on the page. It looks like this:
<html>
<head>
<title>web trojan</title>
</head>
<body>
<form id="form1" name="form1" method="post" action="">
<label>
<textarea id="textfield" name="textfield" cols="100" rows="50"></textarea>
</label>
</form>
<script>
.... the decryption part is omitted here.
</script>
</body>
</html>
Here we create a text box and assign the content of cuteqq3 to it. textfield is the id of the text box (the id is what getElementById looks up, so give the textarea an id and quote the name); you can call it whatever you like, but then change the name in document.getElementById("textfield").value to match. Now run the trojan:
The size of the encrypted code is:
After decryption:
As for code like \x72\x65\x73\x70\x6F\x6E\x73\x65\x42\x6F\x64\x79, there is a simple way through it.
The string is just hexadecimal escapes, so let the browser decode it:
<script language="JavaScript">
alert("\x72\x65\x73\x70\x6F\x6E\x73\x65\x42\x6F\x64\x79")
</script>
It displays fine: each \xNN is one character, and this one spells responseBody. By the way, the encrypted page also used a trick to stop its source from being viewed, which works with the following code:
<noscript>
<iframe src=*>
</iframe>
</noscript>
The noscript element defines alternative content for when the script is not run; it is meant for browsers that recognize the <script> tag but cannot execute the script. When the browser does support JavaScript, the content inside noscript is not rendered, so it cannot be seen in the page. Often we want to grab someone else's web trojan. What then? Simple. As said earlier, every web trojan must be converted into code the browser recognizes before it runs, and while it runs it has to sit in the browser cache, by default C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files. Clear your IE cache, open the trojan page, refresh it, and you will find the trojan lying there. (A page tested locally is not saved to the cache, so it will not turn up there.)
Next, let's look at another encoding method.